==============================
MT1939 Firmware TS01 USB Notes
==============================

I was originally documenting USB engine registers on the processor I found
them on, but now it seems like much of what's going on is in registers that
are shared between CPUs and the division of responsibility is largely because
of conventions or other unseen constraints.

Registers:

   41f4b00-ff, mapped into both ARM and 8051

- Incoming USB requests are processed by the ARM
- Completion and status seems to be handled by the 8051
- Inputs and outputs appear to be accessed via byte FIFO registers in the 4b00 space.


Important RAM addresses:

  [2000cf0]     DRAM mapping base
  [2000cf4]     USB buffer base address (sample: 347600)
  [2000d8c]     (Last address read/written via this buffer)

This buffer referenced by cf4 seems to live at 1f4f600 in TS01.
It's accessed via a poke routine at d694c.

The bits from dumping this area, excluding things that seem to be
uninitialized DRAM. First it starts with some things that seem to be
dynamically allocated:

0008550: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....  ARM: 1f51766
0008560: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
0008570: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb 5d bb  w.w.....w.w...].
0008580: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
0008590: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
00085a0: 77 ee 77 ee dd be 05 80 00 32 1f 00 00 00 54 53  w.w......2....TS
00085b0: 53 54 63 6f 72 70 42 44 44 56 44 57 20 53 45 2d  STcorpBDDVDW SE-
00085c0: 35 30 36 43 42 20 54 53 30 31 20 20 30 35 32 38  506CB TS01  0528
00085d0: 20 20 20 20 20 20 20 00 00 00 00 00 00 00 00 00         .........
00085e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00085f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0008600: 00 00 00 00 00 00 01 0a 00 20 00 00 00 00 00 00  ......... ......
0008610: 00 00 05 32 00 c5 08 00 00 00 00 00 00 00 00 00  ...2............
0008620: 00 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0008630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0008640: 00 00 00 00 00 00 08 0a 04 00 00 00 00 00 00 00  ................
0008650: 00 00 0d 06 00 0b 00 3c 00 4b 0e 0e 04 00 00 00  .......<.K......
0008660: 00 4b 01 ff 02 ff 00 00 00 00 18 1a 00 01 00 01  .K..............
0008670: 00 00 00 00 00 01 00 01 00 00 00 00 00 00 00 00  ................
0008680: 00 01 00 01 00 00 1a 0a 00 03 00 00 01 86 00 00  ................
0008690: 01 c2 1c 0a 00 00 00 00 00 00 00 00 00 00 1d 0a  ................
00086a0: 00 00 00 00 00 07 00 00 00 00 2a 42 3f 37 f1 77  ..........*B?7.w
00086b0: 29 23 10 89 01 00 10 00 00 00 00 10 10 89 00 00  )#..............
00086c0: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00086d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00086e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0e  ..............0.
00086f0: 11 11 00 00 00 00 00 00 00 00 00 00 00 00 01 0a  ................
