DIGIC VI[]
QEMU log:
FC000008: MCR p15,0,Rd,cr6,cr2,0: RGNR <- 0x0 FC000010: MCR p15,0,Rd,cr6,cr1,0: DRBAR <- 0x0 FC000018: MCR p15,0,Rd,cr6,cr1,2: DRSR <- 0x3F FC000020: MCR p15,0,Rd,cr6,cr1,4: DRACR <- 0x320 FC000028: MCR p15,0,Rd,cr1,cr0,0: SCTLR <- (old & ~0x20000) | 0x1 => 0x2001 (enable MPU, disable background region; hivecs is enabled) FE020040: MCR p15,0,Rd,cr9,cr1,1: BTCM <- (old & 0x7D) | 0x1 FE025884: MCR p15,0,Rd,cr6,cr2,0: RGNR <- 0x1 FE02588C: MCR p15,0,Rd,cr6,cr1,0: DRBAR <- 0x0 FE025894: MCR p15,0,Rd,cr6,cr1,4: DRACR <- 0x329 FE02589C: MCR p15,0,Rd,cr6,cr1,2: DRSR <- 0x3B FE0258A4: MCR p15,0,Rd,cr6,cr2,0: RGNR <- 0x2 FE0258AC: MCR p15,0,Rd,cr6,cr1,0: DRBAR <- 0xBFE00000 FE0258B4: MCR p15,0,Rd,cr6,cr1,4: DRACR <- 0x324 FE0258BC: MCR p15,0,Rd,cr6,cr1,2: DRSR <- 0x29 FE0258C4: MCR p15,0,Rd,cr6,cr2,0: RGNR <- 0x4 FE0258CC: MCR p15,0,Rd,cr6,cr1,0: DRBAR <- 0xDFE00000 FE0258D4: MCR p15,0,Rd,cr6,cr1,4: DRACR <- 0x324 FE0258DC: MCR p15,0,Rd,cr6,cr1,2: DRSR <- 0x29 FE0258E4: MCR p15,0,Rd,cr6,cr2,0: RGNR <- 0x5 FE0258EC: MCR p15,0,Rd,cr6,cr1,0: DRBAR <- 0xEE000000 FE0258F4: MCR p15,0,Rd,cr6,cr1,4: DRACR <- 0x329 FE0258FC: MCR p15,0,Rd,cr6,cr1,2: DRSR <- 0x31 FE025904: MCR p15,0,Rd,cr6,cr2,0: RGNR <- 0x6 FE02590C: MCR p15,0,Rd,cr6,cr1,0: DRBAR <- 0xFE000000 FE025914: MCR p15,0,Rd,cr6,cr1,4: DRACR <- 0x329 FE02591C: MCR p15,0,Rd,cr6,cr1,2: DRSR <- 0x31 FE025924: MCR p15,0,Rd,cr6,cr2,0: RGNR <- 0x3 FE02592C: MCR p15,0,Rd,cr6,cr1,0: DRBAR <- 0xC0000000 FE025934: MCR p15,0,Rd,cr6,cr1,4: DRACR <- 0x305 FE02593C: MCR p15,0,Rd,cr6,cr1,2: DRSR <- 0x3B FE025944: MCR p15,0,Rd,cr15,cr5,0: UNK <- 0x0 FE025944: MCR p15,0,Rd,cr1,cr0,0: SCTLR <- (old & ~0x1002000) | 0x1004 => 0x1005 (clear VE, disable hivecs, enable instruction and data caches) FE020400: MCR p15,0,Rd,cr9,cr1,0: ATCM <- (old & 0x7D) | 0x80000001
[ init:fe237fa9 ] Memory region: start=00000000 end=00000000 flags=00000001 [ init:fe237fbf ] Memory region: start=00000000 end=00000000 flags=00000002 [ init:fe237fcb ] Memory region: start=E0000000 end=FFFFFFFF flags=00000020 [ init:fe237ffd ] Memory region: start=FE000000 end=FFFFFFFF flags=00000008 [ init:fe237ffd ] Memory region: start=EE000000 end=EFFFFFFF flags=00000008 [ init:fe237ffd ] Memory region: start=DFE00000 end=DFFFFFFF flags=00000004 [ init:fe237ffd ] Memory region: start=C0000000 end=FFFFFFFF flags=00000010 [ init:fe237ffd ] Memory region: start=BFE00000 end=BFFFFFFF flags=00000004 [ init:fe237ffd ] Memory region: start=00000000 end=3FFFFFFF flags=00000008 [ init:fe237ffd ] Memory region: start=00000000 end=FFFFFFFF flags=00000004 [ init:fe237e5f ] Memory region: start=00000000 end=FFFFFFFF flags=00000000
Register Description
RGNR = MPU Region Number Register DRBAR = Data Region Base Address Register DRSR = Data Region Size and Enable Register DRACR = Data Region Access Control Register SCTLR = System Control Register (?) ATCM = DTCMRR = Data TCM Region Register (TCM = Tightly Coupled Memory) BTCM = ITCMRR = Instruction or unified TCM Region Register
