Introduction to Cortex Serial Wire Debugging

Serial Wire Debug (SWD) provides a debug port for severely pin limited packages,

often the case for small package microcontrollers but also complex ASICs

where limiting pin-count is critical and can be the controlling factor in device costs.

SWD replaces the 5-pin JTAG port with a clock + single bi-directional data pin,

providing all the normal JTAG debug and test functionality plus real-time access to system memory

without halting the processor or requiring any target resident code.

SWD uses an ARM standard bi-directional wire protocol, defined in the ARM Debug Interface v5,

to pass data to and from the debugger and the target system in a highly efficient and standard way.

As a standard interface for ARM processor-based devices,

the software developer can count on a wide choice of interoperable tools

from ARM and third party tool vendors.

Host : Falling Edge Write, Falling Edge Read 

Target : Rising Edge Read, Rising Edge Write

 

SWD provides an easy and risk free migration from JTAG as the two signals,

SWDIO and SWCLK, are overlaid on the TMS and TCK pins,

allowing for bi-modal devices that provide the other JTAG signals.

These extra JTAG pins are available for other uses when in SWD mode.

SWD is compatible with all ARM processors and any processor

using JTAG for debug and provides access to debug registers in Cortex™ processors (A,R,M)

and the CoreSight debug infrastructure.   

 

JTAG to SWD switching

The SW-DP must use connection sequence of 50 clock cycles with data = 1.

And this sequence is also used as a line reset sequence which requires 50 consecutive 1s on the data input.

SWJ-DP enables either an SWD or JTAG protocol to be used on the debug port.

To do this, it implements a watcher circuit that detects a specific 16-bit selection sequence on the SWDIOTMSpin:

The 16-bit JTAG-to-SWD select sequence is defined to be 0b0111100111100111, MSB first.

This can be represented as 16'h79E7 if transmitted MSB first or 16'hE79E if transmitted LSB first.

The host must read IDCODE register after line request sequence.

This requirement gives confirmation that correct packet frame alignment has been achieved.

 

SWD Protocol Each successful SWD transfer consists of 3 parts:

• A header (always from the external debugger)

• An acknowledgement from the target (provided it recognises the header)

• A data payload, the direction of which is determined by the header.

A write transfer is shown in Figure 3 below.

A start bit is used to enable the line to idle, a period when the clock can be stopped or free running

(note that the clock also does not need to have a set frequency).

One bit defines the transfer as an AP access or a DAP access,

the direction of data on the SWD interface is provided,

and 2 address bits are given.

These address bits allow a sequence of AP accesses to use the 4 registers

in a bank of a specific AP without having to change the AP select register in the DP.

A parity bit and a stop bit are added to provide some tolerance to data corruption and hot plugging.

The header ends by driving the line high, where it should be held by a pull-up.

After the header, the target will respond (after a single cycle)

giving an indication of the status of the interface, and if the acknowledgement matches the OK pattern,

write data is sent with a parity bit.

A successful read transfer is similar, as shown in Figure 4.

The turn-round cycle (TRN in the diagrams) is placed after the data phase for a read,

as there is no change of direction between ACK and RDATA.

 

For both reads and writes, the packet is 46 clock cycles, with a payload of 32 bits.

In situations where the debugger hardware does not permit analysis and reaction to the ACK bits

(for example an ASIC vector replay tester, or a simple device on a high latency interface),

the packet timing can be fixed with these 46 cycle frames.

Improved bandwidth efficiency can be obtained in the normal mode of operation,

where the data phase is only present after an ‘OK’ acknowledge phase.

This mode uses a shorter packet, as shown in Figure 5 below

if the debug port is not yet ready to receive a new transaction.

 

This response indicates to the debugger that the debug port is still active,

and that the communication link is operating, but there is an outstanding transfer which has not completed.

This packet is 13 cycles long, and reduces the bandwidth penalty of performing debug accesses

which are faster than the target is able to accept them.

It is important to note that the protocol is optimised for performing blocks of transfers,

and both read and write data are buffered.

When a read transfer is issued on the SWD interface, the response will be the result from the previous read.

Thus to read an ASIC memory location, typically 3 transfers are necessary:

  1. • Write to the AP’s Transfer Address Register with the target address
  2. • Read the AP’s Data Transfer Register to initiate the transaction.
  3. • Read a benign register (DP status for example) to return the required target data.

Similarly, if it is necessary to determine that a write access to the system has completed,

that write has to be followed by a DP access, which can return a WAIT response if the write is still in progress.

