1 /*! \file jtagarm7tdmi.c
2 \brief ARM7TDMI JTAG (AT91R40008)
8 #include "jtagarm7tdmi.h"
11 /**** 20-pin Connection Information (pin1 is on top-right for both connectors)****
12 GoodFET -> 7TDMI 20-pin connector (HE-10 connector)
19 9 4,6,8,10,12,14,16,18,20 (GND)
20 11 17/3 (nTRST) (different sources suggest 17 or 3 alternately)
21 ********************************/
23 /**** 14-pin Connection Information (pin1 is on top-right for both connectors)****
24 GoodFET -> 7TDMI 14-pin connector
34 http://hri.sourceforge.net/tools/jtag_faq_org.html
35 ********************************/
42 /****************************************************************
43 Enabling jtag likely differs with most platforms. We will attempt to enable most from here. Override jtagarm7tdmi_start() to extend for other implementations
44 ARM7TDMI enables three different scan chains:
45 * Chain0 - "entire periphery" including data bus
46 * Chain1 - core data bus (subset of Chain0) - Instruction Pipeline
47 * Chain2 - EmbeddedICE Logic Registers - This is our way into the fun stuff.
51 You can disable EmbeddedICE-RT by setting the DBGEN input LOW.
53 Hard wiring the DBGEN input LOW permanently disables all debug functionality.
54 When DBGEN is LOW, it inhibits DBGDEWPT, DBGIEBKPT, and EDBGRQ to
55 the core, and DBGACK from the ARM9E-S core is always LOW.
60 When the ARM9E-S core is in debug state, you can examine the core and system state
61 by forcing the load and store multiples into the instruction pipeline.
62 Before you can examine the core and system state, the debugger must determine
63 whether the processor entered debug from Thumb state or ARM state, by examining
64 bit 4 of the EmbeddedICE-RT debug status register. If bit 4 is HIGH, the core has
65 entered debug from Thumb state.
66 For more details about determining the core state, see Determining the core and system
71 --- olimex - http://www.olimex.com/dev/pdf/arm-jtag.pdf
72 JTAG signals description:
73 PIN.1 (VTREF) Target voltage sense. Used to indicate the target’s operating voltage to thedebug tool.
74 PIN.2 (VTARGET) Target voltage. May be used to supply power to the debug tool.
75 PIN.3 (nTRST) JTAG TAP reset, this signal should be pulled up to Vcc in target board.
76 PIN4,6, 8, 10,12,14,16,18,20 Ground. The Gnd-Signal-Gnd-Signal strategy implemented on the 20-way connection scheme improves noiseimmunity on the target connect cable.
77 *PIN.5 (TDI) JTAG serial data in, should be pulled up to Vcc on target board.
78 *PIN.7 (TMS) JTAG TAP Mode Select, should be pulled up to Vcc on target board.
79 *PIN.9 (TCK) JTAG clock.
80 PIN.11 (RTCK) JTAG retimed clock.Implemented on certain ASIC ARM implementations the host ASIC may need to synchronize external inputs (such as JTAG inputs) with its own internal clock.
81 *PIN.13 (TDO) JTAG serial data out.
82 *PIN.15 (nSRST) Target system reset.
83 *PIN.17 (DBGRQ) Asynchronous debug request. DBGRQ allows an external signal to force the ARM core into debug mode, should be pull down to GND.
84 PIN.19 (DBGACK) Debug acknowledge. The ARM core acknowledges debug-mode inresponse to a DBGRQ input.
86 ****************************************************************/
89 /************************** JTAGARM7TDMI Primitives ****************************/
90 void jtag_goto_shift_ir() {
100 void jtag_goto_shift_dr() {
108 void jtag_reset_to_runtest_idle() {
117 jtag_arm_tcktock(); // now in Reset state
119 jtag_arm_tcktock(); // now in Run-Test/Idle state
122 void jtag_arm_tcktock() {
129 //! Set up the pins for JTAG mode.
141 // ! Start JTAG, setup pins, reset TAP and return IDCODE
142 unsigned long jtagarm7tdmi_start() {
144 //Known-good starting position.
145 //Might be unnecessary.
161 jtagarm7tdmi_resettap();
162 return jtagarm7tdmi_idcode();
166 //! Reset TAP State Machine
167 void jtagarm7tdmi_resettap(){ // PROVEN
169 jtag_reset_to_runtest_idle();
173 // NOTE: important: THIS MODULE REVOLVES AROUND RETURNING TO RUNTEST/IDLE, OR THE FUNCTIONAL EQUIVALENT
176 //! Shift N bits over TDI/TDO. May choose LSB or MSB, and select whether to terminate (TMS-high on last bit) and whether to return to RUNTEST/IDLE
177 unsigned long jtagarmtransn(unsigned long word, unsigned char bitcount, unsigned char lsb, unsigned char end, unsigned char retidle){ // PROVEN
179 unsigned long high = 1;
182 for (bit=(bitcount-1)/8; bit>0; bit--)
184 high <<= ((bitcount-1)%8);
