General ARM7TDMI Information ARM CPU Overview ARM CPU Register Set ARM CPU Flags & Condition Field (cond) ARM CPU 26bit Memory Interface ARM CPU Exceptions ARM CPU Memory Alignments Further Information ARM Pseudo Instructions and Directives ARM CP15 System Control Coprocessor ARM CPU Instruction Cycle Times ARM CPU Versions ARM CPU Data Sheet |
ARM 32bit Opcodes (ARM Code) ARM Instruction Summary ARM Branch and Branch with Link (B, BL, BX, BLX, SWI, BKPT) ARM Data Processing (ALU) ARM Multiply and Multiply-Accumulate (MUL, MLA) ARM Special ARM9 Instructions (CLZ, QADD/QSUB) ARM PSR Transfer (MRS, MSR) ARM Memory: Single Data Transfer (LDR, STR, PLD) ARM Memory: Halfword, Doubleword, and Signed Data Transfer ARM Memory: Block Data Transfer (LDM, STM) ARM Memory: Single Data Swap (SWP) ARM Coprocessor (MRC/MCR, LDC/STC, CDP, MCRR/MRRC) |
ARM 16bit Opcodes (THUMB Code) When operating in THUMB state, cut-down 16bit opcodes are used. THUMB is supported on T-variants of ARMv4 and up, ie. ARMv4T, ARMv5T, etc. THUMB Instruction Summary THUMB Register Operations (ALU, BX) THUMB Memory Load/Store (LDR/STR) THUMB Memory Addressing (ADD PC/SP) THUMB Memory Multiple Load/Store (PUSH/POP and LDM/STM) THUMB Jumps and Calls |
| GBA Reference |
| GBA Technical Data |
ARM Mode ARM7TDMI 32bit RISC CPU, 16.78MHz, 32bit opcodes (GBA) THUMB Mode ARM7TDMI 32bit RISC CPU, 16.78MHz, 16bit opcodes (GBA) CGB Mode Z80/8080-style 8bit CPU, 4.2MHz or 8.4MHz (CGB compatibility) DMG Mode Z80/8080-style 8bit CPU, 4.2MHz (monochrome gameboy compatib.) |
BIOS ROM 16 KBytes Work RAM 288 KBytes (Fast 32K on-chip, plus Slow 256K on-board) VRAM 96 KBytes OAM 1 KByte (128 OBJs 3x16bit, 32 OBJ-Rotation/Scalings 4x16bit) Palette RAM 1 KByte (256 BG colors, 256 OBJ colors) |
Display 240x160 pixels (2.9 inch TFT color LCD display) BG layers 4 background layers BG types Tile/map based, or Bitmap based BG colors 256 colors, or 16 colors/16 palettes, or 32768 colors OBJ colors 256 colors, or 16 colors/16 palettes OBJ size 12 types (in range 8x8 up to 64x64 dots) OBJs/Screen max. 128 OBJs of any size (up to 64x64 dots each) OBJs/Line max. 128 OBJs of 8x8 dots size (under best circumstances) Priorities OBJ/OBJ: 0-127, OBJ/BG: 0-3, BG/BG: 0-3 Effects Rotation/Scaling, alpha blending, fade-in/out, mosaic, window Backlight GBA SP only (optionally by light on/off toggle button) |
Analogue 4 channel CGB compatible (3x square wave, 1x noise) Digital 2 DMA sound channels Output Built-in speaker (mono), or headphones socket (stereo) |
Gamepad 4 Direction Keys, 6 Buttons |
Serial Port Various transfer modes, 4-Player Link, Single Game Pak play |
GBA Game Pak max. 32MB ROM or flash ROM + max 64K SRAM CGB Game Pak max. 32KB ROM + 8KB SRAM (more memory requires banking) |
Size (mm) GBA: 145x81x25 - GBA SP: 82x82x24 (closed), 155x82x24 (stretch) |
Battery GBA GBA: 2x1.5V DC (AA), Life-time approx. 15 hours Battery SP GBA SP: Built-in rechargeable Lithium ion battery, 3.7V 600mAh External GBA: 3.3V DC 350mA - GBA SP: 5.2V DC 320mA |
---------------------------------------------------------------------------- |
____._____________...___.____
____/ : CARTRIDGE SIO : \____
| L _____________________ LED R |
| | | |
| _||_ | 2.9" TFT SCREEN | (A) |
| |_ _| | 240x160pix 61x40mm | (B) |
| || | NO BACKLIGHT | :::: |
| | | SPEAKR |
| STRT() |_____________________| :::: |
| SLCT() GAME BOY ADVANCE VOLUME |
|____ OFF-ON BATTERY 2xAA PHONES _==_|
\__.##.__________________,,___/
|
_______________________ _ | _____________________ | / / || || / / || 2.9" TFT SCREEN || / / || 240x160pix 61x40mm || / / || WITH BACKLIGHT || / / || || GBA SP SIDE VIEWS / / ||_____________________|| / / | GAME BOY ADVANCE SP | _____________________(_) |_______________________| |. . . . . . . .'.'. _| |_|________|________|_|_| |_CARTRIDGE_:_BATT._:_|_| <-- EXT1/EXT2 |L EXT1 EXT2 R| | (*) LEDSo _____________________ _ (VOL_||_ (A) o |_____________________(_) | |_ _| ,,,,,(B) | |. . . . . . . .'.'. _| | || ;SPK; | |_CARTRIDGE_:_BATT._:_|_| <-- EXT1/EXT2 | ''''' ON # _ _____________________ | SLCT STRT OFF# _____________________(_)_____________________| | CART. () () | |. . . . . . . .'.'. _| |_:___________________:_| |_CARTRIDGE_:_BATT._:_|_| <-- EXT1/EXT2 |
________________SIO_______________
| L __________________ R |
| | GBA-MICRO | |
| _||_ | 2.0" TFT SCREEN | (A)| +
||_ _| |240x160pix 42x28mm| (B) |VOL
| || | BACKLIGHT | | -
| |__________________| ... |
|___________SELECT__START__________|
PWR <--- CARTRIDGE SLOT ---> PHONES
|
_____________________________________
| _____________________ |
| | | |
| | 3" TFT SCREEN | |
| | 256x192pix 61x46mm | |
| | BACKLIGHT | |
| ::::: | Original NDS | ::::: |
| ::::: |_____________________| ::::: |
_| _ ______ _ |_ <-- gap between screens: 22mm
|L|_______| |________| |_| |_______|R| (equivalent to 90 pixels)
|_______ _____________________ _______|
| PWR | | | |SEL STA|
| _ | | 3" TFT SCREEN | | |
| _| |_ | | 256x192pix 61x46mm | | X |
||_ _|| | BACKLIGHT | | Y A |
| |_| | | TOUCH SCREEN | | B |
| | |_____________________| | |
|_______| NintendoDS |_______|
| MIC LEDS |
|_________________________________________|
VOL SLOT2(GBA) MIC/PHONES
|
_____________________________________
| _____________________ |
| | | |
| | 3" TFT SCREEN | |
| ... | 256x192pix 61x46mm | ... |
| ... | BACKLIGHT | ... |
| | NDS-LITE | |
| |_____________________| |
|___ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ____| <-- gap between screens: 23mm
L| _ |_____________MIC____________|LEDS|R
| _ _____________________ |
| _| |_ | | X |
||_ _|| 3" TFT SCREEN | Y A |PWR
| |_| | 256x192pix 61x46mm | B |
| | BACKLIGHT | |
| | TOUCH SCREEN |oSTART |
| |_____________________|oSELECT|
|_____________________________________|
VOL SLOT2(GBA) MIC/PHONES
|
_____________________________________
| _____________________ |
| | | O o | <-- CAM (O) and LED (o)
| | 3.25" TFT SCREEN | | (on backside)
| | 256x192pix 66x50mm | |
| | BACKLIGHT | |
| __ | DSi | __ |
| (__) |_____________________| (__) |
|___ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ____| <-- gap between screens: 23mm
L|LEDS|__________CAM__MIC_________| __ |R (88 pixels)
+ | _ _____________________ |
VOL| _| |_ | | X | <-- SD Card Slot
- ||_ _|| 3.25" TFT SCREEN | Y A |
| |_| | 256x192pix 66x50mm | B |
| | BACKLIGHT | |
| | TOUCH SCREEN |oSTART |
| POWERo|_____________________|oSELECT|
|_____________________________________|
MIC/PHONES
|
As DSi, but bigger case, and bigger 4.2" screens |
_________
L____------- -------____R
/ ___ \ / (Y) \Z
/ / O \ | (START) | (X)\ Z = Gameboy Player Menu
| \___/ \_______/ (A) | X or Y = Select button
|\ _ \ / (B) /|
| \___ _| |_ \ / ___ ___/ | optionally X/Y can be
| |\ |_ _| / \ / C \ /| | swapped with L/R (?)
| | \ |_| / \ \___/ / | |
| | \_____/ \_____/ | | analogue sticks = ?
\__/ \__/
|
_______ _______
/ Y \ / X \ Y/B = left bongo rear/front side
| . . . . |_| . . . . | X/A = right bongo rear/front side
| B |R| A | S = start/pause button
|\_______/|_|\_______/| R = microphone (triggers R button)
|\_______/|S|\_______/|
| |_| | (the X/Y inputs can be assigned to
|\_______/| |\_______/| GBA R/L inputs in GBA player setup)
\_______/ \_______/
|
| GBA Memory Map |
00000000-00003FFF BIOS - System ROM (16 KBytes) 00004000-01FFFFFF Not used 02000000-0203FFFF WRAM - On-board Work RAM (256 KBytes) 2 Wait 02040000-02FFFFFF Not used 03000000-03007FFF WRAM - On-chip Work RAM (32 KBytes) 03008000-03FFFFFF Not used 04000000-040003FE I/O Registers 04000400-04FFFFFF Not used |
05000000-050003FF BG/OBJ Palette RAM (1 Kbyte) 05000400-05FFFFFF Not used 06000000-06017FFF VRAM - Video RAM (96 KBytes) 06018000-06FFFFFF Not used 07000000-070003FF OAM - OBJ Attributes (1 Kbyte) 07000400-07FFFFFF Not used |
08000000-09FFFFFF Game Pak ROM/FlashROM (max 32MB) - Wait State 0 0A000000-0BFFFFFF Game Pak ROM/FlashROM (max 32MB) - Wait State 1 0C000000-0DFFFFFF Game Pak ROM/FlashROM (max 32MB) - Wait State 2 0E000000-0E00FFFF Game Pak SRAM (max 64 KBytes) - 8bit Bus width 0E010000-0FFFFFFF Not used |
10000000-FFFFFFFF Not used (upper 4bits of address bus unused) |
Region Bus Read Write Cycles BIOS ROM 32 8/16/32 - 1/1/1 Work RAM 32K 32 8/16/32 8/16/32 1/1/1 I/O 32 8/16/32 8/16/32 1/1/1 OAM 32 8/16/32 16/32 1/1/1 * Work RAM 256K 16 8/16/32 8/16/32 3/3/6 ** Palette RAM 16 8/16/32 16/32 1/1/2 * VRAM 16 8/16/32 16/32 1/1/2 * GamePak ROM 16 8/16/32 - 5/5/8 **/*** GamePak Flash 16 8/16/32 16/32 5/5/8 **/*** GamePak SRAM 8 8 8 5 ** |
* Plus 1 cycle if GBA accesses video memory at the same time. ** Default waitstate settings, see System Control chapter. *** Separate timings for sequential, and non-sequential accesses. One cycle equals approx. 59.59ns (ie. 16.78MHz clock). |
| GBA I/O Map |
4000000h 2 R/W DISPCNT LCD Control 4000002h 2 R/W - Undocumented - Green Swap 4000004h 2 R/W DISPSTAT General LCD Status (STAT,LYC) 4000006h 2 R VCOUNT Vertical Counter (LY) 4000008h 2 R/W BG0CNT BG0 Control 400000Ah 2 R/W BG1CNT BG1 Control 400000Ch 2 R/W BG2CNT BG2 Control 400000Eh 2 R/W BG3CNT BG3 Control 4000010h 2 W BG0HOFS BG0 X-Offset 4000012h 2 W BG0VOFS BG0 Y-Offset 4000014h 2 W BG1HOFS BG1 X-Offset 4000016h 2 W BG1VOFS BG1 Y-Offset 4000018h 2 W BG2HOFS BG2 X-Offset 400001Ah 2 W BG2VOFS BG2 Y-Offset 400001Ch 2 W BG3HOFS BG3 X-Offset 400001Eh 2 W BG3VOFS BG3 Y-Offset 4000020h 2 W BG2PA BG2 Rotation/Scaling Parameter A (dx) 4000022h 2 W BG2PB BG2 Rotation/Scaling Parameter B (dmx) 4000024h 2 W BG2PC BG2 Rotation/Scaling Parameter C (dy) 4000026h 2 W BG2PD BG2 Rotation/Scaling Parameter D (dmy) 4000028h 4 W BG2X BG2 Reference Point X-Coordinate 400002Ch 4 W BG2Y BG2 Reference Point Y-Coordinate 4000030h 2 W BG3PA BG3 Rotation/Scaling Parameter A (dx) 4000032h 2 W BG3PB BG3 Rotation/Scaling Parameter B (dmx) 4000034h 2 W BG3PC BG3 Rotation/Scaling Parameter C (dy) 4000036h 2 W BG3PD BG3 Rotation/Scaling Parameter D (dmy) 4000038h 4 W BG3X BG3 Reference Point X-Coordinate 400003Ch 4 W BG3Y BG3 Reference Point Y-Coordinate 4000040h 2 W WIN0H Window 0 Horizontal Dimensions 4000042h 2 W WIN1H Window 1 Horizontal Dimensions 4000044h 2 W WIN0V Window 0 Vertical Dimensions 4000046h 2 W WIN1V Window 1 Vertical Dimensions 4000048h 2 R/W WININ Inside of Window 0 and 1 400004Ah 2 R/W WINOUT Inside of OBJ Window & Outside of Windows 400004Ch 2 W MOSAIC Mosaic Size 400004Eh - - Not used 4000050h 2 R/W BLDCNT Color Special Effects Selection 4000052h 2 R/W BLDALPHA Alpha Blending Coefficients 4000054h 2 W BLDY Brightness (Fade-In/Out) Coefficient 4000056h - - Not used |
4000060h 2 R/W SOUND1CNT_L Channel 1 Sweep register (NR10) 4000062h 2 R/W SOUND1CNT_H Channel 1 Duty/Length/Envelope (NR11, NR12) 4000064h 2 R/W SOUND1CNT_X Channel 1 Frequency/Control (NR13, NR14) 4000066h - - Not used 4000068h 2 R/W SOUND2CNT_L Channel 2 Duty/Length/Envelope (NR21, NR22) 400006Ah - - Not used 400006Ch 2 R/W SOUND2CNT_H Channel 2 Frequency/Control (NR23, NR24) 400006Eh - - Not used 4000070h 2 R/W SOUND3CNT_L Channel 3 Stop/Wave RAM select (NR30) 4000072h 2 R/W SOUND3CNT_H Channel 3 Length/Volume (NR31, NR32) 4000074h 2 R/W SOUND3CNT_X Channel 3 Frequency/Control (NR33, NR34) 4000076h - - Not used 4000078h 2 R/W SOUND4CNT_L Channel 4 Length/Envelope (NR41, NR42) 400007Ah - - Not used 400007Ch 2 R/W SOUND4CNT_H Channel 4 Frequency/Control (NR43, NR44) 400007Eh - - Not used 4000080h 2 R/W SOUNDCNT_L Control Stereo/Volume/Enable (NR50, NR51) 4000082h 2 R/W SOUNDCNT_H Control Mixing/DMA Control 4000084h 2 R/W SOUNDCNT_X Control Sound on/off (NR52) 4000086h - - Not used 4000088h 2 BIOS SOUNDBIAS Sound PWM Control 400008Ah .. - - Not used 4000090h 2x10h R/W WAVE_RAM Channel 3 Wave Pattern RAM (2 banks!!) 40000A0h 4 W FIFO_A Channel A FIFO, Data 0-3 40000A4h 4 W FIFO_B Channel B FIFO, Data 0-3 40000A8h - - Not used |
40000B0h 4 W DMA0SAD DMA 0 Source Address 40000B4h 4 W DMA0DAD DMA 0 Destination Address 40000B8h 2 W DMA0CNT_L DMA 0 Word Count 40000BAh 2 R/W DMA0CNT_H DMA 0 Control 40000BCh 4 W DMA1SAD DMA 1 Source Address 40000C0h 4 W DMA1DAD DMA 1 Destination Address 40000C4h 2 W DMA1CNT_L DMA 1 Word Count 40000C6h 2 R/W DMA1CNT_H DMA 1 Control 40000C8h 4 W DMA2SAD DMA 2 Source Address 40000CCh 4 W DMA2DAD DMA 2 Destination Address 40000D0h 2 W DMA2CNT_L DMA 2 Word Count 40000D2h 2 R/W DMA2CNT_H DMA 2 Control 40000D4h 4 W DMA3SAD DMA 3 Source Address 40000D8h 4 W DMA3DAD DMA 3 Destination Address 40000DCh 2 W DMA3CNT_L DMA 3 Word Count 40000DEh 2 R/W DMA3CNT_H DMA 3 Control 40000E0h - - Not used |
4000100h 2 R/W TM0CNT_L Timer 0 Counter/Reload 4000102h 2 R/W TM0CNT_H Timer 0 Control 4000104h 2 R/W TM1CNT_L Timer 1 Counter/Reload 4000106h 2 R/W TM1CNT_H Timer 1 Control 4000108h 2 R/W TM2CNT_L Timer 2 Counter/Reload 400010Ah 2 R/W TM2CNT_H Timer 2 Control 400010Ch 2 R/W TM3CNT_L Timer 3 Counter/Reload 400010Eh 2 R/W TM3CNT_H Timer 3 Control 4000110h - - Not used |
4000120h 4 R/W SIODATA32 SIO Data (Normal-32bit Mode; shared with below) 4000120h 2 R/W SIOMULTI0 SIO Data 0 (Parent) (Multi-Player Mode) 4000122h 2 R/W SIOMULTI1 SIO Data 1 (1st Child) (Multi-Player Mode) 4000124h 2 R/W SIOMULTI2 SIO Data 2 (2nd Child) (Multi-Player Mode) 4000126h 2 R/W SIOMULTI3 SIO Data 3 (3rd Child) (Multi-Player Mode) 4000128h 2 R/W SIOCNT SIO Control Register 400012Ah 2 R/W SIOMLT_SEND SIO Data (Local of MultiPlayer; shared below) 400012Ah 2 R/W SIODATA8 SIO Data (Normal-8bit and UART Mode) 400012Ch - - Not used |
4000130h 2 R KEYINPUT Key Status 4000132h 2 R/W KEYCNT Key Interrupt Control |
4000134h 2 R/W RCNT SIO Mode Select/General Purpose Data 4000136h - - IR Ancient - Infrared Register (Prototypes only) 4000138h - - Not used 4000140h 2 R/W JOYCNT SIO JOY Bus Control 4000142h - - Not used 4000150h 4 R/W JOY_RECV SIO JOY Bus Receive Data 4000154h 4 R/W JOY_TRANS SIO JOY Bus Transmit Data 4000158h 2 R/? JOYSTAT SIO JOY Bus Receive Status 400015Ah - - Not used |
4000200h 2 R/W IE Interrupt Enable Register 4000202h 2 R/W IF Interrupt Request Flags / IRQ Acknowledge 4000204h 2 R/W WAITCNT Game Pak Waitstate Control 4000206h - - Not used 4000208h 2 R/W IME Interrupt Master Enable Register 400020Ah - - Not used 4000300h 1 R/W POSTFLG Undocumented - Post Boot Flag 4000301h 1 W HALTCNT Undocumented - Power Down Control 4000302h - - Not used 4000410h ? ? ? Undocumented - Purpose Unknown / Bug ??? 0FFh 4000411h - - Not used 4000800h 4 R/W ? Undocumented - Internal Memory Control (R/W) 4000804h - - Not used 4xx0800h 4 R/W ? Mirrors of 4000800h (repeated each 64K) |
| GBA LCD Video Controller |
| LCD I/O Display Control |
Bit Expl. 0-2 BG Mode (0-5=Video Mode 0-5, 6-7=Prohibited) 3 Reserved / CGB Mode (0=GBA, 1=CGB; can be set only by BIOS opcodes) 4 Display Frame Select (0-1=Frame 0-1) (for BG Modes 4,5 only) 5 H-Blank Interval Free (1=Allow access to OAM during H-Blank) 6 OBJ Character VRAM Mapping (0=Two dimensional, 1=One dimensional) 7 Forced Blank (1=Allow FAST access to VRAM,Palette,OAM) 8 Screen Display BG0 (0=Off, 1=On) 9 Screen Display BG1 (0=Off, 1=On) 10 Screen Display BG2 (0=Off, 1=On) 11 Screen Display BG3 (0=Off, 1=On) 12 Screen Display OBJ (0=Off, 1=On) 13 Window 0 Display Flag (0=Off, 1=On) 14 Window 1 Display Flag (0=Off, 1=On) 15 OBJ Window Display Flag (0=Off, 1=On) |
Mode Rot/Scal Layers Size Tiles Colors Features 0 No 0123 256x256..512x515 1024 16/16..256/1 SFMABP 1 Mixed 012- (BG0,BG1 as above Mode 0, BG2 as below Mode 2) 2 Yes --23 128x128..1024x1024 256 256/1 S-MABP 3 Yes --2- 240x160 1 32768 --MABP 4 Yes --2- 240x160 2 256/1 --MABP 5 Yes --2- 160x128 2 32768 --MABP |
Bit Expl. 0 Green Swap (0=Normal, 1=Swap) 1-15 Not used |
| LCD I/O Interrupts and Status |
Bit Expl. 0 V-Blank flag (Read only) (1=VBlank) (set in line 160..226; not 227) 1 H-Blank flag (Read only) (1=HBlank) (toggled in all lines, 0..227) 2 V-Counter flag (Read only) (1=Match) (set in selected line) (R) 3 V-Blank IRQ Enable (1=Enable) (R/W) 4 H-Blank IRQ Enable (1=Enable) (R/W) 5 V-Counter IRQ Enable (1=Enable) (R/W) 6 Not used (0) / DSi: LCD Initialization Ready (0=Busy, 1=Ready) (R) 7 Not used (0) / NDS: MSB of V-Vcount Setting (LYC.Bit8) (0..262)(R/W) 8-15 V-Count Setting (LYC) (0..227) (R/W) |
Bit Expl. 0-7 Current Scanline (LY) (0..227) (R) 8 Not used (0) / NDS: MSB of Current Scanline (LY.Bit8) (0..262) (R) 9-15 Not Used (0) |
| LCD I/O BG Control |
Bit Expl. 0-1 BG Priority (0-3, 0=Highest) 2-3 Character Base Block (0-3, in units of 16 KBytes) (=BG Tile Data) 4-5 Not used (must be zero) (except in NDS mode: MSBs of char base) 6 Mosaic (0=Disable, 1=Enable) 7 Colors/Palettes (0=16/16, 1=256/1) 8-12 Screen Base Block (0-31, in units of 2 KBytes) (=BG Map Data) 13 BG0/BG1: Not used (except in NDS mode: Ext Palette Slot for BG0/BG1) 13 BG2/BG3: Display Area Overflow (0=Transparent, 1=Wraparound) 14-15 Screen Size (0-3) |
Value Text Mode Rotation/Scaling Mode 0 256x256 (2K) 128x128 (256 bytes) 1 512x256 (4K) 256x256 (1K) 2 256x512 (4K) 512x512 (4K) 3 512x512 (8K) 1024x1024 (16K) |
| LCD I/O BG Scrolling |
Bit Expl. 0-8 Offset (0-511) 9-15 Not used |
| LCD I/O BG Rotation/Scaling |
Bit Expl. 0-7 Fractional portion (8 bits) 8-26 Integer portion (19 bits) 27 Sign (1 bit) 28-31 Not used |
Bit Expl. 0-7 Fractional portion (8 bits) 8-14 Integer portion (7 bits) 15 Sign (1 bit) |
Rotation Center X and Y Coordinates (x0,y0) Rotation Angle (alpha) Magnification X and Y Values (xMag,yMag) |
A = Cos (alpha) / xMag ;distance moved in direction x, same line B = Sin (alpha) / xMag ;distance moved in direction x, next line C = Sin (alpha) / yMag ;distance moved in direction y, same line D = Cos (alpha) / yMag ;distance moved in direction y, next line |
x0,y0 Rotation Center x1,y1 Old Position of a pixel (before rotation/scaling) x2,y2 New position of above pixel (after rotation scaling) A,B,C,D BG2PA-BG2PD Parameters (as calculated above) |
x2 = A(x1-x0) + B(y1-y0) + x0 y2 = C(x1-x0) + D(y1-y0) + y0 |
| LCD I/O Window Feature |
Bit Expl. 0-7 X2, Rightmost coordinate of window, plus 1 8-15 X1, Leftmost coordinate of window |
Bit Expl. 0-7 Y2, Bottom-most coordinate of window, plus 1 8-15 Y1, Top-most coordinate of window |
Bit Expl. 0-3 Window 0 BG0-BG3 Enable Bits (0=No Display, 1=Display) 4 Window 0 OBJ Enable Bit (0=No Display, 1=Display) 5 Window 0 Color Special Effect (0=Disable, 1=Enable) 6-7 Not used 8-11 Window 1 BG0-BG3 Enable Bits (0=No Display, 1=Display) 12 Window 1 OBJ Enable Bit (0=No Display, 1=Display) 13 Window 1 Color Special Effect (0=Disable, 1=Enable) 14-15 Not used |
Bit Expl. 0-3 Outside BG0-BG3 Enable Bits (0=No Display, 1=Display) 4 Outside OBJ Enable Bit (0=No Display, 1=Display) 5 Outside Color Special Effect (0=Disable, 1=Enable) 6-7 Not used 8-11 OBJ Window BG0-BG3 Enable Bits (0=No Display, 1=Display) 12 OBJ Window OBJ Enable Bit (0=No Display, 1=Display) 13 OBJ Window Color Special Effect (0=Disable, 1=Enable) 14-15 Not used |
| LCD I/O Mosaic Function |
Bit Expl. 0-3 BG Mosaic H-Size (minus 1) 4-7 BG Mosaic V-Size (minus 1) 8-11 OBJ Mosaic H-Size (minus 1) 12-15 OBJ Mosaic V-Size (minus 1) 16-31 Not used |
| LCD I/O Color Special Effects |
Bit Expl.
0 BG0 1st Target Pixel (Background 0)
1 BG1 1st Target Pixel (Background 1)
2 BG2 1st Target Pixel (Background 2)
3 BG3 1st Target Pixel (Background 3)
4 OBJ 1st Target Pixel (Top-most OBJ pixel)
5 BD 1st Target Pixel (Backdrop)
6-7 Color Special Effect (0-3, see below)
0 = None (Special effects disabled)
1 = Alpha Blending (1st+2nd Target mixed)
2 = Brightness Increase (1st Target becomes whiter)
3 = Brightness Decrease (1st Target becomes blacker)
8 BG0 2nd Target Pixel (Background 0)
9 BG1 2nd Target Pixel (Background 1)
10 BG2 2nd Target Pixel (Background 2)
11 BG3 2nd Target Pixel (Background 3)
12 OBJ 2nd Target Pixel (Top-most OBJ pixel)
13 BD 2nd Target Pixel (Backdrop)
14-15 Not used
|
Bit Expl. 0-4 EVA Coefficient (1st Target) (0..16 = 0/16..16/16, 17..31=16/16) 5-7 Not used 8-12 EVB Coefficient (2nd Target) (0..16 = 0/16..16/16, 17..31=16/16) 13-15 Not used |
I = MIN ( 31, I1st*EVA + I2nd*EVB ) |
Bit Expl. 0-4 EVY Coefficient (Brightness) (0..16 = 0/16..16/16, 17..31=16/16) 5-31 Not used |
I = I1st + (31-I1st)*EVY ;For Brightness Increase I = I1st - (I1st)*EVY ;For Brightness Decrease |
| LCD VRAM Overview |
06000000-0600FFFF 64 KBytes shared for BG Map and Tiles 06010000-06017FFF 32 KBytes OBJ Tiles |
Item Depth Required Memory One Tile 4bit 20h bytes One Tile 8bit 40h bytes 1024 Tiles 4bit 8000h (32K) 1024 Tiles 8bit 10000h (64K) - excluding some bytes for BG map BG Map 32x32 800h (2K) BG Map 64x64 2000h (8K) |
Item Depth Required Memory One Tile 8bit 40h bytes 256 Tiles 8bit 4000h (16K) BG Map 16x16 100h bytes BG Map 128x128 4000h (16K) |
06000000-06013FFF 80 KBytes Frame 0 buffer (only 75K actually used) 06014000-06017FFF 16 KBytes OBJ Tiles |
06000000-06009FFF 40 KBytes Frame 0 buffer (only 37.5K used in Mode 4) 0600A000-06013FFF 40 KBytes Frame 1 buffer (only 37.5K used in Mode 4) 06014000-06017FFF 16 KBytes OBJ Tiles |
| LCD VRAM Character Data |
| LCD VRAM BG Screen Data Format (BG Map) |
Bit Expl.
0-9 Tile Number (0-1023) (a bit less in 256 color mode, because
there'd be otherwise no room for the bg map)
10 Horizontal Flip (0=Normal, 1=Mirrored)
11 Vertical Flip (0=Normal, 1=Mirrored)
12-15 Palette Number (0-15) (Not used in 256 color/1 palette mode)
|
Bit Expl. 0-7 Tile Number (0-255) |
| LCD VRAM Bitmap BG Modes |
Bit Expl. 0-4 Red Intensity (0-31) 5-9 Green Intensity (0-31) 10-14 Blue Intensity (0-31) 15 Not used in GBA Mode (in NDS Mode: Alpha=0=Transparent, Alpha=1=Normal) |
| LCD OBJ - Overview |
1210 (=304*4-6) If "H-Blank Interval Free" bit in DISPCNT register is 0 954 (=240*4-6) If "H-Blank Interval Free" bit in DISPCNT register is 1 |
Cycles per <n> Pixels OBJ Type OBJ Type Screen Pixel Range n*1 cycles Normal OBJs 8..64 pixels 10+n*2 cycles Rotation/Scaling OBJs 8..64 pixels (area clipped) 10+n*2 cycles Rotation/Scaling OBJs 16..128 pixels (double size) |
| LCD OBJ - OAM Attributes |
Bit Expl.
0-7 Y-Coordinate (0-255)
8 Rotation/Scaling Flag (0=Off, 1=On)
When Rotation/Scaling used (Attribute 0, bit 8 set):
9 Double-Size Flag (0=Normal, 1=Double)
When Rotation/Scaling not used (Attribute 0, bit 8 cleared):
9 OBJ Disable (0=Normal, 1=Not displayed)
10-11 OBJ Mode (0=Normal, 1=Semi-Transparent, 2=OBJ Window, 3=Prohibited)
12 OBJ Mosaic (0=Off, 1=On)
13 Colors/Palettes (0=16/16, 1=256/1)
14-15 OBJ Shape (0=Square,1=Horizontal,2=Vertical,3=Prohibited)
|
Bit Expl.
0-8 X-Coordinate (0-511)
When Rotation/Scaling used (Attribute 0, bit 8 set):
9-13 Rotation/Scaling Parameter Selection (0-31)
(Selects one of the 32 Rotation/Scaling Parameters that
can be defined in OAM, for details read next chapter.)
When Rotation/Scaling not used (Attribute 0, bit 8 cleared):
9-11 Not used
12 Horizontal Flip (0=Normal, 1=Mirrored)
13 Vertical Flip (0=Normal, 1=Mirrored)
14-15 OBJ Size (0..3, depends on OBJ Shape, see Attr 0)
Size Square Horizontal Vertical
0 8x8 16x8 8x16
1 16x16 32x8 8x32
2 32x32 32x16 16x32
3 64x64 64x32 32x64
|
Bit Expl. 0-9 Character Name (0-1023=Tile Number) 10-11 Priority relative to BG (0-3; 0=Highest) 12-15 Palette Number (0-15) (Not used in 256 color/1 palette mode) |
OBJ No. 0 with Priority relative to BG=1 ;hi OBJ prio, lo BG prio OBJ No. 1 with Priority relative to BG=0 ;lo OBJ prio, hi BG prio |
| LCD OBJ - OAM Rotation/Scaling Parameters |
1st Group - PA=07000006, PB=0700000E, PC=07000016, PD=0700001E 2nd Group - PA=07000026, PB=0700002E, PC=07000036, PD=0700003E etc. |
| LCD OBJ - VRAM Character (Tile) Mapping |
| LCD Color Palettes |
05000000-050001FF - BG Palette RAM (512 bytes, 256 colors) 05000200-050003FF - OBJ Palette RAM (512 bytes, 256 colors) |
Bit Expl. 0-4 Red Intensity (0-31) 5-9 Green Intensity (0-31) 10-14 Blue Intensity (0-31) 15 Not used |
| LCD Dimensions and Timings |
Visible 240 dots, 57.221 us, 960 cycles - 78% of h-time H-Blanking 68 dots, 16.212 us, 272 cycles - 22% of h-time Total 308 dots, 73.433 us, 1232 cycles - ca. 13.620 kHz |
Visible (*) 160 lines, 11.749 ms, 197120 cycles - 70% of v-time V-Blanking 68 lines, 4.994 ms, 83776 cycles - 30% of v-time Total 228 lines, 16.743 ms, 280896 cycles - ca. 59.737 Hz |
| GBA Sound Controller |
| GBA Sound Channel 1 - Tone & Sweep |
Bit Expl. 0-2 R/W Number of sweep shift (n=0-7) 3 R/W Sweep Frequency Direction (0=Increase, 1=Decrease) 4-6 R/W Sweep Time; units of 7.8ms (0-7, min=7.8ms, max=54.7ms) 7-15 - Not used |
X(t) = X(t-1) +/- X(t-1)/2^n |
Bit Expl. 0-5 W Sound length; units of (64-n)/256s (0-63) 6-7 R/W Wave Pattern Duty (0-3, see below) 8-10 R/W Envelope Step-Time; units of n/64s (1-7, 0=No Envelope) 11 R/W Envelope Direction (0=Decrease, 1=Increase) 12-15 R/W Initial Volume of envelope (1-15, 0=No Sound) |
0: 12.5% ( -_______-_______-_______ ) 1: 25% ( --______--______--______ ) 2: 50% ( ----____----____----____ ) (normal) 3: 75% ( ------__------__------__ ) |
Bit Expl. 0-10 W Frequency; 131072/(2048-n)Hz (0-2047) 11-13 - Not used 14 R/W Length Flag (1=Stop output when length in NR11 expires) 15 W Initial (1=Restart Sound) 16-31 - Not used |
| GBA Sound Channel 2 - Tone |
| GBA Sound Channel 3 - Wave Output |
Bit Expl. 0-4 - Not used 5 R/W Wave RAM Dimension (0=One bank/32 digits, 1=Two banks/64 digits) 6 R/W Wave RAM Bank Number (0-1, see below) 7 R/W Sound Channel 3 Off (0=Stop, 1=Playback) 8-15 - Not used |
Bit Expl. 0-7 W Sound length; units of (256-n)/256s (0-255) 8-12 - Not used. 13-14 R/W Sound Volume (0=Mute/Zero, 1=100%, 2=50%, 3=25%) 15 R/W Force Volume (0=Use above, 1=Force 75% regardless of above) |
Bit Expl. 0-10 W Sample Rate; 2097152/(2048-n) Hz (0-2047) 11-13 - Not used 14 R/W Length Flag (1=Stop output when length in NR31 expires) 15 W Initial (1=Restart Sound) 16-31 - Not used |
Wave RAM, single bank 32 digits Tone Frequency FFFFFFFFFFFFFFFF0000000000000000 65536/(2048-n) Hz FFFFFFFF00000000FFFFFFFF00000000 131072/(2048-n) Hz FFFF0000FFFF0000FFFF0000FFFF0000 262144/(2048-n) Hz FF00FF00FF00FF00FF00FF00FF00FF00 524288/(2048-n) Hz F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0 1048576/(2048-n) Hz |
| GBA Sound Channel 4 - Noise |
Bit Expl. 0-5 W Sound length; units of (64-n)/256s (0-63) 6-7 - Not used 8-10 R/W Envelope Step-Time; units of n/64s (1-7, 0=No Envelope) 11 R/W Envelope Direction (0=Decrease, 1=Increase) 12-15 R/W Initial Volume of envelope (1-15, 0=No Sound) 16-31 - Not used |
Bit Expl. 0-2 R/W Dividing Ratio of Frequencies (r) 3 R/W Counter Step/Width (0=15 bits, 1=7 bits) 4-7 R/W Shift Clock Frequency (s) 8-13 - Not used 14 R/W Length Flag (1=Stop output when length in NR41 expires) 15 W Initial (1=Restart Sound) 16-31 - Not used |
7bit: X=X SHR 1, IF carry THEN Out=HIGH, X=X XOR 60h ELSE Out=LOW 15bit: X=X SHR 1, IF carry THEN Out=HIGH, X=X XOR 6000h ELSE Out=LOW |
| GBA Sound Channel A and B - DMA Sound |
If Timer overflows then
Move 8bit data from FIFO to sound circuit.
If FIFO contains only 4 x 32bits (16 bytes) then
Request more data per DMA
Receive 4 x 32bit (16 bytes) per DMA
Endif
Endif
|
| GBA Sound Control Registers |
Bit Expl. 0-2 R/W Sound 1-4 Master Volume RIGHT (0-7) 3 - Not used 4-6 R/W Sound 1-4 Master Volume LEFT (0-7) 7 - Not used 8-11 R/W Sound 1-4 Enable Flags RIGHT (each Bit 8-11, 0=Disable, 1=Enable) 12-15 R/W Sound 1-4 Enable Flags LEFT (each Bit 12-15, 0=Disable, 1=Enable) |
Bit Expl. 0-1 R/W Sound # 1-4 Volume (0=25%, 1=50%, 2=100%, 3=Prohibited) 2 R/W DMA Sound A Volume (0=50%, 1=100%) 3 R/W DMA Sound B Volume (0=50%, 1=100%) 4-7 - Not used 8 R/W DMA Sound A Enable RIGHT (0=Disable, 1=Enable) 9 R/W DMA Sound A Enable LEFT (0=Disable, 1=Enable) 10 R/W DMA Sound A Timer Select (0=Timer 0, 1=Timer 1) 11 W? DMA Sound A Reset FIFO (1=Reset) 12 R/W DMA Sound B Enable RIGHT (0=Disable, 1=Enable) 13 R/W DMA Sound B Enable LEFT (0=Disable, 1=Enable) 14 R/W DMA Sound B Timer Select (0=Timer 0, 1=Timer 1) 15 W? DMA Sound B Reset FIFO (1=Reset) |
Bit Expl. 0 R Sound 1 ON flag (Read Only) 1 R Sound 2 ON flag (Read Only) 2 R Sound 3 ON flag (Read Only) 3 R Sound 4 ON flag (Read Only) 4-6 - Not used 7 R/W PSG/FIFO Master Enable (0=Disable, 1=Enable) (Read/Write) 8-31 - Not used |
Bit Expl. 0 - Not used 1-9 R/W Bias Level (Default=100h, converting signed samples into unsigned) 10-13 - Not used 14-15 R/W Amplitude Resolution/Sampling Cycle (Default=0, see below) 16-31 - Not used |
0 9bit / 32.768kHz (Default, best for DMA channels A,B) 1 8bit / 65.536kHz 2 7bit / 131.072kHz 3 6bit / 262.144kHz (Best for PSG channels 1-4) |
| GBA Comparison of CGB and GBA Sound |
| GBA Timers |
Bit Expl. 0-1 Prescaler Selection (0=F/1, 1=F/64, 2=F/256, 3=F/1024) 2 Count-up Timing (0=Normal, 1=See below) ;Not used in TM0CNT_H 3-5 Not used 6 Timer IRQ Enable (0=Disable, 1=IRQ on Timer overflow) 7 Timer Start/Stop (0=Stop, 1=Operate) 8-15 Not used |
| GBA DMA Transfers |
Bit Expl.
0-4 Not used
5-6 Dest Addr Control (0=Increment,1=Decrement,2=Fixed,3=Increment/Reload)
7-8 Source Adr Control (0=Increment,1=Decrement,2=Fixed,3=Prohibited)
9 DMA Repeat (0=Off, 1=On) (Must be zero if Bit 11 set)
10 DMA Transfer Type (0=16bit, 1=32bit)
11 Game Pak DRQ - DMA3 only - (0=Normal, 1=DRQ <from> Game Pak, DMA3)
12-13 DMA Start Timing (0=Immediately, 1=VBlank, 2=HBlank, 3=Special)
The 'Special' setting (Start Timing=3) depends on the DMA channel:
DMA0=Prohibited, DMA1/DMA2=Sound FIFO, DMA3=Video Capture
14 IRQ upon end of Word Count (0=Disable, 1=Enable)
15 DMA Enable (0=Off, 1=On)
|
2N+2(n-1)S+xI |
| GBA Communication Ports |
| SIO Normal Mode |
Bit Expl. 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode) 4-8 Not used (Should be 0, bits are read/write-able though) 9-13 Not used (Always 0, read only) 14 Not used (Should be 0, bit is read/write-able though) 15 Must be zero (0) for Normal/Multiplayer/UART modes |
Bit Expl. 0 Shift Clock (SC) (0=External, 1=Internal) 1 Internal Shift Clock (0=256KHz, 1=2MHz) 2 SI State (opponents SO) (0=Low, 1=High/None) --- (Read Only) 3 SO during inactivity (0=Low, 1=High) (applied ONLY when Bit7=0) 4-6 Not used (Read only, always 0 ?) 7 Start Bit (0=Inactive/Ready, 1=Start/Active) 8-11 Not used (R/W, should be 0) 12 Transfer Length (0=8bit, 1=32bit) 13 Must be "0" for Normal Mode 14 IRQ Enable (0=Disable, 1=Want IRQ upon completion) 15 Not used (Read only, always 0) |
(Expl. Old SO=LOW kept output until 1st clock bit received). (Expl. New SO=HIGH is automatically output at transfer completion). |
Step Sender 1st Recipient 2nd Recipient Transfer 1: DATA #0 --> UNDEF --> UNDEF --> Transfer 2: DATA #1 --> DATA #0 --> UNDEF --> Transfer 3: DATA #2 --> DATA #1 --> DATA #0 --> Transfer 4: DATA #3 --> DATA #2 --> DATA #1 --> |
| SIO Multi-Player Mode |
Bit Expl. 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode) 4-8 Not used (Should be 0, bits are read/write-able though) 9-13 Not used (Always 0, read only) 14 Not used (Should be 0, bit is read/write-able though) 15 Must be zero (0) for Normal/Multiplayer/UART modes |
Bit Expl. 0-1 Baud Rate (0-3: 9600,38400,57600,115200 bps) 2 SI-Terminal (0=Parent, 1=Child) (Read Only) 3 SD-Terminal (0=Bad connection, 1=All GBAs Ready) (Read Only) 4-5 Multi-Player ID (0=Parent, 1-3=1st-3rd child) (Read Only) 6 Multi-Player Error (0=Normal, 1=Error) (Read Only) 7 Start/Busy Bit (0=Inactive, 1=Start/Busy) (Read Only for Slaves) 8-11 Not used (R/W, should be 0) 12 Must be "0" for Multi-Player mode 13 Must be "1" for Multi-Player mode 14 IRQ Enable (0=Disable, 1=Want IRQ upon completion) 15 Not used (Read only, always 0) |
GBAs Bits Delays Timeout 1 18 None Yes 2 36 1 Yes 3 54 2 Yes 4 72 3 None |
| SIO UART Mode |
Bit Expl. 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode) 4-8 Not used (Should be 0, bits are read/write-able though) 9-13 Not used (Always 0, read only) 14 Not used (Should be 0, bit is read/write-able though) 15 Must be zero (0) for Normal/Multiplayer/UART modes |
Bit Expl. 0-1 Baud Rate (0-3: 9600,38400,57600,115200 bps) 2 CTS Flag (0=Send always/blindly, 1=Send only when SC=LOW) 3 Parity Control (0=Even, 1=Odd) 4 Send Data Flag (0=Not Full, 1=Full) (Read Only) 5 Receive Data Flag (0=Not Empty, 1=Empty) (Read Only) 6 Error Flag (0=No Error, 1=Error) (Read Only) 7 Data Length (0=7bits, 1=8bits) 8 FIFO Enable Flag (0=Disable, 1=Enable) 9 Parity Enable Flag (0=Disable, 1=Enable) 10 Send Enable Flag (0=Disable, 1=Enable) 11 Receive Enable Flag (0=Disable, 1=Enable) 12 Must be "1" for UART mode 13 Must be "1" for UART mode 14 IRQ Enable (0=Disable, 1=IRQ when any Bit 4/5/6 become set) 15 Not used (Read only, always 0) |
| SIO JOY BUS Mode |
Bit Expl. 0-3 Undocumented (current SC,SD,SI,SO state, as for General Purpose mode) 4-8 Not used (Should be 0, bits are read/write-able though) 9-13 Not used (Always 0, read only) 14 Must be "1" for JOY BUS Mode 15 Must be "1" for JOY BUS Mode |
Bit Expl. 0 Device Reset Flag (Command FFh) (Read/Acknowledge) 1 Receive Complete Flag (Command 14h or 15h?) (Read/Acknowledge) 2 Send Complete Flag (Command 15h or 14h?) (Read/Acknowledge) 3-5 Not used 6 IRQ when receiving a Device Reset Command (0=Disable, 1=Enable) 7-31 Not used |
Bit Expl. 0 Not used 1 Receive Status Flag (0=Remote GBA is/was receiving) (Read Only?) 2 Not used 3 Send Status Flag (1=Remote GBA is/was sending) (Read Only?) 4-5 General Purpose Flag (Not assigned, may be used for whatever purpose) 6-31 Not used |
Receive FFh (Command) Send 00h (GBA Type number LSB (or MSB?)) Send 04h (GBA Type number MSB (or LSB?)) Send XXh (lower 8bits of SIOSTAT register) |
Receive 00h (Command) Send 00h (GBA Type number LSB (or MSB?)) Send 04h (GBA Type number MSB (or LSB?)) Send XXh (lower 8bits of SIOSTAT register) |
Receive 15h (Command) Receive XXh (Lower 8bits of JOY_RECV_L) Receive XXh (Upper 8bits of JOY_RECV_L) Receive XXh (Lower 8bits of JOY_RECV_H) Receive XXh (Upper 8bits of JOY_RECV_H) Send XXh (lower 8bits of SIOSTAT register) |
Receive 14h (Command) Send XXh (Lower 8bits of JOY_TRANS_L) Send XXh (Upper 8bits of JOY_TRANS_L) Send XXh (Lower 8bits of JOY_TRANS_H) Send XXh (Upper 8bits of JOY_TRANS_H) Send XXh (lower 8bits of SIOSTAT register) |
| SIO General-Purpose Mode |
Bit Expl. 0 SC Data Bit (0=Low, 1=High) 1 SD Data Bit (0=Low, 1=High) 2 SI Data Bit (0=Low, 1=High) 3 SO Data Bit (0=Low, 1=High) 4 SC Direction (0=Input, 1=Output) 5 SD Direction (0=Input, 1=Output) 6 SI Direction (0=Input, 1=Output, but see below) 7 SO Direction (0=Input, 1=Output) 8 SI Interrupt Enable (0=Disable, 1=Enable) 9-13 Not used 14 Must be "0" for General-Purpose Mode 15 Must be "1" for General-Purpose or JOYBUS Mode |
| SIO Control Registers Summary |
R.15 R.14 S.13 S.12 Mode 0 x 0 0 Normal 8bit 0 x 0 1 Normal 32bit 0 x 1 0 Multiplay 16bit 0 x 1 1 UART (RS232) 1 0 x x General Purpose 1 1 x x JOY BUS |
Bit 0 1 2 3 4 5 6 7 8 9 10 11 Normal Master Rate SI/In SO/Out - - - Start - - - - Multi Baud Baud SI/In SD/In ID# Err Start - - - - UART Baud Baud CTS Parity S R Err Bits FIFO Parity Send Recv |
| GBA Wireless Adapter |
| GBA Wireless Adapter Games |
bit Generations series (Japan only) Boktai 2: Solar Boy Django (Konami) Boktai 3: Sabata's Counterattack Classic NES Series: Donkey Kong Classic NES Series: Dr. Mario Classic NES Series: Ice Climber Classic NES Series: Pac-Man Classic NES Series: Super Mario Bros. Classic NES Series: Xevious Digimon Racing (Bandai) (No Wireless Adapter support in European release) Dragon Ball Z: Buu's Fury (Atari) Famicom Mini Series: #13 Balloon Fight Famicom Mini Series: #12 Clu Clu Land Famicom Mini Series: #16 Dig Dug Famicom Mini Series: #02 Donkey Kong Famicom Mini Series: #15 Dr. Mario Famicom Mini Series: #03 Ice Climber Famicom Mini Series: #18 Makaimura Famicom Mini Series: #08 Mappy Famicom Mini Series: #11 Mario Bros. Famicom Mini Series: #06 Pac-Man Famicom Mini Series: #30 SD Gundam World Scramble Wars Famicom Mini Series: #01 Super Mario Bros. Famicom Mini Series: #21 Super Mario Bros. Famicom Mini Series: #19 Twin Bee Famicom Mini Series: #14 Wrecking Crew Famicom Mini Series: #07 Xevious Hamtaro: Ham-Ham Games (Nintendo) Lord of the Rings: The Third Age, The (EA Games) Mario Golf: Advance Tour (Nintendo) Mario Tennis: Power Tour (Nintendo) Mega Man Battle Network 5: Team Protoman (Capcom) Mega Man Battle Network 5: Team Colonel (Capcom) Mega Man Battle Network 6: Cybeast Falzar Mega Man Battle Network 6: Cybeast Gregar Momotaro Dentetsu G: Make a Gold Deck! (Japan only) Pokemon Emerald (Nintendo) Pokemon FireRed (Nintendo) Pokemon LeafGreen (Nintendo) Sennen Kazoku (Japan only) Shrek SuperSlam Sonic Advance 3 |
| GBA Wireless Adapter Login |
rcnt=8000h ;\ rcnt=80A0h ; rcnt=80A2h ; reset adapter or so wait ; rcnt=80A0h ;/ siocnt=5003h ;\set 32bit normal mode, 2MHz internal clock rcnt=0000h ;/ passes=0, index=0 @@lop: passes=passes+1, if passes>32 then ERROR ;give up (usually only 10 passses) recv.lo=siodata AND FFFFh ;response from adapter recv.hi=siodata/10000h ;adapter's own "NI" data if send.hi<>recv.lo then index=0, goto @@stuck ;<-- fallback to index=0 if (send.lo XOR FFFFh)<>recv.lo then goto @@stuck if (send.hi XOR FFFFh)<>recv.hi then goto @@stuck index=index+1 @@stuck: send.lo=halfword[@@key_string+index*2] send.hi=recv.hi XOR FFFFh siodata=send.lo+(send.hi*10000h) siocnt.bit7=1 ;<-- start transmission if index<4 then goto @@lop ret @@key_string db 'NINTENDO',01h,80h ;10 bytes (5 halfwords; index=0..4) |
GBA ADAPTER
xxxx494E ;\ <--> xxxxxxxx
xxxx494E ; "NI" <--> "NI"/; 494EB6B1 ;\
NOT("NI") /; B6B1494E ;/ <--> \; 494EB6B1 ; NOT("NI")
\; B6B1544E ;\"NT" <--> "NT"/; 544EB6B1 ;/
NOT("NT") /; ABB1544E ;/ <--> \; 544EABB1 ;\NOT("NT")
\; ABB14E45 ;\"EN" <--> "EN"/; 4E45ABB1 ;/
NOT("EN") /; B1BA4E45 ;/ <--> \; 4E45B1BA ;\NOT("EN")
\; B1BA4F44 ;\"DO" <--> "DO"/; 4F44B1BA ;/
NOT("DO") /; B0BB4F44 ;/ <--> \; 4F44B0BB ;\NOT("DO")
\; B0BB8001 ;-fin <--> fin-; 8001B0BB ;/
\ \ \ \
\ LSBs=Own \ LSBs=Inverse of
\ Data.From.Gba \ Prev.Data.From.Gba
\ \
MSBs=Inverse of MSBs=Own
Prev.Data.From.Adapter Data.From.Adapter
|
| GBA Wireless Adapter Commands |
GBA Adapter 9966ppcch 80000000h ;-send command (cc), and num param_words (pp) <param01> 80000000h ;\ <param02> 80000000h ; send "pp" parameter word(s), if any ... ... ;/ 80000000h 9966rraah ;-recv ack (aa=cc+80h), and num response_words (rr) 80000000? <reply01> ;\ 80000000? <reply02> ; recv "rr" response word(s), if any ... ... ;/ |
wait until [4000128h].Bit2=0 ;want SI=0 set [4000128h].Bit3=1 ;set SO=1 wait until [4000128h].Bit2=1 ;want SI=1 set [4000128h].Bit3=0,Bit7=1 ;set SO=0 and start 32bit transfer |
Cmd Para Reply Name 10h - - Hello (send immediately after login) 11h - 1 Good/Bad response to cmd 16h ? 12h 13h - 1 14h 15h 16h 6 - Introduce (send game/user name) 17h 1 - Config (send after Hello) (eg. param=003C0420h or 003C043Ch) 18h 19h 1Ah 1Bh 1Ch - - 1Dh - NN Get Directory? (receive list of game/user names?) 1Eh - NN Get Directory? (receive list of game/user names?) 1Fh 1 - Select Game for Download (send 16bit Game_ID) |
20h - 1 21h - 1 Good/Bad response to cmd 1Fh ? 22h 23h 24h - - 25h ;use EXT clock! 26h - - 27h - - Begin Download ? ;use EXT clock! 28h 29h 2Ah 2Bh 2Ch 2Dh 2Eh 2Fh |
30h 1 - 31h 32h 33h 34h 35h ;use EXT clock! 36h 37h ;use EXT clock! 38h 39h 3Ah 3Bh 3Ch 3Dh - - Bye (return to language select) 3Eh 3Fh |
| GBA Wireless Adapter Component Lists |
U1 32pin Freescale MC13190 (2.4 GHz ISM band transceiver) U2 48pin Freescale CT3000 or CT3001 (depending on adapter version) X3 2pin 9.5MHz crystal |
Sticker on Case:
"GAME BOY advance, WIRELESS ADAPTER"
"Pat.Pend.Made in Philipines, CE0125(!)B"
"MODEL NO./MODELE NO.AGB-015 D-63760 Grossosteim P/AGB-A-WA-EUR-2 E3"
PCB: "19-C046-04, A-7" (top side) and "B-7" and Microchip ",\\" (bottom side)
PCB: white stamp "3104, 94V-0, RU, TW-15"
PCB: black stamp "22FDE"
U1 32pin "Freescale 13190, 4WFQ" (MC13190) (2.4 GHz ISM band transceiver)
U2 48pin "Freescale CT3001, XAC0445" (bottom side)
X3 2pin "D959L4I" (9.5MHz) (top side) (ca. 19 clks per 2us)
|
D1 5pin "D6F, 44" (top side, below X3) U71 6pin ".., () 2" (top side, right of X3, tiny black chip) B71 6pin "[]" (top side, right of X3, small white chip) ANT 2pin on-board copper wings Q? 3pin (top side, above CN1) Q? 3pin (top side, above CN1) D? 2pin "72" (top side, above CN1) D3 2pin "F2" (top side, above CN1) U200 4pin "MSV" (top side, above CN1) U202 5pin "LXKA" (top side, right of CN1) U203 4pin "M6H" (top side, right of CN1) CN1 6pin connector to GBA link port (top side) |
U201 5pin "LXVB" (bottom side, near CN1) U72 4pin "BMs" (bottom side, near ANT, tiny black chip) FL70 ?pin "[] o26" (bottom side, near ANT, bigger white chip) B70 6pin "[]" (bottom side, near ANT, small white chip) |
Sticker on Case: N/A PCB: "19-C046-03, A-1" (top side) and "B-1" and Microchip ",\\" (bottom side) PCB: white stamp "3204, TW-15, RU, 94V-0" PCB: black stamp "23MN" or "23NH" or so (smeared) U1 32pin "Freescale 13190, 4FGD" (top side) U2 48pin "Freescale CT3000, XAB0425" (bottom side) ;CT3000 (not CT3001) X3 2pin "9.5SKSS4GT" (top side) |
D1 5pin "D6F, 31" (top side, below X3) U71 6pin "P3, () 2" (top side, right of X3, tiny black chip) B71 6pin "[]" (top side, right of X3, small white chip) ANT 2pin on-board copper wings Q70 3pin (top side, above CN1) D? 2pin "72" (top side, above CN1) D3 2pin "F2" (top side, above CN1) U200 4pin "MSV" (top side, above CN1) U202 5pin "LXKH" (top side, right of CN1) U203 4pin "M6H" (top side, right of CN1) CN1 6pin connector to GBA link port (top side) |
U201 5pin "LXV2" (bottom side, near CN1) U70 6pin "AAG" (bottom side, near ANT, tiny black chip) FL70 ?pin "[] o26" (bottom side, near ANT, bigger white chip) B70 6pin "[]" (bottom side, near ANT, small white chip) |
Sticker "N/A" vs "Grossosteim P/AGB-A-WA-EUR-2 E3" PCB-markings "19-C046-03, A-1, 3204" vs "19-C046-04, A-7, 3104" U1 "CT3000, XAB0425" vs "CT3001, XAC0445" Transistors One transistor (Q70) vs Two transistors (both nameless) U70/U72 U70 "AAG" (6pin) vs U72 "BMs" (4pin) |
| GBA Infrared Communication |
Bit Expl. 0 Transmission Data (0=LED Off, 1=LED On) 1 READ Enable (0=Disable, 1=Enable) 2 Reception Data (0=None, 1=Signal received) (Read only) 3 AMP Operation (0=Off, 1=On) 4 IRQ Enable Flag (0=Disable, 1=Enable) 5-15 Not used |
| GBA Keypad Input |
Bit Expl. 0 Button A (0=Pressed, 1=Released) 1 Button B (etc.) 2 Select (etc.) 3 Start (etc.) 4 Right (etc.) 5 Left (etc.) 6 Up (etc.) 7 Down (etc.) 8 Button R (etc.) 9 Button L (etc.) 10-15 Not used |
Bit Expl. 0 Button A (0=Ignore, 1=Select) 1 Button B (etc.) 2 Select (etc.) 3 Start (etc.) 4 Right (etc.) 5 Left (etc.) 6 Up (etc.) 7 Down (etc.) 8 Button R (etc.) 9 Button L (etc.) 10-13 Not used 14 IRQ Enable Flag (0=Disable, 1=Enable) 15 IRQ Condition (0=Logical OR, 1=Logical AND) |
| GBA Interrupt Control |
Bit Expl. 0 Disable all interrupts (0=Disable All, 1=See IE register) 1-31 Not used |
Bit Expl. 0 LCD V-Blank (0=Disable) 1 LCD H-Blank (etc.) 2 LCD V-Counter Match (etc.) 3 Timer 0 Overflow (etc.) 4 Timer 1 Overflow (etc.) 5 Timer 2 Overflow (etc.) 6 Timer 3 Overflow (etc.) 7 Serial Communication (etc.) 8 DMA 0 (etc.) 9 DMA 1 (etc.) 10 DMA 2 (etc.) 11 DMA 3 (etc.) 12 Keypad (etc.) 13 Game Pak (external IRQ source) (etc.) 14-15 Not used |
Bit Expl. 0 LCD V-Blank (1=Request Interrupt) 1 LCD H-Blank (etc.) 2 LCD V-Counter Match (etc.) 3 Timer 0 Overflow (etc.) 4 Timer 1 Overflow (etc.) 5 Timer 2 Overflow (etc.) 6 Timer 3 Overflow (etc.) 7 Serial Communication (etc.) 8 DMA 0 (etc.) 9 DMA 1 (etc.) 10 DMA 2 (etc.) 11 DMA 3 (etc.) 12 Keypad (etc.) 13 Game Pak (external IRQ source) (etc.) 14-15 Not used |
00000018 b 128h ;IRQ vector: jump to actual BIOS handler 00000128 stmfd r13!,r0-r3,r12,r14 ;save registers to SP_irq 0000012C mov r0,4000000h ;ptr+4 to 03FFFFFC (mirror of 03007FFC) 00000130 add r14,r15,0h ;retadr for USER handler $+8=138h 00000134 ldr r15,[r0,-4h] ;jump to [03FFFFFC] USER handler 00000138 ldmfd r13!,r0-r3,r12,r14 ;restore registers from SP_irq 0000013C subs r15,r14,4h ;return from IRQ (PC=LR-4, CPSR=SPSR) |
Addr. Size Expl. 3007FFCh 4 Pointer to user IRQ handler (32bit ARM code) 3007FF8h 2 Interrupt Check Flag (for IntrWait/VBlankIntrWait functions) 3007FF4h 4 Allocated Area 3007FF0h 4 Pointer to Sound Buffer 3007FE0h 16 Allocated Area 3007FA0h 64 Default area for SP_svc Supervisor Stack (4 words/time) 3007F00h 160 Default area for SP_irq Interrupt Stack (6 words/time) |
SP_svc=03007FE0h SP_irq=03007FA0h SP_usr=03007F00h |
| GBA System Control |
Bit Expl. 0-1 SRAM Wait Control (0..3 = 4,3,2,8 cycles) 2-3 Wait State 0 First Access (0..3 = 4,3,2,8 cycles) 4 Wait State 0 Second Access (0..1 = 2,1 cycles) 5-6 Wait State 1 First Access (0..3 = 4,3,2,8 cycles) 7 Wait State 1 Second Access (0..1 = 4,1 cycles; unlike above WS0) 8-9 Wait State 2 First Access (0..3 = 4,3,2,8 cycles) 10 Wait State 2 Second Access (0..1 = 8,1 cycles; unlike above WS0,WS1) 11-12 PHI Terminal Output (0..3 = Disable, 4.19MHz, 8.38MHz, 16.78MHz) 13 Not used 14 Game Pak Prefetch Buffer (Pipe) (0=Disable, 1=Enable) 15 Game Pak Type Flag (Read Only) (0=GBA, 1=CGB) (IN35 signal) 16-31 Not used |
Bit Expl. 0 Undocumented. First Boot Flag (0=First, 1=Further) 1-7 Undocumented. Not used. |
Bit Expl. 0-6 Undocumented. Not used. 7 Undocumented. Power Down Mode (0=Halt, 1=Stop) |
Bit Expl. 0 Disable 32K+256K WRAM (0=Normal, 1=Disable) (when off: empty/prefetch) 1-3 Unknown (Read/Write-able) 4 Unknown (Always zero, not used or write only) 5 Enable 256K WRAM (0=Disable, 1=Normal) (when off: mirror of 32K WRAM) 6-23 Unknown (Always zero, not used or write only) 24-27 Wait Control WRAM 256K (0-14 = 15..1 Waitstates, 15=Lockup) 28-31 Unknown (Read/Write-able) |
| GBA GamePak Prefetch |
1) opcodes with internal cycles (I) which do not change R15, shift/rotate
register-by-register, load opcodes (ldr,ldm,pop,swp), multiply opcodes
2) opcodes that load/store memory (ldr,str,ldm,stm,etc.)
|
"Opcodes in GamePak ROM with Internal Cycles which do not change R15" |
| GBA Cartridges |
| GBA Cartridge Header |
Address Bytes Expl. 000h 4 ROM Entry Point (32bit ARM branch opcode, eg. "B rom_start") 004h 156 Nintendo Logo (compressed bitmap, required!) 0A0h 12 Game Title (uppercase ascii, max 12 characters) 0ACh 4 Game Code (uppercase ascii, 4 characters) 0B0h 2 Maker Code (uppercase ascii, 2 characters) 0B2h 1 Fixed value (must be 96h, required!) 0B3h 1 Main unit code (00h for current GBA models) 0B4h 1 Device type (usually 00h) (bit7=DACS/debug related) 0B5h 7 Reserved Area (should be zero filled) 0BCh 1 Software version (usually 00h) 0BDh 1 Complement check (header checksum, required!) 0BEh 2 Reserved Area (should be zero filled) --- Additional Multiboot Header Entries --- 0C0h 4 RAM Entry Point (32bit ARM branch opcode, eg. "B ram_start") 0C4h 1 Boot mode (init as 00h - BIOS overwrites this value!) 0C5h 1 Slave ID Number (init as 00h - BIOS overwrites this value!) 0C6h 26 Not used (seems to be unused) 0E0h 4 JOYBUS Entry Pt. (32bit ARM branch opcode, eg. "B joy_start") |
U Unique Code (usually "A" or "B" or special meaning) TT Short Title (eg. "PM" for Pac Man) D Destination/Language (usually "J" or "E" or "P" or specific language) |
A Normal game; Older titles (mainly 2001..2003) B Normal game; Newer titles (2003..) C Normal game; Not used yet, but might be used for even newer titles F Famicom/Classic NES Series (software emulated NES games) K Yoshi and Koro Koro Puzzle (acceleration sensor) P e-Reader (dot-code scanner) R Warioware Twisted (cartridge with rumble and z-axis gyro sensor) U Boktai 1 and 2 (cartridge with RTC and solar sensor) V Drill Dozer (cartridge with rumble) |
Usually an abbreviation of the game title (eg. "PM" for "Pac Man") (unless that gamecode was already used for another game, then TT is just random) |
J Japan P Europe/Elsewhere F French S Spanish E USA/English D German I Italian |
Value Expl. 01h Joybus mode 02h Normal mode 03h Multiplay mode |
Value Expl. 01h Slave #1 02h Slave #2 03h Slave #3 |
| GBA Cartridge ROM |
| GBA Cart Backup IDs |
EEPROM_Vnnn EEPROM 512 bytes or 8 Kbytes (4Kbit or 64Kbit) SRAM_Vnnn SRAM 32 Kbytes (256Kbit) FLASH_Vnnn FLASH 64 Kbytes (512Kbit) (ID used in older files) FLASH512_Vnnn FLASH 64 Kbytes (512Kbit) (ID used in newer files) FLASH1M_Vnnn FLASH 128 Kbytes (1Mbit) |
| GBA Cart Backup SRAM/FRAM |
| GBA Cart Backup EEPROM |
2 bits "11" (Read Request) n bits eeprom address (MSB first, 6 or 14 bits, depending on EEPROM) 1 bit "0" |
4 bits - ignore these 64 bits - data (conventionally MSB first) |
2 bits "10" (Write Request) n bits eeprom address (MSB first, 6 or 14 bits, depending on EEPROM) 64 bits data (conventionally MSB first) 1 bit "0" |
| GBA Cart Backup Flash ROM |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=90h (enter ID mode) dev=[E000001h], man=[E000000h] (get device & manufacturer) [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=F0h (terminate ID mode) |
dat=[E00xxxxh] (read byte from address xxxx) |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=80h (erase command) [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=10h (erase entire chip) wait until [E000000h]=FFh (or timeout) |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=80h (erase command) [E005555h]=AAh, [E002AAAh]=55h, [E00n000h]=30h (erase sector n) wait until [E00n000h]=FFh (or timeout) |
old=IME, IME=0 (disable interrupts) [E005555h]=AAh, [E002AAAh]=55h, [E005555h]=A0h (erase/write sector command) [E00xxxxh+00h..7Fh]=dat[00h..7Fh] (write 128 bytes) IME=old (restore old IME state) wait until [E00xxxxh+7Fh]=dat[7Fh] (or timeout) |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=A0h (write byte command) [E00xxxxh]=dat (write byte to address xxxx) wait until [E00xxxxh]=dat (or timeout) |
[E005555h]=F0h (force end of write/erase command) |
[E005555h]=AAh, [E002AAAh]=55h, [E005555h]=B0h (select bank command) [E000000h]=bnk (write bank number 0..1) |
ID Name Size Sectors AverageTimings Timeouts/ms Waits D4BFh SST 64K 16x4K 20us?,?,? 10, 40, 200 3,2 1CC2h Macronix 64K 16x4K ?,?,? 10,2000,2000 8,3 1B32h Panasonic 64K 16x4K ?,?,? 10, 500, 500 4,2 3D1Fh Atmel 64K 512x128 ?,?,? ...40.., 40 8,8 1362h Sanyo 128K ? ?,?,? ? ? ? ? 09C2h Macronix 128K ? ?,?,? ? ? ? ? |
| GBA Cart Backup DACS |
| GBA Cart I/O Port (GPIO) |
bit0-3 Data Bits 0..3 (0=Low, 1=High) bit4-15 not used (0) |
bit0-3 Direction for Data Port Bits 0..3 (0=In, 1=Out) bit4-15 not used (0) |
bit0 Register 80000C4h..80000C8h Control (0=Write-Only, 1=Read/Write) bit1-15 not used (0) |
GPIO | Boktai | Wario Bit Pin | RTC SOL | GYR RBL -----------+---------+--------- 0 ROM.1 | SCK CLK | RES - 1 ROM.2 | SIO RST | CLK - 2 ROM.21 | CS - | DTA - 3 ROM.22 | - FLG | - MOT -----------+---------+--------- IRQ ROM.43 | IRQ - | - - |
| GBA Cart Real-Time Clock (RTC) |
NDS_________GBA_________GBA/Params___ stat2 control (1-byte) datetime datetime (7-byte) time time (3-byte) stat1 force reset (0-byte) clkadjust force irq (0-byte) alarm1/int1 always FFh (boktai contains code for writing 1-byte to it) alarm2 always FFh (unused) free always FFh (unused) |
Bit Dir Expl. 0 - Not used 1 R/W IRQ duty/hold related? 2 - Not used 3 R/W Per Minute IRQ (30s duty) (0=Disable, 1=Enable) 4 - Not used 5 R/W Unknown? 6 R/W 12/24-hour Mode (0=12h, 1=24h) (usually 1) 7 R Power-Off (auto cleared on read) (0=Normal, 1=Failure) |
| GBA Cart Solar Sensor |
strh 0001h,[80000c8h] ;-enable R/W mode strh 0007h,[80000c6h] ;-init I/O direction strh 0002h,[80000c4h] ;-reset counter to zero (high=reset) (I/O bit0) strh 0000h,[80000c4h] ;-clear reset (low=normal) mov r0,0 ;-initial level @@lop: strh 0001h,[80000c4h] ;-clock high ;\increase counter (I/O bit1) strh 0000h,[80000c4h] ;-clock low ;/ ldrh r1,[80000c4h] ;-read port (I/O bit3) tst r1,08h ;\ addeq r0,1 ; loop until voltage match (exit with r0=00h..FFh), tsteq r0,100h ; or until failure/timeout (exit with r0=100h) beq @@lop ;/ |
E8h total darkness (including daylight on rainy days) Dxh close to a 100 Watt Bulb 5xh reaches max level in boktai's solar gauge 00h close to a tactical nuclear bomb dropped on your city |
| GBA Cart Tilt Sensor |
E008000h (W) Write 55h to start sampling E008100h (W) Write AAh to start sampling E008200h (R) Lower 8 bits of X axis E008300h (R) Upper 4 bits of X axis, and Bit7: ADC Status (0=Busy, 1=Ready) E008400h (R) Lower 8 bits of Y axis E008500h (R) Upper 4 bits of Y axis |
wait until [E008300h].Bit7=1 or until timeout ;wait ready x = ([E008300h] AND 0Fh)*100h + [E008200h] ;get x y = ([E008500h] AND 0Fh)*100h + [E008400h] ;get y [E008000h]=55h, [E008100h]=AAh ;start next conversion |
X ranged between 0x2AF to 0x477, center at 0x392. Huh? Y ranged between 0x2C3 to 0x480, center at 0x3A0. Huh? |
| GBA Cart Gyro Sensor |
GPIO.Bit0 (W) Start Conversion GPIO.Bit1 (W) Serial Clock GPIO.Bit2 (R) Serial Data GPIO.Bit3 (W) Used for Rumble (not gyro related) |
read_gyro: mov r1,8000000h ;-cartridge base address mov r0,01h ;\enable R/W access strh r0,[r1,0c8h] ;/ mov r0,0bh ;\init direction (gpio2=input, others=output) strh r0,[r1,0c6h] ;/ ldrh r2,[r1,0c4h] ;-get current state (for keeping gpio3=rumble) orr r2,3 ;\ strh r2,[r1,0c4h] ;gpio0=1 ; start ADC conversion bic r2,1 ; strh r2,[r1,0c4h] ;gpio0=0 ;/ mov r0,00010000h ;stop-bit ;\ bic r2,2 ; @@lop: ; ldrh r3,[r1,0c4h] ;get gpio2=data ; read 16 bits strh r2,[r1,0c4h] ;gpio1=0=clk=low ; (4 dummy bits, plus 12 data bits) movs r3,r3,lsr 3 ;gpio2 to cy=data ; adcs r0,r0,r0 ;merge data, cy=done; orr r3,r2,2 ;set bit1 and delay ; strh r3,[r1,0c4h] ;gpio1=1=clk=high ; bcc @@lop ;/ bic r0,0f000h ;-strip upper 4 dummy bits (isolate 12bit adc) bx lr |
354h rotated in anti-clockwise direction (shock-speed) 64Dh rotated in anti-clockwise direction (normal fast) 6A3h rotated in anti-clockwise direction (slow) 6C0h no rotation (stopped) 6DAh rotation in clockwise direction (slow) 73Ah rotation in clockwise direction (normal fast) 9E3h rotation in clockwise direction (shock-speed) |
| GBA Cart Rumble |
| GBA Cart e-Reader |
________________ | ShortStrip | |L L| |o Center o| |n Region n| |g g| | may contain | |S pictures, S| |t instructions t| |r etc. r| |i i| |p p| |___ShortStrip___| |
| GBA Cart e-Reader Overview |
| GBA Cart e-Reader I/O Ports |
0 Output to PGA.Pin93 (which seems to be not connected to anything) 1-3 Unknown, read/write-able (not used by e-Reader BIOS) 4-15 Always zero (0) |
0 Always zero (0) 1 Reset Something? (0=Normal, 1=Reset) 2 Unknown, always set (1) 3 Unknown, read/write-able (not used by e-Reader BIOS) 4-7 Always zero (0) 8 Unknown, read/write-able (not used by e-Reader BIOS) 9-15 Always zero (0) |
0-6 Max Brightness (00h..7Fh; 00h=All black, 7Fh=One or more white) 7-15 Always zero |
0-7 Max Darkness (00h..7Fh; 00h=One or more black, 7Fh=All white) 8-15 Always zero |
0-6 Block Intensity Boundaries (0..7Fh; 7Fh=Whole block gets black) 7 Always zero |
0 Serial Data (Low/High) 1 Serial Clock (Low/High) 2 Serial Direction (0=Input, 1=Output) 3 Led/Irq Enable (0=Off, 1=On; Enable LED and Gamepak IRQ) 4 Start Scan (0=Off, 1=Start) (0-to-1 --> Resync line 0) 5 Phi 16MHz Output (0=Off, 1=On; Enable Clock for Camera, and for LED) 6 Power 3V Enable (0=Off, 1=On; Enable 3V Supply for Camera) 7 Not used (always 0) (sometimes 1) (Read only) |
0 Not used (always 0) 1 Scanline Flag (1=Scanline Received, 0=Acknowledge) 2-3 Not used (always 0) 4 Strange Bit (0=Normal, 1=Force Resync/Line0 on certain interval?) 5 LED Anode Voltage (0=3.0V, 1=5.1V; requires E00FFB0h.Bit3+5 to be set) 6 Not used (always 0) 7 Input from PGA.Pin22, always high (not used by e-Reader) (Read Only) |
Port Expl. (e-Reader Setting) 00h Maybe Chip ID (12h) (not used by e-Reader BIOS) (Read Only) 01h (05h) ;-Bit0: 1=auto-repeat scanning? 02h (0Eh) 10h-11h Vertical Scroll (calib_data[30h]+7) 12h-13h Horizontal Scroll (0030h) 14h-15h Vertical Size (00F6h=246) 16h-17h Horizontal Size (0140h=320) 20h-21h H-Blank Duration (00C4h) 22h-23h (0400h) ;-Upper-Blanking in dot-clock units? 25h (var) ;-bit1: 0=enable [57h..5Ah] ? 26h (var) ;\maybe a 16bit value 27h (var) ;/ 28h (00h) 30h Brightness/contrast (calib_data[31h]+/-nn) 31h-33h (014h,014h,014h) 34h Brightness/contrast (02h) 50h-52h 8bit Read/Write (not used by e-Reader BIOS) 53h-55h 2bit Read/Write (not used by e-Reader BIOS) 56h 8bit Read/Write (not used by e-Reader BIOS) 57h-58h 16bit value, used to autodetect/adjust register[30h] (Read Only) 59h-5Ah 16bit value, used to autodetect/adjust register[30h] (Read Only) 80h-FFh Mirrors of 00h..7Fh (not used by e-Reader BIOS) |
Port Expl. (e-Reader Setting) 00h (22h) 01h (50h) 02h-03h Vertical Scroll (calib_data[30h]+28h) 04h-05h Horizontal Scroll (001Eh) 06h-07h Vertical Size (00F6h) ;=246 08h-09h Horizontal Size (0140h) ;=320 0Ah-0Ch (not used by e-Reader BIOS) 0Dh (01h) 0Eh-0Fh (01EAh) ;=245*2 10h-11h (00F5h) ;=245 12h-13h (20h,F0h) ;maybe min/max values? 14h-15h (31h,C0h) ;maybe min/max values? 16h (00h) 17h-18h (77h,77h) 19h-1Ch (30h,30h,30h,30h) 1Dh-20h (80h,80h,80h,80h) 21h-FFh (not used by e-Reader BIOS) |
E00D000 14h ID String ('Card-E Reader 2001',0,0)
E00D014 2 Sector Checksum (NOT(x+x/10000h); x=sum of all other halfwords)
|
E00D016 8x6 [00h] Intensity Boundaries for 8x6 blocks ;see E00FF80h..AFh E00D046 1 [30h] Vertical scroll (0..36h) ;see type1.reg10h/type2.reg02h E00D047 1 [31h] Brightness or contrast ;see type1.reg30h E00D048 2 [32h] LED Duration ;see E00FFB2h..B3h E00D04A 2 [34h] Not used? (0000h) E00D04C 2 [36h] Signed value, related to adjusting the 8x6 blocks E00D04E 4 [38h] Not used? (00000077h) E00D052 4 [3Ch] Camera Type (0=none,1=DV488800,2=Whatever?) |
E00D056 FAAh Not used (zerofilled) (included in above checksum) |
call ereader_power_on call ereader_initialize for z=1 to number_of_frames for y=0 to 245 Wait until E00FFB1h.Bit1 gets set by hardware (can be handled by IRQ) Copy 14h halfwords from DFC0000h to buf+y*28h via DMA3 Reset E00FFB1h.Bit1 by software next y ;(could now check DFC0028h..DFC0086h/DFC0088h for adjusting E00FF00h..2Fh) ;(could now show image on screen, that may require to stop/pause scanning) next z call ereader_power_off Ret |
[4000204h]=5803h ;Init waitstates, and enable Phi 16MHz [DFA0000h].Bit1=1 Wait(10ms) [E00FFB0h]=40h ;Enable Power3V and reset other bits [DFA0000h].Bit1=0 [E00FFB1h]=20h ;Enable Power5V and reset other bits Wait(40ms) [E00FFB1h].Bit4=0 ;...should be already 0 ? [E00FFB0h]=40h+27h ;Phi16MHz=On, SioDtaClkDir=HighHighOut Ret |
[E00FFB0h]=04h ;Power3V=Off, Disable Everything, SioDtaClkDir=LowLowOut [DFA0000h].Bit1=0 ;...should be already 0 [E00FFB1h].Bit5=0 ;Power5V=Off Ret |
IF calib_data[3Ch] AND 03h = 1 THEN init_camera_type1 [E00FFB0h].Bit4=1 ;ScanStart IF calib_data[3Ch] AND 03h = 2 THEN init_camera_type2 Copy calib_data[00h..2Fh] to [E00FF80h+00h..2Fh] ;Intensity Boundaries Copy calib_data[32h..33h] to [E00FFB2h+00h..01h] ;LED Duration LSB,MSB [E00FFB0h].Bit3=1 ;LedIrqOn Ret |
x=MIN(0,calib_data[31h]-0Bh) Set Sio Registers (as shown for Camera Type 1, except below values...) Set Sio Registers [30h]=x [25h]=04h, [26h]=58h, [27h]=6Ch ;(could now detect/adjust <x> based on Sio Registers [57h..5Ah]) Set Sio Registers [30h]=x [25h]=06h, [26h]=E8h, [27h]=6Ch Ret |
Wait(0.5ms) Set Sio Registers (as shown for Camera Type 2) Ret |
Begin Write(A) Write(B) Read(C) Read(D) End Idle PwrOff
Dir ooooooo ooooooo ooooooo iiiiiii iiiiiii ooooooo ooooooo ooooooo
Dta ---____ AAAAAAA BBBBBBB xxxxxCx xxxxxDx ______- ------- _______
Clk ------_ ___---_ ___---_ ___---_ ___---_ ___---- ------- _______
|
Delay: Wait circa 2.5us, Ret SioBegin: SioDta=1, SioDir=Out, SioClk=1, Delay, SioDta=0, Delay, SioClk=0, Ret SioEnd: SioDta=0, SioDir=Out, Delay, SioClk=1, Delay, SioDta=1, Ret SioRead1bit: ;out: databit SioDir=In, Delay, SioClk=1, Delay, databit=SioDta, SioClk=0, Ret SioWrite1bit: ;in: databit SioDta=databit, SioDir=Out, Delay, SioClk=1, Delay, SioClk=0, Ret SioReadByte: ;in: endflag - out: data for i=7 to 0, data.bit<i>=SioRead1bit, next i, SioWrite1bit(endflag), Ret SioWriteByte: ;in: data - out: errorflag for i=7 to 0, Delay(huh/why?), SioWrite1bit(data.bit<i>), next i errorflag=SioRead1bit, SioDir=Out(huh/why?), Ret SioWriteRegisters: ;in: index, len, buffer SioBegin SioWriteByte(22h) ;command (set_index) (and write_data) SioWriteByte(index) ;index for i=0 to len-1 SioWriteByte(buffer[i]) ;write data (and auto-increment index) next SioEnd ret SioReadRegisters: ;in: index, len - out: buffer SioBegin SioWriteByte(22h) ;command (set_index) (without any write_data here) SioWriteByte(index) ;index SioBegin SioWriteByte(23h) ;command (read_data) (using above index) for i=0 to len-1 if i=len-1 then endflag=1 else endflag=0 buffer[i]=SioReadByte(endflag) ;read data (and auto-increment index) next SioEnd Ret |
C000000h-C7FFFFFh ROM (8MB) C800000h-DF7FFFFh Open Bus DF80000h-DF80001h Useless Register (R/W) DF80002h-DF9FFFFh Mirrors of DF80000h-DF80001h DFA0000h-DFA0001h Reset Register (R/W) DFA0002h-DFBFFFFh Mirrors of DFA0000h-DFA0001h DFC0000h-DFC0027h Scanline Data (320 Pixels) (R) DFC0028h-DFC0087h Brightest Pixels of 8x6 Blocks (R) DFC0088h Darkest Pixel of whole Image (R) DFC0089h-DFC00FFh Always zero DFC0100h-DFDFFFFh Mirrors of DFC0000h-DFC00FFh DFE0000h-DFFFFFFh Open Bus E000000h-E00CFFFh FLASH Bank 0 - Data E00D000h-E00DFFFh FLASH Bank 0 - Calibration Data E00E000h-E00EFFFh FLASH Bank 0 - Copy of Calibration Data E00F000h-E00FF7Fh FLASH Bank 0 - Unused region E000000h-E00EFFFh FLASH Bank 1 - Data E00F000h-E00FF7Fh FLASH Bank 1 - Unused region E00FF80h-E00FFAFh Intensity Boundaries for 8x6 Blocks (R/W) E00FFB0h Control Register 0 (R/W) E00FFB1h Control Register 1 (R/W) E00FFB2h-E00FFB3h LED Duration (16bit) (R/W) E00FFB4h-E00FFBFh Always zero E00FFC0h-E00FFFFh Mirror of E00FF80h-E00FFBFh |
Actual Shape Scanned Shape
XXXXX X X
XXXXXXX X X X
XXXXXXXXX X X X XX
XXXXXXXXX X X X XX
XXXXXXX XXXXXXX
XXXXX XXXXX
|
| GBA Cart e-Reader Dotcode Format |
XXX BLOCK 1 XXX BLOCK 2 XXX
XXXXX XXXXX XXXXX
XXXXX X X X X X X X X X X X X XXXXX X X X X X X X X X X X X XXXXX
XXXXX XXXXX XXXXX
XXX HHHHHHHHHHHHHHHHHHHH...... XXX HHHHHHHHHHHHHHHHHHHH...... XXX
.......................... ..........................
...... 3 short lines ..... ..........................
A..................................A..................................A..
A.... 26 long lines ....A........ X = Sync Marks ........A..
A.... (each 34 data dots) ....A........ H = Block Header ........A..
A....(not all lines shown here)....A........ . = Data Bits ........A..
A..................................A........ A = Address Bits ........A..
...... 3 short lines ..... ..........................
...(each 26 data dots).... ..........................
XXX .......................... XXX .......................... XXX
XXXXX XXXXX XXXXX
XXXXX X X X X X X X X X X X X XXXXX X X X X X X X X X X X X XXXXX
XXXXX XXXXX XXXXX
XXX XXX XXX
<ca. 35 blank lines>
___Snip____________________________________________________________________
|
addr[0] = 03FFh
for i = 1 to 53
addr[i] = addr[i-1] xor ((i and (-i)) * 769h)
if (i and 07h)=0 then addr[i] = addr[i] xor (769h)
if (i and 0Fh)=0 then addr[i] = addr[i] xor (769h*2)
if (i and 1Fh)=0 then addr[i] = addr[i] xor (769h*4) xor (769h)
next i
|
00h Unknown (00h)
01h Dotcode type (02h=Short, 03h=Long)
02h Unknown (00h)
03h Address of 1st Block (01h=Short, 19h=Long)
04h Total Fragment Size (40h) ;64 bytes per fragment, of which,
;48 bytes are actual data, the remaining
05h Error-Info Size (10h) ;16 bytes are error-info
06h Unknown (00h)
07h Interleave Value (1Ch=Short, 2Ch=Long)
08h..17h 16 bytes Reed-solomon error correction info for Block Header
|
4bit 00h 01h 02h 03h 04h 05h 06h 07h 08h 09h 0Ah 0Bh 0Ch 0Dh 0Eh 0Fh 5bit 00h 01h 02h 12h 04h 05h 06h 16h 08h 09h 0Ah 14h 0Ch 0Dh 11h 10h |
RAW Offset Content 000h..001h 1st 2 bytes of RAW Header 002h 1st byte of 1st fragment 003h 1st byte of 2nd fragment ... ... 002h+I-1 1st byte of last fragment 002h+I 2nd byte of 1st fragment 003h+I 2nd byte of 2nd fragment ... ... 002h+I*2-1 2nd byte of last fragment ... ... |
| GBA Cart e-Reader Data Format |
Data Header (48 bytes) Main-Title (17 bytes, or 33 bytes) Sub-Title(s) (3+18 bytes, or 33 bytes) (for each strip) (optional) VPK Size (2 byte value, total length of VPK Data in ALL strips) NULL Value (4 bytes, contained ONLY in 1st strip of GBA strips) VPK Data (length as defined in VPK Size entry, see above) |
Data Header (48 bytes) Main-Title (17 bytes, or 33 bytes) Sub-Title(s) (3+18 bytes, or 33 bytes) (for each strip) (optional) VPK Data (continued from previous strip) |
00h-01h Fixed (00h,30h)
02h Fixed (01h) ;01h="Do not calculate Global Checksum" ?
03h Primary Type (see below)
04h-05h Fixed (00h,01h) (don't care)
06h-07h Strip Size (0510h=Short, 0810h=Long Strip) ((I-1)*30h) (MSB,LSB)
08h-0Bh Fixed (00h,00h,10h,12h)
0Ch-0Dh Region/Type (see below)
0Eh Strip Type (02h=Short Strip, 01h=Long Strip) (don't care)
0Fh Fixed (00h) (don't care)
10h-11h Unknown (whatever) (don't care)
12h Fixed (10h) ;10h="Do calculate Data Checksum" ?
13h-14h Data Checksum (see below) (MSB,LSB)
15h-19h Fixed (19h,00h,00h,00h,08h)
1Ah-21h ID String ('NINTENDO')
22h-25h Fixed (00h,22h,00h,09h)
26h-29h Size Info (see below)
2Ah-2Dh Flags (see below)
2Eh Header Checksum (entries [0Ch-0Dh,10h-11h,26h-2Dh] XORed together)
2Fh Global Checksum (see below)
|
0 Card Type (upper bit) (see below) 1 Unknown (usually opposite of Bit0) (don't care) 2-7 Unknown (usually zero) |
0-3 Unknown (don't care) 4-7 Card Type (lower bits) (see below) 8-11 Region/Version (0=Japan/Original, 1=Non-japan, 2=Japan/Plus) 12-15 Unknown (don't care) |
0 Unknown (don't care)
1-4 Strip Number (01h..Number of strips)
5-8 Number of Strips (01h..0Ch) (01h..08h for Japan/Original version)
9-23 Size of all Strips (excluding Headers and Main/Sub-Titles)
(same as "VPK Size", but also including the 2-byte "VPK Size" value,
plus the 4-byte NULL value; if it is present)
24-31 Fixed (02h) (don't care)
|
0 Permission to save (0=Start Immediately, 1=Prompt for FLASH Saving) 1 Sub-Title Flag (0=Yes, 1=None) (Japan/Original: always 0=Yes) 2 Application Type (0=GBA/Z80, 1=NES) (Japan/Original: always 0=Z80) 3-31 Zero (0) (don't care) |
Bit Expl.
0-3 h1, values 1..15 shown as "10..150", value 0 is not displayed
4-6 i3, values 0..7 shown as "A..G,#"
7-13 i2, values 0..98 shown as "01..99" values 99..127 as "A0..C8"
14-18 i1, values 0..31 shown as "A..Z,-,_,{HP},.,{ID?},:"
19-22 Unknown
23 Disable stats (0=Show as "HP: h1 ID: i1-i2-i3", 1=Don't show it)
|
00h --> end-byte 81h,40h --> SPC 81h,43h..97h --> punctuation marks 82h,4Fh..58h --> "0..9" 82h,60h..79h --> "A..Z" 82h,81h..9Ah --> "a..z" |
00 = end-byte
01 = spc
02..0B = 0..9
0C..AF = japanese
B0..B4 = dash, male, female, comma, round-dot
B5..C0 = !"%&~?/+-:.'
C1..DA = A..Z
DB..DF = unused (blank)
E0..E5 = japanese
E6..FF = a..z
N/A = #$()*;<=>@[\]^_`{|}
|
00h..01h Blank Screen (?) 02h..03h Dotcode Application with 17byte-title, with stats, load music A 04h..05h Dotcode Application with 17byte-title, with stats, load music B 06h..07h P-Letter Attacks 08h..09h Construction Escape 0Ah..0Bh Construction Action 0Ch..0Dh Construction Melody Box 0Eh Dotcode Application with 33byte-title, without stats, load music A 0Fh Game specific cards 10h..1Dh P-Letter Viewer 1Eh..1Fh Same as 0Eh and 0Fh (see above) |
| GBA Cart e-Reader Program Code |
IF e-Reader is Non-Japanese, AND [2000008h] is outside of range of 2000000h..20000E3h, AND only if booted from camera (not when booted from FLASH?), THEN [2000008h]=[2000008h]-0001610Ch ELSE [2000008h] kept intact |
Store "B 20000C0h" at 2000000h ;redirect to RAM-entrypoint Zerofill 2000004h..20000BFh ;erase header (for better compression rate) Store 01h,01h at 20000C4h ;indicate RAM boot |
http://problemkaputt.de/everynes.htm |
for i=17h to 0 for j=07h to 0, nmi = nmi shr 1, if carry then nmi = nmi xor 8646h, next j nmi = nmi xor (byte[dmca_data+i] shl 8) next i dmca_data: db 0,0,'DMCA NINTENDO E-READER' |
Bit0-14 Lower bits of Entrypoint (0..7FFFh = Address 8000h..FFFFh) Bit15 Nametable Mode (0=Vertical Mirroring, 1=Horizontal Mirroring) |
(NES limitations, 1 16K program rom + 1-2 8K CHR rom, mapper 0 and 1) ines mapper 1 would be MMC1, rather than CNROM (ines mapper 3)? but, there are more or less NONE games that have 16K PRG ROM + 16K VROM? |
CB [Prefix] E0 RET PO E2 JP PO,nn E4 CALL PO,nn 27 DAA 76 HALT ED [Prefix] E8 RET PE EA JP PE,nn EC CALL PE,nn D3 OUT (n),A DD [IX Prefix] F3 DI 08 EX AF,AF' F4 CALL P,nn DB IN A,(n) FD [IY Prefix] FB EI D9 EXX FC CALL M,nn xx RST 00h..38h |
76 WAIT A frames, D3 WAIT n frames, and C7/CF RST 0/8 used for API calls. |
retry: ld bc,data // ld hl,00c8h ;src/dst lop: ld a,[bc] // inc bc // ld e,a ;lsb ld a,[bc] // inc bc // ld d,a ;msb dw 0bcfh ;aka rst 8 // db 0bh ;[4000000h+hl]=de (DMA registers) inc hl // inc hl // ld a,l cp a,0dch // jr nz,lop mod1 equ $+1 dw 37cfh ;aka rst 8 // db 37h ;bx 3E700F0h ;below executed only on jap/plus... on jap/plus, above 37cfh is hl=[400010Ch] ld a,3Ah // ld [mod1],a ;bx 3E700F0h (3Ah instead 37h) ld hl,1 // ld [mod2],hl // ld [mod3],hl ;base (0200010Ch instead 0201610Ch) jr retry data: mod2 equ $+1 dd loader ;40000C8h dma2sad (loader) ;\ dd 030000F0h ;40000CCh dma2dad (mirrored 3E700F0h) ; relocate loader dd 8000000ah ;40000D0h dma2cnt (copy 0Ah x 16bit) ;/ mod3 equ $+1 dd main ;40000D4h dma3sad (main) ;\prepare main reloc dd 02000000h ;40000D8h dma3dad (2000000h) ;/dma3cnt see loader .align 2 ;alignment for 16bit-halfword org $+201600ch ;jap/plus: adjusted to org $+200000ch loader: mov r0,80000000h ;(dma3cnt, copy 10000h x 16bit) mov r1,04000000h ;i/o base strb r1,[r1,208h] ;ime=0 (better disable ime before moving ram) str r0,[r1,0DCh] ;dma3cnt (relocate to 2000000h) mov r15,2000000h ;start relocated code at 2000000h in ARM state main: ;...insert/append whatever ARM code here... end |
| GBA Cart e-Reader API Functions |
db 76h ;Wait8bit A db D3h,xxh ;Wait8bit xxh db C7h,xxh ;RST0_xxh db CFh,xxh ;RST8_xxh ld r,[00xxh] ;get system values (addresses differ on jap/ori) ld r,[00C2h..C3h] ;GetKeyStateSticky (jap/ori: 9F02h..9F03h) ld r,[00C4h..C5h] ;GetKeyStateRaw (jap/ori: 9F04h..9F05h) ld r,[00C0h..C1h] ;see Exit and ExitRestart ld r,[00D0h..D3h] ;see Mul16bit |
bx [30075FCh] ;ApiVector ;in: r0=func_no,r1,r2,r3,[sp+0],[sp+4],[sp+8]=params bx lr ;Exit ;in: r0 (0=Restart, 2=To_Menu) |
RST0_00h FadeIn, A speed, number of frames (0..x)
RST0_01h FadeOut
RST0_02h BlinkWhite
RST0_03h (?)
RST0_04h (?) blend_func_unk1
RST0_05h (?)
RST0_06h (?)
RST0_07h (?)
RST0_08h (?)
RST0_09h (?) _020264CC_check
RST0_0Ah (?) _020264CC_free
RST0_0Bh N/A (bx 0)
RST0_0Ch N/A (bx 0)
RST0_0Dh N/A (bx 0)
RST0_0Eh N/A (bx 0)
RST0_0Fh N/A (bx 0)
RST0_10h LoadSystemBackground, A number of background (1..101), E bg# (0..3)
RST0_11h SetBackgroundOffset, A=bg# (0..3), DE=X, BC=Y
RST0_12h SetBackgroundAutoScroll
RST0_13h SetBackgroundMirrorToggle
RST0_14h (?)
RST0_15h (?)
RST0_16h (?) write_000000FF_to_02029494_
RST0_17h (?)
RST0_18h (?)
RST0_19h SetBackgroundMode, A=mode (0..2)
RST0_1Ah (?)
RST0_1Bh (?)
RST0_1Ch (?)
RST0_1Dh (?)
RST0_1Eh (?)
RST0_1Fh (?)
RST0_20h LayerShow
RST0_21h LayerHide
RST0_22h (?)
RST0_23h (?)
RST0_24h ... [20264DCh+A*20h+1Ah]=DE, [20264DCh+A*20h+1Ch]=BC
RST0_25h (?)
RST0_26h (?)
RST0_27h (?)
RST0_28h (?)
RST0_29h (?)
RST0_2Ah (?)
RST0_2Bh (?)
RST0_2Ch (?)
RST0_2Dh LoadCustomBackground, A bg# (0..3), DE pointer to struct_background,
max. tile data size = 3000h bytes, max. map data size = 1000h bytes
RST0_2Eh GBA: N/A - Z80: (?)
RST0_2Fh (?)
RST0_30h CreateSystemSprite, - - (what "- -" ???)
RST0_31h SpriteFree, HL sprite handle
RST0_32h SetSpritePos, HL=sprite handle, DE=X, BC=Y
RST0_33h (?) sprite_unk2
RST0_34h SpriteFrameNext
RST0_35h SpriteFramePrev
RST0_36h SetSpriteFrame, HL=sprite handle, E=frame number (0..x)
RST0_37h (?) sprite_unk3
RST0_38h (?) sprite_unk4
RST0_39h SetSpriteAutoMove, HL=sprite handle, DE=X, BC=Y
RST0_3Ah (?) sprite_unk5
RST0_3Bh (?) sprite_unk6
RST0_3Ch SpriteAutoAnimate
RST0_3Dh (?) sprite_unk7
RST0_3Eh SpriteAutoRotateUntilAngle
RST0_3Fh SpriteAutoRotateByAngle
RST0_40h SpriteAutoRotateByTime
RST0_41h (?) sprite_unk8
RST0_42h SetSpriteAutoMoveHorizontal
RST0_43h SetSpriteAutoMoveVertical
RST0_44h (?) sprite_unk9
RST0_45h SpriteDrawOnBackground
RST0_46h SpriteShow, HL=sprite handle
RST0_47h SpriteHide, HL=sprite handle
RST0_48h SpriteMirrorToggle
RST0_49h (?) sprite_unk10
RST0_4Ah (?) sprite_unk11
RST0_4Bh (?) sprite_unk12
RST0_4Ch GetSpritePos
RST0_4Dh CreateCustomSprite
RST0_4Eh (?)
RST0_4Fh (?) sprite_unk14
RST0_50h (?) sprite_unk15
RST0_51h (?) sprite_unk16
RST0_52h (?) sprite_unk17
RST0_53h (?) sprite_unk18
RST0_54h (?)
RST0_55h (?) sprite_unk20
RST0_56h (?)
RST0_57h SpriteMove
RST0_58h (?) sprite_unk22
RST0_59h (?) sprite_unk23
RST0_5Ah (?) sprite_unk24
RST0_5Bh SpriteAutoScaleUntilSize, C=speed (higher value is slower),
HL=sprite handle, DE=size (0100h = normal size,
lower value = larger, higher value = smaller)
RST0_5Ch SpriteAutoScaleBySize
RST0_5Dh SpriteAutoScaleWidthUntilSize
RST0_5Eh SpriteAutoScaleHeightBySize
RST0_5Fh (?)
RST0_60h (?)
RST0_61h (?)
RST0_62h (?)
RST0_63h (?)
RST0_64h hl=[[2024D28h+a*4]+12h]
RST0_65h (?) sprite_unk25
RST0_66h SetSpriteVisible, HL=sprite handle, E=(0=not visible, 1=visible)
RST0_67h (?) sprite_unk26
RST0_68h (?) set_sprite_unk27
RST0_69h (?) get_sprite_unk27
RST0_6Ah (?)
RST0_6Bh (?)
RST0_6Ch (?)
RST0_6Dh (?)
RST0_6Eh hl=[hl+000Ah] ;r0=[r1+0Ah]
RST0_6Fh (?)
RST0_70h (?)
RST0_71h (?)
RST0_72h (?)
RST0_73h (?)
RST0_74h (?)
RST0_75h (?)
RST0_76h (?)
RST0_77h (?)
RST0_78h (?)
RST0_79h (?)
RST0_7Ah (?)
RST0_7Bh (?)
RST0_7Ch (?) _0202FD2C_unk12
RST0_7Dh Wait16bit ;HL=num_frames (16bit variant of Wait8bit opcode/function)
RST0_7Eh SetBackgroundPalette, HL=src_addr, DE=offset, C=num_colors (1..x)
RST0_7Fh GetBackgroundPalette(a,b,c)
RST0_80h SetSpritePalette, HL=src_addr, DE=offset, C=num_colors (1..x)
RST0_81h GetSpritePalette(a,b,c)
RST0_82h ClearPalette
RST0_83h (?) _0202FD2C_unk11
RST0_84h (?)
RST0_85h (?)
RST0_86h (?)
RST0_87h (?) _0202FD2C_unk8
RST0_88h (?) _0202FD2C_unk7
RST0_89h (?)
RST0_8Ah (?) _0202FD2C_unk6
RST0_8Bh (?) _0202FD2C_unk5
RST0_8Ch GBA: N/A - Z80: (?)
RST0_8Dh GBA: N/A - Z80: (?)
RST0_8Eh (?)
RST0_8Fh WindowHide
RST0_90h CreateRegion, H=bg# (0..3), L=palbank# (0..15),
D,E,B,C=x1,y1,cx,cy (in tiles), return: n/a (no$note: n/a ???)
RST0_91h SetRegionColor
RST0_92h ClearRegion
RST0_93h SetPixel
RST0_94h GetPixel
RST0_95h DrawLine
RST0_96h DrawRect
RST0_97h (?) _0202FD2C_unk4
RST0_98h SetTextColor, A=region handle, D=color foreground (0..15),
E=color background (0..15)
RST0_99h DrawText, A=region handle, BC=pointer to text, D=X, E=Y
(non-japan uses ASCII text, but japanese e-reader's use STH ELSE?)
RST0_9Ah SetTextSize
RST0_9Bh (?) RegionUnk7
RST0_9Ch (?) _0202FD2C_unk3
RST0_9Dh (?) _0202FD2C_unk2
RST0_9Eh (?) _0202FD2C_unk1
RST0_9Fh Z80: (?) - GBA: SetBackgroundModeRaw
RST0_A0h (?)
RST0_A1h (?)
RST0_A2h (?) RegionUnk6
RST0_A3h GBA: N/A - Z80: (?)
RST0_A4h GBA: N/A - Z80: (?)
RST0_A5h (?)
RST0_A6h (?)
RST0_A7h (?)
RST0_A8h (?)
RST0_A9h (?)
RST0_AAh (?)
RST0_ABh (?)
RST0_ACh (?)
RST0_ADh (?) RegionUnk5
RST0_AEh [202FD2Ch+122h]=A
RST0_AFh [202FD2Ch+123h]=A
RST0_B0h [202FD2Ch+124h]=A
RST0_B1h (?)
RST0_B2h (?)
RST0_B3h GBA: N/A - Z80: Sqrt ;hl=sqrt(hl)
RST0_B4h GBA: N/A - Z80: ArcTan ;hl=ArcTan2(hl,de)
RST0_B5h Sine ;hl=sin(a)*de
RST0_B6h Cosine ;hl=cos(a)*de
RST0_B7h (?)
RST0_B8h (?)
RST0_B9h N/A (bx 0)
RST0_BAh N/A (bx 0)
RST0_BBh N/A (bx 0)
RST0_BCh N/A (bx 0)
RST0_BDh N/A (bx 0)
RST0_BEh N/A (bx 0)
RST0_BFh N/A (bx 0)
Below Non-Japan and Japan/Plus only (not Japan/Ori)
RST0_C0h GetTextWidth(a,b)
RST0_C1h GetTextWidthEx(a,b,c)
RST0_C2h (?)
RST0_C3h Z80: N/A (bx 0) - GBA: (?)
RST0_C4h (?)
RST0_C5h (?)
RST0_C6h (?)
RST0_C7h (?)
RST0_C8h (?)
RST0_C9h (?)
RST0_CAh (?)
RST0_CBh (?)
RST0_CCh (?)
RST0_CDh N/A (bx lr)
RST0_CEh ;same as RST0_3Bh, but with 16bit mask
RST0_CFh ;same as RST0_3Eh, but with 16bit de
RST0_D0h ;same as RST0_3Fh, but with 16bit de
RST0_D1h ;same as RST0_5Bh, but with 16bit de
RST0_D2h ;same as RST0_5Ch, but with 16bit de
RST0_D3h ;same as RST0_5Dh, but with 16bit de
RST0_D4h ;same as RST0_5Eh, but with 16bit de
RST0_D5h (?)
RST0_D6h (?)
RST0_D7h ;[202FD2Ch+125h]=A
RST0_D8h (?)
RST0_D9h (?)
RST0_DAh (?)
RST0_DBh ;A=[3003E51h]
RST0_DCh ;[3004658h]=01h
RST0_DDh DecompressVPKorNonVPK
RST0_DEh FlashWriteSectorSingle(a,b)
RST0_DFh FlashReadSectorSingle(a,b)
RST0_E0h SoftReset
RST0_E1h GetCartridgeHeader ;[hl+0..BFh]=[8000000h..80000BFh]
RST0_E2h GBA: N/A - Z80: bx hl ;in: hl=addr, af,bc,de,sp=param, out: a
RST0_E3h Z80: N/A (bx 0) - GBA: (?)
RST0_E4h (?)
RST0_E5h (?)
RST0_E6h (?)
RST0_E7h (?)
RST0_E8h (?)
RST0_E9h ;[2029498h]=0000h
RST0_EAh Z80: N/A (bx 0) - GBA: InitMemory(a)
RST0_EBh (?) BL_irq_sio_dma3
RST0_ECh ;hl = [3003E30h]*100h + [3003E34h]
RST0_EDh FlashWriteSectorMulti(a,b,c)
RST0_EEh FlashReadPart(a,b,c)
RST0_EFh ;A=((-([2029416h] xor 1)) OR (+([2029416h] xor 1))) SHR 31
RST0_F0h (?) _unk1
RST0_F1h RandomInit ;in: hl=random_seed
RST0_F2h (?)
Below Japan/Plus only
RST0_F3h (?)
RST0_F4h (?)
RST0_F5h (?)
RST0_F6h (?)
RST0_F7h GBA: N/A - Z80: (?)
Below is undefined/garbage (values as so in Z80 mode)
Jap/Ori: RST0_C0h N/A (bx 0)
Jap/Ori: RST0_C1h..FFh Overlaps RST8 jump list
Non-Jap: RST0_F3h..FFh Overlaps RST8 jump list
Jap/Pls: RST0_F8h..FFh Overlaps RST8 jump list
|
RST8_00h GBA: N/A - Z80: Exit ;[00C0h]=a ;(1=restart, 2=exit) RST8_01h GBA: N/A - Z80: Mul8bit ;hl=a*e RST8_02h GBA: N/A - Z80: Mul16bit ;hl=hl*de, s32[00D0h]=hl*de RST8_03h Div ;hl=hl/de RST8_04h DivRem ;hl=hl mod de RST8_05h PlaySystemSound ;in: hl=sound_number RST8_06h (?) sound_unk1 RST8_07h Random8bit ;a=random(0..FFh) RST8_08h SetSoundVolume RST8_09h BcdTime ;[de+0..5]=hhmmss(hl*bc) RST8_0Ah BcdNumber ;[de+0..4]=BCD(hl), [de+5]=00h RST8_0Bh IoWrite ;[4000000h+hl]=de RST8_0Ch IoRead ;de=[4000000h+hl] RST8_0Dh GBA: N/A - Z80: (?) RST8_0Eh GBA: N/A - Z80: (?) RST8_0Fh GBA: N/A - Z80: (?) RST8_10h GBA: N/A - Z80: (?) RST8_11h DivSigned ;hl=hl/de, signed RST8_12h RandomMax ;a=random(0..a-1) RST8_13h SetSoundSpeed RST8_14h hl=[202FD20h]=[2024CACh] RST8_15h hl=[2024CACh]-[202FD20h] RST8_16h SoundPause RST8_17h SoundResume RST8_18h PlaySystemSoundEx RST8_19h IsSoundPlaying RST8_1Ah (?) RST8_1Bh (?) RST8_1Ch (?) RST8_1Dh GetExitCount ;a=[2032D34h] RST8_1Eh Permille ;hl=de*1000/hl RST8_1Fh GBA: N/A - Z80: ExitRestart;[2032D38h]=a, [00C0h]=0001h ;a=? RST8_20h GBA: N/A - Z80: WaitJoypad ;wait until joypad<>0, set hl=joypad RST8_21h GBA: N/A - Z80: (?) RST8_22h (?) _sound_unk7 RST8_23h (?) _sound_unk8 RST8_24h (?) _sound_unk9 RST8_25h (?) _sound_unk10 RST8_26h Mosaic ;bg<n>cnt.bit6=a.bit<n>, [400004Ch]=de RST8_27h (?) RST8_28h (?) RST8_29h (?) RST8_2Ah (?) get_8bit_from_2030110h RST8_2Bh (?) RST8_2Ch (?) get_16bit_from_2030112h ;jap/ori: hl=[20077B2h] RST8_2Dh (?) get_16bit_from_2030114h ;jap/ori: hl=[20077B4h] RST8_2Eh (?) RST8_2Fh PlayCustomSound(a,b) Below not for Japanese/Original (the renumbered functions can be theoretically used on japanese/original) (but, doing so would blow forwards compatibility with japanese/plus) RST8_30h (ori: none) GBA: N/A - Z80: (?) RST8_31h (ori: none) PlayCustomSoundEx(a,b,c) RST8_32h (ori: RST8_30h) BrightnessHalf ;[4000050h]=00FFh,[4000054h]=0008h RST8_33h (ori: RST8_31h) BrightnessNormal ;[4000050h]=0000h RST8_34h (ori: RST8_32h) N/A (bx lr) RST8_35h (ori: RST8_33h) (?) RST8_36h (ori: RST8_34h) ResetTimer ;[400010Ch]=00000000h, [400010Eh]=A+80h RST8_37h (ori: RST8_35h) GetTimer ;hl=[400010Ch] RST8_38h (ori: none) GBA: N/A - Z80: (?) Below is undefined/reserved/garbage (values as so in Z80 mode) (can be used to tweak jap/ori to start GBA-code from inside of Z80-code) (that, after relocating code to 3000xxxh via DMA via IoWrite function) RST8_39h (ori: RST8_36h) bx 0140014h RST8_3Ah (ori: RST8_37h) bx 3E700F0h RST8_3Bh (ori: RST8_38h) bx 3E70000h+1 RST8_3Ch (ori: RST8_39h) bx 3E703E6h+1 RST8_3Dh (ori: RST8_3Ah) bx 3E703E6h+1 RST8_3Eh (ori: RST8_3Bh) bx 3E703E6h+1 RST8_3Fh (ori: RST8_3Ch) bx 3E703E6h+1 40h-FFh (ori: 3Dh-FFh) bx ... |
RSTX_00h Wait8bit ;for 16bit: RST0_7Dh RSTX_01h GetKeyStateSticky() RSTX_02h GetKeyStateRaw() RSTX_03h (?) RSTX_04h (?) |
| GBA Cart e-Reader VPK Decompression |
collected32bit=80000000h ;initially empty (endflag in bit31)
for i=0 to 3, id[i]=read_bits(8), next i, if id[0..3]<>'vpk0' then error
dest_end=dest+read_bits(32) ;size of decompressed data (of all strips)
method=read_bits(8), if method>1 then error
tree_index=0, read_huffman_tree, disproot=tree_index
tree_index=tree_index+1, read_huffman_tree, lenroot=tree_index
;above stuff is contained only in the first strip. below loop starts at
;current location in first strip, and does then continue in further strips.
decompress_loop:
if read_bits(1)=0 then ;copy one uncompressed data byte,
[dest]=read_bits(8), dest=dest+1 ;does work without huffman trees
else
if disproot=-1 or lenroot=-1 then error ;compression does require trees
disp=read_tree(disproot)
if method=1 ;disp*4 is good for 32bit ARM opcodes
if disp>2 then disp=disp*4-8 else disp=disp+4*read_tree(disproot)-7
len=read_tree(lenroot)
if len=0 or disp<=0 or dest+len-1>dest_end then error ;whoops
for j=1 to len, [dest]=[dest-disp], dest=dest+1, next j
if dest<dest_end then decompress_loop
ret
|
mov data=0
for i=1 to num
shl collected32bit,1 ;move next bit to carry, or set zeroflag if empty
if zeroflag
collected32bit=[src+0]*1000000h+[src+1]*10000h+[src+2]*100h+[src+3]
src=src+4 ;read data in 32bit units, in reversed byte-order
carryflag=1 ;endbit
rcl collected32bit,1 ;move bit31 to carry (and endbit to bit0)
rcl data,1 ;move carry to data
next i
ret(data)
|
i=root_index
while node[i].right<>-1 ;loop until reaching data node
if read_bits(1)=1 then i=node[i].right else i=node[i].left
i=node[i].left ;get number of bits
i=read_bits(i) ;read that number of bits
ret(i) ;return that value
|
stacktop=sp if read_bits(1)=1 then tree_index=-1, ret ;exit (empty) node[tree_index].right=-1 ;indicate data node node[tree_index].left=read_bits(8) ;store data value if read_bits(1)=1 then ret ;exit (only 1 data node at root) push tree_index ;save previous (child) node tree_index=tree_index+1 jmp data_injump load_loop: push tree_index ;save previous (child) node tree_index=tree_index+1 if read_bits(1)=1 then parent_node data_injump: node[tree_index].right=-1 ;indicate data node node[tree_index].left=read_bits(8) ;store data value jmp load_loop parent_node: pop node[tree_index].right ;store 1st child pop node[tree_index].left ;store 2nd child if sp<>stacktop then jmp load_loop if read_bits(1)=0 then error ;end bit (must be 1) ret |
| GBA Cart e-Reader Error Correction |
reverse_byte_order(data,dtalen)
zerofill_error_bytes(data,errlen)
for i=dtalen-1 to errlen ;loop across data portion
z = rev[ data[i] xor data[errlen-1] ] ;
for j=errlen-1 to 0 ;loop across error-info portion
if j=0 then x=00h else x=data[j-1]
if z<>FFh then
y=gg[j], if y<>FFh then
y=y+z, if y>=FFh then y=y-FFh
x=x xor pow[y]
data[j]=x
next j
next i
invert_error_bytes(data,errlen)
reverse_byte_order(data,dtalen)
|
reverse_byte_order(data,dtalen)
invert_error_bytes(data,errlen)
make_rev(data,dtalen)
for i=78h to 78h+errlen-1
x=0, z=0
for j=0 to dtalen-1
y=data[j]
if y<>FFh then
y=y+z, if y>=FFh then y=y-FFh
x=x xor pow[y]
z=z+i, if z>=FFh then z=z-FFh
next j
if x<>0 then error
next i
;(if errors occured, could correct them now)
make_pow(data,dtalen)
invert_error_bytes(data,errlen)
reverse_byte_order(data,dtalen)
|
for i=0 to len-1, data[i]=rev[data[i]], next i |
for i=0 to len-1, data[i]=pow[data[i]], next i |
for i=0 to len-1, data[i]=data[i] xor FFh, next i |
for i=0 to len-1, data[i]=00h, next i |
for i=0 to (len-1)/2, x=data[i], data[i]=data[len-i], data[len-i]=x, next i |
x=01h, pow[FFh]=00h, rev[00h]=FFh
for i=00h to FEh
pow[i]=x, rev[x]=i, x=x*2, if x>=100h then x=x xor 187h
next i
|
gg[0]=pow[78h]
for i=1 to errlen-1
gg[i]=01h
for j=i downto 0
if j=0 then y=00h else y=gg[j-1]
x=gg[j], if x<>00h then
x=rev[x]+78h+i, if x>=FFh then x=x-FFh
y=y xor pow[x]
gg[j]=y
next j
next i
make_rev(gg,errlen)
|
00h,4Bh,EBh,D5h,EFh,4Ch,71h,00h,F4h,00h,71h,4Ch,EFh,D5h,EBh,4Bh |
pow = alpha_to, but generated as shown above rev = index_of, dito b0 = 78h nn = dtalen kk = dtalen-errlen %nn = MOD FFh (for the ereader that isn't MOD dtalen) -1 = FFh |
| GBA Cart e-Reader File Formats |
| GBA Cart Unknown Devices |
| GBA Cart Protections |
| GBA Flashcards |
configure_flashcard(9E2468Ah,9413h) ;unlock flash advance cards turbo=1, send_command(8000000h,90h) ;enter ID mode (both chips, if any) maker=[8000000h], device=[8000000h+2] IF maker=device THEN device=[8000000h+4] ELSE turbo=0 flashcard_read_mode ;exit ID mode search (maker+device*10000h) in device_list total/erase/write_block_size = list_entry SHL turbo |
FOR x=1 to len/erase_block_size send_command(dest,20h) ;erase sector command send_command(dest,D0h) ;confirm erase sector dest=dest+erase_block_size IF wait_busy=okay THEN NEXT x enter_read_mode ;exit erase/status mode |
siz=write_block_size FOR x=1 to len/siz IF siz=2 THEN send_command(dest,10h) ;write halfword command IF siz>2 THEN send_command(dest,E8h) ;write to buffer command IF siz>2 THEN send_command(dest,16-1) ;buffer size 16 halfwords (per chip) FOR y=1 TO siz/2 [dest]=[src], dest=dest+2, src=src+2 ;write data to buffer NEXT y IF siz>2 THEN send_command(dest,D0h) ;confirm write to buffer IF wait_busy=okay THEN NEXT x enter_read_mode ;exit write/status mode |
[adr]=val IF turbo THEN [adr+2]=val |
send_command(8000000h,FFh) ;exit status mode send_command(8000000h,FFh) ;again maybe more stable (as in jeff's source) |
start=time REPEAT stat=[8000000h] XOR 80h IF turbo THEN stat=stat OR ([8000000h+2] XOR 80h) IF (stat AND 7Fh)>0 THEN error IF (stat AND 80h)=0 THEN ready IF time-start>5secs THEN timeout UNTIL ready OR error OR timeout IF error OR timeout THEN send_command(8000000h,50h) ;clear status |
[930ECA8h]=5354h [802468Ah]=1234h, repeated 500 times [800ECA8h]=5354h [802468Ah]=5354h [802468Ah]=5678h, repeated 500 times [930ECA8h]=5354h [802468Ah]=5354h [8ECA800h]=5678h [80268A0h]=1234h [802468Ah]=ABCDh, repeated 500 times [930ECA8h]=5354h [adr]=val |
configure_flashcard(942468Ah,???) |
ID Code Total Erase Write Name -??-00DCh ? ? ? Hudson Cart (???) 00160089h 4M 128K 32 Intel i28F320J3A (Flash Advance) 00170089h 8M 128K 32 Intel i28F640J3A (Flash Advance) 00180089h 16M 128K 32 Intel i28F128J3A (Flash Advance) 00E200B0h ? 64K 2 Sharp LH28F320BJE ? (Nintendo) |
| GBA Cheat Devices |
| GBA Cheat Codes - General Info |
| GBA Cheat Codes - Codebreaker/Xploder |
0000xxxx 000y Enable Code 1 - Game ID 1aaaaaaa 000z Enable Code 2 - Hook Address 2aaaaaaa yyyy [aaaaaaa]=[aaaaaaa] OR yyyy 3aaaaaaa 00yy [aaaaaaa]=yy 4aaaaaaa yyyy [aaaaaaa+0..(cccc-1)*ssss]=yyyy+0..(cccc-1)*ssss iiiicccc ssss parameters for above code 5aaaaaaa cccc [aaaaaaa+0..(cccc-1)]=11,22,33,44,etc. 11223344 5566 parameter bytes 1..6 for above code (example) 77880000 0000 parameter bytes 7..8 for above code (padded with zero) 6aaaaaaa yyyy [aaaaaaa]=[aaaaaaa] AND yyyy 7aaaaaaa yyyy IF [aaaaaaa]=yyyy THEN (next code) 8aaaaaaa yyyy [aaaaaaa]=yyyy 9xyyxxxx xxxx Enable Code 0 - Encrypt all following codes (optional) Aaaaaaaa yyyy IF [aaaaaaa]<>yyyy THEN (next code) Baaaaaaa yyyy IF [aaaaaaa]>yyyy THEN (next code) (signed comparison) Caaaaaaa yyyy IF [aaaaaaa]<yyyy THEN (next code) (signed comparison) D0000020 yyyy IF [joypad] AND yyyy = 0 THEN (next code) Eaaaaaaa yyyy [aaaaaaa]=[aaaaaaa]+yyyy Faaaaaaa yyyy IF [aaaaaaa] AND yyyy THEN (next code) |
crc=FFFFh for i=0 to FFFFh x=byte[i] xor (crc/100h) x=x xor (x/10h) crc=(crc*100h) xor (x*1001h) xor (x*20h) next i |
for i=0 to 2Fh, swaplist[i]=i, next i
randomizer = 1111h xor byte[code+4] ;LSB value
for i=0 to 4Fh
exchange swaplist[random MOD 30h] with swaplist[random MOD 30h]
next i
halfword[seedlist+0] = halfword[code+0] ;LSW address
randomizer = 4EFAD1C3h
for i=0 to byte[code+3]-91h, randomizer=random, next i ;MSB address
word[seedlist+2]=random, halfword[seedlist+6]=random
randomizer = F254h xor byte[code+5] ;MSB value
for i=0 to byte[code+5]-01h, randomizer=random, next i ;MSB value
word[seedlist+8]=random, halfword[seedlist+12]=random
;note: byte[code+2] = don't care
ret
|
randomizer=randomizer*41C64E6Dh+3039h, x=(randomizer SHL 14 AND C0000000h) randomizer=randomizer*41C64E6Dh+3039h, x=(randomizer SHR 1 AND 3FFF8000h)+x randomizer=randomizer*41C64E6Dh+3039h, x=(randomizer SHR 16 AND 00007FFFh)+x return(x) |
for i=2Fh to 0
j=swaplist[i]
bitno1=(i AND 7), index1=xlatlist[i/8]
bitno2=(j AND 7), index2=xlatlist[j/8]
exchange [code+index1].bitno1 with [code+index2].bitno2
next i
word[code+0] = word[code+0] xor word[seedlist+8]
i = (byte[code+3]*1010000h + byte[code+0]*100h + byte[code+5])
i = (halfword[code+1]*10001h) xor (word[seedlist+2]) xor i
i = (byte[seedlist+0]*1010101h) xor (byte[seedlist+1]*1000000h) xor i
j = (byte[code+5] + (byte[code+0] xor byte[code+4])*100h)
j = (byte[seedlist+0]*101h) xor halfword[seedlist+6] xor j
word[code+0] = i, halfword[code+4] = j
|
| GBA Cheat Codes - Gameshark/Action Replay V1/V2 |
0aaaaaaa 000000xx [aaaaaaa]=xx 1aaaaaaa 0000xxxx [aaaaaaa]=xxxx 2aaaaaaa xxxxxxxx [aaaaaaa]=xxxxxxxx 3000cccc xxxxxxxx write xxxxxxxx to (cccc-1) addresses (list in next codes) aaaaaaaa aaaaaaaa parameter for above code, containing two addresses each aaaaaaaa 00000000 last parameter for above, zero-padded if only one address 60aaaaaa y000xxxx [8000000h+aaaaaa*2]=xxxx (ROM Patch) 8a1aaaaa 000000xx IF GS_Button_Down THEN [a0aaaaa]=xx 8a2aaaaa 0000xxxx IF GS_Button_Down THEN [a0aaaaa]=xxxx 80F00000 0000xxxx IF GS_Button_Down THEN slowdown xxxx * ? cycles per hook Daaaaaaa 0000xxxx IF [aaaaaaa]=xxxx THEN (next code) E0zzxxxx 0aaaaaaa IF [aaaaaaa]=xxxx THEN (next 'zz' codes) Faaaaaaa 00000x0y Enable Code - Hook Routine xxxxxxxx 001DC0DE Enable Code - Game Code ID (value at [0ACh] in cartridge) DEADFACE 0000xxyy Change Encryption Seeds |
y=1 - Executes code handler without backing up the LR register. y=2 - Executes code handler and backs up the LR register. y=3 - Replaces a 32-bit pointer used for long-branches. x=0 - Must turn GSA off before loading game. x=1 - Must not do that. |
y=0 wait for the code handler to enable the patch y=1 patch is enabled before the game starts y=2 unknown ? |
FOR I=1 TO 32
A=A + (V*16+S0) XOR (V+I*9E3779B9h) XOR (V/32+S1)
V=V + (A*16+S2) XOR (A+I*9E3779B9h) XOR (A/32+S3)
NEXT I
|
S0=09F4FBBDh S1=9681884Ah S2=352027E9h S3=F3DEE5A7h |
FOR y=0 TO 3
FOR x=0 TO 3
z = T1[(xx+x) AND FFh] + T2[(yy+y) AND FFh]
Sy = Sy*100h + (z AND FFh)
NEXT x
NEXT y
|
| GBA Cheat Codes - Pro Action Replay V3 |
C4aaaaaa 0000yyyy Enable Code - Hook Routine at [8aaaaaa] xxxxxxxx 001DC0DE Enable Code - ID Code [080000AC] DEADFACE 0000xxxx Enable Code - Change Encryption Seeds 00aaaaaa xxxxxxyy [a0aaaaa..a0aaaaa+xxxxxx]=yy 02aaaaaa xxxxyyyy [a0aaaaa..a0aaaaa+xxxx*2]=yyyy 04aaaaaa yyyyyyyy [a0aaaaa]=yyyyyyyy 40aaaaaa xxxxxxyy [ [a0aaaaa] + xxxxxx ]=yy (Indirect) 42aaaaaa xxxxyyyy [ [a0aaaaa] + xxxx*2 ]=yyyy (Indirect) 44aaaaaa yyyyyyyy [ [a0aaaaa] ]=yyyyyyyy (Indirect) 80aaaaaa 000000yy [a0aaaaa]=[a0aaaaa]+yy 82aaaaaa 0000yyyy [a0aaaaa]=[a0aaaaa]+yyyy 84aaaaaa yyyyyyyy [a0aaaaa]=[a0aaaaa]+yyyyyyyy C6aaaaaa 0000yyyy [4aaaaaa]=yyyy (I/O Area) C7aaaaaa yyyyyyyy [4aaaaaa]=yyyyyyyy (I/O Area) iiaaaaaa yyyyyyyy IF [a0aaaaa] <cond> <value> THEN <action> 00000000 60000000 ELSE (?) 00000000 40000000 ENDIF (?) 00000000 0800xx00 AR Slowdown : loops the AR xx times 00000000 00000000 End of the code list 00000000 10aaaaaa 000000zz 00000000 IF AR_BUTTON THEN [a0aaaaa]=zz 00000000 12aaaaaa 0000zzzz 00000000 IF AR_BUTTON THEN [a0aaaaa]=zzzz 00000000 14aaaaaa zzzzzzzz 00000000 IF AR_BUTTON THEN [a0aaaaa]=zzzzzzzz 00000000 18aaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 1) 00000000 1Aaaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 2) 00000000 1Caaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 3) 00000000 1Eaaaaaa 0000zzzz 00000000 [8000000+aaaaaa*2]=zzzz (ROM Patch 4) |
00000000 80aaaaaa 000000yy ssccssss repeat cc times [a0aaaaa]=yy (with yy=yy+ss, a0aaaaa=a0aaaaa+ssss after each step) |
00000000 82aaaaaa 0000yyyy ssccssss repeat cc times [a0aaaaa]=yyyy (with yyyy=yyyy+ss, a0aaaaa=a0aaaaa+ssss*2 after each step) |
00000000 84aaaaaa yyyyyyyy ssccssss repeat cc times [a0aaaaa]=yyyyyyyy (with yyyy=yyyy+ss, a0aaaaa=a0aaaaa+ssss*4 after each step) |
<cond> <value> <action> 08 Equal = 00 8bit zz 00 execute next code 10 Not equal <> 02 16bit zzzz 40 execute next two codes 18 Signed < 04 32bit zzzzzzzz 80 execute all following 20 Signed > 06 (always false) codes until ELSE or ENDIF 28 Unsigned < C0 normal ELSE turn off all codes 30 Unsigned > 38 Logical AND |
For the "Always..." codes: - XXXXXXXX can be any authorised address except 00000000 (eg. use 02000000). - ZZZZZZZZ can be anything. - The "y" in the code data must be in the [1-7] range (which means not 0). typ=y,sub=0,siz=3 Always skip next line. typ=y,sub=1,siz=3 Always skip next 2 lines. typ=y,sub=2,siz=3 Always Stops executing all the codes below. typ=y,sub=3,siz=3 Always turn off all codes. |
adr mask = 003FFFFF n/a mask = 00C00000 ;not used xtr mask = 01000000 ;used only by I/O write, and MSB of Hook siz mask = 06000000 typ mask = 38000000 ;0=normal, other=conditional sub mask = C0000000 |
S0=7AA9648Fh S1=7FAE6994h S2=C0EFAAD5h S3=42712C57h |
| GBA Gameboy Player |
Drill Dozer (supports BOTH handheld-rumble and GBP-rumble?) Mario & Luigi: Superstar Saga Pokemon Pinball: Ruby & Sapphire Shikakui Atama wo Marukusuru Advance: Kokugo Sansu Rika Shakai Shikakui Atama wo Marukusuru Advance: Kanji Keisan Summon Night Craft Sword Monogatari: Hajimari no Ishi Super Mario Advance 4: Super Mario Bros. 3 |
Remudvance (FluBBA) (homebrew) Goomba (FluBBA) (8bit Gameboy Color Emulator for 32bit GBA) (homebrew) and, supposedly in "Tetanus on Drugs" (Tepples) (homebrew) |
Receive Response 0000494E 494EB6B1 xxxx494E 494EB6B1 B6B1494E 544EB6B1 B6B1544E 544EABB1 ABB1544E 4E45ABB1 ABB14E45 4E45B1BA B1BA4E45 4F44B1BA B1BA4F44 4F44B0BB B0BB4F44 8000B0BB B0BB8002 10000010 10000010 20000013 20000013 40000004 30000003 40000004 30000003 40000004 30000003 40000004 30000003 400000yy 30000003 40000004 |
| GBA Unpredictable Things |
WORD = [$+8] |
LSW = [$+4], MSW = [$+4] |
LSW = [$+4], MSW = [$+6] ;for opcodes at 4-byte aligned locations LSW = [$+2], MSW = [$+4] ;for opcodes at non-4-byte aligned locations |
LSW = [$+4], MSW = OldHI ;for opcodes at 4-byte aligned locations LSW = OldLO, MSW = [$+4] ;for opcodes at non-4-byte aligned locations |
OldLO=[$+2], OldHI=[$+2] |
OldLO=LSW(data), OldHI=MSW(data) Theoretically, this might also change if a DMA transfer occurs. |
| NDS Reference |
| DS Technical Data |
1x ARM946E-S 32bit RISC CPU, 66MHz (NDS9 video) (not used in GBA mode) 1x ARM7TDMI 32bit RISC CPU, 33MHz (NDS7 sound) (16MHz in GBA mode) |
4096KB Main RAM (8192KB in debug version) 96KB WRAM (64K mapped to NDS7, plus 32K mappable to NDS7 or NDS9) 60KB TCM/Cache (TCM: 16K Data, 32K Code) (Cache: 4K Data, 8K Code) 656KB VRAM (allocateable as BG/OBJ/2D/3D/Palette/Texture/WRAM memory) 4KB OAM/PAL (2K OBJ Attribute Memory, 2K Standard Palette RAM) 248KB Internal 3D Memory (104K Polygon RAM, 144K Vertex RAM) ?KB Matrix Stack, 48 scanline cache 8KB Wifi RAM 256KB Firmware FLASH (512KB in iQue variant, with chinese charset) 36KB BIOS ROM (4K NDS9, 16K NDS7, 16K GBA) |
2x LCD screens (each 256x192 pixel, 3 inch, 18bit color depth, backlight) 2x 2D video engines (extended variants of the GBA's video controller) 1x 3D video engine (can be assigned to upper or lower screen) 1x video capture (for effects, or for forwarding 3D to the 2nd 2D engine) |
16 sound channels (16x PCM8/PCM16/IMA-ADPCM, 6x PSG-Wave, 2x PSG-Noise) 2 sound capture units (for echo effects, etc.) Output: Two built-in stereo speakers, and headphones socket Input: One built-in microphone, and microphone socket |
Gamepad 4 Direction Keys, 8 Buttons Touchscreen (on lower LCD screen) |
Wifi IEEE802.11b |
Built-in Real Time Clock Power Managment Device Hardware divide and square root functions CP15 System Control Coprocessor (cache, tcm, pu, bist, etc.) |
NDS Slot (for NDS games) (encrypted 8bit data bus, and serial 1bit bus) GBA Slot (for NDS expansions, or for GBA games) (but not for DMG/CGB games) |
ROM: 16MB, 32MB, or 64MB EEPROM/FLASH/FRAM: 0.5KB, 8KB, 64KB, 256KB, or 512KB |
NDS Cartridge (NDS mode) Firmware FLASH (NDS mode) (eg. by patching firmware via ds-xboo cable) Wifi (NDS mode) GBA Cartridge (GBA mode) (without DMG/CGB support) (without SIO support) |
Built-in rechargeable Lithium ion battery, 3.7V 1000mAh (DS-Lite) External Supply: 5.2V DC |
| DS I/O Maps |
4000000h 4 2D Engine A - DISPCNT - LCD Control (Read/Write) 4000004h 2 2D Engine A+B - DISPSTAT - General LCD Status (Read/Write) 4000006h 2 2D Engine A+B - VCOUNT - Vertical Counter (Read only) 4000008h 50h 2D Engine A (same registers as GBA, some changed bits) 4000060h 2 DISP3DCNT - 3D Display Control Register (R/W) 4000064h 4 DISPCAPCNT - Display Capture Control Register (R/W) 4000068h 4 DISP_MMEM_FIFO - Main Memory Display FIFO (R?/W) 400006Ch 2 2D Engine A - MASTER_BRIGHT - Master Brightness Up/Down |
40000B0h 30h DMA Channel 0..3 40000E0h 10h DMA FILL Registers for Channel 0..3 4000100h 10h Timers 0..3 4000130h 2 KEYINPUT 4000132h 2 KEYCNT |
4000180h 2 IPCSYNC - IPC Synchronize Register (R/W) 4000184h 2 IPCFIFOCNT - IPC Fifo Control Register (R/W) 4000188h 4 IPCFIFOSEND - IPC Send Fifo (W) 40001A0h 2 AUXSPICNT - Gamecard ROM and SPI Control 40001A2h 2 AUXSPIDATA - Gamecard SPI Bus Data/Strobe 40001A4h 4 Gamecard bus timing/control 40001A8h 8 Gamecard bus 8-byte command out 40001B0h 4 Gamecard Encryption Seed 0 Lower 32bit 40001B4h 4 Gamecard Encryption Seed 1 Lower 32bit 40001B8h 2 Gamecard Encryption Seed 0 Upper 7bit (bit7-15 unused) 40001BAh 2 Gamecard Encryption Seed 1 Upper 7bit (bit7-15 unused) |
4000204h 2 EXMEMCNT - External Memory Control (R/W) 4000208h 2 IME - Interrupt Master Enable (R/W) 4000210h 4 IE - Interrupt Enable (R/W) 4000214h 4 IF - Interrupt Request Flags (R/W) 4000240h 1 VRAMCNT_A - VRAM-A (128K) Bank Control (W) 4000241h 1 VRAMCNT_B - VRAM-B (128K) Bank Control (W) 4000242h 1 VRAMCNT_C - VRAM-C (128K) Bank Control (W) 4000243h 1 VRAMCNT_D - VRAM-D (128K) Bank Control (W) 4000244h 1 VRAMCNT_E - VRAM-E (64K) Bank Control (W) 4000245h 1 VRAMCNT_F - VRAM-F (16K) Bank Control (W) 4000246h 1 VRAMCNT_G - VRAM-G (16K) Bank Control (W) 4000247h 1 WRAMCNT - WRAM Bank Control (W) 4000248h 1 VRAMCNT_H - VRAM-H (32K) Bank Control (W) 4000249h 1 VRAMCNT_I - VRAM-I (16K) Bank Control (W) |
4000280h 2 DIVCNT - Division Control (R/W) 4000290h 8 DIV_NUMER - Division Numerator (R/W) 4000298h 8 DIV_DENOM - Division Denominator (R/W) 40002A0h 8 DIV_RESULT - Division Quotient (=Numer/Denom) (R) 40002A8h 8 DIVREM_RESULT - Division Remainder (=Numer MOD Denom) (R) 40002B0h 2 SQRTCNT - Square Root Control (R/W) 40002B4h 4 SQRT_RESULT - Square Root Result (R) 40002B8h 8 SQRT_PARAM - Square Root Parameter Input (R/W) 4000300h 4 POSTFLG - Undoc 4000304h 2 POWCNT1 - Graphics Power Control Register (R/W) |
4000320h..6A3h |
4001000h 4 2D Engine B - DISPCNT - LCD Control (Read/Write) 4001008h 50h 2D Engine B (same registers as GBA, some changed bits) 400106Ch 2 2D Engine B - MASTER_BRIGHT - 16bit - Brightness Up/Down |
40021Axh .. DSi Registers 4004xxxh .. DSi Registers |
4100000h 4 IPCFIFORECV - IPC Receive Fifo (R) 4100010h 4 Gamecard bus 4-byte data in, for manual or dma read |
4FFF0xxh .. Ensata Emulator Debug Registers 4FFFAxxh .. No$gba Emulator Debug Registers |
27FFD9Ch .. NDS9 Debug Stacktop / Debug Vector (0=None) DTCM+3FF8h 4 NDS9 IRQ Check Bits (hardcoded RAM address) DTCM+3FFCh 4 NDS9 IRQ Handler (hardcoded RAM address) |
27FFFFEh 2 Main Memory Control |
4000004h 2 DISPSTAT 4000006h 2 VCOUNT 40000B0h 30h DMA Channels 0..3 4000100h 10h Timers 0..3 4000120h 4 Debug SIODATA32 4000128h 4 Debug SIOCNT 4000130h 2 keyinput 4000132h 2 keycnt 4000134h 2 Debug RCNT 4000136h 2 EXTKEYIN 4000138h 1 RTC Realtime Clock Bus 4000180h 2 IPCSYNC - IPC Synchronize Register (R/W) 4000184h 2 IPCFIFOCNT - IPC Fifo Control Register (R/W) 4000188h 4 IPCFIFOSEND - IPC Send Fifo (W) 40001A0h 2 AUXSPICNT - Gamecard ROM and SPI Control 40001A2h 2 AUXSPIDATA - Gamecard SPI Bus Data/Strobe 40001A4h 4 Gamecard bus timing/control 40001A8h 8 Gamecard bus 8-byte command out 40001B0h 4 Gamecard Encryption Seed 0 Lower 32bit 40001B4h 4 Gamecard Encryption Seed 1 Lower 32bit 40001B8h 2 Gamecard Encryption Seed 0 Upper 7bit (bit7-15 unused) 40001BAh 2 Gamecard Encryption Seed 1 Upper 7bit (bit7-15 unused) 40001C0h 2 SPI bus Control (Firmware, Touchscreen, Powerman) 40001C2h 2 SPI bus Data |
4000204h 2 EXMEMSTAT - External Memory Status 4000206h 2 WIFIWAITCNT 4000208h 4 IME - Interrupt Master Enable (R/W) 4000210h 4 IE - Interrupt Enable (R/W) 4000214h 4 IF - Interrupt Request Flags (R/W) 4000218h - IE2 ;\DSi only (additional ARM7 interrupt sources) 400021Ch - IF2 ;/ 4000240h 1 VRAMSTAT - VRAM-C,D Bank Status (R) 4000241h 1 WRAMSTAT - WRAM Bank Status (R) 4000300h 1 POSTFLG 4000301h 1 HALTCNT (different bits than on GBA) (plus NOP delay) 4000304h 2 POWCNT2 Sound/Wifi Power Control Register (R/W) 4000308h 4 BIOSPROT - Bios-data-read-protection address |
4000400h 100h Sound Channel 0..15 (10h bytes each) 40004x0h 4 SOUNDxCNT - Sound Channel X Control Register (R/W) 40004x4h 4 SOUNDxSAD - Sound Channel X Data Source Register (W) 40004x8h 2 SOUNDxTMR - Sound Channel X Timer Register (W) 40004xAh 2 SOUNDxPNT - Sound Channel X Loopstart Register (W) 40004xCh 4 SOUNDxLEN - Sound Channel X Length Register (W) 4000500h 2 SOUNDCNT - Sound Control Register (R/W) 4000504h 2 SOUNDBIAS - Sound Bias Register (R/W) 4000508h 1 SNDCAP0CNT - Sound Capture 0 Control Register (R/W) 4000509h 1 SNDCAP1CNT - Sound Capture 1 Control Register (R/W) 4000510h 4 SNDCAP0DAD - Sound Capture 0 Destination Address (R/W) 4000514h 2 SNDCAP0LEN - Sound Capture 0 Length (W) 4000518h 4 SNDCAP1DAD - Sound Capture 1 Destination Address (R/W) 400051Ch 2 SNDCAP1LEN - Sound Capture 1 Length (W) |
40021Axh .. DSi Registers 4004xxxh .. DSi Registers 4004700h 2 DSi SNDEXCNT Register ;\mapped even in DS mode 4004C0xh .. DSi GPIO Registers ;/ |
4100000h 4 IPCFIFORECV - IPC Receive Fifo (R) 4100010h 4 Gamecard bus 4-byte data in, for manual or dma read |
4800000h .. Wifi WS0 Region (32K) (Wifi Ports, and 8K Wifi RAM) 4808000h .. Wifi WS1 Region (32K) (mirror of above, other waitstates) |
380FFC0h 4 DSi7 IRQ IF2 Check Bits (hardcoded RAM address) (DSi only) 380FFDCh .. NDS7 Debug Stacktop / Debug Vector (0=None) 380FFF8h 4 NDS7 IRQ IF Check Bits (hardcoded RAM address) 380FFFCh 4 NDS7 IRQ Handler (hardcoded RAM address) |
| DS Memory Maps |
00000000h Instruction TCM (32KB) (not moveable) (mirror-able to 1000000h) 0xxxx000h Data TCM (16KB) (moveable) 02000000h Main Memory (4MB) 03000000h Shared WRAM (0KB, 16KB, or 32KB can be allocated to ARM9) 04000000h ARM9-I/O Ports 05000000h Standard Palettes (2KB) (Engine A BG/OBJ, Engine B BG/OBJ) 06000000h VRAM - Engine A, BG VRAM (max 512KB) 06200000h VRAM - Engine B, BG VRAM (max 128KB) 06400000h VRAM - Engine A, OBJ VRAM (max 256KB) 06600000h VRAM - Engine B, OBJ VRAM (max 128KB) 06800000h VRAM - "LCDC"-allocated (max 656KB) 07000000h OAM (2KB) (Engine A, Engine B) 08000000h GBA Slot ROM (max 32MB) 0A000000h GBA Slot RAM (max 64KB) FFFF0000h ARM9-BIOS (32KB) (only 3K used) |
00000000h ARM7-BIOS (16KB) 02000000h Main Memory (4MB) 03000000h Shared WRAM (0KB, 16KB, or 32KB can be allocated to ARM7) 03800000h ARM7-WRAM (64KB) 04000000h ARM7-I/O Ports 04800000h Wireless Communications Wait State 0 (8KB RAM at 4804000h) 04808000h Wireless Communications Wait State 1 (I/O Ports at 4808000h) 06000000h VRAM allocated as Work RAM to ARM7 (max 256K) 08000000h GBA Slot ROM (max 32MB) 0A000000h GBA Slot RAM (max 64KB) |
3D Engine Polygon RAM (52KBx2) 3D Engine Vertex RAM (72KBx2) Firmware (256KB) (built-in serial flash memory) GBA-BIOS (16KB) (not used in NDS mode) NDS Slot ROM (serial 8bit-bus, max 4GB with default protocol) NDS Slot FLASH/EEPROM/FRAM (serial 1bit-bus) |
| DS Memory Control |
| DS Memory Control - Cache and TCM |
ITCM 32K, base=00000000h (fixed, not move-able) DTCM 16K, base=moveable (default base=27C0000h) |
Data Cache 4KB, Instruction Cache 8KB 4-way set associative method Cache line 8 words (32 bytes) Read-allocate method (ie. writes are not allocating cache lines) Round-robin and Pseudo-random replacement algorithms selectable Cache Lockdown, Instruction Prefetch, Data Preload Data write-through and write-back modes selectable |
Region Name Address Size Cache WBuf Code Data - Background 00000000h 4GB - - - - 0 I/O and VRAM 04000000h 64MB - - R/W R/W 1 Main Memory 02000000h 4MB On On R/W R/W 2 ARM7-dedicated 027C0000h 256KB - - - - 3 GBA Slot 08000000h 128MB - - - R/W 4 DTCM 027C0000h 16KB - - - R/W 5 ITCM 01000000h 32KB - - R/W R/W 6 BIOS FFFF0000h 32KB On - R R 7 Shared Work 027FF000h 4KB - - - R/W |
| DS Memory Control - Cartridges and Main RAM |
0-1 32-pin GBA Slot SRAM Access Time (0-3 = 10, 8, 6, 18 cycles) 2-3 32-pin GBA Slot ROM 1st Access Time (0-3 = 10, 8, 6, 18 cycles) 4 32-pin GBA Slot ROM 2nd Access Time (0-1 = 6, 4 cycles) 5-6 32-pin GBA Slot PHI-pin out (0-3 = Low, 4.19MHz, 8.38MHz, 16.76MHz) 7 32-pin GBA Slot Access Rights (0=ARM9, 1=ARM7) 8-10 Not used (always zero) 11 17-pin NDS Slot Access Rights (0=ARM9, 1=ARM7) 12 Not used (always zero) 13 NDS:Always set? ;set/tested by DSi bootcode: Main RAM enable, CE2 pin? 14 Main Memory Interface Mode Switch (0=Async/GBA/Reserved, 1=Synchronous) 15 Main Memory Access Priority (0=ARM9 Priority, 1=ARM7 Priority) |
6 clks --> returns "Addr/2" 8 clks --> returns "Addr/2" 10 clks --> returns "Addr/2 OR FE08h" (or similar garbage) 18 clks --> returns "FFFFh" (High-Z) |
| DS Memory Control - WRAM |
0-1 ARM9/ARM7 (0-3 = 32K/0K, 2nd 16K/1st 16K, 1st 16K/2nd 16K, 0K/32K) 2-7 Not used |
| DS Memory Control - VRAM |
0 VRAM C enabled and allocated to NDS7 (0=No, 1=Yes) 1 VRAM D enabled and allocated to NDS7 (0=No, 1=Yes) 2-7 Not used (always zero) |
0-2 VRAM MST ;Bit2 not used by VRAM-A,B,H,I 3-4 VRAM Offset (0-3) ;Offset not used by VRAM-E,H,I 5-6 Not used 7 VRAM Enable (0=Disable, 1=Enable) |
VRAM SIZE MST OFS ARM9, Plain ARM9-CPU Access (so-called LCDC mode) A 128K 0 - 6800000h-681FFFFh B 128K 0 - 6820000h-683FFFFh C 128K 0 - 6840000h-685FFFFh D 128K 0 - 6860000h-687FFFFh E 64K 0 - 6880000h-688FFFFh F 16K 0 - 6890000h-6893FFFh G 16K 0 - 6894000h-6897FFFh H 32K 0 - 6898000h-689FFFFh I 16K 0 - 68A0000h-68A3FFFh VRAM SIZE MST OFS ARM9, 2D Graphics Engine A, BG-VRAM (max 512K) A,B,C,D 128K 1 0..3 6000000h+(20000h*OFS) E 64K 1 - 6000000h F,G 16K 1 0..3 6000000h+(4000h*OFS.0)+(10000h*OFS.1) VRAM SIZE MST OFS ARM9, 2D Graphics Engine A, OBJ-VRAM (max 256K) A,B 128K 2 0..1 6400000h+(20000h*OFS.0) ;(OFS.1 must be zero) E 64K 2 - 6400000h F,G 16K 2 0..3 6400000h+(4000h*OFS.0)+(10000h*OFS.1) VRAM SIZE MST OFS 2D Graphics Engine A, BG Extended Palette E 64K 4 - Slot 0-3 ;only lower 32K used F,G 16K 4 0..1 Slot 0-1 (OFS=0), Slot 2-3 (OFS=1) VRAM SIZE MST OFS 2D Graphics Engine A, OBJ Extended Palette F,G 16K 5 - Slot 0 ;16K each (only lower 8K used) VRAM SIZE MST OFS Texture/Rear-plane Image A,B,C,D 128K 3 0..3 Slot OFS(0-3) ;(Slot2-3: Texture, or Rear-plane) VRAM SIZE MST OFS Texture Palette E 64K 3 - Slots 0-3 ;OFS=don't care F,G 16K 3 0..3 Slot (OFS.0*1)+(OFS.1*4) ;ie. Slot 0, 1, 4, or 5 VRAM SIZE MST OFS ARM9, 2D Graphics Engine B, BG-VRAM (max 128K) C 128K 4 - 6200000h H 32K 1 - 6200000h I 16K 1 - 6208000h VRAM SIZE MST OFS ARM9, 2D Graphics Engine B, OBJ-VRAM (max 128K) D 128K 4 - 6600000h I 16K 2 - 6600000h VRAM SIZE MST OFS 2D Graphics Engine B, BG Extended Palette H 32K 2 - Slot 0-3 VRAM SIZE MST OFS 2D Graphics Engine B, OBJ Extended Palette I 16K 3 - Slot 0 ;(only lower 8K used) VRAM SIZE MST OFS <ARM7>, Plain <ARM7>-CPU Access C,D 128K 2 0..1 6000000h+(20000h*OFS.0) ;OFS.1 must be zero |
5000000h Engine A Standard BG Palette (512 bytes) 5000200h Engine A Standard OBJ Palette (512 bytes) 5000400h Engine B Standard BG Palette (512 bytes) 5000600h Engine B Standard OBJ Palette (512 bytes) 7000000h Engine A OAM (1024 bytes) 7000400h Engine B OAM (1024 bytes) |
| DS Memory Control - BIOS |
Opcodes at... Can read from Expl. 0..[BIOSPROT]-1 0..3FFFh Double-protected (when BIOSPROT is set) [BIOSPROT]..3FFFh [BIOSPROT]..3FFFh Normal-protected (always active) |
05ECh ldrb r3,[r3,12h] ;requires incoming r3=src-12h 05EEh pop r2,r4,r6,r7,r15 ;requires dummy values & THUMB retadr on stack |
| DS Memory Timings |
Bus clock = 33MHz (33.513982 MHz) (1FF61FEh Hertz) NDS7 clock = 33MHz (same as bus clock) NDS9 clock = 66MHz (internally twice bus clock; for cache/tcm) |
NDS7/CODE NDS9/CODE N32 S32 N16 S16 Bus N32 S32 N16 S16 Bus 9 2 8 1 16 9 9 4.5 4.5 16 Main RAM (read) (cache off) 1 1 1 1 32 4 4 2 2 32 WRAM,BIOS,I/O,OAM 2 2 1 1 16 5 5 2.5 2.5 16 VRAM,Palette RAM 16 12 10 6 16 19 19 9.5 9.5 16 GBA ROM (example 10,6 access) - - - - - 0.5 0.5 0.5 0.5 32 TCM, Cache_Hit - - - - - (--Load 8 words--) Cache_Miss |
NDS7/DATA NDS9/DATA N32 S32 N16 S16 Bus N32 S32 N16 S16 Bus 10 2 9 1 16 10 2 9 1 16 Main RAM (read) (cache off) 1 1 1 1 32 4 1 4 1 32 WRAM,BIOS,I/O,OAM 1? 2 1 1 16 5 2 4 1 16 VRAM,Palette RAM 15 12 9 6 16 19 12 13 6 16 GBA ROM (example 10,6 access) 9 10 9 10 8 13 10 13 10 8 GBA RAM (example 10 access) - - - - - 0.5 0.5 0.5 - 32 TCM, Cache_Hit - - - - - (--Load 8 words--) Cache_Miss - - - - - 11 11 11 - 32 Cache_Miss (BIOS) - - - - - 23 23 23 - 16 Cache_Miss (Main RAM) |
S16 and N16 do not exist (because thumb-double-fetching) (see there). S32 becomes N32 (ie. the ARM9 does NOT support fast sequential timing). |
Eg. an ARM9 N32 or S32 to 16bit bus will take: N16 + S16 + 3 waits. Eg. an ARM9 N32 or S32 to 32bit bus will take: N32 + 3 waits. |
Eg. LDRH on 16bit-data-bus is N16+3waits. Eg. LDR on 16bit-data-bus is N16+S16+3waits. Eg. LDM on 16bit-data-bus is N16+(n*2-1)*S16+3waits. |
That is NOT true for LDM (works only for LDR/LDRB/LDRH). That is NOT true for DATA in SAME memory region than CODE. That is NOT true for DATA in ITCM (no matter if CODE is in ITCM). |
| DS Video |
| DS Video Stuff |
0-4 Factor used for 6bit R,G,B Intensities (0-16, values >16 same as 16)
Brightness up: New = Old + (63-Old) * Factor/16
Brightness down: New = Old - Old * Factor/16
5-13 Not used
14-15 Mode (0=Disable, 1=Up, 2=Down, 3=Reserved)
16-31 Not used
|
write new LY values only in range of 202..212 write only while old LY values are in range of 202..212 |
Region______Engine A______________Engine B___________ I/O Ports 4000000h 4001000h Palette 5000000h (1K) 5000400h (1K) BG VRAM 6000000h (max 512K) 6200000h (max 128K) OBJ VRAM 6400000h (max 256K) 6600000h (max 128K) OAM 7000000h (1K) 7000400h (1K) |
Bit0-3 "COMMAND" (?) Bit4-7 "COMMAND2" (?) Bit8-11 "COMMAND3" (?) |
| DS Video BG Modes / Control |
Bit Engine Expl. 0-2 A+B BG Mode 3 A BG0 2D/3D Selection (instead CGB Mode) (0=2D, 1=3D) 4 A+B Tile OBJ Mapping (0=2D; max 32KB, 1=1D; max 32KB..256KB) 5 A+B Bitmap OBJ 2D-Dimension (0=128x512 dots, 1=256x256 dots) 6 A+B Bitmap OBJ Mapping (0=2D; max 128KB, 1=1D; max 128KB..256KB) 7-15 A+B Same as GBA 16-17 A+B Display Mode (Engine A: 0..3, Engine B: 0..1, GBA: Green Swap) 18-19 A VRAM block (0..3=VRAM A..D) (For Capture & above Display Mode=2) 20-21 A+B Tile OBJ 1D-Boundary (see Bit4) 22 A Bitmap OBJ 1D-Boundary (see Bit5-6) 23 A+B OBJ Processing during H-Blank (was located in Bit5 on GBA) 24-26 A Character Base (in 64K steps) (merged with 16K step in BGxCNT) 27-29 A Screen Base (in 64K steps) (merged with 2K step in BGxCNT) 30 A+B BG Extended Palettes (0=Disable, 1=Enable) 31 A+B OBJ Extended Palettes (0=Disable, 1=Enable) |
Mode BG0 BG1 BG2 BG3 0 Text/3D Text Text Text 1 Text/3D Text Text Affine 2 Text/3D Text Affine Affine 3 Text/3D Text Text Extended 4 Text/3D Text Affine Extended 5 Text/3D Text Extended Extended 6 3D - Large - |
BGxCNT.Bit7 BGxCNT.Bit2 Extended Affine Mode Selection 0 CharBaseLsb rot/scal with 16bit bgmap entries (Text+Affine mixup) 1 0 rot/scal 256 color bitmap 1 1 rot/scal direct color bitmap |
0 Display off (screen becomes white) 1 Graphics Display (normal BG and OBJ layers) 2 Engine A only: VRAM Display (Bitmap from block selected in DISPCNT.18-19) 3 Engine A only: Main Memory Display (Bitmap DMA transfer from Main RAM) |
engine A screen base: BGxCNT.bits*2K + DISPCNT.bits*64K engine B screen base: BGxCNT.bits*2K + 0 engine A char base: BGxCNT.bits*16K + DISPCNT.bits*64K engine B char base: BGxCNT.bits*16K + 0 |
bgcnt size text rotscal bitmap large bmp 0 256x256 128x128 128x128 512x1024 1 512x256 256x256 256x256 1024x512 2 256x512 512x512 512x256 - 3 512x512 1024x1024 512x512 - |
for BG0CNT, BG1CNT only: bit13 selects extended palette slot
(BG0: 0=Slot0, 1=Slot2, BG1: 0=Slot1, 1=Slot3)
|
| DS Video OBJs |
Bit4 Bit20-21 Dimension Boundary Total ;Notes 0 x 2D 32 32K ;Same as GBA 2D Mapping 1 0 1D 32 32K ;Same as GBA 1D Mapping 1 1 1D 64 64K 1 2 1D 128 128K 1 3 1D 256 256K ;Engine B: 128K max |
Bit6 Bit5 Bit22 Dimension Boundary Total ;Notes 0 0 x 2D/128 dots 8x8 dots 128K ;Source Bitmap width 128 dots 0 1 x 2D/256 dots 8x8 dots 128K ;Source Bitmap width 256 dots 1 0 0 1D 128 bytes 128K ;Source Width = Target Width 1 0 1 1D 256 bytes 256K ;Engine A only 1 1 x Reserved |
1D_BitmapVramAddress = TileNumber(0..3FFh) * BoundaryValue(128..256) 2D_BitmapVramAddress = (TileNo AND MaskX)*10h + (TileNo AND NOT MaskX)*80h |
| DS Video Extended Palettes |
standard palette --> 16-color tiles (with 16bit bgmap entries) (text)
256-color tiles (with 8bit bgmap entries) (rot/scal)
256-color bitmaps
backdrop-color (color 0)
extended palette --> 256-color tiles (with 16bit bgmap entries)(text,rot/scal)
|
16 colors x 16 palettes --> standard palette memory (=256 colors) 256 colors x 16 palettes --> extended palette memory (=4096 colors) |
| DS Video Capture and Main Memory Display Mode |
0-4 EVA (0..16 = Blending Factor for Source A) 5-7 Not used 8-12 EVB (0..16 = Blending Factor for Source B) 13-15 Not used 16-17 VRAM Write Block (0..3 = VRAM A..D) (VRAM must be allocated to LCDC) 18-19 VRAM Write Offset (0=00000h, 0=08000h, 0=10000h, 0=18000h) 20-21 Capture Size (0=128x128, 1=256x64, 2=256x128, 3=256x192 dots) 22-23 Not used 24 Source A (0=Graphics Screen BG+3D+OBJ, 1=3D Screen) 25 Source B (0=VRAM, 1=Main Memory Display FIFO) 26-27 VRAM Read Offset (0=00000h, 0=08000h, 0=10000h, 0=18000h) 28 Not used 29-30 Capture Source (0=Source A, 1=Source B, 2/3=Sources A+B blended) 31 Capture Enable (0=Disable/Ready, 1=Enable/Busy) |
Dest_Intensity = ( (SrcA_Intensitity * SrcA_Alpha * EVA)
+ (SrcB_Intensitity * SrcB_Alpha * EVB) ) / 16
Dest_Alpha = (SrcA_Alpha AND (EVA>0)) OR (SrcB_Alpha AND EVB>0))
|
- to Screen A (set DISPCNT to Main Memory Display mode), or - to Display Capture unit (set DISPCAPCNT to Main Memory Source). |
| DS Video Display System Block Diagram |
_____________ __________
VRAM A -->| 2D Graphics |--------OBJ->| |
VRAM B -->| Engine A |--------BG3->| Layering |
VRAM C -->| |--------BG2->| and |
VRAM D -->| |--------BG1->| Special |
VRAM E -->| | ___ | Effects |
VRAM F -->| |->|SEL| | | ______
VRAM G -->| - - - - - - | |BG0|-BG0->| |----+--->| |
| 3D Graphics |->|___| |__________| | |Select|
| Engine | | |Video |
|_____________|--------3D----------------+ | |Input |
_______ _______ ___ | | | |
| | | |<-----------|SEL|<-+ | |and |-->
| | | | _____ |A | | | |
VRAM A <--|Select | |Select | | |<-|___|<----+ |Master|
VRAM B <--|Capture|<---|Capture|<--|Blend| ___ |Bright|
VRAM C <--|Dest. | |Source | |_____|<-|SEL|<----+ |A |
VRAM D <--| | | | |B | | | |
|_______| |_______|<-----------|___|<-+ | | |
_______ | | | |
VRAM A -->|Select | | | | |
VRAM B -->|Display|--------------------------------+------>| |
VRAM C -->|VRAM | | | |
VRAM D -->|_______| _____________ | | |
|Main Memory | | | |
Main ------DMA---->|Display FIFO |------------------+--->|______|
Memory |_____________|
_____________ __________ ______
VRAM C -->| 2D Graphics |--------OBJ->| Layering | | |
VRAM D -->| Engine B |--------BG3->| and | |Master|
VRAM H -->| |--------BG2->| Special |-------->|Bright|-->
VRAM I -->| |--------BG1->| Effects | |B |
|_____________|--------BG0->|__________| |______|
|
| DS 3D Video |
| DS 3D Overview |
| DS 3D I/O Map |
Address Siz Name Expl. Rendering Engine (per Frame settings) 4000060h 2 DISP3DCNT 3D Display Control Register (R/W) 4000320h 1 RDLINES_COUNT Rendered Line Count Register (R) 4000330h 10h EDGE_COLOR Edge Colors 0..7 (W) 4000340h 1 ALPHA_TEST_REF Alpha-Test Comparision Value (W) 4000350h 4 CLEAR_COLOR Clear Color Attribute Register (W) 4000354h 2 CLEAR_DEPTH Clear Depth Register (W) 4000356h 2 CLRIMAGE_OFFSET Rear-plane Bitmap Scroll Offsets (W) 4000358h 4 FOG_COLOR Fog Color (W) 400035Ch 2 FOG_OFFSET Fog Depth Offset (W) 4000360h 20h FOG_TABLE Fog Density Table, 32 entries (W) 4000380h 40h TOON_TABLE Toon Table, 32 colors (W) Geometry Engine (per Polygon/Vertex settings) 4000400h 40h GXFIFO Geometry Command FIFO (W) 4000440h ... ... Geometry Command Ports (see below) 4000600h 4 GXSTAT Geometry Engine Status Register (R and R/W) 4000604h 4 RAM_COUNT Polygon List & Vertex RAM Count Register (R) 4000610h 2 DISP_1DOT_DEPTH 1-Dot Polygon Display Boundary Depth (W) 4000620h 10h POS_RESULT Position Test Results (R) 4000630h 6 VEC_RESULT Vector Test Results (R) 4000640h 40h CLIPMTX_RESULT Read Current Clip Coordinates Matrix (R) 4000680h 24h VECMTX_RESULT Read Current Directional Vector Matrix (R) |
Address Cmd Pa.Cy. N/A 00h - - NOP - No Operation (for padding packed GXFIFO commands) 4000440h 10h 1 1 MTX_MODE - Set Matrix Mode (W) 4000444h 11h - 17 MTX_PUSH - Push Current Matrix on Stack (W) 4000448h 12h 1 36 MTX_POP - Pop Current Matrix from Stack (W) 400044Ch 13h 1 17 MTX_STORE - Store Current Matrix on Stack (W) 4000450h 14h 1 36 MTX_RESTORE - Restore Current Matrix from Stack (W) 4000454h 15h - 19 MTX_IDENTITY - Load Unit Matrix to Current Matrix (W) 4000458h 16h 16 34 MTX_LOAD_4x4 - Load 4x4 Matrix to Current Matrix (W) 400045Ch 17h 12 30 MTX_LOAD_4x3 - Load 4x3 Matrix to Current Matrix (W) 4000460h 18h 16 35* MTX_MULT_4x4 - Multiply Current Matrix by 4x4 Matrix (W) 4000464h 19h 12 31* MTX_MULT_4x3 - Multiply Current Matrix by 4x3 Matrix (W) 4000468h 1Ah 9 28* MTX_MULT_3x3 - Multiply Current Matrix by 3x3 Matrix (W) 400046Ch 1Bh 3 22 MTX_SCALE - Multiply Current Matrix by Scale Matrix (W) 4000470h 1Ch 3 22* MTX_TRANS - Mult. Curr. Matrix by Translation Matrix (W) 4000480h 20h 1 1 COLOR - Directly Set Vertex Color (W) 4000484h 21h 1 9* NORMAL - Set Normal Vector (W) 4000488h 22h 1 1 TEXCOORD - Set Texture Coordinates (W) 400048Ch 23h 2 9 VTX_16 - Set Vertex XYZ Coordinates (W) 4000490h 24h 1 8 VTX_10 - Set Vertex XYZ Coordinates (W) 4000494h 25h 1 8 VTX_XY - Set Vertex XY Coordinates (W) 4000498h 26h 1 8 VTX_XZ - Set Vertex XZ Coordinates (W) 400049Ch 27h 1 8 VTX_YZ - Set Vertex YZ Coordinates (W) 40004A0h 28h 1 8 VTX_DIFF - Set Relative Vertex Coordinates (W) 40004A4h 29h 1 1 POLYGON_ATTR - Set Polygon Attributes (W) 40004A8h 2Ah 1 1 TEXIMAGE_PARAM - Set Texture Parameters (W) 40004ACh 2Bh 1 1 PLTT_BASE - Set Texture Palette Base Address (W) 40004C0h 30h 1 4 DIF_AMB - MaterialColor0 - Diffuse/Ambient Reflect. (W) 40004C4h 31h 1 4 SPE_EMI - MaterialColor1 - Specular Ref. & Emission (W) 40004C8h 32h 1 6 LIGHT_VECTOR - Set Light's Directional Vector (W) 40004CCh 33h 1 1 LIGHT_COLOR - Set Light Color (W) 40004D0h 34h 32 32 SHININESS - Specular Reflection Shininess Table (W) 4000500h 40h 1 1 BEGIN_VTXS - Start of Vertex List (W) 4000504h 41h - 1 END_VTXS - End of Vertex List (W) 4000540h 50h 1 392 SWAP_BUFFERS - Swap Rendering Engine Buffer (W) 4000580h 60h 1 1 VIEWPORT - Set Viewport (W) 40005C0h 70h 3 103 BOX_TEST - Test if Cuboid Sits inside View Volume (W) 40005C4h 71h 2 9 POS_TEST - Set Position Coordinates for Test (W) 40005C8h 72h 1 5 VEC_TEST - Set Directional Vector for Test (W) |
| DS 3D Display Control |
0 Texture Mapping (0=Disable, 1=Enable) 1 PolygonAttr Shading (0=Toon Shading, 1=Highlight Shading) 2 Alpha-Test (0=Disable, 1=Enable) (see ALPHA_TEST_REF) 3 Alpha-Blending (0=Disable, 1=Enable) (see various Alpha values) 4 Anti-Aliasing (0=Disable, 1=Enable) 5 Edge-Marking (0=Disable, 1=Enable) (see EDGE_COLOR) 6 Fog Color/Alpha Mode (0=Alpha and Color, 1=Only Alpha) (see FOG_COLOR) 7 Fog Master Enable (0=Disable, 1=Enable) 8-11 Fog Depth Shift (FOG_STEP=400h shr FOG_SHIFT) (see FOG_OFFSET) 12 Color Buffer RDLINES Underflow (0=None, 1=Underflow/Acknowledge) 13 Polygon/Vertex RAM Overflow (0=None, 1=Overflow/Acknowledge) 14 Rear-Plane Mode (0=Blank, 1=Bitmap) 15-31 Not used |
0 Translucent polygon Y-sorting (0=Auto-sort, 1=Manual-sort)
1 Depth Buffering (0=With Z-value, 1=With W-value)
(mode 1 does not function properly with orthogonal projections)
2-31 Not used
|
0-7 Screen/BG0 Coordinate X1 (0..255) (For Fullscreen: 0=Left-most) 8-15 Screen/BG0 Coordinate Y1 (0..191) (For Fullscreen: 0=Bottom-most) 16-23 Screen/BG0 Coordinate X2 (0..255) (For Fullscreen: 255=Right-most) 24-31 Screen/BG0 Coordinate Y2 (0..191) (For Fullscreen: 191=Top-most) |
0-14 W-Coordinate (Unsigned, 12bit integer, 3bit fractional part) 15-31 Not used (0000h=Closest, 7FFFh=Most Distant) |
0-4 Alpha-Test Comparision Value (0..31) (Draw pixels if Alpha>AlphaRef) 5-31 Not used |
| DS 3D Geometry Commands |
0-7 First Packed Command (or Unpacked Command) 8-15 Second Packed Command (or 00h=None) 16-23 Third Packed Command (or 00h=None) 24-31 Fourth Packed Command (or 00h=None) |
0-31 Parameter data for the previously sent (packed) command(s) |
- command1 (upper 24bit zero) - parameter(s) for command1 (if any) - command2 (upper 24bit zero) - parameter(s) for command2 (if any) - command3 (upper 24bit zero) - parameter(s) for command3 (if any) |
- command1,2,3,4 packed into one 32bit value (all bits used) - parameter(s) for command1 (if any) - parameter(s) for command2 (if any) - parameter(s) for command3 (if any) - parameter(s) for command4 (top-most packed command MUST have parameters) - command5,6 packed into one 32bit value (upper 16bit zero) - parameter(s) for command5 (if any) - parameter(s) for command6 (top-most packed command MUST have parameters) - command7,8,9 packed into one 32bit value (upper 8bit zero) - parameter(s) for command7 (if any) - parameter(s) for command8 (if any) - parameter(s) for command9 (top-most packed command MUST have parameters) |
| DS 3D Matrix Load/Multiply |
0-1 Matrix Mode (0..3)
0 Projection Matrix
1 Position Matrix (aka Modelview Matrix)
2 Position & Vector Simultaneous Set mode (used for Light+VEC_TEST)
3 Texture Matrix (see DS 3D Texture Coordinates chapter)
2-31 Not used
|
MTX_SCALE in Mode 2: uses ONLY Position Matrix MTX_PUSH/POP/STORE/RESTORE in Mode 1: uses BOTH Position AND Vector Matrices |
vice-versa for the scale command. |
ClipMatrix = PositionMatrix * ProjectionMatrix |
| DS 3D Matrix Types |
_ 4x4 Matrix _ _ Identity Matrix _ | m[0] m[1] m[2] m[3] | | 1.0 0 0 0 | | m[4] m[5] m[6] m[7] | | 0 1.0 0 0 | | m[8] m[9] m[10] m[11] | | 0 0 1.0 0 | |_m[12] m[13] m[14] m[15]_| |_ 0 0 0 1.0 _| |
_ 4x3 Matrix _ _ Translation Matrix _ | m[0] m[1] m[2] 0 | | 1.0 0 0 0 | | m[3] m[4] m[5] 0 | | 0 1.0 0 0 | | m[6] m[7] m[8] 0 | | 0 0 1.0 0 | |_m[9] m[10] m[11] 1.0 _| |_m[0] m[1] m[2] 1.0 _| |
_ 3x3 Matrix _ _ Scale Matrix _ | m[0] m[1] m[2] 0 | | m[0] 0 0 0 | | m[3] m[4] m[5] 0 | | 0 m[1] 0 0 | | m[6] m[7] m[8] 0 | | 0 0 m[2] 0 | |_ 0 0 0 1.0 _| |_ 0 0 0 1.0 _| |
| DS 3D Matrix Stack |
Matrix Stack________Valid Stack Area____Stack Pointer___________________ Projection Stack 0..0 (1 entry) 0..1 (1bit) (GXSTAT: 1bit) Coordinate Stack 0..30 (31 entries) 0..63 (6bit) (GXSTAT: 5bit only) Directional Stack 0..30 (31 entries) (uses Coordinate Stack Pointer) Texture Stack One..None? 0..1 (1bit) (GXSTAT: N/A) |
MTX_MODE = 0 --> Projection Stack MTX_MODE = 1 or 2 --> BOTH Coordinate AND Directional Stack MTX_MODE = 3 --> Texture Stack |
Parameter Bit0-5: Stack Offset (signed value, -30..+31) (usually +1) Parameter Bit6-31: Not used |
Parameter Bit0-4: Stack Address (0..30) (31 causes overflow in GXSTAT.15) Parameter Bit5-31: Not used |
Parameter Bit0-4: Stack Address (0..30) (31 causes overflow in GXSTAT.15) Parameter Bit5-31: Not used |
| DS 3D Matrix Examples (Projection) |
Perspective Projection Orthogonal Projection
__ __________
top __..--'' | top | |
| view | | view |
Eye ----|--------->| Eye ----|--------->|
|__volume | | volume |
bottom ''--..__| bottom|__________|
near far near far
|
| (2.0)/(r-l) 0 0 0 | | 0 (2.0)/(t-b) 0 0 | | 0 0 (2.0)/(n-f) 0 | | (l+r)/(l-r) (b+t)/(b-t) (n+f)/(n-f) 1.0 | |
| (2*n)/(r-l) 0 0 0 | | 0 (2*n)/(t-b) 0 0 | | (r+l)/(r-l) (t+b)/(t-b) (n+f)/(n-f) -1.0 | | 0 0 (2*n*f)/(n-f) 0 | |
| cos/(asp*sin) 0 0 0 | | 0 cos/sin 0 0 | | 0 0 (n+f)/(n-f) -1.0 | | 0 0 (2*n*f)/(n-f) 0 | |
| DS 3D Matrix Examples (Rotate/Scale/Translate) |
Load(Identity) ;no rotation/scaling used Load(Identity), Mul(Rotate), Mul(Scale) ;rotation/scaling (not so efficient) Load(Rotate), Mul(Scale) ;rotation/scaling (more efficient) |
Around X-Axis Around Y-Axis Around Z-Axis | 1.0 0 0 | | cos 0 sin | | cos sin 0 | | 0 cos sin | | 0 1.0 0 | | -sin cos 0 | | 0 -sin cos | | -sin 0 cos | | 0 0 1.0 | |
| DS 3D Matrix Examples (Maths Basics) |
| c11 c12 c13 c14 | | a11 a12 a13 a14 | | b11 b12 b13 b14 | | c21 c22 c23 c24 | = | a21 a22 a23 a24 | * | b21 b22 b23 b24 | | c31 c32 c33 c34 | | a31 a32 a33 a34 | | b31 b32 b33 b34 | | c41 c42 c43 c44 | | a41 a42 a43 a44 | | b41 b42 b43 b44 | |
cyx = ay1*b1x + ay2*b2x + ay3*b3x + ay4*b4x |
| b11 b12 b13 b14 |
| c11 c12 c13 c14 | = | a11 a12 a13 a14 | * | b21 b22 b23 b24 |
| b31 b32 b33 b34 |
| b41 b42 b43 b44 |
|
cyx = ay1*b1x + ay2*b2x + ay3*b3x + ay4*b4x |
cyx = ayx*n |
cyx = ayx +/- byx |
cyx = ay1*b1x + ay2*b2x + ay3*b3x + ay4*b4x |
| DS 3D Polygon Attributes |
0-3 Light 0..3 Enable Flags (each bit: 0=Disable, 1=Enable) 4-5 Polygon Mode (0=Modulation,1=Decal,2=Toon/Highlight Shading,3=Shadow) 6 Polygon Back Surface (0=Hide, 1=Render) ;Line-segments are always 7 Polygon Front Surface (0=Hide, 1=Render) ;rendered (no front/back) 8-10 Not used 11 Depth-value for Translucent Pixels (0=Keep Old, 1=Set New Depth) 12 Far-plane intersecting polygons (0=Hide, 1=Render/clipped) 13 1-Dot polygons behind DISP_1DOT_DEPTH (0=Hide, 1=Render) 14 Depth Test, Draw Pixels with Depth (0=Less, 1=Equal) (usually 0) 15 Fog Enable (0=Disable, 1=Enable) 16-20 Alpha (0=Wire-Frame, 1..30=Translucent, 31=Solid) 21-23 Not used 24-29 Polygon ID (00h..3Fh, used for translucent, shadow, and edge-marking) 30-31 Not used |
Parameter 1, Bit 0-4 Red Parameter 1, Bit 5-9 Green Parameter 1, Bit 10-14 Blue Parameter 1, Bit 15-31 Not used |
| DS 3D Polygon Definitions by Vertices |
Separate Tri. Triangle Strips Line Segment v0 v2___v4____v6 |\ v3 /|\ |\ /\ v0 v1 | \ /\ v0( | \ | \ / \ ------ |__\ /__\ \|__\|__\/____\ v2 v1 v2 v4 v5 v1 v3 v5 v7 |
Separate Quads Quadliteral Strips Prohibited Quads
v0__v3 v0__v2____v4 v10__ v0__v3 v4
/ \ v4____v7 / \ |\ _____ / /v11 \/ |\
/ \ | \ / \ | |v6 v8| / /\ v5| \
/______\ |_____\ /______\___|_|_____|/ /__\ /___\
v1 v2 v5 v6 v1 v3 v5 v7 v9 v2 v1 v6 v7
|
Parameter 1, Bit 0-1 Primitive Type (0..3, see below) Parameter 1, Bit 2-31 Not used |
0 Separate Triangle(s) ;3*N vertices per N triangles 1 Separate Quadliteral(s) ;4*N vertices per N quads 2 Triangle Strips ;3+(N-1) vertices per N triangles 3 Quadliteral Strips ;4+(N-1)*2 vertices per N quads |
Parameter 1, Bit 0-15 X-Coordinate (signed, with 12bit fractional part) Parameter 1, Bit 16-31 Y-Coordinate (signed, with 12bit fractional part) Parameter 2, Bit 0-15 Z-Coordinate (signed, with 12bit fractional part) Parameter 2, Bit 16-31 Not used |
Parameter 1, Bit 0-9 X-Coordinate (signed, with 6bit fractional part) Parameter 1, Bit 10-19 Y-Coordinate (signed, with 6bit fractional part) Parameter 1, Bit 20-29 Z-Coordinate (signed, with 6bit fractional part) Parameter 1, Bit 30-31 Not used |
Parameter 1, Bit 0-15 X-Coordinate (signed, with 12bit fractional part) Parameter 1, Bit 16-31 Y-Coordinate (signed, with 12bit fractional part) |
Parameter 1, Bit 0-15 X-Coordinate (signed, with 12bit fractional part) Parameter 1, Bit 16-31 Z-Coordinate (signed, with 12bit fractional part) |
Parameter 1, Bit 0-15 Y-Coordinate (signed, with 12bit fractional part) Parameter 1, Bit 16-31 Z-Coordinate (signed, with 12bit fractional part) |
Parameter 1, Bit 0-9 X-Difference (signed, with 9/12bit fractional part) Parameter 1, Bit 10-19 Y-Difference (signed, with 9/12bit fractional part) Parameter 1, Bit 20-29 Z-Difference (signed, with 9/12bit fractional part) Parameter 1, Bit 30-31 Not used |
( xx, yy, zz, ww ) = ( x, y, z, 1.0 ) * ClipMatrix |
screen_x = (xx+ww)*viewport_width / (2*ww) + viewport_x1 screen_y = (yy+ww)*viewport_height / (2*ww) + viewport_y1 |
| DS 3D Polygon Light Parameters |
0-9 Directional Vector's X component (1bit sign + 9bit fractional part) 10-19 Directional Vector's Y component (1bit sign + 9bit fractional part) 20-29 Directional Vector's Z component (1bit sign + 9bit fractional part) 30-31 Light Number (0..3) |
0-4 Red (0..1Fh) ;\light color this will be combined with 5-9 Green (0..1Fh) ; diffuse, specular, and ambient colors 10-14 Blue (0..1Fh) ;/upon execution of the normal command 15-29 Not used 30-31 Light Number (0..3) |
0-4 Diffuse Reflection Red ;\light(s) that directly hits the polygon, 5-9 Diffuse Reflection Green ; ie. max when NormalVector has opposite 10-14 Diffuse Reflection Blue ;/direction of LightVector 15 Set Vertex Color (0=No, 1=Set Diffuse Reflection Color as Vertex Color) 16-20 Ambient Reflection Red ;\light(s) that indirectly hits the polygon, 21-25 Ambient Reflection Green ; ie. assuming that light is reflected by 26-30 Ambient Reflection Blue ;/walls/floor, regardless of LightVector 31 Not used |
0-4 Specular Reflection Red ;\light(s) reflected towards the camera, 5-9 Specular Reflection Green ; ie. max when NormalVector is in middle of 10-14 Specular Reflection Blue ;/LightVector and ViewDirection 15 Specular Reflection Shininess Table (0=Disable, 1=Enable) 16-20 Emission Red ;\light emitted by the polygon itself, 21-25 Emission Green ; ie. regardless of light colors/vectors, 26-30 Emission Blue ;/and no matter if any lights are enabled 31 Not used |
0-7 Shininess 0 (unsigned fixed-point, 0bit integer, 8bit fractional part)
8-15 Shininess 1 ("")
16-23 Shininess 2 ("")
24-31 Shininess 3 ("")
|
0-9 X-Component of Normal Vector (1bit sign + 9bit fractional part) 10-19 Y-Component of Normal Vector (1bit sign + 9bit fractional part) 20-29 Z-Component of Normal Vector (1bit sign + 9bit fractional part) 30-31 Not used |
IF TexCoordTransformMode=2 THEN TexCoord=NormalVector*Matrix (see TexCoord)
NormalVector=NormalVector*DirectionalMatrix
VertexColor = EmissionColor
FOR i=0 to 3
IF PolygonAttrLight[i]=enabled THEN
DiffuseLevel = max(0,-(LightVector[i]*NormalVector))
ShininessLevel = max(0,(-HalfVector[i])*(NormalVector))^2
IF TableEnabled THEN ShininessLevel = ShininessTable[ShininessLevel]
;note: below processed separately for the R,G,B color components...
VertexColor = VertexColor + SpecularColor*LightColor[i]*ShininessLevel
VertexColor = VertexColor + DiffuseColor*LightColor[i]*DiffuseLevel
VertexColor = VertexColor + AmbientColor*LightColor[i]
ENDIF
NEXT i
|
LightVector[i] = (LightVector*DirectionalMatrix) HalfVector[i] = (LightVector[i]+LineOfSightVector)/2 |
LineOfSightVector = (0,0,-1.0) |
Specular Reflection WON'T WORK when the ProjectionMatrix is rotated (!) |
| DS 3D Shadow Polygons |
| DS 3D Texture Attributes |
Parameter 1, Bit 0-15 S-Coordinate (X-Coordinate in Texture Source) Parameter 1, Bit 16-31 T-Coordinate (Y-Coordinate in Texture Source) Both values are 1bit sign + 11bit integer + 4bit fractional part. A value of 1.0 (=1 SHL 4) equals to one Texel. |
0-15 Texture VRAM Offset div 8 (0..FFFFh -> 512K RAM in Slot 0,1,2,3)
(VRAM must be allocated as Texture data, see Memory Control chapter)
16 Repeat in S Direction (0=Clamp Texture, 1=Repeat Texture)
17 Repeat in T Direction (0=Clamp Texture, 1=Repeat Texture)
18 Flip in S Direction (0=No, 1=Flip each 2nd Texture) (requires Repeat)
19 Flip in T Direction (0=No, 1=Flip each 2nd Texture) (requires Repeat)
20-22 Texture S-Size (for N=0..7: Size=(8 SHL N); ie. 8..1024 texels)
23-25 Texture T-Size (for N=0..7: Size=(8 SHL N); ie. 8..1024 texels)
26-28 Texture Format (0..7, see below)
29 Color 0 of 4/16/256-Color Palettes (0=Displayed, 1=Made Transparent)
30-31 Texture Coordinates Transformation Mode (0..3, see below)
|
0 No Texture 1 A3I5 Translucent Texture 2 4-Color Palette Texture 3 16-Color Palette Texture 4 256-Color Palette Texture 5 4x4-Texel Compressed Texture 6 A5I3 Translucent Texture 7 Direct Texture |
0 Do not Transform texture coordinates 1 TexCoord source 2 Normal source 3 Vertex source |
Clamp _____ Repeat Repeat+Flip _____/ /////////// /\/\/\/\/\/ |
0-12 Palette Base Address (div8 or div10h, see below)
(Not used for Texture Format 7: Direct Color Texture)
(0..FFF8h/8 for Texture Format 2: ie. 4-color-palette Texture)
(0..17FF0h/10h for all other Texture formats)
13-31 Not used
|
| DS 3D Texture Formats |
Bit0-4: Color Index (0..31) of a 32-color Palette Bit5-7: Alpha (0..7; 0=Transparent, 7=Solid) |
Bit0-2: Color Index (0..7) of a 8-color Palette Bit3-7: Alpha (0..31; 0=Transparent, 31=Solid) |
Bit0-7 Upper 4-Texel row (LSB=first/left-most Texel)
Bit8-15 Next 4-Texel row ("")
Bit16-23 Next 4-Texel row ("")
Bit24-31 Lower 4-Texel row ("")
|
Bit0-13 Palette Offset in 4-byte steps; Addr=(PLTT_BASE*10h)+(Offset*4) Bit14-15 Transparent/Interpolation Mode (0..3, see below) |
slot1_addr = slot0_addr / 2 ;lower 64K of Slot1 assoc to Slot0 slot1_addr = slot2_addr / 2 + 10000h ;upper 64K of Slot1 assoc to Slot2 |
Texel Mode 0 Mode 1 Mode 2 Mode 3 0 Color 0 Color0 Color 0 Color 0 1 Color 1 Color1 Color 1 Color 1 2 Color 2 (Color0+Color1)/2 Color 2 (Color0*5+Color1*3)/8 3 Transparent Transparent Color 3 (Color0*3+Color1*5)/8 |
| DS 3D Texture Coordinates |
( S' T' ) = ( S T ) |
| m[0] m[1] |
( S' T' ) = ( S T 1/16 1/16 ) * | m[4] m[5] |
| m[8] m[9] |
| m[12] m[13] |
|
| m[0] m[1] |
( S' T' ) = ( Nx Ny Nz 1.0 ) * | m[4] m[5] |
| m[8] m[9] |
| S T |
|
| m[0] m[1] |
( S' T' ) = ( Vx Vy Vz 1.0 ) * | m[4] m[5] |
| m[8] m[9] |
| S T |
|
Matrix m[..] 1+19+12 (32bit) Vertex Vx,Vy,Vz 1+3+12 (16bit) Normal Nx,Ny,Nz 1+0+9 (10bit) Constant 1.0 0+1+0 (1bit) Constant 1/16 0+0+4 (4bit) TexCoord S,T 1+11+4 (16bit) Result S',T' 1+11+4 (16bit) <-------- clipped to that size ! |
| DS 3D Texture Blending |
R = ((Rt+1)*(Rv+1)-1)/64 G = ((Gt+1)*(Gv+1)-1)/64 B = ((Bt+1)*(Bv+1)-1)/64 A = ((At+1)*(Av+1)-1)/64 |
R = (Rt*At + Rv*(63-At))/64 ;except, when At=0: R=Rv, when At=31: R=Rt G = (Gt*At + Gv*(63-At))/64 ;except, when At=0: G=Gv, when At=31: G=Gt B = (Bt*At + Bv*(63-At))/64 ;except, when At=0: B=Bv, when At=31: B=Bt A = Av |
R = ((Rt+1)*(Rs+1)-1)/64 ;Rs=ToonTableRed[Rv] G = ((Gt+1)*(Gs+1)-1)/64 ;Gs=ToonTableGreen[Rv] B = ((Bt+1)*(Bs+1)-1)/64 ;Bs=ToonTableBlue[Rv] A = ((At+1)*(Av+1)-1)/64 |
R = ((Rt+1)*(Rs+1)-1)/64+Rs ;truncated to MAX=63 G = ((Gt+1)*(Gs+1)-1)/64+Gs ;truncated to MAX=63 B = ((Bt+1)*(Bs+1)-1)/64+Bs ;truncated to MAX=63 A = ((At+1)*(Av+1)-1)/64 |
| DS 3D Toon, Edge, Fog, Alpha-Blending, Anti-Aliasing |
Bit0-4: Red, Bit5-9: Green, Bit10-14: Blue, Bit15: Not Used |
Bit0-4: Red, Bit5-9: Green, Bit10-14: Blue, Bit15: Not Used |
0-4 Fog Color, Red ;\ 5-9 Fog Color, Green ; used only when DISP3DCNT.Bit6 is zero 10-14 Fog Color, Blue ;/ 15 Not used 16-20 Fog Alpha ;-used no matter of DISP3DCNT.Bit6 21-31 Not used |
0-14 Fog Offset (Unsigned) (0..7FFFh) 15-31 Not used |
FogDepthBoundary[n] = FOG_OFFSET + FOG_STEP*(n+1) ;with n = 0..31 |
0-6 Fog Density (00h..7Fh = None..Full) (usually increasing values) 7 Not used |
FrameBuffer[R] = (FogColor[R]*Density + FrameBuffer[R]*(128-Density)) / 128 FrameBuffer[G] = (FogColor[G]*Density + FrameBuffer[G]*(128-Density)) / 128 FrameBuffer[B] = (FogColor[B]*Density + FrameBuffer[B]*(128-Density)) / 128 FrameBuffer[A] = (FogColor[A]*Density + FrameBuffer[A]*(128-Density)) / 128 |
FrameBuf[R] = (Poly[R]*(Poly[A]+1) + FrameBuf[R]*(31-(Poly[A])) / 32 FrameBuf[G] = (Poly[G]*(Poly[A]+1) + FrameBuf[G]*(31-(Poly[A])) / 32 FrameBuf[B] = (Poly[B]*(Poly[A]+1) + FrameBuf[B]*(31-(Poly[A])) / 32 FrameBuf[A] = max(Poly[A],FrameBuf[A]) |
1) Alpha-Blending is disabled (DISP3DCNT.Bit3=0) 2) The polygon pixel is opaque (Poly[A]=31) 3) The old framebuffer value is totally transparent (FrameBuf[A]=0) |
Opaque polygons (except wire-frames) without Edge-Marking and Anti-Aliasing, and, all polygons with vertical right-edges (except line-segments). Plus, Translucent Polys when Alpha-Blending is disabled in DISP3DCNT.Bit3. |
| DS 3D Status |
0 BoxTest,PositionTest,VectorTest Busy (0=Ready, 1=Busy) 1 BoxTest Result (0=All Outside View, 1=Parts or Fully Inside View) 2-7 Not used 8-12 Position & Vector Matrix Stack Level (0..31) (lower 5bit of 6bit value) 13 Projection Matrix Stack Level (0..1) 14 Matrix Stack Busy (0=No, 1=Yes; Currently executing a Push/Pop command) 15 Matrix Stack Overflow/Underflow Error (0=No, 1=Error/Acknowledge/Reset) 16-24 Number of 40bit-entries in Command FIFO (0..256) (24) Command FIFO Full (MSB of above) (0=No, 1=Yes; Full) 25 Command FIFO Less Than Half Full (0=No, 1=Yes; Less than Half-full) 26 Command FIFO Empty (0=No, 1=Yes; Empty) 27 Geometry Engine Busy (0=No, 1=Yes; Busy; Commands are executing) 28-29 Not used 30-31 Command FIFO IRQ (0=Never, 1=Less than half full, 2=Empty, 3=Reserved) |
0-11 Number of Polygons currently stored in Polygon List RAM (0..2048) 12-15 Not used 16-28 Number of Vertices currently stored in Vertex RAM (0..6144) 13-15 Not used |
0-5 Minimum Number (minus 2) of buffered lines in previous frame (0..46) 6-31 Not used |
| DS 3D Tests |
Parameter 1, Bit 0-15 X-Coordinate Parameter 1, Bit 16-31 Y-Coordinate Parameter 2, Bit 0-15 Z-Coordinate Parameter 2, Bit 16-31 Width (presumably: X-Offset?) Parameter 3, Bit 0-15 Height (presumably: Y-Offset?) Parameter 3, Bit 16-31 Depth (presumably: Z-Offset?) All values are 1bit sign, 3bit integer, 12bit fractional part |
Parameter 1, Bit 0-15 X-Coordinate Parameter 1, Bit 16-31 Y-Coordinate Parameter 2, Bit 0-15 Z-Coordinate Parameter 2, Bit 16-31 Not used All values are 1bit sign, 3bit integer, 12bit fractional part. |
Parameter 1, Bit 0-9 X-Component Parameter 1, Bit 10-19 Y-Component Parameter 1, Bit 20-29 Z-Component Parameter 1, Bit 30-31 Not used All values are 1bit sign, 9bit fractional part. |
| DS 3D Rear-Plane |
--> 2D Layers --> 3D Polygons --> 3D Rear-plane --> 2D Layers --> 2D Backdrop |
0-4 Clear Color, Red 5-9 Clear Color, Green 10-14 Clear Color, Blue 15 Fog (enables Fog to the rear-plane) (doesn't affect Fog of polygons) 16-20 Alpha 21-23 Not used 24-29 Clear Polygon ID (affects edge-marking, at the screen-edges?) 30-31 Not used |
0-14 Clear Depth (0..7FFFh) (usually 7FFFh = most distant) 15 Not used 16-31 See Port 4000356h, CLRIMAGE_OFFSET |
Rear Color Bitmap (located in Texture Slot 2)
0-4 Clear Color, Red
5-9 Clear Color, Green
10-14 Clear Color, Blue
15 Alpha (0=Transparent, 1=Solid) (equivalent to 5bit-alpha 0 and 31)
Rear Depth Bitmap (located in Texture Slot 3)
0-14 Clear Depth, expanded to 24bit as X=(X*200h)+((X+1)/8000h)*1FFh
15 Clear Fog (Initial fog enable value)
|
Bit0-7 X-Offset (0..255; 0=upper row of bitmap) Bit8-14 Y-Offset (0..255; 0=left column of bitmap) |
| DS 3D Final 2D Output |
Brightness up/down with BG0 as 1st Target via EVY (as for 2D) Blending with BG0 as 2nd Target via EVA/EVB (as for 2D) Blending with BG0 as 1st Target via 3D Alpha-values (unlike as for 2D) |
| DS Sound |
| DS Sound Channels 0..15 |
Bit0-6 Volume Mul (0..127=silent..loud) Bit7 Not used (always zero) Bit8-9 Volume Div (0=Normal, 1=Div2, 2=Div4, 3=Div16) Bit10-14 Not used (always zero) Bit15 Hold (0=Normal, 1=Hold last sample after one-shot sound) Bit16-22 Panning (0..127=left..right) (64=half volume on both speakers) Bit23 Not used (always zero) Bit24-26 Wave Duty (0..7) ;HIGH=(N+1)*12.5%, LOW=(7-N)*12.5% (PSG only) Bit27-28 Repeat Mode (0=Manual, 1=Loop Infinite, 2=One-Shot, 3=Prohibited) Bit29-30 Format (0=PCM8, 1=PCM16, 2=IMA-ADPCM, 3=PSG/Noise) Bit31 Start/Status (0=Stop, 1=Start/Busy) |
Bit0-26 Source Address (must be word aligned, bit0-1 are always zero) Bit27-31 Not used |
Bit0-15 Timer Value, Sample frequency, timerval=-(33513982Hz/2)/freq |
Bit0-15 Loop Start, Sample loop start position
(counted in words, ie. N*4 bytes)
|
Bit0-21 Sound length (counted in words, ie. N*4 bytes) Bit22-31 Not used |
| DS Sound Control Registers |
Bit0-6 Master Volume (0..127=silent..loud) Bit7 Not used (always zero) Bit8-9 Left Output from (0=Left Mixer, 1=Ch1, 2=Ch3, 3=Ch1+Ch3) Bit10-11 Right Output from (0=Right Mixer, 1=Ch1, 2=Ch3, 3=Ch1+Ch3) Bit12 Output Ch1 to Mixer (0=Yes, 1=No) (both Left/Right) Bit13 Output Ch3 to Mixer (0=Yes, 1=No) (both Left/Right) Bit14 Not used (always zero) Bit15 Master Enable (0=Disable, 1=Enable) Bit16-31 Not used (always zero) |
Bit0-9 Sound Bias (0..3FFh, usually 200h) Bit10-31 Not used (always zero) |
| DS Sound Capture |
Bit0 Control of Associated Sound Channels (ANDed with Bit7)
SNDCAP0CNT: Output Sound Channel 1 (0=As such, 1=Add to Channel 0)
SNDCAP1CNT: Output Sound Channel 3 (0=As such, 1=Add to Channel 2)
Caution: Addition mode works only if BOTH Bit0 and Bit7 are set.
Bit1 Capture Source Selection
SNDCAP0CNT: Capture 0 Source (0=Left Mixer, 1=Channel 0/Bugged)
SNDCAP1CNT: Capture 1 Source (0=Right Mixer, 1=Channel 2/Bugged)
Bit2 Capture Repeat (0=Loop, 1=One-shot)
Bit3 Capture Format (0=PCM16, 1=PCM8)
Bit4-6 Not used (always zero)
Bit7 Capture Start/Status (0=Stop, 1=Start/Busy)
|
Bit0-26 Destination address (word aligned, bit0-1 are always zero) Bit27-31 Not used (always zero) |
Bit0-15 Buffer length (1..FFFFh words) (ie. N*4 bytes) Bit16-31 Not used |
1) Both Negative Bug - SNDCAPxCNT Bit1=1, Bit0=0 (addition disabled) Capture data is accidently set to -8000h if ch(a) and ch(b) are both <0. Otherwise the correct capture result is returned, ie. plain ch(a) data, not being affected by ch(b) (since addition is disabled). Workaround: Ensure that ch(a) and/or ch(b) are >=0 (or disabled). 2) Overflow Bug - SNDCAPxCNT Bit1=1, Bit0=1 (addition enabled) In this mode, Capture data isn't clipped to MinMax(-8000h,+7FFFh), instead, it is ANDed with FFFFh, so the sign bit is lost if the addition result ch(a)+ch(b) is less/greater than -8000h/+7FFFh. Workaround: Reduce ch(a)/ch(b) volume or data to avoid overflows. |
1) Addition Result for Capture(x) when using capture source=ch(a): Addition is performed always, no matter of SOUNDCNT.Bit12/13. And, no matter of ch(a) enable, result is plain ch(b) if ch(a) is disabled. Result is 16bit (plus fraction) with overflow error (see Capture Bugs). 2) Addition Result for Mixer (towards speakers, and capture source=mixer): Ch(b) is muted if ch(a) is disabled. Ch(b) is muted if ch(b) SOUNDCNT.Bit12/13 is set to "Ch(b) not to mixer". Result is 17bit (plus fraction) without overflow error. |
| DS Sound Block Diagrams |
_____
Ch0.L ------------->| | +------------------------------> to Capture 0
___ | | | ___
Ch1.L ---+->|Sel|-->| | | Ch0..Ch15 | |
| |___| |Left |--+---------------->| |
Ch2.L ---|--------->|Mixer| |Sel| ______ ____
| ___ | | Ch1 | | |Master| |Add |
Ch3.L -+-|->|Sel|-->| | +----------------->| |->|Volume|->|Bias|-> L
| | |___| | | | | | |______| |____|
Ch4.L -|-|--------->| | | Ch3 | |
... -|-|--------->| | | +--------------->| |
Ch15.L-|-|--------->|_____| | | ___ | |
| +------------------+-|->|Add| Ch1+Ch3 | |
+----------------------+->|___|-------->|___|
|
____ _________ ___ ___ ___ |FIFO|-->|Channel 0|-->|Vol|-->|Add|-+->|Pan|--> Ch0.L |____| |_________| |___| |___| | |___|--> Ch0.R ____ _________ ___ ^ | |FIFO|<--|Capture 0|<--|Sel|<----|---+ |____| |_ _____ _| |___|<----|-------------- Left Mixer ____ _:Timer:_ ___ _|_ ___ |FIFO|-->|Channel 1|-->|Vol|-->|Sel|--->|Pan|--> Ch1.L |____| |_________| |___| |___| |___|--> Ch1.R |
____ _________ ___ ___ |FIFO|-->|Channel 4|-->|Vol|----------->|Pan|--> Ch4.L |____| |_________| |___| |___|--> Ch4.R |
| DS Sound Notes |
data.vol = data*N/128 pan.left = data*(128-N)/128 pan.right = data*N/128 master.vol = data*N/128/64 |
Step Bits Min Max 0 Incoming PCM16 Data 16.0 -8000h +7FFFh 1 Volume Divider (div 1..16) 16.4 -8000h +7FFFh 2 Volume Factor (mul N/128) 16.11 -8000h +7FFFh 3 Panning (mul N/128) 16.18 -8000h +7FFFh 4 Rounding Down (strip 10bit) 16.8 -8000h +7FFFh 5 Mixer (add channel 0..15) 20.8 -80000h +7FFF0h 6 Master Volume (mul N/128/64) 14.21 -2000h +1FF0h 7 Strip fraction 14.0 -2000h +1FF0h 8 Add Bias (0..3FFh, def=200h) 15.0 -2000h+0 +1FF0h+3FFh 9 Clip (min/max 0h..3FFh) 10.0 0 +3FFh |
0 12.5% "_______-_______-_______-" 1 25.0% "______--______--______--" 2 37.5% "_____---_____---_____---" 3 50.0% "____----____----____----" 4 62.5% "___-----___-----___-----" 5 75.0% "__------__------__------" 6 87.5% "_-------_-------_-------" 7 0.0% "________________________" |
X=X SHR 1, IF carry THEN Out=LOW, X=X XOR 6000h ELSE Out=HIGH |
Bit0-15 Initial PCM16 Value (Pcm16bit = -7FFFh..+7FFF) (not -8000h) Bit16-22 Initial Table Index Value (Index = 0..88) Bit23-31 Not used (zero) |
Diff = ((Data4bit AND 7)*2+1)*AdpcmTable[Index]/8 ;see rounding-error IF (Data4bit AND 8)=0 THEN Pcm16bit = Max(Pcm16bit+Diff,+7FFFh) IF (Data4bit AND 8)=8 THEN Pcm16bit = Min(Pcm16bit-Diff,-7FFFh) Index = MinMax (Index+IndexTable[Data4bit AND 7],0,88) |
Diff = AdpcmTable[Index]/8 IF (data4bit AND 1) THEN Diff = Diff + AdpcmTable[Index]/4 IF (data4bit AND 2) THEN Diff = Diff + AdpcmTable[Index]/2 IF (data4bit AND 4) THEN Diff = Diff + AdpcmTable[Index]/1 |
Max(+7FFFh) leaves -8000h unclipped (can happen if initial PCM16 was -8000h) Min(-7FFFh) clips -8000h to -7FFFh (possibly unlike windows .WAV files?) |
0007h,0008h,0009h,000Ah,000Bh,000Ch,000Dh,000Eh,0010h,0011h,0013h,0015h 0017h,0019h,001Ch,001Fh,0022h,0025h,0029h,002Dh,0032h,0037h,003Ch,0042h 0049h,0050h,0058h,0061h,006Bh,0076h,0082h,008Fh,009Dh,00ADh,00BEh,00D1h 00E6h,00FDh,0117h,0133h,0151h,0173h,0198h,01C1h,01EEh,0220h,0256h,0292h 02D4h,031Ch,036Ch,03C3h,0424h,048Eh,0502h,0583h,0610h,06ABh,0756h,0812h 08E0h,09C3h,0ABDh,0BD0h,0CFFh,0E4Ch,0FBAh,114Ch,1307h,14EEh,1706h,1954h 1BDCh,1EA5h,21B6h,2515h,28CAh,2CDFh,315Bh,364Bh,3BB9h,41B2h,4844h,4F7Eh 5771h,602Fh,69CEh,7462h,7FFFh |
X=000776d2h, FOR I=0 TO 88, Table[I]=X SHR 16, X=X+(X/10), NEXT I Table[3]=000Ah, Table[4]=000Bh, Table[88]=7FFFh, Table[89..127]=0000h |
| DS System and Built-in Peripherals |
| DS DMA Transfers |
0 Start Immediately 1 Start at V-Blank 2 Start at H-Blank (paused during V-Blank) 3 Synchronize to start of display 4 Main memory display 5 DS Cartridge Slot 6 GBA Cartridge Slot 7 Geometry Command FIFO |
0 Start Immediately 1 Start at V-Blank 2 DS Cartridge Slot 3 DMA0/DMA2: Wireless interrupt, DMA1/DMA3: GBA Cartridge Slot |
Bit0-31 Filldata |
| DS Timers |
| DS Interrupts |
0 Disable all interrupts (0=Disable All, 1=See IE register) 1-31 Not used |
0 LCD V-Blank 1 LCD H-Blank 2 LCD V-Counter Match 3 Timer 0 Overflow 4 Timer 1 Overflow 5 Timer 2 Overflow 6 Timer 3 Overflow 7 NDS7 only: SIO/RCNT/RTC (Real Time Clock) 8 DMA 0 9 DMA 1 10 DMA 2 11 DMA 3 12 Keypad 13 GBA-Slot (external IRQ source) / DSi: None such 14 Not used / DSi9: NDS-Slot Card change? 15 Not used / DSi: dito for 2nd NDS-Slot? 16 IPC Sync 17 IPC Send FIFO Empty 18 IPC Recv FIFO Not Empty 19 NDS-Slot Game Card Data Transfer Completion 20 NDS-Slot Game Card IREQ_MC 21 NDS9 only: Geometry Command FIFO 22 NDS7 only: Screens unfolding 23 NDS7 only: SPI bus 24 NDS7 only: Wifi / DSi9: XpertTeak DSP 25 Not used / DSi9: Camera 26 Not used / DSi9: Undoc, IF.26 set on FFh-filling 40021Axh 27 Not used / DSi: Maybe IREQ_MC for 2nd gamecard? 28 Not used / DSi: NewDMA0 29 Not used / DSi: NewDMA1 30 Not used / DSi: NewDMA2 31 Not used / DSi: NewDMA3 ? DSi7: any further new IRQs on ARM7 side... in bit13-15,21,25-26? |
0 DSi7: GPIO18[0] ;\ 1 DSi7: GPIO18[1] ; maybe 1.8V signals? 2 DSi7: GPIO18[2] ;/ 3 DSi7: Unused (0) 4 DSi7: GPIO33[0] unknown (related to "GPIO330" testpoint on mainboard?) 5 DSi7: GPIO33[1] Headphone connect (HP#SP) (static state) 6 DSi7: GPIO33[2] Powerbutton interrupt (short pulse upon key-down) 7 DSi7: GPIO33[3] sound enable output (ie. not a useful irq-input) 8 DSi7: SD/MMC Controller ;-Onboard eMMC and External SD Slot 9 DSi7: SD Slot Data1 pin ;-For SDIO hardware in External SD Slot 10 DSi7: SDIO Controller ;\Atheros Wifi Unit 11 DSi7: SDIO Data1 pin ;/ 12 DSi7: AES interrupt 13 DSi7: I2C interrupt 14 DSi7: Microphone Extended interrupt 15-31 DSi7: Unused (0) |
Bit 0-31 Pointer to IRQ Handler |
Bit 0-31 IRQ Flags (same format as IE/IF registers) |
| DS Maths |
0-1 Division Mode (0-2=See below) (3=Reserved; same as Mode 1) 2-13 Not used 14 Division by zero (0=Okay, 1=Division by zero error; 64bit Denom=0) 15 Busy (0=Ready, 1=Busy) (Execution time see below) 16-31 Not used |
Mode Numer / Denom = Result, Remainder ; Cycles 0 32bit / 32bit = 32bit , 32bit ; 18 clks 1 64bit / 32bit = 64bit , 32bit ; 34 clks 2 64bit / 64bit = 64bit , 64bit ; 34 clks |
DIV0 --> REMAIN=NUMER, RESULT=+/-1 (with sign opposite of NUMER) -MAX/-1 --> RESULT=-MAX (instead +MAX) |
0 Mode (0=32bit input, 1=64bit input) 1-14 Not used 15 Busy (0=Ready, 1=Busy) (Execution time is 13 clks, in either Mode) 16-31 Not used |
| DS Inter Process Communication (IPC) |
Bit Dir Expl. 0-3 R Data input from IPCSYNC Bit8-11 of remote CPU (00h..0Fh) 4-7 - Not used 8-11 R/W Data output to IPCSYNC Bit0-3 of remote CPU (00h..0Fh) 12 - Not used 13 W Send IRQ to remote CPU (0=None, 1=Send IRQ) 14 R/W Enable IRQ from remote CPU (0=Disable, 1=Enable) 15-31 - Not used |
Bit Dir Expl. 0 R Send Fifo Empty Status (0=Not Empty, 1=Empty) 1 R Send Fifo Full Status (0=Not Full, 1=Full) 2 R/W Send Fifo Empty IRQ (0=Disable, 1=Enable) 3 W Send Fifo Clear (0=Nothing, 1=Flush Send Fifo) 4-7 - Not used 8 R Receive Fifo Empty (0=Not Empty, 1=Empty) 9 R Receive Fifo Full (0=Not Full, 1=Full) 10 R/W Receive Fifo Not Empty IRQ (0=Disable, 1=Enable) 11-13 - Not used 14 R/W Error, Read Empty/Send Full (0=No Error, 1=Error/Acknowledge) 15 R/W Enable Send/Receive Fifo (0=Disable, 1=Enable) 16-31 - Not used |
Bit0-31 Send Fifo Data (max 16 words; 64bytes) |
Bit0-31 Receive Fifo Data (max 16 words; 64bytes) |
| DS Keypad |
0 Button X (0=Pressed, 1=Released) 1 Button Y (0=Pressed, 1=Released) 3 DEBUG button (0=Pressed, 1=Released/None such) 6 Pen down (0=Pressed, 1=Released/Disabled) (always 0 in DSi mode) 7 Hinge/folded (0=Open, 1=Closed) 2,4,5 Unknown / set 8..15 Unknown / zero |
| DS Absent Link Port |
NDS7 4000128h SIOCNT Bit15 "CKUP" New Bit in NORMAL/MULTI/UART mode (R/W) NDS7 4000128h SIOCNT Bit14 "N/A" Removed IRQ Bit in UART mode (?) NDS7 400012Ah SIOCNT_H Bit14 "TFEMP" New Bit (R/W) NDS7 400012Ah SIOCNT_H Bit15 "RFFUL" New Bit (always zero?) NDS7 400012Ch SIOSEL Bit0 "SEL" New Bit (always zero?) NDS7 4000140h JOYCNT Bit7 "MOD" New Bit (R/W) |
NDS9 4000120h SIODATA32 Bit0-31 Data (always zero?) NDS9 4000128h SIOCNT Bit2 "TRECV" New Bit (always zero?) NDS9 4000128h SIOCNT Bit3 "TSEND" New Bit (always zero?) NDS9 400012Ch SIOSEL Bit0 "SEL" New Bit (always zero?) |
| DS Real-Time Clock (RTC) |
Bit Expl. 0 Data I/O (0=Low, 1=High) 1 Clock Out (0=Low, 1=High) 2 Select Out (0=Low, 1=High/Select) 4 Data Direction (0=Read, 1=Write) 5 Clock Direction (should be 1=Write) 6 Select Direction (should be 1=Write) 3,8-11 Unused I/O Lines 7,12-15 Direction for Bit3,8-11 (usually 0) 16-31 Not used |
Init CS=LOW and /SCK=HIGH, and wait at least 1us Switch CS=HIGH, and wait at least 1us Send the Command byte (see bit-transfer below) Send/receive Parameter byte(s) associated with the command (see below) Switch CS to LOW |
Output /SCK=LOW and SIO=databit (when writing), then wait at least 5us Output /SCK=HIGH, wait at least 5us, then read SIO=databit (when reading) In either direction, data is output on (or immediately after) falling edge. |
Command Register
Fwd Rev
0 7 Fixed Code (must be 0)
1 6 Fixed Code (must be 1)
2 5 Fixed Code (must be 1)
3 4 Fixed Code (must be 0, or, DSi only: 1=Extended Command)
4-6 3-1 Command
Fwd Rev Parameter bytes (read/write access)
0 0 1 byte, status register 1
4 1 1 byte, status register 2
2 2 7 bytes, date & time (year,month,day,day_of_week,hh,mm,ss)
6 3 3 bytes, time (hh,mm,ss)
1* 4* 1 byte, int1, frequency duty setting
1* 4* 3 bytes, int1, alarm time 1 (day_of_week, hour, minute)
5 5 3 bytes, int2, alarm time 2 (day_of_week, hour, minute)
3 6 1 byte, clock adjustment register
7 7 1 byte, free register
Extended command (when above "fourth bit" was set, DSi only)
Fwd Rev Parameter bytes (read/write access)
0 0 3 byte, up counter (msw,mid,lsw) (read only)
4 1 1 byte, FOUT register setting 1
2 2 1 byte, FOUT register setting 2
6 3 reserved
1 4 3 bytes, alarm date 1 (year,month,day)
5 5 3 bytes, alarm date 2 (year,month,day)
3 6 reserved
7 7 reserved
7 0 Parameter Read/Write Access (0=Write, 1=Read)
|
Status Register 1
0 W Reset (0=Normal, 1=Reset)
1 R/W 12/24 hour mode (0=12 hour, 1=24 hour)
2-3 R/W General purpose bits
4 R Interrupt 1 Flag (1=Yes) ;auto-cleared on read
5 R Interrupt 2 Flag (1=Yes) ;auto-cleared on read
6 R Power Low Flag (0=Normal, 1=Power is/was low) ;auto-cleared on read
7 R Power Off Flag (0=Normal, 1=Power was off) ;auto-cleared on read
Power off indicates that the battery was removed or fully discharged,
all registers are reset to 00h (or 01h), and must be re-initialized.
Status Register 2
0-3 R/W INT1 Mode/Enable
0000b Disable
0x01b Selected Frequency steady interrupt
0x10b Per-minute edge interrupt
0011b Per-minute steady interrupt 1 (duty 30.0 seconds)
0100b Alarm 1 interrupt
0111b Per-minute steady interrupt 2 (duty 0.0079 seconds)
1xxxb 32kHz output
4-5 R/W General purpose bits
6 R/W INT2 Enable
0b Disable
1b Alarm 2 interrupt
7 R/W Test Mode (0=Normal, 1=Test, don't use) (cleared on Reset)
Clock Adjustment Register (to compensate oscillator inaccuracy)
0-7 R/W Adjustment (00h=Normal, no adjustment)
Free Register
0-7 R/W General purpose bits
|
Year Register
0-7 R/W Year (BCD 00h..99h = 2000..2099)
Month Register
0-4 R/W Month (BCD 01h..12h = January..December)
5-7 - Not used (always zero)
Day Register
0-5 R/W Day (BCD 01h..28h,29h,30h,31h, range depending on month/year)
6-7 - Not used (always zero)
Day of Week Register (septenary counter)
0-2 R/W Day of Week (00h..06h, custom assignment, usually 0=Monday?)
3-7 - Not used (always zero)
|
Hour Register
0-5 R/W Hour (BCD 00h..23h in 24h mode, or 00h..11h in 12h mode)
6 * AM/PM (0=AM before noon, 1=PM after noon)
* 24h mode: AM/PM flag is read only (PM=1 if hour = 12h..23h)
* 12h mode: AM/PM flag is read/write-able
* 12h mode: Observe that 12 o'clock is defined as 00h (not 12h)
7 - Not used (always zero)
Minute Register
0-6 R/W Minute (BCD 00h..59h)
7 - Not used (always zero)
Second Register
0-6 R/W Minute (BCD 00h..59h)
7 - Not used (always zero)
|
Alarm1 and Alarm2 Day of Week Registers (INT1 and INT2 each)
0-2 R/W Day of Week (00h..06h)
3-6 - Not used (always zero)
7 R/W Compare Enable (0=Alarm every day, 1=Alarm only at specified day)
Alarm1 and Alarm2 Hour Registers (INT1 and INT2 each)
0-5 R/W Hour (BCD 00h..23h in 24h mode, or 00h..11h in 12h mode)
6 R/W AM/PM (0=AM, 1=PM) (must be correct even in 24h mode?)
7 R/W Compare Enable (0=Alarm every hour, 1=Alarm only at specified hour)
Alarm1 and Alarm2 Minute Registers (INT1 and INT2 each)
0-6 R/W Minute (BCD 00h..59h)
7 R/W Compare Enable (0=Alarm every min, 1=Alarm only at specified min)
Selected Frequency Steady Interrupt Register (INT1 only) (when Stat2/Bit2=0)
0 R/W Enable 1Hz Frequency (0=Disable, 1=Enable)
1 R/W Enable 2Hz Frequency (0=Disable, 1=Enable)
2 R/W Enable 4Hz Frequency (0=Disable, 1=Enable)
3 R/W Enable 8Hz Frequency (0=Disable, 1=Enable)
4 R/W Enable 16Hz Frequency (0=Disable, 1=Enable)
The signals are ANDed when two or more frequencies are enabled,
ie. the /INT signal gets LOW when either of the signals is LOW.
5-7 R/W General purpose bits
|
Up Counter Msw
0-7 R Up Counter bit16-23 (non-BCD, 00h..FFh)
Up Counter Mid
0-7 R Up Counter bit8-15 (non-BCD, 00h..FFh)
Up Counter Lsw
0-7 R Up Counter bit0-7 (non-BCD, 00h..FFh)
|
Alarm 1 and Alarm 2 Year Register
0-7 R/W Year (BCD 00h..99h = 2000..2099)
Alarm 1 and Alarm 2 Month Register
0-4 R/W Month (BCD 01h..12h = January..December)
5 - Not used (always zero)
6 R/W Year Compare Enable (0=Ignore, 1=Enable)
7 R/W Month Compare Enable (0=Ignore, 1=Enable)
Alarm 1 and Alarm 2 Day Register
0-5 R/W Day (BCD 01h..28h,29h,30h,31h, range depending on month/year)
6 - Not used (always zero)
7 R/W Day Compare Enable (0=Ignore, 1=Enable)
|
FOUT Register Setting 1
0-7 R/W Enable bits (bit0=256Hz, bit1=512Hz, ..., bit7=32768Hz)
FOUT Register Setting 2
0-7 R/W Enable bits (bit0=1Hz, bit1=2Hz, ..., bit7=128Hz)
The above sixteen FOUT signals are ANDed when two or more frequencies are
enabled, ie. the FOUT signal gets LOW when either of the signals is LOW.
|
1 /INT 8 VDD 2 XOUT 7 SIO 3 XIN 6 /SCK 4 GND 5 CS |
| DS Serial Peripheral Interface Bus (SPI) |
0-1 Baudrate (0=4MHz/Firmware, 1=2MHz/Touchscr, 2=1MHz/Powerman., 3=512KHz) 2-6 Not used (Zero) 7 Busy Flag (0=Ready, 1=Busy) (presumably Read-only) 8-9 Device Select (0=Powerman., 1=Firmware, 2=Touchscr, 3=Reserved) 10 Transfer Size (0=8bit/Normal, 1=16bit/Bugged) 11 Chipselect Hold (0=Deselect after transfer, 1=Keep selected) 12-13 Not used (Zero) 14 Interrupt Request (0=Disable, 1=Enable) 15 SPI Bus Enable (0=Disable, 1=Enable) |
0-7 Data 8-15 Not used (always zero, even in bugged-16bit mode) |
| DS Touch Screen Controller (TSC) |
0-1 Power Down Mode Select 2 Reference Select (0=Differential, 1=Single-Ended) 3 Conversion Mode (0=12bit, max CLK=2MHz, 1=8bit, max CLK=3MHz) 4-6 Channel Select (0-7, see below) 7 Start Bit (Must be set to access Control Byte) |
0 Temperature 0 (requires calibration, step 2.1mV per 1'C accuracy) 1 Touchscreen Y-Position (somewhat 0B0h..F20h, or FFFh=released) 2 Battery Voltage (not used, connected to GND in NDS, always 000h) 3 Touchscreen Z1-Position (diagonal position for pressure measurement) 4 Touchscreen Z2-Position (diagonal position for pressure measurement) 5 Touchscreen X-Position (somewhat 100h..ED0h, or 000h=released) 6 AUX Input (connected to Microphone in the NDS) 7 Temperature 1 (difference to Temp 0, without calibration, 2'C accuracy) |
Mode /PENIRQ VREF ADC Recommended use 0 Enabled Auto Auto Differential Mode (Touchscreen, Penirq) 1 Disabled Off On Single-Ended Mode (Temperature, Microphone) 2 Enabled On Off Don't use 3 Disabled On On Don't use |
scr.x = (adc.x-adc.x1) * (scr.x2-scr.x1) / (adc.x2-adc.x1) + (scr.x1-1) scr.y = (adc.y-adc.y1) * (scr.y2-scr.y1) / (adc.y2-adc.y1) + (scr.y1-1) |
Rtouch = (Rx_plate*Xpos*(Z2pos/Z1pos-1))/4096 Rtouch = (Rx_plate*Xpos*(4096/Z1pos-1)-Ry_plate*(1-Ypos))/4096 |
touchval = Xpos*(Z2pos/Z1pos-1) |
K = (CAL.TP0-ADC.TP0) * 0.4 + CAL.KELVIN |
K = (ADC.TP1-ADC.TP0) * 8568 / 4096 |
Celsius: C = (K-273.15) Fahrenheit: F = (K-273.15)*9/5+32 Reaumur: R = (K-273.15)*4/5 Rankine: X = (K)*9/5 |
________
VCC 1|o |16 DCLK
X+ 2| |15 /CS
Y+ 3| TSC |14 DIN
X- 4| 2046 |13 BUSY
Y- 5| |12 DOUT
GND 6| |11 /PENIRQ
VBAT 7| |10 IOVDD
AUX 8|________|9 VREF
|
| DS Power Management |
0 Enable Flag for both LCDs (0=Disable) (Prohibited, see notes) 1 2D Graphics Engine A (0=Disable) (Ports 008h-05Fh, Pal 5000000h) 2 3D Rendering Engine (0=Disable) (Ports 320h-3FFh) 3 3D Geometry Engine (0=Disable) (Ports 400h-6FFh) 4-8 Not used 9 2D Graphics Engine B (0=Disable) (Ports 1008h-105Fh, Pal 5000400h) 10-14 Not used 15 Display Swap (0=Send Display A to Lower Screen, 1=To Upper Screen) 16-31 Not used |
Bit Expl. 0 Sound Speakers (0=Disable, 1=Enable) (Initial setting = 1) 1 Wifi (0=Disable, 1=Enable) (Initial setting = 0) 2-31 Not used |
Bit Expl. 0-2 Wifi WS0 Control (0-7) (Ports 4800000h-4807FFFh) 3-5 Wifi WS1 Control (0-7) (Ports 4808000h-480FFFFh) 4-15 Not used (zero) |
Bit Expl. 0-5 Not used (zero) 6-7 Power Down Mode (0=No function, 1=Enter GBA Mode, 2=Halt, 3=Sleep) |
Bit Expl. 0 Post Boot Flag (0=Boot in progress, 1=Boot completed) 1 NDS7: Not used (always zero), NDS9: Bit1 is read-writeable 2-7 Not used (always zero) |
Index Register
Bit0-6 Register Select (0..3) (0..4 for DS-Lite) (0..7Fh for DSi)
Bit7 Register Direction (0=Write, 1=Read)
Register 0 - Powermanagement Control (R/W)
Bit0 Sound Amplifier Enable (0=Disable, 1=Enable)
(Old-DS: Disabled: Sound is very silent, but still audible)
(DS-Lite: Disabled: Sound is NOT audible)
(DSi in NDS Mode: R/W, but effect is unknown yet)
(DSi in DSi Mode: Not used, Bit0 is always 1)
Bit1 Sound Amplifier Mute (0=Normal, 1=Mute) (Old-DS Only, not DS-Lite)
(Old-DS: Muted: Sound is NOT audible, that works only if Bit0=1)
(DS-Lite: Not used, Bit1 is always zero)
(DSi in NDS Mode: R/W, but effect is unknown yet)
(DSi in DSi Mode: R/W, but effect is unknown yet)
Bit2 Lower Backlight (0=Disable, 1=Enable)
Bit3 Upper Backlight (0=Disable, 1=Enable)
Bit4 Power LED Blink Enable (0=Always ON, 1=Blinking OFF/ON)
Bit5 Power LED Blink Speed (0=Slow, 1=Fast) (only if Blink enabled)
(DSi: Power LED Blinking isn't supported, neither in NDS nor DSi mode)
Bit6 DS System Power (0=Normal, 1=Shut Down)
Bit7 Not used (always 0)
Register 1 - Battery Status (R)
Bit0 Battery Power LED Status (0=Power Good/Green, 1=Power Low/Red)
(DSi: Usually 0, not tested if it changes upon Power=Low)
Bit1-7 Not used
Register 2 - Microphone Amplifier Control (R/W)
Bit0 Amplifier (0=Disable, 1=Enable)
Bit1-7 Not used (always 0)
(DSi in NDS Mode: looks same as NDS, ie. only bit0 is R/W)
(DSi in DSi Mode: Not used, always FFh)
Register 3 - Microphone Amplifier Gain Control (R/W)
Bit0-1 Gain (0..3=Gain 20, 40, 80, 160)
Bit2-7 Not used (always 0)
(DSi in NDS Mode: looks same as NDS, ie. only bit0-1 are R/W)
(DSi in DSi Mode: Not used, always FFh)
Register 4 - DS-Lite and DSi Only - Backlight Levels/Power Source (R/W)
Bit0-1 Backlight Brightness (0..3=Low,Med,High,Max) (R/W)
(when bit2+3 are both set, then reading bit0-1 always returns 3)
Bit2 Force Max Brightness when Bit3=1 (0=No, 1=Yes) (R/W)
Bit3 External Power Present (0=No, 1=Yes) (Read-Only)
Bit4-7 Unknown (Always 4) (Read-Only)
(DSi in NDS Mode: looks same as in DSi mode)
(DSi in DSi Mode: Bit0-1 are R/W, but ignored, bit2-3 are always 0)
Register 10h - DSi Only - Backlight Mirrors & Reset (R/W)
Bit0 Reset (0=No, 1=Reboot DSi) (same/similar as BPTWL reset feature?)
Bit1 Unknown (R/W) (note: whatever it is, it isn't warmboot flag)
Bit2-3 Mirror of Register 0, bit2-3 (backlight enable bits) (R/W)
Bit4-7 Not used (always 0)
(This register works in NDS mode and DSi mode, though it's mainly intended
for NDS mode, eg. DS Download Play uses the Reset bit to return to DSi menu)
(note: writing bit2 seems to affect BOTH bit1 and bit2 in register 0)
|
| DS Main Memory Control |
LDRH R0,[27FFFFEh] ;read one value STRH R0,[27FFFFEh] ;write should be same value as above STRH R0,[27FFFFEh] ;write should be same value as above STRH R0,[27FFFFEh] ;write any value STRH R0,[27FFFFEh] ;write any value LDRH R0,[2400000h+CR*2] ;read, address-bits are defining new CR value |
Bit Expl.
0-6 Reserved (Must be 7Fh)
7 Write Control
0=WE Single Clock Pulse Control without Write Suspend Function
1=WE Level Control with Write Suspend Function)
Burst Read/Single Write is not supported at WE Single Clock Mode.
8 Reserved (Must be 1)
9 Valid Clock Edge (0=Falling Edge, 1=Rising Edge)
10 Single Write (0=Burst Read/Burst Write, 1=Burst Read/Single Write)
11 Burst Sequence (0=Reserved, 1=Sequential)
12-14 Read Latency (1=3 clocks, 2=4 clocks, 3=5 clocks, other=Reserved)
15 Mode
0=Synchronous: Burst Read, Burst Write
1=Asynchronous: Page Read, Normal Write
In Mode 1 (Async), only the Partial Size bits are used,
all other bits, CR bits 0..18, must be "1".
16-18 Burst Length (2=8 Words, 3=16Words, 7=Continous, other=Reserved)
19-20 Partial Size (0=1MB, 1=512KB, 2=Reserved, 3=Deep/0 bytes)
|
STRH 2000h,[4000204h] LDRH R0,[27FFFFEh] STRH R0,[27FFFFEh] STRH R0,[27FFFFEh] STRH FFDFh,[27FFFFEh] STRH E732h,[27FFFFEh] LDRH R0,[27E57FEh] STRH 6000h,[4000204h] |
| DS Backwards-compatible GBA-Mode |
--- NDS9: --- ZEROFILL VRAM A,B ;init black screen border (or other color/image) POWCNT=8003h ;enable 2D engine A on upper screen (0003h=lower) EXMEMCNT=... ;set Async Main Memory mode (clear bit14) IME=0 ;disable interrupts SWI 06h ;halt with interrupts disabled (lockdown) --- NDS7: --- POWERMAN.REG0=09h ;enable sound amplifier & upper backlight (05h=lower) IME=0 ;disable interrupts wait for VCOUNT=200 ;wait until VBlank SWI 1Fh with R2=40h ;enter GBA mode, by CustomHalt(40h) |
| DS Debug Registers (Emulator/Devkits) |
4FFFA00h..A0Fh R Emulation ID (16 bytes, eg. "no$gba v2.7", padded with 20h) 4FFFA10h W String Out (raw) 4FFFA14h W String Out (with %param's) 4FFFA18h W String Out (with %param's, plus linefeed) 4FFFA1Ch W Char Out (nocash) 4FFFA20h..A27h R Clock Cycles (64bit) 4FFFA28h..A3Fh - N/A |
4000640h (32bit) ;aka CLIPMTX_RESULT (mis-used to invoke detection) 4000006h (16bit) ;aka VCOUNT (mis-used to get detection result) 4FFF010h (32bit) ;use to initialize/unlock/reset something 4FFF000h (8bit) ;debug message character output (used when Ensata detected) |
[4000640h]=2468ACE0h ;CLIPMTX_RESULT (on real hardware it's read-only)
if ([4000006h] AND 1FFh)=10Eh ;VCOUNT (on real hardware it's 000h..106h)
[4FFF010h]=13579BDFh ;\initialize/reset something
[4FFF010h]=FDB97531h ;/
Ensata=true
else
Ensata=false
endif
|
| DS Cartridges, Encryption, Firmware |
| DS Cartridge Header |
Address Bytes Expl.
