Raspberry Pi 4 Bringup

OpenOCD

Figure out the DAP/TAP IDs of the ARM chip of the board and create a board config file for OpenOCD.

Follow this guide for RPi 3:

https://www.suse.com/c/debugging-raspberry-pi-3-with-jtag/

Note that DEBUG/CTI ports are different from A53.

AP ID register 0x24770002
	Type is MEM-AP APB
MEM-AP BASE 0x80020003
	Valid ROM table present
		Component base address 0x80020000
		Peripheral ID 0x01000bfa97
		Designer is 0x1bf, Broadcom
		Part is 0xa97, Unrecognized 
		Component class is 0x1, ROM table
		MEMTYPE system memory not present: dedicated debug bus
	ROMTABLE[0x0] = 0x3e0003
		Component base address 0x80400000
		Peripheral ID 0x04001bb4a4
		Designer is 0x4bb, ARM Ltd.
		Part is 0x4a4, Cortex-A72 ROM (ROM Table)
		Component class is 0x1, ROM table
		MEMTYPE system memory not present: dedicated debug bus
	[L01] ROMTABLE[0x0] = 0x10003
		Component base address 0x80410000
		Peripheral ID 0x04001bbd08
		Designer is 0x4bb, ARM Ltd.
		Part is 0xd08, Cortex-A72 Debug (Debug Unit)
		Component class is 0x9, CoreSight component
		Type is 0x15, Debug Logic, Processor
	[L01] ROMTABLE[0x4] = 0x20003
		Component base address 0x80420000
		Peripheral ID 0x04004bb906
		Designer is 0x4bb, ARM Ltd.
		Part is 0x906, CoreSight CTI (Cross Trigger)
		Component class is 0x9, CoreSight component
		Type is 0x14, Debug Control, Trigger Matrix
	[L01] ROMTABLE[0x8] = 0x30003
		Component base address 0x80430000
		Peripheral ID 0x04001bb9d8
		Designer is 0x4bb, ARM Ltd.
		Part is 0x9d8, Cortex-A72 PMU (Performance Monitor Unit)
		Component class is 0x9, CoreSight component
		Type is 0x16, Performance Monitor, Processor
	[L01] ROMTABLE[0xc] = 0x40002
		Component not present
	[L01] ROMTABLE[0x10] = 0x110003
		Component base address 0x80510000
		Peripheral ID 0x04001bbd08
		Designer is 0x4bb, ARM Ltd.
		Part is 0xd08, Cortex-A72 Debug (Debug Unit)
		Component class is 0x9, CoreSight component
		Type is 0x15, Debug Logic, Processor
	[L01] ROMTABLE[0x14] = 0x120003
		Component base address 0x80520000
		Peripheral ID 0x04004bb906
		Designer is 0x4bb, ARM Ltd.
		Part is 0x906, CoreSight CTI (Cross Trigger)
		Component class is 0x9, CoreSight component
		Type is 0x14, Debug Control, Trigger Matrix
	[L01] ROMTABLE[0x18] = 0x130003
		Component base address 0x80530000
		Peripheral ID 0x04001bb9d8
		Designer is 0x4bb, ARM Ltd.
		Part is 0x9d8, Cortex-A72 PMU (Performance Monitor Unit)
		Component class is 0x9, CoreSight component
		Type is 0x16, Performance Monitor, Processor
	[L01] ROMTABLE[0x1c] = 0x140002
		Component not present
	[L01] ROMTABLE[0x20] = 0x210003
		Component base address 0x80610000
		Peripheral ID 0x04001bbd08
		Designer is 0x4bb, ARM Ltd.
		Part is 0xd08, Cortex-A72 Debug (Debug Unit)
		Component class is 0x9, CoreSight component
		Type is 0x15, Debug Logic, Processor
	[L01] ROMTABLE[0x24] = 0x220003
		Component base address 0x80620000
		Peripheral ID 0x04004bb906
		Designer is 0x4bb, ARM Ltd.
		Part is 0x906, CoreSight CTI (Cross Trigger)
		Component class is 0x9, CoreSight component
		Type is 0x14, Debug Control, Trigger Matrix
	[L01] ROMTABLE[0x28] = 0x230003
		Component base address 0x80630000
		Peripheral ID 0x04001bb9d8
		Designer is 0x4bb, ARM Ltd.
		Part is 0x9d8, Cortex-A72 PMU (Performance Monitor Unit)
		Component class is 0x9, CoreSight component
		Type is 0x16, Performance Monitor, Processor
	[L01] ROMTABLE[0x2c] = 0x240002
		Component not present
	[L01] ROMTABLE[0x30] = 0x310003
		Component base address 0x80710000
		Peripheral ID 0x04001bbd08
		Designer is 0x4bb, ARM Ltd.
		Part is 0xd08, Cortex-A72 Debug (Debug Unit)
		Component class is 0x9, CoreSight component
		Type is 0x15, Debug Logic, Processor
	[L01] ROMTABLE[0x34] = 0x320003
		Component base address 0x80720000
		Peripheral ID 0x04004bb906
		Designer is 0x4bb, ARM Ltd.
		Part is 0x906, CoreSight CTI (Cross Trigger)
		Component class is 0x9, CoreSight component
		Type is 0x14, Debug Control, Trigger Matrix
	[L01] ROMTABLE[0x38] = 0x330003
		Component base address 0x80730000
		Peripheral ID 0x04001bb9d8
		Designer is 0x4bb, ARM Ltd.
		Part is 0x9d8, Cortex-A72 PMU (Performance Monitor Unit)
		Component class is 0x9, CoreSight component
		Type is 0x16, Performance Monitor, Processor
	[L01] ROMTABLE[0x3c] = 0x340002
		Component not present
	[L01] ROMTABLE[0x40] = 0x0
	[L01] 	End of ROM table
	ROMTABLE[0x4] = 0x0
		End of ROM table

