F00D

From Vita Development Wiki
Revision as of 16:35, 4 September 2018 by Yifan Lu (talk | contribs)
Jump to navigation Jump to search

Related pages

Reset

Although the MeP architecture docs specify that with EVM=0, the reset/NMI vector base is at 0x00000000 it is observed that the vector base is actually at 0x00040000. However, EVA/IVA still work as expected when EVM=1. Both secure_kernel and second_loader set EVM=0 at the start. This is likely modified hardware behavior and the vector base remapping might be done when the bootrom is unmapped.

Devices

Address Device
0xE0000000 Private:Communication Ports
0xE0010000 F00D Reset
0xE0020000 ?
0xE0030000 Private:Key Ring Controller
0xE0040000 Private:Math Processor
0xE0050000 Private:Bigmac
0xE0058000 Private:Keyring Regs Private:Key Ring Base
0xE0070000 ?
0xE00C0000 ?

0xE0010000

Address Description
0xE0010000 TZ sets to 1 then 0 and it appears F00D resets
0xE0010004 Read by second_loader, check against mask & 5 and & 8. Read by TZ after setting reset, checks bit 0x80000000. Seen as 0x80000005. Writing values to it from f00d does nothing.

0xE0020000

Address Description
0xE0020000 Second_loader sets it to 0x30003, secure_kernel sets it to 0x2000F. bit 0x10000 allows ARM to reset f00d. bit 0x1 sets bootrom to load secure_kernel.
0xE0020004 Read by second_loader, check against 0x8000001F, also set by second_loader when setting 0x30003 above
0xE0020020 checked for 0 by second_loader
0xE0020100 256 bit key from slot 0x602 is copied here by second_loader

0xE0070000

Address Description
0xE0070000 Seen as 1. Set 0, then 1 after writing to 0xE0070008.
0xE0070008 Set to 0x020E020F in second_loader, eMMC related?
0xE007000C Seen as 2
0xE0070014 Set to 6 under some condition in second_loader