FreeCalypso > hg > freecalypso-docs
annotate Calypso-JTAG-notes @ 23:14391ad53281
FCDEV3B-repackaging article removed for legal reasons
The idea expressed in that article, namely the idea that some party other than
Mother Mychaela could be permitted to create a derived work based on FCDEV3B
board design and have it be accepted into the FreeCalypso family, is no longer
allowed by our current stance on the matters of intellectual property,
particularly Falconia IP.
For technical content, the new FC-modem-family and Quadband-ideas articles
should fully supplant this old FCDEV3B-repackaging article.
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Wed, 23 Oct 2019 00:43:21 +0000 |
| parents | 7ba5c951803c |
| children |
| rev | line source |
|---|---|
|
18
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
1 This document describes the quirks of Calypso JTAG in an abstract, tool- |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
2 independent sense, and also covers the little bit of experience we've had with |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
3 TI's original official tools, but does not delve into OpenOCD specifics. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
4 For OpenOCD-on-Calypso custom config and instructions, please refer to the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
5 freecalyps-hwlab repository - but the present document should still be read |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
6 first. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
7 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
8 Unconventional reset structure |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
9 ============================== |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
10 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
11 The first major way in which the JTAG interface on Calypso development boards |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
12 (or more generally, what is available in the Calypso+Iota chipset) differs from |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
13 "canonical" JTAG is that this chipset does NOT have reset signals that are |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
14 anything like classic TRST or SRST. Instead there is only one bundled-with-JTAG |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
15 reset signal (we call it XDS_RESET) which is turned into Iota nTESTRESET through |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
16 a transistor circuit - please refer to the Calypso-test-reset article. Aside |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
17 from its effects on the VRPC state machine described in that article, this test |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
18 reset can be thought of as a simultaneous combination of an equivalent of TRST |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
19 (all JTAG logic is hard-reset), an equivalent of SRST (the Calypso is fully |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
20 reset and proceeds with a cold boot) and more (all hardware is reset at a very |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
21 deep level), but comparisons to classic TRST and SRST aren't really appropriate |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
22 as the latter signals simply don't exist in our chipset. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
23 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
24 However, despite its highly unconventional nature, this XDS_RESET signal |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
25 provided along with JTAG on TI's development boards performs a very important |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
26 function: this combination of JTAG and test reset allows a "reset and hold |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
27 still" maneuvre where all hardware is put into its pristine state with a very |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
28 deep reset, but the ARM7 CPU is halted before it gets a chance to execute any |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
29 instructions from the reset vector. This ability is not particularly important |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
30 on current Calypso hardware with a working and enabled boot ROM, but it was |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
31 vital on earlier platforms without this boot ROM: if the flash is blank or |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
32 contains a bad code image, or if RAM is mapped onto the boot chip select |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
33 instead of flash, allowing the ARM7 core to execute garbage out of reset is |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
34 bad, whereas having a "reset and hold still" ability allows guaranteed reliable |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
35 recovery and bootstrapping from a blank or bricked state. As explained later |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
36 in this article, this "reset and hold still" maneuvre is executed by first |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
37 giving the target a test reset pulse (which unstoppably blows away all prior hw |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
38 state), then immediately (the timing is critical) performing certain |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
39 manipulations via the JTAG scan chain - thus the bundling of the XDS_RESET |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
40 signal with JTAG is important. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
41 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
42 EMU0 and EMU1 signals |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
43 ===================== |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
44 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
45 In addition to the 4 standard JTAG signals TCK, TDI, TDO and TMS, the Calypso |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
46 provides two TI-proprietary signals called EMU0 and EMU1. (The test reset goes |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
47 to the Iota ABB, not to the Calypso.) These EMU0 and EMU1 signals are brought |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
48 out to the 14-pin JTAG connector on TI's D-Sample and E-Sample boards, and also |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
49 on our FCDEV3B. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
50 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
51 The function of these two signals is completely unknown: all we know is that |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
52 they are listed as "bidirectional in/out" in the cal000.pdf document, and that |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
53 same-named signals also exist on TI's general-purpose DSP chips, both C54x and |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
54 the newer families, where they are also very poorly documented. We don't know |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
55 what these EMU0/1 signals do on the Calypso, and it is a particular unknown |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
56 whether they are specific to the DSP part or if the ARM7 part can also make use |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
57 of them somehow. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
58 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
59 I (Mother Mychaela) previously thought that these signals might facilitate a |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
60 way to halt the ARM7 core without going through the scan chain, or a different |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
61 way to halt directly out of reset than the one we ultimately found, but a |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
62 recent experiment has shown that pulling either or both of these signals low |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
63 (they are pulled up on target boards) has absolutely no visible effect on ARM7 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
64 code execution, whether they are pulled low coming out of test reset or while |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
65 running. Thus until we recover more understanding of what is going on inside |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
66 the chip, we are going to ignore these two signals and leave them unconnected. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
67 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
68 Iota not included in the JTAG scan chain |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
69 ======================================== |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
70 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
71 In addition to the Calypso chip itself (the DBB), the Iota ABB chip also has |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
72 JTAG pins and could potentially be included in the scan chain. However, this |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
73 wiring arrangement is not typically used: both on TI's D-Sample board and on |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
74 our own FCDEV3B (based on Leonardo schematics) the JTAG interface is wired only |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
75 to the Calypso and not to Iota. The same arrangement has also been found in |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
76 all historical commercial phones and modems that provide a JTAG interface. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
77 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
78 We don't have any plans to change this arrangement in any of our future designs: |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
79 in the absence of 100% complete understanding of the internals of both chips, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
80 there is no telling what unexpected gotcha may occur if the Iota chip is |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
81 included in the same scan chain as the Calypso, hence we are not doing that. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
82 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
83 ARM7 and C54x DSP cores |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
84 ======================= |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
85 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
86 The regular JTAG scan chain inside the Calypso goes through two TAPs |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
87 corresponding to the two processor cores. The ARM7 TAP with a 4-bit IR is |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
88 closer to TDI, and the C54x DSP TAP with an 8-bit IR is closer to TDO. The |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
89 debug interface to the ARM7 core through its respective TAP is consistent with |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
90 public ARM7TDMI documentation from ARM except for one important quirk described |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
91 below, but we know absolutely nothing about the DSP TAP and its debug protocol |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
92 other than how to put it into BYPASS so we can operate on the ARM. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
93 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
94 It appears from passing references in some TI documents that they did intend to |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
95 have an ability to debug the Calypso DSP via JTAG "emulation", and TI's CCS |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
96 software working through TI's XDS510 or XDS560 hardware (the same setup that |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
97 successfully connects to the ARM7 part of the Calypso) supports C54x targets. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
98 However, we have no idea how any potential JTAG access to the DSP would interact |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
99 with its reset control coming from the ARM or with its power saving modes, and |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
100 it is very likely that there are some security mechanisms restricting debug |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
101 access to the DSP (perhaps needing some secret key to unlock it), thus being |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
102 able to debug the DSP via JTAG is not something we can realistically hope for |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
103 unless we either buy out the complete chip design from TI or physically |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
104 reverse-engineer the chip transistor by transistor, both options being equally |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
105 cost-prohibitive. At our current level of budgetary means, our ability to use |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
106 the JTAG interface on the Calypso is limited to the ARM7 part, not the DSP. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
107 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
108 Non-standard extension to the ARM7TDMI TAP |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
109 ========================================== |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
110 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
111 We know that TI made at least one non-standard extension to the ARM7TDMI TAP in |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
112 the Calypso because it implements at least one additional opcode that does not |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
113 appear in any public documentation from ARM. When connecting to this ARM7 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
114 target, TI's CCS software working through XDS510 or XDS560 hardware apparently |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
115 scans a 0xB opcode (4'b1011) through the IR, and then apparently scans 2'b10 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
116 through the 2-bit DR selected by this opcode. (I said "apparently" because so |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
117 far the only people who have actually sniffed the JTAG communications produced |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
118 by the XDS+CCS combo were OsmocomBB people, not anyone from the FreeCalypso |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
119 team, hence we don't have any authentic knowledge currently.) Experiments with |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
120 OpenOCD show that the just-described sequence of IR and DR scans with an |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
121 unknown instruction and an unknown data register is necessary in order to allow |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
122 halting the ARM7 core: if we try to halt it in the standard ARM7TDMI way (either |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
123 via DBGRQ or via a catch-all breakpoint unit setup) without doing the magic |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
124 sequence first, no halt is effected. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
125 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
126 Fortunately though, after we issue the non-understood magic sequence once, all |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
127 subsequent ARM7TDMI halt/resume manipulations done in the standard way appear |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
128 to work just fine, no more quirks. The only time when the "halt unlock" magic |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
129 sequence needs to be repeated is after a reset, which is expected. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
130 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
131 Interaction with the watchdog timer |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
132 =================================== |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
133 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
134 The Calypso chip includes a watchdog timer feature; if this watchdog timer is |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
135 enabled and allowed to expire, it effects a fairly deep reset of the chip. The |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
136 Calypso boot ROM code and most firmware designs do a step early on to disable |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
137 this watchdog, and it is not subsequently re-enabled except to effect a reboot |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
138 when so desired, but as the ARM7 core first comes out of reset and starts |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
139 executing instructions from the reset vector (whether ROM or external memory), |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
140 the watchdog timer is enabled and ticking. This watchdog timer interacts with |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
141 JTAG as follows: |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
142 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
143 1) When the ARM7 core is halted via JTAG, the watchdog timer (if enabled) is |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
144 NOT stopped or paused, but keeps ticking. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
145 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
146 2) If a watchdog reset occurs while the ARM7 core is halted, everything goes |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
147 out of whack, consistent with the note in standard ARM7TDMI documentation |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
148 which says that a reset must not be applied to the core while it is in debug |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
149 halt state. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
150 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
151 Therefore, if the ARM7 core is to be halted at a time when the watchdog timer |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
152 is enabled and ticking, the halt operation must be quickly followed by two |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
153 system bus write operations (mwh command in OpenOCD) to the WATCHDOG_TIM_MODE |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
154 register, executing the watchdog disable sequence before the timer is allowed |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
155 to expire while halted. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
156 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
157 JTAG clock speed |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
158 ================ |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
159 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
160 It is often stated that the JTAG clock speed must be no greater than 1/6 of the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
161 system clock speed when talking to ARM cores, and that JTAG access is blocked |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
162 when the core goes into a power saving mode with the clock stopped. Neither of |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
163 these constraints applies to our beloved Calypso though: the stated issues occur |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
164 in chip designs which internally synchronize JTAG signals including TCK to their |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
165 system clock, but Calypso and its predecessors don't do that, they use the hard |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
166 macrocell version of the ARM7TDMI core instead, use TCK directly to clock JTAG- |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
167 specific logic and perform "hard" clock switching for debug mode. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
168 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
169 According to the available cal000_a.pdf document, the maximum TCK frequency |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
170 supported by the Calypso is 10 MHz, which also appears to be the only TCK |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
171 frequency which TI's older XDS510 "emulator" pods can produce without hardware |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
172 modifications. This 10 MHz TCK frequency can be used no matter what frequency |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
173 is fed to Calypso's main CLKTCXO clock input or what frequency the ARM7 core is |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
174 configured to run at, and JTAG keeps working even when the main clock is |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
175 completely stopped. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
176 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
177 It is possible to halt the Calypso ARM7 core when it is in a sleep mode, even |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
178 in deep sleep: manipulation of internal scan chain 2 to set DBGRQ is a JTAG-only |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
179 operation, contained entirely in the TCK clock domain, thus it works even with |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
180 the main VCXO stopped, and the actual halt occurs on wakeup when the ARM7 core |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
181 regains its regular clock and sees the internal DBGRQ signal asserted. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
182 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
183 Halting immediately out of reset |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
184 ================================ |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
185 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
186 To me (Mother Mychaela) it always seemed evident that the Calypso and its |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
187 predecessors had to have some way to perform a "reset and hold still" maneuvre, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
188 as this capability was absolutely essential for deterministic bootstrapping and |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
189 recovery of boards before the Calypso boot ROM subsumed that function. However, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
190 the exact manipulations required to achieve this effect have remained elusive |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
191 for a long time until I found the answer in May-June of 2019. The trick is NOT |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
192 done through EMU0/1 pins like I once thought, and the method used on many other |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
193 chips involving classic TRST and SRST signals is clearly not applicable to the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
194 Calypso given its very different reset structure. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
195 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
196 The answer lies in the clocking architecture of TI GSM chipsets, involving a |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
197 VCXO that is started and stopped and a 32.768 kHz clock which is always running. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
198 When the Calypso starts its boot process in response to the ON_nOFF signal |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
199 going from low to high (in the XDS-triggered test reset scenario this event |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
200 immediately follows the release of external reset), the main VCXO is off (i.e., |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
201 it hasn't been started yet) and only the 32.768 kHz clock is running. At this |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
202 point the ARM7 core receives no clock at all (the 32.768 kHz clock is never fed |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
203 to the ARM7), and the ULPD block (the same block that handles deep sleep) goes |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
204 through the sequence of first enabling the main VCXO, then waiting for it to |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
205 stabilize. This sequence takes about 8192 cycles of the slow clock (about |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
206 250 ms), and only at the completion of this sequence the ARM7 core gets its |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
207 first clock. But during that 250 ms time window the JTAG logic is out of its |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
208 reset and functioning, and it can be operated because Calypso JTAG does not |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
209 depend on the main ARM clock which is stopped. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
210 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
211 The following sequence of steps successfully achieves the effect of resetting |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
212 the Calypso+Iota chipset and all board-level peripherals that are subservient |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
213 to it, and halting the Calypso directly at the reset vector before the first |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
214 instruction is executed: |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
215 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
216 1) Give the chipset a test reset pulse via the XDS_RESET line; the exact |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
217 required duration is not known, but my OpenOCD-based proof of concept gives |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
218 a 50 ms pulse. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
219 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
220 2) Immediately after releasing the reset or after a short delay (my PoC does a |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
221 10 ms delay), start exercising the JTAG scan chain, which has been fully |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
222 reset - it will be responsive at this point. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
223 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
224 3) Perform the "magic" IR and DR scans to enable halting ability, just like we |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
225 do when we wish to halt an already-running Calypso. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
226 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
227 4) Going through scan chain 2 inside the ARM7TDMI TAP, set the DBGRQ bit. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
228 All steps up to this one must happen before Calypso ULPD enables the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
229 VCXO-derived clock to the ARM7. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
230 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
231 5) Also going through scan chain 2, poll and wait for DBGACK to get set, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
232 indicating that the ARM7TDMI core halted - this event will happen when the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
233 core gets its first clocks. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
234 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
235 6) Once the ARM7TDMI core is halted, perform the two mwh operations to the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
236 0xFFFFF804 register (WATCHDOG_TIM_MODE) to disable the watchdog, otherwise |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
237 it will generate another internal reset and mess up the system state. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
238 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
239 We never found any built-in provision in TI's CCS (see below) or any script for |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
240 CCS that does the above, instead I (Mother Mychaela) found it on my own by |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
241 thinking about how it could possibly be done, and proved the idea working |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
242 with an OpenOCD setup presented in the freecalypso-hwlab repository. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
243 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
244 Original official TI tools |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
245 ========================== |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
246 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
247 TI's original and official tool for operating on Calypso JTAG was their Code |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
248 Composer Studio (CCS) software, working through TI's XDS510 and XDS560 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
249 "emulator" hardware. The original hardware solution was the XDS510, and I mean |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
250 the original XDS510 which was an ISA card made by TI themselves, not any of the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
251 later "XDS510-class" "emulators" made by companies acting as TI's 3rd-party |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
252 partners. The next successor to this original XDS510 was the original XDS560, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
253 also made by TI themselves and distinct from the later "XDS560-class" devices |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
254 by TI's 3rd-party partner companies. The original XDS560 is a PCI card rather |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
255 than ISA, thus a little easier to get working in 2019, and also more readily |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
256 available on ebay. Both XDS510 and XDS560 consist of a desktop PC card (ISA or |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
257 PCI) and an active pod, and the pod has a non-detachable target connection cable |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
258 coming out of it, terminating in a female connector mating with the TI-style |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
259 14-pin JTAG header. The pod connector fits perfectly to TI's original D-Sample |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
260 board, but on our FCDEV3B it fails to fit because the JTAG and dual UART headers |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
261 are too close together. Therefore, anyone who is interested in connecting TI's |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
262 original XDS510 or XDS560 to an FCDEV3B would need to get some male-to-female |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
263 jumper wires or make a custom-crimped interposer cable. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
264 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
265 The version of CCS which we found to work with these "emulator" adapters (both |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
266 XDS510 and XDS560) and with Calypso targets is this one: |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
267 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
268 ftp://ftp.freecalypso.org/pub/GSM/TI_tools/CCS/CCS_3.3.83.20_win32.zip |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
269 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
270 In order to get this CCS to work with a Calypso target, you will need to create |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
271 a "custom board" configuration in CCS setup - none of the predefined board |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
272 configs shipped with CCS will work. To create the needed "custom board" config, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
273 select your "emulator" (XDS510 or XDS560), then add an ARM7 target and a |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
274 TMS320C5400 target in this order, which is the order from TDI to TDO. With this |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
275 custom config saved, running CCS brings up what they call the Parallel Debug |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
276 Manager, which supposedly supports coordinated debugging of both ARM and DSP |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
277 cores. However, I (Mother Mychaela) have not tried connecting to the DSP part, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
278 only ARM7; another FreeCalypso community member who also got a working XDS510 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
279 setup talking to an FCDEV3B did try it, but saw what appears to be garbage. As |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
280 discussed earlier in this article, we are completely in the blind here, hence |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
281 this direction is not being seriously explored at the present. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
282 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
283 In order to play with just the ARM7 core, leaving the DSP alone, select the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
284 ARM7 target in the Open menu in Parallel Debug Manager - the main CCS debug |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
285 window will then open, and it will be specific to the ARM7 target. In my own |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
286 testing all further operations were done from the latter window and its menus. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
287 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
288 Reset with TI's tools |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
289 --------------------- |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
290 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
291 Both XDS510 and XDS560 "emulators" have only one reset output; on TI's general- |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
292 purpose DSP development boards outside of the GSM Skunkworks division this one |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
293 reset line was TRST, whereas on D-Sample and Leonardo boards (and on our |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
294 FCDEV3B) this signal is repurposed to drive Iota nTESTRESET through a clever |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
295 transistor circuit. TI's general-purpose (non-GSM) DSP chips and boards have |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
296 internal pull-downs on TRST rather than pull-ups (JTAG logic permanently held |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
297 down in reset when no "emulator" is connected), hence both XDS510 and XDS560 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
298 pods drive this signal with an active push-pull driver - which is why Calypso |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
299 development boards include the special transistor circuit rather than connect |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
300 the XDS_RESET line (as we call it) directly to internal nTESTRESET. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
301 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
302 Prior to initialization, a "cold" XDS560 pod has its reset output held low, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
303 thus the target board will be held down in test reset and will appear completely |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
304 unresponsive. To initialize the XDS560 and release it from reset, select |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
305 "Emulator Reset" from the Debug menu. For this operation to succeed, the LDO |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
306 regulators in the Iota ABB need to be turned on, putting out 2.8 V on the V-IO |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
307 rail which is used as the target voltage reference by the XDS560 pod, so you |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
308 will probably need to press either the PWON button or the RESET button on the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
309 FCDEV3B initially - and if the green LED stays off after that button press, you |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
310 know that the board is being held down in test reset by the XDS560 pod. Then |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
311 do the "Emulator Reset" operation, at which point the green LED will turn on |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
312 and the board will boot normally. From this point onward, doing a repeated |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
313 "Emulator Reset" operation causes a low-then-high pulse to be put out on the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
314 XDS_RESET line, resetting the board and once again causing it to go through a |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
315 fresh boot. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
316 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
317 Connecting to the ARM7 core and halting it |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
318 ------------------------------------------ |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
319 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
320 Once the XDS560 has been initialized and the target board has been lifted out |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
321 of test reset with the "Emulator Reset" operation, you can execute the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
322 "Connect target" operation, also in the Debug menu. This operation produces a |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
323 successful halt (I can only guess that this step is the point at which the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
324 mysterious 0xB JTAG instruction and the unknown 2-bit register scan are issued, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
325 unlocking the halting ability on this modified ARM7TDMI core), but the halt |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
326 happens at whichever point the ARM7 core happens to be in its code execution, |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
327 i.e., the generic, non-GSM-specific CCS has no knowledge of the peculiar timing |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
328 sequence that is required to achieve a halt directly out of reset on the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
329 Calypso. It is my (Mychaela's) guess that CCS probably has some scripting |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
330 ability for more advanced users, and that TI's GSM Skunkworks division used |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
331 this custom scripting mechanism to do a sequence of {Emulator reset, then |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
332 connect to target and halt, then execute two register writes to disable the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
333 watchdog} with machine rather human timing between the steps. Machine rather |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
334 than human timing is required in order to hit the 250 ms window between the |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
335 release of reset and the beginning of ARM core execution, and also to disable |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
336 the watchdog after the halt via two register writes before it goes off. |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
337 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
338 Using OpenOCD on Calypso targets |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
339 ================================ |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
340 |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
341 Building on top of the work that was done almost a decade earlier by some people |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
342 in the OsmocomBB camp (they sniffed the magic "halt unlock" sequence from an |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
343 XDS+CCS setup and gained the ability to halt an already-running Calypso with |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
344 OpenOCD, albeit without the reset magic) and adding the more in-depth |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
345 understanding provided by Mother Mychaela, we now have the ability to use |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
346 OpenOCD with a simple FT2232D adapter (instead of TI's XDS+CCS) to connect to |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
347 JTAG on TI/FC development boards, both D-Sample and FCDEV3B, gaining the power |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
348 of Free Software instead of proprietary tools. For the details, please refer |
|
7ba5c951803c
Calypso-JTAG-notes article written
Mychaela Falconia <falcon@freecalypso.org>
parents:
diff
changeset
|
349 to the freecalypso-hwlab repository. |