SWD has a similar packet format which is used when a sticky bit is set.

This uses the FAULT response as shown in Figure 6 below.

The FAULT response indicates that the link is still active,

but the debug port will only respond to a read of its ID or Status registers,

or a write to its ABORT register which is used to clear the state of any sticky bits once they have been read.

Using these responses, the status of the debug interface and the status of the debug infrastructure are separated,

making it possible for a debug session to remain connected when system clocks are stopped.

If there is a fault and access via a system port becomes deadlocked,

the active AP can be instructed to terminate its transaction on the DAP bus.

In addition to allowing the AP to be interrogated and its state determined,

this frees up any remaining debug infrastructure in the target device giving the possibility of probing the deadlock scenario,

possibly giving valuable insight into the cause of the lockup.

Conclusion

The development of the Serial Wire Debug interface standard and protocol

has provided a reduced pin count alternative to JTAG,

which has the additional benefits of higher performance

and error detection that a packet-based communication protocol can bring.

Serial Wire Debug is an effective mechanism for accessing a modern busbased debug and trace design,

the packet nature of the communication being wellmatched with this bus-based architecture.

References 1.

http://www.arm.com/products/solutions/CoreSight.html

 

3.2.1. Packet request phase

The request phase consists of 8 bits. The meaning of each bit in the request is illustrated below.

  • Start -- A single start bit, with value 1.
  • APnDP -- A single bit, indicating whether the Debug Port or the Access Port Access Register is to be accessed. 1 for accessing AP.
  • RnW -- A single bit, this bit is 0 for an write access, or 1 for a read access.
  • A[2:3] -- Two bits, giving the A[3:2] address field for the DP or AP register address.
  • Parity -- A single odd parity bit is made over the APnDP, RnW and A[2:3] bits.
    The number of bits set to 1 is odd, then the parity bit is set to 1.
  • Stop -- A single stop bit. In the synchronousSWD protocol this is always 0.
  • Park -- A single bit, with value 1.
  • SWD Line : Start : APnDP : RnW : A[2] : A[3] : Parity : Stop : Park

3.2.2. Acknowledge response phase

ACK phase is a three-bit(LSB-first) target to host response. Three type ACK response.

  • OK Response -- It indicates successful operation, value is b001. : SWD Line : 1 0 0  
  • WAIT response -- The host must retry the operation later, value is b010. : SWD Line : 0 1 0
  • FAULT response -- If the target responds with FAULT, an error has occurred and one of the sticky bits in CTRL/STAT is set.
    The host can check the sticky error bits to see what kind of error has occurred.
    It must clear the sticky bits in ABORT register before using any AP commands,
    because the target will always respond with FAULT as long as one of the sticky error bits are set.
    Value is b100. : SWD Line : 0 0 1

3.2.3. Data transfer phase

It contains 32 data bits and 1 parity bit.

The The parity check is made over the 32 data bits.

The number of bits set to 1 is odd, then the parity bit is set to 1.

3.2.4. Turnaround period

From figure above, there is Trn -- Turnaround period between each phase.

Every time the SWDIO changes data direction, a one-cycle turnaround period is inserted which both sides should ignore.

This means there is always a turnaround period between the request and acknowledge.

On a write request, there is a turnaround period between acknowledge and the data phase.

On a read request there is a a turnaround after the data phase.

 

 

LPC ARM Cortex-based microcontrollers from NXP can be controlled via SWD,

ARM’s Serial Wire Debug protocol and the Coresight register set which allow nonintrusive debugging.

This blog post series summarizes use of the SWD protocol to do basic debugging functions on the Cortex-M0

and presents demonstration code and a simple hardware design to implement a USB-to-SWD bridge.

With additional software the SWD-to-USB bridge could allow debugging

or flash programming from a computer or other USB host device.

Serial Wire Debug (SWD) Fundamentals.

The SWD interface has two signal wires, SWCLK and SWDIO.

SWCLK or Serial Wire Clock is driven by the master and synchronizes the SWD data transfer.

SWDIO or Serial Wire Data Input/Output is driven by either the master or the target.

Every SWD transaction starts with the master driving SWDIO

but switches to having the target drive SWDIO at some point.

I/O levels and thresholds on SWCLK and SWDIO should be set to match the I/O voltage of the target.

In the simplistic hardware design given in this document,

we assume that the target voltage is 3.3V and no provisions are made to adjust to lower target voltages.

SWD Levels and Edges.

