Accessing Object Memory
The Object Memory is accessed by writing the Object Control word to Register 0x0160, then writing or reading the data from Registers 0x0164 (Data, Low 16 bits) and 0x0166 (Data, High 16 bits).
Object Control Word
| Mask | Meaning |
|---|---|
| 0x02000000 | Automatically increment address on read |
| 0x01000000 | Automatically increment address on write |
| 0x00070000 | |
| 0x0000FFFF | Address Offset |
Address Offset
The Address Offset actually addresses a word (32 bits) of Object Memory. Note that this means the auto increment values will move the address to the next 32 bit word in the Object Memory. The offsets in each of the sections below are given here by byte offsets instead of 32 bit offsets (as required for addressing). To address these properly, shift the address right by 2 to find the value used in the Address Offset. If the byte offset is 32 bit aligned, use the Data Low Register (0x0164). If the byte offset isn't 32 bit aligned, use the Data High Register (0x0166).
Object Selection Values
| Value | Object | Size |
|---|---|---|
| 0 | Microcode Memory | ?? |
| 1 | | 4096 bytes |
| 2 | | 64 16-bit words (r0-r63) |
| 3 | Internal Hardware Register | ?? |
| 4 | RCMTA (receive match transmitter address, core revision >= 5 only, see Crypto Engine) | ?? |
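The access sequence described above for a 16-bit value at a byte offset, as an added example that is not code from this page or from any driver. It assumes the selection value occupies the 0x00070000 field of the control word and that value 1 (the 4096-byte object) is the Shared Memory; the `reg_*` and `sim_*` helpers are a constructed stand-in for the device registers and all function names are hypothetical.

```c
#include <stdint.h>

#define REG_OBJ_CONTROL   0x0160u      /* Object Control word */
#define REG_OBJ_DATA_LOW  0x0164u      /* Data, low 16 bits */
#define REG_OBJ_DATA_HIGH 0x0166u      /* Data, high 16 bits */
#define OBJ_ADDR_MASK     0x0000FFFFu  /* Address Offset, counted in 32-bit words */
#define OBJ_SEL_SHIFT     16           /* assumption: selection value sits in 0x00070000 */
#define OBJ_SEL_SHM       1u           /* assumption: value 1 (4096 bytes) is Shared Memory */
#define SHM_BYTES         4096u

/* Constructed stand-in for the device so the example runs without hardware. */
static uint32_t sim_mem[SHM_BYTES / 4];
static uint32_t sim_ctl;
static void reg_write32(uint32_t reg, uint32_t v) { if (reg == REG_OBJ_CONTROL) sim_ctl = v; }
static uint32_t *sim_word(void) { return &sim_mem[(sim_ctl & OBJ_ADDR_MASK) % (SHM_BYTES / 4)]; }
static void reg_write16(uint32_t reg, uint16_t v) {
    uint32_t *w = sim_word();
    if (reg == REG_OBJ_DATA_LOW)  *w = (*w & 0xFFFF0000u) | v;
    if (reg == REG_OBJ_DATA_HIGH) *w = (*w & 0x0000FFFFu) | ((uint32_t)v << 16);
}

static uint16_t reg_read16(uint32_t reg) {
    return (uint16_t)(reg == REG_OBJ_DATA_HIGH ? *sim_word() >> 16 : *sim_word());
}

/* Control word for a byte offset: object selection plus the offset shifted right by 2. */
uint32_t shm_control(uint16_t byte_off) {
    return (OBJ_SEL_SHM << OBJ_SEL_SHIFT) | ((uint32_t)(byte_off >> 2) & OBJ_ADDR_MASK);
}

/* 32-bit aligned byte offsets use Data Low; the other 16-bit half uses Data High. */
uint32_t shm_data_reg(uint16_t byte_off) {
    return (byte_off & 2u) ? REG_OBJ_DATA_HIGH : REG_OBJ_DATA_LOW;
}

/* Both accessors return 0, or -1 for an odd offset or one outside the 4096-byte object. */
int shm_write16(uint16_t byte_off, uint16_t v) {
    if ((byte_off & 1u) || byte_off >= SHM_BYTES) return -1;
    reg_write32(REG_OBJ_CONTROL, shm_control(byte_off));
    reg_write16(shm_data_reg(byte_off), v);
    return 0;
}

int shm_read16(uint16_t byte_off, uint16_t *out) {
    if ((byte_off & 1u) || byte_off >= SHM_BYTES) return -1;
    reg_write32(REG_OBJ_CONTROL, shm_control(byte_off));
    *out = reg_read16(shm_data_reg(byte_off));
    return 0;
}
```

Rejecting odd and out-of-range offsets before the control word is written keeps a bad caller from silently touching a neighbouring word.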
Objects
Microcode Memory
Shared Memory
Warning: This table is not sorted by offset but by usage group!
| Offset | Size | Usage |
|---|---|---|
| Misc. Variables | | |
| 0x000E | 2 | 802.11 SIFS time (usec) (?) |
| 0x0010 | 2 | 802.11 Slot Time |
| 0x0016 | 2 | 802.11 Core Revision |
| 0x0034 | 2 | RX Padding Data Offset (relevant for PIO mode only, set to 0) |
| 0x004E | 2 | OFDM/CCK delta in CCK power boost mode |
| 0x0050 | 2 | |
| 0x0052 | 2 | |
| 0x005C | 2 | antenna swap threshold |
| 0x005E | 2 | Host Flags for uCode options (low 16 bits) |
| 0x0060 | 2 | Host Flags for uCode options (middle 16 bits) |
| 0x0062 | 2 | Host Flags for uCode options (high 16 bits) |
| 0x0066 | 2 | Radar Register |
| 0x006E | 2 | PHY noise directly after TX (lower 8 bits only) |
| 0x0072 | 2 | RF RX SP Register 1 |
| 0x00A0 | 2 | Current Channel (low 8 bits, 0x100 is set if 5 GHz channel, 0x200 is 40 MHz flag) |
| 0x0108 | 2 | Last posted Frame ID to the broadcast/multicast (BCMC) FIFO |
| TSSI information | | |
| 0x0058 | 2 | TSSI for the last 4 CCK frames |
| 0x005a | 2 | |
| 0x0068 | 2 | TSSI for the last 4 OFDM frames (A) |
| 0x006a | 2 | |
| 0x0070 | 2 | TSSI for the last 4 OFDM frames (G) |
| 0x0072 | 2 | |
| TX FIFO Variables | | |
| 0x0098 | 2 | TX FIFO Size for FIFOs 0 and 1 (FIFO 0 in lower byte, FIFO 1 in higher byte) |
| 0x009A | 2 | TX FIFO Size for FIFOs 2 and 3 (as above, 2 in lower, 3 in higher) |
| 0x009C | 2 | TX FIFO Size for FIFOs 4 and 5 |
| 0x009E | 2 | TX FIFO Size for FIFOs 6 and 7 (always 0) |
| Background Noise | | |
| 0x0088 | 2 | Measure JSSI 0 |
| 0x008A | 2 | Measure JSSI 1 |
| 0x008C | 2 | Measure JSSI AUX (channel at time of measurement) |
| WEP Variables | | |
| 0x003C | 2 | Default IV location |
| 0x003E | 2 | Number of soft RX transmitter addresses (max 8) |
| 0x0056 | 2 | Key table pointer |
| 0x02E0 | - | TKIP Phase 1 keys. Array indexed by key index consisting of 14-byte entries containing the phase 1 key and the IV32 in each entry. Used on RX. |
| 0x05D4 | #possible key indices * 2 | Key Index/Algo Block (16 times (key index<<4) \| algorithm) |
| 0x05F4 | 8 * 6 | PSM transmitter address match block (8 MAC addresses, only on core rev < 5) |
| WME Variables | | |
| 0x0030 | 2 | TXF Current Index |
| 0x0240 | - | EDCF Q Info |
| Power Save Mode related Variables | | |
| 0x004C | 2 | NOSLPZNAT DTIM |
| Beacon/Access Point Variables | | |
| 0x0018 | 2 | Beacon 0 Template Length |
| 0x001A | 2 | Beacon 1 Template Length |
| 0x001C | 2 | Beacon Transmit TSF Offset (should contain time it takes from MAC through PHY until the first bit of TSF hits the air) |
| 0x001E | 2 | TIM Position (in Beacon, set to the start of the TIM information element) |
| 0x0012 | 2 | DTIM Period, used to update the TIM information element and count down to DTIM |
| 0x00A8 | 2 | last broadcast/multicast frame ID, if 0xffff then all frames are treated as the last, see TX |
| 0x0044 | 2 | Short Frame Fallback Retry Limit (beacon related??) |
| 0x0046 | 2 | Long Frame Fallback Retry Limit (beacon related??) |
| 0x0054 | 2 | Beacon PHY control word (see PHY TX Control Word) |
| 0x00B0 | 2 | Extended bytes for Beacon PHY control word (N) |
| ACK/CTS Variables | | |
| 0x0022 | 2 | ACK/CTS PHY control word (see PHY TX Control Word) |
| Probe Response Variables | | |
| 0x0048 | 2 | Probe Response SSID Length |
| 0x004A | 2 | Probe Response Template Length |
| 0x0074 | 2 | Probe Response Max Time (timeout after which probe responses are no longer sent, in microseconds, 0 is infinite) |
| 0x0160 | - | Probe Response SSID |
| 0x0188 | 2 | Probe Response PHY control word (see PHY TX Control Word) |
| Rate Tables | | |
| 0x01C0 | - | Pointer to OFDM direct map (word addressed) |
| 0x01E0 | - | Pointer to OFDM basic rate map (word addressed) |
| 0x0200 | - | Pointer to CCK direct map (word addressed) |
| 0x0220 | - | Pointer to CCK basic rate map (word addressed) |
| uCode soft registers | | |
| 0x0000 | 2 | uCode revision (high 16 bits) |
| 0x0002 | 2 | uCode revision (low 16 bits) |
| 0x0004 | 2 | uCode date (year:4,month:4,day:8) |
| 0x0006 | 2 | uCode time (hour:5,minute:6,second:5) |
| 0x0040 | 2 | uCode debug status code (Possible values are 0: invalid, 1: init, 2: active, 3: suspended, 4: asleep (PS)) |
| 0x0080 | 2 | Maximum number of frames in a burst |
| 0x0094 | 2 | Pre-wakeup for synth. PU [μs] |
| 0x0096 | 2 | Pre-TBTT [μs] |
| MAC statistics | | |
| 0x00E0 | 2 | # TX Frames Sent (Including Data, ACK, RTS, CTS, Control and Management, including retransmissions) |
| 0x00E2 | 2 | # TX RTS |
| 0x00E4 | 2 | # TX CTS |
| 0x00E6 | 2 | # TX ACK |
| 0x00E8 | 2 | # TX DNL (?) |
| 0x00EA | 2 | # TX Beacons |
| 0x00EC | 16 | Per-FIFO Count of TX Underflows (8 of them, 2 bytes each) |
| 0x00FC | 2 | # TX Template Underflows (the MAC was too slow to transmit ACK/CTS or BCN) |
| 0x00FE | 2 | # TX PHY Error (The type is reported in TX Status) |
| 0x0104 | 2 | # RX Too Long (Limit is 2346 bytes) |
| 0x0106 | 2 | # RX Too Short (Not enough bytes for frame type) |
| 0x0108 | 2 | # RX Invalid MAC Header (Either Protocol Version is not 0, or the frame type isn't Data, Control or Management) |
| 0x010A | 2 | # RX Bad FCS (Frames where CRC Failed) |
| 0x010C | 2 | # RX Bad PLCP (Parity Check of PLCP Header Failed) |
| 0x010E | 2 | # RX CRS Glitch (Preamble is okay, but not the Header) |
| 0x0110 | 2 | # RX Frames with good PLCP |
| 0x0112 | 2 | # RX Data Frames with Good FCS and Matching RA |
| 0x0114 | 2 | # RX Management Frames with Good FCS and Matching RA |
| 0x0116 | 2 | # RX Control Frames with Good FCS and Matching RA |
| 0x0118 | 2 | # RX Unicast RTS addressed to MAC with good FCS |
| 0x011A | 2 | # RX Unicast CTS addressed to MAC with good FCS |
| 0x011C | 2 | # RX Unicast ACK with good FCS |
| 0x011E | 2 | # RX Data Frames with Good FCS and not matching RA |
| 0x0120 | 2 | # RX Management Frames with Good FCS and not matching RA |
| 0x0122 | 2 | # RX Control Frames with Good FCS and not matching RA |
| 0x0124 | 2 | # RX RTS Not Addressed to MAC |
| 0x0126 | 2 | # RX CTS Not Addressed to MAC |
| 0x0128 | 2 | # RX Multicast Data Frames |
| 0x012A | 2 | # RX Multicast Management Frames |
| 0x012C | 2 | # RX Multicast Control Frames |
| 0x012E | 2 | # RX Beacons from member of BSS |
| 0x0130 | 2 | # RX Unicast Frames addressed to the MAC from other BSS |
| 0x0132 | 2 | # RX Beacons from other BSS |
| 0x0134 | 2 | # RX Number of Response Timeouts for Transmitted Frames expecting a response |
| 0x0136 | 2 | # TX Beacons canceled due to receipt of beacon (IBSS) |
| 0x013A | 2 | # RX FIFO 0 Overflows |
| 0x013C | 2 | # RX FIFO 1 Overflows |
| 0x013E | 2 | # RX FIFO 2 Overflows |
| 0x0140 | 2 | # TX Status FIFO Overflows (Obsolete) |
| 0x0142 | 2 | # Power Management Queue Overflows |
| 0x0144 | 2 | # RX Probe Requests that made it into the PMQ FIFO |
| 0x0146 | 2 | # RX Probe Request Overflow in the AP |
| 0x0148 | 2 | # TX Probe Response Fail (AP sent probe response but didn't get an ACK) |
| 0x014A | 2 | # TX Probe Response Success (ACK RX) |
| 0x014C | 2 | # Probe Request Timeout (Dropped from PRQ FIFO because probe response couldn't be sent out before the limit expired) |
| 0x014E | 2 | # RX Afterburner NACK |
| 0x0150 | 2 | # Frames completed without transmission because of Afterburner Re-Queue |
| 0x0152 | 2 | # TX Afterburner NACK |
| 0x0154 | 2 | # TX Glitch NACK (Obsolete) |
| 0x0156 | 2 | # TX Burst (Obsolete) |
| 0x0158 | 2 | # RX Burst (Obsolete) |
| Hardware power control | | |
| 0x0024 | 2 | TX power N (count?) |
| 0x0026 | 2 | TX power target |
| 0x0028 | 2 | TX power max |
| 0x0032 | 2 | TX power current |
| 0x0064 | 2 | radio power (not hw power related?) |
| 0x0310 | 8 | Power Vector (Used LO Control Values) |
Rate Tables
The shared memory contains, at locations decided by the initial values, four tables (maps) of pointers to the rate table entries, each of which contains PLCP headers and duration fields for ACK, CTS and Probe response frames. The direct tables are not to be changed; they are always a one-to-one mapping. The basic rate maps, however, must be maintained by the driver so that the hardware can just look up the information it needs.
The tables/maps whose SHM offsets are given in the SHM locations above each have 16 entries, indexed by the lower 4 bits of the PLCP signal field. All four of these tables contain shared memory offsets that point to entries in the actual table containing the PLCP headers etc.
The direct map tables map a given PHY rate to the rate table entry corresponding to that rate; the basic rate map tables map a given PHY rate to the next lower basic rate.
A rate table entry consists of many fields; the exact size and structure is determined by the initial values and not really relevant. But at offset 10 into a rate table entry there is the four-byte probe response PLCP, at offset 16 the probe response duration field and at offset 18 (not always, only 802.11N?) some pctl1 word. [fixme]
To illustrate:
    map register (pointer above)
       |
       +------+
              |
              |
              +--- points to ---> < idx 0 , idx 1 , idx 2 , idx 3 , ... , idx 15 >
                                              |
                      +-----------------------+
                      |
                      |
                      +--- points to -----> +------- rate table entry -------+
                                            |  (at unknown memory location)  |
                                            | 0..9   | unknown data          |
                                            | 10..14 | probe resp. plcp      |
                                            | 16..17 | probe resp. duration  |
                                            | ...??  | unknown data          |
                                            +--------------------------------+
Those fields only need to be updated when the firmware probe response offload feature is used.
However, for normal operation, the basic rate maps must be modified to map the incoming frame bitrate to the correct response frame (CTS/ACK) bitrate. That is, if the AP announces only basic rates 1 and 2 MBit, then the basic rate map must be modified so that all pointers in it point to the 1 or 2 MBit rate table entry. To do this, use the pointers from the "direct Map", which always maps directly to the correct rate table entry for each PLCP index.
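One way to rebuild a basic rate map from the direct map, as an added example that is not code from this page or from any driver. It works on copies of the two 16-entry maps and leaves the SHM reads and writes to the caller. It reads "next lower basic rate" as the highest basic rate not above the incoming rate and, as a further assumption, falls back to the lowest basic rate when none is lower. `build_basic_map` and its parameters are hypothetical names, the rate codes are the standard 802.11 PLCP values, and the map contents in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PLCP rate codes in ascending rate order; the maps are indexed by (code & 0xF). */
const uint8_t cck_codes[4]  = { 0x0A, 0x14, 0x37, 0x6E };  /* 1, 2, 5.5, 11 Mbit/s */
const uint8_t ofdm_codes[8] = { 0xB, 0xF, 0xA, 0xE, 0x9, 0xD, 0x8, 0xC };
                              /* 6, 9, 12, 18, 24, 36, 48, 54 Mbit/s */

/*
 * Rebuild one basic rate map from its direct map (hypothetical helper).
 *   codes/n     rate codes of the PHY type, slowest first
 *   basic_mask  bit i set when codes[i] is a basic rate
 *   direct      16 pointers read from the direct map, never modified
 *   basic       16 pointers to write back to the basic rate map
 * Returns the number of entries written, or -1 when no basic rate is set.
 */
int build_basic_map(const uint8_t *codes, size_t n, unsigned basic_mask,
                    const uint16_t direct[16], uint16_t basic[16])
{
    size_t lowest = n, i, b;

    for (i = n; i-- > 0; )
        if (basic_mask & (1u << i))
            lowest = i;
    if (lowest == n)
        return -1;

    for (i = 0; i < n; i++) {
        /* Assumption: a rate below every basic rate answers at the lowest basic rate. */
        size_t pick = lowest;
        for (b = 0; b <= i; b++)
            if (basic_mask & (1u << b))
                pick = b;   /* ends on the highest basic rate not above rate i */
        basic[codes[i] & 0xF] = direct[codes[pick] & 0xF];
    }
    return (int)n;
}

int main(void)
{
    /* Constructed sample: direct map pointers as they might be read from SHM. */
    uint16_t direct[16] = {0}, basic[16] = {0};
    direct[0xA] = 0x100; direct[0x4] = 0x110; direct[0x7] = 0x120; direct[0xE] = 0x130;
    build_basic_map(cck_codes, 4, 0x3, direct, basic);  /* basic rates: 1 and 2 Mbit/s */
    for (int i = 0; i < 16; i++)
        printf("idx %2d -> 0x%04X\n", i, (unsigned)basic[i]);
    return 0;
}
```

Map indices that do not correspond to a rate code of the PHY type are left untouched.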
Microcode registers
The microcode registers are word-indexed for read/write, not byte-indexed like the shared memory.
The following table documents what the original microcode uses the various registers for.
| Register | Usage |
|---|---|
| r3 | Minimum Contention Window |
| r4 | Maximum Contention Window |
| r5 | Current Contention Window |
| r6 | Short Retry Count limit |
| r7 | Long Retry Count limit |
| r8 | Current DTIM count |
| r9 | sequence counter |
| r21 | Beacon 0 template length (not for v4?) |
| r22 | Beacon 1 template length (not for v4?) |
| r23 | Short frame transmit count threshold for rate fallback |
| r24 | Long frame transmit count threshold for rate fallback |