region | base | size | end | info |
---|---|---|---|---|
0 | 0x0 | 0x100000000 (4Gb) | 0x100000000 | non-shareable, can contain executable code, PL1:R/W PL0:R/W, cacheable: inner non-cacheable, outer non-cacheable
SCTLR: V(High exception vectors (Hivecs), base address 0xFFFF0000), M(MPU enabled) TCM: ITCMRR, (current Instruction or unified Region Register) - enabled, base address=0x0(given as the physical address of the TCM in the memory map), size=unknown |
1 | 0x0 | 0x40000000 (1Gb) | 0x40000000 | non-shareable, can contain executable code, PL1:R/W PL0:R/W, cacheable: outer Write-Back, Write-Allocate; inner Write-Back, Write-Allocate |
2 | 0xBFE00000 | 0x200000 (2Mb) | 0xC0000000 | shareable, PL1:R/W PL0:R/W, can contain executable code, cacheable: inner non-cacheable, outer non-cacheable |
3 | 0xC0000000 | 0x40000000 (1Gb) | 0x100000000 | shareable, can contain executable code, PL1:R/W PL0:R/W, Shareable Device (memory type: Device)
SCTLR: I(Instruction caches enabled), C(Data and unified caches enabled), M(MPU enabled) TCM: DTCMRR, (current Data TCM Region Register) - enabled, base address=0x80000 (given as the physical address of the TCM in the memory map), size=unknown |
4 | 0xDFE00000 | 0x200000 (2Mb) | 0xE0000000 | shareable, PL1:R/W PL0:R/W, can contain executable code, cacheable: inner non-cacheable, outer non-cacheable |
5 | 0xEE000000 | 0x2000000 (32Mb) | 0xF0000000 | non-shareable, can contain executable code, PL1:R/W PL0:R/W, cacheable: outer Write-Back, Write-Allocate; inner Write-Back, Write-Allocate |
6 | 0xFE000000 | 0x2000000 (32Mb) | 0x100000000 | non-shareable, can contain executable code, PL1:R/W PL0:R/W, cacheable: outer Write-Back, Write-Allocate; inner Write-Back, Write-Allocate |
Here is a tentative to describe memory usage of the firmware
Digic IV[]
start | length | name | description |
---|---|---|---|
0x800000 | updater location | ||
0xf0010000 | 0x540000? | copy of 0xff010000 | |
0xf8000000 | 0x10000 | Flags and config area*. copy of 0xff800000 | |
.0xf8000000 | 4? | 0=enableMainFirmware, -1=disableMainFirmware | |
.0xf8000004 | 4? | 0=disableBootdisk, -1=enableBootdisk | |
.0xf800000c | 4? | 0=disableFirmware, -1=enableFirmware | |
0xf8010000 | 0x540000 with single Digic? | Main firmware. copy of 0xff810000 | for dual Digic camera, a second and shorter firmware (<0x1c0000 bytes) is targeted at 0xf8010000. |
0xf8300000 | about 0x35000 | FixData. only for 2nd Digic with shorter firmware? | seen in 7d 121 update. 1st patch. Identical to data targeted to 0xf8910000 |
0xf85b0000 | about 0x1f0000 | ? | seen in 7d 121 update |
0xf8760000 | 0x60000 or 0x30000 | FPGA config*. | |