Since SWD is a bi-directional communications standard with only one data line,

data needs to be written to the bus by both the master and the slave.

Every SWD transaction begins with the master controlling SWDIO.

After a turnaround period, the slave controls SWDIO,

then control switches back to the master.

Whenever the bus is idle, the clock should be high and the master controls the bus.

When the master is in control of SWDIO, it clocks data out on the falling edge of SWCLK

and the slave latches the data on the rising edge of SWCLK.

When the slave takes over SWDIO, it presents data to SWDIO on the rising edge of SWCLK

and the master latches the incoming data on the falling edge of SWCLK.

In both cases, SWCLK is driven by the master.

The 1/2 and 1 1/2 period 1 values on SWDIO are called “turnaround periods” in the SWD specification.

They need to be driven by the host to prevent the bus from being dragged low by coupling of transitions on the SWDCLK.

If the SWD target detects that SWDIO is not 1 during the turnaround period,

it will go into an error state and not respond to any further transactions.

SWD Protocol.

The swd protocol consists of read and write transactions.

Both types of transactions have three phases.

These phases are the request phase, the acknowledge phase, and the data phase.

All of the data sent over SWD is sent in little-endian order and is sent least-significant-bit first.

 

 

During the request phase the host requests a read or write operation on the target

and indicates whether the Debug Port or Access Port is being accessed.

The Debug Port is a set of four important registers within the Cortex debug port that perform very basic operations.

The Access Port is a larger address space of 64 registers which are useful for accessing the microcontroller’s main bus.

The request phase consists of eight bits of data, some of which are constant.

 

The acknowledge phase consists of three bits where the SWD target indicates status to the host.

 

 

The data phase is where data is sent from the host to the target during a write operation.

Data is sent from the target to the master during a read operation.

The data phase consists of 33 bits- 32 bits of data (lsb first) followed by 1 bit of parity.

 

Request phase data

bit numberbit valuebit description

  • 0 (lsb)always 1start bit
  • 1 1 for Access PortSWD Port select- selects Access Port or Debug Port
  • 2 1 for Readread select- selects whether this is a read or a write transaction
  • 3 address bit 2bit 2 of read or write address (bits 0 and 1 are 0)
  • 4 address bit 3bit 3 of read or write address (bits 0 and 1 are 0)
  • 5 parity1 if sum of request phase bits 1-4 is odd
  • 6 always 0stop bit
  • 7 (msb)always 1park bit

Acknowledge phase data

bit numberbit valuebit description
0-2 acknowledge value

  • 1- means acknowledge, no error
  • 2- means wait, target not ready
  • 4- means fault or error
  • 7- typically means the target is disconnected

SWD Read and Write Details.

The SWD port supports reading and writing to the Debug Port and the Access Port.

The Cortex Debug Port consists of 4 32-bit registers.

When executing an SWD transaction, a Debug Port transaction is specified by leaving bit 1 (port select)

set to zero during the request phase of the SWD transaction.

The address is specified by bits 3 and 4.

Read is specified by setting bit 2 as 1, writes by clearing bit 2 to 0.

Writes do not actually complete until after the following SWD command

or until receiving a “flush” which is simply eight 0s clocked out onto SWDIO.

The Cortex Access Port address space has 64 32-bit registers.

Because only two bits of address are specified in the SWD request phase,

four more bits of address need to be set by using the AP Select register at address 8 on the Debug Port.

To execute a transaction on the Access Port, typically the Debug Port AP Select register

must be written first before the Access Port is written.

When executing a read on the Access Port, the result returned will be that of the previous read.

Therefore when executing a read operation, a 2nd dummy read must be done to get the results.

If executing a sequence of reads, only one dummy read is needed to get the first result.

There is no need for a dummy read between every read in a sequence.

Please note that both the Debug Port and the Access Port are NOT part of the Cortex CPU core’s general address space.

These ports and their registers only exist inside the SWD debug port.

For details on these registers and their uses please see the ARM Debug Interface v5 Architecture Specification documentation and errata.

Initializing SWD.

The SWD protocol allows full control of an LPC microcontroller.

Because of this, it is critical that the port be insensitive to noise under a wide range of design conditions.

To make the SWD port insensitive to noise, an unlock or connection sequence must be executed before the port can be used.

The unlock sequence consists of several different steps.

