Memory-mapped I/O ports on CX and NAND Memory Layout: Difference between pages

From Hackspire
(Difference between pages)
Jump to navigation Jump to search
(Update link to SP804 documentation)
 
m (→‎Manuf Format: Fix a link)
 
Line 1: Line 1:
==00000000 - Boot1 ROM==
NAND pages are 528-bytes long (512 + 16-bytes OOB area) on TI-Nspire and 2112-bytes long (2048 + 64-bytes OOB) on TI-Nspire CX/CM/CX II.
128kB of on-chip ROM.


==10000000 - SDRAM==
==Layout on Classic/CX/CM==


32 MiB SDRAM on CM or 64 MiB on CX. Managed by 0x8FFF0000.
* pages 0000 to 001F (Nspire) or 0000 to 003F (CX/CM): written to /phoenix/manuf.dat at each boot.
** Offset 000-003: 3C B0 6E 79
** Offset 804-805: model ID (little-endian): 0C (Nspire CAS), 0D (Nspire Lab Cradle), 0E (Nspire), 0F (Nspire CX CAS), 10 (Nspire CX), 11 (Nspire CM CAS), 12 (Nspire CM)
** Offset 806-807: unknown - 00 00 or 10 00
** Offset 808-80F: optional default language (CX/CM), filled with FF if missing - ISO 639 supported language string padded with 00 (for exemple fr, en, ar, zh_CN for TI-Nspire CX-C or CM-C...)
** Offset 818-81B: signature - 91 5F 9E 4C (CX/CM)
** Offset 81C-81F: features (little-endian) - 0x05 (CM + CX Napoca), 0x85 (CX CR/HW-J+), 0x185 (CX CR4/HW-W+)
** Offset 820-823: default keypad - 4C 00 00 00 (CX/CM)
** Offset 824-825: lcd width - 40 01 (CX/CM)
** Offset 826-827: lcd height - F0 00 (CX/CM)
** Offset 228-229: lcd bpp - 10 00 (CX/CM)
** Offset 82A-82B: lcd color - 01 00 (CX/CM)
** Offset 82C-82F: offset diags - 00 00 32 00 (CX/CM)
** Offset 830-833: offset boot2 - 00 00 02 00 (CX/CM)
** Offset 834-837: offset boot data - 00 00 2C 00 (CX/CM)
** Offset 838-83B: offset file system - 00 00 40 00 (CX/CM)
** Offset 83C-83F: config clock - 02 10 56 00 (CX/CM)
** Offset 840-843: SDRAM config: 12 80 01 FC for 64MB (CX) or 11 80 01 FE for 32MB (CM)
*** Offset 840: SDRAM size in MB - keep 6 lowest bytes - size is 4*2^((value/8)+(value%8))
** Offset 844-847: lcd spi count - 02 00 00 00 (CX/CM)
** Offset 848-887: lcd spi data filled with 0xFF - 06 00 00 00 5C 00 00 00 30 00 00 00 04 00 00 00  (CX/CM)
** Offset 888-889: lcd light min - 1A 01 (CX/CM)
** Offset 88A-88B: lcd light max - CE 01 (CX/CM)
** Offset 88C-88D: lcd light default - 6A 01 (CX/CM)
** Offset 88E-88F: lcd light increment - 14 00 (CX/CM)
** Offset 890-893: 0C 01 A2 18 (CX/CM)
** Offset 894-923: display informations on the 12 elements of the splash screen (CX/CM): horizontal display offset + vertical display offset + width + height (2-bytes each) + data offset (4-bytes)
*** Offset 894-89F: Low Battery error icon [diplayed unknown]
*** Offset 8A0-8AB: Boot1 Recoverable Error icon [displayed 8th]
*** Offset 8AC-8B7: Send Diagnostics Software info icon [displayed 8th]
*** Offset 8B8-8C3: Boot2 Recoverable Error icon [displayed 8th]
*** Offset 8C4-8CF: Unrecoverable Error icon [displayed 8th]
*** Offset 8D0-8DB: Progress Bar Background [displayed 6th]
*** Offset 8DC-8E7: Progress Bar [displayed 7th]
*** Offset 8E8-8F3: permanent element #1 (background) [displayed 1st]
*** Offset 8F4-8FF: permanent element #2 (unused) [displayed 2nd]
*** Offset 900-90B: permanent element #3 (unused) [displayed 3th]
*** Offset 90C-917: permanent element #4 (unused) [displayed 4th]
*** Offset 918-923: permanent element #5 (unused) [displayed 5th]
** Offset 924-927: compressed splash screen data size
** Offset 928-92B: uncompressed splash screen data size (0x0000FA40 on CX EVT, 0x00029CD0 on all CX/CM)
** Offset 92C-92F: ? (0x00000756 on CX EVT, 0x000006D3 on all CX/CM)
** Offset 930-???: compressed splash screen data (same compression format as the boot2)
** Offset ???-???: TI-Certificate - fields present :
*** Production : 0x290 (0x100), 0x290 (0x100), 0x340 (0x1A4), 0x290 (0x100), 0x340 (0x115), 0x290 (0x100), 0xFFFF0 (0)
*** Development : 0x290 (0x100), 0x290 (0x100), 0x340 (0x1A4), 0x240 (0x80), 0x290 (0x100), 0x340 (0x115), 0x290 (0x100), 0xFFFF0 (0)
* pages 0020 to 0A7F (Nspire) or 0040 to 057F (CX/CM): boot2 image
* pages 0A80 to 0AFF (Nspire) or 0580 to 063F (CX/CM): "bootdata" (every time this is modified, the next available page is used; if all 128 pages are in use, then the whole area is erased first)
** Offset 00-03: Marker AA C6 8C 92
** Offset 04-07: Downgrade protection: minimum OS version allowed as a 4-bytes word (major-minor-lower1-lower2). Written during OS installation with the value found in the second field 8020 of the [[OS_upgrade_files#Structure OS upgrade file|OS upgrade file]]
** Offset 08-0F: Hold the press-to-test status (word, word, long word)
***Offset 08-09: press to test mode
****00 : none
****01 : 84+ mode (OS is going to prompt for a 84+ keypad if not installed on next reboot)
****02 : fully restricted (all listed features disabled) - LED flashes in green
****03 : partially restricted (no or some listed features disables) - LED flashes in orange
****04 : old mode not used any more, for OS 1.x/2.x - at that time there were only 2 features which could be disabled - meant that one feature had been selected but not botg - LED flashes in green+orange
****06 : for Netherlands/Europe (since OS 4.3) - no programming, and easily disabled through any USB transfer - LED flashes in orange
***0A-0B : clear PTT folders content on next reboot (1 during the 1st reboot after (re)enabling PTT - default 0)
***0C-0D : disabled features in PTT mode - default 0
****Mode 3 :
*****bit 0 : geometry
*****bit 1 : drag&move in graphs
*****bit 2 : vectors
*****bit 3 : isPrime()
*****bit 4 : diff eq
*****bit 5 : ineq graphing
*****bit 6 : 3D graphing
*****bit 7 : rel/coniq graphing
*****bit 8 : trig
*****both bits 9+10 : logbase()
*****both bits 11+12 : poly and simult solving
****Mode 2 : all 13 previous bits are 1
****Mode 6 : all 13 previous bits are 0
***0E-0F : unkown - default 0 - sometimes 0x8000 in PTT mode
** Offset 10-13: If nonzero, BOOT1 will attempt to run DIAGS by default; if zero, it will skip straight to BOOT2. (Either behavior can be overridden with the Esc+Menu+G key combination.)
** Offset 14-1A: TI-84 Plus emulator 0A1 certificate field
** Offset 1B-1E: TI-84 Plus emulator 041 certificate field
** Offset 1F-61: TI-84 Plus emulator 0A2 certificate field
** Offset 64-67: (OS 1.6+) Default LCD contrast (if not in range from 0x76 to 0x8A, assumed to be 0x80)
* pages 0B00 to 0F7F (Nspire) or 0640 to 079F (CX) or 0640 to 7BF (CM): diags software
* pages 0F80 to 0FFF (Nspire) or 0780 to 07FF (CX): diags test results
* pages from 1000 (Nspire) or 0800 (CX) or 07C0 (CM): factory images or filesystem


