Apple proprietary instructions seem to be in the 0x0020xxxx range.

```
00200000 - 002007ff       MUL53, see https://gist.github.com/TrungNguyen1909/5b323edda9a21550a1621af506e8ce5f

00200800 | rD << 5 | rS   wkdmc, compress memory page
                          - rS is the source page address (page-aligned, bottom bits ignored)
                          - rD is the destination compressed data address (64b aligned, bottom bits ignored)
                          - Status/info gets returned in rS.

00200c00 | rD << 5 | rS   wkdmd, uncompress memory page
                          - rS is the source compressed data address (64b aligned, bottom bits ignored)
                          - rD is the destination compressed data address (page-aligned, bottom bits ignored)
                          - Status/info gets returned in rS.

00201000 - 002012df       AMX, see https://gist.github.com/dougallj/7a75a3be1ec69ca550e7c36dc75e0d6f
                          If AMX is not enabled (default), these fault with ESR_EL2 = 0xfe000003

  ..222~23f               "hole" of unknown instructions

002012e0 - 0020143f       Faults with unknown instruction

*00201400                 gexit, Exit guarded mode. Used by macOS; must need some enable (faults by default).
*00201420 | imm5          genter, Enter guarded mode. Used by macOS; must need some enable (faults by default).
                          imm5 stored in ESR_GLx[5:0]

00201440 | rA             at_as1elx, Translate address. Returns in the same register:
                          [63:56] MAIR attributes for translation (not index!)
                          [??:12] Physical address
                          [11:00] Flags/status/etc. 0x80x = unmapped, x varies depending on PT level that faulted?

                          This seems to be the same as the PAR_EL1 system register, used as the output for the *official* ARM translate address instructions.

00201460                  sdsb osh
00201461                  sdsb nsh
00201462                  sdsb ish - used by iBoot trampoline
00201463                  sdsb sy

00201464 ~                Faults with unknown instruction
```
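
The table above can be turned into a small classifier for spotting these encodings while reading a firmware or kernel dump. This is an added example, not code from the original notes; the function names `decode` and `scan`, the sample bytes, the reading of `..222~23f` as 0x00201222-0x0020123f, and treating everything from 0x00201464 to the end of the 0x0020xxxx range as undefined are assumptions.

```python
import struct

# Fixed sdsb encodings from the table above.
SDSB = {0x00201460: "osh", 0x00201461: "nsh", 0x00201462: "ish", 0x00201463: "sy"}

def decode(word):
    """Classify one 32-bit word; returns (mnemonic, operands), or None when
    the word is outside the 0x0020xxxx range the notes cover."""
    if word >> 16 != 0x0020:
        return None
    lo5, hi5 = word & 0x1F, (word >> 5) & 0x1F
    if word <= 0x002007FF:
        return ("mul53", {})                       # operands: see the linked gist
    if word <= 0x00200BFF:
        return ("wkdmc", {"rD": hi5, "rS": lo5})   # 00200800 | rD << 5 | rS
    if word <= 0x00200FFF:
        return ("wkdmd", {"rD": hi5, "rS": lo5})   # 00200c00 | rD << 5 | rS
    # Assumption: "..222~23f" is read as 0x00201222-0x0020123f.
    if 0x00201222 <= word <= 0x0020123F:
        return ("unknown (AMX hole)", {})
    if word <= 0x002012DF:
        return ("amx", {})                         # operands: see the linked gist
    if word == 0x00201400:
        return ("gexit", {})
    if 0x00201420 <= word <= 0x0020143F:
        return ("genter", {"imm5": lo5})
    if 0x00201440 <= word <= 0x0020145F:
        return ("at_as1elx", {"rA": lo5})
    if word in SDSB:
        return ("sdsb " + SDSB[word], {})
    # Rest of 002012e0-0020143f, and (assumed upper bound) 00201464 onward.
    return ("undefined", {})

def scan(blob, base=0):
    """Walk a buffer as little-endian 32-bit words and list proprietary hits."""
    hits = []
    for off in range(0, len(blob) - len(blob) % 4, 4):
        (word,) = struct.unpack_from("<I", blob, off)
        decoded = decode(word)
        if decoded is not None:
            hits.append((base + off, word, decoded[0], decoded[1]))
    return hits

# Constructed sample: nop, sdsb ish, wkdmc rD=3 rS=7, ret
SAMPLE = struct.pack("<4I", 0xD503201F, 0x00201462, 0x00200867, 0xD65F03C0)

if __name__ == "__main__":
    for addr, word, name, ops in scan(SAMPLE, base=0x1000):
        print(f"{addr:#x}: {word:08x} {name} {ops}")
```

A linear scan over a mixed code/data image will also match data words that happen to start with 0x0020, so hits outside known code regions need manual confirmation.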