Editing Hardware Registers

= Introduction =

With the exception of interrupts, almost all the interaction with the PSP hardware is done through memory mapped IO (MMIO) accesses in the 0xBC000000~0xBFFFFFFF address range. The physical address of this range is actually 0x1C000000~0x1FFFFFFF, but we must OR in the 0x40000000 un-cached flag and the 0x80000000 kernel access flag. Knowing how to communicate with the hardware is vital to understanding the inner workings of the PSP.

= 0xA7F00000: L2 cache =

If we believe in the sysmem NIDs, 04g+ seem to have a "L2" cache we can send commands (writeback/invalidate/probe) to through this address.

0xA7F80020 and 0xA7F80000~ also exist.

TODO need more info.

= 0xBC000000: Memory management =

{| class="wikitable sortable"
|-
! Physical Address !! Size !! R/W !! Description
|-
| 0xBC000000 ||	4 ||	RW ||	Memory Protection 0x08000000 -> 0x081FFFFFF

Bit 0: 0x08000000 -> 0x08003FFFF User Read Enable 

Bit 1: 0x08000000 -> 0x08003FFFF User Write Enable

Bit 2: 0x08000000 -> 0x08003FFFF Kernel Read Enable

Bit 3: 0x08000000 -> 0x08003FFFF Kernel Write Enable

Bit 4: 0x08040000 -> 0x0807FFFFF User Read Enable

Bit 5: 0x08040000 -> 0x0807FFFFF User Write Enable

Bit 6: 0x08040000 -> 0x0807FFFFF Kernel Read Enable

Bit 7: 0x08040000 -> 0x0807FFFFF Kernel Write Enable

Bit 8: 0x08080000 -> 0x080BFFFFF User Read Enable

Bit 9: 0x08080000 -> 0x080BFFFFF User Write Enable

Bit 10: 0x08080000 -> 0x080BFFFFF Kernel Read Enable

Bit 11: 0x08080000 -> 0x080BFFFFF Kernel Write Enable

Bit 12: 0x080C0000 -> 0x080FFFFFF User Read Enable

Bit 13: 0x080C0000 -> 0x080FFFFFF User Write Enable

Bit 14: 0x080C0000 -> 0x080FFFFFF Kernel Read Enable

Bit 15: 0x080C0000 -> 0x080FFFFFF Kernel Write Enable

Bit 16: 0x08100000 -> 0x0813FFFFF User Read Enable

Bit 17: 0x08100000 -> 0x0813FFFFF User Write Enable

Bit 18: 0x08100000 -> 0x0813FFFFF Kernel Read Enable

Bit 19: 0x08100000 -> 0x0813FFFFF Kernel Write Enable

Bit 20: 0x08140000 -> 0x0817FFFFF User Read Enable

Bit 21: 0x08140000 -> 0x0817FFFFF User Write Enable

Bit 22: 0x08140000 -> 0x0817FFFFF Kernel Read Enable

Bit 23: 0x08140000 -> 0x0817FFFFF Kernel Write Enable

Bit 24: 0x08180000 -> 0x081BFFFFF User Read Enable

Bit 25: 0x08180000 -> 0x081BFFFFF User Write Enable

Bit 26: 0x08180000 -> 0x081BFFFFF Kernel Read Enable

Bit 27: 0x08180000 -> 0x081BFFFFF Kernel Write Enable

Bit 28: 0x081C0000 -> 0x081FFFFFF User Read Enable

Bit 29: 0x081C0000 -> 0x081FFFFFF User Write Enable

Bit 30: 0x081C0000 -> 0x081FFFFFF Kernel Read Enable

Bit 31: 0x081C0000 -> 0x081FFFFFF Kernel Write Enable
|-
| 0xBC000004 ||	4 ||	RW ||	Memory Protection 0x08200000 -> 0x083FFFFFF
Bit 0: 0x08200000 -> 0x08203FFFF User Read Enable 

Bit 1: 0x08200000 -> 0x08203FFFF User Write Enable

Bit 2: 0x08200000 -> 0x08203FFFF Kernel Read Enable

Bit 3: 0x08200000 -> 0x08203FFFF Kernel Write Enable

Bit 4: 0x08240000 -> 0x0827FFFFF User Read Enable

Bit 5: 0x08240000 -> 0x0827FFFFF User Write Enable

Bit 6: 0x08240000 -> 0x0827FFFFF Kernel Read Enable

Bit 7: 0x08240000 -> 0x0827FFFFF Kernel Write Enable

Bit 8: 0x08280000 -> 0x082BFFFFF User Read Enable

Bit 9: 0x08280000 -> 0x082BFFFFF User Write Enable

Bit 10: 0x08280000 -> 0x082BFFFFF Kernel Read Enable

Bit 11: 0x08280000 -> 0x082BFFFFF Kernel Write Enable

Bit 12: 0x082C0000 -> 0x082FFFFFF User Read Enable

Bit 13: 0x082C0000 -> 0x082FFFFFF User Write Enable

Bit 14: 0x082C0000 -> 0x082FFFFFF Kernel Read Enable

Bit 15: 0x082C0000 -> 0x082FFFFFF Kernel Write Enable

Bit 16: 0x08300000 -> 0x0833FFFFF User Read Enable

Bit 17: 0x08300000 -> 0x0833FFFFF User Write Enable

Bit 18: 0x08300000 -> 0x0833FFFFF Kernel Read Enable

Bit 19: 0x08300000 -> 0x0833FFFFF Kernel Write Enable

Bit 20: 0x08340000 -> 0x0837FFFFF User Read Enable

Bit 21: 0x08340000 -> 0x0837FFFFF User Write Enable

Bit 22: 0x08340000 -> 0x0837FFFFF Kernel Read Enable

Bit 23: 0x08340000 -> 0x0837FFFFF Kernel Write Enable

Bit 24: 0x08380000 -> 0x083BFFFFF User Read Enable

Bit 25: 0x08380000 -> 0x083BFFFFF User Write Enable

Bit 26: 0x083C0000 -> 0x083BFFFFF Kernel Read Enable

Bit 27: 0x083C0000 -> 0x083BFFFFF Kernel Write Enable

Bit 28: 0x083C0000 -> 0x083FFFFFF User Read Enable

Bit 29: 0x083C0000 -> 0x083FFFFFF User Write Enable

Bit 30: 0x083C0000 -> 0x083FFFFFF Kernel Read Enable

Bit 31: 0x083C0000 -> 0x083FFFFFF Kernel Write Enable
|-
| 0xBC000008 ||	4 ||	RW 	|| Memory Protection 0x08400000 -> 0x085FFFFFF

Bit 0: 0x08400000 -> 0x08403FFFF User Read Enable 

Bit 1: 0x08400000 -> 0x08403FFFF User Write Enable

Bit 2: 0x08400000 -> 0x08403FFFF Kernel Read Enable

Bit 3: 0x08400000 -> 0x08403FFFF Kernel Write Enable

Bit 4: 0x08440000 -> 0x0847FFFFF User Read Enable

Bit 5: 0x08440000 -> 0x0847FFFFF User Write Enable

Bit 6: 0x08440000 -> 0x0847FFFFF Kernel Read Enable

Bit 7: 0x08440000 -> 0x0847FFFFF Kernel Write Enable

Bit 8: 0x08480000 -> 0x084BFFFFF User Read Enable

Bit 9: 0x08480000 -> 0x084BFFFFF User Write Enable

Bit 10: 0x08480000 -> 0x084BFFFFF Kernel Read Enable

Bit 11: 0x08480000 -> 0x084BFFFFF Kernel Write Enable

Bit 12: 0x084c0000 -> 0x084FFFFFF User Read Enable

Bit 13: 0x084c0000 -> 0x084FFFFFF User Write Enable

Bit 14: 0x084c0000 -> 0x084FFFFFF Kernel Read Enable

Bit 15: 0x084c0000 -> 0x084FFFFFF Kernel Write Enable

Bit 16: 0x08500000 -> 0x0853FFFFF User Read Enable

Bit 17: 0x08500000 -> 0x0853FFFFF User Write Enable

Bit 18: 0x08500000 -> 0x0853FFFFF Kernel Read Enable

Bit 19: 0x08500000 -> 0x0853FFFFF Kernel Write Enable

Bit 20: 0x08540000 -> 0x0857FFFFF User Read Enable

Bit 21: 0x08540000 -> 0x0857FFFFF User Write Enable

Bit 22: 0x08540000 -> 0x0857FFFFF Kernel Read Enable

Bit 23: 0x08540000 -> 0x0857FFFFF Kernel Write Enable

Bit 24: 0x08580000 -> 0x085BFFFFF User Read Enable

Bit 25: 0x08580000 -> 0x085BFFFFF User Write Enable

Bit 26: 0x08580000 -> 0x085BFFFFF Kernel Read Enable

Bit 27: 0x08580000 -> 0x085BFFFFF Kernel Write Enable

Bit 28: 0x085c0000 -> 0x085FFFFFF User Read Enable

Bit 29: 0x085c0000 -> 0x085FFFFFF User Write Enable

Bit 30: 0x085c0000 -> 0x085FFFFFF Kernel Read Enable

Bit 31: 0x085c0000 -> 0x085FFFFFF Kernel Write Enable
|-
| 0xBC00000C ||	4 ||	RW ||	Memory Protection 0x08600000 -> 0x087FFFFFF

