1 /***************************************************************************
2 * Copyright (C) 2005 by Dominic Rath *
3 * Dominic.Rath@gmx.de *
5 * Copyright (C) 2007-2010 Øyvind Harboe *
6 * oyvind.harboe@zylin.com *
8 * Copyright (C) 2008 by Spencer Oliver *
9 * spen@spen-soft.co.uk *
11 * This program is free software; you can redistribute it and/or modify *
12 * it under the terms of the GNU General Public License as published by *
13 * the Free Software Foundation; either version 2 of the License, or *
14 * (at your option) any later version. *
16 * This program is distributed in the hope that it will be useful, *
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
19 * GNU General Public License for more details. *
21 * You should have received a copy of the GNU General Public License *
22 * along with this program; if not, write to the *
23 * Free Software Foundation, Inc., *
24 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
25 ***************************************************************************/
30 #include "embeddedice.h"
36 * This provides lowlevel glue to the EmbeddedICE (or EmbeddedICE-RT)
37 * module found on scan chain 2 in ARM7, ARM9, and some other families
38 * of ARM cores. The module is called "EmbeddedICE-RT" if it has
39 * monitor mode support.
41 * EmbeddedICE provides basic watchpoint/breakpoint hardware and a Debug
42 * Communications Channel (DCC) used to read or write 32-bit words to
43 * OpenOCD-aware code running on the target CPU.
44 * Newer modules also include vector catch hardware. Some versions
45 * support hardware single-stepping, "monitor mode" debug (which is not
46 * currently supported by OpenOCD), or extended reporting on why the
47 * core entered debug mode.
50 static int embeddedice_set_reg_w_exec(struct reg
*reg
, uint8_t *buf
);
53 * From: ARM9E-S TRM, DDI 0165, table C-4 (and similar, for other cores)
63 /* width is assigned based on EICE version */
66 .name
= "debug_status",
68 /* width is assigned based on EICE version */
80 [EICE_W0_ADDR_VALUE
] = {
81 .name
= "watch_0_addr_value",
85 [EICE_W0_ADDR_MASK
] = {
86 .name
= "watch_0_addr_mask",
90 [EICE_W0_DATA_VALUE
] = {
91 .name
= "watch_0_data_value",
95 [EICE_W0_DATA_MASK
] = {
96 .name
= "watch_0_data_mask",
100 [EICE_W0_CONTROL_VALUE
] = {
101 .name
= "watch_0_control_value",
105 [EICE_W0_CONTROL_MASK
] = {
106 .name
= "watch_0_control_mask",
110 [EICE_W1_ADDR_VALUE
] = {
111 .name
= "watch_1_addr_value",
115 [EICE_W1_ADDR_MASK
] = {
116 .name
= "watch_1_addr_mask",
120 [EICE_W1_DATA_VALUE
] = {
121 .name
= "watch_1_data_value",
125 [EICE_W1_DATA_MASK
] = {
126 .name
= "watch_1_data_mask",
130 [EICE_W1_CONTROL_VALUE
] = {
131 .name
= "watch_1_control_value",
135 [EICE_W1_CONTROL_MASK
] = {
136 .name
= "watch_1_control_mask",
140 /* vector_catch isn't always present */
142 .name
= "vector_catch",
149 static int embeddedice_get_reg(struct reg
*reg
)
153 if ((retval
= embeddedice_read_reg(reg
)) != ERROR_OK
)
154 LOG_ERROR("error queueing EmbeddedICE register read");
155 else if ((retval
= jtag_execute_queue()) != ERROR_OK
)
156 LOG_ERROR("EmbeddedICE register read failed");
161 static const struct reg_arch_type eice_reg_type
= {
162 .get
= embeddedice_get_reg
,
163 .set
= embeddedice_set_reg_w_exec
,
167 * Probe EmbeddedICE module and set up local records of its registers.
168 * Different versions of the modules have different capabilities, such as
169 * hardware support for vector_catch, single stepping, and monitor mode.
