Difference between revisions of "F00D"

From Vita Development Wiki
 
(4 intermediate revisions by one other user not shown)
Line 2: Line 2:
 
== Related pages ==
 
== Related pages ==
  
* [[Private:F00D basics]]
+
* [[F00D Processor]]
* [[Private:Secure Kernel]]
+
* [[F00D Communication Ports]]
* [[Private:Second Loader]]
+
* [[F00D Commands]]
* [[Private:Sm modules]]
+
* [[F00D basics]]
* [[Private:Ernie Secure]]
+
* [[F00D Key Ring Controller]]
 +
* [[F00D Key Ring Base]]
 +
* [[Secure Kernel]]
 +
* [[Second Loader]]
 +
* [[Sm modules]]
 +
* [[Ernie Secure]]
  
 
== Reset ==
 
== Reset ==
Although the MeP architecture docs specify that with EVM=0, the reset/NMI vector base is at 0x00000000 it is observed that the vector base is actually at 0x00040000. However, EVA/IVA still work as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior and the vector base remapping might be done when the bootrom is unmapped.
+
Although the MeP architecture docs specify that with EVM=0 the reset/NMI vector base is at 0x00000000, it is observed that the vector base is actually at 0x00040000. However, EVA/IVA still works as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior and the vector base remapping might be done when the bootrom is unmapped.
  
 
== Devices ==
 
== Devices ==
  
{| class="wikitable"
+
See [[Physical_Memory#F00D_Processor]] for physical memory mapping.
|-
 
! Address !! Device
 
|-
 
| 0xE0000000 || [[Private:Communication Ports]]
 
|-
 
| 0xE0010000 || F00D Reset
 
|-
 
| 0xE0020000 || ?
 
|-
 
| 0xE0030000 || [[Private:Key Ring Controller]]
 
|-
 
| 0xE0040000 || [[Private:Math Processor]]
 
|-
 
| 0xE0050000 || [[Private:Bigmac]]
 
|-
 
| 0xE0058000 || [[Private:Keyring Regs]] [[Private:Key Ring Base]]
 
|-
 
| 0xE0070000 || ?
 
|-
 
| 0xE00C0000 || ?
 
 
 
|}
 
  
 
=== 0xE0010000 ===
 
=== 0xE0010000 ===
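Review bot: The per-address subsections (=== 0xE0010000 === onward) lose their device names once the Devices table is dropped in this hunk, because only the link to Physical_Memory#F00D_Processor remains; consider keeping the name in each heading, for example "F00D Reset" for 0xE0010000 as the removed table had it. In the Reset paragraph, "EVA/IVA still work" became "still works"; the subject is plural, so the original "work" reads better.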
Line 45: Line 28:
 
| 0xE0010000 || TZ sets to 1 then 0 and it appears F00D resets
 
| 0xE0010000 || TZ sets to 1 then 0 and it appears F00D resets
 
|-
 
|-
| 0xE0010004 || Read by second_loader, check against mask & 5 and & 8. Read by TZ after setting reset, checks bit 0x80000000. Seen as 0x80000005. Writing values to it from f00d does nothing.
+
| 0xE0010004 || Read by second_loader, check against mask & 5 and & 8. Read by TZ after setting reset, checks bit 0x80000000. Seen as 0x80000005. Writing values to it from F00D does nothing.
 
|}
 
|}
  
Line 54: Line 37:
 
! Address !! Description
 
! Address !! Description
 
|-
 
|-
| 0xE0020000 || Second_loader sets it to 0x30003, secure_kernel sets it to 0x2000F. bit 0x10000 allows ARM to reset f00d. bit 0x1 sets bootrom to load secure_kernel.
+
| 0xE0020000 || second_loader sets it to 0x30003, secure_kernel sets it to 0x2000F. bit 0x10000 allows ARM to reset f00d. bit 0x1 sets bootrom to load secure_kernel.
 
|-
 
|-
 
| 0xE0020004 || Read by second_loader, check against 0x8000001F, also set by second_loader when setting 0x30003 above
 
| 0xE0020004 || Read by second_loader, check against 0x8000001F, also set by second_loader when setting 0x30003 above
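Review bot: The revised 0xE0020000 row still reads "allows ARM to reset f00d", while the 0xE0010004 row in this same diff was changed to "F00D"; capitalise it here as well so the page uses one spelling. The two sentences starting "bit 0x10000" and "bit 0x1" could also start with a capital, matching the rest of the row.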

Latest revision as of 13:46, 17 January 2020

Related pages

Reset

Although the MeP architecture docs specify that with EVM=0 the reset/NMI vector base is at 0x00000000, the vector base is observed to be at 0x00040000. However, EVA/IVA still work as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior, and the vector base remapping might be done when the bootrom is unmapped.

Devices

See Physical_Memory#F00D_Processor for physical memory mapping.

0xE0010000

{| class="wikitable"
! Address !! Description
|-
| 0xE0010000 || TZ sets to 1 then 0 and it appears F00D resets.
|-
| 0xE0010004 || Read by second_loader, which checks it against mask & 5 and & 8. Read by TZ after setting reset, which checks bit 0x80000000. Seen as 0x80000005. Writing values to it from F00D does nothing.
|}

0xE0020000

{| class="wikitable"
! Address !! Description
|-
| 0xE0020000 || second_loader sets it to 0x30003, secure_kernel sets it to 0x2000F. Bit 0x10000 allows ARM to reset F00D. Bit 0x1 sets bootrom to load secure_kernel.
|-
| 0xE0020004 || Read by second_loader, checked against 0x8000001F; also set by second_loader when setting 0x30003 above.
|-
| 0xE0020020 || Checked for 0 by second_loader.
|-
| 0xE0020100 || 256-bit key from slot 0x602 is copied here by second_loader.
|}
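
The two values written to 0xE0020000 and the value seen at 0xE0010004 can be decoded against the bit meanings listed in the tables above. The following is an added example, not code from the wiki or from any firmware; all macro, struct and function names are hypothetical, and only the bits the page documents are named.

```c
#include <stdint.h>
#include <stdio.h>

/* Only the bit meanings stated in the tables above are named; all macro,
 * struct and function names are hypothetical, chosen for this example. */
#define CTRL_BOOTROM_LOADS_SK 0x00000001u /* 0xE0020000: bootrom loads secure_kernel */
#define CTRL_ARM_MAY_RESET    0x00010000u /* 0xE0020000: ARM may reset F00D */
#define STAT_TZ_BIT           0x80000000u /* 0xE0010004: bit TZ checks after reset */

struct ctrl_bits {
    int bootrom_loads_sk;
    int arm_may_reset;
    uint32_t undocumented; /* set bits the page gives no meaning for */
};

struct stat_bits {
    int tz_bit;    /* bit 0x80000000 */
    uint32_t and5; /* value & 5, as masked by second_loader */
    uint32_t and8; /* value & 8, as masked by second_loader */
};

struct ctrl_bits decode_ctrl(uint32_t v)
{
    struct ctrl_bits d;
    d.bootrom_loads_sk = (v & CTRL_BOOTROM_LOADS_SK) != 0;
    d.arm_may_reset = (v & CTRL_ARM_MAY_RESET) != 0;
    d.undocumented = v & ~(CTRL_BOOTROM_LOADS_SK | CTRL_ARM_MAY_RESET);
    return d;
}

struct stat_bits decode_stat(uint32_t v)
{
    struct stat_bits s = { (v & STAT_TZ_BIT) != 0, v & 5u, v & 8u };
    return s;
}

int main(void)
{
    const uint32_t vals[] = { 0x30003u, 0x2000Fu }; /* second_loader, secure_kernel */
    for (int i = 0; i < 2; i++) {
        struct ctrl_bits d = decode_ctrl(vals[i]);
        printf("0x%05X: load_sk=%d arm_reset=%d other=0x%05X\n", (unsigned)vals[i],
               d.bootrom_loads_sk, d.arm_may_reset, (unsigned)d.undocumented);
    }
    printf("bits that differ: 0x%05X\n", (unsigned)(vals[0] ^ vals[1]));
    struct stat_bits s = decode_stat(0x80000005u); /* value "seen" at 0xE0010004 */
    printf("status: tz_bit=%d &5=%u &8=%u\n", s.tz_bit, (unsigned)s.and5, (unsigned)s.and8);
    return 0;
}
```

Decoded this way, 0x30003 has bit 0x10000 set and 0x2000F does not, while both values keep bit 0x1 set.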

0xE0070000

{| class="wikitable"
! Address !! Description
|-
| 0xE0070000 || Seen as 1. Set to 0, then 1 after writing to 0xE0070008.
|-
| 0xE0070008 || Set to 0x020E020F in second_loader, eMMC related?
|-
| 0xE007000C || Seen as 2.
|-
| 0xE0070014 || Set to 6 under some condition in second_loader.
|}