189 for (bit = bitcount; bit > 0; bit--) {
190 /* write MOSI on trailing edge of previous clock */
198 SETTMS;//TMS high on last bit to exit.
202 /* read MISO on trailing edge */
208 for (bit = bitcount; bit > 0; bit--) {
209 /* write MOSI on trailing edge of previous clock */
214 word = (word & mask) << 1;
217 SETTMS;//TMS high on last bit to exit.
221 /* read MISO on trailing edge */
243 /************************************************************************
244 * ARM7TDMI core has 6 primary registers to be connected between TDI/TDO
247 * * Scan Chain Select Register (4 bits_lsb)
248 * * Scan Chain 0 (64+* bits: 32_databits_lsb + ctrlbits + 32_addrbits_msb)
249 * * Scan Chain 1 (33 bits: 32_bits + BREAKPT)
250 * * Scan Chain 2 (38 bits: rw + 5_regbits_msb + 32_databits_msb)
251 ************************************************************************/
255 /************************** Basic JTAG Verb Commands *******************************/
256 //! Grab the core ID.
257 unsigned long jtagarm7tdmi_idcode(){ // PROVEN
258 jtagarm7tdmi_resettap();
260 jtagarmtransn(ARM7TDMI_IR_IDCODE, 4, LSB, END, RETIDLE);
262 return jtagarmtransn(0,32, LSB, END, RETIDLE);
265 //! Connect Bypass Register to TDO/TDI
266 unsigned char jtagarm7tdmi_bypass(){ // PROVEN
267 jtagarm7tdmi_resettap();
269 return jtagarmtransn(ARM7TDMI_IR_BYPASS, 4, LSB, END, NORETIDLE);
271 //! INTEST verb - do internal test
272 unsigned char jtagarm7tdmi_intest() {
273 jtagarm7tdmi_resettap();
275 return jtagarmtransn(ARM7TDMI_IR_INTEST, 4, LSB, END, NORETIDLE);
279 unsigned char jtagarm7tdmi_extest() {
280 jtagarm7tdmi_resettap();
282 return jtagarmtransn(ARM7TDMI_IR_EXTEST, 4, LSB, END, NORETIDLE);
286 //unsigned long jtagarm7tdmi_sample() {
287 // jtagarm7tdmi_ir_shift4(ARM7TDMI_IR_SAMPLE); // ???? same here.
288 // return jtagtransn(0,32);
292 unsigned char jtagarm7tdmi_restart() {
293 jtagarm7tdmi_resettap();
295 return jtagarmtransn(ARM7TDMI_IR_RESTART, 4, LSB, END, RETIDLE);
298 //! ARM7TDMI_IR_CLAMP 0x5
299 //unsigned long jtagarm7tdmi_clamp() {
300 // jtagarm7tdmi_resettap();
302 // jtagarmtransn(ARM7TDMI_IR_CLAMP, 4, LSB, END, NORETIDLE);
304 // return jtagarmtransn(0, 32, LSB, END, RETIDLE);
307 //! ARM7TDMI_IR_HIGHZ 0x7
308 //unsigned char jtagarm7tdmi_highz() {
309 // jtagarm7tdmi_resettap();
311 // return jtagarmtransn(ARM7TDMI_IR_HIGHZ, 4, LSB, END, NORETIDLE);
314 //! define ARM7TDMI_IR_CLAMPZ 0x9
315 //unsigned char jtagarm7tdmi_clampz() {
316 // jtagarm7tdmi_resettap();
318 // return jtagarmtransn(ARM7TDMI_IR_CLAMPZ, 4, LSB, END, NORETIDLE);
322 //! Connect the appropriate scan chain to TDO/TDI. SCAN_N, INTEST, ENDS IN SHIFT_DR!!!!!
323 unsigned long jtagarm7tdmi_scan(int chain, int testmode) { // PROVEN
325 When selecting a scan chain the “Run Test/Idle” state should never be reached, other-
326 wise, when in debug state, the core will not be correctly isolated and intrusive
327 commands occur. Therefore, it is recommended to pass directly from the “Update”
328 state” to the “Select DR” state each time the “Update” state is reached.
330 unsigned long retval;
331 if (current_chain != chain) { // breaks shit when going from idcode back to scan chain
333 jtagarmtransn(ARM7TDMI_IR_SCAN_N, 4, LSB, END, NORETIDLE);
335 retval = jtagarmtransn(chain, 4, LSB, END, NORETIDLE);
336 current_chain = chain;
338 retval = current_chain;
339 // put in test mode...
341 jtagarmtransn(testmode, 4, LSB, END, RETIDLE);
346 //! Connect the appropriate scan chain to TDO/TDI. SCAN_N, INTEST, ENDS IN SHIFT_DR!!!!!
