JTAG on HiKey
I've been working on getting a open source JTAG debugging solution working on HiKey. This page documents the current status, and how to get this setup and working.
The first step is to solder on the JTAG connector. The unpopulated header is at J10 on the underside of the circuit board. The connector that you need to buy is a "FTSH-105-01-L-DV". It can be purchased from Farnell here (note the image is for a larger connector).
http://uk.farnell.com/samtec/ftsh-105-01-l-dv/header-1-27mm-smd-10way/dp/1667759
Once the connector is soldered on it should look something like this
OpenOCD supports many different JTAG dongles. The one I choose to use was the TinCanTools flyswatter2, which is $89 from http://www.tincantools.com/JTAG/Flyswatter2.html. This is a FTDI based device which is well supported in OpenOCD. The flyswatter2 comes with a variety of cables and adapters. I'm using the standard ARM 20 pin cable. I have then purchased a JTAG (2x10 2.54mm) to SWD (2x5 1.27mm) Cable Adapter Board from AdaFruit along with a 10 pin 2x5 1.27mm cable
- http://www.adafruit.com/products/2094?utm_source=contextly&utm_medium=module-related&utm_campaign=129798
- See http://www.adafruit.com/products/1675?utm_source=contextly&utm_medium=module-related&utm_campaign=129798
Once this is all connected it should look something like this
The armv8 code isn't currently merged to mainline, the latest code I've found is on the following gerrit http://openocd.zylin.com/#/c/2523/.
A GIT repo which is based off this gerrit which also includes a includes a hi6220 configuration file can be cloned here
git clone ssh://git@git.linaro.org:/people/peter.griffin/openocd-code
git checkout armv8
cd openocd-code
git submodule update --init --recursive
autoreconf -iv
Install any pre-requisite libraries (e.g. FTDI libs if your JTAG is FTDI based)
cd openocd-code
export PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig/
./configure --enable-ftdi
make
make install
Firstly ensure everything is connected like the photo above, and power on the board. Then issue the following command
src/openocd -f ./tcl/interface/ftdi/flyswatter2.cfg -f ./tcl/target/hi6220.cfg
If all goes well you should see trace like the following: -
Open On-Chip Debugger 0.9.0-dev-00241-gd356c86-dirty (2015-07-10-08:20)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.sourceforge.net/doc/doxygen/bugs.html
adapter speed: 10 kHz
Error: session transport was not selected. Use 'transport select <transport>'
Info : session transport was not selected, defaulting to JTAG
jtag_ntrst_delay: 100
trst_and_srst combined srst_gates_jtag trst_push_pull srst_open_drain connect_deassert_srst
hi6220.cpu
Info : clock speed 10 kHz
Info : JTAG tap: hi6220.dap tap/device found: 0x5ba00477 (mfg: 0x23b, part: 0xba00, ver: 0x5)
Info : hi6220.cpu: hardware has 6 breakpoints, 4 watchpoints
If you see trace like this
Open On-Chip Debugger 0.9.0-dev-00241-gd356c86-dirty (2015-07-10-08:20)
Licensed under GNU GPL v2
For bug reports, read
http://openocd.sourceforge.net/doc/doxygen/bugs.html
adapter speed: 10 kHz
Error: session transport was not selected. Use 'transport select <transport>'
Info : session transport was not selected, defaulting to JTAG
jtag_ntrst_delay: 100
trst_and_srst combined srst_gates_jtag trst_push_pull srst_open_drain connect_deassert_srst
hi6220.cpu
Info : clock speed 10 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: hi6220.dap: IR capture error; saw 0x0f not 0x01
Warn : Bypassing JTAG setup events due to errors
Warn : Invalid ACK 0x7 in JTAG-DP transaction
Check the following: -
- Soldering of the JTAG connector
- The cables are plugged in securely
- The board is correctly powered.
- Everything is connected like in the photo above
Once openocd has connected to the target you can connect via the telnet interface.
telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
number of cache level 2
cache l2 present :not supported
hi6220.cpu cluster 0 core 0 multi core
target state: halted
target halted in ARM64 state due to debug-request, current mode: EL2H
cpsr: 0x800003c9 pc: 0x3ef7e908
MMU: disabled, D-Cache: disabled, I-Cache: disabled
This command was issued whilst sat at the u-boot prompt.
> reg
===== arm v8 registers
(0) r0 (/64): 0x0000000000000090 (dirty)
(1) r1 (/64): 0x00000000F8015000
(2) r2 (/64): 0x000000003EF9C000
(3) r3 (/64): 0x0000000000000018
(4) r4 (/64): 0x000000003EFA3B88
(5) r5 (/64): 0x0000000000000100
(6) r6 (/64): 0x0000000000000000
(7) r7 (/64): 0x0000000000000001
(8) r8 (/64): 0x000000003EF9BC50
(9) r9 (/64): 0x0000000009F61000
(10) r10 (/64): 0x000000003E75C468
(11) r11 (/64): 0x000000003EF8F000
(12) r12 (/64): 0x000000000000000F
(13) r13 (/64): 0x0000000000000000
(14) r14 (/64): 0x0000000000000000
(15) r15 (/64): 0x0000000000000000
(16) r16 (/64): 0x0000000000000000
(17) r17 (/64): 0x0000000000000000
(18) r18 (/64): 0x000000003E75EE38
(19) r19 (/64): 0x000000003EFBACF0
(20) r20 (/64): 0x000000003EFBACF0
(21) r21 (/64): 0x0000000000000009
(22) r22 (/64): 0x000000003EF99799
(23) r23 (/64): 0x000000003EF90C00
(24) r24 (/64): 0x000000003EFBA000
(25) r25 (/64): 0x0000000000000000
(26) r26 (/64): 0x0000000000000001
(27) r27 (/64): 0x0000000000000000
(28) r28 (/64): 0x000000003EF8E000
(29) r29 (/64): 0x000000003E75EBE0
(30) r30 (/64): 0x000000003EF77798
(31) sp (/64): 0x000000003E75EBE0
(32) pc (/64): 0x000000003EF7E908
(33) xPSR (/64): 0x00000000800003C9
> bp 0x35000000 4 hw
breakpoint set at 0x 35000000
> resume
and in u-boot force the processor to jump to this address (which is the start of u-boot)
INFO: BL3-1: Preparing for EL3 exit to normal world
INFO: BL3-1: Next image address = 0x35000000
INFO: BL3-1: Next image spsr = 0x3c9
U-Boot 2015.04-00007-g1b3d379-dirty (May 27 2015 - 10:18:16) hikey_aemv8a
DRAM: 1008 MiB
MMC: sd_card_detect: SD card present
HiKey DWMMC: 0, HiKey DWMMC: 1
In: serial
Out: serial
Err: serial
Net: Net Initialization Skipped
No ethernet found.
