Sunday, January 3, 2016

Inside the armv1 - the Read Bus B, ALU Output Bus, and Address Bus

This is my fifth post describing the armv1. My earlier posts can be found here:

Ken Shirriff has also written about the arm internals here.


In this blog I'll finish describing the remaining buses - Read Bus A, the ALU Output Bus, and the Address Bus. I covered Read Bus A in an earlier post. To help set the context I reproduce the chip floorplan (but remember, this diagram incorrectly labels read bus A and read bus B the wrong way around):

Read Bus A

This should be a simple bus, as according to the floorplan, the output of the second read port of the register bank should just feed the ALU port. But it turns out it's not quite so simple:



It turns out that the bottom 8 bits also feeds the Shift Decoder logic. This path is needed for the processor to implement the shift-option where a register specifies the number of bits by which the input operand is shifted.

The other surprise is that there is an option for  b0 to b5 to be sourced from the BIT CTR logic. This path is to implement the LDM/STM instructions - the first register to be loaded/saved needs to be offset from the base-register by the number of registers selected (depending on the instruction options).

Otherwise Read Bus A is like Read Bus B in that it relies on a precharge (driven by the phi 2 clock), and is inverted logic.

ALU Output Bus, Incrementer, and Address Bus

The reverse-engineered circuitry associated with the ALU Output Bus, Incrementer, and Address Bus is as follows. This is the circuit associated with bit 3:


Note that the Address Bus/Incrementer circuitry has two extra connections into the r15 (PC) register cells: an additional read signal, and an additional write signal. The new write signal operates in exactly the same way as described in my earlier post (shorts the output of one of the inverters).

The incrementer circuitry is in the centre of the diagram and comprises the 3x exclusive-nor gates, and 2-input nor gate. The control line input (7091) determines whether the circuit increments or decrements the input value (there's more about this control line below).

As with ALU described in an earlier blog, the input values to the incrementer are captured and stored by the transmission gate during the phase 1 clock time. The Carry In/Carry Out logic is slightly different for odd/even bits. This is also as described in the ALU and is to eliminate an inverter per bit and so reduce propagation delays. The Carry In signal on the first bit of the incrementer is hard-wired to 1.

Also note that the lowest 2 bits and the highest 6 bits of the PC are absent, leaving just 24 bits with circuit above. For the remaining 8 bits the incrementer isn't populated and the associated multiplexer input bits are set to zero.

The input to the incrementer is chosen by a 4-way multiplexer. The multiplexer is shown in simplified form here as the details are very similar to what we've seen already (e.g. Read Bus Decoding).

The circuit above is a little more complex than I was expecting. By experimenting with some sample programs the following becomes apparent:

  • When an instruction updates the PC (e.g. mov pc, r0), the register is updated directly through the write-select line as with any other register write; however in addition, the write value is also selected via input 1 of the multiplexer so that it can be latched by the transmission gate and be incremented ready for fetching the next instruction.
  • When a LDM/STM instruction executes (Load/Store multiple registers), the transmission gate captures the starting load/store address and the incrementer updates the address for each of the registers to be loaded/stored. Only when the last register is loaded/saved is the transmission gate re-initialised with the PC value.

The 0-input to the multiplexer varies depending on the bit, as shown in the table below.


These 3x inputs come via inverters from the TRAP CTRL region of the chip and are associated with selecting the interrupt dispatch address as per the Vector Table below:



Reverse engineering of the control signal 7091 is especially puzzling. The circuit is:


This circuit really is a complex way of generating a 1 output! If this control signal is genuinely always 1 then the incrementer circuit could be substantially simpler - 2 of the exclusive nor gates could be eliminated altogether. On reviewing the chip layout itself it becomes stranger still (the image below is rotated 90 degrees):


The 0 input signals are routed a long way from the transistors themselves, even though a ground signal is right nearby, and the output, which goes nowhere, is routed in a similar area. Is it possible that part of the circuit was intended for some additional functionality which was partially implemented and then disabled at a late stage in the layout process? Any suggestions would be welcome.

Address Output Pins

The circuitry associated with the address output pins is very straightforward:

With aen_internal held low the address pins go into tri-state mode.

Conclusion

We've now reverse engineered all the remaining internal data and address buses and learnt how the incrementer circuit is used both the update the PC and to implement the LDM/STM instruction. We're reverse-engineered about 2,200 transistors in the circuits above.



9 comments:

  1. ACTIVE & FRESH CC FULLZ WITH BALANCE

    Price $5 per each CC

    DETAILS
    =>CARD TYPE
    =>FIRST NAME & LAST NAME
    =>CC NUMBER
    =>EXPIRY DATE
    =>CVV
    =>FULL ADDRESS (ZIP CODE, CITY/TOWN, STATE)
    =>PHONE NUMBER,DOB,SSN
    =>MOTHER'S MAIDEN NAME
    =>VERIFIED BY VISA
    =>CVV2

    *Time wasters or cheap questioners please stay away
    *You can buy for your specific states too
    *Payment in advance

    Contact Us:
    -->Whatsapp > +923172721122
    -->Email > leads.sellers1212@gmail.com
    -->Telegram > @leadsupplier
    -->ICQ > 752822040

    US FRESH, TESTED & VERIFIED SSN LEADS
    $1 PER EACH

    (INFO)

    First Name | Last Name | SSN | Dob | Address | State | City | Zip | Phone Number | Account Number | Bank NAME | DL Number |

    Home Owner | IP Address | MMN | Income

    *Hope for the long term deal
    *If anyone need leads In bulk, I'll definetly negotiate

