NAND Memory Layout and Memory-mapped I/O ports on CX II: Difference between pages

From Hackspire
(Difference between pages)
Jump to navigation Jump to search
(Add flag for captivate touchpad)
 
(Add back 90050000 - I2C controller)
 
Line 1: Line 1:
NAND pages are 528-bytes long (512 + 16-bytes OOB area) on TI-Nspire and 2112-bytes long (2048 + 64-bytes OOB) on TI-Nspire CX/CM/CX II.
Not all parts have been discovered and researched yet, so the information on this page is not complete.


==Layout on Classic/CX/CM==
==00000000 - Boot1 ROM==


* pages 0000 to 001F (Nspire) or 0000 to 003F (CX/CM): written to /phoenix/manuf.dat at each boot.
128kB of on-chip ROM.
** Offset 000-003: 3C B0 6E 79
** Offset 804-805: model ID (little-endian): 0C (Nspire CAS), 0D (Nspire Lab Cradle), 0E (Nspire), 0F (Nspire CX CAS), 10 (Nspire CX), 11 (Nspire CM CAS), 12 (Nspire CM)
** Offset 806-807: unknown - 00 00 or 10 00
** Offset 808-80F: optional default language (CX/CM), filled with FF if missing - ISO 639 supported language string padded with 00 (for exemple fr, en, ar, zh_CN for TI-Nspire CX-C or CM-C...)
** Offset 818-81B: signature - 91 5F 9E 4C (CX/CM)
** Offset 81C-81F: features (little-endian) - 0x05 (CM + CX Napoca), 0x85 (CX CR/HW-J+), 0x185 (CX CR4/HW-W+)
** Offset 820-823: default keypad - 4C 00 00 00 (CX/CM)
** Offset 824-825: lcd width - 40 01 (CX/CM)
** Offset 826-827: lcd height - F0 00 (CX/CM)
** Offset 228-229: lcd bpp - 10 00 (CX/CM)
** Offset 82A-82B: lcd color - 01 00 (CX/CM)
** Offset 82C-82F: offset diags - 00 00 32 00 (CX/CM)
** Offset 830-833: offset boot2 - 00 00 02 00 (CX/CM)
** Offset 834-837: offset boot data - 00 00 2C 00 (CX/CM)
** Offset 838-83B: offset file system - 00 00 40 00 (CX/CM)
** Offset 83C-83F: config clock - 02 10 56 00 (CX/CM)
** Offset 840-843: SDRAM config: 12 80 01 FC for 64MB (CX) or 11 80 01 FE for 32MB (CM)
*** Offset 840: SDRAM size in MB - keep 6 lowest bytes - size is 4*2^((value/8)+(value%8))
** Offset 844-847: lcd spi count - 02 00 00 00 (CX/CM)
** Offset 848-887: lcd spi data filled with 0xFF - 06 00 00 00 5C 00 00 00 30 00 00 00 04 00 00 00  (CX/CM)
** Offset 888-889: lcd light min - 1A 01 (CX/CM)
** Offset 88A-88B: lcd light max - CE 01 (CX/CM)
** Offset 88C-88D: lcd light default - 6A 01 (CX/CM)
** Offset 88E-88F: lcd light increment - 14 00 (CX/CM)
** Offset 890-893: 0C 01 A2 18 (CX/CM)
** Offset 894-923: display informations on the 12 elements of the splash screen (CX/CM): horizontal display offset + vertical display offset + width + height (2-bytes each) + data offset (4-bytes)
*** Offset 894-89F: Low Battery error icon [diplayed unknown]
*** Offset 8A0-8AB: Boot1 Recoverable Error icon [displayed 8th]
*** Offset 8AC-8B7: Send Diagnostics Software info icon [displayed 8th]
*** Offset 8B8-8C3: Boot2 Recoverable Error icon [displayed 8th]
*** Offset 8C4-8CF: Unrecoverable Error icon [displayed 8th]
*** Offset 8D0-8DB: Progress Bar Background [displayed 6th]
*** Offset 8DC-8E7: Progress Bar [displayed 7th]
*** Offset 8E8-8F3: permanent element #1 (background) [displayed 1st]
*** Offset 8F4-8FF: permanent element #2 (unused) [displayed 2nd]
*** Offset 900-90B: permanent element #3 (unused) [displayed 3th]
*** Offset 90C-917: permanent element #4 (unused) [displayed 4th]
*** Offset 918-923: permanent element #5 (unused) [displayed 5th]
** Offset 924-927: compressed splash screen data size
** Offset 928-92B: uncompressed splash screen data size (0x0000FA40 on CX EVT, 0x00029CD0 on all CX/CM)
** Offset 92C-92F: ? (0x00000756 on CX EVT, 0x000006D3 on all CX/CM)
** Offset 930-???: compressed splash screen data (same compression format as the boot2)
** Offset ???-???: TI-Certificate - fields present :
*** Production : 0x290 (0x100), 0x290 (0x100), 0x340 (0x1A4), 0x290 (0x100), 0x340 (0x115), 0x290 (0x100), 0xFFFF0 (0)
*** Development : 0x290 (0x100), 0x290 (0x100), 0x340 (0x1A4), 0x240 (0x80), 0x290 (0x100), 0x340 (0x115), 0x290 (0x100), 0xFFFF0 (0)
* pages 0020 to 0A7F (Nspire) or 0040 to 057F (CX/CM): boot2 image
* pages 0A80 to 0AFF (Nspire) or 0580 to 063F (CX/CM): "bootdata" (every time this is modified, the next available page is used; if all 128 pages are in use, then the whole area is erased first)
** Offset 00-03: Marker AA C6 8C 92
** Offset 04-07: Downgrade protection: minimum OS version allowed as a 4-bytes word (major-minor-lower1-lower2). Written during OS installation with the value found in the second field 8020 of the [[OS_upgrade_files#Structure OS upgrade file|OS upgrade file]]
** Offset 08-0F: Hold the press-to-test status (word, word, long word)
***Offset 08-09: press to test mode
****00 : none
****01 : 84+ mode (OS is going to prompt for a 84+ keypad if not installed on next reboot)
****02 : fully restricted (all listed features disabled) - LED flashes in green
****03 : partially restricted (no or some listed features disables) - LED flashes in orange
****04 : old mode not used any more, for OS 1.x/2.x - at that time there were only 2 features which could be disabled - meant that one feature had been selected but not botg - LED flashes in green+orange
****06 : for Netherlands/Europe (since OS 4.3) - no programming, and easily disabled through any USB transfer - LED flashes in orange
***0A-0B : clear PTT folders content on next reboot (1 during the 1st reboot after (re)enabling PTT - default 0)
***0C-0D : disabled features in PTT mode - default 0
****Mode 3 :
*****bit 0 : geometry
*****bit 1 : drag&move in graphs
*****bit 2 : vectors
*****bit 3 : isPrime()
*****bit 4 : diff eq
*****bit 5 : ineq graphing
*****bit 6 : 3D graphing
*****bit 7 : rel/coniq graphing
*****bit 8 : trig
*****both bits 9+10 : logbase()
*****both bits 11+12 : poly and simult solving
****Mode 2 : all 13 previous bits are 1
****Mode 6 : all 13 previous bits are 0
***0E-0F : unkown - default 0 - sometimes 0x8000 in PTT mode
** Offset 10-13: If nonzero, BOOT1 will attempt to run DIAGS by default; if zero, it will skip straight to BOOT2. (Either behavior can be overridden with the Esc+Menu+G key combination.)
** Offset 14-1A: TI-84 Plus emulator 0A1 certificate field
** Offset 1B-1E: TI-84 Plus emulator 041 certificate field
** Offset 1F-61: TI-84 Plus emulator 0A2 certificate field
** Offset 64-67: (OS 1.6+) Default LCD contrast (if not in range from 0x76 to 0x8A, assumed to be 0x80)
* pages 0B00 to 0F7F (Nspire) or 0640 to 079F (CX) or 0640 to 7BF (CM): diags software
* pages 0F80 to 0FFF (Nspire) or 0780 to 07FF (CX): diags test results
* pages from 1000 (Nspire) or 0800 (CX) or 07C0 (CM): factory images or filesystem


===Factory images===
==10000000 - SDRAM==


At startup, boot2 checks the NAND flash for a pre-loaded factory image. The format is a 32-byte header followed by the .tnc/.tno file contents:
64 MiB, managed by 0x90120000.


