Editing Hardware Registers

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
= Introduction =
= Introduction =


With the exception of interrupts, almost all the interaction with the PSP hardware is done through memory mapped IO (MMIO) accesses in the 0xBC000000~0xBFFFFFFF address range. The physical address of this range is actually 0x1C000000~0x1FFFFFFF, but we must OR in the 0x40000000 un-cached flag and the 0x80000000 kernel access flag. Knowing how to communicate with the hardware is vital to understanding the inner workings of the PSP.
On the PSP, except interruptions, almost all the interaction with the hardware is done through memory accesses to "hardware registers" located at the 0xBC000000~0xBFFFFFFF range (actually 0x1C000000~0x1FFFFFFF to which we add the 0x4 uncached flag and the 0x8 kernel flag). Which is the reason why documenting this is vital to understand the PSP hardware.


= 0xA7F00000: L2 cache =
= 0xA7F00000: L2 cache =
Line 451: Line 451:
Bits 6-11 = UART 0-5
Bits 6-11 = UART 0-5


Bits 12-15 = APB (Arm Peripheral Bus) Timer 0-3
Bits 12-15 = APB (?) 0-3


Bits 16-17 = Audio 0-1
Bits 16-17 = Audio 0-1


Bits 18 = LCD Controller
Bits 19-21 = ?


Bits 19 = PWM
Bit 22 = SIRCS (?)
 
Bits 20 = ?
 
Bits 21 = I2C
 
Bit 22 = SIRCS (Sony Serial Infra-Red Control)


Bit 23 = GPIO
Bit 23 = GPIO
Line 498: Line 492:
| 0xBC100064 || 4 || RW || SPI clock select
| 0xBC100064 || 4 || RW || SPI clock select
|-
|-
| 0xBC100068 || 4 || RW || Bits 0-7: PLL frequency
| 0xBC100068 || 4 || RW || 0xF - PLL get/set out select (PLL frequency?)
 
Bits 16-31: unknown, checked against by the iplloader, possibly related to jigkick
|-
|-
| 0xBC100070 || 4 || RW || Set Avc power
| 0xBC100070 || 4 || RW || Set Avc power
Line 506: Line 498:
| 0xBC100074 || 4 || RW || Unknown
| 0xBC100074 || 4 || RW || Unknown
|-
|-
| 0xBC100078 || 4 || RW || I/O enable
| 0xBC100078 || 4 || RW || I/O enable (?) (TODO: verify indices)
 
Bit 1 = EMCSM
 
Bit 2 = USB
 
Bit 3 = ATA
 
Bits 4-5 = MSIF
 
Bit 6 = LCDC


Bits 7-8 = Audio
Bit 0 = NAND


Bit 9 = I2c
Bit 1 = USB


Bit 10 = Sircs
Bit 2 = ATA


Bit 11 = AudioClkout
Bits 3-4 = Memstick Interface


Bit 12 = Key (?)
Bit 5 = LCDC


Bit 13 = PWM
Bit 6-7 = Audio


Bit 14 = ATA HDD
Bit 8 = IIC


Bit 15 = TBD - needs more sysreg reversing
Bit 9 = SIRCS


Bits 16-21 = UART 0-5
Bit 10 = Audio?


Bits 22-23 = TBD - needs more sysreg reversing
Bit 11 = KEY


Bits 24-29 = SPI 0-5
Bit 12 = PWM


Bits 30-31 = TBD - needs more sysreg reversing
Bits 13-18 = UART


Bits 19-24 = SPI
|-
|-
| 0xBC10007C || 4 || RW || Either GPIO pin enable, or GPIO pin direction
| 0xBC10007C || 4 || RW || Either GPIO pin enable, or GPIO pin direction
Line 873: Line 856:
|-
|-
|}
|}
= 0xBC700000: ? =


= 0xBC800000: DMACPlus =
= 0xBC800000: DMACPlus =
Line 1,497: Line 1,482:
| 0xBD700007 || 1 || RW || Command
| 0xBD700007 || 1 || RW || Command


Cmd 0x00 = nop
Cmd 0x08 = reset
 
Cmd 0x08 = device reset
 
Cmd 0x70 = seek
 
Cmd 0x90 = exec device diagnostic


Cmd 0xA0 = packet
Cmd 0xA0 = packet
Cmd 0xA1 = identify packet device
Cmd 0xC6 = set multiplue


Cmd 0xC8 = read
Cmd 0xC8 = read
Line 1,515: Line 1,490:
Cmd 0xCA = write
Cmd 0xCA = write


Cmd 0xDE = media lock
Cmd 0xE0 = standby now 1
 
Cmd 0xDF = media unlock
 
Cmd 0xE0 = standby
 
Cmd 0xE2 = standby immediate
 
Cmd 0xE3 = idle
 
Cmd 0xE5 = check power mode


Cmd 0xE6 = sleep
Cmd 0xE6 = sleep
Line 1,532: Line 1,497:


Cmd 0xEC = ID ATA
Cmd 0xEC = ID ATA
Cmd 0xED = media eject


Cmd 0xEF = set features
Cmd 0xEF = set features
Cmd 0xF0 = psp reset


|-
|-
Line 1,727: Line 1,688:
| 0xBDE00008 || 4 || RW || Set to 1 on error by the command subroutine
| 0xBDE00008 || 4 || RW || Set to 1 on error by the command subroutine
|-
|-
| 0xBDE0000C || 4 || RW || Set to 1 to start processing, or 2 to start processing phase2
| 0xBDE0000C || 4 || RW || Set to 1 to start processing
|-
|-
| 0xBDE00010 || 4 || RW || KIRK command
| 0xBDE00010 || 4 || RW || KIRK command
Line 1,800: Line 1,761:
|}
|}


= 0xBDF00000: SPOCK =
= 0xBDF00000: UMD =


{| class="wikitable"
{| class="wikitable"
|-
|-
! Address !! Size !! R/W !! Description
! Address !! Size !! R/W !! Description
|-
| 0xBDF00000 || 4 || R || Spock signature 'SPOK'
|-
| 0xBDF00004 || 4 || R || Spock version '0050'
|-
|-
| 0xBC900008 || 4 || RW || Reset
| 0xBC900008 || 4 || RW || Reset
Line 1,814: Line 1,771:
Bit 0 = reset
Bit 0 = reset
|-
|-
| 0xBDF00010 || 4 || RW || Set command
| 0xBC900010 || 4 || RW || Set command


Value 0x01 = ?
Value 0x01 = ?


Value 0x02 = Authentication
Value 0x02 = ?


Value 0x03 = ?
Value 0x03 = ?
Line 1,826: Line 1,783:
Value 0x05 = write QTGP3 () at the first transfer address
Value 0x05 = write QTGP3 () at the first transfer address


Value 0x08 = Decrypt MKI
Value 0x08 = find region


Value 0x09 = Decrypt key from IDStorage
Value 0x09 = ?


Value 0x0A = Decrypt read data sector (not used/skipped, it decrypts sectors on the fly)
Value 0x0A = read data


