Contents
802.11 Core Register Layout
Sizes is given in bytes. Host access is through the register offsets as given here, Microcode access is at 0x600 plus register offset as given here divided by two. The last column indicates where the regular driver uses a given register, host, ucode or initial values (IV).
Offset |
Size |
Name/Function |
Availability (core revision) |
Used by |
|
Device Control |
|||||
0x000C |
4 |
BIS Status |
|
host |
|
0x0010 |
4 |
BIS Status 2 |
|
host |
|
0x0018 |
4 |
General Purpose Timer |
>= 3 |
host |
|
0x01e8 |
4 |
PHY PLL control |
>= 16 |
host |
|
Interrupt Control |
|||||
0x0020 |
4 |
|
host |
||
0x0024 |
4 |
|
host |
||
0x0028 |
4 |
|
host |
||
0x002C |
4 |
|
host |
||
0x0030 |
4 |
|
host |
||
0x0034 |
4 |
|
host |
||
0x0038 |
4 |
|
host |
||
0x003C |
4 |
|
host |
||
0x0040 |
4 |
|
host |
||
0x0044 |
4 |
|
host |
||
0x0048 |
4 |
|
host |
||
0x004C |
4 |
|
host |
||
0x0050 |
4 |
|
host |
||
0x0054 |
4 |
|
host |
||
0x0058 |
4 |
|
host |
||
0x005C |
4 |
|
host |
||
TX/RX Interrupts Per Frame and Timeout (IPFT) |
|||||
0x0100 |
4 |
DMA/PIO IPFT 1 |
|
host |
|
0x0104 |
4 |
DMA/PIO IPFT 2 |
|
host |
|
0x0108 |
4 |
DMA/PIO IPFT 3 |
|
host |
|
0x010C |
4 |
DMA/PIO IPFT 4 |
|
host |
|
MAC Registers |
|||||
0x0120 |
4 |
|
host |
||
0x0124 |
4 |
|
host |
||
0x0128 |
4 |
|
host |
||
0x012C |
4 |
|
host |
||
Transmit Template |
|||||
0x0130 |
4 |
|
host |
||
0x0134 |
4 |
|
host |
||
0x0140 |
4 |
PMQ host status (read only!) |
|
host |
|
0x0140 |
2 |
PMQ control (read/write) |
|
host |
|
0x0144 |
4 |
PMQ pattern (low) |
|
host |
|
0x0148 |
4 |
PMQ pattern (high) |
|
host |
|
Registers |
|||||
0x0150 |
4 |
|
host |
||
0x0154 |
4 |
PSM Debug |
>= 3 |
host |
|
0x0158 |
4 |
PHY Debug |
>= 3 |
host |
|
0x015c |
4 |
MAC capabilities |
>= 13 |
host |
|
0x01a4 |
4 |
MAC capabilities high |
? |
host |
|
Extended Internal Objects |
|||||
0x0160 |
4 |
|
host |
||
0x0164 |
4 |
|
host |
||
TX Status |
|||||
0x0170 |
4 |
Frame TX Status |
>= 5 |
host |
|
0x0174 |
4 |
Frame TX Status 2 |
>= 5 |
host |
|
Timing Synchronization Function (TSF) Host Acccess |
|||||
0x0180 |
4 |
>= 3 |
host |
||
0x0184 |
4 |
>= 3 |
host |
||
0x0188 |
4 |
>= 3 |
host |
||
0x018C |
4 |
TSF Contention Free Period Start |
>= 3 |
host |
|
0x0190 |
4 |
TSF Contention Free Period Max Duration |
>= 3 |
host |
|
DMA Layout - Core Revision < 11 |
|||||
0x0200 |
16 |
32 Bit DMA TX Channel 0 |
|
host |
|
0x0210 |
16 |
32 Bit DMA RX Channel 0 |
|
host |
|
0x0220 |
16 |
32 Bit DMA TX Channel 1 |
|
host |
|
0x0230 |
16 |
32 Bit DMA RX Channel 1 |
|
host |
|
0x0240 |
16 |
32 Bit DMA TX Channel 2 |
|
host |
|
0x0250 |
16 |
32 Bit DMA RX Channel 2 |
|
host |
|
0x0260 |
16 |
32 Bit DMA TX Channel 3 |
|
host |
|
0x0270 |
16 |
32 Bit DMA RX Channel 3 |
|
host |
|
0x0280 |
16 |
32 Bit DMA TX Channel 4 |
|
host |
|
0x0290 |
16 |
32 Bit DMA RX Channel 4 |
|
host |
|
0x02A0 |
16 |
32 Bit DMA TX Channel 5 |
|
host |
|
0x02B0 |
16 |
32 Bit DMA RX Channel 5 |
|
host |
|
0x02C0 |
16 |
32 Bit DMA TX Channel 6 |
|
host |
|
0x02D0 |
16 |
32 Bit DMA RX Channel 6 |
|
host |
|
0x02E0 |
16 |
32 Bit DMA TX Channel 7 |
|
host |
|
0x02F0 |
16 |
32 Bit DMA RX Channel 7 |
|
host |
|
0x0300 |
8 |
2/4 Byte PIO TX Queue 0 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0308 |
8 |
2/4 Byte PIO RX Queue 0 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0310 |
8 |
2/4 Byte PIO TX Queue 1 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0318 |
8 |
2/4 Byte PIO RX Queue 1 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0320 |
8 |
2/4 Byte PIO TX Queue 2 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0328 |
8 |
2/4 Byte PIO RX Queue 2 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0330 |
8 |
2/4 Byte PIO TX Queue 3 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0338 |
8 |
2/4 Byte PIO RX Queue 3 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0340 |
8 |
2/4 Byte PIO TX Queue 4 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0348 |
8 |
2/4 Byte PIO RX Queue 4 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0350 |
8 |