==8FFF0000 - SDRAM controller==
===Factory images===


A DMC-340 r1p0.
At startup, boot2 checks the NAND flash for a pre-loaded factory image. The format is a 32-byte header followed by the .tnc/.tno file contents:


==8FFF1000 - NAND controller==
* Offset 00-13: String "***PRELOAD_IMAGE***"
* Offset 14-17: 55 F0 01 55
* Offset 18-1B: (unknown)
* Offset 1C-1F: Size of image (in big-endian)


A PL351 r1p2.
If boot2 finds this header, the user is prompted to press 'I' on the keypad. After that, the image is copied to RAM before creating the filesystem (The filesystem also starts at page 0x1000, so it cannot co-exist with a factory image), and is installed the same as if it had been received from the serial port.


==90000000 - General Purpose I/O (GPIO)==
==Layout on CX II==


See [[GPIO Pins]]
===Partitions===


==90010000 - Fast timer==
Partitions are aligned to erase block size (64 pages) and so the size and offsets in the table below are given in blocks.


The same interface as 900C0000/900D0000, but runs at the speed of the APB clock (22.5MHz) rather than 32kHz.
The OS is not stored in the file system, but separately in its own partition.
<br>The speed of the timers seems to be configurable, see [[timers]].<br>
An [https://developer.arm.com/documentation/ddi0271/d/ SP804].


==90020000 - Serial UART==
{| class="wikitable"
|-
  ! Name!! Size!! Offset
|-
  | Manuf || 1 || 0
|-
  | Bootloader || 4 || 1
|-
  | PTT Data || 1 || 5
|-
  | ??? || 1 || 6
|-
  | DevCert || 1 || 7
|-
  | OS Loader || 3 || 8
|-
  | Installer || 8 || 11
|-
  | Other Installer || 8 || 19
|-
  | OS Data (?) || 2 || 27
|-
  | Diags || 5 || 29
|-
  | ? || ? || ?
|-
  | OS file (weird header) || ? || 36
|-
  | Logging || 87 (?) || 114
|-
  | File System || ? || ?
|-
  | ? || ? || ?
|}


[http://infocenter.arm.com/help/topic/com.arm.doc.ddi0183f/DDI0183.pdf PL011].
===Manuf Format===


==90030000 - Fastboot RAM==
The Manuf on CX II uses the same fields format as seen in [[OS upgrade files]].


