diff -ru qemu-snapshot-2007-10-11_05/target-arm/helper.c qemu-patched/target-arm/helper.c
--- qemu-snapshot-2007-10-11_05/target-arm/helper.c	2007-09-17 07:08:01.000000000 +1000
+++ qemu-patched/target-arm/helper.c	2007-10-15 11:33:49.000000000 +1000
@@ -703,6 +703,7 @@
         break;
     case 3: /* MMU Domain access control / MPU write buffer control.  */
         env->cp15.c3 = val;
+        tlb_flush(env, 1); /* Flush TLB as domain not tracked in TLB */
         break;
     case 4: /* Reserved.  */
         goto bad_reg;
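Review bot: The added `tlb_flush(env, 1)` under `case 3` runs on every write to c3, including writes that store the value already held and writes on MPU cores, where the case label says this register is write buffer control rather than domain access control. Flushing is the safe direction: going by the new comment, cached entries do not record the domain, so without a flush they would presumably keep honouring permissions the guest has just revoked. A guest that rewrites the domain register frequently would still pay for a full flush each time, so consider flushing only on a real change, with `if (env->cp15.c3 != val) tlb_flush(env, 1);` placed before the assignment. The comment could also state the consequence rather than only the cause, e.g. `/* TLB entries were checked against the old domain bits; drop them. */`. The enclosing switch starts and ends outside the hunk.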
@@ -813,8 +814,6 @@
     case 13: /* Process ID.  */
         switch (op2) {
         case 0:
-            if (!arm_feature(env, ARM_FEATURE_MPU))
-                goto bad_reg;
             /* Unlike real hardware the qemu TLB uses virtual addresses,
                not modified virtual addresses, so this causes a TLB flush.
              */