Use `gdb-multiarch`

(gdb) set architecture aarch64
(gdb) target remote :3333

Boot Sequence

Firmware Config

I set config.txt parameters as shown in config.txt column. In particular, arm_64bit=1 needs to be set, otherwise EL2 will be in aarch32 mode. OpenOCD sucks at supporting aarch32.

The board loads kernel8.img to 0x80000 and jump there in EL2H, meaning Hypervisor mode with handler stack.

Interesting discoveries:

• HCR.RW=0 This is not OK for a 64-bit kernel.

• The CPU supports some CRC instructions but not more advanced crypto instructions.

• Mix-endian, 16-bit ASID and 44-bit PA.

(gdb) disas
Dump of assembler code for function _start:
   0x0000000000080000 <+0>:	mrs	x0, sctlr_el2
   0x0000000000080004 <+4>:	mrs	x1, hcr_el2
   0x0000000000080008 <+8>:	mrs	x2, elr_el2
   0x000000000008000c <+12>:	mrs	x3, spsr_el2
   0x0000000000080010 <+16>:	mrs	x4, id_aa64isar0_el1
   0x0000000000080014 <+20>:	mrs	x5, id_aa64isar1_el1
   0x0000000000080018 <+24>:	mrs	x6, id_aa64mmfr0_el1
   0x000000000008001c <+28>:	mrs	x7, id_aa64mmfr1_el1
   0x0000000000080020 <+32>:	mrs	x8, id_aa64pfr0_el1
   0x0000000000080024 <+36>:	mrs	x9, id_aa64pfr1_el1
   0x0000000000080028 <+40>:	mrs	x10, vbar_el2
=> 0x000000000008002c <+44>:	b	0x8002c <_start+44>
End of assembler dump.
(gdb) p/x $x0
$1 = 0x30c50830
(gdb) p/x $x1
$2 = 0x0
(gdb) p/x $x2
$3 = 0x4050020039655fdd
(gdb) p/x $x3
$4 = 0x10
(gdb) p/x $x4
$5 = 0x10000
(gdb) p/x $x5
$6 = 0x0
(gdb) p/x $x6
$7 = 0x1124
(gdb) p/x $x7
$8 = 0x0
(gdb) p/x $x8
$9 = 0x2222
(gdb) p/x $x9
$10 = 0x0
(gdb) p/x $x10
$11 = 0x0

Some Bare Metal Stuff

• Serial console Hello World

• Device memory reading from serial (for exploring devices/registers)

• Figure out initial state and optional features (crypto) for CPUs