Editing Hardware Registers

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= Introduction =
= Introduction =


With the exception of interrupts, almost all the interaction with the PSP hardware is done through memory mapped IO (MMIO) accesses in the 0xBC000000~0xBFFFFFFF address range. The physical address of this range is actually 0x1C000000~0x1FFFFFFF, but we must OR in the 0x40000000 un-cached flag and the 0x80000000 kernel access flag. Knowing how to communicate with the hardware is vital to understanding the inner workings of the PSP.
On the PSP, except interruptions, almost all the interaction with the hardware is done through memory accesses to "hardware registers" located at the 0xBC000000~0xBFFFFFFF range (actually 0x1C000000~0x1FFFFFFF to which we add the 0x4 uncached flag and the 0x8 kernel flag). Which is the reason why documenting this is vital to understand the PSP hardware.


= 0xA7F00000: L2 cache =
= 0xA7F00000: L2 cache =
Line 451: Line 451:
Bits 6-11 = UART 0-5
Bits 6-11 = UART 0-5


Bits 12-15 = APB (Arm Peripheral Bus) Timer 0-3
Bits 12-15 = APB (?) 0-3


Bits 16-17 = Audio 0-1
Bits 16-17 = Audio 0-1


Bits 18 = LCD Controller
Bits 19-21 = ?


Bits 19 = PWM
Bit 22 = SIRCS (?)
 
Bits 20 = ?
 
Bits 21 = I2C
 
Bit 22 = SIRCS (Sony Serial Infra-Red Control)


Bit 23 = GPIO
Bit 23 = GPIO
Line 498: Line 492:
| 0xBC100064 || 4 || RW || SPI clock select
| 0xBC100064 || 4 || RW || SPI clock select
|-
|-
| 0xBC100068 || 4 || RW || Bits 0-7: PLL frequency
| 0xBC100068 || 4 || RW || 0xF - PLL get/set out select (PLL frequency?)
 
Bits 16-31: unknown, checked against by the iplloader, possibly related to jigkick
|-
|-
| 0xBC100070 || 4 || RW || Set Avc power
| 0xBC100070 || 4 || RW || Set Avc power
Line 506: Line 498:
| 0xBC100074 || 4 || RW || Unknown
| 0xBC100074 || 4 || RW || Unknown
|-
|-
| 0xBC100078 || 4 || RW || I/O enable
| 0xBC100078 || 4 || RW || I/O enable (?) (TODO: verify indices)


Bit 1 = EMCSM
Bit 0 = NAND


Bit 2 = USB
Bit 1 = USB


Bit 3 = ATA
Bit 2 = ATA


Bits 4-5 = MSIF
Bits 3-4 = Memstick Interface


Bit 6 = LCDC
Bit 5 = LCDC


Bits 7-8 = Audio
Bit 6-7 = Audio


Bit 9 = I2c
Bit 8 = IIC


Bit 10 = Sircs
Bit 9 = SIRCS


Bit 11 = AudioClkout
Bit 10 = Audio?


Bit 12 = Key (?)
Bit 11 = KEY


Bit 13 = PWM
Bit 12 = PWM


Bit 14 = ATA HDD
Bits 13-18 = UART
 
Bit 15 = TBD - needs more sysreg reversing
 
Bits 16-21 = UART 0-5
 
Bits 22-23 = TBD - needs more sysreg reversing
 
Bits 24-29 = SPI 0-5
 
Bits 30-31 = TBD - needs more sysreg reversing


Bits 19-24 = SPI
|-
|-
| 0xBC10007C || 4 || RW || Either GPIO pin enable, or GPIO pin direction
| 0xBC10007C || 4 || RW || Either GPIO pin enable, or GPIO pin direction
Line 873: Line 856:
|-
|-
|}
|}
= 0xBC700000: ? =


= 0xBC800000: DMACPlus =
= 0xBC800000: DMACPlus =
Line 1,703: Line 1,688:
| 0xBDE00008 || 4 || RW || Set to 1 on error by the command subroutine
| 0xBDE00008 || 4 || RW || Set to 1 on error by the command subroutine
|-
|-
| 0xBDE0000C || 4 || RW || Set to 1 to start processing, or 2 to start processing phase2
| 0xBDE0000C || 4 || RW || Set to 1 to start processing
|-
|-
| 0xBDE00010 || 4 || RW || KIRK command
| 0xBDE00010 || 4 || RW || KIRK command
Line 1,928: Line 1,913:
|-
|-
| 0xBE0000D0 || 4 || ? || ??
| 0xBE0000D0 || 4 || ? || ??
|-
|}
|}


