Accessing Object Memory

The Object Memory is accessed by writing the Object Control word to Register 0x0160, then writing or reading the data from Registers 0x0164 (Data, Low 16 bits) and 0x166 (Data, High 16 bits).

Object Control Word

Mask

Meaning

0x02000000

Automatically increment address on read

0x01000000

Automatically increment address of write

0x00070000

Object Selection

0x0000FFFF

Address Offset

Address Offset

The Address Offset actually addresses a word (32 bits) of Object Memory. Note that this means the auto increment values will move the address to the next 32 bit word in the Object Memory. The offsets in each of the sections below are given here by byte offsets instead of 32 bit offsets (as required for addressing). To address these properly, shift the address right by 2 to find the value used in the Address Offset. If the byte offset is 32 bit aligned, use the Data Low Register (0x0164). If the byte offset isn't 32 bit aligned, use the Data High Register (0x0166).

Object Selection Values

Value

Object

Size

0

Microcode Memory

??

1

Shared Memory

4096 bytes

2

Microcode registers

64 16-bit words (r0-r63)

3

Internal Hardware Register

??

4

RCMTA (receive match transmitter address, core revision >= 5 only, see Crypto Engine)

??

Objects

Microcode Memory

Shared Memory

Warning: This table is not sorted by offset but by usage group!

Offset

Size

Usage

Misc. Variables

0x000E

2

802.11 SIFS time (usec) (?)

0x0010

2

802.11 Slot Time

0x0016

2

802.11 Core Revision

0x0034

2

RX Padding Data Offset (relevant for PIO mode only, set to 0)

0x004E

2

OFDM/CCK delta in CCK power boost mode

0x0050

2

PHY Version

0x0052

2

PHY Type

0x005C

2

antenna swap threshold

0x005E

2

Host Flags for uCode options (low 16 bits)

0x0060

2

Host Flags for uCode options (middle 16 bits)

0x0062

2

Host Flags for uCode options (high 16 bits)

0x0066

2

Radar Register

0x006E

2

PHY noise directly after TX (lower 8 bits only)

0x0072

2

RF RX SP Register 1

0x00A0

2

Current Channel (low 8 bits, 0x100 is set if 5 GHz channel, 0x200 is 40 MHz flag)

0x0108

2

Last posted Frame ID to the broadcast/multicast (BCMC) FIFO

TSSI information

0x0058

2

TSSI for the last 4 CCK frames

0x005a

2

0x0068

2

TSSI for the last 4 OFDM frames (A)

0x006a

2

0x0070

2

TSSI for the last 4 OFDM frames (G)

0x0072

2

TX FIFO Variables

0x0098

2

TX FIFO Size for FIFOs 0 and 1 (FIFO 0 in lower byte, FIFO 1 in higher byte)

0x009A

2

TX FIFO Size for FIFOs 2 and 3 (as above, 2 in lower, 3 in higher)

0x009C

2

TX FIFO Size for FIFOs 4 and 5

0x009E

2

TX FIFO Size for FIFOs 6 and 7 (always 0)

Background Noise

0x0088

2

Measure JSSI 0

0x008A

2

Measure JSSI 1

0x008C

2

Measure JSSI AUX (channel at time of measurement)

WEP Variables

0x003C

2

Default IV location

0x003E

2

Number of soft RX transmitter addresses (max 8)

0x0056

2

Key table pointer

0x02E0

-

TKIP Phase 1 keys. Array indexed by key index consisting of 14-byte entries containing the phase 1 key and the IV32 in each entry. Used on RX.

0x05D4

#possible key indizes * 2

Key Index/Algo Block (16 times (key index<<4) | algorithm)

0x05F4

8 * 6

PSM transmitter address match block (8 MAC addresses, only on core rev < 5)

WME Variables

0x0030

2

TXF Current Index

0x0240

-

EDCF Q Info

Power Save Mode related Variables

0x004C

2

NOSLPZNAT DTIM

Beacon/Access Point Variables

0x0018

2

Beacon 0 Template Length

0x001A

2

Beacon 1 Template Length

0x001C

2

Beacon Transmit TSF Offset (should contain time it takes from MAC through PHY until the first bit of TSF hits the air)

0x001E

2

TIM Position (in Beacon, set to the start of the TIM information element)

0x0012

2

DTIM Period, used to update the TIM information element and count down to DTIM

0x00A8

2

last broadcast/multicast frame ID, if 0xffff then all frames are treated as the last, see TX

0x0044

2

Short Frame Fallback Retry Limit (beacon related??)

