Code Review / openocd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
jtag: linuxgpiod: drop extra parenthesis
[openocd.git] / src / flash / nor / qn908x.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /***************************************************************************
3 * Copyright (C) 2020 iosabi *
4 * iosabi <iosabi@protonmail.com> *
5 ***************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include "config.h"
9 #endif
10
11 #include "imp.h"
12
13 #include <helper/binarybuffer.h>
14 #include <helper/bits.h>
15 #include <helper/crc32.h>
16 #include <helper/time_support.h>
17 #include <helper/types.h>
18
19 /* The QN908x has two flash regions, one is the main flash region holding the
20 * user code and the second one is a small (0x800 bytes) "Flash information
21 * page" that can't be written to by the user. This page contains information
22 * programmed at the factory.
23 *
24 * The main flash region is normally 512 KiB, there's a field in the "Flash
25 * information page" that allows to specify for 256 KiB size chips. However, at
26 * the time of writing, none of the variants in the market have 256 KiB.
27 *
28 * The flash is divided into blocks of 256 KiB each, therefore containing two
29 * blocks. A block is subdivided into pages, of 2048 bytes. A page is the
30 * smallest region that can be erased or protected independently, although it
31 * is also possible to erase a whole block or both blocks. A page is subdivided
32 * into 8 rows of 64 words (32-bit words). The word subdivision is only
33 * relevant because DMA can write multiple words in the same row in the same
34 * flash program operation.
35 *
36 * For the Flash information page we are only interested in the last
37 * 0x100 bytes which contain a CRC-32 checksum of that 0x100 bytes long region
38 * and a field stating the size of the flash. This is also a good check that
39 * we are dealing with the right chip/flash configuration and is used in the
40 * probe() function.
41 */
42 #define QN908X_FLASH_BASE 0x01000000
43
44 #define QN908X_FLASH_PAGE_SIZE 2048
45 #define QN908X_FLASH_PAGES_PER_BLOCK 128
46 #define QN908X_FLASH_MAX_BLOCKS 2
47 #define QN908X_FLASH_BLOCK_SIZE \
48 (QN908X_FLASH_PAGES_PER_BLOCK * QN908X_FLASH_PAGE_SIZE)
49 #define QN908X_FLASH_IRQ_VECTOR_CHECKSUM_POS 0x1c
50 #define QN908X_FLASH_IRQ_VECTOR_CHECKSUM_SIZE 4
51 #define QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END \
52 (QN908X_FLASH_IRQ_VECTOR_CHECKSUM_POS + QN908X_FLASH_IRQ_VECTOR_CHECKSUM_SIZE)
53
54
55 /* Flash information page memory fields. */
56 #define QN908X_INFO_PAGE_BASE 0x210b0000u
57 #define QN908X_INFO_PAGE_CRC32 (QN908X_INFO_PAGE_BASE + 0x700)
58 #define QN908X_INFO_PAGE_CRC_START (QN908X_INFO_PAGE_BASE + 0x704)
59 #define QN908X_INFO_PAGE_BOOTLOADER_VER (QN908X_INFO_PAGE_BASE + 0x704)
60 #define QN908X_INFO_PAGE_FLASH_SIZE (QN908X_INFO_PAGE_BASE + 0x708)
61 #define QN908X_INFO_PAGE_BLUETOOTH_ADDR (QN908X_INFO_PAGE_BASE + 0x7fa)
62 #define QN908X_INFO_PAGE_CRC_END (QN908X_INFO_PAGE_BASE + 0x800)
63
64
65 /* Possible values of the QN908X_INFO_PAGE_FLASH_SIZE field. */
66 enum qn908x_info_page_flash_size {
67 QN908X_FLASH_SIZE_512K = 0xfffff0ff,
68 QN908X_FLASH_SIZE_256K = 0xffffe0ff,
69 };
70
71 /* QN908x "Flash memory controller", described in section 28 of the user
72 * manual. In the NXP SDK this peripheral is called "FLASH", however we use the
73 * name "FMC" (Flash Memory Controller) here when referring to the controller
74 * to avoid confusion with other "flash" terms in OpenOCD. */
75 #define QN908X_FMC_BASE 0x40081000u
76 #define QN908X_FMC_INI_RD_EN (QN908X_FMC_BASE + 0x00)
77 #define QN908X_FMC_ERASE_CTRL (QN908X_FMC_BASE + 0x04)
78 #define QN908X_FMC_ERASE_TIME (QN908X_FMC_BASE + 0x08)
79 #define QN908X_FMC_TIME_CTRL (QN908X_FMC_BASE + 0x0c)
80 #define QN908X_FMC_SMART_CTRL (QN908X_FMC_BASE + 0x10)
81 #define QN908X_FMC_INT_STAT (QN908X_FMC_BASE + 0x18)
82 #define QN908X_FMC_LOCK_STAT_0 (QN908X_FMC_BASE + 0x20)
83 #define QN908X_FMC_LOCK_STAT_1 (QN908X_FMC_BASE + 0x24)
84 #define QN908X_FMC_LOCK_STAT_2 (QN908X_FMC_BASE + 0x28)
85 #define QN908X_FMC_LOCK_STAT_3 (QN908X_FMC_BASE + 0x2c)
86 #define QN908X_FMC_LOCK_STAT_4 (QN908X_FMC_BASE + 0x30)
87 #define QN908X_FMC_LOCK_STAT_5 (QN908X_FMC_BASE + 0x34)
88 #define QN908X_FMC_LOCK_STAT_6 (QN908X_FMC_BASE + 0x38)
89 #define QN908X_FMC_LOCK_STAT_7 (QN908X_FMC_BASE + 0x3c)
90 #define QN908X_FMC_LOCK_STAT_8 (QN908X_FMC_BASE + 0x40)
91 #define QN908X_FMC_STATUS1 (QN908X_FMC_BASE + 0x48)
92 #define QN908X_FMC_DEBUG_PASSWORD (QN908X_FMC_BASE + 0xa8)
93 #define QN908X_FMC_ERASE_PASSWORD (QN908X_FMC_BASE + 0xac)
94
95 #define QN908X_FMC_INI_RD_EN_INI_RD_EN_MASK BIT(0)
96
97 #define QN908X_FMC_STATUS1_FSH_ERA_BUSY_L_MASK BIT(9)
98 #define QN908X_FMC_STATUS1_FSH_WR_BUSY_L_MASK BIT(10)
99 #define QN908X_FMC_STATUS1_FSH_ERA_BUSY_H_MASK BIT(12)
100 #define QN908X_FMC_STATUS1_FSH_WR_BUSY_H_MASK BIT(13)
101 #define QN908X_FMC_STATUS1_INI_RD_DONE_MASK BIT(15)
102 #define QN908X_FMC_STATUS1_FSH_STA_MASK BIT(26)
103
104 #define QN908X_FMC_ERASE_CTRL_PAGE_IDXL_SHIFT 0
105 #define QN908X_FMC_ERASE_CTRL_PAGE_IDXH_SHIFT 8
106 #define QN908X_FMC_ERASE_CTRL_HALF_ERASEL_EN_SHIFT 28
107 #define QN908X_FMC_ERASE_CTRL_HALF_ERASEH_EN_SHIFT 29
108 #define QN908X_FMC_ERASE_CTRL_PAGE_ERASEL_EN_SHIFT 30
109 #define QN908X_FMC_ERASE_CTRL_PAGE_ERASEH_EN_SHIFT 31