000h 12 Game Title (Uppercase ASCII, padded with 00h)
00Ch 4 Gamecode (Uppercase ASCII, NTR-<code>) (0=homebrew)
010h 2 Makercode (Uppercase ASCII, eg. "01"=Nintendo) (0=homebrew)
012h 1 Unitcode (00h=NDS, 02h=NDS+DSi, 03h=DSi) (bit1=DSi)
013h 1 Encryption Seed Select (00..07h, usually 00h)
014h 1 Devicecapacity (Chipsize = 128KB SHL nn) (eg. 7 = 16MB)
015h 7 Reserved (zero filled)
01Ch 1 Reserved (zero) (except, used on DSi)
01Dh 1 NDS Region (00h=Normal, 80h=China, 40h=Korea) (other on DSi)
01Eh 1 ROM Version (usually 00h)
01Fh 1 Autostart (Bit2: Skip "Press Button" after Health and Safety)
(Also skips bootmenu, even in Manual mode & even Start pressed)
020h 4 ARM9 rom_offset (4000h and up, align 1000h)
024h 4 ARM9 entry_address (2000000h..23BFE00h)
028h 4 ARM9 ram_address (2000000h..23BFE00h)
02Ch 4 ARM9 size (max 3BFE00h) (3839.5KB)
030h 4 ARM7 rom_offset (8000h and up)
034h 4 ARM7 entry_address (2000000h..23BFE00h, or 37F8000h..3807E00h)
038h 4 ARM7 ram_address (2000000h..23BFE00h, or 37F8000h..3807E00h)
03Ch 4 ARM7 size (max 3BFE00h, or FE00h) (3839.5KB, 63.5KB)
040h 4 File Name Table (FNT) offset
044h 4 File Name Table (FNT) size
048h 4 File Allocation Table (FAT) offset
04Ch 4 File Allocation Table (FAT) size
050h 4 File ARM9 overlay_offset
054h 4 File ARM9 overlay_size
058h 4 File ARM7 overlay_offset
05Ch 4 File ARM7 overlay_size
060h 4 Port 40001A4h setting for normal commands (usually 00586000h)
064h 4 Port 40001A4h setting for KEY1 commands (usually 001808F8h)
068h 4 Icon/Title offset (0=None) (8000h and up)
06Ch 2 Secure Area Checksum, CRC-16 of [[020h]..00007FFFh]
06Eh 2 Secure Area Delay (in 131kHz units) (051Eh=10ms or 0D7Eh=26ms)
070h 4 ARM9 Auto Load List Hook RAM Address (?) ;\endaddr of auto-load
074h 4 ARM7 Auto Load List Hook RAM Address (?) ;/functions
078h 8 Secure Area Disable (by encrypted "NmMdOnly") (usually zero)
080h 4 Total Used ROM size (remaining/unused bytes usually FFh-padded)
084h 4 ROM Header Size (4000h)
088h 28h Reserved (zero filled; except, [88h..93h] used on DSi)
0B0h 10h Reserved (zero filled; or "DoNotZeroFillMem"=unlaunch fastboot)
0C0h 9Ch Nintendo Logo (compressed bitmap, same as in GBA Headers)
15Ch 2 Nintendo Logo Checksum, CRC-16 of [0C0h-15Bh], fixed CF56h
15Eh 2 Header Checksum, CRC-16 of [000h-15Dh]
160h 4 Debug rom_offset (0=none) (8000h and up) ;only if debug
164h 4 Debug size (0=none) (max 3BFE00h) ;version with
168h 4 Debug ram_address (0=none) (2400000h..27BFE00h) ;SIO and 8MB
16Ch 4 Reserved (zero filled) (transferred, and stored, but not used)
170h 90h Reserved (zero filled) (transferred, but not stored in RAM)
|
Delay,Cmd |
Cmd,Delay,Cmd ;for 2x repeat Cmd,Delay,Cmd,Cmd,Cmd,Cmd,Cmd,Cmd,Cmd,Cmd ;for 9x repeat |
U Unique Code (usually "A", "B", "C", or special meaning) TT Short Title (eg. "PM" for Pac Man) D Destination/Language (usually "J" or "E" or "P" or specific language) |
A NDS common games B NDS common games C NDS common games D DSi-exclusive games H DSiWare (system utilities and browser) (eg. HNGP=browser) I NDS and DSi-enhanced games with built-in Infrared port K DSiWare (dsiware games and flipnote) (eg. KGUV=flipnote) N NDS nintendo channel demo's japan (NTR-NTRJ-JPN) T NDS many games U NDS utilities, educational games, or uncommon extra hardware? V DSi-enhanced games Y NDS many games |
Usually an abbreviation of the game title (eg. "PM" for "Pac Man") (unless that gamecode was already used for another game, then TT is just random) |
A Asian E English/USA I Italian M Swedish Q Danish U Australian B N/A F French J Japanese N Nor R Russian V EUR+AUS C Chinese G N/A K Korean O Int S Spanish W..Z Europe #3..5 D German H Dutch L USA #2 P Europe T USA+AUS |
| DS Cartridge Secure Area |
Value Expl. "encryObj" raw ID before encryption (raw ROM-image) (encrypted) encrypted ID after encryption (encrypted ROM-image) "encryObj" raw ID after decryption (verified by BIOS boot code) E7FFDEFFh,E7FFDEFFh destroyed ID (overwritten by BIOS after verify) |
000h..007h Secure Area ID (see above) 008h..00Dh Fixed (FFh,DEh,FFh,E7h,FFh,DEh) 00Eh..00Fh CRC16 across following 7E0h bytes, ie. [010h..7FFh] 010h..7FDh Unknown/random values, mixed with some THUMB SWI calls 7FEh..7FFh Fixed (00h,00h) |
| DS Cartridge Icon/Title |
0000h 2 Version (0001h, 0002h, 0003h, or 0103h)
0002h 2 CRC16 across entries 0020h..083Fh (all versions)
0004h 2 CRC16 across entries 0020h..093Fh (Version 0002h and up)
0006h 2 CRC16 across entries 0020h..0A3Fh (Version 0003h and up)
0008h 2 CRC16 across entries 1240h..23BFh (Version 0103h and up)
000Ah 16h Reserved (zero-filled)
0020h 200h Icon Bitmap (32x32 pix) (4x4 tiles, 4bit depth) (4x8 bytes/tile)
0220h 20h Icon Palette (16 colors, 16bit, range 0000h-7FFFh)
(Color 0 is transparent, so the 1st palette entry is ignored)
0240h 100h Title 0 Japanese (128 characters, 16bit Unicode)
0340h 100h Title 1 English ("")
0440h 100h Title 2 French ("")
0540h 100h Title 3 German ("")
0640h 100h Title 4 Italian ("")
0740h 100h Title 5 Spanish ("")
0840h 100h Title 6 Chinese ("") (Version 0002h and up)
0940h 100h Title 7 Korean ("") (Version 0003h and up)
0A40h 800h Zerofilled (probably reserved for Title 8..15)
|
1240h 1000h Icon Animation Bitmap 0..7 (200h bytes each, format as above) 2240h 100h Icon Animation Palette 0..7 (20h bytes each, format as above) 2340h 80h Icon Animation Sequence (16bit tokens) |
0840h 1C0h Unused/padding (FFh-filled) in Version 0001h 0940h C0h Unused/padding (FFh-filled) in Version 0002h 23C0h 40h Unused/padding (FFh-filled) in Version 0103h |
0001h = Original 0002h = With Chinese Title 0003h = With Chinese+Korean Titles 0103h = With Chinese+Korean Titles and animated DSi icon |
15 Flip Vertically (0=No, 1=Yes) 14 Flip Horizontally (0=No, 1=Yes) 13-11 Palette Index (0..7) 10-8 Bitmap Index (0..7) 7-0 Frame Duration (01h..FFh) (in 60Hz units) |
0000h 2 Version (0103h) 0002h 6 Reserved (zero-filled) 0008h 2 CRC16 across entries 0020h..119Fh (with initial value FFFFh) 000Ah 16h Reserved (zero-filled) 0020h 1000h Icon Animation Bitmap 0..7 (200h bytes each) ;\same format as 1020h 100h Icon Animation Palette 0..7 (20h bytes each) ; in Icon/Title 1120h 80h Icon Animation Sequence (16bit tokens) ;/ 11A0h 2E60h Garbage (random values, maybe due to eMMC decryption) |
| DS Cartridge Protocol |
0000000h-0000FFFh Header (unencrypted) 0001000h-0003FFFh Not read-able (zero filled in ROM-images) 0004000h-0007FFFh Secure Area, 16KBytes (first 2Kbytes with extra encryption) 0008000h-... Main Data Area |
XX00000h XX02FFFh DSi Not read-able (XX00000h=first megabyte after NDS area) XX03000h-XX06FFFh DSi ARM9i Secure Area (usually with modcrypt encryption) XX07000h-... DSi Main Data Area |
Command/Params Expl. Cmd Reply Len -- Unencrypted Load -- 9F00000000000000h Dummy (read HIGH-Z bytes) RAW RAW 2000h 0000000000000000h Get Cartridge Header RAW RAW 200h DSi:1000h 9000000000000000h 1st Get ROM Chip ID RAW RAW 4 00aaaaaaaa000000h Unencrypted Data (debug ver only) RAW RAW 200h 3Ciiijjjxkkkkkxxh Activate KEY1 Encryption Mode RAW RAW 0 -- Secure Area Load -- 4llllmmmnnnkkkkkh Activate KEY2 Encryption Mode KEY1 FIX 910h+0 1lllliiijjjkkkkkh 2nd Get ROM Chip ID KEY1 KEY2 910h+4 xxxxxxxxxxxxxxxxh Invalid - Get KEY2 Stream XOR 00h KEY1 KEY2 910h+... 2bbbbiiijjjkkkkkh Get Secure Area Block (4Kbytes) KEY1 KEY2 910h+10A8h 6lllliiijjjkkkkkh Optional KEY2 Disable KEY1 KEY2 910h+? Alllliiijjjkkkkkh Enter Main Data Mode KEY1 KEY2 910h+0 -- Main Data Load -- B7aaaaaaaa000000h Encrypted Data Read KEY2 KEY2 200h B800000000000000h 3rd Get ROM Chip ID KEY2 KEY2 4 xxxxxxxxxxxxxxxxh Invalid - Get KEY2 Stream XOR 00h KEY2 KEY2 ... B500000000000000h Whatever NAND related? KEY2 KEY2 0 D600000000000000h Whatever NAND related? KEY2 KEY2 4 |
aaaaaaaa 32bit ROM address (command B7 can access only 8000h and up) bbbb Secure Area Block number (0004h..0007h for addr 4000h..7000h) x,xx Random, not used in further commands (DSi: always zero) iii,jjj,llll Random, must be SAME value in further commands kkkkk Random, must be INCREMENTED after FURTHER commands mmm,nnn Random, used as KEY2-encryption seed |
1st byte - Manufacturer (eg. C2h=Macronix) (roughly based on JEDEC IDs) 2nd byte - Chip size (00h..7Fh: (N+1)Mbytes, F0h..FFh: (100h-N)*256Mbytes?) 3rd byte - Flags (see below) 4th byte - Flags (see below) |
0 Maybe Infrared flag? (in case ROM does contain on-chip infrared stuff) 1 Unknown (set in some 3DS carts) 2-7 Zero |
0-2 Zero 3 Seems to be NAND flag (0=ROM, 1=NAND) (observed in only ONE cartridge) 4 3DS Flag (0=NDS/DSi, 1=3DS) 5 Zero ... set in ... DSi-exclusive games? 6 DSi flag (0=NDS/3DS, 1=DSi) 7 Cart Protocol Variant (0=older/smaller carts, 1=newer/bigger carts) |
C2h,07h,00h,00h NDS Macronix 8MB ROM (eg. DS Vision) AEh,0Fh,00h,00h NDS Noname 16MB ROM (eg. Meine Tierarztpraxis) C2h,0Fh,00h,00h NDS Macronix 16MB ROM (eg. Metroid Demo) C2h,1Fh,00h,00h NDS Macronix 32MB ROM (eg. Over the Hedge) C2h,1Fh,00h,40h DSi Macronix 32MB ROM (eg. Art Academy, TWL-VAAV, SystemFlaw) 80h,3Fh,01h,E0h ? 64MB ROM+Infrared (eg. Walk with Me, NTR-IMWP) AEh,3Fh,00h,E0h DSi Noname 64MB ROM (eg. de Blob 2, TWL-VD2V) C2h,3Fh,00h,00h NDS Macronix 64MB ROM (eg. Ultimate Spiderman) C2h,3Fh,00h,40h DSi Macronix 64MB ROM (eg. Crime Lab, NTR-VAOP) 80h,7Fh,00h,80h NDS SanDisk 128MB ROM (DS Zelda, NTR-AZEP-0) 80h,7Fh,01h,E0h ? 128MB ROM+Infrared? (P-letter Soul Silver, IPGE) C2h,7Fh,00h,80h NDS Macronix 128MB ROM (eg. Spirit Tracks, NTR-BKIP) C2h,7Fh,00h,C0h DSi Macronix 128MB ROM (eg. Cooking Coach/TWL-VCKE) ECh,7Fh,00h,88h NDS Samsung 128MB NAND (eg. Warioware D.I.Y.) ECh,7Fh,01h,88h NDS Samsung? 128MB NAND+What? (eg. Jam with the Band, UXBP) ECh,7Fh,00h,E8h DSi Samsung? 128MB NAND (eg. Face Training, USKV) 80h,FFh,80h,E0h NDS 256MB ROM (Kingdom Hearts - Re-Coded, NTR-BK9P) C2h,FFh,01h,C0h DSi Macronix 256MB ROM+Infrared? (eg. P-Letter White) C2h,FFh,00h,80h NDS Macronix 256MB ROM (eg. Band Hero, NTR-BGHP) C2h,FEh,01h,C0h DSi Macronix 512MB ROM+Infrared? (eg. P-Letter White 2) C2h,FEh,00h,90h 3DS Macronix probably 512MB? ROM (eg. Sims 3) 45h,FAh,00h,90h 3DS SunDisk? maybe... 1.5GB? ROM (eg. Starfox) C2h,F8h,00h,90h 3DS Macronix maybe... 2GB? ROM (eg. Kid Icarus) C2h,7Fh,00h,90h 3DS Macronix 128MB ROM CTR-P-AENJ MMinna no Ennichi C2h,FFh,00h,90h 3DS Macronix 256MB ROM CTR-P-AFSJ Pro Yakyuu Famista 2011 C2h,FEh,00h,90h 3DS Macronix 512MB ROM CTR-P-AFAJ Real 3D Bass FishingFishOn C2h,FAh,00h,90h 3DS Macronix 1GB ROM CTR-P-ASUJ Hana to Ikimono Rittai Zukan C2h,FAh,02h,90h 3DS Macronix 1GB ROM CTR-P-AGGW Luigis Mansion 2 ASiA CHT C2h,F8h,00h,90h 3DS Macronix 2GB ROM CTR-P-ACFJ Castlevania - Lords of Shadow C2h,F8h,02h,90h 3DS Macronix 2GB ROM CTR-P-AH4J Monster Hunter 4 AEh,FAh,00h,90h 3DS 1GB ROM CTR-P-AGKJ Gyakuten Saiban 5 AEh,FAh,00h,98h 3DS 1GB NAND CTR-P-EGDJ Tobidase Doubutsu no Mori 45h,FAh,00h,90h 3DS 1GB ROM CTR-P-AFLJ Fantasy Life 45h,F8h,00h,90h 3DS 2GB ROM CTR-P-AVHJ Senran Kagura Burst - Guren C2h,F0h,00h,90h 3DS Macronix 4GB ROM CTR-P-ABRJ Biohazard Revelations FFh,FFh,FFh,FFh None (no cartridge inserted) |
1) Command 2bbbbiiijjjkkkkkh loads ARM9i secure area (instead of ARM9 area) 2) Command B7aaaaaaaa000000h allows to read the 'whole' cartridge space |
1) Chip ID.Bit31=0 Used by older/smaller carts with up to 64MB ROM 2) Chip ID.Bit31=1 Used by newer/bigger carts with 64MB or more ROM |
| DS Cartridge Backup |
Type Total Size Page Size Chip/Example Game/Example EEPROM 0.5K bytes 16 bytes ST M95040-W (eg. Metroid Demo) EEPROM 8K bytes 32 bytes ST M95640-W (eg. Super Mario DS) EEPROM 64K bytes 128 bytes ST M95512-W (eg. Downhill Jam) FLASH 256K bytes 256 bytes ST M45PE20 (eg. Skateland) FLASH 256K bytes Sanyo LE25FW203T (eg. Mariokart) FLASH 512K bytes 256 bytes ST M25PE40? (eg. which/any games?) FLASH 512K bytes ST 45PE40V6 (eg. DS Zelda, NTR-AZEP-0) FLASH 1024K bytes ST 45PE80V6 (eg. Spirit Tracks, NTR-BKIP) FLASH 8192K bytes MX25L6445EZNI-10G (Art Academy only, TWL-VAAV) FRAM 8K bytes No limit ? (eg. which/any games?) FRAM 32K bytes No limit Ramtron FM25L256? (eg. which/any games?) |
Type Max Writes per Page Data Retention EEPROM 100,000 40 years FLASH 100,000 20 years FRAM No limit 10 years |
06h WREN Write Enable Cmd, no parameters 04h WRDI Write Disable Cmd, no parameters 05h RDSR Read Status Register Cmd, read repeated status value(s) 01h WRSR Write Status Register Cmd, write one-byte value 9Fh RDID Read JEDEC ID (not supported on EEPROM/FLASH, returns FFh-bytes) |
03h RDLO Read from Memory 000h-0FFh Cmd, addr lsb, read byte(s) 0Bh RDHI Read from Memory 100h-1FFh Cmd, addr lsb, read byte(s) 02h WRLO Write to Memory 000h-0FFh Cmd, addr lsb, write 1..MAX byte(s) 0Ah WRHI Write to Memory 100h-1FFh Cmd, addr lsb, write 1..MAX byte(s) |
03h RD Read from Memory Cmd, addr msb,lsb, read byte(s) 02h WR Write to Memory Cmd, addr msb,lsb, write 1..MAX byte(s) |
0 WIP Write in Progress (1=Busy) (Read only) (always 0 for FRAM chips) 1 WEL Write Enable Latch (1=Enable) (Read only, except by WREN,WRDI) 2-3 WP Write Protect (0=None, 1=Upper quarter, 2=Upper Half, 3=All memory) |
4-7 ONEs Not used (all four bits are always set to "1" each) |
4-6 ZERO Not used (all three bits are always set to "0" each) 7 SRWD Status Register Write Disable (0=Normal, 1=Lock) (Only if /W=LOW) |
RDSR RDID Type (bus-width) FFh, FFh,FFh,FFh None (none) F0h, FFh,FFh,FFh EEPROM (with 8+1bit address bus) 00h, FFh,FFh,FFh EEPROM/FRAM (with 16bit address bus) 00h, xxh,xxh,xxh FLASH (usually with 24bit address bus) |
Pin Name Expl. 1 /S Chip Select 2 Q Data Out 3 /W Write-Protect (not used in NDS, wired to VCC) 4 VSS Ground 5 D Data In 6 C Clock 7 /HOLD Transfer-pause (not used in NDS, wired to VCC) 8 VCC Supply 2.5 to 5.5V for M95xx0-W |
DS Vision (NDS cart with microSD slot... and maybe ALSO with EEPROM?)
Warioware D.I.Y. (uses a single NAND FLASH chip for both 'ROM' and 'SAVE')
(the warioware chip is marked "SAMSUNG 004, KLC2811ANB-P204, NTR-UORE-0")
(the warioware PCB is marked "DI X-7 C17-01")
and, a few games are said to have "Flash - 64 Mbit" save memory?
|
| DS Cartridge I/O Ports |
0-1 SPI Baudrate (0=4MHz/Default, 1=2MHz, 2=1MHz, 3=512KHz) 2-5 Not used (always zero) 6 SPI Hold Chipselect (0=Deselect after transfer, 1=Keep selected) 7 SPI Busy (0=Ready, 1=Busy) (presumably Read-only) 8-12 Not used (always zero) 13 NDS Slot Mode (0=Parallel/ROM, 1=Serial/SPI-Backup) 14 Transfer Ready IRQ (0=Disable, 1=Enable) (for ROM, not for AUXSPI) 15 NDS Slot Enable (0=Disable, 1=Enable) (for both ROM and AUXSPI) |
0-7 Data 8-15 Not used (always zero) |
Bit Expl. 0-12 KEY1 gap1 length (0-1FFFh) (forced min 08F8h by BIOS) (leading gap) 13 KEY2 encrypt data (0=Disable, 1=Enable KEY2 Encryption for Data) 14 "SE" Unknown? (usually same as Bit13) (does NOT affect timing?) 15 KEY2 Apply Seed (0=No change, 1=Apply Encryption Seed) (Write only) 16-21 KEY1 gap2 length (0-3Fh) (forced min 18h by BIOS) (200h-byte gap) 22 KEY2 encrypt cmd (0=Disable, 1=Enable KEY2 Encryption for Commands) 23 Data-Word Status (0=Busy, 1=Ready/DRQ) (Read-only) 24-26 Data Block size (0=None, 1..6=100h SHL (1..6) bytes, 7=4 bytes) 27 Transfer CLK rate (0=6.7MHz=33.51MHz/5, 1=4.2MHz=33.51MHz/8) 28 KEY1 Gap CLKs (0=Hold CLK High during gaps, 1=Output Dummy CLK Pulses) 29 RESB Release Reset (0=Reset, 1=Release) (cannot be cleared once set) 30 "WR" Unknown, maybe data-write? (usually 0) (read/write-able) 31 Block Start/Status (0=Ready, 1=Start/Busy) (IRQ See 40001A0h/Bit14) |
hdr[60h] hdr[64h] hdr[6Eh] 00586000h 001808F8h 051Eh ;older/faster MROM 00416657h 081808F8h 0D7Eh ;newer/slower 1T-ROM ? ? ? ;whatever NAND |
0-7 1st Command Byte (at 40001A8h) (eg. B7h) (MSB) 8-15 2nd Command Byte (at 40001A9h) (eg. addr bit 24-31) 16-23 3rd Command Byte (at 40001AAh) (eg. addr bit 16-23) 24-31 4th Command Byte (at 40001ABh) (eg. addr bit 8-15) (when aligned=even) 32-39 5th Command Byte (at 40001ACh) (eg. addr bit 0-7) (when aligned=00h) 40-47 6th Command Byte (at 40001ADh) (eg. 00h) 48-57 7th Command Byte (at 40001AEh) (eg. 00h) 56-63 8th Command Byte (at 40001AFh) (eg. 00h) (LSB) |
0-7 1st received Data Byte (at 4100010h) 8-15 2nd received Data Byte (at 4100011h) 16-23 3rd received Data Byte (at 4100012h) 24-31 4th received Data Byte (at 4100013h) |
For more info: |
| DS Cartridge NitroROM and NitroARC File Systems |
FNT = cart_hdr[040h] ;\origin as defined in ROM cartridge header FAT = cart_hdr[048h] ;/ IMG = 00000000h ;-origin at begin of ROM |
... ... Optional Header (eg. compression header, or RSA signature) 000h 4 Chunk Name "NARC" (Nitro Archive) ;\ 004h 2 Byte Order (FFFEh) ; 006h 2 Version (0100h) ; NARC 008h 4 File Size (from "NARC" ID to end of file) ; Header 00Ch 2 Chunk Size (0010h) ; 00Eh 2 Number of following chunks (0003h) ;/ 010h 4 Chunk Name "BTAF" (File Allocation Table Block) ;\ 014h 4 Chunk Size (including above chunk name) ; File 018h 2 Number of Files ; Allocation 01Ah 2 Reserved (0000h) ; Table 01Ch ... FAT (see below) ;/ ... 4 Chunk Name "BTNF" (File Name Table Block) ;\ ... 4 Chunk Size (including above chunk name) ; File Name ... ... FNT (see below) ; Table ... .. Padding for 4-byte alignment (FFh-filled, if any) ;/ ... 4 Chunk Name "GMIF" (File Image Block) ;\ ... 4 Chunk Size (including above chunk name) ; File Data ... ... IMG (File Data) ;/ |
Addr Size Expl. 00h 4 Start address (originated at IMG base) (0=Unused Entry) 04h 4 End address (Start+Len...-1?) (0=Unused Entry) |
Addr Size Expl. 00h 4 Offset to Sub-table (originated at FNT base) 04h 2 ID of first file in Sub-table (0000h..EFFFh) |
06h 2 Total Number of directories (1..4096) |
06h 2 ID of parent directory (F000h..FFFEh) |
Addr Size Expl.
00h 1 Type/Length
01h..7Fh File Entry (Length=1..127, without ID field)
81h..FFh Sub-Directory Entry (Length=1..127, plus ID field)
00h End of Sub-Table
80h Reserved
01h LEN File or Sub-Directory Name, case-sensitive, without any ending
zero, ASCII 20h..7Eh, except for characters \/?"<>*:;|
|
LEN+1 2 Sub-Directory ID (F001h..FFFFh) ;see FNT+(ID AND FFFh)*8 |
Addr Size Expl. 00h 4 Overlay ID 04h 4 RAM Address ;Point at which to load 08h 4 RAM Size ;Amount to load 0Ch 4 BSS Size ;Size of BSS data region 10h 4 Static initialiser start address 14h 4 Static initialiser end address 18h 4 File ID (0000h..EFFFh) 1Ch 4 Reserved (zero) |
| DS Cartridge PassMe/PassThrough |
Addr Siz Patch 004h 4 E59FF018h ;opcode LDR PC,[027FFE24h] at 27FFE04h 01Fh 1 04h ;set autostart bit 022h 1 01h ;set ARM9 rom offset to nn01nnnnh (above secure area) 024h 4 027FFE04h ;patch ARM9 entry address to endless loop 034h 4 080000C0h ;patch ARM7 entry address in GBA slot 15Eh 2 nnnnh ;adjust header crc16 |
0A0h GBA-style Title ("DSBooter")
0ACh GBA-style Gamecode ("PASS")
0C0h ARM7 Entrypoint (32bit ARM code)
|
| DS Cartridge GBA Slot |
NDS: Normal 32pin slot DS Lite: Short 32pin slot (GBA cards stick out) DSi: N/A (dropped support for GBA carts, and for DS-expansions) |
| DS Cart Rumble Pak |
VCC, GND, /WR, AD1, and IRQ (grounded) |
for i=0 to 0FFFh
if halfword[8000000h+i*2]<>(i and FFFDh) then <not_a_ds_rumble_pak>
next i
|
rumble_state = rumble_state xor 0002h halfword[8000000h]=rumble_state |
| DS Cart Slider with Rumble |
00h Product_ID (R) (03h) 01h Revision_ID (R) (10h=Rev. 1.0) (20h=Used in DS-option-pak) 02h Motion/Status Flags (R) 03h Delta_X (R) (signed 8bit) (automatically reset to 00h after reading) 04h Delta_Y (R) (signed 8bit) (automatically reset to 00h after reading) 05h SQUAL (R) (surface quality) (unsigned 8bit) 06h Average_Pixel (R) (unsigned 6bit, upper 2bit unused) 07h Maximum_Pixel (R) (unsigned 6bit, upper 2bit unused) 08h Reserved 09h Reserved 0Ah Configuration_bits (R/W) 0Bh Reserved 0Ch Data_Out_Lower (R) 0Dh Data_Out_Upper (R) 0Eh Shutter_Lower (R) 0Fh Shutter_Upper (R) 10h Frame_Period_Lower (R/W) 11h Frame_Period_Upper (R/W) |
7 Motion since last report or PD (0=None, 1=Motion occurred) 6 Reserved 5 LED Fault detected (0=No fault, 1=Fault detected) 4 Delta Y Overflow (0=No overflow, 1=Overflow occured) 3 Delta X Overflow (0=No overflow, 1=Overflow occured) 2 Reserved 1 Reserved 0 Resolution in counts per inch (0=400, 1=800) |
7 Reset Power up defaults (W) (0=No, 1=Reset)
6 LED Shutter Mode (0=LED always on, 1=LED only on when shutter is open)
5 Self Test (W) (0=No, 1=Perform all self tests)
4 Resolution in counts per inch (0=400, 1=800)
3 Dump 16x16 Pixel bitmap (0=No, 1=Dump via Data_Out ports)
2 Reserved
1 Reserved
0 Sleep Mode (0=Normal/Sleep after 1 second, 1=Always awake)
_______
|74273 |
/WR -----------------> |CLK | _____
AD1/SIO CLK ---------> |D1 Q1|--------------> CLK |74125|
AD2 power control ---> |D2 Q2|---> ____ | |
AD3/SIO DIR ---------> |D3 Q3|------+-|7400\________|/EN |
AD8 rumble on/off ---> |D? Q?|---> +-|____/ | |
AD0/SIO DTA ----+----> |D5 Q5|----------------------|A Y|--+--DTA
| |_______| |- - -| |
____ +-------------------------------------|Y A|--+
/RD ---|7400\______ ____ | |
/RD ---|____/ |7400\_____________________________|/EN |
A19 _______________|____/ |_____|
|
| DS Cart Expansion RAM |
Opera (8MB RAM) (official RAM expansion for Opera browser) EZ3/4/3-in-1 (8-16MB RAM, plus FLASH, plus rumble) Supercard (32MB) M3 (32MB) G6 (32MB) |
base=9000000h, size=800000h (8MB) unlock=1, lock=0 STRH [8240000h],lock/unlock |
base=8400000h, size=VAR (8MB..16MB) locking/unlocking/detection see below |
base=8000000h, size=1FFFFFEh (32MB minus last two bytes?) unlock=5 (RAM_RW), lock=3 (MEDIA) STRH [9FFFFFEh],A55Ah STRH [9FFFFFEh],A55Ah STRH [9FFFFFEh],lock/unlock STRH [9FFFFFEh],lock/unlock |
base=8000000h, size=2000000h (32MB) unlock=00400006h, lock=00400003h LDRH Rd,[8E00002h] LDRH Rd,[800000Eh] LDRH Rd,[8801FFCh] LDRH Rd,[800104Ah] LDRH Rd,[8800612h] LDRH Rd,[8000000h] LDRH Rd,[8801B66h] LDRH Rd,[8000000h+(lock/unlock)*2] LDRH Rd,[800080Eh] LDRH Rd,[8000000h] LDRH Rd,[80001E4h] LDRH Rd,[80001E4h] LDRH Rd,[8000188h] LDRH Rd,[8000188h] |
base=8000000h, size=2000000h (32MB) unlock=6, lock=3 LDRH Rd,[9000000h] LDRH Rd,[9FFFFE0h] LDRH Rd,[9FFFFECh] LDRH Rd,[9FFFFECh] LDRH Rd,[9FFFFECh] LDRH Rd,[9FFFFFCh] LDRH Rd,[9FFFFFCh] LDRH Rd,[9FFFFFCh] LDRH Rd,[9FFFF4Ah] LDRH Rd,[9FFFF4Ah] LDRH Rd,[9FFFF4Ah] LDRH Rd,[9200000h+(lock/unlock)*2] LDRH Rd,[9FFFFF0h] LDRH Rd,[9FFFFE8h] |
ez_ram_test: ;Based on DSLinux Amadeus' detection
ez_subfunc(9880000h,8000h) ;-SetRompage (OS mode)
ez_subfunc(9C40000h,1500h) ;-OpenNorWrite
[08400000h]=1234h ;\
if [08400000h]=1234h ; test writability at 8400000h
[8000000h]=4321h ; and non-writability at 8000000h
if [8000000h]<>4321h ;
return true ;/
ez_subfunc(9C40000h,D200h) ;CloseNorWrite
ez_subfunc(9880000h,0160h) ;SetRompage (0160h)
ez_subfunc(9C40000h,1500h) ;OpenNorWrite
[8400000h]=1234h ;\
if [8400000h]=1234h ; test writability at 8400000h
return true ;/
return false ;-failed
ez_subfunc(addr,data):
STRH [9FE0000h],D200h
STRH [8000000h],1500h
STRH [8020000h],D200h
STRH [8040000h],1500h
STRH [addr],data
STRH [9FC0000h],1500h
|
| DS Cart Unknown Extras |
| DS Cart Cheat Action Replay DS |
ABCD-NNNNNNNN Game ID ;ASCII Gamecode [00Ch] and CRC32 across [0..1FFh] 00000000 XXXXXXXX manual hook codes (rarely used) (default is auto hook) 0XXXXXXX YYYYYYYY word[XXXXXXX+offset] = YYYYYYYY 1XXXXXXX 0000YYYY half[XXXXXXX+offset] = YYYY 2XXXXXXX 000000YY byte[XXXXXXX+offset] = YY 3XXXXXXX YYYYYYYY IF YYYYYYYY > word[XXXXXXX] ;unsigned ;\ 4XXXXXXX YYYYYYYY IF YYYYYYYY < word[XXXXXXX] ;unsigned ; for v1.54, 5XXXXXXX YYYYYYYY IF YYYYYYYY = word[XXXXXXX] ; when X=0, 6XXXXXXX YYYYYYYY IF YYYYYYYY <> word[XXXXXXX] ; uses 7XXXXXXX ZZZZYYYY IF YYYY > ((not ZZZZ) AND half[XXXXXXX]) ; [offset] 8XXXXXXX ZZZZYYYY IF YYYY < ((not ZZZZ) AND half[XXXXXXX]) ; instead of 9XXXXXXX ZZZZYYYY IF YYYY = ((not ZZZZ) AND half[XXXXXXX]) ; [XXXXXXX] AXXXXXXX ZZZZYYYY IF YYYY <> ((not ZZZZ) AND half[XXXXXXX]) ;/ BXXXXXXX 00000000 offset = word[XXXXXXX+offset] C0000000 YYYYYYYY FOR loopcount=0 to YYYYYYYY ;execute Y+1 times C4000000 00000000 offset = address of the C4000000 code ;v1.54 C5000000 XXXXYYYY counter=counter+1, IF (counter AND YYYY) = XXXX ;v1.54 C6000000 XXXXXXXX [XXXXXXXX]=offset ;v1.54 D0000000 00000000 ENDIF D1000000 00000000 NEXT loopcount D2000000 00000000 NEXT loopcount, and then FLUSH everything D3000000 XXXXXXXX offset = XXXXXXXX D4000000 XXXXXXXX datareg = datareg + XXXXXXXX D5000000 XXXXXXXX datareg = XXXXXXXX D6000000 XXXXXXXX word[XXXXXXXX+offset]=datareg, offset=offset+4 D7000000 XXXXXXXX half[XXXXXXXX+offset]=datareg, offset=offset+2 D8000000 XXXXXXXX byte[XXXXXXXX+offset]=datareg, offset=offset+1 D9000000 XXXXXXXX datareg = word[XXXXXXXX+offset] DA000000 XXXXXXXX datareg = half[XXXXXXXX+offset] DB000000 XXXXXXXX datareg = byte[XXXXXXXX+offset] ;bugged on pre-v1.54 DC000000 XXXXXXXX offset = offset + XXXXXXXX EXXXXXXX YYYYYYYY Copy YYYYYYYY parameter bytes to [XXXXXXXX+offset...] 44332211 88776655 parameter bytes 1..8 for above code (example) 0000AA99 00000000 parameter bytes 9..10 for above code (padded with 00s) FXXXXXXX YYYYYYYY Copy YYYYYYYY bytes from [offset..] to [XXXXXXX...] |
1st: Address used prior to launching game (eg. 23xxxxxh) 2nd: Address to write the hook at (inside the ARM7 executable) 3rd: Hook final address (huh?) 4th: Hook mode selection (0=auto, 1=mode1, 2=mode2) 5th: Opcode that replaces the hooked one (eg. E51DE004h) 6th: Address to store important stuff (default 23FE000h) 7th: Address to store the code handler (default 23FE074h) 8th: Address to store the code list (default 23FE564h) 9th: Must be 1 (00000001h) |
| DS Cart Cheat Codebreaker DS |
---Initialization--- 0000CR16 GAMECODE Specify Game ID, use Encrypted codes 8000CR16 GAMECODE Specify Game ID, use Unencrypted codes BEEFC0DE XXXXXXXX Change Encryption Keys A0XXXXXX YYYYYYYY Bootup-Hook 1, X=Address, Y=Value A8XXXXXX YYYYYYYY Bootup-Hook 2, X=Address, Y=Value F0XXXXXX TYYYYYYY Code-Hook 1 (T=Type,Y=CheatEngineAddr,X=HookAddr) F8XXXXXX TPPPPPPP Code-Hook 2 (T=Type,X=CheatEngineHookAddr,P=Params) ---General codes--- 00XXXXXX 000000YY [X]=YY 10XXXXXX 0000YYYY [X]=YYYY 20XXXXXX YYYYYYYY [X]=YYYYYYYY 60XXXXXX 000000YY ZZZZZZZZ 00000000 [[X]+Z]=YY 60XXXXXX 0000YYYY ZZZZZZZZ 10000000 [[X]+Z]=YYYY 60XXXXXX YYYYYYYY ZZZZZZZZ 20000000 [[X]+Z]=YYYYYYYY 30XXXXXX 000000YY [X]=[X] + YY 30XXXXXX 0001YYYY [X]=[X] + YYYY 38XXXXXX YYYYYYYY [X]=[X] + YYYYYYYY 70XXXXXX 000000YY [X]=[X] OR YY 70XXXXXX 001000YY [X]=[X] AND YY 70XXXXXX 002000YY [X]=[X] XOR YY 70XXXXXX 0001YYYY [X]=[X] OR YYYY 70XXXXXX 0011YYYY [X]=[X] AND YYYY 70XXXXXX 0021YYYY [X]=[X] XOR YYYY ---Memory fill/copy--- 40XXXXXX 2NUMSTEP 000000YY 000000ZZ byte[X+(0..NUM-1)*STEP*1]=Y+(0..NUM-1)*Z 40XXXXXX 1NUMSTEP 0000YYYY 0000ZZZZ half[X+(0..NUM-1)*STEP*2]=Y+(0..NUM-1)*Z 40XXXXXX 0NUMSTEP YYYYYYYY ZZZZZZZZ word[X+(0..NUM-1)*STEP*4]=Y+(0..NUM-1)*Z 50XXXXXX YYYYYYYY ZZZZZZZZ 00000000 copy Y bytes from [X] to [Z] ---Conditional codes (bugged)--- 60XXXXXX 000000YY ZZZZZZZZ 01c100VV IF [[X]+Z] .. VV THEN [[X]+Z]=YY 60XXXXXX 000000YY ZZZZZZZZ 01c0VVVV IF [[X]+Z] .. VVVV THEN [[X]+Z]=YY 60XXXXXX 0000YYYY ZZZZZZZZ 11c100VV IF [[X]+Z] .. VV THEN [[X]+Z]=YYYY 60XXXXXX 0000YYYY ZZZZZZZZ 11c0VVVV IF [[X]+Z] .. VVVV THEN [[X]+Z]=YYYY 60XXXXXX YYYYYYYY ZZZZZZZZ 21c100VV IF [[X]+Z] .. VV THEN [[X]+Z]=YYYYYYYY 60XXXXXX YYYYYYYY ZZZZZZZZ 21c0VVVV IF [[X]+Z] .. VVVV THEN [[X]+Z]=YYYYYYYY ---Conditional codes (working)--- D0XXXXXX NNc100YY IF [X] .. YY THEN exec max(1,NN) lines D0XXXXXX NNc0YYYY IF [X] .. YYYY THEN exec max(1,NN) lines |
0 IF [mem] = imm THEN ... 4 IF ([mem] AND imm) = 0 THEN ... 1 IF [mem] <> imm THEN ... 5 IF ([mem] AND imm) <> 0 THEN ... 2 IF [mem] < imm THEN ... (unsigned) 6 IF ([mem] AND imm) = imm THEN ... 3 IF [mem] > imm THEN ... (unsigned) 7 IF ([mem] AND imm) <> imm THEN ... |
GAMECODE Cartridge Header[00Ch] (32bit in reversed byte-order) CR16 Cartridge Header[15Eh] (16bit in normal byte-order) XXXXXX 27bit addr (actually 7 digits, XXXXXXX, overlaps 5bit code number) |
for i=4Fh to 00h
y=77628ECFh
if i>13h then y=59E5DC8Ah
if i>27h then y=054A7818h
if i>3Bh then y=B1BF0855h
address = (Key0-value) xor address
value = value - Key1 - (address ror 1Bh)
address = (address xor (value + y)) ror 13h
if (i>13h) then
if (i<=27h) or (i>3Bh) then x=Key2 xor Key1 xor Key0
else x=((Key2 xor Key1) and Key0) xor (Key1 and Key2)
value=value xor (x+y+address)
x = Secure[((i*4+00h) and FCh)+000h]
x = Secure[((i*4+34h) and FCh)+100h] xor x
x = Secure[((i*4+20h) and FCh)+200h] xor x
x = Secure[((i*4+08h) and FCh)+300h] xor x
address = address - (x ror 19h)
next i
|
Secure[0..7FFh] = Copy of the ENCRYPTED 1st 2Kbytes of the game's Secure Area Key0 = 0C2EAB3Eh, Key1 = E2AE295Dh, Key2 = E1ACC3FFh, Key3 = 70D3AF46h scramble_keys |
Key0 = Key0 + (XXXXXXXX ror 1Dh) Key1 = Key1 - (XXXXXXXX ror 05h) Key2 = Key2 xor (Key3 xor Key0) Key3 = Key3 xor (Key2 - Key1) scramble_keys |
for i=0 to FFh
y = byte(xlat_table[i])
Secure[i*4+000h] = (Secure[i*4+000h] xor Secure[y*4]) + Secure[y*4+100h]
Secure[i*4+400h] = (Secure[i*4+400h] xor Secure[y*4]) - Secure[y*4+200h]
next i
for i=0 to 63h
Key0 = Key0 xor (Secure[i*4] + Secure[i*4+190h])
Key1 = Key1 xor (Secure[i*4] + Secure[i*4+320h])
Key2 = Key2 xor (Secure[i*4] + Secure[i*4+4B0h])
Key3 = Key3 xor (Secure[i*4] + Secure[i*4+640h])
next i
Key0 = Key0 - Secure[7D0h]
Key1 = Key1 xor Secure[7E0h]
Key2 = Key2 + Secure[7F0h]
Key3 = Key3 xor Secure[7D0h] xor Secure[7F0h]
|
34h,59h,00h,32h,7Bh,D3h,32h,C9h,9Bh,77h,75h,44h,E0h,73h,46h,06h 0Bh,88h,B3h,3Eh,ACh,F2h,BAh,FBh,2Bh,56h,FEh,7Ah,90h,F7h,8Dh,BCh 8Bh,86h,9Ch,89h,00h,19h,CDh,4Ch,54h,30h,01h,93h,30h,01h,FCh,36h 4Dh,9Fh,FDh,D7h,32h,94h,AEh,BCh,2Bh,61h,DFh,B3h,44h,EAh,8Bh,A3h 2Bh,53h,33h,54h,42h,27h,21h,DFh,A9h,DDh,C0h,35h,58h,EFh,8Bh,33h B4h,D3h,1Bh,C7h,93h,AEh,32h,30h,F1h,CDh,A8h,8Ah,47h,8Ch,70h,0Ch 17h,4Eh,0Eh,A2h,85h,0Dh,6Eh,37h,4Ch,39h,1Fh,44h,98h,26h,D8h,A1h B6h,54h,F3h,AFh,98h,83h,74h,0Eh,13h,6Eh,F4h,F7h,86h,80h,ECh,8Eh EEh,4Ah,05h,A1h,F1h,EAh,B4h,D6h,B8h,65h,8Ah,39h,B3h,59h,11h,20h B6h,BBh,4Dh,88h,68h,24h,12h,9Bh,59h,38h,06h,FAh,15h,1Dh,40h,F0h 01h,77h,57h,F5h,5Dh,76h,E5h,F1h,51h,7Dh,B4h,FAh,7Eh,D6h,32h,4Fh 0Eh,C8h,61h,C1h,EEh,FBh,2Ah,FCh,ABh,EAh,97h,D5h,5Dh,E8h,FAh,2Ch 06h,CCh,86h,D2h,8Ch,10h,D7h,4Ah,CEh,8Fh,EBh,03h,16h,ADh,84h,98h F5h,88h,2Ah,18h,ACh,7Fh,F6h,94h,FBh,3Fh,00h,B6h,32h,A2h,ABh,28h 64h,5Ch,0Fh,C6h,23h,12h,0Ch,D2h,BAh,4Dh,A3h,F2h,C9h,86h,31h,57h 0Eh,F8h,ECh,E1h,A0h,9Ah,3Ch,65h,17h,18h,A0h,81h,D0h,DBh,D5h,AEh |
| DS Cart DLDI Driver |
00h 4 DLDI ID (EDh,A5h,8Dh,BFh) (aka BF8DA5EDh) ;\patching tools will
04h 8 DLDI String (20h,"Chishm",00h) ; refuse any other
0Ch 1 DLDI Version (01h in .dldi, don't care in .nds) ;/values
0Dh 1 Size of .dldi+BSS (rounded up to 1 SHL N bytes) (max 0Fh=32Kbytes)
0Eh 1 Sections to fix/destroy (see FIX_xxx)
0Fh 1 Space in .nds file (1 SHL N) (0Eh..0Fh in .nds, can be 0 in .dldi)
10h 48 ASCII Full Driver Name (max 47 chars, plus zero padding)
40h 4 Address of ALL start (text) ;-base address (BF800000h in .dldi)
44h 4 Address of ALL end (data) ;-for highly-unstable FIX_ALL addr.adjusts
48h 4 Address of GLUE start ;\for semi-stable FIX_GLUE addr.adjusts
4Ch 4 Address of GLUE end ;/ ("Interworking glue" for ARM-vs-THUMB)
50h 4 Address of GOT start ;\for semi-stable FIX_GOT addr.adjusts
54h 4 Address of GOT end ;/ ("Global Offset Table")
58h 4 Address of BSS start ;\for zerofilling "BSS" via FIX_BSS
5Ch 4 Address of BSS end ;/ ("Block Started by Symbol")
60h 4 ASCII Short Driver/Device Name (4 chars, eg. "MYHW" for MyHardware)
64h 4 Flags 2 (see FEATURE_xxx) (usually 13h=GbaSlot, or 23h=NdsSlot)
68h 4 Address of Function startup() ;<-- must be at offset +80h !! ;\
6Ch 4 Address of Function isInserted() ;out: 0=no/fail, 1=yes/okay ; all
70h 4 Address of Function readSectors(sector,numSectors,buf) ; return
74h 4 Address of Function writeSectors(sector,numSectors,buf) ; 0=fail,
78h 4 Address of Function clearStatus() ; 1=okay
7Ch 4 Address of Function shutdown() ;/
80h .. Driver Code (can/must begin with "startup()") ;\max 7F80h
.. .. Glue section (usually a small snippet within above code) ; bytes (when
.. .. GOT section (usually after above code) (pointer table) ; having 32K
.. .. BSS section (usually at end, may exceed .dldi filesize) ; allocated)
.. .. Optional two garbage NOPs at end of default.dldi ;/
|
0 FIX_ALL ;-installer uses highly-unstable guessing in whole dldi file 1 FIX_GLUE ;-installer uses semi-stable address guessing in GLUE area 2 FIX_GOT ;-installer uses semi-stable address guessing in GOT area 3 FIX_BSS ;-installer will zerofill BSS area 4-7 Reserved (0) |
0 FEATURE_MEDIUM_CANREAD 00000001h (usually set) 1 FEATURE_MEDIUM_CANWRITE 00000002h (a few carts can't write) 2-3 Reserved (0) 4 FEATURE_SLOT_GBA 00000010h (need EXMEMCNT bit7 adjusted) 5 FEATURE_SLOT_NDS 00000020h (need EXMEMCNT bit11 adjusted) 6-31 Reserved (0) |
dldi area should be located at a 40h-byte aligned address in ROM image. dldi area should be located in ARM9 (or ARM7) bootcode area. |
dldi[00h..0Bh] must contain DLDI ID word/string dldi[0Fh] must contain allocated size (0Eh=16Kbyte or 0Fh=32Kbyte) dldi[40h..43h] must contain RAM base address of DLDI block and other entries should contain valid dummy strings and dummy functions. |
dldi[0Fh] must be kept as in the old .nds file (not as in .dldi file) |
| DS Cart DLDI Driver - Guessed Address-Adjustments |
| DS Encryption by Gamecode/Idcode (KEY1) |
NDS.ARM7 ROM: 00000030h..00001077h (values 99 D5 20 5F ..) Blowfish/NDS-mode DSi.ARM9 ROM: FFFF99A0h..FFFFA9E7h (values 99 D5 20 5F ..) "" DSi.TCM Copy: 01FFC894h..01FFD8DBh (values 99 D5 20 5F ..) "" DSi.ARM7 ROM: 0000C6D0h..0000D717h (values 59 AA 56 8E ..) Blowfish/DSi-mode DSi.RAM Copy: 03FFC654h..03FFD69Bh (values 59 AA 56 8E ..) "" DSi.Debug: (stored in launcher) (values 69 63 52 05 ..) Blowfish/DSi-debug |
Y=[ptr+0]
X=[ptr+4]
FOR I=0 TO 0Fh (encrypt), or FOR I=11h TO 02h (decrypt)
Z=[keybuf+I*4] XOR X
X=[keybuf+048h+((Z SHR 24) AND FFh)*4]
X=[keybuf+448h+((Z SHR 16) AND FFh)*4] + X
X=[keybuf+848h+((Z SHR 8) AND FFh)*4] XOR X
X=[keybuf+C48h+((Z SHR 0) AND FFh)*4] + X
X=Y XOR X
Y=Z
NEXT I
[ptr+0]=X XOR [keybuf+40h] (encrypt), or [ptr+0]=X XOR [keybuf+4h] (decrypt)
[ptr+4]=Y XOR [keybuf+44h] (encrypt), or [ptr+4]=Y XOR [keybuf+0h] (decrypt)
|
encrypt_64bit(keycode+4)
encrypt_64bit(keycode+0)
[scratch]=0000000000000000h ;S=0 (64bit)
FOR I=0 TO 44h STEP 4 ;xor with reversed byte-order (bswap)
[keybuf+I]=[keybuf+I] XOR bswap_32bit([keycode+(I MOD modulo)])
NEXT I
FOR I=0 TO 1040h STEP 8
encrypt_64bit(scratch) ;encrypt S (64bit) by keybuf
[keybuf+I+0]=[scratch+4] ;write S to keybuf (first upper 32bit)
[keybuf+I+4]=[scratch+0] ;write S to keybuf (then lower 32bit)
NEXT I
|
if key=nds then copy [nds_arm7bios+0030h..1077h] to [keybuf+0..1047h] if key=dsi then copy [dsi_arm7bios+C6D0h..D717h] to [keybuf+0..1047h] [keycode+0]=[idcode] [keycode+4]=[idcode]/2 [keycode+8]=[idcode]*2 IF level>=1 THEN apply_keycode(modulo) ;first apply (always) IF level>=2 THEN apply_keycode(modulo) ;second apply (optional) [keycode+4]=[keycode+4]*2 [keycode+8]=[keycode+8]/2 IF level>=3 THEN apply_keycode(modulo) ;third apply (optional) |
init_keycode(firmware_header+08h,1,0Ch,nds) ;idcode (usually "MACP"), level 1 decrypt_64bit(firmware_header+18h) ;rominfo init_keycode(firmware_header+08h,2,0Ch,nds) ;idcode (usually "MACP"), level 2 decrypt ARM9 and ARM7 bootcode by decrypt_64bit (each 8 bytes) decompress ARM9 and ARM7 bootcode by LZ77 function (swi) calc CRC16 on decrypted/decompressed ARM9 bootcode followed by ARM7 bootcode |
init_keycode(cart_header+0Ch,1,08h,nds) ;gamecode, level 1, modulo 8 decrypt_64bit(cart_header+78h) ;rominfo (secure area disable) init_keycode(cart_header+0Ch,2,08h,nds) ;gamecode, level 2, modulo 8 encrypt_64bit all NDS KEY1 commands (1st command byte in MSB of 64bit value) after loading the secure_area, calculate secure_area crc, then decrypt_64bit(secure_area+0) ;first 8 bytes of secure area init_keycode(cart_header+0Ch,3,08h,nds) ;gamecode, level 3, modulo 8 decrypt_64bit(secure_area+0..7F8h) ;each 8 bytes in first 2K of secure init_keycode(cart_header+0Ch,1,08h,dsi) ;gamecode, level 1, modulo 8 encrypt_64bit all DSi KEY1 commands (1st command byte in MSB of 64bit value) |
| DS Encryption by Random Seed (KEY2) |
Seed0 = 58C56DE0E8h Seed1 = 5C879B9B05h |
Seed0 = (mmmnnn SHL 15)+6000h+Seedbyte Seed1 = 5C879B9B05h |
x = reversed_bit_order(seed0) ;ie. LSB(bit0) exchanged with MSB(bit38), etc. y = reversed_bit_order(seed1) |
x = (((x shr 5)xor(x shr 17)xor(x shr 18)xor(x shr 31)) and 0FFh)+(x shl 8) y = (((y shr 5)xor(y shr 23)xor(y shr 18)xor(y shr 31)) and 0FFh)+(y shl 8) data = (data xor x xor y) and 0FFh |
| DS Firmware Serial Flash Memory |
ID 20h,40h,12h - ST M45PE20 - 256 KBytes (Nintendo DS) (in my old DS) ID 20h,50h,12h - ST M35PE20 - 256 KBytes (Nintendo DS) (in my DS-Lite) ID 20h,80h,13h - ST M25PE40 - 512 KBytes (iQue DS, with chinese charset) ID 20h,40h,11h - ST 45PE10V6 - 128 Kbytes (Nintendo DSi) (in my DSi) ID 20h,40h,13h - ST 45PE40V6 - 512 KBytes (DS Zelda, NTR-AZEP-0) ID 20h,40h,14h - ST 45PE80V6 - 1024 Kbytes (eg. Spirit Tracks, NTR-BKIP) +ID 62h,11h,00h - Sanyo ? - 512 Kbytes (P-Letter Diamond, ADAE) ID 62h,16h,00h - Sanyo LE25FW203T - 256 KBytes (Mariokart backup) +ID 62h,26h,11h - Sanyo ? - ? Kbytes (3DS: CTR-P-AXXJ) +ID 62h,26h,13h - Sanyo ? - ? Kbytes (3DS: CTR-P-APDJ) ID C2h,22h,11h - Macronix MX25L1021E? 128 Kbytes (eg. 3DS Starfox) ID C2h,22h,13h - Macronix ...? 512 Kbytes (eg. 3DS Kid Icarus, 3DS Sims 3) ID C2h,20h,17h - Macronix MX25L6445EZNI-10G 8192 Kbytes (DSi Art Academy) ID 01h,F0h,00h - Garbage/Infrared on SPI-bus? (eg. P-Letter White) ID 03h,F8h,00h - Garbage/Infrared on SPI-bus? (eg. P-Letter White 2) |
06h WREN Write Enable (No Parameters)
04h WRDI Write Disable (No Parameters)
9Fh RDID Read JEDEC Identification (Read 1..3 ID Bytes)
(Manufacturer, Device Type, Capacity)
05h RDSR Read Status Register (Read Status Register, endless repeated)
Bit7-2 Not used (zero)
Bit1 WEL Write Enable Latch (0=No, 1=Enable)
Bit0 WIP Write/Program/Erase in Progess (0=No, 1=Busy)
03h READ Read Data Bytes (Write 3-Byte-Address, read endless data stream)
0Bh FAST Read Data Bytes at Higher Speed (Write 3-Byte-Address, write 1
dummy-byte, read endless data stream) (max 25Mbit/s)
0Ah PW Page Write (Write 3-Byte-Address, write 1..256 data bytes)
(changing bits to 0 or 1) (reads unchanged data, erases the page,
then writes new & unchanged data) (11ms typ, 25ms max)
02h PP Page Program (Write 3-Byte-Address, write 1..256 data bytes)
(changing bits from 1 to 0) (1.2ms typ, 5ms max)
DBh PE Page Erase 100h bytes (Write 3-Byte-Address) (10ms typ, 20ms max)
D8h SE Sector Erase 10000h bytes (Write 3-Byte-Address) (1s typ, 5s max)
B9h DP Deep Power-down (No Parameters) (consumption 1uA typ, 10uA max)
(3us) (ignores all further instructions, except RDP)
ABh RDP Release from Deep Power-down (No Parameters) (30us)
|
Set Chip Select LOW to invoke the command Transmit the instruction byte Transmit any parameter bytes Transmit/receive any data bytes Set Chip Select HIGH to finish the command |
1 D Serial Data In (latched at rising clock edge) _________ 2 C Serial Clock (max 25MHz) /|o | 3 /RES Reset 1 -| | |- 8 4 /S Chip Select (instructions start at falling edge) 2 -| | |- 7 5 /W Write Protect (makes first 256 pages read-only) 3 -| |_________|- 6 6 VCC Supply (2.7V..3.6V typ) (4V max) (DS:VDD3.3) 4 -|/ |- 5 7 VSS Ground |___________| 8 Q Serial Data Out (changes at falling clock edge) |
| DS Firmware Header |
00000h-00029h Firmware Header 0002Ah-001FFh Wifi Settings 00200h-3F9FFh Firmware Code/Data ;-NDS only (not DSi) 00200h-002FEh 00h-filled ;\ 002FFh 80h ; 00300h-1F3FEh FFh-filled ; DSi only (not NDS) 1F3FFh Whatever Bootflags ; 1F400h-1F5FFh Wifi Access Point 4 ; 1F600h-1F7FFh Wifi Access Point 5 ; 1F800h-1F9FFh Wifi Access Point 6 ;/ 3FA00h-3FAFFh Wifi Access Point 1 3FB00h-3FBFFh Wifi Access Point 2 3FC00h-3FCFFh Wifi Access Point 3 3FD00h-3FDFFh Not used 3FE00h-3FEFFh User Settings Area 1 3FF00h-3FFFFh User Settings Area 2 |
Addr Size Expl.
000h 2 part3 romaddr/8 (arm9 gui code) (LZ/huffman compression)
002h 2 part4 romaddr/8 (arm7 wifi code) (LZ/huffman compression)
004h 2 part3/4 CRC16 arm9/7 gui/wifi code
006h 2 part1/2 CRC16 arm9/7 boot code
008h 4 firmware identifier (usually nintendo "MAC",nn) (or nocash "XBOO")
the 4th byte (nn) occassionally changes in different versions
00Ch 2 part1 arm9 boot code romaddr/2^(2+shift1) (LZSS compressed)
00Eh 2 part1 arm9 boot code 2800000h-ramaddr/2^(2+shift2)
010h 2 part2 arm7 boot code romaddr/2^(2+shift3) (LZSS compressed)
012h 2 part2 arm7 boot code 3810000h-ramaddr/2^(2+shift4)
014h 2 shift amounts, bit0-2=shift1, bit3-5=shift2, bit6-8=shift3,
bit9-11=shift4, bit12-15=firmware_chipsize/128K
016h 2 part5 data/gfx romaddr/8 (LZ/huffman compression)
018h 8 Optional KEY1-encrypted "enPngOFF"=Cartridge KEY2 Disable
(feature isn't used in any consoles, instead contains timestamp)
018h 5 Firmware version built timestamp (BCD minute,hour,day,month,year)
01Dh 1 Console type
FFh=Nintendo DS
20h=Nintendo DS-lite
57h=Nintendo DSi
43h=iQueDS
63h=iQueDS-lite
The entry was unused (FFh) in older NDS, ie. replace FFh by 00h)
Bit0 seems to be DSi/iQue related
Bit1 seems to be DSi/iQue related
Bit2 seems to be DSi related
Bit3 zero
Bit4 seems to be DSi related
Bit5 seems to be DS-Lite related
Bit6 indicates presence of "extended" user settings (DSi/iQue)
Bit7 zero
01Eh 2 Unused (FFh-filled)
020h 2 User Settings Offset (div8) (usually last 200h flash bytes)
022h 2 Unknown (7EC0h or 0B51h)
024h 2 Unknown (7E40h or 0DB3h)
026h 2 part5 CRC16 data/gfx
028h 2 unused (FFh-filled)
02Ah-1FFh Wifi Calibration Data (see next chapter)
|
000h 1Dh Zerofilled (bootcode is in new eMMC chip, not on old FLASH chip) 01Dh 6 Same as on DS (header: Console Type and User Settings Offset) 022h 6 Zerofilled (bootcode is in new eMMC chip, not on old FLASH chip) 028h..1FCh Same as on DS (wifi calibration) 1FDh 1 Wifi Board (01h=DWM-W015, 02h=DWM-W024) ;\this was 1FEh 1 Wifi Flash (20h=With access point 4/5/6) ; FFh-filled on DS 1FFh 1 Same as on DS (FFh) ;/ 200h FFh Zerofilled ;\ 2FFh Unknown (80h) ; this was bootcode on DS 00300h..1F2FFh FFh's ; 1F300h..1F3FEh FFh's ;twl-debugger: 00h's ; 1F3FFh FFh ;twl-debugger: 40h ;/ |
| DS Firmware Wifi Calibration Data |
Addr Size Expl.
000h-029h Firmware Header (see previous chapter)
02Ah 2 CRC16 (with initial value 0) of [2Ch..2Ch+config_length-1]
02Ch 2 config_length (usually 0138h, ie. entries 2Ch..163h)
02Eh 1 Unused (00h)
02Fh 1 Wifi version (00h=v1..v4, 03h=v5, 05h=v6..v7, 0Fh=DSi)
030h 6 Unused (00h-filled)
036h 6 48bit MAC address (v1-v5: 0009BFxxxxxx, v6-v7: 001656xxxxxx)
03Ch 2 list of enabled channels ANDed with 7FFE (Bit1..14 = Channel 1..14)
(usually 3FFEh, ie. only channel 1..13 enabled)
03Eh 2 Whatever Flags (usually FFFFh)
040h 1 RF Chip Type (usually 02h)
041h 1 RF Bits per entry at 0CEh (usually 18h=24bit=3byte) (Bit7=?)
042h 1 RF Number of entries at 0CEh (usually 0Ch)
043h 1 Unknown (usually 01h)
044h 2 Initial Value for [4808146h] ;W_CONFIG_146h
046h 2 Initial Value for [4808148h] ;W_CONFIG_148h
048h 2 Initial Value for [480814Ah] ;W_CONFIG_14Ah
04Ah 2 Initial Value for [480814Ch] ;W_CONFIG_14Ch
04Ch 2 Initial Value for [4808120h] ;W_CONFIG_120h
04Eh 2 Initial Value for [4808122h] ;W_CONFIG_122h
050h 2 Initial Value for [4808154h] ;W_CONFIG_154h
052h 2 Initial Value for [4808144h] ;W_CONFIG_144h
054h 2 Initial Value for [4808130h] ;W_CONFIG_130h
056h 2 Initial Value for [4808132h] ;W_CONFIG_132h
058h 2 Initial Value for [4808140h] ;W_CONFIG_140h
05Ah 2 Initial Value for [4808142h] ;W_CONFIG_142h
05Ch 2 Initial Value for [4808038h] ;W_POWER_TX
05Eh 2 Initial Value for [4808124h] ;W_CONFIG_124h
060h 2 Initial Value for [4808128h] ;W_CONFIG_128h
062h 2 Initial Value for [4808150h] ;W_CONFIG_150h
064h 69h Initial 8bit values for BB[0..68h]
0CDh 1 Unused (00h)
|
0CEh 24h Initial 24bit values for RF[0,4,5,6,7,8,9,0Ah,0Bh,1,2,3] 0F2h 54h Channel 1..14 2x24bit values for RF[5,6] 146h 0Eh Channel 1..14 8bit values for BB[1Eh] (usually somewhat B1h..B7h) 154h 0Eh Channel 1..14 8bit values for RF[9].Bit10..14 (usually 10h-filled) |
--- Type3 values are originated at 0CEh, following addresses depend on: --- 1) number of initial values, found at [042h] ;usually 29h 2) number of BB indices, found at [0CEh+[042h]] ;usually 02h 3) number of RF indices, found at [043h] ;usually 02h --- Below example addresses assume above values to be set to 29h,02h,02h --- 0CEh 29h Initial 8bit values for RF[0..28h] 0F7h 1 Number of BB indices per channel 0F8h 1 1st BB index 0F9h 14 1st BB data for channel 1..14 107h 1 2nd BB index 108h 14 2nd BB data for channel 1..14 116h 1 1st RF index 117h 14 1st RF data for channel 1..14 125h 1 2nd RF index 126h 14 2nd RF data for channel 1..14 134h 46 Unused (FFh-filled) |
162h 1 Unknown (usually 19h..1Ch) 163h 1 Unused (FFh) (Inside CRC16 region, with config_length=138h) 164h 99h Unused (FFh-filled) (Outside CRC16 region, with config_length=138h) 1FDh 1 DSi Wifi Board (01h=DWM-W015, 02h=DWM-W024) ;\this was 1FEh 1 DSi Wifi Flash (20h=With access point 4/5/6) ; FFh-filled on DS 1FFh 1 DSi Same as on DS (FFh) ;/ |
| DS Firmware Wifi Internet Access Points |
Addr Siz Expl.
000h 64 Unknown (usually 00h-filled) (no Proxy supported on NDS)
040h 32 SSID (ASCII name of the access point) (padded with 00h's)
060h 32 SSID for WEP64 on AOSS router (each security level has its own SSID)
080h 16 WEP Key 1 (for type/size, see entry E6h)
090h 16 WEP Key 2 ;\
0A0h 16 WEP Key 3 ; (usually 00h-filled)
0B0h 16 WEP Key 4 ;/
0C0h 4 IP Address (0=Auto/DHCP)
0C4h 4 Gateway (0=Auto/DHCP)
0C8h 4 Primary DNS Server (0=Auto/DHCP)
0CCh 4 Secondary DNS Server (0=Auto/DHCP)
0D0h 1 Subnet Mask (0=Auto/DHCP, 1..1Ch=Leading Ones) (eg. 6 = FC.00.00.00)
0D1h .. Unknown (usually 00h-filled)
0E6h 1 WEP Mode (0=None, 1/2/3=5/13/16 byte hex, 5/6/7=5/13/16 byte ascii)
0E7h 1 Status (00h=Normal, 01h=AOSS, FFh=connection not configured/deleted)
0E8h 1 Zero (not SSID Length, ie. unlike as entry 4,5,6 on DSi)
0E9h 1 Unknown (usually 00h)
0EAh 2 DSi only: MTU (Max transmission unit) (576..1500, usually 1400)
0ECh 3 Unknown (usually 00h-filled)
0EFh 1 bit0/1/2 - connection 1/2/3 (1=Configured, 0=Not configured)
0F0h 6 Nintendo Wifi Connection (WFC) 43bit User ID
(ID=([F0h] AND 07FFFFFFFFFFh)*1000, shown as decimal string
NNNN-NNNN-NNNN-N000) (the upper 5bit of the last byte are
containing additional/unknown nonzero data)
0F6h 8 Unknown (nonzero stuff !?!)
0FEh 2 CRC16 for Entries 000h..0FDh (with initial value 0000h)
|
Addr Siz Expl. 000h 32 Proxy Authentication Username (ASCII string, padded with 00's) 000h 32 Proxy Authentication Password (ASCII string, padded with 00's) 040h 32 SSID (ASCII string, padded with 00's) (see [0E8h] for length) 060h .. Maybe same as NDS 080h 16 WEP Key (zerofilled for WPA) 0xxh .. Maybe same as NDS 0C0h 4 IP Address (0=Auto/DHCP) 0C4h 4 Gateway (0=Auto/DHCP) 0C8h 4 Primary DNS Server (0=Auto/DHCP) 0CCh 4 Secondary DNS Server (0=Auto/DHCP) 0D0h 1 Subnet Mask (0=Auto/DHCP, 1..1Ch=Leading Ones) (eg. 6 = FC.00.00.00) 0D1h .. Unknown (zerofilled) 0E6h 1 WEP (00h=None/WPA/WPA2, 01h/02h/03h/05h/06h/07h=WEP, same as NDS) 0E7h 1 WPA (00h=Normal, 10h=WPA/WPA2, 13h=WPS+WPA/WPA2, FFh=unused/deleted) 0E8h 1 SSID Length in characters (01h..20h, or 00h=unused) 0E9h 1 Unknown (usually 00h) 0EAh 2 MTU Value (Max transmission unit) (576..1500, usually 1400) 0ECh 3 Unknown (usually 00h-filled) 0EFh 1 bit0/1/2 - connection 4/5/6 (1=Configured, 0=Not configured) 0F0h 14 Zerofilled (or maybe ID as on NDS, if any such ID exists for DSi?) 0FEh 2 CRC16 for Entries 000h..0FDh (with initial value 0000h) 100h 32 Precomputed PSK (based on WPA/WPA2 password and SSID) ;\all zero 120h 64 WPA/WPA2 password (ASCII string, padded with 00's) ;/for WEP 160h 33 Zerofilled 181h 1 WPA (0=None/WEP, 4=WPA-TKIP, 5=WPA2-TKIP, 6=WPA-AES, 7=WPA2-AES) 182h 1 Proxy Enable (00h=None, 01h=Yes) 183h 1 Proxy Authentication (00h=None, 01h=Yes) 184h 48 Proxy Name (ASCII string, max 47 chars, padded with 00's) 1B4h 52 Zerofilled 1E8h 2 Proxy Port (16bit) 1EAh 20 Zerofilled 1FEh 2 CRC16 for Entries 100h..1FDh (with initial value 0000h) (0=deleted) |
| DS Firmware User Settings |
Addr Size Expl. 000h 2 Version (5) (Always 5, for all NDS/DSi Firmware versions) 002h 1 Favorite color (0..15) (0=Gray, 1=Brown, etc.) 003h 1 Birthday month (1..12) (Binary, non-BCD) 004h 1 Birthday day (1..31) (Binary, non-BCD) 005h 1 Not used (zero) 006h 20 Nickname string in UTF-16 format 01Ah 2 Nickname length in characters (0..10) 01Ch 52 Message string in UTF-16 format 050h 2 Message length in characters (0..26) 052h 1 Alarm hour (0..23) (Binary, non-BCD) 053h 1 Alarm minute (0..59) (Binary, non-BCD) 054h 2 056h 1 80h=enable alarm (huh?), bit 0..6=enable? 057h 1 Zero (1 byte) 058h 2x2 Touch-screen calibration point (adc.x1,y1) 12bit ADC-position 05Ch 2x1 Touch-screen calibration point (scr.x1,y1) 8bit pixel-position 05Eh 2x2 Touch-screen calibration point (adc.x2,y2) 12bit ADC-position 062h 2x1 Touch-screen calibration point (scr.x2,y2) 8bit pixel-position 064h 2 Language and Flags (see below) 066h 1 Year (2000..2255) (when having entered date in the boot menu) 067h 1 Unknown (usually 00h...08h or 78h..7Fh or so) 068h 4 RTC Offset (difference in seconds when RTC time/date was changed) 06Ch 4 Not used (FFh-filled, sometimes 00h-filled) (=MSBs of above?) |
070h 2 update counter (used to check latest) (must be 0000h..007Fh) 072h 2 CRC16 of entries 00h..6Fh (70h bytes) 074h 8Ch Not used (FFh-filled) (or extended data, see below) |
074h 1 Unknown (01h) (maybe version?)
075h 1 Extended Language (0..5=Same as Entry 064h, plus 6=Chinese)
(for language 6, entry 064h defaults to english; for compatibility)
(for language 0..5, both entries 064h and 075h have same value)
076h 2 Bitmask for Supported Languages (Bit0..6)
(007Eh for iQue DS, ie. with chinese, but without japanese)
(003Eh for DSi/EUR, ie. without chinese, and without japanese)
078h 86h Not used (FFh-filled on iQue DS, 00h-filled on DSi)
0FEh 2 CRC16 of entries 74h..FDh (8Ah bytes)
|
Bit
0..2 Language (0=Japanese, 1=English, 2=French, 3=German,
4=Italian, 5=Spanish, 6..7=Reserved) (for Chinese see Entry 075h)
(the language setting also implies time/data format)
3 GBA mode screen selection (0=Upper, 1=Lower)
4-5 Backlight Level (0..3=Low,Med,High,Max) (DS-Lite only)
6 Bootmenu Disable (0=Manual/bootmenu, 1=Autostart Cartridge)
9 Settings Lost (1=Prompt for User Info, and Language, and Calibration)
10 Settings Okay (0=Prompt for User Info)
11 Settings Okay (0=Prompt for User Info) (Same as Bit10)
12 No function
13 Settings Okay (0=Prompt for User Info, and Language)
14 Settings Okay (0=Prompt for User Info) (Same as Bit10)
15 Settings Okay (0=Prompt for User Info) (Same as Bit10)
|
IF count1=((count0+1) AND 7Fh) THEN area1=newer ELSE area0=newer |
| DS Firmware Extended Settings |
Addr Siz Expl.
00h 8 ID "XbooInfo"
08h 2 CRC16 Value [0Ch..0Ch+Length-1]
0Ah 2 CRC16 Length (from 0Ch and up)
0Ch 1 Version (currently 01h)
0Dh 1 Update Count (newer = (older+1) AND FFh)
0Eh 1 Bootmenu Flags
Bit6 Important Info (0=Disable, 1=Enable)
Bit7 Bootmenu Screen (0=Upper, 1=Lower)
0Fh 1 GBA Border (0=Black, 1=Gray Line)
10h 2 Temperature Calibration TP0 ADC value (x16) (sum of 16 ADC values)
12h 2 Temperature Calibration TP1 ADC value (x16) (sum of 16 ADC values)
14h 2 Temperature Calibration Degrees Kelvin (x100) (0=none)
16h 1 Temperature Flags
Bit0-1 Format (0=Celsius, 1=Fahrenheit, 2=Reaumur, 3=Kelvin)
17h 1 Backlight Intensity (0=0ff .. FFh=Full)
18h 4 Date Century Offset (currently 20, for years 2000..2099)
1Ch 1 Date Month Recovery Value (1..12)
1Dh 1 Date Day Recovery Value (1..31)
1Eh 1 Date Year Recovery Value (0..99)
1Fh 1 Date/Time Flags
Bit0-1 Date Format (0=YYYY-MM-DD, 1=MM-DD-YYYY, 2=DD-MM-YYYY)
Bit2 Friendly Date (0=Raw Numeric, 1=With Day/Month Names)
Bit5 Time DST (0=Hide DST, 1=Show DST=On/Off)
Bit6 Time Seconds (0=Hide Seconds, 1=Show Seconds)
Bit7 Time Format (0=24 hour, 1=12 hour)
20h 1 Date Separator (Ascii, usually Slash, or Dot)
21h 1 Time Separator (Ascii, usually Colon, or Dot)
22h 1 Decimal Separator (Ascii, usually Comma, or Dot)
23h 1 Thousands Separator (Ascii, usually Comma, or Dot)
24h 1 Daylight Saving Time (Nth)
Bit 0-3 Activate on (0..4 = Last,1st,2nd,3rd,4th)
Bit 4-7 Deactivate on (0..4 = Last,1st,2nd,3rd,4th)
25h 1 Daylight Saving Time (Day)
Bit 0-3 Activate on (0..7 = Mon,Tue,Wed,Thu,Fri,Sat,Sun,AnyDay)
Bit 4-7 Deactivate on (0..7 = Mon,Tue,Wed,Thu,Fri,Sat,Sun,AnyDay)
26h 1 Daylight Saving Time (of Month)
Bit 0-3 Activate DST in Month (1..12)
Bit 4-7 Deactivate DST in Month (1..12)
27h 1 Daylight Saving Time (Flags)
Bit 0 Current DST State (0=Off, 1=On)
Bit 1 Adjust DST Enable (0=Disable, 1=Enable)
|
| DS Wireless Communications |
| DS Wifi I/O Map |
Address Dir Name r/w [Init] Description 4808000h R W_ID ---- [1440] Chip ID (1440h=DS, C340h=DS-Lite) 4808004h R/W W_MODE_RST 9fff [0000] Mode/Reset 4808006h R/W W_MODE_WEP --7f [0000] Mode/Wep modes 4808008h R/W W_TXSTATCNT ffff [0000] Beacon Status Request 480800Ah R/W W_X_00Ah ffff [0000] [bit7 - ingore rx duplicates] 4808010h R/W W_IF ackk [0000] Wifi Interrupt Request Flags 4808012h R/W W_IE ffff [0000] Wifi Interrupt Enable 4808018h R/W W_MACADDR_0 ffff [0000] Hardware MAC Address, 1st 2 bytes 480801Ah R/W W_MACADDR_1 ffff [0000] Hardware MAC Address, next 2 bytes 480801Ch R/W W_MACADDR_2 ffff [0000] Hardware MAC Address, last 2 bytes 4808020h R/W W_BSSID_0 ffff [0000] BSSID (first 2 bytes) 4808022h R/W W_BSSID_1 ffff [0000] BSSID (next 2 bytes) 4808024h R/W W_BSSID_2 ffff [0000] BSSID (last 2 bytes) 4808028h R/W W_AID_LOW ---f [0000] usually as lower 4bit of AID value 480802Ah R/W W_AID_FULL -7ff [0000] AID value assigned by a BSS. 480802Ch R/W W_TX_RETRYLIMIT ffff [0707] Tx Retry Limit (set from 00h-FFh) 480802Eh R/W W_INTERNAL ---1 [0000] 4808030h R/W W_RXCNT ff0e [0000] Receive control 4808032h R/W W_WEP_CNT ffff [0000] WEP engine enable 4808034h R? W_INTERNAL 0000 [0000] bit0,1 (see ports 004h,040h,1A0h) |
4808036h R/W W_POWER_US ---3 [0001] 4808038h R/W W_POWER_TX ---7 [0003] 480803Ch R/W W_POWERSTATE -r-2 [0200] 4808040h R/W W_POWERFORCE 8--1 [0000] 4808044h R W_RANDOM 0xxx [0xxx] 4808048h R/W W_POWER_? ---3 [0000] |
4808050h R/W W_RXBUF_BEGIN ffff [4000] 4808052h R/W W_RXBUF_END ffff [4800] 4808054h R W_RXBUF_WRCSR 0rrr [0000] 4808056h R/W W_RXBUF_WR_ADDR -fff [0000] 4808058h R/W W_RXBUF_RD_ADDR 1ffe [0000] 480805Ah R/W W_RXBUF_READCSR -fff [0000] 480805Ch R/W W_RXBUF_COUNT -fff [0000] 4808060h R W_RXBUF_RD_DATA rrrr [xxxx] 4808062h R/W W_RXBUF_GAP 1ffe [0000] 4808064h R/W W_RXBUF_GAPDISP -fff [0000] 4808068h R/W W_TXBUF_WR_ADDR 1ffe [0000] 480806Ch R/W W_TXBUF_COUNT -fff [0000] 4808070h W W_TXBUF_WR_DATA xxxx [xxxx] 4808074h R/W W_TXBUF_GAP 1ffe [0000] 4808076h R/W W_TXBUF_GAPDISP 0fff [0000] |
4808078h W W_INTERNAL mirr [mirr] Read: Mirror of 068h 4808080h R/W W_TXBUF_BEACON ffff [0000] Beacon Transmit Location 4808084h R/W W_TXBUF_TIM --ff [0000] Beacon TIM Index in Frame Body 4808088h R/W W_LISTENCOUNT --ff [0000] Listen Count 480808Ch R/W W_BEACONINT -3ff [0064] Beacon Interval 480808Eh R/W W_LISTENINT --ff [0000] Listen Interval 4808090h R/W W_TXBUF_CMD ffff [0000] (used by firmware part4) 4808094h R/W W_TXBUF_REPLY1 ffff [0000] (used by firmware part4) 4808098h R W_TXBUF_REPLY2 0000 [0000] (used by firmware part4) 480809Ch R/W W_INTERNAL ffff [0050] value 4x00h --> preamble+x*12h us? 48080A0h R/W W_TXBUF_LOC1 ffff [0000] 48080A4h R/W W_TXBUF_LOC2 ffff [0000] 48080A8h R/W W_TXBUF_LOC3 ffff [0000] 48080ACh W W_TXREQ_RESET fixx [0050] 48080AEh W W_TXREQ_SET fixx [0050] 48080B0h R W_TXREQ_READ --1f [0010] 48080B4h W W_TXBUF_RESET 0000 [0000] (used by firmware part4) 48080B6h R W_TXBUSY 0000 [0000] (used by firmware part4) 48080B8h R W_TXSTAT 0000 [0000] 48080BAh ? W_INTERNAL 0000 [0000] 48080BCh R/W W_PREAMBLE ---3 [0001] 48080C0h R/W x W_CMD_TOTALTIME ffff [0000] (used by firmware part4) 48080C4h R/W x W_CMD_REPLYTIME ffff [0000] (used by firmware part4) 48080C8h ? W_INTERNAL 0000 [0000] 48080D0h R/W W_RXFILTER 1fff [0401] 48080D4h R/W W_CONFIG_0D4h ---3 [0001] 48080D8h R/W W_CONFIG_0D8h -fff [0004] 48080DAh R/W W_RX_LEN_CROP ffff [0602] 48080E0h R/W W_RXFILTER2 ---f [0008] |
48080E8h R/W W_US_COUNTCNT ---1 [0000] Microsecond counter enable 48080EAh R/W W_US_COMPARECNT ---1 [0000] Microsecond compare enable 48080ECh R/W W_CONFIG_0ECh 3f1f [3F03] 48080EEh R/W W_CMD_COUNTCNT ---1 [0001] 48080F0h R/W W_US_COMPARE0 fc-- [FC00] Microsecond compare, bits 0-15 48080F2h R/W W_US_COMPARE1 ffff [FFFF] Microsecond compare, bits 16-31 48080F4h R/W W_US_COMPARE2 ffff [FFFF] Microsecond compare, bits 32-47 48080F6h R/W W_US_COMPARE3 ffff [FFFF] Microsecond compare, bits 48-63 48080F8h R/W W_US_COUNT0 ffff [0000] Microsecond counter, bits 0-15 48080FAh R/W W_US_COUNT1 ffff [0000] Microsecond counter, bits 16-31 48080FCh R/W W_US_COUNT2 ffff [0000] Microsecond counter, bits 32-47 48080FEh R/W W_US_COUNT3 ffff [0000] Microsecond counter, bits 48-63 4808100h ? W_INTERNAL 0000 [0000] 4808102h ? W_INTERNAL 0000 [0000] 4808104h ? W_INTERNAL 0000 [0000] 4808106h ? W_INTERNAL 0000 [0000] 480810Ch R/W W_CONTENTFREE ffff [0000] ... 4808110h R/W W_PRE_BEACON ffff [0000] 4808118h R/W W_CMD_COUNT ffff [0000] 480811Ch R/W W_BEACONCOUNT1 ffff [0000] reloaded with W_BEACONINT |
4808120h R/W W_CONFIG_120h 81ff [0048] init from firmware[04Ch] 4808122h R/W W_CONFIG_122h ffff [4840] init from firmware[04Eh] 4808124h R/W W_CONFIG_124h ffff [0000] init from firmware[05Eh], or 00C8h 4808126h ? W_INTERNAL fixx [ 0080] 4808128h R/W W_CONFIG_128h ffff [0000] init from firmware[060h], or 07D0h 480812Ah ? W_INTERNAL fixx [1000] lower 12bit same as W_CONFIG_128h 4808130h R/W W_CONFIG_130h -fff [0142] init from firmware[054h] 4808132h R/W W_CONFIG_132h 8fff [8064] init from firmware[056h] 4808134h R/W W_BEACONCOUNT2 ffff [FFFF] ... 4808140h R/W W_CONFIG_140h ffff [0000] init from firmware[058h], or xx 4808142h R/W W_CONFIG_142h ffff [2443] init from firmware[05Ah] 4808144h R/W W_CONFIG_144h --ff [0042] init from firmware[052h] 4808146h R/W W_CONFIG_146h --ff [0016] init from firmware[044h] 4808148h R/W W_CONFIG_148h --ff [0016] init from firmware[046h] 480814Ah R/W W_CONFIG_14Ah --ff [0016] init from firmware[048h] 480814Ch R/W W_CONFIG_14Ch ffff [162C] init from firmware[04Ah] 4808150h R/W W_CONFIG_150h ff3f [0204] init from firmware[062h], or 202h 4808154h R/W W_CONFIG_154h 7a7f [0058] init from firmware[050h] |
4808158h W W_BB_CNT mirr [00B5] BB Access Start/Direction/Index 480815Ah W W_BB_WRITE ???? [0000] BB Access data byte to write 480815Ch R W_BB_READ 00rr [00B5] BB Access data byte read 480815Eh R W_BB_BUSY 000r [0000] BB Access Busy flag 4808160h R/W W_BB_MODE 41-- [0100] BB Access Mode 4808168h R/W W_BB_POWER 8--f [800D] BB Access Powerdown |
480816Ah ? W_INTERNAL 0000 [0001] (or 0000h?) 4808170h ? W_INTERNAL 0000 [0000] 4808172h ? W_INTERNAL 0000 [0000] 4808174h ? W_INTERNAL 0000 [0000] 4808176h ? W_INTERNAL 0000 [0000] 4808178h W W_INTERNAL fixx [0800] Read: mirror of 17Ch |
480817Ch R/W W_RF_DATA2 ffff [0800] 480817Eh R/W W_RF_DATA1 ffff [C008] 4808180h R W_RF_BUSY 000r [0000] 4808184h R/W W_RF_CNT 413f [0018] |
4808190h R/W W_INTERNAL ffff [0000] 4808194h R/W W_TX_HDR_CNT ---7 [0000] used by firmware part4 (0 or 6) 4808198h R/W W_INTERNAL ---f [0000] 480819Ch R W_RF_PINS fixx [0004] 48081A0h R/W W_X_1A0h -933 [0000] used by firmware part4 (0 or 823h) 48081A2h R/W W_X_1A2h ---3 [0001] used by firmware part4 48081A4h R/W W_X_1A4h ffff [0000] "Rate used when signal test..." |
48081A8h R W_RXSTAT_INC_IF rrrr [0000] Stats Increment Flags 48081AAh R/W W_RXSTAT_INC_IE ffff [0000] Stats Increment IRQ Enable 48081ACh R W_RXSTAT_OVF_IF rrrr [0000] Stats Half-Overflow Flags 48081AEh R/W W_RXSTAT_OVF_IE ffff [0000] Stats Half-Overflow IRQ Enable 48081B0h R/W W_RXSTAT --ff [0000] 48081B2h R/W W_RXSTAT ffff [0000] RX_LengthRateErrorCount 48081B4h R/W W_RXSTAT rrff [0000] ... firmware uses also MSB ... ? 48081B6h R/W W_RXSTAT ffff [0000] 48081B8h R/W W_RXSTAT --ff [0000] 48081BAh R/W W_RXSTAT --ff [0000] 48081BCh R/W W_RXSTAT ffff [0000] 48081BEh R/W W_RXSTAT ffff [0000] 48081C0h R/W W_TX_ERR_COUNT --ff [0000] TransmitErrorCount 48081C4h R W_RX_COUNT fixx [0000] |
48081D0h R/W W_CMD_STAT ff-- [0000] 48081D2h R/W W_CMD_STAT ffff [0000] 48081D4h R/W W_CMD_STAT ffff [0000] 48081D6h R/W W_CMD_STAT ffff [0000] 48081D8h R/W W_CMD_STAT ffff [0000] 48081DAh R/W W_CMD_STAT ffff [0000] 48081DCh R/W W_CMD_STAT ffff [0000] 48081DEh R/W W_CMD_STAT ffff [0000] |
48081F0h R/W W_INTERNAL ---3 [0000]
4808204h ? W_INTERNAL fixx [0000]
4808208h ? W_INTERNAL fixx [0000]
480820Ch W W_INTERNAL fixx [0050]
4808210h R W_TX_SEQNO fixx [0000]
4808214h R W_RF_STATUS XXXX [0009] (used by firmware part4)
480821Ch W W_IF_SET fbff [0000] Force Interrupt (set bits in W_IF)
4808220h R/W W_INTERNAL ffff [0000] Bit0-1: Enable/Disable WifiRAM
(locks memory at 4000h-5FFFh)
4808224h R/W W_INTERNAL ---3 [0003]
4808228h W W_X_228h fixx [0000] (used by firmware part4) (bit3)
4808230h R/W W_INTERNAL --ff [0047]
4808234h R/W W_INTERNAL -eff [0EFF]
4808238h R/W W_INTERNAL ffff [0000] ;rx_seq_no-60h+/-x ;why that?
;other day: fixed value, not seq_no related?
480823Ch ? W_INTERNAL fixx [0000] like W_TXSTAT... ONLY for beacons?
4808244h R/W W_X_244h ffff [0000] (used by firmware part4)
4808248h R/W W_INTERNAL ffff [0000]
480824Ch R W_INTERNAL fixx [0000] ;rx_mac_addr_0
480824Eh R W_INTERNAL fixx [0000] ;rx_mac_addr_1
4808250h R W_INTERNAL fixx [0000] ;rx_mac_addr_2
4808254h ? W_CONFIG_254h fixx [0000] (read: FFFFh=DS, EEEEh=DS-Lite)
4808258h ? W_INTERNAL fixx [0000]
480825Ch ? W_INTERNAL fixx [0000]
4808260h ? W_INTERNAL fixx [ 0FEF]
4808264h R W_INTERNAL fixx [0000] ;rx_addr_1 (usually "rxtx_addr-x")
4808268h R W_RXTX_ADDR fixx [0005] ;rxtx_addr
4808270h R W_INTERNAL fixx [0000] ;rx_addr_2 (usually "rx_addr_1-1")
4808274h ? W_INTERNAL fixx [ 0001]
4808278h R/W W_INTERNAL ffff [000F]
480827Ch ? W_INTERNAL fixx [ 000A]
4808290h (R/W) W_X_290h fixx [FFFF] bit 0 = ? (used by firmware part4)
4808298h W W_INTERNAL fixx [0000]
48082A0h R/W W_INTERNAL ffff [0000]
48082A2h R W_INTERNAL XXXX [7FFF] 15bit shift reg (used during tx?)
48082A4h R W_INTERNAL fixx [0000] ;rx_rate_1 not ALWAYS same as 2C4h
48082A8h W W_INTERNAL fixx [0000]
48082ACh ? W_INTERNAL fixx [ 0038]
48082B0h W W_INTERNAL fixx [0000]
48082B4h R/W W_INTERNAL -1-3 [0000]
48082B8h ? W_INTERNAL fixx [0000]
48082C0h R/W W_INTERNAL ---1 [0000]
48082C4h R W_INTERNAL fixx [000A] ;rx_rate_2 (0Ah,14h = 1,2 Mbit/s)
48082C8h R W_INTERNAL fixx [0000] ;rx_duration/length/rate (or so?)
48082CCh R W_INTERNAL fixx [0000] ;rx_framecontrol; from ieee header
48082D0h DIS W_INTERNAL ;"W_POWERACK" (internal garbage)
;normally DISABLED (unless FORCE)
48082F0h R/W W_INTERNAL ffff [0000]
48082F2h R/W W_INTERNAL ffff [0000]
48082F4h R/W W_INTERNAL ffff [0000]
48082F6h R/W W_INTERNAL ffff [0000]
|
4804000h W_MACMEM RX/TX Buffers (2000h bytes) (excluding below specials) 4805F60h Used for something, not included in the rx circular buffer. 4805F80h W_WEPKEY_0 (32 bytes) 4805FA0h W_WEPKEY_1 (32 bytes) 4805FC0h W_WEPKEY_2 (32 bytes) 4805FE0h W_WEPKEY_3 (32 bytes) |
| DS Wifi Control |
0-15 Chip ID (1440h on NDS, C340h on NDS-lite) |
0 Adjust some ports (0/1=see lists below) (R/W)
TX Master Enable for LOC1..3 and Beacon (0=Disable, 1=Enable)
1-12 Unknown (R/W)
13 Reset some ports (0=No change, 1=Reset/see list below) (Write-Only)
14 Reset some ports (0=No change, 1=Reset/see list below) (Write-Only)
15 Unknown (R/W)
|
0-2 Unknown, specify a software mode for wifi operation
(may be related to hardware but a correlation has not yet been found)
3-5 WEP Encryption Key Size:
0=Reserved (acts same as 1)
1=64bit WEP (IV=24bit + KEY=40bit) (aka 3+5 bytes) ;standard/us
2=128bit WEP (IV=24bit + KEY=104bit) (aka 3+13 bytes) ;standard/world
3=152bit WEP (IV=24bit + KEY=128bit) (aka 3+16 bytes) ;uncommon
4=Unknown, mabye 256bit WEP (IV=24bit + KEY=232bit) (aka 3+29 bytes)?
5=Reserved (acts same as 1)
6=Reserved (acts same as 1)
7=Reserved (acts same as 1)
6 Unknown
8-15 Always zero
|
Bit0-3 Maybe player-number, assuming that HW supports such? (1..15, or 0) Bit4-15 Not used |
Bit0-10 Association ID (AID) (1..2007, or zero) Bit11-15 Not used |
0-14 Unknown (usually zero) 15 WEP Engine Enable (0=Disable, 1=Enable) |
0-10 Random 11-15 Not used (zero) |
X = (X AND 1) XOR (X ROL 1) ;(rotation within 11bit range) |
Bit Dir Expl. 0 R/W Unknown (this does NOT affect TX) 1 R/W Preamble (0=Long, 1=Short) (this does NOT affect TX) 2 W Preamble (0=Long, 1=Short) (this does affect TX) (only at 2Mbit/s) 3-15 - Always zero |
Type Carrier Signal SFD Value PLCP Header Data Long 128bit, 1Mbit 16bit, 1Mbit 48bit, 1Mbit N bits, 1Mbit or 2Mbit Short 56bit, 1Mbit 16bit, 1Mbit 48bit, 2Mbit N bits, 2Mbit |
[4808034h]=0002h ;W_INTERNAL [480819Ch]=0046h ;W_RF_PINS [4808214h]=0009h ;W_RF_STATUS [480827Ch]=0005h ;W_INTERNAL [48082A2h]=? ;...unstable? |
[480827Ch]=000Ah ;W_INTERNAL |
[4808056h]=0000h ;W_RXBUF_WR_ADDR [48080C0h]=0000h ;W_CMD_TOTALTIME [48080C4h]=0000h ;W_CMD_REPLYTIME [48081A4h]=0000h ;W_X_1A4h [4808278h]=000Fh ;W_INTERNAL ...Also, following may be affected (results are unstable though)... [48080AEh]=? ;or rather the actual port (which it is an mirror of) [48080BAh]=? ;W_INTERNAL (occassionally unstable) [4808204h]=? ;W_INTERNAL [480825Ch]=? ;W_INTERNAL [4808268h]=? ;W_RXTX_ADDR [4808274h]=? ;W_INTERNAL |
[4808006h]=0000h ;W_MODE_WEP [4808008h]=0000h ;W_TXSTATCNT [480800Ah]=0000h ;W_X_00Ah [4808018h]=0000h ;W_MACADDR_0 [480801Ah]=0000h ;W_MACADDR_1 [480801Ch]=0000h ;W_MACADDR_2 [4808020h]=0000h ;W_BSSID_0 [4808022h]=0000h ;W_BSSID_1 [4808024h]=0000h ;W_BSSID_2 [4808028h]=0000h ;W_AID_LOW [480802Ah]=0000h ;W_AID_FULL [480802Ch]=0707h ;W_TX_RETRYLIMIT [480802Eh]=0000h ;W_INTERNAL [4808050h]=4000h ;W_RXBUF_BEGIN [4808052h]=4800h ;W_RXBUF_END [4808084h]=0000h ;W_TXBUF_TIM [48080BCh]=0001h ;W_PREAMBLE [48080D0h]=0401h ;W_RXFILTER [48080D4h]=0001h ;W_CONFIG_0D4h [48080E0h]=0008h ;W_RXFILTER2 [48080ECh]=3F03h ;W_CONFIG_0ECh [4808194h]=0000h ;W_TX_HDR_CNT [4808198h]=0000h ;W_INTERNAL [48081A2h]=0001h ;W_X_1A2h [4808224h]=0003h ;W_INTERNAL [4808230h]=0047h ;W_INTERNAL |
| DS Wifi Interrupts |
0 Receive Complete (packet received and stored in the RX fifo) 1 Transmit Complete (packet is done being transmitted) (no matter if error) 2 Receive Event Increment (IRQ02, see W_RXSTAT_INC_IE) 3 Transmit Error Increment (IRQ03, see W_TX_ERR_COUNT) 4 Receive Event Half-Overflow (IRQ04, see W_RXSTAT_OVF_IE) 5 Transmit Error Half-Overflow (IRQ05, see W_TX_ERR_COUNT.Bit7) 6 Start Receive (IRQ06, a packet has just started to be received) 7 Start Transmit (IRQ07, a packet has just started to be transmitted) 8 Txbuf Count Expired (IRQ08, see W_TXBUF_COUNT) 9 Rxbuf Count Expired (IRQ09, see W_RXBUF_COUNT) 10 Not used (always zero, even when trying to set it with W_IF_SET) 11 RF Wakeup (IRQ11, see W_POWERSTATE) 12 Multiplay ...? (IRQ12, see W_CMD_COUNT) 13 Post-Beacon Timeslot (IRQ13, see W_BEACONCOUNT2) 14 Beacon Timeslot (IRQ14, see W_BEACONCOUNT1/W_US_COMPARE) 15 Pre-Beacon Timeslot (IRQ15, see W_BEACONCOUNT1/W_PRE_BEACON) |
0-15 Enable Flags, same bits as W_IF (0=Disable, 1=Enable) |
0-15 Set corresponding bits in W_IF (0=No change, 1=Set Bit) |
Caution Caution Caution Caution Caution That means, when acknowledging IF.Bit24, then NO FURTHER wifi IRQs will be executed whilst and as long as (W_IF AND W_IE) is non-zero. |
| DS Wifi Power-Down Registers |
0 Disable W_US_COUNT and W_BB_ports (0=Enable, 1=Disable) 1 Unknown (usually 0) 2-15 Always zero |
0 Auto Wakeup (1=Leave Idle Mode a while after IRQ15) 1 Auto Sleep (0=Enter Idle Mode on IRQ13) 2 Unknown 3 Unknown (Write-only) (used by firmware) 4-15 Always zero |
0 Unknown (usually 0) (R/W) 1 Request Power Enable (0=No, 1=Yes/queued) (R/W, but not always) 2-7 Always zero 8 Indicates that Bit9 is about the be cleared (Read only) 9 Current power state (0=Enabled, 1=Disabled) (Read only) 10-15 Always zero |
0 New value for W_POWERSTATE.Bit9 (0=Clear/Delayed, 1=Set/Immediately) 1-14 Always zero 15 Apply Bit0 to W_POWERSTATE.Bit9 (0=No, 1=Yes) |
(Doing this is okay. Switches to power down mode. Similar to IRQ13.) [4808034h]=0002h ;W_INTERNAL [480803Ch]=02xxh ;W_POWERSTATE [48080B0h]=0000h ;W_TXREQ_READ [480819Ch]=0046h ;W_RF_PINS [4808214h]=0009h ;W_RF_STATUS (idle) |
(Don't do this. After that sequence, the hardware seems to be messed up) W_POWERSTATE.Bit8 gets set to indicate the pending operation, while pending, changes to W_POWERFORCE aren't applied to W_POWERSTATE, while pending, W_POWERACK becomes Read/Write-able, writing 0000h to W_POWERACK does clear W_POWERSTATE.Bit8, and does apply POWERFORCE.Bit0 to W_POWERSTATE.Bit9 and does deactivate Port W_POWERACK again. |
0 Unknown 1 Unknown 2-15 Always zero |
| DS Wifi Receive Control |
0 Copy W_RXBUF_WR_ADDR to W_RXBUF_WRCSR (W) 1-3 Unknown (R/W) 4-6 Always zero 7 Copy W_TXBUF_REPLY1 to W_TXBUF_REPLY2, set W_TXBUF_REPLY1 to 0000h (W) 8-14 Unknown (R/W) 15 Enable Queuing received data to RX FIFO (R/W) |
0 (0=Insist on W_BSSID, 1=Accept no matter of W_BSSID) 1-6 Unknown (usually zero) 7 Unknown (0 or 1) 8 Unknown (0 or 1) 9 Unknown (0 or 1) 10 Unknown (0 or 1) (when set, receives beacons, and maybe others) 11 Unknown (usually zero) ;reportedly "allow toDS" ? 12 (0=Normal, 1=Accept even whatever garbage) 13-15 Not used (always zero) |
0 Unknown (0=Receive Data Frames, 1=Ignore Data Frames) (?) 1 Unknown 2 Unknown 3 Unknown (usually set) 4-15 Not used (always zero) |
| DS Wifi Receive Buffer |
0-15 Byte-offset in Wifi Memory (usually 4000h..5FFEh) |
0-11 Halfword Address in RAM 12-15 Always zero |
0-11 Halfword Address in RAM 12-15 Always zero |
0 Always zero 1-12 Halfword Address in RAM for reading via W_RXBUF_RD_DATA 13-15 Always zero |
0-11 Halfword Address in RAM 12-15 Always zero |
0-15 Data |
0 Always zero 1-12 Halfword Address in RAM 13-15 Always zero |
Addr=Addr+2 and 1FFEh ;address increment (by W_RXBUF_RD_DATA read)
if Addr=RXBUF_END then ;normal begin/end wrapping (done before gap wraps)
Addr=RXBUF_BEGIN
if Addr=RXBUF_GAP then ;now gap-wrap (may include further begin/end wrap)
Addr=RXBUF_GAP+RXBUF_GAPDISP*2
if Addr>=RXBUF_END then Addr=Addr+RXBUF_BEGIN-RXBUF_END ;wrap more
|
0-11 Halfword Offset, used with W_RXBUF_GAP (see there) 12-15 Always zero |
0-11 Decremented on reads from W_RXBUF_RD_DATA 12-15 Always zero |
| DS Wifi Receive Statistics |
0-12 Increment Flags (see Port 48081B0h..1BFh) 13-15 Always zero |
0-12 Counter Increment Interrupt Enable (see 48081B0h..1BFh) (1=Enable) 13-15 Unknown (usually zero) |
0-12 Half-Overflow Flags (see Port 48081B0h..1BFh) 13-15 Always zero |
0-12 Half-Overflow Interrupt Enable (see Port 48081B0h..1BFh) (1=Enable) 13-15 Unknown (usually zero) |
Port Dir Bit Expl.
48081B0h R/W 0 W_RXSTAT ?
48081B1h - - Always 0 -
48081B2h R/W 1 W_RXSTAT ? "RX_RateErrorCount"
48081B3h R/W 2 W_RXSTAT Length>2348 error
48081B4h R/W 3 W_RXSTAT RXBUF Full error
48081B5h R 4? W_RXSTAT ? (R) (but seems to exist; used by firmware)
48081B6h R/W 5 W_RXSTAT Length=0 or Wrong FCS Error
48081B7h R/W 6 W_RXSTAT Packet Received Okay
(also increments on W_MACADDR mis-match)
(also increments on internal ACK packets)
(also increments on invalid IEEE type=3)
(also increments TOGETHER with 1BCh and 1BEh)
(not incremented on RXBUF_FULL error)
48081B8h R/W 7 W_RXSTAT ?
48081B9h - - Always 0 -
48081BAh R/W 8 W_RXSTAT ?
48081BBh - - Always 0 -
48081BCh R/W 9 W_RXSTAT WEP Error (when FC.Bit14 is set)
48081BDh R/W 10 W_RXSTAT ?
48081BEh R/W 11 W_RXSTAT (duplicated sequence control)
48081BFh R/W 12 W_RXSTAT ?
|
0-? Receive Okay Count (increments together with ports 48081B4h, 48081B7h) 8-? Receive Error Count (increments together with ports 48081B3h, 48081B6h) |
48081D0h Not used (always zero) 48081D1h..1DFh Client 1..15 Response Error (increments on missing replies) |
| DS Wifi Transmit Control |
0-3 Reset corresponding bits in W_TXREQ_READ (0=No change, 1=Reset) 4-15 Unknown (if any) |
0-3 Set corresponding bits in W_TXREQ_READ (0=No change, 1=Set) 4-15 Unknown (if any) |
0 Send W_TXBUF_LOC1 (1=Transfer, if enabled in W_TXBUF_LOC1.Bit15) 1 Send W_TXBUF_CMD (1=Transfer, if enabled in W_TXBUF_CMD.Bit15) 2 Send W_TXBUF_LOC2 (1=Transfer, if enabled in W_TXBUF_LOC2.Bit15) 3 Send W_TXBUF_LOC3 (1=Transfer, if enabled in W_TXBUF_LOC3.Bit15) 4 Unknown (Beacon?) (always 1, except when cleared via W_POWERFORCE) 5-15 Unknown/Not used |
0 W_TXBUF_LOC1 (1=Requested Transfer busy, or not yet started at all) 1 W_TXBUF_CMD (1=Requested Transfer busy, or not yet started at all) 2 W_TXBUF_LOC2 (1=Requested Transfer busy, or not yet started at all) 3 W_TXBUF_LOC3 (1=Requested Transfer busy, or not yet started at all) 4 W_TXBUF_BEACON (1=Beacon Transfer busy) 5-15 Unknown (if any) |
0 One (or more) Packet has Completed (1=Yes)
(No matter if successful, for that info see Bit1)
(No matter if ALL packets are done, for that info see Bit12-13)
1 Packet Failed (1=Error)
2-7 Unknown/Not used
8-11 Usually 0, ...but firmware is checking for values 03h,08h,0Bh
(gets set to 07h when transferred W_TXBUF_LOC1/2/3 did have Bit12=set)
(gets set to 00h otherwise)
(gets set to 03h after beacons; if enabled in W_TXSTATCNT.Bit15)
(gets set to 08h or 0Bh after CMD; depending on W_TXSTATCNT.Bit13,14)
12-13 Packet which has updated W_TXSTAT (0=LOC1/BEACON/CMD, 1=LOC2, 2=LOC3)
14-15 Unknown/Not used
|
0-12 Unknown (usually zero) 13 Update W_TXSTAT=0B01h and trigger IRQ01 after CMD transmits (1=Yes) 14 Update W_TXSTAT=0800h and trigger IRQ01 after CMD transmits (1=Yes) 15 Update W_TXSTAT and trigger IRQ01 after BEACON transmits (0=No, 1=Yes) |
0 IEEE FC.Bit12 and Duration (0=Auto/whatever, 1=Manual/Wifi RAM) 1 IEEE Frame Check Sequence (0=Auto/FCS/CRC32, 1=Manual/Wifi RAM) 2 IEEE Sequence Control (0=Auto/W_TX_SEQNO, 1=Manual/Wifi RAM) 3-15 Always zero |
0-11 Increments on IRQ07 (Transmit Start Interrupt) 12-15 Always zero |
| DS Wifi Transmit Buffers |
0 Always zero 1-12 Halfword Address in RAM for Writes via W_TXBUF_WR_DATA 13-15 Always zero |
0-15 Data to be written to address specified in W_TXBUF_WR_ADDR |
0 Always zero 1-12 Halfword Address 13-15 Always zero |
0-11 Halfword Offset (added to; if equal to W_TXBUF_GAP) 12-15 Always zero |
0-11 Halfword Address of TX Frame Header in RAM
12 For LOC1-3: When set, W_TXSTAT.bit8-10 are set to 07h after transfer
And, when set, the transferred frame-body gets messed up?
For BEACON: Unknown, no effect on W_TXSTAT
For CMD: Unknown, no effect on W_TXSTAT
13 IEEE Sequence Control (0=From W_TX_SEQNO, 1=Value in Wifi RAM)
For BEACON: Unknown (always uses W_TX_SEQNO) (no matter of bit13)
14 Unknown
15 Transfer Request (1=Request/Pending)
|
0 Disable LOC1 (0=No change, 1=Reset W_TXBUF_LOC1.Bit15) 1 Disable CMD (0=No change, 1=Reset W_TXBUF_CMD.Bit15) 2 Disable LOC2 (0=No change, 1=Reset W_TXBUF_LOC2.Bit15) 3 Disable LOC3 (0=No change, 1=Reset W_TXBUF_LOC3.Bit15) 4-5 Unknown/Not used 6 Disable REPLY2 (0=No change, 1=Reset W_TXBUF_REPLY2.Bit15) 7 Disable REPLY1 (0=No change, 1=Reset W_TXBUF_REPLY1.Bit15) 8-15 Unknown/Not used |
0-7 Location of TIM parameters within Beacon Frame Body 8-15 Not used/zero |
0-11 Decremented on writes to W_TXBUF_WR_DATA 12-15 Always zero |
| DS Wifi Transmit Errors |
0-7 Retry Count (usually 07h) 8-15 Unknown (usually 07h) |
0-7 TransmitErrorCount 8-15 Always zero |
| DS Wifi Status |
0 Reportedly "carrier sense" (maybe 1 during RX.DTA?) (usually 0)
1 TX.MAIN (RFU.Pin17) Transmit Data Phase (0=No, 1=Active)
2 Unknown (RFU.Pin3) Seems to be always high (Always 1=high?)
3-5 Not used (Always zero)
6 TX.ON (RFU.Pin14) Transmit Preamble+Data Phase (0=No, 1=Active)
Uhhh, no that seems to be still wrong...
Bit6 is often set, even when not transmitting anything...
7 RX.ON (RFU.Pin15) Receive Mode (0=No, 1=Enabled)
8-15 Not used (Always zero)
|
0-3 Current Transmit/Receive State:
0 = Initial Value on power-up (before raising W_MODE_RST.Bit0)
1 = RX Mode enabled (waiting for incoming data)
2 = Switching from RX to TX (takes a few clock cycles)
3 = TX Mode active (sending preamble and data)
4 = Switching from TX to RX (takes a few clock cycles)
5 = Unknown, firmware checks for that value (maybe RX busy)
6 = Unknown, firmware checks for that value (maybe RX busy)
9 = Idle (upon IRQ13, and upon raising W_MODE_RST.Bit0)
----
5 = Receive ACK phase ?
6 =
7 =
8 = Multiplay related ? (when sending through W_TXBUF_CMD ?)
4-15 Always zero?
|
0-11 Halfword address 12-15 Always zero |
| DS Wifi Timers |
0 Counter Enable (0=Disable, 1=Enable) 1-15 Always zero |
0-63 Counter Value in microseconds (incrementing) |
0 Compare Enable (0=Disable, 1=Enable) (IRQ14/IRQ15) 1 Force IRQ14 (0=No, 1=Force Now) (Write-only) 2-15 Always zero |
0 Always zero... firmware writes 1 though (maybe write-only flag?) 1-9 Always zero 10-63 Compare Value in milliseconds (aka microseconds/1024) |
0-15 Decrementing Millisecond Counter (reloaded with W_BEACONINT upon IRQ14) |
0-15 Decrementing Millisecond Counter (reloaded with FFFFh upon IRQ14) |
0-9 Frequency in milliseconds of beacon transmission 10-15 Always zero |
0-15 Pre-Beacon Time in microseconds (static value, ie. NOT decrementing) |
0-7 Decremented by hardware at IRQ14 events (ie. once every beacon) 8-15 Always zero |
0-7 Listen Interval, counted in beacons (usually 02h) 8-15 Always zero |
0-15 Decrementing microsecond counter |
W_IF.Bit13=1 ;interrupt request |
[4808034h]=0002h ;W_INTERNAL ;(similar to W_POWERFORCE=8001h) [480803Ch]=02xxh ;W_POWERSTATE ;(W_TXREQ_READ.Bit4 is kept intact though) [480819Ch]=0046h ;W_RF_PINS.7=0;disable receive (enter idle mode) (RX.ON=Low) [4808214h]=0009h ;W_RF_STATUS=9;indicate idle mode |
W_BEACONCOUNT1=W_BEACONINT ;next IRQ15/IRQ14 (Above is NOT done when IRQ14 was forced via W_US_COMPARECNT.Bit1) |
(Below IS ALSO DONE when IRQ14 was forced via W_US_COMPARECNT.Bit1)
W_IF.Bit14=1
W_BEACONCOUNT2=FFFFh ;about 64 secs (ie. almost never) ;next IRQ13 ("never")
W_TXREQ_READ=W_TXREQ_READ AND FFF2h
if W_TXBUF_BEACON.15 then W_TXBUSY.Bit4=1
if W_LISTENCOUNT=00h then W_LISTENCOUNT=W_LISTENINT
W_LISTENCOUNT=W_LISTENCOUNT-1
|
W_RF_PINS.Bit7=0 ;disable receive (RX.ON=Low) W_RF_STATUS=2 ;indicate switching from RX to TX mode |
W_RF_PINS.Bit6=1 ;transmit preamble start (TX.ON=High) W_RF_STATUS=3 ;indicate TX mode |
W_BEACONCOUNT2 = W_BEACONCOUNT2 + TagDDhSteppingValue ;next IRQ13 |
W_IF.Bit7=1 ;interrupt request W_RF_PINS.Bit1=1 ;start data transfer (preamble finished now) (TX.MAIN=High) |
[TXBUF...] = W_TX_SEQNO*10h ;auto-adjust IEEE Sequence Control W_TX_SEQNO=W_TX_SEQNO+1 ;increase sequence number |
W_RF_PINS.Bit6=0 ;disable TX (TX.ON=Low) W_RF_STATUS=4 ;indicate switching from TX to RX mode |
W_IF.Bit1=1 ;interrupt request W_RF_PINS.Bit1=0 ;disable TX (TX.MAIN=Low) W_RF_PINS.Bit7=1 ;enable RX (RX.ON=High) W_RF_STATUS=1 ;indicate RX mode |
if W_US_COMPARECNT=1 then W_IF.Bit15=1 |
W_RF_PINS.Bit7=1 ;enable RX (RX.ON=High) ;\gets set like so a good while W_RF_STATUS=1 ;indicate RX mode ;/after IRQ15 (but not immediately) |
IRQ15 Pre-Beacon (beacon will be transferred soon) IRQ14 Beacon (beacon will be transferred very soon) (carrier starts) IRQ07 Tx Start (beacon transfer starts) (if enabled in W_TXBUF_BEACON.15) IRQ01 Tx End (beacon transfer done) (if enabled in W_TXSTATCNT.15) IRQ13 Post-Beacon (beacon transferred) (unless next IRQ14 occurs earlier) |
| DS Wifi Multiplay Master |
0 Enable W_CMD_COUNT (0=Disable, 1=Enable) 1-15 Always Zero |
0-15 Decremented once every 10 microseconds (Stopped at 0000h) |
0-15 Duration per ALL slave response packet(s) in microseconds |
0-15 Duration per SINGLE slave response packet in microseconds |
master_time = (master_bytes*4)+(60h) ;60h = 96 decimal = short preamble slave_time = (slave_bytes*4)+(0D0h..0D2h) all_slave_time = (EAh..F0h)+(slave_time+0Ah)*num_slaves txhdr[2] = slave_bits ;hardware header (*) ieee[2] = all_slave_time ;ieee header (duration/id) body[0] = slave_time ;duration per slave (for multiboot/pictochat) body[2] = slave_bits ;frame body -- required (*) [48080C0h] = all_slave_time ; [48080C4h] = slave_time ;duration per slave [4808118h] = (388h+(num_slaves*slave_time)+master_time+32h)/10 [4808090h] = 8000h+master_packet_address ;start transmit |
| DS Wifi Multiplay Slave |
0-11 Halfword address 12-14 Unknown (the bits can be set, ie. they DO exist) 15 Enable |
0-11 Halfword address 12-14 Unknown (the bits can be set, ie. they DO exist) 15 Enable |
| DS Wifi Configuration Ports |
W_CONFIG_140h = firmware[058h]+0202h ;1Mbit/s W_CONFIG_140h = firmware[058h]+0202h-6161h ;2Mbit/s with long preamble W_CONFIG_140h = firmware[058h]+0202h-6161h-6060h ;2Mbit/s with short preamble |
0-7 Decrease RX Length by N halfwords for Non-WEP packets (usually 2) 8-15 Decrease RX Length by N halfwords for WEP packets (usually 6) |
| DS Wifi Baseband Chip (BB) |
0-7 Index (00h-68h) 8-11 Not used (should be zero) 12-15 Direction (5=Write BB_WRITE to Chip, 6=Read from Chip to BB_READ) |
0-7 Data to be sent to chip (by following W_BB_CNT transfer) 8-15 Not used (should be zero) |
0-7 Data received from chip (from previous W_BB_CNT transfer) 8-15 Not used (always zero) |
0 Transfer Busy (0=Ready, 1=Busy) 1-15 Always zero |
0-7 Always zero 8 Unknown (usually 1) (no effect no matter what setting?) 9-13 Always zero 14 Unknown (usually 0) (W_BB_READ gets unstable when set) 15 Always zero |
0-3 Disable whatever (usually 0Dh=disable) 4-14 Always zero 15 Disable W_BB_ports (usually 1=Disable) |
Index Num Dir Expl. 00h 1 R always 6Dh (R) (Chip ID) 01h..0Ch 12 R/W 8bit R/W 0Dh..12h 6 - always 00h 13h..15h 3 R/W 8bit R/W 16h..1Ah 5 - always 00h 1Bh..26h 12 R/W 8bit R/W 27h 1 - always 00h 28h..4Ch R/W 8bit R/W 4Dh 1 R always 00h or BFh (depending on other regs) 4Eh..5Ch R/W 8bit R/W 5Dh 1 R always 01h (R) 5Eh..61h - always 00h 62h..63h 2 R/W 8bit R/W 64h 1 R always FFh or 3Fh (depending on other regs) 65h 1 R/W 8bit R/W 66h 1 - always 00h 67h..68h 2 R/W 8bit R/W 69h..FFh - always 00h |
Addr Initial Meaning
01h 0x9E [unsetting/resetting bit 7 initializes/resets the system?]
02h unknown (firmware is messing with this register)
06h unknown (firmware is messing with this register, too)
13h 0x00 CCA operation - criteria for receiving
0=only use Carrier Sense (CS)
1=only use Energy Detection (ED)
2=receive if CS OR ED
3=receive only if CS AND ED
1Eh 0xBB see change channels flowchart (Ext. Gain when RF[09h].bit16=0)
35h 0x1F Energy Detection (ED) criteria
value 0..61 (representing energy levels of -60dBm to -80dBm)
|
| DS Wifi RF Chip |
0-1 Upper 2bit of 18bit data 2-6 Index (00h..1Fh) (firmware uses only 00h..0Bh) 7 Command (0=Write data, 1=Read data) 8-15 Should be zero (not used with 24bit transfer) |
0-3 Command (5=Write data, 6=Read data) 4-15 Should be zero (not used with 20bit transfer) |
0-15 Lower 16bit of 18bit data |
0-7 Data (to be written to chip) (or being received from chip) 8-15 Index (usually 00h..28h) (index 40h..FFh are mirrors of 00h..3Fh) |
0 Transfer Busy (0=Ready, 1=Busy) 1-15 Always zero |
0-5 Transfer length (init from firmware[041h].Bit0-5) 6-7 Always zero 8 Unknown (init from firmware[041h].Bit7) 9-13 Always zero 14 Unknown (usually 0) 15 Always zero |
| DS Wifi RF9008 Registers |
Firmware Index Data (24bit) (4bit) (18bit) 00C007h = 00h + 0C007h ;-also set to 0C008h for power-down 129C03h = 04h + 29C03h 141728h = 05h + 01728h ;\these are also written when changing channels 1AE8BAh = 06h + 2E8BAh ;/ 1D456Fh = 07h + 1456Fh 23FFFAh = 08h + 3FFFAh 241D30h = 09h + 01D30h ;-bit10..14 should be also changed per channel? """"50h = """ + """50h ;firmware v5 and up uses narrower tx filter 280001h = 0Ah + 00001h 2C0000h = 0Bh + 00000h 069C03h = 01h + 29C03h 080022h = 02h + 00022h 0DFF6Fh = 03h + 1FF6Fh |
17-16 Reserved, program to zero (0) 15-14 Reference Divider Value (0=Div2, 1=Div3, 2=Div44, 3=Div1) 3 Sleep Mode Current (0=Normal, 1=Very Low) 2 RF VCO Regulator Enable (0=Disable, 1=Enable) 1 IF VCO Regulator Enable (0=Disable, 1=Enable) 0 IF VGA Regulator Enable (0=Disable, 1=Enable) |
17 IF PLL Enable (0=Disable, 1=Enable) 16 IF PLL KV Calibration Enable (0=Disable, 1=Enable) 15 IF PLL Coarse Tuning Enable (0=Disable, 1=Enable) 14 IF PLL Loop Filter Select (0=Internal, 1=External) 13 IF PLL Charge Pump Leakage Current (0=Minimum value, 1=2*Minimum value) 12 IF PLL Phase Detector Polarity (0=Positive, 1=Negative) 11 IF PLL Auto Calibration Enable (0=Disable, 1=Enable) 10 IF PLL Lock Detect Enable (0=Disable, 1=Enable) 9 IF PLL Prescaler Modulus (0=4/5 Mode, 1=8/9 Mode) 8-4 Reserved, program to zero (0) 3-0 IF VCO Coarse Tuning Voltage (N=Voltage*16/VDD) |
17-16 Reserved, program to zero (0) 15-0 IF PLL divide-by-N value |
17 Reserved, program to zero (0) 16-8 IF VCO KV Calibration, delta N value (signed) ;DeltaF=(DN/Fr) 7-4 IF VCO Coarse Tuning Default Value 3-0 IF VCO KV Calibration Default Value |
17-10 Same as for RF[01h] (but for RF, not for IF) 9 RF PLL Prescaler Modulus (0=8/9 Mode, 1=8/10 Mode) 8-0 Same as for RF[01h] (but for RF, not for IF) |
17-6 RF PLL Divide By N Value 5-0 RF PLL Numerator Value (Bits 23-18) |
17-0 RF PLL Numerator Value (Bits 17-0) |
17-10 Same as for RF[03h] (but for RF, not for IF) ;and, DN=(deltaF/Fr)*256 |
17-13 VCO1 Warm-up Time ;TVCO1=(approximate warm-up time)*(Fr/32) 12-8 VCO1 Tuning Gain Calibration ;TLOCK1=(approximate lock time)*(Fr/128) 7-3 VCO1 Coarse Tune Calibration Reference ;VALUE=(average time)*(Fr/32) 2-0 Lock Detect Resolution (0..7) |
17 Receiver DC Removal Loop (0=Enable DC Removal Loop, 1=Disable) 16 Internal Variable Gain for VGA (0=Disable/External, 1=Enable/Internal) 15 Internal Variable Gain Source (0=From TXVGC Bits, 1=From Power Control) 14-10 Transmit Variable Gain Select (TXVGC) (0..1Fh = High..low gain) 9-7 Receive Baseband Low Pass Filter (0=Wide Bandwidth, 7=Narrow) 6-4 Transmit Baseband Low Pass Filter (0=Wide Bandwidth, 7=Narrow) 3 Mode Switch (0=Single-ended mode, 1=Differential mode) 2 Input Buffer Enable TX (0=Input Buffer Controlled by TXEN, 1=By BBEN) 1 Internal Bias Enable (0=Disable/External, 1=Enable/Internal) 0 TX Baseband Filters Bypass (0=Not Bypassed, 1=Bypassed) |
17-15 Select MID_BIAS Level (1.6V through 2.6V) 14-9 Desired output power at antenna (N*0.5dBm) 8-3 Power Control loop-variation-adjustment Offset (signed, N*0.5dB) 2-0 Desired delay for using a single TX_PE line (N*0.5us) |
17-12 Desired MAX output power when PABIAS=MAX=2.6V (N*0.5dBm) 11-6 Desired MAX output power when PABIAS=MID_BIAS (N*0.5dBm) 5-0 Desired MAX output power when PABIAS=MIN=1.6V (N*0.5dBm) |
17 IF VCO Band Current Compensation (0=Disable, 1=Enable) 16 RF VCO Band Current Compensation (0=Disable, 1=Enable) 15-0 Reserved, program to zero (0) |
Not used. |
17-0 This is a test register for internal use only. |
Not used. |
17-0 Don't care (writing any value resets the chip) |
| DS Wifi Unknown Registers |
0-15 Unknown (usually zero) |
0-1 Unknown 2-3 Always zero 4-5 Unknown 6-7 Always zero 8 Unknown 9-10 Always zero 11 Unknown 12-15 Always zero |
0-1 Unknown. Firmware writes values 03h, 01h, and VAR. 2-15 Always zero |
0 Unknown (R/W) (if present) 1-15 Not used |
| DS Wifi Unused Registers |
4800000h-4807FFFh Wifi WS0 Region (32K) 4808000h-4808000h Wifi WS1 Region (32K) 4810000h-4FFFFFFh Not used (00h-filled) |
Wifi-WS0-Region Wifi-WS1-Region Content 4800000h-4800FFFh 4808000h-4808FFFh Registers 4801000h-4801FFFh 4809000h-4809FFFh Registers (mirror) 4802000h-4803FFFh 480A000h-480BFFFh Unused 4804000h-4805FFFh 480C000h-480DFFFh Wifi RAM (8K) 4806000h-4806FFFh 480E000h-480EFFFh Registers (mirror) 4807000h-4807FFFh 480F000h-480FFFFh Registers (mirror) |
2030h, 2044h, 2056h, 2080h, 2090h, 2094h, 2098h, 209Ch, 20A0h, 20A4h, 20A8h, 20AAh, 20B0h, 20B6h, 20BAh, 21C0h, 2208h, 2210h, 2244h, 31D0h, 31D2h, 31D4h, 31D6h, 31D8h, 31DAh, 31DCh, 31DEh. |
Read from (W) Mirrors to (NDS) Or to (NDS-Lite) 070h W_TXBUF_WR_DATA 060h W_RXBUF_RD_DATA 074h W_TXBUF_GAP 078h W_INTERNAL 068h W_TXBUF_WR_ADDR 074h W_TXBUF_GAP 0ACh W_TXREQ_RESET 09Ch W_INTERNAL ? (zero) 0AEh W_TXREQ_SET 09Ch W_INTERNAL ? (zero) 0B4h W_TXBUF_RESET 0B6h W_TXBUSY ? (zero) 158h W_BB_CNT 15Ch W_BB_READ ? (zero) 15Ah W_BB_WRITE ? (zero) ? (zero) 178h W_INTERNAL 17Ch W_RF_DATA2 ? (zero) 20Ch W_INTERNAL 09Ch W_INTERNAL ? (zero) 21Ch W_IF_SET 010h W_IF 010h-OR-05Ch-OR-more? 228h W_X_228h ? (zero) ? (zero) 298h W_INTERNAL 084h W_TXBUF_TIM 084h W_TXBUF_TIM 2A8h W_INTERNAL 238h W_INTERNAL 238h W_INTERNAL 2B0h W_INTERNAL 084h W_TXBUF_TIM 084h W_TXBUF_TIM |
| DS Wifi Initialization |
[4000304h].Bit1 = 1 ;POWCNT2 ;-Enable power to the wifi system W_MACADDR = firmware[036h] ;-Set 48bit Mac address reg[012h] = 0000h ;W_IE ;-Disable interrupts |
reg[036h] = 0000h ;W_POWER_US ;\clear all powerdown bits
delay 8 ms ; (works without that killer-delay ?)
reg[168h] = 0000h ;W_BB_POWER ;/
IF firmware[040h]=02h ;\
temp=BB[01h] ; for wifitype=02h only:
BB[01h]=temp AND 7Fh ; reset BB[01h].Bit7, then restore old BB[01h]
BB[01h]=temp ; (that BB setting enables the RF9008 chip)
ENDIF ;/
delay 30 ms ;-(more killer-delay now getting REALLY slow)
call init_sub_functions ;- same as "Init 16 registers by firmware[..]"
; and "Init RF registers", below.
; this or the other one probably not necessary
|
reg[004h] = 0000h - W_MODE_RST ;set hardware mode reg[008h] = 0000h - W_TXSTATCNT ; reg[00Ah] = 0000h - ? W_X_00Ah ;(related to rx filter) reg[012h] = 0000h - W_IE ;disable interrupts (again) reg[010h] = FFFFh - W_IF ;acknowledge/clear any interrupts reg[254h] = 0000h - W_CONFIG_254h ; reg[0B4h] = FFFFh - W_TXBUF_RESET ;--reset all TXBUF_LOC's reg[080h] = 0000h - W_TXBUF_BEACON ;disable automatic beacon transmission reg[02Ah] = 0000h - W_AID_FULL ;\clear AID reg[028h] = 0000h - W_AID_LOW ;/ reg[0E8h] = 0000h - W_US_COUNTCNT ;disable microsecond counter reg[0EAh] = 0000h - W_US_COMPARECNT ;disable microsecond compare reg[0EEh] = 0001h - W_CMD_COUNTCNT ;(is 0001h on reset anyways) reg[0ECh] = 3F03h - W_CONFIG_0ECh ; reg[1A2h] = 0001h - ? ; reg[1A0h] = 0000h - ? ; reg[110h] = 0800h - W_PRE_BEACON ; reg[0BCh] = 0001h - W_PREAMBLE ;disable short preamble reg[0D4h] = 0003h - W_CONFIG_0D4h ; reg[0D8h] = 0004h - W_CONFIG_0D8h ; reg[0DAh] = 0602h - W_RX_LEN_CROP ; reg[076h] = 0000h - W_TXBUF_GAPDISP ;disable gap/skip (offset=zero) |
reg[146h] = firmware[044h] ;W_CONFIG_146h reg[148h] = firmware[046h] ;W_CONFIG_148h reg[14Ah] = firmware[048h] ;W_CONFIG_14Ah reg[14Ch] = firmware[04Ah] ;W_CONFIG_14Ch reg[120h] = firmware[04Ch] ;W_CONFIG_120h reg[122h] = firmware[04Eh] ;W_CONFIG_122h reg[154h] = firmware[050h] ;W_CONFIG_154h reg[144h] = firmware[052h] ;W_CONFIG_144h reg[130h] = firmware[054h] ;W_CONFIG_130h reg[132h] = firmware[056h] ;W_CONFIG_132h reg[140h] = firmware[058h] ;W_CONFIG_140h reg[142h] = firmware[05Ah] ;W_CONFIG_142h reg[038h] = firmware[05Ch] ;W_POWER_TX reg[124h] = firmware[05Eh] ;W_CONFIG_124h reg[128h] = firmware[060h] ;W_CONFIG_128h reg[150h] = firmware[062h] ;W_CONFIG_150h |
numbits = BYTE firmware[041h] ;usually 18h
numbytes = (numbits+7)/8 ;usually 3
reg[0x184] = (numbits+80h) AND 017Fh -- W_RF_CNT
for i=0 to BYTE firmware[042h]-1 ;number of entries (usually 0Ch) (0..0Bh)
if BYTE firmware[040h]=3
RF[i]=firmware[0CEh+i]
else
RF_Write(numbytes at firmware[0CEh+i*numbytes])
endif
|
(this should be not required, already set by firmware bootcode) reg[160h] = 0100h ;W_BB_MODE BB[0..68h] = firmware[64h+(0..68h)] |
copy 6 bytes from firmware[036h] to mac address at 0x04800018 (why again ?) |
reg[02Ch]=0007h ;W_TX_RETRYLIMIT - XXX needs to be set for every transmit? Set channel (see section on changing channels) Set Mode 2 -- sets bottom 3 bits of W_MODE_WEP to 2 Set Wep Mode / key -- Wep mode is bits 3..5 of W_MODE_WEP BB[13h] = 00h ;CCA operation (use only carrier sense, without ED) BB[35h] = 1Fh ;Energy Detection Threshold (ED) |
reg[032h] = 8000h -- W_WEP_CNT ;Enable WEP processing reg[134h] = FFFFh -- W_BEACONCOUNT2;reset post-beacon counter to LONG time reg[028h] = 0000h -- W_AID_LOW ;\clear W_AID value, again?! reg[02Ah] = 0000h -- W_AID_FULL ;/ reg[0E8h] = 0001h -- W_US_COUNTCNT ;enable microsecond counter reg[038h] = 0000h -- W_POWER_TX ;disable transmit power save reg[020h] = 0000h -- W_BSSID_0 ;\ reg[022h] = 0000h -- W_BSSID_1 ; clear BSSID reg[024h] = 0000h -- W_BSSID_2 ;/ |
reg[0AEh] = 000Dh -- W_TXREQ_SET ;flush all pending transmits (uh?) |
reg[030h] = 8000h W_RXCNT ;enable RX system (done again below) reg[050h] = 4C00h W_RXBUF_BEGIN ;(example values) reg[052h] = 5F60h W_RXBUF_END ;(length = 4960 bytes) reg[056h] = 0C00h/2 W_RXBUF_WR_ADDR ;fifo begin latch address reg[05Ah] = 0C00h/2 W_RXBUF_READCSR ;fifo end, same as begin at start. reg[062h] = 5F60h-2 W_RXBUF_GAP ;(set gap<end) (zero should work, too) reg[030h] = 8001h W_RXCNT ;enable, and latch new fifo values to hardware |
reg[030h] = 8000h W_RXCNT enable receive (again?)
reg[010h] = FFFFh W_IF clear interrupt flags
reg[012h] = whatever W_IE set enabled interrupts
reg[1AEh] = 1FFFh W_RXSTAT_OVF_IE desired STAT Overflow interrupts
reg[1AAh] = 0000h W_RXSTAT_INC_IE desired STAT Increase interrupts
reg[0D0h] = 0181h W_RXFILTER set to 0x581 when you successfully connect
to an access point and fill W_BSSID with a mac
address for it. (W_RXFILTER) [not sure on the values
for this yet]
reg[0E0h] = 000Bh -- W_RXFILTER2 ;
reg[008h] = 0000h -- ? W_TXSTATCNT ;(again?)
reg[00Ah] = 0000h -- ? W_X_00Ah ;(related to rx filter) (again?)
reg[004h] = 0001h -- W_MODE_RST ;hardware mode
reg[0E8h] = 0001h -- W_US_COUNTCNT ;enable microsecond counter (again?)
reg[0EAh] = 0001h -- W_US_COMPARECNT ;enable microsecond compare
reg[048h] = 0000h -- W_POWER_? ;[disabling a power saving technique]
reg[038h].Bit1 = 0 -- W_POWER_TX ;[this too]
reg[048h] = 0000h -- W_POWER_? ;[umm, it's done again. necessary?]
reg[0AEh] = 0002h -- W_TXREQ_SET ;
reg[03Ch].Bit1 = 1 -- W_POWERSTATE ;queue enable power (RX power, we believe)
reg[0ACh] = FFFFh -- W_TXREQ_RESET;reset LOC1..3
|
| DS Wifi Flowcharts |
(1) Copy the TX Header followed by the 802.11 packet to send anywhere it
will fit in MAC memory (halfword-aligned)
(2) Take the offset from start of MAC memory that you put the packet,
divide it by 2, and or with 0x8000 - store this in one of the
W_TXBUF_LOC registers
(3) Set W_TX_RETRYLIMIT, to allow your packet to be retried until an ack is
received (set it to 7, or something similar)
(4) Store the bit associated with the W_TXBUF_LOC register you used
into W_TXREQ_SET - this will send the packet.
(5) You can then read the result data in W_TXSTAT when the TX is over
(you can tell either by polling or interrupt) to find out how many
retries were used, and if the packet was ACK'd
|
(1) Calculate the length of the new packet (read "received frame length"
which is +8 bytes from the start of the packet) - total frame length
is (12 + received frame length) padded to a multiple of 4 bytes.
(2) Read the data out of the RX FIFO area (keep in mind it's a circular
buffer and you may have to wrap around the end of the buffer)
(3) Set the value of W_RXBUF_READCSR to the location of the next packet
(add the length of the packet, and wrap around if necessary)
|
RF[firmware[F2h+(ch-1)*6]/40000h] = firmware[F2h+(ch-1)*6] AND 3FFFFh RF[firmware[F5h+(ch-1)*6]/40000h] = firmware[F5h+(ch-1)*6] AND 3FFFFh delay a few milliseconds ;huh? IF RF[09h].bit16=0 ;External Gain (default) BB[1Eh]=firmware[146h+(ch-1)] ;set BB.Gain register ELSEIF RF[09h].bit15=0 ;Internal Gain from TXVGC Bits RF[09h].Bit10..14 = (firmware[154h+(ch-1)] AND 1Fh) ;set RF.TXVGC Bits ENDIF |
num_initial_regs = firmware[042h]
addr=0CEh+num_initial_regs
num_bb_writes = firmware[addr]
num_rf_writes = firmware[43h]
addr=addr+1
for i=1 to num_bb_writes
BB[firmware[addr]] = firmware[addr+ch]
addr=addr+15
next i
for i=1 to num_rf_writes
RF[firmware[addr]] = firmware[addr+ch]
addr=addr+15
next i
|
| DS Wifi Hardware Headers |
Addr Siz Expl.
00h 2 Status - In: Don't care - Out: Status (0000h=Failed, 0001h=Okay)
02h 2 Unknown - In: Don't care
Bit0: Usually zero.
Bit1..15 --------> flags for multiboot slaves number 1..15
(Should be usually zero, except when sending multiplay commands
via W_TXBUF_CMD. In that case, the slave flags should be ALSO
stored in the second halfword of the FRAME BODY. Actually, the
hardware seems to use only that entry (in the BODY), rather than
using this entry (in the hardware header)).
04h 1 Unknown - In: Must be 00h..02h (should be 00h)
(03h..FFh result in error: W_TXSTAT.Bit1 gets set, but
nethertheless header entry[00h] is kept set to 0001h=Okay)
;00h = use W_TX_SEQNO (if enabled in TXBUF_LOCn)
;01h = force NOT to use W_TX_SEQNO (even if it is enabled in LOCn)
;02h = seems to behave same as 01h
05h 1 Unknown - In: Don't care - Out: Set to 00h
06h 2 Unknown - In: Don't care
08h 1 Transfer Rate (0Ah=1Mbit/s, 14h=2Mbit/s) (other values=1MBit/s, too)
09h 1 Unknown - In: Don't care
0Ah 2 Length of IEEE Frame Header+Body+checksum(s) in bytes
(14bits, upper 2bits are unused/don't care)
|
Addr Siz Expl.
00h 2 Flags
Bit0-3: Frame type/subtype:
0 managment/any frame (except beacon and invalid subtypes)
1 managment/beacon frame
5 control/ps-poll frame
8 data/any frame (subtype0..7) (ie. except invalid subtypes)
C,D,E,F unknown (firmware is checking for that values)
---
C firmware uses it for data/cf-poll frame, FromDs (*)
D firmware uses it for data/cf-ack frame, FromDs
E,F firmware uses it for data/cf-ack frame, ToDs
(*) with DA=broadcast
---
Bit4: Seems to be always set
Bit5-7: Seems to be always zero
Bit8: Set when FC.Bit10 is set (more fragments)
Bit9: Set when the lower-4bit of Sequence Control are nonzero,
it is also set when FC.Bit10 is set (more fragments)
So, probably, it is set on fragment-mismatch-errors
Bit10-14: Seems to be always zero
Bit15: Set when Frame Header's BSSID value equals W_BSSID register
02h 2 Unknown (usually 0040h)
04h 2 Time since last packet (eg. when receiving beacons: total random on
first some packets, but later on it gets equal to Beacon Interval)
In other cases, this value is equal to the 1st 2 bytes of the DA ?
[Above time/da effects might be explained by other reason: maybe
this entry is left unchanged, simply containing old WifiRAM value?]
06h 2 Transfer Rate (N*100kbit/s) (ie. 14h for 2Mbit/s)
08h 2 Length of IEEE Frame Header+Body in bytes (excluding FCS checksum)
0Ah 1 MAX RSSI ;\Received Signal Strength Indicator
0Bh 1 MIN RSSI ;/
|
| DS Wifi Nintendo Beacons |
802.11 management frame 802.11 beacon header (Timestamp,BeaconInterval,Capability?) Supported rates (tagged IE, advertises 1 Mbit and 2 Mbit) DS parameter set (tagged IE, note: Distribution System, not Nintendo DS) TIM vector (tagged IE, transmitted as empty) Custom extension (tagged IE, tag DDh, see below) |
Offset Description 00h Nintendo Beacon OUI (00h,09h,BFh,00h) 04h Stepping Offset for 4808134h/W_BEACONCOUNT2 (always 000Ah) 06h Strange Timestamp (W_US_COUNT*2-VCOUNT*7Fh)/128 (0000h for multiboot) 08h 01 00 0Ah 40 00 0Ch 24 00 0Eh 40 00 10h Randomly generated stream code 12h Number of bytes from entry 18h and up (70h for multiboot) (0 if Empty) 13h Beacon Type (0Bh=Multiboot, 01h=Multicart/Pictochat, 09h=Empty) 14h 0100 0008 (some kind of max,min values?) |
18h No data. |
18h Custom data, usually containing the host name, either in 8bit ascii,
or 16bit unicode format. Sometimes taken from Firmware User Settings,
and sometimes from Cartridge Backup Memory.
|
18h Fixed (always 2348h) 1Ah xxxx 1Ch Chatroom number (00h..03h for Chatroom A..D) 1Dh Number of users already connected (01h..10h) (including host) 1Eh Fixed (always 0004h) |
18h 24 00 40 00 (varies from game to game)
1Ch End of advertisement flag (00 for non-end, 02 for end packets)
1Dh Always 00, 01, 02, or 04
1Eh Number of players already connected
1Fh Sequence number (0 .. total_advertisement_length)
20h Checksum (on entries 22h and up)
chksum=0, for i=22h to 86h step 2, chksum=chksum+halfword[i], next i,
chksum=FFFFh AND NOT (chksum+chksum/10000h)
22h Sequence number in non-final packet, # of players in final packet
23h Total advertisement length - 1 (in beacons)
24h Datasize in bytes (2 byte little-endian)
(0062h for seq 0..7, 0048h for seq 8, 0001h for seq 9)
26h Data (always 62h bytes, padded with 00h if Datasize<62h)
|
Offset Size Description 000h 32 Icon Palette (same as for ROM Cartridge Icon) 020h 512 Icon Bitmap (same as for ROM Cartridge Icon) 220h 1 Unknown (0Bh) 221h 1 Length of hosting name ;(probably same as firmware 222h 20 Name of hosting DS (10 UCS-2) ;user name?) 236h 1 Max number of players 237h 1 Unknown (00h) 238h 96 Game name (48 UCS-2) (same as 1st line of ROM Cartridge Title) 298h 192 Description (96 UCS-2) (same as further lines of ROM Cart Title) 358h 64 00's if no users are connected <---WRONG: LEN=1, not 64 398h 0 End of data if no users are connected |
Host A advertises a game in beacon frames as described above Client B sends an authentication request (sequence 1) to A ;\step 1 Host A replies with an ACK ;/ Host A sends an authentication reply (sequence 2) to B ;\step 2 (uh, no ACK here?) ;/ Client B sends an association request ;\step 3 Host A replies with an ACK ;/ Host A sends an association response ;\step 4 Client B replies with an ACK ;/ |
| DS Wifi Nintendo DS Download Play |
Host sends some Pings, client(s) send PongReplies Host sends more Pings, client(s) send UsernameReplies Host sends RSA frame, client(s) send RsaReply Host sends NDS header, client(s) send DataReply Host sends ARM9 binary, client(s) send DataReply Host sends ARM7 binary, client(s) send DataReply Host sends Done message, no reply from client(s) |
03:09:BF:00:00:00 host to client main data flow ;via 4808090h/W_TXBUF_CMD 03:09:BF:00:00:10 client to host replies ;via 4808094h/W_TXBUF_REPLY1 03:09:BF:00:00:03 host to client feedback flow ;acknowledges the replies? |
00h 2 Value for W_CMD_REPLYTIME (0106h) 02h 2 Slave Flags, bit1..15 for slave 1..15 (1=connected) (eg. 0002h) 04h 1 Size in halfwords 05h 1 Flags 06h 1 Command (01h=Ping/NameRequest, 03h=RSA, 04h=DataPacket, 05h=Done) For Command 01h (Ping): ;\ 07h 4 Unused (zerofilled) ; For Command 03h (RSA): ; 07h E0h RSA Signature Frame (see below) ; Payload For Command 04h (Data Packet): ; 07h 1 Unknown (zero) ; 08h 2 Packet Number (0000h and up) ; 0Ah .. Data ; For Command 05h (Done): ; 07h .. Unknown ;/ For all commands (whatever trailing three bytes): xxh 3 Unknown (00h,02h,00h) |
00h 2 Unknown/fixed (8104h) 02h 1 Reply Type (00h=Pong, 07h=Username, 08h=RsaReply, 09h=DataReply) For Reply Type 00h (PongReply): 03h 7 Unused (zerofilled) For Reply Type 07h (UsernameReply): 03h 1 Username fragment (01h..04h) 04h 6 Username Char[0,1,2] ;for fragment 01h 04h 6 Username Char[3,4,5] ;for fragment 02h 04h 6 Username Char[6,7,8] ;for fragment 03h 04h 6 Username Char[9], bytes 01h,00h,00h,00h ;for fragment 04h For Reply Type 08h (RsaReply): 03h 7 Unused (garbage, usually same as Name fragment 02h) For Reply Type 09h (DataReply): 03h 2 Last packet (the packet number being acknowledged) 05h 2 Best packet (the highest continuous packet number seen so far) 07h 3 Unused (zerofilled) |
00h 1 Unknown (random/garbage?) (unknown value... maybe per slave flags?) 01h 3 Unused (zerofilled) |
00h 4 ARM9 execute address 04h 4 ARM7 execute address 08h 4 Zerofilled 0Ch 4 Header destination (temp) 10h 4 Header destination (actual) 14h 4 Header size (160h) 18h 4 Zerofilled 1Ch 4 ARM9 destination address (temp) 20h 4 ARM9 destination address (actual) 24h 4 ARM9 binary size 28h 4 Zerofilled 2Ch 4 ARM7 destination address (temp) (usually 22C0000h in Main RAM) 30h 4 ARM7 destination address (actual) (usually somewhere in WRAM) 34h 4 ARM7 binary size 38h 4 Unknown (00000001h) 3Ch 4 Signature ID (61h,63h,01h,00h) (aka "ac", or backwards "ca") ;\ 40h 80h Signature RSA (RSA signature in OpenPGP SHA1 format) ; C0h 4 Signature Footer ;/ C4h 36 Zerofilled E8h - End of frame payload |
00h 14h SHA1 on Header 14h 14h SHA1 on ARM9 bootcode 28h 14h SHA1 on ARM7 bootcode 3Ch 4 Signature Footer (the four bytes from [C0h]) |
Over the Hedge (download contains a 2D minigame) |
Eragon Lara Croft Tomb Raider Legend Magnetica Metroid Prime Hunters Demo Submarine Tech Demo (and many trailers with non-playable movie clips) |
| DS Wifi IEEE802.11 Frames |
10..30 bytes MAC Header 0..2312 bytes Frame Body (in practice, network MTU is circa 1500 bytes max) 4 bytes Frame Check Sequence (FCS) (aka checksum) |
Size Content 2 Frame Control Field (FC) 2 Duration/ID 6 Address 1 (6) Address 2 (if any) (6) Address 3 (if any) (2) Sequence Control (if any) (6) Address 4 (if any) |
Bit Expl. 0-1 Protocol Version (0=Current, 1..3=Reserved) 2-3 Type (0=Managment, 1=Control, 2=Data, 3=Reserved) 4-7 Subtype (see next chapters) (meaning depends on above Type) 8 To Distribution System (DS) 9 From Distribution System (DS) 10 More Fragments 11 Retry 12 Power Managment (0=Active, 1=STA will enter Power-Safe mode after..) 13 More Data 14 Wired Equivalent Privacy (WEP) Encryption (0=No, 1=Yes) 15 Order |
0000h..7FFFh Duration (0-32767)
8000h Fixed value within frames transmitted during the CFP
(CFP=Contention Free Period)
8001h..BFFFh Reserved
C000h Reserved
C001h..C7D7h Association ID (AID) (1..2007) in PS-Poll frames
C7D8h..FFFFh Reserved
|
0 Group Flag (0=Individual Address, 1=Group Address) 1 Local Flag (0=Universally Administered Address, 1=Locally Administered) 2-23 22bit Manufacturer ID (assigned by IEEE) 24-47 24bit Device ID (assigned by the Manufacturer) |
00 09 BF xx xx xx NDS-Consoles (Original NDS with firmware v1-v5) 00 16 56 xx xx xx NDS-Consoles (Newer NDS-Lite with firmware v6 and up) 00 23 CC xx xx xx DSi-Consoles (Original DSi with early mainboard; nocash) 00 24 1E xx xx xx DSi-Consoles (Another DSi; scanlime) 40 F4 07 xx xx xx DSI Consoles (with DWM-W024; nocash) 03 09 BF 00 00 00 NDS-Multiboot: host to client (main data flow) 03 09 BF 00 00 10 NDS-Multiboot: client to host (replies) 03 09 BF 00 00 03 NDS-Multiboot: host to client (acknowledges replies) FF FF FF FF FF FF Broadcast to all stations (eg. Beacons) |
Bit Expl. 0-3 Fragment Number (0=First (or only) fragment) 4-15 Sequence Number |
3 bytes Initialization Vector (WEP IV) 1 byte Pad (6bit, all zero), Key ID (2bit) 1..? bytes Data (encrypted data) 4 bytes ICV (encrypted CRC32 across Data) |
| DS Wifi IEEE802.11 Managment Frames (Type=0) |
FC(2), Duration(2), DA(6), SA(6), BSSID(6), Sequence Control(2) |
Subtype Frame Body
0 Association request Capability, ListenInterval, SSID, SuppRates
1 Association response Capability, Status, AID, SuppRates
2 Reassociation request Capability, ListenInterval, CurrAP, SSID, SuppRates
3 Reassociation response Capability, Status, AID, SuppRates
4 Probe request SSID, SuppRates
5 Probe response Same as for Beacon (but without TIM)
8 Beacon Timestamp,BeaconInterval,Capability,SSID,SuppRates,
FH Parameter Set (when using Frequency Hopping),
DS Parameter Set (when using Direct Sequence),
CF Parameter Set (when supporting PCF),
IBSS Parameter Set (when in an IBSS),
TIM (when generated by AP)
9 Announcement traffic indication message (ATIM) Body is "null" (=none?)
A Disassociation ReasonCode
B Authentication AuthAlgorithm, AuthSequence, Status, ChallengeText
C Deauthentication ReasonCode
|
Timestamp: value of the TSFTIMER (see 11.1) of a frame's source. Uh? |
Current AP (Access Point): MAC Address of AP with which station is associated |
Capability Information (see list below) Status code (see list below) (0000h=Successful, other=Error code) Reason code (see list below) (Error code) Association ID (AID) (C000h+1..2007) Authentication Algorithm (0=Open System, 1=Shared Key, 2..FFFFh=Reserved) Authentication Transaction Sequence Number (Open System:1-2, Shared Key:1-4) Beacon Interval (Time between beacons, N*1024 us) Listen Interval (see note below) |
ID LEN Expl.
00h 00h-20h SSID Service Set Identity (LEN=0 for broadcast SSID) (ASCII)
01h 01h-08h Supported rates; each (nn AND 7Fh)*500kbit/s, bit7=flag
02h 05h FH (Frequency Hopping) Parameter Set
DwellTime(16bit), HopSet, HopPattern, HopIndex
03h 01h DS (Distribution System) Parameter Set; Channel (01h..0Eh)
04h 06h CF Parameter Set; Count, Period, MaxDuration, RemainDuration
05h 04h..FEh TIM; Count,Period,Control, 1-251 bytes PartialVirtualBitmap
06h 02h IBSS Parameter Set; ATIM Window length (16bit)
07h-0Fh - Reserved
(07h) .. 802.11d Country
(08h) .. 802.11d Hopping Pattern Params
(09h) .. 802.11d Hopping Pattern Table
(0Ah) .. 802.11d Request
10h 02h..FEh Challenge text; 1-253 bytes Authentication data
(Used only for Shared Key sequence no 2,3)
(none such for Open System)
(none such for Shared key sequence no 1,4)
11h-1Fh - Reserved for challenge text extension
20h-FFh - Reserved
(20h) .. 802.11h Power Constraint
(21h) .. 802.11h Power Capability
(22h) .. 802.11h TPC Request (Transmit Power Control)
(23h) .. 802.11h TPC Report
(24h) .. 802.11h Supported Channels
(25h) .. 802.11h Channel Switch Announcement
(26h) .. 802.11h Measurement Request
(27h) .. 802.11h Measurement Report
(28h) .. 802.11h Quiet
(29h) .. 802.11h IBSS DFS
2Ah .. 802.11g ERP Information (spotted in newer beacons)
30h var 802.11i Reserved but used for WPA2 RSNIE <-- officially
32h .. 802.11g Extended Supported Rates (spotted in newer beacons)
DDh var Reserved but used for WPA RSNIE <-- vendor specific
DDh var Reserved but used by Nintendo for NDS-Multiboot beacons
2Dh .. Unknown (spotted in newer beacons)
2Fh .. Unknown (spotted in newer beacons)
3Dh .. Unknown (spotted in newer beacons)
7Fh .. Unknown (spotted in newer beacons)
|
Bit0 ESS Bit1 IBSS Bit2 CF-Pollable Bit3 CF-Poll Request Bit4 Privacy Bit5 Short Preamble (IEEE802.11b only) Bit6 PBCC (IEEE802.11b only) Bit7 Channel Agility (IEEE802.11b only) Bit5-7 Reserved (0) (original IEEE802.11 specs) Bit8-15 Reserved (0) |
... used to indicate to the AP how often an STA wakes to listen to Beacon management frames. The value of this parameter is the STA's Listen Interval parameter of the MLME-Associate. request primitive and is expressed in units of Beacon Interval. |
00h Reserved
01h Unspecified reason
02h Previous authentication no longer valid
03h Deauthenticated because sending station is leaving (or has left) IBSS
or ESS
04h Disassociated due to inactivity
05h Disassociated because AP is unable to handle all currently associated
stations
06h Class 2 frame received from nonauthenticated station
07h Class 3 frame received from nonassociated station
08h Disassociated because sending station is leaving (or has left) BSS
09h Station requesting (re)association is not authenticated with responding
station
0Ah..FFFFh Reserved
|
00h Successful
01h Unspecified failure
02h..09h Reserved
0Ah Cannot support all requested cap's in the Capability Information field
0Bh Reassociation denied due to inability to confirm that association exists
0Ch Association denied due to reason outside the scope of this standard
0Dh Responding station doesn't support the specified authentication algorithm
0Eh Received an Authentication frame with authentication transaction sequence
number out of expected sequence
0Fh Authentication rejected because of challenge failure
10h Authentication rejected due to timeout waiting for next frame in sequence
11h Association denied because AP is unable to handle additional associated
stations
12h Association denied due to requesting station not supporting all of the
data rates in the BSSBasicRateSet parameter
13h Association denied due to requesting station not supporting
the Short Preamble option (IEEE802.11b only)
14h Association denied due to requesting station not supporting
the PBCC Modulation option (IEEE802.11b only)
15h Association denied due to requesting station not supporting
the Channel Agility option (IEEE802.11b only)
13h-15h Reserved (original IEEE802.11 specs)
16h..FFFFh Reserved
|
| DS Wifi IEEE802.11 Control and Data Frames (Type=1 and 2) |
Subtype Frame Header 0-9 Reserved - - - - A Power Save (PS)-Poll FC AID BSSID TA B Request To Send (RTS) FC Duration RA TA C Clear To Send (CTS) FC Duration RA - D Acknowledgment (ACK) FC Duration RA - E Contention-Free (CF)-End FC Duration RA BSSID F CF-End + CF-Ack FC Duration RA BSSID |
FC, Duration/ID, Address 1, Address 2, Address 3, Sequence Control, Address 4 (only on From DS to DS), Frame Body, FCS. |
Frame Control Address 1 Address 2 Address 3 Address 4 From STA to STA DA SA BSSID - From DS to STA DA BSSID SA - From STA to DS BSSID SA DA - From DS to DS RA TA DA SA |
0 Data 1 Data + CF-Ack 2 Data + CF-Poll 3 Data + CF-Ack + CF-Poll 4 Null function (no data) 5 CF-Ack (no data) 6 CF-Poll (no data) 7 CF-Ack + CF-Poll (no data) 8-F Reserved |
| DS Wifi WPA/WPA2 Handshake Messages (EAPOL) |
00h 2 Version/Type (or Type/Version?) (01 03) 02h 2 Length of [04h..end] (005Fh+LEN) ;BIG-ENDIAN 04h 1 Descriptor Type (FEh=WPA, 02h=WPA2) 05h 2 Key Information (flags, see below) ;BIG-ENDIAN 07h 2 Key Length (0=None, 20h=TKIP, 10h=CCMP, 05h/0Dh=WEP) ;BIG-ENDIAN 09h 8 Key Replay Counter (usually 0 or 1 in first message) ;BIG-ENDIAN 11h 32 Key Nonce (ANonce/SNonce) 31h 16 Key Data IV (RC4 uses IV+KEK) (not used for AES-Key-Wrap) 41h 8 Key RSC (TSC/PN) (whatever, for GTK) ;LITTLE-ENDIAN 49h 8 Reserved (zerofilled) 51h 16 Key MIC on [00h..end] (with MIC initially zerofilled) ;HMAC 61h 2 Key Data Length (LEN) (00 nn) ;BIG-ENDIAN 63h LEN Key Data (can be encrypted in certain messages) |
0-2 Key Descriptor Version (1=WPA/MD5/RC4, 2=WPA2/SHA1/AESkeywrap) 3 Key Type (0=Group, 1=Pairwise) 4-5 Reserved (0) or WPA Group Key Index (1 or 2) (zero for WPA2) 6 Install (0=No, 1=Yes, configure temporal key) 7 Key Ack (0=No, 1=Yes, AP wants a reply; with same Key Replay Counter) 8 Key MIC (0=No, 1=Yes, key frame contains MIC) 9 Secure (0=No, 1=Yes, initial key-exchange complete) 10 Error (0=No, 1=Yes, MIC failure and Request=1) 11 Request (0=No, 1=Yes, request AP to invoke a new handshake) 12 Encrypted(0=No, 1=Yes, Key Data is encrypted; via RC4 or AESkeywrap) 13-15 Reserved (0) |
00h 1 Element ID (for WPA: DDh=RSNIE - for WPA2: 30h=RSNIE, DDh=KDE) 01h 1 Element Length of [02h..end] 02h .. Element Data (OUI's etc.) |
EAPOL Descriptor Type values WPA WPA2 Meaning FEh 02h Indicates if ElementIDs and OUIs are WPA or WPA2 EAPOL Key Information flags/values 0089h 008Ah Handshake #1 ;\ 0109h 010Ah Handshake #2 ; 4-way Handshake 01C9h 13CAh Handshake #3 ; 0109h(again) 030Ah Handshake #4 ;/ 0391h/03A1h 1382h Handshake #5 ;\Group Key Handshake 0311h/0321h 0302h Handshake #6 ;/ EAPOL Key Data Element IDs DDh 30h Element ID for RSNIE (Robust Network Security info) - DDh Element ID for KDE (Key Data Encapsulation) - DDh Element ID for padding (followed by 00h-bytes) RSNIE Prefix OUI's (WPA only): 00-50-F2-01 - Element Vendor OUI for RSNIE RSNIE Group Cipher suite selector OUI's (aka Multicast): 00-50-F2-01 00-0F-AC-01 RSNIE Group Cipher WEP-40 (default for US/NSA) 00-50-F2-02 00-0F-AC-02 RSNIE Group Cipher TKIP (default for WPA) 00-50-F2-04 00-0F-AC-04 RSNIE Group Cipher CCMP (default for WPA2) 00-50-F2-05 00-0F-AC-05 RSNIE Group Cipher WEP-104 (default for WEP) RSNIE Pairwise Cipher suite selector OUI's (aka Unicast): 00-50-F2-00 00-0F-AC-00 RSNIE Pairwise Cipher None (WEP, Group Cipher only) 00-50-F2-02 00-0F-AC-02 RSNIE Pairwise Cipher TKIP (default for WPA) 00-50-F2-04 00-0F-AC-04 RSNIE Pairwise Cipher CCMP (default for WPA2) RSNIE Authentication AKM suite selector OUI's : 00-50-F2-01 00-0F-AC-01 RSNIE Authentication over IEEE 802.1X (radius?) 00-50-F2-02 00-0F-AC-02 RSNIE Authentication over PSK (default/home use) KDE Key Data Encapsulation OUI's (WPA2 only): - 00-0F-AC-01 KDE GTK (followed by 2+N bytes) - 00-0F-AC-02 KDE STAKey (followed by 2+6+N bytes) - 00-0F-AC-03 KDE MAC address (followed by 6 bytes) - 00-0F-AC-04 KDE PMKID (followed by 16 bytes) |
WPA2 RSNIE (Robust Network Security Information Element): 00h 1 Element ID (30h=RSNIE for WPA2) 01h 1 Element Len of [02h..end] (usually 14h) 02h 2 RSNIE Version 1 (01 00) ;WHATEVER-ENDIAN? 04h 4 RSNIE Group Cipher Suite OUI (CCMP) (00 0F AC 04) 08h 2 RSNIE Pairwise Cipher Suite Count (1) (01 00) ;LITTLE-ENDIAN 0Ah 4 RSNIE Pairwise Cipher Suite OUI (CCMP) (00 0F AC 04) 0Eh 2 RSNIE Authentication Count (1) (01 00) ;LITTLE-ENDIAN 10h 4 RSNIE Authentication OUI (PSK) (00 0F AC 02) 14h 2 RSNIE Capabilities (00 00) ;LITTLE-ENDIAN? 16h (2) RSNIE Optional PMKID Count ;\usually none such ;LITTLE-ENDIAN 18h (16)RSNIE Optional PMKID's ;/ WPA RSNIE (Robust Network Security Information Element): 00h 1 Element ID (DDh=Vendor/RSNIE for WPA) 01h 1 Element Len of [02h..end] (usually 16h or 18h) 02h 4 Element Vendor OUI for RSNIE (00 50 F2 01) ;<-- WPA only 06h 2 RSNIE Version value? (1) (01 00) ;WHATEVER-ENDIAN? 08h 4 RSNIE Mcast OUI (TKIP) (00 50 F2 02) 0Ch 2 RSNIE Ucast Count (1) (01 00) ;LITTLE-ENDIAN 0Eh 4 RSNIE Ucast OUI (TKIP) (00 50 F2 02) 12h 2 RSNIE Auth AKM Count (1) (01 00) ;LITTLE-ENDIAN 14h 4 RSNIE Auth AKM OUI (PSK) (00 50 F2 02) 18h (2) RSNIE Capabilities maybe? (00 00) ;LITTLE-ENDIAN? RSN Capabilities flags (usually 0000h) (also spotted: 0C 00): 0 RSN Pre-Auth capabilities 1 RSN No Pairwise capabilities 2-3 RSN PTKSA Replay Counters (0..3 = 1,2,4,16 replay counters) 4-5 RSN GTKSA Replay Counters (0..3 = 1,2,4,16 replay counters) 6 Managment Frame Protection Required 7 Managment Frame Protection Capable 8 Joint Multi-band RSNA 9 PeerKey Enabled 10 SPP A-MSDU Capable 11 SPP A-MSDU Required 12 PBAC 13 Ext Key ID for Unicast 14-15 Reserved (0) |
WPA2 KDE GTK (Key Data Encapsulation for Group Key, in encrypted Key Data): 00h 1 Element ID (DDh=KDE for WPA2) 01h 1 Element Len (16h) 02h 4 KDE OUI GTK (00-0F-AC-01) (occurs in message 3/5) 06h 1 KDE GTK Key ID (01h or 02h) ;bit2: Tx ? 07h 1 KDE GTK Reserved (00h) 08h 16 KDE GTK Key GTK (for Key ID from above byte [06h]) WPA2 KDE PKMID (Key Data Encapsulation for PKMID) (optional, not needed): 00h 1 Element ID (DDh=KDE for WPA2) 01h 1 Element Len (14h) 02h 4 KDE OUI PMKID (00-0F-AC-04) (optionally occurs in message 1) 06h 16 KDE PMKID (useless checksum on PMK, sometimes exposed in message 1) WPA2 KDE Padding (for padding Key Data to Nx8 bytes for AES-Key-wrap): 00h 1 Element ID (DDh=KDE for WPA2) 01h 0-6 Padding (00h) (aka Element Len=00h) WPA GTK (raw Group Key; without Element ID or KDE-style encapsulation): 00h 16 Key GTK (for Key ID from Key Information bit4-5) (in message 5) |
| DS Wifi WPA/WPA2 Keys and MICs |
PSK Preshared Key (based on password and SSID) PMK Pairwise Master Key (same as PSK) PTK Pairwise Transient Key (based on PMK, AA, SPA, ANonce, SNonce) KCK EAPOL Key Confirmation Key (PTK.bit0..127) ;for handshake MIC's KEK EAPOL Key Encryption Key (PTK.bit128..255) ;for handshake Key Data TK Temporal Key (TKIP:PTK.bit256..511, CCMP:PTK.bit256..383) GMK Group Master Key (don't care, used only internally by the access point) GTK Group Transient Key (for multicast/broadcast) (based on GMK, AA, GNonce) |
password ASCII password for the Wifi network SSID ASCII name of access point AA MAC address of access point (BSSID) SPA MAC address of DSi console Anonce Random number from access point (handshake message #1 and #3) Snonce Random number from console (handshake message #2) Gnonce Random number internally used by access point (don't care) |
MIC Message Integrity Code, checksum on EAPOL messages PMKID PMK ID, checksum on PMK and AA, SPA (optional, don't care) |
for i=0 to (dstlen-1)/14
call SHA1HMAC(src,srclen, key,keylen, tmpdst)
tmpsum[0..13] = tmpdst[0..13]
for j=1 to numrounds-1 ;only if numrounds>1
tmpsrc[0..13] = tmpdst[0..13], tmpsrclen=14
call SHA1HMAC(tmpsrc,tmpsrclen, key,keylen, tmpdst)
tmpsum[0..13] = tmpsum[0..13] XOR tmpdst[0..13]
next j
src[srclen-1] = src[srclen-1] + 01h ;increase last byte of src
len=min(14,(dstlen-i*14))
dst[i*14+(0..(len-1))] = tmpsum[0..(len-1)]
next i
src[srclen-1] = src[srclen-1] - (dstlen+13)/14 ;undo increments, if desired
|
key = password, keylen = len(password) ;ASCII string src = ssid + bytes(00h,00h,00h,01h), srclen = len(ssid)+4 ;ASCII string dst = PSK, dstlen = 32, numrounds=4096 call PRF(key,keylen, src,srclen, dst,dstlen, numrounds) PMK=PSK |
src[0..21] = "Pairwise key expansion" src[22] = byte(00h) src[23..28] = min(AA,SPA) ;\MAC addresses (AA=BSSID, SPA=console) src[29..34] = max(AA,SPA) ;/ src[35..66] = min(ANonce,SNonce) ;\nonces from 4-way handshake message 1+2 src[67..98] = max(ANonce,SNonce) ;/ src[99] = byte(00h) srclen = 22+1+6+6+32+32+1 = 100 key=PSK, keylen=32, numrounds=1 dst=PTK, dstlen=64 ;WPA needs dstlen=64 (WPA2 would also work with len=48) call PRF(key,keylen, src,srclen, dst,dstlen, numrounds) KCK = PTK[00h..0Fh] ;-for EAPOL handshake MIC checksums KEK = PTK[10h..1Fh] ;-for EAPOL handshake Key Data decryption TK.key = PTK[20h..2Fh] ;-for data packets TX.tx = PTK[30h..37h] ;\needed for WPA/TKIP only (not WPA2/AES) TX.rx = PTK[38h..3Fh] ;/ TK.keyindex = 0 |
GTK.key = GTK[00h..0Fh] ;-for data packets GTX.tx = GTK[10h..17h] ;\needed for WPA/TKIP only (not WPA2/AES) GTX.rx = GTK[18h..1Fh] ;/ GTK.keyindex = 1 or 2 ;WPA: from EAPOL Key Information bit4-5 GTK.keyindex = 1 or 2 ;WPA2: from EAPOL Key Data KDE entry |
oldmic = EAPOL[51h..60h] EAPOL[51h..60h] = zerofill src=EAPOL, srclen=EAPOL[02h]*100h+EAPOL[03h] key=KCK, keylen=16 if (EAPOL[06h] AND 07h)=1 then call MD5HMAC(src,srclen, key,keylen, dst) if (EAPOL[06h] AND 07h)=2 then call SHA1HMAC(src,srclen, key,keylen, dst) newmic = dst[0..0Fh] ;16-byte MD5 result, or first 16byte of SHA1 result EAPOL[51h..60h] = newmic if newmic <> oldmic then error ;when verifying MIC |
key=PMK, keylen=32 src[0..7] = "PMK Name" src[8..13] = AA ;aka MAC address of access point (BSSID) src[14..19] = SPA ;aka MAC address of console srclen = 8+6+6 = 20 call SHA1HMAC(src,srclen, key,keylen, dst) PMKID = dst[0..0Fh] ;first 16byte of SHA1 result |
src[0..18] = "Group key expansion" src[19] = byte(00h) src[20..25] = AA ;MAC address (AA=BSSID) src[26..57] = GNonce ;whaever random/timer/index src[58] = byte(00h) srclen = 19+1+6+32+1 = 59 key=GMK, keylen=32, numrounds=1 ;whatever random key dst=GTK, dstlen=32 call PRF(key,keylen, src,srclen, dst,dstlen, numrounds) |
| DS Wifi WPA/WPA2 Encryption |
Encrypt/Decrypt WPA/WEP packets --> RC4 (Rivest Cipher 4 aka ARC4) Encrypt/Decrypt WPA EAPOL key data --> RC4 (Rivest Cipher 4 aka ARC4) Encrypt/Decrypt WPA2 EAPOL key data --> AES-Key-Wrap/Unwrap Encrypt/Decrypt WPA2 packets --> AES-CCMP (AES-CTR-with-CBC-MAC) |
RC4(src,dst,len,preskip,key,keylen):
for i=0 to FFh, sbox[i]=i, next i ;-clear sbox
j=0 ;\
for i=0 to FFh ;
j=(j+sbox[i]+key[i mod keylen]) and FFh ; apply key
swap(sbox[i],sbox[j] ;
next i ;/
i=0, j=0
for k=1 to preskip+len
i=(i+1) and FFh, j=(j+sbox[i]) and FFh, swap(sbox[i],sbox[j])
if preskip>0 then preskip=preskip-1
else [dst]=[src] xor sbox[(sbox[i]+sbox[j]) and FFh], dst=dst+1, src=src+1
next k
parameters for WEP/WPA packets (done by hardware):
key=iv(3)+password(5/13), keylen=3+5/13 ;WEP Key=WEP.IV+Password
key=iv(3)+from PTK???, keylen=3+??? ;WPA Key=WEP.IV+???
src=data(n)+icv(4), srclen=n+4 ;src, for WEP
src=data(n)+mic(8)+icv(4), srclen=n+8+4 ;src, for WPA
preskip=0
parameters for WPA EAPOL key data (requires software implementation):
key=EAPOL[31h..40h]+KEK[00h..0Fh], keylen=10h+10h ;Key = EAPOL Key IV + KEK
src=EAPOL+63h, srclen=bigendian(EAPOL[61h]) ;src, for WPA
preskip=100h
|
AES-Key-Wrap/Unwrap(src,dst,len,key,keylen,mode) (for WPA2 EAPOL Key Data)
if (len and 7)<>0 then error ;must be multiple of 8 ;-verify len
aes_setkey(mode,key,keylen) ;-init key
if mode=ENCRYPT and [src+00h..07h]<>A6A6A6A6A6A6A6A6h then error ;-verify IV
if mode=ENCRYPT then org=dst+8, count=1 ;-for wrap
if mode=DECRYPT then org=dst+len-8, count=((len-8)/8)*6 ;-for unwrap
[dst+0..len-1] = [src+0..len-1] ;copy IV+DATA to dst
[tmp+00h..07h] = [dst+00h..07h] ;read IV from dst+0
for i=1 to 6
ptr=org
for j=1 to (len-8)/8
[tmp+08h..0Fh] = [ptr+00h..07h] ;read DATA from dst+index
if mode=ENCRYPT then aes_crypt_block(ENCRYPT,tmp,tmp) ;encrypt tmp
[tmp+07h]=[tmp+07h] xor count ;adjust byte[7]
if mode=DECRYPT then aes_crypt_block(DECRYPT,tmp,tmp) ;decrypt tmp
[ptr+00h..07h] = [tmp+08h..0Fh] ;writeback DATA to dst+index
if mode=ENCRYPT then ptr=ptr+8, count=count+1
if mode=DECRYPT then ptr=ptr-8, count=count-1
next j
next i
[dst+00h..07h] = [tmp+00h..07h] ;writeback IV to dst+0
if mode=DECRYPT and [dst+00h..07h]<>A6A6A6A6A6A6A6A6h then error ;-verify IV
Parameters for Wrap/Unwrap:
mode=ENCRYPT ;<-- for Wrap (encrypt, used by access points)
mode=DECRYPT ;<-- for Unwrap (decrypt, used by clients)
key=KEK, keylen=10h bytes (128bit)
src=EAPOL+63h, srclen=bigendian(EAPOL[61h])
|
.. MAC Header ;-Normal Header 1 TSC1 ;\ WEPSeed[1]=(TSC1 OR 20h) AND 7Fh 1 WEPSeed[1] ; WEP IV and Flags 1 TSC0 (LSB) ; (Flags: bit0-4=Rsvd, bit5=ExtIV, bit6-7=KeyID) 1 Flags ;/ (bit5: 0=No/WEP, 1=Yes/TKIP) 1 TSC2 ;\ 1 TSC3 ; WPA Extended IV 1 TSC4 ; 1 TSC5 (MSB) ;/ .. Data ;-Normal Data ;\ 8 MIC ;-WPA MIC "Michael" ; encrypted area 4 ICV ;-WEP ICV ;/ 4 FCS ;-Normal FCS |
.. MAC Header ;-Normal Header 1 PN0 (LSB) ;\ 1 PN1 ; CCMP Header (IV and Flags) 1 Rsvd ; (Flags: bit0-4=Rsvd, bit5=ExtIV, bit6-7=KeyID) 1 Flags ; (bit5: 0=No/WEP, 1=Yes/TKIP) 1 PN2 ; 1 PN3 ; 1 PN4 ; 1 PN5 (MSB) ;/ .. Data ;-Normal Data ;\encrypted area 8 MIC ;-CCMP MIC "AES MAC?" ;/ 4 FCS ;-Normal FCS |
6 DA 6 SA 1 Priority (0) (reserved for future) 3 Zero (0) (also reserved for future) .. Data 8 MIC (M0..M7) (aka L0..L3, R0..R3) |
TTAK = Phase1 (TK, TA, TSC) WEP seed = Phase2 (TTAK, TK, TSC) |
| DS Xboo |
Console Pin/Names Parallel Port Pin/Names RFU.9 FMW.1 D ---|>|--- DSUB.14 CNTR.14 AutoLF RFU.6 FMW.2 C ---|>|--- DSUB.1 CNTR.1 Strobe RFU.10 FMW.3 /RES ---|>|--- DSUB.16 CNTR.31 Init RFU.7 FMW.4 /S ---|>|--- DSUB.17 CNTR.36 Select RFU.5 FMW.5 /W --. SL1A - - N.C. RFU.28 FMW.6 VCC __| SL1B - - N.C. RFU.2,12 FMW.7 VSS --------- DSUB.18-25 CNTR.19-30 Ground RFU.8 FMW.8 Q --------- DSUB.11 CNTR.11 Busy P00 Joypad-A ---|>|--- DSUB.2 CNTR.2 D0 P01 Joypad-B ---|>|--- DSUB.3 CNTR.3 D1 P02 Joypad-Select ---|>|--- DSUB.4 CNTR.4 D2 P03 Joypad-Start ---|>|--- DSUB.5 CNTR.5 D3 P04 Joypad-Right ---|>|--- DSUB.6 CNTR.6 D4 P05 Joypad-Left ---|>|--- DSUB.7 CNTR.7 D5 P06 Joypad-Up ---|>|--- DSUB.8 CNTR.8 D6 P07 Joypad-Down ---|>|--- DSUB.9 CNTR.9 D7 RTC.1 INT aka SI --------- DSUB.10 CNTR.10 /Ack |
http://problemkaputt.de/nds-pins.gif (GIF-Image, 7.5KBytes) |
| DSi Reference |
| DSi Basic Differences to NDS |
4004020h - SCFG_WL 4004C04h - GPIO_WIFI BPTWL[30h] - Wifi LED related (also needed to enable Atheros Wifi SDIO) |
| DSi I/O Map |
0000000h 64Kbyte ARM7 BIOS (unlike NDS which had only 16KB) 2000000h 16MByte Main RAM (unlike NDS which had only 4MB) 3000000h 800Kbyte Shared RAM (unlike NDS which had only 32KB) 4004000h New DSi I/O Ports 8000000h Fake GBA Slot (32MB+64KB) (FFh-filled; when mapped to current CPU) C000000h Mirror of 16Mbyte Main RAM D000000h Open Bus? in retail version, Extra 16Mbyte MainRAM in debug version FFFF000h 64Kbyte ARM9 BIOS (unlike NDS which had only 4KB) |
4000004h 2 DISPSTAT (new Bit6, LCD Initialization Ready Flag) 4000204h 2 EXMEMCNT (removed Bit0-7, ie. the GBA-slot related bits) 4000210h 4 IE (new interrupt sources, removed GBA-slot IRQ) 4000214h 4 IF (new interrupt sources, removed GBA-slot IRQ) 40021A0h 4 Unknown, nonzero, probably same/silimar as on DSi7 side 40021A4h 4 Unknown, zero, probably same/silimar as on DSi7 side 40021A8h .. 40021Bxh .. 4102010h 4 |
4004000h 2 SCFG_A9ROM DSi - NDS9 - ROM Status (R) [0000h] 4004004h 2 SCFG_CLK DSi - NDS9 - New Block Clock Control (R/W) 4004006h 2 SCFG_RST DSi - NDS9 - New Block Reset (R/W) 4004008h 4 SCFG_EXT DSi - NDS9 - Extended Features (R/W) 4004010h 2 SCFG_MC Memory Card Interface Status (16bit) (undocumented) |
4004040h 4 MBK1 WRAM-A Slots for Bank 0,1,2,3 ;\Global ARM7+ARM9 4004044h 4 MBK2 WRAM-B Slots for Bank 0,1,2,3 ; Slot Mapping 4004048h 4 MBK3 WRAM-B Slots for Bank 4,5,6,7 ; (R or R/W, depending 400404Ch 4 MBK4 WRAM-C Slots for Bank 0,1,2,3 ; on MBK9 setting) 4004050h 4 MBK5 WRAM-C Slots for Bank 4,5,6,7 ;/ 4004054h 4 MBK6 WRAM-A Address Range ;\Local ARM9 Side 4004058h 4 MBK7 WRAM-B Address Range ; (R/W) 400405Ch 4 MBK8 WRAM-C Address Range ;/ 4004060h 4 MBK9 WRAM-A/B/C Slot Write Protect (R) |
4004100h 4 NDMAGCNT NewDMA Global Control ;-Control 4004104h 4 NDMA0SAD NewDMA0 Source Address ;\ 4004108h 4 NDMA0DAD NewDMA0 Destination Address ; 400410Ch 4 NDMA0TCNT NewDMA0 Total Length for Repeats ; NewDMA0 4004110h 4 NDMA0WCNT NewDMA0 Logical Block Size ; 4004114h 4 NDMA0BCNT NewDMA0 Block Transfer Timing/Interval ; 4004118h 4 NDMA0FDATA NewDMA0 Fill Data ; 400411Ch 4 NDMA0CNT NewDMA0 Control ;/ 4004120h 4 NDMA1SAD ;\ 4004124h 4 NDMA1DAD ; 4004128h 4 NDMA1TCNT ; NewDMA1 400412Ch 4 NDMA1WCNT ; 4004130h 4 NDMA1BCNT ; 4004134h 4 NDMA1FDATA ; 4004138h 4 NDMA1CNT ;/ 400413Ch 4 NDMA2SAD ;\ 4004140h 4 NDMA2DAD ; 4004144h 4 NDMA2TCNT ; NewDMA2 4004148h 4 NDMA2WCNT ; 400414Ch 4 NDMA2BCNT ; 4004150h 4 NDMA2FDATA ; 4004154h 4 NDMA2CNT ;/ 4004158h 4 NDMA3SAD ;\ 400415Ch 4 NDMA3DAD ; 4004160h 4 NDMA3TCNT ; NewDMA3 4004164h 4 NDMA3WCNT ; 4004168h 4 NDMA3BCNT ; 400416Ch 4 NDMA3FDATA ; 4004170h 4 NDMA3CNT ;/ |
4004200h 2 CAM_MCNT Camera Module Control (16bit) 4004202h 2 CAM_CNT Camera Control (16bit) 4004204h 4 CAM_DAT Camera Data (32bit) 4004210h 4 CAM_SOFS Camera Trimming Starting Position Setting (32bit) 4004214h 4 CAM_EOFS Camera Trimming Ending Position Setting (32bit) |
4004300h 2 DSP_PDATA DSP Transfer Data (16bit) 4004304h 2 DSP_PADR DSP Transfer Address (16bit) 4004308h 2 DSP_PCFG DSP Configuration (16bit) 400430Ch 2 DSP_PSTS DSP Status (16bit) 4004310h 2 DSP_PSEM DSP ARM9-to-DSP Semaphore (16bit) 4004314h 2 DSP_PMASK DSP DSP-to-ARM9 Semaphore Mask (16bit) 4004318h 2 DSP_PCLEAR DSP DSP-to-ARM9 Semaphore Clear (W) (16bit) 400431Ch 2 DSP_SEM DSP DSP-to-ARM9 Semaphore Data (16bit) 4004320h 2 DSP_CMD0 DSP Command Register 0 (16bit) 4004324h 2 DSP_REP0 DSP Reply Register 0 (16bit) 4004328h 2 DSP_CMD1 DSP Command Register 1 (16bit) 400432Ch 2 DSP_REP1 DSP Reply Register 1 (16bit) 4004330h 2 DSP_CMD2 DSP Command Register 2 (16bit) 4004334h 2 DSP_REP2 DSP Reply Register 2 (16bit) 4004340h 40h Unknown (looks like mirror of 4004300h..400433Fh) 4004380h 40h Unknown (looks like mirror of 4004300h..400433Fh) 40043C0h 40h Unknown (looks like mirror of 4004300h..400433Fh) |
4000004h 2 DISPSTAT (new Bit6, LCD Initialization Ready Flag) (as DSi9?) 4000204h 2 EXMEMCNT (removed Bit0-7: GBA-slot related bits) (as DSi9?) 4000210h 4 IE (new interrupt sources, removed GBA-slot IRQ) 4000214h 4 IF (new interrupt sources, removed GBA-slot IRQ) 4000218h IE2 (new register with more new interrupt sources) 400021Ch IF2 (new register with more new interrupt sources) |
40021A0h 4 Unknown, nonzero, probably related to below 40021A4h 40021A4h 4 Unknown, related to 40001A4h (Gamecard Bus ROMCTRL) 40021A8h .. 40021Bxh .. 4102010h 4 |
4004000h 1 SCFG_A9ROM used by BIOS and SystemFlaw (bit0,1) 4004001h 1 SCFG_A7ROM used by BIOS and SystemFlaw (bit0,1,2) 4004004h 2 SCFG_CLK7 used by SystemFlaw 4004006h 2 SCFG_JTAG Debugger Control 4004008h 4 SCFG_EXT7 used by SystemFlaw 4004010h 2 SCFG_MC Memory Card Interface Control (R/W) 4004012h 2 SCFG_1988H Unknown, there is something (?) (SysMenu: 1988h) 4004014h 2 SCFG_264CH Unknown, there is something (?) (SysMenu: 264Ch) 4004020h 2 SCFG_WL Wireless Disable ;bit0 = wifi? 4004024h 2 SCFG_OP Debugger Type (R) ;bit0-1 = (0=retail, ?=debug) |
4004040h 4 MBK1 WRAM-A Slots for Bank 0,1,2,3 ;\ 4004044h 4 MBK2 WRAM-B Slots for Bank 0,1,2,3 ; Global ARM7+ARM9 4004048h 4 MBK3 WRAM-B Slots for Bank 4,5,6,7 ; Slot Mapping (R) 400404Ch 4 MBK4 WRAM-C Slots for Bank 0,1,2,3 ; (set on ARM9 side) 4004050h 4 MBK5 WRAM-C Slots for Bank 4,5,6,7 ;/ 4004054h 4 MBK6 WRAM-A Address Range ;\Local ARM7 Side 4004058h 4 MBK7 WRAM-B Address Range ; (R/W) 400405Ch 4 MBK8 WRAM-C Address Range ;/ 4004060h 4 MBK9 WRAM-A/B/C Slot Write Protect (R/W) |
4004100h 74h NewDMA (new DMA, as on ARM9i, see there) |
4004400h 4 AES_CNT (R/W) 4004404h 4 AES_BLKCNT (W) 4004408h 4 AES_WRFIFO (W) 400440Ch 4 AES_RDFIFO (R) 4004420h 16 AES_IV (W) 4004430h 16 AES_MAC (W) 4004440h 48 AES_KEY0 (W) ;used for modcrypt 4004470h 48 AES_KEY1 (W) ;used for ? 40044A0h 48 AES_KEY2 (W) ;used for JPEG signatures 40044D0h 48 AES_KEY3 (W) ;used for eMMC sectors |
4004500h 1 I2C_DATA 4004501h 1 I2C_CNT |
4004600h 2 MIC_CNT ? 4004604h 4 MIC_DATA ? |
4004700h 2 SNDEXCNT <-- can be read even in DS mode! |
4004800h 2 SD_CMD Command and Response/Data Type 4004802h 2 SD_CARD_PORT_SELECT (SD/MMC:020Fh, SDIO:010Fh) 4004804h 4 SD_CMD_PARAM0-1 Argument (32bit, 2 halfwords) 4004808h 2 SD_STOP_INTERNAL_ACTION 400480Ah 2 SD_DATA16_BLK_COUNT "Transfer Block Count" 400480Ch 16 SD_RESPONSE0-7 (128bit, 8 halfwords) 400481Ch 4 SD_IRQ_STATUS0-1 ;IRQ Status (0=ack, 1=req) 4004820h 4 SD_IRQ_MASK0-1 ;IRQ Disable (0=enable, 1=disable) 4004824h 2 SD_CARD_CLK_CTL Card Clock Control 4004826h 2 SD_DATA16_BLK_LEN Memory Card Transfer Data Length 4004828h 2 SD_CARD_OPTION Memory Card Option Setup (can be C0FFh) 400482Ah 2 Fixed always zero? 400482Ch 4 SD_ERROR_DETAIL_STATUS0-1 Error Detail Status 4004830h 2 SD_DATA16_FIFO Data Port (SD_FIFO?) 4004832h 2 Fixed always zero? ;(TC6371AF:BUF1 Data MSBs?) 4004834h 2 SD_CARD_IRQ_CTL ;(SD_TRANSACTION_CTL) 4004836h 2 SD_CARD_IRQ_STAT ;(SD_CARD_INTERRUPT_CONTROL) 4004838h 2 SD_CARD_IRQ_MASK ;(SDCTL_CLK_AND_WAIT_CTL) 400483Ah 2 Fixed always zero? ;(SDCTL_SDIO_HOST_INFORMATION) 400483Ch 2 Fixed always zero? ;(SDCTL_ERROR_CONTROL) 400483Eh 2 Fixed always zero? ;(TC6387XB: LED_CONTROL) 4004840h 2 Fixed always 003Fh? 4004842h 2 Fixed always 002Ah? 4004844h 6Eh Fixed always zerofilled? 40048B2h 2 Fixed always FFFFh? 40048B4h 6 Fixed always zerofilled? 40048BAh 2 Fixed always 0200h? 40048BCh 1Ch Fixed always zerofilled? 40048D8h 2 SD_DATA_CTL 40048DAh 6 Fixed always zerofilled? 40048E0h 2 SD_SOFT_RESET Software Reset (bit0=SRST=0=reset) 40048E2h 2 Fixed always 0009h? ;(RESERVED2/9, TC6371AF:CORE_REV) 40048E4h 2 Fixed always zero? 40048E6h 2 Fixed always zero? ;(RESERVED3, TC6371AF:BUF_ADR) 40048E8h 2 Fixed always zero? ;(TC6371AF:Resp_Header) 40048EAh 6 Fixed always zerofilled? 40048F0h 2 Fixed always zero? ;(RESERVED10) 40048F2h 2 ? Can be 0003h 40048F4h 2 ? Can be 0770h 40048F6h 2 SD_WRPROTECT_2 (R) ;Write protect for eMMC (RESERVED4) 40048F8h 4 SD_EXT_IRQ_STAT0-1 ;Insert/eject for eMMC (RESERVED5-6) 40048FCh 4 SD_EXT_IRQ_MASK0-1 ;(TC6371AF:Revision) (RESERVED7-8) 4004900h 2 SD_DATA32_IRQ 4004902h 2 Fixed always zero? 4004904h 2 SD_DATA32_BLK_LEN 4004906h 2 Fixed always zero? 4004908h 2 SD_DATA32_BLK_COUNT 400490Ah 2 Fixed always zero? 400490Ch 4 SD_DATA32_FIFO 4004910h F0h Fixed always zerofilled? |
4004A00h 512 SDIO_xxx (same as SD_xxx at 4004800h..40049FFh, see there) 4004A02h 2 SDIO_CARD_PORT_SELECT (slightly different than 4004802h) |
4004C00h 1 GPIO Data In (R) (even in DS mode) 4004C00h 1 GPIO Data Out (W) 4004C01h 1 GPIO Data Direction (R/W) 4004C02h 1 GPIO Interrupt Edge Select (R/W) 4004C03h 1 GPIO Interrupt Enable (R/W) 4004C04h 2 GPIO_WIFI (R/W) |
4004D00h 8 CPU/Console ID Code (64bit) (R) 4004D08h 2 CPU/Console ID Flag (1bit) (R) |
8030200h 2 GBA area, accessed alongsides with SDIO port [4004A30h] (bug?) |
| DSi Control Registers (SCFG) |
0 ARM9 BIOS Upper 32K half of DSi BIOS (0=Enabled, 1=Disabled) 1 ARM9 BIOS for NDS Mode (0=DSi BIOS, 1=NDS BIOS) 2-15 Unused (0) 16-31 Unspecified (0) |
00h DSi ROM mapped at FFFFxxxxh, full 64K enabled (during bootstage 1 only) 01h DSi ROM mapped at FFFFxxxxh, lower 32K only 03h NDS ROM mapped at FFFFxxxxh (internal setting) 00h NDS ROM mapped at FFFFxxxxh (visible setting due to SCFG_EXT.bit31=0) |
0 ARM9 BIOS Upper 32K half of DSi BIOS (0=Enabled, 1=Disabled) 1 ARM9 BIOS for NDS Mode (0=DSi BIOS, 1=NDS BIOS) 2-7 Unused (0) 8 ARM7 BIOS Upper 32K half of DSi BIOS (0=Enabled, 1=Disabled) 9 ARM7 BIOS for NDS Mode (0=DSi BIOS, 1=NDS BIOS) 10 Access to Console ID registers (0=Enabled, 1=Disabled) (4004Dxxh) 11-31 Unused (0) |
0 ARM9 CPU Clock (0=NITRO/67.03MHz, 1=TWL/134.06MHz) (TCM/Cache)
1 Teak DSP Block Clock (0=Stop, 1=Run)
2 Camera Interface Clock (0=Stop, 1=Run)
3-6 Unused (0)
7 New Shared RAM Clock (0=Stop, 1=Run) (set via ARM7) (R)
8 Camera External Clock (0=Disable, 1=Enable) ("outputs at 16.76MHz")
9-15 Unused (0)
16-31 See below (Port 4004006h, SCFG_RST)
|
0 SD/MMC Clock (0=Stop, 1=Run) (should be same as SCFG_EXT7.bit18) 1 Unknown/used (0=Stop, 1=Run) (?) (maybe SDIO/wifi clock or so?) 2 Unknown/used (0=Stop, 1=Run) (?) 3-6 Unused (0) 7 New Shared RAM Clock (0=Stop, 1=Run) 8 Touchscreen Clock (0=Stop, 1=Run) (needed for touchscr input) 9-15 Unused (0) 16-31 See below (Port 4004006h, SCFG_JTAG) |
0 DSP Block Reset (0=Apply Reset, 1=Release Reset) 1-15 Unused (0) |
0 ARM7SEL (set when debugger can do ARM7 debugging) 1 CPU JTAG Enable 2-7 Unused (0) 8 DSP JTAG Enable 9-15 Unused (0) |
0 Revised ARM9 DMA Circuit (0=NITRO, 1=Revised) 1 Revised Geometry Circuit (0=NITRO, 1=Revised) 2 Revised Renderer Circuit (0=NITRO, 1=Revised) 3 Revised 2D Engine Circuit (0=NITRO, 1=Revised) 4 Revised Divider Circuit (0=NITRO, 1=Revised) 5-6 Unused (0) 7 Revised Card Interface Circuit (0=NITRO, 1=Revised) 8 Extended ARM9 Interrupts (0=NITRO, 1=Extended) 9-11 Unused (0) 12 Extended LCD Circuit (0=NITRO, 1=Extended) 13 Extended VRAM Access (0=NITRO, 1=Extended) 14-15 Main Memory RAM Limit (0..1=4MB/DS, 2=16MB/DSi, 3=32MB/DSiDebugger) 16 Access to New DMA Controller (0=Disable, 1=Enable) (40041xxh) 17 Access to Camera Interface (0=Disable, 1=Enable) (40042xxh) 18 Access to Teak DSP Block (0=Disable, 1=Enable) (40043xxh) 19-23 Unused (0) 24 Access to 2nd NDS Cart Slot (0=Disable, 1=Enable) (set via ARM7) (R) 25 Access to New Shared WRAM (0=Disable, 1=Enable) (set via ARM7) (R) 26-30 Unused (0) 31 Access to SCFG/MBK registers (0=Disable, 1=Enable) (4004000h-4004063h) |
8307F100h for DSi firmware, DSi cartridges and DSiware 03000000h for NDS cartridges (and DSiware in NDS mode, eg. Pictochat) |
Mode 2000000h-2FFFFFFh C000000h-CFFFFFFh D000000h-DFFFFFFh 4MB (0 or 1) 1st 4MB (+mirrors) Zerofilled Zerofilled 16MB (2) 1st 16MB 1st 16MB (mirror) 1st 16MB (mirror) 32MB (3) 1st 16MB 1st 16MB (mirror) Open bus (or 2nd 16MB) |
0 Revised ARM7 DMA Circuit (0=NITRO, 1=Revised) 1 Revised Sound DMA (0=NITRO, 1=Revised) 2 Revised Sound (0=NITRO, 1=Revised) 3-6 Unused (0) 7 Revised Card Interface Circuit (0=NITRO, 1=Revised) (set via ARM9) (R) 8 Extended ARM7 Interrupts (0=NITRO, 1=Extended) (4000218h) 9 Undocumented/Unknown ?? (0=NITRO, 1=Extended) (?) 10 Extended Sound DMA ? (0=NITRO, 1=Extended) (?) 11 Undocumented/Unknown ?? (0=NITRO, 1=Extended) (?) 12 Extended LCD Circuit (0=NITRO, 1=Extended) (set via ARM9) (R) 13 Extended VRAM Access (0=NITRO, 1=Extended) (set via ARM9) (R) 14-15 Main Memory RAM Limit (0..1=4MB, 2=16MB, 3=32MB) (set via ARM9) (R) 16 Access to New DMA Controller (0=Disable, 1=Enable) (40041xxh) 17 Access to AES Unit (0=Disable, 1=Enable) (40044xxh) 18 Access to SD/MMC registers (0=Disable, 1=Enable) (40048xxh-40049xxh) 19 Access to SDIO Wifi registers (0=Disable, 1=Enable) (4004Axxh-4004Bxxh) 20 Access to Microphone regs (0=Disable, 1=Enable) (40046xxh) 21 Access to SNDEXCNT register (0=Disable, 1=Enable) (40047xxh) 22 Access to I2C registers (0=Disable, 1=Enable) (40045xxh) 23 Access to GPIO registers (0=Disable, 1=Enable) (4004Cxxh) 24 Access to 2nd NDS Cart Slot (0=Disable, 1=Enable) (40021xxh) 25 Access to New Shared WRAM (0=Disable, 1=Enable) (3xxxxxxh) 26-27 Unused (0) 28 Undocumented/Unknown (0=???, 1=Normal) (?) 29-30 Unused (0) 31 Access to SCFG/MBK registers (0=Disable, 1=Enable) (4004000h-4004063h) |
93FFFB06h for DSi Firmware (Bootcode and SysMenu/Launcher) 13FFFB06h for DSiware (eg. SysSettings, Flipnote, PaperPlane) 13FBFB06h for DSi Cartridges (eg. System Flaw) (bit18=0=sdmmc off) 12A03000h for NDS cartridges (and DSiware in NDS mode, eg. Pictochat) |
0 1st NDS Slot Game Cartridge (0=Inserted, 1=Ejected) (R) 1 1st NDS Slot Unknown/Undocumented (0) 2-3 1st NDS Slot Power State (0=Off, 1=PrepareOn, 2=On, 3=RequestOff) (R/W) 4 2nd NDS Slot Game Cartridge (always 1=Ejected) ;\DSi (R) 5 2nd NDS Slot Unknown/Undocumented (0) ; prototype 6-7 2nd NDS Slot Power State (always 0=Off) ;/relict (R/W) 8-14 Unknown/Undocumented (0) 15 Swap NDS Slots (0=Normal, 1=Swap) (R/W) 16-31 ARM7: See Port 4004012h, ARM9: Unspecified (0) |
0=Power is off 1=Prepare Power on (shall be MANUALLY changed to state=2) 2=Power is on 3=Request Power off (will be AUTOMATICALLY changed to state=0) |
wait until state<>3 ;wait if pwr off busy? exit if state<>0 ;exit if already on? wait 1ms, then set state=1 ;prepare pwr on? or want RESET ? wait 10ms, then set state=2 ;apply pwr on? ;better: 1ms wait 27ms, then set ROMCTRL=20000000h ;release reset signal ;better: 0ms wait 120ms ;more insane delay? ;better: 1ms |
wait until state<>3 ;wait if pwr off busy? exit if state<>2 ;exit if already off? set state=3 ;request pwr off? wait until state=0 ;wait until pwr off <-- SLOW: 153ms!!! |
0-15 Unknown (R/W) |
0 OFFB, Related to Wifi Enable flag from TWLCFGn.dat files? 1-15 Unknown/unused (0) |
0-1 Debug Hardware Type (0=Retail, other=debug variants) 2-3 Unknown/unused (0) 4 Unknown (maybe used, since it isn't masked & copied to RAM) 5-15 Unknown/unused (0) |
| DSi XpertTeak (DSP) |
| DSi Teak Misc |
TeakLite Architecture Specification Revision 4.41 (DSP Group Inc.) OakDSPCore Technical Manuals for CWDSP1640 or CWDSP167x (LSI Logic) OakDSPCore DSP Subsystem AT75C (Atmel) |
TeakLite II disassembler dll in RVDS (RealView Developer Suite) 4.0 Pro |
0000h..7FFFh X Space (for RAM, with 1-stage write-buffer) ;min zero 8000h..87FFh Z Space (for Memory-mapped I/O, no write-buffer) ;min zero 8800h..FFFFh Y Space (for RAM, with 1-stage write-buffer)) ;min 1Kword |
NumCycles = max(NumberOfOpcodeWords, NumberOfDataReadsWrites) |
| DSi Teak I/O Ports (on ARM9 Side) |
0-15 Data (one stage of the 16-stage Read FIFO) |
0-15 Data (one stage of the 16-stage Write FIFO) |
0-15 Lower 16bit of Address in DSP Memory |
0 DSP Reset (0=Release, 1=Reset) ;should be held "1" for 8 DSP clks 1 Address Auto-Increment (0=Off, 1=On) 2-3 DSP Read Data Length (0=1 word, 1=8 words, 2=16 words, 3=Free-Run) 4 DSP Read Start Flag (mem transfer via Read FIFO) (1=Start) 5 Interrupt Enable Read FIFO Full (0=Off, 1=On) 6 Interrupt Enable Read FIFO Not-Empty (0=Off, 1=On) 7 Interrupt Enable Write FIFO Full (0=Off, 1=On) 8 Interrupt Enable Write FIFO Empty (0=Off, 1=On) 9 Interrupt Enable Reply Register 0 (0=Off, 1=On) 10 Interrupt Enable Reply Register 1 (0=Off, 1=On) 11 Interrupt Enable Reply Register 2 (0=Off, 1=On) 12-15 DSP Memory Transfer (0=Data Memory, 1=MMIO Register, 5=Program Memory) |
0 Read Transfer Underway Flag (0=No, 1=Yes/From DSP Memory) 1 Write Transfer Underway Flag (0=No, 1=Yes/To DSP Memory) 2 Peripheral Reset Flag (0=No/Ready, 1=Reset/Busy) 3-4 Unused 5 Read FIFO Full Flag (0=No, 1=Yes) 6 Read FIFO Not-Empty Flag (0=No, 1=Yes) ;ARM9 may read DSP_PDATA 7 Write FIFO Full Flag (0=No, 1=Yes) 8 Write FIFO Empty Flag (0=No, 1=Yes) 9 Semaphore IRQ Flag (0=None, 1=IRQ) 10 Reply Register 0 Update Flag (0=Was Written by DSP, 1=No) 11 Reply Register 1 Update Flag (0=Was Written by DSP, 1=No) 12 Reply Register 2 Update Flag (0=Was Written by DSP, 1=No) 13 Command Register 0 Read Flag (0=Was Read by DSP, 1=No) 14 Command Register 1 Read Flag (0=Was Read by DSP, 1=No) 15 Command Register 2 Read Flag (0=Was Read by DSP, 1=No) |
0-15 ARM9-to-DSP Semaphore 0..15 Flags (0=Off, 1=On) |
0-15 DSP-to-ARM9 Semaphore 0..15 Interrupt Disable (0=Enable, 1=Disable) |
0-15 DSP-to-ARM9 Semaphore 0..15 Clear (0=No Change, 1=Clear) |
0-15 DSP-to-ARM9 Semaphore 0..15 Flags (0=Off, 1=On) |
0-15 Command/Data to DSP |
0-15 Reply/Data from DSP |
| DSi Teak I/O Map (on Teak side) |
8000h 3300 3300 3300 R Fixed 3300h 8002h 3300 3300 3300 R Fixed 3300h (maybe mirror of port 8000h) |
8004h 0000 0000 87FF 8006h ? ? ? ?? DANGER (crashes on read) 8008h..800Eh 3300 3300 3300 R Fixed 3300h (maybe mirror of port 8000h) |
8010h 0000 0000 0003 8012h 0000 0000 0003 8014h 0000 0000 FFFF 8016h 0000 0000 0000 8018h 0000 0000 BDEF ;...(writing [8018h]=8018h causes "8238h") 801Ah C902 C902 C902 R used for chip detect (for xpert_offsets_tbl) 801Ch 0003 0003 0003 801Eh 0003 0003 0003 |
8020h 0000 0000 ?? DANGER (causes TRAP exception) 8022h 0000 0000 0000 8024h 0000 0000 FFFF R/W 8026h 0000 0000 FFFF R/W 8028h 0000 0000 0000 802Ah 0000 0000 0000 802Ch 0000 0000 FFFF R/W 802Eh 0000 0000 FFFF R/W 8030h 0000 0000 ;\ <-- DANGER 8032h 0000 0000 0000 ; 8034h 0000 0000 FFFF ; looks like resembling port 8020h..802Fh 8036h 0000 0000 FFFF ; 8038h 0000 0000 0000 ; 803Ah 0000 0000 0000 ; 803Ch 0000 0000 FFFF ; 803Eh 0000 0000 FFFF ;/ 8040h..804Eh 3300 3300 3300 R Fixed 3300h (maybe mirror of port 8000h) |
8050h 7000 0000 F03F 8052h 0000 0000 7F7F 8054h 0000 0000 0000 8056h 0000 0000 0001 8058h 0000 0000 0000 805Ah..805Eh F03F F03F F03F R Mirror of port 8050h |
8060h 0105 0105 0105 <-- or other value (034Fh when [NNNNh]=NNNNh) 8061h 0000 0000 0000 8062h FFFF 0000 FFFF ;\ 8063h 0F03 0000 0F03 ;/ 8064h FFFF 0000 FFFF ;\ 8065h 0F03 0000 0F03 ;/ 8066h FFFF 0000 FFFF ;\ 8067h 0F03 0000 0F03 ;/ 8068h 00FF 0000 00FF ;\ 8069h 00FF 0000 00FF ; 806Ah 00FF 0000 00FF ;/ 806Bh FFFF 0000 FFFF 806Ch FFFF 0000 FFFF 806Dh 0000 0000 DANGER (causes TRAP exception) 806Eh 3001 0000 FFFF 806Fh 0000 0000 BFFF 8070h 0000 0000 0001 8072h 0000 0000 FFFF 8074h C000 C000 C000 8076h..807Eh 0105 0105 0105 R Mirror of port 8060h |
8080h C00E 0000 FFFF 8082h 0001 0000 0001 8084h 8000 DANGER 8086h 0000 DANGER 8088h 0000 0000 07BF 808Ah 0000 0000 07BF 808Ch 0000 0000 07BF 808Eh 0000 0000 07BF 8090h 0000 0000 06BF ;! 8092h 0000 0000 05BF ;! 8094h 0000 0000 07BF 8096h 0000 0000 0002 8098h 0000 0000 0302 809Ah 0000 0000 0003 809Ch 0000 0000 0003 809Eh 0000 0000 0003 80A0h 0000 0000 0003 80A2h 0000 0000 0003 80A4h 0000 0000 0003 80A6h 0000 0000 0003 80A8h 0000 0000 0003 80AAh 0000 0000 FFFF waitstates? writing FFFFh causes SLOWDOWN? 80ACh 0000 0000 FFFF 80AEh 0000 0000 FFFF 80B0h..80BEh FFFF FFFF FFFF R Mirror of port 8080h |
80C0h xxxx xxxx xxxx R/W T_REPLY0 (to ARM) 80C2h 4300 4300 4300 R T_CMD0 (from ARM) 80C4h 0000 0000 FFFF R/W T_REPLY1 (to ARM) 80C6h 3123 3123 3123 R T_CMD1 (from ARM) 80C8h 0000 0000 FFFF R/W T_REPLY2 (to ARM) 80CAh 3223 3223 3223 R T_CMD2 (from ARM) 80CCh 0000 0000 FFFF R/W APBP_SetSemaphore DSP-to-ARM (R/W) 80CEh 0000 ?? (unknown, maybe semaphore irq-mask?) (R/W) 80D0h 0000 ?? APBP_AckSemaphore ARM-to-DSP (W) 1=clr 80D2h AFFE AFFE AFFE R APBP_GetSemaphore ARM-to-DSP (R) 80D4h 0000 ?? (parts R/W, irq mask?)(DANGER: can crash cpu) 80D6h 03C0 03C0 03C0 R command/reply flags 80D8h 3B00 3B00 3B00 R <-- ..can be this or that 80DAh..80DEh 0000 0000 0000 R Fixed 0000h |
80E0h 0000 0000 0000 R Fixed 0000h 80E2h+N*6 0000 0000 0FBF R/W ;\whatever N=0..2(0010h=?,0020h=?,0025h=dma?) 80E4h+N*6 0000 0000 03FF R/W ; whatever N=0..2(0200h=read, 0300h=write) 80E6h+N*6 0000 0000 00FF R/W ;/whatever N=0..2(bit0-7=dma0..7,0000h=reset) 80F4h 0000 0000 FC00 R/W 80F6h 0000 0000 0000 ?? 80F8h 0000 0000 0000 ?? 80FAh 0000 0000 FFFF R/W 80FCh FFFF 0000 FFFF R/W 80FEh 0000 0000 FFFF R/W |
8100h FFFF 0000 FFFF 8102h 0FFF 0000 0FFF 8104h 0000 0000 FFFF 8106h 0000 0000 FFFF 8108h 0000 0000 FFFF 810Ah 0000 0000 FFFF 810Ch 0014 0014 0014 R Mirror of port 811Ah 810Eh 0000 0000 FFFF 8110h 0000 0000 00FF 8112h 0000 DANGER 8114h 1E20 R/W miu_config_page_memory_limits (done 2x) 8116h 1E20 0100 403F 8118h 1E20 0100 403F 811Ah 0014 00x4 R/W DANGER crashes (but bit4 can be cleared) 811Ch 0004 0000 007F 811Eh 8000 R/W miu_relocate_mmio (8000h AND FC00h) (done 1x) 8120h 0000 0000 000F 8122h 0000 0000 007F 8124h..813Eh 0014 0014 0014 R Mirror of port 811Ah |
8140h+N*4 0000 0000 FFFF ;\whatever, for Index N=0..0Eh 8142h+N*4 0000 0000 803F ;/ 817Ch 0000 0000 FFFF ;\whatever, for Index 0Fh 817Eh 0000 0000 C03F ;/ ;<--with bit14! |
8180h 0000 0000 0000 ?? 8182h 0000 0000 0000 ?? 8184h 0001 0000 00FF R/W channel enable flag(s)? 8186h 0000 0000 00FF R/W 8188h..818Ch 0000 0000 0000 R Fixed 0000h seox (end of transfer flags?) 818Eh 3210 0000 7777 R/W ;\ 8190h 7654 0000 7777 R/W ;/ 8192h 0000 0000 7C03 R/W 8194h..81B4h 0000 0000 0000 R Fixed 0000h 81B6h 0000 0000 FFFF R/W 81B8h 0000 0000 FFFF R/W 81BAh 0000 0000 FFFF R/W 81BCh 0000 0000 FFFF R/W 81BEh 0000 0000 0007 R/W gcs_dtcca (dma channel; bank for 81C0h-81DEh) 81C0h:0..7 0000 0000 FFFF R/W ;\ ;\maybe addr1? ;lo ;\ 81C2h:0..7 0000 0000 FFFF R/W ; ;/ ;hi ; 81C4h:0..7 0000 0000 FFFF R/W ; ;\maybe addr2? ;lo ; five actual params 81C6h:0..7 0000 0000 FFFF R/W ; ;/ ;hi ; 81C8h:0..7 FFFF 0001 FFFF R/W ; ;-maybe len? ;/ 81CAh:0..7 0001 0001 FFFF R/W ; ;-usually 1 ;\ 81CCh:0..7 0001 0001 FFFF R/W ; ;-usually 1 ; config stuff for 81CEh:0..7 0001 0000 FFFF R/W ; ;-2,4,2,1 ; memory type, 81D0h:0..7 0001 0000 FFFF R/W ; ;-4,2,2,1 ; transfer direction, 81D2h:0..7 0001 0000 FFFF R/W ; ;-2,4,0,1 ; etc? 81D4h:0..7 0001 0000 FFFF R/W ; ;-4,2,0,1 ; (code vs data 81D6h:0..7 0001 0000 FFFF R/W ; ;-0,0,0,1 ; memory and such) 81D8h:0..7 0001 0000 FFFF R/W ; ;-0,0,0,1 ; 81DAh:0..7 F200 0000 F7FF R/W ; ;-670h,607h,400h,250h; 81DCh:0..7 0000 0000 1FF7 R/W ; ;-usually 300h ; 81DEh:0..7 0000 0000 00FF R/W ;/ ;-usually 0 ;/ 81E0h..81FEh 0000 0000 0000 R Fixed 0000h |
8200h 4020 4020 4020 R interrupt request flags (0=none, 1=irq) 8202h 0000 0000 0000 W interrupt acknowledge (0=ack, 1=no change) 8204h 0000 0000 FFFF ?? force IRQ flag set? (0=no change, 1=set?) 8206h 0000 0000 FFFF R/W enable as int0 (0=disable, 1=enable) 8208h 0000 0000 FFFF R/W enable as int1 (0=disable, 1=enable) 820Ah 0000 0000 FFFF R/W enable as int2 (0=disable, 1=enable) 820Ch 0000 0000 FFFF R/W enable as vint (0=disable, 1=enable) 820Eh 2000 0000 FFFF R/W (lsb of type0..3) 8210h 2000 0000 FFFF R/W (msb of type0..3) 8212h+N*4 0003 0000 8003 R/W ;\(lsw for irq 0..15) (bit0-1,15 are R/W) 8214h+N*4 FC00 0000 FFFF R/W ;/(msw for irq 0..15) for vint: proc? (16bit) 8252h 0000 0000 FFFF R/W ?? 8254h 0000 0000 5555 R/W ?? 8256h 0000 0000 5555 R/W ?? 8258h..827Eh 0000 0000 0000 R Fixed 0000h (or 6004h when [NNNNh]=NNNNh) |
8280h+N*80h 0005 0000 FFFF .. ;\ 8282h+N*80h 0000 0000 7FE7 ; 8284h+N*80h 0000 0000 0FE7 ; btdmp_prepare_receive_channel params 8286h+N*80h 0000 0000 0003 ; 8288h+N*80h 1FFF 0000 1FFF ; 828Ah+N*80h 0000 0000 0FFF ; 828Ch+N*80h 0000 0000 3FFF ;/ 828Eh+N*80h 0000 0000 FFFF ;\ 8290h+N*80h 0000 0000 FFFF ;/ 8292h+... 0000 0000 0000 R Fixed 0000h 829Eh+N*80h 0000 0000 8000 btdmp_enable_receive_channel (0=off, ?=on) 82A0h+N*80h 0005 0000 FFFF ... ;\ 82A2h+N*80h 0000 0000 7FE7 ; 82A4h+N*80h 0000 0000 0FE7 ; btdmp_prepare_transmit_channel params 82A6h+N*80h 0000 0000 0003 ; 82A8h+N*80h 1FFF 0000 1FFF ; 82AAh+N*80h 0000 0000 0FFF ; 82ACh+N*80h 0000 0000 3FFF ;/ 82AEh+N*80h 0000 0000 FFFF ;\ 82B0h+N*80h 0000 0000 FFFF ;/ 82B2h+... 0000 0000 0000 R Fixed 0000h 82BEh+N*80h 0000 0000 8000 btdmp_enable_transmit_channel(0=off, ?=on) 82C0h+N*80h 001x 001F 001F R DSPAudio_UpdateFifo, state1 (bit3=recv) 82C2h+N*80h 0057 005x 0057 R DSPAudio_UpdateFifo, state2 (bit3/4=send) 82C4h+N*80h E0A1 FFFF E0A1 R? DSPAudio_UpdateFifo, recv 82C6h+N*80h 0000 0000 0000 W DSPAudio_SendToOutput, send 82C8h+N*80h 0000 0000 0003 ?? 82CAh+N*80h 0000 0000 0003 btdmp_fifo_flush_transmit_channel 82CCh+... 0000 0000 0000 R Fixed 0000h 8380h..867Eh 03C0 03C0 03C0 R Mirror of Port 80D6h |
8680h..87FEh 03C0 03C0 03C0 R Mirror of Port 80D6h |
? ? ? ? ? ? ? APBP AHBM MIU ? DMA ICU AUDIO ?
#0 3333 0000 0010 0020 0050 0060 0080 00A0 3333 00C0 3333 0100 0180 0200 3333
#1 0000 0004 0010 0020 0050 0060 0080 00C0 00E0 0100 0140 0180 0200 0280 0680
#2 3333 0004 0010 3333 3333 0020 0040 3333 3333 0060 3333 3333 0120 3333 3333
|
| DSi Teak I/O Ports (on Teak Side) |
xx=[baseIO+06h] whatever (reading does crash/halt/hang the teak CPU) a1=[baseIO+1Ah] used to detect hardware type (for xpert_offsets_tbl) |
[apbpIO+00h]=a0l APBP_SetReplyRegister0 a0=[apbpIO+02h] APBP_GetCommandRegister0 ;80C2h (that is, set1) [apbpIO+04h]=a0l APBP_SetReplyRegister1 a0=[apbpIO+06h] APBP_GetCommandRegister1 ;80C6h (that is, set1) [apbpIO+08h]=a0l APBP_SetReplyRegister2 a0=[apbpIO+0Ah] APBP_GetCommandRegister2 ;80CAh (that is, set1) [apbpIO+0Ch]=a0l APBP_SetSemaphore DSP-to-ARM (R/W) [apbpIO+0Eh] (unknown, maybe semaphore irq-mask?) (R/W) [apbpIO+10h] APBP_AckSemaphore ARM-to-DSP (W) 1=clr [IO+12h] bits [apbpIO+12h] APBP_GetSemaphore ARM-to-DSP (R) [apbpIO+14h] (unused) (parts R/W) (DANGER: can crash cpu) test[apbpIO+16h].bit5 APBP_CheckReplyRegister0 <-- unreliable ? test[apbpIO+16h].bit6 APBP_CheckReplyRegister1 test[apbpIO+16h].bit7 APBP_CheckReplyRegister2 ;IO+16 mirrored to end test[apbpIO+16h].bit8 APBP_CheckCommandRegister0 ; of IO area! test[apbpIO+16h].bit12 APBP_CheckCommandRegister1 test[apbpIO+16h].bit13 APBP_CheckCommandRegister2 test[apbpIO+16h].bit9 APBP_CheckSemaphoreRequest [apbpIO+18h] (unknown, Ex00h, some status?) [apbpIO+1Ah] (unknown/unused, zero, not R/W) [apbpIO+1Ch] (unknown/unused, zero, not R/W) [apbpIO+1Eh] (unknown/unused, zero, not R/W) (unimplemented) APBP_GetSemaphore (unimplemented) APBP_ClearSemaphore (unimplemented) APBP_MaskSemaphore |
[ahbmIO+N*06h+02h+00h]=x whatever (0010h=?, 0020h=?, 0025h=dma?) [ahbmIO+N*06h+02h+02h]=x whatever (0200h=read, 0300h=write) [ahbmIO+N*06h+02h+04h]=x whatever (xxxxh=?, 0000h=reset) |
[miuIO+14h]=xxxx ;miu_config_page_memory_limits (done 2x) [miuIO+1Eh]=a1 AND FC00h ;miu_relocate_mmio (8000h) (done 1x) |
xxx |
[dmaIO+04h] channel enable flag(s)? [dmaIO+08h..] seox (end of transfer flags? in multiple bits/registers?) [dmaIO+3Eh] gcs_dtcca (control register or so) [dmaIO+40h] param [dmaIO+42h] param [dmaIO+44h] param [dmaIO+46h] param [dmaIO+48h] param [dmaIO+4Ah] param [dmaIO+4Ch] param [dmaIO+4Eh] param [dmaIO+50h] param [dmaIO+52h] param [dmaIO+54h] param [dmaIO+56h] param [dmaIO+58h] param [dmaIO+5Ah] param [dmaIO+5Ch] param [dmaIO+5Eh] param |
[icuIO+00h].bit9..15 IRQ interrupt request flags (0=none, 1=irq) [icuIO+02h].bit9..15 IRQ interrupt acknowledge (0=ack, 1=no change) [icuIO+04h].bit0..12,14..15 IRQ force IRQ flag set? (0=no change, 1=set irq) [icuIO+06h].bit9..15 IRQ enable as int0 (0=disable, 1=enable) [icuIO+08h].bit9..15 IRQ enable as int1 (0=disable, 1=enable) [icuIO+0Ah].bit9..15 IRQ enable as int2 (0=disable, 1=enable) [icuIO+0Ch].bit9..15 IRQ enable as vint (0=disable, 1=enable) [icuIO+0Eh].bit9..15 IRQ (lsb of type0..3) [icuIO+10h].bit9..15 IRQ (msb of type0..3) [icuIO+12h+(9..15)*4] IRQ (lsw for irq 9..15) (bit0-1,15 are R/W) [icuIO+14h+(9..15)*4] IRQ (msw for irq 9..15) for vint: proc? (16bit) |
icu.ack 00h-08h - icu.ack 09h timer_1 int2 (05A0h) icu.ack 0Ah timer_0 int1a (0590h) icu.ack 0Bh btdmp int1b (05C0h) icu.ack 0Ch-0Dh - icu.ack 0Eh apbp int0 (0550h..0580h) (cmd0,cmd1,cmd2,semaphorerequest) icu.ack 0Fh dma vint (05B0h) (DSPAudio_UpdateFifo) (v=VariableVect?) |
code:00000h ;start (reset) code:00002h ;trap_handler (trap/break) code:00004h ;nmi_handler code:00006h ;int0_handler code:0000Eh ;int1_handler code:00016h ;int2_handler variable?? ;vint_handler (without push/pop?) |
test [audioIO+40h].bit3 DSPAudio_UpdateFifo, state1 (recv) test [audioIO+42h].bit4 DSPAudio_UpdateFifo, state2 (send) a0=[audioIO+44h] DSPAudio_UpdateFifo, recv test [audioIO+42h].bit3 DSPAudio_SendToOutput, state [audioIO+46h]=x DSPAudio_SendToOutput, send [audioIO+N*80h+00h]=x btdmp_prepare_receive_channel, param0, bit9=irq? [audioIO+N*80h+02h]=x btdmp_prepare_receive_channel, param1 [audioIO+N*80h+04h]=x btdmp_prepare_receive_channel, param2 [audioIO+N*80h+06h]=x btdmp_prepare_receive_channel, param3 [audioIO+N*80h+08h]=x btdmp_prepare_receive_channel, param4 [audioIO+N*80h+0Ah]=x btdmp_prepare_receive_channel, param5 [audioIO+N*80h+0Ch]=x btdmp_prepare_receive_channel, param6 [audioIO+N*80h+1Eh]=x btdmp_enable_receive_channel (0=disable, [9013h]=enable) [audioIO+N*80h+20h]=x btdmp_prepare_transmit_channel, param0, bit8=irq? [audioIO+N*80h+22h]=x btdmp_prepare_transmit_channel, param1 [audioIO+N*80h+24h]=x btdmp_prepare_transmit_channel, param2 [audioIO+N*80h+26h]=x btdmp_prepare_transmit_channel, param3 [audioIO+N*80h+28h]=x btdmp_prepare_transmit_channel, param4 [audioIO+N*80h+2Ah]=x btdmp_prepare_transmit_channel, param5 [audioIO+N*80h+2Ch]=x btdmp_prepare_transmit_channel, param6 [audioIO+N*80h+3Eh]=x btdmp_enable_transmit_channel(0=disable, [9013h]=enable) [audioIO+N*80h+4Ah]=[9012h] btdmp_fifo_flush_transmit_channel |
xxx |
| DSi Teak CPU Registers |
a0e:a0h:a0l (4:16:16 bits) = a0 (36bit) ;TL2: 40bit (8:16:16) a1e:a1h:a1l (4:16:16 bits) = a1 (36bit) ;TL2: 40bit (8:16:16) b0e:b0h:b0l (4:16:16 bits) = b0 (36bit) ;TL2: 40bit (8:16:16) b1e:b1h:b1l (4:16:16 bits) = b1 (36bit) ;TL2: 40bit (8:16:16) |
r0 ;TL ;16bit ;\ r1 ;TL ;16bit ; r2 ;TL ;16bit ; old TL1 registers r3 ;TL ;16bit ; r4 ;TL ;16bit ; r5 ;TL ;16bit ;/ r6 ;TL2 ;16bit ;<-- new TL2 register r7 ;TL ;16bit ;<-- aka rb (with optional immediate, MemR7Imm) |
x0 ;TL ;16bit ;- y0 ;TL ;16bit ;- x1 ;TL2 ;16bit ;- y1 ;TL2 ;16bit ;- p0 ;TL ;33bit! ;\Px ;TL2: 33bit p0e:p0 ? ;TL1: 32bit? p1 ;TL2 ;33bit! ;/ ;TL2: 33bit p1e:p1 ? ;TL1: N/A p0h ;TL ;16bit ; ;<-- aka ph ;<-- called "p0" (aka "p") in "RegisterP0" |
Unsigned = Unsigned * Unsigned ;use shift 0 Unsigned = Unsigned * Signed ;use shift +1 Unsigned = Signed * Signed ;use shift +2 Signed = Unsigned * Unsigned ;use shift -1 Signed = Unsigned * Signed ;use shift 0 Signed = Signed * Signed ;use shift +1 |
pc ;TL ;18bit! ;-program counter (TL2: 18bit, TL1: 16bit) sp ;TL ;16bit ;-stack pointer (decreasing on push/call) sv ;TL ;16bit ;-shift value (negative=right) (for shift-by-register) mixp ;TL ;16bit ;-related to min/max/mind/maxd lc ;TL ;16bit ;-Loop Counter (of block repeat) repc ;TL ;16bit ;-Repeat Counter (for "rep" opcode) dvm ;TL ;16bit ;-Data Value Match (data breakpoints) (and for trap) |
vtr0 ;TL2 16bit ;\related to vtrshr,vtrmov,vtrclr vtr1 ;TL2 16bit ;/(saved C/C1 carry flags for Viterby decoding) prpage ;TL2 4bit ;-??? (bit0-3 used/dangerous, bit4-15 always 0) |
ext0 ;TL ;16bit ext1 ;TL ;16bit ext2 ;TL ;16bit ext3 ;TL ;16bit |
page ;TL ;8bit "load" st1.bit0-7 (page for MemImm8) ;aka "lpg" ps ;TL ;2bit "load" st1.bit10-11 (product shifter for multiply?) ps01 ;TL2 ;4bit "load" mod0...? (maybe separate "ps" for p0 and p1 ?) movpd ;TL2 ;2bit "load" stt2.bit6-7 (page for reading DATA from ProgMem) modi ;TL ;9bit "load" cfgi.bit7-15 =imm9 modj ;TL ;9bit "load" cfgj.bit7-15 =imm9 stepi ;TL ;7bit "load" cfgi.bit0-6 =imm7 stepj ;TL ;7bit "load" cfgj.bit0-6 =imm7 |
st0 bit0,2-11 ;\control/status (cntx) st1 bit10-11 (and "swap": bit0-7) ; (TL2: probably also SttMod) st2 bit0-7 ;/ a0 <--> b0 manualswap only? ;\accumulators (swap) a1 <--> b1 autoswapped? ;/ r0 <--> r0b ;\ r1 <--> r1b ; r4 <--> r4b ; BankFlags (banke) r7 <--> r7b ;TL2 ; cfgi <--> cfgib ; cfgj <--> cfgjb ;TL2 ;/ Ar,Arp <--> ? ;TL2 ;-? (bankr and/or cntx) |
dmod ;TL ;suffix ;\ dmodi ;TL2 ;suffix ; dmodj ;TL2 ;suffix ; dmodij ;TL2 ;suffix ;/ context;TL ;suffix ;<-- (related to "cntx") eu ;TL ;suffix ;<-- (aka "Axheu", now "Axh,eu") dbrv ;TL2 ;suffix ;\for "bitrev" ebrv ;TL2 ;suffix ;/ s ;TL ;suffix ;\param for "cntx" opcode ;"s" also for opcode 88D1h r ;TL ;suffix ;/ |
TL: x y p ph rb lpg a0heu a1heu TL2: x0 y0 p0 p0h r7 page a0h,eu a1h,eu |
| DSi Teak CPU Control/Status Registers |
Old registers (for TeakLite): st0/st1/st2, and icr New registers (for TeakLiteII): stt0/stt1/stt2, and mod0/mod1/mod2/mod3 |
ZMNVCEL- add, addh, addl, cmp, cmpu, sub, subh, subl, inc, dec, neg ZMNVCEL- maa, maasu, mac, macsu, macus, macuu, msu, sqra, rnd, pacr, movr ZMN-C--- or ZM--C--- addv, cmpv, subv, and ZMN--E-- clr, clrr, copy, divs, swap, not, xor ZMN--0L- lim ZMNVCELR norm ZMN-CE-- rol, ror ZMN-CE-- movs, movsi, shfc, shfi, shl, shl4, shr, shr4 ;for logical shift ZMNVCEL- movs, movsi, shfc, shfi, shl, shl4, shr, shr4 ;for arithmetic shift ZMN--E-- mov, movp, pop ;when dst=ac,bc (whut?) ;\ xxxxxxxx mov, movp, pop ;when dst=st0 ; mov etc. ------L- mov, push ;when src=aXL,aXH,bXL,bXH ; -------- mov, movp, pop, push ;when src/dst neither of above ;/ ZMN--E-- cntx s ;store shadows (new flags for a1) ;\cntx ZMNVCELR cntx r ;restore shadows (old flags) ;/ ZM------ set, rst, chng Z------- tst0, tst1, tstb -M------ max, maxd, min -------R modr -------- mpy, mpyi, mpysu, sqr, exp -------- banke, dint, eint, load, nop, bkrep, rep, break, trap, movd -------- br, brr, call, calla, callr, ret, retd, reti, retid, rets |
__________________________ Old registers (TeakLite) __________________________ |
0 SAT R/W Saturation Mode (0=Off, 1=Saturate "Ax to data") ;mod0.0 1 IE R/W Interrupt Enable (0=Disable, 1=Enable) ;dint/eint ;mod3.7 2 IM0 R/W Interrupt INT0 Mask (0=Disable, 1=Enable if IE=1) ;mod3.8 3 IM1 R/W Interrupt INT1 Mask (0=Disable, 1=Enable if IE=1) ;mod3.9 4 R R/W Flag: rN is Zero ;see Cond nr ;stt1.4 5 L R/W Flag: Limit ;see Cond l ;L=(LM or VL) ;stt0.0+1 6 E R/W Flag: Extension ;see Cond e ;stt0.2 7 C R/W Flag: Carry ;see Cond c ;stt0.3 8 V R/W Flag: Overflow ;see Cond v ;stt0.4 9 N R/W Flag: Normalized ;see Cond nn ;stt0.5 10 M R/W Flag: Minus ;see Cond gt,ge,lt,le ;stt0.6 11 Z R/W Flag: Zero ;see Cond eq,neq,gt,le ;stt0.7 12-15 a0e R/W Accumulator 0 Extension Bits ;a0.32-35 |
0-7 PAGE R/W Data Memory Page (for MemImm8) (see "load page") ;mod1.0-7
8-9 - - Reserved (read: always set) ;-
10-11 PS R/W Product Shifter for P0 (see "load ps")(multiply?) ;mod0.10-11
(0=No Shift, 1=SHR1, 2=SHL1, 3=SHL2)
12-15 a1e R/W Accumulator 1 Extension Bits ;a1.32-35
|
0-3 MDn R/W Enable cfgi.modi modulo for R0..R3 (0=Off, 1=On) ;mod2.0-3 4-5 MDn R/W Enable cfgj.modj modulo for R4..R5 (0=Off, 1=On) ;mod2.4-5 6 IM2 R/W Interrupt INT2 Mask (0=Disable, 1=Enable if IE=1) ;mod3.10 7 S R/W Shift Mode (0=Arithmetic, 1=Logic) ;mod0.7 8 OU0 R/W OUSER0 User Output Pin ;mod0.8 9 OU1 R/W OUSER1 User Output Pin ;mod0.9 10 IU0 R IUSER0 User Input Pin (zero) ;see Cond iu0,niu0 ;stt1.?? 11 IU1 R IUSER1 User Input Pin (zero) ;see Cond iu1 ;stt1.?? 12 - - Reserved (read: always set) ;- 13 IP2 R Interrupt Pending INT2 (0=No, 1=IRQ) ;stt2.2 14 IP0 R Interrupt Pending INT0 (0=No, 1=IRQ) ;stt2.0 15 IP1 R Interrupt Pending INT1 (0=No, 1=IRQ) ;stt2.1 |
0 NMIC R/W NMI Context switching enable (0=Off, 1=On) ;mod3.0 1 IC0 R/W INT0 Context switching enable (0=Off, 1=On) ;mod3.1 2 IC1 R/W INT1 Context switching enable (0=Off, 1=On) ;mod3.2 3 IC2 R/W INT2 Context switching enable (0=Off, 1=On) ;mod3.3 4 LP R InLoop (when inside one or more "bkrep" loops) ;stt2.15 5-7 BCn R Block repeat nest. counter ;see "bkrep" ;stt2.12-14 8-15 - - Reserved (read: always set) ;- |
_________________________ New registers (TeakLiteII) _________________________ |
0 LM R/W Flag: Limit, set if saturation has/had occured ;st0.5 1 VL R/W Flag: LatchedV, set if overflow has/had occurred ;st0.5, too 2 E R/W Flag: Extension ;see Cond e ;st0.6 3 C R/W Flag: Carry ;see Cond c ;st0.7 4 V R/W Flag: Overflow ;see Cond v ;st0.8 5 N R/W Flag: Normalized ;see Cond nn ;st0.9 6 M R/W Flag: Minus ;see Cond gt,ge,lt,le ;st0.10 7 Z R/W Flag: Zero ;see Cond eq,neq,gt,le ;st0.11 8-10 - - Unknown (reads as zero) 11 C1 R/W Flag: Carry1 (2nd carry, for dual-operation opcodes) 12-15 - - Unknown (reads as zero) |
0-3 - - Unknown (reads as zero) 4 R R/W Flag: rN is Zero ;see Cond nr ;st0.4 5-13 - - Unknown (reads as zero) (IU1 and IU0 should be here!) 14 P0E R/W Upper bit of 33bit P0 register ;\shifted-in on ;p0.32 15 P1E R/W Upper bit of 33bit P1 register ;/arith right shifts ;p1.32 |
0 IP0 R Interrupt Pending INT0 (0=No, 1=IRQ) ;st2.14
1 IP1 R Interrupt Pending INT1 (0=No, 1=IRQ) ;st2.15
2 IP2 R Interrupt Pending INT2 (0=No, 1=IRQ) ;st2.13
3 IPV R Interrupt Pending VINT ;-
4-5 - - Unknown (reads as zero) ;-
6-7 PCMhi R/W Program Memory Bank (for ProgMemRn/ProgMemAxl) ("load movpd")
8-11 - - Unknown (reads as zero) ;-
12-14 BCn R Block repeat nest. counter ;see "bkrep" ;icr.5-7
15 LP R InLoop (when inside one or more "bkrep" loops) ;icr.4
|
0 SAT R/W Saturation Mode (0=Off, 1=Saturate "Ax to data"?) ;st0.0
1 SATA R/W Saturation Mode on store (0=Off, 1="(Ax op data) to Ax"?)
2 ? R Unknown (reads as one)
3 - - Unknown (reads as zero)
4 - - Unknown (reads as zero)
5-6 HWM R/W Halfword Multiply ... Modify y0 (and y1?)
0=read y0/y1 directly (full 16bit words)
1=Takes y0>>8 and y1>>8 (logic shift)
2=Takes y0&0xFF and y1&0xFF
3=Takes y0>>8 and y1&&0xFF
7 S R/W Shift Mode (0=Arithmetic, 1=Logic) ;st2.7
8 OU0 R/W OUSER0 User Output Pin ;st2.8
9 OU1 R/W OUSER1 User Output Pin ;st2.9
10-11 PS0 R/W Product Shifter for P0 (see "load ps")(multiply?) ;st1.10-11
12 - - Unknown (reads as zero)
13-14 PS1 R/W Product Shifter for P1 (see "load ps")(multiply?)
15 - - Unknown (reads as zero)
|
0-7 PAGE R/W Data Memory Page (for MemImm8) (see "load page") ;st1.0-7
8-11 - - Unknown (reads as zero)
12 STP16 R/W banke opcode (0=exchange cfgi/cfgj, 1=cfgi/cfgj+stepi0/stepj0)
1=use stepi0/j0 instead of stepi/j for stepping Rn registers
13 CMD R/W Change Modulo mode (0=New TL2 style, 1=TL1 style)
14 EPI R/W Unknown (1=Set R3=0 after any "modr R3" or "access[R3]"?)
15 EPJ R/W Unknown (1=Set R7=0 after any "modr R7" or "access[R7]"?)
|
0-3 MDn R/W Enable cfgi.modi modulo for R0..R3 (0=Off, 1=On) ;st2.0-3 4-5 MDn R/W Enable cfgj.modj modulo for R4..R5 (0=Off, 1=On) ;st2.4-5 6-7 MDn R/W Enable cfgj.modj modulo for R6..R7 (0=Off, 1=On) ;TL2 only 8-11 BRn R/W Step +s for R0..R3 (0=cfgi.stepi, 1=stepi0) 12-15 BRn R/W Step +s for R4..R7 (0=cfgj.stepi, 1=stepj0) |
0 NMIC R/W NMI Context switching enable (0=Off, 1=On) ;icr.0 1 IC0 R/W INT0 Context switching enable (0=Off, 1=On) ;icr.1 2 IC1 R/W INT1 Context switching enable (0=Off, 1=On) ;icr.2 3 IC2 R/W INT2 Context switching enable (0=Off, 1=On) ;icr.3 4 OU2 R/W Unknown (R/W) 5 OU3 R/W Unknown (R/W) 6 OU4 ? ---DANGER BIT--- (1=hangs/crashes when set) 7 IE R/W Interrupt Enable (0=Disable, 1=Enable) ;dint/eint ;st0.1 8 IM0 R/W Interrupt INT0 Mask (0=Disable, 1=Enable if IE=1) ;st0.2 9 IM1 R/W Interrupt INT1 Mask (0=Disable, 1=Enable if IE=1) ;st0.3 10 IM2 R/W Interrupt INT2 Mask (0=Disable, 1=Enable if IE=1) ;st2.6 11 IMV R/W Interrupt VINT Mask (0=Disable, 1=Enable if IE=1?) 12 - - Unknown (reads as zero) 13 CCNTA R/W Unknown (R/W) 14 CPC R/W Stack word order for PC on call/ret (0=Normal, 1=Reversed) 15 CREP R/W Unknown (R/W) |
| DSi Teak CPU Address Config/Step/Modulo |
_______________________________ Address Config _______________________________ |
0-2 R/W PM1/PM3 Post Modify Step (0..7 = +0,+1,-1,+s,+2,-2,+2,-2) 3-4 R/W CS1/CS3 Offset (0..3 = +0,+1,-1,-1) 5-7 R/W PM0/PM2 Post Modify Step (0..7 = +0,+1,-1,+s,+2,-2,+2,-2) 8-9 R/W CS0/CS2 Offset (0..3 = +0,+1,-1,-1) 10-12 R/W RN1/RN3 Register (0..7 = R0..R7) 13-15 R/W RN0/RN2 Register (0..7 = R0..R7) |
0-2 R/W PIn Post Modify Step I (0..7 = +0,+1,-1,+s,+2,-2,+2,-2) 3-4 R/W CIn Offset I (0..3 = +0,+1,-1,-1) 5-7 R/W PJn Post Modify Step J (0..7 = +0,+1,-1,+s,+2,-2,+2,-2) 8-9 R/W CJn Offset J (0..3 = +0,+1,-1,-1) 10-11 R/W RIn Register I (0..3 = R0..R3) 12 - - Unused (always zero) 13-14 R/W RJn Register J (0..3 = R4..R7) 15 - - Unused (always zero) |
________________________________ Step/Modulo ________________________________ |
0-6 stepi/stepj (7bit) (see "load stepi/stepj") ;step "Rn+s" ? 7-15 modi/modj (9bit) (see "load modi/modj") |
0-16 stepi0/stepj0 |
| DSi TeakLite II Instruction Set Encoding |
Base Ver Opcode (with parameter bits located at @bitnumber and up)
D4FBh TL add MemImm16@16, Ax@8
A600h TL add MemImm8@0, Ax@8
86C0h TL add Imm16@16, Ax@8
C600h TL add Imm8u@0, Ax@8
D4DBh TL add MemR7Imm16@16, Ax@8
4600h TL add MemR7Imm7s@0, Ax@8
8680h TL add MemRn@0, Ax@8 || Rn@0stepZIDS@3
86A0h TL add RegisterP0@0, Ax@8
D2DAh TL2 add Ab@10, Bx@0
5DF0h TL2 add Bx@1, Ax@0
9070h TL2 add MemR01@8, sv, Abh@2 || sub MemR01@8offsZI@0, sv, Abl@2
|| mov Abl@2, MemR45@8 || R01@8stepII2@0, R45@8stepII2@1
5DB0h TL2 add MemR04@1, sv, Abh@2 || sub MemR04@1offsZI@0, sv, Abl@2
|| R04@1stepII2@0
6F80h TL2 add MemR45@2, MemR01@2, Abh@3
|| add MemR45@2offsZI@1, MemR01@2offsZI@0, Abl@3
|| R01@2stepII2@0, R45@2stepII2@1
6FA0h TL2 add MemR45@2, MemR01@2, Abh@3
|| sub MemR45@2offsZI@1, MemR01@2offsZI@0, Abl@3
|| R01@2stepII2@0, R45@2stepII2@1
5E30h TL2 add MemR45@8, sv, Abh@2 || sub MemR45@8offsZI@1, sv, Abl@2
|| mov Abl@2, MemR01@8 || R01@8stepII2@0, R45@8stepII2@1
5DC0h TL2 add p0, p1, Ab@2
D782h TL2 add p1, Ax@0
5DF8h TL2 add Px@1, Bx@0
D38Bh TL2 add r6, Ax@4
4590h TL2 add3 p0, p1, Ab@2
4592h TL2 add3a p0, p1, Ab@2
4593h TL2 add3aa p0, p1, Ab@2
5DC1h TL2 adda p0, p1, Ab@2
B200h TL addh MemImm8@0, Ax@8
9280h TL addh MemRn@0, Ax@8 || Rn@0stepZIDS@3
92A0h TL addh Register@0, Ax@8
9464h TL2 addh r6, Ax@0
90E0h TL2 addhp MemR0425@2, Px@4, Ax@8 || R0425@2stepII2D2S@0 ;p=ProgMem? Px?
B400h TL addl MemImm8@0, Ax@8
9480h TL addl MemRn@0, Ax@8 || Rn@0stepZIDS@3
94A0h TL addl Register@0, Ax@8
9466h TL2 addl r6, Ax@0
906Ch TL2 addsub p0, p1, Ab@0
49C2h TL2 addsub p1, p0, Ab@4
916Ch TL2 addsuba p0, p1, Ab@0
49C3h TL2 addsuba p1, p0, Ab@4
E700h TL addv Imm16@16, MemImm8@0
86E0h TL addv Imm16@16, MemRn@0 || Rn@0stepZIDS@3
87E0h TL addv Imm16@16, Register@0
47BBh TL2 addv Imm16@16, r6
D4F9h TL and MemImm16@16, Ax@8
A200h TL and MemImm8@0, Ax@8
82C0h TL and Imm16@16, Ax@8
C200h TL and Imm8u@0, Ax@8
D4D9h TL and MemR7Imm16@16, Ax@8
4200h TL and MemR7Imm7s@0, Ax@8
8280h TL and MemRn@0, Ax@8 || Rn@0stepZIDS@3
82A0h TL and RegisterP0@0, Ax@8
6770h TL2 and Ab@2, Ab@0, Ax@12 ;TL2 only
D389h TL2 and r6, Ax@4
4B80h TL banke BankFlags6@0 ;{r0}{,r1}{,r4}{,cfgi}{,r7}{,cfgj}
8CDFh TL2 bankr ;without operand ?
8CDCh TL2 bankr Ar@0
8CD0h TL2 bankr Ar@2, Arp@0
8CD8h TL2 bankr Arp@0
5EB8h TL2 bitrev Rn@0
D7E8h TL2 bitrev Rn@0, dbrv
D7E0h TL2 bitrev Rn@0, ebrv
5C00h TL bkrep NoReverse, Imm8u@0, Address16@16
5D00h TL bkrep NoReverse, Register@0, Address18@16and5
8FDCh TL2 bkrep NoReverse, r6, Address18@16and0
DA9Ch TL2 bkreprst MemR0425@0
5F48h TL2 bkreprst MemSp, Unused2@0
DADCh TL2 bkrepsto MemR0425@0, Unused1@10
9468h TL2 bkrepsto MemSp, Unused3@0
4180h TL br Address18@16and4, Cond@0
D3C0h TL break ;break
5000h TL brr RelAddr7@4, Cond@0
41C0h TL call Address18@16and4, Cond@0
D480h TL calla Axl@8
D381h TL2 calla Ax@4
1000h TL callr RelAddr7@4, Cond@0
9068h TL2 cbs Axh@0, Axh@not0, r0, ge
9168h TL2 cbs Axh@0, Axh@not0, r0, gt
D49Eh TL2 cbs Axh@8, Bxh@5, r0, ge
D49Fh TL2 cbs Axh@8, Bxh@5, r0, gt
D5C0h TL2 cbs MemR01@2, MemR45@2, ge || R01@2stepII2@0, R45@2stepII2@1
D5C8h TL2 cbs MemR01@2, MemR45@2, gt || R01@2stepII2@0, R45@2stepII2@1
E500h TL chng Imm16@16, MemImm8@0
84E0h TL chng Imm16@16, MemRn@0 || Rn@0stepZIDS@3
85E0h TL chng Imm16@16, Register@0
47BAh TL2 chng Imm16@16, r6
0038h TL2 chng Imm16@16, SttMod@0
6760h TL clr Implied ConstZero, Ax@12, Cond@0 ;aX=0
6F60h TL clr Implied ConstZero, Bx@12, Cond@0 ;bX=0
8ED0h TL2 clr Implied ConstZero, Ab@2, Ab@0
5DFEh TL2 clrp p0
5DFFh TL2 clrp p0, p1
5DFDh TL2 clrp p1
67C0h TL clrr Implied Const8000h, Ax@12, Cond@0 ;aX=8000h
6F70h TL2 clrr Implied Const8000h, Bx@12, Cond@0 ;bX=8000h
8DD0h TL2 clrr Implied Const8000h, Ab@2, Ab@0
D4FEh TL cmp MemImm16@16, Ax@8
AC00h TL cmp MemImm8@0, Ax@8
8CC0h TL cmp Imm16@16, Ax@8
CC00h TL cmp Imm8u@0, Ax@8
D4DEh TL cmp MemR7Imm16@16, Ax@8
4C00h TL cmp MemR7Imm7s@0, Ax@8
8C80h TL cmp MemRn@0, Ax@8 || Rn@0stepZIDS@3
8CA0h TL cmp RegisterP0@0, Ax@8
4D8Ch TL2 cmp Ax@1, Bx@0
D483h TL2 cmp b0, b1
D583h TL2 cmp b1, b0
DA9Ah TL2 cmp Bx@10, Ax@0
8B63h TL2 cmp p1, Ax@4
D38Eh TL2 cmp r6, Ax@4
BE00h TL cmpu MemImm8@0, Ax@8
9E80h TL cmpu MemRn@0, Ax@8 || Rn@0stepZIDS@3
9EA0h TL cmpu Register@0, Ax@8
8A63h TL2 cmpu r6, Ax@3
ED00h TL cmpv Imm16@16, MemImm8@0
8CE0h TL cmpv Imm16@16, MemRn@0 || Rn@0stepZIDS@3
8DE0h TL cmpv Imm16@16, Register@0
47BEh TL2 cmpv Imm16@16, r6
D390h TL cntx r ;restore shadows
D380h TL cntx s ;store shadows
67F0h TL copy Implied Ax@not12, Ax@12, Cond@0 ;aX=aY
67E0h TL dec Implied Const1, Ax@12, Cond@0 ;aX=aX-1
43C0h TL dint ;IE=0, interrupt disable
0E00h TL divs MemImm8@0, Ax@8
4380h TL eint ;IE=1, interrupt enable
9460h TL exp Bx@0, Implied sv
9060h TL exp Bx@0, Implied sv, Ax@8
9C40h TL exp MemRn@0, Implied sv || Rn@0stepZIDS@3
9840h TL exp MemRn@0, Implied sv, Ax@8 || Rn@0stepZIDS@3
9040h TL exp RegisterP0@0, Implied sv, Ax@8
9440h TL exp RegisterP0@0, Implied sv
D7C1h TL2 exp r6, Implied sv
D382h TL2 exp r6, Implied sv, Ax@4
67D0h TL inc Implied Const1, Ax@12, Cond@0 ;aX=aX+1
49C0h TL lim a0 ;aka a0,a0
49D0h TL lim a0, a1
49F0h TL lim a1 ;aka a1,a1
49E0h TL lim a1, a0
4D80h TL load Imm2u@0, ps ;st1.bit11-10=imm2
DB80h TL load Imm7s@0, stepi ;cfgi.LSB=imm7
DF80h TL load Imm7s@0, stepj ;cfgj.LSB=imm7
0400h TL load Imm8u@0, page ;st1.LSBs=imm8 ;aka "lpg"
0200h TL load Imm9u@0, modi ;cfgi.MSB=imm9
0A00h TL load Imm9u@0, modj ;cfgj.MSB=imm9
D7D8h TL2 load Imm2u@1, movpd, Unused1@0 ;stt2.bit6.7 (page for ProgMem)
0010h TL2 load Imm4u@0, ps01 ;mod0.bit10-11,13-14 and st1.10-11 ?
D400h TL maa MemR45@2, MemR0123@0, Ax@11
|| R0123@0stepZIDS@3, R45@2stepZIDS@5
8400h TL maa MemRn@0, Imm16@16, Ax@11 || Rn@0stepZIDS@3
8420h TL maa y0, MemRn@0, Ax@11 || Rn@0stepZIDS@3
8440h TL maa y0, Register@0, Ax@11
E400h TL maa y0, MemImm8@0, Ax@11
5EA8h TL2 maa y0, r6, Ax@0
D700h TL maasu MemR45@2, MemR0123@0, Ax@11
|| R0123@0stepZIDS@3, R45@2stepZIDS@5
8700h TL maasu MemRn@0, Imm16@16, Ax@11 || Rn@0stepZIDS@3
8720h TL maasu y0, MemRn@0, Ax@11 || Rn@0stepZIDS@3
8740h TL maasu y0, Register@0, Ax@11
5EAEh TL2 maasu y0, r6, Ax@0
D200h TL mac MemR45@2, MemR0123@0, Ax@11
|| R0123@0stepZIDS@3, R45@2stepZIDS@5
8200h TL mac MemRn@0, Imm16@16, Ax@11 || Rn@0stepZIDS@3
8220h TL mac y0, MemRn@0, Ax@11 || Rn@0stepZIDS@3
8240h TL mac y0, Register@0, Ax@11
E200h TL mac y0, MemImm8@0, Ax@11
5EA4h TL2 mac y0, r6, Ax@0
4D84h TL2 mac y0, x1, Ax@1, Unused1@0
5E28h TL2 mac1 MemR45@2, MemR01@2, Ax@8 || R01@2stepII2@0, R45@2stepII2@1
D600h TL macsu MemR45@2, MemR0123@0, Ax@11
|| R0123@0stepZIDS@3, R45@2stepZIDS@5
8600h TL macsu MemRn@0, Imm16@16, Ax@11 || Rn@0stepZIDS@3
E600h TL macsu y0, MemImm8@0, Ax@11
8620h TL macsu y0, MemRn@0, Ax@11 || Rn@0stepZIDS@3
8640h TL macsu y0, Register@0, Ax@11
5EACh TL2 macsu y0, r6, Ax@0
D300h TL macus MemR45@2, MemR0123@0, Ax@11
|| R0123@0stepZIDS@3, R45@2stepZIDS@5
8300h TL macus MemRn@0, Imm16@16, Ax@11 || Rn@0stepZIDS@3
8320h TL macus y0, MemRn@0, Ax@11 || Rn@0stepZIDS@3
8340h TL macus y0, Register@0, Ax@11
5EA6h TL2 macus y0, r6, Ax@0
D500h TL macuu MemR45@2, MemR0123@0, Ax@11
|| R0123@0stepZIDS@3, R45@2stepZIDS@5
8500h TL macuu MemRn@0, Imm16@16, Ax@11 || Rn@0stepZIDS@3
8520h TL macuu y0, MemRn@0, Ax@11 || Rn@0stepZIDS@3
8540h TL macuu y0, Register@0, Ax@11
5EAAh TL2 macuu y0, r6, Ax@0
8460h TL max NoReverse, Ax@8, Implied Ax@not8, Bogus MemR0, ge,
Implied mixp, Implied r0 || R0stepZIDS@3 ;when aY >= aX
8660h TL max NoReverse, Ax@8, Implied Ax@not8, Bogus MemR0, gt,
Implied mixp, Implied r0 || R0stepZIDS@3 ;when aY > aX
5E21h TL2 max a0h, a1h || max a0l, a1l || vtrshr
5F21h TL2 max a1h, a0h || max a1l, a0l || vtrshr
D784h TL2 max Axh@1, Bxh@0 || max Axl@1, Bxl@0 || vtrshr
4A40h TL2 max Axh@3, Bxh@4 || max Axl@3, Bxl@4 || mov Axl@not3, MemR04@1
|| vtrshr || R04@1stepII2@0
4A44h TL2 max Axh@3, Bxh@4 || max Axl@3, Bxl@4 || mov Axh@not3, MemR04@1
|| vtrshr || R04@1stepII2@0
45A0h TL2 max Axh@4, Bxh@3 || max Axl@4, Bxl@3 || mov Axh@not4, MemR45@2
|| mov Axl@not4, MemR01@2 || vtrshr
|| R01@2stepII2@0, R45@2stepII2@1
D590h TL2 max Axh@6, Bxh@5 || max Axl@6, Bxl@5 || mov Axh@not6, MemR01@2
|| mov Axl@not6, MemR45@2 || vtrshr
|| R01@2stepII2@0, R45@2stepII2@1
4A60h TL2 max Bxh@4, Axh@3 || max Bxl@4, Axl@3 || mov Bxl@not4, MemR04@1
|| vtrshr || R04@1stepII2@0
4A64h TL2 max Bxh@4, Axh@3 || max Bxl@4, Axl@3 || mov Bxh@not4, MemR04@1
|| vtrshr || R04@1stepII2@0
8060h TL maxd NoReverse, Ax@8, MemR0, ge, Implied mixp, Implied r0
|| R0stepZIDS@3 ;when (r0) >= aX
8260h TL maxd NoReverse, Ax@8, MemR0, gt, Implied mixp, Implied r0
|| R0stepZIDS@3 ;when (r0) > aX
8860h TL min NoReverse, Ax@8, Implied Ax@not8, Bogus MemR0, le,
Implied mixp, Implied r0 || R0stepZIDS@3 ;when aY <= aX
8A60h TL min NoReverse, Ax@8, Implied Ax@not8, Bogus MemR0, lt,
Implied mixp, Implied r0 || R0stepZIDS@3 ;when aY < aX
43C2h TL2 min Axh@0, Axh@not0 || min Axl@0, Axl@not0 || vtrshr
D2B8h TL2 min Axh@11, Bxh@10 || min Axl@11, Bxl@10
|| mov Axh@not11, MemR01@2 || mov Axl@not11, MemR45@2
|| vtrshr || R01@2stepII2@0, R45@2stepII2@1
4A00h TL2 min Axh@3, Bxh@4 || min Axl@3, Bxl@4 || mov Axl@not3, MemR04@1
|| vtrshr || R04@1stepII2@0
4A04h TL2 min Axh@3, Bxh@4 || min Axl@3, Bxl@4 || mov Axh@not3, MemR04@1
|| vtrshr || R04@1stepII2@0
45E0h TL2 min Axh@4, Bxh@3 || min Axl@4, Bxl@3 || mov Axh@not4, MemR45@2
|| mov Axl@not4, MemR01@2 || vtrshr
|| R01@2stepII2@0, R45@2stepII2@1
D4BAh TL2 min Axh@8, Bxh@0 || min Axl@8, Bxl@0 || vtrshr
4A20h TL2 min Bxh@4, Axh@3 || min Bxl@4, Axl@3 || mov Bxl@not4, MemR04@1
|| vtrshr || R04@1stepII2@0
4A24h TL2 min Bxh@4, Axh@3 || min Bxl@4, Axl@3 || mov Bxh@not4, MemR04@1
|| vtrshr || R04@1stepII2@0
47A0h TL2 mind NoReverse, Ax@3, MemR0, le, Implied mixp, Implied r0
|| R0stepZIDS@0
47A4h TL2 mind NoReverse, Ax@3, MemR0, lt, Implied mixp, Implied r0
|| R0stepZIDS@0
0080h TL modr MemRn@0stepZIDS@3
00A0h TL modr MemRn@0stepZIDS@3, dmod ;Disable modulo
D294h TL2 modr MemR0123@10stepII2D2S0@0 || modr MemR4567@10stepII2D2S0@5
0D80h TL2 modr MemR0123@5stepII2D2S0@1 || modr MemR4567@5stepII2D2S0@3, dmod
0D81h TL2 modr MemR0123@5stepII2D2S0@1, dmod
|| modr MemR4567@5stepII2D2S0@3, dmod
8464h TL2 modr MemR0123@8stepII2D2S0@0, dmod || modr MemR4567@8stepII2D2S0@3
5DA0h TL2 modr MemRn@0stepD2
5DA8h TL2 modr MemRn@0stepD2, dmod
4990h TL2 modr MemRn@0stepI2
4998h TL2 modr MemRn@0stepI2, dmod
D290h TL mov Ab@10, Ab@5
D298h TL mov Abl@10, dvm
D2D8h TL mov Abl@10, x0
3000h TL mov Ablh@9, MemImm8@0
D4BCh TL mov Axl@8, MemImm16@16
D49Ch TL mov Axl@8, MemR7Imm16@16
DC80h TL mov Axl@8, MemR7Imm7s@0
D4B8h TL mov MemImm16@16, Ax@8
6100h TL mov MemImm8@0, Ab@11
6200h TL mov MemImm8@0, Ablh@10
6500h TL mov MemImm8@0, Axh@12, eu ;aka Axheu
6000h TL mov MemImm8@0, R0123457y0@10
6D00h TL mov MemImm8@0, sv
D491h TL mov dvm, Ab@5
D492h TL mov icr, Ab@5
5E20h TL mov Imm16@16, Bx@8
5E00h TL mov Imm16@16, Register@0
4F80h TL mov Imm5u@0, icr ;uh, but icr is 8bit wide (only 4bit are R/W)?
2500h TL mov Imm8s@0, Axh@12 ;signed!
2900h TL mov Imm8s@0, ext0
2D00h TL mov Imm8s@0, ext1
3900h TL mov Imm8s@0, ext2
3D00h TL mov Imm8s@0, ext3
2300h TL mov Imm8s@0, R0123457y0@10 ;signed!
0500h TL mov Imm8s@0, sv
2100h TL mov Imm8u@0, Axl@12 ;unsigned!
D498h TL mov MemR7Imm16@16, Ax@8
D880h TL mov MemR7Imm7s@0, Ax@8
98C0h TL mov MemRn@0, Bx@8 || Rn@0stepZIDS@3
1C00h TL mov MemRn@0, Register@5 || Rn@0stepZIDS@3
47E0h TL mov MemSp, Register@0
47C0h TL mov mixp, Register@0
2000h TL mov R0123457y0@9, MemImm8@0
4FC0h TL mov Register@0, icr
5E80h TL mov Register@0, mixp
1800h TL mov Register@5, MemRn@0 || Rn@0stepZIDS@3
5EC0h TL mov RegisterP0@0, Bx@5
5800h TL mov RegisterP0@0, Register@5
D490h TL mov repc, Ab@5
7D00h TL mov sv, MemImm8@0
D493h TL mov x0, Ab@5
D49Bh TL2 mov a0h, stepi0
D59Bh TL2 mov a0h, stepj0
4390h TL2 mov a0h, MemR0425@2 || mov y0, MemR0425@2offsZIDZ@0
|| R0425@2stepII2D2S@0
43D0h TL2 mov a1h, MemR0425@2 || mov y0, MemR0425@2offsZIDZ@0
|| R0425@2stepII2D2S@0
8FD4h TL2 mov Ab@0, p0
43A0h TL2 mov Abh@3, MemR01@2 || mov Abl@3, MemR45@2
|| R01@2stepII2@0, R45@2stepII2@1
43E0h TL2 mov Abh@3, MemR45@2 || mov Abl@3, MemR01@2
|| R01@2stepII2@0, R45@2stepII2@1
9D40h TL2 mov Abh@4, MemR04@1 || mov Abh@2, MemR04@1offsZI@0
|| R04@1stepII2@0
9164h TL2 mov Abl@0, prpage
9064h TL2 mov Abl@0, repc
D394h TL2 mov Abl@0, x1
D384h TL2 mov Abl@0, y1
9540h TL2 mov Abl@3, ArArp@0
9C60h TL2 mov Abl@3, SttMod@0
9560h TL2 mov ArArp@0, Abl@3
D488h TL2 mov ArArp@0, MemR04@8 || R04@8stepII2@5
5F50h TL2 mov ArArpSttMod@0, MemR7Imm16@16
886Bh TL2 mov Ax@8, pc
8C60h TL2 mov Axh@4, MemR4567@8 || mov MemR0123@8, Axh@4
|| R0123@8stepII2D2S@0, R4567@8stepII2D2S@2
4800h TL2 mov Axh@6, MemR0123@4 || movr MemR4567@4, Axh@6
|| R0123@4stepII2D2S@0, R4567@4stepII2D2S@2
4900h TL2 mov Axh@6, MemR0123@4 || mov MemR4567@4, Axh@6
|| R0123@4stepII2D2S@0, R4567@4stepII2D2S@2
7F80h TL2 mov Axh@6, MemR4567@4 || movr MemR0123@4, Axh@6
|| R0123@4stepII2D2S@0, R4567@4stepII2D2S@2
8863h TL2 mov Bx@8, pc
0008h TL2 mov Imm16@16, ArArp@0
0023h TL2 mov Imm16@16, r6
0001h TL2 mov Imm16@16, repc
8971h TL2 mov Imm16@16, stepi0
8979h TL2 mov Imm16@16, stepj0
0030h TL2 mov Imm16@16, SttMod@0
5DD0h TL2 mov Imm4u@0, prpage
80C4h TL2 mov MemR01@9, Abh@10 || mov MemR45@9, Abl@10
|| R01@9stepII2@0, R45@9stepII2@8
D292h TL2 mov MemR0425@10_MemR0425@10offsZIDZ@5, Px@0
|| R0425@10stepII2D2S@5
D7D4h TL2 mov MemR04@1, repc || R04@1stepII2@0
5F4Ch TL2 mov MemR04@1, sv || sub3 MemR04@1, p0, p1, b0 || R04@1stepII2@0
D4B4h TL2 mov MemR04@1, sv || sub3rnd MemR04@1, p0, p1, b1 || R04@1stepII2@0
DE9Ch TL2 mov MemR04@1, sv || sub3rnd MemR04@1, p0, p1, b0 || R04@1stepII2@0
4B40h TL2 mov MemR04@3, sv || addsub MemR04@3, p1, p0, Bx@0
|| R04@3stepII2@2
4B42h TL2 mov MemR04@3, sv || addsubrnd MemR04@3, p1, p0, Bx@0
|| R04@3stepII2@2
8062h TL2 mov MemR04@4, ArArp@8 || R04@4stepII2@3
8063h TL2 mov MemR04@4, SttMod@8 || R04@4stepII2@3
9960h TL2 mov MemR04@4, sv || addsub MemR04@4, p1, p0, Bx@2
|| R04@4stepD2S@3 ;<-- ordered p1, p0 here !
99E0h TL2 mov MemR04@4, sv || addsubrnd MemR04@4, p1, p0, Bx@2
|| R04@4stepD2S@3 ;<-- ordered p1, p0 here !
9860h TL2 mov MemR04@4, sv || sub3 MemR04@4, p0, p1, Bx@2
|| R04@4stepD2S@3
98E0h TL2 mov MemR04@4, sv || sub3rnd MemR04@4, p0, p1, Bx@2
|| R04@4stepD2S@3
8873h TL2 mov MemR04@8, sv || sub3 MemR04@8, p0, p1, b1 || R04@8stepII2@3
D4C0h TL2 mov MemR45@5, Abh@2 || mov MemR01@5, Abl@2
|| R01@5stepII2@0, R45@5stepII2@1
4D90h TL2 mov MemR7Imm16@16, ArArpSttMod@0
D2DCh TL2 mov MemR7Imm16@16, repc, Unused2@0, Unused1@10
1B20h TL2 mov MemRn@0, r6 || Rn@0stepZIDS@3 ;override 1800h (mov a1,MemRn@0)
D29Ch TL2 mov MemSp, r6, Unused2@0, Unused1@10
8A73h TL2 mov mixp, Bx@3
4381h TL2 mov mixp, r6
4382h TL2 mov p0h, Bx@0
D3C2h TL2 mov p0h, r6
4B60h TL2 mov p0h, Register@0 ;<-- here "p0h" as source
8FD8h TL2 mov p1, Ab@0
88D0h TL2 mov Px@1, MemR0425@8_MemR0425@8offsZIDZ@2 || R0425@8stepII2D2S@2
88D1h TL2 mov Px@1, MemR0425@8_MemR0425@8offsZIDZ@2,s || R0425@8stepII2D2S@2
D481h TL2 mov r6, Bx@8
1B00h TL2 mov r6, MemRn@0 || Rn@0stepZIDS@3 ;override 1800h (mov a0,MemRn@0)
43C1h TL2 mov r6, mixp
5F00h TL2 mov r6, Register@0
5F60h TL2 mov Register@0, r6
D2D9h TL2 mov repc, Abl@10
D7D0h TL2 mov repc, MemR04@1 || R04@1stepII2@0
D3C8h TL2 mov repc, MemR7Imm16@16, Unused3@0
D482h TL2 mov stepi0, a0h
D582h TL2 mov stepj0, a0h
D2F8h TL2 mov SttMod@0, Abl@10
49C1h TL2 mov x1, Ab@4
D299h TL2 mov y1, Ab@10
5EB0h TL2 mov prpage, Abl@0
49A0h TL2 mov SttMod@0, MemR04@4 || R04@4stepII2@3
4DC0h TL2 mova Ab@4, MemR0425@2_MemR0425@2offsZIDZ@0 || R0425@2stepII2D2S@0
4BC0h TL2 mova MemR0425@2_MemR0425@2offsZIDZ@0, Ab@4 || R0425@2stepII2D2S@0
5F80h TL movd MemR0123@0,ProgMemR45@2 || R0123@0stepZIDS@3, R45@2stepZIDS@5
0040h TL movp ProgMemAxl@5, Register@0
0D40h TL2 movp ProgMemAx@5, Register@0
0600h TL movp ProgMemRn@0, MemR0123@5 || R0123@5stepZIDS@7, Rn@0stepZIDS@3
D499h TL2 movpdw ProgMemAx@8_ProgMemAx@8offsI, pc
8864h TL movr MemR0425@3, Abh@8 || R0425@3stepII2D2S@0 ;op*10000h+8000h
9CE0h TL movr MemRn@0, Ax@8 || Rn@0stepZIDS@3
9CC0h TL movr RegisterP0@0, Ax@8
5DF4h TL2 movr Bx@1, Ax@0
8961h TL2 movr r6, Ax@3
6300h TL movs Implied sv, MemImm8@0, Ab@11
0180h TL movs Implied sv, MemRn@0, Ab@5 || Rn@0stepZIDS@3
0100h TL movs Implied sv, RegisterP0@0, Ab@5
5F42h TL2 movs Implied sv, r6, Ax@0
4080h TL movsi Implied Imm5s@0, R0123457y0@9, Ab@5, Bogus Imm5s@0
D000h TL mpy MemR45@2, MemR0123@0 || R0123@0stepZIDS@3, R45@2stepZIDS@5
8000h TL mpy MemRn@0, Imm16@16 || Rn@0stepZIDS@3
8020h TL mpy y0, MemRn@0 || Rn@0stepZIDS@3
8040h TL mpy y0, Register@0
E000h TL mpy y0, MemImm8@0
5EA0h TL2 mpy y0, r6
CB00h TL2 mpy MemR45@5, MemR01@5 || mpysu MemR45@5offsZI@4, MemR01@5offsZI@3
|| sub3 p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CB01h TL2 mpy MemR45@5, MemR01@5 || mpyus MemR45@5offsZI@4, MemR01@5offsZI@3
|| sub3 p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CB02h TL2 mpy MemR45@5, MemR01@5 || mpysu MemR45@5offsZI@4, MemR01@5offsZI@3
|| sub3a p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CB03h TL2 mpy MemR45@5, MemR01@5 || mpyus MemR45@5offsZI@4, MemR01@5offsZI@3
|| sub3a p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CB04h TL2 mpy MemR45@5, MemR01@5 || mpysu MemR45@5offsZI@4, MemR01@5offsZI@3
|| add3 p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CB05h TL2 mpy MemR45@5, MemR01@5 || mpyus MemR45@5offsZI@4, MemR01@5offsZI@3
|| add3 p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CB06h TL2 mpy MemR45@5, MemR01@5 || mpysu MemR45@5offsZI@4, MemR01@5offsZI@3
|| add3a p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CB07h TL2 mpy MemR45@5, MemR01@5 || mpyus MemR45@5offsZI@4, MemR01@5offsZI@3
|| add3a p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
D5E0h TL2 mpy MemR04@1, x1 || mpy y1, x0 || sub3 p0, p1, Ax@3
|| R04@1stepII2@0
D5E4h TL2 mpy MemR04@1, x1 || mpy y1, x0 || add3 p0, p1, Ax@3
|| R04@1stepII2@0
C800h TL2 mpy MemR4567@4, MemR0123@4
|| mpy MemR4567@4offsZIDZ@2, MemR0123@4offsZIDZ@0
|| add3 p0, p1, Ab@6 || R0123@4stepII2D2S@0, R4567@4stepII2D2S@2
C900h TL2 mpy MemR4567@4, MemR0123@4
|| mpy MemR4567@4offsZIDZ@2, MemR0123@4offsZIDZ@0
|| sub3 p0, p1, Ab@6 || R0123@4stepII2D2S@0, R4567@4stepII2D2S@2
80C2h TL2 mpy MemR45@0, MemR01@0 || mpy MemR45@0offsZI@9, MemR01@0offsZI@8
|| add3a p0, p1, Ab@10 || R01@0stepII2@8, R45@0stepII2@9
49C8h TL2 mpy MemR45@2, MemR01@2 || mpy MemR45@2offsZI@1, MemR01@2offsZI@0
|| sub3a p0, p1, Ab@4 || R01@2stepII2@0, R45@2stepII2@1
80C8h TL2 mpy MemR45@2, MemR01@2 || mpy MemR45@2offsZI@1, MemR01@2offsZI@0
|| addsub p0, p1, Ab@10 || R01@2stepII2@0, R45@2stepII2@1
81C8h TL2 mpy MemR45@2, MemR01@2 || mpy MemR45@2offsZI@1, MemR01@2offsZI@0
|| addsuba p0, p1, Ab@10 || R01@2stepII2@0, R45@2stepII2@1
82C8h TL2 mpy MemR45@2, MemR01@2 || mpy MemR45@2offsZI@1, MemR01@2offsZI@0
|| add p0, p1, Ab@10 || R01@2stepII2@0, R45@2stepII2@1
83C8h TL2 mpy MemR45@2, MemR01@2 || mpy MemR45@2offsZI@1, MemR01@2offsZI@0
|| adda p0, p1, Ab@10 || R01@2stepII2@0, R45@2stepII2@1
00C0h TL2 mpy MemR45@3, MemR01@3 || mpy MemR45@3offsZI@2, MemR01@3offsZI@1
|| sub p0, p1, Ab@4 || R01@3stepII2@1, R45@3stepII2@2
00C1h TL2 mpy MemR45@3, MemR01@3 || mpy MemR45@3offsZI@2, MemR01@3offsZI@1
|| suba p0, p1, Ab@4 || R01@3stepII2@1, R45@3stepII2@2
0D20h TL2 mpy MemR45@3, MemR01@3 || mpyus MemR45@3offsZI@2, MemR01@3offsZI@1
|| add3a p0, p1, Ax@0, dmodi || R01@3stepII2@1, R45@3stepII2@2
0D30h TL2 mpy MemR45@3, MemR01@3 || mpyus MemR45@3offsZI@2, MemR01@3offsZI@1
|| add3a p0, p1, Ax@0, dmodj || R01@3stepII2@1, R45@3stepII2@2
4B50h TL2 mpy MemR45@3, MemR01@3 || mpyus MemR45@3offsZI@2, MemR01@3offsZI@1
|| add3a p0, p1, Ax@0, dmodij || R01@3stepII2@1, R45@3stepII2@2
D7A0h TL2 mpy MemR45@3, MemR01@3 || mpy MemR45@3offsZI@2, MemR01@3offsZI@1
|| add3 sv, p0, p1, Ax@4 || R01@3stepII2@1, R45@3stepII2@2
D7A1h TL2 mpy MemR45@3, MemR01@3 || mpy MemR45@3offsZI@2, MemR01@3offsZI@1
|| add3rnd sv, p0, p1, Ax@4 || R01@3stepII2@1, R45@3stepII2@2
9861h TL2 mpy MemR45@4, MemR01@4 || mpy MemR45@4offsZI@3, MemR01@4offsZI@2
|| add3 p0, p1, Ax@8, dmodj || R01@4stepII2@2, R45@4stepII2@3
9862h TL2 mpy MemR45@4, MemR01@4 || mpy MemR45@4offsZI@3, MemR01@4offsZI@2
|| add3 p0, p1, Ax@8, dmodi || R01@4stepII2@2, R45@4stepII2@3
9863h TL2 mpy MemR45@4, MemR01@4 || mpy MemR45@4offsZI@3, MemR01@4offsZI@2
|| add3 p0, p1, Ax@8, dmodij || R01@4stepII2@2, R45@4stepII2@3
98E1h TL2 mpy MemR45@4, MemR01@4 || mpy MemR45@4offsZI@3, MemR01@4offsZI@2
|| add3a p0, p1, Ax@8, dmodj || R01@4stepII2@2, R45@4stepII2@3
98E2h TL2 mpy MemR45@4, MemR01@4 || mpy MemR45@4offsZI@3, MemR01@4offsZI@2
|| add3a p0, p1, Ax@8, dmodi || R01@4stepII2@2, R45@4stepII2@3
98E3h TL2 mpy MemR45@4, MemR01@4 || mpy MemR45@4offsZI@3, MemR01@4offsZI@2
|| add3a p0, p1, Ax@8, dmodij || R01@4stepII2@2, R45@4stepII2@3
4DA0h TL2 mpy y0, MemR04@3 || mpyus y1, MemR04@3offsZI@2
|| sub3 p0, p1, Ax@4 || R04@3stepII2@2
4DA1h TL2 mpy y0, MemR04@3 || mpyus y1, MemR04@3offsZI@2
|| sub3a p0, p1, Ax@4 || R04@3stepII2@2
4DA2h TL2 mpy y0, MemR04@3 || mpyus y1, MemR04@3offsZI@2
|| add3 p0, p1, Ax@4 || R04@3stepII2@2
4DA3h TL2 mpy y0, MemR04@3 || mpyus y1, MemR04@3offsZI@2
|| add3a p0, p1, Ax@4 || R04@3stepII2@2
94E0h TL2 mpy y0, MemR04@4 || mpy y1, MemR04@4offsZI@3
|| sub3 p0, p1, Ax@8 || R04@4stepII2@3
94E2h TL2 mpy y0, MemR04@4 || mpy y1, MemR04@4offsZI@3
|| sub3a p0, p1, Ax@8 || R04@4stepII2@3
94E4h TL2 mpy y0, MemR04@4 || mpy y1, MemR04@4offsZI@3
|| add3 p0, p1, Ax@8 || R04@4stepII2@3
94E6h TL2 mpy y0, MemR04@4 || mpy y1, MemR04@4offsZI@3
|| add3a p0, p1, Ax@8 || R04@4stepII2@3
94E1h TL2 mpy y0, MemR04@4 || mpysu y1, MemR04@4offsZI@3
|| sub3 p0, p1, Ax@8 || R04@4stepII2@3
94E3h TL2 mpy y0, MemR04@4 || mpysu y1, MemR04@4offsZI@3
|| sub3a p0, p1, Ax@8 || R04@4stepII2@3
94E5h TL2 mpy y0, MemR04@4 || mpysu y1, MemR04@4offsZI@3
|| add3 p0, p1, Ax@8 || R04@4stepII2@3
94E7h TL2 mpy y0, MemR04@4 || mpysu y1, MemR04@4offsZI@3
|| add3a p0, p1, Ax@8 || R04@4stepII2@3
8862h TL2 mpy y0, x1 || mpy MemR04@4, x0 || sub3 p0, p1, Ax@8
|| R04@4stepII2@3
8A62h TL2 mpy y0, x1 || mpy MemR04@4, x0 || add3 p0, p1, Ax@8
|| R04@4stepII2@3
4D88h TL2 mpy y0, x1 || mpy y1, x0 || sub p0, p1, Ax@1
5E24h TL2 mpy y0, x1 || mpy y1, x0 || add p0, p1, Ab@0
8061h TL2 mpy y0, x1 || mpy y1, x0 || add3 p0, p1, Ab@8
8071h TL2 mpy y0, x1 || mpy y1, x0 || add3a p0, p1, Ab@8
8461h TL2 mpy y0, x1 || mpy y1, x0 || sub3 p0, p1, Ab@8
8471h TL2 mpy y0, x1 || mpy y1, x0 || sub3a p0, p1, Ab@8
D484h TL2 mpy y0, x1 || mpy y1, x0 || add3aa p0, p1, Ab@0
D49Dh TL2 mpy y0, x1 || mpy y1, x0 || sub p0, p1, Bx@5
D4A0h TL2 mpy y0, x1 || mpy y1, x0 || addsub p0, p1, Ab@0
4FA0h TL2 mpy y0, x1 || mpy y1, x0 || add3 p0, p1, Ab@3
|| mov Axh@6, MemR04@1 || mov Bxh@2, MemR04@1offsZI@0
|| R04@1stepII2@0
5818h TL2 mpy y0, x1 || mpy y1, x0 || addsub sv, p0, p1, Ax@0
|| mov Axh@0, MemR0425@7 || mov Axh@not0, MemR0425@7offsZI@6
|| R0425@7stepII2@6 ;override 5800h+18h (mov a0, Register)
5838h TL2 mpy y0, x1 || mpy y1, x0 || addsubrnd sv, p0, p1, Ax@0
|| mov Axh@0, MemR0425@7 || mov Axh@not0, MemR0425@7offsZI@6
|| R0425@7stepII2@6 ;override 5800h+38h (mov a1, Register)
80D0h TL2 mpy y0, x1 || mpy y1, x0 || addsub sv, p0, p1, Ax@10
|| mov Axh@9, MemR04@3 || mov Bxh@8, MemR04@3offsZI@2
|| R04@3stepII2@2
80D1h TL2 mpy y0, x1 || mpy y1, x0 || addsubrnd sv, p0, p1, Ax@10
|| mov Axh@9, MemR04@3 || mov Bxh@8, MemR04@3offsZI@2
|| R04@3stepII2@2
80D2h TL2 mpy y0, x1 || mpy y1, x0 || add3 sv, p0, p1, Ax@10
|| mov Axh@9, MemR04@3 || mov Bxh@8, MemR04@3offsZI@2
|| R04@3stepII2@2
80D3h TL2 mpy y0, x1 || mpy y1, x0 || add3rnd sv, p0, p1, Ax@10
|| mov Axh@9, MemR04@3 || mov Bxh@8, MemR04@3offsZI@2
|| R04@3stepII2@2
D3A0h TL2 mpy y0, x1 || mpy y1, x0 || addsub p0, p1, Ab@3
|| mov Axh@6, MemR04@1 || mov Bxh@2, MemR04@1offsZI@0
|| R04@1stepII2@0
4D89h TL2 mpy y0, x1 || mpyus y1, x0 || sub p0, p1, Ax@1
5F24h TL2 mpy y0, x1 || mpyus y1, x0 || add p0, p1, Ab@0
8069h TL2 mpy y0, x1 || mpyus y1, x0 || add3 p0, p1, Ab@8
8079h TL2 mpy y0, x1 || mpyus y1, x0 || add3a p0, p1, Ab@8
8469h TL2 mpy y0, x1 || mpyus y1, x0 || sub3 p0, p1, Ab@8
8479h TL2 mpy y0, x1 || mpyus y1, x0 || sub3a p0, p1, Ab@8
D584h TL2 mpy y0, x1 || mpyus y1, x0 || add3aa p0, p1, Ab@0
D59Dh TL2 mpy y0, x1 || mpyus y1, x0 || sub p0, p1, Bx@5
D5A0h TL2 mpy y0, x1 || mpyus y1, x0 || addsub p0, p1, Ab@0
0800h TL mpyi NoReverse, Implied p0, y0, Imm8s@0 ;multiply ;aka "mpys"
D100h TL mpysu MemR45@2, MemR0123@0 || R0123@0stepZIDS@3, R45@2stepZIDS@5
8100h TL mpysu MemRn@0, Imm16@16 || Rn@0stepZIDS@3
8120h TL mpysu y0, MemRn@0 || Rn@0stepZIDS@3
8140h TL mpysu y0, Register@0
CA00h TL2 mpysu MemR45@5, MemR01@5
|| mpysu MemR45@5offsZI@4, MemR01@5offsZI@3
|| sub3a p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CA01h TL2 mpysu MemR45@5, MemR01@5
|| mpyus MemR45@5offsZI@4, MemR01@5offsZI@3
|| sub3a p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CA02h TL2 mpysu MemR45@5, MemR01@5
|| mpysu MemR45@5offsZI@4, MemR01@5offsZI@3
|| sub3aa p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CA03h TL2 mpysu MemR45@5, MemR01@5
|| mpyus MemR45@5offsZI@4, MemR01@5offsZI@3
|| sub3aa p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CA04h TL2 mpysu MemR45@5, MemR01@5
|| mpysu MemR45@5offsZI@4, MemR01@5offsZI@3
|| add3a p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CA05h TL2 mpysu MemR45@5, MemR01@5
|| mpyus MemR45@5offsZI@4, MemR01@5offsZI@3
|| add3a p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CA06h TL2 mpysu MemR45@5, MemR01@5
|| mpysu MemR45@5offsZI@4, MemR01@5offsZI@3
|| add3aa p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
CA07h TL2 mpysu MemR45@5, MemR01@5
|| mpyus MemR45@5offsZI@4, MemR01@5offsZI@3
|| add3aa p0, p1, Ab@6 || R01@5stepII2@3, R45@5stepII2@4
5EA2h TL2 mpysu y0, r6
D080h TL msu MemR45@2,MemR0123@0,Ax@8 || R0123@0stepZIDS@3, R45@2stepZIDS@5
90C0h TL msu MemRn@0, Imm16@16, Ax@8 || Rn@0stepZIDS@3 ;multiply, subtract
9080h TL msu y0, MemRn@0, Ax@8 || Rn@0stepZIDS@3
90A0h TL msu y0, Register@0, Ax@8
B000h TL msu y0,MemImm8@0, Ax@8
9462h TL2 msu y0, r6, Ax@0
8264h TL2 msusu y0, MemR0425@3, Ax@8 || R0425@3stepII2D2S@0
6790h TL neg Ax@12, Cond@0 ;aX=0-aX
0000h TL nop
94C0h TL norm Ax@8, Bogus MemRn@0 || Rn@0stepZIDS@3 ;if N=0 (aX=aX*2,rN+/-)
6780h TL not Ax@12, Cond@0 ;aX=not aX
D4F8h TL or MemImm16@16, Ax@8
A000h TL or MemImm8@0, Ax@8
80C0h TL or Imm16@16, Ax@8
C000h TL or Imm8u@0, Ax@8
D4D8h TL or MemR7Imm16@16, Ax@8
4000h TL or MemR7Imm7s@0, Ax@8
8080h TL or MemRn@0, Ax@8 || Rn@0stepZIDS@3
80A0h TL or RegisterP0@0, Ax@8
D291h TL2 or Ab@10, Ax@6, Ax@5
D4A4h TL2 or Ax@8, Bx@1, Ax@0
D3C4h TL2 or b0, Bx@1, Ax@0
D7C4h TL2 or b1, Bx@1, Ax@0
D388h TL2 or r6, Ax@4
67B0h TL pacr Implied Const8000h, Implied p0, Ax@12, Cond@0 ;aX=shfP+8000h
D7C2h TL2 pacr1 Implied Const8000h, Implied p1, Ax@0
5E60h TL pop Register@0
47B4h TL2 pop Abe@0
80C7h TL2 pop ArArpSttMod@8
0006h TL2 pop Bx@5, Unused1@0
D7F4h TL2 pop prpage, Unused2@0
D496h TL2 pop Px@0
0024h TL2 pop r6, Unused1@0
D7F0h TL2 pop repc, Unused2@0
D494h TL2 pop x0
D495h TL2 pop x1
0004h TL2 pop y1, Unused1@0
47B0h TL2 popa Ab@0
5F40h TL push Imm16@16
5E40h TL push Register@0
D7C8h TL2 push Abe@1, Unused1@0
D3D0h TL2 push ArArpSttMod@0
D7FCh TL2 push prpage, Unused2@0
D78Ch TL2 push Px@1, Unused1@0
D4D7h TL2 push r6, Unused1@5
D7F8h TL2 push repc, Unused2@0
D4D4h TL2 push x0, Unused1@5
D4D5h TL2 push x1, Unused1@5
D4D6h TL2 push y1, Unused1@5
4384h TL2 pusha Ax@6, Unused2@0
D788h TL2 pusha Bx@1, Unused1@0
0C00h TL rep Imm8u@0 ;repeat next opcode N+1 times
0D00h TL rep Register@0 ;repeat next opcode N+1 times
0002h TL2 rep r6, Unused1@0
4580h TL ret Cond@0 ;=pop pc
D780h TL retd ;delayed return (after 2 clks)
45C0h TL reti Cond@0 ;Don't context switch
45D0h TL reti Cond@0, context ;Do context switch
D7C0h TL retid ;delayed, from interrupt
D3C3h TL2 retid context
0900h TL rets Imm8u@0 ;ret+dealloc sp (for INCOMING pushed params)
67A0h TL rnd Implied Const8000h, Ax@12, Cond@0 ;aX=aX+8000h
6750h TL rol Implied Const1, Ax@12, Cond@0 ;aX=aX rcl 1 (37bit rotate)
6F50h TL rol Implied Const1, Bx@12, Cond@0 ;bX=bX rcl 1 (37bit rotate)
6740h TL ror Implied Const1, Ax@12, Cond@0 ;aX=aX rcr 1 (37bit rotate)
6F40h TL ror Implied Const1, Bx@12, Cond@0 ;bX=bX rcr 1 (37bit rotate)
E300h TL rst Imm16@16, MemImm8@0
82E0h TL rst Imm16@16, MemRn@0 || Rn@0stepZIDS@3
83E0h TL rst Imm16@16, Register@0
47B9h TL2 rst Imm16@16, r6
4388h TL2 rst Imm16@16, SttMod@0
E100h TL set Imm16@16, MemImm8@0
80E0h TL set Imm16@16, MemRn@0 || Rn@0stepZIDS@3
81E0h TL set Imm16@16, Register@0
47B8h TL2 set Imm16@16, r6
43C8h TL2 set Imm16@16, SttMod@0
D280h TL shfc Implied sv, Ab@10, Ab@5, Cond@0
9240h TL shfi Implied Imm6s@0, Ab@10, Ab@7, Bogus Imm6s@0
6720h TL shl Implied Const1, Ax@12, Cond@0 ;aX=aX*2
6F20h TL shl Implied Const1, Bx@12, Cond@0 ;bX=bX*2
6730h TL shl4 Implied Const4, Ax@12, Cond@0 ;aX=aX*10h
6F30h TL shl4 Implied Const4, Bx@12, Cond@0 ;bX=bX*10h
6700h TL shr Implied Const1, Ax@12, Cond@0 ;aX=aX/2
6F00h TL shr Implied Const1, Bx@12, Cond@0 ;bX=bX/2
6710h TL shr4 Implied Const4, Ax@12, Cond@0 ;aX=aX/10h
6F10h TL shr4 Implied Const4, Bx@12, Cond@0 ;bX=bX/10h
BA00h TL sqr MemImm8@0
9A80h TL sqr MemRn@0 || Rn@0stepZIDS@3
9AA0h TL sqr Register@0
D790h TL2 sqr Abh@2 || sqr Abl@2 || add3 p0, p1, Ab@0
49C4h TL2 sqr Abh@4 || mpysu Abh@4, Abl@4 || add3a p0, p1, Ab@0
4B00h TL2 sqr MemR0425@4 || sqr MemR0425@4offsZIDZ@2 || add3 p0, p1, Ab@0
|| R0425@4stepII2D2S@2
5F41h TL2 sqr r6
BC00h TL sqra MemImm8@0, Ax@8
9C80h TL sqra MemRn@0, Ax@8 || Rn@0stepZIDS@3
9CA0h TL sqra Register@0, Ax@8
9062h TL2 sqra r6, Ax@8, Unused1@0
D4FFh TL sub MemImm16@16, Ax@8
AE00h TL sub MemImm8@0, Ax@8
8EC0h TL sub Imm16@16, Ax@8
CE00h TL sub Imm8u@0, Ax@8
D4DFh TL sub MemR7Imm16@16, Ax@8
4E00h TL sub MemR7Imm7s@0, Ax@8
8E80h TL sub MemRn@0, Ax@8 || Rn@0stepZIDS@3
8EA0h TL sub RegisterP0@0, Ax@8
8A61h TL2 sub Ab@3, Bx@8
8861h TL2 sub Bx@4, Ax@3
8064h TL2 sub MemR01@8, sv, Abh@3 || add MemR01@8offsZI@0, sv, Abl@3
|| mov MemR45@8, sv || R01@8stepII2@0, R45@8stepII2@1
5DE0h TL2 sub MemR04@1, sv, Abh@2 || add MemR04@1offsZI@0, sv, Abl@2
|| R04@1stepII2@0
6FC0h TL2 sub MemR45@2, MemR01@2, Abh@3
|| add MemR45@2offsZI@1, MemR01@2offsZI@0, Abl@3
|| R01@2stepII2@0, R45@2stepII2@1
6FE0h TL2 sub MemR45@2, MemR01@2, Abh@3
|| sub MemR45@2offsZI@1, MemR01@2offsZI@0, Abl@3
|| R01@2stepII2@0, R45@2stepII2@1
5D80h TL2 sub MemR45@2, sv, Abh@3 || add MemR45@2offsZI@1, sv, Abl@3
|| mov MemR01@2, sv || R01@2stepII2@0, R45@2stepII2@1
5DC2h TL2 sub p0, p1, Ab@2
D4B9h TL2 sub p1, Ax@8
8FD0h TL2 sub Px@1, Bx@0
D38Fh TL2 sub r6, Ax@4
80C6h TL2 sub3 p0, p1, Ab@10
82C6h TL2 sub3a p0, p1, Ab@10
83C6h TL2 sub3aa p0, p1, Ab@10
5DC3h TL2 suba p0, p1, Ab@2
B600h TL subh MemImm8@0, Ax@8
9680h TL subh MemRn@0, Ax@8 || Rn@0stepZIDS@3
96A0h TL subh Register@0, Ax@8
5E23h TL2 subh r6, Ax@8
B800h TL subl MemImm8@0, Ax@8
9880h TL subl MemRn@0, Ax@8 || Rn@0stepZIDS@3
98A0h TL subl Register@0, Ax@8
5E22h TL2 subl r6, Ax@8
EF00h TL subv Imm16@16, MemImm8@0
8EE0h TL subv Imm16@16, MemRn@0 || Rn@0stepZIDS@3
8FE0h TL subv Imm16@16, Register@0
47BFh TL2 subv Imm16@16, r6
4980h TL swap SwapTypes4@0
0020h TL trap ;software interrupt
A800h TL tst0 Axl@8, MemImm8@0
8880h TL tst0 Axl@8, MemRn@0 || Rn@0stepZIDS@3
88A0h TL tst0 Axl@8, Register@0
E900h TL tst0 Imm16@16, MemImm8@0
88E0h TL tst0 Imm16@16, MemRn@0 || Rn@0stepZIDS@3
89E0h TL tst0 Imm16@16, Register@0
D38Ch TL2 tst0 Axl@4, r6
47BCh TL2 tst0 Imm16@16, r6
9470h TL2 tst0 Imm16@16, SttMod@0
AA00h TL tst1 Axl@8, MemImm8@0 Implied Not
8A80h TL tst1 Axl@8, MemRn@0 Implied Not || Rn@0stepZIDS@3
8AA0h TL tst1 Axl@8, Register@0 Implied Not
EB00h TL tst1 Imm16@16, MemImm8@0 Implied Not
8AE0h TL tst1 Imm16@16, MemRn@0 Implied Not || Rn@0stepZIDS@3
8BE0h TL tst1 Imm16@16, Register@0 Implied Not
D38Dh TL2 tst1 Axl@4, r6 Implied Not
47BDh TL2 tst1 Imm16@16, r6 Implied Not
9478h TL2 tst1 Imm16@16, SttMod@0 Implied Not
80C1h TL2 tst4b a0l, MemR0425@10 || R0425@10stepII2D2S@8
4780h TL2 tst4b a0l, MemR0425@2, Ax@4 || R0425@2stepII2D2S@0
F000h TL tstb NoReverse, Implied Not MemImm8@0, Imm4bitno@8
9020h TL tstb NoReverse, Implied Not MemRn@0, Imm4bitno@8 || Rn@0stepZIDS@3
9000h TL tstb NoReverse, Implied Not Register@0, Imm4bitno@8
9018h TL2 tstb NoReverse, Implied Not r6, Imm4bitno@8 ;override tstb a0,Imm4
0028h TL2 tstb NoReverse, Implied Not SttMod@0, Imm4bitno@16, Unused12@20
5F45h TL2 vtrclr vtr0 ;vtr0=0 ;for Viterbi decoding...
5F47h TL2 vtrclr vtr0, vtr1 ;vtr0=0, vtr1=0 ;(saved C/C1 carry flags)
5F46h TL2 vtrclr vtr1 ;vtr1=0
D383h TL2 vtrmov Axl@4 ;Axl=(vtr1 and FF00h)+(vtr0/100h)
D29Ah TL2 vtrmov vtr0, Axl@0 ;Axl=vtr0
D69Ah TL2 vtrmov vtr1, Axl@0 ;Axl=vtr1
D781h TL2 vtrshr ;vtr0=vtr0/2+C*8000h, vtr1=vtr1/2+C1*8000h
D4FAh TL xor MemImm16@16, Ax@8
A400h TL xor MemImm8@0, Ax@8
84C0h TL xor Imm16@16, Ax@8
C400h TL xor Imm8u@0, Ax@8
D4DAh TL xor MemR7Imm16@16, Ax@8
4400h TL xor MemR7Imm7s@0, Ax@8
8480h TL xor MemRn@0, Ax@8 || Rn@0stepZIDS@3
84A0h TL xor RegisterP0@0, Ax@8
D38Ah TL2 xor r6, Ax@4
8800h TL undefined Unused5@0, Unused1@8 ;(mpy/mpys without A in bit11)
8820h TL undefined Unused5@0, Unused1@8 ;(mpy/mpys without A in bit11)
8840h TL undefined Unused5@0, Unused1@8 ;(mpy/mpys without A in bit11)
D800h TL undefined Unused7@0, Unused1@8 ;(mpy/mpys without A in bit11)
9B80h TL undefined Unused6@0 ;(sqr without A in bit8)
BB00h TL undefined Unused8@0 ;(sqr without A in bit8)
E800h TL undefined Unused8@0 ;(mpy without A in bit11)
5EA1h TL2 undefined Unused1@1 ;(mpy/mpys without A in bit11)
5DFCh TL2 undefined
8CDEh TL2 undefined
D3C1h TL2 undefined
5EB4h TL2 undefined Unused2@0
|
| DSi TeakLite II Operand Encoding |
name native nocash MemRn (Rn) [Rn] MemSp (sp) [sp] ProgMemRn (Rn) [code:movpd:Rn] ProgMemAxl (Axl) [code:movpd:Axl] ProgMemAx (Ax) [code:Ax] ProgMemAx_.. (Ax),(Ax+) [code:Ax]:[code:Ax+] MemImm8 0xNN [page:NNh] MemImm16 [##0xNNNN] [NNNNh] MemR7Imm7s (r7+#0xNN), (r7+#-NNN) [r7+/-NNh] MemR7Imm16 (r7+##0xNNNN) [r7+NNNNh] |
Address18 0xNNNNN NNNNNh ;for bkrep/br/call Address16 0xNNNN NNNNh ;for bkrep RelAddr7 0xNNNN NNNNh ;for jmp ImmN: #0xNNNN NNNNh ImmNs: #0xNN, #-NNN +/-NNh Imm16: ##0xNNNN NNNNh Imm4bitno: ... 1 shl N ConstZero <implied> 0000h Const1 <implied> 0001h Const4 <implied> 0004h Const8000h <implied> 8000h |
Register: RegisterP0: Ax: Axl: Axh: Px: 00: r0 00: r0 0: a0 0: a0l 0: a0h 0: p0 01: r1 01: r1 1: a1 1: a1l 1: a1h 1: p1 02: r2 02: r2 03: r3 03: r3 Bx: Bxl: Bxh: Ablh: 04: r4 04: r4 0: b0 0: b0l 0: b0h 0: b0l 05: r5 05: r5 1: b1 1: b1l 1: b1h 1: b0h 06: r7 06: r7 2: b1l 07: y0 07: y0 Ab: Abl: Abh: Abe: 3: b1h 08: st0 08: st0 0: b0 0: b0l 0: b0h 0: b0e 4: a0l 09: st1 09: st1 1: b1 1: b1l 1: b1h 1: b1e 5: a0h 0A: st2 0A: st2 2: a0 2: a0l 2: a0h 2: a0e 6: a1l 0B: p0h !! 0B: p0 !! 3: a1 3: a1l 3: a1h 3: a1e 7: a1h 0C: pc 0C: pc 0D: sp 0D: sp Cond: 0E: cfgi 0E: cfgi 0: true ;Always ;always 0F: cfgj 0F: cfgj 1: eq ;Equal to zero ;Z=1 10: b0h 10: b0h 2: neq ;Not equal to zero ;Z=0 11: b1h 11: b1h 3: gt ;Greater than zero ;M=0 and Z=0 12: b0l 12: b0l 4: ge ;Greater or equal to zero ;M=0 13: b1l 13: b1l 5: lt ;Less than zero ;M=1 14: ext0 14: ext0 6: le ;Less or equal to zero ;M=1 or Z=1 15: ext1 15: ext1 7: nn ;Normalize flag is cleared ;N=0 16: ext2 16: ext2 8: c ;Carry flag is set ;C=1 17: ext3 17: ext3 9: v ;Overflow flag is set ;V=1 18: a0 18: a0 A: e ;Extension flag is set ;E=1 19: a1 19: a1 B: l ;Limit flag is set ;L=1 1A: a0l 1A: a0l C: nr ;R flag is cleared ;R=0 1B: a1l 1B: a1l D: niu0 ;Input user pin 0 cleared ;IUSER0=0 1C: a0h 1C: a0h E: iu0 ;Input user pin 0 set ;IUSER0=1 1D: a1h 1D: a1h F: iu1 ;Input user pin 1 set ;IUSER1=1 1E: lc 1E: lc 1F: sv 1F: sv |
R0123457y0: Rn: ArArpSttMod: ArArp: SttMod:
0: r0 0: r0 0: ar0 0: ar0 0: stt0
1: r1 1: r1 1: ar1 1: ar1 1: stt1
2: r2 2: r2 2: arp0 2: arp0 2: stt2
3: r3 3: r3 3: arp1 3: arp1 3: reserved
4: r4 4: r4 4: arp2 4: arp2 4: mod0
5: r5 5: r5 5: arp3 5: arp3 5: mod1
6: r7 ;aka rb 6: r6 ;TL2 only 6: reserved 6: reserved 6: mod2
7: y0 ;aka y 7: r7 ;TL2 only 7: reserved 7: reserved 7: mod3
8: stt0
R01: R04: R45: 9: stt1 Ar: BankFlags:
0: r0 0: r0 0:r4 A: stt2 0: ar0 01h: cfgi
1: r1 1: r4 1:r5 B: reserved 1: ar1 02h: r4
C: mod0 04h: r1
R0123: R0425: R4567: D: mod1 Arp: 08h: r0
0: r0 0: r0 0: r4 E: mod2 0: arp0 10h: r7 ;TL2
1: r1 1: r4 1: r5 F: mod3 1: arp1 20h: cfgj ;TL2
2: r2 2: r2 2: r6 2: arp2
3: r3 3: r5 3: r7 3: arp3
|
SwapTypes: val native nocash ;meaning 0: (a0,b0) a0,b0 ;a0 <--> b0 ;flags(a0) 1: (a0,b1) a0,b1 ;a0 <--> b1 ;flags(a0) 2: (a1,b0) a1,b0 ;a1 <--> b0 ;flags(a1) 3: (a1,b1) a1,b1 ;a1 <--> b1 ;flags(a1) 4: (a0,b0),(a1,b1) a0:a1,b0:b1 ;a0 <--> b0 and a1 <--> b1 ;flags(a0) 5: (a0,b1),(a1,b0) a0:a1,b1:b0 ;a0 <--> b1 and a1 <--> b0 ;flags(a0) 6: (a0,b0,a1) a1,b0,a0 ;a0 --> b0 --> a1 ;flags(a1) 7: (a0,b1,a1) a1,b1,a0 ;a0 --> b1 --> a1 ;flags(a1) 8: (a1,b0,a0) a0,b0,a1 ;a1 --> b0 --> a0 ;flags(a0) 9: (a1,b1,a0) a0,b1,a1 ;a1 --> b1 --> a0 ;flags(a0) A: (b0,a0,b1) b1,a0,b0 ;b0 --> a0 --> b1 ;flags(a0)! B: (b0,a1,b1) b1,a1,b0 ;b0 --> a1 --> b1 ;flags(a1)! C: (b1,a0,b0) b0,a0,b1 ;b1 --> a0 --> b0 ;flags(a0)! D: (b1,a1,b0) b0,a1,b1 ;b1 --> a1 --> b0 ;flags(a1)! E: reserved reserved ;- ;- F: reserved reserved ;- ;- |
offsZI: ;maybe offsAr01 ? 0: '' ;Z (zero) 1: '+' ;I (increment) offsI: 0: '+' ;I (increment) offsZIDZ: ;aka offsAr0123 0: '' ;Z (zero) 1: '+' ;I (increment) 2: '-' ;D (decrement) 3: '' ;Z (zero) stepZIDS: 0: '' ;Z (zero) 1: '+1' ;I (increment) 2: '-1' ;D (decrement) 3: '+s' ;S (add step) ;XXX ? see "stepi" and "stepj" modrstepZIDS: 0: '' ;Z (zero) 1: '+' ;I (increment) 2: '-' ;D (decrement) 3: '+s' ;S (add step) ;XXX ? see "stepi" and "stepj" stepII2D2S: ;aka stepAr0123@ 0: '+1' ;I (increment) 1: '+2' ;I2 (increment twice) 2: '-2' ;D2 (decrement twice) 3: '+s' ;S (add step) ;XXX ? see "stepi" and "stepj" stepD2S: 0: '-2' ;D2 (decrement twice) 1: '+s' ' ;S (add step) ;XXX ? see "stepi" and "stepj" modrstepII2D2S0: 0: '+' ;I (increment) 1: '+2' ;I2 (increment twice) 2: '-2' ;D2 (decrement twice) 3: '+s0' ;S0 (add step0 ?) ;XXX ?? see "stepi0" and "stepj0" stepII2: 0: '+1' ;I (increment) 1: '+2' ;I2 (increment twice) modrstepI2: 0: '+2' ;I2 (increment twice) modrstepD2: 0: '-2' ;D2 (decrement twice) |
| DSi New Shared WRAM (for ARM7, ARM9, DSP) |
Old WRAM-0/1 32Kbytes (2x16K), mappable to ARM7, or ARM9 New WRAM-A 256Kbytes (4x64K), mappable to ARM7, or ARM9 New WRAM-B 256Kbytes (8x32K), mappable to ARM7, ARM9, or DSP-program memory New WRAM-C 256Kbytes (8x32K), mappable to ARM7, ARM9, or DSP-data memory |
____________________________ Slot Write Protect ______________________________ |
0-3 WRAM-A, Port 4004040h-4004043h Write (0=Writeable by ARM9, 1=Read-only) 4-7 Unknown/Unused (0) 8-15 WRAM-B, Port 4004044h-400404Bh Write (0=Writeable by ARM9, 1=Read-only) 16-23 WRAM-C, Port 400404Ch-4004053h Write (0=Writeable by ARM9, 1=Read-only) 24-31 Unknown/Unused (0) ;but, carthdr has nonzero data for it? |
______________________________ Slot Allocation ______________________________ |
0 Master (0=ARM9, 1=ARM7) 1 Not used 2-3 Offset (0..3) (slot 0..3) (LSB of address in 64Kbyte units) 4-6 Not used 7 Enable (0=Disable, 1=Enable) |
0-1 Master (0=ARM9, 1=ARM7, 2 or 3=DSP/code) 2-4 Offset (0..7) (slot 0..7) (LSB of address in 32Kbyte units) 5-6 Not used (0) 7 Enable (0=Disable, 1=Enable) |
0-1 Master (0=ARM9, 1=ARM7, 2 or 3=DSP/data) 2-4 Offset (0..7) (slot 0..7) (LSB of address in 32Kbyte units) 5-6 Not used (0) 7 Enable (0=Disable, 1=Enable) |
______________________________ Address Mapping ______________________________ |
0-3 Not used (0) 4-11 Start Address (3000000h+N*10000h) ;=3000000h..3FF0000h 12-13 Image Size (0 or 1=64KB/Slot0, 2=128KB/Slot0+1+2??, 3=256KB/Slot0..3) 14-19 Not used (0) 20-28 End Address (3000000h+N*10000h-1) ;=2FFFFFFh..4FEFFFFh 29-31 Not used (0) |
0-2 Not used (0) 3-11 Start Address (3000000h+N*8000h) ;=3000000h..3FF8000h 12-13 Image Size (0=32K/Slot0,1=64KB/Slot0-1,2=128KB/Slot0-3,3=256KB/Slot0-7) 14-18 Not used (0) 19-28 End Address (3000000h+N*8000h-1) ;=2FFFFFFh..4FF7FFFh 29-31 Not used (0) |
___________________________________ Notes ___________________________________ |
Slots 0,1,2,3,0,1,2,3,0,1,2,3,0,1,2,3,etc. |
Slots -,-,-,-,-,-,2,3,0,1,2,3,-,-,-,-,etc. |
Slots -,-,-,-,-,-,2,z,0,1,2,z,-,-,-,-,etc. |
New Shared-WRAM-A Highest Priority New Shared-WRAM-B High Priority New Shared-WRAM-C Low Priority Old Shared-WRAM-0/1 Lowest Priority Old ARM7-WRAM Whatever Priority (unknown...) I/O ports 4xxxxxxh Whatever Priority (unknown...) |
Unknown what happens when selecting multiple WRAM blocks to the same slot? |
| DSi New DMA |
0-15 Unused (0) 16-19 Cycle Selection (0=None, 1..15=1..16384 clks) ;1 SHL (N-1) 20-30 Unused (0) 31 DMA Arbitration Mode (0=NDMA0=HighestPriority, 1=RoundRobinPriority) |
0-1 Unused (0) 2-31 DMA Source/Destination Address, in 4-byte steps |
0-27 Total Number of Words to Transfer (1..0FFFFFFFh, or 0=10000000h) 28-31 Unused (0) |
0-23 Number of Words to Transfer (1..00FFFFFFh, or 0=01000000h) 24-31 Unused (0) |
0-15 Interval Timer (1..FFFFh, or 0=Infinite/TillTransferEnd) 16-17 Prescaler (33.514MHz SHR (n*2)) ;0=33MHz, 1=8MHz, 2=2MHz, 3=0.5MHz 18-31 Unused (0) |
0-31 Fill Data (can be used as Fixed Source Data for memfill's) |
0-9 Unused (0) 10-11 Dest Address Update (0=Increment, 1=Decrement, 2=Fixed, 3=Reserved) 12 Dest Address Reload (0=No, 1=Reload at (logical blk?) transfer end) 13-14 Source Address Update (0=Increment, 1=Decrement, 2=Fixed, 3=FillData) 15 Source Address Reload (0=No, 1=Reload at (logical blk?) transfer end) 16-19 Physical Block Size (0..0Fh=1..32768 words, aka (1 SHL n) words) 20-23 Unused (0) 24-28 DMA Startup Mode (00h..1Fh, see ARM7/ARM9 startup lists below) 29 DMA Repeat Mode (0=Repeat until NDMAxTCNT, 1=Repeat infinitely) 30 DMA Interrupt Enable (0=Disable, 1=Enable) 31 DMA Enable/Busy (0=Disable, 1=Enable/Busy) |
00h Timer0 ;\ 01h Timer1 ; new NDMA-specific modes 02h Timer2 ; 03h Timer3 ;/ 04h DS Cartridge Slot 05h Reserved (maybe 2nd DS-Cart Slot, or GBA slot relict?) 06h V-Blank 07h H-Blank (but not during V-blank) 08h Display Sync (sync to H-blank drawing) ;Uh, what is BLANK-DRAWING ?? 09h Work RAM (what?) (=probably Main memory display, as on NDS) 0Ah Geometry Command FIFO 0Bh Camera ;-new NDMA-specific mode 0Ch..0Fh Reserved 10h..1Fh Start immediately (without repeat) |
00h Timer0 ;\ 01h Timer1 ; new NDMA-specific modes 02h Timer2 ; 03h Timer3 ;/ 04h DS Cartridge Slot 05h Reserved? (maybe 2nd DS-Cart Slot, or GBA slot relict?) 06h V-Blank 07h NDS-Wifi 08h SD/MMC (SD_DATA32_FIFO) ;\ 09h DSi-Wifi (SDIO_DATA32_FIFO) ; 0Ah AES in (AES_WRFIFO) ; new NDMA-specific modes 0Bh AES out (AES_RDFIFO) ; 0Ch MIC? ;/ 0Dh..0Fh Reserved? 10h..1Fh Start immediately (without repeat) |
| DSi SoundExt |
0-3 NITRO/DSP ratio (valid range is 0 to 8) (R/W) 4-12 Unknown/Unused (0) (0?) 13 Sound/Microphone I2S frequency (0=32.73 kHz, 1=47.61 kHz) (R or R/W) 14 Mute status (?=Mute WHAT?) (R/W) 15 Enable Microphone (and Sound Output!) (1=Enable) (R/W) |
00h DSP sound 8/8, NITRO sound 0/8 (=DSP sound only) 01h DSP sound 7/8, NITRO sound 1/8 02h DSP sound 6/8, NITRO sound 2/8 03h DSP sound 5/8, NITRO sound 3/8 04h DSP sound 4/8, NITRO sound 4/8 (=half volume for DSP and NITRO each) 05h DSP sound 3/8, NITRO sound 5/8 06h DSP sound 2/8, NITRO sound 6/8 07h DSP sound 1/8, NITRO sound 7/8 08h DSP sound 0/8, NITRO sound 8/8 (=NITRO sound only) 09h..0Fh Reserved |
| DSi Advanced Encryption Standard (AES) |
| DSi AES I/O Ports |
0-4 Write FIFO Count (00h..10h words) (00h=Empty, 10h=Full) (R)
5-9 Read FIFO Count (00h..10h words) (00h=Empty, 10h=Full) (R)
10 Write FIFO Flush (0=No change, 1=Flush) (N/A or W)
11 Read FIFO Flush (0=No change, 1=Flush) (N/A or W)
12-13 Write FIFO DMA Size (0..3 = 16,12,8,4 words) (2=Normal=8) (R or R/W)
14-15 Read FIFO DMA Size (0..3 = 4,8,12,16 words) (1=Normal=8) (R or R/W)
16-18 CCM MAC Size, max(4,(N*2+2)) bytes, (usually 7=16 bytes) (R or R/W)
19 CCM Pass Associated Data to RDFIFO (0=No/Normal, 1=Yes) (R or R/W)
Bit19=1 is a bit glitchy: The data should theoretically arrive in
RDFIFO immediately after writing 4 words to WRFIFO, but actually,
Bit19=1 seems to cause 4 words held hidden in neither FIFO, until
the first Payload block is written (at that point, the hidden
associated words are suddenly appearing into RDFIFO)
20 CCM MAC Verify Source (0=From AES_WRFIFO, 1=From AES_MAC) (R or R/W)
21 CCM MAC Verify Result (0=Invalid/Busy, 1=Verified/Okay) (R)
22-23 Unknown/Unused (0) (0)
24 Key Select (0=No change, 1=Apply key selected in Bit26-27) (W)
25 Key Schedule Busy (uh, always 0=ready?) (rather sth else busy?) (R)
26-27 Key Slot (0..3=KEY0..KEY3, applied via Bit24) (R or R/W)
28-29 Mode (0=CCM/decrypt, 1=CCM/encrypt, 2=CTR, 3=Same as 2) (R or R/W)
30 Interrupt Enable (0=Disable, 1=Enable IRQ on Transfer End) (R or R/W)
31 Start/Enable (0=Disable/Ready, 1=Enable/Busy) (R/W)
|
0-15 Number of Extra associated data blocks for AES-CCM (unused for AES-CTR) 16-31 Number of Payload data blocks (0..FFFFh = 0..FFFF0h bytes) |
0-31 Data |
For AES-CTR mode: CTR[00h..0Fh] = AES_IV[00h..0Fh]
CBC[00h..0Fh] = not used by AES-CTR mode
For AES-CCM mode: CTR[00h..0Fh] = 00h,00h,00h,AES_IV[00h..0Bh],02h
CBC[00h..0Fh] = x0h,xxh,0xh,AES_IV[00h..0Bh],flg
|
AES-CCM Encryption: MAC is returned in AES_RDFIFO after transfer AES-CCM Decryption, AES_CNT.20=0: MAC written to AES_WRFIFO after transfer AES-CCM Decryption, AES_CNT.20=1: MAC written to AES_MAC before transfer |
Byte 00h-0Fh Normal 128bit Key ;\use either normal key, Byte 10h-1Fh Special 128bit Key_X ; or special key_x/y Byte 20h-2Fh Special 128bit Key_Y ;/ |
Key = ((Key_X XOR Key_Y) + FFFEFB4E295902582A680F5F1A4F3E79h) ROL 42 |
| DSi AES Little-Endian High Level Functions |
aes_setkey(ENCRYPT,key,key_size] ;-init key
[ctr+0..15] = [iv+0..15] ;-init ctr
n=[nc_off]
while len>0 ;code is 100% same for ENCRYPT and DECRYPT ;\
if n=0 ; encrypt
aes_crypt_block(ENCRYPT,ctr,tmp) ; or decrypt
littleendian(ctr)=littleendian(ctr)+1 ;increment counter ; message
[dst] = [src] xor [tmp+n] ;
src=src+1, dst=dst+1, len=len-1, n=(n+1) and 0Fh ;/
[nc_off]=n
|
if mac_len<4 or mac_len>16 or (mac_len and 1)=1 then error ;\limits
if iv_len<7 or iv_len>13 then error ;/
aes_setkey(ENCRYPT,key,key_size] ;-init key
ctr_len = 15-iv_len ;\
[ctr+15]=ctr_len-1 ;bit3..7=zero ;1 byte (ctr_len) ; init ctr
[ctr+(15-iv_len)..14] = [iv+0..(iv_len-1)] ;7..13 bytes (iv) ;
[ctr+0..(14-iv_len)]=littleendian(0) ;8..2 bytes (counter=0) ;/
[cbc+0..15]=littleendian(msg_len) ;-[(iv_len+1)..15]=msg_len ;\
if [cbc+15..15-iv_len]<>0 then error ;msg_len overlaps iv/flags ;
[cbc+(15-iv_len)..14]=[iv+0..iv_len-1] ;-[1..iv_len]=iv/nonce ;
[cbc+15].bit7=0 ;reserved/zero ;\ ; init cbc
[cbc+15].bit6=(xtra_len>0) ; [15]=flags ;
[cbc+15].bit5..3=(mac_len/2-1) ; ;
[cbc+15].bit2..0=(ctr_len-1) ;/ ;
aes_crypt_block(ENCRYPT,cbc,cbc) ;UPDATE_CBC_MAC ;/
if NintendoDSi then ;\
a=0 ;the DSi hardware doesn't support xtra_len encoding at all ;
elseif xtra_len<0FF00h then ;
[cbc+14..15]=[cbc+14..15] xor littleendian(xtra_len), a=2 ; weird
elseif xtra_len<100000000h then ; encoding
[cbc+14..15]=[cbc+14..15] xor littleendian(FFFEh) ; for
[cbc+10..13]=[cbc+10..13] xor littleendian(xtra_len), a=6 ; xtra_len
else ;
[cbc+14..15]=[cbc+14..15] xor littleendian(FFFFh) ;
[cbc+6..13] =[cbc+6..13] xor littleendian(xtra_len), a=10 ;/
while xtra_len>0 ;\scatter
z=min(xtra_len,16-a) ; cbc by
[cbc+16-a-z..(15-a)]=[cbc+16-a-z..(15-a)] xor [xtra+0..(z-1)] ; xtra
aes_crypt_block(ENCRYPT,cbc,cbc) ;UPDATE_CBC_MAC ; (if any)
xtra=xtra+z, xtra_len=xtra_len-z, a=0 ;/
while msg_len>0 ;\
littleendian(ctr)=littleendian(ctr)+1 ;increment counter ;
aes_crypt_block(ENCRYPT,ctr,tmp) ;CTR_CRYPT ;
z=min(msg_len,16) ; encrypt
if mode=ENCRYPT ; or decrypt
[cbc+(16-z)..15] = [cbc+(16-z)..15] xor [src+0..(z-1)] ; message
[dst+0..(z-1)] = [src+0..(z-1)] xor [tmp+(16-z)..15] ; body
if mode=DECRYPT ;
[cbc+(16-z)..15] = [cbc+(16-z)..15] xor [dst+0..(z-1)] ;
aes_crypt_block(ENCRYPT,cbc,cbc) ;UPDATE_CBC_MAC ;
src=src+z, dst=dst+z, msg_len=msg_len-z ;/
[ctr+0..(14-iv_len)]=littleendian(0) ;reset counter=0 ;\
aes_crypt_block(ENCRYPT,ctr,tmp) ;CTR_CRYPT ; message
[cbc+0..15] = [cbc+0..15] xor [tmp+0..15] ; auth code
z=mac_len ; (mac)
IF mode=ENCRYPT then [mac+0..(z-1)] = [cbc+(16-z)..15] ;
IF mode=DECRYPT and [mac+0..(z-1)] <> [cbc+(16-z)..15] then error;/
|
aes_setkey(mode,key,key_size] ;-init key
[cbc+0..15] = [iv+0..15] ;-init cbc
if (len AND 0Fh)>0 then error
while len>0 ;\
if mode=ENCRYPT ;
[dst+0..15] = [src+0..15] xor [cbc+0..15] ;
aes_crypt_block(mode,dst,dst) ; encrypt
[cbc+0..15] = [dst+0..15] ; or decrypt
if mode=DECRYPT ; message
[tmp+0..15] = [src+0..15] ;
aes_crypt_block(mode,src,dst) ;
[dst+0..15] = [dst+0..15] xor [cbc+0..15] ;
[cbc+0..15] = [tmp+0..15] ;
src=src+16, dst=dst+16, len=len-16 ;/
|
aes_setkey(ENCRYPT,key,key_size] ;-init key
[cfb+0..15] = [iv+0..15] ;-init cfb
n=[iv_off]
while len>0 ;\
if n=0 then aes_crypt_block(ENCRYPT,cfb,cfb) ; encrypt
if mode=DECRYPT then c=[src], [dst]=c xor [cfb+n], [cfb+n]=c ; or decrypt
if mode=ENCRYPT then c=[cfb+n] xor [src], [cfb+n]=c, [dst]=c ; message
src=src+1, dst=dst+1, len=len-1, n=(n+1) and 0Fh ;/
[iv_off]=n
|
aes_setkey(ENCRYPT,key,key_size] ;-init key
[cfb+0..15] = [iv+0..15] ;-init cfb
n=[iv_off]
while len>0 ;\
aes_crypt_block(ENCRYPT,cfb,tmp) ;
[cfb+1..15] = [cfb+0..14] ;shift with 8-bit step ; encrypt
if mode=DECRYPT then [cfb+0] = [src+(n xor 0Fh)] ; or decrypt
[dst+(n xor 0Fh)] = [src+(n xor 0Fh)] xor [tmp+15] ;shift-in ; message
if mode=ENCRYPT then [cfb+0] = [dst+(n xor 0Fh)] ;
len=len-1, n=n+1 ;/
[iv_off]=n
|
aes_setkey(mode,key,key_size] ;-init key
if (len AND 0Fh)>0 then error
while len>0 ;\encrypt
aes_crypt_block(mode,src,dst) ; or decrypt
src=src+16, dst=dst+16, len=len-16 ;/message
|
| DSi AES Little-Endian Core Function and Key Schedule |
aes_crypt_block(mode,src,dst):
Y0 = RK[0] xor [src+00h]
Y1 = RK[1] xor [src+04h]
Y2 = RK[2] xor [src+08h]
Y3 = RK[3] xor [src+0Ch]
;below code depending on mode: <---ENCRYPT---> -or- <---DECRYPT--->
for i=1 to nr-1
X0 = RK[i*4+0] xor scatter32(FT,Y1,Y2,Y3,Y0) -or- (RT,Y3,Y2,Y1,Y0)
X1 = RK[i*4+1] xor scatter32(FT,Y2,Y3,Y0,Y1) -or- (RT,Y0,Y3,Y2,Y1)
X2 = RK[i*4+2] xor scatter32(FT,Y3,Y0,Y1,Y2) -or- (RT,Y1,Y0,Y3,Y2)
X3 = RK[i*4+3] xor scatter32(FT,Y0,Y1,Y2,Y3) -or- (RT,Y2,Y1,Y0,Y3)
Y0=X0, Y1=X1, Y2=X2, Y3=X3
[dst+00h] = RK[nr*4+0] xor scatter8(FSb,Y1,Y2,Y3,Y0) -or- (RSb,Y3,Y2,Y1,Y0)
[dst+04h] = RK[nr*4+1] xor scatter8(FSb,Y2,Y3,Y0,Y1) -or- (RSb,Y0,Y3,Y2,Y1)
[dst+08h] = RK[nr*4+2] xor scatter8(FSb,Y3,Y0,Y1,Y2) -or- (RSb,Y1,Y0,Y3,Y2)
[dst+0Ch] = RK[nr*4+3] xor scatter8(FSb,Y0,Y1,Y2,Y3) -or- (RSb,Y2,Y1,Y0,Y3)
|
scatter32(TAB,a,b,c,d): scatter8(TAB,a,b,c,d): w= (TAB[a.bit0..7] ror 24) w.bit0..7 = TAB[a.bit0..7] w=w xor (TAB[b.bit8..15] ror 16) w.bit8..15 = TAB[b.bit8..15] w=w xor (TAB[c.bit16..23] ror 8) w.bit16..23 = TAB[c.bit16..23] w=w xor (TAB[d.bit24..31]) w.bit24..31 = TAB[d.bit24..31] return w return w |
aes_setkey(mode,key,keysize): ;out: RK[0..43/51/59], nr=10/12/14
aes_generate_tables ;<-- unless tables are already initialized
if keysize<>128 and keysize<>192 and keysize<>256 then error ;size in bits
rc=01h, j=0, jj=keysize/32, nr=jj+6 ;jj=4,6,8 ;\
for i=0 to (nr+1)*4-1 ;nr=10,12,14 ; copy 16/24/32-byte key
if i<jj then w=[key+(jj-1-i)*4+0..3] ; to RK[0..3/5/7]
else w=w xor RK[(i-jj) xor 3] ; and, make
RK[i xor 3]=w, j=j+1 ; RK[4/6/8..43/51/59]
if j=jj then ;
w=scatter8(FSb,w,w,w,w) ;
w=(w rol 8) xor (rc shl 24) ;
j=0, rc=rc*2, if rc>0FFh then rc=rc xor 11Bh ;
if j=4 and jj=8 then w=scatter8(FSb,w,w,w,w) ;/
if mode=DECRYPT then
for i=0 to nr/2-1 ;swap entries (except middle one)
for j=0 to 3
w=RK[i*4+j], v=RK[nr*4-i*4+j]
RK[i*4+j]=v, RK[nr*4-i*4+j]=w
for i=4 to nr*4-1 ;modify entries (except RK[0..3] and RK[nr*4+0..3])
w=RK[i], w=scatter8(FSb,w,w,w,w), RK[i]=scatter32(RT,w,w,w,w)
|
| DSi AES Little-Endian Tables and Test Values |
aes_generate_tables:
for i=0 to 0FFh ;compute pow and log tables...
if i=0 then x=01h, else x=x xor x*2, if x>0FFh then x=x xor 11Bh
pow[i]=x, log[x]=i
for i=0 to 0FFh ;generate the forward and reverse S-boxes...
x=pow[0FFh-log[i]]
x=x xor (x rol 1) xor (x rol 2) xor (x rol 3) xor (x rol 4) xor 63h
if i=0 then x=63h
FSb[i]=x, RSb[x]=i
for i=0 to 0FFh ;generate the forward and reverse tables...
x=FSb[i]*2, if x>0FFh then x=x xor 11Bh
FT[i]=(FSb[i]*00010101h) xor (x*01000001h)
w=00000000h, x=RSb[i]
if x<>00h then ;ie. not at i=63h
w=w+pow[(log[x]+log[0Eh]) mod 00FFh]*1000000h
w=w+pow[(log[x]+log[09h]) mod 00FFh]*10000h
w=w+pow[(log[x]+log[0Dh]) mod 00FFh]*100h
w=w+pow[(log[x]+log[0Bh]) mod 00FFh]*1h
RT[i]=w
|
aes_generate_tables_results: pow[00h..FFh] = 01,03,05,0F,11,..,C7,52,F6,01 ;pow ;\needed temporarily log[00h..FFh] = 00,FF,19,01,32,..,C0,F7,70,07 ;log ;/for table creation FSb[00h..FFh] = 63,7C,77,7B,F2,..,B0,54,BB,16 ;Forward S-box RSb[00h..FFh] = 52,09,6A,D5,30,..,55,21,0C,7D ;Reverse S-box FT[00h..FFh] = C66363A5,F87C7C84,..,2C16163A ;Forward Table RT[00h..FFh] = 51F4A750,7E416553,..,D0B85742 ;Reverse Table |
aes_setkey_results: key = "AES-Test-Key-Str-1234567-Abcdefg" ;use only 1st bytes for 128/192bit 128bit ENCRYPT --> RK[0..9..30..43] = 2D534541..2783080F..93AF7DF0..827EE10D 192bit ENCRYPT --> RK[0..9..30..51] = 79654B2D..9708FA95..2529372B..C66C19FA 256bit ENCRYPT --> RK[0..9..30..59] = 3332312D..DF5C92A5..74174E2E..3C8ADAE6 128bit DECRYPT --> RK[0..9..30..43] = AEABCD4D..ECD33F19..8C87B246..7274532D 192bit DECRYPT --> RK[0..9..30..51] = AFA9796F..72A3EFE5..455646C7..37363534 256bit DECRYPT --> RK[0..9..30..59] = 0ED52830..4601F929..415A7D65..67666564 |
aes_crypt_results: [key+0..15] = "AES-Test-Key-Str-1234567-Abcdefg" [iv+0..15] = "Nonce/InitVector" [xtra+0..20] = "Extra-Associated-Data" ;\for CCM iv_len=12, mac_len=16, xtra_len=xx ;/ Unencrypted: [dta+0..113Fh] = "Unencrypted-Data", 190h x "TestPadding" AES-ECB: [dta+0..113Fh] = 20,24,73,88,..,44,A8,D6,A8 ;\ AES-CBC: [dta+0..113Fh] = A4,6F,7A,F2,..,58,C9,02,B4 ; AES-CFB128: [dta+0..113Fh] = 20,C6,DB,35,..,9A,83,7F,DB ; keysize=128 AES-CFB8: [dta+0..113Fh] = 55,C7,75,1C,..,24,6E,A6,D1 ; AES-CTR: [dta+0..113Fh] = 20,C6,DB,35,..,AB,09,0C,75 ; AES-CCM: [dta+0..113Fh] = C8,37,D7,F1,..,7B,EF,FC,12 ; AES-CCM (ori): [mac+0..0Fh] = xx,xx,xx,xx,..,xx,xx,xx,xx ; AES-CCM (DSi): [mac+0..0Fh] = xx,xx,xx,xx,..,xx,xx,xx,xx ;/ AES-ECB: [dta+0..113Fh] = CC,B6,4D,17,..,D3,56,3E,64 ;-keysize=192 AES-ECB: [dta+0..113Fh] = A9,A9,9B,3E,..,8A,C6,13,A1 ;-keysize=256 |
| DSi AES Big-Endian High Level Functions |
aes_setkey(ENCRYPT,key,key_size] ;-init key
[ctr+0..15] = [iv+0..15] ;-init ctr
n=[nc_off]
while len>0 ;code is 100% same for ENCRYPT and DECRYPT ;\
if n=0 ; encrypt
aes_crypt_block(ENCRYPT,ctr,tmp) ; or decrypt
bigendian(ctr)=bigendian(ctr)+1 ;increment counter ; message
[dst] = [src] xor [tmp+n] ;
src=src+1, dst=dst+1, len=len-1, n=(n+1) and 0Fh ;/
[nc_off]=n
|
if mac_len<4 or mac_len>16 or (mac_len and 1)=1 then error ;\limits
if iv_len<7 or iv_len>13 then error ;/
aes_setkey(ENCRYPT,key,key_size] ;-init key
ctr_len = 15-iv_len ;\
[ctr+0]=ctr_len-1 ;bit3..7=zero ;1 byte (ctr_len) ; init ctr
[ctr+1..iv_len] = [iv+0..(iv_len-1)] ;7..13 bytes (iv) ;
[ctr+(iv_len+1)..15]=bigendian(0) ;8..2 bytes (counter=0) ;/
[cbc+0..15]=bigendian(msg_len) ;-[(iv_len+1)..15]=msg_len ;\
if [cbc+0..iv_len]<>0 then error ;errif msg_len overlaps iv/flags;
[cbc+1..iv_len]=[iv+0..iv_len-1] ;-[1..iv_len]=iv (aka nonce) ;
[cbc+0].bit7=0 ;reserved/zero ;\ ; init cbc
[cbc+0].bit6=(xtra_len>0) ; [0]=flags ;
[cbc+0].bit5..3=(mac_len/2-1) ; ;
[cbc+0].bit2..0=(ctr_len-1) ;/ ;
aes_crypt_block(ENCRYPT,cbc,cbc) ;UPDATE_CBC_MAC ;/
if NintendoDSi then ;\
a=0 ;the DSi hardware doesn't support xtra_len encoding at all ;
elseif xtra_len<0FF00h then ;
[cbc+0..1]=[cbc+0..1] xor bigendian(xtra_len), a=2 ; weird
elseif xtra_len<100000000h then ; encoding
[cbc+0..1]=[cbc+0..1] xor bigendian(FFFEh) ; for
[cbc+2..5]=[cbc+2..5] xor bigendian(xtra_len), a=6 ; xtra_len
else ;
[cbc+0..1]=[cbc+0..1] xor bigendian(FFFFh) ;
[cbc+2..9]=[cbc+2..9] xor bigendian(xtra_len), a=10 ;/
while xtra_len>0 ;\scatter
z=min(xtra_len,16-a) ; cbc by
[cbc+a..(a+z-1)]=[cbc+a..(a+z-1)] xor [xtra+0..(z-1)] ; xtra
aes_crypt_block(ENCRYPT,cbc,cbc) ;UPDATE_CBC_MAC ; (if any)
xtra=xtra+z, xtra_len=xtra_len-z, a=0 ;/
while msg_len>0 ;\
bigendian(ctr)=bigendian(ctr)+1 ;increment counter ;
aes_crypt_block(ENCRYPT,ctr,tmp) ;CTR_CRYPT ;
z=min(msg_len,16) ; encrypt
if mode=ENCRYPT ; or decrypt
[cbc+0..(z-1)] = [cbc+0..(z-1)] xor [src+0..(z-1)] ; message
[dst+0..(z-1)] = [src+0..(z-1)] xor [tmp+0..(z-1)] ; body
if mode=DECRYPT ;
[cbc+0..(z-1)] = [cbc+0..(z-1)] xor [dst+0..(z-1)] ;
aes_crypt_block(ENCRYPT,cbc,cbc) ;UPDATE_CBC_MAC ;
src=src+z, dst=dst+z, msg_len=msg_len-z ;/
[ctr+(iv_len+1)..15]=bigendian(0) ;reset counter=0 ;\
aes_crypt_block(ENCRYPT,ctr,tmp) ;CTR_CRYPT ; message
[cbc+0..15] = [cbc+0..15] xor [tmp+0..15] ; auth code
z=mac_len ; (mac)
IF mode=ENCRYPT then [mac+0..(z-1)] = [cbc+0..(z-1)] ;
IF mode=DECRYPT and [mac+0..(z-1)] <> [cbc+0..(z-1)] then error ;/
|
aes_setkey(mode,key,key_size] ;-init key
[cbc+0..15] = [iv+0..15] ;-init cbc
if (len AND 0Fh)>0 then error
while len>0 ;\
if mode=ENCRYPT ;
[dst+0..15] = [src+0..15] xor [cbc+0..15] ;
aes_crypt_block(mode,dst,dst) ; encrypt
[cbc+0..15] = [dst+0..15] ; or decrypt
if mode=DECRYPT ; message
[tmp+0..15] = [src+0..15] ;
aes_crypt_block(mode,src,dst) ;
[dst+0..15] = [dst+0..15] xor [cbc+0..15] ;
[cbc+0..15] = [tmp+0..15] ;
src=src+16, dst=dst+16, len=len-16 ;/
|
aes_setkey(ENCRYPT,key,key_size] ;-init key
[cfb+0..15] = [iv+0..15] ;-init cfb
n=[iv_off]
while len>0 ;\
if n=0 then aes_crypt_block(ENCRYPT,cfb,cfb) ; encrypt
if mode=DECRYPT then c=[src], [dst]=c xor [cfb+n], [cfb+n]=c ; or decrypt
if mode=ENCRYPT then c=[cfb+n] xor [src], [cfb+n]=c, [dst]=c ; message
src=src+1, dst=dst+1, len=len-1, n=(n+1) and 0Fh ;/
[iv_off]=n
|
aes_setkey(ENCRYPT,key,key_size] ;-init key
[cfb+0..15] = [iv+0..15] ;-init cfb
while len>0 ;\
aes_crypt_block(ENCRYPT,cfb,tmp) ;
[cfb+0..14] = [cfb+1..15] ;shift with 8-bit step ; encrypt
if mode=DECRYPT then [cfb+15] = [src] ; or decrypt
[dst] = [src] xor [tmp+0] ;shift-in new 8-bits ; message
if mode=ENCRYPT then [cfb+15] = [dst] ;
src=src+1, dst=dst+1, len=len-1 ;/
|
aes_setkey(mode,key,key_size] ;-init key
if (len AND 0Fh)>0 then error
while len>0 ;\encrypt
aes_crypt_block(mode,src,dst) ; or decrypt
src=src+16, dst=dst+16, len=len-16 ;/message
|
| DSi AES Big-Endian Core Function and Key Schedule |
aes_crypt_block(mode,src,dst):
Y0 = RK[0] xor [src+00h]
Y1 = RK[1] xor [src+04h]
Y2 = RK[2] xor [src+08h]
Y3 = RK[3] xor [src+0Ch]
;below code depending on mode: <---ENCRYPT---> -or- <---DECRYPT--->
for i=1 to nr-1
X0 = RK[i*4+0] xor scatter32(FT,Y0,Y1,Y2,Y3) -or- (RT,Y0,Y3,Y2,Y1)
X1 = RK[i*4+1] xor scatter32(FT,Y1,Y2,Y3,Y0) -or- (RT,Y1,Y0,Y3,Y2)
X2 = RK[i*4+2] xor scatter32(FT,Y2,Y3,Y0,Y1) -or- (RT,Y2,Y1,Y0,Y3)
X3 = RK[i*4+3] xor scatter32(FT,Y3,Y0,Y1,Y2) -or- (RT,Y3,Y2,Y1,Y0)
Y0=X0, Y1=X1, Y2=X2, Y3=X3
[dst+00h] = RK[nr*4+0] xor scatter8(FSb,Y0,Y1,Y2,Y3) -or- (RSb,Y0,Y3,Y2,Y1)
[dst+04h] = RK[nr*4+1] xor scatter8(FSb,Y1,Y2,Y3,Y0) -or- (RSb,Y1,Y0,Y3,Y2)
[dst+08h] = RK[nr*4+2] xor scatter8(FSb,Y2,Y3,Y0,Y1) -or- (RSb,Y2,Y1,Y0,Y3)
[dst+0Ch] = RK[nr*4+3] xor scatter8(FSb,Y3,Y0,Y1,Y2) -or- (RSb,Y3,Y2,Y1,Y0)
|
scatter32(TAB,a,b,c,d): scatter8(TAB,a,b,c,d): w= (TAB[a.bit0..7]) w.bit0..7 = TAB[a.bit0..7] w=w xor (TAB[b.bit8..15] rol 8) w.bit8..15 = TAB[b.bit8..15] w=w xor (TAB[c.bit16..23] rol 16) w.bit16..23 = TAB[c.bit16..23] w=w xor (TAB[d.bit24..31] rol 24) w.bit24..31 = TAB[d.bit24..31] return w return w |
aes_setkey(mode,key,keysize): ;out: RK[0..43/51/59], nr=10/12/14
aes_generate_tables ;<-- unless tables are already initialized
if keysize<>128 and keysize<>192 and keysize<>256 then error ;size in bits
rc=01h, j=0, jj=keysize/32, nr=jj+6 ;jj=4,6,8 ;\
for i=0 to (nr+1)*4-1 ;nr=10,12,14 ; copy 16/24/32-byte key
if i<jj then w=[key+i*4+0..3] ; to RK[0..3/5/7]
else w=w xor RK[i-jj] ; and, make
RK[i]=w, j=j+1 ; RK[4/6/8..43/51/59]
if j=jj then ;
w=scatter8(FSb,w,w,w,w) ;
w=(w ror 8) xor (rc) ;
j=0, rc=rc*2, if rc>0FFh then rc=rc xor 11Bh ;
if j=4 and jj=8 then w=scatter8(FSb,w,w,w,w) ;/
if mode=DECRYPT then
for i=0 to nr/2-1 ;swap entries (except middle one)
for j=0 to 3
w=RK[i*4+j], v=RK[nr*4-i*4+j]
RK[i*4+j]=v, RK[nr*4-i*4+j]=w
for i=4 to nr*4-1 ;modify entries (except RK[0..3] and RK[nr*4+0..3])
w=RK[i], w=scatter8(FSb,w,w,w,w), RK[i]=scatter32(RT,w,w,w,w)
|
| DSi AES Big-Endian Tables and Test Values |
aes_generate_tables:
for i=0 to 0FFh ;compute pow and log tables...
if i=0 then x=01h, else x=x xor x*2, if x>0FFh then x=x xor 11Bh
pow[i]=x, log[x]=i
for i=0 to 0FFh ;generate the forward and reverse S-boxes...
x=pow[0FFh-log[i]]
x=x xor (x rol 1) xor (x rol 2) xor (x rol 3) xor (x rol 4) xor 63h
if i=0 then x=63h
FSb[i]=x, RSb[x]=i
for i=0 to 0FFh ;generate the forward and reverse tables...
x=FSb[i]*2, if x>0FFh then x=x xor 11Bh
FT[i]=(FSb[i]*01010100h) xor (x*01000001h)
w=00000000h, x=RSb[i]
if x<>00h then ;ie. not at i=63h
w=w+pow[(log[x]+log[0Eh]) mod 00FFh]*1h
w=w+pow[(log[x]+log[09h]) mod 00FFh]*100h
w=w+pow[(log[x]+log[0Dh]) mod 00FFh]*10000h
w=w+pow[(log[x]+log[0Bh]) mod 00FFh]*1000000h
RT[i]=w
|
aes_generate_tables_results: pow[00h..FFh] = 01,03,05,0F,11,..,C7,52,F6,01 ;pow ;\needed temporarily log[00h..FFh] = 00,FF,19,01,32,..,C0,F7,70,07 ;log ;/for table creation FSb[00h..FFh] = 63,7C,77,7B,F2,..,B0,54,BB,16 ;Forward S-box RSb[00h..FFh] = 52,09,6A,D5,30,..,55,21,0C,7D ;Reverse S-box FT[00h..FFh] = A56363C6,847C7CF8,..,3A16162C ;Forward Table RT[00h..FFh] = 50A7F451,5365417E,..,4257B8D0 ;Reverse Table |
aes_setkey_results: key = "AES-Test-Key-Str-1234567-Abcdefg" ;use only 1st bytes for 128/192bit 128bit ENCRYPT --> RK[0..9..30..43] = 2D534541..ED0DC6FA..43DAC81C..0F5026BB 192bit ENCRYPT --> RK[0..9..30..51] = 2D534541..4AAB3D82..29CA38D2..CA4DFE3B 256bit ENCRYPT --> RK[0..9..30..59] = 2D534541..1AA51359..CCB886C8..88956C9C 128bit DECRYPT --> RK[0..9..30..43] = F653079B..47DD8A1C..1C2070A7..7274532D 192bit DECRYPT --> RK[0..9..30..51] = 3CEC6AFF..C4F96B6F..AE36B4AE..7274532D 256bit DECRYPT --> RK[0..9..30..59] = DE7ADCD9..8C559ADD..067A387E..7274532D |
aes_crypt_results: [key+0..15] = "AES-Test-Key-Str-1234567-Abcdefg" [iv+0..15] = "Nonce/InitVector" [xtra+0..20] = "Extra-Associated-Data" ;\for CCM iv_len=12, mac_len=16, xtra_len=21 ;/ Unencrypted: [dta+0..113Fh] = "Unencrypted-Data", 190h x "TestPadding" AES-ECB: [dta+0..113Fh] = 5F,BD,04,DB,..,E4,07,F4,B6 ;\ AES-CBC: [dta+0..113Fh] = 0B,BB,53,FA,..,DD,28,6D,AE ; AES-CFB128: [dta+0..113Fh] = F4,75,4F,0E,..,73,B5,D7,E7 ; keysize=128 AES-CFB8: [dta+0..113Fh] = F4,10,6A,83,..,BF,1B,16,3E ; AES-CTR: [dta+0..113Fh] = F4,75,4F,0E,..,04,DF,EB,BA ; AES-CCM: [dta+0..113Fh] = FD,1A,6D,98,..,EE,FD,68,F6 ; AES-CCM (ori): [mac+0..0Fh] = FD,F9,FE,85,..,4F,50,3C,AF ; AES-CCM (DSi): [mac+0..0Fh] = xx,xx,xx,xx,..,xx,xx,xx,xx ;/ AES-ECB: [dta+0..113Fh] = 0E,69,F5,1A,..,9A,5F,7A,9A ;-keysize=192 AES-ECB: [dta+0..113Fh] = C6,FB,68,C1,..,14,89,6C,E0 ;-keysize=256 |
| DSi ES Block Encryption |
FAT16:\sys\dev.kp FAT16:\ticket\000300tt\4ggggggg.tik (tickets) SD Card: .bin files (aka Tad Files) twl-*.der files (within the "verdata" NARC file) |
00000h BLKLEN Data Block (AES-CCM encrypted) BLKLEN+00h 10h Data Checksum (AES-CCM MAC value on above Data) BLKLEN+10h 1 Fixed 3Ah (AES-CTR encrypted) BLKLEN+11h 0Ch Nonce (unencrypted) BLKLEN+1Dh 1 BLKLEN.bit16-23 (AES-CTR encrypted) BLKLEN+1Eh 1 BLKLEN.bit8-15 (AES-CTR encrypted) BLKLEN+1Fh 1 BLKLEN.bit0-7 (AES-CTR encrypted) |
IV[00h..0Bh]=[BLKLEN+11h..1Ch] ;Nonce IV[0Ch..0Fh]=Don't care (not used for CCM) |
00000h BLKLEN Data Block (AES-CCM) |
IV[00h..02h]=BLKLEN/10h + 1 ;CTR value for last 16-byte block IV[03h..0Eh]=[BLKLEN+11h..1Ch] ;Nonce IV[0Fh]=02h ;Indicate 3-byte wide CTR (fixed on DSi) |
IV[00h]=00h ;Zero IV[01h..0Ch]=[BLKLEN+11h..1Ch] ;Nonce IV[0Dh..0Fh]=00h,00h,00h ;Zero |
BLKLEN+10h 1 Fixed 3Ah (AES-CTR encrypted) BLKLEN+11h 0Ch Nonce (unencrypted) BLKLEN+1Dh 1 BLKLEN.bit16-23 (AES-CTR encrypted) BLKLEN+1Eh 1 BLKLEN.bit8-15 (AES-CTR encrypted) BLKLEN+1Fh 1 BLKLEN.bit0-7 (AES-CTR encrypted) |
BLKLEN+10h 1 Fixed 3Ah (unencrypted) (to be verified) BLKLEN+11h 0Ch Nonce (AES-CTR encrypted) (useless/garbage) BLKLEN+1Dh 1 BLKLEN.bit16-23 (unencrypted) (to be verified) BLKLEN+1Eh 1 BLKLEN.bit8-15 (unencrypted) (to be verified) BLKLEN+1Fh 1 BLKLEN.bit0-7 (unencrypted) (to be verified) |
| DSi Cartridge Header |
012h 1 Unitcode (00h=NDS, 02h=NDS+DSi, 03h=DSi) (bit1=DSi)
01Ch 1 NDS: Reserved / DSi: Flags (03h=Normal, 0Bh=Sys, 0Fh=Debug/Sys)
bit0 Has TWL-Exclusive Region ;MUST be 1 for DSi titles?
bit1 Modcrypted (0=No, 1=Yes, see [220h..22Fh])
bit2 Modcrypt key select (0=Retail, 1=Debug)
bit3 Disable Debug ?
01Dh 1 NDS: Region / DSi: Permit jump (00h=Normal, 01h=System Settings)
bit0 jump (always include title at [2FFD800h..])
bit1 tmpjump (?)
068h 4 Icon/Title offset (same as NDS, but with new extra entries)
080h 4 Total Used ROM size, EXCLUDING DSi area
088h 4 NDS: Reserved / ARM9 Parameters Table Offset ??? ;base=[028h]
08Ch 4 NDS: Reserved / ARM7 Parameters Table Offset ??? ;base=[038h]
090h 2 NDS: Reserved / NTR ROM Region End/80000h ;\usually both same
092h 2 NDS: Reserved / TWL ROM Region Start/80000h ;/(zero for DSiware)
|
(012h)1 Unitcode (must be 00h for non-DSi carts) (020h)16 Changed ARM9/ARM7 areas (DSi-in-NDS-mode more restricted than NDS) 088h 4 Unknown (B8h,4Bh,00h,00h) (similar as in DSi carts) 1BFh 1 Flags (40h=RSA+TwoHMACs, 60h=RSA+ThreeHMACs) 33Ch 14 HMAC for Icon/Title (only if [1BFh]=60h) ;as Whitelist Phase 3 378h 14 HMAC for 160h-byte header and ARM9+ARM7 areas ;as Whitelist Phase 1 38Ch 14 HMAC for OverlayARM9+NitroFAT (zero if no overlay) ;as Phase 2 F80h 128 RSA signature |
ARM9 2004000h..227FFFFh (siz=27C000h) (for NDS mode: 2000000h and up) ARM7 2380000h..23BFFFFh (siz=40000h) ARM9i 2400000h..267FFFFh (siz=280000h) ARM7i 2E80000h..2F87FFFh (siz=108000h) |
Main 2000000h..2FFC000h (excluding bootstrap at 23FEE00h..23FF000h) WRAM 3000000h..380F000h (excluding bootstrap at 3FFF600h..3FFF800h) |
180h 20 Global MBK1..MBK5 Setting, WRAM Slots
194h 12 Local ARM9 MBK6..MBK8 Setting, WRAM Areas
1A0h 12 Local ARM7 MBK6..MBK8 Setting, WRAM Areas
1ACh 3 Global MBK9 Setting, WRAM Slot Write Protect
1AFh 1 Global WRAMCNT Setting (usually 03h) (FCh/00h in SysMenu/Settings)
1B0h 4 Region flags (bit0=JPN, bit1=USA, bit2=EUR, bit3=AUS, bit4=CHN,
bit5=KOR, bit6-31=Reserved) (FFFFFFFFh=Region Free)
1B4h 4 Access control (AES Key Select)
bit0 Common Client Key ;want 380F000h=3FFC600h+00h "common key"
bit1 AES Slot B ;380F010h=3FFC400h+180h and KEY1=unchanged
bit2 AES Slot C ;380F020h=3FFC400h+190h and KEY2.Y=3FFC400h+1A0h
bit3 SD Card ;want Device I
bit4 NAND Access ;want Device A-H and KEY3=intact
bit5 Game Card Power On ;tested with bit8
bit6 Shared2 File ;used... but WHAT for?
bit7 Sign JPEG For Launcher (AES Slot B);select 1 of 2 jpeg keys?
bit8 Game Card NTR Mode ;tested with bit5
bit9 SSL Client Cert (AES Slot A) ;KEY0=3FFC600h+30h (twl-*.der)
bit10 Sign JPEG For User (AES Slot B) ;\
bit11 Photo Read Access ; seems to be unused
bit12 Photo Write Access ; (and, usually ZERO,
bit13 SD Card Read Access ; even if the stuff is
bit14 SD Card Write Access ; accessed)
bit15 Game Card Save Read Access ; (bit11 set in flipnote)
bit16 Game Card Save Write Access ;/
bit31 Debugger Common Client Key ;want 380F000h=3FFC600h+10h
1B8h 4 ARM7 SCFG_EXT7 setting (bit0,1,2,10,18,31)
1BCh 3 Reserved/flags? (zerofilled)
1BFh 1 Flags (usually 01h) (DSiware Browser: 0Bh)
bit0: TSC Touchscreen/Sound Controller Mode (0=NDS, 1=DSi)
bit1: Require EULA Agreement
bit2: Custom Icon (0=No/Normal, 1=Use banner.sav)
bit3: Show Nintendo Wi-Fi Connection icon in Launcher
bit4: Show DS Wireless icon in Launcher
bit5: NDS cart with icon SHA1 (DSi firmware v1.4 and up)
bit6: NDS cart with header RSA (DSi firmware v1.0 and up)
bit7: Developer App
1C0h 4 ARM9i ROM Offset (usually XX03000h, XX=1MB-boundary after NDS area)
1C4h 4 Reserved (zero)
1C8h 4 ARM9i RAM Load address
1CCh 4 ARM9i Size
1D0h 4 ARM7i ROM Offset
1D4h 4 SD/MMC Device List ARM7 RAM Addr; 400h-byte initialized by firmware
1D8h 4 ARM7i RAM Load address
1DCh 4 ARM7i Size
1E0h 4 Digest NTR region offset (usually same as ARM9 rom offs, 0004000h)
1E4h 4 Digest NTR region length
1E8h 4 Digest TWL region offset (usually same as ARM9i rom offs, XX03000h)
1ECh 4 Digest TWL region length
1F0h 4 Digest Sector Hashtable offset ;\SHA1-HMAC's on all sectors
1F4h 4 Digest Sector Hashtable length ;/in above NTR+TWL regions
1F8h 4 Digest Block Hashtable offset ;\SHA1-HMAC's on each N entries
1FCh 4 Digest Block Hashtable length ;/in above Sector Hashtable
200h 4 Digest Sector size (eg. 400h bytes per sector)
204h 4 Digest Block sectorcount (eg. 20h sectors per block)
208h 4 Icon/Title size (usually 23C0h for DSi) (older 840h-byte works too)
20Ch 1 SD/MMC size of "shared2\0000" file in 32Kbyte units? (dsi sound)
20Dh 1 SD/MMC size of "shared2\0001" file in 32Kbyte units?
;or are shared2 sizes rather counted in 16Kbyte cluster units?
20Eh 1 EULA Version (01h) ? !
20Fh 1 Use Ratings (00h) ? !
210h 4 Total Used ROM size, INCLUDING DSi area (optional, can be 0)
214h 1 SD/MMC size of "shared2\0002" file in 32Kbyte units?
215h 1 SD/MMC size of "shared2\0003" file in 32Kbyte units?
216h 1 SD/MMC size of "shared2\0004" file in 32Kbyte units?
217h 1 SD/MMC size of "shared2\0005" file in 32Kbyte units?
218h 4 ARM9i Parameters Table Offset (84 D0 04 00) ??? ;base=[028h]
21Ch 4 ARM7i Parameters Table Offset (2C 05 00 00) ??? ;base=[038h]
220h 4 Modcrypt area 1 offset ;usually same as ARM9i rom offs (XX03000h)
224h 4 Modcrypt area 1 size ;usually min(4000h,ARM9iSize+Fh AND not Fh)
228h 4 Modcrypt area 2 offset (0=None)
22Ch 4 Modcrypt area 2 size (0=None)
230h 4 Title ID, Emagcode (aka Gamecode spelled backwards)
234h 1 Title ID, Filetype (00h=Cartridge, 04h=DSiware, 05h=System Fun
Tools, [0Fh=Non-executable datafile without cart header],
15h=System Base Tools, 17h=System Menu)
235h 1 Title ID, Zero (00h=Normal)
236h 1 Title ID, Three (03h=DSi) (as opposed to Wii or 3DS)
237h 1 Title ID, Zero (00h=Normal)
238h 4 SD/MMC (DSiware) "public.sav" filesize in bytes (0=none)
23Ch 4 SD/MMC (DSiware) "private.sav" filesize in bytes (0=none)
240h 176 Reserved (zero-filled)
|
2F0h 10h Parental Control Age Ratings (for different countries/areas)
Bit7: Rating exists for local country/area
Bit6: Game is prohibited in local country/area?
Bit5: Unused
Bit4-0: Age rating for local country/area (years)
2F0h 1 CERO (Japan) (0=None/A, 12=B, 15=C, 17=D, 18=Z)
2F1h 1 ESRB (US/Canada) (0=None, 3=EC, 6=E, 10=E10+, 13=T, 17=M)
2F2h 1 Reserved (0=None)
2F3h 1 USK (Germany) (0=None, 6=6+, 12=12+, 16=16+, 18=18+)
2F4h 1 PEGI (Pan-Europe) (0=None, 3=3+, 7=7+, 12=12+, 16=16+, 18=18+)
2F5h 1 Reserved (0=None)
2F6h 1 PEGI (Portugal) (0=None, 4=4+, 6=6+, 12=12+, 16=16+, 18=18+)
2F7h 1 PEGI and BBFC (UK) (0=None, 3, 4=4+/U, 7, 8=8+/PG, 12, 15, 16, 18)
2F8h 1 AGCB (Australia) (0=None/G, 7=PG, 14=M, 15=MA15+, plus 18=R18+?)
2F9h 1 GRB (South Korea) (0=None, 12=12+, 15=15+, 18=18+)
2FAh 6 Reserved (6x) (0=None)
N/A? - DEJUS (Brazil) (L, 10, 12, 14, 16, 18)
N/A? - GSRMR (Taiwan) (formerly CSRR) (0,6,12,18) (and GSRMR: 15)
N/A? - PEGI (Finland) (discontinued 2007, shortly before DSi launch)
bit0-4 Rating (0..18)
bit6 Pending
bit7 Enabled
|
300h 20 SHA1-HMAC hash ARM9 (with encrypted secure area) ;[020h,02Ch]
314h 20 SHA1-HMAC hash ARM7 ;[030h,03Ch]
328h 20 SHA1-HMAC hash Digest master ;[1F8h,1FCh]
33Ch 20 SHA1-HMAC hash Icon/Title (also in newer NDS titles) ;[068h,208h]
350h 20 SHA1-HMAC hash ARM9i (decrypted) ;[1C0h,1CCh]
364h 20 SHA1-HMAC hash ARM7i (decrypted) ;[1D0h,1DCh]
378h 20 Reserved (zero-filled) (but used for non-whitelisted NDS titles)
38Ch 20 Reserved (zero-filled) (but used for non-whitelisted NDS titles)
3A0h 20 SHA1-HMAC hash ARM9 (without 16Kbyte secure area) ;[020h,02Ch]
3B4h 2636 Reserved (zero-filled)
E00h 180h Reserved and unchecked region, always zero. Used for passing
arguments in debug environment.
F80h 80h RSA-SHA1 signature across header entries [000h..DFFh]
|
1000h..3FFFh Non-Load area in ROMs... but contains sth in DSiWare files!?! |
No need for NDS backwards compatibility (since DSiware is DSi only) Entry 3A0h can be zero-filled (in LAUNCHER) |
Modcrypt Area 1 IV[0..F]: First 16 bytes of the ARM9 SHA1-HMAC [300h..30Fh] Modcrypt Area 2 IV[0..F]: First 16 bytes of the ARM7 SHA1-HMAC [314h..323h] |
IF header[01Ch].Bit1=0
None (modcrypt disabled)
ELSEIF header[01Ch].Bit2 OR header[1BFh].Bit7 THEN (probably for prototypes)
Debug KEY[0..F]: First 16 bytes of the header [000h..00Fh]
ELSE (commonly used for retail software)
Retail KEY_X[0..7]: Fixed 8-byte ASCII string ("Nintendo")
Retail KEY_X[8..B]: The 4-byte gamecode, forwards [00Ch..00Fh]
Retail KEY_X[C..F]: The 4-byte gamecode, backwards [00Fh..00Ch]
Retail KEY_Y[0..F]: First 16 bytes of the ARM9i SHA1-HMAC [350h..35Fh]
|
| DSi Touchscreen/Sound Controller |
| DSi Touchscreen Access |
0 Direction for following data bytes (0=Write, 1=Read) 1-7 INDEX (00h..7Fh) for following data bytes (auto-increasing) |
00h R/W MODE register (should be 03h or FCh) |
01h R Unknown (00h) 02h..06h mix Unknown (18h,87h,22h,04h,20h) (writeable: FFh,BFh,F7h,E7h,EDh) 07h..08h R Unknown (00h,00h) 09h R State (40h=Released, 80h=Pressed) 0Ah..0Ch R Unknown (00h,00h,00h) 0Dh mix Unknown (01h on 1st read, 00h thereafter?) (upper 6bit R/W) 0Eh mix State (ADh=Released, ACh=Pressed) (upper 6bit R/W) 0Fh R/W Unknown (A0h,88h,81h) 12h..14h mix Unknown (usually 00h-filled) (writeable: E7h,FFh,07h) 15h R Unknown (00h) 16h..21h R/W Unknown Six 16bit values (0000h..1FFFh) (usually 0000h) 22h..7Fh R Unknown (00h-filled) |
01h..0Ah R Five Touchscreen X Coodinates (big-endian MSB,LSB each) 0Bh..14h R Five Touchscreen Y Coodinates (big-endian MSB,LSB each) 15h..7Fh R Reserved (garbage) (further Touchscreen X/Y Coodinates) |
01h..0Fh 00 01 44 00 00 00 00 00 00 00 00 00 00 00 00 10h..1Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20h..2Fh 03 00 00 00 80 99 11 08 00 00 00 00 00 00 00 00 30h..3Fh 00 00 09 34 32 12 03 02 03 66 60 00 19 05 00 D4 40h..4Fh 00 08 08 00 19 38 00 00 00 00 00 EE 10 D8 7E E3 50h..5Fh 00 00 80 00 00 00 00 00 7F 00 00 00 00 00 00 00 60h..6Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70h..7Fh 00 00 00 00 D2 24 00 00 00 00 00 00 00 00 00 00 |
01h..0Fh 00 01 44 03 A1 15 00 00 00 00 87 83 00 80 80 ;<-- 10h..1Fh 08 00 87 83 80 80 04 00 00 00 01 00 00 00 01 00 ;<-- 20h..2Fh 00 00 00 00 80 99 11 08 00 00 00 00 00 00 00 00 ;<- 30h..3Fh 00 00 01 34 32 12 02 02 03 66 60 00 19 05 00 D4 ;<- 40h..4Fh 00 08 08 00 0F 38 00 00 00 00 00 EE 10 D8 7E E3 ;<- 50h..5Fh 00 00 80 00 00 00 00 00 7F 00 00 00 00 00 00 00 60h..6Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70h..7Fh 00 00 00 00 D2 24 00 00 00 00 00 00 00 00 00 00 80h.. 00... |
01h..0Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10h..1Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20h..2Fh D6 20 F0 44 9E 9E A7 A7 4E 4E 15 15 20 86 00 43 ; 30h..3Fh 40 40 61 00 00 00 00 00 00 00 00 00 00 00 00 00 ; 40h..4Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50h..5Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60h..6Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70h..7Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80h.. 00... |
same as above. |
All 00h-filled |
01h..0Fh 00 01 17 01 17 7D D3 7F E1 80 1F 7F C1 7F FF 10h..1Fh 00 00 00 00 00 00 00 00 7F FF 00 00 00 00 00 00 20h..2Fh 00 00 7F FF 00 00 00 00 00 00 00 00 7F FF 00 00 30h..3Fh 00 00 00 00 00 00 7F FF 00 00 00 00 00 00 00 00 40h..4Fh 00 00 00 00 00 00 00 00 7F FF 00 00 00 00 7F FF 50h..5Fh 00 00 00 00 00 00 00 00 7F FF 00 00 00 00 00 00 60h..6Fh 00 00 7F FF 00 00 00 00 00 00 00 00 7F FF 00 00 70h..7Fh 00 00 00 00 00 00 7F FF 00 00 00 00 00 00 00 00 80h.. 00... |
after index 7Fh, actually it REPEATs last byte (instead 00s) |
01h..0Fh 00 00 00 00 00 00 00 00 00 00 24 00 00 09 00 ;<-- 10h..1Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ... 00... |
01h..0Fh<01>00 00 01 00 01 00 00 00 00 00 00 00 00 00 00 ;<-- !! 10h..1Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ... 00... 70h..7Fh 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF ;<-- 80h... FF... ;<-- |
if (TSC[3:09h] AND 40h)<>0 then return(not_pressed) ;ADC Ready Flag if (TSC[3:0Eh] AND 03h)<>0 then return(not_pressed) ;Undocumented Flags? return(pressed) |
touchdata[0..19] = TSC[FCh:01h..14h] ;read page FCh, index(1..20)
rawx=0, rawy=0
for i=0 to 8 step 2
x = touchdata[i+0]*100h+touchdata[i+1]
y = touchdata[i+10]*100h+touchdata[i+11]
if (x or y) and F000h then return(not_pressed)
rawx=rawx+x, rawy=rawy+y
return(rawx/5, rawy/5)
|
0-11 Coordinate (0..FFFh) (usually 000h when not pressed) 12-14 State (0=Pressed, 7=Released) (or sometimes also 1 or 3=Released) 15 State Changed (0=No, 1=Newly pressed/released; cleared after read) |
| DSi TSC, Register Summary |
7bit index: selected via the first SPI byte, with direction flag in bit0 8bit page: selected by writing to index 00h, ie. to TSC[xxh:00h] |
TSC[xxh:00h] - Page Select Register (00h) |
TSC[0:01h] - Software Reset (00h) TSC[0:02h] - Reserved (xxh) (R) TSC[0:03h] - Overtemperature OT Flag (02h..FFh) (R) TSC[0:04h] - Clock-Gen Muxing (00h) TSC[0:05h] - PLL P and R-Values (11h) TSC[0:06h] - PLL J-Value (04h) TSC[0:07h,08h] - PLL D-Value MSB,LSB (0000h) TSC[0:09h,0Ah] - Reserved (xxh) TSC[0:0Bh] - DAC NDAC Value (01h) TSC[0:0Ch] - DAC MDAC Value (01h) TSC[0:0Dh,0Eh] - DAC DOSR Value MSB,LSB (0080h) TSC[0:0Fh] - DAC IDAC Value (80h) TSC[0:10h] - DAC miniDSP Engine Interpolation (08h) TSC[0:11h] - Reserved (xxh) TSC[0:12h] - ADC NADC Value (01h) TSC[0:13h] - ADC MADC Value (01h) TSC[0:14h] - ADC AOSR Value (80h) TSC[0:15h] - ADC IADC Value (80h) TSC[0:16h] - ADC miniDSP Engine Decimation (04h) TSC[0:17h,18h] - Reserved (xxh) TSC[0:19h] - CLKOUT MUX (00h) TSC[0:1Ah] - CLKOUT Divider M Value (01h) |
TSC[0:1Bh] - Codec Interface Control 1 (00h) (R/W) TSC[0:1Ch] - Data-Slot Offset Programmability (00h) TSC[0:1Dh] - Codec Interface Control 2 (00h) TSC[0:1Eh] - BCLK Divider N Value (01h) TSC[0:1Fh] - Codec Secondary Interface Control 1 (00h) TSC[0:20h] - Codec Secondary Interface Control 2 (00h) TSC[0:21h] - Codec Secondary Interface Control 3 (00h) TSC[0:22h] - I2C Bus Condition (00h) TSC[0:23h] - Reserved (xxh) |
TSC[0:24h] - ADC Flag Register (0xh) (R) TSC[0:25h] - DAC Flag Register (00h) (R) TSC[0:26h] - DAC Flag Register (00h) (R) TSC[0:27h] - Overflow Flags (00h) (R) TSC[0:28h..2Bh] - Reserved (xxh) TSC[0:2Ch] - Interrupt Flags DAC, sticky (00h..30h) (R) TSC[0:2Dh] - Interrupt Flags ADC, sticky (00h..18h) (R) TSC[0:2Eh] - Interrupt Flags DAC, non-sticky? (00h..30h) (R) TSC[0:2Fh] - Interrupt Flags ADC, non-sticky? (00h..18h) (R) TSC[0:30h] - INT1 Control Register (Select INT1 Sources) (00h) TSC[0:31h] - INT2 Control Register (Select INT2 Sources) (00h) TSC[0:32h] - INT1 and INT2 Control Register (00h) |
TSC[0:33h] - GPIO1 In/Out Pin Control (00h..C2h) TSC[0:34h] - GPIO2 In/Out Pin Control (00h..C2h) TSC[0:35h] - SDOUT (OUT Pin) Control (12h) TSC[0:36h] - SDIN (IN Pin) Control (02h or 03h) TSC[0:37h] - MISO (OUT Pin) Control (02h) TSC[0:38h] - SCLK (IN Pin) Control (02h..03h) TSC[0:39h] - GPI1 and GPI2 Pin Control (00h..11h) TSC[0:3Ah] - GPI3 Pin Control (00h..10h) TSC[0:3Bh] - Reserved (xxh) |
TSC[0:3Ch] - DAC Instruction Set (01h) TSC[0:3Dh] - ADC Instruction Set (04h) TSC[0:3Eh] - Programmable Instruction Mode-Control Bits (00h) TSC[0:3Fh] - DAC Data-Path Setup (14h) TSC[0:40h] - DAC Volume Control (0Ch) TSC[0:41h] - DAC Left Volume Control (00h) TSC[0:42h] - DAC Right Volume Control (00h) TSC[0:43h] - Headset Detection (00h..60h) TSC[0:44h] - DRC Control 1 (0Fh) TSC[0:45h] - DRC Control 2 (38h) TSC[0:46h] - DRC Control 3 (00h) TSC[0:47h] - Beep Generator and Left Beep Volume (00h) TSC[0:48h] - Beep Generator and Right Beep Volume (00h) TSC[0:49h,4Ah,4Bh] - Beep Length MSB,MID,LSB (0000EEh) TSC[0:4Ch,4Dh] - Beep Frequency Sin(x) MSB,LSB (10D8h) TSC[0:4Eh,4Fh] - Beep Frequency Cos(x) MSB,LSB (7EE3h) TSC[0:50h] - Reserved (xxh) TSC[0:51h] - ADC Digital Mic (00h) TSC[0:52h] - ADC Digital Volume Control Fine Adjust (80h) TSC[0:53h] - ADC Digital Volume Control Coarse Adjust (00h) TSC[0:54h,55h] - Reserved (xxh) |
TSC[0:56h] - AGC Control 1 (00h) TSC[0:57h] - AGC Control 2 (00h) TSC[0:58h] - AGC Maximum Gain (7Fh, uh that's 7Fh=Reserved?) TSC[0:59h] - AGC Attack Time (00h) TSC[0:5Ah] - AGC Decay Time (00h) TSC[0:5Bh] - AGC Noise Debounce (00h) TSC[0:5Ch] - AGC Signal Debounce (00h) TSC[0:5Dh] - AGC Gain-Applied Reading (xxh) (R) TSC[0:5Eh...65h] - Reserved (xxh) TSC[0:66h] - ADC DC Measurement 1 (00h) TSC[0:67h] - ADC DC Measurement 2 (00h) TSC[0:68h,69h,6Ah] - ADC DC Measurement Output MSB,MID,LSB (R) (000000h) TSC[0:6Bh...73h] - Reserved (xxh) TSC[0:74h] - VOL/MICDET-Pin SAR ADC - Volume Control (00h) TSC[0:75h] - VOL/MICDET-Pin Gain (xxh) (R) TSC[0:76h...7Fh] - Reserved (xxh) |
TSC[1:01h..1Dh] - Reserved (xxh) TSC[1:1Eh] - Headphone and Speaker Amplifier Error Control (00h) TSC[1:1Fh] - Headphone Drivers (04h) TSC[1:20h] - Class-D Speaker Amplifier (06h) TSC[1:21h] - HP Output Drivers POP Removal Settings (3Eh) TSC[1:22h] - Output Driver PGA Ramp-Down Period Control (00h) TSC[1:23h] - DAC_L and DAC_R Output Mixer Routing (00h) TSC[1:24h] - Analog Volume to HPL (Left Headphone) (7Fh) TSC[1:25h] - Analog Volume to HPR (Right Headphone) (7Fh) TSC[1:26h] - Analog Volume to SPL (Left Speaker) (7Fh) TSC[1:27h] - Analog Volume to SPR (Right Speaker) (7Fh) TSC[1:28h] - HPL Driver (Left Headphone) (02h) TSC[1:29h] - HPR Driver (Right Headphone) (02h) TSC[1:2Ah] - SPL Driver (Left Speaker) (00h) TSC[1:2Bh] - SPR Driver (Right Speaker) (00h) TSC[1:2Ch] - HP Driver Control (00h) TSC[1:2Dh] - Reserved (xxh) TSC[1:2Eh] - MICBIAS (00h) TSC[1:2Fh] - MIC PGA (80h) TSC[1:30h] - P-Terminal Delta-Sigma Mono ADC Channel Fine-Gain Input (00h) TSC[1:31h] - M-Terminal ADC Input Selection (00h) TSC[1:32h] - Input CM Settings (00h) TSC[1:33h..FFh] - Reserved (xxh) |
TSC[2:01h..FFh] - Reserved (00h) |
TSC[3:01h] - Reserved (xxh) TSC[3:02h] - SAR ADC Control 1 (00h) TSC[3:03h] - SAR ADC Control 2 (00h) TSC[3:04h] - Precharge and Sense (00h) TSC[3:05h] - Panel Voltage Stabilization (00h) TSC[3:06h] - Voltage Reference (20h) TSC[3:07h,08h] - Reserved (xxh) TSC[3:09h] - Status Bits 1 (40h) (R) TSC[3:0Ah] - Status Bits 2 (00h) (R) TSC[3:0Bh,0Ch] - Reserved (xxh) TSC[3:0Dh] - Buffer Mode (03h) TSC[3:0Eh] - Reserved / Undocumented (read by DSi for Pen Down Test) (0Fh) TSC[3:0Fh] - Scan Mode Timer (40h) TSC[3:10h] - Scan Mode Timer Clock (81h) TSC[3:11h] - SAR ADC Clock (81h) TSC[3:12h] - Debounce Time for Pen-Up Detection (00h) TSC[3:13h] - Auto AUX Measurement Selection (00h) TSC[3:14h] - Touch-Screen Pen Down (00h) TSC[3:15h] - Threshold Check Flags Register (00h) (R) TSC[3:16h,17h] - AUX1 Maximum Value Check MSB,LSB (0000h) TSC[3:18h,19h] - AUX1 Minimum Value Check MSB,LSB (0000h) TSC[3:1Ah,1Bh] - AUX2 Maximum Value Check MSB,LSB (0000h) TSC[3:1Ch,1Dh] - AUX2 Minimum Value Check MSB,LSB (0000h) TSC[3:1Eh,1Fh] - Temperature(TEMP1/TEMP2) Maximum Value Check MSB,LSB (0000h) TSC[3:20h,21h] - Temperature(TEMP1/TEMP2) Minimum Value Check MSB,LSB (0000h) TSC[3:22h...29h] - Reserved (xxh) TSC[3:2Ah,2Bh] - X-Coordinate Data MSB,LSB (0000h) (R) TSC[3:2Ch,2Dh] - Y-Coordinate Data MSB,LSB (0000h) (R) TSC[3:2Eh,2Fh] - Z1 Register MSB,LSB (0000h) (R) TSC[3:30h,31h] - Z2 Register MSB,LSB (0000h) (R) TSC[3:32h...35h] - Reserved (xxh) TSC[3:36h,37h] - AUX1 Data MSB,LSB (0000h) (R) TSC[3:38h,39h] - AUX2 Data MSB,LSB (0000h) (R) TSC[3:3Ah,3Bh] - VBAT Data MSB,LSB (0000h) (R) TSC[3:3Ch...41h] - Reserved (xxh) TSC[3:42h,43h] - TEMP1 Data Register MSB,LSB (0000h) (R) TSC[3:44h,45h] - TEMP2 Data Register MSB,LSB (0000h) (R) TSC[3:46h...7Fh] - Reserved (xxh) |
TSC[04h..05h:xxh] - ADC Coefficient RAM (126 x 16bit) TSC[06h..07h:xxh] - Reserved (00h) TSC[08h:01h] - DAC Coefficient RAM Control (00h) TSC[08h..0Bh:xxh] - DAC Coefficient RAM, DAC Buffer A (252 x 16bit) TSC[0Ch..0Fh:xxh] - DAC Coefficient RAM, DAC Buffer B (252 x 16bit) TSC[10h..1Fh:xxh] - Reserved (00h) TSC[20h..2Bh:xxh] - ADC DSP Engine Instruction RAM (384 x 24bit) TSC[2Ch..3Fh:xxh] - Reserved (00h) TSC[40h..5Fh:xxh] - DAC DSP Engine Instruction RAM (1024 x 24bit) TSC[60h..FBh:xxh] - Reserved (00h) |
TSC[FCh:01h..xxh] - Buffer Mode Data MSB,LSB (xxxxh) (R) TSC[FCh:xxh..7Fh] - Reserved (xxh) |
TSC[FDh:xxh] - Contains some non-zero values (DSi specific?) TSC[FEh:xxh] - Reserved (00h) TSC[FFh:xxh] - Accessing this page changes operation (DSi specific?) |
| DSi TSC[0:00h..1Ah], Basic PLL and Timing Control |
7-0 Page Select (00h..FEh) (FFh=Undocumented, enter special mode?) |
7-1 Reserved. Write only zeros to these bits. 0 Software Reset (0=No change, 1=Reset) |
7-0 Reserved. Do not write to this register. |
7-2 Reserved. Do not write to these bits. (R) 1 Overtemperature protection flag (0=Alert, 1=Normal) (R) 0 Reserved. Do not write to these bits. (R/W?) |
7-4 Reserved. Write only zeros to these bits. 3-2 Select PLL_CLKIN (0=MCLK, 1=BCLK, 2=GPIO1, 3=SDIN) 1-0 Select CODEC_CLKIN (0=MCLK, 1=BCLK, 2=GPIO1, 3=PLL_CLK) |
7 PLL Enable (0=Power down, 1=Power up) 6-4 PLL Divider P (1..7=Div1..7, or 0=Div8) 3-0 PLL Multiplier R (1..15=Mul1..15, or 0=Mul16) |
7-6 Reserved. Write only zeros to these bits. 5-0 PLL Multiplier J (1..63=Mul1..63, or 0=Reserved) |
15-14 Reserved. Write only zeros to these bits. 13-0 PLL fractional multiplier D-Val (14bit) |
7-0 Reserved. Write only zeros to these bits. |
7 DAC NDAC Divider Enable (0=Power down, 1=Power up) 6-0 DAC NDAC Divider (1..127=Div1..127, or 0=Div128) |
7 DAC MDAC Divider Enable (0=Power down, 1=Power up) 6-0 DAC MDAC Divider (1..127=Div1..127, or 0=Div128) |
15-10 Reserved 9-0 DAC OSR value "DOSR" (1..1023, or 0=1024) |
7-0 Number of instructions for DAC miniDSP engine (IDAC=N*4)
(1..255 = 4..1020 (N*4), or 0=1024)
|
7-4 Reserved. Do not write to these registers. 3-0 Interpolation ratio in DAC miniDSP engine (1..15, or 0=16) |
7-0 Reserved. Do not write to this register. |
7 ADC NADC divider is powered
0: ADC NADC divider is powered down and ADC_DSP_CLK = DAC_DSP_CLK.
1: ADC NADC divider is powered up.
6-0 ADC NADC divider (1..127, or 0=128)
|
7 ADC MADC divider is powered
0: ADC MADC divider is powered down and ADC_MOD_CLK = DAC_MOD_CLK.
1: ADC MADC divider is powered up.
6-0 ADC MADC divider (1..127, or 0=128)
|
7-0 ADC OSR "AOSR" divider (1..255, or 0=256) |
7-0 Number of instruction for ADC miniDSP engine (IADC=N*2)
(1..192 = 2..384 (N*2), or 0,193..255=Reserved)
|
7-4 Reserved 3-0 Decimation ratio in ADC miniDSP engine (1..15, or 0=16) |
7-0 Reserved. Do not write to these registers. |
7-3 Reserved
2-0 CDIV_CLKIN (0=MCLK, 1=BCLK, 2=SDIN, 3=PLL_CLK, 4=DAC_CLK(DSP),
5=DAC_MOD_CLK, 6=ADC_CLK(DSP), 7=ADC_MOD_CLK)
|
7 CLKOUT divider M Enable (0=Powered down, 1=Powered up) 6-0 CLKOUT divider M (1..127, or 0=128) |
| DSi TSC[0:1Bh..23h], Codec Control |
7-6 Codec interface type (0=I2S, 1=DSP, 2=RJF, 3=LJF)
5-4 Codec interface word length (0..3=16,20,24,32 bits)
3 BCLK Direction (0=Input, 1=Output)
2 WCLK Direction (0=Input, 1=Output)
1 Reserved
0 Driving SDOUT to High-Impedance for the Extra BCLK
Cycle When Data Is Not Being Transferred (0=Disabled, 1=Enabled)
|
7-0 Offset (0..255 = 0..255 BCLKs) |
7-6 Reserved 5 SDIN-to-SDOUT loopback (0=Disable, 1=Enable) 4 ADC-to-DAC loopback (0=Disable, 1=Enable) 3 BCLK Invert (0=No, 1=Invert) 2 BCLK and WCLK active even with Codec powered down (0=No, 1=Yes) 1-0 BDIV_CLKIN (0=DAC_CLK, 1=DAC_MOD_CLK, 2=ADC_CLK, 3=ADC_MOD_CLK) |
7 BCLK divider N Enable (0=Powered down, 1=Powered up) 6-0 BCLK divider N (1..127, or 0=128) |
7-5 Secondary BCLK is obtained from ;\(0=GPIO1, 1=SCLK, 2=MISO, 3=SDOUT, 4-2 Secondary WCLK is obtained from ;/ 4=GPIO2, 5=GPI1, 6=GPI2, 7=GPI3) 1-0 Secondary SDIN is obtained from (0=GPIO1, 1=SCLK, 2=GPIO2, 3=GPI1) |
7-5 ADC_WCLK is obtained from (0=GPIO1, 1=SCLK, 2=MISO, 3=Reserved, 4 Reserved 4=GPIO2, 5=GPI1, 6=GPI2, 7=GPI3) 3 Codec/ClockGen BCLK source (0=Primary BCLK, 1=Secondary BCLK) 2 Codec WCLK source (0=Primary WCLK, 1=Secondary WCLK) 1 Codec ADC_WCLK source (0=DAC_WCLK, 1=ADC_WCLK) 0 Codec SDIN source (0=Primary SDIN, 1=Secondary SDIN) |
7 Primary BCLK output (0=Internally generated BCLK, 1=Secondary BCLK) 6 Secondary BCLK output (0=Primary BCLK, 1=Internally generated BCLK) 5-4 Primary WCLK output (0=DAC_fS, 1=ADC_fS, 2=Secondary WCLK, 3=Reserved) 3-2 Secondary WCLK output (0=Primary WCLK, 1=DAC_fS, 2=ADC_fS, 3=Reserved) 1 Primary SDOUT (0=SDOUT from codec, 1=Secondary SDIN) 0 Secondary SDOUT (0=Primary SDIN, 1=SDOUT from codec) |
7-6 Reserved. Write only the reset value to these bits. 5 Accept I2C general-call address (0=No/Ignore, 1=Yes/Accept) 4-0 Reserved. Write only zeros to these bits. |
7-0 Reserved. Write only zeros to these bits. |
| DSi TSC[0:24h..32h], Status and Interrupt Flags |
7 ADC PGA applied gain = programmed gain (0=Differs, 1=Equal) (R) 6 ADC powered (0=Powered down, 1=Powered up) (R) 5 AGC saturated (0=No/inrange, 1=Yes/saturated to max) (R) 4-0 Reserved. Write only zeros to these bits. |
7 Left-channel DAC powered (0=Powered down, 1=Powered up) (R) 6 Reserved. Write only zero to this bit. 5 Left Headphone HPL driver powered (0=Powered down, 1=Powered up) (R) 4 Left-channel class-D driver powered (0=Powered down, 1=Powered up) (R) 3 Right-channel DAC powered (0=Powered down, 1=Powered up) (R) 2 Reserved. Write only zero to this bit. 1 Right Headphone HPR driver powered (0=Powered down, 1=Powered up) (R) 0 Right-channel class-D driver powered (0=Powered down, 1=Powered up) (R) |
7-5 Reserved. Do not write to these bits. 4 Left-channel DAC PGA applied gain=programmed gain (0=Differs, 1=Equal) 3-1 Reserved. Write only zeros to these bits. 0 Right-channel DAC PGA applied gain=programmed gain (0=Differs, 1=Equal) |
7 Left-Channel DAC Overflow Flag (0=None, 1=Overflow) (R) 6 Right-Channel DAC Overflow Flag (0=None, 1=Overflow) (R) 5 DAC Barrel Shifter Output Overflow Flag (0=None, 1=Overflow) (R) 4 Reserved. Write only zeros to these bits. 3 Delta-Sigma Mono ADC Overflow Flag (0=None, 1=Overflow) (R) 2 Reserved. Write only zero to this bit. 1 ADC Barrel Shifter Output Overflow Flag (0=None, 1=Overflow) (R) 0 Reserved. Write only zero to this bit. |
7-0 Reserved. Write only the reset value to these bits. |
7 Short-circuit detected at HPL/left class-D driver (0=No, 1=Yes) 6 Short-circuit detected at HPR/right class-D driver (0=No, 1=Yes) 5 Headset button pressed (0=No, 1=Yes) 4 Headset insertion/removal is detected (0=No, 1=Yes) 3 Left DAC signal power vs signal threshold of DRC (0=Less/Equal,1=Above) 2 Right DAC signal power vs signal threshold of DRC(0=Less/Equal,1=Above) 1 DAC miniDSP Engine Standard Interrupt-Port Output (0=Read 0, 1=Read 1) 0 DAC miniDSP Engine Auxiliary Interrupt-Port Output (0=Read 0, 1=Read 1) |
7 Reserved. Write only zero to this bit.
6 ADC signal power vs noise threshold for AGC (0=Greater, 1=Less)
5 Reserved. Write only zeros to these bits.
4 ADC miniDSP Engine Standard Interrupt Port Output (0=Read 0, 1=Read 1)
3 ADC miniDSP Engine Auxiliary Interrupt Port Output (0=Read 0, 1=Read 1)
2 DC measurement using Delta Sigma Audio ADC
(0=Not available, 1=Not available, too, uh?)
1-0 Reserved. Write only zeros to these bits.
|
7 Short circuit detected at HPL/left class-D driver (0=No, 1=Yes) 6 Short circuit detected at HPR/right class-D driver (0=No, 1=Yes) 5 Headset button pressed (0=No, 1=Yes) 4 Headset removal/insertion detected (0=Removal, 1=Insertion) 3 Left DAC signal power vs signal threshold of DRC (0=Below, 1=Above) 2 Right DAC signal power vs signal threshold of DRC (0=Below, 1=Above) 1 DAC miniDSP Engine Standard Interrupt Port Output (0=Read 0, 1=Read 1) 0 DAC miniDSP Engine Auxiliary Interrupt Port Output (0=Read 0, 1=Read 1) |
7 Reserved
6 Delta-sigma mono ADC signal power vs noise threshold for left AGC
5 Reserved (0=Greater, 1=Less)
4 ADC miniDSP Engine Standard Interrupt Port Output (0=Read 0, 1=Read 1)
3 ADC miniDSP Engine Auxiliary Interrupt Port Output (0=Read 0, 1=Read 1)
2 DC measurement using Delta Sigma Audio ADC
(0=Not available, 1=Not available, too, uh?)
1-0 Reserved. Write only zeros to these bits.
|
7 Headset-insertion detect (0=Off, 1=On) 6 Button-press detect (0=Off, 1=On) 5 DAC DRC signal-power (0=Off, 1=On) 4 ADC AGC noise (0=Off, 1=On) 3 Short-circuit (0=Off, 1=On) 2 Engine-generated (0=Off, 1=On) 1 DC measurement using Delta Sigma Audio ADC data-available (0=Off, 1=On) 0 INT duration (0=Pulse Once, 1=Pulse Repeatedly until Acknowledge) |
7 INT1 upon SAR measurement data-out-of-threshold range (0=Off, 1=Off?) 6 INT1 upon Pen touch/SAR data-available (0=Off, 1=On) 5 INT2 upon SAR measurement data-out-of-threshold range (0=Off, 1=Off?) 4 Reserved 3 Pen touch detected (0=No, 1=Touch) (R) 2 Data available for read (0=No, 1=Available) (R) 1 SAR data out of programmed threshold range (0=No, 1=Out) (R) 0 Reserved. Write only the default value to this bit. (R) |
| DSi TSC[0:33h..3Bh], Pin Control |
7-6 Reserved. Do not write any value other than reset value.
5-2 GPIOx Mode (R/W)
0 = GPIOx disabled (input and output buffers powered down)
1 = GPIOx input mode (as secondary BCLK/WCLK/SDIN input, or
as ADC_WCLK input, Dig_Mic_In or in ClockGen block)
2 = GPIOx input mode (as GPI general-purpose input)
3 = GPIOx output = general-purpose output
4 = GPIOx output = CLKOUT output
5 = GPIOx output = INT1 output
6 = GPIOx output = INT2 output
7 = GPIOx output = ADC_WCLK output for codec interface
8 = GPIOx output = secondary BCLK output for codec interface
9 = GPIOx output = secondary WCLK output for codec interface
10 = GPIOx output = ADC_MOD_CLK output for the digital microphone
11 = GPIOx output = secondary SDOUT for codec interface
12 = GPIOx output = TouchScreen/SAR ADC interrupt (active-low),
13-15 = Reserved as PINTDAV signal
1 GPIOx input buffer value (0 or 1) (R)
0 GPIOx general-purpose output value (0 or 1) (R/W)
|
7-5 Reserved
4 SDOUT bus keeper (0=Enabled, 1=Disabled)
3-1 SDOUT Mode
0 = SDOUT disabled (output buffer powered down)
1 = SDOUT = primary SDOUT output for codec interface
2 = SDOUT = general-purpose output
3 = SDOUT = CLKOUT output
4 = SDOUT = INT1 output
5 = SDOUT = INT2 output
6 = SDOUT = secondary BCLK output for codec interface
7 = SDOUT = secondary WCLK output for codec interface
0 SDOUT general-purpose output value (0 or 1)
|
7-3 Reserved
2-1 SDIN Mode
0 = SDIN disabled (input buffer powered down)
1 = SDIN enabled (as codec SDIN, Dig_Mic_In, or in ClockGen block)
2 = SDIN enabled (as GPI general-purpose input)
3 = Reserved
0 SDIN input-buffer value (0 or 1) (R)
|
7-5 Reserved
4-1 MISO Mode
0 = MISO disabled (output buffer powered down)
1 = MISO = MISO output for SPI interface (or disabled for I2C)
2 = General-purpose output
3 = MISO = CLKOUT output
4 = MISO = INT1 output
5 = MISO = INT2 output
6 = MISO = ADC_WCLK output for codec interface
7 = MISO = ADC_MOD_CLK output for the digital microphone
8 = MISO = secondary SDOUT for codec interface
9 = MISO = secondary BCLK output for codec interface
10 = MISO = secondary WCLK output for codec interface
11-15 = Reserved
0 MISO general-purpose output value (0 or 1)
|
7-3 Reserved
2-1 SCLK Mode
0 = SCLK disabled (input buffer powered down)
1 = SCLK enabled (for the SPI interface)
2 = SCLK enabled (as a GPI general-purpose input)
3 = SCLK enabled (as secondary SDIN/BCLK/WCLK input,
or as ADC_WCLK input, or Dig_Mic_In)
0 SCLK input buffer value (0 or 1) (R)
|
7 Reserved. Write only zero to this bit.
6-5 GPI1 Mode
0 = GPI1 disabled (input buffer powered down)
1 = GPI1 enabled (as secondary SDIN/BCLK/WCLK input, or ADC_WCLK inp)
2 = GPI1 enabled (as a GPI general-purpose input)
3 = Reserved (unlike below GPI2)
4 GPI1 pin value (0 or 1) (R)
3 Reserved. Write only zero to this bit.
2-1 GPI2 Mode
0 = GPI2 disabled (input buffer powered down)
1 = GPI2 enabled (as secondary BCLK/WCLK input, or ADC_WCLK input)
2 = GPI2 enabled (as a GPI general-purpose input)
3 = GPI2 enabled (as an HP_SP input)
0 GPI2 pin value (0 or 1) (R)
|
7 Reserved. Write only zero to this bit.
6-5 GPI3 Mode
0 = GPI3 disabled (input buffer powered down)
1 = GPI3 enabled (as secondary BCLK/WCLK input, or ADC_WCLK input)
2 = GPI3 enabled (as a GPI general purpose input)
3 = Reserved (Undocumented - used by DSi?)
4 GPI3 pin value (0 or 1) (R)
3-0 Reserved. Write only zeros to these bits.
|
7-0 Reserved. Write only zeros to these bits. |
| DSi TSC[0:3Ch..55h], DAC/ADC and Beep |
7-5 Reserved. Write only default value.
4-0 DAC Signal Processing Block
0 = DAC miniDSP is used for signal processing
1..25 = DAC Signal Processing Block PRB_P1 .. PRB_P25
26..31 = Reserved. Do not use.
|
7-5 Reserved. Write only default values.
4-0 ADC Signal Processing Block
0 = ADC miniDSP is used for signal processing
1..3 = Reserved
4..6 = ADC Signal Processing Block PRB_R4 .. PRB_R6
7..9 = Reserved
10..12 = ADC Signal Processing Block PRB_R10 .. PRB_R12
13..15 = Reserved
16..18 = ADC Signal Processing Block PRB_R16 .. PRB_R18
19..31 = Reserved. Do not write these sequences to these bits.
|
7 Reserved 6 ADC miniDSP Engine Auxiliary Control bit A (0 or 1) 5 ADC miniDSP Engine Auxiliary Control bit B (0 or 1) 4 Reset ADC miniDSP instruction counter at start of new frame (0=Yes) 3 Reserved 2 DAC miniDSP Engine Auxiliary Control bit A (0 or 1) 1 DAC miniDSP Engine Auxiliary Control bit B (0 or 1) 0 Reset DAC miniDSP instruction counter at start of new frame (0=Yes) |
7 Left-channel DAC (0=Powered down, 1=Powered up)
6 Right-channel DAC (0=Powered down, 1=Powered up)
5-4 Left-channel DAC data path (0=Off, 1=Left Data, 2=Right Data, 3=Both)
3-2 Right-channel DAC data path (0=Off, 1=Right Data, 2=Left Data, 3=Both)
1-0 DAC channel volume control soft-stepping (0=One step per sample,
1=One step per 2 samples, 2=Disabled, 3=Reserved)
|
7-4 Reserved. Write only zeros to these bits.
3 Left-channel DAC (0=Not muted, 1=Muted)
2 Right-channel DAC (0=Not muted, 1=Muted)
1-0 DAC Mono/Stereo Volume
0: Use Left/Right volume control for Left/Right channels ("stereo")
1: Use Right volume control for Both channels ("mono")
2: Use Left volume control for Both channels ("mono")
3: Same as 0 ("stereo")
|
7-0 Digital gain in 0.5dB units (-127..+48 = -63.5dB..+24dB, Other=Reserved) |
7 Headset detection Enable (0=Disabled, 1=Enabled)
6-5 Headset detection (0=None, 1=Headset, 2=Reserved, 3=Headset+Mic) (R)
4-2 Debounce for Glitch Rejection During Headset Detection
(0..5 = 16ms, 32ms, 64ms, 128ms, 256ms, 512ms, 6..7=Reserved)
(when TSC[3:10h] set to 1MHz)
1-0 Debounce for Glitch Rejection During Headset Button-Press Detection
(0..3 = 0ms, 8ms, 16ms, 32ms) (when TSC[3:10h] set to 1MHz)
|
7 Reserved. Write only the reset value to these bits. 6 DRC for left channel (0=Disabled, 1=Enabled) 5 DRC for right channel (0=Disabled, 1=Enabled) 4-2 DRC threshold (0..7 = -3dB,-6dB,-9dB,-12dB,-15dB,-18dB,-21dB,-24dB) 1-0 DRC hysteresis (0..3 = +0dB,+1dB,+2dB,+3dB) |
7 Reserved. Write only the reset value to these bits.
6-3 DRC Hold Time
0 = DRC Hold Disabled ;-disable
1 = 32 DAC Word Clocks ;\
2 = 64 DAC Word Clocks ;
3 = 128 DAC Word Clocks ;
4 = 256 DAC Word Clocks ; powers of 2
5 = 512 DAC Word Clocks ;
6 = 1024 DAC Word Clocks ;
7 = 2048 DAC Word Clocks ;
8 = 4096 DAC Word Clocks ;
9 = 8192 DAC Word Clocks ;
10 = 16384 DAC Word Clocks ;/
11 = 1*32768 DAC Word Clocks ;\
12 = 2*32768 DAC Word Clocks ;
13 = 3*32768 DAC Word Clocks ; multiples of 32768
14 = 4*32768 DAC Word Clocks ;
15 = 5*32768 DAC Word Clocks ;/
2-0 Reserved. Write only the reset value to these bits.
|
7-4 DRC attack rate, "(4 SHR N) dB per DAC Word Clock"
(0=4dB, 1=2dB, 2=1dB, ..., 15=0.000122dB per DAC Word Clock)
3-0 DRC decay rate, "(1 SHR (N+6)) dB per DAC Word Clock"
(0=0.0156dB, 1=0.00781dB, ..., 15=0.000000476dB per DAC Word Clock)
|
7 Beep Generator Enable (0=Disabled/Duration ended, 1=Enabled/Busy)
(self-clearing based on beep duration)
6 Auto beep generator on pen touch (0=Disabled, 1=Enabled)
(CODEC_CLKIN should be available for this and is
used whenever touch is detected).
5-0 Left-channel beep volume control "(2-N)dB" (0..63 = +2dB .. -61dB)
|
7-6 Beep Mono/Stereo Volume
0: Use Left/Right volume control for Left/Right channels ("stereo")
1: Use Right volume control for Both channels ("mono")
2: Use Left volume control for Both channels ("mono")
3: Same as 0 ("stereo")
5-0 Right-channel beep volume control "(2-N)dB" (0..63 = +2dB .. -61dB)
|
23-0 Number of samples for which beep need to be generated (24bit) |
15-0 Beep Frequency sin/cos values (16bit, each) |
7-0 Reserved. Write only the reset value to these bits. |
7 ADC channel (0=Powered Down, 1=Powered Up)
6 Reserved
5-4 Digital microphone input (0=GPIO1, 1=SCLK, 2=SDIN, 3=GPIO2)
3 Digital microphone for delta-sigma mono ADC channel (0=Off, 1=On)
2 Reserved
1-0 ADC channel volume control soft-stepping (0=One step per sample,
1=One step per 2 samples, 2=Disabled, 3=Reserved)
|
7 ADC channel (0=Not muted, 1=Muted)
6-4 Delta-Sigma Mono ADC Channel Volume Control Fine Gain
(0=0dB, 1=-0.1dB, 2=-0.2dB, 3=-0.3dB, 4=-0.4dB, 5..7=Reserved)
3-0 Reserved. Write only zeros to these bits.
|
7 Reserved
6-0 Delta-Sigma Mono ADC Channel Volume Control Coarse Gain
0..39 = Reserved
40 = -12 dB
39 = -11.5 dB
...
103 = +19.5 dB
104 = +20 dB
105..127 = Reserved
|
7-0 Reserved. Write only the reset value to these bits. |
| DSi TSC[0:56h..7Fh], AGC and ADC |
7 AGC (0=Disabled, 1=Enabled)
6-4 AGC target level (0=-5.5dB, 1=-8dB, 2=-10dB, 3=-12dB,
4=-14dB, 5=-17dB, 6=-20dB, 7=-24dB)
3-0 Reserved. Write only zeros to these bits.
|
7-6 AGC hysterysis setting (0=1dB, 1=2dB, 2=4dB, 3=Disable AGC hysterysis)
5-1 AGC noise threshold (and silence detection)
0 = AGC noise/silence detection is disabled.
1 = AGC noise threshold = -30dB
2 = AGC noise threshold = -32dB
3 = AGC noise threshold = -34dB
...
29 = AGC noise threshold = -86dB
30 = AGC noise threshold = -88dB
31 = AGC noise threshold = -90dB
0 Reserved. Write only zero to this bit.
|
7 Reserved. Write only zero to this bit. 6-0 AGC maximum gain in 0.5dB units (0..119=0..+59.5dB, 120..127=Reserved) |
7-3 AGC attack/decay time, (N*2+1)*32/fS (0..31 = 1*32/fS .. 63*32/fS) 2-0 AGC attack/decay time Multiply factor, 1 SHL N (0..7 = 1..128) |
7-5 Reserved. Write only zeros to these bits.
4-0 AGC noise debounce
0..5 = 0/fS, 4/fS, 8/fS, 16/fS, 32/fS, 64/fS ;\powers of 2
6..10 = 128/fS, 256/fS, 512/fS, 1024/fS, 2048/fS ;/
11..14 = 1*4096/fS, 2*4096/fS, 3*4096/fS ;\multiples
14..31 = 4*4096/fS, .., 20*4096/fS, 21*4096/fS ;/of 4096
|
7-4 Reserved. Write only zeros to these bits.
3-0 AGC signal debounce
0..5 = 0/fS, 4/fS, 8/fS, 16/fS, 32/fS, 64/fS ;\powers of 2
6..9 = 128/fS, 256/fS, 512/fS, 1024/fS ;/
10..13 = 1*2048/fS, 2*2048/fS, 3*2048/fS ;\multiples
13..15 = 4*2048/fS, 5*2048/fS, 6*2048/fS ;/of 2048
|
7-0 Gain applied by AGC in 0.5dB units (-24..+119 = -12dB..+59.5dB) (R) |
7-0 Reserved. Do not write to these registers. |
7 DC measurement for mono ADC channel (0=Disabled, 1=Enabled)
6 Reserved. Write only reset value.
5 DC measurement is done based on
0: 1st order sinc filter with averaging of 2^D.
1: 1st order low-pass IIR filter whose coefficients
are calculated based on D value.
4-0 DC Meaurement D setting (1..20 = D=1 .. D=20) (0 or 21..31=Reserved)
|
7 Reserved. Write only reset value.
6 DC measurement data update (0=Enabled, 1=Disabled/allow stable reading)
(Disabled: user can read the last updated data without corruption)
5 For IIR based DC measurement, the measurment value is
0: the instantaneous output of the IIR filter
1: update before periodic clearing of the IIR filter
4-0 IIR based DC measurment, average time setting:
0 Infinite average is used
1 Averaging time is 2^1 ADC modulator clock periods
2 Averaging time is 2^2 ADC modulator clock periods
...
19 Averaging time is 2^19 ADC modulator clock periods
20 Averaging time is 2^20 ADC modulator clock periods
21..31 Reserved. Don't use.
|
23-0 ADC DC Measurement Output (24bit) |
7-0 Reserved. Do not write to these registers. |
7 DAC volume control is controlled by,
0: controlled by control register (7-bit Vol ADC is powered down)
1: controlled by pin.
6 Clock for the 7-bit Vol ADC for pin volume control,
0: Internal on-chip RC oscillator
1: External MCLK
5-4 Hysteresis
0: No hysteresis for volume control ADC output
1: Hysteresis of +/-1 bit
2: Hysteresis of +/-2 bits
3: Reserved. Do not write this sequence to these bits.
3 Reserved. Write only reset value.
2-0 Throughput of the 7-bit Vol ADC for pin volume control,
When Bit6=1 and external MCLK is 12MHz:
(0..7=15.625Hz, 31.25Hz, 62.5Hz, 125Hz, 250Hz, 500Hz, 1000Hz, 2000Hz)
When Bit6=0 (use Internal oscillator):
(0..7=10.68Hz, 21.35Hz, 42.71Hz, 85Hz?, 170Hz, 340Hz, 680Hz, 1370Hz)
|
7 Reserved. Write only zero to this bit.
6-0 Gain applied by pin volume control
0 = +18 dB
1 = +17.5 dB
2 = +17 dB
...
35 = +0.5 dB
36 = 0 dB
37 = -0.5 dB
...
89 = -26.5 dB
90 = -27 dB ;below in 1dB steps instead of 0.5dB steps !
91 = -28 dB
...
125 = -62 dB
126 = -63 dB
127 = Reserved
|
7-0 Reserved. Do not write to these registers. |
| DSi TSC[1:xxh], DAC and ADC Routing, PGA, Power-Controls and MISC Logic |
7-0 Reserved. Do not write to these registers. |
7-2 Reserved 1 Reset HPL/HPR power-up bits upon short-circuit detect (0=Yes, 1=No) 0 Reset SPL/SPR power-up bits upon short-circuit detect (0=Yes, 1=No) |
7 HPL output driver (0=Powered down, 1=Powered up)
6 HPR output driver (0=Powered down, 1=Powered up)
5 Reserved. Write only zero to this bit.
4-3 Output common-mode voltage (0=1.35V, 1=1.5V, 2=1.65V, 3=1.8V)
2 Reserved. Write only 1 to this bit. (!!!)
1 Action when short-circuit protection is enabled/detected,
0=Limit the maximum current to the load.
1=Power down the output driver.
0 Short-circuit detected on the headphone driver (0=No, 1=Yes) (R)
|
7 Left-channel class-D output driver (0=Powered down, 1=Powered up) 6 Right-channel class-D output driver (0=Powered down, 1=Powered up) 5-1 Reserved. Write only the reset value (00011b) to these bits (!!!) 0 Short-circuit is detected on the class-D driver (0=No, 1=Yes) (R) |
7 If power down sequence is activated by device software power down
using TSC[1:2Eh].Bit7 then power down DAC,
0: simultaneously with the HP and SP amplifiers.
1: after HP and SP amplifiers are completely powered down.
(the latter setting is to optimize power-down POP).
6-3 Driver power-on time (at 8.2MHz) (1=15.3us, 2=153us, 3=1.53ms,
4=15.3ms,5=76.2ms, 6=153ms, 7=304ms, 8=610ms, 9=1.22s, 10=3.04s,
11=6.1s, 12..15=Reserved)
2-1 Driver ramp-up step time (8.2MHz) (0=0ms, 1=0.98ms, 2=1.95ms, 3=3.9ms)
0 Weakly driven output common-mode voltage is generated from,
0=resistor divider of the AVDD supply.
1=band-gap reference.
|
7 Reserved. Write only the reset value to this bit. (USED on DSi!)
6-4 Speaker Power-Up Wait Time (at 8.2MHz) (0=0 ms, 1=3.04 ms, 2=7.62 ms,
3=12.2 ms, 4=15.3 ms, 5=19.8 ms, 6=24.4 ms, 7=30.5 ms)
3-0 Reserved. Write only the reset value to these bits.
|
7-6 DAC_L route (0=Nowhere, 1=To L-Mixer, 2=Direct to HPL, 3=Reserved) 5 MIC input routed to the left-channel mixer amplifier (0=No, 1=Yes) 4 AUX1 input routed to the left-channel mixer amplifier (0=No, 1=Yes) 3-2 DAC_R route (0=Nowhere, 1=To R-Mixer, 2=Direct to HPR, 3=Reserved) 1 AUX1 input routed to the right-channel mixer amplifier (0=No, 1=Yes) 0 HPL driver output routed to HPR driver (for differential) (0=No, 1=Yes) |
7 Analog volume control routed to HPx/SPx output driver (0=No, 1=Yes) 6-0 Analog volume control gain (non-linear) (0 dB to -78 dB) |
7 Reserved. Write only zero to this bit.
6-3 HPx driver PGA (0..9 = 0dB..9dB, 10..15=Reserved)
2 HPx driver (0=Muted, 1=Not muted)
1 HPx driver during power down (0=Weakly driven to a common mode,
1=High-impedance)
0 All programmed gains to HPx have been applied (0=Not yet, 1=Yes/all) (R)
|
7-5 Reserved. Write only zeros to these bits. 4-3 SPx class-D driver output stage gain (0=6dB, 1=12dB, 2=18dB, 3=24dB) 2 SPx class-D driver (0=Muted, 1=Not muted) 1 Reserved. Write only zero to this bit. 0 All programmed gains to SPx have been applied (0=Not yet, 1=Yes/all) (R) |
7-5 Debounce time for the headset short-circuit detection
(0..7 = 0us, 8us, 16us, 32us, 64us, 128us, 256us)
(when TSC[3:10h] set to 1MHz)
4-3 DAC Performance (0=Normal, 1=Increased, 2=Reserved, 3=Further Increased)
(increased: by increased current, further: by increased current gain)
2 HPL output driver type (0=Headphone, 1=Lineout)
1 HPR output driver type (0=Headphone, 1=Lineout)
0 Reserved. Write only zero to this bit.
|
7-0 Reserved. Do not write to these registers. |
7 Device software power-down (0=Disabled, 1=PowerDown?-Enabled)
6-4 Reserved. Write only zeros to these bits.
3 Programmed MICBIAS is powered up when,
0: not if headset detection is enabled but headset isn't inserted.
1: always, even if headset isn't inserted.
2 Reserved. Write only zero to this bit.
1-0 MICBIAS output (0=Off, 1=2V, 2=2.5V, 3=AVDD)
|
7 MIC PGA (0=Controlled by bits6-0, 1=Force 0dB) 6-0 PGA in 0.5dB units (0..119 = 0..59.5dB, 120..127=Reserved) |
7-6 MIC to MIC PGA feed-forward (0=Off, 1=10kOhm, 2=20kOhm, 3=40kOhm) 5-4 AUX1 to MIC PGA feed-forward (0=Off, 1=10kOhm, 2=20kOhm, 3=40kOhm) 3-2 AUX2 to MIC PGA feed-forward (0=Off, 1=10kOhm, 2=20kOhm, 3=40kOhm) 1-0 Reserved. Write only zeros to these bits. |
7-6 CM to MIC PGA feed-forward (0=Off, 1=10kOhm, 2=20kOhm, 3=40kOhm) 5-4 AUX2 to MIC PGA feed-forward (0=Off, 1=10kOhm, 2=20kOhm, 3=40kOhm) 3-0 Reserved. Write only zeros to these bits. |
7 MIC input (0=Floating, 1=Connected to CM internally)
(when not used for MIC PGA and analog bypass)
6 AUX1 input (0=Floating, 1=Connected to CM internally)
(when not used for MIC PGA and analog bypass)
5 AUX2 input (0=Floating, 1=Connected to CM internally)
(when not used for MIC PGA)
4-1 Reserved. Write only zeros to these bits.
0 All programmed gains to ADC have been applied (0=Not yet, 1=Yes/all) (R)
|
7-0 Reserved. Write only the reset value to these bits. |
| DSi TSC[3:xxh], Touchscreen/SAR Control and TSC[FCh:xxh], Buffer |
7-0 Reserved. Write only the reset value to these bits. |
7 Stop (0=Normal mode, 1=Stop conversion and power down SAR ADC)
6-5 SAR ADC resolution (0=12bit, 1=8bit, 2=10bit, 3=12bit)
4-3 SAR ADC clock divider
0 = 1 (Use for 8bit resolution mode only) (This divider is only
for the conversion clock generation, not for other logic.)
1 = 2 (Use for 8bit/10bit resolution mode only)
2 = 4 (Recommended for better performance in 8bit/10bit mode)
3 = 8 (Recommended for better performance in 12bit mode)
(See Figure 5-40, uh?)
2 Filter used for on-chip data averaging (0=Mean, 1=Median) (if enabled)
1-0 On-chip data averaging for mean/median filter
0 = On-chip data averaging disabled
1 = 4-data averaging (mean), or 5-data averaging (median)
2 = 8-data averaging (mean), or 9-data averaging (median)
3 = 16-data averaging (mean), or 15-data averaging (median)
|
7 Conversions controlled,
0: Host-controlled conversions
1: Self-controlled conversions for touch screen based on pen touch
6 Reserved. Write only zero to this bit.
5-2 Conversion mode
0 = No scan
1 = Scan X/Y ;\Even in host-controlled mode ;\until either
2 = Scan X/Y/Z1/Z2 ;/ ; pen is lifted,
3 = Scan X ;\ ; or a stop bit
4 = Scan Y ; Only in self-controlled mode ; TSC[3:02h].Bit7
5 = Scan Z1/Z2 ;/ ;/is sent
6 = VBAT measurement
7 = AUX2 measurement
8 = AUX1 measurement
9 = Auto scan. Sequence used is AUX1, AUX2, VBAT.
Each of these inputs can be enabled or disabled independently
using TSC[3:13h], and with that sequence is modified accordingly.
Scan continues until stop bit TSC[3:02h].Bit7 is sent,
or Bit5-2 of this register are changed.
10 = TEMP1 measurement
11 = Port scan: AUX1, AUX2, VBAT
12 = TEMP2 measurement
13-15 = Reserved. Do not write these sequences to these bits.
1-0 Interrupt pin (GPIO1 or GPIO2 pin)
0 = PEN-interrupt /PENIRQ (active low)
1 = Data-available /DATA_AVA (active low)
2 = PEN-interrupt PENIRQ and Data-available DATA_AVA (active high)
3 = Reserved
|
7 Pen touch detection (0=Enabled, 1=Disabled)
6-4 Precharge time before touch detection
(0..7 = 0.25us, 1us, 3us, 10us, 30us, 100us, 300us, 1000us)
(when TSC[3:11h] set to 8MHz)
3 Reserved. Write only zero to this bit.
2-0 Sense time during touch detection
(0..7 = 1us, 2us, 3us, 10us, 30us, 100us, 300us, 1000us)
(when TSC[3:11h] set to 8MHz)
|
7-6 SAR comparator bias current (0=Normal, 1..3=Increase by 25%, 50%, 100%)
(use Increase to support higher conversion clock)
5 Sample duration (0=Default, 1=Doubled; for higher impedance)
4-3 Reserved. Write only zeroes to these bits.
2-0 Panel voltage stabilization time before conversion
(0..7 = 0.25us, 1us, 3us, 10us, 30us, 100us, 300us, 1000us)
(when TSC[3:11h] set to 8MHz)
|
7 Reference for Non-touch-screen Measurement (0=External, 1=Internal)
6 Internal reference voltage (0=1.25V, 1=2.5V)
5 Internal reference powered (0=Always, 1=Only during conversion)
4 Reserved
3-2 Reference Stabilization Time before Conversion
(0=0us, 1=100us, 2=500us, 3=1ms) (when TSC[3:11h] set to 8MHz)
1 Reserved
0 Battery measurement input (0=VBAT<=VREF, 1=VBAT=BAT)
|
7-0 Reserved. Write only the reset value to these bits. |
7 Pen Touch detected (0=Not detected, 1=Detected) (R) 6 ADC Ready (0=Busy, 1=Ready) (R) 5 New data is available (0=None, 1=Yes) (R) 4 Reserved. Write only the reset value to this bit. 3 New X data is available (0=None, 1=Yes) (R) 2 New Y data is available (0=None, 1=Yes) (R) 1 New Z1 data is available (0=None, 1=Yes) (R) 0 New Z2 data is available (0=None, 1=Yes) (R) |
7 New AUX1 data is available (0=None, 1=Yes) (R) 6 New AUX2 data is available (0=None, 1=Yes) (R) 5 New VBAT data is available (0=None, 1=Yes) (R) 4-2 Reserved. Write only zeros to these bits. 1 New TEMP1 data is available (0=None, 1=Yes) (R) 0 New TEMP2 data is available (0=None, 1=Yes) (R) |
7-0 Reserved. Write only the reset value to these bits. |
7 Buffer Mode Enable (0=Disabled, Enabled)
(when disabled: RDPTR/WRPTR/TGPTR are set to their default values)
6 Buffer Mode Type (0=Countinuos-conversion, 1=Single-shot)
5-3 Trigger level for conversion "(N+1)*8*number of converted data"
0..7 = (8..64)*number of converted data
uh, does "X*number of converted data" mean "after X conversions"?
2 Reserved
1 Buffer Full (0=No, 1=Full; contains 64 unread converted data) (R)
0 Buffer Empty (0=No, 1=Empty; contains 0 unread converted data) (R)
|
7-0 Reserved. Write only the reset value to these bits. |
7 Programmable delay for Touch-screen measurement (0=Disable, 1=Enable)
6-4 Programmable interval timer delay
(0..7 = 8ms, 1ms, 2ms, 3ms, 4ms, 5ms, 6ms, 7ms)
(when TSC[3:10h] set to 1MHz)
3 Programmable delay for Non-touch-screen auto measurement (1=Enable)
2-0 Programmable interval timer delay (0..7 = 1.12min, 3.36min,
5.59min, 7.83min, 10.01min, 12.30min, 14.54min, 16.78min)
(uh, what is that? minutes? minimum? or what?)
(when TSC[3:10h] set to 1MHz)
|
7 Clock used for Programmable Delay Timer (0=Internal Osc/8, 1=Ext. MCLK)
6-0 MCLK Divider to Generate 1-MHz Clock for the Programmable Delay Timer
(1..127=Div1..127, or 0=Div128)
|
7 Clock used for SAR ADC and TSC FSM (0=Internal Osc/1, 1=External MCLK) 6-0 MCLK Divider for the SAR (min 40ns) (1..127=Div1..127, or 0=Div128) |
7 Interface used for the buffer data reading (0=SPI, 1=I2C)
6 SAR/buffer data update is,
0: held automatically (to avoid simultaneous buffer read and write
operations) based on internal detection logic.
1: held using software control and TSC[3:12h].Bit5.
5 SAR/buffer data update is (only if above Bit6=1),
0: enabled all the time
1: stopped so that user can read the last updated data
without any data corruption.
4-3 Reserved. Write only zeros to these bits.
2-0 Pen-touch removal detection with debounce
(0..7 = 0us, 8us, 16us, 32us, 64us, 128us, 256us, 512us)
(when TSC[3:10h] set to 1MHz)
|
7 Auto AUX1 measurement during auto non-touch screen scan (0=Off, 1=On) 6 Auto AUX2 measurement during auto non-touch screen scan (0=Off, 1=On) 5 Auto VBAT measurement during auto non-touch screen scan (0=Off, 1=On) 4 Auto TEMP measurement during auto non-touch screen scan (0=Off, 1=On) 3 TEMP Measurement (0=Use TEMP1, 1=Use TEMP2) 2 AUX1 Usage (0=Voltage measurement, 1=Resistance measurement) 1 AUX2 Usage (0=Voltage measurement, 1=Resistance measurement) 0 Resistance measurement bias (0=Internal bias, 1=External bias) |
7-3 Reserved
2-0 Debounce Time for Pen-Down Detection
(0..7 = 0us, 64us, 128us, 256us, 512us, 1024us, 2048us, 4096us)
(when TSC[3:10h] set to 1MHz)
|
7-6 Reserved. Write only zeros to these bits. 5 AUX1 Maximum (0=Inrange, 1=Exceeds Limit; Equal/Above MAX) 4 AUX1 Minimum (0=Inrange, 1=Exceeds Limit; Equal/Below MIN) 3 AUX2 Maximum (0=Inrange, 1=Exceeds Limit; Equal/Above MAX) 2 AUX2 Minimum (0=Inrange, 1=Exceeds Limit; Equal/Below MIN) 1 TEMP Maximum (0=Inrange, 1=Exceeds Limit; Equal/Above MAX) 0 TEMP Minimum (0=Inrange, 1=Exceeds Limit; Equal/Below MIN) |
15-13 Reserved
12 Threshold check (0=Disabled, 1=Enabled)
(valid for auto/non-auto scan measurement).
11-0 Threshold code (12bit)
|
7-0 Reserved. Write only the reset value to these bits. |
15-0 Coordinate (16bit, each) |
7-0 Reserved. Write only the reset value to these bits. |
15-0 Data from AUX1/AUX2/VBAT inputs accordingly |
7-0 Reserved. Write only the reset value to these bits. |
15-0 Data from TEMP1/TEMP2 inputs accordingly |
7-0 Reserved. Write only the reset value to these bits. |
15 Ring-buffer Full (1=All 64 entries are unread) 14 Ring-buffer Empty (1=All 64 entries are read) 13 Reserved (uh?) 12 Data ID (0=X/Z1/BAT/AUX2, 1=Y/Z2/AUX1/TEMP) 11-0 Converted data (12bit) |
7-0 Reserved. Write only the reset value to these bits. |
| DSi TSC[04h..05h:xxh], ADC Digital Filter Coefficient RAM |
ADC miniDSP ADC FIR Filter Special
Coefficients Coefficients Coefficients
TSC[4:00h] Page Select - -
TSC[4:01h] Reserved - -
TSC[4:02h..07h] C1..C3 - N0,N1,D1 for AGC LPF
(first-order IIR, used
as averager to detect level)
TSC[4:08h..0Dh] C4..C6 - N0,N1,D1 for ADC-programmable
first-order IIR
TSC[4:0Eh..17h] C7..C11 FIR0..FIR4 N0,N1,N2,D1,D2 for ADC Biquad A
TSC[4:18h..21h] C12..C16 FIR5..FIR9 N0,N1,N2,D1,D2 for ADC Biquad B
TSC[4:22h..2Bh] C17..C21 FIR10..FIR14 N0,N1,N2,D1,D2 for ADC Biquad C
TSC[4:2Ch..35h] C22..C26 FIR15..FIR19 N0,N1,N2,D1,D2 for ADC Biquad D
TSC[4:36h..3Fh] C27..C31 FIR20..FIR24 N0,N1,N2,D1,D2 for ADC Biquad E
TSC[4:40h..7Fh] C32..C63 - -
TSC[5:00h] Page Select - -
TSC[5:01h] Reserved - -
TSC[5:02h..7Fh] C65..C127 - -
|
| DSi TSC[08h..0Fh:xxh], DAC Digital Filter Coefficient RAM |
7-4 Reserved. Write only the reset value.
3 DAC miniDSP generated flag for toggling MSB of coefficient RAM address
(only used in non-adaptive mode) (R)
2 DAC Adaptive Filtering in DAC miniDSP (0=Disabled, 1=Enabled) (R/W)
1 DAC Adaptive Filter Buffer Control Flag (R)
aka DAC Coefficient Buffers in adaptive filter mode
0: miniDSP accesses Buffer A,
external control interface (=the user?) accesses Buffer B
1: miniDSP accesses Buffer B,
external control interface (=the user?) accesses Buffer A
0 DAC Adaptive Filter Buffer Switch Control (R/W)
0: DAC coefficient buffers will not be switched at next frame boundary
1: DAC coefficient buffers will be switched at next frame boundary
(only if adaptive filtering mode is enabled)
This bit will self-clear on switching.
|
DAC miniDSP Special
(DAC Buffer A) DAC-programmable
Coefficient Coefficient
TSC[8:00h] Page Select -
TSC[8:01h] Control - (see above)
TSC[8:02h..0Bh] C1..C5 N0,N1,N2,D1,D2 for Left Biquad A ;N0=7FFFh
TSC[8:0Ch..15h] C6..C10 N0,N1,N2,D1,D2 for Left Biquad B ;N1,N2,D1,
TSC[8:16h..1Fh] C11..C15 N0,N1,N2,D1,D2 for Left Biquad C ; D2=0
TSC[8:20h..29h] C16..C20 N0,N1,N2,D1,D2 for Left Biquad D
TSC[8:2Ah..33h] C21..C25 N0,N1,N2,D1,D2 for Left Biquad E
TSC[8:34h..3Dh] C26..C30 N0,N1,N2,D1,D2 for Left Biquad F
TSC[8:3Eh..3Fh] C31 -
TSC[8:40h..41h] C32 for 3D PGA for PRB_P23, PRB_P24 and PRB_P25
TSC[8:42h..4Bh] C33..C37 N0,N1,N2,D1,D2 for Right Biquad A
TSC[8:4Ch..55h] C38..C42 N0,N1,N2,D1,D2 for Right Biquad B
TSC[8:56h..5Fh] C43..C47 N0,N1,N2,D1,D2 for Right Biquad C
TSC[8:60h..69h] C48..C52 N0,N1,N2,D1,D2 for Right Biquad D
TSC[8:6Ah..73h] C53..C57 N0,N1,N2,D1,D2 for Right Biquad E
TSC[8:74h..7Dh] C58..C62 N0,N1,N2,D1,D2 for Right Biquad F
TSC[8:7Eh..7Fh] C63 -
TSC[9:00h] Page Select -
TSC[9:01h] Reserved - (do not write to this register)
TSC[9:02h..07h] C65..C67 N0,N1,D1 for Left first-order IIR
TSC[9:08h..0Dh] C68..C70 N0,N1,D1 for Right first-order IIR
TSC[9:0Eh..13h] C71..C73 N0,N1,D1 for DRC first-order high-pass filter
TSC[9:14h..19h] C74..C76 N0,N1,D1 for DRC first-order low-pass filter
TSC[9:1Ah..7Fh] C77..C127 -
TSC[A:00h] Page Select -
TSC[A:01h] Reserved - (do not write to this register)
TSC[A:02h..7Fh] C129..C191 -
TSC[B:00h] Page Select -
TSC[B:01h] Reserved - (do not write to this register)
TSC[B:02h..7Fh] C193..C255 -
|
DAC miniDSP Special
(DAC Buffer A) DAC-programmable
Coefficient Coefficient
TSC[C:02h..0Bh] C1..C5 Unknown ;\
TSC[C:0Ch..15h] C6..C10 Unknown ;
TSC[C:16h..1Fh] C11..C15 Unknown ; maybe Left Biquad A..F
TSC[C:20h..29h] C16..C20 Unknown ; as for Buffer A
TSC[C:2Ah..33h] C21..C25 Unknown ;
TSC[C:34h..3Dh] C26..C30 Unknown ;/
TSC[C:3Eh..3Fh] C31 -
TSC[C:40h..41h] C32 Unknown maybe 3D PGA as for Buffer A
TSC[C:42h..4Bh] C33..C37 Unknown ;\
TSC[C:4Ch..55h] C38..C42 Unknown ;
TSC[C:56h..5Fh] C43..C47 Unknown ; maybe Right Biquad A..F
TSC[C:60h..69h] C48..C52 Unknown ; as for Buffer A
TSC[C:6Ah..73h] C53..C57 Unknown ;
TSC[C:74h..7Dh] C58..C62 Unknown ;/
TSC[C:7Eh..7Fh] C63 -
TSC[D:00h] Page Select -
TSC[D:01h] Reserved - (do not write to this register)
TSC[D:02h..07h] C65..C67 Unknown ;\
TSC[D:08h..0Dh] C68..C70 Unknown ; maybe IRR and DRC
TSC[D:0Eh..13h] C71..C73 Unknown ; as for Buffer A
TSC[D:14h..19h] C74..C76 Unknown ;/
TSC[D:1Ah..7Fh] C77..C127 -
TSC[E:00h] Page Select -
TSC[E:01h] Reserved - (do not write to this register)
TSC[E:02h..7Fh] C129..C191 -
TSC[F:00h] Page Select -
TSC[F:01h] Reserved - (do not write to this register)
TSC[F:02h..7Fh] C193..C255 -
|
| DSi TSC[20h..2Bh:xxh], TSC[40h..5Fh:xxh] ADC/DAC Instruction RAM |
TSC[20h..2Bh:00h] Page Select TSC[20h..2Bh:01h] Reserved TSC[20h:02h...61h] ADC Instructions 0...31 TSC[21h:02h...61h] ADC Instructions 32...63 TSC[22h:02h...61h] ADC Instructions 64...95 TSC[23h:02h...61h] ADC Instructions 96...127 TSC[24h:02h...61h] ADC Instructions 128...159 TSC[25h:02h...61h] ADC Instructions 160...191 TSC[26h:02h...61h] ADC Instructions 192...223 TSC[27h:02h...61h] ADC Instructions 224...255 TSC[28h:02h...61h] ADC Instructions 256...287 TSC[29h:02h...61h] ADC Instructions 288...319 TSC[2Ah:02h...61h] ADC Instructions 320...351 TSC[2Bh:02h...61h] ADC Instructions 352...383 TSC[20h..2Bh:62h..7Fh] Reserved |
TSC[40h..5Fh:00h] Page Select TSC[40h..5Fh:01h] Reserved TSC[40h:02h...61h] DAC Instructions 0...31 TSC[41h:02h...61h] DAC Instructions 32...63 TSC[42h:02h...61h] DAC Instructions 64...95 TSC[43h:02h...61h] DAC Instructions 96...127 TSC[44h:02h...61h] DAC Instructions 128...159 TSC[45h:02h...61h] DAC Instructions 160...191 TSC[46h:02h...61h] DAC Instructions 192...223 TSC[47h:02h...61h] DAC Instructions 224...255 TSC[48h:02h...61h] DAC Instructions 256...287 TSC[49h:02h...61h] DAC Instructions 288...319 TSC[4Ah:02h...61h] DAC Instructions 320...351 TSC[4Bh:02h...61h] DAC Instructions 352...383 TSC[4Ch:02h...61h] DAC Instructions 384...415 TSC[4Dh:02h...61h] DAC Instructions 416...447 TSC[4Eh:02h...61h] DAC Instructions 448...479 TSC[4Fh:02h...61h] DAC Instructions 480...511 TSC[50h:02h...61h] DAC Instructions 512...543 TSC[51h:02h...61h] DAC Instructions 544...575 TSC[52h:02h...61h] DAC Instructions 576...607 TSC[53h:02h...61h] DAC Instructions 608...639 TSC[54h:02h...61h] DAC Instructions 640...671 TSC[55h:02h...61h] DAC Instructions 672...703 TSC[56h:02h...61h] DAC Instructions 704...735 TSC[57h:02h...61h] DAC Instructions 736...767 TSC[58h:02h...61h] DAC Instructions 768...799 TSC[59h:02h...61h] DAC Instructions 800...831 TSC[5Ah:02h...61h] DAC Instructions 832...863 TSC[5Bh:02h...61h] DAC Instructions 864...895 TSC[5Ch:02h...61h] DAC Instructions 896...927 TSC[5Dh:02h...61h] DAC Instructions 928...959 TSC[5Eh:02h...61h] DAC Instructions 960...991 TSC[5Fh:02h...61h] DAC Instructions 992...1023 TSC[40h..5Fh:62h..7Fh] Reserved |
| DSi I2C Bus |
Register Width Description
02h 1 Used for DSi IRQ6 IF flags
uh, IF.Bit6 would be Timer3overflow ?
or, IF2.Bit6 would be PowerButton ?
04h 1 Unknown (bit0 toggled)
|
Device Delay Bit0 Description 7Ah 0 No 0 Camera0(internal?) ;Aptina MT9V113 (SelfPortrait) 78h 0 No 1 Camera1(external?) ;Aptina MT9V113 (External) A0h 0 No 2 Camera0 config (Ext) ;\maybe for other manufacturer? E0h 0 No 3 Camera1 config (Self);/ 4Ah 180h Yes 4 BPTWL Chip (LED/Volume/Powerbutton/Reset) 40h 0 Yes 5 ? 90h 0 Yes 6 ? |
xxh Power Managment Device (connected to BPTWL chip) 50h I2C bus potentiometer (volume D/A converter) (connected to BPTWL chip) A0h I2C bus EEPROM (connected to Atheros wifi chip) |
| DSi I2C I/O Ports |
0-7 Data (or Device, or Register) |
0 Stop (0=No, 1=Stop/last byte) 1 Start (0=No, 1=Start/first byte) 2 Error (0=No, 1=Pause/Flush? after Error, used with/after Stop) 3 Unknown/unused (0) 4 Ack Flag (0=Error, 1=Okay) (For DataRead: W, for DataWrite: R) 5 Data Direction (0=Write, 1=Read) 6 Interrupt Enable (0=Disable, 1=Enable) 7 Start/busy (0=Ready, 1=Start/busy) |
For Writing: Write Device+0 (with Start condition) ;\ Write Index byte(s) ; write index + data Write Data byte(s) (last byte with Stop condition) ;/ For Reading: Write Device+0 (with Start condition) ;\1st step: write index Write Index byte(s) (last byte with Stop condition) ;/ Write Device+1 (with Start condition) ;\2nd step: read data Read Data byte(s) (last byte with Stop condition) ;/ |
Invoke byte-transfer Do WaitByLoop (needed for the BPTWL device only) Wait for start/busy flag to get zero |
| DSi I2C Signals |
START D7 D6 D5 D4 D3 D2 D1 D0 ACK D7 D6/ .. /D1 D0 ACK STOP
__ ___ ___ ___ ___ ___ ___ ___ ___ ___ __/ /___ ___ ___
SDA |__|___|___|___|___|___|___|___|___|___|___|_/ .. /|___|___|______|
____ _ _ _ _ _ _ _ _ _ _ / / _ _ _ _____
SCL |_| |_| |_| |_| |_| |_| |_| |_| |_| |_| |/ .. / |_| |_| |_| |_|
/ /
<--><------------------------------><--><--------------------><--><-->
Start Device/Direction Byte Ack Index/Data Byte(s) Ack Stop
|
if (send_start) then i2c_start_cond() ;-start (if so) for i=7 downto 0, i2c_write_bit(databyte.bit(i)), next i ;-write 8bit nack = i2c_read_bit() ;-read nack if (send_stop) then i2c_stop_cond() ;-stop (if so) return nack ;return 0 if ack by the slave. ;-return nack |
for i=7 downto 0, databyte.bit(i)=i2c_read_bit(), next i ;-read 8bit i2c_write_bit(nack) ;-write nack if (send_stop) then i2c_stop_cond() ;-stop (if so) return databyte ;-return databyte |
if (bit) then SDA=HighZ else SDA=Low ;- I2C_delay() ;- SCL=HighZ wait until SCL=High (or timeout) ;-wait (for clock stretching) if (bit=1 and SDA=Low) then arbitration_lost();-errif other HW pulls SDA=low I2C_delay() ;- SCL=Low ;- |
SDA=HighZ ;-let the slave drive data I2C_delay() ;-delay (one half clk) SCL=HighZ wait until SCL=High (or timeout) ;-wait (for clock stretching) bit = SDA ;- I2C_delay() ;-delay (one half clk) SCL=Low ;- return bit ;- |
if (started) then ;if started, do a restart cond
SDA=HighZ ;-set SDA to 1
I2C_delay()
SCL=HighZ
wait until SCL=High (or timeout) ;-wait (for clock stretching)
I2C_delay() ;Repeated start setup time, minimum 4.7us
if (SDA=Low) then arbitration_lost()
SDA=Low ;-
I2C_delay()
SCL=Low
started = true
|
SDA=Low ;- I2C_delay() ;- SCL=HighZ ;- wait until SCL=High (or timeout) ;-wait (for clock stretching) I2C_delay() ;Stop bit setup time, minimum 4us if (SDA=Low) then arbitration_lost() I2C_delay() started = false |
| DSi I2C Device 4Ah (BPTWL chip) |
00h R Version/Speed (usually 33h) (00h..20h=Slow, 21h..FFh=Fast)
01h R Unknown (00h)
02h R Unknown (50h)
03h-0Fh - Reserved (5Ah-filled)
10h R Power Button (bit0=WasWhat?, bit1=IsDown, bit3=WasDown?)
(bit0/3 are cleared after reading)
11h R/W Reset (00h=No, 01h=Force Reset, 02h=???)
12h R/W Power Button Tapping (00h=Auto-Reset, 01h=IRQ)
13h-1Fh - Reserved (5Ah-filled)
20h R Battery State (bit0..3=Battery Level, bit7=Charge)
21h R/W Unknown (07h)
22h-2Fh - Reserved (5Ah-filled)
30h R/W Wifi LED related (13h=Normal/Auto?, 12h=Force Wifi LED Off)
31h R/W Camera LED (00h=Off, 01h=On, 02h=Blink)
32h-3Fh - Reserved (5Ah-filled)
40h R/W Volume Level (00h..1Fh) ;\nonvolatile!
41h R/W Backlight Level (00h..04h) ;/
42h-5Fh - Reserved (5Ah-filled)
60h ?? Unknown (00h) FFh: Disable I2C reading, and Purple Power LED?
61h R Unknown (01h)
62h R Unknown (50h)
63h R/W Unknown (00h) FFh: Purple Power LED (red+blue on)
64h-6Fh - Reserved (5Ah-filled)
70h R/W Bootflag (00h=Coldboot, 01h=Warmboot/SkipHealthSafety)
71h R/W Unknown (00h)
72h-77h R/W Unknown (00h-filled)
78h-7Fh - Reserved (5Ah-filled)
80h R/W Unknown (10h)
81h R/W Unknown (64h)
82h-FFh - Reserved (5Ah-filled)
|
Forced volume (for alerts) (ie. alternately to current "user volume") |
Short tap --> reset (warmboot, go to DSi menu, without health and safety) Hold 1 second --> power-off |
Auto-Reset (used for NDS games) IRQ (supposed to be used with Manual-Reset) (used for DSi games) Forced Power-off (for games which fail to handle the IRQ within 5 seconds) |
0x10 1 Power flags. When bit0 is set, arm7 does a system reset.
When bit1 or bit3 are set, arm7 does a shutdown. Bits 0-2
are used for DSi IRQ6 IF flags (uh, rather IF2 maybe?).
0x20 1 Battery flags. When zero the battery is at critical level,
arm7 does a shutdown. Bit7 is set when the battery is
charging. Battery levels in the low 4-bits: battery icon
bars full 0xF, 3 bars 0xB, 2 bars 0x7, one solid red bar
0x3, and one blinking red bar 0x1. When plugging in or
removing recharge cord, this value increases/decreases
between the real battery level and 0xF, thus the battery
level while bit7 is set is useless.
|
DSi: Renesas Electronics "BPTWL, KG07K" ;reg[00h]=33h DSiXL: Renesas Electronics "BP UTL-1, KG08" ;reg[00h]=BBh or B7h 3DS: Renesas Electronics "UC CTR" ;reg[00h]=? |
| DSi Autoload on Warmboot |
2000000h Autoload Parameters for newly loaded title ;<-- optional extra 2000300h Autoload via numeric Title ID ;<-- official method 2000800h Autoload via string "device:\path\filename" ;<-- alternate method 2FFD800h Title List (jump-able titles for use at 2000300h) BPTWL[70h].bit0 Warmboot flag ;<-- required flag BPTWL[11h].bit0 Trigger reset ;<-- trigger reset |
2000000h 8 AutoParam Old Title ID (former title) ;carthdr[230h] 2000008h 1 AutoParam Unknown/Unused 2000009h 1 AutoParam Flags (03h=Stuff is used?) 200000Ah 2 AutoParam Old Maker code ;carthdr[010h] 200000Ch 2 AutoParam Unknown (02ECh) ;\counter/length/indices/whatever? 200000Eh 2 AutoParam Unknown (0000h) ;/ 2000010h 2 AutoParam CRC16 on [000h..2FFh], initial=FFFFh, [010h]=0000h 2000012h 2 AutoParam Unknown/Unused (000Fh = want Internet Settings?) 2000014h 2ECh AutoParam Unknown... some buffer... string maybe? |
2000300h 4 AutoLoad ID ("TLNC")
2000304h 1 AutoLoad Unknown/unused (usually 01h)
2000305h 1 AutoLoad Length of data at 2000308h (01h..18h,for CRC,18h=norm)
2000306h 2 AutoLoad CRC16 of data at 2000308h (with initial value FFFFh)
2000308h 8 AutoLoad Old Title ID (former title) (can be 0=anonymous)
2000310h 8 AutoLoad New Title ID (new title to be started,0=none/launcher)
2000318h 4 AutoLoad Flags (bit0, 1-3, 4, 5,6,7) ;usually 16bit, once 32bit
200031Ch 4 AutoLoad Unused (but part of checksummed area when CRC len=18h)
2000320h E0h AutoLoad Unused (but zerofilled upon erasing autoload area)
|
0 IsValid (somehow enables/disables HealthSafety when TitleID is wrong?) 1-3 Boottype (01h=Cartridge, 02h=Landing, 03h=DSiware) (see below) 4 Unknown 5 Unknown 6 LoadCompl (causes some error when set) (loading completed flag?) 7 Unknown 8-15 Unused 16-31 Unused (usually not accessed at all, with normal 16bit reads) |
01h = Cartridge (with NewTitleID) (with RSA signed header, or Whitelisted)
02h = Landing ("nand:/tmp/jump.app") (with RSA signed DownloadPlay footer)
03h = DSiware (with NewTitleID) (with RSA signed header)
|
2000800h 12 Unlaunch Auto-load ID ("AutoLoadInfo")
200080Ch 2 Unlaunch Length for CRC16 (fixed, must be 3F0h)
200080Eh 2 Unlaunch CRC16 (across 2000810h..2000BFFh, initial value FFFFh)
2000810h 4 Unlaunch Flags
2000814h 2 Unlaunch Upper screen BG color (0..7FFFh)
2000816h 2 Unlaunch Lower screen BG color (0..7FFFh)
2000818h 20h Unlaunch Reserved (zero)
2000838h 208h Unlaunch Device:/Path/Filename.ext (16bit Unicode,end by 0000h)
2000A40h 1C0h Unlaunch Reserved (zero)
|
0 Load the title at 2000838h 1 Use colors 2000814h (use if loaded title is KNOWN to use such colors) 2-31 Reserved (zero) |
"nand:/path/name.ext",0000h File on 1st partition of internal eMMC "sdmc:/path/name.ext",0000h File on 1st partition of external SD/MMC "cart:",0000h ROM cartridge (in NDS cartridge slot) "menu:",0000h Force starting unlaunch filemenu "sett:",0000h Force starting unlaunch options menu "wifi:",0000h Force starting unlaunch wifiboot overlay |
2FFD800h 1 Titles: Number of titles in below lists (max 76h) 2FFD801h 0Fh Titles: Zerofilled 2FFD810h 10h Titles: Pub Flags (1bit each) ;same maker plus public.sav 2FFD820h 10h Titles: Prv Flags (1bit each) ;same maker plus private.sav 2FFD830h 10h Titles: Jmp Flags (1bit each) ;jumpable or current-title 2FFD840h 10h Titles: Mkr Flags (1bit each) ;same maker 2FFD850h 3B0h Titles: Title IDs (8 bytes each) |
[010h].bit0-15 Maker (must match current title for Mkr Flags) [01Dh].bir0 Jump (must be set for Jmp Flags) [230h].bit0-63 Title ID (must be nonzero for being listed) [238h].bit0-31 Public.sav size (must be nonzero for Pub Flags) [23Ch].bit0-31 Private.sav size (must be nonzero for Prv Flags) |
00030015484E42xxh ;System Settings 00030005484E4441h ;DS Download Play 00030005484E4541h ;Pictochat 00030004484E47xxh ;Nintendo DSi Browser (if installed) |
| DSi Aptina Camera Initialization |
AptWr ,0001Ah,00003h ;RESET_AND_MISC_CONTROL (issue reset) ;\reset
AptWr ,0001Ah,00000h ;RESET_AND_MISC_CONTROL (release reset) ;/
AptWr ,00018h,04028h ;STANDBY_CONTROL (wakeup) ;\
AptWr ,0001Eh,00201h ;PAD_SLEW ; wakeup
AptWr ,00016h,042DFh ;CLOCKS_CONTROL ;
AptWaitClr,00018h,04000h ;STANDBY_CONTROL (wait for WakeupDone) ;
AptWaitSet,0301Ah,00004h ;UNDOC_CORE_301A (wait for WakeupDone) ;/
AptWrMcu ,002F0h,00000h ;UNDOC! RAM?
AptWrMcu ,002F2h,00210h ;UNDOC! RAM?
AptWrMcu ,002F4h,0001Ah ;UNDOC! RAM?
AptWrMcu ,02145h,002F4h ;UNDOC! SEQ?
AptWrMcu ,0A134h, 001h ;UNDOC! SEQ?
AptSetMcu ,0A115h, 002h ;SEQ_CAP_MODE (set bit1=video)
AptWrMcu ,02755h,00002h ;MODE_OUTPUT_FORMAT_A (bit5=0=YUV) ;\select
AptWrMcu ,02757h,00002h ;MODE_OUTPUT_FORMAT_B ;/YUV mode
AptWr ,00014h,02145h ;PLL_CONTROL ;\
AptWr ,00010h,00111h ;PLL_DIVIDERS ; match
AptWr ,00012h,00000h ;PLL_P_DIVIDERS ; PLL
AptWr ,00014h,0244Bh ;PLL_CONTROL ; to DSi
AptWr ,00014h,0304Bh ;PLL_CONTROL ; timings
AptWaitSet,00014h,08000h ;PLL_CONTROL (wait for PLL Lock okay) ;
AptClr ,00014h,00001h ;PLL_CONTROL (disable PLL Bypass) ;/
AptWrMcu ,02703h,00100h ;MODE_OUTPUT_WIDTH_A ;\Size A
AptWrMcu ,02705h,000C0h ;MODE_OUTPUT_HEIGHT_A ;/ 256x192
AptWrMcu ,02707h,00280h ;MODE_OUTPUT_WIDTH_B ;\Size B
AptWrMcu ,02709h,001E0h ;MODE_OUTPUT_HEIGHT_B ;/ 640x480
AptWrMcu ,02715h,00001h ;MODE_SENSOR_ROW_SPEED_A ;\
AptWrMcu ,02719h,0001Ah ;MODE_SENSOR_FINE_CORRECTION_A ;
AptWrMcu ,0271Bh,0006Bh ;MODE_SENSOR_FINE_IT_MIN_A ; Sensor A
AptWrMcu ,0271Dh,0006Bh ;MODE_SENSOR_FINE_IT_MAX_MARGIN_A ;
AptWrMcu ,0271Fh,002C0h ;MODE_SENSOR_FRAME_LENGTH_A ;
AptWrMcu ,02721h,0034Bh ;MODE_SENSOR_LINE_LENGTH_PCK_A ;/
AptWrMcu ,0A20Bh, 000h ;AE_MIN_INDEX ;\AE min/max
AptWrMcu ,0A20Ch, 006h ;AE_MAX_INDEX ;/
AptWrMcu ,0272Bh,00001h ;MODE_SENSOR_ROW_SPEED_B ;\
AptWrMcu ,0272Fh,0001Ah ;MODE_SENSOR_FINE_CORRECTION_B ;
AptWrMcu ,02731h,0006Bh ;MODE_SENSOR_FINE_IT_MIN_B ; Sensor B
AptWrMcu ,02733h,0006Bh ;MODE_SENSOR_FINE_IT_MAX_MARGIN_B ;
AptWrMcu ,02735h,002C0h ;MODE_SENSOR_FRAME_LENGTH_B ;
AptWrMcu ,02737h,0034Bh ;MODE_SENSOR_LINE_LENGTH_PCK_B ;/
AptSet ,03210h,00008h ;COLOR_PIPELINE_CONTROL (PGA pixel shading..)
AptWrMcu ,0A208h, 000h ;UNDOC! RESERVED_AE_08
AptWrMcu ,0A24Ch, 020h ;AE_TARGETBUFFERSPEED
AptWrMcu ,0A24Fh, 070h ;AE_BASETARGET
If Device=7Ah ;\
AptWrMcu,02717h,00024h ;MODE_SENSOR_READ_MODE_A ; Read Mode
AptWrMcu,0272Dh,00024h ;MODE_SENSOR_READ_MODE_B ; with x-flip
Else (xflip) ; on internal
AptWrMcu,02717h,00025h ;MODE_SENSOR_READ_MODE_A ; camera
AptWrMcu,0272Dh,00025h ;MODE_SENSOR_READ_MODE_B ;/
If Device=7Ah ;\
AptWrMcu,0A202h, 022h ;AE_WINDOW_POS ;
AptWrMcu,0A203h, 0BBh ;AE_WINDOW_SIZE ;
Else (?) ;
AptWrMcu,0A202h, 000h ;AE_WINDOW_POS ;
AptWrMcu,0A203h, 0FFh ;AE_WINDOW_SIZE ;/
AptSet ,00016h,00020h ;CLOCKS_CONTROL (set bit5=1, reserved)
AptWrMcu ,0A115h, 072h ;SEQ_CAP_MODE (was already manipulated above)
AptWrMcu ,0A11Fh, 001h ;SEQ_PREVIEW_1_AWB ;\
If Device=7Ah ;
AptWr ,0326Ch,00900h ;APERTURE_PARAMETERS ;
AptWrMcu,0AB22h, 001h ;HG_LL_APCORR1 ;
Else (?) ;
AptWr ,0326Ch,01000h ;APERTURE_PARAMETERS ;
AptWrMcu,0AB22h, 002h ;HG_LL_APCORR1 ;/
AptWrMcu ,0A103h, 006h ;SEQ_CMD (06h=RefreshMode)
AptWaitMcuClr,0A103h, 00Fh ;SEQ_CMD (wait above to become ZERO)
AptWrMcu ,0A103h, 005h ;SEQ_CMD (05h=Refresh)
AptWaitMcuClr,0A103h, 00Fh ;SEQ_CMD (wait above to become ZERO)
|
AptClr ,00018h,00001h ;STANDBY_CONTROL (bit0=0=wakeup) ;\ AptWaitClr,00018h,04000h ;STANDBY_CONTROL (wait for WakeupDone) ; Wakeup AptWaitSet,0301Ah,00004h ;UNDOC_CORE_301A (wait for WakeupDone) ;/ AptWr ,03012h,000xxh ;COARSE_INTEGRATION_TIME (Y Time) AptSet ,0001Ah,00200h ;RESET_AND_MISC_CONTROL (Parallel On) ;-Data on |
AptClr ,0001Ah,00200h ;RESET_AND_MISC_CONTROL (Parallel Off) ;-Data off AptSet ,00018h,00001h ;STANDBY_CONTROL (set bit0=1=Standby) ;\ AptWaitSet,00018h,04000h ;STANDBY_CONTROL (wait for StandbyDone) ; Standby AptWaitClr,0301Ah,00004h ;UNDOC_CORE_301A (wait for StandbyDone) ;/ |
| DSi Aptina Camera Registers: SYSCTL (0000h-0051h) |
0000h 2 CHIP_VERSION_REG Model ID (2580h=MT9D113) (R)
0006h .. RESERVED_SYSCTL_06 Reserved
0010h 2 PLL_DIVIDERS PLL Dividers (def=0366h)
0-7 PLL M-Divider value (uh, actually a Multiplier?!)
8-13 PLL N-Divider value
14-15 Unused (0)
Because the input clock frequency is unknown, the sensor starts
up with the PLL disabled. The PLL takes time to power up. During
this time, the behavior of its output clock signal is not
guaranteed. The PLL output frequency is determined by two
constants, M and N, and the input clock frequency.
VCO = Fin * 2 * M / (N+1)
PLL_output_frequency = VCO / (P1+1)
The PLL can generate a master clock signal whose frequency is up
to 85 MHz (input clock from 6 MHz through 54 MHz).
0012h 2 PLL_P_DIVIDERS PLL P Dividers (def=00F5h)
0-3 P1 (00h..0Fh)
4-7 Unspecified
8-11 P3 (00h..0Fh)
12-13 Division ratio of word clock/clockn from bit_clock (0..3)
14 Unused (0)
15 Unspecified
0014h 2 PLL_CONTROL PLL Control (def=21F9h)
0 PLL Bypass
1 PLL Enable
2-3 Reserved (0..3)
4-7 Reserved (0..0Fh)
8 Reset_cntr
9 Reserved
10 Reserved
11 Reserved
12 Reserved
13 Reserved
14 Unused (0)
15 PLL Lock (R)
0016h 2 CLOCKS_CONTROL Clocks Control
0 Reserved
1 Reserved
2 Reserved
3 Reserved
4 Reserved
5 Reserved/UNDOC/USED (manipulated by DSi)
6 Reserved
7 Reserved
8 Reserved
9 clk_clkin_en
11-12 Reserved
13 Reserved
15 Reserved
0018h 2 STANDBY_CONTROL Standby Control and Status (def=4029h)
0 Ship (uh?) (0=Enable various regs, 1=Standby)
1 Reserved
2 Stop MCU
3 en_IRQ
4 Reserved
5 Reserved
6-13 Unused (0)
14 Standby_done (0=WakeupDone, 1=StandbyDone) (R?)
(takes MUCH time?)
15 Reserved (R)
001Ah 2 RESET_AND_MISC_CONTROL Reset and Control (def=0050h) (0-0333h)
0 Reset SOC I2C
1 MIPI_TX_Reset
2 Unused (0)
3 MIPI_TX_en (=Serial Data?)
4 IP_PD_en (=Parallel Data or what?)
5 Reserved
6 Sensor_full_res
7 Unused (0)
8 OE_N_Enable
9 Parallel_enable (=Parallel Data?)
10 Unused (0)
11 Reserved
12-15 Unused (0)
001Ch 2 MCU_BOOT_MODE MCU Boot Mode
0 Reset MCU
1 Reserved
2 Reserved
3 Reserved
4-7 Reserved (0..0Fh)
8-15 Reserved (0..FFh) (R)
001Eh 2 PAD_SLEW Pad Slew Control (def=0400h)
0-2 Parallel Data Output Slew Rate Control (0-7)
3 Unused (0)
4-6 GPIO Slew Rate Control (0-7)
7 Unused (0)
8-10 PCLK aka PXLCLK Slew Rate Control (0-7)
11-15 Unused (0)
0020h .. RESERVED_SYSCTL_20 Reserved
0022h 2 VDD_DIS_COUNTER VDD_DIS_COUNTER (0..FFFFh, def=0438h)
0024h 2 GPI_STATUS GPI_STATUS (0..000Fh) (R)
0026h .. RESERVED_SYSCTL_26 Reserved
0028h 2 EN_VDD_DIS_SOFT EN_VDD_DIS_SOFT (0..0001h, def=0001h)
0050h .. RESERVED_SYSCTL_50 Reserved
|
| DSi Aptina Camera Registers: RX_SS, FUSE, XDMA (0100h-099Fh) |
0100h .. RESERVED_RX_SS_100 Reserved 0102h 2 TEST_PXL_RED Test Pixel Red ;\Default value is 1FFh 0104h 2 TEST_PXL_G1 Test Pixel Green1 ; for Gray Flat Field 0106h 2 TEST_PXL_G2 Test Pixel Green2 ; (0..03FFh, def=01FFh) 0108h 2 TEST_PXL_BLUE Test Pixel Blue ;/ 010Ah .. RESERVED_RX_SS_10A-116 Reserved |
0800h .. RESERVED_FUSE_ROM_800-81E Reserved |
0982h .. RESERVED_XDMA_982 Reserved
098Ch 2 MCU_ADDRESS MCU Address (0000h..FFFFh)
0-7 driver_variable (0..FFh)
8-12 driver_id (0..1Fh) (eg. 3=AWB, 7=MODE, etc.)
13-14 address space (0=Physical/RAM/SFR, 1=Logical/Variables)
15 access_8_bit (0=16bit, 1=8bit; converted to 16bit)
0990h 8x2 MCU_DATA_0-7 MCU Data 0..7 (8 x 16bit)
|
| DSi Aptina Camera Registers: CORE (3000h-31FFh, 38xxh) |
3000h .. RESERVED_CORE_3000 Reserved (same as CHIP_VERSION_REG)
3002h 2 Y_ADDR_START Y1 ;\Image Position/Size ;def=0004h
3004h 2 X_ADDR_START X1 ; (up to including ;def=0004h
3006h 2 Y_ADDR_END Y2 ; X2,Y2) (0-07FFh) ;def=04BBh
3008h 2 X_ADDR_END X2 ;/ ;def=064Bh
300Ah 2 FRAME_LENGTH_LINES Y Total ;\Total X/Y Size with ;def=0512h
300Ch 2 LINE_LENGTH_PCK X Total ;/blanking (0..FFFFh) ;def=0886h
3010h .. RESERVED_CORE_3010 Reserved
3012h 2 COARSE_INTEGRATION_TIME Y Time ;\Integration Time in ;def=0010h
3014h 2 FINE_INTEGRATION_TIME X Time ;/lines/pix (0..FFFFh);def=00F6h
3016h 2 ROW_SPEED Row Speed (def=0111h)
0-2 Pixclk_speed (0..7)
3 Unused (0)
4-6 Reserved
7 Unused (0)
8-10 Reserved
11-15 Unused (0)
3018h .. RESERVED_CORE_3018-3019 Reserved
301Ah UNDOC_CORE_301A Undocumented Status Reg (mask=D7FFh)
0-1 Unspecified
2 Undoc/USED (1=WakeupDone) (opposite of 0018h.bit14)
3-4 Unspecified
5 Whatever "demo_system, version_reg_write, value=1"
6-8 Unspecified
9 Mask_corrupted_frames (alias of 3022h.bit0)
10 Unspecified
11 Unused (0)
12 Unspecified
13 Unused (0)
14 Unspecified
15 Grouped_parameter_hold (alias of 3022h.bit8)
301Ch .. RESERVED_CORE_301C-3020 Reserved
3022h 2 GROUPED_PARAMETER_HOLD_MASK_CORRUPTED_FRAMES
0 Mask_corrupted_frames (alias of Reg 301Ah.bit9)
1-7 Unused (0)
8 Grouped_parameter_hold (alias of Reg 301Ah.bit15)
9-15 Unused (0)
3024h 2 PIXEL_ORDER Pixel Order (mask=0300h, 0..0300h) (R)
3026h .. RESERVED_CORE_3026 Reserved
3028h 2 ANALOGUE_GAIN_CODE_GLOBAL Analog Global ;\
302Ah 2 ANALOGUE_GAIN_CODE_GREENR Analog GreenR ; Analogue Gain Codes
302Ch 2 ANALOGUE_GAIN_CODE_RED Analog Red ; with 3bit fraction
302Eh 2 ANALOGUE_GAIN_CODE_BLUE Analog Blue ; (0..007Fh, def=000Bh)
3030h 2 ANALOGUE_GAIN_CODE_GREENB Analog GreenB ;/
3032h 2 DIGITAL_GAIN_GREENR Digital GreenR ;\Digital Gain with
3034h 2 DIGITAL_GAIN_RED Digital Red ; 8bit dummy-fraction
3036h 2 DIGITAL_GAIN_BLUE Digital Blue ; (bit8-10=Gain, 0..7)
3038h 2 DIGITAL_GAIN_GREENB Digital GreenB ;/(mask=0700h,def=100h)
303Ah .. RESERVED_CORE_303A-3C Reserved
3040h 2 READ_MODE Read Mode (0-DEFFh, def=0024h)
0 horiz_mirror
1 vert_flip
2-4 y_odd_inc (0..7)
5-7 x_odd_inc (0..7)
8 Unused (0)
9 low_power
10 xy_bin_en
11 x_bin_en
12 bin_sum (Enable summing mode for binning)
13 read_mode_y_sumen
14 Reserved
15 Reserved
3044h .. RESERVED_CORE_3044-3048 Reserved
304Ah 2 OTPM_CONTROL One-time Programmable Memory? Control
0 auto_wr_start ;\
1 auto_wr_end (finished) (R) ; automatic write sequence
2 auto_wr_success (okay) (R) ;/
3 unspecified
4 auto_rd_start ;\
5 auto_rd_end (finished) (R) ; automatic read sequence
6 auto_rd_success (okay) (R) ;/
7-15 Unused (0)
3050h .. RESERVED_CORE_3050-3054 Reserved
3056h 2 GREEN1_GAIN Gain Green1 ;\
3058h 2 BLUE_GAIN Gain Blue ; Gain Values
305Ah 2 RED_GAIN Gain Red ; (0..0FFFh,
305Ch 2 GREEN2_GAIN Gain Green2 ; def=022Ch)
0-6 Initial Gain (0..7Fh, with 5bit fraction) ;
7-8 Analog Gain (0..3) (bit8+1)*(bit7+1)*(initial_gain/32)
9-11 Digital Gain (1..7) ;
12-15 Unused (0) ;/
305Eh .. RESERVED_CORE_305E-31DF Reserved
31E0h 2 UNDOC_CORE_31E0 (mask=E003h, 0..8001h, def=0001h) USED!
Used by DSi (set to 0001h) (reportedly "PIX_DEF_ID")
31E2h .. RESERVED_CORE_31E2-31F9 Reserved
31FAh 2 UNDOC_CORE_31FA Whatever (mask=FFFFh, def=CDEFh)
0-4 Unspecified
5-11 Whatever "demo_system, version_reg_read, value=3"
12-15 Unspecified
31FCh .. RESERVED_CORE_305E-31FE Reserved
|
3800h .. RESERVED_CORE_3800-3802 Reserved |
| DSi Aptina Camera Registers: SOC1 (3210h-33FDh) |
3210h 2 COLOR_PIPELINE_CONTROL (mask=05B8h, 0..05B0h, def=01B0h)
3 Enable PGA pixel shading correction
All coefficients and other configuration settings
(including other fields in this register) must be set up
before enabling shading correction.
4 Enable 2D aperture correction
5 Enable color correction
7 Enable gamma correction
8 Decimator (1=Enable scale)
10 Reserved
3216h .. RESERVED_SOC1_3216-321A Reserved
321Ch 2 OFIFO_CONTROL_STATUS Ofifo control status 1 (def=0003h)
0-3 txfifo_bypass
(0=tx_fifo, 1=sensor, 2=sam observe, 3=cpipe format,
4=test walking ones cpipe frequency,
5=test walking ones sensor frequency,
6=RESERVED, 7=test PIXCLK, 8..F=Unspecified)
4-6 Unused (0)
7 sensor_bypass (0=cpipe, 1=sensor)
8 Reserved
9 Reserved
10 Reserved
11 Reserved
12 Reserved (R)
13 Reserved (R)
14 Reserved (R)
15 Reserved (R)
321Eh 2 OFIFO_CONTROL_STATUS_2 Ofifo control status 2 (def=0010h)
0-9 Reserved (0..3FFh)
10 Disable PV output clock during blank (1=disable)
11-15 Reserved (0..1Fh)
3220h .. RESERVED_SOC1_3220 Reserved
3222h 2 LOWER_X_BOUND_ZOOM_WINDOW Lower X ;def=? ;\Zoom Window
3224h 2 UPPER_X_BOUND_ZOOM_WINDOW Upper X ;def=063Fh ; Boundaries
3226h 2 LOWER_Y_BOUND_ZOOM_WINDOW Lower Y ;def=? ; (0..07FFh)
3228h 2 UPPER_Y_BOUND_ZOOM_WINDOW Upper Y ;def=04AFh ;/
322Ah 2 UNDOC_SOC1_322A (mask=0016h, 0..0016h) USED by DSi!
322Ch 2 WEIGHT_HORIZ_DECIMATION Scaling Weight X ;\Scaling Weight X,Y
322Eh 2 WEIGHT_VERTICAL_DECIMATION Scaling Weight Y ;/(0..0FFFh, def=800h)
323Eh 2 UNDOC_SOC1_323E (0..FFFFh, def=1A2Dh) (DSi: C22Ch)
3240h 2 UNDOC_SOC1_3240 (0..FFFFh, def=C814h) (DSi: 6214h)
3242h .. RESERVED_SOC1_3242 Reserved
3244h 2 UNDOC_SOC1_3244 (mask=03FFh, range=0..00FFh?, def=0310)
3254h .. RESERVED_SOC1_3254-326A Reserved
326Ch 2 APERTURE_PARAMETERS Aperture Params (0..7FFFh, def=0A08h)
0-7 2D aperture threshold (knee) (00h-FFh)
8-10 2D aperture gain (0-7)
11-13 2D aperture gain's exponent (0-7)
14 Abs (1=force aperture gain be positive)
15 Unused (0)
326Eh .. RESERVED_SOC1_326E-3276 Reserved
327Ah 2 BLACK_LEVEL_1ST_RED Offset Red ;\Offsets subtracted
327Ch 2 BLACK_LEVEL_1ST_GREEN1 Offset Green1 ; from RGB pixels
327Eh 2 BLACK_LEVEL_1ST_GREEN2 Offset Green2 ; (0000-01FFh/03FFh,
3280h 2 BLACK_LEVEL_1ST_BLUE Offset Blue ;/def=002Ah)
328Eh 2 THRESH_EDGE_DETECT Demosaic Edge Threshold (def=000Ch)
3290h 2 TEST_PATTERN Test Pattern Enable/Width
0-4 Unused (0)
5 en_walk_ones_tp Enable Test Pattern (0=disable, 1=enable)
6 walk_ones_10 Pattern Width (0=8-bit, 1=10-bit)
7-15 Unused (0)
329Eh .. RESERVED_SOC1_329E-32A0 Reserved
32C0h 2 COLOR_CORR_MATRIX_SCALE_14 Exponents C11..C22 (0-7FFFh, def=3923h)
32C2h 2 COLOR_CORR_MATRIX_SCALE_11 Exponents C23..C33 (0-0FFFh, def=0724h)
32C4h 2 COLOR_CORR_MATRIX_1_2 Elements C11=LSB, C12=MSB (def=7DCCh)
32C6h 2 COLOR_CORR_MATRIX_3_4 Elements C13=LSB, C21=MSB (def=2711h)
32C8h 2 COLOR_CORR_MATRIX_5_6 Elements C22=LSB, C23=MSB (def=62E5h)
32CAh 2 COLOR_CORR_MATRIX_7_8 Elements C31=LSB, C32=MSB (def=690Dh)
32CCh 2 COLOR_CORR_MATRIX_9 Element C33=LSB, Signs=MSB (def=2DCDh)
32D4h 2 DIGITAL_GAIN_1_RED Gain for Red channel ;\Digital Gain1
32D6h 2 DIGITAL_GAIN_1_GREEN1 Gain for Green1 channel ; (mul 128,
32D8h 2 DIGITAL_GAIN_1_GREEN2 Gain for Green2 channel ; 0000h..03FFh,
32DAh 2 DIGITAL_GAIN_1_BLUE Gain for Blue channel ;/def=0080h)
32F4h .. RESERVED_SOC1_32F4-332E Reserved
3330h 2 OUTPUT_FORMAT_TEST OUTPUT_FORMAT_TEST (0..0FFFh)
0 Disable Cr channel
1 Disable Y channel
2 Disable Cb channel
3-5 Test ramp output
6 8+2 bypass
7 Reserved
8 Enable Lens Correction Bypass
9 Reserved
10 Reserved
11 Reserved
12-15 Unused (0)
3332h .. RESERVED_SOC1_3332-334A Reserved
337Ch 2 YUV_YCBCR_CONTROL YUV_YCBCR_CONTROL (0..000Fh, def=0006h)
0 Mult_y_uv (normalize Y in 16-235; U and V in 16-240)
1 Coefficient control
2 Add 128 to U and V
3 Clip Y in 16-235; U and V in 16-240
4-15 Unused (0)
337Eh 2 Y_RGB_OFFSET Y_RGB Offset
0-7 Reserved (0..FFh)
8-15 Y offset (0..FFh)
33E6h .. RESERVED_SOC1_33E6-33EE Reserved
33F4h 2 KERNEL_CONFIG Kernel Config (0..01FFh, def=0003h)
0 Defect correction (DC) enable
1 Reserved
2 Reserved
3 Noise reduction (NR) enable
4 Reserved
5 Reserved
6 Reserved
7 Reserved
8 Reserved
33F6h .. RESERVED_SOC1_33F6-33FC Reserved
|
| DSi Aptina Camera Registers: SOC2 (3400h-3729h) |
3400h 2 MIPI_CONTROL MIPI_Control (def=782Eh)
0 MIPI restart enable
1 MIPI standby
2 Continuous MIPI clock
3 Frame boundary sync bit (R)
4 Wait until eof to react to standby
5 Reserved
6-8 MIPI channel number
9 Unused (0) or Reserved (REV3)
10-15 Data Type (1Eh=YUV422_8bit, 20h=RGB444, 21h=RGB555,
22h=RGB565, 2Ah=RAW8, 2Bh=RAW10)
3402h 2 MIPI_STATUS MIPI_Status (def=0011h)
0 MIPI in standby (R)
1-3 Unused (0)
4 MIPI aka MIPICCP idle (R)
5 MIPI ready to receive data (R)
6-8 Unused (0)
9 Reserved (R)
10 Reserved (R)
11 Reserved
12 Reserved
13-15 Unused (0)
3404h 2 CUSTOM_SHORT_PKT MIPI_Custom_Short_Packet (0000h-3F00h)
0-5 Unused (0)
6 frame_cnt_reset (sent in frame start/end short packets)
7 frame_cnt_en (Insert frame counter value in WC field)
8-10 custom_short_packet_data_type
11 custom_short_packet_request
12 custom_short_packet_frame_sync
13 custom_short_packet_reset (R)
14-15 Unused (0)
3408h 2 LINE_BYTE_CNT MIPI line byte count (def=0C80h)
340Ch 2 CUSTOM_SHORT_PKT_WC WC field of a custom short packet
340Eh .. RESERVED_SOC2_340E-341A Reserved
3580h 2 AE_ZONE_X AE Window/Zone X (def=1300h)
0-7: ae_zone_x_start (00h..FFh) (div8) ;for WINDOW
8-15: ae_zone_x_width (00h..FFh) (div8, minus 1) ;for each ZONE
3582h 2 AE_ZONE_Y AE Window/Zone Y (def=0E00h)
0-7: ae_zone_y_start (00h..FFh) (div8) ;for WINDOW
8-15: ae_zone_y_width (00h..FFh) (div8, minus 1) ;for each ZONE
3584h 2 AE_WINDOW_SIZE_LO LSBs ;\Size of each AE zone in pixels
3586h 2 AE_WINDOW_SIZE_HI MSBs ;/(0..0001FFFFh, def=000x4B00h ?)
3588h .. RESERVED_SOC2_3588-35AE Reserved
35B0h UNDOC_SOC2_35B0 (mask=FFFFh, 0..FFFFh, def=05FAh) USED!
35B2h .. RESERVED_SOC2_35B2-3602 Reserved
3604h 20 R_GAMMA_CURVE_KNEES_0-18 Red Gamma Curve Knees 0..18 (1B00h,..)
3618h 20 G_GAMMA_CURVE_KNEES_0-18 Green Gamma Curve Knees 0..18 (1B00h,..)
362Ch 20 B_GAMMA_CURVE_KNEES_0-18 Blue Gamma Curve Knees 0..18 (1B00h,..)
Above 20-byte knees consist of ten 16bit values (Knee0 in LSB)
Due to the 16bit-big-endian format, the byte-order is:
Knee1,Knee0,Knee3,Knee2,...,Knee17,Knee16,UNUSED,Knee18
3640h .. RESERVED_SOC2_3640 Reserved
3642h 2 POLY_ORIGIN_R Center Row (max 07FFh, def=025Ch)
3644h 2 POLY_ORIGIN_C Center Column (max 07FFh, def=0324h)
3646h .. RESERVED_SOC2_3646-364C Reserved
364Eh 5x2 P_GR_P0Q0-4 P0Q for Green1 ;\P0 Coefficients
3658h 5x2 P_RD_P0Q0-4 P0Q for Red ; (5 x float16 each)
3662h 5x2 P_BL_P0Q0-4 P0Q for Blue ; (0010h,... each)
366Ch 5x2 P_GB_P0Q0-4 P0Q for Green2 ;/
3676h 5x2 P_GR_P1Q0-4 P1Q for Green1 ;\
3680h 5x2 P_RD_P1Q0-4 P1Q for Red ; P1 Coefficients
368Ah 5x2 P_BL_P1Q0-4 P1Q for Blue ; (5 x float16 each)
3694h 5x2 P_GB_P1Q0-4 P1Q for Green2 ;/
369Eh 5x2 P_GR_P2Q0-4 P2Q for Green1 ;\
36A8h 5x2 P_RD_P2Q0-4 P2Q for Red ; P2 Coefficients
36B2h 5x2 P_BL_P2Q0-4 P2Q for Blue ; (5 x float16 each)
36BCh 5x2 P_GB_P2Q0-4 P2Q for Green2 ;/
36C6h 5x2 P_GR_P3Q0-4 P3Q for Green1 ;\
36D0h 5x2 P_RD_P3Q0-4 P3Q for Red ; P3 Coefficients
36DAh 5x2 P_BL_P3Q0-4 P3Q for Blue ; (5 x float16 each)
36E4h 5x2 P_GB_P3Q0-4 P3Q for Green2 ;/
36EEh 5x2 P_GR_P4Q0-4 P4Q for Green1 ;\
36F8h 5x2 P_RD_P4Q0-4 P4Q for Red ; P4 Coefficients
3702h 5x2 P_BL_P4Q0-4 P4Q for Blue ; (5 x float16 each)
370Ch 5x2 P_GB_P4Q0-4 P4Q for Green2 ;/
3716h .. RESERVED_SOC2_3716-3278 Reserved
|
| DSi Aptina Camera Variables: RAM/SFR/MON (GPIO/Monitor) (MCU:0000h-20xxh) |
02F0h 2 UNDOC_RAM_02F0 (set to 0000h by DSi games) 02F2h 2 UNDOC_RAM_02F2 (set to 0210h by DSi games) 02F4h 2 UNDOC_RAM_02F4 (set to 001Ah by DSi games) |
1040h .. RESERVED_SFR_1040-1050 Reserved
1060h .. RESERVED_SFR_1060-1066 Reserved (REV3)
1070h 2 GPIO_DATA GPIO Data (0..1E00h)
0-8 Unused (0)
9-12 gpio_3_0_data
13-15 Unused (0)
1072h 2 RESERVED_SFR_1072 Reserved
1074h 2 GPIO_OUTPUT_SET GPIO Set (0..0C00h/1E00h?) (W)
0-8 Unused (0)
9-12 gpio_3_0_output_toggle (uh, toggle or set?)
13-15 Unused (0)
1076h 2 GPIO_OUTPUT_CLEAR GPIO Clear (0..0C00h/1E00h?) (W)
0-8 Unused (0)
9-12 gpio_3_0_output_clear
13-15 Unused (0)
1078h 2 GPIO_DIR GPIO Direction (0..1E00h, def=1E00h)
0-8 Unused (0)
9 gpio_0_dir (0=Output, 1=Input) ;(LSB0 of 10bit Output)
10 gpio_1_dir (0=Output, 1=Input) ;(LSB1 of 10bit Output)
11 gpio_2_dir (0=Output, 1=Input) ;(Flash/Shutter Pulse)
12 gpio_3_dir (0=Output, 1=Input) ;(OE_BAR for Databus)
13-15 Unused (0)
107Ah .. RESERVED_SFR_107A-10FD Reserved
|
2000h 5 RESERVED_MON_00-04 Reserved
2005h 1 MON_CMD Monitor Command (0..FFh)
2006h 2 MON_ARG1 Monitor First Argument (0..FFFFh)
2008h .. RESERVED_MON_08-22 Reserved
2024h 2 MON_PATCH_ID_0 Monitor First Patch (0..FFFFh) (REV1)
0-7 mon_patch_0_version (00h-0Fh)
The version number of the first patch (R)
8-15 mon_patch_0_number (00h-0Fh)
Identifies which patch the first patch is (R)
2024h 1 MON_PATCH_ID_0 (mask=FFh) (R) ;\unlike above (REV3)
2025h 1 MON_PATCH_ID_1 (0..FF) ;/REV1 specs (REV3)
2026h 1 MON_PATCH_ID_2 (0..FF) (REV3)
2027h 1 RESERVED_MON_27 Reserved (REV3)
|
| DSi Aptina Camera Variables: SEQ (Sequencer) (MCU:21xxh) |
2100h .. RESERVED_SEQ_00 Reserved
2102h 1 SEQ_MODE SEQ Mode (enables "drivers") (def=0Fh)
0 Enable AE (ID=2)
1 Enable FD (ID=4)
2 Enable AWB (ID=3)
3 Enable HG (ID=11)
4-7 Unspecified
2103h 1 SEQ_CMD SEQ Cmd (0..FFh, def=01h)
0-7 Cmd (0=Run, 1=Preview, 2=Capture, 3=Standby,
4=Lock, 5=Refresh, 6=Refresh Mode)
2104h 1 SEQ_STATE SEQ State (0..FFh)
0-7 State (0=Run, 1=ToPreview, 2=Enter, 3=Preview
4=Leave, 5=ToCapture, 6=Enter, 7=Capture,
8=Leave, 9=Standby)
2105h .. RESERVED_SEQ_05 Reserved
2106h 1 SEQ_FLASHTYPE Type of flash to be used
0-6 Flash Type (0=None, 1=LED, 2=Xenon, 3=XenonBurst)
7 Set flash to LOCK mode (0=Normal, 1=LOCK mode)
2107h .. RESERVED_SEQ_07-08 Reserved
2109h 1 SEQ_AE_FASTBUFF AE Fast Buff (0..FFh, def=10h)
210Ah 1 SEQ_AE_FASTSTEP AE Fast Step (0..FFh, def=02h)
210Bh 1 SEQ_AWB_CONTBUFF AWB Cont Buff (0..FFh, def=08h)
210Ch 1 SEQ_AWB_CONTSTEP AWB Cont Step (0..FFh, def=02h)
210Dh .. RESERVED_SEQ_0D-10 Reserved
2111h 1 SEQ_OPTIONS SEQ Options (0..FFh, def=08h)
0 Reserved
1 Reserved
2 Reserved
3 seq_crop_win_ae, Use crop window for AE statistics
4 seq_crop_win_awb, Use crop window for AWB statistics
7 Reserved
2112h .. RESERVED_SEQ_12 Reserved
2113h 2 SEQ_FLASH_TH SEQ Flash TH (0..FFFFh)
2115h 1 SEQ_CAP_MODE Capture mode (in Capture state only)
0 Xenon Flash (Still Only)
1 Video
2 Turn Flash off before last frame in capture state
4 Video AE on
5 Video AWB on
6 Video HG on
2116h 1 SEQ_CAP_NUMFRAMES Num still frames captured (0..FFh,def=3)
2117h 1 SEQ_PREVIEW_0_AE Preview 0 AE (PREVIEW ENTER) ;\
0-3 AE (0=Off, 1=Fast, 2=Manual, 3=Continuous, 4=MDR) ;
4-7 Unspecified (0..5) (0..0Fh for PREVIEW_2/3) ; Pre-
2118h 1 SEQ_PREVIEW_0_FD Preview 0 FD (PREVIEW ENTER) ; view
0-7 FD (0=Off, 1=Continuous, 2=Manual) ; 0
2119h 1 SEQ_PREVIEW_0_AWB Preview 0 AWB (PREVIEW ENTER) ;
0-7 AWB (0=Off, 1=On) ; PRE-
211Ah 1 SEQ_PREVIEW_0_HG Preview 0 HG (PREVIEW ENTER) ; VIEW
0-7 HG (0=Off, 1=Fast, 2=Manual, 3=Continuous) ; ENTER
211Bh 1 SEQ_PREVIEW_0_FLASH Flash Config (0..FFh) ;
0-6 Flash (0=Off,1=On,2=Locked,3=AutoEvaluate,7=UserDef) ;
7 Reserved ;
211Ch 1 SEQ_PREVIEW_0_SKIPFRAME Skipframe State Config (def=40h) ;
0-3 Unspecified ;
4 Unspecified (except PREVIEW_2: Reserved) ;
5 Skip_led_on ;
6 Skip_state (0=No skip state, 1=Skip state) ;
7 Turn_off_fen ;/
211Dh 1 SEQ_PREVIEW_1_AE ;\ def=01h
211Eh 1 SEQ_PREVIEW_1_FD ; Preview 1 (PREVIEW) def=01h
211Fh 1 SEQ_PREVIEW_1_AWB ; (same as Preview 0, but def=01h
2120h 1 SEQ_PREVIEW_1_HG ; without AE=MDR, def=01h
2121h 1 SEQ_PREVIEW_1_FLASH ; without HG=Manual/Continous)
2122h 1 SEQ_PREVIEW_1_SKIPFRAME ;/ def=N/A
2123h 1 SEQ_PREVIEW_2_AE ;\
2124h 1 SEQ_PREVIEW_2_FD ; Preview 2 (PREVIEW LEAVE)
2125h 1 SEQ_PREVIEW_2_AWB ; (same as Preview 0, but
2126h 1 SEQ_PREVIEW_2_HG ; without HG=Manual/Continous)
2127h 1 SEQ_PREVIEW_2_FLASH ;
2128h 1 SEQ_PREVIEW_2_SKIPFRAME ;/
2129h 1 SEQ_PREVIEW_3_AE ;\
212Ah 1 SEQ_PREVIEW_3_FD ; Preview 3 (CAPTURE ENTER)
212Bh 1 SEQ_PREVIEW_3_AWB ; (same as Preview 0)
212Ch 1 SEQ_PREVIEW_3_HG ;
212Dh 1 SEQ_PREVIEW_3_FLASH ;
212Eh 1 SEQ_PREVIEW_3_SKIPFRAME ;/
212Fh .. RESERVED_SEQ_2F-33 Reserved
2134h 1 UNDOC_SEQ_34 (0..FFh)
2135h .. RESERVED_SEQ_35-44 Reserved
2145h 2 UNDOC_SEQ_45 (0..FFFFh)
2147h .. RESERVED_SEQ_47-59 Reserved
|
| DSi Aptina Camera Variables: AE (Auto Exposure) (MCU:22xxh) |
2200h .. RESERVED_AE_00 Reserved
2202h 1 AE_WINDOW_POS AE Window Position Y0 and X0
0-3 X0 (in units of 1/16th of frame width) (0..0Fh)
4-7 Y0 (in units of 1/16th of frame height) (0..0Fh)
2203h 1 AE_WINDOW_SIZE AE Window Height and Width (def=FFh)
0-3 Width (units of 1/16th of frame width, minus 1) (0..0Fh)
4-7 Height (units of 1/16th of frame height, minus 1) (0..0Fh)
2204h .. RESERVED_AE_04 Reserved
2206h 1 AE_TARGET AE Target Brightness (0..FFh, def=32h)
2207h 1 AE_GATE AE Sensitivity (0..FFh, def=04h)
2208h .. UNDOC_AE_08 (0..FFh, def=02h)
2209h .. RESERVED_AE_09-0A Reserved
220Bh 1 AE_MIN_INDEX Min (0-FFh)
220Ch 1 AE_MAX_INDEX Max allowed zone number (0-FFh,def=18h)
220Dh 1 AE_MIN_VIRTGAIN Min allowed virtual gain (0-FFh,def=10h)
220Eh 1 AE_MAX_VIRTGAIN Max allowed virtual gain (0-FFh,def=80h)
220Fh .. RESERVED_AE_0F-11 Reserved
2212h 2 AE_MAX_DGAIN_AE1 Max digital gain pre-LC (def=8000h)
2214h .. RESERVED_AE_14-16 Reserved
2217h 1 AE_STATUS AE Status
0 AE_at_limit (1=AE reached limit)
1 R9_changed (1=Need to skip frame)
2 Ready (0=AE not ready, 1=AE ready)
3-7 Unused (0)
2218h 1 AE_CURRENT_Y Last measured luma (0-FFh,def=4Bh) (R)
2219h 2 AE_R12 Curr shutter delay (def=0279h) (R)
221Bh 1 AE_INDEX Curr zone integration time (def=04h) (R)
221Ch 1 AE_VIRTGAIN Curr virtual gain (0-FFh,def=10h) (R)
221Dh .. RESERVED_AE_1D-1E Reserved
221Fh 2 AE_DGAIN_AE1 Current digital gain pre-LC (def=0080h)
2221h .. RESERVED_AE_21 Reserved
2222h 2 AE_R9 Current R9:0 value (0-FFFFh, def=0010h)
2224h .. RESERVED_AE_24-2C Reserved
222Dh 2 AE_R9_STEP Integration time per zone (def=009Dh)
222Fh .. RESERVED_AE_2F-49 Reserved
224Ah 1 AE_TARGETMIN Min value for target (0..FFh, def=32h)
224Bh 1 AE_TARGETMAX Max value for target (0..FFh, def=96h)
224Ch 1 AE_TARGETBUFFERSPEED Target Buffer Speed (0..FFh, def=0Ch)
224Dh .. RESERVED_AE_4D Reserved
224Fh 1 AE_BASETARGET Target Base (0..FFh, def=36h)
2250h .. RESERVED_AE_50-61 Reserved
2262h .. RESERVED_AE_62-64 Reserved (REV3)
|
| DSi Aptina Camera Variables: AWB (Auto White Balance) (MCU:23xxh) |
2300h .. RESERVED_AWB_00 Reserved
2302h 1 AWB_WINDOW_POS AWB Window Position Y0 and X0
0-3 X0 (in units of 1/16th of frame width) (0..0Fh)
4-7 Y0 (in units of 1/16th of frame height) (0..0Fh)
2303h 1 AWB_WINDOW_SIZE AWB Window Size (def=EFh)
0-3 Width (units of 1/16th of frame width, minus 1) (0..0Fh)
4-7 Height (units of 1/16th of frame height, minus 1) (0..0Fh)
2304h .. RESERVED_AWB_04 Reserved
2306h 3x2 AWB_CCM_L_0-2 Left CCM K11,K12,K13 (0180h,FF00h,0080h)
230Ch 3x2 AWB_CCM_L_3-5 Left CCM K21,K22,K23 (FF66h,0180h,FFEEh)
2312h 3x2 AWB_CCM_L_6-8 Left CCM K31,K32,K33 (FFCDh,FECDh,019Ah)
2318h 2 AWB_CCM_L_9 Left CCM Red/Green gain (0020h)
231Ah 2 AWB_CCM_L_10 Left CCM Blue/Green gain (0033h)
231Ch 3x2 AWB_CCM_RL_0-2 DeltaCCM D11,D12,D13 (0100h,FF9Ah,xxxxh)
2322h 3x2 AWB_CCM_RL_3-5 DeltaCCM D21,D22,D23 (004Dh,FFCDh,FFB8h)
2328h 3x2 AWB_CCM_RL_6-8 DeltaCCM D31,D32,D33 (004Dh,0080h,FF66h)
232Eh 2 AWB_CCM_RL_9 DeltaCCM Red/Green gain (0008h)
2330h 2 AWB_CCM_RL_10 DeltaCCM Blue/Green gain (FFF7h)
2332h 3x2 AWB_CCM_0-2 Curr CCM C11,C12,C13 (01BAh,FF5Bh,FFF1h)
2338h 3x2 AWB_CCM_3-5 Curr CCM C21,C22,C23 (FFC7h,01B9h,FF87h)
233Eh 3x2 AWB_CCM_6-8 Curr CCM C31,C32,C33 (FFF9h,FF32h,01DCh)
2344h 2 AWB_CCM_9 Curr CCM Red/Green gain (003Ch)
2346h 2 AWB_CCM_10 Curr CCM Blue/Green gain (002Bh)
2348h 1 AWB_GAIN_BUFFER_SPEED Gain Speed (1-20h, def=08h, 20h=fastest)
2349h 1 AWB_JUMP_DIVISOR Jump Divisor (1-FFh, def=02h, 1=fastest)
234Ah 1 AWB_GAIN_MIN Min AWB Red (def=59h) ;\Digital Gain
234Bh 1 AWB_GAIN_MAX Max allowed Red (def=B6h) ; Min/max
234Ch 1 AWB_GAINMIN_B Min AWB (def=59h) ; (0..FFh)
234Dh 1 AWB_GAINMAX_B Max allowed (def=A6h) ;/
234Eh 1 AWB_GAIN_R Current R digital gain ;\Current Gain
234Fh 1 AWB_GAIN_G Current G digital gain ; (0..FFh,
2350h 1 AWB_GAIN_B Current B digital gain ;/def=80h)
2351h 1 AWB_CCM_POSITION_MIN Min/Left (def=?) ;\(range 0..FFh,
2352h 1 AWB_CCM_POSITION_MAX Max/Right (def=7Fh) ; 00h=incandescent,
2353h 1 AWB_CCM_POSITION Position (def=40h) ;/7Fh=daylight)
2354h 1 AWB_SATURATION Saturation (0..FFh, def=80h, 80h=100%)
2355h 1 AWB_MODE Misc control for AWB (0..FFh)
0 Steady (1=AWB is done)
1 Limits Reached (1=AWB limit is reached)
2 Reserved
3 Reserved
4 Reserved
5 Force_unit_dgains
6 NormCCM_off
2356h 2 AWB_GAINR_BUF Time-buffered R gain (0..FFFFh)
2358h 2 AWB_GAINB_BUF Time-buffered B gain (0..FFFFh)
235Ah .. RESERVED_AWB_5A-5C Reserved
235Dh 1 AWB_STEADY_BGAIN_OUT_MIN (0-FF, def=78h)
235Eh 1 AWB_STEADY_BGAIN_OUT_MAX (0-FF, def=86h)
235Fh 1 AWB_STEADY_BGAIN_IN_MIN (0-FF, def=7Eh)
2360h 1 AWB_STEADY_BGAIN_IN_MAX (0-FF, def=82h)
2361h 2 UNDOC_AWB_61 (0..FFFFh, def=0040h)
2363h 1 AWB_TG_MIN0 True Gray minimum (0..FFh, def=D2h)
2364h 1 AWB_TG_MAX0 True Gray maximum (0..FFh, def=F6h)
2365h 1 AWB_X0 (0-FFh, def=10h)
2366h 1 AWB_KR_L (0-FFh, def=80h)
2367h 1 AWB_KG_L (0-FFh, def=80h)
2368h 1 AWB_KB_L (0-FFh, def=80h)
2369h 1 AWB_KR_R (0-FFh, def=80h)
236Ah 1 AWB_KG_R (0-FFh, def=80h)
236Bh 1 AWB_KB_R (0-FFh, def=80h)
236Ch .. RESERVED_AWB_6C-6E Reserved
|
| DSi Aptina Camera Variables: FD (Anti-Flicker) (MCU:24xxh) |
2400h .. RESERVED_FD_00 Reserved
2402h 1 FD_WINDOW_POSH Window Pos H (0..FFh, def=1Dh)
0-3 Width (in units of 1/16th of frame width, minus 1) (0..0Fh)
4-7 X0 (=position/origin or so?) (0..0Fh)
2403h 1 FD_WINDOW_HEIGHT FlickerMeasurementWindowHeight (def=04h)
0-5 Flicker measurement window height in rows (0..3Fh)
6-7 Unspecified
2404h 1 FD_MODE Flicked Detection switches/indicators
0-3 Reserved (0..0Fh) (R)
4 Debug_mode (0=Disable, 1=Enable single period mode)
5 Curr Flicker State (0=60Hz, 1=50Hz) (R)
6 Curr Settings (0=60Hz, 1=50Hz)
7 Manual Mode (0=Disable, 1=Enable)
2405h .. RESERVED_FD_05-07 Reserved
2408h 1 FD_SEARCH_F1_50 Search F1 50Hz (0..FFh, def=33h)
2409h 1 FD_SEARCH_F2_50 Search F2 50Hz (0..FFh, def=35h)
240Ah 1 FD_SEARCH_F1_60 Search F1 60Hz (0..FFh, def=29h)
240Bh 1 FD_SEARCH_F2_60 Search F2 60Hz (0..FFh, def=2Bh)
240Ch 1 UNDOC_FD_0C (0..FFh)
240Dh 1 FD_STAT_MIN Stat Min (0..FFh, def=03h)
240Eh 1 FD_STAT_MAX Stat Max (0..FFh, def=05h)
240Fh .. RESERVED_FD_0F Reserved
2410h 1 FD_MIN_AMPLITUDE Ignore Signals below Min (0..FFh, def=5)
2411h 2 FD_R9_STEP_F60_A 60HzA (def=0D4h) ;\Minimal Shutter Width
2413h 2 FD_R9_STEP_F50_A 50HzA (def=103h) ; Steps for 60Hz/50H AC
2415h 2 FD_R9_STEP_F60_B 60HzB (def=09Dh) ; in Context A/B
2417h 2 FD_R9_STEP_F50_B 50HzB (def=0B8h) ;/(0..FFFFh)
2419h .. RESERVED_FD_19-7B Reserved
|
| DSi Aptina Camera Variables: MODE (Mode/Context) (MCU:27xxh) |
2700h .. RESERVED_MODE_00-02 Reserved
2703h 2 MODE_OUTPUT_WIDTH_A (CX) (0..FFFFh, def=0320h) ;\Size A
2705h 2 MODE_OUTPUT_HEIGHT_A (CY) (0..FFFFh, def=0258h) ;/
2707h 2 MODE_OUTPUT_WIDTH_B (0..FFFFh, def=0640h) ;\Size B
2709h 2 MODE_OUTPUT_HEIGHT_B (0..FFFFh, def=04B0h) ;/
270Bh 1 MODE_A_MIPI_VC (0..07h) (REV3) ;-Mipi A
270Ch 1 MODE_B_MIPI_VC (0..07h) (REV3) ;-Mipi B
270Dh 2 MODE_SENSOR_ROW_START_A (Y1) (0..FFFFh) ;\
270Fh 2 MODE_SENSOR_COL_START_A (X1) (0..FFFFh) ;
2711h 2 MODE_SENSOR_ROW_END_A (Y2) (0..FFFFh, def=040Dh) ;
2713h 2 MODE_SENSOR_COL_END_A (X2) (0..FFFFh, def=050Dh) ; Sensor
2715h 2 MODE_SENSOR_ROW_SPEED_A (0..0777h, def=0112h) ; A
0-2: pixclk_speed (0..7) ;
1ADC: Pclk = 2 mclks * bits[0:2] ;
2ADC: bits[0:2] ;
4-6: Reserved (0..7) ;
8-10: Reserved (0..7) ;
2717h 2 MODE_SENSOR_READ_MODE_A (0..FFFFh, def=046Ch) ;
0: horiz_mirror ;
1: vert_flip ;
2-4: y_odd_inc (0..7) ;
5-7: x_odd_inc (0..7) ;
9: low_power ;
10: xy_bin_en ;
11: x_bin_en ;
2719h 2 MODE_SENSOR_FINE_CORRECTION_A (0..FFFFh, def=007Bh) ;
271Bh 2 MODE_SENSOR_FINE_IT_MIN_A (0..FFFFh, def=0408h) ;
271Dh 2 MODE_SENSOR_FINE_IT_MAX_MARGIN_A (0..FFFFh, def=00ABh) ;
271Fh 2 MODE_SENSOR_FRAME_LENGTH_A (0..FFFFh, def=0293h) ;
2721h 2 MODE_SENSOR_LINE_LENGTH_PCK_A (0..FFFFh, def=07D0h) ;/
2723h 2 MODE_SENSOR_ROW_START_B (0..FFFFh, def=0004h) ;\
2725h 2 MODE_SENSOR_COL_START_B (0..FFFFh, def=0004h) ; Sensor
2727h 2 MODE_SENSOR_ROW_END_B (0..FFFFh, def=040Bh) ; B
2729h 2 MODE_SENSOR_COL_END_B (0..FFFFh, def=050Bh) ;
272Bh 2 MODE_SENSOR_ROW_SPEED_B (0..0777h, def=0111h) ; (same
272Dh 2 MODE_SENSOR_READ_MODE_B (0..FFFFh, def=0024h) ; as
272Fh 2 MODE_SENSOR_FINE_CORRECTION_B (0..FFFFh, def=00A4h) ; Sensor
2731h 2 MODE_SENSOR_FINE_IT_MIN_B (0..FFFFh, def=0408h) ; A, see
2733h 2 MODE_SENSOR_FINE_IT_MAX_MARGIN_B (0..FFFFh, def=00A4h) ; there)
2735h 2 MODE_SENSOR_FRAME_LENGTH_B (0..FFFFh, def=04EDh) ;
2737h 2 MODE_SENSOR_LINE_LENGTH_PCK_B (0..FFFFh, def=0D06h) ;/
2739h 2 MODE_CROP_X0_A (0..FFFFh) ;\
273Bh 2 MODE_CROP_X1_A (0..FFFFh, def=031Fh) ; Crop A
273Dh 2 MODE_CROP_Y0_A (0..FFFFh) ;
273Fh 2 MODE_CROP_Y1_A (0..FFFFh, def=0257h) ;/
2741h .. RESERVED_MODE_41-45 Reserved
2747h 2 MODE_CROP_X0_B (0..FFFFh) ;\
2749h 2 MODE_CROP_X1_B (0..FFFFh, def=063Fh) ; Crop B
274Bh 2 MODE_CROP_Y0_B (0..FFFFh) ;
274Dh 2 MODE_CROP_Y1_B (0..FFFFh, def=04AFh) ;/
274Fh .. RESERVED_MODE_4F-53 Reserved
2755h 2 MODE_OUTPUT_FORMAT_A Format A (0..FFFFh ;\
2757h 2 MODE_OUTPUT_FORMAT_B Format B (0..FFFFh ;
0 swap_channels (swap Cb/Cr in YUV and R/B in RGB);
1 swap_chrominance_luma ; Format
2 bayer_out (Progressive Bayer) ; A/B
3 monochrome (0..1) ;
4 Reserved ;
5 output_mode (0=YUV, 1=RGB) ;
6-7 RGB Format (0=565, 1=555, 2=444xh, 3:x444h) ;
8 Processed Bayer (0..1) ;
9 Invert out_clk (0..1) (REV3) ;
10-15 Unspecified ;/
2759h 2 MODE_SPEC_EFFECTS_A Effects A (def=6440h) ;\
275Bh 2 MODE_SPEC_EFFECTS_B Effects B (def=6440h) ;
0-2 Selection (1=Mono, 2=Sepia, 3=Negative, ; Effects
4=Solarization, 5=Solarization w/ UV) ; A/B
3-5 Dither_bitwidth ;
6 Dither_luma ;
8-15 Solarization Threshold (0..7 for diff effects) ;/
275Dh 1 MODE_Y_RGB_OFFSET_A Offset A (00h..FFh) ;\Offset
275Eh 1 MODE_Y_RGB_OFFSET_B Offset B (00h..FFh) ;/A/B
275Fh 2 MODE_COMMON_MODE_SETTINGS_BRIGHT_COLOR_KILL ;\
Shadow register for 35A4h in SOC2 ;
0-2 Color kill saturation point (0..7) ; Kill
3-5 Bright color kill gain (0..7) ; Bright
6-8 Bright color kill threshold (0..7) ;
9 Signal_ctrl (1=use luma as min/max value) ;
10 en_kl (1=enable bright color kill) ;
11-15 Unspecified ;/
2761h 2 MODE_COMMON_MODE_SETTINGS_DARK_COLOR_KILL ;\
Shadow register for 35A2h in SOC2 ;
0-2 Dark color kill gain (0..7) ; Kill
3-5 Dark color kill threshold (0..7) ; Dark
6 Signal_ctrl (1=use luma as min/max value) ;
7 en_dark_kl (1=enable dark color kill) ;
8-15 Unspecified ;/
2763h 2 MODE_COMMON_MODE_SETTINGS_FX_SEPIA_SETTINGS ;\
0-7 Sepia constants for Cr (00h..FFh) ; Sepia
8-15 Sepia constants for Cb (00h..FFh) ;/
2765h 1 MODE_COMMON_MODE_SETTINGS_FILTER_MODE ;\
Shadow register for 326Eh in SOC1 ;
0-2 UV Filter mode (0..7) ; Filter
3-4 Y Filter mode (0..3) ;
5 Enable_y_filter (enable y permanently) ;
6 Threshold_switch, switch for adaptive Y filter threshold
7 Off_switch, B/W filter enable switch ;/
2766h 1 MODE_COMMON_MODE_SETTINGS_TEST_MODE Test (00h..FFh)
0-? Test Pattern (0=None?, 1=Flat, 2=Ramp, 3=ColorBars,
4=VertStripes, 5=Noise, 6=HoriStripes)
Output test pattern (instead camera image)
requires "Refresh Command" sent to Sequencer
2767h .. RESERVED_MODE_67-68 Reserved
|
| DSi Aptina Camera Variables: HG (Histogram) (MCU:2Bxxh) |
2B00h .. RESERVED_HG_00-03 Reserved
2B04h 1 HG_MAX_DLEVEL DarkLevel Limit (0..FFh, def=40h)
2B05h .. RESERVED_HG_05 Reserved
2B06h 1 HG_PERCENT Percent? (0..FFh, def=03h)
2B07h .. RESERVED_HG_07 Reserved
2B08h 1 HG_DLEVEL DarkLevel (0..FFh, def=10h)
2B09h .. RESERVED_HG_09-16 Reserved
2B17h 1 HG_AVERAGELUMA Average Luma (0..FFh)
2B18h .. RESERVED_HG_18-1A Reserved
2B1Bh 2 HG_BRIGHTNESSMETRIC Brightness Metric (0..FFFFh)
2B1Dh .. RESERVED_HG_1D Reserved
2B1Fh 1 HG_LLMODE Low Light mode controls (def=C4h)
0-3 Brightness Metric Prescaler (01h..0Fh)
4-5 Unused (0)
6 HG_2d_corr_vs_clusterdc
7 Clusterdc_vs_gains
2B20h 1 HG_LL_SAT1 LL_SAT1 (0..FFh, def=43h)
2B21h 1 UNDOC_HG_21 Whatever (0..FFh, def=10h)
2B22h 1 HG_LL_APCORR1 LL_APCORR1 (0..FFh, def=03h)
2B23h 1 UNDOC_HG_23 Whatever (0..FFh, def=04h)
2B24h 1 HG_LL_SAT2 LL_SAT2 (0..FFh, def=0Ch)
2B25h 1 HG_LL_INTERPTHRESH2 LL_INTERPTHRESH2 (0..FFh, def=23h)
2B26h 1 HG_LL_APCORR2 LL_APCORR2 (0..FFh)
2B27h 1 HG_LL_APTHRESH2 LL_APTHRESH2 (0..FFh, def=04h)
2B28h 2 HG_LL_BRIGHTNESSSTART LL_BRIGHTNESSSTART (0..FFFFh, def=0A8Ch)
2B2Ah 2 HG_LL_BRIGHTNESSSTOP LL_BRIGHTNESSSTOP (0..FFFFh, def=34BCh)
2B2Ch 1 HG_NR_START_R NR_START_R (0..FFh, def=06h)
2B2Dh 1 HG_NR_START_G NR_START_G (0..FFh, def=0Eh)
2B2Eh 1 HG_NR_START_B NR_START_B (0..FFh, def=06h)
2B2Fh 1 HG_NR_START_OL NR_START_OL (0..FFh, def=06h)
2B30h 1 HG_NR_STOP_R NR_STOP_R (0..FFh, def=1Eh)
2B31h 1 HG_NR_STOP_G NR_STOP_G (0..FFh, def=1Eh)
2B32h 1 HG_NR_STOP_B NR_STOP_B (0..FFh, def=1Eh)
2B33h 1 HG_NR_STOP_OL NR_STOP_OL (0..FFh, def=1Eh)
2B34h 1 HG_NR_GAINSTART NR_GAINSTART (0..FFh, def=08h)
2B35h 1 HG_NR_GAINSTOP NR_GAINSTOP (0..FFh, def=80h)
2B36h 1 HG_CLUSTERDC_TH CLUSTERDC_TH (0..FFh, def=1Eh)
2B37h 1 HG_GAMMA_MORPH_CTRL Gamma Morphing Control (0..FFh, def=3)
0-1 Enable Gamma Morph (0=Disable, 1=Use Table A, 2=Use Table B,
3=AutoMorph between Table A and B based on BrightnessMetric)
2-7 Unspecified
2B38h 2 HG_GAMMASTARTMORPH Gamma Start Morph (0..FFFFh, def=0A8Ch)
2B3Ah 2 HG_GAMMASTOPMORPH Gamma Stop Morph (0..FFFFh, def=34BCh)
2B3Ch 19 HG_GAMMA_TABLE_A_0-18 Gamma Table A for normal light condition
Default=xx,1B,2E,4C,78,98,B0,E8,CF,D9,E1,E8,EE,F2,F6,F9,FB,FD,FF
2B4Fh 19 HG_GAMMA_TABLE_B_0-18 Gamma Table B for low light condition
Default=xx,0F,1A,2E,50,6A,80,91,A1,AF,BB,C6,D0,D9,E2,EA,F1,F9,FF
Above 2 tables have normal byte-order (Entry0,Entry1,...,Entry18)
2B62h 2 HG_FTB_START_BM (0..FFFFh, def=7FBCh) (REV3)
2B64h 2 HG_FTB_STOP_BM (0..FFFFh, def=82DCh) (REV3)
2B66h 2 HG_CLUSTER_DC_BM (0..FFFFh, def=4A38h) (REV3)
|
| DSi Alternate Cameras from Unknown Manufacturer |
003h, 1,001h ;<-- bank maybe?