0xf8790000 | 0x60000 or 0x30000 | FPGA config? | seen with 1dm4 106. same length as 0xf8760000 content. only for dual digic. |
0xf87c0000 | 0x20000 | Bind resource* | |
0xf87e0000 | 0x10000 | Bootrom cipher extension* | |
0xf87f0000 | 0x10000 | Bootloader (bootrom)* | |
0xf88f0000 | 0x20000 | RingData | |
0xf8910000 | 0x40000 | FixData | |
0xf8950000 | 0x20000? | ||
0xf8970000 | 0x30000 | RasenData | |
0xf8a00000 | 0x2c0000 | TuneData | |
.0xf8eb0000 | ? | LensData. | |
0xf8cc0000 | ? | ? | |
0xff010000 | 0x540000? | Main firmware (500D/T1i, 7D) |
(*) from this message on CHDK forum : 5D Mark II by memset (14Mar2009)
Digic IV EOS ROM map 0xF8000000 - ROM0 (64Mb) 0xF0000000 - ROM1 (32Mb) 0xF8000000 - 0xF0010000 - Flags & config area 0xF8010000 - 0xF874FFFF - User area 0xF8760000 - 0xF87BFFFF - FPGA config 0xF87C0000 - 0xF7DFFFFF - Bind resource 0xF87E0000 - 0xF87EFFFF - Bootrom cipher extension 0xF87F0000 - 0xF87FFFFF - Bootloader (bootrom) FPGA config area: byte-by-byte interleaved bitstreams: bitstream 0: Xilinx Spartan-3E XC3S250E bitstream 1: Xilinx Spartan-3E XC3S100E
See also Setting up memory maps hudson (9May2009)
below for 5DMark II 1.0.7 and 7D 1.1.0:
5d Mark II, 1.0.7[]
;http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0201d/I1039570.html ;Register 6, Protection Region Base and Size Registers ROM:FFFF2368 MOV R0, #0x3F ;region0, 0x3f=0011 1111 : base=0, size=4Gb (0xffff ffff) MCR p15, 0, R0,c6,c0 MOV R0, #0x3D ;region1, 0x3d=0011 1101 : base=0, size=2Gb (0x8000 0000) MCR p15, 0, R0,c6,c1 LDR R0, =0xE0000039 ;region2, 0x39=0011 1001 : base=0xe000 0000, size=512Mb (0x2000 0000) MCR p15, 0, R0,c6,c2 MOV R0, #0xC0000039 ;region3, 0x39=0011 1001 : base=0xc000 0000, size=512Mb (0x2000 0000) MCR p15, 0, R0,c6,c3 LDR R0, =unk_FF80002D ;region4, 0x2D=0010 1101 : base=0xff80 0000, size=8Mb (0x0080 0000) MCR p15, 0, R0,c6,c4 MOV R0, #0x39 ;region5, 0x39=0011 1001 : base=0, size=512Mb (0x2000 0000) MCR p15, 0, R0,c6,c5 LDR R0, =0xF780002D ;region6, 0x2d=0010 1101 : base=0xf780 0000, size=8Mb (0x0080 0000) MCR p15, 0, R0,c6,c6
7D, 1.1.0[]
ROM:FFFF2364 MOV R0, #0x3F ;region0, 0x3f=0011 1111 : base=0, size=4Gb (0xffff ffff) ROM:FFFF2368 MCR p15, 0, R0,c6,c0 ROM:FFFF236C MOV R0, #0x3D ;region1, 0x3d=0011 1101 : base=0, size=2Gb (0x8000 0000) ROM:FFFF2370 MCR p15, 0, R0,c6,c1 ROM:FFFF2374 LDR R0, =0xE0000039 ;region2, 0x39=0011 1001 : base=0xe000 0000, size=512Mb (0x2000 0000) ROM:FFFF2378 MCR p15, 0, R0,c6,c2 ROM:FFFF237C MOV R0, #0xC0000039 ;region3, 0x39=0011 1001 : base=0xc000 0000, size=512Mb (0x2000 0000) ROM:FFFF2380 MCR p15, 0, R0,c6,c3 ROM:FFFF2384 LDR R0, =unk_FF80002F ;region4, 0x2F=0010 1111 : base=0xff80 0000, size=16Mb (0x0100 0000) ROM:FFFF2388 MCR p15, 0, R0,c6,c4 ROM:FFFF238C MOV R0, #0x39 ;region5, 0x39=0011 1001 : base=0, size=512Mb (0x2000 0000) ROM:FFFF2390 MCR p15, 0, R0,c6,c5 ROM:FFFF2394 MOV R0, #0x8000002F ;region6, 0x2F=0010 1111 : base=0x8000 0000, size=16Mb (0x0100 0000) ROM:FFFF2398 MCR p15, 0, R0,c6,c6