Bit 0: 0x08600000 -> 0x08603FFFF User Read Enable 

Bit 1: 0x08600000 -> 0x08603FFFF User Write Enable

Bit 2: 0x08600000 -> 0x08603FFFF Kernel Read Enable

Bit 3: 0x08600000 -> 0x08603FFFF Kernel Write Enable

Bit 4: 0x08640000 -> 0x0867FFFFF User Read Enable

Bit 5: 0x08640000 -> 0x0867FFFFF User Write Enable

Bit 6: 0x08640000 -> 0x0867FFFFF Kernel Read Enable

Bit 7: 0x08640000 -> 0x0867FFFFF Kernel Write Enable

Bit 8: 0x08680000 -> 0x086BFFFFF User Read Enable

Bit 9: 0x08680000 -> 0x086BFFFFF User Write Enable

Bit 10: 0x08680000 -> 0x086BFFFFF Kernel Read Enable

Bit 11: 0x08680000 -> 0x086BFFFFF Kernel Write Enable

Bit 12: 0x086c0000 -> 0x086FFFFFF User Read Enable

Bit 13: 0x086c0000 -> 0x086FFFFFF User Write Enable

Bit 14: 0x086c0000 -> 0x086FFFFFF Kernel Read Enable

Bit 15: 0x086c0000 -> 0x086FFFFFF Kernel Write Enable

Bit 16: 0x08700000 -> 0x0873FFFFF User Read Enable

Bit 17: 0x08700000 -> 0x0873FFFFF User Write Enable

Bit 18: 0x08700000 -> 0x0873FFFFF Kernel Read Enable

Bit 19: 0x08700000 -> 0x0873FFFFF Kernel Write Enable

Bit 20: 0x08740000 -> 0x0877FFFFF User Read Enable

Bit 21: 0x08740000 -> 0x0877FFFFF User Write Enable

Bit 22: 0x08740000 -> 0x0877FFFFF Kernel Read Enable

Bit 23: 0x08740000 -> 0x0877FFFFF Kernel Write Enable

Bit 24: 0x08780000 -> 0x087BFFFFF User Read Enable

Bit 25: 0x08780000 -> 0x087BFFFFF User Write Enable

Bit 26: 0x08780000 -> 0x087BFFFFF Kernel Read Enable

Bit 27: 0x08780000 -> 0x087BFFFFF Kernel Write Enable

Bit 28: 0x087c0000 -> 0x087FFFFFF User Read Enable

Bit 29: 0x087c0000 -> 0x087FFFFFF User Write Enable

Bit 30: 0x087c0000 -> 0x087FFFFFF Kernel Read Enable

Bit 31: 0x087c0000 -> 0x087FFFFFF Kernel Write Enable
|-
| 0xBC000030 ||	32 ||	RW || Hardware register user read/write enable (range unknown). Used to access profiler from an user.

Granularity that this (and the next ones) work on is not known.

For each 1 bit an IO range is exposed to usermode for Read/Write.

To find the usermode address, subtract 0x60000000 from the kernelmode one (ie start addresses with 0x5 instead of 0xB).

It may be 2 bits for user read/write for each range of size 0x100000. For the profiler, located at 0xBC400000, the mask 0x300 is applied.
|-
| 0xBC000034 ||	32 ||	RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC000038 ||	32 ||	RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC00003C ||	32 ||	RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC000040 ||	32 ||	RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC000044 ||	32 ||	RW || Hardware register user read/write enable (range unknown)
|-
| 0xBC000048 ||	32 || RW || Set 1 to disable extended memory partitions??
|-
| 0xBC00004C ||	32 || R? || Unknown
|-
| 0xBC000050 || 32 || ? || Reads 0x07EFFFFF
|-
|}

= 0xBC100000: System Controller =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBC100000 || 4 || RW || NMI enable mask

Bits 0-15 = user NMI enable mask?

Bits 16-31 = kernel NMI enable mask?
|-
| 0xBC100004 || 4 || RW || NMI flags (15 bits for NMI0 ~ NMI15)
|-
| 0xBC10000C || 4 || RW? || NMI12 control registers?
|-
| 0xBC100010 || 4 || RW? || NMI8 control registers?
|-
| 0xBC100014 || 4 || RW? || NMI9 control registers?
|-
| 0xBC100018 || 4 || RW? || NMI7 control registers?
|-
| 0xBC10001C || 4 || RW? || NMI6 control registers?
|-
| 0xBC100020 || 4 || RW? || NMI5 control registers?
|-
| 0xBC100024 || 4 || RW? || NMI4 control registers?
|-
| 0xBC100028 || 4 || RW? || NMI3 control registers?
|-
| 0xBC10002C || 4 || RW? || NMI2 control registers?
|-
| 0xBC100030 || 4 || RW? || NMI1 control registers?
|-
| 0xBC100034 || 4 || RW? || NMI0 control registers?
|-
| 0xBC10003C || 4 || RW || Unknown - used by sceSysreg_driver_0x4841B2D2, sceSysreg_driver_0x4E5C86AA, sceSysregDoTimerEvent
|-
| 0xBC100040 || 4 || RW || Bits 0-1 = RAM size (0=16MB, 1=32MB, 2=64MB, 3=128MB)

Bit 11 = ? (read-only)

Bits 24-31 = tachyon version
|-
| 0xBC100044 || 4 || RW || SC/ME RPC interrupt. Writing 1 to bit 0 posts an interrupt to the opposite CPU
|-
| 0xBC100048 || 4 || RW || SC/ME semaphore. Appears to be a shared lock for both CPUs. Can be used as a spinlock
|-
| 0xBC10004C || 4 || RW || Reset enable (set bit to assert RESET, clear to clear RESET)

Bit 0 = Top

Bit 1 = SC

Bit 2 = ME

Bit 3 = AW

Bit 4 = VME

Bit 5 = AVC

Bit 6 = USB

Bit 7 = ATA

Bits 8-9 = Memstick Interface

Bit 10 = KIRK

Bit 12 = ATA HDD

Bit 13 = USB Host

Bits 14-15 = Memstick related?

Bit 16 = ?
|-
| 0xBC100050 || 4 || RW || Bus clock enable (set a bit to enable clocking to the device, clear it to disable clocking)

Bit 0 = ME

Bit 1 = AW RegA Bus

Bit 2 = AW RegB Bus

Bit 3 = AW Edram Bus

Bit 4 = DMACPlus

Bits 5-6 = DMAC

Bit 7 = KIRK

Bit 8 = ATA

Bit 9 = USB

Bits 10-11 = Memstick Interface

Bit 12 = NAND (EMCDDR)

Bit 13 = NAND (EMCSM)

Bit 14 = APB (?)

Bits 15-16 = Audio

Bit 17 = ATA HDD

Bit 18 = USB host

Bits 19-20 = ?
|-
| 0xBC100054 || 4 || RW || Clock enable

Bit 0 = ATA

Bit 1 = ATA HDD

Bit 4 = USB

Bit 7 = ?

Bits 8-9 = Memstick interface

Bit 12 = EMCDDR (NAND)

Bit 16 = USB host

Bits 20-21 = ?

Bit 22 = ?
|-
| 0xBC100058 || 4 || RW || Clock enable

Bits 0-5 = SPI 0-5

Bits 6-11 = UART 0-5

Bits 12-15 = APB (Arm Peripheral Bus) Timer 0-3

Bits 16-17 = Audio 0-1

Bits 18 = LCD Controller

Bits 19 = PWM

Bits 20 = ?

