Editing Hardware Registers

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= Introduction =
= 0x07F00000: L2 cache =
 
With the exception of interrupts, almost all the interaction with the PSP hardware is done through memory mapped IO (MMIO) accesses in the 0xBC000000~0xBFFFFFFF address range. The physical address of this range is actually 0x1C000000~0x1FFFFFFF, but we must OR in the 0x40000000 un-cached flag and the 0x80000000 kernel access flag. Knowing how to communicate with the hardware is vital to understanding the inner workings of the PSP.
 
= 0xA7F00000: L2 cache =


If we believe in the sysmem NIDs, 04g+ seem to have a "L2" cache we can send commands (writeback/invalidate/probe) to through this address.
If we believe in the sysmem NIDs, 04g+ seem to have a "L2" cache we can send commands (writeback/invalidate/probe) to through this address.


0xA7F80020 and 0xA7F80000~ also exist.
0x07F80000~ also exists.


TODO need more info.
TODO need more info.
Line 17: Line 13:
! Physical Address !! Size !! R/W !! Description
! Physical Address !! Size !! R/W !! Description
|-
|-
| 0xBC000000 || 4 || RW || Memory Protection 0x08000000 -> 0x081FFFFFF
| 0xBC000000 || 4 || RW || Memory Protection 0x08000000 -> 0x081FFFFFF  
|-
|}


Bit 0: 0x08000000 -> 0x08003FFFF User Read Enable
{| class="wikitable sortable"
 
|-
Bit 1: 0x08000000 -> 0x08003FFFF User Write Enable
! Bit(s) !! Usage
 
|-
Bit 2: 0x08000000 -> 0x08003FFFF Kernel Read Enable
| 31 || 0x081C0000 -> 0x081FFFFFF Kernel Write Enable
 
|-
Bit 3: 0x08000000 -> 0x08003FFFF Kernel Write Enable
| 30 || 0x081C0000 -> 0x081FFFFFF Kernel Read Enable
 
|-
Bit 4: 0x08040000 -> 0x0807FFFFF User Read Enable
| 29 || 0x081C0000 -> 0x081FFFFFF User Write Enable
 
|-
Bit 5: 0x08040000 -> 0x0807FFFFF User Write Enable
| 28 || 0x081C0000 -> 0x081FFFFFF User Read Enable
 
|-
Bit 6: 0x08040000 -> 0x0807FFFFF Kernel Read Enable
| 27 || 0x08180000 -> 0x081BFFFFF Kernel Write Enable
 
|-
Bit 7: 0x08040000 -> 0x0807FFFFF Kernel Write Enable
| 26 || 0x08180000 -> 0x081BFFFFF Kernel Read Enable
 
|-
Bit 8: 0x08080000 -> 0x080BFFFFF User Read Enable
| 25 || 0x08180000 -> 0x081BFFFFF User Write Enable
 
|-
Bit 9: 0x08080000 -> 0x080BFFFFF User Write Enable
| 24 || 0x08180000 -> 0x081BFFFFF User Read Enable
 
|-
Bit 10: 0x08080000 -> 0x080BFFFFF Kernel Read Enable
| 23 || 0x08140000 -> 0x0817FFFFF Kernel Write Enable
 
|-
Bit 11: 0x08080000 -> 0x080BFFFFF Kernel Write Enable
| 22 || 0x08140000 -> 0x0817FFFFF Kernel Read Enable
 
|-
Bit 12: 0x080C0000 -> 0x080FFFFFF User Read Enable
| 21 || 0x08140000 -> 0x0817FFFFF User Write Enable
 
|-
Bit 13: 0x080C0000 -> 0x080FFFFFF User Write Enable
| 20 || 0x08140000 -> 0x0817FFFFF User Read Enable
 
|-
Bit 14: 0x080C0000 -> 0x080FFFFFF Kernel Read Enable
| 19 || 0x08100000 -> 0x0813FFFFF Kernel Write Enable
 
Bit 15: 0x080C0000 -> 0x080FFFFFF Kernel Write Enable
 
Bit 16: 0x08100000 -> 0x0813FFFFF User Read Enable
 
Bit 17: 0x08100000 -> 0x0813FFFFF User Write Enable
 
Bit 18: 0x08100000 -> 0x0813FFFFF Kernel Read Enable
 
Bit 19: 0x08100000 -> 0x0813FFFFF Kernel Write Enable
 
Bit 20: 0x08140000 -> 0x0817FFFFF User Read Enable
 
Bit 21: 0x08140000 -> 0x0817FFFFF User Write Enable
 
Bit 22: 0x08140000 -> 0x0817FFFFF Kernel Read Enable
 
Bit 23: 0x08140000 -> 0x0817FFFFF Kernel Write Enable
 
Bit 24: 0x08180000 -> 0x081BFFFFF User Read Enable
 
Bit 25: 0x08180000 -> 0x081BFFFFF User Write Enable
 
Bit 26: 0x08180000 -> 0x081BFFFFF Kernel Read Enable
 
Bit 27: 0x08180000 -> 0x081BFFFFF Kernel Write Enable
 
Bit 28: 0x081C0000 -> 0x081FFFFFF User Read Enable
 
Bit 29: 0x081C0000 -> 0x081FFFFFF User Write Enable
 
Bit 30: 0x081C0000 -> 0x081FFFFFF Kernel Read Enable
 
Bit 31: 0x081C0000 -> 0x081FFFFFF Kernel Write Enable
|-
|-
| 0xBC000004 || 4 || RW || Memory Protection 0x08200000 -> 0x083FFFFFF
| 18 || 0x08100000 -> 0x0813FFFFF Kernel Read Enable
Bit 0: 0x08200000 -> 0x08203FFFF User Read Enable  
|-
 
| 17 || 0x08100000 -> 0x0813FFFFF User Write Enable
Bit 1: 0x08200000 -> 0x08203FFFF User Write Enable
|-
| 16 || 0x08100000 -> 0x0813FFFFF User Read Enable
|-
| 15 || 0x080C0000 -> 0x080FFFFFF Kernel Write Enable
|-
| 14 || 0x080C0000 -> 0x080FFFFFF Kernel Read Enable
|-
| 13 || 0x080C0000 -> 0x080FFFFFF User Write Enable
|-
| 12 || 0x080C0000 -> 0x080FFFFFF User Read Enable
|-
| 11 || 0x08080000 -> 0x080BFFFFF Kernel Write Enable
|-
| 10 || 0x08080000 -> 0x080BFFFFF Kernel Read Enable
|-
| 9 || 0x08080000 -> 0x080BFFFFF User Write Enable
|-
| 8 || 0x08080000 -> 0x080BFFFFF User Read Enable
|-
| 7 || 0x08040000 -> 0x0807FFFFF Kernel Write Enable
|-
| 6 || 0x08040000 -> 0x0807FFFFF Kernel Read Enable
|-
| 5 || 0x08040000 -> 0x0807FFFFF User Write Enable
|-
| 4 || 0x08040000 -> 0x0807FFFFF User Read Enable
|-
| 3 || 0x08000000 -> 0x08003FFFF Kernel Write Enable
|-
| 2 || 0x08000000 -> 0x08003FFFF Kernel Read Enable
|-
| 1 || 0x08000000 -> 0x08003FFFF User Write Enable
|-
| 0 || 0x08000000 -> 0x08003FFFF User Read Enable
|-
|}


Bit 2: 0x08200000 -> 0x08203FFFF Kernel Read Enable
{| class="wikitable sortable"
 
|-
Bit 3: 0x08200000 -> 0x08203FFFF Kernel Write Enable
! Physical Address !! Size !! R/W !! Description
 
|-
Bit 4: 0x08240000 -> 0x0827FFFFF User Read Enable
| 0xBC000004 || 4 || RW || Memory Protection 0x08200000 -> 0x083FFFFFF
 
|-
Bit 5: 0x08240000 -> 0x0827FFFFF User Write Enable
|}


Bit 6: 0x08240000 -> 0x0827FFFFF Kernel Read Enable
{| class="wikitable sortable"
 
|-
Bit 7: 0x08240000 -> 0x0827FFFFF Kernel Write Enable
! Bit(s) !! Usage
 
|-
Bit 8: 0x08280000 -> 0x082BFFFFF User Read Enable
| 31 || 0x083C0000 -> 0x083FFFFFF Kernel Write Enable
 
|-
Bit 9: 0x08280000 -> 0x082BFFFFF User Write Enable
| 30 || 0x083C0000 -> 0x083FFFFFF Kernel Read Enable
 
|-
Bit 10: 0x08280000 -> 0x082BFFFFF Kernel Read Enable
| 29 || 0x083C0000 -> 0x083FFFFFF User Write Enable
 
|-
Bit 11: 0x08280000 -> 0x082BFFFFF Kernel Write Enable
| 28 || 0x083C0000 -> 0x083FFFFFF User Read Enable
 
|-
Bit 12: 0x082C0000 -> 0x082FFFFFF User Read Enable
| 27 || 0x083C0000 -> 0x083BFFFFF Kernel Write Enable
 
|-
Bit 13: 0x082C0000 -> 0x082FFFFFF User Write Enable
| 26 || 0x083C0000 -> 0x083BFFFFF Kernel Read Enable
 
|-
Bit 14: 0x082C0000 -> 0x082FFFFFF Kernel Read Enable
| 25 || 0x08380000 -> 0x083BFFFFF User Write Enable
 
|-
Bit 15: 0x082C0000 -> 0x082FFFFFF Kernel Write Enable
| 24 || 0x08380000 -> 0x083BFFFFF User Read Enable
 
|-
Bit 16: 0x08300000 -> 0x0833FFFFF User Read Enable
| 23 || 0x08340000 -> 0x0837FFFFF Kernel Write Enable
 
|-
Bit 17: 0x08300000 -> 0x0833FFFFF User Write Enable
| 22 || 0x08340000 -> 0x0837FFFFF Kernel Read Enable
 
|-
Bit 18: 0x08300000 -> 0x0833FFFFF Kernel Read Enable
| 21 || 0x08340000 -> 0x0837FFFFF User Write Enable
 
|-
Bit 19: 0x08300000 -> 0x0833FFFFF Kernel Write Enable
| 20 || 0x08340000 -> 0x0837FFFFF User Read Enable
 
|-
Bit 20: 0x08340000 -> 0x0837FFFFF User Read Enable
| 19 || 0x08300000 -> 0x0833FFFFF Kernel Write Enable
 
|-
Bit 21: 0x08340000 -> 0x0837FFFFF User Write Enable
| 18 || 0x08300000 -> 0x0833FFFFF Kernel Read Enable
 
|-
Bit 22: 0x08340000 -> 0x0837FFFFF Kernel Read Enable
| 17 || 0x08300000 -> 0x0833FFFFF User Write Enable
 
|-
Bit 23: 0x08340000 -> 0x0837FFFFF Kernel Write Enable
| 16 || 0x08300000 -> 0x0833FFFFF User Read Enable
 