110
111 #define QN908X_FMC_INT_STAT_AHBL_INT_MASK BIT(0)
112 #define QN908X_FMC_INT_STAT_LOCKL_INT_MASK BIT(1)
113 #define QN908X_FMC_INT_STAT_ERASEL_INT_MASK BIT(2)
114 #define QN908X_FMC_INT_STAT_WRITEL_INT_MASK BIT(3)
115 #define QN908X_FMC_INT_STAT_WR_BUFL_INT_MASK BIT(4)
116 #define QN908X_FMC_INT_STAT_WRITE_FAIL_L_INT_MASK BIT(5)
117 #define QN908X_FMC_INT_STAT_ERASE_FAIL_L_INT_MASK BIT(6)
118 #define QN908X_FMC_INT_STAT_AHBH_INT_MASK BIT(8)
119 #define QN908X_FMC_INT_STAT_LOCKH_INT_MASK BIT(9)
120 #define QN908X_FMC_INT_STAT_ERASEH_INT_MASK BIT(10)
121 #define QN908X_FMC_INT_STAT_WRITEH_INT_MASK BIT(11)
122 #define QN908X_FMC_INT_STAT_WR_BUFH_INT_MASK BIT(12)
123 #define QN908X_FMC_INT_STAT_WRITE_FAIL_H_INT_MASK BIT(13)
124 #define QN908X_FMC_INT_STAT_ERASE_FAIL_H_INT_MASK BIT(14)
125
126 #define QN908X_FMC_SMART_CTRL_PRGML_EN_MASK BIT(0)
127 #define QN908X_FMC_SMART_CTRL_PRGMH_EN_MASK BIT(1)
128 #define QN908X_FMC_SMART_CTRL_SMART_WRITEL_EN_MASK BIT(2)
129 #define QN908X_FMC_SMART_CTRL_SMART_WRITEH_EN_MASK BIT(3)
130 #define QN908X_FMC_SMART_CTRL_SMART_ERASEL_EN_MASK BIT(4)
131 #define QN908X_FMC_SMART_CTRL_SMART_ERASEH_EN_MASK BIT(5)
132 #define QN908X_FMC_SMART_CTRL_MAX_WRITE_MASK 0xf00u
133 #define QN908X_FMC_SMART_CTRL_MAX_WRITE_SHIFT 8u
134 #define QN908X_FMC_SMART_CTRL_MAX_WRITE(x) \
135 (((uint32_t)(((uint32_t)(x)) << QN908X_FMC_SMART_CTRL_MAX_WRITE_SHIFT)) \
136 & QN908X_FMC_SMART_CTRL_MAX_WRITE_MASK)
137 #define QN908X_FMC_SMART_CTRL_MAX_ERASE_MASK 0x3f000u
138 #define QN908X_FMC_SMART_CTRL_MAX_ERASE_SHIFT 12u
139 #define QN908X_FMC_SMART_CTRL_MAX_ERASE(x) \
140 (((uint32_t)(((uint32_t)(x)) << QN908X_FMC_SMART_CTRL_MAX_ERASE_SHIFT)) \
141 & QN908X_FMC_SMART_CTRL_MAX_ERASE_MASK)
142
143 #define QN908X_FMC_SMART_CTRL_MAX_ERASE_RETRIES 9
144 #define QN908X_FMC_SMART_CTRL_MAX_WRITE_RETRIES 9
145
146 #define QN908X_FMC_TIME_CTRL_PRGM_CYCLE_MASK 0xfffu
147 #define QN908X_FMC_TIME_CTRL_PRGM_CYCLE_SHIFT 0u
148 #define QN908X_FMC_TIME_CTRL_PRGM_CYCLE(x) \
149 (((uint32_t)(((uint32_t)(x)) << QN908X_FMC_TIME_CTRL_PRGM_CYCLE_SHIFT)) \
150 & QN908X_FMC_TIME_CTRL_PRGM_CYCLE_MASK)
151 #define QN908X_FMC_TIME_CTRL_TIME_BASE_MASK 0xff000u
152 #define QN908X_FMC_TIME_CTRL_TIME_BASE_SHIFT 12u
153 #define QN908X_FMC_TIME_CTRL_TIME_BASE(x) \
154 (((uint32_t)(((uint32_t)(x)) << QN908X_FMC_TIME_CTRL_TIME_BASE_SHIFT)) \
155 & QN908X_FMC_TIME_CTRL_TIME_BASE_MASK)
156
157 #define QN908X_FMC_LOCK_STAT_8_MASS_ERASE_LOCK_EN BIT(0)
158 #define QN908X_FMC_LOCK_STAT_8_FSH_PROTECT_EN BIT(1)
159 #define QN908X_FMC_LOCK_STAT_8_MEM_PROTECT_EN BIT(2)
160 #define QN908X_FMC_LOCK_STAT_8_PROTECT_ANY (BIT(1) | BIT(2))
161
162 /* See Table 418 "Flash lock and protect description" in the user manual */
163 #define QN908X_FLASH_LOCK_ADDR (QN908X_FLASH_BASE + 0x7f820)
164 /* Allow mass erase */
165 #define QN908X_FLASH_LOCK_ENABLE_MASS_ERASE BIT(0)
166 /* disallow flash access from SWD */
167 #define QN908X_FLASH_LOCK_ENABLE_FLASH_PROTECTION BIT(1)
168 /* disallow SRAM access from SWD */
169 #define QN908X_FLASH_LOCK_ENABLE_MEMORY_PROTECTION BIT(2)
170
171 /* Page lock information located at the beginning of the last page. */
172 struct qn908x_flash_page_lock {
173 uint8_t bits[QN908X_FLASH_MAX_BLOCKS * QN908X_FLASH_PAGES_PER_BLOCK / 8];
174 uint8_t protection;
175 uint8_t _reserved[3];
176 /* nvds_size is unused here, but we need to preserve it across erases
177 * when locking and unlocking pages. */
178 uint8_t nvds_size[4];
179 } __attribute__ ((packed));
180
181 /* Clock configuration is stored in the SYSCON. */
182 #define QN908X_SYSCON_BASE 0x40000000u
183 #define QN908X_SYSCON_CLK_EN (QN908X_SYSCON_BASE + 0x00cu)
184 #define QN908X_SYSCON_CLK_CTRL (QN908X_SYSCON_BASE + 0x010u)
185 #define QN908X_SYSCON_CHIP_ID (QN908X_SYSCON_BASE + 0x108u)
186 #define QN908X_SYSCON_XTAL_CTRL (QN908X_SYSCON_BASE + 0x180u)
187
188 /* Internal 16MHz / 8MHz clock used by the erase operation. */
189 #define QN908X_SYSCON_CLK_EN_CLK_DP_EN_MASK BIT(21)
190
191 #define SYSCON_XTAL_CTRL_XTAL_DIV_MASK BIT(31)
192
193 #define SYSCON_CLK_CTRL_AHB_DIV_MASK 0x1FFF0u
194 #define SYSCON_CLK_CTRL_AHB_DIV_SHIFT 4u
195 #define SYSCON_CLK_CTRL_CLK_XTAL_SEL_MASK BIT(19)
196 #define SYSCON_CLK_CTRL_CLK_OSC32M_DIV_MASK BIT(20)
197 #define SYSCON_CLK_CTRL_SYS_CLK_SEL_MASK 0xC0000000u
198 #define SYSCON_CLK_CTRL_SYS_CLK_SEL_SHIFT 30u
199
200 #define CLOCK_16MHZ 16000000u
201 #define CLOCK_32MHZ 32000000u
202 #define CLOCK_32KHZ 32000u
203
204 /* Watchdog block registers */
205 #define QN908X_WDT_BASE 0x40001000u
206 #define QN908X_WDT_CTRL (QN908X_WDT_BASE + 0x08u)
207 #define QN908X_WDT_LOCK (QN908X_WDT_BASE + 0x20u)
208
209 struct qn908x_flash_bank {
210 /* The number of flash blocks. Initially set to zero until the flash
211 * is probed. This determines the size of the flash. */
212 unsigned int num_blocks;
213
214 unsigned int user_bank_size;
215 bool calc_checksum;
216
217 /* Whether we allow to flash an image that disables SWD access, potentially
218 * bricking the device since the image can't be reflashed from SWD. */
219 bool allow_swd_disabled;
220
221 bool page_lock_loaded;
222 struct qn908x_flash_page_lock page_lock;
223 };
224
225 /* 500 ms timeout. */
226 #define QN908X_DEFAULT_TIMEOUT_MS 500
227
228 /* Forward declaration of commands. */
229 static int qn908x_probe(struct flash_bank *bank);
