w86l488y
wm9705
pxa263
sharp lz9fc22
2x infineon hy839l256160ac-7.5
intel 3300l0ztd0 (flash likely)



address 0 has intel strataflash K3
TWO of them as 32 bit parallel
so commands issued need to be issued word-wise, 

for example to write the "read config" register
we write 0x00600000 and then 0x00030003
since the command is 0x60 0x03 and we are issuing to two 16-bit wide memories at once!!!
addr pins are tied together on them. thus the data of the command (issued as address for that one)
is sent to both at once (0xa308 in this case, which means they'll see 0x28c2 [aka lsr 2] (one div2 since they need halfword address and not byte address, another since there are two))
	sync burst, latency code 5, 8-word burst

boot code writes to static chip select 1 (0x04000000)
it is configured as a 32-bit wide SRAM
this is more strataflash. manufacturer code 0x90 is verified
this one is configured as 0x28308 (flash sees 0xA0C2)

			GPLR						GPDR						GRER						GFER						GAFR
in cradle	0f0a9023 03ff7ffe 0300c400	ce22c140 fcffab83 0001ffff	00c12e1c 00000010 003e0000	00c93e3d 00000010 003e0000	80000004 a5000018 699a9550 aaa5aaaa aaaaaaaa 00005000
not cradled	0f0a9423 e3ff7ffe 0300c779	ce22c140 fcffab83 0001ffff	00c12e1c 00000010 003e0000	00c93e3d 00000010 003e0000	80000004 a5000018 699a9550 aaa5aaaa aaaaaaaa 00004000
bootloader	0a581c0d 00ff0002 00010000	0a22c140 00ffab83 0001c000	00000000 00000000 00000000	00000000 00000000 00000000	80000004 00000018 999a9550 0005aaaa a0000000 00005000


XXX: remember gpio dirs and AFRs reversed for gpios 85+

bootloader diagnostic mode is entered if system is booted with hard #2 (contacts) and jog wheel select pressed!

#	val	DIR	EDG	AFR	USE
0	1	0	F	0	power button (active low)
1	1	0		1	gpio reset (active low)
2	0	0	RF	0	BUTTON - hard #2: contacts (active high)
3	0	0	RF	0	BUTTON - hard #1: calendar (active high)
4	0	0	RF	0	BUTTON - hard #3: inbox (active high)
5	1	0	F	0	BUTTON - battery door open detect (high when closed)
6	0	1		0	
7	0	0		0	
8	0	1		0	
9	0	0	RF	0	BUTTON - right tiny button: wireless (active high)
10	?	0	RF	0				low when in cradle
11	0	0	RF	0	BUTTON - hard #4: home (active high)
12	1	0	F	0	sd chip interrupt?
13	0	0	RF	0	BUTTON - left tiny button: voice rec (active high)
14	0	1		0	
15	1	1		2	nCS1
16	0	0	RF	0	BUTTON - jog wheel up (active high)
17	1	1		2	PWM1 (lcd backlight?)
18	0	0		1	RDY (external memory controller signal). BUT also set to input by audio code ..... ?????
19	1	0	F	0	
20	0	0		0	
21	0	1		0	
22	0	0	RF	0	BUTTON - jog wheel select (active high)
23	0	0	RF	0	BUTTON - jog wheel down (active high)
24	1	0		0	"is charging" active low
25	1	1		0	
26	1	1		0	not output in bootloader
27	1	1		0	
28	0	0		1	AC97 bit_clk
29	0	0		1	AC97 sdata_in0
30	0	1		2	AC97 sdata_out
31	0	1		2	AC97 sync
32	0	1		0	
33	1	1		0	sd controller reset active low
34	1	0		1	FFUART RX
35	1	0		1	FFUART CTS
36	1	0	RF	1	FFUART DCD
37	1	0		1	FFUART DSR
38	1	0		1	FFUART RI
39	1	1		2	FFUART TX
40	1	1		2	FFUART DTR
41	1	1		2	FFUART RTS
42	1	0		1	BTUART RX
43	1	1		2	BTUART TX
44	1	0		1	BTUART CTS
45	1	1		2	BTUART RTS
46	1	0		2	STUART RX		bl configures this for afr 1 (irrx)
47	0	1		1	STUART TX		bl configures this for afr 2 (irtx)
48	1	1		2	nPOE (memory)
49	1	1		2	nPWE (memory)
50	1	1		2	nPIOR (memory)
51	1	1		2	nPIOW (memory)
52	1	1		2	nPCE1 (memory)
53	1	1		2	nPCE2 (memory)
54	1	1		2	nPSKTSEL (memory)
55	1	1		2	nPREG (memory)
56	1	0		1	nPWAIT (memory)
57	1	0		1	nIOIS16 (memory)
58	0	1		2	LDD0 (display)
59	0	1		2	LDD1 (display)
60	0	1		2	LDD2 (display)
61	?	1		2	LDD3 (display)
62	?	1		2	LDD4 (display)
63	?	1		2	LDD5 (display)
64	?	1		2	LDD6 (display)
65	0	1		2	LDD7 (display)
66	0	1		2	LDD8 (display)
67	?	1		2	LDD9 (display)
68	?	1		2	LDD10 (display)
69	?	1		2	LDD11 (display)
70	?	1		2	LDD12 (display)
71	0	1		2	LDD13 (display)
72	?	1		2	LDD14 (display)
73	?	1		2	LDD15 (display)
74	1	1		2	LCD FCLK (display)
75	0	1		2	LCD LCLK (display)
76	0	1		2	LCD PCLK (display)
77	0	1		2	LCD ACBIAS (display)
78	1	1		2	nCS2 (memory)
79	1	1		2	nCS3 (memory)
80	0	1		0	
81	0	0	RF	0	BUTTON - navpad - right (active high)
82	0	0	RF	0	BUTTON - navpad - up (active high)
83	0	0	RF	0	BUTTON - navpad - select (active high)
84	0	0	RF	0	BUTTON - navpad - down (active high)
85	0	0	RF	0	BUTTON - navpad - left (active high)
86	0	0(out)		1	used as gpio only in cradle ???
87	0	0(out)		1	
88	1	0(out)		0	RDnWR (memory)
89	1	0(out)		0	AC97 reset
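
The three register dumps can be cross-checked against the per-pin table mechanically. Added example, not part of the original notes: it assumes the dump columns are GPLR0-2, GPDR0-2 and GAFR0_L through GAFR2_U in that order (which agrees with the table rows), and the function names are made up here.

```c
#include <stdint.h>
#include <stdio.h>

/* One snapshot in the order the notes dump it: GPLR0-2, GPDR0-2, then
 * GAFR0_L, GAFR0_U, GAFR1_L, GAFR1_U, GAFR2_L, GAFR2_U (order assumed). */
struct gpio_dump { uint32_t gplr[3], gpdr[3], gafr[6]; };

static const struct gpio_dump in_cradle = {
    {0x0f0a9023, 0x03ff7ffe, 0x0300c400}, {0xce22c140, 0xfcffab83, 0x0001ffff},
    {0x80000004, 0xa5000018, 0x699a9550, 0xaaa5aaaa, 0xaaaaaaaa, 0x00005000}};
static const struct gpio_dump not_cradled = {
    {0x0f0a9423, 0xe3ff7ffe, 0x0300c779}, {0xce22c140, 0xfcffab83, 0x0001ffff},
    {0x80000004, 0xa5000018, 0x699a9550, 0xaaa5aaaa, 0xaaaaaaaa, 0x00004000}};
static const struct gpio_dump bootloader = {
    {0x0a581c0d, 0x00ff0002, 0x00010000}, {0x0a22c140, 0x00ffab83, 0x0001c000},
    {0x80000004, 0x00000018, 0x999a9550, 0x0005aaaa, 0xa0000000, 0x00005000}};

#define NUM_GPIOS 90u /* the table lists pins 0..89 */

/* Pin level: one bit per pin, 32 pins per GPLR word. */
unsigned gpio_level(const struct gpio_dump *d, unsigned pin) {
    return (d->gplr[pin / 32] >> (pin % 32)) & 1u;
}
/* Direction bit exactly as stored; the notes say its sense is reversed
 * for the top pins, so no interpretation is applied here. */
unsigned gpio_dir_bit(const struct gpio_dump *d, unsigned pin) {
    return (d->gpdr[pin / 32] >> (pin % 32)) & 1u;
}
/* Alternate function: two bits per pin, 16 pins per GAFR word. */
unsigned gpio_afr(const struct gpio_dump *d, unsigned pin) {
    return (d->gafr[pin / 16] >> ((pin % 16) * 2)) & 3u;
}
/* Collect pins whose level, direction bit or AFR differ between two dumps. */
unsigned gpio_diff(const struct gpio_dump *a, const struct gpio_dump *b,
                   unsigned *pins, unsigned max) {
    unsigned n = 0;
    for (unsigned p = 0; p < NUM_GPIOS && n < max; p++)
        if (gpio_level(a, p) != gpio_level(b, p) ||
            gpio_dir_bit(a, p) != gpio_dir_bit(b, p) ||
            gpio_afr(a, p) != gpio_afr(b, p))
            pins[n++] = p;
    return n;
}

int main(void) {
    unsigned pins[NUM_GPIOS];
    unsigned n = gpio_diff(&in_cradle, &not_cradled, pins, NUM_GPIOS);
    for (unsigned i = 0; i < n; i++) printf("gpio %u differs\n", pins[i]);
    printf("bootloader afr46=%u afr47=%u\n",
           gpio_afr(&bootloader, 46), gpio_afr(&bootloader, 47));
    return 0;
}
```

The pins reported as differing between the cradled and uncradled dumps are the ones carrying "?" in the val column, plus gpio 86, whose AFR changes.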


GPIOS 58..63 are also used to identify device type:
here is how: set as high. set as outputs. wait 2ms. set as inputs, read 100 times, last read is value. 
basically this tests for pull downs and gives 6 bits of "features"
what we know:
 bit 62 having a pulldown means low end device (300mhz, half the ram)
 bits 59 and 63 set BT features. pulldown only on 63 means we have BT. other values mean no BT


mysteries:
	* how to control that mux for serial debug output
	* way to measure backup battery
	* way to charge backup battery


LCD config: 
LCCR regs: 003008f9 3a0f34ef 04000d3f 04900008


on wakeup from sleep, after gpios and memories are inited, the code will
checksum 0x59 WORDS from 0xA0031000 as follows. that value is compared against PSPR
if they match, wakeup sequence is initiated. see rom at 0x002668

==== SD chip ===
//MSC value for SD controller: 0x77797FF1
//sd controller wired to 0x0c000000, same as T3 basically
gpio0 is card detect. pin is low when card is inserted, this means the bit will read high when card inserted(chip inverts inputs when reporting them)
gpio1..gpio3 are configured as outputs, outputting low
gpio4 is card lock detect. low when card is UNLOCKED, this means the bit will read high when unlocked (chip inverts inputs when reporting them)

when running sd chip is as follows:
direct:
	001 [sta]  = 0x081f
	011 [int]  = 0x009f
	100 [gpio] = 0x310e
	101 [gINT] = 0x3001
indirect:
	0000 [sett/sta] = 0x0449
	0001 [sdio]     = 0x8f00
	0010 [mDfmt]    = 0x8200
	0011 [mBCnt]    = 0x0001
	0100 [sDfmt]    = 0x0200
	0101 [dBCnt]    = 0x0001
	0110 [nakTo]    = 0x0000
	0111 [errSta]   = 0x0000
	1000 [hostIf]   = 0xbe00
	1001 [test]     = 0x0000
	1010 [id]       = 0x488c


==== audio codec config when running WinCE ====
only-nonzero-valued regs shown

	AC97[00h] = 0x6150
	AC97[02h] = 0x8202
	AC97[04h] = 0x8808
	AC97[06h] = 0x8002
	AC97[0ah] = 0x8000
	AC97[0ch] = 0x8008
	AC97[0eh] = 0x8000
	AC97[10h] = 0x9f1f
	AC97[12h] = 0x8808
	AC97[14h] = 0x8808
	AC97[16h] = 0x8808
	AC97[18h] = 0x0606
	AC97[1ch] = 0x8f0f
	AC97[26h] = 0xe708
	AC97[28h] = 0x0605
	AC97[2ah] = 0x0001
	AC97[2ch] = 0xac44
	AC97[32h] = 0xac44
	AC97[3ah] = 0x2000
	AC97[5ah] = 0x0020
	AC97[5ch] = 0x4000
	AC97[76h] = 0x7f38	poll = 0, PCBEEP sampled, slot = 5(val 0), slen = 1, DEL = 3, 750Hz, continuous conversion, 
	AC97[78h] = 0xf054	digitizer on, PR4 reset on pen down wake, stop conversions when pen is up, PENDET not inverted, busy flag off, no waiting for overloading data, pressure current 200uA, ignore phone and pcbeep, mask pin status, hi halts conversion, 4/15 Vmid for detector
	AC97[7ah] = 0x7789	pen up, ?, ?
	AC97[7ch] = 0x574d
	AC97[7eh] = 0x4c05

ADC Vref = 3.3
volume reg 0x02 controls headphones
volume reg 0x06 controls speaker
switching is automatic at hardware level

PHIZ bit needs to be set to not corrupt ADC info
all the 4 misc ADCs in the touch screen area are used for battery reporting!
There is a controllable precision 0.2 ohm shunt switchable via CPLD mask 0x8000

backupBatteryMilliVolts = AUXADC * 1393 / 1755
batteryVoltage = BMON * 4200 / 1770		//using shunt control this can also be used to measure current (measure volts both ways, subtract, multiply by 50)
batteryTemperature: PHONE => interpolate_temp_tab	//only usable when shunt is off (cpld bit high), AND not charging

interpolate_temp_tab:	inputs (adc) {138, 1339, 2020, 2360, 2600}  => outputs (units of 1/10 degree C) {1000, 450, 250, 100, 0};
																	=> "TEMP RANGE" output (for other calcs, also interpolated to integer) { 0, 1, 2, 3, 4}. if over limit, 3





when running clk configs are 00000241 000179ef 00000003
when running IC is configured as so: 00000000 86700f00 00000000 00000000 00000000 00000001
when running timers are configured as: OSMR: {0x17b0d5de, 0x17a4c379, 0x00000000, 0x00000000}, OIER=0x00000001 OWER=0x00000000 OSCR=0x17b0c93e OSSR=0x00000000







TTBR appears to be at 0xA0080000
as mapped, high vectors are used, and the vectors at VA 0xffff0000 are at PA 0xA0084000 
it has 8 vector handlers, each: LDR PC, [PC, #0x3D8], thus loading from 0x3E0 away from itself
this addressed area at VA 0xffff03E0 is PA 0xA00843E0 

initial mem map is:
<va, pa, numMB>
<0x80000000, 0x00000000, 0x20>	//internal flash
<0x82000000, 0x04000000, 0x20>	//external flash
<0x84000000, 0xA0000000, 0x40>	//RAM
<0x88000000, 0xA4000000, 0x40>	//RAM
<0x8C000000, 0x40000000, 0x20>	//MMIO
<0x8E000000, 0x20000000, 0x20>	//PCMCIA slot 0
<0x90000000, 0x28000000, 0x20>	//PCMCIA slot 0
<0x92000000, 0x2C000000, 0x40>	//PCMCIA slot 0
<0x96000000, 0x30000000, 0x20>	//PCMCIA slot 1
<0x98000000, 0x38000000, 0x20>	//PCMCIA slot 1
<0x9A000000, 0x3C000000, 0x40>	//PCMCIA slot 1
<0x9E000000, 0xE0000000, 1>		//invalid PA (likely for dcache flushing)
<0x9E100000, 0x48000000, 1>		//mem controller
<0x9E200000, 0x44000000, 1>		//display
<0x9E400000, 0x08000000, 4>		//static CS2 (CPLD?)
<0x9E800000, 0x0C000000, 4>		//static CS3 (SD chip)
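
The initial map as a lookup table, useful for turning VAs seen in disassembly into physical addresses. Added example, not from the original notes; struct and function names are made up here, the rows are copied from the list above.

```c
#include <stdint.h>
#include <stdio.h>

struct map_ent { uint32_t va, pa, mb; };

/* <va, pa, numMB> rows copied from the initial map in the notes. */
static const struct map_ent initial_map[] = {
    {0x80000000, 0x00000000, 0x20}, {0x82000000, 0x04000000, 0x20},
    {0x84000000, 0xA0000000, 0x40}, {0x88000000, 0xA4000000, 0x40},
    {0x8C000000, 0x40000000, 0x20}, {0x8E000000, 0x20000000, 0x20},
    {0x90000000, 0x28000000, 0x20}, {0x92000000, 0x2C000000, 0x40},
    {0x96000000, 0x30000000, 0x20}, {0x98000000, 0x38000000, 0x20},
    {0x9A000000, 0x3C000000, 0x40}, {0x9E000000, 0xE0000000, 1},
    {0x9E100000, 0x48000000, 1},    {0x9E200000, 0x44000000, 1},
    {0x9E400000, 0x08000000, 4},    {0x9E800000, 0x0C000000, 4},
};
#define MAP_LEN (sizeof initial_map / sizeof initial_map[0])

/* Translate a VA. Returns 1 and stores the PA on a hit, 0 if unmapped. */
int va_to_pa(uint32_t va, uint32_t *pa) {
    for (size_t i = 0; i < MAP_LEN; i++) {
        uint32_t off = va - initial_map[i].va; /* wraps to huge if va < base */
        if (off < (initial_map[i].mb << 20)) {
            *pa = initial_map[i].pa + off;
            return 1;
        }
    }
    return 0;
}

/* Sanity check for a hand-transcribed table: count overlapping VA ranges. */
unsigned map_overlaps(void) {
    unsigned n = 0;
    for (size_t i = 0; i < MAP_LEN; i++)
        for (size_t j = i + 1; j < MAP_LEN; j++) {
            uint64_t ai = initial_map[i].va, aj = initial_map[j].va;
            uint64_t bi = ai + ((uint64_t)initial_map[i].mb << 20);
            uint64_t bj = aj + ((uint64_t)initial_map[j].mb << 20);
            if (ai < bj && aj < bi) n++;
        }
    return n;
}

int main(void) {
    uint32_t pa;
    if (va_to_pa(0x84480000u, &pa)) printf("0x84480000 -> 0x%08X\n", (unsigned)pa);
    printf("overlaps: %u\n", map_overlaps());
    return 0;
}
```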

//when running the system has the following partial kernel-space map (not complete)
// 0xa0000000 -> 0x00000000 32M (built in flash)
// 0xa2000000 -> 0x04000000 64M (external flash)
// 0xa4000000 -> 0xa0000000 64M (all of ram)
// 0xac000000 -> 0x40000000 32M (all 0x40000000 periphs)
// 0xbe000000 -> 0xe0000000 1M (invalid PA ???)
// 0xbe100000 -> 0x48000000 1M (mem ctrlr)
// 0xbe200000 -> 0x44000000 1M (lcd ctrlr)
// 0xbe400000 -> 0x08000000 4M (some sort of a CPLD?)
// 0xbe800000 -> 0x0c000000 4M (SD chip)


//in bootloader self test mode the map is 
0x80000000-0x81FFFFFF -> 0x00000000-0x01FFFFFF dom0 ap1 cb
0x82000000-0x83FFFFFF -> 0x04000000-0x05FFFFFF dom0 ap1 cb
0x84000000-0x8BFFFFFF -> 0xA0000000-0xA7FFFFFF dom0 ap1 cb
0x8C000000-0x8DFFFFFF -> 0x40000000-0x41FFFFFF dom0 ap1 cb
0x8E000000-0x8FFFFFFF -> 0x20000000-0x21FFFFFF dom0 ap1 cb
0x90000000-0x91FFFFFF -> 0x28000000-0x29FFFFFF dom0 ap1 cb
0x92000000-0x97FFFFFF -> 0x2C000000-0x31FFFFFF dom0 ap1 cb
0x98000000-0x99FFFFFF -> 0x38000000-0x39FFFFFF dom0 ap1 cb
0x9A000000-0x9DFFFFFF -> 0x3C000000-0x3FFFFFFF dom0 ap1 cb
0x9E000000-0x9E0FFFFF -> 0xE0000000-0xE00FFFFF dom0 ap1 cb
0x9E100000-0x9E1FFFFF -> 0x48000000-0x480FFFFF dom0 ap1 cb
0x9E200000-0x9E2FFFFF -> 0x44000000-0x440FFFFF dom0 ap1 cb
0x9E400000-0x9E7FFFFF -> 0x08000000-0x083FFFFF dom0 ap1 cb
0x9E800000-0x9EBFFFFF -> 0x0C000000-0x0C3FFFFF dom0 ap1 cb
0xA0000000-0xA1FFFFFF -> 0x00000000-0x01FFFFFF dom0 ap1   
0xA2000000-0xA3FFFFFF -> 0x04000000-0x05FFFFFF dom0 ap1   
0xA4000000-0xABFFFFFF -> 0xA0000000-0xA7FFFFFF dom0 ap1   
0xAC000000-0xADFFFFFF -> 0x40000000-0x41FFFFFF dom0 ap1   
0xAE000000-0xAFFFFFFF -> 0x20000000-0x21FFFFFF dom0 ap1   
0xB0000000-0xB1FFFFFF -> 0x28000000-0x29FFFFFF dom0 ap1   
0xB2000000-0xB7FFFFFF -> 0x2C000000-0x31FFFFFF dom0 ap1   
0xB8000000-0xB9FFFFFF -> 0x38000000-0x39FFFFFF dom0 ap1   
0xBA000000-0xBDFFFFFF -> 0x3C000000-0x3FFFFFFF dom0 ap1   
0xBE000000-0xBE0FFFFF -> 0xE0000000-0xE00FFFFF dom0 ap1   
0xBE100000-0xBE1FFFFF -> 0x48000000-0x480FFFFF dom0 ap1   
0xBE200000-0xBE2FFFFF -> 0x44000000-0x440FFFFF dom0 ap1   
0xBE400000-0xBE7FFFFF -> 0x08000000-0x083FFFFF dom0 ap1   
0xBE800000-0xBEBFFFFF -> 0x0C000000-0x0C3FFFFF dom0 ap1   



CPLD (PA 0x08000000) is just a single writeable word register which cannot be read (must cache value locally)
function <cpld_control@0x84105F6C(u32 setBits, u32 clearBits, bool skipMutex)> controls the write and cache
CPLD is actually just a 16-bit latch
chip further from crystal is likely lower bits
seen values are summarized below. thus we know the following:

0x00000001 - audio codec
0x00000002 - flash chips write enable (set to enable)
0x00000004 - audio amp speakers and phones
0x00000008 - ?
0x00000010 - LCD ac bias power (turning off - it still works but inverted and ghosted, maybe ac bias)
0x00000020 - LCD panel power (turning off turns screen white instantly)
0x00000040 - backlight power
0x00000080 - usb iface power or mux or something (set to 1 to enable usb to communicate with the outside world)
0x00000100 - writing as 1 makes green led blink (orange comes off if on by charging)
0x00000200 - sd iface/card power (active high)
0x00000400 - writing as 1 makes orange led blink if not in charger
0x00000800 - ? [not seen]
0x00001000 - LCD conditioning chip power (turning off fades display out with no updates, can see line where things went bad)
0x00002000 - ?
0x00004000 - ?	related to serial port (seen in serial driver). possibly BT
0x00008000 - shunt control for power measurement. if LOW will power device via 0.2 ohm resistor. if high, directly (thus high preferred for usual operation)



 (0x6000, 0xFFFF9FFF, 1) early in boot
-(0x200, 0, 1) for sd init
-(0, 0x200, 1) after done with SD
 (0x500, 0, 1) for LED test part 1
 (0, 0x500, 1) for LED test part 2
 (0, 4, 1) when enabling gpio reset on fatal alert
 (1,0,1) before what i presume are audio tests
 (4,0,1) after what i presume are audio tests
-(2,0,1) to enable flash write
-(0,2,1) to disable it
 (0,0x8001,1) before enabling gpio reset
-(0x80,0,1) before usb download from host
-(0,0x80,1) after usb download from host
 (0xc279, 0, 1) before what i presume are IR tests but also touch pwm
 (0,0x8001, 1) after what i presume are IR tests but also touch pwm
 (0,4,1) before enabling AC97 primary codec, possibly codec or amp power
-(0x40, 0, 1) before screen backlight brightness tests (maybe backlight brightness)
 (0xd271, 0, 1) when tests pass



               /   read from rom     \       /fixed as per BL\
system uuid is 17 00 03 00 a6 3f 9a 91 c8 00 00 50 bf e4 5c e5

reading the ID words 0x81..0x84 from internal flash produces this. bottom 16 bits are the number...

I val [0x00000081] 0x001d0017
I val [0x00000082] 0x000a0003
I val [0x00000083] 0x3fb03fa6
I val [0x00000084] 0x48d9c99a







#define BATTERY_CHEMISTRY_ALKALINE     0x01
#define BATTERY_CHEMISTRY_NICD         0x02
#define BATTERY_CHEMISTRY_NIMH         0x03
#define BATTERY_CHEMISTRY_LION         0x04
#define BATTERY_CHEMISTRY_LIPOLY       0x05
#define BATTERY_CHEMISTRY_ZINCAIR      0x06
#define BATTERY_CHEMISTRY_UNKNOWN      0xFF

typedef struct _SYSTEM_POWER_STATUS_EX2 {
	/* 0x00 */ BYTE ACLineStatus;
	/* 0x01 */ BYTE BatteryFlag;
	/* 0x02 */ BYTE BatteryLifePercent;
	/* 0x03 */ BYTE Reserved1;
	/* 0x04 */ DWORD BatteryLifeTime;
	/* 0x08 */ DWORD BatteryFullLifeTime;
	/* 0x0c */ BYTE Reserved2;
	/* 0x0d */ BYTE BackupBatteryFlag;
	/* 0x0e */ BYTE BackupBatteryLifePercent;
	/* 0x0f */ BYTE Reserved3;
	/* 0x10 */ DWORD BackupBatteryLifeTime;
	/* 0x14 */ DWORD BackupBatteryFullLifeTime;
	// Above here is old struct, below are new fields
	/* 0x18 */ DWORD BatteryVoltage;			// Reports Reading of battery voltage in millivolts (0..65535 mV)
	/* 0x1c */ DWORD BatteryCurrent;			// Reports Instantaneous current drain (mA). 0..32767 for charge, 0 to -32768 for discharge
	/* 0x20 */ DWORD BatteryAverageCurrent;		// Reports short term average of device current drain (mA). 0..32767 for charge, 0 to -32768 for discharge
	/* 0x24 */ DWORD BatteryAverageInterval;	// Reports time constant (mS) of integration used in reporting BatteryAverageCurrent
	/* 0x28 */ DWORD BatterymAHourConsumed;		// Reports long-term cumulative average DISCHARGE (mAH). Reset by charging or changing the batteries. 0 to 32767 mAH
	/* 0x2c */ DWORD BatteryTemperature;		// Reports Battery temp in 0.1 degree C (-3276.8 to 3276.7 degrees C)
	/* 0x30 */ DWORD BackupBatteryVoltage;		// Reports Reading of backup battery voltage
	/* 0x34 */ BYTE  BatteryChemistry;			// See Chemistry defines above

	// New fields can be added below, but don't change any existing ones
}   SYSTEM_POWER_STATUS_EX2, *PSYSTEM_POWER_STATUS_EX2, *LPSYSTEM_POWER_STATUS_EX2;


backupBatteryVolts = AUXADC * 1393 / 1755
normal (take 3 samples, for each):
	if (BMON >= 15)
		BMON -= 15;
	PCBEEP:
		if (not sure 0x10004520)
			PCBEEP -= 0x46
	
	average of the 3 bmon samples,  * 4200 / 1770
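
The battery math from here and from the interpolate_temp_tab note earlier, written out in C. Added example, not from the original notes: function names are made up, results are taken to be millivolts and 1/10 degree C, and clamping ADC readings outside the table to its end points is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* interpolate_temp_tab from the notes: ADC reading -> 1/10 degree C. */
static const int32_t tab_adc[5]  = {138, 1339, 2020, 2360, 2600};
static const int32_t tab_temp[5] = {1000, 450, 250, 100, 0};

/* Piecewise-linear lookup between neighbouring table points.
 * Readings outside the table are clamped (assumption of this example). */
int32_t battery_temp_decic(int32_t adc) {
    if (adc <= tab_adc[0]) return tab_temp[0];
    for (int i = 1; i < 5; i++)
        if (adc <= tab_adc[i])
            return tab_temp[i - 1] + (tab_temp[i] - tab_temp[i - 1]) *
                   (adc - tab_adc[i - 1]) / (tab_adc[i] - tab_adc[i - 1]);
    return tab_temp[4];
}

/* Main battery: subtract 15 from each of the 3 BMON samples (when >= 15),
 * average them, then scale by 4200 / 1770. */
int32_t battery_mv(const uint16_t bmon[3]) {
    int32_t sum = 0;
    for (int i = 0; i < 3; i++)
        sum += bmon[i] >= 15 ? bmon[i] - 15 : bmon[i];
    return sum / 3 * 4200 / 1770;
}

/* Backup battery: AUXADC * 1393 / 1755. */
int32_t backup_battery_mv(int32_t auxadc) { return auxadc * 1393 / 1755; }

int main(void) {
    const uint16_t samples[3] = {1700, 1702, 1698}; /* constructed readings */
    printf("battery %d mV, backup %d mV, temp %d (0.1 C)\n",
           (int)battery_mv(samples), (int)backup_battery_mv(1500),
           (int)battery_temp_decic(2190));
    return 0;
}
```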


"PHONE" is 4095 (max) when charging. it is batt temp



TEMP_RANGE + ((PCBEEP_with_shunt_on - 1000) / 1000) * 4




stock bootloader uses 256KB of flash and can jump to an image at 0x40000

it can also write said image from card to there
insert card, filename must be /P16R_K*.NB0 for any value of "*"
it'll write it to flash at 0x40000


other names exist:
	"A" or "E" instead of "K" will write at 0, destroying the bootloader.
	"D" will just load to RAM at VA 0x84480000 (PA A0480000) and run after turning off the mmu and jumping to PA 0xA00FA574. this is used to load a new bootloader to RAM
	