* Offset 00-13: String "***PRELOAD_IMAGE***"
==90000000 - General Purpose I/O (GPIO)==
* Offset 14-17: 55 F0 01 55
* Offset 18-1B: (unknown)
* Offset 1C-1F: Size of image (in big-endian)


If boot2 finds this header, the user is prompted to press 'I' on the keypad. After that, the image is copied to RAM before creating the filesystem (The filesystem also starts at page 0x1000, so it cannot co-exist with a factory image), and is installed the same as if it had been received from the serial port.
See [[GPIO Pins]]


==Layout on CX II==
==90010000 - Fast timer==


===Partitions===
The same interface as 900C0000/900D0000, see [[#900D0000 - Second timer|Second timer]].


Partitions are aligned to erase block size (64 pages) and so the size and offsets in the table below are given in blocks.
==90020000 - Serial UART==


{| class="wikitable"
[http://infocenter.arm.com/help/topic/com.arm.doc.ddi0183f/DDI0183.pdf PL011].
|-
  ! Name!! Size!! Offset
|-
  | Manuf || 1 || 0
|-
  | Bootloader || 4 || 1
|-
  | PTT Data || 1 || 5
|-
  | ??? || 1 || 6
|-
  | DevCert || 1 || 7
|-
  | OS Loader || 3 || 8
|-
  | Installer || 8 || 11
|-
  | Other Installer || 8 || 19
|-
  | OS Data (?) || 2 || 27
|-
  | Diags || 5 || 29
|-
  | ? || ? || ?
|-
  | Logging || 87 (?) || 114
|-
  | File System || ? || ?
|-
  | ? || ? || ?
|}


===Manuf Format===
==90030000 - Fastboot RAM==


The Manuf on CX II uses the same fields format as seen in [OS upgrade files].
4KiB of RAM, not cleared on resets/reboots.


: 5000 : Top-level field
Only the lower 12 bits of the address are used, so the content aliases at 0x1000 and so on.
:: 5100 - 2 : Product ID
 
:: 5200 - 2 : Unknown
The OS uses that to store some data which is used during boot to restore the previous state of the device.
:: 5300 - x : Language
 
:: 5400 - 4 : Hardware flags. Bit 0 is 1 if the "CapTIvate" touchpad is used.
The installer images use the area at 0x200 to store some variables for tracking the progress.
:: 5500 - x : Optional: If present, the bootrom runs this as code
 
:: 5600 - 4 : Unknown
==90040000 - SPI controller==
:: 57y0 - 4 : Unknown (repeats with different values for y)
 
:: 5500 - x : Contains pairs of addr/value to write
FTSSP010 SPI controller connected to the LCD.
: 290 - 256 : 2048-bit Signature
 
: 290 - 256 : 2048-bit Signature (another one?)
==90050000 - I2C controller==
: 340 - 420 : Public key (?)
 
:: 270 - 1: ?
The Touchpad on the CX II is accessed through this controller. See [[Keypads#Touchpad I²C]] for protocol details. It seems to be a Synopsys Designware I2C adapter.
:: 260 - 140: 1024-bit public key (?)
 