Bits 21 = I2C

Bit 22 = SIRCS (Sony Serial Infra-Red Control)

Bit 23 = GPIO

Bit 24 = Audio clock out

Bit 25 = ?
|-
| 0xBC10005C || 4 || RW || Clock select

Bits 0-1 = 1st Memorystick interface 

Bits 2-3 = 2nd Memorystick interface

Bits 4-5 = ATA HDD

Bits 6-7 = ATA
|-
| 0xBC100060 || 4 || RW || Clock select

Bits 0-2 = APB timer 0

Bits 4-6 = APB timer 1

Bits 8-10 = APB timer 2

Bits 12-14 = APB timer 3

Bit 18 = Audio clock out

Bit 24 = ?

|-
| 0xBC100064 || 4 || RW || SPI clock select
|-
| 0xBC100068 || 4 || RW || Bits 0-7: PLL frequency

Bits 16-31: unknown, checked against by the PRE-IPL, possibly related to jigkick
|-
| 0xBC100070 || 4 || RW || Set Avc power
|-
| 0xBC100074 || 4 || RW || Unknown
|-
| 0xBC100078 || 4 || RW || I/O enable

Bit 1 = EMCSM

Bit 2 = USB

Bit 3 = ATA

Bits 4-5 = MSIF

Bit 6 = LCDC

Bits 7-8 = Audio

Bit 9 = I2c

Bit 10 = Sircs

Bit 11 = AudioClkout

Bit 12 = Key (?)

Bit 13 = PWM

Bit 14 = ATA HDD

Bit 15 = TBD - needs more sysreg reversing

Bits 16-21 = UART 0-5

Bits 22-23 = TBD - needs more sysreg reversing

Bits 24-29 = SPI 0-5

Bits 30-31 = TBD - needs more sysreg reversing 

|-
| 0xBC10007C || 4 || RW || Either GPIO pin enable, or GPIO pin direction
|-
| 0xBC100080 || 4 || RW ||

Bit 0 = USB connect status

Bits 1-3 = USB interrupt

Bits 4-7: MemoryStick0 connect intr

Bits 8-11: MemoryStick1 connect intr
|-
| 0xBC100088 || 4 || RW || NMI13 control register?
|-
| 0xBC100090 || 4 || R? || Related to fuse Id
|-
| 0xBC100094 || 4 || R? || Related to fuse Id
|-
| 0xBC100098 || 4 || R? || Related to fuse config
|-
| 0xBC1000A0 || 4 || RW || NMI10 control register?
|-
| 0xBC1000A4 || 4 || RW || NMI11 control register?
|-
| 0xBC1000B0 || 4 || RW || Bits 0-2 = USB host intr
|-
| 0xBC1000E0 || 4 || RW || NMI14 control register?
|-
| 0xBC1000E4 || 4 || RW || NMI15 control register?
|-
| 0xBC1000E8 || 4 || RW || Unknown
|-
| 0xBC100100 || 4 || RW || Unknown
|-
|}

= 0xBC200000: CPU/bus frequency =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBC200000 || 4 || RW || CPU frequency

Bits 0-8 = denominator

Bits 16-24 = numerator

|-
| 0xBC200004 || 4 || RW || Bus frequency (same bits as above)
|}

= 0xBC300000: Interrupt Manager =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBC300000 || 4 || RW || Flags for the unmasked interrupts out of the first 32 interrupts (see below for the list of interrupts)
|-
| 0xBC300004 || 4 || RW || Flags for the first 32 interrupts
|-
| 0xBC300008 || 4 || RW || Mask for the first 32 interrupts
|-
| 0xBC300010 || 4 || RW || Flags for the unmasked interrupts out of the next 32 interrupts
|-
| 0xBC300014 || 4 || RW || Flags for the next 32 interrupts
|-
| 0xBC300018 || 4 || RW || Mask for the next 32 interrupts
|-
| 0xBC300020 || 4 || RW || Flags for the unmasked interrupts out of the last 32 interrupts
|-
| 0xBC300024 || 4 || RW || Flags for the last 32 interrupts
|-
| 0xBC300028 || 4 || RW || Mask for the last 32 interrupts
|-
|}

{| class="wikitable"
|-
! Interrupt ID
! Description
|-
|-
| 0 || All UARTs
|-
| 1 || All SPIs
|-
| 2 || All timer expirations
|-
| 3 || All USBs
|-
| 4 || GPIO
|-
| 5 || ATA/ATAPI
|-
| 6 || UMD Manager
|-
| 7 || Memstick (MSCM0)
|-
| 8 || WLAN
|-
| 9 || MG
|-
| 10 || AUDIO1
|-
| 11 || AUDIO2
|-
| 12 || I2C
|-
| 13 || KEY
|-
| 14 || IrDA (SIRS)
|-
| 15 || Systimer 0
|-
| 16 || Systimer 1
|-
| 17 || Systimer 2
|-
| 18 || Systimer 3
|-
| 19 || Thread0?
|-
| 20 || NAND
|-
| 21 || DMAC+
|-
| 22 || DMA0
|-
| 23 || DMA1
|-
| 24 || MEMLMD?
|-
| 25 || GE
|-
| 26 || USB_MAIN
|-
| 27 || eFlash ATA2
|-
| 28 || eFlash DMA
|-
| 30 || Display VSync
|-
| 31 || MediaEngine
|-
| 32 || UART1
|-
| 33 || UART2
|-
| 34 || UART3
|-
| 35 || UART4
|-
| 36 || HP Remote
|-
| 37 || UART6
|-
| 40 || SPI1
|-
| 41 || SPI2
|-
| 42 || SPI3
|-
| 43 || SPI4
|-
| 44 || SPI5
|-
| 45 || SPI6
|-
| 48 || TIM1_PERI
|-
| 49 || TIM2_PERI
|-
| 50 || TIM3_PERI
|-
| 51 || TIM4_PERI
|-
| 56 || USB Resume
|-
| 57 || USB Ready
|-
| 58 || USB Connect
|-
| 59 || USB Disconnect
|-
| 60 || Memstick Insert (MSCM1)
|-
| 61 || Memstick Insert (MSCM1)
|-
| 62 || WLAN
|-
| 63 || WLAN
|-
| 64 || SOFT1
|-
| 65 || SOFT2
|-
| 66 || CPUTIMER
|-
|}

= 0xBC400000: Profiler =

{| class="wikitable"
|-
! Address !! Size !! R/W !! Description
|-
| 0xBC400000 || 4 || RW || Profiler enable (bit 0 = enabled status)
|-
| 0xBC400004 || 4 || RW || System clock cycles
|-
| 0xBC400008 || 4 || RW || CPU clock cycles
|-
| 0xBC40000C || 4 || RW || Total stalled cycles
|-
| 0xBC400010 || 4 || RW || Internal stalled cycles
|-
| 0xBC400014 || 4 || RW || Memory stalled cycles
|-
| 0xBC400018 || 4 || RW || Coprocessor stalled cycles
|-
| 0xBC40001C || 4 || RW || VFPU stalled cycles
|-
| 0xBC400020 || 4 || RW || Sleep cycles
|-
| 0xBC400024 || 4 || RW || Bus access cycles
|-
| 0xBC400028 || 4 || RW || Uncached load count
|-
| 0xBC40002C || 4 || RW || Uncached store count
|-
| 0xBC400030 || 4 || RW || Cached load count
|-
| 0xBC400034 || 4 || RW || Cached store count
|-
| 0xBC400038 || 4 || RW || I-cache miss count
|-
| 0xBC40003C || 4 || RW || D-cache miss count
|-
| 0xBC400040 || 4 || RW || D-cache writeback count
|-
| 0xBC400044 || 4 || RW || Coprocessor 0 instruction count
|-
| 0xBC400048 || 4 || RW || FPU instruction count
|-
| 0xBC40004C || 4 || RW || VFPU instruction count
|-
| 0xBC400050 || 4 || RW || Local bus cycles
|-
|}