230 static int qn908x_write(struct flash_bank *bank, const uint8_t *buffer,
231 uint32_t offset, uint32_t count);
232
233 /* Update the value of a register with a mask. This helper allows to read a
234 * register, modify a subset of the bits and write back the value, which is a
235 * common operation when modifying only a bit filed in a register. */
236 static int qn908x_update_reg(struct target *target, target_addr_t reg,
237 uint32_t mask, uint32_t value)
238 {
239 uint32_t orig_value = 0;
240 uint32_t new_value;
241 int retval;
242 if (mask != 0xffffffff) {
243 /* No need to read the old value if we request a mask of 32 bits. */
244 retval = target_read_u32(target, reg, &orig_value);
245 if (retval != ERROR_OK) {
246 LOG_DEBUG("Error reading reg at " TARGET_ADDR_FMT
247 ": %d", reg, retval);
248 return retval;
249 }
250 }
251 new_value = (orig_value & ~mask) | (value & mask);
252 retval = target_write_u32(target, reg, new_value);
253 if (retval != ERROR_OK) {
254 LOG_DEBUG("Error writing reg at " TARGET_ADDR_FMT " with 0x%08"
255 PRIx32 ": %d", reg, new_value, retval);
256 return retval;
257 }
258 if (mask == 0xffffffff) {
259 LOG_DEBUG("Updated reg at " TARGET_ADDR_FMT ": ?? -> 0x%.08"
260 PRIx32 "", reg, new_value);
261 } else {
262 LOG_DEBUG("Updated reg at " TARGET_ADDR_FMT ": 0x%.08" PRIx32
263 " -> 0x%.08" PRIx32, reg, orig_value, new_value);
264 }
265 return ERROR_OK;
266 }
267
268 /* Load lock bit and protection bit and load redundancy page info.
269 * This populates the LOCK_STAT_n registers with the values from the lock page,
270 * making protection bit changes to the last page effective. */
271 static int qn908x_load_lock_stat(struct target *target)
272 {
273 int retval = target_write_u32(target, QN908X_FMC_INI_RD_EN,
274 QN908X_FMC_INI_RD_EN_INI_RD_EN_MASK);
275 if (retval != ERROR_OK)
276 return retval;
277
278 uint32_t status1;
279 const uint32_t status_mask = QN908X_FMC_STATUS1_FSH_STA_MASK
280 | QN908X_FMC_STATUS1_INI_RD_DONE_MASK;
281 do {
282 retval = target_read_u32(target, QN908X_FMC_STATUS1, &status1);
283 if (retval != ERROR_OK)
284 return retval;
285 } while ((status1 & status_mask) != QN908X_FMC_STATUS1_INI_RD_DONE_MASK);
286
287 for (int i = 0; i <= 8; i++) {
288 uint32_t addr = QN908X_FMC_LOCK_STAT_0 + i * 4;
289 uint32_t lock_stat;
290 if (target_read_u32(target, addr, &lock_stat) == ERROR_OK)
291 LOG_DEBUG("LOCK_STAT_%d = 0x%08" PRIx32, i, lock_stat);
292 }
293 return ERROR_OK;
294 }
295
296 /* Initializes the FMC controller registers for allowing writing. */
297 static int qn908x_init_flash(struct target *target)
298 {
299 /* Determine the current clock configuration. */
300 uint32_t clk_ctrl;
301 int retval = target_read_u32(target, QN908X_SYSCON_CLK_CTRL, &clk_ctrl);
302 if (retval != ERROR_OK)
303 return retval;
304
305 uint32_t clk_sel = (clk_ctrl & SYSCON_CLK_CTRL_SYS_CLK_SEL_MASK)
306 >> SYSCON_CLK_CTRL_SYS_CLK_SEL_SHIFT;
307 LOG_DEBUG("Clock clk_sel=0x%08" PRIu32, clk_sel);
308
309 /* Core clock frequency. */
310 uint32_t core_freq = 0;
311 switch (clk_sel) {
312 case 0: /* RCO 32 MHz */
313 core_freq = (clk_ctrl & SYSCON_CLK_CTRL_CLK_OSC32M_DIV_MASK) ?
314 CLOCK_16MHZ : CLOCK_32MHZ;
315 break;
316 case 1: /* Xin frequency */
317 {
318 uint32_t clk_xtal;
319 retval = target_read_u32(target, QN908X_SYSCON_XTAL_CTRL, &clk_xtal);
320 if (retval != ERROR_OK)
321 return retval;
322 core_freq = (clk_ctrl & SYSCON_CLK_CTRL_CLK_XTAL_SEL_MASK)
323 && (clk_xtal & SYSCON_XTAL_CTRL_XTAL_DIV_MASK)
324 ? CLOCK_32MHZ : CLOCK_16MHZ;
325 }
326 break;
327 case 2: /* 32 Kz */
328 core_freq = CLOCK_32KHZ;
329 break;
330 default:
331 return ERROR_FAIL;
332 }
333
334 uint32_t ahb_div = (clk_ctrl & SYSCON_CLK_CTRL_AHB_DIV_MASK)
335 >> SYSCON_CLK_CTRL_AHB_DIV_SHIFT;
336 uint32_t ahb_freq = core_freq / (ahb_div + 1);
337
338 LOG_DEBUG("Core freq: %" PRIu32 " Hz | AHB freq: %" PRIu32 " Hz",
339 core_freq, ahb_freq);
340
341 /* TIME_BASE is 2uS at the current AHB clock speed. */
342 retval = target_write_u32(target, QN908X_FMC_TIME_CTRL,
343 QN908X_FMC_TIME_CTRL_TIME_BASE(2 * ahb_freq / 1000000) |
344 QN908X_FMC_TIME_CTRL_PRGM_CYCLE(30));
345 if (retval != ERROR_OK)
346 return retval;
347
348 return qn908x_load_lock_stat(target);
349 }
350
351 /* flash bank qn908x <base> <size> 0 0 <target#> [calc_checksum] */
352 FLASH_BANK_COMMAND_HANDLER(qn908x_flash_bank_command)
353 {
354 struct qn908x_flash_bank *qn908x_info;
355
356 if (CMD_ARGC < 6 || CMD_ARGC > 7)
357 return ERROR_COMMAND_SYNTAX_ERROR;
358
359 if (bank->base != QN908X_FLASH_BASE) {
360 LOG_ERROR("Address " TARGET_ADDR_FMT
361 " is an invalid bank address (try 0x%08" PRIx32 ")",
362 bank->base, QN908X_FLASH_BASE);
363 return ERROR_COMMAND_ARGUMENT_INVALID;
364 }
365
366 qn908x_info = malloc(sizeof(struct qn908x_flash_bank));
367
368 if (!qn908x_info)
369 return ERROR_FAIL;
370
371 bank->driver_priv = qn908x_info;
372 qn908x_info->num_blocks = 0;
373 qn908x_info->user_bank_size = bank->size;
374 qn908x_info->page_lock_loaded = false;
375 qn908x_info->allow_swd_disabled = false;
376
377 qn908x_info->calc_checksum = false;
378 if (CMD_ARGC == 7) {
379 if (strcmp(CMD_ARGV[6], "calc_checksum")) {
380 free(qn908x_info);
381 return ERROR_COMMAND_ARGUMENT_INVALID;
382 }
383 qn908x_info->calc_checksum = true;
384 }
385
386 return ERROR_OK;
387 }
388
389 static int qn908x_read_page_lock(struct flash_bank *bank)
390 {