347 unsigned long jtagarm7tdmi_scan_intest(int chain) { // PROVEN
348 return jtagarm7tdmi_scan(chain, ARM7TDMI_IR_INTEST);
354 //! push an instruction into the pipeline - Assumes scan-chain 1 is already INTEST
355 unsigned long jtagarm7tdmi_instr_primitive(unsigned long instr, char breakpt){
356 unsigned long retval;
357 jtagarm7tdmi_scan_intest(1);
360 // if the next instruction is to run using MCLK (master clock), set TDI
364 count_sysspd_instr_since_debug++;
369 count_dbgspd_instr_since_debug++;
373 // Now shift in the 32 bits
374 retval = jtagarmtransn(instr, 32, MSB, END, RETIDLE); // Must return to RUN-TEST/IDLE state for instruction to enter pipeline, and causes debug clock.
375 //jtag_arm_tcktock();
381 unsigned long jtagarm7tdmi_nop(char breakpt){
382 //jtagarm7tdmi_scan_intest(1);
384 //return jtagarmtransn(ARM_INSTR_NOP, 32, LSB, END, NORETIDLE);
385 return jtagarm7tdmi_instr_primitive(ARM_INSTR_NOP, breakpt);
388 /* stolen from ARM DDI0029G documentation, translated using ARM Architecture Reference Manual (14128.pdf)
389 STR R0, [R0]; Save R0 before use
390 MOV R0, PC ; Copy PC into R0
391 STR R0, [R0]; Now save the PC in R0
392 BX PC ; Jump into ARM state
399 //! set the current mode to ARM, returns PC (FIXME). Should be used by haltcpu(), which should also store PC and the THUMB state, for use by releasecpu();
400 unsigned long jtagarm7tdmi_setMode_ARM(){ // PROVEN
401 unsigned long retval = 0xff;
402 while ((jtagarm7tdmi_get_dbgstate() & JTAG_ARM7TDMI_DBG_TBIT)&& retval-- > 0){
403 cmddataword[6] = jtagarm7tdmi_instr_primitive(THUMB_INSTR_NOP,0);
404 cmddataword[1] = jtagarm7tdmi_instr_primitive(THUMB_INSTR_STR_R0_r0,0);
405 cmddataword[2] = jtagarm7tdmi_instr_primitive(THUMB_INSTR_MOV_R0_PC,0);
406 cmddataword[3] = jtagarm7tdmi_instr_primitive(THUMB_INSTR_STR_R0_r0,0);
407 cmddataword[4] = jtagarm7tdmi_instr_primitive(THUMB_INSTR_BX_PC,0);
408 cmddataword[5] = jtagarm7tdmi_instr_primitive(THUMB_INSTR_NOP,0);
409 cmddataword[6] = jtagarm7tdmi_instr_primitive(THUMB_INSTR_NOP,0);
410 jtagarm7tdmi_resettap(); // seems necessary for some reason. ugh.
418 /************************* EmbeddedICE Primitives ****************************/
419 //! shifter for writing to chain2 (EmbeddedICE).
420 unsigned long eice_write(unsigned char reg, unsigned long data){
421 unsigned long retval, temp;
422 jtagarm7tdmi_scan_intest(2);
423 // Now shift in the 32 bits
425 retval = jtagarmtransn(data, 32, LSB, NOEND, NORETIDLE); // send in the data - 32-bits lsb
426 temp = jtagarmtransn(reg, 5, LSB, NOEND, NORETIDLE); // send in the register address - 5 bits lsb
427 jtagarmtransn(1, 1, LSB, END, RETIDLE); // send in the WRITE bit
429 //SETTMS; // Last Bit - Exit UPDATE_DR
430 //// is this update a read/write or just read?
432 //jtag_arm_tcktock();
437 //! shifter for reading from chain2 (EmbeddedICE).
438 unsigned long eice_read(unsigned char reg){ // PROVEN
440 jtagarm7tdmi_scan_intest(2);
442 // send in the register address - 5 bits LSB
444 temp = jtagarmtransn(reg, 5, LSB, NOEND, NORETIDLE);
446 // clear TDI to select "read only"
447 jtagarmtransn(0, 1, LSB, END, RETIDLE);
450 // Now shift out the 32 bits
451 return(jtagarmtransn(0, 32, LSB, END, RETIDLE)); // atmel arm jtag docs pp.10-11: LSB first
458 /************************* ICEBreaker/EmbeddedICE Stuff ******************************/
459 //! Grab debug register
460 unsigned long jtagarm7tdmi_get_dbgstate() { // ICE Debug register, *NOT* ARM register DSCR // PROVEN
461 //jtagarm7tdmi_resettap();
462 return eice_read(EICE_DBGSTATUS);
465 //! Grab debug register
466 unsigned long jtagarm7tdmi_get_dbgctrl() {
467 return eice_read(EICE_DBGCTRL);
470 //! Update debug register
471 unsigned long jtagarm7tdmi_set_dbgctrl(unsigned long bits) {
472 return eice_write(EICE_DBGCTRL, bits);