4KiB of RAM, not cleared on resets/reboots.
: 5000 : Top-level field
:: 5100 - 2 : Product ID
:: 5200 - 2 : Unknown
:: 5300 - x : Language
:: 5400 - 4 : Hardware flags. Bit 0 is 1 if the "CapTIvate" touchpad is used.
:: 5500 - x : Optional: If present, the bootrom runs this as code
:: 5600 - 4 : Unknown
:: 57y0 - 4 : Unknown (repeats with different values for y)
:: 5500 - x : Contains pairs of addr/value to write
: 290 - 256 : 2048-bit Signature
: 290 - 256 : 2048-bit Signature (another one?)
: 340 - 420 : Public key (?)
:: 270 - 1: ?
:: 260 - 140: 1024-bit public key (?)
:: 2A0 - 270: 2048-bit public key (?)
: 340 - 277 : Public key (?)
:: 270 - 1: ?
:: 2A0 - 270: 2048-bit public key (?)
: 290 - 256: 2048-bit Signature (yet another one?)
: FFF0 - 0 : End


Only the lower 12 bits of the address are used, so the content aliases at 0x1000 and so on.
===Bootdata Format===


The OS uses that to store some data which is used during boot to restore the previous state of the device.
Like for previous versions, every time this is modified, the next available page is used. If all 128 pages are in use, the whole area is erased first.


The installer images use the area at 0x200 to store some variables for tracking the progress.
: 000 - 003 : Signature: 44 41 54 41 ('D' 'A' 'T' 'A')
 
: 004 - 007 : Boot type (0 = OS Loader, 1 = Installer, 2 = Diags)
==90040000 - SPI controller==
: 008 - 00B : Which installer to boot (0 = Installer, 1 = Other installer)
 
: 00C - 00F : Minimum OS version (little endian, e.g. 00 00 00 05)
A PL022 for communicating with the LCD panel controller, which is probably an ILI9341 or ILI9340.
: 010 - 01B : Unknown, filled with 00
Used on CX HW-W+ only.
: 01C - 3FF : Blank, filled with FF
 
: 400 - 7FF : Blank, filled with 00
==90050000 - I2C controller==
:: 780 - 783 : Unknown, starts with 21
 
The Touchpad on the CX is accessed through this controller. See [[Keypads#Touchpad I²C]] for protocol details. It seems to be a Synopsys Designware I2C adapter.
 
* 90050000 (R/W): Control register?
* 90050004 (?): ?
* 90050010 (R/W): Data/command register
* 90050014 (R/W): Speed divider for high period (standard speed) OS: 0x9c
* 90050018 (R/W): Speed divider for low period (standard speed) OS: 0xea
* 9005001c (R/W): Speed divider for high period (high speed) OS: 0x3b
* 90050020 (R/W): Speed divider for low period (high speed) OS: 0x2b
* 9005002c (R/W?): Interrupt status
* 90050030 (R/W): Interrupt mask
* 90050040 (R/W): Interrupt clear. Write 1 bits to clear
* 9005006c (R/W): Enable register
* 90050070 (R): Status register
* 90050074 (R?/W): TX FIFO?
* 90050078 (R?/W): RX FIFO?
* 900500f4 (?): ?
* 90050080 (?): ?
 
==90060000 - Watchdog timer==
 
Possibly an [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0270b/index.html ARM SP805] or compatible. Runs at the APB clock frequency.
 
==90090000 - Real-Time Clock (RTC)==
 
Similar to the [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0224b/index.html ARM PrimeCell PL031], but interrupt registers are different.
 
At least on HW-AA it's a standard PL031 with no registers changed.
 
* 90090000 (R): Current time, increments by 1 every second.
* 90090004 (R/W): Alarm value. When the time passes this, interrupt becomes active.
* 90090008 (R/W): Sets the value of 90090000 (clock will not read new time until a couple seconds later). Reads last value written.
* 9009000C (R/W): Interrupt mask (1-bit)
* 90090010 (R/W): Masked interrupt status, reads 1 if interrupt active and mask bit is set. Write 1 to acknowledge.
* 90090014 (R): Status
** Bit 0: Time setting in progress
** Bit 1: Alarm setting in progress
** Bit 2: Interrupt acknowledgment in progress
** Bit 3: Interrupt mask setting in progress
 
==900A0000 - Miscellaneous==
 
* 900A0000 (R): ? 0x101
* 900A0004 (R/W): Set bit 0x20 to enable TI-84+ keypad link port. Other bits likely control functions of peripherals as well.
* 900A0008 (W): Write a 2 to cause a hardware reset
* 900A0028-900A002C (R): These registers together give a 64-bit number (28 is low, 2C is high) which comprises 56 data bits and 8 parity checking bits, allowing any single-bit error in it to be detected and corrected.
** Parity bit 0: Check of all data bits
** Parity bits 1, 2, 4, 8, 16, and 32: Checks of the data bits whose positions, expressed in binary, have that respective bit set.
** Data bits 3, 5-7, 9-15, 17-31, and 33-55: Serial number (middle part of the calculator's Product ID)
** Data bits 56-57: Unknown
** Data bits 58-62: "ASIC user flags"; must match the 80E0 field in an OS image. 01 = CAS, 00 = non-CAS, 03 = CM CAS, 02 = CM non-CAS.
** Parity bit 63: Check of parity bits 1, 2, 4, 8, 16, and 32.
* 900A0F04 (R/W): Unknown; Boot1 sets this to 0x1D
 