2/4 Byte PIO TX Queue 5 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0358 |
8 |
2/4 Byte PIO RX Queue 5 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0360 |
8 |
2/4 Byte PIO TX Queue 6 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0368 |
8 |
2/4 Byte PIO RX Queue 6 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0370 |
8 |
2/4 Byte PIO TX Queue 7 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
0x0378 |
8 |
2/4 Byte PIO RX Queue 7 |
(Core Revision >= 8 uses 4 Byte) |
host |
|
DMA Layout - Core Revision >= 11 |
|||||
0x0200 |
64 |
|
host |
||
0x0240 |
64 |
|
host |
||
0x0280 |
64 |
|
host |
||
0x02C0 |
64 |
|
host |
||
0x0300 |
64 |
|
host |
||
0x0340 |
64 |
|
host |
||
FIFO Diagnostic Port Access |
|||||
0x0380 |
4 |
FIFO Diagnostic Address |
|
? |
|
0x0384 |
4 |
FIFO Diagnostic Data (Low 32 bits) |
|
? |
|
0x0388 |
4 |
FIFO Diagnostic Data (High 32 bits) |
|
? |
|
Time Delay Between RF Disable and Radio Shutdown |
|||||
0x03DC |
4 |
RF Disable Delay (time in units of 0.05 μs, runs off 20 MHz clock, set to 500ms) |
>= 10 |
? |
|
PHY Registers |
|||||
0x03E0 |
2 |
|
host |
||
0x03E2 |
2 |
PHY BB Config (B PHY only? others seem to have it in the PHY Registers) |
|
host |
|
0x03E4 |
2 |
PHY ADC Bias |
|
host |
|
0x03E6 |
2 |
PHY 0 |
|
host |
|
0x03E8 |
2 |
PHY RX Status 0 |
|
host |
|
0x03EA |
2 |
PHY RX Status 1 |
|
host |
|
0x03EC |
2 |
PHY 1 |
|
host |
|
0x03EE |
2 |
PHY TX Error |
|
host |
|
0x03F0 |
2 |
PHY Channel |
|
host |
|
0x03F4 |
2 |
PHY Test |
TX Test? |
host |
|
0x03F6 |
2 |
Radio Register Address (PHY 2) |
|
host |
|
0x03F8 |
2 |
Radio Register Data High (PHY 3) |
|
host |
|
0x03FA |
2 |
Radio Register Data Low (PHY 4) |
|
host |
|
0x03FC |
2 |
|
host |
||
0x03FE |
2 |
|
host |
||
Internal Hardware Register (IHR) Region (0x400 - 0x7FE) |
|||||
Receive Engine (RXE) |
|||||
0x0400 |
2 |
Receive header length (in bytes) |
|
IV |
|
0x0402 |
2 |
Receive memory address (in 16-bit words) |
|
IV |
|
0x0404 |
2 |
Receive copy length (amount of bytes the RXE copies into SHM) |
|
IV |
|
0x0406 |
2 |
Receive FIFO Control 0 |
|
ucode |
|
0x0408 |
2 |
Receive FIFO Control 1. Handles data exchange between receiver and FIFO (to host) |
|
ucode |
|
0x040A |
2 |
Received Frame Count (??) |
|
ucode |
|
0x040E |
2 |
RXE Receive Header Offset (in 16-bit words; the RXE will take the RX header from SHM at this location) |
|
ucode |
|
0x0410 |
2 |
RXE Receive Header Length (in 16-bit words; indicates how many words the RXE will put into the RX header) |
|
ucode |
|
0x0412 |
2 |
PHY RX Status 0 (cf. 802.11/RX) |
|
ucode |
|
0x0414 |
2 |
PHY RX Status 1 (cf. 802.11/RX) |
|
ucode |
|
0x0416 |
2 |
? |
|
ucode |
|
0x0418 |
2 |
RXE Frame Length (in bytes, reports even while RX in progress and hence increases during reception) |
|
ucode |
|
0x041A |
2 |
? |
|
ucode |
|
0x041C |
2 |
RXE Receive flags (0x2000 is set if received with OFDM on a G PHY) |
|
ucode |
|
0x0420 |
2 |
RCM control; to use, write 0x20 ORed with 6, 9 or 12 and then the MAC address into RCM match data (three writes). External conditions are updated then? What are 6, 9, 12? |
|
ucode |
|
0x0422 |
2 |
RCM Match Data |
|
ucode |
|
0x0424 |
2 |
RCM Match Mask |
|
- |
|
0x0426 |
2 |
RCM Match Delay |
|
- |
|
0x0428 |
2 |
RCM Condition Mask Low |
|
? |
|
0x042A |
2 |
RCM Condition Mask High |
|
? |
|
0x042C |
2 |
RCM Condition Delay |
|
? |
|
0x0430 |
2 |
PHY register control/address (0x4000 is a busy bit, before doing anything wait for it to clear; to read write 0x1000 ORed with the required address and spin until 0x1000 is clear, then read EXT IHR data; to write write the data to EXT IHR data and then 0x2000 ORed with the required address and spin until 0x2000 is clear |
|
ucode |
|
0x0432 |
2 |
PHY register data |
|
ucode |
|
0x0434 |
2 |
PHY RX Status 2 (cf. 802.11/RX) |
|
ucode |
|
0x0436 |
2 |
PHY RX Status 3 (cf. 802.11/RX) |
|
ucode |
|
0x0438 |
2 |
PHY Mode |
|
? |
|
0x043A |
2 |
RCM TA control. Set to 1 to start matching (write address before), spin until bit 0 is unset again. After that, if bit 1 (mask 0x2) is set, a match was successful and bits 2-8 (mask 0xfc) contain the index of the match |
