F00D

From Vita Development Wiki

Reset

Although the MeP architecture docs specify that with EVM=0 the reset/NMI vector base is at 0x00000000, the vector base is observed to be at 0x00040000 instead. EVA/IVA still work as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior, and the vector base remapping might be done when the bootrom is unmapped.

Devices

Address Device
0xE0000000 F00D Communication Ports
0xE0010000 F00D Reset
0xE0020000 ?
0xE0030000 F00D Key Ring Controller
0xE0040000 F00D Math Processor
0xE0050000 Bigmac
0xE0058000 F00D Keyring Regs F00D Key Ring Base
0xE0070000 ?
0xE00C0000 ?

0xE0010000

Address Description
0xE0010000 TZ sets this to 1, then 0, and F00D appears to reset.
0xE0010004 Read by second_loader, which checks it against masks & 5 and & 8. Read by TZ after setting reset, which checks bit 0x80000000. Seen as 0x80000005. Writing values to it from F00D does nothing.

0xE0020000

Address Description
0xE0020000 second_loader sets it to 0x30003; secure_kernel sets it to 0x2000F. Bit 0x10000 allows ARM to reset F00D. Bit 0x1 sets bootrom to load secure_kernel.
0xE0020004 Read by second_loader and checked against 0x8000001F; also set by second_loader when setting 0x30003 above.
0xE0020020 Checked for 0 by second_loader.
0xE0020100 The 256-bit key from slot 0x602 is copied here by second_loader.

0xE0070000

Address Description
0xE0070000 Seen as 1. Set to 0, then to 1 after writing to 0xE0070008.
0xE0070008 Set to 0x020E020F in second_loader. eMMC related?
0xE007000C Seen as 2
0xE0070014 Set to 6 under some condition in second_loader