SceVeneziaImage
The VENEZIA binary image module.
Module
This module doesn't contain any ARM code; instead, it holds the image for execution on the VENEZIA coprocessor.
The module doesn't import from any library, and doesn't export any library.
Segment | Description |
---|---|
.text |
Module metadata (SceModuleInfo , etc)
|
.data |
VENEZIA image |
The VENEZIA image is an executable binary for the MeP architecture. The binary is copied to physical address 0x40800000
by SceSblFwLoader (mapped at vaddr 0x28200000
).
On the VENEZIA MeP cores, the image is visible at address 0x800000
(i.e. the binary's base address is 0x800000
).
Image
General information
The image contains MeP code for SceNgs, SceAudioDec, JPEG encoder, decoder and CSC.
The MP3 decoder used is SoCrates MP3 Decoder FIXED-1-16
.
The AAC decoder used is Toshiba Enhanced MPEG-4 ADTS & RAW AACPLUS LC Decoder (Fixed Point) 0-04
.
All offsets in the following sections are relative to the start of the image, for vnzimg.skprx
from firmware ???.
More information is available in the VVNZRunner GitHub repository.
RPC calls
MeP code parses RPC calls from ARM (issued with sceVeneziaRpcCallGenericThunk()
in a function at 0x11482. It maps RPC call ID to a function with the following code:
void* get_function_by_id(int id) { if (id >= 0x200) return NULL; return FUNCTABLE[id]; } FUNCTABLE is located at 0xEADD0 and cointains pointers to other functions. An example of such a function is <code>vnsJpegEncoderEncode</code> located at 0x1F988.
VENEZIA memory model
Venezia works with memory by using physical addresses directly However since Venezia supports threading it includes memory mapping model to prevent race conditions This model is described in detail in the US20120324167A1 patent.
PRIVATE state
In this state, only a task that has changed a memory region to this state is permitted to perform a read/write access by the L1C/L2C. This access is achieved by accessing a virtual address that is mapped in a physical memory by the L1 CFL2C.
PROTECTED state
In this state, one or more tasks that belong to the same process and that have requested a transition to this state are permitted to perform a read access by the L1C/L2C. A task is not permitted to perform a write access to a memory region in this state.
PUBLIC state
In this state, tasks of which mapping set by the ATU is the same, that is, tasks that belong to the same process, share data. However, a task cannot directly access a memory region in this state. Only tasks that belong to the same process are permitted to access, after changing a memory in this state to the PRIVATE state or the PROTECTED state
UNMANAGED state
This state is a state that is not managed by the kernel. That is, this is a portion excluding the kernel management region out of memory regions that the memory has. Because the kernel does not manage consistency of caches in a memory region in this state, a task must hold consistency of the caches by taking responsibility, when a task uses this memory region.
Any memory must be switched to at least PUBLIC state to ensure cache coherence.
Functions
The VENEZIA image includes the following functions:
Toshiba functions
Those functions are described in the US20120324167A1 patent.
Offset | Function |
---|---|
0x11A30 | enter_memory_access_protocol
|
0x11ADC | leave_memory_access_protocol
|
0x11E02 | open_private_memory
|
0x11D34 | open_protected_memory
|
0x11C4E | open_public_memory
|
0x11E76 | close_private_memory
|
0x11DA8 | close_protected_memory
|
0x11CBC | close_public_memory
|
Sony functions
These functions are wrappers for the Toshiba functions, written by SCE.
See vnz/memory.h.
VENEZIA threads
VENEZIA can run up to 7 threads in parallel (one on each core). Threads are assigned to cores automatically and have a priority system.
See vnz/vthread.h.
Generic functions
Offset | Function |
---|---|
C stdlib | |
0x124F28 | memset
|
0x124F3C | abs
|
0x124F48 | memcpy
|
0x124F60 | memmove
|
softfp functions | |
0x124F90 | __mulsf3
|
0x125268 | __divsf3
|
0x125324 | __eqsf2
|
0x125686 | __fixsfsi
|
0x1256DC | __floatsisf
|
0x1253F0 | __gesf2
|
0x12536A | __gtsf2
|
0x1254FC | __lesf2
|
0x125476 | __ltsf2
|
0x1252DE | __nesf2
|