# HG changeset patch # User Mychaela Falconia # Date 1540536107 0 # Node ID dc0e9c91d54a8ef76173c49e57f7b236f9fabfbc # Parent 43829da8231240148523b710183467edf768398c Flash-boot-modes article added (migrated from freecalypso-tools) diff -r 43829da82312 -r dc0e9c91d54a Flash-boot-modes --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/Flash-boot-modes Fri Oct 26 06:41:47 2018 +0000 @@ -0,0 +1,53 @@ +The Calypso chip includes an on-die boot ROM that allows the boot process to be +interrupted and diverted by an external host sending some special characters +into either of the two UARTs; this mechanism is what allows us to load code into +RAM and to reload the flash on Calypso GSM devices without having to resort to +JTAG or chip desoldering or other extreme measures. In normal operation, when +the boot path is NOT being diverted by an external serial download, the boot ROM +transfers control to the regular firmware in the flash - but there are two +different modes in which the flash fw image may be booted. + +In order for the flash fw image to be considered bootable by the Calypso boot +ROM, the 32-bit word at flash address 0x2000 must equal either 0 or 1; if it +equals any other value, the boot ROM will consider the flash fw image to be +invalid (e.g., blank flash) and will wait forever for a serial download instead +of proceeding with flash boot. Depending on whether this word at 0x2000 equals +0 or 1, the flash fw image will be booted in one of two very different ways; +we shall call them flash boot mode 0 and flash boot mode 1, respectively. + +In flash boot mode 0 the following 32-bit word at flash address 0x2004 must +contain the address of the flash fw image entry point (ARM/Thumb selection in +the least-significant bit); the boot ROM will simply jump to this address with +a BX instruction. When the flash fw image is booted in this manner, the boot +ROM is still mapped at address 0 and the first 8 KiB of flash are inaccessible +except via the 0x03000000 alternate mapping, unless the firmware later changes +the FFFF:FB10 register. This boot mode is intended for flash fw images that +use the interrupt and exception vectors in the ROM (branching to IRAM addresses +0x80001C-0x800034) for their interrupt and exception handling. + +Flash boot mode 1 is different: instead of jumping directly to the flash fw +image, the boot ROM copies a small piece of its code into IRAM and jumps to that +code; the copied code disables the boot ROM via the FFFF:FB10 register (puts +the external flash at address 0) and induces a processor reset through the +watchdog timer. It is not clear to us exactly what blocks are affected by the +watchdog reset, but bits 9:8 of the FFFF:FB10 register are not reset, hence +the ARM processor now boots from the reset vector in the flash as if the boot +ROM weren't there - and the latter really is not there after having disabled +itself. + +Flash boot mode 0 is only usable on Calypso C035 silicon (the "new" kind); +while all commercial Calypso GSM devices targeted by FreeCalypso feature Calypso +chips of the correct "new" kind, the people at TI who wrote and maintained their +official firmware also had to work with older Calypso C05 chips featured on the +early D-Sample and Leonardo boards. The earlier boot ROM code version in those +early Calypso chips also implements the two boot modes which we call mode 0 and +mode 1, but its implementation of mode 0 is broken and unusable, therefore TI's +firmware people only used flash boot mode 1. On the other hand, newer firmware +designs made for current rather than historical hardware will probably find +mode 0 to be cleaner, more intuitive and more convenient. + +All TI official firmwares use flash boot mode 1, our FreeCalypso Magnetite +firmware does likewise, being a direct derivative of TI's TCS211 fw, but our +gcc-built FC Selenite firmware uses flash boot mode 0, as the assembly code +pieces and linker script magic are entirely new (our own original design) in +the gcc-built version.