172 embeddedice_build_reg_cache(struct target
*target
, struct arm7_9_common
*arm7_9
)
175 struct reg_cache
*reg_cache
= malloc(sizeof(struct reg_cache
));
176 struct reg
*reg_list
= NULL
;
177 struct embeddedice_reg
*arch_info
= NULL
;
178 struct arm_jtag
*jtag_info
= &arm7_9
->jtag_info
;
179 int num_regs
= ARRAY_SIZE(eice_regs
);
181 int eice_version
= 0;
183 /* vector_catch isn't always present */
184 if (!arm7_9
->has_vector_catch
)
187 /* the actual registers are kept in two arrays */
188 reg_list
= calloc(num_regs
, sizeof(struct reg
));
189 arch_info
= calloc(num_regs
, sizeof(struct embeddedice_reg
));
191 /* fill in values for the reg cache */
192 reg_cache
->name
= "EmbeddedICE registers";
193 reg_cache
->next
= NULL
;
194 reg_cache
->reg_list
= reg_list
;
195 reg_cache
->num_regs
= num_regs
;
197 /* FIXME the second watchpoint unit on Feroceon and Dragonite
198 * seems not to work ... we should have a way to not set up
199 * its four registers here!
202 /* set up registers */
203 for (i
= 0; i
< num_regs
; i
++)
205 reg_list
[i
].name
= eice_regs
[i
].name
;
206 reg_list
[i
].size
= eice_regs
[i
].width
;
207 reg_list
[i
].dirty
= 0;
208 reg_list
[i
].valid
= 0;
209 reg_list
[i
].value
= calloc(1, 4);
210 reg_list
[i
].arch_info
= &arch_info
[i
];
211 reg_list
[i
].type
= &eice_reg_type
;
212 arch_info
[i
].addr
= eice_regs
[i
].addr
;
213 arch_info
[i
].jtag_info
= jtag_info
;
216 /* identify EmbeddedICE version by reading DCC control register */
217 embeddedice_read_reg(®_list
[EICE_COMMS_CTRL
]);
218 if ((retval
= jtag_execute_queue()) != ERROR_OK
)
220 for (i
= 0; i
< num_regs
; i
++)
222 free(reg_list
[i
].value
);
230 eice_version
= buf_get_u32(reg_list
[EICE_COMMS_CTRL
].value
, 28, 4);
231 LOG_INFO("Embedded ICE version %d", eice_version
);
233 switch (eice_version
)
236 /* ARM7TDMI r3, ARM7TDMI-S r3
238 * REVISIT docs say ARM7TDMI-S r4 uses version 1 but
239 * that it has 6-bit CTRL and 5-bit STAT... doc bug?
240 * ARM7TDMI r4 docs say EICE v4.
242 reg_list
[EICE_DBG_CTRL
].size
= 3;
243 reg_list
[EICE_DBG_STAT
].size
= 5;
247 reg_list
[EICE_DBG_CTRL
].size
= 4;
248 reg_list
[EICE_DBG_STAT
].size
= 5;
249 arm7_9
->has_single_step
= 1;
252 LOG_ERROR("EmbeddedICE v%d handling might be broken",
254 reg_list
[EICE_DBG_CTRL
].size
= 6;
255 reg_list
[EICE_DBG_STAT
].size
= 5;
256 arm7_9
->has_single_step
= 1;
257 arm7_9
->has_monitor_mode
= 1;
261 reg_list
[EICE_DBG_CTRL
].size
= 6;
262 reg_list
[EICE_DBG_STAT
].size
= 5;
263 arm7_9
->has_monitor_mode
= 1;
267 reg_list
[EICE_DBG_CTRL
].size
= 6;
268 reg_list
[EICE_DBG_STAT
].size
= 5;
269 arm7_9
->has_single_step
= 1;
270 arm7_9
->has_monitor_mode
= 1;
273 /* ARM7EJ-S, ARM9E-S rev 2, ARM9EJ-S */
274 reg_list
[EICE_DBG_CTRL
].size
= 6;
275 reg_list
[EICE_DBG_STAT
].size
= 10;
276 /* DBG_STAT has MOE bits */
277 arm7_9
->has_monitor_mode
= 1;
280 LOG_ERROR("EmbeddedICE v%d handling might be broken",
282 reg_list
[EICE_DBG_CTRL
].size
= 6;
283 reg_list
[EICE_DBG_STAT
].size
= 5;
284 arm7_9
->has_monitor_mode
= 1;
288 * The Feroceon implementation has the version number
289 * in some unusual bits. Let feroceon.c validate it
290 * and do the appropriate setup itself.
