Difference between revisions of "Starlet memory map"

From WiiBrew
Jump to navigation Jump to search
(OTP address range from svpe on irc discussion)
Line 170: Line 170:
 
|| || || 0x40 || ppc boot buffer
 
|| || || 0x40 || ppc boot buffer
 
|}
 
|}
 +
[[Category:Wii_Hardware]]

Revision as of 03:18, 2 August 2008

This page lists the known Starlet I/O registers. Much of this info comes from Segher & tmbinc's private notes.

Memory map

I/O is at x'0d80_0000 (Starlet private) and x'0d00_0000 (shared with the Broadway). That is to say, the contents of 0x0d8x are selectively mirrored to 0x0d0x. This may change depending on some of the registers (e.g. when MIOS is active).

There is internal SRAM at x'fffe_0000, 128kB of it; this stores the kernel code and data, minus the crypto code.

The GDDR3 is at x'1000_0000, 64MB of it; the upper 12MB are exclusive for use by the Starlet, the rest is shared with the Broadway.

0x0D0xxxxx may be an AMBA AHB bus.

IO Memory

base function offset description contents/example
x'0d01_0000 NAND
0000 W command 9F000000 (CMD 00: start read sector)
8030B840 (CMD 30: data (starts DMA 0x840 bytes))
80FF8000 (CMD FF: reset)
00008000 means: wait for R/#B to go down
1F000000 is the mask of the address bytes to send. (10 = AA, 08 = BB, .., 01 = FF in 08,0c)
0000 R status MSB means busy
0004 W config
0008 W address #0 0000AABB
000C W address #1 CCDDEEFF
0010 W data addr target address for DMA (0x800 main bytes)
0014 W ecc addr target address for DMA (0x40 spare bytes)
x'0d02_0000 AES
0000 W command 1000 for "do not reload IV"??
0000 R status MSB means busy
0004 W data addr either source or dst DMA
0008 W data addr "
000C W key fifo write 4 words to set key
0010 W IV fifo write 4 words to set IV
x'0d03_0000 SHA-1
x'0d05_0000 OHC !#0
x'0d06_0000 OHC !#1
x'0d07_0000 SDHC !#0
x'0d07_0100 SDHC !#1
x'0d80_0000 hollywood control 0x400 bytes of control registers; these registers are mirrored every 0x400 bytes from 0x0d80000 to 0x0d805fff
x'0d80_0000 IPC reg 0: request pointer To make an IOS request, the physical address of an IOS command struct is written here by the Broadway. Then, Broadway sets bit 0 of IPC reg 1 to indicate a request is ready.
x'0d80_0004 IPC reg 1: semaphore flags Broadway sets bits here as "doorbells" to indicate status; Starlet responds by setting flags here.
x'0d80_0008 IPC reg 2: Reply pointer When an IOS request has completed, IOS will modify the original command struct passed in IPC reg 0, copy that pointer to reg 2, then set reg 1 to 0x14 to indicate a reply is ready.
x'0d80_0010 timer (core clock divided by 128)
x'0d80_0014 alarm (interrupt 0 is fired when the timer reaches this value)
x'0d80_0030 something related to interrupts; typical value is 0x854da94f. Pressing the RESET button will set the 0x20000 bit.
x'0d80_0034 ???
x'0d80_0038 active interrupts (write 1 to clear). Pressing the RESET button will set the 0x20000 bit (interrupt 18). Pressing the POWER button will set the 0x800 bit (interrupt 11).
x'0d80_003C enabled interrupts clear 0x40000 for legacy di
x'0d80_0060 ???
x'0d80_0070 ??? set 0x10 for legacy DI; 0x1 to allow write to exi boot buffer
x'0d80_00C0 GPIO probably data: 0x200 for eject; 0x100 sensor bar enable; 0x20 for tray led
x'0d80_00C4 GPIO probably direction
x'0d80_00DC ???
x'0d80_00E0 GPIO 0x08 -- set to enable DC/DC converter,
x'0d80_00E1 GPIO
x'0d80_00E2 GPIO debug / "POST" port -- connected to 8 testpads. boot0 / 1 / 2 output simple codes to indicate boot status.
x'0d80_00E3 GPIO
x'0d80_00E4 GPIO probably direction
x'0d80_00EC ???
x'0d80_00F0 ? typical value is 0x0070fff6; pressing the POWER button will set the 0x1 bit
x'0d80_00F4 ???
x'0d80_00FC ???
x'0d80_0100 ???
x'0d80_010C ???
x'0d80_0110 ???
x'0d80_0114 ???
x'0d80_0118 ???
x'0d80_011C ???
x'0d80_0120 ???
x'0d80_0130 ???
x'0d80_0134 ???
x'0d80_0138 ???
x'0d80_0180 ??? set 0x40 for legacy DI; 0x100000 set after loadEXI (boot code)
x'0d80_0188 ???
x'0d80_018C ???
x'0d80_0190 ??? involved in DSKPLL init
x'0d80_0194 ??? 0x400 is DI reset (low active) / involved in DSKPLL init
x'0d80_0198 ??? set to 0x00FFFFFF as part of "interface / subsytem powerup"
x'0d80_01B0 ??? ACRPLLSYS
x'0d80_01B0 ??? ACRPLLSYSEXT
x'0d80_01B8 ??? involved in DSKPLL init
x'0d80_01BC ???
x'0d80_01C0 ???
x'0d80_01DC ??? set to 0x00FFFFFF as part of "interface / subsytem powerup"
x'0d80_01EC OTP OTP read address (addresses run from 0x80000000..0x8000001f)
x'0d80_01F0 OTP OTP data
x'0d80_0214 ???
x'0d80_0224 - 03ff unused
x'0d80_6000 DI looks almost identical to the Gamecube DI interface
x'0d80_6800 EXI
0x40 ppc boot buffer