This page only describes what we knew earlier; with the v4 driver we have learned much more, which is described on ObjectMemory.
Addressing in the SHM
The SHM is accessed through MMIO offsets 0x160 (Control), 0x164 (Data, Low 16 bits) and 0x166 (Data, High 16 bits).
A 32 bit control word is used for addressing in the SHM. A control word can be broken up into two parts, the routing information (High 16 bits) and the memory offset to address (Low 16 bits). Note that these addresses are actually pointers to a word in the SHM, not a byte, so when the address is incremented (in either the internal counter or from a supplied address), it is pointing to the next aligned word.
The routing information dictates which shared memory is being accessed.
| Routing Value | Usage |
|---|---|
| 0x0001 | Shared Memory (Default if no control word is given) |
| 0x0002 | 802.11 Settings |
| 0x0003 | PCM Data |
| 0x0004 | Security Hardware MAC Address list (only if the core revision is >= 5) [MAC addresses 4-53] |
| 0x0300 | Microcode |
| 0x0301 | Initial Value Microcode(?) |
Note that the Shared Memory addresses are given as byte addresses instead of 32 bit word addresses.
Reading from the SHM
Reading from the SHM is accomplished by first writing the control word to MMIO offset 0x160. If a 32 bit value is to be read, read it as a 32 bit value from 0x164. If a 16 bit value is to be read, read it from MMIO 0x164 for the aligned read and 0x166 for the unaligned read. Note that after the memory read is complete, the internal pointer moves 32 bits ahead to the next aligned offset, even for a 16 bit read.
Writing to the SHM
Writing to the SHM is accomplished by first writing the control word to MMIO offset 0x160. If a 32 bit value is to be written, write it as a 32 bit value to 0x164. If a 16 bit value is to be written, write it to MMIO 0x164 for the aligned write and 0x166 for the unaligned write. Note that after the memory write is complete, the internal pointer moves 32 bits ahead to the next aligned offset, even for a 16 bit write.
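The addressing, read and write rules above, put together as an added example (not code from the original page or from any driver). The `sim_*` and `mmio_*` functions are a constructed stand-in for the hardware, and all function names are hypothetical; the model assumes the aligned half of a word is the low 16 bits at 0x164, as the register description states.

```c
#include <stdint.h>

#define SHM_CONTROL 0x160  /* control word */
#define SHM_DATA_LO 0x164  /* data, low 16 bits (also the 32 bit access) */
#define SHM_DATA_HI 0x166  /* data, high 16 bits */
#define SHM_SHARED  0x0001 /* routing value: Shared Memory */

/* Constructed stand-in for the device, so the example runs without hardware. */
static uint32_t sim_words[0x400]; /* one routing's memory, as 32 bit words */
static uint32_t sim_control;      /* last control word; low half auto-advances */

static uint32_t *sim_cur(void) { return &sim_words[sim_control & 0x3FF]; }
static void sim_advance(void) { /* every data access moves on one whole word */
    sim_control = (sim_control & 0xFFFF0000u) | ((sim_control + 1) & 0xFFFFu);
}
static void mmio_write32(uint16_t reg, uint32_t v) {
    if (reg == SHM_CONTROL) { sim_control = v; return; }
    *sim_cur() = v;
    sim_advance();
}
static void mmio_write16(uint16_t reg, uint16_t v) {
    uint32_t *w = sim_cur();
    if (reg == SHM_DATA_HI) *w = (*w & 0x0000FFFFu) | ((uint32_t)v << 16);
    else                    *w = (*w & 0xFFFF0000u) | v;
    sim_advance();
}
static uint16_t mmio_read16(uint16_t reg) {
    uint32_t w = *sim_cur();
    sim_advance();
    return (uint16_t)(reg == SHM_DATA_HI ? w >> 16 : w);
}

/* Routing in the high 16 bits, word offset in the low 16 bits. */
uint32_t shm_control_word(uint16_t routing, uint16_t word_off) {
    return ((uint32_t)routing << 16) | word_off;
}
/* Program the control word and return the data register to use. Shared Memory
 * offsets are byte offsets: divide by 4, and a remainder of 2 selects 0x166. */
static uint16_t shm_select(uint16_t routing, uint16_t off) {
    int unaligned = (routing == SHM_SHARED) && (off & 3);
    if (routing == SHM_SHARED) off >>= 2;
    mmio_write32(SHM_CONTROL, shm_control_word(routing, off));
    return unaligned ? SHM_DATA_HI : SHM_DATA_LO;
}
uint16_t shm_read16(uint16_t routing, uint16_t off) {
    return mmio_read16(shm_select(routing, off));
}
void shm_write16(uint16_t routing, uint16_t off, uint16_t v) {
    mmio_write16(shm_select(routing, off), v);
}
```

Byte offsets 0x0050 and 0x0052 both resolve to control word 0x00010014 and differ only in the data register used; after either access the pointer sits at word 0x0015.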
SHM Offsets and Usage
0x0001 - Shared Memory
The Shared Memory offsets are given here by byte offsets instead of 32 bit offsets (as required for addressing). To address these properly, you will have to use the proper 32 bit offset and then decide whether the address is aligned or unaligned.
| Offset | PHY | Usage |
|---|---|---|
| 0x0000 | | uCode Revision High 16 bits |
| 0x0002 | | uCode Revision Low 16 bits |
| 0x0012 | | DTIM period, keep updated when joining a BSS |
| 0x0010 | | Slot Time, see SlotTiming |
| 0x0016 | | Core Revision |
| 0x001C | | Time the Beacon TSF is off (?) |
| 0x001E | | VOS |
| 0x0024 | | Hardware Power Control |
| 0x0026 | | Hardware Power Control |
| 0x0028 | | Hardware Power Control |
| 0x0032 | | Hardware Power Control - TX Power |
| 0x003E | | Security MAC Address Count (on Core Revision < 5) |
| 0x0048 | | SSID Length (Used by Probe Response Matching) |
| 0x004E | | |
| 0x0050 | | PHY Revision |
| 0x0052 | | PHY Type (A:0, B:1, G:2, N:4) |
| 0x0054 | | Bit 0 is set if the rate is a clause 17 rate |
| 0x0056 | | Secondary WSEC Key Data Offset (Read only during init and saved) |
| 0x0058 | B/G | TSSI (1) - Really two 8 bit values, used to compute Estimated Power out value |
| 0x005A | B/G | TSSI (1) - Really two 8 bit values, used to compute Estimated Power out value |
| 0x005E | | |
| 0x0064 | B/G | Radio Attenuation |
| 0x0066 | A | Used by APHY Radar Detection |
| 0x0068 | A | TSSI |
| 0x006A | A | TSSI |
| 0x006E | B/G | RSSI Noise (see RSSINoisePostprocessing) |
| 0x0070 | B/G | TSSI (2) - Really two 8 bit values, used to compute Estimated Power out value |
| 0x0072 | B/G | TSSI (2) - Really two 8 bit values, used to compute Estimated Power out value |
| 0x0074 | | Probe Response Timeout |
| 0x0080 to 0x00EE | | Statistics area (since these values are 16 bit values they can overflow easily) |
| 0x0100 to 0x011E (rev <= 4) or to 0x016A | | Security control fields |
| 0x0120 to 0x015F | | Security Hardware MAC Address list (on Core Revision < 5) [MAC addresses 8 - 15, the other 4 (4-7) are in the MacAddressFilter] |
| 0x0180 to 0x0380 | | WSEC Key Data (16 items with a max of 32 bytes each) |
| 0x0380 | | Probe Response SSID |
| 0x0400 | | Frameburst Packet Size (8 or 16 are the only values used) |
| 0x0408 | | Noise Sample |
| 0x040A | | Noise Sample |
| 0x040C | | Channel in Radio Format |
| 0x0420 | | Used in 802.11h channel switching |
| 0x0480 to 0x049F | | OFDM Rates (copy from) |
| 0x04A0 to 0x04BF | | OFDM Rates (copy to) |
| 0x04C0 to 0x04DF | | Non-OFDM Rates (copy from) |
| 0x04E0 to 0x04FF | | Non-OFDM Rates (copy to) |
| 0x089C to 0x08A4 | | Used LO Control Bitmap (8 bytes) |
0x0002 - 802.11 Settings
There are some special 802.11 related values here (all 32 bits wide).
| Word Offset | Usage | Default value from InitialValues |
|---|---|---|
| 0x03 | Minimum Contention Window | 0x1F for B/G, 0xF for A, see below |
| 0x04 | Maximum Contention Window | 0x3FF |
| 0x05 | | 0x1F for B/G, 0xF for A, see below |
| 0x06 | Short Retry Limit (Max 0xF) | 7 |
| 0x07 | Long Retry Limit (Max 0xF) | 4 |
| 0x08 | | 0xFFFF |
| 0x09 | | 0 |
| 0x0A | | 0 |
| 0x0B | | 0 |
| 0x0C | | 0 |
| 0x0D | | 0 |
| 0x0E | | 0 |
| 0x0F | | 0 |
| 0x10 | | see 0x05 |
| 0x11 | | 0 |
| 0x12 | | 0 |
| 0x13 | | 0 |
| 0x14 | | 0x100 |
| 0x19 | | 0x3E6 |
| 0x1A | | 0x3E6 |
| 0x1B | | 0 |
Those that are different between the PHY types are the contention window minimum value which is 0xF for 802.11a and 0x1F for 802.11b/g, and a few others that also differ just in 0xF vs. 0x1F. I'd appreciate hints on where these values occur in the spec. It is possible, however, that the default minimum CW is written in two places (0x00020005 and 0x00020010).
0x0003 - PCM Data
The PCM data is written to address 0x01EB as 32 bit words. For more on the PCM, see PCMUpload. This also seems to be the routing number for the IHR register. (Anyone have a guess as to what IHR is?) The "bitfields" in the table below are only ever written to with 0x4000, and only when writing. Perhaps this is a "data incoming" switch?
| Offset | Function |
|---|---|
| 0x0133 | IHR Bitfield (?) |
| 0x0134 | IHR Write (Low 16 bits) |
| 0x0135 | IHR Write (High 16 bits) |
| 0x0136 | IHR Read (Low 16 bits) |
| 0x0137 | IHR Read (High 16 bits) |
| 0x01EA | PCM Bitfield (?) |
| 0x01EB | PCM Data Upload |
0x0004 - Security Hardware MAC Address list
If the core revision is 5 or higher, the hardware decryption address list is here. The MAC is written as a big endian value and is written as an int and a short. The next MAC skips the two bytes left over and starts on the next aligned word.
0x0300 - Microcode
The microcode is written here as 32 bit words starting at 0x0000. For more on the microcode see MicrocodeUpload.
0x0301
The initial value microcode is written as part of the InitialValues on DeviceInitialization.