FreeCalypso > hg > freecalypso-reveng
view compal/audio/reg-read-guide @ 377:34490934ff02
compal/audio/reg-read-guide written
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sat, 09 Oct 2021 20:24:03 +0000 |
parents | |
children |
line wrap: on
line source
Here is an idea - what if we break into a running C139 phone fw with tfc139, then run fc-loadtool as usual, but instead of operating on the flash, use r16 and abbr commands inside fc-loadtool to read out various audio config settings established by the official fw? Specifically use r16 to read out some DSP API words (AEC and FIR blocks), and use abbr to read Iota ABB registers dealing with audio. Why do we need to go this convoluted route with tfc139 break-in followed by fc-loadtool, why not some easier way? Answer: C139 and other C1xx firmwares don't have ETM (thus no r16 and certainly no high-level aur operations), they do implement the old TM3 protocol which we use to break in, but their implementation of oabbr is broken, returns garbage. DSP NDB start address is 0xFFD001A8, contains AEC control words d_aec_ctrl should be at 0xFFD001A8 + 0x90 = 0xFFD00238 the 8 words starting with d_cont_filter should be at 0xFFD001A8 + 0x6A2 = 0xFFD0084A DSP PARAM start address is 0xFFD00862, contains FIR coefficients UL FIR coefficients: 31 words starting at 0xFFD00862 + 0xA6 = 0xFFD00908 DL FIR coefficients: 31 words starting at 0xFFD00862 + 0xE4 = 0xFFD00946 Iota ABB registers of interest: VBCTRL1: abbr 1 8 VBCTRL2: abbr 1 11 VBPOP: abbr 1 10 VBUCTRL: abbr 1 7 VBDCTRL: abbr 0 6