The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
S5L8720 (Hardware)
This should help people reversing iBoot and friends. It is a work in progress.
Contents
DMA
This appears to use an ARM PrimeCell PL080. You can read the technical reference manual here.
Base (dmac1): 0x39900000 |
|
VIC (PL192)
This appears to use an ARM PrimeCell PL192. You can read the technical reference manual here.
Register Table
Base (vic1): 0x38E01000 |
|
Register 0xFF0: Should read as 0x0D |
Peripheral Identification Registers
The four registers 0xfe0, 0xfe4, 0xfe8, and 0xfec, are four "8-bit registers that can be conceptually treated as one 32-bit register" according to the technical reference manual. Here are some explanations about these registers if you don't feel like digging through the reference manual. If you do, read pages 64 through 66.
Values for the S5L8720
0x38e00fe0: 00000092 0x38e00fe4: 00000011 0x38e00fe8: 00000004 0x38e00fec: 00000000
Part Number
Bits 7 through 0 of register 0xfe0 is one portion of the part number (0x92), then bits 3 through 0 of register 0xfe4 is the other portion of it (0x1). If you do some annoying shifting, to put it together, you get 0x192 (0x92|0x11<<8&0xFFF==0x192). 0x192 indicates that it is an ARM PrimeCell PL192.
Designer
Bits 7 through 4 of register 0xfe4 is one portion of the designer tag (0x1), then bits 3 through 0 of register 0xfe8 is the other portion of it (0x4). Like above, we can do (0x11 | 0x4<<4) and we get 0x41, which is "A" in ASCII, meaning it was designed by ARM Limited.
Revision Number
Unlike the above two, this one is pretty easy. Bits 7 through 4 of register 0xfe8 is the revision number, which is "0" at least for the iPod touch 2G.
Configuration
The reference manual simply states that bits 7 through 2 should read back as 0, and nothing more about them. It also states that bits 1 through 0 indicate the number of interrupts supported, which appear to be 32 for the iPod touch 2G (0b00=32 Supported, 0b01=64 Supported, 0b10=128 Supported, 0b11=256 Supported).
WDT (Watchdog Timer)
NOTE: It seems that you can disable Watchdog Timer by rewriting this register to 0x00000000, and you can reboot the device by rewriting it to 0x100000 |
|
USB
OTG-PHYCTRL
OTG
ARM7 (Second CPU)
To halt the ARM7: Write 0x0 then 0x10 to this register |
|
To run code, halt the ARM7, write the load address of the code to this register, write 0x3FF0000 to register 0x114, then resume the ARM7 |
|
I don't know exactly what this register does, but I named it like this because 0x3FF0000 is written to this register when there is a load address of code to be jumped to in register 0x110 |
UART
Base (uart1): 0x3DB00000 Base (uart2): 0x3DC00000 Base (uart3): 0x3DD00000 |
|
Bit 0: If 1, Rx buffer has data, if 0, Rx buffer is empty |
|
Bit 0: If 1, overrun error |
|