Memory map
Jump to navigation
Jump to search
The GameCube has one 24MB bank of 1T SRAM that is used for all code and data, spread across two external chips; there is also a chip containing 16MB of ARAM, which could be used for storing data (though it was not directly mapped into memory, instead only being accessible via DSP).
The Wii moves all 24MB of 1T-SRAM (referred to as MEM1) inside the Hollywood package, and adds an additional 64MB of GDDR3 RAM (MEM2). During normal operation, IOS reserves the upper 12-16MB of MEM2 for its own use; the rest can freely be used for code or data by running PPC code. MEM1 is slightly faster than MEM2. The Wii does not have the ARAM chip; instead, DSP can access MEM1 or MEM2. When using MIOS, the bottom 16 MB of MEM2 is used to emulate ARAM; the Tweezer Attack allowed accessing the rest of MEM2.
The IOS Heap range is usually 0x933E0000 – 0x93400000, as shown in registers 0x80003130(Start), 0x80003134(End). Pointers in this area are often passed back and forth between IOS and code running on Broadway. The top of MEM2 memory is allocated to IOS, and protected from access by some Hollywood Registers.
| Start Address | End Address | Physical Address | Physical End Address | Size | Description |
|---|---|---|---|---|---|
| 0x80000000 | 0x817FFFFF | 0x00000000 | 0x017FFFFF | 24 MB | MEM1 Memory (Cached) |
| 0xC0000000 | 0xC17FFFFF | 0x00000000 | 0x017FFFFF | 24 MB | MEM1 Memory (Uncached) |
| 0x90000000 | 0x93FFFFFF | 0x10000000 | 0x13FFFFFF | 64 MB | MEM2 Memory (Cached) |
| 0xD0000000 | 0xD3FFFFFF | 0x10000000 | 0x13FFFFFF | 64 MB | MEM2 Memory (Uncached) |
| 0xCD000000 | 0xCD008000 | 0x0D000000 | 0x0D008000 | 32 KB | Hollywood Registers (shared with Starlet) |
| Not Mapped | Not Mapped | 0x0C000000[check] | 0x0C008003[check] | 32 KB | Broadway hardware registers |
| Not Mapped | Not Mapped | 0xFFF00100 | 0xFFF0013F | 64 bytes | EXI boot code mirror |
Broadway / IOS Global Memory Locations
| Address | Size | (Typical) Value | Description |
|---|---|---|---|
| 0x80000000 | 4 | 0x52535045 | Game Code 'RSPE' (Wii Sports) |
| 0x80000004 | 2 | 0x3031 (01) | Maker code |
| 0x80000006 | 1 | 0 | Disc Number (multidisc games) |
| 0x80000007 | 1 | ? | Disc Version |
| 0x80000008 | 1 | ? | Disc Streaming flag |
| 0x80000009 | 1 | ? | Disc Streaming buffer size |
| 0x80000018 | 4 | 0x5D1C9EA3 | Disc layout magic (Wii) |
| 0x8000001C | 4 | 0xC2339F3D | Disc layout magic (GC) |
| 0x80000020 | 4 | 0x0D15EA5E | Nintendo Standard Boot Code. |
| 0x80000024 | 4 | 0x00000001 | Version (set by apploader) |
| 0x80000028 | 4 | 0x01800000 | Memory Size (Physical) 24MB |
| 0x8000002C | 4 | 0x00000023 | Production Board Model |
| 0x80000030 | 4 | 0x00000000 | Arena Low |
| 0x80000034 | 4 | 0x817FEC60 | Arena High |
| 0x80000038 | 4 | 0x817FEC60 | Start of FST (varies in all games) |
| 0x8000003C | 4 | 0x00001394 | Maximum FST Size (varies in all games) |
| 0x80000040 | 4 | ? | Beginning of the DB global struct |
| 0x80000044 | 4 | ? | DB marked exception mask |
| 0x80000048 | 4 | 0x81340000 | DB exception destination |
| 0x8000004C | 4 | ? | DB return address |
| 0x80000060 | 0x24 | OSDBIntegrator Debugger Hook | Hook to be jumped to by debugged exceptions, but is disabled in production software. If nothing is written to it, SDK titles will write the 0x20 bytes of instructions here. |
| 0x800000C0 | 4 | ? | Current OSContext instance (real mode) |
| 0x800000C4 | 4 | 0xffffff00 | User interrupt mask |
