You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

638 lines
18 KiB

  1. /***************************************************************************
  2. * Copyright (C) 2005 by Dominic Rath *
  3. * Dominic.Rath@gmx.de *
  4. * *
  5. * Copyright (C) 2007,2008,2009 √ėyvind Harboe *
  6. * oyvind.harboe@zylin.com *
  7. * *
  8. * Copyright (C) 2008 by Spencer Oliver *
  9. * spen@spen-soft.co.uk *
  10. * *
  11. * This program is free software; you can redistribute it and/or modify *
  12. * it under the terms of the GNU General Public License as published by *
  13. * the Free Software Foundation; either version 2 of the License, or *
  14. * (at your option) any later version. *
  15. * *
  16. * This program is distributed in the hope that it will be useful, *
  17. * but WITHOUT ANY WARRANTY; without even the implied warranty of *
  18. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
  19. * GNU General Public License for more details. *
  20. * *
  21. * You should have received a copy of the GNU General Public License *
  22. * along with this program; if not, write to the *
  23. * Free Software Foundation, Inc., *
  24. * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
  25. ***************************************************************************/
  26. #ifdef HAVE_CONFIG_H
  27. #include "config.h"
  28. #endif
  29. #include "embeddedice.h"
  30. #include "register.h"
  31. /**
  32. * @file
  33. *
  34. * This provides lowlevel glue to the EmbeddedICE (or EmbeddedICE-RT)
  35. * module found on scan chain 2 in ARM7, ARM9, and some other families
  36. * of ARM cores. The module is called "EmbeddedICE-RT" if it has
  37. * monitor mode support.
  38. *
  39. * EmbeddedICE provides basic watchpoint/breakpoint hardware and a Debug
  40. * Communications Channel (DCC) used to read or write 32-bit words to
  41. * OpenOCD-aware code running on the target CPU.
  42. * Newer modules also include vector catch hardware. Some versions
  43. * support hardware single-stepping, "monitor mode" debug (which is not
  44. * currently supported by OpenOCD), or extended reporting on why the
  45. * core entered debug mode.
  46. */
  47. /*
  48. * From: ARM9E-S TRM, DDI 0165, table C-4 (and similar, for other cores)
  49. */
  50. static const struct {
  51. char *name;
  52. unsigned short addr;
  53. unsigned short width;
  54. } eice_regs[] = {
  55. [EICE_DBG_CTRL] = {
  56. .name = "debug_ctrl",
  57. .addr = 0,
  58. /* width is assigned based on EICE version */
  59. },
  60. [EICE_DBG_STAT] = {
  61. .name = "debug_status",
  62. .addr = 1,
  63. /* width is assigned based on EICE version */
  64. },
  65. [EICE_COMMS_CTRL] = {
  66. .name = "comms_ctrl",
  67. .addr = 4,
  68. .width = 6,
  69. },
  70. [EICE_COMMS_DATA] = {
  71. .name = "comms_data",
  72. .addr = 5,
  73. .width = 32,
  74. },
  75. [EICE_W0_ADDR_VALUE] = {
  76. .name = "watch_0_addr_value",
  77. .addr = 8,
  78. .width = 32,
  79. },
  80. [EICE_W0_ADDR_MASK] = {
  81. .name = "watch_0_addr_mask",
  82. .addr = 9,
  83. .width = 32,
  84. },
  85. [EICE_W0_DATA_VALUE ] = {
  86. .name = "watch_0_data_value",
  87. .addr = 10,
  88. .width = 32,
  89. },
  90. [EICE_W0_DATA_MASK] = {
  91. .name = "watch_0_data_mask",
  92. .addr = 11,
  93. .width = 32,
  94. },
  95. [EICE_W0_CONTROL_VALUE] = {
  96. .name = "watch_0_control_value",
  97. .addr = 12,
  98. .width = 9,
  99. },
  100. [EICE_W0_CONTROL_MASK] = {
  101. .name = "watch_0_control_mask",
  102. .addr = 13,
  103. .width = 8,
  104. },
  105. [EICE_W1_ADDR_VALUE] = {
  106. .name = "watch_1_addr_value",
  107. .addr = 16,
