The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8720 (Hardware)"
ChronicDev (talk | contribs) (→=Revision Number) |
ChronicDev (talk | contribs) (→VIC - Register Table) |
||
Line 159: | Line 159: | ||
<tr> |
<tr> |
||
<td width=50%><center>0xFE0 through 0xFEC</center></td> |
<td width=50%><center>0xFE0 through 0xFEC</center></td> |
||
− | <td width=50%><center>Peripheral Identification Registers</center></td> |
+ | <td width=50%><center>[http://www.theiphonewiki.com/wiki/index.php?title=S5L8720_%28Hardware%29#Peripheral_Identification_Registers Peripheral Identification Registers]</center></td> |
+ | </tr> |
||
+ | <tr> |
||
+ | <td width=50%><center>0xFF0 through 0xFFC</center></td> |
||
+ | <td width=50%><center>PrimeCell Identification Registers<br><br> |
||
+ | <b>Register 0xFF0</b>: Should read as 0x0D<br> |
||
+ | <b>Register 0xFF4</b>: Should read as 0xF0<br> |
||
+ | <b>Register 0xFF8</b>: Should read as 0x05<br> |
||
+ | <b>Register 0xFFC</b>: Should read as 0xB1</center></td> |
||
</tr> |
</tr> |
||
</table> |
</table> |
Revision as of 19:38, 16 February 2009
This should help people reversing iBoot and friends. It is a work in progress.
Contents
DMA (Direct Memory Access)
Base (dmac1): 0x39900000 |
|
VIC (Vectored Interrupt Controller) [PL192]
It appears to use an ARM PrimeCell PL192. You can read the technical reference manual here.
Peripheral Identification Registers
The four registers 0xfe0, 0xfe4, 0xfe8, and 0xfec, are four "8-bit registers that can be conceptually treated as one 32-bit register" according to the technical reference manual. Here are some explanations about these registers if you don't feel like digging through the reference manual. If you do, read pages 64 through 66.
Values for the S5L8720
0x38e00fe0: 00000092 0x38e00fe4: 00000011 0x38e00fe8: 00000004 0x38e00fec: 00000000
Part Number
Bits 7 through 0 of register 0xfe0 is one portion of the part number (0x92), then bits 3 through 0 of register 0xfe4 is the other portion of it (0x1). If you do some annoying shifting, to put it together, you get 0x192 (0x92|0x11<<8&0xFFF==0x192). 0x192 indicates that it is an ARM PrimeCell PL192.
Designer
Bits 7 through 4 of register 0xfe4 is one portion of the designer tag (0x1), then bits 3 through 0 of register 0xfe8 is the other portion of it (0x4). Like above, we can do (0x11 | 0x4<<4) and we get 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited.
Revision Number
Unlike the above two, this one is pretty easy. Bits 7 through 4 of register 0xfe8 is the revision number, which is "0" at least for the iPod touch 2G.
Configuration
The reference manual simply states that bits 7 through 2 should read back as 0, and nothing more about them. It also states that bits 1 through 0 indicate the number of interrupts supported, which appear to be 32 for the iPod touch 2G (0b00=32 Supported, 0b01=64 Supported, 0b10=128 Supported, 0b11=256 Supported).
Register Table
Base (vic1): 0x38E01000 |
|
Register 0xFF0: Should read as 0x0D |
WDT (Watchdog Timer)
NOTE: It seems that you can disable Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000 |
|
USB
OTG-PHYCTRL
OTG
ARM7 (Second CPU)
To halt the ARM7: Write 0x0 then 0x10 to this register |
|
To run code, halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7 |
|
I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110 |
UART
Base (uart1): 0x3DB00000 Base (uart2): 0x3DC00000 Base (uart3): 0x3DD00000 |
|
Bit 0: If 1, Rx buffer has data, if 0, Rx buffer is empty |
|
Bit 0: If 1, overrun error |
|