477 //! Set and Enable Watchpoint 0
478 void jtagarm7tdmi_set_watchpoint0(unsigned long addr, unsigned long addrmask, unsigned long data, unsigned long datamask, unsigned long ctrl, unsigned long ctrlmask){
479 // store watchpoint info? - not right now
482 eice_write(EICE_WP0ADDR, addr); // write 0 in watchpoint 0 address
483 eice_write(EICE_WP0ADDRMASK, addrmask); // write 0xffffffff in watchpoint 0 address mask
484 eice_write(EICE_WP0DATA, data); // write 0 in watchpoint 0 data
485 eice_write(EICE_WP0DATAMASK, datamask); // write 0xffffffff in watchpoint 0 data mask
486 eice_write(EICE_WP0CTRL, ctrlmask); // write 0x00000100 in watchpoint 0 control value register (enables watchpoint)
487 eice_write(EICE_WP0CTRLMASK, ctrlmask); // write 0xfffffff7 in watchpoint 0 control mask - only detect the fetch instruction
490 //! Set and Enable Watchpoint 1
491 void jtagarm7tdmi_set_watchpoint1(unsigned long addr, unsigned long addrmask, unsigned long data, unsigned long datamask, unsigned long ctrl, unsigned long ctrlmask){
492 // store watchpoint info? - not right now
495 eice_write(EICE_WP1ADDR, addr); // write 0 in watchpoint 1 address
496 eice_write(EICE_WP1ADDRMASK, addrmask); // write 0xffffffff in watchpoint 1 address mask
497 eice_write(EICE_WP1DATA, data); // write 0 in watchpoint 1 data
498 eice_write(EICE_WP1DATAMASK, datamask); // write 0xffffffff in watchpoint 1 data mask
499 eice_write(EICE_WP1CTRL, ctrl); // write 0x00000100 in watchpoint 1 control value register (enables watchpoint)
500 eice_write(EICE_WP1CTRLMASK, ctrlmask); // write 0xfffffff7 in watchpoint 1 control mask - only detect the fetch instruction
503 //! Disable Watchpoint 0
504 void jtagarm7tdmi_disable_watchpoint0(){
505 eice_write(EICE_WP0CTRL, 0x0); // write 0 in watchpoint 0 control value - disables watchpoint 0
508 //! Disable Watchpoint 1
509 void jtagarm7tdmi_disable_watchpoint1(){
510 eice_write(EICE_WP1CTRL, 0x0); // write 0 in watchpoint 0 control value - disables watchpoint 0
515 /******************** Complex Commands **************************/
516 //! Push an instruction into the CPU pipeline
517 // NOTE! Must provide EXECNOPARM for parameter if no parm is required.
518 unsigned long test_exec(unsigned long instr, unsigned long parameter, unsigned char systemspeed) {
519 unsigned long retval;
521 cmddatalong[1] = jtagarm7tdmi_nop( 0);
522 cmddatalong[2] = jtagarm7tdmi_nop(systemspeed);
523 cmddatalong[3] = jtagarm7tdmi_instr_primitive(instr, 0); // write 32-bit instruction code into DR
524 cmddatalong[4] = jtagarm7tdmi_nop( 0);
525 cmddatalong[5] = jtagarm7tdmi_nop( 0);
526 cmddatalong[6] = jtagarm7tdmi_instr_primitive(parameter, 0); // inject long
527 cmddatalong[7] = jtagarm7tdmi_nop( 0);
528 cmddatalong[8] = jtagarm7tdmi_nop( 0);
529 cmddatalong[9] = jtagarm7tdmi_nop( 0);
530 retval = cmddatalong[9];
536 //! Push an instruction into the CPU pipeline
537 // NOTE! Must provide EXECNOPARM for parameter if no parm is required.
538 unsigned long jtagarm7tdmi_exec(unsigned long instr, unsigned long parameter, unsigned char systemspeed) {
539 unsigned long retval;
541 cmddatalong[1] = jtagarm7tdmi_nop( 0);
542 cmddatalong[2] = jtagarm7tdmi_nop(systemspeed);
543 cmddatalong[3] = jtagarm7tdmi_instr_primitive(instr, 0); // write 32-bit instruction code into DR
544 cmddatalong[4] = jtagarm7tdmi_nop( 0);
545 cmddatalong[5] = jtagarm7tdmi_nop( 0);
546 cmddatalong[6] = jtagarm7tdmi_instr_primitive(parameter, 0); // inject long
547 cmddatalong[7] = jtagarm7tdmi_nop( 0);
548 retval = jtagarm7tdmi_nop( 0);
549 cmddatalong[9] = jtagarm7tdmi_nop( 0);
550 cmddatalong[8] = retval;
555 //! Retrieve a 32-bit Register value
556 unsigned long jtagarm7tdmi_get_register(unsigned char reg) {
557 unsigned long retval = 0, instr;
558 // push nop into pipeline - clean out the pipeline...