|
ucode |
|
0x043C |
2 |
RCM TA Size (number of MAC addresses in the special memory) |
|
host |
|
0x043E |
2 |
RCM TA upper 16 bits of MAC address to match (aa:bb of aa:bb:cc:dd:ee:ff) |
|
ucode |
|
0x0440 |
2 |
RCM TA middle 16 bits of MAC address to match |
|
ucode |
|
0x0442 |
2 |
RCM TA lower 16 bits of MAC address to match |
|
ucode |
|
Programmable State Machine (PSM) |
|||||
0x0480 |
2 |
MAC nap time (in cycles of a ~88MHz clock) |
|
ucode |
|
0x0482 |
2 |
MAC Control (high 16 bits) |
|
ucode |
|
0x0484 |
2 |
MAC Interrupt Status Low |
|
ucode |
|
0x0486 |
2 |
MAC Interrupt Status High. Writing to these registers causes the interrupt bit to be set and an interrupt to be triggered. |
|
ucode |
|
0x0488 |
2 |
MAC Interrupt Mask Low |
|
- |
|
0x048A |
2 |
MAC Interrupt Mask High |
|
- |
|
0x048C |
2 |
MAC ??? |
|
ucode |
|
0x048E |
2 |
MAC Command (if a bit is written from the ucode it turns off, iow. the MAC can write a bitmask of bits to turn off here) |
|
ucode |
|
0x0490 |
2 |
BRC |
|
ucode (IV?) |
|
0x0492 |
2 |
PHY HDR Parameter |
|
ucode |
|
0x0494 |
2 |
Postcard |
|
- |
|
0x0496 |
2 |
Postcard Location Low |
|
- |
|
0x0498 |
2 |
Postcard Location High |
|
- |
|
0x049A |
2 |
GPIO In |
|
ucode |
|
0x049C |
2 |
GPIO Out |
|
ucode |
|
0x049E |
2 |
GPIO Output Enable |
|
ucode |
|
0x04A0 |
2 |
BRED 0 |
|
- |
|
0x04A2 |
2 |
BRED 1 |
|
- |
|
0x04A4 |
2 |
BRED 2 |
|
- |
|
0x04A6 |
2 |
BRED 3 |
|
- |
|
0x04A8 |
2 |
BRCL 0 |
|
ucode |
|
0x04AA |
2 |
BRCL 1 |
|
ucode |
|
0x04AC |
2 |
BRCL 2 |
|
ucode |
|
0x04AE |
2 |
BRCL 3 |
|
ucode |
|
0x04B0 |
2 |
BRPO 0 |
|
ucode |
|
0x04B2 |
2 |
BRPO 1 |
|
ucode |
|
0x04B4 |
2 |
BRPO 2 |
|
ucode |
|
0x04B6 |
2 |
BRPO 3 |
|
ucode |
|
0x04B8 |
2 |
BRWK 0 |
|
- |
|
0x04BA |
2 |
BRWK 1 |
|
- |
|
0x04BC |
2 |
BRWK 2 |
|
- |
|
0x04BE |
2 |
BRWK 3 |
|
ucode |
|
0x04C0 |
2 |
Base 0 (offset registers) |
|
ucode |
|
0x04C2 |
2 |
Base 1 |
|
ucode |
|
0x04C4 |
2 |
Base 2 |
|
ucode |
|
0x04C6 |
2 |
Base 3 |
|
ucode |
|
0x04C8 |
2 |
Base 4 |
|
ucode |
|
0x04CA |
2 |
Base 5 |
|
ucode |
|
0x04CC |
2 |
Base 6 |
|
ucode |
|
0x04D0 |
2 |
PC Register 0 (link registers) |
|
ucode |
|
0x04D2 |
2 |
PC Register 1 |
|
ucode |
|
0x04D4 |
2 |
PC Register 2 |
|
ucode |
|
0x04D6 |
2 |
PC Register 3 |
|
ucode |
|
0x04D8 |
2 |
PSM conditions (bitwise) [to be tested!] |
|
ucode |
|
Transmit Engine (TXE) (0) (0x0500 - 0x057E) |
|||||
0x0500 |
2 |
|
ucode |
||
0x0502 |
2 |
TXE AUX (flags? bits 0 and 1 seem to be used only) |
|
ucode |
|
0x0504 |
2 |
TXE TS COPY OFFSET: offset is relative to byte 0 of the packet (PLCP), used if bit 0x100 in TXE Control is 1 |
|
host/IV? |
|
0x0506 |
2 |
TXE Timeout (bit 0x8000 seems to be special, value in microseconds, but what does it do?) |
|
ucode |
|
0x0508 |
2 |
TXE WM 0 |
|
ucode |
|
0x050A |
2 |
TXE WM 1 |
|
ucode |
|
0x050C |
2 |
TXE PHY Control, cf. PHY TX Control Word |
|
ucode |
|
0x050E |
2 |
TXE Status |
|
ucode |
|
0x0518 - 0x051e |
8 |
TX Status FIFO access |
>= 5 |
ucode |
|
0x0518 |
2 |
TXE Status FIFO Value 0 (lower 16 bits of mmio register 0x170) |
|||
0x051a |
2 |
TXE Status FIFO Value 1 (upper 16 bits of mmio register 0x170) |
|||
0x051c |
2 |
TXE Status FIFO Value 2 (lower 16 bits of mmio register 0x174) |
|||
0x051e |
2 |
TXE Status FIFO Value 3 (upper 16 bits of mmio register 0x174) |
|||
Transmit Control |
|||||
0x0520 |
2 |
Transmit FIFO Def - used to define the extension of the FIFO - See the Template/FIFO Memory |
|
|
|
0x0522 |
2 |
TXE number of packets in the active FIFO queue |
|
ucode |
|
0x0524 |
2 |
TXE number of bytes in the active FIFO queue |
|
ucode |
|
0x0526 |
2 |
TXE offset to byte 0 of the current packet in the active FIFO queue |
|
ucode |
|
0x0528 |
2 |
TXE offset to the selected byte of the current packet in the active FIFO queue |
|
ucode |
|
0x0540 |
2 |
Transmit FIFO Command |
>= 9? |
ucode |
|
0x0542 |
2 |
Transmit FIFO Flush |
bitmask of which FIFOs a flush was requested on (?), when a bit is written then the flush seems to be signalled as complete (?) |
ucode |
|
0x0544 |
2 |
Transmit FIFO Threshold |
|
? |
|
0x0546 |
2 |