  108. .width = 32,
  109. },
  110. [EICE_W1_ADDR_MASK] = {
  111. .name = "watch_1_addr_mask",
  112. .addr = 17,
  113. .width = 32,
  114. },
  115. [EICE_W1_DATA_VALUE] = {
  116. .name = "watch_1_data_value",
  117. .addr = 18,
  118. .width = 32,
  119. },
  120. [EICE_W1_DATA_MASK] = {
  121. .name = "watch_1_data_mask",
  122. .addr = 19,
  123. .width = 32,
  124. },
  125. [EICE_W1_CONTROL_VALUE] = {
  126. .name = "watch_1_control_value",
  127. .addr = 20,
  128. .width = 9,
  129. },
  130. [EICE_W1_CONTROL_MASK] = {
  131. .name = "watch_1_control_mask",
  132. .addr = 21,
  133. .width = 8,
  134. },
  135. /* vector_catch isn't always present */
  136. [EICE_VEC_CATCH] = {
  137. .name = "vector_catch",
  138. .addr = 2,
  139. .width = 8,
  140. },
  141. };
  142. static int embeddedice_get_reg(struct reg *reg)
  143. {
  144. int retval;
  145. if ((retval = embeddedice_read_reg(reg)) != ERROR_OK)
  146. LOG_ERROR("error queueing EmbeddedICE register read");
  147. else if ((retval = jtag_execute_queue()) != ERROR_OK)
  148. LOG_ERROR("EmbeddedICE register read failed");
  149. return retval;
  150. }
  151. static const struct reg_arch_type eice_reg_type = {
  152. .get = embeddedice_get_reg,
  153. .set = embeddedice_set_reg_w_exec,
  154. };
  155. /**
  156. * Probe EmbeddedICE module and set up local records of its registers.
  157. * Different versions of the modules have different capabilities, such as
  158. * hardware support for vector_catch, single stepping, and monitor mode.
  159. */
  160. struct reg_cache *
  161. embeddedice_build_reg_cache(struct target *target, struct arm7_9_common *arm7_9)
  162. {
  163. int retval;
  164. struct reg_cache *reg_cache = malloc(sizeof(struct reg_cache));
  165. struct reg *reg_list = NULL;
  166. struct embeddedice_reg *arch_info = NULL;
  167. struct arm_jtag *jtag_info = &arm7_9->jtag_info;
  168. int num_regs = ARRAY_SIZE(eice_regs);
  169. int i;
  170. int eice_version = 0;
  171. /* vector_catch isn't always present */
  172. if (!arm7_9->has_vector_catch)
  173. num_regs--;
  174. /* the actual registers are kept in two arrays */
  175. reg_list = calloc(num_regs, sizeof(struct reg));
  176. arch_info = calloc(num_regs, sizeof(struct embeddedice_reg));
  177. /* fill in values for the reg cache */
  178. reg_cache->name = "EmbeddedICE registers";
  179. reg_cache->next = NULL;
  180. reg_cache->reg_list = reg_list;
  181. reg_cache->num_regs = num_regs;
  182. /* set up registers */
  183. for (i = 0; i < num_regs; i++)
  184. {
  185. reg_list[i].name = eice_regs[i].name;
  186. reg_list[i].size = eice_regs[i].width;
  187. reg_list[i].dirty = 0;
  188. reg_list[i].valid = 0;
  189. reg_list[i].value = calloc(1, 4);
  190. reg_list[i].arch_info = &arch_info[i];
  191. reg_list[i].type = &eice_reg_type;
  192. arch_info[i].addr = eice_regs[i].addr;
  193. arch_info[i].jtag_info = jtag_info;
  194. }
  195. /* identify EmbeddedICE version by reading DCC control register */
  196. embeddedice_read_reg(&reg_list[EICE_COMMS_CTRL]);
  197. if ((retval = jtag_execute_queue()) != ERROR_OK)
  198. {
  199. for (i = 0; i < num_regs; i++)
  200. {
  201. free(reg_list[i].value);
  202. }
  203. free(reg_list);
  204. free(reg_cache);
  205. free(arch_info);
  206. return NULL;
  207. }
  208. eice_version = buf_get_u32(reg_list[EICE_COMMS_CTRL].value, 28, 4);
  209. LOG_INFO("Embedded ICE version %d", eice_version);
  210. switch (eice_version)
  211. {
  212. case 1:
  213. /* ARM7TDMI r3, ARM7TDMI-S r3
  214. *
  215. * REVISIT docs say ARM7TDMI-S r4 uses version 1 but
  216. * that it has 6-bit CTRL and 5-bit STAT... doc bug?
