1 /***************************************************************************
2 * Copyright (C) 2005 by Dominic Rath *
3 * Dominic.Rath@gmx.de *
5 * Copyright (C) 2007-2010 Øyvind Harboe *
6 * oyvind.harboe@zylin.com *
8 * Copyright (C) 2008 by Spencer Oliver *
9 * spen@spen-soft.co.uk *
11 * This program is free software; you can redistribute it and/or modify *
12 * it under the terms of the GNU General Public License as published by *
13 * the Free Software Foundation; either version 2 of the License, or *
14 * (at your option) any later version. *
16 * This program is distributed in the hope that it will be useful, *
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
19 * GNU General Public License for more details. *
21 * You should have received a copy of the GNU General Public License *
22 * along with this program; if not, write to the *
23 * Free Software Foundation, Inc., *
24 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. *
25 ***************************************************************************/
31 #include "embeddedice.h"
37 * This provides lowlevel glue to the EmbeddedICE (or EmbeddedICE-RT)
38 * module found on scan chain 2 in ARM7, ARM9, and some other families
39 * of ARM cores. The module is called "EmbeddedICE-RT" if it has
40 * monitor mode support.
42 * EmbeddedICE provides basic watchpoint/breakpoint hardware and a Debug
43 * Communications Channel (DCC) used to read or write 32-bit words to
44 * OpenOCD-aware code running on the target CPU.
45 * Newer modules also include vector catch hardware. Some versions
46 * support hardware single-stepping, "monitor mode" debug (which is not
47 * currently supported by OpenOCD), or extended reporting on why the
48 * core entered debug mode.
51 static int embeddedice_set_reg_w_exec(struct reg
*reg
, uint8_t *buf
);
54 * From: ARM9E-S TRM, DDI 0165, table C-4 (and similar, for other cores)
64 /* width is assigned based on EICE version */
67 .name
= "debug_status",
69 /* width is assigned based on EICE version */
81 [EICE_W0_ADDR_VALUE
] = {
82 .name
= "watch_0_addr_value",
86 [EICE_W0_ADDR_MASK
] = {
87 .name
= "watch_0_addr_mask",
91 [EICE_W0_DATA_VALUE
] = {
92 .name
= "watch_0_data_value",
96 [EICE_W0_DATA_MASK
] = {
97 .name
= "watch_0_data_mask",
101 [EICE_W0_CONTROL_VALUE
] = {
102 .name
= "watch_0_control_value",
106 [EICE_W0_CONTROL_MASK
] = {
107 .name
= "watch_0_control_mask",
111 [EICE_W1_ADDR_VALUE
] = {
112 .name
= "watch_1_addr_value",
116 [EICE_W1_ADDR_MASK
] = {
117 .name
= "watch_1_addr_mask",
121 [EICE_W1_DATA_VALUE
] = {
122 .name
= "watch_1_data_value",
126 [EICE_W1_DATA_MASK
] = {
127 .name
= "watch_1_data_mask",
131 [EICE_W1_CONTROL_VALUE
] = {
132 .name
= "watch_1_control_value",
136 [EICE_W1_CONTROL_MASK
] = {
137 .name
= "watch_1_control_mask",
141 /* vector_catch isn't always present */
143 .name
= "vector_catch",
/**
 * Read one EmbeddedICE register synchronously: queue the read with
 * embeddedice_read_reg(), then run the JTAG queue so the cached value
 * is filled in before returning.
 *
 * @param reg register cache entry to refresh
 * @return ERROR_OK on success; otherwise the error code from queueing
 *         the read or from jtag_execute_queue() (each failure is logged)
 */
static int embeddedice_get_reg(struct reg *reg)
{
	int status = embeddedice_read_reg(reg);

	if (status == ERROR_OK) {
		/* the read is only queued so far; flush it to the target */
		status = jtag_execute_queue();
		if (status != ERROR_OK)
			LOG_ERROR("EmbeddedICE register read failed");
	} else {
		LOG_ERROR("error queueing EmbeddedICE register read");
	}

	return status;
}
/* Accessor table installed on every EmbeddedICE register cache entry
 * (embeddedice_build_reg_cache() points reg_list[i].type at it).
 * Both accessors execute the JTAG queue before returning. */
static const struct reg_arch_type eice_reg_type = {
	.get = embeddedice_get_reg,
	.set = embeddedice_set_reg_w_exec,
};
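170 * Probe EmbeddedICE module and set up local records of its registers.
171 * Different versions of the modules have different capabilities, such as
172 * hardware support for vector_catch, single stepping, and monitor mode.
 * NOTE(review): in this listing the malloc()/calloc() results (reg_cache,
 * reg_list, arch_info) are written through with no visible NULL check, so a
 * failed allocation would be a NULL dereference in the debugger host process;
 * confirm against the complete file.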
174 struct reg_cache
*embeddedice_build_reg_cache(struct target
*target
,
175 struct arm7_9_common
*arm7_9
)
178 struct reg_cache
*reg_cache
= malloc(sizeof(struct reg_cache
));
179 struct reg
*reg_list
= NULL
;
180 struct embeddedice_reg
*arch_info
= NULL
;
181 struct arm_jtag
*jtag_info
= &arm7_9
->jtag_info
;
182 int num_regs
= ARRAY_SIZE(eice_regs
);
184 int eice_version
= 0;
186 /* vector_catch isn't always present */
187 if (!arm7_9
->has_vector_catch
)
190 /* the actual registers are kept in two arrays */
191 reg_list
= calloc(num_regs
, sizeof(struct reg
));
192 arch_info
= calloc(num_regs
, sizeof(struct embeddedice_reg
));
194 /* fill in values for the reg cache */
195 reg_cache
->name
= "EmbeddedICE registers";
196 reg_cache
->next
= NULL
;
197 reg_cache
->reg_list
= reg_list
;
198 reg_cache
->num_regs
= num_regs
;
200 /* FIXME the second watchpoint unit on Feroceon and Dragonite
201 * seems not to work ... we should have a way to not set up
202 * its four registers here!
205 /* set up registers */
206 for (i
= 0; i
< num_regs
; i
++) {
207 reg_list
[i
].name
= eice_regs
[i
].name
;
208 reg_list
[i
].size
= eice_regs
[i
].width
;
209 reg_list
[i
].dirty
= 0;
210 reg_list
[i
].valid
= 0;
211 reg_list
[i
].value
= calloc(1, 4);
212 reg_list
[i
].arch_info
= &arch_info
[i
];
213 reg_list
[i
].type
= &eice_reg_type
;
214 arch_info
[i
].addr
= eice_regs
[i
].addr
;
215 arch_info
[i
].jtag_info
= jtag_info
;
218 /* identify EmbeddedICE version by reading DCC control register */
219 embeddedice_read_reg(&reg_list
[EICE_COMMS_CTRL
]);
220 retval
= jtag_execute_queue();
221 if (retval
!= ERROR_OK
) {
222 for (i
= 0; i
< num_regs
; i
++)
223 free(reg_list
[i
].value
);
230 eice_version
= buf_get_u32(reg_list
[EICE_COMMS_CTRL
].value
, 28, 4);
231 LOG_INFO("Embedded ICE version %d", eice_version
);
233 switch (eice_version
) {
235 /* ARM7TDMI r3, ARM7TDMI-S r3
237 * REVISIT docs say ARM7TDMI-S r4 uses version 1 but
238 * that it has 6-bit CTRL and 5-bit STAT... doc bug?
239 * ARM7TDMI r4 docs say EICE v4.
241 reg_list
[EICE_DBG_CTRL
].size
= 3;
242 reg_list
[EICE_DBG_STAT
].size
= 5;
246 reg_list
[EICE_DBG_CTRL
].size
= 4;
247 reg_list
[EICE_DBG_STAT
].size
= 5;
248 arm7_9
->has_single_step
= 1;
251 LOG_ERROR("EmbeddedICE v%d handling might be broken",
253 reg_list
[EICE_DBG_CTRL
].size
= 6;
254 reg_list
[EICE_DBG_STAT
].size
= 5;
255 arm7_9
->has_single_step
= 1;
256 arm7_9
->has_monitor_mode
= 1;
260 reg_list
[EICE_DBG_CTRL
].size
= 6;
261 reg_list
[EICE_DBG_STAT
].size
= 5;
262 arm7_9
->has_monitor_mode
= 1;
266 reg_list
[EICE_DBG_CTRL
].size
= 6;
267 reg_list
[EICE_DBG_STAT
].size
= 5;
268 arm7_9
->has_single_step
= 1;
269 arm7_9
->has_monitor_mode
= 1;
272 /* ARM7EJ-S, ARM9E-S rev 2, ARM9EJ-S */
273 reg_list
[EICE_DBG_CTRL
].size
= 6;
274 reg_list
[EICE_DBG_STAT
].size
= 10;
275 /* DBG_STAT has MOE bits */
276 arm7_9
->has_monitor_mode
= 1;
279 LOG_ERROR("EmbeddedICE v%d handling might be broken",
281 reg_list
[EICE_DBG_CTRL
].size
= 6;
282 reg_list
[EICE_DBG_STAT
].size
= 5;
283 arm7_9
->has_monitor_mode
= 1;
287 * The Feroceon implementation has the version number
288 * in some unusual bits. Let feroceon.c validate it
289 * and do the appropriate setup itself.
291 if (strcmp(target_type_name(target
), "feroceon") == 0 ||
292 strcmp(target_type_name(target
), "dragonite") == 0)
294 LOG_ERROR("unknown EmbeddedICE version "
295 "(comms ctrl: 0x%8.8" PRIx32
")",
296 buf_get_u32(reg_list
[EICE_COMMS_CTRL
].value
, 0, 32));
299 /* On Feroceon and Dragonite the second unit is seemingly missing. */
300 LOG_INFO("%s: hardware has %d breakpoint/watchpoint unit%s",
301 target_name(target
), arm7_9
->wp_available_max
,
302 (arm7_9
->wp_available_max
!= 1) ? "s" : "");
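/**
 * Initialize EmbeddedICE module, if needed.
 *
 * If the core was probed as having monitor-mode support, read DBG_CTRL,
 * clear bit 4 and write it back, then execute the JTAG queue.
 *
 * @param target target whose ARM7/9 EmbeddedICE module is set up
 * @return ERROR_OK on success, otherwise the first error reported while
 *         queueing or executing the DBG_CTRL read/write
 */
int embeddedice_setup(struct target *target)
{
	int retval;
	struct arm7_9_common *arm7_9 = target_to_arm7_9(target);

	/* Explicitly disable monitor mode.  For now we only support halting
	 * debug ... we don't know how to talk with a resident debug monitor
	 * that manages break requests.  ARM's "Angel Debug Monitor" is one
	 * common example of such code.
	 */
	if (arm7_9->has_monitor_mode) {
		struct reg *dbg_ctrl = &arm7_9->eice_cache->reg_list[EICE_DBG_CTRL];

		/* A failure to queue the read must not be ignored: the
		 * read-modify-write below would otherwise operate on a stale
		 * cached DBG_CTRL value.
		 */
		retval = embeddedice_read_reg(dbg_ctrl);
		if (retval != ERROR_OK)
			return retval;
		retval = jtag_execute_queue();
		if (retval != ERROR_OK)
			return retval;

		/* bit 4 is presumably the monitor-mode enable -- confirm
		 * against the EmbeddedICE-RT documentation
		 */
		buf_set_u32(dbg_ctrl->value, 4, 1, 0);

		/* Propagate a failed write instead of reporting success while
		 * the core may still be in monitor mode.
		 */
		retval = embeddedice_set_reg_w_exec(dbg_ctrl, dbg_ctrl->value);
		if (retval != ERROR_OK)
			return retval;
	}
	return jtag_execute_queue();
}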
/**
 * Queue a read for an EmbeddedICE register into the register cache,
 * optionally checking the value read.
 * Note that at this level, all registers are 32 bits wide.
 *
 * Two DR scans are queued: the first shifts in the register address with
 * the read/write bit clear, the second captures the 32 data bits into
 * reg->value.  Nothing is executed here; the caller runs the queue.
 *
 * @param reg         cache entry to read; reg->value receives 32 bits,
 *                    so it must point at a buffer of at least 4 bytes
 *                    whatever reg->size says
 * @param check_value expected value handed to the checked scan, or NULL
 * @param check_mask  mask handed to the checked scan, or NULL
 * @return ERROR_OK once both scans are queued, or the error from
 *         selecting the scan chain / setting the INTEST instruction
 */
int embeddedice_read_reg_w_check(struct reg *reg,
		uint8_t *check_value, uint8_t *check_mask)
{
	struct embeddedice_reg *eice = reg->arch_info;
	/* only five address bits are shifted, so mask the address to 5 bits */
	uint8_t addr5 = eice->addr & 0x1f;
	struct scan_field fields[3];
	uint8_t addr_out[1];
	uint8_t rw_out[1];
	int status;

	status = arm_jtag_scann(eice->jtag_info, 0x2, TAP_IDLE);
	if (status != ERROR_OK)
		return status;

	status = arm_jtag_set_instr(eice->jtag_info,
			eice->jtag_info->intest_instr, NULL, TAP_IDLE);
	if (status != ERROR_OK)
		return status;

	/* the first scan captures and checks nothing in any field */
	for (int k = 0; k < 3; k++) {
		fields[k].in_value = NULL;
		fields[k].check_value = NULL;
		fields[k].check_mask = NULL;
	}

	/* bits 31:0 -- data (ignored here) */
	fields[0].num_bits = 32;
	fields[0].out_value = reg->value;

	/* bits 36:32 -- register */
	fields[1].num_bits = 5;
	fields[1].out_value = addr_out;
	addr_out[0] = addr5;

	/* bit 37 -- 0/read */
	fields[2].num_bits = 1;
	fields[2].out_value = rw_out;
	rw_out[0] = 0;

	/* traverse Update-DR, setting address for the next read */
	jtag_add_dr_scan(eice->jtag_info->tap, 3, fields, TAP_IDLE);

	/* bits 31:0 -- the data we're reading (and maybe checking) */
	fields[0].in_value = reg->value;
	fields[0].check_value = check_value;
	fields[0].check_mask = check_mask;

	/* when reading the DCC data register, leaving the address field set to
	 * EICE_COMMS_DATA would read the register twice
	 * reading the control register is safe
	 */
	addr_out[0] = eice_regs[EICE_COMMS_CTRL].addr;

	/* traverse Update-DR, reading but with no other side effects */
	jtag_add_dr_scan_check(eice->jtag_info->tap, 3, fields, TAP_IDLE);

	return ERROR_OK;
}
401 * Receive a block of size 32-bit words from the DCC.
402 * We assume the target is always going to be fast enough (relative to
403 * the JTAG clock) that the debugger won't need to poll the handshake
404 * bit. The JTAG clock is usually at least six times slower than the
405 * functional clock, so the 50+ JTAG clocks needed to receive the word
406 * allow hundreds of instruction cycles (per word) in the target.
408 int embeddedice_receive(struct arm_jtag
*jtag_info
, uint32_t *data
, uint32_t size
)
410 struct scan_field fields
[3];
411 uint8_t field1_out
[1];
412 uint8_t field2_out
[1];
415 retval
= arm_jtag_scann(jtag_info
, 0x2, TAP_IDLE
);
416 if (retval
!= ERROR_OK
)
418 retval
= arm_jtag_set_instr(jtag_info
, jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
419 if (retval
!= ERROR_OK
)
422 fields
[0].num_bits
= 32;
423 fields
[0].out_value
= NULL
;
424 fields
[0].in_value
= NULL
;
426 fields
[1].num_bits
= 5;
427 fields
[1].out_value
= field1_out
;
428 field1_out
[0] = eice_regs
[EICE_COMMS_DATA
].addr
;
429 fields
[1].in_value
= NULL
;
431 fields
[2].num_bits
= 1;
432 fields
[2].out_value
= field2_out
;
434 fields
[2].in_value
= NULL
;
436 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
439 /* when reading the last item, set the register address to the DCC control reg,
440 * to avoid reading additional data from the DCC data reg
443 field1_out
[0] = eice_regs
[EICE_COMMS_CTRL
].addr
;
445 fields
[0].in_value
= (uint8_t *)data
;
446 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
447 jtag_add_callback(arm_le_to_h_u32
, (jtag_callback_data_t
)data
);
453 return jtag_execute_queue();
/**
 * Queue a read for an EmbeddedICE register into the register cache,
 * not checking the value read.
 *
 * @param reg cache entry to read
 * @return whatever embeddedice_read_reg_w_check() returns when called
 *         with no check value and no check mask
 */
int embeddedice_read_reg(struct reg *reg)
{
	uint8_t *no_check = NULL;

	return embeddedice_read_reg_w_check(reg, no_check, no_check);
}
466 * Queue a write for an EmbeddedICE register, updating the register cache.
467 * Uses embeddedice_write_reg().
469 void embeddedice_set_reg(struct reg
*reg
, uint32_t value
)
471 embeddedice_write_reg(reg
, value
);
473 buf_set_u32(reg
->value
, 0, reg
->size
, value
);
/**
 * Write an EmbeddedICE register, updating the register cache.
 * Uses embeddedice_set_reg(); not queued.
 *
 * @param reg cache entry to write
 * @param buf buffer holding the new value; reg->size bits are taken
 *            starting at bit 0
 * @return ERROR_OK, or the error from jtag_execute_queue() (logged)
 */
static int embeddedice_set_reg_w_exec(struct reg *reg, uint8_t *buf)
{
	const uint32_t new_value = buf_get_u32(buf, 0, reg->size);
	int status;

	embeddedice_set_reg(reg, new_value);

	/* unlike embeddedice_set_reg(), flush the queue before returning */
	status = jtag_execute_queue();
	if (status == ERROR_OK)
		return ERROR_OK;

	LOG_ERROR("register write failed");
	return status;
}
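/**
 * Queue a write for an EmbeddedICE register, bypassing the register cache.
 *
 * Selects scan chain 2 and the INTEST instruction, then queues the write
 * of @a value to the register's 5-bit address.  Nothing is executed here.
 *
 * The function returns void, so a failure to select the scan chain or
 * the instruction cannot be reported to the caller; it is logged and the
 * write is not queued, rather than being shifted into whatever chain or
 * instruction happens to be selected.
 *
 * @param reg   cache entry naming the register (its arch_info is used)
 * @param value 32-bit value to write
 */
void embeddedice_write_reg(struct reg *reg, uint32_t value)
{
	struct embeddedice_reg *ice_reg = reg->arch_info;
	int retval;

	LOG_DEBUG("%i: 0x%8.8" PRIx32 "", ice_reg->addr, value);

	retval = arm_jtag_scann(ice_reg->jtag_info, 0x2, TAP_IDLE);
	if (retval != ERROR_OK) {
		LOG_ERROR("failed to select scan chain 2 for EmbeddedICE register write");
		return;
	}

	retval = arm_jtag_set_instr(ice_reg->jtag_info,
			ice_reg->jtag_info->intest_instr, NULL, TAP_IDLE);
	if (retval != ERROR_OK) {
		LOG_ERROR("failed to set INTEST for EmbeddedICE register write");
		return;
	}

	/* only five address bits are shifted, so mask the address to 5 bits */
	uint8_t reg_addr = ice_reg->addr & 0x1f;
	embeddedice_write_reg_inner(ice_reg->jtag_info->tap, reg_addr, value);
}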
/**
 * Queue a write for an EmbeddedICE register, using cached value.
 * Uses embeddedice_write_reg().
 *
 * @param reg cache entry whose low reg->size bits of reg->value are
 *            written back to the hardware register
 */
void embeddedice_store_reg(struct reg *reg)
{
	uint32_t cached = buf_get_u32(reg->value, 0, reg->size);

	embeddedice_write_reg(reg, cached);
}
521 * Send a block of size 32-bit words to the DCC.
522 * We assume the target is always going to be fast enough (relative to
523 * the JTAG clock) that the debugger won't need to poll the handshake
524 * bit. The JTAG clock is usually at least six times slower than the
525 * functional clock, so the 50+ JTAG clocks needed to receive the word
526 * allow hundreds of instruction cycles (per word) in the target.
528 int embeddedice_send(struct arm_jtag
*jtag_info
, uint32_t *data
, uint32_t size
)
530 struct scan_field fields
[3];
531 uint8_t field0_out
[4];
532 uint8_t field1_out
[1];
533 uint8_t field2_out
[1];
536 retval
= arm_jtag_scann(jtag_info
, 0x2, TAP_IDLE
);
537 if (retval
!= ERROR_OK
)
539 retval
= arm_jtag_set_instr(jtag_info
, jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
540 if (retval
!= ERROR_OK
)
543 fields
[0].num_bits
= 32;
544 fields
[0].out_value
= field0_out
;
545 fields
[0].in_value
= NULL
;
547 fields
[1].num_bits
= 5;
548 fields
[1].out_value
= field1_out
;
549 field1_out
[0] = eice_regs
[EICE_COMMS_DATA
].addr
;
550 fields
[1].in_value
= NULL
;
552 fields
[2].num_bits
= 1;
553 fields
[2].out_value
= field2_out
;
556 fields
[2].in_value
= NULL
;
559 buf_set_u32(field0_out
, 0, 32, *data
);
560 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
566 /* call to jtag_execute_queue() intentionally omitted */
571 * Poll DCC control register until read or write handshake completes.
573 int embeddedice_handshake(struct arm_jtag
*jtag_info
, int hsbit
, uint32_t timeout
)
575 struct scan_field fields
[3];
576 uint8_t field0_in
[4];
577 uint8_t field1_out
[1];
578 uint8_t field2_out
[1];
584 if (hsbit
== EICE_COMM_CTRL_WBIT
)
586 else if (hsbit
== EICE_COMM_CTRL_RBIT
)
589 LOG_ERROR("Invalid arguments");
590 return ERROR_COMMAND_SYNTAX_ERROR
;
593 retval
= arm_jtag_scann(jtag_info
, 0x2, TAP_IDLE
);
594 if (retval
!= ERROR_OK
)
596 retval
= arm_jtag_set_instr(jtag_info
, jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
597 if (retval
!= ERROR_OK
)
600 fields
[0].num_bits
= 32;
601 fields
[0].out_value
= NULL
;
602 fields
[0].in_value
= field0_in
;
604 fields
[1].num_bits
= 5;
605 fields
[1].out_value
= field1_out
;
606 field1_out
[0] = eice_regs
[EICE_COMMS_DATA
].addr
;
607 fields
[1].in_value
= NULL
;
609 fields
[2].num_bits
= 1;
610 fields
[2].out_value
= field2_out
;
612 fields
[2].in_value
= NULL
;
614 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
615 gettimeofday(&lap
, NULL
);
617 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
618 retval
= jtag_execute_queue();
619 if (retval
!= ERROR_OK
)
622 if (buf_get_u32(field0_in
, hsbit
, 1) == hsact
)
625 gettimeofday(&now
, NULL
);
626 } while ((uint32_t)((now
.tv_sec
- lap
.tv_sec
) * 1000
627 + (now
.tv_usec
- lap
.tv_usec
) / 1000) <= timeout
);
629 LOG_ERROR("embeddedice handshake timeout");
630 return ERROR_TARGET_TIMEOUT
;
633 #ifndef HAVE_JTAG_MINIDRIVER_H
635 * This is an inner loop of the open loop DCC write of data to target
637 void embeddedice_write_dcc(struct jtag_tap
*tap
,
638 int reg_addr
, const uint8_t *buffer
, int little
, int count
)
642 for (i
= 0; i
< count
; i
++) {
643 embeddedice_write_reg_inner(tap
, reg_addr
,
644 fast_target_buffer_get_u32(buffer
, little
));
649 /* provided by minidriver */