= 0xBC500000: Hardware Timer =

{| class="wikitable"
|-
! Physical Address !! Size !! R/W !! Description
|-
| 0xBC500000 ||	4 ||	RW || Timer data for hardware timer 0. Bits 31-22: the current timer mode. Bits 21-0: The system time when the timer was stopped. It is overwritten every time the timer is stopped.
|-
| 0xBC500004 || 4 ||    R? || The base time of the hardware timer 0 (assumed)
|-
| 0xBC500008 || 4 ||    RW || The numerator of the timer's prescale
|-
| 0xBC50000C || 4 ||    RW || The denominator of the timer's prescale
|-
| 0xBC500010 || 4 ||    RW || Same as above, for hardware timer 1
|-
| 0xBC500014 || 4 ||    R? || Same as above, for hardware timer 1
|-
| 0xBC500018 || 4 ||    RW || Same as above, for hardware timer 1
|-
| 0xBC50001C || 4 ||    RW || Same as above, for hardware timer 1
|-
| 0xBC500020 || 4 ||    RW || Same as above, for hardware timer 2
|-
| 0xBC500024 || 4 ||    R? || Same as above, for hardware timer 2
|-
| 0xBC500028 || 4 ||    RW || Same as above, for hardware timer 2
|-
| 0xBC50002C || 4 ||    RW || Same as above, for hardware timer 2
|-
| 0xBC500030 || 4 ||    RW || Same as above, for hardware timer 3
|-
| 0xBC500034 || 4 ||    R? || Same as above, for hardware timer 3
|-
| 0xBC500038 || 4 ||    RW || Same as above, for hardware timer 3
|-
| 0xBC50003C || 4 ||    RW || Same as above, for hardware timer 3
|-
| 0xBC500100 || 4 ||    R  || Get status read-only (?) for hardware timer 1
|-
| 0xBC500110 || 4 ||    R  || Get status read-only (?) for hardware timer 1
|-
| 0xBC500120 || 4 ||    R  || Get status read-only (?) for hardware timer 1
|-
| 0xBC500130 || 4 ||    R  || Get status read-only (?) for hardware timer 1
|-
| 0xBC5003D0 || 4 ||    RW || Same as 0xBC500000, but with the current PSP's system time value. A timer's current count is computed by subtracting the timer's base time (the init time point) from this value.
|-
| 0xBC5003E0 || 4 ||    RW || Same as above, for hardware timer 1
|-
| 0xBC5003F0 || 4 ||    RW || Same as above, for hardware timer 2
|-
| 0xBC500400 || 4 ||    RW || Same as above, for hardware timer 3
|-
|}

= 0xBC600000: System time =
{| class="wikitable sortable"
|-
! Physical Address !! Size !! R/W !! Description
|-
|  0xBC600000 ||	32 ||	RW ||	System time in microseconds. Wraps around every 1.1 hours? 
|-
|  0xBC600004 ||	32 ||	RW ||	Alarm time, raises interrupt (19?) when system time hits this number
|-
|  0xBC600008 ||	32 ||	RW ||   Unknown, typically 0x30 but can be written
|-
|  0xBC60000C ||	32 ||	RW ||   Unknown, typically 1 but can be written. (Writing 0 caused a hang, maybe disables timer incrementing?)
|-
|  0xBC600010 ||	32 ||	RW ||   Unknown, typically 0
|-
|}

= 0xBC700000: ? =

= 0xBC800000: DMACPlus =

== DMACPlus general registers ==

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBC800004 || 4 || RW || Pending "operation success" interrupts
|-
| 0xBC800008 || 4 || RW || Clear "operation success" interrupts
|-
| 0xBC80000C || 4 || RW || Pending "operation error" interrupts
|-
| 0xBC800010 || 4 || RW || Clear "operation error" interrupts
|-
| 0xBC800014 || 4 || RW || Enable "operation success" interrupts
|-
| 0xBC800018 || 4 || RW || Enable "operation error" interrupts
|-
|}

=== Interrupt bits ===
{| class="wikitable"
|-
! Bit
! Interrupt
|-
| 0 || DmacplusLcdc
|-
| 1 || AVC
|-
| 2 || Sc2Me
|-
| 3 || Me2Sc
|-
| 4 || Sc128
|-
|}

== Framebuffer scanout registers (DmacplusLcdc) ==

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBC800100 || 4 || RW || Framebuffer address (bits[28:0])
|-
| 0xBC800104 || 4 || RW || Framebuffer pixelformat (0 = RGBA8888, 1 = RGB565, 2 = RGBA5551, 3 = RGBA4444)
|-
| 0xBC800108 || 4 || RW || Framebuffer width
|-
| 0xBC80010C || 4 || RW || Framebuffer stride
|-
| 0xBC800110 || 4 || RW || Framebuffer scanout configuration: Bit[0] = Enable framebuffer scanout to LCD controller, Bits[31:29] = ??
|-
|}

== CSC registers ==

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBC800120 || 4 || RW || CSC source buffer pYBuffer address
|-
| 0xBC800124 || 4 || RW || CSC source buffer pYBuffer2 address
|-
| 0xBC800128 || 4 || RW || CSC source buffer pCrBuffer address
|-
| 0xBC80012C || 4 || RW || CSC source buffer pCbBuffer address
|-
| 0xBC800130 || 4 || RW || CSC source buffer pCrBuffer2 address
|-
| 0xBC800134 || 4 || RW || CSC source buffer pCbBuffer2 address
|-
| 0xBC800138 || 4 || RW || CSC source buffer height
|-
| 0xBC80013C || 4 || RW || CSC source buffer width
|-
| 0xBC800140 || 4 || RW || Buffer size: Bits[22:16] = height/16, Bits[13:8] = width/16, Bit[2] = unk, Bit[1] = unk, Bit[0] = use VME or AVC (AVC = 0, VME = 1)
|-
| 0xBC800144 || 4 || RW || CSC destination RGB buffer address
|-
| 0xBC800148 || 4 || RW || CSC destination RGB2 buffer address
|-
| 0xBC80014C || 4 || RW || CSC parameters: Bit[0] = has RGB2 buffer, Bits[7:1] = pixelformat, Bits[31:8] = buffer stride
|-
| 0xBC800150 || 4 || RW || First row (3 values) of the 3x3 CSC matrix. Each value is 10 bits long, Q3.7 fixed-point format, starting at bit i * 16 of the register.
|-
| 0xBC800154 || 4 || RW || Second row (3 values) of the 3x3 CSC matrix. Each value is 10 bits long, Q3.7 fixed-point format, starting at bit i * 16 of the register.
|-
| 0xBC800158 || 4 || RW || Third row (3 values) of the 3x3 CSC matrix. Each value is 10 bits long, Q3.7 fixed-point format, starting at bit i * 16 of the register.
|-
| 0xBC80015C || 4 || RW || Other parameters of CSC matrix (post matrix multiplication addition coefficients, etc). Bits[7:0] = footroom, Bit[8] = unk.
|-
| 0xBC800160 || 4 || RW || Start CSC? 0xD is written here.
|-
|}

=== CSC source buffer valid ranges ===
Note: It seems the CSC source buffer address can only be inside one of the following ranges in the following table (otherwise AVC "operation error" interrupt is triggered). The destination buffer doesn't have such limitations.
{| class="wikitable"
|-
! Start
! End
! Notes
|-
| 0x00000000 || 0x00400000 ||
|-
| 0x04000000 || 0x04200000 || VRAM? always read as 0s
|-
| 0x08300000 || 0x0C000000 ||
|-
|}

== DMA processing ==

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBC800180 || 4 || RW || DMA channel 0 source address
|-
| 0xBC800184 || 4 || RW || DMA channel 0 destination address
|-
| 0xBC800188 || 4 || RW || DMA channel 0 address for the next instruction (which is another source/destination/attr/status set)
|-
| 0xBC80018C || 4 || RW || DMA channel 0 attributes

Bits 0-11: length

Bits 12-14: src step

Bits 15-17: dst step

Bits 18-20: src length shift

Bits 21-23: dst length shift

Bits 24-25: unknown

Bit 26: src increment

Bit 27: dst increment

Bit 31: trigger interrupt
|-
| 0xBC800190 || 4 || RW || DMA channel 0 status

Bit 0: in progress

Bits 4-7: DDR value

Bit 8: DDR required
|-
| 0xBC8001A0 || 20 || RW || Same as above, for DMA channel 1
|-
| 0xBC8001C0 || 20 || RW || Same as above, for DMA channel 2
|-
|}

= 0xBC900000 & 0xBCA00000: DMAC =

TODO: this could be the same as 0xBC800000, just for more processors (8 for 0xBC900000, 8 for 0xBCA00000)

{| class="wikitable"
|-
! Address !! Size !! R/W !! Description
|-
| 0xBC900020 || 4 || W? || Unknown (DMA soft request-related)
|-
| 0xBC900024 || 4 || W? || Unknown (DMA soft request-related)
|-
| 0xBC900028 || 4 || W? || Unknown (DMA soft request-related)
|-
| 0xBC90002C || 4 || W? || Unknown (DMA soft request-related)
|-
| 0xBC900100 || 4 || RW || DMA channel 0 status

Bit 0 = ?