| 0x800000C8 | 4 | 0 | Revolution OS interrupt mask |
| 0x800000CC | 4 | 0 | Value indicating the current video mode. 0 = NTSC, 1 = PAL, 2 = MPAL |
| 0x800000D4 | 4 | ? | Current OSContext instance (translated mode) |
| 0x800000D8 | 4 | 0 | OSContext to save FPRs to (NULL if floating point mode hasn't been used since the last interrupt) |
| 0x800000DC | 4 | ? | Pointer to the earliest created OSThread |
| 0x800000E0 | 4 | ? | Pointer to the most recently created OSThread |
| 0x800000E4 | 4 | ? | Pointer to the current OSThread |
| 0x800000EC | 4 | 0x81800000 | Dev Debugger Monitor Address (If present) |
| 0x800000F0 | 4 | 0x01800000 | Simulated Memory Size |
| 0x800000F4 | 4 | 0x817FDF80 | Pointer to data read from partition's bi2.bin, set by apploader, or the emulated bi2.bin created by the NAND Boot Program |
| 0x800000F8 | 4 | 0x0E7BE2C0 | Console Bus Speed |
| 0x800000FC | 4 | 0x2B73A840 | Console CPU Speed |
| 0x80000100 | 0x1700 | Exception handlers (0x100 bytes reserved for each handler) | |
| 0x80001800 | 0x1800 | Unused exception handler area, the SDK does not use or clear it. It is often used by homebrew to store persistent code here like Gecko OS's code handler, Bluebomb or The Homebrew Channel's reload stub, which libogc jumps to upon homebrew exit. | |
| 0x80003000 | 0x3c | ? | Exception vector area |
| 0x80003040 | 4 | ? | __OSInterrupt table. |
| 0x800030C0 | 8 | ? | EXI Probe start times, for both channels 0 and 1. |
| 0x800030C8 | 4 | ? | Related to Nintendo's dynamic linking system (REL). Pointer to the first loaded REL file. |
| 0x800030CC | 4 | ? | Related to Nintendo's dynamic linking system (REL). Pointer to the last loaded REL file. |
| 0x800030D0 | 4 | 0 | Pointer to a REL module name table, or 0. Added to the name offset in each REL file. |
| 0x800030D8 | 8 | 0x005498F053407000 | System time, measured as time since January 1st 2000 in units of 1/40500000th of a second. |
| 0x800030E4 | 2 | ? | __OSPADButton. Apploader puts button state of GCN port 4 at game start here for Gamecube NR disc support |
| 0x800030E6 | 2 | ? | DVD Device Code Address |
| 0x800030E8 | 4 | ? | Debug-related info |
| 0x800030F0 | 4 | 0x00000000 | DOL Execute Parameters |
| 0x80003100 | 4 | ? | Physical MEM1 size |
| 0x80003104 | 4 | ? | Simulated MEM1 size |
| 0x8000310C | 4 | ? | MEM1 Arena Start (start of usable memory by the game) |
| 0x80003110 | 4 | ? | MEM1 Arena End (end of usable memory by the game) |
| 0x80003118 | 4 | 0x04000000 | Physical MEM2 size. (0x3118-0x314C are set by IOS upon reload.) |
| 0x8000311C | 4 | 0x04000000 | Simulated MEM2 size. |
| 0x80003120 | 4 | 0x93400000 | End of MEM2 addressable to PPC. |
| 0x80003124 | 4 | 0x90000800 | Usable MEM2 Start (start of usable memory by the game) |
| 0x80003128 | 4 | 0x933E0000 | Usable MEM2 End (end of usable memory by the game) |
| 0x80003130 | 4 | 0x933E0000 | IOS IPC Buffer Start |
| 0x80003134 | 4 | 0x93400000 | IOS IPC Buffer End |
| 0x80003138 | 4 | 0x00000011 | Hollywood Version |
| 0x80003140 | 4 | 0x00090204 | IOS version (090204 = IOS9, v2.4) |
| 0x80003144 | 4 | 0x00062507 | IOS Build Date (62507 = 06/25/07 = June 25, 2007) |
| 0x80003148 | 4 | 0x93600000 | IOS Reserved Heap Start |
| 0x8000314C | 4 | 0x93620000 | IOS Reserved Heap End |
| 0x80003158 | 4 | 0x0000FF16 | GDDR Vendor Code |
| 0x8000315C | 1 | 0x80 | During the boot process, u32 0x315c is first set to 0xdeadbeef by IOS in the boot_ppc syscall. The value is set to 0x80 by the NAND Boot Program to indicate that it was loaded by the boot program (and probably 0x81 by apploaders) |
