No public BCM4500 datasheet exists. All register addresses and functions on this page were determined through firmware disassembly, I2C bus captures, and behavioral testing. Register names are conventions used throughout this documentation, not official Broadcom nomenclature.
This page consolidates every known register address used by the SkyWalker-1 hardware into a single lookup reference.
These registers are accessed via standard I2C read/write to the BCM4500 at 7-bit address 0x08 (write byte 0x10, read byte 0x11).
Address Name R/W Function 0xA2 Status R Readiness status. Returns 0x02 when powered on, no signal locked. Polled during boot probe and signal strength readback . 0xA4 Lock R Signal lock indicator. Bit 5 (mask 0x20) = signal locked. Read by GET_SIGNAL_LOCK (0x90). The kernel treats any non-zero value as locked. 0xA6 Indirect Page W Page/address select for the indirect register protocol . Typically written with 0x00 (page 0). 0xA7 Indirect Data R/W Data register for indirect reads and writes. Supports auto-increment for multi-byte writes within a single I2C transaction. 0xA8 Indirect Command R/W Command register. Write 0x01 = indirect read, 0x03 = indirect write. Read to poll: bit 0 clear = command complete. 0xF9 Demod Status R Extended demodulator status. Read by GET_DEMOD_STATUS (0x99) in v2.13 firmware. Also polled by the v2.13 INT0 handler. Not accessed by v2.06 or Rev.2.
Registers 0xA6, 0xA7, and 0xA8 form a triad that provides access to the BCM4500’s internal register space. The sequence is always: select page (0xA6) → write/read data (0xA7) → execute command (0xA8) → poll 0xA8 for completion.
See Demodulator — Indirect Register Protocol for the full byte-level I2C sequences.
These are the BCM4500 internal registers accessed through the 0xA6/0xA7/0xA8 indirect protocol. All known registers are on page 0x00.
Register Size Function Read By 0x00—0x01 2 bytes SNR value (16-bit, little-endian). Bytes 0—1 of GET_SIGNAL_STRENGTH (0x87) response. Signal Monitoring 0x02—0x05 4 bytes AGC and diagnostic data. Bytes 2—5 of GET_SIGNAL_STRENGTH (0x87) response. Signal Monitoring
Three blocks written during BCM4500 firmware load. The first byte of each block is the starting register address.
Block Start Reg Length Data (hex) Purpose 0 0x06 7 bytes 06 0b 17 38 9f d9 80Primary demod configuration 1 0x07 8 bytes 07 09 39 4f 00 65 b7 10Secondary demod configuration 2 0x0F 3 bytes 0f 0c 09Final demod configuration
Blocks 0 and 1 both write to register 0x07 and above, meaning block 1 overwrites the tail end of block 0. This is intentional: block 0 sets initial defaults, block 1 refines registers 0x07—0x0E, and block 2 configures the 0x0F—0x11 range independently. All stock firmware versions use the same init block data.
After modulation dispatch, the tuning protocol writes frequency, symbol rate, FEC, and modulation parameters into BCM4500 page 0 registers via the indirect write protocol. The exact target register range depends on the configuration data length (typically 12—18 bytes starting at register 0x00).
External RAM (XRAM) addresses used by the FX2 microcontroller for tuning state and configuration. These are not BCM4500 registers — they are FX2 memory locations that hold data destined for or read from the demodulator.
Address Name Function 0xE0EB FEC Code Rate Looked up from the FEC table for the active modulation. DCII modes use fixed value 0xFC. DSS/BPSK modes OR the lookup with 0x80. 0xE0EC Modulation Type 0x09 for DVB-S, Turbo, DSS, and BPSK modes. DCII modes load from the DCII lookup table. 0xE0F5 Demod Mode 0x10 for most modes. DCII variants use 0x10 (combo), 0x11 (offset QPSK), 0x12 (I-stream), or 0x16 (Q-stream). 0xE0F6 Turbo Flag 0x00 = standard FEC. 0x01 = turbo FEC (QPSK/8PSK/16QAM turbo modes).
Address Size Content Source 0xE0CB—0xE0CE 4 bytes Symbol rate (big-endian) Byte-reversed from EP0BUF[0—3] during TUNE_8PSK 0xE0DB—0xE0DE 4 bytes IF frequency (big-endian) Byte-reversed from EP0BUF[4—7] during TUNE_8PSK
Populated at boot from CODE-space initialization tables. Indexed by the FEC rate byte from the TUNE_8PSK command payload.
Base Address Modulation Max Index Rates 0xE0B1 Turbo 8PSK 5 Turbo-specific code rates 0xE0B7 Turbo QPSK 5 Turbo-specific code rates 0xE0BC Turbo 16QAM 1 Single code rate 0xE0BD DCII (all variants) 9 Combined code + modulation values 0xE0F9 DVB-S QPSK / DSS / BPSK 7 1/2, 2/3, 3/4, 5/6, 7/8, auto, none
Address Size Content 0xE080—0xE08E 15 bytes External calibration data loaded by FW2 and FW3 into demod registers at 0xE6C0—0xE6CD. Not used by FW1 (hardcoded config).