0x0046

2

Long Frame Fallback Retry Limit (beacon related??)

0x0054

2

Beacon PHY control word (see PHY TX Control Word)

0x00B0

2

Extended bytes for Beacon PHY control word (N)

ACK/CTS Variables

0x0022

2

ACK/CTS PHY control word (see PHY TX Control Word)

Probe Response Variables

0x0048

2

Probe Response SSID Length

0x004A

2

Probe Response Template Length

0x0074

2

Probe Response Max Time (timeout after which probe responses are no longer sent, in microseconds, 0 is infinite)

0x0160

-

Probe Response SSID

0x0188

2

Probe Response PHY control word (see PHY TX Control Word)

Rate Tables

0x01C0

-

Pointer to OFDM direct map (word addressed)

0x01E0

-

Pointer to OFDM basic rate map (word addressed)

0x0200

-

Pointer to CCK direct map (word addressed)

0x0220

-

Pointer to CCK basic rate map (word addressed)

uCode soft registers

0x0000

2

uCode revision (high 16 bits)

0x0002

2

uCode revision (low 16 bits)

0x0004

2

uCode date (year:4,month:4,day:8)

0x0006

2

uCode time (hour:5,minute:6,second:5)

0x0040

2

uCode debug status code (Possible values are 0: invalid, 1: init, 2: active, 3: suspended, 4: asleep (PS))

0x0080

2

Maximum number of frames in a burst

0x0094

2

Pre-wakeup for synth. PU [μs]

0x0096

2

Pre-TBTT [μs]

MAC statistics

0x00E0

2

# TX Frames Sent (Including Data, ACK, RTS, CTS, Control and Management, including retransmissions)

0x00E2

2

# TX RTS

0x00E4

2

# TX CTS

0x00E6

2

# TX ACK

0x00E8

2

# TX DNL (?)

0x00EA

2

# TX Beacons

0x00EC

16

Per-FIFO Count of TX Underflows (8 of them, 2 bytes each)