Transmit FIFO Ready (bitfield) |
|
ucode |
|
0x0548 |
2 |
Transmit FIFO PRI Ready |
|
? |
|
0x054A |
2 |
Transmit FIFO RQ PRI |
|
? |
|
0x054C |
2 |
Transmit Template RAM offset (in bytes, for transmissions from Template RAM) |
|
ucode |
|
0x0550, 0x0562, 0x0562 |
6 |
write access to Template RAM |
|
ucode |
|
0x0550 |
2 |
Transmit Template Pointer (byte offset into Template RAM, the low 2 bits are control bits and must be clear when writing) |
|||
0x0560 |
2 |
Transmit Template Data Low |
|||
0x0562 |
2 |
Transmit Template Data High |
|||
0x0568 |
2 |
Transmit Select (unknown meaning) |
|
ucode |
|
0x056A |
2 |
Transmit byte count (length of template to transmit) |
|
ucode |
|
0x056C |
2 |
Transmit SHM offset (in bytes, ??) |
|
ucode |
|
Transmit Modify Engine (0x0580 - 0x05FE) |
|||||
0x0580 - 0x05be |
32*2 |
Template fill mask. for any bit that is 1 here, the bit is taken from Template fill values instead of the regular channel (which is Template RAM, or the TX from driver, or ...) These registers seem to reset to all-zeroes after use. |
|
ucode |
|
0x05c0 - 0x05fe |
32*2 |
Template fill values |
|
ucode |
|
Timing Syncronization Function (TSF) |
|||||
0x0600 |
2 |
?? (default to 0x8000?) |
|
ucode |
|
0x0602 |
2 |
?? (default to 0x8000?), after first TBTT expires, it switches to 0x8600. |
|
ucode |
|
0x0604 |
2 |
TSF CFP Start Low |
|
ucode |
|
0x0606 |
2 |
TSF CFP Start High: computed adding value in 0x610 * 1024 to TSF CFP Start High Old |
|
ucode |
|
0x0608 |
2 |
TSF CFP Start Low Old |
|
ucode |
|
0x060A |
2 |
|
ucode |
||
0x060C |
2 |
??, seems to be always 0 |
|
ucode |
|
0x060E |
2 |
??, seems to be always 0 |
|
ucode |
|
0x0610 |
2 |
TSF CFP Interval in unit of 1024us |
|
ucode |
|
0x0612 |
2 |
TSF CFP Pre-TBTT in us: COND_TX_TBTTEXPIRE expiration at TSF CFP Start - TSF CFP Pre-TBTT |
|
ucode |
|
0x0614 |
2 |
??, seems to be always 0 |
|
ucode |
|
0x0616 |
2 |
??, seems to be always 0 |
|
ucode |
|
0x0618 |
2 |
??, seems to be always 0 |
|
ucode |
|
0x061A |
2 |
??, seems to be always 0 |
|
ucode |
|
0x061C |
2 |
??, seems to be always 0 |
|
ucode |
|
0x061E |
2 |
??, seems to be always 0 |
|
ucode |
|
0x0620 |
2 |
copy of 0x0608 |
|
ucode |
|
0x0622 |
2 |
copy of 0x060A |
|
ucode |
|
0x0624 |
2 |
??, seems to be always 0 |
|
ucode |
|
0x0626 |
2 |
countdown to TBTT LO |
|
ucode |
|
0x0628 |
2 |
countdown to TBTT HI, starts at value in 0x610 * 1024 |
|
ucode |
|
0x062A |
2 |
??, seems to be always 0 |
|
ucode |
|
0x062C |
2 |
TX FES time (frame exchange sequence duration?) |
|
ucode |
|
0x0632 |
2 |
mac timer & 0x0000 0000 0000 FFFF |
|
ucode (host for rev < 3) |
|
0x0634 |
2 |
mac timer & 0x0000 0000 FFFF 0000 |
|
ucode (host for rev < 3) |
|
0x0636 |
2 |
mac timer & 0x0000 FFFF 0000 0000 |
|
ucode (host for rev < 3) |
|
0x0638 |
2 |
mac timer & 0xFFFF 0000 0000 0000 |
|
ucode (host for rev < 3) |
|
0x063A |
2 |
TSF TX Offset (offset to current TSF when writing the TSF into a beacon template at tx) |
|
ucode |
|
0x063C |
2 |
??, seems to be always 0 |
|
ucode |
|
0x063E |
2 |
Time of first MPDU bit in received packet |
|
ucode |
|
0x0640 |
2 |
It tracks some event in the CFP interval, refreshed PER interval |
|
ucode |
|
0x0642 |
2 |
Time of last MPDU bit in received packet |
|
ucode |
|
0x0646 |
2 |
TSF GPT0 Stat (same as TSF GPT2 Stat) |
|
ucode |
|
0x0648 |
2 |
TSF GPT1 Stat (same as TSF GPT2 Stat) |
|
ucode |
|
0x064A |
2 |
TSF GPT0 Counter low |
|
ucode |
|
0x064C |
2 |
TSF GPT1 Counter low |
|
ucode |
|
0x064E |
2 |
TSF GPT0 Counter high |
|
ucode |
|
0x0650 |
2 |
TSF GPT1 Counter high |
|
ucode |
|
0x0652 |
2 |
TSF GPT0 Value low |
|
ucode |
|
0x0654 |
2 |
TSF GPT1 Value low |
|
ucode |
|
0x0656 |
2 |
TSF GPT0 Value high |
|
ucode |
|
0x0658 |
2 |
TSF GPT1 Value high |
|
ucode |
|
0x065A |
2 |
TSF Random (sometimes written, but what happens then?) |
|
ucode/host |
|
General Purpose Timer (GPT) 2 |
|||||
0x0664 |
2 |
TSF GPT2 ?? |
|
ucode |
|
0x0666 |
2 |
TSF GPT2 Stat: 0x8000: start; 0x4000: on: 8MHz, off: same ~88MHz as nap timer |
|
ucode |
|
0x0668 |
2 |
TSF GPT2 Counter Low |
|
ucode |
|
0x066A |
2 |
TSF GPT2 Counter High |