009h, 3,0E2h,002h,002h
004h, 1,010h
004h, 1,0A0h
004h, 2,090h,04Ch
00Dh, 1,0FFh
016h, 1,053h
018h, 3,002h,001h,00Fh
020h, 1,000h
023h, 2,000h,000h
034h, 8,000h,003h,000h,003h,001h,002h,000h,0C2h
03Dh, 4,050h,050h,000h,067h
042h, 1,01Ch
04Ah, 2,043h,0F8h
04Eh, 7,028h,0FCh,000h,024h,014h,008h,008h
056h,13,000h,018h,028h,034h,044h,056h,06Eh,080h,0A4h,0C2h,0D6h,0E8h,0F4h
065h,12,00Fh,038h,008h,000h,01Fh,01Fh,01Fh,01Fh,01Fh,01Fh,01Fh,01Fh
07Ah,17,039h,03Bh,03Ah,036h,03Ch,03Ch,03Ah,03Ch,03Ch,03Ch,03Ah,03Ch,038h
03Ah,031h,03Ah,082h
08Dh,22,08Ah,090h,096h,09Ch,0A4h,0AAh,0B0h,0B6h,0BCh,0C4h,0CAh,0D0h,0D6h
0DCh,0E4h,0EAh,0F0h,0F2h,0F4h,0F6h,0F8h,0FAh
0A9h, 1,02Bh
0ABh, 3,02Eh,000h,050h
0AFh, 1,070h
0B2h, 4,03Ch,068h,049h,070h
0B7h,21,032h,000h,00Eh,0F8h,00Ch,07Ah,040h,000h,000h,010h,044h,064h,052h
012h,001h,0D7h,004h,002h,024h,002h,024h
0D4h, 5,004h,004h,008h,00Ah,010h
016h, 1,0F7h
0DEh, 2,002h,024h
016h, 1,053h
0E1h, 1,034h
0FFh, 1,00Fh
003h, 1,002h ;<-- bank maybe?
005h, 2,06Dh,004h
011h, 4,004h,048h,004h,048h
016h, 2,00Ch,0D8h
019h, 2,00Ch,0D8h
01Eh, 6,002h,024h,070h,000h,001h,06Eh
026h, 7,008h,00Fh,00Fh,006h,0FFh,0FFh,003h
02Eh,19,07Eh,088h,074h,07Eh,008h,010h,080h,008h,084h,078h,001h,003h,00Ah
025h,060h,0B0h,006h,000h,000h
042h, 7,080h,010h,010h,010h,040h,080h,0FFh
04Ah,30,000h,000h,001h,0E5h,001h,0E0h,000h,070h,002h,0F0h,000h,02Eh,001h
0F3h,000h,005h,000h,000h,001h,000h,000h,0C0h,000h,026h,000h,01Ch
000h,0B3h,000h,086h
069h,36,000h,000h,006h,014h,014h,01Fh,000h,000h,000h,000h,000h,01Fh,000h
000h,010h,010h,010h,01Fh,000h,000h,004h,004h,004h,01Fh,000h,000h
000h,000h,000h,01Fh,000h,000h,010h,010h,010h,01Fh
095h, 1,084h
097h,18,002h,000h,0FFh,0FFh,000h,0FFh,0FFh,000h,000h,0FFh,0FFh,000h,0FFh
0FFh,000h,0F8h,014h,010h
0AAh,13,044h,098h,08Ch,09Ch,048h,08Ch,08Ah,09Ch,046h,02Ah,080h,008h,026h
0B8h, 8,02Ah,084h,000h,026h,02Ah,080h,008h,020h
0C1h,10,038h,020h,01Fh,01Dh,034h,020h,01Fh,01Dh,045h,05Dh
0CCh, 2,020h,020h
0D0h, 3,080h,000h,0FFh
003h, 1,000h ;<-- bank maybe?
013h, 2,000h,04Ch
01Dh, 2,000h,04Ch
015h, 2,001h,05Fh
055h, 2,001h,05Eh
031h, 6,006h,068h,00Ch,005h,004h,047h
047h, 2,000h,003h
04Ah, 3,0A0h,000h,003h
04Fh, 2,000h,003h
059h, 2,000h,001h
05Fh, 2,000h,001h
066h, 1,09Eh
06Eh, 2,07Fh,003h
075h, 1,050h
07Ah, 2,000h,001h
07Eh, 1,020h
082h, 1,038h
084h,14,003h,040h,003h,040h,000h,000h,040h,003h,0FFh,002h,008h,020h,018h,006h
093h,11,020h,040h,040h,01Fh,002h,000h,000h,000h,000h,000h,000h
003h, 1,001h ;<-- bank maybe?
00Fh, 1,0C9h ;or, for Device E0h: 00Fh, 1,0C8h
052h, 3,004h,008h,008h ;or, for Device E0h: N/A
003h, 1,002h ;<-- bank maybe?
026h, 1,008h ;or, for Device E0h: 026h, 1,000h
0CCh, 2,0C0h,0C0h ;or, for Device E0h: N/A
0B4h, 1,000h ;or, for Device E0h: N/A
0B6h, 1,026h ;or, for Device E0h: N/A
0B9h, 3,000h,008h,026h ;or, for Device E0h: N/A
0BDh, 1,000h ;or, for Device E0h: N/A
026h, 1,008h ;or, for Device E0h: N/A
003h, 1,001h ;<-- bank maybe?
02Dh, 1,0FFh
004h, 1,020h
|
003h, 1,002h ;<-- bank maybe? 0A7h, 1,014h 003h, 1,001h ;<-- bank maybe? 004h, 1,0A0h 004h, 1,090h 02Dh, 1,000h 004h, 1,098h |
C1h, 8,038h,030h,01Fh,01Fh,02Ch,030h,01Fh,01Fh C1h, 8,038h,030h,01Fh,01Fh,038h,030h,01Fh,01Fh C1h, 8,02Ch,030h,01Fh,01Fh,02Ch,030h,01Fh,01Fh C1h, 8,02Ch,030h,01Fh,01Fh,02Ch,030h,01Fh,01Fh C1h, 8,02Ch,030h,01Fh,01Fh,02Ch,030h,01Fh,01Fh C1h, 8,02Ch,030h,01Fh,01Fh,02Ch,030h,01Fh,01Fh C1h, 8,030h,028h,018h,018h,034h,028h,008h,018h C1h, 8,030h,028h,018h,018h,030h,028h,008h,018h C1h, 8,028h,028h,018h,018h,028h,028h,008h,018h C1h, 8,028h,028h,018h,018h,028h,028h,008h,018h C1h, 8,028h,028h,018h,018h,028h,028h,008h,018h C1h, 8,028h,028h,018h,018h,028h,028h,008h,018h |
| DSi Cameras |
0 Unknown (R or R/W) 1 Unknown (1=Enable?) (R or R/W) 2-4 Unknown (R or R/W) 5 Unknown (1=Enable?) (0=CamI2C fails?) (R or R/W) 6 Unknown (R or R/W) 7 Unknown (gets set automatically?) (R?) 8-15 Unknown/Unused (00h) (0?) |
0-3 Number of DMA scanlines minus 1 (usually 3=Four Scanlines) (R or R/W) 4 Data request? or Data overrun? or so? (R) 5 Clear bit4, and flush CAM_DAT till next Camera Vblank? (W) 6-7 Unknown/Unused (0) (0?) 8-9 ? Set to 2 during init, 0 on cameras shutdown (R/W) 10 ? Set to 1 during init, 0 on cameras shutdown (R/W) 11 IRQ Enable (0=Disable, 1=Enable) (R/W) 12 Unknown/Unused (0) (0?) 13 Color Format (0=Direct/YUV422, 1=Convert YUV-to-RGB555) (R or R/W) 14 Trimming Enable (0=Normal/FullPicture, 1=Crop via SOFS/EOFS) (R or R/W) 15 Transfer Enable (0=Disable/AllowConfig, 1=Enable/Transfer) (R/W) |
0-7 First Pixel Luminance (Y) (unsigned, 00h..FFh, FFh=white) 8-15 Both Pixels Blue (Cb aka U) (unsigned, 00h..FFh, 80h=gray) 16-23 Second Pixel Luminance (Y) (unsigned, 00h..FFh, FFh=white) 24-31 Both Pixels Red (Cr aka V) (unsigned, 00h..FFh, 80h=gray) |
0-4 First Pixel Red Intensity (0..31) 5-9 First Pixel Green Intensity (0..31) 10-14 First Pixel Blue Intensity (0..31) 15 First Pixel Alpha (always 1=NonTransparent) 16-20 Second Pixel Red Intensity (0..31) 21-25 Second Pixel Green Intensity (0..31) 26-30 Second Pixel Blue Intensity (0..31) 31 Second Pixel Alpha (always 1=NonTransparent) |
R = Y+(Cr-80h)*1.402 G = Y-(Cr-80h)*0.714)-(Cb-80h)*0.344 B = Y+(Cb-80h)*1.772 |
0 Unused (0) (0) 1-9 X-Offset (0..1FFh) in words (ie. 2-pixel units)? (R or R/W) 10-15 Unused (0) (0) 16-24 Y-Offset (0..1FFh) in scanlines? (R or R/W) 25-31 Unused (0) (0) |
[4004004h]=[4004004h] OR 0004h ;SCFG_CLK, CamInterfaceClock = ON [4004200h]=0000h, delay(1Eh) ;CAM_MCNT, Camera Module Control [4004004h]=[4004004h] OR 0100h, delay(1Eh) ;SCFG_CLK, CamExternal Clock = ON [4004200h]=0022h, delay(2008h) ;CAM_MCNT, Camera Module Control [4004004h]=[4004004h] AND NOT 0100h ;SCFG_CLK, CamExternal Clock = OFF [4004202h]=[4004202h] AND NOT 8000h ;CAM_CNT, allow changing params [4004202h]=[4004202h] OR 0020h ;CAM_CNT, whatever? [4004202h]=([4004202h] AND NOT 0300h) OR 0200h [4004202h]=[4004202h] OR 0400h [4004202h]=[4004202h] OR 0800h [4004004h]=[4004004h] OR 0100h, delay(14h) ;SCFG_CLK, CamExternal Clock = ON issue "aptina_code_list_init" via I2C bus on ARM7 side [4004004h]=[4004004h] AND NOT 0100h ;SCFG_CLK, CamExternal Clock = OFF [4004004h]=[4004004h] OR 0100h, delay(14h) ;SCFG_CLK, CamExternal Clock = ON issue "aptina_code_list_activate" via I2C bus on ARM7 side [4004202h]=[4004202h] OR 2000h [4004202h]=([4004202h] AND NOT 000Fh) OR 0003h [4004202h]=[4004202h] OR 0020h [4004202h]=[4004202h] OR 8000h ;CAM_CNT, start transfer [4004120h]=04004204h ;NDMA1SAD, source CAM_DTA [4004124h]=0xxxxxxxh ;NDMA1DAD, dest RAM/VRAM [4004128h]=00006000h ;NDMA1TCNT, len for 256x192 total [400412Ch]=00000200h ;NDMA1WCNT, len for 256x4 blocks [4004130h]=00000002h ;NDMA1BCNT, timing interval or so [4004138h]=8B044000h ;NDMA1CNT, start camera DMA |
640*480 VGA (0.3 Megapixel) No zoom and no flash. |
Nintendo DSi Camera System Menu (can take photos, and can display JPG's with "Star" sticker) Flipnote (doesn't directly support camera hardware, but can import JPG's) |
Asphalt 4 : Elite Racing (DSiWare) Brain Challenge (DSiWare) Classic Word Games Cooking Coach Pop SuperStar : Road To Celebrity (DSiWare) Real Football 2009 (DSiWare) WarioWare : Snapped! (DSiWare) iCarly Pokemon Black,White (2010,JP) Castle of Magic (DSiWare) Photo Dojo (DSiWare) System Flaw (mis-uses camera as gyro sensor) |
| DSi SD/MMC Protocol and I/O Ports |
| DSi SD/MMC I/O Ports: Command/Param/Response/Data |
15 undoc Unknown/undoc (read/write-able)
14 undoc Security Cmd? (0=Normal, 1=Whatever/Security?) (sdio?)
13 undoc Data Length (0=Single Block, 1=Multiple Blocks)
12 undoc Data Direction (0=Write, 1=Read)
11 NTDT Data Transfer (0=No data, 1=With data)
10-8 REP2-0 Response Type (0=Auto, 1..2=Unknown/Reserved, 3=None, 4=48bit,
5=48bit+Busy, 6=136bit, 7=48bitOcrWithoutCRC7)
7-6 CMD1-0 Command Type (0=CMD, 1=ACMD, 2..3=unknown, maybe GEN WR/RD?)
5-0 CIX Command Index (0..3Fh, command index)
|
31-0 Parameter value for CMD |
31-0 Response 127-32 Older Responses |
119-0 120bit Response 127-120 Zero (always?) |
.----------. CPU
o--| FIFO16_A |--o o---------------- 4004830h
serial '----------' \ 16bit
SD/MMC ---o o---------o
bus \ .----------. \ .--------. CPU/NDMA
o--| FIFO16_B |--o o---| FIFO32 |--- 400490Ch
'----------' '--------' 32bit
|
15-13 Always zero 12 Unknown (usually 1) (R?) 11-6 Always zero 5 Unknown (read/write-able) (usually 0) (R/W) 4 Unknown (usually 1) (R?) 3-2 Always zero 1 Select 16bit/32bit Data Mode (0=DATA16, 1=DATA32, see 4004900h) (R/W) 0 Always zero |
15-0 Number of Data Blocks for multiple read/write commands (0..FFFFh) |
15-10 Always zero 9-0 Data Block Length in bytes (for DATA16: clipped to max 0200h by hw) |
15-0 Data (Read/Write one block (usually 100h halfwords) upon RXRDY/TXRQ) |
31-0 Data (Read/Write one block (usually 80h words) upon RX32RDY/TX32RQ) |
| DSi SD/MMC I/O Ports: Interrupt/Status |
Bit Stat Mask Function 0 SREP MREP CMDRESPEND (response end) (or R1b: busy end) 1 0 0 Unknown/unused (always 0) 2 SRWA MRWA DATAEND (set after (last) data block end) 3 SCOT MCOT CARD_REMOVE (0=No event, 1=Is/was newly ejected) ;\ 4 SCIN MCIN CARD_INSERT (0=No event, 1=Is/was newly inserted) ; SD 5 undoc 0 SIGSTATE (0=Ejected, 1=Inserted) (SDIO: always 1) ; Slot 6 0 0 Unknown/unused (always 0) ; Sw's 7 undoc 0 WRPROTECT (0=Locked/Ejected, 1=Unlocked/HalfEjected);/ 8 undoc undoc CARD_REMOVE_A (0=No event, 1=High-to-Low occurred) ;\SD 9 undoc undoc CARD_INSERT_A (0=No event, 1=Low-to-High occurred) ; Slot 10 undoc 0 SIGSTATE_A (usually 1=High) ;also as so for SDIO ;/Data3 11 0 0 Unknown/unused (always 0) 12 0 0 Unknown/unused (always 0) 13 0 0 Unknown/unused (always 0) 14 0 0 Unknown/unused (always 0) 15 0 0 Unknown/unused (always 0) 16 SCIX MCIX CMD_IDX_ERR Bad CMD-index in response (RCMDE,SCMDE) 17 SCRC MCRC CRCFAIL CRC response error (WCRCE,RCRCE,SCRCE,CCRCE) 18 SEND MEND STOPBIT_ERR End bit error (WEBER,REBER,SEBER,CEBER) 19 SDTO MDTO DATATIMEOUT Data Timeout (NRCS,NWCS,KBSY) 20 SFOF MFOF RXOVERFLOW HOST tried write full 21 SFUF MFUF TXUNDERRUN HOST tried read empty 22 SCTO MCTO CMDTIMEOUT Response start-bit timeout (NRS,NSR) 23 ??? 0 Unknown/undoc (usually set) (zero after sending TX data?) 24 SBRE MBRE RXRDY (fifo not empty) (request data read) 25 SBWE MBWE TXRQ (datafifoempty?) (request data write) 26 0 0 Unknown/unused (always 0) 27 undoc undoc Unknown/undoc (bit27 is mask-able in IRQ_MASK) 28 0 0 Unknown/unused (always 0) 29 undoc 0 CMD_READY? (inverse of BUSY?) (unlike toshiba ILFSL/IFSMSK) 30 undoc 0 CMD_BUSY (CMD_BUSY=0 shortly before CMD_READY=1?) 31 ILA IMSK Illegal Command Access (old CMD still busy, or wrong NTDT) |
Bit Stat Mask Function 15 undoc undoc SomeIRQ (triggered SOMETIMES on forced CMDTIMEOUT?) 14 undoc undoc SomeIRQ (triggered near DATAEND?) 13-3 0 0 Always zero 2 undoc undoc SomeIRQ (triggered on forced TXUNDERRUN?) 1 undoc undoc SomeIRQ (triggered about once per datablock?) 0 CINT0 CIMSK0 CardIRQ (triggered by /IRQ aka Data1 pin; for SDIO devices) |
Bit Stat Mask Function 0 SCOT MCOT CARD_REMOVE (0=No event, 1=Is/was newly ejected) ;\eMMC 1 SCIN MCIN CARD_INSERT (0=No event, 1=Is/was newly inserted) ; Slot 2 undoc 1 SIGSTATE (MMC: Always 1=Inserted) (SDIO: always 0);/Sw 3 0 RW Unknown (stat always 0, but mask is R/W) ;\maybe another 4 0 RW Unknown (stat always 0, but mask is R/W) ; unimplemented 5 0 1 Unknown (stat always 0, and mask always 1) ;/device? 6 0 RW Unknown (stat always 0, but mask is R/W) ;\maybe yet one 7 0 RW Unknown (stat always 0, but mask is R/W) ; more? 8-15 0 0 Unknown/unused (always 0) ;/ 16 ?? RW Unknown (stat can be 0/1) (R/W? or rather R?) 17 ?? RW Unknown (stat can be 0/1) (R/W? or rather R?) 18 ?? 1 Unknown (1=normal, 0=data/read from card to fifo busy?) (R) 19 0 RW Unknown (stat always 0, but mask is R/W) 20 0 RW Unknown (stat always 0, but mask is R/W) 21 0 1 Unknown (stat always 0, and mask always 1) 22 0 RW Unknown (stat always 0, but mask is R/W) 23 0 RW Unknown (stat always 0, but mask is R/W) 24-31 0 0 Unknown/unused (always 0) |
15-10 Always zero 9 Enable setting SD_CARD_IRQ_STAT.bit14 and cause nothing special? (R/W) 8 Enable setting SD_CARD_IRQ_STAT.bit15 and cause CMDTIMEOUT? (R/W) 7-3 Always zero 2 Enable setting SD_CARD_IRQ_STAT.bit2 and cause TXUNDERRUN? (R/W) 1 Always zero 0 Enable setting SD_CARD_IRQ_STAT.bit0 (CardIRQ upon Data1=LOW) (R/W) |
15-13 Always zero 12 TX32RQ IRQ Enable (0=Disable, 1=Enable) (R/W) 11 RX32RDY IRQ Enable (0=Disable, 1=Enable) (R/W) 10 Clear FIFO32 (0=No change, 1=Force FIFO32 Empty) (W) 9 TX32RQ IRQ Flag (0=IRQ, 1=No) (0=FIFO32 Empty) (R) 8 RX32RDY IRQ Flag (0=No, 1=IRQ) (1=FIFO32 Full) (R) 7-2 Always zero 1 Select 16bit/32bit Data Mode (0=DATA16, 1=DATA32, see 40048D8h) (R/W) 0 Always zero |
31-23 0 Always zero 22 KBSY Timeout for CRC status busy ;\STAT.19 21 NWCS Timeout for CRC status (can occur for Data Write) ; (SDTO) 20 NRCS Timeout for Data start-bit, or for Post Data Busy ;/ 19-18 0 Always zero 17 NRS Response Timeout for auto-issued CMD12 ;\STAT.22 16 NCR Response Timeout for non-auto-issued CMD's ;/(SCTO) 15-14 0 Always zero 13 undoc Unknown/undoc (always 1) ;-Always 1 12 0 Always zero 11 WCRCE CRC error for Write CRC status for a write command ;\ 10 RCRCE CRC error for Read Data ; STAT.17 9 SCRCE CRC error for a Response for auto-issued CMD12 ; (SCRC) 8 CCRCE CRC error for a Response for non-auto-issued CMD's ;/ 5 WEBER End bit error for Write CRC status ;\ 4 REBER End bit error for Read Data ; STAT.18 3 SEBER End bit error for Response for auto-issued CMD12 ; (SEND) 2 CEBER End bit error for Response for non-auto-issued CMD's ;/ 1? SCMDE Bad CMD-index in Response of auto-issued CMD12 ;\STAT.16 0 RCMDE Bad CMD-index in Response of non-auto-issued CMD's ;/(SCIX) |
15-1 Always zero 0 WRPROTECT_2 for onboard eMMC (usually/always 0=Unlocked) (R) |
- first acknowledge IF2.bit8 (must be done before next step) - then check for pending IRQs in IRQ_STATUS and DATA32_IRQ, and process all of them |
| DSi SD/MMC I/O Ports: Control Registers |
15-11 Always zero 10 Unknown (should be set on write) (reads as zero) (1=CardIRQ off!) (W) 9-8 Unknown (Always 2 for SD/4004802h, always 1 for SDIO/4004A02h) (R) 7-4 Always zero 3-1 Unknown (read/write-able) (R/W) 0 Port Select (0=SD Card Slot, 1=Onboard eMMC) (for SDIO: Unknown) (R/W) |
15 undoc Bus Width (0=4bit, 1=1bit) (R/W) 14 undoc Unknown (usually set) (R?) 13-9 0 Always zero 8 undoc Unknown (firmware tries to toggle this after CLK change?) (W?) 7-4 RTO Data start/busy timeout (2000h SHL 0..14, or 15=100h SDCLK's)(R/W) 0-3 TO? Unknown (another timeout, maybe for SDIO? in 32KHz units?) (R/W) |
15-11 Always zero ;unlike Toshiba: no HCLK divider-disable in bit15) 10 Unknown (0=Normal, 1=Unknown, doesn't affect SDCLK output?) (R/W) 9 SDCLK Freeze (0=Normal, 1=Freezes SDCLK output) (R/W) 8 SDCLK Pin Enable (0=Force SDCLK=LOW, 1=Output SDCLK=HCLK/n) (R/W) 7-0 HCLK Div (0,1,2,4,8,16,32,64,128 = Div2,4,8,16,32,64,128,256,512) (R/W) |
15-9 Always zero 8 Auto-Stop (1=Automatically send CMD12 after BLK_COUNT blocks) (R/W) 7-1 Always zero 0 Unknown (firmware often clears this bit, but never sets it?) (R/W) |
15-3 Always zero 2 Unknown (always 1) (R?) 1 Unknown (always 1) (though firmware tries to toggle this bit) (R?) 0 SRST Soft Reset (0=Reset, 1=Release) (R/W) |
SD_STOP_INTERNAL_ACTION = 0000h SD_RESPONSE0-7 = zerofilled SD_IRQ_STATUS0-1 = all IRQ flags acknowledged SD_ERROR_DETAIL_STATUS0-1 = all bits cleared (except bit13/always set) SD_CARD_CLK_CTL = bit 8 and 10 cleared SD_CARD_OPTION = 40EEh SD_CARD_IRQ_STAT = 0000h Internal FIFO16 address is reset to first halfword of FIFO_A Reading FIFO16 returns 0000h (but old content reappears when releasing reset) |
| DSi SD/MMC I/O Ports: Unknown/Unused Registers |
15-2 Always zero 1-0 Unknown (0..3) (R/W) |
15-11 Always zero 10-8 Unknown (0..7) (R/W) 7 Always zero 6-4 Unknown (0..7) (R/W) 3-0 Always zero |
400482Ah/4004A2Ah 2 Fixed always zero? 4004832h/4004A32h 2 Fixed always zero? ;(TC6371AF:BUF1 Data MSBs?) 400483Ah/4004A3Ah 2 Fixed always zero? ;(SDCTL_SDIO_HOST_INFORMATION) 400483Ch/4004A3Ch 2 Fixed always zero? ;(SDCTL_ERROR_CONTROL) 400483Eh/4004A3Eh 2 Fixed always zero? ;(TC6387XB: LED_CONTROL) 4004840h/4004A40h 2 Fixed always 003Fh? 4004842h/4004A42h 2 Fixed always 002Ah? 4004844h/4004A44h 6Eh Fixed always zerofilled? 40048B2h/4004AB2h 2 Fixed always FFFFh? 40048B4h/4004AB4h 6 Fixed always zerofilled? 40048BAh/4004ABAh 2 Fixed always 0200h? 40048BCh/4004ABCh 1Ch Fixed always zerofilled? 40048DAh/4004ADAh 6 Fixed always zerofilled? 40048E2h/4004AE2h 2 Fixed always 0009h? ;(RESERVED2/9, TC6371AF:CORE_REV) 40048E4h/4004AE4h 2 Fixed always zero? 40048E6h/4004AE6h 2 Fixed always zero? ;(RESERVED3, TC6371AF:BUF_ADR) 40048E8h/4004AE8h 2 Fixed always zero? ;(TC6371AF:Resp_Header) 40048EAh/4004AEAh 6 Fixed always zerofilled? 40048F0h/4004AF0h 2 Fixed always zero? ;(RESERVED10) 4004902h/4004B02h 2 Fixed always zero? 4004906h/4004B06h 2 Fixed always zero? 400490Ah/4004B0Ah 2 Fixed always zero? 4004910h/4004B10h F0h Fixed always zerofilled? |
| DSi SD/MMC I/O Ports: Misc |
Chip Year Pages Features Toshiba TC6371AF 2000-2002 58 SD/MMC/Smart/PCI (old/basic specs, no SDIO) Toshiba TC6380AF 2001-2002 90 SD/MMC/SDIO/SmartMedia Toshiba TC6387XB 2001-2002 62 SD/MMC/SDIO/SDLED Toshiba TC6391XB 2002 202 SD/MMC/SDIO/SmartMedia/USB/LCD/etc. Toshiba TC6393XB ? ;\unknown features, no datasheet exists (the chips Toshiba T7L66XB ? ;/are mentioned in tmio_mmc.h and tmio_mmc.c source) |
| DSi SD/MMC Protocol: Command/Response/Register Summary |
CMD0 sd/mmc spi GO_IDLE_STATE (CMD0 with arg=stuff) (type=bc) CMD0 mmc GO_PRE_IDLE_STATE (CMD0 with arg=F0F0F0F0h) (type=bc) CMD0 mmc BOOT_INITIATION (CMD0 with arg=FFFFFFFAh, type=N/A) CMD1 sd/mmc spi SEND_OP_COND (On SD Cards: SPI only) CMD2 sd/mmc ALL_GET_CID (type=bcr) CMD3 sd GET_RELATIVE_ADDR (type=bcr) CMD3 mmc SET_RELATIVE_ADDR (type=ac) CMD4 sd/mmc SET_DSR (type=bc) CMD5 sd spi Reserved for I/O cards (see "SDIO Card Specification") CMD5 mmc ? SLEEP_AWAKE (type=ac) (MMC only, IO_SEND_OP_COND on SDIO) CMD7 sd/mmc SELECT_DESELECT_CARD (type=ac) ;actually: (type=bcr) CMD8 sd spi SET_IF_COND (type=bcr) CMD8 mmc spi GET_EXT_CSD (type=adtc) CMD9 sd/mmc spi GET_CSD (type=ac) (SPI: type=adtc) CMD10 sd/mmc spi GET_CID (type=ac) (SPI: type=adtc) CMD11 sd VOLTAGE_SWITCH (type=ac) CMD12 sd/mmc spi STOP_TRANSMISSION (type=ac) CMD13 sd/mmc spi GET_STATUS (type=ac) (sends 16bit status in SPI Mode) CMD14 mmc BUSTEST_R (type=adtc) (MMC only, Reserved on SD) CMD19 mmc BUSTEST_W (type=adtc) (MMC only, SET_TUNING_BLOCK on SD) CMD15 sd/mmc GO_INACTIVE_STATE (type=ac) |
CMD16 sd/mmc spi SET_BLOCKLEN (type=ac) CMD17 sd/mmc spi READ_SINGLE_BLOCK (type=adtc) CMD18 sd/mmc spi READ_MULTIPLE_BLOCK (type=adtc) CMD19 sd SET_TUNING_BLOCK (type=adtc) CMD20 sd SPEED_CLASS_CONTROL (type=ac) CMD22 sd Reserved CMD23 sd/mmc-spi SET_BLOCK_COUNT (type=ac) (SPI supported ONLY on MMC?) |
CMD16 sd/mmc spi SET_BLOCKLEN (type=ac) CMD20 sd SPEED_CLASS_CONTROL (type=ac) CMD23 sd/mmc-spi SET_BLOCK_COUNT (type=ac) (SPI supported ONLY on MMC?) CMD24 sd/mmc spi WRITE_BLOCK (type=adtc) CMD25 sd/mmc spi WRITE_MULTIPLE_BLOCK (type=adtc) CMD26 sd/mmc Reserved For Manufacturer (MMC: PROGRAM_CID) CMD27 sd/mmc spi PROGRAM_CSD (type=adtc) |
CMD28 sd/mmc spi SET_WRITE_PROT (type=ac) CMD29 sd/mmc spi CLR_WRITE_PROT (type=ac) CMD30 sd/mmc spi GET_WRITE_PROT (type=adtc) CMD31 - SD: Reserved CMD31 mmc MMC: SEND_WRITE_PROT_TYPE (type=adtc) |
CMD32 sd spi ERASE_WR_BLK_START (type=ac) CMD33 sd spi ERASE_WR_BLK_END (type=ac) CMD32-34 mmc spi Reserved for compatibility with older MMC cards (uh?) CMD35 mmc spi ERASE_GROUP_START (type=ac) CMD36 mmc spi ERASE_GROUP_END (type=ac) CMD37 mmc spi Reserved for compatibility with older MMC cards (uh?) CMD38 sd/mmc spi ERASE (type=ac) CMD39 - Reserved CMD41 - Reserved |
CMD16 sd/mmc spi SET_BLOCKLEN (type=ac) CMD40 sd Defined by DPS Spec (Data Protection System) (type=adtc) CMD42 sd/mmc spi LOCK_UNLOCK (type=adtc) CMD43-47 - Reserved CMD51 - Reserved |
CMD39-40 mmc MMCA Optional Command, currently not supported CMD55-56 mmc MMCA Optional Command, currently not supported CMD55 sd spi APP_CMD (type=ac) ;\also defined for MMC, CMD56 sd spi GEN_CMD (type=adtc) ;/but ONLY in SPI mode !!?? CMD60-63 sd/mmc spi Reserved for manufacturer |
CMD5 sdio spi SDIO: IO_SEND_OP_COND CMD52 sdio spi SDIO: IO_RW_DIRECT CMD53 sdio spi SDIO: IO_RW_EXTENDED CMD54 - SDIO: Reserved CMD39 mmcio MMCIO: FAST_IO (type=ac) CMD40 mmcio MMCIO: GO_IRQ_STATE (type=bcr) |
CMD6 mmc spi SWITCH (type=ac) ;related to EXT_CSD register CMD6 sd spi SWITCH_FUNC (type=adtc) CMD34-37 sd+spi Reserved for Command Systems from CMD6 ;\SPI CMD50,57 sd+spi Reserved for Command Systems from CMD6 ;/ CMD34-35 sd Reserved ;\ CMD36-37 sd Undoc (description field is held blank) ; Non-SPI CMD50,57 sd Undoc (description field is held blank) ;/ |
CMD21 sd Reserved for DPS Specification (Data Protection System) CMD48 sd READ_EXTR_SINGLE (type=adtc) CMD49 sd WRITE_EXTR_SINGLE (type=adtc) CMD58 sd READ_EXTR_MULTI (type=adtc) ;SPI: READ_OCR CMD59 sd WRITE_EXTR_MULTI (type=adtc) ;SPI: CRC_ON_OFF |
CMD11 mmc READ_DAT_UNTIL_STOP (class 1) (type=adtc) CMD20 mmc WRITE_DAT_UNTIL_STOP (class 3) (type=adtc) |
CMD58 sd/mmc+spi READ_OCR ;SPI-only ;SD Mode: READ_EXTR_MULTI CMD59 sd/mmc+spi CRC_ON_OFF ;SPI-only ;SD Mode: WRITE_EXTR_MULTI |
ACMD6 sd SET_BUS_WIDTH (type=ac) ACMD13 sd spi SD_STATUS (type=adtc) (get 512bit SSR) ACMD22 sd spi GET_NUM_WR_BLOCKS (type=adtc) ACMD23 sd spi SET_WR_BLK_ERASE_COUNT (type=ac) ACMD41 sd spi SD_SEND_OP_COND (type=bcr) ;SPI: reduced functionality ACMD42 sd spi SET_CLR_CARD_DETECT (type=ac) ACMD51 sd spi GET_SCR (type=adtc) ACMD1-5 - Reserved ACMD7-12 - Reserved ACMD14-16 sd Reserved for DPS Specification (Data Protection System) ACMD17 - Reserved ACMD18 sd spi Reserved for SD security applications ACMD19-21 - Reserved ACMD24 - Reserved ACMD25 sd spi Reserved for SD security applications ACMD26 sd spi Reserved for SD security applications ACMD27 - Shall not use this command ACMD28 sd Reserved for DPS Specification (Data Protection System) ACMD29 - Reserved ACMD30-35 sd Reserved for Security Specification ACMD36-37 - Reserved ACMD38 sd spi Reserved for SD security applications ACMD39-40 - Reserved ACMD43-49 sd spi Reserved for SD security applications ACMD52-54 sd Reserved for Security Specification ACMD55 - Not exist (equivalent to CMD55) ACMD56-59 sd Reserved for Security Specification ACMD0 - Unknown/Unused/Undocumented ACMD50 - Unknown/Unused/Undocumented ACMD60-63 - Unknown/Unused/Undocumented |
CSR 32bit sd/mmc spi Card Status: command error & state information OCR 32bit sd/mmc spi Operation Conditions Register CID 128bit sd/mmc spi Card Identification CSD 128bit sd/mmc spi Card-Specific Data (CSD Version 1.0 and 2.0) RCA 16bit sd/mmc Relative Card Address (not used in SPI mode) DSR 16bit sd/mmc spi Driver Stage Register (optional) SSR 512bit sd spi SD Card Status Register: Extended status field SCR 64bit sd spi SD Card Configuration Register EXT_CSD 4096bit mmc spi MMC Extended CSD Register (status & config) PWD 128bit sd/mmc spi Password (Card Lock) (max 16 bytes) PWD_LEN 8bit sd/mmc spi Password Length (0..16 max) (0=no password) |
N/A 0bit CMD0, CMD4, CMD15 No response R1 48bit Normal CMDs/ACMDs 32bit CSR Card Status R1b 48bit Busy CMDs/ACMDs 32bit CSR Card Status (and DATA=busy) R2 136bit CMD9 120bit CSD Card-Specific Data R2 136bit CMD2, CMD10 120bit CID Card Identification R3 48bit ACMD41, MMC:CMD1 32bit OCR Register (without crc7) R4 - - Reserved for SDIO R5 - - Reserved for SDIO R6 48bit CMD3 16bit RCA and cut-down 16bit CSR R7 48bit CMD8 32bit Card interface condition |
R1 8bit Normal CMDs/ACMDs 8bit CSR Card Status R1b 8bit Busy CMDs/ACMDs 8bit CSR Card Status (and DATA=busy) R2 16bit CMD13, ACMD13 16bit CSR Card Status R3 40bit CMD58 8bit CSR and 32bit OCR R4 - - Reserved for SDIO R5 - - Reserved for SDIO R6 - - Reserved R7 40bit CMD8 8bit CSR and 32bit Card interface condition ERROR 8bit Only first 8bit sent upon Illegal Command or Command CRC Error |
CMD17,18 R sd/mmc spi READ_SINGLE_BLOCK, READ_MULTIPLE_BLOCK CMD24,25 W sd/mmc spi WRITE_BLOCK, WRITE_MULTIPLE_BLOCK CMD8 R mmc spi GET_EXT_CSD (4096bit) CMD9 R sd/mmc spi GET_CSD (128bit) ;\in SPI Mode only (Non-SPI mode CMD10 R sd/mmc spi GET_CID (128bit) ;/sends that info as CMD response) ACMD13 R sd spi SD_STATUS (512bit SSR register) ACMD22 R sd spi GET_NUM_WR_BLOCKS (32bit counter) ACMD51 R sd spi GET_SCR (64bit SCR register) CMD14,19 R/W mmc BUSTEST_R, BUSTEST_W CMD19 W? sd SET_TUNING_BLOCK (512bit tuning pattern) CMD27 W sd/mmc spi PROGRAM_CSD (128bit CSD register) CMD30 R sd/mmc spi GET_WRITE_PROT (32bit write-protect flags) CMD31 R mmc GET_WRITE_PROT_TYPE (32x2bit write-protect types) CMD42 W sd/mmc spi LOCK_UNLOCK (password header/data) CMD6 ?? sd spi SWITCH_FUNC CMD40 ? sd Defined by DPS Spec (Data Protection System) CMD48,49 R/W sd READ_EXTR_SINGLE, WRITE_EXTR_SINGLE CMD58,59 R/W sd READ_EXTR_MULTI, WRITE_EXTR_MULTI CMD56 R/W sd spi GEN_CMD CMD11 R mmc READ_DAT_UNTIL_STOP (class 1) (type=adtc) CMD20 W mmc WRITE_DAT_UNTIL_STOP (class 3) (type=adtc) xR1b R sd/mmc spi Busy signal for commands with "R1b" response |
Official Name Renamed ALL_SEND_CID ALL_GET_CID SEND_CID GET_CID SEND_CSD GET_CSD SEND_STATUS GET_STATUS SEND_RELATIVE_ADDR GET_RELATIVE_ADDR SEND_SCR GET_SCR SEND_EXT_CSD GET_EXT_CSD SEND_WRITE_PROT GET_WRITE_PROT SEND_WRITE_PROT_TYPE GET_WRITE_PROT_TYPE SEND_NUM_WR_BLOCKS GET_NUM_WR_BLOCKS SEND_IF_COND SET_IF_COND ;-to card SEND_TUNING_BLOCK SET_TUNING_BLOCK ;-to card SEND_OP_COND ... SD_SEND_OP_COND ... |
CMD0 Terminate SD transaction and reset SD-TRAN state.
CMD3 Returns Device ID in the response instead of RCA
CMD4 Illegal
CMD6 Function Group 1 and 3 are not used.
CMD7 Device ID is set to the argument instead of RCA
CMD13 Device operation is up to implementation during data transfer (eg. CTS)
CMD11 Illegal
CMD12 Normally, TLEN (data length) in UHS-II packet is used to stop data
transfer.
CMD12 Should be used to abort an operation when illegal situation occurs.
CMD15 Illegal
CMD19 Illegal
CMD23 Not Affected. TLEN in UHS-II packet is used to specify data length.
CMD55 Not Affected. ACMD is set by APP field in UHS-II packet.
ACMD6 Illegal
ACMD42 Illegal
|
| DSi SD/MMC Protocol: General Commands |
31-0 stuff bits |
31-12 reserved bits 11-8 supply voltage (VHS) 7-0 check pattern |
47 Start Bit (0) ;\ 46 Transmission To Host (0) ; 1st byte 45-40 Command (the 6bit CMD being responded to) ;/ 39-20 Reserved (zero filled) (20bit) ;\2nd..4th byte 19-16 Voltage accepted (see below) (4bit) ;/ 23-8 Echo-back of check pattern (8bit) ;-5th byte 7-1 CRC7 ;\6th byte 0 End Bit (1) ;/ |
39-32 R1 (8bit Card Status, same as in normal SPI command responses) 31-28 Command version (???) (4bit) 27-12 Reserved (0) (16bit) 11-8 Voltage Accepted (see below) (4bit) 7-0 Echo-back of check pattern (8bit) |
0001b = 2.7-3.6V 0010b = Reserved for Low Voltage Range 0100b = Reserved 1000b = Reserved Others = Not Defined |
31-0 reserved bits (0) |
31-0 stuff bits |
31-16 RCA 15-0 reserved bits (0) |
31-1 stuff bits 0 CRC option (0=off, 1=on) |
31-2 stuff bits 1-0 Bus width for Data transfers (0=1bit, 2=4bit, 1/3=reserved). |
31-1 stuff bits 0 set_cd (0=Disconnect, 1=Connect) |
31-16 RCA (SPI Mode: stuff bits) 15-0 stuff bits |
31-1 stuff bits 0 RD/WR Direction (0=Write to Card, 1=Read from Card) |
General purpose data For SDSC, block length is set via SET_BLOCKLEN command. For SDHC/SDXC, block length is fixed to 512 bytes. |
31-0 stuff bits |
test pattern (2bit per DATA line? eg. 8bit pattern in 4bit-mode?) |
| DSi SD/MMC Protocol: Block Read/Write Commands |
31-0 Block length (for Block Read, Block Write, Lock, and GEN_CMD) |
31-28 Speed Class Control (for Block Read, and Block Write commands) 27-0 Reserved (0) |
31-0 Block Count (MMC: only lower 16bit used, upper 16bit=reserved) |
________________________ Block-Oriented READ Commands ________________________ |
31-0 data address (SDSC: in 1-byte units, SDHC/SDXC: in 512-byte units) |
data |
31-0 data address (SDSC: in 1-byte units, SDHC/SDXC: in 512-byte units) |
data |
31-0 reserved bits (0) |
64 bytes (512bit) tuning pattern is sent for SDR50 and SDR104. |
_______________________ Block-Oriented WRITE Commands _______________________ |
31-0 data address (SDSC: in 1-byte units, SDHC/SDXC: in 512-byte units) |
data |
31-0 data address (SDSC: in 1-byte units, SDHC/SDXC: in 512-byte units) |
data |
31-0 stuff bits |
31-0 Number of the written (without errors) write blocks (32bit) |
31-23 stuff bits 22-0 Number of blocks |
_____________________ Byte-Streaming READ/WRITE Commands _____________________ |
31-0 data address (SDSC: in 1-byte units, SDHC/SDXC: in 512-byte units) |
data |
| DSi SD/MMC Protocol: Special Extra Commands |
_________________________ Write PROTECTION Commands _________________________ |
31-0 data address (SDSC: in 1-byte units, SDHC/SDXC: Unsupported) |
31-0 data address (SDSC: in 1-byte units, SDHC/SDXC: Unsupported) |
31-0 Flags (1=write-protected) (bit0=addressed group, bit1..31=next groups) |
31-0 data address (SDSC: in 1-byte units, SDHC/SDXC: Unsupported) |
63-0 Flags (1=write-protected) (bit0-1=addressed group, bit2..63=next) |
_______________________________ Erase Commands _______________________________ |
31-0 data address (SDSC: in 1-byte units, SDHC/SDXC: in 512-byte units) |
31-0 data address (MMC: in WHAT units?) |
31-0 stuff bits |
________________________________ I/O Commands ________________________________ |
CMD5 SDIO: IO_SEND_OP_COND CMD52 SDIO: IO_RW_DIRECT CMD53 SDIO: IO_RW_EXTENDED |
__________________________ Switch Function Commands __________________________ |
31 Mode (0=Check function, 1=Switch function) 30-24 reserved (All '0') 23-20 function group 6: Reserved (0h or Fh) 19-16 function group 5: Reserved (0h or Fh) 15-12 function group 4: Power Limit ;SPI Mode: Reserved (0h or Fh) 11-8 function group 3: Drive Strength ;SPI Mode: Reserved (0h or Fh) 7-4 function group 2: Command System 3-0 function group 1: Access Mode |
unknown |
________________________ Function Extension Commands ________________________ |
31 MIO (0=Memory, 1=I/O) 30-27 FNO 26 Reserved (0) 25-9 ADDR 8-0 LEN |
whatever |
31 MIO (0=Memory, 1=I/O) 30-27 FNO 26 MW 25-9 ADDR 8-0 LEN/MASK |
whatever |
31 MIO (0=Memory, 1=I/O) 30-27 FNO 26 BUS (0=512B, 1=32KB) 25-9 ADDR 8-0 BUC |
whatever |
31 MIO (0=Memory, 1=I/O) 30-27 FNO 26 BUS (0=512B, 1=32KB) 25-9 ADDR 8-0 BUC |
whatever |
| DSi SD/MMC Protocol: CSR Register (32bit Card Status Register) |
31-16 RCA (SPI Mode: stuff bits) 15-0 stuff bits |
47 Start Bit (0) ;\ 46 Transmission To Host (0) ; 1st byte 45-40 Command (the 6bit CMD being responded to) ;/ 39-8 CSR Card Status Register (32bit) (see below) ;-2nd..5th byte 7-1 CRC7 ;\6th byte 0 End Bit (1) ;/ |
15-0 CSR Card Status Register (16bit) (see below) ;-1st..2nd byte |
Bit Typ Clr Identifier Meaning
31 ERX C OUT_OF_RANGE (1=Command's argument was out of range)
30 ERX C ADDRESS_ERROR (1=Misaligned address/block len mismatch)
29 ERX C BLOCK_LEN_ERROR (1=Wrong block length, bytelen mismatch)
28 ER C ERASE_SEQ_ERROR (1=Error in erase command sequence)
27 ERX C ERASE_PARAM (1=Wrong erease selection of write-blocks)
26 ERX C WP_VIOLATION (1=Write failed due to write-protection)
25 SX A CARD_IS_LOCKED (1=Card is locked by the host)
24 ERX C LOCK_UNLOCK_FAILED (1=Lock/unlock sequence or password error)
23 ER B COM_CRC_ERROR (1=CRC check of previous command failed)
22 ER B ILLEGAL_COMMAND (1=Command not legal for the card state)
21 ERX C CARD_ECC_FAILED (1=Internal error correction failed)
20 ERX C CC_ERROR (1=Internal card controller error)
19 ERX C ERROR (1=General error, or Unknown error)
18 - - Reserved (eMMC: UNDERRUN)
17 - - Reserved (eMMC: OVERRUN) (eSD: DEFERRED_RESPONSE)
16 ERX C CSD_OVERWRITE (1=read-only CSD section doesn't match card
content, or attempted to reverse the
Copy/WP bits)
15 ERX C WP_ERASE_SKIP (1=partial erase error due to write-protect)
14 SX A CARD_ECC_DISABLED (1=Internal error correction wasn't used)
13 SR C ERASE_RESET (1=Erase sequence was aborted)
12-9 SX B CURRENT_STATE (00h..0Fh=state, see below)
8 SX A READY_FOR_DATA (1=Ready/buffer is empty)
7 EX C SWITCH_ERROR (1=SWITCH command refused, MMC only)
6 - - Reserved/Unspecified (description is left blank)
5 SR C APP_CMD (1=Card will expect ACMD)
4 - - Reserved for SD I/O Card
3 ER C AKE_SEQ_ERROR (1=Authentication Sequence Error)
2 - - Reserved for application specific commands
1-0 - - Reserved for manufacturer test mode
|
These bits indicate the OLD state of card when receiving the command, (ie. if the command does change the state, then the NEW state won't be seen until the NEXT command returns the new updated status bits) 00h = idle 01h = ready 02h = ident 03h = stby 04h = tran ;<-- normal state (when waiting for read/write commands) 05h = data ;data read (CMD8,CMD11,CMD17,CMD18,CMD30,CMD56/R) 06h = rcv ;data write (CMD20?,CMD24,CMD25,CMD26,CMD27,CMD42,CMD56/W) 07h = prg ;erase/wprot (CMD6,CMD28,CMD29,CMD38) 08h = dis 09h = btst ;bus test write (CMD19, MMC only) 0Ah = slp ;sleep (CMD5, MMC only) 0Bh-0Eh = reserved 0Fh = reserved for I/O mode (SDIO-only devices, without SD-memory) N/A = ina ;inactive (CMD15) (card is killed, and can't send status) N/A = irq ;interrupt mode (CMD40, MMC only) N/A = pre ;pre-idle (MMC only) |
E: Error bit. S: Status bit. R: Flag may get set within response of current command. X: Flag may get set within response of NEXT command (with R1 response) |
A: According to the card current state.
B: Always related to the previous command. Reception of a valid command
will clear it (with a delay of one command).
C: Clear by read.
|
FIRST BYTE of all SPI Responses: 7 always 0 ;\ 6 parameter error ; These 8bit are returned in ALL normal 5 address error ; SPI commands (with 8bit "R1" response) 4 erase sequence error ; and, 3 com crc error ; the same 8bits are also returned 2 illegal command ; as FIRST BYTE in SPI commands with 1 erase reset ; longer responses 0 in idle state ;/ SECOND BYTE of SPI "R2" Response: 7 out of range, or csd overwrite ;\ 6 erase param ; 5 wp violation ; These extra 8bits are returned 4 card ecc failed ; as SECOND BYTE in SPI commands 3 CC error ; with 16bit "R2" status response 2 error ; (ie. in CMD13 and ACMD13) 1 wp erase skip, or lock/unlock cmd failed ; 0 Card is locked ;/ |
Bits 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12-9 8 5 CMD3 x x x x CMD6 x x x x x x x x CMD7 x x x x x x x x x x x x x x x CMD11 x x x x x CMD12 x x x x x x x x x x x CMD13 x x x x x x x x x x x x x x x x CMD16 x x x x x x x x x x x x x x x CMD17 x x x x x x x x x x x x x x x x CMD18 x x x x x x x x x x x x x x x x CMD19 x x x x x x x x x x x x x x x x CMD20 x x x x x x x x x x x x x x x x x x CMD23 x x x x x x x x x x x x x x x x x CMD24 x x x x x x x x x x x x x x x x x x CMD25 x x x x x x x x x x x x x x x x x x CMD26 x x x x x x x x x x x x x x CMD27 x x x x x x x x x x x x x x CMD28 x x x x x x x x x x x x x x x CMD29 x x x x x x x x x x x x x x x CMD30 x x x x x x x x x x x x x x x CMD32 x x x x x x x x x x x x x x x x CMD33 x x x x x x x x x x x x x x x x CMD38 x x x x x x x x x x x x x x x CMD42 x x x x x x x x x x x x x x CMD48 x x x x x x x x x x x x x x x x x x CMD49 x x x x x x x x x x x x x x x x x x CMD55 x x x x x x x x x x x x x x x CMD56 x x x x x x x x x x x x x x x x CMD58 x x x x x x x x x x x x x x x x x x CMD59 x x x x x x x x x x x x x x x x x x ACMD6 x x x x x x x x x x x x x x x x ACMD13 x x x x x x x x x x x x x x x ACMD22 x x x x x x x x x x x x x x x ACMD23 x x x x x x x x x x x x x x x ACMD42 x x x x x x x x x x x x x x x ACMD51 x x x x x x x x x x x x x x x |
| DSi SD/MMC Protocol: SSR Register (512bit SD Status Register) |
31-0 stuff bits |
511-0 SSR Register (512bit) |
Bits Type Clr Identifier
511-510 SR A DAT_BUS_WIDTH (0..3, see below)
509 SR A SECURED_MODE (0=Normal, 1=Secured) (Part 3 Security Specs)
508-502 - - Reserved for Security Functions (Part 3 Security Specs)
501-496 - - Reserved
495-480 SR A SD_CARD_TYPE (0..FFFFh, see below)
479-448 SR A SIZE_OF_PROTECTED_AREA Size of protected area (see below)
447-440 SR A SPEED_CLASS Speed Class of the card (see below)
439-432 SR A PERFORMANCE_MOVE Performance of move indicated by 1 MB/s step
431-428 SR A AU_SIZE Size of AU (see below)
427-424 - - Reserved
423-408 SR A ERASE_SIZE Number of AUs to be erased at a time
407-402 SR A ERASE_TIMEOUT Timeout value for erasing areas
specified by UNIT_OF_ERASE_AU (see below)
401-400 SR A ERASE_OFFSET Fixed offset value added to erase time
399-396 SR A UHS_SPEED_GRADE Speed Grade for UHS mode (see below)
395-392 SR A UHS_AU_SIZE Size of AU for UHS mode (see below)
391-312 - - Reserved
311-0 - - Reserved for manufacturer
|
00h = 1 bit width (default) 01h = reserved 02h = 4 bit width 03h = reserved |
0000h = Regular SD RD/WR Card 0001h = SD ROM Card 0002h = OTP 0004h,0008h,0010h,0020h,0040h,0080h = Reserved for future variations 01xxh..FFxxh = Reserved for Cards that don't comply to Physical Layer Specs |
Protected Area = SIZE_OF_PROTECTED_AREA_* MULT * BLOCK_LEN. SIZE_OF_PROTECTED_AREA is specified by the unit in MULT*BLOCK_LEN. |
Protected Area = SIZE_OF_PROTECTED_AREA SIZE_OF_PROTECTED_AREA is specified by the unit in byte. |
00h Speed Class 0 01h Speed Class 2 02h Speed Class 4 03h Speed Class 6 04h Speed Class 10 05h-FFh Reserved for future/faster classes |
00h Sequential Write 01h 1 [MB/sec] 02h 2 [MB/sec] ... ... FEh 254 [MB/sec] FFh Infinity |
00h Not Defined 01h 16 KB 02h 32 KB 03h 64 KB 04h 128 KB 05h 256 KB 06h 512 KB 07h 1 MB 08h 2 MB 09h 4 MB 0Ah 8 MB 0Bh 12 MB (!) 0Ch 16 MB 0Dh 24 MB (!) 0Eh 32 MB 0Fh 64 MB |
Card Capacity up to 64MB up to 256MB up to 512MB up to 32GB up to 2TB Maximum AU Size 512 KB 1 MB 2 MB 4 MB1 64MB |
0000h Erase Time-out Calculation is not supported. 0001h 1 AU 0002h 2 AU 0003h 3 AU ... ... FFFFh 65535 AU |
00h Erase Time-out Calculation is not supported. 01h 1 [sec] 02h 2 [sec] 03h 3 [sec] ... ... 3Fh 63 [sec] |
00h 0 [sec] 01h 1 [sec] 02h 2 [sec] 03h 3 [sec] |
00h Less than 10MB/sec 01h 10MB/sec and above 02h-0Fh Reserved |
00h Not Defined 01h-06h Not Used 07h 1 MB 08h 2 MB 09h 4 MB 0Ah 8 MB 0Bh 12 MB (!) 0Ch 16 MB 0Dh 24 MB (!) 0Eh 32 MB 0Fh 64 MB |
| DSi SD/MMC Protocol: OCR Register (32bit Operation Conditions Register) |
31-0 OCR without busy (ie. without the power-up busy flag in bit31) |
31 Reserved (0) ;\special case (applies 30 HCS (Host Capacity Support information) ; to SD-cards in SPI-mode 29-0 Reserved (0) ;/only) |
31-0 stuff bits |
39-32 R1 (8bit Card Status, same as in normal SPI command responses) 31-0 OCR (32bit) |
31 reserved bit 30 HCS(OCR[30]) (Host Capacity Support information) 29 reserved for eSD ;\ 28 XPC Max Power Consumption (watts); SPI Mode: Reserved 27-25 reserved bits ; (ie. only bit30 is used for SPI) 24 S18R ; (ie. ACMD41 is SAME as SPI CMD1 ?) 23-0 VDD Voltage Window(OCR[23-0]) ;/ |
47 Start Bit (0) ;\ 46 Transmission To Host (0) ; 1st byte 45-40 Reserved (111111) (instead of Command value) ;/ 39-8 OCR (32bit) ;-2nd..5th byte 7-1 Reserved (111111) (instead of CRC7) ;\6th byte 0 End Bit (1) ;/ |
XPC=0: 0.36W (100mA at 3.6V on VDD1) (max) but speed class is not supported. XPC=1: 0.54W (150mA at 3.6V on VDD1) (max) and speed class is supported. |
31 Card power up status bit (0=Busy, 1=Ready)
30 Card Capacity Status (CCS) (valid only if above Bit31 indicates Ready)
CCS=0 SDSC Card (addressed in 1-byte units) ;MMC max 2GB
CCS=1 SDHC/SDXC card (addressed in 512-byte units) ;MMC > 2GB
29 UHS-II Card Status
28-25 Reserved
24 Switching to 1.8V Accepted (S18A) (Only UHS-I card supports this bit)
23 3.5-3.6 ;\
22 3.4-3.5 ;
21 3.3-3.4 ;
20 3.2-3.3 ;
19 3.1-3.2 ; VDD Voltage Window
18 3.0-3.1 ;
17 2.9-3.0 ;
16 2.8-2.9 ;
15 2.7-2.8 ;
14-8 Reserved (MMC: 2.0V .. 2.6V) ; ;<-- uh, probably in opposite order?
7 Reserved for Low Voltage Range ;
6-4 Reserved ;
3-0 Reserved ;/
|
| DSi SD/MMC Protocol: CID Register (128bit Card Identification) |
31-0 stuff bits |
31-16 RCA (SPI Mode: stuff bits) 15-0 stuff bits |
135 Start Bit (0) ;\ 134 Transmission To Host (0) ; 1st byte 133-128 Reserved (111111) (instead of Command value) ;/ 127-8 CID (120bit) (15 bytes) ;\aka 128bit ;-2nd..16th byte 7-1 CRC7 ; when including ;\17th byte 0 End Bit (1) ;/CRC7+EndBit ;/ |
127-0 CID (128bit) ... or 120bit ? |
Bit Siz Field Name 127-120 8 MID Manufacturer ID (binary) ;\assigned by SD-3C, LLC 119-104 16 OID OEM/Application ID (ASCII) ;/ 103-64 40 PNM Product name (ASCII) 63-56 8 PRV Product revision (BCD, 00h-99h) (eg 62h = rev 6.2) 55-24 32 PSN Product serial number (32bit) 23-20 4 - Reserved (zero) 19-8 12 MDT Manufacturing date (yymh) (m=1..12, yy=0..255?; +2000) 7-1 7 CRC CRC7 checksum 0 1 1 Stop bit (always 1) |
Bit Siz Field Name 127-120 8 MID Manufacturer ID (binary) ;\assigned by MMCA 119-104 16 OID OEM/Application ID (binary) ;/ ... or ... 127-120 8 MID Manufacturer ID (binary) ;\assigned by MMCA/JEDEC 119-114 6 - Reserved (0) ; 113-112 2 CBX Device (0=Card, 1=BGA, 2=POP) ; 119-104 8 OID OEM/Application ID (binary) ;/ 103-56 48 PNM Product name (ASCII) 55-48 8 PRV Product revision (BCD, 00h-99h) (eg 62h = rev 6.2) 47-16 32 PSN Product serial number (32bit) 15-8 8 MDT Manufacturing date (myh) (m=1..12, y=0..15; +1997) 7-1 7 CRC CRC7 checksum 0 1 1 Stop bit (always 1) |
MY ss ss ss ss 03 4D 30 30 46 50 41 00 00 15 00 ;DSi Samsung KMAPF0000M-S998 MY ss ss ss ss 32 57 37 31 36 35 4D 00 01 15 00 ;DSi Samsung KLM5617EFW-B301 MY ss ss ss ss 30 36 35 32 43 4D 4D 4E 01 FE 00 ;DSi ST NAND02GAH0LZC5 rev30 MY ss ss ss ss 31 36 35 32 43 4D 4D 4E 01 FE 00 ;DSi ST NAND02GAH0LZC5 rev31 MY ss ss ss ss 03 47 31 30 43 4D 4D 00 01 11 00 ;3DS CID |
| DSi SD/MMC Protocol: CSD Register (128bit Card-Specific Data) |
31-16 RCA (SPI Mode: stuff bits) 15-0 stuff bits |
135 Start Bit (0) ;\ 134 Transmission To Host (0) ; 1st byte 133-128 Reserved (111111) (instead of Command value) ;/ 127-8 CSD (120bit) (15 bytes) ;\aka 128bit ;-2nd..16th byte 7-1 CRC7 ; when including ;\17th byte 0 End Bit (1) ;/CRC7+EndBit ;/ |
127-0 CID (128bit) ... or 120bit ? |
31-0 stuff bits |
128-0 CSD register (whole 128bit) (read-only bits must be unchanged) |
Bit Siz Type Name Field Value 127-126 2 R CSD structure version CSD_STRUCTURE 00b 125-122 4 R MMC: System spec version SPEC_VERS .. 125-122 4 R SD: reserved - 0000b 121-120 2 R reserved - 00b 119-112 8 R data read access-time-1 TAAC xxh 111-104 8 R data read access-time-2 NSAC xxh 103-96 8 R max data transfer rate TRAN_SPEED 32h or 5Ah 95-84 12 R card command classes CCC 01x110110101b 83-80 4 R max read data block len READ_BL_LEN xh 79 1 R partial blocks for read allowed READ_BL_PARTIAL 1b 78 1 R write block misalignment WRITE_BLK_MISALIGN xb 77 1 R read block misalignment READ_BLK_MISALIGN xb 76 1 R DSR implemented DSR_IMP xb 75-74 2 R reserved - 00b 73-70 4 R SDHC/SDXC: reserved - 0000b 69-48 22 R SDHC/SDXC: device size C_SIZE ... 47 1 R SDHC/SDXC: reserved - 0 73-62 12 R MMC/SDSC: device size C_SIZE xxxh 61-59 3 R MMC/SDSC: max read current @VDD min VDD_R_CURR_MIN xxxb 58-56 3 R MMC/SDSC: max read current @VDD max VDD_R_CURR_MAX xxxb 55-53 3 R MMC/SDSC: max write current @VDD min VDD_W_CURR_MIN xxxb 52-50 3 R MMC/SDSC: max write current @VDD max VDD_W_CURR_MAX xxxb 49-47 3 R MMC/SDSC: device size multiplier C_SIZE_MULT xxxb 46-42 5 R MMC: Erase Group Size ERASE_GRP_SIZE .. 41-37 5 R MMC: Erase Group Multiplier ERASE_GRP_MULT .. 36-32 5 R MMC: Write Protect Grp Size WP_GRP_SIZE .. 46 1 R SD: erase single block enable ERASE_BLK_EN xb 45-39 7 R SD: erase sector size SECTOR_SIZE xxxxxxxb 38-32 7 R SD: write protect group size WP_GRP_SIZE xxxxxxxb 31 1 R write protect group enable WP_GRP_ENABLE xb 30-29 2 R MMC: Manufacturer default ECC DEFAULT_ECC .. 30-29 2 R SD: reserved (do not use) - 00b 28-26 3 R write speed factor R2W_FACTOR xxxb 25-22 4 R max write data block len WRITE_BL_LEN xxxxb 21 1 R partial blocks for write allowed WRITE_BL_PARTIAL xb 20-17 4 R reserved - 0000b 16 1 R SD: reserved - 0 16 1 R MMC: Content Protection Applicat. CONTENT_PROP_APP .. 15 1 R/W(1) File format group FILE_FORMAT_GRP xb 15 1 R SDHC/SDXC: reserved (FILE_FORMAT_GRP)0 14 1 R/W(1) copy flag COPY xb 13 1 R/W(1) permanent write protection PERM_WRITE_PROTECT xb 12 1 R/W temporary write protection TMP_WRITE_PROTECT xb 11-10 2 R/W(1) File format FILE_FORMAT xxb 11-10 2 R SDHC/SDXC: reserved (FILE_FORMAT) 00b 9-8 2 R/W MMC: ECC Code ECC .. 9-8 2 R/W SDSC: reserved, R/W - 00b 9-8 2 R SDHC/SDXC: reserved, R - 00b 7-1 7 R/W CRC CRC xxxxxxxb 0 1 - not used, always '1' - 1b |
8 16 24 32 40 48 56 64 72 80 88 96 104112120pad ;<--bit numbers 40 40 96 E9 7F DB F6 DF 01 59 0F 2A 01 26 90 00 ;DSi CSD KMAPF0000M-S998 40 40 8E FF 03 DB F6 DF 01 59 0F 32 01 27 90 00 ;DSi CSD KLM5617EFW-B301 00 40 8A E0 BF FF 7F F5 80 59 0F 32 01 2F 90 00 ;DSi CSD NAND02GAH0LZC5 rev30 00 40 8A E0 BF FF 7F F5 80 59 0F 32 01 2F 90 00 ;DSi CSD NAND02GAH0LZC5 rev31 ? 00 ;3DS CSD |
bit name KMAPF0000M KLM5617EFW NAND02GAH0LZC5 112-119 TAAC 26h=1.5ms 27h=15ms 2Fh=20ms 96-103 TRAN_SPEED 2Ah=20MHz 32h=25MHz 32h=25MHz 79 READ_BL_PARTIAL 0=No(?) 0=No(?) 1=Yes 62-73 C_SIZE 77Fh=240MB 77Fh=240MB 3D5h=245.5MB 59-61 VDD_R_CURR_MIN 6=60mA 6=60mA 7=100mA 56-58 VDD_R_CURR_MAX 6=80mA 6=80mA 7=200mA 53-55 VDD_W_CURR_MIN 6=60mA 6=60mA 7=100mA 50-52 VDD_W_CURR_MAX 6=80mA 6=80mA 7=200mA 47-49 C_SIZE_MULT 6=256 6=256 7=512 42-46 ERASE_GRP_SIZE 1Fh=32x32 00h=1x32 1Fh=32x32 32-36 WP_GRP_SIZE 09h=10 1Fh=32 00h=1 26-28 R2W_FACTOR 05h=32x 03h=8x 02h=4x 14 COPY 1=Copy 1=Copy 0=Original |
00h CSD version No. 1.0 MMC Version 1.0 - 1.2 01h CSD version No. 1.1 MMC Version 1.4 - 2.2 02h CSD version No. 1.2 MMC Version 3.1 - 3.2 - 3.31 - 4.0 - 4.1- 4.2 03h Version is coded in the CSD_STRUCTURE byte in the EXT_CSD register |
00h CSD Version 1.0 SDSC (Standard Capacity) 01h CSD Version 2.0 SDHC/SDXC (High Capacity and Extended Capacity) 02h-03h Reserved |
00h MMC System Specification Version 1.0 - 1.2 01h MMC System Specification Version 1.4 02h MMC System Specification Version 2.0 - 2.2 03h MMC System Specification Version 3.1 - 3.2 - 3.31 04h MMC System Specification Version 4.0 - 4.1 - 4.2 05h-0Fh Reserved |
7 Reserved
6-3 Time value
0=reserved, 1=1.0, 2=1.2, 3=1.3, 4=1.5, 5=2.0, 6=2.5, 7=3.0,
8=3.5, 9=4.0, A=4.5, B=5.0, C=5.5, D=6.0, E=7.0, F=8.0
2-0 Time unit
0=1ns, 1=10ns, 2=100ns, 3=1us, 4=10us, 5=100us, 6=1ms, 7=10ms
|
7 Reserved
6-3 Time value
0=reserved, 1=1.0, 2=1.2, 3=1.3, 4=1.5, 5=2.0, 6=2.5, 7=3.0,
8=3.5, 9=4.0, A=4.5, B=5.0, C=5.5, D=6.0, E=7.0, F=8.0
2-0 Transfer rate unit
0=100kbit/s, 1=1Mbit/s, 2=10Mbit/s, 3=100Mbit/s, 4..7=reserved
MMC: same as above, but specified in <Hz> instead of <bits/s>
|
11 Supports Command Class 11 - Function Extension Commands (SD) 10 Supports Command Class 10 - Switch Function Commands (SD) 9 Supports Command Class 9 - I/O Mode Commands (SDIO/MMCIO) 8 Supports Command Class 8 - Application-Specific Commands 7 Supports Command Class 7 - Password Lock Commands 6 Supports Command Class 6 - Block-Oriented Write Protection Commands 5 Supports Command Class 5 - Erase Commands 4 Supports Command Class 4 - Block-Oriented Write Commands 3 Supports Command Class 3 - WRITE_DAT_UNTIL_STOP (MMC) 2 Supports Command Class 2 - Block-Oriented Read Commands 1 Supports Command Class 1 - READ_DAT_UNTIL_STOP (MMC) 0 Supports Command Class 0 - Basic Commands |
3-0 Setting |
00h..08h Reserved 09h Block length 512 Bytes (2^9) 0Ah Block length 1024 Bytes (2^10) 0Bh Block length 2048 Bytes (2^11) 0Ch..0Fh Reserved |
WRITE_BLK_MISALIGN=0 crossing physical block boundaries is invalid WRITE_BLK_MISALIGN=1 crossing physical block boundaries is allowed |
READ_BLK_MISALIGN=0 crossing physical block boundaries is invalid READ_BLK_MISALIGN=1 crossing physical block boundaries is allowed |
DSR_IMP=0 no DSR implemented DSR_IMP=1 DSR implemented |
memory capacity = BLOCKNR * BLOCK_LEN |
BLOCKNR = (C_SIZE+1) * MULT MULT = 2^(C_SIZE_MULT+2) ;(C_SIZE_MULT < 8) BLOCK_LEN = 2^READ_BL_LEN ;(READ_BL_LEN < 12) |
2-0 0=0.5mA, 1=1mA, 2=5mA, 3=10mA, 4=25mA, 5=35mA, 6=60mA, 7=100mA |
2-0 0=1mA, 1=5mA, 2=10mA, 3=25mA, 4=35mA, 5=45mA, 6=80mA, 7=200mA |
2-0 Device Size Factor (0..7 = Factor 4,8,16,32,64,128,256,512) |
Figure 5-1: ERASE_BLK_EN = 0 Example
Physical Block (per CSD)
0 1 2 3 4 5 6
0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789
<----- Host Erase Address Range ------->
<---------- Erase Area ---------------------------------------------->
<---------- Erase Unit Size ------><------- Erase Unit Size --------->
|
Figure 5-2: ERASE_BLK_EN = 1 Example
Physical Block (per CSD)
0 1 2 3 4 5 6
0123456789 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789
<----- Host Erase Address Range ------->
<----- Erase Area --------------------->
|
size of erasable unit = (ERASE_GRP_SIZE + 1) * (ERASE_GRP_MULT + 1) |
ECC ECC type Maximum number of correctable bits per block 00h None (default) Mone 01h BCH (542,512) 3 02h-03h Reserved - |
2-0 Multiples of read access time (0..5=Mul 1,2,4,8,16,32, 6..7=Reserved) |
3-0 Block Length |
00h..08h Reserved 09h 512 bytes (2^9) 0Ah 1024 Bytes (2^10) 0Bh 2048 Bytes (2^11) 0Ch..0Fh Reserved |
FILE_FORMAT_GRP FILE_FORMAT Type
0 0 Hard disk-like file system with partition table
0 1 DOS FAT (floppy-like) with boot sector only
(no partition table)
0 2 Universal File Format
0 3 Others/Unknown
1 0, 1, 2, 3 Reserved
|
| DSi SD/MMC Protocol: CSD Register (128bit Card-Specific Data) Version 2.0 |
Bit Siz Type Name Field Value 127-126 2 R CSD structure CSD_STRUCTURE 01b 125-120 6 R reserved - 000000b 119-112 8 R data read access-time-1 (TAAC) 0Eh 111-104 8 R data read access-time-2 (NSAC) 00h 103-96 8 R max data transfer rate (TRAN_SPEED) 32h,5Ah,0Bh,2Bh 95-84 12 R card command classes CCC x1x110110101b 83-80 4 R max read data block length (READ_BL_LEN) 9 79 1 R partial blocks for read allowed (READ_BL_PARTIAL) 0 78 1 R write block misalignment (WRITE_BLK_MISALIGN) 0 77 1 R read block misalignment (READ_BLK_MISALIGN) 0 76 1 R DSR implemented DSR_IMP x 75-70 6 R reserved - 000000b 69-48 22 R device size C_SIZE xxxxxxh 47 1 R reserved - 0 46 1 R erase single block enable (ERASE_BLK_EN) 1 45-39 7 R erase sector size (SECTOR_SIZE) 7Fh 38-32 7 R write protect group size (WP_GRP_SIZE) 00h 31 1 R write protect group enable (WP_GRP_ENABLE) 0 30-29 2 R reserved - 00b 28-26 3 R write speed factor (R2W_FACTOR) 010b 25-22 4 R max write data block length (WRITE_BL_LEN) 9 21 1 R partial blocks for write allowed (WRITE_BL_PARTIAL) 0 20-16 5 R reserved - 00000b 15 1 R File format group (FILE_FORMAT_GRP) 0 14 1 R/W(1) copy flag COPY x 13 1 R/W(1) permanent write protection PERM_WRITE_PROTECT x 12 1 R/W temporary write protection TMP_WRITE_PROTECT x 11-10 2 R File format (FILE_FORMAT) 00b 9-8 2 R reserved - 00b 7-1 7 R/W CRC CRC xxh 0 1 - not used, always '1' - 1 |
memory capacity = (C_SIZE+1) * 512KByte |
32h SDSC/SDHC/SDXC in Default Speed mode (25MHz) 5Ah SDSC/SDHC/SDXC in High Speed mode (50MHz) 0Bh SDHC/SDXC in SDR50 or DDR50 mode (100Mbit/sec) 2Bh SDHC/SDXC in SDR104 mode (200Mbit/sec) |
| DSi SD/MMC Protocol: EXT_CSD Register (4096bit Extended CSD Register) (MMC) |
31-0 stuff bits |
4095-0 EXT_CSD Register (4096bit) |
31-26 6bit Reserved (0)
25-24 2bit Access
00h Change Command Set (EXT_CSD[191] = parameter bit2-0)
01h Set bits (EXT_CSD[index] = EXT_CSD[index] OR value)
02h Clr bits (EXT_CSD[index] = EXT_CSD[index] AND NOT value)
03h Write (EXT_CSD[index] = value)
23-16 8bit Index (0..191) ;\used only if "Access=1..3"
15-8 8bit Value (0..255) ;/
7-3 5bit Reserved (0)
2-0 3bit Cmd Set (0..7) ;-used only if "Access=0"
|
Properties Segment
Byte Siz Type Name Field
511-505 7 - Reserved(1) -
504 1 R Supported Command Sets S_CMD_SET
503-216 288 - Reserved(1) -
215-212 4 R moviNAND only: Sector Count SEC_COUNT
211 1 - Reserved -
Minimum Write Performance for
210 1 R 8bit @52MHz MIN_PERF_W_8_52
Minimum Read Performance for
209 1 R 8bit @52MHz MIN_PERF_R_8_52
Minimum Write Performance for
208 1 R 8bit @26MHz / 4bit @52MHz MIN_PERF_W_8_26_4_52
Minimum Read Performance for
207 1 R 8bit @26MHz / 4bit @52MHz MIN_PERF_R_8_26_4_52
Minimum Write Performance for
206 1 R 4bit @26MHz MIN_PERF_W_4_26
Minimum Read Performance for
205 1 R 4bit @26MHz MIN_PERF_R_4_26
204 1 - Reserved(1) -
203 1 R Power Class for 26MHz @ 3.6V PWR_CL_26_360
202 1 R Power Class for 52MHz @ 3.6V PWR_CL_52_360
201 1 R Power Class for 26MHz @ 1.95V PWR_CL_26_195
200 1 R Power Class for 52MHz @ 1.95V PWR_CL_52_195
199-197 3 - Reserved(1) -
196 1 R Card Type CARD_TYPE
195 1 - Reserved(1) -
194 1 R CSD Structure Version CSD_STRUCTURE
193 1 - Reserved(1) -
192 C0h 1 R Extended CSD Revision EXT_CSD_REV
Modes Segment
191 BFh 1 R/W Command Set CMD_SET
190 BEh 1 - Reserved(1) -
189 BDh 1 RO Command Set Revision CMD_SET_REV
188 BCh 1 - Reserved(1) -
187 BBh 1 R/W Power Class POWER_CLASS
186 BAh 1 - Reserved(1) -
185 B9h 1 R/W High Speed Interface Timing HS_TIMING
184 B8h 1 - Reserved(1) -
183 B7h 1 WO Bus Width Mode BUS_WIDTH
182 B6h ? ?
181 B5h 1 - Reserved -
180 B h 1 RO moviNAND only: Erased Memory Content ERASED_MEM_CONT
180-0 181 - Reserved(a) -
|
Bit Command Set 7-5 Reserved 4 moviNAND only: ATA on MMC 3 moviNAND only: SecureMCC 2.0 2 Content Protection SecureMMC 1 SecureMMC 0 Standard MMC |
Value Performance
0x00 For Cards not reaching the 2.4MB/s minimum value
0x08 Class A: 2.4MB/s and is the lowest allowed value for MMCplus and
MMCmobile(16x150kB/s)
0x0A Class B: 3.0MB/s and is the next allowed value (20x150kB/s)
0x0F Class C: 4.5MB/s and is the next allowed value (30x150kB/s)
0x14 Class D: 6.0MB/s and is the next allowed value (40x150kB/s)
0x1E Class E: 9.0MB/s and is the next allowed value (60x150kB/s)
This is also the highest class which any MMCplus or MMCmobile card
is needed to support in low bus category operation mode (26MHz with
4bit data bus).
A MMCplus or MMCmobile card supporting any higher class than this
have to support this class also (in low category bus operation mode).
0x28 Class F: Equals 12.0MB/s and is the next allowed value (80x150kB/s)
0x32 Class G: Equals 15.0MB/s and is the next allowed value (100x150kB/s)
0x3C Class H: Equals 18.0MB/s and is the next allowed value (120x150kB/s)
0x46 Class J: Equals 21.0MB/s and is the next allowed value (140x150kB/s)
This is also the highest class which any MMCplus or MMCmobile card
is needed to support in mid bus category operation mode (26MHz with
8bit data bus or 52MHz with 4bit data bus).
A MMCplus or MMCmobile card supporting any higher class than this
have to support this Class (in mid category bus operation mode) and
Class E also (in low category bus operation mode).
0x50 Class K: Equals 24.0MB/s and is the next allowed value (160x150kB/s)
0x64 Class M: Equals 30.0MB/s and is the next allowed value (200x150kB/s)
0x78 Class O: Equals 36.0MB/s and is the next allowed value (240x150kB/s)
0x8C Class R: Equals 42.0MB/s and is the next allowed value (280x150kB/s)
0xA0 Class T: Equals 48.0MB/s and is the last defined value (320x150kB/s)
|
Voltage Value Max RMS Current Max Peak Current Remarks
3.6V 0 100 mA 200 mA Default current
1 120 mA 220 mA consumption for
2 150 mA 250 mA high voltage cards
3 180 mA 280 mA
4 200 mA 300 mA
5 220 mA 320 mA
6 250 mA 350 mA
7 300 mA 400 mA
8 350 mA 450 mA
9 400 mA 500 mA
10 450 mA 550 mA
11-15 Reserved for future use
1.95V 0 65 mA 130 mA Default current
1 70 mA 140 mA consumption for
2 80 mA 160 mA Dual voltage cards
3 90 mA 180 mA (if any, not moviNAND)
4 100 mA 200 mA
5 120 mA 220 mA
6 140 mA 240 mA
7 160 mA 260 mA
8 180 mA 280 mA
9 200 mA 300 mA
10 250 mA 350 mA
6-15 Reserved for future use
|
- Maximum bus frequency - Maximum operating voltage - Worst case functional operation - Worst case environmental parameters (temperature,...) |
Bit Card Type 7-2 Reserved 1 High Speed MultiMediaCard @ 52MHz 0 High Speed MultiMediaCard @ 26MHz |
CSD_STRUCTURE CSD structure version Valid for System Specification Version 0 CSD version No. 1.0 Version 1.0 - 1.2 1 CSD version No. 1.1 Version 1.4 - 2.2 2 CSD version No. 1.2 Version 3.1-3.2-3.31-4.0-4.1-4.2 3 Reserved for future use 4-255 Reserved for future use |
EXT_CSD_REV Extended CSD Revision 0 Revision 1.0 1 Revision 1.1 2 Revision 1.2 (moviNAND) 3-255 Reserved |
Code MMC Revisions 0 v4.0 1-255 Reserved |
Bits Description 7-4 Reserved 3-0 Card power class code (See Table 5-29) |
Value Bus Mode 0 1 bit data bus (MMC, with old 7pin connector) 1 4 bit data bus (MMCplus, with SD-card-compatible 9pin connector) 2 8 bit data bus (MMCplus, with special 13pin connector) 3-255 Reserved |
Value Erased Memory content 00h Erased memory range shall be '0' 01h Erased memory range shall be '1' 02h-FFh Reserved |
| DSi SD/MMC Protocol: RCA Register (16bit Relative Card Address) |
31-0 stuff bits |
47 Start Bit (0) ;\ 46 Transmission To Host (0) ; 1st byte 45-40 Command (the 6bit CMD being responded to) ;/ 39-24 New published RCA of the card ;-16bit ;-2nd..3th byte 23-22 CSR Card Status, bit 23-22 ;\ ;\ 21 CSR Card Status, bit 19 ; 16bit ; 4nd..5th byte 20-8 CSR Card Status, bit 12-0 ;/ ;/ 7-1 CRC7 ;\6th byte 0 End Bit (1) ;/ |
31-16 RCA 15-0 stuff bits |
31-16 RCA 15-0 stuff bits |
31-16 RCA 15 Sleep/Awake flag (0=Awake/stby, 1=Sleep/slp) 14-0 stuff bits |
CMD0 sd/mmc spi GO_IDLE_STATE (type=bc) CMD2 sd/mmc ALL_GET_CID (type=bcr) CMD3 sd GET_RELATIVE_ADDR (type=bcr) CMD4 sd/mmc SET_DSR (type=bc) CMD7 sd/mmc SELECT_DESELECT_CARD (type=ac) ;actually: (type=bcr) CMD8 sd spi SET_IF_COND (type=bcr) ACMD41 sd spi SD_SEND_OP_COND (type=bcr) ;SPI: reduced functionality |
| DSi SD/MMC Protocol: DSR Register (16bit Driver Stage Register) (Optional) |
31-16 DSR 15-0 stuff bits |
| DSi SD/MMC Protocol: SCR Register (64bit SD Card Configuration Register) |
31-0 stuff bits |
63-0 SCR Register (8bytes, aka 64bit) |
Bit Siz Typ Description Field ;common 63-60 4 R SCR Structure SCR_STRUCTURE ;\00h or 59-56 4 R SD Memory Card - Spec. Version SD_SPEC ;/01h 55 1 R data_status_after erases DATA_STAT_AFTER_ERASE ;\ 54-52 3 R CPRM Security Support SD_SECURITY ; A5h 51-48 4 R DAT Bus widths supported SD_BUS_WIDTHS ;/ 47 1 R Spec. Version 3.00 or higher SD_SPEC3 ;\ 46-43 4 R Extended Security Support EX_SECURITY ; 0000h 42 1 R Spec. Version 4.00 or higher SD_SPEC4 ; 41-36 6 R Reserved - ; 35-32 4 R Command Support bits CMD_SUPPORT ;/ 31-0 32 R reserved for manufacturer usage - ;-var |
SCR_STRUCTURE SCR Structure Version SD Physical Layer Specification Version 00h SCR version 1.0 Version 1.01-4.00 01h..0Fh reserved |
SD_SPEC SD_SPEC3 SD_SPEC4 Physical Layer Specification Version Number
0 0 0 Version 1.0 and 1.01
1 0 0 Version 1.10
2 0 0 Version 2.00
2 1 0 Version 3.0X
2 1 1 Version 4.XX
Others Reserved
|
(1) The card does not support CMD6 (2) The card does not support CMD8 (3) User area capacity shall be up to 2GB |
(1) The card shall support CMD6 (2) The card does not support CMD8 (3) User area capacity shall be up to 2GB |
(1) The card shall support CMD6 (2) The card shall support CMD8 (3) The card shall support CMD42 (4) User area capacity shall be up to 2GB (SDSC) or 32GB (SDHC) (5) Speed Class shall be supported (SDHC) |
(1) The card shall support CMD6
(2) The card shall support CMD8
(3) The card shall support CMD42
(4) User area capacity shall be up to 2GB (SDSC) or 32GB (SDHC)
User area capacity shall be more than or equal to 32GB and up to 2TB (SDXC)
(5) Speed Class shall be supported (SDHC or SDXC)
|
A card supports any of following functions shall satisfy essential conditions of Version 3.00 Card (1) Speed Class supported under the conditions defined in Version 3.00 (2) UHS-I supported card (3) CMD23 supported card |
(1) Same as the essential conditions of Version 3.00 device
(2) Support any of additional functions defined by Version 4.XX:
Followings functions (a) to (c) are defined by Version 4.00.
(a) Support of CMD48 and CMD49
(b) Support of UHS-II mode
(c) Support of DPS (Data Protection System)
Followings functions (d) to (f) are defined by Version 4.10.
(d) Support of CMD58 and CMD59
(e) Support of Power Management Functions
(f) Support of Speed Grade 1 for UHS-II mode
|
00h No Security 01h Not Used 02h SDSC Card (CPRM Security Version 1.01) 03h SDHC Card (CPRM Security Version 2.00) 04h SDXC Card (CPRM Security Version 3.xx) 05h-07h Reserved |
SDSC Card sets this field to 2 (Version 1.01). SDHC Card sets this field to 3 (Version 2.00). SDXC Card sets this field to 4 (Version 3.xx). |
Bit 3 Reserved Bit 2 4 bit (DAT0-3) Bit 1 Reserved Bit 0 1 bit (DAT0) |
00h Extended Security is not supported.
01h..0Fh Extended Security is supported. SCR[44-43] is defined by the
Part A4 Data Protection System Specification. SCR[46-45] is
reserved for future extension.
|
Bit Supported Command Command CCC Remark 35 Extension Register Multi-Block CMD58/59 11 Optional. 34 Extension Register Single Block CMD48/49 11 Optional. 33 Set Block Count CMD23 2,4 Mandatory for UHS104 card 32 Speed Class Control CMD20 2,4 Mandatory for SDXC card |
| DSi SD/MMC Protocol: PWD Register (128bit Password plus 8bit Password len) |
Defined by DPS Spec. |
unknown |
31-0 Reserved bits (0) |
Note: Before using this command, the size of the following data block (ie.
"1st..Nth/Extra" byte) must be set via SET_BLOCKLEN command (CMD16).
1st byte: Flags
Bit7-4 Reserved (0)
Bit3 ERASE Force Erase (1=Erase WHOLE CARD and clear password)
Bit1 LOCK_UNLOCK Lock card (0=Unlock, 1=Lock) (default on power up: Lock)
Bit1 CLR_PWD Clears password (0=no, 1=yes)
Bit0 SET_PWD Set new password (0=no, 1=yes)
2nd byte: PWDS_LEN Length of the Password(s) in bytes ("3rd..Nth" byte)
3rd..Nth byte: Password (old password, if SET_PWD: followed by new password)
Extra byte: Alignment padding (only in DDR50 mode, if above is odd num bytes)
|
| DSi SD/MMC Protocol: State |
Command old state --> idle readyidentstby tran data rcv prg dis ina
DONE Operation Complete ---- ---- ---- ---- ---- tran ---- tran stby ----
class 0
CMD0 GO_IDLE_STATE ok idle idle idle idle idle idle idle idle ----
CMD2 ALL_SEND_CID ---- ident---- ---- ---- ---- ---- ---- ---- ----
CMD3 SEND_RELATIVE_ADDR ---- ---- stby ok ---- ---- ---- ---- ---- ----
CMD4 SET_DSR ---- ---- ---- ok ---- ---- ---- ---- ---- ----
CMD7 SELECT_DESELECT_CARD
card is addressed ---- ---- ---- tran ---- ---- ---- ---- prg ----
card is not addr. ---- ---- ---- ok stby stby ---- dis ---- ----
CMD8 SEND_IF_COND ok ---- ---- ---- ---- ---- ---- ---- ---- ----
CMD9 SEND_CSD ---- ---- ---- ok ---- ---- ---- ---- ---- ----
CMD10 SEND_CID ---- ---- ---- ok ---- ---- ---- ---- ---- ----
CMD11 VOLTAGE_SWITCH ---- ok ---- ---- ---- ---- ---- ---- ---- ----
CMD12 STOP_TRANSMISSION ---- ---- ---- ---- ---- tran prg ---- ---- ----
CMD13 SEND_STATUS ---- ---- ---- ok ok ok ok ok ok ----
CMD15 GO_INACTIVE_STATE ---- ---- ---- ina ina ina ina ina ina ----
class 2
CMD16 SET_BLOCKLEN ---- ---- ---- ---- ok ---- ---- ---- ---- ----
CMD17 READ_SINGLE_BLOCK ---- ---- ---- ---- data ---- ---- ---- ---- ----
CMD18 READ_MULTIPLE_BLOCK ---- ---- ---- ---- data ---- ---- ---- ---- ----
CMD19 SEND_TUNING_BLOCK ---- ---- ---- ---- data ---- ---- ---- ---- ----
CMD20 SPEED_CLASS_CONTROL ---- ---- ---- ---- prg ---- ---- ---- ---- ----
CMD23 ---- ---- ---- ---- ok ---- ---- ---- ---- ----
class 4
CMD16 SET_BLOCKLEN (2)---- ---- ---- ---- ok ---- ---- ---- ---- ----
CMD20 SPEED_CLASS_CONTROL(2)---- ---- ---- ---- prg ---- ---- ---- ---- ----
CMD23 SET_BLOCK_COUNT ---- ---- ---- ---- ok ---- ---- ---- ---- ----
CMD24 WRITE_BLOCK ---- ---- ---- ---- rcv ---- ---- ---- ---- ----
CMD25 WRITE_MULTIPLE_BLOCK ---- ---- ---- ---- rcv ---- ---- ---- ---- ----
CMD27 PROGRAM_CSD ---- ---- ---- ---- rcv ---- ---- ---- ---- ----
class 6
CMD28 SET_WRITE_PROT ---- ---- ---- ---- prg ---- ---- ---- ---- ----
CMD29 CLR_WRITE_PROT ---- ---- ---- ---- prg ---- ---- ---- ---- ----
CMD30 SEND_WRITE_PROT ---- ---- ---- ---- data ---- ---- ---- ---- ----
class 5
CMD32 ERASE_WR_BLK_START ---- ---- ---- ---- ok ---- ---- ---- ---- ----
CMD33 ERASE_WR_BLK_END ---- ---- ---- ---- ok ---- ---- ---- ---- ----
CMD38 ERASE ---- ---- ---- ---- prg ---- ---- ---- ---- ----
class 7
CMD40 Read Block (DPS Spec) ---- ---- ---- ---- data ---- ---- ---- ---- ----
CMD42 LOCK_UNLOCK ---- ---- ---- ---- rcv ---- ---- ---- ---- ----
class 8
CMD55 APP_CMD ok ---- ---- ok ok ok ok ok ok ----
CMD56 GEN_CMD, RD/WR=0 ---- ---- ---- ---- rcv ---- ---- ---- ---- ----
GEN_CMD, RD/WR=1 ---- ---- ---- ---- data ---- ---- ---- ---- ----
ACMD6 SET_BUS_WIDTH ---- ---- ---- ---- ok ---- ---- ---- ---- ----
ACMD13 SD_STATUS ---- ---- ---- ---- data ---- ---- ---- ---- ----
ACMD22 SEND_NUM_WR_BLOCKS ---- ---- ---- ---- data ---- ---- ---- ---- ----
ACMD23 SET_WR_BLK_ERASE_CO. ---- ---- ---- ---- ok ---- ---- ---- ---- ----
ACMD41 SD_SEND_OP_COND
OCR check is OK
and card is not busy ready---- ---- ---- ---- ---- ---- ---- ---- ----
OCR check is OK
and card is busy(2) ok ---- ---- ---- ---- ---- ---- ---- ---- ----
OCR check fails
query mode ina ---- ---- ---- ---- ---- ---- ---- ---- ----
ACMD42 SET_CLR_CARD_DETECT ---- ---- ---- ---- ok ---- ---- ---- ---- ----
ACMD51 SEND_SCR ---- ---- ---- ---- data ---- ---- ---- ---- ----
class 9
class 10 (1)
CMD6 SWITCH_FUNC ---- ---- ---- ---- data ---- ---- ---- ---- ----
class 11
CMD48 READ_EXTR_SINGLE ---- ---- ---- ---- data ---- ---- ---- ---- ----
CMD49 WRITE_EXTR_SINGLE ---- ---- ---- ---- rcv ---- ---- ---- ---- ----
CMD58 READ_EXTR_MULTI ---- ---- ---- ---- data ---- ---- ---- ---- ----
CMD59 WRITE_EXTR_MULTI ---- ---- ---- ---- rcv ---- ---- ---- ---- ----
ACMD14-16 Refer to DPS Specification (class 8)
ACMD28 Refer to DPS Specification (class 8)
ACMD18,25,26,38,
43,44,45,46,47,48,49 Refer to the "Part3 Security Specification" for
information about the SD Security Features (class 8)
CMD52-CMD54 Refer to the "SDIO Card Specification" (class 9)
CMD21 Refer to DPS Specification (class 11)
CMD34-37,50,57 Refer to each command system specification (class 10)
CMD41,CMD43-47 reserved (class 11)
CMD60...CMD63 reserved for manufacturer (class 11)
SPI Mode
CMD1 SEND_OP_COND SPI-only
CMD58 READ_OCR SPI-only
CMD59 CRC_ON_OFF SPI-only
|
- Card executes internal initialization process - When HCS in the argument is set to 0 to SDHC or SDXC Card. |
---- command is treated as illegal command ok command is accepted, and card stays in SAME state xxx command is accepted, and card switches to "xxx" state |
Command old state --> idl rdy idt stb trn dta tst rcv prg dis ina slp irq
Class Independent
ERR CRC error --- --- --- --- --- --- --- --- --- --- --- --- stb
ERR command not supported--- --- --- --- --- --- --- --- --- --- --- --- stb
Class 0
CMD0 (arg=00000000h) ok idl idl idl idl idl idl idl idl idl --- idl stb
GO_IDLE_STATE
CMD0 (arg=F0F0F0F0h) pre pre pre pre pre pre pre pre pre pre --- pre stb
GO_PRE_IDLE_STATE
CMD0 (arg=FFFFFFFAh) initiate alternative boot operation
BOOT_INITIATION
CMD1 SEND_OP_COND
card VDD range ok rdy --- --- --- --- --- --- --- --- --- --- --- stb
card is busy ok --- --- --- --- --- --- --- --- --- --- --- stb
card VDD range bad ina --- --- --- --- --- --- --- --- --- --- --- stb
CMD2 ALL_SEND_CID
card wins bus --- idt --- --- --- --- --- --- --- --- --- --- stb
card loses bus --- ok --- --- --- --- --- --- --- --- --- --- stb
CMD3 SET_RELATIVE_ADDR --- --- stb --- --- --- --- --- --- --- --- --- stb
CMD4 SET_DSR --- --- --- ok --- --- --- --- --- --- --- --- stb
CMD5 SLEEP_AWAKE --- --- --- slp -?- -?- -?- -?- -?- -?- -?- stb stb
CMD6 SWITCH --- --- --- --- prg --- --- --- --- --- --- --- stb
CMD7 SELECT_DESELECT_CARD
card is addressed --- --- --- trn --- --- --- --- --- prg --- --- stb
card is not addr. --- --- --- --- stb stb --- --- dis --- --- --- stb
CMD8 SEND_EXT_CSD --- --- --- --- dta --- --- --- --- --- --- --- stb
CMD9 SEND_CSD --- --- --- ok --- --- --- --- --- --- --- --- stb
CMD10 SEND_CID --- --- --- ok --- --- --- --- --- --- --- --- stb
CMD12 STOP_TRANSMISSION --- --- --- --- --- trn --- prg --- --- --- --- stb
CMD13 SEND_STATUS --- --- --- ok ok ok ok ok ok ok --- --- stb
CMD14 BUSTEST_R --- --- --- --- --- --- trn --- --- --- --- --- stb
CMD15 GO_INACTIVE_STATE --- --- --- ina ina ina ina ina ina ina --- --- stb
CMD19 BUSTEST_W --- --- --- --- tst --- --- --- --- --- --- --- stb
Class 1
CMD11 READ_DAT_UNTIL_STOP --- --- --- --- dta --- --- --- --- --- --- --- stb
Class 2
CMD16 SET_BLOCKLEN --- --- --- --- ok --- --- --- --- --- --- --- stb
CMD17 READ_SINGLE_BLOCK --- --- --- --- dta --- --- --- --- --- --- --- stb
CMD18 READ_MULTIPLE_BLOCK --- --- --- --- dta --- --- --- --- --- --- --- stb
CMD23 SET_BLOCK_COUNT --- --- --- --- ok --- --- --- --- --- --- --- stb
Class 3
CMD20 WRITE_DAT_UNTIL_STOP--- --- --- --- rcv --- --- --- --- --- --- --- stb
Class 4
CMD16 SET_BLOCKLEN see class 2
CMD23 SET_BLOCK_COUNT see class 2
CMD24 WRITE_BLOCK --- --- --- --- rcv --- --- --- rcv1--- --- --- stb
CMD25 WRITE_MULTIPLE_BL. --- --- --- --- rcv --- --- --- rcv2--- --- --- stb
CMD26 PROGRAM_CID --- --- --- --- rcv --- --- --- --- --- --- --- stb
CMD27 PROGRAM_CSD --- --- --- --- rcv --- --- --- --- --- --- --- stb
Class 6
CMD28 SET_WRITE_PROT --- --- --- --- prg --- --- --- --- --- --- --- stb
CMD29 CLR_WRITE_PROT --- --- --- --- prg --- --- --- --- --- --- --- stb
CMD30 SEND_WRITE_PROT --- --- --- --- dta --- --- --- --- --- --- --- stb
CMD31 SEND_WRITE_PROT_TYPE--- --- --- --- dta --- --- --- --- --- --- --- stb
Class 5
CMD35 ERASE_GROUP_START --- --- --- --- ok --- --- --- --- --- --- --- stb
CMD36 ERASE_GROUP_END --- --- --- --- ok --- --- --- --- --- --- --- stb
CMD38 ERASE --- --- --- --- prg --- --- --- --- --- --- --- stb
Class 7
CMD16 SET_BLOCKLEN see class 2
CMD42 LOCK_UNLOCK --- --- --- --- rcv --- --- --- --- --- --- --- stb
Class 8
CMD55 APP_CMD --- --- --- ok ok ok ok ok ok ok --- --- ok
CMD56 GEN_CMD, RD/WR=0 --- --- --- --- rcv --- --- --- --- --- --- --- stb
GEN_CMD, RD/WR=1 --- --- --- --- dta --- --- --- --- --- --- --- stb
Class 9
CMD39 FAST_IO --- --- --- ok --- --- --- --- --- --- --- --- stb
CMD40 GO_IRQ_STATE --- --- --- irq --- --- --- --- --- --- --- --- stb
Class 10-11
CMD41, CMD43..CMD54 Reserved
CMD57..CMD59 Reserved
CMD60..CMD63 Reserved for Manufacturer
SPI Mode
CMD58 READ_OCR SPI-only
CMD59 CRC_ON_OFF SPI-only
|
pre Pre-idle idl idle rdy ready idt ident stb stby trn tran dta data tst btst |
| DSi SD/MMC Protocol: Signals |
__ start bit __ checksum bits (CRC-CCITT)
| |
| <------------data bits-------------> | __ stop bit
| | |
DAT0 0 1st 2nd 3rd 4th 5th 6th 7th ... last crc 1
|
__ start bit __ checksum bits (CRC-CCITT)
| |
| <--data bits--> | __ stop bit
| | |
DAT3 0 1st 5th ... ... crc 1
DAT2 0 2nd 6th ... ... crc 1
DAT1 0 3rd 7th ... ... crc 1
DAT0 0 4th 8th ... last crc 1
|
| DSi SDIO Special SDIO Commands |
31 R/W Flag (0=Read, 1=Write) 30-28 Function Number (3bit) 27 Read-after-write (RAW) Flag (if Bit31=1=Write, and Bit27=1) 26 Stuff (unspecified, should be probably 0, but is 1 on DSi) 25-9 Register Address (17bit) 8 Stuff (unspecified, should be probably 0, but is 1 on DSi) 7-0 Write Data (8bit), or Stuff bits (for read) |
47 Start Bit (0) ;\
46 Transmission To Host (0) ; 1st byte
45-40 Command (the 6bit CMD being responded to) ;/
39-24 Stuff Bits ;-2nd..3rd byte
23-16 Response Flags ;-4th byte
7 COM_CRC_ERROR
6 ILLEGAL_COMMAND
5-4 IO_CURRENT STATE (0=dis, 1=cmd, 2=trn(cmd53), 3=rfu)
3 ERROR
2 RFU (reserved for future use)
1 INVALID_FUNCTION_NUMBER
0 OUT_OF_RANGE
15-8 Read or Write Data (8bit) ;-5th byte
7-1 CRC7 ;\6th byte
0 End Bit (1) ;/
|
8bit modified R1 response
7 start bit (0)
6 parameter error (0=okay, 1=error)
5 RFU (0)
4 function number error (0=okay, 1=error)
3 COM CRC error (0=okay, 1=error)
2 illegal command (0=okay, 1=error)
1 RFU (0)
0 in idle state (0=no, 1=idle)
8bit Read or Write Data
|
31 R/W Flag (0=Read, 1=Write) 30-28 Function Number (3bit) (0=CIA) 27 Block Mode (0=Bytes, 1=Blocks/optional) 26 OP Code (0=Fixed Address, 1=Incrementing Address) 25-9 Register Address (17bit) 8-0 Byte/Block Count (9bit) (1..511) (0=512 Bytes, or 0=Infinite Blocks) |
For Byte Mode: Similar to CMD17/CMD24 (single block) For Block Mode: Similar to CMD18/CMD25 (multiple block) For Block Mode: CMD52:STOP_TRANSMISSION only needed if using "InfiniteBlocks" |
31-25 stuff bits (0) 24 Switching to 1.8V Request (S18R) 23 I/O OCR VDD Voltage Window 3.5V-3.6V 22 I/O OCR VDD Voltage Window 3.4V-3.5V 21 I/O OCR VDD Voltage Window 3.3V-3.4V 20 I/O OCR VDD Voltage Window 3.2V-3.3V 19 I/O OCR VDD Voltage Window 3.1V-3.2V 18 I/O OCR VDD Voltage Window 3.0V-3.1V 17 I/O OCR VDD Voltage Window 2.9V-3.0V 16 I/O OCR VDD Voltage Window 2.8V-2.9V 15 I/O OCR VDD Voltage Window 2.7V-2.8V 14 I/O OCR VDD Voltage Window 2.6V-2.7V 13 I/O OCR VDD Voltage Window 2.5V-2.6V 12 I/O OCR VDD Voltage Window 2.4V-2.5V 11 I/O OCR VDD Voltage Window 2.3V-2.4V 10 I/O OCR VDD Voltage Window 2.2V-2.3V 9 I/O OCR VDD Voltage Window 2.1V-2.2V 8 I/O OCR VDD Voltage Window 2.0V-2.1V 7-4 I/O OCR VDD Voltage Window Reserved 3-0 I/O OCR VDD Voltage Window Reserved |
47 Start Bit (0) ;\ 46 Transmission To Host (0) ; 1st byte 45-40 Reserved (111111) (instead of Command value) ;/ 39 Card is ready to operate after init ;\ 38-36 Number of I/O Functions ; 35 Memory Present ; 2nd byte 34-33 Stuff bits (0) ; 32 Switching to 1.8V Accepted (S18R) (not SPI) ;/ 31-8 I/O OCR (24bit) ;-3rd..5th byte 7-1 Reserved (111111) (instead of CRC7) ;\6th byte 0 End Bit (1) ;/ |
8bit modified R1 Response
7 start bit (0)
6 parameter error (0=okay, 1=error)
5 RFU (0)
4 function number error (0=okay, 1=error)
3 COM CRC error (0=okay, 1=error)
2 illegal command (0=okay, 1=error)
1 RFU (0)
0 in idle state (0=no, 1=idle)
32bit same as SD Response bit39-8 (but without S18R bit)
|
- SCFG_EXT7.bit19 needed for SDIO controller (else 4004Axxh-4004Bxxh disabled) - SCFG_CLK7.bit??? maybe SDIO clock enable somewhere here? - SCFG_WL.bit0 probably needed, too - GPIO_WIFI.bit8 needed for AR6013G chips (else SDIO Function 1 fails) - BPTWL[30h] needed for LED and SDIO (else SDIO fails badly) - RTC.FOUT pin as configured by firmware (else WMI commands/events fail) |
Command ini stb cmd trn ina
CMD3 SET_RELATIVE_ADDR stb ok --- --- ---
CMD5 IO_SEND_OP_COND ok --- --- --- ---
ocr bad ina --- --- --- ---
CMD7 SELECT_CARD --- cmd ok --- ---
DESELECT_CARD --- ok stb --- ---
CMD15 GO_INACTIVE_STATE ina ina ina --- ---
CMD52 IO_RW_DIRECT --- --- ok (cmd)---
CMD53 IO_RW_EXTENDED --- --- trn --- ---
|
CMD0 GO_IDLE_STATE for entering SPI mode only (but does NOT reset SDIO) CMD8 SEND_IF_COND optional for SDHC/SDXC CMD11 VOLTAGE_SWITCH optional for UHS-I CMD19 SEND_TUNING_BLOCK optional for UHS-I CMD59 CRC_ON_OFF spi-only |
____________________________ I/O Commands for MMC____________________________ |
31-16 RCA 15 Register Write Flag 14-8 Register Address 7-0 Register Data |
47 Start Bit (0) ;\ 46 Transmission To Host (0) ; 1st byte 45-40 Command (the 6bit CMD being responded to) ;/ 39-24 RCA ;-2nd..3rd byte 23 Status (0=Bad, 1=Successful) ;\4th byte 22-16 Register Address ;/ 15-8 Read Register Contents ;-5th byte 7-1 CRC7 ;\6th byte 0 End Bit (1) ;/ |
31-0 Stuff Bits |
47 Start Bit (0) ;\ 46 Transmission To Host (0) ; 1st byte 45-40 Command (the 6bit CMD being responded to) ;/ 39-24 RCA ;-2nd..3rd byte 23-8 Not defined (may be used for IRQ data) ;-4th..5th byte 7-1 CRC7 ;\6th byte 0 End Bit (1) ;/ |
| DSi SDIO Memory and I/O Maps |
0:00000h..000FFh Card Common Control Registers (CCCR) 0:00100h..001FFh Function Basic Registers (FBR) for Function 1 0:00200h..002FFh Function Basic Registers (FBR) for Function 2 0:00300h..003FFh Function Basic Registers (FBR) for Function 3 0:00400h..004FFh Function Basic Registers (FBR) for Function 4 0:00500h..005FFh Function Basic Registers (FBR) for Function 5 0:00600h..006FFh Function Basic Registers (FBR) for Function 6 0:00700h..007FFh Function Basic Registers (FBR) for Function 7 0:00800h..00FFFh Reserved for Future 0:01000h..17FFFh Card Information Structures (Common CIS and Func 1-7 CIS) 0:18000h..1FFFFh Reserved for Future |
n:00000h..1FFFFh Registers (seven 128K spaces, one for each function) |
CSA:00000h..FFFFFh 16Mbyte FAT12/FAT16 (accessed indirectly via "Window") |
0:00000h 2 CCCR: Revision (R) 0:00002h 2 CCCR: I/O Function Enable/Ready (R/W) 0:00004h 2 CCCR: Interrupt Enable/Pending (R/W) 0:00006h 1 CCCR: I/O Abort (W) 0:00007h 1 CCCR: Bus Interface Control (R/W) 0:00008h 1 CCCR: Card Capability 0:00009h 3 CCCR: Common CIS Pointer, Lo/Mid/Hi 0:0000Ch 1 CCCR: Bus Suspend 0:0000Dh 1 CCCR: Function Select (R/W) 0:0000Eh 2 CCCR: Exec/Ready Flags (R) 0:00010h 2 CCCR: CMD53 Block Size for Function 0, Lo/Hi (R/W) 0:00012h 1 CCCR: Power Control 0:00013h 2 CCCR: Bus Speed Select 0:00015h 1 CCCR: Driver Strength 0:00016h 1 CCCR: Interrupt Extension 0:00017h D9h CCCR: Reserved for Future 0:000F0h 10h CCCR: Reserved for Vendors |
0:00n00h 1 FBR(n): Misc 0:00n01h 1 FBR(n): Extended standard SDIO Function interface code 0:00n02h 1 FBR(n): Misc 0:00n02h 7 FBR(n): Reserved for Future 0:00n09h 3 FBR(n): Pointer to Card Information Structure (CIS), Lo/Mid/Hi 0:00n0Ch 3 FBR(n): Code Storage Area (CSA) Address, Lo/Mid/Hi 0:00n0Fh 1 FBR(n): Code Storage Area (CSA) Data "Window" 0:00n10h 2 FBR(n): CMD53 Block Size for Function n, Lo/Hi 0:00n12h EEh FBR(n): Reserved for Future |
| DSi SDIO Common Control Registers (CCCR) |
0-3 CCCR/FBR Format Version (0=v1.00, 1=v1.10, 2=v2.00, 3=v3.00) (R) 4-7 SDIO Spec Version (0=v1.00, 1=v1.10, 2=v1.20, 3=v2.00, 4=v3.00) (R) 8-11 SD Physical Layer Spec (0=v1.01, 1=v1.10, 2=v2.00, 3=v3.0x) (R) 12-15 Reserved for Future (-) |
0 Reserved for Future (-) 1-7 SDIO Function 1..7 Enable Flags (0=Disable, 1=Enable) (R/W) 8 Reserved for Future (-) 9-15 SDIO Function 1..7 Ready Flags (0=Disabled/Busy, 1=Ready) (R) |
0 SDIO Interrupt Master Enable (0=Disable, 1=Enable) (R/W) 1-7 SDIO Function 1..7 Interrupt Enable (0=Disable, 1=Enable) (R/W) 8 Reserved for Future (-) 9-15 SDIO Function 1..7 Interrupt Pending (0=No, 1=IRQ) (R) |
0-2 SDIO Function Number to be Aborted (0=None?, 1..7=Function 1..7) (W)
XXXsee pg 35
3 Reset SDIO Card (0=Normal, 1=Reset) (W)
4-7 Reserved for Future (-)
|
0-1 Bus Width (0=1bit, 1=Reserved, 2=4bit, 3=EmbeddedSDIO/8bit) (R/W) 2 Support 8bit Bus Flag (0=No, 1=Yes/EmbeddedSDIO only) (R) 3-4 Reserved for Future (-) 5 Enable Continous SPI Interrupt (0=Disable, 1=Enable) (R/W) 6 Support Continous SPI Interrupt (0=No, 1=Yes) (R) 7 Card Detect Disable (0=Enable Pull-up on DAT3 pin, 1=Disable) (R/W) |
0 Support Direct Command (CMD52) during Data Transfer (0=No, 1=Yes) (R) 1 Support Multi-Block transfer (CMD53.block mode) (0=No, 1=Yes) (R) 2 Support Read Wait Control (RWC via DAT2 pin) (0=No, 1=Yes) (R) 3 Support Bus Control Suspend/Resume (0=No, 1=Yes) (R) 4 Support Block Gap Interrupt during Multi-Block (0=No, 1=Yes) (R) 5 Enable Block Gap Interrupt during Multi-Block (0=No, 1=Enable) (R/W) 6 Low Speed Card (0=Full-Speed, 1=Low-Speed) (R) 7 Support 4bit Mode for Low-Speed Card (0=No, 1=Yes) (R) |
0-16 Pointer to Card Common Card Information Structure (Common CIS) (R) 17-23 Unspecified (probably reserved) (-) |
0 Bus Status XXX see pg 37 (R) 1 Bus Release Request XXX see pg 38 (R) 2-7 Reserved for Future (-) |
0-3 Select Function (0=CIA, 1..7=Function 1..7, 8=Memory Card) (R/W) 4-6 Reserved for Future (-) 7 Data Flag (more data after resuming) (0=No, 1=Yes) (R) |
0 Command Execution Flag for Memory (=SD/Combo? or CSA?) (R) 1-7 Command Execution Flags for Function 1..7 (0=Busy, 1=Ready) (R) 8 Read/Write Ready Flag for Memory (=SD/Combo? or CSA?) (R) 9-15 Read/Write Ready Flags for Function 1..7 (0=Busy, 1=Ready) (R) |
0-15 CMD53 Block size for Function(0) (0001h..0800h) (0=None) (R/W) |
0 Support Master Power Control (0=No, 1=Yes) (R) 1 Enable Master Power Control (0=No/max 720mW, 1=Yes/allow more) (R/W) 2-7 Reserved for Future (-) |
0 Support High-Speed Mode (SDR25 or higher) (0=No, 1=Yes) (R) 1-3 Bus Speed Select (0=SDR12, 1=SDR25, 2=SDR50, 3=SDR104, 4=DDR50) (R/W) 4-7 Reserved for Future (-) 8 Support UHS-I SDR50 (usable in 1.8V mode only) (0=No, 1=Yes) (R) 9 Support UHS-I SDR104 (usable in 1.8V mode only) (0=No, 1=Yes) (R) 10 Support UHS-I DDR50 (usable in 1.8V mode only) (0=No, 1=Yes) (R) 11-15 Reserved for Future |
0 Support Driver Type A ;\see Physical Layer Specs (0=No, 1=Yes) (R) 1 Support Driver Type C ; version 3.0x for details (0=No, 1=Yes) (R) 2 Support Driver Type D ;/ (0=No, 1=Yes) (R) 3 Reserved for Future (-) 5-4 Driver Type Select (0=Default/B, 1=Type A, 2=Type C, 3=Type D) (R/W) 7-6 Reserved for Future (-) |
0 Support Asynchronous Interrupt in 4bit mode (0=No, 1=Yes) (R) 1 Enable Asynchronous Interrupt in 4bit mode (0=No, 1=Enable) (R/W) 7-2 Reserved for Future (-) |
| DSi SDIO Function Basic Registers (FBR) |
0-3 Standard SDIO Function Interface Code (R) 4-5 Reserved for Future (-) 6 Code Storage Area (CSA) Supported (0=No, 1=Yes) (R) 7 Code Storage Area (CSA) Enable (0=Block reads/writes, 1=Enable) (R/W) 8-15 Extended standard SDIO Function interface code (when bit0-3=0Fh) (R) |
0h:00h = No SDIO standard interface (eg. Atheros Wifi in DSi) 1h:00h = SDIO Standard UART 2h:00h = SDIO Bluetooth Type-A standard interface 3h:00h = SDIO Bluetooth Type-B standard interface 4h:00h = SDIO GPS standard interface 5h:00h = SDIO Camera standard interface 6h:00h = SDIO PHS standard interface 7h:00h = SDIO WLAN interface 8h:00h = Embedded SDIO-ATA standard interface 9h:00h = SDIO Bluetooth Type-A Alternate MAC PHY (AMP) standard interface Ah:00h = Reserved for Future Bh:00h = Reserved for Future Ch:00h = Reserved for Future Dh:00h = Reserved for Future Eh:00h = Reserved for Future Fh:00h..FFh = Reserved for Future |
0 Support Power Selection (0=No, 1=Yes) (R) 1 Enable Power Selection (0=Normal Current, 1=Lower Current) (R/W) 2-3 Reserved for Future (-) 4-7 Power State (R/W) |
0-16 Pointer to Function(n)'s Card Information Structure (Function CIS)(R) 17-23 Unspecified (probably reserved) (-) |
0-23 Pointer to CSA memory (incremented after CSA data read/write) (R/W) |
0-7 Data (to/from auto-incrementing CSA Address) (R for ROM, R/W otherwise) |
0-15 CMD53 Block size for Function(n) (0001h..0800h) (0=None) (R/W) |
| DSi SDIO Card Information Structures (CIS) |
PC Card Standard, Volume 4, Metaformat Specification |
00h CISTPL_code 01h Offset to next tuple (n) (aka size of body) 02h+(0..n-1) Body (n bytes) |
00h = CISTPL_NULL Null Tuple 10h = CISTPL_CHECKSUM Checksum Control 15h = CISTPL_VERS_1 Level 1 Version/Product Information 16h = CISTPL_ALTSTR Alternate Language String 20h = CISTPL_MANFID Manufacturer ID 21h = CISTPL_FUNCID Function ID 22h = CISTPL_FUNCE Function Extensions 80h-8Fh = Vendor specific Vendor specific 91h = CISTPL_SDIO_STD Info for Standard SDIO Functions 92h = CISTPL_SDIO_EXT Reserved for future SDIO stuff FFh = CISTPL_END End-of-chain |
00h Tuple ID (00h) 01h Tuple Size (00h) |
00h Tuple ID (10h) 01h Tuple Size (?) ... Unknown |
00h Tuple ID (15h) 01h Tuple Size (?) ... Unknown |
00h Tuple ID (20h) 01h Tuple Size (at least 4) 02h-03h Manufacturer ID (assigned by JEIDA or PCMCIA) 04h-05h Part Number/Revision (manufacturer specific) |
00h Tuple ID (21h) 01h Tuple Size (2) 02h Card Function Code (0Ch for SDIO) 03h System initialization bit mask (Not used, 00h) |
00h Tuple ID (22h) 01h Tuple Size (..) 02h Type of extended data 03h..xxh Function information |
00h Tuple ID (22h)
01h Tuple Size (04h+2*N)
02h Type of extended data (00h=Type 00h)
03h-04h Max Block Size for Function 0 (0001h or higher)
05h Max Transfer Speed for Function 0-7 (specified as Value*Unit bits/s)
bit0-2: Unit (0=0.1M, 1=1M, 2=10M, 3=100M, 4..7=Reserved)
bit3-6: Value (0=Reserved, 1=1, 2=1.2, 3=1.3, 4=1.5, 5=2, 6=2.5,
7=3, 8=3.5, 9=4, 10=4.5, 11=5, 12=5.5, 13=6, 14=7, 15=8)
bit7: Reserved
06h... N two-byte pairs (TC,CP) for 1..N ;(N=([01h]-4)/2)
|
00h Tuple ID (22h) 01h Tuple Size (2Ah) 02h Type of extended data (01h=Type 01h) 03h Function Info (bit0=WakeUpSupport, bit1..7=Reserved) 04h Standard SDIO Function version (2x4bit maj.min, or 00h=Nonstandard) 05h-08h Card Product Serial Number PSN (32bit) (unique value, or 0=None) 09h-0Ch CSA Size in bytes available for this Function (32bit) 0Dh CSA Property (bit0=WriteProtected/ReadOnly, bit1=NoReformatting) 0Eh-0Fh Max Block Size for this Function (0001h or higher) 10h-13h Operation Condition OCR (same as in ACMD41 for SD Memory devices) 14h-16h 3x8bit Operation Power (Min/Average/Max) (0..254mA, or 255=more) 17h-19h 3x8bit Standby Power (Min/Average/Max) (0..254mA, or 255=more) 1Ah-1Dh 2x16bit Bandwidth (Min/Optimal) (1..65535 KB/sec, or 0=None) 1Eh-1Fh Timeout for Enable-till-Ready in 10ms units (max 655.35 seconds) 20h-23h 2x16bit Operation 3.3V (Average/Max) (1..65535mA, or 0=?) 24h-25h 2x16bit High-Current-Mode 3.3V (Average/Max) (1..65535mA, or 0=?) 28h-2Bh 2x16bit Low-Current-Mode 3.3V (Average/Max) (1..65535mA, or 0=?) |
00h Tuple ID (22h) 01h Tuple Size (02h+N*2) (N=1..15, for up to 15 power states) 02h Type of extended data (02h=Type 02h) 03h Fixed value (00h) 04h..xxh Nx16bit Max consumption in Power State 1..N (0..65535mW) |
00h Tuple ID (91h) 01h Tuple Size (02h..FFh) 02h SDIO STD ID (the 4+8bit Interface Type in FBR, squeezed into 8bits?) 03h SDIO STD Type ;\depends on Interface Type 04h... SDIO STD Data (if any) ;/ |
00h Tuple ID (92h) 01h Tuple Size (?) 02h... Reserved (if any) |
00h Tuple ID (FFh) |
| DSi SD/MMC Filesystem |
| DSi SD/MMC Partition Table (aka Master Boot Record aka MBR) |
0000 00 00 00 00 00 00 00 00 .. .. .. .. 00 00 ;bootcode (zero) 01BE 00 03 18 04 06 0F E0 3B 77 08 00 00 89 6F 06 00 ;1st partition (main) 01CE 00 02 CE 3C 06 0F E0 BE 4D 78 06 00 B3 05 01 00 ;2nd partition (photo) 01DE 00 02 DE BF 01 0F E0 BF 5D 7E 07 00 A3 01 00 00 ;3rd partition (extra) 01EE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;4th partition (none) 01FE 55 AA ;mbr id (55h,AAh) |
000h 446 bootcode (zerofilled on DSi) ;-bootcode 1BEh+n*10h 1 status (00h) ;\ 1BFh+n*10h 3 chsFirst ; four 1C2h+n*10h 1 type (00h=unused, 01h=FAT12, 06h=FAT16B) ; partitions 1C3h+n*10h 3 chsLast ; (n=0..3) 1C6h+n*10h 4 lbaFirst ;\logical block addresses/sizes ; 1CAh+n*10h 4 lbaSize ;/counted in 200h-byte sectors ;/ 1FEh 2 mbrsig (55h,AAh) ;-MBR ID |
0-7 Head Bit0-7 (00h..FEh) (or less common, 00h..FFh) 8-13 Sector Bit0-5 (01h..3Fh) 14-15 Cylinder Bit8-9 16-23 Cylinder Bit0-7 (000h..3FFh, with above bit8-7) |
LBA = (Cylinder*32*16) + (Head*32) + (Sector-1) |
http://en.wikipedia.org/wiki/Master_Boot_Record http://en.wikipedia.org/wiki/Partition_type <-- rather meaningless |
| DSi SD/MMC Filesystem (FAT) |
000h 3 80x86 jump opcode (DSi: E9h,00h,00h) 003h 8 ascii disk name (DSi: "TWL ") 00Bh 2 bytes / sector (DSi: 0200h) 00Dh 1 sectors / cluster (DSi: 20h) 00Eh 2 sectors / boot-record (DSi: 0001h) 010h 1 number of FAT-copys (DSi: 02h) 011h 2 entrys / root-directory (DSi: 0200h) 013h 2 sectors / disk (DSi: 0000h) 015h 1 ID (DSi: F8h=HDD) 016h 2 sectors / FAT (DSi: A:0034h, B:0009h) 018h 2 sectors / track (DSi: 0020h) 01Ah 2 heads / disk (DSi: 0010h) 01Ch 2 number of reserved sectors (DSi: None such entry!) 01Ch 4 LBA First "hidden" (DSi: A:00000877h, B:0006784Dh) 020h 4 LBA Size (total sectors)(DSi: A:00066F89h, B:000105B3h) 024h 1 Drive Number (DSi: A:00h, B:01h) 025h 1 Flags (reserved) (DSi: 00h) 026h 1 EBPB Version (DSi: 29h) (that is, DOS 4.0 EBPB) 027h 4 Volume Serial Number (DSi: 12345678h) 02Bh 11 Volume Label (DSi: " ") 036h 8 Filesystem Type (DSi: 00h-filled) 03Eh 448 Bootcode (DSi: 00h-filled) 1FEh 2 Signature (DSi: 55h,AAh) |
011h 2 Must be 0 (number of root entries, is variable-length FAT chain) 016h 2 Must be 0 (sectors per fat, instead use 32bit value at 024h) 024h 4 sectors / FAT (new 32bit value instead of old entry 016h) 028h 2 ExtFlags (related to "active" FAT copy) 02Ah 2 Version of FAT32 filesystem (minor, major) (should be 0.0) 02Ch 4 Cluster number of first Root directory cluster (usually/often 2) 030h 2 Sector number of FSINFO in reserved area (usually 0001h) 032h 2 Sector number of VBR backup copy in reserved area (usually 0006h) 034h 12 Reserved for future ;Should be zerofilled 040h 1 Drive Number ;\ 041h 1 Flags (reserved) ; as old 042h 1 EBPB Version ;Must be 29h (that is, DOS 4.0 EBPB) ; entries 043h 4 Volume Serial Number ; at 024h 047h 11 Volume Label ; 052h 8 Filesystem Type ;Must be "FAT32 " ;/ |
000h 4 Value 41615252h (aka "RRaA") 004h 480 Reserved (should be 0) 1E4h 4 Value 61417272h (aka "rrAa") 1E8h 4 Hint on number of free clusters (or FFFFFFFFh=unknown) 1ECh 4 Hint on first free cluster number (or FFFFFFFFh=unknown) 1F0h 12 Reserved (should be 0) 1FCh 4 Value AA550000h |
(x000)(0)000 unused, free (x000)(0)001 ??? (x000)(0)002... pointer to next cluster in chain (0)002..(F)FEF (xFFF)(F)FF0-6 reserved (no part of chain, not free) (xFFF)(F)FF7 defect cluster, don't use (xFFF)(F)FF8-F last cluster of chain |
00-07 8 Filename (first byte: 00=free entry, 2E=dir, E5=deleted entry)
08-0A 3 Filename extension
0B 1 Fileattribute
bit0 read only
bit1 hidden
bit2 system
bit3 volume label
bit4 subdirectory
bit5 archive-flag
bit6 reserved
bit7 reserved
0C-0D 2 Reserved, or stuff
0E-0F 2 Reserved, or Creation Timestamp
10-11 2 Reserved, or Creation Datestamp
12-13 2 Reserved, or Last Access Datestamp
14-15 2 Reserved, or MSBs of Cluster (for FAT32)
16-17 2 Last Modify Timestamp: HHHHHMMM, MMMSSSSS
18-19 2 Last Modify Datestamp: YYYYYYYM, MMMDDDDD
1A-1B 2 Pointer to first Cluster of file
1C-1F 4 Filesize in bytes (always 0 for directories)
|
00h 1 Sequence Number (bit6: last logical, first physical LFN entry,
bit5: 0, bit4-0: number 01h..14h (1Fh)) (or E5h=deleted entry)
01h 10 Long Filename characters (five UCS-2 characters)
0Bh 1 Attributes (always 0Fh for LFN prefix)
0Ch 1 Type (always 00h)
0Dh 1 Short Filename Checksum
sum=00h, for i=0 to 10, sum = (sum ROR 1) + shortname_char[i], next i
0Eh 12 Long Filename characters (six UCS-2 characters)
1Ah 2 First cluster (always 0000h)
1Ch 4 Long Filename characters (two UCS-2 characters)
|
Entry 1: LFN Prefix (43h) "me.ext", 0000h, 6xFFFFh Entry 2: LFN Prefix (02h) "y long filena" Entry 3: LFN Prefix (01h) "File with ver" Entry 4: Normal 8.3 short filename entry "FILEWI~1.EXT" |
| DSi SD/MMC Internal NAND Layout |
Offset Size Description
00000000h 200h PC-style MBR, encrypted with a per-console key
00000200h 200h Stage 2 Boot Info Block 1 (used)
00000400h 200h Stage 2 Boot Info Block 2 (unused, same as above)
00000600h 200h Stage 2 Boot Info Block 3 (unused, nonsense NAND offsets)
00000800h 26600h Stage 2 ARM9 Bootcode (encrypted with universal key)
00026E00h 27600h Stage 2 ARM7 Bootcode (encrypted with universal key)
0004E400h 400h Stage 2 Footer -- unknown format, but first 10 bytes
are (unencrypted) build number of Stage 2 bootloader
0004E800h B1200h Unused (all 00h)
000FFA00h 400h Diagnostic area. (often contains build date of
device in plaintext) Blank in never-before-booted
DSi. Might be written to during firmware updates.
000FFE00h 200h Unused (all FFh)
00100000h EE00h Unused (all 00h)
0010EE00h CDF1200h 1st partition (205.9Mbyte) (main, encrypted, FAT16)
0CF00000h 9A00h Unused (all 00h)
0CF09A00h 20B6600h 2nd partition (32.7Mbyte) (photo, encrypted, FAT12)
For 240.0MB chips (Samsung KMAPF0000M-S998 or KLM5617EFW-B301):
0EFC0000h BA00h Unused (all 00h)
0EFCBA00h 34600h 3rd partition (0.2Mbyte) (extra, unformatted)
0F000000h - End of 240MByte Address Space
For 245.5MB chips (ST NAND02GAH0LZC5, both rev30 and rev31):
0EFC0000h B600h Unused (all 00h?) (smaller unused area as in 240MB chip)
0EFCB600h 5B4A00h 3rd partition (5.7Mbyte) (extra, unformatted)
0F580000h - End of 245.5MByte Address Space
|
000h 20h Zerofilled 020h 4 ARM9 Bootcode NAND Offset (800h) (Info Block 3: 80400h) 024h 4 ARM9 Bootcode Size actual (26410h) 028h 4 ARM9 Bootcode RAM Address / Entry (37B8000h) 02Ch 4 ARM9 Bootcode Size rounded-up (26600h) 030h 4 ARM7 Bootcode NAND Offset (26E00h) (Info Block 3: A6A00h) 034h 4 ARM7 Bootcode Size actual (27588h) 038h 4 ARM7 Bootcode RAM Address / Entry (37B8000h) 03Ch 4 ARM7 Bootcode Size rounded-up (27600h) 040h BFh Zerofilled 0FFh 1 Unknown (0Ch) 100h 80h RSA Block (B3,FF,EC,E5,..) (Boot Info Block 3: 5B,E1,7A,9F,..) 180h 14h Global MBK1..MBK5 Slot Settings 194h 0Ch Local ARM9 MBK6..MBK8 Settings 1A0h 0Ch Local ARM7 MBK6..MBK8 Settings 1ACh 4 Global MBK9 Slot Write Protect (FF000000h) 1B0h 50h Zerofilled |
Pre 0Bh Leading RSA Padding (01,FF,FF,FF,FF,FF,FF,FF,FF,FF,00)
00h 10h AES_Engine Key Y for ARM9/ARM7 Bootcode (EC,07,00,00,...)
10h 14h SHA1 on WifiFlash[00h..27h] and eMMCBootInfo[00h..FFh,180h..1FFh]
3DS: reportedly NAND/MBR[00h..27h] instead of WifiFlash[00h..27h]??
24h 14h SHA1 on decrypted ARM9 Bootcode, with the actual binary size.
38h 14h SHA1 on decrypted ARM7 Bootcode, with the actual binary size.
4Ch 14h Zerofilled
60h 14h SHA1 on above 60h-byte area at [00h..5Fh] (63,D2,FC,6E,...)
|
RSA_KEY = F1,F5,1A,FF,... ;-from 3DS TWL_FIRM (for RSA Block) IV[0..3] = +size ;\ IV[4..7] = -size ; size rounded up to 200h boundary, ie. IV[8..B] = -size-1 ; from Boot Info Block entries [02Ch,03Ch] IV[C..F] = 00000000h ;/ KEY_X[0..F] = "Nintendo DS",... ;-same as Key X for "Tad Files" KEY_Y[0..F] = EC,07,00,00,... ;-from RSA Block (see above) |
IV[0..F]: SHA1(CID)+Address/10h ;-eMMC Chip ID KEY_X[0..3]: [4004D00h] ;\ KEY_X[4..7]: [4004D00h] XOR 24EE6906h ; CPU/Console ID KEY_X[8..B]: [4004D04h] XOR E65B601Dh ; KEY_X[C..F]: [4004D04h] ;/ KEY_Y[0..F]: 0AB9DC76h,BD4DC4D3h,202DDD1Dh,E1A00005h ;-Constant |
CID = [2FFD7BCh] = dd,ss,ss,ss,ss,03,4D,30,30,46,50,41,00,00,15,00 SHA1(CID) = SWI_27h(SHA1value,2FFD7BCh,10h) |
"NUS Downloader" allows to download and decrypt system updates "DSi SRL Extract" allows to decrypt DSiware files (when copied to SD card) "TWLTool" decrypt/encrypt eMMC images (firmware downgrading, dsiware-hax) "TWLbf" and "bfCL" bruteforce Console ID or CID (or both) from eMMC images |
| DSi SD/MMC Bootloader |
Stage 1: Load Stage 2 from NAND Boot Sectors (via code in BIOS ROM) Stage 2: Load Stage 3 from NAND Filesystem Stage 3: Contains GUI and allows to boot Cartridges or NAND files |
Initialize the encryption hardware Read the contents of NVRAM Initialize both LCDs Read blocks (but not files) from the NAND flash Perform some variety of integrity check on all data it reads(signature,CRC,?) Display basic hexadecimal error codes Possibly factory-programming the NAND flash? Might also do basic power-on self test of peripherals |
Error Code Description
0000FE00 Error communicating NAND chip (It's missing, CLK shorted, etc.)
0000FEFC Integrity error in first block of Stage 2 (address at 220h)
0000FEFD Integrity error in second block of Stage 2 (address at 230h)
0000FEFE Boot sector integrity error (Sector 200h not valid), or error
in NVRAM contents.
|
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
|
1. The NAND flash is partially re-initialized
2. Sector 0 is read from the NAND. Appears to be (encrypted) DOS-style MBR.
3. The MBR signature and the type of the first partition are verified.
4. Filesystem metadata is read from sectors starting around 0x100000. The
metadata appears to be in FAT format with long filenames.
5. Multiple files are loaded from the filesystem. The exact read addresses
will vary depending on your DSi's firmware version and the state of
its filesystem when you performed the last firmware update. On a brand
new DSi, it appears that the DSi Menu itself is loaded from 0xb20000
after two small metadata files are read from 0xb1c000 and 0x7a0000.
|
Text Description
"Error: 1-2435-8325" Invalid signature or partition type in MBR,
invalid starting LBA.
"Error: 2-2435-8325" Error reading fat/sectors from eMMC
"Error: 3-2435-8325" DSi Menu integrity checks failed
|
| DSi SD/MMC Device List |
000h 54h*11 Device List (max 11 entries) 39Ch 24h Zerofilled 3C0h 40h Name 'nand:/title/000300tt/4ggggggg/content/000000vv.app' + 00h's |
00h 1 Drive Letter ("A".."I")
01h 1 Flags (see below)
02h 1 Access Rights (bit1=Write, bit2=Read)
03h 1 Zero
04h 10h Device Name (eg. "nand" or "dataPub") (zeropadded)
14h 40h Path (eg. "/" or "nand:/shared1") (zeropadded)
|
0 Physical Drive (0=External SD/MMC Slot, 1=Internal eMMC) 1-2 Zero (maybe MSBs of Drive) 3-4 Device Type (0=Physical, 1=Virtual/File, 2=Virtual/Folder, 3=Reserved) 5 Partition (0=1st, 1=2nd) 6 Zero (maybe MSB of Partition) 7 Encrypt? (set for eMMC physical devices; not for virtual, not for SD) |
Letter/Flags Name Path ;Notes 'A',81h,06h,00h 'nand' '/' ;eMMC Cart Partition 1 'B',A1h,06h,00h 'nand2' '/' ;eMMC Cart Partition 2 'C',11h,04h,00h 'content' 'nand:/title/000300tt/4ggggggg/content' 'D',11h,04h,00h 'shared1' 'nand:/shared1' ;TWLCFGn.dat 'E',11h,06h,00h 'shared2' 'nand:/shared2' ;Sound and wrap.bin 'F',31h,06h,00h 'photo' 'nand2:/photo' ;Camera photos/frames 'G',09h,06h,00h 'dataPrv' 'nand:/title/000300tt/4ggggggg/data/private.sav' 'H',09h,06h,00h 'dataPub' 'nand:/title/000300tt/4ggggggg/data/public.sav' 'I',00h,06h,00h 'sdmc' '/' ;SD Cart Partition 1 |
'C',09h,06h,00h 'share' 'nand:/shared2/0000' ;Sound file |
'verdata' for Version Data NARC file 'rom' for executable's NitroROM filesystem 'otherPub' 'otherPrv' |
'nand:/<tmpjump>' --> 'nand:/tmp/jump.app' 'nand:/<sharedFont>' --> 'nand:/sys/TWLFontTable.dat' 'nand:/<verdata>' --> 'nand:/title/0003000f/484e4c%02x/content/%08x.app' 'nand:/<banner>' --> ..... '/data/banner.sav' ':<srl>' --> ..... |
"nand:/../CONTENT/title.tmd" "nand:/../CONTENT/00000002.app" "nand:/../DATA/public.sav" "nand:/../DATA/private.sav" |
"sdmc:/../My Folder Name/Filpnote Studio (EUR.AUS).dsi" "sdmc:/../My Folder Name/Filpnote Studio (EUR.AUS).pub" "sdmc:/../My Folder Name/Filpnote Studio (EUR.AUS).prv" |
"sdmc:/../MYFOLD~1/FLIPN~12.DSI" "sdmc:/../MYFOLD~1/FLIPN~10.PUB" "sdmc:/../MYFOLD~1/FLIPNO~2.PRV" |
| DSi SD/MMC Complete List of SD/MMC Files/Folders |
SYS <DIR> sys LOG <DIR> log PRODUCT LOG 0000023D product.log SYSMENU LOG 00004000 sysmenu.log SHOP LOG 00000020 shop.log HWINFO_S DAT 00004000 HWINFO_S.dat HWINFO_N DAT 00004000 HWINFO_N.dat CERT SYS 00000F40 cert.sys HWID SGN 00000100 HWID.sgn TWLFON~1 DAT 000D2C40 TWLFontTable.dat DEV KP 000001BE dev.kp TITLE <DIR> title 00030017 <DIR> 00030017 (aka System Menu) 484E4150 <DIR> 484e4150 (aka Launcher) DATA <DIR> data PRIVATE SAV 00004000 private.sav CONTENT <DIR> content TITLE TMD 00000208 title.tmd 00000002 APP 0019E400 00000002.app 00030015 <DIR> 00030015 (aka System Base Tools) 484E4250 <DIR> 484e4250 (aka System Settings) DATA <DIR> data CONTENT <DIR> content TITLE TMD 00000208 title.tmd 00000002 APP 00285C00 00000002.app 484E4650 <DIR> 484e4650 (aka Nintendo DSi Shop) DATA <DIR> data PRIVATE SAV 00004000 private.sav EC CFG 00000134 ec.cfg CONTENT <DIR> content 00000004 APP 00526400 00000004.app TITLE TMD 00000208 title.tmd 0003000F <DIR> 0003000f (aka System Data) 484E4341 <DIR> 484e4341 (aka Wifi Firmware) DATA <DIR> data CONTENT <DIR> content TITLE TMD 00000208 title.tmd 00000002 APP 00017E60 00000002.app 484E4841 <DIR> 484e4841 (aka Nintendo DS Cart Whitelist) DATA <DIR> data CONTENT <DIR> content TITLE TMD 00000208 title.tmd 00000001 APP 0004B1D0 00000001.app 484E4C50 <DIR> 484e4c50 (aka Version Data) DATA <DIR> data CONTENT <DIR> content 00000004 APP 00001B50 00000004.app TITLE TMD 00000208 title.tmd 00030005 <DIR> 00030005 (aka System Fun Tools) 484E4441 <DIR> 484e4441 (aka DS Download Play) DATA <DIR> data CONTENT <DIR> content TITLE TMD 00000208 title.tmd 00000001 APP 00069BC0 00000001.app 484E4541 <DIR> 484e4541 (aka Pictochat) DATA <DIR> data CONTENT <DIR> content 00000000 APP 00074FC0 00000000.app TITLE TMD 00000208 title.tmd 484E4950 <DIR> 484e4950 (aka Nintendo DSi Camera) DATA <DIR> data PRIVATE SAV 00080000 private.sav CONTENT <DIR> content TITLE TMD 00000208 title.tmd 00000002 APP 00443C00 00000002.app 484E4A50 <DIR> 484e4a50 (aka Nintendo Zone) DATA <DIR> data PRIVATE SAV 00100000 private.sav CONTENT <DIR> content 00000003 APP 0014D000 00000003.app TITLE TMD 00000208 title.tmd 484E4B50 <DIR> 484e4b50 (aka Nintendo DSi Sound) DATA <DIR> data PRIVATE SAV 00080000 private.sav CONTENT <DIR> content 00000002 APP 00451000 00000002.app TITLE TMD 00000208 title.tmd 00030004 <DIR> 00030004 (aka DSiware) 484E4750 <DIR> 484e4750 (aka Nintendo DSi Browser) DATA <DIR> data PRIVATE SAV 00200000 private.sav CONTENT <DIR> content 00000001 APP 008F1C00 00000001.app TITLE TMD 00000208 title.tmd 4B475556 <DIR> 4b475556 (aka Flipnote Studio) DATA <DIR> data PUBLIC SAV 007F0000 public.sav CONTENT <DIR> content 00000000 APP 00348400 00000000.app TITLE TMD 00000208 title.tmd TICKET <DIR> ticket 00030017 <DIR> 00030017 (aka System Menu) 484E4150 TIK 000002C4 484e4150.tik (aka Launcher) 00030015 <DIR> 00030015 (aka System Base Tools) 484E4250 TIK 000002C4 484e4250.tik (aka System Settings) 484E4650 TIK 000002C4 484e4650.tik (aka Nintendo DSi Shop) 0003000F <DIR> 0003000f (aka System Data) 484E4341 TIK 000002C4 484e4341.tik (aka Wifi Firmware) 484E4841 TIK 000002C4 484e4841.tik (aka Nintendo DS Cart Whitelist) 484E4C50 TIK 000002C4 484e4c50.tik (aka Version Data) 00030005 <DIR> 00030005 (aka System Fun Tools) 484E4441 TIK 000002C4 484e4441.tik (aka DS Download Play) 484E4541 TIK 000002C4 484e4541.tik (aka Pictochat) 484E4950 TIK 000002C4 484e4950.tik (aka Nintendo DSi Camera) 484E4A50 TIK 000002C4 484e4a50.tik (aka Nintendo Zone) 484E4B50 TIK 000002C4 484e4b50.tik (aka Nintendo DSi Sound) 00030004 <DIR> 00030004 (aka DSiware) 484E4750 TIK 000002C4 484e4750.tik (aka Nintendo DSi Browser) 4B414D56 TIK 000002C4 4b414d56.tik (aka Paper Plane) 4B443956 TIK 000002C4 4b443956.tik (aka Dr. Mario) 4B475556 TIK 000002C4 4b475556.tik (aka Flipnote Studio) 4B4D3958 TIK 000002C4 4b4d3958.tik (aka Magic Made Fun: Deep Psyche) SHARED1 <DIR> shared1 TWLCFG0 DAT 00004000 TWLCFG0.dat TWLCFG1 DAT 00004000 TWLCFG1.dat SHARED2 <DIR> shared2 LAUNCHER <DIR> launcher WRAP BIN 00004000 wrap.bin 0000 00200000 0000 IMPORT <DIR> import TMP <DIR> tmp ES <DIR> es WRITE <DIR> write PROGRESS <DIR> progress |
PHOTO <DIR> photo PRIVATE <DIR> private DS <DIR> ds APP <DIR> app 484E494A <DIR> 484E494A (aka Nintendo DSi Camera Stuff) PIT BIN 00001F60 pit.bin DCIM <DIR> DCIM 100NIN02 <DIR> 100NIN02 HNI_0008 JPG 0000AB51 HNI_0008.JPG HNI_0009 JPG 00009A96 HNI_0009.JPG HNI_0010 JPG 0000932B HNI_0010.JPG HNI_0011 JPG 00009CB8 HNI_0011.JPG HNI_0012 JPG 00009CA9 HNI_0012.JPG HNI_0013 JPG 00009A3B HNI_0013.JPG |
PRIVATE <DIR> private DS <DIR> ds TITLE <DIR> title ;\ 484E4750 BIN 9.180K 484E4750.bin (aka Nintendo DSi Browser) ; dsiware 4B475556 BIN 11.510K 4B475556.bin (aka Flipnote Studio) ; games HNB_ LST 2K HNB_.lst (content: "VUGKPGNH") ;/ APP <DIR> app 484E494A <DIR> 484E494A (aka Nintendo DSi Camera Stuff) ;\ PIT BIN 47K pit.bin ; camera DCIM <DIR> DCIM ; frames 100NIN02 <DIR> 100NIN02 ; HNI_0001 JPG 45K HNI_0001.JPG ;-frame/mask ;/ 4B475556 <DIR> 4B475556 (aka Flipnote Studio Stuff) ;\ RECENT10 PLS 4K recent10.pls ; MARK0 PLS 8K mark0.pls ; flipnote MARK1 PLS 8K mark1.pls ; stuff MARK2 PLS 8K mark2.pls ; MARK3 PLS 8K mark3.pls ; 001 <DIR> 001 ; DIRMEMO2 LST 157K dirmemo2.lst ; F08243~1 PPM 467K F08243_0E5E2296197E5_000.ppm ;/ DCIM <DIR> DCIM 101NIN02 <DIR> 101NIN02 ;<-- can be 100NIN02 thru 999NIN02 HNI_0001 JPG 43K HNI_0001.JPG ;\dsi camera photos HNI_0002 JPG 17K HNI_0002.JPG ; (names are numbered differently HNI_0003 JPG 39K HNI_0003.JPG ;/as on eMMC where they came from) |
| DSi SD/MMC Summary of SD/MMC Files/Folders |
000000vv Title Version (lowercase hex32bit) from tmd[1E4h] as carthdr[1Eh] 4ggggggg Title ID Gamecode (hex) as carthdr[230h..233h] 000300tt Title ID Filetype (hex) as carthdr[234h..237h] HNI_nnnn Camera photo/frame files (nnnn = 0001..0100 decimal) nnnNIN02 Camera photo/frame folders (nnn = 100..999 decimal) |
00030000 ROM Cartridges (as so for ROMs, doesn't appear in SD/MMC files) 00030004 DSiware (browser, flipnote, and games) (if any installed) 00030005 System Fun Tools (camera, sound, zone, pictochat, ds download play) 0003000f System Data (non-executable, without carthdr) 00030015 System Base Tools (system settings, dsi shop, 3ds transfer tool) 00030017 System Menu (launcher) |
484e41gg System Menu (Launcher)
484e42gg System Settings
484e4341 Wifi Firmware (non-executable datafile) (all regions)
484e4441 DS Download Play (all regions)
484e4541 Pictochat (all regions) (no update available)
484e46gg Nintendo DSi Shop
484e47gg Nintendo DSi Browser
484e4841 Nintendo DS Cart Whitelist (non-executable datafile) (all regions)
484e49gg Nintendo DSi Camera
484e4agg Nintendo Zone (doesn't exist in Korea)
484e4bgg Nintendo DSi Sound
484e4cgg Version Data (non-executable datafile)
484e4fgg Nintendo 3DS Transfer Tool
484E494A Nintendo DSi Camera Data (uppercase) ("japan") (aka all regions)
4b44474a Dokodemo Wii no Ma (japan only)
4b4755gg Flipnote Studio (doesn't exist in Korea/China)
4bgggggg DSiware games... (whatever games you have purchased, if any)
|
FAT16:\ticket\000300tt\4ggggggg.tik (encrypted) ;ticket (708 bytes) FAT16:\title\000300tt\4ggggggg\content\title.tmd ;tmd (520 bytes) FAT16:\title\000300tt\4ggggggg\content\000000vv.app ;executable (decrypted) FAT16:\title\000300tt\4ggggggg\data\public.sav ;size as carthdr[238h] FAT16:\title\000300tt\4ggggggg\data\private.sav ;size as carthdr[23Ch] FAT16:\title\000300tt\4ggggggg\data\ec.cfg ;dsi shop only FAT16:\title\000300tt\4ggggggg\data\banner.sav ;if carthdr[1BFh].bit2=1 |
FAT16:\shared1\TWLCFG0.dat ;16K FAT16:\shared1\TWLCFG1.dat ;16K FAT16:\shared2\launcher\wrap.bin ;16K FAT16:\shared2\0000 ;2048K (sound recorder) FAT16:\sys\log\product.log ;573 bytes FAT16:\sys\log\sysmenu.log ;16K FAT16:\sys\log\shop.log ;32 bytes FAT16:\sys\HWINFO_S.dat ;16K FAT16:\sys\HWINFO_N.dat ;16K FAT16:\sys\cert.sys ;3904 bytes (or 2560 bytes) FAT16:\sys\HWID.sgn ;256 bytes (unknown purpose/content) FAT16:\sys\TWLFontTable.dat ;843.1K (D2C40h bytes) (compressed) FAT16:\sys\dev.kp ;446 bytes (encrypted) FAT16:\import\ ;empty folder FAT16:\progress\ ;empty folder FAT16:\tmp\es\write\ ;empty folder |
FAT12:\photo\DCIM\100NIN02\HNI_nnnn.JPG ;camera photos FAT12:\photo\private\ds\app\484E494A\pit.bin ;camera info FAT12:\photo\private\ds\app\484E494A\DCIM\100NIN02\HNI_nnnn.JPG;camera frames |
SD:\private\ds\title\4GGGGGGG.bin ;executable/data in one file (encrypted) SD:\private\ds\title\HNB_.lst ;list of gamecodes |
SD:\DCIM\nnnNIN02\HNI_nnnn.JPG ;camera photos SD:\private\ds\app\484E494A\pit.bin ;camera info SD:\private\ds\app\484E494A\DCIM\nnnNIN02\HNI_nnnn.JPG ;camera frames |
SD:\private\ds\app\4B4755GG\recent10.pls ;Recently saved path/filenames SD:\private\ds\app\4B4755GG\mark0.pls ;Heart sticker path/filenames SD:\private\ds\app\4B4755GG\mark1.pls ;Crown sticker path/filenames SD:\private\ds\app\4B4755GG\mark2.pls ;Music sticker path/filenames SD:\private\ds\app\4B4755GG\mark3.pls ;Skull sticker path/filenames SD:\private\ds\app\4B4755GG\001\dirmemo2.lst ;List of all files in folder SD:\private\ds\app\4B4755GG\001\XNNNNN_NNNNNNNNNNNNN_NNN.ppm ;normal SD:\private\ds\app\4B4755GG\YYYYMMDD\NNN\XNNNNN_NNNNNNNNNNNNN_NNN.ppm ;backup SD:\private\ds\app\4B4755GG\gif\XNNNNN_NNNNNNNNNNNNN_NNN.gif ;gif |
SD:\...\*.aac SD:\...\*.m4a |
http://nus.cdn.t.shop.nintendowifi.net/ccs/download/000300tt4ggggggg/tmd http://nus.cdn.t.shop.nintendowifi.net/ccs/download/000300tt4ggggggg/cetk http://nus.cdn.t.shop.nintendowifi.net/ccs/download/000300tt4ggggggg/000000vv |
d:\...\TITLES\000300tt4ggggggg\ddd\000000vv ;executable (encrypted) d:\...\TITLES\000300tt4ggggggg\ddd\000000vv.APP ;executable (decrypted) d:\...\TITLES\000300tt4ggggggg\ddd\CETK ;cetk (2468 bytes) d:\...\TITLES\000300tt4ggggggg\ddd\TMD ;tmd (520 bytes) |
| DSi SD/MMC Images |
XXX currently, the double-clicked file will be saved as "TEMP.TMP", XXX in no$gba folder (there is no "Save as" dialog yet) |
DSi-#.mmc ;eMMC for machine 1..12 (# = 1..C hex) |
0000000h .. Encrypted eMMC image (usually 240Mbyte for DSi)
F000000h 16 Footer ID ("DSi eMMC CID/CPU")
F000010h 16 eMMC CID (dd ss ss ss ss 03 4D 30 30 46 50 41 00 00 15 00)
F000020h 8 CPU/Console ID (nn n1 nn nn nn nn xn 08)
F000028h 24 Reserved (zerofilled)
|
DSi-#.sd ;SD Card for machine 1..12 (# = 1..C hex) |
| DSi SD/MMC DSiware Files on Internal eMMC Storage |
KEY_X[00h..03h] = 4E00004Ah ;\ KEY_X[04h..07h] = 4A00004Eh ; same as for Tad KEY_X[08h..0Bh] = Port[4004D00h+4] xor C80C4B72h ; KEY_X[0Ch..0Fh] = Port[4004D00h+0] ;/ KEY_Y[00h..0Fh] = Constant (E5,CC,5A,8B,...) ;from ARM7BIOS |
Data Management (in System Settings), DSi Shop, and 3DS transfer tool |
0000h 14h SHA1 on entries [014h..03Fh]
0014h 14h SHA1 on entries [040h..177h]
0028h 4 ID ("APWR") (aka 'WRAP' with mis-ordered letters)
002Ch 4 Size of entries at [040h..177h] (00000138h, aka 39*8)
0030h 10h Zerofilled
0040h 138h Space for 39 Title IDs (as at cart[230h]) (8x00h=unused entry)
0178h 3E88h Unknown (looks like random/garbage, or encrypted junk)
|
0000h 4 ID ("TSSV")
0004h 4 Zerofilled (used somehow, can be nonzero?)
0008h 2 CRC16 on [000h..0153h], initial value 5356h, assume [008h]=0000h
000Ah 6 Zerofilled
0010h 39x8 Title IDs (gg,gg,gg,gg,tt,00,03,00) (0=NDS CartSlot or Unused)
0148h 8 Zerofilled
0150h 4 Index of NDS CartSlot Entry (0..39)
|
| DSi SD/MMC DSiware Files on External SD Card (.bin aka Tad Files) |
000h 1200 List of 300 gamecodes, spelled backwards (or zero = unused entry) 4B0h 1 Language (0=Jap, 1=Eng, 2=Fre, 3=Ger, 4=Ita, 5=Spa, 6=Chi, 7=Kor?) 4B1h 3 Zero 4B4h 2 CRC16 on entries [000h..4B3h] (with initial value FFFFh) 4B6h 2 Zero |
Offset Size Key Description 000000h 4000h+20h FIX Icon/Title 004020h B4h+20h FIX Header 0040F4h 440h+20h FIX Footer (certificates/hashes) 004554h 208h+20h VAR title.tmd (usually 208h bytes; but could be bigger) 00477Ch size+N*20h VAR 000000vv.app ... 0 ? seven N/A parts (unknown if/when they are used) ... size+N*20h FIX public.sav (if any) ... ? ? banner.sav (if any) |
KEY_X[00h..0Fh] = Constant ("Nintendo DS",...)
KEY_Y[00h..0Fh] = Constant (66 82 32 04 ...) ;from ARM7BIOS
since above X/Y are constant, that gives a fixed normal key:
KEY[00h..0Fh] = Constant (3D A3 EA 33 ...) ;as used in "dsi srl extract"
|
KEY_X[00h..03h] = 4E00004Ah ;\ KEY_X[04h..07h] = 4A00004Eh ; same as for dev.kp KEY_X[08h..0Bh] = Port[4004D00h+4] xor C80C4B72h ; KEY_X[0Ch..0Fh] = Port[4004D00h+0] ;/ KEY_Y[00h..0Fh] = Constant (CC FC A7 03 ...) ;from ARM7BIOS |
0000h 23C0h Icon/Title (usually 23C0h bytes) ;see carthdr[068h,208h] 23C0h 1C40h Zerofilled (padding to get 4000h byte size) |
000h 4 Fixed ID "4ANT" (aka TNA4, spelled backwards)
004h 2 Maker Code, spelled backwards ("10"=Nintendo) ;carthdr[010h]
006h 1 Zero
007h 1 Title version (vv) ;carthdr[01Eh]
008h 6 DSi MAC Address, spelled backwards ;wifi_flash[036h]
00Eh 2 Zero
010h 16 Some console ID from HWINFO_N.dat ;datfile[8Ch..9Bh]
020h 8 Title ID (gg gg gg gg 04 00 03 00) ;carthdr[230h]
028h 4 Size of title.tmd (usually 208h+20h)
02Ch 4 Size of 000000vv.app (size+N*20h) ;carthdr[210h]
030h 4*7 Size of seven N/A parts (0)
04Ch 4 Size of public.sav (size+N*20h) ;carthdr[238h]
050h 4 Size of banner.sav? (usually 0) ;carthdr[1BFh].bit2=1
054h 8 * 4 List of eight Content IDs in same order as title.tmd
074h 0x3e Reserved section per tmds, uh? (mostly zero, plus garbage?)
0B2h 2 Unknown (zero)
|
000h 20 SHA1 of Icon/Title 014h 20 SHA1 of TNA4 028h 20 SHA1 of title.tmd 03Ch 20 SHA1 of 000000vv.app 040h 20*7 SHA1 of seven N/A parts (unused, can be whatever garbage) 0DCh 20 SHA1 of public.sav 0F0h 20 SHA1 of banner.sav 104h 3Ch ECC signature of [000h..103h] with AP cert 140h 180h AP cert, signed by TW cert 2C0h 180h TW cert, specific to a console (see dev.kp) |
140h 4 Signature Type (00,01,00,02) (ECC, sect233r1, non-RSA) ;\
144h 3Ch Signature Hex numbers... across... below? ; AP cert
180h 40h Signature padding/alignment (zerofilled) ; 180h-byte
1C0h 40h Signature Name "Root-CA..-MS..-TW..-08..", 00h-padded ;
"Root-CA00000001-MS00000008-TWxxxxxxxx-08nnnnnnnnnnn1nn";
200h 4 Key Type (00,00,00,02) (ECC, sect233r1, non-RSA) ;
204h 40h Key Name "AP00030015484e42gg", 00h-padded ;sys.settings ;
244h 4 Key Random/time/type/flags/chksum? ;<-- ZERO here ;
248h 3Ch Key Public ECC Key (point X,Y) (random/per game?) ;
284h 3Ch Key padding/alignment (zerofilled) ;/
2C0h 4 Signature Type (00,01,00,02) (ECC, sect233r1, non-RSA) ;\
2C4h 3Ch Signature Hex numbers... across... below? ; TW cert
300h 40h Signature padding/alignment (zerofilled) ; 180h-byte
340h 40h Signature Name "Root-CA00000001-MS00000008", 00h-padded ; (same as
380h 4 Key Type (00,00,00,02) (ECC, sect233r1, non-RSA) ; dev.kp,
384h 40h Key Name "TWxxxxxxxx-08nnnnnnnnnnn1nn", 00h-padded ; excluding
3C4h 4 Key Random/time/type/flags/chksum? ; private
3C8h 3Ch Key Public ECC Key (point X,Y) ; key)
404h 3Ch Key padding/alignment (zerofilled) ;/
|
| DSi SD/MMC DSiware Files from Nintendo's Server |
Server: "000000vv" (AES-CBC encrypted, raw) eMMC: "000000vv.app" (decrypted, raw) SD Card: "GGGGGGGG.bin" (ES-block encrypted, with extra data) |
KEY[00h..0Fh] = Common Key (AF,1B,F5,16,...) ;from ARM7BIOS IV[00h..07h] = Title ID (00,03,00,tt,gg,gg,gg,gg) ;from tik/cetk[1DCh] IV[08h..0Fh] = Zerofilled ;padding Input: Encrypted Title Key ;from tik/cetk[1BFh] Output: Decrypted Title Key ;for use in next step |
KEY[00h..0Fh] = Decrypted Title Key ;from above step IV[00h..01h] = Usually Zero (or "Index" from tmd?) ;from tmd[1E8h+N*24h] ? IV[02h..0Fh] = Zerofilled ;padding Input: Encrypted file "000000vv" ;from http download Output: Decrypted file "000000vv.app" ;saved on eMMC |
http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/tmd http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/cetk http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/00000002 http://nus.cdn.t.shop.nintendowifi.net/ccs/download/00030015484e4250/00000003 |
| DSi SD/MMC DSiware Tickets and Title metadata |
Server: "cetk" unencrypted, 2468 bytes (2A4h+700h), tik+certificate eMMC: "gggggggg.tik" encrypted, 708 bytes (2A4h+20h), tik+es_block SD Card: N/A N/A, tickets aren't exported to SD card |
000h 4 Signature Type (00h,01h,00h,01h) (100h-byte RSA) 004h 100h Signature RSA-OpenPGP-SHA1 across 140h..2A3h 104h 3Ch Signature padding/alignment (zerofilled) 140h 40h Signature Name "Root-CA00000001-XS00000006", 00h-padded 180h 3Ch ECDH data for one-time installation keys? ;zero for free tik's 1BCh 3 Zero 1BFh 10h Encrypted AES-CBC Title Key 1CFh 1 Zero 1D0h 8 Ticket ID (00,03,xx,xx,xx,xx,xx,xx) ? 1D8h 4 Console ID (see dev.kp "TWxxxxxxxx", zero for free system updates) 1DCh 8 Title ID (00,03,00,17,"HNAP") ;cart[230h] 1E4h 2 Zero (Wii: mostly FFFFh) 1E6h 2 Title Version (vv,00) (LITTLE-ENDIAN!?) ;NEWEST ;cart[01Eh] 1E8h 4 Zero (Wii: Permitted Titles Mask) 1ECh 4 Zero (Wii: Permit mask) 1F0h 1 Zero (Wii: Allow Title Export using PRNG key, 0=No, 1=Yes) 1F1h 1 Zero (Wii: Common Key Index, 0=Normal, 1=Korea) (DSi: Always 0) 1F2h 2Fh Zero 221h 1 Unknown (01h) (Wii: Unknown, 00h=Non-VC, 01h=VC) 222h 20h FFh-filled (Wii: Content access permissions, 1 bit per content) 242h 20h 00h-filled (Wii: Content access permissions, 1 bit per content) 262h 2 Zero 264h 4 Zero ;Wii: Time Limit Enable (0=Disable, 1=Enable) 268h 4 Zero ;Wii: Time Limit Seconds (uh, seconds since/till when?) 26Ch 38h Zero ;Wii: Seven more Time Limits (Enable, Seconds) 2A4h 700h Certificates (see below) (only in "cetk", not in ".tik) |
Server: "tmd" unencrypted, 2312 bytes (208h+700h), tmd+certificate Server: "tmd.nn" as above, OLDER tmd versions (nn=0,1,256,257,512,etc) eMMC: "title.tmd" unencrypted, 520 bytes (208h+0), tmd SD Card: "GGGGGGGG.bin" encrypted, huge file, contains .app+tmd+sav files |
000h 4 Signature Type (00h,01h,00h,01h) (100h-byte RSA) 004h 100h Signature RSA-OpenPGP-SHA1 across 140h..207h 104h 3Ch Signature padding/alignment (zerofilled) 140h 40h Signature Name "Root-CA00000001-CP00000007", 00h-padded 180h 1 Version (00h) 181h 1 ca_crl_version (00h) 182h 1 signer_crl_version (00h) 183h 1 Zero (padding/align 4h) 184h 8 System Version (0) 18Ch 8 Title ID (00,03,00,17,"HNAP") ;cart[230h] 194h 4 Title Type (0) 198h 2 Group ID (eg. "01"=Nintendo) ;cart[010h] 19Ah 4 SD/MMC "public.sav" filesize in bytes (0=none) ;cart[238h] 19Eh 4 SD/MMC "private.sav" filesize in bytes (0=none) ;cart[23Ch] 1A2h 8 Zerofilled 1AAh 10h Parental Control Age Ratings ;cart[2F0h] 1BAh 1Eh Zerofilled 1D8h 4 Access rights (0) 1DCh 2 Title Version (vv,00) (LITTLE-ENDIAN!?) ;NEWEST ;cart[01Eh] 1DEh 2 Number of contents (at 1E4h and up) (usually 00h,01h) 1E0h 2 boot index (0) 1E2h 2 Zerofilled (padding/align 4h) 1E4h+N*24h 4 Content ID (00,00,00,vv) ;lowercase/hex ;"0000000vv.app" 1E8h+N*24h 2 Content Index (00,00) 1EAh+N*24h 2 Content Type (00,01) ;aka DSi .app 1ECh+N*24h 8 Content Size (00,00,00,00,00,19,E4,00) ;NEWEST ;cart[210h] 1F4h+N*24h 14h Content SHA1 (on decrypted ".app" file);NEWEST 208h+.. 700h Certificates (see below) (only in "tmd", not in ".tmd) |
cert cetk tmd siz content 000h 2A4h 208h 4 Signature Type (00h,01h,00h,01h) ;\ 004h 2A8h 20Ch 100h Signature ; 104h 3A8h 30Ch 3Ch Signature padding/alignment (zerofilled) ; 140h 3E4h 348h 40h Signature Name "Root-CA00000001", 00h-padded ; 300h bytes 180h 424h 388h 4 Key Type (00,00,00,01) (100h-byte RSA) ; 184h 428h 38Ch 40h Key Name "XS00000006", 00h-padded ; 1C4h 468h 3CCh 4 Key Random/time/type/flags/chksum? ; 1C8h 46Ch 3D0h 100h Key Public RSA Key ; 2C8h 56Ch 4D0h 4 Key Public RSA Exponent? (00,01,00,01) ; 2CCh 570h 4D4h 34h Key padding/alignment (zerofilled) ;/ 300h 5A4h 508h 4 Signature Type (00h,01h,00h,00h) ;\ 304h 5A8h 50Ch 200h Signature ; 504h 7A8h 70Ch 3Ch Signature padding/alignment (zerofilled) ; 540h 7E4h 748h 40h Signature Name "Root" (padded with 00h) ; 400h bytes 580h 824h 788h 4 Key Type (00,00,00,01) (100h-byte RSA) ; 584h 828h 78Ch 40h Key Name "CA00000001", 00h-padded ; 5C4h 868h 7CCh 4 Key Random/time/type/flags/chksum? ; 5C8h 86Ch 7D0h 100h Key Public RSA Key ; 6C8h 86Ch 8D0h 4 Key Public RSA Exponent? (00,01,00,01) ; 6CCh 970h 8D4h 34h Key padding/alignment (zerofilled) ;/ |
| DSi SD/MMC Firmware dev.kp and cert.sys Certificate Files |
000h 300h Public RSA Key "XS00000006" signed by "Root-CA00000001" 300h 400h Public RSA Key "CA00000001" signed by "Root" 700h 300h Public RSA Key "CP00000007" signed by "Root-CA00000001" Below NOT in Korea? Or NOT when notyet connected to DSi Shop? A00h 240h Public ECC Key "MS00000008" signed by "Root-CA00000001" C40h 300h Public RSA Key "XS00000003" signed by "Root-CA00000001" |
000h 300h Public RSA Key "CP00000005" signed by "Root-CA00000002" 300h 300h Public RSA Key "XS00000006" signed by "Root-CA00000002" 600h 400h Public RSA Key "CA00000002" signed by "Root" A00h 300h Public RSA Key "CP00000007" signed by "Root-CA00000002" |
000h 4 Signature Type (00,01,00,01) (100h-byte RSA) ;\ 004h 100h Signature RSA-OpenPGP-SHA1 across 140h..2FF ; 104h 3Ch Signature padding/alignment (zerofilled) ; 140h 40h Signature Name "Root-CA00000001", 00h-padded ; 180h 4 Key Type (00,00,00,01) (100h-byte RSA) ; 184h 40h Key Name "XS00000006", 00h-padded ; 1C4h 4 Key Random/time/type/flags/chksum? ; 1C8h 100h Key Public RSA Key (92,FF,96,40..) ; 2C8h 4 Key Public RSA Exponent? (00,01,00,01) ; 2CCh 34h Key padding/alignment (zerofilled) ;/ 300h 4 Signature Type (00,01,00,00) (200h-byte RSA) (!) ;\ 304h 200h Signature RSA-OpenPGP-SHA1 across 540h..6FF ; 504h 3Ch Signature padding/alignment (zerofilled) ; 540h 40h Signature Name "Root", 00h-padded ; 580h 4 Key Type (00,00,00,01) (100h-byte RSA) ; 584h 40h Key Name "CA00000001", 00h-padded ; 5C4h 4 Key Random/time/type/flags/chksum? ; 5C8h 100h Key Public RSA Key (B2,79,C9,E2..) ; 6C8h 4 Key Public RSA Exponent? (00,01,00,01) ; 6CCh 34h Key padding/alignment (zerofilled) ;/ 700h 4 Signature Type (00,01,00,00) (100h-byte RSA) ;\ 704h 100h Signature RSA-OpenPGP-SHA1 across 840h..9FF ; 804h 3Ch Signature padding/alignment (zerofilled) ; 840h 40h Signature Name "Root-CA00000001", 00h-padded ; 880h 4 Key Type (00,00,00,01) (100h-byte RSA) ; 884h 40h Key Name "CP00000007", 00h-padded ; 8C4h 4 Key Random/time/type/flags/chksum? ; 8C8h 100h Key Public RSA Key (93,BC,0D,1F..) ; 9C8h 4 Key Public RSA Exponent? (00,01,00,01) ; 9CCh 34h Key padding/alignment (zerofilled) ;/ Below NOT when notyet connected to DSi Shop: A00h 4 Signature Type (00,01,00,01) (100h-byte RSA) ;\ A04h 100h Signature RSA-OpenPGP-SHA1 across B40h..C3F ; B04h 3Ch Signature padding/alignment (zerofilled) ; B40h 40h Signature Name "Root-CA00000001", 00h-padded ; B80h 4 Key Type (00,00,00,02) (ECC, sect233r1, non-RSA) ; B84h 40h Key Name "MS00000008", 00h-padded ; BC4h 4 Key Random/time/type/flags/chksum? ; BC8h 3Ch Key Public ECC Key (point X,Y) (01,93,6D,08..) ; C04h 3Ch Key padding/alignment (zerofilled) ;/ C40h 4 Signature Type (00,01,00,01) (100h-byte RSA) ;\ C44h 100h Signature RSA-OpenPGP-SHA1 across D80h..F3F ; D44h 3Ch Signature padding/alignment (zerofilled) ; D80h 40h Signature Name "Root-CA00000001", 00h-padded ; DC0h 4 Key Type (00,00,00,01) (100h-byte RSA) ; DC4h 40h Key Name "XS00000003", 00h-padded ; D04h 4 Key Random/time/type/flags/chksum? ; E08h 100h Key Public RSA Key (AD,07,A9,37..) ; F08h 4 Key Public RSA Exponent? (00,01,00,01) ; F0Ch 34h Key padding/alignment (zerofilled) ;/ |
Root-CA00000001: used for signing the four certificates below
Root-CA00000001-CP00000007: used for signing TMDs ("Content Protection"?)
Root-CA00000001-MS00000008: used for signing per-console ECC keys ("Master"?)
Root-CA00000001-XS00000003: used for signing tickets from the DSiWare Shop
Root-CA00000001-XS00000006: used for signing (common) tickets ("access"?)
|
KEY_X[00h..03h] = 4E00004Ah ;\ KEY_X[04h..07h] = 4A00004Eh ; same as for Tad KEY_X[08h..0Bh] = Port[4004D00h+4] xor C80C4B72h ; KEY_X[0Ch..0Fh] = Port[4004D00h+0] ;/ KEY_Y[00h..0Fh] = Constant (E5,CC,5A,8B,...) ;from ARM7BIOS |
000h 4 Signature Type (00,01,00,02) (ECC, sect233r1, non-RSA) ;\ 004h 3Ch Signature Hex numbers... across... below? ; 040h 40h Signature padding/alignment (zerofilled) ; 080h 40h Signature Name "Root-CA00000001-MS00000008", 00h-padded ; 0C0h 4 Key Type (00,00,00,02) (ECC, sect233r1, non-RSA) ; 0C4h 40h Key Name "TWxxxxxxxx-08nnnnnnnnnnn1nn", 00h-padded ; 104h 4 Key Random/time/type/flags/chksum? ; 108h 3Ch Key Public ECC Key (point X,Y) ;<-- public key ; 144h 3Ch Key padding/alignment (zerofilled) ; 180h 1Eh Key Private ECC Key ;<-- private key ;/ |
"TW" might be for DSi only (ie. it might be different on DSi XL or 3DS?) "xxxxxxxx" is 8-digit lower-case hex number (unknown where from; for .tik) "08nnnnnnnnnnn1nn" is 16-digit lower-case hex number (from Port 4004D00h) |
Signature across rest of block -- type = 0x00010002, ECC 0000000: 00 01 00 02 00 db da 21 3b e1 f1 bf bb 4d dc 1d 0000010: 60 29 da 19 42 1e 66 4f a8 e5 27 a1 d4 ea 46 7d 0000020: 9b b4 00 95 c5 0d e8 fa ef a7 8d e9 bc 54 da c1 0000030: 24 94 0b 7c ad a8 61 d5 05 97 c2 64 38 ad 18 f9 |
0000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Key used to sign this cert (Root-CA00000001-MS00000008) 0000080: 52 6f 6f 74 2d 43 41 30 30 30 30 30 30 30 31 2d Root-CA00000001- 0000090: 4d 53 30 30 30 30 30 30 30 38 00 00 00 00 00 00 MS00000008 00000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Console ID string 00000c0: 00 00 00 02 54 57 63 37 39 64 63 65 63 39 2d 30 ....TWc79dcec9-0 00000d0: 38 61 32 30 32 38 37 30 31 30 38 34 31 31 38 00 8a2028701084118. 00000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Public ECC key (30 bytes, starting at 0x108) 0000100: 00 00 00 00 6f dd de 42 01 e0 34 a3 19 bc a9 af 0000110: 50 fe 8a ac 75 08 07 a9 3a 2c 21 51 93 ae 4a 90 0000120: 6e 62 41 f1 a2 fe 00 00 3d 0a 13 97 da 53 17 98 0000130: 69 38 65 67 ca f4 9c 87 ec 44 b7 eb d0 ec b8 3d 0000140: 23 cf 7a 35 00 00 00 00 00 00 00 00 00 00 00 00 0000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Private per-console ECC key, used for signing files on SD 0000180: 01 12 9d e0 77 82 44 d3 ee 99 ad ce e5 fa fa ed 0000190: c9 ab 8e a1 f9 b5 c8 14 3c 74 74 f8 19 3a |
| DSi SD/MMC Firmware Font File |
0000h 80h RSA-SHA1 on entries [0080h..009Fh] (23h,8Bh,F9h,08h,...) 0080h 4 Date? (00h,31h,07h,08h=Norm, 27h,05h,09h=Korea) 0084h 1 Number of NFTR resources (3=Norm, 9=Korea) 0085h 1 Zerofilled 0086h 1 Unknown (0=Norm, 5=Korea) 0087h 5 Zerofilled 008Ch 14h SHA1 on below resource headers at [00A0h+(0..NUM*40h-1)] 00A0h+N*40h 20h Resource Name in ASCII, padded with 00h 00C0h+N*40h 4 Compressed Resource Size in .dat file ;\compressed 00C4h+N*40h 4 Compressed Resource Start in .dat file ;/ 00C8h+N*40h 4 Decompressed Resource Size ;-decompressed 00CCh+N*40h 14h SHA1 on Compressed Resource at [Start+0..Size-1] ... .. Compressed Font Resources (with 16-byte alignment padding) |
"TBF1_l.NFTR" ;0 Large 16x21 pixels ;\Normal (blurry: 4 colors used) "TBF1_m.NFTR" ;1 Medium 12x16 pixels ; 2bpp, 7365 characters, Unicode "TBF1_s.NFTR" ;2 Small 10x12 pixels ;/ (china?) ;3 (china?) ;4 (china?) ;5 "TBF1-kr_l.NFTR" ;6 Large 16x21 pixels ;\Korea (crisp-clear: 2 colors used) "TBF1-kr_m.NFTR" ;7 Medium 12x16 pixels ; 2bpp, 3679 characters, Unicode "TBF1-kr_s.NFTR" ;8 Small 10x12 pixels ;/ |
.. uncompressed area (usually 15h bytes) ... compressed area (decompressed backwards) .. footer: padding (to 4-byte boundary) 3 footer: size of footer+compressed area (offset to compressed.bottom) 1 footer: size of footer (offset to compressed.top) 4 footer: extra DEST size (offset to decompressed.top) .. zeropadding to 10h-byte boundary |
| DS Cartridge Nitro Font Resource Format |
.NFTR Raw uncompressed Nitro Font Resource .ZFTR LZ11-compressed Nitro Font Resource .dat Archive with three LZrev-compressed Nitro Font Resources (used on DSi) |
00h 4 Chunk ID "RTFN" (Nitro Font Resource) 04h 2 Byte Order (FEFFh) (indicates that above is to be read backwards) 06h 2 Version (0100h..0102h) (usually 0101h or 0102h) 08h 4 Decompressed Resource Size (000A3278h) (including the NFTR header) 0Ch 2 Offset to "FNIF" Chunk, aka Size of "RTFN" Chunk (0010h) 0Eh 2 Total number of following Chunks (0003h+NumCharMaps) (0018h) |
00h 4 Chunk ID "FNIF" (Font Info) 04h 4 Chunk Size (1Ch or 20h) 08h 1 Unknown/unused (zero) 09h xxx 1 Height ;or Height+/-1 0Ah xxx 1 Unknown (usually 00h, or sometimes 1Fh) 0Bh 2 Unknown/unused (zero) 0Dh xxx 1 Width ;\or Width+1 0Eh xxx 1 Width_bis (?) ;/ 0Fh 1 Encoding (0=UTF8, 1=Unicode, 2=SJIS, 3=CP1252) (usually 1) 10h 4 Offset to Character Glyph chunk, plus 8 14h 4 Offset to Character Width chunk, plus 8 18h 4 Offset to first Character Map chunk, plus 8 1Ch (1) Tile Height ;\present only 1Dh xxx (1) Max Width or so +/-? ; when above 1Eh (1) Underline location ; Chunk Size = 20h 1Fh (1) Unknown/unused (zero) ;/(version 0102h) |
00h 4 Chunk ID "PLGC" (Character Glyph) 04h 4 Chunk Size (10h+NumTiles*siz+padding) 08h 1 Tile Width in pixels 09h 1 Tile Height in pixels 0Ah 2 Tile Size in bytes (siz=width*height*bpp+7)/8) 0Ch 1 Underline location 0Dh 1 Max proportional Width including left/right spacing 0Eh 1 Tile Depth (bits per pixel) (usually 1 or 2, sometimes 3) 0Fh 1 Tile Rotation (0=None/normal, other=see below) 10h ... Tile Bitmaps ... ... Padding to 4-byte boundary (zerofilled) |
00h 4 Chunk ID "HDWC" (Character Width) 04h 4 Chunk Size (10h+NumTiles*3+padding) 08h 2 First Tile Number (should be 0000h) 0Ah 2 Last Tile Number (should be NumTiles-1) 0Ch 4 Unknown/unused (zero) 10h+N*3 1 Left Spacing (to be inserted left of character bitmap) 11h+N*3 1 Width of Character Bitmap (excluding left/right spacing) 12h+N*3 1 Total Width of Character (including left/right spacing) ... ... Padding to 4-byte boundary (zerofilled) |
00h 4 Chunk ID "PAMC" (Character Map) 04h 4 Chunk Size (14h+...+padding) 08h 2 First Character (eg. 0020h=First ASCII Char) 0Ah 2 Last Character (eg. 007Eh=Last ASCII Char) 0Ch 4 Map Type (0..2, for entry 14h and up, see there) 10h 4 Offset to next Character Map, plus 8 (0=None, no further) |
14h 2 TileNo for First Char (and increasing for further chars) 16h 2 Padding to 4-byte boundary (zerofilled) |
14h+N*2 2 TileNo's for First..Last Char (FFFFh=None; no tile assigned) ... 0/2 Padding to 4-byte boundary (zerofilled) |
14h 2 Number of following Char=Tile groups... 16h+N*4 2 Character Number 18h+N*4 2 Tile Number ... 2 Padding to 4-byte boundary (zerofilled) |
| LZ Decompression Functions |
typ=byte[src], fin=dst+(word[src]/100h), src=src+4
@@collect_more:
flagbits=[src], src=src+1, numflags=8
@@decompress_lop:
if dst>=fin then goto @@decompress_done
if numflags=0 then goto @@collect_more
numflags=numflags-1, flagbits=flagbits*2
if (flagbits AND 100h)=0 then
[dst]=[src], dst=dst+1, src=src+1
else
if typ=10h ;LZSS (BIOS SWI compatible)
len=3
elseif typ=11h ;LZ11 (special extended format)
if [src]/10h>1 then len=001h
if [src]/10h<1 then len=011h+([src] AND 0Fh)*10h, src=src+1
if [src]/10h=1 then len=111h+([src] AND 0Fh)*1000h+[src+1]*10h, src=src+2
endif
len=len+[src]/10h, disp=001h+([src] AND 0Fh)*100h+[src+1], src=src+2
for i=1 to len, [dst]=[dst-disp], dst=dst+1, next i
endif
goto @@decompress_lop
@@decompress_done:
ret
|
allocate buf(dest_size), copy "src_size" bytes from file to buf
src=buf+src_size ;origin = pointing after footer
dst=src+(word[src-4])-1 ;dst = src plus extra len
fin=src-(word[src-8] AND 00FFFFFFh) ;fin = src minus compressed_len
src=src-(byte[src-5])-1 ;src = src minus footer_len
@@collect_more:
flagbits=[src], src=src-1, numflags=8
@@decompress_lop:
if src<=fin then goto @@decompress_done
if numflags=0 then goto @@collect_more
numflags=numflags-1, flagbits=flagbits*2
if (flagbits AND 100h)=0 then
[dst]=[src], dst=dst-1, src=src-1
else
len=([src]/10h)+3, disp=([src] AND 0Fh)*100h+([src-1])+3, src=src-2
for i=1 to len, [dst]=[dst+disp], dst=dst-1, next i
endif
goto @@decompress_lop
@@decompress_done:
ret
|
| DSi SD/MMC Firmware Log Files |
0000h 20h Zerofilled |
0,BOARD,START,1.5,09/01/14,14:52,000055, , 0,BOARD,OK,1.5,09/01/14,14:53,000055, , 0,TP_CAL,OK,2.0, , , ,(647 811)-(3478 3245), 0,AGING,OK,1.0, , , ,Time=60:20(m:s) Count=32, 0,FINAL,START,1.5,09/01/15,09:52,000084,TWL Ver.2.0, 0,FINAL,OK,1.5,09/01/15,09:52,000084,TWL Ver.2.0, 0,MIC,OK,2.1, , , ,All Test Passed, 0,CAMERA,OK,2.1, , , , , 0,WRFU,START,0.60,09/01/15,10:03,000143,P000063 G000143 717cfde74f5ef6763473, 0,WRFU,OK,0.60,09/01/15,10:04,000143,PCVer:1.7f R-53 -55 E0.00 0.00, 0,IMPORT,START,1.0, , , , , 0,IMPORT,OK,1.0, , , ,Region=EUR, 0,NCHECK,OK,1.0, , , , , |
#FFT 13-08-18[SUN] 12:37:10 title: HNAP DHT_PAHSE1_FAILED (sub info): hash1 - 8dfc..59 #FFT 13-08-18[SUN] 12:37:10 title: HNAP DHT_PAHSE1_FAILED (sub info): calc_hash - 7eca..f5 #FFT 13-08-18[SUN] 12:37:11 title: HNAP menuRedIplManager.cpp [l.514] RED FATAL 0000000010000000 (0000000041575445) #FFT 13-08-18[SUN] 12:37:11 title: HNAP menuResetCallback.cpp [l.50] type 0 #FFT 13-08-18[SUN] 13:44:16 title: HNAP DHT_PAHSE1_FAILED (sub info): hash1Addr-02799e38 #FFT 13-08-18[SUN] 13:44:16 title: HNAP DHT_PAHSE1_FAILED (sub info): hash1 - 8dfc..59 ... ... #FFT 13-09-10[TUE] 22:07:39 title: HNAP menuResetCallback.cpp [l.50] type 0 #FFT 13-09-14[SAT] 14:59:16 title: HNAP SYSMi_LoadTitleThreadFunc: some error has occurred. #FFT 13-09-14[SAT] 14:59:16 title: HNAP SYSMi_AuthenticateTitleThreadFunc: loaded 1 times. #FFT 13-09-14[SAT] 14:59:17 title: HNAP menuRedIplManager.cpp [l.514] RED FATAL 0000800000002100 (0003000049524544) #FFT 13-09-14[SAT] 14:59:17 title: HNAP menuResetCallback.cpp [l.50] type 0 #FFT 00-01-03[MON] 20:50:18 title: HNAP WHITELIST_NOTFOUND (sub info): no entry for phase 1/2. #FFT 00-01-03[MON] 20:50:18 title: HNAP WHITELIST_NOTFOUND (sub info): no entry for phase 3. #FFT 00-01-03[MON] 20:50:18 title: HNAP SYSMi_LoadTitleThreadFunc: some error has occurred. #FFT 00-01-03[MON] 20:50:18 title: HNAP SYSMi_AuthenticateTitleThreadFunc: loaded 1 times. #FFT 00-01-03[MON] 20:50:19 title: HNAP menuRedIplManager.cpp [l.514] RED FATAL 0000800008000100 (000000004143454b) #FFT 00-01-03[MON] 20:50:19 title: HNAP menuResetCallback.cpp [l.50] type 0 #FFT 00-01-05[WED] 01:03:16 title: HNAP WHITELIST_NOTFOUND (sub info): no entry for phase 1/2. ... ... #FFT 00-01-01[SAT] 00:02:37 title: HNAP SYSMi_AuthenticateTitleThreadFunc: loaded 1 times. #FFT 00-01-01[SAT] 00:02:38 title: HNAP menuRedIplManager.cpp [l.514] RED FATAL 0002004000000100 (00000000414e5045) #FFT 00-01-01[SAT] 00:02:38 title: HNAP menuResetCallback.cpp [l.50] type 0 |
| DSi SD/MMC Firmware Misc Files |
0000h 80h RSA-SHA1-HMAC across entries [0088h..00A3h]
(with RSA key from Bootsectors, and also from Launcher)
(with SHA1-HMAC key = SHA1([4004D00h..4004D07h], aka Console ID)
0080h 4 Header, Version or so (00000001h)
0084h 4 Header, Size of entries at [0088h..00A3h] (0000001Ch)
0088h 4 Bitmask for Supported Languages (3Eh for Europe) (as wifi_flash)
008Ch 4 Unknown (00,00,00,00) (bit0=flag for 4004020h.bit0=wifi ?)
0090h 1 Console Region (0=JPN, 1=USA, 2=EUR, 3=AUS, 4=CHN, 5=KOR)
0091h 12 Serial/Barcode (ASCII, 11-12 characters; see console sticker)
009Dh 3 Unknown (00,00,3C) ;"<"
00A0h 4 Title ID LSBs for Launcher ("PANH", aka HNAP spelled backwards)
00A4h 3F5Ch Unused (FFh-filled)
|
0000h 14h SHA1 on entries [088h..09Bh] 0014h 6Ch Zerofilled 0080h 4 Header, Version or so (00000001h) 0084h 4 Header, Size of entries at [0088h..009Bh] (00000014h) 0088h 4 Some per-console ID (used what for?) 008Ch 10h Some per-console ID (used in "Tad Files") 009Ch 3F64h Unused (FFh-filled) |
0000h 100h RSA-OpenPGP-SHA1 across... whatever? |
voice18111008215651000010001.dat ;14402h bytes voice20131018211242000010001.dat ;14402h bytes voice19111008215708000010001.dat ;14402h bytes voice00131018211411003110001.dat ;14402h bytes voice01150418144405002110001.dat ;14402h bytes voiceNNYYMMDDHHMMSS00NN10001.dat ;14402h bytes |
| DSi SD/MMC Firmware Wifi Firmware |
DSi Firmware 1.0 --> Wifi Firmware v0 (supports AR6002) DSi Firmware 1.1 thru 1.2 --> Unknown (presumably v0 or v1) DSi Firmware 1.3 --> Wifi Firmware v1 (supports AR6002) DSi Firmware 1.4 thru 1.4.5 --> Wifi Firmware v2 (supports AR6002+AR6013) Note: The AR6002 part is exact same in v1 and v2 (with same SHA1 in Part 1) However, part 1.c was slightly smaller in v0, apparently some small bugfix. |
00000h 80h RSA-SHA1 (on [00080h..0009Fh]) (via RSA key from BIOS) ;\ 00080h 14h Header SHA1 (on [000A0h..000FFh]) ; SHA 00094h 4 Header Size (00000060h, for entries 000A0h..000FFh) ; 00098h 8 Zerofilled ;/ 000A0h 2 Version (0000h,0001h,0002h for v0,v1,v2) ;\ 000A2h 1 Number of parts (01h..02h) ;(02h in v2 only) ; Header 000A3h 1 Unknown/zero? (00h) ; 000A4h 4 Part 1 Start (00000100h) ;(in v1: E0h) ;\Part 1 ; with IDs 000A8h 4 Part 1 Size (00013AC0h) ; DWM-W015; as in wifi 000ACh 4 Part 1 ID (00000001h) (=DWM-W015) ; AR6002G ; flash[1FDh] 000B0h 14h Part 1 SHA1 (on [00100h..13BBFh]) ;/ ; 000C4h 4 Part 2 Start (00013BC0h) ;\Part 2 ; ;\ 000C8h 4 Part 2 Size (000042A0h) ; DWM-W024; ; not in 000CCh 4 Part 2 ID (00000002h) (=DWM-W024) ; AR6013G ; ; version 1 000D0h 14h Part 2 SHA1 (on [13BC0h..17E5Fh]) ;/ ; ;/ 000E4h 1Ch Zerofilled (padding to 20h-byte boundary) ;/ 00100h 1 Part 1 num subheader's (04h) (a/b/c/d) ;\ 00101h 1 Part 1 num ChipID's (02h) ; 00102h 2 Part 1 offset to ChipID's (0044h) ; 00104h 10h Part 1.a firm/main (00000080h,00013458h,80000001h,00502400h) ; 00114h 10h Part 1.b database (000134E0h,000002BCh,00000002h,0052D944h) ; 00124h 10h Part 1.c stub/code (000137A0h,000002DEh,00000004h,00515000h) ; 00134h 10h Part 1.d stub/data (00013A80h,00000030h,00000005h,00502400h) ; 00144h 8 Part 1 ChipID 1 ;alternate IDs ? (02010001h,20000188h) ; 0014Ch 8 Part 1 ChipID 2 ;CHIP_ID, ROM_VERSION (02000001h,20000188h) ; 00154h 4 Part 1 Firmware Version: 2.1.0.123 (2100007Bh) ; 00158h 0Ch Part 1 RAM vars/base/size (00500400h,00500000h,0002E000h) ; 00164h 1Ch Zerofilled ; 00180h 13460h Part 1.a data (13458h compressed bytes, +8 bytes zeropadding); 135E0h 2C0h Part 1.b data (2BCh bytes, +04h bytes zeropadding) ;database ; 138A0h 2E0h Part 1.c data (2DEh bytes, +02h bytes zeropadding) ;stubcode ; 13B80h 40h Part 1.d data (30h bytes, +10h bytes zeropadding) ;stubdata ;/ 13BC0h 1 Part 2 num subheader's (04h) ;\ 13BC1h 1 Part 2 num ChipID's (02h) ; 13BC2h 2 Part 2 offset to ChipID's (0044h) ; 13BC4h 10h Part 2.a firm/main (00000080h,00002EECh,80000001h,00524C00h) ; 13BD4h 10h Part 2.b database (00002F80h,00000FC0h,00000002h,0053F040h) ; 13BE4h 10h Part 2.c stub/code (00003F40h,00000312h,00000004h,00527000h) ; 13BF4h 10h Part 2.d stub/data (00004260h,00000038h,00000005h,00524C00h) ; 13C04h 8 Part 2 ChipID 1 ;CHIP_ID, ROM_VERSION (0D000000h,23000024h) ; 13C0Ch 8 Part 2 ChipID 2 ;alternate IDs? (0D000001h,23000024h) ; 13C14h 4 Part 2 Firmware Version: 2.3.0.108 (2300006Ch) ; 13C18h 0Ch Part 2 RAM vars/base/size (00520000h,00520000h,00020000h) ; 13C24h 1Ch Zerofilled ; 13C40h 2F00h Part 2.a data (2EECh compressed bytes,+14h bytes zeropadding); 16B40h FC0h Part 2.b data (FC0h bytes, +00h bytes zeropadding) ; 17B00h 320h Part 2.c data (312h bytes, +0Eh bytes zeropadding) ; 17E20h 40h Part 2.d data (38h bytes, +08h bytes zeropadding) ;/ |
Part 1.a data: 9F,FF,FF,FF,FF,FF,FF,00,00,00,00,9F,04,04,.. Part 2.a data: 5E,00,00,00,00,5E,04,04,5E,08,08,41,5F,49,.. |
| DSi SD/MMC Firmware System Settings Data Files |
2000400h 128h TWLCFGn.dat bytes [088h..1AFh] 2FFFC80h 70h Wifi FLASH User Settings (fmw[newest_user_settings]) 2FFFDFCh 4 Pointer to 2000400h |
if [2FFFDFCh]=0 then [2FFFDFCh]=2000400h |
File RAM Siz Description
000h - 14h SHA1 on entries [088h..1AFh]
014h - 6Ch Zerofilled
080h - 1 Version or so (01h)
081h - 1 Update Counter (0..7Fh, wraps after 7bit) ;fmw_user[070h]
082h - 2 Zero (0000h)
084h - 4 Size of below RAM area (00000128h)
088h 000h 1 Unknown (0Fh) (bit3 set when wireless comms are enabled)
089h 001h 2 Zerofilled
08Bh 003h 1 Unknown (01h) (happens to be 00h after.. country change?)
08Ch 004h 1 Zero
08Dh 005h 1 Country code, same as Wii country codes (eg. 40h=Albania)
08Eh 006h 1 Selected Language (eg. 1=English) ;fmw_user[064h,075h]
08Fh 007h 1 RTC Year (last date change) (max 63h=2099) ;fmw_user[066h]
090h 008h 4 RTC Offset (difference in seconds on change) ;fmw_user[068h]
094h 00Ch 4 Zerofilled (or FFh-filled) (=MSBs of above?)
098h 010h 1 Flags (01h) (bit0 set when EULA was accepted) (0=newcountry?)
...or EULA version (to be same/higher than carthdr[20Eh])?
099h 011h 9 Zerofilled
0A2h 01Ah 1 Alarm Hour (0..17h) ;fmw_user[052h]
0A3h 01Bh 1 Alarm Minute (0..3Bh) ;fmw_user[053h]
0A4h 01Ch 2 Zerofilled
0A6h 01Eh 1 Alarm Enable (0=Off, 1=On) ;fmw_user[056h]
0A7h 01Fh 2 Zerofilled
0A9h 021h 4 Unknown (09 1E 00 03) (2nd.byte.LSB E=English, F=French ??)
0ADh 025h 3 Zerofilled
0B0h 028h 8 Title ID (most recent System Menu selection) ;cart[230h]
0B8h 030h 2x2 TSC calib (adc.x1,y1) 12bit ADC-position ;fmw_user[058h]
0BCh 034h 2x1 TSC calib (scr.x1,y1) 8bit pixel-position ;fmw_user[05Ch]
0BEh 036h 2x2 TSC calib (adc.x2,y2) 12bit ADC-position ;fmw_user[05Eh]
0C2h 03Ah 2x1 TSC calib (scr.x2,y2) 8bit pixel-position ;fmw_user[062h]
0C4h 03Ch 4 Unknown (9C 20 01 02)
0C8h 040h 4 Zerofilled
0CCh 044h 1 Favorite color (also Sysmenu Cursor Color) ;fmw_user[002h]
0CDh 045h 1 Zero
0CEh 046h 2 Birthday (month, day) ;fmw_user[003h..004h]
0D0h 048h 14h+2 Nickname (UCS-2), max 10 chars+EOL ;fmw_user[006h..019h]
0E6h 05Eh 34h+2 Message (UCS-2), max 26 chars+EOL ;fmw_user[01Ch..04Fh]
11Ch 094h 1 Parental Controls Flags (bit0=Parental, bit1-6=Pictochat,etc)
11Dh 095h 6 Zero
123h 09Bh 1 Parental Controls Region (0=Off, 3=German/USK, 4=French?)
124h 09Ch 1 Parental Controls Years of Age Rating (00h..14h) ;cart[2F0h]
125h 09Dh 1 Parental Controls Secret Question (00h..05h)
126h 09Eh 1 Parental Controls Unknown (can be 00h, 06h, or 07h)
127h 09Fh 2 Zero
129h 0A1h 4+1 Parental Controls PIN (ASCII digits) 4 digits+EOL
12Eh 0A6h 80h+2 Parental Controls Secret Answer (UCS-2), max 64 chars+EOL
1B0h - 3E50h Unused (FFh-filled)
|
- 1E0h 1 WlFirm Type (1=DWM-W015, 2=DWM-W024) (as wifi_flash[1FDh]) - 1E1h 1 WlFirm Unknown (zero) - 1E2h 2 WlFirm CRC16 with initial value FFFFh on [1E4h..1EFh] - 1E4h 0Ch WlFirm Version? RAM_area? (as from "Wifi Firmware" file) - 1F0h 10h WlFirm Unknown (zero) - 200h 14h Hexvalues from HWINFO_N.dat - 214h 0Ch Unused/padding? (zero) |
Language and Flags 2 fmw_user[064h] (particulary: Flags) More Parental Control stuff |
| DSi SD/MMC Firmware Version Data File |
00000001..00000009 jpn (9 versions) 00000003..00000009 usa/eur/aus (7 versions) 00000001..00000006 chn (6 versions) 00000002..00000006 kor (5 versions) |
0000h 80h RSA-SHA1 on entries [0080h..end of file] 0080h ... NARC (Nitro Archive) ... |
twl-nup-cert.der - server cert for software update server
twl-nup-prvkey.der - client-side private key for software update server
twl-shop-cert.der - server cert for Shopping Channel server
twl-shop-prvkey.der - client-side private key for Shopping Channel server
NintendoCA-G2.der - Certificate Authority cert, used to sign the other certs
eula_url.bin - URL to the EULA text for this system update,
generally https://cfh.t.app.nintendowifi.net/eula/
nup_host.bin - server to query for the next system update,
generally nus.t.shop.nintendowifi.net:443
time_stamp.bin - build date for this version, eg. 00281108 (28 Nov 2008)
user_area_size.bin - eg. 08000000h (signed) (=128Mbyte?) (aka 1024 "blocks"?)
version.bin - machine and human-readable version numbers for this
version of the System Menu, eg.
0000: 01000300 31002e00 33004500 00000000 ....1...3.E.....
0010: 00000000 00000000 00000000 00000000 ................
bytes 0 and 1 are the major version number, bytes 2 and 3 are the minor
version number, and the rest of the file is the human-readable
UCS-2 version number displayed in the Settings menu as the "System Menu
Version".
|
KEY[00h..0Fh] = Constant (08,2F,61,38,...) ;from ARM7BIOS |
0.1 31 Jul 2008 Pre-release v0.1A (accidentally included in v1.0J) 1.0 09 Sep 2008 Pre-installed v1.0J version (the actual file in v1.0J) 1.0? 22 Oct 2008? First Update(??) to Japanese Region DSi System Menu 1.1? ? dsibrew:NoneSuch?, wikipedia:Preinstalled1stJpnVersion?? 1.2 18 Dec 2008 Second Update to Japanese Region DSi System Menu 1.3 03 Apr 2009 Launch Day (USA, EUR, AUS), new "start DSi Camera" button 1.4 29 Jul 2009 Blocks NDS flashcarts, Facebook support to share photos 1.4.1 07 Sep 2010 Blocks more NDS flashcarts 1.4.2 10 May 2011 Blocks DSiWare exploits on SD card (sudokuhax etc.) 1.4.3 29 Jun 2011 Blocks more NDS flashcarts (only whitelist was updated) 1.4.4 21 Mar 2012 Blocks DSi cart exploits (CookingCoach/ClassicWordGames) 1.4.5 11 Dec 2012 Blocks more NDS flashcards |
| DSi SD/MMC Firmware Nintendo DS Cart Whitelist File |
Part 1 ("NDHT") is same in v1.0 through v1.4.5:
00000h 4 ID "NDHT" ;\
00004h 80h RSA-SHA1 on [00084h..286A7h] ;
00084h 4 Number of titles (00000D76h) (=3446) ;
00088h D76h*30h Titles (30h bytes each, with two SHA1s) ;/
Part 2 ("NDHX") is same in v1.4 through v1.4.5 (doesn't exist in v1.3):
286A8h 4 ID "NDHX" ;\
286ACh 80h RSA-SHA1 on [2872Ch..4AFBFh] ;
2872Ch 4 Number of titles (000013BCh) (=5052) ;
28730h 13BCh*1Ch Titles (1Ch bytes each, only one SHA1) ;/
Part 3 ("NDHI") differs in v1.4 versus v1.4.5 (doesn't exist in v1.3):
4AFC0h 4 ID "NDHI" ;\
4AFC4h 80h RSA-SHA1 on [4B044h..4B1B7h] ;
4B044h 4 Number of titles (04h in v1.4E) ;60h in v1.4.5E ;
4B048h 4*5Ch Specials for A3TE,A6WE,YF7E,YOUF ;/
Footer:
4B1B8h 13 Version String ("2832",0Dh,0Ah,"10619",0Dh,0Ah in v1.4E) ;\
4B1C5h 11 Random garbage (padding to 10h-byte boundary) ;/
|
00000000.app v1.0J (at 286A8h) "2435",0Ah,"8325",0Ah ;with LF's 00000000.app v1.3U (at 286A8h) "2435",0Ah,"8325",0Ah ;with LF's 00000001.app v1.4E (at 4B1B8h) "2832",0Dh,0Ah,"10619",0Dh,0Ah ;with CRLF's 0000000x.app v... (?) 00000006.app v1.4.5E (at 4D2C8h) "3067",0Ah,"11437",0Ah ;with LF's |
This contains all NDS titles released prior to DSi firmware v1.0. Start Length Description 000h 4 Title ID (Gamecode) 004h 4 Title version 008h 20 Phase 1 SHA1-HMAC on 160h-byte cartheader and ARM9+ARM7 areas (?) 01Ch 20 Phase 2 SHA1-HMAC on ARM9 Overlay and NitroFAT (zero if no overlay) |
This contains all NDS titles released prior to DSi firmware v1.4. 000h 4 Title ID (Gamecode) 004h 4 Title version 008h 20 Phase 3 SHA1-HMAC on Icon/Title |
This contains extra checks for detecting hacked/exploited NDS titles. 000h 4 Title ID (Gamecode) 004h 4 Title version 008h 8*8 Offset+Length for up to 8 regions (or 0,0=None) 048h 20 Phase 4 SHA1-HMAC on above region(s) |
41 4D 46 45 00 00 00 00 ;\ 95 9A B3 09 B7 4E AF 29 2E 97 61 B9 DC E9 5F FE 86 5C 91 4E ; NDHT D3 94 43 02 64 3A AF C5 D1 E1 3B C0 47 4A A2 98 AB 5D 71 8F ;/ 41 4D 46 45 00 00 00 00 ;\NDHX 51 24 FE EF D4 3C 22 42 CC 17 13 0A 72 F8 FA 3B 4D 83 2A B1 ;/ |
NTR-A3TE-USA = Tak: The Great Juju Challenge NTR-A6WE-USA = FIFA World Cup 2006 NTR-YF7E-USA = Fish Tycoon NTR-YOUF-FRA = Samantha Oups! |
cart[1BFh].bit6 = Cart Header RSA Signature exists cart[1BFh].bit5 = Cart Header has Icon SHA1 at [33Ch] cart[378h] = SHA1 (same as whitelist Phase 1) cart[38Ch] = SHA1 (same as whitelist Phase 2) cart[33Ch] = SHA1 (same as whitelist Phase 3) (if above bit5=1) |
| DSi SD/MMC Camera Files - Overview |
FAT12:\photo\DCIM\100NIN02\HNI_nnnn.JPG ;camera photos FAT12:\photo\private\ds\app\484E494A\pit.bin ;camera info FAT12:\photo\private\ds\app\484E494A\DCIM\100NIN02\HNI_nnnn.JPG;camera frames |
SD:\DCIM\nnnNIN02\HNI_nnnn.JPG ;camera photos SD:\private\ds\app\484E494A\pit.bin ;camera info SD:\private\ds\app\484E494A\DCIM\nnnNIN02\HNI_nnnn.JPG ;camera frames |
| DSi SD/MMC Camera Files - JPEG's |
Offs ID Len Data 0000h FFD8h ;(start of image) ;SOI 0002h FFE1h,10C4h,"Exif",00h,00h,<Exif Body> ;(extra "Exif" data) ;APP1 10C8h FFC0h,0011h,08h,01E0h,0280h,03h,012100h,021101h,031101h ;SOF0 10DBh FFDBh,0084h, 00 06 04 05 06 05 04 06 06 05 06 07 07 .. 28 28 28 ;DQT 1161h FFC4h,01A2h, 00 00 01 05 01 01 01 .. .. F8 F9 FA ;DHT 1305h FFDAh,000Ch,03h,010002h,110311h,003F00h ;(start of scan) ;SOS 1313h E6 76 F4 DD 4F 0A 3B 60 0F 4C D7 9E 9A 93 3D 4B EE 98 B8 .. .. AB4Fh FFD9h ;(end of image) ;EOI |
Offs Siz ExID Type Length Offset ;<-- Format for "IFD" Tables 0000h 4 "MM",002Ah ;Big-Endian (aka Motorola) 0004h 4 00000008h ;first IFD offset (IFD0) |
0008h 2 0009h ;number of IFD0 entries
000Ah 12 010Fh,0002h,00000009h,0000007Ah ;Maker ("Nintendo",0)
0016h 12 0110h,0002h,0000000Bh,00000084h ;Model ("NintendoDS",0)
0022h 12 011Ah,0005h,00000001h,00000090h ;Resolution X (72 dpi)
002Eh 12 011Bh,0005h,00000001h,00000098h ;Resolution Y (72 dpi)
003Ah 12 0128h,0003h,00000001h,00020000h ;Resolution Unit (2=Inches)
0046h 12 0131h,0002h,00000005h,000000A0h ;Firmware (Gamecode backwards)
0052h 12 0132h,0002h,00000014h,000000A6h ;Date/Time Modified
005Eh 12 0213h,0003h,00000001h,00020000h ;Subsampling (2=datum point)
006Ah 12 8769h,0004h,00000001h,000000BAh ;Exif SubIFD offset
0076h 4 000001DEh ;next IFD offset (IFD1)
007Ah 9+1 "Nintendo",00h,00h ;Maker ("Nintendo",0,0)
0084h 11+1 "NintendoDS",00h,00h ;Model ("NintendoDS",0,0)
0090h 00000048h,00000001h ;Resolution X (72 dpi)
0098h 00000048h,00000001h ;Resolution Y (72 dpi)
00A0h 5+1 "PINH",00h,00h ;aka HNIP ;Firmware (Gamecode backwards)
00A6h 20 "YYYY:MM:DD HH:MM:SS",00h ;Date/Time Modified
|
00BAh 2 000Ah ;number of Sub IFD entries
00BCh 12 9000h,0007h,00000004h,30323230h ;Exif Version ("0220")
00C8h 12 9003h,0002h,00000014h,00000138h ;Date/Time Original
00D4h 12 9004h,0002h,00000014h,0000014Ch ;Date/Time Digitized
00E0h 12 9101h,0007h,00000004h,01020300h ;Components (Y,Cb,Cr)
00ECh 12 927Ch,0007h,00000042h,00000160h ;Maker dependent internal data
00F8h 12 A000h,0007h,00000004h,30313030h ;Flashpix Version ("0100")
0104h 12 A001h,0003h,00000001h,00010000h ;Color Space (1=Normal=sRGB)
0110h 12 A002h,0004h,00000001h,00000280h ;Pixel Dimension X (640)
011Ch 12 A003h,0004h,00000001h,000001E0h ;Pixel Dimension Y (480)
0128h 12 A005h,0004h,00000001h,000001A2h ;Interoperability IFD (R98)
0134h 4 00000000h ;next IFD offset (none)
0138h 20 "YYYY:MM:DD HH:MM:SS",00h ;Date/Time Original
014Ch 20 "YYYY:MM:DD HH:MM:SS",00h ;Date/Time Digitized
|
0160h 2 0002h ;number of IFD entries 0162h 12 1000h,0007h,0000001Ch,0000017Eh ;DSi Signature (IV+MAC) 016Eh 12 1001h,0007h,00000008h,0000019Ah ;DSi Whatever Zero (Frame info?) 017Ah 4 00000000h ;next IFD offset (none) 017Eh 12 2E AB A5 D1 FD A8 .. .. ;DSi Signature (IV) ;\ 018Ah 16 xx xx xx xx xx xx .. .. ;DSi Signature (MAC) ;/ 019Ah 8 0000000000000000h ;<-- different for Frames |
01A2h 2 0003h ;number of IFD entries
01A4h 12 0001h,0002h,00000004h,52393800h ;Stipulated File ("R98",0)
01B0h 12 0002h,0007h,00000004h,30313030h ;Whatever ("0100")
01BCh 12 1000h,0002h,00000012h,000001CCh ;Whatever (JPEG Exif Ver 2.2",0)
01C8h 4 00000000h ;next IFD offset (none)
01CCh 18 "JPEG Exif Ver 2.2",00h ;Whatever (JPEG Exif Ver 2.2",0)
|
01DEh 2 0006h ;number of IFD1 entries 01E0h 12 0103h,0003h,00000001h,00060000h ;Compression (1=JPEG) 01ECh 12 011Ah,0005h,00000001h,0000022Ch ;Resolution X (72 dpi) 01F8h 12 011Bh,0005h,00000001h,00000234h ;Resolution Y (72 dpi) 0204h 12 0128h,0003h,00000001h,00020000h ;Resolution Unit (2=Inches) 0210h 12 0201h,0004h,00000001h,0000023Ch ;Jpeg Offset 021Ch 12 0202h,0004h,00000001h,00000xxxh ;Jpeg Size (eg. E80h) 0228h 4 00000000h ;next IFD offset (none) 022Ch 8 00000048h,00000001h ;Resolution X (72 dpi) 0234h 8 00000048h,00000001h ;Resolution Y (72 dpi) |
023Ch 2 FFD8h ;(start of thumbnail/image) ;SOI 023Eh 13h FFC0h,0011h,08h,0078h,00A0h,03h,012100h,021101h,031101h ;SOF0 0251h 86h FFDBh,0084h, 00 0A 07 07 08 07 .. .. ;DQT 02D7h 1A4h FFC4h,01A2h, 00 00 01 05 01 .. .. F8 F9 FA ;DHT 047Bh 0Eh FFDAh,000Ch,03h,010002h,110311h,003F00h ;(start of scan) ;SOS 0489h ... CC 55 14 F0 3D 2B 8B 4B 9D C2 E3 BD 18 A5 B0 09 B6 .. .. 10xxh 2 FFD9h ;(end of thumbnail/image) ;EOI |
IV[00h..0Bh] = First 0Ch-bytes of signature KEY[00h..0Fh] = Constant (70,88,52,06,...) ;from BIOS ROM Zerofill the 1Ch-byte signature area in the JPEG file Probably zeropad(?) the JPEG file (if filesize isn't a multiple of 16 bytes) Pass the whole JPEG as "extra associated data" to the AES-CCM hardware Copy the IV value and computed MAC value back to the JPEG's signature area |
0001h = 8bit Unsigned 0002h = 7bit ASCII 0003h = 16bit Unsigned 0004h = 32bit Unsigned 0005h = 64bit Unsigned Rational (32bit numerator, plus 32bit denominator) 0006h = Reserved 0007h = 8bit General Purpose 0009h = 32bit Signed 000Ah = 64bit Signed Rational (32bit numerator, plus 32bit denominator) 000Bh..FFFFh = Reserved |
| DSi SD/MMC Camera Files - pit.bin |
0000h 8 ID ("0TIP00_1") (maybe meant to read as PIT01_00 or so)
0008h 2 Number of pit.bin entries (3000 for SD Card) (500 for eMMC)
000Ah 2 Unknown (0001h)
000Ch 2 Next Photo Folder-Number minus 100 (xxxNIN02)
000Eh 2 Next Photo File-Number minus 1 (HNB_0xxx.JPG)
0010h 2 Next Frame Folder-Number minus 100 (xxxNIN02)
0012h 2 Next Frame File-Number minus 1 (HNB_0xxx.JPG)
0014h 2 CRC16 of whole file (with initial value 0000h, and with
entry [0014h] being treated as 0000h for calculation)
0016h 2 Size of Header (0018h)
0018h+N*10h 4 Entry N, Time/Date (seconds since 01 Jan 2000)
001Ch+N*10h 8 Entry N, Unknown (zerofilled)
0024h+N*10h 4 Entry N, Flags (see below)
0 Used Entry Flag (0=Unused/Deleted, 1=Used)
1-10 Folder-Number minus 100 (xxxNIN02)
11-17 File-Number minus 1 (0..99 = HNB_0001..0100.JPG)
18-19 Sticker (0=None, 1=Star, 2=Clover, 3=Heart)
20-21 Type (0,3=Photo, 1=Frame, 2=?)
22-23 Unknown (0,2=Normal?, 1=?, 3=Error)
24-31 Unused (zero)
xxx8h 8 Padding for 16-byte filesize alignment (zerofilled)
|
- Delete "pit.bin" (it'll be recreated with ALL jpgs, sticker flags are lost) - Replace an existing 'listed' file by a new file with same filename - Manually edit "pit.bin" and adjust its CRC16 checksum |
| DSi SD/MMC Flipnote Files |
Flipnote(public.sav):\eula.txt ;128 Kbytes, 20000h - zerofilled Flipnote(public.sav):\option.bin ;256 bytes, 100h - options Flipnote(public.sav):\mark0.pls ;8000 bytes, 1F40h - Heart sticker Flipnote(public.sav):\mark1.pls ;8000 bytes, 1F40h - Crown sticker Flipnote(public.sav):\mark2.pls ;8000 bytes, 1F40h - Music sticker Flipnote(public.sav):\mark3.pls ;8000 bytes, 1F40h - Skull sticker Flipnote(public.sav):\recent10.pls ;4000 bytes, FA0h - Recently saved Flipnote(public.sav):\friend.pls ;28800 bytes, 7080h - F7,A0,CD,zeroes.. Flipnote(public.sav):\remind.pls ;10240 bytes, 2800h - F7,A0,CD,zeroes.. Flipnote(public.sav):\latest1.pls ;256 bytes, 100h - xxxxxxxx,zeroes.. Flipnote(public.sav):\nand.pls ;160000 bytes, 27100h - All files Flipnote(public.sav):\ugo\0NN\XNNNNN_NNNNNNNNNNNNN_NNN.ppm - flipnotes |
0000h 1 Unknown (02h) (?) 0001h 1 Stylus (00h=Right Hand, 01h=Left Hand) 0002h 1 Sound Effects (00h=On, 01h=Off) 0003h 1 Unknown (01h) (?) 0004h 1 Unknown (00h) (?) 0005h 1 Unknown (01h) (?) 0006h 1 Unknown (01h) (?) 0007h 1 Unknown (03h) (?) 0008h 1 Unknown (02h) (?) 0009h 1 Unknown (01h) (?) 000Ah 1 Unknown (00h) (?) 000Bh 1 Unknown (01h) (?) 000Ch 1 Advanced Tools (00h=Off, 01h=On) 000Dh 1 Pages to Trace (01h..04h=1..4) 000Eh 1 Frog Display (01h=Off, 01h=On) 000Fh 1 Start on Calendar (00h=Off, 01h=On) 0010h 8 Flipnote Studio ID (64bit User ID) (fixed) 0018h 2 Checksum (see below) 001Ah 2 Date of Birth, Year (076Ch..0840h=1900..2112) 001Bh 1 Date of Birth, Month (01h..0Ch=1..12) 001Ch 1 Date of Birth, Day (01h..1Fh=1..31) 001Eh E2h Unknown/unused (zerofilled) |
0000h N*3Fh List of filenames (if any) ;\encrypted N*3Fh+0 1 End of filename list (00h) ;/ N*3Fh+1 2 Crippled MD5 checksum bytes [6,8] ;\unencrypted N*3Fh+3 SIZ-N*3Fh-3 Padding to end of file (zerofilled) ;/ |
"sdmc:/private/ds/app/4B4755GG/001/XNNNNN_NNNNNNNNNNNNN_NNN.ppm",0Ah |
F7h,4Ch,6Ah,3Ah,FBh,82h,A6h,37h,6Eh,11h,38h,CFh,A0h,DDh,85h,C0h C7h,9Bh,C4h,D8h,DDh,28h,8Ah,87h,53h,20h,EEh,E0h,0Bh,EBh,43h,A0h DBh,55h,0Fh,75h,36h,37h,EBh,35h,6Ah,34h,7Fh,B5h,0Fh,99h,F7h,EFh 43h,25h,CEh,A0h,29h,46h,D9h,D4h,4Dh,BBh,04h,66h,68h,08h,F1h,F8h |
0000h N*1Dh List of filenames (if any) ;\encrypted N*1Dh+0 1 End of filename list (00h) ;/ N*1Dh+1 2 MD5 checksum bytes [6,8] ;\unencrypted N*1Dh+3 SIZ-N*1Dh-3 Padding to end of file (zerofilled) ;/ |
"XNNNNN_NNNNNNNNNNNNN_NNN.ppm",0Ah |
0000h 4 File ID ("PARA")
0004h 4 Size of Animation Data (vid)
0008h 4 Size of Audio Data (aud) (0=none)
000Ch 2 Number of Frames minus 1 (NF-1)
000Eh 2 Unknown (always 24h,00h)
0010h 2 Lock Flag (0=Open, 1=Locked, prevent editing)
0012h 2 Preview frame number
0014h 22 Nickname of Original Author (UCS-2) ;\max 10 characters
002Ah 22 Nickname of Last Editor (UCS-2) ; (plus ending zero)
0040h 22 Nickname of User (?) (UCS-2) ;/
0056h 8 User ID of Original Author (Flipnote Studio ID)
005Eh 8 User ID of Last Editor (Flipnote Studio ID)
0066h 18 Filename of Original File (3xHEX, 13xASCII, 2xVER)
0078h 18 Filename of Current File (3xHEX, 13xASCII, 2xVER)
008Ah 8 User ID of Previous Editor (Flipnote Studio ID)
0092h 8 Filename Fragment (3xHEX, 5xHEX)
009Ah 4 Time/Date (seconds since 1st Jan 2000)
009Eh 2 Zerofilled
00A0h 600h Preview Bitmap (8x6 tiles, aka 64x48 pixels, 4bpp)
06A0h 2 Size of Animation Table (4*NF)
06A2h 4 Zerofilled
06A6h 2 Flags (bit0=Can be set?, bit1=Loop/Repeat, bit6=Set?)
06A8h 4*NF Animation Table (offsets in Animation Data for each frame)
... (vid) Animation Data Frame(s)
... 1*NF Audio Flags for each Frame (bit0-2: Effect 1-3, bit3-7: Zero)
... .. Padding (0..3 bytes zerofilled, for alignment of next entry)
... 4 Size of Background music in bytes (0=not used/empty)
... 4 Size of Sound effect #1 in bytes (0=not used/empty, max 2000h)
... 4 Size of Sound effect #2 in bytes (0=not used/empty, max 2000h)
... 4 Size of Sound effect #3 in bytes (0=not used/empty, max 2000h)
... 1 Framespeed for playback (1..8) aka "8 minus N"
... 1 Framespeed when BGM was recorded (1..8) aka "8-decimal"
... 14 Zerofilled
... (aud) Audio Data (BGM, followed by Effects 1, 2, 3) (if any)
... 80h RSA-OpenPGP-SHA1 across all preceeding bytes
... 10h Zerofilled
|
Start Length Description 0000h 1 Pen and Paper information 0001h 48 Layer 1 Line Encoding (48 bytes = 2bit per 192 lines) 0031h 48 Layer 2 Line Encoding (48 bytes = 2bit per 192 lines) 0061h ... Frame Data for Layer 1 ... ... Frame Data for Layer 2 |
0 Paper (0=Black, 1=White) 1-2 Layer 1 (0=None, 1=Inverse of Paper, 2=Red, 3=Blue) 3-4 Layer 2 (0=None, 1=Inverse of Paper, 2=Red, 3=Blue) 5-6 Unknown 7 New Frame (0=Change between last frame, 1=Totally new frame) |
0 = Skip Line (0 bytes) (0 pixels) 1 = Packed Line (4+N bytes) (32bit flags, plus Nx8 pixels) 2 = Inverse Line (4+N bytes) (32bit flags, plus Nx8 inverted pixels) 3 = Raw Line (32 bytes) (256 pixels) |
First comes the BGM (if used) Then comes sound effect #1 (if used) Then comes sound effect #2 (if used) Then comes sound effect #3 (if used) |
Header = Filename = Meaning 3xHEX = XNNNNN = Based on MAC address (the "X" in "XNNNNN" is what?) 13xASCII= NNNNNNNNNNNNN = Some 13-digit random number or so as ASCII string 5xHEX = NNNNNNNNNN = First 10-digits of above 13-digit string 2xVER = NNN.ppm = Trailing version(?) number (hex, decimal?) |
<-hex--> <-----ascii-----------------> <-asc--> <-n->
Filename (ori) D3 5B 20 30 39 30 39 38 34 31 43 44 42 45 42 31 00 00
Filename (curr) D3 5B 20 30 39 30 39 38 34 31 43 44 42 45 42 31 02 00
<-hex--> <--hex------->
Filename (frag) D3 5B 20 09 09 84 1C DB
|
Color Purpose (appearance) Preview Selected 00h N/A (transparent) 1F-1F-1F 1F-1F-1F 01h Black (dark grey) 13-13-13 0A-0A-0A 02h White (white) 1F-1F-1F 1F-1F-1F 03h White+Black (grey) 19-19-19 13-13-13 04h Red (red) 1F-12-12 1F-09-09 05h Red+Black (dark red) 1B-13-13 18-0A-0A 06h Red+White (pink) 1F-19-19 1F-15-15 07h N/A (green) 0E-1F-0E 02-1F-02 08h Blue (blue) 12-12-1F 09-09-1F 09h Blue+Black (dark blue) 13-13-1A 0A-0A-16 0Ah Blue+White (light blue) 19-19-1F 15-15-1F 0Bh N/A (green) 0E-1F-0E 02-1F-02 0Ch Red+Blue (magenta) 1A-13-1A 16-0B-16 0Dh N/A (green) 0E-1F-0E 02-1F-02 0Eh N/A (green) 0E-1F-0E 02-1F-02 0Fh N/A (green) 0E-1F-0E 02-1F-02 |
| DSi Atheros Wifi SDIO Interface |
| DSi Atheros Wifi SDIO Function 0 Register Summary |
0:00000 2 Revision (0011h = CCCRv1.10, SDIOv1.10, SDv1.01) ;\ 0:00002 2 Function (0202h = Function 1 enabled/ready) ; 0:00004 2 Interrupt Flags(0000h = None enabled/pending) ; 0:00006 1 Abort/Reset (00h) ; 0:00007 1 Bus Interface (82h = 4bit mode, pulldown=off) ; 0:00008 1 Card Capability(17h) ; CCCR 0:00009 3 CIS0 Pointer (001000h = CIS0 at 0:01000h) ; 0:0000C .. ..suspend..? (zero-filled) ; 0:00010 2 Block Size (0000h = Function 0 Block Size, variable); 0:00012 1 Power Control (03h = supports/uses more than 720mW) ; 0:00013 2 Bus Speed (0000h = Supports only SDR12) ; 0:00015 1 Driver Strength(00h) ; 0:00016 1 Interrupt Ext (00h = No aysnc IRQ support in 4bit mode); 0:00017 E9h Reserved (zero-filled) ;/ 0:00100 2 Interface Type (0000h=Not SDIO standard, no CSA) ;\ 0:00102 1 Power (00h=No power selection) ; 0:00103 6 Reserved (zero-filled) ; 0:00109 3 CIS1 Pointer (001100h = CIS1 at 0:01100h) ; FBR1 0:0010C 4 CSA Stuff (zero-filled, CSA isn't supported) ; 0:00110 2 Block Size (0080h = Function 1 Block Size, variable); 0:00112 EEh Reserved (zero-filled) ;/ 0:00200 600h FBR2..FBR7 (zero-filled) ;-FBRn 0:00800 800h Reserved (zero-filled) ;-N/A 0:01000 01 03 D9 01 FF ;DEVICE (D9h=FUNCSPEC,01h=Siz,FFh=End;\ 0:01005 20 04 71 02 00 02 ;MANFID (0271h=Atheros, 0200h=AR6002); 0:0100B 21 02 0C 00 ;FUNCID (0Ch,00h=Standard for SDIO) ; 0:0100F 22 04 00 00 08 32 ;FUNCE (0800h=MaxBlkSiz,32h=25Mbit/s); CIS0 0:01015 1A 05 01 01 00 02 07 ;\ ;CONFIG ; 0:0101C 1B 08 C1 41 30 30 FF FF 32 00 ; PROM? ;CFTABLE_ENTRY; 0:01026 14 00 ; RAM? ;NO_LINK ; 0:01028..01044 FF-filled (1Dh bytes) ;uh? ;/ ;END ; 0:01045..010FF 00-filled (BBh bytes) ;unused ;/ 0:01100 20 04 71 02 00 02 ;MANFID (0271h=Atheros, 0200h=AR6002);\ 0:01106 21 02 0C 00 ;FUNCID (0Ch,00h=Standard for SDIO) ; 0:0110A 22 2A 01 ;FUNCE ; 0:0110D 01 11 ;FUNCE WakeUpSupport(01h), v1.1(11h) ; 0:0110F 00 00 00 00 ;FUNCE Serial Number (00000000h=None) ; 0:01113 00 00 00 00 00 ;FUNCE CSA Stuff (00000000h,00h=None) ; 0:01118 00 08 ;FUNCE Max Block Size (0800h) ; CIS1 0:0111A 00 00 FF 80 ;FUNCE OCR (80FF0000h) ; 0:0111E 00 00 00 ;FUNCE Operate Min/Avg/Max (00,00,00) ; 0:01121 00 01 0A ;FUNCE Standby Min/Avg/Max (00,01,0A) ; 0:01124 00 00 00 00 ;FUNCE Bandwidth Min/Opt (0000h,0000h) ; 0:01128 00 00 ;FUNCE Timeout Enable-till-Rdy (0000h) ; 0:0112A 00 00 00 00 ;FUNCE Operation Avg/Max (0000h,0000h); 0:0112E 00 01 00 01 ;FUNCE HighCurrentAvg/Max (0100h,0100h); 0:01132 00 01 00 01 ;FUNCE LowCurrent Avg/Max (0100h,0100h); 0:01136 80 01 06 ;VENDOR ; 0:01139 81 01 07 ;VENDOR ; 0:0113C 82 01 DF ;VENDOR ; 0:0113F FF ;END ; 0:01140 01 ;Garbage? ; 0:01141..011FF 00-filled (BFh bytes) ;unused ;/ 0:01200..02FFF mirrors of 01000h..011FFh (CIS0 and CIS1) (1E00h bytes);\N/A 0:03000.. 00-filled (.... bytes) ;unused... reserved ;/ |
0:00000 11 00 02 02 00 00 00 82 17 00 10 00 00 00 00 00 ;\ 0:00010 00 00 03 00 00 00 00 ; 0:00017..000FF unused (zerofilled) ;/ 0:00100 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 ;\ 0:00110 80 00 ; 0:00112..00FFF unused (zerofilled) ;/ 0:01000 01 03 D9 01 FF ;\ 0:01005 20 04 71 02 00 02 ;hif.h: 271h ; 0:0100B 21 02 0C 00 ; 0:0100F 22 04 00 00 08 32 ; 0:01015 1A 05 01 01 00 02 07 ;\ ; 0:0101C 1B 08 C1 41 30 30 FF FF 32 00 ; PROM? ; 0:01026 14 00 ; RAM? ; 0:01028..01044 FF-filled (1Dh bytes) uh? ;/ ; 0:01045..010FF 00-filled ;/ 0:01100 20 04 71 02 00 02 ;\ 0:01106 21 02 0C 00 ; 0:0110A 22 2A 01 01 11 00 00 00 00 00 00 00 00 00 00 08 00 00 0:0111C FF 80 00 00 00 00 01 0A 00 00 00 00 00 00 00 00 0:0112C 00 00 00 01 00 01 00 01 00 01 0:01136 80 01 06 ; 0:01139 81 01 07 ; 0:0113C 82 01 DF ; 0:0113F FF 01 00 ; 0:01142..011FF 00-filled ;/ 0:01200..02FFF mirrors of 01000..011FF (common cis and function 1 cis) ? 0:03000.. 00-filled |
| DSi Atheros Wifi SDIO Function 1 Register Summary |
1:00000..000FF Mbox0 (100h bytes) <--DMA----------> Internal 256MB 1:00100..001FF Mbox1 (100h bytes) <--DMA----------> Internal 256MB 1:00200..002FF Mbox2 (100h bytes) <--DMA----------> Internal 256MB 1:00300..003FF Mbox3 (100h bytes) <--DMA----------> Internal 256MB 1:00400..005FF Control Registers <--WINDOW_DATA--> Internal 256MB 1:00600..007FF CIS Window; Window ---huh???-------> Internal 256MB ??? 1:00800..00FFF Mbox0 Alias (bigger 800h bytes alias) 1:01000..017FF Mbox1 Alias (bigger 800h bytes alias) 1:01800..01FFF Mbox2 Alias (bigger 800h bytes alias) 1:02000..027FF Mbox3 Alias (bigger 800h bytes alias) 1:02800..03FFF Extra Mbox0 Alias "for future usage" (1800h bytes) 1:04000..1FFFF Unspecified |
1:00000h 100h Mbox0 (100h bytes) <--DMA----------> Internal 256MB
1:00100h 100h Mbox1 (100h bytes) <--DMA----------> Internal 256MB
1:00200h 100h Mbox2 (100h bytes) <--DMA----------> Internal 256MB
1:00300h 100h Mbox3 (100h bytes) <--DMA----------> Internal 256MB
1:00400h 1 HOST_INT_STATUS (R)
1:00401h 1 CPU_INT_STATUS (R/W)
1:00402h 1 ERROR_INT_STATUS (R/W)
1:00403h 1 COUNTER_INT_STATUS (R)
1:00404h 1 MBOX_FRAME (R)
1:00405h 1 RX_LOOKAHEAD_VALID (R)
1:00406h 1 HOST_INT_STATUS2 ;\GMBOX related, hw4/hw6 only
1:00407h 1 GMBOX_RX_AVAIL ;/
1:00408h 1x4 RX_LOOKAHEAD0[0..3] (R)
1:0040Ch 1x4 RX_LOOKAHEAD1[0..3] (R)
1:00410h 1x4 RX_LOOKAHEAD2[0..3] (R)
1:00414h 1x4 RX_LOOKAHEAD3[0..3] (R)
1:00418h 1 (HOST_)INT_STATUS_ENABLE (R/W)
1:00419h 1 CPU_INT_STATUS_ENABLE (R/W)
1:0041Ah 1 ERROR_(INT_)STATUS_ENABLE (R/W)
1:0041Bh 1 COUNTER_INT_STATUS_ENABLE (R/W)
1:0041Ch 1x4 PAD1 (FFh,6Eh,D7h,BFh - maybe some mirror?)