  217. * ARM7TDMI r4 docs say EICE v4.
  218. */
  219. reg_list[EICE_DBG_CTRL].size = 3;
  220. reg_list[EICE_DBG_STAT].size = 5;
  221. break;
  222. case 2:
  223. /* ARM9TDMI */
  224. reg_list[EICE_DBG_CTRL].size = 4;
  225. reg_list[EICE_DBG_STAT].size = 5;
  226. arm7_9->has_single_step = 1;
  227. break;
  228. case 3:
  229. LOG_ERROR("EmbeddedICE v%d handling might be broken",
  230. eice_version);
  231. reg_list[EICE_DBG_CTRL].size = 6;
  232. reg_list[EICE_DBG_STAT].size = 5;
  233. arm7_9->has_single_step = 1;
  234. arm7_9->has_monitor_mode = 1;
  235. break;
  236. case 4:
  237. /* ARM7TDMI r4 */
  238. reg_list[EICE_DBG_CTRL].size = 6;
  239. reg_list[EICE_DBG_STAT].size = 5;
  240. arm7_9->has_monitor_mode = 1;
  241. break;
  242. case 5:
  243. /* ARM9E-S rev 1 */
  244. reg_list[EICE_DBG_CTRL].size = 6;
  245. reg_list[EICE_DBG_STAT].size = 5;
  246. arm7_9->has_single_step = 1;
  247. arm7_9->has_monitor_mode = 1;
  248. break;
  249. case 6:
  250. /* ARM7EJ-S, ARM9E-S rev 2, ARM9EJ-S */
  251. reg_list[EICE_DBG_CTRL].size = 6;
  252. reg_list[EICE_DBG_STAT].size = 10;
  253. /* DBG_STAT has MOE bits */
  254. arm7_9->has_monitor_mode = 1;
  255. break;
  256. case 7:
  257. LOG_ERROR("EmbeddedICE v%d handling might be broken",
  258. eice_version);
  259. reg_list[EICE_DBG_CTRL].size = 6;
  260. reg_list[EICE_DBG_STAT].size = 5;
  261. arm7_9->has_monitor_mode = 1;
  262. break;
  263. default:
  264. /*
  265. * The Feroceon implementation has the version number
  266. * in some unusual bits. Let feroceon.c validate it
  267. * and do the appropriate setup itself.
  268. */
  269. if (strcmp(target_type_name(target), "feroceon") == 0 ||
  270. strcmp(target_type_name(target), "dragonite") == 0)
  271. break;
  272. LOG_ERROR("unknown EmbeddedICE version "
  273. "(comms ctrl: 0x%8.8" PRIx32 ")",
  274. buf_get_u32(reg_list[EICE_COMMS_CTRL].value, 0, 32));
  275. }
  276. LOG_INFO("%s: hardware has 2 breakpoints or watchpoints",
  277. target_name(target));
  278. return reg_cache;
  279. }
  280. /**
  281. * Initialize EmbeddedICE module, if needed.
  282. */
  283. int embeddedice_setup(struct target *target)
  284. {
  285. int retval;
  286. struct arm7_9_common *arm7_9 = target_to_arm7_9(target);
  287. /* Explicitly disable monitor mode. For now we only support halting
  288. * debug ... we don't know how to talk with a resident debug monitor
  289. * that manages break requests. ARM's "Angel Debug Monitor" is one
  290. * common example of such code.
  291. */
  292. if (arm7_9->has_monitor_mode)
  293. {
  294. struct reg *dbg_ctrl = &arm7_9->eice_cache->reg_list[EICE_DBG_CTRL];
  295. embeddedice_read_reg(dbg_ctrl);
  296. if ((retval = jtag_execute_queue()) != ERROR_OK)
  297. return retval;
  298. buf_set_u32(dbg_ctrl->value, 4, 1, 0);
  299. embeddedice_set_reg_w_exec(dbg_ctrl, dbg_ctrl->value);
  300. }
  301. return jtag_execute_queue();
  302. }
  303. /**
  304. * Queue a read for an EmbeddedICE register into the register cache,
  305. * optionally checking the value read.
