Search code examples
armjtag

How to load binary to DRAM with JLink JTAG to debug?


I am doing a ARM+RTOS project, and I want to download the binary to target board with JLink JTAG.
But every time 'loadbin a.bin 0x40000000' will report error -1, and says 'failed to read memory', 0x40000000 is the starting address of DRAM.

I have to use 'r' command to reset JTAG port to read memory back.
The JLINK driver is 6.72 installed in Ubuntu-20.04.5, the ARM is an allwinner chip (cortex-a7).

I am wondering how to download the binary image into DRAM thru JLink JTAG to debug.

Updated with more details.

The board is based on sun8i, with 2 ARMv7 cores.
The JLink can identify the JTAG adapter as follows,

Connecting to target via JTAG
ConfigTargetSettings() start
Setting up: AW Cortex-A7
ConfigTargetSettings() end
TotalIRLen = 4, IRPrint = 0x01
JTAG chain detection found 1 devices:
 #0 Id: 0x5BA00477, IRLen: 04, CoreSight JTAG-DP
AP map detection skipped. Manually configured AP map found.
AP[0]: AHB-AP (IDR: Not set)
AP[1]: APB-AP (IDR: Not set)
Using preconfigured AP[1] as APB-AP
AP[1]: APB-AP found
ROMTbl[0][0]: CompAddr: 80050000 CID: B105900D, PID:04-004BB906 CTI
ROMTbl[0][1]: CompAddr: 81000000 CID: B105100D, PID:08-00A9CC32 ROM Table
ROMTbl[1][0]: CompAddr: 81010000 CID: 00000000, PID:00-00000000 ???
ROMTbl[1][1]: CompAddr: 81020000 CID: 00000000, PID:00-00000000 ???
ROMTbl[1][2]: CompAddr: 81400000 CID: B105100D, PID:04-000BB4A7 ROM Table
ROMTbl[2][0]: CompAddr: 81410000 CID: B105900D, PID:04-005BBC07 Cortex-A7
Found Cortex-A7 r0p5
6 code breakpoints, 4 data breakpoints
Debug architecture ARMv7.1
Data endian: little
Main ID register: 0x410FC075
I-Cache L1: 32 KB, 512 Sets, 32 Bytes/Line, 2-Way
D-Cache L1: 32 KB, 128 Sets, 64 Bytes/Line, 4-Way
Unified-Cache L2: 256 KB, 512 Sets, 64 Bytes/Line, 8-Way
System control register:
  Instruction endian: little
  Level-1 instruction cache enabled
  Level-1 data cache enabled
  MMU enabled
  Branch prediction enabled
Memory zones:
  [0]: Default (Default access mode)
  [1]: AHB-AP (AP0) (DMA like acc. in AP0 addr. space)
  [2]: APB-AP (AP1) (DMA like acc. in AP1 addr. space)
Cortex-A7 identified.

The JLinkGDBServer and gdb can attach and debug the code running (burned with a tool in Windows) in RAM, such as reading memory, modify memory etc.

But the gdb command of load a.elf will fail with error in memory writing.

And the loadbin a.bin 0x40000000 in JLinkExe also failed with memory writing.

with steps of loading add.c from Frant in my system

The JLinkGDBServer is running in another xterm, and run gdb-multiarch

(gdb) monitor reset
Resetting target
(gdb) x/8x 0x40000000
0x40000000:     0xea00001e      0x736f7472      0x00000000      0xa143480d
0x40000010:     0x0008b630      0x0008b630      0x0008b630      0x2e302e30

(gdb) load add.elf
`/home/t/develop/ctest/add.elf' has changed; re-reading symbols.
(no debugging symbols found)
Loading section .note.gnu.build-id, size 0x24 lma 0x100b4
Loading section .text, size 0x64 lma 0x40000000
Start address 0x40000000, load size 136
Transfer rate: 5 KB/sec, 68 bytes/write.

(gdb) x/8x 0x40000000
0x40000000 <main>:      Cannot access memory at address 0x40000000

Before loading elf to DRAM, memory at 0x40000000 (start of DRAM) can be read from GDB. But after loading elf, that memory cannot be read from GDB.

The JLinkGDBServer also reported...

Downloading 36 bytes @ address 0x000100B4
Downloading 100 bytes @ address 0x40000000
Writing register (PC = 0x40000000)
Reading all registers
WARNING: Failed to read memory @ address 0x40000000

Then, I changed to use JLinkExe to load a binary file of 4KB (all 0s) as follows,

J-Link>r
Reset delay: 0 ms
Reset type NORMAL: Toggle reset pin and halt CPU core.
J-Link>mem32 0x40000000 16
40000000 = EA00001E 736F7472 00000000 A143480D
40000010 = 0008B630 0008B630 0008B630 2E302E30
40000020 = 00000030 2E302E30 00000030 40000000
40000030 = 00000000 00000000 00000000 00000000
40000040 = 00000000 00000000 00000000 00000000
40000050 = 00000040 00000000
J-Link>loadbin zero.bin 0x40000000
Downloading file [zero.bin]...
Unspecified error -1
J-Link>