0008700: 00 20 00 00 00 00 00 00 00 00 05 32 00 c5 08 00  . .........2....
0008710: 00 00 00 00 00 00 00 00 00 96 00 00 00 00 00 00  ................
0008720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0008730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 0a  ................
0008740: 04 00 00 00 00 00 00 00 00 00 0d 06 00 0b 00 3c  ...............<
0008750: 00 4b 0e 0e 04 00 00 00 00 4b 01 ff 02 ff 00 00  .K.......K......
0008760: 00 00 18 1a 00 01 00 01 00 00 00 00 00 01 00 01  ................
0008770: 00 00 00 00 00 00 00 00 00 01 00 01 00 00 1a 0a  ................
0008780: 00 03 00 00 01 86 00 00 01 c2 1c 0a 00 00 00 00  ................
0008790: 00 00 00 00 00 00 1d 0a 00 00 00 00 00 07 00 00  ................
00087a0: 00 00 2a 42 3f 37 f1 77 29 23 10 89 01 00 10 00  ..*B?7.w)#......
00087b0: 00 00 00 10 10 89 00 00 00 01 00 00 00 00 00 00  ................
00087c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00087d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00087e0: 00 00 00 00 00 00 30 0e 11 11 00 00 00 00 00 00  ......0.........
00087f0: 00 00 00 00 00 00 01 0a 85 ff 00 00 00 00 00 00  ................
0008800: 00 00 05 32 5f ff 0f 00 00 3f ff 00 ff ff ff ff  ...2_....?......
0008810: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
0008820: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
0008830: ff ff ff ff ff ff 08 0a 04 00 00 00 00 00 00 00  ................
0008840: 00 00 0d 06 00 00 00 00 00 00 0e 0e 00 00 00 00  ................
0008850: 00 00 03 ff 03 ff 00 00 00 00 18 1a 00 00 00 00  ................
0008860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0008870: 00 00 00 00 00 00 1a 0a 00 00 00 00 00 00 00 00  ................
0008880: 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 1d 0a  ................
0008890: 00 00 00 00 00 00 00 00 00 00 2a 42 00 00 00 00  ..........*B....
00088a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00088b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00088c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00088d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0e  ..............0.
00088e0: 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00  ................
00088f0: 03 68 fe 5a 00 00 fe 58 00 00 fe 52 00 00 fe 51  .h.Z...X...R...Q
0008900: 00 00 fe 50 00 00 00 43 00 00 00 42 00 00 00 41  ...P...C...B...A
0008910: 00 00 00 40 00 00 00 2b 00 00 fe 2a 00 00 00 1b  ...@...+...*....
0008920: 00 00 00 1a 00 00 fe 18 00 00 fe 17 00 00 00 16  ................
0008930: 00 00 00 15 00 00 00 14 00 00 00 13 00 00 00 12  ................
0008940: 00 00 00 11 00 00 00 10 00 00 00 0a 00 00 00 09  ................
0008950: 00 00 00 08 00 00 00 02 00 00 00 01 0b 08 00 00  ................
0008960: 00 08 01 00 00 00 00 02 07 04 02 00 00 00 00 03  ................
0008970: 0b 04 29 00 00 00 00 04 08 04 08 00 00 00 00 10  ..).............
0008980: 00 08 00 00 08 00 00 00 01 00 00 1d 00 00 00 1e  ................
