S5L8720 (Hardware)

From The iPhone Wiki
Revision as of 20:14, 11 February 2009 by ChronicDev (talk | contribs)

This should help people reversing iBoot and friends. It is a work in progress.

VIC (Vectored Interrupt Controller)

Base (vic0): 0x38E00000
Base (vic1): 0x38E01000

Register            | Description
--------------------+------------------------------------------------------------
0x0                 | IRQ Status
0x4                 | FIQ Status
0x8                 | Raw Interrupt Status
0xC                 | Interrupt Select (0=IRQ, 1=FIQ)
0x10                | Interrupt Enable (0=Disabled, 1=Enabled)
0x14                | Interrupt Enable Clear (write-only; writing 0 has no effect, writing 1 disables the corresponding interrupt that was enabled through the previous register)
0x18                | Software Interrupt (0=Disabled, 1=Enabled)
0x1C                | Software Interrupt Clear (write-only; writing 0 has no effect, writing 1 clears the corresponding software interrupt that was set through the previous register)
0x20                | Register Protection Mode. If bit 0 is set to 1, Protection Mode is on and only privileged-mode writes will work.
0x24                | Software Interrupt Priority Mask (0=Masked, 1=Not Masked)
0x100               | Vector Addresses
0x200               | Vector Priority Levels
0xFE0 through 0xFEC | Not sure what these four registers are, because I can confirm that at least SecureROM, and probably iBoot and such too, will simply read them when initializing the vectored interrupt controller. It does nothing with the contents... I'll post a snippet from IDA on the discussion page, but if anyone knows what these do, put it here.
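The practical subtlety in the table above is that disabling an interrupt goes through the write-only Interrupt Enable Clear register (0x14), not through a read-modify-write of Interrupt Enable (0x10), and the same applies to Software Interrupt Clear (0x1C). The following C is an added example written for this page (not code from the wiki, SecureROM or iBoot): the register offsets are the ones in the table, but the `vic_sim` array standing in for the vic0 window, the `vic_sim_*` functions that model the controller's side effects, and the driver helper names are all constructed here so the logic can be exercised on a host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets from the VIC table on this page. */
#define VIC_IRQSTATUS     0x000u
#define VIC_FIQSTATUS     0x004u
#define VIC_RAWINTR       0x008u
#define VIC_INTSELECT     0x00Cu   /* 0 = IRQ, 1 = FIQ */
#define VIC_INTENABLE     0x010u   /* 0 = disabled, 1 = enabled */
#define VIC_INTENCLEAR    0x014u   /* write-only: 1 bits disable */
#define VIC_SOFTINT       0x018u
#define VIC_SOFTINTCLEAR  0x01Cu   /* write-only: 1 bits clear */
#define VIC_PROTECTION    0x020u

#define VIC0_BASE 0x38E00000u      /* from the page; never dereferenced here */

/* Host stand-in for the 4 KiB window at VIC0_BASE (constructed for this
 * example). On the device this would be a volatile uint32_t * to the window. */
#define VIC_WORDS (0x1000u / 4u)
static uint32_t vic_sim[VIC_WORDS];
static uint32_t vic_sim_lines;      /* asserted hardware lines (simulation only) */

/* Assumed model of the read-only status registers: raw = asserted lines OR
 * software interrupts; an enabled raw source appears in IRQ Status or FIQ
 * Status according to its Interrupt Select bit. */
static void vic_sim_update(void)
{
    uint32_t raw = vic_sim_lines | vic_sim[VIC_SOFTINT / 4];
    uint32_t en  = vic_sim[VIC_INTENABLE / 4];
    uint32_t sel = vic_sim[VIC_INTSELECT / 4];
    vic_sim[VIC_RAWINTR   / 4] = raw;
    vic_sim[VIC_IRQSTATUS / 4] = raw & en & ~sel;
    vic_sim[VIC_FIQSTATUS / 4] = raw & en & sel;
}

static uint32_t vic_read(uint32_t off)
{
    return vic_sim[off / 4];
}

/* Write with the side effects the table describes: the two *Clear registers
 * are write-only and act on the register immediately before them. */
static void vic_write(uint32_t off, uint32_t val)
{
    switch (off) {
    case VIC_INTENCLEAR:   vic_sim[VIC_INTENABLE / 4] &= ~val; break;
    case VIC_SOFTINTCLEAR: vic_sim[VIC_SOFTINT   / 4] &= ~val; break;
    case VIC_IRQSTATUS: case VIC_FIQSTATUS: case VIC_RAWINTR: break; /* read-only */
    default:               vic_sim[off / 4] = val;              break;
    }
    vic_sim_update();
}

/* Driver-style helpers (constructed names). */
void vic_enable(unsigned line)
{
    /* read-modify-write keeps the other lines' enable bits intact */
    vic_write(VIC_INTENABLE, vic_read(VIC_INTENABLE) | (1u << line));
}

void vic_disable(unsigned line)
{
    /* use the dedicated clear register; it is write-only, so never RMW it */
    vic_write(VIC_INTENCLEAR, 1u << line);
}

void vic_select_fiq(unsigned line, int fiq)
{
    uint32_t sel = vic_read(VIC_INTSELECT);
    sel = fiq ? (sel | (1u << line)) : (sel & ~(1u << line));
    vic_write(VIC_INTSELECT, sel);
}

uint32_t vic_pending_irq(void) { return vic_read(VIC_IRQSTATUS); }
uint32_t vic_pending_fiq(void) { return vic_read(VIC_FIQSTATUS); }

/* Simulation only: assert or release a hardware interrupt line. */
void vic_sim_set_line(unsigned line, int asserted)
{
    if (asserted) vic_sim_lines |= 1u << line; else vic_sim_lines &= ~(1u << line);
    vic_sim_update();
}

void vic_sim_reset(void)
{
    memset(vic_sim, 0, sizeof vic_sim);
    vic_sim_lines = 0;
}

int main(void)
{
    vic_sim_reset();
    vic_enable(5);
    vic_enable(7);
    vic_disable(5);                  /* through Interrupt Enable Clear */
    vic_sim_set_line(5, 1);
    vic_sim_set_line(7, 1);
    vic_select_fiq(7, 1);
    printf("enable=%08x irq=%08x fiq=%08x\n",
           vic_read(VIC_INTENABLE), vic_pending_irq(), vic_pending_fiq());
    return 0;
}
```

Running it shows line 5 dropping out of the enable mask after the clear-register write, line 7 moving from IRQ Status to FIQ Status once its select bit is set, and the raw register still reporting both lines. On real hardware the accessors would be `volatile` loads and stores to the mapped window, and the status model in `vic_sim_update` is the controller's job.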

WDT (Watchdog Timer)

Base: 0x3C800000

Register | Description
---------+------------------------------------------------------------
0x0      | Control Register
         |   NOTE: It seems that you can disable the Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000.
0x4      | Watchdog Timeout Duration
0xC      | Interrupt Clear

USB

OTG-PHYCTRL

Base: 0x3C400000

Register | Description
---------+------------------
0x0      | Power Control
0x4      | Clock Control
0x8      | Reset Control

OTG

Base: 0x38400000

Register      | Description
--------------+---------------------------------
0x0           | Control
0x4           | Interrupt
0x8           | AHB Config
0xC           | Core Config
0x10          | Core Reset
0x14          | Core Interrupt
0x18          | Core Interrupt Mask
0x1C and 0x20 | Rx Status Debug
0x24          | Rx FIFO Size
0x28          | Non-Periodic Transmit FIFO Size
TBC...        |

ARM7

Base: 0x38600000

Register | Description
---------+------------------------------------------------------------
0x100    | Running Status
         |   To halt the ARM7: write 0x0, then 0x10, to this register.
         |   To make it resume: write 0x1 to this register.
0x110    | Code Address
         |   To run code: halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7.
0x114    | "Code Waiting"
         |   I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110.
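The halt / set address / flag / resume sequence above is order-sensitive, so the thing worth checking in a reimplementation is the exact series of writes it emits. The C below is an added example written for this page, not code from the wiki or from iBoot: the offsets and the values 0x0, 0x10, 0x1 and 0x3FF0000 are the ones given above, while the write log, the function names and the word-alignment check on the load address (an assumption about ARM-state entry; the page states no alignment rule) are constructed here so the sequence can be verified off-target.

```c
#include <stdint.h>
#include <stdio.h>

/* Offsets from the ARM7 table on this page. */
#define ARM7_BASE               0x38600000u
#define ARM7_RUN_STATUS         0x100u
#define ARM7_CODE_ADDR          0x110u
#define ARM7_CODE_WAITING       0x114u
#define ARM7_CODE_WAITING_MAGIC 0x3FF0000u   /* value the page says goes into 0x114 */

/* Constructed for this example: instead of touching the device, every MMIO
 * write is appended to a log so the exact sequence can be inspected. */
struct mmio_write { uint32_t addr; uint32_t val; };
#define MAX_WRITES 16
static struct mmio_write write_log[MAX_WRITES];
static unsigned write_count;

static void arm7_write(uint32_t off, uint32_t val)
{
    /* On hardware this would be: *(volatile uint32_t *)(ARM7_BASE + off) = val; */
    if (write_count < MAX_WRITES)
        write_log[write_count++] = (struct mmio_write){ ARM7_BASE + off, val };
}

void     arm7_log_reset(void)        { write_count = 0; }
unsigned arm7_log_len(void)          { return write_count; }
uint32_t arm7_log_addr(unsigned i)   { return write_log[i].addr; }
uint32_t arm7_log_val(unsigned i)    { return write_log[i].val; }

/* Steps exactly as the page gives them. */
void arm7_halt(void)
{
    arm7_write(ARM7_RUN_STATUS, 0x0);
    arm7_write(ARM7_RUN_STATUS, 0x10);
}

void arm7_resume(void)
{
    arm7_write(ARM7_RUN_STATUS, 0x1);
}

/* Halt, point 0x110 at the code, write the "code waiting" value, resume.
 * Returns 0 on success, -1 if the address is not word aligned (assumed
 * requirement for entering ARM-state code; not stated on the page). */
int arm7_run_code(uint32_t load_addr)
{
    if (load_addr & 0x3u) return -1;
    arm7_halt();
    arm7_write(ARM7_CODE_ADDR, load_addr);
    arm7_write(ARM7_CODE_WAITING, ARM7_CODE_WAITING_MAGIC);
    arm7_resume();
    return 0;
}

int main(void)
{
    arm7_log_reset();
    /* 0x22000000 is a constructed sample load address, not one from the page */
    if (arm7_run_code(0x22000000u) != 0) return 1;
    for (unsigned i = 0; i < arm7_log_len(); i++)
        printf("write %08x <- %08x\n", arm7_log_addr(i), arm7_log_val(i));
    return 0;
}
```

The log should read 0x38600100 <- 0, 0x38600100 <- 0x10, 0x38600110 <- load address, 0x38600114 <- 0x3FF0000, 0x38600100 <- 1, in that order. When porting this to the device, keep the accesses `volatile` so the compiler cannot merge the two consecutive stores to 0x100 or reorder the 0x110/0x114 writes past the resume.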