Bit 24: 0x08380000 -> 0x083BFFFFF User Read Enable
 
Bit 25: 0x08380000 -> 0x083BFFFFF User Write Enable
 
Bit 26: 0x083C0000 -> 0x083BFFFFF Kernel Read Enable
 
Bit 27: 0x083C0000 -> 0x083BFFFFF Kernel Write Enable
 
Bit 28: 0x083C0000 -> 0x083FFFFFF User Read Enable
 
Bit 29: 0x083C0000 -> 0x083FFFFFF User Write Enable
 
Bit 30: 0x083C0000 -> 0x083FFFFFF Kernel Read Enable
 
Bit 31: 0x083C0000 -> 0x083FFFFFF Kernel Write Enable
|-
|-
| 0xBC000008 || 4 || RW || Memory Protection 0x08400000 -> 0x085FFFFFF
| 15 || 0x082C0000 -> 0x082FFFFFF Kernel Write Enable
 
|-
Bit 0: 0x08400000 -> 0x08403FFFF User Read Enable  
| 14 || 0x082C0000 -> 0x082FFFFFF Kernel Read Enable
 
|-
Bit 1: 0x08400000 -> 0x08403FFFF User Write Enable
| 13 || 0x082C0000 -> 0x082FFFFFF User Write Enable
 
|-
Bit 2: 0x08400000 -> 0x08403FFFF Kernel Read Enable
| 12 || 0x082C0000 -> 0x082FFFFFF User Read Enable
 
|-
Bit 3: 0x08400000 -> 0x08403FFFF Kernel Write Enable
| 11 || 0x08280000 -> 0x082BFFFFF Kernel Write Enable
|-
| 10 || 0x08280000 -> 0x082BFFFFF Kernel Read Enable
|-
| 9 || 0x08280000 -> 0x082BFFFFF User Write Enable
|-
| 8 || 0x08280000 -> 0x082BFFFFF User Read Enable
|-
| 7 || 0x08240000 -> 0x0827FFFFF Kernel Write Enable
|-
| 6 || 0x08240000 -> 0x0827FFFFF Kernel Read Enable
|-
| 5 || 0x08240000 -> 0x0827FFFFF User Write Enable
|-
| 4 || 0x08240000 -> 0x0827FFFFF User Read Enable
|-
| 3 || 0x08200000 -> 0x08203FFFF Kernel Write Enable
|-
| 2 || 0x08200000 -> 0x08203FFFF Kernel Read Enable
|-
| 1 || 0x08200000 -> 0x08203FFFF User Write Enable
|-
| 0 || 0x08200000 -> 0x08203FFFF User Read Enable
|-
|}


Bit 4: 0x08440000 -> 0x0847FFFFF User Read Enable
{| class="wikitable sortable"
|-
! Physical Address !! Size !! R/W !! Description
|-
| 0xBC000008 || 4 || RW || Memory Protection 0x08400000 -> 0x085FFFFFF
|-
|}


Bit 5: 0x08440000 -> 0x0847FFFFF User Write Enable
{| class="wikitable sortable"
 
|-
Bit 6: 0x08440000 -> 0x0847FFFFF Kernel Read Enable
! Bit(s) !! Usage
 
Bit 7: 0x08440000 -> 0x0847FFFFF Kernel Write Enable
 
Bit 8: 0x08480000 -> 0x084BFFFFF User Read Enable
 
Bit 9: 0x08480000 -> 0x084BFFFFF User Write Enable
 
Bit 10: 0x08480000 -> 0x084BFFFFF Kernel Read Enable
 
Bit 11: 0x08480000 -> 0x084BFFFFF Kernel Write Enable
 
Bit 12: 0x084c0000 -> 0x084FFFFFF User Read Enable
 
Bit 13: 0x084c0000 -> 0x084FFFFFF User Write Enable
 
Bit 14: 0x084c0000 -> 0x084FFFFFF Kernel Read Enable
 
Bit 15: 0x084c0000 -> 0x084FFFFFF Kernel Write Enable
 
Bit 16: 0x08500000 -> 0x0853FFFFF User Read Enable
 
Bit 17: 0x08500000 -> 0x0853FFFFF User Write Enable
 
Bit 18: 0x08500000 -> 0x0853FFFFF Kernel Read Enable
 
Bit 19: 0x08500000 -> 0x0853FFFFF Kernel Write Enable
 
Bit 20: 0x08540000 -> 0x0857FFFFF User Read Enable
 
Bit 21: 0x08540000 -> 0x0857FFFFF User Write Enable
 
Bit 22: 0x08540000 -> 0x0857FFFFF Kernel Read Enable
 
Bit 23: 0x08540000 -> 0x0857FFFFF Kernel Write Enable
 
Bit 24: 0x08580000 -> 0x085BFFFFF User Read Enable
 
Bit 25: 0x08580000 -> 0x085BFFFFF User Write Enable
 
Bit 26: 0x08580000 -> 0x085BFFFFF Kernel Read Enable
 
Bit 27: 0x08580000 -> 0x085BFFFFF Kernel Write Enable
 
Bit 28: 0x085c0000 -> 0x085FFFFFF User Read Enable
 
Bit 29: 0x085c0000 -> 0x085FFFFFF User Write Enable
 
Bit 30: 0x085c0000 -> 0x085FFFFFF Kernel Read Enable
 
Bit 31: 0x085c0000 -> 0x085FFFFFF Kernel Write Enable
|-
|-
| 0xBC00000C || 4 || RW || Memory Protection 0x08600000 -> 0x087FFFFFF
| 31 || 0x085c0000 -> 0x085FFFFFF Kernel Write Enable
 
|-
Bit 0: 0x08600000 -> 0x08603FFFF User Read Enable  
| 30 || 0x085c0000 -> 0x085FFFFFF Kernel Read Enable
 
|-
Bit 1: 0x08600000 -> 0x08603FFFF User Write Enable
| 29 || 0x085c0000 -> 0x085FFFFFF User Write Enable
 
|-
Bit 2: 0x08600000 -> 0x08603FFFF Kernel Read Enable
| 28 || 0x085c0000 -> 0x085FFFFFF User Read Enable
 
|-
Bit 3: 0x08600000 -> 0x08603FFFF Kernel Write Enable
| 27 || 0x08580000 -> 0x085BFFFFF Kernel Write Enable
 
|-
Bit 4: 0x08640000 -> 0x0867FFFFF User Read Enable
| 26 || 0x08580000 -> 0x085BFFFFF Kernel Read Enable
 
|-
Bit 5: 0x08640000 -> 0x0867FFFFF User Write Enable
| 25 || 0x08580000 -> 0x085BFFFFF User Write Enable
 
|-
Bit 6: 0x08640000 -> 0x0867FFFFF Kernel Read Enable
| 24 || 0x08580000 -> 0x085BFFFFF User Read Enable
 
|-
Bit 7: 0x08640000 -> 0x0867FFFFF Kernel Write Enable
| 23 || 0x08540000 -> 0x0857FFFFF Kernel Write Enable
 
|-
Bit 8: 0x08680000 -> 0x086BFFFFF User Read Enable
| 22 || 0x08540000 -> 0x0857FFFFF Kernel Read Enable
 
|-
Bit 9: 0x08680000 -> 0x086BFFFFF User Write Enable
| 21 || 0x08540000 -> 0x0857FFFFF User Write Enable
 
|-
Bit 10: 0x08680000 -> 0x086BFFFFF Kernel Read Enable
| 20 || 0x08540000 -> 0x0857FFFFF User Read Enable
 
|-
Bit 11: 0x08680000 -> 0x086BFFFFF Kernel Write Enable
| 19 || 0x08500000 -> 0x0853FFFFF Kernel Write Enable
 
|-
Bit 12: 0x086c0000 -> 0x086FFFFFF User Read Enable
| 18 || 0x08500000 -> 0x0853FFFFF Kernel Read Enable
 
Bit 13: 0x086c0000 -> 0x086FFFFFF User Write Enable
 
Bit 14: 0x086c0000 -> 0x086FFFFFF Kernel Read Enable
 
Bit 15: 0x086c0000 -> 0x086FFFFFF Kernel Write Enable
 
Bit 16: 0x08700000 -> 0x0873FFFFF User Read Enable
 
Bit 17: 0x08700000 -> 0x0873FFFFF User Write Enable
 
Bit 18: 0x08700000 -> 0x0873FFFFF Kernel Read Enable
 
Bit 19: 0x08700000 -> 0x0873FFFFF Kernel Write Enable
 
Bit 20: 0x08740000 -> 0x0877FFFFF User Read Enable
 
Bit 21: 0x08740000 -> 0x0877FFFFF User Write Enable
 
Bit 22: 0x08740000 -> 0x0877FFFFF Kernel Read Enable
 
Bit 23: 0x08740000 -> 0x0877FFFFF Kernel Write Enable
 
Bit 24: 0x08780000 -> 0x087BFFFFF User Read Enable
 
Bit 25: 0x08780000 -> 0x087BFFFFF User Write Enable
 
Bit 26: 0x08780000 -> 0x087BFFFFF Kernel Read Enable
 
Bit 27: 0x08780000 -> 0x087BFFFFF Kernel Write Enable
 
Bit 28: 0x087c0000 -> 0x087FFFFFF User Read Enable
 
Bit 29: 0x087c0000 -> 0x087FFFFFF User Write Enable
 
Bit 30: 0x087c0000 -> 0x087FFFFFF Kernel Read Enable
 
Bit 31: 0x087c0000 -> 0x087FFFFFF Kernel Write Enable
|-
|-
| 0xBC000030 || 32 || RW || Hardware register user read/write enable (range unknown). Used to access profiler from an user.
| 17 || 0x08500000 -> 0x0853FFFFF User Write Enable
 
Granularity that this (and the next ones) work on is not known.
 
For each 1 bit an IO range is exposed to usermode for Read/Write.
 
To find the usermode address, subtract 0x60000000 from the kernelmode one (ie start addresses with 0x5 instead of 0xB).
 
It may be 2 bits for user read/write for each range of size 0x100000. For the profiler, located at 0xBC400000, the mask 0x300 is applied.
|-
|-
| 0xBC000034 || 32 || RW || Hardware register user read/write enable (range unknown)
| 16 || 0x08500000 -> 0x0853FFFFF User Read Enable
|-
|-
| 0xBC000038 || 32 || RW || Hardware register user read/write enable (range unknown)
| 15 || 0x084c0000 -> 0x084FFFFFF Kernel Write Enable
|-
|-
| 0xBC00003C || 32 || RW || Hardware register user read/write enable (range unknown)
| 14 || 0x084c0000 -> 0x084FFFFFF Kernel Read Enable
|-
|-
| 0xBC000040 || 32 || RW || Hardware register user read/write enable (range unknown)
| 13 || 0x084c0000 -> 0x084FFFFFF User Write Enable
|-
|-
| 0xBC000044 || 32 || RW || Hardware register user read/write enable (range unknown)
| 12 || 0x084c0000 -> 0x084FFFFFF User Read Enable
|-
|-
| 0xBC000048 || 32 || RW || Set 1 to disable extended memory partitions??
| 11 || 0x08480000 -> 0x084BFFFFF Kernel Write Enable
|-
|-
| 0xBC00004C || 32 || R? || Unknown
| 10 || 0x08480000 -> 0x084BFFFFF Kernel Read Enable
|-
|-
| 0xBC000050 || 32 || ? || Reads 0x07EFFFFF
| 9 || 0x08480000 -> 0x084BFFFFF User Write Enable
|-
|-
|}
| 8 || 0x08480000 -> 0x084BFFFFF User Read Enable
 
= 0xBC100000: System Controller =
 
{| class="wikitable"
|-
|-
! Address
| 7 || 0x08440000 -> 0x0847FFFFF Kernel Write Enable
! Size
! Read/write
! Description
|-
|-
| 0xBC100000 || 4 || RW || NMI enable mask
| 6 || 0x08440000 -> 0x0847FFFFF Kernel Read Enable
 
Bits 0-15 = user NMI enable mask?
 