==900B0000 - Power management==
 
* 900B0000 (R/W): [[Clock speed]] load value
* 900B0004 (R/W): 25-bit mask of which events may wake the hardware up from low-power mode.
** Bit 10: Unknown, probably the [[#90100000 - TI-84 Plus link port|TI-84 Plus link port]]
** Bit 12: [[#90090000 - Real-Time Clock (RTC)|RTC]] interrupt
** Bit 13: Unknown, probably ON key or USB activity
** Bit 17: Battery door open/close?
** Bit 23: Keypad remove/replace?
* 900B0008 (R/W): Reason for waking up from low-power mode. Write "1" bits to acknowledge.
* 900B000C (R/W): Clock speed control. Write 4 to set the clock speed according to the value in 900B0000. If interrupts are disabled the new clock speed will only become effective after exiting the program. Write 3A to enter low-power mode; this requires various peripherals to be prepared and probably works by stopping the clock.
* 900B0010 (R/W): ON interrupt mask (1-bit). 1 if ON interrupt should be serviced or 0 if not.
* 900B0014 (R/W): Bit 0 is set if ON interrupt is requested. Bit 1 also causes an interrupt, but the cause is unknown (and it is not masked by [900B0010]) - it is set after writing 4 to 900B000C. Write "1" bits to reset the requests.
* 900B0018 (R/W): Disable bus access to peripherals. Reads will just return the last word read from anywhere in the address range, and writes will be ignored.
** Bit 4: [[#C4000000 - Analog-to-Digital Converter (ADC)]]
** Bit 5: [[#B0000000 - USB OTG controller]]
** Bit 6: [[#B4000000 - USB HOST controller]]
** Bit 7: [[#B8010000 - SRAM Controller]]
** Bit 10: [[#CC000000 - SHA-256 hash generator]]
** Bit 11: [[#900C0000 - First timer]]
** Bit 12: [[#900D0000 - Second timer]]
** Bit 13: [[#90060000 - Watchdog timer]]
** Bit 17: [[#90020000 - Serial UART]]
** Bit 22: [[#90110000_-_LED]]?
* 900B0020 (R/W): ? - Possibly another peripheral bus access disable register.
* 900B0024 (R): Reads current clock speed value (see 900B0000 for details)
* 900B0028 (R): Bit 4 (0x10) clear when ON key pressed
 
==900C0000 - First timer==
 
An [https://developer.arm.com/documentation/ddi0271/d/ SP804].
<br>The speed of the timers seems to be configurable, see [[timers]].
 
==900D0000 - Second timer==
 
An [https://developer.arm.com/documentation/ddi0271/d/ SP804].
<br>The speed of the timers seems to be configurable, see [[timers]].
 
==900E0000 - Keypad controller==
 
See also [[Keypads]] for information about the keypads themselves.
 
* 900E0000 (R/W):
** Bits 0-1: Scan mode
*** Mode 0: Idle.
*** Mode 1: Indiscriminate key detection. Data registers are not updated, but whenever any key is pressed, interrupt bit 2 is set (and cannot be cleared until the key is released).
*** Mode 2: Single scan. The keypad is scanned once, and then the mode returns to 0.
*** Mode 3: Continuous scan. When scanning completes, it just starts over again after a delay.
** Bits 2-15: Number of APB cycles to wait before scanning each row
** Bits 16-31: Number of APB cycles to wait between scans
* 900E0004 (R/W):
** Bits 0-7: Number of rows to read (later rows are not updated in 900E0010-900E002F, and just read as whatever they were before being disabled)
** Bits 8-15: Number of columns to read (later column bits in a row are set to 1 when it is updated)
* 900E0008 (R/W): Keypad interrupt status/acknowledge (3-bit). Write "1" bits to acknowledge.
** Bit 0: Keypad scan complete
** Bit 1: Keypad data register changed
** Bit 2: Key pressed in mode 1
* 900E000C (R/W): Keypad interrupt mask (3-bit). Set each bit to 1 if the corresponding event in [900E0008] should cause an interrupt.
* 900E0010-900E002F (R): Keypad data, one halfword per row.
* 900E0030-900E003F (R/W): Keypad GPIOs. Each register is 20 bits, with one bit per GPIO. The role of each register is unknown.
* 900E0040 (R/W): Interrupt enable. Bits unknown but seems to be related to touchpad. Causes interrupt on touchpad touched.
* 900E0044 (R/W): Interrupt status. Bits unknown. Write 1s to acknowledge.
* 900E0048 (R/W): Unknown
 
==900F0000 - HDQ/1-Wire and LCD contrast==
 
The HDQ/1-Wire registers resemble those on the TI OMAP processors, and are possibly used to communicate with the wireless cradle. There is no conceivable reason for the LCD contrast register to be part of the same module, but here it is. :-(
 
* 900F0004 (W): Transmitted data
* 900F0008 (R): Received data
* 900F000C (R/W): Control/status
* 900F0010 (R): Interrupt status (automatically acknowledged when read)
* 900F0020 (R/W): LCD contrast/backlight. Valid range for contrast: 0x11a to 0x1ce; normal value is 0x174. However, it can range from 0x100 (backlight off) to about 0x1d0 (about max brightness).
 
