Memory System

From Vita Development Wiki
Revision as of 18:18, 1 May 2023 by CreepNT (talk | contribs) (Initial draft)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Kermit memory system internals

This is all based on assumptions and may be completely wrong.

Terminology

  • Agent

A device connected to the memory system.

  • Access

An interface between an Agent and the memory

  • TA

Short for Target Access?

  • IA

Short for Initiator Access?

  • Transaction

A data exchange performed via the memory bus system. Transactions transfer data between an IA and a TA. A transaction from X (an IA) to Y (a TA) is initiated by X and targets Y.

  • Bus

Short for time-shared bus. A link between agents on which a single transaction may be in progress at a time.

  • XBar

Short for Crossbar. A link between agents on which multiple transactions may be in progress at a time (as long as they do not target the same TA).

  • Arbiter

This could be a single physical device of the memory system that allocates access to the bus/XBar to IAs (most plausible hypothesis). However, the PS Vita may instead be using a decentralized bus arbitration system in which there is no single arbiter.

  • Bus Master

When a transaction is occurring on a bus, the agent that started the transaction is referred to as the Bus Master.


There are three revisions of the memory system layout: One for Kermit1.0 ES1, one for Kermit1.0 ES2 (not documented but close to ES3) and one for Kermit1.0 ES3, ES4, and Kermit1.5 ES1.

In the following sections, you may see register names such as BEBT and SBEBT mentioned. Unless otherwise specified, a register prefixed with S is merely the ARM Secure variant of the register (e.g. SBEBT is BEBT for ARM Secure). Everything that applies to a register should apply to its Secure variant, except that the register is updated by Secure bus transactions, instead of Non-Secure bus transactions.

Control registers

There are several MMIO registers available to alter the behavior of the memory system, or query information about the memory system's state.

IA/TA registers

A common register group associated to every IA or TA of the memory system. The register group is 0x1000 bytes sized (but maybe not all room is used).

(List of physical address for all these interfaces can be found on Physical Memory page - names start with SSX_ - will be migrated here at some point)

Known registers
Name Offset in group Size Usage/Notes
STATUS 0x28 0x8 Bit 0x0100_0000 indicates an error
ERROR_LOG 0x58 0x8
ADDR 0x60 0x8

Bus Error handling

When a bus error occurs, an interrupt is delivered to ARM Secure (intr_code 0x1F) or Non-Secure (intr_code 0x20). The OS considers all bus errors to be fatal and installs interrupt handlers that stop the system.

This requires more testing, but it seems that device-initiated bus errors (e.g. DMAC) are routed to Non-Secure interrupt; but there may be other rules to consider.

It is unknown whether or not CMeP can receive bus error interrupts or how CMeP fits in the memory system.

Clear TA error

In old firmwares (e.g. 0.920 - pre-ES3, so this may no longer be valid), there exists a function named BusErrorClearTA which works the following way.

First, choose a bus/XBar that will serve as start point (MainXBar for ES2). Second, recursively build a list of all TAs connected to this start point. Repeat the process for all TAs that are busses or XBars. Third, walk the obtained tree. Check the STATUS of all TAs. If an error is present, repeat the procedure recursively (if bus/XBar) then clear the error.

To clear the error, simply write 0x0000_0000_01000_0000ull to STATUS

NOTE: old firmwares do not have informations about IAs, only TAs. This could explain the routine's name, but also means this procedure may also work/be needed on IA side.

Misc

The memory system is able to distinguish if a transaction is originating from ARM Secure state or Non-Secure state because ARM Cortex-A9 processors with Security Extensions have an additional bit indicating whether the access is Secure or Non-Secure added to all memory system transactions.

?All devices on the Kermit bus diagram that have an IA are treated as ARM NS.? (attempting to perform a DMAC memcpy() from Secure to Non-Secure LPDDR0 region results in a NS bus error)

On ES1 hardware, the bus registers are prefixed with SMX instead of SSX. The meaning of both these acronyms is unknown.