Bit 1 = reads 1 when channel reset/reboot in complete

Bit 2 = write 1 to require a reset/reboot
|-
| 0xBC900108 || 4 || RW || Set to 0xFF on reboot
|-
| 0xBC900110 || 4 || RW || Set to 0xFF on reboot
|-
| 0xBC900130 || 4 || RW || Bit 0 set to 0 on reboot
|-
| 0xBC900120 || 32 || RW || Same as above, for DMA channel 1
|-
| 0xBC900140 || 32 || RW || Same as above, for DMA channel 2
|-
| 0xBC900160 || 32 || RW || Same as above, for DMA channel 3
|-
| 0xBC900180 || 32 || RW || Same as above, for DMA channel 4
|-
| 0xBC9001A0 || 32 || RW || Same as above, for DMA channel 5
|-
| 0xBC9001C0 || 32 || RW || Same as above, for DMA channel 6
|-
| 0xBC9001E0 || 32 || RW || Same as above, for DMA channel 7
|-
| 0xBCA00100 || 32 || RW || Same as above, for DMA channel 8
|-
| 0xBCA00120 || 32 || RW || Same as above, for DMA channel 9
|-
| 0xBCA00140 || 32 || RW || Same as above, for DMA channel 10
|-
| 0xBCA00160 || 32 || RW || Same as above, for DMA channel 11
|-
| 0xBCA00180 || 32 || RW || Same as above, for DMA channel 12
|-
| 0xBCA001A0 || 32 || RW || Same as above, for DMA channel 13
|-
| 0xBCA001C0 || 32 || RW || Same as above, for DMA channel 14
|-
| 0xBCA001E0 || 32 || RW || Same as above, for DMA channel 15
|-
|}

= 0xBCC00000: VME Control =

These can only be accessed from the ME CPU.

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBCC00010 || 4 || RW || VME reset: writing anything here causes the VME to reset; it reads 0xFFFFFFFF while resetting, and 0 when reset is complete
|-
| 0xBCC00030 || 4 || W? || Unknown, 8 is stored there when the ME boots
|-
| 0xBCC00040 || 4 || W? || Unknown, 2 is stored there when the ME boots
|-
| 0xBCC00070 || 4 || W? || Unknown, 1 is stored there when the ME boots
|-
|}

= 0xBD000000: DDR =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBD000004 || 4 || RW || DDR flush
|-
| 0xBD000020 || 4 || RW || Unknown
|-
| 0xBD000024 || 4 || RW || Unknown
|-
| 0xBD00002C || 4 || RW || Unknown, used by IPL
|-
| 0xBD000030 || 4 || RW || Unknown, used during sceDdrChangePllClock()
|-
| 0xBD000034 || 4 || RW || Unknown, used during sceDdrChangePllClock()
|-
| 0xBD000038 || 4 || RW || Unknown, used by IPL
|-
| 0xBD000040 || 4 || RW || Unknown, used during sceDdrChangePllClock()
|-
| 0xBD000044 || 4 || RW || Unknown, used during sceDdrChangePllClock()
|-
|}

= 0xBD100000: NAND Flash =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBD101000 || 4 || R || NAND control

Bit 16 = read ECC (0 = don't calculate, 1 = calculate)

Bit 17 = write ECC (0 = don't calculate, 1 = calculate)
|-
| 0xBD101004 || 4 || R || NAND status

Bit 0 = status (0 = busy, 1 = ready)

Bit 7 = write protection (1 = write protected)
|-
| 0xBD101008 || 4 || W || NAND command

0x00/0x01 = read (1?)

0x50 = read (2?)

0x90 = read ID

0xFF = reset

0x80, or 0x10 at 2nd cycle = page program

0x00, or 0x8A at 2nd cycle = copy-back program

0x60, or 0xD0 at 2nd cycle = block erase

0x70 = read status
|-
| 0xBD10100C || 4 || W || NAND address.

Bits 10-26: page to access.

Possibly just LBA >> 1?
|-
| 0xBD101014 || 4 || W || NAND reset? (bit 0)
|-
| 0xBD101020 || 4 || W || NAND DMA address

Bits 10-26: page to access during DMA.

Possibly just LBA >> 1?
|-
| 0xBD101024 || 4 || RW || NAND DMA control

Bit 0 = DMA transfer progress (0 = stopped, 1 = running)

Bit 1 = transfer direction (0 = NAND -> MEM, 1 = MEM -> NAND)

Bit 8 = page data transfer enabled

Bit 9 = spare data transfer enabled
|-
| 0xBD101028 || 4 || R || NAND DMA status
|-
| 0xBD101038 || 4 || RW || NAND DMA intr?
|-
| 0xBD101200 || 4 || RW || NAND resume? (0x0B040205 to resume)
|-
| 0xBD101300 || 4 || RW || NAND serial data
|-
|}

= 0xBD200000: MemoryStick =

{| class="wikitable"
|-
! Address !! Size !! R/W !! Description
|-
| 0xBD200000 || 2 || RW || MemoryStick interrupt

Bit 0 = reg address

Bit 4 = cmdnk (command cannot be executed)

Bit 5 = breq (buffer request)

Bit 6 = error

Bit 7 = ced (command end)

|-
| 0xBD200002 || 2 || W? || Unknown
|-
| 0xBD200004 || 2 || RW || Command state

Bit 0: busy

|-
| 0xBD200010 || 2 || W? || Number of pages
|-
| 0xBD200012 || 2 || W? || OOB length
|-
| 0xBD200014 || 2 || W? || Start block
|-
| 0xBD200016 || 2 || W? || Set command to read and set page LBA
|-
| 0xBD200020 || 2 || W? || Unknown
|-
| 0xBD200024 || 2 || R || Read OOB data
|-
| 0xBD200024 || 1 || W || Write command data
|-
| 0xBD200028 || 2 or 4 || RW || Read/write page data
|-
| 0xBD200030 || 4 || RW || Start TPC

Bits 0-9 = size

Bits 12-31 = TPC code

Code 1 = read MG status

Code 2 = read page data

Code 3 = read short data

Code 4 = read reg

Code 5 = read IO data

Code 7 = get int

Code 8 = set rw reg address

Code 9 = ex set cmd

Code 10 = write IO data

Code 11 = write reg

Code 12 = write short data

Code 13 = write page data

Code 14 = set cmd

|-
| 0xBD200034 || 2 or 4 || RW || Read/write TPC data
|-
| 0xBD200038 || 2 or 4 || RW || Memstick status

Bits 0-3 = bits 4-7 from the reg address register

Bit 8 = timeout

Bit 9 = CRC error

Bit 12 = ready

Bit 13 = unknown

Bit 14 = FIFO RW
|-
| 0xBD20003C || 4 || RW || Memstick sys

Bit 9 = command

Bit 11 = interrupt

Bit 15 = reset
|-
| 0xBD200040 || 4 || RW || Unknown
|-
|}

= 0xBD300000: WLAN =

The interface to the WLAN is the same as to the Memorystick, just with different commands.

= 0xBD400000: Graphics Engine =

{| class="wikitable"
|-
! Physical Address !! Size !! R/W !! Description
|-
| 0xBD400000 ||	4 || RW || RW bit 1: set to 1 to reset, wait until bit is 0 to know the GE has been reset
|-
| 0xBD400004 || 4 || RW? || Unknown (accessible through sceGeSet/GetReg() and passed to the interrupt handlers but unused)
|-
| 0xBD400008 || 4 || R || RO bits 0x0000FFFF: shifted left by 10, gives the EDRAM hardware size (sceGeEdramGetHwSize()) (only used for tachyon < 0x00500000)
|-
| 0xBD400100 || 4 || RW || RW bit 0x001: 0 = stopped, 1 = running

R  bit 0x002: 0 = branching condition true, 1 = false

R  bit 0x100: 1 = is at depth 1 (or 2) of calls

R  bit 0x200: 1 = is at depth 2 of calls
|-
| 0xBD400104 || 4 || RW? || Status? (accessible through sceGeSet/GetReg() but unused)
|-
| 0xBD400108 || 4 || RW || Address of the display list currently being run
|-
| 0xBD40010C || 4 || RW || Stall address of the display list (0 = no stall address)
|-
| 0xBD400110 || 4 || RW || First return address (after the first CALL command)
|-
| 0xBD400114 || 4 || RW || Second return address (after the second CALL command)
|-
| 0xBD400118 || 4 || RW || Address of vertices (for bezier etc)
|-
| 0xBD40011C || 4 || RW || Address of indices (for bezier etc)
|-
| 0xBD400120 || 4 || RW || Address of the origin (set by ORIGIN, destination address for JUMP/BJUMP/CALL after adding BASE and the address specified in the command)
|-
| 0xBD400124 || 4 || RW || Same as above, for the first call
|-
| 0xBD400128 || 4 || RW || Same as above, for the second call
|-
| 0xBD400200 || 4 || RW || Bit 1 set by sceGeSetGeometryClock(), exact usage unknown
|-
| 0xBD400300 || 4 || RW || Unknown (accessible through sceGeSet/GetReg() but unused)
|-
| 0xBD400304 || 4 || RW || Get/set current command status (1 = SIGNAL, 2 = END, 4 = FINISH, 8 = ERROR)
|-
| 0xBD400308 || 4 || RW || Get/clear interrupts
|-
| 0xBD40030C || 4 || W || Change interrupts (ie swap the status of specified interrupts)
|-
| 0xBD400310 || 4 || W || Change command status (ie swap the status of specified bits)
|-
| 0xBD400400 || 4 || RW || Set to 4 when the used edram size is 0x00200000 and 2 when it's 0x00400000 (!)
|-
| 0xBD400800 || 1024 || R || Each type a command is executed by the GE, its value, including arguments, is saved here (4 bytes per command)
|-
| 0xBD400C00 || 384 || R || BONE matrices
|-
| 0xBD400D80 || 48 || R || WORLD matrices
|-
| 0xBD400DB0 || 48 || R || VIEW matrices
|-
| 0xBD400DE0 || 48 || R || PROJ matrices
|-
| 0xBD400E20 || 48 || R || TGEN matrices
|-
| 0xBD400E50 || 48 || R || COUNT matrices (probably)
|-
|}

