Cmep basics
Jump to navigation
Jump to search
Address Space
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x20000 | CMeP SRAM entire |
| 0x0 | 0x4000 | BootROM. cleared by first_loader. boottime only. |
| 0x1C000 | 0x4000 | first_loader. boottime only. |
| 0x0 | 0x1C000 | second_loader. |
| 0x0 | 0x8A00 | secure_kernel. |
| 0x8B00 | 0x15000 | sm. also scratch area. |
Calling convention
- $1 = arg0
- $2 = arg1
- $3 = arg2
- $4 = arg3
Unmodified by callee: $5, $6, $7, $8.
Clobbered by callee: $9, $10, $11, $12.
Exception
When an exception occurs in CMeP, it jumps to address 0x40000 (or 0x800000) + excp_offset.
Below is the list corresponding to the exceptions (based version 3.xx).
| Exception | Offset | BootROM | second_loader | secure_kernel |
|---|---|---|---|---|
| Reset | 0x0 | Jump to main function | Jump to main function | Jump to main function |
| NMI | 0x4 | infloop | no handler | no handler |
| RI | 0x8 | infloop | no handler | there handler |
| ZDIV | 0xC | infloop | no handler | there handler |
| BRK | 0x10 | infloop | no handler | no handler |
| SWI | 0x14 | infloop | no handler | there handler |
| DBG | 0x18 | infloop | no handler | infloop |
| DSP | 0x1C | infloop | no handler | no handler |
| COP | 0x20 | infloop | no handler | no handler |
| - | 0x24 | infloop | no handler | no handler |
| - | 0x28 | infloop | no handler | no handler |
| - | 0x2C | infloop | no handler | no handler |
There are also 32 interrupt vectors after the exception vector at offset 0x30.
Interrupt is all infloop in BootROM, Also all no handler in second_loader
| Interrupt | Offset | Description |
|---|---|---|
| - | 0x30 | no handler |
| intr | 0x34 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
| intr | 0x38 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
| intr | 0x3C | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
| intr | 0x40 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
| intr | 0x44 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
| intr | 0x48 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
| - | 0x4C | no handler |
| Arm2Cry (0xE0000010) | 0x50 | Fixed |
| Arm2Cry (0xE0000014) | 0x54 | Per secure modules |
| intr | 0x58 | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
| intr | 0x5C | setting on 0x100301. Runs at intr_index from global function slot in secure_kernel. |
| - | 0x60 ~ 0xAC | - |
Configuration
Note: These registers were dumped with a Secure Module exploit. Some options are read/write so it might differ.
$cfg
0xF00004AA
$ccfg
0x5B105B08
$rcfg
0x01000100
$opt
0x03FD0201
This register is read-only.
- CBS = 00: coprocessor data bus width 32-bit
- DBS = 00: DSP data bus width 32-bit
- 0
- HWE = 0: hardware engine off
- DIV = 1: 32-bit divide instruction on
- MUL = 1: multiply instruction on
- BIT = 1: bit manipulation instruction on
- SAT = 1: saturation instruction on
- CLP = 1: clip instruction on
- MIN = 1: min/max instruction on
- AVE = 1: average instruction on
- ABS = 1: abs instruction on
- 0
- LDZ = 1: leading zero instruction on
- BIS = 00: bus interface width is 32-bit
- LBS = 00: local bus interface width is 32-bit
- 0
- TCN = 010: 2 timer/counter channels
- 0
- VL64 = 0: 64-bit VLIW off
- VL32 = 0: 32-bit VLIW off
- COP = 0: coprocessor off
- 0
- DSP = 0: DSP off
- UCI = 0: UCI off
- DBG = 1: DBG on