Cmep basics

Calling convention

 * $1 = arg0
 * $2 = arg1
 * $3 = arg2
 * $4 = arg3

Unmodified by callee: $5, $6, $7, $8.

Clobbered by callee: $9, $10, $11, $12.

Exception
When an exception occurs in CMeP, it jumps to address 0x40000 (or 0x800000) + excp_offset.

Below is the list corresponding to the exceptions (based on version 3.xx).

There are also 32 interrupt vectors after the exception vector at offset 0x30.

In BootROM, every interrupt vector is an infinite loop. In second_loader, none of them has a handler either.

Configuration
Note: These registers were dumped with a Secure Module exploit. Some options are read/write, so the values might differ.

$cfg
0xF00004AA

$ccfg
0x5B105B08

$rcfg
0x01000100

$opt
0x03FD0201

This register is read-only.


 * CBS = 00: coprocessor data bus width 32-bit
 * DBS = 00: DSP data bus width 32-bit
 * 0
 * HWE = 0: hardware engine off
 * DIV = 1: 32-bit divide instruction on
 * MUL = 1: multiply instruction on
 * BIT = 1: bit manipulation instruction on
 * SAT = 1: saturation instruction on
 * CLP = 1: clip instruction on
 * MIN = 1: min/max instruction on
 * AVE = 1: average instruction on
 * ABS = 1: abs instruction on
 * 0
 * LDZ = 1: leading zero instruction on
 * BIS = 00: bus interface width is 32-bit
 * LBS = 00: local bus interface width is 32-bit
 * 0
 * TCN = 010: 2 timer/counter channels
 * 0
 * VL64 = 0: 64-bit VLIW off
 * VL32 = 0: 32-bit VLIW off
 * COP = 0: coprocessor off
 * 0
 * DSP = 0: DSP off
 * UCI = 0: UCI off
 * DBG = 1: DBG on
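
Read MSB-first, the field list above packs back into 0x03FD0201. The following is an added example (not from the original page) that decodes a dumped $opt value with that layout and flags any reserved bit that is set. The bit positions, the 1-bit width of each reserved "0" entry, and the helper names opt_get and opt_reserved_set are assumptions inferred from the order of the list.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* $opt layout, MSB first, inferred from the field list on this page.
 * Assumption: each reserved entry (listed as "0") is 1 bit wide. */
struct opt_field { const char *name; unsigned width; };
static const struct opt_field OPT_LAYOUT[] = {
    {"CBS", 2}, {"DBS", 2}, {NULL, 1}, {"HWE", 1}, {"DIV", 1}, {"MUL", 1},
    {"BIT", 1}, {"SAT", 1}, {"CLP", 1}, {"MIN", 1}, {"AVE", 1}, {"ABS", 1},
    {NULL, 1}, {"LDZ", 1}, {"BIS", 2}, {"LBS", 2}, {NULL, 1}, {"TCN", 3},
    {NULL, 1}, {"VL64", 1}, {"VL32", 1}, {"COP", 1}, {NULL, 1}, {"DSP", 1},
    {"UCI", 1}, {"DBG", 1},
};
#define OPT_NFIELDS (sizeof OPT_LAYOUT / sizeof OPT_LAYOUT[0])

/* Return the value of a named field, or -1 if the name is unknown. */
int opt_get(uint32_t opt, const char *name)
{
    unsigned shift = 32;
    for (size_t i = 0; i < OPT_NFIELDS; i++) {
        shift -= OPT_LAYOUT[i].width;
        if (OPT_LAYOUT[i].name && strcmp(OPT_LAYOUT[i].name, name) == 0)
            return (int)((opt >> shift) & ((1u << OPT_LAYOUT[i].width) - 1));
    }
    return -1;
}

/* Reserved bits that are set; nonzero hints at a bad dump or another layout. */
uint32_t opt_reserved_set(uint32_t opt)
{
    uint32_t mask = 0;
    unsigned shift = 32;
    for (size_t i = 0; i < OPT_NFIELDS; i++) {
        shift -= OPT_LAYOUT[i].width;
        if (!OPT_LAYOUT[i].name)
            mask |= ((1u << OPT_LAYOUT[i].width) - 1) << shift;
    }
    return opt & mask;
}

int main(void)
{
    const uint32_t opt = 0x03FD0201u; /* $opt value listed on this page */
    for (size_t i = 0; i < OPT_NFIELDS; i++)
        if (OPT_LAYOUT[i].name)
            printf("%-4s = %d\n", OPT_LAYOUT[i].name, opt_get(opt, OPT_LAYOUT[i].name));
    printf("reserved bits set: 0x%08X\n", (unsigned)opt_reserved_set(opt));
    return 0;
}
```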