:: 2A0 - 270: 2048-bit public key (?)
* 90050000 (R/W): Control register?
: 340 - 277 : Public key (?)
* 90050004 (?): ?
:: 270 - 1: ?
* 90050010 (R/W): Data/command register
:: 2A0 - 270: 2048-bit public key (?)
* 90050014 (R/W): Speed divider for high period (standard speed) OS: 0x9c
: 290 - 256: 2048-bit Signature (yet another one?)
* 90050018 (R/W): Speed divider for low period (standard speed) OS: 0xea
: FFF0 - 0 : End
* 9005001c (R/W): Speed divider for high period (high speed) OS: 0x3b
* 90050020 (R/W): Speed divider for low period (high speed) OS: 0x2b
* 9005002c (R/W?): Interrupt status
* 90050030 (R/W): Interrupt mask
* 90050040 (R/W): Interrupt clear. Write 1 bits to clear
* 9005006c (R/W): Enable register
* 90050070 (R): Status register
* 90050074 (R?/W): TX FIFO?
* 90050078 (R?/W): RX FIFO?
* 900500f4 (?): ?
* 90050080 (?): ?
 
==90060000 - Watchdog timer==
 
Possibly an [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0270b/index.html ARM SP805] or compatible. Runs at the APB clock frequency.
 
==90070000 - Second Serial UART==
 
[http://infocenter.arm.com/help/topic/com.arm.doc.ddi0183f/DDI0183.pdf PL011].
 
==90080000 - Cradle SPI Controller==
 
An FTSSP010 for communicating with the EEPROM in the cradle.
 
==90090000 - Real-Time Clock (RTC)==
 
Similar to the [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0224b/index.html ARM PrimeCell PL031], but interrupt registers are different.
 
* 90090000 (R): Current time, increments by 1 every second.
* 90090004 (R/W): Alarm value. When the time passes this, interrupt becomes active.
* 90090008 (R/W): Sets the value of 90090000 (clock will not read new time until a couple seconds later). Reads last value written.
* 9009000C (R/W): Interrupt mask (1-bit)
* 90090010 (R/W): Masked interrupt status, reads 1 if interrupt active and mask bit is set. Write 1 to acknowledge.
* 90090014 (R): Status
** Bit 0: Time setting in progress
** Bit 1: Alarm setting in progress
** Bit 2: Interrupt acknowledgment in progress
** Bit 3: Interrupt mask setting in progress
 
==900A0000 - Miscellaneous==
 
Seems to be similar to CX and Classic, except for the model ID at 900A0000 which is now 0x202.
 
==900B0000 - ADC==
 
A Faraday FTADCC010.
 
==900C0000 - First timer==
 
Same port structure as [[#900D0000 - Second timer|Second timer]].
 
==900D0000 - Second timer==
 
Timer is a [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0271d/Babehiha.html SP804].
 
==900E0000 - Keypad controller==
 
See also [[Keypads]] for information about the keypads themselves.
 
* 900E0000 (R/W):
** Bits 0-1: Scan mode
*** Mode 0: Idle.
*** Mode 1: Indiscriminate key detection. Data registers are not updated, but whenever any key is pressed, interrupt bit 2 is set (and cannot be cleared until the key is released).
*** Mode 2: Single scan. The keypad is scanned once, and then the mode returns to 0.
*** Mode 3: Continuous scan. When scanning completes, it just starts over again after a delay.
** Bits 2-15: Number of APB cycles to wait before scanning each row
** Bits 16-31: Number of APB cycles to wait between scans
* 900E0004 (R/W):
** Bits 0-7: Number of rows to read (later rows are not updated in 900E0010-900E002F, and just read as whatever they were before being disabled)
** Bits 8-15: Number of columns to read (later column bits in a row are set to 1 when it is updated)
* 900E0008 (R/W): Keypad interrupt status/acknowledge (3-bit). Write "1" bits to acknowledge.
** Bit 0: Keypad scan complete
** Bit 1: Keypad data register changed
** Bit 2: Key pressed in mode 1
* 900E000C (R/W): Keypad interrupt mask (3-bit). Set each bit to 1 if the corresponding event in [900E0008] should cause an interrupt.
* 900E0010-900E002F (R): Keypad data, one halfword per row.
* 900E0030-900E003F (R/W): Keypad GPIOs. Each register is 20 bits, with one bit per GPIO. The role of each register is unknown.
* 900E0040 (R/W): Interrupt enable. Bits unknown but seems to be related to touchpad. Causes interrupt on touchpad touched.
* 900E0044 (R/W): Interrupt status. Bits unknown. Write 1s to acknowledge.
* 900E0048 (R/W): Unknown
 
==90120000 - SDRAM Controller==
 
An FTDDR3030.
 
