1 /***************************************************************************
2 * Copyright (C) 2005 by Dominic Rath *
3 * Dominic.Rath@gmx.de *
5 * Copyright (C) 2007,2008,2009 Øyvind Harboe *
6 * oyvind.harboe@zylin.com *
8 * Copyright (C) 2008 by Spencer Oliver *
9 * spen@spen-soft.co.uk *
11 * This program is free software; you can redistribute it and/or modify *
12 * it under the terms of the GNU General Public License as published by *
13 * the Free Software Foundation; either version 2 of the License, or *
14 * (at your option) any later version. *
16 * This program is distributed in the hope that it will be useful, *
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
19 * GNU General Public License for more details. *
21 * You should have received a copy of the GNU General Public License *
22 * along with this program; if not, write to the *
23 * Free Software Foundation, Inc., *
24 * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
25 ***************************************************************************/
30 #include "embeddedice.h"
36 * This provides lowlevel glue to the EmbeddedICE (or EmbeddedICE-RT)
37 * module found on scan chain 2 in ARM7, ARM9, and some other families
40 * EmbeddedICE provides basic watchpoint/breakpoint hardware and a Debug
41 * Communications Channel (DCC) used to read or write 32-bit words to
42 * OpenOCD-aware code running on the target CPU.
43 * Newer modules also include vector catch hardware. Some versions
44 * support hardware single-stepping, "monitor mode" debug (which is not
45 * currently supported by OpenOCD), or extended reporting on why the
46 * core entered debug mode.
50 * From: ARM9E-S TRM, DDI 0165, table C-4 (and similar, for other cores)
60 /* width is assigned based on EICE version */
63 .name
= "debug_status",
65 /* width is assigned based on EICE version */
77 [EICE_W0_ADDR_VALUE
] = {
78 .name
= "watch_0_addr_value",
82 [EICE_W0_ADDR_MASK
] = {
83 .name
= "watch_0_addr_mask",
87 [EICE_W0_DATA_VALUE
] = {
88 .name
= "watch_0_data_value",
92 [EICE_W0_DATA_MASK
] = {
93 .name
= "watch_0_data_mask",
97 [EICE_W0_CONTROL_VALUE
] = {
98 .name
= "watch_0_control_value",
102 [EICE_W0_CONTROL_MASK
] = {
103 .name
= "watch_0_control_mask",
107 [EICE_W1_ADDR_VALUE
] = {
108 .name
= "watch_1_addr_value",
112 [EICE_W1_ADDR_MASK
] = {
113 .name
= "watch_1_addr_mask",
117 [EICE_W1_DATA_VALUE
] = {
118 .name
= "watch_1_data_value",
122 [EICE_W1_DATA_MASK
] = {
123 .name
= "watch_1_data_mask",
127 [EICE_W1_CONTROL_VALUE
] = {
128 .name
= "watch_1_control_value",
132 [EICE_W1_CONTROL_MASK
] = {
133 .name
= "watch_1_control_mask",
137 /* vector_catch isn't always present */
139 .name
= "vector_catch",
/*
 * Register-cache "get" accessor: queue a read of one EmbeddedICE register,
 * then run the JTAG queue. A failure at either step is logged and its
 * status is returned.
 *
 * NOTE(review): the declaration of the status variable and the final return
 * are not visible in this listing; they are restored on the assumption that
 * the function returns the status it computes.
 */
static int embeddedice_get_reg(struct reg *reg)
{
	int status = embeddedice_read_reg(reg);

	if (status != ERROR_OK) {
		LOG_ERROR("error queueing EmbeddedICE register read");
		return status;
	}

	status = jtag_execute_queue();
	if (status != ERROR_OK)
		LOG_ERROR("EmbeddedICE register read failed");

	return status;
}
/* Accessors attached to each EmbeddedICE entry in the register cache. */
static const struct reg_arch_type eice_reg_type = {
	/* queue a register read, then run the JTAG queue */
	.get = embeddedice_get_reg,
	/* write the register and run the JTAG queue */
	.set = embeddedice_set_reg_w_exec,
};
164 * Probe EmbeddedICE module and set up local records of its registers.
165 * Different versions of the modules have different capabilities, such as
166 * hardware support for vector_catch, single stepping, and monitor mode.
169 embeddedice_build_reg_cache(struct target
*target
, struct arm7_9_common
*arm7_9
)
172 struct reg_cache
*reg_cache
= malloc(sizeof(struct reg_cache
));
173 struct reg
*reg_list
= NULL
;
174 struct embeddedice_reg
*arch_info
= NULL
;
175 struct arm_jtag
*jtag_info
= &arm7_9
->jtag_info
;
176 int num_regs
= ARRAY_SIZE(eice_regs
);
178 int eice_version
= 0;
180 /* vector_catch isn't always present */
181 if (!arm7_9
->has_vector_catch
)
184 /* the actual registers are kept in two arrays */
185 reg_list
= calloc(num_regs
, sizeof(struct reg
));
186 arch_info
= calloc(num_regs
, sizeof(struct embeddedice_reg
));
188 /* fill in values for the reg cache */
189 reg_cache
->name
= "EmbeddedICE registers";
190 reg_cache
->next
= NULL
;
191 reg_cache
->reg_list
= reg_list
;
192 reg_cache
->num_regs
= num_regs
;
194 /* set up registers */
195 for (i
= 0; i
< num_regs
; i
++)
197 reg_list
[i
].name
= eice_regs
[i
].name
;
198 reg_list
[i
].size
= eice_regs
[i
].width
;
199 reg_list
[i
].dirty
= 0;
200 reg_list
[i
].valid
= 0;
201 reg_list
[i
].value
= calloc(1, 4);
202 reg_list
[i
].arch_info
= &arch_info
[i
];
203 reg_list
[i
].type
= &eice_reg_type
;
204 arch_info
[i
].addr
= eice_regs
[i
].addr
;
205 arch_info
[i
].jtag_info
= jtag_info
;
208 /* identify EmbeddedICE version by reading DCC control register */
209 embeddedice_read_reg(®_list
[EICE_COMMS_CTRL
]);
210 if ((retval
= jtag_execute_queue()) != ERROR_OK
)
212 for (i
= 0; i
< num_regs
; i
++)
214 free(reg_list
[i
].value
);
222 eice_version
= buf_get_u32(reg_list
[EICE_COMMS_CTRL
].value
, 28, 4);
223 LOG_INFO("Embedded ICE version %d", eice_version
);
225 switch (eice_version
)
228 /* ARM7TDMI r3, ARM7TDMI-S r3
230 * REVISIT docs say ARM7TDMI-S r4 uses version 1 but
231 * that it has 6-bit CTRL and 5-bit STAT... doc bug?
232 * ARM7TDMI r4 docs say EICE v4.
234 reg_list
[EICE_DBG_CTRL
].size
= 3;
235 reg_list
[EICE_DBG_STAT
].size
= 5;
239 reg_list
[EICE_DBG_CTRL
].size
= 4;
240 reg_list
[EICE_DBG_STAT
].size
= 5;
241 arm7_9
->has_single_step
= 1;
244 LOG_ERROR("EmbeddedICE v%d handling might be broken",
246 reg_list
[EICE_DBG_CTRL
].size
= 6;
247 reg_list
[EICE_DBG_STAT
].size
= 5;
248 arm7_9
->has_single_step
= 1;
249 arm7_9
->has_monitor_mode
= 1;
253 reg_list
[EICE_DBG_CTRL
].size
= 6;
254 reg_list
[EICE_DBG_STAT
].size
= 5;
255 arm7_9
->has_monitor_mode
= 1;
259 reg_list
[EICE_DBG_CTRL
].size
= 6;
260 reg_list
[EICE_DBG_STAT
].size
= 5;
261 arm7_9
->has_single_step
= 1;
262 arm7_9
->has_monitor_mode
= 1;
265 /* ARM7EJ-S, ARM9E-S rev 2, ARM9EJ-S */
266 reg_list
[EICE_DBG_CTRL
].size
= 6;
267 reg_list
[EICE_DBG_STAT
].size
= 10;
268 /* DBG_STAT has MOE bits */
269 arm7_9
->has_monitor_mode
= 1;
272 LOG_ERROR("EmbeddedICE v%d handling might be broken",
274 reg_list
[EICE_DBG_CTRL
].size
= 6;
275 reg_list
[EICE_DBG_STAT
].size
= 5;
276 arm7_9
->has_monitor_mode
= 1;
280 * The Feroceon implementation has the version number
281 * in some unusual bits. Let feroceon.c validate it
282 * and do the appropriate setup itself.
284 if (strcmp(target_get_name(target
), "feroceon") == 0 ||
285 strcmp(target_get_name(target
), "dragonite") == 0)
287 LOG_ERROR("unknown EmbeddedICE version "
288 "(comms ctrl: 0x%8.8" PRIx32
")",
289 buf_get_u32(reg_list
[EICE_COMMS_CTRL
].value
, 0, 32));
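/**
 * Initialize EmbeddedICE module, if needed.
 *
 * When the core is flagged as having monitor mode, the DBG_CTRL register is
 * read, bit 4 of the cached value is cleared, and the result is written back.
 *
 * @param target Target whose ARM7/9 state holds the EmbeddedICE register cache.
 * @return ERROR_OK on success, otherwise the status of the first failing step.
 *
 * NOTE(review): the statement guarded by the first status check is not
 * visible in this listing; returning the status is assumed.
 */
int embeddedice_setup(struct target *target)
{
	int retval;
	struct arm7_9_common *arm7_9 = target_to_arm7_9(target);

	/* Explicitly disable monitor mode.  For now we only support halting
	 * debug ... we don't know how to talk with a resident debug monitor
	 * that manages break requests.  ARM's "Angel Debug Monitor" is one
	 * common example of such code.
	 */
	if (arm7_9->has_monitor_mode) {
		struct reg *dbg_ctrl = &arm7_9->eice_cache->reg_list[EICE_DBG_CTRL];

		/* fetch the current control value so that only one bit changes */
		embeddedice_read_reg(dbg_ctrl);
		retval = jtag_execute_queue();
		if (retval != ERROR_OK)
			return retval;

		buf_set_u32(dbg_ctrl->value, 4, 1, 0);

		/* embeddedice_set_reg_w_exec() runs the queue itself and only logs
		 * a failure.  Propagate its status: otherwise a write that never
		 * reached the core is reported as a successful setup and the caller
		 * carries on as if monitor mode had been disabled.
		 */
		retval = embeddedice_set_reg_w_exec(dbg_ctrl, dbg_ctrl->value);
		if (retval != ERROR_OK)
			return retval;
	}
	return jtag_execute_queue();
}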
/**
 * Queue a read for an EmbeddedICE register into the register cache,
 * optionally checking the value read.
 * Note that at this level, all registers are 32 bits wide.
 *
 * Two DR scans are queued: the first sets the register address, the second
 * captures the data into reg->value.  Nothing is executed here; the caller
 * runs the JTAG queue.
 *
 * @param reg         Cache entry; its arch_info supplies the address and TAP.
 * @param check_value Passed to the checking scan as the expected value, or NULL.
 * @param check_mask  Passed to the checking scan as the mask, or NULL.
 * @return ERROR_OK.  NOTE(review): the return statement is not visible in
 *         this listing; ERROR_OK is assumed because no failure path is shown.
 */
int embeddedice_read_reg_w_check(struct reg *reg,
		uint8_t *check_value, uint8_t *check_mask)
{
	struct embeddedice_reg *ice_reg = reg->arch_info;
	struct arm_jtag *jtag = ice_reg->jtag_info;
	uint8_t reg_addr = ice_reg->addr & 0x1f;
	struct scan_field fields[3];
	uint8_t addr_out[1];
	uint8_t rw_out[1];
	int i;

	jtag_set_end_state(TAP_IDLE);
	arm_jtag_scann(jtag, 0x2);
	arm_jtag_set_instr(jtag, jtag->intest_instr, NULL);

	/* the address-setting scan captures and checks nothing */
	for (i = 0; i < 3; i++) {
		fields[i].tap = jtag->tap;
		fields[i].in_value = NULL;
		fields[i].check_value = NULL;
		fields[i].check_mask = NULL;
	}

	/* bits 31:0 -- data (ignored here) */
	fields[0].num_bits = 32;
	fields[0].out_value = reg->value;

	/* bits 36:32 -- register */
	fields[1].num_bits = 5;
	fields[1].out_value = addr_out;
	buf_set_u32(addr_out, 0, 5, reg_addr);

	/* bit 37 -- 0/read */
	fields[2].num_bits = 1;
	fields[2].out_value = rw_out;
	buf_set_u32(rw_out, 0, 1, 0);

	/* traverse Update-DR, setting address for the next read */
	jtag_add_dr_scan(3, fields, jtag_get_end_state());

	/* bits 31:0 -- the data we're reading (and maybe checking) */
	fields[0].in_value = reg->value;
	fields[0].check_value = check_value;
	fields[0].check_mask = check_mask;

	/* when reading the DCC data register, leaving the address field set to
	 * EICE_COMMS_DATA would read the register twice
	 * reading the control register is safe
	 */
	buf_set_u32(addr_out, 0, 5, eice_regs[EICE_COMMS_CTRL].addr);

	/* traverse Update-DR, reading but with no other side effects */
	jtag_add_dr_scan_check(3, fields, jtag_get_end_state());

	return ERROR_OK;
}
387 * Receive a block of size 32-bit words from the DCC.
388 * We assume the target is always going to be fast enough (relative to
389 * the JTAG clock) that the debugger won't need to poll the handshake
390 * bit. The JTAG clock is usually at least six times slower than the
391 * functional clock, so the 50+ JTAG clocks needed to receive the word
392 * allow hundreds of instruction cycles (per word) in the target.
394 int embeddedice_receive(struct arm_jtag
*jtag_info
, uint32_t *data
, uint32_t size
)
396 struct scan_field fields
[3];
397 uint8_t field1_out
[1];
398 uint8_t field2_out
[1];
400 jtag_set_end_state(TAP_IDLE
);
401 arm_jtag_scann(jtag_info
, 0x2);
402 arm_jtag_set_instr(jtag_info
, jtag_info
->intest_instr
, NULL
);
404 fields
[0].tap
= jtag_info
->tap
;
405 fields
[0].num_bits
= 32;
406 fields
[0].out_value
= NULL
;
407 fields
[0].in_value
= NULL
;
409 fields
[1].tap
= jtag_info
->tap
;
410 fields
[1].num_bits
= 5;
411 fields
[1].out_value
= field1_out
;
412 buf_set_u32(fields
[1].out_value
, 0, 5, eice_regs
[EICE_COMMS_DATA
].addr
);
413 fields
[1].in_value
= NULL
;
415 fields
[2].tap
= jtag_info
->tap
;
416 fields
[2].num_bits
= 1;
417 fields
[2].out_value
= field2_out
;
418 buf_set_u32(fields
[2].out_value
, 0, 1, 0);
419 fields
[2].in_value
= NULL
;
421 jtag_add_dr_scan(3, fields
, jtag_get_end_state());
425 /* when reading the last item, set the register address to the DCC control reg,
426 * to avoid reading additional data from the DCC data reg
429 buf_set_u32(fields
[1].out_value
, 0, 5,
430 eice_regs
[EICE_COMMS_CTRL
].addr
);
432 fields
[0].in_value
= (uint8_t *)data
;
433 jtag_add_dr_scan(3, fields
, jtag_get_end_state());
434 jtag_add_callback(arm_le_to_h_u32
, (jtag_callback_data_t
)data
);
440 return jtag_execute_queue();
/**
 * Queue a read for an EmbeddedICE register into the register cache,
 * not checking the value read.
 *
 * @param reg Cache entry to read into.
 * @return Status of embeddedice_read_reg_w_check().
 */
int embeddedice_read_reg(struct reg *reg)
{
	uint8_t *no_check = NULL;

	/* no expected value and no mask are supplied to the checking scan */
	return embeddedice_read_reg_w_check(reg, no_check, no_check);
}
453 * Queue a write for an EmbeddedICE register, updating the register cache.
454 * Uses embeddedice_write_reg().
456 void embeddedice_set_reg(struct reg
*reg
, uint32_t value
)
458 embeddedice_write_reg(reg
, value
);
460 buf_set_u32(reg
->value
, 0, reg
->size
, value
);
/**
 * Write an EmbeddedICE register, updating the register cache.
 * Uses embeddedice_set_reg(); not queued.
 *
 * @param reg Cache entry to write.
 * @param buf Buffer holding the new value; reg->size bits are read from bit 0.
 * @return Status of jtag_execute_queue(); a failure is also logged.
 *
 * NOTE(review): the declaration of the status variable and the final return
 * are not visible in this listing; they are restored on the assumption that
 * the function returns the status it computes.
 */
int embeddedice_set_reg_w_exec(struct reg *reg, uint8_t *buf)
{
	uint32_t value = buf_get_u32(buf, 0, reg->size);
	int status;

	embeddedice_set_reg(reg, value);

	status = jtag_execute_queue();
	if (status != ERROR_OK)
		LOG_ERROR("register write failed");

	return status;
}
/**
 * Queue a write for an EmbeddedICE register, bypassing the register cache.
 *
 * @param reg   Entry whose arch_info supplies the register address and TAP.
 * @param value 32-bit value to write.
 */
void embeddedice_write_reg(struct reg *reg, uint32_t value)
{
	struct embeddedice_reg *ice_reg = reg->arch_info;
	struct arm_jtag *jtag = ice_reg->jtag_info;

	LOG_DEBUG("%i: 0x%8.8" PRIx32 "", ice_reg->addr, value);

	/* scan chain 0x2 and the INTEST instruction are selected first */
	jtag_set_end_state(TAP_IDLE);
	arm_jtag_scann(jtag, 0x2);
	arm_jtag_set_instr(jtag, jtag->intest_instr, NULL);

	/* only the low five bits of the address are passed on */
	embeddedice_write_reg_inner(jtag->tap, ice_reg->addr & 0x1f, value);
}
/**
 * Queue a write for an EmbeddedICE register, using cached value.
 * Uses embeddedice_write_reg().
 *
 * @param reg Cache entry whose current value (reg->size bits) is written out.
 */
void embeddedice_store_reg(struct reg *reg)
{
	uint32_t cached = buf_get_u32(reg->value, 0, reg->size);

	embeddedice_write_reg(reg, cached);
}
508 * Send a block of size 32-bit words to the DCC.
509 * We assume the target is always going to be fast enough (relative to
510 * the JTAG clock) that the debugger won't need to poll the handshake
511 * bit. The JTAG clock is usually at least six times slower than the
512 * functional clock, so the 50+ JTAG clocks needed to receive the word
513 * allow hundreds of instruction cycles (per word) in the target.
515 int embeddedice_send(struct arm_jtag
*jtag_info
, uint32_t *data
, uint32_t size
)
517 struct scan_field fields
[3];
518 uint8_t field0_out
[4];
519 uint8_t field1_out
[1];
520 uint8_t field2_out
[1];
522 jtag_set_end_state(TAP_IDLE
);
523 arm_jtag_scann(jtag_info
, 0x2);
524 arm_jtag_set_instr(jtag_info
, jtag_info
->intest_instr
, NULL
);
526 fields
[0].tap
= jtag_info
->tap
;
527 fields
[0].num_bits
= 32;
528 fields
[0].out_value
= field0_out
;
529 fields
[0].in_value
= NULL
;
531 fields
[1].tap
= jtag_info
->tap
;
532 fields
[1].num_bits
= 5;
533 fields
[1].out_value
= field1_out
;
534 buf_set_u32(fields
[1].out_value
, 0, 5, eice_regs
[EICE_COMMS_DATA
].addr
);
535 fields
[1].in_value
= NULL
;
537 fields
[2].tap
= jtag_info
->tap
;
538 fields
[2].num_bits
= 1;
539 fields
[2].out_value
= field2_out
;
540 buf_set_u32(fields
[2].out_value
, 0, 1, 1);
542 fields
[2].in_value
= NULL
;
546 buf_set_u32(fields
[0].out_value
, 0, 32, *data
);
547 jtag_add_dr_scan(3, fields
, jtag_get_end_state());
553 /* call to jtag_execute_queue() intentionally omitted */
558 * Poll DCC control register until read or write handshake completes.
560 int embeddedice_handshake(struct arm_jtag
*jtag_info
, int hsbit
, uint32_t timeout
)
562 struct scan_field fields
[3];
563 uint8_t field0_in
[4];
564 uint8_t field1_out
[1];
565 uint8_t field2_out
[1];
571 if (hsbit
== EICE_COMM_CTRL_WBIT
)
573 else if (hsbit
== EICE_COMM_CTRL_RBIT
)
576 return ERROR_INVALID_ARGUMENTS
;
578 jtag_set_end_state(TAP_IDLE
);
579 arm_jtag_scann(jtag_info
, 0x2);
580 arm_jtag_set_instr(jtag_info
, jtag_info
->intest_instr
, NULL
);
582 fields
[0].tap
= jtag_info
->tap
;
583 fields
[0].num_bits
= 32;
584 fields
[0].out_value
= NULL
;
585 fields
[0].in_value
= field0_in
;
587 fields
[1].tap
= jtag_info
->tap
;
588 fields
[1].num_bits
= 5;
589 fields
[1].out_value
= field1_out
;
590 buf_set_u32(fields
[1].out_value
, 0, 5, eice_regs
[EICE_COMMS_DATA
].addr
);
591 fields
[1].in_value
= NULL
;
593 fields
[2].tap
= jtag_info
->tap
;
594 fields
[2].num_bits
= 1;
595 fields
[2].out_value
= field2_out
;
596 buf_set_u32(fields
[2].out_value
, 0, 1, 0);
597 fields
[2].in_value
= NULL
;
599 jtag_add_dr_scan(3, fields
, jtag_get_end_state());
600 gettimeofday(&lap
, NULL
);
602 jtag_add_dr_scan(3, fields
, jtag_get_end_state());
603 if ((retval
= jtag_execute_queue()) != ERROR_OK
)
606 if (buf_get_u32(field0_in
, hsbit
, 1) == hsact
)
609 gettimeofday(&now
, NULL
);
610 } while ((uint32_t)((now
.tv_sec
- lap
.tv_sec
) * 1000
611 + (now
.tv_usec
- lap
.tv_usec
) / 1000) <= timeout
);
613 return ERROR_TARGET_TIMEOUT
;
616 #ifndef HAVE_JTAG_MINIDRIVER_H
618 * This is an inner loop of the open loop DCC write of data to target
620 void embeddedice_write_dcc(struct jtag_tap
*tap
,
621 int reg_addr
, uint8_t *buffer
, int little
, int count
)
625 for (i
= 0; i
< count
; i
++)
627 embeddedice_write_reg_inner(tap
, reg_addr
,
628 fast_target_buffer_get_u32(buffer
, little
));
633 /* provided by minidriver */