Difference between revisions of "F00D"

From Vita Development Wiki
Jump to navigation Jump to search
 
(9 intermediate revisions by 3 users not shown)
Line 2: Line 2:
 
== Related pages ==
 
== Related pages ==
  
* [[Private:F00D basics]]
+
* [[F00D Processor]]
* [[Private:Secure Kernel]]
+
* [[F00D Communication Ports]]
* [[Private:Second Loader]]
+
* [[F00D Commands]]
* [[Private:Sm modules]]
+
* [[F00D basics]]
* [[Private:Ernie Secure]]
+
* [[F00D Key Ring Controller]]
 +
* [[F00D Key Ring Base]]
 +
* [[Secure Kernel]]
 +
* [[Second Loader]]
 +
* [[Sm modules]]
 +
* [[Ernie Secure]]
  
 
== Reset ==
 
== Reset ==
Although the MeP architecture docs specify that with EVM=0, the reset/NMI vector base is at 0x00000000 it is observed that the vector base is actually at 0x00040000. However, EVA/IVA still work as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior and the vector base remapping might be done when the bootrom is unmapped.
+
 
 +
Although the MeP architecture documentations specify that with EVM=0 the reset/NMI vector base is at 0x00000000, it is observed that the vector base is actually at 0x00040000. However, EVA/IVA still works as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior and the vector base remapping might be done when the bootrom is unmapped.
  
 
== Devices ==
 
== Devices ==
  
{| class="wikitable"
+
See [[Physical_Memory#cmep]] for physical memory mapping.
|-
 
! Address !! Device
 
|-
 
| 0xE0000000 || [[Private:Communication Ports]]
 
|-
 
| 0xE0010000 || F00D Reset
 
|-
 
| 0xE0020000 || ?
 
|-
 
| 0xE0030000 || [[Private:Key Ring Controller]]
 
|-
 
| 0xE0040000 || [[Private:Math Processor]]
 
|-
 
| 0xE0050000 || [[Private:Bigmac]]
 
|-
 
| 0xE0058000 || [[Private:Keyring Regs]] [[Private:Key Ring Base]]
 
|-
 
| 0xE0070000 || ?
 
|-
 
| 0xE00C0000 || ?
 
 
 
|}
 
 
 
=== 0xE0010000 ===
 
 
 
{| class="wikitable"
 
|-
 
! Address !! Description
 
|-
 
| 0xE0010000 || TZ sets to 1 then 0 and it appears F00D resets
 
|-
 
| 0xE0010004 || Read by second_loader, check against mask & 5 and & 8. Read by TZ after setting reset, checks bit 0x80000000. Seen as 0x80000005. Writing values to it from f00d does nothing.
 
|}
 
 
 
=== 0xE0020000 ===
 
 
 
{| class="wikitable"
 
|-
 
! Address !! Description
 
|-
 
| 0xE0020000 || Second_loader sets it to 0x30003, secure_kernel sets it to 0x2000F. bit 0x10000 allows ARM to reset f00d. bit 0x1 sets bootrom to load secure_kernel.
 
|-
 
| 0xE0020004 || Read by second_loader, check against 0x8000001F, also set by second_loader when setting 0x30003 above
 
|-
 
| 0xE0020020 || checked for 0 by second_loader
 
|-
 
| 0xE0020100 || 256 bit key from slot 0x602 is copied here by second_loader
 
|-
 
|}
 
 
 
=== 0xE0070000 ===
 
  
{| class="wikitable"
+
See [[F00D Keyring Regs]].
|-
 
! Address !! Description
 
|-
 
| 0xE0070000 || Seen as 1. Set 0, then 1 after writing to 0xE0070008.
 
|-
 
| 0xE0070008 || Set to 0x020E020F in second_loader, eMMC related?
 
|-
 
| 0xE007000C || Seen as 2
 
|-
 
| 0xE0070014 || Set to 6 under some condition in second_loader
 
|}
 

Latest revision as of 11:48, 20 February 2022

Related pages

Reset

Although the MeP architecture documentations specify that with EVM=0 the reset/NMI vector base is at 0x00000000, it is observed that the vector base is actually at 0x00040000. However, EVA/IVA still works as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior and the vector base remapping might be done when the bootrom is unmapped.

Devices

See Physical_Memory#cmep for physical memory mapping.

See F00D Keyring Regs.