    US DUMP TRACK 1 & 2 WTIH PIN CODES ALSO AVAILABLE

    ReplyDelete
    Replies
    1. I got my already programmed and blanked ATM card to withdraw the maximum of $1,000 daily for a maximum of 20 days. I am so happy about this because i got mine last week and I have used it to get $20,000. Mike Fisher Hackers is giving out the card just to help the poor and needy though it is illegal but it is something nice and he is not like other scam pretending to have the blank ATM cards. And no one gets caught when using the card. get yours from Mike Fisher Hackers today! *email cyberhackingcompany@gmail.com


      Delete
    2. iI’m lauriel from New York, United States. I lost my job a few months back after my divorce with my wife. I tried everything positive to make sure I took good care of my kids but all failed, and I was in debt which makes everything worse. I was kicked out of my home and i had to live with my neighbor after pleading with her to allow me to stay with her for some days while I figured out how to get a home which she agreed to, but no one was willing to help anymore. I bumped into this page from google and I was excited about this, then I contacted the hackersBill Dean. I had just $200, so I pleaded with them to help me because of my condition but they never accepted. I believed in this, so I managed to pawn a few things and got $500. I ordered the $10,000 card and I got my card delivered to me by Ups 4 days later. I never believed my eyes! I was excited and upset as well, I managed to withdraw $2000 on the ATM and $2500 the second day. I went to Walmart and a grocery store and bought a couple of things for $3000. The card got blocked the third day and I contacted them and I was told it's a mistake from my end. I’m so happy, I have started all over again and have a good apartment with my kids you can contact him through is via email (globalatmcardhackingservice@gmail.com)or his whatsap contact (+1 301-887-5071) 

      Delete
    3. Dave'S Hacks: Inside The Armv1 - The Read Bus B, Alu Output Bus, And Address Bus >>>>> Download Now

      >>>>> Download Full

      Dave'S Hacks: Inside The Armv1 - The Read Bus B, Alu Output Bus, And Address Bus >>>>> Download LINK

      >>>>> Download Now

      Dave'S Hacks: Inside The Armv1 - The Read Bus B, Alu Output Bus, And Address Bus >>>>> Download Full

      >>>>> Download LINK 6U

      Delete
  2. SSN FULLZ AVAILABLE

    Fresh & valid spammed USA SSN+Dob Leads with DL available in bulk.

    >>1$ each SSN+DOB
    >>3$ each with SSN+DOB+DL
    >>5$ each for premium fullz (700+ credit score with replacement guarantee)

    Prices are negotiable in bulk order
    Serious buyer contact me no time wasters please
    Bulk order will be preferable

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    OTHER STUFF YOU CAN GET

    SSN+DOB Fullz
    CC's with CVV's (vbv & non-vbv)
    USA Photo ID'S (Front & back)

    All type of tutorials available
    (Carding, spamming, hacking, scam page, Cash outs, dumps cash outs)

    SQL Injector
    Premium Accounts (Netflix, Pornhub, etc)
    Paypal Logins
    Bitcoin Cracker
    SMTP Linux Root
    DUMPS with pins track 1 and 2
    WU & Bank transfers
    Socks, rdp's, vpn
    Php mailer
    Server I.P's
    HQ Emails with passwords
    All types of tools & tutorials.. & much more

    Looking for long term business
    For trust full vendor, feel free to contact

    CONTACT
    Telegram > @leadsupplier
    ICQ > 752822040
    Email > leads.sellers1212@gmail.com

    ReplyDelete
  3. All thanks to Mr Anderson for helping with my profits and making my fifth withdrawal possible. I'm here to share an amazing life changing opportunity with you. its called Bitcoin / Forex trading options. it is a highly lucrative business which can earn you as much as $2,570 in a week from an initial investment of just $200. I am living proof of this great business opportunity. If anyone is interested in trading on bitcoin or any cryptocurrency and want a successful trade without losing notify Mr Anderson now.Whatsapp: (+447883246472 )
    Email: tdameritrade077@gmail.com

    ReplyDelete
  4. Dave'S Hacks: Inside The Armv1 - The Read Bus B, Alu Output Bus, And Address Bus >>>>> Download Now

    >>>>> Download Full

    Dave'S Hacks: Inside The Armv1 - The Read Bus B, Alu Output Bus, And Address Bus >>>>> Download LINK

    >>>>> Download Now

    Dave'S Hacks: Inside The Armv1 - The Read Bus B, Alu Output Bus, And Address Bus >>>>> Download Full

    >>>>> Download LINK GB

    ReplyDelete
  5. Best Bitcoin Recovery Expert To Recover

    Have you lost hope of ever recovering your money from scam brokers? I have good news for you and yes it is 97% possible for you to recover
    your money through binary cash refund (BCRF)but to do this you need an expert ,I lost over 76,000$ to fake broker and I lost any hope of
    ever making profit through binary trading until I met an awesome recovery Hacker known as Ultimate Hacker Jerry who introduced me to (BCRF)..and to recover any lost money to any Cryptocurrency i was able to recover my money and with an amazing recovery Hacker guidance I have been able to make profits after recovering my lost funds. l recommend Jerry to anyone email him at (Ultimatehackerjerry@seznam. Cz) Don’t forget to mention Isaac recommended you

    ReplyDelete
  6. How to successfully Recover your money from stolen Bitcoin scam/Binary option. Here is an online hack expert and a perfect solution to recovering your loss assets and online access. Contact: hackrecoveryexpert @ mail. com ,
    whatapp & Telegram: +39 3510 5404 56.

    ReplyDelete