  306. * Note that at this level, all registers are 32 bits wide.
  307. */
  308. int embeddedice_read_reg_w_check(struct reg *reg,
  309. uint8_t *check_value, uint8_t *check_mask)
  310. {
  311. struct embeddedice_reg *ice_reg = reg->arch_info;
  312. uint8_t reg_addr = ice_reg->addr & 0x1f;
  313. struct scan_field fields[3];
  314. uint8_t field1_out[1];
  315. uint8_t field2_out[1];
  316. jtag_set_end_state(TAP_IDLE);
  317. arm_jtag_scann(ice_reg->jtag_info, 0x2);
  318. arm_jtag_set_instr(ice_reg->jtag_info, ice_reg->jtag_info->intest_instr, NULL);
  319. /* bits 31:0 -- data (ignored here) */
  320. fields[0].tap = ice_reg->jtag_info->tap;
  321. fields[0].num_bits = 32;
  322. fields[0].out_value = reg->value;
  323. fields[0].in_value = NULL;
  324. fields[0].check_value = NULL;
  325. fields[0].check_mask = NULL;
  326. /* bits 36:32 -- register */
  327. fields[1].tap = ice_reg->jtag_info->tap;
  328. fields[1].num_bits = 5;
  329. fields[1].out_value = field1_out;
  330. fields[1].out_value[0] = reg_addr;
  331. fields[1].in_value = NULL;
  332. fields[1].check_value = NULL;
  333. fields[1].check_mask = NULL;
  334. /* bit 37 -- 0/read */
  335. fields[2].tap = ice_reg->jtag_info->tap;
  336. fields[2].num_bits = 1;
  337. fields[2].out_value = field2_out;
  338. fields[2].out_value[0] = 0;
  339. fields[2].in_value = NULL;
  340. fields[2].check_value = NULL;
  341. fields[2].check_mask = NULL;
  342. /* traverse Update-DR, setting address for the next read */
  343. jtag_add_dr_scan(3, fields, jtag_get_end_state());
  344. /* bits 31:0 -- the data we're reading (and maybe checking) */
  345. fields[0].in_value = reg->value;
  346. fields[0].check_value = check_value;
  347. fields[0].check_mask = check_mask;
  348. /* when reading the DCC data register, leaving the address field set to
  349. * EICE_COMMS_DATA would read the register twice
  350. * reading the control register is safe
  351. */
  352. fields[1].out_value[0] = eice_regs[EICE_COMMS_CTRL].addr;
  353. /* traverse Update-DR, reading but with no other side effects */
  354. jtag_add_dr_scan_check(3, fields, jtag_get_end_state());
  355. return ERROR_OK;
  356. }
  357. /**
  358. * Receive a block of size 32-bit words from the DCC.
  359. * We assume the target is always going to be fast enough (relative to
  360. * the JTAG clock) that the debugger won't need to poll the handshake
  361. * bit. The JTAG clock is usually at least six times slower than the
  362. * functional clock, so the 50+ JTAG clocks needed to receive the word
  363. * allow hundreds of instruction cycles (per word) in the target.