550D 1.0.8[]
ROM:F8FF22B0 sub_F8FF22B0 ; CODE XREF: ROM:F8FF0608�p ROM:F8FF22B0 MOV R0, #0x3F ROM:F8FF22B4 MCR p15, 0, R0,c6,c0 ROM:F8FF22B8 MOV R0, #0x3D ROM:F8FF22BC MCR p15, 0, R0,c6,c1 ROM:F8FF22C0 LDR R0, =0xE0000039 ROM:F8FF22C4 MCR p15, 0, R0,c6,c2 ROM:F8FF22C8 MOV R0, #0xC0000039 ROM:F8FF22CC MCR p15, 0, R0,c6,c3 ROM:F8FF22D0 LDR R0, =0xFF00002F ROM:F8FF22D4 MCR p15, 0, R0,c6,c4 ROM:F8FF22D8 MOV R0, #0x39 ROM:F8FF22DC MCR p15, 0, R0,c6,c5 ROM:F8FF22E0 LDR R0, =0xF780002D ROM:F8FF22E4 MCR p15, 0, R0,c6,c6 ROM:F8FF22E8 MOV R0, #0x70 ROM:F8FF22EC MCR p15, 0, R0,c2,c0 ROM:F8FF22F0 MCR p15, 0, R0,c3,c0 ROM:F8FF22F4 MCR p15, 0, R0,c2,c0, 1 ROM:F8FF22F8 LDR R0, =0x3FFF ROM:F8FF22FC MCR p15, 0, R0,c5,c0 ROM:F8FF2300 MCR p15, 0, R0,c5,c0, 1 ROM:F8FF2304 MRC p15, 0, R0,c1,c0 ROM:F8FF2308 ORR R0, R0, #1 ROM:F8FF230C ORR R0, R0, #0x1000 ROM:F8FF2310 ORR R0, R0, #4 ROM:F8FF2314 ORR R0, R0, #0xC0000000 ROM:F8FF2318 ORR R0, R0, #8 ROM:F8FF231C ORR R0, R0, #0x10 ROM:F8FF2320 ORR R0, R0, #0x20 ROM:F8FF2324 ORR R0, R0, #0x40 ROM:F8FF2328 MCR p15, 0, R0,c1,c0 ROM:F8FF232C RET ROM:F8FF232C ; End of function sub_F8FF22B0
Based on this ARM code :
base | length | end | usage |
0x00000000 | 0x20000000 (512Mb) | 0x20000000 | 5D and 7D |
0x00000000 | 0x80000000 (2Gb) | 0x80000000 | 5D and 7D |
0x80000000 | 0x01000000 (16Mb) | 0x81000000 | 7D only (dual digic) |
0xc0000000 | 0x20000000 (512Mb) | 0xe0000000 | |
0xe0000000 | 0x20000000 (512Mb) | 0xffffffff | |
0xf7800000 | 5D Mark II: 0x00800000 (8Mb) | 0xf8000000 | 5dm2 only (single digic) |
0xff800000 | 7D: 0x01000000 (16Mb) | >0xfffffffff !! | |
0xff800000 | 5D Mark II: 0x00800000 (8Mb) | 0xffffffff |
Digic III[]
start | length | name | description |
---|---|---|---|
0x00000000 | 0x40000000 (1Gb) | ||
0xC0000000 | 0x20000000 (512Mb) | ||
0xF8000000 | 0x00400000 (4Mb) | ||
0xFF800000 | 0x00800000 (8Mb) |
from ARM memory protection code of
- 1000d boot code (0xFFFF1C8C in 1.0.5 [1]msg34042.html#msg34042%7C dump)
- and 40D boot code (0xFFFF1CCC in 1.0.8 dump)
Hardware registers[]
Registers start at 0xc0220000.
QEMU[]
00000000 - 3FFFFFFF: eos.ram 40000000 - 7FFFFFFF: eos.ram_uncached F0000000 - F0FFFFFF: eos.rom0 F1000000 - F1FFFFFF: eos.rom0_mirror_F1 F2000000 - F2FFFFFF: eos.rom0_mirror_F2 F3000000 - F3FFFFFF: eos.rom0_mirror_F3 F4000000 - F4FFFFFF: eos.rom0_mirror_F4 F5000000 - F5FFFFFF: eos.rom0_mirror_F5 F6000000 - F6FFFFFF: eos.rom0_mirror_F6 F7000000 - F7FFFFFF: eos.rom0_mirror_F7 F8000000 - F8FFFFFF: eos.rom1 F9000000 - F9FFFFFF: eos.rom1_mirror_F9 FA000000 - FAFFFFFF: eos.rom1_mirror_FA FB000000 - FBFFFFFF: eos.rom1_mirror_FB FC000000 - FCFFFFFF: eos.rom1_mirror_FC FD000000 - FDFFFFFF: eos.rom1_mirror_FD FE000000 - FEFFFFFF: eos.rom1_mirror_FE FF000000 - FFFFFFFF: eos.rom1_mirror_FF C0000000 - CFFFFFFF: eos.iomem