1 /***************************************************************************
2 * Copyright (C) 2005 by Dominic Rath *
3 * Dominic.Rath@gmx.de *
5 * Copyright (C) 2007-2010 Øyvind Harboe *
6 * oyvind.harboe@zylin.com *
8 * Copyright (C) 2008 by Spencer Oliver *
9 * spen@spen-soft.co.uk *
11 * This program is free software; you can redistribute it and/or modify *
12 * it under the terms of the GNU General Public License as published by *
13 * the Free Software Foundation; either version 2 of the License, or *
14 * (at your option) any later version. *
16 * This program is distributed in the hope that it will be useful, *
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
19 * GNU General Public License for more details. *
21 * You should have received a copy of the GNU General Public License *
22 * along with this program. If not, see <http://www.gnu.org/licenses/>. *
23 ***************************************************************************/
29 #include "embeddedice.h"
31 #include <helper/time_support.h>
36 * This provides lowlevel glue to the EmbeddedICE (or EmbeddedICE-RT)
37 * module found on scan chain 2 in ARM7, ARM9, and some other families
38 * of ARM cores. The module is called "EmbeddedICE-RT" if it has
39 * monitor mode support.
41 * EmbeddedICE provides basic watchpoint/breakpoint hardware and a Debug
42 * Communications Channel (DCC) used to read or write 32-bit words to
43 * OpenOCD-aware code running on the target CPU.
44 * Newer modules also include vector catch hardware. Some versions
45 * support hardware single-stepping, "monitor mode" debug (which is not
46 * currently supported by OpenOCD), or extended reporting on why the
47 * core entered debug mode.
50 static int embeddedice_set_reg_w_exec(struct reg
*reg
, uint8_t *buf
);
53 * From: ARM9E-S TRM, DDI 0165, table C-4 (and similar, for other cores)
63 /* width is assigned based on EICE version */
66 .name
= "debug_status",
68 /* width is assigned based on EICE version */
80 [EICE_W0_ADDR_VALUE
] = {
81 .name
= "watch_0_addr_value",
85 [EICE_W0_ADDR_MASK
] = {
86 .name
= "watch_0_addr_mask",
90 [EICE_W0_DATA_VALUE
] = {
91 .name
= "watch_0_data_value",
95 [EICE_W0_DATA_MASK
] = {
96 .name
= "watch_0_data_mask",
100 [EICE_W0_CONTROL_VALUE
] = {
101 .name
= "watch_0_control_value",
105 [EICE_W0_CONTROL_MASK
] = {
106 .name
= "watch_0_control_mask",
110 [EICE_W1_ADDR_VALUE
] = {
111 .name
= "watch_1_addr_value",
115 [EICE_W1_ADDR_MASK
] = {
116 .name
= "watch_1_addr_mask",
120 [EICE_W1_DATA_VALUE
] = {
121 .name
= "watch_1_data_value",
125 [EICE_W1_DATA_MASK
] = {
126 .name
= "watch_1_data_mask",
130 [EICE_W1_CONTROL_VALUE
] = {
131 .name
= "watch_1_control_value",
135 [EICE_W1_CONTROL_MASK
] = {
136 .name
= "watch_1_control_mask",
140 /* vector_catch isn't always present */
142 .name
= "vector_catch",
148 static int embeddedice_get_reg(struct reg
*reg
)
150 int retval
= embeddedice_read_reg(reg
);
151 if (retval
!= ERROR_OK
) {
152 LOG_ERROR("error queueing EmbeddedICE register read");
156 retval
= jtag_execute_queue();
157 if (retval
!= ERROR_OK
)
158 LOG_ERROR("EmbeddedICE register read failed");
163 static const struct reg_arch_type eice_reg_type
= {
164 .get
= embeddedice_get_reg
,
165 .set
= embeddedice_set_reg_w_exec
,
169 * Probe EmbeddedICE module and set up local records of its registers.
170 * Different versions of the modules have different capabilities, such as
171 * hardware support for vector_catch, single stepping, and monitor mode.
173 struct reg_cache
*embeddedice_build_reg_cache(struct target
*target
,
174 struct arm7_9_common
*arm7_9
)
177 struct reg_cache
*reg_cache
= malloc(sizeof(struct reg_cache
));
178 struct reg
*reg_list
= NULL
;
179 struct embeddedice_reg
*arch_info
= NULL
;
180 struct arm_jtag
*jtag_info
= &arm7_9
->jtag_info
;
181 int num_regs
= ARRAY_SIZE(eice_regs
);
183 int eice_version
= 0;
185 /* vector_catch isn't always present */
186 if (!arm7_9
->has_vector_catch
)
189 /* the actual registers are kept in two arrays */
190 reg_list
= calloc(num_regs
, sizeof(struct reg
));
191 arch_info
= calloc(num_regs
, sizeof(struct embeddedice_reg
));
193 /* fill in values for the reg cache */
194 reg_cache
->name
= "EmbeddedICE registers";
195 reg_cache
->next
= NULL
;
196 reg_cache
->reg_list
= reg_list
;
197 reg_cache
->num_regs
= num_regs
;
199 /* FIXME the second watchpoint unit on Feroceon and Dragonite
200 * seems not to work ... we should have a way to not set up
201 * its four registers here!