= 0xBD500000: Graphics Engine EDRAM =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBD500000 || 4 || RW || Unknown, bits 0x00F00000 set by sceGeEdramSetRefreshParam's 4th argument
|-
| 0xBD500010 || 4 || RW || Set to 2 before reset and 0 after reset is done, bit 1 seems to be initialization (used by sceGeEdramInit())
|-
| 0xBD500020 || 4 || RW || Set to 0x6C4 by default and bits 0x007FFFFF set by sceGeEdramSetRefreshParam's second argument
|-
| 0xBD500030 || 4 || RW || Bits 0x000003FF set by sceGeEdramSetRefreshParam's third argument
|-
| 0xBD500040 || 4 || RW || Set to 1 in sceGeEdramInit(), and to 3 if sceGeEdramSetRefreshParam's first argument (mode) is 1 and the bit 2 isn't set
|-
| 0xBD500050 || 4 || RW || Unknown, accessible through sceGeSetReg/GetReg()
|-
| 0xBD500060 || 4 || RW || Unknown, accessible through sceGeSetReg/GetReg()
|-
| 0xBD500070 || 4 || RW || Bit 1: disable address translation
|-
| 0xBD500080 || 4 || RW || The address translation value
|-
| 0xBD500090 || 4 || RW || Unknown, set to 3 in sceGeEdramInit(), accessible through sceGeSetReg/GetReg()
|-
| 0xBD5000A0 || 4 || RW || Unknown, accessible through sceGeSetReg/GetReg()
|-
|}

= 0xBD600000: ATA/UMD =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBD600000 || 4 || R? || Unknown (returns 0x00010033)
|-
| 0xBD600004 || 4 || W? || Unknown (0x04028002 is written here)
|-
| 0xBD600010 || 4 || RW || Unknown (reset?)
|-
| 0xBD600014 || 4 || W? || Unknown
|-
| 0xBD60001C || 4 || W? || Unknown (0x00020A0C is written here)
|-
| 0xBD600034 || 4 || RW || Unknown (0 is written here)
|-
| 0xBD600038 || 4 || W? || Unknown (0x00010100 is written here)
|-
| 0xBD600040 || 4 || RW || Unknown (0 is written here, flag 0x2 is tested)
|-
| 0xBD600044 || 4 || W? || Unknown
|-
|}

= 0xBD700000: ATA/UMD =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBD700000 || 2 || RW || Read/write data
|-
| 0xBD700001 || 1 || RW || Features (?)
|-
| 0xBD700002 || 1 || RW || Sector count
|-
| 0xBD700003 || 1 || RW || Sector number
|-
| 0xBD700004 || 1 || RW || Cylinder low
|-
| 0xBD700005 || 1 || RW || Cylinder high
|-
| 0xBD700006 || 1 || RW || Drive
|-
| 0xBD700007 || 1 || RW || Command

Cmd 0x08 = reset

Cmd 0xA0 = packet

Cmd 0xC8 = read

Cmd 0xCA = write

Cmd 0xE0 = standby now 1

Cmd 0xE6 = sleep

Cmd 0xE7 = flush

Cmd 0xEC = ID ATA

Cmd 0xEF = set features

|-
| 0xBD700008 || 1 || W? || End of data
|-
| 0xBD70000E || 1 || RW || Control

Bit 2 = soft reset
|-
|}

= 0xBD800000: USB =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBD800000 || 4 || RW || Get/set control of first sending endpoint

Bit 1 = unknown

Bit 3 = unknown

Bits 4-5 = transfer type

Bit 6 = unknown

Bit 7 = unknown

Bit 8 = unknown
|-
| 0xBD800004 || 4 || RW || Read/clear status of first sending endpoint

Bits 4, 5, 6, 7, 9, 10, 14 = unknown
|-
| 0xBD800008 || 4 || RW || Max packet size in words for first sending endpoint
|-
| 0xBD80000C || 4 || RW || Max packet size in bytes for first sending endpoint (possible value: 0x40)
|-
| 0xBD800010 || 4 || RW || Unknown address, for first sending endpoint (0x80000000 is written there)
|-
| 0xBD800014 || 4 || RW || Unknown address, for first sending endpoint (0x80000000 is written there)
|-
| 0xBD800020 || 24 || RW || Same as above, for 2nd sending endpoint
|-
| 0xBD800040 || 24 || RW || Same as above, for 3rd sending endpoint
|-
| 0xBD800060 || 24 || RW || Same as above, for 4th sending endpoint
|-
| 0xBD800080 || 24 || RW || Same as above, for 5th sending endpoint
|-
| 0xBD800200 || 24 || RW || Same as above, for 1st receiving endpoint
|-
| 0xBD800220 || 24 || RW || Same as above, for 2nd receiving endpoint
|-
| 0xBD800240 || 24 || RW || Same as above, for 3rd receiving endpoint
|-
| 0xBD800260 || 24 || RW || Same as above, for 4th receiving endpoint
|-
| 0xBD800280 || 24 || RW || Same as above, for 5th receiving endpoint
|-
| 0xBD800400 || 4 || RW || Unknown (possible values: 0xA0, 0x8 = activated without charging, 0x1)
|-
| 0xBD800404 || 4 || RW || Unknown
|-
| 0xBD800408 || 4 || R? || Unknown
|-
| 0xBD80040C || 4 || RW || Clear/read connection interrupt

Value 0 = connect

Value 1 = streaming

Value 2 = detach 1

Value 4 = detach 2

Value 6 = unknown
|-
| 0xBD800410 || 4 || RW || Set/get enabled connection interrupts (same bits as above)
|-
| 0xBD800414 || 4 || RW || Unknown
|-
| 0xBD800418 || 4 || RW || Disabled endpoints interfaces (bits 0-8 = sending, and bits 16-24 = receiving?)
|-
| 0xBD80041C || 4 || RW || Unknown (possible value: 0)
|-
| 0xBD800504 || 4 || W? || Unknown
|-
| 0xBD800508 || 4 || W? || Unknown
|-
| 0xBD80050C || 4 || W? || Unknown
|-
| 0xBD800510 || 4 || W? || Unknown
|-
| 0xBD800514 || 4 || W? || Unknown
|-
|}

= 0xBD900000: EFlash (PSP Go only) =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBD900004 || 4 || W? || Unknown, set to 0x04024002
|-
| 0xBD900010 || 4 || W? || Write 1 to reset
|-
| 0xBD900014 || 4 || W? || Unknown
|-
| 0xBD900018 || 4 || W? || Unknown
|-
| 0xBD900024 || 4 || W? || Unknown
|-
| 0xBD900028 || 4 || W? || Unknown
|-
| 0xBD90002C || 4 || W? || Unknown, set to 0
|-
| 0xBD900030 || 4 || W? || Unknown, set to 0
|-
| 0xBD900034 || 4 || RW || Unknown
|-
| 0xBD900038 || 4 || W? || Unknown
|-
| 0xBD900040 || 4 || W? || Unknown
|-
| 0xBD900044 || 4 || RW || Clear/read interrupt flag
|-
|}

= 0xBDA00000: EFlash ATA (PSP Go only) =

Same interface as 0xBD700000.