SWD Unlock Sequence Steps

step numberdescription

  • 1 The Host needs to switch the target from JTAG to SWD mode by clocking 0xE79E onto SWDCLK/SWDIO
  • 2 SWD connection sequence- clock out more than 50 binary 1s
  • 3 Must read the Debug Port IDCODE register (address 0)
  • 4 Turn on Debug Port by settings bits 28 and 30 at DP address 4
  • 5 Write AP select (debug port address 8) to 0xF0 (to prep for AP read of 0xFC)
  • 6 Unlock Access Port by reading AP ID register (AP address 0xFC)

 

Read_IDCODE.png

Send_0xE79E.png

 

Programming internal SRAM over SWD

1. Introduction
This documentation describe how to programming ARM Cortex M3 internal SRAM over SWD(Serial Wire Debug) interface.
For this purpose, something we too know.
SWD communication protocol.
We need to know Low level timing requirement, that is foundation to exchange command and data between debugger and target MCU.
Read/write data from/to internal SRAM.
We need to know how to program firmware into desired address, like SRAM(0x20000000).
That needs us to know SW-DAP registers usage. Pass address and data over those registers and then into internal SRAM.
Make code running from SRAM.
We need to change vector table entry from internal flash to SRAM; And SP and PC also needed change to SRAM location.
That need us to know the cortex M3 debug and system registers usage.
 
We choose Silabs SiM3U167 as target MCU in this implementation.
We implement a high level protocol with python script, it calls Silabs provided DLL file interface to access Silabs USB Debug Adapter.
Also, we provide a firmware running from C8051F380,
it contains a full implementation on both low level communicating timing and high level programming SRAM protocol.
 
2. Serial Wire Debug overview
Serial Wire Debug (SWD) is a 2-pin (SWDIO/SWCLK) electrical alternative JTAG interface that has the same JTAG protocol on top.
SWD uses an ARM CPU standard bi-directional wire protocol, defined in the ARM Debug Interface v5.
This enables the debugger to become another AMBA bus master for access to system memory and peripheral or debug registers.
The Debug Access Port(DAP) is split into two main control units. the Debug Port (DP) and the Access Port (AP),
and the physical connection to the debugger is part of the DP.
 
The DAP supports two types of access, Debug Port (DP) accesses and Access Port (AP)accesses.
External device to communicate directly with Serial Wire Debug Port(SW-DP) over SWDIO/SCLK pins.
And SW-DP in turn can access one or several Access Ports(APs) the give access to the rest of the system.
The MEM-AP is important AP which provide a way to access all memory and peripheral registers residing on the internal AHB/APB buses.
Figure 1 ARM Debug Interface MEM-AP Implementation
 
One of the four registers within the DP is the AP Select Register, SELECT.
This register specifies a particular Access Port, and a bank of four 32-bit words within the register map of that AP.
It enables up to 256 Access Ports to be implemented, and gives access to any one of 16 four-word banks of registers on the selected AP.
 
3. SWD protocol
 
This section gives an overview of the bi-directional operation of the protocol.
It illustrates each of the possible sequences of operations on the Serial Wire Debug interface data connection.
 
3.1. Connection and line reset sequence
 
The SW-DP must use connection sequence of 50 clock cycles with data = 1.
And this sequence is also used as a line reset sequence which requires 50 consecutive 1s on the data input.
 
JTAG to SWD switching
 
SWJ-DP enables either an SWD or JTAG protocol to be used on the debug port.
To do this, it implements a watcher circuit that detects a specific 16-bit selection sequence on the SWDIOTMS pin:
 
The 16-bit JTAG-to-SWD select sequence is defined to be 0b0111100111100111, MSB first.
This can be represented as 16'h79E7 if transmitted MSB first or 16'hE79E if transmitted LSB first.
 
The host must read IDCODE register after line request sequence.
This requirement gives confirmation that correct packet frame alignment has been achieved.
 
3.2. Successful transaction operation
 
A successful transaction contains three phases.
·         Host sending an eight-bit write packet request to target.
·         Target response with a three-bit OK acknowledge to host.
·         A 33-bit data phase, either from host or target depends on write/read operation.
 
Figure 2 Serial Wire Debug successful write operation

 

3.2.1. Packet request phase

The request phase consists of 8 bits. The meaning of each bit in the request is illustrated below.
·         Start -- A single start bit, with value 1.
·         APnDP -- A single bit, indicating whether the Debug Port or the Access Port Access Register is to be accessed. 1 for accessing AP.
·         RnW -- A single bit, this bit is 0 for an write access, or 1 for a read access.
·         A[2:3] -- Two bits, giving the A[3:2] address field for the DP or AP register address.
·         Parity -- A single odd parity bit is made over the APnDP, RnW and A[2:3] bits. The number of bits set to 1 is odd, then the parity bit is set to 1.
·         Stop -- A single stop bit. In the synchronousSWD protocol this is always 0.
·         Park -- A single bit, with value 1.
 