391 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
392
393 if (bank->target->state != TARGET_HALTED) {
394 LOG_ERROR("Target not halted");
395 return ERROR_TARGET_NOT_HALTED;
396 }
397
398 /* The last page of the flash contains the "Flash lock and protect"
399 * information. It is not clear where this is located on chips with only
400 * one block. */
401 uint32_t prot_offset = qn908x_info->num_blocks * QN908X_FLASH_BLOCK_SIZE
402 - QN908X_FLASH_PAGE_SIZE;
403
404 int retval = target_read_memory(bank->target, bank->base + prot_offset, 4,
405 sizeof(qn908x_info->page_lock) / 4,
406 (void *)(&qn908x_info->page_lock));
407 if (retval != ERROR_OK)
408 return retval;
409 LOG_DEBUG("Flash protection = 0x%02" PRIx8,
410 qn908x_info->page_lock.protection);
411
412 qn908x_info->page_lock_loaded = true;
413 return ERROR_OK;
414 }
415
416 static int qn908x_busy_check(struct target *target)
417 {
418 uint32_t status1;
419 int retval = target_read_u32(target, QN908X_FMC_STATUS1, &status1);
420 if (retval != ERROR_OK)
421 return retval;
422
423 if ((status1 & (QN908X_FMC_STATUS1_FSH_ERA_BUSY_L_MASK
424 | QN908X_FMC_STATUS1_FSH_WR_BUSY_L_MASK
425 | QN908X_FMC_STATUS1_FSH_ERA_BUSY_H_MASK
426 | QN908X_FMC_STATUS1_FSH_WR_BUSY_H_MASK)))
427 return ERROR_FLASH_BUSY;
428 return ERROR_OK;
429 }
430
431 static int qn908x_status_check(struct target *target)
432 {
433 uint32_t int_stat;
434 int retval = target_read_u32(target, QN908X_FMC_INT_STAT, &int_stat);
435 if (retval != ERROR_OK)
436 return retval;
437
438 /* The error bits for block 0 and block 1 have the exact same layout, only
439 * that block 1 error bits are shifted by 8 bits. We use this fact to
440 * loop over the blocks */
441 for (unsigned int block = 0; block <= 1; block++) {
442 unsigned int shift = (block) ? 8 : 0;
443 if (int_stat & (QN908X_FMC_INT_STAT_AHBL_INT_MASK << shift)) {
444 LOG_ERROR("AHB error on block %u", block);
445 return ERROR_FAIL;
446 }
447
448 if (int_stat & (QN908X_FMC_INT_STAT_LOCKL_INT_MASK << shift)) {
449 LOG_ERROR("Locked page being accessed error on block %u", block);
450 return ERROR_FAIL;
451 }
452
453 if (int_stat & (QN908X_FMC_INT_STAT_WRITE_FAIL_L_INT_MASK << shift)) {
454 LOG_ERROR("Smart write on block %u failed", block);
455 return ERROR_FAIL;
456 }
457
458 if ((int_stat & (QN908X_FMC_INT_STAT_ERASE_FAIL_L_INT_MASK << shift))
459 || (int_stat & (QN908X_FMC_INT_STAT_ERASE_FAIL_H_INT_MASK << shift))) {
460 LOG_ERROR("Smart erase on block %u failed", block);
461 return ERROR_FAIL;
462 }
463 }
464
465 return ERROR_OK;
466 }
467
468 static int qn908x_wait_for_idle(struct target *target, int64_t timeout_ms)
469 {
470 int64_t ms_start = timeval_ms();
471
472 int busy = ERROR_FLASH_BUSY;
473 while (busy != ERROR_OK) {
474 busy = qn908x_busy_check(target);
475 if (busy != ERROR_OK && busy != ERROR_FLASH_BUSY)
476 return busy;
477 if (timeval_ms() - ms_start > timeout_ms) {
478 LOG_ERROR("Timeout waiting to be idle.");
479 return ERROR_TIMEOUT_REACHED;
480 }
481 }
482 return ERROR_OK;
483 }
484
485 /* Set up the chip to perform an erase (page or block) operation. */
486 static int qn908x_setup_erase(struct target *target)
487 {
488 int retval;
489 if (target->state != TARGET_HALTED) {
490 LOG_ERROR("Target not halted");
491 return ERROR_TARGET_NOT_HALTED;
492 }
493
494 /* Enable 8MHz clock. */
495 retval = qn908x_update_reg(target, QN908X_SYSCON_CLK_EN,
496 QN908X_SYSCON_CLK_EN_CLK_DP_EN_MASK,
497 QN908X_SYSCON_CLK_EN_CLK_DP_EN_MASK);
498 if (retval != ERROR_OK)
499 return retval;
500
501 /* Set ERASE_TIME to 2ms for smart erase. */
502 retval = qn908x_update_reg(target, QN908X_FMC_ERASE_TIME,
503 (1u << 20) - 1,
504 2000 * 8); /* 2000 uS * 8 MHz = x cycles */
505 if (retval != ERROR_OK)
506 return retval;
507
508 /* Set up smart erase. SWD can only perform smart erase. */
509 uint32_t ctrl_val = QN908X_FMC_SMART_CTRL_SMART_ERASEH_EN_MASK
510 | QN908X_FMC_SMART_CTRL_SMART_ERASEL_EN_MASK
511 | QN908X_FMC_SMART_CTRL_MAX_ERASE(QN908X_FMC_SMART_CTRL_MAX_ERASE_RETRIES)
512 | QN908X_FMC_SMART_CTRL_MAX_WRITE(QN908X_FMC_SMART_CTRL_MAX_WRITE_RETRIES);
513 retval = target_write_u32(target, QN908X_FMC_SMART_CTRL, ctrl_val);
514 if (retval != ERROR_OK)
515 return retval;
516
517 retval = qn908x_wait_for_idle(target, QN908X_DEFAULT_TIMEOUT_MS);
518 if (retval != ERROR_OK)
519 return retval;
520
521 return ERROR_OK;
522 }
523
524 static int qn908x_erase(struct flash_bank *bank, unsigned int first,
525 unsigned int last)
526 {
527 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
528 int retval = ERROR_OK;
529
530 if (!qn908x_info->num_blocks) {
531 if (qn908x_probe(bank) != ERROR_OK)
532 return ERROR_FLASH_BANK_NOT_PROBED;
533 }
534
535 retval = qn908x_setup_erase(bank->target);
536 if (retval != ERROR_OK)
537 return retval;
538
539 for (unsigned int i = first; i <= last; i++) {
540 if (i >= bank->num_sectors)
541 return ERROR_FLASH_SECTOR_INVALID;
542 uint32_t block_idx = i / QN908X_FLASH_PAGES_PER_BLOCK;
543 uint32_t page_idx = i % QN908X_FLASH_PAGES_PER_BLOCK;
544 if (block_idx >= qn908x_info->num_blocks)
545 return ERROR_FLASH_SECTOR_INVALID;
546
547 LOG_DEBUG("Erasing page %" PRIu32 " of block %" PRIu32,
548 page_idx, block_idx);
549
550 /* Depending on the block the page we are erasing is located we
551 * need to use a different set of bits in the registers. */
552 uint32_t ctrl_page_idx_shift = block_idx ?
