Memory System
Kermit memory system internals
This is mostly based on assumptions and may be completely wrong.
Terminology
- Agent
A device connected to the memory system.
- TA
Short for Target Agent.
- IA
Short for Initiator Agent.
- Transaction
A data exchange performed via the memory bus system. Transactions transfer data between an IA and a TA. A transaction from X (an IA) to Y (a TA) is initiated by X and targets Y.
- Bus
Short for time-shared bus. A link between agents on which a single transaction may be in progress at a time.
- XBar
Short for Crossbar. A link between agents on which multiple transactions may be in progress at a time (as long as they do not target the same TA).
- Arbiter
This could be a single physical device of the memory system that allocates access to the bus/XBar to IAs (most plausible hypothesis). However, the PS Vita may instead be using a decentralized bus arbitration system in which there is no single arbiter.
- Bus Master
When a transaction is occurring on a bus, the agent that started the transaction is referred to as the Bus Master.
There are three revisions of the memory system layout: one for Kermit1.0 ES1, one for Kermit1.0 ES2 (not documented but close to ES3) and one for Kermit1.0 ES3, ES4, and Kermit1.5 ES1.
In the following sections, you may see register names such as BEBT
and SBEBT
mentioned.
Unless otherwise specified, a register prefixed with S
is merely the ARM Secure variant of the register (e.g. SBEBT
is BEBT
for ARM Secure).
Everything that applies to a register should apply to its Secure variant, except that the register is updated by Secure bus transactions, instead of Non-Secure bus transactions.
Control registers
There are several MMIO registers available to alter the behavior of the memory system, or query information about the memory system's state.
IA/TA registers
A common register group associated to every IA or TA of the memory system. The register group is 0x1000 bytes sized (but maybe not all room is used).
(List of physical address for all these interfaces can be found on Physical Memory page - names start with SSX_
- will be migrated here at some point)
Name | Offset in group | Size | Usage/Notes |
---|---|---|---|
STATUS | 0x28 | 0x8 | Bit 0x0100_0000 indicates an error |
ERROR_LOG | 0x58 | 0x8 | |
ADDR | 0x60 | 0x8 |
Bus Errors
When a bus error occurs, an interrupt is delivered to ARM Secure (Interrupt ID 0x21=33) or Non-Secure (Interrupt ID 0x20=32). The OS considers all bus errors to be fatal. The interrupt handlers installed for these IDs perform a register dump then stop the system.
It appears that device-initiated bus errors (e.g. DMAC) are always routed to Non-Secure interrupt. There may be other rules to consider (e.g. some register to set whether a device is Secure/Non-Secure).
It is unknown whether or not CMeP can receive bus error interrupts or how CMeP fits in the memory system.
There are two kind of bus errors: Internal Bus error and Target Device error. An Internal Bus error occurs when the memory system fails to deliver a request to a target device - for example, trying to access non-existent memory. A Target Device error occurs when a device successfully receives a request but is unable to handle it - for example, accessing the non-existent part of a device's memory.
Bus Error Attribute
The bus error attribute is a 32-bit value that can be recovered in a per-device MMIO register (along with the bus error address).
The attribute holds multiple informations: who was the bus master when the error occurred, what bus command was ongoing, and (sometimes) the reason of the bus error.
Bitmask | Name | Notes |
---|---|---|
0x003F_0000 |
master | Bus master |
0x0000_0700 |
cmd | Ongoing command on the bus |
0x0000_0008 |
Burst Access Error | |
0x0000_0004 |
Register Permission Error | |
0x0000_0001 |
Address Hole Error | If set, the error occurred because the address was invalid. |
Note that for some devices (Spad32K, Spad128K, Compati SRAM), the only valid attribute is 0x1
, indicating an invalid address.
To decode the meaning of master
and cmd
, shift them by 16 and 8 respectively to obtain a value between 0-63/0-7 and use the following tables:
Value | Command |
---|---|
0 | Idle |
1 | Write |
2 | Read |
3 | ReadEx |
4 | ReadLinked |
5 | WriteNonPost |
6 | WriteConditional |
7 | Broadcast |
Value | Command |
---|---|
0 | Reserved |
1 | ARM Core0 |
2 | ARM Core1 |
3 | ARM Core2 |
4 | ARM Core3 |
5 | ARM L2 |
6 | Reserved |
7 | Reserved |
8 | Reserved |
9 | Reserved |
10 | Reserved |
11 | Reserved |
12 | Reserved |
13 | Reserved |
14 | Reserved |
15 | Reserved |
16 | DMAC0 |
17 | DMAC1 |
18 | DMAC2 |
19 | DMAC3 |
20 | DMAC4 |
21 | DMAC5 |
22 | Reserved |
23 | GPU |
24 | Venezia |
25 | VIP vdpd |
26 | VIP vdpm |
27 | VIP bap |
28 | Reserved |
29 | IFTU0a |
30 | IFTU0b |
31 | IFTU1a |
32 | IFTU1b |
33 | IFTU2 |
34 | Reserved |
35 | Reserved |
36 | USB1 Host EHCI |
37 | USB1 Host OCHI |
38 | Reserved |
39 | Sensor in 0 |
40 | Sensor in 1 |
41 | Reserved |
42 | LCD DMAC |
43 | Performance Monitor |
44 | USB2 Device DMAC |
45 | Sub LCD |
46 | DMAC6 |
47 | USB0 Host EHCI |
48 | USB0 Host OHCI |
49 | USB2 Host EHCI |
50 | USB2 Host OHCI |
51 | USB0 Device DMAC |
52 | Reserved |
53 | Reserved |
54 | Reserved |
55 | USB1 Device DMAC |
56 | Reserved |
57 | Reserved |
58 | Reserved |
59 | SD/HSMMC0 |
60 | SD/HSMMC1 |
61 | SD/HSMMC2 |
62 | SD/HSMMC3 |
63 | Memory Stick |
Clear TA error
In old firmwares (e.g. 0.920 - pre-ES3, so this may no longer be valid), there exists inside the bus error module a function named BusErrorClearTA
which works the following way.
First, choose a bus/XBar that will serve as start point (MainXBar for ES2).
Second, recursively build a list of all TAs connected to this start point. Repeat the process for all TAs that are busses or XBars.
Third, walk the obtained tree. Check the STATUS
of all TAs. If an error is present, repeat the procedure recursively (if bus/XBar) then clear the error.
To detect an error, check if bit 0x01000_0000ull
is present in STATUS
To clear the error, simply write 0x01000_0000ull
to STATUS
.
NOTE: old firmwares do not have informations about IAs, only TAs. This could explain the routine's name, but also means this procedure may also work/be needed on IA side.
Miscellaneous
The memory system is able to distinguish if a transaction is originating from ARM Secure state or Non-Secure state because ARM Cortex-A9 processors with Security Extensions have a bit indicating whether the access is Secure or Non-Secure added to all memory system transactions.
Attempting to perform a DMAC memcpy() from Secure to Non-Secure LPDDR0 region results in a NS bus error. The current hypothesis is that all devices on the Kermit bus diagram that have an IA are treated as ARM NS.
On ES1 hardware, the bus registers are prefixed with SMX
instead of SSX
. The meaning of both these acronyms is unknown.