3.2.2. Acknowledge response phase
ACK phase is a three-bit(LSB-first) target to host response. Three type ACK response.
·         OK Response -- It indicates successful operation, value is b001.
·         WAIT response -- The host must retry the operation later, value is b010.
·         FAULT response -- If the target responds with FAULT, an error has occurred and one of the sticky bits in CTRL/STAT is set. The host can check the sticky error bits to see what kind of error has occurred. It must clear the sticky bits in ABORT register before using any AP commands, because the target will always respond with FAULT as long as one of the sticky error bits are set. Value is b100.
 
3.2.3. Data transfer phase
It contains 32 data bits and 1 parity bit. The The parity check is made over the 32 data bits. The number of bits set to 1 is odd, then the parity bit is set to 1.
 
3.2.4. Turnaround period
From figure above, there is Trn -- Turnaround period between each phase. Every time the SWDIO changes data direction, a one-cycle turnaround period is inserted which both sides should ignore. This means there is always a turnaround period between the request and acknowledge. On a write request, there is a turnaround period between acknowledge and the data phase. On a read request there is a a turnaround after the data phase.
 
4. Serial Write Debug Port(SW-DP) Registers
This section will give a brief overview over the SW-DP registers.
Table 1 SW-DP registers
Address
Read
Write
0x00
IDCODE
ABORT
0x04
CTRL/STAT
CTRL/STAT
0x08
RESEND
SELECT
0x0C
RDBUFF
N/A
4.1. The Identification Code Register, IDCODE
IDCODE register provides a identification information about SW-DP.
On the EFM32 or SiM3U devices with a Cortex-M3 or Cortex-M4 core this register should read 0x2BA01477.
For devices with a CortexM0+ core the register should read 0x0BC11477.
 
4.2. The AP Abort Register, ABORT
ABORT register main purpose is to force a DAP abort, and on a SW-DP it is also used to clear error and sticky flag conditions.
Here are the bit assignments of AP Abort register.
Table 2 ABORT register bit assignments
Bits
Function
Description
[31:5]
-
Reserved
[4]
ORUNERRCLR
Write 1 to this bit to clear the STICKYORUN overrun error flag to 0.
[3]
WDERRCLR
Write 1 to this bit to clear the WDATAERR write data error flag to 0
[2]
STKERRCLR
Write 1 to this bit to clear the STICKYERR sticky error flag to 0.
[1]
STKCMPCLRa
Write 1 to this bit to clear the STICKYCMP sticky compare flag to 0.
[0]
DAPABORT
Write 1 to this bit to generate a DAP abort. This aborts the current AP transaction. Do this only if the debugger has received WAIT responses over an extended period.
You might want to find what caused the flag to be set to 1. Typically:
·         For the STICKYCMP or STICKYERR flag, you must find which location was accessed to cause the flag to be set to 1.
·         For the WDATAERR flag, you must resend the corrupted data.
·         For the STICKYORUN flag, you must find which DP or AP transaction caused the overflow. You then have to repeat your transactions from that point.
 
4.3. The Control/Status Register, CTRL/STAT
 
CTRL/STAT register provides control of the DP and status information about the DP.
Figure 3 Control/Status Register bit assignments
         Bit [28] CDBGPWRUPREQ is the signal from the debug interface to the power controller, used to request the system power controller to fully power-up and enable clocks in the debug power domain.
·         Bit [30] CSYSPWRUPREQ is the signal from the debug interface to the power controller, used to request the system power controller to fully power-up and enable clocks in the system power domain.
The debugger must write a 1 to the CDBGPWRUPREQ and CSYSPWRUPREQ bits before using the AHB-AP. The STICKYERR bit is set if an error is returned by a AP transaction. While the STICKYERR bit is set any SWD request will return a FAULT response. To clear the STICKYERR bit, use the ABORT register.
 
