Memory System

From Vita Development Wiki
Revision as of 12:00, 23 October 2023 by CelesteBlue (talk | contribs)
Jump to navigation Jump to search

Kermit memory system internals

This is mostly based on assumptions and may be completely wrong.

Terminology

  • Agent

A device connected to the memory system.

  • TA

Short for Target Agent.

  • IA

Short for Initiator Agent.

  • Transaction

A data exchange performed via the memory bus system. Transactions transfer data between an IA and a TA. A transaction from X (an IA) to Y (a TA) is initiated by X and targets Y.

  • Bus

Short for time-shared bus. A link between agents on which a single transaction may be in progress at a time.

  • XBar

Short for Crossbar. A link between agents on which multiple transactions may be in progress at a time (as long as they do not target the same TA).

  • Arbiter

This could be a single physical device of the memory system that allocates access to the bus/XBar to IAs (most plausible hypothesis). However, the PS Vita may instead be using a decentralized bus arbitration system in which there is no single arbiter.

  • Bus Master

When a transaction is occurring on a bus, the agent that started the transaction is referred to as the Bus Master.

There are three revisions of the memory system layout: one for Kermit1.0 ES1, one for Kermit1.0 ES2 (not documented but close to ES3) and one for Kermit1.0 ES3, ES4, and Kermit1.5 ES1.

In the following sections, you may see register names such as BEBT and SBEBT mentioned. Unless otherwise specified, a register prefixed with S is merely the ARM Secure variant of the register (e.g. SBEBT is BEBT for ARM Secure). Everything that applies to a register should apply to its Secure variant, except that the register is updated by Secure bus transactions, instead of Non-Secure bus transactions.

Control registers

There are several MMIO registers available to alter the behavior of the memory system, or query information about the memory system's state.

IA/TA registers

A common register group associated to every IA or TA of the memory system. The register group is 0x1000 bytes sized (but maybe not all room is used).

(List of physical address for all these interfaces can be found on Physical Memory page - names start with SSX_ - will be migrated here at some point)

Known registers
Name Offset in group Size Usage/Notes
STATUS 0x28 0x8 Bit 0x0100_0000 indicates an error
ERROR_LOG 0x58 0x8
ADDR 0x60 0x8

Bus Errors

When a bus error occurs, an interrupt is delivered to ARM Secure (Interrupt ID 0x21=33) or Non-Secure (Interrupt ID 0x20=32). The OS considers all bus errors to be fatal. The interrupt handlers installed for these IDs perform a register dump then stop the system.

It appears that device-initiated bus errors (e.g. DMAC) are always routed to Non-Secure interrupt. There may be other rules to consider (e.g. some register to set whether a device is Secure/Non-Secure).

It is unknown whether or not CMeP can receive bus error interrupts or how CMeP fits in the memory system.

There are two kind of bus errors: Internal Bus error and Target Device error. An Internal Bus error occurs when the memory system fails to deliver a request to a target device - for example, trying to access non-existent memory. A Target Device error occurs when a device successfully receives a request but is unable to handle it - for example, accessing the non-existent part of a device's memory.

Bus Error Attribute

The bus error attribute is a 32-bit value that can be recovered in a per-device MMIO register (along with the bus error address).

The attribute holds multiple informations: who was the bus master when the error occurred, what bus command was ongoing, and (sometimes) the reason of the bus error.

Bus error attribute meaning
Bitmask Name Notes
0x003F_0000 master Bus master
0x0000_0700 cmd Ongoing command on the bus
0x0000_0008 Burst Access Error
0x0000_0004 Register Permission Error
0x0000_0001 Address Hole Error If set, the error occurred because the address was invalid.

Note that for some devices (Spad32K, Spad128K, Compati SRAM), the only valid attribute is 0x1, indicating an invalid address.

To decode the meaning of master and cmd, shift them by 16 and 8 respectively to obtain a value between 0-63/0-7 and use the following tables:

cmd decoding table
Value Command
0 Idle
1 Write
2 Read
3 ReadEx
4 ReadLinked
5 WriteNonPost
6 WriteConditional
7 Broadcast
master decoding table
Value Command
0 Reserved
1 ARM Core0
2 ARM Core1
3 ARM Core2
4 ARM Core3
5 ARM L2
6 Reserved
7 Reserved
8 Reserved
9 Reserved
10 Reserved
11 Reserved
12 Reserved
13 Reserved
14 Reserved
15 Reserved
16 DMAC0
17 DMAC1
18 DMAC2
19 DMAC3
20 DMAC4
21 DMAC5
22 Reserved
23 GPU
24 Venezia
25 VIP vdpd
26 VIP vdpm
27 VIP bap
28 Reserved
29 IFTU0a
30 IFTU0b
31 IFTU1a
32 IFTU1b
33 IFTU2
34 Reserved
35 Reserved
36 USB1 Host EHCI
37 USB1 Host OCHI
38 Reserved
39 Sensor in 0
40 Sensor in 1
41 Reserved
42 LCD DMAC
43 Performance Monitor
44 USB2 Device DMAC
45 Sub LCD
46 DMAC6
47 USB0 Host EHCI
48 USB0 Host OHCI
49 USB2 Host EHCI
50 USB2 Host OHCI
51 USB0 Device DMAC
52 Reserved
53 Reserved
54 Reserved
55 USB1 Device DMAC
56 Reserved
57 Reserved
58 Reserved
59 SD/HSMMC0
60 SD/HSMMC1
61 SD/HSMMC2
62 SD/HSMMC3
63 Memory Stick

Clear TA error

In old firmwares (e.g. 0.920 - pre-ES3, so this may no longer be valid), there exists inside the bus error module a function named BusErrorClearTA which works the following way.

First, choose a bus/XBar that will serve as start point (MainXBar for ES2). Second, recursively build a list of all TAs connected to this start point. Repeat the process for all TAs that are busses or XBars. Third, walk the obtained tree. Check the STATUS of all TAs. If an error is present, repeat the procedure recursively (if bus/XBar) then clear the error.

To detect an error, check if bit 0x01000_0000ull is present in STATUS To clear the error, simply write 0x01000_0000ull to STATUS.

NOTE: old firmwares do not have informations about IAs, only TAs. This could explain the routine's name, but also means this procedure may also work/be needed on IA side.

Miscellaneous

The memory system is able to distinguish if a transaction is originating from ARM Secure state or Non-Secure state because ARM Cortex-A9 processors with Security Extensions have a bit indicating whether the access is Secure or Non-Secure added to all memory system transactions.

Attempting to perform a DMAC memcpy() from Secure to Non-Secure LPDDR0 region results in a NS bus error. The current hypothesis is that all devices on the Kermit bus diagram that have an IA are treated as ARM NS.

On ES1 hardware, the bus registers are prefixed with SMX instead of SSX. The meaning of both these acronyms is unknown.