diff doc/Loadtool-flash-support @ 517:809829dbc58a

new flash support documented
author Mychaela Falconia <falcon@freecalypso.org>
date Sat, 01 Jun 2019 06:46:46 +0000
parents
children
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/Loadtool-flash-support	Sat Jun 01 06:46:46 2019 +0000
@@ -0,0 +1,219 @@
+fc-loadtool is our tool for reading and writing the non-volatile flash memory
+on all of our supported target devices, and the set of targets which it needs
+to support keeps growing.  Here are some of the challenges we have to deal with:
+
+* Some Calypso board designs use AMD-style flash, others use Intel-style flash.
+  Initially we only supported AMD-style flash chips that were used in our first
+  targets (Openmoko GTA02 and Pirelli DP-L10), then we got other targets that
+  have Intel-style flash.  So far we have not yet run into a case where both
+  kinds of flash can be encountered on the same target family, but our current
+  design supports this possibility.
+
+* All Calypso devices which we currently support have flash chips with non-
+  uniform sector geometries, i.e., the area that would otherwise be the first
+  or the last sector is subdivided into smaller sectors (erase units).  Both
+  "top boot" (small sectors at high addresses) and "bottom boot" (small sectors
+  at low addresses) geometries are found among our targets, as well as flashes
+  that have small sectors at both ends.  The exact sector geometry needs to be
+  known to the flash manipulation tool in order to perform correct flash erase
+  and program operations.
+
+* While most Calypso devices have a single flash chip providing a single bank
+  of flash (can be as small as 2 MiB or as big as 8 MiB), some of our targets
+  (our own FCDEV3B and the Pirelli DP-L10 phone from which the idea was copied)
+  provide two flash chip select banks of 8 MiB each.  To make the matters even
+  more complicated, all of that flash is actually a single 16 MiB chip that has
+  two chip selects instead of one, specifically designed for processors like
+  our Calypso that can only address a maximum of 8 MiB per chip select.
+
+* It is a fixed target property whether a given board is wired for only one
+  flash chip select or allows the possibility of dual-bank flash, and if a
+  second flash chip select is provided for, which Calypso chip select it is
+  wired to.
+
+Given the existence of the CFI (Common Flash Interface) standard and the fact
+that every flash chip we have encountered so far in a Calypso device does have
+a readable CFI structure, one may naively think that the most sensible way to
+support all of our possible flash configurations would be to read and parse the
+CFI structure in a device-agnostic way (i.e., without special cases for specific
+chip types) and thus support "everything".  But here are the problems with this
+simplistic approach:
+
+* On boards that have 16 MiB of flash in a Spansion S71PL129J or S71PL129N chip,
+  it makes the most sense for us to treat this big flash as two separate banks
+  of 8 MiB each - but the CFI structure describes a single 16 MiB flash chip.
+
+* AMD-style flashes with "top boot" geometries are among our repertoire of
+  devices to be supported, and they have their regions listed in the wrong order
+  in the CFI structure - one needs to look in the AMD-specific part outside of
+  the vendor-neutral geometry structure to see the true "top boot" geometry.
+
+* Intel-style flashes with independent read/write partitions such that each
+  partition has its own status register and its own "read array" vs. "read SR"
+  state require special handling in our architecture, but autoconfiguring this
+  quirk agnostically from CFI seems too difficult to me, and I wouldn't trust
+  it.
+
+Our previous architectural attempts
+===================================
+
+Initially we only supported two flash chip types, Samsung K5A32xx_T (Openmoko
+GTA02) and Spansion S71PL129N (Pirelli DP-L10) with strictly manual selection:
+-h gta02 selected one and -h pirelli selected the other via hardware parameter
+files.  There was an ID check to prevent bogosity from wrong manual selection,
+but no autodetection or autoconfiguration.  Then we added Compal target support;
+aside from Mot C155/156 which has partition quirks that were only discovered
+much later, these phones have simple Intel-style flashes without any of the CFI
+problems listed above, thus they were handled via CFI.  Thus we had a hybrid
+architecture: Openmoko, Pirelli and FCDEV3B targets were handled by way of
+manual selection and ID checks to catch errors, whereas Compal targets were
+handled by way of CFI-based autodetection and autoconfiguration.
+
+Then it was discovered that the 8 MiB Intel-style flash on the D-Sample board
+and on Mot C155/156 has partition quirks which our CFI-based autoconfiguration
+(looking at vendor-agnostic geometry bits only) could not take care of, and the
+solution was to move these targets from CFI-based autoconfiguration to the same
+kind of fixed device selection and configuration as was used for AMD flashes.
+At that point our flash handling architecture became a mess, and when I started
+questioning how to extend it further as the need arises to support more
+different flash chip types on a wide variety of Calypso targets, it became
+clear that a redesign was needed.
+
+Our current architecture
+========================
+
+In our current architecture the only flash configuration that is indicated
+statically in the hardware parameter files (selected with the -h option,
+practically meaning predefined target configurations) is board wiring
+information.  There are 3 possibilities that can be configured:
+
+flash single-4M base_addr		-- wired for 1 bank of up to 4 MiB
+flash single-8M base_addr		-- wired for 1 bank of up to 8 MiB
+flash dual-8M bank0_base bank1_base	-- wired for 2 banks of up to 8 MiB each
+
+Naturally the dual-8M configuration only makes sense for boards that are wired
+with a provision for a second flash bank, in which case the second bank base
+address will depend on the board wiring, i.e., which Calypso chip select it is.
+(Bank 0 base address will normally be 0x03000000, i.e., the alternate nCS0
+mapping that needs to be used when the boot ROM is mapped at 0.)  The choice
+between single-4M and single-8M needs to match whether or not the associated
+init script includes a "w16 fffef006 0008" command to enable ADD22.
+
+Beyond this board wiring configuration, the rest of flash support is based on a
+hard-coded table of all supported devices (a table that can grow indefinitely)
+plus autodetection amongst this supported set.  In other words, fc-loadtool will
+only operate on a given flash chip if it explicitly knows about that chip, but
+the set of supported chips can be indefinitely extended without hitting
+architectural barriers, and our autodetection logic will detect and handle any
+supported chip on any board target.
+
+Autodetection details
+=====================
+
+The flash chip autodetection operation proceeds as follows:
+
+* A sequence of writes is done to put the chip into the Read ID mode,
+  equivalent to the following hypothetical C code with base_addr being an
+  integer:
+
+  *(volatile uint16_t *)(base_addr + 0xAAA) = 0xAA;
+  *(volatile uint16_t *)(base_addr + 0x554) = 0x55;
+  *(volatile uint16_t *)(base_addr + 0xAAA) = 0x90;
+
+* 16-bit words at base_addr offsets of 0 and 2 (where the manufacturer and
+  device ID codes are expected to reside) are read, and this ID is looked up in
+  a table.  If the ID code is not known, we give up and don't allow any flash
+  operations.
+
+* For most ID codes, if we have found the code in our table, we know what device
+  we should expect.  But before we go ahead and assume that the command set and
+  the geometry are as we think based on the ID code, we also do a CFI check.
+  Specifically, we put the flash chip into CFI query mode, read a defined set
+  of word locations (can be different for each chip type), and require these
+  words to match our compiled-in table.  Thus we guard against the possibility
+  of some other flash chip having the same ID code (yes, there are known
+  instances of ID code reuse) but having a different geometry.
+
+* Some ID codes receive more complex handling.  Right now the only such case is
+  Spansion PL-J/PL-N flash.  PL129J and PL129N flashes have different geometries
+  and thus must be distinguished, but they have exactly the same ID codes and
+  can only be distinguished by CFI.  We have CFI match tables for PL129J and
+  for PL129N; we try to match the CFI bits provided by the chip against one
+  table first, and if it fails to match, we try the other.  (As an optimization,
+  we try the PL129N table first, as the N flash is the one found in real-world
+  Pirelli DP-L10 specimen and used on our FCDEV3B.)  If the CFI matches neither
+  table, we give up and don't allow any flash operations.