204 /* set up registers */
205 for (i
= 0; i
< num_regs
; i
++) {
206 reg_list
[i
].name
= eice_regs
[i
].name
;
207 reg_list
[i
].size
= eice_regs
[i
].width
;
208 reg_list
[i
].dirty
= false;
209 reg_list
[i
].valid
= false;
210 reg_list
[i
].value
= calloc(1, 4);
211 reg_list
[i
].arch_info
= &arch_info
[i
];
212 reg_list
[i
].type
= &eice_reg_type
;
213 arch_info
[i
].addr
= eice_regs
[i
].addr
;
214 arch_info
[i
].jtag_info
= jtag_info
;
217 /* identify EmbeddedICE version by reading DCC control register */
218 embeddedice_read_reg(®_list
[EICE_COMMS_CTRL
]);
219 retval
= jtag_execute_queue();
220 if (retval
!= ERROR_OK
) {
221 for (i
= 0; i
< num_regs
; i
++)
222 free(reg_list
[i
].value
);
229 eice_version
= buf_get_u32(reg_list
[EICE_COMMS_CTRL
].value
, 28, 4);
230 LOG_INFO("Embedded ICE version %d", eice_version
);
232 switch (eice_version
) {
234 /* ARM7TDMI r3, ARM7TDMI-S r3
236 * REVISIT docs say ARM7TDMI-S r4 uses version 1 but
237 * that it has 6-bit CTRL and 5-bit STAT... doc bug?
238 * ARM7TDMI r4 docs say EICE v4.
240 reg_list
[EICE_DBG_CTRL
].size
= 3;
241 reg_list
[EICE_DBG_STAT
].size
= 5;
245 reg_list
[EICE_DBG_CTRL
].size
= 4;
246 reg_list
[EICE_DBG_STAT
].size
= 5;
247 arm7_9
->has_single_step
= 1;
250 LOG_ERROR("EmbeddedICE v%d handling might be broken",
252 reg_list
[EICE_DBG_CTRL
].size
= 6;
253 reg_list
[EICE_DBG_STAT
].size
= 5;
254 arm7_9
->has_single_step
= 1;
255 arm7_9
->has_monitor_mode
= 1;
259 reg_list
[EICE_DBG_CTRL
].size
= 6;
260 reg_list
[EICE_DBG_STAT
].size
= 5;
261 arm7_9
->has_monitor_mode
= 1;
265 reg_list
[EICE_DBG_CTRL
].size
= 6;
266 reg_list
[EICE_DBG_STAT
].size
= 5;
267 arm7_9
->has_single_step
= 1;
268 arm7_9
->has_monitor_mode
= 1;
271 /* ARM7EJ-S, ARM9E-S rev 2, ARM9EJ-S */
272 reg_list
[EICE_DBG_CTRL
].size
= 6;
273 reg_list
[EICE_DBG_STAT
].size
= 10;
274 /* DBG_STAT has MOE bits */
275 arm7_9
->has_monitor_mode
= 1;
278 LOG_ERROR("EmbeddedICE v%d handling might be broken",
280 reg_list
[EICE_DBG_CTRL
].size
= 6;
281 reg_list
[EICE_DBG_STAT
].size
= 5;
282 arm7_9
->has_monitor_mode
= 1;
286 * The Feroceon implementation has the version number
287 * in some unusual bits. Let feroceon.c validate it
288 * and do the appropriate setup itself.
290 if (strcmp(target_type_name(target
), "feroceon") == 0 ||
291 strcmp(target_type_name(target
), "dragonite") == 0)
293 LOG_ERROR("unknown EmbeddedICE version "
294 "(comms ctrl: 0x%8.8" PRIx32
")",
295 buf_get_u32(reg_list
[EICE_COMMS_CTRL
].value
, 0, 32));
298 /* On Feroceon and Dragonite the second unit is seemingly missing. */
299 LOG_INFO("%s: hardware has %d breakpoint/watchpoint unit%s",
300 target_name(target
), arm7_9
->wp_available_max
,
301 (arm7_9
->wp_available_max
!= 1) ? "s" : "");
307 * Free all memory allocated for EmbeddedICE register cache
309 void embeddedice_free_reg_cache(struct reg_cache
*reg_cache
)
314 for (unsigned int i
= 0; i
< reg_cache
->num_regs
; i
++)
315 free(reg_cache
->reg_list
[i
].value
);
317 free(reg_cache
->reg_list
[0].arch_info
);
318 free(reg_cache
->reg_list
);
323 * Initialize EmbeddedICE module, if needed.