553 QN908X_FMC_ERASE_CTRL_PAGE_IDXH_SHIFT :
554 QN908X_FMC_ERASE_CTRL_PAGE_IDXL_SHIFT;
555 uint32_t ctrl_erase_en_shift = block_idx ?
556 QN908X_FMC_ERASE_CTRL_PAGE_ERASEH_EN_SHIFT :
557 QN908X_FMC_ERASE_CTRL_PAGE_ERASEL_EN_SHIFT;
558
559 retval = target_write_u32(bank->target, QN908X_FMC_ERASE_CTRL,
560 BIT(ctrl_erase_en_shift) | (page_idx << ctrl_page_idx_shift));
561 if (retval != ERROR_OK)
562 return retval;
563
564 retval = qn908x_wait_for_idle(bank->target, QN908X_DEFAULT_TIMEOUT_MS);
565 if (retval != ERROR_OK)
566 return retval;
567
568 retval = qn908x_status_check(bank->target);
569 if (retval != ERROR_OK)
570 return retval;
571 }
572
573 return retval;
574 }
575
576 static int qn908x_protect(struct flash_bank *bank, int set, unsigned int first,
577 unsigned int last)
578 {
579 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
580
581 if (bank->target->state != TARGET_HALTED) {
582 LOG_ERROR("Target not halted");
583 return ERROR_TARGET_NOT_HALTED;
584 }
585
586 if (!qn908x_info->page_lock_loaded) {
587 int retval = qn908x_read_page_lock(bank);
588 if (retval != ERROR_OK)
589 return retval;
590 }
591
592 /* Use [first, last) interval open on the right side from now on. */
593 last++;
594 /* We use sectors as prot_blocks. */
595 bool needs_update = false;
596 for (unsigned int i = first; i < last; i++) {
597 if (set != (((qn908x_info->page_lock.bits[i / 8] >> (i % 8)) & 1) ^ 1))
598 needs_update = true;
599 }
600
601 /* Check that flash protection still allows SWD access to flash and RAM,
602 * otherwise we won't be able to re-flash this chip from SWD unless we do a
603 * mass erase. */
604 if (qn908x_info->page_lock.protection & QN908X_FMC_LOCK_STAT_8_PROTECT_ANY) {
605 LOG_WARNING("SWD flash/RAM access disabled in the Flash lock and "
606 "protect descriptor. You might need to issue a mass_erase to "
607 "regain SWD access to this chip after reboot.");
608 }
609
610 if (!needs_update)
611 return ERROR_OK;
612
613 int last_page = qn908x_info->num_blocks * QN908X_FLASH_PAGES_PER_BLOCK - 1;
614 int retval;
615
616 if (qn908x_info->page_lock.bits[sizeof(qn908x_info->page_lock.bits) - 1] & 0x80) {
617 /* A bit 1 in the MSB in the page_lock.bits array means that the last
618 * page is unlocked, so we can just erase it. */
619 retval = qn908x_erase(bank, last_page, last_page);
620 if (retval != ERROR_OK)
621 return retval;
622 } else {
623 /* TODO: The last page is locked and we can't erase unless we use the
624 * ERASE_PASSWORD from code running on the device. For this we need to
625 * copy a little program to RAM and execute the erase command from
626 * there since there's no way to override the page protection from
627 * SWD. */
628 LOG_ERROR("Unprotecting the last page is not supported. Issue a "
629 "\"qn908x mass_erase\" command to erase the whole flash, "
630 "including the last page and its protection.");
631 return ERROR_FAIL;
632 }
633
634 for (unsigned int i = first / 8; i < (last + 7) / 8; i++) {
635 /* first_mask contains a bit set if the bit corresponds to a block id
636 * that is larger or equal than first. This is basically 0xff in all
637 * cases except potentially the first iteration. */
638 uint8_t first_mask = (first <= i * 8)
639 ? 0xff : 0xff ^ ((1u << (first - i * 8)) - 1);
640 /* Similar to first_mask, this contains a bit set if the corresponding
641 * is smaller than last. */
642 uint8_t last_mask = (i * 8 + 8 <= last)
643 ? 0xff : ((1u << (last - i * 8)) - 1);
644
645 uint8_t mask = first_mask & last_mask;
646 LOG_DEBUG("protect set=%d bits[%d] with mask=0x%02x", set, i, mask);
647 /* To "set" the protection bit means to clear the bit in the page_lock
648 * bit array. */
649 if (set)
650 qn908x_info->page_lock.bits[i] &= ~mask;
651 else
652 qn908x_info->page_lock.bits[i] |= mask;
653 }
654
655 retval = qn908x_write(bank, (void *)(&qn908x_info->page_lock),
656 last_page * QN908X_FLASH_PAGE_SIZE, sizeof(qn908x_info->page_lock));
657 if (retval != ERROR_OK)
658 return retval;
659
660 /* Reload the lock_stat to make the changes effective. */
661 retval = qn908x_load_lock_stat(bank->target);
662 if (retval != ERROR_OK)
663 return retval;
664
665 for (unsigned int i = first; i < last; i++)
666 bank->sectors[i].is_protected = set;
667
668 return ERROR_OK;
669 }
670
671 static int qn908x_write(struct flash_bank *bank, const uint8_t *buffer,
672 uint32_t offset, uint32_t count)
673 {
674 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
675 int retval = ERROR_OK;
676
677 if (bank->target->state != TARGET_HALTED) {
678 LOG_ERROR("Target not halted");
679 return ERROR_TARGET_NOT_HALTED;
680 }
681
682 /* The flash infrastructure was requested to align writes to 32 bit */
683 assert(((offset % 4) == 0) && ((count % 4) == 0));
684
685 /* Compute the calc_checksum even if it wasn't requested. */
686 uint32_t checksum = 0;
687 if (offset == 0 && count >= 0x20) {
688 for (int i = 0; i < 7; i++)
689 checksum += buf_get_u32(buffer + (i * 4), 0, 32);
690 checksum = 0 - checksum;
691 LOG_DEBUG("computed image checksum: 0x%8.8" PRIx32, checksum);
692 uint32_t stored_checksum = buf_get_u32(buffer + 7 * 4, 0, 32);
693 if (checksum != stored_checksum) {