Hit any key to stop autoboot: 0
# go 0x35000000
## Starting application at 0x35000000 ...
you can see in OpenOCD telnet we hit the breakpoint
target state: halted
target halted in ARM64 state due to breakpoint, current mode: EL2H
cpsr: 0x600003c9 pc: 0x35000000
MMU: disabled, D-Cache: disabled, I-Cache: disabled
now remove the breakpoint so we can try single stepping
rbp 0x35000000
> step
target state: halted
target halted in ARM64 state due to breakpoint, current mode: EL2H
cpsr: 0x600003c9 pc: 0x35000028
MMU: disabled, D-Cache: disabled, I-Cache: disabled
timeout waiting for target halt
in procedure 'step'
> step
target state: halted
target halted in ARM64 state due to breakpoint, current mode: EL2H
cpsr: 0x600003c9 pc: 0x3500002c
MMU: disabled, D-Cache: disabled, I-Cache: disabled
timeout waiting for target halt
in procedure 'step'
> step
target state: halted
target halted in ARM64 state due to breakpoint, current mode: EL2H
cpsr: 0x600003c9 pc: 0x35000030
MMU: disabled, D-Cache: disabled, I-Cache: disabled
timeout waiting for target halt
in procedure 'step'
<snip>
> step
target state: halted
target halted in ARM64 state due to breakpoint, current mode: EL2H
cpsr: 0x600003c9 pc: 0x35000074
MMU: disabled, D-Cache: disabled, I-Cache: disabled
timeout waiting for target halt
in procedure 'step'
> step
target state: halted
target halted in ARM64 state due to breakpoint, current mode: EL2H
cpsr: 0x600003c9 pc: 0x35000084
MMU: disabled, D-Cache: disabled, I-Cache: disabled
timeout waiting for target halt
in procedure 'step'
> step
target state: halted
target halted in ARM64 state due to breakpoint, current mode: EL2H
cpsr: 0x600003c9 pc: 0x35000090
MMU: disabled, D-Cache: disabled, I-Cache: disabled
timeout waiting for target halt
in procedure 'step'
We can validate the last few single steps, with a disassembly of the u-boot binary. You can see that that to validate what happened
0000000035000028 <reset>:
35000028: 10003ec0 adr x0, 35000800 <vectors>
3500002c: d5384241 mrs x1, currentel
35000030: f100303f cmp x1, #0xc
35000034: 540000a0 b.eq 35000048 <reset+0x20>
35000038: f100203f cmp x1, #0x8
3500003c: 54000160 b.eq 35000068 <reset+0x40>
35000040: f100103f cmp x1, #0x4
35000044: 540001a0 b.eq 35000078 <reset+0x50>
35000048: d51ec000 msr vbar_el3, x0
3500004c: d53e1100 mrs x0, scr_el3
35000050: b2400c00 orr x0, x0, #0xf
35000054: d51e1100 msr scr_el3, x0
35000058: d51e115f msr cptr_el3, xzr
3500005c: 580005a0 ldr x0, 35000110 <c_runtime_cpu_setup+0x3c>
35000060: d51be000 msr cntfrq_el0, x0
35000064: 14000008 b 35000084 <reset+0x5c>
35000068: d51cc000 msr vbar_el2, x0
3500006c: d2867fe0 mov x0, #0x33ff // #13311
35000070: d51c1140 msr cptr_el2, x0
35000074: 14000004 b 35000084 <reset+0x5c>
35000078: d518c000 msr vbar_el1, x0
3500007c: d2a00600 mov x0, #0x300000 // #3145728
35000080: d5181040 msr cpacr_el1, x0
35000084: 94000003 bl 35000090 <apply_core_errata>
35000088: 9400000b bl 350000b4 <lowlevel_init>
3500008c: 940004d7 bl 350013e8 <_main>
0000000035000090 <apply_core_errata>:
35000090: aa1e03fd mov x29, x30
35000094: d5380000 mrs x0, midr_el1
> halt
number of cache level 2
cache l2 present :not supported
hi6220.cpu cluster 0 core 0 multi core
target state: halted
target halted in ARM64 state due to debug-request, current mode: EL2H
cpsr: 0x800003c9 pc: 0x3ef7e908
MMU: disabled, D-Cache: disabled, I-Cache: disabled
> mww 0x36000000 0xdeadbeef
> resume
and then validate with u-boot
# md 0x36000000
36000000: deadbeef 555555d5 5c355555 5575555d .....UUUUU5\]UuU
> mdw 0x35000000 1
abort occurred - dscr = 0x0704725b
error
in procedure 'mdw'
DSCR is documented in H9.2.41 (page of 5155) of the ARM ARM. The cumulative error flag is set. We need to debug what is happening here.