1:00420h 1x8 COUNT[0..7] (R/W)
1:00428h 1x24 PAD2
00428h 4 - (mirror of 1:00468h?)
0042Ch 4 - (mirror of 1:0041Ch?)
00430h 4 - (mirror of 1:00410h?)
00434h 4 - (mirror of 1:00...h?)
00438h 4 - (mirror of 1:00468h?)
0043Ch 4 - (mirror of 1:0041Ch?)
1:00440h 4x8 COUNT_DEC[0..7] (R, or Write=any)
1:00460h 1x8 SCRATCH[0..7] (R/W)
1:00468h 1 FIFO_TIMEOUT (R/W)
1:00469h 1 FIFO_TIMEOUT_ENABLE (R/W)
1:0046Ah 1 DISABLE_SLEEP (R/W)
1:0046Bh 1x3 -
1:0046Eh 1 LOCAL_BUS_ENDIAN (R/W) (AR6001 only, not hw2/hw4/hw6)
1:0046Fh 1 -
1:00470h 1 LOCAL_BUS (R and R/W)
1:00471h 1x1 PAD4
1:00472h 1 INT_WLAN (R/W)
1:00473h 1x1 PAD5
1:00474h 4 WINDOW_DATA (R/W) ;\
1:00478h 4 WINDOW_WRITE_ADDR (W) ;
1:0047Ch 4 WINDOW_READ_ADDR (W) ;/
1:00480h 1 HOST_CTRL_SPI_CONFIG (R/W)
1:00481h 1 HOST_CTRL_SPI_STATUS (R/W)
1:00482h 1 NON_ASSOC_SLEEP_EN ;hw2/hw4/hw6 (but didn't exist on AR6001)
1:00483h 1 CPU_DBG_SEL ;\DBG, hw4/hw6 only
1:00484h 1x4 CPU_DBG[0..3] ;/
1:00488h 1 (HOST_)INT_STATUS2_ENABLE (R/W);\
1:00489h 1x7 PAD6 ; GMBOX related, hw4/hw6 only
1:00490h 1x8 GMBOX_RX_LOOKAHEAD[0..7] ;
1:00498h 1 GMBOX_RX_LOOKAHEAD_MUX ;/
1:00499h 1x359 PAD7
1:00600h 1x512 CIS_WINDOW[0..511] (R/W?!) ;SDIO 0:01000h..0:011FFh
1:00800h 800h Mbox0 Alias (bigger 800h bytes alias)
1:01000h 800h Mbox1 Alias (bigger 800h bytes alias)
1:01800h 800h Mbox2 Alias (bigger 800h bytes alias)
1:02000h 800h Mbox3 Alias (bigger 800h bytes alias)
1:02800h 1800h Extra Mbox0 Alias "for future usage" (1800h bytes)
1:04000h 1C000h Unspecified
|
| DSi Atheros Wifi - SDIO Function 1 I/O - mbox_wlan_host_reg |
added several new "GMBOX" registers (hw4/hw6) added new CPU_DBG registers (hw4/hw6) added three new "UART_HCI_FRAMER_xxx" error bits (hw4/hw6) renamed "DRAGON_INT" (hw2) "INT" (hw4/hw6) renamed "SPI_xxx" (hw2) to "HOST_CTRL_SPI_xxx" (hw4/hw6) |
0-3 MBOX_DATA MBOX0..3 Data pending (RX FIFO not empty) 4 COUNTER Secondary IRQ from COUNTER_INT_STATUS 5 INT Copy of internal CPU's interrupt line (aka DRAGON_INT) 6 CPU Secondary IRQ from CPU_INT_STATUS 7 ERROR Secondary IRQ from ERROR_INT_STATUS |
0-7 BIT Interrupt 0..7 from internal CPU |
0 TX_OVERFLOW (host tried to write to a full MBOX) 1 RX_UNDERFLOW (host tried to read from an empty MBOX) 2 WAKEUP (client has entered ON-state) 3 SPI Error Interrupt ;STATUS only (not STATUS_ENABLE) (R) 4 hw4/hw6: UART_HCI_FRAMER_UNDERFLOW ;\ 5 hw4/hw6: UART_HCI_FRAMER_OVERFLOW ; hw4/hw6 only 6 hw4/hw6: UART_HCI_FRAMER_SYNC_ERROR ;/ 7 - |
0-7 COUNT[0..7] is nonzero |
0 hw4/hw6: GMBOX_DATA ;\ 1 hw4/hw6: GMBOX_TX_OVERFLOW ; hw4/hw6 only 2 hw4/hw6: GMBOX_RX_UNDERFLOW ;/ 3-7 - |
0-3 MBOX0..3 contains a SOM (start of message) byte in RX FIFO (1=Yes) 4-7 MBOX0..3 contains a EOM (end of message) byte in RX FIFO (1=Yes) |
0-3 MBOX0..3 contains at least 4 bytes in RX FIFO (1=Yes) 4-7 - |
0-6 hw4/hw6: BYTE ;-hw4/hw6 only 7 - |
0-7 MBOX RX FIFO Head-3 byte ;\what is that? 8-15 MBOX RX FIFO Head-2 byte ; head "minus" N, or maybe 16-23 MBOX RX FIFO Head-1 byte ;/head "plus index" N? 24-31 MBOX RX FIFO Head byte |
0-7 Credit Counter Value |
0-7 Credit Counter Value 8-31 Zero? (dummy padding for 32bit access) |
0-7 General Purpose Value |
0-7 Timeout (01h..FFh) (00h=Reserved/don't use) |
0 Enable FIFO Timeouts (0=Disable, 1=Enable) 1-7 - |
0 Prevent Sleep (0=Allow Sleep, 1=Prevent Sleep) 1 Prevent Sleep when Host IRQ pending (0=Allow Sleep, 1=Prevent Sleep) 2-7 - |
0 AR6001 only: (0=Little Endian, 1=Big Endian) ;-not hw2/hw4/hw6 1-7 - |
0-1 Current Chip State (0=Shutdown, 1=On, 2=Sleep, 3=Wakeup) (R) 2 AR6001 only: KEEP_AWAKE (R/W) ;\ 3 AR6001 only: IO_ENABLE (R/W) ; not hw2/hw4/hw6 4 AR6001 only: SOFT_RESET (R/W) ;/ 5-7 - |
0-7 "VECTOR" or interrupt 0..7 ? (0=No change, 1=Set) |
0-31 DATA |
0-1 Ignored 2-27 ADDR (in 4-byte steps) 28-31 ? |
For a memory write: First write WINDOW_DATA, then write WINDOW_WRITE_ADDR For a memory read: First write WINDOW_READ_ADDR, then read WINDOW_DATA |
0-1 DATA_SIZE (0=8bit, 1=16bit, 2=32bit, 3=Reserved) (addr = always 16bit) 2 TEST_MODE (0=Normal, 1=Loopback/Echo) 3 INTERRUPT_ENABLE (0=Disable, 1=Enable) 4 SPI_RESET (0=Normal Operation, 1=Reset SPI core) 5 AR6001 only, not AR6002? - SPI_CLK_OFFSET (R) 6 - 7 AR6001 only, not AR6002? - ENDIAN (R/W) |
0 READY (0=Command Pending, 1=Completed/Ready) (R) 1 WR_ERR (0=Okay, 1=Write-Error) (write: 0=No change, 1=Ack) (R/ack) 2 RD_ERR (0=Okay, 1=Read-Error) (write: 0=No change, 1=Ack) (R/ack) 3 ADDR_ERR (0=Okay, 1=Addr-Error) (write: 0=No change?, 1=Ack?) 4 AR6001 only, not AR6002? - IFF_ERR 5 AR6001 only, not AR6002? - DMA_OVER 6-7 - |
0 BIT 1-7 - |
0-5 BIT ;-hw4/hw6 only 6-7 - |
0-7 DATA ;-hw4/hw6 only |
0-7 DATA ;-hw4/hw6 only |
0 SEL ;-hw4/hw6 only 1-7 - |
0-7 DATA |
| DSi Atheros Wifi Misc |
AR6001 with MIPS CPU, 18x18 pin BGA package ;not used in DSi/3DS AR6002 with Xtensa CPU, 13x13 pin BGA package ;used in early DSi AR6013 unknown details (built-in MM3218?) ;used in later DSi AR6014 unknown details (similar to AR6013?) ;used in 3DS |
http://www.datasheetspdf.com/PDF/AR6002/705769/6 ;AR6002 datasheet 56 pages http://www.datasheetspdf.com/PDF/AR6001X/900300/1 ;AR6001 datasheet 148 pages http://svn.openmoko.org/developers/nbd/ar6k/ ;AR6K source code |
ATH_TX_H ;\maybe some/all of these do just indicate traffic WL_RXPE ; (for blinking the wifi LED, if it is enabled) WL_TXPE ;/ /WIFI_RST ;-Reset or so |
| DSi Atheros Wifi - Command Summary |
00h BMI_NO_COMMAND Invalid (ignored) 01h BMI_DONE Launch Firmware 02h BMI_READ_MEMORY Read Memory 03h BMI_WRITE_MEMORY (normal) Write Memory 03h BMI_WRITE_MEMORY (with dest=00001234h) Segmented Write (not in DSi) 04h BMI_EXECUTE Execute 05h BMI_SET_APP_START Set App Start 06h BMI_READ_SOC_REGISTER Read Register 07h BMI_WRITE_SOC_REGISTER Write Register 08h BMI_GET_TARGET_ID aka BMI_GET_TARGET_INFO Get Version 09h BMI_ROMPATCH_INSTALL TCAM/BCAM_xxxxx 0Ah BMI_ROMPATCH_UNINSTALL TCAM/BCAM_Clr_index_and_xxx 0Bh BMI_ROMPATCH_ACTIVATE TCAM/BCAM_Set_indices ;\ 0Ch BMI_ROMPATCH_DEACTIVATE TCAM/BCAM_Clr_indices ;/ 0Dh BMI_LZ_STREAM_START LZ Uncompress Stream Start 0Eh BMI_LZ_DATA LZ Data Input 0Fh BMI_NVRAM_PROCESS ;not implemented in DSi Invalid (ignored) 10h..FFFFFFFFh Unused Invalid (ignored) |
00h 2 Values 00h,00h ;or 01h,01h 02h 2 Length (of parameters, plus 0..2 ?) 04h 2 Values 00h,00h 06h 2 Command ID (xxxxh) (spotted values are 0002h, 0004h, 0008h) 08h LEN-(0..2) Command Parameters .. .. Whatever .. .. Zerofilled (till 80h-byte size) |
0001h WMI_CONNECT_CMD 0002h WMI_RECONNECT_CMD 0003h WMI_DISCONNECT_CMD 0004h WMI_SYNCHRONIZE_CMD 0005h WMI_CREATE_PSTREAM_CMD ;aka WMI_CRE_PRIORITY_STREAM 0006h WMI_DELETE_PSTREAM_CMD ;aka WMI_DEL_PRIORITY_STREAM 0007h WMI_START_SCAN_CMD 0008h WMI_SET_SCAN_PARAMS_CMD 0009h WMI_SET_BSS_FILTER_CMD ;aka WMI_BSS_FILTER_CMD 000Ah WMI_SET_PROBED_SSID_CMD 000Bh WMI_SET_LISTEN_INT_CMD 000Ch WMI_SET_BMISS_TIME_CMD 000Dh WMI_SET_DISC_TIMEOUT_CMD ;aka WMI_SET_DISCONNECT_TIMEOUT 000Eh WMI_GET_CHANNEL_LIST_CMD ;reply 000Eh ;aka WMI_CHANNEL_LIST 000Fh WMI_SET_BEACON_INT_CMD 0010h WMI_GET_STATISTICS_CMD ;reply WMI_REPORT_STATISTICS 0011h WMI_SET_CHANNEL_PARAMS_CMD ;aka WMI_CHANNEL_PARAMS_CMD 0012h WMI_SET_POWER_MODE_CMD ;aka WMI_POWER_MODE_CMD 0013h WMI_SET_IBSS_PM_CAPS_CMD ;aka WMI_IBSS_PM_CAPS_CMD 0014h WMI_SET_POWER_PARAMS_CMD ;aka WMI_POWER_PARAMS_CMD 0015h WMI_SET_POWERSAVE_TIMERS_POLICY_CMD ;aka WMI_POWERSAVE... 0016h WMI_ADD_CIPHER_KEY_CMD 0017h WMI_DELETE_CIPHER_KEY_CMD 0018h WMI_ADD_KRK_CMD 0019h WMI_DELETE_KRK_CMD 001Ah WMI_SET_PMKID_CMD 001Bh WMI_SET_TX_PWR_CMD 001Ch WMI_GET_TX_PWR_CMD ;aka WMI_TX_PWR ;reply 001Ch 001Dh WMI_SET_ASSOC_INFO_CMD 001Eh WMI_ADD_BAD_AP_CMD 001Fh WMI_DELETE_BAD_AP_CMD 0020h WMI_SET_TKIP_COUNTERMEASURES_CMD 0021h WMI_RSSI_THRESHOLD_PARAMS_CMD 0022h WMI_TARGET_ERROR_REPORT_BITMASK_CMD 0023h WMI_SET_ACCESS_PARAMS_CMD 0024h WMI_SET_RETRY_LIMITS_CMD 0025h WMI_SET_OPT_MODE_CMD 0026h WMI_OPT_TX_FRAME_CMD 0027h WMI_SET_VOICE_PKT_SIZE_CMD 0028h WMI_SET_MAX_SP_LEN_CMD 0029h WMI_SET_ROAM_CTRL_CMD 002Ah WMI_GET_ROAM_TBL_CMD ;aka REPORT_ROAM_TBL,TARGET_ROAM_TBL ;reply 100Fh 002Bh WMI_GET_ROAM_DATA_CMD ;reply 1015h ? ;\ 002Ch WMI_ENABLE_RM_CMD ; not implemented in DSi 002Dh WMI_SET_MAX_OFFHOME_DURATION_CMD ;/ 002Eh WMI_EXTENSION_CMD ;prefix for WMIX "Non-wireless extensions"... 002Eh:2001h WMIX_DSETOPEN_REPLY_CMD ;reply to 3001h ;\not implemented in DSi 002Eh:2002h WMIX_DSETDATA_REPLY_CMD ;reply to 3003h ;/ 002Eh:2003h WMIX_GPIO_OUTPUT_SET_CMD ;reply=3006h ;\ 002Eh:2004h WMIX_GPIO_INPUT_GET_CMD ;reply=3005h ; 002Eh:2005h WMIX_GPIO_REGISTER_SET_CMD ;reply=3006h, too ; GPIO 002Eh:2006h WMIX_GPIO_REGISTER_GET_CMD ;reply=3005h, too ; 002Eh:2007h WMIX_GPIO_INTR_ACK_CMD ;reply to 3004h ;/ 002Eh:2008h WMIX_HB_CHALLENGE_RESP_CMD ;reply=3007h ;-HB=heartbeat 002Eh:2009h WMIX_DBGLOG_CFG_MODULE_CMD 002Eh:200Ah WMIX_PROF_CFG_CMD ;\ 002Eh:200Bh WMIX_PROF_ADDR_SET_CMD ; 002Eh:200Ch WMIX_PROF_START_CMD ; not implemented in DSi 002Eh:200Dh WMIX_PROF_STOP_CMD ; 002Eh:200Eh WMIX_PROF_COUNT_GET_CMD ;reply 3009h ;/ 002Fh WMI_SNR_THRESHOLD_PARAMS_CMD 0030h WMI_LQ_THRESHOLD_PARAMS_CMD 0031h WMI_SET_LPREAMBLE_CMD 0032h WMI_SET_RTS_CMD 0033h WMI_CLR_RSSI_SNR_CMD 0034h WMI_SET_FIXRATES_CMD ;aka WMI_FIX_RATES_CMD 0035h WMI_GET_FIXRATES_CMD ;reply 0035h 0036h WMI_SET_AUTH_MODE_CMD ;aka WMI_SET_RECONNECT_AUTH_MODE_CMD |
0037h WMI_SET_REASSOC_MODE_CMD 0038h WMI_SET_WMM_CMD 0039h WMI_SET_WMM_TXOP_CMD ;NOT! WMI_SET_QOS_SUPP_CMD ;<-- this NOT here! 003Ah WMI_TEST_CMD ;-not implemented in DSi 003Bh WMI_SET_BT_STATUS_CMD ;\AR6002 Bluetooth Coexistence only? 003Ch WMI_SET_BT_PARAMS_CMD ;/ 003Dh WMI_SET_KEEPALIVE_CMD 003Eh WMI_GET_KEEPALIVE_CMD ;reply 003Eh 003Fh WMI_SET_APPIE_CMD ;aka SET_APP_IE 0040h WMI_GET_APPIE_CMD ;aka GET_APP_IE ;reply=? ;-not implemented in DSi 0041h WMI_SET_WSC_STATUS_CMD ;aka WSC_REG 0042h WMI_SET_HOST_SLEEP_MODE_CMD ;\ 0043h WMI_SET_WOW_MODE_CMD ; 0044h WMI_GET_WOW_LIST_CMD ;reply=1018h ; Wake on Wireless (WOW) 0045h WMI_ADD_WOW_PATTERN_CMD ; 0046h WMI_DEL_WOW_PATTERN_CMD ;/ ;below four as of "AR6kSDK.build_sw.18/include/wmi.h" (from 2006) ;0047h WMI_SET_MAC_ADDRESS_CMD (later moved to F003h) ;0048h WMI_SET_AKMP_PARAMS_CMD (later moved to F004h) ;0049h WMI_SET_PMKID_LIST_CMD (later moved to F005h) ;004Ah WMI_GET_PMKID_LIST_CMD (later moved to F006h) 0047h WMI_SET_FRAMERATES_CMD ;aka WMI_FRAME_RATES_CMD 0048h WMI_SET_AP_PS_CMD ;aka WMI_AP_PS_CMD 0049h WMI_SET_QOS_SUPP_CMD ;<-- this shall be HERE 004Ah WMI_SET_IE_CMD ;new cmd from 2012 ;\ 08xxh WILOCITY types ;\wil6210 stuff ; not implemented in DSi 09xxh Performance monitoring ;/ ;/ 8000h WMI_THIN_RESERVED_START ;\ 8000h WMI_THIN_CONFIG_CMD ; 8001h WMI_THIN_SET_MIB_CMD ; not implemented in DSi 8002h WMI_THIN_GET_MIB_CMD ;reply=8001h ; (thin commands 8003h WMI_THIN_JOIN_CMD ;\newer ; from wmi_thin.h) 8004h WMI_THIN_CONNECT_CMD ; versions ; 8005h WMI_THIN_RESET_CMD ;/only ; 8FFFh WMI_THIN_RESERVED_END ;/ |
F000h WMI_SET_BITRATE_CMD ;aka WMI_BIT_RATE_CMD F001h WMI_GET_BITRATE_CMD ;reply=F001h F002h WMI_SET_WHALPARAM_CMD ;aka WHAL_PARAMCMD F003h WMI_SET_MAC_ADDRESS_CMD ;formerly 0047h ;-not implemented in DSi F004h WMI_SET_AKMP_PARAMS_CMD ;formerly 0048h F005h WMI_SET_PMKID_LIST_CMD ;formerly 0049h F006h WMI_GET_PMKID_LIST_CMD ;formerly 004Ah ;reply 1019h |
F007h WMI_ABORT_SCAN_CMD F008h WMI_SET_TARGET_EVENT_REPORT_CMD F009h WMI_UNUSED1 or WMI_PYXIS_CONFIG_CMD ;\Unused (or Pyxis specific F00Ah WMI_UNUSED2 or WMI_PYXIS_OPERATION_CMD ;/commands) F00Bh WMI_AP_HIDDEN_SSID_CMD ;\ F00Ch WMI_AP_SET_NUM_STA_CMD aka WMI_AP_NUM_STA_CMD ; F00Dh WMI_AP_ACL_POLICY_CMD ; F00Eh WMI_AP_ACL_MAC_LIST_CMD aka WMI_AP_ACL_MAC_CMD ; F00Fh WMI_AP_CONFIG_COMMIT_CMD ; AP mode commands F010h WMI_AP_SET_MLME_CMD ; F011h WMI_AP_SET_PVB_CMD ; F012h WMI_AP_CONN_INACT_CMD ; F013h WMI_AP_PROT_SCAN_TIME_CMD ; F014h WMI_AP_SET_COUNTRY_CMD ;aka WMI_SET_COUNTRY_CMD ; F015h WMI_AP_SET_DTIM_CMD ; F016h WMI_AP_MODE_STAT_CMD ;formerly N/A ;/ F017h WMI_SET_IP_CMD ;formerly F016h ;\ F018h WMI_SET_PARAMS_CMD ;formerly F017h ;reply=101Fh ; F019h WMI_SET_MCAST_FILTER_CMD ;formerly F018h ; F01Ah WMI_DEL_MCAST_FILTER_CMD ;formerly F019h ;/ F01Bh WMI_ALLOW_AGGR_CMD ;\ F01Ch WMI_ADDBA_REQ_CMD ; F01Dh WMI_DELBA_REQ_CMD ; F01Eh WMI_SET_HT_CAP_CMD ; F01Fh WMI_SET_HT_OP_CMD ; F020h WMI_SET_TX_SELECT_RATES_CMD ; F021h WMI_SET_TX_SGI_PARAM_CMD ; F022h WMI_SET_RATE_POLICY_CMD ;/ F023h WMI_HCI_CMD_CMD aka WMI_HCI_CMD ;\ F024h WMI_RX_FRAME_FORMAT_CMD ; F025h WMI_SET_THIN_MODE_CMD ; F026h WMI_SET_BT_WLAN_CONN_PRECEDENCE_CMD ;/ F027h WMI_AP_SET_11BG_RATESET_CMD ;\ F028h WMI_SET_PMK_CMD ; F029h WMI_MCAST_FILTER_CMD ;/ F02Ah WMI_SET_BTCOEX_FE_ANT_CMD ;\ F02Bh WMI_SET_BTCOEX_COLOCATED_BT_DEV_CMD ; F02Ch WMI_SET_BTCOEX_SCO_CONFIG_CMD ; AR6003 F02Dh WMI_SET_BTCOEX_A2DP_CONFIG_CMD ; Bluetooth Coexistence F02Eh WMI_SET_BTCOEX_ACLCOEX_CONFIG_CMD ; F02Fh WMI_SET_BTCOEX_BTINQUIRY_PAGE_CONFIG_CMD ; F030h WMI_SET_BTCOEX_DEBUG_CMD ; F031h WMI_SET_BTCOEX_BT_OPERATING_STATUS_CMD ; F032h WMI_GET_BTCOEX_STATS_CMD ;reply=1026h..1028h ; F033h WMI_GET_BTCOEX_CONFIG_CMD ;reply=1027h..1029h ;/ F034h WMI_SET_DFS_ENABLE_CMD ;aka WMI_SET_DFS_CMD maybe ? ;\ F035h WMI_SET_DFS_MINRSSITHRESH_CMD ;aka WMI_SET_DFS_CMD too ?? ; DFS F036h WMI_SET_DFS_MAXPULSEDUR_CMD ;aka WMI_SET_DFS_CMD too ?? ; F037h WMI_DFS_RADAR_DETECTED_CMD ;aka WMI_RADAR_DETECTED_CMD ;/ F038h WMI_P2P_SET_CONFIG_CMD ;\ ;<-- confirmed to be F038h F039h WMI_WPS_SET_CONFIG_CMD ;P2P related ; F03Ah WMI_SET_REQ_DEV_ATTR_CMD ;P2P related ; P2P CMDS F03Bh WMI_P2P_FIND_CMD ; F03Ch WMI_P2P_STOP_FIND_CMD ; F03Dh WMI_P2P_GO_NEG_START_CMD ; F03Eh WMI_P2P_LISTEN_CMD ;/ F03Fh WMI_CONFIG_TX_MAC_RULES_CMD ;\ ;<-- claimed to be F040h ? F040h WMI_SET_PROMISCUOUS_MODE_CMD ; F041h WMI_RX_FRAME_FILTER_CMD ; F042h WMI_SET_CHANNEL_CMD ;/ F043h WMI_WAC_ENABLE_CMD aka WMI_ENABLE_WAC_CMD ;\ F044h WMI_WAC_SCAN_REPLY_CMD ; WAC commands F045h WMI_WAC_CTRL_REQ_CMD ;/ F046h WMI_SET_DIV_PARAMS_CMD aka WMI_DIV_PARAMS_CMD F047h WMI_GET_PMK_CMD ;reply? ;\ F048h WMI_SET_PASSPHRASE_CMD ;/ F049h WMI_SEND_ASSOC_RES_CMD ;aka WMI_SEND_ASSOCRES_CMD ;\ASSOC F04Ah WMI_SET_ASSOC_REQ_RELAY_CMD ;aka WMI_SET_ASSOCREQ_RELAY ;/ |
F04Bh or F04Dh WMI_ACS_CTRL_CMD ;aka WMI_ACS_CTRL_MSG ;-ACS sub-commands F04Ch or F052h WMI_SET_EXCESS_TX_RETRY_THRES_CMD F04Dh or N/A WMI_SET_TBD_TIME_CMD ;-added for wmiconfig command for TBD F04Eh or N/A WMI_PKTLOG_ENABLE_CMD ;\Pktlog cmds F04Fh or N/A WMI_PKTLOG_DISABLE_CMD ;/(code from 2012 only) F050h or F053h WMI_P2P_GO_NEG_REQ_RSP_CMD ;\ F051h or F054h WMI_P2P_GRP_INIT_CMD ; F052h or F055h WMI_P2P_GRP_FORMATION_DONE_CMD ; F053h or F056h WMI_P2P_INVITE_CMD ; More P2P commands F054h or F057h WMI_P2P_INVITE_REQ_RSP_CMD ; F055h or F058h WMI_P2P_PROV_DISC_REQ_CMD ; F056h or F059h WMI_P2P_SET_CMD ;/ F057h or F04Bh WMI_GET_RFKILL_MODE_CMD ;\RFKILL F058h or F04Ch WMI_SET_RFKILL_MODE_CMD ;aka WMI_RFKILL_MODE_CMD ;/ F059h or F05Ah WMI_AP_SET_APSD_CMD ;\More AP commands F05Ah or F05Bh WMI_AP_APSD_BUFFERED_TRAFFIC_CMD ;/ F05Bh or F05Ch WMI_P2P_SDPD_TX_CMD ;\ F05Ch or F05Dh WMI_P2P_STOP_SDPD_CMD ; More P2P commands F05Dh or F05Eh WMI_P2P_CANCEL_CMD ;/ F05Eh or F04Eh WMI_STORERECALL_CONFIGURE_CMD ;\Ultra low power F05Fh or F04Fh WMI_STORERECALL_RECALL_CMD ; store/recall commands F060h or F050h WMI_STORERECALL_HOST_READY_CMD ;/ F061h or F051h WMI_FORCE_TARGET_ASSERT_CMD ;- F062h or N/A WMI_SET_PROBED_SSID_EX_CMD ;\ F063h or N/A WMI_SET_NETWORK_LIST_OFFLOAD_CMD ; F064h or N/A WMI_SET_ARP_NS_OFFLOAD_CMD ; F065h or N/A WMI_ADD_WOW_EXT_PATTERN_CMD ; NEW stuff F066h or N/A WMI_GTK_OFFLOAD_OP_CMD ; (code from 2012 only) F067h or N/A WMI_REMAIN_ON_CHNL_CMD ; F068h or N/A WMI_CANCEL_REMAIN_ON_CHNL_CMD ; F069h or N/A WMI_SEND_ACTION_CMD ; F06Ah or N/A WMI_PROBE_REQ_REPORT_CMD ; F06Bh or N/A WMI_DISABLE_11B_RATES_CMD ; F06Ch or N/A WMI_SEND_PROBE_RESPONSE_CMD ; F06Dh or N/A WMI_GET_P2P_INFO_CMD ; F06Eh or N/A WMI_AP_JOIN_BSS_CMD ;/ ? WMI_SET_ADHOC_BSSID_CMD ;-old, not implemented? |
| DSi Atheros Wifi - Response Summary |
00h 2 Values 01h,02h ;or 00h,02h in case of "obscure values" 02h 2 Length (excluding trailing zerofilled area) 04h 2 Values 08h,00h ;or 0Ch,00h 06h 2 Event ID (100xh) ;or "obscure values" (0001h, 0003h, 0201h) 08h LEN-0Ah Event/Response Data (Length-0Ah bytes) .. 2 Values 02h,06h .. 80h-LEN Zerofilled (till 80h-byte size) ;sometimes contains a D0h-byte? |
000Eh WMI_GET_CHANNEL_LIST_CMD 001Ch WMI_GET_TX_PWR_CMD 0035h WMI_GET_FIXRATES_CMD 003Eh WMI_GET_KEEPALIVE_CMD F001h WMI_GET_BITRATE_CMD |
? WMI_GET_APPIE_CMD ;aka GET_APP_IE ;\not implemented in DSi ? WMI_AP_MODE_STAT_CMD ;has reply? ;/ |
? WMI_CRE_PRIORITY_STREAM_REPLY ;\ ? WMI_DEL_PRIORITY_STREAM_REPLY ; not implemented in DSi ? WMI_FRAME_RATES_REPLY ;/ |
1001h WMI_READY_EVENT 1002h WMI_CONNECT_EVENT 1003h WMI_DISCONNECT_EVENT 1004h WMI_BSSINFO_EVENT ;aka WMI_BSS_INFO 1005h WMI_CMDERROR_EVENT ;aka WMI_CMD_ERROR_EVENT ;for CMD 01h,11h,16h,26h 1006h WMI_REGDOMAIN_EVENT ;aka WMI_REG_DOMAIN_EVENT 1007h WMI_PSTREAM_TIMEOUT_EVENT 1008h WMI_NEIGHBOR_REPORT_EVENT 1009h WMI_TKIP_MICERR_EVENT 100Ah WMI_SCAN_COMPLETE_EVENT 100Bh WMI_REPORT_STATISTICS_EVENT ;related to CMD 0010h ? 100Ch WMI_RSSI_THRESHOLD_EVENT 100Dh WMI_ERROR_REPORT_EVENT ;aka WMI_TARGET_ERROR_REPORT_EVENT 100Eh WMI_OPT_RX_FRAME_EVENT ;aka WMI_OPT_RX_INFO 100Fh WMI_REPORT_ROAM_TBL_EVENT ;related to CMD 002Ah ? 1010h WMI_EXTENSION_EVENT ;prefix for WMIX events... 1010h:3001h WMIX_DSETOPENREQ_EVENT ;request 2001h ;\ 1010h:3002h WMIX_DSETCLOSE_EVENT ;request close ; not implemented in DSi 1010h:3003h WMIX_DSETDATAREQ_EVENT ;request 2002h ;/ 1010h:3004h WMIX_GPIO_INTR_EVENT ;used (interrupt) 1010h:3005h WMIX_GPIO_DATA_EVENT ;used (reply to 2004h and 2006h) 1010h:3006h WMIX_GPIO_ACK_EVENT ;used (reply to 2003h and 2005h) 1010h:3007h WMIX_HB_CHALLENGE_RESP_EVENT ;used (reply to 2008h) 1010h:3008h WMIX_DBGLOG_EVENT ;used (probably related to 2009h) 1010h:3009h WMIX_PROF_COUNT_EVENT ;-not implemented in DSi 1011h WMI_CAC_EVENT 1012h WMI_SNR_THRESHOLD_EVENT 1013h WMI_LQ_THRESHOLD_EVENT 1014h WMI_TX_RETRY_ERR_EVENT 1015h WMI_REPORT_ROAM_DATA_EVENT ;related to 002Bh? ;\not implemented in DSi 1016h WMI_TEST_EVENT ;/ 1017h WMI_APLIST_EVENT 1018h WMI_GET_WOW_LIST_EVENT ;reply to CMD 0044h 1019h WMI_GET_PMKID_LIST_EVENT ;reply to CMD F006h |
101Ah WMI_CHANNEL_CHANGE_EVENT ;<-- used on DSi ? |
101Bh WMI_PEER_NODE_EVENT 101Ch WMI_PSPOLL_EVENT ;aka WMI_PS_POLL_EVENT ;AP mode related? 101Dh WMI_DTIMEXPIRY_EVENT 101Eh WMI_WLAN_VERSION_EVENT 101Fh WMI_SET_PARAMS_REPLY_EVENT ;reply to CMD F018h (reply to "SET" cmd!) 1020h WMI_ADDBA_REQ_EVENT 1021h WMI_ADDBA_RESP_EVENT 1022h WMI_DELBA_REQ_EVENT aka WMI_DELBA_EVENT 1023h WMI_TX_COMPLETE_EVENT 1024h WMI_HCI_EVENT_EVENT aka WMI_HCI_EVENT 1025h WMI_ACL_DATA_EVENT 1026h WMI_REPORT_SLEEP_STATE_EVENT ;formerly N/A 1027h WMI_WAPI_REKEY_EVENT ;formerly N/A, or 1026h if WAPI_ENABLE 1028h WMI_REPORT_BTCOEX_STATS_EVENT ;formerly 1026h/1027h ;reply to F032h 1029h WMI_REPORT_BTCOEX_CONFIG_EVENT ;formerly 1027h/1028h ;reply to F033h 102Ah WMI_GET_PMK_EVENT aka WMI_GET_PMK_REPLY 102Bh WMI_DFS_HOST_ATTACH_EVENT ;\ 102Ch WMI_DFS_HOST_INIT_EVENT ; 102Dh WMI_DFS_RESET_DELAYLINES_EVENT ; 102Eh WMI_DFS_RESET_RADARQ_EVENT ; 102Fh WMI_DFS_RESET_AR_EVENT ; DFS Events 1030h WMI_DFS_RESET_ARQ_EVENT ; 1031h WMI_DFS_SET_DUR_MULTIPLIER_EVENT ; 1032h WMI_DFS_SET_BANGRADAR_EVENT ; 1033h WMI_DFS_SET_DEBUGLEVEL_EVENT ; 1034h WMI_DFS_PHYERR_EVENT ;/ 1035h WMI_CCX_RM_STATUS_EVENT ;-CCX Evants ;uh, EvAntS? 1036h WMI_P2P_GO_NEG_RESULT_EVENT ;-P2P Events ;uh, EventS? 1037h WMI_WAC_SCAN_DONE_EVENT ;\ 1038h WMI_WAC_REPORT_BSS_EVENT ; WAC 1039h WMI_WAC_START_WPS_EVENT ; 103Ah WMI_WAC_CTRL_REQ_REPLY_EVENT ;/ 103Bh WMI_RFKILL_STATE_CHANGE_EVENT ;\RFKILL Events 103Ch WMI_RFKILL_GET_MODE_CMD_EVENT ;/ 103Dh WMI_P2P_GO_NEG_REQ_EVENT ;\ 103Eh WMI_P2P_INVITE_REQ_EVENT ; 103Fh WMI_P2P_INVITE_RCVD_RESULT_EVENT ; 1040h WMI_P2P_INVITE_SENT_RESULT_EVENT ; More P2P Events 1041h WMI_P2P_PROV_DISC_RESP_EVENT ; 1042h WMI_P2P_PROV_DISC_REQ_EVENT ; 1043h WMI_P2P_START_SDPD_EVENT ; 1044h WMI_P2P_SDPD_RX_EVENT ;/ 1045h WMI_SET_HOST_SLEEP_MODE_CMD_PROCESSED_EVENT ;-avoid AR6003 crash 8000h WMI_THIN_EVENTID_RESERVED_START ;\ 8001h WMI_THIN_GET_MIB_EVENT ; THIN events (wmi_thin.h) 8002h WMI_THIN_JOIN_EVENT ; 8FFFh WMI_THIN_EVENTID_RESERVED_END ;/ 9000h WMI_SET_CHANNEL_EVENT ;\ 9001h WMI_ASSOC_REQ_EVENT aka WMI_ASSOCREQ_EVENT ; More events, 9002h WMI_ACS_EVENT ;generic ACS event ; somehow located 9003h WMI_REPORT_WMM_PARAMS_EVENT ; after THIN area 9004h WMI_STORERECALL_STORE_EVENT ;/ |
10xxh WMI_REPORT_WMM_PARAMS_EVENT ;-moved to 10xxh or so 10xxh WMI_WAC_REJECT_WPS_EVENT ;-NEW 9003h WMI_STORERECALL_STORE_EVENT ;-move to HERE 9004h WMI_WOW_EXT_WAKE_EVENT ;\ 9005h WMI_GTK_OFFLOAD_STATUS_EVENT ; 9006h WMI_NETWORK_LIST_OFFLOAD_EVENT ; 9007h WMI_REMAIN_ON_CHNL_EVENT ; NEW 9008h WMI_CANCEL_REMAIN_ON_CHNL_EVENT ; 9009h WMI_TX_STATUS_EVENT ; 900Ah WMI_RX_PROBE_REQ_EVENT ; 900Bh WMI_P2P_CAPABILITIES_EVENT ; 900Ch WMI_RX_ACTION_EVENT ; 900Dh WMI_P2P_INFO_EVENT ;/ |
| DSi Atheros Wifi - Host Interest Area in RAM |
AR6002_HOST_INTEREST_ADDRESS = 00500400h ;older DSi AR6013_HOST_INTEREST_ADDRESS = 00520000h ;newer DSi AR6014_HOST_INTEREST_ADDRESS = Unknown ;3DS and New3DS AR6003_HOST_INTEREST_ADDRESS = 00540600h MCKINLEY_HOST_INTEREST_ADDRESS = 00400600h |
00h hi_app_host_interest ;-Pointer to application-defined area, if any.
; (set by Target application during startup)
04h hi_failure_state ;-Pointer to register dump area after Target crash
08h hi_dbglog_hdr ;-Pointer to debug logging header
0Ch hi_flash_is_present ;Indicates whether or not flash is present on Target
;NB: flash_is_present indicator is here not just because it might be
;of interest to the Host; but also because it's set early on by
;Target's startup asm code and we need it to have a special RAM
;address so that it doesn't get reinitialized with the rest of data.
10h hi_option_flag ;-Various flags (see below)
14h hi_serial_enable ;-Boolean whether to output (additional) TTY messages
18h hi_dset_list_head ;-Start address of DataSet index, if any
1Ch hi_app_start ;-Override BMI_DONE Target application start address
20h hi_skip_clock_init ;\
24h hi_core_clock_setting ;
28h hi_cpu_clock_setting ; Clock and voltage tuning
2Ch hi_system_sleep_setting ;
30h hi_xtal_control_setting ;
34h hi_pll_ctrl_setting_24ghz ;
38h hi_pll_ctrl_setting_5ghz ;
3Ch hi_ref_voltage_trim_setting ;
40h hi_clock_info ;/
44h hi_bank0_addr_value ;\Flash configuration overrides, used only
48h hi_bank0_read_value ; when firmware is not executing from flash
4Ch hi_bank0_write_value ; (when using flash, modify the global
50h hi_bank0_config_value ;/variables with equivalent names)
54h hi_board_data ;\Pointer to Board Data (eg. from I2C
58h hi_board_data_initialized ;/EEPROM) and data present/init flag
5Ch hi_dset_RAM_index_table ;-
60h hi_desired_baud_rate ;\ ;<-- for TTY/UART (default=9600 decimal)
64h hi_dbglog_config ;
68h hi_end_RAM_reserve_sz ;
6Ch hi_mbox_io_block_sz ;/
70h hi_num_bpatch_streams ;-Unused (supposedly was used before 2010)
74h hi_mbox_isr_yield_limit ;-
78h hi_refclk_hz ;-OSC ;on DSi: 26,000,000 decimal (26MHz)
Below seems to be newer stuff... not implemented in DSi... (?)
7Ch hi_ext_clk_detected ;\
80h hi_dbg_uart_txpin ;
84h hi_dbg_uart_rxpin ;
88h hi_hci_uart_baud ;
8Ch hi_hci_uart_pin_assignments ;/ ;<-- byte[0]=tx, [1]=rx, [2]=rts, [3]=cts
90h hi_hci_uart_baud_scale_val ;\
94h hi_hci_uart_baud_step_val ;/
98h hi_allocram_start ;\
9Ch hi_allocram_sz ;/
A0h hi_hci_bridge_flags ;\
A4h hi_hci_uart_support_pins ;/
;NOTE: byte[0]=RESET pin (bit7 is polarity), byte[1..3]=for future use
A8h hi_hci_uart_pwr_mgmt_params ;-
;Bit[1]: 0=UART FC active low, 1=UART FC active high
;Bit[16-31]: wakeup timeout in ms
ACh hi_board_ext_data ;\Pointer to extended board Data, and
B0h hi_board_ext_data_config ;/Config/flags (bit0=valid, bit16-31=size)
B4h hi_reset_flag ;\warmboot flags, valid when [B8h]=12345678h
B8h hi_reset_flag_valid ;/
BCh hi_hci_uart_pwr_mgmt_params_ext ;-bit[0-31]: idle timeout in ms
C0h hi_acs_flags ;-ACS flags
C4h hi_console_flags ;
C8h hi_nvram_state ;
CCh hi_option_flag2 ;
D0h hi_sw_version_override ;\If non-zero, override values sent to Host
D4h hi_abi_version_override ;/in WMI_READY event
D8h hi_test_apps_related ;-test applications flags
DCh hi_ota_testscript ;-location of test script
E0h hi_cal_data ;-location of CAL data
E4h..FFh ;reserved
|
AR6K_OPTION_BMI_DISABLE = 01h ;bit0 Disable BMI comm with Host AR6K_OPTION_SERIAL_ENABLE = 02h ;bit1 Enable UART serial port TTY messages AR6K_OPTION_WDT_DISABLE = 04h ;bit2 WatchDog Timer override AR6K_OPTION_SLEEP_DISABLE = 08h ;bit3 Disable system sleep AR6K_OPTION_STOP_BOOT = 10h ;bit4 Stop boot processes (for ATE) AR6K_OPTION_ENABLE_NOANI = 20h ;bit5 Operate without ANI AR6K_OPTION_DSET_DISABLE = 40h ;bit6 Ignore DataSets AR6K_OPTION_IGNORE_FLASH = 80h ;bit7 Ignore flash during bootup |
0 HI_OPTION_TIMER_WAR ;Enable timer workaround
1 HI_OPTION_BMI_CRED_LIMIT ;Limit BMI command credits
2 HI_OPTION_RELAY_DOT11_HDR ;Relay Dot11 hdr to/from host
3 HI_OPTION_MAC_ADDR_METHOD ;MAC addr method 0=locally administred
; 1=globally unique addrs
4 HI_OPTION_ENABLE_RFKILL ;RF Kill Enable Feature
5 HI_OPTION_ENABLE_PROFILE ;Enable CPU profiling
6 HI_OPTION_DISABLE_DBGLOG ;Disable debug logging
7 HI_OPTION_SKIP_ERA_TRACKING ;Skip Era Tracking
8 HI_OPTION_PAPRD_DISABLE ;Disable PAPRD (debug)
9-11 HI_OPTION_NUM_DEV ;num dev (3bit)
12-27 HI_OPTION_DEV_MODE ;dev mode (16bit) (aka 4xMODE, 4xSUBMODE?)
28 HI_OPTION_NO_LFT_STBL ;Disable LowFreq LF Timer Stabilization
29 HI_OPTION_SKIP_REG_SCAN ;Skip regulatory scan
30 HI_OPTION_INIT_REG_SCAN ;Do regulatory scan during init before
; sending WMI ready event to host
31 HI_OPTION_FW_BRIDGE ;Firmware bridging
|
HI_OPTION_FW_MODE_IBSS = 00h ;IBSS Mode HI_OPTION_FW_MODE_BSS_STA = 01h ;STA Mode HI_OPTION_FW_MODE_AP = 02h ;AP Mode HI_OPTION_FW_MODE_BT30AMP = 03h ;BT30 AMP Mode |
HI_OPTION_FW_SUBMODE_NONE = 00h ;Normal mode HI_OPTION_FW_SUBMODE_P2PDEV = 01h ;p2p device mode HI_OPTION_FW_SUBMODE_P2PCLIENT = 02h ;p2p client mode HI_OPTION_FW_SUBMODE_P2PGO = 03h ;p2p go mode |
.--------.-------.-------.-------.-------.-------.-------.-------. | SUB | SUB | SUB | SUB | | | | | |MODE[3] |MODE[2]|MODE[1]|MODE[0]|MODE[3]|MODE[2]|MODE[1]|MODE[0]| | (2) | (2) | (2) | (2) | (2) | (2) | (2) | (2) | '--------'-------'-------'-------'-------'-------'-------'-------' HI_OPTION_FW_MODE_BITS 0x2 ;\ HI_OPTION_FW_MODE_MASK 0x3 ; MODE HI_OPTION_FW_MODE_SHIFT 0xC ;bit12-13 (2bit) per device? ; HI_OPTION_ALL_FW_MODE_MASK 0xFF ;bit12-19 (8bit) per 4 devices? ;/ HI_OPTION_FW_SUBMODE_BITS 0x2 ;\ HI_OPTION_FW_SUBMODE_MASK 0x3 ; SUB- HI_OPTION_FW_SUBMODE_SHIFT 0x14 ;bit20-21 (2bit) per device? ; MODE HI_OPTION_ALL_FW_SUBMODE_MASK 0xFF00 ;bit20-27 (8bit) per 4 devices? ; HI_OPTION_ALL_FW_SUBMODE_SHIFT 0x8 ;/ |
0 HI_OPTION_OFFLOAD_AMSDU ;aka OFFLAOD 1 HI_OPTION_DFS_SUPPORT ;-only in newer code from 2011 or so 2 HI_OPTION_ENABLE_RFKILL ;\ 3 HI_OPTION_RADIO_RETENTION_DISABLE ; 4 HI_OPTION_EARLY_CFG_DONE ; only in newer code from 2015 or so 5 HI_OPTION_DISABLE_CDC_MAX_PERF_WAR ; 6 HI_OPTION_USE_EXT_LDO ; 7 HI_OPTION_DBUART_SUPPORT ; 8 Reserved? ; 9 HT_OPTION_GPIO_WAKEUP_SUPPORT ;HT? ;/ 10-31 Reserved |
0 HI_RESET_FLAG_PRESERVE_APP_START ;preserve App Start address 1 HI_RESET_FLAG_PRESERVE_HOST_INTEREST ;preserve Host Interest 2 HI_RESET_FLAG_PRESERVE_ROMDATA ;preserve ROM data 3 HI_RESET_FLAG_PRESERVE_NVRAM_STATE 4 HI_RESET_FLAG_PRESERVE_BOOT_INFO ;\only in newer code from 2015 or so 5 HI_RESET_FLAG_WARM_RESET ;/ 6-31 Reserved |
0 HI_ACS_FLAGS_ENABLED ;ACS is enabled 1 HI_ACS_FLAGS_USE_WWAN ;Use physical WWAN device 2 HI_ACS_FLAGS_TEST_VAP ;Use test VAP 3-31 Reserved |
0-2 HI_CONSOLE_FLAGS_UART ;UART ID (0=Default) 3 HI_CONSOLE_FLAGS_BAUD_SELECT ;Baud Select (0=9600, 1=115200) 4-30 Reserved 31 HI_CONSOLE_FLAGS_ENABLE ;Enable Console |
0 HI_TEST_APPS_TESTSCRIPT_LOADED 1 HI_TEST_APPS_CAL_DATA_AVAIL 2-31 Reserved |
AR6002_VTOP(vaddr) = ((vaddr) & 0x001fffff) ;\uh, 2Mbyte space? AR6003_VTOP(vaddr) = ((vaddr) & 0x001fffff) ;/(shouldn't that be 4Mbyte?) MCKINLEY_VTOP(vaddr) = ((vaddr)) ;whatever, maybe uses a different CPU/HW |
AR6002_REV2_APP_START_OVERRIDE 0x911A00 ;\ AR6002_REV2_DATASET_PATCH_ADDRESS 0x52D8B0 ; AR6002 AR6002_REV2_APP_LOAD_ADDRESS 0x502070 ;/ AR6003_REV2_APP_START_OVERRIDE 0x944C00 ;\ AR6003_REV2_APP_LOAD_ADDRESS 0x543180 ; AR6003_REV2_BOARD_EXT_DATA_ADDRESS 0x57E500 ; AR6003 REV2 AR6003_REV2_DATASET_PATCH_ADDRESS 0x57E884 ; AR6003_REV2_RAM_RESERVE_SIZE 6912 ;/ AR6003_REV3_APP_START_OVERRIDE 0x945D20 ;\ AR6003_REV3_APP_LOAD_ADDRESS 0x545000 ; AR6003_REV3_BOARD_EXT_DATA_ADDRESS 0x542330 ; AR6003 REV3 AR6003_REV3_DATASET_PATCH_ADDRESS 0x57FEC8 ; AR6003_REV3_RAM_RESERVE_SIZE 512 ; AR6003_REV3_RAM_RESERVE_SIZE_TCMD 4352 ;/ |
| DSi Atheros Wifi - BMI Bootloader Commands |
BMI Commands --> After RESET WMI Commands --> After uploading and sending BMI_DONE |
____________________________ Execute Functions ____________________________ |
Send 32bit Command (00000001h) |
Send 32bit Command (00000004h) Send 32bit Entrypoint Send 32bit Argument Receive 32bit Return Value |
Send 32bit Command (00000005h) Send 32bit Entrypoint |
___________________________ Read/Write Functions ___________________________ |
Send 32bit Command (00000002h) Send 32bit Address Send 32bit Length (should be max 80h or 200h or so (?) due to MBOX size) Receive LEN bytes, read from [address and up] |
Send 32bit Command (00000003h) Send 32bit Address (or special value for "Segmented Write", see below) Send 32bit Length (should be max 1F4h due to MBOX size) Send LEN bytes, written to [address and up] |
Send 32bit Command (00000006h) Send 32bit Address Receive 32bit Word from [address] |
Send 32bit Command (00000007h) Send 32bit Address Send 32bit Word to [address] |
Send 32bit Command (0000000Dh) Send 32bit Destination Start Address for BMI_CMD(0Eh) |
Send 32bit Command (0000000Eh) Send 32bit Length (should be max 1F8h due to MBOX size) Send LEN compressed bytes, decompressed to incrementing destination address |
___________________________ ROM Patch Functions ___________________________ |
Send 32bit Command (00000009h) Send 32bit Target ROM Address Send 32bit Target RAM Address or Value (depending on Target Type) Send 32bit Size (in bytes) Send 32bit Activate (0=Install without activate, 1=Install and activate) Receive 32bit PatchID |
Send 32bit Command (0000000Ah) Send 32bit PatchID (to be uninstalled & deactivated) |
Send 32bit Command (0000000Bh/0000000Ch) Send 32bit Number of patches (N) Send Nx32bit List of PatchID's (to be activated/deactivated) |
______________________________ Misc Functions ______________________________ |
Send 32bit Command (00000008h) Receive 32bit Value (FFFFFFFFh) ;ROM version (or FFFFFFFFh) If above value is FFFFFFFFh then following extra data is appended: Receive 32bit Value (0000000Ch) ;total size of extra data Receive 32bit Value (20000188h) ;ROM version Receive 32bit Value (00000002h) ;TARGET_TYPE (2=AR6002) |
Send 32bit Command (0000000Fh) Send 16x8bit Name (16 characters, in "LE format", uh?) Receive 32bit Value returned from last executed NVRAM segment (or 0=None) |
Send 32bit Command (00000000h, or 0000000Fh..FFFFFFFFh) |
Send 32bit Command (00000003h) <-- same as Write Memory command Send 32bit Address (00001234h) <-- special value for Segmented Write Send 32bit Length (should be max 1F4h due to MBOX size) Send LEN bytes, as described below... |
00h 4 File ID (544D4753h) ("SGMT")
04h 4 File Flags (0=Raw, 1=BMI_SGMTFILE_FLAG_COMPRESS)
|
00h 4 Destination Address (the actual address, no special value here) 04h 4 Segment Length (N) (or special value FFFFFFFxh) 08h N Data (N bytes) (no data when N=FFFFFFFxh) |
FFFFFFFFh ;End of segmented data file (should occur as last segment) FFFFFFFEh ;Board Data (write "hi_board_data+Address", instead raw "Address") FFFFFFFDh ;Set App Start=Addresss; like BMI_CMD(05h) FFFFFFFCh ;Call Address; like BMI_CMD(04h), but without param/return value |
1) Use BMI_LZ_STREAM_START with Addr=00001234h, followed by BMI_LZ_DATA, or 2) Use BMI_WRITE_MEMORY with Addr=00001234h and file header Flags=1. |
| DSi Atheros Wifi - MBOX Transfer Headers |
Func[0:00005h] R 1 Interrupt Flags (bit1=Function 1 IRQ) Func[1:00400h] R 10h Interrupt Status, etc. and Lookahead Func[1:00800h..00FFF] R/W .. MBOX0 |
00h 1 Type (00h=BootInfo, 01h=WMI Command, 02h=Data Packet) 01h 1 Request Ack (00h=No, 01h=Yes) 02h 2 Length of entries [06h..end] (LEN) 04h 2 ? 06h LEN Body (BootInfo/Event/Data) .. .. Padding to 80h-byte boundary (for SDIO block size 80h) |
06h .. related to BE/BK/VI/VO stuff (best effort, background, video, voice) |
06h 2 WMI Command Number 08h .. Parameters |
06h 2 <Unknown6>?? 0000h or 1C00h ;maybe whatever ? 08h 6 Destination (MAC Addr of Router) (or FF:FF:FF:FF:FF:FF=Broadcast) 0Eh 6 Source (MAC Addr of DSi console) 14h 2 Length Data at [16h...] ;(LEN1-10h) ;<-- BIG-ENDIAN !!! 16h .. Data (usually starting with LLC stuff, ie. AAh,AAh,03h,00h...) |
06h 1 Garbage (usually LSB of a previously used WMI command number) 07h 1 Unknown (02h) |
00h 1 Type (00h=Ack only, 01h=WMI Event, 02h=Data Packet) 01h 1 Ack Present (00h=No, 02h=Yes) 02h 2 Length of entries [06h..end] (LEN1+LEN2) 04h 1 Length of Ack at [06h+LEN1..end] (LEN2) ;garbage when [01h]=00h 05h 1 ? (00h,20h?,7Fh,F4h,FFh) 06h LEN1 Body (Event/Data) 06h+LEN1 LEN2 Ack List .. .. Padding to 80h-byte boundary (for SDIO block size 80h) |
06h - N/A (or boot request info; occurs only shortly after BMI) |
06h 2 WMI Event Number 08h .. Parameters |
06h 1 RSSI (Received Signal Strength Indicator) (00h..3Ch) (aka 0..60) 07h 1 <Unknown7> 00h 08h 6 Destination (MAC Addr of DSi console) (or FF:FF:FF:FF:FF:FF=Broadcast) 0Eh 6 Source (MAC Addr of Router) 14h 2 Length of Data entries at [16h..(end-xtracrap)] ;<-- BIG-ENDIAN !!! 16h .. Data (usually LLC stuff, ie. AAh,AAh,03h.. or, once F0h,F0h,03h..??) |
X+00h List Item Type (01h=Ack, 02h=Lookahead) X+01h List Item Len (02h*N for Ack's, 06h for Lookahead) X+02h List Item data |
Y+00h Ack Item Type (01h=Command Ack, 02h=Data Ack, 05h=Data Ack, too?) Y+01h Ack Item Count? (usually 1) (or 2 for double-ack?) |
Z+00h Lookahead valid ID1 (00h=No, 55h=Valid) Z+01h Lookahead MBOX0 (or garbage if ID1/ID2 not valid) Z+05h Lookahead valid ID2 (00h=No, AAh=Valid) |
without 3rd address field without WEP entries (those are apparently automatically inserted) without Frame Control, Duration/ID, Sequence Control there seem to be only Data Frames (no Managment/Control Frames) |
| DSi Atheros Wifi - WMI Misc Commands |
00h A_UINT8 1 dataSyncMap ;00h, 01h, or 09h used? |
00h A_UINT8 1 bssFilter; /* see WMI_BSS_FILTER 01h A_UINT8 1 reserved1; /* For alignment 02h A_UINT16 2 reserved2; /* For alignment 04h A_UINT32 4 ieMask; |
NONE_BSS_FILTER = 00h ;no beacons forwarded ALL_BSS_FILTER = 01h ;all beacons forwarded PROFILE_FILTER = 02h ;only beacons matching profile ALL_BUT_PROFILE_FILTER = 03h ;all but beacons matching profile CURRENT_BSS_FILTER = 04h ;only beacons matching current BSS ALL_BUT_BSS_FILTER = 05h ;all but beacons matching BSS PROBED_SSID_FILTER = 06h ;beacons matching probed ssid LAST_BSS_FILTER = 07h ;marker only |
00h A_UINT8 1 entryIndex; /* 0 to MAX_PROBED_SSID_INDEX 01h A_UINT8 1 flag; /* WMI_SSID_FLG 02h A_UINT8 1 ssidLength; 03h A_UINT8 32 ssid[32]; |
DISABLE_SSID_FLAG = 00h /* disables entry SPECIFIC_SSID_FLAG = 01h /* probes specified ssid ANY_SSID_FLAG = 02h /* probes for any ssid |
00h A_UINT16 2 listenInterval; 02h A_UINT16 2 numBeacons; |
MIN_LISTEN_INTERVAL = 15 ;min = 15 MAX_LISTEN_INTERVAL = 5000 ;max = 5000 or 3000, uh? MIN_LISTEN_BEACONS = 1 MAX_LISTEN_BEACONS = 500 |
00h A_UINT16 2 bmissTime; 02h A_UINT16 2 numBeacons; |
MIN_BMISS_TIME = 1000 MAX_BMISS_TIME = 5000 MIN_BMISS_BEACONS = 1 MAX_BMISS_BEACONS = 50 |
00h A_UINT16 2 beaconInterval; |
00h A_UINT8 6 bssid[ATH_MAC_LEN]; 06h A_UINT8 1 enable; /* PMKID_ENABLE_FLG 07h A_UINT8 16 pmkid[WMI_PMKID_LEN]; |
PMKID_DISABLE = 0 PMKID_ENABLE = 1 |
00h A_UINT8 1 ieType 01h A_UINT8 1 bufferSize 02h A_UINT8 N*1 assocInfo[1] ;up to WMI_MAX_ASSOC_INFO_LEN |
WMI_MAX_ASSOC_INFO_TYPE = 2 WMI_CCX_VER_IE = 2 /* ieType to set CCX Version IE WMI_MAX_ASSOC_INFO_LEN = 240 |
00h A_UINT8 1 badApIndex ;0 to WMI_MAX_BAD_AP_INDEX 01h A_UINT8 6 bssid[ATH_MAC_LEN] WMI_MAX_BAD_AP_INDEX = 1 |
00h A_UINT8 1 badApIndex ;0 to WMI_MAX_BAD_AP_INDEX |
00h A_UINT16 2 txop ;in units of 32 usec 02h A_UINT8 1 eCWmin 03h A_UINT8 1 eCWmax 04h A_UINT8 1 aifsn 05h A_UINT8 1 ac WMI_DEFAULT_TXOP_ACPARAM = 0 /* implies one MSDU WMI_DEFAULT_ECWMIN_ACPARAM = 4 /* corresponds to CWmin of 15 WMI_DEFAULT_ECWMAX_ACPARAM = 10 /* corresponds to CWmax of 1023 WMI_MAX_CW_ACPARAM = 15 /* maximum eCWmin or eCWmax WMI_DEFAULT_AIFSN_ACPARAM = 2 WMI_MAX_AIFSN_ACPARAM = 15 |
00h A_UINT8 optMode (documented in code from 2008 only) |
SPECIAL_OFF = unknown (maybe 0 or 1 or so) ;\ SPECIAL_ON = SPECIAL_OFF+1 ; code from 2008 only PYXIS_ADHOC_ON = SPECIAL_OFF+2 ; (removed/undoc in 2010) PYXIS_ADHOC_OFF = SPECIAL_OFF+3 ;/ |
Unknown (11h bytes?) (or maybe TRANSFER PACKET data?) (why called "OPT"?) |
00h A_UINT16 2 voicePktSize |
00h A_UINT8 1 maxSPLen |
DELIVER_ALL_PKT = 00h
DELIVER_2_PKT = 01h
DELIVER_4_PKT = 02h
DELIVER_6_PKT = 03h
|
00h UNIT32? 4 WMIX Command (values 2001h and up) ;WMIX_CMD_HDR 04h ... .. WMIX Parameter(s) |
00h A_UINT32 4 cookie ;usually increasing 1,2,3,4,5,etc. 04h A_UINT32 4 source ;usually 0 |
00h A_UINT32 frequency ;\unknown purpose, sounds like command/params, 04h A_UINT8 threshold ;/but there's no WMIcmd(xxxxh) value assigned |
01h 02h <---- total size (on DSi it's 01h, ie. left column) 00h 00h A_UINT8 1 status -- 01h A_UINT8 1 preamblePolicy |
WMI_LPREAMBLE_DISABLED = 0 WMI_LPREAMBLE_ENABLED = 1 |
WMI_IGNORE_BARKER_IN_ERP = 0 WMI_DONOT_IGNORE_BARKER_IN_ERP = 1 |
00h A_UINT16 2 threshold |
00h A_UINT8 1 mode |
RECONN_DO_AUTH = 00h RECONN_NOT_AUTH = 01h |
00h A_UINT8 1 mode |
REASSOC_DO_DISASSOC = 00h REASSOC_DONOT_DISASSOC = 01h |
00h A_UINT8 1 status |
WMI_WMM_DISABLED = 0 WMI_WMM_ENABLED = 1 |
00h A_UINT8 1 txopEnable |
WMI_TXOP_DISABLED = 0 WMI_TXOP_ENABLED = 1 |
00h A_UINT8 1 keepaliveInterval |
A_BOOL 4 configured
A_UINT8 1 keepaliveInterval
|
00h A_UINT8 1 mgmtFrmType ;one of WMI_MGMT_FRAME_TYPE 01h A_UINT8 1 ieLen ;Length of the IE to be added to the MGMT frame 02h A_UINT8 N*1 ieInfo[1] ; |
WMI_FRAME_BEACON = 0 WMI_FRAME_PROBE_REQ = 1 WMI_FRAME_PROBE_RESP = 2 WMI_FRAME_ASSOC_REQ = 3 WMI_FRAME_ASSOC_RESP = 4 |
WMI_MAX_IE_LEN = 255 |
Unknown (none? or maybe UINT8 or so, maybe with values listed below) DSi uses 1 byte parameter. WSC_REG_ACTIVE = 1 WSC_REG_INACTIVE = 0 |
00h A_UINT8 1 status; |
00h A_UINT8 1 whalCmdId; ;see WHAL_CMDID enumeration 01h A_UINT8 .. data[1]; ;aka SETCABTO structure ? |
WHAL_SETCABTO_CMDID = 1 |
A_UINT8 cabTimeOut; |
00h A_UINT32 4 akmpInfo; |
00h A_UINT32 4 numPMKID; 04h WMI_PMKID N*.. pmkidList[WMI_MAX_PMKID_CACHE]; |
A_UINT8 pmkid[WMI_PMKID_LEN]; |
Unknown (none?) |
00h A_UINT32 4 numPMKID; 04h A_UINT8 N*6 bssidList[ATH_MAC_LEN][1]; .. WMI_PMKID N*1 pmkidList[1]; |
A_UINT8 pmkid[WMI_PMKID_LEN];
|
| DSi Atheros Wifi - WMI Misc Events |
00h A_UINT8 6 macaddr[ATH_MAC_LEN] ;MAC addr of DSi console 06h A_UINT8 1 phyCapability (=02h aka "11G") ;WMI_PHY_CAPABILITY 07h A_UINT8 1 unused/padding 08h A_UINT32 4 version (=2100007Bh/2300006Ch) (firmware version) |
00h A_UINT8 6 macaddr[ATH_MAC_LEN] 06h A_UINT8 1 phyCapability ;WMI_PHY_CAPABILITY |
00h A_UINT32 4 version 04h A_UINT8 6 macaddr[ATH_MAC_LEN] 0Ah A_UINT8 1 phyCapability ;WMI_PHY_CAPABILITY |
00h A_UINT32 4 sw_version 04h A_UINT32 4 abi_version 08h A_UINT8 6 macaddr[ATH_MAC_LEN] 0Eh A_UINT8 1 phyCapability ;WMI_PHY_CAPABILITY |
WMI_11A_CAPABILITY = 1 WMI_11G_CAPABILITY = 2 WMI_11AG_CAPABILITY = 3 WMI_11NA_CAPABILITY = 4 WMI_11NG_CAPABILITY = 5 WMI_11NAG_CAPABILITY = 6 |
When version<2: 00h A_UINT16 2 channel ;in MHz ;\ 02h A_UINT8 1 frameType ;see WMI_BI_FTYPE ; 03h A_UINT8 1 snr ;eg. 33h ; WMI_BSS_INFO_HDR 04h A_INT16 2 rssi ;eg. FFD4h aka "33h-95" ; version 1 (10h bytes) 06h A_UINT8 6 bssid[ATH_MAC_LEN] ; 0Ch A_UINT32 4 ieMask ;/ 10h BODY ... beacon or probe-response frame body ;-Body (timestamp etc) When version>=2: 00h A_UINT16 2 channel ;in MHz ;\ 02h A_UINT8 1 frameType ;see WMI_BI_FTYPE ; WMI_BSS_INFO_HDR2 03h A_UINT8 1 snr (implies "rssi=snr-95" in v2) ; version 2 (0Ch bytes) 04h A_UINT8 6 bssid[ATH_MAC_LEN] ; 0Ah A_UINT16 2 ieMask (only 2 bytes in v2) ;/ 0Ch BODY ... beacon or probe-response frame body ;-Body (timestamp etc) |
- Reduce the ieMask to 2 bytes as only two bit flags are used - Remove rssi and compute it on the host. rssi = snr - 95 |
BEACON_FTYPE = 01h PROBERESP_FTYPE = 02h ACTION_MGMT_FTYPE = 03h PROBEREQ_FTYPE = 04h |
BSS_ELEMID_CHANSWITCH = 01h ;value for bit0? (or bit-number for bit1?) BSS_ELEMID_ATHEROS = 02h ;value for bit1? (or bit-number for bit2?) |
00h A_UINT32 4 regDomain ;80000188h on DSi (after firmware upload) |
00h A_INT8 1 numberOfAps; 01h WMI_NEIGHBOR_INFO N*7 neighbor[1]; |
A_UINT8 6 bssid[ATH_MAC_LEN];
A_UINT8 1 bssFlags; /* see WMI_BSS_FLAGS
|
WMI_DEFAULT_BSS_FLAGS = 00h WMI_PREAUTH_CAPABLE_BSS = 01h WMI_PMKID_VALID_BSS = 02h |
00h A_UINT16 2 channel ;\ 02h A_UINT8 1 frameType ;see WMI_OPT_FTYPE ; special frame info header 03h A_INT8 1 snr ; 04h A_UINT8 6 srcAddr[ATH_MAC_LEN] ; 0Ah A_UINT8 6 bssid[ATH_MAC_LEN] ;/ 10h ... .. body (having WHAT length?) ;-special frame body |
00h A_UINT32 4 cookie; ;\same reply-format as command parameters 04h A_UINT32 4 source; ;/ |
00h A_UINT8 1 ac; 01h A_UINT8 1 cac_indication; 02h A_UINT8 1 statusCode; 03h A_UINT8 3Fh tspecSuggestion[WMM_TSPEC_IE_LEN]; |
CAC_INDICATION_ADMISSION = 00h CAC_INDICATION_ADMISSION_RESP = 01h CAC_INDICATION_DELETE = 02h CAC_INDICATION_NO_RESP = 03h |
00h A_UINT8 1 apListVer; 01h A_UINT8 1 numAP; 02h WMI_AP_INFO N*8 apList[1]; |
APLIST_VER1 = 1,
|
typedef PREPACK union {
WMI_AP_INFO_V1 8 apInfoV1;
} POSTPACK WMI_AP_INFO;
|
A_UINT8 6 bssid[ATH_MAC_LEN];
A_UINT16 2 channel;
|
| DSi Atheros Wifi - WMI Connect Functions |
00h A_UINT8 1 networkType ;somewhat NETWORK_TYPE related ? (1) 01h A_UINT8 1 dot11AuthMode ;aka DOT11_AUTH_MODE ? (1=Open, 2=WEP) 02h A_UINT8 1 authMode ;aka AUTH_MODE ? (1) 03h A_UINT8 1 pairwiseCryptoType ;aka CRYPTO_TYPE (1=Open, 2=WEP) 04h A_UINT8 1 pairwiseCryptoLen (0) 05h A_UINT8 1 groupCryptoType ;aka CRYPTO_TYPE (1=Open, 2=WEP) 06h A_UINT8 1 groupCryptoLen (0) 07h A_UINT8 1 ssidLength 08h A_UCHAR 32 ssid[WMI_MAX_SSID_LEN] 28h A_UINT16 2 channel ;in MHz 2Ah A_UINT8 6 bssid[ATH_MAC_LEN] 30h A_UINT32 4 ctrl_flags (0) |
INFRA_NETWORK = 01h ;DSi uses 01h for Open/WEP/WPA/WPA2 ADHOC_NETWORK = 02h ADHOC_CREATOR = 04h AP_NETWORK = 10h |
SUBTYPE_NONE = unknown (maybe 0 or 1 or so?) SUBTYPE_BT = SUBTYPE_NONE+1 SUBTYPE_P2PDEV = SUBTYPE_NONE+2 SUBTYPE_P2PCLIENT = SUBTYPE_NONE+3 SUBTYPE_P2PGO = SUBTYPE_NONE+4 |
OPEN_AUTH = 01h ;DSi uses 01h for Open/WPA/WPA2 SHARED_AUTH = 02h ;DSi uses 02h for WEP LEAP_AUTH = 04h /* different from IEEE_AUTH_MODE definitions |
WMI_NONE_AUTH = 01h ;DSi uses 01h for Open/WEP WMI_WPA_AUTH = 02h ;\whatever maybe for RADIUS? WMI_WPA2_AUTH = 04h ;/ WMI_WPA_PSK_AUTH = 08h ;DSi uses 03h (not 08h) for WPA-PSK WMI_WPA2_PSK_AUTH = 10h ;DSi uses 05h (not 10h) for WPA2-PSK WMI_WPA_AUTH_CCKM = 20h ;\whatever for "Cisco Centralized Key Management"? WMI_WPA2_AUTH_CCKM = 40h ;/ |
NONE_CRYPT = 01h ;DSi uses 01h for Open WEP_CRYPT = 02h ;DSi uses 02h for WEP TKIP_CRYPT = 04h ;DSi uses 03h (not 04h) for WPA AES_CRYPT = 08h ;DSi uses 04h (not 08h) for WPA2 WAPI_CRYPT = 10h ;only if WAPI_ENABLE |
0 CONNECT_ASSOC_POLICY_USER = 0001h 1 CONNECT_SEND_REASSOC = 0002h 2 CONNECT_IGNORE_WPAx_GROUP_CIPHER = 0004h 3 CONNECT_PROFILE_MATCH_DONE = 0008h 4 CONNECT_IGNORE_AAC_BEACON = 0010h 5 CONNECT_CSA_FOLLOW_BSS = 0020h 6 CONNECT_PYXIS_REMOTE = 0040h ;-old code from 2008 6 CONNECT_DO_WPA_OFFLOAD = 0040h ;\ 7 CONNECT_DO_NOT_DEAUTH = 0080h ; new code from 2010 8 CONNECT_WPS_FLAG = 0100h ; 9 CONNECT_IGNORE_BSSID_HINT = 0200h ; 16 AP_NO_DISASSOC_UPON_DEAUTH = 10000h ;/ <--AP configuration flags |
00h A_UINT16 2 channel ;hint 02h A_UINT8 6 bssid[ATH_MAC_LEN] ;mandatory if set |
Unknown (none?) |
00h A_UINT8 1 disconnectTimeout ;seconds |
When "infra_ibss_bss": ;<-- occurs for my WPA2 connect 00h A_UINT16 2 channel ;in MHz 02h A_UINT8 6 bssid[ATH_MAC_LEN] ; 08h A_UINT16 2 listenInterval ;0064h 0Ah A_UINT16 2 beaconInterval ;0064h 0Ch A_UINT32 4 networkType ;00000001h When "ap_sta": 00h A_UINT8 1 phymode 01h A_UINT8 1 aid 02h A_UINT8 6 mac_addr[ATH_MAC_LEN] 08h A_UINT8 1 auth 09h A_UINT8 1 keymgmt 0Ah A_UINT16 2 cipher 0Ch A_UINT8 1 apsd_info 0Dh A_UINT8 3 unused[3] When "ap_bss": 00h A_UINT16 2 channel 02h A_UINT8 6 bssid[ATH_MAC_LEN] 08h A_UINT8 8 unused[8] And, in all three cases: 10h A_UINT8 1 beaconIeLen ;16h 11h A_UINT8 1 assocReqLen ;2Fh 12h A_UINT8 1 assocRespLen ;16h 13h A_UINT8 .. assocInfo[1] ;whatever 100 bytes? |
00h A_UINT16 2 protocolReasonStatus; /* reason code, see 802.11 spec. 02h A_UINT8 6 bssid[ATH_MAC_LEN]; /* set if known 08h A_UINT8 1 disconnectReason ; /* see WMI_DISCONNECT_REASON 09h A_UINT8 1 assocRespLen; 0Ah A_UINT8 N*1 assocInfo[1]; |
NO_NETWORK_AVAIL = 01h LOST_LINK = 02h ;-bmiss DISCONNECT_CMD = 03h BSS_DISCONNECTED = 04h AUTH_FAILED = 05h ASSOC_FAILED = 06h NO_RESOURCES_AVAIL = 07h CSERV_DISCONNECT = 08h INVALID_PROFILE = 0Ah DOT11H_CHANNEL_SWITCH = 0Bh PROFILE_MISMATCH = 0Ch PYXIS_VIRT_ADHOC_DISC = 0Dh ;-old code from 2008 CONNECTION_EVICTED = 0Dh ;\ IBSS_MERGE = 0Eh ; new code from 2010 EXCESS_TX_RETRY = 0Fh ;/ <--TX frames failed after excessive retries |
| DSi Atheros Wifi - WMI Channel and Cipher Functions |
None |
00h A_UINT8 1 reserved1 ;whatever (zero) 01h A_UINT8 1 numChannels ;number of channels in reply (N) 02h A_UINT16 N*2 channelList[1] ;channels in MHz 02h+N*2 2 Zero (0000h) ;undocumented (end of list or so) |
00h A_UINT8 1 reserved1 ;whatever (?) 01h A_UINT8 1 scanParam ;set if enable scan 02h A_UINT8 1 phyMode ;see WMI_PHY_MODE 03h A_UINT8 1 numChannels ;how many channels follow 04h A_UINT16 N*2 channelList[1] ;channels in MHz |
WMI_11A_MODE = 01h WMI_11G_MODE = 02h WMI_11AG_MODE = 03h WMI_11B_MODE = 04h WMI_11GONLY_MODE = 05h |
00h A_UINT16 2 oldChannel; ;\uh, old is 16bit and new is 32bit? 02h A_UINT32 4 newChannel; ;/(DSi does really send 6 bytes) |
2Ch 2Dh 33h <---- total size (on DSi it's 2Dh, ie. middle column) 00h 00h 00h A_UINT8 1 keyIndex ;aka WMI_MAX_KEY_INDEX ? 01h 01h 01h A_UINT8 1 keyType ;aka CRYPTO_TYPE 02h 02h 02h A_UINT8 1 keyUsage ;KEY_USAGE 03h 03h 03h A_UINT8 1 keyLength 04h 04h 04h A_UINT8 8 keyRSC[8] ;key replay sequence counter 0Ch 0Ch 0Ch A_UINT8 32 key[WMI_MAX_KEY_LEN] ;aka password -- 2Ch 2Ch A_UINT8 1 key_op_ctrl ;Additional Key Control information -- -- 2Dh A_UINT8 6 key_macaddr[ATH_MAC_LEN] |
PAIRWISE_USAGE = 00h ;<-- DSi browser uses THIS for WPA/WPA2 key 0 GROUP_USAGE = 01h ;<-- DSi browser uses THIS for WEP/WPA/WPA2 key 1..3 TX_USAGE = 02h ;<-- reportedly "default Tx Key - Static WEP only" Undoc (or 01h+02h) = 03h ;<-- DSi browser uses THIS for WEP key 0 |
Bit 0 - Initialise TSC - default is Initialize KEY_OP_INIT_TSC = 01h KEY_OP_INIT_RSC = 02h KEY_OP_INIT_WAPIPN = 10h (only if "WAPI_ENABLE") KEY_OP_INIT_VAL = 03h ;<-- Default Initialise the TSC & RSC ;used by DSi KEY_OP_VALID_MASK = 03h |
WMI_MIN_KEY_INDEX = 0 WMI_MAX_KEY_INDEX = 3 ;<-- when not "WAPI_ENABLE" WMI_MAX_KEY_INDEX = 7 ;<-- when "WAPI_ENABLE" (wapi grpKey 0-3, prwKey 4-7) WMI_MAX_KEY_LEN = 32 |
KeyIndex=0, key=PTK[20h..2Fh]+PTK[38h..3Fh]+PTK[30h..37h], RSC=0 KeyIndex=1/2, key=GTK[00h..0Fh]+PTK[18h..1Fh]+PTK[10h..17h], RSC=EAPOL RSC |
00h A_UINT8 1 keyIndex |
00h A_UINT8 16 krk[WMI_KRK_LEN] |
Unknown (none?) (or maybe same as for ADD_KRK ?) (seems to be NONE on DSi) |
00h A_UINT8 1 cm_en ;WMI_TKIP_CM_CONTROL |
WMI_TKIP_CM_DISABLE = 00h WMI_TKIP_CM_ENABLE = 01h |
00h A_UINT8 1 keyid 01h A_UINT8 1 ismcast |
| DSi Atheros Wifi - WMI Scan Functions |
00h A_BOOL 4 forceFgScan 04h A_BOOL 4 isLegacy For Legacy Cisco AP compatibility 08h A_UINT32 4 homeDwellTime Max duration in the home channel (msec) 0Ch A_UINT32 4 forceScanInterval Time interval between scans (msec) 10h A_UINT8 1 scanType WMI_SCAN_TYPE 11h A_UINT8 1 numChannels how many channels follow 12h A_UINT16 N*2 channelList[1] channels in MHz |
WMI_LONG_SCAN = 0 WMI_SHORT_SCAN = 1 |
WMI_PYXIS_PAS_DSCVR = 0 WMI_PYXIS_ACT_DSCVR = 1 |
00h A_UINT16 2 fg_start_period ;seconds 02h A_UINT16 2 fg_end_period ;seconds 04h A_UINT16 2 bg_period ;seconds 06h A_UINT16 2 maxact_chdwell_time ;msec 08h A_UINT16 2 pas_chdwell_time ;msec 0Ah A_UINT8 1 shortScanRatio ;how many shorts scan for one long 0Bh A_UINT8 1 scanCtrlFlags 0Ch A_UINT16 2 minact_chdwell_time ;msec 0Eh A_UINT16 2 maxact_scan_per_ssid ;max active scans per ssid 10h A_UINT32 4 max_dfsch_act_time ;msec |
CONNECT_SCAN_CTRL_FLAGS = 01h ;set if can scan in the Connect cmd
SCAN_CONNECTED_CTRL_FLAGS = 02h ;set if scan for the SSID it is
; already connected to
ACTIVE_SCAN_CTRL_FLAGS = 04h ;set if enable active scan
ROAM_SCAN_CTRL_FLAGS = 08h ;set if enable roam scan when bmiss
; and lowrssi
REPORT_BSSINFO_CTRL_FLAGS = 10h ;set if follows customer BSSINFO
; reporting rule
ENABLE_AUTO_CTRL_FLAGS = 20h ;if disabled, target doesn't
; scan after a disconnect event
ENABLE_SCAN_ABORT_EVENT = 40h ;Scan complete event with canceled status
; will be generated when a scan is
; prempted before it gets completed
#define CAN_SCAN_IN_CONNECT(flags) (flags & CONNECT_SCAN_CTRL_FLAGS)
#define CAN_SCAN_CONNECTED(flags) (flags & SCAN_CONNECTED_CTRL_FLAGS)
#define ENABLE_ACTIVE_SCAN(flags) (flags & ACTIVE_SCAN_CTRL_FLAGS)
#define ENABLE_ROAM_SCAN(flags) (flags & ROAM_SCAN_CTRL_FLAGS)
#define CONFIG_REPORT_BSSINFO(flags) (flags & REPORT_BSSINFO_CTRL_FLAGS)
#define IS_AUTO_SCAN_ENABLED(flags) (flags & ENABLE_AUTO_CTRL_FLAGS)
#define SCAN_ABORT_EVENT_ENABLED(flags) (flags & ENABLE_SCAN_ABORT_EVENT)
|
00h A_INT32 4 status; ;aka "staus" |
| DSi Atheros Wifi - WMI Bit Rate Functions |
02h 08h <---- total size (on DSi it's 02h, ie. left column) 00h -- A_UINT16 2 fixRateMask ;0..0FFFh ;see WMI_BIT_RATE -- 00h A_UINT32 4 fixRateMask(0) ;0..0FFFFFFFh ;see WMI_BIT_RATE -- 04h A_UINT32 4 fixRateMask(1) ;0..0FFFFFFFh ;see WMI_BIT_RATE #define FIX_RATE_1Mb ((A_UINT32)0x1) #define FIX_RATE_2Mb ((A_UINT32)0x2) #define FIX_RATE_5_5Mb ((A_UINT32)0x4) #define FIX_RATE_11Mb ((A_UINT32)0x8) #define FIX_RATE_6Mb ((A_UINT32)0x10) #define FIX_RATE_9Mb ((A_UINT32)0x20) #define FIX_RATE_12Mb ((A_UINT32)0x40) #define FIX_RATE_18Mb ((A_UINT32)0x80) #define FIX_RATE_24Mb ((A_UINT32)0x100) #define FIX_RATE_36Mb ((A_UINT32)0x200) #define FIX_RATE_48Mb ((A_UINT32)0x400) #define FIX_RATE_54Mb ((A_UINT32)0x800) |
#define FIX_RATE_MCS_0_20 ((A_UINT32)0x1000) #define FIX_RATE_MCS_1_20 ((A_UINT32)0x2000) #define FIX_RATE_MCS_2_20 ((A_UINT32)0x4000) #define FIX_RATE_MCS_3_20 ((A_UINT32)0x8000) #define FIX_RATE_MCS_4_20 ((A_UINT32)0x10000) #define FIX_RATE_MCS_5_20 ((A_UINT32)0x20000) #define FIX_RATE_MCS_6_20 ((A_UINT32)0x40000) #define FIX_RATE_MCS_7_20 ((A_UINT32)0x80000) #define FIX_RATE_MCS_0_40 ((A_UINT32)0x100000) #define FIX_RATE_MCS_1_40 ((A_UINT32)0x200000) #define FIX_RATE_MCS_2_40 ((A_UINT32)0x400000) #define FIX_RATE_MCS_3_40 ((A_UINT32)0x800000) #define FIX_RATE_MCS_4_40 ((A_UINT32)0x1000000) #define FIX_RATE_MCS_5_40 ((A_UINT32)0x2000000) #define FIX_RATE_MCS_6_40 ((A_UINT32)0x4000000) #define FIX_RATE_MCS_7_40 ((A_UINT32)0x8000000) |
Unknown (none?) |
02h 08h <---- total size (on DSi it's 02h, ie. left column) 00h -- A_UINT16 2 fixRateMask ;0..0FFFh ;see WMI_BIT_RATE -- 00h A_UINT32 4 fixRateMask(0) ;0..0FFFFFFFh ;see WMI_BIT_RATE -- 04h A_UINT32 4 fixRateMask(1) ;0..0FFFFFFFh ;see WMI_BIT_RATE |
04h 0Ch <---- total size (on DSi it's 04h, ie. left column) 00h 00h A_UINT8 1 bEnableMask ;? 01h 01h A_UINT8 1 frameType ;? ;type and subtype 02h -- A_UINT16 2 frameRateMask ;0..0FFFh ;see WMI_BIT_RATE -- 02h A_UINT8 2 reserved[2] ;for alignment -- 04h A_UINT32 4 frameRateMask(0) ;0..0FFFFFFFh ;see WMI_BIT_RATE -- 08h A_UINT32 4 frameRateMask(1) ;0..0FFFFFFFh ;see WMI_BIT_RATE |
Unknown (if any) (it's NONE, no reply in DSi Browser) |
00h A_INT8 1 rateIndex (FFh=Auto) ;see WMI_BIT_RATE 01h A_INT8 1 mgmtRateIndex (00h=1Mbit/s) 02h A_INT8 1 ctlRateIndex (00h=1Mbit/s) |
RATE_AUTO = -1 RATE_1Mb = 0 RATE_2Mb = 1 RATE_5_5Mb = 2 RATE_11Mb = 3 RATE_6Mb = 4 RATE_9Mb = 5 RATE_12Mb = 6 RATE_18Mb = 7 RATE_24Mb = 8 RATE_36Mb = 9 RATE_48Mb = 10 RATE_54Mb = 11 |
RATE_MCS_0_20 = 12 RATE_MCS_1_20 = 13 RATE_MCS_2_20 = 14 RATE_MCS_3_20 = 15 RATE_MCS_4_20 = 16 RATE_MCS_5_20 = 17 RATE_MCS_6_20 = 18 RATE_MCS_7_20 = 19 RATE_MCS_0_40 = 20 RATE_MCS_1_40 = 21 RATE_MCS_2_40 = 22 RATE_MCS_3_40 = 23 RATE_MCS_4_40 = 24 RATE_MCS_5_40 = 25 RATE_MCS_6_40 = 26 RATE_MCS_7_40 = 27 |
Unknown (none?) |
00h A_INT8 1 rateIndex ;see WMI_BIT_RATE |
| DSi Atheros Wifi - WMI Threshold Functions |
00h A_UINT32 4 pollTime ;Polling time as a factor of LI
04h A_INT16 2 thresholdAbove1_Val ;lowest of upper
06h A_INT16 2 thresholdAbove2_Val
08h A_INT16 2 thresholdAbove3_Val
0Ah A_INT16 2 thresholdAbove4_Val
0Ch A_INT16 2 thresholdAbove5_Val
0Eh A_INT16 2 thresholdAbove6_Val ;highest of upper
10h A_INT16 2 thresholdBelow1_Val ;lowest of bellow
12h A_INT16 2 thresholdBelow2_Val
14h A_INT16 2 thresholdBelow3_Val
16h A_INT16 2 thresholdBelow4_Val
18h A_INT16 2 thresholdBelow5_Val
1Ah A_INT16 2 thresholdBelow6_Val ;highest of bellow
1Ch A_UINT8 1 weight ;"alpha"
1Dh A_UINT8 3 reserved[3]
Setting the polltime to 0 would disable polling.
Threshold values are in the ascending order, and should agree to:
(lowThreshold_lowerVal < lowThreshold_upperVal < highThreshold_lowerVal
< highThreshold_upperVal)
|
00h A_UINT32 4 pollTime ;Polling time as a factor of LI 04h A_UINT8 1 weight ;"alpha" 05h A_UINT8 1 thresholdAbove1_Val ;lowest of uppper ;uh, ppper? 06h A_UINT8 1 thresholdAbove2_Val 07h A_UINT8 1 thresholdAbove3_Val 08h A_UINT8 1 thresholdAbove4_Val ;highest of upper 09h A_UINT8 1 thresholdBelow1_Val ;lowest of bellow ;uh bell? 0Ah A_UINT8 1 thresholdBelow2_Val 0Bh A_UINT8 1 thresholdBelow3_Val 0Ch A_UINT8 1 thresholdBelow4_Val ;highest of bellow ;uh bell? 0Dh A_UINT8 3 reserved[3] |
00h A_UINT8 1 enable ;<-- enable (unlike SNR command) 01h A_UINT8 1 thresholdAbove1_Val ;\these parameters seem to be same as 02h A_UINT8 1 thresholdAbove2_Val ; for WMI_SNR_THRESHOLD_PARAMS_CMD 03h A_UINT8 1 thresholdAbove3_Val ; 04h A_UINT8 1 thresholdAbove4_Val ; 05h A_UINT8 1 thresholdBelow1_Val ; 06h A_UINT8 1 thresholdBelow2_Val ; 07h A_UINT8 1 thresholdBelow3_Val ; 08h A_UINT8 1 thresholdBelow4_Val ; 09h A_UINT8 3 reserved[3] ;/ |
Unknown (none?) |
00h A_INT16 2 rssi; 02h A_UINT8 1 range; |
WMI_RSSI_THRESHOLD1_ABOVE = 0 WMI_RSSI_THRESHOLD2_ABOVE = 1 WMI_RSSI_THRESHOLD3_ABOVE = 2 WMI_RSSI_THRESHOLD4_ABOVE = 3 WMI_RSSI_THRESHOLD5_ABOVE = 4 WMI_RSSI_THRESHOLD6_ABOVE = 5 WMI_RSSI_THRESHOLD1_BELOW = 6 WMI_RSSI_THRESHOLD2_BELOW = 7 WMI_RSSI_THRESHOLD3_BELOW = 8 WMI_RSSI_THRESHOLD4_BELOW = 9 WMI_RSSI_THRESHOLD5_BELOW = 10 WMI_RSSI_THRESHOLD6_BELOW = 11 |
00h A_UINT8 1 range ;WMI_SNR_THRESHOLD_VAL 01h A_UINT8 1 snr |
WMI_SNR_THRESHOLD1_ABOVE = 1 WMI_SNR_THRESHOLD1_BELOW = 2 WMI_SNR_THRESHOLD2_ABOVE = 3 WMI_SNR_THRESHOLD2_BELOW = 4 WMI_SNR_THRESHOLD3_ABOVE = 5 WMI_SNR_THRESHOLD3_BELOW = 6 WMI_SNR_THRESHOLD4_ABOVE = 7 WMI_SNR_THRESHOLD4_BELOW = 8 |
00h A_INT32 4 lq 04h A_UINT8 1 range ;WMI_LQ_THRESHOLD_VAL |
WMI_LQ_THRESHOLD1_ABOVE = 1 WMI_LQ_THRESHOLD1_BELOW = 2 WMI_LQ_THRESHOLD2_ABOVE = 3 WMI_LQ_THRESHOLD2_BELOW = 4 WMI_LQ_THRESHOLD3_ABOVE = 5 WMI_LQ_THRESHOLD3_BELOW = 6 WMI_LQ_THRESHOLD4_ABOVE = 7 WMI_LQ_THRESHOLD4_BELOW = 8 |
| DSi Atheros Wifi - WMI Error, Retry and Debug Functions |
00h A_UINT8 1 frameType ;WMI_FRAMETYPE 01h A_UINT8 1 trafficClass ;applies only to DATA_FRAMETYPE 02h A_UINT8 1 maxRetries 03h A_UINT8 1 enableNotify |
WMI_MIN_RETRIES = 2 WMI_MAX_RETRIES = 13 |
MGMT_FRAMETYPE = 0 CONTROL_FRAMETYPE = 1 DATA_FRAMETYPE = 2 |
00h A_UINT32 4 bitmask ;... probably "WMI_TARGET_ERROR_VAL" ? |
00h A_UINT16 2 commandId ;on DSi, this can be: 0001h,0011h,0016h,0026h 02h A_UINT8 1 errorCode ;on DSi, this can be: 01h,02h |
INVALID_PARAM = 01h ILLEGAL_STATE = 02h INTERNAL_ERROR = 03h DFS_CHANNEL = 04h |
00h A_UINT32 4 errorVal |
WMI_TARGET_PM_ERR_FAIL = 00000001h WMI_TARGET_KEY_NOT_FOUND = 00000002h WMI_TARGET_DECRYPTION_ERR = 00000004h WMI_TARGET_BMISS = 00000008h WMI_PSDISABLE_NODE_JOIN = 00000010h WMI_TARGET_COM_ERR = 00000020h WMI_TARGET_FATAL_ERR = 00000040h WMI_TARGET_BCN_FOUND = 00000080h |
00h A_UINT8 1 retrys |
00h A_UINT32 4 cfgvalid ;mask with valid config bits (uh, what?) When some case: 04h A_UINT32 4 dbglog_config ;see "dbglog_config" description below When some other case: 04h A_UINT32 4 value ;uh, what "value" (maybe alias for above?) |
Bit0-15 DBGLOG_MODULE_LOG_ENABLE ;logging enable flags for module 0-15 Bit16 DBGLOG_REPORTING_ENABLED ;reporting enable flag Bit17-19 DBGLOG_TIMESTAMP_RESOLUTION ;timestamp resolution (default=1 ms) Bit20-29 DBGLOG_REPORT_SIZE ;report size in number of messages Bit30-31 Reserved ;reserved |
Bit0-15 DBGLOG_TIMESTAMP ;contains bit8-23 of the LF0 timer (0..FFFFh) Bit16-25 DBGLOG_DBGID ;minor ID (defined in "dbglog_id.h") Bit26-29 DBGLOG_MODULEID ;major ID (defined in "dbglog.h") Bit30-31 DBGLOG_NUM_ARGS ;whatever "num args" |
Unknown (?) (probably related/enabled by WMIX_DBGLOG_CFG_MODULE_CMD) |
| DSi Atheros Wifi - WMI Priority Stream Functions |
old 3Fh 40h <---- total size (on DSi it's 3Fh, ie. middle column) 0Bh 00h 00h A_UINT32 4 minServiceInt ;in msec (14h=20) 0Fh 04h 04h A_UINT32 4 maxServiceInt ;in msec (14h=20) 13h 08h 08h A_UINT32 4 inactivityInt ;in msec (98967Fh=9999999) 17h 0Ch 0Ch A_UINT32 4 suspensionInt ;in msec (-1) 1Bh 10h 10h A_UINT32 4 serviceStartTime (0) 1Fh 14h 14h A_UINT32 4 minDataRate ;in bps (14500h=83200) 23h 18h 18h A_UINT32 4 meanDataRate ;in bps (14500h=83200) 27h 1Ch 1Ch A_UINT32 4 peakDataRate ;in bps (14500h=83200) 2Bh 20h 20h A_UINT32 4 maxBurstSize (0) 2Fh 24h 24h A_UINT32 4 delayBound (0) 33h 28h 28h A_UINT32 4 minPhyRate ;in bps (5B8D80h=6000000) 37h 2Ch 2Ch A_UINT32 4 sba (2000h=8192) 3Bh 30h 30h A_UINT32 4 mediumTime (0) 07h 34h 34h A_UINT16 2 nominalMSDU ;in octeCts (80D0h=?) 09h 36h 36h A_UINT16 2 maxMSDU ;in octeCts (00D0h=?) 00h 38h 38h A_UINT8 1 trafficClass (00h) 01h 39h 39h A_UINT8 1 trafficDirection ;DIR_TYPE (02h=Bidir) 02h 3Ah 3Ah A_UINT8 1 rxQueueNum (FFh) 03h 3Bh 3Bh A_UINT8 1 trafficType ;TRAFFIC_TYPE (01h=Periodic) 04h 3Ch 3Ch A_UINT8 1 voicePSCapability ;VOICEPS_CAP_TYPE (00h) 05h 3Dh 3Dh A_UINT8 1 tsid (05h) 06h 3Eh 3Eh A_UINT8 1 userPriority ;802.1D user priority (00h) - - 3Fh A_UINT8 1 nominalPHY ;nominal phy rate |
UPLINK_TRAFFIC = 0 DNLINK_TRAFFIC = 1 BIDIR_TRAFFIC = 2 |
TRAFFIC_TYPE_APERIODIC = 0 TRAFFIC_TYPE_PERIODIC = 1 |
DISABLE_FOR_THIS_AC = 0 ENABLE_FOR_THIS_AC = 1 ENABLE_FOR_ALL_AC = 2 |
00h A_UINT8 1 txQueueNumber 01h A_UINT8 1 rxQueueNumber 02h A_UINT8 1 trafficDirection 03h A_UINT8 1 trafficClass 04h A_UINT8 1 tsid |
00h A_UINT8 1 txQueueNumber 01h A_UINT8 1 rxQueueNumber 02h A_UINT8 1 trafficDirection 03h A_UINT8 1 trafficClass |
| DSi Atheros Wifi - WMI Roam Functions |
PREPACK union {
.. A_UINT8 bssid[ATH_MAC_LEN] ;WMI_FORCE_ROAM
.. A_UINT8 roamMode ;WMI_SET_ROAM_MODE
.. WMI_BSS_BIAS_INFO bssBiasInfo ;WMI_SET_HOST_BIAS
.. WMI_LOWRSSI_SCAN_PARAMS lrScanParams
} POSTPACK info
.. A_UINT8 roamCtrlType
|
WMI_FORCE_ROAM = 1 ;Roam to the specified BSSID
WMI_SET_ROAM_MODE = 2 ;default ,progd bias, no roam
WMI_SET_HOST_BIAS = 3 ;Set the Host Bias
WMI_SET_LOWRSSI_SCAN_PARAMS = 4 ;Set lowrssi Scan parameters
|
WMI_DEFAULT_ROAM_MODE = 1 ;RSSI based ROAM
WMI_HOST_BIAS_ROAM_MODE = 2 ;HOST BIAS based ROAM
WMI_LOCK_BSS_MODE = 3 ;Lock to the Current BSS - no Roam
|
WMI_BSS_BIAS typedef PREPACK struct:
6 A_UINT8 bssid[ATH_MAC_LEN]
1 A_INT8 bias
WMI_BSS_BIAS_INFO typedef PREPACK struct:
00h 1 A_UINT8 numBss
01h 7*N WMI_BSS_BIAS bssBias[1]
WMI_LOWRSSI_SCAN_PARAMS typedef PREPACK struct WMI_LOWRSSI_SCAN_PARAMS:
00h 2 A_UINT16 lowrssi_scan_period
02h 2 A_INT16 lowrssi_scan_threshold
04h 2 A_INT16 lowrssi_roam_threshold
06h 1 A_UINT8 roam_rssi_floor
07h 1 A_UINT8 reserved[1] ;for alignment
|
Unknown (none?) |
00h A_UINT16 2 roamMode 02h A_UINT16 2 numEntries 04h WMI_BSS_ROAM_INFO N*10h bssRoamInfo[1] |
A_INT32 4 roam_util
A_UINT8 6 bssid[ATH_MAC_LEN]
A_INT8 1 rssi
A_INT8 1 rssidt
A_INT8 1 last_rssi
A_INT8 1 util
A_INT8 1 bias
A_UINT8 1 reserved ;for alignment
|
| DSi Atheros Wifi - WMI Power Functions |
00h A_UINT8 1 powerMode ;WMI_POWER_MODE |
REC_POWER = 01h MAX_PERF_POWER = 02h |
00h A_UINT8 1 power_saving 01h A_UINT8 1 ttl ;number of beacon periods 02h A_UINT16 2 atim_windows ;msec 04h A_UINT16 2 timeout_value ;msec |
ADHOC_PS_DISABLE = 1 ADHOC_PS_ATH = 2 ADHOC_PS_IEEE = 3 ADHOC_PS_OTHER = 4 |
06h 0Ch <---- total size (on DSi it's 06h, ie. left column) 00h 00h A_UINT16 2 idle_period ;msec 02h 02h A_UINT16 2 pspoll_number 04h 04h A_UINT16 2 dtim_policy -- 06h A_UINT16 2 tx_wakeup_policy -- 08h A_UINT16 2 num_tx_to_wakeup -- 0Ah A_UINT16 2 ps_fail_event_policy |
IGNORE_DTIM = 01h NORMAL_DTIM = 02h STICK_DTIM = 03h AUTO_DTIM = 04h |
TX_WAKEUP_UPON_SLEEP = 1 TX_DONT_WAKEUP_UPON_SLEEP = 2 |
SEND_POWER_SAVE_FAIL_EVENT_ALWAYS = 1 IGNORE_POWER_SAVE_FAIL_EVENT_DURING_SCAN = 2 |
00h A_UINT16 2 psPollTimeout (msec)
02h A_UINT16 2 triggerTimeout (msec)
04h A_UINT32 4 apsdTimPolicy (TIM behavior with ques (=?) APSD enabled.
Default is IGNORE_TIM_ALL_QUEUES_APSD)
08h A_UINT32 4 simulatedAPSDTimPolicy (TIM behavior with simulated APSD
enabled. Default is PROCESS_TIM_SIMULATED_APSD)
|
IGNORE_TIM_ALL_QUEUES_APSD = 0 PROCESS_TIM_ALL_QUEUES_APSD = 1 IGNORE_TIM_SIMULATED_APSD = 2 PROCESS_TIM_SIMULATED_APSD = 3 |
00h A_UINT8 1 dbM ;in dbM units |
None |
00h A_UINT8 1 dbM ;in dbM units |
04h 0Ah <---- total size (on DSi it's 04h, ie. left column) 00h - WHATEVER 4 whatever (01h,A4h,F7h,FFh) (type/timings?) - 00h A_UINT32 4 idle_time ;in msec - 04h A_UINT32 4 ps_period ;in usec - 08h A_UINT8 1 sleep_period ;in ps periods (=above "ps_period"?) - 09h A_UINT8 1 psType ;AP power save type |
AP_PS_DISABLE = 1 AP_PS_ATH = 2 |
| DSi Atheros Wifi - WMI Statistics Function |
Unknown (none?) |
A9h D5h EDh <---- total size (on DSi it's D5h, ie. middle column) -- 00h 00h A_UINT32 4 lqVal ;- <-- newer version only -- 04h 04h A_INT32 4 noise_floor_calibation ;- <-- newer version only -- 08h 08h A_UINT32 4 power_save_failure_cnt ;\pm_stats_t (new) -- -- 0Ch A_UINT16 2 stop_tx_failure_cnt ; <-- NEWEST version only -- -- 0Eh A_UINT16 2 atim_tx_failure_cnt ; <-- NEWEST version only -- -- 10h A_UINT16 2 atim_rx_failure_cnt ; <-- NEWEST version only -- -- 12h A_UINT16 2 bcn_rx_failure_cnt ;/ <-- NEWEST version only 00h 0Ch 14h A_UINT32 4 tx_packets ;\ 04h 10h 18h A_UINT32 4 tx_bytes ; 08h 14h 1Ch A_UINT32 4 tx_unicast_pkts ; 0Ch 18h 20h A_UINT32 4 tx_unicast_bytes ; tx_stats_t 10h 1Ch 24h A_UINT32 4 tx_multicast_pkts ; 14h 20h 28h A_UINT32 4 tx_multicast_bytes ; 18h 24h 2Ch A_UINT32 4 tx_broadcast_pkts ; 1Ch 28h 30h A_UINT32 4 tx_broadcast_bytes ; 20h 2Ch 34h A_UINT32 4 tx_rts_success_cnt ; 24h 30h 38h A_UINT32 16 tx_packet_per_ac[4] ; -- 40h 48h A_UINT32 16 tx_errors_per_ac[4] ; <-- newer version only 34h 50h 58h A_UINT32 4 tx_errors ; 38h 54h 5Ch A_UINT32 4 tx_failed_cnt ; 3Ch 58h 60h A_UINT32 4 tx_retry_cnt ; -- -- 64h A_UINT32 4 tx_mult_retry_cnt ; <-- NEWEST version only 40h 5Ch 68h A_UINT32 4 tx_rts_fail_cnt ; -- 60h 6Ch A_INT32 4 tx_unicast_rate ;/ <-- newer version only 44h 64h 70h A_UINT32 4 rx_packets ;\ 48h 68h 74h A_UINT32 4 rx_bytes ; 4Ch 6Ch 78h A_UINT32 4 rx_unicast_pkts ; 50h 70h 7Ch A_UINT32 4 rx_unicast_bytes ; 54h 74h 80h A_UINT32 4 rx_multicast_pkts ; rx_stats_t 58h 78h 84h A_UINT32 4 rx_multicast_bytes ; 5Ch 7Ch 88h A_UINT32 4 rx_broadcast_pkts ; 60h 80h 8Ch A_UINT32 4 rx_broadcast_bytes ; 64h 84h 90h A_UINT32 4 rx_fragment_pkt ; 68h 88h 94h A_UINT32 4 rx_errors ; 6Ch 8Ch 98h A_UINT32 4 rx_crcerr ; 70h 90h 9Ch A_UINT32 4 rx_key_cache_miss ; 74h 94h A0h A_UINT32 4 rx_decrypt_err ; 78h 98h A4h A_UINT32 4 rx_duplicate_frames ; -- 9Ch A8h A_INT32 4 rx_unicast_rate ;/ <-- newer version only 7Ch A0h ACh A_UINT32 4 tkip_local_mic_failure ;\ 80h A4h B0h A_UINT32 4 tkip_counter_measures_invoked ; 84h A8h B4h A_UINT32 4 tkip_replays ; tkip_ccmp_stats_t 88h ACh B8h A_UINT32 4 tkip_format_errors ; 8Ch B0h BCh A_UINT32 4 ccmp_format_errors ; 90h B4h C0h A_UINT32 4 ccmp_replays ;/ -- B8h C4h A_UINT32 4 wow_num_pkts_dropped ;\ -- BCh C8h A_UINT16 2 wow_num_events_discarded ; wlan_wow_stats_t -- BEh CAh A_UINT8 1 wow_num_host_pkt_wakeups ; -- BFh CBh A_UINT8 1 wow_num_host_event_wakeups ;/ -- -- CCh A_UINT32 4 arp_received ;\ -- -- D0h A_UINT32 4 arp_matched ; arp_stats_t -- -- D4h A_UINT32 4 arp_replied ;/ 94h C0h D8h A_UINT32 4 cs_bmiss_cnt ;\ 98h C4h DCh A_UINT32 4 cs_lowRssi_cnt ; 9Ch C8h E0h A_UINT16 2 cs_connect_cnt ; cserv_stats_t 9Eh CAh E2h A_UINT16 2 cs_disconnect_cnt ; A0h CCh E4h A_INT16 2 cs_aveBeacon_rssi ; -- CEh E6h A_UINT16 2 cs_roam_count ; <-- newer version only -- D0h E8h A_INT16 2 cs_rssi ; <-- newer version only -- D2h EAh A_UINT8 1 cs_snr ; <-- newer version only -- D3h EBh A_UINT8 1 cs_aveBeacon_snr ; <-- newer version only A2h D4h ECh A_UINT8 1 cs_lastRoam_msec ;/ A3h -- -- A_UINT32 4 power_save_failure_cnt ;-pm_stats_t (old) A7h -- -- A_INT16 2 noise_floor_calibation ;-old version only |
| DSi Atheros Wifi - WMI Bluetooth Coexistence (older AR6002) |
Older AR6002 from 2008 ;-original Bluetooth COEX version Newer AR6002 from 2008 ;\same commands as above, but with entirely different Newer AR6002 from 2010 ;/parameters (and minor changes for 2008 vs 2010) AR6003 from 2010 ;-completely different commands for Bluetooth COEX |
00h A_UINT8 1 streamType ;aka BT_STREAM_TYPE ? 01h A_UINT8 1 status ;aka BT_STREAM_STATUS ? |
BT_STREAM_UNDEF = 0 ;\ BT_STREAM_SCO = 1 ;SCO stream ; only this three types in Older AR6002 BT_STREAM_A2DP = 2 ;A2DP stream ;/ |
BT_STATUS_UNDEF = 0 ;\ BT_STATUS_START = 1 ; this five states in Older AR6002 BT_STATUS_STOP = 2 ; (Newer A6002 has added/removed/renamed states) BT_STATUS_RESUME = 3 ; BT_STATUS_SUSPEND = 4 ;/ |
when paramType=1=BT_PARAM_SCO: ;SCO stream parameters (BT_PARAMS_SCO) 00h A_UINT8 1 noSCOPkts 01h A_UINT8 1 pspollTimeout 02h A_UINT8 1 stompbt 03h PAD 12h undefined/padding when paramType=2=BT_PARAM_A2DP: ;whatever (BT_PARAMS_A2DP) 00h A_UINT32 4 period 04h A_UINT32 4 dutycycle 08h A_UINT8 1 stompbt 09h PAD 0Ch undefined/padding when paramType=3=BT_PARAM_MISC and paramSubType=1=WLAN_PROTECT_POLICY: 00h A_UINT32 4 period 04h A_UINT32 4 dutycycle 08h A_UINT8 1 stompbt 09h A_UINT8 1 policy 0Ah A_UINT8 1 paramSubType (=1 in this case) 0Bh PAD 0Ah undefined/padding when paramType=3=BT_PARAM_MISC and paramSubType=2=WLAN_COEX_CTRL_FLAGS: 00h A_UINT16 2 wlanCtrlFlags 02h PAD 8 undefined/padding 0Ah A_UINT8 1 paramSubType (=2 in this case) 0Bh PAD 0Ah undefined/padding when paramType=4=BT_PARAM_REGS: ;co-existence register params (BT_COEX_REGS) 00h A_UINT32 4 mode 04h A_UINT32 4 scoWghts 08h A_UINT32 4 a2dpWghts 0Ch A_UINT32 4 genWghts 10h A_UINT32 4 mode2 14h A_UINT8 1 setVal and, in all cases: 15h A_UINT8 1 paramType ;<-- selects which of the above to use |
WLAN_PROTECT_PER_STREAM = 01h /* default WLAN_PROTECT_ANY_TX = 02h |
WLAN_DISABLE_COEX_IN_DISCONNECT = 0001h ;default WLAN_KEEP_COEX_IN_DISCONNECT = 0002h WLAN_STOMPBT_IN_DISCONNECT = 0004h WLAN_DISABLE_COEX_IN_ROAM = 0010h ;default WLAN_KEEP_COEX_IN_ROAM = 0020h WLAN_STOMPBT_IN_ROAM = 0040h WLAN_DISABLE_COEX_IN_SCAN = 0100h ;default WLAN_KEEP_COEX_IN_SCAN = 0200h WLAN_STOMPBT_IN_SCAN = 0400h WLAN_DISABLE_COEX_BT_OFF = 1000h ;default WLAN_KEEP_COEX_BT_OFF = 2000h WLAN_STOMPBT_BT_OFF = 4000h |
| DSi Atheros Wifi - WMI Wake on Wireless (WOW) Functions |
00h A_BOOL 4 awake; 04h A_BOOL 4 asleep; |
04h ??h <---- total size (on DSi it's 04h, ie. left column) 00h 00h A_BOOL 4 enable_wow -- 04h WMI_WOW_FILTER .. filter ;UINTx or so? with "WMI_WOW_FILTER" value? -- .. A_UINT16 2 hostReqDelay |
WOW_FILTER_SSID = 01h |
00h A_UINT8 1 filter_list_id; |
00h A_UINT8 1 num_filters /* number of patterns in reply 01h A_UINT8 1 this_filter_num /* filter # x of total num_filters 02h A_UINT8 1 wow_mode 03h A_UINT8 1 host_mode 04h WOW_FILTER N*84h wow_filters[1] |
A_UINT8 1 wow_valid_filter;
A_UINT8 1 wow_filter_id;
A_UINT8 1 wow_filter_size;
A_UINT8 1 wow_filter_offset;
A_UINT8 40h wow_filter_mask[WOW_MASK_SIZE];
A_UINT8 40h wow_filter_pattern[WOW_PATTERN_SIZE];
|
A_UINT8 1 wow_valid_list;
A_UINT8 1 wow_list_id;
A_UINT8 1 wow_num_filters;
A_UINT8 1 wow_total_list_size;
WOW_FILTER 4*84h list[WOW_MAX_FILTERS_PER_LIST];
#define WOW_MAX_FILTER_LISTS = 1 /* 4 */
#define WOW_MAX_FILTERS_PER_LIST = 4
#define WOW_PATTERN_SIZE = 64
#define WOW_MASK_SIZE = 64
|
00h A_UINT8 1 filter_list_id; 01h A_UINT8 1 filter_size; 02h A_UINT8 1 filter_offset; 03h A_UINT8 .. filter[1]; |
00h A_UINT16 2 filter_list_id; 02h A_UINT16 2 filter_id; |
| DSi Atheros Wifi - WMI General Purpose I/O (GPIO) Functions |
00h A_UINT32 4 set_mask; /* pins to set 04h A_UINT32 4 clear_mask; /* pins to clear 08h A_UINT32 4 enable_mask; /* pins to enable for output 0Ch A_UINT32 4 disable_mask; /* pins to disable/tristate |
Unknown (none?) |
00h A_UINT32 4 gpioreg_id; /* GPIO register ID 04h A_UINT32 4 value; /* value to write |
00h A_UINT32 4 gpioreg_id; /* GPIO register to read |
A_UINT32 ack_mask; /* interrupts to acknowledge
|
00h A_UINT32 4 intr_mask; /* pending GPIO interrupts 04h A_UINT32 4 input_values; /* recent GPIO input values |
00h A_UINT32 4 value; 04h A_UINT32 4 reg_id; |
Unknown (none?) (confirms GPIO_xxx_SET commands) |
AR6001_GPIO_PIN_COUNT = 18 AR6002_GPIO_PIN_COUNT = 18 ;aka hw2.0 AR6003_GPIO_PIN_COUNT = 28 ;aka hw4.0 ;XXX shouldn't that be 26 ? MCKINLEY_GPIO_PIN_COUNT = 57 ;aka hw6.0 |
GPIO_ID_OUT = 00000000h GPIO_ID_OUT_W1TS = 00000001h GPIO_ID_OUT_W1TC = 00000002h GPIO_ID_ENABLE = 00000003h GPIO_ID_ENABLE_W1TS = 00000004h GPIO_ID_ENABLE_W1TC = 00000005h GPIO_ID_IN = 00000006h GPIO_ID_STATUS = 00000007h GPIO_ID_STATUS_W1TS = 00000008h GPIO_ID_STATUS_W1TC = 00000009h GPIO_ID_PIN0 = 0000000Ah GPIO_ID_PIN(n) = (GPIO_ID_PIN0+(n)) ;=0000000Ah and up GPIO_ID_NONE = FFFFFFFFh GPIO_ID_OFFSET_FLAG = 80000000h GPIO_ID_REG_MASK = 7fffffffh GPIO_ID_IS_OFFSET(reg_id) = (((reg_id) & GPIO_ID_OFFSET_FLAG) != 0) |
| DSi Atheros Wifi - Unimplemented WMI Misc Functions |
Unknown (none?) |
;-not implemented in DSi ;related to 002Bh? |
PREPACK union {
00h WMI_TARGET_ROAM_TIME roamTime;
} POSTPACK u;
14h A_UINT8 roamDataType ;
|
ROAM_DATA_TIME = 1 /* Get The Roam Time Data |
00h A_UINT32 4 disassoc_time 04h A_UINT32 4 no_txrx_time 08h A_UINT32 4 assoc_time 0Ch A_UINT32 4 allow_txrx_time 10h A_UINT8 6 disassoc_bssid[ATH_MAC_LEN] 16h A_INT8 1 disassoc_bss_rssi 17h A_UINT8 6 assoc_bssid[ATH_MAC_LEN] ;UNALIGNED!!! 1Dh A_INT8 1 assoc_bss_rssi |
00h A_BOOL 4 enable_radio_measurements; |
00h A_UINT8 1 max_offhome_duration; |
00h A_UINT32 4 period; /* Time (in 30.5us ticks) between samples 04h A_UINT32 4 nbins; |
00h A_UINT32 4 addr; |
00h A_UINT32 4 addr; 04h A_UINT32 4 count; |
Unknown (maybe related to file "testcmd.h"?) |
Unknown (maybe related to file "testcmd.h"?) (or general purpose?) |
Unknown (none?) |
EVENTID is unknown (maybe 0040h, ie. same as GET_APPIE_CMD) Reply structure is unknown (maybe same parameter structure for SET_APPIE_CMD) |
00h u8 1 ie_id; 01h u8 1 ie_field; /* enum wmi_ie_field_type 02h u8 1 ie_len; 03h u8 1 reserved; 04h u8 .. ie_info[0]; |
WMI_RSN_IE_CAPB = 01h WMI_IE_FULL = FFh /* indicats full IE ;uh, kittykats? |
not implemented in DSi |
00h A_UINT8 6 macaddr[ATH_MAC_LEN]; |
Unknown (none?) |
00h A_UINT32 1 evtConfig; |
DISCONN_EVT_IN_RECONN = 0 /* default NO_DISCONN_EVT_IN_RECONN = 1 |
00h A_UINT32 4*2 ips[MAX_IP_ADDRS] ;IP in Network Byte Order |
00h A_UINT32 4 opcode; 04h A_UINT32 4 length; 08h A_CHAR ... buffer[1]; /* WMI_SET_PARAMS |
00h A_INT8 1 status; /* WMI_SET_PARAMS_REPLY |
00h A_UINT8 6 multicast_mac[ATH_MAC_LEN]; /* WMI_SET_MCAST_FILTER |
Unknown (None?) (or maybe same as for WMI_SET_MCAST_FILTER_CMD ?) |
00h A_UINT8 1 enable; /* WMI_MCAST_FILTER |
00h A_UINT16 2 tx_allow_aggr (16bit mask to allow tx/uplink ADDBA
negotiation - bit position indicates tid)
02h A_UINT16 2 rx_allow_aggr (16bit mask to allow rx/donwlink ADDBA
negotiation - bit position indicates tid)
|
00h A_UINT8 1 tid |
00h A_UINT8 1 tid 01h A_UINT8 1 is_sender_initiator |
00h A_UINT8 1 tid 01h A_UINT8 1 win_sz 02h A_UINT16 2 st_seq_no 04h A_UINT8 1 status "f/w response for ADDBA Req; OK(0) or failure(!=0)" |
00h A_UINT8 1 tid 01h A_UINT8 1 status /* OK(0), failure (!=0) 02h A_UINT16 2 amsdu_sz /* Three values: Not supported(0), 3839, 8k |
00h A_UINT8 1 tid; 01h A_UINT8 1 is_peer_initiator; 02h A_UINT16 2 reason_code; |
00h A_UINT8 1 band (specifies which band to apply these values) 01h A_UINT8 1 enable (allows 11n to be disabled on a per band basis) 02h A_UINT8 1 chan_width_40M_supported 03h A_UINT8 1 short_GI_20MHz 04h A_UINT8 1 short_GI_40MHz 05h A_UINT8 1 intolerance_40MHz 06h A_UINT8 1 max_ampdu_len_exp |
00h A_UINT8 1 sta_chan_width; |
00h A_UINT32 4*8*2 rateMasks[WMI_MODE_MAX * WMI_MAX_RATE_MASK]; |
00h A_UINT32 4*2 sgiMask[WMI_MAX_RATE_MASK]; 08h A_UINT8 1 sgiPERThreshold; |
00h A_UINT32 4*2 rateField[WMI_MAX_RATE_MASK]
(rateField: "1 bit per rate corresponding to index")
08h A_UINT8 1 id ;range 1..5 (aka 1..WMI_RATE_POLICY_ID_MAX)
09h A_UINT8 1 shortTrys
0Ah A_UINT8 1 longTrys
0Bh A_UINT8 1 reserved ;padding
|
00h A_UINT16 2 cmd_buf_sz; /* HCI cmd buffer size 02h A_UINT8 .. buf[1]; /* Absolute HCI cmd (see file "hci.h") |
00h A_UINT16 2 evt_buf_sz; /* HCI event buffer size 02h A_UINT8 .. buf[1]; /* HCI event (see file "hci.h") |
00h A_UINT8 1 metaVersion ;version of meta data for rx packets
;(0-7=valid, 0=default)
01h A_UINT8 1 dot11Hdr ;1=leave .11 header intact,
;0=default/replace .11 header with .3
02h A_UINT8 1 defragOnHost ;1=defragmentation is performed by host,
;0=performed by target <default>
03h A_UINT8 1 reserved[1] ;alignment
|
00h A_UINT8 1 enable ;0=default/normal mode, 1=operate in thin mode 01h A_UINT8 3 reserved[3] |
00h A_UINT8 1 precedence; |
BT_WLAN_CONN_PRECDENCE_WLAN = 0 ;default BT_WLAN_CONN_PRECDENCE_PAL = 1 |
00h A_UINT32 4 rules ;combination of WMI_WRT_xxx values (see "wmi_thin.h") |
00h A_UINT8 1 enable (0=default/normal mode, 1=promiscuous mode) |
00h A_UINT16 2 filtermask(0) ;WMI_FILTERMASK_MGMT 02h A_UINT16 2 filtermask(1) ;WMI_FILTERMASK_CTRL 04h A_UINT16 2 filtermask(2) ;WMI_FILTERMASK_DATA 06h A_UINT16 2 reserved ;alignment |
00h A_UINT16 2 channel ;frequency in MHz -- //A_UINT8 - mode ;outcommented (HT20 or HT40 flag?) -- //A_UINT8 - secondary ;outcommented (HT40 2nd channel above/below flag?) |
00h A_UINT8 1 result ;WMI_SET_CHANNEL_RES (or WMI_THIN_JOIN_RESULT??) 01h A_UINT8 3 reserved[3] ;alignment |
WMI_SET_CHANNEL_RES_SUCCESS = 0 WMI_SET_CHANNEL_RES_FAIL = 1 |
00h A_UINT32 4 divIdleTime; 04h A_UINT8 1 antRssiThresh; 05h A_UINT8 1 divEnable; 06h A_UINT16 2 active_treshold_rate; |
00h A_UINT8 20h pmk[WMI_PMK_LEN]; |
Unknown (none?) |
00h A_UINT8 20h pmk[WMI_PMK_LEN]; |
00h A_UCHAR 20h ssid[WMI_MAX_SSID_LEN]; 20h A_UINT8 40h passphrase[WMI_PASSPHRASE_LEN]; 60h A_UINT8 1 ssid_len; 61h A_UINT8 1 passphrase_len; |
00h A_UINT8 1 host_accept; 01h A_UINT8 1 host_reasonCode; 02h A_UINT8 1 target_status; 03h A_UINT8 6 sta_mac_addr[ATH_MAC_LEN]; 09h A_UINT8 1 rspType; |
00h A_UINT8 1 enable; |
00h A_UINT8 1 status; 01h A_UINT8 1 rspType; |
00h A_UINT8 1 ctrl_id; /* control identifier (aka sub-command?) 01h A_UINT8 1 length; /* number of bytes of data to follow 02h A_UINT8 .. data[1]; /* start of control data |
00h A_UINT8 1 event_id; /* event identifier 01h A_UINT8 1 length; /* number of bytes of data that follows 02h A_UINT8 .. data[1]; /* start of event data |
00h A_UINT32 4 threshold; |
Unknown (None?) |
EVENTID is unknown (maybe 0040h, ie. same as GET_APPIE_CMD) Reply structure is unknown (maybe same parameter structure for SET_APPIE_CMD) |
00h A_UINT8 1 status; /* PSTREAM_REPLY_STATUS 01h A_UINT8 1 txQueueNumber; 02h A_UINT8 1 rxQueueNumber; 03h A_UINT8 1 trafficClass; 04h A_UINT8 1 trafficDirection; /* DIR_TYPE |
A_SUCCEEDED = A_OK = 0 A_FAILED_DELETE_STREAM_DOESNOT_EXIST = 250 A_SUCCEEDED_MODIFY_STREAM = 251 A_FAILED_INVALID_STREAM = 252 A_FAILED_MAX_THINSTREAMS = 253 A_FAILED_CREATE_REMOVE_PSTREAM_FIRST = 254 |
00h A_UINT8 1 status; ;\ 01h A_UINT8 1 txQueueNumber; ; same as WMI_CRE_PRIORITY_STREAM_REPLY 02h A_UINT8 1 rxQueueNumber; ;/ 03h A_UINT8 1 trafficDirection; ;\unlike WMI_CRE_PRIORITY_STREAM_REPLY 04h A_UINT8 1 trafficClass; ;/(entries are swapped) |
00h A_UINT8 1 eventCode; 01h A_UINT8 6 peerMacAddr[ATH_MAC_LEN]; |
PEER_NODE_JOIN_EVENT = 00h PEER_NODE_LEAVE_EVENT = 01h PEER_FIRST_NODE_JOIN_EVENT = 10h PEER_LAST_NODE_LEAVE_EVENT = 11h |
Unknown (if any) |
00h A_UINT32 4 version; |
00h A_UINT8 1 numMessages ;number of tx comp msgs following 01h A_UINT8 1 msgLen ;length in bytes for each individual msg following 02h A_UINT8 1 msgType ;version of tx complete msg data following 03h A_UINT8 1 reserved When msgType=01h=WMI_TXCOMPLETE_VERSION_1 04h ... .. individual message(s) (see TX_COMPLETE_MSG_V1 structure) When msgType=Other 04h ... .. reserved for other MSG types (none such defined yet) |
00h A_UINT8 1 status /* one of TX_COMPLETE_STATUS_xxx values
01h A_UINT8 1 pktID /* packet ID to identify parent packet
02h A_UINT8 1 rateIdx /* rate index on successful transmission
03h A_UINT8 1 ackFailures /* number of ACK failures in tx attempt
#if 0 ;optional "host delivery time" params currently ommitted...
-- A_UINT32 queueDelay /* usec delay measured Tx Start time
-- A_UINT32 mediaDelay /* usec delay measured ACK rx time
#endif
|
TX_COMPLETE_STATUS_SUCCESS = 0 TX_COMPLETE_STATUS_RETRIES = 1 TX_COMPLETE_STATUS_NOLINK = 2 TX_COMPLETE_STATUS_TIMEOUT = 3 TX_COMPLETE_STATUS_OTHER = 4 |
Unknown (what?) |
00h A_UINT32 4 sleepState; |
WMI_REPORT_SLEEP_STATUS_IS_DEEP_SLEEP = 0 WMI_REPORT_SLEEP_STATUS_IS_AWAKE = 1 |
00h A_UINT8 1 type; 01h A_UINT8 6 macAddr[ATH_MAC_LEN]; |
WAPI_REKEY_UCAST = 1 WAPI_REKEY_MCAST = 2 |
00h A_INT32 4 rm_type ;\one of these MIGHT be "WMI_CCX_RM_STATUS_TYPE" ? 04h A_INT32 4 status ;/ |
WMI_CCX_RM_STATUS_UNKNOWN = 0 WMI_CCX_RM_REPORT_SENT = 1 WMI_CCX_RM_REFUSE_REPORT_SENT = 2 |
Unknown (if any?) |
00h wmm_params 6*4 wmm_params[4]; |
00h A_UINT8 1 acm; /* ACM parameter 01h A_UINT8 1 aifsn; /* AIFSN parameters 02h A_UINT8 1 logcwmin; /* cwmin in exponential form 03h A_UINT8 1 logcwmax; /* cwmax in exponential form 04h A_UINT16 2 txopLimit; /* txopLimit |
00h A_UINT8 6 bssid[ATH_MAC_LEN]; |
| DSi Atheros Wifi - Unimplemented WMI Bluetooth Coexistence (newer AR6002) |
BT_PARAM_SCO_PSPOLL_LATENCY_ONE_FOURTH = 1 ;aka 25% BT_PARAM_SCO_PSPOLL_LATENCY_HALF = 2 ;aka 50% BT_PARAM_SCO_PSPOLL_LATENCY_THREE_FOURTH = 3 ;aka 75% |
BT_PARAMS_SCO_STOMP_SCO_NEVER = 1 BT_PARAMS_SCO_STOMP_SCO_ALWAYS = 2 BT_PARAMS_SCO_STOMP_SCO_IN_LOWRSSI = 3 |
BT_ANT_TYPE_UNDEF = 0 ;aka "Disabled (default)" BT_ANT_TYPE_DUAL = 1 BT_ANT_TYPE_SPLITTER = 2 BT_ANT_TYPE_SWITCH = 3 BT_ANT_TYPE_HIGH_ISO_DUAL = 4 ;<-- not in "code aurora" |
BT_COLOCATED_DEV_BTS4020 = 0 BT_COLCATED_DEV_CSR = 1 BT_COLOCATED_DEV_VALKYRIE = 2 ;aka BT_COLOCATED_DEV_VALKYRIe |
00h A_UINT8 1 streamType; ;aka BT_STREAM_TYPE ? 01h A_UINT8 1 status; ;aka BT_STREAM_STATUS ? |
BT_STREAM_UNDEF = 0 BT_STREAM_SCO = 1 ;SCO stream BT_STREAM_A2DP = 2 ;A2DP stream BT_STREAM_SCAN = 3 ;BT Discovery or Page ;\"Newer AR6002 from 2008-2010" BT_STREAM_ESCO = 4 ;Whatever ;/ BT_STREAM_ALL = 5 ;Whatever ;-"Newer AR6002 from 2008 only" |
BT_STATUS_UNDEF = 0 BT_STATUS_START = 1 ;-renamed to BT_STATUS_ON in code from 2010 BT_STATUS_STOP = 2 ;-renamed to BT_STATUS_OFF in code from 2010 BT_STATUS_RESUME = 3 ;\defined in "Older/Newer AR6002 from 2008" BT_STATUS_SUSPEND = 4 ;/(not in "Newer AR6002 for 2010") BT_STATUS_SUSPEND_A2DP = 5 ;\defined in "Newer AR6002 from 2008") BT_STATUS_SUSPEND_SCO = 6 ; (not in "Older AR6002 for 2008") BT_STATUS_SUSPEND_ACL = 7 ; (not in "Newer AR6002 for 2010") BT_STATUS_SUSPEND_SCAN = 8 ;/ |
1Fh 19h <--- total size (1Fh for code from 2008, 19h for code from 2010)
when paramType=1=BT_PARAM_SCO: ;SCO stream parameters (BT_PARAMS_SCO)
00h 00h A_UINT32 4 numScoCyclesForceTrigger (Number SCO cycles after which
force a pspoll, default=10)
04h 04h A_UINT32 4 dataResponseTimeout (Timeout Waiting for Downlink pkt in
response for ps-poll, default=10 ms)
08h 08h A_UINT32 4 stompScoRules ;aka BT_PARAMS_SCO_STOMP_RULES ?
0Ch 0Ch A_UINT32 4 scoOptFlags (SCO Options Flags)
10h -- A_UINT32 4 p2lrpOptModeBound ;\PacketToLowRatePacketRatio's
14h -- A_UINT32 4 p2lrpNonOptModeBound ;/
18h 10h A_UINT8 1 stompDutyCyleVal (SCO cycles to limit ps-poll queuing
if stomped)
19h 11h A_UINT8 1 stompDutyCyleMaxVal (firmware increases stomp duty cycle
gradually uptill this value on need basis)
1Ah 12h A_UINT8 1 psPollLatencyFraction (Fraction of idle period, within
which additional ps-polls can be queued)
1Bh 13h A_UINT8 1 noSCOSlots (Number of SCO Tx/Rx slots. HVx,EV3,2EV3=2)
1Ch 14h A_UINT8 1 noIdleSlots (Number of Bluetooth idle slots between
consecutive SCO Tx/Rx slots. HVx,EV3=4, 2EV3=10)
1Dh -- A_UINT8 1 reserved8 (maintain word algnment) (uh, really?)
-- 15h A_UINT8 1 scoOptOffRssi (RSSI value below which we go to ps poll)
-- 16h A_UINT8 1 scoOptOnRssi (RSSI value above which we reenter opt mode)
-- 17h A_UINT8 1 scoOptRtsCount
when paramType=2=BT_PARAM_A2DP: ;whatever (BT_PARAMS_A2DP)
00h 00h A_UINT32 4 a2dpWlanUsageLimit (MAX time firmware uses the medium for
wlan, after it identifies the idle time, default=30 ms)
04h 04h A_UINT32 4 a2dpBurstCntMin (Minimum number of bluetooth data frames
to replenish Wlan Usage limit, default 3)
08h 08h A_UINT32 4 a2dpDataRespTimeout
0Ch 0Ch A_UINT32 4 a2dpOptFlags (A2DP Option flags)
10h -- A_UINT32 4 p2lrpOptModeBound ;\PacketToLowRatePacketRatio's
14h -- A_UINT32 4 p2lrpNonOptModeBound ;/
18h -- A_UINT16 2 reserved16 (maintain word alignment)
1Ah 10h A_UINT8 1 isCoLocatedBtRoleMaster
1Bh -- A_UINT8 1 reserved8 (maintain word alignment)
1Ch -- PAD 2 undefined/padding
-- 11h A_UINT8 1 a2dpOptOffRssi (RSSI value below which we go to ps poll)
-- 12h A_UINT8 1 a2dpOptOnRssi(RSSI value above which we reenter opt mode)
-- 13h A_UINT8 1 a2dpOptRtsCount
-- 14h PAD 4 undefined/padding
when paramType=3=BT_PARAM_ANTENNA_CONFIG:
00h 00h A_UINT8 1 antType aka BT_ANT_FRONTEND_CONFIG
01h -- PAD 1Dh undefined/padding
-- 01h PAD 17h undefined/padding
when paramType=4=BT_PARAM_COLOCATED_BT_DEVICE:
00h 00h A_UINT8 1 coLocatedBtDev aka BT_COLOCATED_DEV_TYPE
01h -- PAD 1Dh undefined/padding
-- 01h PAD 17h undefined/padding
when paramType=5=BT_PARAM_ACLCOEX: ;whatever (BT_PARAMS_ACLCOEX)
;During BT ftp/ BT OPP or any another data based acl profile on bluetooth
;(non a2dp).
00h 00h A_UINT32 4 aclWlanMediumUsageTime (Wlan usage time during
Acl (non-a2dp) coexistence, default=30 ms)
04h 04h A_UINT32 4 aclBtMediumUsageTime (Bt usage time during
acl coexistence, default=30 ms)
08h 08h A_UINT32 4 aclDataRespTimeout
0Ch 0Ch A_UINT32 4 aclDetectTimeout (ACL coexistence enabled if we get
10 Pkts in X ms, default=100 ms)
10h 10h A_UINT32 4 aclmaxPktCnt (No of ACL pkts to receive before
enabling ACL coex)
14h -- PAD 0Ah undefined/padding
-- 14h PAD 4 undefined/padding
when paramType=6=BT_PARAM_11A_SEPARATE_ANT:
00h 00h UNKNOWN ? unknown (maybe same as antType ?)
xxh -- PAD .. undefined/padding
-- xxh PAD .. undefined/padding
and, in all cases:
1Eh 18h A_UINT8 1 paramType
|
Bit0 Allow Close Range Optimization ;\all versions Bit1 Force awake during close range ;/ Bit2 If set use (host supplied) threshold ;\Newer AR6002 Bit3..23 Unused ;/from 2008 Bit2 If set use host supplied RSSI for OPT ;\ Bit3 If set use host supplied RTS COUNT for OPT ; Newer AR6002 Bit4..7 Unused ; from 2010 Bit8..15 Low Data Rate Min Cnt ; Bit16..23 Low Data Rate Max Cnt ;/ Bit24..31 Undocumented (unused?) ;-all versions |
p2lrpOptModeBound: Minimum ratio required to STAY IN opt mode p2lrpNonOptModeBound: Minimum ratio required to SWITCH TO opt mode |
| DSi Atheros Wifi - Unimplemented WMI Bluetooth Coexistence (AR6003) |
00h A_UINT8 1 btcoexFeAntType
1 - WMI_BTCOEX_FE_ANT_SINGLE for single antenna front end
2 - WMI_BTCOEX_FE_ANT_DUAL for dual antenna front end
(for isolations less 35dB, for higher isolation there
is not need to pass this command).
(not implemented)
|
WMI_BTCOEX_NOT_ENABLED = 0 WMI_BTCOEX_FE_ANT_SINGLE = 1 WMI_BTCOEX_FE_ANT_DUAL = 2 WMI_BTCOEX_FE_ANT_DUAL_HIGH_ISO = 3 WMI_BTCOEX_FE_ANT_BYPASS_MODE = 4 WMI_BTCOEX_FE_ANT_COMBINE_MODE = 5 |
00h A_UINT8 1 btcoexCoLocatedBTdev; 1 - Qcom BT (3 -wire PTA)
2 - CSR BT (3 wire PTA)
3 - Atheros 3001 BT (3 wire PTA)
4 - STE bluetooth (4-wire ePTA)
5 - Atheros 3002 BT (4-wire MCI)
default=3 (Atheros 3001 BT )
|
--------------- BTCOEX_SCO_CONFIG scoConfig;
00h A_UINT32 4 scoSlots (Number of SCO Tx/Rx slots: HVx,EV3,2EV3 = 2)
04h A_UINT32 4 scoIdleSlots (Number of Bluetooth idle slots between
consecutive SCO Tx/Rx slots: HVx,EV3 = 4, 2EV3 = 10)
08h A_UINT32 4 scoFlags; SCO Options Flags:
Bit0 Allow Close Range Optimization
Bit1 Is EDR capable or Not
Bit2 IS Co-located Bt role Master
Bit3 Firmware determines the periodicity of SCO
0Ch A_UINT32 4 linkId (applicable to STE-BT - not used)
--------------- BTCOEX_PSPOLLMODE_SCO_CONFIG scoPspollConfig;
10h A_UINT32 4 scoCyclesForceTrigger (Number SCO cycles after which
force a pspoll, default=10)
14h A_UINT32 4 scoDataResponseTimeout (Timeout Waiting for Downlink pkt
in response for ps-poll, default=20 ms)
18h A_UINT32 4 scoStompDutyCyleVal (not implemented)
1Ch A_UINT32 4 scoStompDutyCyleMaxVal (not implemented)
20h A_UINT32 4 scoPsPollLatencyFraction (Fraction of idle period, within
which additional ps-polls can be queued
1 - 1/4 of idle duration
2 - 1/2 of idle duration
3 - 3/4 of idle duration
default=2 (1/2)
--------------- BTCOEX_OPTMODE_SCO_CONFIG scoOptModeConfig;
24h A_UINT32 4 scoStompCntIn100ms (max number of SCO stomp in 100ms
allowed in opt mode. If exceeds the configured value,
switch to ps-poll mode, default=3)
28h A_UINT32 4 scoContStompMax (max number of continous stomp allowed in
opt mode. if excedded switch to pspoll mode, default=3)
2Ch A_UINT32 4 scoMinlowRateMbps (Low rate threshold)
|
30h A_UINT32 4 scoLowRateCnt (number of low rate pkts (< scoMinlowRateMbps)
allowed in 100 ms. If exceeded switch/stay to ps-poll mode,
lower stay in opt mode, default=36)
34h A_UINT32 4 scoHighPktRatio "(Total Rx pkts in 100 ms + 1)/((Total tx
pkts in 100 ms - No of high rate pkts in 100 ms) + 1) in
100 ms"
if exceeded switch/stay in opt mode and if lower
switch/stay in pspoll mode.
default=5 (80% of high rates)
38h A_UINT32 4 scoMaxAggrSize (Max number of Rx subframes allowed in this
mode. (Firmware re-negogiates max number of aggregates if
it was negogiated to higher value, default=1,
Recommended value Basic rate headsets = 1, EDR (2-EV3) =4.
--------------- BTCOEX_WLANSCAN_SCO_CONFIG scoWlanScanConfig;
3Ch A_UINT32 4 scanInterval;
40h A_UINT32 4 maxScanStompCnt;
|
Aliases for "scoFlags": #define WMI_SCO_CONFIG_FLAG_ALLOW_OPTIMIZATION (1 << 0) #define WMI_SCO_CONFIG_FLAG_IS_EDR_CAPABLE (1 << 1) #define WMI_SCO_CONFIG_FLAG_IS_BT_MASTER (1 << 2) #define WMI_SCO_CONFIG_FLAG_FW_DETECT_OF_PER (1 << 3) |
--------------- BTCOEX_A2DP_CONFIG a2dpConfig;
00h A_UINT32 4 a2dpFlags; 2DP Option flags:
Bit0 Allow Close Range Optimization
Bit1 IS EDR capable
Bit2 IS Co-located Bt role Master
Bit3 a2dp traffic is high priority
Bit4 Fw detect the role of bluetooth.
04h A_UINT32 4 linkId (Applicable only to STE-BT - not used)
--------------- BTCOEX_PSPOLLMODE_A2DP_CONFIG a2dppspollConfig;
08h A_UINT32 4 a2dpWlanMaxDur (MAX time firmware uses the medium for
wlan, after it identifies the idle time, default=30 ms)
0Ch A_UINT32 4 a2dpMinBurstCnt (Minimum number of bluetooth data frames
to replenish Wlan Usage limit, default=3)
10h A_UINT32 4 a2dpDataRespTimeout (Max duration firmware waits for
downlink by stomping on bluetooth after ps-poll is
acknowledged, default=20 ms)
--------------- BTCOEX_OPTMODE_A2DP_CONFIG a2dpOptConfig;
14h A_UINT32 4 a2dpMinlowRateMbps (Low rate threshold)
18h A_UINT32 4 a2dpLowRateCnt (number of low rate pkts
(<a2dpMinlowRateMbps) allowed in 100 ms.
If exceeded switch/stay to ps-poll mode, lower stay in
opt mode, default=36)
1Ch A_UINT32 4 a2dpHighPktRatio "(Total Rx pkts in 100 ms + 1)/
((Total tx pkts in 100 ms - No of high rate pkts in 100 ms)
+ 1) in 100 ms", if exceeded switch/stay in opt mode and
if lower switch/stay in pspoll mode.
default=5 (80% of high rates)
20h A_UINT32 4 a2dpMaxAggrSize (Max number of Rx subframes allowed in this
mode. (Firmware re-negogiates max number of aggregates if
it was negogiated to higher value, default=1.
Recommended value Basic rate headsets = 1, EDR (2-EV3) =8)
24h A_UINT32 4 a2dpPktStompCnt (number of a2dp pkts that can be stomped
per burst, default=6)
|
Aliases for "a2dpFlags": #define WMI_A2DP_CONFIG_FLAG_ALLOW_OPTIMIZATION (1 << 0) #define WMI_A2DP_CONFIG_FLAG_IS_EDR_CAPABLE (1 << 1) #define WMI_A2DP_CONFIG_FLAG_IS_BT_ROLE_MASTER (1 << 2) #define WMI_A2DP_CONFIG_FLAG_IS_A2DP_HIGH_PRI (1 << 3) #define WMI_A2DP_CONFIG_FLAG_FIND_BT_ROLE (1 << 4) |
--------------- BTCOEX_ACLCOEX_CONFIG aclCoexConfig;
00h A_UINT32 4 aclWlanMediumDur (Wlan usage time during Acl (non-a2dp)
coexistence, default=30 ms)
04h A_UINT32 4 aclBtMediumDur (Bt usage time during acl coexistence,
default=30 ms)
08h A_UINT32 4 aclDetectTimeout (BT activity observation time limit.
In this time duration, number of bt pkts are counted.
If the Cnt reaches "aclPktCntLowerLimit" value for
"aclIterToEnableCoex" iteration continuously, firmware gets
into ACL coexistence mode. Similarly, if bt traffic count
during ACL coexistence has not reached "aclPktCntLowerLimit"
continuously for "aclIterToEnableCoex", then ACL coexistence
is disabled, default=100 ms)
0Ch A_UINT32 4 aclPktCntLowerLimit (Acl Pkt Cnt to be received in duration
of "aclDetectTimeout" for "aclIterForEnDis" times to
enabling ACL coex. Similar logic is used to disable acl
coexistence. (If "aclPktCntLowerLimit" cnt of acl pkts
are not seen by the for "aclIterForEnDis" then acl
coexistence is disabled), default=10)
10h A_UINT32 4 aclIterForEnDis (number of Iteration of
"aclPktCntLowerLimit" for Enabling and Disabling Acl
Coexistence, default=3)
14h A_UINT32 4 aclPktCntUpperLimit (This is upperBound limit, if there is
more than "aclPktCntUpperLimit" seen in "aclDetectTimeout",
ACL coexistence is enabled right away, default=15)
18h A_UINT32 4 aclCoexFlags A2DP Option flags:
Bit0 Allow Close Range Optimization
Bit1 disable Firmware detection
(Currently supported configuration is aclCoexFlags=0)
1Ch A_UINT32 4 linkId; ;Applicable only for STE-BT - not used
--------------- BTCOEX_PSPOLLMODE_ACLCOEX_CONFIG aclCoexPspollConfig;
20h A_UINT32 4 aclDataRespTimeout (Max duration firmware waits for downlink
by stomping on bluetooth after ps-poll is acknowledged,
default=20 ms)
--------------- BTCOEX_OPTMODE_ACLCOEX_CONFIG aclCoexOptConfig;
24h A_UINT32 4 aclCoexMinlowRateMbps ;\
28h A_UINT32 4 aclCoexLowRateCnt ;
2Ch A_UINT32 4 aclCoexHighPktRatio ; Not implemented yet
30h A_UINT32 4 aclCoexMaxAggrSize ;
34h A_UINT32 4 aclPktStompCnt ;/
|
(Not implemented yet) (uh, what?)
|
Aliases for "aclCoexFlags": #define WMI_ACLCOEX_FLAGS_ALLOW_OPTIMIZATION (1 << 0) #define WMI_ACLCOEX_FLAGS_DISABLE_FW_DETECTION (1 << 1) |
00h A_UINT32 4 btInquiryDataFetchFrequency (The frequency of querying the
AP for data (via pspoll) is configured by this parameter,
default=10 ms)
04h A_UINT32 4 protectBmissDurPostBtInquiry (The firmware will continue to
be in inquiry state for configured duration, after inquiry
completion. This is to ensure other bluetooth transactions
(RDP, SDP profiles, link key exchange, etc.) goes through
smoothly without wifi stomping, default=10 secs)
08h A_UINT32 4 maxpageStomp (Applicable only for STE-BT interface.
Currently not used)
0Ch A_UINT32 4 btInquiryPageFlag (Not used)
|
00h A_UINT32 4 btcoexDbgParam1 ;\ 04h A_UINT32 4 btcoexDbgParam2 ; Used for firmware development 08h A_UINT32 4 btcoexDbgParam3 ; and debugging 0Ch A_UINT32 4 btcoexDbgParam4 ; 10h A_UINT32 4 btcoexDbgParam5 ;/ |
00h A_UINT32 4 btProfileType (1=SCO, 2=A2DP, 3=INQUIRY_PAGE, 4=ACLCOEX) 04h A_UINT32 4 btOperatingStatus ;aka BT_STREAM_STATUS on AR6002 ? 08h A_UINT32 4 btLinkId |
WMI_BTCOEX_BT_PROFILE_SCO = 1 WMI_BTCOEX_BT_PROFILE_A2DP = 2 WMI_BTCOEX_BT_PROFILE_INQUIRY_PAGE = 3 WMI_BTCOEX_BT_PROFILE_ACLCOEX = 4 |
Unknown (none?) |
00h A_UINT32 4 btProfileType (1=SCO, 2=A2DP, 3=INQUIRY_PAGE, 4=ACLCOEX) 04h A_UINT32 4 linkId (not used) (reserved/dummy?) |
00h A_UINT32 4 btProfileType (1=SCO, 2=A2DP, 3=INQUIRY_PAGE, 4=ACLCOEX)
04h A_UINT32 4 linkId (not used)
PREPACK union -- below are same as parameters from corresponding CMD's:
08h .. WMI_SET_BTCOEX_SCO_CONFIG_CMD scoConfigCmd;
08h .. WMI_SET_BTCOEX_A2DP_CONFIG_CMD a2dpConfigCmd;
08h .. WMI_SET_BTCOEX_ACLCOEX_CONFIG_CMD aclcoexConfig;
08h .. WMI_SET_BTCOEX_BTINQUIRY_PAGE_CONFIG_CMD btinquiryPageConfigCmd;
|
--------------- BTCOEX_GENERAL_STATS coexStats; 00h A_UINT32 4 highRatePktCnt; 04h A_UINT32 4 firstBmissCnt; 08h A_UINT32 4 psPollFailureCnt; 0Ch A_UINT32 4 nullFrameFailureCnt; 10h A_UINT32 4 optModeTransitionCnt; --------------- BTCOEX_SCO_STATS scoStats; 14h A_UINT32 4 scoStompCntAvg; 18h A_UINT32 4 scoStompIn100ms; 1Ch A_UINT32 4 scoMaxContStomp; 20h A_UINT32 4 scoAvgNoRetries; 24h A_UINT32 4 scoMaxNoRetriesIn100ms; --------------- BTCOEX_A2DP_STATS a2dpStats; 28h A_UINT32 4 a2dpBurstCnt; 2Ch A_UINT32 4 a2dpMaxBurstCnt; 30h A_UINT32 4 a2dpAvgIdletimeIn100ms; 34h A_UINT32 4 a2dpAvgStompCnt; --------------- BTCOEX_ACLCOEX_STATS aclCoexStats; 38h A_UINT32 4 aclPktCntInBtTime; 3Ch A_UINT32 4 aclStompCntInWlanTime; 40h A_UINT32 4 aclPktCntIn100ms; |
| DSi Atheros Wifi - Unimplemented WMI DataSet Functions |
00h A_UINT32 4 dset_id ;-ID of requested DataSet (see "dsetid.h") 04h A_UINT32 4 targ_dset_handle ;\to be echo'ed in REPLY_CMD 08h A_UINT32 4 targ_reply_fn ; (host doesn't need to deal with this) 0Ch A_UINT32 4 targ_reply_arg ;/ |
00h A_UINT32 4 access_cookie ;-some kind of "filehandle" on host side 04h A_UINT32 4 offset ;\source offset & length of requested data 08h A_UINT32 4 length ;/ 0Ch A_UINT32 4 targ_buf ;\to be echo'ed in REPLY_CMD 10h A_UINT32 4 targ_reply_fn ; (host doesn't need to deal with this) 14h A_UINT32 4 targ_reply_arg ;/ |
00h A_UINT32 4 access_cookie ;-some kind of "filehandle" on host side |
00h A_UINT32 4 status ;-what status ? 04h A_UINT32 4 targ_dset_handle ;\ 08h A_UINT32 4 targ_reply_fn ; to be echo'ed from open EVENT 0Ch A_UINT32 4 targ_reply_arg ;/ 10h A_UINT32 4 access_cookie ;-some kind of "filehandle" on host side 14h A_UINT32 4 size ;-what size ? 18h A_UINT32 4 version ;-what version ? |
00h A_UINT32 4 status ;-what status ? 04h A_UINT32 4 targ_buf ;\ 08h A_UINT32 4 targ_reply_fn ; to be echo'ed from data EVENT 0Ch A_UINT32 4 targ_reply_arg ;/ 10h A_UINT32 4 length ;\requested data 14h A_UINT8 LEN buf[length] ;/ |
| DSi Atheros Wifi - Unimplemented WMI AP Mode Functions |
AP_MAX_NUM_STA = 4 ;for old AR6002_REV2 version AP_MAX_NUM_STA = 10 ;for newer versions NUM_DEV = 3 ;Maximum no. of virtual interface supported NUM_CONN = (AP_MAX_NUM_STA + NUM_DEV) AP_ACL_SIZE = 10 IEEE80211_MAX_IE = 256 MCAST_AID = 0FFh ;Spl. AID used to set DTIM flag in the beacons DEF_AP_COUNTRY_CODE = "US " DEF_AP_WMODE_G = WMI_11G_MODE DEF_AP_WMODE_AG = WMI_11AG_MODE DEF_AP_DTIM = 5 DEF_BEACON_INTERVAL = 100 AP_DISCONNECT_STA_LEFT = 101 ;\ AP_DISCONNECT_FROM_HOST = 102 ; AP_DISCONNECT_COMM_TIMEOUT = 103 ; AP mode disconnect reasons AP_DISCONNECT_MAX_STA = 104 ; (101..107 decimal): AP_DISCONNECT_ACL = 105 ; AP_DISCONNECT_STA_ROAM = 106 ; AP_DISCONNECT_DFS_CHANNEL = 107 ;/ |
00h A_UINT8 1 hidden_ssid; |
00h A_UINT8 1 num_sta; |
00h A_UINT8 1 policy; #define AP_ACL_DISABLE = 00h #define AP_ACL_ALLOW_MAC = 01h #define AP_ACL_DENY_MAC = 02h #define AP_ACL_RETAIN_LIST_MASK = 80h |
00h A_UINT8 1 action; 01h A_UINT8 1 index; 02h A_UINT8 6 mac[ATH_MAC_LEN]; 08h A_UINT8 1 wildcard; |
A_UINT16 2 index; A_UINT8 ... acl_mac[AP_ACL_SIZE][ATH_MAC_LEN]; A_UINT8 .. wildcard[AP_ACL_SIZE]; A_UINT8 1 policy; |
00h A_UINT8 6 mac[ATH_MAC_LEN]; 06h A_UINT16 2 reason; /* 802.11 reason code 08h A_UINT8 1 cmd; /* operation to perform |
WMI_AP_MLME_ASSOC 1 /* associate station WMI_AP_DISASSOC 2 /* disassociate station WMI_AP_DEAUTH 3 /* deauthenticate station WMI_AP_MLME_AUTHORIZE 4 /* authorize station WMI_AP_MLME_UNAUTHORIZE 5 /* unauthorize station |
00h A_BOOL 4 flag; 04h A_UINT16 2 rsvd; 06h A_UINT16 2 aid; |
00h A_UINT32 4 period; |
00h A_UINT32 4 period_min; 04h A_UINT32 4 dwell_ms; |
00h A_UCHAR 3 countryCode[3]; |
00h A_UINT8 1 dtim; |
Unknown (if any) |
Unknown (if any) |
00h A_UINT32 action; 04h WMI_PER_STA_STAT sta[AP_MAX_NUM_STA]; |
AP_GET_STATS = 0 AP_CLEAR_STATS = 1 |
00h A_UINT32 tx_bytes; 04h A_UINT32 tx_pkts; 08h A_UINT32 tx_error; 0Ch A_UINT32 tx_discard; 10h A_UINT32 rx_bytes; 14h A_UINT32 rx_pkts; 18h A_UINT32 rx_error; 1Ch A_UINT32 rx_discard; 20h A_UINT32 aid; |
00h A_UINT8 1 rateset; AP_11BG_RATESET1 = 1 AP_11BG_RATESET2 = 2 DEF_AP_11BG_RATESET = AP_11BG_RATESET1 |
00h A_UINT8 1 enable; |
00h A_UINT16 2 aid; 02h A_UINT16 2 bitmap; 04h A_UINT32 4 flags; |
WMI_AP_APSD_NO_DELIVERY_FRAMES_FOR_THIS_TRIGGER = 01h |
00h A_UINT16 2 aid; |
| DSi Atheros Wifi - Unimplemented WMI DFS Functions |
Unknown (maybe WMI_SET_DFS_CMD structure?) |
00h A_UINT8 1 enable; |
XXX see file "dfs_common.h" |
00h A_UINT16 2 chan_index; 02h A_INT8 1 bang_radar; |
00h A_UINT64 8 ext_chan_busy_ts; 08h A_UINT8 1 enable_ar; 09h A_UINT8 1 enable_radar; |
00h A_UINT32 4 dfs_domain; |
Unknown (if any) (not defined in file "dfs_common.h") |
00h A_UINT8 1 num_events; 01h dfs_event_info .. ev_info[WMI_DFS_EVENT_MAX_BUFFER_SIZE]; |
00h A_UINT64 8 full_ts; /* 64-bit full timestamp from interrupt time 08h A_UINT32 4 ts; /* Original 15 bit recv timestamp 0Ch A_UINT32 4 ext_chan_busy; /* Ext chan busy % 10h A_UINT8 1 rssi; /* rssi of radar event 11h A_UINT8 1 dur; /* duration of radar pulse 12h A_UINT8 1 chanindex; /* Channel of event 13h A_UINT8 1 flags; |
PRIMARY_CH = 0 ;\flags.bit0 EXT_CH = 1 ;/ AR_EVENT = 0 ;\flags.bit1 DFS_EVENT = 2 ;/ |
DFS_UNINIT_DOMAIN = 0 ;Uninitialized dfs domain DFS_FCC_DOMAIN = 1 ;FCC3 dfs domain DFS_ETSI_DOMAIN = 2 ;ETSI dfs domain DFS_MKK4_DOMAIN = 3 ;Japan dfs domain MAX_BIN5_DUR = 131 ;rounded from 131.25=(105*1.25) ;DFS related TRAFFIC_DETECTED = 1 ;whatever ;DFS related ATH_DEBUG_DFS = 00000100h ;Minimal DFS debug ;\ ATH_DEBUG_DFS1 = 00000200h ;Normal DFS debug ; should match the ATH_DEBUG_DFS2 = 00000400h ;Maximal DFS debug ; table from if_ath.c ATH_DEBUG_DFS3 = 00000800h ;matched filterID display ;/ |
| DSi Atheros Wifi - Unimplemented WMI P2P Functions |
00h A_UINT8 1 ssidLength; 01h A_UINT8 20h ssid[WMI_MAX_SSID_LEN]; |
00h A_UINT8 1 go_intent; 01h A_UINT8 3 country[3]; 04h A_UINT8 1 reg_class; 05h A_UINT8 1 listen_channel; 06h A_UINT8 1 op_reg_class; 07h A_UINT8 1 op_channel; 09h A_UINT16 2 config_methods; |
00h device_type_tuple 4 pri_dev_type; -- outcommented? 0 //A_UINT8 pri_device_type[8]; 04h device_type_tuple 4*5 sec_dev_type[MAX_P2P_SEC_DEVICE_TYPES]; 18h A_UINT8 10h uuid[WPS_UUID_LEN]; 28h A_UINT8 20h device_name[WPS_MAX_DEVNAME_LEN]; 48h A_UINT8 1 dev_name_len; |
00h A_UINT16 2 categ; 02h A_UINT16 2 sub_categ; |
00h device_type_tuple 4 pri_dev_type; 04h device_type_tuple 4*5 sec_dev_type[MAX_P2P_SEC_DEVICE_TYPES]; 18h A_UINT8 6 device_addr[ATH_MAC_LEN]; |
00h A_UINT32 4 timeout; 04h A_ENUM .. type; ;A_UINTx or so? ;aka WMI_P2P_DISC_TYPE |
WMI_P2P_FIND_START_WITH_FULL = Unknown (0 or 1 or so) WMI_P2P_FIND_ONLY_SOCIAL = WMI_P2P_FIND_START_WITH_FULL+1 WMI_P2P_FIND_PROGRESSIVE = WMI_P2P_FIND_START_WITH_FULL+2 |
Unknown (none?) |
00h A_UINT16 2 listen_freq; 02h A_UINT16 2 force_freq; 04h A_UINT16 2 go_oper_freq; 06h A_UINT8 1 dialog_token; 07h A_UINT8 6 peer_addr[ATH_MAC_LEN]; 0Dh A_UINT8 6 own_interface_addr[ATH_MAC_LEN]; 13h A_UINT8 6 member_in_go_dev[ATH_MAC_LEN]; 19h A_UINT8 1 go_dev_dialog_token; 1Ah P2P_SSID 21h peer_go_ssid; 3Bh A_UINT8 1 wps_method; 3Ch A_UINT8 1 dev_capab; 3Dh A_INT8 1 go_intent; 3Eh A_UINT8 1 persistent_grp; |
00h A_UINT32 4 timeout; |
000h A_UINT16 2 listen_freq; 002h A_UINT16 2 force_freq; 004h A_UINT8 1 status; 005h A_INT8 1 go_intent; 006h A_UINT8 200h wps_buf[512]; 206h A_UINT16 2 wps_buflen; 208h A_UINT8 200h p2p_buf[512]; 408h A_UINT16 2 p2p_buflen; 40Ah A_UINT8 1 dialog_token; 40Bh A_UINT8 1 wps_method; 40Ch A_UINT8 1 persistent_grp; 40Dh A_UINT8 6 sa[ATH_MAC_LEN]; |
00h A_UINT8 1 persistent_group; 01h A_UINT8 1 group_formation; |
00h A_UINT8 6 peer_addr[ATH_MAC_LEN]; 06h A_UINT8 1 grp_formation_status; |
00h A_ENUM .. role; ;A_UINTx or so? ;WMI_P2P_INVITE_ROLE .. A_UINT16 2 listen_freq; .. A_UINT16 2 force_freq; .. A_UINT8 1 dialog_token; .. A_UINT8 6 peer_addr[ATH_MAC_LEN]; .. A_UINT8 6 bssid[ATH_MAC_LEN]; .. A_UINT8 6 go_dev_addr[ATH_MAC_LEN]; .. P2P_SSID 21h ssid; .. A_UINT8 1 is_persistent; .. A_UINT8 1 wps_method; |
WMI_P2P_INVITE_ROLE_GO = Unknown (0 or 1 or so) WMI_P2P_INVITE_ROLE_ACTIVE_GO = WMI_P2P_INVITE_ROLE_GO+1 WMI_P2P_INVITE_ROLE_CLIENT = WMI_P2P_INVITE_ROLE_GO+2 |
000h A_UINT16 2 force_freq; 002h A_UINT8 1 status; 003h A_UINT8 1 dialog_token; 004h A_UINT8 200h p2p_buf[512]; 204h A_UINT16 2 p2p_buflen; 206h A_UINT8 1 is_go; 207h A_UINT8 6 group_bssid[ATH_MAC_LEN]; |
00h A_UINT16 2 wps_method; 02h A_UINT16 2 listen_freq; 04h A_UINT8 1 dialog_token; 05h A_UINT8 6 peer[ATH_MAC_LEN]; 0Bh A_UINT8 6 go_dev_addr[ATH_MAC_LEN]; 11h P2P_SSID 21h go_oper_ssid; |
00h A_UINT8 1 config_id; ;set to one of WMI_P2P_CONF_ID When config_id=1=WMI_P2P_CONFID_LISTEN_CHANNEL ;WMI_P2P_LISTEN_CHANNEL 01h A_UINT8 1 reg_class; 02h A_UINT8 1 listen_channel; When config_id=2=WMI_P2P_CONFID_CROSS_CONNECT ;WMI_P2P_SET_CROSS_CONNECT 01h A_UINT8 1 flag; When config_id=3=WMI_P2P_CONFID_SSID_POSTFIX ;WMI_P2P_SET_SSID_POSTFIX 01h A_UINT8 17h ssid_postfix[WMI_MAX_SSID_LEN-9]; 18h A_UINT8 1 ssid_postfix_len; When config_id=4=WMI_P2P_CONFID_INTRA_BSS ;WMI_P2P_SET_INTRA_BSS 01h A_UINT8 1 flag; When config_id=5=WMI_P2P_CONFID_CONCURRENT_MODE ;WMI_P2P_SET_CONCURRENT_MODE 01h A_UINT8 1 flag; When config_id=6=WMI_P2P_CONFID_GO_INTENT ;WMI_P2P_SET_GO_INTENT 01h A_UINT8 1 value; When config_id=7=WMI_P2P_CONFID_DEV_NAME ;WMI_P2P_SET_DEV_NAME 01h A_UINT8 20h dev_name[WPS_MAX_DEVNAME_LEN]; 21h A_UINT8 1 dev_name_len; |
000h A_UINT8 1 type; 001h A_UINT8 1 dialog_token; 002h A_UINT8 1 frag_id; 003h A_UINT8 1 reserved1; /* alignment 004h A_UINT8 6 peer_addr[ATH_MAC_LEN]; 00Ah A_UINT16 2 freq; 00Ch A_UINT16 2 status_code; 00Eh A_UINT16 2 comeback_delay; 010h A_UINT16 2 tlv_length; 012h A_UINT16 2 update_indic; 014h A_UINT16 2 total_length; 016h A_UINT16 2 reserved2; /* future 018h A_UINT8 400h tlv[WMI_P2P_MAX_TLV_LEN]; |
WMI_P2P_SD_TYPE_GAS_INITIAL_REQ = 01h WMI_P2P_SD_TYPE_GAS_INITIAL_RESP = 02h WMI_P2P_SD_TYPE_GAS_COMEBACK_REQ = 03h WMI_P2P_SD_TYPE_GAS_COMEBACK_RESP = 04h WMI_P2P_PD_TYPE_RESP = 05h WMI_P2P_SD_TYPE_STATUS_IND = 06h |
WMI_P2P_SDPD_TRANSACTION_PENDING = 01h WMI_P2P_SDPD_TRANSACTION_COMP = 02h |
Unknown (none?) |
Unknown (none?) |
00h A_UINT16 2 freq; 02h A_INT8 1 status; 03h A_UINT8 1 role_go; 04h A_UINT8 20h ssid[WMI_MAX_SSID_LEN]; 24h A_UINT8 1 ssid_len; 25h A_CHAR 9 pass_phrase[WMI_MAX_PASSPHRASE_LEN]; 2Eh A_UINT8 6 peer_device_addr[ATH_MAC_LEN]; 34h A_UINT8 6 peer_interface_addr[ATH_MAC_LEN]; 3Ah A_UINT8 1 wps_method; 3Bh A_UINT8 1 persistent_grp; |
000h A_UINT8 6 sa[ATH_MAC_LEN]; 006h A_UINT8 200h wps_buf[512]; 206h A_UINT16 2 wps_buflen; 208h A_UINT8 200h p2p_buf[512]; 408h A_UINT16 2 p2p_buflen; 40Ah A_UINT8 1 dialog_token; |
000h A_UINT8 200h p2p_buf[512]; 200h A_UINT16 2 p2p_buflen; 202h A_UINT8 6 sa[ATH_MAC_LEN]; 208h A_UINT8 6 bssid[ATH_MAC_LEN]; 20Eh A_UINT8 6 go_dev_addr[ATH_MAC_LEN]; 214h P2P_SSID 21h ssid; 235h A_UINT8 1 is_persistent; 236h A_UINT8 1 dialog_token; |
00h A_UINT16 2 oper_freq; 02h A_UINT8 6 sa[ATH_MAC_LEN]; 08h A_UINT8 6 bssid[ATH_MAC_LEN]; 0Eh A_UINT8 1 is_bssid_valid; 0Fh A_UINT8 6 go_dev_addr[ATH_MAC_LEN]; 15h P2P_SSID 21h ssid; 36h A_UINT8 1 status; |
00h A_UINT8 1 status; 01h A_UINT8 6 bssid[ATH_MAC_LEN]; 07h A_UINT8 1 is_bssid_valid; |
00h A_UINT8 6 peer[ATH_MAC_LEN]; 06h A_UINT16 2 config_methods; |
00h A_UINT8 6 sa[ATH_MAC_LEN]; 06h A_UINT16 2 wps_config_method; 08h A_UINT8 6 dev_addr[ATH_MAC_LEN]; 0Eh A_UINT8 8 pri_dev_type[WPS_DEV_TYPE_LEN]; 16h A_UINT8 20h device_name[WPS_MAX_DEVNAME_LEN]; 36h A_UINT8 1 dev_name_len; 37h A_UINT16 2 dev_config_methods; 39h A_UINT8 1 device_capab; 3Ah A_UINT8 1 group_capab; |
Unknown (none?) |
00h A_UINT8 1 type; 01h A_UINT8 1 transaction_status; 02h A_UINT8 1 dialog_token; 03h A_UINT8 1 frag_id; 04h A_UINT8 6 peer_addr[ATH_MAC_LEN]; 0Ah A_UINT16 2 freq; 0Ch A_UINT16 2 status_code; 0Eh A_UINT16 2 comeback_delay; 10h A_UINT16 2 tlv_length; 12h A_UINT16 2 update_indic; 14h VAR .. Variable length TLV will be placed after the event |
| DSi Atheros Wifi - Unimplemented WMI WAC Functions |
00h A_UINT32 4 period; 04h A_UINT32 4 threshold; 08h A_INT32 4 rssi; 0Ch A_BOOL 4 enable; 10h A_CHAR 8 wps_pin[8]; ;WPS related? |
00h A_ENUM .. cmdid ;A_UINTx or so? (WAC_SUBCMD) |
WAC_MORE_SCAN = -1 WAC_SEND_PROBE_IDX = 0 |
00h A_UINT8 1 req; ;aka WAC_REQUEST_TYPE 01h A_UINT8 1 cmd; ;aka WAC_COMMAND 02h A_UINT8 1 frame; ;aka WAC_FRAME_TYPE 03h A_UINT8 11h ie[17]; 14h A_INT32 4 status; ;aka WAC_STATUS |
WAC_SET = Unknown (0 or 1 or so) WAC_GET = WAC_SET+1 |
WAC_ADD = Unknown (0 or 1 or so) WAC_DEL = WAC_ADD+1 WAC_GET_STATUS = WAC_ADD+2 WAC_GET_IE = WAC_ADD+3 |
PRBREQ = Unknown (0 or 1 or so) PRBRSP = PRBREQ+1 BEACON = PRBREQ+2 |
WAC_FAILED_NO_WAC_AP = -4 WAC_FAILED_LOW_RSSI = -3 WAC_FAILED_INVALID_PARAM = -2 WAC_FAILED_REJECTED = -1 WAC_SUCCESS = 0 WAC_DISABLED = 1 WAC_PROCEED_FIRST_PHASE = 2 WAC_PROCEED_SECOND_PHASE = 3 |
Unknown (if any?) |
When some case: 00h A_UINT8 11h ie[17]; When some other case: 00h A_INT32 4 wac_status; |
00h A_UINT8 6 bssid[ATH_MAC_LEN]; 06h A_UINT8 8 pin[8]; ;aka "wps_pin[8]" presumably? |
| DSi Atheros Wifi - Unimplemented WMI RF Kill and Store/Recall Functions |
Unknown (none?) |
00h A_UINT8 1 GPIOPinNumber ;GPIO related 01h A_UINT8 1 IntrType ;? 02h A_UINT8 1 RadioState ;RFKILL_RADIO_STATE |
RADIO_STATE_OFF = 01h RADIO_STATE_ON = 02h RADIO_STATE_INVALID = FFh |
Unknown (if any?) |
Unknown (maybe some format as in "SET_RFKILL" command parameters?) |
00h A_UINT8 1 enable (probably some flag) 01h A_UINT8 1 recipient (only one value defined: STRRCL_RECIPIENT_HOST = 1) |
00h A_UINT32 4 length; ;number of bytes of data to follow 04h A_UINT8 .. data[1]; ;start of "RECALL" data |
00h A_UINT32 4 sleep_msec; 04h A_UINT8 1 store_after_tx_empty; 05h A_UINT8 1 store_after_fresh_beacon_rx; |
00h A_UINT32 4 msec_sleep; ;time between power off/on 04h A_UINT32 4 length; ;length of following data 08h A_UINT8 .. data[1]; ;start of "STORE" data |
| DSi Atheros Wifi - Unimplemented WMI THIN Functions |
00h A_UINT32 4 cfgField ;combination of WMI_THIN_CFG_... 04h A_UINT16 2 length ;length in bytes of appended sub-command(s) 06h A_UINT8 2 reserved[2] ;align padding 08h ... .. structure(s) selected in "cfgField"... |
+00h A_UINT8 1 version (the versioned type of messages to use, 0=disable)
+01h A_UINT8 1 countThreshold (msg count threshold triggering a tx
complete message)
+02h A_UINT16 2 timeThreshold (timeout interval in MSEC triggering a
tx complete message)
|
+00h A_UINT8 1 enable (1=send decrypt errors to the host, 0=don't) +01h A_UINT8 3 reserved[3] (align padding) |
Unused. |
+00h A_UINT32 4 rules (combination of WMI_WRT_... values) |
+00h A_UINT32 4 rules (combination of WMI_FILT_... values) |
+00h A_UINT8 1 enable (enables/disables firmware cipher encapsulation) +01h A_UINT8 3 reserved[3] (align padding) |
WMI_THIN_CFG_TXCOMP = 00000001h WMI_THIN_CFG_DECRYPT = 00000002h WMI_THIN_CFG_MAC_RULES = 00000004h ;old version (or planned for future?) WMI_THIN_UNUSED1 = 00000004h ;current version WMI_THIN_CFG_FILTER_RULES = 00000008h WMI_THIN_CFG_CIPHER_ENCAP = 00000010h |
00h A_UINT16 2 length; /* the length in bytes of the appended MIB data 02h A_UINT8 1 mibID; /* the ID of the MIB element being set 03h A_UINT8 1 reserved; /* align padding |
00h A_UINT8 1 mibID; /* the ID of the MIB element being set 01h A_UINT8 3 reserved[3]; /* align padding |
00h A_UINT32 4 basicRateMask; /* bit mask of basic rates 04h A_UINT32 4 beaconIntval; /* TUs 08h A_UINT16 2 atimWindow; /* TUs 0Ah A_UINT16 2 channel; /* frequency in MHz 0Ch A_UINT8 1 networkType; /* INFRA_NETWORK | ADHOC_NETWORK 0Dh A_UINT8 1 ssidLength; /* 0 - 32 0Eh A_UINT8 1 probe; /* != 0 : issue probe req at start 0Fh A_UINT8 1 reserved; /* alignment 10h A_UCHAR 20h ssid[WMI_MAX_SSID_LEN]; 30h A_UINT8 6 bssid[ATH_MAC_LEN]; |
00h A_UINT16 2 dtim; /* dtim interval in num beacons 02h A_UINT16 2 aid; /* 80211 association ID from Assoc resp |
00h A_UINT8 4 reserved[4]; |
Unknown (maybe same/similar format as for "SET_MIB" command parameters?) |
00h A_UINT8 1 result (the result of the join command) 01h A_UINT8 3 reserved[3]; /* alignment |
WMI_THIN_JOIN_RES_SUCCESS = 0 ;device has joined the network WMI_THIN_JOIN_RES_FAIL = 1 ;failed for unspecified reason WMI_THIN_JOIN_RES_TIMEOUT = 2 ;failed due to no beacon rx in time limit WMI_THIN_JOIN_RES_BAD_PARAM = 3 ;failed due to bad cmd param WMI_THIN_JOIN_RES_IBSS_START = 4 ;device started new IBSS network |
When mibID=01h=MIB_ID_STA_MAC; WMI_THIN_MIB_STA_MAC struct: (R)
00h A_UINT8 6 addr[ATH_MAC_LEN];
When mibID=02h=MIB_ID_RX_LIFE_TIME; WMI_THIN_MIB_RX_LIFE_TIME struct: (-)
00h A_UINT32 4 time (units = msec)
When mibID=03h=MIB_ID_SLOT_TIME; WMI_THIN_MIB_SLOT_TIME struct: (R/W)
00h A_UINT32 4 time (units = usec)
When mibID=04h=MIB_ID_RTS_THRESHOLD; WMI_THIN_MIB_RTS_THRESHOLD struct: (R/W)
00h A_UINT16 2 length (units = bytes)
When mibID=05h=MIB_ID_CTS_TO_SELF; WMI_THIN_MIB_CTS_TO_SELF struct: (R/W)
00h A_UINT8 1 enable (1=on, 0=off)
When mibID=06h=MIB_ID_TEMPLATE_FRAME; WMI_THIN_MIB_TEMPLATE_FRAME struct: (W)
00h A_UINT8 1 type (type of frame, 0..5, see below "FRM" values)
01h A_UINT8 1 rate (tx rate to be used, one of WMI_BIT_RATE)
02h A_UINT16 2 length (num bytes following this structure as template data)
04h .. .. template data
Frame "type" values: frame max length:
TEMPLATE_FRM_PROBE_REQ = 0 FRM_LEN_PROBE_REQ = 256 ;\Symbian dictates a
TEMPLATE_FRM_BEACON = 1 FRM_LEN_BEACON = 256 ; minimum of 256 for
TEMPLATE_FRM_PROBE_RESP= 2 FRM_LEN_PROBE_RESP = 256 ;/these 3 frame types
TEMPLATE_FRM_NULL = 3 FRM_LEN_NULL = 32
TEMPLATE_FRM_QOS_NULL = 4 FRM_LEN_QOS_NULL = 32
TEMPLATE_FRM_PSPOLL = 5 FRM_LEN_PSPOLL = 32
Total sum of above lengths: TEMPLATE_FRM_LEN_SUM = 256+256+256+32+32+32
When mibID=07h=MIB_ID_RXFRAME_FILTER; WMI_THIN_MIB_RXFRAME_FILTER struct:(R/W)
00h A_UINT32 4 filterMask;
FRAME_FILTER_PROMISCUOUS = 00000001h
FRAME_FILTER_BSSID = 00000002h
When mibID=08h=MIB_ID_BEACON_FILTER_TABLE; Several structure(s)...? (W)
There are three related sturctures; the actual "TABLE", and additional
"TABLE_OUI" and "TABLE_HEADER"; unknown which of those structure(s) are
meant to be used here...
WMI_THIN_MIB_BEACON_FILTER_TABLE structure:
00h A_UINT8 1 ie;
01h A_UINT8 1 treatment;
IE_FILTER_TREATMENT_CHANGE = 1
IE_FILTER_TREATMENT_APPEAR = 2
WMI_THIN_MIB_BEACON_FILTER_TABLE_OUI structure:
00h A_UINT8 1 ie;
01h A_UINT8 1 treatment;
02h A_UINT8 3 oui[3];
05h A_UINT8 1 type;
06h A_UINT16 2 version;
WMI_THIN_MIB_BEACON_FILTER_TABLE_HEADER structure:
00h A_UINT16 2 numElements
02h A_UINT8 1 entrySize (sizeof(WMI_THIN_MIB_BEACON_FILTER_TABLE) on
03h A_UINT8 1 reserved host cpu may be 2 may be 4)
When mibID=09h=MIB_ID_BEACON_FILTER; WMI_THIN_MIB_BEACON_FILTER struct: (R/W)
00h A_UINT32 4 count (num beacons between deliveries)
04h A_UINT8 1 enable;
05h A_UINT8 3 reserved[3];
When mibID=0Ah=MIB_ID_BEACON_LOST_COUNT; WMI_THIN_MIB_BEACON_LOST_COUNT: (W)
00h A_UINT32 4 count (num consec lost beacons after which send event)
When mibID=0Bh=MIB_ID_RSSI_THRESHOLD; WMI_THIN_MIB_RSSI_THRESHOLD struct: (W)
00h A_UINT8 1 rssi (the low threshold which can trigger an event warning)
01h A_UINT8 1 tolerance (the range above and below the threshold to
prevent event flooding to the host)
02h A_UINT8 1 count (the sample count of consecutive frames necessary to
trigger an event)
03h A_UINT8 1 reserved[1] (padding)
When mibID=0Ch=MIB_ID_HT_CAP; WMI_THIN_MIB_HT_CAP struct: (-)
00h A_UINT32 4 cap;
04h A_UINT32 4 rxRateField;
08h A_UINT32 4 beamForming;
0Ch A_UINT8 6 addr[ATH_MAC_LEN];
12h A_UINT8 1 enable;
13h A_UINT8 1 stbc;
14h A_UINT8 1 maxAMPDU;
15h A_UINT8 1 msduSpacing;
16h A_UINT8 1 mcsFeedback;
17h A_UINT8 1 antennaSelCap;
When mibID=0Dh=MIB_ID_HT_OP; WMI_THIN_MIB_HT_OP struct: (-)
00h A_UINT32 4 infoField;
04h A_UINT32 4 basicRateField;
08h A_UINT8 1 protection;
09h A_UINT8 1 secondChanneloffset;
0Ah A_UINT8 1 channelWidth;
0Bh A_UINT8 1 reserved;
When mibID=0Eh=MIB_ID_HT_2ND_BEACON; WMI_THIN_MIB_HT_2ND_BEACON struct: (-)
00h A_UINT8 1 cfg (see below SECOND_BEACON_xxx values)
01h A_UINT8 3 reserved[3] (padding)
SECOND_BEACON_PRIMARY = 1
SECOND_BEACON_EITHER = 2
SECOND_BEACON_SECONDARY = 3
When mibID=0Fh=MIB_ID_HT_BLOCK_ACK; WMI_THIN_MIB_HT_BLOCK_ACK struct: (-)
00h A_UINT8 1 txTIDField
01h A_UINT8 1 rxTIDField
02h A_UINT8 2 reserved[2] (padding)
When mibID=10h=MIB_ID_PREAMBLE; WMI_THIN_MIB_PREAMBLE struct: (R/W)
00h A_UINT8 1 enableLong (1=long preamble, 0=short preamble)
01h A_UINT8 3 reserved[3]
When mibID=N/A=MIB_ID_GROUP_ADDR_TABLE ;[NOT IMPLEMENTED] (-)
When mibID=N/A=MIB_ID_WEP_DEFAULT_KEY_ID ;satisfied by wmi_addKey_cmd() (-)
When mibID=N/A=MIB_ID_TX_POWER ;[NOT IMPLEMENTED] (-)
When mibID=N/A=MIB_ID_ARP_IP_TABLE ;[NOT IMPLEMENTED] (-)
When mibID=N/A=MIB_ID_SLEEP_MODE ;[NOT IMPLEMENTED] (-)
When mibID=N/A=MIB_ID_WAKE_INTERVAL ;[NOT IMPLEMENTED] (-)
When mibID=N/A=MIB_ID_STAT_TABLE ;[NOT IMPLEMENTED] (-)
When mibID=N/A=MIB_ID_IBSS_PWR_SAVE ;[NOT IMPLEMENTED] (-)
When mibID=N/A=MIB_ID_COUNTERS_TABLE ;[NOT IMPLEMENTED] (-)
When mibID=N/A=MIB_ID_ETHERTYPE_FILTER ;[NOT IMPLEMENTED] (-)
When mibID=N/A=MIB_ID_BC_UDP_FILTER ;[NOT IMPLEMENTED] (-)
N/A
|
WMI_WRT_VER_TYPE = 00000001h
WMI_WRT_DURATION = 00000002h
WMI_WRT_DIRECTION = 00000004h
WMI_WRT_POWER = 00000008h
WMI_WRT_WEP = 00000010h
WMI_WRT_MORE = 00000020h
WMI_WRT_BSSID = 00000040h
WMI_WRT_QOS = 00000080h
WMI_WRT_SEQNO = 00000100h
WMI_GUARD_TX = 00000200h ;prevent TX ops that are not allowed for a
; current state
WMI_WRT_DEFAULT_CONFIG = 3FFh ;<-- default all bits set
|
| DSi Atheros Wifi - Unimplemented WMI Pyxis Functions |
Config Header: 00h A_UINT16 2 pyxisConfigType ;One of WMI_PYXIS_CONFIG_TYPE 02h A_UINT16 2 pyxisConfigLen ;Length in Bytes of Information that follows When pyxisConfigType=0=WMI_PYXIS_GEN_PARAMS 04h A_UINT32 2 dataWindowSizeMin 08h A_UINT32 2 dataWindowSizeMax 0Ch A_UINT8 1 maxJoiners When pyxisConfigType=1=WMI_PYXIS_DSCVR_PARAMS 04h A_UINT32 4 dscvrWindow 08h A_UINT32 4 dscvrInterval 0Ch A_UINT32 4 dscvrLife 10h A_UINT32 4 probeInterval 14h A_UINT32 4 probePeriod 18h A_UINT16 2 dscvrChannel When pyxisConfigType=2=WMI_PYXIS_SET_TX_MODE 04h A_BOOL 4 mode |
Command Header:
00h A_UINT16 2 pyxisCmd
02h A_UINT16 2 pyxisCmdLen ;Length following this header
When pyxisCmd=0=WMI_PYXIS_DISC_PEER
04h A_UINT8 6 peerMacAddr[ATH_MAC_LEN]
When pyxisCmd=1=WMI_PYXIS_JOIN_PEER
04h A_UINT32 4 ctrl_flags (One of the Bits determines if it
is Virt Adhoc/the device is to join a BSS)
08h A_UINT16 2 channel ;Data Channel
0Ah A_UINT8 1 networkType ;network type
0Bh A_UINT8 1 dot11AuthMode ;OPEN_AUTH
0Ch A_UINT8 1 authMode ;NONE_AUTH
0Dh A_UINT8 1 pairwiseCryptoType ;One of NONE_CRYPT, AES_CRYPT
0Eh A_UINT8 1 pairwiseCryptoLen ;0 since ADD_KEY passes the length
0Fh A_UINT8 1 groupCryptoType ;One of NONE_CRYPT, AES_CRYPT
10h A_UINT8 1 groupCryptoLen ;0 since ADD_KEY passes the length
11h A_UINT8 6 peerMacAddr[ATH_MAC_LEN] ;BSSID of peer network
17h A_UINT8 6 nwBSSID[ATH_MAC_LEN] ;BSSID of the Pyxis Adhoc Network
When pyxisCmd=?=WHAT? below is also "incompletely-defined" as pyxisCmd:
04h A_BOOL 4 mode (what is this here? dupe of WMI_PYXIS_CONFIG_CMD?)
|
| DSi Atheros Wifi I2C EEPROM |
device = A0h + direction_flag + (addr/100h)*2 ;for devices with 8bit index device = A0h + direction_flag ;for devices with 16bit index |
000h 4 Maybe Size, ID, or Version? (00000300h) 004h 2 Checksum (all halfwords at [0..2FFh] XORed shall give FFFFh) 006h 2 Unknown 008h 2 Country+8000h ;eg. 8000h+188h=JP, 8000h+348h=US (REG_DOMAIN) 00Ah 6 MAC Address (must be same as in SPI FLASH) 010h 4 Type/version? (MSB must be 60h, verified by ARM7) 014h 4 Zerofilled 018h 5 Unknown 01Dh 1Fh Zerofilled 03Ch 70h FFh-filled 0ACh 8 Zerofilled 0B4h 12 Unknown 0C0h 20 Unknown 0D4h 18h Zerofilled 0ECh 4 Unknown 0F0h 4 Unknown, overwritten by [0ECh] after loading 0F4h 12 Unknown, similar to data at 0B4h ? 100h 20 Unknown, similar to data at 0C0h ? 114h 2Ch Zerofilled 140h 8 FFh-filled 148h 4 Unknown 14Ch 88h Zerofilled 1D4h 3x18 Unknown 212h 18 Zerofilled 224h 4x4 Unknown ;\ 234h 2x4 Unknown ; 23Ch 3x4 Unknown ; together 15x4 maybe ? 248h 12 Unknown ; 254h 3x4 Unknown ;/ 260h 60h Unknown 2C0h 40h Zerofilled 300h 100h Not used (not loaded to RAM) |
| DSi Atheros Wifi Internal Hardware |
| DSi Atheros Wifi - Xtensa CPU Registers |
- AR Address registers A0..A15 (general purpose registers) - PC Program Counter |
A0 general purpose (and return address for CALL/RET opcodes) A1 general purpose (commonly used as stack pointer) A2..A15 general purpose |
CALL4 saves A0..A3 and moves A4..A15 to A0..A11 ;\and, probably copies CALL8 saves A0..A7 and moves A8..A15 to A0..A7 ; old A1 to new A1 (?), CALL12 saves A0..A11 and moves A12..A15 to A0..A3 ;/and new A0=ret_addr ENTRY used at begin of sub-functions (allocate local variables on stack) RETW windowed return (deallocate locals, and undo the CALL4/8/12 rotation) |
0 00h LBEG Loop Begin ;\ 1 01h LEND Loop End ; Loop option 2 02h LCOUNT Loop Count ;/ 3 03h SAR Shift-Amount Register ;-Core 4 04h BR Boolean Registers (16x1bit) ;-Boolean option 5 05h LITBASE Literal Base ;-Literal base option 12 0Ch SCOMPARE1 ;-Multiprocessor... vs S32C1I 16 10h ACCLO Accumulator low (32bit) ;\ 17 11h ACCHI Accumulator high (8bit) ; 32 20h MR0 MAC16 register m0 (32bit) ; MAC16 option 33 21h MR1 MAC16 register m1 (32bit) ; 34 22h MR2 MAC16 register m2 (32bit) ; 35 23h MR3 MAC16 register m3 (32bit) ;/ 177 B1h EPC[1] Exception Program Counter ;\ 232 E8h EXCAUSE Cause of last Exception ; 209 D1h EXCSAVE[1] ; 230 E6h PS ; Exception option 230 E6h PS.EXCM ; 238 EEH EXCVADDR ; 192 C0h DEPC ;/ see PS.INTLEVEL ;-Interrupt option 178..183 B2h.. EPC[2..7] ;\ 194..199 C2h.. EPS[2..7] ; High-Priority Interrupt option 210..215 D2h.. EXCSAVE[2..7] ;/ 234 EAh CCOUNT ;\Timer Interrupt option 240-242 F0h CCOMPARE ;/ - AR[NAREG] ;\ 72 48h WindowBase ; Windowed Register option 73 49h WindowStart ; 230 E6h PS.CALLINC ; 230 E6h PS.OWB ; 230 E6h PS.WOE ;/ 244-247 F4h.. MISC ;-Misc Special Register option 236 ECh ICOUNT ;\ 237 EDh ICOUNTLEVEL ; 128-129 80h.. IBREAKA ; 96 60h IBREAKENABLE ; Debug option 144-145 90h.. DBREAKA ; 160-161 A0h.. DBREAKC ; 233 E9h DEBUGCAUSE ; 104 68h DDR ;/ 230 E6h PS.RING ;\ 83 53h PTEVADDR ; 90 5Ah RASID ; MMU option 91 5Bh ITLBCFG ; 92 5Ch DTLBCFG ; see ITLB ; see DTLB ;/ 98 62h CACHEATTR ;- 99 63h ATOMCTL ;- 224 E0h CPENABLE ;- 226 E2h INTERRUPT (R);\ 226 E2h INTSET (W); Interrupt 227 E3h INTCLEAR ; 228 E4h INTENABLE ;/ 106 6Ah MEPC ;\ 107 6Bh MEPS ; 108 6Ch MESAVE ; Memory ECC/Parity 109 6Dh MESR ; 110 6Eh MECR ; 111 6Fh MEVADDR ;/ 89 59h MMID ;-Trace Port 231 E7h VECBASE ;- 235 EBh PRID ;-Processor ID |
0-223 0-DFh Available for designer extensions 192-255 C0h.. Reserved by Tensilica (conflicts with above "available" info?) 231 E7h THREADPTR ;-Thread Pointer 232 E8h FCR (float control) ;\ 233 E9h FSR (float status) ; Float - FR (f0..f15?) ;/ |
| DSi Atheros Wifi - Xtensa CPU Core Opcodes |
Opcode Native Nocash Expl. ii0st2h L8UI at,as,imm movb at,[as+imm8] Load 8bit Unsigned ii1st2h L16UI at,as,imm*2 movh at,[as+imm8*2] Load 16bit Unsigned ii9st2h L16SI at,as,imm*2 movsh at,[as+imm8*2] Load 16bit Signed ii2st2h L32I at,as,imm*4 mov at,[as+imm8*4] Load 32bit ii4st2h S8I at,as,imm movb [as+imm8],at Store 8bit ii5st2h S16I at,as,imm*2 movh [as+imm8*2],at Store 16bit ii6st2h S32I at,as,imm*4 mov [as+imm8*4],at Store 32bit iiiit1h L32R at,adr movp at,literal Load 32bit literal pool iiAit2h MOVI at,imm12 mov at,+/-imm12 Move Immediate(signed) 83rst0h MOVEQZ ar,as,at movz at,ar,as Move if at=0 ;zero 93rst0h MOVNEZ ar,as,at movnz at,ar,as Move if at<>0 ;nonzero A3rst0h MOVLTZ ar,as,at movs at,ar,as Move if at<0 ;negative B3rst0h MOVGEZ ar,as,at movns at,ar,as Move if at>=0 ;positive |
Opcode Native Nocash Expl. iiCst2h ADDI at,as,imm8 add at,as,+/-imm8 Add Immediate (signed) iiDst2h ADDMI at,as,imm add at,as,+/-imm8*256 Add Immediate*100h 80rst0h ADD ar,as,at add ar,as,at Add (as+at) 90rst0h ADDX2 ar,as,at add ar,at,as*2 Add shift1 (as*2+at) A0rst0h ADDX4 ar,as,at add ar,at,as*4 Add shift2 (as*4+at) B0rst0h ADDX8 ar,as,at add ar,at,as*8 Add shift3 (as*8+at) C0rst0h SUB ar,as,at sub ar,as,at Subtract (as-at) D0rst0h SUBX2 ar,as,at sub ar,as*2,at Sub shift1 (as*2-at) E0rst0h SUBX4 ar,as,at sub ar,as*4,at Sub shift2 (as*4-at) F0rst0h SUBX8 ar,as,at sub ar,as*8,at Sub shift3 (as*8-at) 60r0t0h NEG ar,at neg ar,at Negate 60r1t0h ABS ar,at abs ar,at Absolute Value 10rst0h AND ar,as,at and ar,as,at Bitwise Logical And 20rst0h OR ar,as,at or ar,as,at ;akaMOV Bitwise Logical Or 30rst0h XOR ar,as,at xor ar,as,at Bitwise Logical Xor |
Opcode Native Nocash Expl. 01rsi0h SLLI ar,as,32-imm5 shl ar,as,32-imm5 Shift Left Logical 21rit0h SRAI ar,at,imm5 sar ar,at,imm5 Shift Right Arithmetic 41rit0h SRLI ar,at,imm4 shr ar,at,imm4 Shift Right Logical m4rst0h EXTUI ar,at,s,m shrmask ar,at,imm5,mask ExtractUnsignedImm 81rst0h SRC ar,as,at shr ar,as,at,shiftreg Shift Right Combined 91r0t0h SRL ar,at shr ar,at,shiftreg Shift Right Logical A1rs00h SLL ar,as shl ar,as,shiftreg ?? Shift Left Logical B1r0t0h SRA ar,at sar ar,at,shiftreg Shift Right Arithmetic 400s00h SSR as mov shiftreg,as SetShiftAm for RightSh 401s00h SSL as sub shiftreg,32,as SetShiftAm for LeftSh 402s00h SSA8L as mov shiftreg,as*8 SetShiftAmFor LE shift 403s00h SSA8B as sub shiftreg,32,as*8 SetShiftAmFor BE shift 404i.0h SSAI imm5 mov shiftreg,imm5sar SetShiftAm Immediate |
Opcode Native Nocash Expl. iiii06h J adr jmp rel18 Unconditional Jump 000sA0h JX as jmp as Unconditional Jump Reg iiii05h CALL0 adr call0 rel18x4 Non-windowed Call 000sC0h CALLX0 as call0 as Non-windowed Call Reg 000080h RET ;(jx a0) ret ;(jx a0) Non-Windowed Return |
Opcode Native Nocash Branch if... iiis16h BEQZ as,adr jz as,rel12 as=0 iiis56h BNEZ as,adr jnz as,rel12 as<>0 iiis96h BLTZ as,adr js as,rel12 as<0 (signed) iiisD6h BGEZ as,adr jns as,rel12 as>=0 (signed) iics26h BEQI as,c,adr je as,const4,rel8 as=Imm4(c) iics66h BNEI as,c,adr jne as,const4,rel8 as<>Imm4(c) iicsA6h BLTI as,c,adr jl as,const4,rel8 as<Imm4(c) (signed) iicsE6h BGEI as,c,adr jge as,const4,rel8 as>=Imm4(c) (signed) iicsB6h BLTUI as,c,adr jb as,const4u,rel8 as<UnsiImm4 (unsigned) iicsF6h BGEUI as,c,adr jae as,const4u,rel8 as>=UnsiImm4 (unsigned) ii1st7h BEQ as,at,adr je as,at,rel8 as=at equal ii9st7h BNE as,at,adr jne as,at,rel8 as<>at not equal ii2st7h BLT as,at,adr jl as,at,rel8 as<at less (signed) iiAst7h BGE as,at,adr jge as,at,rel8 as>=at gt/eq (signed) ii3st7h BLTU as,at,adr jb as,at,rel8 as<at less (unsigned) iiBst7h BGEU as,at,adr jae as,at,rel8 as>=at gt/eq (unsigned) ii0st7h BNONE as,at,adr tstjz as,at,rel8 (as AND at)=0 ;none ii8st7h BANY as,at,adr tstjnz as,at,rel8 (as AND at)<>0 ;any set ii4st7h BALL as,at,adr tstje as,at,rel8 (as AND at)=at ;all set iiCst7h BNALL as,at,adr tstjne as,at,rel8 (as AND at)<>at;not all ii5st7h BBC as,at,adr tstjz as,1 shl at,rel8 (as AND (1 shl at))=0 ii6sb7h BBCI as,b,adr tstjz as,1 shl imm5,r8 (as AND (1 shl imm))=0 iiDst7h BBS as,at,adr tstjnz as,1 shl at,rel8 (as AND (1 shl at))<>0 iiEsb7h BBSI as,b,adr tstjnz as,1 shl imm5,r8 (as AND (1 shl imm))<>0 |
Opcode Native Nocash Expl. 406st0h RER at,as mov at,ext[as] ReadExternal Register 407st0h WER at,as mov ext[as],at WriteExternalRegister 03iit0h RSR at,imm8 mov at,special[imm8] ReadSpecial Register 13iit0h WSR at,imm8 mov special[imm8],at WriteSpecialRegister 61iit0h XSR at,imm8 xchg at,special[imm8] ExchangeSpecialRegister 002000h ISYNC isync Instruction Fetch Sync 002010h RSYNC rsync Register Read Sync 002020h ESYNC esync Execute Synchronize 002030h DSYNC dsync Load/Store Synchronize 0020C0h MEMW memwait Memory Wait 0020D0h EXTW extwait External Wait 0020F0h NOP nop No-Operation |
MOV ar,as Macro (=OR ar,as,as) NOP Alias for "OR An,An,An" (alternate, instead of 0020F0h) J.L adr,as Macro (J or LiteralLoad+JX) BBCI.L as,b,adr Macro Branch Bit Clear Imm5 LE BBSI.L as,b,adr Macro Branch Bit Set Imm5 LE SRLI ar,at,imm5 Alias for "SRLI ar,at,imm4" or EXTUI (when imm5>=16) |
mov br,bs or br,bs,bs mov br,0 and br,bs,not bs mov br,1 or br,bs,not bs sub at,as,imm add at,as,-imm mov sfr_xxx mov special[imm8] alu ax,... alu ax,ax,... |
| DSi Atheros Wifi - Xtensa CPU Optional General Opcodes |
Opcode Native Nocash 008st0h ANY4 bt,bs or bt,bs..bs+3 Any 4 Booleans True 009st0h ALL4 bt,bs and bt,bs..bs+3 All 4 Booleans True 00Ast0h ANY8 bt,bs or bt,bs..bs+7 Any 8 Booleans True 00Bst0h ALL8 bt,bs and bt,bs..bs+7 All 8 Booleans True 02rst0h ANDB br,bs,bt and br,bs,bt BooleanAnd 12rst0h ANDBC br,bs,bt and br,bs,not bt BooleanAndComplement(t) 22rst0h ORB br,bs,bt or br,bs,bt BooleanOr 32rst0h ORBC br,bs,bt or br,bs,not bt BooleanOrComplement(t) 42rst0h XORB br,bs,bt xor br,bs,bt Boolean Xor C3rst0h MOVF ar,as,bt movz bt,ar,as Move if False D3rst0h MOVT ar,as,bt movnz bt,ar,as Move if True ii0s76h BF bs,adr jz bs,rel8 Branch if False ii1s76h BT bs,adr jnz bs,rel8 Branch if True |
40Est0h NSA at,as nsa at,as Normaliz.ShiftAmount 40Fst0h NSAU at,as nsau at,as Norma.ShiftAmUnsigned 23rsi0h SEXT ar,as,imm sext ar,as,imm4+7 Sign Extend 7..22 33rsi0h CLAMPS ar,as,imm clamps ar,as,imm4+7 Signed Clamp minmax 43rst0h MIN ar,as,at min ar,as,at Minimum Value Signed 53rst0h MAX ar,as,at max ar,as,at Maximum Value Signed 63rst0h MINU ar,as,at minu ar,as,at Minimum Value Unsigned 73rst0h MAXU ar,as,at maxu ar,as,at Maximum Value Unsigned |
ii8s76h LOOP as,adr loop as,rel8abs Loop ii9s76h LOOPNEZ as,adr loopnz as,rel8abs Loop if NotEqual zero iiAs76h LOOPGTZ as,adr loopgtz as,rel8abs Loop if Greater zero |
iiii15h CALL4 adr call4 rel18x4 Call RotateWinBy4 iiii25h CALL8 adr call8 rel18x4 Call RotateWinBy8 iiii35h CALL12 adr call12 rel18x4 Call RotateWinBy12 000sD0h CALLX4 as call4 as Call RegRotateBy4 000sE0h CALLX8 as call8 as Call RegRotateBy8 000sF0h CALLX12 as call12 as Call RegRotateBy12 iiis36h ENTRY as,imm*8 entry as,imm12*8 Subroutine Entry 000090h RETW retw Windowed-Return 003400h RFWO ret_wo RetFromWinOverflow 003500h RFWU ret_wu RetFromWinUnderflw 001st0h MOVSP at,as movsp at,as Move to Stack Ptr 4080i0h ROTW imm4 rotw imm4 Rotate Window -8..+7 09ist0h L32E at,as,imm mov_e at,[as-imm*4] Load32bitException 49ist0h S32E at,as,imm mov_e [as-imm*4],at StrWinForExcepts |
--ist8h L32I.N at,as,imm4*4 mov at,[as+imm4*4] Load 32bit --ist9h S32I.N at,as,imm4*4 mov [as+imm4*4],at Store 32bit --rstAh ADD.N ar,as,at add ar,as,at Add --rsiBh ADDI.N ar,as,imm4 add ar,as,imm4 Add Imm (0=-1 or 1..15) --is0Ch MOVI.N as,imm mov as,imm7 Move Imm (-32..95) --is8Ch BEQZ.N as,adr jz as,rel6abs Branch if as=0 --isCCh BNEZ.N as,adr jnz as,rel6abs Branch if as<>0 --0stDh MOV.N at,as mov at,as Move --F00Dh RET.N ;(jx a0) ret ;jx a0 Non-Windowed Return --F01Dh RETW.N retw Windowed Return --F06Dh ILL.N ill Xcept Illegal Instr. --Fi2Dh BREAK.N imm4 break imm4 Debug Breakpoint --F03Dh NOP.N nop No-Operation |
C1rst0h MUL16U ar,as,at umul16 ar,as,at Multiply16bitUnsigned D1rst0h MUL16S ar,as,at smul16 ar,as,at Multiply16bitSigned |
82rst0h MULL ar,as,at mul ar,as,at Multiply Low A2rst0h MULUH ar,as,at umulhi ar,as,at MultiplyUnsignedHigh B2rst0h MULSH ar,as,at smulhi ar,as,at MultiplySignedHigh |
C2rst0h QUOU ar,as,at udiv ar,as,at Quotient Unsigned D2rst0h QUOS ar,as,at sdiv ar,as,at Quotient Signed E2rst0h REMU ar,as,at udivrem ar,as,at Remainder Unsigned F2rst0h REMS ar,as,at sdivrem ar,as,at Remainder Signed |
| DSi Atheros Wifi - Xtensa CPU Optional Exception/Cache/MMU Opcodes |
006it0h RSIL at,level xchg at,ps,intlevel i Read/Set IntLevel 007i00h WAITI level waiti ps,intlevel i Set IntLevel and Wait |
003i10h RFI level ret_i level RetFromHiPrioInt |
000000h ILL ill Illegal Instruction 002080h EXCW xceptwait Exception Wait 003000h RFE ret_e RetFromException 003100h RFUE ret_ue RetFromUserModeExcept 003200h RFDE ret_de RetFromDoubleExcept 005000h SYSCALL syscall System Call |
004xy0h BREAK imm4,imm4 break imm8 Breakpoint F1E000h RFDO ret_do RetFromDebugOperat. F1Es10h RFDD ;s=??? rer_dd imm1 RetFromDebugDispatch |
003020h RFME ret_me RetFromMemError |
E3rii0h RUR ar,imm8 mov ar,user[imm8] Read User Register F3iit0h WUR at,imm8 mov user[imm8],at WriteUserRegister |
503st0h RITLB0 at,as mov at,itlb0[as] Read InstTLB Virtual 507st0h RITLB1 at,as mov at,itlb1[as] Read InstTLB Translat 50Bst0h RDTLB0 at,as mov at,dtlb0[as] Read DataTLB Virtual 50Fst0h RDTLB1 at,as mov at,dtlb1[as] Read DataTLB Translat 504s00h IITLB as inv itlb[as] Invalidate InstTLB 50Cs00h IDTLB as inv dtlb[as] Invalidate DataTLB 505st0h PITLB at,as probe at,itlb[as] Probe InstTLB 50Dst0h PDTLB at,as probe at,dtlb[as] Probe DataTLB 506st0h WITLB at,as mov itlb[as],at Write InstTLB Entry 50Est0h WDTLB at,as mov dtlb[as],at Write DataTLB Entry |
iiBst2h L32AI at,as,i*4 mov_m at,[as+imm8*4] Load 32bit Acquire iiFst2h S32RI at,as,imm*4 mov_m [as+imm8*4],at Store 32bit Release |
iiEst2h S32C1I at,as,imm*4 s32c1i at,[as+imm8*4] CompareCond |
i07s82h DPFL as,imm4*16 cach_dpfl [as+imm4*16] PrefetchAndLock * i27s82h DHU as,imm4*16 cach_dhu [as+imm4*16] HitUnlock i37s82h DIU as,imm4*16 cach_diu [as+imm4*16] Index Unlock i47s82h DIWB as,imm4*16 cach_diwb [as+imm4*16] Index Writeback i57s82h DIWBI as,imm4*16 cach_diwbi [as+imm4*16] Index WbInvali. ii7s02h DPFR as,imm8*4 cach_dpfr [as+imm8*4] PrefetchForRead ii7s12h DPFW as,imm8*4 cach_dpfw [as+imm8*4] PrefetchForWrite ii7s22h DPFRO as,imm8*4 cach_dpfro [as+imm8*4] PrefetchForRdOnce ii7s32h DPFWO as,imm8*4 cach_dpfwo [as+imm8*4] PrefetchForWrOnce ii7s42h DHWB as,imm8*4 cach_dhwb [as+imm8*4] HitWriteback ii7s52h DHWBI as,imm8*4 cach_dhwbi [as+imm8*4] HitWritebackInv. ii7s62h DHI as,imm8*4 cach_dhi [as+imm8*4] HitInvalidate ii7s72h DII as,imm8*4 cach_dii [as+imm8*4] Index Invalidate |
i07sD2h IPFL as,imm4*16 cach_ipfl [as+imm4*16] PrefetchAndLock * i27sD2h IHU as,imm4*16 cach_ihu [as+imm4*16] Hit Unlock i37sD2h IIU as,imm4*16 cach_iiu [as+imm4*16] Index Unlock ii7sC2h IPF as,imm8*4 cach_ipf [as+imm8*4] Prefetch ii7sE2h IHI as,imm8*4 cach_ihi [as+imm8*4] Hit Invalidate ii7sF2h III as,imm8*4 cach_iii [as+imm8*4] Index Invalidate |
F18st0h LDCT at,as cach_mov at,dCachTag[as] LoadDataCacheTag F10st0h LICT at,as cach_mov at,iCachTag[as] LoadInstCacheTag F12st0h LICW at,as cach_mov at,iCachDta[as] LoadInstCacheWord F19st0h SDCT at,as cach_mov dCachTag[as],at StoreDataCacheTag F11st0h SICT at,as cach_mov iCachTag[as],at StoreInstCacheTag F13st0h SICW at,as cach_mov iCachDta[as],at StoreInstCacheWord |
71xxx0h ACCER ... accer ... Unknown/Unspecified |
x6xxx0h CUST ... cust ... DesignerDefinedOpcodes |
005100h SIMCALL simcall Non-HW Simulator-Call |
| DSi Atheros Wifi - Xtensa CPU Optional Floating-Point Opcodes |
08rst0h LSX fr,as,at f_mov fr,[as+at] LoadSingleIndexed ii0st3h LSI ft,as,imm*4 f_mov ft,[as+imm8*4] LoadSingleImmediate 48rst0h SSX fr,as,at f_mov [as+at],fr Store Single Indexed ii4st3h SSI ft,as,imm*4 f_mov [as+imm8*4],ft Store Single Immedia. 18rst0h LSXU fr,as,at f_movupd fr,[as+at] LoadSingleIndexed+Upd ii8st3h LSIU ft,as,imm*4 f_movupd ft,[as+imm8*4] LoadSingleImm+Update 58rst0h SSXU fr,as,at f_movupd [as+at],fr Store Single Indx+Upd iiCst3h SSIU ft,as,imm*4 f_movupd [as+imm8*4],ft Store Single Imm+Upd. 0Arst0h ADD.S fr,fs,ft f_add fr,fs,ft Add Single 1Arst0h SUB.S fr,fs,ft f_sub fr,fs,ft Subtract Single 2Arst0h MUL.S fr,fs,ft f_mul fr,fs,ft Multipy Single 4Arst0h MADD.S fr,fs,ft f_muladd fr,fs,ft Multiply+Add Single 5Arst0h MSUB.S fr,fs,ft f_mulsub fr,fs,ft Multiply+Sub Single 8Arsi0h ROUND.S ar,fs,imm4 f_round ar,fs,pow4 Round Single to Fixed 9Arsi0h TRUNC.S ar,fs,imm4 f_trunc ar,fs,pow4 TruncateSingleToFixed EArsi0h UTRUNC.S ar,fs,imm4 f_utrunc ar,fs,pow4 UnsignedTruncatetoFix AArsi0h FLOOR.S ar,fs,imm4 f_floor ar,fs,pow4 FloorSingleToFixed BArsi0h CEIL.S ar,fs,imm4 f_ceil ar,fs,pow4 Ceiling SingleToFixed CArsi0h FLOAT.S fr,as,imm4 f_float fr,as,frac4 ConvertFixedToSingle DArsi0h UFLOAT.S fr,as,imm4 f_ufloat fr,as,frac4 UnsignedFixedToSingle FArs00h MOV.S fr,fs f_mov fr,fs Move Single FArs10h ABS.S fr,fs f_abs fr,fs Absolute Value Single FArs40h RFR ar,fs f_mov ar,fs Move FR to AR FArs50h WFR fr,as f_mov fr,as Move AR to FR FArs60h NEG.S fr,fs f_neg fr,fs Negate Single 1Brst0h UN.S br,fs,ft f_cmp_un br,fs,ft CompareSingle Unord 2Brst0h OEQ.S br,fs,ft f_cmp_oeq br,fs,ft CompareSingle Equal 3Brst0h UEQ.S br,fs,ft f_cmp_ueq br,fs,ft CompareSingle UnordEq 4Brst0h OLT.S br,fs,ft f_cmp_olt br,fs,ft CompareSingle OrdLt 5Brst0h ULT.S br,fs,ft f_cmp_ult br,fs,ft CompareSingle UnorLt 6Brst0h OLE.S br,fs,ft f_cmp_ole br,fs,ft CompareSingle OrdLt/Eq 7Brst0h ULE.S br,fs,ft f_cmp_ule br,fs,ft CompareSingle UnorLtEq 8Brst0h MOVEQZ.S fr,fs,at f_movz at,fr,fs Move Single if at=0 9Brst0h MOVNEZ.S fr,fs,at f_movnz at,fr,fs Move Single if at<>0 ABrst0h MOVLTZ.S fr,fs,at f_movs at,fr,fs Move Single if at<0 BBrst0h MOVGEZ.S fr,fs,at f_movns at,fr,fs Move Single if at>=0 CBrst0h MOVF.S fr,fs,bt f_movz bt,fr,fs Move Single if bt=0 DBrst0h MOVT.S fr,fs,bt f_movnz bt,fr,fs Move Single if bt=1 |
| DSi Atheros Wifi - Xtensa CPU Optional MAC16 Opcodes |
mw = m0..m3 mx = m0..m1 my = m2..m3 as,at = a0..a15 acc = special register acchi(8bit):acclo(32bit) 700st4h UMUL.AA.LL as,at umul acc,as_l,at_l ;\ 710st4h UMUL.AA.HL as,at umul acc,as_h,at_l ; Unsigned Mul 720st4h UMUL.AA.LH as,at umul acc,as_l,at_h ; acc=as*at 730st4h UMUL.AA.HH as,at umul acc,as_h,at_h ;/ 24x0y4h MUL.DD.LL mx,my smul acc,mx_l,my_l ;\ 25x0y4h MUL.DD.HL mx,my smul acc,mx_h,my_l ; Signed Mul 26x0y4h MUL.DD.LH mx,my smul acc,mx_l,my_h ; acc=mx*my 27x0y4h MUL.DD.HH mx,my smul acc,mx_h,my_h ;/ 340sy4h MUL.AD.LL as,my smul acc,as_l,my_l ;\ 350sy4h MUL.AD.HL as,my smul acc,as_h,my_l ; Signed Mul 360sy4h MUL.AD.LH as,my smul acc,as_l,my_h ; acc=as*my 370sy4h MUL.AD.HH as,my smul acc,as_h,my_h ;/ 64x0t4h MUL.DA.LL mx,at smul acc,mx_l,at_l ;\ 65x0t4h MUL.DA.HL mx,at smul acc,mx_h,at_l ; Signed Mul 66x0t4h MUL.DA.LH mx,at smul acc,mx_l,at_h ; acc=mx*at 67x0t4h MUL.DA.HH mx,at smul acc,mx_h,at_h ;/ 740st4h MUL.AA.LL as,at smul acc,as_l,at_l ;\ 750st4h MUL.AA.HL as,at smul acc,as_h,at_l ; Signed Mul 760st4h MUL.AA.LH as,at smul acc,as_l,at_h ; acc=as*at 770st4h MUL.AA.HH as,at smul acc,as_h,at_h ;/ 28x0y4h MULA.DD.LL mx,my smuladd acc,mx_l,my_l ;\ 29x0y4h MULA.DD.HL mx,my smuladd acc,mx_h,my_l ; Signed MulAdd 2Ax0y4h MULA.DD.LH mx,my smuladd acc,mx_l,my_h ; acc=acc+mx*my 2Bx0y4h MULA.DD.HH mx,my smuladd acc,mx_h,my_h ;/ 380sy4h MULA.AD.LL as,my smuladd acc,as_l,my_l ;\ 390sy4h MULA.AD.HL as,my smuladd acc,as_h,my_l ; Signed MulAdd 3A0sy4h MULA.AD.LH as,my smuladd acc,as_l,my_h ; acc=acc+as*my 3B0sy4h MULA.AD.HH as,my smuladd acc,as_h,my_h ;/ 68x0t4h MULA.DA.LL mx,at smuladd acc,mx_l,at_l ;\ 69x0t4h MULA.DA.HL mx,at smuladd acc,mx_h,at_l ; Signed MulAdd 6Ax0t4h MULA.DA.LH mx,at smuladd acc,mx_l,at_h ; acc=acc+mx*at 6Bx0t4h MULA.DA.HH mx,at smuladd acc,mx_h,at_h ;/ 780st4h MULA.AA.LL as,at smuladd acc,as_l,at_l ;\ 790st4h MULA.AA.HL as,at smuladd acc,as_h,at_l ; Signed MulAdd 7A0st4h MULA.AA.LH as,at smuladd acc,as_l,at_h ; acc=acc+as*at 7B0st4h MULA.AA.HH as,at smuladd acc,as_h,at_h ;/ 2Cx0y4h MULS.DD.LL mx,my smulsub acc,mx_l,my_l ;\ 2Dx0y4h MULS.DD.HL mx,my smulsub acc,mx_h,my_l ; Signed MulSub 2Ex0y4h MULS.DD.LH mx,my smulsub acc,mx_l,my_h ; acc=acc-mx*my 2Fx0y4h MULS.DD.HH mx,my smulsub acc,mx_h,my_h ;/ 3C0sy4h MULS.AD.LL as,my smulsub acc,as_l,my_l ;\ 3D0sy4h MULS.AD.HL as,my smulsub acc,as_h,my_l ; Signed MulSub 3E0sy4h MULS.AD.LH as,my smulsub acc,as_l,my_h ; acc=acc-as*my 3F0sy4h MULS.AD.HH as,my smulsub acc,as_h,my_h ;/ 6Cx0t4h MULS.DA.LL mx,at smulsub acc,mx_l,at_l ;\ 6Dx0t4h MULS.DA.HL mx,at smulsub acc,mx_h,at_l ; Signed MulSub 6Ex0t4h MULS.DA.LH mx,at smulsub acc,mx_l,at_h ; acc=acc-mx*at 6Fx0t4h MULS.DA.HH mx,at smulsub acc,mx_h,at_h ;/ 7C0st4h MULS.AA.LL as,at smulsub acc,as_l,at_l ;\ 7D0st4h MULS.AA.HL as,at smulsub acc,as_h,at_l ; Signed MulSub 7E0st4h MULS.AA.LH as,at smulsub acc,as_l,at_h ; acc=acc-as*at 7F0st4h MULS.AA.HH as,at smulsub acc,as_h,at_h ;/ 80ws04h LDINC mw,as movupd mw,[as+4] ;Load+AutoInc 90ws04h LDDEC mw,as movupd mw,[as-4] ;Load+AutoDec |
08wsy4h MULA.DD.LL.LDINC mw,as,mx,my smuladd_movupd acc,mx_l,my_l,mw,[as+4] 09wsy4h MULA.DD.HL.LDINC mw,as,mx,my smuladd_movupd acc,mx_h,my_l,mw,[as+4] 0Awsy4h MULA.DD.LH.LDINC mw,as,mx,my smuladd_movupd acc,mx_l,my_h,mw,[as+4] 0Bwsy4h MULA.DD.HH.LDINC mw,as,mx,my smuladd_movupd acc,mx_h,my_h,mw,[as+4] 18wsy4h MULA.DD.LL.LDDEC mw,as,mx,my smuladd_movupd acc,mx_l,my_l,mw,[as-4] 19wsy4h MULA.DD.HL.LDDEC mw,as,mx,my smuladd_movupd acc,mx_h,my_l,mw,[as-4] 1Awsy4h MULA.DD.LH.LDDEC mw,as,mx,my smuladd_movupd acc,mx_l,my_h,mw,[as-4] 1Bwsy4h MULA.DD.HH.LDDEC mw,as,mx,my smuladd_movupd acc,mx_h,my_h,mw,[as-4] 48wst4h MULA.DA.LL.LDINC mw,as,mx,at smuladd_movupd acc,mx_l,at_l,mw,[as+4] 49wst4h MULA.DA.HL.LDINC mw,as,mx,at smuladd_movupd acc,mx_h,at_l,mw,[as+4] 4Awst4h MULA.DA.LH.LDINC mw,as,mx,at smuladd_movupd acc,mx_l,at_h,mw,[as+4] 4Bwst4h MULA.DA.HH.LDINC mw,as,mx,at smuladd_movupd acc,mx_h,at_h,mw,[as+4] 58wst4h MULA.DA.LL.LDDEC mw,as,mx,at smuladd_movupd acc,mx_l,at_l,mw,[as-4] 59wst4h MULA.DA.HL.LDDEC mw,as,mx,at smuladd_movupd acc,mx_h,at_l,mw,[as-4] 5Awst4h MULA.DA.LH.LDDEC mw,as,mx,at smuladd_movupd acc,mx_l,at_h,mw,[as-4] 5Bwst4h MULA.DA.HH.LDDEC mw,as,mx,at smuladd_movupd acc,mx_h,at_h,mw,[as-4] |
| DSi Atheros Wifi - Xtensa CPU Opcode Encoding Tables |
23-20 19-16 15-12 11-8 7-4 3-0 Type
op2 op1 r s t op0 RRR
imm4 op1 r s t op0 RRI4
imm8--------> r s t op0 RRI8
imm16-------------------> t op0 RRI16
op2 op1 rs--------> t op0 RSR
offset----------------------> n op0 CALL
op2 op1 r s m n op0 CALLX
imm8--------> r s m n op0 BRI8
imm12-------------> s m n op0 BRI8
r s t op0 RRRN
imm.l s imm.h op0 RI7 (bit7="i")
imm.l s imm.h op0 RI6 (bit7="i", bit6="z")
|
ROOT\ op0 ROOT\QRST op0=0, op1 ROOT\QRST\RST0 op0=0, op1=0, op2 ROOT\QRST\RST0\ST0 op0=0, op1=0, op2=0, r ROOT\QRST\RST0\ST0\SNM0 op0=0, op1=0, op2=0, r=0, mn ROOT\QRST\RST0\ST0\SYNC op0=0, op1=0, op2=0, r=2, t ROOT\QRST\RST0\ST0\RFEI op0=0, op1=0, op2=0, r=3, t ROOT\QRST\RST0\ST0\RFEI\RFET op0=0, op1=0, op2=0, r=3, t=0, s ROOT\QRST\RST0\ST1 op0=0, op1=0, op2=4, r ROOT\QRST\RST0\TLB op0=0, op1=0, op2=5, r ROOT\QRST\RST0\RT0 op0=0, op1=0, op2=6, s ROOT\QRST\RST1 op0=0, op1=1, op2 ROOT\QRST\RST1\IMP op0=0, op1=1, op2=F, r ROOT\QRST\RST1\IMP\RFDX op0=0, op1=1, op2=F, r=E, t ROOT\QRST\RST2 op0=0, op1=2, op2 ROOT\QRST\RST3 op0=0, op1=3, op2 ROOT\QRST\LSCX op0=0, op1=8, op2 ROOT\QRST\LSC4 op0=0, op1=9, op2 ROOT\QRST\FP0 op0=0, op1=A, op2 ROOT\QRST\FP0\FP1OP op0=0, op1=A, op2=F, t ROOT\QRST\FP1 op0=0, op1=B, op2 ROOT\LSAI op0=2, r ROOT\LSAI\CACHE op0=2, r=7, t ROOT\LSAI\CACHE\DCE op0=2, r=7, t=8, op1 ROOT\LSAI\CACHE\ICE op0=2, r=7, t=D, op1 ROOT\LSCI op0=3, r ROOT\MAC16 op0=4, op2 ROOT\MAC16\MACID op0=4, op2=0, op1 ROOT\MAC16\MACCD op0=4, op2=1, op1 ROOT\MAC16\MACDD op0=4, op2=2, op1 ROOT\MAC16\MACAD op0=4, op2=3, op1 ROOT\MAC16\MACIA op0=4, op2=4, op1 ROOT\MAC16\MACCA op0=4, op2=5, op1 ROOT\MAC16\MACDA op0=4, op2=6, op1 ROOT\MAC16\MACAA op0=4, op2=7, op1 ROOT\MAC16\MACI op0=4, op2=8, op1 ROOT\MAC16\MACC op0=4, op2=9, op1 ROOT\CALLN op0=5, mn ROOT\SI op0=6, mn (and \SI\BZ, \SI\BI0, \SI\BI1) ROOT\SI\BI1\B1 op0=6, mn=7, r ROOT\B op0=7, r ROOT\ST2 op0=C, t ROOT\ST3 op0=D, r ROOT\ST3\S3 op0=D, r=F, t |
ROOT\ ROOT\QRST ROOT\QRST\RS ROOT\QRST\RST0\ST0
op0 op1 op2 r
0 --> QRST --> RST0 --> ST0 --> SNM0
1 L32R --> RST1 AND MOVSP
2 --> LSAI --> RST2 OR --> SYNC
3 --> LSCIp --> RST3 XOR --> RFEIx
4 --> MAC16d EXTUI ;\ --> ST1 BREAKx
5 --> CALLN EXTUI ;/ --> TLB SYSCALLx
6 --> SI CUST0 ;\ --> RT0 RSILx
7 --> B CUST1 ;/ reserved WAITIx (t=0)