+
+The end effect of this logic is that we err on the side of caution: we only
+allow flash erase and program operations if we detect a flash chip which is
+fully known to us and fully matches our expectations, with both the ID codes
+and the CFI structure being as we expect.
+
+Adding support for new flash chip types
+=======================================
+
+All supported flash devices are listed in the fldevs.c source module; new
+devices that differ in geometry, command set or quirks need to be added there.
+The description of each flash device in fldevs.c also includes the CFI table
+that needs to matched to confirm the device in question.  A different module
+named flashid.c contains the autodetection function and the table of device ID
+codes; the latter table always needs to be extended, sometimes adding an
+entirely new device, othertimes adding a newly found ID code for some flash
+chip that is fully equivalent to an already supported one in terms of geometry,
+command set and relevant quirks.
+
+What do you do if you are an end user (not a FreeCalypso developer) and you got
+a Calypso device whose flash chip is not being recognized by fc-loadtool?
+Answer: you send the output of the "flash id" command (contains ID codes) and a
+dump of the CFI structure to Mother Mychaela for analysis.  To make a dump of
+the CFI structure, execute the following commands:
+
+loadtool> w16 030000aa 98
+loadtool> dump2bin 03000000 200 cfidump.bin
+
+Handling of dual-bank 16 MiB flash chips
+========================================
+
+The Calypso can only address a maximum of 8 MiB per chip select, thus 16 MiB or
+larger flash chips with a single chip select cannot be used in Calypso board
+designs.  However, there are some special 16 MiB flash chips that present
+themselves as two banks of 8 MiB each (even though the CFI structure describes
+a single 16 MiB chip), and such flash chips are used on the Pirelli DP-L10 and
+on our own FCDEV3B.
+
+The flash handling architecture of fc-loadtool allows two banks to be configured
+via a flash dual-8M setting in the hardware parameter file, and when that
+configuration is used (-h fcfam and -h pirelli), the two banks are treated as
+being entirely independent.  All regular flash commands operate only on the main
+bank, and a parallel set of flash2 commands operates on the secondary bank.
+The autodetection logic and the resulting configuration are done independently
+on each flash bank when it is first accessed, thus fc-loadtool would happily
+handle two separate flash chips of different types, even though such arrangement
+is not expected to occur in any Calypso device.  But when a PL129J or PL129N
+device is detected (the two dual-bank devices we currently support) on the
+autodetection probe of either bank, the operating geometry is configured
+appropriately based on which bank it is.
+
+Primary flash bank mapping at 0x03000000
+========================================
+
+When loadagent runs on the Calypso target controlled by fc-loadtool, the Calypso
+boot ROM will usually be mapped at 0, thus the alternate nCS0 mapping at
+0x03000000 needs to be used for flash access.  However, the Calypso chip (all
+versions we work with) has a little design bug in this part of the silicon:
+this alternate nCS0 mapping at 0x03000000 works only when the debug visibility
+bit in the API-RHEA control register (bit 6 in the FFFF:FB0E register) is set,
+and does not work otherwise.  This bit is initially set as the Calypso comes
+out of reset, and on most platforms we gain loadtool access via the boot ROM,
+hence the problem does not occur - but on Compal targets we gain loadtool
+access either through Compal's bootloader or via tfc139, and in both cases
+Compal's fw (either the full fw or the bootloader part) has already set the
+register in question to the runtime operational value of 0x2A (unchanged from
+TI's TCS211 reference fw), with the debug visibility bit cleared, hence the
+0x03000000 flash mapping no longer works.
+
+There are two possible solutions: we can write into the FFFF:FB10 register to
+disable the boot ROM and use the "regular" flash mapping at 0, which is what we
+used to do, or we can write into the FFFF:FB0E register and re-enable the debug
+visibility mode.  Right now we do the latter, allowing us to use the same
+0x03000000 flash mapping on all targets for consistency.