559 cmddatalong[2] = jtagarm7tdmi_nop( 0);
561 instr = ARM_READ_REG | (reg<<12); // push STR Rx, [R14] into pipeline
562 cmddatalong[1] = jtagarm7tdmi_instr_primitive(instr, 0);
563 cmddatalong[2] = jtagarm7tdmi_nop( 0); // push nop into pipeline - fetched
564 cmddatalong[3] = jtagarm7tdmi_nop( 0); // push nop into pipeline - decoded
565 cmddatalong[4] = jtagarm7tdmi_nop( 0); // push nop into pipeline - executed
566 //retval = jtagarmtransn(ARM_INSTR_NOP, 32, LSB, END, NORETIDLE); //DEBUGGING NOT FOR RESALE!
567 retval = jtagarm7tdmi_nop( 0); // recover 32-bit word
568 cmddatalong[5] = retval;
569 cmddatalong[6] = jtagarm7tdmi_nop( 0);
570 cmddatalong[7] = jtagarm7tdmi_nop( 0);
571 cmddatalong[8] = jtagarm7tdmi_nop( 0);
575 //! Set a 32-bit Register value
576 unsigned long jtagarm7tdmi_set_register(unsigned char reg, unsigned long val) {
577 unsigned long retval = 0, instr;
578 cmddatalong[2] = jtagarm7tdmi_nop( 0); // push nop into pipeline - clean out the pipeline...
580 instr = ARM_WRITE_REG | (reg<<12); // push LDR Rx, [R14] into pipeline
581 cmddatalong[1] = jtagarm7tdmi_instr_primitive(instr, 0);
582 cmddatalong[2] = jtagarm7tdmi_nop( 0); // push nop into pipeline - fetched
583 cmddatalong[3] = jtagarm7tdmi_nop( 0); // push nop into pipeline - decoded
585 cmddatalong[4] = jtagarm7tdmi_instr_primitive(val, 0); // push 32-bit word on data bus - execute state
586 cmddatalong[5] = jtagarm7tdmi_nop( 0); // push nop into pipeline - executed
588 if (reg == ARM_REG_PC){
589 cmddatalong[6] = jtagarm7tdmi_nop( 0);
590 cmddatalong[7] = jtagarm7tdmi_nop( 0);
592 cmddatalong[8] = jtagarm7tdmi_nop( 0);
594 retval = cmddatalong[5];
600 //! Get all registers. Return an array
601 unsigned long* jtagarm7tdmi_get_registers() {
602 cmddatalong[1] = jtagarm7tdmi_instr_primitive(ARM_INSTR_SKANKREGS,0);
603 cmddatalong[2] = jtagarm7tdmi_nop( 0);
604 cmddatalong[3] = jtagarm7tdmi_nop( 0);
605 cmddatalong[4] = jtagarm7tdmi_nop( 0);
606 cmddatalong[5] = jtagarm7tdmi_nop( 0);
607 cmddatalong[6] = jtagarm7tdmi_nop( 0);
608 cmddatalong[7] = jtagarm7tdmi_nop( 0);
609 cmddatalong[8] = jtagarm7tdmi_nop( 0);
610 cmddatalong[9] = jtagarm7tdmi_nop( 0);
611 cmddatalong[10] = jtagarm7tdmi_nop( 0);
612 cmddatalong[11] = jtagarm7tdmi_nop( 0);
613 cmddatalong[12] = jtagarm7tdmi_nop( 0);
614 cmddatalong[13] = jtagarm7tdmi_nop( 0);
615 cmddatalong[14] = jtagarm7tdmi_nop( 0);
616 cmddatalong[15] = jtagarm7tdmi_nop( 0);
617 cmddatalong[16] = jtagarm7tdmi_nop( 0);
618 cmddatalong[17] = jtagarm7tdmi_nop( 0);
619 cmddatalong[18] = jtagarm7tdmi_nop( 0);
620 cmddatalong[19] = jtagarm7tdmi_nop( 0);
621 cmddatalong[20] = jtagarm7tdmi_nop( 0);
625 //! Retrieve the CPSR Register value
626 unsigned long jtagarm7tdmi_get_regCPSR() {
627 unsigned long retval = 0;
629 cmddatalong[1] = jtagarm7tdmi_nop( 0); // push nop into pipeline - clean out the pipeline...
630 cmddatalong[2] = jtagarm7tdmi_instr_primitive(ARM_INSTR_MRS_R0_CPSR, 0); // push MRS_R0, CPSR into pipeline
631 cmddatalong[3] = jtagarm7tdmi_nop( 0); // push nop into pipeline - fetched
632 cmddatalong[4] = jtagarm7tdmi_nop( 0); // push nop into pipeline - decoded
633 cmddatalong[5] = jtagarm7tdmi_nop( 0); // push nop into pipeline - executed
634 retval = jtagarm7tdmi_nop( 0); // recover 32-bit word
635 cmddatalong[6] = retval;
639 //! Retrieve the CPSR Register value
640 unsigned long jtagarm7tdmi_set_regCPSR(unsigned long val) {
641 unsigned long retval = 0;
643 cmddatalong[1] = jtagarm7tdmi_nop( 0); // push nop into pipeline - clean out the pipeline...