325 int embeddedice_setup(struct target
*target
)
328 struct arm7_9_common
*arm7_9
= target_to_arm7_9(target
);
330 /* Explicitly disable monitor mode. For now we only support halting
331 * debug ... we don't know how to talk with a resident debug monitor
332 * that manages break requests. ARM's "Angel Debug Monitor" is one
333 * common example of such code.
335 if (arm7_9
->has_monitor_mode
) {
336 struct reg
*dbg_ctrl
= &arm7_9
->eice_cache
->reg_list
[EICE_DBG_CTRL
];
338 embeddedice_read_reg(dbg_ctrl
);
339 retval
= jtag_execute_queue();
340 if (retval
!= ERROR_OK
)
342 buf_set_u32(dbg_ctrl
->value
, 4, 1, 0);
343 embeddedice_set_reg_w_exec(dbg_ctrl
, dbg_ctrl
->value
);
345 return jtag_execute_queue();
349 * Queue a read for an EmbeddedICE register into the register cache,
350 * optionally checking the value read.
351 * Note that at this level, all registers are 32 bits wide.
353 int embeddedice_read_reg_w_check(struct reg
*reg
,
354 uint8_t *check_value
, uint8_t *check_mask
)
356 struct embeddedice_reg
*ice_reg
= reg
->arch_info
;
357 uint8_t reg_addr
= ice_reg
->addr
& 0x1f;
358 struct scan_field fields
[3];
359 uint8_t field1_out
[1];
360 uint8_t field2_out
[1];
363 retval
= arm_jtag_scann(ice_reg
->jtag_info
, 0x2, TAP_IDLE
);
364 if (retval
!= ERROR_OK
)
367 retval
= arm_jtag_set_instr(ice_reg
->jtag_info
->tap
,
368 ice_reg
->jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
369 if (retval
!= ERROR_OK
)
372 /* bits 31:0 -- data (ignored here) */
373 fields
[0].num_bits
= 32;
374 fields
[0].out_value
= reg
->value
;
375 fields
[0].in_value
= NULL
;
376 fields
[0].check_value
= NULL
;
377 fields
[0].check_mask
= NULL
;
379 /* bits 36:32 -- register */
380 fields
[1].num_bits
= 5;
381 fields
[1].out_value
= field1_out
;
382 field1_out
[0] = reg_addr
;
383 fields
[1].in_value
= NULL
;
384 fields
[1].check_value
= NULL
;
385 fields
[1].check_mask
= NULL
;
387 /* bit 37 -- 0/read */
388 fields
[2].num_bits
= 1;
389 fields
[2].out_value
= field2_out
;
391 fields
[2].in_value
= NULL
;
392 fields
[2].check_value
= NULL
;
393 fields
[2].check_mask
= NULL
;
395 /* traverse Update-DR, setting address for the next read */
396 jtag_add_dr_scan(ice_reg
->jtag_info
->tap
, 3, fields
, TAP_IDLE
);
398 /* bits 31:0 -- the data we're reading (and maybe checking) */
399 fields
[0].in_value
= reg
->value
;
400 fields
[0].check_value
= check_value
;
401 fields
[0].check_mask
= check_mask
;
403 /* when reading the DCC data register, leaving the address field set to
404 * EICE_COMMS_DATA would read the register twice
405 * reading the control register is safe
407 field1_out
[0] = eice_regs
[EICE_COMMS_CTRL
].addr
;
409 /* traverse Update-DR, reading but with no other side effects */
410 jtag_add_dr_scan_check(ice_reg
->jtag_info
->tap
, 3, fields
, TAP_IDLE
);
416 * Receive a block of size 32-bit words from the DCC.
417 * We assume the target is always going to be fast enough (relative to
418 * the JTAG clock) that the debugger won't need to poll the handshake
419 * bit. The JTAG clock is usually at least six times slower than the
420 * functional clock, so the 50+ JTAG clocks needed to receive the word
421 * allow hundreds of instruction cycles (per word) in the target.