Tried with sunxi-fel tool

(base):~/tools/sunxi-tools-master$ sudo ./sunxi-fel -v --list
USB device 001:035   Allwinner R528    93406400:0c004814:0146880a:044713cd

(base):~/tools/sunxi-tools-master$ sudo ./sunxi-fel -p write 0x40000000 ~/u-boot.bin
usb_bulk_send() ERROR -7: Operation timed out

(base):~/tools/sunxi-tools-master$ sudo ./sunxi-fel -v --list
usb_bulk_send() ERROR -7: Operation timed out

Firstly, sunxi-fel can detect and list the attached device.
Then to load u-boot.bin to DRAM hit an error (Maybe from DRAM not initialized).
Last, the sunxi-fel cannot detect and list the attached device, I have to power cycle the board to bring it back.


Solution

  • This is not clear from your original question what the state of your device is prior to your attempt, nor what exact model of SBC you are using.

    However, here are two different approaches you could probably use for achieving your goal. Ubuntu 22.04, Jlink software V7.84c, a JLink EDU and a FriendlyElec nanopi-2 neo with an Allwinner H3 were used for the purpose of this answer.

    They could probably be adapted to a different 32 bit Alwinner SoC having JTAG support, and an SBC having the JTAG signals properly wired.

    It worked for me using a nanopi2-m1 and an orangepi-zero.

    You have two issues to solve here prior to be able to upload your binary usin g the JLink probe:

    • Making sure the SDRAM controller is configured so that the SDRAM will be readable/writable,
    • Enable the JTAG on some PIO port supporting the JTAG functionality: for example, the reset value for the H3 PA Configure Register is 0x77777777, that is the JAG functionality is not enable at reset. As a side-effect, if you are resetting the SoC using the JLink probe, you will lose the JTAG connectivity.

    Approach #1 - using u-boot

    In this case, the u-boot SPL will obviously already have configured the SDRAM controller, and its content will be usable, and you will just have to enable the JTAG functionality on PIO port A.

    You will need to write the value 0x77223333 into the PA Configure Register at address 0x01c20800 in order to enable the JTAG functionality on PIO port A- please refer to 4.22.1. Port Controller Register List and 4.22.2. Port Controller Register Description of the Allwinner H3 Datasheet.

    U-Boot SPL 2023.01 (Jan 24 2023 - 15:18:15 -0500)
    DRAM: 512 MiB
    Trying to boot from MMC1
    
    
    U-Boot 2023.01 (Jan 24 2023 - 15:18:15 -0500) Allwinner Technology
    
    CPU:   Allwinner H3 (SUN8I 1680)
    Model: FriendlyARM NanoPi NEO
    DRAM:  512 MiB
    Core:  60 devices, 17 uclasses, devicetree: separate
    WDT:   Not starting watchdog@1c20ca0
    MMC:   mmc@1c0f000: 0
    Loading Environment from FAT... OK
    In:    serial
    Out:   serial
    Err:   serial
    Net:   eth0: ethernet@1c30000
    starting USB...
    Bus usb@1c1a000: probe failed, error -2
    Bus usb@1c1a400: probe failed, error -2
    Bus usb@1c1d000: USB EHCI 1.00
    Bus usb@1c1d400: USB OHCI 1.0
    scanning bus usb@1c1d000 for devices... 1 USB Device(s) found
    scanning bus usb@1c1d400 for devices... 1 USB Device(s) found
           scanning usb for storage devices... 0 Storage Device(s) found
    =>
    

    Enabling JTAG on PA:

     mw.l 0x01c20800 0x77223333 1
     =>
    

    Starting the JLink GDD server - Ubuntu system:

    <!-- language-all: lang-text -->
    
    /opt/jlink$/opt/JLink_Linux_V784c_x86_64/JLinkGDBServerCLExe -select USB -device Cortex-A7 -endian little -if JTAG -speed 4000 -noir -noLocalhostOnly -nologtofile -port 2331 -SWOPort 2332 -TelnetPort 2333
    SEGGER J-Link GDB Server V7.84c Command Line Version
    
    JLinkARM.dll V7.84c (DLL compiled Jan 20 2023 12:25:58)
    
    Command line: -select USB -device Cortex-A7 -endian little -if JTAG -speed 4000 -noir -noLocalhostOnly -nologtofile -port 2331 -SWOPort 2332 -TelnetPort 2333
    -----GDB Server start settings-----
    GDBInit file:                  none
    GDB Server Listening port:     2331
    SWO raw output listening port: 2332
    Terminal I/O port:             2333
    Accept remote connection:      yes
    Generate logfile:              off
    Verify download:               off
    Init regs on start:            off
    Silent mode:                   off
    Single run mode:               off
    Target connection timeout:     0 ms
    ------J-Link related settings------
    J-Link Host interface:         USB
    J-Link script:                 none
    J-Link settings file:          none
    ------Target related settings------
    Target device:                 Cortex-A7
    Target device parameters:      none
    Target interface:              JTAG
    Target interface speed:        4000kHz
    Target endian:                 little
    
    Connecting to J-Link...
    J-Link is connected.
    Firmware: J-Link ARM V8 compiled Nov 28 2014 13:44:46
    Hardware: V8.00
    S/N: ********
    OEM: SEGGER-EDU
    Feature(s): FlashBP, GDB
    Checking target voltage...
    Target voltage: 3.31 V
    Listening on TCP/IP port 2331
    Connecting to target...
    