==90130000 - Unknown Controller for the LCD Backlight==
 
The OS controls the LCD backlight by writing to 90130018.
 
==90140000 - Power management==
 
A new "Aladdin PMU" unit. Not much known.
 
* 90140000 (R/?): Reason for waking up from low-power mode.
* 90140050 (R/W): Disable bus access to peripherals. Reads will just return the last word read from anywhere in the address range, and writes will be ignored.
** Bit 9: [[#C8010000 - Triple DES encryption]]
** Bit 10: [[#CC000000 - SHA-256 hash generator]]
** Bit 13: [[#90060000 - Watchdog timer]] (?)
** Bit 26: [[#90050000 - I2C controller]] (?)
* 90140050 (R/W): Disable bus access to peripherals. Reads will just return the last word read from anywhere in the address range, and writes will be ignored.
 
==A0000000 - Boot1 ROM again==
 
Mirror of the ROM at 0.
 
==A4000000 - Internal SRAM==
 
0x40000 bytes SRAM, managed by the controller at ?.
 
==A8000000 - Magic VRAM==
 
0x25800 bytes SRAM for an LCD framebuffer.
 
It is wired up in a way that the written data is X-Y swapped and rotated, so that writing a 320x240 image with (0/0) at the top left results in a 320x320 image in the right orientation for the LCD.
This means that it can't be used as generic RAM. How this mechanism works isn't known yet.
 
==B0000000 - USB OTG/Host/Device controller (top)==
 
An FOTG210 connected to the top USB port.
 
==B4000000 - USB OTG/Host/Device controller (bottom)==
 
An FOTG210 connected to the bottom USB port (dock connector).
 
==B8000000 - SPI NAND controller==
 
An FTSPI020 with a MICRON 1Gb flash at CS 1.
 
==BC000000 - DMA controller==
 
An FTDMAC020 with main SDRAM and LCD RAM (everything?) connected to AHB1. The OS uses this to copy the framebuffer into LCD RAM.
 
==C0000000 - LCD controller==
 
A [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0293c/index.html PL111].
 
==C8010000 - Triple DES encryption==
 
Implements the [http://en.wikipedia.org/wiki/Triple_DES Triple DES encryption algorithm].
 
* C8010000 (R/W): Right half of block
* C8010004 (R/W): Left half of block. Writing this causes the block to be encrypted/decrypted.
* C8010008 (R/W): Right 32 bits of key 1
* C801000C (R/W):
** Bits 0-23: Left 24 bits of key 1
** Bit 30: Set to 0 to encrypt, 1 to decrypt
* C8010010 (R/W): Right 32 bits of key 2
* C8010014 (R/W): Left 24 bits of key 2
* C8010018 (R/W): Right 32 bits of key 3
* C801001C (R/W): Left 24 bits of key 3
 
==CC000000 - SHA-256 hash generator==
 
Implements the [http://en.wikipedia.org/wiki/SHA_hash_functions SHA-256 hash algorithm], which is used in cryptographic signatures.
 
* CC000000 (R): Busy if bit 0 set
* CC000000 (W): Write 0x10 and then 0x0 to initialize. Write 0xA to process first block, 0xE to process subsequent blocks
* CC000008 (R/W): Some sort of bus write-allow register? If a bit is set, it allows R/W access to the registers of the peripheral, if clear, R/O access only. Don't know what it's doing here, but it's here anyway.
** Bit 8: [[#CC000000 - SHA-256 hash generator]]
** Bit 10: ?
* CC000010-CC00004F (R/W): 512-bit block
* CC000060-CC00007F (R): 256-bit state
 
==DC000000 - Interrupt controller==
See [[Interrupts]]. The controller is a [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0181e/index.html PL190].