694 LOG_WARNING("Image vector table checksum mismatch: expected 0x%08"
695 PRIx32 " but found 0x%08" PRIx32,
696 checksum, stored_checksum);
697 if (!qn908x_info->calc_checksum)
698 LOG_WARNING("This device will not boot, use calc_checksum in "
699 "the flash bank.");
700 else
701 LOG_WARNING("Updating checksum, verification will fail.");
702 }
703 }
704
705 /* Check the Code Read Protection (CRP) word for invalid values or not
706 * allowed ones. */
707 if (offset <= 0x20 && offset + count >= 0x24) {
708 uint32_t crp = buf_get_u32(buffer + 0x20 - offset, 0, 32);
709 /* 2-bit fields at bits 10, 12, 14, 16 and 18 must not be 00 or 11. */
710 for (int i = 10; i <= 18; i += 2) {
711 uint32_t field = (crp >> i) & 3;
712 if (field == 0 || field == 3) {
713 LOG_DEBUG("Code Read Protection = 0x%08" PRIx32, crp);
714 LOG_ERROR("The Code Read Protection (CRP) field at bit %d is "
715 "invalid (%" PRIu32 "). An invalid value could make "
716 "the flash inaccessible.", i, field);
717 return ERROR_FAIL;
718 }
719 }
720
721 uint32_t swd_allowed = (crp >> 18) & 3;
722 if (swd_allowed != 2) {
723 LOG_WARNING("The Code Read Protection (CRP) in this image "
724 "(0x%08" PRIx32 ") is disabling the SWD access, which is "
725 "currently used by OpenOCD to flash this device. After "
726 "reboot, this device will not be accessible to OpenOCD "
727 "anymore.", crp);
728 if (!qn908x_info->allow_swd_disabled) {
729 LOG_ERROR("Disabling SWD is not allowed, run "
730 "\"qn908x allow_brick\" before if you really want to "
731 "disable SWD. You won't be able to access this chip "
732 "anymore from OpenOCD.");
733 return ERROR_FAIL;
734 }
735 }
736 }
737
738 retval = qn908x_wait_for_idle(bank->target, QN908X_DEFAULT_TIMEOUT_MS);
739 if (retval != ERROR_OK)
740 return retval;
741
742 uint32_t smart_ctrl = QN908X_FMC_SMART_CTRL_SMART_WRITEL_EN_MASK
743 | QN908X_FMC_SMART_CTRL_PRGML_EN_MASK
744 | QN908X_FMC_SMART_CTRL_MAX_WRITE(QN908X_FMC_SMART_CTRL_MAX_WRITE_RETRIES);
745 if (qn908x_info->num_blocks > 1) {
746 smart_ctrl |= QN908X_FMC_SMART_CTRL_SMART_WRITEH_EN_MASK
747 | QN908X_FMC_SMART_CTRL_PRGMH_EN_MASK;
748 }
749 retval = target_write_u32(bank->target, QN908X_FMC_SMART_CTRL, smart_ctrl);
750 if (retval != ERROR_OK)
751 return retval;
752
753 /* Write data page-wise, as suggested in the examples in section
754 * 28.5.2 "Flash write" of user manual UM11023 in revision 1.1
755 * (February 2018). */
756 while (count > 0) {
757 uint32_t next_offset = (offset & ~(QN908X_FLASH_PAGE_SIZE - 1)) + QN908X_FLASH_PAGE_SIZE;
758 uint32_t chunk_len = next_offset - offset;
759 if (chunk_len > count)
760 chunk_len = count;
761
762 if (offset == 0
763 && chunk_len >= QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END
764 && qn908x_info->calc_checksum) {
765 /* write data prior to checksum */
766 retval = target_write_buffer(bank->target, bank->base,
767 QN908X_FLASH_IRQ_VECTOR_CHECKSUM_POS, buffer);
768 if (retval != ERROR_OK)
769 return retval;
770
771 /* write computed crc checksum instead of provided data */
772 retval = target_write_u32(bank->target, bank->base + QN908X_FLASH_IRQ_VECTOR_CHECKSUM_POS, checksum);
773 if (retval != ERROR_OK)
774 return retval;
775
776 retval = target_write_buffer(bank->target,
777 bank->base + QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END,
778 chunk_len - QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END,
779 buffer + QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END);
780 } else {
781 retval = target_write_buffer(bank->target, bank->base + offset,
782 chunk_len, buffer);
783 }
784
785 if (retval != ERROR_OK)
786 return retval;
787
788 keep_alive();
789 buffer += chunk_len;
790 count -= chunk_len;
791 offset = next_offset;
792
793 /* Wait for FMC to complete write */
794 retval = qn908x_wait_for_idle(bank->target, QN908X_DEFAULT_TIMEOUT_MS);
795 if (retval != ERROR_OK)
796 return retval;
797
798 /* Check if FMC reported any errors */
799 retval = qn908x_status_check(bank->target);
800 if (retval != ERROR_OK)
801 return retval;
802 }
803
804 return retval;
805 }
806
807 static int is_flash_protected(struct flash_bank *bank, bool *is_protected)
808 {
809 int retval;
810 uint32_t lock_stat;
811 retval = target_read_u32(bank->target, QN908X_FMC_LOCK_STAT_8, &lock_stat);
812 if (retval)
813 return retval;
814
815 *is_protected = false;
816 if (lock_stat & QN908X_FMC_LOCK_STAT_8_PROTECT_ANY)
817 *is_protected = true;
818
819 return ERROR_OK;
820 }
821
822 static int qn908x_probe(struct flash_bank *bank)
823 {
824 int retval;
825 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
826 uint8_t info_page[QN908X_INFO_PAGE_CRC_END - QN908X_INFO_PAGE_CRC_START];
827 qn908x_info->num_blocks = 0;
828
829 /* When the SWD access to the RAM is locked by the LOCK_STAT_8 register we
830 * can't access the info page to verify the chip/bank version and it will
831 * read all zeros. This situation prevents the bank from being initialized
832 * at all so no other operation can be performed. The only option to
833 * re-flash the chip is to perform a mass_erase from SWD, which can be
834 * performed even if the mass_erase operation is locked as well.