292 if (strcmp(target_type_name(target
), "feroceon") == 0 ||
293 strcmp(target_type_name(target
), "dragonite") == 0)
295 LOG_ERROR("unknown EmbeddedICE version "
296 "(comms ctrl: 0x%8.8" PRIx32
")",
297 buf_get_u32(reg_list
[EICE_COMMS_CTRL
].value
, 0, 32));
300 /* On Feroceon and Dragonite the second unit is seemingly missing. */
301 LOG_INFO("%s: hardware has %d breakpoint/watchpoint unit%s",
302 target_name(target
), arm7_9
->wp_available_max
,
303 (arm7_9
->wp_available_max
!= 1) ? "s" : "");
309 * Initialize EmbeddedICE module, if needed.
311 int embeddedice_setup(struct target
*target
)
314 struct arm7_9_common
*arm7_9
= target_to_arm7_9(target
);
316 /* Explicitly disable monitor mode. For now we only support halting
317 * debug ... we don't know how to talk with a resident debug monitor
318 * that manages break requests. ARM's "Angel Debug Monitor" is one
319 * common example of such code.
321 if (arm7_9
->has_monitor_mode
)
323 struct reg
*dbg_ctrl
= &arm7_9
->eice_cache
->reg_list
[EICE_DBG_CTRL
];
325 embeddedice_read_reg(dbg_ctrl
);
326 if ((retval
= jtag_execute_queue()) != ERROR_OK
)
328 buf_set_u32(dbg_ctrl
->value
, 4, 1, 0);
329 embeddedice_set_reg_w_exec(dbg_ctrl
, dbg_ctrl
->value
);
331 return jtag_execute_queue();
335 * Queue a read for an EmbeddedICE register into the register cache,
336 * optionally checking the value read.
337 * Note that at this level, all registers are 32 bits wide.
339 int embeddedice_read_reg_w_check(struct reg
*reg
,
340 uint8_t *check_value
, uint8_t *check_mask
)
342 struct embeddedice_reg
*ice_reg
= reg
->arch_info
;
343 uint8_t reg_addr
= ice_reg
->addr
& 0x1f;
344 struct scan_field fields
[3];
345 uint8_t field1_out
[1];
346 uint8_t field2_out
[1];
348 arm_jtag_scann(ice_reg
->jtag_info
, 0x2, TAP_IDLE
);
350 arm_jtag_set_instr(ice_reg
->jtag_info
, ice_reg
->jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
352 /* bits 31:0 -- data (ignored here) */
353 fields
[0].num_bits
= 32;
354 fields
[0].out_value
= reg
->value
;
355 fields
[0].in_value
= NULL
;
356 fields
[0].check_value
= NULL
;
357 fields
[0].check_mask
= NULL
;
359 /* bits 36:32 -- register */
360 fields
[1].num_bits
= 5;
361 fields
[1].out_value
= field1_out
;
362 field1_out
[0] = reg_addr
;
363 fields
[1].in_value
= NULL
;
364 fields
[1].check_value
= NULL
;
365 fields
[1].check_mask
= NULL
;
367 /* bit 37 -- 0/read */
368 fields
[2].num_bits
= 1;
369 fields
[2].out_value
= field2_out
;
371 fields
[2].in_value
= NULL
;
372 fields
[2].check_value
= NULL
;
373 fields
[2].check_mask
= NULL
;
375 /* traverse Update-DR, setting address for the next read */
376 jtag_add_dr_scan(ice_reg
->jtag_info
->tap
, 3, fields
, TAP_IDLE
);
378 /* bits 31:0 -- the data we're reading (and maybe checking) */
379 fields
[0].in_value
= reg
->value
;
380 fields
[0].check_value
= check_value
;
381 fields
[0].check_mask
= check_mask
;
383 /* when reading the DCC data register, leaving the address field set to
384 * EICE_COMMS_DATA would read the register twice
385 * reading the control register is safe
387 field1_out
[0] = eice_regs
[EICE_COMMS_CTRL
].addr
;
389 /* traverse Update-DR, reading but with no other side effects */
390 jtag_add_dr_scan_check(ice_reg
->jtag_info
->tap
, 3, fields
, TAP_IDLE
);
396 * Receive a block of size 32-bit words from the DCC.
397 * We assume the target is always going to be fast enough (relative to
398 * the JTAG clock) that the debugger won't need to poll the handshake
399 * bit. The JTAG clock is usually at least six times slower than the
400 * functional clock, so the 50+ JTAG clocks needed to receive the word
401 * allow hundreds of instruction cycles (per word) in the target.