0008990: 08 04 03 00 00 00 00 1f 08 04 01 00 01 00 00 20  ............... 
00089a0: 04 0c 00 00 00 00 00 00 08 00 00 00 01 00 00 21  ...............!
00089b0: 0c 08 00 00 00 00 00 00 00 00 00 23 08 08 00 00  ...........#....
00089c0: 00 00 00 00 00 00 00 24 04 04 80 00 00 00 aa 25  .......$.......%
00089d0: 00 08 00 00 80 00 00 00 00 00 00 26 00 00 aa 27  ...........&...'
00089e0: 00 04 00 00 00 00 aa 28 04 04 01 00 00 00 00 2a  .......(.......*
00089f0: 04 04 01 00 00 00 00 2b 00 04 01 00 00 00 00 2c  .......+.......,
0008a00: 00 04 03 00 00 00 00 2d 08 04 46 00 3f 0f 00 2e  .......-..F.?...
0008a10: 04 04 7f 00 0d 00 00 2f 08 04 4e 00 00 00 00 33  ......./..N....3
0008a20: 00 08 00 00 00 02 01 10 00 00 aa 34 00 04 01 00  ...........4....
0008a30: 00 01 00 37 00 04 00 0f 00 00 00 38 00 04 00 00  ...7.......8....
0008a40: 00 00 aa 3a 00 04 01 00 00 00 00 3b 00 04 01 00  ...:.......;....
0008a50: 00 00 00 40 08 1c 01 00 00 00 00 0e 00 00 00 00  ...@............
0008a60: 00 00 00 06 00 00 00 00 00 00 00 02 00 00 00 00  ................
0008a70: 00 00 00 41 04 14 01 00 00 00 00 0c 00 00 00 00  ...A............
0008a80: 00 00 00 06 00 00 00 00 00 00 aa 50 04 08 00 00  ...........P....
0008a90: 00 00 00 00 00 00 aa 51 04 08 01 00 00 00 01 00  .......Q........
0008aa0: 00 00 aa 52 04 04 01 00 00 00 00 80 00 04 00 00  ...R............
0008ab0: 00 00 01 00 03 00 01 01 00 04 00 00 00 00 01 03  ................
0008ac0: 00 04 03 00 01 00 01 04 07 04 00 00 00 00 01 05  ................
0008ad0: 07 04 00 00 00 00 01 06 04 04 00 00 00 01 01 07  ................
0008ae0: 14 04 1f 00 00 00 01 08 03 10 53 31 35 45 36 59  ..........S15E6Y
0008af0: 4d 46 32 30 30 47 52 53 20 20 01 09 00 00 01 0a  MF200GRS  ......
0008b00: 00 0c 46 44 43 00 53 44 43 00 54 4f 43 00 01 0b  ..FDC.SDC.TOC...
0008b10: 00 04 00 00 00 01 01 0d 08 04 1f 01 02 01 aa 0e  ................
0008b20: 00 04 00 00 00 00 aa 10 00 04 00 00 00 00 aa 33  ...............3
0008b30: 04 04 00 00 00 00 aa 52 04 04 00 00 00 00 aa 53  .......R.......S
0008b40: 04 04 00 00 00 00 22 44 88 11 82 11 22 44 22 44  ......"D...."D"D
0008b50: 88 11 88 11 22 44 22 44 88 11 88 11 22 44 22 44  ...."D"D...."D"D
0008b60: 88 11 88 11 22 44 22 44 88 11 88 11 22 44 22 44  ...."D"D...."D"D
0008b70: 88 11 88 11 22 44 22 44 88 11 88 11 22 44 22 44  ...."D"D...."D"D
0008b80: 88 11 88 11 22 44 22 44 88 11 88 11 22 44 22 44  ...."D"D...."D"D
0008b90: 88 11 88 11 22 44 22 44 88 11 88 11 22 44 22 44  ...."D"D...."D"D
0008ba0: 88 11 88 11 22 41 22 44 88 11 88 11 22 44 22 44  ...."A"D...."D"D
...
000c300: 77 ee 7d ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.}.....w.w.....      ARM: 1f5b900
000c310: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
000c320: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
000c330: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
000c340: 77 ee 77 ee dd bb dd bb 77 ee 7d ee dd bb dd bb  w.w.....w.}.....
000c350: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
000c360: 77 ee 77 ee dd bb 


