diff --git a/POLL_SITE_MAP.md b/POLL_SITE_MAP.md
new file mode 100644
index 0000000..b5deddc
--- /dev/null
+++ b/POLL_SITE_MAP.md
@@ -0,0 +1,81 @@
+# Poll-site → register map (RK3588 DDR v1.19)
+
+Each of the 16 timeout-less poll sites in the v1.19 stock conservative
+blob, decoded against the RK3588 TRM Part 2 (Ch. 2, DMC) where
+possible. Sites without TRM coverage are Synopsys DWC PUB registers —
+not republished by Rockchip; names ending in `(RE)` are our educated
+guesses from the code context.
+
+Site index comes from `patch_timeouts_v3.py` (ascending-offset order
+after `find_poll_loops()`).
+
+## Early cluster (sites 0–7): 0x07b78..0x07f08
+
+| # | branch @ | body | load | addr (symbolic) | register | src |
+|---|---------|------|------|-----------------|----------|-----|
+| 0 | 0x07b78 | 2 | `ldr w1, [x0+0x114]` on x0=PHY+0x20000 | PHY + 0x20114 | `PHY_TRAIN_INTERLOCK_114` (RE) | —   |
+| 1 | 0x07ba4 | 2 | `ldr w1, [x26+0xb88]`  where x26=PHY+0x10000 | PHY + 0x10b88 | `PHY_SHADOW_BB8` (RE) | —   |
+| 2 | 0x07c8c | 3 | `ldr w0, [x1+0x14]`   where x1=DDRCTL+0x10000 | **DDRCTL + 0x10014** | `DDRCTL_PWRCTL`? (TBD — 0x14 offset in uMCTL2 is typically PWRCTL or STAT) | TRM (partial) |
+| 3 | 0x07ca8 | 2 | `ldr w1, [x0+0x514]`  where x0=DDRCTL+0x10000 | **DDRCTL + 0x10514** | **DDRCTL_DFISTAT** `dfi_init_complete` | **TRM Part 2 Ch.2** |
+| 4 | 0x07cd4 | 3 | `ldr w0, [x1+0x14]`   same pattern as site 2 | DDRCTL + 0x10014 | same as #2 | TRM (partial) |
+| 5 | 0x07ce8 | 3 | same +0x14 load, different mask | DDRCTL + 0x10014 | same as #2 | TRM (partial) |
+| 6 | 0x07d0c | 3 | `ldr w0, [x26+0xb88]` where x26=PHY+0x10000 | PHY + 0x10b88 | `PHY_SHADOW_BB8` (RE) — same reg as site 1, different mask | —   |
+| 7 | 0x07f08 | 3 | `ldr w1, [x0+0x14]`   same DDRCTL family | DDRCTL + 0x10014 | same as #2 | TRM (partial) |
+
+## Mid cluster (sites 8–10): 0x09124..0x0aaf8
+
+| # | branch @ | body | register | src |
+|---|---------|------|----------|-----|
+| 8  | 0x09124 | 3 | DDRCTL + (via x27) — needs further context trace | — |
+| 9  | 0x0aa84 | 3 | DDRCTL + (via x24) — ditto | — |
+| 10 | 0x0aaf8 | 3 | abs `0xff000024` per decoder — **SRAM mirror of a GRF?** non-obvious | — |
+
+**Site 10 is unusual** — absolute `0xff000024` is in the SRAM_BOOT
+region, not a controller or PHY block. Possibly a BL2 handoff word
+the blob waits on before continuing. Worth its own trace.
+
+## Late cluster (sites 11–15): 0x0d154..0x0d378
+
+| # | branch @ | body | register | src |
+|---|---------|------|----------|-----|
+| 11 | 0x0d154 | 3 | `ldr w5, [x0+0x14]` where x0=PHY+0x10000 → **PHY + 0x10014**, test `&0x7 == 1` | `PHY_STATE_014` (RE) — wait for state 1 | — |
+| 12 | 0x0d340 | 2 | `ldr w1, [x0+0x118]` where x0=PHY+0x8000 → PHY + 0x8118 | `PHY_STAT_A_118` (RE) — train_phy_block | — |
+| 13 | 0x0d34c | 2 | `ldr w1, [x0+0x120]` → PHY + 0x8120 | `PHY_STAT_B_120` (RE) | — |
+| 14 | 0x0d364 | 2 | `ldr w1, [x0+0x184]` → PHY + 0x8184 | `PHY_HANDSHAKE_184` (RE, ack assert) | — |
+| 15 | 0x0d378 | 2 | `ldr w1, [x0+0x184]` → PHY + 0x8184 | `PHY_HANDSHAKE_184` (RE, ack deassert) | — |
+
+## Summary by coverage
+
+- **TRM-documented (vendor-canonical names):** 1 site (site 3 — DDRCTL_DFISTAT).
+- **TRM-documented family (0x14 offset in uMCTL2 space, exact register TBD):** 4 sites (2, 4, 5, 7).
+- **DWC PUB / Innosilicon PHY — undocumented, RE names only:** 11 sites.
+
+## Known tensions
+
+1. **Site 3 tests DFISTAT bits[2:1] (mask 0x6), not bit[0].** Generic
+   uMCTL2 DFISTAT has only bit[0] defined (`dfi_init_complete`); bits
+   1+ are reserved. RK3588's blob treating bits[2:1] as meaningful
+   suggests Rockchip extended the DFISTAT register with vendor-specific
+   bits. Worth checking TRM bit tables for DFISTAT directly.
+
+2. **Sites 2/4/5/7 all poll DDRCTL + 0x10014** with different bit
+   masks (&0x7==1, &0x7==3, &0x30==0x20, &0x7==3). At offset +0x14 in
+   uMCTL2 is `STAT` (Operating Mode Status Register) per generic DWC
+   docs — `operating_mode[2:0]` field encodes: 0=Init, 1=Normal, 2=Power-down,
+   3=Self-refresh, 5=Deep-power-down, 6=Deep-power-down init. RK3588
+   probably follows this convention — these polls wait for the
+   controller to enter specific operating modes.
+
+3. **Site 10 at absolute `0xff000024`** is suspect. That region is
+   SRAM_BOOT in our emulator map. Possibly a BL2 handshake word. If
+   so, patching this site to "bounded retry" is safe — worst case
+   we skip one BL2 handoff. Should flag this separately.
+
+## Action items
+
+- Extract DFISTAT bit-field description from TRM Part 2 to confirm/deny
+  the RK3588 vendor extension hypothesis for site 3.
+- Extract STAT (+0x14) bit-field description from TRM to confirm/deny
+  the "operating_mode" mapping for sites 2/4/5/7.
+- Special-case site 10 in the bisection plan — it's not a normal PHY
+  poll and may need different treatment.