This should help people reversing iBoot and friends. It is a work in progress.
SHA1
Base: 0x38000000

Register | Description
0x20 through 0x30 | Output SHA1 hash

DMA (PL080)
This appears to use an ARM PrimeCell PL080. You can read the technical reference manual here.
Base (dmac0): 0x38200000
Base (dmac1): 0x39900000

Register | Description
0x0 | Interrupt Status
0x4 | TC Status (if HIGH, transaction complete)
0x8 | TC Interrupt Clear
0xC | Error Interrupt Status
0x10 | Error Interrupt Clear
0x14 | TC Interrupt Status Before Masking (Raw)
0x18 | Error Interrupt Status Before Masking (Raw)
0x1C | DMA Channels Enabled
0x30 | Controller Configuration
0x34 | Enable / Disable Synchronization
0x100 | Channel 0 Source Address
0x104 | Channel 0 Destination Address
0x108 | Channel 0 Linked List Address
0x10C | Channel 0 Control 1
0x110 | Channel 0 Control 2
0x114 | Channel 0 Configuration
VIC (PL192)
This appears to use an ARM PrimeCell PL192. You can read the technical reference manual here.
Base (vic0): 0x38E00000
Base (vic1): 0x38E01000

Register | Description
0x0 | IRQ Status
0x4 | FIQ Status
0x8 | Raw Interrupt Status
0xC | Interrupt Select (0=IRQ, 1=FIQ)
0x10 | Interrupt Enable (0=Disabled, 1=Enabled)
0x14 | Interrupt Enable Clear (Write-Only; 0=No Effect, 1=Clears the corresponding bit in Interrupt Enable, disabling that interrupt)
0x18 | Software Interrupt (0=Disabled, 1=Enabled)
0x1C | Software Interrupt Clear (Write-Only; 0=No Effect, 1=Clears the corresponding bit in Software Interrupt)
0x20 | Register Protection Mode. If bit 0 is set to 1, Protection Mode is on and only privileged-mode writes will work.
0x24 | Software Interrupt Priority Mask (0=Masked, 1=Not Masked)
0x100 | Vector Addresses
0x200 | Vector Priority Levels
0xFE0 through 0xFEC | Peripheral Identification Registers (decoded below)
0xFF0 through 0xFFC | PrimeCell Identification Registers: 0xFF0 should read as 0x0D, 0xFF4 as 0xF0, 0xFF8 as 0x05, 0xFFC as 0xB1

Peripheral Identification Registers
Part Number
Bits 7 through 0 of register 0xFE0 are one portion of the part number (0x92), and bits 3 through 0 of register 0xFE4 are the other portion (0x1). After some annoying shifting to put them together, you get 0x192 ((0x92 | 0x11<<8) & 0xFFF == 0x192). 0x192 indicates that it is an ARM PrimeCell PL192.
Designer
Bits 7 through 4 of register 0xFE4 are one portion of the designer tag (0x1), and bits 3 through 0 of register 0xFE8 are the other portion (0x4). As above, (0x11>>4 | 0x4<<4) gives 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited.
Revision Number
Unlike the above two, this one is easy: bits 7 through 4 of register 0xFE8 are the revision number, which is 0 at least on the iPod touch 2G.
Configuration
The reference manual simply states that bits 7 through 2 should read back as 0, and says nothing more about them. It also states that bits 1 through 0 indicate the number of interrupts supported, which appears to be 32 for the iPod touch 2G (0b00=32 supported, 0b01=64 supported, 0b10=128 supported, 0b11=256 supported).
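The part number, designer and revision decoding walked through above, as an added example (not code from the original page). It works on the eight ID bytes read from base+0xFE0..0xFEC and base+0xFF0..0xFFC; the sample values are constructed to match what the page reports for the PL192, and the field layout follows the PL192 TRM.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded PrimeCell ID block: PeriphID0..3 live at 0xFE0..0xFEC and
 * PCellID0..3 at 0xFF0..0xFFC; only bits 7:0 of each word carry data. */
struct primecell_id {
    uint16_t part_number;    /* 0x192 for a PL192 */
    uint8_t  designer;       /* 0x41 ('A') = ARM Limited */
    uint8_t  revision;       /* 0 on the iPod touch 2G per this page */
    uint16_t num_interrupts; /* PeriphID3 bits 1:0 -> 32/64/128/256 */
    int      pcell_id_ok;    /* 1 if PCellID reads 0x0D, 0xF0, 0x05, 0xB1 */
};

/* Reassemble the fields the page puts together by hand.
 * periph[i] = byte at 0xFE0 + 4*i, pcell[i] = byte at 0xFF0 + 4*i. */
struct primecell_id decode_primecell_id(const uint8_t periph[4], const uint8_t pcell[4])
{
    struct primecell_id id;
    /* PeriphID0[7:0] is the low byte, PeriphID1[3:0] the high nibble. */
    id.part_number = (uint16_t)(periph[0] | ((periph[1] & 0x0F) << 8));
    /* PeriphID1[7:4] is the low nibble, PeriphID2[3:0] the high nibble. */
    id.designer = (uint8_t)((periph[1] >> 4) | ((periph[2] & 0x0F) << 4));
    id.revision = (uint8_t)(periph[2] >> 4);
    id.num_interrupts = (uint16_t)(32u << (periph[3] & 0x03));
    id.pcell_id_ok = (pcell[0] == 0x0D && pcell[1] == 0xF0 &&
                      pcell[2] == 0x05 && pcell[3] == 0xB1);
    return id;
}

/* True only for a genuine ARM PL192 behind a valid PrimeCell ID. */
int is_arm_pl192(const struct primecell_id *id)
{
    return id->pcell_id_ok && id->part_number == 0x192 && id->designer == 0x41;
}

int main(void)
{
    /* Constructed sample matching the values the page reports for vic0. */
    const uint8_t periph[4] = {0x92, 0x11, 0x04, 0x00};
    const uint8_t pcell[4]  = {0x0D, 0xF0, 0x05, 0xB1};
    struct primecell_id id = decode_primecell_id(periph, pcell);
    printf("part 0x%03X designer '%c' rev %u irqs %u pl192=%d\n",
           id.part_number, id.designer, (unsigned)id.revision,
           (unsigned)id.num_interrupts, is_arm_pl192(&id));
    return 0;
}
```

On the device the same bytes come from volatile 32-bit loads at the VIC base plus each register offset, masked to the low byte.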
CHIPID
All information here was gathered by reversing iBoot and friends.
Base: 0x3D100000

Register | Description
0x0 | Unused & Unreferenced Register
0x4 | Not yet documented
0x8 | Chip Info. Chip ID: bits 31 through 16 (0x8720, meaning it is an S5L8720). SCEP: bits 15 through 1 (0x01)
WDT (Watchdog Timer)
Base: 0x3C800000

Register | Description
0x0 | Control Register. NOTE: It seems that you can disable the Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000
0x4 | Watchdog Timeout Duration
0xC | Interrupt Clear
ARM7 (Second CPU)
All information here was gathered by looking at the code for the ARM7 Go command, as well as noticing the 0x38000000==0xb8000000 alias that the S5L8720 seems to have.
Base: 0x38600000

Register | Description
0x100 | Running Status. To halt the ARM7: write 0x0 then 0x10 to this register. To make it resume: write 0x1 to this register
0x110 | Code Address. To run code, halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7
0x114 | "Code Waiting". I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110
UART
Base (uart0): 0x3CC00000
Base (uart1): 0x3DB00000
Base (uart2): 0x3DC00000
Base (uart3): 0x3DD00000

Register | Description
Links