= 0xBE100000: MagicGate Type-R =
= 0xBE100000: MagicGate hardware for memory stick? =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE100000 || ? || ? || Unknown
|-
| 0xBE100010 || ? || ? || ?Key size (in bits)?. ex: 0x100 (hardcoded)
|-
| 0xBE100020 || ? || ? || Unknown
|-
| 0xBE100038 || ? || ? || Hardware version 1
|-
| 0xBE100040 || 0x10 || ? || Key
|-
| 0xBE100050 || 8 || ? || Unknown
|-
| 0xBE100060 || 0x10 || ? || IV
|-
| 0xBE100080 || ? || ? || Control
|-
| 0xBE100084 || ? || ? || Status
|-
| 0xBE100088 || ? || ? || Algorithm
|-
| 0xBE100090 || ? || ? || Unknown. Value at bit 8 is used.
|-
| 0xBE100094 || ? || ? || Size
|-
| 0xBE100098 || ? || ? || Hardware version 2
|-
| 0xBE1000A0 || ?0x800? || ? || Input buffer
|}


= 0xBE140000: LCDC =
= 0xBE140000: LCDC =
Line 2,111: Line 2,061:
| 0xBE240018 || 4 || RW || Is rising edge (?)
| 0xBE240018 || 4 || RW || Is rising edge (?)
|-
|-
| 0xBE24001C || 4 || RW || Interrupt enable
| 0xBE24001C || 4 || RW || Is interrupt enabled
|-
|-
| 0xBE240020 || 4 || R? || Interrupt Status
| 0xBE240020 || 4 || R? || Is interrupt triggered
|-
|-
| 0xBE240024 || 4 || W || Acknowledge interrupt
| 0xBE240024 || 4 || W || Acknowledge interrupt
|-
|-
| 0xBE240030 || 4 || RW || Capture port enable
| 0xBE240030 || 4 || RW || Is capture port (?)
|-
|-
| 0xBD240034 || 4 || RW || Timer capture enable
| 0xBD240034 || 4 || RW || Is timer capture enabled (?)
|-
|-
| 0xBE240040 || 4 || RW || Is input on (?)
| 0xBE240040 || 4 || RW || Is input on (?)
Line 2,132: Line 2,082:


= 0xBE4C0000 & 0xBE500000: UART =
= 0xBE4C0000 & 0xBE500000: UART =
[https://developer.arm.com/documentation/ddi0183/f/programmer-s-model/summary-of-registers?lang=en ARM PrimeCell UART PL011]


There are two similar UART controllers:
There are two similar UART controllers:
Line 2,185: Line 2,133:


= 0xBE580000: Syscon =
= 0xBE580000: Syscon =
[https://developer.arm.com/documentation/ddi0194/h/programmer-s-model/summary-of-primecell-ssp-registers?lang=en ARM PrimeCell Synchronous Serial port PL022]
TODO: validate register mappings


{| class="wikitable"
{| class="wikitable"
Line 2,250: Line 2,195:
|-
|-
|}
|}
= 0xBE600000: ? =


= 0xBE740000: Display =
= 0xBE740000: Display =
Line 2,278: Line 2,225:
|}
|}


= 0xBE780000: Display (Slim) =
= 0xBFC00000: MIPS Reset Vector =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE780000 || 4 || ? || Unknown
|-
| 0xBE78001C || 4 || ? || Unknown
|}
 
= 0xBFC00000 & 0xBFD00000 & 0xBFE00000: MIPS Reset Vector and RAM =
 
Note this is not a hardware register *per se*.
 
At boot time, the PSP [[iplloader]] is mapped to read-only 0xBFC00000 then executed. An additional 4096-byte scratchpad-like RAM is accessible at 0xBFD00000 and used as a temporary space to decrypt the IPL blocks.
Then, once the CPU is reset (0xBC10004C |= 2), the iplloader is unmapped, and the memory which was then at 0xBFD00000 is now mapped at 0xBFC00000 and execution restarts at 0xBFC00000.
 
On devkit, bloadp is copied to 0xBFE00000 then executed. IPL blocks are usually copied to 0xBFE01000, decrypted in place then executed.


= 0xBFF00000: NAND DMA buffer =
= 0xBFF00000: NAND DMA buffer =
Line 2,320: Line 2,246:
= References =
= References =


* [http://daifukkat.su/docs/psptek/ PSPTEK]
* [http://daifukkat.su/docs/psptek/ PSPTEK] (done)
* [https://gigawiz.github.io/yapspd/html_chapters_split/chap8.html yapspd]
* [https://gigawiz.github.io/yapspd/html_chapters_split/chap8.html yapspd] (done)
* [https://github.com/uofw/uofw uOFW]
* [https://github.com/uofw/uofw uOFW] (todo: some more info to grab in some modules)
* [https://github.com/jpcsp/jpcsp Jpcsp]
* [https://github.com/jpcsp/jpcsp Jpcsp] (todo: contains a lot of stuff)
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/psp/Hardware_Registers"