8 L32I.Nn ;\ --> LSCXp ADD ANY4p
9 S32I.Nn ; --> LSC4 ADDX2 ALL4p
A ADD.Nn ; narrow --> FP0f ADDX4 ANY8p
B ADDI.Nn ; 16bit --> FP1f ADDX8 ALL8p
C --> ST2n ; reserved SUB reserved
D --> ST3n ;/ reserved SUBX2 reserved
E reserved reserved SUBX4 reserved
F reserved reserved SUBX8 reserved
|
..\RST0\ST0\SNM0 ..\RST0\ST0\SYNC ..\RST0\ST0\RFEI ..\ST0\RFEI\RFET
mn t t s
0 ILL ;\ ISYNC --> RFETx RFEx
1 reserved ; ILL RSYNC RFIx RFUEx
2 reserved ; ESYNC RFME (s=0) RFDEx
3 reserved ;/ DSYNC reserved reserved
4 reserved ;\ reserved reserved RFWOw
5 reserved ; N/A reserved reserved RFWUw
6 reserved ; reserved reserved reserved
7 reserved ;/ reserved reserved reserved
8 RET ;\ EXCW reserved reserved
9 RETWw ; JR reserved reserved reserved
A JX ; reserved reserved reserved
B reserved ;/ reserved reserved reserved
C CALLX0 ;\ MEMW reserved reserved
D CALLX4w ; CALLX EXTW reserved reserved
E CALLX8w ; reserved reserved reserved
F CALLX12w ;/ NOP/reserved reserved reserved
|
..\RST0\ST1 ..\RST0\TLB ..\RST0\RT0 ROOT\QRST\RST1
r r s op2
0 SSR (t=0) reserved NEG SLLI ;\
1 SSL (t=0) reserved ABS SLLI ;/
2 SSA8L (t=0) reserved reserved SRAI ;\
3 SSA8B (t=0) RITLB0 reserved SRAI ;/
4 SSAI (t=0) IITLB (t=0) reserved SRLI ;-
5 reserved PITLB reserved reserved
6 RER WITLB reserved XSR
7 WER RITLB1 reserved --> ACCER (?)
8 ROTWw (s=0) reserved reserved SRC
9 reserved reserved reserved SRL (s=0)
A reserved reserved reserved SLL (t=0)
B reserved RDTLB0 reserved SRA (s=0)
C reserved IDTLB (t=0) reserved MUL16U
D reserved PDTLB reserved MUL16S
E NSAu WDTLB reserved reserved
F NSAUu RDTLB1 reserved --> IMP
|
..\RST1\IMP ..\RST1\IMP\RFDX ROOT\QRST\RST2 ROOT\QRST\RST3
r t op2 op2
0 LICT RFDO (s=0) ABDBp RSR
1 SICT RFDD (s=0,1) ANDBCp WSR
2 LICW reserved ORBp SEXTu
3 SICW reserved ORBCp CLAMPSu
4 reserved reserved XORBp MINu
5 reserved reserved reserved MAXu
6 reserved reserved reserved MINUu
7 reserved reserved reserved MAXUu
8 LDCT reserved MULLi MOVEQZ
9 SDCT reserved reserved MOVNEZ
A reserved reserved MULUHi MOVLTZ
B reserved reserved MULSHi MOVGEZ
C reserved reserved QUOUi MOVFp
D reserved reserved QUOSi MOVTp
E --> RFDX reserved REMUi RUR
F reserved reserved REMSi WUR
|
ROOT\QRST\LSCX ROOT\QRST\LSC4 ROOT\QRST\FP0 ROOT\QRST\FP0\FP1OP
op2 op2 op2 t
0 LSXf L32E ADD.Sf MOV.Sf
1 LSXUf reserved SUB.Sf ABS.Sf
2 reserved reserved MUL.Sf reserved
3 reserved reserved reserved reserved
4 SSXf S32E MADD.Sf RFRf
5 SSXUf reserved MSUB.Sf WFRf
6 reserved reserved reserved NEG.Sf
7 reserved reserved reserved reserved
8 reserved reserved ROUND.Sf reserved
9 reserved reserved TRUNC.Sf reserved
A reserved reserved FLOOR.Sf reserved
B reserved reserved CEIL.Sf reserved
C reserved reserved FLOAT.Sf reserved
D reserved reserved UFLOAT.Sf reserved
E reserved reserved UTRUNC.Sf reserved
F reserved reserved --> FP1OPf reserved
|
ROOT\QRST\FP1 ROOT\LSAI ROOT\LSAI\CACHE ..\CACHE\DCE
op2 r t op1
0 reserved L8UI DPFRc DPFLl
1 UN.Sf L16UI DPFWc reserved
2 OEQ.Sf L32I DPFROc DHUl
3 UEQ.Sf reserved DPFWOc DIUl
4 OLT.Sf S8I DHWBc DIWBc
5 ULT.Sf S16I DHWBIc DIWBIc
6 OLE.Sf S32I DHIc reserved
7 ULE.Sf --> CACHEc DIIc reserved
8 MOVEQZ.Sf reserved --> DCEc reserved
9 MOVNEZ.Sf L16SI reserved reserved
A MOVLTZ.Sf MOVI reserved reserved
B MOVGEZ.Sf L32AIy reserved reserved
C MOVF.Sf ADDI IPFc reserved
D MOVT.Sf ADDMI --> ICEc reserved
E reserved S32C1Iy IHIc reserved
F reserved S32RIy IIIc reserved
|
..\CACHE\ICE ROOT\LSCI ROOT\CALLN ROOT\SI
op1 r mn mn
0 IPFLl LSIf CALL0 ;\ J
1 reserved reserved CALL4 ; BEQZ
2 IHUl reserved CALL8 ; BEQI
3 IIUl reserved CALL12 ;/ ENTRYw
4 reserved SSIf CALL0 ;\ J
5 reserved reserved CALL4 ; BNEZ
6 reserved reserved CALL8 ; BNEI
7 reserved reserved CALL12 ;/ --> B1
8 reserved LSIUf CALL0 ;\ J
9 reserved reserved CALL4 ; BLTZ
A reserved reserved CALL8 ; BLTI
B reserved reserved CALL12 ;/ BLTUI
C reserved SSIUf CALL0 ;\ J
D reserved reserved CALL4 ; BGEZ
E reserved reserved CALL8 ; BGEI
F reserved reserved CALL12 ;/ BGEUI
|
ROOT\SI\BI1\B1 ROOT\B ROOT\ST2 ROOT\ST3
r r t r
0 BFp BNONE MOVI.Nn ;\ MOV.Nn
1 BTp BEQ MOVI.Nn ; reserved
2 reserved BLT MOVI.Nn ; reserved
3 reserved BLTU MOVI.Nn ; reserved
4 reserved BALL MOVI.Nn ; reserved
5 reserved BBC MOVI.Nn ; reserved
6 reserved BBCI ;\ MOVI.Nn ; reserved
7 reserved BBCI ;/ MOVI.Nn ;/ reserved
8 LOOP BANY BEQZ.Nn ;\ reserved
9 LOOPNEZ BNE BEQZ.Nn ; reserved
A LOOPGTZ BGE BEQZ.Nn ; reserved
B reserved BGEU BEQZ.Nn ;/ reserved
C reserved BNALL BNEZ.Nn ;\ reserved
D reserved BBS BNEZ.Nn ; reserved
E reserved BBSI ;\ BNEZ.Nn ; reserved
F reserved BBSI ;/ BNEZ.Nn ;/ --> S3
|
ROOT\ST3\S3 ROOT\MAC16 ROOT\MAC16\MACI ROOT\MAC16\MACC
t op2 op1 op1
0 RET.Nn --> MACID LDINC LDDEC
1 RETW.Nwn --> MACCD reserved reserved
2 BREAK.Nn --> MACDD reserved reserved
3 NOP.Nn --> MACAD reserved reserved
4 reserved --> MACIA reserved reserved
5 reserved --> MACCA reserved reserved
6 ILL.Nn --> MACDA reserved reserved
7 reserved --> MACAA reserved reserved
8 reserved --> MACI reserved reserved
9 reserved --> MACC reserved reserved
A reserved reserved reserved reserved
B reserved reserved reserved reserved
C reserved reserved reserved reserved
D reserved reserved reserved reserved
E reserved reserved reserved reserved
F reserved reserved reserved reserved
|
ROOT\MAC16\MACID ROOT\MAC16\MACCD ROOT\MAC16\MACIA ROOT\MAC16\MACCA
op1 op1 op1 op1
0 reserved reserved reserved reserved
1 reserved reserved reserved reserved
2 reserved reserved reserved reserved
3 reserved reserved reserved reserved
4 reserved reserved reserved reserved
5 reserved reserved reserved reserved
6 reserved reserved reserved reserved
7 reserved reserved reserved reserved
8 MULA.DD.LL.LDINC MULA.DD.LL.LDDEC MULA.DA.LL.LDINC MULA.DA.LL.LDDEC
9 MULA.DD.HL.LDINC MULA.DD.HL.LDDEC MULA.DA.HL.LDINC MULA.DA.HL.LDDEC
A MULA.DD.LH.LDINC MULA.DD.LH.LDDEC MULA.DA.LH.LDINC MULA.DA.LH.LDDEC
B MULA.DD.HH.LDINC MULA.DD.HH.LDDEC MULA.DA.HH.LDINC MULA.DA.HH.LDDEC
C reserved reserved reserved reserved
D reserved reserved reserved reserved
E reserved reserved reserved reserved
F reserved reserved reserved reserved
|
ROOT\MAC16\MACDD ROOT\MAC16\MACAD ROOT\MAC16\MACDA ROOT\MAC16\MACAA
op1 op1 op1 op1
0 reserved reserved reserved UMUL.AA.LL
1 reserved reserved reserved UMUL.AA.HL
2 reserved reserved reserved UMUL.AA.LH
3 reserved reserved reserved UMUL.AA.HH
4 MUL.DD.LL MUL.AD.LL MUL.DA.LL MUL.AA.LL
5 MUL.DD.HL MUL.AD.HL MUL.DA.HL MUL.AA.HL
6 MUL.DD.LH MUL.AD.LH MUL.DA.LH MUL.AA.LH
7 MUL.DD.HH MUL.AD.HH MUL.DA.HH MUL.AA.HH
8 MULA.DD.LL MULA.AD.LL MULA.DA.LL MULA.AA.LL
9 MULA.DD.HL MULA.AD.HL MULA.DA.HL MULA.AA.HL
A MULA.DD.LH MULA.AD.LH MULA.DA.LH MULA.AA.LH
B MULA.DD.HH MULA.AD.HH MULA.DA.HH MULA.AA.HH
C MULS.DD.LL MULS.AD.LL MULS.DA.LL MULS.AA.LL
D MULS.DD.HL MULS.AD.HL MULS.DA.HL MULS.AA.HL
E MULS.DD.LH MULS.AD.LH MULS.DA.LH MULS.AA.LH
F MULS.DD.HH MULS.AD.HH MULS.DA.HH MULS.AA.HH
|
| DSi Atheros Wifi - Internal Memory Map |
00000000h I/O Ports 000E0000h ROM ;\as so on AR6002 (other AR60xx chips may use 00100000h RAM ;/slightly different addresses). |
00000000h..003FFFFh used for I/O Port read/write ;1st mirror 00400000h..007FFFFh used for ROM and RAM data read/write ;2nd mirror 00800000h..00BFFFFh used for ROM and RAM opcode read ;3rd mirror 00C00000h..FFFFFFFh normally unused ;4th..1024th |
AR60xx chip name AR6002 AR6003 AR6004 AR6013 AR6014 AR6002_rev alias REV2 REV4 REV6 ? ? hw name hw2 hw4 hw6 hw...? hw...? Nintendo DSi/3DS Old DSi N/A N/A New DSi 3DS/New3DS Wifi Board DWM-W015 N/A N/A DWM-W024 DWM-W028 SPI FLASH ID Byte 01h N/A N/A 02h 03h SPI FLASH Size 128K N/A N/A ? ? I2C EEPROM SizeUsed 300h ? ? ? ? ROM Size (Kbyte) 80K 256K 512K ? ? RAM Size (Kbyte) 184K 256K 256-288K? 128K? ? IRAM Size (Kbyte) N/A N/A 160K? ? ? ROM ID version 2.0.0.392 ? ? 2.3.0.36 ? Firmware version 2.1.0.123 ? ? 2.3.0.108 ? ROM Base 0E0000h 0E0000h 100000h 0E0000h ? ROM Reset Entry 8E0000h ? ? ? ? RAM Base 100000h 140000h? 000000h?? 120000h? ? RAM Host Interest 500400h 540600h 400600h?? 520000h ? RAM Start or Free 502400h ? ? 524C00h ? RAM BMI_DONE Entry 515000h ? ? ? ? CPU Litbase 52F000h+1 ? ? 54C000h+1 ? IRAM Base N/A N/A 998000h ? ? ROM Size (hex) 14000h 40000h 80000h ? ? RAM Size (hex) 2E000h 40000h 4xxxxh? 20000h? ? ROM ID hex 20000188h ? ? 23000024h ? Firm ID hex 2100007Bh ? ? 2300006Ch ? CHIP_ID used 02000001h ? ? 0D000000h ? CHIP_ID alternate? 02010001h ? ? 0D00000xh ? BB_D2_CHIP_ID has any? ? ? ? ? |
Entrypoint: ROM_Base+0 Exception Vectors: ROM_Base+xxx ? DataSet Address: ROM_Base+ROM_Size-8 MBIST Cksum: ROM_Base+ROM_Size-4 ;MBIST = memory built-in-self-test ? |
AR6002 = AR6002_REV2 = include\AR6002\hw2.0 AR6003 = AR6002_REV4 = include\AR6002\hw4.0 AR6004 = AR6002_REV6 = include\AR6002\hw6.0 |
| DSi Atheros Wifi - Internal I/O Map Summary (hw2.0) |
004000h 1C4h Clock/RTC Registers (rtc_reg.h) (hw2.0) 008000h 208h Memory Controller (TCAM) (vmc_reg.h) (hw2.0) 00C000h 40h Serial UART (uart_reg.h) (hw2.0) 010000h 18h Serial I2C/SPI Interface (si_reg.h) (hw2.0) 0140F4h 4 GPIO Registers (gpio_reg.h) (hw2.0) 018000h 114h MBOX Registers (mbox_reg.h) (hw2.0) 01A000h 2000h HOST_IF_WINDOW (mbox_reg.h) (hw2.0) 01C000h 64h Analog Intf Registers (analog_reg.h) (hw2.0) 01C080h 10h Analog Intf Registers (analog_intf_reg.h) (hw2.0) 020000h ? MAC DMA maybe, if any ? 028000h 1800h MAC PCU Registers (mac_pcu.h) (hw2.0) 029800h ? BB/LC maybe, if any ? |
004000h 4 (WLAN_)RESET_CONTROL 004004h 4 (WLAN_)XTAL_CONTROL 004008h 4 (WLAN_)TCXO_DETECT 00400Ch 4 (WLAN_)XTAL_TEST 004010h 4 (WLAN_)QUADRATURE 004014h 4 (WLAN_)PLL_CONTROL 004018h 4 (WLAN_)PLL_SETTLE 00401Ch 4 (WLAN_)XTAL_SETTLE 004020h 4 (WLAN_)CPU_CLOCK 004024h 4 (WLAN_)CLOCK_OUT 004028h 4 (WLAN_)CLOCK_CONTROL 00402Ch 4 (WLAN_)BIAS_OVERRIDE 004030h 4 (WLAN_)WDT_CONTROL ;\ 004034h 4 (WLAN_)WDT_STATUS ; 004038h 4 (WLAN_)WDT ; Watchdog Timer 00403Ch 4 (WLAN_)WDT_COUNT ; 004040h 4 (WLAN_)WDT_RESET ;/ 004044h 4 (WLAN_)INT_STATUS ;-Interrupt Status 004048h 4 (WLAN_)LF_TIMER0 ;\ 00404Ch 4 (WLAN_)LF_TIMER_COUNT0 ; Low-Freq Timer 004050h 4 (WLAN_)LF_TIMER_CONTROL0 ; 004054h 4 (WLAN_)LF_TIMER_STATUS0 ;/ 004058h 4 (WLAN_)LF_TIMER1 ;\ 00405Ch 4 (WLAN_)LF_TIMER_COUNT1 ; Low-Freq Timer 004060h 4 (WLAN_)LF_TIMER_CONTROL1 ; 004064h 4 (WLAN_)LF_TIMER_STATUS1 ;/ 004068h 4 (WLAN_)LF_TIMER2 ;\ 00406Ch 4 (WLAN_)LF_TIMER_COUNT2 ; Low-Freq Timer 004070h 4 (WLAN_)LF_TIMER_CONTROL2 ; 004074h 4 (WLAN_)LF_TIMER_STATUS2 ;/ 004078h 4 (WLAN_)LF_TIMER3 ;\ 00407Ch 4 (WLAN_)LF_TIMER_COUNT3 ; Low-Freq Timer 004080h 4 (WLAN_)LF_TIMER_CONTROL3 ; 004084h 4 (WLAN_)LF_TIMER_STATUS3 ;/ 004088h 4 (WLAN_)HF_TIMER ;\ 00408Ch 4 (WLAN_)HF_TIMER_COUNT ; High-Freq Timer 004090h 4 (WLAN_)HF_LF_COUNT ;<-- ; 004094h 4 (WLAN_)HF_TIMER_CONTROL ; 004098h 4 (WLAN_)HF_TIMER_STATUS ;/ 00409Ch 4 (WLAN_)RTC_CONTROL ;\ 0040A0h 4 (WLAN_)RTC_TIME ; 0040A4h 4 (WLAN_)RTC_DATE ; 0040A8h 4 (WLAN_)RTC_SET_TIME ; Real-Time Clock 0040ACh 4 (WLAN_)RTC_SET_DATE ; 0040B0h 4 (WLAN_)RTC_SET_ALARM ; 0040B4h 4 (WLAN_)RTC_CONFIG ; 0040B8h 4 (WLAN_)RTC_ALARM_STATUS ;/ 0040BCh 4 (WLAN_)UART_WAKEUP 0040C0h 4 (WLAN_)RESET_CAUSE 0040C4h 4 (WLAN_)SYSTEM_SLEEP 0040C8h 4 (WLAN_)SDIO_WRAPPER 0040CCh 4 (WLAN_)MAC_SLEEP_CONTROL 0040D0h 4 (WLAN_)KEEP_AWAKE 0040D4h 4 (WLAN_)LPO_CAL_TIME ;\ 0040D8h 4 (WLAN_)LPO_INIT_DIVIDEND_INT ; 0040DCh 4 (WLAN_)LPO_INIT_DIVIDEND_FRACTION ; 0040E0h 4 (WLAN_)LPO_CAL ; 0040E4h 4 (WLAN_)LPO_CAL_TEST_CONTROL ; 0040E8h 4 (WLAN_)LPO_CAL_TEST_STATUS ;/ 0040ECh 4 (WLAN_)CHIP_ID 0040F0h 4 (WLAN_)DERIVED_RTC_CLK 0040F4h 4 MAC_PCU_SLP32_MODE 0040F8h 4 MAC_PCU_SLP32_WAKE 0040FCh 4 MAC_PCU_SLP32_INC 004100h 4 MAC_PCU_SLP_MIB1 004104h 4 MAC_PCU_SLP_MIB2 004108h 4 MAC_PCU_SLP_MIB3 00410Ch 4 MAC_PCU_SLP_BEACON ;<-- hw2.0 only (not hw4.0) 004110h 4 (WLAN_)POWER_REG ;\located here in hw2.0 004114h 4 (WLAN_)CORE_CLK_CTRL ;/ 004118h 1x8 PAD0 ;\ 004120h 4x8 SDIO_SETUP_CIRCUIT[8] ; 004140h 4 SDIO_SETUP_CONFIG ; 004144h 4 CPU_SETUP_CONFIG ; hw2.0 only (not hw4.0) 004148h 1x24 PAD1 ; 004160h 4x8 CPU_SETUP_CIRCUIT[8] ; 004180h 4 BB_SETUP_CONFIG ; 004184h 1x28 PAD2 ; 0041A0h 4x8 BB_SETUP_CIRCUIT[8] ;/ 0041C0h 4 (WLAN_)GPIO_WAKEUP_CONTROL ;-located here in hw2.0 |
008000h 4x32 (WLAN_)MC_TCAM_VALID[0..31] ;\ 008080h 4x32 (WLAN_)MC_TCAM_MASK[0..31] ; ROM Patches 008100h 4x32 (WLAN_)MC_TCAM_COMPARE[0..31] ; 008180h 4x32 (WLAN_)MC_TCAM_TARGET[0..31] ;/ 008200h 4 (WLAN_)ADDR_ERROR_CONTROL ;\ADDR_ERROR 008204h 4 (WLAN_)ADDR_ERROR_STATUS ;/ |
00C000h 4 (WLAN_UART_)RBR - RX Data FIFO (R) (when DLAB=0) 00C000h 4 (WLAN_UART_)THR - TX Data FIFO (W) (when DLAB=0) 00C000h 4 (WLAN_UART_)DLL - Baudrate Divisor LSB (R/W) (when DLAB=1) 00C004h 4 (WLAN_UART_)IER - Interrupt Control (R/W) (when DLAB=0) 00C004h 4 (WLAN_UART_)DLH - Baudrate Divisor MSB (R/W) (when DLAB=1) 00C008h 4 (WLAN_UART_)IIR - Interrupt Status (R) 00C008h 4 (WLAN_UART_)FCR - FIFO Control (W) 00C00Ch 4 (WLAN_UART_)LCR - Character Format Control (R/W) 00C010h 4 (WLAN_UART_)MCR - Handshaking Control (R/W) 00C014h 4 (WLAN_UART_)LSR - RX/TX Status (R) (W=don't do) 00C018h 4 (WLAN_UART_)MSR - Handshaking Status (R) (W=don't do) 00C01Ch 4 (WLAN_UART_)SCR - Scratch (R/W) 00C020h 4 (WLAN_UART_)SRBR - (mirror of RBR?) (when DLAB=0?) 00C024h 1x4 PAD0 00C028h 4 (WLAN_UART_)SIIR - (mirror or IIR?) 00C02Ch 4 (WLAN_UART_?)MWR - Whatever "M Write Register?" 00C030h 1x4 PAD1 00C034h 4 (WLAN_UART_)SLSR - (mirror or LSR?) <-- used by AR6002 ROM 00C038h 4 (WLAN_UART_)SMSR - (mirror of MSR?) 00C03Ch 4 (WLAN_UART_?)MRR - Whatever "M Read Register?" |
010000h 4 SI_CONFIG 010004h 4 SI_CS 010008h 4 SI_TX_DATA0 01000Ch 4 SI_TX_DATA1 010010h 4 SI_RX_DATA0 010014h 4 SI_RX_DATA1 |
014000h 4 (WLAN_)GPIO_OUT ;\GPIO Output Data 014004h 4 (WLAN_)GPIO_OUT_W1TS ; (direct, and Write-1-To-Set/Clr) 014008h 4 (WLAN_)GPIO_OUT_W1TC ;/ 01400Ch 4 (WLAN_)GPIO_ENABLE ;\GPIO Output Enable 014010h 4 (WLAN_)GPIO_ENABLE_W1TS ; (direct, and Write-1-To-Set/Clr) 014014h 4 (WLAN_)GPIO_ENABLE_W1TC ;/ 014018h 4 (WLAN_)GPIO_IN ;-GPIO Input 01401Ch 4 (WLAN_)GPIO_STATUS ;\GPIO Interrupt Status 014020h 4 (WLAN_)GPIO_STATUS_W1TS ; (direct, and Write-1-To-Set/Clr) 014024h 4 (WLAN_)GPIO_STATUS_W1TC ;/ 014028h 4 (WLAN_)GPIO_PIN0 ;GPIO0 Bluetooth coex BT_PRIORITY 01402Ch 4 (WLAN_)GPIO_PIN1 ;GPIO1 Bluetooth coex WLAN_ACTIVE 014030h 4 (WLAN_)GPIO_PIN2 ;GPIO2 Bluetooth coex BT_FREQUENCY 014034h 4 (WLAN_)GPIO_PIN3 ;GPIO3 Bluetooth coex BT_ACTIVE 014038h 4 (WLAN_)GPIO_PIN4 ;GPIO4 SDIO/GSPI interface select 01403Ch 4 (WLAN_)GPIO_PIN5 ;GPIO5 SDIO/GSPI interface select 014040h 4 (WLAN_)GPIO_PIN6 ;GPIO6 - 014044h 4 (WLAN_)GPIO_PIN7 ;GPIO7 TRST for JTAG debug 014048h 4 (WLAN_)GPIO_PIN8 ;GPIO8 external 32kHz clock in 01404Ch 4 (WLAN_)GPIO_PIN9 ;GPIO9 I2C SCL or SPI CLK 014050h 4 (WLAN_)GPIO_PIN10 ;GPIO10 I2C SDA or SPI MISO 014054h 4 (WLAN_)GPIO_PIN11 ;GPIO11 UART RXD or SPI MOSI 014058h 4 (WLAN_)GPIO_PIN12 ;GPIO12 UART TXD or SPI /CS 01405Ch 4 (WLAN_)GPIO_PIN13 ;GPIO13 Reset in for JTAG debug 014060h 4 (WLAN_)GPIO_PIN14 ;GPIO14 UART CTS 014064h 4 (WLAN_)GPIO_PIN15 ;GPIO15 UART RTS 014068h 4 (WLAN_)GPIO_PIN16 ;GPIO16 - 01406Ch 4 (WLAN_)GPIO_PIN17 ;GPIO17 - 014070h 4 SDIO_PIN - Config: Pad Pull/Strength 014074h 4 CLK_REQ_PIN - Config: Pad Pull/Strength/AteOeLow 014078h 4 (WLAN_)SIGMA_DELTA 01407Ch 4 (WLAN_)DEBUG_CONTROL 014080h 4 (WLAN_)DEBUG_INPUT_SEL 014084h 4 (WLAN_)DEBUG_OUT 014088h 4 LA_CONTROL 01408Ch 4 LA_CLOCK 014090h 4 LA_STATUS 014094h 4 LA_TRIGGER_SAMPLE 014098h 4 LA_TRIGGER_POSITION 01409Ch 4 LA_PRE_TRIGGER 0140A0h 4 LA_POST_TRIGGER 0140A4h 4 LA_FILTER_CONTROL 0140A8h 4 LA_FILTER_DATA 0140ACh 4 LA_FILTER_WILDCARD 0140B0h 4 LA_TRIGGERA_DATA 0140B4h 4 LA_TRIGGERA_WILDCARD 0140B8h 4 LA_TRIGGERB_DATA 0140BCh 4 LA_TRIGGERB_WILDCARD 0140C0h 4 LA_TRIGGER 0140C4h 4 LA_FIFO 0140C8h 4x2 LA[0..1] 0140D0h 4 ANT_PIN - Config: Pad Pull/Strength 0140D4h 4 ANTD_PIN - Config: Pad Pull 0140D8h 4 GPIO_PIN - Config: Pad Pull/Strength 0140DCh 4 GPIO_H_PIN - Config: Pad Pull 0140E0h 4 BT_PIN - Config: Pad Pull/Strength 0140E4h 4 BT_WLAN_PIN - Config: Pad Pull 0140E8h 4 SI_UART_PIN - Config: Pad Pull/Strength 0140ECh 4 CLK32K_PIN - Config: Pad Pull 0140F0h 4 (WLAN_)RESET_TUPLE_STATUS |
018000h 4x4 (WLAN_)MBOX_FIFO[0..3] 018010h 4 (WLAN_)MBOX_FIFO_STATUS 018014h 4 (WLAN_)MBOX_DMA_POLICY 018018h 4 (WLAN_)MBOX0_DMA_RX_DESCRIPTOR_BASE 01801Ch 4 (WLAN_)MBOX0_DMA_RX_CONTROL 018020h 4 (WLAN_)MBOX0_DMA_TX_DESCRIPTOR_BASE 018024h 4 (WLAN_)MBOX0_DMA_TX_CONTROL 018028h 4 (WLAN_)MBOX1_DMA_RX_DESCRIPTOR_BASE 01802Ch 4 (WLAN_)MBOX1_DMA_RX_CONTROL 018030h 4 (WLAN_)MBOX1_DMA_TX_DESCRIPTOR_BASE 018034h 4 (WLAN_)MBOX1_DMA_TX_CONTROL 018038h 4 (WLAN_)MBOX2_DMA_RX_DESCRIPTOR_BASE 01803Ch 4 (WLAN_)MBOX2_DMA_RX_CONTROL 018040h 4 (WLAN_)MBOX2_DMA_TX_DESCRIPTOR_BASE 018044h 4 (WLAN_)MBOX2_DMA_TX_CONTROL 018048h 4 (WLAN_)MBOX3_DMA_RX_DESCRIPTOR_BASE 01804Ch 4 (WLAN_)MBOX3_DMA_RX_CONTROL 018050h 4 (WLAN_)MBOX3_DMA_TX_DESCRIPTOR_BASE 018054h 4 (WLAN_)MBOX3_DMA_TX_CONTROL 018058h 4 (WLAN_)MBOX_INT_STATUS 01805Ch 4 (WLAN_)MBOX_INT_ENABLE 018060h 4 (WLAN_)INT_HOST 018064h 1x28 PAD0 018080h 4x8 (WLAN_)LOCAL_COUNT[0..7] 0180A0h 4x8 (WLAN_)COUNT_INC[0..7] 0180C0h 4x8 (WLAN_)LOCAL_SCRATCH[0..7] 0180E0h 4 (WLAN_)USE_LOCAL_BUS 0180E4h 4 (WLAN_)SDIO_CONFIG 0180E8h 4 (WLAN_)MBOX_DEBUG 0180ECh 4 (WLAN_)MBOX_FIFO_RESET 0180F0h 4x4 (WLAN_)MBOX_TXFIFO_POP[0..3] 018100h 4x4 (WLAN_)MBOX_RXFIFO_POP[0..3] 018110h 4 (WLAN_)SDIO_DEBUG 018114h 1x7916 PAD1 01A000h 4x2048 (WLAN_)HOST_IF_WINDOW[0..2047] |
01C000h 4 SYNTH_SYNTH1 ;\ 01C004h 4 SYNTH_SYNTH2 ; 01C008h 4 SYNTH_SYNTH3 ; 01C00Ch 4 SYNTH_SYNTH4 ; also defined in "synth_reg.h" 01C010h 4 SYNTH_SYNTH5 ; 01C014h 4 SYNTH_SYNTH6 ; 01C018h 4 SYNTH_SYNTH7 ; 01C01Ch 4 SYNTH_SYNTH8 ;/ 01C020h 4 RF5G_RF5G1 ;\also defined in "rf5G_reg.h" 01C024h 4 RF5G_RF5G2 ;/ 01C028h 4 RF2G_RF2G1 ;\also defined in "rf2G_reg.h" 01C02Ch 4 RF2G_RF2G2 ;/ 01C030h 4 TOP_GAIN ;\also defined in "top_reg.h" 01C034h 4 TOP_TOP ;/ 01C038h 4 BIAS_BIAS_SEL ;\ 01C03Ch 4 BIAS_BIAS1 ; also defined in "bias_reg.h" 01C040h 4 BIAS_BIAS2 ; 01C044h 4 BIAS_BIAS3 ;/ 01C048h 4 TXPC_TXPC ;\also defined in "txpc_reg.h" 01C04Ch 4 TXPC_MISC ;/ 01C050h 4 RXTXBB_RXTXBB1 ;\ 01C054h 4 RXTXBB_RXTXBB2 ; also defined in "rxtxbb_reg.h" 01C058h 4 RXTXBB_RXTXBB3 ; 01C05Ch 4 RXTXBB_RXTXBB4 ;/ 01C060h 4 ADDAC_ADDAC1 ;-also defined in "addac.h" 01C064h 1x1Ch - |
01C080h 4 SW_OVERRIDE ;\ 01C084h 4 SIN_VAL ; defined ONLY in "analog_intf_reg.h" 01C088h 4 SW_SCLK ; 01C08Ch 4 SW_CNTL ;/ |
028000h (00h) - REG_STA_ID0 ;aka MAC_PCU_STA_ADDR_L32 028004h (01h) - REG_STA_ID1 ;aka MAC_PCU_STA_ADDR_U16 028008h (02h) - REG_BSS_ID0 ;aka MAC_PCU_BSSID_L32 02800Ch (03h) - REG_BSS_ID1 ;aka MAC_PCU_BSSID_U16 028010h (04h) - MAC_PCU_REG_BCNRSSI ;aka MAC_PCU_BCN_RSSI_AVE 028014h (05h) - REG_TIME_OUT ;aka MAC_PCU_ACK_CTS_TIMEOUT 028018h (06h) - MAC_PCU_REG_BCNSIG ;aka MAC_PCU_BCN_RSSI_CTL 02801Ch (07h) - REG_USEC ;aka MAC_PCU_USEC_LATENCY 028020h (08h) - REG_BEACON 028024h (09h) - REG_CFP_PERIOD ;aka (MAC_???)PCU_MAX_CFP_DUR (?) 028028h (0Ah) - REG_TIMER0 02802Ch (0Bh) - REG_TIMER1 028030h (0Ch) - REG_TIMER2 028034h (0Dh) - REG_TIMER3 028038h (0Eh) - REG_CFP_DUR ;aka (MAC_???)PCU_MAX_CFP_DUR (?) 02803Ch (0Fh) - REG_RX_FILTER ;aka MAC_PCU_RX_FILTER 028040h (10h) - REG_MCAST_FIL0 ;aka MAC_PCU_MCAST_FILTER_L32 028044h (11h) - REG_MCAST_FIL1 ;aka MAC_PCU_MCAST_FILTER_U32 028048h (12h) - MAC_PCU_REG_DIAGSW ;aka MAC_PCU_DIAG_SW 02804Ch (13h) - REG_TSF_L32 028050h (14h) - REG_TSF_U32 028054h (15h) - REG_TST_ADDAC ;aka MAC_PCU_TST_ADDAC 028058h (16h) - REG_DEF_ANT ;aka MAC_PCU_DEF_ANTENNA 02805Ch (17h) - MAC_PCU_REG_MUTE_MASKS0 ;aka MAC_PCU_AES_MUTE_MASK_0 028060h (18h) - MAC_PCU_REG_MUTE_MASKS1 ;aka MAC_PCU_AES_MUTE_MASK_1 028064h (19h) - MAC_PCU_REG_GATED_CLKS ;aka MAC_PCU_GATED_CLKS 028068h (1Ah) - MAC_PCU_REG_OBS2 ;aka MAC_PCU_OBS_BUS_2 02806Ch (1Bh) - MAC_PCU_REG_OBS1 ;aka MAC_PCU_OBS_BUS_1 028070h (1Ch..1Fh) - N/A 028080h (20h) - REG_LAST_TSTP ;aka MAC_PCU_LAST_BEACON_TSF (?) 028084h (21h) - REG_NAV ;aka MAC_PCU_NAV 028088h (22h) - REG_RTS_OK ;aka MAC_PCU_RTS_SUCCESS_CNT 02808Ch (23h) - REG_RTS_FAIL ;aka MAC_PCU_RTS_FAIL_CNT 028090h (24h) - REG_ACK_FAIL ;aka MAC_PCU_ACK_FAIL_CNT 028094h (25h) - REG_FCS_FAIL ;aka MAC_PCU_FCS_FAIL_CNT 028098h (26h) - REG_BEACON_CNT ;aka MAC_PCU_BEACON_CNT 02809Ch (27h..2Fh) - N/A 0280C0h (30h) - MAC_PCU_REG_XRMODE ;aka MAC_PCU_XRMODE 0280C4h (31h) - MAC_PCU_REG_XRDEL ;aka MAC_PCU_XRDEL 0280C8h (32h) - MAC_PCU_REG_XRTO ;aka MAC_PCU_XRTO 0280CCh (33h) - MAC_PCU_REG_XRCRP ;aka MAC_PCU_XRCRP 0280D0h (34h) - MAC_PCU_REG_XRSTMP ;aka MAC_PCU_XRSTMP 0280D4h (35h) - MAC_PCU_REG_SLP1 ;aka MAC_PCU_SLP1 ;\moved to 0280D8h (36h) - MAC_PCU_REG_SLP2 ;aka MAC_PCU_SLP2 ; 004xxxh/005xxxh 0280DCh (37h) - (//MAC_PCU_REG_SLP3) ;aka MAC_PCU_SLP3 ;/in hw4/hw6 (!) 0280E0h (38h) - MAC_PCU_REG_BSSMSKL ;aka MAC_PCU_ADDR1_MASK_L32 0280E4h (39h) - MAC_PCU_REG_BSSMSKH ;aka MAC_PCU_ADDR1_MASK_U16 0280E8h (3Ah) - MAC_PCU_REG_TPC ;aka MAC_PCU_TPC 0280ECh (3Bh) - MAC_PCU_REG_TFC ;aka MAC_PCU_TX_FRAME_CNT 0280F0h (3Ch) - MAC_PCU_REG_RFC ;aka MAC_PCU_RX_FRAME_CNT 0280F4h (3Dh) - MAC_PCU_REG_RCC ;aka MAC_PCU_RX_CLEAR_CNT 0280F8h (3Eh) - MAC_PCU_REG_CC ;aka MAC_PCU_CYCLE_CNT 0280FCh (3Fh) - MAC_PCU_REG_QT1 ;aka MAC_PCU_QUIET_TIME_1 028100h (40h) - MAC_PCU_REG_QT2 ;aka MAC_PCU_QUIET_TIME_2 028104h (41h) - MAC_PCU_REG_TSF 028108h (42h) - MAC_PCU_REG_NOACK ;aka MAC_PCU_QOS_NO_ACK 02810Ch (43h) - MAC_PCU_REG_PHYERR ;aka MAC_PCU_PHY_ERROR_MASK 028110h (44h) - MAC_PCU_REG_XRLAT ;aka MAC_PCU_XRLAT 028114h (45h) - MAC_PCU_REG_ACKSIFS_RESERVED 028118h (46h) - MAC_PCU_REG_MICQOSCTL ;aka MAC_PCU_MIC_QOS_CONTROL 02811Ch (47h) - MAC_PCU_REG_MICQOSSEL ;aka MAC_PCU_MIC_QOS_SELECT 028120h (48h) - MAC_PCU_REG_MISCMODE ;aka MAC_PCU_MISC_MODE 028124h (49h) - MAC_PCU_REG_FILTOFDM ;aka MAC_PCU_FILTER_OFDM_CNT 028128h (4Ah) - MAC_PCU_REG_FILTCCK ;aka MAC_PCU_FILTER_CCK_CNT 02812Ch (4Bh) - MAC_PCU_REG_PHYCNT1 ;aka MAC_PCU_PHY_ERR_CNT_1 028130h (4Ch) - MAC_PCU_REG_PHYCNTMASK1 ;aka MAC_PCU_PHY_ERR_CNT_1_MASK 028134h (4Dh) - MAC_PCU_REG_PHYCNT2 ;aka MAC_PCU_PHY_ERR_CNT_2 028138h (4Eh) - MAC_PCU_REG_PHYCNTMASK2 ;aka MAC_PCU_PHY_ERR_CNT_2_MASK 02813Ch (4Fh) - MAC_PCU_REG_TSFTHRESH ;aka MAC_PCU_TSF_THRESHOLD 028140h (50h) - outcommented:MAC_PCU_REG_TSFCAL ;Misc 028144h (51h) - MAC_PCU_REG_PHYERR_EIFS ;aka MAC_PCU_PHY_ERROR_EIFS_MASK 028148h (52h) - outcommented:MAC_PCU_REG_SYNC1 ;Time 02814Ch (53h) - outcommented:MAC_PCU_REG_SYNC2 ;Misc 028150h (54h) - outcommented:MAC_PCU_REG_SYNC3 ;MCAST Addr_L 028154h (55h) - outcommented:MAC_PCU_REG_SYNC4 ;MCAST Addr_U 028158h (56h) - outcommented:MAC_PCU_REG_SYNC5 ;RX Time 02815Ch (57h) - outcommented:MAC_PCU_REG_SYNC6 ;INC 028160h (58h) - outcommented:MAC_PCU_REG_SYNC7 ;Last Time 028164h (59h) - outcommented:MAC_PCU_REG_SYNC8 ;Updated Time 028168h (5Ah) - MAC_PCU_REG_PHYCNT3 ;aka MAC_PCU_PHY_ERR_CNT_3 02816Ch (5Bh) - MAC_PCU_REG_PHYCNTMASK3 ;aka MAC_PCU_PHY_ERR_CNT_3_MASK 028170h (5Ch) - MAC_PCU_REG_BTMODE ;aka MAC_PCU_BLUETOOTH_MODE 028174h (5Dh) - MAC_PCU_REG_BTWEIGHT ;aka MAC_PCU_BLUETOOTH_WEIGHTS 028178h (5Eh) - MAC_PCU_REG_HCF ;aka MAC_PCU_HCF_TIMEOUT 02817Ch (5Fh) - MAC_PCU_REG_BTMODE2 ;aka MAC_PCU_BLUETOOTH_MODE2 028180h (60h..67h) - MAC_PCU_REG_BFCOEF1[0..7] 0281A0h (68h..6Fh) - N/A 0281C0h (70h) - MAC_PCU_REG_BFCOEF2 0281C4h (71h) - MAC_PCU_REG_KCMASK 0281C8h (72h..73h) - N/A 0281D0h (74h) - MAC_PCU_REG_TXSIFS ;aka MAC_PCU_TXSIFS 0281D4h (75h..7Ah) - N/A 0281ECh (7Bh) - MAC_PCU_REG_TXOP_X ;aka MAC_PCU_TXOP_X 0281F0h (7Ch) - MAC_PCU_REG_TXOP_0_3 ;aka MAC_PCU_TXOP_0_3 0281F4h (7Dh) - MAC_PCU_REG_TXOP_4_7 ;aka MAC_PCU_TXOP_4_7 0281F8h (7Eh) - MAC_PCU_REG_TXOP_8_11 ;aka MAC_PCU_TXOP_8_11 0281FCh (7Fh) - MAC_PCU_REG_TXOP_12_15 ;aka MAC_PCU_TXOP_12_15 028200h (80h..87h) - MAC_PCU_REG_GNRCTMR_N[0..7] ;aka GENERIC_TIMERSxxx? 028220h (88h..8Fh) - MAC_PCU_REG_GNRCTMR_P[0..7] ;aka GENERIC_TIMERSxxx? 028240h (90h) - MAC_PCU_REG_GNRCTMR_M ;aka MAC_PCU_GENERIC_TIMERS_MODE 028244h (91h) - MAC_PCU_REG_SLP32_MODE 028248h (92h) - MAC_PCU_REG_SLP32_WAKE 02824Ch (93h) - MAC_PCU_REG_SLP32_TSF_INC 028250h (94h) - MAC_PCU_REG_SLPMIB1 028254h (95h) - MAC_PCU_REG_SLPMIB2 028258h (96h) - MAC_PCU_REG_SLPMIB3 02825Ch (97h) - MAC_PCU_REG_MISCMODE2 ;aka MAC_PCU_MISC_MODE2 028260h (98h) - MAC_PCU_REG_SLP4 028264h (99h) - MAC_PCU_REG_SLP5 028268h (9Ah) - MAC_PCU_REG_MCICTL ;\ 02826Ch (9Bh) - MAC_PCU_REG_MCIISR ; 028270h (9Ch) - MAC_PCU_REG_MCIIER ; 028274h (9Dh) - MAC_PCU_REG_MCIWLP ; 028278h (9Eh) - MAC_PCU_REG_MCIARW ; 02827Ch (9Fh) - MAC_PCU_REG_MCIARR ; whatever MCI stuff 028280h (A0h) - MAC_PCU_REG_MCIADW ; 028284h (A1h) - MAC_PCU_REG_MCIADR ; 028288h (A2h) - MAC_PCU_REG_MCIFRW ; 02828Ch (A3h) - MAC_PCU_REG_MCIFRR ; 028290h (A4h) - MAC_PCU_REG_MCIQRW ; 028294h (A5h) - MAC_PCU_REG_MCIQRR ; 028298h (A6h) - MAC_PCU_REG_MCIGRW ; 02829Ch (A7h) - MAC_PCU_REG_MCIGRR ; 0282A0h (A8h) - MAC_PCU_REG_MCISTAT ;/ 0282A4h (A9h) - MAC_PCU_REG_BASIC_RATE_SET0 ;aka MAC_PCU_BASIC_RATE_SET0 0282A8h (AAh) - MAC_PCU_REG_BASIC_RATE_SET1 ;aka MAC_PCU_BASIC_RATE_SET1 0282ACh (ABh) - MAC_PCU_REG_BASIC_RATE_SET2 ;aka MAC_PCU_BASIC_RATE_SET2 0282B0h (ACh) - MAC_PCU_REG_SEC_BSSID_L32 ;aka MAC_PCU_BSSID2_L32 0282B4h (ADh) - MAC_PCU_REG_SEC_BSSID_U16 ;aka MAC_PCU_BSSID2_U16 0282B8h (AEh..13Fh) - N/A 028500h (140h..17Fh) - MAC_PCU_REG_FTYPE[0..3Fh] 028600h (180h..19Fh) - N/A 028680h (1A0h..1BFh) - MAC_PCU_REG_ACKSIFSMEM_RESERVED[0..1Fh] 028700h (1C0h..1DFh) - MAC_PCU_REG_DUR[0..1Fh] 028780h (1E0h..1EFh) - N/A 0287C0h (1F0h..1F7h) - MAC_PCU_REG_RTD[0..7] 0287E0h (1F8h..1FFh) - MAC_PCU_REG_DTR[0..7] 028800h (200h..5FFh) - MAC_PCU_REG_KC[0..3FFh] 029800h (600h..) - maybe something else comes here? |
| DSi Atheros Wifi - Internal I/O Map Summary (hw4.0) |
004000h 2E8h (rtc_wlan_reg.h) 008000h 630h Memory Controller (BCAM) (vmc_wlan_reg.h) 00C000h 14h (uart_reg.h) 00D000h .. DBG_UART_BASE_ADDRESS ;another UART, as above, for debug? 00E000h 38h (umbox_wlan_reg.h) 010000h 18h (si_reg.h) 014000h BCh (gpio_athr_wlan_reg.h) 018000h 12Ch (mbox_wlan_reg.h) 01A000h 20000h WLAN_HOST_IF_WINDOW (mbox_wlan_reg.h) 01C000h 748h (analog_intf_athr_wlan_reg.h) 020000h DCh WMAC DMA and IRQ (mac_dma_reg.h) 020800h 244h WMAC QCU Queue (mac_dma_reg.h) 021000h 274h WMAC DCU (mac_dma_reg.h) 028000h C00h MAC_PCU (mac_pcu_reg.h) 029800h 800h MAC_PCU_BASEBAND_0 (bb_lc_reg.h) 02A000h 1210h MAC_PCU_BASEBAND_1 (bb_lc_reg.h) 02C000h 1000h MAC_PCU_BASEBAND_2 (mac_pcu_reg.h) 02D000h 1000h MAC_PCU_BASEBAND_3 (mac_pcu_reg.h) 02E000h 800h MAC_PCU_BUF (mac_pcu_reg.h) 030100h 68h (rdma_reg.h) 031000h 1000h (efuse_reg.h) |
004000h 4 WLAN_RESET_CONTROL 004004h 4 WLAN_XTAL_CONTROL 004008h 4 WLAN_TCXO_DETECT 00400Ch 4 WLAN_XTAL_TEST 004010h 4 WLAN_QUADRATURE 004014h 4 WLAN_PLL_CONTROL 004018h 4 WLAN_PLL_SETTLE 00401Ch 4 WLAN_XTAL_SETTLE 004020h 4 WLAN_CPU_CLOCK 004024h 4 WLAN_CLOCK_OUT 004028h 4 WLAN_CLOCK_CONTROL 00402Ch 4 WLAN_BIAS_OVERRIDE 004030h 4 WLAN_WDT_CONTROL ;\ 004034h 4 WLAN_WDT_STATUS ; 004038h 4 WLAN_WDT ; Watchdog Timer 00403Ch 4 WLAN_WDT_COUNT ; 004040h 4 WLAN_WDT_RESET ;/ 004044h 4 WLAN_INT_STATUS ;-Interrupt Status 004048h 4 WLAN_LF_TIMER0 ;\ 00404Ch 4 WLAN_LF_TIMER_COUNT0 ; Low-Freq Timer 0 004050h 4 WLAN_LF_TIMER_CONTROL0 ; 004054h 4 WLAN_LF_TIMER_STATUS0 ;/ 004058h 4 WLAN_LF_TIMER1 ;\ 00405Ch 4 WLAN_LF_TIMER_COUNT1 ; Low-Freq Timer 1 004060h 4 WLAN_LF_TIMER_CONTROL1 ; 004064h 4 WLAN_LF_TIMER_STATUS1 ;/ 004068h 4 WLAN_LF_TIMER2 ;\ 00406Ch 4 WLAN_LF_TIMER_COUNT2 ; Low-Freq Timer 2 004070h 4 WLAN_LF_TIMER_CONTROL2 ; 004074h 4 WLAN_LF_TIMER_STATUS2 ;/ 004078h 4 WLAN_LF_TIMER3 ;\ 00407Ch 4 WLAN_LF_TIMER_COUNT3 ; Low-Freq Timer 3 004080h 4 WLAN_LF_TIMER_CONTROL3 ; 004084h 4 WLAN_LF_TIMER_STATUS3 ;/ 004088h 4 WLAN_HF_TIMER ;\ 00408Ch 4 WLAN_HF_TIMER_COUNT ; High-Freq Timer 004090h 4 WLAN_HF_LF_COUNT ;<-- ; 004094h 4 WLAN_HF_TIMER_CONTROL ; 004098h 4 WLAN_HF_TIMER_STATUS ;/ 00409Ch 4 WLAN_RTC_CONTROL ;\ 0040A0h 4 WLAN_RTC_TIME ; 0040A4h 4 WLAN_RTC_DATE ; 0040A8h 4 WLAN_RTC_SET_TIME ; Real-Time Clock 0040ACh 4 WLAN_RTC_SET_DATE ; 0040B0h 4 WLAN_RTC_SET_ALARM ; 0040B4h 4 WLAN_RTC_CONFIG ; 0040B8h 4 WLAN_RTC_ALARM_STATUS ;/ 0040BCh 4 WLAN_UART_WAKEUP 0040C0h 4 WLAN_RESET_CAUSE 0040C4h 4 WLAN_SYSTEM_SLEEP 0040C8h 4 WLAN_SDIO_WRAPPER 0040CCh 4 WLAN_MAC_SLEEP_CONTROL 0040D0h 4 WLAN_KEEP_AWAKE 0040D4h 4 WLAN_LPO_CAL_TIME ;\ 0040D8h 4 WLAN_LPO_INIT_DIVIDEND_INT ; 0040DCh 4 WLAN_LPO_INIT_DIVIDEND_FRACTION ; LPO 0040E0h 4 WLAN_LPO_CAL ; 0040E4h 4 WLAN_LPO_CAL_TEST_CONTROL ; 0040E8h 4 WLAN_LPO_CAL_TEST_STATUS ;/ 0040ECh 4 WLAN_CHIP_ID ;-Chip ID 0040F0h 4 WLAN_DERIVED_RTC_CLK 0040F4h 4 MAC_PCU_SLP32_MODE ;\ 0040F8h 4 MAC_PCU_SLP32_WAKE ; 0040FCh 4 MAC_PCU_SLP32_INC ; 004100h 4 MAC_PCU_SLP_MIB1 ; 004104h 4 MAC_PCU_SLP_MIB2 ; 004108h 4 MAC_PCU_SLP_MIB3 ;/ 00410Ch 4 WLAN_POWER_REG ;\located here in hw4.0 004110h 4 WLAN_CORE_CLK_CTRL ; (other address as in hw2.0) 004114h 4 WLAN_GPIO_WAKEUP_CONTROL ;/ (below 4118h..42E8h is new in hw4.0, didn't exist in hw2.0) 004118h 4 (WLAN_)HT 00411Ch 4 MAC_PCU_TSF_L32 004120h 4 MAC_PCU_TSF_U32 004124h 4 MAC_PCU_WBTIMER 004128h 1x24 PAD0 004140h 4x16 MAC_PCU_GENERIC_TIMERS[0..15] 004180h 4 MAC_PCU_GENERIC_TIMERS_MODE 004184h 1x60 PAD1 0041C0h 4x16 MAC_PCU_GENERIC_TIMERS2[0..15] 004200h 4 MAC_PCU_GENERIC_TIMERS_MODE2 004204h 4 MAC_PCU_SLP1 004208h 4 MAC_PCU_SLP2 00420Ch 4 MAC_PCU_RESET_TSF 004210h 4 MAC_PCU_TSF_ADD_PLL 004214h 4 SLEEP_RETENTION 004218h 4 BTCOEXCTRL ;\ 00421Ch 4 WBSYNC_PRIORITY1 ; 004220h 4 WBSYNC_PRIORITY2 ; 004224h 4 WBSYNC_PRIORITY3 ; 004228h 4 BTCOEX0 ;SYNC_DUR ; 00422Ch 4 BTCOEX1 ;CLK_THRES ; 004230h 4 BTCOEX2 ;FRAME_THRES ; Bluetooth 004234h 4 BTCOEX3 ;CLK_CNT ; Coexistance 004238h 4 BTCOEX4 ;FRAME_CNT ; 00423Ch 4 BTCOEX5 ;IDLE_CNT ; 004240h 4 BTCOEX6 ;IDLE_RESET_LVL_BITMAP ; 004244h 4 LOCK ; 004248h 4 NOLOCK_PRIORITY ; 00424Ch 4 WBSYNC ; 004250h 4 WBSYNC1 ; 004254h 4 WBSYNC2 ; 004258h 4 WBSYNC3 ; 00425Ch 4 WB_TIMER_TARGET ; 004260h 4 WB_TIMER_SLOP ; 004264h 4 BTCOEX_INT_EN ; 004268h 4 BTCOEX_INT_STAT ; 00426Ch 4 BTPRIORITY_INT_EN ; 004270h 4 BTPRIORITY_INT_STAT ; 004274h 4 BTPRIORITY_STOMP_INT_EN ; 004278h 4 BTPRIORITY_STOMP_INT_STAT ;/ 00427Ch 4 MAC_PCU_BMISS_TIMEOUT 004280h 4 MAC_PCU_CAB_AWAKE 004284h 4 LP_PERF_COUNTER 004288h 4 LP_PERF_LIGHT_SLEEP 00428Ch 4 LP_PERF_DEEP_SLEEP 004290h 4 LP_PERF_ON 004294h 4 ST_64_BIT ;\ 004298h 4 MESSAGE_WR ; also Bluetooth Coex 00429Ch 4 MESSAGE_WR_P ; related? (sorted as 0042A0h 4 MESSAGE_RD ; so in hw6 files) 0042A4h 4 MESSAGE_RD_P ;/ 0042A8h 4 CHIP_MODE 0042ACh 4 CLK_REQ_FALL_EDGE 0042B0h 4 OTP 0042B4h 4 OTP_STATUS 0042B8h 4 PMU 0042BCh 1x4 PAD2 0042C0h 4x2 PMU_CONFIG[0..1] 0042C8h 4 PMU_BYPASS 0042CCh 4 MAC_PCU_TSF2_L32 0042D0h 4 MAC_PCU_TSF2_U32 0042D4h 4 MAC_PCU_GENERIC_TIMERS_MODE3 0042D8h 4 MAC_PCU_DIRECT_CONNECT 0042DCh 4 THERM_CTRL1 0042E0h 4 THERM_CTRL2 0042E4h 4 THERM_CTRL3 0042E8h - unused/unspecified |
008000h 4x128 WLAN_MC_BCAM_VALID[0..127] ;\ 008200h 4x128 WLAN_MC_BCAM_COMPARE[0..127] ; ROM Patches 008400h 4x128 WLAN_MC_BCAM_TARGET[0..127] ;/ 008600h 4 WLAN_APB_ADDR_ERROR_CONTROL ;\ 008604h 4 WLAN_APB_ADDR_ERROR_STATUS ; ADDR_ERROR 008608h 4 WLAN_AHB_ADDR_ERROR_CONTROL ; 00860Ch 4 WLAN_AHB_ADDR_ERROR_STATUS ;/ 008610h 4 WLAN_BCAM_CONFLICT_ERROR 008614h 4 WLAN_CPU_PERF_CNT 008618h 4 WLAN_CPU_INST_FETCH 00861Ch 4 WLAN_CPU_DATA_FETCH 008620h 4 WLAN_CPU_RAM1_CONFLICT 008624h 4 WLAN_CPU_RAM2_CONFLICT 008628h 4 WLAN_CPU_RAM3_CONFLICT 00862Ch 4 WLAN_CPU_RAM4_CONFLICT 008630h - unused/unspecified |
00C000h 4 UART_DATA 00C004h 4 UART_CONTROL 00C008h 4 UART_CLKDIV 00C00Ch 4 UART_INT 00C010h 4 UART_INT_EN 00C014h - unused/unspecified 00D000h .. DBG_UART_BASE_ADDRESS ;another UART, as above, for debug? 00Dxxxh - unused/unspecified |
00E000h 4x2 UMBOX_FIFO[0..1] 00E008h 4 UMBOX_FIFO_STATUS 00E00Ch 4 UMBOX_DMA_POLICY 00E010h 4 UMBOX0_DMA_RX_DESCRIPTOR_BASE 00E014h 4 UMBOX0_DMA_RX_CONTROL 00E018h 4 UMBOX0_DMA_TX_DESCRIPTOR_BASE 00E01Ch 4 UMBOX0_DMA_TX_CONTROL 00E020h 4 UMBOX_FIFO_TIMEOUT 00E024h 4 UMBOX_INT_STATUS 00E028h 4 UMBOX_INT_ENABLE 00E02Ch 4 UMBOX_DEBUG 00E030h 4 UMBOX_FIFO_RESET 00E034h 4 UMBOX_HCI_FRAMER 00E038h - unused/unspecified |
010000h 4 SI_CONFIG 010004h 4 SI_CS 010008h 4 SI_TX_DATA0 01000Ch 4 SI_TX_DATA1 010010h 4 SI_RX_DATA0 010014h 4 SI_RX_DATA1 010018h - unused/unspecified |
014000h 4 WLAN_GPIO_OUT ;\GPIO Output Data 014004h 4 WLAN_GPIO_OUT_W1TS ; (direct, and Write-1-To-Set/Clr) 014008h 4 WLAN_GPIO_OUT_W1TC ;/ 01400Ch 4 WLAN_GPIO_ENABLE ;\GPIO Output Enable 014010h 4 WLAN_GPIO_ENABLE_W1TS ; (direct, and Write-1-To-Set/Clr) 014014h 4 WLAN_GPIO_ENABLE_W1TC ;/ 014018h 4 WLAN_GPIO_IN ;-GPIO Input 01401Ch 4 WLAN_GPIO_STATUS ;\GPIO Interrupt Status 014020h 4 WLAN_GPIO_STATUS_W1TS ; (direct, and Write-1-To-Set/Clr) 014024h 4 WLAN_GPIO_STATUS_W1TC ;/ 014028h 4 WLAN_GPIO_PIN0 ;GPIO0 Bluetooth coex BT_FREQUENCY 01402Ch 4 WLAN_GPIO_PIN1 ;GPIO1 Bluetooth coex WLAN_ACTIVE 014030h 4 WLAN_GPIO_PIN2 ;GPIO2 Bluetooth coex BT_ACTIVE I2C SCL 014034h 4 WLAN_GPIO_PIN3 ;GPIO3 Bluetooth coex BT_PRIORITY I2C SDA 014038h 4 WLAN_GPIO_PIN4 ;GPIO4 - 01403Ch 4 WLAN_GPIO_PIN5 ;GPIO5 JTAG TMS input 014040h 4 WLAN_GPIO_PIN6 ;GPIO6 JTAG TCK input 014044h 4 WLAN_GPIO_PIN7 ;GPIO7 JTAG TDI input 014048h 4 WLAN_GPIO_PIN8 ;GPIO8 JTAG TDO output 01404Ch 4 WLAN_GPIO_PIN9 ;GPIO9 SDIO CMD 014050h 4 WLAN_GPIO_PIN10 ;GPIO10 SDIO D3 014054h 4 WLAN_GPIO_PIN11 ;GPIO11 SDIO D2 014058h 4 WLAN_GPIO_PIN12 ;GPIO12 SDIO D1 01405Ch 4 WLAN_GPIO_PIN13 ;GPIO13 SDIO D0 014060h 4 WLAN_GPIO_PIN14 ;GPIO14 SDIO CLK 014064h 4 WLAN_GPIO_PIN15 ;GPIO15 HCI UART TXD 014068h 4 WLAN_GPIO_PIN16 ;GPIO16 HCI UART RTS 01406Ch 4 WLAN_GPIO_PIN17 ;GPIO17 HCI UART RXD 014070h 4 WLAN_GPIO_PIN18 ;GPIO18 HCI UART CTS 014074h 4 WLAN_GPIO_PIN19 ;GPIO19 SDIO/GSPI interface select 014078h 4 WLAN_GPIO_PIN20 ;GPIO20 SDIO/GSPI interface select 01407Ch 4 WLAN_GPIO_PIN21 ;GPIO21 external input sleep clock 014080h 4 WLAN_GPIO_PIN22 ;GPIO22 wake on wireless input (WOW) 014084h 4 WLAN_GPIO_PIN23 ;GPIO23 reference clk output to BT chip 014088h 4 WLAN_GPIO_PIN24 ;GPIO24 request clk from BT chip 01408Ch 4 WLAN_GPIO_PIN25 ;GPIO25 request reference clk (CLK_REQ) 014090h 4 SDIO 014094h 4 FUNC_BUS 014098h 4 WL_SOC_APB 01409Ch 4 WLAN_SIGMA_DELTA 0140A0h 4 WL_BOOTSTRAP 0140A4h 4 CLOCK_GPIO 0140A8h 4 WLAN_DEBUG_CONTROL 0140ACh 4 WLAN_DEBUG_INPUT_SEL 0140B0h 4 WLAN_DEBUG_OUT 0140B4h 4 WLAN_RESET_TUPLE_STATUS 0140B8h 4 ANTENNA_SLEEP_CONTROL 0140BCh - unused/unspecified |
018000h 4x4 WLAN_MBOX_FIFO[0..3] 018010h 4 WLAN_MBOX_FIFO_STATUS 018014h 4 WLAN_MBOX_DMA_POLICY 018018h 4 WLAN_MBOX0_DMA_RX_DESCRIPTOR_BASE ;\ 01801Ch 4 WLAN_MBOX0_DMA_RX_CONTROL ; MBOX 0 018020h 4 WLAN_MBOX0_DMA_TX_DESCRIPTOR_BASE ; 018024h 4 WLAN_MBOX0_DMA_TX_CONTROL ;/ 018028h 4 WLAN_MBOX1_DMA_RX_DESCRIPTOR_BASE ;\ 01802Ch 4 WLAN_MBOX1_DMA_RX_CONTROL ; MBOX 1 018030h 4 WLAN_MBOX1_DMA_TX_DESCRIPTOR_BASE ; 018034h 4 WLAN_MBOX1_DMA_TX_CONTROL ;/ 018038h 4 WLAN_MBOX2_DMA_RX_DESCRIPTOR_BASE ;\ 01803Ch 4 WLAN_MBOX2_DMA_RX_CONTROL ; MBOX 2 018040h 4 WLAN_MBOX2_DMA_TX_DESCRIPTOR_BASE ; 018044h 4 WLAN_MBOX2_DMA_TX_CONTROL ;/ 018048h 4 WLAN_MBOX3_DMA_RX_DESCRIPTOR_BASE ;\ 01804Ch 4 WLAN_MBOX3_DMA_RX_CONTROL ; MBOX 3 018050h 4 WLAN_MBOX3_DMA_TX_DESCRIPTOR_BASE ; 018054h 4 WLAN_MBOX3_DMA_TX_CONTROL ;/ 018058h 4 WLAN_MBOX_INT_STATUS ;\Interrupt 01805Ch 4 WLAN_MBOX_INT_ENABLE ;/ 018060h 4 WLAN_INT_HOST ;IRQ to sdio/host 018064h 1x28 PAD0 018080h 4x8 WLAN_LOCAL_COUNT[0..7] ;SDIO func1 ? 0180A0h 4x8 WLAN_COUNT_INC[0..7] ;SDIO func1 ? 0180C0h 4x8 WLAN_LOCAL_SCRATCH[0..7] ;SDIO func1 ? 0180E0h 4 WLAN_USE_LOCAL_BUS 0180E4h 4 WLAN_SDIO_CONFIG ;SDIO func0 ? 0180E8h 4 WLAN_MBOX_DEBUG 0180ECh 4 WLAN_MBOX_FIFO_RESET 0180F0h 4x4 WLAN_MBOX_TXFIFO_POP[0..3] 018100h 4x4 WLAN_MBOX_RXFIFO_POP[0..3] 018110h 4 WLAN_SDIO_DEBUG 018114h 4 WLAN_GMBOX0_DMA_RX_DESCRIPTOR_BASE ;\ 018118h 4 WLAN_GMBOX0_DMA_RX_CONTROL ; 01811Ch 4 WLAN_GMBOX0_DMA_TX_DESCRIPTOR_BASE ; new (unlike hw2.0) 018120h 4 WLAN_GMBOX0_DMA_TX_CONTROL ; 018124h 4 WLAN_GMBOX_INT_STATUS ; 018128h 4 WLAN_GMBOX_INT_ENABLE ;/ 01812Ch 1x7892 PAD1 01A000h 4x2048 WLAN_HOST_IF_WINDOW[0..2047] |
01C000h 4 RXRF_BIAS1 01C004h 4 RXRF_BIAS2 01C008h 4 RXRF_GAINSTAGES 01C00Ch 4 RXRF_AGC 01C010h 1x48 PAD__0 01C040h 4 TXRF1 01C044h 4 TXRF2 01C048h 4 TXRF3 01C04Ch 4 TXRF4 01C050h 4 TXRF5 01C054h 4 TXRF6 01C058h 4 TXRF7 ;PADRVGNTAB_0..4 ;\ 01C05Ch 4 TXRF8 ;PADRVGNTAB_5..9 ; 01C060h 4 TXRF9 ;PADRVGNTAB_10..14 ;/ 01C064h 4 TXRF10 01C068h 4 TXRF11 01C06Ch 4 TXRF12 01C070h 1x16 PAD__1 01C080h 4 SYNTH1 01C084h 4 SYNTH2 01C088h 4 SYNTH3 01C08Ch 4 SYNTH4 01C090h 4 SYNTH5 01C094h 4 SYNTH6 01C098h 4 SYNTH7 01C09Ch 4 SYNTH8 01C0A0h 4 SYNTH9 01C0A4h 4 SYNTH10 01C0A8h 4 SYNTH11 01C0ACh 4 SYNTH12 01C0B0h 4 SYNTH13 01C0B4h 4 SYNTH14 01C0B8h 1x8 PAD__2 01C0C0h 4 BIAS1 01C0C4h 4 BIAS2 01C0C8h 4 BIAS3 01C0CCh 4 BIAS4 01C0D0h 1x48 PAD__3 01C100h 4 RXTX1 01C104h 4 RXTX2 01C108h 4 RXTX3 01C10Ch 1x52 PAD__4 01C140h 4 BB1 01C144h 4 BB2 01C148h 4 BB3 01C14Ch 1x308 PAD__5 01C280h 4 PLLCLKMODA 01C284h 4 PLLCLKMODA2 01C288h 4 TOP 01C28Ch 4 THERM 01C290h 4 XTAL 01C294h 1x236 PAD__6 01C380h 4 RBIST_CNTRL ;with extra bit in newer revision 01C384h 4 TX_DC_OFFSET 01C388h 4 TX_TONEGEN0 01C38Ch 4 TX_TONEGEN1 01C390h 4 TX_LFTONEGEN0 01C394h 4 TX_LINEAR_RAMP_I 01C398h 4 TX_LINEAR_RAMP_Q 01C39Ch 4 TX_PRBS_MAG 01C3A0h 4 TX_PRBS_SEED_I 01C3A4h 4 TX_PRBS_SEED_Q 01C3A8h 4 CMAC_DC_CANCEL 01C3ACh 4 CMAC_DC_OFFSET 01C3B0h 4 CMAC_CORR 01C3B4h 4 CMAC_POWER 01C3B8h 4 CMAC_CROSS_CORR 01C3BCh 4 CMAC_I2Q2 01C3C0h 4 CMAC_POWER_HPF 01C3C4h 4 RXDAC_SET1 01C3C8h 4 RXDAC_SET2 01C3CCh 4 RXDAC_LONG_SHIFT 01C3D0h 4 CMAC_RESULTS_I 01C3D4h 4 CMAC_RESULTS_Q 01C3D8h 1x872 PAD__7 01C740h 4 PMU1 01C744h 4 PMU2 01C748h - unused/unspecified |
020000h 1x8 - 020008h 4 MAC_DMA_CR - MAC Control Register 02000Ch 4 MAC_DMA_RXDP - MAC receive queue descriptor pointer 020010h 4 - 020014h 4 MAC_DMA_CFG - MAC configuration and status register 020018h 4 - 02001Ch 4 - 020020h 4 MAC_DMA_MIRT - Maximum rate threshold register 020024h 4 MAC_DMA_IER - MAC Interrupt enable register 020028h 4 MAC_DMA_TIMT - Transmit Interrupt Mitigation Threshold 02002Ch 4 MAC_DMA_RIMT - Receive Interrupt Mitigation Threshold 020030h 4 MAC_DMA_TXCFG - MAC tx DMA size config register 020034h 4 MAC_DMA_RXCFG - MAC rx DMA size config register 020038h 4 - 02003Ch 4 - 020040h 4 MAC_DMA_MIBC - MAC MIB control register 020044h 4 MAC_DMA_TOPS - MAC timeout prescale count 020048h 4 MAC_DMA_RXNPTO - MAC no frame received timeout 02004Ch 4 MAC_DMA_TXNPTO - MAC no frame trasmitted timeout 020050h 4 MAC_DMA_RPGTO - MAC receive frame gap timeout 020054h 4 MAC_DMA_RPCNT - MAC receive frame count limit 020058h 4 MAC_DMA_MACMISC - MAC miscellaneous control/status register 02005Ch .. - MAC IRQ... 020080h 4 MAC_DMA_ISR - Primary Interrupt Status Register ;\ 020084h 4 MAC_DMA_ISR_S0 - Secondary Interrupt 0 Status TX OK/DESC ; 020088h 4 MAC_DMA_ISR_S1 - Secondary Interrupt 1 Status TX ERR/EOL ; 02008Ch 4 MAC_DMA_ISR_S2 - Secondary Interrupt 2 Status TX URN/MISC ; 020090h 4 MAC_DMA_ISR_S3 - Secondary Interrupt 3 Status QCBR OVF/URN ; 020094h 4 MAC_DMA_ISR_S4 - Secondary Interrupt 4 Status QTRIG ; 020098h 4 MAC_DMA_ISR_S5 - Secondary Interrupt 5 Status TIMERS ;/ 02009Ch 4 - 0200A0h 4 MAC_DMA_IMR - Primary Interrupt Mask Register ;\ 0200A4h 4 MAC_DMA_IMR_S0 - Secondary Interrupt 0 Mask TX OK/DESC ; 0200A8h 4 MAC_DMA_IMR_S1 - Secondary Interrupt 1 Mask TX ERR/EOL ; 0200ACh 4 MAC_DMA_IMR_S2 - Secondary Interrupt 2 Mask TX URN/MISC ; 0200B0h 4 MAC_DMA_IMR_S3 - Secondary Interrupt 3 Mask QCBR OVF/URN ; 0200B4h 4 MAC_DMA_IMR_S4 - Secondary Interrupt 4 Mask QTRIG ; 0200B8h 4 MAC_DMA_IMR_S5 - Secondary Interrupt 5 Mask TIMERS ;/ 0200BCh 4 - 0200C0h 4 MAC_DMA_ISR_RAC - Primary Interrupt Read-and-Clear ;\ 0200C4h 4 MAC_DMA_ISR_S0_S - Secondary 0 Read-and-Clear TX OK/DESC ; 0200C8h 4 MAC_DMA_ISR_S1_S - Secondary 1 Read-and-Clear TX ERR/EOL ; 0200CCh 4 MAC_DMA_ISR_S2_S - Secondary 2 Read-and-Clear TX URN/MISC ; 0200D0h 4 MAC_DMA_ISR_S3_S - Secondary 3 Read-and-Clear QCBR OVF/URN ; 0200D4h 4 MAC_DMA_ISR_S4_S - Secondary 4 Read-and-Clear QTRIG ; 0200D8h 4 MAC_DMA_ISR_S5_S - Secondary 5 Read-and-Clear TIMERS ;/ 0200DCh .. - MAC QCU... 020800h 4x10 MAC_DMA_Q(0..9)_TXDP ;MAC Transmit Queue descr.ptr 020828h .. - 020840h 4 MAC_DMA_Q_TXE ;MAC Transmit Queue enable 020844h .. - 020880h 4 MAC_DMA_Q_TXD ;MAC Transmit Queue disable 020884h .. - 0208C0h 4x10 MAC_DMA_Q(0..9)_CBRCFG ;MAC CBR configuration 0208E8h .. - 020900h 4x10 MAC_DMA_Q(0..9)_RDYTIMECFG ;MAC ReadyTime configuration 020928h .. - 020940h 4 MAC_DMA_Q_ONESHOTMAC_DMAM_SC ;MAC OneShotArm set control 020944h .. - 020980h 4 MAC_DMA_Q_ONESHOTMAC_DMAM_CC ;MAC OneShotArm clear control 020984h .. - 0209C0h 4x10 MAC_DMA_Q(0..9)_MISC ;MAC Misc QCU settings 0209E8h .. - 020A00h 4x10 MAC_DMA_Q(0..9)_STS ;MAC Misc QCU status/counter 020A28h .. - 020A40h 4 MAC_DMA_Q_RDYTIMESHDN ;MAC ReadyTimeShutdown status 020A44h .. - MAC DCU... 021000h 4x10 MAC_DMA_D(0..9)_QCUMASK - MAC QCU Mask (DCU-to-QCU or so?) 021028h 8 - 021030h 4 MAC_DMA_D_GBL_IFS_SIFS - DCU global SIFS settings 021034h 12 - 021040h 4x10 MAC_DMA_D(0..9)_LCL_IFS - MAC DCU-specific IFS settings 021068h 8 - 021070h 4 MAC_DMA_D_GBL_IFS_SLOT - DC global slot interval 021074h 12 - 021080h 4x10 MAC_DMA_D(0..9)_RETRY_LIMIT - MAC Retry limits 0210A8h 8 - 0210B0h 4 MAC_DMA_D_GBL_IFS_EIFS - DCU global EIFS setting 0210B4h 12 - 0210C0h 4x10 MAC_DMA_D(0..9)_CHNTIME - MAC ChannelTime settings 0210E8h 8 - 0210F0h 4 MAC_DMA_D_GBL_IFS_MISC - DCU global misc. IFS settings 0210F4h 12 - 021100h 4x10 MAC_DMA_D(0..9)_MISC - MAC Misc DCU-specific settings 021128h .. - 021140h 4 MAC_DMA_D_SEQNUM - MAC Frame sequence number 021144h .. - 021180h 4x10 MAC_DMA_D(0..9)_EOL - 0211A8h .. - 021230h 4 MAC_DMA_D_FPCTL - DCU frame prefetch settings 021234h .. - 021270h 4 MAC_DMA_D_TXPSE - DCU transmit pause control/status 021274h .. - |
028000h 4 MAC_PCU_STA_ADDR_L32 028004h 4 MAC_PCU_STA_ADDR_U16 028008h 4 MAC_PCU_BSSID_L32 02800Ch 4 MAC_PCU_BSSID_U16 028010h 4 MAC_PCU_BCN_RSSI_AVE 028014h 4 MAC_PCU_ACK_CTS_TIMEOUT 028018h 4 MAC_PCU_BCN_RSSI_CTL 02801Ch 4 MAC_PCU_USEC_LATENCY 028020h 4 PCU_MAX_CFP_DUR 028024h 4 MAC_PCU_RX_FILTER 028028h 4 MAC_PCU_MCAST_FILTER_L32 02802Ch 4 MAC_PCU_MCAST_FILTER_U32 028030h 4 MAC_PCU_DIAG_SW 028034h 4 MAC_PCU_TST_ADDAC 028038h 4 MAC_PCU_DEF_ANTENNA 02803Ch 4 MAC_PCU_AES_MUTE_MASK_0 028040h 4 MAC_PCU_AES_MUTE_MASK_1 028044h 4 MAC_PCU_GATED_CLKS 028048h 4 MAC_PCU_OBS_BUS_2 02804Ch 4 MAC_PCU_OBS_BUS_1 028050h 4 MAC_PCU_DYM_MIMO_PWR_SAVE 028054h 4 MAC_PCU_LAST_BEACON_TSF 028058h 4 MAC_PCU_NAV 02805Ch 4 MAC_PCU_RTS_SUCCESS_CNT 028060h 4 MAC_PCU_RTS_FAIL_CNT 028064h 4 MAC_PCU_ACK_FAIL_CNT 028068h 4 MAC_PCU_FCS_FAIL_CNT 02806Ch 4 MAC_PCU_BEACON_CNT 028070h 4 MAC_PCU_XRMODE 028074h 4 MAC_PCU_XRDEL 028078h 4 MAC_PCU_XRTO 02807Ch 4 MAC_PCU_XRCRP 028080h 4 MAC_PCU_XRSTMP 028084h 4 MAC_PCU_ADDR1_MASK_L32 028088h 4 MAC_PCU_ADDR1_MASK_U16 02808Ch 4 MAC_PCU_TPC 028090h 4 MAC_PCU_TX_FRAME_CNT 028094h 4 MAC_PCU_RX_FRAME_CNT 028098h 4 MAC_PCU_RX_CLEAR_CNT 02809Ch 4 MAC_PCU_CYCLE_CNT 0280A0h 4 MAC_PCU_QUIET_TIME_1 0280A4h 4 MAC_PCU_QUIET_TIME_2 0280A8h 4 MAC_PCU_QOS_NO_ACK 0280ACh 4 MAC_PCU_PHY_ERROR_MASK 0280B0h 4 MAC_PCU_XRLAT 0280B4h 4 MAC_PCU_RXBUF 0280B8h 4 MAC_PCU_MIC_QOS_CONTROL 0280BCh 4 MAC_PCU_MIC_QOS_SELECT 0280C0h 4 MAC_PCU_MISC_MODE 0280C4h 4 MAC_PCU_FILTER_OFDM_CNT 0280C8h 4 MAC_PCU_FILTER_CCK_CNT 0280CCh 4 MAC_PCU_PHY_ERR_CNT_1 0280D0h 4 MAC_PCU_PHY_ERR_CNT_1_MASK 0280D4h 4 MAC_PCU_PHY_ERR_CNT_2 0280D8h 4 MAC_PCU_PHY_ERR_CNT_2_MASK 0280DCh 4 MAC_PCU_TSF_THRESHOLD 0280E0h 4 MAC_PCU_PHY_ERROR_EIFS_MASK 0280E4h 4 MAC_PCU_PHY_ERR_CNT_3 0280E8h 4 MAC_PCU_PHY_ERR_CNT_3_MASK 0280ECh 4 MAC_PCU_BLUETOOTH_MODE 0280F0h 4 MAC_PCU_BLUETOOTH_WEIGHTS 0280F4h 4 MAC_PCU_BLUETOOTH_MODE2 0280F8h 4 MAC_PCU_TXSIFS 0280FCh 4 MAC_PCU_TXOP_X 028100h 4 MAC_PCU_TXOP_0_3 028104h 4 MAC_PCU_TXOP_4_7 028108h 4 MAC_PCU_TXOP_8_11 02810Ch 4 MAC_PCU_TXOP_12_15 028110h 4 MAC_PCU_LOGIC_ANALYZER 028114h 4 MAC_PCU_LOGIC_ANALYZER_32L 028118h 4 MAC_PCU_LOGIC_ANALYZER_16U 02811Ch 4 MAC_PCU_PHY_ERR_CNT_MASK_CONT 028120h 4 MAC_PCU_AZIMUTH_MODE 028124h 4 MAC_PCU_20_40_MODE 028128h 4 MAC_PCU_RX_CLEAR_DIFF_CNT 02812Ch 4 MAC_PCU_SELF_GEN_ANTENNA_MASK 028130h 4 MAC_PCU_BA_BAR_CONTROL 028134h 4 MAC_PCU_LEGACY_PLCP_SPOOF 028138h 4 MAC_PCU_PHY_ERROR_MASK_CONT 02813Ch 4 MAC_PCU_TX_TIMER 028140h 4 MAC_PCU_TXBUF_CTRL 028144h 4 MAC_PCU_MISC_MODE2 ;with extra bit in newer revision 028148h 4 MAC_PCU_ALT_AES_MUTE_MASK 02814Ch 4 MAC_PCU_AZIMUTH_TIME_STAMP 028150h 4 MAC_PCU_MAX_CFP_DUR 028154h 4 MAC_PCU_HCF_TIMEOUT 028158h 4 MAC_PCU_BLUETOOTH_WEIGHTS2 02815Ch 4 MAC_PCU_BLUETOOTH_TSF_BT_ACTIVE 028160h 4 MAC_PCU_BLUETOOTH_TSF_BT_PRIORITY 028164h 4 MAC_PCU_BLUETOOTH_MODE3 028168h 4 MAC_PCU_BLUETOOTH_MODE4 02816Ch 1x148 PAD0 028200h 4x64 MAC_PCU_BT_BT[0..63] 028300h 4 MAC_PCU_BT_BT_ASYNC 028304h 4 MAC_PCU_BT_WL_1 028308h 4 MAC_PCU_BT_WL_2 02830Ch 4 MAC_PCU_BT_WL_3 028310h 4 MAC_PCU_BT_WL_4 028314h 4 MAC_PCU_COEX_EPTA 028318h 4 MAC_PCU_COEX_LNAMAXGAIN1 02831Ch 4 MAC_PCU_COEX_LNAMAXGAIN2 028320h 4 MAC_PCU_COEX_LNAMAXGAIN3 028324h 4 MAC_PCU_COEX_LNAMAXGAIN4 028328h 4 MAC_PCU_BASIC_RATE_SET0 02832Ch 4 MAC_PCU_BASIC_RATE_SET1 028330h 4 MAC_PCU_BASIC_RATE_SET2 028334h 4 MAC_PCU_BASIC_RATE_SET3 028338h 4 MAC_PCU_RX_INT_STATUS0 02833Ch 4 MAC_PCU_RX_INT_STATUS1 028340h 4 MAC_PCU_RX_INT_STATUS2 028344h 4 MAC_PCU_RX_INT_STATUS3 028348h 4 HT_HALF_GI_RATE1 02834Ch 4 HT_HALF_GI_RATE2 028350h 4 HT_FULL_GI_RATE1 028354h 4 HT_FULL_GI_RATE2 028358h 4 LEGACY_RATE1 02835Ch 4 LEGACY_RATE2 028360h 4 LEGACY_RATE3 028364h 4 RX_INT_FILTER ;with extra bit in newer revision 028368h 4 RX_INT_OVERFLOW 02836Ch 4 RX_FILTER_THRESH(0) 028370h 4 RX_FILTER_THRESH1 028374h 4 RX_PRIORITY_THRESH0 028378h 4 RX_PRIORITY_THRESH1 02837Ch 4 RX_PRIORITY_THRESH2 028380h 4 RX_PRIORITY_THRESH3 028384h 4 RX_PRIORITY_OFFSET0 028388h 4 RX_PRIORITY_OFFSET1 02838Ch 4 RX_PRIORITY_OFFSET2 028390h 4 RX_PRIORITY_OFFSET3 028394h 4 RX_PRIORITY_OFFSET4 028398h 4 RX_PRIORITY_OFFSET5 02839Ch 4 MAC_PCU_BSSID2_L32 0283A0h 4 MAC_PCU_BSSID2_U16 0283A4h 4 MAC_PCU_TSF1_STATUS_L32 0283A8h 4 MAC_PCU_TSF1_STATUS_U32 0283ACh 4 MAC_PCU_TSF2_STATUS_L32 0283B0h 4 MAC_PCU_TSF2_STATUS_U32 0283B4h 1x76 PAD1 028400h 4x64 MAC_PCU_TXBUF_BA[0..63] 028500h 1x768 PAD2 028800h 4x256 MAC_PCU_KEY_CACHE_1[0..255] 028C00h 1x3072 PAD3 029800h 4x512 MAC_PCU_BASEBAND_0[0..511] ;\aka BB_xxx ports 02A000h 4x2048 MAC_PCU_BASEBAND_1[0..2047] ;/(see below) 02C000h 4x1024 MAC_PCU_BASEBAND_2[0..1023] ;\ 02D000h 4x1024 MAC_PCU_BASEBAND_3[0..1023] ; after BB registers 02E000h 4x512 MAC_PCU_BUF[0..511] ;/ 02E800h - unused/unspecified |
"BASEBAND_0" 029800h 4 BB_TEST_CONTROLS 029804h 4 BB_GEN_CONTROLS 029808h 4 BB_TEST_CONTROLS_STATUS 02980Ch 4 BB_TIMING_CONTROLS_1 029810h 4 BB_TIMING_CONTROLS_2 029814h 4 BB_TIMING_CONTROLS_3 029818h 4 BB_D2_CHIP_ID 02981Ch 4 BB_ACTIVE 029820h 4 BB_TX_TIMING_1 029824h 4 BB_TX_TIMING_2 029828h 4 BB_TX_TIMING_3 02982Ch 4 BB_ADDAC_PARALLEL_CONTROL 029830h 1x4 PAD__1 029834h 4 BB_XPA_TIMING_CONTROL 029838h 4 BB_MISC_PA_CONTROL 02983Ch 4 BB_TSTDAC_CONSTANT 029840h 4 BB_FIND_SIGNAL_LOW 029844h 4 BB_SETTLING_TIME 029848h 4 BB_GAIN_FORCE_MAX_GAINS_B0 02984Ch 4 BB_GAINS_MIN_OFFSETS_B0 029850h 4 BB_DESIRED_SIGSIZE 029854h 4 BB_TIMING_CONTROL_3A 029858h 4 BB_FIND_SIGNAL 02985Ch 4 BB_AGC 029860h 4 BB_AGC_CONTROL 029864h 4 BB_CCA_B0 029868h 4 BB_SFCORR 02986Ch 4 BB_SELF_CORR_LOW 029870h 1x4 PAD__2 029874h 4 BB_SYNTH_CONTROL 029878h 4 BB_ADDAC_CLK_SELECT 02987Ch 4 BB_PLL_CNTL 029880h 1x128 PAD__3 029900h 4 BB_VIT_SPUR_MASK_A 029904h 4 BB_VIT_SPUR_MASK_B 029908h 4 BB_PILOT_SPUR_MASK 02990Ch 4 BB_CHAN_SPUR_MASK 029910h 4 BB_SPECTRAL_SCAN 029914h 4 BB_ANALOG_POWER_ON_TIME 029918h 4 BB_SEARCH_START_DELAY 02991Ch 4 BB_MAX_RX_LENGTH 029920h 4 BB_TIMING_CONTROL_4 029924h 4 BB_TIMING_CONTROL_5 029928h 4 BB_PHYONLY_WARM_RESET 02992Ch 4 BB_PHYONLY_CONTROL 029930h 1x4 PAD__4 029934h 4 BB_POWERTX_RATE1 ;Power TX 0..3 029938h 4 BB_POWERTX_RATE2 ;Power TX 4..7 02993Ch 4 BB_POWERTX_MAX ;Power TX Flags 029940h 4 BB_EXTENSION_RADAR 029944h 4 BB_FRAME_CONTROL 029948h 4 BB_TIMING_CONTROL_6 02994Ch 4 BB_SPUR_MASK_CONTROLS 029950h 4 BB_RX_IQ_CORR_B0 029954h 4 BB_RADAR_DETECTION 029958h 4 BB_RADAR_DETECTION_2 02995Ch 4 BB_TX_PHASE_RAMP_B0 029960h 4 BB_SWITCH_TABLE_CHN_B0 029964h 4 BB_SWITCH_TABLE_COM1 029968h 4 BB_CCA_CTRL_2_B0 02996Ch 4 BB_SWITCH_TABLE_COM2 029970h 4 BB_RESTART 029974h 1x4 PAD__5 029978h 4 BB_SCRAMBLER_SEED 02997Ch 4 BB_RFBUS_REQUEST 029980h 1x32 PAD__6 0299A0h 4 BB_TIMING_CONTROL_11 0299A4h 4 BB_MULTICHAIN_ENABLE 0299A8h 4 BB_MULTICHAIN_CONTROL 0299ACh 4 BB_MULTICHAIN_GAIN_CTRL 0299B0h 1x4 PAD__7 0299B4h 4 BB_ADC_GAIN_DC_CORR_B0 0299B8h 4 BB_EXT_CHAN_PWR_THR_1 0299BCh 4 BB_EXT_CHAN_PWR_THR_2_B0 0299C0h 4 BB_EXT_CHAN_SCORR_THR 0299C4h 4 BB_EXT_CHAN_DETECT_WIN 0299C8h 4 BB_PWR_THR_20_40_DET 0299CCh 1x4 PAD__8 0299D0h 4 BB_SHORT_GI_DELTA_SLOPE 0299D4h 1x8 PAD__9 0299DCh 4 BB_CHANINFO_CTRL 0299E0h 4 BB_HEAVY_CLIP_CTRL 0299E4h 4 BB_HEAVY_CLIP_20 0299E8h 4 BB_HEAVY_CLIP_40 0299ECh 4 BB_RIFS_SRCH 0299F0h 4 BB_IQ_ADC_CAL_MODE 0299F4h 1x8 PAD__10 0299FCh 4 BB_PER_CHAIN_CSD 029A00h 4x128 BB_RX_OCGAIN[0..127] 029C00h 4 BB_TX_CRC 029C04h 1x12 PAD__11 029C10h 4 BB_IQ_ADC_MEAS_0_B0 029C14h 4 BB_IQ_ADC_MEAS_1_B0 029C18h 4 BB_IQ_ADC_MEAS_2_B0 029C1Ch 4 BB_IQ_ADC_MEAS_3_B0 029C20h 4 BB_RFBUS_GRANT 029C24h 4 BB_TSTADC 029C28h 4 BB_TSTDAC 029C2Ch 1x4 PAD__12 029C30h 4 BB_ILLEGAL_TX_RATE 029C34h 4 BB_SPUR_REPORT_B0 029C38h 4 BB_CHANNEL_STATUS 029C3Ch 4 BB_RSSI_B0 029C40h 4 BB_SPUR_EST_CCK_REPORT_B0 029C44h 1x104 PAD__13 ;(old 1x172) 029CF0h 4 BB_CHAN_INFO_NOISE_PWR ;\ 029CF4h 4 BB_CHAN_INFO_GAIN_DIFF ; located HERE in 029CF8h 4 BB_CHAN_INFO_FINE_TIMING ; older revision 029CFCh 4 BB_CHAN_INFO_GAIN_B0 ; (unlike below) 029D00h 4x60 BB_CHAN_INFO_CHAN_TAB_B0[0..59] ;/ 029CACh 4 BB_CHAN_INFO_NOISE_PWR ;\ 029CB0h 4 BB_CHAN_INFO_GAIN_DIFF ; located HERE in 029CB4h 4 BB_CHAN_INFO_FINE_TIMING ; newer revision 029CB8h 4 BB_CHAN_INFO_GAIN_B0 ; (unlike above) 029CBCh 4x60 BB_CHAN_INFO_CHAN_TAB_B0[0..59] ;/ 029DACh 1x56 PAD__14 ;(old 1x528 at 9DF0h) 029DE4h 4 BB_PAPRD_AM2AM_MASK ;\ 029DE8h 4 BB_PAPRD_AM2PM_MASK ; 029DECh 4 BB_PAPRD_HT40_MASK ; 029DF0h 4 BB_PAPRD_CTRL0 ; exists ONLY in 029DF4h 4 BB_PAPRD_CTRL1 ; newer revision 029DF8h 4 BB_PA_GAIN123 ; 029DFCh 4 BB_PA_GAIN45 ; 029E00h 4x8 BB_PAPRD_PRE_POST_SCALE_(0..7) ; 029E20h 4x120 BB_PAPRD_MEM_TAB[....] ;/ "BASEBAND_1" 02A000h 4 BB_PEAK_DET_CTRL_1 02A004h 4 BB_PEAK_DET_CTRL_2 02A008h 4 BB_RX_GAIN_BOUNDS_1 02A00Ch 4 BB_RX_GAIN_BOUNDS_2 02A010h 4 BB_PEAK_DET_CAL_CTRL 02A014h 4 BB_AGC_DIG_DC_CTRL 02A018h 4 BB_AGC_DIG_DC_STATUS_I_B0 02A01Ch 4 BB_AGC_DIG_DC_STATUS_Q_B0 02A020h 1x468 PAD__15 02A1F4h 4 BB_BBB_TXFIR_0 02A1F8h 4 BB_BBB_TXFIR_1 02A1FCh 4 BB_BBB_TXFIR_2 02A200h 4 BB_MODES_SELECT 02A204h 4 BB_BBB_TX_CTRL 02A208h 4 BB_BBB_SIG_DETECT 02A20Ch 4 BB_EXT_ATTEN_SWITCH_CTL_B0 02A210h 4 BB_BBB_RX_CTRL_1 02A214h 4 BB_BBB_RX_CTRL_2 02A218h 4 BB_BBB_RX_CTRL_3 02A21Ch 4 BB_BBB_RX_CTRL_4 02A220h 4 BB_BBB_RX_CTRL_5 02A224h 4 BB_BBB_RX_CTRL_6 02A228h 4 BB_BBB_DAGC_CTRL 02A22Ch 4 BB_FORCE_CLKEN_CCK 02A230h 4 BB_RX_CLEAR_DELAY 02A234h 4 BB_POWERTX_RATE3 ;Power TX 1L,2L,2S 02A238h 4 BB_POWERTX_RATE4 ;Power TX 55L,55S,11L,11S 02A23Ch 1x4 PAD__16 02A240h 4 BB_CCK_SPUR_MIT 02A244h 4 BB_PANIC_WATCHDOG_STATUS 02A248h 4 BB_PANIC_WATCHDOG_CTRL_1 02A24Ch 4 BB_PANIC_WATCHDOG_CTRL_2 02A250h 4 BB_IQCORR_CTRL_CCK ;with extra bit in newer revision 02A254h 4 BB_BLUETOOTH_CNTL 02A258h 4 BB_TPC_1 02A25Ch 4 BB_TPC_2 02A260h 4 BB_TPC_3 02A264h 4 BB_TPC_4_B0 02A268h 4 BB_ANALOG_SWAP 02A26Ch 4 BB_TPC_5_B0 02A270h 4 BB_TPC_6_B0 02A274h 4 BB_TPC_7 02A278h 4 BB_TPC_8 02A27Ch 4 BB_TPC_9 02A280h 4x32 BB_PDADC_TAB_B0[0..31] 02A300h 4x16 BB_CL_TAB_B0[0..15] 02A340h 4 BB_CL_MAP_0_B0 02A344h 4 BB_CL_MAP_1_B0 02A348h 4 BB_CL_MAP_2_B0 02A34Ch 4 BB_CL_MAP_3_B0 02A350h 1x8 PAD__17 02A358h 4 BB_CL_CAL_CTRL 02A35Ch 4 BB_CL_MAP_PAL_0_B0 ;\ 02A360h 4 BB_CL_MAP_PAL_1_B0 ; exists ONLY in 02A364h 4 BB_CL_MAP_PAL_2_B0 ; newer revision 02A368h 4 BB_CL_MAP_PAL_3_B0 ;/ 02A36Ch 1x28 PAD__18 ;(old 1x44 at A35Ch) 02A388h 4 BB_RIFS 02A38Ch 4 BB_POWERTX_RATE5 ;Power TX HT20_0..3 02A390h 4 BB_POWERTX_RATE6 ;Power TX HT20_4..7 02A394h 4 BB_TPC_10 02A398h 4 BB_TPC_11_B0 02A39Ch 4 BB_CAL_CHAIN_MASK 02A3A0h 1x28 PAD__19 02A3BCh 4 BB_POWERTX_SUB ;Power TX Sub_for_2chain 02A3C0h 4 BB_POWERTX_RATE7 ;Power TX HT40_0..3 02A3C4h 4 BB_POWERTX_RATE8 ;Power TX HT40_4..7 02A3C8h 4 BB_POWERTX_RATE9 ;Power TX DUP40/EXT20_CCK/OFDM 02A3CCh 4 BB_POWERTX_RATE10 ;Power TX HT20_8..11 02A3D0h 4 BB_POWERTX_RATE11 ;Power TX HT20/40_12/13 02A3D4h 4 BB_POWERTX_RATE12 ;Power TX HT40_8..11 02A3D8h 4 BB_FORCE_ANALOG 02A3DCh 4 BB_TPC_12 02A3E0h 4 BB_TPC_13 02A3E4h 4 BB_TPC_14 02A3E8h 4 BB_TPC_15 02A3ECh 4 BB_TPC_16 02A3F0h 4 BB_TPC_17 02A3F4h 4 BB_TPC_18 02A3F8h 4 BB_TPC_19 02A3FCh 4 BB_TPC_20 02A400h 4x32 BB_TX_GAIN_TAB_(1..32) 02A480h 4x32 BB_TX_GAIN_TAB_PAL_(1..32) 02A500h 1x24 PAD__20 02A518h 4x16 BB_CALTX_GAIN_SET_(0,2,4,6,..,28,30) 02A558h 4x96 BB_TXIQCAL_MEAS_B0[0..95] 02A6D8h 4 BB_TXIQCAL_START 02A6DCh 4 BB_TXIQCAL_CONTROL_0 02A6E0h 4 BB_TXIQCAL_CONTROL_1 02A6E4h 4 BB_TXIQCAL_CONTROL_2 02A6E8h 4 BB_TXIQCAL_CONTROL_3 02A6ECh 4 BB_TXIQ_CORR_COEFF_01_B0 02A6F0h 4 BB_TXIQ_CORR_COEFF_23_B0 02A6F4h 4 BB_TXIQ_CORR_COEFF_45_B0 02A6F8h 4 BB_TXIQ_CORR_COEFF_67_B0 02A6FCh 4 BB_TXIQ_CORR_COEFF_89_B0 02A700h 4 BB_TXIQ_CORR_COEFF_AB_B0 02A704h 4 BB_TXIQ_CORR_COEFF_CD_B0 02A708h 4 BB_TXIQ_CORR_COEFF_EF_B0 02A70Ch 4 BB_CAL_RXBB_GAIN_TBL_0 02A710h 4 BB_CAL_RXBB_GAIN_TBL_4 02A714h 4 BB_CAL_RXBB_GAIN_TBL_8 02A718h 4 BB_CAL_RXBB_GAIN_TBL_12 02A71Ch 4 BB_CAL_RXBB_GAIN_TBL_16 02A720h 4 BB_CAL_RXBB_GAIN_TBL_20 02A724h 4 BB_CAL_RXBB_GAIN_TBL_24 02A728h 4 BB_TXIQCAL_STATUS_B0 02A72Ch 4 BB_PAPRD_TRAINER_CNTL1 ;\ 02A730h 4 BB_PAPRD_TRAINER_CNTL2 ; 02A734h 4 BB_PAPRD_TRAINER_CNTL3 ; exists ONLY in 02A738h 4 BB_PAPRD_TRAINER_CNTL4 ; newer revision 02A73Ch 4 BB_PAPRD_TRAINER_STAT1 ; 02A740h 4 BB_PAPRD_TRAINER_STAT2 ; 02A744h 4 BB_PAPRD_TRAINER_STAT3 ;/ 02A748h 1x144 PAD__21 ;(old 1x172 at A72Ch) 02A7D8h 4 BB_FCAL_1 02A7DCh 4 BB_FCAL_2_B0 02A7E0h 4 BB_RADAR_BW_FILTER 02A7E4h 4 BB_DFT_TONE_CTRL_B0 02A7E8h 4 BB_THERM_ADC_1 02A7ECh 4 BB_THERM_ADC_2 02A7F0h 4 BB_THERM_ADC_3 02A7F4h 4 BB_THERM_ADC_4 02A7F8h 4 BB_TX_FORCED_GAIN 02A7FCh 4 BB_ECO_CTRL 02A800h 1x72 PAD__22 02A848h 4 BB_GAIN_FORCE_MAX_GAINS_B1 02A84Ch 4 BB_GAINS_MIN_OFFSETS_B1 02A850h 1x432 PAD__23 02AA00h 4x128 BB_RX_OCGAIN2[0..127] 02AC00h 1x1548 PAD__24 02B20Ch 4 BB_EXT_ATTEN_SWITCH_CTL_B1 02B210h - unused/unspecified |
02C000h 4x1024 MAC_PCU_BASEBAND_2[0..1023] ;\ 02D000h 4x1024 MAC_PCU_BASEBAND_3[0..1023] ; after BB registers 02E000h 4x512 MAC_PCU_BUF[0..511] ;/ 02E800h - unused/unspecified |
030100h 4 DMA_CONFIG 030104h 4 DMA_CONTROL 030108h 4 DMA_SRC 03010Ch 4 DMA_DEST 030110h 4 DMA_LENGTH 030114h 4 VMC_BASE 030118h 4 INDIRECT_REG 03011Ch 4 INDIRECT_RETURN 030120h 4x16 RDMA_REGION_(0..15)_ 030160h 4 DMA_STATUS 030164h 4 DMA_INT_EN 030168h - unused/unspecified |
031000h 4 EFUSE_WR_ENABLE_REG 031004h 4 EFUSE_INT_ENABLE_REG 031008h 4 EFUSE_INT_STATUS_REG 03100Ch 4 BITMASK_WR_REG 031010h 4 VDDQ_SETTLE_TIME_REG 031014h 4 RD_STROBE_PW_REG 031018h 4 PG_STROBE_PW_REG 03101Ch 1x2020 PAD0 031800h 4x512 EFUSE_INTF[0..511] 032000h - unused/unspecified |
| DSi Atheros Wifi - Internal I/O Map Summary (hw6.0) |
004000h 33Ch (rtc_soc_reg.h) xxx240h 1Ch (rtc_sync_reg.h) ;-unknown base address 005000h 164h (rtc_wlan_reg.h) 006000h 264h (wlan_coex_reg.h) 007000h 94h (bt_coex_reg.h) 008000h .. MIT (what is that...?) (maybe related to MITSUMI mode?) 00C000h 14h (uart_reg.h) 00D000h ... DBG_UART (another UART ?) 00E000h 38h (umbox_wlan_reg.h) 010000h 18h Serial I2C/SPI (si_reg.h) 010018h 18h ADDR_ERROR (si_reg.h) 014000h 170h (gpio_athr_wlan_reg.h) 018000h 130h (mbox_wlan_reg.h) 01A000h 2000h WLAN_HOST_IF_WINDOW (mbox_wlan_reg.h) 01C000h 748h (analog_intf_athr_wlan_reg.h) 020000h 130h (wmac_dma_reg.h) 020800h 24Ch (wmac_qcu_reg.h) 021000h 7FCh (wmac_dcu_reg.h) 028000h 1000h (wmac_pcu_reg.h) 029800h 3F8h bb_reg.h (1) - bb_chn_reg_map 029C00h 24h bb_reg.h (2) - bb_mrc_reg_map 029D00h 1Ch bb_reg.h (3) - bb_bbb_reg_map 029E00h 400h bb_reg.h (4) - bb_agc_reg_map 02A200h 5F8h bb_reg.h (5) - bb_sm_reg_map 02A800h 3F8h bb_reg.h (6) - bb_chn1_reg_map 02AE00h 400h bb_reg.h (7) - bb_agc1_reg_map 02B200h 5F8h bb_reg.h (8) - bb_sm1_reg_map 02C800h 400h bb_reg.h (9) - bb_chn3_reg_map (DUMMY) 02CE00h 184h bb_reg.h (10) - bb_agc3_reg_map (mostly DUMMY) 02D200h 600h bb_reg.h (11) - bb_sm3_reg_map (DUMMY) 02D800h 20h bb_reg.h (12) - mit_local_reg_map, aka bb_mit_reg_map 02E000h 4x2048 MAC_PCU_BUF (wmac_pcu_reg.h) 030000h 1800h EFUSE (efuse_wlan_reg.h) 034000h 1Ch STEREO 0 (stereo_reg.h) 035000h 58h (chk_sum_seg_acc_reg.h) 036000h ? STEREO 1 (maybe same format as STEREO 0 ?) 038000h 3Ch (mmac_reg.h) 039000h 0Ch (fpga_reg.h) 040000h 8 (bridge_intr_reg.h) 040100h 8 (mii_reg.h) 040200h 28h (mdio_reg.h) 040800h 20h (bridge_chain_gmac_0_rx_reg.h) 040C00h 1Ch (bridge_chain_gmac_0_tx_reg.h) 050000h .. SVD (what is that...?) 054000h ... (usb_cast_reg.h) ;<--- located at 54000h (?) 054100h .. usb RX chain 0..5 at 00054100h+(0..5)*100h (?) 054700h .. usb TX chain 0..5 at 00054700h+(0..5)*100h (?) 054C00h ... UART2 (yet another UART ?) 054D00h A8h (rdma_reg.h) 054E00h 50h (athrI2cSlaveApbCsr.h) 055000h 40h I2S (mbox_i2s_reg.h) 056000h .. I2S_1 (maybe same format as above "mbox_i2s_reg.h"?) xxxxxxh A00h (map_rf_reg.h) ;\unknown base address xxxxxxh 20h (odin_reg.h) ;/ |
004000h 4 SOC_RESET_CONTROL 004004h 4 SOC_TCXO_DETECT 004008h 4 SOC_XTAL_TEST 00400Ch 1x20 PAD0 004020h 4 SOC_CPU_CLOCK 004024h 1x4 PAD1 004028h 4 SOC_CLOCK_CONTROL 00402Ch 1x4 PAD2 004030h 4 SOC_WDT_CONTROL ;\ 004034h 4 SOC_WDT_STATUS ; 004038h 4 SOC_WDT ; Watchdog Timer 00403Ch 4 SOC_WDT_COUNT ; 004040h 4 SOC_WDT_RESET ;/ 004044h 4 SOC_INT_STATUS ;-Interrupt Status 004048h 4 SOC_LF_TIMER0 ;\ 00404Ch 4 SOC_LF_TIMER_COUNT0 ; Low-Freq Timer 004050h 4 SOC_LF_TIMER_CONTROL0 ; 004054h 4 SOC_LF_TIMER_STATUS0 ;/ 004058h 4 SOC_LF_TIMER1 ;\ 00405Ch 4 SOC_LF_TIMER_COUNT1 ; Low-Freq Timer 004060h 4 SOC_LF_TIMER_CONTROL1 ; 004064h 4 SOC_LF_TIMER_STATUS1 ;/ 004068h 4 SOC_LF_TIMER2 ;\ 00406Ch 4 SOC_LF_TIMER_COUNT2 ; Low-Freq Timer 004070h 4 SOC_LF_TIMER_CONTROL2 ; 004074h 4 SOC_LF_TIMER_STATUS2 ;/ 004078h 4 SOC_LF_TIMER3 ;\ 00407Ch 4 SOC_LF_TIMER_COUNT3 ; Low-Freq Timer 004080h 4 SOC_LF_TIMER_CONTROL3 ; 004084h 4 SOC_LF_TIMER_STATUS3 ;/ 004088h 4 SOC_HF_TIMER ;\ 00408Ch 4 SOC_HF_TIMER_COUNT ; High-Freq Timer 004090h 4 SOC_HF_LF_COUNT ;<-- ; 004094h 4 SOC_HF_TIMER_CONTROL ; 004098h 4 SOC_HF_TIMER_STATUS ;/ 00409Ch 4 SOC_RTC_CONTROL ;\ 0040A0h 4 SOC_RTC_TIME ; 0040A4h 4 SOC_RTC_DATE ; 0040A8h 4 SOC_RTC_SET_TIME ; Real-Time Clock 0040ACh 4 SOC_RTC_SET_DATE ; 0040B0h 4 SOC_RTC_SET_ALARM ; 0040B4h 4 SOC_RTC_CONFIG ; 0040B8h 4 SOC_RTC_ALARM_STATUS ;/ 0040BCh 4 SOC_UART_WAKEUP 0040C0h 4 SOC_RESET_CAUSE 0040C4h 4 SOC_SYSTEM_SLEEP 0040C8h 4 SOC_SDIO_WRAPPER 0040CCh 4 SOC_INT_STATUS1 0040D0h 1x4 PAD3 0040D4h 4 SOC_LPO_CAL_TIME ;\ 0040D8h 4 SOC_LPO_INIT_DIVIDEND_INT ; 0040DCh 4 SOC_LPO_INIT_DIVIDEND_FRACTION ; LPO 0040E0h 4 SOC_LPO_CAL ; 0040E4h 4 SOC_LPO_CAL_TEST_CONTROL ; 0040E8h 4 SOC_LPO_CAL_TEST_STATUS ;/ 0040ECh 4 LEGACY_SOC_CHIP_ID ;\Chip ID 0040F0h 4 SOC_CHIP_ID ;/ 0040F4h 1x24 PAD4 00410Ch 4 SOC_POWER_REG 004110h 4 SOC_CORE_CLK_CTRL 004114h 4 SOC_GPIO_WAKEUP_CONTROL 004118h 1x252 PAD5 004214h 4 SLEEP_RETENTION 004218h 1x108 PAD6 004284h 4 LP_PERF_COUNTER ;\ 004288h 4 LP_PERF_LIGHT_SLEEP ; Perf 00428Ch 4 LP_PERF_DEEP_SLEEP ; 004290h 4 LP_PERF_ON ;/ 004294h 1x20 PAD7 0042A8h 4 CHIP_MODE 0042ACh 4 CLK_REQ_FALL_EDGE 0042B0h 4 OTP ;\OTP 0042B4h 4 OTP_STATUS ;/ 0042B8h 4 PMU 0042BCh 4 PMU_CONFIG 0042C0h 4 PMU_PAREG 0042C4h 4 PMU_BYPASS 0042C8h 1x20 PAD8 0042DCh 4 THERM_CTRL1 ;\ 0042E0h 4 THERM_CTRL2 ; Therm 0042E4h 4 THERM_CTRL3 ;/ 0042E8h 4 LISTEN_MODE1 0042ECh 4 LISTEN_MODE2 0042F0h 4 AUDIO_PLL_CONFIG 0042F4h 4 AUDIO_PLL_MODULATION 0042F8h 4 AUDIO_PLL_MOD_STEP 0042FCh 4 CURRENT_AUDIO_PLL_MODULATION 004300h 4 ETH_PLL_CONFIG 004304h 4 CPU_PLL_CONFIG 004308h 4 BB_PLL_CONFIG 00430Ch 4 ETH_XMII 004310h 4 USB_PHY_CONFIG 004314h 4 MITSUMI_INT_CONTROL_REG 004318h 4 MITSUMI_INT_STATUS_REG 00431Ch 4 CURRENT_WORKING_MODE 004320h 4 RTC_SLEEP_COUNT 004324h 4 MIT2_VAP 004328h 4 SECOND_HOST_INFT 00432Ch 4 SDIO_HOST 004330h 4 ENTERPRISE_CONFIG 004334h 4 RTC_DEBUG_BUS 004338h 4 RTC_EXT_CLK_BUF |
000000h 1x576 PAD__0 000240h 4 RTC_SYNC_RESET 000244h 4 RTC_SYNC_STATUS 000248h 4 RTC_SYNC_DERIVED 00024Ch 4 RTC_SYNC_FORCE_WAKE 000250h 4 RTC_SYNC_INTR_CAUSE 000254h 4 RTC_SYNC_INTR_ENABLE 000258h 4 RTC_SYNC_INTR_MASK 00025Ch .. - |
005000h 4 WLAN_RESET_CONTROL 005004h 4 WLAN_XTAL_CONTROL 005008h 4 WLAN_REG_CONTROL0 00500Ch 4 WLAN_REG_CONTROL1 005010h 4 WLAN_QUADRATURE 005014h 4 WLAN_PLL_CONTROL 005018h 4 WLAN_PLL_SETTLE 00501Ch 4 WLAN_XTAL_SETTLE 005020h 4 WLAN_CLOCK_OUT 005024h 4 WLAN_BIAS_OVERRIDE 005028h 4 WLAN_RESET_CAUSE 00502Ch 4 WLAN_SYSTEM_SLEEP 005030h 4 WLAN_MAC_SLEEP_CONTROL 005034h 4 WLAN_KEEP_AWAKE 005038h 4 WLAN_DERIVED_RTC_CLK 00503Ch 4 MAC_PCU_SLP32_MODE 005040h 4 MAC_PCU_SLP32_WAKE 005044h 4 MAC_PCU_SLP32_INC 005048h 4 MAC_PCU_SLP_MIB1 00504Ch 4 MAC_PCU_SLP_MIB2 005050h 4 MAC_PCU_SLP_MIB3 005054h 4 MAC_PCU_TSF_L32 005058h 4 MAC_PCU_TSF_U32 00505Ch 4 MAC_PCU_WBTIMER_0 005060h 4 MAC_PCU_WBTIMER_1 005064h 4x16 MAC_PCU_GENERIC_TIMERS[0..15] 0050A4h 1x24 PAD__0 0050BCh 4 MAC_PCU_GENERIC_TIMERS_MODE 0050C0h 4 MAC_PCU_SLP1 0050C4h 4 MAC_PCU_SLP2 0050C8h 4 MAC_PCU_SLP3 0050CCh 4 MAC_PCU_SLP4 0050D0h 4 MAC_PCU_RESET_TSF 0050D4h 4 MAC_PCU_TSF2_L32 0050D8h 4 MAC_PCU_TSF2_U32 0050DCh 4x16 MAC_PCU_GENERIC_TIMERS2[0..15] 00511Ch 1x24 PAD__1 005134h 4 MAC_PCU_GENERIC_TIMERS_MODE2 005138h 1x12 PAD__2 005144h 4 MAC_PCU_TSF_THRESHOLD 005148h 4 WLAN_HT 00514Ch 1x4 PAD__3 005150h 4 MAC_PCU_GENERIC_TIMERS_TSF_SEL 005154h 4 MAC_PCU_BMISS_TIMEOUT 005158h 4 MAC_PCU_BMISS2_TIMEOUT 00515Ch 4 RTC_AXI_AHB_BRIDGE 005160h 4 UNIFIED_MAC_REVID 005164h .. - |
006000h 4 MCI_COMMAND0 006004h 4 MCI_COMMAND1 006008h 4 MCI_COMMAND2 00600Ch 4 MCI_RX_CTRL 006010h 4 MCI_TX_CTRL 006014h 4 MCI_MSG_ATTRIBUTES_TABLE 006018h 4 MCI_SCHD_TABLE_0 00601Ch 4 MCI_SCHD_TABLE_1 006020h 4 MCI_GPM_0 006024h 4 MCI_GPM_1 006028h 4 MCI_INTERRUPT_RAW 00602Ch 4 MCI_INTERRUPT_EN 006030h 4 MCI_REMOTE_CPU_INT 006034h 4 MCI_REMOTE_CPU_INT_EN 006038h 4 MCI_INTERRUPT_RX_MSG_RAW 00603Ch 4 MCI_INTERRUPT_RX_MSG_EN 006040h 4 MCI_CPU_INT 006044h 4 MCI_RX_STATUS 006048h 4 MCI_CONT_STATUS 00604Ch 4 MCI_BT_PRI0 006050h 4 MCI_BT_PRI1 006054h 4 MCI_BT_PRI2 006058h 4 MCI_BT_PRI3 00605Ch 4 MCI_BT_PRI 006060h 4 MCI_WL_FREQ0 006064h 4 MCI_WL_FREQ1 006068h 4 MCI_WL_FREQ2 00606Ch 4 MCI_GAIN 006070h 4 MCI_WBTIMER1 006074h 4 MCI_WBTIMER2 006078h 4 MCI_WBTIMER3 00607Ch 4 MCI_WBTIMER4 006080h 4 MCI_MAXGAIN 006084h 1x40 PAD__0 0060ACh 4 BTCOEX_CTRL 0060B0h 1x156 PAD__1 00614Ch 4 BTCOEX_CTRL2 006150h 1x260 PAD__2 006254h 4 BTCOEX_DBG 006258h 4 MCI_LAST_HW_MSG_HDR 00625Ch 4 MCI_LAST_HW_MSG_BDY 006260h 4 MCI_MAXGAIN_RST 006264h .. - |
007000h 4 BTCOEXCTRL ;\ 007004h 4 WBSYNC_PRIORITY1 ; 007008h 4 WBSYNC_PRIORITY2 ; 00700Ch 4 WBSYNC_PRIORITY3 ; 007010h 4 BTCOEX0 ;SYNC_DUR ; 007014h 4 BTCOEX1 ;CLK_THRES ; 007018h 4 BTCOEX2 ;FRAME_THRES ; 00701Ch 4 BTCOEX3 ;CLK_CNT ; moved from 004218h (hw4) 007020h 4 BTCOEX4 ;FRAME_CNT ; to 007000h (hw6) 007024h 4 BTCOEX5 ;IDLE_CNT ; 007028h 4 BTCOEX6 ;IDLE_RESET_LVL_BITMAP ; 00702Ch 4 LOCK ; 007030h 4 NOLOCK_PRIORITY ; 007034h 4 WBSYNC ; 007038h 4 WBSYNC1 ; 00703Ch 4 WBSYNC2 ; 007040h 4 WBSYNC3 ; 007044h 4 WB_TIMER_TARGET ; 007048h 4 WB_TIMER_SLOP ; 00704Ch 4 BTCOEX_INT_EN ; 007050h 4 BTCOEX_INT_STAT ; 007054h 4 BTPRIORITY_INT_EN ; 007058h 4 BTPRIORITY_INT_STAT ; 00705Ch 4 BTPRIORITY_STOMP_INT_EN ; 007060h 4 BTPRIORITY_STOMP_INT_STAT ;/ 007064h 4 ST_64_BIT ;\ 007068h 4 MESSAGE_WR ; moved from 004294h (hw4) 00706Ch 4 MESSAGE_WR_P ; to 007064h (hw6) 007070h 4 MESSAGE_RD ; 007074h 4 MESSAGE_RD_P ;/ 007078h 4 BTPRIORITY_INT ;\ 00707Ch 4 SCO_PARAMS ; 007080h 4 SCO_PRIORITY ; 007084h 4 SCO_SYNC ; new, hw6.0 only 007088h 4 BTCOEX_RAW_STAT ; 00708Ch 4 BTPRIORITY_RAW_STAT ; 007090h 4 BTPRIORITY_STOMP_RAW_STAT ;/ |
00C000h 4 UART_DATA 00C004h 4 UART_CONTROL 00C008h 4 UART_CLKDIV 00C00Ch 4 UART_INT 00C010h 4 UART_INT_EN 00C014h .. - 00D000h .. ?? |
00E000h 4x2 UMBOX_FIFO[0..1] 00E008h 4 UMBOX_FIFO_STATUS 00E00Ch 4 UMBOX_DMA_POLICY 00E010h 4 UMBOX0_DMA_RX_DESCRIPTOR_BASE 00E014h 4 UMBOX0_DMA_RX_CONTROL 00E018h 4 UMBOX0_DMA_TX_DESCRIPTOR_BASE 00E01Ch 4 UMBOX0_DMA_TX_CONTROL 00E020h 4 UMBOX_FIFO_TIMEOUT 00E024h 4 UMBOX_INT_STATUS 00E028h 4 UMBOX_INT_ENABLE 00E02Ch 4 UMBOX_DEBUG 00E030h 4 UMBOX_FIFO_RESET 00E034h 4 UMBOX_HCI_FRAMER |
010000h 4 SI_CONFIG 010004h 4 SI_CS 010008h 4 SI_TX_DATA0 01000Ch 4 SI_TX_DATA1 010010h 4 SI_RX_DATA0 010014h 4 SI_RX_DATA1 |
010018h 4 WLAN_APB_ADDR_ERROR_CONTROL ;\ 01001Ch 4 WLAN_APB_ADDR_ERROR_STATUS ; ADDR_ERROR 010020h 4 WLAN_AHB_ADDR_ERROR_CONTROL ; (located at 8xxxh in hw4) 010024h 4 WLAN_AHB_ADDR_ERROR_STATUS ;/ 010028h 4 WLAN_AHB_CONFIG 01002Ch 4 WLAN_MEMORY_MAP |
014000h 4 WLAN_GPIO_OUT_LOW ;\ 014004h 4 WLAN_GPIO_OUT_W1TS_LOW ; 014008h 4 WLAN_GPIO_OUT_W1TC_LOW ; GPIO Output Data 01400Ch 4 WLAN_GPIO_OUT_HIGH ; (direct, and Write-1-To-Set/Clr) 014010h 4 WLAN_GPIO_OUT_W1TS_HIGH ; 014014h 4 WLAN_GPIO_OUT_W1TC_HIGH ;/ 014018h 4 WLAN_GPIO_ENABLE_LOW ;\ 01401Ch 4 WLAN_GPIO_ENABLE_W1TS_LOW ; 014020h 4 WLAN_GPIO_ENABLE_W1TC_LOW ; GPIO Output Enable 014024h 4 WLAN_GPIO_ENABLE_HIGH ; (direct, and Set/Clr) 014028h 4 WLAN_GPIO_ENABLE_W1TS_HIGH ; 01402Ch 4 WLAN_GPIO_ENABLE_W1TC_HIGH ;/ 014030h 4 WLAN_GPIO_IN_LOW ;\ 014034h 4 WLAN_GPIO_STATUS_LOW ;\ ; GPIO Input 014038h 4 WLAN_GPIO_IN_HIGH ; ;/ 01403Ch 4 WLAN_GPIO_STATUS_HIGH ; 014040h 4 WLAN_GPIO_STATUS_W1TS_LOW ; GPIO Interrupt Status 014044h 4 WLAN_GPIO_STATUS_W1TC_LOW ; (direct, and Set/Clr) 014048h 4 WLAN_GPIO_STATUS_W1TS_HIGH ; 01404Ch 4 WLAN_GPIO_STATUS_W1TC_HIGH ;/ 014050h 4 WLAN_GPIO_PIN0 ;GPIO0 or SDIO_CMD 014054h 4 WLAN_GPIO_PIN1 ;GPIO1 or SDIO_D3 014058h 4 WLAN_GPIO_PIN2 ;GPIO2 or SDIO_D2 01405Ch 4 WLAN_GPIO_PIN3 ;GPIO3 or SDIO_D1 014060h 4 WLAN_GPIO_PIN4 ;GPIO4 or SDIO_D0 014064h 4 WLAN_GPIO_PIN5 ;GPIO5 or SDIO_CLK 014068h 4 WLAN_GPIO_PIN6 ;GPIO6 01406Ch 4 WLAN_GPIO_PIN7 ;GPIO7 014070h 4 WLAN_GPIO_PIN8 ;... 014074h 4 WLAN_GPIO_PIN9 ;.. 014078h 4 WLAN_GPIO_PIN10 01407Ch 4 WLAN_GPIO_PIN11 014080h 4 WLAN_GPIO_PIN12 014084h 4 WLAN_GPIO_PIN13 014088h 4 WLAN_GPIO_PIN14 01408Ch 4 WLAN_GPIO_PIN15 014090h 4 WLAN_GPIO_PIN16 014094h 4 WLAN_GPIO_PIN17 014098h 4 WLAN_GPIO_PIN18 01409Ch 4 WLAN_GPIO_PIN19 0140A0h 4 WLAN_GPIO_PIN20 0140A4h 4 WLAN_GPIO_PIN21 0140A8h 4 WLAN_GPIO_PIN22 0140ACh 4 WLAN_GPIO_PIN23 0140B0h 4 WLAN_GPIO_PIN24 0140B4h 4 WLAN_GPIO_PIN25 0140B8h 4 WLAN_GPIO_PIN26 0140BCh 4 WLAN_GPIO_PIN27 0140C0h 4 WLAN_GPIO_PIN28 0140C4h 4 WLAN_GPIO_PIN29 0140C8h 4 WLAN_GPIO_PIN30 0140CCh 4 WLAN_GPIO_PIN31 0140D0h 4 WLAN_GPIO_PIN32 0140D4h 4 WLAN_GPIO_PIN33 0140D8h 4 WLAN_GPIO_PIN34 0140DCh 4 WLAN_GPIO_PIN35 0140E0h 4 WLAN_GPIO_PIN36 0140E4h 4 WLAN_GPIO_PIN37 0140E8h 4 WLAN_GPIO_PIN38 0140ECh 4 WLAN_GPIO_PIN39 0140F0h 4 WLAN_GPIO_PIN40 0140F4h 4 WLAN_GPIO_PIN41 0140F8h 4 WLAN_GPIO_PIN42 0140FCh 4 WLAN_GPIO_PIN43 014100h 4 WLAN_GPIO_PIN44 014104h 4 WLAN_GPIO_PIN45 014108h 4 WLAN_GPIO_PIN46 01410Ch 4 WLAN_GPIO_PIN47 014110h 4 WLAN_GPIO_PIN48 014114h 4 WLAN_GPIO_PIN49 014118h 4 WLAN_GPIO_PIN50 01411Ch 4 WLAN_GPIO_PIN51 014120h 4 WLAN_GPIO_PIN52 014124h 4 WLAN_GPIO_PIN53 014128h 4 WLAN_GPIO_PIN54 01412Ch 4 WLAN_GPIO_PIN55 014130h 4 WLAN_GPIO_PIN56 014134h 4 SDIO 014138h 4 WL_SOC_APB 01413Ch 4 WLAN_SIGMA_DELTA 014140h 4 WL_BOOTSTRAP 014144h 4 CORE_BOOTSTRAP_LOW 014148h 4 CORE_BOOTSTRAP_HIGH 01414Ch 4 WLAN_DEBUG_CONTROL 014150h 4 WLAN_DEBUG_INPUT_SEL 014154h 4 WLAN_DEBUG_OUT 014158h 4 WLAN_RESET_TUPLE_STATUS 01415Ch 4 ANTENNA_CONTROL 014160h 4 SDIO2 014164h 4 SDHC 014168h 4 AMBA_DEBUG_BUS 01416Ch 4 CPU_MBIST |
018000h 4x4 WLAN_MBOX_FIFO[0..3] 018010h 4 WLAN_MBOX_FIFO_STATUS 018014h 4 WLAN_MBOX_DMA_POLICY 018018h 4 WLAN_MBOX0_DMA_RX_DESCRIPTOR_BASE ;\ 01801Ch 4 WLAN_MBOX0_DMA_RX_CONTROL ; MBOX 0 018020h 4 WLAN_MBOX0_DMA_TX_DESCRIPTOR_BASE ; 018024h 4 WLAN_MBOX0_DMA_TX_CONTROL ;/ 018028h 4 WLAN_MBOX1_DMA_RX_DESCRIPTOR_BASE ;\ 01802Ch 4 WLAN_MBOX1_DMA_RX_CONTROL ; MBOX 1 018030h 4 WLAN_MBOX1_DMA_TX_DESCRIPTOR_BASE ; 018034h 4 WLAN_MBOX1_DMA_TX_CONTROL ;/ 018038h 4 WLAN_MBOX2_DMA_RX_DESCRIPTOR_BASE ;\ 01803Ch 4 WLAN_MBOX2_DMA_RX_CONTROL ; MBOX 2 018040h 4 WLAN_MBOX2_DMA_TX_DESCRIPTOR_BASE ; 018044h 4 WLAN_MBOX2_DMA_TX_CONTROL ;/ 018048h 4 WLAN_MBOX3_DMA_RX_DESCRIPTOR_BASE ;\ 01804Ch 4 WLAN_MBOX3_DMA_RX_CONTROL ; MBOX 3 018050h 4 WLAN_MBOX3_DMA_TX_DESCRIPTOR_BASE ; 018054h 4 WLAN_MBOX3_DMA_TX_CONTROL ;/ 018058h 4 WLAN_MBOX_INT_STATUS ;\Interrupt 01805Ch 4 WLAN_MBOX_INT_ENABLE ;/ 018060h 4 WLAN_INT_HOST 018064h 1x28 PAD0 018080h 4x8 WLAN_LOCAL_COUNT[0..7] 0180A0h 4x8 WLAN_COUNT_INC[0..7] 0180C0h 4x8 WLAN_LOCAL_SCRATCH[0..7] 0180E0h 4 WLAN_USE_LOCAL_BUS 0180E4h 4 WLAN_SDIO_CONFIG 0180E8h 4 WLAN_MBOX_DEBUG 0180ECh 4 WLAN_MBOX_FIFO_RESET 0180F0h 4x4 WLAN_MBOX_TXFIFO_POP[0..3] 018100h 4x4 WLAN_MBOX_RXFIFO_POP[0..3] 018110h 4 WLAN_SDIO_DEBUG 018114h 4 WLAN_GMBOX0_DMA_RX_DESCRIPTOR_BASE ;\ 018118h 4 WLAN_GMBOX0_DMA_RX_CONTROL ; 01811Ch 4 WLAN_GMBOX0_DMA_TX_DESCRIPTOR_BASE ; hw4.0 and hw6.0 018120h 4 WLAN_GMBOX0_DMA_TX_CONTROL ; 018124h 4 WLAN_GMBOX_INT_STATUS ; 018128h 4 WLAN_GMBOX_INT_ENABLE ;/ 01812Ch 4 STE_MODE ;<-- hw6.0 only 018130h 1x7888 PAD1 01A000h 4x2048 WLAN_HOST_IF_WINDOW[0..2047] |
01C000h 4 RXRF_BIAS1 01C004h 4 RXRF_BIAS2 01C008h 4 RXRF_GAINSTAGES 01C00Ch 4 RXRF_AGC 01C010h 1x48 PAD__0 01C040h 4 TXRF1 01C044h 4 TXRF2 01C048h 4 TXRF3 01C04Ch 4 TXRF4 01C050h 4 TXRF5 01C054h 4 TXRF6 01C058h 4 TXRF7 01C05Ch 4 TXRF8 01C060h 4 TXRF9 01C064h 4 TXRF10 01C068h 4 TXRF11 01C06Ch 4 TXRF12 01C070h 1x16 PAD__1 01C080h 4 SYNTH1 01C084h 4 SYNTH2 01C088h 4 SYNTH3 01C08Ch 4 SYNTH4 01C090h 4 SYNTH5 01C094h 4 SYNTH6 01C098h 4 SYNTH7 01C09Ch 4 SYNTH8 01C0A0h 4 SYNTH9 01C0A4h 4 SYNTH10 01C0A8h 4 SYNTH11 01C0ACh 4 SYNTH12 01C0B0h 4 SYNTH13 01C0B4h 4 SYNTH14 01C0B8h 1x8 PAD__2 01C0C0h 4 BIAS1 01C0C4h 4 BIAS2 01C0C8h 4 BIAS3 01C0CCh 4 BIAS4 01C0D0h 1x48 PAD__3 01C100h 4 RXTX1 01C104h 4 RXTX2 01C108h 4 RXTX3 01C10Ch 1x52 PAD__4 01C140h 4 BB1 01C144h 4 BB2 01C148h 4 BB3 01C14Ch 1x308 PAD__5 01C280h 4 PLLCLKMODA 01C284h 4 PLLCLKMODA2 01C288h 4 TOP 01C28Ch 4 THERM 01C290h 4 XTAL 01C294h 1x236 PAD__6 01C380h 4 RBIST_CNTRL 01C384h 4 TX_DC_OFFSET 01C388h 4 TX_TONEGEN0 01C38Ch 4 TX_TONEGEN1 01C390h 4 TX_LFTONEGEN0 01C394h 4 TX_LINEAR_RAMP_I 01C398h 4 TX_LINEAR_RAMP_Q 01C39Ch 4 TX_PRBS_MAG 01C3A0h 4 TX_PRBS_SEED_I 01C3A4h 4 TX_PRBS_SEED_Q 01C3A8h 4 CMAC_DC_CANCEL 01C3ACh 4 CMAC_DC_OFFSET 01C3B0h 4 CMAC_CORR 01C3B4h 4 CMAC_POWER 01C3B8h 4 CMAC_CROSS_CORR 01C3BCh 4 CMAC_I2Q2 01C3C0h 4 CMAC_POWER_HPF 01C3C4h 4 RXDAC_SET1 01C3C8h 4 RXDAC_SET2 01C3CCh 4 RXDAC_LONG_SHIFT 01C3D0h 4 CMAC_RESULTS_I 01C3D4h 4 CMAC_RESULTS_Q 01C3D8h 1x872 PAD__7 01C740h 4 PMU1 01C744h 4 PMU2 |
020000h 1x8 PAD__0 020008h 4 MAC_DMA_CR 020004h 1x4 PAD__1 02000Ch 1x4 PAD__1 020014h 4 MAC_DMA_CFG 020018h 4 MAC_DMA_RXBUFPTR_THRESH 02001Ch 4 MAC_DMA_TXDPPTR_THRESH 020020h 4 MAC_DMA_MIRT 020024h 4 MAC_DMA_GLOBAL_IER 020028h 4 MAC_DMA_TIMT_0 02002Ch 4 MAC_DMA_RIMT 020030h 4 MAC_DMA_TXCFG 020034h 4 MAC_DMA_RXCFG 020038h 4 MAC_DMA_RXJLA 02003Ch 1x4 PAD__2 020040h 4 MAC_DMA_MIBC 020044h 4 MAC_DMA_TOPS 020048h 4 MAC_DMA_RXNPTO 02004Ch 4 MAC_DMA_TXNPTO 020050h 4 MAC_DMA_RPGTO 020054h 1x4 PAD__3 020058h 4 MAC_DMA_MACMISC 02005Ch 4 MAC_DMA_INTER 020060h 4 MAC_DMA_DATABUF 020064h 4 MAC_DMA_GTT 020068h 4 MAC_DMA_GTTM 02006Ch 4 MAC_DMA_CST 020070h 4 MAC_DMA_RXDP_SIZE 020074h 4 MAC_DMA_RX_QUEUE_HP_RXDP 020078h 4 MAC_DMA_RX_QUEUE_LP_RXDP 02007Ch 1x4 PAD__4 020080h 4 MAC_DMA_ISR_P - Primary Interrupt Status Register ;\ 020084h 4 MAC_DMA_ISR_S0 - Secondary Interrupt 0 Status TX OK/DESC ; 020088h 4 MAC_DMA_ISR_S1 - Secondary Interrupt 1 Status TX ERR/EOL ; 02008Ch 4 MAC_DMA_ISR_S2 - Secondary Interrupt 2 Status TX URN/MISC ; 020090h 4 MAC_DMA_ISR_S3 - Secondary Interrupt 3 Status QCBR OVF/URN ; 020094h 4 MAC_DMA_ISR_S4 - Secondary Interrupt 4 Status QTRIG ; 020098h 4 MAC_DMA_ISR_S5 - Secondary Interrupt 5 Status TIMERS ; 02009Ch 4 MAC_DMA_ISR_S6 - Secondary Interrupt 6 Status UNKNOWN? ;/ 0200A0h 4 MAC_DMA_IMR_P - Primary Interrupt Mask Register ;\ 0200A4h 4 MAC_DMA_IMR_S0 - Secondary Interrupt 0 Mask TX OK/DESC ; 0200A8h 4 MAC_DMA_IMR_S1 - Secondary Interrupt 1 Mask TX ERR/EOL ; 0200ACh 4 MAC_DMA_IMR_S2 - Secondary Interrupt 2 Mask TX URN/MISC ; 0200B0h 4 MAC_DMA_IMR_S3 - Secondary Interrupt 3 Mask QCBR OVF/URN ; 0200B4h 4 MAC_DMA_IMR_S4 - Secondary Interrupt 4 Mask QTRIG ; 0200B8h 4 MAC_DMA_IMR_S5 - Secondary Interrupt 5 Mask TIMERS ; 0200BCh 4 MAC_DMA_IMR_S6 - Secondary Interrupt 6 Mask UNKNOWN? ;/ 0200C0h 4 MAC_DMA_ISR_P_RAC - Primary Interrupt Read-and-Clear ;\ 0200C4h 4 MAC_DMA_ISR_S0_S - Secondary 0 Read-and-Clr TX OK/DESC ; 0200C8h 4 MAC_DMA_ISR_S1_S - Secondary 1 Read-and-Clr TX ERR/EOL ; 0200CCh 4 MAC_DMA_ISR_S6_S - Secondary 6? Read-and-Clr UNKNOWN? <-- ; 0200D0h 4 MAC_DMA_ISR_S2_S - Secondary 2? Read-and-Clr TX URN/MISC ; 0200D4h 4 MAC_DMA_ISR_S3_S - Secondary 3? Read-and-Clr QCBR OVF/URN ; 0200D8h 4 MAC_DMA_ISR_S4_S - Secondary 4? Read-and-Clr QTRIG ; 0200DCh 4 MAC_DMA_ISR_S5_S - Secondary 5? Read-and-Clr TIMERS ;/ 0200E0h 4 MAC_DMA_DMADBG_0 0200E4h 4 MAC_DMA_DMADBG_1 0200E8h 4 MAC_DMA_DMADBG_2 0200ECh 4 MAC_DMA_DMADBG_3 0200F0h 4 MAC_DMA_DMADBG_4 0200F4h 4 MAC_DMA_DMADBG_5 0200F8h 4 MAC_DMA_DMADBG_6 0200FCh 4 MAC_DMA_DMADBG_7 020100h 4 MAC_DMA_QCU_TXDP_REMAINING_QCU_7_0 020104h 4 MAC_DMA_QCU_TXDP_REMAINING_QCU_9_8 020108h 4 MAC_DMA_TIMT_1 ;note: "MAC_DMA_TIMT_0" is at 020028h 02010Ch 4 MAC_DMA_TIMT_2 020110h 4 MAC_DMA_TIMT_3 020114h 4 MAC_DMA_TIMT_4 020118h 4 MAC_DMA_TIMT_5 02011Ch 4 MAC_DMA_TIMT_6 020120h 4 MAC_DMA_TIMT_7 020124h 4 MAC_DMA_TIMT_8 020128h 4 MAC_DMA_TIMT_9 02012Ch 4 MAC_DMA_CHKACC |
020800h 4x10 MAC_QCU_TXDP[0..9] 020828h 1x8 PAD__1 020830h 4 MAC_QCU_STATUS_RING_START 020834h 4 MAC_QCU_STATUS_RING_END 020838h 4 MAC_QCU_STATUS_RING_CURRENT 02083Ch 1x4 PAD__2 020840h 4 MAC_QCU_TXE 020844h 1x60 PAD__3 020880h 4 MAC_QCU_TXD 020884h 1x60 PAD__4 0208C0h 4x10 MAC_QCU_CBR[0..9] 0208E8h 1x24 PAD__5 020900h 4x10 MAC_QCU_RDYTIME[0..9] 020928h 1x24 PAD__6 020940h 4 MAC_QCU_ONESHOT_ARM_SC 020944h 1x60 PAD__7 020980h 4 MAC_QCU_ONESHOT_ARM_CC 020984h 1x60 PAD__8 0209C0h 4x10 MAC_QCU_MISC[0..9] 0209E8h 1x24 PAD__9 020A00h 4x10 MAC_QCU_CNT[0..9] 020A28h 1x24 PAD__10 020A40h 4 MAC_QCU_RDYTIME_SHDN 020A44h 4 MAC_QCU_DESC_CRC_CHK 020A48h 4 MAC_QCU_EOL |
021000h 4x10 MAC_DCU_QCUMASK[0..9] 021028h 1x8 PAD__1 021030h 4 MAC_DCU_GBL_IFS_SIFS 021034h 1x4 PAD__2 021038h 4 MAC_DCU_TXFILTER_DCU0_31_0 02103Ch 4 MAC_DCU_TXFILTER_DCU8_31_0 021040h 4x10 MAC_DCU_LCL_IFS[0..9] 021068h 1x8 PAD__3 021070h 4 MAC_DCU_GBL_IFS_SLOT 021074h 1x4 PAD__4 021078h 4 MAC_DCU_TXFILTER_DCU0_63_32 02107Ch 4 MAC_DCU_TXFILTER_DCU8_63_32 021080h 4x10 MAC_DCU_RETRY_LIMIT[0..9] 0210A8h 1x8 PAD__5 0210B0h 4 MAC_DCU_GBL_IFS_EIFS 0210B4h 1x4 PAD__6 0210B8h 4 MAC_DCU_TXFILTER_DCU0_95_64 0210BCh 4 MAC_DCU_TXFILTER_DCU8_95_64 0210C0h 4x10 MAC_DCU_CHANNEL_TIME[0..9] 0210E8h 1x8 PAD__7 0210F0h 4 MAC_DCU_GBL_IFS_MISC 0210F4h 1x4 PAD__8 0210F8h 4 MAC_DCU_TXFILTER_DCU0_127_96 0210FCh 4 MAC_DCU_TXFILTER_DCU8_127_96 021100h 4x10 MAC_DCU_MISC[0..9] 021128h 1x16 PAD__9 021138h 4 MAC_DCU_TXFILTER_DCU1_31_0 02113Ch 4 MAC_DCU_TXFILTER_DCU9_31_0 021140h 4 MAC_DCU_SEQ 021144h 1x52 PAD__10 021178h 4 MAC_DCU_TXFILTER_DCU1_63_32 02117Ch 4 MAC_DCU_TXFILTER_DCU9_63_32 021180h 1x56 PAD__11 0211B8h 4 MAC_DCU_TXFILTER_DCU1_95_64 0211BCh 4 MAC_DCU_TXFILTER_DCU9_95_64 0211C0h 1x56 PAD__12 0211F8h 4 MAC_DCU_TXFILTER_DCU1_127_96 0211FCh 4 MAC_DCU_TXFILTER_DCU9_127_96 021200h 1x56 PAD__13 021238h 4 MAC_DCU_TXFILTER_DCU2_31_0 02123Ch 1x52 PAD__14 021270h 4 MAC_DCU_PAUSE 021274h 1x4 PAD__15 021278h 4 MAC_DCU_TXFILTER_DCU2_63_32 02127Ch 1x52 PAD__16 0212B0h 4 MAC_DCU_WOW_KACFG 0212B4h 1x4 PAD__17 0212B8h 4 MAC_DCU_TXFILTER_DCU2_95_64 0212BCh 1x52 PAD__18 0212F0h 4 MAC_DCU_TXSLOT 0212F4h 1x4 PAD__19 0212F8h 4 MAC_DCU_TXFILTER_DCU2_127_96 0212FCh 1x60 PAD__20 021338h 4 MAC_DCU_TXFILTER_DCU3_31_0 ;\ 02133Ch 1x60 PAD__21 ; 021378h 4 MAC_DCU_TXFILTER_DCU3_63_32 ; 02137Ch 1x60 PAD__22 ; 0213B8h 4 MAC_DCU_TXFILTER_DCU3_95_64 ; 0213BCh 1x60 PAD__23 ; 0213F8h 4 MAC_DCU_TXFILTER_DCU3_127_96 ;/ 0213FCh 1x60 PAD__24 021438h 4 MAC_DCU_TXFILTER_DCU4_31_0 02143Ch 4 MAC_DCU_TXFILTER_CLEAR 021440h 1x56 PAD__25 021478h 4 MAC_DCU_TXFILTER_DCU4_63_32 02147Ch 4 MAC_DCU_TXFILTER_SET 021480h 1x56 PAD__26 0214B8h 4 MAC_DCU_TXFILTER_DCU4_95_64 0214BCh 1x60 PAD__27 0214F8h 4 MAC_DCU_TXFILTER_DCU4_127_96 0214FCh 1x60 PAD__28 021538h 4 MAC_DCU_TXFILTER_DCU5_31_0 ;\ 02153Ch 1x60 PAD__29 ; 021578h 4 MAC_DCU_TXFILTER_DCU5_63_32 ; 02157Ch 1x60 PAD__30 ; 0215B8h 4 MAC_DCU_TXFILTER_DCU5_95_64 ; 0215BCh 1x60 PAD__31 ; 0215F8h 4 MAC_DCU_TXFILTER_DCU5_127_96 ;/ 0215FCh 1x60 PAD__32 021638h 4 MAC_DCU_TXFILTER_DCU6_31_0 ;\ 02163Ch 1x60 PAD__33 ; 021678h 4 MAC_DCU_TXFILTER_DCU6_63_32 ; 02167Ch 1x60 PAD__34 ; 0216B8h 4 MAC_DCU_TXFILTER_DCU6_95_64 ; 0216BCh 1x60 PAD__35 ; 0216F8h 4 MAC_DCU_TXFILTER_DCU6_127_96 ;/ 0216FCh 1x60 PAD__36 021738h 4 MAC_DCU_TXFILTER_DCU7_31_0 ;\ 02173Ch 1x60 PAD__37 ; 021778h 4 MAC_DCU_TXFILTER_DCU7_63_32 ; 02177Ch 1x60 PAD__38 ; 0217B8h 4 MAC_DCU_TXFILTER_DCU7_95_64 ; 0217BCh 1x60 PAD__39 ; 0217F8h 4 MAC_DCU_TXFILTER_DCU7_127_96 ;/ |
028000h 4 MAC_PCU_STA_ADDR_L32 028004h 4 MAC_PCU_STA_ADDR_U16 028008h 4 MAC_PCU_BSSID_L32 02800Ch 4 MAC_PCU_BSSID_U16 028010h 4 MAC_PCU_BCN_RSSI_AVE 028014h 4 MAC_PCU_ACK_CTS_TIMEOUT 028018h 4 MAC_PCU_BCN_RSSI_CTL 02801Ch 4 MAC_PCU_USEC_LATENCY 028020h 4 MAC_PCU_BCN_RSSI_CTL2 028024h 4 MAC_PCU_BT_WL_1 028028h 4 MAC_PCU_BT_WL_2 02802Ch 4 MAC_PCU_BT_WL_3 028030h 4 MAC_PCU_BT_WL_4 028034h 4 MAC_PCU_COEX_EPTA 028038h 4 MAC_PCU_MAX_CFP_DUR 02803Ch 4 MAC_PCU_RX_FILTER 028040h 4 MAC_PCU_MCAST_FILTER_L32 028044h 4 MAC_PCU_MCAST_FILTER_U32 028048h 4 MAC_PCU_DIAG_SW 02804Ch 1x8 PAD__1 028054h 4 MAC_PCU_TST_ADDAC 028058h 4 MAC_PCU_DEF_ANTENNA 02805Ch 4 MAC_PCU_AES_MUTE_MASK_0 028060h 4 MAC_PCU_AES_MUTE_MASK_1 028064h 4 MAC_PCU_GATED_CLKS 028068h 4 MAC_PCU_OBS_BUS_2 02806Ch 4 MAC_PCU_OBS_BUS_1 028070h 4 MAC_PCU_DYM_MIMO_PWR_SAVE 028074h 1x12 PAD__2 028080h 4 MAC_PCU_LAST_BEACON_TSF 028084h 4 MAC_PCU_NAV 028088h 4 MAC_PCU_RTS_SUCCESS_CNT 02808Ch 4 MAC_PCU_RTS_FAIL_CNT 028090h 4 MAC_PCU_ACK_FAIL_CNT 028094h 4 MAC_PCU_FCS_FAIL_CNT 028098h 4 MAC_PCU_BEACON_CNT 02809Ch 4 MAC_PCU_BEACON2_CNT 0280A0h 4 MAC_PCU_BASIC_SET 0280A4h 4 MAC_PCU_MGMT_SEQ 0280A8h 4 MAC_PCU_BF_RPT1 0280ACh 4 MAC_PCU_BF_RPT2 0280B0h 4 MAC_PCU_TX_ANT_1 0280B4h 4 MAC_PCU_TX_ANT_2 0280B8h 4 MAC_PCU_TX_ANT_3 0280BCh 4 MAC_PCU_TX_ANT_4 0280C0h 4 MAC_PCU_XRMODE 0280C4h 4 MAC_PCU_XRDEL 0280C8h 4 MAC_PCU_XRTO 0280CCh 4 MAC_PCU_XRCRP 0280D0h 4 MAC_PCU_XRSTMP 0280D4h 1x8 PAD__3 0280DCh 4 MAC_PCU_SELF_GEN_DEFAULT 0280E0h 4 MAC_PCU_ADDR1_MASK_L32 0280E4h 4 MAC_PCU_ADDR1_MASK_U16 0280E8h 4 MAC_PCU_TPC 0280ECh 4 MAC_PCU_TX_FRAME_CNT 0280F0h 4 MAC_PCU_RX_FRAME_CNT 0280F4h 4 MAC_PCU_RX_CLEAR_CNT 0280F8h 4 MAC_PCU_CYCLE_CNT 0280FCh 4 MAC_PCU_QUIET_TIME_1 028100h 4 MAC_PCU_QUIET_TIME_2 028104h 1x4 PAD__4 028108h 4 MAC_PCU_QOS_NO_ACK 02810Ch 4 MAC_PCU_PHY_ERROR_MASK 028110h 4 MAC_PCU_XRLAT 028114h 4 MAC_PCU_RXBUF 028118h 4 MAC_PCU_MIC_QOS_CONTROL 02811Ch 4 MAC_PCU_MIC_QOS_SELECT 028120h 4 MAC_PCU_MISC_MODE 028124h 4 MAC_PCU_FILTER_OFDM_CNT 028128h 4 MAC_PCU_FILTER_CCK_CNT 02812Ch 4 MAC_PCU_PHY_ERR_CNT_1 028130h 4 MAC_PCU_PHY_ERR_CNT_1_MASK 028134h 4 MAC_PCU_PHY_ERR_CNT_2 028138h 4 MAC_PCU_PHY_ERR_CNT_2_MASK 02813Ch 1x8 PAD__5 028144h 4 MAC_PCU_PHY_ERROR_EIFS_MASK 028148h 1x8 PAD__6 028150h 4 MAC_PCU_COEX_LNAMAXGAIN1 028154h 4 MAC_PCU_COEX_LNAMAXGAIN2 028158h 4 MAC_PCU_COEX_LNAMAXGAIN3 02815Ch 4 MAC_PCU_COEX_LNAMAXGAIN4 028160h 1x8 PAD__7 028168h 4 MAC_PCU_PHY_ERR_CNT_3 02816Ch 4 MAC_PCU_PHY_ERR_CNT_3_MASK 028170h 4 MAC_PCU_BLUETOOTH_MODE 028174h 1x4 PAD__8 028178h 4 MAC_PCU_HCF_TIMEOUT 02817Ch 4 MAC_PCU_BLUETOOTH_MODE2 028180h 1x72 PAD__9 0281C8h 4 MAC_PCU_BLUETOOTH_TSF_BT_ACTIVE 0281CCh 4 MAC_PCU_BLUETOOTH_TSF_BT_PRIORITY 0281D0h 4 MAC_PCU_TXSIFS 0281D4h 4 MAC_PCU_BLUETOOTH_MODE3 0281D8h 4 MAC_PCU_BLUETOOTH_MODE4 0281DCh 4 MAC_PCU_BLUETOOTH_MODE5 0281E0h 4 MAC_PCU_BLUETOOTH_WEIGHTS 0281E4h 4 MAC_PCU_BT_BT_ASYNC 0281E8h 1x4 PAD__10 0281ECh 4 MAC_PCU_TXOP_X 0281F0h 4 MAC_PCU_TXOP_0_3 0281F4h 4 MAC_PCU_TXOP_4_7 0281F8h 4 MAC_PCU_TXOP_8_11 0281FCh 4 MAC_PCU_TXOP_12_15 028200h 4 MAC_PCU_TDMA_TXFRAME_START_TIME_TRIGGER_LSB 028204h 4 MAC_PCU_TDMA_TXFRAME_START_TIME_TRIGGER_MSB 028208h 4 MAC_PCU_TDMA_SLOT_ALERT_CNTL 02820Ch 1x80 PAD__11 02825Ch 4 MAC_PCU_WOW1 ;WOW Misc 028260h 4 MAC_PCU_WOW2 ;WOW AIFS/SLOT/TRY_CNT 028264h 4 MAC_PCU_LOGIC_ANALYZER 028268h 4 MAC_PCU_LOGIC_ANALYZER_32L 02826Ch 4 MAC_PCU_LOGIC_ANALYZER_16U 028270h 4 MAC_PCU_WOW3_BEACON_FAIL ;WOW Beacon Fail Enable 028274h 4 MAC_PCU_WOW3_BEACON ;WOW Beacon Timeout 028278h 4 MAC_PCU_WOW3_KEEP_ALIVE ;WOW Keep-Alive Timeout 02827Ch 4 MAC_PCU_WOW_KA ;WOW Auto/Fail/BkoffCs Enable/Disable 028280h 1x4 PAD__12 028284h 4 PCU_1US 028288h 4 PCU_KA 02828Ch 4 WOW_EXACT ;WOW Exact Length/Offset 1 028290h 1x4 PAD__13 028294h 4 PCU_WOW4 ;WOW Offset 0..3 028298h 4 PCU_WOW5 ;WOW Offset 4..7 02829Ch 4 MAC_PCU_PHY_ERR_CNT_MASK_CONT 0282A0h 1x96 PAD__14 028300h 4 MAC_PCU_AZIMUTH_MODE 028304h 1x16 PAD__15 028314h 4 MAC_PCU_AZIMUTH_TIME_STAMP 028318h 4 MAC_PCU_20_40_MODE 02831Ch 4 MAC_PCU_H_XFER_TIMEOUT 028320h 1x8 PAD__16 028328h 4 MAC_PCU_RX_CLEAR_DIFF_CNT 02832Ch 4 MAC_PCU_SELF_GEN_ANTENNA_MASK 028330h 4 MAC_PCU_BA_BAR_CONTROL 028334h 4 MAC_PCU_LEGACY_PLCP_SPOOF 028338h 4 MAC_PCU_PHY_ERROR_MASK_CONT 02833Ch 4 MAC_PCU_TX_TIMER 028340h 4 MAC_PCU_TXBUF_CTRL 028344h 4 MAC_PCU_MISC_MODE2 028348h 4 MAC_PCU_ALT_AES_MUTE_MASK 02834Ch 4 MAC_PCU_WOW6 ;;WOW RX Buf Start Addr (R) 028350h 4 ASYNC_FIFO_REG1 028354h 4 ASYNC_FIFO_REG2 028358h 4 ASYNC_FIFO_REG3 02835Ch 4 MAC_PCU_WOW5 ;WOW RX Abort Enable 028360h 4 MAC_PCU_WOW_LENGTH1 ;WOW Pattern 0..3 028364h 4 MAC_PCU_WOW_LENGTH2 ;WOW Pattern 4..7 028368h 4 WOW_PATTERN_MATCH_LESS_THAN_256_BYTES 02836Ch 1x4 PAD__17 028370h 4 MAC_PCU_WOW4 ;WOW Pattern Enable/Detect 028374h 4 WOW2_EXACT ;WOW Exact Length/Offset 2 ;\ 028378h 4 PCU_WOW6 ;WOW Offset 8..11 ; 02837Ch 4 PCU_WOW7 ;WOW Offset 12..15 ; 028380h 4 MAC_PCU_WOW_LENGTH3 ;WOW Pattern 8..11 ; 028384h 4 MAC_PCU_WOW_LENGTH4 ;WOW Pattern 12..15 ;/ 028388h 4 MAC_PCU_LOCATION_MODE_CONTROL 02838Ch 4 MAC_PCU_LOCATION_MODE_TIMER 028390h 1x8 PAD__18 028398h 4 MAC_PCU_BSSID2_L32 02839Ch 4 MAC_PCU_BSSID2_U16 0283A0h 4 MAC_PCU_DIRECT_CONNECT 0283A4h 4 MAC_PCU_TID_TO_AC 0283A8h 4 MAC_PCU_HP_QUEUE 0283ACh 1x16 PAD__19 0283BCh 4 MAC_PCU_AGC_SATURATION_CNT0 0283C0h 4 MAC_PCU_AGC_SATURATION_CNT1 0283C4h 4 MAC_PCU_AGC_SATURATION_CNT2 0283C8h 4 MAC_PCU_HW_BCN_PROC1 0283CCh 4 MAC_PCU_HW_BCN_PROC2 0283D0h 4 MAC_PCU_MISC_MODE3 0283D4h 4 MAC_PCU_MISC_MODE4 0283D8h 1x4 PAD__20 0283DCh 4 MAC_PCU_PS_FILTER 0283E0h 4 MAC_PCU_BASIC_RATE_SET0 0283E4h 4 MAC_PCU_BASIC_RATE_SET1 0283E8h 4 MAC_PCU_BASIC_RATE_SET2 0283ECh 4 MAC_PCU_BASIC_RATE_SET3 0283F0h 1x16 PAD__21 028400h 4x64 MAC_PCU_TXBUF_BA[0..63] 028500h 4x64 MAC_PCU_BT_BT[0..63] 028600h 4 MAC_PCU_RX_INT_STATUS0 028604h 4 MAC_PCU_RX_INT_STATUS1 028608h 4 MAC_PCU_RX_INT_STATUS2 02860Ch 4 MAC_PCU_RX_INT_STATUS3 028610h 4 HT_HALF_GI_RATE1 028614h 4 HT_HALF_GI_RATE2 028618h 4 HT_FULL_GI_RATE1 02861Ch 4 HT_FULL_GI_RATE2 028620h 4 LEGACY_RATE1 028624h 4 LEGACY_RATE2 028628h 4 LEGACY_RATE3 02862Ch 4 RX_INT_FILTER 028630h 4 RX_INT_OVERFLOW 028634h 4 RX_FILTER_THRESH0 028638h 4 RX_FILTER_THRESH1 02863Ch 4 RX_PRIORITY_THRESH0 028640h 4 RX_PRIORITY_THRESH1 028644h 4 RX_PRIORITY_THRESH2 028648h 4 RX_PRIORITY_THRESH3 02864Ch 4 RX_PRIORITY_OFFSET0 028650h 4 RX_PRIORITY_OFFSET1 028654h 4 RX_PRIORITY_OFFSET2 028658h 4 RX_PRIORITY_OFFSET3 02865Ch 4 RX_PRIORITY_OFFSET4 028660h 4 RX_PRIORITY_OFFSET5 028664h 4 MAC_PCU_LAST_BEACON2_TSF 028668h 4 MAC_PCU_PHY_ERROR_AIFS 02866Ch 4 MAC_PCU_PHY_ERROR_AIFS_MASK 028670h 4 MAC_PCU_FILTER_RSSI_AVE 028674h 4 MAC_PCU_TBD_FILTER 028678h 4 MAC_PCU_BT_ANT_SLEEP_EXTEND 02867Ch 1x388 PAD__22 028800h 4x512 MAC_PCU_KEY_CACHE[0..511] 029000h 1x20480 PAD__23 ;<-- this includes BB regs 02E000h 4x2048 MAC_PCU_BUF[0..2047] ;<-- this after BB regs |
029800h 4 BB_TIMING_CONTROLS_1 029804h 4 BB_TIMING_CONTROLS_2 029808h 4 BB_TIMING_CONTROLS_3 02980Ch 4 BB_TIMING_CONTROL_4 029810h 4 BB_TIMING_CONTROL_5 029814h 4 BB_TIMING_CONTROL_6 029818h 4 BB_TIMING_CONTROL_11 02981Ch 4 BB_SPUR_MASK_CONTROLS 029820h 4 BB_FIND_SIGNAL_LOW 029824h 4 BB_SFCORR 029828h 4 BB_SELF_CORR_LOW 02982Ch 4 BB_EXT_CHAN_SCORR_THR 029830h 4 BB_EXT_CHAN_PWR_THR_2_B0 029834h 4 BB_RADAR_DETECTION 029838h 4 BB_RADAR_DETECTION_2 02983Ch 4 BB_EXTENSION_RADAR 029840h 1x64 PAD__0 029880h 4 BB_MULTICHAIN_CONTROL 029884h 4 BB_PER_CHAIN_CSD 029888h 1x24 PAD__1 0298A0h 4 BB_TX_CRC 0298A4h 4 BB_TSTDAC_CONSTANT 0298A8h 4 BB_SPUR_REPORT_B0 0298ACh 1x4 PAD__2 0298B0h 4 BB_TXIQCAL_CONTROL_3 0298B4h 1x8 PAD__3 0298BCh 4 BB_GREEN_TX_CONTROL_1 0298C0h 4 BB_IQ_ADC_MEAS_0_B0 0298C4h 4 BB_IQ_ADC_MEAS_1_B0 0298C8h 4 BB_IQ_ADC_MEAS_2_B0 0298CCh 4 BB_IQ_ADC_MEAS_3_B0 0298D0h 4 BB_TX_PHASE_RAMP_B0 0298D4h 4 BB_ADC_GAIN_DC_CORR_B0 0298D8h 1x4 PAD__4 0298DCh 4 BB_RX_IQ_CORR_B0 0298E0h 1x4 PAD__5 0298E4h 4 BB_PAPRD_AM2AM_MASK 0298E8h 4 BB_PAPRD_AM2PM_MASK 0298ECh 4 BB_PAPRD_HT40_MASK 0298F0h 4 BB_PAPRD_CTRL0_B0 0298F4h 4 BB_PAPRD_CTRL1_B0 0298F8h 4 BB_PA_GAIN123_B0 0298FCh 4 BB_PA_GAIN45_B0 029900h 4 BB_PAPRD_PRE_POST_SCALE_0_B0 029904h 4 BB_PAPRD_PRE_POST_SCALE_1_B0 029908h 4 BB_PAPRD_PRE_POST_SCALE_2_B0 02990Ch 4 BB_PAPRD_PRE_POST_SCALE_3_B0 029910h 4 BB_PAPRD_PRE_POST_SCALE_4_B0 029914h 4 BB_PAPRD_PRE_POST_SCALE_5_B0 029918h 4 BB_PAPRD_PRE_POST_SCALE_6_B0 02991Ch 4 BB_PAPRD_PRE_POST_SCALE_7_B0 029920h 4x120 BB_PAPRD_MEM_TAB_B0[0..119] 029B00h 4x60 BB_CHAN_INFO_CHAN_TAB_B0[0..59] 029BF0h 4 BB_CHN_TABLES_INTF_ADDR 029BF4h 4 BB_CHN_TABLES_INTF_DATA |
029C00h 4 BB_TIMING_CONTROL_3A 029C04h 4 BB_LDPC_CNTL1 029C08h 4 BB_LDPC_CNTL2 029C0Ch 4 BB_PILOT_SPUR_MASK 029C10h 4 BB_CHAN_SPUR_MASK 029C14h 4 BB_SHORT_GI_DELTA_SLOPE 029C18h 4 BB_ML_CNTL1 029C1Ch 4 BB_ML_CNTL2 029C20h 4 BB_TSTADC |
029D00h 4 BB_BBB_RX_CTRL_1 029D04h 4 BB_BBB_RX_CTRL_2 029D08h 4 BB_BBB_RX_CTRL_3 029D0Ch 4 BB_BBB_RX_CTRL_4 029D10h 4 BB_BBB_RX_CTRL_5 029D14h 4 BB_BBB_RX_CTRL_6 029D18h 4 BB_FORCE_CLKEN_CCK |
029E00h 4 BB_SETTLING_TIME 029E04h 4 BB_GAIN_FORCE_MAX_GAINS_B0 029E08h 4 BB_GAINS_MIN_OFFSETS 029E0Ch 4 BB_DESIRED_SIGSIZE 029E10h 4 BB_FIND_SIGNAL 029E14h 4 BB_AGC 029E18h 4 BB_EXT_ATTEN_SWITCH_CTL_B0 029E1Ch 4 BB_CCA_B0 029E20h 4 BB_CCA_CTRL_2_B0 029E24h 4 BB_RESTART 029E28h 4 BB_MULTICHAIN_GAIN_CTRL 029E2Ch 4 BB_EXT_CHAN_PWR_THR_1 029E30h 4 BB_EXT_CHAN_DETECT_WIN 029E34h 4 BB_PWR_THR_20_40_DET 029E38h 4 BB_RIFS_SRCH 029E3Ch 4 BB_PEAK_DET_CTRL_1 029E40h 4 BB_PEAK_DET_CTRL_2 029E44h 4 BB_RX_GAIN_BOUNDS_1 029E48h 4 BB_RX_GAIN_BOUNDS_2 029E4Ch 4 BB_PEAK_DET_CAL_CTRL 029E50h 4 BB_AGC_DIG_DC_CTRL 029E54h 4 BB_BT_COEX_1 029E58h 4 BB_BT_COEX_2 029E5Ch 4 BB_BT_COEX_3 029E60h 4 BB_BT_COEX_4 029E64h 4 BB_BT_COEX_5 029E68h 4 BB_REDPWR_CTRL_1 029E6Ch 4 BB_REDPWR_CTRL_2 029E70h 1x272 PAD__0 029F80h 4 BB_RSSI_B0 029F84h 4 BB_SPUR_EST_CCK_REPORT_B0 029F88h 4 BB_AGC_DIG_DC_STATUS_I_B0 029F8Ch 4 BB_AGC_DIG_DC_STATUS_Q_B0 029F90h 4 BB_DC_CAL_STATUS_B0 029F94h 1x44 PAD__1 029FC0h 4 BB_BBB_SIG_DETECT 029FC4h 4 BB_BBB_DAGC_CTRL 029FC8h 4 BB_IQCORR_CTRL_CCK 029FCCh 4 BB_CCK_SPUR_MIT 029FD0h 4 BB_MRC_CCK_CTRL 029FD4h 4 BB_CCK_BLOCKER_DET 029FD8h 1x40 PAD__2 02A000h 4x128 BB_RX_OCGAIN[0..127] |
02A200h 4 BB_D2_CHIP_ID 02A204h 4 BB_GEN_CONTROLS 02A208h 4 BB_MODES_SELECT 02A20Ch 4 BB_ACTIVE 02A210h 1x16 PAD__0 02A220h 4 BB_VIT_SPUR_MASK_A 02A224h 4 BB_VIT_SPUR_MASK_B 02A228h 4 BB_SPECTRAL_SCAN 02A22Ch 4 BB_RADAR_BW_FILTER 02A230h 4 BB_SEARCH_START_DELAY 02A234h 4 BB_MAX_RX_LENGTH 02A238h 4 BB_FRAME_CONTROL 02A23Ch 4 BB_RFBUS_REQUEST 02A240h 4 BB_RFBUS_GRANT 02A244h 4 BB_RIFS 02A248h 4 BB_SPECTRAL_SCAN_2 02A24Ch 1x4 PAD__1 02A250h 4 BB_RX_CLEAR_DELAY 02A254h 4 BB_ANALOG_POWER_ON_TIME 02A258h 4 BB_TX_TIMING_1 02A25Ch 4 BB_TX_TIMING_2 02A260h 4 BB_TX_TIMING_3 02A264h 4 BB_XPA_TIMING_CONTROL 02A268h 1x24 PAD__2 02A280h 4 BB_MISC_PA_CONTROL 02A284h 4 BB_SWITCH_TABLE_CHN_B0 02A288h 4 BB_SWITCH_TABLE_COM1 02A28Ch 4 BB_SWITCH_TABLE_COM2 02A290h 1x16 PAD__3 02A2A0h 4 BB_MULTICHAIN_ENABLE 02A2A4h 1x28 PAD__4 02A2C0h 4 BB_CAL_CHAIN_MASK 02A2C4h 4 BB_AGC_CONTROL 02A2C8h 4 BB_IQ_ADC_CAL_MODE 02A2CCh 4 BB_FCAL_1 02A2D0h 4 BB_FCAL_2_B0 02A2D4h 4 BB_DFT_TONE_CTRL_B0 02A2D8h 4 BB_CL_CAL_CTRL 02A2DCh 4 BB_CL_MAP_0_B0 02A2E0h 4 BB_CL_MAP_1_B0 02A2E4h 4 BB_CL_MAP_2_B0 02A2E8h 4 BB_CL_MAP_3_B0 02A2ECh 4 BB_CL_MAP_PAL_0_B0 02A2F0h 4 BB_CL_MAP_PAL_1_B0 02A2F4h 4 BB_CL_MAP_PAL_2_B0 02A2F8h 4 BB_CL_MAP_PAL_3_B0 02A2FCh 1x4 PAD__5 02A300h 4x16 BB_CL_TAB_B0[0..15] 02A340h 4 BB_SYNTH_CONTROL 02A344h 4 BB_ADDAC_CLK_SELECT 02A348h 4 BB_PLL_CNTL 02A34Ch 4 BB_ANALOG_SWAP 02A350h 4 BB_ADDAC_PARALLEL_CONTROL 02A354h 1x4 PAD__6 02A358h 4 BB_FORCE_ANALOG 02A35Ch 1x4 PAD__7 02A360h 4 BB_TEST_CONTROLS 02A364h 4 BB_TEST_CONTROLS_STATUS 02A368h 4 BB_TSTDAC 02A36Ch 4 BB_CHANNEL_STATUS 02A370h 4 BB_CHANINFO_CTRL 02A374h 4 BB_CHAN_INFO_NOISE_PWR 02A378h 4 BB_CHAN_INFO_GAIN_DIFF 02A37Ch 4 BB_CHAN_INFO_FINE_TIMING 02A380h 4 BB_CHAN_INFO_GAIN_B0 02A384h 4 BB_SM_HIST 02A388h 1x8 PAD__8 02A390h 4 BB_SCRAMBLER_SEED 02A394h 4 BB_BBB_TX_CTRL 02A398h 4 BB_BBB_TXFIR_0 02A39Ch 4 BB_BBB_TXFIR_1 02A3A0h 4 BB_BBB_TXFIR_2 02A3A4h 4 BB_HEAVY_CLIP_CTRL 02A3A8h 4 BB_HEAVY_CLIP_20 02A3ACh 4 BB_HEAVY_CLIP_40 02A3B0h 4 BB_ILLEGAL_TX_RATE 02A3B4h 1x12 PAD__9 02A3C0h 4 BB_POWERTX_RATE1 ;Power TX 0..3 02A3C4h 4 BB_POWERTX_RATE2 ;Power TX 4..7 02A3C8h 4 BB_POWERTX_RATE3 ;Power TX 1L,2L,2S 02A3CCh 4 BB_POWERTX_RATE4 ;Power TX 55L,55S,11L,11S 02A3D0h 4 BB_POWERTX_RATE5 ;Power TX HT20_0..3 02A3D4h 4 BB_POWERTX_RATE6 ;Power TX HT20_4..7 02A3D8h 4 BB_POWERTX_RATE7 ;Power TX HT40_0..3 02A3DCh 4 BB_POWERTX_RATE8 ;Power TX HT40_4..7 02A3E0h 4 BB_POWERTX_RATE9 ;Power TX DUP40/EXT20_CCK/OFDM 02A3E4h 4 BB_POWERTX_RATE10 ;Power TX HT20_8..11 02A3E8h 4 BB_POWERTX_RATE11 ;Power TX HT20/40_12/13 02A3ECh 4 BB_POWERTX_RATE12 ;Power TX HT40_8..11 02A3F0h 4 BB_POWERTX_MAX ;Power TX Flags 02A3F4h 4 BB_POWERTX_SUB ;Power TX Sub_for_2chain 02A3F8h 4 BB_TPC_1 02A3FCh 4 BB_TPC_2 02A400h 4 BB_TPC_3 02A404h 4 BB_TPC_4_B0 02A408h 4 BB_TPC_5_B0 02A40Ch 4 BB_TPC_6_B0 02A410h 4 BB_TPC_7 02A414h 4 BB_TPC_8 02A418h 4 BB_TPC_9 02A41Ch 4 BB_TPC_10 02A420h 4 BB_TPC_11_B0 02A424h 4 BB_TPC_12 02A428h 4 BB_TPC_13 02A42Ch 4 BB_TPC_14 02A430h 4 BB_TPC_15 02A434h 4 BB_TPC_16 02A438h 4 BB_TPC_17 02A43Ch 4 BB_TPC_18 02A440h 4 BB_TPC_19_B0 02A444h 4 BB_TPC_20 02A448h 4 BB_THERM_ADC_1 02A44Ch 4 BB_THERM_ADC_2 02A450h 4 BB_THERM_ADC_3 02A454h 4 BB_THERM_ADC_4 02A458h 4 BB_TX_FORCED_GAIN 02A45Ch 1x36 PAD__10 02A480h 4x32 BB_PDADC_TAB_B0[0..31] 02A500h 4x32 BB_TX_GAIN_TAB_(1..32) 02A580h 4 BB_RTT_CTRL 02A584h 4 BB_RTT_TABLE_SW_INTF_B0 02A588h 4 BB_RTT_TABLE_SW_INTF_1_B0 02A58Ch 4 BB_TX_GAIN_TAB_1_16_LSB_EXT 02A590h 4 BB_TX_GAIN_TAB_17_32_LSB_EXT 02A594h 1x108 PAD__11 02A600h 4x16 BB_CALTX_GAIN_SET_(0,2,4,6,..,28,30) 02A640h 1x4 PAD__12 02A644h 4 BB_TXIQCAL_CONTROL_0 02A648h 4 BB_TXIQCAL_CONTROL_1 02A64Ch 4 BB_TXIQCAL_CONTROL_2 02A650h 4 BB_TXIQ_CORR_COEFF_01_B0 02A654h 4 BB_TXIQ_CORR_COEFF_23_B0 02A658h 4 BB_TXIQ_CORR_COEFF_45_B0 02A65Ch 4 BB_TXIQ_CORR_COEFF_67_B0 02A660h 4 BB_TXIQ_CORR_COEFF_89_B0 02A664h 4 BB_TXIQ_CORR_COEFF_AB_B0 02A668h 4 BB_TXIQ_CORR_COEFF_CD_B0 02A66Ch 4 BB_TXIQ_CORR_COEFF_EF_B0 02A670h 4 BB_CAL_RXBB_GAIN_TBL_0 02A674h 4 BB_CAL_RXBB_GAIN_TBL_4 02A678h 4 BB_CAL_RXBB_GAIN_TBL_8 02A67Ch 4 BB_CAL_RXBB_GAIN_TBL_12 02A680h 4 BB_CAL_RXBB_GAIN_TBL_16 02A684h 4 BB_CAL_RXBB_GAIN_TBL_20 02A688h 4 BB_CAL_RXBB_GAIN_TBL_24 02A68Ch 4 BB_TXIQCAL_STATUS_B0 02A690h 4 BB_PAPRD_TRAINER_CNTL1 02A694h 4 BB_PAPRD_TRAINER_CNTL2 02A698h 4 BB_PAPRD_TRAINER_CNTL3 02A69Ch 4 BB_PAPRD_TRAINER_CNTL4 02A6A0h 4 BB_PAPRD_TRAINER_STAT1 02A6A4h 4 BB_PAPRD_TRAINER_STAT2 02A6A8h 4 BB_PAPRD_TRAINER_STAT3 02A6ACh 1x276 PAD__13 02A7C0h 4 BB_WATCHDOG_STATUS 02A7C4h 4 BB_WATCHDOG_CTRL_1 02A7C8h 4 BB_WATCHDOG_CTRL_2 02A7CCh 4 BB_BLUETOOTH_CNTL 02A7D0h 4 BB_PHYONLY_WARM_RESET 02A7D4h 4 BB_PHYONLY_CONTROL 02A7D8h 1x4 PAD__14 02A7DCh 4 BB_ECO_CTRL 02A7E0h 1x16 PAD__15 02A7F0h 4 BB_TABLES_INTF_ADDR_B0 02A7F4h 4 BB_TABLES_INTF_DATA_B0 |
02A800h 1x48 PAD__0 02A830h 4 BB_EXT_CHAN_PWR_THR_2_B1 02A834h 1x116 PAD__1 02A8A8h 4 BB_SPUR_REPORT_B1 02A8ACh 1x20 PAD__2 02A8C0h 4 BB_IQ_ADC_MEAS_0_B1 02A8C4h 4 BB_IQ_ADC_MEAS_1_B1 02A8C8h 4 BB_IQ_ADC_MEAS_2_B1 02A8CCh 4 BB_IQ_ADC_MEAS_3_B1 02A8D0h 4 BB_TX_PHASE_RAMP_B1 02A8D4h 4 BB_ADC_GAIN_DC_CORR_B1 02A8D8h 1x4 PAD__3 02A8DCh 4 BB_RX_IQ_CORR_B1 02A8E0h 1x16 PAD__4 02A8F0h 4 BB_PAPRD_CTRL0_B1 02A8F4h 4 BB_PAPRD_CTRL1_B1 02A8F8h 4 BB_PA_GAIN123_B1 02A8FCh 4 BB_PA_GAIN45_B1 02A900h 4 BB_PAPRD_PRE_POST_SCALE_0_B1 02A904h 4 BB_PAPRD_PRE_POST_SCALE_1_B1 02A908h 4 BB_PAPRD_PRE_POST_SCALE_2_B1 02A90Ch 4 BB_PAPRD_PRE_POST_SCALE_3_B1 02A910h 4 BB_PAPRD_PRE_POST_SCALE_4_B1 02A914h 4 BB_PAPRD_PRE_POST_SCALE_5_B1 02A918h 4 BB_PAPRD_PRE_POST_SCALE_6_B1 02A91Ch 4 BB_PAPRD_PRE_POST_SCALE_7_B1 02A920h 4x120 BB_PAPRD_MEM_TAB_B1[0..119] 02AB00h 4x60 BB_CHAN_INFO_CHAN_TAB_B1[0..59] 02ABF0h 4 BB_CHN1_TABLES_INTF_ADDR 02ABF4h 4 BB_CHN1_TABLES_INTF_DATA |
02AE00h 1x4 PAD__0 02AE04h 4 BB_GAIN_FORCE_MAX_GAINS_B1 02AE08h 1x16 PAD__1 02AE18h 4 BB_EXT_ATTEN_SWITCH_CTL_B1 02AE1Ch 4 BB_CCA_B1 02AE20h 4 BB_CCA_CTRL_2_B1 02AE24h 1x348 PAD__2 02AF80h 4 BB_RSSI_B1 02AF84h 4 BB_SPUR_EST_CCK_REPORT_B1 02AF88h 4 BB_AGC_DIG_DC_STATUS_I_B1 02AF8Ch 4 BB_AGC_DIG_DC_STATUS_Q_B1 02AF90h 4 BB_DC_CAL_STATUS_B1 02AF94h 1x108 PAD__3 02B000h 4x128 BB_RX_OCGAIN2[0..127] |
02B200h 1x132 PAD__0 02B284h 4 BB_SWITCH_TABLE_CHN_B1 02B288h 1x72 PAD__1 02B2D0h 4 BB_FCAL_2_B1 02B2D4h 4 BB_DFT_TONE_CTRL_B1 02B2D8h 1x4 PAD__2 02B2DCh 4 BB_CL_MAP_0_B1 02B2E0h 4 BB_CL_MAP_1_B1 02B2E4h 4 BB_CL_MAP_2_B1 02B2E8h 4 BB_CL_MAP_3_B1 02B2ECh 4 BB_CL_MAP_PAL_0_B1 02B2F0h 4 BB_CL_MAP_PAL_1_B1 02B2F4h 4 BB_CL_MAP_PAL_2_B1 02B2F8h 4 BB_CL_MAP_PAL_3_B1 02B2FCh 1x4 PAD__3 02B300h 4x16 BB_CL_TAB_B1[0..15] 02B340h 1x64 PAD__4 02B380h 4 BB_CHAN_INFO_GAIN_B1 02B384h 1x128 PAD__5 02B404h 4 BB_TPC_4_B1 02B408h 4 BB_TPC_5_B1 02B40Ch 4 BB_TPC_6_B1 02B410h 1x16 PAD__6 02B420h 4 BB_TPC_11_B1 02B424h 1x28 PAD__7 02B440h 4 BB_TPC_19_B1 02B444h 1x60 PAD__8 02B480h 4x32 BB_PDADC_TAB_B1[0..31] 02B500h 1x132 PAD__9 02B584h 4 BB_RTT_TABLE_SW_INTF_B1 02B588h 4 BB_RTT_TABLE_SW_INTF_1_B1 02B58Ch 1x196 PAD__10 02B650h 4 BB_TXIQ_CORR_COEFF_01_B1 02B654h 4 BB_TXIQ_CORR_COEFF_23_B1 02B658h 4 BB_TXIQ_CORR_COEFF_45_B1 02B65Ch 4 BB_TXIQ_CORR_COEFF_67_B1 02B660h 4 BB_TXIQ_CORR_COEFF_89_B1 02B664h 4 BB_TXIQ_CORR_COEFF_AB_B1 02B668h 4 BB_TXIQ_CORR_COEFF_CD_B1 02B66Ch 4 BB_TXIQ_CORR_COEFF_EF_B1 02B670h 1x28 PAD__11 02B68Ch 4 BB_TXIQCAL_STATUS_B1 02B690h 1x352 PAD__12 02B7F0h 4 BB_TABLES_INTF_ADDR_B1 02B7F4h 4 BB_TABLES_INTF_DATA_B1 |
02C800h 4x256 BB_DUMMY1[0..255] |
02CE00h 4 BB_DUMMY 02CE04h 1x380 PAD__0 02CF80h 4 BB_RSSI_B3 |
02D200h 4x384 BB_DUMMY2[0..383] |
02D800h 4 BB_MIT_RF_CNTL 02D804h 4 BB_MIT_CCA_CNTL 02D808h 4 BB_MIT_RSSI_CNTL_1 02D80Ch 4 BB_MIT_RSSI_CNTL_2 02D810h 4 BB_MIT_TX_CNTL 02D814h 4 BB_MIT_RX_CNTL 02D818h 4 BB_MIT_OUT_CNTL 02D81Ch 4 BB_MIT_SPARE_CNTL |
02E000h 4x2048 MAC_PCU_BUF[0..2047] |
030000h 4 EFUSE_WR_ENABLE_REG 030004h 4 EFUSE_INT_ENABLE_REG 030008h 4 EFUSE_INT_STATUS_REG 03000Ch 4 BITMASK_WR_REG 030010h 4 VDDQ_SETTLE_TIME_REG 030014h 4 VDDQ_HOLD_TIME_REG 030018h 4 RD_STROBE_PW_REG 03001Ch 4 PG_STROBE_PW_REG 030020h 4 PGENB_SETUP_HOLD_TIME_REG 030024h 4 STROBE_PULSE_INTERVAL_REG 030028h 4 CSB_ADDR_LOAD_SETUP_HOLD_REG 03002Ch 1x2004 PAD0 030800h 4x512 EFUSE_INTF0[0..511] 031000h 4x512 EFUSE_INTF1[0..511] |
034000h 4 STEREO0_CONFIG ;\Stereo 0 034004h 4 STEREO0_VOLUME ;/ 034008h 4 STEREO_MASTER_CLOCK ;-Stereo Master 03400Ch 4 STEREO0_TX_SAMPLE_CNT_LSB ;\ 034010h 4 STEREO0_TX_SAMPLE_CNT_MSB ; Stereo 0 034014h 4 STEREO0_RX_SAMPLE_CNT_LSB ; 034018h 4 STEREO0_RX_SAMPLE_CNT_MSB ;/ |
035000h 4 CHKSUM_ACC_DMATX_CONTROL0 035004h 4 CHKSUM_ACC_DMATX_CONTROL1 035008h 4 CHKSUM_ACC_DMATX_CONTROL2 03500Ch 4 CHKSUM_ACC_DMATX_CONTROL3 035010h 4 CHKSUM_ACC_DMATX_DESC0 035014h 4 CHKSUM_ACC_DMATX_DESC1 035018h 4 CHKSUM_ACC_DMATX_DESC2 03501Ch 4 CHKSUM_ACC_DMATX_DESC3 035020h 4 CHKSUM_ACC_DMATX_DESC_STATUS 035024h 4 CHKSUM_ACC_DMATX_ARB_CFG 035028h 4 CHKSUM_ACC_RR_PKTCNT01 03502Ch 4 CHKSUM_ACC_RR_PKTCNT23 035030h 4 CHKSUM_ACC_TXST_PKTCNT 035034h 4 CHKSUM_ACC_DMARX_CONTROL 035038h 4 CHKSUM_ACC_DMARX_DESC 03503Ch 4 CHKSUM_ACC_DMARX_DESC_STATUS 035040h 4 CHKSUM_ACC_INTR 035044h 4 CHKSUM_ACC_IMASK 035048h 4 CHKSUM_ACC_ARB_BURST 03504Ch 1x4 PAD__0 035050h 4 CHKSUM_ACC_RESET_DMA 035054h 4 CHKSUM_CONFIG |
038000h 4 RX_FRAME0 038004h 4 RX_FRAME_0 038008h 4 RX_FRAME1 03800Ch 4 RX_FRAME_1 038010h 4 MMAC_INTERRUPT_RAW 038014h 4 MMAC_INTERRUPT_EN 038018h 4 RX_PARAM1 03801Ch 4 RX_PARAM0 038020h 4 TX_COMMAND0 038024h 4 TX_COMMAND 038028h 4 TX_PARAM 03802Ch 4 BEACON_PARAM 038030h 4 BEACON 038034h 4 TSF_L 038038h 4 TSF_U |
039000h 4 FPGA_REG1 039004h 4 FPGA_REG2 039008h 4 FPGA_REG4 |
040000h 4 INTERRUPT 040004h 4 INTERRUPT_MASK |
040100h 4 MII0_CNTL 040104h 4 STAT_CNTL |
040200h 4x8 MDIO_REG[0..7] 040220h 4 MDIO_ISR 040224h 4 PHY_ADDR |
040800h 4 GMAC_RX_0_DESC_START_ADDRESS 040804h 4 GMAC_RX_0_DMA_START 040808h 4 GMAC_RX_0_BURST_SIZE 04080Ch 4 GMAC_RX_0_PKT_OFFSET 040810h 4 GMAC_RX_0_CHECKSUM 040814h 4 GMAC_RX_0_DBG_RX 040818h 4 GMAC_RX_0_DBG_RX_CUR_ADDR 04081Ch 4 GMAC_RX_0_DATA_SWAP |
040C00h 4 GMAC_TX_0_DESC_START_ADDRESS 040C04h 4 GMAC_TX_0_DMA_START 040C08h 4 GMAC_TX_0_INTERRUPT_LIMIT 040C0Ch 4 GMAC_TX_0_BURST_SIZE 040C10h 4 GMAC_TX_0_DBG_TX 040C14h 4 GMAC_TX_0_DBG_TX_CUR_ADDR 040C18h 4 GMAC_TX_0_DATA_SWAP |
054000h 4 ENDP0 054004h 1x4 PAD0 054008h 4 OUT1ENDP 05400Ch 4 IN1ENDP 054010h 4 OUT2ENDP 054014h 4 IN2ENDP 054018h 4 OUT3ENDP 05401Ch 4 IN3ENDP 054020h 4 OUT4ENDP 054024h 4 IN4ENDP 054028h 4 OUT5ENDP 05402Ch 4 IN5ENDP 054030h 1x92 PAD1 05408Ch 4 USBMODESTATUS 054090h 1x248 PAD2 054188h 4 EPIRQ 05418Ch 4 USBIRQ 054190h 1x4 PAD3 054194h 4 EPIEN 054198h 4 PIEN 05419Ch 1x8 PAD4 0541A4h 4 FNCTRL 0541A8h 1x20 PAD5 0541BCh 4 OTGREG 0541C0h 1x12 PAD6 0541CCh 4 DMASTART 0541D0h 4 DMASTOP 0541D4h 1x556 PAD7 054400h 4 EP0DMAADDR 054404h 1x28 PAD8 054420h 4 EP1DMAADDR 054424h 1x8 PAD9 05442Ch 4 OUT1DMACTRL 054430h 1x16 PAD10 054440h 4 EP2DMAADDR 054444h 1x8 PAD11 05444Ch 4 OUT2DMACTRL 054450h 1x16 PAD12 054460h 4 EP3DMAADDR 054464h 1x8 PAD13 05446Ch 4 OUT3DMACTRL 054470h 1x16 PAD14 054480h 4 EP4DMAADDR 054484h 1x8 PAD15 05448Ch 4 OUT4DMACTRL 054490h 1x16 PAD16 0544A0h 4 EP5DMAADDR 0544A4h 1x8 PAD17 0544ACh 4 OUT5DMACTRL 0544B0h 1x539472 PAD18 ;pad to BASE + 84000h 0D8000h 4 USB_IP_BASE |
054D00h 4 DMA_CONFIG 054D04h 4 DMA_CONTROL 054D08h 4 DMA_SRC 054D0Ch 4 DMA_DEST 054D10h 4 DMA_LENGTH 054D14h 4 VMC_BASE 054D18h 4 INDIRECT_REG 054D1Ch 4 INDIRECT_RETURN 054D20h 4x16 RDMA_REGION_(0..15)_ 054DA0h 4 DMA_STATUS 054DA4h 4 DMA_INT_EN |
054E00h 4 I2CFIFOCONTROL 054E04h 4 I2CFIFOREADPTR 054E08h 4 I2CFIFOREADUPDATE 054E0Ch 4 I2CFIFOREADBASEADDR 054E10h 4 I2CFIFOWRITEPTR 054E14h 4 I2CFIFOWRITEUPDATE 054E18h 4 I2CFIFOWRITEBASEADDR 054E1Ch 4 I2CMEMCONTROL 054E20h 4 I2CMEMBASEADDR 054E24h 4 I2CREGREADDATA 054E28h 4 I2CREGWRITEDATA 054E2Ch 4 I2CREGCONTROL 054E30h 4 I2CCSRREADDATA 054E34h 4 I2CCSRWRITEDATA 054E38h 4 I2CCSRCONTROL 054E3Ch 4 I2CFILTERSIZE 054E40h 4 I2CADDR 054E44h 4 I2CINT 054E48h 4 I2CINTEN 054E4Ch 4 I2CINTCSR |
055000h 4x1 MBOX_FIFO ;<-- defined as array of ONE word (?) 055004h 4 MBOX_FIFO_STATUS 055008h 4 MBOX_DMA_POLICY 05500Ch 4 MBOX0_DMA_RX_DESCRIPTOR_BASE 055010h 4 MBOX0_DMA_RX_CONTROL 055014h 4 MBOX0_DMA_TX_DESCRIPTOR_BASE 055018h 4 MBOX0_DMA_TX_CONTROL 05501Ch 4 MBOX_FRAME 055020h 4 FIFO_TIMEOUT 055024h 4 MBOX_INT_STATUS 055028h 4 MBOX_INT_ENABLE 05502Ch 4 MBOX_FIFO_RESET 055030h 4 MBOX_DEBUG_CHAIN0 055034h 4 MBOX_DEBUG_CHAIN1 055038h 4 MBOX_DEBUG_CHAIN0_SIGNALS 05503Ch 4 MBOX_DEBUG_CHAIN1_SIGNALS |
xxx000h 4x256 RAM1[0..255] xxx400h 4x12 INT_PENDING[0..11] xxx430h 4 BB_WR_MASK_0 ;\ xxx434h 4 BB_WR_MASK_1 ; BB Write Mask 0..3 xxx438h 4 BB_WR_MASK_2 ; xxx43Ch 4 BB_WR_MASK_3 ;/ xxx440h 4 RF_WR_MASK_0 ;\RF Write Mask 0..1 xxx444h 4 RF_WR_MASK_1 ;/ xxx448h 4 BB_RD_MASK_0 ;\ xxx44Ch 4 BB_RD_MASK_1 ; BB Read Mask 0..3 xxx450h 4 BB_RD_MASK_2 ; xxx454h 4 BB_RD_MASK_3 ;/ xxx458h 4 RF_RD_MASK_0 ;\RF Read Mask 0..1 xxx45Ch 4 RF_RD_MASK_1 ;/ xxx460h 4 INT_SRC xxx464h 1x924 PAD__0 xxx800h 4x128 RAM2[0..127] |
xxx000h 4 PHY_CTRL0 xxx004h 4 PHY_CTRL1 xxx008h 4 PHY_CTRL2 xxx00Ch 4 PHY_CTRL3 xxx010h 4 PHY_CTRL4 xxx014h 4 PHY_CTRL5 xxx018h 4 PHY_CTRL6 xxx01Ch 4 PHY_STATUS |
| DSi Atheros Wifi - Internal I/O - Unknown and Unused Registers (hw2) |
00D000h - DBG_UART Registers ;\don't exist in hw2.0 ? 00E000h - UMBOX Registers ;/ 020000h - WMAC DMA and IRQ ;\ 020800h - WMAC QCU Queue ; these MIGHT EXIST in hw2.0, too ? 021000h - WMAC DCU ; (not defined in hw2.0 source code though) 029800h - BB/LC Registers ;/ 030100h - RDMA Registers ;\don't exist in hw2.0 ? 031000h - EFUSE Registers ;/ |
000000 Deadc0de 004000 sth (01 00 00 00, 00 00 00 00) ;"RTC" 005000 Deadc0de 008000 sth (00 00 00 00, 00 00 00 00) ;"VMC?" 009000 Deadc0de ;should contain UART etc. (maybe disabled?) 014000 sth (00 00 00 00, 00 00 00 00) (--crash-- at 0140cx) ;"GPIO?" 015000 Deadc0de 018000 sth (00 01 0E 00, 00 01 0E 00) ;\MBOX 019000 sth (00 01 0E 00, 00 01 0E 00) ;/ 01A000 sth (00 01 0E 00, 00 01 0E 00) ;\MBOX:HOST_IF? 01B000 sth (--crash-- at 01B00x) ;/ 01C000 sth (00 00 14 00, D8 48 45 0E) ;-ANALOG? 01D000 Deadc0de 020000 sth (00's) ;\DMA? 021000 sth (01 00 00 00, 02 00 00 00) ;/ 022000 sth (00's) ;\ ;\same as 023000 sth (01 00 00 00, 02 00 00 00) ; ;/DMA? 024000 sth (00's) ; ?? 025000 sth (00's) ; 026000 sth (00's) ; 027000 sth (00's) ;/ 028000 sth (<--- mac addr ---> 86 38) ;\MAC_PCU? mac_pcu.h ? 029000 sth (14 E1 38 8A, 80 73 00 00) ;/ ;\ 02A000 sth (00's) ; BB at 29800h? 02B000 sth (00's) ;/ 02C000 sth (00's) ;- 02D000 sth (00's) ;- 02E000 sth (00's) ;- 02F000 sth (00's) ;- 030000 Deadc0de ;RDMA?? and (not?) EFUSE?? 040000 Deadbeef ;\ 050000 Deadbeef ; 060000 Deadbeef ; 070000 Deadbeef ;/ 080000 004F1B74 ;\ 090000 004F1B74 ; 0A0000 004F1B74 ; mirror of ROM word at [0F3FF8] (second-last-word) 0B0000 004F1B74 ; 0C0000 004F1B74 ; 0D0000 004F1B74 ;/ 0E0000 sth (06 10 00 00, 21 22 22 22) ;\80K ROM (14000h bytes) 0F0000 sth (00 00 05 60, FF DF FF FF) ;/ 0F4000 004F1B74 ;-mirror of ROM word at [0F3FF8] (second-last-word) 100000 sth (48 0F 8E 00, 70 14 50 00) ;\ 110000 sth ; 184K RAM (2E000h bytes) 120000 sth ;/ 12E000 98A8A2AA ;\ ... ; 1FF000 98A8A2AA ;/ 200000 Deadbeef ;\ 300000 Deadbeef ;/ 00400000 looks like mirror of 000000 0041B000 looks like mirror of 01B000 --crash-- ... probably more mirrors... FFC00000 looks like mirror of 000000 FFC1B000 looks like mirror of 01B000 --crash-- ... probably more mirrors till FFFFFFFF |
000000 zerofilled 004000 sth (01 00 00 00, 00 00 00 00) ;"RTC" 005000 zerofilled 040000 Deadbeef 080000 zerofilled 0E0000 06 10 00 00 21 22 22 22 00 00 00 E0 83 00 8E 00 ... ;ROM? 109DC0 zerofilled ;ROM? 10C000 14 19 52 00 ... ;ROM? 114000 zerofilled ;ROM? 120000 A0 B2 52 00 ;=52B2A0h (app_defined_area) ;RAM 140000 zerofilled 200000 Deadbeef 400000..FFFFFFFF not checked (probably mirrors of above?) |
| DSi Atheros Wifi - Internal I/O - 004000h - RTC/Clock SOC (hw2/hw4/hw6) |
0 SI0_RST 1 UART_RST 2 MBOX_RST 3 - 4 hw2/hw4: MAC_WARM_RST ;-moved to 005000h.bit0 in hw6 ;\hw2/hw4 only 5 hw2/hw4: MAC_COLD_RST ;-moved to 005000h.bit1 in hw6 ;/ 6 CPU_WARM_RST 7 hw2/hw4: WARM_RST ;-moved to 005000h.bit2 in hw6 ;-hw2/hw4 only 8 COLD_RST (0=no change, 1=reset) ;-also in 005000h.bit3 in hw6 9 RST_OUT 10 hw2/hw4: VMC_REMAP_RESET ;removed in hw6 ;-hw2/hw4 only 11 CPU_INIT_RESET 12 hw4: BB_WARM_RST ;-moved to 005000h.bit4 in hw6 ;\hw4 only 13 hw4: BB_COLD_RST ;-moved to 005000h.bit5 in hw6 ; (not hw2, and 14 hw4: DEBUG_UART_RST ;-moved to bit16 in hw6 ;/moved in hw6) 12 hw6: MIT_ADAPTOR_RST ;\ 13 hw6: MIT_REG_MAPPING_RST ; 14-15 hw6: - ; 16 hw6: DEBUG_UART_RST ;<-- moved from old bit14 ; 17 hw6: UART2_RST ; 18 hw6: CHECKSUM_ACC_RST ; 19 hw6: I2S_MBOX_RST ; 20 hw6: I2S_RST ; 21 hw6: GE0_RST ; 22 hw6: MDIO_RST ; hw6 23 hw6: MMAC_RST ; 24 hw6: USB_RST ; 25 hw6: USB_PHY_RST ; 26 hw6: USB_PHY_ARST ; 27 hw6: I2C_SLAVE_RST ; 28 hw6: I2S_1_MBOX_RST ; 29 hw6: I2S_1_RST ; 30 hw6: SPI2_RST ; 31 hw6: SDIO2_RST ;/ |
0 PRESENT |
0 NOTCXODET |
0-1 STANDARD |
0 SI0_CLK 1 hw2: UART_CLK ;0=enable? ;<-- hw2 only (removed in hw4/hw6) 2 LF_CLK32 |
______________________________ Watchdog Timer ______________________________ |
0-2 ACTION |
0 INTERRUPT |
0-21 TARGET |
0-21 VALUE |
0 VALUE |
_____________________________ Interrupt Status _____________________________ |
0 WDT_INT ;-Watchdog Timer 1 ERROR 2 UART ;-Serial UART 3 GPIO ;-GPIO 4 SI ;-Serial I2C/SPI 5 KEYPAD 6 LF_TIMER0 ;\ 7 LF_TIMER1 ; Low-Freq Timer 0..3 8 LF_TIMER2 ; and 9 LF_TIMER3 ; High-Freq Timer 10 HF_TIMER ;/ 11 RTC_ALARM ;-Real-Time Clock Alarm 12 MAILBOX 13 MAC ;-maybe this is "MAC's INTA#" (see WMAC IRQ) ? 14 RTC_POWER 15 hw4/hw6: BTCOEX ;Bluetooth Coex ;\ 16 hw4/hw6: RDMA ; 17 hw4/hw6: GENERIC_MBOX (aka GMBOX) ; hw4/hw6 18 hw4/hw6: UART_MBOX ; 19 hw4/hw6: EFUSE_OVERWRITE ; 20 hw4/hw6: THERM ; 21 hw4/hw6: HCI_UART ;/ 22 hw6: MODE_SWITCH ;\ 23 hw6: RF_SLEEP_RISING ; 24 hw6: BBP_SLEEP_RISING ; 25 hw6: FLIGHT_MODE ; 26 hw6: MIT_REG_ACCESS ; hw6 only 27 hw6: MMAC ; 28 hw6: USBIP ; 29 hw6: USBDMA ; 30 hw6: SDIO2_MBOX ; 31 hw6: STE_MBOX ;/ |
0 MAC_1 ;\ 1 MAC_2 ; 2 MAC_3 ; 3 MAC_4 ; hw6 only 4 CKSUM ; (additional bits, extending 5 I2C_S ; the bits in port 004044h) 6 GMAC ; 7 MDIO ; 8 I2S ; 9 I2S_1 ;/ |
__________________ Low-Freq Timer 0-3 and High-Freq Timer __________________ |
For LF Timer 0-3: 0-31 TARGET For HF Timer: 12-31 TARGET ;<-- not bit0-31 for HF timer |
For LF Timer 0-3: 0-31 VALUE For HF Timer: 12-31 VALUE ;<-- not bit0-31 for HF timer |
0-31 VALUE ;<-- extra for HF timer |
For both LF and HF: 0 RESET 1 AUTO_RESTART For LF Timer 0-3: 2 ENABLE For HF Timer: 2 ON ;<-- extra bit for HF timer 3 ENABLE ;<-- moved to bit3 |
0 INTERRUPT |
_____________________________ Real-Time Clock _____________________________ |
0 LOAD_ALARM 1 LOAD_RTC 2 ENABLE |
0-6 SECOND 8-14 MINUTE 16-21 HOUR 24-26 WEEK_DAY |
0-5 MONTH_DAY 8-12 MONTH 16-23 YEAR |
0-6 SECOND 8-14 MINUTE 16-21 HOUR |
0 DSE 1 TWELVE_HOUR 2 BCD |
0 INTERRUPT 1 ENABLE |
_________________________________ Chip ID _________________________________ |
0-3 VERSION_ID (4bit, usually 0 or 1) 4-15 CONFIG_ID (12bit, usually 0) 16-31 DEVICE_ID (16bit, usually xx00h or xx01h for AR60xx, eg. 0D00h=AR6013) |
AR6002: 02010001h or 02000001h (the latter one being actually used in DSi) AR6013: 0D000000h or 0D000001h (unknown which one is actually used in DSi) |
___________________________________ Misc ___________________________________ |
0 ENABLE |
0-2 Cause of most recent Reset event (LAST) |
00h = SYS_RST_L pin was asserted 01h = Host wrote to the SDIO reset register 02h = Software wrote RTC_CONTROL_COLD_RST register (aka COLD_RST bit?) 03h = Software wrote RTC_CONTROL_WARM_RST register (aka WARM_RST bit?) 04h = Software wrote RTC_CONTROL_CPU_RST register (aka CPU_WARM_RST bit?) 05h = Watchdog Timer has expired 06h..07h = Reserved |
0 DISABLE 1 LIGHT 2 MAC_IF 3 MBOX 4 HOST_IF 5 hw6: MCI ;-hw6 only |
0 ON 1 SOC_ON 2 WAKEUP 3 SLEEP |
0 POWER_EN 1 WLAN_PWD_EN 2 hw2: WLAN_SCALE_EN ;\ 2 hw4: WLAN_ISO_EN ; hw2/hw4 (renamed from hw2:SCALE 3 hw2: SOC_SCALE_EN ; to hw4:ISO, and removed in hw6) 3 hw4: SOC_ISO_EN ;/ 4 RADIO_PWD_EN 5 hw2/hw4: WLAN_ISO_CNTL ;\hw2/hw4 (removed? in hw6) 6 hw2/hw4: WLAN_ISO_DIS ;/ 7 CPU_INT_ENABLE 8-11 hw2/hw4: VLVL ;-hw2/hw4 (removed? in hw6) 12 hw4/hw6: WLAN_MAC_PWD_EN ;\ 13 hw4/hw6: WLAN_BB_PWD_EN ; hw4/hw6 14 hw4/hw6: DEBUG_EN ;/ 15 hw4: SLEEP_MAKE_N_BREAK_EN ;\hw4+hw6, but changed/renamed? 15 hw6: DEEP_SLEEP_EN ;/ 16 hw6: DISCON_MODE_EN ;\hw6 17 hw6: SWREG_VS_EN ;/ |
0-2 DIV |
0 ENABLE |
0 ENABLE 1 MODE 2-9 TIME |
___________________________________ LPO ___________________________________ |
0-13 LENGTH |
0-23 VALUE |
0-10 VALUE |
0-19 COUNT 20 ENABLE |
0-4 hw2/hw4: RTC_CYCLES (5bit) ;\hw2/hw4 (5bit) 5 hw2/hw4: ENABLE ;/ 0-15 hw6: RTC_CYCLES (16bit) ;\hw6 (expanded to 16bit) 16 hw6: ENABLE ;/(and moved enable flag) |
0-15 COUNT 16 READY |
__________________________ below in hw4/hw6 only __________________________ |
0 EN |
0-31 CNT |
___________________________________ MISC ___________________________________ |
0-1 BIT |
0-7 DELAY 31 EN |
___________________________________ OTP ___________________________________ |
0 VDD12_EN 1 LDO25_EN |
0 VDD12_EN_READY 1 LDO25_EN_READY |
___________________________________ PMU ___________________________________ |
0-1 REG_WAKEUP_TIME_SEL |
0-15 VALUE ... whatever... (2x16bit) 16-31 - |
0-4 VALUE |
0-2 LVL_CTR |
0 hw4/hw6: PAREG ;-hw4/hw6 ;\ 1 hw4: DREG ;-removed in hw6 ;\hw4 ; hw4/hw6 only 2 hw4: SWREG ;-moved to bit1 in hw6 ;/ ; (not hw2) 1 hw6: SWREG ;-formerly in bit2 ;-hw6 ;/ |
________________________________ THERM CTRL ________________________________ |
0 INT_STATUS 1 INT_EN 2 MEASURE 3-4 TYPE 5-11 WIDTH 12-15 WIDTH_ARBITOR 16 BYPASS |
0-7 LOW 8-15 HIGH 16-23 SAMPLE 24 ADC_ON 25 ADC_OFF |
0-7 ADC_OFFSET 8-16 ADC_GAIN |
____________________________ below in hw6 only ____________________________ |
0 ENABLE 1 CLOCK_GATE 2 TIMER_OVERFLOW_WAKE 3-18 TIMER_THRESH_WAKE 19 TIMER_CLEAR |
0-15 TIMER_TRIGGER_WAKE |
0-3 REFDIV 4 BYPASS 5 PLLPWD 7-9 POSTPLLDIV 12-14 EXT_DIV 31 UPDATING |
0 START 1-6 TGT_DIV_INT 11-28 TGT_DIV_FRAC |
0-3 UPDATE_CNT 4-13 INT 14-31 FRAC |
1-6 INT 10-27 FRAC |
0-4 REFDIV 5 BYPASS 6 PLLPWD 7-9 OUTDIV 12-17 INT 18-27 FRAC 28 RANGE 29 GE0 30 GE0_MASTER |
0-4 REFDIV 6 PLLPWD 7-9 OUTDIV 12-17 INT 20-25 FRAC 28 RANGE |
0-17 FRAC |
0-7 PHASE0_COUNT 8-15 PHASE1_COUNT 16-23 OFFSET_COUNT 24 OFFSET_PHASE 25 GIGE 26-27 TX_DELAY 28-29 RX_DELAY 30 GIGE_QUAD 31 TX_INVERT |
0 HOSTMODE 1 PLL_PWD 2 TESTMODE 3 REFDIV 4-7 REFCLK_SEL |
0 MODE_SWITCH 1 RF_SLEEP 2 BBP_SLEEP 3 FLIGHT_MODE |
0 VALUE 1 NOT_FIRST_MIT_MODE 2 MIT_REG_WR_TRIGGER_EN 5 MIT_FORCE_ACTIVE_ON |
0-5 THRESHOLD |
0 MODE |
0 SDIO_MODE |
0 RESET |
0 LOCATION_DISABLE 1 LOOPBACK_DISABLE 2 MIN_PKT_SIZE_DISABLE 3 TXBF_DISABLE 4 CH_10MHZ_DISABLE 5 CH_5MHZ_DISABLE 6 CHAIN1_DISABLE 7 DUAL_BAND_DISABLE 8 GREEN_TX_DISABLE 9 LDPC_DISABLE 10 STBC_DISABLE 11 SWCOM_IDLE_MODE 12 TPC_LOWER_PERFORMANCE |
0 SEL |
0 EN |
| DSi Atheros Wifi - Internal I/O - 00x000h - RTC/Clock WLAN (hw2/hw4/hw6) |
0 TCXO |
0-1 hw2/hw4: DAC (2bit) ;\expanded DAC from 2bit (hw2/hw4) to 3bit (hw6) 0-2 hw6: DAC (3bit) ; (and removed SEL bit in hw6) 2 hw2/hw4: SEL ;/ 4-5 hw2: ADC (2bit) ;\expanded ADC from 2bit (hw2) to 4bit (hw4) 4-7 hw4/hw6: ADC (4bit) ;/ |
0-9 DIV 12-15 hw2/hw4: REFDIV (4bit) 10-13 hw6: REFDIV (4bit, now here) 14-15 hw6: CLK_SEL ;<-- maybe replaces removed "SEL" in WLAN_QUADRATURE? 16 BYPASS 17 UPDATING (R) 18 NOPWD 19 MAC_OVERRIDE 20 DIG_TEST_CLK |
0-11 hw2/hw4: TIME (12bit) ;\decreased from 12bit to 11bit in hw6 0-10 hw6: TIME (11bit) ;/ |
0-7 hw2/hw4: TIME (8bit) ;\decreased from 8bit to 7bit in hw6 0-6 hw6: TIME (7bit) ;/ |
0-3 hw2/hw4: SELECT (4bit) ;\raised from 4bit to 5bit in hw6, 0-4 hw6: SELECT (5bit) ; and added new DELAY field in hw6 5-7 hw6: DELAY (3bit, new) ;/ |
0 ON |
0-1 hw2/hw4: ENABLE ;\ 0 hw6: ENABLE ; reduced from 2bit to 1bit in hw6 1 hw6: RESERVED ;/ 2 hw6: HSEL_WMAC_ENABLE ;-new in hw6 |
0-7 COUNT |
1-15 PERIOD 16-17 hw2/hw4: FORCE ;-hw2/hw4 only (removed in hw6) 18 EXTERNAL_DETECT (R) 20 EXTERNAL_DETECT_EN |
________________________ SLP or SLOP or SLEEP or so ________________________ |
0-19 HALF_CLK_LATENCY 20 ENABLE ;<-- see hw2 note ;-hw2/hw4/hw6 (on hw2 in mirror only) 21 hw2: TSF_WRITE_PENDING ;\changed/renamed in hw2/hw4 21 hw4/hw6: TSF_WRITE_STATUS (R) ;/ 22 hw4/hw6: DISABLE_32KHZ ;\ 23 hw4/hw6: FORCE_BIAS_BLOCK_ON ; hw4/hw6 only (unspecified in hw2) 24 hw4/hw6: TSF2_WRITE_STATUS (R) ;/ |
0-15 XTL_TIME |
0-19 TSF_INC |
0-31 SLEEP_CNT |
0-31 CYCLE_CNT |
0 CLR_CNT 1 PENDING (R) |
0-18 hw2: outcommented: NEXT_DTIM) (hw2: ini:2AAAAh) ;\outcommented 20 hw2: outcommented: ENH_SLEEP_ENABLE) (hw2: ini:1) ;/ 0-4 hw2/hw6: CAB_TIMEOUT_EXT (hw2: ini:0) ;-hw2/hw6 0-15 hw4: CAB_TIMEOUT ;-hw4 19 ASSUME_DTIM (hw2: ini:0) ;-hw2/hw4/hw6 20 hw6: BUG_59985_FIX_ENABLE ;-hw6 21-31 hw2/hw6: CAB_TIMEOUT (hw2: ini:5) ;-hw2/hw6 |
0-18 hw2: outcommented: NEXT_TIM (hw2: ini:55555h) ;-outcommented 0-15 hw4: BEACON_TIMEOUT ;-hw4 0-4 hw2/hw6: BEACON_TIMEOUT_EXT (hw2: ini:0) ;\hw2/hw6 21-31 hw2/hw6: BEACON_TIMEOUT (hw2: ini:2) ;/ |
0-15 hw2: outcommented: TIM_PERIOD (hw2: ini:2) ;\outcommented 16-31 hw2: outcommented: DTIM_PERIOD (hw2: ini:3) ;/ |
0-15 hw2/hw6: CAB_AWAKE_DUR (hw2: ini:0005h) ;\hw2/hw6 16 hw2/hw6: CAB_AWAKE_ENABLE (hw2: ini:0) ;/ |
0-15 hw6: BEACON2_TIMEOUT 16-30 hw6: CAB2_TIMEOUT 31 hw6: ASSUME_DTIM2 |
______________________________ Generic Timers ______________________________ |
0-31 hw2, for "GNRCTMR_N" entries: GNRCTMR_N (32bit) 0-27 hw2, for "GNRCTMR_P" entries: GNRCTMR_P (only 28bit here) 0-31 hw4/hw6: DATA (32bit) |
- hw2 has "8xTMR_N" plus "8xTMR_P" - hw4/6 has "16xTIMER" plus "16xTIMER2" |
- hw2 has 1x8 ENABLE bits (for 8+8 timer entries) - hw4 has 2x16 ENABLE bits (for 16+16 timer entries) - hw6 has 2x8 ENABLE bits (for 16+16 timer entries, too) |
0-15 hw4: ENABLE (16bit) ;\hw4 (the other bits are 16-31 hw4: - ;/moved to "MODE3" in hw4) 0-7 hw6: ENABLE (8bit) ;\ 8-10 hw6: OVERFLOW_INDEX (3bit) (R) ; hw2/hw6 11 hw6: - ; 12-31 hw6: THRESH (20bit) ;/ |
0-15 hw4: ENABLE (16bit) ;-hw4 0-7 hw6: ENABLE (8bit) ;\ 8-11 hw6: OVERFLOW_INDEX (4bit) (R) ; hw6 12-15 hw6: OVERFLOW_INDEX2 (4bit) (R) ;/ |
0-19 hw4: THRESH ;\hw4 only (in hw2/hw6 this stuff is 24-27 hw4: OVERFLOW_INDEX ;/located in "MODE" instead of "MODE3") |
0-15 VALUE |
__________________________ below in hw4/hw6 only __________________________ |
0 MODE |
0-63 VALUE |
0-63 VALUE |
0 ENABLE ;-hw6 only |
0-31 VALUE |
24 ONE_SHOT ;aka "one shot RESET_TSF" ;<-- see "REG_BEACON" in hw2 25 ONE_SHOT2 |
0-23 VALUE (aka BMISS_TIMEOUT) 24 ENABLE (aka BMISS_TIMEOUT_ENABLE) |
____________________________ below in hw2 only ____________________________ |
0-23 hw2: BMISS_TIMEOUT ;\hw2 only 24 hw2: BMISS_TIMEOUT_ENABLE ;/ |
0-7 hw2: VECTOR |
0 hw2: CLEAR 1 hw2: ENABLE |
____________________________ below in hw4 only ____________________________ |
0-7 hw4: VALUE |
0-15 hw4: DURATION 16 hw4: ENABLE |
0 hw4: AP_STA_ENABLE 1 hw4: AP_TSF_1_2_SEL 2 hw4: STA_TSF_1_2_SEL |
____________________________ below in hw6 only ____________________________ |
0 MAC_WARM_RST ;-moved from 004000h.bit4 ;\ 1 MAC_COLD_RST ;-moved from 004000h.bit5 ; 2 WARM_RST ;-moved from 004000h.bit7 ; 3 COLD_RST ;-also in 004000h.bit8 ; 4 BB_WARM_RST ;-moved from 004000h.bit12 ; 5 BB_COLD_RST ;-moved from 004000h.bit13 ;/ 6 RADIO_SRESET ;-new hw6 bit ;\ 7 MCI_RESET ;-new hw6 bit ;/ |
0-31 SWREG_BITS |
0 SWREG_PROGRAM 1-2 OTPREG_LVL |
0-2 LAST (R) |
0 DISABLE 1 LIGHT 2 MAC_IF (R) |
0-1 hw6: MAX_BEATS |
0-31 hw6: VALUE (R) |
| DSi Atheros Wifi - Internal I/O - 0xx240h - RTC/Clock SYNC (hw6) |
0 RESET_L |
0 SHUTDOWN_STATE (R) 1 ON_STATE (R) 2 SLEEP_STATE (R) 3 WAKEUP_STATE (R) 4 WRESET (R) 5 PLL_CHANGING (R) |
0 BYPASS 1 FORCE 2 FORCE_SWREG_PWD (W) 3 FORCE_LPO_PWD (W) |
0 ENABLE (R) 1 INTR |
0 SHUTDOWN_STATE 1 ON_STATE 2 SLEEP_STATE 3 WAKEUP_STATE 4 SLEEP_ACCESS 5 PLL_CHANGING |
0 SHUTDOWN_STATE 1 ON_STATE 2 SLEEP_STATE 3 WAKEUP_STATE 4 SLEEP_ACCESS 5 PLL_CHANGING |
0 SHUTDOWN_STATE 1 ON_STATE 2 SLEEP_STATE 3 WAKEUP_STATE 4 SLEEP_ACCESS 5 PLL_CHANGING |
| DSi Atheros Wifi - Internal I/O - 006000h - WLAN Coex (MCI) (hw6) |
0-7 HEADER 8-12 LEN 13 DISABLE_TIMESTAMP |
0-31 ADDR |
0 RESET_TX 1 RESET_RX 2-9 RESET_RX_NUM_CYCLES |
0 DISABLE_TIMESTAMP 1 DISABLE_MAXGAIN_RESET 2 DISABLE_MAXGAIN_WBTIMER_RESET |
0-1 CLK_DIV 2 DISABLE_LNA_UPDATES 3-23 GAIN_UPDATE_FREQ 24-27 GAIN_UPDATE_NUM |
0-15 CHECKSUM_EN 16-31 INVALID_HDR |
0-31 BASE_ADDR |
0-15 OWN 16-31 SW_REQ_OWN |
0-31 START_ADDR |
0-15 LEN 16-31 WRITE_PTR (R) |
0 SW_MSG_DONE 1 CPU_INT_MSG 2 RX_CKSUM_FAIL 3 RX_INVALID_HDR 4 RX_HW_MSG_FAIL 5 RX_SW_MSG_FAIL 7 TX_HW_MSG_FAIL 8 TX_SW_MSG_FAIL 9 RX_MSG 10 REMOTE_SLEEP_UPDATE 11-26 BT_PRI 27 BT_PRI_THRESH 28 BT_FREQ 29 BT_STOMP |
0-31 BODY |
0 REMOTE_RESET 1 LNA_CTRL 2 CONT_NACK 3 CONT_INFO 4 CONT_RST 5 SCHD_INFO 6 CPU_INT 8 GPM 9 LNA_INFO 10 SYS_SLEEPING 11 SYS_WAKING 12 REQ_WAKE |
0-31 MSG |
8-11 SCHD_MSG_INDEX (R) 12 REMOTE_SLEEP (R) |
0-7 RSSI_POWER (R) 8-15 PRIORITY (R) 16 TX (R) 17-20 LINKID (R) 21-27 CHANNEL (R) 28-31 OWNER (R) |
0-7 VAL0 8-15 VAL1 16-23 VAL2 24-31 VAL3 |
0-7 THRESH |
0-31 MASK |
0-31 MASK |
0-15 MASK |
0-7 OFFSET1 8-15 OFFSET2 |
0-31 TARGET |
0-7 GAIN1 8-15 GAIN2 16-23 GAIN3 24-31 GAIN4 |
2 MCI_MODE_ENABLE |
0-7 RESERVED2 8-10 OBS_SEL |
0-31 OBS (R) |
0-7 HDR (R) 8-10 LEN (R) |
0-31 BDY (R) |
0-31 TARGET |
| DSi Atheros Wifi - Internal I/O - 00x000h - Bluetooth Coex (hw4/hw6) |
0-7 GAP 8 CLK_CNT_EN 9 FRAME_CNT_EN 10 IDLE_CNT_EN 11 SYNC_DET_EN 12-17 PRIORITY_TIME 18-22 FREQ_TIME 23-24 PTA_MODE 25 WBSYNC_ON_BEACON 26 hw4: WBTIMER_ENABLE ;hw4 only 27 unspecified 28 hw6: RFGAIN_VALID_SRC ;hw6 only |
0-7 SYNC_DUR |
0-20 CLK_THRES |
0-7 FRAME_THRES |
0-20 CLK_CNT |
0-7 FRAME_CNT |
0-15 IDLE_CNT |
0-31 IDLE_RESET_LVL_BITMAP |
0-7 TUNLOCK_MASTER 8-15 TLOCK_MASTER 16-23 TUNLOCK_SLAVE 24-31 TLOCK_SLAVE |
0-31 BITMAP |
0-31 BTCLOCK (R) (read-only, according to hw6) |
0-31 VALUE |
0-9 VALUE |
0 CLK_CNT 1 FRAME_CNT 2 END 3 SYNC 4 NOSYNC 5 BTPRIORITY ;<-- for INT_STAT (but, N/A for INT_EN) (R) 6 BTPRIORITY_STOMP ;<-- for INT_STAT (but, N/A for INT_EN) (R) 7 WB_TIMER 8 I2C_MESG_RECV ;<-- for INT_STAT (but, "ST_MESG_RECV" for INT_EN?) 9 I2C_MESG_SENT 10 I2C_TX_FAILED 11 I2C_RECV_OVERFLOW |
0-31 BITMAP |
0-31 BITMAP |
0 MODE 1-5 SOC_CLK_DIVIDE_RATIO 6 CLOCK_GATE 7 DRIVE_MODE 8 REQ_ACK_NOT_PULLED_DOWN 9-26 TIMEOUT |
0-31 TYPE |
0-31 PARAMETER |
_________ below hw6 only _________ |
0-7 DELAY |
0-13 PERIOD 14-23 SLOP |
0-31 BITMAP |
0-31 BTCLOCK |
0 CLK_CNT 1 FRAME_CNT 2 END 3 SYNC 4 NOSYNC 7 WB_TIMER |
0-31 BITMAP |
0-31 BITMAP |
| DSi Atheros Wifi - Internal I/O - 00x000h - Memory Control (hw2/hw4/hw6) |
______________________ hw2 ROM Patches (TCAM) ______________________ |
0 BIT (?=Patch Enable) |
0-2 SIZE (... patch area, selectable 32-bytes or bigger or so?) |
5-21 KEY (Patch ROM Address in 32-byte steps) (probably 0E0000h and up?) |
5-21 ADDR (Patch RAM Address in 32-byte steps) (probably 100000h and up?) |
______________________ hw4 ROM Patches (BCAM) ______________________ |
0 BIT some "bit" (128 x 1bit) (?=Patch Enable) 1-31 - |
0-1 - 2-19 KEY some "key" (128 x 18bit) (Patch Address in 4-byte steps) 20-31 - |
0-31 INST some "inst" (128 x 32bit) (Patch Data) |
0 DPORT_FLAG 1 IPORT_FLAG 2-31 - |
_______________________ hw6 ROM Patches (?) _______________________ |
______________________ ADDR_ERROR Registers ______________________ |
0 ENABLE 1 QUAL_ENABLE 2-31 - |
0-24 ADDRESS 25 WRITE 26-31 - |
0 ENABLE 1-31 - |
0-23 ADDRESS 24-29 - 30 MBOX 31 MAC |
______________________ hw4 MISC Registers ______________________ |
0 EN 1-31 - |
0-31 CNT |
0-11 CNT 12-31 - |
______________________ hw6 MISC Registers ______________________ |
0 MAX_BURST_4 1 MAX_BURST_8 2 MAX_BURST_16 |
0 ONE_IRAM_BANK 1 TWO_IRAM_BANKS 2 THREE_IRAM_BANKS 3 FOUR_IRAM_BANKS |
______________________ Xtensa CPU ______________________ |
set ITLB[(0..7)*20000000h] to values (1,2,2,2,2,2,2,2) set DTLB[(0..7)*20000000h] to values (1,2,2,2,2,2,2,2) |
| DSi Atheros Wifi - Internal I/O - 00C000h - Serial UART (hw2/hw4/hw6) |
LOCAL_SCRATCH[0].bit1 AR6K_OPTION_SERIAL_ENABLE --> TTY master enable targaddr[14h] hi_serial_enable --> enable additional TTY msg's during BMI targaddr[60h] hi_desired_baud_rate --> for TTY/UART (default=9600 decimal) targaddr[C4h] hi_console_flags - whatever, UART related, maybe newer firmware |
______________________ hw2 UART Registers ______________________ |
0-7 Data (with 16-byte FIFO) |
0-7 Data (with 16-byte FIFO) |
0 ERBFI Received Data Available Interrupt (0=Disable, 1=Enable) 1 ETBEI Transmitter Holding Register Empty Interrupt (0=Disable, 1=Enable) 2 ELSI Receiver Line Status Interrupt (0=Disable, 1=Enable) 3 EDDSI Modem Status Interrupt (0=Disable, 1=Enable) 4-7 - Not used (always zero) |
0-7 Divisor Latch LSB/MSB, should be set to "divisor = XIN / (baudrate*16)" |
0 Interrupt Pending Flag (0=Pending, 1=None) ;\IID 1-3 Interrupt ID, 3bit (0..7=see below) (always 00h when Bit0=1) ;/ 4-5 Not used (always zero) 6 FIFOs Enabled (always zero in TL16C450 mode) ;\these bits have same 7 FIFOs Enabled (always zero in TL16C450 mode) ;/value as "FIFO Enable" |
ID Prio Expl. 00h 4 Handshaking inputs CTS,DSR,RI,DCD have changed (Ack: Read MSR) 01h 3 Transmitter Holding Register Empty (Ack: Write THR or Read IIR) 02h 2 RX FIFO has reached selected trigger level (Ack: Read RBR) 03h 1 RX Overrun/Parity/Framing Error, or Break Interrupt (Ack: Read LSR) 06h 2 RX FIFO non-empty & wasn't processed for longer time(Ack: Read RBRh) |
0 FIFO Enable (0=Disable, 1=Enable) (Enables access to FIFO related bits) 1 Receiver FIFO Reset (0=No Change, 1=Clear RX FIFO) (RCVR_FIFO_RST) 2 Transmitter FIFO Reset (0=No Change, 1=Clear TX FIFO) (XMIT_FIFO_RST) 3 DMA Mode Select (Mode for /RXRDY and /TXRDY) (0=Mode 0, 1=Mode 1) 4-5 Not used (should be zero) 6-7 Receiver FIFO Trigger (0..3 = 1,4,8,14 bytes) (RCVR_TRIG) |
0-1 Character Word Length (0..3 = 5,6,7,8 bits) (CLS) 2 Number of Stop Bits (0=1bit, 1=2bit; for 5bit chars: only 1.5bit) 3 Parity Enable (PEN) (0=None, 1=Enable Parity or 9th data bit) 4 Parity Type/9th Data bit (0=Odd, 1=Even) (EPS) 5 Unused in hw2? ;for TL16C550AN: Bit4-5 can be 2=Set9thBit, 3=Clear9thBit 6 Set Break (0=Normal, 1=Break, Force SOUT to Low) 7 Divisor Latch Access (0=Normal I/O, 1=Divisor Latch I/O) (DLAB) |
0 DTR Output Level for /DTR pin (Data Terminal Ready) (0=High, 1=Low) 1 RTS Output Level for /RTS pin (Request to Send) (0=High, 1=Low) 2 OUT1 Output Level for /OUT1 pin (General Purpose) (0=High, 1=Low) 3 OUT2 Output Level for /OUT2 pin (General Purpose) (0=High, 1=Low) 4/5? LOOP Loopback Mode (0=Normal, 1=Testmode, loopback TX to RX) 5-7 Not used (always zero) |
0 RX Data Ready (DR) (0=RX FIFO Empty, 1=RX Data Available) 1 RX Overrun Error (OE) (0=Okay, 1=Error) (RX when RX FIFO Full) 2 RX Parity Error (PE) (0=Okay, 1=Error) (RX parity bad) 3 RX Framing Error (FE) (0=Okay, 1=Error) (RX stop bit bad) 4 RX Break Interrupt (BI) (0=Normal, 1=Break) (RX line LOW for long time) 5 Transmitter Holding Register (THRE) (1=TX FIFO is empty) 6 Transmitter Empty (TEMT) (0=No, 1=Yes, TX FIFO and TX Shift both empty) 7 At least one Overrun/Parity/Framing Error in RX FIFO (0=No, 1=Yes/Error) |
0 DCTS Change flag for /CTS pin ;ClearToSend ;\change flags (0=none, 1 DDSR Change flag for /DSR pin ;DataSetReady ; 1=changed since last 2 TERI Change flag for /RI pin ;RingIndicator ; read) (automatically 3 DDCD Change flag for /DCD pin ;DataCarrierDetect ;/cleared after read) 4 CTS Input Level on /CTS pin ;ClearToSend ;\ 5 DSR Input Level on /DSR pin ;DataSetReady ; current levels 6 RI Input Level on /RI pin ;RingIndicator ; (inverted ?) 7 DCD Input Level on /DCD pin ;DataCarrierDetect ;/ |
0-7 General Purpose Storage (eg. read/write-able for UART chip detection) |
0-31 whatever... 32bit wide (unlike other UART registers) (?) (UART related?) |
______________________ hw4/hw6 UART Registers ______________________ |
WLAN_UART_BASE_ADDRESS = 0000C000h ;hw4/hw6 WLAN_DBG_UART_BASE_ADDRESS = 0000D000h ;hw4/hw6 WLAN_UART2_BASE_ADDRESS = 00054C00h ;hw6 |
0-7 TXRX_DATA 8 RX_CSR 9 TX_CSR |
0 PARITY_EVEN 1 PARITY_ENABLE 2 IFC_DCE 3 IFC_ENABLE 4 FLOW_INVERT 5 FLOW_ENABLE 6 DMA_ENABLE 7 RX_READY_ORIDE 8 TX_READY_ORIDE 9 SERIAL_TX_READY 10 RX_BREAK 11 TX_BREAK 12 HOST_INT 13 HOST_INT_ENABLE 14 TX_BUSY 15 RX_BUSY |
0-15 CLK_STEP 16-23 CLK_SCALE |
0 RX_VALID_INT 1 TX_READY_INT 2 RX_FRAMING_ERR_INT 3 RX_OFLOW_ERR_INT 4 TX_OFLOW_ERR_INT 5 RX_PARITY_ERR_INT 6 RX_BREAK_ON_INT 7 RX_BREAK_OFF_INT 8 RX_FULL_INT 9 TX_EMPTY_INT |
| DSi Atheros Wifi - Internal I/O - 00E000h - UMBOX Registers (hw4/hw6) |
0-8 DATA ... uh, twice[0..1], with 9bit each ? |
0 RX_FULL 1 RX_EMPTY 2 TX_FULL 3 TX_EMPTY |
0 RX_ORDER 1 RX_QUANTUM 2 TX_ORDER 3 TX_QUANTUM |
2-27 ADDRESS |
0 STOP 1 START 2 RESUME |
0-7 VALUE 8 ENABLE_SET |
0 RX_NOT_FULL 1 TX_NOT_EMPTY 2 RX_UNDERFLOW 3 TX_OVERFLOW 4 HCI_SYNC_ERROR 5 TX_DMA_COMPLETE 6 TX_DMA_EOM_COMPLETE 7 RX_DMA_COMPLETE 8 HCI_FRAMER_OVERFLOW 9 HCI_FRAMER_UNDERFLOW |
0-2 SEL |
0 INIT |
0-1 CONFIG_MODE 2 OVERFLOW 3 UNDERFLOW 4 SYNC_ERROR 5 ENABLE 6 CRC_OVERRIDE |
| DSi Atheros Wifi - Internal I/O - 010000h - Serial I2C/SPI (hw2/hw4/hw6) |
0-3 DIVIDER (probably transfer rate, should be 6 on DSi) 4 INACTIVE_CLK (whatever, should be 1 for I2C) 5 INACTIVE_DATA (whatever, should be 1 for I2C) 6 POS_DRIVE (whatever, should be zero for I2C) 7 POS_SAMPLE (whatever, should be 1 for I2C) 8-15 - 16 I2C (0=SPI, 1=I2C) 17 - 18 BIDIR_OD_DATA (whatever, should be 1 for I2C) 19 ERR_INT (whatever, enable or status?) |
0-3 TX_CNT Number of TX bytes (0..8) (should be 1..8 for I2C device) 4-7 RX_CNT Number of RX bytes (0..8) 8 START Write 1 to start transfer 9 DONE_INT Status (0=Busy, 1=Done/Okay) 10 DONE_ERR Status (1=Error) 11-13 BIT_CNT_IN_LAST_BYTE (0=Normal/8bit, 1..7=whatever) |
0-7 DATA0 1st TX byte (device number in case of I2C mode) 8-15 DATA1 2nd TX byte (if any) 16-23 DATA2 ... 24-31 DATA3 .. 32-39 DATA4 40-47 DATA5 48-55 DATA6 56-63 DATA7 |
0-7 DATA0 1st RX byte (if any) 8-15 DATA1 2nd RX byte (if any) 16-23 DATA2 ... 24-31 DATA3 .. 32-39 DATA4 40-47 DATA5 48-55 DATA6 56-63 DATA7 |
| DSi Atheros Wifi - Internal I/O - 014000h - GPIO 18/26/57 pin (hw2/hw4/hw6) |
0-17 hw2: DATA (for pin 0..17) 0-25 hw4: DATA (for pin 0..25) 0-63 hw6: DATA (for pin 0..56) (and bit57-63=unused or so?) |
0-17 hw2: DATA (for pin 0..17) 0-25 hw4: DATA (for pin 0..25) 0-63 hw6: DATA (for pin 0..56) (and bit57-63=unused or so?) |
0-17 hw2: DATA (for pin 0..17) 0-25 hw4: DATA (for pin 0..25) 0-63 hw6: DATA (for pin 0..56) (and bit57-63=unused or so?) |
0-17 hw2: INTERRUPT (for pin 0..17) 0-25 hw4: INTERRUPT (for pin 0..25) 0-63 hw6: INTERRUPT (for pin 0..56) (and bit57-63=unused or so?) |
______________________________ hw2 GPIO ports ______________________________ |
0 SOURCE 1 - 2 PAD_DRIVER 3-6 - 7-9 INT_TYPE 10 WAKEUP_ENABLE 11-12 CONFIG |
______________________________ hw4 GPIO ports ______________________________ |
0 SOURCE 1 - 2 PAD_DRIVER 3-4 PAD_STRENGTH ;\pull/strength supported for PIN0..PIN22 only 5-6 PAD_PULL ;/(bit3-6 are unused in PIN23..PIN25 registers) 7-9 INT_TYPE 10 WAKEUP_ENABLE 11-13 CONFIG |
______________________________ hw6 GPIO ports ______________________________ |
0 SOURCE 1 - 2 PAD_DRIVER 3-4 PAD_STRENGTH 5-6 PAD_PULL 7-9 INT_TYPE 10 WAKEUP_ENABLE 11-14 CONFIG |
_____________________________ hw2/hw4/hw6 stuff _____________________________ |
0-7 TARGET 8-15 PRESCALAR ;uh, scalar? 16 ENABLE |
0 ENABLE ;-hw2/hw4/hw6 1 hw2: OBS_OE_L ;-hw2 only (bit1 removed in hw4/hw6) |
0-3 SRC ;-hw2/hw4/hw6 4-5 hw4/hw6: SHIFT ;-hw4/hw6 |
0-17 DATA (whatever) (always 18bit, no matter if GPIO with 18,25,57 pins) |
0-7 PIN_RESET_TUPLE 8-11 TEST_RESET_TUPLE |
_______________________________ hw4/hw6 stuff _______________________________ |
0 PINS_EN |
0 TOGGLE |
0-22 hw4: STATUS (23bit) ;maybe for pin 0..22 (but not pin 23-25 ?) 0-11 hw6: STATUS (12bit) ;maybe for pin 0..57 (with below "CORE_BOOTSTRAP") 12 hw6: CPU_MBIST_EN |
0-31 hw6: STATUS (32bit) (extra bits, expanding STATUS in "WL_BOOTSTRAP"?) |
0-12 hw6: STATUS (13bit) (extra bits, expanding STATUS in "WL_BOOTSTRAP"?) |
0-4 hw4: ENABLE (5bit) ;\ 5-9 hw4: VALUE (5bit) ; hw4 "ANTENNA_SLEEP_CONTROL" 10-14 hw4: OVERRIDE (5bit) ;/ 0-3 hw6: ENABLE (4bit) ;\ 4-7 hw6: VALUE (4bit) ; 8-11 hw6: OVERRIDE (4bit) ; 12-13 hw6: LED_SEL (2bit) ; hw6 "ANTENNA_CONTROL" 14 hw6: SPI_MODE ; 15 hw6: SPI_CS ; 16 hw6: RX_CLEAR ;/ |
_________________________________ hw6 stuff _________________________________ |
0-4 SEL |
0 DONE 1 GLOBAL_FAIL 2-10 BLOCK_FAIL |
_________________________________ hw4 stuff _________________________________ |
0-21 OE_L 22 GPIO_MODE |
0 hw4: BT_CLK_OUT_EN 1 hw4: BT_CLK_REQ_EN 2 hw4: CLK_REQ_OUT_EN |
____________________________ hw2 GPIO PIN config ____________________________ |
0-1 hw2: PAD_PULL |
0-1 hw2: PAD_STRENGTH 2-3 hw2: PAD_PULL |
0-1 hw2: PAD_STRENGTH 2-3 hw2: PAD_PULL 4 hw2: ATE_OE_L |
_______________________________ hw2 LA stuff _______________________________ |
0 hw2: TRIGGERED 1 hw2: RUN |
0-7 hw2: DIV |
0 hw2: INTERRUPT |
0-15 hw2: COUNT |
0-15 hw2: VALUE |
0-15 hw2: COUNT |
0 hw2: DELTA |
0-17 hw2: MATCH ... maybe related to GPIO_PIN0..17 ? |
0-2 hw2: EVENT |
0 hw2: EMPTY 1 hw2: FULL |
0-17 hw2: DATA |
| DSi Atheros Wifi - Internal I/O - 018000h - MBOX Registers (hw2/hw4/hw6) |
GMBOX registers exist in hw4/hw6 only STE_MODE register exists in hw6 only WLAN_MBOX_INT_xxx bit18,19 exist in hw6 only |
___________________________ Manual MBOX Transfer ___________________________ |
0-7 DATA: DATABYTE 8-11 DATA: zero? 12-15 DATA: zero? maybe copy of MBOX_FIFO_STATUS bit12-15 ? (FULL) 16-19 DATA: looks like copy of MBOX_FIFO_STATUS bit16-19 ? (EMPTY) 20-31 - |
0 DATA ... uh 4x1bit ? for MBOX0..3 ? 1-31 - |
0 DATA ... uh 4x1bit ? for MBOX0..3 ? 1-31 - |
____________________________ DMA MBOX Transfer ____________________________ |
0 RX_ORDER 1 RX_QUANTUM 2 TX_ORDER 3 TX_QUANTUM 4-31 - |
0-1 - 2-27 ADDRESS 28-31 - |
0 STOP 1 START 2 RESUME 3-31 - |
__________________________________ Status __________________________________ |
0-11 - 12-15 FULL flags for MBOX 0..3 16-19 EMPTY flags for MBOX 0..3 20-31 - |
0-7 HOST Interrupt 0..7 from Host ;SDIO 1:00472h.bit0..7 8-11 RX_NOT_FULL MBOX0..3 RX FIFO Not Full 12-15 TX_NOT_EMPTY MBOX0..3 TX FIFO Not Empty 16 RX_UNDERFLOW MBOX RX Underflow (tried to read from empty fifo) 17 TX_OVERFLOW MBOX TX Overflow (tried to write to full fifo) 18 hw6: FRAME_DONE ;\hw6.0 only 19 hw6: NO_RX_MBOX_DATA_AVA ;/ 20-23 TX_DMA_COMPLETE MBOX0..3 TX DMA Complete 24-27 TX_DMA_EOM_COMPLETE MBOX0..3 TX DMA Complete .. End of message? 28-31 RX_DMA_COMPLETE MBOX0..3 RX DMA Complete |
0 RX_NOT_FULL 1 TX_NOT_EMPTY 2 TX_DMA_COMPLETE 3 TX_DMA_EOM_COMPLETE 4 RX_DMA_COMPLETE 5 RX_UNDERFLOW 6 TX_OVERFLOW 7-31 - |
______________________________ SDIO Handshake ______________________________ |
0-7 VECTOR Interrupt 0..7 to Host ;SDIO 1:00401h.bit0..7 8-31 - |
0-7 VALUE (credit counter) ;SDIO 1:00420h..00427h 8-31 - |
0-7 VALUE (scratch) ;SDIO 1:00460h..00467h 8-31 - |
0 PIN_INIT ;whatever, maybe PCI bus related (non-SDIO) ? 1-31 - |
0 CCCR_IOR1 ;SDIO Func I/O Ready bit1 ? ;SDIO 0:00002h.bit1 1-31 - |
0-7 DATA ;SDIO 1:00000h..007FFh 8-31 - |
___________________________________ Misc ___________________________________ |
0-2 SEL 3-31 - |
0 INIT 1-31 - |
0-3 SEL 4-31 - |
0 SEL 1-2 PHA_POL 3 SEL_16BIT 4 SWAP 5 RST 6 SPI_CTRL_EN |
| DSi Atheros Wifi - Internal I/O - 01C000h - Analog Intf (hw2) |
0 MONITOR_SYNTHLOCKVCOK 1 MONITOR_VC2LOW 2 MONITOR_VC2HIGH 3 MONITOR_FB_DIV2 4 MONITOR_REF 5 MONITOR_FB 6 PWUP_LOBUF5G_PD 7 PWUP_LOMIX_PD 8 PWUP_LODIV_PD 9 PWUP_VCOBUF_PD 10-12 SEL_VCMONABUS 13 CON_IVCOBUF 14 CON_IVCOREG 15 CON_VDDVCOREG 16 SPARE_PWD 17 SLIDINGIF 18-19 VCOREGBIAS 20-21 VCOREGLEVEL 22 VCOREGBYPASS 23 PWD_LOBUF5G 24 FORCE_LO_ON 25 PWD_LOMIX 26 PWD_LODIV 27 PWD_PRESC 28 PWD_VCO 29 PWD_VCMON 30 PWD_CP 31 PWD_BIAS |
0-2 SPARE_BITS 3-4 LOOP_CS 5-9 LOOP_RS 10-14 LOOP_CP 15-19 LOOP_3RD_ORDER_R 20-22 VC_LOW_REF 23-25 VC_MID_REF 26-28 VC_HI_REF 29-31 VC_CAL_REF |
0-5 WAIT_VC_CHECK 6-11 WAIT_CAL_LIN 12-17 WAIT_CAL_BIN 18-23 WAIT_PWRUP 24-29 WAIT_SHORTR_PWRUP 30 SEL_CLK_DIV2 31 DIS_CLK_XTAL |
0 FORCE_SHIFTREG 1 LONGSHIFTSEL 2-3 SPARE_MISC 4 SEL_CLKXTAL_EDGE 5 PSCOUNT_FBSEL 6-7 SDM_DITHER 8 SDM_MODE 9 SDM_DISABLE 10 RESET_PRESC 11-12 PRESCSEL 13 PFD_DISABLE 14 PFDDELAY 15-16 REFDIVSEL 17 VCOCAPPULLUP 18-25 VCOCAP_OVR 26 FORCE_VCOCAP 27 FORCE_PINVC 28 SHORTR_UNTIL_LOCKED 29 ALWAYS_SHORTR 30 DIS_LOSTVC 31 DIS_LIN_CAPSEARCH |
0-1 SPARE 2-3 LOBUF5GTUNE_OVR 4 FORCE_LOBUF5GTUNE 5-8 CAPRANGE3 9-12 CAPRANGE2 13-16 CAPRANGE1 17-20 LOOPLEAKCUR 21 CPLOWLK 22 CPSTEERING_EN 23-24 CPBIAS 25-27 SLOPE_IP 28-31 LOOP_IP0 |
0-2 SPARE_BIAS 3-4 VCOBUFBIAS 5-7 ICVCO 8-10 ICSPAREB 11-13 ICSPAREA 14-16 ICLOMIX 17-19 ICLODIV 20-22 ICPRESC 23-25 IRSPARE 26-28 IRVCMON 29-31 IRCP |
0-2 SPARE_READ 3-4 LOBUF5GTUNE 5-8 LOOP_IP 9 VC2LOW 10 VC2HIGH 11 RESET_SDM_B 12 RESET_PSCOUNTERS 13 RESET_PFD 14 RESET_RFD 15 SHORT_R 16-23 VCO_CAP_ST 24 PIN_VC 25 SYNTH_LOCK_VC_OK 26 CAP_SEARCH 27-30 SYNTH_SM_STATE 31 SYNTH_ON |
0 FORCE_FRACLSB 1-17 CHANFRAC 18-26 CHANSEL 27 SPARE 28-29 AMODEREFSEL 30 FRACMODE 31 LOADSYNTHCHANNEL |
0-1 SPARE 2 REGLO_BYPASS5 3 LO5CONTROL 4-6 LO5_ATB_SEL 7 PDREGLO5 8 PDLO5AGC 9 PDQBUF5 10 PDLO5MIX 11 PDLO5DIV 12-14 TX5_ATB_SEL 15-17 OB5 18-20 DB5 21-23 PWDTXPKD 24-26 TUNE_PADRV5 27 PDPAOUT5 28 PDPADRV5 29 PDTXBUF5 30 PDTXMIX5 31 PDTXLO5 |
0-1 SPARE 2-4 TUNE_LO 5 ENABLE_PCA 6-7 LNA5_ATTENMODE 8 REGFE_BYPASS5 9-11 BVGM5 12-14 BCSLNA5 15-17 BRFVGA5 18-20 TUNE_RFVGA5 21 PDREGFE5 22 PDRFVGA5 23 PDCSLNA5 24 PDVGM5 25 PDCMOSLO5 26-28 RX5_ATB_SEL 29-31 AGCLO_B |
0-4 SPARE 5 SHORTLNA2 6 LOCONTROL 7 SELLNA 8-10 RF_ATB_SEL 11-13 FE_ATB_SEL 14-16 OB 17-19 DB 20-22 BLNA2 23-25 BLNA1BUF 26-28 BLNA1F 29-31 BLNA1 |
0-16 SPARE 17 ENABLE_PCB 18 REGLO_BYPASS 19 REGLNA_BYPASS 20 PDTXMIX 21 PDTXLO 22 PDRXLO 23 PDRFGM 24 PDREGLO 25 PDREGLNA 26 PDPAOUT 27 PDPADRV 28 PDDIV 29 PDCSLNA 30 PDCGLNABUF 31 PDCGLNA |
0 SPARE 1-2 RX6DBHIQGAIN 3-5 RX1DBLOQGAIN 6-7 RX6DBLOQGAIN 8-10 RFGMGN 11-12 RFVGA5GAIN 13-16 LNAGAIN 17 LNAON 18-20 PAOUT2GN 21-23 PADRVGN 24 PABUF5GN 25-26 TXV2IGAIN 27-29 TX1DBLOQGAIN 30-31 TX6DBLOQGAIN |
0 FORCE_XPAON 1 INT2GND 2 PAD2GND 3 INTH2PAD 4 INT2PAD 5-7 REVID 8-9 DATAOUTSEL 10 PDBIAS 11 SYNTHON_FORCE 12 SCLKEN_FORCE 13 OSCON 14 PWDCLKIN 15 LOCALXTAL 16 PWDDAC 17 PWDADC 18 PWDPLL 19 LOCALADDAC 20 CALTX 21 PAON 22 TXON 23 RXON 24 SYNTHON 25 BMODE 26 CAL_RESIDUE 27 CALDC 28 CALFC 29 LOCALMODE 30 LOCALRXGAIN 31 LOCALTXGAIN |
0 PWD_ICLDO25 1-3 PWD_ICTXPC25 4-6 PWD_ICTSENS25 7-9 PWD_ICXTAL25 10-12 PWD_ICCOMPBIAS25 13 PWD_ICCPLL25 14 PWD_ICREFOPAMPBIAS25 15 PWD_IRREFMASTERBIAS12P5 16 PWD_IRDACREGREF12P5 17-19 PWD_ICREFBUFBIAS12P5 20 SPARE 21-24 SEL_SPARE 25-30 SEL_BIAS 31 PADON |
0-1 SPARE 2-4 PWD_IC5GMIXQ25 5-7 PWD_IC5GQB25 8-10 PWD_IC5GTXBUF25 11-13 PWD_IC5GTXPA25 14 PWD_IC5GRXRF25 15 PWD_ICDETECTORA25 16 PWD_ICDETECTORB25 17-19 PWD_IC2GLNAREG25 20-22 PWD_IC2GLOREG25 23-25 PWD_IC2GRFFE25 26-28 PWD_IC2GVGM25 29-31 PWD_ICDAC2BB25 |
0-2 PWD_IR5GRFVREF2525 3-5 PWD_IR2GLNAREG25 6-8 PWD_IR2GLOREG25 9-11 PWD_IR2GTXMIX25 12 PWD_IRLDO25 13-15 PWD_IRTXPC25 16-18 PWD_IRTSENS25 19-21 PWD_IRXTAL25 22 PWD_IRPLL25 23-25 PWD_IC5GLOREG25 26-28 PWD_IC5GDIV25 29-31 PWD_IC5GMIXI25 |
0 SPARE 1-3 PWD_ICDACREG12P5 4-6 PWD_IR25SPARE2 7-9 PWD_IR25SPARE1 10-12 PWD_IC25SPARE2 13-15 PWD_IC25SPARE1 16 PWD_IRBB50 17 PWD_IRSYNTH50 18-20 PWD_IC2GDIV50 21 PWD_ICBB50 22 PWD_ICSYNTH50 23-25 PWD_ICDAC50 26-28 PWD_IR5GAGC25 29-31 PWD_IR5GTXMIX25 |
0-1 ATBSEL 2 SELCOUNT 3-4 SELINIT 5 ON1STSYNTHON 6-13 N 14-15 TSMODE 16 SELCMOUT 17 SELMODREF 18 CLKDELAY 19 NEGOUT 20 CURHALF 21 TESTPWDPC 22-27 TESTDAC 28-29 TESTGAIN 30 TEST 31 SELINTPD |
0-5 SPARE 6-7 XTALDIV 8-17 DECOUT 18-20 SPARE_A 21 SELTSN 22 SELTSP 23 LOCALBIAS2X 24 LOCALBIAS 25 PWDXINPAD 26 PWDCLKIND 27 NOTCXODET 28 LDO_TEST_MODE 29-30 LEVEL 31 FLIPBMODE |
0 PDHIQ 1 PDLOQ 2 PDOFFSETI2V 3 PDOFFSETHIQ 4 PDOFFSETLOQ 5 PDRXTXBB 6 PDI2V 7 PDV2I 8 PDDACINTERFACE 6-16 SEL_ATB 17-18 FNOTCH 19-31 SPARE |
0 PATH_OVERRIDE 1 PATH1LOQ_EN 2 PATH2LOQ_EN 3 PATH3LOQ_EN 4 PATH1HIQ_EN 5 PATH2HIQ_EN 6 FILTERDOUBLEBW 7 LOCALFILTERTUNING 8-12 FILTERFC 13-14 CMSEL 15 SEL_I2V_TEST 16 SEL_HIQ_TEST 17 SEL_LOQ_TEST 18 SEL_DAC_TEST 19 SELBUFFER 20 SHORTBUFFER 21-22 SPARE 23-25 IBN_37P5_OSI2V_CTRL 26-28 IBN_37P5_OSLO_CTRL 29-31 IBN_37P5_OSHI_CTRL |
0-2 IBN_100U_TEST_CTRL 3-5 IBRN_12P5_CM_CTRL 6-8 IBN_25U_LO2_CTRL 9-11 IBN_25U_LO1_CTRL 12-14 IBN_25U_HI2_CTRL 15-17 IBN_25U_HI1_CTRL 18-20 IBN_25U_I2V_CTRL 21-23 IBN_25U_BKV2I_CTRL 24-26 IBN_25U_CM_BUFAMP_CTRL 27-31 SPARE |
0-4 OFSTCORRI2VQ 5-9 OFSTCORRI2VI 10-14 OFSTCORRLOQ 15-19 OFSTCORRLOI 20-24 OFSTCORRHIQ 25-29 OFSTCORRHII 30 LOCALOFFSET 31 SPARE |
0-5 SPARE 6 DISABLE_DAC_REG 7-8 CM_SEL 9 INV_CLK160_ADC 10 SELMANPWDS 11 FORCEMSBLOW 12 PWDDAC 13 PWDADC 14 PWDPLL 15-22 PLL_FILTER 23-25 PLL_ICP 26-27 PLL_ATB 28-30 PLL_SCLAMP 31 PLL_SVREG |
0 ENABLE 1 SUPDATE_DELAY |
0 SIN |
0 SW_SCLK |
0 SW_SOUT 1 SW_SUPDATE 2 SW_SCAPTURE |
| DSi Atheros Wifi - Internal I/O - 01C000h - Analog Intf (hw4/hw6) |
0001C050h one new bit in hw6.0 0001C148h several new bits in hw6.0 0001C740h added/removed/renumbered bits in hw6.0 0001C744h two changed/renamed bits in hw6.0 |
0 SPARE 1-3 PWD_IR25SPARE 4-6 PWD_IR25LO18 7-9 PWD_IC25LO36 10-12 PWD_IC25MXR2_5GH 13-15 PWD_IC25MXR5GH 16-18 PWD_IC25VGA5G 19-21 PWD_IC75LNA5G 22-24 PWD_IR25LO24 25-27 PWD_IC25MXR2GH 28-30 PWD_IC75LNA2G 31 PWD_BIAS |
0 SPARE 1-3 PKEN 4-6 VCMVALUE 7 PWD_VCMBUF 8-10 PWD_IR25SPAREH 11-13 PWD_IR25SPARE 14-16 PWD_IC25LNABUF 17-19 PWD_IR25AGCH 20-22 PWD_IR25AGC 23-25 PWD_IC25AGC 26-28 PWD_IC25VCMBUF 29-31 PWD_IR25VCM |
0 SPARE 1 LNAON_CALDC 2-3 VGA5G_CAP 4-5 LNA5G_CAP 6 LNA5G_SHORTINP 7 PWD_LO5G 8 PWD_VGA5G 9 PWD_MXR5G 10 PWD_LNA5G 11-12 LNA2G_CAP 13 LNA2G_SHORTINP 14 LNA2G_LP 15 PWD_LO2G 16 PWD_MXR2G 17 PWD_LNA2G 18-19 MXR5G_GAIN_OVR 20-22 VGA5G_GAIN_OVR 23-25 LNA5G_GAIN_OVR 26-27 MXR2G_GAIN_OVR 28-30 LNA2G_GAIN_OVR 31 RX_OVERRIDE |
0 RF5G_ON_DURING_CALPA 1 RF2G_ON_DURING_CALPA 2 AGC_OUT (R) 3 LNABUFGAIN2X 4 LNABUF_PWD_OVR 5 PWD_LNABUF 6-8 AGC_FALL_CTRL 9-14 AGC5G_CALDAC_OVR 15-18 AGC5G_DBDAC_OVR 19-24 AGC2G_CALDAC_OVR 25-28 AGC2G_DBDAC_OVR 29 AGC_CAL_OVR 30 AGC_ON_OVR 31 AGC_OVERRIDE |
0 PDLOBUF5G 1 PDLODIV5G 2 LOBUF5GFORCED 3 LODIV5GFORCED 4-7 PADRV2GN5G 8-11 PADRV3GN5G 12-15 PADRV4GN5G 16 LOCALTXGAIN5G 17 PDOUT2G 18 PDDR2G 19 PDMXR2G 20 PDLOBUF2G 21 PDLODIV2G 22 LOBUF2GFORCED 23 LODIV2GFORCED 24-30 PADRVGN2G 31 LOCALTXGAIN2G |
0-2 D3B5G 3-5 D4B5G 6-8 OCAS2G 9-11 DCAS2G 12-14 OB2G_PALOFF 15-17 OB2G_QAM 18-20 OB2G_PSK 21-23 OB2G_CCK 24-26 DB2G 27-30 PDOUT5G 31 PDMXR5G |
0-1 FILTR2G 2 PWDFB2_2G 3 PWDFB1_2G 4 PDFB2G 5-6 RDIV5G 7-9 CAPDIV5G 10 PDPREDIST5G 11-12 RDIV2G 13 PDPREDIST2G 14-16 OCAS5G 17-19 D2CAS5G 20-22 D3CAS5G 23-25 D4CAS5G 26-28 OB5G 29-31 D2B5G |
0-1 PK1B2G_CCK 2-4 MIOB2G_QAM 5-7 MIOB2G_PSK 8-10 MIOB2G_CCK 11-13 COMP2G_QAM 14-16 COMP2G_PSK 17-19 COMP2G_CCK 20-22 AMP2B2G_QAM 23-25 AMP2B2G_PSK 26-28 AMP2B2G_CCK 29-31 AMP2CAS2G |
0 hw4: SPARE5 0 hw6: TXMODPALONLY ;-hw6.0 only 1 PAL_LOCKED (R) 2 FBHI2G (R) 3 FBLO2G (R) 4 NOPALGAIN2G 5 ENPACAL2G 6-12 OFFSET2G 13 ENOFFSETCAL2G 14-16 REFHI2G 17-19 REFLO2G 20-21 PALCLAMP2G 22-23 PK2B2G_QAM 24-25 PK2B2G_PSK 26-27 PK2B2G_CCK 28-29 PK1B2G_QAM 30-31 PK1B2G_PSK |
0 PALCLKGATE2G 1-8 PALFLUCTCOUNT2G 9-10 PALFLUCTGAIN2G 11 PALNOFLUCT2G 12-14 GAINSTEP2G 15 USE_GAIN_DELTA2G 16-19 CAPDIV_I2G 20-23 PADRVGN_INDEX_I2G 24-26 VCMONDELAY2G 27-30 CAPDIV2G 31 CAPDIV2GOVR |
0-1 SPARE7 2-7 PADRVGNTAB_4 8-13 PADRVGNTAB_3 14-19 PADRVGNTAB_2 20-25 PADRVGNTAB_1 26-31 PADRVGNTAB_0 |
0-1 SPARE8 2-7 PADRVGNTAB_9 8-13 PADRVGNTAB_8 14-19 PADRVGNTAB_7 20-25 PADRVGNTAB_6 26-31 PADRVGNTAB_5 |
0-1 SPARE9 2-7 PADRVGNTAB_14 8-13 PADRVGNTAB_13 14-19 PADRVGNTAB_12 20-25 PADRVGNTAB_11 26-31 PADRVGNTAB_10 |
0-2 SPARE10 3 PDOUT5G_3CALTX 4-6 D3B5GCALTX 7-9 D4B5GCALTX 10-16 PADRVGN2GCALTX 17-19 DB2GCALTX 20 CALTXSHIFT 21 CALTXSHIFTOVR 22-27 PADRVGN2G_SMOUT (R) 28-31 PADRVGN_INDEX2G_SMOUT (R) |
0-1 SPARE11 2-4 PWD_IR25MIXDIV5G 5-7 PWD_IR25PA2G 8-10 PWD_IR25MIXBIAS2G 11-13 PWD_IR25MIXDIV2G 14-16 PWD_ICSPARE 17-19 PWD_IC25TEMPSEN 20-22 PWD_IC25PA5G2 23-25 PWD_IC25PA5G1 26-28 PWD_IC25MIXBUF5G 29-31 PWD_IC25PA2G |
