/*
 * Boot a Marvell SoC, with Xmodem over UART0.
 * supports Kirkwood, Dove, Avanta, Armada 370, Armada XP, Armada 375,
 * Armada 38x and Armada 39x.
 *
 * (c) 2012 Daniel Stodden <daniel.stodden@gmail.com>
 * (c) 2021 Pali Rohár <pali@kernel.org>
 * (c) 2021 Marek Behún <kabel@kernel.org>
 *
 * References:
 * - "88F6180, 88F6190, 88F6192, and 88F6281: Integrated Controller: Functional
 *   Specifications" December 2, 2008. Chapter 24.2 "BootROM Firmware".
 *   https://web.archive.org/web/20130730091033/https://www.marvell.com/embedded-processors/kirkwood/assets/FS_88F6180_9x_6281_OpenSource.pdf
 * - "88AP510: High-Performance SoC with Integrated CPU, 2D/3D Graphics
 *   Processor, and High-Definition Video Decoder: Functional Specifications"
 *   August 3, 2011. Chapter 5 "BootROM Firmware"
 *   https://web.archive.org/web/20120130172443/https://www.marvell.com/application-processors/armada-500/assets/Armada-510-Functional-Spec.pdf
 * - "88F6665, 88F6660, 88F6658, 88F6655, 88F6655F, 88F6650, 88F6650F, 88F6610,
 *   and 88F6610F Avanta LP Family Integrated Single/Dual CPU Ecosystem for
 *   Gateway (GW), Home Gateway Unit (HGU), and Single Family Unit (SFU)
 *   Functional Specifications" Doc. No. MV-S108952-00, Rev. A. November 7, 2013.
 *   Chapter 7 "Boot Flow"
 *   CONFIDENTIAL, no public documentation available
 * - "88F6710, 88F6707, and 88F6W11: ARMADA(R) 370 SoC: Functional Specifications"
 *   May 26, 2014. Chapter 6 "BootROM Firmware".
 *   https://web.archive.org/web/20140617183701/https://www.marvell.com/embedded-processors/armada-300/assets/ARMADA370-FunctionalSpec-datasheet.pdf
 * - "MV78230, MV78260, and MV78460: ARMADA(R) XP Family of Highly Integrated
 *   Multi-Core ARMv7 Based SoC Processors: Functional Specifications"
 *   May 29, 2014. Chapter 6 "BootROM Firmware".
 *   https://web.archive.org/web/20180829171131/https://www.marvell.com/embedded-processors/armada-xp/assets/ARMADA-XP-Functional-SpecDatasheet.pdf
 * - "BobCat2 Control and Management Subsystem Functional Specifications"
 *   Doc. No. MV-S109400-00, Rev. A. December 4, 2014.
 *   Chapter 1.6 BootROM Firmware
 *   CONFIDENTIAL, no public documentation available
 * - "AlleyCat3 and PONCat3 Highly Integrated 1/10 Gigabit Ethernet Switch
 *   Control and Management Subsystem: Functional Specifications"
 *   Doc. No. MV-S109693-00, Rev. A. May 20, 2014.
 *   Chapter 1.6 BootROM Firmware
 *   CONFIDENTIAL, no public documentation available
 * - "ARMADA(R) 375 Value-Performance Dual Core CPU System on Chip: Functional
 *   Specifications" Doc. No. MV-S109377-00, Rev. A. September 18, 2013.
 *   Chapter 7 "Boot Sequence"
 *   CONFIDENTIAL, no public documentation available
 * - "88F6810, 88F6811, 88F6821, 88F6W21, 88F6820, and 88F6828: ARMADA(R) 38x
 *   Family High-Performance Single/Dual CPU System on Chip: Functional
 *   Specifications" Doc. No. MV-S109094-00, Rev. C. August 2, 2015.
 *   Chapter 7 "Boot Flow"
 *   CONFIDENTIAL, no public documentation available
 * - "88F6920, 88F6925 and 88F6928: ARMADA(R) 39x High-Performance Dual Core CPU
 *   System on Chip Functional Specifications" Doc. No. MV-S109896-00, Rev. B.
 *   December 22, 2015. Chapter 7 "Boot Flow"
 *   CONFIDENTIAL, no public documentation available
 * - "Marvell boot image parser", Marvell U-Boot 2013.01, version 18.06. September 17, 2015.
 *   https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/blob/u-boot-2013.01-armada-18.06/tools/marvell/doimage_mv/hdrparser.c
 * - "Marvell doimage Tool", Marvell U-Boot 2013.01, version 18.06. August 30, 2015.
 *   https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/blob/u-boot-2013.01-armada-18.06/tools/marvell/doimage_mv/doimage.c
 *
 * Storage location / offset of different image types:
 * - IBR_HDR_SPI_ID (0x5A):
 *   SPI image can be stored at any 2 MB aligned offset in the first 16 MB of
 *   SPI-NOR or parallel-NOR. Despite the type name it really can be stored on
 *   parallel-NOR and cannot be stored on other SPI devices, like SPI-NAND.
 *   So it should have been named NOR image, not SPI image. This image type
 *   supports XIP - Execute In Place directly from NOR memory. Destination
 *   address of the XIP image is set to 0xFFFFFFFF and execute address to the
 *   absolute offset in bytes from the beginning of NOR memory.
 *
 * - IBR_HDR_NAND_ID (0x8B):
 *   NAND image can be stored either at any 2 MB aligned offset in the first
 *   16 MB of SPI-NAND or at any blocksize aligned offset in the first 64 MB
 *
 * - IBR_HDR_PEX_ID (0x9C):
 *   PEX image is used for booting from PCI Express device. Source address
 *   stored in image is ignored by BootROM. It is not the BootROM that parses
 *   or loads the data part of the PEX image. BootROM just configures SoC to the
 *   PCIe endpoint mode and lets the PCIe device on the other end of the PCIe
 *   link (which must be in Root Complex mode) load kwbimage into SoC's
 *   memory and tell BootROM the physical address.
 *
 * - IBR_HDR_UART_ID (0x69):
 *   UART image can be transferred via xmodem protocol over first UART.
 *   Unlike all other image types, header size stored in the image must be
 *   a multiple of 128 bytes (for all other image types it can be any size)
 *   and data part of the image does not have to contain 32-bit checksum
 *   (all other image types must have valid 32-bit checksum in its data part).
 *   And data size stored in the image is ignored. A38x BootROM determines
 *   size of the data part implicitly by the end of the xmodem transfer.
 *   A38x BootROM has a bug which causes the BootROM to load the data part of
 *   a UART image at the RAM target address increased by one byte when the
 *   source address and header size stored in the image header are not the
 *   same. So UART image
 *   should be constructed in a way that there is no gap between header and
 *
 * - IBR_HDR_I2C_ID (0x4D):
 *   It is unknown what kind of storage this image is used for. It is not
 *   specified in any document from References section.
 *
 * - IBR_HDR_SATA_ID (0x78):
 *   SATA image can be stored at sector 1 (after the MBR table), sector 34
 *   (after the GPT table) or at any next sector which is aligned to 2 MB and
 *   is in the first 16 MB of SATA disk. Note that source address in SATA image
 *   is stored in sector unit and not in bytes like for any other images.
 *   Unfortunately sector size is disk specific, in most cases it is 512 bytes
 *   but there are also Native 4K SATA disks which have 4096 bytes long sectors.
 *
 * - IBR_HDR_SDIO_ID (0xAE):
 *   SDIO image can be stored on different media:
 *   - eMMC HW boot partition
 *   - eMMC user data partition / MMC card
 *   It cannot be stored on SDIO card despite the image name.
 *
 *   For SD(SC)/SDHC/SDXC cards, image can be stored at the same locations as
 *   the SATA image (sector 1, sector 34 or any 2 MB aligned sector) but within
 *   the first 64 MB. SDHC and SDXC cards have fixed 512 bytes long sector size.
 *   Old SD(SC) cards unfortunately can have also different sector sizes, mostly
 *   1024 bytes long sector sizes and also can be changed at runtime.
 *
 *   For MMC-compatible devices, image can be stored at offset 0 or at offset
 *   2 MB. If MMC device supports HW boot partitions then image must be stored
 *   on the HW partition as is configured in the EXT_CSD register (it can be
 *   either boot or user data).
 *
 *   Note that source address for SDIO image is stored in byte unit, like for
 *   any other images (except SATA). Marvell Functional Specifications for
 *   A38x and A39x SoCs say that source address is in sector units, but this
 *   is purely incorrect information. A385 BootROM really expects source address
 *   for SDIO images in bytes and also Marvell tools generate SDIO image with
 *   source address in byte units.
 */
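The UART image constraints described above (block ID 0x69, header size a multiple of 128 bytes, no gap between header and data on A38x) can be checked on the host before a transfer. This is an added example, not part of kwboot.c; the v1 header field offsets are an assumption about the kwbimage layout that this page does not show, and `uart_image_check`, `check_sample` and the `UIC_*` flags are hypothetical names.

```c
/* Added example: host-side pre-flight check of a kwbimage v1 UART image. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IBR_HDR_UART_ID  0x69  /* UART block ID, from the list above */
#define XM_BLKSZ         128   /* xmodem block size */

/* ASSUMED v1 main header layout (little-endian); not shown on this page */
#define OFF_BLOCKID      0x00
#define OFF_VERSION      0x08
#define OFF_HDRSZ_MSB    0x09  /* bits 23:16 of header size */
#define OFF_HDRSZ_LSB    0x0a  /* bits 15:0 of header size */
#define OFF_SRCADDR      0x0c  /* 32-bit offset of the data part */
#define MAIN_HDR_SIZE    0x20

/* Hypothetical finding flags; 0 means no finding */
enum {
	UIC_TRUNCATED = 1 << 0, /* file shorter than the header it declares */
	UIC_NOT_V1    = 1 << 1, /* only the v1 layout is handled here */
	UIC_NOT_UART  = 1 << 2, /* block ID is not IBR_HDR_UART_ID */
	UIC_HDR_ALIGN = 1 << 3, /* header size is not a multiple of 128 */
	UIC_DATA_GAP  = 1 << 4, /* srcaddr != header size (A38x load bug) */
};

static uint32_t rd_le16(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8;
}

static uint32_t rd_le32(const uint8_t *p)
{
	return rd_le16(p) | rd_le16(p + 2) << 16;
}

/* Return a bitmask of UIC_* findings for the image in img[0..len) */
unsigned uart_image_check(const uint8_t *img, size_t len)
{
	unsigned findings = 0;
	uint32_t hdrsz, srcaddr;

	if (len < MAIN_HDR_SIZE)
		return UIC_TRUNCATED;	/* nothing else can be read safely */
	if (img[OFF_VERSION] != 1)
		return UIC_NOT_V1;

	hdrsz = (uint32_t)img[OFF_HDRSZ_MSB] << 16 | rd_le16(img + OFF_HDRSZ_LSB);
	srcaddr = rd_le32(img + OFF_SRCADDR);

	if (img[OFF_BLOCKID] != IBR_HDR_UART_ID)
		findings |= UIC_NOT_UART;
	if (hdrsz < MAIN_HDR_SIZE || hdrsz > len)
		findings |= UIC_TRUNCATED;
	if (hdrsz % XM_BLKSZ)
		findings |= UIC_HDR_ALIGN;
	if (srcaddr != hdrsz)
		findings |= UIC_DATA_GAP;
	return findings;
}

/* Build a constructed (not real) v1 header in a zeroed buffer and check it */
unsigned check_sample(uint8_t blockid, uint32_t hdrsz, uint32_t srcaddr,
		      size_t len)
{
	static uint8_t img[1024];
	int i;

	if (len > sizeof(img))
		len = sizeof(img);
	memset(img, 0, sizeof(img));
	img[OFF_BLOCKID] = blockid;
	img[OFF_VERSION] = 1;
	img[OFF_HDRSZ_MSB] = (hdrsz >> 16) & 0xff;
	img[OFF_HDRSZ_LSB] = hdrsz & 0xff;
	img[OFF_HDRSZ_LSB + 1] = (hdrsz >> 8) & 0xff;
	for (i = 0; i < 4; i++)
		img[OFF_SRCADDR + i] = (srcaddr >> (8 * i)) & 0xff;
	return uart_image_check(img, len);
}

int main(void)
{
	printf("aligned, no gap : 0x%02x\n", check_sample(0x69, 256, 256, 1024));
	printf("unaligned header: 0x%02x\n", check_sample(0x69, 200, 200, 1024));
	printf("gap before data : 0x%02x\n", check_sample(0x69, 256, 512, 1024));
	printf("SPI block ID    : 0x%02x\n", check_sample(0x5A, 256, 256, 1024));
	return 0;
}
```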
#include "kwbimage.h"
#include <sys/stat.h>
#include "termios_linux.h"

/*
 * These functions are in <term.h> header file, but this header file conflicts
 * with "termios_linux.h" header file. So declare these functions manually.
 */
extern int setupterm(const char *, int, int *);
extern char *tigetstr(const char *);

/*
 * Marvell BootROM UART Sensing
 */

static unsigned char kwboot_msg_boot[] = {
	0xBB, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
};

static unsigned char kwboot_msg_debug[] = {
	0xDD, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
};

/* Defines known to work on Kirkwood */
#define KWBOOT_MSG_RSP_TIMEO	50 /* ms */

/* Defines known to work on Armada XP */
#define KWBOOT_MSG_RSP_TIMEO_AXP	10 /* ms */

#define SOH	1	/* sender start of block header */
#define EOT	4	/* sender end of block transfer */
#define ACK	6	/* target block ack */
#define NAK	21	/* target block negative ack */

#define KWBOOT_XM_BLKSZ	128 /* xmodem block size */

struct kwboot_block {
	uint8_t data[KWBOOT_XM_BLKSZ];

#define KWBOOT_BLK_RSP_TIMEO	2000 /* ms */
#define KWBOOT_HDR_RSP_TIMEO	10000 /* ms */

/* ARM code to change baudrate */
static unsigned char kwboot_baud_code[] = {
				/* ; #define UART_BASE 0xd0012000 */
				/* ; #define DLL 0x00 */
				/* ; #define DLH 0x04 */
				/* ; #define LCR 0x0c */
				/* ; #define DLAB 0x80 */
				/* ; #define LSR 0x14 */
				/* ; #define TEMT 0x40 */
				/* ; #define DIV_ROUND(a, b) ((a + b/2) / b) */
				/* ; u32 set_baudrate(u32 old_b, u32 new_b) { */
				/* ; (!(readl(UART_BASE + LSR) & TEMT)); */
				/* ; u32 lcr = readl(UART_BASE + LCR); */
				/* ; writel(UART_BASE + LCR, lcr | DLAB); */
				/* ; u8 old_dll = readl(UART_BASE + DLL); */
				/* ; u8 old_dlh = readl(UART_BASE + DLH); */
				/* ; u16 old_dl = old_dll | (old_dlh << 8); */
				/* ; u32 clk = old_b * old_dl; */
				/* ; u16 new_dl = DIV_ROUND(clk, new_b); */
				/* ; u8 new_dll = new_dl & 0xff; */
				/* ; u8 new_dlh = (new_dl >> 8) & 0xff; */
				/* ; writel(UART_BASE + DLL, new_dll); */
				/* ; writel(UART_BASE + DLH, new_dlh); */
				/* ; writel(UART_BASE + LCR, lcr & ~DLAB); */

				/* ; r0 = UART_BASE */
	0x0d, 0x02, 0xa0, 0xe3, /* mov r0, #0xd0000000 */
	0x12, 0x0a, 0x80, 0xe3, /* orr r0, r0, #0x12000 */

				/* ; Wait until Transmitter FIFO is Empty */
				/* .Lloop_txempty: */
				/* ; r1 = UART_BASE[LSR] & TEMT */
	0x14, 0x10, 0x90, 0xe5, /* ldr r1, [r0, #0x14] */
	0x40, 0x00, 0x11, 0xe3, /* tst r1, #0x40 */
	0xfc, 0xff, 0xff, 0x0a, /* beq .Lloop_txempty */

				/* ; Set Divisor Latch Access Bit */
				/* ; UART_BASE[LCR] |= DLAB */
	0x0c, 0x10, 0x90, 0xe5, /* ldr r1, [r0, #0x0c] */
	0x80, 0x10, 0x81, 0xe3, /* orr r1, r1, #0x80 */
	0x0c, 0x10, 0x80, 0xe5, /* str r1, [r0, #0x0c] */

				/* ; Read current Divisor Latch */
				/* ; r1 = UART_BASE[DLH]<<8 | UART_BASE[DLL] */
	0x00, 0x10, 0x90, 0xe5, /* ldr r1, [r0, #0x00] */
	0xff, 0x10, 0x01, 0xe2, /* and r1, r1, #0xff */
	0x01, 0x20, 0xa0, 0xe1, /* mov r2, r1 */
	0x04, 0x10, 0x90, 0xe5, /* ldr r1, [r0, #0x04] */
	0xff, 0x10, 0x01, 0xe2, /* and r1, r1, #0xff */
	0x01, 0x14, 0xa0, 0xe1, /* lsl r1, r1, #8 */
	0x02, 0x10, 0x81, 0xe1, /* orr r1, r1, r2 */

				/* ; Read old baudrate value */
				/* ; r2 = old_baudrate */
	0x74, 0x20, 0x9f, 0xe5, /* ldr r2, old_baudrate */

				/* ; Calculate base clock */
	0x92, 0x01, 0x01, 0xe0, /* mul r1, r2, r1 */

				/* ; Read new baudrate value */
				/* ; r2 = new_baudrate */
	0x70, 0x20, 0x9f, 0xe5, /* ldr r2, new_baudrate */

				/* ; Calculate new Divisor Latch */
				/* ; r1 = DIV_ROUND(r1, r2) = */
				/* ; = (r1 + r2/2) / r2 */
	0xa2, 0x10, 0x81, 0xe0, /* add r1, r1, r2, lsr #1 */
	0x02, 0x40, 0xa0, 0xe1, /* mov r4, r2 */
	0xa1, 0x00, 0x54, 0xe1, /* cmp r4, r1, lsr #1 */
	0x84, 0x40, 0xa0, 0x91, /* movls r4, r4, lsl #1 */
	0xa1, 0x00, 0x54, 0xe1, /* cmp r4, r1, lsr #1 */
	0xfc, 0xff, 0xff, 0x9a, /* bls .Lloop_div1 */
	0x00, 0x30, 0xa0, 0xe3, /* mov r3, #0 */
	0x04, 0x00, 0x51, 0xe1, /* cmp r1, r4 */
	0x04, 0x10, 0x41, 0x20, /* subhs r1, r1, r4 */
	0x03, 0x30, 0xa3, 0xe0, /* adc r3, r3, r3 */
	0xa4, 0x40, 0xa0, 0xe1, /* mov r4, r4, lsr #1 */
	0x02, 0x00, 0x54, 0xe1, /* cmp r4, r2 */
	0xf9, 0xff, 0xff, 0x2a, /* bhs .Lloop_div2 */
	0x03, 0x10, 0xa0, 0xe1, /* mov r1, r3 */

				/* ; Set new Divisor Latch Low */
				/* ; UART_BASE[DLL] = r1 & 0xff */
	0x01, 0x20, 0xa0, 0xe1, /* mov r2, r1 */
	0xff, 0x20, 0x02, 0xe2, /* and r2, r2, #0xff */
	0x00, 0x20, 0x80, 0xe5, /* str r2, [r0, #0x00] */

				/* ; Set new Divisor Latch High */
				/* ; UART_BASE[DLH] = r1>>8 & 0xff */
	0x41, 0x24, 0xa0, 0xe1, /* asr r2, r1, #8 */
	0xff, 0x20, 0x02, 0xe2, /* and r2, r2, #0xff */
	0x04, 0x20, 0x80, 0xe5, /* str r2, [r0, #0x04] */

				/* ; Clear Divisor Latch Access Bit */
				/* ; UART_BASE[LCR] &= ~DLAB */
	0x0c, 0x10, 0x90, 0xe5, /* ldr r1, [r0, #0x0c] */
	0x80, 0x10, 0xc1, 0xe3, /* bic r1, r1, #0x80 */
	0x0c, 0x10, 0x80, 0xe5, /* str r1, [r0, #0x0c] */

				/* ; Loop 0x2dc000 (2998272) cycles */
				/* ; which is about 5ms on 1200 MHz CPU */
				/* ; r1 = 0x2dc000 */
	0xb7, 0x19, 0xa0, 0xe3, /* mov r1, #0x2dc000 */
	0x01, 0x10, 0x41, 0xe2, /* sub r1, r1, #1 */
	0x00, 0x00, 0x51, 0xe3, /* cmp r1, #0 */
	0xfc, 0xff, 0xff, 0x1a, /* bne .Lloop_sleep */

				/* ; Jump to the end of execution */
	0x01, 0x00, 0x00, 0xea, /* b end */

				/* ; Placeholder for old baudrate value */
	0x00, 0x00, 0x00, 0x00, /* .word 0 */

				/* ; Placeholder for new baudrate value */
	0x00, 0x00, 0x00, 0x00, /* .word 0 */
};

/* ARM code from binary header executed by BootROM before changing baudrate */
static unsigned char kwboot_baud_code_binhdr_pre[] = {
				/* ; #define UART_BASE 0xd0012000 */
				/* ; #define THR 0x00 */
				/* ; #define LSR 0x14 */
				/* ; #define THRE 0x20 */
				/* ; void send_preamble(void) { */
				/* ; const u8 *str = "$baudratechange"; */
				/* ; ((readl(UART_BASE + LSR) & THRE)); */
				/* ; writel(UART_BASE + THR, c); */

				/* ; Preserve registers for BootROM */
	0xfe, 0x5f, 0x2d, 0xe9, /* push { r1 - r12, lr } */

				/* ; r0 = UART_BASE */
	0x0d, 0x02, 0xa0, 0xe3, /* mov r0, #0xd0000000 */
	0x12, 0x0a, 0x80, 0xe3, /* orr r0, r0, #0x12000 */

				/* ; r2 = address of preamble string */
	0x00, 0x20, 0x8f, 0xe2, /* adr r2, .Lstr_preamble */

				/* ; Skip preamble data section */
	0x03, 0x00, 0x00, 0xea, /* b .Lloop_preamble */

				/* ; Preamble string */
				/* .Lstr_preamble: */
	0x24, 0x62, 0x61, 0x75, /* .asciz "$baudratechange" */
	0x64, 0x72, 0x61, 0x74,
	0x65, 0x63, 0x68, 0x61,
	0x6e, 0x67, 0x65, 0x00,

				/* ; Send preamble string over UART */
				/* .Lloop_preamble: */
				/* ; Wait until Transmitter Holding is Empty */
				/* ; r1 = UART_BASE[LSR] & THRE */
	0x14, 0x10, 0x90, 0xe5, /* ldr r1, [r0, #0x14] */
	0x20, 0x00, 0x11, 0xe3, /* tst r1, #0x20 */
	0xfc, 0xff, 0xff, 0x0a, /* beq .Lloop_thre */

				/* ; Put character into Transmitter FIFO */
	0x01, 0x10, 0xd2, 0xe4, /* ldrb r1, [r2], #1 */
				/* ; UART_BASE[THR] = r1 */
	0x00, 0x10, 0x80, 0xe5, /* str r1, [r0, #0x0] */

				/* ; Loop until end of preamble string */
	0x00, 0x00, 0x51, 0xe3, /* cmp r1, #0 */
	0xf8, 0xff, 0xff, 0x1a, /* bne .Lloop_preamble */
};

/* ARM code for returning from binary header back to BootROM */
static unsigned char kwboot_baud_code_binhdr_post[] = {
				/* ; Return 0 - no error */
	0x00, 0x00, 0xa0, 0xe3, /* mov r0, #0 */
	0xfe, 0x9f, 0xbd, 0xe8, /* pop { r1 - r12, pc } */
};

/* ARM code for jumping to the original image exec_addr */
static unsigned char kwboot_baud_code_data_jump[] = {
	0x04, 0xf0, 0x1f, 0xe5, /* ldr pc, exec_addr */
				/* ; Placeholder for exec_addr */
	0x00, 0x00, 0x00, 0x00, /* .word 0 */
};

static const char kwb_baud_magic[16] = "$baudratechange";

static int kwboot_verbose;

static int msg_rsp_timeo = KWBOOT_MSG_RSP_TIMEO;
static int blk_rsp_timeo = KWBOOT_BLK_RSP_TIMEO;

kwboot_write(int fd, const char *buf, size_t len)
	ssize_t wr = write(fd, buf + tot, len - tot);
	if (wr < 0 && errno == EINTR)

kwboot_printv(const char *fmt, ...)
	if (kwboot_verbose) {

	const char seq[] = { '-', '\\', '|', '/' };
	static int state, bs;
	if (state % div == 0) {
		fputc(seq[state / div % sizeof(seq)], stdout);

__progress(int pct, char c)
	const int width = 70;
	static const char *nl = "";
	if (pos % width == 0)
		printf("%s%3d %% [", nl, pct);
	pos = (pos + 1) % width;
	while (pos && pos++ < width)

kwboot_progress(int _pct, char c)

kwboot_tty_recv(int fd, void *buf, size_t len, int timeo)
	tv.tv_usec = timeo * 1000;
	if (tv.tv_usec > 1000000) {
		tv.tv_sec += tv.tv_usec / 1000000;
		tv.tv_usec %= 1000000;
	nfds = select(fd + 1, &rfds, NULL, NULL, &tv);
	if (nfds < 0 && errno == EINTR)
	n = read(fd, buf, len);
	if (n < 0 && errno == EINTR)
	buf = (char *)buf + n;

kwboot_tty_send(int fd, const void *buf, size_t len, int nodrain)
	if (kwboot_write(fd, buf, len) < 0)

kwboot_tty_send_char(int fd, unsigned char c)
	return kwboot_tty_send(fd, &c, 1, 0);

kwboot_tty_baudrate_to_speed(int baudrate)

_is_within_tolerance(int value, int reference, int tolerance)
	return 100 * value >= reference * (100 - tolerance) &&
	       100 * value <= reference * (100 + tolerance);

kwboot_tty_change_baudrate(int fd, int baudrate)
	rc = tcgetattr(fd, &tio);
	speed = kwboot_tty_baudrate_to_speed(baudrate);
	tio.c_ospeed = tio.c_ispeed = baudrate;
	rc = cfsetospeed(&tio, speed);
	rc = cfsetispeed(&tio, speed);
	rc = tcsetattr(fd, TCSANOW, &tio);
	rc = tcgetattr(fd, &tio);
	if (cfgetospeed(&tio) != speed || cfgetispeed(&tio) != speed)
	/*
	 * Check whether set baudrate is within 3% tolerance.
	 * If BOTHER is defined, Linux always fills out c_ospeed / c_ispeed
	 */
	if (!_is_within_tolerance(tio.c_ospeed, baudrate, 3))
	if (!_is_within_tolerance(tio.c_ispeed, baudrate, 3))
	fprintf(stderr, "Could not set baudrate to requested value\n");

kwboot_open_tty(const char *path, int baudrate)
	fd = open(path, O_RDWR | O_NOCTTY | O_NDELAY);
	rc = tcgetattr(fd, &tio);
	tio.c_cflag |= CREAD | CLOCAL;
	tio.c_cflag &= ~(CSTOPB | HUPCL | CRTSCTS);
	rc = tcsetattr(fd, TCSANOW, &tio);
	flags = fcntl(fd, F_GETFL);
	rc = fcntl(fd, F_SETFL, flags & ~O_NDELAY);
	rc = kwboot_tty_change_baudrate(fd, baudrate);

kwboot_msg_write_handler(void *arg)
	int tty = *(int *)((void **)arg)[0];
	const void *msg = ((void **)arg)[1];
	int rsp_timeo = msg_rsp_timeo;
	int i, dummy_oldtype;

	/* allow to cancel this thread at any time */
	pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, &dummy_oldtype);

	/* write 128 samples of message pattern into the output queue without waiting */
	for (i = 0; i < 128; i++) {
		if (kwboot_tty_send(tty, msg, 8, 1) < 0) {
			perror("\nFailed to send message pattern");

	/* wait until output queue is transmitted and then make pause */
	if (tcdrain(tty) < 0) {
		perror("\nFailed to send message pattern");

	/* BootROM requires pause on UART after it detects message pattern */
	usleep(rsp_timeo * 1000);

kwboot_msg_start_thread(pthread_t *thread, int *tty, void *msg)
	rc = pthread_create(thread, NULL, kwboot_msg_write_handler, arg);

kwboot_msg_stop_thread(pthread_t thread)
	rc = pthread_cancel(thread);
	rc = pthread_join(thread, NULL);

kwboot_bootmsg(int tty)
	struct kwboot_block block;
	pthread_t write_thread;

	/* flush input and output queue */
	tcflush(tty, TCIOFLUSH);

	rc = kwboot_msg_start_thread(&write_thread, &tty, kwboot_msg_boot);
	perror("Failed to start write thread");

	kwboot_printv("Sending boot message. Please reboot the target...");

	rc = kwboot_tty_recv(tty, &c, 1, msg_rsp_timeo);
	if (rc && errno == ETIMEDOUT) {

	rc = kwboot_msg_stop_thread(write_thread);
	perror("Failed to stop write thread");

	perror("Failed to read response for boot message pattern");

	/*
	 * At this stage we have sent more boot message patterns and BootROM
	 * (at least on Armada XP and 385) started interpreting sent bytes as
	 * part of xmodem packets. If BootROM is expecting SOH byte as start of
	 * a xmodem packet and it receives byte 0xff, then it throws it away and
	 * sends a NAK reply to host. If BootROM does not receive any byte for
	 * 2s when expecting some continuation of the xmodem packet, it throws
	 * away the partially received xmodem data and sends NAK reply to host.
	 *
	 * Therefore for starting xmodem transfer we have two options: Either
	 * wait 2s or send 132 0xff bytes (which is the size of xmodem packet)
	 * to ensure that BootROM throws away any partially received data.
	 */

	/* flush output queue with remaining boot message patterns */
	rc = tcflush(tty, TCOFLUSH);
	perror("Failed to flush output queue");

	/* send one xmodem packet with 0xff bytes to force BootROM to re-sync */
	memset(&block, 0xff, sizeof(block));
	rc = kwboot_tty_send(tty, &block, sizeof(block), 0);
	perror("Failed to send sync sequence");

	/*
	 * Sending 132 bytes via 115200B/8-N-1 takes 11.45 ms, reading 132 bytes
	 * takes 11.45 ms, so waiting for 30 ms should be enough.
	 */

	/* flush remaining NAK replies from input queue */
	rc = tcflush(tty, TCIFLUSH);
	perror("Failed to flush input queue");

kwboot_debugmsg(int tty)
	unsigned char buf[8192];
	pthread_t write_thread;
	int rc, err, i, pos;

	/* flush input and output queue */
	tcflush(tty, TCIOFLUSH);

	rc = kwboot_msg_start_thread(&write_thread, &tty, kwboot_msg_debug);
	perror("Failed to start write thread");

	kwboot_printv("Sending debug message. Please reboot the target...");

	/* Read immediately all bytes in queue without waiting */
	rc = read(tty, buf + off, sizeof(buf) - off);
	if ((rc < 0 && errno == EINTR) || rc == 0) {
	} else if (rc < 0) {

	/*
	 * Check if we received at least 4 debug message patterns
	 * (console echo from BootROM) in cyclic buffer
	 */
	for (pos = 0; pos < sizeof(kwboot_msg_debug); pos++)
		if (buf[off] == kwboot_msg_debug[(pos + off) % sizeof(kwboot_msg_debug)])
	for (i = off; i >= 0; i--)
		if (buf[i] != kwboot_msg_debug[(pos + i) % sizeof(kwboot_msg_debug)])
	if (off >= 4 * sizeof(kwboot_msg_debug))

	/* If not, move valid suffix from end of the buffer to the beginning of buffer */
	memmove(buf, buf + i + 1, off);

	kwboot_printv("\n");

	rc = kwboot_msg_stop_thread(write_thread);
	perror("Failed to stop write thread");

	perror("Failed to read response for debug message pattern");

	/* flush output queue with remaining debug message patterns */
	rc = tcflush(tty, TCOFLUSH);
	perror("Failed to flush output queue");

	kwboot_printv("Clearing input buffer...\n");

	/*
	 * Wait until BootROM transmits all remaining echo characters.
	 * Experimentally it was measured that for Armada 385 BootROM
	 * it is required to wait at least 0.415s. So wait 0.5s.
	 */

	/*
	 * In off variable is stored number of characters received after the
	 * successful detection of echo reply. So these characters are console
	 * echo for other following debug message patterns. BootROM may have in
	 * its output queue other echo characters which were being transmitted
	 * before above sleep call. So read remaining number of echo characters
	 * sent by the BootROM now.
	 */
	while ((rc = kwboot_tty_recv(tty, &buf[0], 1, 0)) == 0)
	if (errno != ETIMEDOUT) {
		perror("Failed to read response");

	/*
	 * Clear every echo character set by the BootROM by backspace byte.
	 * This is required prior to writing any command to the BootROM debug
	 * because BootROM command line buffer has limited size. If length
	 * of the command is larger than buffer size then it looks like
	 * that Armada 385 BootROM crashes after sending ENTER. So erase it.
	 * Experimentally it was measured that for Armada 385 BootROM it is
	 * required to send at least 3 backspace bytes for one echo character.
	 * It is unknown why, but let's do it.
	 */
	memset(buf, '\x08', sizeof(buf));
	while (off > sizeof(buf)) {
		rc = kwboot_tty_send(tty, buf, sizeof(buf), 1);
		perror("Failed to send clear sequence");
	rc = kwboot_tty_send(tty, buf, off, 0);
	perror("Failed to send clear sequence");

	usleep(msg_rsp_timeo * 1000);
	rc = tcflush(tty, TCIFLUSH);
	perror("Failed to flush input queue");

kwboot_xm_makeblock(struct kwboot_block *block, const void *data,
		    size_t size, int pnum)
	block->_pnum = ~block->pnum;
	n = size < KWBOOT_XM_BLKSZ ? size : KWBOOT_XM_BLKSZ;
	memcpy(&block->data[0], data, n);
	memset(&block->data[n], 0, KWBOOT_XM_BLKSZ - n);
	for (i = 0; i < n; i++)
		block->csum += block->data[i];

	if (clock_gettime(CLOCK_MONOTONIC, &ts)) {
		static int err_print;
		perror("clock_gettime() does not work");
		/* this will just make the timeout not work */
	return ts.tv_sec * 1000ULL + (ts.tv_nsec + 500000) / 1000000;

_is_xm_reply(char c)
	return c == ACK || c == NAK;

_xm_reply_to_error(int c)

kwboot_baud_magic_handle(int fd, char c, int baudrate)
	static size_t rcv_len;
	if (rcv_len < sizeof(kwb_baud_magic)) {
		/* try to recognize whole magic word */
		if (c == kwb_baud_magic[rcv_len]) {
		printf("%.*s%c", (int)rcv_len, kwb_baud_magic, c);
	if (rcv_len == sizeof(kwb_baud_magic)) {
		/* magic word received */
		kwboot_printv("\nChanging baudrate to %d Bd\n", baudrate);
		return kwboot_tty_change_baudrate(fd, baudrate) ? : 1;

kwboot_xm_recv_reply(int fd, char *c, int stop_on_non_xm,
		     int ignore_nak_reply,
		     int allow_non_xm, int *non_xm_print,
		     int baudrate, int *baud_changed)
	int timeout = allow_non_xm ? KWBOOT_HDR_RSP_TIMEO : blk_rsp_timeo;
	uint64_t recv_until = _now() + timeout;
	rc = kwboot_tty_recv(fd, c, 1, timeout);
	if (errno != ETIMEDOUT)
	else if (allow_non_xm && *non_xm_print)

	/* If received xmodem reply, end. */
	if (_is_xm_reply(*c)) {
		if (*c == NAK && ignore_nak_reply) {
			timeout = recv_until - _now();

	/*
	 * If receiving/printing non-xmodem text output is allowed and
	 * such a byte was received, we want to increase receiving time
	 * - print the byte, if it is not part of baudrate change magic
	 *   sequence while baudrate change was requested (-B option)
	 * Otherwise decrease timeout by time elapsed.
	 */
	recv_until = _now() + timeout;
	if (baudrate && !*baud_changed) {
		rc = kwboot_baud_magic_handle(fd, *c, baudrate);
	} else if (!baudrate || !*baud_changed) {
	timeout = recv_until - _now();

kwboot_xm_sendblock(int fd, struct kwboot_block *block, int allow_non_xm,
		    int *done_print, int baudrate, int allow_retries)
	int non_xm_print, baud_changed;
	int rc, err, retries;
	rc = kwboot_tty_send(fd, block, sizeof(*block), 1);
	if (allow_non_xm && !*done_print) {
		kwboot_progress(100, '.');
		kwboot_printv("Done\n");
	rc = kwboot_xm_recv_reply(fd, &c, retries < 3,
				  allow_non_xm, &non_xm_print,
				  baudrate, &baud_changed);
	if (!allow_non_xm && c != ACK) {
		if (c == NAK && allow_retries && retries + 1 < 16)
			kwboot_progress(-1, '+');
			kwboot_progress(-1, 'E');
	} while (c == NAK && allow_retries && retries++ < 16);
	kwboot_printv("\n");
	if (allow_non_xm && baudrate && !baud_changed) {
		fprintf(stderr, "Baudrate was not changed\n");
	return _xm_reply_to_error(c);
	kwboot_printv("\n");

kwboot_xm_finish(int fd)
	kwboot_printv("Finishing transfer\n");
	rc = kwboot_tty_send_char(fd, EOT);
	rc = kwboot_xm_recv_reply(fd, &c, retries < 3,
	} while (c == NAK && retries++ < 16);
	return _xm_reply_to_error(c);

kwboot_xmodem_one(int tty, int *pnum, int header, const uint8_t *data,
		  size_t size, int baudrate)
	kwboot_printv("Sending boot image %s (%zu bytes)...\n",
		      header ? "header" : "data", size);
	while (sent < size) {
		struct kwboot_block block;
		blksz = kwboot_xm_makeblock(&block, data, left, (*pnum)++);
		last_block = (left <= blksz);

		/*
		 * Handling of repeated xmodem packets is completely broken in
		 * Armada 385 BootROM - it completely ignores xmodem packet
		 * numbers, they are only used for checksum verification.
		 * BootROM can handle a retry of the xmodem packet only during
		 * the transmission of kwbimage header and only if BootROM
		 * itself sent NAK response to previous attempt (it does it on
		 * checksum failure). During the transmission of kwbimage data
		 * part, BootROM always expects next xmodem packet, even if it
		 * sent NAK to previous attempt - there is absolutely no way to
		 * repair incorrectly transmitted xmodem packet during kwbimage
		 * data part upload. Also, if kwboot receives non-ACK/NAK
		 * response (meaning that original BootROM response was damaged
		 * on UART) there is no way to detect if BootROM accepted xmodem
		 * packet or not and no way to check if kwboot could repeat the
		 *
		 * Stop transfer and return failure if kwboot receives unknown
		 * reply if non-xmodem reply is not allowed (for all xmodem
		 * packets except the last header packet) or when non-ACK reply
		 * is received during data part transfer.
		 */
		rc = kwboot_xm_sendblock(tty, &block, header && last_block,
					 &done_print, baudrate, header);
		kwboot_progress(sent * 100 / size, '.');
	kwboot_printv("Done\n");
	kwboot_printv("\n");

kwboot_xmodem(int tty, const void *_img, size_t size, int baudrate)
	const uint8_t *img = _img;
	hdrsz = kwbheader_size(img);

	/*
	 * If header size is not aligned to xmodem block size (which applies
	 * for all images in kwbimage v0 format) then we have to ensure that
	 * the last xmodem block of header contains beginning of the data
	 * followed by the header. So align header size to xmodem block size.
	 */
	hdrsz += (KWBOOT_XM_BLKSZ - hdrsz % KWBOOT_XM_BLKSZ) % KWBOOT_XM_BLKSZ;

	rc = kwboot_xmodem_one(tty, &pnum, 1, img, hdrsz, baudrate);

	/*
	 * If we have already sent image data as a part of the last
	 * xmodem header block then we have nothing more to send.
	 */
	rc = kwboot_xmodem_one(tty, &pnum, 0, img, size, 0);

	rc = kwboot_xm_finish(tty);

	kwboot_printv("\nChanging baudrate back to 115200 Bd\n\n");
	rc = kwboot_tty_change_baudrate(tty, 115200);

kwboot_term_pipe(int in, int out, const char *quit, int *s, const char *kbs, int *k)
	nin = read(in, buf, sizeof(buf));
	for (i = 0; i < nin; i++) {
		if ((quit || kbs) &&
		    (!quit || buf[i] != quit[*s]) &&
		    (!kbs || buf[i] != kbs[*k])) {
			prefix = (*s >= *k) ? quit : kbs;
			plen = (*s >= *k) ? *s : *k;
			if (plen > i && kwboot_write(out, prefix, plen - i) < 0)
		if (quit && buf[i] == quit[*s]) {
			nin = (i > *s) ? (i - *s) : 0;
		if (kbs && buf[i] == kbs[*k]) {
			if (i > *k + noff &&
			    kwboot_write(out, buf + noff, i - *k - noff) < 0)
			/*
			 * Replace backspace key by '\b' (0x08)
			 * byte which is the only recognized
			 * backspace byte by Marvell BootROM.
			 */
			if (write(out, "\x08", 1) < 0)
			nin -= (nin > i) ? i : nin;
	if (nin > noff && kwboot_write(out, buf + noff, nin - noff) < 0)

kwboot_terminal(int tty)
	const char *kbs = NULL;
	const char *quit = "\34c";
	struct termios otio, tio;
	rc = tcgetattr(in, &otio);
	rc = tcsetattr(in, TCSANOW, &tio);
	perror("tcsetattr");

	/*
	 * Get sequence for backspace key used by the current
	 * terminal. Every occurrence of this sequence will be
	 * replaced by '\b' byte which is the only recognized
	 * backspace byte by Marvell BootROM.
	 *
	 * Note that we cannot read this sequence from termios
	 * c_cc[VERASE] as VERASE is valid only when ICANON is
	 * set in termios c_lflag, which is not case for us.
	 *
	 * Also most terminals do not set termios c_cc[VERASE]
	 * as c_cc[VERASE] can specify only one-byte sequence
	 * and instead let applications to read (possible
	 * multi-byte) sequence for backspace key from "kbs"
	 * terminfo database based on $TERM env variable.
	 *
	 * So read "kbs" from terminfo database via tigetstr()
	 * call after successful setupterm(). Most terminals
	 * use byte 0x7F for backspace key, so replacement with
	 */
	if (setupterm(NULL, STDOUT_FILENO, &rc) == 0) {
		kbs = tigetstr("kbs");
		if (kbs == (char *)-1)

	kwboot_printv("[Type Ctrl-%c + %c to quit]\r\n",
		      quit[0] | 0100, quit[1]);

	nfds = nfds < tty ? tty : nfds;
	nfds = nfds < in ? in : nfds;
	nfds = select(nfds + 1, &rfds, NULL, NULL, NULL);
	if (FD_ISSET(tty, &rfds)) {
		rc = kwboot_term_pipe(tty, STDOUT_FILENO, NULL, NULL, NULL, NULL);
	if (in >= 0 && FD_ISSET(in, &rfds)) {
		rc = kwboot_term_pipe(in, tty, quit, &s, kbs, &k);
	} while (quit[s] != 0);

	tcsetattr(in, TCSANOW, &otio);

kwboot_read_image(const char *path, size_t *size, size_t reserve)

	fd = open(path, O_RDONLY);

	len = lseek(fd, 0, SEEK_END);
	if (len == (off_t)-1)

	if (lseek(fd, 0, SEEK_SET) == (off_t)-1)

	img = malloc(len + reserve);

		ssize_t rd = read(fd, img + tot, len - tot);

		if (!rd && tot < len) {

kwboot_hdr_csum8(const void *hdr)

	const uint8_t *data = hdr;

	size = kwbheader_size_for_csum(hdr);

	for (csum = 0; size-- > 0; data++)

kwboot_img_csum32_ptr(void *img)

	struct main_hdr_v1 *hdr = img;

	datasz = le32_to_cpu(hdr->blocksize) - sizeof(uint32_t);

	return img + le32_to_cpu(hdr->srcaddr) + datasz;

kwboot_img_csum32(const void *img)

	const struct main_hdr_v1 *hdr = img;
	uint32_t datasz, csum = 0;
	const uint32_t *data;

	datasz = le32_to_cpu(hdr->blocksize) - sizeof(csum);
	if (datasz % sizeof(uint32_t))

	data = img + le32_to_cpu(hdr->srcaddr);
	while (datasz > 0) {
		csum += le32_to_cpu(*data++);

	return cpu_to_le32(csum);

kwboot_img_is_secure(void *img)

	struct opt_hdr_v1 *ohdr;

	for_each_opt_hdr_v1 (ohdr, img)
		if (ohdr->headertype == OPT_HDR_V1_SECURE_TYPE)

kwboot_img_has_ddr_init(void *img)

	const struct register_set_hdr_v1 *rhdr;
	const struct main_hdr_v0 *hdr0;
	struct opt_hdr_v1 *ohdr;

	/*
	 * kwbimage v0 image headers contain DDR init code either in
	 * extension header or in binary code header.
	 */
	if (kwbimage_version(img) == 0) {

		return hdr0->ext || hdr0->bin;

	/*
	 * kwbimage v1 image headers contain DDR init code either in binary
	 * code header or in a register set list header with SDRAM_SETUP.
	 */
	for_each_opt_hdr_v1 (ohdr, img) {
		if (ohdr->headertype == OPT_HDR_V1_BINARY_TYPE)

		if (ohdr->headertype == OPT_HDR_V1_REGISTER_TYPE) {
			rhdr = (const struct register_set_hdr_v1 *)ohdr;
			ohdrsz = opt_hdr_v1_size(ohdr);
			if (ohdrsz >= sizeof(*ohdr) + sizeof(rhdr->data[0].last_entry)) {
				ohdrsz -= sizeof(*ohdr) + sizeof(rhdr->data[0].last_entry);
				last = ohdrsz / sizeof(rhdr->data[0].entry);
				if (rhdr->data[last].last_entry.delay ==
				    REGISTER_SET_HDR_OPT_DELAY_SDRAM_SETUP)

kwboot_img_grow_data_right(void *img, size_t *size, size_t grow)

	struct main_hdr_v1 *hdr = img;

	/*
	 * 32-bit checksum comes after end of image code, so we will be putting
	 * new code there. So we get this pointer and then increase data size
	 * (since increasing data size changes kwboot_img_csum32_ptr() return
	 */
	result = kwboot_img_csum32_ptr(img);
	hdr->blocksize = cpu_to_le32(le32_to_cpu(hdr->blocksize) + grow);

kwboot_img_grow_hdr(void *img, size_t *size, size_t grow)

	uint32_t hdrsz, datasz, srcaddr;
	struct main_hdr_v1 *hdr = img;
	struct opt_hdr_v1 *ohdr;

	srcaddr = le32_to_cpu(hdr->srcaddr);

	/* calculate real used space in kwbimage header */
	if (kwbimage_version(img) == 0) {
		hdrsz = kwbheader_size(img);

		hdrsz = sizeof(*hdr);
		for_each_opt_hdr_v1 (ohdr, hdr)
			hdrsz += opt_hdr_v1_size(ohdr);

	data = (uint8_t *)img + srcaddr;
	datasz = *size - srcaddr;

	/* only move data if there is not enough space */
	if (hdrsz + grow > srcaddr) {
		size_t need = hdrsz + grow - srcaddr;

		/* move data by enough bytes */
		memmove(data + need, data, datasz);

		hdr->srcaddr = cpu_to_le32(srcaddr + need);

	if (kwbimage_version(img) == 1) {

		if (hdrsz > kwbheader_size(img)) {
			hdr->headersz_msb = hdrsz >> 16;
			hdr->headersz_lsb = cpu_to_le16(hdrsz & 0xffff);

kwboot_add_bin_ohdr_v1(void *img, size_t *size, uint32_t binsz)

	struct main_hdr_v1 *hdr = img;
	struct opt_hdr_v1 *ohdr;

		for_each_opt_hdr_v1 (ohdr, img)
			if (opt_hdr_v1_next(ohdr) == NULL)

		prev_ext = opt_hdr_v1_ext(ohdr);
		ohdr = _opt_hdr_v1_next(ohdr);

		ohdr = (void *)(hdr + 1);
		prev_ext = &hdr->ext;

	/*
	 * ARM executable code inside the BIN header on some mvebu platforms
	 * (e.g. A370, AXP) must always be aligned with the 128-bit boundary.
	 * This requirement can be met by inserting dummy arguments into
	 * BIN header, if needed.
	 */
	offset = &ohdr->data[4] - (char *)img;
	num_args = ((16 - offset % 16) % 16) / sizeof(uint32_t);

	ohdrsz = sizeof(*ohdr) + 4 + 4 * num_args + binsz + 4;
	kwboot_img_grow_hdr(hdr, size, ohdrsz);

	ohdr->headertype = OPT_HDR_V1_BINARY_TYPE;
	ohdr->headersz_msb = ohdrsz >> 16;
	ohdr->headersz_lsb = cpu_to_le16(ohdrsz & 0xffff);

	memset(&ohdr->data[0], 0, ohdrsz - sizeof(*ohdr));
	*(uint32_t *)&ohdr->data[0] = cpu_to_le32(num_args);

	return &ohdr->data[4 + 4 * num_args];

_inject_baudrate_change_code(void *img, size_t *size, int for_data,
			     int old_baud, int new_baud)

	struct main_hdr_v1 *hdr = img;
	uint32_t orig_datasz;

		orig_datasz = le32_to_cpu(hdr->blocksize) - sizeof(uint32_t);

		codesz = sizeof(kwboot_baud_code) +
			 sizeof(kwboot_baud_code_data_jump);
		code = kwboot_img_grow_data_right(img, size, codesz);

		codesz = sizeof(kwboot_baud_code_binhdr_pre) +
			 sizeof(kwboot_baud_code) +
			 sizeof(kwboot_baud_code_binhdr_post);
		code = kwboot_add_bin_ohdr_v1(img, size, codesz);

		codesz = sizeof(kwboot_baud_code_binhdr_pre);
		memcpy(code, kwboot_baud_code_binhdr_pre, codesz);

	codesz = sizeof(kwboot_baud_code) - 2 * sizeof(uint32_t);
	memcpy(code, kwboot_baud_code, codesz);

	*(uint32_t *)code = cpu_to_le32(old_baud);
	code += sizeof(uint32_t);
	*(uint32_t *)code = cpu_to_le32(new_baud);
	code += sizeof(uint32_t);

		codesz = sizeof(kwboot_baud_code_data_jump) - sizeof(uint32_t);
		memcpy(code, kwboot_baud_code_data_jump, codesz);

		*(uint32_t *)code = hdr->execaddr;
		code += sizeof(uint32_t);
		hdr->execaddr = cpu_to_le32(le32_to_cpu(hdr->destaddr) + orig_datasz);

		codesz = sizeof(kwboot_baud_code_binhdr_post);
		memcpy(code, kwboot_baud_code_binhdr_post, codesz);

kwboot_img_guess_sata_blksz(void *img, uint32_t blkoff, uint32_t data_size, size_t total_size)

	uint32_t sum, *ptr, *end;

	/*
	 * Try all possible sector sizes which are power of two,
	 * at least 512 bytes and up to the 32 kB.
	 */
	for (blksz = 512; blksz < 0x10000; blksz *= 2) {
		if (blkoff * blksz > total_size ||
		    blkoff * blksz + data_size > total_size ||

		/*
		 * Calculate data checksum and if it matches
		 * then tried blksz should be correct.
		 */
		ptr = img + blkoff * blksz;
		end = (void *)ptr + data_size - 4;
		for (sum = 0; ptr < end; ptr++)

	/* Fallback to 512 bytes */

kwboot_img_type(uint8_t blockid)

	case IBR_HDR_I2C_ID: return "I2C";
	case IBR_HDR_SPI_ID: return "SPI";
	case IBR_HDR_NAND_ID: return "NAND";
	case IBR_HDR_SATA_ID: return "SATA";
	case IBR_HDR_PEX_ID: return "PEX";
	case IBR_HDR_UART_ID: return "UART";
	case IBR_HDR_SDIO_ID: return "SDIO";
	default: return "unknown";

kwboot_img_patch(void *img, size_t *size, int baudrate)

	struct main_hdr_v1 *hdr;
	struct opt_hdr_v1 *ohdr;

	if (*size < sizeof(struct main_hdr_v1)) {
		fprintf(stderr, "Invalid image header size\n");

	image_ver = kwbimage_version(img);
	if (image_ver != 0 && image_ver != 1) {
		fprintf(stderr, "Invalid image header version\n");

	hdrsz = kwbheader_size(hdr);

	if (*size < hdrsz) {
		fprintf(stderr, "Invalid image header size\n");

	kwboot_printv("Detected kwbimage v%d with %s boot signature\n", image_ver, kwboot_img_type(hdr->blockid));

	csum = kwboot_hdr_csum8(hdr) - hdr->checksum;
	if (csum != hdr->checksum) {
		fprintf(stderr, "Image has invalid header checksum stored in image header\n");

	srcaddr = le32_to_cpu(hdr->srcaddr);

	switch (hdr->blockid) {
	case IBR_HDR_SATA_ID:
		hdr->srcaddr = cpu_to_le32(srcaddr * kwboot_img_guess_sata_blksz(img, srcaddr, le32_to_cpu(hdr->blocksize), *size));

	case IBR_HDR_PEX_ID:
		if (srcaddr == 0xFFFFFFFF)
			hdr->srcaddr = cpu_to_le32(hdrsz);

	case IBR_HDR_SPI_ID:
		if (hdr->destaddr == cpu_to_le32(0xFFFFFFFF)) {
			kwboot_printv("Patching destination and execution addresses from SPI/NOR XIP area to DDR area 0x00800000\n");
			hdr->destaddr = cpu_to_le32(0x00800000 + le32_to_cpu(hdr->srcaddr));
			hdr->execaddr = cpu_to_le32(0x00800000 + le32_to_cpu(hdr->execaddr));

	if (hdrsz > le32_to_cpu(hdr->srcaddr)) {
		fprintf(stderr, "Image has invalid data offset stored in image header\n");

	if (*size < le32_to_cpu(hdr->srcaddr) + le32_to_cpu(hdr->blocksize)) {
		fprintf(stderr, "Image has invalid data size stored in image header\n");

	for_each_opt_hdr_v1 (ohdr, hdr) {
		if (!opt_hdr_v1_valid_size(ohdr, (const uint8_t *)hdr + hdrsz)) {
			fprintf(stderr, "Invalid optional image header\n");

	/*
	 * The 32-bit data checksum is optional for UART image. If it is not
	 * present (checksum detected as invalid) then grow data part of the
	 * image for the checksum, so it can be inserted there.
	 */
	if (kwboot_img_csum32(img) != *kwboot_img_csum32_ptr(img)) {
		if (hdr->blockid != IBR_HDR_UART_ID) {
			fprintf(stderr, "Image has invalid data checksum\n");

		kwboot_img_grow_data_right(img, size, sizeof(uint32_t));
		/* Update the 32-bit data checksum */
		*kwboot_img_csum32_ptr(img) = kwboot_img_csum32(img);

	if (!kwboot_img_has_ddr_init(img) &&
	    (le32_to_cpu(hdr->destaddr) < 0x40000000 ||
	     le32_to_cpu(hdr->destaddr) + le32_to_cpu(hdr->blocksize) > 0x40034000)) {
		fprintf(stderr, "Image does not contain DDR init code needed for UART booting\n");

	is_secure = kwboot_img_is_secure(img);

	if (hdr->blockid != IBR_HDR_UART_ID) {

				"Image has secure header with signature for non-UART booting\n");

		kwboot_printv("Patching image boot signature to UART\n");
		hdr->blockid = IBR_HDR_UART_ID;

		if (image_ver == 1) {
			/*
			 * Tell BootROM to send BootROM messages to UART port
			 * number 0 (used also for UART booting) with default
			 * baudrate (which should be 115200) and do not touch
			 * UART MPP configuration.
			 */

			hdr->options &= ~0x1F;
			hdr->options |= MAIN_HDR_V1_OPT_BAUD_DEFAULT;
			hdr->options |= 0 << 3;

			((struct main_hdr_v0 *)img)->nandeccmode = IBR_HDR_ECC_DISABLED;
		hdr->nandpagesize = 0;

		if (image_ver == 0) {

				"Cannot inject code for changing baudrate into v0 image header\n");

				"Cannot inject code for changing baudrate into image with secure header\n");

		/*
		 * First inject code that changes the baudrate from the default
		 * value of 115200 Bd to requested value. This code is inserted
		 * as a new opt hdr, so it is executed by BootROM after the
		 * header part is received.
		 */
		kwboot_printv("Injecting binary header code for changing baudrate to %d Bd\n",

		_inject_baudrate_change_code(img, size, 0, 115200, baudrate);

		/*
		 * Now inject code that changes the baudrate back to 115200 Bd.
		 * This code is appended after the data part of the image, and
		 * execaddr is changed so that it is executed before U-Boot
		 */
		kwboot_printv("Injecting code for changing baudrate back\n");
		_inject_baudrate_change_code(img, size, 1, baudrate, 115200);

		/* Update the 32-bit data checksum */
		*kwboot_img_csum32_ptr(img) = kwboot_img_csum32(img);

		/* recompute header size */
		hdrsz = kwbheader_size(hdr);

	if (hdrsz % KWBOOT_XM_BLKSZ) {
		size_t grow = KWBOOT_XM_BLKSZ - hdrsz % KWBOOT_XM_BLKSZ;

			fprintf(stderr, "Cannot align image with secure header\n");

		kwboot_printv("Aligning image header to Xmodem block size\n");
		kwboot_img_grow_hdr(img, size, grow);

		/*
		 * kwbimage v1 contains header size field and for UART type it
		 * must be set to the aligned xmodem header size because BootROM
		 * rounds header size down to xmodem block size.
		 */
		if (kwbimage_version(img) == 1) {
			hdr->headersz_msb = hdrsz >> 16;
			hdr->headersz_lsb = cpu_to_le16(hdrsz & 0xffff);

	/* Header size and source address must be same for UART type due to A38x BootROM bug */
	if (hdrsz != le32_to_cpu(hdr->srcaddr)) {

			fprintf(stderr, "Cannot align image with secure header\n");

		kwboot_printv("Removing gap between image header and data\n");
		memmove(img + hdrsz, img + le32_to_cpu(hdr->srcaddr), le32_to_cpu(hdr->blocksize));
		hdr->srcaddr = cpu_to_le32(hdrsz);

	hdr->checksum = kwboot_hdr_csum8(hdr) - csum;

	*size = le32_to_cpu(hdr->srcaddr) + le32_to_cpu(hdr->blocksize);

kwboot_usage(FILE *stream, char *progname)

		"Usage: %s [OPTIONS] [-b <image> | -D <image> | -b | -d ] [-B <baud> ] [-t] <TTY>\n",

	fprintf(stream, "\n");

		" -b <image>: boot <image> with preamble (Kirkwood, Avanta, Armada 370/XP/375/38x/39x)\n");

		" -D <image>: boot <image> without preamble (Dove)\n");
	fprintf(stream, " -b: enter xmodem boot mode\n");
	fprintf(stream, " -d: enter console debug mode\n");
	fprintf(stream, " -a: use timings for Armada XP\n");
	fprintf(stream, " -s <resp-timeo>: use specific response-timeout\n");

		" -o <block-timeo>: use specific xmodem block timeout\n");
	fprintf(stream, "\n");
	fprintf(stream, " -t: mini terminal\n");
	fprintf(stream, "\n");
	fprintf(stream, " -B <baud>: set baud rate\n");
	fprintf(stream, "\n");

main(int argc, char **argv)

	const char *ttypath, *imgpath;
	int rv, rc, tty, term;

	size_t after_img_rsv;

	after_img_rsv = KWBOOT_XM_BLKSZ;

	printf("kwboot version %s\n", PLAIN_VERSION);

	kwboot_verbose = isatty(STDOUT_FILENO);

		prev_optind = optind;
		c = getopt(argc, argv, "hbptaB:dD:q:s:o:");

			if (imgpath || bootmsg || debugmsg)

			if (prev_optind == optind)

			/* Option -b could have an optional argument which specifies the image path */
			if (optind < argc && argv[optind] && argv[optind][0] != '-')
				imgpath = argv[optind++];

			if (imgpath || bootmsg || debugmsg)

			if (imgpath || bootmsg || debugmsg)

			/* nop, for backward compatibility */

			msg_rsp_timeo = KWBOOT_MSG_RSP_TIMEO_AXP;

			/* nop, for backward compatibility */

			msg_rsp_timeo = atoi(optarg);

			blk_rsp_timeo = atoi(optarg);

			baudrate = atoi(optarg);

	if (!bootmsg && !term && !debugmsg && !imgpath)

	/*
	 * If there is no remaining argument but optional imgpath was parsed
	 * then it means that optional imgpath was eaten by getopt parser.
	 * Reassign imgpath to required ttypath argument.
	 */
	if (optind == argc && imgpath) {

	} else if (optind + 1 == argc) {
		ttypath = argv[optind];

	/* boot and debug message use baudrate 115200 */
	if (((bootmsg && !imgpath) || debugmsg) && baudrate != 115200) {
		fprintf(stderr, "Baudrate other than 115200 cannot be used for this operation.\n");

	tty = kwboot_open_tty(ttypath, baudrate);

	/*
	 * initial baudrate for image transfer is always 115200,
	 * the change to different baudrate is done only after the header is sent
	 */
	if (imgpath && baudrate != 115200) {
		rc = kwboot_tty_change_baudrate(tty, 115200);

	if (baudrate == 115200)
		/* do not change baudrate during Xmodem to the same value */

		/* ensure we have enough space for baudrate change code */
		after_img_rsv += sizeof(struct opt_hdr_v1) + 8 + 16 +
				 sizeof(kwboot_baud_code_binhdr_pre) +
				 sizeof(kwboot_baud_code) +
				 sizeof(kwboot_baud_code_binhdr_post) +

				 sizeof(kwboot_baud_code) +
				 sizeof(kwboot_baud_code_data_jump) +

		img = kwboot_read_image(imgpath, &size, after_img_rsv);

		rc = kwboot_img_patch(img, &size, baudrate);

			fprintf(stderr, "%s: Invalid image.\n", imgpath);

		rc = kwboot_debugmsg(tty);

	} else if (bootmsg) {
		rc = kwboot_bootmsg(tty);

		rc = kwboot_xmodem(tty, img, size, baudrate);

		rc = kwboot_terminal(tty);
		if (rc && !(errno == EINTR)) {

	kwboot_usage(rv ? stderr : stdout, basename(argv[0]));
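
The sector size guess performed by kwboot_img_guess_sata_blksz() in the listing above, as an added stand-alone example that is not part of kwboot: it tries each power-of-two sector size and accepts the first one whose data checksum matches, doing the offset arithmetic in 64 bits and checking bounds before any read. The names guess_blksz, rd_le32 and build_sample and the sample image are constructed for illustration; treating data_size as including the trailing 32-bit checksum is an assumption taken from the listing's `end = (void *)ptr + data_size - 4`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read one little-endian 32-bit word without alignment assumptions. */
static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Hypothetical stand-alone variant of the sector size guess: blkoff is the
 * data offset in sectors, data_size includes the trailing 32-bit checksum.
 */
static uint32_t guess_blksz(const uint8_t *img, size_t total_size,
			    uint32_t blkoff, uint32_t data_size)
{
	uint32_t blksz;

	if (data_size < 4 || data_size % 4)
		return 512;

	for (blksz = 512; blksz < 0x10000; blksz *= 2) {
		/* 64-bit math: blkoff * blksz cannot wrap around */
		uint64_t off = (uint64_t)blkoff * blksz;
		uint32_t sum = 0, i;

		if (off > total_size || data_size > total_size - off)
			break;	/* larger sectors only move further out */

		for (i = 0; i < data_size - 4; i += 4)
			sum += rd_le32(img + off + i);
		if (sum == rd_le32(img + off + data_size - 4))
			return blksz;
	}
	return 512;	/* fallback, as in the listing */
}

/* Constructed sample (len >= 4112): 0xFF padding, data at sector 1 of 4096 B. */
static void build_sample(uint8_t *buf, size_t len)
{
	static const uint8_t data[16] = {
		1, 0, 0, 0,  2, 0, 0, 0,  3, 0, 0, 0,	/* payload words */
		6, 0, 0, 0,				/* checksum 1 + 2 + 3 */
	};

	memset(buf, 0xFF, len);
	memcpy(buf + 4096, data, sizeof(data));
}

int main(void)
{
	static uint8_t buf[8192];

	build_sample(buf, sizeof(buf));
	printf("sector size: %u\n", (unsigned)guess_blksz(buf, sizeof(buf), 1, 16));
	return 0;
}
```

The sample is padded with 0xFF rather than zeros because a zero-filled region sums to zero and would match a zero checksum word at the first size tried.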