423 int embeddedice_receive(struct arm_jtag
*jtag_info
, uint32_t *data
, uint32_t size
)
425 struct scan_field fields
[3];
426 uint8_t field1_out
[1];
427 uint8_t field2_out
[1];
430 retval
= arm_jtag_scann(jtag_info
, 0x2, TAP_IDLE
);
431 if (retval
!= ERROR_OK
)
433 retval
= arm_jtag_set_instr(jtag_info
->tap
, jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
434 if (retval
!= ERROR_OK
)
437 fields
[0].num_bits
= 32;
438 fields
[0].out_value
= NULL
;
439 fields
[0].in_value
= NULL
;
441 fields
[1].num_bits
= 5;
442 fields
[1].out_value
= field1_out
;
443 field1_out
[0] = eice_regs
[EICE_COMMS_DATA
].addr
;
444 fields
[1].in_value
= NULL
;
446 fields
[2].num_bits
= 1;
447 fields
[2].out_value
= field2_out
;
449 fields
[2].in_value
= NULL
;
451 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
454 /* when reading the last item, set the register address to the DCC control reg,
455 * to avoid reading additional data from the DCC data reg
458 field1_out
[0] = eice_regs
[EICE_COMMS_CTRL
].addr
;
460 fields
[0].in_value
= (uint8_t *)data
;
461 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
462 jtag_add_callback(arm_le_to_h_u32
, (jtag_callback_data_t
)data
);
468 return jtag_execute_queue();
472 * Queue a read for an EmbeddedICE register into the register cache,
473 * not checking the value read.
475 int embeddedice_read_reg(struct reg
*reg
)
477 return embeddedice_read_reg_w_check(reg
, NULL
, NULL
);
481 * Queue a write for an EmbeddedICE register, updating the register cache.
482 * Uses embeddedice_write_reg().
484 void embeddedice_set_reg(struct reg
*reg
, uint32_t value
)
486 embeddedice_write_reg(reg
, value
);
488 buf_set_u32(reg
->value
, 0, reg
->size
, value
);
495 * Write an EmbeddedICE register, updating the register cache.
496 * Uses embeddedice_set_reg(); not queued.
498 static int embeddedice_set_reg_w_exec(struct reg
*reg
, uint8_t *buf
)
502 embeddedice_set_reg(reg
, buf_get_u32(buf
, 0, reg
->size
));
503 retval
= jtag_execute_queue();
504 if (retval
!= ERROR_OK
)
505 LOG_ERROR("register write failed");
510 * Queue a write for an EmbeddedICE register, bypassing the register cache.
512 void embeddedice_write_reg(struct reg
*reg
, uint32_t value
)
514 struct embeddedice_reg
*ice_reg
= reg
->arch_info
;
516 LOG_DEBUG("%i: 0x%8.8" PRIx32
"", ice_reg
->addr
, value
);
518 arm_jtag_scann(ice_reg
->jtag_info
, 0x2, TAP_IDLE
);
520 arm_jtag_set_instr(ice_reg
->jtag_info
->tap
, ice_reg
->jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
522 uint8_t reg_addr
= ice_reg
->addr
& 0x1f;
523 embeddedice_write_reg_inner(ice_reg
->jtag_info
->tap
, reg_addr
, value
);
527 * Queue a write for an EmbeddedICE register, using cached value.
528 * Uses embeddedice_write_reg().
530 void embeddedice_store_reg(struct reg
*reg
)
532 embeddedice_write_reg(reg
, buf_get_u32(reg
->value
, 0, reg
->size
));
536 * Send a block of size 32-bit words to the DCC.
537 * We assume the target is always going to be fast enough (relative to
538 * the JTAG clock) that the debugger won't need to poll the handshake
539 * bit. The JTAG clock is usually at least six times slower than the
540 * functional clock, so the 50+ JTAG clocks needed to receive the word
541 * allow hundreds of instruction cycles (per word) in the target.
543 int embeddedice_send(struct arm_jtag
*jtag_info
, uint32_t *data
, uint32_t size
)
545 struct scan_field fields
[3];
546 uint8_t field0_out
[4];
547 uint8_t field1_out
[1];
548 uint8_t field2_out
[1];
551 retval
= arm_jtag_scann(jtag_info
, 0x2, TAP_IDLE
);
552 if (retval
!= ERROR_OK
)
554 retval
= arm_jtag_set_instr(jtag_info
->tap
, jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
555 if (retval
!= ERROR_OK
)
558 fields
[0].num_bits
= 32;
559 fields
[0].out_value
= field0_out
;
560 fields
[0].in_value
= NULL
;
562 fields
[1].num_bits
= 5;
563 fields
[1].out_value
= field1_out
;
564 field1_out
[0] = eice_regs
[EICE_COMMS_DATA
].addr
;
565 fields
[1].in_value
= NULL
;
567 fields
[2].num_bits
= 1;
568 fields
[2].out_value
= field2_out
;
571 fields
[2].in_value
= NULL
;
574 buf_set_u32(field0_out
, 0, 32, *data
);
575 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
581 /* call to jtag_execute_queue() intentionally omitted */
586 * Poll DCC control register until read or write handshake completes.
