Memory map

The Memory Management Unit (MMU) in the CPU utilizes a large virtual memory space to map to various physical addresses in different ways. All memory accesses made by the CPU, whether instruction fetches or load/store instructions, use virtual addresses. The MMU uses five virtual memory segments to decide how the addresses will be mapped to the physical memory space.

Internally, all addresses are 64-bits wide. However, when in 32-bit addressing mode, the upper 32 bits are sign-extended.

Virtual Memory Map
The is the 32-bit virtual address space (used by most games and homebrew toolchains): For the directly mapped segments KSEG0 and KSEG1, addresses are directly translated to physical addresses by subtracting by the base address of the respective segment. Thus they can only map to the physical address range.

Refer to the Translation lookaside buffer article and the TLB mapping usage guide for more information about TLB mapped segments.

Physical Memory Map accesses
The physical memory map is implemented by RCP, as the VR4300 only talks directly to RCP. The bus between VR4300 and RCP is called SysAD. The RCP behaves differently with different access sizes depending on the specific area of the map and the subcomponent in charge of implementing it.

The SysAD bus is described at the hardware level in the SysAD page, but to understand the effects on memory map it is sufficient to understand how data is marshalled for reads and writes. Since SysAD is a 32-bit bus, 32-bit accesses are the "native" ones, and the other access sizes are made in a weird way built upon a 32-bit data exchange.


 * Reads: VR4300 puts the address on the bus and the size of the access (8, 16, 32, 64). The RCP typically returns a full (aligned) 32-bit word address (or two, in case of a 64-bit read), from which the VR4300 extracts the correct portion. For instance, when reading 8-bit from address, the RCP will put on the bus the 32-bit values at  , and the VR4300 will then just isolate the requested 8 bits.
 * Writes: VR4300 puts the address on the bus, the size of the access, and then the 32-bit value to be written. When the access is made using 8 or 16 bits, the value on the bus is prepared to match with the aligned 32-bit address. This is the same of what happens for reads, but this time it is the VR4300 to prepare the data. For instance, if register,   and the opcode   is run, the VR4300 puts on the bus the value  , that is  . It is then up to the RCP to see that, since the address is   (so offset 1 within the 32-bit word), it needs to isolate the the second byte  . So even if it is a 8-bit write opcode, other bits of the register   "leak" on the bus.

Notice that misaligned address are forbidden by MIPS architecture and they will result in an Address Exception. So all accesses that go through the memory map are always aligned to the access size (eg: aligned to 2 bytes for 16-bit reads/writes).

Range 0x0000'0000 - 0x03EF'FFFF (RDRAM memory)
The accesses in this area are handled by RCP via RI (Ram Interface). When the VR4300 reads or writes a location in this range, it gets stalled while the RI communicates with the RDRAM via the RAMBUS serial protocol. As soon as the read or write is finished, the VR4300 is released. Effectively, all reads and writes are synchronous (blocking) from the point of view of the VR4300, as you would expect when accessing a RAM. All access sizes work correctly: 8-bit, 16-bit, 32-bit, 64-bit.

The RDRAM area is the only ares in the memory map where the RCP supports cached accesses. This allows the VR4300 to issue the cache fills/flushes at the SysAD level to leverage the internal data and instruction cache (either via the KSEG0 directly-mapped segment, or through a TLB configured with the cache setting). Instead cache requests are ignored for all the other address ranges, and they will thus freeze the CPU requiring a hard reset.

Range 0x03F0'0000 - 0x03FF'FFFF (RDRAM registers)
The accesses in this area are handled by RCP via RI (Ram Interface). When the VR4300 reads or writes a location in this range, it gets stalled while the RI communicates with the RDRAM via the RAMBUS serial protocol. As soon as the read or write is finished, the VR4300 is released. Effectively, all reads and writes are synchronous (blocking) from the point of view of the VR4300, as you would expect when accessing a RAM.

Range 0x0400'0000 - 0x04FF'FFFF (RCP registers)
The accesses in this area are handled by RCP itself without going to an external bus, and are dispatched internally to the correct subsystem. Access to a register might optionally stall the VR4300 if the subsystem is designed to do so (eg: to perform a long blocking operation on write), but in general for standard registers, they are quite fast and take only 5-6 PClock cycles (MI regs are a bit faster and take about 2 cycles).

Accesses in this area are affected by a simplified hardware implementation of the RCP SysAD bus, so access size is ignored. Only uncached accesses are allowed; cached accesses will be ignored by RCP causing a VR4300 freeze, requiring a hard reboot. This means that:


 * Reads: RCP will ignore the requested access size and will just put the requested 32-bit word on the bus. Luckily, this is the correct behavior for 8-bit and 16-bit accesses (as explained above), so the VR4300 will be able to extract the correct portion. 64-bit reads instead will completely freeze the VR4300 (and thus the whole console), because it will stall waiting for the second word to appear on the bus that the RCP will never put.
 * Writes: RCP will ignore the requested access size and just write the word that was put on the bus directly into the hardware register. For 8-bit and 16-bit accesses, this means that the shifted value prepared by the VR4300 is the one that will be written verbatim. Reprising the example above, if,  , running   will write the value   to the RCP hardware register  . For 64-bit accesses, as they are written on the bus MSB-first, the RCP will write the MSB to the hardware register, ignoring the LSB.

Range 0x1FC0'0000 - 0x1FCF'FFFF (SI external bus)
TODO

Ranges 0x0500'0000 - 0x1FBF'FFFF and 0x1FD0'0000 - 0x7FFF'FFFF (PI external bus)
All accesses made by the VR4300 in these ranges are forward externally by RCP on the external PI bus. This allows the CPU to access external devices connected to the parallel bus like the cartridge ROM and SRAM.

Accesses in this area are affected by the same simplified SysAD implementation described above, so access size is ignored. Only uncached accesses are allowed; cached accesses will be ignored by RCP causing a VR4300 freeze, requiring a hard reboot. The effect is the same described before.

Moreover, there are two important additional details:


 * All writes are performed asynchronously by the PI. Making a write in this area will in fact just cause the PI to latch the value internally, and release the VR4300 immediately. The write will then happen in background. The status of the ongoing write will be reflected by the PI "I/O busy" status bit, which will be set to 1 until the write is finalized. While a write is ongoing, further writes are ignored, and reads (from any address) return the 32-bit value that is being written. For further information on this, please check the PI page. Notice that the PI doesn't know whether a certain device is read-only, so even writes in the ROM area follow this pattern; they are just ignored by the ROM itself.
 * The external PI bus is 16-bit. Given that the RCP only knows of 32-bit accesses (as access size is ignored), this means that each read or write performed by the VR4300 will cause exactly two reads or two writes on the PI bus: first the MSB at the address specified by the CPU (ignoring bit 0, so that the address is aligned to 16 bit), then the LSB at address+2. This might seem a small implementation detail, but it does actually cause an important and visible bug. For instance, if the VR4300 requests a 16-bit read at address, the RCP (that ignores access sizes) will do two 16-bit reads on the cartridge bus at   and  , and will put on the SysAD bus the 32-bit word at  . This is a violation of the SysAD protocol explained above: in fact, in reply to a 16-bit read at  , the RCP should have put on the bus the 32-bit word at   instead. Because of this, effectively a 16-bit read at   returns the 16-bit word at   instead.

Range 0x8000'0000 - 0xFFFF'FFFF (Unmapped)
This range is not handled by RCP. All writes are ignored, and reads lock up the VR4300 because the RCP is stalled and does not return any data on the bus.