644 cmddatalong[1] = jtagarm7tdmi_instr_primitive(ARM_INSTR_MSR_cpsr_cxsf_R0, 0); // push MSR cpsr_cxsf, R0 into pipeline
645 cmddatalong[2] = jtagarm7tdmi_nop( 0); // push nop into pipeline - fetched
646 cmddatalong[3] = jtagarm7tdmi_nop( 0); // push nop into pipeline - decoded
648 retval = jtagarm7tdmi_instr_primitive(val, 0);// push 32-bit word on data bus
649 cmddatalong[5] = jtagarm7tdmi_nop( 0); // push nop into pipeline - executed
650 cmddatalong[4] = retval;
654 //! Write data to address - Assume TAP in run-test/idle state
655 unsigned long jtagarm7tdmi_writemem(unsigned long adr, unsigned long data){
656 unsigned long r0=0, r1=-1;
658 r0 = jtagarm7tdmi_get_register(0); // store R0 and R1
659 r1 = jtagarm7tdmi_get_register(1);
660 jtagarm7tdmi_set_register(0, adr); // write address into R0
661 jtagarm7tdmi_set_register(1, data); // write data in R1
662 jtagarm7tdmi_nop( 0); // push nop into pipeline to "clean" it ???
663 jtagarm7tdmi_nop( 1); // push nop into pipeline with BREAKPT set
664 jtagarm7tdmi_instr_primitive(ARM_INSTR_LDR_R1_r0_4, 0); // push LDR R1, R0, #4 into instruction pipeline
665 jtagarm7tdmi_nop( 0); // push nop into pipeline
666 jtagarm7tdmi_set_register(1, r1); // restore R0 and R1
667 jtagarm7tdmi_set_register(0, r0);
674 //! Read data from address
675 unsigned long jtagarm7tdmi_readmem(unsigned long adr){
676 unsigned long retval = 0;
677 unsigned long r0=0, r1=-1;
678 int waitcount = 0xfff;
680 r0 = jtagarm7tdmi_get_register(0); // store R0 and R1
681 r1 = jtagarm7tdmi_get_register(1);
682 jtagarm7tdmi_set_register(0, adr); // write address into R0
683 jtagarm7tdmi_nop( 0); // push nop into pipeline to "clean" it ???
684 jtagarm7tdmi_nop( 1); // push nop into pipeline with BREAKPT set
685 jtagarm7tdmi_instr_primitive(ARM_INSTR_LDR_R1_r0_4, 0); // push LDR R1, R0, #4 into instruction pipeline
686 jtagarm7tdmi_nop( 0); // push nop into pipeline
687 jtagarm7tdmi_restart(); // SHIFT_IR with RESTART instruction
689 // Poll the Debug Status Register for DBGACK and nMREQ to be HIGH
690 while ((jtagarm7tdmi_get_dbgstate() & 9) == 0 && waitcount > 0){
694 if (waitcount == 0xffff){
697 retval = jtagarm7tdmi_get_register(1); // read memory value from R1 register
698 jtagarm7tdmi_set_register(1, r1); // restore R0 and R1
699 jtagarm7tdmi_set_register(0, r0);
705 //! Read Program Counter
706 unsigned long jtagarm7tdmi_getpc(){
707 return jtagarm7tdmi_get_register(ARM_REG_PC);
710 //! Set Program Counter
711 unsigned long jtagarm7tdmi_setpc(unsigned long adr){
712 return jtagarm7tdmi_set_register(ARM_REG_PC, adr);
715 //! Halt CPU - returns 0xffff if the operation fails to complete within
716 unsigned long jtagarm7tdmi_haltcpu(){ // PROVEN
717 int waitcount = 0xfff;
719 // store watchpoint info? - not right now
720 eice_write(EICE_WP1ADDR, 0); // write 0 in watchpoint 1 address
721 eice_write(EICE_WP1ADDRMASK, 0xffffffff); // write 0xffffffff in watchpoint 1 address mask
722 eice_write(EICE_WP1DATA, 0); // write 0 in watchpoint 1 data
723 eice_write(EICE_WP1DATAMASK, 0xffffffff); // write 0xffffffff in watchpoint 1 data mask
724 eice_write(EICE_WP1CTRL, 0x100); //!!!!! WTF! THIS IS SUPPOSED TO BE 9 bits wide?!? // write 0x00000100 in watchpoint 1 control value register (enables watchpoint)
725 eice_write(EICE_WP1CTRLMASK, 0xfffffff7); //!!!!! WTF! THIS IS SUPPOSED TO BE 8 bits wide?!? // write 0xfffffff7 in watchpoint 1 control mask - only detect the fetch instruction
727 // poll until debug status says the cpu is in debug mode
728 while (!(jtagarm7tdmi_get_dbgstate() & 0x1) && waitcount-- > 0){
731 eice_write(EICE_WP1CTRL, 0x0); // write 0 in watchpoint 0 control value - disables watchpoint 0
733 // store the debug state
734 last_halt_debug_state = jtagarm7tdmi_get_dbgstate();
735 last_halt_pc = jtagarm7tdmi_getpc() - 4; // assume -4 for entering debug mode via watchpoint.