==90110000 - LED==
 
* 90110B00 (R/W): Control register
** Bit 0: Set this bit to enable green light blink data. If green blink data iteration is not on, the green light state is read from bit 0 of green blink data.
** Bit 1: Set this bit and bit 6 to enable green blink data iteration.
** Bit 2: Set this bit to force green light off. Overrides bit 4.
** Bit 3: Set this bit to force red light off. Overrides bits 5 and 13.
** Bit 4: Set this bit to force green light on.
** Bit 5: Set this bit to force red light on.
** Bit 6: See this bit and bit 1 to enable green blink data iteration. Reset before modifying green blink data or delay.
** Bit 9: Set this bit to enable red light blink data. If red blink data iteration is not on, the red light state is read from bit 0 of red blink data.
** Bit 10: Set this bit and bit 12 to enable red blink data iteration.
** Bit 12: Set this bit and bit 10 to enable red blink data iteration. Reset before modifying red blink data or delay.
** Bit 13: Forces red light on if bit 4 is 0, or red light off if bit 4 is 1. (?)
* 90110B04 (R/W): Green blink data. 32 bits of on and off state, represented by 1 and 0. Iteration is done from bit 31 to bit 0 repeatedly.
* 90110B08 (R/W): Green blink delay (negative). OS sets this to -2048.
* 90110B0C (R/W): Red blink data. 32 bits of on and off state, represented by 1 and 0. Iteration is done from bit 31 to bit 0 repeatedly.
* 90110B10 (R/W): Red blink delay (negative). OS sets this to -2048.
 
Note: If red and green lights are on at the same time, the color becomes yellow.
 
==A4000000 - Internal SRAM==
 
0x20000 bytes SRAM, managed by the controller at 0xB8000000.
 
==B0000000 - USB OTG controller==
 
The OTG controller on all models is a ChipIdea-based dual-role USB controller. It only supports full speed communications so the PFSC bit (bit 24) must be set in the PORTSC register when in host mode. Otherwise, it'll attempt to connect at high speed for devices that support it and will never succeed in enumerating them.
 
Documentation can be found in the [http://www.freescale.com/files/dsp/doc/ref_manual/IMX23RM.pdf IMX233 reference manual].
The host interface is, again, based on EHCI; but the register defaults are different. The addresses have been adjusted from the ones contained in the IMX233 reference manual.
 
* Module identification registers
** B0000000: HW_USBCTRL_ID - default 0xE241FA05
** B0000004: HW_USBCTRL_HWGENERAL - default 0x00000015
** B0000008: HW_USBCTRL_HWHOST - default 0x10020001
** B000000C: HW_USBCTRL_HWDEVICE - default 0x0000000B
** B0000010: HW_USBCTRL_HWTXBUF - default 0x40060910
** B0000014: HW_USBCTRL_HWRXBUF - default 0x00000710
* Capability registers
** B0000100: HW_USBCTRL_CAPLENGTH - default 0x01000040
** B0000104: HW_USBCTRL_HCSPARAMS - default 0x00010011
** B0000108: HW_USBCTRL_HCCPARAMS - default 0x00000006
** B0000120: HW_USBCTRL_DCIVERSION - default 0x00000001
** B0000124: HW_USBCTRL_DCCPARAMS - default 0x00000185 (host-capable, device-capable, 5 endpoints)
* Operational registers
** B0000140: HW_USBCTRL_USBCMD - default 0x00080B00 in host mode, 0x00080000 in device mode
** B0000144: HW_USBCTRL_USBSTS - default 0x00001000 in host mode, 0x00000000 in device mode
** B0000148: HW_USBCTRL_USBINTR - default 0x00000000
** B000014C: HW_USBCTRL_FRINDEX - default 0x00000000
** B0000154: (in host mode) HW_USBCTRL_PERIODICLISTBASE - default 0x00000000
** B0000154: (in device mode) HW_USBCTRL_DEVICEADDR - default 0x00000000
** B0000158: (in host mode) HW_USBCTRL_ASYNCLISTADDR - default 0x00000000
** B0000158: (in device mode) HW_USBCTRL_ENDPOINTLISTADDR - default 0x00000000
** B000015C: HW_USBCTRL_TTCTRL - default 0x00000000
** B0000160: HW_USBCTRL_BURSTSIZE - default 0x00001010
** B0000164: HW_USBCTRL_TXFILLTUNING - default 0x000000000
** B000016C: HW_USBCTRL_IC_USB - default 0x00000000
** B0000170: HW_USBCTRL_ULPI - default 0x00000000
** B0000178: HW_USBCTRL_ENDPTNAK - default 0x00000000
** B000017C: HW_USBCTRL_ENDPTNAKEN - default 0x00000000
** B0000184: HW_USBCTRL_PORTSC1 - default 0x10000000
** B00001A4: HW_USBCTRL_OTGSC - default 0x00000120
** B00001A8: HW_USBCTRL_USBMODE - default 0x00000000
** B00001AC: HW_USBCTRL_ENDPTSETUPSTAT - default 0x00000000
** B00001B0: HW_USBCTRL_ENDPTPRIME - default 0x00000000
** B00001B4: HW_USBCTRL_ENDPTFLUSH - default 0x00000000
** B00001B8: HW_USBCTRL_ENDPTSTAT - default 0x00000000
** B00001BC: HW_USBCTRL_ENDPTCOMPLETE - default 0x00000000
** B00001C0: HW_USBCTRL_ENDPTCTRL0 - default 0x00100010
** B00001C4: HW_USBCTRL_ENDPTCTRL1 - default 0x00000000
** B00001C8: HW_USBCTRL_ENDPTCTRL2 - default 0x00000000
** B00001CC: HW_USBCTRL_ENDPTCTRL3 - default 0x00000000
** B00001D0: HW_USBCTRL_ENDPTCTRL4 - default 0x00000000
 