0x00FC

2

# TX Template Underflows (the MAC was too slow to transmit ACK/CTS or BCN)

0x00FE

2

# TX PHY Error (The type is reported in TX Status)

0x0104

2

# RX Too Long (Limit is 2346 bytes)

0x0106

2

# RX Too Short (Not enough bytes for frame type)

0x0108

2

# RX Invalid MAC Header (Either Protocol Version is not 0, or the frame type isn't Data, Control or Management)

0x010A

2

# RX Bad FCS (Frames where CRC Failed)

0x010C

2

# RX Bad PLCP (Parity Check of PLCP Header Failed)

0x010E

2

# RX CRS Glitch (Preamble is okay, but not the Header)

0x0110

2

# RX Frames with good PLCP

0x0112

2

# RX Data Frames with Good FCS and Matching RA

0x0114

2

# RX Management Frames with Good FCS and Matching RA

0x0116

2

# RX Control Frames with Good FCS and Matching RA

0x0118

2

# RX Unicast RTS addressed to MAC with good FCS

0x011A

2

# RX Unicast CTS addressed to MAC with good FCS

0x011C

2

# RX Unicast ACK with good FCS

0x011E

2

# RX Data Frames with Good FCS and not matching RA

0x0120

2

# RX Management Frames with Good FCS and not matching RA

0x0122

2

# RX Control Frames with Good FCS and not matching RA

0x0124

2

# RX RTS Not Addressed to MAC

0x0126

2

# RX CTS Not Addressed to MAC

0x0128

2

# RX Multicast Data Frames

0x012A

2

# RX Multicast Management Frames

0x012C

2

# RX Multicast Control Frames

0x012E

2

# RX Beacons from member of BSS

0x0130

2

# RX Unicast Frames addressed to the MAC from other BSS

0x0132

2

# RX Beacons from other BSS

0x0134

2

# RX Number of Response Timeouts for Transmitted Frames expecting a response

0x0136

2

# TX Beacons cancled due to receipt of beacon (IBSS)

0x013A

2

# RX FIFO 0 Overflows

0x013C

2

# RX FIFO 1 Overflows

0x013E

2

# RX FIFO 2 Overflows

0x0140

2

# TX Status FIFO Overflows (Obsolete)

0x0142

2

# Power Management Queue Overflows

0x0144

2

# RX Probe Requests that made it into the PMQ FIFO

0x0146

2

# RX Probe Request Overflow in the AP

0x0148

2

# TX Probe Response Fail (AP sent probe response but didn't get an ACK)

0x014A

2

# TX Probe Response Success (ACK RX)

0x014C

2

# Probe Request Timeout (Dropped from PRQ FIFO because probe response couldn't be sent out before the limit expired)

0x014E

2

# RX Afterburner NACK

0x0150

2

# Frames completed without transmission because of Afterburner Re-Queue

0x0152

2

# TX Afterburner NACK

0x0154

2

# TX Glitch NACK (Obsolete)

0x0156

2

# TX Burst (Obsolete)

0x0158

2

# RX Burst (Obsolete)

Hardware power control

0x0024

2

TX power N (count?)

0x0026

2

TX power target

0x0028

2

TX power max

0x0032

2

TX power current

0x0064

2

radio power (not hw power related?)

0x0310

8

Power Vector (Used LO Control Values)

Rate Tables

The shared memory contains somewhere (decided by initial values) four tables (maps) containing pointers to the rate table entries (that each contain PLCP headers and duration fields for ACK, CTS and Probe response frames.) The direct tables are not to be changed, they always are a one-to-one mapping, but the basic rate maps must be maintained by the driver so that the the hardware can just look up information it needs.

The tables/maps whose SHM offsets are given in the SHM locations above each have 16 entries, indexed by the lower 4 bits of the PLCP signal field. All four of these tables contain shared memory offsets that point to entries in the actual table containing the PLCP headers etc.

The direct map tables are used to map a given PHY rate to the rate table entry corresponding to that rate, the basic rate map tables map a given PHY rate to the next lower basic rate.

A rate table entry consists of many fields, the exact size and structure is determined by the initial values and not really relevant. But at offset 10 into a rate table entry there is the four-byte probe response PLCP, offset 16 the probe reponse duration field and at offset 18 (not always, only 802.11N?) some pctl1 word. [fixme]

To illustrate:

   map register (pointer above)
           |
    +------+
    |
    |
    |
    +--- points to ---> < idx 0 , idx 1 , idx 2 , idx 3 , ... , idx 15 >
                            |
    +-----------------------+
    |
    |
    +--- points to -----> +------- rate table entry -------+
                          |  (at unknown memory location)  |
                          | 0..9   | unknown data          |
                          | 10..14 | probe resp. plcp      |
                          | 16..17 | probe resp. duration  |
                          | ...??  | unknown data          |
                          +--------------------------------+

Those fields only need to be updated when the firmware probe response offload feature is used.

However, for normal operation, the basic rate maps must be modified to map the incoming frame bitrate to the correct response frame (CTS/ACK) bitrate. That is, if the AP announces only basic rates 1 and 2 MBit then the basic rate map must be modified in a way that all pointers in it point to the 1 or 2 MBit rate table entry. To do this, use the pointers from the "direct Map" which always maps directly to the correct rate table entry for each plcp index.

Microcode registers

The microcode registers are word-indexed for read/write, not byte-indexed like the shared memory.

The following table documents what the original microcode uses the various registers for.

Register

Usage

r3

Minimum Contention Window

r4

Maximum Contention Window

r5

Current Contention Window

r6

Short Retry Count limit

r7

Long Retry Count limit

r8

Current DTIM count

r9

sequence counter

r21

Beacon 0 template length (not for v4?)

r22

Beacon 1 template length (not for v4?)

r23

Short frame transmit count threshold for rate fallback

r24

Long frame transmit count threshold for rate fallback

802.11/ObjectMemory (last edited 2008-10-22 18:12:06 by JohannesBerg)