FreeCalypso > hg > freecalypso-reveng
diff compal/audio/reg-read-guide @ 377:34490934ff02
compal/audio/reg-read-guide written
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sat, 09 Oct 2021 20:24:03 +0000 |
parents | |
children |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/compal/audio/reg-read-guide Sat Oct 09 20:24:03 2021 +0000 @@ -0,0 +1,31 @@ +Here is an idea - what if we break into a running C139 phone fw with tfc139, +then run fc-loadtool as usual, but instead of operating on the flash, use +r16 and abbr commands inside fc-loadtool to read out various audio config +settings established by the official fw? Specifically use r16 to read out +some DSP API words (AEC and FIR blocks), and use abbr to read Iota ABB +registers dealing with audio. Why do we need to go this convoluted route +with tfc139 break-in followed by fc-loadtool, why not some easier way? +Answer: C139 and other C1xx firmwares don't have ETM (thus no r16 and +certainly no high-level aur operations), they do implement the old TM3 +protocol which we use to break in, but their implementation of oabbr is +broken, returns garbage. + +DSP NDB start address is 0xFFD001A8, contains AEC control words + +d_aec_ctrl should be at 0xFFD001A8 + 0x90 = 0xFFD00238 + +the 8 words starting with d_cont_filter should be at +0xFFD001A8 + 0x6A2 = 0xFFD0084A + +DSP PARAM start address is 0xFFD00862, contains FIR coefficients + +UL FIR coefficients: 31 words starting at 0xFFD00862 + 0xA6 = 0xFFD00908 +DL FIR coefficients: 31 words starting at 0xFFD00862 + 0xE4 = 0xFFD00946 + +Iota ABB registers of interest: + +VBCTRL1: abbr 1 8 +VBCTRL2: abbr 1 11 +VBPOP: abbr 1 10 +VBUCTRL: abbr 1 7 +VBDCTRL: abbr 0 6