===Role switching===
 
During role switching some GPIO output registers are modified.
 
* GPIO2:
** Active low.
** Controls VBUS/pull-up (drives VBUS to 5v for host mode)
 
* USB-B: GPIO6
** Active low.
** Probably controls charging from USB
 
==B4000000 - USB HOST controller==
 
Same port structure as B0000000.
 
==B8001000 - SRAM Controller==
 
A [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0380g/DDI0380G_smc_pl350_series_r2p1_trm.pdf PL352] r1p2.
 
==C0000000 - LCD controller==
 
A [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0293c/index.html PL111].
 
==C4000000 - Analog-to-Digital Converter (ADC)==
 
Used to check various voltages. Channels 1 ("VBATT"), 2 ("VSYS"), and 4 ("B12") are used to check the battery status; channel 3 is used to determine which keypad is in use.
 
* C4000000 (R): Masked interrupt status (4 bits per channel: bits 0-3 are for channel 0, etc)
* C4000004 (R/W): Raw interrupt status, write 1 bits to acknowledge
* C4000008 (R/W): Interrupt enable register
* C4000100-C40001DF: Per-channel registers (channel 0 starts at C4000100, channel 1 at C4000120, etc.)
** +00 (R/W): Set bit 0 to start measurement; interrupt status bits 0 and 1 will be set when complete and the value will be stored in +10 register. Other commands do exist, including some that write to memory.
** +04 (R/W): Unknown (28 bits)
** +08 (R/W): Number of halfwords to write (25 bits)
** +0C (R/W): Base address (word-aligned)
** +10 (R): Read measured voltage. Scale for channels 1 and 2 is 155 units = 1 volt; scale for other channels is 310 units = 1 volt
** +14 (R/W): Speed (10 bits, set to AHB clock speed / 40000)
 
==C8010000 - Triple DES encryption==
 
Implements the [http://en.wikipedia.org/wiki/Triple_DES Triple DES encryption algorithm].
 
* C8010000 (R/W): Right half of block
* C8010004 (R/W): Left half of block. Writing this causes the block to be encrypted/decrypted.
* C8010008 (R/W): Right 32 bits of key 1
* C801000C (R/W):
** Bits 0-23: Left 24 bits of key 1
** Bit 30: Set to 0 to encrypt, 1 to decrypt
* C8010010 (R/W): Right 32 bits of key 2
* C8010014 (R/W): Left 24 bits of key 2
* C8010018 (R/W): Right 32 bits of key 3
* C801001C (R/W): Left 24 bits of key 3
 
==CC000000 - SHA-256 hash generator==
 
Implements the [http://en.wikipedia.org/wiki/SHA_hash_functions SHA-256 hash algorithm], which is used in cryptographic signatures.
 
* CC000000 (R): Busy if bit 0 set
* CC000000 (W): Write 0x10 and then 0x0 to initialize. Write 0xA to process first block, 0xE to process subsequent blocks
* CC000008 (R/W): Some sort of bus write-allow register? If a bit is set, it allows R/W access to the registers of the peripheral, if clear, R/O access only. Don't know what it's doing here, but it's here anyway.
** Bit 8: [[#CC000000 - SHA-256 hash generator]]
** Bit 10: ?
* CC000010-CC00004F (R/W): 512-bit block
* CC000060-CC00007F (R): 256-bit state
 
==DC000000 - Interrupt controller==
See [[Interrupts]]. The controller is a [http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0181e/index.html PL190].

Latest revision as of 19:20, 24 September 2023

NAND pages are 528-bytes long (512 + 16-bytes OOB area) on TI-Nspire and 2112-bytes long (2048 + 64-bytes OOB) on TI-Nspire CX/CM/CX II.