4.4. The AP Select Register, SELECT
SELECT register specifies a particular Access Port, and a bank of four 32-bit words within the register map of that AP. It enables up to 256 Access Ports to be implemented, and gives access to any one of 16 four-word banks of registers on the selected AP.
Table 3 Bit assignments for the AP Select Register, SELECT
Bits
Function
Description
[31:24]
APSEL
Selects the current AP.
[7:4]
APBANKSEL
Selects the active four-word register bank on the current AP
 
4.5. The Read Buffer, RDBUFF
RDBUFF register return the result of a previous read, without initiating a new AP transaction.
If you require the value from an AP register read, that A read of the DP Read Buffer must be followed.
 
5. Memory Access Port(MEM-AP) Registers
 
A MEM-AP provides a DAP with access to a memory subsystem.
Since memory, peripherals and debug components are all memory mapped,
the MEM-AP can be used to both program and debug Cortex M3.
Table 4 MEM-AP registers
Address
Bank
Function
Description
0x00
0x00
CSW
Control/Status Word Register
0x04
0x00
TAR
Transfer Address Register
0x0C
0x00
DRW
Data Read/Write Register
0xFC
0x0F
IDR
Identification Register
 
5.1. Control/Status Word (CSW) Register
CSW register configures and controls accesses through the MEM-AP to or from a connect memory system.
Table 5 Bit assignments for the MEM-AP Control/Status Word Register, CSW
Bits
Function
Description
[30:24]
Prot
Bus access protection control. This field enables the debugger to specify protection flags for a debug access.
[5:4]
AddrInc
Address auto-increment and packing mode.
[2:0]
Size
b000: 8 bits; b001: 16 bits; b010: 32 bits
 
5.2. The Transfer Address Register (TAR)
TAR register holds the memory address to be accessed. The contents of TAR can be incremented automatically on a successful DRW access with b01 set in AddrInc field of CSW register.
 
5.3. The Data Read/Write Register (DRW)
DRW register is used to either write or read from the address held in TAR. To write a value to an internal memory address, first write the address to the TAR register, then write the value to DRW. To read a memory address, first write the address to TAR, then read the value in DRW.
 
5.4. The Identification Register, (IDR)
IDR register identifies the Access Port. To read this register, the APBANKSEL field should be set to 0xF. And then IDR register can be read with address 0x0C(ADDR[3:2] = b11). The IDR register should return the value 0x24770011 on devices with a Cortex-M3 or Cortex-M4 core. On devices with a Cortex-M0+ it should return 0x0477003
 
6. Debug and system Registers
 
This section will go through the Cortex M3 Debug registers. With debug registers, we can set core into halt mode and can change core registers, like SP or PC.
Table 6 Debug and system registers
Address
Name
Description
0xE000EDF0
DHCSR
Debug Halting Control and Status Register
0xE000EDF4
DCRSR
Debug Core Register Selector Register
0xE000EDF8
DCRDR
Debug Core Register Data Register
0xE000EDFC
DEMCR
Debug Exception and Monitor Control Register
0xE000ED0C
AIRCR
Application Interrupt and Reset Control Register
 
6.1. Debug Halting Control and Status Register, DHCSR
DHCSR register controls halting debug. Halting debug is enabled when C_DEBUGEN is set to 1.
Table 7 DHCSR bit assignments
Bits
Name
Function
[31:16]
DBGKEY
Debug key: A debugger must write 0xA05Fto this field to enable write accesses to bits [15:0], otherwise the processor ignores the write access.
[16]
S_REGRDY
A handshake flag for transfers through the DCRDR: 0 = There has been a write to the DCRDR, but the transfer is not complete; 1 = The transfer to or from the DCRDR is complete.
[0]
C_DEBUGEN
Halting debug enable bit: 1 = Enabled
 
6.2. Debug Core Register Selector Register, DCRSR
DCRSR register provides debug access to the ARM core registers, special-purpose registers, and Floating-point extension registers. A write to DCRSR specifies the resister to transfer.
Table 8 DCRSR bit assignments
Bits
Name
Function
[16]
REGWnR
0 = read; 1= write
[6:0]
REGSEL
Specifies the ARM core register, special-purpose register, or Floating-point extension register, to transfer: R0-R12, SP, LR, DebugReturnAddr, xPSR, MSP, PSP, etc.
DebugReturnAddress is the address of the first instruction to be executed on exit from Debug state.
 
