Difference between revisions of "Nano 4G"
(Add status registers) |
|||
Line 9: | Line 9: | ||
| Samsung S5L8720 | | Samsung S5L8720 | ||
| 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ||
− | | | + | | ARM1176JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor. |
|- | |- | ||
| | | | ||
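Review bot: the added Notes cell for the S5L8720 row rests its exploit claim on doubled hedging ("could mean ... could possibly be used") without saying which exploits or which shared component is meant. Either name what carries over from the iTouch 2G or phrase it as an open question. The link text "Here" hides its target; label it with the page title, for example "S5L8720 (Hardware)".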
Line 50: | Line 50: | ||
==Reverse Engineering Results== | ==Reverse Engineering Results== | ||
Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151. | Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151. | ||
+ | |||
+ | ==Status registers== | ||
+ | We dumped all c0 coprocessor registers: | ||
+ | |||
+ | ===c0,c0=== | ||
+ | '''Value:''' 0x410FB764 | ||
+ | |||
+ | '''Interpretation:''' ARM1176 rev. 4 | ||
+ | ===c0,c1=== | ||
+ | '''Value:''' 0x1D152152 | ||
+ | |||
+ | '''Interpretation:''' DCache/ICache 16KB each, 4 way associative, 32 bytes line size | ||
+ | ===c0,c2=== | ||
+ | '''Value:''' 0x00000000 | ||
+ | |||
+ | '''Interpretation:''' No TCM | ||
+ | ===c0,c3=== | ||
+ | '''Value:''' 0x00000800 | ||
+ | |||
+ | '''Interpretation:''' Unified TLB, 8 lockable entries | ||
+ | ===c1,c0=== | ||
+ | '''Value:''' 0x00000111 | ||
+ | |||
+ | '''Interpretation:''' ARM/Thumb1/Jazelle support, no Thumb2 support | ||
+ | ===c1,c1=== | ||
+ | '''Value:''' 0x00000011 | ||
+ | |||
+ | '''Interpretation:''' Trustzone v1 | ||
+ | ===c1,c2=== | ||
+ | '''Value:''' 0x00000033 | ||
+ | |||
+ | '''Interpretation:''' Supports debug model v6.1, both applications processor and secure | ||
+ | ===c1,c3=== | ||
+ | '''Value:''' 0x00000000 | ||
+ | |||
+ | '''Interpretation:''' No auxiliary features | ||
+ | ===c1,c4=== | ||
+ | '''Value:''' 0x01130003 | ||
+ | |||
+ | '''Interpretation:''' FCSE, Auxiliary Control register, ARMv6 TCM/DMA, no DMA cache coherency, no multicore cache coherency, VMSA v7 | ||
+ | ===c1,c5=== | ||
+ | |||
+ | '''Value:''' 0x10030302 | ||
+ | |||
+ | '''Interpretation:''' Branch target buffer, Harvard architecture, various cache operations supported (see TRM) | ||
+ | ===c1,c6=== | ||
+ | |||
+ | '''Value:''' 0x01222100 | ||
+ | |||
+ | '''Interpretation:''' WFI, Data synchronization barrier, Prefetch flush, Data memory barrier, various TLB/cache operations supported (see TRM), no prefetch cache range operation | ||
+ | |||
+ | ===c1,c7=== | ||
+ | '''Value:''' 0x00000000 | ||
+ | |||
+ | '''Interpretation:''' No hierarchical cache maintenance support | ||
+ | ===c2,c0=== | ||
+ | '''Value:''' 0x00140011 | ||
+ | |||
+ | '''Interpretation:''' Supports BKPT, CDP, CDP2, LDC, LDC2, MCD, MCD2, MRC, MRC2, STC, STC2, MCRR, MCRR2, MRRC, MRRC2, CLZ, SWP and SWPB, doesn't support division, combined compare and branch or bitfield instructions | ||
+ | ===c2,c1=== | ||
+ | '''Value:''' 0x12002111 | ||
+ | |||
+ | '''Interpretation:''' Supports BXJ, BX, BLX, PC loads have BX behavior, supports SXTB, SXTAB, SXTB16, SXTAB16, SXTH, SXTAH, UXTB, | ||
+ | UXTAB, UXTB16, UXTAB16, UXTH, UXTAH, SRS, RFE, CPS, LDM(2), LDM(3), STM(2) and SETEND | ||
+ | ===c2,c2=== | ||
+ | '''Value:''' 0x11231121 | ||
+ | |||
+ | '''Interpretation:''' Supports REV, REV16, REVSH, MRS, MSR, UMULL, UMLAL, UMAAL, SMULL, SMLAL, SMLABB, SMLABT, SMLALBB, SMLALBT, SMLALTB, SMLALTT, SMLATB, SMLATT, SMLAWB, SMLAWT, SMULBB, SMULBT, SMULTB, SMULTT, SMULWB, SMULWT, SMLAD, SMLADX, SMLALD, SMLALDX, SMLSD, SMLSDX, SMLSLD, SMLSLDX, SMMLA, SMMLAR, SMMLS, SMMLSR, SMMUL, SMMULR, SMUAD, SMUADX, SMUSD, SMUSDX, MLA, restartable LDM/STM, PLD, LDRD, STRD and Q bit in PSRs | ||
+ | ===c2,c3=== | ||
+ | '''Value:''' 0x01102131 | ||
+ | |||
+ | '''Interpretation:''' Supports true NOP, Thumb MOV(3)/CPU, LDREX, STREX, LDREXB, LDREXH, LDREXD, STREXB, STREXH, STREXD, CLREX, SVC, PKHBT, PKHTB, QADD16, QADD8, QADDSUBX, QSUB16, QSUB8, QSUBADDX, SADD16, SADD8, SADDSUBX, SEL, SHADD16, SHADD8, SHADDSUBX, SHSUB16, SHSUB8, SHSUBADDX, SSAT, SSAT16, SSUB16, SSUB8, SSUBADDX, SXTAB16, SXTB16, UADD16, UADD8, UADDSUBX, UHADD16, UHADD8, UHADDSUBX, UHSUB16, UHSUB8, UHSUBADDX, UQADD16, UQADD8, UQADDSUBX, UQSUB16, UQSUB8, UQSUBADDX, USAD8, USADA8, USAT, USAT16, USUB16, USUB8, USUBADDX, UXTAB16, UXTB16, QADD, QDADD, QDSUB, QSUB, and the Q and GE[3:0] bits in the PSRs. Does nut support branch table and Thumb2 instructions. | ||
+ | ===c2,c4=== | ||
+ | '''Value:''' 0x00001141 | ||
+ | |||
+ | '''Interpretation:''' Supports SMC, writeback instructions, shift of loads and stores by 0-3 bits to the left, constant shift options, register controlled shift options, LDRBT, LDRT, STRBT and STRT. No barrier instructions support. | ||
+ | ===c2,c5=== | ||
+ | '''Value:''' 0x00000000 | ||
+ | |||
+ | '''Interpretation:''' No additional implementation defined instruction set extensions | ||
==Helpful pages== | ==Helpful pages== |
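Review bot: the new section is headed "Status registers" and introduced as "all c0 coprocessor registers", but the sub-headings ("c0,c0" through "c2,c5") never say which coprocessor is meant or what the two numbers in each heading encode. State that once under the section heading so the values can be checked against the TRM the text refers to. Three spellings in the added lines need fixing: "MCD, MCD2" in c2,c0 sits in a list of coprocessor instructions where MCR, MCR2 would be expected, "Thumb MOV(3)/CPU" in c2,c3 looks like a typo for CPY, and "Does nut support" should read "Does not support". The c2,c1 interpretation is also split across two lines mid-list and should be joined.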
Revision as of 17:34, 9 July 2011
Components
Label | Component | Part | Markings | Notes |
---|---|---|---|---|
2 | CPU | Samsung S5L8720 | 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 | ARM1176JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits used against that device could also work here. A very interesting page about the S5L8720 processor: http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) |
SDRAM | 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines. | |||
4 | Accelerometer | LIS331DL | 33DL, 2827 | The newer Touches, iPhones, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names. |
6 | NAND Flash | Varies | TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE | |
5 | Audio codec | Probably Cirrus | 338S055C, 189N0824, SGP | I determined this because the Nano 5G has a similar chip whose identity we are sure of. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air. |
1 | Power manager | D1759 | 338S0687-AC, 08288HBB | |
3 |
Reverse Engineering Results
Timers: These clockgates have been found to be related to timers: 37, 55, 56, 57, 58, 59, 60, 69, 70, 128, 129, 130, 131, 132, 133, 134, 150 and 151.
Status registers
We dumped all c0 coprocessor registers:
c0,c0
Value: 0x410FB764
Interpretation: ARM1176 rev. 4
c0,c1
Value: 0x1D152152
Interpretation: DCache/ICache 16KB each, 4-way associative, 32-byte line size
c0,c2
Value: 0x00000000
Interpretation: No TCM
c0,c3
Value: 0x00000800
Interpretation: Unified TLB, 8 lockable entries
c1,c0
Value: 0x00000111
Interpretation: ARM/Thumb1/Jazelle support, no Thumb2 support
c1,c1
Value: 0x00000011
Interpretation: Trustzone v1
c1,c2
Value: 0x00000033
Interpretation: Supports debug model v6.1, both applications processor and secure
c1,c3
Value: 0x00000000
Interpretation: No auxiliary features
c1,c4
Value: 0x01130003
Interpretation: FCSE, Auxiliary Control register, ARMv6 TCM/DMA, no DMA cache coherency, no multicore cache coherency, VMSA v7
c1,c5
Value: 0x10030302
Interpretation: Branch target buffer, Harvard architecture, various cache operations supported (see TRM)
c1,c6
Value: 0x01222100
Interpretation: WFI, Data synchronization barrier, Prefetch flush, Data memory barrier, various TLB/cache operations supported (see TRM), no prefetch cache range operation
c1,c7
Value: 0x00000000
Interpretation: No hierarchical cache maintenance support
c2,c0
Value: 0x00140011
Interpretation: Supports BKPT, CDP, CDP2, LDC, LDC2, MCR, MCR2, MRC, MRC2, STC, STC2, MCRR, MCRR2, MRRC, MRRC2, CLZ, SWP and SWPB. Doesn't support division, combined compare and branch, or bitfield instructions.
c2,c1
Value: 0x12002111
Interpretation: Supports BXJ, BX, BLX, PC loads have BX behavior, supports SXTB, SXTAB, SXTB16, SXTAB16, SXTH, SXTAH, UXTB, UXTAB, UXTB16, UXTAB16, UXTH, UXTAH, SRS, RFE, CPS, LDM(2), LDM(3), STM(2) and SETEND
c2,c2
Value: 0x11231121
Interpretation: Supports REV, REV16, REVSH, MRS, MSR, UMULL, UMLAL, UMAAL, SMULL, SMLAL, SMLABB, SMLABT, SMLALBB, SMLALBT, SMLALTB, SMLALTT, SMLATB, SMLATT, SMLAWB, SMLAWT, SMULBB, SMULBT, SMULTB, SMULTT, SMULWB, SMULWT, SMLAD, SMLADX, SMLALD, SMLALDX, SMLSD, SMLSDX, SMLSLD, SMLSLDX, SMMLA, SMMLAR, SMMLS, SMMLSR, SMMUL, SMMULR, SMUAD, SMUADX, SMUSD, SMUSDX, MLA, restartable LDM/STM, PLD, LDRD, STRD and Q bit in PSRs
c2,c3
Value: 0x01102131
Interpretation: Supports true NOP, Thumb MOV(3)/CPY, LDREX, STREX, LDREXB, LDREXH, LDREXD, STREXB, STREXH, STREXD, CLREX, SVC, PKHBT, PKHTB, QADD16, QADD8, QADDSUBX, QSUB16, QSUB8, QSUBADDX, SADD16, SADD8, SADDSUBX, SEL, SHADD16, SHADD8, SHADDSUBX, SHSUB16, SHSUB8, SHSUBADDX, SSAT, SSAT16, SSUB16, SSUB8, SSUBADDX, SXTAB16, SXTB16, UADD16, UADD8, UADDSUBX, UHADD16, UHADD8, UHADDSUBX, UHSUB16, UHSUB8, UHSUBADDX, UQADD16, UQADD8, UQADDSUBX, UQSUB16, UQSUB8, UQSUBADDX, USAD8, USADA8, USAT, USAT16, USUB16, USUB8, USUBADDX, UXTAB16, UXTB16, QADD, QDADD, QDSUB, QSUB, and the Q and GE[3:0] bits in the PSRs. Does not support branch table and Thumb2 instructions.
c2,c4
Value: 0x00001141
Interpretation: Supports SMC, writeback instructions, shift of loads and stores by 0-3 bits to the left, constant shift options, register controlled shift options, LDRBT, LDRT, STRBT and STRT. No support for barrier instructions.
c2,c5
Value: 0x00000000
Interpretation: No additional implementation defined instruction set extensions
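An added example (not from the wiki page): a host-side C decoder for three of the dumped values, c0,c0, c0,c1 and c0,c3, read here as the CP15 Main ID, Cache Type and TLB Type registers. The field layouts follow the ARMv6 definitions of those registers; the struct and function names are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: names below are illustrative, not from the wiki page. */
struct midr  { unsigned implementer, variant, arch, part, revision; };
struct cache { unsigned size_bytes, ways, line_bytes; };
struct tlb   { int unified; unsigned lockable_d, lockable_i; };

/* Extract bits [hi:lo] of v (field width is always < 32 here). */
static uint32_t bits(uint32_t v, int hi, int lo) {
    return (v >> lo) & ((1u << (hi - lo + 1)) - 1u);
}

/* c0,c0: implementer[31:24] variant[23:20] arch[19:16] part[15:4] rev[3:0] */
struct midr decode_midr(uint32_t v) {
    struct midr m = { bits(v, 31, 24), bits(v, 23, 20), bits(v, 19, 16),
                      bits(v, 15, 4), bits(v, 3, 0) };
    return m;
}

/* One 12-bit Dsize/Isize field of c0,c1: size[9:6] assoc[5:3] M[2] len[1:0].
   M selects the 1.5x size/associativity variants defined by ARMv6. */
struct cache decode_cache_field(uint32_t f) {
    unsigned m = bits(f, 2, 2), size = bits(f, 9, 6), assoc = bits(f, 5, 3);
    struct cache c;
    c.size_bytes = (m ? 768u : 512u) << size;
    c.ways       = m ? ((3u << assoc) >> 1) : (1u << assoc);
    c.line_bytes = 8u << bits(f, 1, 0);
    return c;
}

/* c0,c3: U[0] (0 = unified), DLsize[15:8], ILsize[23:16] lockable entries */
struct tlb decode_tlbtr(uint32_t v) {
    struct tlb t = { !bits(v, 0, 0), bits(v, 15, 8), bits(v, 23, 16) };
    return t;
}

int main(void) {
    uint32_t ctr = 0x1D152152u;               /* values as dumped on the page */
    struct midr  id = decode_midr(0x410FB764u);
    struct cache dc = decode_cache_field(bits(ctr, 23, 12));
    struct cache ic = decode_cache_field(bits(ctr, 11, 0));
    struct tlb   t  = decode_tlbtr(0x00000800u);
    printf("part 0x%X r%up%u\n", id.part, id.variant, id.revision);
    printf("D %uB %u-way %uB/line, I %uB %u-way %uB/line, separate=%u\n",
           dc.size_bytes, dc.ways, dc.line_bytes,
           ic.size_bytes, ic.ways, ic.line_bytes, (unsigned)bits(ctr, 24, 24));
    printf("TLB unified=%d lockable=%u\n", t.unified, t.lockable_d);
    return 0;
}
```

Decoding the raw words this way lets each "Interpretation" line be re-derived from its "Value" line, which is a quick check when comparing a dump from another device against this one.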
Helpful pages
Teardowns:
Other: