GoodFETCCSPI added sniffdisect verb that tries to load dot15d4 scapy library to use...
[goodfet] / client / GoodFETAT91X40.py
1 from GoodFETARM7 import *
2 import ATMEL_USART as usart
3 """
4 This is the ARM7 series of microcontrollers from Atmel, including:
5 * AT91M40800
6 * AT91R40807
7 * AT91M40807
8 * AT91R40008
9
10 """
11 ##### FLASH UPLOADER CODE
12 EBI_BASE =       0xFFE00000
13 EBI_OFF_CSR0 =   0x0
14 EBI_OFF_CSR1 =   0x4
15 EBI_OFF_CSR2 =   0x8
16 EBI_OFF_CSR3 =   0xc
17 EBI_OFF_CSR4 =   0x10
18 EBI_OFF_CSR5 =   0x14
19 EBI_OFF_CSR6 =   0x18
20 EBI_OFF_CSR7 =   0x1c
21 EBI_CSR0_MASK =  0xFFFF0000
22 EBI_OFF_RCR =    0x20
23 EBI_OFF_MCR =    0x24
24
25 EBI_CSR0 =      EBI_BASE + EBI_OFF_CSR0
26 EBI_CSR1 =      EBI_BASE + EBI_OFF_CSR1
27 EBI_CSR2 =      EBI_BASE + EBI_OFF_CSR2
28 EBI_CSR3 =      EBI_BASE + EBI_OFF_CSR3
29 EBI_CSR4 =      EBI_BASE + EBI_OFF_CSR4
30 EBI_CSR5 =      EBI_BASE + EBI_OFF_CSR5
31 EBI_CSR6 =      EBI_BASE + EBI_OFF_CSR6
32 EBI_CSR7 =      EBI_BASE + EBI_OFF_CSR7
33 EBI_MCR =       EBI_BASE + EBI_OFF_MCR
34
35 REMAP_CMD =      0x00000001
36 MEM_CTRL_VAL =   0x00000006
37
38
39 SF_CHIP_ID =     0xFFF00000         # AT91R40 series, not sure on others
40 SF_CIDR_MASK =   0x0FFFFF00
41
42 PS_BASE =        0xFFFF4000
43 PS_CR =          PS_BASE
44 PS_PCER =        PS_BASE + 0x4
45 PS_PCDR =        PS_BASE + 0x8
46 PS_PCSR =        PS_BASE + 0xC
47 PS_US0 =         1<<2
48 PS_US1 =         1<<3
49 PS_TC0 =         1<<4
50 PS_TC1 =         1<<5
51 PS_TC2 =         1<<6
52 PS_PIO =         1<<8
53
54 AIC_INT_SOURCES = (
55         ("FIQ","Fast Interrupt"),
56         ("SWIRQ","Software Interrupt"),
57         ("US0IRQ","USART Channel 0 Interrupt"),
58         ("US1IRQ","USART Channel 1 Interrupt"),
59         ("TC0IRQ","Timer Channel 0 Interrupt"),
60         ("TC1IRQ","Timer Channel 1 Interrupt"),
61         ("TC2IRQ","Timer Channel 2 Interrupt"),
62         ("WDIRQ", "Watchdog Interrupt"),
63         ("PIOIRQ","Parallel I/O Controller Interrupt"),
64         (None,None),
65         (None,None),
66         (None,None),
67         (None,None),
68         (None,None),
69         (None,None),
70         (None,None),
71         ("IRQ0","External Interrupt 0"),
72         ("IRQ1","External Interrupt 0"),
73         ("IRQ0","External Interrupt 0"),
74         (None,None),
75         (None,None),
76         (None,None),
77         (None,None),
78         (None,None),
79         (None,None),
80         (None,None),
81         (None,None),
82         (None,None),
83         (None,None),
84         (None,None),
85         (None,None),
86         (None,None),
87         )
88
89 def aic_smr_decode(smr):
90     output = ["Interrupt Priority: %s"%(smr&7),
91             "Interrupt Source Type: %s"%("Low Level Sensitive","Negative Edge Triggered","High Level Sensitive","Positive Edge Triggered")[(smr>>5)],
92             ]
93     return "\n".join(output)
94
95 AIC_BASE = 0xFFFFF000
96 AIC_SMR = [(AIC_BASE+(x*4), "Source Mode Register %d"%x)  for x in xrange(32)]
97 AIC_SVR = [(AIC_BASE+0x80+(x*4), "Source Vector Register %d"%x)  for x in xrange(32)]
98 AIC_IVR = AIC_BASE + 0x100
99 AIC_FVR = AIC_BASE + 0x104
100 AIC_ISR = AIC_BASE + 0x108
101 AIC_IPR = AIC_BASE + 0x10c
102 AIC_IMR = AIC_BASE + 0x110
103 AIC_CISR = AIC_BASE + 0x114
104 AIC_IECR = AIC_BASE + 0x120
105 AIC_IDCR = AIC_BASE + 0x124
106 AIC_ICCR = AIC_BASE + 0x128
107 AIC_ISCR = AIC_BASE + 0x12c
108 AIC_EOICR = AIC_BASE + 0x130
109 AIC_SPU = AIC_BASE + 0x134
110
111
112 PIO_BASE = 0xFFFF0000
113 PIO_PER =   PIO_BASE + 0x0
114 PIO_PDR =   PIO_BASE + 0x4
115 PIO_PSR =   PIO_BASE + 0x8
116 PIO_OER =   PIO_BASE + 0x10
117 PIO_ODR =   PIO_BASE + 0x14
118 PIO_OSR =   PIO_BASE + 0x18
119 PIO_SODR =  PIO_BASE + 0x30
120 PIO_CODR =  PIO_BASE + 0x34
121 PIO_ODSR =  PIO_BASE + 0x38
122 PIO_CDSR =  PIO_BASE + 0x3c
123 PIO_IER =   PIO_BASE + 0x40
124 PIO_IDR =   PIO_BASE + 0x44
125 PIO_IMR =   PIO_BASE + 0x48
126 PIO_ISR =   PIO_BASE + 0x4c
127
128 WD_BASE = 0xFFFF8000
129 WD_OMR  =   WD_BASE + 0x0
130 WD_CMR  =   WD_BASE + 0x4
131 WD_CR   =   WD_BASE + 0x8
132 WD_SR   =   WD_BASE + 0xc
133
134 SF_BASE = 0xFFF00000
135 SF_CIDR =   SF_BASE + 0x0
136 SF_EXID =   SF_BASE + 0x4
137 SF_RSR =    SF_BASE + 0x8
138 SF_MMR =    SF_BASE + 0xC
139 SF_PMR =    SF_BASE + 0x18
140
141 #* Flash
142 FLASH_BASE_ADDR =    0x1000000
143 WAIT =               300000
144 FLASH_CODE_MASK =    0x000000FF
145
146 #*Flash AT49 codes
147 ATMEL_MANUFACTURED =         0x001F
148 FLASH_AT49BV_UNKNOW =        0xFFFF
149 FLASH_AT49BV8011 =           0x00CB
150 FLASH_AT49BV8011T =          0x004A
151 FLASH_AT49BV16x4 =           0x00C0
152 FLASH_AT49BV16x4T =          0x00C2
153
154 #*Flash AT29 codes
155 FLASH_AT29LV1024 =               0X26
156 FLASH_AT29C020 =                 0XDA
157
158 #* Flash Program information
159 FLASH_PRG_SIZE =     0x800   #* 2Kbytes
160 FLASH_PRG_DEST =     0x20    #* Address on the target
161 START_PRG =          0x20
162
163 #* Parameter for Flash_XV_Send_Data functions
164 ERASE =  1
165 PROGRAM =0
166
167 MIRROR =     1
168 NO_MIRROR =  0
169
170 ERASE_DATA = 0
171
172 #* Load program parameters
173 NB_REG =     13
174 SIZE_DATA =  4
175
176 #* Flash LV Send Data parameters
177 SIZE_256_BYTES = 0x100
178 PACKET_SIZE =64
179
180 NB_PRG =     3
181
182 #* Periph
183 EBI =    0
184 PLL =    1
185
186 #* Targets
187 EB40 =   0x04080700
188 EB40A =  0x04000800
189 EB42 =   0x04280000
190 EB55 =   0x05580000
191 EB63 =   0x06320000
192 EBMASK = 0x0fffff00
193
194 NB_TARGET_SUPPORTED =    6
195
196 #* Flash type
197 FLASH_LV =   0
198 FLASH_BV =   1
199
200 #* Flash Program Address 
201 FLASH_LV_PRG =   0x01018000
202 FLASH_BV_PRG =   0x0101A000
203
204 EBI_READ    = 4
205 EBI_WRITE   = 2
206
207 ebi_memory_map_items = {
208         EBI_OFF_CSR0:("Chip Select Register 0", "EBI_CSR0", EBI_READ|EBI_WRITE,0x0000203e),
209         EBI_OFF_CSR1:("Chip Select Register 1", "EBI_CSR1", EBI_READ|EBI_WRITE,0x10000000),
210         EBI_OFF_CSR2:("Chip Select Register 2", "EBI_CSR2", EBI_READ|EBI_WRITE,0x20000000),
211         EBI_OFF_CSR3:("Chip Select Register 3", "EBI_CSR3", EBI_READ|EBI_WRITE,0x30000000),
212         EBI_OFF_CSR4:("Chip Select Register 4", "EBI_CSR4", EBI_READ|EBI_WRITE,0x40000000),
213         EBI_OFF_CSR5:("Chip Select Register 5", "EBI_CSR5", EBI_READ|EBI_WRITE,0x50000000),
214         EBI_OFF_CSR6:("Chip Select Register 6", "EBI_CSR6", EBI_READ|EBI_WRITE,0x60000000),
215         EBI_OFF_CSR7:("Chip Select Register 7", "EBI_CSR7", EBI_READ|EBI_WRITE,0x70000000),
216         EBI_OFF_MCR: ("Memory Control Register","EBI_MCR",  EBI_READ|EBI_WRITE,0),
217         }
218
219 def ebi_csr_decode(reg):
220     addr = reg>>20
221     csen = (reg>>13)&1
222     bat =  (reg>>12)&1
223     tdf =  (reg>>9)&7
224     pages =(reg>>7)&3
225     wse =  (reg>>5)&1
226     nws =  (reg>>2)&7
227     dbw =  (reg&3)
228     output = ["(register: %x)"%reg,
229             "Base Address: %s"%hex(addr<<20),
230             "Chip Select: %s"%("False","True")[csen],
231             "Byte Access Type: %s"%("Byte-Write","Byte-Access")[bat],
232             "Data Float Output Time: %d cycles added"%tdf,
233             "Page Size: %d MB"%(1,4,16,64)[pages],
234             "Wait State: %s"%("disabled","enabled")[wse],
235             "Wait States: %d"%nws,
236             "Data Bus Size: %d bits"%(0,16,8,0)[dbw],
237             ]
238     return "\n".join(output)
239
240 mcr_ale = {
241         0: ("A20,A21,A22,A23", 16, "None", "EBI_ALE_16M"),
242         1: ("A20,A21,A22,A23", 16, "None", "EBI_ALE_16M"),
243         2: ("A20,A21,A22,A23", 16, "None", "EBI_ALE_16M"),
244         3: ("A20,A21,A22,A23", 16, "None", "EBI_ALE_16M"),
245         4: ("A20,A21,A22", 8, "CS4", "EBI_ALE_8M"),
246         5: ("A20,A21", 4, "CS4,CS5", "EBI_ALE_4M"),
247         6: ("A20", 2, "CS4,CS5,CS6", "EBI_ALE_2M"),
248         7: ("None", 1, "CS4,CS5,CS6,CS7", "EBI_ALE_1M"),
249         }
250
251 def mcr_decode(mcr):
252     validAddrBits,maxAddrSpace,validCS,codeLabel = mcr_ale[mcr&7]
253     drp = mcr>>4
254     output = ["Valid Address Bits: %s"%validAddrBits,
255             "Maximum Address Space: %xMB"%maxAddrSpace,
256             "Valid Chip Select: %s"%validCS,
257             "Code Label:  %s"%codeLabel,
258             ("Standard Read Protocol for all external memory devices enabled (EBI_DRP_STANDARD)","Early Read Protocol for all external memory devices enabled (EBI_DRP_EARLY)")[drp]
259             ]
260     return "\n".join(output)
261
262 def wd_omr_decode(omr):
263     return "\n".join(["External Signal: %s"%("disabled","enabled")[(omr>>3)&1],
264             "External Signal: %s"%("disabled","enabled")[(omr>>3)&1],
265             "Interrupt: %s"%("disabled","enabled")[(omr>>2)&1],
266             "Reset: %s"%("disabled","enabled")[(omr>>1)&1],
267             "Watch Dog: %s"%("disabled","enabled")[(omr)&1],
268             ])
269 def wd_cmr_decode(cmr):
270     return "MCK/%d"%(8,32,128,1024)[(cmr>>2)&0xf]
271
272
273
274
275
276 class GoodFETAT91X40(GoodFETARM):
277     def __init__(self):
278         GoodFETARM.__init__(self)
279         self.usart0 = usart.USART(usart.USART0_BASE)
280         self.usart1 = usart.USART(usart.USART1_BASE)
281     def getChipSelectReg(self, chipnum):
282         addr = EBI_BASE + (chipnum*4)
283         reg, = self.ARMreadChunk(addr,1)
284         return reg
285     def getChipSelectRegstr(self, chipnum):
