The MMIO here refers to an 8K memory mapped I/O area that is used by the chipset. Except where noted otherwise (notably on the BackPlane page), this refers to the registers of the wireless core. All other memory is accessed through this memory.
Note that the MMIO needs to be enabled by the BackPlane before use. Not doing this usually results in the card (and the computer) freezing, requiring a reboot.
MMIO Registers by Offset
Offset |
Size (bytes) |
Description |
0x18 |
4 |
Used by Cram feature on Rev 3 or newer cards |
0x20 |
4 |
|
0x24 |
4 |
|
0x28 |
4 |
|
0x2C |
4 |
|
0x30 |
4 |
|
0x34 |
4 |
|
0x38 |
4 |
|
0x3C |
4 |
|
0x40 |
4 |
|
0x44 |
4 |
|
0x48 |
4 |
|
0x4C |
4 |
|
0x120 |
4 |
|
0x124 |
4 |
|
0x128 |
4 |
Generic Interrupt Reason (non-DMA interrupts) (see Interrupts) |
0x12C |
4 |
Generic Interrupt Mask Register |
0x130 |
4 |
TemplateRam Address |
0x134 |
4 |
TemplateRam Data (affected by SBF_REGISTER_BYTESWAP) |
0x140 |
4 |
Power Management Bitfield (Documented in PowerManagementQueue) |
0x144 |
6 |
PowerManagementQueue MAC (Octet 0 = is the lowest 8 bits of 0x144) |
0x158 |
4 |
(corerev >= 3 only) if bit 16 is set, the radio is hardware-disabled. Most likely no other function. (cf. 0x49A) |
0x160 |
4 |
SHM Control |
0x164 |
2 |
SHM Data - High 16 Bits R/W (can be used as 32 bit register for high and low together) |
0x166 |
2 |
SHM Data - Low 16 Bits R/W |
0x170 |
4 |
TransmitStatus indicator |
0x174 |
4 |
TransmitStatus data |
0x180 |
4 |
lower 32 bits of the TSF 64 bit value (revision >= 3 cores only, see Timing) |
0x184 |
4 |
upper 32 bits of the TSF 64 bit value (revision >= 3 cores only, see Timing) |
0x188 |
4 |
beacon interval * (1<<16); the lowest bit indicates if the ATIM window is set/valid (slight FIXME here) (revision >= 3 cores only, see Timing) |
0x18C |
4 |
TBTT (revision >= 3 cores only, see Timing) |
0x190 |
4 |
ATIM window (revision >= 3 cores only, relevant only in ad-hoc mode) |
0x200 |
- |
DMA Register Space |
0x300 |
- |
PIO Register Space (SB Rev < 0xB) |
0x3E0 |
2 |
PHYVersioning Register |
0x3E2 |
2 |
A/B PHY Radio Bit Field (?) - Known to contain antenna div |
0x3E6 |
2 |
Baseband Attenuation for B/G PHYs Revision 0 |
0x3E8 |
2 |
AntennaBitField (?) |
0x3EC |
2 |
Is written with 0x3F22 at the start of PHY initialization on B PHYs, rev 2 and 4. Is written with 0x3F3F when doing 2050 radio calibration(?) and we have a B PHY |
0x3F0 |
2 |
Channel Register |
0x3F6 |
2 |
RadioRegister Control Offset |
0x3F8 |
2 |
RadioRegister Data - High 16 Bits R/W |
0x3FA |
2 |
RadioRegister Data - Low 16 Bits R/W |
0x3FC |
2 |
PHYRegister Control Offset |
0x3FE |
2 |
PHYRegister Data - 16 Bits R/W |
0x420 |
2 |
MacAddressFilter control register |
0x422 |
2 |
MacAddressFilter data register |
0x43C |
2 |
always set to 0x32 when clearing the security hardware (corerev >= 5 only) |
0x49A |
2 |
(corerev < 3 only) if bit 4 is not set, the radio is hardware-disabled. Most likely no other function. (cf. 0x158)) |
0x49C |
2 |
|
0x49E |
2 |
|
0x520 |
2 |
Unknown Control Register |
0x540 |
2 |
Unknown Data Register |
0x604 |
2 |
TTBT in usecs for BSS#3 (?) (revision < 3 cores only) |
0x606 |
2 |
Beacon Interval >> 6 for BSS#3 (?) (revision < 3 cores only) |
0x608 |
2 |
|
0x60C |
2 |
ATIM Window BSS#3? (?) (revision < 3 cores only) |
0x60E |
2 |
The lowest bit indicates if the ATIM window is set/valid for BSS#3 (?) (revision < 3 cores only, see Timing) |
0x610 |
2 |
Beacon Interval for BSS#3 (?) (revision < 3 cores only) |
0x632 |
2 |
TSF (bits 15 - 0) (revision < 3 cores only) |
0x634 |
2 |
TSF (bits 31 - 16) (revision < 3 cores only) |
0x636 |
2 |
TSF (bits 47 - 32) (revision < 3 cores only) |
0x638 |
2 |
TSF (bits 63 - 48) (revision < 3 cores only) |
0x65A |
2 |
RNG, not known how it generates random values but they are rather good |
0x684 |
2 |
slot time + 510, see SlotTiming |
0x6A8 |
2 |
Fast Powerup Delay Control |
Also see PCI mapped memory on BackPlane, offsets above 0x1000 are in the SPROM.