= 0xBDB00000: EFlash DMA =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBDB00008 || 4 || W? || Set to 1 to reset
|-
| 0xBDB00010 || 4 || W? || Control

Bit 0 = enable

Bit 1 = 1 if read from ATA, 0 if write to ATA
|-
| 0xBDB00020 || 4 || R? || Read interrupt flag
|-
| 0xBDB00024 || 4 || W? || Clear interrupt flag
|-
| 0xBDB00028 || 4 || RW || Unknown
|-
| 0xBDB0002C || 4 || W? || Unknown, clear bits from the previous register
|-
| 0xBDB00030 || 4 || W? || DMA address
|-
| 0xBDB00034 || 4 || W? || DMA size
|-
| 0xBDB00040 || 4 || W? || Unknown
|-
| 0xBDB00044 || 4 || W? || Unknown, set to 0
|}

= 0xBDE00000: KIRK =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBDE00000 || 4 || R || KIRK signature 'KIRK' (or 1?)
|-
| 0xBDE00004 || 4 || R || KIRK version '0010' (or 1?)
|-
| 0xBDE00008 || 4 || RW || Set to 1 on error by the command subroutine
|-
| 0xBDE0000C || 4 || RW || Set to 1 to start processing, or 2 to start processing phase2
|-
| 0xBDE00010 || 4 || RW || KIRK command

0x01 = Private decrypt

0x02 = Encrypt (type2)

0x03 = Decrypt (type2)

0x04 = Encrypt (type3) (IV = 0)

0x05 = Encrypt (type3) (IV = Fuse)

0x06 = Encrypt (type3) (IV = User)

0x07 = Decrypt (type3) (IV = 0)

0x08 = Decrypt (type3) (IV = Fuse)

0x09 = Decrypt (type3) (IV = User)

0x0A = Private Signature Check

0x0B = SHA-1 Hash

0x0C = ECDSA Key Generate

0x0D = ECDSA Point Multiply

0x0E = Pseudo-random Number Generator

0x0F = PRNG Seed? Init?

0x10 = ECDSA Sign

0x11 = ECDSA Signature Check
|-
| 0xBDE00014 || 4 || RW || Result of the command
|-
| 0xBDE00018 || 4 || RW || Unknown
|-
| 0xBDE0001C || 4 || RW || KIRK status

Bit 0 = phase finish

Bit 1 = phase error?

Bit 4 = phase 2 needed

Bit 5 = ? (phase 1 error maybe?)

This should be used for checking processing status, and will notify when the processing has finished.
All bits are 0 while execution is still in progress.
If the command has two phases, Phase 2 Needed will be set when Phase Finish gets set.
Bit1 and bit5 are not well known, but it seems that bit1 is Error for Phase 1, and Success for Phase 2? Bit5 is only checked for Phase 1, and leads to the same error codepath as bit1.
|-
| 0xBDE00020 || 4 || RW || Status async?
|-
| 0xBDE00024 || 4 || RW || Status async end?
|-
| 0xBDE00028 || 4 || RW || Set to the value of 0xBDE0001C at the end of the command subroutine
|-
| 0xBDE0002C || 4 || RW || KIRK source buffer (physical address)
|-
| 0xBDE00030 || 4 || RW || KIRK destination buffer (physical address)
|-
| 0xBDE0004C || 4 || RW || Unknown
|-
| 0xBDE00050 || 4 || RW || Unknown
|-
|}

= 0xBDF00000: UMD =

{| class="wikitable"
|-
! Address !! Size !! R/W !! Description
|-
| 0xBC900008 || 4 || RW || Reset

Bit 0 = reset
|-
| 0xBC900010 || 4 || RW || Set command

Value 0x01 = ?

Value 0x02 = ?

Value 0x03 = ?

Value 0x04 = write QTGP2 () at the first transfer address

Value 0x05 = write QTGP3 () at the first transfer address

Value 0x08 = find region

Value 0x09 = ?

Value 0x0A = read data

Value 0x0B = ?
|-
| 0xBD900014 || 4 || R? || Unknown
|-
| 0xBD900018 || 4 || R? || Unknown flags
|-
| 0xBD90001C || 4 || R? || Unknown
|-
| 0xBD900020 || 4 || R? || Get interrupt flags?
|-
| 0xBD900024 || 4 || RW || Clear interrupt?
|-
| 0xBD900028 || 4 || RW || Enable interrupt?
|-
| 0xBD90002C || 4 || RW || Disable interrupt?
|-
| 0xBD900030 || 4 || RW || Unknown, set to 4
|-
| 0xBD900038 || 4 || RW || Unknown, set to 4
|-
| 0xBD900040 || 4 || W? || Transfer address 0
|-
| 0xBD900044 || 4 || W? || Transfer size 0
|-
| 0xBD900048 || 4 || W? || Transfer address 1
|-
| 0xBD90004C || 4 || W? || Transfer size 1
|-
| 0xBD900050 || 4 || W? || Transfer address 2
|-
| 0xBD900054 || 4 || W? || Transfer size 2
|-
| 0xBD900058 || 4 || W? || Transfer address 3
|-
| 0xBD90005C || 4 || W? || Transfer size 3
|-
| 0xBD900060 || 4 || W? || Transfer address 4
|-
| 0xBD900064 || 4 || W? || Transfer size 4
|-
| 0xBD900068 || 4 || W? || Transfer address 5
|-
| 0xBD90006C || 4 || W? || Transfer size 5
|-
| 0xBD900070 || 4 || W? || Transfer address 6
|-
| 0xBD900074 || 4 || W? || Transfer size 6
|-
| 0xBD900078 || 4 || W? || Transfer address 7
|-
| 0xBD90007C || 4 || W? || Transfer size 7
|-
| 0xBD900080 || 4 || W? || Transfer address 8
|-
| 0xBD900084 || 4 || W? || Transfer size 8
|-
| 0xBD900088 || 4 || W? || Transfer address 9
|-
| 0xBD90008C || 4 || W? || Transfer size 9
|-
| 0xBD900090 || 4 || RW || Total transfer length
|-
| 0xBD900094 || 4 || W? || Unknown, can be 0 or 1
|-
|}

= 0xBE000000: Audio =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE000000 || 4 || RW || Audio init/reset?
|-
| 0xBE000004 || 4 || W? || Disable audio input/output?

Bit 0: enable output

Bit 1: enable SRC output (?)

Bit 2: enable audio input

Bit 3: ??
|-
| 0xBE000008 || 4 || W? || Same as 0xBE000004 but with reversed bits; enable audio input/output?
|-
| 0xBE00000C || 4 || RW || Seems to contain the current value for 0xBE000004 (ie the current enabled input/outputs)
|-
| 0xBE000010 || 4 || W? || Similar to 0xBE000004 but set only when starting playing something, and input bit is set only for loopback test?
|-
| 0xBE000014 || 4 || W? || Unknown, set to 0x1208 = 4616 during initialization
|-
| 0xBE000018 || 4 || W? || Unknown, set to 0 during initialization
|-
| 0xBE00001C || 4 || R? || Similar to 0xBE000004; possibly bits which finished execution?
|-
| 0xBE000020 || 4 || W? || Another similar set of flags
|-
| 0xBE000024 || 4 || W? || Another similar set of flags (enabled interrupts?)
|-
| 0xBE000028 || 4 || RW || Another similar set of flags
|-
| 0xBE00002C || 4 || W? || Another similar set of flags
|-
| 0xBE000038 || 4 || W? || Set to 256 when frequency in 48kHz, 128 when it is 44.1kHz or during SRC output
|-
| 0xBE00003C || 4 || W? || Same as above, but not set at initialization time
|-
| 0xBE000040 || 4 || RW || Frequency-related??
|-
| 0xBE000044 || 4 || W? || Hardware frequency?
|-
| 0xBE000050 || 4 || RW || Volume?
|-
| 0xBE000060 || 4 || W? || Send audio data?
|-
| 0xBE000070 || 4 || W? || Send audio data?
|-
| 0xBE000080 || 4 || ? || ??
|-
| 0xBE0000D0 || 4 || ? || ??
|-
|}

= 0xBE100000: MagicGate hardware for memory stick? =

= 0xBE140000: LCDC =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE140000 || 4 || RW || First LCDC controller enable

Bits 0-1 = 3 to enable first LCDC controller (tachyon version < 0x800000; otherwise it's set to 0)
|-
| 0xBE140004 || 4 || RW || Synchronization difference: (xsync / zoom) - ysync
|-
| 0xBE140008 || 4 || RW || Unknown (fourth argument of sceLcdcCheckMode and sceLcdcSetMode)
|-
| 0xBE140010 || 4 || RW || X back porch
|-
| 0xBE140014 || 4 || RW || X sync width
|-
| 0xBE140018 || 4 || RW || X front porch
|-
| 0xBE14001C || 4 || RW || X resolution
|-
| 0xBE140020 || 4 || RW || Y back porch
|-
| 0xBE140024 || 4 || RW || Y sync width
|-
| 0xBE140028 || 4 || RW || Y front porch
|-
| 0xBE14002C || 4 || RW || Y resolution
|-
| 0xBE140030 || 4 || R || HPC (?), returned by sceLcdcReadHPC()
|-
| 0xBE140034 || 4 || R || VPC (?), returned by sceLcdcReadVPC()
|-
| 0xBE140040 || 4 || RW || Y shift (between hardware & software resolution)
|-
| 0xBE140044 || 4 || RW || X shift (between hardware & software resolution)
|-
| 0xBE140048 || 4 || RW || Scaled X resolution
|-
| 0xBE14004C || 4 || RW || Scaled Y resolution (same as the physical Y resolution)
|-
| 0xBE140050 || 4 || RW || Unknown, set to 1, maybe used by sceLcdcReadUnderflow (to be verified)
|-
| 0xBE140070 || 4 || W || Set to 1 when running sceLcdcResume() or sceLcdcInit() on tachyon version >= 0x5000000
|-
|}