6.3. Debug Core Register Data Register, DCRDR
DCRDR register provides debug access to ARM core register, special-purpose registers,and Floating-point extension registers. The DCRDR is the data register for these accesses.
Use of DCRSR and DCRDR
·         To transfer a data word to an ARM core register, special-purpose register, orFloating-point extension register, a debugger:
o    Writes the required word to DCRDR.
o    Writes to the DCRSR, with the REGSEL value indicating the required register, and the REGWnR bit as 1 to indicate a write access. This write clears the DHCSR S_REGRDY bit to 0.
o    If required, polls DHCSR until DHCSR.S_REGRDY reads-as-one. This shows that the processor has transferred the DCRDR value to the selected register.
·         To transfer a data word from an ARM core register, special-purpose register, or Floating-point extension register, a debugger:
o    Writes to the DCRSR, with the REGSEL value indicating the required register, and the REGWnR bit as 0 to indicate a read access. This write clears the DHCSR.S_REGRDY bit to 0.
o    Polls DHCSR until DHCSR.S_REGRDY reads-as-one. This shows that the processor has transferred the value of the selected register to DCRDR.
o    Reads the required value from DCRDR.
 
6.4. Debug Exception and Monitor Control Register, DEMCR
DEMCR register manages vector catch behavior and DebugMonitor handling when debugging. Bits [23:16] provide DebugMonitor exception control. Bits [15:0] provide Debug state, halting debug, control.
Table 9 DEMCR bit assignments
Bits
Name
Function
[10]
VC_HARDERR
Enable halting debug trap on a HardFault exception
[9]
VC_INTERR
Enable halting debug trap on a fault occurring during exception entry or exception return.
[8]
VC_BUSERR
Enable halting debug trap on a BusFault exception.
[7]
VC_STATERR
Enable halting debug trap on a UsageFault exception caused by a state information error, for example an Undefined Instruction exception.
[6]
VC_CHKERR
Enable halting debug trap on a UsageFault exception caused by a checking error, for example an alignment check error.
[5]
VC_NOCPERR
Enable halting debug trap on a UsageFault caused by an access to a Coprocessor.
[4]
VC_MMERR
Enable halting debug trap on a MemManage exception.
[0]
VC_CORERESET
Enable Reset Vector Catch. This causes a Local reset to halt a running system.
Vector catch is the mechanism for generating a debug event and entering Debug state when a particular exception occurs. Vector catching is only supported by halting debug.
 
6.5. Application Interrupt and Reset Control Register, AIRCR
AIRCR register sets or returns interrupt control data.
Table 10 AIRCR bit assignments
Bits
Name
Function
[31:16]
VECTKEY
Vector Key. Register writes must write 0x05FAto this field, otherwise the write is ignored.On reads, returns 0xFA05.
[15]
ENDIANNESS
0 = Little endian; 1 = Big endian
[10:8]
PRIGROUP
Priority grouping
[2]
SYSRESETREQ
Writing 1 to this bit asserts a signal to the external system to request a Local reset.
[1]
VECTCLRACTIVE
Writing 1 to this bit clears all active state information for fixed and configurable exceptions.
[0]
VECTRESET
Writing 1 to this bit causes a local system reset.
 
7. SRAM programing
This section demonstrate step by step how to programming internal SRAM over SWD.
 
7.1. Initialization
Before suing the SW-DP an initialization sequence must be performed to establish communication and bring the SW-DP to a know state.
·         Send more than 50 SWCLKTCK cycles with SWDIOTMS=1. This ensures that both SWD and JTAG are in their reset states.
·         Send the 16-bit JTAG-to-SWD select sequence on SWDIOTMS
·         Send more than 50 SWCLKTCK cycles with SWDIOTMS=1. This ensures that if SWJ-DP was already in SWD mode, before sending the select sequence, the SWD goes to line reset.
·         Perform a READID to validate that SWJ-DP has switched to SWD operation.
 
7.2. Halt the core
Before programming internal SRAM, the ARM Cortex M3 should first be reset and halted. It gets the core and peripherals into a know state and prohibit the core from accidentally running partial code while writing the program.
There debug and system registers and one Silabs extent AP register CHIPAP_CTRL1 are used for this purpose. CHIPAP_CTRL1 address = 0x1, APSEL = 0x0A. bit 3 core_reset_ap, To hold the CortexM3 core in reset this bit should be written to one.
The process is as follow:
·         Write 0x08 to CHIPAP_CTRL1.
·         Write 0xA05F0001 to DHCSR, which halting debug enabled.
·         Write 0x01 to DEMCR. This enable Reset Vector Catch.
·         Write 0xFA050004 to AIRCR. This reset the core.
·         Write 0x00 to CHIPAP_CTRL1.
Now the core will be halted on first instruction and all peripherals and registers will have their reset value.
 