  364. */
  365. int embeddedice_receive(struct arm_jtag *jtag_info, uint32_t *data, uint32_t size)
  366. {
  367. struct scan_field fields[3];
  368. uint8_t field1_out[1];
  369. uint8_t field2_out[1];
  370. jtag_set_end_state(TAP_IDLE);
  371. arm_jtag_scann(jtag_info, 0x2);
  372. arm_jtag_set_instr(jtag_info, jtag_info->intest_instr, NULL);
  373. fields[0].tap = jtag_info->tap;
  374. fields[0].num_bits = 32;
  375. fields[0].out_value = NULL;
  376. fields[0].in_value = NULL;
  377. fields[1].tap = jtag_info->tap;
  378. fields[1].num_bits = 5;
  379. fields[1].out_value = field1_out;
  380. fields[1].out_value[0] = eice_regs[EICE_COMMS_DATA].addr;
  381. fields[1].in_value = NULL;
  382. fields[2].tap = jtag_info->tap;
  383. fields[2].num_bits = 1;
  384. fields[2].out_value = field2_out;
  385. fields[2].out_value[0] = 0;
  386. fields[2].in_value = NULL;
  387. jtag_add_dr_scan(3, fields, jtag_get_end_state());
  388. while (size > 0)
  389. {
  390. /* when reading the last item, set the register address to the DCC control reg,
  391. * to avoid reading additional data from the DCC data reg
  392. */
  393. if (size == 1)
  394. fields[1].out_value[0] = eice_regs[EICE_COMMS_CTRL].addr;
  395. fields[0].in_value = (uint8_t *)data;
  396. jtag_add_dr_scan(3, fields, jtag_get_end_state());
  397. jtag_add_callback(arm_le_to_h_u32, (jtag_callback_data_t)data);
  398. data++;
  399. size--;
  400. }
  401. return jtag_execute_queue();
  402. }
  403. /**
  404. * Queue a read for an EmbeddedICE register into the register cache,
  405. * not checking the value read.
  406. */
  407. int embeddedice_read_reg(struct reg *reg)
  408. {
  409. return embeddedice_read_reg_w_check(reg, NULL, NULL);
  410. }
  411. /**
  412. * Queue a write for an EmbeddedICE register, updating the register cache.
  413. * Uses embeddedice_write_reg().
  414. */
  415. void embeddedice_set_reg(struct reg *reg, uint32_t value)
  416. {
  417. embeddedice_write_reg(reg, value);
  418. buf_set_u32(reg->value, 0, reg->size, value);
  419. reg->valid = 1;
  420. reg->dirty = 0;
  421. }
  422. /**
  423. * Write an EmbeddedICE register, updating the register cache.
  424. * Uses embeddedice_set_reg(); not queued.
  425. */
  426. int embeddedice_set_reg_w_exec(struct reg *reg, uint8_t *buf)
  427. {
  428. int retval;
  429. embeddedice_set_reg(reg, buf_get_u32(buf, 0, reg->size));
  430. if ((retval = jtag_execute_queue()) != ERROR_OK)
  431. LOG_ERROR("register write failed");
  432. return retval;
  433. }
  434. /**
  435. * Queue a write for an EmbeddedICE register, bypassing the register cache.
  436. */
  437. void embeddedice_write_reg(struct reg *reg, uint32_t value)
  438. {
  439. struct embeddedice_reg *ice_reg = reg->arch_info;
  440. LOG_DEBUG("%i: 0x%8.8" PRIx32 "", ice_reg->addr, value);
  441. jtag_set_end_state(TAP_IDLE);
  442. arm_jtag_scann(ice_reg->jtag_info, 0x2);
  443. arm_jtag_set_instr(ice_reg->jtag_info, ice_reg->jtag_info->intest_instr, NULL);
  444. uint8_t reg_addr = ice_reg->addr & 0x1f;
  445. embeddedice_write_reg_inner(ice_reg->jtag_info->tap, reg_addr, value);
  446. }
  447. /**
  448. * Queue a write for an EmbeddedICE register, using cached value.
  449. * Uses embeddedice_write_reg().
  450. */
  451. void embeddedice_store_reg(struct reg *reg)
  452. {
  453. embeddedice_write_reg(reg, buf_get_u32(reg->value, 0, reg->size));
  454. }
  455. /**
  456. * Send a block of size 32-bit words to the DCC.
  457. * We assume the target is always going to be fast enough (relative to
  458. * the JTAG clock) that the debugger won't need to poll the handshake
  459. * bit. The JTAG clock is usually at least six times slower than the
  460. * functional clock, so the 50+ JTAG clocks needed to receive the word
  461. * allow hundreds of instruction cycles (per word) in the target.