403 int embeddedice_receive(struct arm_jtag
*jtag_info
, uint32_t *data
, uint32_t size
)
405 struct scan_field fields
[3];
406 uint8_t field1_out
[1];
407 uint8_t field2_out
[1];
409 arm_jtag_scann(jtag_info
, 0x2, TAP_IDLE
);
410 arm_jtag_set_instr(jtag_info
, jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
412 fields
[0].num_bits
= 32;
413 fields
[0].out_value
= NULL
;
414 fields
[0].in_value
= NULL
;
416 fields
[1].num_bits
= 5;
417 fields
[1].out_value
= field1_out
;
418 field1_out
[0] = eice_regs
[EICE_COMMS_DATA
].addr
;
419 fields
[1].in_value
= NULL
;
421 fields
[2].num_bits
= 1;
422 fields
[2].out_value
= field2_out
;
424 fields
[2].in_value
= NULL
;
426 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
430 /* when reading the last item, set the register address to the DCC control reg,
431 * to avoid reading additional data from the DCC data reg
434 field1_out
[0] = eice_regs
[EICE_COMMS_CTRL
].addr
;
436 fields
[0].in_value
= (uint8_t *)data
;
437 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
438 jtag_add_callback(arm_le_to_h_u32
, (jtag_callback_data_t
)data
);
444 return jtag_execute_queue();
448 * Queue a read for an EmbeddedICE register into the register cache,
449 * not checking the value read.
451 int embeddedice_read_reg(struct reg
*reg
)
453 return embeddedice_read_reg_w_check(reg
, NULL
, NULL
);
457 * Queue a write for an EmbeddedICE register, updating the register cache.
458 * Uses embeddedice_write_reg().
460 void embeddedice_set_reg(struct reg
*reg
, uint32_t value
)
462 embeddedice_write_reg(reg
, value
);
464 buf_set_u32(reg
->value
, 0, reg
->size
, value
);
471 * Write an EmbeddedICE register, updating the register cache.
472 * Uses embeddedice_set_reg(); not queued.
474 static int embeddedice_set_reg_w_exec(struct reg
*reg
, uint8_t *buf
)
478 embeddedice_set_reg(reg
, buf_get_u32(buf
, 0, reg
->size
));
479 if ((retval
= jtag_execute_queue()) != ERROR_OK
)
480 LOG_ERROR("register write failed");
485 * Queue a write for an EmbeddedICE register, bypassing the register cache.
487 void embeddedice_write_reg(struct reg
*reg
, uint32_t value
)
489 struct embeddedice_reg
*ice_reg
= reg
->arch_info
;
491 LOG_DEBUG("%i: 0x%8.8" PRIx32
"", ice_reg
->addr
, value
);
493 arm_jtag_scann(ice_reg
->jtag_info
, 0x2, TAP_IDLE
);
495 arm_jtag_set_instr(ice_reg
->jtag_info
, ice_reg
->jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
497 uint8_t reg_addr
= ice_reg
->addr
& 0x1f;
498 embeddedice_write_reg_inner(ice_reg
->jtag_info
->tap
, reg_addr
, value
);
502 * Queue a write for an EmbeddedICE register, using cached value.
503 * Uses embeddedice_write_reg().
505 void embeddedice_store_reg(struct reg
*reg
)
507 embeddedice_write_reg(reg
, buf_get_u32(reg
->value
, 0, reg
->size
));
511 * Send a block of size 32-bit words to the DCC.
512 * We assume the target is always going to be fast enough (relative to
513 * the JTAG clock) that the debugger won't need to poll the handshake
514 * bit. The JTAG clock is usually at least six times slower than the
515 * functional clock, so the 50+ JTAG clocks needed to receive the word
516 * allow hundreds of instruction cycles (per word) in the target.
518 int embeddedice_send(struct arm_jtag
*jtag_info
, uint32_t *data
, uint32_t size
)
520 struct scan_field fields
[3];
521 uint8_t field0_out
[4];
522 uint8_t field1_out
[1];
523 uint8_t field2_out
[1];
525 arm_jtag_scann(jtag_info
, 0x2, TAP_IDLE
);
526 arm_jtag_set_instr(jtag_info
, jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
528 fields
[0].num_bits
= 32;
529 fields
[0].out_value
= field0_out
;
530 fields
[0].in_value
= NULL
;
532 fields
[1].num_bits
= 5;
533 fields
[1].out_value
= field1_out
;
534 field1_out
[0] = eice_regs
[EICE_COMMS_DATA
].addr
;
535 fields
[1].in_value
= NULL
;
537 fields
[2].num_bits
= 1;
538 fields
[2].out_value
= field2_out
;
541 fields
[2].in_value
= NULL
;
545 buf_set_u32(field0_out
, 0, 32, *data
);
546 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
552 /* call to jtag_execute_queue() intentionally omitted */
557 * Poll DCC control register until read or write handshake completes.
