# Raspberry Pi 4 Bringup

## OpenOCD

Figure out the DAP/TAP IDs of the ARM chip of the board and create a board config file for OpenOCD.

Follow this guide for RPi 3:

<https://www.suse.com/c/debugging-raspberry-pi-3-with-jtag/>

Note that DEBUG/CTI ports are different from A53.&#x20;

```
AP ID register 0x24770002
	Type is MEM-AP APB
MEM-AP BASE 0x80020003
	Valid ROM table present
		Component base address 0x80020000
		Peripheral ID 0x01000bfa97
		Designer is 0x1bf, Broadcom
		Part is 0xa97, Unrecognized 
		Component class is 0x1, ROM table
		MEMTYPE system memory not present: dedicated debug bus
	ROMTABLE[0x0] = 0x3e0003
		Component base address 0x80400000
		Peripheral ID 0x04001bb4a4
		Designer is 0x4bb, ARM Ltd.
		Part is 0x4a4, Cortex-A72 ROM (ROM Table)
		Component class is 0x1, ROM table
		MEMTYPE system memory not present: dedicated debug bus
	[L01] ROMTABLE[0x0] = 0x10003
		Component base address 0x80410000
		Peripheral ID 0x04001bbd08
		Designer is 0x4bb, ARM Ltd.
		Part is 0xd08, Cortex-A72 Debug (Debug Unit)
		Component class is 0x9, CoreSight component
		Type is 0x15, Debug Logic, Processor
	[L01] ROMTABLE[0x4] = 0x20003
		Component base address 0x80420000
		Peripheral ID 0x04004bb906
		Designer is 0x4bb, ARM Ltd.
		Part is 0x906, CoreSight CTI (Cross Trigger)
		Component class is 0x9, CoreSight component
		Type is 0x14, Debug Control, Trigger Matrix
	[L01] ROMTABLE[0x8] = 0x30003
		Component base address 0x80430000
		Peripheral ID 0x04001bb9d8
		Designer is 0x4bb, ARM Ltd.
		Part is 0x9d8, Cortex-A72 PMU (Performance Monitor Unit)
		Component class is 0x9, CoreSight component
		Type is 0x16, Performance Monitor, Processor
	[L01] ROMTABLE[0xc] = 0x40002
		Component not present
	[L01] ROMTABLE[0x10] = 0x110003
		Component base address 0x80510000
		Peripheral ID 0x04001bbd08
		Designer is 0x4bb, ARM Ltd.
		Part is 0xd08, Cortex-A72 Debug (Debug Unit)
		Component class is 0x9, CoreSight component
		Type is 0x15, Debug Logic, Processor
	[L01] ROMTABLE[0x14] = 0x120003
		Component base address 0x80520000
		Peripheral ID 0x04004bb906
		Designer is 0x4bb, ARM Ltd.
		Part is 0x906, CoreSight CTI (Cross Trigger)
		Component class is 0x9, CoreSight component
		Type is 0x14, Debug Control, Trigger Matrix
	[L01] ROMTABLE[0x18] = 0x130003
		Component base address 0x80530000
		Peripheral ID 0x04001bb9d8
		Designer is 0x4bb, ARM Ltd.
		Part is 0x9d8, Cortex-A72 PMU (Performance Monitor Unit)
		Component class is 0x9, CoreSight component
		Type is 0x16, Performance Monitor, Processor
	[L01] ROMTABLE[0x1c] = 0x140002
		Component not present
	[L01] ROMTABLE[0x20] = 0x210003
		Component base address 0x80610000
		Peripheral ID 0x04001bbd08
		Designer is 0x4bb, ARM Ltd.
		Part is 0xd08, Cortex-A72 Debug (Debug Unit)
		Component class is 0x9, CoreSight component
		Type is 0x15, Debug Logic, Processor
	[L01] ROMTABLE[0x24] = 0x220003
		Component base address 0x80620000
		Peripheral ID 0x04004bb906
		Designer is 0x4bb, ARM Ltd.
		Part is 0x906, CoreSight CTI (Cross Trigger)
		Component class is 0x9, CoreSight component
		Type is 0x14, Debug Control, Trigger Matrix
	[L01] ROMTABLE[0x28] = 0x230003
		Component base address 0x80630000
		Peripheral ID 0x04001bb9d8
		Designer is 0x4bb, ARM Ltd.
		Part is 0x9d8, Cortex-A72 PMU (Performance Monitor Unit)
		Component class is 0x9, CoreSight component
		Type is 0x16, Performance Monitor, Processor
	[L01] ROMTABLE[0x2c] = 0x240002
		Component not present
	[L01] ROMTABLE[0x30] = 0x310003
		Component base address 0x80710000
		Peripheral ID 0x04001bbd08
		Designer is 0x4bb, ARM Ltd.
		Part is 0xd08, Cortex-A72 Debug (Debug Unit)
		Component class is 0x9, CoreSight component
		Type is 0x15, Debug Logic, Processor
	[L01] ROMTABLE[0x34] = 0x320003
		Component base address 0x80720000
		Peripheral ID 0x04004bb906
		Designer is 0x4bb, ARM Ltd.
		Part is 0x906, CoreSight CTI (Cross Trigger)
		Component class is 0x9, CoreSight component
		Type is 0x14, Debug Control, Trigger Matrix
	[L01] ROMTABLE[0x38] = 0x330003
		Component base address 0x80730000
		Peripheral ID 0x04001bb9d8
		Designer is 0x4bb, ARM Ltd.
		Part is 0x9d8, Cortex-A72 PMU (Performance Monitor Unit)
		Component class is 0x9, CoreSight component
		Type is 0x16, Performance Monitor, Processor
	[L01] ROMTABLE[0x3c] = 0x340002
		Component not present
	[L01] ROMTABLE[0x40] = 0x0
	[L01] 	End of ROM table
	ROMTABLE[0x4] = 0x0
		End of ROM table

```

Use \`gdb-multiarch\`

```
(gdb) set architecture aarch64
(gdb) target remote :3333
```

## Boot Sequence

### Firmware Config

I set `config.txt` parameters as shown in `config.txt` column. In particular, `arm_64bit=1` needs to be set, otherwise `EL2` will be in `aarch32` mode. OpenOCD sucks at supporting `aarch32`.

The board loads `kernel8.img` to `0x80000` and jump there in `EL2H`, meaning Hypervisor mode with handler stack.

Interesting discoveries:

* `HCR.RW=0` This is not OK for a 64-bit kernel.
* The CPU supports some CRC instructions but not more advanced crypto instructions.
* Mix-endian, 16-bit ASID and 44-bit PA.

```
(gdb) disas
Dump of assembler code for function _start:
   0x0000000000080000 <+0>:	mrs	x0, sctlr_el2
   0x0000000000080004 <+4>:	mrs	x1, hcr_el2
   0x0000000000080008 <+8>:	mrs	x2, elr_el2
   0x000000000008000c <+12>:	mrs	x3, spsr_el2
   0x0000000000080010 <+16>:	mrs	x4, id_aa64isar0_el1
   0x0000000000080014 <+20>:	mrs	x5, id_aa64isar1_el1
   0x0000000000080018 <+24>:	mrs	x6, id_aa64mmfr0_el1
   0x000000000008001c <+28>:	mrs	x7, id_aa64mmfr1_el1
   0x0000000000080020 <+32>:	mrs	x8, id_aa64pfr0_el1
   0x0000000000080024 <+36>:	mrs	x9, id_aa64pfr1_el1
   0x0000000000080028 <+40>:	mrs	x10, vbar_el2
=> 0x000000000008002c <+44>:	b	0x8002c <_start+44>
End of assembler dump.
(gdb) p/x $x0
$1 = 0x30c50830
(gdb) p/x $x1
$2 = 0x0
(gdb) p/x $x2
$3 = 0x4050020039655fdd
(gdb) p/x $x3
$4 = 0x10
(gdb) p/x $x4
$5 = 0x10000
(gdb) p/x $x5
$6 = 0x0
(gdb) p/x $x6
$7 = 0x1124
(gdb) p/x $x7
$8 = 0x0
(gdb) p/x $x8
$9 = 0x2222
(gdb) p/x $x9
$10 = 0x0
(gdb) p/x $x10
$11 = 0x0


```

## Some Bare Metal Stuff

* Serial console Hello World
* Device memory reading from serial (for exploring devices/registers)
* Figure out initial state and optional features (crypto) for CPUs


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://xihan94.gitbook.io/raspberry-pi/raspberry-pi-4-bringup.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.