  462. */
  463. int embeddedice_send(struct arm_jtag *jtag_info, uint32_t *data, uint32_t size)
  464. {
  465. struct scan_field fields[3];
  466. uint8_t field0_out[4];
  467. uint8_t field1_out[1];
  468. uint8_t field2_out[1];
  469. jtag_set_end_state(TAP_IDLE);
  470. arm_jtag_scann(jtag_info, 0x2);
  471. arm_jtag_set_instr(jtag_info, jtag_info->intest_instr, NULL);
  472. fields[0].tap = jtag_info->tap;
  473. fields[0].num_bits = 32;
  474. fields[0].out_value = field0_out;
  475. fields[0].in_value = NULL;
  476. fields[1].tap = jtag_info->tap;
  477. fields[1].num_bits = 5;
  478. fields[1].out_value = field1_out;
  479. fields[1].out_value[0] = eice_regs[EICE_COMMS_DATA].addr;
  480. fields[1].in_value = NULL;
  481. fields[2].tap = jtag_info->tap;
  482. fields[2].num_bits = 1;
  483. fields[2].out_value = field2_out;
  484. fields[2].out_value[0] = 1;
  485. fields[2].in_value = NULL;
  486. while (size > 0)
  487. {
  488. buf_set_u32(fields[0].out_value, 0, 32, *data);
  489. jtag_add_dr_scan(3, fields, jtag_get_end_state());
  490. data++;
  491. size--;
  492. }
  493. /* call to jtag_execute_queue() intentionally omitted */
  494. return ERROR_OK;
  495. }
  496. /**
  497. * Poll DCC control register until read or write handshake completes.
  498. */
  499. int embeddedice_handshake(struct arm_jtag *jtag_info, int hsbit, uint32_t timeout)
  500. {
  501. struct scan_field fields[3];
  502. uint8_t field0_in[4];
  503. uint8_t field1_out[1];
  504. uint8_t field2_out[1];
  505. int retval;
  506. uint32_t hsact;
  507. struct timeval lap;
  508. struct timeval now;
  509. if (hsbit == EICE_COMM_CTRL_WBIT)
  510. hsact = 1;
  511. else if (hsbit == EICE_COMM_CTRL_RBIT)
  512. hsact = 0;
  513. else
  514. return ERROR_INVALID_ARGUMENTS;
  515. jtag_set_end_state(TAP_IDLE);
  516. arm_jtag_scann(jtag_info, 0x2);
  517. arm_jtag_set_instr(jtag_info, jtag_info->intest_instr, NULL);
  518. fields[0].tap = jtag_info->tap;
  519. fields[0].num_bits = 32;
  520. fields[0].out_value = NULL;
  521. fields[0].in_value = field0_in;
  522. fields[1].tap = jtag_info->tap;
  523. fields[1].num_bits = 5;
  524. fields[1].out_value = field1_out;
  525. fields[1].out_value[0] = eice_regs[EICE_COMMS_DATA].addr;
  526. fields[1].in_value = NULL;
  527. fields[2].tap = jtag_info->tap;
  528. fields[2].num_bits = 1;
  529. fields[2].out_value = field2_out;
  530. fields[2].out_value[0] = 0;
  531. fields[2].in_value = NULL;
  532. jtag_add_dr_scan(3, fields, jtag_get_end_state());
  533. gettimeofday(&lap, NULL);
  534. do {
  535. jtag_add_dr_scan(3, fields, jtag_get_end_state());
  536. if ((retval = jtag_execute_queue()) != ERROR_OK)
  537. return retval;
  538. if (buf_get_u32(field0_in, hsbit, 1) == hsact)
  539. return ERROR_OK;
  540. gettimeofday(&now, NULL);
  541. } while ((uint32_t)((now.tv_sec - lap.tv_sec) * 1000
  542. + (now.tv_usec - lap.tv_usec) / 1000) <= timeout);
  543. return ERROR_TARGET_TIMEOUT;
  544. }
  545. #ifndef HAVE_JTAG_MINIDRIVER_H
  546. /**
  547. * This is an inner loop of the open loop DCC write of data to target
  548. */
  549. void embeddedice_write_dcc(struct jtag_tap *tap,
  550. int reg_addr, uint8_t *buffer, int little, int count)
  551. {
  552. int i;
  553. for (i = 0; i < count; i++)
  554. {
  555. embeddedice_write_reg_inner(tap, reg_addr,
  556. fast_target_buffer_get_u32(buffer, little));
  557. buffer += 4;
  558. }
  559. }
  560. #else
  561. /* provided by minidriver */
  562. #endif