559 int embeddedice_handshake(struct arm_jtag
*jtag_info
, int hsbit
, uint32_t timeout
)
561 struct scan_field fields
[3];
562 uint8_t field0_in
[4];
563 uint8_t field1_out
[1];
564 uint8_t field2_out
[1];
570 if (hsbit
== EICE_COMM_CTRL_WBIT
)
572 else if (hsbit
== EICE_COMM_CTRL_RBIT
)
575 return ERROR_INVALID_ARGUMENTS
;
577 arm_jtag_scann(jtag_info
, 0x2, TAP_IDLE
);
578 arm_jtag_set_instr(jtag_info
, jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
580 fields
[0].num_bits
= 32;
581 fields
[0].out_value
= NULL
;
582 fields
[0].in_value
= field0_in
;
584 fields
[1].num_bits
= 5;
585 fields
[1].out_value
= field1_out
;
586 field1_out
[0] = eice_regs
[EICE_COMMS_DATA
].addr
;
587 fields
[1].in_value
= NULL
;
589 fields
[2].num_bits
= 1;
590 fields
[2].out_value
= field2_out
;
592 fields
[2].in_value
= NULL
;
594 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
595 gettimeofday(&lap
, NULL
);
597 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
598 if ((retval
= jtag_execute_queue()) != ERROR_OK
)
601 if (buf_get_u32(field0_in
, hsbit
, 1) == hsact
)
604 gettimeofday(&now
, NULL
);
605 } while ((uint32_t)((now
.tv_sec
- lap
.tv_sec
) * 1000
606 + (now
.tv_usec
- lap
.tv_usec
) / 1000) <= timeout
);
608 return ERROR_TARGET_TIMEOUT
;
611 #ifndef HAVE_JTAG_MINIDRIVER_H
613 * This is an inner loop of the open loop DCC write of data to target
615 void embeddedice_write_dcc(struct jtag_tap
*tap
,
616 int reg_addr
, uint8_t *buffer
, int little
, int count
)
620 for (i
= 0; i
< count
; i
++)
622 embeddedice_write_reg_inner(tap
, reg_addr
,
623 fast_target_buffer_get_u32(buffer
, little
));
628 /* provided by minidriver */
Linking to existing account procedure
If you already have an account and want to add another login method
you
MUST first sign in with your existing account and
then change URL to read
https://review.openocd.org/login/?link
to get to this page again but this time it'll work for linking. Thank you.
SSH host keys fingerprints
1024 SHA256:YKx8b7u5ZWdcbp7/4AeXNaqElP49m6QrwfXaqQGJAOk gerrit-code-review@openocd.zylin.com (DSA)
384 SHA256:jHIbSQa4REvwCFG4cq5LBlBLxmxSqelQPem/EXIrxjk gerrit-code-review@openocd.org (ECDSA)
521 SHA256:UAOPYkU9Fjtcao0Ul/Rrlnj/OsQvt+pgdYSZ4jOYdgs gerrit-code-review@openocd.org (ECDSA)
256 SHA256:A13M5QlnozFOvTllybRZH6vm7iSt0XLxbA48yfc2yfY gerrit-code-review@openocd.org (ECDSA)
256 SHA256:spYMBqEYoAOtK7yZBrcwE8ZpYt6b68Cfh9yEVetvbXg gerrit-code-review@openocd.org (ED25519)
+--[ED25519 256]--+
|=.. |
|+o.. . |
|*.o . . |
|+B . . . |
|Bo. = o S |
|Oo.+ + = |
|oB=.* = . o |
| =+=.+ + E |
|. .=o . o |
+----[SHA256]-----+
2048 SHA256:0Onrb7/PHjpo6iVZ7xQX2riKN83FJ3KGU0TvI0TaFG4 gerrit-code-review@openocd.zylin.com (RSA)