736 count_dbgspd_instr_since_debug = 0;
737 count_sysspd_instr_since_debug = 0;
739 // get into ARM mode if the T flag is set (Thumb mode)
740 while (jtagarm7tdmi_get_dbgstate() & JTAG_ARM7TDMI_DBG_TBIT && waitcount-- > 0) {
741 jtagarm7tdmi_setMode_ARM();
743 jtagarm7tdmi_resettap();
747 unsigned long jtagarm7tdmi_releasecpu(){
748 int waitcount = 0xfff;
750 // somehow determine what PC should be (a couple ways possible, calculations required)
751 jtagarm7tdmi_nop(0); // NOP
752 jtagarm7tdmi_nop(1); // NOP/BREAKPT
754 if (last_halt_debug_state & JTAG_ARM7TDMI_DBG_TBIT){ // FIXME: FORNICATED! BX requires register, thus more instrs... could we get away with the same instruction but +1 to offset?
755 instr = ARM_INSTR_B_PC + 0x1000001 - (count_dbgspd_instr_since_debug) - (count_sysspd_instr_since_debug*3); //FIXME: make this right - can't we just do an a7solute b/bx?
756 jtagarm7tdmi_instr_primitive(instr,0);
758 instr = ARM_INSTR_B_PC + 0x1000000 - (count_dbgspd_instr_since_debug*4) - (count_sysspd_instr_since_debug*12);
759 jtagarm7tdmi_instr_primitive(instr,0);
763 jtagarmtransn(ARM7TDMI_IR_RESTART,4,LSB,END,RETIDLE); // VERB_RESTART
765 // wait until restart-bit set in debug state register
766 while ((jtagarm7tdmi_get_dbgstate() & JTAG_ARM7TDMI_DBG_DBGACK) && waitcount > 0){
770 last_halt_debug_state = -1;
778 ///////////////////////////////////////////////////////////////////////////////////////////////////
779 //! Handles ARM7TDMI JTAG commands. Forwards others to JTAG.
780 void jtagarm7tdmihandle(unsigned char app, unsigned char verb, unsigned long len){
781 register char blocks;
783 unsigned int i,val,mlop;
786 jtagarm7tdmi_resettap();
791 cmddatalong[0] = jtagarm7tdmi_start();
792 cmddatalong[2] = jtagarm7tdmi_haltcpu();
793 //jtagarm7tdmi_resettap();
794 cmddatalong[1] = jtagarm7tdmi_get_dbgstate();
796 // DEBUG: FIXME: NOT PART OF OPERATIONAL CODE
797 //for (mlop=2;mlop<4;mlop++){
798 // jtagarm7tdmi_set_register(mlop, 0x43424140);
800 /////////////////////////////////////////////
801 txdata(app,verb,0xc);
803 case JTAGARM7TDMI_READMEM:
805 blocks=(len>4?cmddata[4]:1);
809 txhead(app,verb,len);
813 jtagarm7tdmi_resettap();
816 val=jtagarm7tdmi_readmem(at);
820 serial_tx((val&0xFF00)>>8);
825 case JTAGARM7TDMI_GET_CHIP_ID:
826 jtagarm7tdmi_resettap();
827 cmddatalong[0] = jtagarm7tdmi_idcode();
832 case JTAGARM7TDMI_WRITEMEM:
834 jtagarm7tdmi_resettap();
835 jtagarm7tdmi_writemem(cmddatalong[0],
837 cmddataword[0]=jtagarm7tdmi_readmem(cmddatalong[0]);
841 case JTAGARM7TDMI_HALTCPU:
842 cmddatalong[0] = jtagarm7tdmi_haltcpu();
845 case JTAGARM7TDMI_RELEASECPU:
846 jtagarm7tdmi_resettap();
847 cmddatalong[0] = jtagarm7tdmi_releasecpu();
850 //unimplemented functions
851 //case JTAGARM7TDMI_SETINSTRFETCH:
852 //case JTAGARM7TDMI_WRITEFLASH:
853 //case JTAGARM7TDMI_ERASEFLASH:
854 case JTAGARM7TDMI_SET_PC:
855 cmddatalong[0] = jtagarm7tdmi_setpc(cmddatalong[0]);
858 case JTAGARM7TDMI_GET_DEBUG_CTRL:
859 cmddatalong[0] = jtagarm7tdmi_get_dbgctrl();
862 case JTAGARM7TDMI_SET_DEBUG_CTRL:
863 cmddatalong[0] = jtagarm7tdmi_set_dbgctrl(cmddata[0]);
866 case JTAGARM7TDMI_GET_PC:
867 cmddatalong[0] = jtagarm7tdmi_getpc();
870 case JTAGARM7TDMI_GET_DEBUG_STATE:
871 //jtagarm7tdmi_resettap(); // Shouldn't need this, but currently do. FIXME!