Bits 16-31 = kernel NMI enable mask?
|-
|-
| 0xBC100004 || 4 || RW || NMI flags (15 bits for NMI0 ~ NMI15)
| 5 || 0x08440000 -> 0x0847FFFFF User Write Enable
|-
|-
| 0xBC10000C || 4 || RW? || NMI12 control registers?
| 4 || 0x08440000 -> 0x0847FFFFF User Read Enable
|-
|-
| 0xBC100010 || 4 || RW? || NMI8 control registers?
| 3 || 0x08400000 -> 0x08403FFFF Kernel Write Enable
|-
|-
| 0xBC100014 || 4 || RW? || NMI9 control registers?
| 2 || 0x08400000 -> 0x08403FFFF Kernel Read Enable
|-
|-
| 0xBC100018 || 4 || RW? || NMI7 control registers?
| 1 || 0x08400000 -> 0x08403FFFF User Write Enable
|-
|-
| 0xBC10001C || 4 || RW? || NMI6 control registers?
| 0 || 0x08400000 -> 0x08403FFFF User Read Enable
|-
|-
| 0xBC100020 || 4 || RW? || NMI5 control registers?
|}
 
{| class="wikitable sortable"
|-
! Physical Address !! Size !! R/W !! Description
|-
|-
| 0xBC100024 || 4 || RW? || NMI4 control registers?
| 0xBC00000C || 4 || RW || Memory Protection 0x08600000 -> 0x087FFFFFF
|-
|}
 
{| class="wikitable sortable"
|-
! Bit(s) !! Usage
|-
| 31 || 0x087c0000 -> 0x087FFFFFF Kernel Write Enable
|-
|-
| 0xBC100028 || 4 || RW? || NMI3 control registers?
| 30 || 0x087c0000 -> 0x087FFFFFF Kernel Read Enable
|-
|-
| 0xBC10002C || 4 || RW? || NMI2 control registers?
| 29 || 0x087c0000 -> 0x087FFFFFF User Write Enable
|-
|-
| 0xBC100030 || 4 || RW? || NMI1 control registers?
| 28 || 0x087c0000 -> 0x087FFFFFF User Read Enable
|-
|-
| 0xBC100034 || 4 || RW? || NMI0 control registers?
| 27 || 0x08780000 -> 0x087BFFFFF Kernel Write Enable
|-
|-
| 0xBC10003C || 4 || RW || Unknown - used by sceSysreg_driver_0x4841B2D2, sceSysreg_driver_0x4E5C86AA, sceSysregDoTimerEvent
| 26 || 0x08780000 -> 0x087BFFFFF Kernel Read Enable
|-
|-
| 0xBC100040 || 4 || RW || Bits 0-1 = RAM size (0=16MB, 1=32MB, 2=64MB, 3=128MB)
| 25 || 0x08780000 -> 0x087BFFFFF User Write Enable
 
Bit 11 = ? (read-only)
 
Bits 24-31 = tachyon version
|-
|-
| 0xBC100044 || 4 || RW || SC/ME RPC interrupt. Writing 1 to bit 0 posts an interrupt to the opposite CPU
| 24 || 0x08780000 -> 0x087BFFFFF User Read Enable
|-
|-
| 0xBC100048 || 4 || RW || SC/ME semaphore. Appears to be a shared lock for both CPUs. Can be used as a spinlock
| 23 || 0x08740000 -> 0x0877FFFFF Kernel Write Enable
|-
|-
| 0xBC10004C || 4 || RW || Reset enable (set bit to assert RESET, clear to clear RESET)
| 22 || 0x08740000 -> 0x0877FFFFF Kernel Read Enable
 
|-
Bit 0 = Top
| 21 || 0x08740000 -> 0x0877FFFFF User Write Enable
|-
| 20 || 0x08740000 -> 0x0877FFFFF User Read Enable
|-
| 19 || 0x08700000 -> 0x0873FFFFF Kernel Write Enable
|-
| 18 || 0x08700000 -> 0x0873FFFFF Kernel Read Enable
|-
| 17 || 0x08700000 -> 0x0873FFFFF User Write Enable
|-
| 16 || 0x08700000 -> 0x0873FFFFF User Read Enable
|-
| 15 || 0x086c0000 -> 0x086FFFFFF Kernel Write Enable
|-
| 14 || 0x086c0000 -> 0x086FFFFFF Kernel Read Enable
|-
| 13 || 0x086c0000 -> 0x086FFFFFF User Write Enable
|-
| 12 || 0x086c0000 -> 0x086FFFFFF User Read Enable
|-
| 11 || 0x08680000 -> 0x086BFFFFF Kernel Write Enable
|-
| 10 || 0x08680000 -> 0x086BFFFFF Kernel Read Enable
|-
| 9 || 0x08680000 -> 0x086BFFFFF User Write Enable
|-
| 8 || 0x08680000 -> 0x086BFFFFF User Read Enable
|-
| 7 || 0x08640000 -> 0x0867FFFFF Kernel Write Enable
|-
| 6 || 0x08640000 -> 0x0867FFFFF Kernel Read Enable
|-
| 5 || 0x08640000 -> 0x0867FFFFF User Write Enable
|-
| 4 || 0x08640000 -> 0x0867FFFFF User Read Enable
|-
| 3 || 0x08600000 -> 0x08603FFFF Kernel Write Enable
|-
| 2 || 0x08600000 -> 0x08603FFFF Kernel Read Enable
|-
| 1 || 0x08600000 -> 0x08603FFFF User Write Enable
|-
| 0 || 0x08600000 -> 0x08603FFFF User Read Enable
|-
|}


Bit 1 = SC
{| class="wikitable sortable"
|-
! Physical Address !! Size !! R/W !! Description
|-
| 0xBC000030 || 32 || RW || Hardware register user read/write enable (range unknown). Used to access profiler from an user.
|-
| 0xBC000034 || 32 || RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC000038 || 32 || RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC00003C || 32 || RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC000040 || 32 || RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC000044 || 32 || RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC000048 || 32 || RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC00004C || 32 || RW || Hardware register user read/write enable (range unknown)
|-
|}


Bit 2 = ME
Granularity that these work on is not known. For each 1 bit an IO range is exposed to usermode for Read/Write. To find the usermode address, subtract 0x60000000 from the kernelmode one.


Bit 3 = AW
{| class="wikitable sortable"
 
|-
Bit 4 = VME
! Physical Address !! Size !! R/W !! Description
|-
| 0xBC000050 || 32 || ? || Reads 0x07EFFFFF
|-
|}


Bit 5 = AVC
= 0xBC100000: System Controller =


Bit 6 = USB
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBC100000 || 4 || RW || NMI enable mask


Bit 7 = ATA
Bits 0-15 = user NMI enable mask?


Bits 8-9 = Memstick Interface
Bits 16-31 = kernel NMI enable mask?
 
|-
Bit 10 = KIRK
| 0xBC100004 || 4 || RW || NMI flags (15 bits for NMI0 ~ NMI15)
 
|-
Bit 12 = ATA HDD
| 0xBC10000C || 4 || RW? || NMI12 control registers?
|-
| 0xBC100010 || 4 || RW? || NMI8 control registers?
|-
| 0xBC100014 || 4 || RW? || NMI9 control registers?
|-
| 0xBC100018 || 4 || RW? || NMI7 control registers?
|-
| 0xBC10001C || 4 || RW? || NMI6 control registers?
|-
| 0xBC100020 || 4 || RW? || NMI5 control registers?
|-
| 0xBC100024 || 4 || RW? || NMI4 control registers?
|-
| 0xBC100028 || 4 || RW? || NMI3 control registers?
|-
| 0xBC10002C || 4 || RW? || NMI2 control registers?
|-
| 0xBC100030 || 4 || RW? || NMI1 control registers?
|-
| 0xBC100034 || 4 || RW? || NMI0 control registers?
|-
| 0xBC10003C || 4 || RW || Unknown - used by sceSysreg_driver_0x4841B2D2, sceSysreg_driver_0x4E5C86AA, sceSysregDoTimerEvent
|-
| 0xBC100040 || 4 || RW || Bits 0-1 = RAM size (0=16MB, 1=32MB, 2=64MB, 3=128MB)


Bit 13 = USB Host
Bit 11 = ? (read-only)


Bits 14-15 = Memstick related?
Bits 24-31 = tachyon version
 
|-
Bit 16 = ?
| 0xBC100044 || 4 || RW || SC/ME RPC interrupt. Writing 1 to bit 0 posts an interrupt to the opposite CPU
|-
| 0xBC100048 || 4 || RW || SC/ME semaphore. Appears to be a shared lock for both CPUs. Can be used as a spinlock
|-
|-
| 0xBC100050 || 4 || RW || Bus clock enable (set a bit to enable clocking to the device, clear it to disable clocking)
| 0xBC10004C || 4 || RW || Reset enable (set bit to assert RESET, clear to clear RESET)


Bit 0 = ME
Bit 0 = Top


Bit 1 = AW RegA Bus
Bit 1 = SC


Bit 2 = AW RegB Bus
Bit 2 = ME


Bit 3 = AW Edram Bus
Bit 3 = AW


Bit 4 = DMACPlus
Bit 4 = VME


Bits 5-6 = DMAC
Bit 5 = AVC


Bit 7 = KIRK
Bit 6 = USB


Bit 8 = ATA
Bit 7 = ATA


Bit 9 = USB
Bits 8-9 = Memstick Interface


Bits 10-11 = Memstick Interface
Bit 10 = KIRK


Bit 12 = NAND (EMCDDR)
Bit 12 = ATA HDD


Bit 13 = NAND (EMCSM)
Bit 13 = USB Host


Bit 14 = APB (?)
Bits 14-15 = Memstick related?


Bits 15-16 = Audio
Bit 16 = ?
|-
| 0xBC100050 || 4 || RW || Bus clock enable (set a bit to enable clocking to the device, clear it to disable clocking)


Bit 17 = ATA HDD
Bit 0 = ME


Bit 18 = USB host
Bit 1 = AW RegA Bus


Bits 19-20 = ?
Bit 2 = AW RegB Bus
|-
| 0xBC100054 || 4 || RW || Clock enable


Bit 0 = ATA
Bit 3 = AW Edram Bus


Bit 1 = ATA HDD
Bit 4 = DMACPlus


Bit 4 = USB
Bits 5-6 = DMAC


Bit 7 = ?
Bit 7 = KIRK


Bits 8-9 = Memstick interface
Bit 8 = ATA


Bit 12 = EMCDDR (NAND)
Bit 9 = USB


Bit 16 = USB host
Bits 10-11 = Memstick Interface


Bits 20-21 = ?
Bit 12 = NAND (EMCDDR)


Bit 22 = ?
Bit 13 = NAND (EMCSM)
|-
| 0xBC100058 || 4 || RW || Clock enable


Bits 0-5 = SPI 0-5
Bit 14 = APB (?)


Bits 6-11 = UART 0-5
Bits 15-16 = Audio


Bits 12-15 = APB (Arm Peripheral Bus) Timer 0-3
Bit 17 = ATA HDD


Bits 16-17 = Audio 0-1
Bit 18 = USB host


Bits 18 = LCD Controller
Bits 19-20 = ?
|-
| 0xBC100054 || 4 || RW || Clock enable


Bits 19 = PWM
Bit 0 = ATA


Bits 20 = ?
Bit 1 = ATA HDD
 
Bit 4 = ?
 
Bit 7 = ?
 
Bits 8-9 = Memstick interface
 
Bit 12 = EMCDDR (NAND)
 
Bit 16 = USB host
 
Bits 20-21 = ?
 
Bit 22 = ?
|-
| 0xBC100058 || 4 || RW || Clock enable


Bits 21 = I2C
Bits 0-5 = SPI 0-5


Bit 22 = SIRCS (Sony Serial Infra-Red Control)
Bits 6-11 = UART 0-5
 
Bits 12-15 = APB (?) 0-3
 
Bits 16-17 = Audio 0-1
 
Bit 22 = SIRCS (?)


Bit 23 = GPIO
Bit 23 = GPIO
Line 498: Line 535:
| 0xBC100064 || 4 || RW || SPI clock select
| 0xBC100064 || 4 || RW || SPI clock select
|-
|-
| 0xBC100068 || 4 || RW || Bits 0-7: PLL frequency
| 0xBC100068 || 4 || RW || 0xF - PLL get/set out select
 
Bits 16-31: unknown, checked against by the iplloader, possibly related to jigkick
|-
| 0xBC100070 || 4 || RW || Set Avc power
|-
|-
| 0xBC100074 || 4 || RW || Unknown
| 0xBC100074 || 4 || RW || Unknown
|-
|-
| 0xBC100078 || 4 || RW || I/O enable
| 0xBC100078 || 4 || RW || I/O enable (?) (TODO: verify indices)


Bit 1 = EMCSM
Bit 0 = NAND


Bit 2 = USB
Bit 1 = USB


Bit 3 = ATA
Bit 2 = ATA


Bits 4-5 = MSIF
Bits 3-4 = Memstick Interface


Bit 6 = LCDC
Bit 5 = LCDC


Bits 7-8 = Audio
Bit 6-7 = Audio


Bit 9 = I2c
Bit 8 = IIC


Bit 10 = Sircs
Bit 9 = SIRCS


Bit 11 = AudioClkout
Bit 10 = Audio?