835 * We attempt to read the info page and redirect the user to perform a
836 * mass_erase if we detect this situation. */
837 retval = target_read_memory(bank->target, QN908X_INFO_PAGE_CRC_START,
838 sizeof(uint32_t), sizeof(info_page) / sizeof(uint32_t),
839 info_page);
840 if (retval != ERROR_OK)
841 return retval;
842
843 const uint32_t crc_seed = 0xffffffff;
844 /* The QN908x uses the standard little endian CRC32 polynomial and all ones
845 * as seed. The CRC32 is however finalized by one last xor operation that
846 * is not part of the common CRC32 implementation, so we do that by hand */
847 uint32_t computed_crc = crc32_le(CRC32_POLY_LE, crc_seed,
848 info_page, sizeof(info_page));
849 computed_crc ^= crc_seed;
850 uint32_t read_crc;
851 retval = target_read_u32(bank->target, QN908X_INFO_PAGE_CRC32, &read_crc);
852 if (retval != ERROR_OK)
853 return retval;
854
855 if (computed_crc != read_crc) {
856 uint32_t info_page_or = 0;
857 for (unsigned int i = 0; i < sizeof(info_page); i++)
858 info_page_or |= info_page[i];
859 bool is_protected;
860 retval = is_flash_protected(bank, &is_protected);
861 if (retval != ERROR_OK)
862 return retval;
863
864 if (info_page_or == 0 && is_protected) {
865 LOG_ERROR("The flash or memory in this chip is protected and "
866 "cannot be accessed from the SWD interface. However, a "
867 "\"qn908x mass_erase\" can erase the device and lift this "
868 "protection.");
869 return ERROR_FAIL;
870 }
871
872 LOG_ERROR("Flash information page CRC32 mismatch, found 0x%08"
873 PRIx32 " but computed 0x%08" PRIx32 ". Flash size unknown",
874 read_crc, computed_crc);
875 return ERROR_FAIL;
876 }
877
878 uint32_t flash_size_fld = target_buffer_get_u32(bank->target,
879 info_page + (QN908X_INFO_PAGE_FLASH_SIZE - QN908X_INFO_PAGE_CRC_START));
880
881 switch (flash_size_fld) {
882 case QN908X_FLASH_SIZE_512K:
883 qn908x_info->num_blocks = 2;
884 break;
885 case QN908X_FLASH_SIZE_256K:
886 qn908x_info->num_blocks = 1;
887 break;
888 default:
889 LOG_ERROR("Unknown Flash size field: 0x%08" PRIx32,
890 flash_size_fld);
891 return ERROR_FAIL;
892 }
893
894 bank->size = qn908x_info->num_blocks * QN908X_FLASH_BLOCK_SIZE;
895 bank->write_start_alignment = 4;
896 bank->write_end_alignment = 4;
897
898 /* The flash supports erasing and protecting individual pages. */
899 bank->num_sectors = qn908x_info->num_blocks *
900 QN908X_FLASH_PAGES_PER_BLOCK;
901 bank->sectors = alloc_block_array(0, QN908X_FLASH_PAGE_SIZE,
902 bank->num_sectors);
903 if (!bank->sectors)
904 return ERROR_FAIL;
905
906 retval = qn908x_init_flash(bank->target);
907 if (retval != ERROR_OK)
908 return retval;
909
910 LOG_INFO("Detected flash size: %d KiB", bank->size / 1024);
911
912 return ERROR_OK;
913 }
914
915 static int qn908x_auto_probe(struct flash_bank *bank)
916 {
917 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
918 if (qn908x_info->num_blocks != 0)
919 return ERROR_OK;
920 LOG_DEBUG("auto_probe");
921 return qn908x_probe(bank);
922 }
923
924 static int qn908x_protect_check(struct flash_bank *bank)
925 {
926 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
927
928 int retval = qn908x_read_page_lock(bank);
929 if (retval != ERROR_OK)
930 return retval;
931
932 for (uint32_t i = 0;
933 i < qn908x_info->num_blocks * QN908X_FLASH_PAGES_PER_BLOCK;
934 i++) {
935 /* A bit 0 in page_lock means page is locked. */
936 bank->sectors[i].is_protected =
937 ((qn908x_info->page_lock.bits[i / 8] >> (i % 8)) & 1) ^ 1;
938 }
939 return ERROR_OK;
940 }
941
942 static int qn908x_get_info(struct flash_bank *bank,
943 struct command_invocation *cmd)
944 {
945 uint32_t bootloader_version;
946 uint32_t chip_id;
947 uint8_t bluetooth[6];
948 int retval;
949 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
950
951 retval = target_read_u32(bank->target, QN908X_SYSCON_CHIP_ID, &chip_id);
952 if (retval != ERROR_OK) {
953 command_print_sameline(cmd, "Cannot read QN908x chip ID.");
954 return retval;
955 }
956 retval = target_read_u32(bank->target, QN908X_INFO_PAGE_BOOTLOADER_VER,
957 &bootloader_version);
958 if (retval != ERROR_OK) {
959 command_print_sameline(cmd, "Cannot read from QN908x info page.");
960 return retval;
961 }
962
963 retval = target_read_memory(bank->target, QN908X_INFO_PAGE_BLUETOOTH_ADDR,
964 1, sizeof(bluetooth), bluetooth);
965 if (retval != ERROR_OK) {
966 command_print_sameline(cmd, "Cannot read QN908x bluetooth L2 address.");
967 return retval;
968 }
969
970 command_print_sameline(cmd, "qn908x: chip id: 0x%" PRIx32, chip_id);
971
972 command_print_sameline(cmd, " bdaddr: "
973 "%02" PRIx8 ":%02" PRIx8 ":%02" PRIx8
974 ":%02" PRIx8 ":%02" PRIx8 ":%02" PRIx8,
975 bluetooth[0], bluetooth[1], bluetooth[2],
976 bluetooth[3], bluetooth[4], bluetooth[5]);
977
978 command_print_sameline(cmd, " bootloader: %08" PRIx32, bootloader_version);
979
980 command_print_sameline(cmd, " blocks: %" PRIu32, qn908x_info->num_blocks);
981
982 return ERROR_OK;
983 }
984
985 COMMAND_HANDLER(qn908x_handle_allow_brick_command)
986 {
987 int retval;
988
989 struct target *target = get_current_target(CMD_CTX);
990 struct flash_bank *bank = NULL;
991
992 if (CMD_ARGC != 0)
993 return ERROR_COMMAND_SYNTAX_ERROR;
994
995 retval = get_flash_bank_by_addr(target, QN908X_FLASH_BASE, true, &bank);
996 if (retval != ERROR_OK)
997 return retval;
998
999 /* If get_flash_bank_by_addr() did not find the flash bank, it should have
1000 * returned and error code instead of ERROR_OK */
1001 assert(bank);
1002 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
1003
1004 LOG_WARNING("Flashing images that disable SWD in qn908x is now allowed.");
1005 qn908x_info->allow_swd_disabled = true;
1006
1007 return ERROR_OK;
1008 }
1009
1010 COMMAND_HANDLER(qn908x_handle_disable_wdog_command)
1011 {
1012 int retval;
1013 struct target *target = get_current_target(CMD_CTX);
1014
1015 if (CMD_ARGC != 0)
1016 return ERROR_COMMAND_SYNTAX_ERROR;
1017
1018 if (target->state != TARGET_HALTED) {
1019 command_print(CMD, "Target not halted");
1020 return ERROR_TARGET_NOT_HALTED;
1021 }
1022
1023 /* To change any value in the watchdog block (WDT) we need to first write
1024 * 0x1ACCE551 to the LOCK register, and we can then set it back to any other
1025 * value to prevent accidental changes to the watchdog. */
1026 retval = target_write_u32(target, QN908X_WDT_LOCK, 0x1ACCE551);
1027 if (retval != ERROR_OK)
1028 return retval;
1029
1030 retval = target_write_u32(target, QN908X_WDT_CTRL, 0);
1031 if (retval != ERROR_OK)
1032 return retval;
1033
1034 return target_write_u32(target, QN908X_WDT_LOCK, 0);
1035 }
1036
1037 COMMAND_HANDLER(qn908x_handle_mass_erase_command)
1038 {
1039 int retval;
1040 bool keep_lock = false;
1041 if (CMD_ARGC > 1)
1042 return ERROR_COMMAND_SYNTAX_ERROR;
1043 if (CMD_ARGC == 1) {
1044 if (strcmp("keep_lock", CMD_ARGV[0]))
1045 return ERROR_COMMAND_ARGUMENT_INVALID;
