Zaurus
Zaurus C750
Angel remote debug interface (with CE-170TS cable)
- Compile gdb with rdi support: Use gdb-5.3/gcc-3.3, 'configure --target=arm-elf'
- Remove battery from Zaurus, hold down D+A, insert battery
- If serial port was connected, at 9600 baud it should show:
Angel Debug Monitor for Collie Version 0.42 for SL-C700/5600 : Serial/FIQ : MMU on, Caches enabled : Clock Switching on 1.20 (ARM Ltd / Intel White Angel v208a) built on Feb 21 2003 at 12:41:06 ,PpMc
- In arm-gdb use 'target rdi /dev/ttyS0' (Symlink ttyUSB0 to ttyS0 or ttyS1, rdi target is picky on device name)
    (gdb) target rdi /dev/ttyUSB0
    Could not open device "/dev/ttyUSB0"
    (gdb) target rdi /dev/ttyS0
    Angel Debug Monitor for Collie Version 0.42 for SL-C700/5600 : Serial/FIQ : MMU on, Caches enabled : Clock Switching on 1.20 (ARM Ltd / Intel White Angel v208a) built on Feb 21 2003 at 12:41:06 SerConnected to ARM RDI target.
- udev rule for automatic symlinking: 'SUBSYSTEMS=="usb", KERNEL=="ttyUSB*", SYMLINK+="ttyS4"'
- Use 'target rdi /dev/ttyS4 115200' for higher baudrate
Hello world example program:
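    static const char hello_world[] = "Hello World!\n";

    /* Naked entry point: no prologue/epilogue, so the asm body is the whole function. */
    void __attribute((naked)) _start(void)
    {
        /* Angel semihosting: operation number in r0, argument in r1, then swi 0x123456. */
        asm(
            " mov r0, #0x04 /* Write0 */\n"
            " ldr r1, =hello_world \n"
            " swi 0x123456 \n"
            " mov r0, #0x18 /* ReportException */\n"
            " ldr r1, =0x20026 /* ADP_Stopped_ApplicationExit */\n"
            " swi 0x123456"
        );
    }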
running with qemu-arm:
    $ qemu-arm ./test
    Hello World!
running with gdb on remote target:
    $ gdb
    GNU gdb 5.3
    Copyright 2002 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "--host=i686-pc-linux-gnu --target=arm-elf".
    (gdb) target rdi /dev/ttyS0 115200
    Angel Debug Monitor for Collie Version 0.42 for SL-C700/5600 : Serial/FIQ : MMU on, Caches enabled : Clock Switching on 1.20 (ARM Ltd / Intel White Angel v208a) built on Feb 21 2003 at 12:41:06 SerConnected to ARM RDI target.
    (gdb) load test
    Loading section .text, size 0x20 lma 0x8074
    Loading section .rodata, size 0x10 lma 0x8094
    Start address 0x8074, load size 48
    Transfer rate: 384 bits in <1 sec, 24 bytes/write.
    (gdb) cont
    Continuing.
    Hello World!
    Program exited normally.
PXA255 memory map
- nCS0: 0x00000000 - 0x03ffffff (used for rom)
- nCS1: 0x04000000 - 0x07ffffff (?)
- nCS2: 0x08000000 - 0x0bffffff (used for w100)
- nCS3: 0x0c000000 - 0x0fffffff (used for nand)
- nCS4: 0x10000000 - 0x13ffffff (scoop @ 0x10800000)
- nCS5: 0x14000000 - 0x17ffffff (?)
- cf0: 0x20000000 - 0x2fffffff (pcmcia/cf)
- cf1: 0x30000000 - 0x3fffffff (pcmcia/cf)
- sdr0: 0xa0000000 - 0xa3ffffff (sdram bank 0)
- sdr1: 0xa4000000 - 0xa7ffffff (sdram bank 1)
- sdr2: 0xa8000000 - 0xabffffff (sdram bank 2)
- sdr3: 0xac000000 - 0xafffffff (sdram bank 3)
- regs: 0x40000000 - 0x4bffffff (memory mapped register)
Angel memory map
ROM is remapped to 0x04000000 - 0x07ffffff, SCOOP is remapped at 0xd2000000 - 0xd2010000. Code loaded using gdb runs at the beginning of the logical address space, but memory is also mapped at its physical location (except for the remapped rom/scoop).
virtual addresses:
- scoop: 0xd2000000
- nand cpld: 0xd4000000
- rom: 0x04000000
MSC0
- MSC0: 0x7ff01888
- RBUFF0: 0 (slow device)
- RRR0: 1 (recovery time 2 memclks)
- RDN0: 8 (rom delay next access 9 memclks)
- RDF0: 8 (rom delay first access 9 memclks)
- RBW0: 1 (rom bus width 16 bits)
- RT0: 0 (nonburst rom or flash)
- RBUFF1: 0
- RRR1: 7 (14 memclks)
- RDN1: 15 (16 memclks)
- RDF1: 15 (16 memclks)
- RBW1: 0 (32 bits)
- RT1: 0 (nonburst rom or flash)
MSC1
- MSC1: 0x1244123C
- RBUFF2: 0 (slow)
- RRR2: 1
- RDN2: 2
- RDF2: 3
- RBW2: 1 (16 bits)
- RT2: 4 (variable latency io)
- RBUFF3: 0 (slow)
- RRR3: 1
- RDN3: 2
- RDF3: 4
- RBW3: 0 (32 bits)
- RT3: 4 (variable latency io)
MSC2
- MSC2: 0x7ff012f4
- RBUFF4: 0 (slow)
- RRR4: 1
- RDN4: 2
- RDF4: 15
- RBW4: 0 (32 bits)
- RT4: 4 (variable latency io)
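The three MSC words above can be split into their fields mechanically. The following is an added example, not code from the original page; it assumes the PXA255 MSCx layout in which each 16-bit half holds RT[2:0], RBW[3], RDF[7:4], RDN[11:8], RRR[14:12] and RBUFF[15], and all function names are chosen for this example.

```python
# Added example: split the PXA255 MSCx words from this page into fields.
# Assumed layout of each 16-bit half (low half = even nCS, high half = odd nCS):
#   RT[2:0] RBW[3] RDF[7:4] RDN[11:8] RRR[14:12] RBUFF[15]
FIELDS = (("RT", 0, 0x7), ("RBW", 3, 0x1), ("RDF", 4, 0xF),
          ("RDN", 8, 0xF), ("RRR", 12, 0x7), ("RBUFF", 15, 0x1))

# Register values and chip-select usage as given on the page.
MSC_VALUES = {0: 0x7FF01888, 1: 0x1244123C, 2: 0x7FF012F4}
CS_USE = {0: "rom", 2: "w100", 3: "nand", 4: "scoop"}

# Only the RT encodings that appear on the page are named here.
RT_NAMES = {0: "nonburst rom or flash", 4: "variable latency io"}


def decode_half(half):
    """Extract the six fields from one 16-bit half of an MSC register."""
    return {name: (half >> shift) & mask for name, shift, mask in FIELDS}


def decode_msc(index, value):
    """Return {chip_select: fields} for MSC<index>."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("MSC registers are 32 bits wide")
    return {2 * index: decode_half(value & 0xFFFF),
            2 * index + 1: decode_half(value >> 16)}


def bus_width(fields):
    """RBW = 1 selects a 16-bit bus, RBW = 0 a 32-bit bus."""
    return 16 if fields["RBW"] else 32


def report():
    """One summary line per chip select, nCS0..nCS5."""
    lines = []
    for index, value in sorted(MSC_VALUES.items()):
        for cs, f in decode_msc(index, value).items():
            rt = RT_NAMES.get(f["RT"], "RT=%d" % f["RT"])
            lines.append("nCS%d (%s): %d-bit, %s, RDF=%d RDN=%d RRR=%d RBUFF=%d"
                         % (cs, CS_USE.get(cs, "?"), bus_width(f), rt,
                            f["RDF"], f["RDN"], f["RRR"], f["RBUFF"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```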
Memory
- 8MByte ROM (OTP? NOR-Flash?) at physical address 0x00000000, mirrored (at least) at 0x00800000
- 64MByte NAND-Flash interfaced using Xilinx Coolrunner-II CPLD (7 registers at physical address 0x0c000000)
- 64MByte RAM at physical address 0xa0000000
- Graphics aperture (ATI Imageon W100) at physical address 0x08000000, including 2MB of video ram
NAND interface CPLD
Registers (all 8bit)
- 0x0c000000: ECCLPLB (line parity bit 7-0)
- 0x0c000004: ECCLPUB (line parity bit 15-8)
- 0x0c000008: ECCCP (column parity bit 5-0)
- 0x0c00000c: ECCCNTR (ecc byte counter)
- 0x0c000010: ECCCLRR (ecc clear)
- 0x0c000014: FLASHIO (read/write from flash)
- 0x0c000018: FLASHCTL (flash control signals)
  - bit0 => FLCE0 (chip enable 0)
  - bit1 => FLCLE (column latch enable)
  - bit2 => FLALE (address latch enable)
  - bit3 => FLWP (write protect)
  - bit4 => FLCE1 (chip enable 1)
  - bit5 => FLRYBY (readybusy)
Note: Experiments showed that the NAND-Flash CE is connected to CE0, but the 2.4 sharp_sl Linux driver always turns on CE0 _and_ CE1. If the CPLD does indeed feature a CE1 out and this is accessible on the board, it should be possible to add a second NAND Flash chip on top of the old one:
    Trying to read id from Flash on CE0
    Got maker=98 device=76
    Trying to read id from Flash on CE1
    Got maker=00 device=00
CE1 is available on a testpad (tested using a kernel module toggling CE0 and CE1+GreenLED alternatingly every second):
    TP6 TP5 TP4
        ---------
    TP3 |Xilinx |
    TP2 |CPLD   |
    TP1 |       |
        ---------

    TP1 => CE0
    TP2 => CE1! (unused?)
    TP3 => /WP
    TP4 => /WE
    TP5 => ALE
    TP6 => CLE
The C750 P2ROM has two separate functions for changing ce0 and for changing ce1 state:
    loc_404AD28_nand_cpld_ctl_ce0
        MOVL R1, 0xD4000018
        CMP R0, #1
        BNE loc_404AD48
        LDR R0, [R1]
        BIC R0, R0, #1
        STR R0, [R1]
        B locret_404AD54
    loc_404AD48
        LDR R0, [R1]
        ORR R0, R0, #1
        STR R0, [R1]
    locret_404AD54
        RET

    loc_404AD58_nand_cpld_ctl_ce1
        MOVL R1, 0xD4000018
        CMP R0, #1
        BNE loc_404AD78
        LDR R0, [R1]
        BIC R0, R0, #0x10
        STR R0, [R1]
        B locret_404AD84
    loc_404AD78
        LDR R0, [R1]
        ORR R0, R0, #0x10
        STR R0, [R1]
    locret_404AD84
        RET
The nand functions I looked at used only the function for ce0.
SCOOP GPIO
gpio directions
- GPCR: 0x03F2 => 0000001111110010
  - PA10,12,13,20-22 input
  - PA11,14-19 output
gpio map
nGPIO | Direction | Name | Function |
---|---|---|---|
PA10 | in | ? | ? |
PA11 | out | green led | green (email) led |
PA12 | in | switch A | display backlight on/off (1 = clamshell closed and display facing keyboard; 0 = clamshell open or display facing outwards) |
PA13 | in | switch B | display rotation sense (0 = clamshell open; 1 = old pda style) |
PA14 | out | mute_l | audio mute left |
PA15 | out | mute_r | audio mute right |
PA16 | out | akin_pullup | for audio remote control (RC timing to measure button resistor value) |
PA17 | out | apm_on | ? |
PA18 | out | backlight_cont | ? |
PA19 | out | mic_bias | maybe controls phantom power for electret microphone? |
PXA GPIO
gpio map
nGPIO | Direction | Edge detect | Function | Comment |
---|---|---|---|---|
0 | in | no | Key pressed | low-active |
1 | in | both | external power active | high-active |
2 | in | high | ATI Imageon W100 interrupt pin | high-active |
pxa gpios from include/asm-arm/arch-pxa/poodle.h
- GP0: Key pressed
- GP1: AC in
- GP4: HP_IN ???
- GP5: touch pad
- GP6: SD_CLK
- GP7: SD_WP
- GP8: SD_INT
- GP9: SD_DETECT
- GP10: GA_INT
- GP11: wakeup ('change battery')
- GP13: battery low / battery cover
- GP14: CF_CD / CF_STSCHG
- GP15: removcon_int
- GP16: CO / chrg_full
- GP17: CF_IRQ
- GP21: ADC_TEMP_ON
- GP22: IR_ON
- GP33: SD_PWR
- GP36: bypass_on
- GP38: charge_on
Alternate Function Configuration
When running angel debug monitor:
    pxa gpio reg dump:
    GAFR0=591A801001001000 GAFR1=0005AAAA900A8451 GAFR2=00000002A0000000
    GPLR0=8D5F5829 GPLR1=03FF43BC GPLR2=00C1C000
    GPDR0=D3F8B040 GPDR1=00FFA7C3 GPDR2=0001C000
    GRER0=00000000 GRER1=00000000 GRER2=00000000
    GFER0=00000000 GFER1=00000000 GFER2=00000000
    GEDR0=00000000 GEDR1=00000000 GEDR2=00000000
When running cacko 2.4.18:
    GAFR0=0x5918801001001000 GAFR1=0x0005AAAA600A8451 GAFR2=0x00000002A0000000
    GPLR0=0x8D5E6D2B GPLR1=0x03BFFB96 GPLR2=0x01C1FFFC
    GPDR0=0xD3F8B040 GPDR1=0x00FFAFC3 GPDR2=0x0001FFFC
    GRER0=0x00000A12 GRER1=0xFC000000 GRER2=0x00000003
    GFER0=0x00004A3A GFER1=0x00000000 GFER2=0x00000000
    GEDR0=0x00000000 GEDR1=0x00000000 GEDR2=0x00000000
- GAFR0_L: 0x01001000 => 0001000001000000 (Bit 0+1 == AF0)
  - GP0-5,GP7-11,GP13-15 => GPIO
  - GP6 => MMCCLK
  - GP12 => 32kHz out
- GAFR0_U: 0x59188010 => 1121012020000100 (Bit 0+1 == AF16)
  - GP18 => Ext. Bus Ready
  - GP23 => SSP clock
  - GP25 => SSP transmit
  - GP26 => SSP receive
  - GP28 => AC97 bit_clk (in) / I2S bit_clk (out)
  - GP29 => I2S Sdata_in
  - GP30 => I2S Sdata_out
  - GP31 => I2S sync
- GAFR1_L: 0x600A8451 => 1200002220101101 (AF32-47)
  - GP32 => AC97 Sdata_in1 (in) / I2C sysclk (out)
  - GP34 => FFUART receive
  - GP35 => FFUART cts
  - GP37 => FFUART dsr
  - GP39 => FFUART txd
  - GP40 => FFUART dtr
  - GP41 => FFUART rts
  - GP46 => STD_UART receive data
  - GP47 => STD_UART transmit data
- GAFR1_U: 0x0005AAAA => 0000001122222222 (AF48-63)
  - GP48 => OE for Card Space
  - GP49 => WE for Card Space
  - GP50 => IORE for CS
  - GP51 => IOWE for CS
  - GP52 => Card Enable 1 for CS
  - GP53 => Card Enable 2 for CS
  - GP54 => Socket Select for CS
  - GP55 => Card Address bit 26
  - GP56 => Wait signal for CS
  - GP57 => Bus Width select for IO Card Space
- GAFR2_L: 0xA0000000 => 2200000000000000 (AF64-79)
  - GP78 => Active low chip select 2
  - GP79 => Active low chip select 3
- GAFR2_U: 0x00000002 => 0000000000000002 (AF80-84)
  - GP80 => Active low chip select 4
GPIO direction
0 == input, 1 == output
- GPDR0: 0xD3F8B040 => 11010011111110001011000001000000 (PD31-PD0)
  - GP0-5,7-11,14,16-18,26,27,29 input
  - GP6,12-13,15,19-25,30,31 output
- GPDR1: 0x00FFAFC3 => 00000000111111111010111111000011 (PD63-PD32)
  - GP34-37,44,46,56-63 input
  - GP32,33,38-43,45,47-55 output
- GPDR2: 0x0001FFFC => 00000000000000011111111111111100 (PD80-PD64)
  - GP64,65 input
  - GP66-80 output
GPIO edge detect
0 == disable, 1 == enable
rising edge
- GRER0: 0x00000A12 => 00000000000000000000101000010010
- GRER1: 0xFC000000 => 11111100000000000000000000000000
- GRER2: 0x00000003 => 00000000000000000000000000000011
- GP1,4,9,11,58-65 enable
falling edge
- GFER0: 0x00004A3A => 00000000000000000100101000111010
- GFER1: 0x00000000 => 00000000000000000000000000000000
- GFER2: 0x00000000 => 00000000000000000000000000000000
- GP1,3-5,9,11,14 enable
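The hand-decoded GAFR, GPDR and edge-detect values above can be reproduced from the raw dumps, and the Angel and cacko 2.4.18 states compared pin by pin. The following is an added example, not code from the original page; the function names and the MAX_PIN constant are choices made for this example, and the dump strings are copied from the page.

```python
# Added example: decode the PXA GPIO register dumps shown on this page.
MAX_PIN = 84  # the page lists GAFR2_U as covering AF80-84

# Dumps copied from the page; GAFRn is printed as GAFRn_U followed by GAFRn_L.
ANGEL = """GAFR0=591A801001001000 GAFR1=0005AAAA900A8451 GAFR2=00000002A0000000
GPDR0=D3F8B040 GPDR1=00FFA7C3 GPDR2=0001C000"""
CACKO = """GAFR0=0x5918801001001000 GAFR1=0x0005AAAA600A8451 GAFR2=0x00000002A0000000
GPDR0=0xD3F8B040 GPDR1=0x00FFAFC3 GPDR2=0x0001FFFC
GRER0=0x00000A12 GRER1=0xFC000000 GRER2=0x00000003
GFER0=0x00004A3A GFER1=0x00000000 GFER2=0x00000000"""


def parse_dump(text):
    """Turn 'NAME=HEX' tokens (0x prefix optional) into {name: int}."""
    regs = {}
    for token in text.split():
        name, sep, value = token.partition("=")
        if sep:
            regs[name] = int(value, 16)
    return regs


def alt_functions(regs):
    """Pin -> alternate function number (2 bits per pin, 32 pins per GAFRn)."""
    return {32 * n + i: (regs["GAFR%d" % n] >> (2 * i)) & 3
            for n in range(3) for i in range(32) if 32 * n + i <= MAX_PIN}


def set_pins(regs, prefix):
    """Pins whose bit is 1 in <prefix>0..2 (GPDR: output, GRER/GFER: edge enabled)."""
    return [32 * n + b for n in range(3) for b in range(32)
            if (regs["%s%d" % (prefix, n)] >> b) & 1 and 32 * n + b <= MAX_PIN]


def af_changes(before, after):
    """Pins whose alternate function differs: pin -> (before, after)."""
    a, b = alt_functions(before), alt_functions(after)
    return {pin: (a[pin], b[pin]) for pin in a if a[pin] != b[pin]}


def direction_changes(before, after):
    """Pins whose GPDR direction bit differs between two dumps."""
    return sorted(set(set_pins(before, "GPDR")) ^ set(set_pins(after, "GPDR")))


if __name__ == "__main__":
    angel, cacko = parse_dump(ANGEL), parse_dump(CACKO)
    print("AF changes (angel, cacko):", af_changes(angel, cacko))
    print("direction changes:", direction_changes(angel, cacko))
    print("rising edge enabled:", set_pins(cacko, "GRER"))
    print("falling edge enabled:", set_pins(cacko, "GFER"))
```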
NAND Diag
Fun fact: In the Zaurus NAND Diag Extra Menu, the "***DEMO***" item displays bitmaps from an SD-Card (also CF? untested). These have to be named SLIDE00.BMP, SLIDE01.BMP etc. Truecolor 480x640 bitmaps seem to work, others untested.
Sharp 'nandlogical' flash translation layer
The boot partition from 0x000000 to 0x6fffff is managed using the Sharp 'nandlogical' FTL. This FTL reserves 24 erase blocks for wear leveling, so the logical address space is only 0x000000 to 0x69ffff (flash erase block size is 0x4000, 24*0x4000 == 0x60000).