DSP

• DSP_PSTS bits 10..12 (REP0..REP2) are active-high (as in, 1=was written by DSP), while GBAtek says they're active-low


• DSP_PCFG bits 12..15 have an undocumented transer mode (7: ARM9 bus loopback): transfers to/from the ARM9 bus, cf. DSP-internal DMA transfer mode 7. This mode requres some additional setup: you first need to set the following DSP-internal DMA registers to the following values (using transfer mode 1):
  
  
  [0x81BE] = 0 // select channel 0
  [0x81C6] = 0xABCD // destination address, high 16-bit
  [0x80E2] = 0 | (0<<1) | (1<<4) // configure AHBM (DSP->ARM9 DMA) // example value works for 16-bit transfers (see GBATek/Teakra docs for details)
  [0x80E4] = (1<<9) | 1<<8) // resp. mandatory bit, direction (0=read, 1=write) (see GBATek/Teakra docs for details)
  [0x80E6] = 1 // enable channel 0
  
  
  Then perform a transfer as follows (the example writes 0x1337 to 0xABCDEF98):
  
  
  DSP_PADR = 0xEF98 // destination address, low 16-bit
  DSP_PDATA = 0x1337 // for a write, read from this address for a read
  

Posted by Generic aka RSDuck

it's just that the Windows scheduler gives defocused graphical applications less cpu time, because if you don't focus them, you probably aren't interested in seeing what's happening in them at fullspeed.

IR cartridges

• 0x00: savegame escape byte: as long as chip select is held, the bytes that follow will be treated like a regular savegame transfer. These can also happen at any clock speed, but the 0x00 byte itself needs to be transferred at 1 MHz. (This bit was already known.)
• 0x01: receive data from IR: one command byte (0x01) is written, after which data bytes are read by the DS. The first byte read indicates the amount of bytes that will follow. It doesn't seem to be able to receive more than 255 bytes afaics. Bytes written to perform the reads are unused as far as I know, but usually set to 0 (HGSS does this, at least).
  
  • When there are zero bytes to read, you still have to deselect the SPI chip, or the next transfer will fail. Disable the 'chip select hold' bit in AUXSPICNT and send a zero byte.
• 0x02: send data over IR: this one has no length prefix, chip select is used to determine when the transfer ends, as usual.
• 0x03: write byte to in-cart IR MCU RAM: send high addr byte and low addr byte, then send a data byte. Writes the data byte to the specified address in the in-cartridge IR MCU. Discovered by nocash.
• 0x04: read byte from in-cart IR MCU RAM: send high addr byte and low addr byte, then read a data byte. Can be used to dump the ROM inside the in-cart IR MCU. Discovered by nocash.
• 0x05: write word to in-cart IR MCU RAM: send high addr byte and low addr byte, then send two data bytes. Discovered by nocash.
• 0x06: read word from in-cart IR MCU RAM: send high addr byte and low addr byte, then read two data bytes. Discovered by nocash.
• 0x07: mystery command, purpose unclear. Discovered by nocash.
• 0x08: not too sure about this, but probably a status thing. A command byte (0x08) is sent, and a status byte(?) is received from the cart. HGSS seems to always send two of these one after another, carts seem to return 0x00 on the first one and 0xaa for the second, unless other IR devices are sending actively, then both bytes are 0xaa. Allegedly, "Walk With Me" and similar games don't have this command.

Function

• GCNT bit 0 does nothing. 3dbrew made it sound like it could be used to enable/disable NDMA globally, but it doesn't seem to do anything?
• inc/dec/fix modes, FDATA work as expected.
• Both the physical and logical block counts are just word sizes (or log2 thereof in the case of the physical block count). The logical block count (WCNT) is just the total amount of words transferred, it's not used a multiple of the physical block count, it's only a word count. It also doesn't have to be a multiple or has to be aligned or anything like that.
• When accessing peripherals/devices, WCNT signifies the number of words that should be transferred by one peripheral event (when using the corresponding startup mode), and before the next peripheral event. When the device uses a FIFO, this register should contain the size of the FIFO, in words.
• The timer (BCNT) doesn't implement any sort of timeout/deadline/... for the transfer to finish or it'll be cancelled, it's only for inserting delays. (Not sure why I tested this, I might've just been confused by the name.) It is meant to insert delays, see below for more details on that.
• TCNT RESET mode does indeed reset the src or dest address after each logical block, not after each physical block.

