FMSS

From freemyipod.org
Revision as of 20:06, 17 March 2023 by Q3k (talk | contribs) (FMC (Flash Memory Controller))
Jump to: navigation, search

FMSS is seemingly the name of the flash memory controller on the S5L8702, S5L8710, S5L8720 and S5L8730.

There is no publicly available information about it, and the following has been gathered from reverse engineering RetailOS and iOS builds for the S5L8720 (iPod touch). A very similar controller is present in the S5L8700X datasheet.

Subsystems

FMC (Flash Memory Controller)

This is the component responsible for the actual bus transfers on the NAND bus.

Offset Register Name Description
0x000 FMCTRL0 General control register.
  • Bit 0: Enable
  • Bits [1..8]: CE/Bank number
  • Bit 10: DMA enable?
  • Bits [12..14]: Hold clocks
  • Bits [16..18]: Setup clocks
  • Bits [28..30]: EDO clocks
0x004 FMCTRL1 Transfer control register.
  • Bit 0: Start address transfer.
  • Bit 1: Start read transfer.
  • Bit 2: Start write transfer.
  • Bit 4: ???
  • Bit 5: Clear ???
  • Bit 6: Clear write FIFO
  • Bit 7: Clear read FIFO
0x008 FMCMD NAND command number. Eg. 0x90: read NAND ID. Documented in JEDEC docs and NAND chip datasheets.
0x00C FMADDR0 Lower bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets.
0x010 FMADDR1 Higher bits of address to be written in NAND address transfer. See JEDEC docs and NAND chip datasheets.
0x02C FMANUM Number of bytes to transfer during address transfer minus one (ie. countdown counter).
0x030 FMDNUM Number of bytes to transfer during data transfer minus one (ie. countdown counter).
0x048 FMSTAT Controller status.
  • Bit 0: flash busy?
  • Bit 1: command done. Write to clear.
  • Bit 2: address done. Write to clear.
  • Bit 3: transfer done. Write to clear.
  • Bit 23: flash has become busy? Write to clear.

To be documented fully.

ECC (Error Correction Code)

To be documented.

CS (Code Sequencer)

A little custom core that executes a custom bytecode. 9 32-bit general purpose registers. Controlled by the host CPU. It has access to the host memory and the rest of the FMSS peripherals, and operates by performing accesses to the FMC and ECC subsystems.

The bytecode is documented at lemonjesus/S5L8702-FMISS-Tools.

Other devices / SoCs

S5L8700X (non-Apple) and S5L8900

A similar controller is present, called simply the FMC. It has no code sequencing functionality.

On the S5L8900 the built-in CalmRISC16e core that's part of the ADM (Audio DSP Module) is used as a code sequencer in iOS.

S5L8950 / A6

The controller is called 'PPNFMSS' and seems to use the same CS bytecode, and a generally similar register layout.