Value 0x0B = ?
Value 0x0B = ?
Value 0x0C = ?
|-
|-
| 0xBD900014 || 4 || R? || Unknown
| 0xBD900014 || 4 || R? || Unknown
|-
|-
| 0xBDF00018 || 4 || RW || Drive mode flags, value == 0x111 for DVD mode, otherwice UMD mode.
| 0xBD900018 || 4 || R? || Unknown flags
|-
|-
| 0xBD90001C || 4 || R? || Unknown
| 0xBD90001C || 4 || R? || Unknown
Line 1,846: Line 1,801:
| 0xBD900024 || 4 || RW || Clear interrupt?
| 0xBD900024 || 4 || RW || Clear interrupt?
|-
|-
| 0xBDF00028 || 4 || RW || Enable interrupt
| 0xBD900028 || 4 || RW || Enable interrupt?
|-
|-
| 0xBD90002C || 4 || RW || Disable interrupt?
| 0xBD90002C || 4 || RW || Disable interrupt?
|-
|-
| 0xBDF00030 || 4 || R || Error Status
| 0xBD900030 || 4 || RW || Unknown, set to 4
|-
|-
| 0xBD900038 || 4 || RW || Unknown, set to 4
| 0xBD900038 || 4 || RW || Unknown, set to 4
Line 1,909: Line 1,864:
! Description
! Description
|-
|-
| 0xBE000000 || 4 || RW || Audio init/reset?
| 0xBE000000 || 4 || W? || Audio init/reset?
|-
|-
| 0xBE000004 || 4 || W? || Disable audio input/output?
| 0xBE000004 || 4 || W? || Enable audio input/output?


Bit 0: enable output
Bit 0: enable output
Line 1,921: Line 1,876:
Bit 3: ??
Bit 3: ??
|-
|-
| 0xBE000008 || 4 || W? || Same as 0xBE000004 but with reversed bits; enable audio input/output?
| 0xBE000008 || 4 || W? || Same as 0xBE000004 but with reversed bits; maybe stop/empty buffer?
|-
|-
| 0xBE00000C || 4 || RW || Seems to contain the current value for 0xBE000004 (ie the current enabled input/outputs)
| 0xBE00000C || 4 || R? || Seems to contain the current value for 0xBE000004 (ie the current enabled input/outputs)
|-
|-
| 0xBE000010 || 4 || W? || Similar to 0xBE000004 but set only when starting playing something, and input bit is set only for loopback test?
| 0xBE000010 || 4 || W? || Similar to 0xBE000004 but set only when starting playing something, and input bit is set only for loopback test?
Line 1,935: Line 1,890:
| 0xBE000020 || 4 || W? || Another similar set of flags
| 0xBE000020 || 4 || W? || Another similar set of flags
|-
|-
| 0xBE000024 || 4 || W? || Another similar set of flags (enabled interrupts?)
| 0xBE000024 || 4 || W? || Another similar set of flags
|-
|-
| 0xBE000028 || 4 || RW || Another similar set of flags
| 0xBE000028 || 4 || W? || Another similar set of flags
|-
|-
| 0xBE00002C || 4 || W? || Another similar set of flags
| 0xBE00002C || 4 || W? || Another similar set of flags
Line 1,947: Line 1,902:
| 0xBE000040 || 4 || RW || Frequency-related??
| 0xBE000040 || 4 || RW || Frequency-related??
|-
|-
| 0xBE000044 || 4 || W? || Hardware frequency?
| 0xBE000044 || 4 || W? || Frequency-related??
|-
|-
| 0xBE000050 || 4 || RW || Volume?
| 0xBE000050 || 4 || RW || Volume?
|-
|-
| 0xBE000060 || 4 || W? || Send audio data?
| 0xBE000060 || 4 || ? || ??
|-
|-
| 0xBE000070 || 4 || W? || Send audio data?
| 0xBE000070 || 4 || ? || ??
|-
|-
| 0xBE000080 || 4 || ? || ??
| 0xBE000080 || 4 || ? || ??
|-
|-
| 0xBE0000D0 || 4 || ? || ??
| 0xBE0000D0 || 4 || ? || ??
|-
|}
|}


= 0xBE100000: MagicGate Type-R =
= 0xBE100000: MagicGate hardware for memory stick? =
 
= 0xBE140000: LCDC =


{| class="wikitable"
{| class="wikitable"
Line 1,969: Line 1,927:
! Description
! Description
|-
|-
| 0xBE100000 || ? || ? || Unknown
| 0xBE140000 || 4 || RW || First LCDC controller enable
|-
 
| 0xBE100010 || ? || ? || ?Key size (in bits)?. ex: 0x100 (hardcoded)
Bits 0-1 = 3 to enable first LCDC controller (tachyon version < 0x800000; otherwise it's set to 0)
|-
| 0xBE100020 || ? || ? || Unknown
|-
| 0xBE100038 || ? || ? || Hardware version 1
|-
| 0xBE100040 || 0x10 || ? || Key
|-
| 0xBE100050 || 8 || ? || Unknown
|-
| 0xBE100060 || 0x10 || ? || IV
|-
| 0xBE100080 || ? || ? || Control
|-
| 0xBE100084 || ? || ? || Status
|-
| 0xBE100088 || ? || ? || Algorithm
|-
| 0xBE100090 || ? || ? || Unknown. Value at bit 8 is used.
|-
| 0xBE100094 || ? || ? || Size
|-
| 0xBE100098 || ? || ? || Hardware version 2
|-
| 0xBE1000A0 || ?0x800? || ? || Input buffer
|}
 
= 0xBE140000: LCDC =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE140000 || 4 || RW || First LCDC controller enable
 
Bits 0-1 = 3 to enable first LCDC controller (tachyon version < 0x800000; otherwise it's set to 0)
|-
|-
| 0xBE140004 || 4 || RW || Synchronization difference: (xsync / zoom) - ysync
| 0xBE140004 || 4 || RW || Synchronization difference: (xsync / zoom) - ysync
Line 2,072: Line 1,992:
|-
|-
| 0xBE140198 || 4 || RW || Unknown (0x910 - 0xE38)
| 0xBE140198 || 4 || RW || Unknown (0x910 - 0xE38)
|-
| 0xBE1401A0 || 4 || RW || Display flags?
|-
| 0xBE1401B0 || 4 || RW || Display clock?
|-
|-
| 0xBE140200 || 4 || W || Set to 1 on initialization
| 0xBE140200 || 4 || W || Set to 1 on initialization
Line 2,083: Line 1,999:
= 0xBE200000: I2c =
= 0xBE200000: I2c =


= 0xBE240000: GPIO =


{| class="wikitable"
{| class="wikitable"
Line 2,091: Line 2,008:
! Description
! Description
|-
|-
| 0xBE200000 || 4 || R? || Unknown
| 0xBE240000 || 4 || RW || Unknown
|-
|-
| 0xBE200004 || 4 || RW || Command
| 0xBE240004 || 4 || R || GPIO read pin (1 bit = 1 pin)
 
Value 0x85 = unknown (used after writing the transmit data)
 
Value 0x8A = receive data
 
Value 0x87 = unknown (used after writing the transmit data)
 
|-
| 0xBE200008 || 4 || RW || Data length
|-
| 0xBE20000C || 4 || R? || Read/write data
|-
| 0xBE200010 || 4 || RW || Unknown
|-
| 0xBE200014 || 4 || RW || Unknown
|-
| 0xBE20001C || 4 || RW || Unknown
|-
| 0xBE200028 || 4 || R? || Clear/read interrupt
|-
| 0xBE20002C || 4 || W? || Unknown
|-
|}
 
= 0xBE240000: GPIO =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE240000 || 4 || RW || Is output (?)
|-
| 0xBE240004 || 4 || R || GPIO read pin (1 bit = 1 pin)
|-
|-
| 0xBE240008 || 4 || W || GPIO set pin (1 bit = 1 pin)
| 0xBE240008 || 4 || W || GPIO set pin (1 bit = 1 pin)
Line 2,135: Line 2,016:
| 0xBE24000C || 4 || W|| GPIO clear pin (1 bit = 1 pin)
| 0xBE24000C || 4 || W|| GPIO clear pin (1 bit = 1 pin)
|-
|-
| 0xBE240010 || 4 || RW || Is edge detection (?)
| 0xBE240010 || 4 || ? || Unknown
|-
| 0xBE240014 || 4 || RW || Is falling edge (?)
|-
| 0xBE240018 || 4 || RW || Is rising edge (?)
|-
|-
| 0xBE24001C || 4 || RW || Interrupt enable
| 0xBE240014 || 4 || ? || Unknown
|-
|-
| 0xBE240020 || 4 || R? || Interrupt Status
| 0xBE240018 || 4 || ? || Unknown
|-
|-
| 0xBE240024 || 4 || W || Acknowledge interrupt
| 0xBE24001C || 4 || ? || Unknown
|-
|-
| 0xBE240030 || 4 || RW || Capture port enable
| 0xBE240020 || 4 || ? || Unknown
|-
|-
| 0xBD240034 || 4 || RW || Timer capture enable
| 0xBE240030 || 4 || ? || Unknown
|-
|-
| 0xBE240040 || 4 || RW || Is input on (?)
| 0xBE240040 || 4 || ? || Unknown
|-
|-
| 0xBE240048 || 4 || W? || Unknown
| 0xBE240048 || 4 || ? || Unknown
|-
|-
|}
|}
Line 2,159: Line 2,036:
= 0xBE300000: Power management? =
= 0xBE300000: Power management? =


Seems to be composed of 3 controllers, each of size 0x20.
= 0xBE400000 & 0xBE500000: UART =


= 0xBE4C0000 & 0xBE500000: UART =
The second 'xx' bytes of the addresses can be 0x40, 0x44, 0x48, 0x4C, 0x50, 0x54, 0x58, 0x5C for the different UART ports (1-8, in that order).


[https://developer.arm.com/documentation/ddi0183/f/programmer-s-model/summary-of-registers?lang=en ARM PrimeCell UART PL011]
Note that:
 
* UART1 = ?
There are two similar UART controllers:
* UART2 = ?
* At 0xBE4C0000: UART4 = ?
* UART3 = ?
* At 0xBE500000: UART3 = Headphone/remote SIO
* UART4 = ?
 
* UART5 = Headphone/remote SIO
There is also possibly an infrared controller at 0xBE540000.
* UART6 = Infrared
 
* UART7 = Syscon
UART port numbers vary depending on documentations.
* UART8 = PSP 2k+ display-related
 
Some documentations seem to argue that there are 8 controllers for 0xBE40 to 0xBE5C, but the syscon interface looks very different so it might not be the case.


{| class="wikitable"
{| class="wikitable"
Line 2,189: Line 2,064:
Reading reads a byte from the Rx buffer and advances the read position.
Reading reads a byte from the Rx buffer and advances the read position.
The FIFO is 32(?) bytes long.
The FIFO is 32(?) bytes long.
|-
| 0xBExx0004 || 4 || RW || Unknown
|-
|-
| 0xBExx0018 || 4 || RW || Port status
| 0xBExx0018 || 4 || RW || Port status
Line 2,202: Line 2,075:
| 0xBExx0028 || 4 || W || Lower bits of baudrate divisor, ie (96000000 / baudrate) & 0x3f
| 0xBExx0028 || 4 || W || Lower bits of baudrate divisor, ie (96000000 / baudrate) & 0x3f
|-
|-
| 0xBExx002C || 4 || RW || Set bits 5-6 to set the baud rate?
| 0xBExx002C || 4 || W || Set bits 5-6 to set the baud rate?
|-
| 0xBExx0030 || 4 || RW || Unknown
|-
| 0xBExx0034 || 4 || RW || Unknown
|-
| 0xBExx0038 || 4 || RW || Unknown
|-
| 0xBExx0044 || 4 || RW || Clear interrupt?
|-
|-
|}
|}


= 0xBE580000: Syscon =
= 0xBE600000: ? =
[https://developer.arm.com/documentation/ddi0194/h/programmer-s-model/summary-of-primecell-ssp-registers?lang=en ARM PrimeCell Synchronous Serial port PL022]
 
TODO: validate register mappings
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE580000 || 4 || W? || Unknown (0xCF is written there at initialization time)
|-
| 0xBE580004 || 4 || RW || Flags
 