872 cmddatalong[0] = jtagarm7tdmi_get_dbgstate();
875 //case JTAGARM7TDMI_GET_WATCHPOINT:
876 //case JTAGARM7TDMI_SET_WATCHPOINT:
877 case JTAGARM7TDMI_GET_REGISTER:
878 jtagarm7tdmi_resettap();
879 cmddatalong[0] = jtagarm7tdmi_get_register(cmddata[0]);
882 case JTAGARM7TDMI_SET_REGISTER:
883 jtagarm7tdmi_resettap();
884 cmddatalong[0] = cmddatalong[1];
885 jtagarm7tdmi_set_register(cmddata[0], cmddatalong[1]);
888 case JTAGARM7TDMI_GET_REGISTERS:
889 jtagarm7tdmi_resettap();
890 jtagarm7tdmi_get_registers();
893 //case JTAGARM7TDMI_SET_REGISTERS:
894 case JTAGARM7TDMI_DEBUG_INSTR:
895 jtagarm7tdmi_resettap();
896 cmddataword[0] = jtagarm7tdmi_exec(cmddataword[0], cmddataword[1], cmddata[9]);
899 //case JTAGARM7TDMI_STEP_INSTR:
900 /* case JTAGARM7TDMI_READ_CODE_MEMORY:
901 case JTAGARM7TDMI_WRITE_FLASH_PAGE:
902 case JTAGARM7TDMI_READ_FLASH_PAGE:
903 case JTAGARM7TDMI_MASS_ERASE_FLASH:
904 case JTAGARM7TDMI_PROGRAM_FLASH:
905 case JTAGARM7TDMI_LOCKCHIP:
906 case JTAGARM7TDMI_CHIP_ERASE:
908 // Really ARM specific stuff
909 case JTAGARM7TDMI_GET_CPSR:
910 jtagarm7tdmi_resettap();
911 cmddatalong[0] = jtagarm7tdmi_get_regCPSR();
914 case JTAGARM7TDMI_SET_CPSR:
915 jtagarm7tdmi_resettap();
916 cmddatalong[0] = jtagarm7tdmi_set_regCPSR(cmddatalong[0]);
919 case JTAGARM7TDMI_GET_SPSR: // FIXME: NOT CORRECT
920 jtagarm7tdmi_resettap();
921 cmddatalong[0] = jtagarm7tdmi_get_regCPSR();
924 case JTAGARM7TDMI_SET_SPSR: // FIXME: NOT CORRECT
925 jtagarm7tdmi_resettap();
926 cmddatalong[0] = jtagarm7tdmi_set_regCPSR(cmddatalong[0]);
929 case JTAGARM7TDMI_SET_MODE_THUMB:
930 case JTAGARM7TDMI_SET_MODE_ARM:
931 jtagarm7tdmi_resettap();
932 cmddataword[0] = jtagarm7tdmi_setMode_ARM();
936 case 0xD0: // loopback test
937 jtagarm7tdmi_resettap();
938 cmddatalong[0] = jtagarm7tdmi_bypass(cmddatalong[0]);
941 case 0xD8: // EICE_READ
942 jtagarm7tdmi_resettap();
943 cmddatalong[0] = eice_read(cmddatalong[0]);
946 case 0xD9: // EICE_WRITE
947 jtagarm7tdmi_resettap();
948 cmddatalong[0] = eice_write(cmddatalong[0], cmddatalong[1]);
951 case 0xDA: // TEST MSB THROUGH CHAIN0 and CHAIN1
952 jtagarm7tdmi_resettap();
953 jtagarm7tdmi_scan_intest(0);
954 cmddatalong[0] = jtagarmtransn(0x41414141, 32, LSB, NOEND, NORETIDLE);
955 cmddatalong[1] = jtagarmtransn(0x42424242, 32, MSB, NOEND, NORETIDLE);
956 cmddatalong[2] = jtagarmtransn(0x43434343, 9, MSB, NOEND, NORETIDLE);
957 cmddatalong[3] = jtagarmtransn(0x44444444, 32, MSB, NOEND, NORETIDLE);
958 cmddatalong[4] = jtagarmtransn(cmddatalong[0], 32, LSB, NOEND, NORETIDLE);
959 cmddatalong[5] = jtagarmtransn(cmddatalong[1], 32, MSB, NOEND, NORETIDLE);
960 cmddatalong[6] = jtagarmtransn(cmddatalong[2], 9, MSB, NOEND, NORETIDLE);
961 cmddatalong[7] = jtagarmtransn(cmddatalong[3], 32, MSB, END, RETIDLE);
962 jtagarm7tdmi_resettap();
963 jtagarm7tdmi_scan_intest(1);
964 cmddatalong[8] = jtagarmtransn(0x41414141, 32, MSB, NOEND, NORETIDLE);
965 cmddatalong[9] = jtagarmtransn(0x44444444, 1, MSB, NOEND, NORETIDLE);
966 cmddatalong[10] = jtagarmtransn(cmddatalong[8], 32, MSB, NOEND, NORETIDLE);
967 cmddatalong[11] = jtagarmtransn(cmddatalong[9], 1, MSB, END, RETIDLE);
968 jtagarm7tdmi_resettap();
973 jtaghandle(app,verb,len);
projects / goodfet / blob