bcm-specs

[Specification

The MMIO here refers to an 8K memory mapped I/O area that is used by the chipset. Except where noted otherwise (notably on the BackPlane page), this refers to the registers of the wireless core. All other memory is accessed through this memory.

/!\ Note that the MMIO needs to be enabled by the BackPlane before use. Not doing this usually results in the card (and the computer) freezing, requiring a reboot.

MMIO Registers by Offset

Offset

Size (bytes)

Description

0x18

4

Used by Cram feature on Rev 3 or newer cards

0x20

4

DMA/PIO Interrupt Reason (Controller 1)

0x24

4

DMA/PIO Interrupt Mask (Controller 1)

0x28

4

DMA/PIO Interrupt Reason (Controller 2)

0x2C

4

DMA/PIO Interrupt Mask (Controller 2)

0x30

4

DMA/PIO Interrupt Reason (Controller 3)

0x34

4

DMA/PIO Interrupt Mask (Controller 3)

0x38

4

DMA/PIO Interrupt Reason (Controller 4)

0x3C

4

DMA/PIO Interrupt Mask (Controller 4)

0x40

4

DMA/PIO Interrupt Reason (Controller 5)

0x44

4

DMA/PIO Interrupt Mask (Controller 5)

0x48

4

DMA/PIO Interrupt Reason (Controller 6)

0x4C

4

DMA/PIO Interrupt Mask (Controller 6)

0x120

4

StatusBitField

0x124

4

Reg124BitField

0x128

4

Generic Interrupt Reason (non-DMA interrupts) (see Interrupts)

0x12C

4

Generic Interrupt Mask Register

0x130

4

TemplateRam Address

0x134

4

TemplateRam Data (affected by SBF_REGISTER_BYTESWAP)

0x140

4

Power Management Bitfield (Documented in PowerManagementQueue)

0x144

6

PowerManagementQueue MAC (Octet 0 = is the lowest 8 bits of 0x144)

0x158

4

(corerev >= 3 only) if bit 16 is set, the radio is hardware-disabled. Most likely no other function. (cf. 0x49A)

0x160

4

SHM Control

0x164

2

SHM Data - High 16 Bits R/W (can be used as 32 bit register for high and low together)

0x166

2

SHM Data - Low 16 Bits R/W

0x170

4

TransmitStatus indicator

0x174

4

TransmitStatus data

0x180

4

lower 32 bits of the TSF 64 bit value (revision >= 3 cores only, see Timing)

0x184

4

upper 32 bits of the TSF 64 bit value (revision >= 3 cores only, see Timing)

0x188

4

beacon interval * (1<<16); the lowest bit indicates if the ATIM window is set/valid (slight FIXME here) (revision >= 3 cores only, see Timing)

0x18C

4

TBTT (revision >= 3 cores only, see Timing)

0x190

4

ATIM window (revision >= 3 cores only, relevant only in ad-hoc mode)

0x200

-

DMA Register Space

0x300

-

PIO Register Space (SB Rev < 0xB)

0x3E0

2

PHYVersioning Register

0x3E2

2

A/B PHY Radio Bit Field (?) - Known to contain antenna div

0x3E6

2

Baseband Attenuation for B/G PHYs Revision 0

0x3E8

2

AntennaBitField (?)

0x3EC

2

Is written with 0x3F22 at the start of PHY initialization on B PHYs, rev 2 and 4. Is written with 0x3F3F when doing 2050 radio calibration(?) and we have a B PHY

0x3F0

2

Channel Register

0x3F6

2

RadioRegister Control Offset

0x3F8

2

RadioRegister Data - High 16 Bits R/W

0x3FA

2

RadioRegister Data - Low 16 Bits R/W

0x3FC

2

PHYRegister Control Offset

0x3FE

2

PHYRegister Data - 16 Bits R/W

0x420

2

MacAddressFilter control register

0x422

2

MacAddressFilter data register

0x43C

2

always set to 0x32 when clearing the security hardware (corerev >= 5 only)

0x49A

2

(corerev < 3 only) if bit 4 is not set, the radio is hardware-disabled. Most likely no other function. (cf. 0x158))

0x49C

2

GPIO Control Register - GPIO Pin On/Off

0x49E

2

GPIO Control Register - GPIO Pin Enable

0x520

2

Unknown Control Register

0x540

2

Unknown Data Register

0x604

2

TTBT in usecs for BSS#3 (?) (revision < 3 cores only)

0x606

2

Beacon Interval >> 6 for BSS#3 (?) (revision < 3 cores only)

0x608

2

0x60C

2

ATIM Window BSS#3? (?) (revision < 3 cores only)

0x60E

2

The lowest bit indicates if the ATIM window is set/valid for BSS#3 (?) (revision < 3 cores only, see Timing)

0x610

2

Beacon Interval for BSS#3 (?) (revision < 3 cores only)

0x632

2

TSF (bits 15 - 0) (revision < 3 cores only)

0x634

2

TSF (bits 31 - 16) (revision < 3 cores only)

0x636

2

TSF (bits 47 - 32) (revision < 3 cores only)

0x638

2

TSF (bits 63 - 48) (revision < 3 cores only)

0x65A

2

RNG, not known how it generates random values but they are rather good

0x684

2

slot time + 510, see SlotTiming

0x6A8

2

Fast Powerup Delay Control

Also see PCI mapped memory on BackPlane, offsets above 0x1000 are in the SPROM.


Exported/Archived from the wiki to HTML on 2016-10-27