See also Dmac5 which is a similar device.
There are two channels, one located at paddr 0xE0050000 and another at 0xE0050080.
- 0: src
- 1: dst
- 2: size
- 3: function
- 4: keyslot
- 5: iv
- 6: next (for paddr list) -1 to halt
- 7: start paddr list decrypt (pass paddr of first block)
- 8: status (1 = running, 2 = error)
Overall seems similar to Dmac5 but commands are OR'd with 0x2080.
At paddr 0xE005003C there is a 4-byte PRNG (Pseudo Random Number Generator).
AES key or HMAC key is written to 0xE0050200. However, if func&0x80 is true, instead of writing the key it writes keyslot ID to 0xE0050010.
Function 0x0 is memcpy.
Function 0xC is memset. Memset-value is written to dmac_device+0x104. On FW 3.60, the memset-value is seen at offset +0x34.
If you set bit28 in function, dst is keyslot-id instead of physical address. This is used to generate random key 0x22 and 0x23 for suspendbuf.