    J-Link found 1 JTAG device, Total IRLen = 4
    JTAG ID: 0x5BA00477 (Cortex-A7)
    Connected to target
    Waiting for GDB connection...
    

    At this stage, the JLink GDB server successfully connected the H3 using the JTAG interface.

    We now need a small example program - add.c

    int main(int argc, char** argv) {
        const int count = 5;
        int result = 0;
    
        for (int i = 1; i < count; i++) {
            result = result + i;
        }
    
    done:
            // We should rather use 'WFI' here.
            goto done;
    }
    

    Compiling add.elf:

    /opt/arm/10/gcc-arm-10.3-2021.07-x86_64-arm-none-eabi/bin/arm-none-eabi-gcc -O0 -nostdlib -nostartfiles -e main -Wl,-Ttext=0x0000000042000000 -o add.elf add.c
    /opt/arm/10/gcc-arm-10.3-2021.07-x86_64-arm-none-eabi/bin/arm-none-eabi-objdump -D -j .text add.elf > add.lst
    
    cat add.lst
    
    add.elf:     file format elf32-littlearm
    
    Disassembly of section .text:
    
    42000000 <main>:
    42000000:       e52db004        push    {fp}            ; (str fp, [sp, #-4]!)
    42000004:       e28db000        add     fp, sp, #0
    42000008:       e24dd01c        sub     sp, sp, #28
    4200000c:       e50b0018        str     r0, [fp, #-24]  ; 0xffffffe8
    42000010:       e50b101c        str     r1, [fp, #-28]  ; 0xffffffe4
    42000014:       e3a03005        mov     r3, #5
    42000018:       e50b3010        str     r3, [fp, #-16]
    4200001c:       e3a03000        mov     r3, #0
    42000020:       e50b3008        str     r3, [fp, #-8]
    42000024:       e3a03001        mov     r3, #1
    42000028:       e50b300c        str     r3, [fp, #-12]
    4200002c:       ea000006        b       4200004c <main+0x4c>
    42000030:       e51b2008        ldr     r2, [fp, #-8]
    42000034:       e51b300c        ldr     r3, [fp, #-12]
    42000038:       e0823003        add     r3, r2, r3
    4200003c:       e50b3008        str     r3, [fp, #-8]
    42000040:       e51b300c        ldr     r3, [fp, #-12]
    42000044:       e2833001        add     r3, r3, #1
    42000048:       e50b300c        str     r3, [fp, #-12]
    4200004c:       e51b200c        ldr     r2, [fp, #-12]
    42000050:       e51b3010        ldr     r3, [fp, #-16]
    42000054:       e1520003        cmp     r2, r3
    42000058:       bafffff4        blt     42000030 <main+0x30>
    4200005c:       e1a00000        nop                     ; (mov r0, r0)
    42000060:       eafffffe        b       42000060 <main+0x60>
    

    Starting a GDB session and loading add.elf:

    /opt/gdb/gdb-12.1-arm-none-eabi-x86_64-linux-gnu/bin/arm-none-eabi-gdb 
    GNU gdb (GDB) 12.1
    Copyright (C) 2022 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "--host=x86_64-linux-gnu --target=arm-none-eabi".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <https://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
        <http://www.gnu.org/software/gdb/documentation/>.
    
    For help, type "help".
    Type "apropos word" to search for commands related to "word".
    (gdb) target remote localhost:2331
    Remote debugging using localhost:2331
    warning: No executable has been specified and target does not support
    determining executable automatically.  Try using the "file" command.
    0x42000004 in ?? ()
    (gdb) load add.elf
    Loading section .text, size 0x64 lma 0x42000000
    Start address 0x42000000, load size 100
    Transfer rate: 32 KB/sec, 100 bytes/write.
    (gdb) b *0x42000000
    Breakpoint 1 at 0x42000000
    

    At this stage, the program was load into the nanipo2-neo,and a break-point was set at 0x42000000.

    By switching to the TUI mode, we can step trough the program using the stepi command:

    Debugging add.elf GDB/JLink session in TUI mode

    Approach #2 - using FEL mode and sunxi-fel

    With this approach, you would boot your SBC in FEL mode, configure the SDRAM controller using the following command: sunxi-fel spl u-boot-sunxi-with-spl.bin, as explained on the FEL/USBBoot page of the linux-sunxi WEB site.

    Enabling the JTAG functionality could than be done using the following command: sunxi-fel writel 0x01c20800 0x77223333.

    Starting the JLink GDB server and launching a GDB debug session could then be done as described above.