The lower addresses seem to be transient; the area starting at c366 uses
hardcoded offsets. This seems to be a parameter block referenced by the USB
code on the ARM side.

    [ad66]        Written twice in get_status (?)

USB configuration block, 7 bytes, read in sequence by TS01 19a3c

    [c366] +00    Device state
                    00 = not addressed
                    02 = addressed

    [c367] +01
    [c368] +02
    [c369] +03
    [c36a] +04
    [c36b] +05

    [c36c] +06    USB device address


   c366:                   03 01 01 01 00 00 0a 00

USB device descriptor:

   c36e:                                           12 01 
000c370: 00 02 00 00 00 40 8d 0e 56 19 00 00 01 02 03 01  .....@..V.......

000c380: 09 07 20 00 01 01 04 a0 fa 09 04 00 00 02 08 02  .. .............
000c390: 50 05 07 05 81 02 40 00 00 07 05 02 02 40 00 00  P.....@......@..
000c3a0: 04 03 09 04 1a 03 4d 00 65 00 64 00 69 00 61 00  ......M.e.d.i.a.
000c3b0: 54 00 65 00 6b 00 20 00 49 00 6e 00 63 00 10 03  T.e.k. .I.n.c...
000c3c0: 4d 00 4d 00 31 00 39 00 35 00 36 00 20 00 20 03  M.M.1.9.5.6. . .      <-- These are the live string descriptors
000c3d0: 53 31 35 45 36 59 4d 46 32 30 30 47 52 53 20 20  S15E6YMF200GRS  
000c3e0: 01 09 00 00 01 0a 00 0c 46 44 43 00 53 44 10 03  ........FDC.SD..
000c3f0: 44 00 65 00 66 00 61 00 75 00 6c 00 74 00 1c 03  D.e.f.a.u.l.t...
000c400: 36 00 32 00 33 00 38 00 2d 00 2d 00 53 00 74 00  6.2.3.8.-.-.S.t.
000c410: 6f 00 72 00 61 00 67 00 65 00 77 ee dd bb dd bb  o.r.a.g.e.w.....
000c420: 7d ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  }.w.....w.w.....
000c430: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
...
000c480: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
000c490: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
000c4a0: 0a 06 00 02 00 00 00 40 01 00 77 ee dd bb dd bb  .......@..w.....
000c4b0: 77 ee 77 ee dd bb dd ab 77 ee 77 ee dd bb dd bb  w.w.....w.w.....
000c4c0: 77 ee 77 ee dd bb dd bb 77 ee 77 ee dd ab dd bb  w.w.....w.w.....
...


=================
Interrupt Handler
=================

The USB interrupt is multiplexed onto vector 0x18.

At 1f320, the handler checks flags registers:

   [4040064]  masked with 3008, nonzero
   [4040078]  masked with 80000, nonzero, low byte saved

Using the USB debug interface with the backdoor for log output, we can trace
the IRQ handler. This prints the values of [4040064] and [4040078] when the
conditions match:

%%hook -b 1f32a
console(SysTime::now());
println(" : usb irq", r0, r1);

For a single USB storage round-trip (%sc a ac) there are two IRQs:

  57.032,054 : usb irq 00000000 00080000  <- Storage OUT received
  57.041,933 : usb irq 00002000 00000000  <- Final IN ack'ed 10ms later

When enumerating the device with USB Prober:

 161.511,552 : usb irq 00000000 00080000
 161.521,556 : usb irq 00002000 00000000
 168.903,245 : usb irq 00001000 00000000
 168.914,541 : usb irq 00001000 00000000
 168.925,647 : usb irq 00001000 00000000
 168.936,794 : usb irq 00001000 00000000
 168.947,952 : usb irq 00001000 00000000
 168.959,173 : usb irq 00001000 00000000
 168.970,294 : usb irq 00001000 00000000
 168.981,492 : usb irq 00001000 00000000
 168.992,691 : usb irq 00001000 00000000
 169.003,892 : usb irq 00001000 00000000
 169.014,923 : usb irq 00001000 00000000
 169.026,041 : usb irq 00001000 00000000
 169.037,210 : usb irq 00001000 00000000
 169.048,328 : usb irq 00001000 00000000
 169.059,467 : usb irq 00001000 00000000
 169.070,491 : usb irq 00001000 00000000
 169.081,596 : usb irq 00001000 00000000
 169.092,687 : usb irq 00001000 00000000
 169.103,839 : usb irq 00001000 00000000
 169.114,887 : usb irq 00001000 00000000
 169.126,249 : usb irq 00001000 00000000
 169.137,477 : usb irq 00001000 00000000
 169.148,532 : usb irq 00001000 00000000
 169.159,713 : usb irq 00001000 00000000
 169.170,850 : usb irq 00001000 00000000

%%hook 1f32a
console(SysTime::now());
bitbang_console();
SysTime::wait_ms(2000);
println(" : usb irq", r0, r1);
bitbang_console();

  This slows down the USB traffic enough to clearly show what the IRQ bits are
  for, if one has access to a real-time USB log.


These interrupts end up at usb_handle_irq_1f29c
  r0 = [4040064] (SETUP, IN flags)
  r1 = [4040078] (OUT flag and endpoint)

Looking at the OUT handler at d7d86

Stores data about the incoming packet at 2000ee4

In [192]: rd 2000ee4 20
 32 / 32 bytes read 
                                  Begin SCSI CDB
                                  v
02000ee4  10 00 00 00 80 00 0c ac ac 6c 6f 63 e4 0e 00 02   .........loc....
02000ef4  04 00 00 00 10 00 00 00 00 ff ff ff 00 00 ff ff   ................