Access ordering and priority

• NDMA has priority over old DMA. This is especially visible when there are multiple ODMA and NDMA channels waiting to be resumed as soon as one NDMA channel is suspended through BCNT: first the NDMA channels will be picked (first to last), and ony then the ODMA channels. ODMA transfers cannot be suspended during their entire lifetime, however, not even by GCNT round-robin mode (unlike NDMA). That is, an ODMA transfer acts like a single NDMA physical block transfer.
• Letting NDMA channels suspend using BCNT seems to restart the next available one. GCNT setting seems to change nothing in this situation
• GCNT does indeed seem to be made to let the CPU have some time to do stuff while DMA is running.
• Scheduling between NDMA channels (BCNT) and between NDMA and the CPU (GCNT) seems to happen according to the following rules:
  • Under NO circumstances is a physical block transfer interrupted, paused, aborted, or anything. It always completes once it has started, regardless of whatever may happen (except maybe a full power down of the entire SoC).
  • NDMA startup seems to have a few cycles delay, enough for the CPU to access the bus once or twice (in my case, copy TIMER0_DATA to somewhere in main RAM). Sadly, I don't have an exact number. (However, this seems to contradict the earlier observations wrt. ODMA vs NDMA startup priority behavior?) At this point, the "GCNT timer" starts.
  • Once a physical block has been transferred, the channel suspends for the time specified in BCNT (or, if it is 0, immediately continues with the next block). If the next channel is enabled, this one will start transfers. If no others are enabled, the CPU is now allowed to master the bus. This is true even if GCNT is set to highest-priority!
  • Once the "GCNT timer" expires, first, the hardware waits for the current physical block to finish transferring (if there is any currently happening), once that's finished, the CPU is allowed to run (for the same amount of cycles as specified in GCNT? I think it is). If all channels are either inactive or suspended due to BCNT, the CPU is resumed immediately.
  • In other words, only BCNT controls the priority and switching between NDMA channels, only GCNT controls switching between NDMA globally and the CPU. GCNT knows nothing about scheduling between DMA channels themselves, BCNT however, does seem to be at least slightly aware that it can relinquish control over to the CPU when all NDMA channels are either suspended or inactive. GCNT switches bus master every period, while BCNT causes a pause after every physical block transfer, it doesn't do a suspend/resume after every timer period.
• As every channel is at least suspended for the amount of time specified in BCNT, channels can be fired in at least a round-robin fashion. However, when the BCNT period is smaller than the time it takes for a physical block to be transferred, the lowest pending channel is always resumed first, (regardless of GCNT setting)(?).