|
ucode |
|
0x066C |
2 |
TSF GPT2 Value Low |
|
ucode |
|
0x066E |
2 |
TSF GPT2 Value High |
|
ucode |
|
0x0670 |
2 |
TSF GPT All Stat, bit 1/3/5 reports GPT0/1/2 expiration |
|
ucode |
|
Interframe Space (IFS) |
|||||
0x0680 |
2 |
IFS DURATION1: Seems a duration (>15ms maybe a maximum duration?) |
|
ucode |
|
0x0682 |
2 |
IFS DURATION2: Seems a duration (a short duration, 64us? maybe for txing?) |
|
ucode |
|
0x0684 |
2 |
IFS SLOT DURATION: setup slot duration in us by assigning 0x1FE + (slot duration in us) |
|
ucode |
|
0x0686 |
2 |
IFS DURATION3: Seems a duration (MTU @1Mb/s? Beacon? ~ 2300us) |
|
ucode |
|
0x0688 |
2 |
IFS CONTROL |
|
ucode |
|
0x068A |
2 |
IFS BACKOFF DELAY. It controls the backoff delay before sending the next data or management frame in units of slots. |
|
ucode |
|
0x068C |
2 |
IFS SLOT. It implements a two-phase countdown at the end of which IFS BACKOFF DELAY is decremented. |
|
ucode |
|
0x068E |
2 |
IFS IDLE COUNTER. It counts the number of slots since medium idle. |
|
ucode |
|
0x0690 |
2 |
|
ucode |
||
0x0692 |
2 |
IFS BUSY COUNTER. It counts the number of us during which the medium is busy (either bit 10 or bit 11 of IFS STATUS are on) |
|
ucode |
|
0x0694 |
2 |
IFS TX COUNTER. It counts the number of us for the current outgoing transmission. Reset to zero at each tx start. |
|
ucode |
|
Slow Clock Control (SCC) |
|||||
0x06A0 |
2 |
SCC Control |
>= 5 |
ucode |
|
0x06A2 |
2 |
SCC Timer Low |
>= 5 |
ucode |
|
0x06A4 |
2 |
SCC Timer High |
>= 5 |
ucode |
|
0x06A6 |
2 |
SCC Divisor |
>= 5 |
ucode |
|
0x06A8 |
2 |
SCC Fast Powerup Delay |
>= 5 |
ucode |
|
0x06AA |
2 |
SCC Period |
>= 5 |
? |
|
0x06AC |
2 |
SCC Period Divisor |
>= 5 |
? |
|
Bluetooth Coexistence (BTCX) |
|||||
0x06B4 |
2 |
BTCX Control |
>= 13 |
? |
|
0x06B6 |
2 |
BTCX Status |
>= 13 |
? |
|
0x06B8 |
2 |
BTCX Transmit Control (?) |
>= 13 |
? |
|
0x06BA |
2 |
BTCX ? |
>= 13 |
? |
|
0x06BC |
2 |
BTCX ? |
>= 13 |
? |
|
0x06BE |
2 |
BTCX ? |
>= 13 |
? |
|
Network Allocation Vector (NAV) |
|||||
0x0700 |
2 |
NAV CONTROL: default to 0x3C (unknown mean). Bit 12 enables NAV countdown according to value in NAV RESERVATION. When set, countdown does not start immediately(why?) |
|
ucode |
|
0x0702 |
2 |
NAV STAT: is 1 when NAV countdown is running. |
|
ucode |
|
0x0704 |
2 |
NAV COUNTER: it's a 8MHz countdown, when counting down, medium is (nav) busy (see IFS STAT). Countdown value is computed from NAV RESERVATION. |
|
ucode |
|
0x0706 |
2 |
?? |
|
ucode |
|
0x070C |
2 |
NAV RESERVATION: time in microseconds the medium is supposed to be busy (nav). Ucode sets to rx frame duration when required. |
|
ucode |
|
0x070E |
2 |
?? |
|
ucode |
|
0x0710 |
2 |
?? |
|
ucode |
|
0x0712 |
2 |
?? Always set to 0x164 |
|
ucode |
|
WEP |
|||||
0x07C0 |
2 |
WEP Control |
|
ucode |
|
0x07C2 |
2 |
WEP IV Location; offset of data (beginning of IV) within a frame that is to be encrypted |
|
ucode |
|
0x07C4 |
2 |
WEP IV Key |
|
ucode |
|
0x07C6 |
2 |
WEP WKey |
|
ucode |
|
0x07D0 |
2 |
?? |
|
ucode |
|
0x07D2 |
2 |
?? |
|
ucode |
|
0x07D4 |
2 |
?? |
|
ucode |
|
0x07D6 |
2 |
WEP AES Control (0 = regular, 1 = legacy) |
|
ucode |
|
PMQ |
|||||
0x07E0 |
2 |
PMQ Control Low |
|
ucode |
|
0x07E2 |
2 |
PMQ Control High |
|
ucode |
|
0x07E4 |
2 |
PMQ Pat 0 |
|
ucode |
|
0x07E6 |
2 |
PMQ Pat 1 |
|
ucode |
|
0x07E8 |
2 |
PMQ Pat 2 |
|
ucode |
|
0x07EA |
2 |
PMQ Data |
|
ucode |
|
0x07EC |
2 |
PMQ Data or(igin?) |
|
ucode |
|
0x07EE |
2 |
?? |
|
ucode |
|
SHM Region (0x800 - 0xEFE) |
|||||
Common Core Configuration Registers |
|||||
0x0F00 |
256 |
|
host |
||
DMA/PIO Interrupt Status
Offset |
Function |
Notes |
0x01000000 |
Transmit Interrupt |
|
0x00010000 |
Receive Interrupt |
|
0x00008000 |
Transmit FIFO Underflow Error |
Fatal |
0x00004000 |
Receive FIFO Underflow Error |
Fatal |
0x00002000 |
Receive Descriptor Underflow Error |
Non-fatal |
0x00001000 |
Descriptor Protocol Error |
Fatal |
0x00000800 |
PCI Data Error |
Fatal |
0x00000400 |
PCI Descriptor Error |
Fatal |
@FIXME@ - Check this If a fatal error occurs, you need to reset the chip (Core Reset followed by Initialization).
