4dsdev
Views: 613,634 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 11-20-17 05:52 PM
Guest:

0 users reading SCFG_MC - Memory Card Interface Status | 1 bot

Main - Reverse-engineering - SCFG_MC - Memory Card Interface Status New reply


nocash
Posted on 10-25-15 09:09 AM Link | #558
The DSi is having a "SCFG_MC - Memory Card Interface Status" register, see http://problemkaputt.de/gbatek.htm#dsicontrolregistersscfg for details (aside from the cartidge insert/eject flag, there isn't much known about it yet though).

My current theory is that the register contains 4bits for the NDS cart slot, and another 4bits for the second NDS cart slot (DSi prototypes seem to have had two slots).

So essentially, there are only 4bits used and it should be very simple to understand what the register is doing - the problem is that it's read-only on ARM9 side. It should be read/write-able on ARM7 side, but it's unfortunately disabled after booting, and thus not write-able with existing DSi exploits...

Does the 3DS have anything similar? And is it write-able on 3DS exploits, and know what the separate bits are doing?

The register is fairly important for booting/emulating the DSi firmware (at the moment, no$gba can boot the firmware only when having the register set to "no cartridge inserted" - thus making it impossible to debug the cartridge boot process).

nocash
Posted on 11-18-15 08:31 AM Link | #751
I have more or less solved that problem. With current exploits, I have no way to verify my conclusions on real hardware - but at least I got it emulated well enough to satisfy the firmware and to get through the firmware boot process.

The main issue is that the "Power State" bits are read/write-able, but, after writing "3", the hardware seems to be automatically changing the written value to "0".

4004010h - DSi9 - SCFG_MC - Memory Card Interface Status (R)
4004010h - DSi7 - SCFG_MC - Memory Card Interface Control (R/W)
0 1st NDS Slot Game Cartridge (0=Inserted, 1=Ejected) (R)
1 1st NDS Slot Unknown/Undocumented (0)
2-3 1st NDS Slot Power State (0=Off, 1=PrepareOn, 2=On, 3=RequestOff) (R/W)
4 2nd NDS Slot Game Cartridge (always 1=Ejected) ;\DSi (R)
5 2nd NDS Slot Unknown/Undocumented (0) ; prototype
6-7 2nd NDS Slot Power State (always 0=Off) ;/relict (R/W)
8-15 Unknown/Undocumented (0)
16-31 ARM7: See Port 4004012h, ARM9: Unspecified (0)
NDS-Slot related. Bit3 (and maybe Bit2) are probably R/W on ARM7 side (though
the register is disabled on ARM7 side in cooking coach exploit, so R/W isn't
possible in practice).
Note: Additionally, the NDS slot Reset pin can be toggled (via ROMCTRL.Bit29;
that bit is writeable on ARM7 side on DSi; which wasn't supported on NDS).
Power state values:
0=Power is off
1=Prepare Power on (shall be MANUALLY changed to state=2)
2=Power is on
3=Request Power off (will be AUTOMATICALLY changed to state=0)
power_on:
wait until state<>3 ;wait if pwr off busy?
exit if state<>0 ;exit if already on?
wait 1ms, then set state=1 ;prepare pwr on? or want RESET ?
wait 10ms, then set state=2 ;apply pwr on?
wait 27ms, then set ROMCTRL=20000000h ;reset cart? or rather RELEASE reset?
wait 120ms ;more insane delay?
power_off:
wait until state<>3 ;wait if pwr off busy?
exit if state<>2 ;exit if already off?
set state=3 ;request pwr off?
wait until state=0 ;wait until pwr off?
Power Off is also done automatically by hardware when ejecting the cartridge.

Turned out that register is important even for DSiware: With cartridge marked as "Ejected", the firmware can reach the boot menu - but trying to start a DSiware title from within bootmenu doesn't work when the "Power State" bits are handled properly.


Main - Reverse-engineering - SCFG_MC - Memory Card Interface Status New reply

Page rendered in 0.029 seconds. (2048KB of memory used)
MySQL - queries: 27, rows: 65/65, time: 0.021 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2015-10-07)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.