286         return ebi_csr_decode(self.getChipSelectReg(chipnum))
287     def setChipSelectReg(self, chipnum, value):
288         addr = EBI_BASE + (chipnum*4)
289         self.ARMwriteChunk(addr,[value])
290
291     def getEBIMemoryMap(self):
292         keys = ebi_memory_map_items.keys()
293         keys.sort()
294         output = [ "EBI Memory Map"]
295         for x in xrange(8):
296             desc,name,rw,default = ebi_memory_map_items[x*4]
297             output.append("\nMAP: %s (%s) - default: %x\n%s"%(name,desc,default,self.getChipSelectRegstr(x)))
298         return "\n".join(output)
299     def setRemap(self):
300         self.ARMwriteChunk(EBI_BASE + EBI_OFF_RCR,[REMAP_CMD])
301     def getMemoryControlRegister(self):
302         mcr, = self.ARMreadMem(EBI_MCR)
303         return mcr
304     def getMemoryControlRegisterstr(self):
305         return mcr_decode(self.getMemoryControlRegister())
306
307     def getInterruptSourceModeReg(self, regnum):
308         regval = self.ARMreadMem(AIC_SMR[regnum][0])
309         return retval
310     def getInterruptSourceModeRegstr(self, regnum):
311         return aic_smr_decode(self.getInterruptSourceModeReg(regnum))
312     def setInterruptSourceModeReg(self, regnum, val):
313         self.ARMwriteMem(AIC_SMR[regnum][0], val)
314
315     def getInterruptSourceVectorReg(self, regnum):
316         regval = self.ARMreadMem(AIC_SVR[regnum][0])
317         return retval
318     def setInterruptSourceModeReg(self, regnum, val):
319         self.ARMwriteMem(AIC_SVR[regnum][0], val)
320
321     def getIRQVectorReg(self):
322         return self.ARMreadMem(AIC_IVR)
323     def getFIQVectorReg(self):
324         return self.ARMreadMem(AIC_FVR)
325
326     def getInterruptStatusReg(self):
327         return self.ARMreadMem(AIC_ISR)
328     def getInterruptPendingReg(self):
329         return self.ARMreadMem(AIC_FSR)
330     def getInterruptMaskReg(self):
331         return self.ARMreadMem(AIC_IMR)
332     def getCoreInterruptStatusReg(self):
333         return self.ARMreadMem(AIC_CISR)
334     def enableInterrupt(self, interrupt):
335         self.ARMwriteMem(AIC_IECR, 1<<interrupt)
336     def disableInterrupt(self, interrupt):
337         self.ARMwriteMem(AIC_IDCR, 1<<interrupt)
338     def setInterruptCommandReg(self, interrupt):
339         self.ARMwriteMem(AIC_ISCR, 1<<interrupt)
340     def clearInterruptCommandReg(self, interrupt):
341         self.ARMwriteMem(AIC_ICCR, 1<<interrupt)
342     def clearCurrentInterrupt(self):
343         self.ARMwriteMem(AIC_EOICR, 1<<interrupt)
344     def getSpuriousVectorReg(self):
345         return self.ARMreadMem(AIC_SPU)
346     def setSpuriousVectorReg(self, val):
347         return self.ARMreadMem(AIC_SPU)
348
349     def enablePIOpin(self, mask):
350         self.ARMwriteMem(PIO_PER, mask)
351     def disablePIOpin(self, mask):
352         self.ARMwriteMem(PIO_PDR, mask)
353     def getPIOstatus(self):
354         return self.ARMreadMem(PIO_PSR)
355     def enablePIOoutput(self,mask):
356         self.ARMwriteMem(PIO_OER, mask)
357     def disablePIOoutput(self,mask):
358         self.ARMwriteMem(PIO_ODR, mask)