Revision as of 17:44, 30 September 2020

Not all parts have been discovered and researched yet, so the information on this page is not complete.

00000000 - Boot1 ROM

128kB of on-chip ROM.

10000000 - SDRAM

64 MiB, managed by 0x90120000.

90000000 - General Purpose I/O (GPIO)

See GPIO Pins

90010000 - Fast timer

The same interface as 900C0000/900D0000, see Second timer.

90020000 - Serial UART

PL011.

90030000 - Fastboot RAM

4KiB of RAM, not cleared on resets/reboots.

Only the lower 12 bits of the address are used, so the content aliases at 0x1000 and so on.

The OS uses that to store some data which is used during boot to restore the previous state of the device.

The installer images use the area at 0x200 to store some variables for tracking the progress.

90040000 - SPI controller

FTSSP010 SPI controller connected to the LCD.

90050000 - I2C controller

The Touchpad on the CX II is accessed through this controller. See Keypads#Touchpad I²C for protocol details. It seems to be a Synopsys Designware I2C adapter.

  • 90050000 (R/W): Control register?
  • 90050004 (?): ?
  • 90050010 (R/W): Data/command register
  • 90050014 (R/W): Speed divider for high period (standard speed) OS: 0x9c
  • 90050018 (R/W): Speed divider for low period (standard speed) OS: 0xea
  • 9005001c (R/W): Speed divider for high period (high speed) OS: 0x3b
  • 90050020 (R/W): Speed divider for low period (high speed) OS: 0x2b
  • 9005002c (R/W?): Interrupt status
  • 90050030 (R/W): Interrupt mask
  • 90050040 (R/W): Interrupt clear. Write 1 bits to clear
  • 9005006c (R/W): Enable register
  • 90050070 (R): Status register
  • 90050074 (R?/W): TX FIFO?
  • 90050078 (R?/W): RX FIFO?
  • 900500f4 (?): ?
  • 90050080 (?): ?

90060000 - Watchdog timer

Possibly an ARM SP805 or compatible. Runs at the APB clock frequency.

90070000 - Second Serial UART

PL011.

90080000 - Cradle SPI Controller

An FTSSP010 for communicating with the EEPROM in the cradle.

90090000 - Real-Time Clock (RTC)

Similar to the ARM PrimeCell PL031, but interrupt registers are different.

  • 90090000 (R): Current time, increments by 1 every second.
  • 90090004 (R/W): Alarm value. When the time passes this, interrupt becomes active.
  • 90090008 (R/W): Sets the value of 90090000 (clock will not read new time until a couple seconds later). Reads last value written.
  • 9009000C (R/W): Interrupt mask (1-bit)
  • 90090010 (R/W): Masked interrupt status, reads 1 if interrupt active and mask bit is set. Write 1 to acknowledge.
  • 90090014 (R): Status
    • Bit 0: Time setting in progress
    • Bit 1: Alarm setting in progress
    • Bit 2: Interrupt acknowledgment in progress
    • Bit 3: Interrupt mask setting in progress

900A0000 - Miscellaneous

Seems to be similar to CX and Classic, except for the model ID at 900A0000 which is now 0x202.

900B0000 - ADC

A Faraday FTADCC010.

900C0000 - First timer

Same port structure as Second timer.

900D0000 - Second timer

Timer is a SP804.

900E0000 - Keypad controller

See also Keypads for information about the keypads themselves.