0-7 SPARE12_2 (R) 8-9 SPARE12_1 10-13 ATBSEL5G 14-16 ATBSEL2G 17-19 PWD_IRSPARE 20-22 PWD_IR25TEMPSEN 23-25 PWD_IR25PA5G2 26-28 PWD_IR25PA5G1 29-31 PWD_IR25MIXBIAS5G |
0-2 SEL_VCMONABUS 3-5 SEL_VCOABUS 6 MONITOR_SYNTHLOCKVCOK 7 MONITOR_VC2LOW 8 MONITOR_VC2HIGH 9 MONITOR_FB_DIV2 10 MONITOR_REF 11 MONITOR_FB 12 SEVENBITVCOCAP 13-15 PWUP_PD 16 PWD_VCOBUF 17-18 VCOBUFGAIN 19-20 VCOREGLEVEL 21 VCOREGBYPASS 22 PWUP_LOREF 23 PWD_LOMIX 24 PWD_LODIV 25 PWD_LOBUF5G 26 PWD_LOBUF2G 27 PWD_PRESC 28 PWD_VCO 29 PWD_VCMON 30 PWD_CP 31 PWD_BIAS |
0-3 CAPRANGE3 4-7 CAPRANGE2 8-11 CAPRANGE1 12-15 LOOPLEAKCUR_INTN 16 CPLOWLK_INTN 17 CPSTEERING_EN_INTN 18-19 CPBIAS_INTN 20-22 VC_LOW_REF 23-25 VC_MID_REF 26-28 VC_HI_REF 29-31 VC_CAL_REF |
0-5 WAIT_VC_CHECK 6-11 WAIT_CAL_LIN 12-17 WAIT_CAL_BIN 18-23 WAIT_PWRUP 24-29 WAIT_SHORTR_PWRUP 30 SEL_CLK_DIV2 31 DIS_CLK_XTAL |
0 PS_SINGLE_PULSE 1 LONGSHIFTSEL 2-3 LOBUF5GTUNE_OVR 4 FORCE_LOBUF5GTUNE 5 PSCOUNT_FBSEL 6-7 SDM_DITHER1 8 SDM_MODE 9 SDM_DISABLE 10 RESET_PRESC 11-12 PRESCSEL 13 PFD_DISABLE 14 PFDDELAY_FRACN 15 FORCE_LO_ON 16 CLKXTAL_EDGE_SEL 17 VCOCAPPULLUP 18-25 VCOCAP_OVR 26 FORCE_VCOCAP 27 FORCE_PINVC 28 SHORTR_UNTIL_LOCKED 29 ALWAYS_SHORTR 30 DIS_LOSTVC 31 DIS_LIN_CAPSEARCH |
0-1 VCOBIAS 2-4 PWDB_ICLOBUF5G50 5-7 PWDB_ICLOBUF2G50 8-10 PWDB_ICVCO25 11-13 PWDB_ICVCOREG25 14 PWDB_IRVCOREG50 15-17 PWDB_ICLOMIX 18-20 PWDB_ICLODIV50 21-23 PWDB_ICPRESC50 24-26 PWDB_IRVCMON25 27-29 PWDB_IRPFDCP 30-31 SDM_DITHER2 |
0-1 LOBUF5GTUNE (R) 2-8 LOOP_IP (R) 9 VC2LOW (R) 10 VC2HIGH (R) 11 RESET_SDM_B (R) 12 RESET_PSCOUNTERS (R) 13 RESET_PFD (R) 14 RESET_RFD (R) 15 SHORT_R (R) 16-23 VCO_CAP_ST (R) 24 PIN_VC (R) 25 SYNTH_LOCK_VC_OK (R) 26 CAP_SEARCH (R) 27-30 SYNTH_SM_STATE (R) 31 SYNTH_ON (R) |
0 OVRCHANDECODER 1 FORCE_FRACLSB 2-18 CHANFRAC 19-27 CHANSEL 28-29 AMODEREFSEL 30 FRACMODE 31 LOADSYNTHCHANNEL |
0 CPSTEERING_EN_FRACN 1-7 LOOP_ICPB 8-11 LOOP_CSB 12-16 LOOP_RSB 17-21 LOOP_CPB 22-26 LOOP_3RD_ORDER_RB 27-31 REFDIVB |
0 PFDDELAY_INTN 1-3 SLOPE_ICPA0 4-7 LOOP_ICPA0 8-11 LOOP_CSA0 12-16 LOOP_RSA0 17-21 LOOP_CPA0 22-26 LOOP_3RD_ORDER_RA 27-31 REFDIVA |
0-1 SPARE10A 2-4 PWDB_ICLOBIAS50 5-7 PWDB_IRSPARE25 8-10 PWDB_ICSPARE25 11-13 SLOPE_ICPA1 14-17 LOOP_ICPA1 18-21 LOOP_CSA1 22-26 LOOP_RSA1 27-31 LOOP_CPA1 |
0-4 SPARE11A 5 FORCE_LOBUF5G_ON 6-7 LOREFSEL 8-9 LOBUF2GTUNE 10 CPSTEERING_MODE 11-13 SLOPE_ICPA2 14-17 LOOP_ICPA2 18-21 LOOP_CSA2 22-26 LOOP_RSA2 27-31 LOOP_CPA2 |
0-9 SPARE12A 10-13 LOOPLEAKCUR_FRACN 14 CPLOWLK_FRACN 15-16 CPBIAS_FRACN 17 SYNTHDIGOUTEN 18 STRCONT 19-22 VREFMUL3 23-26 VREFMUL2 27-30 VREFMUL1 31 CLK_DOUBLER_EN |
0 SPARE13A 1-3 SLOPE_ICPA_FRACN 4-7 LOOP_ICPA_FRACN 8-11 LOOP_CSA_FRACN 12-16 LOOP_RSA_FRACN 17-21 LOOP_CPA_FRACN 22-26 LOOP_3RD_ORDER_RA_FRACN 27-31 REFDIVA_FRACN |
0-1 SPARE14A 2-3 LOBUF5GTUNE_3 4-5 LOBUF2GTUNE_3 6-7 LOBUF5GTUNE_2 8-9 LOBUF2GTUNE_2 10 PWD_LOBUF5G_3 11 PWD_LOBUF2G_3 12 PWD_LOBUF5G_2 13 PWD_LOBUF2G_2 14-16 PWUPLO23_PD 17-19 PWDB_ICLOBUF5G50_3 20-22 PWDB_ICLOBUF2G50_3 23-25 PWDB_ICLOBUF5G50_2 26-28 PWDB_ICLOBUF2G50_2 29-31 PWDB_ICLVLSHFT |
0-6 SPARE1 7-9 PWD_IC25V2IQ 10-12 PWD_IC25V2II 13-15 PWD_IC25BB 16-18 PWD_IC25DAC 19-21 PWD_IC25FIR 22-24 PWD_IC25ADC 25-31 BIAS_SEL |
0-4 SPARE2 5-7 PWD_IC25XPA 8-10 PWD_IC25XTAL 11-13 PWD_IC25TXRF 14-16 PWD_IC25RXRF 17-19 PWD_IC25SYNTH 20-22 PWD_IC25PLLREG 23-25 PWD_IC25PLLCP2 26-28 PWD_IC25PLLCP 29-31 PWD_IC25PLLGM |
0-1 SPARE3 2-4 PWD_IR25SAR 5-7 PWD_IR25TXRF 8-10 PWD_IR25RXRF 11-13 PWD_IR25SYNTH 14-16 PWD_IR25PLLREG 17-19 PWD_IR25BB 20-22 PWD_IR50DAC 23-25 PWD_IR25DAC 26-28 PWD_IR25FIR 29-31 PWD_IR50ADC |
0-10 SPARE4 11-13 PWD_IR25SPARED 14-16 PWD_IR25SPAREC 17-19 PWD_IR25SPAREB 20-22 PWD_IR25XPA 23-25 PWD_IC25SPAREC 26-28 PWD_IC25SPAREB 29-31 PWD_IC25SPAREA |
0 SCFIR_GAIN 1 MANRXGAIN 2-5 AGC_DBDAC 6 OVR_AGC_DBDAC 7 ENABLE_PAL 8 ENABLE_PAL_OVR 9-11 TX1DB_BIQUAD 12-13 TX6DB_BIQUAD 14 PADRVHALFGN2G 15-18 PADRV2GN 19-22 PADRV3GN5G 23-26 PADRV4GN5G 27-30 TXBB_GC 31 MANTXGAIN |
0 BMODE 1 BMODE_OVR 2 SYNTHON 3 SYNTHON_OVR 4-5 BW_ST 6 BW_ST_OVR 7 TXON 8 TXON_OVR 9 PAON 10 PAON_OVR 11 RXON 12 RXON_OVR 13 AGCON 14 AGCON_OVR 15-17 TXMOD 18 TXMOD_OVR 19-21 RX1DB_BIQUAD 22-23 RX6DB_BIQUAD 24-25 MXRGAIN 26-28 VGAGAIN 29-31 LNAGAIN |
0-2 SPARE3 3 SPURON 4 PAL_LOCKEDEN 5 DACFULLSCALE 6 ADCSHORT 7 DACPWD 8 DACPWD_OVR 9 ADCPWD 10 ADCPWD_OVR 11-16 AGC_CALDAC 17 AGC_CAL 18 AGC_CAL_OVR 19 LOFORCEDON 20 CALRESIDUE 21 CALRESIDUE_OVR 22 CALFC 23 CALFC_OVR 24 CALTX 25 CALTX_OVR 26 CALTXSHIFT 27 CALTXSHIFT_OVR 28 CALPA 29 CALPA_OVR 30 TURBOADC 31 TURBOADC_OVR |
0 I2V_CURR2X 1 ENABLE_LOQ 2 FORCE_LOQ 3 ENABLE_NOTCH 4 FORCE_NOTCH 5 ENABLE_BIQUAD 6 FORCE_BIQUAD 7 ENABLE_OSDAC 8 FORCE_OSDAC 9 ENABLE_V2I 10 FORCE_V2I 11 ENABLE_I2V 12 FORCE_I2V 13-15 CMSEL 16-17 ATBSEL 18 PD_OSDAC_CALTX_CALPA 19-23 OFSTCORRI2VQ 24-28 OFSTCORRI2VI 29 LOCALOFFSET 30-31 RANGE_OSDAC |
0-3 SPARE 4-7 MXR_HIGHGAINMASK 8-9 SEL_TEST 10-14 RCFILTER_CAP 15 OVERRIDE_RCFILTER_CAP 16-19 FNOTCH 20 OVERRIDE_FNOTCH 21-25 FILTERFC 26 OVERRIDE_FILTERFC 27 I2V2RXOUT_EN 28 BQ2RXOUT_EN 29 RXIN2I2V_EN 30 RXIN2BQ_EN 31 SWITCH_OVERRIDE |
0-7 SPARE 8-15 hw4: SPARE 8-9 hw6: SEL_OFST_READBK ;\ 10 hw6: OVERRIDE_RXONLY_FILTERFC ; hw6.0 only 11-15 hw6: RXONLY_FILTERFC ;/ 16-20 FILTERFC (R) 21-25 OFSTCORRI2VQ (R) 26-30 OFSTCORRI2VI (R) 31 EN_TXBBCONSTCUR |
0 PWD_PLLSDM 1 PWDPLL 2-16 PLLFRAC 17-20 REFDIV 21-30 DIV 31 LOCAL_PLL |
0-3 SPARE 4 DACPWD 5 ADCPWD 6 LOCAL_ADDAC 7-8 DAC_CLK_SEL 9-12 ADC_CLK_SEL 13 LOCAL_CLKMODA 14 PLLBYPASS 15 LOCAL_PLLBYPASS 16-17 PLLATB 18 PLL_SVREG 19 HI_FREQ_EN 20 RST_WARM_INT_L 21 RST_WARM_OVR 22-23 PLL_KVCO 24-26 PLLICP 27-31 PLLFILTER |
0-2 SPARE 3 PWDBIAS 4 FLIP_XPABIAS 5 XPAON2 6 XPAON5 7 XPASHORT2GND 8-11 XPABIASLVL 12 XPABIAS_EN 13 ATBSELECT 14 LOCAL_XPA 15 XPABIAS_BYPASS 16 TEST_PADQ_EN 17 TEST_PADI_EN 18 TESTIQ_RSEL 19 TESTIQ_BUFEN 20 PAD2GND 21 INTH2PAD 22 INTH2GND 23 INT2PAD 24 INT2GND 25 PWDPALCLK 26 INV_CLK320_ADC 27 FLIP_REFCLK40 28 FLIP_PLLCLK320 29 FLIP_PLLCLK160 30-31 CLK_SEL |
0-2 LOREG_LVL 3-5 RFREG_LVL 6 SAR_ADC_DONE (R) 7-14 SAR_ADC_OUT (R) 15-22 SAR_DACTEST_CODE 23 SAR_DACTEST_EN 24 SAR_ADCCAL_EN 25-26 THERMSEL 27 SAR_SLOW_EN 28 THERMSTART 29 SAR_AUTOPWD_EN 30 THERMON 31 LOCAL_THERM |
0-5 SPARE 6 XTAL_NOTCXODET 7 LOCALBIAS2X 8 LOCAL_XTAL 9 XTAL_PWDCLKIN 10 XTAL_OSCON 11 XTAL_PWDCLKD 12 XTAL_LOCALBIAS 13 XTAL_SHRTXIN 14-15 XTAL_DRVSTR 16-22 XTAL_CAPOUTDAC 23-29 XTAL_CAPINDAC 30 XTAL_BIAS2X 31 TCXODET (R) |
0 ATE_TONEGEN_DC_ENABLE 1 ATE_TONEGEN_TONE0_ENABLE 2 ATE_TONEGEN_TONE1_ENABLE 3 ATE_TONEGEN_LFTONE0_ENABLE 4 ATE_TONEGEN_LINRAMP_ENABLE_I 5 ATE_TONEGEN_LINRAMP_ENABLE_Q 6 ATE_TONEGEN_PRBS_ENABLE_I 7 ATE_TONEGEN_PRBS_ENABLE_Q 8 ATE_CMAC_DC_WRITE_TO_CANCEL 9 ATE_CMAC_DC_ENABLE 10 ATE_CMAC_CORR_ENABLE 11 ATE_CMAC_POWER_ENABLE 12 ATE_CMAC_IQ_ENABLE 13 ATE_CMAC_I2Q2_ENABLE 14 ATE_CMAC_POWER_HPF_ENABLE 15 ATE_RXDAC_CALIBRATE 16 ATE_RBIST_ENABLE 17 ATE_ADC_CLK_INVERT ;-newer revision only |
0-10 ATE_TONEGEN_DC_I 16-26 ATE_TONEGEN_DC_Q |
0-6 ATE_TONEGEN_TONE_FREQ 8-11 ATE_TONEGEN_TONE_A_EXP 16-23 ATE_TONEGEN_TONE_A_MAN 24-30 ATE_TONEGEN_TONE_TAU_K |
0-10 ATE_TONEGEN_LINRAMP_INIT 12-21 ATE_TONEGEN_LINRAMP_DWELL 24-29 ATE_TONEGEN_LINRAMP_STEP |
0-9 ATE_TONEGEN_PRBS_MAGNITUDE_I 16-25 ATE_TONEGEN_PRBS_MAGNITUDE_Q |
0-30 ATE_TONEGEN_PRBS_SEED |
0-30 ATE_TONEGEN_PRBS_SEED |
0-9 ATE_CMAC_DC_CANCEL_I 16-25 ATE_CMAC_DC_CANCEL_Q |
0-3 ATE_CMAC_DC_CYCLES |
0-4 ATE_CMAC_CORR_CYCLES 8-13 ATE_CMAC_CORR_FREQ |
0-3 ATE_CMAC_POWER_CYCLES |
0-3 ATE_CMAC_IQ_CYCLES |
0-3 ATE_CMAC_I2Q2_CYCLES |
0-3 ATE_CMAC_POWER_HPF_CYCLES 4-7 ATE_CMAC_POWER_HPF_WAIT |
0-1 ATE_RXDAC_MUX 4 ATE_RXDAC_HI_GAIN 8-13 ATE_RXDAC_CAL_WAIT 16-19 ATE_RXDAC_CAL_MEASURE_TIME |
0-4 ATE_RXDAC_I_HI 8-12 ATE_RXDAC_Q_HI 16-20 ATE_RXDAC_I_LOW 24-28 ATE_RXDAC_Q_LOW |
0-4 ATE_RXDAC_I_STATIC 8-12 ATE_RXDAC_Q_STATIC |
0-31 ATE_CMAC_RESULTS |
0-31 ATE_CMAC_RESULTS |
hw4 hw6 name 0-10 0-3 SPARE ;-unused 11 4 OTP_V25_PWD ;-OTP V25 12 5 PAREGON_MAN ;\PA REG - 6 PAREGON_OVERRIDE_EN ;/ 13 7 OTPREGON_MAN ;\OTP REG - 8 OTPREGON_OVERRIDE_EN ;/ 14 9 DREGON_MAN ;\DREG - 10 DREGON_OVERRIDE_EN ;/ 15 11 DISCONTMODEEN ;\DISCONT MODE - 12 SWREGDISCONT_OVERRIDE_EN ;/ 16 13 SWREGON_MAN ;\ - 14 SWREGON_OVERRIDE_EN ; 17-18 15-16 SWREG_FREQCUR ; 19-21 17-19 SWREG_FREQCAP ; SW REG - 20 SWREGFREQ_OVERRIDE_EN ; 22-23 21-22 SWREG_LVLCTR ; - 23 SWREGLVL_OVERRIDE_EN ;/ 24-25 - hw4:SREG_LVLCTR ;-SREG ;<---- removed in hw6 (!) 26-27 24-25 DREG_LVLCTR ;\DREG - 26 DREGLVL_OVERRIDE_EN ;/ 28 27 PAREG_XPNP ;\ 29-31 28-30 PAREG_LVLCTR ; PA REG - 31 PAREGLVL_OVERRIDE_EN ;/ |
0-7 SPARE 8 VBATT_1_3TOATB 9 VBATT_1_2TOATB 10 VBATT_2_3TOATB 11 PWD_BANDGAP_MAN 12 PWD_LFO_MAN 13 VBATT_LT_3P2 14 VBATT_LT_2P8 15 VBATT_GT_4P2 16 hw4: PMU_MAN_OVERRIDE_EN ;\changed/renamed in hw4/hw6 16 hw6: PMU_XPNP_OVERRIDE_EN ;/ 17-18 VBATT_GT_LVLCTR 19 SWREGVSSL2ATB 20-21 SWREGVSSL_LVLCTR 22 SWREGVDDH2ATB 23-24 SWREGVDDH_LVLCTR 25-27 SWREG2ATB 28 OTPREG2ATB 29-30 OTPREG_LVLCTR 31 hw4: DREG_LVLCTR_MANOVR_EN ;\changed/renamed in hw4/hw6 31 hw6: OTPREG_LVLCTR_MANOVR_EN ;/ |
| DSi Atheros Wifi - Internal I/O - 020000h - WMAC DMA (hw4/hw6) |
0-1 - 2 hw4: Receive enable (RXE) (R) ;\one bit in hw4, 2 hw6: Receive LP enable (RXE_LP) (R) ; two bits in hw6 3 hw6: Receive HP enable (RXE_HP) (R) ;/ 4 - 5 Receive disable (RXD) 6 One-shot software interrupt (SWI) (R) |
.. Pointer <------------ HW4 ONLY |
0 Byteswap TX descriptor words (BE_MODE_XMIT_DESC) 1 Byteswap TX data buffer words (BE_MODE_XMIT_DATA) 2 Byteswap RX descriptor words (BE_MODE_RCV_DESC) 3 Byteswap RX data buffer words (BE_MODE_RCV_DATA) 4 Byteswap register access data words (BE_MODE_MMR) 5 AP/adhoc indication (ADHOC) (0=AP, 1=Adhoc) 6-7 - 8 PHY OK status (PHY_OK) (R) 9 hw6: EEPROM_BUSY (R) ;-hw6 only 10 Clock gating disable (CLKGATE_DIS) 11 hw6: HALT_REQ ;\ 12 hw6: HALT_ACK (R) ; 13-16 - ; 17-18 hw6: REQ_Q_FULL_THRESHOLD ; hw6 only 19 hw6: MISSING_TX_INTR_FIX_ENABLE ; 20 hw6: LEGACY_INT_MIT_MODE_ENABLE ; 21 hw6: RESET_INT_MIT_CNTRS ;/ |
0-3 hw6: HP_DATA ;\hw6 only 8-14 hw6: LP_DATA ;/ |
0-3 DATA ;-hw6 only |
0-15 Threshold (RATE_THRESH) |
0 Global interrupt enable (0=Disable, 1=Enable) |
0-15 Last packet threshold (LAST_PKT_THRESH) 16-31 First packet threshold (FIRST_PKT_THRESH) |
0-2 hw6: DMA_SIZE (maybe as in RXCFG below?) ;-hw6 only (???) 3 - 4-9 Frame trigger level (TRIGLVL) 10 hw6: JUMBO_EN ;-hw6 only (??) 11 ADHOC_BEACON_ATIM_TX_POLICY (hw6name: BCN_PAST_ATIM_DIS) 12 hw6: ATIM_DEFER_DIS ;\ 13 - ; 14 hw6: RTCI_DIS ; hw6 only (?) 15-16 - ; 17 hw6: DIS_RETRY_UNDERRUN ; 18 hw6: DIS_CW_INC_QUIET_COLL ; 19 hw6: RTS_FAIL_EXCESSIVE_RETRIES ;/ |
MAC_DMA_FTRIG_IMMED = 0x00000000 ;bytes in PCU TX FIFO before air MAC_DMA_FTRIG_64B = 0x00000010 ;default MAC_DMA_FTRIG_128B = 0x00000020 MAC_DMA_FTRIG_192B = 0x00000030 MAC_DMA_FTRIG_256B = 0x00000040 ;5 bits total |
0-2 DMA Size (0..7 = 4,8,16,32,64,128,256,512 bytes) 3-4 hw6: ZERO_LEN_DMA_EN ;-hw6: two bits? 4 hw4: Enable DMA of zero-length frame ;-hw4: one bit? 5 hw6: JUMBO_EN ;\ 6 hw6: JUMBO_WRAP_EN ; hw6 only (?) 7 hw6: SLEEP_RX_PEND_EN ;/ |
MAC_DMA_RXCFG_DMASIZE_4B = 0x00000000 ;DMA size 4 bytes (TXCFG + RXCFG) MAC_DMA_RXCFG_DMASIZE_8B = 0x00000001 ;DMA size 8 bytes MAC_DMA_RXCFG_DMASIZE_16B = 0x00000002 ;DMA size 16 bytes MAC_DMA_RXCFG_DMASIZE_32B = 0x00000003 ;DMA size 32 bytes MAC_DMA_RXCFG_DMASIZE_64B = 0x00000004 ;DMA size 64 bytes MAC_DMA_RXCFG_DMASIZE_128B = 0x00000005 ;DMA size 128 bytes MAC_DMA_RXCFG_DMASIZE_256B = 0x00000006 ;DMA size 256 bytes MAC_DMA_RXCFG_DMASIZE_512B = 0x00000007 ;DMA size 512 bytes |
31-2 DATA (R) ;-hw6 only |
0 counter overflow warning (WARNING) (R) 1 freeze MIB counters (FREEZE) 2 clear MIB counters (CLEAR) 3 MIB counter strobe, increment all (STROBE) (R) |
0-15 Timeout prescale (TIMEOUT) |
0-9 No frame received timeout (TIMEOUT) |
0-9 No frame transmitted timeout (TIMEOUT)
10-19 QCU Mask (QCU 0-9) ;QCU's for which frame completions will cause
a reset of the no frame xmit'd timeout
|
0-9 Receive frame gap timeout (TIMEOUT) |
0-4 Receive frame count limit ;-hw4 only |
4 hw6: FORCE_PCI_EXT ;-hw6 only 5-8 DMA observation bus mux select (DMA_OBS_MUXSEL) 9-11 MISC observation bus mux select (MISC_OBS_MUXSEL) 12-14 MAC observation bus mux select (lsb) (MISC_F2_OBS_LOW_MUXSEL) 15-17 MAC observation bus mux select (msb) (MISC_F2_OBS_HIGH_MUXSEL) |
____________ below in hw6 only ____________ |
0 REQ 1-2 MSI_RX_SRC 3-4 MSI_TX_SRC |
0-11 LEN |
0-15 COUNT 16-31 LIMIT |
0 USEC_STROBE 1 IGNORE_CHAN_IDLE 2 RESET_ON_CHAN_IDLE 3 CST_USEC_STROBE 4 DISABLE_QCU_FR_ACTIVE_GTT 5 DISABLE_QCU_FR_ACTIVE_BT |
0-7 LP (R) 8-12 HP (R) |
0-31 ADDR |
0-31 DATA (R) ;-hw6 only |
0-39 For QCU 0-9 (4bits each) (R) ;\hw6 only 40-63 - ;/ |
0-15 LAST_PKT_THRESH 16-31 FIRST_PKT_THRESH |
0 CHKSUM_SEL |
| DSi Atheros Wifi - Internal I/O - 020080h - WMAC IRQ Interrupt (hw4/hw6) |
0 At least one frame received sans errors ;\ 1 Receive interrupt request ; 2 Receive error interrupt ; RX 3 No frame received within timeout clock ; 4 Received descriptor empty interrupt ; 5 Receive FIFO overrun interrupt ;/ 6 Transmit okay interrupt ;\ ;<-- ISR_S0.Bit0..9 7 Transmit interrupt request ; 8 Transmit error interrupt ; TX ;<-- ISR_S1.Bit0..9 9 No frame transmitted interrupt ; 10 Transmit descriptor empty interrupt ; 11 Transmit FIFO underrun interrupt ;/ ;<-- ISR_S2.Bit0..9 12 MIB interrupt - see MIBC 13 Software interrupt 14 PHY receive error interrupt 15 Key-cache miss interrupt 16 Beacon rssi high threshold interrupt ;aka Beacon rssi hi threshold 17 Beacon threshold interrupt ;aka Beacon rssi lo threshold 18 Beacon missed interrupt 19 Maximum transmit interrupt rate 20 Beacon not ready interrupt ;aka BNR interrupt 21 An unexpected bus error has occurred 22 - 23 Beacon Misc (TIM, CABEND, DTIMSYNC, BCNTO) ;<-- ISR_S2.Bit24..27 24 Maximum receive interrupt rate 25 QCU CBR overflow interrupt ;<-- ISR_S3.Bit0..9 26 QCU CBR underrun interrupt ;<-- ISR_S3.Bit16..27 27 QCU scheduling trigger interrupt ;<-- ISR_S4.Bit0..9 28 GENTMR interrupt (aka GENERIC_TIMERS... and/or ISR_S5?) 29 HCFTO interrupt 30 Transmit completion mitigation interrupt 31 Receive completion mitigation interrupt |
0-9 TXOK (QCU 0-9) ;--> Primary_ISR.Bit6 16-27 TXDESC (QCU 0-9) ;--> Primary_ISR. ?? |
0-9 TXERR (QCU 0-9) ;--> Primary_ISR.Bit8 16-27 TXEOL (QCU 0-9) |
0-9 TXURN (QCU 0-9) ;--> Primary_ISR.Bit11 10 - 11 RX_INT ;RX 12 WL_STOMPED 13 RX_PTR_BAD ;RX 14 BT_LOW_PRIORITY_RISING 15 BT_LOW_PRIORITY_FALLING 16 BB_PANIC_IRQ 17 BT_STOMPED 18 BT_ACTIVE_RISING 19 BT_ACTIVE_FALLING 20 BT_PRIORITY_RISING 21 BT_PRIORITY_FALLING 22 CST 23 GTT 24 TIM ;\ 25 CABEND ; Beacon Misc --> Primary_ISR.Bit23 26 DTIMSYNC ; 27 BCNTO ;/ 28 CABTO 29 DTIM 30 TSFOOR 31 - |
0-9 QCBROVF (QCU 0-9) ;--> Primary_ISR.Bit25 16-27 QCBRURN (QCU 0-9) ;--> Primary_ISR.Bit26 |
0-9 QTRIG (QCU 0-9) ;--> Primary_ISR.Bit27 |
0 TBTT_TIMER_TRIGGER ;-TBTT timer 1 DBA_TIMER_TRIGGER ;\ 2 SBA_TIMER_TRIGGER ; 3 HCF_TIMER_TRIGGER ; 4 TIM_TIMER_TRIGGER ; timer's 5 DTIM_TIMER_TRIGGER ; 6 QUIET_TIMER_TRIGGER ; 7 NDP_TIMER_TRIGGER ; 8-15 GENERIC_TIMER2_TRIGGER ;/ 16 TIMER_OVERFLOW ;<-- which timer overflow ? 17 DBA_TIMER_THRESHOLD ;\ 18 SBA_TIMER_THRESHOLD ; 19 HCF_TIMER_THRESHOLD ; 20 TIM_TIMER_THRESHOLD ; threshold's 21 DTIM_TIMER_THRESHOLD ; 22 QUIET_TIMER_THRESHOLD ; 23 NDP_TIMER_THRESHOLD ; 24-31 GENERIC_TIMER2_THRESHOLD ;/ |
0-31 ?? (probably related to the new "hw6" registers in MAC DMA chapter) |
| DSi Atheros Wifi - Internal I/O - 020800h - WMAC QCU Queue (hw4/hw6) |
0-31 DATA ... unspecified ;MAC Transmit Queue descriptor pointer |
0-9 DATA |
0-23 CBR interval (us) (INTERVAL) ;\MAC CBR configuration 24-31 CBR overflow threshold (OVF_THRESH) ;/ |
0-23 CBR interval (us) (DURATION) ;\MAC ReadyTime configuration 24 CBR enable (EN) ;/ |
0-9 SET/CLEAR |
0-3 Frame Scheduling Policy mask (FSP):
0=ASAP ;\
1=CBR ; defined as so for
2=DMA Beacon Alert gated ; hw4 (maybe same
3=TIM gated ; for hw6)
4=Beacon-sent-gated ;/
4 OneShot enable (ONESHOT_EN)
5 CBR expired counter disable incr (NOFR, empty q)
6 CBR expired counter disable incr (NOBCNFR, empty beacon q)
7 Beacon use indication (IS_BCN)
8 CBR expired counter limit enable (CBR_EXP_INC_LIMIT)
9 Enable TXE cleared on ReadyTime expired or VEOL (TXE_CLR_ON_CBR_END)
10 CBR expired counter reset (MMR_CBR_EXP_CNT_CLR_EN)
11 FR_ABORT_REQ_EN DCU frame early termination request control
|
0-1 FR_PEND: Pending Frame Count (R) ;\MAC Misc QCU status/counter 8-15 CBR_EXP: CBR expired counter (R) ;/ |
0-9 SHUTDOWN: MAC ReadyTimeShutdown status (flags for QCU 0-9 ?) |
_____________ below in hw6 only _____________ |
0-31 ADDR |
0-31 ADDR |
0-31 ADDRESS (R) |
0 EN |
0-9 DUR_CAL_EN |
| DSi Atheros Wifi - Internal I/O - 021000h - WMAC DCU (hw4/hw6) |
0-9 QCU Mask (QCU 0-9) |
0-15 DURATION ;-DCU global SIFS settings |
0-9 CW_MIN ;\ 10-19 CW_MAX ; MAC DCU-specific IFS settings 20-27 AIFS ; 28 hw6: LONG_AIFS ;-hw6 only ; 29-31 - ;/ |
0-15 DURATION ;DC global slot interval |
0-3 frame RTS failure limit (FRFL) ;\ 4-7 - ; MAC Retry limits 8-13 station RTS failure limit (SRFL) ; 14-19 station short retry limit (SDFL) ; 20-31 - ;/ |
0-15 DURATION ;-DCU global EIFS setting |
0-15 ChannelTime duration (us) (DURATION) ;\MAC ChannelTime settings 16 ChannelTime enable (ENABLE) ;/ |
0-2 LFSR slice select (LFSR_SLICE_SEL) ;\ 3 Turbo mode indication (TURBO_MODE) ; 4-9 hw6: SIFS_DUR_USEC ;-hw6 only ; 10-19 - ; 20-21 DCU arbiter delay (ARB_DLY) ; DCU global misc. 22 hw6: SIFS_RST_UNCOND ;\ ; IFS settings 23 hw6: AIFS_RST_UNCOND ; ; 24 hw6: LFSR_SLICE_RANDOM_DIS ; hw6 only ; 25-26 hw6: CHAN_SLOT_WIN_DUR ; ; 27 hw6: CHAN_SLOT_ALWAYS ;/ ; 28 IGNORE_BACKOFF ; 29 hw6: SLOT_COUNT_RST_UNCOND ;-hw6 only ; 30-31 - ;/ |
0-5 BKOFF_THRESH ;\ 6 SFC_RST_AT_TS_END_EN ; 7 CW_RST_AT_TS_END_DIS ; 8 FRAG_BURST_WAIT_QCU_EN ; 9 FRAG_BURST_BKOFF_EN ; MAC Miscellaneous 10 - ; DCU-specific settings 11 HCF_POLL_EN ; 12 BKOFF_PF ; (specified as so for hw6) 13 - ; (hw4 bit numbers are undocumented, 14-15 VIRT_COLL_POLICY ; although... actually the SAME bits 16 IS_BCN ; ARE documented, but for the "EOL" 17 ARB_LOCKOUT_IF_EN ; registers instead of for "MISC"...?) 18 LOCKOUT_GBL_EN ; 19 LOCKOUT_IGNORE ; 20 SEQNUM_FREEZE ; 21 POST_BKOFF_SKIP ; 22 VIRT_COLL_CW_INC_EN ; 23 RETRY_ON_BLOWN_IFS_EN ; 24 SIFS_BURST_CHAN_BUSY_IGNORE ; 25-31 - ;/ |
0-31 NUM |
0-9 REQUEST ;\DCU transmit pause control/status 16 STATUS (R) ;/ |
_____________ below in hw4 only _____________ |
... unspecified |
0-5 Backoff threshold
6 End of transmission series station RTS/data failure count reset policy
7 End of transmission series CW reset policy
8 Fragment Starvation Policy
9 Backoff during a frag burst
10 -
11 HFC poll enable
12 Backoff persistence factor setting
13
14-15 Mask for Virtual collision handling policy
(0=Normal, 1=Ignore, 2..3=Unspecified)
16 Beacon use indication
17-18 Mask for DCU arbiter lockout control
(0=No Lockout, 1=Intra-frame, 2=Global, 3=Unspecified)
19 DCU arbiter lockout ignore control
20 Sequence number increment disable
21 Post-frame backoff disable
22 Virtual coll. handling policy
23 Blown IFS handling policy
24-31 -
|
_____________ below in hw6 only _____________ |
0 TX_EN 1 TIM_EN 4-11 BCN_CNT 12-23 RX_TIMEOUT_CNT |
0-15 MASK |
0-31 DATA |
0-31 DATA |
0-31 DATA |
0-31 DATA (R) |
0-31 DATA (R) |
0-31 DATA (R) |
0-31 DATA (R) |
0-31 DATA (R) |
0-31 DATA (R) |
0-31 DATA (R) |
0-31 DATA (R) |
0-31 DATA (R) |
| DSi Atheros Wifi - Internal I/O - 028000h - WMAC PCU (hw2/hw4/hw6) |
0-47 ADDR (called STA_ADDR in hw2) (local MAC address) 48 STA_AP (called AP in hw2) 49 ADHOC 50 PW_SAVE (called PWR_SV in hw2) 51 KEYSRCH_DIS (called NO_KEYSRCH in hw2) 52 PCF 53 USE_DEFANT (called USE_DEF_ANT in hw2) 54 DEFANT_UPDATE (called DEF_ANT_UPDATE in hw2) 55 RTS_USE_DEF (called RTS_DEF_ANT in hw2) 56 ACKCTS_6MB 57 BASE_RATE_11B (called RATE_11B in hw2) 58 SECTOR_SELF_GEN 59 CRPT_MIC_ENABLE 60 KSRCH_MODE 61 PRESERVE_SEQNUM 62 CBCIV_ENDIAN 63 ADHOC_MCAST_SEARCH |
0-47 ADDR (called BSSID in hw2) 48-58 AID (11bit, although claimed to be 16bit wide, bit48-63 in hw2) |
0-47 ADDR (hw2: SEC_BSSID, ini:0) ;\hw2/hw4/hw6 48 ENABLE (hw2: SEC_BSSID_ENABLE, ini:0) ;/ 49-51 - 52-62 hw6: AID ;-hw 6 only 63 - |
0-11 AVE_VALUE (aka hw2:BCN_RSSI_AVE ini:800h) (R) ;-hw2/hw4/hw6 16-27 hw6: AVE_VALUE2 (R) ;-hw6 only |
0-13 ACK_TIMEOUT (aka 16bit wide, bit0-15: ACK_TIME_OUT in hw2) 16-29 CTS_TIMEOUT (aka 16bit wide, bit16-31: CTS_TIME_OUT in hw2) |
0-7 RSSI_LOW_THRESH (aka hw2: BCN_RSSI_LO_THR, ini:0) 8-15 MISS_THRESH (aka hw2: BCN_MISS_THR, ini:FFh) 16-23 RSSI_HIGH_THRESH (aka hw2: BCN_RSSI_HI_THR, ini:7Fh) 24-28 WEIGHT (aka hw2: BCN_RSSI_WEIGHT, ini:0) 29 RESET (aka hw2: BCN_RSSI_RESET) |
<-- hw2 (REG_USEC) --> <--- hw4/hw6 ----------> 0-6 USEC (7bit) 0-7 USEC (8bit) 7-13 USEC32 (7bit) 8-13 - (-) 14-18 TX_DELAY (5bit) 14-22 TX_LATENCY (9bit) 19-24 RX_DELAY (6bit) 23-28 RX_LATENCY (6bit) |
0 UNICAST 1 MULTICAST 2 BROADCAST 3 CONTROL 4 BEACON 5 PROMISCUOUS 6 XR_POLL 7 PROBE_REQ 8 hw2: outcommented: SYNC ;\hw4 and hw6 (outcommented in hw2) 8 hw4/hw6: SYNC_FRAME ;/ 9 MY_BEACON 10 hw4/hw6: COMPRESSED_BAR ;\ 11 hw4/hw6: COMPRESSED_BA ; 12 hw4/hw6: UNCOMPRESSED_BA_BAR ; hw4 and hw6 13 hw4/hw6: ASSUME_RADAR ; 14 hw4/hw6: PS_POLL ; 15 hw4/hw6: MCAST_BCAST_ALL ; 16 hw4/hw6: RST_DLMTR_CNT_DISABLE ;/ 17 hw4: FROM_TO_DS ;\ 18-23 hw4: GENERIC_FTYPE ; hw4 only (moved to bit20-28 in hw6) 24-25 hw4: GENERIC_FILTER ;/ 17 hw6: HW_BCN_PROC_ENABLE ;\ 18 hw6: MGMT_ACTION_MCAST ; hw6 only 19 hw6: CONTROL_WRAPPER ; 20 hw6: FROM_TO_DS ; ;\these bits were formerly 21-26 hw6: GENERIC_FTYPE ; ; in bit17-25 in hw4) 27-28 hw6: GENERIC_FILTER ; ;/ 29 hw6: MY_BEACON2 ;/ |
0-63 VALUE (aka hw2: unspecified) |
0 INVALID_KEY_NO_ACK (aka hw2:DIS_WEP_ACK ;ini:0) 1 NO_ACK (aka hw2:DIS_ACK ;ini:0) 2 NO_CTS (aka hw2:DIS_CTS ;ini:0) 3 NO_ENCRYPT (aka hw2:DIS_ENC ;ini:0) 4 NO_DECRYPT (aka hw2:DIS_DEC ;ini:0) 5 HALT_RX (aka hw2:DIS_RX ;ini:0) 6 LOOP_BACK (aka hw2:LOOP_BACK ;ini:0) 7 CORRUPT_FCS (aka hw2:CORR_FCS ;ini:0) 8 DUMP_CHAN_INFO (aka hw2:CHAN_INFO ;ini:0) 9-16 - (aka hw2: RESERVED) (aka hw2:RESERVED ;ini:0) 17 ACCEPT_NON_V0 (aka hw2:ACCEPT_NONV0 ;ini:0) 18-19 OBS_SEL_1_0 (aka hw2:OBS_SEL_0_1 ;ini:0) 20 RX_CLEAR_HIGH (aka hw2:RXCLR_HIGH ;ini:0) 21 IGNORE_NAV (aka hw2:IGNORE_NAV ;ini:0) 22 CHAN_IDLE_HIGH (aka hw2:CHANIDLE_HIGH ;ini:0) 23 PHYERR_ENABLE_EIFS_CTL (aka hw2:PHYERR_ENABLE_NEW ;ini:0) 24 DUAL_CHAIN_CHAN_INFO (aka hw2:DUAL_CHAIN_CHAN_INFO ;ini:0) 25 FORCE_RX_ABORT (aka hw2:FORCE_RX_ABORT ;ini:0) 26 SATURATE_CYCLE_CNT (aka hw2:SATURATE_CYCLE_CNT ;ini:0) 27 OBS_SEL_2 (aka hw2:OBS_SEL_2 ;ini:0) 28 hw4/hw6: RX_CLEAR_CTL_LOW ;\ 29 hw4/hw6: RX_CLEAR_EXT_LOW ; hw4/hw6 only 30-31 hw4/hw6: DEBUG_MODE ;/ |
0 hw2: TEST_MODE ;\ 1 hw2: TEST_LOOP ; hw2 (moved to bit1-14 in hw4/hw6) 2-12 hw2: LOOP_LEN ; 13 hw2: TEST_UPPER_8B ;/ 14 hw2: TEST_MSB ;-hw2 only 15 hw2: TEST_CAPTURE ;-hw2 (moved to bit19 in hw4/hw6) |
0 hw4/hw6: CONT_TX ;-hw4/hw6 only 1 hw4/hw6: TESTMODE ;\ 2 hw4/hw6: LOOP ; hw4/hw6 (formerly bit0-13 in hw2) 3-13 hw4/hw6: LOOP_LEN ; 14 hw4/hw6: UPPER_8B ;/ 15 hw6: SAMPLE_SIZE_2K ;-hw6 only 16 hw4/hw6: TRIG_SEL ;\ 17 hw4/hw6: TRIG_POLARITY ; hw4/hw6 only 18 hw4/hw6: CONT_TEST (R) ;/ 19 hw4/hw6: TEST_CAPTURE ;-hw4/hw6 (formerly bit15 in hw2) 20 hw4/hw6: TEST_ARM ;-hw4/hw6 only |
0-23 VALUE ;\hw4/hw6 (and maybe hw2, too) 24 TX_DEF_ANT_SEL ;/ 25 hw6: SLOW_TX_ANT_EN ;\ 26 hw6: TX_CUR_ANT ; hw6 only 27 hw6: FAST_DEF_ANT ;/ 28 RX_LNA_CONFIG_SEL ;-hw4/hw6 (and maybe hw2, too) 29 hw6: FAST_TX_ANT_EN ;\ 30 hw6: RX_ANT_EN ; hw6 only 31 hw6: RX_ANT_DIV_ON ;/ |
0-15 FC (hw2: ini:C7FFh) 16-31 QOS (hw2: ini:FFFFh) |
0-15 SEQ (hw2: ini:000Fh) 16-31 FC_MGMT (hw2: ini:E7FFh) |
0 - (aka hw2: outcommented: SYNC, ini:1) 1 GATED_TX (aka hw2: TX, ini:0) 2 GATED_RX (aka hw2: RX, ini:0) 3 GATED_REG (aka hw2: REG, ini:0) |
0-17 VALUE (aka hw2: OBS_BUS) (R) ;-hw2/hw4/hw6 18-21 hw6: WCF_STATE (R) ;\ 22 hw6: WCF0_FULL (R) ; 23 hw6: WCF1_FULL (R) ; hw6 only 24-28 hw6: WCF_COUNT (R) ; 29 hw6: MACBB_ALL_AWAKE (R) ;/ |
0 PCU_DIRECTED (R) 1 PCU_RX_END (R) 2 RX_WEP (R) 3 RX_MY_BEACON (R) 4 FILTER_PASS (R) 5 TX_HCF (R) 6 TM_QUIET_TIME (aka hw2: QUIET_TIME) (R) 7 PCU_CHANNEL_IDLE (aka hw2: CHAN_IDLE) (R) 8 TX_HOLD (R) 9 TX_FRAME (R) 10 RX_FRAME (R) 11 RX_CLEAR (R) 12-17 WEP_STATE (R) 20-23 hw2: RX_STATE (4bit) (R) ;\hw2 (less bits) 24-28 hw2: TX_STATE (5bit) (R) ;/ 20-24 hw4/hw6: RX_STATE (5bit) (R) ;\hw4/hw6 (one more 25-30 hw4/hw6: TX_STATE (6bit) (R) ;/bit than hw2 each) |
0-31 VALUE (hw2: unspecified/LAST_TSTP) (R) |
0-25 VALUE (hw2: unspecified/NAV) |
0-15 VALUE (COUNT or so?) (hw2: unspecified) (R) |
0-5 POLL_TYPE (hw2: ini:1Ah) 7 WAIT_FOR_POLL (hw2: ini:0) 20-31 FRAME_HOLD (hw2: ini:680 decimal) |
0-15 SLOT_DELAY (hw2: ini:360 (decimal) 16-31 CHIRP_DATA_DELAY (hw2: ini:1680 decimal) |
0-15 CHIRP_TIMEOUT (hw2: ini:7200 decimal) 16-31 POLL_TIMEOUT (hw2: ini:5000 decimal) |
0 SEND_CHIRP (hw2: ini:0) 16-31 CHIRP_GAP (hw2: ini:500 decimal) |
0 RX_ABORT_RSSI (hw2: ini:0) 1 RX_ABORT_BSSID (hw2: ini:0) 2 TX_STOMP_RSSI (hw2: ini:0) 3 TX_STOMP_BSSID (hw2: ini:0) 4 TX_STOMP_DATA (hw2: ini:0) 5 RX_ABORT_DATA (hw2: ini:0) 8-15 TX_STOMP_RSSI_THRESH (hw2: ini:25h) 16-23 RX_ABORT_RSSI_THRESH (hw2: ini:25h) |
0-47 VALUE (aka hw2:BSSID_MASK, ini:FFFFFFFFFFFFh) |
0-5 ACK_PWR (hw2: ini:3Fh) 8-13 CTS_PWR (hw2: ini:3Fh) 16-21 CHIRP_PWR (hw2: ini:3Fh) 24-29 hw6: RPT_PWR ;-hw6 only |
0-31 VALUE (aka COUNT or so?) (aka hw2: CNT, ini:0) |
0-15 hw2: NEXT_QUIET (hw2: ini:0) ;\hw2 only (not hw4/hw6) 16 hw2: QUIET_ENABLE (hw2: ini:0) ;/ 17 ACK_CTS_ENABLE (hw2: ini:1) ;-hw2/hw4/hw6 |
0-15 hw2: QUIET_PERIOD (hw2: ini:0002h) ;\differs in 0-15 hw4: - ; hw2, hw4, hw6 0-15 hw6: DURATION2 ;-hw6 only ;/ 16-31 DURATION (aka hw2: QUIET_DURATION, ini:0001h) ;-hw2/hw/hw6 |
0-3 TWO_BIT_VALUES (hw2: NOACK_2_BIT_VALUES, ini:2) 4-6 BIT_OFFSET (hw2: NOACK_BIT_OFFSET, ini:5) 7-8 BYTE_OFFSET (hw2: NOACK_BYTE_OFFSET, ini:0) |
0-31 VALUE (hw2: PHYERR_MASK, ini:0) |
0-11 VALUE (hw2: XR_TX_DELAY, ini:168h) |
0-10 HIGH_PRIORITY_THRSHD ;\hw4/hw6 only (not hw2) 11 REG_RD_ENABLE ;/ |
0-15 VALUE_0..7 (2bit each) (aka hw2: MICQOSCTL, ini:00AAh) 16 ENABLE (aka hw2: MICQOSCTL_ENABLE, ini:1) |
0-31 VALUE_0..7 (4bit each) (aka hw2: MICQOSSEL, ini:00003210h) |
0-23 VALUE (count or so?) (hw2: CNT, ini:0) |
0-23 VALUE (count or so?) (hw2: PHYCNT, ini:0) |
0-31 VALUE (mask or so?) (hw2: PHYCNTMASK, ini:0) |
0-15 VALUE (hw2: TSFTHRESH, ini:FFFFh) |
0-31 VALUE (hw2: MASK, ini:0) |
________________________________ Misc Mode ________________________________ |
0 BSSID_MATCH_FORCE (hw2: ini:0) 1 hw2: ACKSIFS_MEMORY_RESERVED (hw2: ini:0) 1 hw4/hw6: DEBUG_MODE_AD 2 MIC_NEW_LOCATION(_ENABLE) (hw2: ini:0) 3 TX_ADD_TSF (hw2: ini:0) 4 CCK_SIFS_MODE (hw2: ini:0) 5 hw2: BFCOEF_MODE_RESERVED (hw2: ini:0) 6 hw2: BFCOEF_ENABLE (hw2: ini:0) 7 hw2: BFCOEF_UPDATE_SELF_GEN (hw2: ini:1) 8 hw2: BFCOEF_MCAST (hw2: ini:1) 9 hw2: DUAL_CHAIN_ANT_MODE (hw2: ini:0) 10 hw2: FALCON_DESC_MODE (hw2: ini:0) 5-8 hw4: - 5 hw6: RXSM2SVD_PRE_RST 6 hw6: RCV_DELAY_SOUNDING_IM_TXBF 7-8 hw6: - 9 hw4/hw6: DEBUG_MODE_BA_BITMAP 10 hw4/hw6: DEBUG_MODE_SIFS 11 KC_RX_ANT_UPDATE (hw2: ini:1) 12 TXOP_TBTT_LIMIT(_ENABLE) (hw2: ini:0) 13 hw2: FALCON_BB_INTERFACE (hw2: ini:0) 14 MISS_BEACON_IN_SLEEP (hw2: ini:1) 15-16 - 17 hw2: BUG_12306_FIX_ENABLE (hw2: ini:1) 18 FORCE_QUIET_COLLISION (hw2: ini:0) 19 hw2: BUG_12549_FORCE_TXBF (hw2: ini:0) 20 BT_ANT_PREVENTS_RX (hw2: ini:1) 21 TBTT_PROTECT (hw2: ini:1) 22 HCF_POLL_CANCELS_NAV (hw2: ini:1) 23 RX_HCF_POLL_ENABLE (hw2: ini:1) 24 CLEAR_VMF (hw2: ini:0) 25 CLEAR_FIRST_HCF (hw2: ini:0) 26 hw2: ADHOC_MCAST_KEYID_ENABLE (hw2: ini:0) 27 hw2: ALLOW_RAC (hw2: ini:0) 28-31 hw2: - 26 hw4/hw6: CLEAR_BA_VALID 27 hw4/hw6: SEL_EVM 28 hw4/hw6: ALWAYS_PERFORM_KEY_SEARCH 29 hw4/hw6: USE_EOP_PTR_FOR_DMA_WR 30-31 hw4/hw6: DEBUG_MODE |
0 hw2: MGMT_CRYPTO_ENABLE (ini:0) ;moved to bit1 in hw4 ;\ 1 hw2: NO_CRYPTO_FOR_NON_DATA_PKT(ini:0) ;moved to bit2 in hw4 ; hw2 2-7 hw2: RESERVED ;/ 0 hw4/hw6: BUG_21532_FIX_ENABLE ;\ 1 hw4/hw6: MGMT_CRYPTO_ENABLE ; hw4/hw6 2 hw4/hw6: NO_CRYPTO_FOR_NON_DATA_PKT ;/ 3 hw4: RESERVED 3 hw6: BUG_58603_FIX_ENABLE ;-hw6 4 hw6 and hw4.2: BUG_58057_FIX_ENABLE ;-hw4.2 and up (not hw2 and hw4.0) 5 hw4/hw6: RESERVED ;\ 6 hw4/hw6: ADHOC_MCAST_KEYID_ENABLE ; hw4/hw6 7 hw4/hw6: CFP_IGNORE ;/ 8-15 MGMT_QOS ;-all hw 16 hw2: BC_MC_WAPI_MODE (ini:0) ;moved to bit18 in hw4 ;\ 17 hw2: IGNORE_TXOP_FOR_1ST_PKT (ini:0) ;moved to bit22 in hw4 ; hw2 18 hw2: IGNORE_TXOP_IF_ZERO (ini:0) ;moved to bit23 in hw4 ; 19-31 hw2_ RESERVED ;/ 16 hw4/hw6: ENABLE_LOAD_NAV_BEACON_DURATION ;\ 17 hw4/hw6: AGG_WEP ; 18 hw4/hw6: BC_MC_WAPI_MODE ; 19 hw4/hw6: DUR_ACCOUNT_BY_BA ; hw4/hw6 20 hw4/hw6: BUG_28676 ; 21 hw4/hw6: CLEAR_MORE_FRAG ; 22 hw4/hw6: IGNORE_TXOP_1ST_PKT ;/ 23 hw4: IGNORE_TXOP_IF_ZERO ;moved to MISC_MODE3.bit22 in hw6 ;\ 24 hw4: PM_FIELD_FOR_DAT ;moved to MISC_MODE3.bit24 in hw6 ; 25 hw4: PM_FIELD_FOR_MGMT ;moved to MISC_MODE3.bit25 in hw6 ; hw4 26 hw4: BEACON_FROM_TO_DS ;moved to MISC_MODE3.bit23 in hw6? ; 27 hw4: RCV_TIMESTAMP_FIX ;moved to bit25 in hw6 ; 28-31 hw4: RESERVED ;/ 23 hw6: MPDU_DENSITY_STS_FIX ;\ 24 hw6: MPDU_DENSITY_WAIT_WEP ; 25 hw6: RCV_TIMESTAMP_FIX ;moved from bit27 in hw4 ; 27 hw6: DECOUPLE_DECRYPTION ; hw6 28 hw6: H_TO_SW_DEBUG_MODE ; 29 hw6: TXBF_ACT_RPT_DONE_PASS ; 30 hw6: PCU_LOOP_TXBF ; 31 hw6: CLEAR_WEP_TXBUSY_ON_TXURN ;/ |
0 BUG_55702_FIX_ENABLE 1 AES_3STREAM 2 REGULAR_SOUNDING 3 BUG_58011_FIX_ENABLE 4 BUG_56991_FIX_ENABLE 5 WOW_ADDR1_MASK_ENABLE 6 BUG_61936_FIX_ENABLE 7 CHECK_LENGTH_FOR_BA 8-15 BA_FRAME_LENGTH 16 MATCH_TID_FOR_BA 17 WAPI_ORDER_MASK 18 BB_LDPC_EN 19 SELF_GEN_SMOOTHING 20 SMOOTHING_FORCE 21 ALLOW_RAC 22 IGNORE_TXOP_IF_ZER0 ;uh, ZerNull or Zero? ;moved from MODE2.bit23 23 BEACON_FROM_TO_DS_CHECK ;moved from MODE2.bit26? 24 PM_FIELD_FOR_DAT ;moved from MODE2.bit24 25 PM_FIELD_FOR_MGMT ;moved from MODE2.bit25 26 PM_FIELD2_FOR_CTL 27 PM_FIELD2_FOR_DAT 28 PM_FIELD2_FOR_MGT 29 KEY_MISS_FIX 30 PER_STA_WEP_ENTRY_ENABLE 31 TIME_BASED_DISCARD_EN |
0 BC_MC_WAPI_MODE2_EN 1 BC_MC_WAPI_MODE2 2 SYNC_TSF_ON_BEACON 3 SYNC_TSF_ON_BCAST_PROBE_RESP 4 SYNC_TSF_ON_MCAST_PROBE_RESP 5 SYNC_TSF_ON_UCAST_MOON_PROBE_RESP 6 SYNC_TSF_ON_UCAST_PROBE_RESP |
______________________________ Basic Rate Set ______________________________ |
Bitfields for hw2 RATE_SET0 register: 0-4 BRATE_1MB_L (hw2: ini:#CCK_RATE_1Mb_L) 5-9 BRATE_2MB_L (hw2: ini:#CCK_RATE_2Mb_L) 10-14 BRATE_2MB_S (hw2: ini:#CCK_RATE_2Mb_S) 15-19 BRATE_5_5MB_L (hw2: ini:#CCK_RATE_5_5Mb_L) 20-24 BRATE_5_5MB_S (hw2: ini:#CCK_RATE_5_5Mb_S) 25-29 BRATE_11MB_L (hw2: ini:#CCK_RATE_11Mb_L) Bitfields for hw2 RATE_SET1 register: 0-4 BRATE_11MB_S (hw2: ini:#CCK_RATE_11Mb_S) 5-9 BRATE_6MB (hw2: ini:#OFDM_RATE_6Mb) 10-14 BRATE_9MB (hw2: ini:#OFDM_RATE_6Mb, too?) 15-19 BRATE_12MB (hw2: ini:#OFDM_RATE_12Mb) 20-24 BRATE_18MB (hw2: ini:#OFDM_RATE_12Mb, too?) 25-29 BRATE_24MB (hw2: ini:#OFDM_RATE_24Mb) Bitfields for hw2 RATE_SET2 register: 0-4 BRATE_36MB (hw2: ini:#OFDM_RATE_24Mb, too?) 5-9 BRATE_48MB (hw2: ini:#OFDM_RATE_24Mb, too?) 10-14 BRATE_54MB (hw2: ini:#OFDM_RATE_24Mb, too?) |
OFDM_RATE_6Mb = 0Bh CCK_RATE_1Mb_L = 1Bh XR_RATE_0_25Mb = 03h OFDM_RATE_9Mb = 0Fh CCK_RATE_2Mb_L = 1Ah XR_RATE_0_5Mb = 07h OFDM_RATE_12Mb = 0Ah CCK_RATE_2Mb_S = 1Eh XR_RATE_1Mb = 02h OFDM_RATE_18Mb = 0Eh CCK_RATE_5_5Mb_L = 19h XR_RATE_2Mb = 06h OFDM_RATE_24Mb = 09h CCK_RATE_5_5Mb_S = 1Dh XR_RATE_3Mb = 01h OFDM_RATE_36Mb = 0Dh CCK_RATE_11Mb_L = 18h (the XR_stuff might be OFDM_RATE_48Mb = 08h CCK_RATE_11Mb_S = 1Ch unrelated to RATE_SET) OFDM_RATE_54Mb = 0Ch |
0-24 VALUE (maybe this 25bit value is meant to contain 5 rates of 5bit ?) |
______________________________ Bluetooth Mode ______________________________ |
0-7 TIME_EXTEND (hw2: ini:20h) 8 TX_STATE_EXTEND (hw2: ini:1) 9 TX_FRAME_EXTEND (hw2: ini:1) 10-11 MODE (hw2: ini:3) 12 QUIET (hw2: ini:1) 13-16 QCU_THRESH (hw2: ini:1) 17 RX_CLEAR_POLARITY (hw2: ini:0) 18-23 PRIORITY_TIME (hw2: ini:05h) 24-31 FIRST_SLOT_TIME (hw2: ini:9Bh) |
0-7 BCN_MISS_THRESH (hw2: ini:0) 8-15 BCN_MISS_CNT (R) 16 HOLD_RX_CLEAR (hw2: ini:0) 17 SLEEP_ALLOW_BT_ACCESS (hw2: WL_CONTROL_ANT, ini:0) 18 hw2: RESPOND_TO_BT_ACTIVE (hw2: ini:0) ;-hw2 only 19 PROTECT_BT_AFTER_WAKEUP (hw2: ini:0) 20 DISABLE_BT_ANT (hw2: ini:0) 21 hw4/hw6: QUIET_2_WIRE ;\ 22-23 hw4/hw6: WL_ACTIVE_MODE ; 24 hw4/hw6: WL_TXRX_SEPARATE ; 25 hw4/hw6: RS_DISCARD_EXTEND ; hw4/hw6 only 26-27 hw4/hw6: TSF_BT_ACTIVE_CTRL ; 28-29 hw4/hw6: TSF_BT_PRIORITY_CTRL ; 30 hw4/hw6: INTERRUPT_ENABLE ; 31 hw4/hw6: PHY_ERR_BT_COLL_ENABLE ;/ |
0-7 WL_ACTIVE_TIME ;\ 8-15 WL_QC_TIME ; 16-19 ALLOW_CONCURRENT_ACCESS ; 20 hw4: SHARED_RX ;<-- hw4 ; 20 hw6: AGC_SATURATION_CNT_ENABLE ;<-- hw6 ; hw4/hw6 only (not hw2) 21 WL_PRIORITY_OFFSET_EN ; 22 RFGAIN_LOCK_SRC ; 23 DYNAMIC_PRI_EN ; 24 DYNAMIC_TOGGLE_WLA_EN ; 25-26 SLOT_SLOP ; 27 BT_TX_ON_EN ; 28-31 BT_PRIORITY_EXTEND_THRES ;/ |
0-15 BT_ACTIVE_EXTEND ;\hw4/hw6 only (not hw2) 16-31 BT_PRIORITY_EXTEND ;/ |
0-2 MCI_WL_LEVEL_MULT ;\ 3 TX_ON_SRC ; 4-19 TIMER_TARGET ; hw6 only (not hw2/hw4) 20 SHARED_RX ; 21 USE_BTP_EXT ;/ |
0-15 BT_WEIGHT (hw2: ini:FA50h) 16-31 WL_WEIGHT (hw2: ini:FAA4h) |
16-31 WL_WEIGHT_CONTD (extends "WL_WEIGHT" or so) ;-hw4 only (not hw2/hw6) |
_______________________________ hw2/hw6 only _______________________________ |
0-15 VALUE (hw2: TIMEOUT, ini:100h) ;-hw2/hw6 only (not hw4) |
0-7 SIFS_TIME (hw2: ini: 16 decimal) 8-11 TX_LATENCY (hw2: ini:2) 12-14 ACK_SHIFT (hw2: ini:3) |
0-7 VALUE (hw2: TXOP_X, ini:0) |
0-7 TXOP_0 / TXOP_4 / TXOP_8 / TXOP_12 (hw2: ini:0) 8-15 TXOP_1 / TXOP_5 / TXOP_9 / TXOP_13 (hw2: ini:0) 16-23 TXOP_2 / TXOP_6 / TXOP_10 / TXOP_14 (hw2: ini:0) 24-31 TXOP_3 / TXOP_7 / TXOP_11 / TXOP_15 (hw2: ini:0) |
_______________________________ hw4/hw6 only _______________________________ |
0-31 WEIGHT |
0-5 LINKID 6-12 WT_IDX |
0-3 TXHP_WEIGHT ;\ 4-7 TXLP_WEIGHT ; hw4/hw6 only (not hw2) 8-11 RXHP_WEIGHT ; 12-15 RXLP_WEIGHT ;/ |
0 HOLD ;\ 1 CLEAR ; 2 STATE (R) ; hw4/hw6 only (not hw2) 3 ENABLE ; 4-7 QCU_SEL ; 8-17 INT_ADDR (R) ; 18-31 DIAG_MODE ;/ |
0-47 MASK ;\hw4/hw6 only (not hw2) 48-31 - ;/ |
0-31 VALUE (R) ;-hw4/hw6 only (not hw2) |
0-31 VALUE (R) ;-hw4/hw6 only (not hw2) |
0-7 MAXGAIN1 ;\that are 4 gain value ;\ 8-15 MAXGAIN2 ; for each of the 4 registers ; hw4/hw6 only (not hw2) 16-23 MAXGAIN3 ; (ie. 16 values in total) ; 24-31 MAXGAIN4 ;/ ;/ |
0 hw4/hw6: USE_MAC_CTRL ;\ 1 hw4/hw6: HW_CTRL_EN ; 2 hw4/hw6: SW_CHAIN_MASK_SEL ; hw4/hw6 only 4-6 hw4/hw6: LOW_PWR_CHAIN_MASK ; 8-10 hw4/hw6: HI_PWR_CHAIN_MASK ;/ |
0-7 MASK1 8-15 MASK2 16-23 MASK3 |
0 DISABLE_TSF_UPDATE 1 KEY_SEARCH_AD1 2 TX_TSF_STATUS_SEL 3 RX_TSF_STATUS_SEL 4 CLK_EN 5 TX_DESC_EN 6 ACK_CTS_MATCH_TX_AD2 7 BA_USES_AD1 8 hw6: WMAC_CLK_SEL 9 hw6: FILTER_PASS_HOLD |
0-31 VALUE |
0 JOINED_RX_CLEAR 1 EXT_PIFS_ENABLE 2 TX_HT20_ON_EXT_BUSY 3 SWAMPED_FORCES_RX_CLEAR_CTL_IDLE 4-15 PIFS_CYCLES |
0-31 VALUE |
0-2 VALUE 3 hw6: ONE_RESP_EN 4 hw6: FORCE_CHAIN_0 |
0-3 COMPRESSED_OFFSET 4-7 ACK_POLICY_OFFSET 8 COMPRESSED_VALUE 9 ACK_POLICY_VALUE 10 FORCE_NO_MATCH 11 TX_BA_CLEAR_BA_VALID 12 UPDATE_BA_BITMAP_QOS_NULL |
0-7 EIFS_MINUS_DIFS 8-12 MIN_LENGTH |
0-7 MASK_VALUE 16-23 EIFS_VALUE 24-31 hw6: AIFS_VALUE |
0-14 TX_TIMER 15 TX_TIMER_ENABLE 16-19 RIFS_TIMER 20-24 QUIET_TIMER 25 QUIET_TIMER_ENABLE |
0-11 USABLE_ENTRIES 16 TX_FIFO_WRAP_ENABLE |
16-31 QOS |
0-7 FRAME_CONTROL_L (R) 8-15 FRAME_CONTROL_H (R) 16-23 DURATION_L (R) 24-31 DURATION_H (R) |
0-17 VALUE (R) |
0-26 VALUE (R) |
0-23 VALUE (R) |
0-7 MCS0 / MCS4 8-15 MCS1 / MCS5 16-23 MCS2 / MCS6 24-31 MCS3 / MCS7 |
0-7 MCS0 / MCS4 8-15 MCS1 / MCS5 16-23 MCS2 / MCS6 24-31 MCS3 / MCS7 |
0-5 RATE8 / RATE13 / RATE26 6-11 RATE9 / RATE14 / RATE27 12-17 RATE10 / RATE15 / RATE28 18-23 RATE11 / RATE24 / RATE29 24-29 RATE12 / RATE25 / RATE30 |
0 ENABLE 1 DIRECTED 2 BCAST 3 MCAST 4 RTS 5 ACK 6 CTS 7 RETRY 8 MORE_DATA 9 MORE_FRAG 10 RATE_HIGH 11 RATE_LOW 12 RSSI 13 LENGTH_HIGH 14 LENGTH_LOW 15 EOSP 16 AMPDU 17 hw4.2: BEACON ;-hw6 and newer "hw4.2" revision only 18 hw6: RSSI_HIGH ;-hw6 only |
0 STATUS |
0-7 RATE_HIGH 8-15 RATE_LOW 16-23 RSSI_LOW 24-31 hw6: RSSI_HIGH |
0-11 LENGTH_HIGH 12-23 LENGTH_LOW |
0-7 RATE_HIGH 8-15 RATE_LOW 16-23 RSSI_HIGH 24-31 RSSI_LOW |
0-11 LENGTH_HIGH 12-23 LENGTH_LOW 24-31 XCAST_RSSI_HIGH |
0-7 PRESP_RSSI_HIGH 8-15 MGMT_RSSI_HIGH 16-23 BEACON_RSSI_HIGH 24-31 NULL_RSSI_HIGH |
0-7 PREQ_RSSI_HIGH 8-15 PS_POLL_RSSI_HIGH |
0-5 PHY_RATE_HIGH 6-11 PHY_RATE_LOW 12-17 RSSI_HIGH 18-23 RSSI_LOW 24-29 XCAST_RSSI_HIGH |
0-5 LENGTH_HIGH 6-11 LENGTH_LOW 12-17 PRESP_RSSI_HIGH 18-23 RETX 24-29 RTS |
0-5 XCAST 6-11 PRESP 12-17 ATIM 18-23 MGMT 24-29 BEACON |
0-5 MORE 6-11 EOSP 12-17 AMPDU 18-23 AMSDU 24-29 PS_POLL |
0-5 PREQ 6-11 NULL 12-17 BEACON_SSID 18-23 MGMT_RSSI_HIGH 24-29 BEACON_RSSI_HIGH |
0-5 NULL_RSSI_HIGH 6-11 PREQ_RSSI_HIGH 12-17 PS_POLL_RSSI_HIGH |
0-31 WEIGHT |
0-31 DATA |
0-31 DATA |
0-31 DATA |
_________________________________ hw6 only _________________________________ |
0-31 MCS ;-hw6 only |
0-11 MIN ;\hw6 only 16-27 MAX ;/ |
0-7 V_ACTION_VALUE ;\ 8-15 CV_ACTION_VALUE ; hw6 only 16-23 CATEGORY_VALUE ; 24-27 FRAME_SUBTYPE_VALUE ; 28-29 FRAME_TYPE_VALUE ;/ |
0-3 FRAME_SUBTYPE_VALUE ;-hw6 only |
0-31 VALUE ;-hw6 only |
0-15 VALUE ;-formerly bit0-15 of "PCU_MAX_CFP_DUR" 16-19 USEC_FRAC_NUMERATOR ;-formerly bit0-3 of "MAC_PCU_MAX_CFP_DUR" 24-27 USEC_FRAC_DENOMINATOR ;-formerly bit4-7 of "MAC_PCU_MAX_CFP_DUR" |
0-7 RSSI2_LOW_THRESH 16-23 RSSI2_HIGH_THRESH 29 RESET2 |
0-2 MMSS ;\ 3-4 CEC ; hw6 only 5 STAGGER_SOUNDING ;/ |
0-4 VALUE ;\ 5 DISABLE ; 6 EXTXBF_IMMEDIATE_RESP ; hw6 only 7 DELAY_EXTXBF_ONLY_UPLOAD_H ; 8 EXTXBF_NOACK_NORPT ;/ |
0-31 VALUE |
0-31 VALUE |
0-15 VALUE |
0-6 SCALER |
0-11 DEL |
0-29 DBG |
0-27 DBG |
0-9 DBG 10 DATAPATH_SEL 31 SFT_RST_N |
0 ENABLE 1 UPLOAD_H_DISABLE |
0-31 VALUE |
0 TSF2_ENABLE 1 TS_TSF_SEL 2 TSF1_UPDATE 3 TSF2_UPDATE 4 MY_BEACON_OVERRIDE 5 MY_BEACON2_OVERRIDE 6 BMISS_CNT_TSF_SEL 7 BMISS_CNT_OVERRIDE 8-31 RESERVED |
0-31 DATA |
0 ENABLE 1 AC_MASK_BE 2 AC_MASK_BK 3 AC_MASK_VI 4 AC_MASK_VO 5 HPQON_UAPSD 6 FRAME_FILTER_ENABLE0 7 FRAME_BSSID_MATCH0 8-9 FRAME_TYPE0 10-11 FRAME_TYPE_MASK0 12-15 FRAME_SUBTYPE0 16-19 FRAME_SUBTYPE_MASK0 20 UAPSD_EN 21 PM_CHANGE 22 NON_UAPSD_EN 23 UAPSD_AC_MUST_MATCH 24 UAPSD_ONLY_QOS |
0-31 VALUE |
0 CRC_ENABLE 1 RESET_CRC 2 EXCLUDE_BCN_INTVL 3 EXCLUDE_CAP_INFO 4 EXCLUDE_TIM_ELM 5 EXCLUDE_ELM0 6 EXCLUDE_ELM1 7 EXCLUDE_ELM2 8-15 ELM0_ID 16-23 ELM1_ID 24-31 ELM2_ID |
0 FILTER_INTERVAL_ENABLE 1 RESET_INTERVAL 2 EXCLUDE_ELM3 8-15 FILTER_INTERVAL 16-23 ELM3_ID |
0 ENABLE 1 PS_SAVE_ENABLE |
0 MASK_ENABLE |
0-31 VALUE |
0-7 AVE_VALUE 8-10 NUM_FRAMES_EXPONENT 11 ENABLE 12 RESET |
0 USE_WBTIMER_TX_TS 1 USE_WBTIMER_RX_TS |
0-15 CNT |
_____________________ Wake on Wireless (WOW) hw6 only _____________________ |
0-7 PATTERN_ENABLE 8-15 PATTERN_DETECT (R) 16 MAGIC_ENABLE 17 MAGIC_DETECT (R) 18 INTR_ENABLE 19 INTR_DETECT (R) 20 KEEP_ALIVE_FAIL (R) 21 BEACON_FAIL (R) 28-31 CW_BITS |
0-7 AIFS 8-15 SLOT 16-23 TRY_CNT |
0 ENABLE |
0-31 TIMEOUT |
0-7 PATTERN_ENABLE 8-15 PATTERN_DETECT (R) |
0-15 RX_ABORT_ENABLE |
0-15 RXBUF_START_ADDR (R) |
0 AUTO_DISABLE 1 FAIL_DISABLE 2 BKOFF_CS_ENABLE |
0-7 OFFSET0 / OFFSET4 / OFFSET8 / OFFSET12 ;<-- 1st offset in LSBs 8-15 OFFSET1 / OFFSET5 / OFFSET9 / OFFSET13 16-23 OFFSET2 / OFFSET6 / OFFSET10 / OFFSET14 24-31 OFFSET3 / OFFSET7 / OFFSET11 / OFFSET15 |
0-7 PATTERN_3 / PATTERN_7 / PATTERN_11 / PATTERN_15 8-15 PATTERN_2 / PATTERN_6 / PATTERN_10 / PATTERN_14 16-23 PATTERN_1 / PATTERN_5 / PATTERN_9 / PATTERN_13 24-31 PATTERN_0 / PATTERN_4 / PATTERN_8 / PATTERN_12 ;1st pattern in MSBs |
0-7 LENGTH 8-15 OFFSET |
0-15 EN |
_________________________________ hw4 only _________________________________ |
0-15 VALUE |
0-3 USEC_FRAC_NUMERATOR 4-7 USEC_FRAC_DENOMINATOR |
0-63 VALUE |
0-63 VALUE |
0-31 DATA |
0-31 DATA |
_________________________________ hw2 only _________________________________ |
0 BFCOEF_RX_UPDATE_NORMAL 1 BFCOEF_RX_UPDATE_SELF_GEN 2 BFCOEF_TX_ENABLE_NORMAL 3 BFCOEF_TX_ENABLE_SELF_GEN 4 BFCOEF_TX_ENABLE_GEN 5 BFCOEF_TX_ENABLE_MCAST 6 FILTER_PASS_IF_ALL 7 FILTER_PASS_IF_DIRECTED 8 FILTER_PASS_IF_MCAST 9 FILTER_PASS_IF_BCAST 10 FILTER_PASS_MC_BC_BSSID |
0-15 BEACON_PERIOD 16-22 TIM_OFFSET 23 unspecified 24 RESET_TSF <--- related to hw4/hw6: see MAC_PCU_RESET_TSF ? |
unspecified |
unspecified ;MAYBE related to MAC_PCU_BT_WL_1..4 or so in hw4/hw6 (?) |
unspecified |
0-7 TSF_INCREMENT (hw2: ini:1) ;-hw2 only |
0-7 ACKSIFS_INCREMENT_RESERVED (hw2: ini:0) ;-hw2 only |
0-9 NORMAL_RESERVED 10-19 TURBO_RESERVED |
0-15 DUR_RATE_TO_DURATION |
0-4 RTD_RATE_TO_DB_0 8-12 RTD_RATE_TO_DB_1 16-20 RTD_RATE_TO_DB_2 24-28 RTD_RATE_TO_DB_3 |
0-4 DTR_DB_TO_RATE_0 8-12 DTR_DB_TO_RATE_1 16-20 DTR_DB_TO_RATE_2 24-28 DTR_DB_TO_RATE_3 |
0-31 KC_KEY_31_0 ;aka byte 00h..03h ? 0-15 KC_KEY_47_32 ;aka byte 04h..05h (and 06h..07h unused?) ? 0-31 KC_KEY_79_48 ;aka byte 08h..0Bh ? 0-15 KC_KEY_95_80 ;aka byte 0Ch..0Dh (and 0Eh..0Fh unused?) ? 0-31 KC_KEY_127_96 ;aka byte 10h..13h ? 0-2 KC_KEY_TYPE ;\ 3 KC_LAST_ANTENNA ; 4-8 KC_ASYNC_ACK_OFFSET ; 9 KC_UPDATE_BEAM_FORMING ;aka byte 14h..15h (and 16h..17h unused?) ? 10 KC_RX_CHAIN_0_ACK_ANT ; 11 KC_RX_CHAIN_1_ACK_ANT ; 12 KC_TX_CHAIN_0_ANT_SEL ; 13 KC_TX_CHAIN_1_ANT_SEL ; 14 KC_TX_CHAIN_SEL ;/ 0-31 KC_ADDR_32_1 ;aka byte 18h..1Bh ? (no bit 0 ?) 0-14 KC_ADDR_47_33 ;aka byte 1Ch..1Dh (and 1Eh..1Fh unused?) ? 1 KC_VALID ;aka byte 20h (and 21h..xxh unused?) ? |
0-23 TSF 24-30 KEYIDX 31 KEY_VALID (hw2: ini:0) |
0-22 THRESH (hw2: ini:0) 23 unspecified 24-31 LOCK (hw2: ini:0) |
0-15 KCMASK_47_32 (hw2: ini:0000h) 16 KCMASK_31_0 (hw2: ini:0) |
___________________________ hw2 "MCI" registers ___________________________ |
0 MCI_ENABLE (hw2: ini:0) 1 OLA_ENABLE (hw2: ini:1) 2 PREEMPT_ENABLE (hw2: ini:1) 3 CHANNEL_BUSY_ENABLE (hw2: ini:1) 4-9 EARLY_NOTIFY_DELAY (hw2: ini:5) 10 BMISS_FORCE_WL (hw2: ini:0) 11 SLEEP_FORCE_BT (hw2: ini:1) 12 HP_QCU_STOMP_BT (hw2: ini:0) 31 MCI_BUSY |
0 ACT_RPT_RCV_INT (hw2: stat and enable: ini:0) 1 ACT_DEN_RCV_INT (hw2: stat and enable: ini:0) 2 FRQ_RPT_RCV_INT (hw2: stat and enable: ini:0) 3 QOS_RPT_RCV_INT (hw2: stat and enable: ini:0) 4 GEN_RPT_RCV_INT (hw2: stat and enable: ini:0) |
unspecified |
unspecified |
0-7 ACT_RPT_RCV_CNT (hw2: ini:0) 8-15 QC_CNT (hw2: ini:0) 16-23 OLA_CNT (hw2: ini:0) 24-31 PREEMPT_CNT (hw2: ini:0) |
___________ hw2 MAC_PCU registers (moved to RTC WLAN in hw4/hw6) ___________ |
__________________________ outcommented hw2 stuff __________________________ |
0-3 outcommented:COUNT (hw2: ini:8) ;\ 4-7 outcommented:INTERVAL (hw2: ini:0Ah) ; hw2 only 8 outcommented:ENABLE (hw2: ini:1) ; (although it's 9 outcommented:AUTO_CAL (hw2: ini:1) ; outcommented even 10 outcommented:VALUE_WE (hw2: ini:0) ; in hw2 source code) 16-31 outcommented:VALUE (hw2: ini:8000h) ;/ |
0-7 outcommented:TIME_OFFSET (hw2: ini:0) 8 outcommented:MASTER (hw2: ini:0) 9 outcommented:REPLACE (hw2: ini:0) 10 outcommented:TUNE (hw2: ini:0) 11 outcommented:CLEAR (hw2: ini:0) 16-31 outcommented:INTR_THRESH (hw2: ini:FFFFh) |
0-30 outcommented:TIME 31 - |
0-47 outcommented:MCAST_ADDR (hw2: ini:0) 48-63 - |
0-31 outcommented:INC |
| DSi Atheros Wifi - Internal I/O - 029800h - BB Baseband (hw4/hw6) |
0-3 CF_TSTTRIG_SEL 4 CF_TSTTRIG 5-6 CF_RFSHIFT_SEL 8-9 CARDBUS_MODE 10 CLKOUT_IS_CLK32 13 ENABLE_RFSILENT_BB 15 ENABLE_MINI_OBS 17 SLOW_CLK160 18 AGC_OBS_SEL_3 19-22 CF_BBB_OBS_SEL 23 RX_OBS_SEL_5TH_BIT 24 AGC_OBS_SEL_4 28 FORCE_AGC_CLEAR 30-31 TSTDAC_OUT_SEL |
0 TURBO 1 CF_SHORT20 2 DYN_20_40 3 DYN_20_40_PRI_ONLY 4 DYN_20_40_PRI_CHN 5 DYN_20_40_EXT_CHN 6 HT_ENABLE 7 ALLOW_SHORT_GI 8 CF_2_CHAINS_USE_WALSH 9 hw4: CF_SINGLE_HT_LTF1 ;-hw4 9 hw6: CF_3_CHAINS_USE_WALSH ;-hw6 10 GF_ENABLE 11 hw4: BYPASS_DAC_FIFO_N ;-hw4 11 hw6: ENABLE_DAC_ASYNC_FIFO ;\ 14 hw6: BOND_OPT_CHAIN_SEL ; 15 hw6: STATIC20_MODE_HT40_PACKET_HANDLING ; 16 hw6: STATIC20_MODE_HT40_PACKET_ERROR_RPT ; hw6 17 hw6: ENABLE_CSD_PHASE_DITHERING ; 18-24 hw6: UNSUPP_HT_RATE_THRESHOLD ; 25 hw6: EN_ERR_TX_CHAIN_MASK_ZERO ; 26 hw6: IS_MCKINLEY_TPC ;/ |
0 CF_TSTDAC_EN 1 CF_TX_SRC_IS_TSTDAC 2-4 CF_TX_OBS_SEL 5-6 CF_TX_OBS_MUX_SEL 7 CF_TX_SRC_ALTERNATE 8 CF_TSTADC_EN 9 CF_RX_SRC_IS_TSTADC 10-13 RX_OBS_SEL 14 DISABLE_A2_WARM_RESET 15 RESET_A2 16-18 AGC_OBS_SEL 19 CF_ENABLE_FFT_DUMP 23 CF_DEBUGPORT_IN 27 DISABLE_AGC_TO_A2 28 CF_DEBUGPORT_EN 29-30 CF_DEBUGPORT_SEL |
0-6 STE_THR 7-12 STE_TO_LONG1 13-16 TIMING_BACKOFF 17 ENABLE_HT_FINE_PPM 18-19 HT_FINE_PPM_STREAM 20-21 HT_FINE_PPM_QAM 22 ENABLE_LONG_CHANFIL 23 ENABLE_RX_STBC 24 ENABLE_CHANNEL_FILTER 25-26 FALSE_ALARM 27 ENABLE_LONG_RESCALE 28 TIMING_LEAK_ENABLE 29-30 COARSE_PPM_SELECT 31 FFT_SCALING |
0-11 FORCED_DELTA_PHI_SYMBOL 12 FORCE_DELTA_PHI_SYMBOL 13 ENABLE_MAGNITUDE_TRACK 14 ENABLE_SLOPE_FILTER 15 ENABLE_OFFSET_FILTER 16-22 DC_OFF_DELTAF_THRES 24-26 DC_OFF_TIM_CONST 27 ENABLE_DC_OFFSET 28 ENABLE_DC_OFFSET_TRACK 29 ENABLE_WEIGHTING 30 TRACEBACK128 31 ENABLE_HT_FINE_TIMING |
0-7 PPM_RESCUE_INTERVAL 8 ENABLE_PPM_RESCUE 9 ENABLE_FINE_PPM 10 ENABLE_FINE_INTERP 11 CONTINUOUS_PPM_RESCUE 12 ENABLE_DF_CHANEST 13-16 DELTA_SLOPE_COEF_EXP 17-31 DELTA_SLOPE_COEF_MAN |
0-7 OLD_ID (R) 8-31 ID (R) |
0 CF_ACTIVE |
0-7 TX_FRAME_TO_ADC_OFF 8-15 TX_FRAME_TO_A2_RX_OFF 16-23 TX_FRAME_TO_DAC_ON 24-31 TX_FRAME_TO_A2_TX_ON |
0-7 TX_FRAME_TO_TX_D_START 8-15 TX_FRAME_TO_PA_ON 16-23 TX_END_TO_PA_OFF 24-31 TX_END_TO_A2_TX_OFF |
0-7 TX_END_TO_DAC_OFF 8-15 TX_FRAME_TO_THERM_CHAIN_ON 16-23 TX_END_TO_A2_RX_ON 24-31 TX_END_TO_ADC_ON |
12 OFF_DACLPMODE 13 OFF_PWDDAC 15 OFF_PWDADC 28 ON_DACLPMODE 29 ON_PWDDAC 31 ON_PWDADC |
0-7 TX_FRAME_TO_XPAA_ON 8-15 TX_FRAME_TO_XPAB_ON 16-23 TX_END_TO_XPAA_OFF 24-31 TX_END_TO_XPAB_OFF |
0 XPAA_ACTIVE_HIGH 1 XPAB_ACTIVE_HIGH 2 ENABLE_XPAA 3 ENABLE_XPAB |
0-10 CF_TSTDAC_CONSTANT_I 11-21 CF_TSTDAC_CONSTANT_Q |
0-5 RELSTEP_LOW 6-11 FIRSTEP_LOW 12-19 FIRPWR_LOW 20-23 YCOK_MAX_LOW 24-30 LONG_SC_THRESH |
0-6 AGC_SETTLING 7-13 SWITCH_SETTLING 14-19 ADCSAT_THRL 20-25 ADCSAT_THRH 26-29 LBRESET_ADVANCE |
7-13 hw4: XATTEN1_HYST_MARGIN_0/1 ;\ ;\separate settings in B0/B1 14-20 hw4: XATTEN2_HYST_MARGIN_0/1 ; hw4 ;/ 21 hw4: GAIN_FORCE ; ;\global setting (not in B1) 31 hw4: ENABLE_SHARED_RX ;/ ;/ 0-7 hw6: RF_GAIN_F_0/1 ;\ ;\ 8-15 hw6: MB_GAIN_F_0/1 ; ; 16 hw6: XATTEN1_SW_F_0/1 ; hw6 ; separate settings in B0/B1 17 hw6: XATTEN2_SW_F_0/1 ; ; 18-24 hw6: XATTEN1_HYST_MARGIN_0/1 ; ; 25-31 hw6: XATTEN2_HYST_MARGIN_0/1 ;/ ;/ |
0-6 OFFSETC1 ;\ ;\global setting 7-11 OFFSETC2 ; hw4/hw6 ; (not in B1 register) 12-16 OFFSETC3 ;/ ;/ 17-24 hw4: RF_GAIN_F_0/1 ;\ ;\separate settings 25 hw4: XATTEN1_SW_F_0/1 ; hw4 ; in B0/B1 registers 26 hw4: XATTEN2_SW_F_0/1 ;/ ;/ 17 hw6: GAIN_FORCE ;\ ;\ 18 hw6: CF_AGC_HIST_ENABLE ; ; global setting 19 hw6: CF_AGC_HIST_GC ; hw6 ; (hw6 doesn't have 20 hw6: CF_AGC_HIST_VOTING ; ; a B1 register at all) 21 hw6: CF_AGC_HIST_PHY_ERR ;/ ;/ |
0-7 ADC_DESIRED_SIZE 20-27 TOTAL_DESIRED 28-29 INIT_GC_COUNT_MAX 30 REDUCE_INIT_GC_COUNT 31 ENA_INIT_GAIN |
0-6 STE_THR_HI_RSSI ;-hw4/hw6 7 hw6: USE_HTSIG1_20_40_BW_VALUE ;-hw6 |
0-5 RELSTEP 6-11 RELPWR 12-17 FIRSTEP 18-25 FIRPWR 26-31 M1COUNT_MAX |
0-6 COARSEPWR_CONST 7-14 COARSE_LOW 15-21 COARSE_HIGH 22-29 QUICK_DROP 30-31 RSSI_OUT_SELECT |
0 DO_CALIBRATE 1 DO_NOISEFLOOR 3-5 MIN_NUM_GAIN_CHANGE 6-9 YCOK_MAX 10 LEAKY_BUCKET_ENABLE 11 CAL_ENABLE 12 USE_TABLE_SEED 13 AGC_UPDATE_TABLE_SEED 15 ENABLE_NOISEFLOOR 16 ENABLE_FLTR_CAL 17 NO_UPDATE_NOISEFLOOR 18 EXTEND_NF_PWR_MEAS 19 CLC_SUCCESS (R) 20 ENABLE_PKDET_CAL |
0-8 CF_MAXCCAPWR_0 ;-separate settings (on hw6) 9-11 CF_CCA_COUNT_MAXC ;\global setting (not in B1) 12-19 CF_THRESH62 ;/ 20-28 MINCCAPWR_0 (R) ;-separate settings (on hw6) |
0-4 M2COUNT_THR 5-10 ADCSAT_THRESH 11-16 ADCSAT_ICOUNT 17-23 M1_THRES 24-30 M2_THRES |
0 USE_SELF_CORR_LOW 1-7 M1COUNT_MAX_LOW 8-13 M2COUNT_THR_LOW 14-20 M1_THRESH_LOW 21-27 M2_THRESH_LOW |
0-16 RFCHANFRAC 17-25 RFCHANNEL 26-27 RFAMODEREFSEL 28 RFFRACMODE 29 RFBMODE 30 RFSYNTH_CTRL_SSHIFT |
2-3 BB_DAC_CLK_SELECT 4-5 BB_ADC_CLK_SELECT |
0-9 BB_PLL_DIV 10-13 BB_PLL_REFDIV 14-15 BB_PLL_CLK_SEL 16 BB_PLLBYPASS 17-27 BB_PLL_SETTLE_TIME |
0-9 CF_PUNC_MASK_A / CF_PUNC_MASK_B 10-16 CF_PUNC_MASK_IDX_A / CF_PUNC_MASK_IDX_B |
0-4 CF_PILOT_MASK_A / CF_CHAN_MASK_A 5-11 CF_PILOT_MASK_IDX_A / CF_CHAN_MASK_IDX_A 12-16 CF_PILOT_MASK_B / CF_CHAN_MASK_B 17-23 CF_PILOT_MASK_IDX_B / CF_CHAN_MASK_IDX_B |
0 SPECTRAL_SCAN_ENA 1 SPECTRAL_SCAN_ACTIVE 2 DISABLE_RADAR_TCTL_RST 3 DISABLE_PULSE_COARSE_LOW 4-7 SPECTRAL_SCAN_FFT_PERIOD 8-15 SPECTRAL_SCAN_PERIOD 16-27 SPECTRAL_SCAN_COUNT 28 SPECTRAL_SCAN_SHORT_RPT 29 SPECTRAL_SCAN_PRIORITY 30 SPECTRAL_SCAN_USE_ERR5 31 hw6: SPECTRAL_SCAN_COMPRESSED_RPT ;-hw6 |
0 hw6: SPECTRAL_SCAN_RPT_MODE ;\hw6 1-8 hw6: SPECTRAL_SCAN_NOISE_FLOOR_REF ;/ |
0-13 ACTIVE_TO_RECEIVE |
0-11 SEARCH_START_DELAY 12 ENABLE_FLT_SVD 13 ENABLE_SEND_CHAN 14 hw6: RX_SOUNDING_ENABLE 15 hw6: RM_HCSD4SVD |
0-11 MAX_RX_LENGTH 12-29 MAX_HT_LENGTH |
12-15 CAL_LG_COUNT_MAX 16 DO_GAIN_DC_IQ_CAL 17-20 USE_PILOT_TRACK_DF 21-27 EARLY_TRIGGER_THR 28 ENABLE_PILOT_MASK 29 ENABLE_CHAN_MASK 30 ENABLE_SPUR_FILTER 31 ENABLE_SPUR_RSSI |
0 ENABLE_CYCPWR_THR1 1-7 CYCPWR_THR1 15 ENABLE_RSSI_THR1A 16-22 RSSI_THR1A 23-29 LONG_SC_THRESH_HI_RSSI 30 FORCED_AGC_STR_PRI 31 FORCED_AGC_STR_PRI_EN |
0 PHYONLY_RST_WARM_L |
0 RX_DRAIN_RATE 1 LATE_TX_SIGNAL_SYMBOL 2 GENERATE_SCRAMBLER 3 TX_ANTENNA_SELECT 4 STATIC_TX_ANTENNA 5 RX_ANTENNA_SELECT 6 STATIC_RX_ANTENNA 7 EN_LOW_FREQ_SLEEP |
6 USE_PER_PACKET_POWERTX_MAX 7 hw6: USE_PER_PACKET_OLPC_GAIN_DELTA_ADJ |
8-13 BLOCKER40_MAX_RADAR 14 ENABLE_EXT_RADAR 15-22 RADAR_DC_PWR_THRESH 23-30 RADAR_LB_DC_CAP 31 DISABLE_ADCSAT_HOLD |
0-1 CF_OVERLAP_WINDOW 2 CF_SCALE_SHORT 3-5 CF_TX_CLIP 6-7 CF_TX_DOUBLESAMP_DAC 8-15 TX_END_ADJUST 16 PREPEND_CHAN_INFO 17 SHORT_HIGH_PAR_NORM 18 EN_ERR_GREEN_FIELD 19 hw4: EN_ERR_XR_POWER_RATIO 19 hw6: EN_ERR_STATIC20_MODE_HT40_PACKET 20 EN_ERR_OFDM_XCORR 21 EN_ERR_LONG_SC_THR 22 EN_ERR_TIM_LONG1 23 EN_ERR_TIM_EARLY_TRIG 24 EN_ERR_TIM_TIMEOUT 25 EN_ERR_SIGNAL_PARITY 26 EN_ERR_RATE_ILLEGAL 27 EN_ERR_LENGTH_ILLEGAL 28 hw4: EN_ERR_HT_SERVICE 28 hw6: NO_6MBPS_SERVICE_ERR 29 EN_ERR_SERVICE 30 EN_ERR_TX_UNDERRUN 31 EN_ERR_RX_ABORT |
0-7 HI_RSSI_THRESH 8-14 EARLY_TRIGGER_THR_HI_RSSI 15-20 OFDM_XCORR_THRESH 21-27 OFDM_XCORR_THRESH_HI_RSSI 28-31 LONG_MEDIUM_RATIO_THR |
0-7 SPUR_RSSI_THRESH 8 EN_VIT_SPUR_RSSI 17 ENABLE_MASK_PPM 18-25 MASK_RATE_CNTL 26 hw6: ENABLE_NF_RSSI_SPUR_MIT |
0-6 RX_IQCORR_Q_Q_COFF_0/1 ;\separate settings (on hw6) 7-13 RX_IQCORR_Q_I_COFF_0/1 ;/ 14 RX_IQCORR_ENABLE ;-global setting (not in B1) 15-21 LOOPBACK_IQCORR_Q_Q_COFF_0/1 ;\separate settings (on hw6) 22-28 LOOPBACK_IQCORR_Q_I_COFF_0/1 ;/ 29 LOOPBACK_IQCORR_ENABLE ;-global setting (not in B1) |
0 PULSE_DETECT_ENABLE 1-5 PULSE_IN_BAND_THRESH 6-11 PULSE_RSSI_THRESH 12-17 PULSE_HEIGHT_THRESH 18-23 RADAR_RSSI_THRESH 24-30 RADAR_FIRPWR_THRESH 31 ENABLE_RADAR_FFT |
0-7 RADAR_LENGTH_MAX 8-12 PULSE_RELSTEP_THRESH 13 ENABLE_PULSE_RELSTEP_CHECK 14 ENABLE_MAX_RADAR_RSSI 15 ENABLE_BLOCK_RADAR_CHECK 16-21 RADAR_RELPWR_THRESH 22 RADAR_USE_FIRPWR_128 23 ENABLE_RADAR_RELPWR_CHECK 24-26 CF_RADAR_BIN_THRESH_SEL 27 ENABLE_PULSE_GC_COUNT_CHECK |
0 CF_PHASE_RAMP_ENABLE 1-6 CF_PHASE_RAMP_BIAS 7-16 CF_PHASE_RAMP_INIT 17-24 CF_PHASE_RAMP_ALPHA |
0-1 SWITCH_TABLE_IDLE 2-3 SWITCH_TABLE_T 4-5 SWITCH_TABLE_R 6-7 SWITCH_TABLE_RX1 8-9 SWITCH_TABLE_RX12 10-11 SWITCH_TABLE_B |
0-3 SWITCH_TABLE_COM_IDLE 4-7 SWITCH_TABLE_COM_T1 8-11 SWITCH_TABLE_COM_T2 12-15 SWITCH_TABLE_COM_B 16-19 hw6: SWITCH_TABLE_COM_IDLE_ALT ;\hw6 20-23 hw6: SWITCH_TABLE_COM_SPDT ;/ |
0-8 MINCCAPWR_THR_0/1 ;-separate settings (on hw6) 9 ENABLE_MINCCAPWR_THR ;-global setting (not in B1) 10-17 NF_GAIN_COMP_0/1 ;-separate settings (on hw6) 18 THRESH62_MODE ;-global setting (not in B1) |
0-3 hw4: SWITCH_TABLE_COM_RA1NXAL1 ;\ 4-7 hw4: SWITCH_TABLE_COM_RA2NXAL1 ; 8-11 hw4: SWITCH_TABLE_COM_RA1XAL1 ; 12-15 hw4: SWITCH_TABLE_COM_RA2XAL1 ; hw4 16-19 hw4: SWITCH_TABLE_COM_RA1NXAL2 ; 20-23 hw4: SWITCH_TABLE_COM_RA2NXAL2 ; 24-27 hw4: SWITCH_TABLE_COM_RA1XAL2 ; 28-31 hw4: SWITCH_TABLE_COM_RA2XAL2 ;/ 0-3 hw6: SWITCH_TABLE_COM_RA1L1 ;\ 4-7 hw6: SWITCH_TABLE_COM_RA2L1 ; 8-11 hw6: SWITCH_TABLE_COM_RA1L2 ; hw6 12-15 hw6: SWITCH_TABLE_COM_RA2L2 ; 16-19 hw6: SWITCH_TABLE_COM_RA12 ;/ |
0 ENABLE_RESTART 1-5 RESTART_LGFIRPWR_DELTA 6 ENABLE_PWR_DROP_ERR 7-11 PWRDROP_LGFIRPWR_DELTA 12-17 OFDM_CCK_RSSI_BIAS 18-20 ANT_FAST_DIV_GC_LIMIT 21 ENABLE_ANT_FAST_DIV_M2FLAG 22-28 WEAK_RSSI_VOTE_THR 29 ENABLE_PWR_DROP_ERR_CCK 30 DISABLE_DC_RESTART 31 RESTART_MODE_BW40 |
0-6 FIXED_SCRAMBLER_SEED |
0 RFBUS_REQUEST |
0-19 SPUR_DELTA_PHASE 20-29 SPUR_FREQ_SD 30 USE_SPUR_FILTER_IN_AGC 31 USE_SPUR_FILTER_IN_SELFCOR |
0-2 RX_CHAIN_MASK |
0 FORCE_ANALOG_GAIN_DIFF 1-7 FORCED_GAIN_DIFF_01 8 SYNC_SYNTHON 9 USE_POSEDGE_REFCLK 10-20 CF_SHORT_SAT 22-28 FORCED_GAIN_DIFF_02 29 FORCE_SIGMA_ZERO |
0-7 QUICKDROP_LOW 8 ENABLE_CHECK_STRONG_ANT 9-14 ANT_FAST_DIV_BIAS 15-20 CAP_GAIN_RATIO_SNR 21 CAP_GAIN_RATIO_ENA 22 CAP_GAIN_RATIO_MODE 23 ENABLE_ANT_SW_RX_PROT 24 ENABLE_ANT_DIV_LNADIV 25-26 ANT_DIV_ALT_LNACONF 27-28 ANT_DIV_MAIN_LNACONF 29 ANT_DIV_ALT_GAINTB 30 ANT_DIV_MAIN_GAINTB |
0-5 ADC_GAIN_CORR_Q_COEFF_0/1 ;\ 6-11 ADC_GAIN_CORR_I_COEFF_0/1 ; separate settings (on hw6) 12-20 ADC_DC_CORR_Q_COEFF_0/1 ; 21-29 ADC_DC_CORR_I_COEFF_0/1 ;/ 30 ADC_GAIN_CORR_ENABLE ;\global setting (not in B1) 31 ADC_DC_CORR_ENABLE ;/ |
0-7 THRESH62_EXT 8-15 ANT_DIV_ALT_ANT_MINGAINIDX 16-20 ANT_DIV_ALT_ANT_DELTAGAINIDX 21-26 ANT_DIV_ALT_ANT_DELTANF |
0-8 CF_MAXCCAPWR_EXT_0/1 ;-separate settings (on hw6) 9-15 CYCPWR_THR1_EXT ;-global setting (not in B1) 16-24 MINCCAPWR_EXT_0/1 (R) ;-separate settings (on hw6) |
0-6 M1_THRES_EXT 7-13 M2_THRES_EXT 14-20 M1_THRES_LOW_EXT 21-27 M2_THRES_LOW_EXT 28 SPUR_SUBCHANNEL_SD |
0-3 DET_DIFF_WIN_WEAK 4-7 DET_DIFF_WIN_WEAK_LOW 8-12 DET_DIFF_WIN_WEAK_CCK 13-15 DET_20H_COUNT 16-18 DET_EXT_BLK_COUNT 19-24 WEAK_SIG_THR_CCK_EXT 25-28 DET_DIFF_WIN_THRESH |
0-4 PWRDIFF40_THRSTR 5-10 BLOCKER40_MAX 11-15 DET40_PWRSTEP_MAX 16-23 DET40_THR_SNR 24-28 DET40_PRI_BIAS 29 PWRSTEP40_ENA 30 LOWSNR40_ENA |
0-3 DELTA_SLOPE_COEF_EXP_SHORT_GI 4-18 DELTA_SLOPE_COEF_MAN_SHORT_GI |
0 CAPTURE_CHAN_INFO 1 DISABLE_CHANINFOMEM 2 hw6: CAPTURE_SOUNDING_PACKET 3 hw6: CHANINFOMEM_S2_READ |
0-8 CF_HEAVY_CLIP_ENABLE 9 PRE_EMP_HT40_ENABLE 10-17 hw6: HEAVY_CLIP_FACTOR_XR ;-hw6 (moved from hw4's BB_RIFS_SRCH) |
0-7 HEAVY_CLIP FACTOR_0 / FACTOR_4 8-15 HEAVY_CLIP FACTOR_1 / FACTOR_5 16-23 HEAVY_CLIP FACTOR_2 / FACTOR_6 24-31 HEAVY_CLIP FACTOR_3 / FACTOR_7 |
0-7 hw4: HEAVY_CLIP_FACTOR_XR ;-hw4 (moved to BB_HEAVY_CLIP_CTRL in hw6) 8-15 INIT_GAIN_DB_OFFSET 16-25 RIFS_INIT_DELAY 26 RIFS_DISABLE_PWRLOW_GC 27 RIFS_DISABLE_CCK_DET |
0-1 GAIN_DC_IQ_CAL_MODE 2 TEST_CALADCOFF |
0-4 CSD_CHN1_2CHAINS 5-9 CSD_CHN1_3CHAINS 10-14 CSD_CHN2_3CHAINS |
0-31 GAIN_ENTRY |
0-15 TX_CRC (R) |
0-31 GAIN_DC_IQ_CAL_MEAS (R) |
0 RFBUS_GRANT (R) 1 BT_ANT (R) |
0-9 TSTADC_OUT_Q (R) 10-19 TSTADC_OUT_I (R) |
0-9 TSTDAC_OUT_Q (R) 10-19 TSTDAC_OUT_I (R) |
0 ILLEGAL_TX_RATE (R) |
0-7 SPUR_EST_I (R) 8-15 SPUR_EST_Q (R) 16-31 POWER_WITH_SPUR_REMOVED (R) |
0 BT_ACTIVE (R) 1 RX_CLEAR_RAW (R) 2 RX_CLEAR_MAC (R) 3 RX_CLEAR_PAD (R) 4-5 BB_SW_OUT_0 (R) 6-7 BB_SW_OUT_1 (R) 8-9 BB_SW_OUT_2 (R) 10-13 BB_SW_COM_OUT (R) 14-16 ANT_DIV_CFG_USED (R) |
0-7 RSSI (R) 8-15 RSSI_EXT (R) |
0-7 SPUR_EST_SD_I_CCK (R) 8-15 SPUR_EST_SD_Q_CCK (R) 16-23 SPUR_EST_I_CCK (R) 24-31 SPUR_EST_Q_CCK (R) |
0-11 NOISE_POWER (R) |
0-11 FINE_PPM (R) 12-18 hw6: ANALOG_GAIN_DIFF_01 (R) ;-hw6 |
0-11 COARSE_PPM (R) 12-21 FINE_TIMING (R) |
0-7 CHAN_INFO_RSSI (R) 8-15 CHAN_INFO_RF_GAIN (R) 16 hw4: CHAN_INFO_XATTEN1_SW (R) ;\hw4 (and hw4.2) 17 hw4: CHAN_INFO_XATTEN2_SW (R) ;/ 16-22 hw6: CHAN_INFO_MB_GAIN (R) ;\ 23 hw6: CHAN_INFO_XATTEN1_SW (R) ; hw6 24 hw6: CHAN_INFO_XATTEN2_SW (R) ;/ |
0-5 hw4: MAN_Q_0 ;\ (R) ;\ 6-11 hw4: MAN_I_0 ; aka B0 ? (R) ; 12-15 hw4: EXP_0 ;/ (R) ; hw4 (and hw4.2) 16-21 hw4: MAN_Q_1 ;\ (R) ; 22-27 hw4: MAN_I_1 ; aka B1 ? (R) ; 28-31 hw4: EXP_1 ;/ (R) ;/ 0-31 hw6: CHANINFO_WORD (R) ;-hw6 |
0 USE_OC_GAIN_TABLE 1 USE_PEAK_DET 2-7 PEAK_DET_WIN_LEN 8-12 PEAK_DET_TALLY_THR_LOW(_0) 13-17 PEAK_DET_TALLY_THR_MED(_0) 18-22 PEAK_DET_TALLY_THR_HIGH(_0) 23-29 PEAK_DET_SETTLING 30 PWD_PKDET_DURING_CAL 31 PWD_PKDET_DURING_RX |
0-9 RFSAT_2_ADD_RFGAIN_DEL 10-14 RF_GAIN_DROP_DB_LOW(_0) 15-19 RF_GAIN_DROP_DB_MED(_0) 20-24 RF_GAIN_DROP_DB_HIGH(_0) 25-29 RF_GAIN_DROP_DB_NON(_0) 30 hw6: ENABLE_RFSAT_RESTART |
0-7 RX_MAX_MB_GAIN 8-15 RX_MAX_RF_GAIN_REF 16-23 RX_MAX_RF_GAIN 24 RX_OCGAIN_SEL_2G 25 RX_OCGAIN_SEL_5G |
0-7 GC_RSSI_LOW_DB 8-15 RF_GAIN_REF_BASE_ADDR 16-23 RF_GAIN_BASE_ADDR 24-31 RF_GAIN_DIV_BASE_ADDR |
0-5 PKDET_CAL_WIN_THR 6-11 PKDET_CAL_BIAS 12-13 PKDET_CAL_MEAS_TIME_SEL |
0 USE_DIG_DC 1-3 DIG_DC_SCALE_BIAS 4-9 DIG_DC_CORRECT_CAP 10 hw6: DIG_DC_SWITCH_CCK ;-hw6 16-31 DIG_DC_MIXER_SEL_MASK |
0-8 DIG_DC_C1 RES_I_0 / RES_Q_0 / RES_I_1 / RES_Q_1 (R) 9-17 DIG_DC_C2 RES_I_0 / RES_Q_0 / RES_I_1 / RES_Q_1 (R) 18-26 DIG_DC_C3 RES_I_0 / RES_Q_0 / RES_I_1 / RES_Q_1 (R) |
0-7 TXFIR COEFF_H0 (4bit) / COEFF_H4 (6bit) / COEFF_H8 (8bit) 8-15 TXFIR COEFF_H1 (4bit) / COEFF_H5 (6bit) / COEFF_H9 (8bit) 16-23 TXFIR COEFF_H2 (5bit) / COEFF_H6 (7bit) / COEFF_H10 (8bit) 24-31 TXFIR COEFF_H3 (5bit) / COEFF_H7 (7bit) / COEFF_H11 (8bit) |
0 CCK_MODE 2 DYN_OFDM_CCK_MODE 5 HALF_RATE_MODE 6 QUARTER_RATE_MODE 7 MAC_CLK_MODE 8 DISABLE_DYN_CCK_DET 9 hw6: SVD_HALF_RATE_MODE ;\hw6 10 hw6: DISABLE_DYN_FAST_ADC ;/ |
0 DISABLE_SCRAMBLER 1 USE_SCRAMBLER_SEED 2-3 TX_DAC_SCALE_CCK 4 TXFIR_JAPAN_CCK 5 ALLOW_1MBPS_SHORT 6-8 TX_CCK_DELAY_1 9-11 TX_CCK_DELAY_2 |
0-5 WEAK_SIG_THR_CCK 6-12 ANT_SWITCH_TIME 13 ENABLE_ANT_FAST_DIV 14 LB_ALPHA_128_CCK 15 LB_RX_ENABLE_CCK 16 CYC32_COARSE_DC_EST_CCK 17 CYC64_COARSE_DC_EST_CCK 18 ENABLE_COARSE_DC_CCK 19 CYC256_FINE_DC_EST_CCK 20 ENABLE_FINE_DC_CCK 21 DELAY_START_SYNC_CCK 22 USE_DC_EST_DURING_SRCH 23 hw6: BBB_MRC_OFF_NO_SWAP ;\hw6 24 hw6: SWAP_DEFAULT_CHAIN_CCK ;/ 31 ENABLE_BARKER_TWO_PHASE |
0-5 XATTEN1_DB 6-11 XATTEN2_DB 12-16 XATTEN1_MARGIN 17-21 XATTEN2_MARGIN 22-26 hw6: XLNA_GAIN_DB ;-hw6 |
0-2 COARSE_TIM_THRESHOLD_2 3-7 COARSE_TIM_THRESHOLD 8-10 COARSE_TIM_N_SYNC 11-15 MAX_BAL_LONG 16-20 MAX_BAL_SHORT 21-23 RECON_LMS_STEP 24-30 SB_CHECK_WIN 31 EN_RX_ABORT_CCK |
0-5 FREQ_EST_N_AVG_LONG 6-11 CHAN_AVG_LONG 12-16 COARSE_TIM_THRESHOLD_3 17-21 FREQ_TRACK_UPDATE_PERIOD 22-25 FREQ_EST_SCALING_PERIOD 26-31 LOOP_COEF_DPSK_C2_DATA |
0-7 TIM_ADJUST_FREQ_DPSK 8-15 TIM_ADJUST_FREQ_CCK 16-23 TIMER_N_SFD |
0-3 TIMER_N_SYNC 4-15 TIM_ADJUST_TIMER_EXP 16 FORCE_UNLOCKED_CLOCKS 17 DYNAMIC_PREAM_SEL 18 SHORT_PREAMBLE 19-24 FREQ_EST_N_AVG_SHORT 25-30 CHAN_AVG_SHORT 31 hw6: USE_MRC_WEIGHT ;-hw6 |
0-4 LOOP_COEF_DPSK_C1_DATA 5-9 LOOP_COEF_DPSK_C1_HEAD 10-15 LOOP_COEF_DPSK_C2_HEAD 16-20 LOOP_COEF_CCK_C1 21-26 LOOP_COEF_CCK_C2 |
0-9 SYNC_START_DELAY 10 MAP_1S_TO_2S 11-20 START_IIR_DELAY 21 hw6: USE_MCORR_WEIGHT ;\ 22 hw6: USE_BKPWR_FOR_CENTER_INDEX ; 23 hw6: CCK_SEL_CHAIN_BY_EO ; hw6 24 hw6: FORCE_CCK_SEL_CHAIN ; 25 hw6: FORCE_CENTER_INDEX ;/ |
0 ENABLE_DAGC_CCK 1-8 DAGC_TARGET_PWR_CCK 9 ENABLE_BARKER_RSSI_THR 10-16 BARKER_RSSI_THR 17 ENABLE_FIRSTEP_SEL 18-23 FIRSTEP_2 24-27 FIRSTEP_COUNT_LGMAX 28-29 hw6: FORCE_RX_CHAIN_CCK_0 ;\hw6 30-31 hw6: FORCE_RX_CHAIN_CCK_1 ;/ |
0 FORCE_RX_ENABLE0 1 FORCE_RX_ENABLE1 2 FORCE_RX_ENABLE2 3 FORCE_RX_ENABLE3 4 FORCE_RX_ALWAYS 5 FORCE_TXSM_CLKEN |
0-9 OFDM_XR_RX_CLEAR_DELAY |
0 USE_CCK_SPUR_MIT 1-8 SPUR_RSSI_THR 9-28 CCK_SPUR_FREQ 29-30 SPUR_FILTER_TYPE |
0-2 (PANIC_)WATCHDOG_STATUS_1 3 hw4: (PANIC_)WATCHDOG_DET_HANG ;-hw4 3 hw6: (PANIC_)WATCHDOG_TIMEOUT ;-hw6 4-7 (PANIC_)WATCHDOG_STATUS_2 8-11 (PANIC_)WATCHDOG_STATUS_3 12-15 (PANIC_)WATCHDOG_STATUS_4 16-19 (PANIC_)WATCHDOG_STATUS_5 20-23 (PANIC_)WATCHDOG_STATUS_6 24-27 (PANIC_)WATCHDOG_STATUS_7 28-31 (PANIC_)WATCHDOG_STATUS_8 |
0 ENABLE_(PANIC_)WATCHDOG_(TIMEOUT_RESET_)NON_IDLE 1 ENABLE_(PANIC_)WATCHDOG_(TIMEOUT_RESET_)IDLE 2-15 (PANIC_)WATCHDOG_(TIMEOUT_RESET_)NON_IDLE_LIMIT 16-31 (PANIC_)WATCHDOG_(TIMEOUT_RESET_)IDLE_LIMIT |
0 FORCE_FAST_ADC_CLK 1 (PANIC_)WATCHDOG_(TIMEOUT_)RESET_ENA 2 (PANIC_)WATCHDOG_IRQ_ENA |
0-4 IQCORR_Q_Q_COFF_CCK 5-10 IQCORR_Q_I_COFF_CCK 11 ENABLE_IQCORR_CCK 12-13 RXCAL_MEAS_TIME_SEL 14-15 CLCAL_MEAS_TIME_SEL 16-20 CF_CLC_INIT_RFGAIN 21 hw4.2: CF_CLC_PAL_MODE ;-hw4.2 only (removed again in hw6) |
0 BT_BREAK_CCK_EN 1 BT_ANT_HALT_WLAN 2 hw6:ENABLE_RFBUS_GRANT_WAKEUP ;-hw6 |
0 FORCE_DAC_GAIN 1-5 FORCED_DAC_GAIN 6-13 PD_DC_OFFSET_TARGET 14-15 NUM_PD_GAIN 16-17 PD_GAIN_SETTING1 18-19 PD_GAIN_SETTING2 20-21 PD_GAIN_SETTING3 22 ENABLE_PD_CALIBRATE 23-28 PD_CALIBRATE_WAIT 29 FORCE_PDADC_GAIN 30-31 FORCED_PDADC_GAIN |
0-7 TX_FRAME_TO_PDADC_ON 8-15 TX_FRAME_TO_PD_ACC_OFDM 16-23 TX_FRAME_TO_PD_ACC_CCK |
0-7 TX_END_TO_PDADC_ON 8-15 TX_END_TO_PD_ACC_ON 16-18 PD_ACC_WINDOW_DC_OFF 19-21 PD_ACC_WINDOW_CAL 22-24 PD_ACC_WINDOW_OFDM 25-27 PD_ACC_WINDOW_CCK 31 TPC_CLK_GATE_ENABLE |
0 PD_AVG_VALID_0/1 (R) ;\ 1-8 PD_AVG_OUT_0/1 (R) ; 9-13 DAC_GAIN_0/1 (R) ; separate settings (on hw6) 14-19 TX_GAIN_SETTING_0/1 (R) ; 20-24 RATE_SENT_0/1 (R) ;/ 25-30 ERROR_EST_UPDATE_POWER_THRESH ;-global setting (not in B1) |
0-2 ANALOG_RX_SWAP_CNTL 3-5 ANALOG_TX_SWAP_CNTL 6 SWAP_ALT_CHN 7 ANALOG_DC_DAC_POLARITY 8 ANALOG_PKDET_DAC_POLARITY |
0-3 PD_GAIN_OVERLAP ;-global setting (not in B1) 4-9 PD_GAIN_BOUNDARY_1_0/1 ;\ 10-15 PD_GAIN_BOUNDARY_2_0/1 ; separate settings (on hw6) 16-21 PD_GAIN_BOUNDARY_3_0/1 ; 22-27 PD_GAIN_BOUNDARY_4_0/1 ;/ |
0-5 PD_DAC_SETTING_1 6-11 PD_DAC_SETTING_2 12-17 PD_DAC_SETTING_3 18-23 PD_DAC_SETTING_4 24-25 ERROR_EST_MODE 26-28 ERROR_EST_FILTER_COEFF |
0-5 TX_GAIN_TABLE_MAX 6-11 INIT_TX_GAIN_SETTING 12 EN_CL_GAIN_MOD 13 USE_TX_PD_IN_XPA 14 EXTEND_TX_FRAME_FOR_TPC 15 USE_INIT_TX_GAIN_SETTING_AFTER_WARM_RESET |
0-31 TAB_ENTRY (W) |
0-4 CL_GAIN_MOD 5-15 CARR_LK_DC_ADD_Q 16-26 CARR_LK_DC_ADD_I 27-30 BB_GAIN |
0-31 CL_MAP |
0 ENABLE_PARALLEL_CAL 1 ENABLE_CL_CALIBRATE 2-3 CF_CLC_TEST_POINT 4-7 CF_CLC_FORCED_PAGAIN 8-15 CARR_LEAK_MAX_OFFSET 16-21 CF_CLC_INIT_BBGAIN 22-29 CF_ADC_BOUND 30 USE_DAC_CL_CORRECTION 31 CL_MAP_HW_GEN |
25 DISABLE_FCC_FIX 26 ENABLE_RESET_TDOMAIN 27 DISABLE_FCC_FIX2 28 DISABLE_RIFS_CCK_FIX 29 DISABLE_ERROR_RESET_FIX 30 RADAR_USE_FDOMAIN_RESET |
0-5 POWERTX_0 / POWERTX_4 / POWERTX_1L / POWERTX_55L 8-13 POWERTX_1 / POWERTX_5 / - / POWERTX_55S 16-21 POWERTX_2 / POWERTX_6 / POWERTX_2L / POWERTX_11L 24-29 POWERTX_3 / POWERTX_7 / POWERTX_2S / POWERTX_11S |
0-5 POWERTX HT20_0 / HT20_4 / HT20_8 / HT20_12 8-13 POWERTX HT20_1 / HT20_5 / HT20_9 / HT20_13 16-21 POWERTX HT20_2 / HT20_6 / HT20_10 / HT40_12 24-29 POWERTX HT20_3 / HT20_7 / HT20_11 / HT40_13 |
0-5 POWERTX HT40_0 / HT40_4 / HT40_8 / DUP40_CCK 8-13 POWERTX HT40_1 / HT40_5 / HT40_9 / DUP40_OFDM 16-21 POWERTX HT40_2 / HT40_6 / HT40_10 / EXT20_CCK 24-29 POWERTX HT40_3 / HT40_7 / HT40_11 / EXT20_OFDM |
0-5 POWERTX SUB_FOR_2CHAIN |
0-4 DESIRED_SCALE_0 5-9 DESIRED_SCALE_1 10-14 DESIRED_SCALE_2 15-19 DESIRED_SCALE_3 20-24 DESIRED_SCALE_4 25-29 DESIRED_SCALE_5 |
0-4 DESIRED_SCALE_6 5-9 DESIRED_SCALE_7 10-14 DESIRED_SCALE_CCK 20 EN_PD_DC_OFFSET_THR 21-26 PD_DC_OFFSET_THR 27-30 WAIT_CALTX_SETTLE 31 DISABLE_PDADC_RESIDUAL_DC_REMOVAL |
0-4 DESIRED_SCALE HT20_0 / HT20_8 / HT40_0 / HT40_6 / HT40_8 5-9 DESIRED_SCALE HT20_1 / HT20_9 / HT40_1 / HT40_7 / HT40_9 10-14 DESIRED_SCALE HT20_2 / HT20_10 / HT40_2 / - / HT40_10 15-19 DESIRED_SCALE HT20_3 / HT20_11 / HT40_3 / - / HT40_11 20-24 DESIRED_SCALE HT20_4 / HT20_12 / HT40_4 / - / HT40_12 25-29 DESIRED_SCALE HT20_5 / HT20_13 / HT40_5 / - / HT40_13 |
0-4 DESIRED_SCALE HT20_6 ;\global setting (not in B1) 5-9 DESIRED_SCALE HT20_7 ;/ 16-23 OLPC_GAIN_DELTA_0/1 ;\ 24-31 hw4: OLPC_GAIN_DELTA_0/1_PAL_ON ;-hw4 ; separate settings (on hw6) 24-25 hw6: OLPC_GAIN_DELTA_0/1_LSB_EXT ;-hw6 ;/ |
0-2 CAL_CHAIN_MASK |
0 FORCE_XPAON 1-3 FORCED_XPAON 4 FORCE_PDADC_PWD 5-7 FORCED_PDADC_PWD |
8-13 PDADC_PAR_CORR_CCK 16-21 PDADC_PAR_CORR_OFDM 24-29 PDADC_PAR_CORR_HT40 |
0 ENABLE_PAL 1 ENABLE_PAL_CCK 2 ENABLE_PAL_OFDM_20 3 ENABLE_PAL_OFDM_40 4-9 PAL_POWER_THRESHOLD 10 FORCE_PAL_LOCKED 11-16 INIT_TX_GAIN_SETTING_PAL_ON |
0-7 THERM_CAL_VALUE 8-15 VOLT_CAL_VALUE 16 USE_LEGACY_TPC 17-22 hw6: MIN_POWER_THERM_VOLT_GAIN_CORR ;-hw6 |
0-7 ALPHA_THERM 8-15 ALPHA_THERM_PAL_ON 16-20 ALPHA_VOLT 21-25 ALPHA_VOLT_PAL_ON |
0-23 ENABLE_PAL_MCS_0..23 |
0-13 CALTX_GAIN_SET_nn table entry 0,2,4,6,...,28,30 accordingly 14-27 CALTX_GAIN_SET_nn table entry 1,3,5,7,...,29,31 accordingly 28-31 - |
0-31 TG_TABLE entry entry 1..32 accordingly |
0-31 TG_TABLE_LSB_EXT (sixteen 2bit entries per word) |
0 IQC_TX_TABLE_SEL 1-6 BASE_TX_TONE_DB 7-12 MAX_TX_TONE_GAIN 13-18 MIN_TX_TONE_GAIN 19-22 CALTXSHIFT_DELAY 23-29 LOOPBACK_DELAY 30 hw6: ENABLE_COMBINED_CARR_IQ_CAL ;\hw6 31 hw6: ENABLE_TXIQ_CALIBRATE ;/ |
0-5 RX_INIT_GAIN_DB 6-11 MAX_RX_GAIN_DB 12-17 MIN_RX_GAIN_DB 18-24 IQCORR_I_Q_COFF_DELPT |
0-3 IQC_FORCED_PAGAIN 4-8 IQCAL_MIN_TX_GAIN 9-13 IQCAL_MAX_TX_GAIN |
0-5 PWR_HIGH_DB 6-11 PWR_LOW_DB 12-21 IQCAL_TONE_PHS_STEP 22-23 DC_EST_LEN 24 ADC_SAT_LEN 25-26 ADC_SAT_SEL 27-28 IQCAL_MEAS_LEN 29-30 DESIRED_SIZE_DB 31 TX_IQCORR_EN |
0-13 IQC_COEFF_TABLE_n ;table entry (n=0,2,4,6,8,A,C,E) accordingly 14-27 IQC_COEFF_TABLE_n ;table entry (n=1,3,5,7,9,B,D,F) accordingly 28-31 - |
0-5 TXCAL_RX_BB_GAIN_TABLE_n ;table entry (n=0,4, 8,12,16,20,24) 6-11 TXCAL_RX_BB_GAIN_TABLE_n ;table entry (n=1,5, 9,13,17,21) 12-17 TXCAL_RX_BB_GAIN_TABLE_n ;table entry (n=2,6,10,14,18,22) 18-23 TXCAL_RX_BB_GAIN_TABLE_n ;table entry (n=3,7,11,15,19,23) 24-31 - |
0 TXIQCAL_FAILED (R) 1-5 CALIBRATED_GAINS (R) 6-11 TONE_GAIN_USED (R) 12-17 RX_GAIN_USED (R) 18-24 hw4: LAST_MEAS_ADDR (7bit) (R) ;-hw4 18-23 hw6: LAST_MEAS_ADDR (6bit) (R) ;-hw6 |
0-9 FLC_PB_FSTEP 10-19 FLC_SB_FSTEP 20-24 FLC_PB_ATTEN 25-29 FLC_SB_ATTEN |
0-2 FLC_PWR_THRESH ;-global setting (not in B1) 3-7 FLC_SW_CAP_VAL_0/1 ;-separate settings (on hw6) 8-9 FLC_BBMISCGAIN ;\ 10-12 FLC_BB1DBGAIN ; 13-14 FLC_BB6DBGAIN ; global setting (not in B1) 15 FLC_SW_CAP_SET ; 16-18 FLC_MEAS_WIN ;/ 20-24 FLC_CAP_VAL_STATUS_0/1 (R) ;-separate settings (on hw6) |
0 RADAR_AVG_BW_CHECK 1 RADAR_DC_SRC_SEL 2-3 RADAR_FIRPWR_SEL 4-5 RADAR_PULSE_WIDTH_SEL 8-14 RADAR_DC_FIRPWR_THRESH 15-20 RADAR_DC_PWR_BIAS 21-26 RADAR_BIN_MAX_BW |
0 DFT_TONE_EN 2-3 DFT_TONE_AMP_SEL 4-12 DFT_TONE_FREQ_ANG |
0-7 INIT_THERM_SETTING 8-15 INIT_VOLT_SETTING 16-23 INIT_ATB_SETTING 24-25 SAMPLES_CNT_CODING 26 USE_INIT_THERM_VOLT_ATB_AFTER_WARM_RESET 27 FORCE_THERM_VOLT_ATB_TO_INIT_SETTINGS 28 hw6: CHECK_DONE_FOR_1ST_ADC_MEAS_OF_EACH_FRAME ;\hw6 29 hw6: THERM_MEASURE_RESET ;/ |
0-11 MEASURE_THERM_FREQ 12-21 MEASURE_VOLT_FREQ 22-31 MEASURE_ATB_FREQ |
0-7 THERM_ADC_OFFSET 8-16 THERM_ADC_SCALED_GAIN 17-29 ADC_INTERVAL |
0-7 LATEST_THERM_VALUE (R) 8-15 LATEST_VOLT_VALUE (R) 16-23 LATEST_ATB_VALUE (R) 24 hw6: FORCE_THERM_CHAIN ;\hw6 25-27 hw6: PREFERRED_THERM_CHAIN ;/ |
0 FORCE_TX_GAIN 1-3 FORCED_TXBB1DBGAIN 4-5 FORCED_TXBB6DBGAIN 6-9 FORCED_TXMXRGAIN 10-13 FORCED_PADRVGNA 14-17 FORCED_PADRVGNB 18-21 FORCED_PADRVGNC 22-23 FORCED_PADRVGND 24 FORCED_ENABLE_PAL 25-27 hw6: FORCED_OB ;\ 28-30 hw6: FORCED_DB ; hw6 31 hw6: FORCED_GREEN_PAPRD_ENABLE ;/ |
0-7 ECO_CTRL |
______________ below in hw4.2 and hw6 only (not original hw4) ______________ |
0-24 PAPRD_AM2AM_MASK ;-newer revision only |
0-24 PAPRD_AM2PM_MASK ;-newer revision only |
0-24 PAPRD_HT40_MASK ;-newer revision only |
0 PAPRD_ENABLE ;\ 1 PAPRD_ADAPTIVE_USE_SINGLE_TABLE ; newer revision only 2-26 PAPRD_VALID_GAIN ; 27-31 PAPRD_MAG_THRSH ;/ |
0 PAPRD_ADAPTIVE_SCALING_ENABLE ;\ 1 PAPRD_ADAPTIVE_AM2AM_ENABLE ; 2 PAPRD_ADAPTIVE_AM2PM_ENABLE ; newer revision only 3-8 PAPRD_POWER_AT_AM2AM_CAL ; 9-16 PA_GAIN_SCALE_FACTOR ; 17-26 PAPRD_MAG_SCALE_FACTOR ; 27 PAPRD_TRAINER_IANDQ_SEL ;/ |
0-9 PA_GAIN1 ;\ 10-19 PA_GAIN2 ; newer revision only 20-29 PA_GAIN3 ;/ |
0-9 PA_GAIN4 ;\ 10-19 PA_GAIN5 ; newer revision only 20-24 PAPRD_ADAPTIVE_TABLE_VALID ;/ |
0-17 PAPRD_PRE_POST_SCALING ;-newer revision only |
0-21 PAPRD_MEM ;-newer revision only |
0-31 CL_MAP_PAL |
0 CF_PAPRD_TRAIN_ENABLE ;\ 1-7 CF_PAPRD_AGC2_SETTLING ; 8 CF_PAPRD_IQCORR_ENABLE ; newer revision only 9 CF_PAPRD_RX_BB_GAIN_FORCE ; 10 CF_PAPRD_TX_GAIN_FORCE ; 11 CF_PAPRD_LB_ENABLE ; 12-18 CF_PAPRD_LB_SKIP ;/ |
0-31 CF_PAPRD_INIT_RX_BB_GAIN ;-newer revision only |
0-5 CF_PAPRD_ADC_DESIRED_SIZE ;\ 6-11 CF_PAPRD_QUICK_DROP ; 12-16 CF_PAPRD_MIN_LOOPBACK_DEL ; 17-19 CF_PAPRD_NUM_CORR_STAGES ; newer revision only 20-23 CF_PAPRD_COARSE_CORR_LEN ; 24-27 CF_PAPRD_FINE_CORR_LEN ;/ 28 hw4.2: CF_PAPRD_BBTXMIX_DISABLE ;-hw4.2 28 hw6: CF_PAPRD_REUSE_CORR ;\hw6 29 hw6: CF_PAPRD_BBTXMIX_DISABLE ;/ |
0-11 CF_PAPRD_MIN_CORR ;\ 12-15 CF_PAPRD_SAFETY_DELTA ; newer revision only 16-25 CF_PAPRD_NUM_TRAIN_SAMPLES ;/ |
0 PAPRD_TRAIN_DONE ;\ 1 PAPRD_TRAIN_INCOMPLETE (R) ; 2 PAPRD_CORR_ERR (R) ; newer revision only 3 PAPRD_TRAIN_ACTIVE (R) ; 4-8 PAPRD_RX_GAIN_IDX (R) ; 9-16 PAPRD_AGC2_PWR (R) ;/ |
0-15 PAPRD_FINE_VAL (R) ;\ 16-20 PAPRD_COARSE_IDX (R) ; newer revision only 21-22 PAPRD_FINE_IDX (R) ;/ |
0-19 PAPRD_TRAIN_SAMPLES_CNT (R) ;-newer revision only |
____________________________ below on hw4 only ____________________________ |
0-31 TG_TABLE_PAL_ON entry 1..32 accordingly |
0-11 TXIQC_MEAS_DATA0_0 (R) ;entry 0,2,4,...,190 (?) 12-23 TXIQC_MEAS_DATA1_0 (R) ;entry 1,3,5,...,191 (?) 24-31 - |
0 DO_TX_IQCAL |
____________________________ below on hw6 only ____________________________ |
0-31 LDPC_LLR_SCALING0 |
0-15 LDPC_LLR_SCALING1 16-26 LDPC_LATENCY |
0-23 CF_ML_2S_WEIGHT_TABLE 24-25 CF_IS_FLAT_CH_THR_ML 26-27 CF_IS_FLAT_CH_THR_ZF |
0-23 CF_ML_3S_WEIGHT_TABLE |
0-4 PEAK_DET_TALLY_THR_LOW_1 5-9 PEAK_DET_TALLY_THR_MED_1 10-14 PEAK_DET_TALLY_THR_HIGH_1 15-19 RF_GAIN_DROP_DB_LOW_1 20-24 RF_GAIN_DROP_DB_MED_1 25-29 RF_GAIN_DROP_DB_HIGH_1 30 BT_TX_DISABLE_NF_CAL |
0-4 PEAK_DET_TALLY_THR_LOW_2 5-9 PEAK_DET_TALLY_THR_MED_2 10-14 PEAK_DET_TALLY_THR_HIGH_2 15-19 RF_GAIN_DROP_DB_LOW_2 20-24 RF_GAIN_DROP_DB_MED_2 25-29 RF_GAIN_DROP_DB_HIGH_2 30-31 RFSAT_RX_RX |
0-1 RFSAT_BT_SRCH_SRCH 2-3 RFSAT_BT_RX_SRCH 4-5 RFSAT_BT_SRCH_RX 6-7 RFSAT_WLAN_SRCH_SRCH 8-9 RFSAT_WLAN_RX_SRCH 10-11 RFSAT_WLAN_SRCH_RX 12-13 RFSAT_EQ_SRCH_SRCH 14-15 RFSAT_EQ_RX_SRCH 16-17 RFSAT_EQ_SRCH_RX 18-22 RF_GAIN_DROP_DB_NON_1 23-27 RF_GAIN_DROP_DB_NON_2 28-31 BT_RX_FIRPWR_INCR |
0-7 RFGAIN_EQV_LNA_0 / RFGAIN_EQV_LNA_4 8-15 RFGAIN_EQV_LNA_1 / RFGAIN_EQV_LNA_5 16-23 RFGAIN_EQV_LNA_2 / RFGAIN_EQV_LNA_6 24-31 RFGAIN_EQV_LNA_3 / RFGAIN_EQV_LNA_7 |
0-1 REDPWR_MODE 2 REDPWR_MODE_CLR 3 REDPWR_MODE_SET 4-8 GAIN_CORR_DB2 9-12 SCFIR_ADJ_GAIN 13-17 QUICKDROP_RF 18 BYPASS_FIR_F 19 ADC_HALF_REF_F |
0-6 SC01_SW_INDEX 7-13 SC10_SW_INDEX 14-20 LAST_SC0_INDEX |
0 BBB_MRC_EN 1 AGCDP_CCK_MRC_MUX_REG 2-4 AGCDP_CCK_PD_ACCU_THR_HI 5-7 AGCDP_CCK_PD_ACCU_THR_LOW 8-11 AGCDP_CCK_BARKER_RSSI_THR 12-16 AGCDP_CCK_MRC_BK_THR_HI 17-21 AGCDP_CCK_MRC_BK_THR_LOW 22-27 AGCDP_CCK_MIN_VALUE |
0 CCK_FREQ_SHIFT_BLOCKER_DETECTION 1 CCK_BLOCKER_DET_RESTART_WEAK_SIG 2-5 CCK_BLOCKER_DET_BKSUM_NUM 6-8 BK_VALID_DELAY 9-13 CCK_BLOCKER_DET_THR 14-19 CCK_BLOCKER_DET_DELAY_THR 20-25 CCK_BLOCKER_MONITOR_TIME 26 SKIP_RAMP_ENABLE 27-31 CCK_DET_RAMP_THR |
0 SM_REC_EN 1 SM_REC_MODE 2-3 SM_REC_TIME_RES 4-11 SM_REC_PART_EN 12-14 SM_REC_CHN_EN 15-18 SM_REC_DATA_NUM 19 SM_REC_AGC_SEL 20-22 SM_REC_MAC_TRIG 24-29 SM_REC_LAST_ADDR (R) |
0 ENA_RADIO_RETENTION 1-6 RESTORE_MASK 7 FORCE_RADIO_RESTORE |
0 GREEN_TX_ENABLE 1 GREEN_CASES |
0 MIT_FORCE_SYNTH_ON 1 MIT_FORCE_SYNTH_ON_EN 2 MIT_FORCE_ACTIVE_ON |
0-2 MIT_CCA_MODE_SEL 3-20 MIT_CCA_COUNT |
0-5 MIT_RSSI_TH 6-11 MIT_RX_RF_ATT_TH_H 12-17 MIT_RX_RF_ATT_TH_L 18-23 MIT_RX_RF_ATT_OFFSET 24-29 MIT_AGC_LIMIT |
0 MIT_AGC_SEL 1-11 MIT_RSSI_BASE |
0-7 MIT_TX_STA_CNT 8-21 MIT_TX_END_DLY_CNT 22 MIT_TX_THROUGH_ENA 23-25 MIT_TXHDR_CHAIN_MASK_CCK 26-28 MIT_TXHDR_PAPRD_TRAIN_MASK_CCK 29-30 MIT_TXHDR_CHAN_MODE_CCK |
0-7 MIT_RX_END_DLY_CNT 8 MIT_RX_THROUGH_ENA |
0-1 MIT_CLK_TUNE_MOD 2 MIT_NO_DATA_TO_ATH |
0-30 MIT_SPARE_IN 31 MIT_SPARE_OUT (R) |
0-4 OFFSETC1I (R) 5-9 OFFSETC1Q (R) 10-14 OFFSETC2I (R) 15-19 OFFSETC2Q (R) 20-24 OFFSETC3I (R) 25-29 OFFSETC3Q (R) |
0 SW_RTT_TABLE_ACCESS 1 SW_RTT_TABLE_WRITE 2-4 SW_RTT_TABLE_ADDR |
4-31 SW_RTT_TABLE_DATA |
2-17 TABLES_ADDR 31 ADDR_AUTO_INCR |
0-31 TABLES_DATA |
0 DUMMY (R) |
_______________________ missing B1 registers in hw4 _______________________ |
| DSi Atheros Wifi - Internal I/O - 0xxx00h - RDMA Registers (hw4/hw6) |
- base address changed from 30100h (hw4) to 54D00h (hw6) - number of regions has increased from 16 (hw4) to 32 (hw6) - accordingly, index for STATUS and INT_EN has has changed |
0 DMA_TYPE 1 RTC_PRIORITY 2 ENABLE_RETENTION 3 WLMAC_PWD_EN 4 WLBB_PWD_EN 5-31 - |
0 STOP 1 START 2-31 - |
0-1 - 2-31 ADDR |
0-11 WORDS 12-31 - |
0-1 - 2-31 ADDR |
0-1 - 2-31 ID |
0-1 - 2-31 ADDR |
0 NEXT 1 INDI 2-12 LENGTH 13-31 ADDR |
0 RUNNING ;STATUS only (not INT_EN) 1 STOPPED 2 DONE 3 ERROR 4-14 ERROR_CODE ;STATUS only (not INT_EN) 15-31 - |
| DSi Atheros Wifi - Internal I/O - 03x000h - EFUSE Registers (hw4/hw6) |
- base address changed from 31000h (hw4) to 30000h (hw6) - the single INTF region (hw4) replaced by two INTF regions (hw6) - four new registers added in hw6 - indices for the two STROBE registers have changed |
0 V 1-31 - |
0 V 1-31 - |
0-31 V |
0-31 V |
0-31 V |
0-31 V |
0-31 R |
0-31 V |
0-31 V |
0-31 V |
0-31 V |
| DSi Atheros Wifi - Internal I/O - 034000h - More Stuff (hw6) |
__________________________________ STEREO __________________________________ |
0-7 POSEDGE 8 MASTER 9 SAMPLE_CNT_CLEAR_TYPE 10 MCK_SEL 11 I2S_WORD_SIZE 12-13 DATA_WORD_SIZE 14-15 STEREO_MONO 16 MIC_WORD_SIZE 17 PCM_SWAP 18 I2S_DELAY 19 RESET 20 MIC_RESET 21 ENABLE 22 REFCLK_SEL 23 SPDIF_ENABLE |
0-4 CHANNEL0 8-12 CHANNEL1 |
0 MCK_SEL |
0-15 CH0 16-31 CH1 |
________________________________ CHKSUM SEG ________________________________ |
0 TXEN 1 LITTLEENDIAN |
0-31 ADDR |
0 UNDERRUN0 1 UNDERRUN1 2 UNDERRUN2 3 UNDERRUN3 4 BUSERROR 5-8 DESC_INTR 16-23 PKTCNT0 24-25 CHAIN_NUM (R) |
0 RRMODE 8-13 WGT0 14-19 WGT1 20-25 WGT2 26-31 WGT3 |
0-8 PKTCNT0 / PKTCNT2 ;9bit each 16-24 PKTCNT1 / PKTCNT3 |
0-7 N/A ? 8-15 PKTCNT1 ;8bit each 16-23 PKTCNT2 24-31 PKTCNT3 |
0 RXEN 1 LITTLEENDIAN |
0-31 ADDR |
0 OVERFLOW 1 BUSERROR 2 DESC_INTR 16-23 PKTCNT |
0-3 RX_VAL 4-16 TX_VAL |
0-9 MAX_TX 10 INCR16_EN 11 INCR8_EN 16-25 MAX_RX |
0 TX 1 RX |
0 CHKSUM_SWAP 4-9 TXFIFO_MAX_TH 16-21 TXFIFO_MIN_TH 22-31 SPARE |
___________________________________ MMAC ___________________________________ |
0 OWN 1-12 LEN (R) 13-14 SEQ_NUM (R) |
0-31 ADDR |
0 RX_DONE0 1 RX_CRC_FAIL0 2 ACK_RESP_FAIL0 3 RX_DONE1 4 RX_CRC_FAIL1 5 ACK_RESP_FAIL1 6 RX_ERR_OVERFLOW 7 TX_DONE 8 TX_DONE_ACK_MISSING 9 TX_DONE_ACK_RECEIVED 10 TX_ERROR |
0-31 VAP_ADDR_L |
0-15 VAP_ADDR_U 16-21 SIFS 22-23 CAPTURE_MODE 24-26 TYPE_FILTER 27 LIVE_MODE |
0-11 LEN 12 CRC 13 EXP_ACK |
0-31 ADDR |
0 ACK_MODE_EN 1-6 ACK_TIMEOUT 7-14 BACKOFF 15 FORCE_ACKF_RSSI 16-23 ACKF_RSSI |
0-15 INTERVAL 16-27 LEN 28 EN 29 CRC 30 RESET_TS |
0-31 ADDR |
0-31 COUNT |
___________________________________ FPGA ___________________________________ |
2 DCM_RELEASE 4-7 EMUL_RADIO_CLOCK_RATIO 8-9 LONG_SHIFT_CHAIN_OVERRIDE_INDEX 10 ENABLE_LONG_SHIFT_CHAIN_OVERRIDE_INDEX 11-15 LONG_SHIFT_DRIVE_PHASE 16-20 LONG_SHIFT_SAMPLE_PHASE 21-30 SPARE_FPGA_REG1 31 FPGA_SRIF_DELAY |
0-3 FPGA_PLATFORM_TYPE 4-7 FPGA_IP_RELEASE_VERSION 8-11 FPGA_IP_REVISION 12 FPGA_OWL_PLL_ENABLED 13 FPGA_LOOPBACK_I2C 14-31 FPGA_SPARE |
0 RADIO_0_TCK 1 RADIO_0_TDI 2 RADIO_0_TMS 3 RADIO_0_TDO |
_______________________________ BRIDGE INTR _______________________________ |
0-7 RX_(0..7)_COMPLETE 8-15 RX_(0..7)_END 16-23 TX_(0..7)_COMPLETE 24-31 TX_(0..7)_END |
___________________________________ MII ___________________________________ |
0-1 SELECT 2 MASTER 4-5 SPEED 8-9 RGMII_DELAY |
0 AUTOZ 1 CLRCNT 2 STEN 3 GIG |
___________________________________ MDIO ___________________________________ |
0-15 VALUE |
0-7 REGS 8-15 MASK |
0-2 VAL |
_______________________________ BRIDGE RX/TX _______________________________ |
0-31 ADDRESS |
0 START 4 RESTART |
0-3 COUNT 4-15 TIMEOUT |
0-1 BURST |
0-7 OFFSET |
0 TCP 1 UDP |
0-3 STATE |
16-31 FIFO_TOTAL_LEN 0-2 STATE |
0-31 ADDR |
0 SWAP 1 SWAPD |
_________________________________ USB CAST _________________________________ |
0-7 MAXP 16 STALL 17 HSNAK 20 DSTALL 23 CHGSETUP |
0-10 MAXP 18-19 TYPE 20-21 ISOD 22 STALL 23 VAL 24 ISOERR 28 HCSET ;<-- for INxENDP registers only (not OUTxENDP) |
0 LS 1 FS 2 HS 4 HOST 5 DEVICE |
0-15 IN 0..15 16-31 OUT 0..15 |
0 SUDAV IR 1 SOF IR 2 SUTOK IR 3 SUSP IR 4 URES IR 5 HSPEED IR 6 OVERFLOW IR 7 LPM IR 16-31 OUTP NGIRQ ? |
0-2 MFR 3-7 FRMNR0 8-13 FRMNR1 16-22 FNADDR 24-31 CLKGATE |
0 OTGIRQ_IDLEIRQ 1 OTGIRQ_SRPDETIRQ 2 OTGIRQ_LOCSOFIRQ 3 OTGIRQ_VBUSERRIRQ 4 OTGIRQ_PERIPHIRQ 8-11 OTGSTATE 16 OTGCTRL_BUSREQ 17 OTGCTRL_ABUSDROP 18 OTGCTRL_ASETBHNPEN 19 OTGCTRL_BHNPEN 20 OTGCTRL_SRPVBUSDETEN 21 OTGCTRL_SRPDATDETEN 23 OTGCTRL_FORCEBCONN 24 OTGSTATUS_BSE0SRP 25 OTGSTATUS_CONN 27 OTGSTATUS_ASESSVAL 28 OTGSTATUS_BSESSEND 29 OTGSTATUS_AVBUSVAL 30 OTGSTATUS_ID |
0-15 IN 0..15 16..31 OUT 0..15 |
2-31 ADDR |
2-15 RINGSIZ 16 ENDIAN 17 DMASTOP 18 DMASTART 20 DMATUNLIM 21 DMANINCR 22 DMARING 25 HLOCK 26-27 HSIZE 28-31 HRPROT |
? |
________________________________ I2C SLAVE ________________________________ |
0 FIFO RESET 1 FIFO PREFETCH 2-4 FIFO READ LENGTH 5-14 FIFO READ THRESHOLD 15 FIFO READ STALL 16-18 FIFO WRITE LENGTH 19-28 FIFO WRITE THRESHOLD 29 FIFO WRITE STALL |
0-9 WR PTR (R) 16-25 RD PTR (R) |
0-10 UPDATE |
0-31 BASE |
0 RESET 1 FLUSH |
0-31 BASE |
0-31 DATA |
0 RESET 1 READ STALL 2 WRITE STALL 3-5 READ COUNT (R) 6-8 WRITE COUNT (R) 9 READ EMPTY (R) 10 WRITE FULL (R) |
0-5 DATA (6bit, what is that?) |
0-7 READDELAY 8 CLOCKREQUESTENABLE 9-11 FILTERCLOCKSELECT 12-14 FILTERCLOCKSCALE 15-17 FILTERSDARXSELECT 18-20 FILTERSCLRXSELECT |
0-7 SDA RX SIZE 8-15 SCL RX SIZE |
0-6 FIFO ADDR 8-14 MEM ADDR 16-22 REG ADDR 24-30 CSR ADDR |
0 FIFO READ START INT ;\ 1 FIFO READ FINISH INT ; 2 FIFO WRITE START INT ; 3 FIFO WRITE FINISH INT ; R/W 4 REG READ START INT ; 5 REG READ FINISH INT ; 6 REG WRITE START INT ; 7 REG WRITE FINISH INT ;/ 8 FIFO READ EMPTY INT ;\ 9 FIFO WRITE FULL INT ; For Status: R 10 FIFO READ THRESHOLD INT ; For Enable: R/W 11 FIFO WRITE THRESHOLD INT ;/ 12 CSR INT ;-R/W |
0 INT ;Status (R) 1 INTEN ;Enable |
_________________________________ MAP I2S _________________________________ |
0-19 DATA |
0 FULL 2 EMPTY |
0 RX_ORDER 1 RX_QUANTUM 2 TX_ORDER 3 TX_QUANTUM 4-7 TX_FIFO_THRESH0 |
2-27 ADDRESS |
0 STOP 1 START 2 RESUME |
0 RX_SOM 2 RX_EOM |
0-7 VALUE 8 ENABLE |
0 RX_NOT_FULL 2 TX_NOT_EMPTY 4 RX_UNDERFLOW 5 TX_OVERFLOW 6 TX_DMA_COMPLETE 8 TX_DMA_EOM_COMPLETE 10 RX_DMA_COMPLETE |
0 TX_INIT 2 RX_INIT |
0-31 ADDRESS |
0-31 COLLECTION |
__________________________________ MAP RF __________________________________ |
0-31 REG (32bit x 12 entries) |
0-11 REG (12bit) (R) |
0-10 REG (11bit) |
0-8 REG (9bit) |
0-7 DATA (8bit) 8-31 - |
0-6 DATA (7bit) 7-31 - |
___________________________________ ODIN ___________________________________ |
0-2 PLL_ICP 3-5 PLL_RS 6-14 PLL_DIV 15-17 PLL_MOD 18 PLL_OVERIDE 19 TEST_SPEED_SELECT 20 RX_PATTERN_EN 21 TX_PATTERN_EN 22 ANA_LOOPBACK_EN 23 DIG_LOOPBACK_EN 24-31 LOOPBACK_ERR_CNT (R) |
0-1 RX_FILBW_SEL 2 RX_FORCERXON 3 RX_BYPASSEQ 4 RX_LOWR_PDET 5-6 RX_SELIR_100M 7 RX_SELVREF0P6 8 RX_SELVREF0P25 9-11 RX_RSVD 12 NO_PLL_PWD 13 FORCE_SUSPEND 18-19 TX_PATTERN_SEL 20 USE_PLL_LOCKDETECT 21-22 USE_PLL_LOCK_DLY_SEL 23-25 CLKOBS_SEL 26 ENABLE_REFCLK_GATE 27 DISABLE_CLK_GATING 31 PLL_OBS_MODE_N |
0 HSTXBIAS_PS_EN 1 HSRXPHASE_PS_EN 2-7 PWD_IPLL 8-13 PWD_ISP 20 TX_CAL_EN 21 TX_CAL_SEL 22-25 TX_MAN_CAL 26 TX_LCKDET_OVR 27-30 TX_RSVD 31 PWD_EXTBIAS |
0-18 PWD_ITX 21 TX_DISABLE_SHORT_DET 22-24 TX_SELTEST 25 TX_STARTCAL |
0-11 PWD_IRX |
0-6 TX_BIAS_DELAY 7-12 EB_WATERMARK 13 FORCE_IDDQ 14 FORCE_TEST_J 15 FORCE_TEST_K 16 FORCE_TEST_SE0_NAK 17 TEST_JK_OVERRIDE 18-19 XCVR_SEL 20 TERM_SEL 21 SUSPEND_N 22 DP_PULLDOWN 23 DM_PULLDOWN 24 HOST_DISCON_FIX_ON 25 HOST_DISCON_DETECT_ON 26-28 HOST_DISCON_SAMPLE_WIDTH |
0 AVALID 1 BVALID 2 VBUSVALID 3 SESSEND 4 IDDIG |
0-3 TX_CAL (R) |
| DSi GPIO Registers |
0 GPIO18[0] ;\maybe 1.8V signals? (1=normal) 1 GPIO18[1] ; (maybe these are the three "NC" pins on CPU, 2 GPIO18[2] ;/near to the other GPIO pins) 3 Unused (0) 4 GPIO33[0] Probably "GPIO330" test point on mainboard 5 GPIO33[1] Headphone connect (HP#SP) (0=None, 1=Connected) 6 GPIO33[2] Powerbutton interrupt (0=Short Keydown Pulse, 1=Normal) 7 GPIO33[3] sound enable output (ie. not a useful input) |
0-2 GPIO18[0-2] Data Output (0=Low, 1=High) 3 Unused (0) 4-7 GPIO33[0-3] Data Output (0=Low, 1=High) |
0-2 GPIO18[0-2] Data Direction (0=Normal/Input, 1=Output) 3 Unused (0) 4-7 GPIO33[0-3] Data Direction (0=Normal/Input, 1=Output) |
0-2 GPIO18[0-2] Interrupt Edge Select (0=Falling, 1=Rising) 3 Unused (0) 4-7 GPIO33[0-3] Interrupt Edge Select (0=Falling, 1=Rising) |
0-2 GPIO18[0-2] Interrupt Enable (0=Disable, 1=Enable) 3 Unused (0) 4-7 GPIO33[0-3] Interrupt Enable (0=Disable, 1=Enable) |
0 Unknown (firmware keeps this bit unchanged when writing) 1-7 Zero 8 Wifi Mode (0=New Atheros/DSi-Wifi mode, 1=Old NDS-Wifi mode) 9-15 Zero |
| DSi Console IDs |
CPU/Console ID - Found in Port 4004D00h, in AES Keys, and in Files eMMC CID Register - Found in Main RAM, and in eMMC CID register Serial/Barcode - Found in Main RAM, and on stickers, and in HWINFO_S.dat Wifi MAC Address - Found in Main RAM, and in Wifi FLASH Nintendo WFC ID - Found in Wifi FLASH |
0-63 CPU/Console ID Code |
08201nnnnnnnn1nnh for DSi (EUR) and DSi XL (USA) 08202nnnnnnnn1nnh for DSi XL 08203nnnnnnnn1nnh for DSi XL 08204nnnnnnnn1nnh for DSi 08A15???????????h for DSi 08A18nnnnnnnn1nnh for DSi (USA) (black) 08A19nnnnnnnn1nnh for DSi (USA) 08A20nnnnnnnn1nnh for DSi 08A21nnnnnnnn1nnh for DSi 08A22???????????h for DSi (USA) 6B27D20002000000h for n3DS |
0 CPU/Console ID Flag (0=Okay/Ready, 1=Bad/Busy) 1-15 Unknown/Unused (0) |
MY ss ss ss ss 03 4D 30 30 46 50 41 00 00 15 00 ;DSi Samsung KMAPF0000M-S998 MY ss ss ss ss 32 57 37 31 36 35 4D 00 01 15 00 ;DSi Samsumg KLM5617EFW-B301 MY ss ss ss ss 30 36 35 32 43 4D 4D 4E 01 FE 00 ;DSi ST NAND02GAH0LZC5 rev30 MY ss ss ss ss 31 36 35 32 43 4D 4D 4E 01 FE 00 ;DSi ST NAND02GAH0LZC5 rev31 MY ss ss ss ss 03 47 31 30 43 4D 4D 00 01 11 00 ;3DS |
TEFnnnnnnnnn DSi (europe) TEHnnnnnnnnn DSi (europe) TJHnnnnnnnnn DSi (japan) TWnnnnnnnnn DSi (us) WEFnnnnnnnnn DSi XL (europe) WWnnnnnnnnn DSi XL (us) VJNnnnnnnnnn DSi (debugger) |
00 22 4C xx xx xx ;seen in DSi XL 00 23 CC xx xx xx ;seen in DSi 00 24 1E xx xx xx ;seen in DSi 00 27 09 xx xx xx ;seen in DSi |
| DSi Unknown Registers |
ARM9: Can be set to 00000000h or 0000E043h ARM7: Can be set to 00000000h or 0000E043h |
ARM9: Can be set to 20000000h or FF7F7FFFh ARM7: Can be set to 00000000h or FF7F7FFFh |
0-1 Bits per sample? Or "stereo"? (0..2, 3=None) (R/W) 2-3 Sampling Rate (0..3=F/1, F/2, F/3, F/4) (R/W) 4-7 Unknown/Unused (0) (0?) 8 Status... (1=Empty?) (R) 9 Status... (1=Not empty?) (R) 10 Status... (1=More data?) (R) 11 Status... (1=Overrun?) (R) 12 Reset? (maybe clear MIC_DATA fifo?) (W?) 13 IRQ Enable ? ;\maybe one is not-empty and (R/W) 14 IRQ Enable, too ? ;/half-full or overrun ? (R/W) 15 Enable (R/W) |
I2S=32.73kHz --> F/1=32.73kHz, F/2=16.36kHz, F/3=10.91kHz, F/4=8.18kHz I2S=47.61kHz --> F/1=47.61kHz, F/2=23.81kHz, F/3=15.87kHz, F/4=11.90kHz |
0-31 Data |
| DSi Notes |
if ([4004000h] AND 03h)=01h then DSi_mode else NDS_mode |
;Caution: Below detection won't work with DSi exploits (because they are ; usually having the ARM7 SCFG registers disabled - it would be thus better ; to do the dection only on ARM9 side as described above, and then forward ; the result to ARM7 side). if ([4004008h] AND 80000000h)=0 then skip_detection_and_assume_NDS_mode else if ([4004000h] AND 03h)=01h then DSi_mode else NDS_mode |
| DSi Exploits |
https://davejmurphy.com/%25CD%25A1-%25CD%259C%25CA%2596-%25CD%25A1/ |
Region Price Title
US,EU/AU $2 Sudoku (Electronic Arts) (updated version in DSi shop)
US,EU/AU $5 Fieldrunners (original version still in DSi shop)
US,EU/AU $5 Guitar Rock Tour ("grtpwn") (no longer in DSi shop)
US,EU/AU,JP $8 Legends of Exidia (original version still in DSi shop)
US,...? Free Zelda 4 Swords (no longer in DSi shop)
|
Biggest Loser (US,EU) (works with firmware 1.4.5) (=on all DSi's, as of 2015) Cooking Coach (US,EU) (blocked in firmware 1.4.4 and up) Classic Word Games (US,EU) (blocked in firmware 1.4.4 and up) (uncomfortable) |
TWL-VBLV-EUU Biggest Loser USA (UK) ;(European title has "USA" suffix) TWL-VBLE-USA Biggest Loser (US) ;(US title doesn't have "USA" suffix) |
TWL-VCKE-USA My Healthy Cooking Coach (US) TWL-VCKV-UKV My Cooking Coach - Prepare Healthy Recipes (UK) TWL-VCKS-SPA Mi Experto en Cocina - Comida Saludable (ES) TWL-VCKF-FRA Mon Coach Personnel - Mes Recettes Plaisir et Ligne (FR) TWL-VCKI-ITA Il Mio Coach di Cucina - Prepara Cibi Sani e Gustosi (IT) TWL-VCKD-NOE Mein Koch-Coach - Gesund und Lecker Kochen (DE) |
TWL-VCWE-USA Classic Word Games (US) TWL-VCWV-UKV Classic Word Games (UK/EU) |
ARM7 cannot access to SCFG/MBK configuration and Console ID registers For DSiware Exploits: Cannot access DS Cartridge slot For Cartridge Exploits: Cannot access SD/MMC registers |
| DSi Regions |
Go to "System Settings" Check the firmware version on upper screen (eg. "Ver 1.4E" for Europe) Check the "Language" option, that should list languages for your region. Check the "Country" option, that should list all countries of your region. |
Japanese (only japanese, there is no language option at all) |
01h Japan (only japan, there is no country option at all) |
A0h China? |
Koerean (only korean, there is no language option at all) |
88h Korea (only korea, there is no country option at all) |
English (only english, there is no language option at all) |
41h Australia 5Fh New Zealand |
English Francais (=French) Espanol (=Spanish) |
08h Anguilla 09h Antigua and Barbuda 0Ah Argentina 0Bh Aruba 0Dh Barbados 0Eh Belize 0Fh Bolivia 10h Brazil 11h British Virgin Islands 12h Canada 13h Cayman Islands 14h Chile 15h Colombia 16h Costa Rica 17h Dominica 18h Dominican Republic 19h Ecuador 1Ah El Salvador 1Bh French Guiana 1Ch Grenada 1Dh Guadeloupe 1Eh Guatemala 1Fh Guyana 20h Haiti 21h Honduras 22h Jamaica 23h Martinique 24h Mexico 25h Montserrat 26h Netherlands Antilles 27h Nicaragua 28h Panama 29h Paraguay 2Ah Peru 2Bh Saint Kitts and Nevis 2Ch Saint Lucia 2Dh Saint Vincent and the Grenadines 99h Singapore 2Eh Suriname 0Ch The Bahamas 2Fh Trinidad and Tobago 30h Turks and Caicos Islands A8h United Arab Emirates 31h United States 32h Uruguay 33h US Virgin Islands 34h Venezuela |
English Francais (=French) Deutsch (=German) Espanol (=Spanish) Italiano (=Italian) |
40h Albania 42h Austria 43h Belgium 44h Bosnia and Herzegovnia 45h Botswana 46h Bulgaria 47h Croatia 48h Cyprus 49h Czech Republic 4Ah Denmark 4Bh Estonia 4Ch Finland 4Dh France 4Eh Germany 4Fh Greece 50h Hungary 51h Iceland 52h Ireland 53h Italy 54h Latvia 55h Lesotho 56h Liechtenstein 57h Lithuania 58h Luxembourg 59h Macedonia 5Ah Malta 5Bh Montenegro 5Ch Mozambique 5Dh Namibia 5Eh Netherlands 60h Norway 61h Poland 62h Portugal 63h Romania 64h Russia 65h Serbia 66h Slovakia 67h Slovenia 68h South Africa 69h Spain 6Ah Swaziland 6Bh Sweden 6Ch Switzerland 6Dh Turkey 6Eh United Kindgom 6Fh Zambia 70h Zimbabwe |
Europe/Africa: 71h 113: Azerbaijan 72h 114: Mauritania (Islamic Republic of Mauritania) 73h 115: Mali (Republic of Mali) 74h 116: Niger (Republic of Niger) 75h 117: Chad (Republic of Chad) 76h 118: Sudan (Republic of the Sudan) 77h 119: Eritrea (State of Eritrea) 78h 120: Djibouti (Republic of Djibouti) 79h 121: Somalia (Somali Republic) Southeast Asia: 80h 128: Taiwan 90h 144: Hong Kong 91h 145: Macao 98h 152: Indonesia 9Ah 154: Thailand 9Bh 155: Philippines 9Ch 156: Malaysia Middle East: A9h 169: India AAh 170: Egypt ABh 171: Oman ACh 172: Qatar ADh 173: Kuwait AEh 174: Saudi Arabia AFh 175: Syria B0h 176: Bahrain B1h 177: Jordan |
| 3DS Reference |
| 3DS Memory and I/O Map |
Old3DS Address Size Description Yes 00000000h 10000h Bootrom mirror ;is there also ITCM in ARM11 ? Yes 00010000h 10000h ARM11 Bootrom Yes 10000000h ? IO memory Yes 17E00000h 2000h MPCore private memory region No 17E10000h 1000h New3DS: L2C-310 Level 2 Cache Controller (2MB) Yes 18000000h 600000h VRAM (divided in two banks, VRAM and VRAMB) No 1F000000h 400000h New3DS: extra memory (maybe VRAM and/or QTM?) Yes 1FF00000h 80000h DSP memory Yes 1FF80000h 80000h AXI WRAM Yes 20000000h 8000000h FCRAM No 28000000h 8000000h New3DS: FCRAM extension Yes FFFF0000h 10000h Bootrom mirror (uh, ARM11 or ARM9 rom?) |
Old3DS Address Size Description Yes 00000000h "8000000h" Instruction TCM, repeating each 8000h bytes Yes 01FF8000h 8000h Instruction TCM (used here by kernel and titles) Yes 07FF8000h 8000h Instruction TCM (used here by bootrom) Yes 08000000h 100000h ARM9-only internal memory (and ARM7 regions) No 08100000h 80000h New3DS: ARM9-only extension (if any, if enabled) Yes 10000000h 8000000h IO memory Yes 18000000h 600000h VRAM (divided in two banks, VRAM and VRAMB) Yes 1FF00000h 80000h DSP memory Yes 1FF80000h 80000h AXI WRAM Yes 20000000h 8000000h FCRAM No 28000000h 8000000h New3DS: FCRAM extension Yes FFF00000h 4000h Data TCM (mapped here during bootrom) Yes FFFF0000h 10000h ARM9 Bootrom |
Physaddr Old3DS A9/A11 Category 10000000h Yes A9 CONFIG9 Registers 10001000h Yes A9 IRQ Registers 10002000h Yes A9 NDMA Registers DMA (alike DSi's NDMA) 10003000h Yes A9 TIMER Registers Timers (alike GBA/NDS/DSi) 10004000h Yes A9 CTRCARD Registers ROM cart in 3DS mode 10005000h A9 CTRCARD? 2nd ROM cart slot? 10006000h Yes A9 SDMMC Registers For eMMC and SD Card slot 10007000h A9 SDMMC? zeroes? ? 10008000h Yes A9 PXI Registers aka IPC 10009000h Yes A9 AES Registers Crypto 1000A000h Yes A9 SHA Registers Crypto 1000B000h Yes A9 RSA Registers Crypto 1000C000h Yes A9 XDMA Registers DMA 1000D800h Yes A9 SPICARD Registers Savedata in ROM carts? 10010000h Yes A9 CONFIG Registers More CONFIG9 registers 10011000h Yes A9 PRNG Registers Pseudo Random Generator 10012000h Yes A9 OTP Registers Console IDs 10018000h Yes A9 ARM7 Registers GBA/NDS/DSi mode config 10100000h Yes A11/A9 Debug WIFI SDIO Regs? 10101000h Yes A11/A9 HASH Registers Crypto (same as SHA) 10102000h Yes A11/A9 Y2R Registers YUV-to-RGB ? 10103000h Yes A11/A9 DSP Registers Teak DSP 10103400h Yes A11/A9 CSND Registers Sound channels? 10110000h Yes A11/A9 LGYFB0 LCD maybe? Legacy maybe? 10111000h Yes A11/A9 LGYFB1 LCD maybe? Legacy maybe? 10120000h Yes A11/A9 Camera Registers Cameras 10121000h Yes A11/A9 Camera Registers? Cameras? 10122000h Yes A11/A9 WIFI Registers SDIO Wifi 10123000h Yes A11/A9 ? SDIO? 10130000h No A11/A9 MVD Registers New3DS: Movie Decoder or so? 10131000h No A11/A9 MVD Registers New3DS: Movie Decoder or so? 10132000h No A11/A9 MVD Registers New3DS: Movie Decoder or so? 10140000h Yes A11/A9 CONFIG11 Registers 10141000h Yes A11/A9 CONFIG11 Registers 10142000h Yes A11/A9 SPI Registers SPI Bus1 (if any/used ?) 10143000h Yes A11/A9 SPI Registers SPI Bus2 (if any/used ?) 10144000h Yes A11/A9 I2C Registers I2C Bus1 (for 3DS devices) 10145000h Yes A11/A9 CODEC Registers ? 10146000h Yes A11/A9 HID Registers Keypad 10147000h Yes A11/A9 GPIO Registers 10148000h Yes A11/A9 I2C Registers I2C Bus2 (for 3DS gimmicks) 10160000h Yes A11/A9 SPI Registers SPI Bus0 (Wifi-Flash, etc?) 10161000h Yes A11/A9 I2C Registers I2C Bus0 (for DSi devices) 10162000h Yes A11/A9 MIC Registers Microphone 10163000h Yes A11/A9 PXI Registers aka IPC 10164000h Yes A11/A9 NTRCARD Registers ROM Cart in NDS/DSi mode? 10165000h Yes A11/A9 MP Registers ? 10170000h Yes A11/A9 MP Registers NDS-Wifi? 10171000h Yes A11/A9 MP Registers NDS-Wifi? 10172000h Yes A11/A9 ? NDS-Wifi? 10173000h Yes A11/A9 ? NDS-Wifi? 10174000h Yes A11/A9 MP Registers NDS-Wifi? 10175000h Yes A11/A9 MP Registers NDS-Wifi? 10176000h Yes A11/A9 MP Registers NDS-Wifi? 10177000h Yes A11/A9 MP Registers NDS-Wifi? 10178000h Yes A11/A9 MP Registers NDS-Wifi? 10180000h (end of above area) 10200000h Yes A11 CDMA DMA 10201000h Yes A11 ? ? 10202000h Yes A11 LCD Registers 10203000h Yes A11 DSP Registers Teak DSP 10203200h Yes A11 LCD Registers ? 10204000h Yes A11 ? ? 10206000h No A11 CDMA New3DS: DMA 10207000h No A11 MVD Registers New3DS: Movie Decoder or so? 1020F000h Yes A11 AXI ? 10300000h Yes A11 DMA region Maybe contains FIFOs or so? 10400000h (end of above area) 10400000h Yes A11 GPU Registers 17E00000h A11 ARM11 IRQ 17E01000h A11 ARM11 IRQ |
physaddr = virtaddr-1EC00000h+10100000h |
| 3DS MISC Registers 1 |
______________________________ ARM9 Interrupts _______________________________ |
0 DMAC_1_0 ;uh, are that the supposed FOUR NDMA channels? 1 DMAC_1_1 2 DMAC_1_2 3 DMAC_1_3 4 DMAC_1_4 5 DMAC_1_5 6 DMAC_1_6 7 DMAC_1_7 8 TIMER_0 9 TIMER_1 10 TIMER_2 11 TIMER_3 12 PXI_SYNC 13 PXI_NOT_FULL 14 PXI_NOT_EMPTY 15 AES 16 SDIO_1 ;blah, this is SDMMC, not SDIO 17 SDIO_1_ASYNC 18 SDIO_3 19 SDIO_3_ASYNC 20 DEBUG_RECV 21 DEBUG_SEND 22 RSA 23 CTR_CARD_1 24 CTR_CARD_2 25 CGC ;uh, what the fuck is a CGC ? 26 CGC_DET ;uh, what the fuck is a CGC ? 27 DS_CARD ;aka NTRCARD 28 DMAC_2 29 DMAC_2_ABORT 30 unknown/unspecified 31 unknown/unspecified |
_______________________________ NDMA Registers _______________________________ |
00h TIMER0? 01h TIMER1? 02h TIMER2? 03h TIMER3? 04h CTRCARD0 05h CTRCARD1 06h ? 07h EMMC 08h AES WD FREE 09h AES RD FREE 0Ah SHA 0Bh ? 0Ch ? 0Dh ? 0Eh ? 0Fh AES + SHA COMBINED? 10h..1Fh Start immediately (without repeat) |
______________________________ TIMER Registers _______________________________ |
"timers run at a frequency of 67,027,964.0 +/- 2^(-32) Hz" |
_____________________________ CTRCARD Registers ______________________________ |
Address Width Old3DS Name Used by 10004000h 4 Yes CTRCARD_CNT Process9 10004004h 4 Yes CTRCARD_BLKCNT Process9 10004008h 4 Yes CTRCARD_SECCNT Process9 10004010h 4 Yes CTRCARD_SECSEED Process9 10004020h 16 Yes CTRCARD_CMD Process9 10004030h 4 Yes CTRCARD_FIFO Process9 |
0-3 ? 4 CRC status (0=Okay, 1=Error?) 5-15 ? 16-19 Transfer size (0..8 = 0,4,10h,40h,200h,400h,800h,1000h,4000h bytes) 20-23 ? 24-26 Clock delay (0..5) 27 Data ready (0=Busy, 1=Ready) 28 Reset Pin (0=Low/Reset, 1=High/Release) 29 Transfer mode (0=Read, 1=Write) 30 Interrupt enable (0=Disable, 1=Enable) 31 Start (0=Idle, 1=Busy) |
0-15 Total data blocks to read from FIFO - 1 16-31 Total data blocks to write to FIFO - 1 |
0-1 unknown/unspecified 2 Latch key index 3-7 unknown/unspecified 8-9 Key index 10-14 unknown/unspecified 15 Latch seed 16-31 unknown/unspecified |
0-31 unknown/unspecified |
______________________________ SD/MMC Registers ______________________________ |
10006000h A9 SD/MMC (for SD Card Slot and internal eMMC) 10007000h A9 SDxx (normally all zeroes) (maybe SDIO wifi on ARM9 side?) 10100000h A11/A9 Debug SDIO Regs? 10122000h A11/A9 SDIO WIFI? this is wifi? 10123000h A11/A9 SDIO WIFI? this is whatever? |
3 SD card removal flag (Set to 1 when SD card is removed) 4 SD card insertion flag (Set to 1 when SD card is inserted) 5 SD card insertion status (0=Missing, 1=Inserted) |
Address Width Name 10122000h 2 WIFI_CMD 10006002h 2 ? 10122004h 2 WIFI_CMDARG0 10122006h 2 WIFI_CMDARG1 1012200ah 2 WIFI_BLKCOUNT 10122024h 2 WIFI_CLKCTL 10122026h 2 WIFI_BLKLEN |
_____________________________ CONFIG9 Registers ______________________________ |
Address Width Old3DS Name Used by 10000000h 1 Yes CFG9_SYSPROT9 Boot9 10000001h 1 Yes CFG9_SYSPROT11 Boot9 10000002h 1 Yes CFG9_RST11 Boot9 10000004h 4 Yes CFG9_DEBUGCTL 10000008h 1 Yes ? Boot9, Process9, TwlProcess9 1000000Ch 2 Yes CFG9_CARDCTL Process9 10000010h 1 Yes CFG9_CARDSTATUS Process9 10000012h 2 Yes CFG9_CARDCYCLES0 Boot9, Process9 10000014h 2 Yes CFG9_CARDCYCLES1 Boot9, Process9 10000020h 2 Yes CFG9_SDMMCCTL Process9 10000100h 2 Yes ? 10000200h 1 No CFG9_EXTMEMCNT9 NewKernel9 10000FFCh 4 Yes CFG9_MPCORECFG 10010000h 4 Yes CFG9_BOOTENV 10010010h 1 Yes CFG9_UNITINFO Process9 10010014h 1 Yes CFG9_TWLUNITINFO Process9 |
0 Disables ARM9 bootrom "(+8000h)" when set to 1, and enables access to
FCRAM. Cannot be cleared to 0 once set to 1. Boot9
1 Disables OTP area when set to 1. Cannot be cleared to 0 once set to 1.
NewKernel9Loader, Process9
2-31 Not used ;uh, but the register is only 8bit wide?
|
0 Disables ARM11 bootrom "(+8000h)" when set to 1, and enables access
to FCRAM. Cannot be cleared to 0 once set to 1. Boot9
1-31 Not used ;uh, but the register is only 8bit wide?
|
0 Presumably takes ARM11 out of reset. Cannot be set to 1 once it has
been cleared.
1-31 Not used ;uh, but the register is only 8bit wide?
|
0-xx unknown/unspecified |
0-1 ? 2-3 AES related? Value 3 written after write to AES_CTL 4-31 Reserved ;uh, that means what as opposed to Not used? and only 8bit! |
0-1 Gamecard active controller select (0=NTRCARD, 1=?, 2=CTRCARD0,
3=CTRCARD1) Process9
2-7 unknown/unspecified
8 Enable gamecard eject IRQ, maybe? Process9
9-xx unknown/unspecified
|
Selecting NTRCARD will activate the register space at 10164000h Selecting CTRCARD0 will activate the register space at 10004000h Selecting CTRCARD1 will activate the register space at 10005000h |
0 Cartridge-slot empty (0=inserted, 1=empty) Process9 1 unknown/unspecified 2-3 ? Process9 4-xx unknown/unspecified |
0-xx unknown/unspecified |
0 SD slot power. (1=Unknown?) Process9 1 eMMC power? NAND init hangs if set. (1=Set?) Process9 2-3 Other power supplies? Process9 4-5 unknown/unspecified 6 Never used by anything. Set at cold boot. 7 unknown/unspecified 8 ? This bit seems to do nothing. Process9 9 If not set force pulls all SD card lines high. Process9 10-xx unknown/unspecified |
0-xx unknown/unspecified |
0 Hide extended ARM9 memory (0=hidden, 1=shown) Kernel9 (New3DS) 1-31 Reserved |
_______________________________ IPC Registers ________________________________ |
Address Width Old3DS Name Used by 10008000h 4 Yes PXI_SYNC9 Boot9, Process9 ;-SYNC 10008004h 2 Yes PXI_CNT9 Boot9, Process9 ;\ 10008008h 4 Yes PXI_SEND9 ; FIFO 1000800Ch 4 Yes PXI_RECV9 ;/ 10163000h 4 Yes PXI_SYNC11 Boot11 ;-SYNC 10163004h 2 Yes PXI_CNT11 Boot11 ;\ 10163008h 4 Yes PXI_SEND11 ; FIFO 1016300Ch 4 Yes PXI_RECV11 ;/ |
0-7 R Data received from remote bits 8-15 (unrelated to SEND/RECV FIFOs) 8-15 R/W Data sent to remote bits 0-7 16-22 unknown/unspecified 23 ? ? 24-28 unknown/unspecified 29 W? Trigger PXI_SYNC11 IRQ (if enabled) 30 W? Trigger PXI_SYNC9 IRQ (if enabled) 31 RW PXI_SYNC IRQ enable (for local processor) |
0 R Send Fifo Empty Status (0=Not Empty, 1=Empty) 1 R Send Fifo Full Status (0=Not Full, 1=Full) 2 R/W Send Fifo Empty IRQ (0=Disable, 1=Enable) 3 W Send Fifo Clear (0=Nothing, 1=Flush Send Fifo) 4-7 unknown/unspecified 8 R Receive Fifo Empty (0=Not Empty, 1=Empty) 9 R Receive Fifo Full (0=Not Full, 1=Full) 10 R/W Receive Fifo Not Empty IRQ (0=Disable, 1=Enable) 11-13 unknown/unspecified 14 R/W Error, Read Empty/Send Full (0=No Error, 1=Error/Acknowledge) 15 R/W Enable Send/Receive Fifo (0=Disable, 1=Enable) |
| 3DS MISC Registers 2 |
_______________________________ PRNG Registers _______________________________ |
10011000h .. Pseudo Random Generator? Boot9, Process9 |
_______________________________ OTP Registers ________________________________ |
10012000h-10012100h persistent storage on SoC 10012100h-10012108h for passing the TWL console ID around |
000h 100h Console-unique data encrypted with AES-CBC. The normalkey
and IV are stored in Boot9 (retail/devunit have seperate
normalkey+IV for this). The last 20h-bytes of plaintext
are a SHA256 hash over the first E0h-bytes of plaintext.
100h 8 Before writing REG_SYSPROT9 bit1, the ARM9 copies the
8-byte TWL Console ID here. This sets the registers at
4004D00h for ARM7.
|
000h 90h Copied into ITCM. The encrypted version of this is what
New3DS-arm9loader hashes for key-generation.
000h 4 Always DEADB00Fh.
004h 4 u32 DeviceId.
008h 10h Fall-back keyY used for movable.sed keyY when
movable.sed doesn't exist in NAND (the last two words here
are used on retail for generating console-unique TWL
keydata/etc).
This is also used for "LocalFriendCodeSeed", etc.
018h 1 ?
019h 1 CTCert issuer type:
0 = retail "Nintendo CA - G3_NintendoCTR2prod",
non-zero = dev "Nintendo CA - G3_NintendoCTR2dev".
01Ah 6 Manufacturing date (of the SoC?). Usually month(s) before
the dates in the logs stored in TWLNAND. Each byte is one
field: year, month, day, hour, minute, second. Year is
encoded as year-1900 so that it fits in one byte.
020h 4 CTCert ECDSA exponent, this is byte-swapped
when plaintext_otp+18h is >=5.
024h 2 ?
026h 1Eh CTCert ECDSA private key
044h 3Ch CTCert ECDSA signature
080h 10h Zerofilled
090h 70h Used by Boot9 for generating the console-unique AES keyXs.
However, due to a bug(?) in Boot9, only the first
1Ch-bytes here actually affect console-unique key
generation. The rest of the data is used for hashing, but
that output hash only gets overwritten without being used
afterwards.
|
0E0h 20h SHA256 hash over the previous E0h-bytes. |
_______________________________ ARM7 Registers _______________________________ |
Address Size Type Name 10018000h 1 u8 ARM7_CNT 10018080h 32 Code ARM7_CODE 10018100h 2 u16 ARM7_SAVE_MODE 10018104h 2 u16 ARM7_?_CNT 10018108h 2 u16 ARM7_RTC_CNT? 10018110h 4 u32 ARM7_RTC_VAL_LO 10018114h 4 u32 ARM7_RTC_VAL_HI 10018118h 4 u32 ARM7_RTC_LO? 1001811Ch 4 u32 ARM7_RTC_HI? 10018120h 16 arm7_save_cfg_t ARM7_SAVE_CFG |
s8 year_since_2000_bcd; s8 month_bcd; s8 day_bcd; s8 day_of_week; s8 hour_bcd; s8 minute_bcd; s8 second_bcd; |
08060000h ? 03800000h, ARM7 WRAM (64K)
080B0000h ? 03000000h, GBA IWRAM (32K)
08080000h ? EEPROM/SRAM/Flash 512k/Flash 1Mbit (the 2 512k banks are
contiguous in memory). Appears to be mirrored at 080C0000h,
maybe first mapping is read-only and second is writable?
10018104h must be set to 1 before reading memory here, and
restored to its previous value afterwards
01FFC000h ? 01000000h, ARM9 ITCM under TWL (16K)
|
________________________________ Y2R Registers _______________________________ |
10102000h A11/A9 Y2R Registers Camera Services 10120000h A11/A9 Camera Registers Camera Services 10121000h A11/A9 Camera Registers Camera Services Mirror of 10120000h? 10300000h A11 DMA region (Y2R) CDMA wants these addresses (*) |
Address Width Old3DS Name Used by 10102000h 4 Yes Y2R_PARAMS Camera Services ;\ 10102004h 2 Yes Y2R_LINEW Camera Services ; 10102006h 2 Yes Y2R_LINES Camera Services ; 10102010h 10h Yes Y2R_COEFFICIENTS Camera Services ; 10102020h 2 Yes Y2R_ALPHA Camera Services ; 10102100h 20h Yes Y2R_??? Camera Services ;/ 10120000h ? Yes Camera registers (unknown, maybe alike DSi?) 10121000h ? Yes Camera registers (unknown, maybe alike DSi?) 10302000h 80h? Yes Y2R_INPUT_Y Camera Services ;\ 10302080h 80h? Yes Y2R_INPUT_U Camera Services ; 10302100h 80h? Yes Y2R_INPUT_V Camera Services ; DMA region 10302180h 80h? Yes Y2R_INPUT_X? Camera Services ; 10302200h 80h? Yes Y2R_OUTPUT_RGB Camera Services ;/ |
0-3 InputFormat 4-7 unknown/unspecified 8-9 OutputFormat 10-11 Rotation 12 BlockAlignment 13-14 unknown/unspecified 15 ? 16 ? 17 ? 18-20 unknown/unspecified 21 ? 22 ? 23 unknown/unspecified 24 ? 25 ? 26 ? 27 ? 28 ? 29 ? 30 Transfer end interrupt 31 Enable/Busy |
________________________________ SND Registers _______________________________ |
1EC03400h ... aka 10103400h |
00h 2 For Type0 Cmd 0xE, CSND module writes "u16 (cmdword[2] & 0xFFFF)" 02h 2 For Type0 Cmd 0xE, CSND module writes "0-(cmdword[2]>>16)" 04h 2 For Type0 Cmd 0xE, CSND module writes "0" 06h 2 For Type0 Cmd 0xE, CSND module writes "0" 08h 2 For Type0 Cmd 0xE, CSND module writes "(u16)cmdword[4]" 0Ah 2 For Type0 Cmd 0xE, CSND module writes "cmdword[4]>>16" 0Ch 4 Audio data physical address, for main channel (uh, main=L or R?) 10h 4 Audio data total byte-size (mask 7FFFFFFh?) 14h 4 Audio data physical address, for second channel (or 0=Mono) 18h 4 Audio something (Zero=Unknown, Nonzero=IMA-ADPCM) 1Ch 4 Audio something (Zero) |
________________________________ DSP Registers _______________________________ |
Address Width Old3DS Name 10203000h 2 Yes DSP_PDATA 10203004h 2 Yes DSP_PADR 10203008h 2 Yes DSP_PCFG 1020300Ch 2 Yes DSP_PSTS 10203010h 2 Yes DSP_PSEM 10203014h 2 Yes DSP_PMASK 10203018h 2 Yes DSP_PCLEAR 1020301Ch 2 Yes DSP_SEM 10203020h 2 Yes DSP_CMD0 10203024h 2 Yes DSP_REP0 10203028h 2 Yes DSP_CMD1 1020302Ch 2 Yes DSP_REP1 10203030h 2 Yes DSP_CMD2 10203034h 2 Yes DSP_REP2 |
| 3DS MISC Registers 3 |
_______________________________ CODEC Registers ______________________________ |
10145000h - Empty |
________________________________ HID Registers _______________________________ |
Address Width Old3DS Name Used by
10146000h 2 Yes HID_PAD Boot9, Boot11, Kernel11,
TwlBg, HID Services, dlp Services
10146002h 2 Yes HID_? TwlBg
|
0 Button A 1 Button B 2 Select 3 Start 4 DPAD Right 5 DPAD Left 6 DPAD Up 7 DPAD Down 8 Button R 9 Button L 10 Button X 11 Button Y 12-15 unknown/unspecified |
_______________________________ GPIO Registers _______________________________ |
Address Width Name GPIO bitmasks associated with this 10147000h 2 GPIO_DATA0 1, 2, 4 10147010h 4 GPIO_DATA1 8, 10h 10147014h 2 GPIO_DATA2 20h 10147020h 2 GPIO_DATA3 3FF40h (40h..20000h) 10147022h 2 GPIO_DATA3_INTERRUPT_CLEAR 3FF40h (40h..20000h) 10147024h 2 ?? 3FF40h (40h..20000h) 10147026h 2 ? ? 10147028h 2 GPIO_DATA4 40000h |
0-2 Used for GPIO bitmask 7h. 3 Unused by GPIO-sysmodule and TwlBg. 4 Only used by Boot11. 5-15 Unused by GPIO-sysmodule and TwlBg. |
0-1 Used for GPIO bitmask 18h. 2-31 Unused by GPIO-sysmodule and TwlBg. (but see below "10147010h") |
0-23 unknown/unspecified (but see above "GPIO_DATA1") 24 Enable/disable? GPIO interrupt 64h (bitmask 8h) 25 Enable/disable? GPIO interrupt 66h (bitmask 10h) 26-31 unknown/unspecified |
0 Used for GPIO bitmask 20h. 1-15 Unused by GPIO-sysmodule and TwlBg. |
0-11 Used for GPIO bitmask 3FFC0h. 12-31 Unused by GPIO-sysmodule and TwlBg. uh, but register is only 16bit? |
0-8 ? 9 Enable/disable interrupt 71h. 10-15 ? |
0 Used for GPIO bitmask 40000h. 1-15 Unused by GPIO-sysmodule and TwlBg. |
Address Value 10147000h 0003h 10147010h 00000002h 10147014h 0000h 10147020h 00000DFBh 10147024h 00000000h 10147028h 0000h |
________________________________ MIC Registers _______________________________ |
NAME PHYSICAL ADDRESS PROCESS VIRTUAL ADDRESS WIDTH REG_MIC_CNT 10162000h 1EC62000h 2 REG_MIC_DATA 10162004h 1EC62004h 4 |
0-1 unknown/unspecified 2-3 Sampling rate 4-15 unknown/unspecified |
_____________________________ NTRCARD Registers ______________________________ |
Address Width Name 10164000h 2 REG_NTRCARDMCNT 10164002h 2 REG_NTRCARDMDATA 10164004h 4 REG_NTRCARDROMCNT 10164008h 8 REG_NTRCARDCMD 10164010h 4 REG_NTRCARDSEEDX_L 10164014h 4 REG_NTRCARDSEEDY_L 10164018h 1 REG_NTRCARDSEEDX_H 1016401Ah 1 REG_NTRCARDSEEDY_H 1016401Ch 4 REG_NTRCARDFIFO |
0-13 unknown/unspecified 14 Interrupt enable (0=Disable, 1=Enable) 15 Enable (0=Disable, 1=Enable) |
0-22 unknown/unspecified 23 Data status (0=Busy, 1=Ready) 24-30 unknown/unspecified 31 Start (0=Idle, 1=Busy) |
________________________________ MP? Registers _______________________________ |
10165000h - unknown, maybe something alike NDS POWCNT2 for wifi-enable? 10170000h - probably NDS-Wifi WS0 region 10178000h - probably NDS-Wifi WS1 region |
________________________________ LCD Registers _______________________________ |
Physical Process virt Kernel virt Width Name 10202000h 1ED02000h FFFD6000h 4 Parallax barrier enable 10202004h 1ED02004h FFFD6004h 4 ? used by error screen? 10202200h 1ED02200h FFFD6200h 600h Top Screen LCD Configuration 10202A00h 1ED02A00h FFFD6A00h 600h Bottom Screen LCD Configuration 10203200h 1ED03200h FFFD7200h 40h ? |
000h 4 ? 004h 4 Fill Color ;aka Forced Blank maybe? 010h 4 ? 014h 4 ? 018h 4 ? 01Ch 4 ? 020h 4 ? 024h 4 ? 028h 4 ? 02Ch 4 ? 030h 4 ? 038h 4 ? 03Ch 4 ? 040h 4 Backlight 044h 4 ? 060h 4 ? 068h 4 ? 070h 4 ? 078h 4 ? 080h 4 ? 100h 100h LCD calibration data, from nand:/ro/sys/HWCAL0.dat offset 77Ch. 200h 100h used by bootrom? 300h 300h reportedly exist, part of 600h-byte area? |
0-7 Red component intensity 8-15 Green component intensity 16-23 Blue component intensity 24 Enable 25-31 ? |
| 3DS AES Registers |
_______________________________ AES Registers _______________________________ |
Address Width RW Old3DS Name 10009000h 4 RW Yes AES_CNT 10009004h 2 W Yes AES_MACBLKCNT 10009006h 2 W Yes AES_BLKCNT 10009008h 4 W Yes AES_WRFIFO 1000900Ch 4 R Yes AES_RDFIFO 10009010h 1 RW Yes AES_KEYSEL ;\new (unlike DSi) 10009011h 1 RW Yes AES_KEYCNT ;/ 10009020h 16 W Yes AES_CTR ;-supposedly actually IV 10009030h 16 W Yes AES_MAC 10009040h 48 W Yes AES_KEY0 10009070h 48 W Yes AES_KEY1 100090A0h 48 W Yes AES_KEY2 100090D0h 48 W Yes AES_KEY3 10009100h 4 W Yes AES_KEYFIFO ;\ 10009104h 4 W Yes AES_KEYXFIFO ; new (unlike DSi) 10009108h 4 W Yes AES_KEYYFIFO ;/ |
0-4 Write FIFO count (0-16)
5-9 Read FIFO count (0-16)
10 Flush write FIFO (1=Clear write FIFO)
11 Flush read fifo (1=Clear read FIFO)
12-13 Write FIFO DMA size (0=16, 1=12, 2=8, 3=4 words)
14-15 Read FIFO DMA size (0=4, 1=8, 2=12, 3=16 words)
16-18 MAC size (encoding = (maclen-2)/2)
19 ? (MAC related) (uh, probably same as on DSi?)
20 MAC input control (0=Read MAC from FIFO, 1=Read from MAC register)
21 MAC status (0=Invalid, 1=Verified)
Below bits (bit22-29) are other than DSi
22 Output endianness (0=Little endian, 1=Big endian)
23 Input endianness (0=Little endian, 1=Big endian)
24 Output word order (0=Reversed, 1=Normal) ;\uh, what is normal?
25 Input word order (0=Reversed, 1=Normal) ;/same order as endiannes?
26 Update keyslot (selects the keyslot specified by AES_KEYSEL when this
bit is set)
27-29 Mode (0=CCM decrypt, 1=CCM encrypt, 2=CTR, 3=CTR, 4=CBC decrypt,
5=CBC encrypt, 6=ECB decrypt, 7=ECB encrypt)
30 Interrupt Enable (0=Disable, 1=Enable)
31 Start (0=Idle, 1=Enable/Busy)
|
0-7 unknown/unspecified |
0-5 Keyslot
6 Hardware key-generator type (0=3DS, 1=DSi)
7 This normally has value 1 written here when updating keys.
0 = disable key FIFO flush,
1 = enable key FIFO flush.
|
| 3DS SHA and RSA Registers |
_______________________________ SHA Registers _______________________________ |
1000A000h A9 SHA Registers Boot9, Process9, NewKernel9Loader 10101000h A11/A9 HASH Registers Filesystem (except, for FIFO use 10301000h) |
Address Width Old3DS Name Used by 1000A000h 4 Yes SHA_CNT Boot9, Process9 1000A004h 4 Yes SHA_BLKCNT Process9 1000A040h 20h Yes SHA_HASH Process9 1000A080h 40h Yes SHA_FIFO Boot9, Process9 |
0 Start (0=Idle, 1=Enable/Busy)
1 Final round (0=Normal, 1=Enable/Busy)
2 Enable IRQ 0
3 Output Endianess (0=Little, 1=Big)
4-5 Mode (0=SHA256, 1=SHA224, 2=3=SHA1)
6 ?
7 ?
8 Clear FIFO? When set, the *entire* ARM9 hangs/crashes when attempting
to read SHA_INFIFO. uh, what is a SHA_INFIFO? and who/why read it?
9 Enable FIFO (0=write-only, 1=fifo)
10 Enable IRQ 1
11-15 unknown/unspecified
16 ?
17 ?
18-31 unknown/unspecified
|
0-31 unknown/unspecified (maybe ALL bits used? maybe len in bits or bytes?) |
_______________________________ RSA Registers _______________________________ |
Address Width Old3DS Name 1000B000h 4 Yes RSA_CNT 1000B0F0h 4 Yes RSA_UNKNOWN 1000B100h 10h Yes RSA_SLOT0 1000B110h 10h Yes RSA_SLOT1 1000B120h 10h Yes RSA_SLOT2 1000B130h 10h Yes RSA_SLOT3 1000B200h 4 Yes RSA_EXPFIFO 1000B400h 100h Yes RSA_MOD 1000B800h 100h Yes RSA_TXT |
0 Start (0=Idle, 1=Enable/Busy)
1 ?
2-3 unknown/unspecified
4-7 Keyslot (Bit6-7 don't actually affect the keyslot)
8 Endianness (0=Big endian, 1=Little endian).
Affects RSA_MOD, RSA_TXT, RSA_EXPFIFO.
9 Word order (0=Reversed order, 1=Normal order).
Affects RSA_MOD, RSA_TXT.
10-31 unknown/unspecified
|
0-31 unknown/unspecified |
0 Key status (0=Key has not been set yet, 1=Key has been set) 1 Key write-protect, this bit is RW (0=No protection, 1=Protected) 2-30 ? 31 ? |
0-31 unknown/unspecified |
0-31 unknown/unspecified |
0-31 FIFO, to be written in unknown word-order |
Slot 0 Arbitrary
Slot 1 CXI access desc (following the exheader)
Slot 2-3 Initialized by the ARM9 bootrom, but not used by any of the FIRMs.
It's unknown what the ARM9 bootrom uses these for, if anything.
|
| 3DS Corelink DMA Registers |
1000C000h Yes A9 XDMA Registers CoreLink DMA-330 r0p0 (two channels)
10200000h Yes A11 CDMA CoreLink DMA-330 r0p0 (eight channels)
Only used by bootrom on New3DS.
Uh, Old3DS has CDMA but doesn't use it?
Uh, does New3DS have different bootrom?
Maybe means that New3DS uses 10206000h
after completing bootrom code?
10206000h No A11 CDMA CoreLink DMA-330 r1p2 (eight channels)
This is the DMA engine actually being
used by the New3DS ARM11 kernel.
10300000h Yes A11 DMA region (aka FIFOs are here?)
|
sint8_t channel_sel; // @0 Selects which DMA channel to use:
0-7, -1 = don't care.
uint8_t endian_swap_size; // @1 Accepted values:
0=none, 2=16bit, 4=32bit, 8=64bit.
uint8_t flags; // @2 bit0: SRC_IS_PERIPHERAL,
bit1: DST_IS_PERIPHERAL,
bit2: SHALL_BLOCK,
bit3: KEEP_ALIVE,
bit6: SRC_IS_RAM,
bit7: DST_IS_RAM
uint8_t padding;
DmaSubConfig dst_cfg;
DmaSubConfig src_cfg;
|
sint8_t peripheral_id; // @0 If not *_IS_RAM set, this must be < 1Eh.
uint8_t allowed_burst_sizes; // @1 Accepted values:
4, 8, 4|8 = 12, 1|2|4|8 = 15
sint16_t gather_granule_size; // @2
sint16_t gather_stride; // @4 Has to be >= 0,
must not be 0 if peripheral_id == FFh.
sint16_t scatter_granule_size; // @6
sint16_t scatter_stride; // @8 Can be negative.
|
.peripheral_id = FFh, .allowed_burst_sizes = 1 | 2 | 4 | 8, .gather_granule_size = 80h, .gather_stride = 0, .scatter_granule_size = 80h, .scatter_stride = 0, |
02h camera (cam) Camera Port 1 03h camera (cam) Camera Port 2 04h nwm ? 05h nwm ? 06h camera (y2r) SetSendingY 07h camera (y2r) SetSendingU 08h camera (y2r) SetSendingV 09h camera (y2r) SetSendingYUYV 0Ah camera (y2r) SetReceiving 0Bh fs HASH 0Dh TwlBg LGYFB0/1 0Eh TwlBg LGYFB0/1 12h mvd (y2r2) SetSendingY 13h mvd (y2r2) SetSendingU 14h mvd (y2r2) SetSendingV 15h mvd (y2r2) SetSendingYUV 16h mvd (y2r2) SetReceiving 17h mvd Related to l2b 18h mvd Related to l2b 19h mvd Related to l2b 1Ah mvd Related to l2b |
00h Process9 CTRCARD 07h Process9 SHA |
| 3DS SPI CARD Registers |
Address Width Old3DS Name 1000D800h 4 Yes REG_SPICARDCNT 1000D804h 4 Yes REG_SPICARDASSERT 1000D808h 4 Yes REG_SPICARDSIZE 1000D80Ch 4 Yes REG_SPICARDFIFO 1000D810h 4 Yes REG_SPICARDFIFOSTAT 1000D814h 4 Yes ? 1000D818h 4 Yes ? 1000D81Ch 4 Yes ? |
0-5 Baud Rate 6-11 unknown/unspecified 12 Bus Mode 13 Transfer Mode (0=Read, 1=Write) 14 unknown/unspecified 15 Trigger (0=Idle, 1=Busy) |
0 asserting 1-31 unknown/unspecified |
0-31 Transfer size, uh, really 32bit wide? might be so. |
0-31 Data |
0 FIFO Full (0=Not full, 1=Full) 1-31 unknown/unspecified |
0-31 unknown/unspecified |
| 3DS CONFIG11 Registers |
Address Width Old3DS Name Used by 10140000h 1*8 Yes CFG11_SHAREDWRAM_32K_DATA<0-7> Boot11,Process9,DSP 10140008h 1*8 Yes CFG11_SHAREDWRAM_32K_CODE<0-7> Boot11,Process9,DSP 10140100h 2 Yes ? 10140102h 2 Yes ? 10140104h 1 Yes CFG11_FIQ_CNT Kernel11. 10140105h 1 Yes ? Kernel11. 10140108h 2 Yes Related to HID_? TwlBg 1014010Ch 2 Yes Related to HID_? TwlBg 10140140h 4 Yes CFG11_GPUPROT Kernel11 10140180h 1 Yes CFG11_WIFICNT TwlBg, NWM Services 101401C0h 4 Yes CFG11_SPI_CNT SPI Services, TwlBg 10140200h 4 Yes ? 10140400h 1 No Clock related? NewKernel11 10140410h 4 No Clock related? NewKernel11 10140420h 1 No CFG11_BOOTROM_OVERLAY_CNT NewKernel11 10140424h 4 No CFG11_BOOTROM_OVERLAY_VAL NewKernel11 10140428h 4 No ? 10140FFCh 2 Yes CFG11_SOCINFO Boot11, Kernel11 10141000h 2 Yes CFG11_GPU_STATUS Kernel11, TwlBg 10141008h 4 Yes CFG11_PTM_0 PTM, PDN 1014100Ch 4 Yes CFG11_PTM_1 PTM, TwlBg, PDN 10141100h 2 Yes CFG11_TWLMODE_0 TwlProcess9, TwlBg 10141104h 2 Yes CFG11_TWLMODE_1 TwlBg 10141108h 2 Yes CFG11_TWLMODE_2 TwlBg 1014110Ah 2 Yes CFG11_TWLMODE_HID TwlBg 1014110Ch 1 Yes CFG11_WIFIUNK NWM Services 10141110h 2 Yes ? TwlBg 10141112h 2 Yes ? TwlBg 10141114h 2 Yes CFG11_CODEC_0 Codec, TwlBg 10141116h 2 Yes CFG11_CODEC_1 Codec, TwlBg 10141118h 1 Yes ? TwlBg 10141119h 1 Yes ? TwlBg 10141120h 1 Yes ? TwlBg 10141200h 4 Yes CFG11_GPU_CNT Boot11, Kernel11, PDN, TwlBg 10141204h 4 Yes CFG11_GPU_CNT2 Boot11, Kernel11, TwlBg 10141210h 2 Yes CFG11_GPU_FCRAM_CNT Kernel11, TwlBg 10141220h 1 Yes CFG11_CODEC_CNT Boot11, TwlBg, PDN 10141224h 1 Yes CFG11_CAMERA_CNT PDN Services 10141230h 1 Yes CFG11_DSP_CNT Process9, PDN 10141300h 2 No CFG11_MPCORE_CLKCNT NewKernel11 10141304h 2 No CFG11_MPCORE_CNT NewKernel11 10141310h 1*4 No CFG11_MPCORE_BOOTCNT<0-3> NewKernel11 |
0-1 Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/data) 3 unknown/unspecified 2-4 Offset (0..7) (slot 0..7) (LSB of address in 32Kbyte units) 5-6 Not used (0) 7 Enable (0=Disable, 1=Enable) |
0-1 Master (0=ARM9?, 1=ARM11?, 2 or 3=DSP/code) 2-4 Offset (0..7) (slot 0..7) (LSB of address in 32Kbyte units) 5-6 Not used (0) 7 Enable (0=Disable, 1=Enable) |
0-3 Old FCRAM DMA cutoff size, 0 = no protection. 4-7 New FCRAM DMA cutoff size, 0 = no protection. ;<--New3DS only 8 AXIWRAM protection, 0 = accessible. 9-10 QTM DMA cutoff size ;<--New3DS only 11-31 Zeroes |
0 Enable wifi subsystem 1-7 unknown/unspecified |
0 Enable SPI Registers 10160000h ;\uh, actually, these do probably 1 Enable SPI Registers 10142000h ; toggle between "Manual" and "FIFO" 2 Enable SPI Registers 10143000h ;/modes, rather "enabling registers"? 3-31 unknown/unspecified |
0 Enable bootrom overlay functionality 1-xx unknown/unspecified |
0-31 The 32-bit value to overlay data-reads to bootrom with. |
0 1 on both Old3DS and New3DS. Boot11 1 1 on New3DS. Kernel11 2 Clock modifier: if set, use a 3x multiplier, otherwise 2x Kernel11 3-15 unknown/unspecified |
0-3 unknown/unspecified 4 Wifi-related? Set to 1 very early in NWM-module. 5-xx unknown/unspecified |
0 Enable GPU registers at 10400000h and up. 1-15 unknown/unspecified 16 Turn on LCD backlight. 17-31 unknown/unspecified |
0 Power on GPU? 1-xx unknown/unspecified |
0 unknown/unspecified 1 Enable/disable FCRAM. Bit2: Enable/disable operation in progress. 1-xx unknown/unspecified |
0 unknown 1 turn on/off DSP, rest = always 0 2-xx unknown/unspecified |
0 unknown 1 turn on/off cameras, rest = always 0 2-xx unknown/unspecified |
0 Enable clock multiplier? This must be set to 1 before writing a
non-zero value to bit1-2, otherwise freeze. This enables the New
3DS FCRAM extension.
1-2 Clock multiplier (0=1x, 1=2x, 2=3x, 3=hang)
3-14 unknown/unspecified
15 Busy
|
MPCore
timer/watchdog
prescaler value,
prior to
Higher-clockrate subtracting it
bit set in by 1 when
Register svcKernelSetState CFG11_SOCINFO writing it Clock-rate
value Param0 bit2 set into hw/state multiplier Description 01h No Yes 01h 1x 268MHz
02h No No 01h 1x 268MHz
05h Yes Yes 03h 3x 804MHz
03h Yes No 02h 2x 536MHz
Note: 536MHz "tested on New3DS" uh?
|
00h: Entire system hangs 01h: ? 02h: Entire system hangs 03h: ARM11 runs at 536MHz 04h: Entire system hangs 05h: ? 06h: Entire system hangs. 07h: Same result as 05h 08h: Entire system hangs. 09h: Entire system hangs. 0Ah: Entire system hangs. 0Bh: Same result as 03h (aka 536MHz) 0Ch: Entire system hangs 0Dh: Same result as 05h 0Eh: Entire system hangs. 0Fh: Same result as 05h 1Fh,2Fh,4Fh,8Fh,FFh: Same result as 05h |
0 ? 1-7 unknown/unspecified 8 ? 9-xx unknown/unspecified |
0 Enable bootrom instruction overlay, maybe? This bit is only
writable for core2 and core3.
1 Enable bootrom data overlay. This bit is only writable
for core2 and core3.
2-3 unknown/unspecified
4 Has core booted maybe?
5 Always 1?
6-7 unknown/unspecified
|
| 3DS SPI Registers |
Address Width Old3DS Name 10160000h 2 Yes SPI_BUS0_MANUAL_CNT ;\Manual Access ;\ 10160002h 1 Yes SPI_BUS0_MANUAL_DATA ;/ ; Bus 0 10160800h 4 Yes SPI_BUS0_FIFO_CNT ;\ ; Used for 10160804h 4 Yes SPI_BUS0_FIFO_DONE ; ; Wifi FLASH 10160808h 4 Yes SPI_BUS0_FIFO_BLKLEN ; FIFO Access ; and probably 1016080Ch 4 Yes SPI_BUS0_FIFO_DATA ; ; TSC and Powerman 10160810h 4 Yes SPI_BUS0_FIFO_STATUS ;/ ;/ 10142000h 2 Yes SPI_BUS1_MANUAL_CNT ;\Manual Access ;\ 10142002h 1 Yes SPI_BUS1_MANUAL_DATA ;/ ; 10142800h 4 Yes SPI_BUS1_FIFO_CNT ;\ ; Bus 1 10142804h 4 Yes SPI_BUS1_FIFO_DONE ; ; Unknown Purpose 10142808h 4 Yes SPI_BUS1_FIFO_BLKLEN ; FIFO Access ; 1014280Ch 4 Yes SPI_BUS1_FIFO_DATA ; ; 10142810h 4 Yes SPI_BUS1_FIFO_STATUS ;/ ;/ 10143000h 2 Yes SPI_BUS2_MANUAL_CNT ;\Manual Access ;\ 10143002h 1 Yes SPI_BUS2_MANUAL_DATA ;/ ; 10143800h 4 Yes SPI_BUS2_FIFO_CNT ;\ ; Bus 2 10143804h 4 Yes SPI_BUS2_FIFO_DONE ; ; Unknown Purpose 10143808h 4 Yes SPI_BUS2_FIFO_BLKLEN ; FIFO Access ; 1014380Ch 4 Yes SPI_BUS2_FIFO_DATA ; ; 10143810h 4 Yes SPI_BUS2_FIFO_STATUS ;/ ;/ |
___________________________ SPI Manual Access Mode ___________________________ |
Bit Name 0-1 Baudrate (0=4MHz, 1=2MHz, 2=1MHz, 3=512KHz) 2-6 This was added with 3DS. ;uh, what is "this"? 7 Busy Flag (0=Ready, 1=Busy) (presumably Read-only) 8-9 Device Select (0=Powerman., 1=Firmware, 2=Touchscreen) 10 Transfer Size (0=8bit/Normal, 1=16bit/Bugged) 11 Chipselect Hold (0=Deselect after transfer, 1=Keep selected) 12-13 Not used (Zero) 14 Interrupt Request (0=Disable, 1=Enable) 15 SPI Bus Enable (0=Disable, 1=Enable) |
____________________________ SPI FIFO Access Mode ____________________________ |
Bit Name 0-5 Baudrate? 6-7 Device Select 8-12 unknown/unspecified 13 Transfer Direction? (0=Incoming, 1=Outgoing) 14 unknown/unspecified 15 Busy/enable 16-31 unknown/unspecified Device id Device select bits 0, 3, >=6 0 1, 4 1 2, 5 2 Device id Used baudrate 3 5 0 2 |
0-31 unknown/unspecified |
0-31 unknown/unspecified |
0-31 32-bit FIFO for reading/writing data |
0 FIFO busy 1-31 unknown/unspecified |
| 3DS I2C Registers |
Address Width Old3DS Name 10161000h 1 Yes I2C_BUS0_DATA ;\ 10161001h 1 Yes I2C_BUS0_CNT ; BUS 0 (old DSi devices) 10161002h 2 Yes I2C_BUS0_CNTEX ; 10161004h 2 Yes I2C_BUS0_SCL ;/ 10144000h 1 Yes I2C_BUS1_DATA ;\ 10144001h 1 Yes I2C_BUS1_CNT ; BUS 1 (extra 3DS devices) 10144002h 2 Yes I2C_BUS1_CNTEX ; 10144004h 2 Yes I2C_BUS1_SCL ;/ 10148000h 1 Yes I2C_BUS2_DATA ;\ 10148001h 1 Yes I2C_BUS2_CNT ; BUS 2 (extra 3DS gimmicks) 10148002h 2 Yes I2C_BUS2_CNTEX ; 10148004h 2 Yes I2C_BUS2_SCL ;/ |
0 Stop (0=No, 1=Stop/last byte) 1 Start (0=No, 1=Start/first byte) 2 Pause (0=Transfer Data, 1=Pause after Error, used with/after Stop) 3 unknown/unspecified 4 Ack Flag (0=Error, 1=Okay) (For DataRead: W, for DataWrite: R) 5 Data Direction (0=Write, 1=Read) 6 Interrupt Enable (0=Disable, 1=Enable) 7 Start/busy (0=Ready, 1=Start/busy) |
0-1 ? Set to 2 normally 3-15 unknown/unspecified |
0-5 ? 6-7 unknown/unspecified 8-12 ? Set to 5 normally 13-15 unknown/unspecified |
id bus Write service Device description
0 1 4Ah "i2c::MCU" Power management? (same device addr as
the DSi power-management) (uh, what???)
1 1 7Ah "i2c::CAM" Camera0? (same dev-addr as DSi cam0)
2 1 78h "i2c::CAM" Camera1? (same dev-addr as DSi cam1)
3 2 4Ah "i2c::MCU" MCU
4 2 78h "i2c::CAM" ? maybe second external camera, for left or right?
5 2 2Ch "i2c::LCD" ? maybe upper or lower screen?
6 2 2Eh "i2c::LCD" ? maybe lower or upper screen?
7 2 40h "i2c::DEB" ?
8 2 44h "i2c::DEB" ?
9 3 A6h "i2c::HID" Unknown. The device table in I2C-module had
the device address changed from A6h to D6h
with 8.0.0-18.
10 3 D0h "i2c::HID" Gyroscope
11 3 D2h "i2c::HID" ?
12 3 A4h "i2c::HID" DebugPad
13 3 9Ah "i2c::IR" IR ;maybe IR transmitter/receiver? or IR camera??
14 3 A0h "i2c::EEP" eeprom?
15 2 EEh "i2c::NFC" New3DS-only NFC (Near-field communication)
16 1 40h "i2c::QTM" New3DS-only QTM (head tracking)
17 3 54h "i2c::IR" Used by IR-module starting with 8.0.0-18, for
New3DS-only HID via "ir:rst". This deviceid
doesn't seem to be supported by i2c module
on 8.0.0-18 (actual support was later added
in New3DS i2c module).
|
ro = read-only (writing is no-op)
rw = read-write
wo = write-only (reading will yield 00, FF, or unpredictable data)
d* = dynamic register (explaination below this table)
s* = shared register (explaination below this table)
ds = dynamic shared (explaination below this table)
0x00 s ro Version high
0x01 s ro Version low
0x02 d rw 2bit value, writing will mask away/"acknowledge" the
event, set to 3 by mcuMainLoop on reset if reset source
is Watchdog
bit0: RTC clock value got reset to defaults
bit1: Watchdog reset happened
0x03 ds rw Top screen flicker
0x04 ds rw Bottom screen flicker
0x05-0x07 s rw Danger zone - MCU unlock sequence is written here.
0x08 s ro Raw 3D slider position
0x09 s ro Volume slider state (00h..3Fh)
This is the same value returned by MCUHWC:GetSoundVolume
0x0A s ro ? (seems to be power management related?)
0x0B s ro Battery percentage
0x0C s ro ? (changes to 0 for a second when the charger is plugged
in then it resets to its previous value)
0x0D s ro System voltage
0x0E s ro ?
0x0F s ro Flags: bit7-5 are read via mcu::GPU. The rest of these
are read via mcu::RTC:
bit4 = BatteryChargeState.
bit3 = AdapterState.
bit1 = ShellState.
0x10-0x13 s ro Received interrupt bitmask, see register 0x18 for
possible values
If no interrupt was received this register is 0
0x14 s ro Unused and unwritable byte
0x15-0x17 s rw Unused and unreferenced free RAM! Good for userdata.
0x18-0x1B s rw Interrupt mask for register 0x10 (0=Enabled, 1=Disabled)
bit00: Power button press (for 27 "ticks")
bit01: Power button held (for 375 "ticks"; the 3DS
turns off regardless after a fixed time)
bit02: HOME button press (for 5 "ticks")
bit03: HOME button release
bit04: WiFi switch button
bit05: Shell close
bit06: Shell open
bit07: Fatal hardware condition(?) (sent when the MCU
gets reset by the Watchdog timer)
bit08: Charger removed
bit09: Charger plugged in
bit10: RTC alarm (when some conditions are met it's
sent when the current day and month and year
matches the current RTC time)
bit11: ??? (accelerometer related)
bit12: HID update
bit13: Battery dead(?)
bit14: Battery stop charging(?) (independent of charger
state)
bit15: Battery start charging(?)
Nonmaskable(?) interrupts
bit16: ???
bit17: ??? (opposite even for bit16)
bit22: Volume slider position change
bit23: ??? Register 0x0E update
bit24: ??? (the off event for below bit)
bit25: ??? (triggered when something related to the
GPU is turned on)
bit26: ??? (???)
bit27: ??? (???)
bit28: ??? (???)
bit29: Battery percentage status change (triggered at
10%, 5%, and 0% while discharging)
bit30: bit set by mcu sysmodule
bit31: bit set by mcu sysmodule
0x1C-0x1F s rw Unused and unreferenced free RAM! Good for userdata.
0x20 d wo System power control:
bit0: power off
bit1: reboot (unused?)
bit2: reboot (used by mcu sysmodule and LgyBg)
bit3: used by LgyBg to power off, causes hangs in
3DS-mode
bit4: an mcu::RTC command uses this, seems to do
something with the watchdog
Bit 4 sets a bit at a RAM address which seems to
control the watcdog timer state, then this
bit is immediately unmasked. This field has
a bitmask of 0x0F.
0x21 d wo ??? switches up input bits from 0123456-- to 12-0435-
then writes them to REG[0x5D] (0xFFC02)
0x22 d wo Used to set LCD states
bit0: don't push to LCDs
bit1: push to LCDs
bit2: bottom screen backlight off
bit3: bottom screen backlight on
bit4: top screen backlight off
bit5: top screen backlight on
Bits 4 and 5 have no effect on a 2DS because the
backlight source is the bottom screen. The rest of
the bits are masked away.
0x23 ?? wo ??? Seems to be stubbed, just returns the written value
from the write handler function.
0x24 s rw Watchdog timer. This must be set *before* the timer is
triggered, otherwise the old value is used. Value zero
disables the watchdog.
0x25 s rw ?
0x26 s rw ?
0x27 sd rw Raw volume slider state
0x28 s rw Brightness of the WiFi/Power LED
0x29 sd(5)rw Power LED state + some extra data
0x2A s rw WiFi LED state, non-0 value turns on the WiFi LED,
4 bits wide
0x2B s rw Camera LED state, 4bits wide,
0, 3, 6-0xF = off
1 = slowly blinking
2 = constantly on
4 = flash once
5 = delay before changing to 2
0x2C s rw 3D LED state, 4 bits wide
0x2D 0x64 wo This is used for controlling the notification LED (see
MCURTC:SetInfoLEDPatternHeader as well), when this
register is written. It's possible to write data here
with size less than 0x64, and only that portion of the
pattern data will get overwritten. Reading from this
register only returns zeroes, so it's considered
write-only. Writing past the size of this register
seems to do nothing.
0x2E s ro This returns the notification LED status when read
(1 means new cycle started)
0x2F s wo? ??? The write function for this register is stubbed.
0x30-0x36 ds rw RTC time (system clock). 7 bytes are read from this. The
upper nibble of each byte encodes 10s (BCD), so each
byte is post-processed with
(byte & 0xF) + (10 * (byte >> 4)).
byte 0: seconds
byte 1: minutes
byte 2: hours
byte 3: current week (unused) ;uh, not day of week?
byte 4: days
byte 5: months
byte 6: years
0x37 s rw RTC time byte 7: leap year counter / "watch error
correction" register (unused in code)
0x38-0x3C s rw RTC alarm registers
byte 0: minutes(???)
byte 1: hours(???)
byte 2: day
byte 3: month
byte 4: year
0x3B s rw Could be used on very old MCU_FIRM versions to upload
MCU firmware if some conditions are met.
0x3D
|
0x3E ds ro RTC tick counter / "ITMC" (when resets to 0 the seconds
increase)
Only reading 0x3D will update the in-RAM value ???
0x3F s wo 2 bits
bit0: turns off P00 and sets it to output mode (seems
to kill the entire SoC)
bit1: turns on a prohibited bit in an RTC Control
register and turns P12 into an output
0x40 s rw Pedometer state (?)
0x41 s rw Index selector for register 0x44
0x42 s rw Unused?
0x43 s rw Unused???, accelometer related
0x44 s rw ???, accelometer related
0x45-0x4A s ro Gyroscope 3D rotation from the 12bit ADC,
left shifted 4 to fit in a 16bit signed short
AXIS V=0x00 V=0x40 V=0xC0
Y (=roll) held vertically vertical right vertical left
Z? (=yaw) ??? ??? ???
X? (=pitch) held vertically ??? ???
0x4B s rw PedometerStepCount (for the current day)
0x4C
0x4D ?? ?? ??
0x4E d rw ??? this = (0xFFE9E & 1) ? 0x10 : 0
0x4F d(6) ro
0x50 s rw ???
0x51 s rw ???
0x52-0x57 s rw ?
0x58 s rw Register-mapped ADC register
DSP volume slider 0% volume offset (setting this to
0xFF will esentially mute the DSP as it's the volume
slider's maximum raw value)
0x59 s rw Register-mapped ADC register
DSP volume slider 100% volume offset (setting both
this and the above to 0 will disable the volume slider
with 100% volume, setting this to a lower value than
the above will make the volume slider have only 2
states; on and off)
0x5A s ro/rw Invalid, do not use! On newer MCU_FIRM versions
this is unused, but on older MCU_FIRM versions
this is a read-only counter.
0x5B-0x5F s - These registers are out of bounds (0xFFC00 and up),
they don't exist, writing is no-op, reading will
yield FFs.
0x60 ds rw Looping queue register
Writing to first byte resets the queue position
to the nth element Reading from this register
causes the values to shift up by "readsize-1"
(needs confirmation) bytes after returning
"readsize-1" bytes from the top of the stack
(first byte is read-only, so is always zero)
0x61 ds(0x100) rw Writing to this register pushes values on top of
register 0x60's stack. Reading from this register
doesn't advance the stack.
The first byte is used to store flags for
managing FIRM/NS state
bit0 = "WirelessDisabled",
bit1 = "SoftwareClosed",
bit2 = "PowerOffInitiated",
bit4 = "LegacyJumpProhibited".
This register survives a power-off, but it
resides in RAM, so its contents get lost on
battery pulls. This register doesn't seem to
actually control MCU behaviour by itself, it
just seems to be used for storing arbitrary data.
0x62-0x7E s - These registers don't exist, writing is no-op,
reading will yield FFs.
0x7F d(9-0x13) ro Various system state information.
byte 0x06: battery related? (seems to decrease
while charging and increase while discharging)
byte 0x09: system model (see Cfg:GetSystemModel
for values)
byte 0x0A: power LED related? 0 is off, 1 is red
byte 0x0D: RGB LED red intensity
byte 0x0E: RGB LED green intensity
byte 0x0F: RGB LED blue intensity
byte 0x11: WiFi LED brightness
byte 0x12: raw button states?
bit0: unset while power button is held
bit1: unset while home button is held
bit2: unset while Wifi slider is held
bit5: unset while the charging LED is active
bit6: unset while charger is plugged in
this byte is reset to 0 before an svcBreak
takes effect
On MCU_FIRM major version 1 the size of this
is 9, reading past the 9th byte will yield AA
instead of FF.
0x80-0xFF s - These registers don't exist, writing is no-op,
reading will yield FFs.
|
0x01 8 ?
0x11 8 ?
0x40 8 CMD_IN/CMD_RESULT1 Write to trigger a command? Seen
commands:
0xFF=Reset?,
0x62=IsFinished?.
Result is stored in
CMD_RESULT1:CMD_RESULT0.
0x41 8 CMD_RESULT0 Read result
0x50 8 ?
0x60 8 ?
0xFE 8 ?
|
Register Width Description 00h 21 DebugPad state. |
Register Size Description 00h R0 40h RHR / THR (data receive/send FIFO) 08h R1 1 IER 10h R2 1 FCR/IIR 18h R3 1 LCR 20h R4 1 MCR 28h R5 1 LSR 30h R6 1 MSR/TCR 38h R7 1 SPR/TLR 40h R8 1 TXLVL 48h R9 1 RXLVL 50h R10 1 IODir 58h R11 1 IOState 60h R12 1 IoIntEna 68h R13 1 reserved 70h R14 1 IOControl 78h R15 1 EFCR |
Offset Size Description 00h 1 Normally 10h? 01h 1 Command source / destination. 02h 1 CmdID 03h 1 Payload size. |
000000: 44 65 63 20 32 32 20 32 30 31 32 31 34 3a 35 33 Dec 22 201214:53 000010: 3a 35 30 01 05 0d 46 05 1b 79 20 07 32 30 37 39 :50...F..y .2079 000020: 31 42 35 1B5 |
CmdRequest[1] CmdID Payload data for parameters 2Eh 2Fh Firmware image for this chunk, size varies. |
| 3DS GPU EXTERNAL Registers |
User VA PA Size Name Comments
1EF00004h 10400004h 4 ?
1EF00010h 10400010h 16 Memory Fill1 "PSC0" GX command 2
1EF00020h 10400020h 16 Memory Fill2 "PSC1" GX command 2
1EF00030h 10400030h 4 ?
1EF00034h 10400034h 4 GPU Busy Bit31 = cmd-list busy
bit27 = PSC0 busy
bit26 = PSC1 busy
1EF00050h 10400050h 4 ? Writes 22221200h on GPU init
1EF00054h 10400054h 4 ? Writes FF2h on GPU init
1EF000C0h 104000C0h 4 Backlight control Writes 0 to allow backlights
to turn off, 20000000h to
force them always on.
1EF00400h 10400400h 100h Framebuffer Setup "PDC0" (top screen)
1EF00500h 10400500h 100h Framebuffer Setup "PDC1" (bottom)
1EF00C00h 10400C00h ? Transfer Engine "DMA"
1EF01000h 10401000h 4 ? Writes 0 on GPU init
and before the
Command List is used
1EF01080h 10401080h 4 ? Writes 12345678h on GPU init
1EF010C0h 104010C0h 4 ? Writes FFFFFFF0h on GPU init
1EF010D0h 104010D0h 4 ? Writes 1 on GPU init.
1EF014??h 104014??h 14h "PPF" ?
1EF018E0h 104018E0h 14h Command List "P3D"
|
User VA Description
1EF000X0h Buffer start physaddr >> 3
1EF000X4h Buffer end physaddr >> 3
1EF000X8h Fill value
1EF000XCh Control:
bit0 Start/busy
bit1 Finished
bit2-3 unknown/unspecified
bit8-9 Fill-width (0=16bit, 1=3=24bit, 2=32bit)
bit10-xx unknown/unspecified
|
Offset Name Comments
0x00 Pixel clock Higher values are slower, 12bits.
Setting this value too low will make the screen not be able
to sync any pixels other than a single one from the wrong
location. The lowest the screen can handle is 0x1C2, at
0x1C1 the display loses a few scanlines worth of pixel
clock (though not noticable).
0x04 HBlank timer(?) Seems to determine the horizontal blanking interval.
Setting this to lower than HTotal - HDisp will make the screen
not catch up with the scanlines, some will be skipped, some
will be misaligned.
Setting this to higher than HTotal - HDisp will make the
displayed image misaligned to the right.
Setting this to higher than HTotal seems to make the horizontal
synchronization never happen.
0x08 ? must be >= REG#0x00
0x0C ? must be >= REG#0x08
0x10 Vertical pixel interpolation(?) Some sort of delay in signal. Has
dither-like effect.
0x14 Horizontal data offset(?) ??? Seems to offset the screen to the
left if this value is high enough, but
can glitch out the syncing on the bottom
screen. High enough values will make the
screen skip too many "pixels". If this
value is higher or equal to *some value*
(aka. if less than one pixel per line is
displayed on the screen) then the screen
will lose synchronization.
0x18 ??? ???
0x20 Low: Horizontal pixel data offset(?)
High: ??? ??? extra pixels get inserted in the first displayed
scanline and thus the image gets shifted to the right.
Seems to make horizontal syncing a bit glitchy. If a
HSync occurs, the pixel data is suspended until the
first pixel is supposed to be displayed, then the pixel
stream will continue where it left off until a delayed
HSync gets processed relative to the pixel data.
0x24 Low: ???
High: ??? The low 12bit halfword seems to affect:
- the total amount of scanlines displayed
- vertical pixel data offset if the GPU can't VSync properly
- VSync length
0x28 VBlank timer(?) Seems to determine the vertical blanking interval.
Setting this to lower than VTotal-VDisp will cut off the
top VTotal - VDisp - thisvalue lines.
Setting this to higher than VTotal-VDisp will make the image
be pushed downwards with the overscan color visible.
Setting this to higher than HTotal will make the GPU skip
vertical pixel data synchronization (hence filling the
screen with the rest of the pixel data past the given
screen framebuffer size). Also will skip
thisvalue + somevalue - HTotal lines into the "global"
pixel buffer.
0x30 VTotal Total amount of vertical scanlines in the pixel buffer,
must be bigger than *an unknown blanking-like value*. If
this value is less than VDisp then the last two scanlines
will be repeated interlaced until VDisp is reached.
0x34 VDisp(?) Total amonut of vertical scanlines displayed (only for
top screen it seems like). If this value is less than
VTotal then the rest of the scanlines will not be updated
on the screen, so those will slowly fade out. Must be
bigger than *an unknown blanking-like value*, otherwise
an underflow will happen.
0x38 Vertical data offset(?) ??? Seems to offset the screen upwards
if this value is high enough. If this
value is higher or equal to *some value*
(aka. if less than one scanline is
displayed on the screen) then the screen
will lose synchronization.
0x44 ??? similar functionality to 0x10
0x48 ??? bit0 seems to disable HSync,
bit8 seems to disable VSync, rest of the bits aren't writable
0x4C Overscan filler color
0x50 Horizontal position counter read-only
0x54 Horizontal scanline (HBlank) counter read-only
0x5C ??? low u16: framebuffer width
high u16: framebuffer height??? (seems to be unused)
0x60 ??? low u16: timing data(?)
high u16: framebuffer total width (amount of pixels blitted
regardless of framebuffer width)
0x64 ??? low u16: unknown
high u16: framebuffer total height (amount of scanlines
blitted regardless of framebuffer height)
0x68 Framebuffer A first address ;\For top screen, this is the LEFT eye
0x6C Framebuffer A second address ;/buffer (both eyes for bottom screen)
0x70 Framebuffer format Bit0-15: framebuffer format, bit16-31: unknown
0x78 Framebuffer select Bit0: which framebuffer to display,
bit1-7: unknown
0x80 Color lookup table index select 8bits, write-only
0x84 Color lookup table indexed element
Contains the value of the color lookup table indexed by the
above register, 24bits, RGB8 (0x00BBGGRR)
Accessing this register will increase the index register by one
0x90 Framebuffer stride Distance in bytes between the start of two
framebuffer rows (must be a multiple of 8).
0x94 Framebuffer B first address ;\For top screen, this is the RIGHT eye
0x98 Framebuffer B second address ;/buffer (unused for bottom screen)
|
Bit Description
0-2 Color format (0-4, see below)
3 ?
4 Unused?
5 Enable parallax barrier (ie. 3D)
6 1=main screen, 0=sub screen. However if bit5=1, this bit is cleared
7 ?
8-9 Value 1=unknown: get rid of rainbow strip on top of screen,
3=unknown: black screen.
10-15 Unused?
|
Value Description 00h GL_RGBA8_OES 01h GL_RGB8_OES 02h GL_RGB565_OES 03h GL_RGB5_A1_OES 04h GL_RGBA4_OES |
1EF00C00h Input physical address >> 3
1EF00C04h Output physical address >> 3
1EF00C08h DisplayTransfer output width (bits 0-15) and height (bits 16-31)
1EF00C0Ch DisplayTransfer input width and height.