359     def getPIOoutputStatus(self):
360         return self.ARMreadMem(PIO_OSR)
361
362     def setOutputPin(self,mask):
363         self.ARMwriteMem(PIO_SODR, mask)
364     def clearOutputPin(self,mask):
365         self.ARMwriteMem(PIO_CODR, mask)
366     def getOutputDataStatusReg(self):
367         return self.ARMreadMem(PIO_ODSR)
368     def getPinDataStatusReg(self):
369         return self.ARMreadMem(PIO_PDSR)
370     def enablePIOinterrupt(self, mask):
371         self.ARMwriteMem(PIO_IER, mask)
372     def disablePIOinterrupt(self, mask):
373         self.ARMwriteMem(PIO_IDR, mask)
374     def getPIOinterruptMaskReg(self):
375         return self.ARMreadMem(PIO_IMR)
376     def getPIOinteruptStatusReg(self):
377         return self.ARMreadMem(PIO_ODSR)
378
379
380     def getWatchDogOverflowModeReg(self):
381         return self.ARMreadMem(WD_OMR)
382     def getWatchDogOverflowModeStr(self):
383         return wd_omr_decode(self.getWatchDogOverflowModeReg())
384     def setWatchDogOverflowModeReg(self, mode=0x2340):
385         self.ARMwriteMem(WD_OMR, mode)
386     def getWatchDogClockModeReg(self):
387         return self.ARMreadMem(WD_CMR)
388     def setWatchDogClockModeReg(self, mode=0x06e):
389         self.ARMwriteMem(WD_CMR, mode)
390     def setWatchDogControlReg(self, mode=0xC071):
391         self.ARMwriteMem(WD_CR, mode)
392     def getWatchDogStatusReg(self):
393         return self.ARMreadMem(WD_SR)
394
395     def getChipID(self):
396         chipid = self.ARMreadMem(SF_CIDR,1)
397         return chipid[0]
398     def getResetStatusReg(self):
399         return self.ARMreadMem(SF_RSR)
400     def getMemoryModeReg(self):
401         return self.ARMreadMem(SF_MMR)
402     def setMemoryModeReg(self, val=0):
403         self.ARMwriteMem(SF_MMR, val)
404     def getProtectModeReg(self):
405         return self.ARMreadMem(SF_PMR)
406     def setProtectModeReg(self, val=0x27a80000):
407         self.ARMwriteMem(SF_PMR, val)
408
409
410
411
412
413
414
415     def ARMwriteFirmware(self, firmware):
416         self.halt()
417         chipid = self.ARMgetChipID()
418         # FIXME: initialize PLL or EBI
419         self.ARMmassErase(chipid)
420         self.ARMset_regCPSR(PM_svc)   # set supervisor mode
421         # FIXME: download the "flash identifier" program into target RAM
422         self.ARMsetPC(PROGGYBASE)
423         self.release()
424         # get manufacturer crap through DCC (really??  screw this...)
425         self.halt()
426         if (self.ARMget_regCPSR() & PM_svc != PM_svc):
427             raise Exception("No longer in Supervisor mode after firmware upload")
428         # FIXME: download the downloader program into target RAM
429         self.ARMsetPC(PROGGYBASE)
430         self.release()
431         # FIXME: use DCC to upload the new firmware
432
433     def clearFlash(self):
434         pass
435
436     def readPages(self, addr, pagecount, pagesz=(1024*1024)):
437         global pages;
438         pages = []
439         for page in xrange(pagecount):
440             pages.append(self.ARMreadChunk(addr+(pagesz*page), pagesz))
441         return pages
442