| 0x8000315D | 1 | 0? | "Enable legacy DI" mode? 0x81 = false, anything else means true (though typically set to 0x80). Required to be set when loading Gamecube apploader. |
| 0x8000315E | 2 | 0x0113 | "Devkit boot program version", written to by the system menu. The value carries over to disc games. 0x0113 appears to mean v1.13. |
| 0x80003160 | 4 | 0x00000000 | Init semaphore (1-2 main() waits for this to clear) |
| 0x80003164 | 4 | 0x00000000 | GC (MIOS) mode flag, set to 1 by boot2 when MIOS triggers a shutdown; the System Menu reads this and turns off the console if it is set to 1 and state.dat is set appropriately. |
| 0x80003180 | 4 | 0x52535045 | Game ID 'RSPE' Wii Sports ID. If these 4 bytes don't match the ID at 80000000, WC24 mode in games is disabled. |
| 0x80003184 | 1 | 0x80 | Application type. 0x80 for disc games, 0x81 for channels. |
| 0x80003186 | 1 | 0x00 | Application type 2. Appears to be set to the when a game loads a channel (e.g. Mario Kart Wii loading the region select menu will result in this being 0x80 from the disc and the main application type being 0x81, or the Wii Fit channel transitioning to the Wii Fit disc will result in this being 0x81 and the main type being 0x80). |
| 0x80003188 | 4 | 0x00351011 | Minimum IOS version (2 bytes for the major version, 2 bytes for the title version) |
| 0x8000318C | 4 | 0x00000000 | Title Booted from NAND (Launch Code) |
| 0x80003190 | 4 | 0x00000000 | Title Booted from NAND (Return Code) |
| 0x80003194 | 4 | 0x00000000 | While reading a disc, the system menu reads the first partition table (0x20 bytes from 0x00040020) and stores a pointer to the data partition entry. When launching the disc game, it copies the partition type to 0x3194. The partition type for data partitions is 0, so typically this location always has 0. |
| 0x80003198 | 4 | data partition offset | While reading a disc, the system menu reads the first partition table (0x20 bytes from 0x00040020) and stores a pointer to the data partition entry. When launching the disc game, it copies the partition offset to 0x3198. |
| 0x8000319C | 1 | 0x80 | Set by the apploader to 0x80 for single-layer discs and 0x81 for dual-layer discs (determined by whether 0x7ed40000 is the value at offset 0x30 in the partition's bi2.bin; it seems that that value is 0 for single-layer discs). Early titles' apploaders do not set it at all, leaving the value as 0. This controls the out-of-bounds Error #001 read for titles that do make such a read: they try to read at 0x7ed40000 for dual-layer discs and 0x460a0000 for single-layer discs. |
| 0x80003400 | 0x400 | "BS1" boot code | |
| 0x80003F00 | 0x132c100 (~19.2MB) | Standard application executable area | |
| 0x81330000 | 0x4d0000 (~4.8MB) | Loader executable area, also used by a NAND Boot Program |
By convention, applications should use the 0x80003F00 – 0x81330000 area for executable code and data loaded as part of their ELF/DOL, while loaders should use from 0x81330000 onwards. Applications can use the loader area and MEM2 as data work space once they are running, but they should restrict the sections contained in the DOL or ELF to the executable area only, since MEM2 is reserved as work area for the loader at that time. To preserve "return to loader" functionality, applications should never use the 0x80001800-0x80003000 area.