Bit 12 = Key (?)
Bit 11 = KEY


Bit 13 = PWM
Bit 12 = PWM


Bit 14 = ATA HDD
Bits 13-18 = UART


Bit 15 = TBD - needs more sysreg reversing
Bits 19-24 = SPI
 
|-
Bits 16-21 = UART 0-5
 
Bits 22-23 = TBD - needs more sysreg reversing
 
Bits 24-29 = SPI 0-5
 
Bits 30-31 = TBD - needs more sysreg reversing
 
|-
| 0xBC10007C || 4 || RW || Either GPIO pin enable, or GPIO pin direction
| 0xBC10007C || 4 || RW || Either GPIO pin enable, or GPIO pin direction
|-
|-
Line 579: Line 603:
|}
|}


= 0xBC200000: CPU/bus frequency =
= 0xBC200000: System Controller? =


{| class="wikitable"
{| class="wikitable"
Line 588: Line 612:
! Description
! Description
|-
|-
| 0xBC200000 || 4 || RW || CPU frequency
| 0xBC200000 || 4 || RW || Unknown (used by sceSysreg_driver)
 
Bits 0-8 = denominator
 
Bits 16-24 = numerator
 
|-
|-
| 0xBC200004 || 4 || RW || Bus frequency (same bits as above)
| 0xBC200004 || 4 || RW || Unknown (used by sceSysreg_driver)
|}
|}


Line 607: Line 626:
! Description
! Description
|-
|-
| 0xBC300000 || 4 || RW || Flags for the unmasked interrupts out of the first 32 interrupts (see below for the list of interrupts)
| 0xBC300000 || 4 || RW || Unknown
|-
|-
| 0xBC300004 || 4 || RW || Flags for the first 32 interrupts
| 0xBC300004 || 4 || RW || Flags for the first 32 interrupts (see below for the list of interrupts)
|-
|-
| 0xBC300008 || 4 || RW || Mask for the first 32 interrupts
| 0xBC300008 || 4 || RW || Mask for the first 32 interrupts (see below for the list of interrupts)
|-
|-
| 0xBC300010 || 4 || RW || Flags for the unmasked interrupts out of the next 32 interrupts
| 0xBC300010 || 4 || RW || Unknown
|-
|-
| 0xBC300014 || 4 || RW || Flags for the next 32 interrupts
| 0xBC300014 || 4 || RW || Flags for the next 32 interrupts
Line 619: Line 638:
| 0xBC300018 || 4 || RW || Mask for the next 32 interrupts
| 0xBC300018 || 4 || RW || Mask for the next 32 interrupts
|-
|-
| 0xBC300020 || 4 || RW || Flags for the unmasked interrupts out of the last 32 interrupts
| 0xBC300020 || 4 || RW || Unknown
|-
|-
| 0xBC300024 || 4 || RW || Flags for the last 32 interrupts
| 0xBC300024 || 4 || RW || Flags for other interrupts?
|-
|-
| 0xBC300028 || 4 || RW || Mask for the last 32 interrupts
| 0xBC300028 || 4 || RW || Mask for other interrupts?
|-
|-
|}
|}
Line 661: Line 680:
| 13 || KEY
| 13 || KEY
|-
|-
| 14 || IrDA (SIRS)
| 14 || IrDA
|-
|-
| 15 || Systimer 0
| 15 || Systimer 0
Line 686: Line 705:
|-
|-
| 26 || USB_MAIN
| 26 || USB_MAIN
|-
| 27 || eFlash ATA2
|-
| 28 || eFlash DMA
|-
|-
| 30 || Display VSync
| 30 || Display VSync
Line 838: Line 853:
|-
|-
| 0xBC50003C || 4 ||    RW || Same as above, for hardware timer 3
| 0xBC50003C || 4 ||    RW || Same as above, for hardware timer 3
|-
| 0xBC500100 || 4 ||    R  || Get status read-only (?) for hardware timer 1
|-
| 0xBC500110 || 4 ||    R  || Get status read-only (?) for hardware timer 1
|-
| 0xBC500120 || 4 ||    R  || Get status read-only (?) for hardware timer 1
|-
| 0xBC500130 || 4 ||    R  || Get status read-only (?) for hardware timer 1
|-
|-
| 0xBC5003D0 || 4 ||    RW || Same as 0xBC500000, but with the current PSP's system time value. A timer's current count is computed by subtracting the timer's base time (the init time point) from this value.
| 0xBC5003D0 || 4 ||    RW || Same as 0xBC500000, but with the current PSP's system time value. A timer's current count is computed by subtracting the timer's base time (the init time point) from this value.
Line 873: Line 880:
|-
|-
|}
|}
= 0xBC700000: ? =


= 0xBC800000: DMACPlus =
= 0xBC800000: DMACPlus =
Line 999: Line 1,008:
|}
|}


== DMA processing ==
== Unknown ==


{| class="wikitable"
{| class="wikitable"
Line 1,008: Line 1,017:
! Description
! Description
|-
|-
| 0xBC800180 || 4 || RW || DMA channel 0 source address
| 0xBC800180 || ? || ? || Unknown
|-
|-
| 0xBC800184 || 4 || RW || DMA channel 0 destination address
|}
|-
| 0xBC800188 || 4 || RW || DMA channel 0 address for the next instruction (which is another source/destination/attr/status set)
|-
| 0xBC80018C || 4 || RW || DMA channel 0 attributes


Bits 0-11: length
= 0xBC900000: DMAC related =


Bits 12-14: src step
= 0xBCA00000: DMAC related =


Bits 15-17: dst step
= 0xBCC00000: VME Control =


Bits 18-20: src length shift
These can only be accessed from the ME CPU.


Bits 21-23: dst length shift
{| class="wikitable"
 
Bits 24-25: unknown
 
Bit 26: src increment
 
Bit 27: dst increment
 
Bit 31: trigger interrupt
|-
|-
| 0xBC800190 || 4 || RW || DMA channel 0 status
! Address
 
! Size
Bit 0: in progress
! Read/write
 
! Description
Bits 4-7: DDR value
|-
 
| 0xBCC00010 || 4 || RW || VME reset: writing anything here causes the VME to reset; it reads 0xFFFFFFFF while resetting, and 0 when reset is complete
Bit 8: DDR required
|-
| 0xBCC00030 || 4 || W? || Unknown, 8 is stored there when the ME boots
|-
|-
| 0xBC8001A0 || 20 || RW || Same as above, for DMA channel 1
| 0xBCC00040 || 4 || W? || Unknown, 2 is stored there when the ME boots
|-
|-
| 0xBC8001C0 || 20 || RW || Same as above, for DMA channel 2
| 0xBCC00070 || 4 || W? || Unknown, 1 is stored there when the ME boots
|-
|-
|}
|}


= 0xBC900000 & 0xBCA00000: DMAC =
= 0xBD000000: DDR? =


TODO: this could be the same as 0xBC800000, just for more processors (8 for 0xBC900000, 8 for 0xBCA00000)
= 0xBD100000: NAND Flash =


{| class="wikitable"
{| class="wikitable"
|-
|-
! Address !! Size !! R/W !! Description
! Address
! Size
! Read/write
! Description
|-
|-
| 0xBC900020 || 4 || W? || Unknown (DMA soft request-related)
| 0xBD101000 || 4 || R || NAND control
|-
| 0xBC900024 || 4 || W? || Unknown (DMA soft request-related)
|-
| 0xBC900028 || 4 || W? || Unknown (DMA soft request-related)
|-
| 0xBC90002C || 4 || W? || Unknown (DMA soft request-related)
|-
| 0xBC900100 || 4 || RW || DMA channel 0 status


Bit 0 = ?
Bit 16 = read ECC (0 = don't calculate, 1 = calculate)


Bit 1 = reads 1 when channel reset/reboot in complete
Bit 17 = write ECC (0 = don't calculate, 1 = calculate)
 
Bit 2 = write 1 to require a reset/reboot
|-
|-
| 0xBC900108 || 4 || RW || Set to 0xFF on reboot
| 0xBD101004 || 4 || R || NAND status
|-
| 0xBC900110 || 4 || RW || Set to 0xFF on reboot
|-
| 0xBC900130 || 4 || RW || Bit 0 set to 0 on reboot
|-
| 0xBC900120 || 32 || RW || Same as above, for DMA channel 1
|-
| 0xBC900140 || 32 || RW || Same as above, for DMA channel 2
|-
| 0xBC900160 || 32 || RW || Same as above, for DMA channel 3
|-
| 0xBC900180 || 32 || RW || Same as above, for DMA channel 4
|-
| 0xBC9001A0 || 32 || RW || Same as above, for DMA channel 5
|-
| 0xBC9001C0 || 32 || RW || Same as above, for DMA channel 6
|-
| 0xBC9001E0 || 32 || RW || Same as above, for DMA channel 7
|-
| 0xBCA00100 || 32 || RW || Same as above, for DMA channel 8
|-
| 0xBCA00120 || 32 || RW || Same as above, for DMA channel 9
|-
| 0xBCA00140 || 32 || RW || Same as above, for DMA channel 10
|-
| 0xBCA00160 || 32 || RW || Same as above, for DMA channel 11
|-
| 0xBCA00180 || 32 || RW || Same as above, for DMA channel 12
|-
| 0xBCA001A0 || 32 || RW || Same as above, for DMA channel 13
|-
| 0xBCA001C0 || 32 || RW || Same as above, for DMA channel 14
|-
| 0xBCA001E0 || 32 || RW || Same as above, for DMA channel 15
|-
|}


= 0xBCC00000: VME Control =
Bit 0 = status (0 = busy, 1 = ready)


These can only be accessed from the ME CPU.
Bit 7 = write protection (1 = write protected)
|-
| 0xBD101008 || 4 || W || NAND command


{| class="wikitable"
0x00/0x01 = read (1?)
|-
 
! Address
0x50 = read (2?)
! Size
 
! Read/write
0x90 = read ID
! Description
|-
| 0xBCC00010 || 4 || RW || VME reset: writing anything here causes the VME to reset; it reads 0xFFFFFFFF while resetting, and 0 when reset is complete
|-
| 0xBCC00030 || 4 || W? || Unknown, 8 is stored there when the ME boots
|-
| 0xBCC00040 || 4 || W? || Unknown, 2 is stored there when the ME boots
|-
| 0xBCC00070 || 4 || W? || Unknown, 1 is stored there when the ME boots
|-
|}


= 0xBD000000: DDR =
0xFF = reset


{| class="wikitable"
0x80, or 0x10 at 2nd cycle = page program
|-
 
! Address
0x00, or 0x8A at 2nd cycle = copy-back program
! Size
 
! Read/write
0x60, or 0xD0 at 2nd cycle = block erase
! Description
 
0x70 = read status
|-
|-
| 0xBD000004 || 4 || RW || DDR flush
| 0xBD10100C || 4 || W || NAND address.
 
Bits 10-26: page to access.
 