Timing stuff

• NDMA seems to copy data as fast as ODMA (often pretty much exactly the same speed). However, NDMA seems to have slightly less variance on the timing in some tests, but more in others?.
• Physical block sizing/moving to the next one doesn't seem to cause any delays (as in, there's no delay between finishing one physical block and starting the next one), or at least not as far as I've noticed. This is also true for writing to main RAM, so, a new phsyical block is still considered sequential access.
• Main RAM writes are slow, lmao (at least when comparing main RAM->VRAM and VRAM->main RAM copies, VRAM->main seems to need 40% extra cycles (60k vs 100k timer ticks) for a copy of bank A).
• Pausing transfers using BCNT between physical blocks does seem to insert delays, however, with a VRAM->main RAM copy, these seem to be disproportionate to the actual delay inserted. Therefore, this probably does cause new nonsequential accesses on the start of the next block. HOWEVER, timing variability seems to go down DRASTICALLY with higher BCNT values!
  • `BCNT=0 P16 32kwords vram2main` -> `N=100897 sigma=4005`
  • `BCNT=1 P16 32kwords vram2main` -> `N=110634 sigma=1635`: higher than expected
  • `BCNT=8 P16 32kwords vram2main` -> `N=118801 sigma= 597`: lower! than expected
  • `BCNT=16 P16 32kwords vram2main` -> `N=135170 sigma= 255`: lower! than expected
  • `BCNT=0 P16 32kwords main2vram` -> `N= 67846 sigma=3128`
  • `BCNT=1 P16 32kwords main2vram` -> `N= 83990 sigma= 920`: higher than expected
  • `BCNT=8 P16 32kwords main2vram` -> `N= 94221 sigma= 784`: lower! than expected
  • `BCNT=16 P16 32kwords main2vram` -> `N=110595 sigma= 463`: lower! than expected
  • `BCNT=0 P16 32kwords vrmA2vrmB` -> `N= 65623 sigma=3112`
  • `BCNT=1 P16 32kwords vrmA2vrmB` -> `N= 69651 sigma= 816`: ok
  • `BCNT=8 P16 32kwords vrmA2vrmB` -> `N= 83974 sigma= 226`: ok
  • `BCNT=16 P16 32kwords vrmA2vrmB` -> `N=100352 sigma= 447`: ok, WTF stddev?
  Sample size of 256 for all cases. `P16` means a physical block size of 16 words. Units of `N` and `σ` are timer 0 ticks (clockdiv set to 1, so 33 MHz).
• GCNT round-robin mode timing does seem to add delays, linear(?) to the amount of cycles specififed in GCNT (so exponential to the actual value in that register).
  • `GCNT=1<<0 P1 32kwords vrmA2vrmB' -> `N=65630 sigma= 3543`
  • `GCNT=1<<1 P1 32kwords vrmA2vrmB' -> `N=65625 sigma= 3216`
  • `GCNT=1<<4 P1 32kwords vrmA2vrmB' -> `N=65623 sigma= 3117`
  • `GCNT=1<<8 P1 32kwords vrmA2vrmB' -> `N=65680 sigma= 3202`
  • `GCNT=1<<a P1 32kwords vrmA2vrmB' -> `N=66017 sigma= 4176`
  • `GCNT=1<<c P1 32kwords vrmA2vrmB' -> `N=67530 sigma= 5084`: +3.125% cf. 0
  • `GCNT=1<<e P1 32kwords vrmA2vrmB' -> `N=73650 sigma= 9418`: +12.5%
  • `GCNT=1<<f P1 32kwords vrmA2vrmB' -> `N=81810 sigma=16886`: +25%
• FDATA/FILL mode doesn't incur an access penalty, unlike ODMA. It's fast. Clearing an entire VRAM bank takes 32k cycles, probably fewer when you enable the 32-bit VRAM bus enhancement.
• Just like other types of accesses/DMA, copies with the source and destination within the same region (eg. both in main RAM, both in the same VRAM or (N)WRAM bank), are really slow (intra-main RAM can be up to 6 times slower than a VRAM-to-main RAM copy, inter-VRAM A takes 1.5x the time of a VRAM A -> VRAM B copy. The physical block size, again, has no effect on whether an access is deemed sequential or nonsequential.

Posted by Digifiend

ARM7 bootloader dumped? Might be useful later, but not right now. Isn't ARM9 needed as well?

Aptina MT9V113 internal MCU stuff

SFRs

• 0x1040: watchdog reset: write 0 to this address to calm down the watchdog timer.
• 0x1048: "high-precision timer": 32-bit timer value that probaly increases by 1 every 16 MHz tick.
• 0x1050: "pagetable" pointer: pointer to a list of 16 addresses used to determine to which physical addresses the virtual ones will resolve.
• 0x1060..0x1066: "ring bus access" or so, not too sure what this is, but it looks like it gives you some sort of DMA access. Sadly, I don't know which registers in this range are address ones, and which ones are used for data.
• 0x1070: GPIO (already documented on GBATEK, didn't touch it myself.)

Address translation

System RAM layout

• 0x000..0x047: SEQ
• 0x05d..0x0c0: AF
• 0x100..0x11f: page table
• 0x120..0x13f: unused shadow pagetable? idk
• 0x140..0x168: MONITOR
• 0x165..0x1d2: AWB
• 0x1d4..0x1f4: FD
• 0x220..0x286: HG
• 0x282..0x2ea: MODE (yes this overlaps with HG)
• 0x300..0x37f: ??? (maybe stack but I doubt it)
• 0x380..0x3ff: stack

Running code on the HC11

Datasheets

• https://datasheets.su/DS/OnSemi/MT9V113-D.pdf: not that informative, but explains the basics (also wow, a .su domain)
• https://files.niemo.de/aptina_pdfs/Image_sensor_1slash11-inch_SOC_component_data_sheet.pdf: similar quality as above, a bit more informative
• https://www.plexishop.it/pdf/MT9D111.pdf: has some info on how the firmware works, but still annoyingly superficial
• https://files.niemo.de/aptina_pdfs/MT9D111_Dev_Guide.book.pdf: has some info on a "safe mode"? Idk if that I2C register exists on the MT9V113, though (the XDMA I2C addresses of the D111 seem to be different).