Another note (to myself): my files for this are in /u1/Projects/OpenOCD.
Part 1 gave a general introduction to OpenOCD, along with mixed results using Versaloon as a JTAG adapter. I spent a day building a cable adapter for my Segger J-link clone that allows me to connect its 20 pin cable to the 14 pin JTAG connector on my Ebaz board with a Xilinx Zynq chip.
Just launching OpenOCD, I see these messages:
Warn : An adapter speed is not selected in the init scripts. OpenOCD will try to run the adapter at the low speed (100 kHz)
Warn : To remove this warnings and achieve reasonable communication speed with the target, set "adapter speed" or "jtag_rclk" in the init scripts.
Info : J-Link ARM V8 compiled Nov 28 2014 13:44:46
Info : Hardware version: 8.00
Info : VTarget = 3.338 V
Info : clock speed 100 kHz
Warn : There are no enabled taps. AUTO PROBING MIGHT NOT WORK!!
Info : JTAG tap: auto0.tap tap/device found: 0x13722093 (mfg: 0x049 (Xilinx), part: 0x3722, ver: 0x1)
Info : JTAG tap: auto1.tap tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x4)
Warn : AUTO auto0.tap - use "jtag newtap auto0 tap -irlen 2 -expected-id 0x13722093"
Warn : AUTO auto1.tap - use "jtag newtap auto1 tap -irlen 2 -expected-id 0x4ba00477"

So, OpenOCD detects two JTAG TAPs: one from Xilinx (probably the FPGA or PL part of the Zynq) and another from ARM (probably the dual-core ARM processor).
Among the files in /usr/share/openocd I found /usr/share/openocd/scripts/target/zynq_7000.cfg. I made a copy of this, commenting out the portions related to the FPGA (PL) part of the Zynq chip leaving me with this:
jtag newtap zynq_pl bs -irlen 6 -ircapture 0x1 -irmask 0x03 \
    -expected-id 0x23727093 \
    -expected-id 0x13722093 \
    -expected-id 0x03727093 \
    -expected-id 0x03736093

jtag newtap zynq cpu -irlen 4 -ircapture 0x1 -irmask 0xf -expected-id 0x4ba00477

dap create zynq.dap -chain-position zynq.cpu

target create zynq.cpu0 cortex_a -dap zynq.dap \
    -coreid 0 -dbgbase 0x80090000
target create zynq.cpu1 cortex_a -dap zynq.dap \
    -coreid 1 -dbgbase 0x80092000

Then I type this command:
openocd -f /usr/share/openocd/scripts/interface/jlink.cfg -c "transport select jtag" -f z1.cfg

Open On-Chip Debugger 0.12.0
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Warn : An adapter speed is not selected in the init scripts. OpenOCD will try to run the adapter at the low speed (100 kHz)
Warn : To remove this warnings and achieve reasonable communication speed with the target, set "adapter speed" or "jtag_rclk" in the init scripts.
Info : J-Link ARM V8 compiled Nov 28 2014 13:44:46
Info : Hardware version: 8.00
Info : VTarget = 3.338 V
Info : clock speed 100 kHz
Info : JTAG tap: zynq_pl.bs tap/device found: 0x13722093 (mfg: 0x049 (Xilinx), part: 0x3722, ver: 0x1)
Info : JTAG tap: zynq.cpu tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x4)
Info : zynq.cpu0: hardware has 6 breakpoints, 4 watchpoints
Info : zynq.cpu1: hardware has 6 breakpoints, 4 watchpoints
Info : starting gdb server for zynq.cpu0 on 3333
Info : Listening on port 3333 for gdb connections
Info : starting gdb server for zynq.cpu1 on 3334
Info : Listening on port 3334 for gdb connections

This is real progress. I am not sure whether my previous difficulties were related to bugs in Versaloon or whether I had somehow gotten the Zynq into a bad mood by giving "newtap" commands out of order, but this gives us the results we are looking for. I'll also note that we can stop and then restart openocd without confusion. The thing to do now is to take some time to inspect what we have done in some detail.
For the time being, I intend to ignore the TAP for the FPGA (PL). But it is important to configure it via a newtap command (and in the proper order) or things will get confused. There is plenty more about all of this in Section 10 of the OpenOCD manual.
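As an added example (my own code, not from the post or from OpenOCD), here is a small Python helper that decodes the IDCODEs from OpenOCD's auto-probe output, checks them against the expected-id lists from the zynq_7000.cfg excerpt, and emits the matching "jtag newtap" lines in the order the probe reported them, which is the order the cfg above uses. The probe log it parses is constructed from the two "tap/device found" lines shown earlier.

```python
import re

# Constructed sample: the two "tap/device found" lines from the auto-probe run above.
PROBE_LOG = """\
Info : JTAG tap: auto0.tap tap/device found: 0x13722093 (mfg: 0x049 (Xilinx), part: 0x3722, ver: 0x1)
Info : JTAG tap: auto1.tap tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x4)
"""

# Expected IDs copied from the zynq_7000.cfg excerpt: PL boundary-scan TAP, then ARM DAP TAP.
EXPECTED = [
    ("zynq_pl bs -irlen 6 -ircapture 0x1 -irmask 0x03",
     (0x23727093, 0x13722093, 0x03727093, 0x03736093)),
    ("zynq cpu -irlen 4 -ircapture 0x1 -irmask 0xf", (0x4ba00477,)),
]

TAP_RE = re.compile(r"tap/device found: (0x[0-9a-fA-F]{8})")


def decode_idcode(idcode):
    """Split an IEEE 1149.1 IDCODE into (version, part, manufacturer).

    Bit 0 is always 1, bits 11:1 hold the JEDEC manufacturer code,
    bits 27:12 the part number and bits 31:28 the version."""
    if not idcode & 1:
        raise ValueError("not a valid IDCODE (bit 0 clear): 0x%08x" % idcode)
    return (idcode >> 28) & 0xF, (idcode >> 12) & 0xFFFF, (idcode >> 1) & 0x7FF


def parse_probe_log(text):
    """Return the probed IDCODEs in the order OpenOCD reported them."""
    return [int(m, 16) for m in TAP_RE.findall(text)]


def matches(idcode, expected, ignore_version=False):
    """Compare against an -expected-id list; ignore_version mimics newtap's -ignore-version."""
    mask = 0x0FFFFFFF if ignore_version else 0xFFFFFFFF
    return any((idcode & mask) == (e & mask) for e in expected)


def newtap_commands(text, ignore_version=False):
    """Turn the probe log into 'jtag newtap' lines, one per TAP, in probe order.

    A probed IDCODE that matches none of the expected lists raises, so a part
    that does not belong on this chain is caught before the config is used."""
    cmds = []
    for idcode in parse_probe_log(text):
        ver, part, mfg = decode_idcode(idcode)
        for spec, expected in EXPECTED:
            if matches(idcode, expected, ignore_version):
                cmds.append("jtag newtap %s -expected-id 0x%08x" % (spec, idcode))
                break
        else:
            raise ValueError("unexpected TAP 0x%08x (mfg 0x%03x, part 0x%04x, ver %d)"
                             % (idcode, mfg, part, ver))
    return cmds


if __name__ == "__main__":
    print("\n".join(newtap_commands(PROBE_LOG)))
```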
The important and exciting thing for our purposes is that we have a TAP configured for the ARM processor pair, with the name "zynq.cpu".
The next line creates a DAP (debug access port) on that TAP:

dap create zynq.dap -chain-position zynq.cpu

The main point of a DAP is to then define debug targets, which are what GDB will be looking for.
target create zynq.cpu0 cortex_a -dap zynq.dap -coreid 0 -dbgbase 0x80090000
target create zynq.cpu1 cortex_a -dap zynq.dap -coreid 1 -dbgbase 0x80092000

Where do the "dbgbase" values come from? At this point, who knows?
> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  zynq.cpu0          cortex_a   little zynq.cpu           running
 1* zynq.cpu1          cortex_a   little zynq.cpu           running

And there are our two cores. The type (cortex_a) indicates an ARMv7-A core with an MMU. The asterisk next to core 1 indicates that it is the current target, and this is probably not what we want. There is a "target" command with a multitude of options.
> targets zynq.cpu0
> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0* zynq.cpu0          cortex_a   little zynq.cpu           running
 1  zynq.cpu1          cortex_a   little zynq.cpu           running
> halt
DSCR_DTR_RX_FULL, dscr 0x4b08e003
zynq.cpu0: MPIDR level2 0, cluster 0, core 0, multi core, no SMT
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x00030093 pc: 0xc0116288
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0* zynq.cpu0          cortex_a   little zynq.cpu           halted
 1  zynq.cpu1          cortex_a   little zynq.cpu           running
> resume

Note that this only halts core 0 (the current target). Once we type "resume" we are back to running linux as though nothing ever happened.
I reboot linux, then type "d" to get to the U-boot prompt. I can type "targets 1" to switch to core 1. It scolds me, but does what I want.
> targets 1
use 'zynq.cpu1' as target identifier, not '1'
> targets
    TargetName         Type       Endian TapName            State
--  ------------------ ---------- ------ ------------------ ------------
 0  zynq.cpu0          cortex_a   little zynq.cpu           running
 1* zynq.cpu1          cortex_a   little zynq.cpu           running
> halt
zynq.cpu1: MPIDR level2 0, cluster 0, core 1, multi core, no SMT
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x000001d3 pc: 0xffffff34
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> arm disassemble 0xffffff00 64
0xffffff00 0004 f800 .byte 0x04, 0x00, 0x00, 0xf8
0xffffff04 767b 0000 andeq r7, r0, fp, ror r6
0xffffff08 0000 0000 andeq r0, r0, r0
0xffffff0c 0000 0000 andeq r0, r0, r0
0xffffff10 0000 0000 andeq r0, r0, r0
0xffffff14 0000 0000 andeq r0, r0, r0
0xffffff18 0004 0000 andeq r0, r0, r4
0xffffff1c 0000 0000 andeq r0, r0, r0
0xffffff20 f04f f57f dsb sy
0xffffff24 f002 e320 wfe
0xffffff28 fffc eaff b #0xffffff20
0xffffff2c f04f f57f dsb sy
0xffffff30 f002 e320 wfe
0xffffff34 000f e3e0 mvn r0, #0xf
0xffffff38 e000 e590 ldr lr, [r0]
0xffffff3c 00d4 e37e cmn lr, #0xd4
0xffffff40 fff9 0aff beq #0xffffff2c
0xffffff44 0f15 ee07 mcr p15, #0, r0, c7, c5, #0
0xffffff48 0fd5 ee07 mcr p15, #0, r0, c7, c5, #6
0xffffff4c 0f17 ee08 mcr p15, #0, r0, c8, c7, #0
0xffffff50 4000 e3a0 mov r4, #0
0xffffff54 4f10 ee01 mcr p15, #0, r4, c1, c0, #0
0xffffff58 ff1e e12f bx lr
0xffffff5c 0000 0000 andeq r0, r0, r0
0xffffff60 0000 0000 andeq r0, r0, r0
0xfffffff0 ff2c ffff .byte 0x2c, 0xff, 0xff, 0xff

So, there you have it. Core 1 is "parked" in a typical wait loop in OCM (on-chip memory). And with core 1 halted, U-Boot still stays running just fine via core 0.
What does this code do? The mvn instruction loads the immediate 0xf with all its bits inverted, so r0 ends up holding 0xfffffff0. The code then reads the word at that address into lr and compares it (via cmn) with the negative of 0xd4, which is 0xffffff2c, exactly the value we see stored at 0xfffffff0.
If this value changes, we fall out of the loop and, after some processor state fiddling, jump (via bx lr) to the address that was placed there. This all makes sense.
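As an added example (my own code, not from the post), the following Python recovers the instruction words from the OpenOCD disassembly of the park loop, checks the branch targets and immediates by hand, and models the mailbox test, so the claim that cmn compares against 0xffffff2c can be verified rather than eyeballed. The only value not taken from the dump is the wake address used in the test, which is constructed.

```python
# The disassembly lines are copied from the OpenOCD dump above. OpenOCD prints each
# 32-bit word as two little-endian halfwords, low halfword first.
DUMP = """\
0xffffff20 f04f f57f dsb sy
0xffffff24 f002 e320 wfe
0xffffff28 fffc eaff b #0xffffff20
0xffffff2c f04f f57f dsb sy
0xffffff30 f002 e320 wfe
0xffffff34 000f e3e0 mvn r0, #0xf
0xffffff38 e000 e590 ldr lr, [r0]
0xffffff3c 00d4 e37e cmn lr, #0xd4
0xffffff40 fff9 0aff beq #0xffffff2c
0xffffff44 0f15 ee07 mcr p15, #0, r0, c7, c5, #0
0xffffff48 0fd5 ee07 mcr p15, #0, r0, c7, c5, #6
0xffffff4c 0f17 ee08 mcr p15, #0, r0, c8, c7, #0
0xffffff50 4000 e3a0 mov r4, #0
0xffffff54 4f10 ee01 mcr p15, #0, r4, c1, c0, #0
0xffffff58 ff1e e12f bx lr
"""
MASK32 = 0xFFFFFFFF


def parse_dump(text):
    """Map address -> 32-bit instruction word from 'arm disassemble' output lines."""
    words = {}
    for line in text.splitlines():
        addr, lo, hi = line.split()[:3]
        words[int(addr, 16)] = (int(hi, 16) << 16) | int(lo, 16)
    return words


def branch_target(addr, word):
    """A32 B/Bcc: sign-extended imm24 << 2, relative to PC, which reads as addr + 8."""
    imm = word & 0xFFFFFF
    if imm & 0x800000:
        imm -= 1 << 24
    return (addr + 8 + (imm << 2)) & MASK32


def modified_imm(word):
    """A32 data-processing immediate: 8-bit value rotated right by 2 * rotate field."""
    rot = ((word >> 8) & 0xF) * 2
    val = word & 0xFF
    return ((val >> rot) | (val << (32 - rot))) & MASK32


def park_loop_exit(mem, words):
    """Model one pass of the loop at 0xffffff2c.

    mvn r0, #0xf   -> r0 = ~0xf = 0xfffffff0 (the mailbox word in OCM)
    ldr lr, [r0]   -> lr = mailbox contents
    cmn lr, #0xd4  -> Z set when lr + 0xd4 == 0 mod 2^32, i.e. lr == 0xffffff2c
    beq ...        -> back to the wfe while Z is set
    Returns None while the core stays parked, else the address 'bx lr' jumps to
    (after the cache/TLB maintenance and the write of 0 to SCTLR via mcr c1, c0, 0).
    mem is a dict {address: word} standing in for OCM."""
    r0 = (~modified_imm(words[0xFFFFFF34])) & MASK32
    lr = mem.get(r0, 0)
    if ((lr + modified_imm(words[0xFFFFFF3C])) & MASK32) == 0:
        return None
    return lr
```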
We have hardware breakpoints (via the "bp" command) and can look at all the ARM registers (more than you would imagine) using the "reg" command.
> reset halt
JTAG tap: zynq_pl.bs tap/device found: 0x13722093 (mfg: 0x049 (Xilinx), part: 0x3722, ver: 0x1)
JTAG tap: zynq.cpu tap/device found: 0x4ba00477 (mfg: 0x23b (ARM Ltd), part: 0xba00, ver: 0x4)
zynq.cpu0: how to reset?

I think it is a bug that it asks "how to reset?" given that I told it "reset halt". The bug is simply the message, which makes you think you typed something wrong, whereas in fact it has a hardware issue. It should say "unable to reset" perhaps.
Maybe this can be fixed by some reset configuration, but I am well aware that the Ebaz does not provide any reset signals on the JTAG connector and this may be the root of this issue.
bp addr len - set a breakpoint
rbp addr -- remove breakpoint at address
rbp all -- remove all breakpoints

Why do breakpoints have a length? I do this to set a breakpoint. U-boot is running.
halt
bp 0x200 4
resume

Then I type the command "reset" to U-boot. It performs a reset and the breakpoint endures. This looks promising:
zynq.cpu0: hardware has 6 breakpoints, 4 watchpoints
> bp
IVA breakpoint: 0x00000200, 0x4, 0x0b

The acronym "IVA" is an ARM thing standing for "instruction virtual address". No luck so far. I am hoping of course to get a breakpoint to catch the bootrom code running. Apparently this was a sw breakpoint by default.
So let's try again, but now set hardware breakpoints:
> rbp all
> bp 0x200 8
hw breakpoint set at 0x00000200
> bp 0x1200 8
hw breakpoint set at 0x00001200
> bp 0x2200 8
hw breakpoint set at 0x00002200
> bp 0xffff0200 8
hw breakpoint set at 0xffff0200
> bp
Breakpoint(IVA): 0x00000200, 0x8, 0
Breakpoint(IVA): 0x00001200, 0x8, 1
Breakpoint(IVA): 0x00002200, 0x8, 2
Breakpoint(IVA): 0xffff0200, 0x8, 3
> resume

Then we type reset to U-boot and get:
target halted in ARM state due to breakpoint, current mode: IRQ
cpsr: 0x600001d2 pc: 0x00000200
MMU: disabled, D-Cache: disabled, I-Cache: disabled

Aha, now that seems more like it.
> arm disassemble 0 256
0x00000000 0049 ea00 b #0x12c
0x00000004 0025 ea00 b #0xa0
0x00000008 002b ea00 b #0xbc
0x0000000c 003b ea00 b #0x100
0x00000010 0032 ea00 b #0xe0
0x00000014 f000 e320 nop
0x00000018 0000 ea00 b #0x20
0x0000001c 000f ea00 b #0x60
0x00000020 500f e92d push {r0, r1, r2, r3, ip, lr}
0x00000024 0b10 ed2d vpush {d0, d1, d2, d3, d4, d5, d6, d7}
0x00000028 0b20 ed6d vpush {d16, d17, d18, d19, d20, d21, d22, d23, d24, d25, d26, d27, d28, d29, d30, d31}
0x0000002c 1a10 eef1 vmrs r1, fpscr
0x00000030 1004 e52d str r1, [sp, #-4]!
0x00000034 1a10 eef8 vmrs r1, fpexc
0x00000038 1004 e52d str r1, [sp, #-4]!
0x0000003c 2125 eb00 bl #0x84d8
0x00000040 1004 e49d pop {r1}
0x00000044 1a10 eee8 vmsr fpexc, r1
0x00000048 1004 e49d pop {r1}
0x0000004c 1a10 eee1 vmsr fpscr, r1
0x00000050 0b20 ecfd vpop {d16, d17, d18, d19, d20, d21, d22, d23, d24, d25, d26, d27, d28, d29, d30, d31}
0x00000054 0b10 ecbd vpop {d0, d1, d2, d3, d4, d5, d6, d7}
0x00000058 500f e8bd pop {r0, r1, r2, r3, ip, lr}
0x0000005c f004 e25e subs pc, lr, #4
0x00000060 500f e92d push {r0, r1, r2, r3, ip, lr}
0x00000064 0b10 ed2d vpush {d0, d1, d2, d3, d4, d5, d6, d7}
0x00000068 0b20 ed6d vpush {d16, d17, d18, d19, d20, d21, d22, d23, d24, d25, d26, d27, d28, d29, d30, d31}
0x0000006c 1a10 eef1 vmrs r1, fpscr
0x00000070 1004 e52d str r1, [sp, #-4]!
0x00000074 1a10 eef8 vmrs r1, fpexc
0x00000078 1004 e52d str r1, [sp, #-4]!
0x0000007c 2110 eb00 bl #0x84c4
0x00000080 1004 e49d pop {r1}
0x00000084 1a10 eee8 vmsr fpexc, r1
0x00000088 1004 e49d pop {r1}
0x0000008c 1a10 eee1 vmsr fpscr, r1
0x00000090 0b20 ecfd vpop {d16, d17, d18, d19, d20, d21, d22, d23, d24, d25, d26, d27, d28, d29, d30, d31}
0x00000094 0b10 ecbd vpop {d0, d1, d2, d3, d4, d5, d6, d7}
0x00000098 500f e8bd pop {r0, r1, r2, r3, ip, lr}
0x0000009c f004 e25e subs pc, lr, #4
0x000000a0 500f e92d push {r0, r1, r2, r3, ip, lr}
0x000000a4 0074 e59f ldr r0, [pc, #0x74]
0x000000a8 1004 e24e sub r1, lr, #4
0x000000ac 1000 e580 str r1, [r0]
0x000000b0 210d eb00 bl #0x84ec
0x000000b4 500f e8bd pop {r0, r1, r2, r3, ip, lr}
0x000000b8 f00e e1b0 movs pc, lr
0x000000bc 500f e92d push {r0, r1, r2, r3, ip, lr}
0x000000c0 0020 e310 tst r0, #0x20
0x000000c4 00b2 115e ldrhne r0, [lr, #-2]
0x000000c8 0cff 13c0 bicne r0, r0, #0xff00
0x000000cc 0004 051e ldreq r0, [lr, #-4]
0x000000d0 04ff 03c0 biceq r0, r0, #0xff000000
0x000000d4 2109 eb00 bl #0x8500
0x000000d8 500f e8bd pop {r0, r1, r2, r3, ip, lr}
0x000000dc f00e e1b0 movs pc, lr
0x000000e0 f04f f57f dsb sy
0x000000e4 500f e92d push {r0, r1, r2, r3, ip, lr}
0x000000e8 0034 e59f ldr r0, [pc, #0x34]
0x000000ec 1008 e24e sub r1, lr, #8
0x000000f0 1000 e580 str r1, [r0]
0x000000f4 2106 eb00 bl #0x8514
0x000000f8 500f e8bd pop {r0, r1, r2, r3, ip, lr}
0x000000fc f008 e25e subs pc, lr, #8
0x00000100 f04f f57f dsb sy
0x00000104 500f e92d push {r0, r1, r2, r3, ip, lr}
0x00000108 0018 e59f ldr r0, [pc, #0x18]
0x0000010c 1004 e24e sub r1, lr, #4
0x00000110 1000 e580 str r1, [r0]
0x00000114 2103 eb00 bl #0x8528
0x00000118 500f e8bd pop {r0, r1, r2, r3, ip, lr}
0x0000011c f004 e25e subs pc, lr, #4
0x00000120 0cf4 0002 strdeq r0, r1, [r2], -r4
0x00000124 0cfc 0002 strdeq r0, r1, [r2], -ip
0x00000128 0cf8 0002 strdeq r0, r1, [r2], -r8
0x0000012c 1fb0 ee10 mrc p15, #0, r1, c0, c0, #5
0x00000130 100f e201 and r1, r1, #0xf
0x00000134 0000 e351 cmp r1, #0
0x00000138 0001 0a00 beq #0x144
0x0000013c f002 e320 wfe
0x00000140 fffd eaff b #0x13c
0x00000144 030c e59f ldr r0, [pc, #0x30c]
0x00000148 1000 e590 ldr r1, [r0]
0x0000014c 1080 e211 ands r1, r1, #0x80
0x00000150 0009 0a00 beq #0x17c
0x00000154 0300 e59f ldr r0, [pc, #0x300]
0x00000158 1300 e59f ldr r1, [pc, #0x300]
0x0000015c 1000 e580 str r1, [r0]
0x00000160 02fc e59f ldr r0, [pc, #0x2fc]
0x00000164 1000 e590 ldr r1, [r0]
0x00000168 1022 e381 orr r1, r1, #0x22
0x0000016c 1000 e580 str r1, [r0]
0x00000170 02f0 e59f ldr r0, [pc, #0x2f0]
0x00000174 12f0 e59f ldr r1, [pc, #0x2f0]
0x00000178 1000 e580 str r1, [r0]
0x0000017c 0f10 ee10 mrc p15, #0, r0, c0, c0, #0
0x00000180 560f e200 and r5, r0, #0xf00000
0x00000184 600f e200 and r6, r0, #0xf
0x00000188 6825 e186 orr r6, r6, r5, lsr #16
0x0000018c 0022 e356 cmp r6, #0x22
0x00000190 af30 de1f mrcle p15, #0, sl, c15, c0, #1
0x00000194 a010 d38a orrle sl, sl, #0x10
0x00000198 af30 de0f mcrle p15, #0, sl, c15, c0, #1
0x0000019c 0602 e335 teq r5, #0x200000
0x000001a0 af30 0e1f mrceq p15, #0, sl, c15, c0, #1
0x000001a4 a040 038a orreq sl, sl, #0x40
0x000001a8 af30 0e0f mcreq p15, #0, sl, c15, c0, #1
0x000001ac 02bc e59f ldr r0, [pc, #0x2bc]
0x000001b0 0f10 ee0c mcr p15, #0, r0, c12, c0, #0
0x000001b4 72b8 e59f ldr r7, [pc, #0x2b8]
0x000001b8 62b8 e59f ldr r6, [pc, #0x2b8]
0x000001bc 6000 e587 str r6, [r7]
0x000001c0 0000 e3a0 mov r0, #0
0x000001c4 0f17 ee08 mcr p15, #0, r0, c8, c7, #0
0x000001c8 0f15 ee07 mcr p15, #0, r0, c7, c5, #0
0x000001cc 0fd5 ee07 mcr p15, #0, r0, c7, c5, #6
0x000001d0 007c eb00 bl #0x3c8
0x000001d4 0f10 ee11 mrc p15, #0, r0, c1, c0, #0
0x000001d8 0001 e3c0 bic r0, r0, #1
0x000001dc 0f10 ee01 mcr p15, #0, r0, c1, c0, #0
0x000001e0 0000 e10f mrs r0, apsr
0x000001e4 101f e3e0 mvn r1, #0x1f
0x000001e8 2000 e001 and r2, r1, r0
0x000001ec 2012 e382 orr r2, r2, #0x12
0x000001f0 f002 e129 msr cpsr_fc, r2
0x000001f4 d280 e59f ldr sp, [pc, #0x280]
0x000001f8 2c02 e3c2 bic r2, r2, #0x200
0x000001fc f002 e16f msr spsr_fsxc, r2
0x00000200 0000 e10f mrs r0, apsr
0x00000204 101f e3e0 mvn r1, #0x1f
0x00000208 2000 e001 and r2, r1, r0
0x0000020c 2013 e382 orr r2, r2, #0x13
0x00000210 f002 e129 msr cpsr_fc, r2
0x00000214 d264 e59f ldr sp, [pc, #0x264]
0x00000218 2c02 e3c2 bic r2, r2, #0x200
0x0000021c f002 e16f msr spsr_fsxc, r2
0x00000220 0000 e10f mrs r0, apsr
0x00000224 101f e3e0 mvn r1, #0x1f
0x00000228 2000 e001 and r2, r1, r0
0x0000022c 2017 e382 orr r2, r2, #0x17
0x00000230 f002 e129 msr cpsr_fc, r2
0x00000234 d248 e59f ldr sp, [pc, #0x248]
0x00000238 2c02 e3c2 bic r2, r2, #0x200
0x0000023c f002 e16f msr spsr_fsxc, r2
0x00000240 0000 e10f mrs r0, apsr
0x00000244 101f e3e0 mvn r1, #0x1f
0x00000248 2000 e001 and r2, r1, r0
0x0000024c 2011 e382 orr r2, r2, #0x11
0x00000250 f002 e129 msr cpsr_fc, r2
0x00000254 d22c e59f ldr sp, [pc, #0x22c]
0x00000258 2c02 e3c2 bic r2, r2, #0x200
0x0000025c f002 e16f msr spsr_fsxc, r2
0x00000260 0000 e10f mrs r0, apsr
0x00000264 101f e3e0 mvn r1, #0x1f
0x00000268 2000 e001 and r2, r1, r0
0x0000026c 201b e382 orr r2, r2, #0x1b
0x00000270 f002 e129 msr cpsr_fc, r2
0x00000274 d210 e59f ldr sp, [pc, #0x210]
0x00000278 2c02 e3c2 bic r2, r2, #0x200
0x0000027c f002 e16f msr spsr_fsxc, r2
0x00000280 0000 e10f mrs r0, apsr
0x00000284 101f e3e0 mvn r1, #0x1f
0x00000288 2000 e001 and r2, r1, r0
0x0000028c 201f e382 orr r2, r2, #0x1f
0x00000290 f002 e129 msr cpsr_fc, r2
0x00000294 d1f4 e59f ldr sp, [pc, #0x1f4]
0x00000298 71f4 e59f ldr r7, [pc, #0x1f4]
0x0000029c 0000 e597 ldr r0, [r7]
0x000002a0 0001 e380 orr r0, r0, #1
0x000002a4 0000 e587 str r0, [r7]
0x000002a8 01e8 e59f ldr r0, [pc, #0x1e8]
0x000002ac 005b e380 orr r0, r0, #0x5b
0x000002b0 0f10 ee02 mcr p15, #0, r0, c2, c0, #0
0x000002b4 0000 e3e0 mvn r0, #0
0x000002b8 0f10 ee03 mcr p15, #0, r0, c3, c0, #0
0x000002bc 01d8 e59f ldr r0, [pc, #0x1d8]
0x000002c0 0f10 ee01 mcr p15, #0, r0, c1, c0, #0
0x000002c4 f04f f57f dsb sy
0x000002c8 f06f f57f isb sy
0x000002cc 0f30 ee11 mrc p15, #0, r0, c1, c0, #1
0x000002d0 0040 e380 orr r0, r0, #0x40
0x000002d4 0001 e380 orr r0, r0, #1
0x000002d8 0f30 ee01 mcr p15, #0, r0, c1, c0, #1
0x000002dc 01bc e59f ldr r0, [pc, #0x1bc]
0x000002e0 1000 e3a0 mov r1, #0
0x000002e4 1000 e580 str r1, [r0]
0x000002e8 01b4 e59f ldr r0, [pc, #0x1b4]
0x000002ec 1000 e590 ldr r1, [r0]
0x000002f0 21b0 e59f ldr r2, [pc, #0x1b0]
0x000002f4 1002 e181 orr r1, r1, r2
0x000002f8 1000 e580 str r1, [r0]
0x000002fc 01a8 e59f ldr r0, [pc, #0x1a8]
0x00000300 11a8 e59f ldr r1, [pc, #0x1a8]
0x00000304 1000 e580 str r1, [r0]
0x00000308 01a4 e59f ldr r0, [pc, #0x1a4]
0x0000030c 11a4 e59f ldr r1, [pc, #0x1a4]
0x00000310 1000 e580 str r1, [r0]
0x00000314 01a0 e59f ldr r0, [pc, #0x1a0]
0x00000318 2158 e59f ldr r2, [pc, #0x158]
0x0000031c 2000 e580 str r2, [r0]
0x00000320 0198 e59f ldr r0, [pc, #0x198]
0x00000324 1000 e590 ldr r1, [r0]
0x00000328 0000 e351 cmp r1, #0
0x0000032c fffc 1aff bne #0x324
0x00000330 018c e59f ldr r0, [pc, #0x18c]
0x00000334 1000 e590 ldr r1, [r0]
0x00000338 0188 e59f ldr r0, [pc, #0x188]
0x0000033c 1000 e580 str r1, [r0]
0x00000340 0114 e59f ldr r0, [pc, #0x114]
0x00000344 1114 e59f ldr r1, [pc, #0x114]
0x00000348 1000 e580 str r1, [r0]
0x0000034c 0178 e59f ldr r0, [pc, #0x178]
0x00000350 1178 e59f ldr r1, [pc, #0x178]
0x00000354 1000 e580 str r1, [r0]
0x00000358 0108 e59f ldr r0, [pc, #0x108]
0x0000035c 1108 e59f ldr r1, [pc, #0x108]
0x00000360 1000 e580 str r1, [r0]
0x00000364 0134 e59f ldr r0, [pc, #0x134]
0x00000368 1000 e590 ldr r1, [r0]
0x0000036c 2001 e3a0 mov r2, #1
0x00000370 1002 e181 orr r1, r1, r2
0x00000374 1000 e580 str r1, [r0]
0x00000378 0000 e1a0 mov r0, r0
0x0000037c 1f50 ee11 mrc p15, #0, r1, c1, c0, #2
0x00000380 160f e381 orr r1, r1, #0xf00000
0x00000384 1f50 ee01 mcr p15, #0, r1, c1, c0, #2
0x00000388 1a10 eef8 vmrs r1, fpexc
0x0000038c 1101 e381 orr r1, r1, #0x40000000
0x00000390 1a10 eee8 vmsr fpexc, r1
0x00000394 0f10 ee11 mrc p15, #0, r0, c1, c0, #0
0x00000398 0b02 e380 orr r0, r0, #0x800
0x0000039c 0f10 ee01 mcr p15, #0, r0, c1, c0, #0
0x000003a0 0f30 ee11 mrc p15, #0, r0, c1, c0, #1
0x000003a4 0004 e380 orr r0, r0, #4
0x000003a8 0002 e380 orr r0, r0, #2
0x000003ac 0f30 ee01 mcr p15, #0, r0, c1, c0, #1
0x000003b0 0000 e10f mrs r0, apsr
0x000003b4 0c01 e3c0 bic r0, r0, #0x100
0x000003b8 f000 e12e msr cpsr_fsx, r0
0x000003bc 2063 ea00 b #0x8550
0x000003c0 0000 e000 and r0, r0, r0
0x000003c4 fffe eaff b #0x3c4
0x000003c8 0f30 ee30 mrc p15, #1, r0, c0, c0, #1
0x000003cc 3407 e210 ands r3, r0, #0x7000000
0x000003d0 3ba3 e1a0 lsr r3, r3, #0x17
0x000003d4 001a 0a00 beq #0x444
0x000003d8 a000 e3a0 mov sl, #0
0x000003dc 20aa e08a add r2, sl, sl, lsr #1
0x000003e0 1230 e1a0 lsr r1, r0, r2
0x000003e4 1007 e201 and r1, r1, #7
0x000003e8 0002 e351 cmp r1, #2
0x000003ec 0011 ba00 blt #0x438
0x000003f0 af10 ee40 mcr p15, #2, sl, c0, c0, #0
0x000003f4 f06f f57f isb sy
0x000003f8 1f10 ee30 mrc p15, #1, r1, c0, c0, #0
0x000003fc 2007 e201 and r2, r1, #7

As a sanity check, I resume, cycle power, then interrupt U-boot so it doesn't boot to linux, then do this:
halt
> arm disassemble 0 20
0x00000000 0000 e59f ldr r0, [pc]
0x00000004 ff10 e12f bx r0
0x00000008 1400 0012 andseq r1, r2, r0, lsl #8
0x0000000c aecb aeb8 cdpge p14, #0xb, c10, c8, c11, #6
0x00000010 bcb8 9e9d mrcls p12, #4, fp, c13, c8, #5
0x00000014 181a baeb blt #0xffac6084
0x00000018 fffc 9e2d mcrls p15, #1, pc, c13, c12, #7
0x0000001c 86db b6ec usatlt r8, #0xc, fp, asr #0xd
0x00000020 bd98 fdae stc2 p13, c11, [lr, #0x260]!

This is clearly different from what we had before. Only the first two lines actually look like code. No need for in-depth analysis, but this somewhat confirms that our breakpoints did catch bootrom code running and that we did dump bootrom contents. Maybe.
Tom's Computer Info