The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "S5L8720 (Hardware)"
ChronicDev (talk | contribs) (Removing information I am not 100% about, will add back after later verification /rce) |
ChronicDev (talk | contribs) (Removing information I am not 100% about, will add back after later verification /rce) |
||
Line 264: | Line 264: | ||
<td width=50%><center><b>Register</b></center></td> |
<td width=50%><center><b>Register</b></center></td> |
||
<td width=50%><center><b>Description</b></center></td> |
<td width=50%><center><b>Description</b></center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x0</center></td> |
||
− | <td width=50%><center>Line Control</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x4</center></td> |
||
− | <td width=50%><center>Control</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x8</center></td> |
||
− | <td width=50%><center>FIFO Control</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0xC</center></td> |
||
− | <td width=50%><center>Modem Control (uart0 and uart1 only)</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x10</center></td> |
||
− | <td width=50%><center>Tx / Rx Status<br><br> |
||
− | <b>Bit 0</b>: If 1, Rx buffer has data, if 0, Rx buffer is empty<br> |
||
− | <b>Bit 1</b>: If 1, Rx buffer is empty, if 0, it is not empty<br></center></td> |
||
− | <tr> |
||
− | <td width=50%><center>0x14</center></td> |
||
− | <td width=50%><center>Rx Error<br><br> |
||
− | <b>Bit 0</b>: If 1, overrun error<br> |
||
− | <b>Bit 1</b>: If 1, parity error<br> |
||
− | <b>Bit 2</b>: If 1, frame error<br> |
||
− | <b>Bit 3</b>: If 1, break signal<br></center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x18</center></td> |
||
− | <td width=50%><center>FIFO Status</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x1C</center></td> |
||
− | <td width=50%><center>Modem Status (uart0 and uart1 only)</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x20</center></td> |
||
− | <td width=50%><center>Tx Buffer (write-only)</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x24</center></td> |
||
− | <td width=50%><center>Rx Buffer (read-only)</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x28</center></td> |
||
− | <td width=50%><center>Baud Rate Divisor</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x2C</center></td> |
||
− | <td width=50%><center>???</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x30</center></td> |
||
− | <td width=50%><center>Interrupt Pending</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x34</center></td> |
||
− | <td width=50%><center>Interrupt Source Pending</center></td> |
||
− | </tr> |
||
− | <tr> |
||
− | <td width=50%><center>0x38</center></td> |
||
− | <td width=50%><center>Interrupt Mask</center></td> |
||
</tr> |
</tr> |
||
</table> |
</table> |
Revision as of 02:36, 23 February 2009
This should help people reversing iBoot and friends. It is a work in progress.
Contents
DMA (PL080)
This appears to use an ARM PrimeCell PL080. You can read the technical reference manual here.
Base (dmac1): 0x39900000 |
|
VIC (PL192)
This appears to use an ARM PrimeCell PL192. You can read the technical reference manual here.
Register Table
Base (vic1): 0x38E01000 |
|
Register 0xFF0: Should read as 0x0D |
Peripheral Identification Registers
The four registers 0xfe0, 0xfe4, 0xfe8, and 0xfec, are four "8-bit registers that can be conceptually treated as one 32-bit register" according to the technical reference manual. Here are some explanations about these registers if you don't feel like digging through the reference manual. If you do, read pages 64 through 66.
Values for the S5L8720
0x38e00fe0: 00000092 0x38e00fe4: 00000011 0x38e00fe8: 00000004 0x38e00fec: 00000000
Part Number
Bits 7 through 0 of register 0xfe0 is one portion of the part number (0x92), then bits 3 through 0 of register 0xfe4 is the other portion of it (0x1). If you do some annoying shifting, to put it together, you get 0x192 (0x92|0x11<<8&0xFFF==0x192). 0x192 indicates that it is an ARM PrimeCell PL192.
Designer
Bits 7 through 4 of register 0xfe4 is one portion of the designer tag (0x1), then bits 3 through 0 of register 0xfe8 is the other portion of it (0x4). Like above, we can do (0x11 | 0x4<<4) and we get 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited.
Revision Number
Unlike the above two, this one is pretty easy. Bits 7 through 4 of register 0xfe8 is the revision number, which is "0" at least for the iPod touch 2G.
Configuration
The reference manual simply states that bits 7 through 2 should read back as 0, and nothing more about them. It also states that bits 1 through 0 indicate the number of interrupts supported, which appear to be 32 for the iPod touch 2G (0b00=32 Supported, 0b01=64 Supported, 0b10=128 Supported, 0b11=256 Supported).
CHIPID
All information here was gathered by reversing iBoot and friends.
Chip ID: Bits 31 through 16 (0x8720, meaning it is an S5L8720) |
WDT (Watchdog Timer)
NOTE: It seems that you can disable Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000 |
|
ARM7 (Second CPU)
All information here was gathered by looking at the code for the ARM7 Go command, as well as noticing the 0x38000000==0xb8000000 alias that the S5L8720 seems to have.
To halt the ARM7: Write 0x0 then 0x10 to this register |
|
To run code, halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7 |
|
I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110 |
UART
Base (uart1): 0x3DB00000 Base (uart2): 0x3DC00000 Base (uart3): 0x3DD00000 |
|