Cmep basics: Difference between revisions

From Vita Development Wiki
Jump to navigation Jump to search
m (Yifan Lu moved page Private:F00D basics to F00D basics without leaving a redirect)
No edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Address Space ==
{| class="wikitable"
! Offset
! Size
! Description
|-
| 0x0
| 0x20000
| CMeP SRAM entire
|-
| 0x0
| 0x4000
| BootROM. cleared by first_loader. boottime only.
|-
| 0x1C000
| 0x4000
| first_loader. boottime only.
|-
| 0x0
| 0x1C000
| second_loader.
|-
| 0x0
| 0x8A00
| secure_kernel.
|-
| 0x8B00
| 0x15000
| sm. also scratch area.
|}
== Calling convention ==
== Calling convention ==
* $1 = arg0
* $1 = arg0
* $2 = arg1
* $2 = arg1
Line 5: Line 39:
* $4 = arg3
* $4 = arg3


Unmodified by callee: $5, $6, $7, $8
Unmodified by callee: $5, $6, $7, $8.


Clobbered by callee: $9, $10, $11, $12
Clobbered by callee: $9, $10, $11, $12.


== Exception ==
When an exception occurs in CMeP, it jumps to address 0x40000 (or 0x800000) + excp_offset.
Below is the list corresponding to the exceptions (based version 3.xx).
{| class="wikitable"
! Exception
! Offset
! BootROM
! second_loader
! secure_kernel
|-
| Reset
| 0x0
| Jump to main function
| Jump to main function
| Jump to main function
|-
| NMI
| 0x4
| infloop
| no handler
| no handler
|-
| RI
| 0x8
| infloop
| no handler
| there handler
|-
| ZDIV
| 0xC
| infloop
| no handler
| there handler
|-
| BRK
| 0x10
| infloop
| no handler
| no handler
|-
| SWI
| 0x14
| infloop
| no handler
| there handler
|-
| DBG
| 0x18
| infloop
| no handler
| infloop
|-
| DSP
| 0x1C
| infloop
| no handler
| no handler
|-
| COP
| 0x20
| infloop
| no handler
| no handler
|-
| -
| 0x24
| infloop
| no handler
| no handler
|-
| -
| 0x28
| infloop
| no handler
| no handler
|-
| -
| 0x2C
| infloop
| no handler
| no handler
|}
There are also 32 interrupt vectors after the exception vector at offset 0x30.
Interrupt is all infloop in BootROM, Also all no handler in second_loader
{| class="wikitable"
! Interrupt
! Offset
! Description
|-
| -
| 0x30
| no handler
|-
| intr
| 0x34
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
|-
| intr
| 0x38
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
|-
| intr
| 0x3C
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
|-
| intr
| 0x40
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
|-
| intr
| 0x44
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
|-
| intr
| 0x48
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
|-
| -
| 0x4C
| no handler
|-
| Arm2Cry (0xE0000010)
| 0x50
| Fixed
|-
| Arm2Cry (0xE0000014)
| 0x54
| Per secure modules
|-
| intr
| 0x58
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
|-
| intr
| 0x5C
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
|-
| -
| 0x60 ~ 0xAC
| -
|}


== Configuration ==
== Configuration ==


Note: This is dumped with a sm exploit. Some options are read/write so it might differ.
Note: These registers were dumped with a [[Secure Modules|Secure Module]] exploit. Some options are read/write so it might differ.
 
=== $cfg ===
=== $cfg ===



Latest revision as of 18:08, 15 June 2024

Address Space

Offset Size Description
0x0 0x20000 CMeP SRAM entire
0x0 0x4000 BootROM. cleared by first_loader. boottime only.
0x1C000 0x4000 first_loader. boottime only.
0x0 0x1C000 second_loader.
0x0 0x8A00 secure_kernel.
0x8B00 0x15000 sm. also scratch area.

Calling convention

  • $1 = arg0
  • $2 = arg1
  • $3 = arg2
  • $4 = arg3

Unmodified by callee: $5, $6, $7, $8.

Clobbered by callee: $9, $10, $11, $12.

Exception

When an exception occurs in CMeP, it jumps to address 0x40000 (or 0x800000) + excp_offset.

Below is the list corresponding to the exceptions (based version 3.xx).

Exception Offset BootROM second_loader secure_kernel
Reset 0x0 Jump to main function Jump to main function Jump to main function
NMI 0x4 infloop no handler no handler
RI 0x8 infloop no handler there handler
ZDIV 0xC infloop no handler there handler
BRK 0x10 infloop no handler no handler
SWI 0x14 infloop no handler there handler
DBG 0x18 infloop no handler infloop
DSP 0x1C infloop no handler no handler
COP 0x20 infloop no handler no handler
- 0x24 infloop no handler no handler
- 0x28 infloop no handler no handler
- 0x2C infloop no handler no handler

There are also 32 interrupt vectors after the exception vector at offset 0x30.

Interrupt is all infloop in BootROM, Also all no handler in second_loader

Interrupt Offset Description
- 0x30 no handler
intr 0x34 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x38 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x3C setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x40 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x44 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x48 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
- 0x4C no handler
Arm2Cry (0xE0000010) 0x50 Fixed
Arm2Cry (0xE0000014) 0x54 Per secure modules
intr 0x58 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x5C setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
- 0x60 ~ 0xAC -

Configuration

Note: These registers were dumped with a Secure Module exploit. Some options are read/write so it might differ.

$cfg

0xF00004AA

$ccfg

0x5B105B08

$rcfg

0x01000100

$opt

0x03FD0201

This register is read-only.

  • CBS = 00: coprocessor data bus width 32-bit
  • DBS = 00: DSP data bus width 32-bit
  • 0
  • HWE = 0: hardware engine off
  • DIV = 1: 32-bit divide instruction on
  • MUL = 1: multiply instruction on
  • BIT = 1: bit manipulation instruction on
  • SAT = 1: saturation instruction on
  • CLP = 1: clip instruction on
  • MIN = 1: min/max instruction on
  • AVE = 1: average instruction on
  • ABS = 1: abs instruction on
  • 0
  • LDZ = 1: leading zero instruction on
  • BIS = 00: bus interface width is 32-bit
  • LBS = 00: local bus interface width is 32-bit
  • 0
  • TCN = 010: 2 timer/counter channels
  • 0
  • VL64 = 0: 64-bit VLIW off
  • VL32 = 0: 32-bit VLIW off
  • COP = 0: coprocessor off
  • 0
  • DSP = 0: DSP off
  • UCI = 0: UCI off
  • DBG = 1: DBG on