Address Size Content 0xE740—0xE749 10 bytes EP0BUF — USB control transfer buffer. Contains the raw TUNE_8PSK payload before parsing.
Internal RAM (IRAM) addresses vary between firmware versions due to different stack pointer placement. This table maps the key locations for each version.
Location v2.06 Rev.2 v2.10 v2.13 FW1/FW2 v2.13 FW3 Stack pointer (SP) 0x72 0x4F 0x50 0x52 Config status byte 0x6D 0x4E 0x4F 0x51 I2C buffer high — 0x48 0x48 0x4A I2C buffer low — 0x49 0x49 0x4B
The config status byte is returned by GET_8PSK_CONFIG (0x80). See Config Status for bit definitions.
Location Address Function Modulation type 0x4D Copied from EP0BUF[8] during TUNE_8PSK parsing FEC rate index 0x4F Copied from EP0BUF[9] during TUNE_8PSK parsing
On v2.13 FW1/FW2, the FEC rate index (IRAM 0x4F) shares the same address as the config status byte. The firmware distinguishes between contexts — the FEC index is only written during tune operations, while config status is read/written at other times. FW3 avoids this collision by moving the config status to 0x51.
The custom firmware built with SDCC + fx2lib uses C variables instead of fixed IRAM addresses. The compiler manages allocation, so addresses are not guaranteed stable across builds. Key variables:
Variable Type Purpose config_statusvolatile BYTEConfiguration status byte boot_stagevolatile BYTEBoot progress (0x00 = not started, 0xFF = complete) i2c_buf[16]__xdata BYTEI2C scratch buffer for writes i2c_rd[8]__xdata BYTEI2C scratch buffer for reads tm_result[10]__xdata BYTETune monitor result buffer
Core FX2LP registers used for USB control transfers, CPU management, and peripheral configuration.
Register Address Function CPUCS 0xE600 CPU control/status. Write 0x01 to halt, 0x00 to run. Bits 4:3 select clock speed (10 = 48 MHz). IFCONFIG 0xE601 Interface configuration. Value 0xEE = internal 48 MHz clock, GPIF master, async mode. REVCTL 0xE60B Revision control. Value 0x03 = NOAUTOARM + SKIPCOMMIT (required for manual EP management). EP2FIFOCFG 0xE618 EP2 FIFO configuration. Value 0x0C = AUTOIN + ZEROLENIN, 8-bit data bus.
Populated by the FX2 hardware when a SETUP packet arrives on EP0. The vendor command dispatcher reads SETUPDAT[1] to determine the command.
Register Address Content SETUPDAT[0] 0xE6B8 bmRequestType (0x40 = vendor OUT, 0xC0 = vendor IN) SETUPDAT[1] 0xE6B9 bRequest (vendor command ID: 0x80—0xB9) SETUPDAT[2] 0xE6BA wValueL SETUPDAT[3] 0xE6BB wValueH SETUPDAT[4] 0xE6BC wIndexL SETUPDAT[5] 0xE6BD wIndexH SETUPDAT[6] 0xE6BE wLengthL SETUPDAT[7] 0xE6BF wLengthH
Register Address Function EP0BCH 0xE68A EP0 byte count high. EP0BCL 0xE68B EP0 byte count low. Writing this register arms the EP0 IN transfer. EP0BUF 0xE740 EP0 data buffer start (64 bytes). Contains TUNE_8PSK payload bytes 0xE740—0xE749.
Address Function 0xE0B6 LNB voltage control register. Written by SET_LNB_VOLTAGE (0x8B) in the custom firmware.
The Cypress FX2LP’s built-in I2C master controller uses three hardware registers in the SFR-mapped XRAM space.
Register Address Function I2CS 0xE678 Control/Status. Bit fields: DONE (bit 0), ACK (bit 1), BERR (bit 2), ID (bits 4:3), LASTRD (bit 5), STOP (bit 6), START (bit 7). I2DAT 0xE679 Data register. Write to transmit a byte, read to receive. First write after START sends the slave address byte. I2CTL 0xE67A Control register. Bit 0 = 400 kHz mode (set by all firmware versions at init). Bit 1 = STOPIE (stop interrupt enable).
7-bit Address 8-bit Write 8-bit Read Device 0x08 0x10 0x11 BCM4500 demodulator (operating address) 0x10 0x20 0x21 Tuner / LNB controller 0x51 0xA2 0xA3 Configuration EEPROM (serial number, calibration, firmware storage) 0x3F 0x7E 0x7F BCM4500 alternate probe address (v2.13 boot detection only) 0x7F 0xFE 0xFF BCM4500 alternate probe address (v2.13 boot detection only)
See I2C Bus Architecture for bus topology and the STOP Corruption Bug for the spurious STOP issue affecting the FX2 controller.
Every documentation page that references specific registers or memory addresses: