Getting CPU configuration from CP15

chr

138
IXUS 82 IS

Re: Getting CPU configuration from CP15

« Reply #10 on: 19 / August / 2008, 07:40:15 »

Advertisements

Hi!

Running qemu turns out, that some of the coprocessor registers are not supported.

@reyalp: yes, there are some bugs: The regions base addresses are all wrong:

Code: (sh) [Select]

Protection Region 0 0x0000003D
  Enable               0x1 1
  Size                 0x1E 30 [2G]
  Undef0_7             0x0 0
  Base                 0x0 0
Protection Region 1 0xC000002F
  Enable               0x1 1
  Size                 0x17 23 [16M]
  Undef0_7             0x0 0
  Base                 0x60000 393216
Protection Region 2 0x00000031
  Enable               0x1 1
  Size                 0x18 24 [32M]
  Undef0_7             0x0 0
  Base                 0x0 0
Protection Region 3 0x10000031
  Enable               0x1 1
  Size                 0x18 24 [32M]
  Undef0_7             0x0 0
  Base                 0x8000 32768

Here's my manual interpretation of the sd1100 firmware, init camera:

Code: (c) [Select]

void __attribute__((naked,noinline)) sub_FF81000C_my() {
 asm volatile (
  "ldr r1,  =0xc0410000 \n"
  "mov r0, #0 \n" // ; 0x0
  "str r0, [r1] \n"
  
  // disable cache, MPU, etc.
  "mov r1, #120 \n" // ; 0x78 // sets SBO "should be one" only
  "mcr 15, 0, r1, cr1, cr0, {0} \n"

  "mov r1, #0 \n" // ; 0x0
  "mcr 15, 0, r1, cr7, cr10, {4} \n"// drain write buffers
  "mcr 15, 0, r1, cr7, cr5, {0} \n" // flush icache
  "mcr 15, 0, r1, cr7, cr6, {0} \n" // flush dcache

  // define Protection Regions 0-5
  "mov r0, #61 \n" // ; 0x3d                   // size 2GB base 0x0
  "mcr 15, 0, r0, cr6, cr0, {0} \n" // prot. mem reg. 0
  "mov r0, #-1073741777 \n" // ; 0xc000002f // size 16M base 0xc0000000
  "mcr 15, 0, r0, cr6, cr1, {0} \n"
  "mov r0, #49 \n" // ; 0x31                   // size 32M base 0x0
  "mcr 15, 0, r0, cr6, cr2, {0} \n"
  "ldr r0,  =0x10000031 \n"                    // size 32M base 0x10000000
  "mcr 15, 0, r0, cr6, cr3, {0} \n"
  "mov r0, #1073741847 \n" // ; 0x40000017     // size  4k base 0x40000000
  "mcr 15, 0, r0, cr6, cr4, {0} \n"
  "ldr r0,  =0xff80002d \n"                    // size  8M base 0xff800000
  "mcr 15, 0, r0, cr6, cr5, {0} \n"

  "mov r0, #52 \n" // ; 0x34        // regions 2,4,5
  "mcr 15, 0, r0, cr2, cr0, {0} \n" // data cache
  "mov r0, #52 \n" // ; 0x34
  "mcr 15, 0, r0, cr2, cr0, {1} \n" // instr cache

  // write buffer ctrl
  "mov r0, #52 \n" // ; 0x34        // regions 2,4,5
  "mcr 15, 0, r0, cr3, cr0, {0} \n"
  // Region prot. r/w
  "ldr r0,  =0x03333330 \n"         // region 0,7 = --, 1-6 = rw
  "mcr 15, 0, r0, cr5, cr0, {2} \n" // data access
  "ldr r0,  =0x03333330 \n"
  "mcr 15, 0, r0, cr5, cr0, {3} \n" // instr access

// This one is in every boot.c: "Changes CPU speed?" - nope!
  "mrc 15, 0, r0, cr1, cr0, {0} \n"
  "orr r0, r0, #4096 \n" // ; 0x1000 // enable L1 instruction cache
  "orr r0, r0, #4 \n" // ; 0x4        // L1 unified/data cache enable
  "orr r0, r0, #1 \n" // ; 0x1        // MMU or Protection Unit enable
  "mcr 15, 0, r0, cr1, cr0, {0} \n"

  // set TCM data region register
  // addr = 0x40000000
  // size 4K
  "mov r1, #1073741830 \n" // ; 0x40000006
  "mcr 15, 0, r1, cr9, cr1, {0} \n"

  // set TCM instruction region
  // smart cache(?)
  // size 4K base 0x0
  "mov r1, #6 \n" // ; 0x6
  "mcr 15, 0, r1, cr9, cr1, {1} \n"
  // enabel TCM
  "mrc 15, 0, r1, cr1, cr0, {0} \n"
  "orr r1, r1, #327680 \n" // ; 0x50000 // DRAM (bit[16]), IRAM (bit[18]) 
  "mcr 15, 0, r1, cr1, cr0, {0} \n"

So I guess, the ixus80-sd1100 has got 32MB RAM.

« Last Edit: 19 / August / 2008, 07:43:16 by chr »

Logged

reyalp

13059

Re: Getting CPU configuration from CP15

« Reply #11 on: 19 / August / 2008, 14:44:45 »

Quote from: chr on 19 / August / 2008, 07:40:15

Hi!

Running qemu turns out, that some of the coprocessor registers are not supported.

@reyalp: yes, there are some bugs: The regions base addresses are all wrong:

Those are the values of the base address field, which is NOT the actual base address.

Actually, the base address is combined with the other fields, so if you just ignore the lower part of the registers, you get the correct base address.

I actually updated cpuinfo.c to reflect this after posting. Sorry for not making that clear from the start. Your manual decoding looks very similar to mine for the a540 (interestingly, the ROM region on mine starts at FF8 even though the actual ROM starts at FFC)

On my system, the HCLK, MCLK and LCLK can be read like this:

Code: [Select]

+    if(conf.debug_display == DEBUG_DISPLAY_CLOCKS) {
+        sprintf(sbuf,"hclk %d",*(int *)(0xC0400044));
+     draw_string(16,16,sbuf, conf.osd_color);
+        sprintf(sbuf,"lclk %d",*(int *)(0xC0400048));
+     draw_string(16,32,sbuf, conf.osd_color);
+        sprintf(sbuf,"mclk %d",*(int *)(0xC040004c));
+     draw_string(16,48,sbuf, conf.osd_color);
+ }

LCLK was the only one I could see changing on the fly. The values are an enum: = 72, 1=36, 3=18. 2 is a mystery

You can look for "printclock" to check the addresses.

edit: here's a bit from my notes on the a540 memory layout

Code: [Select]

0x0000 0000 region 0 start. -- nocache nobuf
 0x0000 0000 region 2 start. RW cache buf
  0x0000 0000 ITCM start
  0x0000 0FFF ITCM end
  0x0000 1900 Copied from FFEF3DF0 (firmware code + init data)
  0x0000 D210 Zeroed (firmware BSS ?)
  0x0009 22CC end zeroed
  0x0009 22D0 chdk start
  0x000E 72D0 chdk end
 0x01FF FFFF region 2 end / RAM end
 0x1000 0000 region 3 start. RW nocache nobuf
  0x103C 79A0 bitmap fb start
  0x105B 8AC0 raw buffer start
  0x10D1 33B0 raw buffer end
  0x105F 17A0 viewport fb start
 0x11FF FFFF region 3 end
 0x4000 0000 region 4 start. RW cache buf
  0x4000 0000 DTCM start
  0x4000 0FFF DTCM end
 0x4000 0FFF region 4 end
0x7FFF FFFF region 0 end
0xC000 0000 region 1 start. RW nocache nobuf
 0xC020 0000 ? mmio ?
 0xC040 0000 ? mmio ?
0xC0FF FFFF region 1 end
0xFF80 0000 region 5 start. RW cache buf
 0xFFC0 0000 ROM start
  0xFFEF 3DF0 copied data start
  0XFFEF F6FF end
0xFFFF FFFF region 4 / ROM ends

cpuinfo.c (6.12 kB - downloaded 116 times.)

CPUINFO-REC.TXT (4.41 kB - downloaded 122 times.)

« Last Edit: 19 / August / 2008, 15:20:56 by reyalp »

Logged

Don't forget what the H stands for.

chr

138
IXUS 82 IS

Re: Getting CPU configuration from CP15

« Reply #12 on: 20 / August / 2008, 05:18:33 »

Quote from: reyalp on 19 / August / 2008, 14:44:45

Quote from: chr on 19 / August / 2008, 07:40:15
Hi!

Running qemu turns out, that some of the coprocessor registers are not supported.

@reyalp: yes, there are some bugs: The regions base addresses are all wrong:
Those are the values of the base address field, which is NOT the actual base address.

Actually, the base address is combined with the other fields, so if you just ignore the lower part of the registers, you get the correct base address.

I actually updated cpuinfo.c to reflect this after posting. Sorry for not making that clear from the start. Your manual decoding looks very similar to mine for the a540 (interestingly, the ROM region on mine starts at FF8 even though the actual ROM starts at FFC)

But finally we understood what was wrong

I was very confused about the cp settings because I was looking in the ARM reference. The 946e-s is correct. The documents are a 'bit' different.

The ROM is 8MB but usually udumper just extract the part we need for porting. I also looked at the rest of it and I guess that stuff is simply before FFC in your cam. I found a lot of thumb code, i18n stuff and very interesting: the missing part of the boot process! Funny, the damn diskboot.bin decoding exists there a second time.

Here, this piece has a funny magic:


ffff0000:   ea000001    b   ffff000c <_binary_ffdd_start+0x21000c>
ffff0004:   e59f02a4    ldr r0, [pc, #676]  ; ffff02b0: (ffff3308)  **"orldthewuer conq" 
ffff0008:   e1a0f00e    mov pc, lr

Here, some strings:

Code: [Select]

ffff05b4 #RomStarter Ver1.02 for EC243
ffff05d4 UART loopback switch ON...
ffff05f4 UART loopback switch OFF...
ffff0614 Rescue Loader
ffff0628  Signature is OFF...
ffff0752 < Verify Error >
ffff076a Start Program on RAM
ffff08ba !!!!Mount SD-Card ERROR
ffff08d6 -- -------------------------
ffff08f4 DISKBOOT.BIN
ffff0904 DISKBOOT.BIN is started.
ffff0920 --- DISKBOOT.BIN start ABORT!!! ---
ffff0948 ROMWRITE.BIN
ffff0958 ROMWRITE.BIN is started.
ffff0974 --- ROMWRITE.BIN start ABORT!!! ---
ffff099c UPGRADER.BIN
ffff09ac UPGRADER.BIN is started.
ffff09c8 --- BIN FILE LOAD ERROR ---
ffff09e8 --- UPGRADER.BIN start ABORT!!! ---
ffff0da4 DISKBOOT.BIN ReadError
ffff0dc0 MBR ReadError
ffff0dd4 BootSector ReadError
ffff0dec FORMAT ERROR (NOT FAT12/16)
ffff0e0c ROOTDIR  ReadError
ffff0e24  Not Found
ffff0e34 FAT  ReadError
ffff0e48 DiskBoot Copy ERROR
ffff0e62  Cluster = 0 : Free Space!!!
ffff1130 SD-Card is not Ready. (ACMD41: WAIT BUSY TIMEOUT)
ffff1168 GET CID ERROR
ffff1178 GET RCA ERROR
...
ffff2015  CheckSip is performed.
ffff2031  Is it all right? (N/y)
ffff2171 >> debug shell startted <<
ffff2644  [OK]
ffff264c  [NG]
ffff2654 Adr:
ffff265c ,Write:
ffff2664 ,Read:
ffff2b9d  FROM sum is
ffff2bb5  Data bus check for all DRAM cell :
ffff2bdd  Address bus check for all DRAM cell :
ffff2c09  Data bus check (Simple version) :
ffff2c31  Address bus check (Simple version) :
ffff2dc1  Writing to ROM :
ffff2ddd  SiP check start
ffff2df0 UUUU
ffff2df5 Test Case :
ffff2e05  Write data is 0x55555555
ffff2e21  Write data is 0xAAAAAAAA
ffff2e3d  Write data is 0x00000000
ffff2e59  Write data is 0xFFFFFFFF
ffff2fe0 gaonisoy  R
ffff3003 (  R"
ffff30ea aB@02
ffff31e5  ?     Help
ffff31ee  h     Help
ffff31f7  d <adr> <size>    Dump memory
ffff3213  e <adr>   Edit memory
ffff3228  i  adr        Input
ffff3237  o  adr  data  Output
ffff324c  r <adr>   Rom edit (A bit is corrected to 0)
ffff3278  q     Quit ( =Reset )
ffff328c  c     CheckSiP ( don't return! )
ffff32ab --- example ---

Logged

reyalp

13059

Re: Getting CPU configuration from CP15

« Reply #13 on: 20 / August / 2008, 15:20:20 »

Quote from: chr on 20 / August / 2008, 05:18:33

But finally we understood what was wrong I was very confused about the cp settings because I was looking in the ARM reference. The 946e-s is correct. The documents are a 'bit' different.

Yes, I noticed that the generic docs seemed to give rather different descriptions of some of those things than the 946es tech ref. Some of that has to do with whether the system has an MMU or not AFAIK, but I was definitely confused trying to interpret the CP15 stuff before I looked at the 946 doc.

Quote

The ROM is 8MB but usually udumper just extract the part we need for porting. I also looked at the rest of it and I guess that stuff is simply before FFC in your cam. I found a lot of thumb code, i18n stuff and very interesting: the missing part of the boot process! Funny, the damn diskboot.bin decoding exists there a second time.

Some cameras are configured with a 4 meg ROM area starting at FFC. I guess I'll try dumping the full 8 megs on mine at some point. The sx100 cpuinfo attached here for example (which is a bit strange because it's a digic III/dryos cam

)

Logged

Don't forget what the H stands for.

alvm

Re: Getting CPU configuration from CP15

« Reply #14 on: 02 / June / 2012, 15:50:01 »

CPU info for a800 (DIGICIII) and a810 (DIGIC4)

cpuinfo_a800.txt (4.56 kB - downloaded 75 times.)

cpuinfo_a810.txt (4.56 kB - downloaded 76 times.)

Logged

reyalp

13059

Re: Getting CPU configuration from CP15

« Reply #15 on: 02 / June / 2012, 16:38:43 »

Quote from: alvm on 02 / June / 2012, 15:50:01

CPU info for a800 (DIGICIII) and a810 (DIGIC4)

Thanks. Still arm946E-S, just slightly different memory configuration. Would be interesting to see digic V and a DryOS R50 cam

Logged

Don't forget what the H stands for.

yukia10

32
SX50_100c

Re: Getting CPU configuration from CP15

« Reply #16 on: 01 / May / 2013, 06:38:16 »

CPU info for sx50hs (DIGIC5)

CPUINFO_SX50HS.TXT (4.43 kB - downloaded 38 times.)

Logged

reyalp

13059

Re: Getting CPU configuration from CP15

« Reply #17 on: 01 / May / 2013, 12:46:55 »

Quote from: yukia10 on 01 / May / 2013, 06:38:16

CPU info for sx50hs (DIGIC5)

This is interesting, indicates caches are 32K instead of 8K.

lib/armutil/cache.c should be updated.

Otherwise looks pretty much the same.

Logged

Don't forget what the H stands for.

yukia10

32
SX50_100c

Re: Getting CPU configuration from CP15

« Reply #18 on: 01 / May / 2013, 17:16:13 »

Quote from: reyalp on 01 / May / 2013, 12:46:55

Otherwise looks pretty much the same.

Region 7 may be a minor difference and may have been discussed here.

Logged

reyalp

13059

Re: Getting CPU configuration from CP15

« Reply #19 on: 02 / May / 2013, 17:16:19 »

Here's an updated version of my cpuinfo patch for the current trunk. I'll probably add this to svn, although it seems a bit silly for something that most likely only needs to be run once per CPU generation. This is a module so the only overhead is a menu item.

Also, as mentioned in http://chdk.setepontos.com/index.php?topic=2509.msg100073#msg100073 I updated the cache code.

cpuinfo-trunk-2753.patch (12.72 kB - downloaded 31 times.)

Logged

Don't forget what the H stands for.