Possibly just LBA >> 1?
|-
|-
| 0xBD000020 || 4 || RW || Unknown
| 0xBD101014 || 4 || W || NAND reset? (bit 0)
|-
|-
| 0xBD000024 || 4 || RW || Unknown
| 0xBD101020 || 4 || W || NAND DMA address
|-
| 0xBD00002C || 4 || RW || Unknown, used by IPL
|-
| 0xBD000030 || 4 || RW || Unknown, used during sceDdrChangePllClock()
|-
| 0xBD000034 || 4 || RW || Unknown, used during sceDdrChangePllClock()
|-
| 0xBD000038 || 4 || RW || Unknown, used by IPL
|-
| 0xBD000040 || 4 || RW || Unknown, used during sceDdrChangePllClock()
|-
| 0xBD000044 || 4 || RW || Unknown, used during sceDdrChangePllClock()
|-
|}


= 0xBD100000: NAND Flash =
Bits 10-26: page to access during DMA.


{| class="wikitable"
Possibly just LBA >> 1?
|-
|-
! Address
| 0xBD101024 || 4 || RW || NAND DMA control
! Size
! Read/write
! Description
|-
| 0xBD101000 || 4 || R || NAND control


Bit 16 = read ECC (0 = don't calculate, 1 = calculate)
Bit 0 = DMA transfer progress (0 = stopped, 1 = running)


Bit 17 = write ECC (0 = don't calculate, 1 = calculate)
Bit 1 = transfer direction (0 = NAND -> MEM, 1 = MEM -> NAND)
|-
| 0xBD101004 || 4 || R || NAND status


Bit 0 = status (0 = busy, 1 = ready)
Bit 8 = page data transfer enabled


Bit 7 = write protection (1 = write protected)
Bit 9 = spare data transfer enabled
|-
| 0xBD101028 || 4 || R || NAND DMA status
|-
| 0xBD101038 || 4 || RW || NAND DMA intr?
|-
|-
| 0xBD101008 || 4 || W || NAND command
| 0xBD101200 || 4 || RW || NAND resume? (0x0B040205 to resume)
 
|-
0x00/0x01 = read (1?)
| 0xBD101300 || 4 || RW || NAND serial data
|-
|}


0x50 = read (2?)
= 0xBD200000: MemoryStick =


0x90 = read ID
= 0xBD300000: WLAN =


0xFF = reset
= 0xBD400000: Graphics Engine =


0x80, or 0x10 at 2nd cycle = page program
{| class="wikitable"
|-
! Physical Address !! Size !! R/W !! Description
|-
| 0xBD400000 || 4 || RW || RW bit 1: set to 1 to reset, wait until bit is 0 to know the GE has been reset
|-
| 0xBD400004 || 4 || RW? || Unknown (accessible through sceGeSet/GetReg() and passed to the interrupt handlers but unused)
|-
| 0xBD400008 || 4 || R || RO bits 0x0000FFFF: shifted left by 10, gives the EDRAM hardware size (sceGeEdramGetHwSize()) (only used for tachyon < 0x00500000)
|-
| 0xBD400100 || 4 || RW || RW bit 0x001: 0 = stopped, 1 = running


0x00, or 0x8A at 2nd cycle = copy-back program
R  bit 0x002: 0 = branching condition true, 1 = false


0x60, or 0xD0 at 2nd cycle = block erase
R  bit 0x100: 1 = is at depth 1 (or 2) of calls


0x70 = read status
R  bit 0x200: 1 = is at depth 2 of calls
|-
|-
| 0xBD10100C || 4 || W || NAND address.
| 0xBD400104 || 4 || RW? || Unknown (accessible through sceGeSet/GetReg() but unused)
 
Bits 10-26: page to access.
 
Possibly just LBA >> 1?
|-
|-
| 0xBD101014 || 4 || W || NAND reset? (bit 0)
| 0xBD400108 || 4 || RW || Address of the display list currently being run
|-
|-
| 0xBD101020 || 4 || W || NAND DMA address
| 0xBD40010C || 4 || RW || Stall address of the display list (0 = no stall address)
 
Bits 10-26: page to access during DMA.
 
Possibly just LBA >> 1?
|-
|-
| 0xBD101024 || 4 || RW || NAND DMA control
| 0xBD400110 || 4 || RW || First return address (after the first CALL command)
 
Bit 0 = DMA transfer progress (0 = stopped, 1 = running)
 
Bit 1 = transfer direction (0 = NAND -> MEM, 1 = MEM -> NAND)
 
Bit 8 = page data transfer enabled
 
Bit 9 = spare data transfer enabled
|-
|-
| 0xBD101028 || 4 || R || NAND DMA status
| 0xBD400114 || 4 || RW || Second return address (after the second CALL command)
|-
|-
| 0xBD101038 || 4 || RW || NAND DMA intr?
| 0xBD400118 || 4 || RW || Address of vertices (for bezier etc)
|-
|-
| 0xBD101200 || 4 || RW || NAND resume? (0x0B040205 to resume)
| 0xBD40011C || 4 || RW || Address of indices (for bezier etc)
|-
|-
| 0xBD101300 || 4 || RW || NAND serial data
| 0xBD400120 || 4 || RW || Address of the origin (set by ORIGIN, destination address for JUMP/BJUMP/CALL after adding BASE and the address specified in the command)
|-
|-
|}
| 0xBD400124 || 4 || RW || Same as above, for the first call
 
= 0xBD200000: MemoryStick =
 
{| class="wikitable"
|-
|-
! Address !! Size !! R/W !! Description
| 0xBD400128 || 4 || RW || Same as above, for the second call
|-
|-
| 0xBD200000 || 2 || RW || MemoryStick interrupt
| 0xBD400200 || 4 || RW || Bit 1 set by sceGeSetGeometryClock(), exact usage unknown
 
Bit 0 = reg address
 
Bit 4 = cmdnk (command cannot be executed)
 
Bit 5 = breq (buffer request)
 
Bit 6 = error
 
Bit 7 = ced (command end)
 
|-
|-
| 0xBD200002 || 2 || W? || Unknown
| 0xBD400300 || 4 || RW || Unknown (accessible through sceGeSet/GetReg() but unused)
|-
|-
| 0xBD200004 || 2 || RW || Command state
| 0xBD400304 || 4 || R || Current interrupt status?
 
Bit 0: busy
 
|-
|-
| 0xBD200010 || 2 || W? || Number of pages
| 0xBD400308 || 4 || RW || Currently accepted interrupts? (1 = SIGNAL, 2 = END, 4 = FINISH, 8 = ERROR)
|-
|-
| 0xBD200012 || 2 || W? || OOB length
| 0xBD40030C || 4 || W? || Set to the value of 0xBD400308 on init & reset
|-
|-
| 0xBD200014 || 2 || W? || Start block
| 0xBD400310 || 4 || W? || Set current interrupt status? Set to the value of 0xBD400308 on init & reset
|-
|-
| 0xBD200016 || 2 || W? || Set command to read and set page LBA
| 0xBD400400 || 4 || RW || Set to 4 when the used edram size is 0x00200000 and 2 when it's 0x00400000 (!)
|-
|-
| 0xBD200020 || 2 || W? || Unknown
| 0xBD400800 || 1024 || R || Each type a command is executed by the GE, its value, including arguments, is saved here (4 bytes per command)
|-
|-
| 0xBD200024 || 2 || R || Read OOB data
| 0xBD400C00 || 384 || R || BONE matrices
|-
|-
| 0xBD200024 || 1 || W || Write command data
| 0xBD400D80 || 48 || R || WORLD matrices
|-
|-
| 0xBD200028 || 2 or 4 || RW || Read/write page data
| 0xBD400DB0 || 48 || R || VIEW matrices
|-
|-
| 0xBD200030 || 4 || RW || Start TPC
| 0xBD400DE0 || 48 || R || PROJ matrices
 
|-
Bits 0-9 = size
| 0xBD400E20 || 48 || R || TGEN matrices
 
Bits 12-31 = TPC code
 
Code 1 = read MG status
 
Code 2 = read page data
 
Code 3 = read short data
 
Code 4 = read reg
 
Code 5 = read IO data
 
Code 7 = get int
 
Code 8 = set rw reg address
 
Code 9 = ex set cmd
 
Code 10 = write IO data
 
Code 11 = write reg
 
Code 12 = write short data
 
Code 13 = write page data
 
Code 14 = set cmd
 
|-
|-
| 0xBD200034 || 2 or 4 || RW || Read/write TPC data
| 0xBD400E50 || 48 || R || COUNT matrices (probably)
|-
|-
| 0xBD200038 || 2 or 4 || RW || Memstick status
|}


Bits 0-3 = bits 4-7 from the reg address register
= 0xBD500000: Graphics Engine EDRAM =


Bit 8 = timeout
{| class="wikitable"
 
Bit 9 = CRC error
 
Bit 12 = ready
 
Bit 13 = unknown
 
Bit 14 = FIFO RW
|-
|-
| 0xBD20003C || 4 || RW || Memstick sys
! Address
 
! Size
Bit 9 = command
! Read/write
 
! Description
Bit 11 = interrupt
 
Bit 15 = reset
|-
|-
| 0xBD200040 || 4 || RW || Unknown
| 0xBD500000 || 4 || RW || Unknown, bits 0x00F00000 set by sceGeEdramSetRefreshParam's 4th argument
|-
|-
|}
| 0xBD500010 || 4 || RW || Set to 2 before reset and 0 after reset is done, bit 1 seems to be initialization (used by sceGeEdramInit())
 
= 0xBD300000: WLAN =
 
The interface to the WLAN is the same as to the Memorystick, just with different commands.
 
= 0xBD400000: Graphics Engine =
 
{| class="wikitable"
|-
|-
! Physical Address !! Size !! R/W !! Description
| 0xBD500020 || 4 || RW || Set to 0x6C4 by default and bits 0x007FFFFF set by sceGeEdramSetRefreshParam's second argument
|-
|-
| 0xBD400000 || 4 || RW || RW bit 1: set to 1 to reset, wait until bit is 0 to know the GE has been reset
| 0xBD500030 || 4 || RW || Bits 0x000003FF set by sceGeEdramSetRefreshParam's third argument
|-
|-
| 0xBD400004 || 4 || RW? || Unknown (accessible through sceGeSet/GetReg() and passed to the interrupt handlers but unused)
| 0xBD500040 || 4 || RW || Set to 1 in sceGeEdramInit(), and to 3 if sceGeEdramSetRefreshParam's first argument (mode) is 1 and the bit 2 isn't set
|-
|-
| 0xBD400008 || 4 || R || RO bits 0x0000FFFF: shifted left by 10, gives the EDRAM hardware size (sceGeEdramGetHwSize()) (only used for tachyon < 0x00500000)
| 0xBD500050 || 4 || RW || Unknown, accessible through sceGeSetReg/GetReg()
|-
|-
| 0xBD400100 || 4 || RW || RW bit 0x001: 0 = stopped, 1 = running
| 0xBD500060 || 4 || RW || Unknown, accessible through sceGeSetReg/GetReg()
 
R  bit 0x002: 0 = branching condition true, 1 = false
 
R  bit 0x100: 1 = is at depth 1 (or 2) of calls
 
R  bit 0x200: 1 = is at depth 2 of calls
|-
|-
| 0xBD400104 || 4 || RW? || Status? (accessible through sceGeSet/GetReg() but unused)
| 0xBD500070 || 4 || RW || Bit 1: disable address translation
|-
|-
| 0xBD400108 || 4 || RW || Address of the display list currently being run
| 0xBD500080 || 4 || RW || The address translation value
|-
|-
| 0xBD40010C || 4 || RW || Stall address of the display list (0 = no stall address)
| 0xBD500090 || 4 || RW || Unknown, set to 3 in sceGeEdramInit(), accessible through sceGeSetReg/GetReg()
|-
|-
| 0xBD400110 || 4 || RW || First return address (after the first CALL command)
| 0xBD5000A0 || 4 || RW || Unknown, accessible through sceGeSetReg/GetReg()
|-
|-
| 0xBD400114 || 4 || RW || Second return address (after the second CALL command)
|}
|-
 
| 0xBD400118 || 4 || RW || Address of vertices (for bezier etc)
= 0xBD600000: ATA/UMD =
 
= 0xBD700000: ATA/UMD =
 
= 0xBD800000: USB =
 
= 0xBDE00000: KIRK =
 
{| class="wikitable"
|-
|-
| 0xBD40011C || 4 || RW || Address of indices (for bezier etc)
! Address
! Size
! Read/write
! Description
|-
|-
| 0xBD400120 || 4 || RW || Address of the origin (set by ORIGIN, destination address for JUMP/BJUMP/CALL after adding BASE and the address specified in the command)
| 0xBDE00000 || 4 || R || KIRK signature 'KIRK' (or 1?)
|-
|-
| 0xBD400124 || 4 || RW || Same as above, for the first call
| 0xBDE00004 || 4 || R || KIRK version '0010' (or 1?)
|-
|-
| 0xBD400128 || 4 || RW || Same as above, for the second call
| 0xBDE00008 || 4 || RW || Set to 1 on error by the command subroutine
|-
|-
| 0xBD400200 || 4 || RW || Bit 1 set by sceGeSetGeometryClock(), exact usage unknown
| 0xBDE0000C || 4 || RW || Set to 1 to start processing
|-
|-
| 0xBD400300 || 4 || RW || Unknown (accessible through sceGeSet/GetReg() but unused)
| 0xBDE00010 || 4 || RW || KIRK command
|-
 
| 0xBD400304 || 4 || RW || Get/set current command status (1 = SIGNAL, 2 = END, 4 = FINISH, 8 = ERROR)
0x01 = Private decrypt
|-
 
| 0xBD400308 || 4 || RW || Get/clear interrupts
0x02 = Encrypt (type2)
|-
| 0xBD40030C || 4 || W || Change interrupts (ie swap the status of specified interrupts)
|-
| 0xBD400310 || 4 || W || Change command status (ie swap the status of specified bits)
|-
| 0xBD400400 || 4 || RW || Set to 4 when the used edram size is 0x00200000 and 2 when it's 0x00400000 (!)
|-
| 0xBD400800 || 1024 || R || Each type a command is executed by the GE, its value, including arguments, is saved here (4 bytes per command)
|-
| 0xBD400C00 || 384 || R || BONE matrices
|-
| 0xBD400D80 || 48 || R || WORLD matrices
|-
| 0xBD400DB0 || 48 || R || VIEW matrices
|-
| 0xBD400DE0 || 48 || R || PROJ matrices
|-
| 0xBD400E20 || 48 || R || TGEN matrices
|-
| 0xBD400E50 || 48 || R || COUNT matrices (probably)
|-
|}


= 0xBD500000: Graphics Engine EDRAM =
0x03 = Decrypt (type2)


{| class="wikitable"
0x04 = Encrypt (type3) (IV = 0)
|-
 
! Address
0x05 = Encrypt (type3) (IV = Fuse)
! Size
 
! Read/write
0x06 = Encrypt (type3) (IV = User)
! Description
 
|-
0x07 = Decrypt (type3) (IV = 0)
| 0xBD500000 || 4 || RW || Unknown, bits 0x00F00000 set by sceGeEdramSetRefreshParam's 4th argument
 
|-
0x08 = Decrypt (type3) (IV = Fuse)
| 0xBD500010 || 4 || RW || Set to 2 before reset and 0 after reset is done, bit 1 seems to be initialization (used by sceGeEdramInit())
 
|-
0x09 = Decrypt (type3) (IV = User)
| 0xBD500020 || 4 || RW || Set to 0x6C4 by default and bits 0x007FFFFF set by sceGeEdramSetRefreshParam's second argument
 
|-
0x0A = Private Signature Check
| 0xBD500030 || 4 || RW || Bits 0x000003FF set by sceGeEdramSetRefreshParam's third argument
 
|-
0x0B = SHA-1 Hash
| 0xBD500040 || 4 || RW || Set to 1 in sceGeEdramInit(), and to 3 if sceGeEdramSetRefreshParam's first argument (mode) is 1 and the bit 2 isn't set
 
0x0C = ECDSA Key Generate
 
0x0D = ECDSA Point Multiply
 
0x0E = Pseudo-random Number Generator
 
0x0F = PRNG Seed? Init?
 
0x10 = ECDSA Sign
 
0x11 = ECDSA Signature Check
|-
|-
| 0xBD500050 || 4 || RW || Unknown, accessible through sceGeSetReg/GetReg()
| 0xBDE00014 || 4 || RW || Result of the command
|-
|-
| 0xBD500060 || 4 || RW || Unknown, accessible through sceGeSetReg/GetReg()
| 0xBDE00018 || 4 || RW || Unknown
|-
|-
| 0xBD500070 || 4 || RW || Bit 1: disable address translation
| 0xBDE0001C || 4 || RW || KIRK status
|-
 
| 0xBD500080 || 4 || RW || The address translation value
Bit 0 = phase finish
|-
 
| 0xBD500090 || 4 || RW || Unknown, set to 3 in sceGeEdramInit(), accessible through sceGeSetReg/GetReg()
Bit 1 = phase error?
|-
 
| 0xBD5000A0 || 4 || RW || Unknown, accessible through sceGeSetReg/GetReg()
Bit 4 = phase 2 needed
|-
|}


= 0xBD600000: ATA/UMD =
Bit 5 = ? (phase 1 error maybe?)


{| class="wikitable"
This should be used for checking processing status, and will notify when the processing has finished.
All bits are 0 while execution is still in progress.
If the command has two phases, Phase 2 Needed will be set when Phase Finish gets set.
Bit1 and bit5 are not well known, but it seems that bit1 is Error for Phase 1, and Success for Phase 2? Bit5 is only checked for Phase 1, and leads to the same error codepath as bit1.
|-
|-
! Address
| 0xBDE00020 || 4 || RW || Unknown
! Size
! Read/write
! Description
|-
|-
| 0xBD600000 || 4 || R? || Unknown (returns 0x00010033)
| 0xBDE00024 || 4 || RW || Unknown
|-
|-
| 0xBD600004 || 4 || W? || Unknown (0x04028002 is written here)
| 0xBDE00028 || 4 || RW || Set to the value of 0xBDE0001C at the end of the command subroutine
|-
|-
| 0xBD600010 || 4 || RW || Unknown (reset?)
| 0xBDE0002C || 4 || RW || KIRK source buffer (physical address)
|-
|-
| 0xBD600014 || 4 || W? || Unknown
| 0xBDE00030 || 4 || RW || KIRK destination buffer (physical address)
|-
|-
| 0xBD60001C || 4 || W? || Unknown (0x00020A0C is written here)
| 0xBDE0004C || 4 || RW || Unknown
|-
|-
| 0xBD600034 || 4 || RW || Unknown (0 is written here)
| 0xBDE00050 || 4 || RW || Unknown
|-
|-
| 0xBD600038 || 4 || W? || Unknown (0x00010100 is written here)
|}
 
= 0xBDF00000: UMD? =
 
= 0xBE000000: Audio =
 
= 0xBE100000: MagicGate hardware for memory stick? =
 
= 0xBE140000: LCDC =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE140000 || 4 || RW || First LCDC controller enable
|-
|-
| 0xBD600040 || 4 || RW || Unknown (0 is written here, flag 0x2 is tested)
|}
{| class="wikitable"
|-
|-
| 0xBD600044 || 4 || W? || Unknown
! Bit(s)
! Usage
|-
| 0-1 || 3: enable first LCDC controller (tachyon version < 0x800000; otherwise it's set to 0)
|-
|-
|}
|}
= 0xBD700000: ATA/UMD =


{| class="wikitable"
{| class="wikitable"
Line 1,481: Line 1,356:
! Description
! Description
|-
|-
| 0xBD700000 || 2 || RW || Read/write data
| 0xBE140004 || 4 || RW || Synchronization difference: (xsync / zoom) - ysync
|-
|-
| 0xBD700001 || 1 || RW || Features (?)
| 0xBE140008 || 4 || RW || Unknown (fourth argument of sceLcdcCheckMode and sceLcdcSetMode)
|-
|-
| 0xBD700002 || 1 || RW || Sector count
| 0xBE140010 || 4 || RW || X back porch
|-
|-
| 0xBD700003 || 1 || RW || Sector number
| 0xBE140014 || 4 || RW || X sync width
|-
|-
| 0xBD700004 || 1 || RW || Cylinder low
| 0xBE140018 || 4 || RW || X front porch
|-
|-
| 0xBD700005 || 1 || RW || Cylinder high
| 0xBE14001C || 4 || RW || X resolution
|-
|-
| 0xBD700006 || 1 || RW || Drive
| 0xBE140020 || 4 || RW || Y back porch
|-
|-
| 0xBD700007 || 1 || RW || Command
| 0xBE140024 || 4 || RW || Y sync width
 
Cmd 0x00 = nop
 
Cmd 0x08 = device reset
 
Cmd 0x70 = seek
 
Cmd 0x90 = exec device diagnostic
 
Cmd 0xA0 = packet
 
Cmd 0xA1 = identify packet device
 
Cmd 0xC6 = set multiplue
 
Cmd 0xC8 = read
 
Cmd 0xCA = write
 
Cmd 0xDE = media lock
 
Cmd 0xDF = media unlock
 
Cmd 0xE0 = standby
 
Cmd 0xE2 = standby immediate
 
Cmd 0xE3 = idle
 
Cmd 0xE5 = check power mode
 
Cmd 0xE6 = sleep
 
Cmd 0xE7 = flush
 
Cmd 0xEC = ID ATA
 
Cmd 0xED = media eject
 
Cmd 0xEF = set features
 
Cmd 0xF0 = psp reset
 
|-
|-
| 0xBD700008 || 1 || W? || End of data
| 0xBE140028 || 4 || RW || Y front porch
|-
|-
| 0xBD70000E || 1 || RW || Control
| 0xBE14002C || 4 || RW || Y resolution
 
|-
Bit 2 = soft reset
| 0xBE140030 || 4 || R || HPC (?), returned by sceLcdcReadHPC()
|-
| 0xBE140034 || 4 || R || VPC (?), returned by sceLcdcReadVPC()
|-
| 0xBE140040 || 4 || RW || Y shift (between hardware & software resolution)
|-
| 0xBE140044 || 4 || RW || X shift (between hardware & software resolution)
|-
| 0xBE140048 || 4 || RW || Scaled X resolution
|-
| 0xBE14004C || 4 || RW || Scaled Y resolution (same as the physical Y resolution)
|-
| 0xBE140050 || 4 || RW || Unknown, set to 1, maybe used by sceLcdcReadUnderflow (to be verified)
|-
| 0xBE140070 || 4 || W || Set to 1 when running sceLcdcResume() or sceLcdcInit() on tachyon version >= 0x5000000
|-
|-
|}
|}


= 0xBD800000: USB =
The exact same registers are at 0xBE1401.., these ones being used for tachyon version >= 0x8000000 (PSP Go?). <br>
These registers are only set on tachyo version >= 0x8000000:


{| class="wikitable"
{| class="wikitable"
Line 1,557: Line 1,404:
! Description
! Description
|-
|-
| 0xBD800000 || 4 || RW || Get/set control of first sending endpoint
| 0xBE140180 || 4 || RW || Always set to 1 when 0xBE140184 - 0xBE140198 are used
 
|-
Bit 1 = unknown
| 0xBE140184 || 4 || RW || Scaled X resolution (read instead of the (real) X resolution above when enabled)
 
Bit 3 = unknown
 
Bits 4-5 = transfer type
 
Bit 6 = unknown
 
Bit 7 = unknown
 
Bit 8 = unknown
|-
|-
| 0xBD800004 || 4 || RW || Read/clear status of first sending endpoint
| 0xBE140188 || 4 || RW || Y resolution (read instead of the (real) Y resolution above when enabled)
 
Bits 4, 5, 6, 7, 9, 10, 14 = unknown
|-
|-
| 0xBD800008 || 4 || RW || Max packet size in words for first sending endpoint
| 0xBE14018C || 4 || RW || Unknown (0x580 - 0x678)
|-
|-
| 0xBD80000C || 4 || RW || Max packet size in bytes for first sending endpoint (possible value: 0x40)
| 0xBE140190 || 4 || RW || Unknown (0x4C4 - 0x71C)
|-
|-
| 0xBD800010 || 4 || RW || Unknown address, for first sending endpoint (0x80000000 is written there)
| 0xBE140194 || 4 || RW || Unknown (0xAFC - 0xCEC)
|-
|-
| 0xBD800014 || 4 || RW || Unknown address, for first sending endpoint (0x80000000 is written there)
| 0xBE140198 || 4 || RW || Unknown (0x910 - 0xE38)
|-
|-
| 0xBD800020 || 24 || RW || Same as above, for 2nd sending endpoint
| 0xBE140200 || 4 || W || Set to 1 on initialization
|-
|-
| 0xBD800040 || 24 || RW || Same as above, for 3rd sending endpoint
|}
|-
| 0xBD800060 || 24 || RW || Same as above, for 4th sending endpoint
|-
| 0xBD800080 || 24 || RW || Same as above, for 5th sending endpoint
|-
| 0xBD800200 || 24 || RW || Same as above, for 1st receiving endpoint
|-
| 0xBD800220 || 24 || RW || Same as above, for 2nd receiving endpoint
|-
| 0xBD800240 || 24 || RW || Same as above, for 3rd receiving endpoint
|-
| 0xBD800260 || 24 || RW || Same as above, for 4th receiving endpoint
|-
| 0xBD800280 || 24 || RW || Same as above, for 5th receiving endpoint
|-
| 0xBD800400 || 4 || RW || Unknown (possible values: 0xA0, 0x8 = activated without charging, 0x1)
|-
| 0xBD800404 || 4 || RW || Unknown
|-
| 0xBD800408 || 4 || R? || Unknown
|-
| 0xBD80040C || 4 || RW || Clear/read connection interrupt


Value 0 = connect
= 0xBE200000: I2c =


Value 1 = streaming
= 0xBE240000: GPIO =


Value 2 = detach 1
= 0xBE300000: Power management? =
 
Value 4 = detach 2
 
Value 6 = unknown
|-
| 0xBD800410 || 4 || RW || Set/get enabled connection interrupts (same bits as above)
|-
| 0xBD800414 || 4 || RW || Unknown
|-
| 0xBD800418 || 4 || RW || Disabled endpoints interfaces (bits 0-8 = sending, and bits 16-24 = receiving?)
|-
| 0xBD80041C || 4 || RW || Unknown (possible value: 0)
|-
| 0xBD800504 || 4 || W? || Unknown
|-
| 0xBD800508 || 4 || W? || Unknown
|-
| 0xBD80050C || 4 || W? || Unknown
|-
| 0xBD800510 || 4 || W? || Unknown
|-
| 0xBD800514 || 4 || W? || Unknown
|-
|}
 
= 0xBD900000: EFlash (PSP Go only) =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBD900004 || 4 || W? || Unknown, set to 0x04024002
|-
| 0xBD900010 || 4 || W? || Write 1 to reset
|-
| 0xBD900014 || 4 || W? || Unknown
|-
| 0xBD900018 || 4 || W? || Unknown
|-
| 0xBD900024 || 4 || W? || Unknown
|-
| 0xBD900028 || 4 || W? || Unknown
|-
| 0xBD90002C || 4 || W? || Unknown, set to 0
|-
| 0xBD900030 || 4 || W? || Unknown, set to 0
|-
| 0xBD900034 || 4 || RW || Unknown
|-
| 0xBD900038 || 4 || W? || Unknown
|-
| 0xBD900040 || 4 || W? || Unknown
|-
| 0xBD900044 || 4 || RW || Clear/read interrupt flag
|-
|}
 
= 0xBDA00000: EFlash ATA (PSP Go only) =
 
Same interface as 0xBD700000.
 
= 0xBDB00000: EFlash DMA =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBDB00008 || 4 || W? || Set to 1 to reset
|-
| 0xBDB00010 || 4 || W? || Control
 
Bit 0 = enable
 
Bit 1 = 1 if read from ATA, 0 if write to ATA
|-
| 0xBDB00020 || 4 || R? || Read interrupt flag
|-
| 0xBDB00024 || 4 || W? || Clear interrupt flag
|-
| 0xBDB00028 || 4 || RW || Unknown
|-
| 0xBDB0002C || 4 || W? || Unknown, clear bits from the previous register
|-
| 0xBDB00030 || 4 || W? || DMA address
|-
| 0xBDB00034 || 4 || W? || DMA size
|-
| 0xBDB00040 || 4 || W? || Unknown
|-
| 0xBDB00044 || 4 || W? || Unknown, set to 0
|}
 
= 0xBDE00000: KIRK =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBDE00000 || 4 || R || KIRK signature 'KIRK' (or 1?)
|-
| 0xBDE00004 || 4 || R || KIRK version '0010' (or 1?)
|-
| 0xBDE00008 || 4 || RW || Set to 1 on error by the command subroutine
|-
| 0xBDE0000C || 4 || RW || Set to 1 to start processing, or 2 to start processing phase2
|-
| 0xBDE00010 || 4 || RW || KIRK command
 
0x01 = Private decrypt
 
0x02 = Encrypt (type2)
 
0x03 = Decrypt (type2)
 
0x04 = Encrypt (type3) (IV = 0)
 
0x05 = Encrypt (type3) (IV = Fuse)
 
0x06 = Encrypt (type3) (IV = User)
 
0x07 = Decrypt (type3) (IV = 0)
 
0x08 = Decrypt (type3) (IV = Fuse)
 
0x09 = Decrypt (type3) (IV = User)
 
0x0A = Private Signature Check
 
0x0B = SHA-1 Hash
 
0x0C = ECDSA Key Generate
 
0x0D = ECDSA Point Multiply
 
0x0E = Pseudo-random Number Generator
 
0x0F = PRNG Seed? Init?
 
0x10 = ECDSA Sign
 
0x11 = ECDSA Signature Check
|-
| 0xBDE00014 || 4 || RW || Result of the command
|-
| 0xBDE00018 || 4 || RW || Unknown
|-
| 0xBDE0001C || 4 || RW || KIRK status
 
Bit 0 = phase finish
 
Bit 1 = phase error?
 
Bit 4 = phase 2 needed
 
Bit 5 = ? (phase 1 error maybe?)
 
This should be used for checking processing status, and will notify when the processing has finished.
All bits are 0 while execution is still in progress.
If the command has two phases, Phase 2 Needed will be set when Phase Finish gets set.
Bit1 and bit5 are not well known, but it seems that bit1 is Error for Phase 1, and Success for Phase 2? Bit5 is only checked for Phase 1, and leads to the same error codepath as bit1.
|-
| 0xBDE00020 || 4 || RW || Status async?
|-
| 0xBDE00024 || 4 || RW || Status async end?
|-
| 0xBDE00028 || 4 || RW || Set to the value of 0xBDE0001C at the end of the command subroutine
|-
| 0xBDE0002C || 4 || RW || KIRK source buffer (physical address)
|-
| 0xBDE00030 || 4 || RW || KIRK destination buffer (physical address)
|-
| 0xBDE0004C || 4 || RW || Unknown
|-
| 0xBDE00050 || 4 || RW || Unknown
|-
|}
 
= 0xBDF00000: SPOCK =
 
{| class="wikitable"
|-
! Address !! Size !! R/W !! Description
|-
| 0xBDF00000 || 4 || R || Spock signature 'SPOK'
|-
| 0xBDF00004 || 4 || R || Spock version '0050'
|-
| 0xBC900008 || 4 || RW || Reset
 
Bit 0 = reset
|-
| 0xBDF00010 || 4 || RW || Set command
 
Value 0x01 = ?
 
Value 0x02 = Authentication
 
Value 0x03 = ?
 
Value 0x04 = write QTGP2 () at the first transfer address
 
Value 0x05 = write QTGP3 () at the first transfer address
 
Value 0x08 = Decrypt MKI
 
Value 0x09 = Decrypt key from IDStorage
 
Value 0x0A = Decrypt read data sector (not used/skipped, it decrypts sectors on the fly)
 
Value 0x0B = ?
 
Value 0x0C = ?
|-
| 0xBD900014 || 4 || R? || Unknown
|-
| 0xBDF00018 || 4 || RW || Drive mode flags, value == 0x111 for DVD mode, otherwice UMD mode.
|-
| 0xBD90001C || 4 || R? || Unknown
|-
| 0xBD900020 || 4 || R? || Get interrupt flags?
|-
| 0xBD900024 || 4 || RW || Clear interrupt?
|-
| 0xBDF00028 || 4 || RW || Enable interrupt
|-
| 0xBD90002C || 4 || RW || Disable interrupt?
|-
| 0xBDF00030 || 4 || R || Error Status
|-
| 0xBD900038 || 4 || RW || Unknown, set to 4
|-
| 0xBD900040 || 4 || W? || Transfer address 0
|-
| 0xBD900044 || 4 || W? || Transfer size 0
|-
| 0xBD900048 || 4 || W? || Transfer address 1
|-
| 0xBD90004C || 4 || W? || Transfer size 1
|-
| 0xBD900050 || 4 || W? || Transfer address 2
|-
| 0xBD900054 || 4 || W? || Transfer size 2
|-
| 0xBD900058 || 4 || W? || Transfer address 3
|-
| 0xBD90005C || 4 || W? || Transfer size 3
|-
| 0xBD900060 || 4 || W? || Transfer address 4
|-
| 0xBD900064 || 4 || W? || Transfer size 4
|-
| 0xBD900068 || 4 || W? || Transfer address 5
|-
| 0xBD90006C || 4 || W? || Transfer size 5
|-
| 0xBD900070 || 4 || W? || Transfer address 6
|-
| 0xBD900074 || 4 || W? || Transfer size 6
|-
| 0xBD900078 || 4 || W? || Transfer address 7
|-
| 0xBD90007C || 4 || W? || Transfer size 7
|-
| 0xBD900080 || 4 || W? || Transfer address 8
|-
| 0xBD900084 || 4 || W? || Transfer size 8
|-
| 0xBD900088 || 4 || W? || Transfer address 9
|-
| 0xBD90008C || 4 || W? || Transfer size 9
|-
| 0xBD900090 || 4 || RW || Total transfer length
|-
| 0xBD900094 || 4 || W? || Unknown, can be 0 or 1
|-
|}
 
= 0xBE000000: Audio =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE000000 || 4 || RW || Audio init/reset?
|-
| 0xBE000004 || 4 || W? || Disable audio input/output?
 
Bit 0: enable output
 
Bit 1: enable SRC output (?)
 
