Cmep basics: Difference between revisions
Jump to navigation
Jump to search
m (2 revisions imported) |
No edit summary |
||
(4 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
== Address Space == | |||
{| class="wikitable" | |||
! Offset | |||
! Size | |||
! Description | |||
|- | |||
| 0x0 | |||
| 0x20000 | |||
| CMeP SRAM entire | |||
|- | |||
| 0x0 | |||
| 0x4000 | |||
| BootROM. cleared by first_loader. boottime only. | |||
|- | |||
| 0x1C000 | |||
| 0x4000 | |||
| first_loader. boottime only. | |||
|- | |||
| 0x0 | |||
| 0x1C000 | |||
| second_loader. | |||
|- | |||
| 0x0 | |||
| 0x8A00 | |||
| secure_kernel. | |||
|- | |||
| 0x8B00 | |||
| 0x15000 | |||
| sm. also scratch area. | |||
|} | |||
== Calling convention == | == Calling convention == | ||
* $1 = arg0 | * $1 = arg0 | ||
* $2 = arg1 | * $2 = arg1 | ||
Line 5: | Line 39: | ||
* $4 = arg3 | * $4 = arg3 | ||
Unmodified by callee: $5, $6, $7, $8 | Unmodified by callee: $5, $6, $7, $8. | ||
Clobbered by callee: $9, $10, $11, $12 | Clobbered by callee: $9, $10, $11, $12. | ||
== Exception == | |||
When an exception occurs in CMeP, it jumps to address 0x40000 (or 0x800000) + excp_offset. | |||
Below is the list corresponding to the exceptions (based version 3.xx). | |||
{| class="wikitable" | |||
! Exception | |||
! Offset | |||
! BootROM | |||
! second_loader | |||
! secure_kernel | |||
|- | |||
| Reset | |||
| 0x0 | |||
| Jump to main function | |||
| Jump to main function | |||
| Jump to main function | |||
|- | |||
| NMI | |||
| 0x4 | |||
| infloop | |||
| no handler | |||
| no handler | |||
|- | |||
| RI | |||
| 0x8 | |||
| infloop | |||
| no handler | |||
| there handler | |||
|- | |||
| ZDIV | |||
| 0xC | |||
| infloop | |||
| no handler | |||
| there handler | |||
|- | |||
| BRK | |||
| 0x10 | |||
| infloop | |||
| no handler | |||
| no handler | |||
|- | |||
| SWI | |||
| 0x14 | |||
| infloop | |||
| no handler | |||
| there handler | |||
|- | |||
| DBG | |||
| 0x18 | |||
| infloop | |||
| no handler | |||
| infloop | |||
|- | |||
| DSP | |||
| 0x1C | |||
| infloop | |||
| no handler | |||
| no handler | |||
|- | |||
| COP | |||
| 0x20 | |||
| infloop | |||
| no handler | |||
| no handler | |||
|- | |||
| - | |||
| 0x24 | |||
| infloop | |||
| no handler | |||
| no handler | |||
|- | |||
| - | |||
| 0x28 | |||
| infloop | |||
| no handler | |||
| no handler | |||
|- | |||
| - | |||
| 0x2C | |||
| infloop | |||
| no handler | |||
| no handler | |||
|} | |||
There are also 32 interrupt vectors after the exception vector at offset 0x30. | |||
Interrupt is all infloop in BootROM, Also all no handler in second_loader | |||
{| class="wikitable" | |||
! Interrupt | |||
! Offset | |||
! Description | |||
|- | |||
| - | |||
| 0x30 | |||
| no handler | |||
|- | |||
| intr | |||
| 0x34 | |||
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. | |||
|- | |||
| intr | |||
| 0x38 | |||
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. | |||
|- | |||
| intr | |||
| 0x3C | |||
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. | |||
|- | |||
| intr | |||
| 0x40 | |||
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. | |||
|- | |||
| intr | |||
| 0x44 | |||
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. | |||
|- | |||
| intr | |||
| 0x48 | |||
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. | |||
|- | |||
| - | |||
| 0x4C | |||
| no handler | |||
|- | |||
| Arm2Cry (0xE0000010) | |||
| 0x50 | |||
| Fixed | |||
|- | |||
| Arm2Cry (0xE0000014) | |||
| 0x54 | |||
| Per secure modules | |||
|- | |||
| intr | |||
| 0x58 | |||
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. | |||
