PIF-NUS: Difference between revisions
Edit by Fraser.mips (minor): Added CIC details
Edit by Fraser.mips (minor): CIC: Added PIF details
Revision as of 21:30, 16 August 2020
The Peripheral Interface, or PIF, manages many of the critical functions of the N64 console:
- Console startup and piracy protections
- Stores the first 2 stages of the Initial Program Load (IPL) that is executed by the VR4300 CPU
- Console reset button to avoid corrupting save game data
- Controller and EEPROM read/write via JoyBus protocol
Console startup
- PIF holds all of the console components in reset, listening for the cartridge CIC
- Cartridge sends 4 bits (a nibble) including the region encoding
- Cartridge sends a 4-bit encrypted seed value
- Cartridge sends a 4-bit checksum
- PIF checks that these are the expected values
- If the values don't match (same scenario if no cartridge is inserted):
  - The user would generally reset using the button or power off
  - Remove/re-insert the cartridge (or change games)
  - Power on (go to step #1)
- If the values match:
  - PIF writes the encrypted seed value to memory address 0xBFC0'07E4
  - PIF releases the reset pin for the whole console
  - The PIF (console) and CIC (cartridge) communication continues as long as the console is powered on
  - If there is ever a failure in the data exchange the console will be reset
- VR4300 requests RAM address 0xBFC0'0000 from the Memory Management Unit inside the RCP
- IPL1: The MMU then loads the MIPS code from a storage area of the PIF chip
  - These instructions are executed directly in this very slow manner
  - Thankfully IPL1 is only 52 instructions + some looping
  - Some really basic hardware initialization
  - Copy IPL2 to the RSP IMEM address range
- IPL2 is executed by the VR4300, reading the instructions from the RSP's IMEM
  - More general hardware initialization
  - If it's determined to be a 64DD disk it will jump to 0xA600'0000
  - Load IPL3 from the cartridge into the RSP's DMEM
  - The IPL3 code is CRC checked
  - Set the 0xBFC0'0000 range to "invisible"
  - Jump to RSP DMEM to execute IPL3
- IPL3 is executed by the VR4300, reading the instructions from the RSP's DMEM
  - Initialize RDRAM
  - Depending on reset type:
    - Power On: Invalidate VR4300 ICache & DCache
    - Reset: Writeback VR4300 ICache & DCache
  - Move IPL3 execution from DMEM to RDRAM
  - DMA 1 MB of game code to RDRAM
  - Authenticate 1 MB of game program
  - Reset RSP
  - Clear interrupts
  - Clear IPL3 from DMEM
  - Clear IPL2 from IMEM
  - Jump to game code in RDRAM
Console Reset
- User presses the console Reset button
- PIF reads the button state
- PIF toggles VR4300 Interrupt 2 (INT2)
- PIF waits 0.5 seconds
  - This is the time and opportunity for the game to finish saving game data to avoid corruption
- PIF toggles the VR4300 Non-Maskable Interrupt (NMI)
  - Which resets the console components
Controller and EEPROM communication
In addition to managing the Joybus Protocol for connected hardware like controllers and connected accessory PAKs
Sharp SM5 4-bit Microcontrollers
The PIF and CIC (inside the cartridge) are both custom versions of Sharp branded SM5 4-bit microcontrollers. These microcontrollers were also used in the Game & Watch handheld games, so Nintendo already had developers who were familiar with them. While the core functionality of the PIF and CIC is generally understood, the microcontroller model is custom and therefore not well known.
There has been some effort to reverse engineer the PIF and CIC communication to ease the process of creating compatible flash carts. At least 2 projects went through the time, effort and money to decap the chips and view their internals to better understand what they are doing.
CIC
All of the CIC actions described below have been done successfully as part of a University project, but some of the details are lacking; whether that was on purpose or lost in the language translation (the authors live in Germany) is unknown.
CIC Pinout (16 Pin DIP Package)

| N64 Function | SM5 Function | Number | Number | SM5 Function | N64 Function |
|---|---|---|---|---|---|
| VDD | VDD | Pin 1 | Pin 16 | VDD | VDD |
| | P5:0 | Pin 2 | Pin 15 | P2:0 | D_OUT |
| | P5:1 | Pin 3 | Pin 14 | P2:1 | D_IN |
| | P5:2 | Pin 4 | Pin 13 | P2:2 | GND |
| | P5:3 | Pin 5 | Pin 12 | P2:3 | |
| GND | TS:0 | Pin 6 | Pin 11 | CLK | CLK |
| GND | TS:1 | Pin 7 | Pin 10 | TIO | |
| GND | GND | Pin 8 | Pin 9 | Reset | !RESET |
The test modes of the CIC are available on most (all?) retail cartridges.
To Enable Test Mode(s)
Pulling TS:0 and/or TS:1 high before power on will place the SM5 controller in one of 3 test modes. (Which test modes and which pin states are unknown.) It's also unclear if you can change between test modes while the unit is powered on.
The fourth state is standard usage with TS:0 and TS:1 tied to ground.
It's unknown how slowly you can clock the CIC.
In Test Mode
Which mode is still unclear but the following functionality is available.
Arbitrary Code Execution
Instructions are entered 1 nibble at a time on the Port 5 pins. Most instructions are 1 byte long, so each must be entered as two nibbles, toggling the clock line after each nibble.
Halt Instruction
The Halt instruction is encoded as 0x77, which is convenient because it doesn't matter which nibble you send first. This instruction also has the benefit of causing a clear external change: the TIO line defaults to outputting the clock signal, but after the Halt instruction it stops outputting a clock.
Stop Instruction
The Stop instruction is encoded as 0x76 which will assist in determining if the high or low nibble should be input first. This instruction also stops the TIO clock upon execution, so we have a clear external indication of success.
Output Data
Port 2 of the CIC can be used to output either the AREG register or the Program Counter (PC). It's unclear at this time whether the difference is achieved with different test modes or by modifying internal configuration registers.
NOTE: On power up Port 2 is configured for Input, an internal configuration register must be modified to make it output.
Load Constant into Accumulator LDX
The LDX instruction can be used to populate the AREG with a known value that can be checked on Port 2.
Dumping the CIC code
This process is very confusing, so it may take some experimentation to work out the exact steps and details; the original document tries to explain it, but it feels like some details are missing.
Jump Instructions are 2 bytes, the first nibble is the instruction and the following 12 bits are the destination address.
Being in test mode seems to have a side effect on this instruction: when only the Jump instruction followed by a zero nibble is input, the second byte is loaded from the ROM, which is an instruction but is treated as data. The Jump instruction is then executed and the PC can be viewed on Port 2, as well
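The two points that matter for anyone reproducing the nibble-entry procedure above (the Halt/Stop sections and the Jump encoding in this section) are why 0x77 is insensitive to nibble order, why 0x76 reveals it, and how a 4-bit opcode plus a 12-bit address is spread over four nibbles. The following Python model is an added illustration written for this page, not code from the wiki or from the decapping projects it describes. Only the Halt (0x77) and Stop (0x76) encodings and the 2-byte Jump layout come from the page; the `JUMP_OPCODE` value, the `ClockedEntry` model and the function names are assumptions made for the example.

```python
"""Model of nibble-wise SM5 instruction entry in the CIC test mode.

Constructed illustration. HALT and STOP encodings come from the page;
JUMP_OPCODE is a PLACEHOLDER ASSUMPTION (the page gives only the layout:
one opcode nibble followed by a 12-bit destination address).
"""
from typing import List, Tuple

HALT = 0x77
STOP = 0x76
JUMP_OPCODE = 0x2  # assumption, not taken from the page


def byte_to_nibbles(value: int, high_first: bool) -> List[int]:
    """Split one instruction byte into the two 4-bit values presented on P5:3..P5:0."""
    if not 0 <= value <= 0xFF:
        raise ValueError("instruction byte out of range")
    hi, lo = value >> 4, value & 0xF
    return [hi, lo] if high_first else [lo, hi]


def nibbles_to_byte(nibbles: List[int], high_first: bool) -> int:
    """Reassemble a byte the way a part that latches nibbles in the given order would."""
    a, b = nibbles
    return (a << 4) | b if high_first else (b << 4) | a


def order_sensitive(value: int) -> bool:
    """True if sending the two nibbles in the wrong order produces a different opcode.
    0x77 is not sensitive (both nibbles are equal); 0x76 is, which is why the
    page suggests Stop for working out which nibble the part latches first."""
    sent = byte_to_nibbles(value, high_first=True)
    return nibbles_to_byte(sent, high_first=False) != value


def probe_with_stop(target_latches_high_first: bool) -> bool:
    """The experiment described on the page: send 0x76 high-nibble first and
    check whether a part with the given latch order actually sees Stop."""
    sent = byte_to_nibbles(STOP, high_first=True)
    return nibbles_to_byte(sent, target_latches_high_first) == STOP


def encode_jump(address: int, high_first: bool) -> List[int]:
    """Encode the 2-byte Jump (opcode nibble + 12-bit address) as the four
    nibbles an operator would present, in the given per-byte order."""
    if not 0 <= address <= 0xFFF:
        raise ValueError("jump target must fit in 12 bits")
    word = (JUMP_OPCODE << 12) | address
    first, second = word >> 8, word & 0xFF
    return byte_to_nibbles(first, high_first) + byte_to_nibbles(second, high_first)


def decode_jump(nibbles: List[int], high_first: bool) -> Tuple[int, int]:
    """Inverse of encode_jump: recover (opcode, address) from four nibbles."""
    first = nibbles_to_byte(nibbles[0:2], high_first)
    second = nibbles_to_byte(nibbles[2:4], high_first)
    word = (first << 8) | second
    return word >> 12, word & 0xFFF


class ClockedEntry:
    """Toy model of the entry procedure (assumption, not the real part):
    present a nibble on P5, toggle CLK, and the part assembles bytes.
    Once Halt or Stop executes, the TIO clock stops and nothing else runs."""

    def __init__(self, high_first: bool) -> None:
        self.high_first = high_first
        self.pending: List[int] = []
        self.executed: List[int] = []
        self.tio_running = True

    def clock_nibble(self, nib: int) -> None:
        if not self.tio_running:
            return  # halted: the external clock on TIO is gone, nothing executes
        self.pending.append(nib & 0xF)
        if len(self.pending) == 2:
            op = nibbles_to_byte(self.pending, self.high_first)
            self.pending = []
            self.executed.append(op)
            if op in (HALT, STOP):
                self.tio_running = False


if __name__ == "__main__":
    part = ClockedEntry(high_first=False)
    for nib in byte_to_nibbles(STOP, high_first=True):
        part.clock_nibble(nib)  # wrong order for this part: it sees 0x67, keeps running
    print(hex(part.executed[-1]), part.tio_running)
```

The `probe_with_stop` check is the whole trick in miniature: a part that latches the other way round sees 0x67 instead of 0x76 and keeps clocking TIO, so the visible clock tells the operator which order the hardware expects before any longer sequence such as a Jump is attempted.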
PIF
The PIF handles a lot of very core functions in the console.
PIF Pinout (28 Pin SOP Package)

| N64 Function | SM5 Function | Pin | Pin | SM5 Function | N64 Function |
|---|---|---|---|---|---|
| | | Pin 1 | Pin 28 | VDD | VDD |
| | | Pin 2 | Pin 27 | | Reset Button |
| | | Pin 3 | Pin 26 | | N/C (No Connect) |
| | | Pin 4 | Pin 25 | | INT 2 VR4300 CPU |
| | | Pin 5 | Pin 24 | | EEPROM ?? |
| | | Pin 6 | Pin 23 | | EEPROM ?? |
| NMI VR4300 CPU | | Pin 7 | Pin 22 | | Player 4 Controller |
| | | Pin 8 | Pin 21 | | Player 4 Enable |
| PIF CLK Input | | Pin 9 | Pin 20 | | Player 3 Controller |
| GND | ?? | Pin 10 | Pin 19 | | Player 3 Enable |
| PIF ADR | | Pin 11 | Pin 18 | | Player 2 Controller |
| GND | ?? | Pin 12 | Pin 17 | | Player 2 Enable |
| PIF DAT | | Pin 13 | Pin 16 | | Player 1 Controller |
| GND | GND?? | Pin 14 | Pin 15 | | Player 1 Enable |
References
https://sites.google.com/site/consoleprotocols/home/techinfo/lowlevel/pif12
https://code.google.com/archive/p/mupen64plus/wikis/SoftResetNotes.wiki