FreeCalypso > hg > freecalypso-reveng
comparison compal/audio/reg-read-guide @ 377:34490934ff02
compal/audio/reg-read-guide written
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Sat, 09 Oct 2021 20:24:03 +0000 |
| parents | |
| children |
comparison
equal
deleted
inserted
replaced
| 376:9b3e5be96bab | 377:34490934ff02 |
|---|---|
| 1 Here is an idea - what if we break into a running C139 phone fw with tfc139, | |
| 2 then run fc-loadtool as usual, but instead of operating on the flash, use | |
| 3 r16 and abbr commands inside fc-loadtool to read out various audio config | |
| 4 settings established by the official fw? Specifically use r16 to read out | |
| 5 some DSP API words (AEC and FIR blocks), and use abbr to read Iota ABB | |
| 6 registers dealing with audio. Why do we need to go this convoluted route | |
| 7 with tfc139 break-in followed by fc-loadtool, why not some easier way? | |
| 8 Answer: C139 and other C1xx firmwares don't have ETM (thus no r16 and | |
| 9 certainly no high-level aur operations), they do implement the old TM3 | |
| 10 protocol which we use to break in, but their implementation of oabbr is | |
| 11 broken, returns garbage. | |
| 12 | |
| 13 DSP NDB start address is 0xFFD001A8, contains AEC control words | |
| 14 | |
| 15 d_aec_ctrl should be at 0xFFD001A8 + 0x90 = 0xFFD00238 | |
| 16 | |
| 17 the 8 words starting with d_cont_filter should be at | |
| 18 0xFFD001A8 + 0x6A2 = 0xFFD0084A | |
| 19 | |
| 20 DSP PARAM start address is 0xFFD00862, contains FIR coefficients | |
| 21 | |
| 22 UL FIR coefficients: 31 words starting at 0xFFD00862 + 0xA6 = 0xFFD00908 | |
| 23 DL FIR coefficients: 31 words starting at 0xFFD00862 + 0xE4 = 0xFFD00946 | |
| 24 | |
| 25 Iota ABB registers of interest: | |
| 26 | |
| 27 VBCTRL1: abbr 1 8 | |
| 28 VBCTRL2: abbr 1 11 | |
| 29 VBPOP: abbr 1 10 | |
| 30 VBUCTRL: abbr 1 7 | |
| 31 VBDCTRL: abbr 0 6 |