The exact same registers are at 0xBE1401.., these ones being used for tachyon version >= 0x8000000 (PSP Go?). <br>
These registers are only set on tachyo version >= 0x8000000:

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE140180 || 4 || RW || Always set to 1 when 0xBE140184 - 0xBE140198 are used
|-
| 0xBE140184 || 4 || RW || Scaled X resolution (read instead of the (real) X resolution above when enabled)
|-
| 0xBE140188 || 4 || RW || Y resolution (read instead of the (real) Y resolution above when enabled)
|-
| 0xBE14018C || 4 || RW || Unknown (0x580 - 0x678)
|-
| 0xBE140190 || 4 || RW || Unknown (0x4C4 - 0x71C)
|-
| 0xBE140194 || 4 || RW || Unknown (0xAFC - 0xCEC)
|-
| 0xBE140198 || 4 || RW || Unknown (0x910 - 0xE38)
|-
| 0xBE1401A0 || 4 || RW || Display flags?
|-
| 0xBE1401B0 || 4 || RW || Display clock?
|-
| 0xBE140200 || 4 || W || Set to 1 on initialization
|-
|}

= 0xBE200000: I2c =


{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE200000 || 4 || R? || Unknown
|-
| 0xBE200004 || 4 || RW || Command

Value 0x85 = unknown (used after writing the transmit data)

Value 0x8A = receive data

Value 0x87 = unknown (used after writing the transmit data)

|-
| 0xBE200008 || 4 || RW || Data length
|-
| 0xBE20000C || 4 || R? || Read/write data
|-
| 0xBE200010 || 4 || RW || Unknown
|-
| 0xBE200014 || 4 || RW || Unknown
|-
| 0xBE20001C || 4 || RW || Unknown
|-
| 0xBE200028 || 4 || R? || Clear/read interrupt
|-
| 0xBE20002C || 4 || W? || Unknown
|-
|}

= 0xBE240000: GPIO =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE240000 || 4 || RW || Is output (?)
|-
| 0xBE240004 || 4 || R || GPIO read pin (1 bit = 1 pin)
|-
| 0xBE240008 || 4 || W || GPIO set pin (1 bit = 1 pin)
|-
| 0xBE24000C || 4 || W|| GPIO clear pin (1 bit = 1 pin)
|-
| 0xBE240010 || 4 || RW || Is edge detection (?)
|-
| 0xBE240014 || 4 || RW || Is falling edge (?)
|-
| 0xBE240018 || 4 || RW || Is rising edge (?)
|-
| 0xBE24001C || 4 || RW || Interrupt enable
|-
| 0xBE240020 || 4 || R? || Interrupt Status
|-
| 0xBE240024 || 4 || W || Acknowledge interrupt
|-
| 0xBE240030 || 4 || RW || Capture port enable
|-
| 0xBD240034 || 4 || RW || Timer capture enable
|-
| 0xBE240040 || 4 || RW || Is input on (?)
|-
| 0xBE240048 || 4 || W? || Unknown
|-
|}

= 0xBE300000: Power management? =

Seems to be composed of 3 controllers, each of size 0x20.

= 0xBE4C0000 & 0xBE500000: UART =

[https://developer.arm.com/documentation/ddi0183/f/programmer-s-model/summary-of-registers?lang=en ARM PrimeCell UART PL011]

There are two similar UART controllers:
* At 0xBE4C0000: UART4 = ?
* At 0xBE500000: UART3 = Headphone/remote SIO

There is also possibly an infrared controller at 0xBE540000.

UART port numbers vary depending on documentations.

Some documentations seem to argue that there are 8 controllers for 0xBE40 to 0xBE5C, but the syscon interface looks very different so it might not be the case.

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBExx0000 || 4 || RW || Read/write FIFO of the UART port

Bits 0-7 = data

Writing writes a byte to the Tx buffer and advances the write position.
Reading reads a byte from the Rx buffer and advances the read position.
The FIFO is 32(?) bytes long.
|-
| 0xBExx0004 || 4 || RW || Unknown
|-
| 0xBExx0018 || 4 || RW || Port status

Bit 4 = Rx buffer status is empty

Bit 5 = Tx buffer status is full
|-
| 0xBExx0024 || 4 || W || Upper bits of baudrate divisor, ie (96000000 / baudrate) >> 6
|-
| 0xBExx0028 || 4 || W || Lower bits of baudrate divisor, ie (96000000 / baudrate) & 0x3f
|-
| 0xBExx002C || 4 || RW || Set bits 5-6 to set the baud rate?
|-
| 0xBExx0030 || 4 || RW || Unknown
|-
| 0xBExx0034 || 4 || RW || Unknown
|-
| 0xBExx0038 || 4 || RW || Unknown
|-
| 0xBExx0044 || 4 || RW || Clear interrupt?
|-
|}

= 0xBE580000: Syscon =
[https://developer.arm.com/documentation/ddi0194/h/programmer-s-model/summary-of-primecell-ssp-registers?lang=en ARM PrimeCell Synchronous Serial port PL022]

TODO: validate register mappings

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE580000 || 4 || W? || Unknown (0xCF is written there at initialization time)
|-
| 0xBE580004 || 4 || RW || Flags

Bit 1 = start syscon command

Bit 2 = reset data index

Bit 3 = in progress?
|-
| 0xBE580008 || 4 || RW || Read/write data

Bits 0-15: 16-bit data
|-
| 0xBE58000C || 4 || R? || Flags

Bit 0 = error

Bit 2 = not finished
|-
| 0xBE580014 || 4 || W? || Unknown (0 is written there)
|-
| 0xBE580018 || 4 || R? || Unknown
|-
| 0xBE580020 || 4 || W? || Unknown; clear error status?
|-
| 0xBE580024 || 4 || W? || Unknown (0 is written there)
|-
|}

= 0xBE5C0000: LCD controller (Slim) =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE5C0000 || 4 || W? || Unknown
|-
| 0xBE5C0004 || 4 || W? || Unknown
|-
| 0xBE5C0008 || 4 || RW? || Unknown
|-
| 0xBE5C000C || 4 || R? || Unknown
|-
| 0xBE5C0010 || 4 || W? || Unknown
|-
| 0xBE5C0014 || 4 || W? || Unknown
|-
| 0xBE5C0024 || 4 || W? || Unknown
|-
|}

= 0xBE600000: ? =

= 0xBE740000: Display =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE740000 || 4 || W? || Unknown
|-
| 0xBE740004 || 4 || RW || Get/set row sync (?)
|-
| 0xBE740008 || 4 || R? || Get sync (?)
|-
| 0xBE74000C || 4 || W? || Unknown
|-
| 0xBE740010 || 4 || W? || Unknown
|-
| 0xBE740014 || 4 || W? || Unknown
|-
| 0xBE740020 || 4 || R? || Unknown
|-
| 0xBE740024 || 4 || W? || Unknown
|-
|}

= 0xBE780000: Display (Slim) =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBE780000 || 4 || ? || Unknown
|-
| 0xBE78001C || 4 || ? || Unknown
|}

= 0xBFC00000: MIPS Reset Vector =

The PSP [[PRE-IPL|iplloader]] is copied to 0xBFC00000 then executed.

bloadp is copied to 0xBFE00000 then executed.

IPL blocks are usually copied to 0xBFE01000, decrypted in place then executed.

= 0xBFF00000: NAND DMA buffer =

{| class="wikitable"
|-
! Address
! Size
! Read/write
! Description
|-
| 0xBFF00000 || 512 || RW || NAND DMA data buffer. These 512 bytes contain the page data to be transferred to/from the NAND during DMA. This does not include spare nor ECC information
|-
| 0xBFF00800 || 4 || RW || Calculated ECC for DMA data
|-
| 0xBFF00900 || 16 || RW || Spare data to be transferred from/to the NAND during DMA. This does not include spare nor ECC information
|-
|}

= References =

* [http://daifukkat.su/docs/psptek/ PSPTEK]
* [https://gigawiz.github.io/yapspd/html_chapters_split/chap8.html yapspd]
* [https://github.com/uofw/uofw uOFW]
* [https://github.com/jpcsp/jpcsp Jpcsp]