changeset 377:34490934ff02

compal/audio/reg-read-guide written
author Mychaela Falconia <falcon@freecalypso.org>
date Sat, 09 Oct 2021 20:24:03 +0000
parents 9b3e5be96bab
children 82fb5a70c9fd
files compal/audio/reg-read-guide
diffstat 1 files changed, 31 insertions(+), 0 deletions(-)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/compal/audio/reg-read-guide	Sat Oct 09 20:24:03 2021 +0000
@@ -0,0 +1,31 @@
+Here is an idea - what if we break into a running C139 phone fw with tfc139,
+then run fc-loadtool as usual, but instead of operating on the flash, use
+r16 and abbr commands inside fc-loadtool to read out various audio config
+settings established by the official fw?  Specifically use r16 to read out
+some DSP API words (AEC and FIR blocks), and use abbr to read Iota ABB
+registers dealing with audio.  Why do we need to go this convoluted route
+with tfc139 break-in followed by fc-loadtool, why not some easier way?
+Answer: C139 and other C1xx firmwares don't have ETM (thus no r16 and
+certainly no high-level aur operations), they do implement the old TM3
+protocol which we use to break in, but their implementation of oabbr is
+broken, returns garbage.
+
+DSP NDB start address is 0xFFD001A8, contains AEC control words
+
+d_aec_ctrl should be at 0xFFD001A8 + 0x90 = 0xFFD00238
+
+the 8 words starting with d_cont_filter should be at
+0xFFD001A8 + 0x6A2 = 0xFFD0084A
+
+DSP PARAM start address is 0xFFD00862, contains FIR coefficients
+
+UL FIR coefficients: 31 words starting at 0xFFD00862 + 0xA6 = 0xFFD00908
+DL FIR coefficients: 31 words starting at 0xFFD00862 + 0xE4 = 0xFFD00946
+
+Iota ABB registers of interest:
+
+VBCTRL1: abbr 1 8
+VBCTRL2: abbr 1 11
+VBPOP:   abbr 1 10
+VBUCTRL: abbr 1 7
+VBDCTRL: abbr 0 6
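
Review bot: the DSP API part of the guide (d_aec_ctrl, d_cont_filter, and the UL/DL FIR blocks) gives only target addresses, whereas the Iota ABB part spells out the exact abbr command for each register. Please list the r16 reads the same way, and say how the 8-word and 31-word blocks are to be read out, since the text only says "use r16" and gives a starting address for each block. The offset sums themselves are consistent (0xFFD001A8 + 0x90 = 0xFFD00238, 0xFFD001A8 + 0x6A2 = 0xFFD0084A, and the DL FIR block at 0xFFD00946 begins exactly 31 16-bit words after the UL block at 0xFFD00908). However, the "should be at" wording reads as unverified, and the file does not say which DSP API definition the NDB and PARAM base addresses and offsets come from. A one-line source reference would let a reader confirm they apply to the C139 firmware being probed. Finally, the two abbr arguments are not explained, and VBDCTRL is given as "abbr 0 6" while the other four registers use 1 as the first argument. A short comment on what the arguments mean would make it clear that the difference is intentional.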