Bit 2: enable audio input
 
Bit 3: ??
|-
| 0xBE000008 || 4 || W? || Same as 0xBE000004 but with reversed bits; enable audio input/output?
|-
| 0xBE00000C || 4 || RW || Seems to contain the current value for 0xBE000004 (ie the current enabled input/outputs)
|-
| 0xBE000010 || 4 || W? || Similar to 0xBE000004 but set only when starting playing something, and input bit is set only for loopback test?
|-
| 0xBE000014 || 4 || W? || Unknown, set to 0x1208 = 4616 during initialization
|-
| 0xBE000018 || 4 || W? || Unknown, set to 0 during initialization
|-
| 0xBE00001C || 4 || R? || Similar to 0xBE000004; possibly bits which finished execution?
|-
| 0xBE000020 || 4 || W? || Another similar set of flags
|-
| 0xBE000024 || 4 || W? || Another similar set of flags (enabled interrupts?)
|-
| 0xBE000028 || 4 || RW || Another similar set of flags
|-
| 0xBE00002C || 4 || W? || Another similar set of flags
|-
| 0xBE000038 || 4 || W? || Set to 256 when frequency in 48kHz, 128 when it is 44.1kHz or during SRC output
|-
| 0xBE00003C || 4 || W? || Same as above, but not set at initialization time
|-
| 0xBE000040 || 4 || RW || Frequency-related??
|-
| 0xBE000044 || 4 || W? || Hardware frequency?
|-
| 0xBE000050 || 4 || RW || Volume?
|-
| 0xBE000060 || 4 || W? || Send audio data?
|-
| 0xBE000070 || 4 || W? || Send audio data?
|-
| 0xBE000080 || 4 || ? || ??
|-
| 0xBE0000D0 || 4 || ? || ??
|}
 
= 0xBE100000: MagicGate Type-R =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE100000 || ? || ? || Unknown
|-
| 0xBE100010 || ? || ? || ?Key size (in bits)?. ex: 0x100 (hardcoded)
|-
| 0xBE100020 || ? || ? || Unknown
|-
| 0xBE100038 || ? || ? || Hardware version 1
|-
| 0xBE100040 || 0x10 || ? || Key
|-
| 0xBE100050 || 8 || ? || Unknown
|-
| 0xBE100060 || 0x10 || ? || IV
|-
| 0xBE100080 || ? || ? || Control
|-
| 0xBE100084 || ? || ? || Status
|-
| 0xBE100088 || ? || ? || Algorithm
|-
| 0xBE100090 || ? || ? || Unknown. Value at bit 8 is used.
|-
| 0xBE100094 || ? || ? || Size
|-
| 0xBE100098 || ? || ? || Hardware version 2
|-
| 0xBE1000A0 || ?0x800? || ? || Input buffer
|}
 
= 0xBE140000: LCDC =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE140000 || 4 || RW || First LCDC controller enable
 
Bits 0-1 = 3 to enable first LCDC controller (tachyon version < 0x800000; otherwise it's set to 0)
|-
| 0xBE140004 || 4 || RW || Synchronization difference: (xsync / zoom) - ysync
|-
| 0xBE140008 || 4 || RW || Unknown (fourth argument of sceLcdcCheckMode and sceLcdcSetMode)
|-
| 0xBE140010 || 4 || RW || X back porch
|-
| 0xBE140014 || 4 || RW || X sync width
|-
| 0xBE140018 || 4 || RW || X front porch
|-
| 0xBE14001C || 4 || RW || X resolution
|-
| 0xBE140020 || 4 || RW || Y back porch
|-
| 0xBE140024 || 4 || RW || Y sync width
|-
| 0xBE140028 || 4 || RW || Y front porch
|-
| 0xBE14002C || 4 || RW || Y resolution
|-
| 0xBE140030 || 4 || R || HPC (?), returned by sceLcdcReadHPC()
|-
| 0xBE140034 || 4 || R || VPC (?), returned by sceLcdcReadVPC()
|-
| 0xBE140040 || 4 || RW || Y shift (between hardware & software resolution)
|-
| 0xBE140044 || 4 || RW || X shift (between hardware & software resolution)
|-
| 0xBE140048 || 4 || RW || Scaled X resolution
|-
| 0xBE14004C || 4 || RW || Scaled Y resolution (same as the physical Y resolution)
|-
| 0xBE140050 || 4 || RW || Unknown, set to 1, maybe used by sceLcdcReadUnderflow (to be verified)
|-
| 0xBE140070 || 4 || W || Set to 1 when running sceLcdcResume() or sceLcdcInit() on tachyon version >= 0x5000000
|-
|}
 
The exact same registers are at 0xBE1401.., these ones being used for tachyon version >= 0x8000000 (PSP Go?). <br>
These registers are only set on tachyo version >= 0x8000000:
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE140180 || 4 || RW || Always set to 1 when 0xBE140184 - 0xBE140198 are used
|-
| 0xBE140184 || 4 || RW || Scaled X resolution (read instead of the (real) X resolution above when enabled)
|-
| 0xBE140188 || 4 || RW || Y resolution (read instead of the (real) Y resolution above when enabled)
|-
| 0xBE14018C || 4 || RW || Unknown (0x580 - 0x678)
|-
| 0xBE140190 || 4 || RW || Unknown (0x4C4 - 0x71C)
|-
| 0xBE140194 || 4 || RW || Unknown (0xAFC - 0xCEC)
|-
| 0xBE140198 || 4 || RW || Unknown (0x910 - 0xE38)
|-
| 0xBE1401A0 || 4 || RW || Display flags?
|-
| 0xBE1401B0 || 4 || RW || Display clock?
|-
| 0xBE140200 || 4 || W || Set to 1 on initialization
|-
|}
 
= 0xBE200000: I2c =
 
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE200000 || 4 || R? || Unknown
|-
| 0xBE200004 || 4 || RW || Command
 
Value 0x85 = unknown (used after writing the transmit data)
 
Value 0x8A = receive data
 
Value 0x87 = unknown (used after writing the transmit data)
 
|-
| 0xBE200008 || 4 || RW || Data length
|-
| 0xBE20000C || 4 || R? || Read/write data
|-
| 0xBE200010 || 4 || RW || Unknown
|-
| 0xBE200014 || 4 || RW || Unknown
|-
| 0xBE20001C || 4 || RW || Unknown
|-
| 0xBE200028 || 4 || R? || Clear/read interrupt
|-
| 0xBE20002C || 4 || W? || Unknown
|-
|}
 
= 0xBE240000: GPIO =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE240000 || 4 || RW || Is output (?)
|-
| 0xBE240004 || 4 || R || GPIO read pin (1 bit = 1 pin)
|-
| 0xBE240008 || 4 || W || GPIO set pin (1 bit = 1 pin)
|-
| 0xBE24000C || 4 || W|| GPIO clear pin (1 bit = 1 pin)
|-
| 0xBE240010 || 4 || RW || Is edge detection (?)
|-
| 0xBE240014 || 4 || RW || Is falling edge (?)
|-
| 0xBE240018 || 4 || RW || Is rising edge (?)
|-
| 0xBE24001C || 4 || RW || Interrupt enable
|-
| 0xBE240020 || 4 || R? || Interrupt Status
|-
| 0xBE240024 || 4 || W || Acknowledge interrupt
|-
| 0xBE240030 || 4 || RW || Capture port enable
|-
| 0xBD240034 || 4 || RW || Timer capture enable
|-
| 0xBE240040 || 4 || RW || Is input on (?)
|-
| 0xBE240048 || 4 || W? || Unknown
|-
|}
 
= 0xBE300000: Power management? =
 
Seems to be composed of 3 controllers, each of size 0x20.
 
= 0xBE4C0000 & 0xBE500000: UART =
 
[https://developer.arm.com/documentation/ddi0183/f/programmer-s-model/summary-of-registers?lang=en ARM PrimeCell UART PL011]
 
There are two similar UART controllers:
* At 0xBE4C0000: UART4 = ?
* At 0xBE500000: UART3 = Headphone/remote SIO
 
There is also possibly an infrared controller at 0xBE540000.
 
UART port numbers vary depending on documentations.
 
Some documentations seem to argue that there are 8 controllers for 0xBE40 to 0xBE5C, but the syscon interface looks very different so it might not be the case.
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBExx0000 || 4 || RW || Read/write FIFO of the UART port
 
Bits 0-7 = data
 
Writing writes a byte to the Tx buffer and advances the write position.
Reading reads a byte from the Rx buffer and advances the read position.
The FIFO is 32(?) bytes long.
|-
| 0xBExx0004 || 4 || RW || Unknown
|-
| 0xBExx0018 || 4 || RW || Port status
 
Bit 4 = Rx buffer status is empty
 
Bit 5 = Tx buffer status is full
|-
| 0xBExx0024 || 4 || W || Upper bits of baudrate divisor, ie (96000000 / baudrate) >> 6
|-
| 0xBExx0028 || 4 || W || Lower bits of baudrate divisor, ie (96000000 / baudrate) & 0x3f
|-
| 0xBExx002C || 4 || RW || Set bits 5-6 to set the baud rate?
|-
| 0xBExx0030 || 4 || RW || Unknown
|-
| 0xBExx0034 || 4 || RW || Unknown
|-
| 0xBExx0038 || 4 || RW || Unknown
|-
| 0xBExx0044 || 4 || RW || Clear interrupt?
|-
|}
 
= 0xBE580000: Syscon =
[https://developer.arm.com/documentation/ddi0194/h/programmer-s-model/summary-of-primecell-ssp-registers?lang=en ARM PrimeCell Synchronous Serial port PL022]
 
TODO: validate register mappings
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE580000 || 4 || W? || Unknown (0xCF is written there at initialization time)
|-
| 0xBE580004 || 4 || RW || Flags
 
Bit 1 = start syscon command
 
Bit 2 = reset data index
 
Bit 3 = in progress?
|-
| 0xBE580008 || 4 || RW || Read/write data
 
Bits 0-15: 16-bit data
|-
| 0xBE58000C || 4 || R? || Flags
 
Bit 0 = error
 
Bit 2 = not finished
|-
| 0xBE580014 || 4 || W? || Unknown (0 is written there)
|-
| 0xBE580018 || 4 || R? || Unknown
|-
| 0xBE580020 || 4 || W? || Unknown; clear error status?
|-
| 0xBE580024 || 4 || W? || Unknown (0 is written there)
|-
|}
 
= 0xBE5C0000: LCD controller (Slim) =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE5C0000 || 4 || W? || Unknown
|-
| 0xBE5C0004 || 4 || W? || Unknown
|-
| 0xBE5C0008 || 4 || RW? || Unknown
|-
| 0xBE5C000C || 4 || R? || Unknown
|-
| 0xBE5C0010 || 4 || W? || Unknown
|-
| 0xBE5C0014 || 4 || W? || Unknown
|-
| 0xBE5C0024 || 4 || W? || Unknown
|-
|}
 
= 0xBE740000: Display =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE740000 || 4 || W? || Unknown
|-
| 0xBE740004 || 4 || RW || Get/set row sync (?)
|-
| 0xBE740008 || 4 || R? || Get sync (?)
|-
| 0xBE74000C || 4 || W? || Unknown
|-
| 0xBE740010 || 4 || W? || Unknown
|-
| 0xBE740014 || 4 || W? || Unknown
|-
| 0xBE740020 || 4 || R? || Unknown
|-
| 0xBE740024 || 4 || W? || Unknown
|-
|}


= 0xBE780000: Display (Slim) =
= 0xBE400000: UART 1-4 =


{| class="wikitable"
= 0xBE500000: UART 5-8 =
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE780000 || 4 || ? || Unknown
|-
| 0xBE78001C || 4 || ? || Unknown
|}
 
= 0xBFC00000 & 0xBFD00000 & 0xBFE00000: MIPS Reset Vector and RAM =


Note this is not a hardware register *per se*.
= 0xBE600000: ? =


At boot time, the PSP [[iplloader]] is mapped to read-only 0xBFC00000 then executed. An additional 4096-byte scratchpad-like RAM is accessible at 0xBFD00000 and used as a temporary space to decrypt the IPL blocks.
= 0xBE700000: Display =
Then, once the CPU is reset (0xBC10004C |= 2), the iplloader is unmapped, and the memory which was then at 0xBFD00000 is now mapped at 0xBFC00000 and execution restarts at 0xBFC00000.


On devkit, bloadp is copied to 0xBFE00000 then executed. IPL blocks are usually copied to 0xBFE01000, decrypted in place then executed.
= 0xBFC00000: MIPS Reset Vector =


= 0xBFF00000: NAND DMA buffer =
= 0xBFF00000: NAND DMA buffer =
Line 2,347: Line 1,454:
|-
|-
|}
|}
= References =
* [http://daifukkat.su/docs/psptek/ PSPTEK]
* [https://gigawiz.github.io/yapspd/html_chapters_split/chap8.html yapspd]
* [https://github.com/uofw/uofw uOFW]
* [https://github.com/jpcsp/jpcsp Jpcsp]
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)