1EF00C10h Transfer flags. (See below)
1EF00C14h GSP module writes value 0 here prior to writing
to 1EF00C18h, for cmd3.
1EF00C18h Setting bit0 starts the transfer. Upon completion, bit0 is
unset and bit8 is set.
1EF00C1Ch ?
1EF00C20h TextureCopy total amount of data to copy, in bytes.
1EF00C24h TextureCopy input line width (bits 0-15) and gap (bits 16-31),
in 16 byte units.
1EF00C28h TextureCopy output line width and gap.
|
0 When set, the framebuffer data is flipped vertically.
1 When set, the input framebuffer is treated as linear and converted
to tiled in the output, converts tiled->linear when unset.
2 This bit is required when the output width is less than the input
width for the hardware to properly crop the lines, otherwise the
output will be mis-aligned.
3 Uses a TextureCopy mode transfer. See below for details.
4 Not writable
5 Don't perform tiled-linear conversion. Incompatible with bit 1, so
only tiled-tiled transfers can be done, not linear-linear.
6-7 Not writable
8-10 Input framebuffer color format, value0 and value1 are the same as
the LCD Source Framebuffer Formats (usually zero)
11 Not writable
12-14 Output framebuffer color format
15 Not writable
16 Use 32x32 block tiling mode, instead of the usual 8x8 one. Output
dimensions must be multiples of 32, even if cropping with bit 2
set above.
17-23 Not writable
24-25 Scale down the input image using a box filter.
0=No downscale, 1=2x1 downscale. 2=2x2 downscale, 3=invalid
26-31 Not writable
|
Address Description
1EF018E0h Buffer size in bytes >> 3
1EF018E8h Buffer physical address >> 3
1EF018F0h Setting bit0 to 1 enables processing GPU command
execution. Upon completion, bit0 seems to be reset to 0.
|
1EF00400h = 1C2h 1EF00404h = D1h 1EF00408h = 1C1h 1EF0040Ch = 1C1h 1EF00410h = 0 1EF00414h = CFh 1EF00418h = D1h 1EF0041Ch = 1C501C1h 1EF00420h = 10000h 1EF00424h = 19Dh 1EF00428h = 2 1EF0042Ch = 1C2h 1EF00430h = 1C2h 1EF00434h = 1C2h 1EF00438h = 1 1EF0043Ch = 2 1EF00440h = 1960192h 1EF00444h = 0 1EF00448h = 0 1EF0045Ch = 19000F0h 1EF00460h = 1c100d1h 1EF00464h = 1920002h 1EF00470h = 80340h 1EF0049Ch = 0 |
1EF00468h = 18300000h ;\later changed by GSP module when updating state, 1EF0046Ch = 18300000h ;/framebuffer 1EF00494h = 18300000h 1EF00498h = 18300000h 1EF00478h = 1 ;-doesn't stay 1, read as 0 1EF00474h = 10501h |
| 3DS ARM11 Interrupts |
17E00000h - ? 17E00100h - ? 17E00104h - ? 17E00108h - ? 17E0010Ch - IRQ status? (bit0..9 = IRQ number?) 17E00110h - IRQ ack or so? 17E00600h+N*20h+0 - ? 17E00600h+N*20h+8 - ? 17E00600h+N*20h+C - ? 17E00600h+4h - ? 17E00600h+30h - ? 17E00600h+34h - ? set to 12345678h then 87654321h 17E01000h - ? 17E01180h+? - ? 17E01200h+?? - ? ;1bit per IRQ (400h*1bit) 17E01280h - ? 17E01280h+?? - ? 17E01400h+IrqNo*1 - maybe prio/ctrl per irq? ;8bit per IRQ (400h*8bit) 17E01800h+IrqNo*1 - ? ;8bit per IRQ (400h*8bit) 17E01C00h+IrqNo/16 - ? ;2bit per IRQ (400h*2bit) |
IRQ Listener Description
00h MPCore software-interrupt. Not configured.
01h MPCore software-interrupt. Used by BOOT11 to kickstart
Core1.
02h-03h MPCore software-interrupt. Seem to be unused.
04h Kernel MPCore software-interrupt. Used to manage the
performance counter.
05h Kernel MPCore software-interrupt. Does apparently nothing.
06h Kernel MPCore software-interrupt. Extensively used by
KernelSetState (and contains most of the actual
code of the latter).
07h Kernel MPCore software-interrupt.
See KCacheMaintenanceInterruptEvent
08h Kernel MPCore software-interrupt. Used for scheduling.
09h Kernel MPCore software-interrupt. Used when handling
exceptions that require termination of a thread or
a process, and in some cases by
svcSetDebugThreadContext, to store VFP registers
in the thread's register storage.
0Ah Kernel TLB operations interrupt,
see KTLBOperationsInterruptEvent
0Bh-0Eh MPCore software-interrupt. Not configured.
0Fh dmnt/debugger MPCore software-interrupt. Used to abstract FIQ
(debug). This interrupt is never sent to core2
nor core3 on N3DS.
1Dh Kernel MPCore timer.
1Eh Kernel MPCore watchdog - set when the watchdog counter
reaches 0 in timer mode, causes interrupt 30 to set
as pending. Only set on core 1 as core 1's timer is
used for everything.
|
IRQ Listener Description 28h gsp, TwlBg PSC0 29h gsp, TwlBg PSC1 2Ah gsp, TwlBg PDC0 (VBlank0) 2Bh gsp, TwlBg PDC1 (VBlank1) 2Ch gsp, TwlBg PPF 2Dh gsp, TwlBg P3D 30h Kernel ? ;30h-37h DMA ? 39h Kernel DMA 3Ah Kernel DMA 3Bh Kernel DMA 40h nwm WIFI SDIO Controller at 10122000h 41h nwm ? 42h nwm_dev? WIFI SDIO Controller at 10100000h 45h mvd (New3DS) ? 46h mvd (New3DS) ? 48h camera ? 49h camera ? 4Ah dsp ? 4Bh camera Y2R Conversion Finished 4Ch TwlBg ? 4Dh TwlBg ? 4Eh mvd (New3DS) Y2R2 End Event 4Fh mvd (New3DS) Related to mvd services 50h pxi, TwlBg Sync 51h pxi, TwlBg ? 52h pxi, TwlBg Send Fifo Empty 53h pxi, TwlBg Receive Fifo Not Empty 54h i2c, TwlBg I2C Bus0 work done 55h i2c, TwlBg I2C Bus1 work done 56h spi, TwlBg ? 57h spi, TwlBg ? 58h Kernel PDN 59h TwlBg ? 5Ah mic ? 5Ch i2c, TwlBg I2C Bus2 work done 60h gpio, TwlBg Shell opened 62h gpio, TwlBg Shell closed 63h gpio, TwlBg Touchscreen 64h gpio, TwlBg Headphone jack plugged in/out 66h gpio, TwlBg ? 68h gpio, TwlBg IR 69h gpio, TwlBg ? 6Ah gpio, TwlBg ? 6Bh gpio, TwlBg ? 6Ch gpio, TwlBg ? 6Dh gpio, TwlBg ? 6Eh gpio, TwlBg ? 6Fh gpio, TwlBg ? 70h gpio, TwlBg ? 71h gpio, TwlBg MCU: HOME/POWER pressed/released or WiFi switch pressed 72h gpio, TwlBg ? 73h TwlBg ? 74h ? Gamecard related 75h ? Gamecard inserted 78h-7Bh Kernel Core 0-3 Performance monitor counter (any) overflow 7Ah-82h when PDN_MPCORE_CFG bit2 set ;\ or ; Kernel ? 7Ch-84h when PDN_MPCORE_CFG bit2 clear ;/ |
Offset Type Description
0x0 KBaseInterruptEvent * Pointer to the KBaseInterruptEvent object
for this interrupt
0x4 u8 Interrupt will be disabled by the IRQ handler
as soon as it is acknowledged.
Ignored for FIQ: the FIQ handler always sets
bit2 of PDN_FIQ_CNT
0x5 u8 Interrupt is disabled
0x6 u8 Interrupt priority
0x7 u8 Unused, alignment
|
Offset Type Description 0x0 InterruptData[224] Data for all hardware and software interrupts 0x700 KObjectMutex Mutex |
| 3DS NCSD Format |
NCCH Index Reserved Use 0 Executable Content (CXI) 1 E-Manual (CFA) 2 Download Play Child container (CFA) 6 New3DS Update Data (CFA) 7 Update Data (CFA) |
000h 100h RSA-2048 SHA-256 signature of the NCSD header
100h 4 Magic Number 'NCSD'
104h 4 Size of the NCSD image, in media units
(1 media unit = 200h bytes)
108h 8 Media ID
110h 8 Partitions FS type (0=None, 1=Normal, 3=FIRM, 4=AGB_FIRM save)
118h 8 Partitions crypt type (each byte corresponds to a partition
in the partition table)
120h (4+4)*8 Offset & Length partition table, in media units
160h A0h ...
For carts:
160h 20h Exheader SHA-256 hash
180h 4 Additional header size
184h 4 Sector zero offset
188h 8 Partition Flags (see below)
190h 40h=8*8 Partition ID table
1D0h 20h Reserved
1F0h 0Eh Reserved?
1FEh 1 Support for this was implemented with 9.6.0-X FIRM.
Bit0=1 enables using bits 1-2, it's unknown what these two
bits are actually used for (the value of these two bits get
compared with some other value during NCSD
verification/loading).
This appears to enable a new, likely hardware-based,
antipiracy check on cartridges.
1FFh 1 Support for this was implemented with 9.6.0-X FIRM, see below
regarding save crypto.
For NAND:
160h 5Eh Unknown
1BEh 42h Encrypted MBR partition-table, for the TWL partitions
(key-data used for this keyslot is console-unique).
|
Byte Description
00h Backup Write Wait Time (The time to wait to write save to backup
after the card is recognized (0-255 seconds)). NATIVE_FIRM loads
this flag from the gamecard NCSD header starting with 6.0.0-11.
03h Media Card Device (1=NOR Flash, 2=None, 3=BT) (SDK 3.X+)
04h Media Platform Index (1=CTR)
05h Media Type Index (0=Inner Device, 1=Card1, 2=Card2, 3=Extended Device)
06h Media Unit Size i.e. u32 MediaUnitSize = 0x200*2^flags[6];
07h Media Card Device (1=NOR Flash, 2=None, 3=BT) (Only SDK 2.X)
|
Byte Description
01h Starting with 6.0.0-11 NATIVE_FIRM will use this flag to determine
the gamecard savegame keyY method, when flag[3] is set.
0 = 2.0.0-2 hashed keyY,
1 = new keyY method implemented with 6.0.0-11.
0x0A = implemented with 9.3.0-X. On Old3DS this is identical to
the 2.2.0-4 crypto. On New3DS this is identical to the 2.2.0-4
crypto, except with New3DS-only gamecard savedata keyslots.
|
03h Support for this flag was implemented in NATIVE_FIRM with 2.0.0-2.
When this flag is set the hashed gamecard savegame keyY method is
used, this likely still uses the repeating-CTR however.
With 6.0.0-11 the system will determine the gamecard savegame keyY
method via flag[1], instead of just using the hashed keyY via this
flag.
07h This flag enables using the hashed gamecard savegame keyY method,
support for this flag was implemented in NATIVE_FIRM with 2.2.0-4.
All games with the NCSD image finalized since 2.2.0-4 (and contains
2.2.0-4+ in the system update partition) have this flag set, this
flag also enables using new CTR method as well.
|
Offset Size Description
200h 4 CARD2: Writable Address In Media Units (For 'On-Chip' Savedata)
CARD1: Always FFFFFFFFh.
204h 4 Card Info Bitmask
208h 108h Reserved1
310h 2 Title version
312h 2 Card revision
208h CEEh Reserved2
1000h 10h Card seed keyY (first u64 is Media ID (same as first NCCH
partitionId))
1010h 10h Encrypted card seed (AES-CCM, keyslot 3Bh for retail cards,
see CTRCARD_SECSEED)
1020h 10h Card seed AES-MAC
1030h 0Ch Card seed nonce
103Ch C4h Reserved3
1100h 100h Copy of first NCCH header (excluding RSA signature)
Development Card Info Header Extension:
1200h 200h CardDeviceReserved1
1400h 10h TitleKey
1410h F0h CardDeviceReserved2
|
| 3DS NCCH Format |
- first a NCCH header,
- followed by an extended header,
- followed by an access descriptor,
- followed by an optional plain binary region,
- followed by an optional executable filesystem (ExeFS) - (contains ARM11
code, Home menu icn/bnr and logo),
- and finally followed by an optional read-only filesystem (RomFS) - (Used
for external file storage).
|
- first a NCCH header,
- followed by an optional executable filesystem (ExeFS) (same as in CXI,
except no ARM11 code)
- followed by an optional read-only filesystem (RomFS)
|
ncchflag[3] FW Introduced Old3DS AES Keyslots 01h 7.0.0-X Yes 25h 0Ah 9.3.0-X No 18h 0Bh 9.6.0-X No 1Bh |
000h 100h RSA-2048 signature of the NCCH header, using SHA-256.
100h 4 Magic ID, always 'NCCH'
104h 4 Content size, in media units (1 media unit = 200h bytes)
108h 8 Partition ID
110h 2 Maker code
112h 2 Version
114h 4 When ncchflag[7]=20h starting with FIRM 9.6.0-X, this
is compared with the first output u32 from a SHA256 hash.
The data used for that hash is 18h-bytes: <10h-long
title-unique content lock seed> <programID from
NCCH+118h>. This hash is only used for verification of
the content lock seed, and is not the actual keyY.
118h 8 Program ID
120h 10h Reserved
130h 20h Logo Region SHA-256 hash. (For applications built with SDK
5+) (Supported from firmware: 5.0.0-11)
150h 10h Product code
160h 20h Extended header SHA-256 hash (SHA256 of 2x Alignment Size,
beginning at 00h of ExHeader)
180h 4 Extended header size, in bytes
184h 4 Reserved
188h 8 Flags (See Below)
190h 4 Plain region offset, in media units
194h 4 Plain region size, in media units
198h 4 Logo Region offset, in media units (For applications built
with SDK 5+) (Supported from firmware: 5.0.0-11)
19Ch 4 Logo Region size, in media units (For applications built
with SDK 5+) (Supported from firmware: 5.0.0-11)
1A0h 4 ExeFS offset, in media units
1A4h 4 ExeFS size, in media units
1A8h 4 ExeFS hash region size, in media units
1ACh 4 Reserved
1B0h 4 RomFS offset, in media units
1B4h 4 RomFS size, in media units
1B8h 4 RomFS hash region size, in media units
1BCh 4 Reserved
1C0h 20h ExeFS superblock SHA-256 hash - (SHA-256 hash, starting
at 00h of the ExeFS over the number of media units
specified in the ExeFS hash region size)
1E0h 20h RomFS superblock SHA-256 hash - (SHA-256 hash, starting
at 00h of the RomFS over the number of media units
specified in the RomFS hash region size)
|
Index Description
3 Crypto Method: When this is non-zero, a NCCH crypto method using
two keyslots is used (see above).
4 Content Platform: 1=CTR, 2=Snake (New 3DS).
5 Content Type Bit-masks: Data=0x1, Executable=0x2, SystemUpdate=0x4,
Manual=0x8, Child=(0x4|0x8), Trial=0x10.
When 'Data' is set, but not 'Executable', NCCH is a CFA.
Otherwise when 'Executable' is set, NCCH is a CXI.
6 Content Unit Size i.e. u32 ContentUnitSize = 0x200*2^flags[6];
7 Bit-masks: FixedCryptoKey=0x1, NoMountRomFs=0x2, NoCrypto=0x4,
using a new keyY generator = 0x20(starting with FIRM 9.6.0-X).
|
Signature: 720FF8F83F2A1E998322A026D1434165
ED19642ABC1CB2722135AA202BEAD60A
80BCD21C768C597B8268FEF2C64EA710
4C9BA5E12CFFBD1D0C619F4EF7B42CA7
DD8482CB4EB26720AD66CDA57ABCBCFB
D63268A6E2896A59B3B744E39E45B88A
ABB4C0980ACC6210818DCE6DAC838A10
95D0F66B352474D4B3DA4B333F49912D
29AF7EA58BC8C890B18C70B7D540A9FB
EBE24A5312055617D3353B28C3EB1D17
61021BEFF6AD22C384835B40BD44DFAD
981F6350F9458B17BCB5F768C92ABC93
2BCE9888855A8998F4CDE40C9543514A
C57B84EB75A680E7C742632614620D1D
A253284DF3DC01091EB3800C36FD62EE
BA15340F1FD498FAB67C0302E9CDA397
Magic: NCCH
Content size: 0x1cfef400
Partition id: 0004000000038c00
Maker code: 3436 ("46")
Version: 0002
Program id: 0004000000038c00
Temp flag: 00
Product code: CTR-P-ALGP
Extended header hash: 0C27E3C1DE7B2AE2D3114F32A4EEBF46
9AFD0CF352C11D4984C2A9F1D2144C63
Extended header size: 00000400
Flags: 0000030100000000
Plain region offset: 0x00004a00
Plain region size: 0x00000200
ExeFS offset: 0x00004c00
ExeFS size: 0x00143800
ExeFS hash region size: 0x00000200
RomFS offset: 0x00148400
RomFS size: 0x1ceab000
RomFS hash region size: 0x00000200
ExeFS Superblock Hash: 130C042615F647C4C63225EA9E67F8A2
7B15246B88FBC7A927257B84977B787B
RomFS Superblock Hash: A65BEE1060BB6A6821BBCEC600035B7E
64FB6EACA7F0960CFB1F5A37087728F7
|
04a00 5b 53 44 4b 2b 4e 49 4e 54 45 4e 44 4f 3a 43 54 [SDK+NINTENDO:CT 04a10 52 5f 53 44 4b 2d 30 5f 31 34 5f 32 33 5f 32 30 R_SDK-0_14_23_20 04a20 30 5f 6e 6f 6e 65 5d 00 5b 53 44 4b 2b 4e 49 4e 0_none].[SDK+NIN 04a30 54 45 4e 44 4f 3a 46 69 72 6d 77 61 72 65 2d 30 TENDO:Firmware-0 04a40 32 5f 32 37 5d 00 5b 53 44 4b 2b 4d 6f 62 69 63 2_27].[SDK+Mobic 04a50 6c 69 70 3a 44 65 62 6c 6f 63 6b 65 72 5f 31 5f lip:Deblocker_1_ 04a60 30 5f 32 5d 00 5b 53 44 4b 2b 4d 6f 62 69 63 6c 0_2].[SDK+Mobicl 04a70 69 70 3a 49 6d 61 41 64 70 63 6d 44 65 63 5f 31 ip:ImaAdpcmDec_1 04a80 5f 30 5f 30 5d 00 5b 53 44 4b 2b 4d 6f 62 69 63 _0_0].[SDK+Mobic 04a90 6c 69 70 3a 4d 6f 62 69 63 6c 69 70 44 65 63 5f lip:MobiclipDec_ 04aa0 31 5f 30 5f 31 5d 00 5b 53 44 4b 2b 4d 6f 62 69 1_0_1].[SDK+Mobi 04ab0 63 6c 69 70 3a 4d 6f 66 6c 65 78 44 65 6d 75 78 clip:MoflexDemux 04ac0 65 72 5f 31 5f 30 5f 32 5d 00 00 00 00 00 00 00 er_1_0_2]....... 04ad0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 04ae0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
[SDK+NINTENDO:CTR_SDK-0_14_23_200_none] [SDK+NINTENDO:Firmware-02_27] [SDK+Mobiclip:Deblocker_1_0_2] [SDK+Mobiclip:ImaAdpcmDec_1_0_0] [SDK+Mobiclip:MobiclipDec_1_0_1] [SDK+Mobiclip:MoflexDemuxer_1_0_2] |
00850 41 50 54 3A 55 00 00 00 24 68 69 6F 46 49 4F 00 APT:U...$hioFIO. 00860 24 68 6F 73 74 69 6F 30 24 68 6F 73 74 69 6F 31 $hostio0$hostio1 00870 61 63 3A 75 00 00 00 00 62 6F 73 73 3A 55 00 00 ac:u....boss:U.. 00880 63 61 6D 3A 75 00 00 00 63 65 63 64 3A 75 00 00 cam:u...cecd:u.. 00890 63 66 67 3A 75 00 00 00 64 6C 70 3A 46 4B 43 4C cfg:u...dlp:FKCL 008A0 64 6C 70 3A 53 52 56 52 64 73 70 3A 3A 44 53 50 dlp:SRVRdsp::DSP 008B0 66 72 64 3A 75 00 00 00 66 73 3A 55 53 45 52 00 frd:u...fs:USER. 008C0 67 73 70 3A 3A 47 70 75 68 69 64 3A 55 53 45 52 gsp::Gpuhid:USER 008D0 68 74 74 70 3A 43 00 00 6D 69 63 3A 75 00 00 00 http:C..mic:u... 008E0 6E 64 6D 3A 75 00 00 00 6E 65 77 73 3A 75 00 00 ndm:u...news:u.. 008F0 6E 77 6D 3A 3A 55 44 53 70 74 6D 3A 75 00 00 00 nwm::UDSptm:u... 00900 70 78 69 3A 64 65 76 00 73 6F 63 3A 55 00 00 00 pxi:dev.soc:U... 00910 73 73 6C 3A 43 00 00 00 79 32 72 3A 75 00 00 00 ssl:C...y2r:u... 00920 69 72 3A 55 53 45 52 00 6C 64 72 3A 72 6F 00 00 ir:USER.ldr:ro.. 00930 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00940 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00950 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00960 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ ... ... 009D0 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 009E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 009F0 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 02 . ............. |
| 3DS Component List |
U1 bga "1048 0H, CPU CTR, (M)(C)2010, Nintendo, JAPAN ARM" (main cpu) U2 bga "F JAPAN, MB82M8080-07L, 1040 M90, E1" U3 bga "Texas Instruments, 93045A4, 0AAH86W GI" (PCB back, below YXAB) U4 bga "Texas Instruments, PAIC301DB, 0AA37DW, GI" U5 bga "TOSHIBA TH6BM263P1FBA18, VX2306, TAIWAN, 10459AE" U6 bga "UC CTR, 041KM73, KG10" U?? 16pin "CKP, TI 09W, ZF1T" (PCB back, above YXAB) U8 8pin "17040, 08A45" or so (PCB back, above POWER button) U9 bga "2048, 33DH, X1MAQ" or so (small, below/right of PAIC) U10 3pin "HOX" or "XOH" or so (PCB back, below/right of YXAB) U11 Xpin unsharp... INVENSENSE or so (right of main cpu) U12 6pin "EPB" (between main cpu and wifi socket) U13 6pin "?" (right of PAIC) Q1 6pin "JG" (PCB back, right of POWER button) Q4 6pin "?" (between PAIC and UC CTR) X1 4pin "16.756" osc (near main CPU) X2 4pin "CA038" osc (near UC CTR) Daughterboards: wifi, sd slot, battery, etc - unknown |
| 3DS Todo |
- Uploading and autostarting code via wifi - Having full access rights for executing ARM9 and ARM11 code - Not needing to wait for the damn slow OS to boot up |
| ARM CPU Reference |
| ARM CPU Overview |
8bit - Byte 16bit - Halfword 32bit - Word |
- Each single opcode provides more functionality, resulting in faster execution when using a 32bit bus memory system (such like opcodes stored in GBA Work RAM). - All registers R0-R15 can be accessed directly. |
- Not so fast when using 16bit memory system (but it still works though). - Program code occupies more memory space. |
- Faster execution up to approx 160% when using a 16bit bus memory system (such like opcodes stored in GBA GamePak ROM). - Reduces code size, decreases memory overload down to approx 65%. |
- Not as multi-functional opcodes as in ARM state, so it will be sometimes required use more than one opcode to gain a similar result as for a single opcode in ARM state. - Most opcodes allow only registers R0-R7 to be used directly. |
| ARM CPU Register Set |
System/User FIQ Supervisor Abort IRQ Undefined -------------------------------------------------------------- R0 R0 R0 R0 R0 R0 R1 R1 R1 R1 R1 R1 R2 R2 R2 R2 R2 R2 R3 R3 R3 R3 R3 R3 R4 R4 R4 R4 R4 R4 R5 R5 R5 R5 R5 R5 R6 R6 R6 R6 R6 R6 R7 R7 R7 R7 R7 R7 -------------------------------------------------------------- R8 R8_fiq R8 R8 R8 R8 R9 R9_fiq R9 R9 R9 R9 R10 R10_fiq R10 R10 R10 R10 R11 R11_fiq R11 R11 R11 R11 R12 R12_fiq R12 R12 R12 R12 R13 (SP) R13_fiq R13_svc R13_abt R13_irq R13_und R14 (LR) R14_fiq R14_svc R14_abt R14_irq R14_und R15 (PC) R15 R15 R15 R15 R15 -------------------------------------------------------------- CPSR CPSR CPSR CPSR CPSR CPSR -- SPSR_fiq SPSR_svc SPSR_abt SPSR_irq SPSR_und -------------------------------------------------------------- |
| ARM CPU Flags & Condition Field (cond) |
Code Suffix Flags Meaning 0: EQ Z=1 equal (zero) (same) 1: NE Z=0 not equal (nonzero) (not same) 2: CS/HS C=1 unsigned higher or same (carry set) 3: CC/LO C=0 unsigned lower (carry cleared) 4: MI N=1 negative (minus) 5: PL N=0 positive or zero (plus) 6: VS V=1 overflow (V set) 7: VC V=0 no overflow (V cleared) 8: HI C=1 and Z=0 unsigned higher 9: LS C=0 or Z=1 unsigned lower or same A: GE N=V greater or equal B: LT N<>V less than C: GT Z=0 and N=V greater than D: LE Z=1 or N<>V less or equal E: AL - always (the "AL" suffix can be omitted) F: NV - never (ARMv1,v2 only) (Reserved ARMv3 and up) |
Bit Expl. 31 N - Sign Flag (0=Not Signed, 1=Signed) ;\ 30 Z - Zero Flag (0=Not Zero, 1=Zero) ; Condition 29 C - Carry Flag (0=Borrow/No Carry, 1=Carry/No Borrow) ; Code Flags 28 V - Overflow Flag (0=No Overflow, 1=Overflow) ;/ 27 Q - Sticky Overflow (1=Sticky Overflow, ARMv5TE and up only) 26-8 Reserved (For future use) - Do not change manually! 7 I - IRQ disable (0=Enable, 1=Disable) ;\ 6 F - FIQ disable (0=Enable, 1=Disable) ; Control 5 T - State Bit (0=ARM, 1=THUMB) - Do not change manually!; Bits 4-0 M4-M0 - Mode Bits (See below) ;/ |
Binary Hex Dec Expl. 0xx00b 00h 0 - Old User ;\26bit Backward Compatibility modes 0xx01b 01h 1 - Old FIQ ; (supported only on ARMv3, except ARMv3G, 0xx10b 02h 2 - Old IRQ ; and on some non-T variants of ARMv4) 0xx11b 03h 3 - Old Supervisor ;/ 10000b 10h 16 - User (non-privileged) 10001b 11h 17 - FIQ 10010b 12h 18 - IRQ 10011b 13h 19 - Supervisor (SWI) 10111b 17h 23 - Abort 11011b 1Bh 27 - Undefined 11111b 1Fh 31 - System (privileged 'User' mode) (ARMv4 and up) |
| ARM CPU 26bit Memory Interface |
Bit Name Expl. 31-28 N,Z,C,V Flags (Sign, Zero, Carry, Overflow) 27-26 I,F Interrupt Disable bits (IRQ, FIQ) (1=Disable) 25-2 PC Program Counter, 24bit, Step 4 (64M range) 1-0 M1,M0 Mode (0=User, 1=FIQ, 2=IRQ, 3=Supervisor) |
R14_svc = PC ($+8, including old PSR bits) M1,M0 = 11b = supervisor mode, F=same, I=1, PC=14h, to continue at the fault location, return by SUBS PC,LR,8. |
| ARM CPU Exceptions |
Address Prio Exception Mode on Entry Interrupt Flags BASE+00h 1 Reset Supervisor (_svc) I=1, F=1 BASE+04h 7 Undefined Instruction Undefined (_und) I=1, F=unchanged BASE+08h 6 Software Interrupt (SWI) Supervisor (_svc) I=1, F=unchanged BASE+0Ch 5 Prefetch Abort Abort (_abt) I=1, F=unchanged BASE+10h 2 Data Abort Abort (_abt) I=1, F=unchanged BASE+14h ?? Address Exceeds 26bit Supervisor (_svc) I=1, F=unchanged BASE+18h 4 Normal Interrupt (IRQ) IRQ (_irq) I=1, F=unchanged BASE+1Ch 3 Fast Interrupt (FIQ) FIQ (_fiq) I=1, F=1 |
- R14_<new mode>=PC+nn ;save old PC, ie. return address - SPSR_<new mode>=CPSR ;save old flags - CPSR new T,M bits ;set to T=0 (ARM state), and M4-0=new mode - CPSR new I bit ;IRQs disabled (I=1), done by ALL exceptions - CPSR new F bit ;FIQs disabled (F=1), done by Reset and FIQ only - PC=exception_vector ;see table above |
SUBS PC,R14,4 ;both PC=R14_irq-4, and CPSR=SPSR_irq |
MOVS PC,R14 ;both PC=R14_svc, and CPSR=SPSR_svc |
MOVS PC,R14 ;both PC=R14_und, and CPSR=SPSR_und |
prefetch abort: SUBS PC,R14,#4 ;PC=R14_abt-4, and CPSR=SPSR_abt data abort: SUBS PC,R14,#8 ;PC=R14_abt-8, and CPSR=SPSR_abt |
| ARM CPU Memory Alignments |
LDRH Rd,[odd] --> LDRH Rd,[odd-1] ;forced align LDRSH Rd,[odd] --> LDRSH Rd,[odd-1] ;forced align |
LDRH Rd,[odd] --> LDRH Rd,[odd-1] ROR 8 ;read to bit0-7 and bit24-31 LDRSH Rd,[odd] --> LDRSB Rd,[odd] ;sign-expand BYTE value |
| ARM Instruction Summary |
Instruction Cycles Flags Expl.
MOV{cond}{S} Rd,Op2 1S+x+y NZc- Rd = Op2
MVN{cond}{S} Rd,Op2 1S+x+y NZc- Rd = NOT Op2
ORR{cond}{S} Rd,Rn,Op2 1S+x+y NZc- Rd = Rn OR Op2
EOR{cond}{S} Rd,Rn,Op2 1S+x+y NZc- Rd = Rn XOR Op2
AND{cond}{S} Rd,Rn,Op2 1S+x+y NZc- Rd = Rn AND Op2
BIC{cond}{S} Rd,Rn,Op2 1S+x+y NZc- Rd = Rn AND NOT Op2
TST{cond}{P} Rn,Op2 1S+x NZc- Void = Rn AND Op2
TEQ{cond}{P} Rn,Op2 1S+x NZc- Void = Rn XOR Op2
|
Instruction Cycles Flags Expl.
ADD{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Rn+Op2
ADC{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Rn+Op2+Cy
SUB{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Rn-Op2
SBC{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Rn-Op2+Cy-1
RSB{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Op2-Rn
RSC{cond}{S} Rd,Rn,Op2 1S+x+y NZCV Rd = Op2-Rn+Cy-1
CMP{cond}{P} Rn,Op2 1S+x NZCV Void = Rn-Op2
CMN{cond}{P} Rn,Op2 1S+x NZCV Void = Rn+Op2
|
Instruction Cycles Flags Expl.
MUL{cond}{S} Rd,Rm,Rs 1S+mI NZx- Rd = Rm*Rs
MLA{cond}{S} Rd,Rm,Rs,Rn 1S+mI+1I NZx- Rd = Rm*Rs+Rn
UMULL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+1I NZx- RdHiLo = Rm*Rs
UMLAL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+2I NZx- RdHiLo = Rm*Rs+RdHiLo
SMULL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+1I NZx- RdHiLo = Rm*Rs
SMLAL{cond}{S} RdLo,RdHi,Rm,Rs 1S+mI+2I NZx- RdHiLo = Rm*Rs+RdHiLo
SMLAxy{cond} Rd,Rm,Rs,Rn ARMv5TE(xP) ----q Rd=HalfRm*HalfRs+Rn
SMLAWy{cond} Rd,Rm,Rs,Rn ARMv5TE(xP) ----q Rd=(Rm*HalfRs)/10000h+Rn
SMULWy{cond} Rd,Rm,Rs ARMv5TE(xP) ---- Rd=(Rm*HalfRs)/10000h
SMLALxy{cond} RdLo,RdHi,Rm,Rs ARMv5TE(xP) ---- RdHiLo=RdHiLo+HalfRm*HalfRs
SMULxy{cond} Rd,Rm,Rs ARMv5TE(xP) ---- Rd=HalfRm*HalfRs
|
Instruction Cycles Flags Expl.
LDR{cond}{B}{T} Rd,<Address> 1S+1N+1I+y ---- Rd=[Rn+/-<offset>]
LDR{cond}H Rd,<Address> 1S+1N+1I+y ---- Load Unsigned halfword
LDR{cond}D Rd,<Address> ---- Load Dword ARMv5TE
LDR{cond}SB Rd,<Address> 1S+1N+1I+y ---- Load Signed byte
LDR{cond}SH Rd,<Address> 1S+1N+1I+y ---- Load Signed halfword
LDM{cond}{amod} Rn{!},<Rlist>{^} nS+1N+1I+y ---- Load Multiple
STR{cond}{B}{T} Rd,<Address> 2N ---- [Rn+/-<offset>]=Rd
STR{cond}H Rd,<Address> 2N ---- Store halfword
STR{cond}D Rd,<Address> ---- Store Dword ARMv5TE
STM{cond}{amod} Rn{!},<Rlist>{^} (n-1)S+2N ---- Store Multiple
SWP{cond}{B} Rd,Rm,[Rn] 1S+2N+1I ---- Rd=[Rn], [Rn]=Rm
PLD <Address> 1S ---- Prepare Cache ARMv5TE
|
Instruction Cycles Flags Expl.
B{cond} label 2S+1N ---- PC=$+8+/-32M
BL{cond} label 2S+1N ---- PC=$+8+/-32M, LR=$+4
BX{cond} Rn 2S+1N ---- PC=Rn, T=Rn.0 (THUMB/ARM)
BLX{cond} Rn 2S+1N ---- PC=Rn, T=Rn.0, LR=PC+4, ARM9
BLX label 2S+1N ---- PC=PC+$+/-32M, LR=$+4, T=1, ARM9
MRS{cond} Rd,Psr 1S ---- Rd=Psr
MSR{cond} Psr{_field},Op 1S (psr) Psr[field]=Op
SWI{cond} Imm24bit 2S+1N ---- PC=8, ARM Svc mode, LR=$+4
BKPT Imm16bit ??? ---- PC=C, ARM Abt mode, LR=$+4 ARM9
The Undefined Instruction 2S+1I+1N ---- PC=4, ARM Und mode, LR=$+4
cond=false 1S ---- Any opcode with condition=false
NOP 1S ---- R0=R0
|
CLZ{cond} Rd,Rm ??? ---- Count Leading Zeros ARMv5
QADD{cond} Rd,Rm,Rn ----q Rd=Rm+Rn ARMv5TE(xP)
QSUB{cond} Rd,Rm,Rn ----q Rd=Rm-Rn ARMv5TE(xP)
QDADD{cond} Rd,Rm,Rn ----q Rd=Rm+Rn*2 ARMv5TE(xP)
QDSUB{cond} Rd,Rm,Rn ----q Rd=Rm-Rn*2 ARMv5TE(xP)
|
Instruction Cycles Flags Expl.
CDP{cond} Pn,<cpopc>,Cd,Cn,Cm{,<cp>} 1S+bI ---- Coprocessor specific
STC{cond}{L} Pn,Cd,<Address> (n-1)S+2N+bI [address] = CRd
LDC{cond}{L} Pn,Cd,<Address> (n-1)S+2N+bI CRd = [address]
MCR{cond} Pn,<cpopc>,Rd,Cn,Cm{,<cp>} 1S+bI+1C CRn = Rn {<op> CRm}
MRC{cond} Pn,<cpopc>,Rd,Cn,Cm{,<cp>} 1S+(b+1)I+1C Rn = CRn {<op> CRm}
CDP2,STC2,LDC2,MCR2,MRC2 - ARMv5 Extensions similar above, without {cond}
MCRR{cond} Pn,<cpopc>,Rd,Rn,Cm ;write Rd,Rn to coproc ARMv5TE
MRRC{cond} Pn,<cpopc>,Rd,Rn,Cm ;read Rd,Rn from coproc ARMv5TE
|
|..3 ..................2 ..................1 ..................0| |1_0_9_8_7_6_5_4_3_2_1_0_9_8_7_6_5_4_3_2_1_0_9_8_7_6_5_4_3_2_1_0| |_Cond__|0_0_0|___Op__|S|__Rn___|__Rd___|__Shift__|Typ|0|__Rm___| DataProc |_Cond__|0_0_0|___Op__|S|__Rn___|__Rd___|__Rs___|0|Typ|1|__Rm___| DataProc |_Cond__|0_0_1|___Op__|S|__Rn___|__Rd___|_Shift_|___Immediate___| DataProc |_Cond__|0_0_1_1_0_0_1_0_0_0_0_0_1_1_1_1_0_0_0_0|_____Hint______| ARM11:Hint |_Cond__|0_0_1_1_0|P|1|0|_Field_|__Rd___|_Shift_|___Immediate___| PSR Imm |_Cond__|0_0_0_1_0|P|L|0|_Field_|__Rd___|0_0_0_0|0_0_0_0|__Rm___| PSR Reg |_Cond__|0_0_0_1_0_0_1_0_1_1_1_1_1_1_1_1_1_1_1_1|0_0|L|1|__Rn___| BX,BLX |1_1_1_0|0_0_0_1_0_0_1_0|_____immediate_________|0_1_1_1|_immed_| ARM9:BKPT |_Cond__|0_0_0_1_0_1_1_0_1_1_1_1|__Rd___|1_1_1_1|0_0_0_1|__Rm___| ARM9:CLZ |_Cond__|0_0_0_1_0|Op_|0|__Rn___|__Rd___|0_0_0_0|0_1_0_1|__Rm___| ARM9:QALU |_Cond__|0_0_0_1_1|_Op__|__Rn___|__Rd___|1_1_1_1_1_0_0_1|__Rm___| ARM11:LDREX |_Cond__|0_0_0_0_0_0|A|S|__Rd___|__Rn___|__Rs___|1_0_0_1|__Rm___| Multiply |_Cond__|0_0_0_0_1|U|A|S|_RdHi__|_RdLo__|__Rs___|1_0_0_1|__Rm___| MulLong |_Cond__|0_0_0_1_0|Op_|0|Rd/RdHi|Rn/RdLo|__Rs___|1|y|x|0|__Rm___| MulHalfARM9 |_Cond__|0_0_0_1_0|B|0_0|__Rn___|__Rd___|0_0_0_0|1_0_0_1|__Rm___| TransSwp12 |_Cond__|0_0_0|P|U|0|W|L|__Rn___|__Rd___|0_0_0_0|1|S|H|1|__Rm___| TransReg10 |_Cond__|0_0_0|P|U|1|W|L|__Rn___|__Rd___|OffsetH|1|S|H|1|OffsetL| TransImm10 |_Cond__|0_1_0|P|U|B|W|L|__Rn___|__Rd___|_________Offset________| TransImm9 |_Cond__|0_1_1|P|U|B|W|L|__Rn___|__Rd___|__Shift__|Typ|0|__Rm___| TransReg9 |_Cond__|0_1_1|________________xxx____________________|1|__xxx__| Undefined |1_1_1_1_0_1_0_1_0_1_1_1_1_1_1_1_1_1_1_1_0_0_0_0_0_0_0_1_1_1_1_1| ARM11:CLREX |_Cond__|1_0_0|P|U|S|W|L|__Rn___|__________Register_List________| BlockTrans |_Cond__|1_0_1|L|___________________Offset______________________| B,BL,BLX |_Cond__|1_1_0|P|U|N|W|L|__Rn___|__CRd__|__CP#__|____Offset_____| CoDataTrans |_Cond__|1_1_0_0_0_1_0|L|__Rn___|__Rd___|__CP#__|_CPopc_|__CRm__| CoRR ARM9 |_Cond__|1_1_1_0|_CPopc_|__CRn__|__CRd__|__CP#__|_CP__|0|__CRm__| CoDataOp |_Cond__|1_1_1_0|CPopc|L|__CRn__|__Rd___|__CP#__|_CP__|1|__CRm__| CoRegTrans |_Cond__|1_1_1_1|_____________Ignored_by_Processor______________| SWI |
Bit Expl.
31-28 Condition
27-20 Opcode
0001.1101b for LDREXB{cond} Rd, [Rn] ;Rd=[Rm]
0001.1111b for LDREXH{cond} Rd, [Rn] ;Rd=[Rm]
0001.1011b for LDREXD{cond} Rd, [Rn] ;Rd,Rd+1=[Rm]
0001.1100b for STREXB{cond} Rd, Rm, [Rn] ;[Rn]=Rm, Rd=flag
0001.1110b for STREXH{cond} Rd, Rm, [Rn] ;[Rn]=Rm, Rd=flag
0001.1010b for STREXD{cond} Rd, Rm, [Rn] ;[Rn]=Rm,Rm+1, Rd=flag
19-16 Rn - Base Register (R0-R14)
15-12 Rd - Destination Register (R0-R14)
11-4 Must be 1111.1001b for this instruction
3-0 Rm - Source Register (1111b for LDREX) (R0-R14)
|
Bit Expl. 31-0 Opcode 1111.0101.0111.1111.1111.0000.0001.1111b for CLREX |
Bit Expl.
31-28 Condition (should be always 0Eh=Always)
27-8 Opcode 0011.0010.0000.1111.0000b for NOP
7-0 Hint (no function, default should be usually zero)
XXX or is Hint<>0 for YIELD etc (alike THUMB)?
|
| ARM Opcodes: Branch and Branch with Link (B, BL, BX, BLX, SWI, BKPT) |
Bit Expl.
31-28 Condition (must be 1111b for BLX)
27-25 Must be "101" for this instruction
24 Opcode (0-1) (or Halfword Offset for BLX)
0: B{cond} label ;branch PC=PC+8+nn*4
1: BL{cond} label ;branch/link PC=PC+8+nn*4, LR=PC+4
H: BLX label ;ARM9 ;branch/link/thumb PC=PC+8+nn*4+H*2, LR=PC+4, T=1
23-0 nn - Signed Offset, step 4 (-32M..+32M in steps of 4)
|
Bit Expl.
31-28 Condition
27-8 Must be "0001.0010.1111.1111.1111" for this instruction
7-4 Opcode
0001b: BX{cond} Rn ;PC=Rn, T=Rn.0 (ARMv4T and ARMv5 and up)
0011b: BLX{cond} Rn ;PC=Rn, T=Rn.0, LR=PC+4 (ARMv5 and up)
3-0 Rn - Operand Register (R0-R14)
|
Bit Expl.
31-28 Condition (must be 1110b for BKPT, ie. Condition=always)
27-24 Opcode
1111b: SWI{cond} nn ;software interrupt
0001b: BKPT nn ;breakpoint (ARMv5 and up)
For SWI:
23-0 nn - Comment Field, ignored by processor (24bit value)
For BKPT:
23-20 Must be 0010b for BKPT
19-8 nn - upper 12bits of comment field, ignored by processor
7-4 Must be 0111b for BKPT
3-0 nn - lower 4bits of comment field, ignored by processor
|
R14_svc=PC+4 R14_abt=PC+4 ;save return address SPSR_svc=CPSR SPSR_abt=CPSR ;save CPSR flags CPSR=<changed> CPSR=<changed> ;Enter svc/abt, ARM state, IRQs disabled PC=VVVV0008h PC=VVVV000Ch ;jump to SWI/PrefetchAbort vector address |
Bit Expl. 31-28 Condition 27-25 Must be 011b for this instruction 24-5 Reserved for future use 4 Must be 1b for this instruction 3-0 Reserved for future use |
cond011xxxxxxxxxxxxxxxxxxxx1xxxx - reserved for future use (except below). cond01111111xxxxxxxxxxxx1111xxxx - free for user. |
| ARM Opcodes: Data Processing (ALU) |
Bit Expl.
31-28 Condition
27-26 Must be 00b for this instruction
25 I - Immediate 2nd Operand Flag (0=Register, 1=Immediate)
24-21 Opcode (0-Fh) ;*=Arithmetic, otherwise Logical
0: AND{cond}{S} Rd,Rn,Op2 ;AND logical Rd = Rn AND Op2
1: EOR{cond}{S} Rd,Rn,Op2 ;XOR logical Rd = Rn XOR Op2
2: SUB{cond}{S} Rd,Rn,Op2 ;* ;subtract Rd = Rn-Op2
3: RSB{cond}{S} Rd,Rn,Op2 ;* ;subtract reversed Rd = Op2-Rn
4: ADD{cond}{S} Rd,Rn,Op2 ;* ;add Rd = Rn+Op2
5: ADC{cond}{S} Rd,Rn,Op2 ;* ;add with carry Rd = Rn+Op2+Cy
6: SBC{cond}{S} Rd,Rn,Op2 ;* ;sub with carry Rd = Rn-Op2+Cy-1
7: RSC{cond}{S} Rd,Rn,Op2 ;* ;sub cy. reversed Rd = Op2-Rn+Cy-1
8: TST{cond}{P} Rn,Op2 ;test Void = Rn AND Op2
9: TEQ{cond}{P} Rn,Op2 ;test exclusive Void = Rn XOR Op2
A: CMP{cond}{P} Rn,Op2 ;* ;compare Void = Rn-Op2
B: CMN{cond}{P} Rn,Op2 ;* ;compare neg. Void = Rn+Op2
C: ORR{cond}{S} Rd,Rn,Op2 ;OR logical Rd = Rn OR Op2
D: MOV{cond}{S} Rd,Op2 ;move Rd = Op2
E: BIC{cond}{S} Rd,Rn,Op2 ;bit clear Rd = Rn AND NOT Op2
F: MVN{cond}{S} Rd,Op2 ;not Rd = NOT Op2
20 S - Set Condition Codes (0=No, 1=Yes) (Must be 1 for opcode 8-B)
19-16 Rn - 1st Operand Register (R0..R15) (including PC=R15)
Must be 0000b for MOV/MVN.
15-12 Rd - Destination Register (R0..R15) (including PC=R15)
Must be 0000b (or 1111b) for CMP/CMN/TST/TEQ{P}.
When above Bit 25 I=0 (Register as 2nd Operand)
When below Bit 4 R=0 - Shift by Immediate
11-7 Is - Shift amount (1-31, 0=Special/See below)
When below Bit 4 R=1 - Shift by Register
11-8 Rs - Shift register (R0-R14) - only lower 8bit 0-255 used
7 Reserved, must be zero (otherwise multiply or undefined opcode)
6-5 Shift Type (0=LSL, 1=LSR, 2=ASR, 3=ROR)
4 R - Shift by Register Flag (0=Immediate, 1=Register)
3-0 Rm - 2nd Operand Register (R0..R15) (including PC=R15)
When above Bit 25 I=1 (Immediate as 2nd Operand)
11-8 Is - ROR-Shift applied to nn (0-30, in steps of 2)
7-0 nn - 2nd Operand Unsigned 8bit Immediate
|
LSL#0: No shift performed, ie. directly Op2=Rm, the C flag is NOT affected. LSR#0: Interpreted as LSR#32, ie. Op2 becomes zero, C becomes Bit 31 of Rm. ASR#0: Interpreted as ASR#32, ie. Op2 and C are filled by Bit 31 of Rm. ROR#0: Interpreted as RRX#1 (RCR), like ROR#1, but Op2 Bit 31 set to old C. |
V=not affected C=carryflag of shift operation (not affected if LSL#0 or Rs=00h) Z=zeroflag of result N=signflag of result (result bit 31) |
V=overflowflag of result C=carryflag of result Z=zeroflag of result N=signflag of result (result bit 31) |
R15=result ;modify PSR bits in R15, ARMv2 and below only. In user mode only N,Z,C,V bits of R15 can be changed. In other modes additionally I,F,M1,M0 can be changed. The PC bits in R15 are left unchanged in all modes. |
CPSR = SPSR_<current mode> PC = result For example: MOVS PC,R14 ;return from SWI (PC=R14_svc, CPSR=SPSR_svc). |
| ARM Opcodes: Multiply and Multiply-Accumulate (MUL, MLA) |
Bit Expl.
31-28 Condition
27-25 Must be 000b for this instruction
24-21 Opcode
0000b: MUL{cond}{S} Rd,Rm,Rs ;multiply Rd = Rm*Rs
0001b: MLA{cond}{S} Rd,Rm,Rs,Rn ;mul.& accumulate Rd = Rm*Rs+Rn
0100b: UMULL{cond}{S} RdLo,RdHi,Rm,Rs ;multiply RdHiLo=Rm*Rs
0101b: UMLAL{cond}{S} RdLo,RdHi,Rm,Rs ;mul.& acc. RdHiLo=Rm*Rs+RdHiLo
0110b: SMULL{cond}{S} RdLo,RdHi,Rm,Rs ;sign.mul. RdHiLo=Rm*Rs
0111b: SMLAL{cond}{S} RdLo,RdHi,Rm,Rs ;sign.m&a. RdHiLo=Rm*Rs+RdHiLo
1000b: SMLAxy{cond} Rd,Rm,Rs,Rn ;Rd=HalfRm*HalfRs+Rn
1001b: SMLAWy{cond} Rd,Rm,Rs,Rn ;Rd=(Rm*HalfRs)/10000h+Rn
1001b: SMULWy{cond} Rd,Rm,Rs ;Rd=(Rm*HalfRs)/10000h
1010b: SMLALxy{cond} RdLo,RdHi,Rm,Rs ;RdHiLo=RdHiLo+HalfRm*HalfRs
1011b: SMULxy{cond} Rd,Rm,Rs ;Rd=HalfRm*HalfRs
20 S - Set Condition Codes (0=No, 1=Yes) (Must be 0 for Halfword mul)
19-16 Rd (or RdHi) - Destination Register (R0-R14)
15-12 Rn (or RdLo) - Accumulate Register (R0-R14) (Set to 0000b if unused)
11-8 Rs - Operand Register (R0-R14)
For Non-Halfword Multiplies
7-4 Must be 1001b for these instructions
For Halfword Multiplies
7 Must be 1 for these instructions
6 y - Rs Top/Bottom flag (0=B=Lower 16bit, 1=T=Upper 16bit)
5 x - Rm Top/Bottom flag (as above), or 0 for SMLAW, or 1 for SMULW
4 Must be 0 for these instructions
3-0 Rm - Operand Register (R0-R14)
|
| ARM Opcodes: Special ARM9 Instructions (CLZ, QADD/QSUB) |
Bit Expl.
31-28 Condition
27-16 Must be 0001.0110.1111b for this instruction
Opcode (fixed)
CLZ{cond} Rd,Rm ;Rd=Number of leading zeros in Rm
15-12 Rd - Destination Register (R0-R14)
11-4 Must be 1111.0001b for this instruction
3-0 Rm - Source Register (R0-R14)
|
Bit Expl.
31-28 Condition
27-24 Must be 0001b for this instruction
23-20 Opcode
0000b: QADD{cond} Rd,Rm,Rn ;Rd=Rm+Rn
0010b: QSUB{cond} Rd,Rm,Rn ;Rd=Rm-Rn
0100b: QDADD{cond} Rd,Rm,Rn ;Rd=Rm+Rn*2 (doubled)
0110b: QDSUB{cond} Rd,Rm,Rn ;Rd=Rm-Rn*2 (doubled)
19-16 Rn - Second Source Register (R0-R14)
15-12 Rd - Destination Register (R0-R14)
11-4 Must be 00000101b for this instruction
3-0 Rm - First Source Register (R0-R14)
|
| ARM Opcodes: PSR Transfer (MRS, MSR) |
Bit Expl.
31-28 Condition
27-26 Must be 00b for this instruction
25 I - Immediate Operand Flag (0=Register, 1=Immediate) (Zero for MRS)
24-23 Must be 10b for this instruction
22 Psr - Source/Destination PSR (0=CPSR, 1=SPSR_<current mode>)
21 Opcode
0: MRS{cond} Rd,Psr ;Rd = Psr
1: MSR{cond} Psr{_field},Op ;Psr[field] = Op
20 Must be 0b for this instruction (otherwise TST,TEQ,CMP,CMN)
For MRS:
19-16 Must be 1111b for this instruction (otherwise SWP)
15-12 Rd - Destination Register (R0-R14)
11-0 Not used, must be zero.
For MSR:
19 f write to flags field Bit 31-24 (aka _flg)
18 s write to status field Bit 23-16 (reserved, don't change)
17 x write to extension field Bit 15-8 (reserved, don't change)
16 c write to control field Bit 7-0 (aka _ctl)
15-12 Not used, must be 1111b.
For MSR Psr,Rm (I=0)
11-4 Not used, must be zero. (otherwise BX)
3-0 Rm - Source Register <op> (R0-R14)
For MSR Psr,Imm (I=1)
11-8 Shift applied to Imm (ROR in steps of two 0-30)
7-0 Imm - Unsigned 8bit Immediate
In source code, a 32bit immediate should be specified as operand.
The assembler should then convert that into a shifted 8bit value.
|
| ARM Opcodes: Memory: Single Data Transfer (LDR, STR, PLD) |
Bit Expl.
31-28 Condition (Must be 1111b for PLD)
27-26 Must be 01b for this instruction
25 I - Immediate Offset Flag (0=Immediate, 1=Shifted Register)
24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
22 B - Byte/Word bit (0=transfer 32bit/word, 1=transfer 8bit/byte)
When above Bit 24 P=0 (Post-indexing, write-back is ALWAYS enabled):
21 T - Memory Management (0=Normal, 1=Force non-privileged access)
When above Bit 24 P=1 (Pre-indexing, write-back is optional):
21 W - Write-back bit (0=no write-back, 1=write address into base)
20 L - Load/Store bit (0=Store to memory, 1=Load from memory)
0: STR{cond}{B}{T} Rd,<Address> ;[Rn+/-<offset>]=Rd
1: LDR{cond}{B}{T} Rd,<Address> ;Rd=[Rn+/-<offset>]
(1: PLD <Address> ;Prepare Cache for Load, see notes below)
Whereas, B=Byte, T=Force User Mode (only for POST-Indexing)
19-16 Rn - Base register (R0..R15) (including R15=PC+8)
15-12 Rd - Source/Destination Register (R0..R15) (including R15=PC+12)
When above I=0 (Immediate as Offset)
11-0 Unsigned 12bit Immediate Offset (0-4095, steps of 1)
When above I=1 (Register shifted by Immediate as Offset)
11-7 Is - Shift amount (1-31, 0=Special/See below)
6-5 Shift Type (0=LSL, 1=LSR, 2=ASR, 3=ROR)
4 Must be 0 (Reserved, see The Undefined Instruction)
3-0 Rm - Offset Register (R0..R14) (not including PC=R15)
|
<expression> ;an immediate used as address ;*** restriction: must be located in range PC+/-4095+8, if so, ;*** assembler will calculate offset and use PC (R15) as base. |
[Rn] ;offset = zero
[Rn, <#{+/-}expression>]{!} ;offset = immediate
[Rn, {+/-}Rm{,<shift>} ]{!} ;offset = register shifted by immediate
|
[Rn], <#{+/-}expression> ;offset = immediate
[Rn], {+/-}Rm{,<shift>} ;offset = register shifted by immediate
|
<shift> immediate shift such like LSL#4, ROR#2, etc. (see ALU opcodes).
{!} exclamation mark ("!") indicates write-back (Rn will be updated).
|
| ARM Opcodes: Memory: Halfword, Doubleword, and Signed Data Transfer |
Bit Expl.
31-28 Condition
27-25 Must be 000b for this instruction
24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
22 I - Immediate Offset Flag (0=Register Offset, 1=Immediate Offset)
When above Bit 24 P=0 (Post-indexing, write-back is ALWAYS enabled):
21 Not used, must be zero (0)
When above Bit 24 P=1 (Pre-indexing, write-back is optional):
21 W - Write-back bit (0=no write-back, 1=write address into base)
20 L - Load/Store bit (0=Store to memory, 1=Load from memory)
19-16 Rn - Base register (R0-R15) (Including R15=PC+8)
15-12 Rd - Source/Destination Register (R0-R15) (Including R15=PC+12)
11-8 When above Bit 22 I=0 (Register as Offset):
Not used. Must be 0000b
When above Bit 22 I=1 (immediate as Offset):
Immediate Offset (upper 4bits)
7 Reserved, must be set (1)
6-5 Opcode (0-3)
When Bit 20 L=0 (Store) (and Doubleword Load/Store):
0: Reserved for SWP instruction
1: STR{cond}H Rd,<Address> ;Store halfword [a]=Rd
2: LDR{cond}D Rd,<Address> ;Load Doubleword R(d)=[a], R(d+1)=[a+4]
3: STR{cond}D Rd,<Address> ;Store Doubleword [a]=R(d), [a+4]=R(d+1)
When Bit 20 L=1 (Load):
0: Reserved.
1: LDR{cond}H Rd,<Address> ;Load Unsigned halfword (zero-extended)
2: LDR{cond}SB Rd,<Address> ;Load Signed byte (sign extended)
3: LDR{cond}SH Rd,<Address> ;Load Signed halfword (sign extended)
4 Reserved, must be set (1)
3-0 When above Bit 22 I=0:
Rm - Offset Register (R0-R14) (not including R15)
When above Bit 22 I=1:
Immediate Offset (lower 4bits) (0-255, together with upper bits)
|
<expression> ;an immediate used as address ;*** restriction: must be located in range PC+/-255+8, if so, ;*** assembler will calculate offset and use PC (R15) as base. |
[Rn] ;offset = zero
[Rn, <#{+/-}expression>]{!} ;offset = immediate
[Rn, {+/-}Rm]{!} ;offset = register
|
[Rn], <#{+/-}expression> ;offset = immediate
[Rn], {+/-}Rm ;offset = register
|
{!} exclamation mark ("!") indicates write-back (Rn will be updated).
|
| ARM Opcodes: Memory: Block Data Transfer (LDM, STM) |
Bit Expl.
31-28 Condition
27-25 Must be 100b for this instruction
24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
22 S - PSR & force user bit (0=No, 1=load PSR or force user mode)
21 W - Write-back bit (0=no write-back, 1=write address into base)
20 L - Load/Store bit (0=Store to memory, 1=Load from memory)
0: STM{cond}{amod} Rn{!},<Rlist>{^} ;Store (Push)
1: LDM{cond}{amod} Rn{!},<Rlist>{^} ;Load (Pop)
Whereas, {!}=Write-Back (W), and {^}=PSR/User Mode (S)
19-16 Rn - Base register (R0-R14) (not including R15)
15-0 Rlist - Register List
(Above 'offset' is meant to be the number of words specified in Rlist.)
|
IB increment before ;P=1, U=1 IA increment after ;P=0, U=1 DB decrement before ;P=1, U=0 DA decrement after ;P=0, U=0 |
ED empty stack, descending ;LDM: P=1, U=1 ;STM: P=0, U=0 FD full stack, descending ; P=0, U=1 ; P=1, U=0 EA empty stack, ascending ; P=1, U=0 ; P=0, U=1 FA full stack, ascending ; P=0, U=0 ; P=1, U=1 |
STMFD=STMDB=PUSH STMED=STMDA STMFA=STMIB STMEA=STMIA LDMFD=LDMIA=POP LDMED=LDMIB LDMFA=LDMDA LDMEA=LDMDB |
PUSH/POP: full descending ;base register SP (R13) LDM/STM: increment after ;base register R0..R7 |
While R15 loaded, additionally: CPSR=SPSR_<current mode> |
Rlist is referring to User Bank Registers, R0-R15 (rather than register related to the current mode, such like R14_svc etc.) Base write-back should not be used for User bank transfer. Caution - When instruction is LDM: If the following instruction reads from a banked register (eg. R14_svc), then CPU might still read R14 instead; if necessary insert a dummy NOP. |
| ARM Opcodes: Memory: Single Data Swap (SWP) |
Bit Expl.
31-28 Condition
27-23 Must be 00010b for this instruction
Opcode (fixed)
SWP{cond}{B} Rd,Rm,[Rn] ;Rd=[Rn], [Rn]=Rm
22 B - Byte/Word bit (0=swap 32bit/word, 1=swap 8bit/byte)
21-20 Must be 00b for this instruction
19-16 Rn - Base register (R0-R14)
15-12 Rd - Destination Register (R0-R14)
11-4 Must be 00001001b for this instruction
3-0 Rm - Source Register (R0-R14)
|
| ARM Opcodes: Coprocessor Instructions (MRC/MCR, LDC/STC, CDP, MCRR/MRRC) |
Bit Expl.
31-28 Condition (or 1111b for MRC2/MCR2 opcodes on ARMv5 and up)
27-24 Must be 1110b for this instruction
23-21 CP Opc - Coprocessor operation code (0-7)
20 ARM-Opcode (0-1)
0: MCR{cond} Pn,<cpopc>,Rd,Cn,Cm{,<cp>} ;move from ARM to CoPro
0: MCR2 Pn,<cpopc>,Rd,Cn,Cm{,<cp>} ;move from ARM to CoPro
1: MRC{cond} Pn,<cpopc>,Rd,Cn,Cm{,<cp>} ;move from CoPro to ARM
1: MRC2 Pn,<cpopc>,Rd,Cn,Cm{,<cp>} ;move from CoPro to ARM
19-16 Cn - Coprocessor source/dest. Register (C0-C15)
15-12 Rd - ARM source/destination Register (R0-R15)
11-8 Pn - Coprocessor number (P0-P15)
7-5 CP - Coprocessor information (0-7)
4 Reserved, must be one (1) (otherwise CDP opcode)
3-0 Cm - Coprocessor operand Register (C0-C15)
|
Bit Expl.
31-28 Condition (or 1111b for LDC2/STC2 opcodes on ARMv5 and up)
27-25 Must be 110b for this instruction
24 P - Pre/Post (0=post; add offset after transfer, 1=pre; before trans.)
23 U - Up/Down Bit (0=down; subtract offset from base, 1=up; add to base)
22 N - Transfer length (0-1, interpretation depends on co-processor)
21 W - Write-back bit (0=no write-back, 1=write address into base)
20 Opcode (0-1)
0: STC{cond}{L} Pn,Cd,<Address> ;Store to memory (from coprocessor)
0: STC2{L} Pn,Cd,<Address> ;Store to memory (from coprocessor)
1: LDC{cond}{L} Pn,Cd,<Address> ;Read from memory (to coprocessor)
1: LDC2{L} Pn,Cd,<Address> ;Read from memory (to coprocessor)
whereas {L} indicates long transfer (Bit 22: N=1)
19-16 Rn - ARM Base Register (R0-R15) (R15=PC+8)
15-12 Cd - Coprocessor src/dest Register (C0-C15)
11-8 Pn - Coprocessor number (P0-P15)
7-0 Offset - Unsigned Immediate, step 4 (0-1020, in steps of 4)
|
Bit Expl.
31-28 Condition (or 1111b for CDP2 opcode on ARMv5 and up)
27-24 Must be 1110b for this instruction
ARM-Opcode (fixed)
CDP{cond} Pn,<cpopc>,Cd,Cn,Cm{,<cp>}
CDP2 Pn,<cpopc>,Cd,Cn,Cm{,<cp>}
23-20 CP Opc - Coprocessor operation code (0-15)
19-16 Cn - Coprocessor operand Register (C0-C15)
15-12 Cd - Coprocessor destination Register (C0-C15)
11-8 Pn - Coprocessor number (P0-P15)
7-5 CP - Coprocessor information (0-7)
4 Reserved, must be zero (otherwise MCR/MRC opcode)
3-0 Cm - Coprocessor operand Register (C0-C15)
|
Bit Expl.
31-28 Condition
27-21 Must be 1100010b for this instruction
20 L - Opcode (Load/Store)
0: MCRR{cond} Pn,opcode,Rd,Rn,Cm ;write Rd,Rn to coproc
1: MRRC{cond} Pn,opcode,Rd,Rn,Cm ;read Rd,Rn from coproc
19-16 Rn - Second source/dest register (R0-R14)
15-12 Rd - First source/dest register (R0-R14)
11-8 Pn - Coprocessor number (P0-P15)
7-4 CP Opc - Coprocessor operation code (0-15)
3-0 Cm - Coprocessor operand Register (C0-C15)
|
| THUMB Instruction Summary |
Instruction Cycles Flags Format Expl. MOV Rd,Imm8bit 1S NZ-- 3 Rd=nn MOV Rd,Rs 1S NZ00 2 Rd=Rs+0 MOV R0..14,R8..15 1S ---- 5 Rd=Rs MOV R8..14,R0..15 1S ---- 5 Rd=Rs MOV R15,R0..15 2S+1N ---- 5 PC=Rs MVN Rd,Rs 1S NZ-- 4 Rd=NOT Rs AND Rd,Rs 1S NZ-- 4 Rd=Rd AND Rs TST Rd,Rs 1S NZ-- 4 Void=Rd AND Rs BIC Rd,Rs 1S NZ-- 4 Rd=Rd AND NOT Rs ORR Rd,Rs 1S NZ-- 4 Rd=Rd OR Rs EOR Rd,Rs 1S NZ-- 4 Rd=Rd XOR Rs LSL Rd,Rs,Imm5bit 1S NZc- 1 Rd=Rs SHL nn LSL Rd,Rs 1S+1I NZc- 4 Rd=Rd SHL (Rs AND 0FFh) LSR Rd,Rs,Imm5bit 1S NZc- 1 Rd=Rs SHR nn LSR Rd,Rs 1S+1I NZc- 4 Rd=Rd SHR (Rs AND 0FFh) ASR Rd,Rs,Imm5bit 1S NZc- 1 Rd=Rs SAR nn ASR Rd,Rs 1S+1I NZc- 4 Rd=Rd SAR (Rs AND 0FFh) ROR Rd,Rs 1S+1I NZc- 4 Rd=Rd ROR (Rs AND 0FFh) NOP 1S ---- 5 R8=R8 |
Instruction Cycles Flags Format Expl. ADD Rd,Rs,Imm3bit 1S NZCV 2 Rd=Rs+nn ADD Rd,Imm8bit 1S NZCV 3 Rd=Rd+nn ADD Rd,Rs,Rn 1S NZCV 2 Rd=Rs+Rn ADD R0..14,R8..15 1S ---- 5 Rd=Rd+Rs ADD R8..14,R0..15 1S ---- 5 Rd=Rd+Rs ADD R15,R0..15 2S+1N ---- 5 PC=Rd+Rs ADD Rd,PC,Imm8bit*4 1S ---- 12 Rd=(($+4) AND NOT 2)+nn ADD Rd,SP,Imm8bit*4 1S ---- 12 Rd=SP+nn ADD SP,Imm7bit*4 1S ---- 13 SP=SP+nn ADD SP,-Imm7bit*4 1S ---- 13 SP=SP-nn ADC Rd,Rs 1S NZCV 4 Rd=Rd+Rs+Cy SUB Rd,Rs,Imm3Bit 1S NZCV 2 Rd=Rs-nn SUB Rd,Imm8bit 1S NZCV 3 Rd=Rd-nn SUB Rd,Rs,Rn 1S NZCV 2 Rd=Rs-Rn SBC Rd,Rs 1S NZCV 4 Rd=Rd-Rs-NOT Cy NEG Rd,Rs 1S NZCV 4 Rd=0-Rs CMP Rd,Imm8bit 1S NZCV 3 Void=Rd-nn CMP Rd,Rs 1S NZCV 4 Void=Rd-Rs CMP R0-15,R8-15 1S NZCV 5 Void=Rd-Rs CMP R8-15,R0-15 1S NZCV 5 Void=Rd-Rs CMN Rd,Rs 1S NZCV 4 Void=Rd+Rs MUL Rd,Rs 1S+mI NZx- 4 Rd=Rd*Rs |
Instruction Cycles Flags Format Expl.
B disp 2S+1N ---- 18 PC=$+/-2048
BL disp 3S+1N ---- 19 PC=$+/-4M, LR=$+5
B{cond=true} disp 2S+1N ---- 16 PC=$+/-0..256
B{cond=false} disp 1S ---- 16 N/A
BX R0..15 2S+1N ---- 5 PC=Rs, ARM/THUMB (Rs bit0)
SWI Imm8bit 2S+1N ---- 17 PC=8, ARM SVC mode, LR=$+2
BKPT Imm8bit ??? ---- 17 ??? ARM9 Prefetch Abort
BLX disp ??? ---- ??? ??? ARM9
BLX R0..R14 ??? ---- ??? ??? ARM9
POP {Rlist,}PC (n+1)S+2N+1I ---- 14
MOV R15,R0..15 2S+1N ---- 5 PC=Rs
ADD R15,R0..15 2S+1N ---- 5 PC=Rd+Rs
|
Instruction Cycles Flags Format Expl.
LDR Rd,[Rb,5bit*4] 1S+1N+1I ---- 9 Rd = WORD[Rb+nn]
LDR Rd,[PC,8bit*4] 1S+1N+1I ---- 6 Rd = WORD[PC+nn]
LDR Rd,[SP,8bit*4] 1S+1N+1I ---- 11 Rd = WORD[SP+nn]
LDR Rd,[Rb,Ro] 1S+1N+1I ---- 7 Rd = WORD[Rb+Ro]
LDRB Rd,[Rb,5bit*1] 1S+1N+1I ---- 9 Rd = BYTE[Rb+nn]
LDRB Rd,[Rb,Ro] 1S+1N+1I ---- 7 Rd = BYTE[Rb+Ro]
LDRH Rd,[Rb,5bit*2] 1S+1N+1I ---- 10 Rd = HALFWORD[Rb+nn]
LDRH Rd,[Rb,Ro] 1S+1N+1I ---- 8 Rd = HALFWORD[Rb+Ro]
LDSB Rd,[Rb,Ro] 1S+1N+1I ---- 8 Rd = SIGNED_BYTE[Rb+Ro]
LDSH Rd,[Rb,Ro] 1S+1N+1I ---- 8 Rd = SIGNED_HALFWORD[Rb+Ro]
STR Rd,[Rb,5bit*4] 2N ---- 9 WORD[Rb+nn] = Rd
STR Rd,[SP,8bit*4] 2N ---- 11 WORD[SP+nn] = Rd
STR Rd,[Rb,Ro] 2N ---- 7 WORD[Rb+Ro] = Rd
STRB Rd,[Rb,5bit*1] 2N ---- 9 BYTE[Rb+nn] = Rd
STRB Rd,[Rb,Ro] 2N ---- 7 BYTE[Rb+Ro] = Rd
STRH Rd,[Rb,5bit*2] 2N ---- 10 HALFWORD[Rb+nn] = Rd
STRH Rd,[Rb,Ro] 2N ---- 8 HALFWORD[Rb+Ro]=Rd
PUSH {Rlist}{LR} (n-1)S+2N ---- 14
POP {Rlist}{PC} ---- 14 (ARM9: with mode switch)
STMIA Rb!,{Rlist} (n-1)S+2N ---- 15
LDMIA Rb!,{Rlist} nS+1N+1I ---- 15
|
Form|_15|_14|_13|_12|_11|_10|_9_|_8_|_7_|_6_|_5_|_4_|_3_|_2_|_1_|_0_|
__1_|_0___0___0_|__Op___|_______Offset______|____Rs_____|____Rd_____|Shifted
__2_|_0___0___0___1___1_|_I,_Op_|___Rn/nn___|____Rs_____|____Rd_____|ADD/SUB
__3_|_0___0___1_|__Op___|____Rd_____|_____________Offset____________|Immedi.
__4_|_0___1___0___0___0___0_|______Op_______|____Rs_____|____Rd_____|AluOp
__5_|_0___1___0___0___0___1_|__Op___|Hd_|Hs_|____Rs_____|____Rd_____|HiReg/BX
__6_|_0___1___0___0___1_|____Rd_____|_____________Word______________|LDR PC
__7_|_0___1___0___1_|__Op___|_0_|___Ro______|____Rb_____|____Rd_____|LDR/STR
__8_|_0___1___0___1_|__Op___|_1_|___Ro______|____Rb_____|____Rd_____|""H/SB/SH
__9_|_0___1___1_|__Op___|_______Offset______|____Rb_____|____Rd_____|""{B}
_10_|_1___0___0___0_|Op_|_______Offset______|____Rb_____|____Rd_____|""H
_11_|_1___0___0___1_|Op_|____Rd_____|_____________Word______________|"" SP
_12_|_1___0___1___0_|Op_|____Rd_____|_____________Word______________|ADD PC/SP
_13_|_1___0___1___1___0___0___0___0_|_S_|___________Word____________|ADD SP,nn
_14_|_1___0___1___1_|Op_|_1___0_|_R_|____________Rlist______________|PUSH/POP
_17_|_1___0___1___1___1___1___1___0_|___________User_Data___________|ARM9:BKPT
_X__|_1___0___1___1___ .............................. |ARM11...
0110 011 Change Processor State CPS on page B4-2
0001 xxx Compare and Branch on Zero CBNZ, CBZ on page A6-52
1011 xxx Compare and Branch on Nonzero CBNZ, CBZ on page A6-52
0011 xxx Compare and Branch on Zero CBNZ, CBZ on page A6-52
1001 xxx Compare and Branch on Nonzero CBNZ, CBZ on page A6-52
0010 00x Signed Extend Halfword SXTH on page A6-256
0010 01x Signed Extend Byte SXTB on page A6-254
0010 10x Unsigned Extend Halfword UXTH on page A6-274
0010 11x Unsigned Extend Byte UXTB on page A6-272
1010 00x Byte-Reverse Word REV on page A6-191
1010 01x Byte-Reverse Packed Halfword REV16 on page A6-192
1010 11x Byte-Reverse Signed Halfword REVSH on page A6-193
1111 xxx If-Then, and hints If-Then, and hints on page A5-11
_15_|_1___1___0___0_|Op_|____Rb_____|____________Rlist______________|STM/LDM
_16_|_1___1___0___1_|_____Cond______|_________Signed_Offset_________|B{cond}
_U__|_1___1___0___1___1___1___1___0_|_____________var_______________|UndefARM9
_17_|_1___1___0___1___1___1___1___1_|___________User_Data___________|SWI
_18_|_1___1___1___0___0_|________________Offset_____________________|B
_19_|_1___1___1___0___1_|_________________________var___________|_0_|BLX.ARM9
_U__|_1___1___1___0___1_|_________________________var___________|_1_|UndefARM9
_19_|_1___1___1___1_|_H_|______________Offset_Low/High______________|BL,BLX
|
1011 0001 xxxxxxxx (reserved) 1011 0x1x xxxxxxxx (reserved) 1011 10xx xxxxxxxx (reserved) 1011 1111 xxxxxxxx (reserved) 1101 1110 xxxxxxxx (free for user) |
| THUMB Opcodes: Register Operations (ALU, BX) |
15-13 Must be 000b for 'move shifted register' instructions
12-11 Opcode
00b: LSL{S} Rd,Rs,#Offset (logical/arithmetic shift left)
01b: LSR{S} Rd,Rs,#Offset (logical shift right)
10b: ASR{S} Rd,Rs,#Offset (arithmetic shift right)
11b: Reserved (used for add/subtract instructions)
10-6 Offset (0-31)
5-3 Rs - Source register (R0..R7)
2-0 Rd - Destination register (R0..R7)
|
15-11 Must be 00011b for 'add/subtract' instructions
10-9 Opcode (0-3)
0: ADD{S} Rd,Rs,Rn ;add register Rd=Rs+Rn
1: SUB{S} Rd,Rs,Rn ;subtract register Rd=Rs-Rn
2: ADD{S} Rd,Rs,#nn ;add immediate Rd=Rs+nn
3: SUB{S} Rd,Rs,#nn ;subtract immediate Rd=Rs-nn
Pseudo/alias opcode with Imm=0:
2: MOV{ADDS} Rd,Rs ;move (affects cpsr) Rd=Rs+0
8-6 For Register Operand:
Rn - Register Operand (R0..R7)
For Immediate Operand:
nn - Immediate Value (0-7)
5-3 Rs - Source register (R0..R7)
2-0 Rd - Destination register (R0..R7)
|
15-13 Must be 001b for this type of instructions
12-11 Opcode
00b: MOV{S} Rd,#nn ;move Rd = #nn
01b: CMP{S} Rd,#nn ;compare Void = Rd - #nn
10b: ADD{S} Rd,#nn ;add Rd = Rd + #nn
11b: SUB{S} Rd,#nn ;subtract Rd = Rd - #nn
10-8 Rd - Destination Register (R0..R7)
7-0 nn - Unsigned Immediate (0-255)
|
15-10 Must be 010000b for this type of instructions
9-6 Opcode (0-Fh)
0: AND{S} Rd,Rs ;AND logical Rd = Rd AND Rs
1: EOR{S} Rd,Rs ;XOR logical Rd = Rd XOR Rs
2: LSL{S} Rd,Rs ;log. shift left Rd = Rd << (Rs AND 0FFh)
3: LSR{S} Rd,Rs ;log. shift right Rd = Rd >> (Rs AND 0FFh)
4: ASR{S} Rd,Rs ;arit shift right Rd = Rd SAR (Rs AND 0FFh)
5: ADC{S} Rd,Rs ;add with carry Rd = Rd + Rs + Cy
6: SBC{S} Rd,Rs ;sub with carry Rd = Rd - Rs - NOT Cy
7: ROR{S} Rd,Rs ;rotate right Rd = Rd ROR (Rs AND 0FFh)
8: TST Rd,Rs ;test Void = Rd AND Rs
9: NEG{S} Rd,Rs ;negate Rd = 0 - Rs
A: CMP Rd,Rs ;compare Void = Rd - Rs
B: CMN Rd,Rs ;neg.compare Void = Rd + Rs
C: ORR{S} Rd,Rs ;OR logical Rd = Rd OR Rs
D: MUL{S} Rd,Rs ;multiply Rd = Rd * Rs
E: BIC{S} Rd,Rs ;bit clear Rd = Rd AND NOT Rs
F: MVN{S} Rd,Rs ;not Rd = NOT Rs
5-3 Rs - Source Register (R0..R7)
2-0 Rd - Destination Register (R0..R7)
|
N,Z,C,V for ADC,SBC,NEG,CMP,CMN N,Z,C for LSL,LSR,ASR,ROR (carry flag unchanged if zero shift amount) N,Z,C for MUL on ARMv4 and below: carry flag destroyed N,Z for MUL on ARMv5 and above: carry flag unchanged N,Z for AND,EOR,TST,ORR,BIC,MVN |
1S for AND,EOR,ADC,SBC,TST,NEG,CMP,CMN,ORR,BIC,MVN 1S+1I for LSL,LSR,ASR,ROR 1S+mI for MUL on ARMv4 (m=1..4; depending on MSBs of incoming Rd value) 1S+mI for MUL on ARMv5 (m=3; fucking slow, no matter of MSBs of Rd value) |
15-10 Must be 010001b for this type of instructions
9-8 Opcode (0-3)
0: ADD Rd,Rs ;add Rd = Rd+Rs
1: CMP Rd,Rs ;compare Void = Rd-Rs ;CPSR affected
2: MOV Rd,Rs ;move Rd = Rs
2: NOP ;nop R8 = R8
3: BX Rs ;jump PC = Rs ;may switch THUMB/ARM
3: BLX Rs ;call PC = Rs ;may switch THUMB/ARM (ARM9)
7 MSBd - Destination Register most significant bit (or BL/BLX flag)
6 MSBs - Source Register most significant bit
5-3 Rs - Source Register (together with MSBs: R0..R15)
2-0 Rd - Destination Register (together with MSBd: R0..R15)
|
Processor will be switched into ARM mode! If so, Bit 1 of Rs must be cleared (32bit word aligned). Thus, BX PC (switch to ARM) may be issued from word-aligned address only, the destination is PC+4 (ie. the following halfword is skipped). |
1S for ADD/MOV/CMP 2S+1N for ADD/MOV with Rd=R15, and for BX |
| THUMB Opcodes: Memory Load/Store (LDR/STR) |
15-11 Must be 01001b for this type of instructions
N/A Opcode (fixed)
LDR Rd,[PC,#nn] ;load 32bit Rd = WORD[PC+nn]
10-8 Rd - Destination Register (R0..R7)
7-0 nn - Unsigned offset (0-1020 in steps of 4)
|
15-12 Must be 0101b for this type of instructions
11-10 Opcode (0-3)
0: STR Rd,[Rb,Ro] ;store 32bit data WORD[Rb+Ro] = Rd
1: STRB Rd,[Rb,Ro] ;store 8bit data BYTE[Rb+Ro] = Rd
2: LDR Rd,[Rb,Ro] ;load 32bit data Rd = WORD[Rb+Ro]
3: LDRB Rd,[Rb,Ro] ;load 8bit data Rd = BYTE[Rb+Ro]
9 Must be zero (0) for this type of instructions
8-6 Ro - Offset Register (R0..R7)
5-3 Rb - Base Register (R0..R7)
2-0 Rd - Source/Destination Register (R0..R7)
|
15-12 Must be 0101b for this type of instructions
11-10 Opcode (0-3)
0: STRH Rd,[Rb,Ro] ;store 16bit data HALFWORD[Rb+Ro] = Rd
1: LDSB Rd,[Rb,Ro] ;load sign-extended 8bit Rd = BYTE[Rb+Ro]
2: LDRH Rd,[Rb,Ro] ;load zero-extended 16bit Rd = HALFWORD[Rb+Ro]
3: LDSH Rd,[Rb,Ro] ;load sign-extended 16bit Rd = HALFWORD[Rb+Ro]
9 Must be set (1) for this type of instructions
8-6 Ro - Offset Register (R0..R7)
5-3 Rb - Base Register (R0..R7)
2-0 Rd - Source/Destination Register (R0..R7)
|
15-13 Must be 011b for this type of instructions
12-11 Opcode (0-3)
0: STR Rd,[Rb,#nn] ;store 32bit data WORD[Rb+nn] = Rd
1: LDR Rd,[Rb,#nn] ;load 32bit data Rd = WORD[Rb+nn]
2: STRB Rd,[Rb,#nn] ;store 8bit data BYTE[Rb+nn] = Rd
3: LDRB Rd,[Rb,#nn] ;load 8bit data Rd = BYTE[Rb+nn]
10-6 nn - Unsigned Offset (0-31 for BYTE, 0-124 for WORD)
5-3 Rb - Base Register (R0..R7)
2-0 Rd - Source/Destination Register (R0..R7)
|
15-12 Must be 1000b for this type of instructions
11 Opcode (0-1)
0: STRH Rd,[Rb,#nn] ;store 16bit data HALFWORD[Rb+nn] = Rd
1: LDRH Rd,[Rb,#nn] ;load 16bit data Rd = HALFWORD[Rb+nn]
10-6 nn - Unsigned Offset (0-62, step 2)
5-3 Rb - Base Register (R0..R7)
2-0 Rd - Source/Destination Register (R0..R7)
|
15-12 Must be 1001b for this type of instructions
11 Opcode (0-1)
0: STR Rd,[SP,#nn] ;store 32bit data WORD[SP+nn] = Rd
1: LDR Rd,[SP,#nn] ;load 32bit data Rd = WORD[SP+nn]
10-8 Rd - Source/Destination Register (R0..R7)
7-0 nn - Unsigned Offset (0-1020, step 4)
|
| THUMB Opcodes: Memory Addressing (ADD PC/SP) |
15-12 Must be 1010b for this type of instructions
11 Opcode/Source Register (0-1)
0: ADD Rd,PC,#nn ;Rd = (($+4) AND NOT 2) + nn
1: ADD Rd,SP,#nn ;Rd = SP + nn
10-8 Rd - Destination Register (R0..R7)
7-0 nn - Unsigned Offset (0-1020, step 4)
|
15-8 Must be 10110000b for this type of instructions
7 Opcode/Sign
0: ADD SP,#nn ;SP = SP + nn
1: ADD SP,#-nn ;SP = SP - nn
6-0 nn - Unsigned Offset (0-508, step 4)
|
| THUMB Opcodes: Memory Multiple Load/Store (PUSH/POP and LDM/STM) |
15-12 Must be 1011b for this type of instructions
11 Opcode (0-1)
0: PUSH {Rlist}{LR} ;store in memory, decrements SP (R13)
1: POP {Rlist}{PC} ;load from memory, increments SP (R13)
10-9 Must be 10b for this type of instructions
8 PC/LR Bit (0-1)
0: No
1: PUSH LR (R14), or POP PC (R15)
7-0 Rlist - List of Registers (R7..R0)
|
PUSH {R0-R3} ;push R0,R1,R2,R3
PUSH {R0,R2,LR} ;push R0,R2,LR
POP {R4,R7} ;pop R4,R7
POP {R2-R4,PC} ;pop R2,R3,R4,PC
|
15-12 Must be 1100b for this type of instructions
11 Opcode (0-1)
0: STMIA Rb!,{Rlist} ;store in memory, increments Rb
1: LDMIA Rb!,{Rlist} ;load from memory, increments Rb
10-8 Rb - Base register (modified) (R0-R7)
7-0 Rlist - List of Registers (R7..R0)
|
STMIA R7!,{R0-R2} ;store R0,R1,R2
LDMIA R0!,{R1,R5} ;store R1,R5
|
| THUMB Opcodes: Jumps and Calls |
15-12 Must be 1101b for this type of instructions
11-8 Opcode/Condition (0-Fh)
0: BEQ label ;Z=1 ;equal (zero) (same)
1: BNE label ;Z=0 ;not equal (nonzero) (not same)
2: BCS/BHS label ;C=1 ;unsigned higher or same (carry set)
3: BCC/BLO label ;C=0 ;unsigned lower (carry cleared)
4: BMI label ;N=1 ;negative (minus)
5: BPL label ;N=0 ;positive or zero (plus)
6: BVS label ;V=1 ;overflow (V set)
7: BVC label ;V=0 ;no overflow (V cleared)
8: BHI label ;C=1 and Z=0 ;unsigned higher
9: BLS label ;C=0 or Z=1 ;unsigned lower or same
A: BGE label ;N=V ;greater or equal
B: BLT label ;N<>V ;less than
C: BGT label ;Z=0 and N=V ;greater than
D: BLE label ;Z=1 or N<>V ;less or equal
E: Undefined, should not be used
F: Reserved for SWI instruction (see SWI opcode)
7-0 Signed Offset, step 2 ($+4-256..$+4+254)
|
2S+1N if condition true (jump executed) 1S if condition false |
15-11 Must be 11100b for this type of instructions
N/A Opcode (fixed)
B label ;branch (jump)
10-0 Signed Offset, step 2 ($+4-2048..$+4+2046)
|
First Instruction - LR = PC+4+(nn SHL 12)
15-11 Must be 11110b for BL/BLX type of instructions
10-0 nn - Upper 11 bits of Target Address
Second Instruction - PC = LR + (nn SHL 1), and LR = PC+2 OR 1 (and BLX: T=0)
15-11 Opcode
11111b: BL label ;branch long with link
11101b: BLX label ;branch long with link switch to ARM mode (ARM9)
10-0 nn - Lower 11 bits of Target Address (BLX: Bit0 Must be zero)
|
15-8 Opcode
11011111b: SWI nn ;software interrupt
10111110b: BKPT nn ;software breakpoint (ARMv5 and up)
7-0 nn - Comment Field, ignored by processor (8bit value) (0-255)
|
R14_svc=PC+2 R14_abt=PC+4 ;save return address SPSR_svc=CPSR SPSR_abt=CPSR ;save CPSR flags CPSR=<changed> CPSR=<changed> ;Enter svc/abt, ARM state, IRQs disabled PC=VVVV0008h PC=VVVV000Ch ;jump to SWI/PrefetchAbort vector address |
| ARM Pseudo Instructions and Directives |
nop mov r0,r0 ldr Rd,=Imm ldr Rd,[r15,disp] ;use .pool as parameter field add Rd,=addr add/sub Rd,r15,disp adr Rd,addr add/sub Rd,r15,disp adrl Rd,addr two add/sub opcodes with disp=xx00h+00yyh mov Rd,Imm mvn Rd,NOT Imm ;or vice-versa and Rd,Rn,Imm bic Rd,Rn,NOT Imm ;or vice-versa cmp Rd,Rn,Imm cmn Rd,Rn,-Imm ;or vice-versa add Rd,Rn,Imm sub Rd,Rn,-Imm ;or vice-versa |
nop mov r8,r8 ldr Rd,=Imm ldr Rd,[r15,disp] ;use .pool as parameter field add Rd,=addr add Rd,r15,disp adr Rd,addr add Rd,r15,disp mov Rd,Rs add Rd,Rs,0 ;with Rd,Rs in range r0-r7 each |
org adr assume following code from this address on .gba indicate GBA program .nds indicate NDS program .dsi indicate DSi program .fix fix GBA/NDS/DSi header checksum .ereader_create_bmp create GBA e-Reader dotcode .BMP file(s) (bitmaps) .ereader_create_raw create GBA e-Reader dotcode .RAW file (useless) .ereader_create_bin create GBA e-Reader dotcode .BIN file (smallest) .ereader_japan_plus japanese/plus (default is non-japanese) .ereader_japan_original japanese/original (with Z80-stub for GBA-code) .title 'Txt' defines a title (used for e-Reader dotcodes) .teak select TeakLiteII instruction set (for DSi DSP) .xtensa select Xtensa instruction set (for DSi Atheros Wifi) .norewrite do not delete existing output file (keep following data in file) .data? following defines RAM data structure (assembled to nowhere) .code following is normal ROM code/data (assembled to ROM image) .include includes specified source code file (no nesting/error handling) .import imports specified binary file (optional parameters: ,begin,len) .radix nn changes default numeric format (nn=2,8,10,16 = bin/oct/dec/hex) .errif expr generates an error message if expression is nonzero .if expr assembles following code only if expression is nonzero .else invert previous .if condition .endif terminate .if/.ifdef/.ifndef .ifdef sym assemble following only if symbol is defined .ifndef sym assemble following only if symbol is not defined .align nn aligns to an address divisible-by-nn, inserts 00's .msg defines a no$gba debugmessage string, such like .msg 'Init Okay' .brk defines a no$gba source code break opcode l equ n l=n l: [cmd] l=$ (global label) @@l: [cmd] @@l=$ (local label, all locals are reset at next global label) end end of source code db ... define 8bit data (bytes) dw ... define 16bit data (halfwords) dd ... define 32bit data (words) defs nn define nn bytes space (zero-filled) ;... defines a comment (ignored by the assembler) // alias for CRLF, eg. allows <db 'Text',0 // dw addr> in one line |
align .align 4 code16 .thumb align nn .align nn .code 16 .thumb % nn defs nn code32 .arm .space nn defs nn .code 32 .arm ..ds nn defs nn ltorg .pool x=n x equ n .ltorg .pool .equ x,n x equ n ..ltorg .pool .define x n x equ n dcb db (8bit data) incbin .import defb db (8bit data) @@@... ;comment .byte db (8bit data) @ ... ;comment .ascii db (8bit string) @*... ;comment dcw dw (16bit data) @... ;comment defw dw (16bit data) .text .code .hword dw (16bit data) .bss .data? dcd dd (32bit data) .global (ignored) defd dd (32bit data) .extern (ignored) .long dd (32bit data) .thumb_func (ignored) .word dw/dd, don't use #directive .directive .end end .fill nn,1,0 defs nn |
hs cs ;condition higher or same = carry set lo cc ;condition lower = carry cleared asl lsl ;arithmetic shift left = logical shift left |
Type Normal Alias Decimal 85 #85 &d85 Hexadecimal 55h #55h 0x55 #0x55 $55 &h55 Octal 125o 0o125 &o125 Ascii 'U' "U" Binary 01010101b %01010101 0b01010101 &b01010101 Roman &rLXXXV (very useful for arrays of kings and chapters) |
Prio Operator Aliases 8 (,) brackets 7 +,- sign 6 *,/,MOD,SHL,SHR MUL,DIV,<<,>> 5 +,- operation 4 EQ,GE,GT,LE,LT,NE =,>=,>,<=,<,<>,==,!= 3 NOT 2 AND 1 OR,XOR EOR |
mov r0,0ffh ;no C64-style "#", and no C-style "0x" required
stmia [r7]!,r0,r4-r5 ;square [base] brackets, no fancy {rlist} brackets
mov r0,cpsr ;no confusing MSR and MRS (whatever which is which)
mov r0,p0,0,c0,c0,0 ;no confusing MCR and MRC (whatever which is which)
ldr r0,[score] ;allows to use clean brackets for relative addresses
push rlist ;alias for stmfd [r13]!,rlist (and same for pop/ldmfd)
label: ;label definitions recommended to use ":" colons
|
| ARM CP14 ICEbreaker Debug Communications Channel |
MRC{cond} P14,0,Rd,C0,C0,0 ;Read Debug Comms Control Register
MRC{cond} P14,0,Rd,C1,C0,0 ;Read Debug Comms Data Register
MRC{cond} P14,0,Rd,C2,C0,0 ;Read Debug Comms Status Register
MCR{cond} P14,0,Rd,C1,C0,0 ;Write Debug Comms Data Register
MCR{cond} P14,0,Rd,C2,C0,0 ;Write Debug Comms Status Register
|
| ARM CP15 System Control Coprocessor |
| ARM CP15 Overview |
MCR{cond} P15,0,Rd,Cn,Cm,<cp> ;move from ARM to CP15
MRC{cond} P15,0,Rd,Cn,Cm,<cp> ;move from CP15 to ARM
|
Register Expl. C0,C0,0 Main ID Register (R) C0,C0,1 Cache Type and Size (R) C0,C0,2 TCM Physical Size (R) C0,C0,3 ARM11: TLB Type Register C0,C1,0 ARM11: Processor Feature Register 0 C0,C1,1 ARM11: Processor Feature Register 1 C0,C1,2 ARM11: Debug Feature Register 0 C0,C1,3 ARM11: Auxiliary Feature Register 0 C0,C1,4 ARM11: Memory Model Feature Register 0 C0,C1,5 ARM11: Memory Model Feature Register 1 C0,C1,6 ARM11: Memory Model Feature Register 2 C0,C1,7 ARM11: Memory Model Feature Register 3 C0,C2,0 ARM11: Set Attributes Register 0 C0,C2,1 ARM11: Set Attributes Register 1 C0,C2,2 ARM11: Set Attributes Register 2 C0,C2,3 ARM11: Set Attributes Register 3 C0,C2,4 ARM11: Set Attributes Register 4 C0,C2,5 ARM11: Set Attributes Register 5 |
C1,C0,0 Control Register (R/W, or R=Fixed) C1,C0,1 ARM11: Auxiliary Control Register C1,C0,2 ARM11: Coprocessor Access Control Register C2,C0,0 ARM11: Translation Table Base Register 0 C2,C0,1 ARM11: Translation Table Base Register 1 C2,C0,2 ARM11: Translation Table Base Control Register C3,C0,0 ARM11: Domain Access Control Register C5,C0,0 ARM11: Data Fault Status Register C5,C0,1 ARM11: Instruction Fault Status Register C6,C0,0 ARM11: Fault Address Register (FAR) C6,C0,1 ARM11: Watchpoint Fault Address Register (WFAR) C2,C0,0 PU Cachability Bits for Data/Unified Protection Region C2,C0,1 PU Cachability Bits for Instruction Protection Region C3,C0,0 PU Cache Write-Bufferability Bits for Data Protection Regions C5,C0,0 PU Access Permission Data/Unified Protection Region C5,C0,1 PU Access Permission Instruction Protection Region C5,C0,2 PU Extended Access Permission Data/Unified Protection Region C5,C0,3 PU Extended Access Permission Instruction Protection Region C6,C0..C7,0 PU Protection Unit Data/Unified Region 0..7 C6,C0..C7,1 PU Protection Unit Instruction Region 0..7 C7,Cm,Op2 Cache Commands and Halt Function (W) C9,C0,0 Cache Data Lockdown C9,C0,1 Cache Instruction Lockdown C9,C1,0 TCM Data TCM Base and Virtual Size C9,C1,1 TCM Instruction TCM Base and Virtual Size C13,Cm,Op2 Misc Process ID registers C15,Cm,Op2 Misc Implementation Defined and Test/Debug registers |
| ARM CP15 ID Codes |
12-15 ARM Era (0=Pre-ARM7, 7=ARM7, other=Post-ARM7) |
0-3 Revision Number
4-15 Primary Part Number (Bit12-15 must be other than 0 or 7)
(eg. 946h for ARM946)
16-19 Architecture (1=v4, 2=v4T, 3=v5, 4=v5T, 5=v5TE, 6=v6, ?=v7)
20-23 Variant Number
24-31 Implementor (41h=ARM, 44h=Digital Equipment Corp, 69h=Intel)
|
0-3 Revision Number 4-15 Primary Part Number (Bit12-15 must be 7) 16-22 Variant Number 23 Architecture (0=v3, 1=v4T) 24-31 Implementor (41h=ARM, 44h=Digital Equipment Corp, 69h=Intel) |
0-3 Revision Number 4-11 Processor ID LSBs (30h=ARM3/v2, 60h,61h,62=ARM600,610,620/v3) 12-31 Processor ID MSBs (fixed, 41560h) |
0-11 Instruction Cache (bits 0-1=len, 2=m, 3-5=assoc, 6-8=size, 9-11=zero)
12-23 Data Cache (bits 0-1=len, 2=m, 3-5=assoc, 6-8=size, 9-11=zero)
24 Separate Cache Flag (0=Unified, 1=Separate Data/Instruction Caches)
25-28 Cache Type (0,1,2,6,7=see below, other=reserved)
Type Method Cache cleaning Cache lock-down
0 Write-through Not needed Not supported
1 Write-back Read data block Not supported
2 Write-back Register 7 operations Not supported
6 Write-back Register 7 operations Format A
7 Write-back Register 7 operations Format B ;<-- NDS9
29-31 Reserved (zero)
|
Cache Absent = (ASSOC=0 and M=1) ;in that case overriding below Cache Size = 200h+(100h*M) shl SIZE ;min 0.5Kbytes, max 96Kbytes Associativity = (1+(0.5*M)) shl ASSOC ;min 1-way, max 192-way Line Length = 8 shl LEN ;min 8 bytes, max 64 bytes |
0-1 Reserved (0) 2 ITCM Absent (0=Present, 1=Absent) 3-5 Reserved (0) 6-9 ITCM Size (Size = 512 SHL N) (or 0=None) 10-13 Reserved (0) 14 DTCM Absent (0=Present, 1=Absent) 15-17 Reserved (0) 18-21 DTCM Size (Size = 512 SHL N) (or 0=None) 22-31 Reserved (0) |
| ARM CP15 Control Register |
0 MMU/PU Enable (0=Disable, 1=Enable) (Fixed 0 if none) 1 Alignment Fault Check (0=Disable, 1=Enable) (Fixed 0/1 if none/always on) 2 Data/Unified Cache (0=Disable, 1=Enable) (Fixed 0/1 if none/always on) 3 Write Buffer (0=Disable, 1=Enable) (Fixed 0/1 if none/always on) 4 Exception Handling (0=26bit, 1=32bit) (Fixed 1 if always 32bit) 5 26bit-address faults (0=Enable, 1=Disable) (Fixed 1 if always 32bit) 6 Abort Model (pre v4) (0=Early, 1=Late Abort) (Fixed 1 if ARMv4 and up) 7 Endian (0=Little, 1=Big) (Fixed 0/1 if fixed) 8 System Protection bit (MMU-only) 9 ROM Protection bit (MMU-only) 10 Implementation defined 11 Branch Prediction (0=Disable, 1=Enable) 12 Instruction Cache (0=Disable, 1=Enable) (ignored if Unified cache) 13 Exception Vectors (0=00000000h, 1=FFFF0000h) 14 Cache Replacement (0=Normal/PseudoRandom, 1=Predictable/RoundRobin) 15 Pre-ARMv5 Mode (0=Normal, 1=Pre ARMv5; LDM/LDR/POP_PC.Bit0/Thumb) 16 DTCM Enable (0=Disable, 1=Enable) 17 DTCM Load Mode (0=R/W, 1=DTCM Write-only) 18 ITCM Enable (0=Disable, 1=Enable) 19 ITCM Load Mode (0=R/W, 1=ITCM Write-only) 20-31 Reserved (keep these bits unchanged) (usually zero) |
| ARM CP15 Memory Managment Unit (MMU) |
C2,Cm,Op2 MMU Translation Table Base C3,Cm,Op2 MMU Domain Access Control C5,Cm,Op2 MMU Fault Status C6,Cm,Op2 MMU Fault Address C8,Cm,Op2 MMU TLB Control C10,Cm,Op2 MMU TLB Lockdown |
| ARM CP15 Protection Unit (PU) |
0-7 Cachable (C) bits for region 0-7 8-31 Reserved/zero |
0-7 Bufferable (B) bits for region 0-7 (0=Write-Through, 1=Write-Back) 8-31 Reserved/zero |
0-15 Access Permission (AP) bits for region 0-7 (Bits 0-1=AP0, 2-3=AP1, etc) 16-31 Reserved/zero |
0-31 Access Permission (AP) bits for region 0-7 (Bits 0-3=AP0, 4-7=AP1, etc) |
AP Privileged User 0 - - 1 R/W - 2 R/W R 3 R/W R/W 5 R - 6 R R |
0 Protection Region Enable (0=Disable, 1=Enable) 1-5 Protection Region Size (2 SHL X) ;min=(X=11)=4KB, max=(X=31)=4GB 6-11 Reserved/zero 12-31 Protection Region Base address (Addr = Y*4K; must be SIZE-aligned) |
| ARM CP15 Cache Control |
Cn,Cm,Op2 Rd ARM9 Command C7,C0,4 0 Yes Wait For Interrupt (Halt) C7,C5,0 0 Yes Invalidate Entire Instruction Cache C7,C5,1 VA Yes Invalidate Instruction Cache Line C7,C5,2 S/I - Invalidate Instruction Cache Line C7,C5,4 0 - Flush Prefetch Buffer C7,C5,6 0 - Flush Entire Branch Target Cache C7,C5,7 IMP? - Flush Branch Target Cache Entry C7,C6,0 0 Yes Invalidate Entire Data Cache C7,C6,1 VA Yes Invalidate Data Cache Line C7,C6,2 S/I - Invalidate Data Cache Line C7,C7,0 0 - Invalidate Entire Unified Cache C7,C7,1 VA - Invalidate Unified Cache Line C7,C7,2 S/I - Invalidate Unified Cache Line C7,C8,2 0 Yes Wait For Interrupt (Halt), alternately to C7,C0,4 C7,C10,1 VA Yes Clean Data Cache Line C7,C10,2 S/I Yes Clean Data Cache Line C7,C10,4 0 - Drain Write Buffer C7,C11,1 VA - Clean Unified Cache Line C7,C11,2 S/I - Clean Unified Cache Line C7,C13,1 VA Yes Prefetch Instruction Cache Line C7,C14,1 VA Yes Clean and Invalidate Data Cache Line C7,C14,2 S/I Yes Clean and Invalidate Data Cache Line C7,C15,1 VA - Clean and Invalidate Unified Cache Line C7,C15,2 S/I - Clean and Invalidate Unified Cache Line |
0 Not used, should be zero VA Virtual Address S/I Set/index; Bit 31..(32-A) = Index, Bit (L+S-1)..L = Set ? |
Invalidate means to forget all data Clean means to write-back dirty cache lines to underlaying memory (Clean is important when having "Cache Write-Bufferability" enabled in PU) |
0..(31-W) Reserved/zero (32-W)..31 Lockdown Block Index |
0..(W-1) Lockdown Block Index W..30 Reserved/zero 31 L |
| ARM CP15 Tightly Coupled Memory (TCM) |
0 Reserved (0) 1-5 Virtual Size (Size = 512 SHL N) ;min=(N=3)=4KB, max=(N=23)=4GB 6-11 Reserved (0) 12-31 Region Base (Base = X SHL 12) ;Base must be Size-aligned |
| ARM CP15 Misc |
0-24 Reserved/zero 25-31 Process ID (PID) (0-127) (0=Disable) |
IF addr<32M then addr=addr+PID*32M Respectively, with PID=0, the address remains unchanged (FCSE disabled). |
1. CPU outputs a virtual address (VA) 2. FCSE adjusts the VA to a modified virtual address (MVA) 3. Cache hits determined by examining the MVA, continue below if no hit 4. MMU translates MVA to physical address (PA) (if no MMU present: PA=MVA) 5. Memory access occurs at PA |
0-31 Process ID |
0-15 Data Control (see below) 16-31 Instruction Control (see below) |
0 Start bit (Write: 1=Start) (Read: 1=Busy) 1 Pause bit (1=Pause) 2 Enable bit (1=Enable) 3 Fail Flag (1=Error) (Read Only) 4 Complete Flag (1=Ready) (Read Only) 5-15 Size (2^(N+2) bytes) (min=N=1=8bytes, max=N=24=64MB) |
0-31 Word-aligned Destination Address within Memory Block (eg. within ITCM) |
0-31 Fillvalue for BIST |
0-8 Reserved (zero) 9 Disable Instruction Cache Linefill 10 Disable Data Cache Linefill 11 Disable Instruction Cache Streaming 12 Disable Data Cache Streaming 13-31 Reserved (zero/unpredictable) |
0..1 Reserved (zero) 2..4 Word Address 5..N Index N+1..29 Reserved (zero) 30..31 Segment |
0..1 Set 2..3 Dirty Bits 4 Valid 5..N Index N+1..31 TAG Address |
| ARM CPU Instruction Cycle Times |
Instruction Cycles Additional
---------------------------------------------------------------------
ALU 1S +1S+1N if R15 loaded, +1I if SHIFT(Rs)
MSR,MRS 1S
LDR 1S+1N+1I +1S+1N if R15 loaded
STR 2N
LDM nS+1N+1I +1S+1N if R15 loaded
STM (n-1)S+2N
SWP 1S+2N+1I
BL (THUMB) 3S+1N
B,BL 2S+1N
SWI,trap 2S+1N
MUL 1S+ml
MLA 1S+(m+1)I
MULL 1S+(m+1)I
MLAL 1S+(m+2)I
CDP 1S+bI
LDC,STC (n-1)S+2N+bI
MCR 1N+bI+1C
MRC 1S+(b+1)I+1C
{cond} false 1S
|
Q{D}ADD/SUB 1S+Interlock.
CLZ 1S.
LDR 1S+1N+1L
LDRB,LDRH,LDRmis 1S+1N+2L
LDR PC ...
STR 1S+1N (not 2N, and both in parallel)
|
n = number of words transferred b = number of cycles spent in coprocessor busy-wait loop m = depends on most significant byte(s) of multiplier operand |
| ARM CPU Versions |
| ARM CPU Data Sheet |
- Signal Description Pins of the original CPU, probably other for GBA. - Memory Interface Optional virtual memory circuits, etc. not for GBA. - Coprocessor Interface As far as I know, none such in GBA. - Debug Interface For external hardware-based debugging. - ICEBreaker Module For external hardware-based debugging also. - Instruction Cycle Operations Detailed: What happens during each cycle of each instruction. - DC Parameters (Power supply) - AC Parameters (Signal timings) |
http://www.arm.com/Documentation/UserMans/PDF/ARM7TDMI.html |
| BIOS Functions |
| BIOS Function Summary |
GBA NDS7 NDS9 DSi7 DSi9 Basic Functions 00h 00h 00h - - SoftReset 01h - - - - RegisterRamReset 02h 06h 06h 06h 06h Halt 03h 07h - 07h - Stop/Sleep 04h 04h 04h 04h 04h IntrWait ;DSi7/DSi9: both bugged? 05h 05h 05h 05h 05h VBlankIntrWait ;DSi7/DSi9: both bugged? 06h 09h 09h 09h 09h Div 07h - - - - DivArm 08h 0Dh 0Dh 0Dh 0Dh Sqrt 09h - - - - ArcTan 0Ah - - - - ArcTan2 0Bh 0Bh 0Bh 0Bh 0Bh CpuSet 0Ch 0Ch 0Ch 0Ch 0Ch CpuFastSet 0Dh - - - - GetBiosChecksum 0Eh - - - - BgAffineSet 0Fh - - - - ObjAffineSet GBA NDS7 NDS9 DSi7 DSi9 Decompression Functions 10h 10h 10h 10h 10h BitUnPack 11h 11h 11h 11h 11h LZ77UnCompReadNormalWrite8bit ;"Wram" 12h - - - - LZ77UnCompReadNormalWrite16bit ;"Vram" - - - 01h 01h LZ77UnCompReadByCallbackWrite8bit - 12h 12h 02h 02h LZ77UnCompReadByCallbackWrite16bit - - - 19h 19h LZ77UnCompReadByCallbackWrite16bit (same as above) 13h - - - - HuffUnCompReadNormal - 13h 13h 13h 13h HuffUnCompReadByCallback 14h 14h 14h 14h 14h RLUnCompReadNormalWrite8bit ;"Wram" 15h - - - - RLUnCompReadNormalWrite16bit ;"Vram" - 15h 15h 15h 15h RLUnCompReadByCallbackWrite16bit 16h - 16h - 16h Diff8bitUnFilterWrite8bit ;"Wram" 17h - - - - Diff8bitUnFilterWrite16bit ;"Vram" 18h - 18h - 18h Diff16bitUnFilter GBA NDS7 NDS9 DSi7 DSi9 Sound (and Multiboot/HardReset/CustomHalt) 19h 08h - 08h - SoundBias 1Ah - - - - SoundDriverInit 1Bh - - - - SoundDriverMode 1Ch - - - - SoundDriverMain 1Dh - - - - SoundDriverVSync 1Eh - - - - SoundChannelClear 1Fh - - - - MidiKey2Freq 20h - - - - SoundWhatever0 21h - - - - SoundWhatever1 22h - - - - SoundWhatever2 23h - - - - SoundWhatever3 24h - - - - SoundWhatever4 25h - - - - MultiBoot 26h - - - - HardReset 27h 1Fh - 1Fh - CustomHalt 28h - - - - SoundDriverVSyncOff 29h - - - - SoundDriverVSyncOn 2Ah - - - - SoundGetJumpList GBA NDS7 NDS9 DSi7 DSi9 New NDS Functions - 03h 03h 03h 03h WaitByLoop - 0Eh 0Eh 0Eh 0Eh GetCRC16 - 0Fh 0Fh - - IsDebugger - 1Ah - 1Ah - GetSineTable - 1Bh - 1Bh - GetPitchTable (DSi7: bugged) - 1Ch - 1Ch - GetVolumeTable - 1Dh - 1Dh - GetBootProcs (DSi7: only 1 proc) - - 1Fh - 1Fh CustomPost GBA NDS7 NDS9 DSi7 DSi9 New DSi Functions (RSA/SHA1) - - - 20h 20h RSA_Init_crypto_heap - - - 21h 21h RSA_Decrypt - - - 22h 22h RSA_Decrypt_Unpad - - - 23h 23h RSA_Decrypt_Unpad_OpenPGP_SHA1 - - - 24h 24h SHA1_Init - - - 25h 25h SHA1_Update - - - 26h 26h SHA1_Finish - - - 27h 27h SHA1_Init_update_fin - - - 28h 28h SHA1_Compare_20_bytes - - - 29h 29h SHA1_Random_maybe GBA NDS7 NDS9 DSi7 DSi9 Invalid Functions 2Bh+ 20h+ 20h+ - - Crash (SWI xxh..FFh do jump to garbage addresses) - xxh xxh - - Jump to 0 (on any SWI numbers not listed above) - - - 12h 12h No function (ignored) - - - 2Bh 2Bh No function (ignored) - - - 40h+ 40h+ Mirror (SWI 40h..FFh mirror to 00h..3Fh) - - - xxh xxh Hang (on any SWI numbers not listed above) |
| BIOS Differences between GBA and NDS functions |
| BIOS Arithmetic Functions |
r0 signed 32bit Number r1 signed 32bit Denom |
r0 Number DIV Denom ;signed r1 Number MOD Denom ;signed r3 ABS (Number DIV Denom) ;unsigned |
r0 unsigned 32bit number |
r0 unsigned 16bit number |
r0 Tan, 16bit (1bit sign, 1bit integral part, 14bit decimal part) |
r0 "-PI/2<THETA/<PI/2" in a range of C000h-4000h. |
r0 X, 16bit (1bit sign, 1bit integral part, 14bit decimal part) r1 Y, 16bit (1bit sign, 1bit integral part, 14bit decimal part) |
r0 0000h-FFFFh for 0<=THETA<2PI. |
| BIOS Rotation/Scaling Functions |
r0 Pointer to Source Data Field with entries as follows:
s32 Original data's center X coordinate (8bit fractional portion)
s32 Original data's center Y coordinate (8bit fractional portion)
s16 Display's center X coordinate
s16 Display's center Y coordinate
s16 Scaling ratio in X direction (8bit fractional portion)
s16 Scaling ratio in Y direction (8bit fractional portion)
u16 Angle of rotation (8bit fractional portion) Effective Range 0-FFFF
r1 Pointer to Destination Data Field with entries as follows:
s16 Difference in X coordinate along same line
s16 Difference in X coordinate along next line
s16 Difference in Y coordinate along same line
s16 Difference in Y coordinate along next line
s32 Start X coordinate
s32 Start Y coordinate
r2 Number of Calculations
|
r0 Source Address, pointing to data structure as such:
s16 Scaling ratio in X direction (8bit fractional portion)
s16 Scaling ratio in Y direction (8bit fractional portion)
u16 Angle of rotation (8bit fractional portion) Effective Range 0-FFFF
r1 Destination Address, pointing to data structure as such:
s16 Difference in X coordinate along same line
s16 Difference in X coordinate along next line
s16 Difference in Y coordinate along same line
s16 Difference in Y coordinate along next line
r2 Number of calculations
r3 Offset in bytes for parameter addresses (2=continuous, 8=OAM)
|
| BIOS Decompression Functions |
ReadNormal: Fast (src must be memory mapped) ReadByCallback: Slow (src can be non-memory, eg. serial Firmware SPI bus) Write8bitUnits: Fast (dest must support 8bit writes, eg. not VRAM) Write16bitUnits: Slow (dest must be halfword-aligned) (for VRAM) |
r0 Source Address (no alignment required)
r1 Destination Address (must be 32bit-word aligned)
r2 Pointer to UnPack information:
16bit Length of Source Data in bytes (0-FFFFh)
8bit Width of Source Units in bits (only 1,2,4,8 supported)
8bit Width of Destination Units in bits (only 1,2,4,8,16,32 supported)
32bit Data Offset (Bit 0-30), and Zero Data Flag (Bit 31)
The Data Offset is always added to all non-zero source units.
If the Zero Data Flag was set, it is also added to zero units.
|
unfiltered: 10 11 12 13 14 15 16 17 18 19 filtered: 10 +1 +1 +1 +1 +1 +1 +1 +1 +1 |
r0 Source address (must be aligned by 4) pointing to data as follows:
Data Header (32bit)
Bit 0-3 Data size (must be 1 for Diff8bit, 2 for Diff16bit)
Bit 4-7 Type (must be 8 for DiffFiltered)
Bit 8-31 24bit size after decompression
Data Units (each 8bit or 16bit depending on used SWI function)
Data0 ;original data
Data1-Data0 ;difference data
Data2-Data1 ;...
Data3-Data2
...
r1 Destination address
|
r0 Source Address, aligned by 4, pointing to:
Data Header (32bit)
Bit0-3 Data size in bit units (normally 4 or 8)
Bit4-7 Compressed type (must be 2 for Huffman)
Bit8-31 24bit size of decompressed data in bytes
Tree Size (8bit)
Bit0-7 Size of Tree Table/2-1 (ie. Offset to Compressed Bitstream)
Tree Table (list of 8bit nodes, starting with the root node)
Root Node and Non-Data-Child Nodes are:
Bit0-5 Offset to next child node,
Next child node0 is at (CurrentAddr AND NOT 1)+Offset*2+2
Next child node1 is at (CurrentAddr AND NOT 1)+Offset*2+2+1
Bit6 Node1 End Flag (1=Next child node is data)
Bit7 Node0 End Flag (1=Next child node is data)
Data nodes are (when End Flag was set in parent node):
Bit0-7 Data (upper bits should be zero if Data Size is less than 8)
Compressed Bitstream (stored in units of 32bits)
Bit0-31 Node Bits (Bit31=First Bit) (0=Node0, 1=Node1)
r1 Destination Address
r2 Callback temp buffer ;\for NDS/DSi "ReadByCallback" variants only
r3 Callback structure ;/(see Callback notes below)
|
r0 Source address, pointing to data as such:
Data header (32bit)
Bit 0-3 Reserved
Bit 4-7 Compressed type (must be 1 for LZ77)
Bit 8-31 Size of decompressed data
Repeat below. Each Flag Byte followed by eight Blocks.
Flag data (8bit)
Bit 0-7 Type Flags for next 8 Blocks, MSB first
Block Type 0 - Uncompressed - Copy 1 Byte from Source to Dest
Bit 0-7 One data byte to be copied to dest
Block Type 1 - Compressed - Copy N+3 Bytes from Dest-Disp-1 to Dest
Bit 0-3 Disp MSBs
Bit 4-7 Number of bytes to copy (minus 3)
Bit 8-15 Disp LSBs
r1 Destination address
r2 Callback parameter ;\for NDS/DSi "ReadByCallback" variants only
r3 Callback structure ;/(see Callback notes below)
|
r0 Source Address, pointing to data as such:
Data header (32bit)
Bit 0-3 Reserved
Bit 4-7 Compressed type (must be 3 for run-length)
Bit 8-31 Size of decompressed data
Repeat below. Each Flag Byte followed by one or more Data Bytes.
Flag data (8bit)
Bit 0-6 Expanded Data Length (uncompressed N-1, compressed N-3)
Bit 7 Flag (0=uncompressed, 1=compressed)
Data Byte(s) - N uncompressed bytes, or 1 byte repeated N times
r1 Destination Address
r2 Callback parameter ;\for NDS/DSi "ReadByCallback" variants only
r3 Callback structure ;/(see Callback notes below)
|
r2 = user defined callback parameter (passed on to Open function)
(or, for Huffman: pointer to temp buffer, max 200h bytes needed)
r3 = pointer to callback structure
|
Open_and_get_32bit (eg. LDR r0,[r0], get header) Close (optional, 0=none) Get_8bit (eg. LDRB r0,[r0]) Get_16bit (not used) Get_32bit (used by Huffman only) |
| BIOS Memory Copy |
r0 Source address (must be aligned by 4)
r1 Destination address (must be aligned by 4)
r2 Length/Mode
Bit 0-20 Wordcount (GBA: rounded-up to multiple of 8 words)
Bit 24 Fixed Source Address (0=Copy, 1=Fill by WORD[r0])
|
r0 Source address (must be aligned by 4 for 32bit, by 2 for 16bit)
r1 Destination address (must be aligned by 4 for 32bit, by 2 for 16bit)
r2 Length/Mode
Bit 0-20 Wordcount (for 32bit), or Halfwordcount (for 16bit)
Bit 24 Fixed Source Address (0=Copy, 1=Fill by {HALF}WORD[r0])
Bit 26 Datasize (0=16bit, 1=32bit)
|
| BIOS Halt Functions |
r0 0=Return immediately if an old flag was already set (NDS9: bugged!)
1=Discard old flags, wait until a NEW flag becomes set
r1 Interrupt flag(s) to wait for (same format as IE/IF registers)
r2 DSi7 only: Extra flags (same format as DSi7's IE2/IF2 registers)
|
Host GBA (16bit) NDS7 (32bit) NDS9 (32bit) DSi7-IF2 (32bit) Address [3007FF8h] [380FFF8h] [DTCM+3FF8h] [380FFC0h] |
r2 8bit parameter (GBA: 00h=Halt, 80h=Stop) (NDS7/DSi7: 80h=Halt, C0h=Sleep) |
| BIOS Reset Functions |
Host sp_svc sp_irq sp_sys zerofilled area return address GBA 3007FE0h 3007FA0h 3007F00h [3007E00h..3007FFFh] Flag[3007FFAh] NDS7 380FFDCh 380FFB0h 380FF00h [380FE00h..380FFFFh] Addr[27FFE34h] NDS9 0803FC0h 0803FA0h 0803EC0h [DTCM+3E00h..3FFFh] Addr[27FFE24h] |
r0 ResetFlags
Bit Expl.
0 Clear 256K on-board WRAM ;-don't use when returning to WRAM
1 Clear 32K on-chip WRAM ;-excluding last 200h bytes
2 Clear Palette
3 Clear VRAM
4 Clear OAM ;-zerofilled! does NOT disable OBJs!
5 Reset SIO registers ;-switches to general purpose mode!
6 Reset Sound registers
7 Reset all other registers (except SIO, Sound)
|
| BIOS Misc Functions |
r0 Delay value (should be in range 1..7FFFFFFFh) |
CPU Clock Cache BIOS Value for 1ms ARM7 33.51MHz none NDS/DSi r0=20BAh ;=20BAh ;-ARM7 ARM9 67.03MHz on NDS/DSi r0=20BAh*2 ;=4174h ;\ARM9 with cache ARM9 134.06MHz on DSi r0=20BAh*4 ;=82E8h ;/ ARM9 67.03MHz off NDS r0=20BAh/2 ;=105Dh ;\ ARM9 67.03MHz off DSi r0=20BAh/4 ;=082Eh ; ARM9 without cache ARM9 134.06MHz off DSi r0=20BAh/3 ;=0AE8h ;/ |
r0 Initial CRC value (16bit, usually FFFFh) r1 Start Address (must be aligned by 2) r2 Length in bytes (must be aligned by 2) |
val[0..7] = C0C1h,C181h,C301h,C601h,CC01h,D801h,F001h,A001h
for i=start to end
crc=crc xor byte[i]
for j=0 to 7
crc=crc shr 1:if carry then crc=crc xor (val[j] shl (7-j))
next j
next i
|
r0 Calculated 16bit CRC Value |
r0 Index (0..3Fh) (must be in that range, otherwise returns garbage) |
r0 Index (0..2FFh) (must be in that range, otherwise returns garbage) |
r0 Index (0..2D3h) (must be in that range, otherwise returns garbage) |
r0 32bit value, to be written to POSTFLG, Port 4000300h |
| BIOS Multi Boot (Single Game Pak) |
r0 Pointer to MultiBootParam structure
r1 Transfer Mode (undocumented)
0=256KHz, 32bit, Normal mode (fast and stable)
1=115KHz, 16bit, MultiPlay mode (default, slow, up to three slaves)
2=2MHz, 32bit, Normal mode (fastest but maybe unstable)
Note: HLL-programmers that are using the MultiBoot(param_ptr) macro cannot
specify the transfer mode and will be forcefully using MultiPlay mode.
|
r0 0=okay, 1=failed |
Addr Size Name/Expl. 14h 1 handshake_data (entry used for normal mode only) 19h 3 client_data[1,2,3] 1Ch 1 palette_data 1Eh 1 client_bit (Bit 1-3 set if child 1-3 detected) 20h 4 boot_srcp (typically 8000000h+0C0h) 24h 4 boot_endp (typically 8000000h+0C0h+length) |
Times Send Receive Expl. -----------------------Required Transfer Initiation in master program ... 6200 FFFF Slave not in multiplay/normal mode yet 1 6200 0000 Slave entered correct mode now 15 6200 720x Repeat 15 times, if failed: delay 1/16s and restart 1 610y 720x Recognition okay, exchange master/slave info 60h xxxx NN0x Transfer C0h bytes header data in units of 16bits 1 6200 000x Transfer of header data completed 1 620y 720x Exchange master/slave info again ... 63pp 720x Wait until all slaves reply 73cc instead 720x 1 63pp 73cc Send palette_data and receive client_data[1-3] 1 64hh 73uu Send handshake_data for final transfer completion -----------------------Below is SWI 25h MultiBoot handler in BIOS DELAY - - Wait 1/16 seconds at master side 1 llll 73rr Send length information and receive random data[1-3] LEN yyyy nnnn Transfer main data block in units of 16 or 32 bits 1 0065 nnnn Transfer of main data block completed, request CRC ... 0065 0074 Wait until all slaves reply 0075 instead 0074 1 0065 0075 All slaves ready for CRC transfer 1 0066 0075 Signalize that transfer of CRC follows 1 zzzz zzzz Exchange CRC must be same for master and slaves -----------------------Optional Handshake (NOT part of master/slave BIOS) ... .... .... Exchange whatever custom data |
y client_bit, bit(s) 1-3 set if slave(s) 1-3 detected x bit 1,2,or 3 set if slave 1,2,or 3 xxxx header data, transferred in 16bit (!) units (even in 32bit normal mode) nn response value for header transfer, decreasing 60h..01h pp palette_data cc random client_data[1..3] from slave 1-3, FFh if slave not exists hh handshake_data, 11h+client_data[1]+client_data[2]+client_data[3] uu random data, not used, ignore this value |
llll download length/4-34h rr random data from each slave for encryption, FFh if slave not exists yyyy encoded data in 16bit (multiplay) or 32bit (normal mode) units nnnn response value, lower 16bit of destadr in GBA memory (00C0h and up) zzzz 16bit download CRC value, must be same for master and slaves |
if normal_mode then c=C387h:x=C37Bh:k=43202F2Fh
if multiplay_mode then c=FFF8h:x=A517h:k=6465646Fh
m=dword(pp,cc,cc,cc):f=dword(hh,rr,rr,rr)
for ptr=000000C0h to (file_size-4) step 4
c=c xor data[ptr]:for i=1 to 32:c=c shr 1:if carry then c=c xor x:next
m=(6F646573h*m)+1
send_32_or_2x16 (data[ptr] xor (-2000000h-ptr) xor m xor k)
next
c=c xor f:for i=1 to 32:c=c shr 1:if carry then c=c xor x:next
wait_all_units_ready_for_checksum:send_32_or_1x16 (c)
|
| BIOS Sound Functions |
r0 WaveData* wa r1 u8 mk r2 u8 fp |
r0 u32 |
r0 BIAS level (0=Level 000h, any other value=Level 200h) r1 Delay Count (NDS/DSi only) (GBA uses a fixed delay count of 8) |
r0 Pointer to work area for sound driver, SoundArea structure as follows:
SoundArea (sa) Structure
u32 ident Flag the system checks to see whether the
work area has been initialized and whether it
is currently being accessed.
vu8 DmaCount User access prohibited
u8 reverb Variable for applying reverb effects to direct sound
u16 d1 User access prohibited
void (*func)() User access prohibited
int intp User access prohibited
void* NoUse User access prohibited
SndCh vchn[MAX] The structure array for controlling the direct
sound channels (currently 8 channels are
available). The term "channel" here does
not refer to hardware channels, but rather to
virtual constructs inside the sound driver.
s8 pcmbuf[PCM_BF*2]
SoundChannel Structure
u8 sf The flag indicating the status of this channel.
When 0 sound is stopped.
To start sound, set other parameters and
then write 80h to here.
To stop sound, logical OR 40h for a
release-attached off (key-off), or write zero
for a pause. The use of other bits is
prohibited.
u8 r1 User access prohibited
u8 rv Sound volume output to right side
u8 lv Sound volume output to left side
u8 at The attack value of the envelope. When the
sound starts, the volume begins at zero and
increases every 1/60 second. When it
reaches 255, the process moves on to the
next decay value.
u8 de The decay value of the envelope. It is
multiplied by "this value/256" every 1/60
sec. and when sustain value is reached, the
process moves to the sustain condition.
u8 su The sustain value of the envelope. The
sound is sustained by this amount.
(Actually, multiplied by rv/256, lv/256 and
output left and right.)
u8 re The release value of the envelope. Key-off
(logical OR 40h in sf) to enter this state.
The value is multiplied by "this value/256"
every 1/60 sec. and when it reaches zero,
this channel is completely stopped.
u8 r2[4] User access prohibited
u32 fr The frequency of the produced sound.
Write the value obtained with the
MidiKey2Freq function here.
WaveData* wp Pointer to the sound's waveform data. The waveform
data can be generated automatically from the AIFF
file using the tool (aif2agb.exe), so users normally
do not need to create this themselves.
u32 r3[6] User access prohibited
u8 r4[4] User access prohibited
WaveData Structure
u16 type Indicates the data type. This is currently not used.
u16 stat At the present time, non-looped (1 shot) waveform
is 0000h and forward loop is 4000h.
u32 freq This value is used to calculate the frequency.
It is obtained using the following formula:
sampling rate x 2^((180-original MIDI key)/12)
u32 loop Loop pointer (start of loop)
u32 size Number of samples (end position)
s8 data[] The actual waveform data. Takes (number of samples+1)
bytes of 8bit signed linear uncompressed data. The last
byte is zero for a non-looped waveform, and the same
value as the loop pointer data for a looped waveform.
|
r0 Sound driver operation mode
Bit Expl.
0-6 Direct Sound Reverb value (0-127, default=0) (ignored if Bit7=0)
7 Direct Sound Reverb set (0=ignore, 1=apply reverb value)
8-11 Direct Sound Simultaneously-produced (1-12 channels, default 8)
12-15 Direct Sound Master volume (1-15, default 15)
16-19 Direct Sound Playback Frequency (1-12 = 5734,7884,10512,13379,
15768,18157,21024,26758,31536,36314,40137,42048, def 4=13379 Hz)
20-23 Final number of D/A converter bits (8-11 = 9-6bits, def. 9=8bits)
24-31 Not used.
|
r0 Destination address (must be aligned by 4) (120h bytes buffer) |
| BIOS SHA1 Functions (DSi only) |
[struct+00h] = 67452301h ;\ [struct+04h] = EFCDAB89h ; [struct+08h] = 98BADCFEh ; initial SHA1 checksum value [struct+0Ch] = 10325476h ; [struct+10h] = C3D2E1F0h ;/ [struct+14h] = 00000000h ;lsw ;\total len in bits, initially zero [struct+18h] = 00000000h ;msw ;/ [struct+1Ch] = uninitialzed ;-buffer for incomplete fragment (40h bytes) [struct+5Ch] = 00000000h ;-incomplete fragment size if [struct+60h] = 00000000h then [struct+60h] = SHA1_Default_Callback |
[struct+14h]=[struct+14h]+len*8 ;64bit value ;-raise total len in bits
if [struct+5Ch]<>0 and [struct+5Ch]+len>=40h ;\
for i=[struct+5Ch] to 3Fh ; merge old incomplete chunk
[struct+1Ch+i]=[src], src=src+1, len=len-1; with new data and process it
SHA1_Callback(struct,struct+1Ch,40h) ; (if it gives a full chunk)
[struct+5Ch]=0 ;/
if len>=40h then ;\process full 40h-byte chunks
SHA1_Callback(struct,src,len AND NOT 3Fh) ; (if src isn't 4-byte aligned
src=src+(len AND NOT 3Fh) ; then the DSi BIOS internally
len=len AND 3Fh ;/copies all chunks to struct)
if len>0 then ;\
for i=[struct+5Ch] to [struct+5Ch]+len-1 ; memorize remaining bytes
[struct+1Ch+i]=[src], src=src+1, len=len-1; as incomplete chunk
[struct+5Ch]=[struct+5Ch]+1 ;/
|
[total_len]=bswap8byte([struct+14h]) ;get total len in bits in big-endian SHA1_Update(struct,value_80h,1) ;append end byte while [struct+5Ch]<>38h do SHA1_Update(struct,value_00h,1) ;append padding SHA1_Update(struct,total_len,8) ;append 64bit len [struct+14h]=bswap8byte([total_len]) ;restore total len, exclude above update [dst+00h]=bswap([struct+00h] ;msw ;\ [dst+04h]=bswap([struct+04h] ; store SHA1 result at dst [dst+08h]=bswap([struct+08h] ; (in big-endian) [dst+0Ch]=bswap([struct+0Ch] ; [dst+10h]=bswap([struct+10h] ;lsw ;/ |
for j=1 to len/40h
a=[struct+0], b=[struct+4], c=[struct+8], d=[struct+0Ch], e=[struct+10h]
for i=0 to 79
if i=0..15 then w[i] = bswap([src]), src=src+4
if i=16..79 then w[i] = (w[i-3] xor w[i-8] xor w[i-14] xor w[i-16]) rol 1
if i=0..19 then f=5A827999h + e + (d xor (b and (c xor d)))
if i=20..39 then f=6ED9EBA1h + e + (b xor c xor d)
if i=40..59 then f=8F1BBCDCh + e + ((b and c) or (d and (b or c)))
if i=60..79 then f=CA62C1D6h + e + (b xor c xor d)
e=d, d=c, c=(b ror 2), b=a, a=f + (a rol 5) + w[i]
[struct+0]=[struct+0]+a, [struct+4]=[struct+4]+b, [struct+8]=[struct+8]+c
[struct+0Ch]=[struct+0Ch]+d, [struct+10h]=[struct+10h]+e
|
[struct+60h]=00000000h ;want Init to install the default SHA1 callback SHA1_Init(struct) SHA1_Update(struct,src,srclen) SHA1_Finish(dst,struct) |
if dst=0 then exit(r0=1) ;uh, that's same return value as when okay if src=0 and srclen<>0 then exit(r0=0) [struct+60h]=00000000h ;\ SHA1_Init(struct) ; first compute normal SHA1 SHA1_Update(struct,src,srclen) ; (same as SHA1_Init_Update_Finish) SHA1_Finish(first_sha1,struct) ;/ @@lop1: i=13h ;start with LSB of big-endian 20-byte value ;\increment SHA1 value @@lop2: ; by one (with somewhat [first_sha1+i]=[first_sha1+i]+1, i=i-1 ; uncommon/bugged carry- if i>=0 and [first_sha1+i+1]=01h then goto @@lop2 ;/out to higher bytes) SHA1_Update(struct,first_sha1,14h) ;\compute 2nd SHA1 across 1st SHA1, SHA1_Finish(second_sha1,struct) ;/done without re-initializing struct for i=0 to min(14h,dstlen)-1, [dst]=[second_sha1+i], dst=dst+1 dstlen=dstlen-min(14h,dstlen) if dstlen<>0 then goto @@lop1 else exit(r0=1) |
if len(key)>40h then key=SHA1(key) ;convert LONG keys to 14h-bytes length if len(key)<40h then zero-pad key to 40h-bytes length for i=0 to 3Fh, [inner_key+i]=[key+i] xor 36h ;\ [struct+60h]=00000000h ; SHA1_Init(struct) ; compute 1st SHA1 SHA1_Update(struct,inner_key,40h) ; across inner key and data SHA1_Update(struct,src,srclen) ; SHA1_Finish(first_sha1,struct) ;/ for i=0 to 3Fh, [outer_key+i]=[key+i] xor 5Ch ;\ [struct+60h]=00000000h ; SHA1_Init(struct) ; compute final SHA1 SHA1_Update(struct,outer_key,40h) ; across outer key and 1st SHA1 SHA1_Update(struct,first_sha1,14h) ; SHA1_Finish(dst,struct) ;/ |
| BIOS RSA Functions (DSi only) |
[heap_nfo+0] = heap_start (rounded-up to 4-byte boundary) [heap_nfo+4] = heap_end (start+size, rounded-down to 4-byte boundary) [heap_nfo+8] = heap_size (matched to above rounded values) |
[ptr_nfo+0] = dst (usually 7Fh bytes, max 80h bytes) [ptr_nfo+4] = src (80h bytes) [ptr_nfo+8] = key (80h bytes) |
00h 1 Leading zero (00h) ;\ 01h 1 Block type (01h) ; padding 02h 5Ah Padding Bytes (FFh-filled) ; 5Ch 1 Padding End (00h) ;/ 5Dh 2 30h,junk(1) (30h,21h) ;-whatever 5Fh 2 30h,junk(1) (30h,09h) ;-whatever 61h 7 06h,len,junk(len) (06h,05h, 2Bh,0Eh,03h,02h,1Ah) ;-OID for SHA1 68h 2 05h,junk(1) (05h,00h) ;-whatver 6Ah 16h 04h,len,sha1(len) (04h,14h, sha1[14h bytes]) ;-SHA1 |
00h 1 "00" Leading zero (00h) 01h 1 "BT" Block type (always 01h on DSi) 02h 8+n "PS" Padding (FFh-filled, min 8 bytes, usually 69h bytes on DSi) 0Ah+n 1 "00" Padding end (00h) 0Bh+n 75h-n "D" Data (max 75h bytes, usually a 14h-byte SHA1 value on DSi) |
TWL_FIRM (F1,F5,1A,FF..) eMMC Boot Info (same key for retail+debug) BIOS:FFFF87F4h (C3,02,93,DE..) Key0: System Menu (Launcher) of Retail version BIOS:FFFF8874h (B6,18,D8,61..) Key1: System Fun Tools and Wifi Firmware BIOS:FFFF88F4h (DA,94,09,01..) Key2: System Base Tools (Settings, Shop) BIOS:FFFF8974h (95,6F,79,0D..) Key3: DSiWare and DSi ROM Cartridges BIOS:FFFF89F4h (D4,30,E3,7D..) Key4: Unknown ;\probably more/unused RSA keys BIOS:FFFF8A74h (BD,29,02,38..) Key5: Unknown ; (DSi only) BIOS:FFFF8AF4h (CF,8A,4B,15..) Key6: Unknown ; (doesn't exist on 3DS) BIOS:FFFF8B74h (A3,BC,C1,7C..) Key7: Unknown ;/ BIOS:FFFF9920h (30,33,26,D5..) Unknown (probably NOT a RSA key) Launcher (BA,F1,98,A4..) HWINFO_S.dat (with RSA-SHA1-HMAC) Launcher (9F,80,BC,5F..) Version Data and TWLFontTable.dat Launcher (C7,F4,1D,27..) DS Cart Whitelist (missing RSA in v1.4E) Launcher+NDS (9E,C1,CC,C0..) For wifi-booted NDS titles (DsDownloadPlay) Flipnote (C2,3C,BC,13..) Public key for Flipnote .ppm files Unknown (?) HWID.sgn Unknown (?) Newer NDS ROM Cartridges (have RSA, too?) DSi Shop (9D,69,36,28..) Unknown, seems to be RSA (100h bytes) Launcher (F8,24,6C,58..) Root key for cert.sys CA00000001(200h bytes) cert.sys (B2,79,C9,E2..) CA00000001 key for cert.sys keys(100h bytes) cert.sys (93,BC,0D,1F..) CP00000007 key for tmd's (100h bytes) cert.sys (AD,07,A9,37..) XS00000003 key for shop-tickets (100h bytes) cert.sys (92,FF,96,40..) XS00000006 key for free-tickets (100h bytes) cert.sys (01,93,6D,08..) MS00000008 key for dev.kp (ECC, non-RSA) dev.kp (per-console) TWxxxxxxxx... key for tad files (ECC, non-RSA) *.bin (random?) AP00030015484e42gg in tad files (ECC, non-RSA) Launcher+Boot (BC,FD,A1,FF..) Debug0: System Menu (Launcher, Debug version) Launcher (E9,9E,A7,9F..) Debug1: Launcher (A7,9F,54,A0..) Debug2: Launcher (AC,93,BB,3C..) Debug3: Public key for Debug DSiware/ROMs Debug Updater (E5,1C,BF,C7..) Debug Public key for HWInfo Debug Updater (C8,4B,38,2C..) Debug Public key for HWID.sgn (100h bytes) Launcher (D0,1F,E1,00..) Debug Root key for CA00000002 key(200h bytes) debug cert.sys (...) Debug CA00000002 key for cert.sys(100h bytes) debug cert.sys (...) Debug CP00000005 key for ...? (100h bytes) debug cert.sys (...) Debug CP00000007 key for ... (100h bytes) debug cert.sys (...) Debug XS00000006 key for ... (100h bytes) verdata (...) Public keys in Version Data file? Unknown (?) further keys...? |
Flipnote (26,A7,53,7E..) Private key for Flipnote .ppm files dev.kp (per-console) TWxxxxxxxx... key for tad files (ECC, non-RSA) (temp/unsaved?)(random?) AP00030015484e42gg tad files (ECC, non-RSA) verdata (...) Private keys in Version Data file? Debug Updater (77,FC,77,9E..) Private key for Debug HWID.sgn (100h bytes) Debug Updater (B5,7C,C2,85..) Private key for Debug HWInfo Debug SDK (95,DC,C8,18..) Private key for Debug DSiware/ROMs (Debug3) Unknown (?) further keys...? |
| BIOS RSA Basics |
Public Key formula: dest = src^10001h mod pubkey Private Key formula: dest = src^prvkey mod pubkey |
Recipient's Public Key --> Encrypt a message Recipient's Private Key --> Decrypt a message |
Sender's Private Key --> Encrypt/create a signature Sender's Public Key --> Decrypt/verify a signature |
00h 1 "00" Leading zero (00h) 01h 1 "BT" Block type (always 01h on DSi) 02h 8+n "PS" Padding (FFh-filled, min 8 bytes, usually 69h bytes on DSi) 0Ah+n 1 "00" Padding end (00h) 0Bh+n 75h-n "D" Data (max 75h bytes, usually a 14h-byte SHA1 value on DSi) |
pubkey = P * Q |
| BIOS RSA Pseudo Code |
base(rsa__number_size), bigbuf(rsa_number_size*2)
[base]=[src], [dst]=1, pow8bit=01h ;-init base, result, powbit
for i=1 to num_exp_bits
if [exp] AND pow8bit then rsa_mpi_mul_mod(dst,base) ;-mul result
rsa_mpi_mul_mod(base,base) ;-square base
pow8bit=pow8bit ROL 1, exp=exp+carry ;-next exp bit
next i
return
|
For the Private Key formula: Use exp=prvkey, num_exp_bits=rsa_number_size*8 For the Public Key formula: Use exp=ptr_to_10001h, num_exp_bits=17 |
rsa_mpi_mul(bigbuf,dst,src) ;-multiply rsa_mpi_mod(bigbuf,pubkey) ;-modulus [dst]=[bigbuf+0..rsa_number_size-1] ;-copy to dst return |
[dst+0]=0, oldmsw=0 ;-init first word and oldmsw
for i=0 to rsa_number_size-4 step 4 ;\
call @@inner_loop ; compute LSWs of destination
src2=src2+4 ;
next i ;/
src2=src2-4
for i=rsa_number_size-8 to 0 step -4 ;\
src1=src1+4 ; compute MSWs of destination
call @@inner_loop ;
next i ;/
return
;---
@@inner_loop:
[dst+4]=oldmsw, oldmsw=0
for j=0 to i step 4
msw:lsw = [src1+j]*[src2-j]
[dst+0]=[dst+0]+lsw
[dst+4]=[dst+4]+msw+cy
oldmsw=oldmsw+cy
next j
dst=dst+4
ret
|
ebx=rsa_number_size, dst=dst+ebx, i=ebx+4 @@type0_lop: ;\ if [dst+ebx-4]=0 then goto @@type0_next ; rsa_mpi_cmp(dst,src), if borrow then goto @@type1_next ; type0 rsa_mpi_sub(dst,src), if [dst+ebx-4]<>0 then goto @@type1_next ; loop @@type0_next: ; dst=dst-4, i=i-4, if i>0 then goto @@type0_lop ;/ goto @@done ;--- --- --- @@type1_lop: ;\ lsw=[dst+ebx-4], msw=[dst+ebx-0] ; if msw>=[src+ebx-4] then fac=FFFFFFFFh else fac=msw:lsw / [src+ebx-4] ; rsa_mpi_mulsub(dst,src,fac), if carry=0 then goto @@skip_add ; type1 @@add_more: ; loop rsa_mpi_add(dst,src) ; [dst+ebx]=[dst+ebx]+carry, if carry=0 then goto @@add_more ; @@skip_add: ; if [dst+ebx-4]=0 then goto @@type0_next ; @@type1_next: ; dst=dst-4, i=i-4, if i>0 then goto @@type1_lop ;/ @@done: return |
oldborrow=0, oldmsw=0 ;\
for i=0 to rsa_number_size-4 step 4 ; process
msw:lsw = [src+i]*fac, lsw=lsw+oldmsw, oldmsw=msw+carry ; rsa_number_size
[dst+i]=[dst+i]-lsw-oldborrow, oldborrow=borrow ; bytes, plus...
next i ;/
[dst+rsa_number_size]=[dst+rsa_number_size]-oldmsw-oldborrow ;-one extra word
return borrow ;(unlike "rsa_embedded" which returns INVERTED borrow)
|
carry = 0
for i=0 to rsa_number_size-4 step 4
[dst+i]=[dst+i]+[src+i]+carry
next i
return carry
|
borrow = 0
for i=0 to rsa_number_size-4 step 4
[dst+i]=[dst+i]-[src+i]-borrow
next i
return borrow
|
for i=rsa_number_size-4 to 0 step -4
temp=[dst+i]-[src+i], if not equal then return borrow
next i
return borrow
|
| BIOS RAM Usage |
3000000h 7F00h User Memory and User Stack (sp_usr=3007F00h) 3007F00h A0h Default Interrupt Stack (6 words/time) (sp_irq=3007FA0h) 3007FA0h 40h Default Supervisor Stack (4 words/time) (sp_svc=3007FE0h) 3007FE0h 10h Debug Exception Stack (4 words/time) (sp_xxx=3007FF0h) 3007FF0h 4 Pointer to Sound Buffer (for SWI Sound functions) 3007FF4h 3 Reserved (unused) 3007FF7h 1 Reserved (intro/nintendo logo related) 3007FF8h 2 IRQ IF Check Flags (for SWI IntrWait/VBlankIntrWait functions) 3007FFAh 1 Soft Reset Re-entry Flag (for SWI SoftReset function) 3007FFBh 1 Reserved (intro/multiboot slave related) 3007FFCh 4 Pointer to user IRQ handler (to 32bit ARM code) |
2000000h ... ARM7 and ARM9 bootcode can be loaded here (2000000h..23BFDFFh)
2400000h ... Debug bootcode can be loaded here (2400000h..27BFDFFh)
23FEE00h 168h Fragments of NDS9 firmware boot code
27FF800h 4 NDS Gamecart Chip ID 1
27FF804h 4 NDS Gamecart Chip ID 2
27FF808h 2 NDS Cart Header CRC (verified) ;hdr[15Eh]
27FF80Ah 2 NDS Cart Secure Area CRC (not verified ?) ;hdr[06Ch]
27FF80Ch 2 NDS Cart Missing/Bad CRC (0=Okay, 1=Missing/Bad)
27FF80Eh 2 NDS Cart Secure Area Bad (0=Okay, 1=Bad)
27FF810h 2 Boot handler task number (usually FFFFh at cart boot time)
27FF812h 2 Secure disable (0=Normal, 1=Disable; Cart[078h]=BIOS[1088h])
27FF814h 2 SIO Debug Connection Exists (0=No, 1=Yes)
27FF816h 2 RTC Status? (0=Okay, 1=Bad)
27FF818h 1 Random RTC ;random LSB from SIO debug detect handshake
27FF819h 37h Zerofilled by firmware
27FF850h 2 NDS7 BIOS CRC (5835h)
27FF860h 4 Somewhat copy of Cart[038h], nds7 ram addr (?)
27FF864h 4 Wifi FLASH User Settings Bad (0=Okay, 1=Bad)
27FF868h 4 Wifi FLASH User Settings FLASH Address (fmw[20h]*8)
maybe recommended to use above RAM cell instead FLASH entry?
27FF86Ch 4 Whatever (seems to be zero at cart boot time)
27FF870h 4 Whatever (seems to be zero at cart boot time)
27FF874h 2 Wifi FLASH firmware part5 crc16 (359Ah) (fmw[026h])
27FF876h 2 Wifi FLASH firmware part3/part4 crc16 (fmw[004h] or ZERO)
Above is usually ZERO at cart boot (set to fmw[004h] only
when running pictochat, or maybe also when changing user
settings)
27FF878h 08h Not used
27FF880h 4 Message from NDS9 to NDS7 (=7 at cart boot time)
27FF884h 4 NDS7 Boot Task (also checked by NDS9) (=6 at cart boot time)
27FF888h .. Whatever (seems to be zero at cart boot time)
27FF890h 4 Somewhat boot flags (somewhat B0002A22h)
bit10 part3/part4 loaded/decoded (bit3 set if bad crc)
bit28 part5 loaded/decoded with good crc
27FF894h 36Ch Not used (zero)
27FFC00h 4 NDS Gamecart Chip ID 1 (copy of 27FF800h)
27FFC04h 4 NDS Gamecart Chip ID 2 (copy of 27FF804h)
27FFC08h 2 NDS Cart Header CRC (copy of 27FF808h)
27FFC0Ah 2 NDS Cart Secure Area CRC (copy of 27FF80Ah)
27FFC0Ch 2 NDS Cart Missing/Bad CRC (copy of 27FF80Ch)
27FFC0Eh 2 NDS Cart Secure Area Bad (copy of 27FF80Eh)
27FFC10h 2 NDS7 BIOS CRC (5835h) (copy of <27FF850h>)
27FFC12h 2 Secure Disable (copy of 27FF812h)
27FFC14h 2 SIO Debug Exist (copy of 27FF814h)
27FFC16h 1 RTC Status? (<8bit> copy of 27FF816h)
27FFC17h 1 Random 8bit (copy of <27FF818h>)
27FFC18h 18h Not used (zero)
27FFC30h 2 GBA Cartridge Header[BEh], Reserved
27FFC32h 3 GBA Cartridge Header[B5h..B7h], Reserved
27FFC35h 1 Whatever flags ?
27FFC36h 2 GBA Cartridge Header[B0h], Maker Code
27FFC38h 4 GBA Cartridge Header[ACh], Gamecode
27FFC3Ch 4 Frame Counter (eg. 00000332h in no$gba with original firmware)
27FFC40h 2 Boot Indicator (0001h=normal; required for some NDS games)
27FFC42h 3Eh Not used (zero)
27FFC80h 70h Wifi FLASH User Settings (fmw[newest_user_settings])
27FFCF0h 10h Not used (zero)
27FFDxxh .. NDS9 Debug Exception Stack (stacktop=27FFD9Ch)
27FFD9Ch 4 NDS9 Debug Exception Vector (0=None)
27FFDA0h .. ...
27FFE00h 170h NDS Cart Header at 27FFE00h+0..16Fh
27FFF70h .. Not used (zerofilled at cart boot time)
27FFFF8h 2 NDS9 Scratch addr for SWI IsDebugger check
27FFFFAh 2 NDS7 Scratch addr for SWI IsDebugger check
27FFFFCh .. ...
27FFFFEh 2 Main Memory Control (on-chip power-down I/O port)
DTCM+3FF8h 4 NDS9 IRQ IF Check Bits (hardcoded RAM address)
DTCM+3FFCh 4 NDS9 IRQ Handler (hardcoded RAM address)
37F8000h FE00h ARM7 bootcode can be loaded here (37F8000h..3807DFFh)
380F700h 1D4h Fragments of NDS7 firmware boot code
380F980h 4 Unknown/garbage (set to FBDD37BBh, purpose unknown)
NOTE: Cooking Coach is doing similar crap at 37FCF1Ch ?!?!
380FFC0h 4 DSi7 IRQ IF2 Check Bits (hardcoded RAM address) (DSi only)
380FFDCh .. NDS7 Debug Stacktop / Debug Vector (0=None)
380FFF8h 4 NDS7 IRQ IF Check Bits (hardcoded RAM address)
380FFFCh 4 NDS7 IRQ Handler (hardcoded RAM address)
---
summary of nds memory used at cartridge boot time:
(all other memory zero-filled unless containing cartridge data)
37F8000h..3807E00h ;cartridge area (nds7 only)
2000000h..23BFE00h ;cartridge area (nds9 and nds7)
2400000h..27BFE00h ;cartridge area (debug ver)
23FEE00h..23FEF68h ;fragments of NDS9 firmware boot code
27FF800h..27FF85Fh ;various values (from BIOS boot code)
27FF860h..27FF893h ;various values (from Firmware boot code)
27FFC00h..27FFC41h ;various values (from Firmware boot code)
27FFC80h..27FFCE6h ;firmware user settings
27FFE00h..27FFF6Fh ;cart header
380F700h..380F8D4h ;fragments of NDS7 firmware boot code
380F980h ;set to FBDD37BBh
---
register settings at cartridge boot time:
nds9 r0..r11 = zero
nds9 r12,r14,r15 = entrypoint
nds9 r13 = 3002F7Ch (!)
nds9 r13_irq = 3003F80h
nds9 r13_svc = 3003FC0h
nds9 r14/spsr_irq= zero
nds9 r14/spsr_svc= zero
---
nds7 r0..r11 = zero
nds7 r12,r14,r15 = entrypoint
nds7 r13 = 380FD80h
nds7 r13_irq = 380FF80h
nds7 r13_svc = 380FFC0h
nds7 r14/spsr_irq= zero
nds7 r14/spsr_svc= zero
---
Observe that SWI SoftReset applies different stack pointers:
Host sp_svc sp_irq sp_sys zerofilled area return address
NDS7 380FFDCh 380FFB0h 380FF00h [380FE00h..380FFFFh] Addr[27FFE34h]
NDS9 0803FC0h 0803FA0h 0803EC0h [DTCM+3E00h..3FFFh] Addr[27FFE24h]
|
2000000h 8 AutoParam Old Title ID (former title) ;carthdr[230h]
2000008h 1 AutoParam Unknown/Unused
2000009h 1 AutoParam Flags (03h=Stuff is used?)
200000Ah 2 AutoParam Old Maker code ;carthdr[010h]
200000Ch 2 AutoParam Unknown (02ECh) ;\counter/length/indices/whatever?
200000Eh 2 AutoParam Unknown (0000h) ;/
2000010h 2 AutoParam CRC16 on [000h..2FFh], initial=FFFFh, [010h]=0000h
2000012h 2 AutoParam Unknown/Unused (000Fh = want Internet Settings?)
2000014h 2ECh AutoParam Unknown... some buffer... string maybe?
2000300h 4 AutoLoad ID ("TLNC") (also requires BPTWL[70h]=01h)
2000304h 1 AutoLoad Unknown/unused (usually 01h)
2000305h 1 AutoLoad Leng of data at 2000308h (01h..18h,for CRC,18h=norm)
2000306h 2 AutoLoad CRC16 of data at 2000308h (with initial value FFFFh)
2000308h 8 AutoLoad Old Title ID (former title) (can be 0=anonymous)
2000310h 8 AutoLoad New Title ID (new title to be started, 0=none)
2000318h 4 AutoLoad Flags (bit0,1-3,4,5,6,7) ;usually 16bit, once 32bit
200031Ch 4 AutoLoad Unused (but within checksummed area when CRC len=18h)
2000320h E0h AutoLoad Unused (but zerofilled upon erasing autoload area)
2000400h 128h System Settings from TWLCFGn.dat file (bytes 088h..1AFh)
20005E0h 1 WlFirm Type (1=DWM-W015, 2=DWM-W024) (as wifi_flash[1FDh])
20005E1h 1 WlFirm Unknown (zero)
20005E2h 2 WlFirm CRC16 with initial value FFFFh on [20005E4h..20005EFh]
20005E4h 4 WlFirm RAM vars (500400h) ;\
20005E8h 4 WlFirm RAM base (500000h) ; as from "Wifi Firmware" file
20005ECh 4 WlFirm RAM size (02E000h) ;/
20005F0h 10h WlFirm Unknown (zero)
2000600h 14h Hexvalues from HWINFO_N.dat
2000800h ... Unlaunch Auto-load feature (via "device:/Path/Filename.ext")
23FEE00h 200h DSi9 bootstrap relict
---
2FEE120h 4 "nand" <--- passed as so to launcher
2FF80xxh
2FF82xxh
2FF83xxh
2FF89xxh
2FF8Axxh
2FF8Bxxh
2FF8Cxxh
2FF8Dxxh ... Wifi MAC address, channel mask, etc.
2FF8Fxxh
2FF90xxh
2FF91xxh
2FF9208h FBDD37BBh (that odd "garbage" value occurs also on NDS)
2FFA1xxh
2FFA2xxh
2FFA5xxh
2FFA6xxh
2FFA680h 12 02FD4D80h,00000000h,00001980h
2FFA68Ch .. Zerofilled
---
2FFC000h 1000h Full Cart Header (as at 2FFE000h, but, FOR NDS ROM CARTRIDGE)
2FFD000h 7B0h Zerofilled
2FFD7B0h 8+1 Version Data Filename (eg. 30,30,30,30,30,30,30,34,00)
2FFD7B9h 1 Version Data Region (eg. 50h="P"=Europe)
2FFD7BAh 1 Unknown (00) ;bit0 = warmboot-flag-related
2FFD7BBh 1 Unknown (00)
2FFD7BCh 15+1 eMMC CID (dd,ss,ss,ss,ss,03,4D,30,30,46,50,41,00,00,15), 00
2FFD7CCh 15+1 eMMC CSD (40,40,96,E9,7F,DB,F6,DF,01,59,0F,2A,01,26,90), 00
2FFD7DCh 4 eMMC OCR (80,80,FF,80) ;20h
2FFD7E0h 8 eMMC SCR (00,04,00,00,00,00,00,00) (for MMC: dummy/4bit);24h
2FFD7E8h 2 eMMC RCA (01,00) ;2Ch
2FFD7EAh 2 eMMC Typ (01,00) (0=SD Card, 1=MMC Card) ;2Eh
2FFD7ECh 2 eMMC HCS (00,00) ;copy of OCR.bit30 (sector addressing) ;30h
2FFD7EEh 2 eMMC ? (00,00) ;32h
2FFD7F0h 4 eMMC ? (00,00,00,00) ;34h
2FFD7F4h 4 eMMC CSR (00,09,00,00) ;card status (state=tran) ;38h
2FFD7F8h 2 eMMC Port 4004824h setting (00,01) ;SD_CARD_CLK_CTL ;3Ch
2FFD7FAh 2 eMMC Port 4004828h setting (E0,40) ;SD_CARD_OPTION ;3Eh
2FFD7FCh 2 eMMC ? (00,00) ;40h
2FFD7FEh 2 eMMC Device (usually 0001h=eMMC) (0000h=SD/MMC Slot?) ;42h
2FFD800h 1 Titles: Number of titles in below lists (max 76h)
2FFD801h 0Fh Titles: Zerofilled
2FFD810h 10h Titles: Pub Flags (1bit each) ;same maker plus public.sav
2FFD820h 10h Titles: Prv Flags (1bit each) ;same maker plus private.sav
2FFD830h 10h Titles: Jmp Flags (1bit each) ;jumpable or current-title
2FFD840h 10h Titles: Mkr Flags (1bit each) ;same maker
2FFD850h 3B0h Titles: Title IDs (8 bytes each)
2FFDC00h 400h Zerofilled
2FFE000h 1000h DSi Full Cart Header (additionally to short headers)
2FFF000h 0Ch Zerofilled
2FFF00Ch 4 ? 0000007Fh
2FFF010h 4 ? 550E25B8h
2FFF014h 4 ? 02FF4000h
2FFF018h A68h Zerofilled
2FFFA80h 160h Short Cart header (as at 2FFFE00h, but, FOR NDS ROM CARTRIDGE)
2FFFBE0h 20h Zerofilled
|
2FFFC00h 4 NDS Gamecart Chip ID 2FFFC04h 20h Zerofilled 2FFFC24h 5 ? (04 00 73 01 03) 2FFFC29h 7 Zerofilled 2FFFC30h 12 GBA Cartridge Header (FF FF FF FF FF 00 FF FF FF FF FF FF) 2FFFC3Ch 4 Frame Counter maybe? (eg. 1F 01 00 00 in cooking coach) 2FFFC40h 2 Boot Indicator (1=ROM Cartridge,2=Wifi/tmp?,3=SD/MMC DSiware) 2FFFC42h 3Eh Not used (zero) 2FFFC80h 70h Wifi FLASH User Settings (fmw[newest_user_settings]) 2FFFCF0h 4 ? (3D 00 01 6E) (update counter and crc16 ?) 2FFFCF4h 6 Wifi MAC Address (00 23 CC xx xx xx) (fmw[036h]) 2FFFCFAh 2 Wifi Channels (usually 1041h = ch1+7+13) (based on fmw[03Ch]) 2FFFCFCh 4 Zero 2FFFD00h 68h Zerofilled 2FFFD68h 4 Bitmask for Supported Languages (3Eh for Europe);\ 2FFFD6Ch 4 Unknown (00,00,00,00) ; from 2FFFD70h 1 Console Region (0=JP,1=US,2=EU,3=AU,4=CHN,5=KOR); HWINFO_S.dat 2FFFD71h 12 Serial/Barcode (ASCII, 11-12 characters) ; 2FFFD7Dh 3 ? (00 00 3C) ;/ 2FFFD80h 0Ch Zerofilled 2FFFD8Ch 10h ARM9 debug exception stack (stacktop 2FFFD9Ch) 2FFFD9Ch 4 ARM9 debug exception vector (020D3E64h) 2FFFDA0h 4 02F80000h ;\ 2FFFDA4h 4 02FFA674h ; 2FFFDA8h 4 00000000h zero ; start addresses? 2FFFDACh 4 01FF86E0h itcm? ; 2FFFDB0h 4 027C00C0h ; 2FFFDB4h 4 02FFF000h ; 2FFFDB8h 4 03040000h wram? ; 2FFFDBCh 4 03800000h wram? ; 2FFFDC0h 4 0380C3B4h wram? ;/ 2FFFDC4h 4 02F80000h ;\ 2FFFDC8h 4 02FFC000h ptr to DSi Full Cart Header ; 2FFFDCCh 4 00000000h zero ; end addresses? 2FFFDD0h 4 02000000h ram bottom? ; (for above nine 2FFFDD4h 4 027C0780h ; start addresses) 2FFFDD8h 4 02FFF680h ; 2FFFDDCh 4 03040000h wram? ; 2FFFDE0h 4 03800000h wram? ; 2FFFDE4h 4 0380F780h wram? ;/ 2FFFDE8h 4 RTC Date at Boot (BCD) (yy,mm,dd,XX) (XX=maybe day-of-week?) 2FFFDECh 4 RTC Time at Boot (BCD) (hh,ss,mm,0) (hh.bit6=maybe PM or 24h?) 2FFFDF0h 4 Initial ARM7 Port 4004008h bits (13FBFB06h) (SCFG_EXT) 2FFFDF4h 1 Initial ARM7 Port 40040xxh bits (C4h) (SCFG_xxx) 2FFFDF5h 1 Initial ARM7 Port 400400xh bits (F0h) (SCFG_xxx) 2FFFDF6h 2+2 Zerofilled 2FFFDFAh 1 Warmboot Flag (bptwl[70h] OR 80h, ie. 80h=cold or 81h=warm) 2FFFDFBh 1 01h 2FFFDFCh 4 Pointer to TWLCFGn.dat (usually 2000400h) (or 0=2000400h) 2FFFE00h 160h Short Cart header (unlike NDS, only 160h, not 170h) 2FFFF60h A0h Zerofilled 37FA414h "nand:/title/....app" <-- [1D4h]+3C0h (without Device List!) 380C400h 22E4h BIOS Keys (as from Boot Stage 1, see there) 380F010h 10h AES key for dev.kp (E5,CC,5A,8B,...) (optional/for launcher) 380F600h 200h DSi7 bootstrap relict (at 3FFF600h aka mirrored to 380F600h) 380FFC0h 4 DSi7 IRQ IF2 Check Bits (hardcoded RAM address) (DSi only) 380FFC4h 4 DSi7 SCFG_EXT setting 380FFC8h 2 DSi7 SCFG_misc bits 380FFDCh .. DSi7 Debug Stacktop / Debug Vector (0=None) 380FFF8h 4 DSi7 IRQ IF Check Bits (hardcoded RAM address) 380FFFCh 4 DSi7 IRQ Handler (hardcoded RAM address) xxxxxxxh ? ARM7i and ARM9 bootcode can be loaded WHERE and WHERE? cart_header[1D4h] 400h SD/MMC Device List ARM7 RAM; initialized by firmware |
1FFC400h 400h BIOS Keys from FFFF87F4h (C3 02 93 DE ..) RSA keys (8x80h)
1FFC800h 80h BIOS Keys from FFFF9920h (30 33 26 D5 ..) Whatever
1FFC880h 14h Whatever, should/may be zerofilled?
1FFC894h 1048h BIOS Keys from FFFF99A0h (99 D5 20 5F ..) Blowfish/NDS-mode
1FFD8DCh 1048h BIOS Keys from FFFFA9E8h (D8 18 FA BF ..) Blowfish/unused?
3FFC400h 200h BIOS Keys from 00008188h (CA 13 31 79 ..) Whatever, 32x10h AES?
3FFC600h 40h BIOS Keys from 0000B5D8h (AF 1B F5 16 ..) Whatever, AES?
3FFC640h 14h Whatever, must be zerofilled
3FFC654h 1048h BIOS Keys from 0000C6D0h (59 AA 56 8E ..) Blowfish/DSi-mode
3FFD69Ch 1048h BIOS Keys from 0000D718h (54 86 13 3B ..) Blowfish/unused?
3FFE6E4h 44h eMMC Info (to be relocated to 2FFD7BCh, see there for details)
4004450h 8 AES Key0.X ("Nintendo") for modcrypt
4004480h 10h AES Key1.X (CPU/Console ID and constants) for dev.kp and Tad
40044B0h 10h AES Key2.X ("Nintendo DS",...) for Tad
40044E0h 1Ch AES Key3.X/Y (CPU/Console ID and constants) for eMMC
2000000h ... Warmboot Param (optional, passed on to New Title)
2000300h 20h Warmboot Info (optional, passed on to Launcher)
|
| BIOS Dumping |
GBA BIOS 16K (fully dumpable) NDS7 BIOS 16K (fully dumpable) NDS9 BIOS 4K (fully dumpable) DSi7 BIOS 64K (about 41K dumpable) DSi9 BIOS 64K (about 41K dumpable) DSiWifi BIOS 80K on older DSi (fully dumpable) DSiWifi BIOS Unknown size on newer DSi (probably fully dumpable) 3DSWifi BIOS Unknown size on 3DS (probably fully dumpable) |
ROM:00000000h EA000006 b 20h ;dsi7_reset_vector ROM:00000004h EA000006 b 24h ;dsi7_undef_handler ROM:00000008h EA00001F b 8Ch ;dsi7_swi_handler ROM:0000000Ch EA000004 b 24h ;dsi7_prefetch_abort_handler ROM:00000010h EA000003 b 24h ;dsi7_data_abort_handler ROM:00000014h EAFFFFFE b 14h ;reserved_vector ROM:00000018h EA000013 b 6Ch ;dsi7_irq_handler ROM:0000001Ch EA000000 b 24h ;dsi7_fiq_handler |
ROM:FFFF87F4h / TCM:1FFC400h (400h) (C3 02 93 DE ..) RSA keys (8x80h) ROM:FFFF9920h / TCM:1FFC800h (80h) (30 33 26 D5 ..) Whatever ROM:FFFF99A0h / TCM:1FFC894h (1048h) (99 D5 20 5F ..) Blowfish/NDS-mode ROM:FFFFA9E8h / TCM:1FFD8DCh (1048h) (D8 18 FA BF ..) Blowfish/unused? ROM:00008188h / RAM:3FFC400h (200h) (CA 13 31 79 ..) Whatever, 32x10h AES? ROM:0000B5D8h / RAM:3FFC600h (40h) (AF 1B F5 16 ..) Whatever, "common key"? ROM:0000C6D0h / RAM:3FFC654h (1048h) (59 AA 56 8E ..) Blowfish/DSi-mode ROM:0000D718h / RAM:3FFD69Ch (1048h) (54 86 13 3B ..) Blowfish/unused? |
ROM:FFFF87F4h / 3DS:01FFD000h 200h RSA keys 0..3 (4x80h) ROM:00008308h / 3DS:01FFD200h 80h some AES keys ROM:FFFF9920h / 3DS:01FFD280h 80h whatever ROM:0000B5D8h / 3DS:01FFD300h 40h AES keys and values (common etc) ROM:? / 3DS:01FFD340h A0h misc "Nintendo" string etc. ROM:0000C6D0h / 3DS:01FFD3E0h 1048h Blowfish for DSi-mode ROM:FFFF99A0h / 3DS:01FFE428h 1048h Blowfish for DS-mode |
Offset Size CRC32 00000h 8000h 5434691Dh ;\ 08000h 188h ? ; 08188h 180h E5632151h (not 3ds) ; 08308h 80h 64515306h ; 08388h 3250h ? ; 0B5D8h 20h 85BE2749h ; ARM7 0B5F8h 10h 25A46A54h (3ds only) ; 0B608h 10h E882B9A9h ; 0B618h 10B8h ? ; 0C6D0h 1048h 3B5CDF06h ; 0D718h 1048h 5AC363F9h (not 3ds) ; 0E860h 18A0h ? ;/ 10000h 8000h 11E7C1EAh ;\ 18000h 7F4h ? ; 187F4h 200h 4405D4BAh ; 189F4h 200h 2A32F2E7h (not 3ds) ; 18BF4h D2Ch ? ; ARM9 19920h 80h 2699A10Fh ; 199A0h 1048h A8F58AE7h ; 1A9E8h 1048h E94759ACh (not 3ds) ; 1BA30h 45D0h ? ;/ ? A0h 180DF59Bh (3ds only) ;-whatever, "Nintendo" string etc. ? 80h ........h (TWL-FIRM) ;-RSA key for eMMC boot info |
180DF59Bh (tcm/ram dump) (missing 10h bytes) 03A21235h (3ds dump) (missing 180h+200h+1048h+1048h bytes) CDAA8FF6h (combined dump) (missing only the unknown "?" areas) |
http://4dsdev.kuribo64.net/thread.php?id=130 |
| External Connectors |
| AUX GBA Game Pak Bus |
Pin Name Dir Expl. 1 VDD O Power Supply 3.3V DC 2 PHI O System Clock (selectable none, 4.19MHz, 8.38MHz, 16.78MHz) 3 /WR O Write Select ;\latched address to be incremented on 4 /RD O Read Select ;/rising edges of /RD or /WR signals 5 /CS O ROM Chip Select ;-A0..A15 to be latched on falling edge 6-21 AD0-15 I/O lower 16bit Address and/or 16bit ROM-data (see below) 22-29 A16-23 I/O upper 8bit ROM-Address or 8bit SRAM-data (see below) 30 /CS2 O SRAM Chip Select 31 /REQ I Interrupt request (/IREQ) or DMA request (/DREQ) 32 GND O Ground 0V |
| AUX DS Game Card Slot |
Pin Dir Name Connection in cartridge 1 > - GND (ROM all unused Pins, EEPROM Pin 4 = VSS) 2 Out CLK (4MB/s, ROM Pin 5, EEPROM Pin 6 = CLK) 3 N - ? (ROM Pin 17) (Seems to be not connected in console) 4 i Out /CS1 (ROM Pin 44) ROM Chipselect 5 n Out /RES (ROM Pin 42) Reset, switches ROM to unencrypted mode 6 t Out /CS2 (EPROM Pin 1) EEPROM Chipselect 7 e In IRQ (GND) 8 n - 3.3V (ROM Pins 2, 23, EEPROM Pins 3,7,8 = /W,/HOLD,VCC) 9 d I/O D0 (ROM Pin 18) 10 o I/O D1 (ROM Pin 19) 11 I/O D2 (ROM Pin 20) 12 C I/O D3 (ROM Pin 21) 13 0 I/O D4 (ROM Pin 24) 14 1 I/O D5 (ROM Pin 25) 15 - I/O D6 (ROM Pin 26, EEPROM Pin 2 = Q = Data EEPROM to NDS) 16 0 I/O D7 (ROM Pin 27, EEPROM Pin 5 = D = Data NDS to EEPROM) 17 1 - GND (ROM all unused Pins, EEPROM Pin 4 = VSS) |
| AUX Link Port |
Pin Name Cable 1 VDD35 N/A GBA Socket GBA Plug Old "8bit" Plug 2 SO Red ___________ _________ ___________ 3 SI Orange | 2 4 6 | / 2 4 6 \ | 2 4 6 | 4 SD Brown \_1_ 3 _5_/ \_1_ 3 _5_/ \_1__3__5_/ 5 SC Green '-' '-' 6 GND Blue Socket Outside View / Plug Inside View Shield Shield |
1 In DC (Supply 5.2VDC) ___________________ 2 Out V3 (SIO 3.3VDC) | 1 2 3 4 5 6 7 8 | 3 I/O SO (SIO RCNT.3) | ================= | 4 I/O SI (SIO RCNT.2) \_________________/ 5 I/O SD (SIO RCNT.1) 6 I/O SC (SIO RCNT.0) 7 OUT DG (SIO GROUND) 8 In DG (Supply GROUND) - - - (Shield not connected) |
Big Plug Middle Socket Small Plug Plug 1 Plug 2 SI _________________ ____ SI SI ______ ______SI SO ____________SO |__ | ___ SO SO ______><______SO GND____________GND______|____GND GND_____________GND SD ____________SD____________ SD SD SD SC ____________SC____________ SC SC _____________ SC Shield_______Shield_______Shield Shield_______Shield |
| AUX Sound/Headphone Socket and Battery/Power Supply |
Tip Audio Left ___ ___ _____+-----------+ Middle Audio Right (___|___|_____| | Base Ground L R GND +-----------+ |
Pin SP NDS Expl. 1 P31 SL Audio LOUT _____________ 2 P32 VIN Supply Input (DC 5.2V) SW| 5 ___ 1 |SL 3 P33 SR Audio ROUT | ---- ---- | 4 P34 SG Audio GND (via 100uF to GND) |_6__4 3__2_| 5 P35 SW Audio Speaker Disable (GND=Dis) GND SG\_/SR VIN 6 GND Supply GND Shield GND |
Pin Expl. __________ 1 Supply Input (DC 5.2V) / ====== \ 2 Supply GND GND |___2__1___| VIN |
PC +5V (red) --------|>|---|>|-------- GBA BT+ PC GND (black) ------------------------- GBA BT- |
| AUX DSi SD/MMC Pin-Outs |
Transfer Modes SPI-Mode 1-bit-Bus 4-bit-Bus SDIO MMC Cards Optional Yes MMCplus No SD Cards Yes Yes Optional?? Optional |
MMC MMCplus SD miniSD microSD SPI-Mode 1-bit-Bus 4-bit/8bit-Bus 1 1 1 1 2 /CS CardDetect Data3 2 2 2 2 3 DataIn CMD/REPLY CMD/REPLY 3 3 3 3 -- GND GND GND 4 4 4 4 4 VDD VDD VDD 5 5 5 5 5 CLK CLK CLK 6 6 6 6 6 GND GND GND 7 7 7 7 7 DataOut Data Data0 -- 8 8 8 8 /IRQ (SDIO) /IRQ (SDIO) Data1 or /IRQ (SDIO) -- 9 9 9 1 NC NC Data2 -- 10 -- -- -- NC NC Data4 ;\ -- 11 -- -- -- NC NC Data5 ; MMCplus -- 12 -- -- -- NC NC Data6 ; 8bit -- 13 -- -- -- NC NC Data7 ;/ -- -- -- 10 -- Reserved Reserved Reserved -- -- -- 11 -- Reserved Reserved Reserved |
-- -- CD CD CD Card Detect (senses if card is inserted) -- --- WP -- -- Write Protect (senses position of LOCK tab) |
______________________________
/ __ __ __ __ __ __ __ |
/ | | | | | | | | |
| | 1| 2| 3| 4| 5| 6| 7| |
| MMC |__|__|__|__|__|__|__| |
| ______________________________
| / __ __ __ __ __ __ __ _ |
| / __| | | | | | | | | |
| | | | 1| 2| 3| 4| 5| 6| 7|8| | MMCplus:
| | | 9|__|__|__|__|__|__|__| | | pinout is same as 9pin SD cards,
| | |_ |_ __ __ __ __ | | | with extra DAT4-7 on pin10-13
| | | | 1| 1| | 1| 1| | |
| |MMC | 9| 0| 1| | 2| 3| 8| |
| |plus|__|__|__| |__|__|__| |
| | ______________________________
| | / __ __ __ __ __ __ __ _ |
| | / __| | | | | | | | | |
| | | | | 1| 2| 3| 4| 5| 6| 7|8| |
| | | | 9|__|__|__|__|__|__|__|_| |
| | '. |__| SD .' SD Write Protect Tab
| | | _________________________ | <-- Unlock position
| | .' | _ _ _ _ _ _ _ _ _ _ _ | |# <-- LOCK position
| | | | | | | | |1|1| | | | | | | '.
| | | | |9|1|2|3|0|1|4|5|6|7|8| | |
|_| | | |_|_|_|_|_|_|_|_|_|_|_| | |
| | | miniSD \ |
| | | _________________ | |
| | | | _ _ _ _ _ _ _ _ | | |
| | | || | | | | | | | || | |
|_| | ||1|2|3|4|5|6|7|8|| | |
| | ||_|_|_|_|_|_|_|_|| | |
| | / | | |
| | |_ microSD | | |
| | | | | |
| | / | | |
| | | | | |
| | | | | |
| |_ | | ___| |
|____ |___________________| _____|
|
_______ CLK (SPI: CLK) _______ Data3 (SPI: /CS)
| | ______ Data0 (SPI: DataOut)
<#> <#> <#> || _____ Data1
EM14 R113 C130 ||| ____ Data2
.------------------------. ||||
| | <#> <####> # #
| | U5 C57 RA4 C54 C55
| Shielding-plate '---. o .------------------.
| | |o |
| | | |
| | | Samsung 834 |
| | | KMAPF0000M-S998 |
| CPU RAM | | |
| | | |
| | '------------------'
'----------------------------' R94 R54 C50 C51
| <#> <#> <#> <#>
| |
|___ shield = GND |___ CMD/REPLY (SPI: DataIn)
|
Win98 with External Card reader: Windows didn't recognize the MMC chip Win7 with External Card reader: Okay (recognized as "unformatted" disk) Win7 with Internal Card reader: Okay (recognized as "unformatted" disk) |
| AUX Opening the GBA |
| AUX Mainboard |
| AUX DSi Component Lists |
U1 352pin CPU TWL (under shielding plate) ;\under U2 ?pin RAM 8Mx16, Fujitsu MB82DBS08164D-70L, NEC uPD46128512AF1 ;/shield U3 56pin "TexasIns 72071B0" or "Mitsumi 3317A" (powerman?) (right of NAND) U4 48pin "AIC3000D, TI 89K, EXDK G4" (PAIC3 codec? above headphone socket) U5 ?pin Samsung KMAPF0000M-S998 (eMMC, 256Mbyte NAND FLASH) U6 36pin "BPTWL, K007K, 0902KM00D" (small/square, left of cartridge slot) U7 4pin "AOK, S8BXS" (ISL95810, i2c potentiometer) ;\on PCB U8 4pin "7BDS" (PCA9306, i2c voltage translator) ;/backside U9 12pin "199A, 01IU" (Seiko S-35199A01) (RTC) ;under shielding plate (A) U10 4pin "6800" or "688F" Hinge Magnet Sensor (PCB backside, near A/B/X/Y) U11 10pin ",\\ 908, 335A" or "2005D, 8350" (right of cartridge slot) U12 5pin "L8NX" or "C7JHN" (upper-right of PCB back-side) ;text layer (B) U13 5pin Backlight 1, "U01" or "KER" ;\lower-right board edge U14 5pin Backlight 2, "U01" or "KER" ;/see text-layer (B) U15 4pin ",\\ T34" (near external power input) U16 - N/A U17 6pin "VY" or "Z198" (in lower-right, on PCB backside) U18 6pin "YJ" (above headphone socket) U19 5pin "E30H6" or "L2SX" (at lower right of cartridge slot) Q1 6pin external power supply related Q2 pin N/A ? Q3 6pin ... above battery plug Q4 3pin maybe MUTE for SR ;\old TWL-CPU-01 mainboard only Q5 3pin maybe MUTE for SL ;/(replaced by Q17?/Q18? on newer boards) Q6 6pin MC1_VDD power ON (supply) Q7 3pin MC1_VDD power OFF (pulldown) Q8 pin N/A ? Q9 pin N/A ? Q10 pin N/A ? Q11 3pin BLUE (LED) ;\LEDs (note: the other LEDs, ORANGE Q12 3pin YELLOW (LED) ; and YELLOW, are driven directly) Q13 3pin CAM_LED ;/ Q14 3pin not installed (above powerman chip) Q15 3pin not installed (above powerman chip) Q16 3pin VDD-5 related, near DPAD socket Q17? 6pin maybe MUTE ;\ ;\new TWL-CPU-10 mainboard only Q18? 6pin maybe MUTE ;/ ;/(formerly Q4/Q5 on older boards) X1 4pin 16.756 (rectangular oscillator) ;\under shielding plate X2 4pin CB837 or CB822 (long slim osc) for RTC? ;/text layer: see (A) F1 2pin Fuse for external power input SW1 2pin Button A (right) SW2 2pin Button B (lower) SW3 2pin Button X (upper) SW4 2pin Button Y (left) SW5 2pin Button Select (lower) SW6 2pin Button Start (upper) P1 19pin NDS/DSi cartridge slot (17pin slot + 2pin switch at right side) P2 - N/A P3 - N/A P4 8pin External microphone/headphone combo socket P5 50pin Wifi-Daughterboard P6 - N/A P7 47pin To UPPER lcd screen (video+backlight+speakers) (on PCB backside) P8 37pin To LOWER lcd screen (video signals) P9 25pin To UPPER lcd screen (signals for both cameras, and camera led) P10 4pin To LOWER lcd screen (touchpad X-,Y-,X+,Y+) P11 2pin External Power Supply input (4.6V DC IN) P12 - N/A P13 - N/A P14 - N/A P15 15pin To battery/DPAD/PowerButton board (and onwards to 3xLEDs) P16 26pin To bottom cover (SD Slot and L/R/VOL+/- buttons) P17 2pin Battery cable (lower-right) ;see text-layer (B) P18 4pin To LOWER lcd screen (backlight cathode/anode) P19 1pin Shielding-Plate for CPU (lower clip) P20 1pin Shielding-Plate for CPU (upper clip) P21 1pin Shielding-Plate for CPU (right clip) P22 - N/A P23 2pin To Internal Microphone (via orange shielded wire) |
(A) For components underneath of shielding plate (B) For components in lower-right board edge (near battery connector) (C) For components at middle/right of cartridge slot (D) For components left of U4 (left board edge) (E) For components right of U4 (above headphone socket) (F) For components at lower/right of cartridge slot |
(A) at top/middle, for components at upper right edge (B) at middle/left, for components near upper right edge (C) at lower/left, for components left of Y-button (D) at lower/righz, for components at right edge |
U 56pin "Mitsumi, Japan, 844L, MM3218" (same as in DS Lite) U 132pin "ROCm, Atheros, AR6002G-AC1B, E19077.1B, 0844, Taiwan" U 8pin I2C EEPROM "408F, B837" (HN58X2408F; 1Kx8 for atheros calibration) U 8pin SPI FLASH big chip "45PE10V6, HPASC VS, KOR 8364, ST" ;\either one U 8pin SPI FLASH tiny chip "5A32, 8936?" ;/installed U 8pin "4P, K" or "S6, K" (odd 3+1+3+1 pin package, near antenna) U 4pin "3VP, OT" or "3VB, OS" (at board edge, near 50pin connector) X 4pin "26.000, 9848" (bigger oscillator, for atheros chip) X 4pin "22.000, xxxx" (smaller oscillator, for mitsumi chip) P 50pin Connector to Mainboard P 2pin Connector for Antenna (shielded white cable) |
U 76pin "ROCm, Atheros, AR6013G-AL1C" (or 80pin, with 4pins at edges?) U 8pin I2C EEPROM? "4DA?, D940?" ;maybe i2c eeprom for atheros U 8pin SPI FLASH "5A32, 8937?" ;FLASH (small solder pads) U 8pin SPI FLASH not installed (alternate bigger solder pads for FLASH?) U 4pin "?" (at board edge, near 50pin connector) X 4pin "??" (oscillator, near ROCm chip) P 50pin Connector to Mainboard P 2pin Connector for Antenna (shielded white cable) |
TH1 2pin Battery Thermal Sensor maybe? (about 10kOhm at room temperature) F1 2pin Battery Fuse SW1 2pin DPAD Up Button SW2 2pin DPAD Down Button SW3 2pin DPAD Left Button SW4 2pin DPAD Right Button SW5 2pin Power/Reset Button P1 15pin To Mainboard (P15) (button/led signals) (wire "15P-01") P2 6pin To 3xLEDs P3 3pin To battery (TWL-003 3.6V 840mAh 3Wh C/TWL-A-BP, Li-ion 00" Wire 2pin To Mainboard (P17) (battery supply) (red=vcc, black=gnd) |
D 2pin Left LED ;-wifi D 2pin Middle LED ;-charge D 2pin Right LED 1 ;\power "two-color-LED" D 2pin Right LED 2 ;/composed of 2 single LEDs Wire 6pin To Battery/DPAD Daughterboard |
Wire 4pin Touchpad Wire 4pin Backlight (actually 2pins, each 2 pins are same) Wire xxpin Video Signals LCD "LS033A1DG48R, 8X16Q U0003986" |
Orange Ribbon Cable: Video Signals, Backlight, and Speakers Black Ribbon Cable: Cameras and Camera LED Shielded Orange 2pin Wire: Microphone Shielded White 2pin Wire: Wifi PCB Antenna LCD "LS033A1DG38R, BX16Q L0005532" The speakers use red/black wires, which connect to the orange ribbon cable |
Whatever, not checked yet |
7 screws (two are under battery cover) |
P16: To bottom cover (SD Slot and L/R/VOL+/-) --> pull (away from board) |
P5: Wifi-board (without cable) --> pull (away from board) WHITE: Wifi-Antenna (shielded 2pin) --> pull (away from wifi-board) |
ORANGE P24 (shielded 2pin) --> pull (away from board) WHITE SUPPLY --> lift (use screwdriver & push away from board) 3x bigger white/black connectors --> lift black lid (at cable-side) 2x smaller black connectors --> lift black lid (at cable-end) (!!!) |
1x bigger white/black connector --> lift black lid (at cable-side) |
1x smaller black connector --> lift black lid (at cable-end) (!!!) 1x bigger white/black connectors --> lift black lid (at cable-side) (don't disconnect bigger connector if the other cable end is already disconnected from mainboard) (or if you did do, reassemble as follows: longer cable end to battery board, short cable end to mainboard) 1x battery cable (disconnect at mainboard side, see there) |
Disconnect upper LCD and mic/antenna from mainboard (see above) Remove 4 screws (all hidden under square rubber pieces) slide rear bezel upwards by two millimeters? push metal hinge inwards by three millimeters (under LED unit) |
| AUX DSi Internal Connectors |
1 GND 2 MC1_CLK 3 - 4 MC1_CS 5 MC1_RES 6 MC1_CS2 7 MC1_IREQ 8 MC1_VDD via Q6 to VDD33 (cpu signal preamplified from Q7) 9 MC1_IO0 10 MC1_IO1 11 MC1_IO2 12 MC1_IO3 13 MC1_IO4 14 MC1_IO5 15 MC1_IO6 16 MC1_IO7 17 GND 18 MC1_DET ;\switch closed when cart inserted 19 GND ;/ Shield GND |
1 GND ;\ ;\ 2 SL ; head- ; headphone gnd/left/right 3 SR ; phone ;/ 4 GND ; ;\headphone/speaker switch (pin 4+5 shortcut with each 5 HP#SP ;/ ;/other when no headphone connected) 6 MIC ;\ ;\microphone switch (pin6+7 shortcut when no mic connected) 7 Switch ; mic ;/(internal mic from P23 is then passed from pin7 to pin6) 8 GND ;/ |
GND 2 1 SDIO.CLK ;\
VDD18 4 3 GND ; SDIO for
VDD18 6 5 SDIO.DAT0 ; Atheros Wifi
GND 8 7 SDIO.DAT3 ; (CLK, CMD, DATA0-3)
VDD33 10 9 SDIO.DAT1 ;
VDD33 12 11 SDIO.CMD ;
GND 14 13 SDIO.DAT2 ;/
ATH_TX_H 16 15 DSi: NC (connected at wifi side!!!)
/WIFI_RST 18 17 DSi: NC (connected at wifi side?)
NC (connected at wifi side?) 20 19 GND
NC (connected at wifi side?) 22 21 RTC_FOUT (or RTC_F32K?) ;for Atheros?
NC (connected at wifi side?) 24 23 GND
IRQ? (goes near CPU irq pins) 26 25 DSi: NC (wifi: via 0 ohm MM3218.pin47)
/FLASH_WP (R122) 28 27 SPI_CS2 (wifi FLASH memory)
SPI_SCK 30 29 ... to MM3218.pin42
SPI_MISO 32 31 ... to MM3218.pin41
SPI_MOSI 34 33 ... to MM3218.pin38
to MM3218.pin15 ... 36 35 ... to MM3218.pin37
WL_RXPE 38 37 ... to MM3218.pin36
to MM3218.pin19 ... 40 39 ... to MM3218.pin35
GND 42 41 ... to MM3218.pin34
to MM3218.pin21 ... 44 43 ... to MM3218.pin28 (via 0 ohm) (+cap)
to MM3218.pin18 ... 46 45 GND
WL_TXPE 48 47 ... to MM3218.pin23 (via XX and CLxx)
RESET 50 49 GND
|
BLA2 1 2 BLC2 ;-backlight
SPLN 3 4 SPLN ;\left speaker
SPLP 5 6 SPLP ;/
SPRN 7 8 SPRN ;\right speaker
SPRP 9 10 SPRP ;/
VDD-5 11 12 VDD10
VDD5 13 14 GND
VSHD 15 16 VSHD
INI 17 18 GSP
GCK 19 20 LDB20
LDB21 21 22 LDB22
LDB23 23 24 LDB24
LDB25 25 26 LDG20
LDG21 27 28 LDG22
GND 29 30 LDG23
LDG24 31 32 LDG25
LDR20 33 34 LDR21
LDR22 35 36 LDR23
LDR24 37 38 LDR25
GND 39 40 DCLK
SPL 41 42 LS
GND 43 44 via C79 to COM2
REV 45 46 GND
COM2 47
|
VDD-5 1 2 VDD10
VDD5 3 4 GND
VSHD 5 6 VSHD
INI 7 8 GSP
GCK 9 10 LDB10
LDB11 11 12 LDB12
LDB13 13 14 LDB14
LDB15 15 16 LDG10
LDG11 17 18 LDG12
GND 19 20 LDG13
LDG14 21 22 LDG15
LDR10 23 24 LDR11
LDR12 25 26 LDR13
LDR14 27 28 LDR15
GND 29 30 DCLK
SPL 31 32 LS
GND 33 34 via C93 to COM1
REV 35 36 GND
COM1 37
|
GND 1 2 CAM_LED
VDD42 3 4 GND
R100 RCLK 5 6 GND
GND 7 8 HSYNC
VSYNC 9 10 CAM_D5 RA7
RA7 CAM_D6 11 12 CAM_D4 RA7
CAM_RST 13 14 SCL
SDA 15 16 CAM_D7 RA7
RA6 CAM_D0 17 18 CAM_D3 RA6
RA6 CAM_D1 19 20 CAM_D2 RA6
VDD28 21 22 GND
CKI 23 24 GND
VDD18 25
|
1 X- 2 Y- 3 X+ 4 Y+ |
1 VIN (+4.6V) 2 VGND (GND) Shield (GND) |
dpad up button P06 1 2 ORANGE (LED) Battery Charge
dpad right button P04 3 4 BLUE (LED) Power On/Good
dpad left button P05 5 6 YELLOW (LED) Wifi
dpad down button P07 7 8 RED (LED) Power On/Low
GND 9 10 VDD42 (to LEDs)
GND 11 12 TH on DPAD board (via R102 to TH on main)
middle battery pin DET 13 14 GND
power button PWSW 15
|
GND 2 1 SD10_CLK ;\
SD10_DATA0 4 3 SD10_VDD (aka VDD33) ;
SD10_DATA1 6 5 SD10_VDD (aka VDD33) ; pin 1..18
SD10_WP 8 7 GND ; to RIGHT side:
GND 10 9 SD10_CMD ; R-button, and
shoulder button R P08 12 11 GND ; SD-card slot
GND 14 13 SD10_DATA3 ;
SD10_CD 16 15 SD10_DATA2 ;
GND 18 17 GND ;/
GND 20 19 GND ;\pin 19..20
maybe display ;\ VDD5 22 21 VOLP (aka volume plus?) ; to LEFT side:
calibration? ; COM1 24 23 VOLN (aka volume minus?) ; L-button, VOL +/-
(at battery) ;/ COM2 26 25 P09 shoulder button L ;/and calibration
|
+ BT+ (plus) (red wire) - BT- (GND) (black wire) |
1 BLC1 ;\both same 2 BLC1 ;/ 3 BLA1 ;\both same 4 BLA1 ;/ |
Shield GND |
Pin MIC (from P4.Pin7, disconnected when external microphone connected) Shield GND |
1 YELLOW Wifi 2 BLUE Power On/Good 3 ORANGE Battery Charge 4 GND (for red+orange) 5 RED Power On/Low 6 VDD42 (for yellow+blue) |
| AUX DSi Chipset Pinouts |
http://problemkaputt.de/twl-core.jpg |
Wifi MC2 maybe MC1 SD/MMC eMMC SPI RTC IRQs
.---.---.---------------.---------------.-------.---.-------.-------.---.---.
|NC |wif|NC NC NC NC |D7 D3 IRQ CLK|D0 CLK|CLK|CS3 SCK|CS SCK|R7 |NC |
+---' | | | | | | .---' '---+
|wif wif|NC NC NC NC |D6 D2 DET CS |D1 CMD|D0 |CS2 MIS|SIO|PEN NC WIF|
| | | | | | +---+---. .---+
|wif wif|NC NC NC NC |D5 D1 PWR CS2|D2 CD |D1 |CS1 MOS|R00 R01|RTC|P09|
| '---. .---+ .---' .---' '---.---+ '---' |
|wif wif wif|NC NC |V33|D4 D0 RES|D3 WP |D3 D2 CMD| ? |P08 P07 P06 P05|
| '---+---' '-----------'-------'-----------'---+ |
|wif wif RXP TXP|GND V12 V33 GND V12 V33 G? V12 V33 GND V33|P04 P03 P02 P01|
| . . | +-----------. |
|DT3|wif wif ? |GND V33 V12 GND GND GND V33 G? GND V33 V12| ? RES NC |P00|
| '. . . . . .| | '---+
|CLK DT2 DT1 DT0|V33 GND V12 V33 GND V12 G? V12 GND GND V33|PMO VC5 PMS X |
+-----------. | '-----------. |
|V33 NC GND|CMD|V12 GND V33 GND V12 V33 GND V33 V12 V12 V33 GND GND GND|X |
| '---' .-----------. .-----------' |
|V33 NC V33 V33 GND V33 GND V33|- - - |GND GND GND GND|HP# IRQ ? GND|
+---. .---. | | | |
|B15|V33|NC |V33 V12 GND V12 V12|- - - |V12 V18 GND V12|NC NC NC GP |
| '---'---'---. | | +---------------+
|B14 B13 B12 B11|V33 GND V33 GND|- - - |V18 GND V18 GND|A1 D1 A0 D0 |
| | '-----------' | |
|B10 G15 G14 G13|GND V33 V12 GND V18 V12 V18 GND V18 V12 V18|A3 D3 A2 D2 |
| | | |
|G12 G11 G10 R15|V33 V12 GND V12 GND V18 GND V12 GND V18 GND|A5 D5 A4 D4 |
| | | |
|R14 R13 R12 R11|GND V33 V18 GND V18 V12 V18 GND V18 V12 V18|A7 D7 A6 D6 |
+-----------. | | |
|DCK GSP SPL|R10|V33 V12 GND V18 GND V18 GND V12 GND V18 GND|A9 D9 A8 D8 |
| .---'---'-------.-------.---.---.-------.-----------' |
|LS REV|B22 G24 G20 R22|D7 D3 |NC |RST|SCK WS |CE1 /OE A20 A11 D11 A10 D10|
| .---' | | | | | |
|GCK|B25 B21 G23 R25 R21|D6 D2 |NC |VSY|MCK SDO|NC CE2 A19 A13 D13 A12 D12|
| | | | | +---. | |
|INI|B24 B20 G22 R24 R20|D5 D1 |NC |HSY|SDA|SDI|/LB CLK A18 A21 A14 D15 D14|
+---+ .---+ '---' | +---' .---+
|NC |B23 G25 G21 R23|NC |D4 D0 CKI RCK|SCL|/UB ADV /WE A15 A17 A22 A16|NC |
'---'---------------'---'---------------'---'---------------------------'---'
LCD CAM I2C SND RAM o
|
A B C D E F G H J K L M N P
10 - - - - - - - - - - - - - -
9 - NC NC - A15 A21 A22 A16 NC VSS - NC NC -
8 - NC NC A11 A12 A13 A14 NC DQ15 DQ7 DQ14 NC NC -
7 - - - A8 A19 A9 A10 DQ6 DQ13 DQ12 DQ5 - - -
6 - - - /WE CE2 A20 - - DQ4 VDD NC - - -
5 - - - CLK /ADV (W) - - DQ3 VDD DQ11 - - -
4 - - - /LB /UB A18 A17 DQ1 DQ9 DQ10 DQ2 - - -
3 - NC - A7 A6 A5 A4 VSS /OE DQ0 DQ8 NC NC -
2 - NC NC - A3 A2 A1 A0 NC /CE1 - NC NC -
1 o - - - - - - - - - - - - - -
|
A B C D E F G H J K L M N P
10 NC NC NC NC NC NC VDD VSS NC NC NC NC NC NC
9 NC NC NC NC A15 A21 A22 A16 NC VSS NC NC NC NC
8 - - NC A11 A12 A13 A14 NC DQ15 DQ7 DQ14 NC - -
7 - - NC A8 A19 A9 A10 DQ6 DQ13 DQ12 DQ5 NC - -
6 - - NC /WE CE2 A20 NC NC DQ4 VDD NC NC - -
5 - - NC CLK /ADV /WAI NC VDD DQ3 VDD DQ11 VDD - -
4 - - NC /LB /UB A18 A17 DQ1 DQ9 DQ10 DQ2 VSS - -
3 - - VSS A7 A6 A5 A4 VSS /OE DQ0 DQ8 NC - -
2 NC NC NC NC A3 A2 A1 A0 NC /CE1 NC NC NC NC
1 o NC NC - NC NC NC VDD VSS NC NC NC NC NC NC
|
A B C D E F G H J K L M N P
10 NC NC NC - - - NC NC - - - NC NC NC
9 - NC NC - A15 A21 A22 A16 NC VSS - NC NC -
8 - - NC A11 A12 A13 A14 NC DQ15 DQ7 DQ14 NC - -
7 - - - A8 A19 A9 A10 DQ6 DQ13 DQ12 DQ5 - - -
6 - - NC /WE CE2 A20 NC NC DQ4 VCC NC NC - -
5 - - NC CLK /ADV /WAI NC NC DQ3 VCC DQ11 NC - -
4 - - - /LB /UB A18 A17 DQ1 DQ9 DQ10 DQ2 - - -
3 - - NC A7 A6 A5 A4 GND /OE DQ0 DQ8 NC - -
2 - NC NC NC A3 A2 A1 A0 NC /CE1 - NC NC -
1 o NC NC NC - - - NC NC - - - NC NC NC
|
1 GND (via CL9) 2 ADPO 3 EXTB+ 4 VDD33 5 RESET ;\ 6 SPI_SCK ; main cpu bus 7 SPI_MOSI ; (reset and spi) 8 SPI_MISO ; 9 SPI_CS1 ;/ <-- powerman (this does ALSO connect to U4) 10 GND 11 PMOFF 12 PWSWO 13 VCNT5 14 PM_SLP --- 15 B+ 16 VDD12 via L1 17 VDD12 18 GND 19 BLC1 ;\ 20 BLA1 via U13 ; backlight 1+2 21 BLA2 via U14 ; anode/cathode 22 BLC2 ;/ 23 GND 24 B+ 25 B+ 26 VDD18 via L2 27 VDD18 via L2 28 VDD18 --- 29 DET ;\battery contacts 30 BT+ ;/ ;\these are almost shortcut 31 VDET- ;/with each other (via 0 ohm R71) 32 PVDD 33 PWSW (when off: very few ohms to PVDD) 34 ... via R104 (100K) to Q3 (B+ enable or so?) 35 B+ 36 ... via to C18 to GND (seems to have no other connection) 37 GND 38 AOUT ;\to U6 39 GND ; 40 SCL1 ; ;\secondary IC2 bus (to U6) 41 SDA1 ;/ ;/ 42 VDD33 --- 43 GND via CL10 44 VDD5 input (sense if VDD5/C16 has reached voltage) 45 charge-pump for VDD5 (L7 and via DA3 to VDD5/C16) 46 charge-pump for VDD5 (L5 and C14) 47 VDD33 (via CL5) 48 VDD33 (via L3) 49 VDD33 50 VDD33 51 B+ 52 B+ 53 B+ 54 charge-pump for VDD42 (L7 and C23) 55 charge-pump for VDD42 (L7 and via D3 to VDD42/C22) 56 VDD42 input (sense if VDD42/C22 has reached voltage) |
Pin TSC2117 AIC3000D 1 MISO SPI_MISO 2 MOSI SPI_MOSI 3 /SS SPI_CS1 (powerman, this does ALSO connect to U3) 4 SCLK SPI_SCLK 5 GPIO1 SPI_CS3 (touchscreen) 6 GPIO2 PENIRQ 7 IOVSS GND 8 IOVDD VDD33 9 DVDD VDD18 10 SDOUT SND_SDI ;\ 11 SDIN SND_SDO ; 12 WLCK SND_WS ; serial sound input from main cpu --- ; (and serial output? microphone maybe?) 13 BCLK SND_SCLK ; 14 MCLK SND_MCLK ;/ 15 SDA ... via R107 to VDD18 ;\unused I2C bus (?) 16 SCL ... via R106 to VDD18 ;/ 17 VOL/M wiper (sound volume, from i2c potentiometer) "VOL/MICDET?" 18 MICBIAS LIN-related-1 ... to 6pin U18 19 MIC LIN (aka MIC via C31) 20 AUX1 LIN-related-2 ;\via 0ohm R108 to ... something on U18 21 AUX2 LIN-related-2 ;/ that is almost GND 22 AVSS GND 23 AVDD VDD33 24 VBAT GND --- 25 VREF VDD33 26 TSVSS GND 27 YN Y- ;\ 28 XN X- ; 29 DVSS GND ; touchscreen input 30 YP Y+ ; 31 XP X+ ;/ 32 TSVDD VDD33 33 SPLN SPLN ;\ 34 SLVSS GND ; 35 SLVDD B+ ; speaker output 36 SPLP SPLP ; --- ; 37 SPRN SPRN ; 38 SRVDD B+ ; 39 SRVSS GND ; 40 SPRP SPRP ;/ 41 HPL SL via CP2 and R88 ;\ 42 HVDD VDD33 ; 43 HVSS GND ; headphone output 44 HPR SR via CP3 and R89 ; 45 GPI3 MUTE via Q4/Q5 to SR/SL ; 46 GPI2 HP#SP switch ;/ 47 GPI1 VCNT5 48 /RESET RESET |
1 2 3 4 5 6 7 8 9 10 11 12 13 14
o A NC NC DAT0 DAT1 DAT2 NC NC NC NC NC NC NC NC NC
B NC DAT3 DAT4 DAT5 DAT6 DAT7 NC NC NC NC NC NC NC NC
C NC VDDI NC VSSQ NC VCCQ NC NC NC NC NC NC NC NC
D NC NC NC NC - - - - - - - NC NC NC
E NC NC NC - NC VCC VSS NC NC NC - NC NC NC
F NC NC NC - VCC - - - - NC - NC NC NC
G NC NC NC - VSS - - - - NC - NC NC NC
H NC NC NC - NC - - - - VSS - NC NC NC
J NC NC NC - NC - - - - VCC - NC NC NC
K NC NC NC - NC NC NC VSS VCC NC - NC NC NC
L NC NC NC - - - - - - - - NC NC NC
M NC NC NC VCCQ CMD CLK NC NC NC NC NC NC NC NC
N NC VSSQ NC VCCQ VSSQ NC NC NC NC NC NC NC NC NC
P NC NC VCCQ VSSQ VCCQ VSSQ NC NC NC NC NC NC NC NC
|
GND WL_TXPE P02(button) SDA'33 ADPO GND o
ATH_TX_H BLUE(LED) RED(LED) SCL'33 V33 GND
YELLOW(LED) VOLP button VOLN button PM_SLP V33' /WIFI_RST
SDA1 RESET SCL1 to C46 GND to U17
VDD28 GND CAM_LED PWSWO mFE /mRST
GND AOUT mFE'(R79) WL_RXPE /IRQ_O GND
|
1 /WP (DSi: VDD33) writeprotect 2 SCL (DSi: SCL1) i2c bus ;\from U6 3 SDA (DSi: SDA1) i2c bus ;/ 4 GND (DSi: GND) ground 5 RW (DSi: wiper) pot.wiper ;-to U4 6 RL (DSi: VDD18) pot.L 7 RH (DSi: GND) pot.H 8 VCC (DSi: VDD33) supply |
1 GND (DSi: GND) 2 VREF1 (DSi: VDD18) 3 SCL1 (DSi: SCL) ;\to U1 (CPU) 4 SDA1 (DSi: SDA) ;/ 5 SDA2 (DSi: SDA'33) ;\to U6 (LED/stuff) 6 SCL2 (DSi: SCL'33) ;/ 7 VREF2 (DSi: VDD33) 8 EN (DSi: VDD33) |
A B C D
3 CS /SCK VDD F32K
2 SIO CTRL /INT FOUT
1 o VSS XIN XOUT VDDL
|
1 VDD33 2 R7 (HINGE) ;to U1 3 GND 4 GND |
1 EXTB+ 2 Rosc 3 ORANGE (via R2) ;-charge LED 4 GND 5 TH' (via R76 to TH) ;\thermal sensor 6 TH (via R102 to DPAD board) ;/for battery? 7 B+ (?) 8 RICHG 9 BT+ 10 BT+ |
CAM_LED (via R68 and Q13) ;\ BLUE (via R21 and Q11) ; from U6 YELLOW (via R22 and Q12) ;/ RED (via R20) ;-from U6 (or to U6 ?) ORANGE (via R2) ;-from U11 |
1 VDD18 2 GND 3 VDD18 4 Antenna signal 5 Antenna shield 6 VDD18 7 VDD18 8 GND 9 NC 10 GND 11 GND 12 GND 13 NC 14 /RESET --- 15 ... to DSi mainboard connector pin 36 16 WL_TXPE 17 WL_RXPE 18 ... to DSi mainboard connector pin 46 !!! 19 ... to DSi mainboard connector pin 40 20 VDD33 21 ... to DSi mainboard connector pin 44 22 GND 23 ... via nearby big component ... to DSi mainboard connector pin 47 ? 24 VDD18 25 NC 26 22MHz 27 22MHz' 28 ... to DSi mainboard connector pin 43 (with cap to GND and via 0 ohm) --- 29 VDD33 30 via capacitor to VDD33 31 via 1K2 + 120K to GND (aka via 121.2K to GND) 32 VDD18 33 VDD18 34 ... to DSi mainboard connector pin 41 35 ... to DSi mainboard connector pin 39 36 ... to DSi mainboard connector pin 37 37 ... to DSi mainboard connector pin 35 38 ... to DSi mainboard connector pin 33 39 GND 40 VDD33 41 ... to DSi mainboard connector pin 31 42 ... to DSi mainboard connector pin 29 --- 43 VDD18 44 ... shortcut to MM3218.pin50, and via resistor to MM3218.pin46 45 VDD33 46 ... via resistor to MM3218.pin44+50 47 ... to DSi mainboard connector pin 25 (via 0 ohm) (+cap) (NC in DSi) 48 VDD33 49 GND 50 ... shortcut to MM3218.pin44, and via resistor to MM3218.pin46 51 ... via resistor to GND 52 VDD18 53 NC 54 NC 55 NC 56 NC |
1 2 3 4 5 6 7 8 9 10 11 12 13
A AGND RF2 RF2 RF2 RF2 PDET NC NC VDD18 VDD12 XTAL XTAL BT_CLK
OUTN OUTP INP INN BIAS XTAL I O OUT
B RF5 AGND VDD18 VDD12 VDD12 BIAS NC NC VDD12 VDD12 VDD18 BT_ DVDD12
INP FE LNA BIAS REF D_SYN BB XTAL CLKEN
C RF5 VDD12 - - AGND AGND AGND AGND AGND - - GPIO GPIO
INN FE 17 16
D PA5 NC - - - - - - - - - GPIO GPIO
BIAS 14 15
E RF5 VDD18 AGND - AGND AGND AGND AGND DVSS - - DVDD DVDD
OUT VCO GPIO1 GPIO0
F VDD12 VDD12 AGND - AGND AGND AGND AGND DVSS - DVSS GPIO GPIO
TX5 SYNTH 12 13
G XPA XPA AGND - AGND AGND AGND AGND DVSS - DVSS GPIO GPIIO
BIAS2 BIAS5 10 11
H VCCFE LDO_ AGND - AGND AGND AGND AGND DVSS - DVSS GPIO DVDD
M OUT 9 12
J ANTA VDDIO AGND - DVSS DVSS DVSS DVSS DVSS - DVSS CLK_ DVDD
ANT REQ 12
K ANTC ANTB - - - - - - - - - SYS_ CHIP_
RST_L PWD_L
L ANTD ANTE - - DVSS DVSS DVSS DVSS DVSS - - DVDD DVDD_
12 SDIO
M AGND GPIO0 GPIO2 DVDD GPIO4 GPIO6 GPIO8 TMS TCK TDO SDIO_ SDIO_ SDIO_
12 DATA3 DATA2 CLK
N DVDD GPIO1 GPIO3 DVDD_ GPIO5 GPIO7 DVDD_ DVDD TDI DVDD_ SDIO_ SDIO_ SDIO_
12 BT SDIO 12 SDIO CMD DATA1 DATA0
|
1 1.2V 2 VDD18 3 NC 4 NC 5 VDD18 6 NC 7 1.2V 8 VDD18 9 1.2V 10 NC 11 NC (except, wired to tespoint) 12 VDD33 13 via 0 ohm to ATH_TX_H ;<--with 0 ohm connection 14 via (N/A) to ATH_TX_H ;<--connection not installed 15 to a dead-end-via 16 to a dead-end-via 17 1.2V 18 P5.pin24 (plus testpoint) 19 NC (except, wired to tespoint) --- 20 VDD18 21 1.2V 22 I2C.SCL 23 I2C.SDA 24 P5.pin21 RTC 32KHZ via 0 ohm 25 /WIFI_RST 26 ATH_TX_H 27 SDKI.CMD 28 SDIO.CLK 29 VDD33 30 SDIO.DAT0 31 SDIO.DAT2 32 SDIO.DAT1 33 SDIO.DAT3 34 P5.pin22 35 P5.pin20 36 P5.pin17 37 1.2V 38 P5.pin15 --- 39 P5.pin36 40 VDD33 41 1.2V 42 P5.pin46 43 P5.pin44 44 P5.pin40 45 WL_TXPE 46 WL_RXPE 47 P5.pin47 48 P5.pin33 and 6.9ohm to P5.47 ? 49 P5.pin35 50 P5.pin39 51 VDD33 52 P5.pin37 53 P5.pin41 54 P5.pin29 55 P5.pin31 56 P5.pin26 ... IRQ? 57 1.2V --- 58 VDD18 59 XTALx 60 XTALx 61 1.2V 62 1.2V 63 VDD18 64 NC (except, wired to tespoint) 65 NC (except, wired to tespoint) 66 NC (except, wired to tespoint) 67 NC (except, wired to tespoint) 68 NC 69 via 6.1K to GND 70 1.2V 71 NC 72 NC 73 VDD18 74 RF2.OUTx 75 RF2.OUTx 76 VDD18 --- GND center plates P5.pin43 = NC on AR6013 boards? P5.pin25 = NC on AR6013 boards? (and NC on mainboard, too) P5.pin50 = RESET goes to Wifi FLASH only (not to MM3218 clone within AR6013G) |
| Pinouts - CPU - Signal Summary |
| Pinouts - CPU - Pinouts |
1 VDD3 17 D0 33 A0 49 WA4 65 VDD2 81 WD9 97 LDB5 113 CK1 2 IN35 18 A15 34 /CS 50 WA5 66 WD5 82 WD1 98 LDB4 114 CK2 3 TP8 19 A14 35 /RD 51 WA6 67 WD13 83 /WOE 99 LDB3 115 VDD2 4 TP0 20 A13 36 /WR 52 WA7 68 WD6 84 DCK 100 LDB2 116 GND 5 TP1 21 A12 37 PHI 53 /WLB 69 WD14 85 LP 101 LDB1 117 VDD2 6 SO1 22 A11 38 VDD35 54 /WUB 70 WD7 86 PS 102 GND 118 VCNT5 7 SO2 23 A10 39 GND 55 /WWE 71 WD15 87 LDR5 103 VDD3 119 TP9 8 Vin 24 A9 40 SC 56 WA8 72 WD8 88 LDR4 104 SPL 120 TP6 9 /RES 25 A8 41 SD 57 WA9 73 WD16 89 LDR3 105 CLS 121 TP5 10 D7 26 A7 42 SI 58 WA10 74 WA16 90 LDR2 106 SPS 122 TP7 11 D6 27 A6 43 SO 59 WA11 75 WD12 91 LDR1 107 MOD 123 TP4 12 D5 28 A5 44 VDD2 60 WA12 76 WD4 92 LDG5 108 REVC 124 /FIQ 13 D4 29 A4 45 WA0 61 WA13 77 WD11 93 LDG4 109 GNDed 125 /RESET 14 D3 30 A3 46 WA1 62 WA14 78 WD3 94 LDG3 110 GNDed 126 TP2 15 D2 31 A2 47 WA2 63 WA15 79 WD10 95 LDG2 111 GNDed 127 TP3 16 D1 32 A1 48 WA3 64 GND 80 WD2 96 LDG1 112 GNDed 128 GND |
1 IN35 21 D0 41 A0 61 WA4 81 WD13 101 GND 121 LDB4 141 GND 2 TP8 22 A15 42 /CS 62 WA5 82 WD6 102 VDD1 122 LDB3 142 VDD3 3 TP0 23 A14 43 /RD 63 WA6 83 WD14 103 GND 123 LDB2 143 GND 4 TP1 24 A13 44 /WR 64 WA7 84 WD7 104 VDD3 124 LDB1 144 VCNT5 5 SO1 25 A12 45 PHI 65 /WLB 85 WD15 105 DCK 125 GND 145 TP9 6 SO2 26 A11 46 VDD35 66 /WUB 86 WD8 106 LP 126 VDD3 146 TP6 7 Vin 27 GND 47 GND 67 GND 87 WD16 107 PS 127 SPL 147 TP5 8 VDD1 28 VDD35 48 SC 68 VDD2 88 WA16 108 LDR5 128 CLS 148 TP7 9 GND 29 A10 49 SD 69 /WWE 89 VDD2 109 LDR4 129 SPS 149 TP4 10 VDD35 30 A9 50 SI 70 WA8 90 GND 110 LDR3 130 MOD 150 /FIQ 11 /RES 31 A8 51 SO 71 WA9 91 WD12 111 LDR2 131 REVC 151 /RESET 12 D7 32 A7 52 VDD35 72 WA10 92 WD4 112 LDR1 132 GND 152 ? 13 D6 33 A6 53 GND 73 WA11 93 WD11 113 LDG5 133 GND 153 TP3 14 D5 34 A5 54 VDD1 74 WA12 94 WD3 114 LDG4 134 GND 154 TP2 15 D4 35 A4 55 GND 75 WA13 95 WD10 115 LDG3 135 GND 155 VDD3 16 D3 36 GND 56 VDD2 76 WA14 96 WD2 116 LDG2 136 VDD1 156 GND 17 D2 37 VDD35 57 WA0 77 WA15 97 WD9 117 LDG1 137 GND 18 GND 38 A3 58 WA1 78 GND 98 WD1 118 GND 138 CK1 19 VDD35 39 A2 59 WA2 79 VDD2 99 /WOE 119 VDD3 139 CK2 20 D1 40 A1 60 WA3 80 WD5 100 VDD2 120 LDB5 140 VDD2 |
| Pinouts - Audio Amplifiers |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 C38 FR1 FR2 FL1 FL2 GND RIN LIN C39 VOL SW VDD5 LOUT VCC3 ROUT VCC3 SP GND |
1-OUT A 2-IN A 3-BYPASS 4-GND 5-SHUTDOWN 6-IN B 7-OUT A 8-VDD.VQ5 |
| Pinouts - LCD Cables |
1 ? 6 GND 11 LDR2 16 LDG2 21 LDB3 26 SPS 31 P2-VSS 36 V4 2 VSHD 7 VSHD 12 LDR1 17 LDG1 22 LDB2 27 ? 32 P2-VCC 37 V3 3 DCK 8 LDR5 13 LDG5 18 GND 23 LDB1 28 MOD 33 ? 38 V2 4 LP 9 LDR4 14 LDG4 19 LDB5 24 SPL 29 VCOM 34 VDD5 39 V1 5 PS 10 LDR3 15 LDG3 20 LDB4 25 CLS 30 P2-VEE 35 GND 40 V0 |
1 VSHD 5 VSHD 9 LDR3 13 LDG4 17 GND 21 LDB2 25 SPS 29 P2VSS 33 U83 2 DCK 6 GND 10 LDR2 14 LDG3 18 LDB5 22 LDB1 26 MOD 30 COM 34 VDD5 3 LP 7 LDR5 11 LDR1 15 LDG2 19 LDB4 23 SPL 27 REVC 31 VDD5 4 PS 8 LDR4 12 LDG5 16 LDG1 20 LDB3 24 CLS 28 P2VDD 32 GND |
__GBA Mirco display socket (P1)____________________________________ 1-PS 6-5bit 11-MD 16-5bit 21-5bit 26-CL 31-GND 2-RV 7-5bit 12-SL 17-5bit 22-5bit 27-SS 32-GND 3-GND 8-5bit 13-CK 18-5bit 23-5bit 28-via C5 to VR1 33-V10 4-5bit 9-LP 14-GND 19-5bit 24-5bit 29-V5 34-V-5 5-5bit 10-VD 15-5bit 20-GND 25-5bit 30-to VR1 __GBA Mirco backlight socket (P3)__________________________________ 1-LC 2-LC 3-LA 4-LA |
___NDS upper screen/upper backlight/speakers socket (P3)_____________________ 1-SPLO 7-PS2 13-LDR2 19-GND 25-LDG2 31-LDB2 37-MOD2 43-VDD15 49-SPRO 2-SPLO 8-REV2 14-LDR1 20-DCLK2 26-LDG1 32-LDB1 38-GND 44-VDD-5 50-GND 3-SSC2 9-GND 15-LDR0 21-GND 27-LDG0 33-LDB0 39-VDD5 45-VDD-10 51-GND 4-ASC2 10-LDR5 16-LS2 22-LDG5 28-LDB5 34-GCK2 40-VDD10 46-LEDC2 5-GND 11-LDR4 17-VSHD 23-LDG4 29-LDB4 35-GSP2 41-COM2 47-LEDA2 6-SPL2 12-LDR3 18-DISP1 24-LDG3 30-LDB3 36-GND 42-GND 48-SPRO ___NDS lower screen socket (P4)______________________________________________ 1-SSC1 6-REV1 11-LDR2 16-DISP0 21-LDG4 26-LDB5 31-LDB0 36-GND 41-VDD15 2-ASC1 7-GND 12-LDR1 17-SPL1 22-LDG3 27-LDB4 32-GCK1 37-? 42-VDD10 3-GND 8-LDR5 13-LDR0 18-DCLK1 23-LDG2 28-LDB3 33-GSP1 38-VDD5 43-GND 4-? 9-LDR4 14-LS1 19-GND 24-LDG1 29-LDB2 34-VSHD 39-COM1 44-VDD-5 5-PS1 10-LDR3 15-VSHD 20-LDG5 25-LDG0 30-LDB1 35-MOD1 40-GND 45-VDD-10 ___NDS lower backlight socket (P5)____ ___NDS touchscreen socket (P6)______ 1:LEDA1 2:LEDA1 3:LEDC1 4:LEDC1 1:Y- 2:X- 3:Y+ 4:X+ |
___NDS-Lite upper screen/upper backlight/speakers socket (P3)________________ 1-VDD-5 6-MOD 11-LD2xx 16-LD2xx 21-LD2xx 26-LD2xx 31-LS 36-GND 41-SPRO 2-VDD10 7-GSP 12-LD2xx 17-LD2xx 22-LD2xx 27-LD2xx 32-VSHD 37-COM2 42-SG 3-VDD5 8-GCK 13-LD2xx 18-GND 23-LD2xx 28-GND 33-GND 38-LEDA2 43-SG 4-GND 9-LD2xx 14-LD2xx 19-LD2xx 24-LD2xx 29-DCLK 34-xx2? 39-LEDC2 44-SPLO 5-VSHD 10-LD2xx 15-LD2xx 20-LD2xx 25-LD2xx 30-SPL 35-REV 40-SPRO 45-SPLO ___NDS-Lite lower screen/lower backlight (P4)________________________________ 1-VDD-5 6-MOD 11-LD1xx 16-LD1xx 21-LD1xx 26-LD1xx 31-LS 36-GND 2-VDD10 7-GSP 12-LD1xx 17-LD1xx 22-LD1xx 27-LD1xx 32-VSHD 37-COM1 3-VDD5 8-GCK 13-LD1xx 18-GND 23-LD1xx 28-GND 33-GND 38-LEDA1 4-GND 9-LD1xx 14-LD1xx 19-LD1xx 24-LD1xx 29-DCLK 34-xx1? 39-LEDC1 5-VSHD 10-LD1xx 15-LD1xx 20-LD1xx 25-LD1xx 30-SPL 35-REV ___NDS-Lite touchscreen socket (P6)______ ___NDS-Lite white coax (P12)_____ 1:X- 2:Y- 3:X+ 4:Y+ Center:MICIN Shield:GND |
| Pinouts - Power Switches, DC/DC Converters, Reset Generators |
1 via resistor to GND (OFF) 2 VS (BT+) (ON) C VCC (to board) |
C1 VDD35 (to S2 when PRESSED, to S1 when RELEASED) S1 VDD3 (to C2 when PRESSED, to C1 when RELEASED) C2 IN35 (to S1 when PRESSED) S2 VDD5 (to C1 when PRESSED) |
1-VIN 2-VOUT5 3-CSS5 4-VDRV5 5-GND 6-VDRV3 7-CSS3 8-VOUT3 9-VCNT5 10-CSCP 11-REGEXT 12-VDD3 13-VDD2 14-/RESET 15-LOWBAT 16-VDD13 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 ? ? REVC U3-COM V0 V1 ? ? ? GND ? V2 ? V3 V4 VDD5 U3-VDD ? |
1-VCC 2-SCP1 3-SCP2 4-VDRV3 5-VOUT3/VDD3 6-VDD2 7-VOUT1/VDD1 8-VDRV1 9-LOWBAT 10-VCNT5 11-LS5 12-? 13-GND 14-? 15-VOUT5/VDD5 16-VDRV5 |
1-TIN 2-U5C3 3-ADJ 4-U5VDD 5-VIN 6-? 7-U57 8-? 9-to-C29 10-to-C30 11-? 12-GND 13-VS 14-S- 15-S+ 16-U5OUT |
1 via C43 to GND 2 via R24 to C34 to R25 back to U2.2 3 via C35 to GND 4 via C36 to GND 5 6 audio.in ? (see BP) 7 via C48 to GND 8 via R21 to C46 to C47 to C38 to R23 to phones 9 VL (to U4) 10 via R27 to C33 to C44 to C49 to R22 to phones 11 via C45 to GND 12 audio.in ? (see BP) 13 via C41 to GND 14 phones (switch) 15 phones (tip via R22) 16 phones (mid via R23) 17 VCS 18 SP 19 GND 20 LB 21 via C52 to GND 22 via C53 to GND 23 RS (looks like RESET output) 24 to R37/C56 (looks like RESET input) 25 26 27 via C54 to V3 28 V3 29 GND 30 V3 31 VC 32 to C58 33 to R41/C58 34 GND 35 36 VC 37 VC 38 39 V5 40 GND 41 GND 42 43 44 45 B+ 46 S- 47 S+ 48 |
1- 5-GND 9- 13-XD 17- 21- 25- 29- 2- 6-GND 10- 14-to U4.7 18-XR 22-CN 26- 30- 3- 7- 11-XC 15- 19-V+ 23-CNS 27- 31-BP 4-LN 8- 12-GND 16- 20-V- 24- 28-V3 32- |
1 R50-EXTB+ 17 33 LEDC1 49 VCNT5 2 R39-ORANGE 18 34 GND 50 3 GND 19 VQ5 35 LEDC2 51 RST 4 20 36 52 5 Rxx-Q4 21 37 U10-LEDA2 53 6 INS+ 22 GND 38 54 7 INS- 23 VQ5 39 MIC.C53-AIN 55 VQ5 8 24 40 MIC.TSC.AUX 56 R24-SR 9 VDET 25 VDD3.3 41 GND 57 10 PVDD 26 GND 42 R38-RED 58 R22-SL 11 27 CL60-VDD3.3 43 R37-GREEN 59 GND 12 PWSW 28 VSHD 44 VDD3.3 60 VR3.PIN2 13 29 45 PWM.SPI.CLK 61 14 GND 30 VDD5 46 PWM.SPI.D 62 15 GND 31 U9-LEDA1 47 PWM.SPI.Q 63 16 VQ5 32 48 PWM.SPI.SEL 64 GND |
1 SW 17 33 LEDC1 49 VCNT5 2 R50-EXTB+ 18 34 GND 50 3 R39-ORANGE 19 VQ5 35 LEDC2 51 RST 4 GND 20 36 52 5 21 37 U10-LEDA2 53 6 R30-Q4 22 GND 38 54 7 INS+ 23 VQ5 39 MIC.C53-AIN 55 CL63-VQ5 8 INS- 24 40 MIC.TSC.AUX 56 R24-SR 9 VDET 25 VDD3.3 41 GND 57 SPRO 10 PVDD 26 GND 42 R38-RED 58 SPLO 11 27 CL60-VDD3.3 43 R37-GREEN 59 R22-SL 12 PWSW 28 VSHD 44 VDD3.3 60 GND 13 GND 29 45 PWM.SPI.CLK 61 R79-VR3.PIN2 14 GND 30 VDD5 46 PWM.SPI.D 62 15 GND 31 U9-LEDA1 47 PWM.SPI.Q 63 16 VQ5 32 48 PWM.SPI.SEL 64 |
1 PWSW (grounded when switch is pulled) 2 GND 3 GND 4 NC? (grounded when switch is not pulled) |
| Pinouts - Wifi |
1 N/A 6 FMW.CLK 11 ENABLE 16 RX.DTA? 21 BB./CS 26 22MHz 31 GND 2 GND 7 FMW./SEL 12 GND 17 TX.MAIN 22 RF./CS 27 GND 32 GND 3 high? 8 FMW.DTA.Q 13 GND 18 GND 23 BB.RF.CLK 28 VDD3.3 33 GND 4 RXTX.ON 9 FMW.DTA.D 14 TX.ON 19 TX.CLK 24 BB.RF.RD 29 VDD1.8 5 FMW./WP 10 FMW./RES 15 RX.ON 20 TX.DTA 25 BB.RF.WR 30 GND |
1 GND 6 GND 11 BB.RF.WR 16 VDD3.3 21 hi? 26 FMW.Q 2 lo? 7 hi? 12 BB.RF.CLK 17 GND 22 FMW./RES 27 FMW./WP 3 hi? 8 hi? 13 GND 18 RF./CS 23 GND 28 FMW./CS 4 hi? 9 GND 14 hi? 19 hi? 24 FMW.CLK 29 hi? 5 hi? 10 hi? 15 GND 20 BB./CS 25 FMW.D 30 GND |
1 5 9 13 17 21 RF.CLK 25 29 2 6 10 14 GND 18 22 26 30 3 7 11 15 19 RF.RD 23 27 31 4 8 12 16 20 RF./CS 24 28 32 |
1 GND 7 13 GND 19 25 31 37 TX.MAIN 43 2 8 14 20 26 32 BB./CS 38 RX.DTA? 44 3 9 15 BB.CLK 21 27 33 TX.DTA 39 RX.ON 45 GND 4 10 16 BB.WR 22 28 RST 34 RXTX.ON 40 TX.ON 46 5 11 17 BB.RD 23 29 35 TX.CLK 41 47 6 12 18 22MHz 24 30 36 42 48 |
1- 8-GND 15- 22-GND 29- 36- 43- 50- 2-GND 9- 16- 23- 30- 37- 44- 51- 3- 10-GND 17- 24- 31- 38- 45- 52- 4- 11-GND 18- 25- 32- 39-GND 46- 53- 5- 12-GND 19- 26- 33- 40- 47- 54- 6- 13- 20- 27- 34- 41- 48- 55- 7- 14- 21- 28- 35- 42- 49-GND 56- |
RX.DTA? __________________________________________________________ RXTX.ON __-----------------------_________________________________ RX.ON __---_______-------------_________________________________ TX.ON _____-------______________________________________________ TX.MAIN ________----______________________________________________ TX.CLK _____#__####______________________________________________ TX.DTA _____#__####______________________________________________ |
RX.DTA? __________________________________________________________ RXTX.ON -----------------------------------------------______----- RX.ON -----------------------------------------------_________-- TX.ON __________________________________________________________ TX.MAIN __________________________________________________________ TX.CLK __________________________________________________________ TX.DTA _______________________________________________---________ |
| Pinouts - Various |
1 A15 7 A9 13 IC 19 A6 25 A0 31 D2 37 VCC 43 D15 2 A14 8 A8 14 /UB 20 A5 26 /CE1 32 D10 38 D5 44 D8 3 A13 9 NC 15 /LB 21 A4 27 GND 33 D3 39 D13 45 D16 4 A12 10 NC 16 NC 22 A3 28 /OE 34 D11 40 D6 46 GND 5 A11 11 /WE 17 NC 23 A2 29 D1 35 D4 41 D14 47 NC 6 A10 12 CE2 18 A7 24 A1 30 D9 36 D12 42 D7 48 A16 |
______ _____
GND--|1 U8 6|-- U85 | |--VDD5
U82--|2 5|-- U85 U61-| Q12 | U83 ------> to display
U83--|3____4|-- U82 |_____|--Q12B Q12B <------ from button
U61--|1 U6 8|--VDD5 (X)---R51--VDD5 (X)---C70--GND
U62--|2 7|--VDD5 U62---R49--VDD5 U61---R40--GND
U62--|3 6|--(X) Q12B--R39--VDD5 U82---R38--GND
GND--|4____5|--NC? Q12B--C69--VDD5 U85---R50--U62
|
| AUX Xboo PC-to-GBA Multiboot Cable |
GBA Name Color SUBD CNTR Name 2 SO Red ------------- 10 10 /ACK 3 SI Orange ------------- 14 14 /AUTOLF 5 SC Green ------------- 1 1 /STROBE 6 GND Blue ------------- 19 19 GND |
4 SD Brown ------------- 17 36 /SELECT (double speed burst) 3 SI Orange ----[===]---- 2..9 2..9 D0..7 (pull-up, 560 Ohm) 5 SC Green ----[===]---- 2..9 2..9 D0..7 (pull-up, 560 Ohm) 4 SD Brown ----[===]---- 2..9 2..9 D0..7 (pull-up, 560 Ohm) START (mainboard) -----|>|----- 16 31 /INIT (auto-reset, 1N4148) SELECT (mainboard) -----|>|----- 16 31 /INIT (auto-reset, 1N4148) RESET (mainboard) -----||------ 16 31 /INIT (auto-reset, 300nF) |
Boot Mode_____Delay 0_______Delay 1_______Delay 2_____ Double Burst 0.1s - 1.8s 0.1s - 3.7s 0.1s - 5.3s Single Burst 0.1s - 3.6s 0.1s - 7.1s 0.1s - 10.6s Normal Bios 4.0s - 9.0s 4.0s - 12.7s 4.0s - 16.3s |
1) Connect it to the GBA link port. Advantage: No need to
open/modify the GBA. Disadvantage: You need a special plug,
(typically gained by removing it from a gameboy link cable).
2) Solder the cable directly to the GBA link port pins. Advantages:
No plug required & no need to open the GBA. Disadvantages:
You can't remove the cable, and the link port becomes unusable.
3) Solder the cable directly to the GBA mainboard. Advantage: No
plug required at the GBA side. Disadvantage: You'll always
have a cable leaping out of the GBA even when not using it,
unless you put a small standard plug between GBA and cable.
4) Install a Centronics socket in the GBA (between power switch
and headphone socket). Advantage: You can use a standard
printer cable. Disadvantages: You need to cut a big hole into
the GBAs battery box (which cannot be used anymore), the big
cable might be a bit uncomfortable when holding the GBA.
|
| AUX Xboo Flashcard Upload |
| AUX Xboo Burst Boot Backdoor |
Send (PC) Reply (GBA) "BRST" "BOOT" ;request burst, and reply <prepared> for boot <wait 1/16s> <process IRQ> ;long delay, allow slave to enter IRQ handler llllllll "OKAY" ;send length in bytes, reply <ready> to boot dddddddd -------- ;send data in 32bit units, reply don't care cccccccc cccccccc ;exchange crc (all data units added together) |
.arm ;select 32bit ARM instruction set .gba ;indicate that it's a gameboy advance program .fix ;automatically fix the cartridge header checksum org 2000000h ;origin in RAM for multiboot-cable/no$gba-cutdown programs ;------------------ ;cartridge header/multiboot header b rom_start ;-rom entry point dcb ...insert logo here... ;-nintento logo (156 bytes) dcb 'XBOO SAMPLE ' ;-title (12 bytes) dcb 0,0,0,0, 0,0 ;-game code (4 bytes), maker code (2 bytes) dcb 96h,0,0 ;-fixed value 96h, main unit code, device type dcb 0,0,0,0,0,0,0 ;-reserved (7 bytes) dcb 0 ;-software version number dcb 0 ;-header checksum (set by .fix) dcb 0,0 ;-reserved (2 bytes) b ram_start ;-multiboot ram entry point dcb 0,0 ;-multiboot reserved bytes (destroyed by BIOS) dcb 0,0 ;-blank padded (32bit alignment) ;------------------ irq_handler: ;interrupt handler (note: r0-r3 are pushed by BIOS) mov r1,4000000h ;\get I/O base address, ldr r0,[r1,200h] ;IE/IF ; read IE and IF, and r0,r0,r0,lsr 16 ; isolate occurred AND enabled irqs, add r3,r1,200h ;IF ; and acknowledge these in IF strh r0,[r3,2] ;/ ldrh r3,[r1,-8] ;\mix up with BIOS irq flags at 3007FF8h, orr r3,r3,r0 ; aka mirrored at 3FFFFF8h, this is required strh r3,[r1,-8] ;/when using the (VBlank-)IntrWait functions and r3,r0,80h ;IE/IF.7 SIO ;\ cmp r3,80h ; check if it's a burst boot interrupt ldreq r2,[r1,120h] ;SIODATA32 ; (if interrupt caused by serial transfer, ldreq r3,[msg_brst] ; and if received data is "BRST", cmpeq r2,r3 ; then jump to burst boot) beq burst_boot ;/ ;... insert your own interrupt handler code here ... bx lr ;-return to the BIOS interrupt handler ;------------------ burst_boot: ;requires incoming r1=4000000h ;... if your program uses DMA, disable any active DMA transfers here ... ldr r4,[msg_okay] ;\ bl sio_transfer ; receive transfer length/bytes & reply "OKAY" mov r2,r0 ;len ;/ mov r3,3000000h ;dst ;\ mov r4,0 ;crc ; @@lop: ; bl sio_transfer ; download burst loader to 3000000h and up stmia [r3]!,r0 ;dst ; add r4,r4,r0 ;crc ; subs r2,r2,4 ;len ; bhi @@lop ;/ bl sio_transfer ;-send crc value to master b 3000000h ;ARM state! ;-launch actual transfer / start the loader ;------------------ sio_transfer: ;serial transfer subroutine, 32bit normal mode, external clock str r4,[r1,120h] ;siodata32 ;-set reply/send data ldr r0,[r1,128h] ;siocnt ;\ orr r0,r0,80h ; activate slave transfer str r0,[r1,128h] ;siocnt ;/ @@wait: ;\ ldr r0,[r1,128h] ;siocnt ; wait until transfer completed tst r0,80h ; bne @@wait ;/ ldr r0,[r1,120h] ;siodata32 ;-get received data bx lr ;--- msg_boot dcb 'BOOT' ;\ msg_okay dcb "OKAY" ; ID codes for the burstboot protocol msg_brst dcb "BRST" ;/ ;------------------ download_rom_to_ram: mov r0,8000000h ;src/rom ;\ mov r1,2000000h ;dst/ram ; mov r2,40000h/16 ;length ; transfer the ROM content @@lop: ; into RAM (done in units of 4 words/16 bytes) ldmia [r0]!,r4,r5,r6,r7 ; currently fills whole 256K of RAM, stmia [r1]!,r4,r5,r6,r7 ; even though the proggy is smaller subs r2,r2,1 ; bne @@lop ;/ sub r15,lr,8000000h-2000000h ;-return (retadr rom/8000XXXh -> ram/2000XXXh) ;------------------ init_interrupts: mov r4,4000000h ;-base address for below I/O registers ldr r0,=irq_handler ;\install IRQ handler address str r0,[r4,-4] ;IRQ HANDLER ;/at 3FFFFFC aka 3007FFC mov r0,0008h ;\enable generating vblank irqs strh r0,[r4,4h] ;DISPSTAT ;/ mrs r0,cpsr ;\ bic r0,r0,80h ; cpu interrupt enable (clear i-flag) msr cpsr,r0 ;/ mov r0,0 ;\ str r0,[r4,134h] ;RCNT ; init SIO normal mode, external clock, ldr r0,=5080h ; 32bit, IRQ enable, transfer started str r0,[r4,128h] ;SIOCNT ; output "BOOT" (indicate burst boot prepared) ldr r0,[msg_boot] ; str r0,[r4,120h] ;SIODATA32 ;/ mov r0,1 ;\interrupt master enable str r0,[r4,208h] ;IME=1 ;/ mov r0,81h ;\enable execution of vblank IRQs, str r0,[r4,200h] ;IE=81h ;/and of SIO IRQs (burst boot) bx lr ;------------------ rom_start: ;entry point when booted from flashcart/rom bl download_rom_to_ram ;-download ROM to RAM (returns to ram_start) ram_start: ;entry point for multiboot/burstboot mov r0,0feh ;\reset all registers, and clear all memory swi 10000h ;RegisterRamReset ;/(except program code in wram at 2000000h) bl init_interrupts ;-install burst boot irq handler mov r4,4000000h ;\enable video, strh r4,[r4,000h] ;DISPCNT ;/by clearing the forced blank bit @@mainloop: swi 50000h ;VBlankIntrWait ;-wait one frame (cpu in low power mode) mov r5,5000000h ;\increment the backdrop palette color str r8,[r5] ; (ie. display a blinking screen) add r8,r8,1 ;/ b @@mainloop ;------------------ .pool end |
| About this Document |
| Index |