Layout on Classic/CX/CM

  • pages 0000 to 001F (Nspire) or 0000 to 003F (CX/CM): written to /phoenix/manuf.dat at each boot.
    • Offset 000-003: 3C B0 6E 79
    • Offset 804-805: model ID (little-endian): 0C (Nspire CAS), 0D (Nspire Lab Cradle), 0E (Nspire), 0F (Nspire CX CAS), 10 (Nspire CX), 11 (Nspire CM CAS), 12 (Nspire CM)
    • Offset 806-807: unknown - 00 00 or 10 00
    • Offset 808-80F: optional default language (CX/CM), filled with FF if missing - ISO 639 supported language string padded with 00 (for exemple fr, en, ar, zh_CN for TI-Nspire CX-C or CM-C...)
    • Offset 818-81B: signature - 91 5F 9E 4C (CX/CM)
    • Offset 81C-81F: features (little-endian) - 0x05 (CM + CX Napoca), 0x85 (CX CR/HW-J+), 0x185 (CX CR4/HW-W+)
    • Offset 820-823: default keypad - 4C 00 00 00 (CX/CM)
    • Offset 824-825: lcd width - 40 01 (CX/CM)
    • Offset 826-827: lcd height - F0 00 (CX/CM)
    • Offset 228-229: lcd bpp - 10 00 (CX/CM)
    • Offset 82A-82B: lcd color - 01 00 (CX/CM)
    • Offset 82C-82F: offset diags - 00 00 32 00 (CX/CM)
    • Offset 830-833: offset boot2 - 00 00 02 00 (CX/CM)
    • Offset 834-837: offset boot data - 00 00 2C 00 (CX/CM)
    • Offset 838-83B: offset file system - 00 00 40 00 (CX/CM)
    • Offset 83C-83F: config clock - 02 10 56 00 (CX/CM)
    • Offset 840-843: SDRAM config: 12 80 01 FC for 64MB (CX) or 11 80 01 FE for 32MB (CM)
      • Offset 840: SDRAM size in MB - keep 6 lowest bytes - size is 4*2^((value/8)+(value%8))
    • Offset 844-847: lcd spi count - 02 00 00 00 (CX/CM)
    • Offset 848-887: lcd spi data filled with 0xFF - 06 00 00 00 5C 00 00 00 30 00 00 00 04 00 00 00 (CX/CM)
    • Offset 888-889: lcd light min - 1A 01 (CX/CM)
    • Offset 88A-88B: lcd light max - CE 01 (CX/CM)
    • Offset 88C-88D: lcd light default - 6A 01 (CX/CM)
    • Offset 88E-88F: lcd light increment - 14 00 (CX/CM)
    • Offset 890-893: 0C 01 A2 18 (CX/CM)
    • Offset 894-923: display informations on the 12 elements of the splash screen (CX/CM): horizontal display offset + vertical display offset + width + height (2-bytes each) + data offset (4-bytes)
      • Offset 894-89F: Low Battery error icon [diplayed unknown]
      • Offset 8A0-8AB: Boot1 Recoverable Error icon [displayed 8th]
      • Offset 8AC-8B7: Send Diagnostics Software info icon [displayed 8th]
      • Offset 8B8-8C3: Boot2 Recoverable Error icon [displayed 8th]
      • Offset 8C4-8CF: Unrecoverable Error icon [displayed 8th]
      • Offset 8D0-8DB: Progress Bar Background [displayed 6th]
      • Offset 8DC-8E7: Progress Bar [displayed 7th]
      • Offset 8E8-8F3: permanent element #1 (background) [displayed 1st]
      • Offset 8F4-8FF: permanent element #2 (unused) [displayed 2nd]
      • Offset 900-90B: permanent element #3 (unused) [displayed 3th]
      • Offset 90C-917: permanent element #4 (unused) [displayed 4th]
      • Offset 918-923: permanent element #5 (unused) [displayed 5th]
    • Offset 924-927: compressed splash screen data size
    • Offset 928-92B: uncompressed splash screen data size (0x0000FA40 on CX EVT, 0x00029CD0 on all CX/CM)
    • Offset 92C-92F: ? (0x00000756 on CX EVT, 0x000006D3 on all CX/CM)
    • Offset 930-???: compressed splash screen data (same compression format as the boot2)
    • Offset ???-???: TI-Certificate - fields present :
      • Production : 0x290 (0x100), 0x290 (0x100), 0x340 (0x1A4), 0x290 (0x100), 0x340 (0x115), 0x290 (0x100), 0xFFFF0 (0)
      • Development : 0x290 (0x100), 0x290 (0x100), 0x340 (0x1A4), 0x240 (0x80), 0x290 (0x100), 0x340 (0x115), 0x290 (0x100), 0xFFFF0 (0)
  • pages 0020 to 0A7F (Nspire) or 0040 to 057F (CX/CM): boot2 image
  • pages 0A80 to 0AFF (Nspire) or 0580 to 063F (CX/CM): "bootdata" (every time this is modified, the next available page is used; if all 128 pages are in use, then the whole area is erased first)
    • Offset 00-03: Marker AA C6 8C 92
    • Offset 04-07: Downgrade protection: minimum OS version allowed as a 4-bytes word (major-minor-lower1-lower2). Written during OS installation with the value found in the second field 8020 of the OS upgrade file
    • Offset 08-0F: Hold the press-to-test status (word, word, long word)
      • Offset 08-09: press to test mode
        • 00 : none
        • 01 : 84+ mode (OS is going to prompt for a 84+ keypad if not installed on next reboot)
        • 02 : fully restricted (all listed features disabled) - LED flashes in green
        • 03 : partially restricted (no or some listed features disables) - LED flashes in orange
        • 04 : old mode not used any more, for OS 1.x/2.x - at that time there were only 2 features which could be disabled - meant that one feature had been selected but not botg - LED flashes in green+orange
        • 06 : for Netherlands/Europe (since OS 4.3) - no programming, and easily disabled through any USB transfer - LED flashes in orange
      • 0A-0B : clear PTT folders content on next reboot (1 during the 1st reboot after (re)enabling PTT - default 0)
      • 0C-0D : disabled features in PTT mode - default 0
        • Mode 3 :
          • bit 0 : geometry
          • bit 1 : drag&move in graphs
          • bit 2 : vectors
          • bit 3 : isPrime()
          • bit 4 : diff eq
          • bit 5 : ineq graphing
          • bit 6 : 3D graphing
          • bit 7 : rel/coniq graphing
          • bit 8 : trig
          • both bits 9+10 : logbase()
          • both bits 11+12 : poly and simult solving
        • Mode 2 : all 13 previous bits are 1
        • Mode 6 : all 13 previous bits are 0
      • 0E-0F : unkown - default 0 - sometimes 0x8000 in PTT mode
    • Offset 10-13: If nonzero, BOOT1 will attempt to run DIAGS by default; if zero, it will skip straight to BOOT2. (Either behavior can be overridden with the Esc+Menu+G key combination.)
    • Offset 14-1A: TI-84 Plus emulator 0A1 certificate field
    • Offset 1B-1E: TI-84 Plus emulator 041 certificate field
    • Offset 1F-61: TI-84 Plus emulator 0A2 certificate field
    • Offset 64-67: (OS 1.6+) Default LCD contrast (if not in range from 0x76 to 0x8A, assumed to be 0x80)
  • pages 0B00 to 0F7F (Nspire) or 0640 to 079F (CX) or 0640 to 7BF (CM): diags software
  • pages 0F80 to 0FFF (Nspire) or 0780 to 07FF (CX): diags test results
  • pages from 1000 (Nspire) or 0800 (CX) or 07C0 (CM): factory images or filesystem

