Difference between revisions of "Cmep basics"
(Yifan Lu moved page Private:F00D basics to F00D basics without leaving a redirect)
Latest revision as of 18:08, 15 June 2024
Address Space
Offset | Size | Description |
---|---|---|
0x0 | 0x20000 | CMeP SRAM entire |
0x0 | 0x4000 | BootROM. Cleared by first_loader. Boot time only. |
0x1C000 | 0x4000 | first_loader. Boot time only. |
0x0 | 0x1C000 | second_loader. |
0x0 | 0x8A00 | secure_kernel. |
0x8B00 | 0x15000 | sm. Also used as scratch area. |
Calling convention
- $1 = arg0
- $2 = arg1
- $3 = arg2
- $4 = arg3
Unmodified by callee: $5, $6, $7, $8.
Clobbered by callee: $9, $10, $11, $12.
Exception
When an exception occurs in CMeP, it jumps to address 0x40000 (or 0x800000) + excp_offset.
Below is the list of exceptions and how each boot stage handles them (based on version 3.xx).
Exception | Offset | BootROM | second_loader | secure_kernel |
---|---|---|---|---|
Reset | 0x0 | Jump to main function | Jump to main function | Jump to main function |
NMI | 0x4 | infloop | no handler | no handler |
RI | 0x8 | infloop | no handler | handler present |
ZDIV | 0xC | infloop | no handler | handler present |
BRK | 0x10 | infloop | no handler | no handler |
SWI | 0x14 | infloop | no handler | handler present |
DBG | 0x18 | infloop | no handler | infloop |
DSP | 0x1C | infloop | no handler | no handler |
COP | 0x20 | infloop | no handler | no handler |
- | 0x24 | infloop | no handler | no handler |
- | 0x28 | infloop | no handler | no handler |
- | 0x2C | infloop | no handler | no handler |
There are also 32 interrupt vectors after the exception vectors, starting at offset 0x30.
All interrupt vectors are infloop in BootROM and have no handler in second_loader.
Interrupt | Offset | Description |
---|---|---|
- | 0x30 | no handler |
intr | 0x34 | Configured via 0x100301. Runs the handler at intr_index from the global function slot in secure_kernel. |
intr | 0x38 | Configured via 0x100301. Runs the handler at intr_index from the global function slot in secure_kernel. |
intr | 0x3C | Configured via 0x100301. Runs the handler at intr_index from the global function slot in secure_kernel. |
intr | 0x40 | Configured via 0x100301. Runs the handler at intr_index from the global function slot in secure_kernel. |
intr | 0x44 | Configured via 0x100301. Runs the handler at intr_index from the global function slot in secure_kernel. |
intr | 0x48 | Configured via 0x100301. Runs the handler at intr_index from the global function slot in secure_kernel. |
- | 0x4C | no handler |
Arm2Cry (0xE0000010) | 0x50 | Fixed |
Arm2Cry (0xE0000014) | 0x54 | Per secure module |
intr | 0x58 | Configured via 0x100301. Runs the handler at intr_index from the global function slot in secure_kernel. |
intr | 0x5C | Configured via 0x100301. Runs the handler at intr_index from the global function slot in secure_kernel. |
- | 0x60 ~ 0xAC | - |
Configuration
Note: These registers were dumped with a Secure Module exploit. Some options are read/write, so the values may differ from what is shown here.
$cfg
0xF00004AA
$ccfg
0x5B105B08
$rcfg
0x01000100
$opt
0x03FD0201
This register is read-only.
- CBS = 00: coprocessor data bus width 32-bit
- DBS = 00: DSP data bus width 32-bit
- 0
- HWE = 0: hardware engine off
- DIV = 1: 32-bit divide instruction on
- MUL = 1: multiply instruction on
- BIT = 1: bit manipulation instruction on
- SAT = 1: saturation instruction on
- CLP = 1: clip instruction on
- MIN = 1: min/max instruction on
- AVE = 1: average instruction on
- ABS = 1: abs instruction on
- 0
- LDZ = 1: leading zero instruction on
- BIS = 00: bus interface width is 32-bit
- LBS = 00: local bus interface width is 32-bit
- 0
- TCN = 010: 2 timer/counter channels
- 0
- VL64 = 0: 64-bit VLIW off
- VL32 = 0: 32-bit VLIW off
- COP = 0: coprocessor off
- 0
- DSP = 0: DSP off
- UCI = 0: UCI off
- DBG = 1: DBG on
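To make the field decode above reusable for another dump, here is an added example in Python (not code from this wiki page and not part of the CMeP firmware) that splits a $opt value into the fields listed above and re-encodes it as a round-trip check. The field names and widths come from the list; their bit positions are an assumption derived from the list's MSB-first order, which reproduces the page's decode of 0x03FD0201. Bits the page shows as 0 are reported if they turn out to be set, so a dump that disagrees with the documented layout is noticed rather than silently accepted.

```python
# Added example, not code from the wiki page: decode a CMeP $opt value into
# the named fields the page lists for 0x03FD0201. Field names, widths and
# their MSB-first order come from the page; the exact bit positions are an
# assumption derived from that order (they reproduce the page's decode).

OPT_FIELDS = [
    # (name, width) from bit 31 down to bit 0; "-" is a bit the page shows as 0
    ("CBS", 2), ("DBS", 2), ("-", 1), ("HWE", 1),
    ("DIV", 1), ("MUL", 1), ("BIT", 1), ("SAT", 1),
    ("CLP", 1), ("MIN", 1), ("AVE", 1), ("ABS", 1),
    ("-", 1), ("LDZ", 1), ("BIS", 2), ("LBS", 2),
    ("-", 1), ("TCN", 3), ("-", 1), ("VL64", 1),
    ("VL32", 1), ("COP", 1), ("-", 1), ("DSP", 1),
    ("UCI", 1), ("DBG", 1),
]
assert sum(width for _, width in OPT_FIELDS) == 32

# Meaning of each on/off field, as worded on the page.
FEATURE = {
    "HWE": "hardware engine", "DIV": "32-bit divide instruction",
    "MUL": "multiply instruction", "BIT": "bit manipulation instruction",
    "SAT": "saturation instruction", "CLP": "clip instruction",
    "MIN": "min/max instruction", "AVE": "average instruction",
    "ABS": "abs instruction", "LDZ": "leading zero instruction",
    "VL64": "64-bit VLIW", "VL32": "32-bit VLIW", "COP": "coprocessor",
    "DSP": "DSP", "UCI": "UCI", "DBG": "DBG",
}
# Bus-width fields: the page only shows the 00 (32-bit) encoding, so any
# other encoding is reported as raw bits instead of being guessed.
BUS = {"CBS": "coprocessor data bus", "DBS": "DSP data bus",
       "BIS": "bus interface", "LBS": "local bus interface"}


def field_positions():
    """Yield (name, width, lsb) for every field, walking from bit 31 down."""
    bit = 32
    for name, width in OPT_FIELDS:
        bit -= width
        yield name, width, bit


def decode_opt(value):
    """Split a 32-bit $opt value into {name: raw_field_value}.

    Bits the page shows as 0 are not named; if any of them is set, their
    positions are returned under 'unexpected_bits' so a dump that does not
    match the documented layout is flagged.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("$opt is a 32-bit register")
    fields = {}
    unexpected = []
    for name, width, lsb in field_positions():
        raw = (value >> lsb) & ((1 << width) - 1)
        if name == "-":
            if raw:
                unexpected.append(lsb)
        else:
            fields[name] = raw
    if unexpected:
        fields["unexpected_bits"] = unexpected
    return fields


def encode_opt(fields):
    """Inverse of decode_opt; used to check that a decode round-trips exactly."""
    value = 0
    for name, width, lsb in field_positions():
        if name == "-":
            continue
        raw = fields.get(name, 0)
        if raw >> width:
            raise ValueError(f"{name} does not fit in {width} bits")
        value |= raw << lsb
    return value


def describe_opt(value):
    """Render the decode in the same style as the page's list."""
    f = decode_opt(value)
    lines = []
    for name, width, _ in field_positions():
        if name == "-":
            continue
        raw = f[name]
        if name in BUS:
            width_text = "32-bit" if raw == 0 else f"raw {raw:0{width}b}"
            lines.append(f"{name} = {raw:0{width}b}: {BUS[name]} width {width_text}")
        elif name == "TCN":
            lines.append(f"TCN = {raw:03b}: {raw} timer/counter channels")
        else:
            state = "on" if raw else "off"
            lines.append(f"{name} = {raw}: {FEATURE[name]} {state}")
    return lines


if __name__ == "__main__":
    for line in describe_opt(0x03FD0201):
        print(line)
```

Running the block prints the same field list as above for 0x03FD0201; feeding it a dump from a different firmware version makes any change in the enabled instruction set or bus widths, or any set bit in a position the page documents as 0, immediately visible.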