TX/RX Interrupts Per Frame / Timeout
These registers appear to control the number of interrupts per frame for the active DMA/PIO Queues.
Each of these registers is laid out as below:
Mask |
Function |
0xFF000000 |
Frame Count |
0x00FFFFFF |
Time Out |
MAC Registers
MAC Control
Offset |
Function |
0x80000000 |
G Mode |
0x40000000 |
Discard Power Management Queue (if set, microcode will not insert entries into the power management queue) |
0x20000000 |
Discard TX Status |
0x10000000 |
TBTT Hold |
0x08000000 |
Closed Network (if set, the microcode will not respond to broadcast probe responses) |
0x04000000 |
|
0x02000000 |
|
0x01000000 |
Promiscuous Mode |
0x00800000 |
Keep Bad Frames |
0x00400000 |
Keep Control Frames |
0x00200000 |
Keep Frames with bad PLCP - In later versions, this bit seems to mean "Lock" PHY (Used only for 802.11 core revisions 11 and 12) |
0x00100000 |
Beacons Promiscuous (if disabled, MAC filters beacons like regular packets) |
0x00080000 |
Radio Lock |
0x00040000 |
AP Mode |
0x00020000 |
Infra Mode |
0x00010000 |
Big Endian Mode |
0x0000C000 |
GPOUT Select Mask |
0x00002000 |
PSM Debug Enabled |
0x00001000 |
|
0x00000800 |
|
0x00000400 |
IHR Region Enabled |
0x00000200 |
SHM Upper |
0x00000100 |
SHM Enabled |
0x00000080 |
|
0x00000040 |
|
0x00000020 |
|
0x00000010 |
|
0x00000008 |
|
0x00000004 |
PSM Jump 0 |
0x00000002 |
PSM Run |
0x00000001 |
MAC Enabled |
MAC Command
Mask |
Function |
0x00000010 |
BG Noise |
0x00000008 |
CCA |
0x00000004 |
directed frame queue valid (IBSS power save mode, ATIM) |
0x00000002 |
Beacon 1 busy/valid |
0x00000001 |
Beacon 0 busy/valid |
The beacon busy/valid bits are to be set by the driver when it updates the beacons, and are cleared by the microcode when the driver is free to change them again. After setting them, you should not touch the beacon templates until they are clear again. The microcode will raise the "Beacon Template available" interrupt (see below) when any of the templates become available for driver modification. Hence, when a beacon must be changed, it may be possible that the driver has to wait until the next interrupt.
MAC Interrupt Status
Offset |
Function |
Notes |
0x80000000 |
General Purpose Time Out |
Core Revision 3 or greater |
0x40000000 |
PHY Status, Changed G Modes |
|
0x20000000 |
TX Completed |
Core Revision 5 or greater |
0x10000000 |
RF Disable Changed (used changed rfkill button state) |
Core Revision 10 or greater, lower revisions poll the relevant register which is revision dependent |
0x08000000 |
|
|
0x04000000 |
|
|
0x02000000 |
|
|
0x01000000 |
|
|
0x00800000 |
|
|
0x00400000 |
MAC has detected stuck bluetooth pin |
|
0x00200000 |
radio/phy powered back up |
|
0x00100000 |
probe response queue needs work |
|
0x00080000 |
MBSS DTIM TBTT indication |
|
0x00040000 |
Background Noise Sample Ready |
(set by ucode) |
0x00020000 |
CCA Measurement Complete |
(set by ucode) |
0x00010000 |
TX FIFO Suspend/Flush Complete |
(set by ucode) |
0x00008000 |
DMA Interrupts |
|
0x00004000 |
General Purpose Timer 1 |
|
0x00002000 |
General Purpose Timer 0 (PSM microcode watchdog); reset chip if it is raised |
|
0x00001000 |
Power Management Event |
|
0x00000800 |
PHY TX Error |
|
0x00000400 |
Non-Specifc Gen-Stat bit set by PSM |
(set by ucode) |
0x00000200 |
MAC TX Error |
|
0x00000100 |
Non-Specifc Gen-Stat bit set by PSM |
(set by ucode) |
0x00000080 |
Non-Specifc Gen-Stat bit set by PSM |
(set by ucode) |
0x00000040 |
Power Management Queue Entries Available |
(set by ucode) |
0x00000020 |
End of ATIM Window (IBSS) |
(set by ucode) |
0x00000010 |
Beacon Cancelled (IBSS) |
(set by ucode) |
0x00000008 |
Beacon TX successful |
(set by ucode) |
0x00000004 |
TBTT Indication |
(set by ucode) |
0x00000002 |
Beacon Template available |
(set by ucode) |
0x00000001 |
MAC Suspended |
(set by ucode) |
About the mask: when the ucode sets any of these bits the actual PCI (or SSB in fact) interrupt line will be triggered when the bit it has written is not present in the status bits yet and is present in the mask. The mask, however, does not influence the bits that are set in the status register when reading it. Hence, if the mask is 0, then no interrupt will ever trigger but when reading the interrupt status register the bits that the ucode wanted to set will still be set.