Factory images

At startup, boot2 checks the NAND flash for a pre-loaded factory image. The format is a 32-byte header followed by the .tnc/.tno file contents:

  • Offset 00-13: String "***PRELOAD_IMAGE***"
  • Offset 14-17: 55 F0 01 55
  • Offset 18-1B: (unknown)
  • Offset 1C-1F: Size of image (in big-endian)

If boot2 finds this header, the user is prompted to press 'I' on the keypad. After that, the image is copied to RAM before creating the filesystem (The filesystem also starts at page 0x1000, so it cannot co-exist with a factory image), and is installed the same as if it had been received from the serial port.

Layout on CX II

Partitions

Partitions are aligned to erase block size (64 pages) and so the size and offsets in the table below are given in blocks.

The OS is not stored in the file system, but separately in its own partition.

Name Size Offset
Manuf 1 0
Bootloader 4 1
PTT Data 1 5
??? 1 6
DevCert 1 7
OS Loader 3 8
Installer 8 11
Other Installer 8 19
OS Data (?) 2 27
Diags 5 29
? ? ?
OS file (weird header) ? 36
Logging 87 (?) 114
File System ? ?
? ? ?

Manuf Format

The Manuf on CX II uses the same fields format as seen in OS upgrade files.

5000 : Top-level field
5100 - 2 : Product ID
5200 - 2 : Unknown
5300 - x : Language
5400 - 4 : Hardware flags. Bit 0 is 1 if the "CapTIvate" touchpad is used.
5500 - x : Optional: If present, the bootrom runs this as code
5600 - 4 : Unknown
57y0 - 4 : Unknown (repeats with different values for y)
5500 - x : Contains pairs of addr/value to write
290 - 256 : 2048-bit Signature
290 - 256 : 2048-bit Signature (another one?)
340 - 420 : Public key (?)
270 - 1: ?
260 - 140: 1024-bit public key (?)
2A0 - 270: 2048-bit public key (?)
340 - 277 : Public key (?)
270 - 1: ?
2A0 - 270: 2048-bit public key (?)
290 - 256: 2048-bit Signature (yet another one?)
FFF0 - 0 : End

Bootdata Format

Like for previous versions, every time this is modified, the next available page is used. If all 128 pages are in use, the whole area is erased first.

000 - 003 : Signature: 44 41 54 41 ('D' 'A' 'T' 'A')
004 - 007 : Boot type (0 = OS Loader, 1 = Installer, 2 = Diags)
008 - 00B : Which installer to boot (0 = Installer, 1 = Other installer)
00C - 00F : Minimum OS version (little endian, e.g. 00 00 00 05)
010 - 01B : Unknown, filled with 00
01C - 3FF : Blank, filled with FF
400 - 7FF : Blank, filled with 00
780 - 783 : Unknown, starts with 21
Retrieved from "https://hackspire.org//index.php?title=Memory-mapped_I/O_ports_on_CX&oldid=1766"