Bit 1 = start syscon command
 
Bit 2 = reset data index
 
Bit 3 = in progress?
|-
| 0xBE580008 || 4 || RW || Read/write data
 
Bits 0-15: 16-bit data
|-
| 0xBE58000C || 4 || R? || Flags
 
Bit 0 = error
 
Bit 2 = not finished
|-
| 0xBE580014 || 4 || W? || Unknown (0 is written there)
|-
| 0xBE580018 || 4 || R? || Unknown
|-
| 0xBE580020 || 4 || W? || Unknown; clear error status?
|-
| 0xBE580024 || 4 || W? || Unknown (0 is written there)
|-
|}
 
= 0xBE5C0000: LCD controller (Slim) =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE5C0000 || 4 || W? || Unknown
|-
| 0xBE5C0004 || 4 || W? || Unknown
|-
| 0xBE5C0008 || 4 || RW? || Unknown
|-
| 0xBE5C000C || 4 || R? || Unknown
|-
| 0xBE5C0010 || 4 || W? || Unknown
|-
| 0xBE5C0014 || 4 || W? || Unknown
|-
| 0xBE5C0024 || 4 || W? || Unknown
|-
|}
 
= 0xBE740000: Display =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE740000 || 4 || W? || Unknown
|-
| 0xBE740004 || 4 || RW || Get/set row sync (?)
|-
| 0xBE740008 || 4 || R? || Get sync (?)
|-
| 0xBE74000C || 4 || W? || Unknown
|-
| 0xBE740010 || 4 || W? || Unknown
|-
| 0xBE740014 || 4 || W? || Unknown
|-
| 0xBE740020 || 4 || R? || Unknown
|-
| 0xBE740024 || 4 || W? || Unknown
|-
|}
 
= 0xBE780000: Display (Slim) =
 
{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE780000 || 4 || ? || Unknown
|-
| 0xBE78001C || 4 || ? || Unknown
|}
 
= 0xBFC00000 & 0xBFD00000 & 0xBFE00000: MIPS Reset Vector and RAM =
 
Note this is not a hardware register *per se*.


At boot time, the PSP [[iplloader]] is mapped to read-only 0xBFC00000 then executed. An additional 4096-byte scratchpad-like RAM is accessible at 0xBFD00000 and used as a temporary space to decrypt the IPL blocks.
= 0xBE700000: Display =
Then, once the CPU is reset (0xBC10004C |= 2), the iplloader is unmapped, and the memory which was then at 0xBFD00000 is now mapped at 0xBFC00000 and execution restarts at 0xBFC00000.


On devkit, bloadp is copied to 0xBFE00000 then executed. IPL blocks are usually copied to 0xBFE01000, decrypted in place then executed.
= 0xBFC00000: MIPS Reset Vector =


= 0xBFF00000: NAND DMA buffer =
= 0xBFF00000: NAND DMA buffer =
Line 2,350: Line 2,104:
= References =
= References =


* [http://daifukkat.su/docs/psptek/ PSPTEK]
* [http://daifukkat.su/docs/psptek/ PSPTEK] (done)
* [https://gigawiz.github.io/yapspd/html_chapters_split/chap8.html yapspd]
* [https://gigawiz.github.io/yapspd/html_chapters_split/chap8.html yapspd] (done)
* [https://github.com/uofw/uofw uOFW]
* [https://github.com/uofw/uofw uOFW] (todo: some more info to grab in some modules)
* [https://github.com/jpcsp/jpcsp Jpcsp]
* [https://github.com/jpcsp/jpcsp Jpcsp] (todo: contains a lot of stuff)
Please note that all contributions to PSP Developer wiki are considered to be released under the GNU Free Documentation License 1.2 (see PSP Developer wiki:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following hCaptcha:

Cancel Editing help (opens in new window)
Retrieved from "http://www.psdevwiki.com/psp/Hardware_Registers"