1046 keep_lock = true;
1047 }
1048
1049 /* This operation can be performed without probing the bank since it is the
1050 * only way to unlock a chip when the flash and ram have been locked. */
1051 struct target *target = get_current_target(CMD_CTX);
1052
1053 retval = qn908x_setup_erase(target);
1054 if (retval != ERROR_OK)
1055 return retval;
1056
1057 /* Check the mass-erase locking status for information purposes only. This
1058 * lock applies to both the SWD and the code running in the core but can be
1059 * bypassed in either case. */
1060 uint32_t lock_stat_8;
1061 retval = target_read_u32(target, QN908X_FMC_LOCK_STAT_8, &lock_stat_8);
1062 LOG_DEBUG("LOCK_STAT_8 before erasing: 0x%" PRIx32, lock_stat_8);
1063 if (retval != ERROR_OK)
1064 return retval;
1065 if ((lock_stat_8 & QN908X_FMC_LOCK_STAT_8_MASS_ERASE_LOCK_EN) == 0) {
1066 LOG_INFO("mass_erase disabled by Flash lock and protection, forcing "
1067 "mass_erase.");
1068 }
1069 /* Set the DEBUG_PASSWORD so we can force the mass erase from the SWD. We do
1070 * this regardless of the lock status. */
1071 retval = target_write_u32(target, QN908X_FMC_DEBUG_PASSWORD, 0xCA1E093F);
1072 if (retval != ERROR_OK)
1073 return retval;
1074
1075 /* Erase both halves of the flash at the same time. These are actually done
1076 * sequentially but we need to send the command to erase both blocks since
1077 * doing so in a locked flash will change the LOCK_STAT_8 register to 0x01,
1078 * allowing us to access the (now erase) flash an memory. Erasing only one
1079 * block at a time does not reset the LOCK_STAT_8 register and therefore
1080 * will not grant access to program the chip. */
1081 uint32_t erase_cmd = (1u << QN908X_FMC_ERASE_CTRL_HALF_ERASEH_EN_SHIFT) |
1082 (1u << QN908X_FMC_ERASE_CTRL_HALF_ERASEL_EN_SHIFT);
1083 LOG_DEBUG("Erasing both blocks with command 0x%" PRIx32, erase_cmd);
1084
1085 retval = target_write_u32(target, QN908X_FMC_ERASE_CTRL, erase_cmd);
1086 if (retval != ERROR_OK)
1087 return retval;
1088
1089 retval = qn908x_wait_for_idle(target, QN908X_DEFAULT_TIMEOUT_MS);
1090 if (retval != ERROR_OK)
1091 return retval;
1092
1093 retval = qn908x_status_check(target);
1094 if (retval != ERROR_OK)
1095 return retval;
1096
1097 /* Set the debug password back to 0 to avoid accidental mass_erase. */
1098 retval = target_write_u32(target, QN908X_FMC_DEBUG_PASSWORD, 0);
1099 if (retval != ERROR_OK)
1100 return retval;
1101
1102 /* At this point the flash is erased and we are able to write to the flash
1103 * since the LOCK_STAT_8 gets updated to 0x01 after the mass_erase. However,
1104 * after a hard reboot this value will be realoaded from flash which after
1105 * an erase is 0xff. This means that after flashing an image that doesn't
1106 * set the protection bits we end up with a chip that we can't debug. We
1107 * update this value to 0x01 unless "keep_lock" is passed to allow the SWD
1108 * interface to debug the flash and RAM after a hard reset. */
1109 if (keep_lock)
1110 return retval;
1111
1112 retval = qn908x_init_flash(target);
1113 if (retval != ERROR_OK)
1114 return retval;
1115
1116 /* Unlock access to RAM and FLASH in the last page of the flash and
1117 * reloading */
1118 retval = qn908x_wait_for_idle(target, QN908X_DEFAULT_TIMEOUT_MS);
1119 if (retval != ERROR_OK)
1120 return retval;
1121
1122 uint32_t smart_ctrl = QN908X_FMC_SMART_CTRL_SMART_WRITEH_EN_MASK |
1123 QN908X_FMC_SMART_CTRL_PRGMH_EN_MASK;
1124 retval = target_write_u32(target, QN908X_FMC_SMART_CTRL, smart_ctrl);
1125 if (retval != ERROR_OK)
1126 return retval;
1127
1128 retval = target_write_u32(target, QN908X_FLASH_LOCK_ADDR,
1129 QN908X_FLASH_LOCK_ENABLE_MASS_ERASE);
1130 if (retval != ERROR_OK)
1131 return retval;
1132
1133 retval = qn908x_wait_for_idle(target, QN908X_DEFAULT_TIMEOUT_MS);
1134 if (retval != ERROR_OK)
1135 return retval;
1136
1137 /* Force a page_lock reload after the mass_erase . */
1138 retval = qn908x_load_lock_stat(target);
1139 if (retval != ERROR_OK)
1140 return retval;
1141
1142 return retval;
1143 }
1144
1145 static const struct command_registration qn908x_exec_command_handlers[] = {
1146 {
1147 .name = "allow_brick",
1148 .handler = qn908x_handle_allow_brick_command,
1149 .mode = COMMAND_EXEC,
1150 .help = "Allow writing images that disable SWD access in their "
1151 "Code Read Protection (CRP) word. Warning: This can make your "
1152 "chip inaccessible from OpenOCD or any other SWD debugger.",
1153 .usage = "",
1154 },
1155 {
1156 .name = "disable_wdog",
1157 .handler = qn908x_handle_disable_wdog_command,
1158 .mode = COMMAND_EXEC,
1159 .help = "Disabled the watchdog (WDT).",
1160 .usage = "",
1161 },
1162 {
1163 .name = "mass_erase",
1164 .handler = qn908x_handle_mass_erase_command,
1165 .mode = COMMAND_EXEC,
1166 .help = "Erase the whole flash chip.",
1167 .usage = "[keep_lock]",
1168 },
1169 COMMAND_REGISTRATION_DONE
1170 };
1171
1172 static const struct command_registration qn908x_command_handlers[] = {
1173 {
1174 .name = "qn908x",
1175 .mode = COMMAND_ANY,
1176 .help = "qn908x flash controller commands",
1177 .usage = "",
1178 .chain = qn908x_exec_command_handlers,
1179 },
1180 COMMAND_REGISTRATION_DONE
1181 };
1182
1183 const struct flash_driver qn908x_flash = {
1184 .name = "qn908x",
1185 .commands = qn908x_command_handlers,
1186 .flash_bank_command = qn908x_flash_bank_command,
1187 .info = qn908x_get_info,
1188 .erase = qn908x_erase,
1189 .protect = qn908x_protect,
1190 .write = qn908x_write,
1191 .read = default_flash_read,
1192 .probe = qn908x_probe,
1193 .auto_probe = qn908x_auto_probe,
1194 .erase_check = default_flash_blank_check,
1195 .protect_check = qn908x_protect_check,
1196 .free_driver_priv = default_flash_free_driver_priv,
1197 };
Open On-Chip Debugger

Linking to existing account procedure

If you already have an account and want to add another login method you MUST first sign in with your existing account and then change URL to read https://review.openocd.org/login/?link to get to this page again but this time it'll work for linking. Thank you.

SSH host keys fingerprints

1024 SHA256:YKx8b7u5ZWdcbp7/4AeXNaqElP49m6QrwfXaqQGJAOk gerrit-code-review@openocd.zylin.com (DSA)
384 SHA256:jHIbSQa4REvwCFG4cq5LBlBLxmxSqelQPem/EXIrxjk gerrit-code-review@openocd.org (ECDSA)
521 SHA256:UAOPYkU9Fjtcao0Ul/Rrlnj/OsQvt+pgdYSZ4jOYdgs gerrit-code-review@openocd.org (ECDSA)
256 SHA256:A13M5QlnozFOvTllybRZH6vm7iSt0XLxbA48yfc2yfY gerrit-code-review@openocd.org (ECDSA)
256 SHA256:spYMBqEYoAOtK7yZBrcwE8ZpYt6b68Cfh9yEVetvbXg gerrit-code-review@openocd.org (ED25519)
+--[ED25519 256]--+
|=..              |
|+o..   .         |
|*.o   . .        |
|+B . . .         |
|Bo. = o S        |
|Oo.+ + =         |
|oB=.* = . o      |
| =+=.+   + E     |
|. .=o   . o      |
+----[SHA256]-----+
2048 SHA256:0Onrb7/PHjpo6iVZ7xQX2riKN83FJ3KGU0TvI0TaFG4 gerrit-code-review@openocd.zylin.com (RSA)