MMU configuration (E0004C7A, see emulation log posted earlier):
BOTH: DACR          <- 0x55555555   Client. Accesses are checked against the permission bits in the translation tables (all 16 entries)
BOTH: TTBCR         <- 7            TTBCR.N = 7 (TTBR0 "size", see [url=https://www.systems.ethz.ch/sites/default/files/file/aos2014/slides/02-MMUsEtc.pdf]AOS p23[/url])
CPU0: TTBR0_EL1     <- 0xE0004800   Translation table for low addresses (from 0 to 1FFFFFF)
CPU1: TTBR0_EL1     <- 0xE0004880   Translation table for low addresses (from 0 to 1FFFFFF)
BOTH: TTBR1_EL1     <- 0xE0000080   Translation table for high addresses (all others)
BOTH: CONTEXTIDR(S) <- MPIDR        Context ID Register <- current CPU
BOTH: TLBIALL       <- 0x0          Instruction TLB Invalidate All
BOTH: SCTLR         <- 0x40C50879   SCTLR |= 1 (enable MMU)
Memory map (see QEMU's target-arm/helper/helper.c:get_phys_addr_v6 and Cortex A series Programmer's Guide, chapter 8 - MMU):
CPU0:
00001000-00001FFF -> 00000000-00000FFF (-1000) O:NCACH I:WB,WA P:RW
00002000-3FFFFFFF -> 00002000-3FFFFFFF ( +0) O:NCACH I:WB,WA P:RW
CPU1:
00001000-3FFFFFFF -> 00001000-3FFFFFFF ( +0) O:NCACH I:WB,WA P:RW
Both:
40000000-BFFFFFFF -> 40000000-BFFFFFFF ( +0) O:NCACH I:NCACH P:RW
C0000000-C1FFFFFF -> C0000000-C1FFFFFF ( +0) Device P:RW XN
C4000000-C4FFFFFF -> C4000000-C4FFFFFF ( +0) Device P:RW XN
C8000000-CAFFFFFF -> C8000000-CAFFFFFF ( +0) Device P:RW XN
D0000000-D0FFFFFF -> D0000000-D0FFFFFF ( +0) Device P:RW XN
D2000000-D2FFFFFF -> D2000000-D2FFFFFF ( +0) Device P:RW XN
D4000000-D5FFFFFF -> D4000000-D5FFFFFF ( +0) Device P:RW XN
D8000000-D9FFFFFF -> D8000000-D9FFFFFF ( +0) Device P:RW XN
DE000000-DEFFFFFF -> DE000000-DEFFFFFF ( +0) Device P:RW XN
DF000000-DFFFFFFF -> DF000000-DFFFFFFF ( +0) O:NCACH I:WB,WA P:RW
E0000000-E7FFFFFF -> E0000000-E7FFFFFF ( +0) O:WB,WA I:WB,WA P:R
E8000000-EFFFFFFF -> E8000000-EFFFFFFF ( +0) Strongly-ordered P:R XN
F0000000-F7FFFFFF -> F0000000-F7FFFFFF ( +0) O:WB,WA I:WB,WA P:R
F8000000-FFFFFFFF -> F8000000-FFFFFFFF ( +0) Strongly-ordered P:R XN
So, the MMU does mostly a flat mapping, and virtually all of the memory is visible from both CPUs, except for a 4K page private to each core, at virtual address 0x1000.
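Added example, not part of the original post: a small C check that derives the TTBR0/TTBR1 split and the TTBR0 table size from TTBCR.N using the ARMv7 short-descriptor rules, confirms that every DACR domain is Client, and resolves VA 0x1000 on each core from the listing above. The function names are made up for this illustration; the register values and address ranges are the ones in the post.

```c
#include <stdint.h>
#include <stdio.h>

/* Register values copied from the listing in the post. */
#define DACR    0x55555555u
#define TTBCR   7u
#define TTBR0_0 0xE0004800u   /* CPU0 */
#define TTBR0_1 0xE0004880u   /* CPU1 */

/* Last VA walked through TTBR0: 2^(32-N) - 1, where N = TTBCR[2:0]. */
static uint32_t ttbr0_last_va(uint32_t ttbcr) {
    unsigned n = ttbcr & 7u;
    return n ? (1u << (32 - n)) - 1u : 0xFFFFFFFFu;
}

/* Size in bytes of the TTBR0 first-level table: 2^(14-N). */
static uint32_t ttbr0_table_bytes(uint32_t ttbcr) { return 1u << (14 - (ttbcr & 7u)); }

/* 1 if the walk for va starts at TTBR1, 0 if it starts at TTBR0. */
static int uses_ttbr1(uint32_t va, uint32_t ttbcr) { return va > ttbr0_last_va(ttbcr); }

/* 1 if all 16 two-bit DACR fields are 01 (Client: table permissions enforced). */
static int all_domains_client(uint32_t dacr) {
    for (unsigned d = 0; d < 16; d++)
        if (((dacr >> (2 * d)) & 3u) != 1u) return 0;
    return 1;
}

/* Low part of the memory map (VA below 0x40000000) as listed in the post.
   Returns 1 and stores the PA, or 0 when the listing has no mapping for va. */
static int low_va_to_pa(int cpu, uint32_t va, uint32_t *pa) {
    if (va < 0x1000u || va > 0x3FFFFFFFu) return 0;
    *pa = (cpu == 0 && va < 0x2000u) ? va - 0x1000u : va;
    return 1;
}

int main(void) {
    uint32_t pa0 = 0, pa1 = 0;
    low_va_to_pa(0, 0x1000u, &pa0);
    low_va_to_pa(1, 0x1000u, &pa1);
    printf("TTBR0 covers 0..0x%08X, table is 0x%X bytes\n",
           (unsigned)ttbr0_last_va(TTBCR), (unsigned)ttbr0_table_bytes(TTBCR));
    printf("CPU1 table - CPU0 table = 0x%X\n", (unsigned)(TTBR0_1 - TTBR0_0));
    printf("0x02000000 uses TTBR1: %d, all domains Client: %d\n",
           uses_ttbr1(0x02000000u, TTBCR), all_domains_client(DACR));
    printf("VA 0x1000 -> PA 0x%X on CPU0, PA 0x%X on CPU1\n", (unsigned)pa0, (unsigned)pa1);
    return 0;
}
```

The 0x80-byte table size for N = 7 matches the spacing between the two per-CPU TTBR0 values, and the only low VA that resolves differently on the two cores is the 4K page at 0x1000.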