7.3. Memory and core register access.
 
7.3.1 Access memory
·         Set 32 bit width and auto increment in CSW register.
·         Write memory address in TAR register
·         Access DRW register for read/write data.
Here is the python script example
def swd_write_mem(uda, address, data_ws, length):
    # Auto increment addresses
    uda.QueueWrite(DP_SELECT, MEMAP_BANK_0)
    uda.QueueWrite(MEMAP_CSW, 0x23000012)
    uda.QueueWrite(MEMAP_TAR, address)
    for x in range (0, length):
        uda.QueueWrite(MEMAP_DRW, data_ws[x])
        uda.StartTransfers()

def swd_read_mem(uda, address, length):
    data_ws = []
    # Auto increment addresses
    uda.QueueWrite(DP_SELECT, MEMAP_BANK_0)
    uda.QueueWrite(MEMAP_CSW, 0x23000012)
    uda.QueueWrite(MEMAP_TAR, address)
    for x in range (0, length):
        uda.QueueRead(MEMAP_DRW)
        data_ws.append(uda.StartTransfers()[0])
    return data_ws

 7.3.2 Access core registers

Read:
·         Set 32 bit width in CSW register
·         Write DCRSR address into TAR register.
·         Write core register index Rn into DRW register.
·         Write DCRDR address into TAR register.
·         Read core register value from DRW register.
Write:
·         Set 32 bit width in CSW register
·         Write DCRDR address into TAR register.
·         Write core value into DRW register.
·         Write DCRSR address into TAR register.
·         Write core register index Rn and REGWnR = 1 into DRW register.
Here is the python script example
def swd_write_core_register(uda, n, val):
    uda.QueueWrite(DP_SELECT, MEMAP_BANK_0)
    uda.QueueWrite(MEMAP_CSW, 0x23000002)
    uda.QueueWrite(MEMAP_TAR, DCRDR)
    uda.QueueWrite(MEMAP_DRW, val)
    uda.StartTransfers()
    uda.QueueWrite(MEMAP_TAR, DCRSR)
    uda.QueueWrite(MEMAP_DRW, n | (1 << 16))
    uda.StartTransfers()

def swd_read_core_register(uda, n):
    uda.QueueWrite(DP_SELECT, MEMAP_BANK_0)
    uda.QueueWrite(MEMAP_CSW, 0x23000002)
    uda.QueueWrite(MEMAP_TAR, DCRSR)
    uda.QueueWrite(MEMAP_DRW, n)
    uda.StartTransfers()
    uda.QueueWrite(MEMAP_TAR, DCRDR)
    uda.QueueRead(MEMAP_DRW)
    val = uda.StartTransfers()[0]
    return val

 7.3.3 Programming firmware into internal SRAM

The process is followed
·         Read firmware from disk.
·         Write firmware into internal SRAM by swd_write_mem() function.
·         Read back firmware by swd_read_mem() to verify the integrity.
·         Update vector table entry in 0xe000ed08 to SRAM start position 0x20000000.
·         Update R15(PC) with reset vector address. It locates at second word position in firmware.
·         Update R13(SP) with stack address defined in first word in firmware.
·         Exist debug mode by writing 0xA05F0000 into DHCSR register.
Here is the python script example
 f = open("sim3u1xx_USBHID_ram.bin",mode = 'rb')
    data = f.read()
    swd_write_mem(uda, 0x20000000, data, len)
    .
    .
    .
    swd_write_mem(uda, 0xe000ed08, 0x20000000, 1)
    swd_write_core_register(uda, 15, data[1]& 0xFFFFFFFE)
    swd_write_core_register(uda, 13, data[0])
    write_AHB(uda, DHCSR, 0xA05F0000)

 

Then we can see firmware runs from internal SRAM.
 
8. Source code
 
9. Reference
·         Adi5 ARM Debug Interface v5 Architecture Specification.
·         Adi51 ARM Debug Interface v5 Architecture Specification ADIv5.1 Supplement.
·         Cm3trm Cortex-M3 Revision r2p1 Technical Reference Manual
·         ARMv7-M ARMv7-M Architecture Reference Manual
·         CoreSight DAP-Lite CoreSight DAP-Lite Technical Reference Manual
 
LICENSE
 
The MIT License (MIT)
Copyright (c) 2014 Mark Ding(mark.ding@hotmail.com)
 
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sub-license, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
posted @ 2015-08-21 18:46  IAmAProgrammer  阅读(21908)  评论(0编辑  收藏  举报