|- | |||
| intr | |||
| 0x5C | |||
| setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. | |||
|- | |||
| - | |||
| 0x60 ~ 0xAC | |||
| - | |||
|} | |||
== Configuration == | == Configuration == | ||
Note: | Note: These registers were dumped with a [[Secure Modules|Secure Module]] exploit. Some options are read/write so it might differ. | ||
=== $cfg === | === $cfg === | ||
Latest revision as of 18:08, 15 June 2024
Address Space
Offset | Size | Description |
---|---|---|
0x0 | 0x20000 | CMeP SRAM entire |
0x0 | 0x4000 | BootROM. cleared by first_loader. boottime only. |
0x1C000 | 0x4000 | first_loader. boottime only. |
0x0 | 0x1C000 | second_loader. |
0x0 | 0x8A00 | secure_kernel. |
0x8B00 | 0x15000 | sm. also scratch area. |
Calling convention
- $1 = arg0
- $2 = arg1
- $3 = arg2
- $4 = arg3
Unmodified by callee: $5, $6, $7, $8.
Clobbered by callee: $9, $10, $11, $12.
Exception
When an exception occurs in CMeP, it jumps to address 0x40000 (or 0x800000) + excp_offset.
Below is the list corresponding to the exceptions (based version 3.xx).
Exception | Offset | BootROM | second_loader | secure_kernel |
---|---|---|---|---|
Reset | 0x0 | Jump to main function | Jump to main function | Jump to main function |
NMI | 0x4 | infloop | no handler | no handler |
RI | 0x8 | infloop | no handler | there handler |
ZDIV | 0xC | infloop | no handler | there handler |
BRK | 0x10 | infloop | no handler | no handler |
SWI | 0x14 | infloop | no handler | there handler |
DBG | 0x18 | infloop | no handler | infloop |
DSP | 0x1C | infloop | no handler | no handler |
COP | 0x20 | infloop | no handler | no handler |
- | 0x24 | infloop | no handler | no handler |
- | 0x28 | infloop | no handler | no handler |
- | 0x2C | infloop | no handler | no handler |
There are also 32 interrupt vectors after the exception vector at offset 0x30.
Interrupt is all infloop in BootROM, Also all no handler in second_loader
Interrupt | Offset | Description |
---|---|---|
- | 0x30 | no handler |
intr | 0x34 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
intr | 0x38 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
intr | 0x3C | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
intr | 0x40 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
intr | 0x44 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
intr | 0x48 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
- | 0x4C | no handler |
Arm2Cry (0xE0000010) | 0x50 | Fixed |
Arm2Cry (0xE0000014) | 0x54 | Per secure modules |
intr | 0x58 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
intr | 0x5C | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
- | 0x60 ~ 0xAC | - |
Configuration
Note: These registers were dumped with a Secure Module exploit. Some options are read/write so it might differ.
$cfg
0xF00004AA
$ccfg
0x5B105B08
$rcfg
0x01000100
$opt
0x03FD0201
This register is read-only.
- CBS = 00: coprocessor data bus width 32-bit
- DBS = 00: DSP data bus width 32-bit
- 0
- HWE = 0: hardware engine off
- DIV = 1: 32-bit divide instruction on
- MUL = 1: multiply instruction on
- BIT = 1: bit manipulation instruction on
- SAT = 1: saturation instruction on
- CLP = 1: clip instruction on
- MIN = 1: min/max instruction on
- AVE = 1: average instruction on
- ABS = 1: abs instruction on
- 0
- LDZ = 1: leading zero instruction on
- BIS = 00: bus interface width is 32-bit
- LBS = 00: local bus interface width is 32-bit
- 0
- TCN = 010: 2 timer/counter channels
- 0
- VL64 = 0: 64-bit VLIW off
- VL32 = 0: 32-bit VLIW off
- COP = 0: coprocessor off
- 0
- DSP = 0: DSP off
- UCI = 0: UCI off
- DBG = 1: DBG on