588 int embeddedice_handshake(struct arm_jtag
*jtag_info
, int hsbit
, uint32_t timeout
)
590 struct scan_field fields
[3];
591 uint8_t field0_in
[4];
592 uint8_t field1_out
[1];
593 uint8_t field2_out
[1];
597 struct timeval timeout_end
;
599 if (hsbit
== EICE_COMM_CTRL_WBIT
)
601 else if (hsbit
== EICE_COMM_CTRL_RBIT
)
604 LOG_ERROR("Invalid arguments");
605 return ERROR_COMMAND_SYNTAX_ERROR
;
608 retval
= arm_jtag_scann(jtag_info
, 0x2, TAP_IDLE
);
609 if (retval
!= ERROR_OK
)
611 retval
= arm_jtag_set_instr(jtag_info
->tap
, jtag_info
->intest_instr
, NULL
, TAP_IDLE
);
612 if (retval
!= ERROR_OK
)
615 fields
[0].num_bits
= 32;
616 fields
[0].out_value
= NULL
;
617 fields
[0].in_value
= field0_in
;
619 fields
[1].num_bits
= 5;
620 fields
[1].out_value
= field1_out
;
621 field1_out
[0] = eice_regs
[EICE_COMMS_DATA
].addr
;
622 fields
[1].in_value
= NULL
;
624 fields
[2].num_bits
= 1;
625 fields
[2].out_value
= field2_out
;
627 fields
[2].in_value
= NULL
;
629 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
630 gettimeofday(&timeout_end
, NULL
);
631 timeval_add_time(&timeout_end
, 0, timeout
* 1000);
633 jtag_add_dr_scan(jtag_info
->tap
, 3, fields
, TAP_IDLE
);
634 retval
= jtag_execute_queue();
635 if (retval
!= ERROR_OK
)
638 if (buf_get_u32(field0_in
, hsbit
, 1) == hsact
)
641 gettimeofday(&now
, NULL
);
642 } while (timeval_compare(&now
, &timeout_end
) <= 0);
644 LOG_ERROR("embeddedice handshake timeout");
645 return ERROR_TARGET_TIMEOUT
;
648 #ifndef HAVE_JTAG_MINIDRIVER_H
650 * This is an inner loop of the open loop DCC write of data to target
652 void embeddedice_write_dcc(struct jtag_tap
*tap
,
653 int reg_addr
, const uint8_t *buffer
, int little
, int count
)
657 for (i
= 0; i
< count
; i
++) {
658 embeddedice_write_reg_inner(tap
, reg_addr
,
659 fast_target_buffer_get_u32(buffer
, little
));
664 /* provided by minidriver */
Linking to existing account procedure
If you already have an account and want to add another login method
you
MUST first sign in with your existing account and
then change URL to read
https://review.openocd.org/login/?link
to get to this page again but this time it'll work for linking. Thank you.
SSH host keys fingerprints
1024 SHA256:YKx8b7u5ZWdcbp7/4AeXNaqElP49m6QrwfXaqQGJAOk gerrit-code-review@openocd.zylin.com (DSA)
384 SHA256:jHIbSQa4REvwCFG4cq5LBlBLxmxSqelQPem/EXIrxjk gerrit-code-review@openocd.org (ECDSA)
521 SHA256:UAOPYkU9Fjtcao0Ul/Rrlnj/OsQvt+pgdYSZ4jOYdgs gerrit-code-review@openocd.org (ECDSA)
256 SHA256:A13M5QlnozFOvTllybRZH6vm7iSt0XLxbA48yfc2yfY gerrit-code-review@openocd.org (ECDSA)
256 SHA256:spYMBqEYoAOtK7yZBrcwE8ZpYt6b68Cfh9yEVetvbXg gerrit-code-review@openocd.org (ED25519)
+--[ED25519 256]--+
|=.. |
|+o.. . |
|*.o . . |
|+B . . . |
|Bo. = o S |
|Oo.+ + = |
|oB=.* = . o |
| =+=.+ + E |
|. .=o . o |
+----[SHA256]-----+
2048 SHA256:0Onrb7/PHjpo6iVZ7xQX2riKN83FJ3KGU0TvI0TaFG4 gerrit-code-review@openocd.zylin.com (RSA)