MAC capabilities
This register contains a bitfield of capabilities in the core.
Bit |
Meaning |
Notes |
31 |
TKIP MIC hardware |
core rev 15 does not support this even if bit is set! |
30 |
TKIP phase 2 key calculation hardware |
|
29 |
Bluetooth coexistance pins |
|
28 |
Multi-BSS hardware |
|
25-19 |
RX fifo size in blocks of 512 bytes |
|
18-16 |
number of RX fifos |
|
15-13 |
Microcode size (0: 3328 commands, 1: 4096 commands) |
|
9-3 |
TX fifo size in blocks of 512 bytes |
|
2-0 |
number of TX fifos |
|
High word:
Bit |
Meaning |
1-3 |
SHM size (core rev >= 16): 0: 1024x32 bits, 1: 1536x32 bits |
0 |
external radio coexistence |
DMA Channel Status
This is a bitfield, indexed by TX FIFO #, which contains MAC acknowlegement of a TX FIFO suspend request. The bit is unset if the request was acknowleged.
TSF Timer
This is a 64 bit value, read the TSF Timer Low register, then the TSF Timer High register to get an atomic read.
TSF Contention Free Period Rep
Mask |
Function |
0xFFFFFFC0 |
C. Beacon Interval Mask |
0x00000001 |
CFPP |
DMA Registers
DMA/PIO Channel (Core Revision >= 11)
Offset |
Size |
Function |
0x0000 |
24 |
64 Bit DMA TX Channel |
0x0018 |
8 |
4 Byte PIO TX Queue |
0x0020 |
24 |
64 Bit DMA RX Channel |
0x0038 |
8 |
4 Byte PIO RX Queue |
RX Registers
RX FIFO CONTROL1 (Core Revision >= 5)
Bit |
Meaning |
Notes |
11 |
Always 1(?) |
|
5 |
Set to 1 to insert a 16bit word between the RX header and the received data before sending on the FIFO |
|
4 |
Set to 1 to reset the receiver: hardware header and the received data are removed from the buffer and the FIFO |
|
2 |
Set to 1 to disconnect receiver from the FIFO |
|
1 |
Set to 1 to move received data from the receiver to the FIFO |
See note(1) below |
0 |
Set to 1 to push byte in the FIFO towards host |
See note(1) below |
Note(1): after the PLCP of a packet is received, the ucode enables data passing between the receiver and the FIFO by switching on bit 1 and off bit 0. From this moment the hardware stops detecting if the medium is idle (see bit 3-0 of IFS STATUS). When rx is complete, then the ucode switches off bit 1 and on bit 0. This pushes the packet in the FIFO up to the host: to be sure the transfer completes, it is necessary to check that the FIFO begins working AND stop working by checking COND_RX_FIFOBUSY. At the end the reciever can receive a new packet and from this point on the hardware restarts checking if the medium is idle (see bit 3-0 of IFS STATUS).
TX Registers
TXE Control (Core Revision >= 5)
Set this register to schedule a transmission in the future.
Mask |
Meaning |
Notes |
0x0001 |
set to 0, no tx is scheduled and tx engine disabled. Set to 1 to enable tx engine: transmission will happen in the future according to requested delay (see line below) |
|
0x0006 |
tx delay: 0, 10us; 1, 20us; 2, 30us; 3, 0(immediate tx) |
|
0x0008 |
set to 0 when transmitting acks, beacons and fragments following the first one (carrier sense related?) |
|
0x0010 |
set to 0 when transmitting acks and fragments following the first one (carrier sense related?) |
|
0x0020 |
set to 1 to enable sym war |
|
0x0080 |
set to 1 to transmit a beacon, in this case only CCK can be used |
|
0x0100 |
set to 1 to copy the clock in the next packet, offset is reg. 0x504 or spr082 |
|
0x0200 |
set to 1 for atim indication |
|
0x0C00 |
set to 00 for acks and fragments |
|
0x2000 |
set to 1 for atim indication |
|
0x4000 |
set to 1 to let hardware computing and adding fcs at the end of the packet. If set to 0 then data has to include four more bytes at the end, they will be transmitted in place of FCS and they can be forced to a wrong FCS |
|
IFS Registers
IFS STATUS (Core Revision >= 5)
Bit |
Meaning |
Notes |
15 |
Flip to 1 when time reserved for receiving PLCP has passed |
|
14 |
? |
|
13 |
? |
|
12 |
? |
|
11 |
Flip to 1 when rx'ing or tx'ing (same time receiver flips on, may 1us after transmitter flips on) |
See notes below. |
10 |
Flip to 1 when rx'ing or tx'ing (same time receiver or transmitter flips on) |
See notes below. |
9 |
Flip to 1 when receiver has started decoding |
When bit 8 is on (tx active) this bit is always off, see notes below. |
8 |
Flip to 1 when transmitter is working |
See notes below. |
7 |
Flip to 1 when backoff (reg 0x68A or spr145) is zero |
|
6 |
Always 0(?) |
|
5 |
Always 0(?) |
|
4 |
Flip to 1 when time reserved for receiving MPDU has passed |
|
3 |
Flip to 1 when channel is sensed free (phy+nav) for more than two slots |
|
2 |
Flip to 1 when channel is sensed free (phy+nav) for more than one slot |
|
1 |
Flip to 1 when channel is sensed free (physically) |
See notes below. |
0 |
Flip to 1 when channel is sensed free (virtually through NAV) |
See notes below. |
Note(1): when COND_TX_NOW is triggered means that the transmitter has started its job. At the same time of COND_TX_NOW, bit 8 and 10 flips to 1, bit 11 may retard 1 us. For this reason bit 1 could be still 1 when bit 8 and 10 are 1.
Note(2): bit 1 flips to 1 6-8 us after the last frame has been either received or transmitted. It is not clear if this behavior (bit 1 switching-on) can be disabled by setting some regs (e.g, why does it remain zero for 6-8 us even if nothing is on the channel?). When transmitter starts, this bit could remain 1 for 1us more. When receiver starts, this bit goes immediately to zero. When it flips to 1 IFS SLOT is reset to default value and IFS IDLE COUNTER is reset to zero.
Note(3) on bit 0 and 1: When they are both on, IFS SLOT countdown and IFS IDLE COUNTER go. They can switch on ONLY if there is no packet being received (see RX FIFOCTL1), but not immediately (see note (2) above).
Note(4) on bit 0: this bit reflects the NAV status. When NAV countdown is running, then bit 0 is off and COND_RX_IFS1 is on (it triggers after ~1us).
Note(5) on bit 11: When it switches on, COND_RX_IFS2 triggers after ~1us.
Note(6) on bit 9, 10 and 11: they seem to flip to 1 ONLY if a frame is detected (means, a SYNC of a PLCP is received, or transmitted and hence received). If no 802.11 preamble is detected, a strong signal in the same band doesn't seem to have any effect.
IFS SLOT (Core Revision >= 5)
Bit |
Meaning |
Notes |
15 |
0: countdown phase 1, 1: countdown phase 2 |
Phase 1 duration depends on the duration of the slot. Phase 2 is always 2us. |
14-0 |
Countdown value, decrements @ 8MHz. |
It decrements in 1/8us steps. |
When countdown goes zero in phase 2, the current slot ends and other IFS registers are modified accordingly. IFS SLOT is reset when bit 1 of IFS STATUS flip to 1 => defaults to (IFS SLOT DURATION - 2)*8, where IFS SLOT DURATION is the value of register 0x684 minus 0x1FE. E.g., if slot is 20us, IFS SLOT is set to 144 (phase 1). Countdown works when medium is idle (both bit 0 and bit 1 of IFS STATUS are 1, means that phy+nav idle indicator are both on). When channel is sensed busy, countdown stops independently of the countdown phase. When IFS SLOT countdown reaches zero during phase 1, IFS SLOT is reset to (16 | 0x8000) and phase 2 begins: at its end, either [bit 2 or 3 of IFS STATUS are set to one depending on how many slots passed since medium was free] or [if bit 2 and 3 of IFS STATUS are already on, IFS BACKOFF DELAY is decremented and IFS IDLE COUNTER is incremented]. Finally IFS SLOT restarts a new phase 1 countdown.
IFS BACKOFF DELAY (Core Revision >= 5)
It is setup after each transmission attempts by the ucode by loading a random value that is almost doubled after each failure (exponential backoff procedure). It counts down the number of slots written by the ucode: countdown restarts each time after a channel busy episode as soon as the medium has been detected idle (phy+nav) for a couple of slots (bit 0-3 of IFS STATUS are all 1). Countdown is paused during channel busy (either phy or nav).
IFS IDLE COUNTER (Core Revision >= 5)
It counts the number of idle slots after the first two since the medium was detected free. Counter's value is reset when bit 1 of IFS STATUS flip to 1: counter starts counting after a couple of idle slots (bit 0-3 of IFS STATUS are all 1). Countdown is interrupted when channel is busy (either phy or nav).
TSF CFP Notes
CFP "engine" is used for beacon transmission. Value stored in 0x610 expresses CFP interval in unit of 1024us (could that be changed?): it is used after CFP expiration (TBTT) to compute automatically the next TBTT by adding value in 0x610 multiplied by 1024 to the counter in 0x608-0x60A (TSF CFP Start Old) and storing the result in 0x604-0x606 (TSF CFP Start) which is then used to determine next TBTT expiration. When it occurs, the old value is moved to TSF CFP Start Old, and the procedure is repeated again and again. Value in 0x602 is originally 0x8000 but after the first expiration of the TBTT it turns to 0x8600, from this moment on condition 0x38 is true and can't be cleared by the firmware. Value in 0x612 expressed in us and subtracted to TSF CFP Start gives the times condition COND_TX_TBTTEXPIRE triggers: the firmware will then set up the beacon and schedule a beacon transmission that will occur at TBTT expiration.
Some weird things: value in 0x612 is 250 when AP (set by the kernel), it is 0x32 for monitor and sta and 2 for ad-hoc. But for a sta with a virtual monitor interface it is 2: this seems to be an error. It is not clear who actually sets the value 32 since the kernel does not and the initvals file simply set up a default 32 in the SHM copy but put 1 as default to 0x612. In STA mode, TBTT works before joining an AP, if the AP is joined after first TBTT expiration, then it will work, otherwise it will not. Independently of this, the value in 0x640 is refreshed every CFP Interval even if CFP times 0x604-0x606 and 0x608-0x60A are not refreshed.