Difference between revisions of "FMSS"

From freemyipod.org
Jump to: navigation, search
(CS (Code Sequencer))
(CS (Code Sequencer))
Line 64: Line 64:
 
! Offset !! Register Name !! Description
 
! Offset !! Register Name !! Description
 
|-
 
|-
 +
|-
 +
| 0xC04 || CS_IP || Sequencer's instruction pointer.
 
| 0xC08 || CS_STATUS ||
 
| 0xC08 || CS_STATUS ||
 
|-
 
|-

Revision as of 02:57, 11 October 2023

FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730.

There is no publicly available information about it, and the following has been gathered from reverse engineering RetailOS and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet.

Subsystems

FMC (Flash Memory Controller)

This is the component responsible for the actual bus transfers on the NAND bus.

Offset Register Name Description
0x000 FMCTRL0 General control register.
  • Bit 0: Enable
  • Bits [1..8]: CE/Bank number
  • Bit 10: DMA enable?
  • Bits [12..14]: Hold clocks
  • Bits [16..18]: Setup clocks
  • Bits [28..30]: EDO clocks
0x004 FMCTRL1 Transfer control register.
  • Bit 0: Start address transfer.
  • Bit 1: Start read transfer.
  • Bit 2: Start write transfer.
  • Bit 4: ???
  • Bit 5: Clear ???
  • Bit 6: Clear write FIFO
  • Bit 7: Clear read FIFO
0x008 FMCMD NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets.
0x00C FMADDR0 Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets.
0x010 FMADDR1 Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets.
0x02C FMANUM Number of bytes to transfer during address transfer minus one (ie. countdown counter).
0x030 FMDNUM Number of bytes to transfer during data transfer minus one (ie. countdown counter).
0x048 FMSTAT Controller status.
  • Bit 0: flash busy?
  • Bit 1: command done. Write to clear.
  • Bit 2: address done. Write to clear.
  • Bit 3: transfer done. Write to clear.
  • Bit 23: flash has become busy? Write to clear.

To be documented fully.

ECC (Error Correction Code)

To be documented.

CS (Code Sequencer)

A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems.

The bytecode is documented at lemonjesus/S5L8702-FMISS-Tools.

Offset Register Name Description
0xC04 CS_IP Sequencer's instruction pointer. 0xC08 CS_STATUS
0xC0C CS_IRQ
0xC60 CS_BUF_RST
0xC64 CS_BUF_RST_OK
0xC6C CS_BUF_START

Other devices / SoCs

S5L8700X (non-Apple) and S5L8900

A similar controller is present, called simply the FMC. It has no code sequencing functionality.

On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS.