Cmep basics

From Vita Development Wiki
Revision as of 06:59, 10 September 2023 by Princess of Sleeping (talk | contribs)
Jump to navigation Jump to search

Calling convention

  • $1 = arg0
  • $2 = arg1
  • $3 = arg2
  • $4 = arg3

Unmodified by callee: $5, $6, $7, $8.

Clobbered by callee: $9, $10, $11, $12.

Exception

When an exception occurs in CMeP, it jumps to address 0x40000 (or 0x800000) + excp_offset.

Below is the list corresponding to the exceptions (based version 3.xx).

Exception Offset BootROM second_loader secure_kernel
Reset 0x0 Jump to main function Jump to main function Jump to main function
NMI 0x4 infloop no handler no handler
RI 0x8 infloop no handler there handler
ZDIV 0xC infloop no handler there handler
BRK 0x10 infloop no handler no handler
SWI 0x14 infloop no handler there handler
DBG 0x18 infloop no handler infloop
DSP 0x1C infloop no handler no handler
COP 0x20 infloop no handler no handler
- 0x24 infloop no handler no handler
- 0x28 infloop no handler no handler
- 0x2C infloop no handler no handler

There are also 32 interrupt vectors after the exception vector at offset 0x30.

Interrupt is all infloop in BootROM, Also all no handler in second_loader

Interrupt Offset Description
- 0x30 no handler
intr 0x34 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x38 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x3C setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x40 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x44 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x48 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
- 0x4C no handler
Arm2Cry (0xE0000010) 0x50 Fixed
Arm2Cry (0xE0000014) 0x54 Per secure modules
intr 0x58 setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
intr 0x5C setting on 0x100301. Runs at intr_index from global function slot in secure_kernel.
- 0x60 ~ 0xAC -

Configuration

Note: These registers were dumped with a Secure Module exploit. Some options are read/write so it might differ.

$cfg

0xF00004AA

$ccfg

0x5B105B08

$rcfg

0x01000100

$opt

0x03FD0201

This register is read-only.

  • CBS = 00: coprocessor data bus width 32-bit
  • DBS = 00: DSP data bus width 32-bit
  • 0
  • HWE = 0: hardware engine off
  • DIV = 1: 32-bit divide instruction on
  • MUL = 1: multiply instruction on
  • BIT = 1: bit manipulation instruction on
  • SAT = 1: saturation instruction on
  • CLP = 1: clip instruction on
  • MIN = 1: min/max instruction on
  • AVE = 1: average instruction on
  • ABS = 1: abs instruction on
  • 0
  • LDZ = 1: leading zero instruction on
  • BIS = 00: bus interface width is 32-bit
  • LBS = 00: local bus interface width is 32-bit
  • 0
  • TCN = 010: 2 timer/counter channels
  • 0
  • VL64 = 0: 64-bit VLIW off
  • VL32 = 0: 32-bit VLIW off
  • COP = 0: coprocessor off
  • 0
  • DSP = 0: DSP off
  • UCI = 0: UCI off
  • DBG = 1: DBG on