  • 900E0000 (R/W):
    • Bits 0-1: Scan mode
      • Mode 0: Idle.
      • Mode 1: Indiscriminate key detection. Data registers are not updated, but whenever any key is pressed, interrupt bit 2 is set (and cannot be cleared until the key is released).
      • Mode 2: Single scan. The keypad is scanned once, and then the mode returns to 0.
      • Mode 3: Continuous scan. When scanning completes, it just starts over again after a delay.
    • Bits 2-15: Number of APB cycles to wait before scanning each row
    • Bits 16-31: Number of APB cycles to wait between scans
  • 900E0004 (R/W):
    • Bits 0-7: Number of rows to read (later rows are not updated in 900E0010-900E002F, and just read as whatever they were before being disabled)
    • Bits 8-15: Number of columns to read (later column bits in a row are set to 1 when it is updated)
  • 900E0008 (R/W): Keypad interrupt status/acknowledge (3-bit). Write "1" bits to acknowledge.
    • Bit 0: Keypad scan complete
    • Bit 1: Keypad data register changed
    • Bit 2: Key pressed in mode 1
  • 900E000C (R/W): Keypad interrupt mask (3-bit). Set each bit to 1 if the corresponding event in [900E0008] should cause an interrupt.
  • 900E0010-900E002F (R): Keypad data, one halfword per row.
  • 900E0030-900E003F (R/W): Keypad GPIOs. Each register is 20 bits, with one bit per GPIO. The role of each register is unknown.
  • 900E0040 (R/W): Interrupt enable. Bits unknown but seems to be related to touchpad. Causes interrupt on touchpad touched.
  • 900E0044 (R/W): Interrupt status. Bits unknown. Write 1s to acknowledge.
  • 900E0048 (R/W): Unknown

90120000 - SDRAM Controller

An FTDDR3030.

90130000 - Unknown Controller for the LCD Backlight

The OS controls the LCD backlight by writing to 90130018.

90140000 - Power management

A new "Aladdin PMU" unit. Not much known.

A0000000 - Boot1 ROM again

Mirror of the ROM at 0.

A4000000 - Internal SRAM

0x40000 bytes SRAM, managed by the controller at ?.

A8000000 - Magic VRAM

0x25800 bytes SRAM for an LCD framebuffer.

It is wired up in a way that the written data is X-Y swapped and rotated, so that writing a 320x240 image with (0/0) at the top left results in a 320x320 image in the right orientation for the LCD. This means that it can't be used as generic RAM. How this mechanism works isn't known yet.

B0000000 - USB OTG/Host/Device controller (top)

An FOTG210 connected to the top USB port.

B4000000 - USB OTG/Host/Device controller (bottom)

An FOTG210 connected to the bottom USB port (dock connector).

B8000000 - SPI NAND controller

An FTSPI020 with a MICRON 1Gb flash at CS 1.

BC000000 - DMA controller

An FTDMAC020 with main SDRAM and LCD RAM (everything?) connected to AHB1. The OS uses this to copy the framebuffer into LCD RAM.

C0000000 - LCD controller

A PL111.

C8010000 - Triple DES encryption

Implements the Triple DES encryption algorithm.

  • C8010000 (R/W): Right half of block
  • C8010004 (R/W): Left half of block. Writing this causes the block to be encrypted/decrypted.
  • C8010008 (R/W): Right 32 bits of key 1
  • C801000C (R/W):
    • Bits 0-23: Left 24 bits of key 1
    • Bit 30: Set to 0 to encrypt, 1 to decrypt
  • C8010010 (R/W): Right 32 bits of key 2
  • C8010014 (R/W): Left 24 bits of key 2
  • C8010018 (R/W): Right 32 bits of key 3
  • C801001C (R/W): Left 24 bits of key 3

CC000000 - SHA-256 hash generator

Implements the SHA-256 hash algorithm, which is used in cryptographic signatures.

  • CC000000 (R): Busy if bit 0 set
  • CC000000 (W): Write 0x10 and then 0x0 to initialize. Write 0xA to process first block, 0xE to process subsequent blocks
  • CC000008 (R/W): Some sort of bus write-allow register? If a bit is set, it allows R/W access to the registers of the peripheral, if clear, R/O access only. Don't know what it's doing here, but it's here anyway.
  • CC000010-CC00004F (R/W): 512-bit block
  • CC000060-CC00007F (R): 256-bit state

DC000000 - Interrupt controller

See Interrupts. The controller is a PL190.

Retrieved from "https://hackspire.org//index.php?title=NAND_Memory_Layout&oldid=1753"