Zaurus

Contents

Zaurus C750

Angel remote debug interface (with CE-170TS cable)

Angel Debug Monitor for Collie Version 0.42 for SL-C700/5600
 : Serial/FIQ : MMU on, Caches enabled : Clock Switching on
1.20 (ARM Ltd  / Intel White Angel v208a) built on Feb 21 2003 at 12:41:06
,PpMc
(gdb) target rdi /dev/ttyUSB0
Could not open device "/dev/ttyUSB0"
(gdb) target rdi /dev/ttyS0  
Angel Debug Monitor for Collie Version 0.42 for SL-C700/5600
 : Serial/FIQ : MMU on, Caches enabled : Clock Switching on
1.20 (ARM Ltd  / Intel White Angel v208a) built on Feb 21 2003 at 12:41:06
 SerConnected to ARM RDI target.

Hello world example program:

static const char hello_world[] = "Hello World!\n";

void __attribute((naked)) _start(void) { asm(
"       mov r0, #0x04    /* Write0 */\n" \
"       ldr r1, =hello_world         \n" \
"       swi 0x123456                 \n" \
"       mov r0, #0x18    /* ReportException */\n" \
"       ldr r1, =0x20026 /* ADP_Stopped_ApplicationExit */\n" \
"       swi 0x123456"
); }

running with qemu-arm:

$ qemu-arm ./test
Hello World!

running with gdb on remote target:

$ gdb
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=arm-elf".
(gdb) target rdi /dev/ttyS0 115200
Angel Debug Monitor for Collie Version 0.42 for SL-C700/5600
 : Serial/FIQ : MMU on, Caches enabled : Clock Switching on
1.20 (ARM Ltd  / Intel White Angel v208a) built on Feb 21 2003 at 12:41:06
 SerConnected to ARM RDI target.
(gdb) load test
Loading section .text, size 0x20 lma 0x8074
Loading section .rodata, size 0x10 lma 0x8094
Start address 0x8074, load size 48
Transfer rate: 384 bits in <1 sec, 24 bytes/write.
(gdb) cont
Continuing.
Hello World!

Program exited normally.

PXA255 memory map

nCS0 
0x00000000 - 0x03ffffff (used for rom)
nCS1 
0x04000000 - 0x07ffffff (?)
nCS2 
0x08000000 - 0x0bffffff (used for w100)
nCS3 
0x0c000000 - 0x0fffffff (used for nand)
nCS4 
0x10000000 - 0x13ffffff (scoop @ 0x10800000)
nCS5 
0x14000000 - 0x17ffffff (?)
cf0  
0x20000000 - 0x2fffffff (pcmcia/cf)
cf1  
0x30000000 - 0x3fffffff (pcmcia/cf)
sdr0 
0xa0000000 - 0xa3ffffff (sdram bank 0)
sdr1 
0xa4000000 - 0xa7ffffff (sdram bank 1)
sdr2 
0xa8000000 - 0xabffffff (sdram bank 2)
sdr3 
0xac000000 - 0xafffffff (sdram bank 3)
regs 
0x40000000 - 0x4bffffff (memory mapped register)

Angel memory map

ROM is remapped to 0x04000000 - 0x07ffffff, SCOOP remapped at 0xd200000 - 0xd2010000, code loaded using gdb runs at beginning of logical address space, but memory is also mapped at it's physical location (except for the remapped rom/scoop).

virtual addresses:

scoop  
0xd2000000
nand cpld 
0xd4000000
rom  
0x04000000

MSC0

MSC0 
0x7ff01888
RBUFF0 
0 (slow device)
RRR0 
1 (recovery time 2 memclks)
RDN0 
8 (rom delay next access 9 memclks)
RDF0 
8 (rom delay first access 9 memclks)
RBW0 
1 (rom bus width 16 bits)
RT0  
0 (nonburst rom or flash)
RBUFF1 
0
RRR1 
7 (14 memclks)
RDN1 
15 (16 memclks)
RDF1 
15 (16 memclks)
RBW1 
0 (32 bits)
RT1  
0 (nonburst rom or flash)

MSC1

MSC1 
0x1244123C
RBUFF2 
0 (slow)
RRR2 
1
RDN2 
2
RDF2 
3
RBW2 
1 (16 bits)
RT2  
4 (variable latency io)
RBUFF3 
0 (slow)
RRR3 
1
RDN3 
2
RDF3 
4
RBW3 
0 (32 bits)
RT3  
4 (variable latency io)

MSC2

MSC2 
0x7ff012f4
RBUFF4 
0 (slow)
RRR4 
1
RDN4 
2
RDF4 
15
RBW4 
0 (32 bits)
RT4  
4 (variable latency io)

Memory

NAND interface CPLD

Registers (all 8bit)

0x0c000000 
ECCLPLB (line parity bit 7-0)
0x0c000004 
ECCLPUB (line parity bit 15-8)
0x0c000008 
ECCCP (column parity bit 5-0)
0x0c00000c 
ECCCNTR (ecc byte counter)
0x0c000010 
ECCCLRR (ecc clear)
0x0c000014 
FLASHIO (read/write from flash)
0x0c000018 
FLASHCTL (flash control signals)
bit0 => FLCE0 (chip enable 0)
bit1 => FLCLE (column latch enable)
bit2 => FLALE (address latch enable)
bit3 => FLWP (write protect)
bit4 => FLCE1 (chip enable 1)
bit5 => FLRYBY (readybusy)

Note: Experiments showed that the NAND-Flash CE is connected to CE0, but the 2.4 sharp_sl Linux driver always turns on CE0 _and_ CE1. If the CPLD does indeed feature a CE1 out and this is accessible on the board, it should be possible to add a second NAND Flash chip on top of the old one:

Trying to read id from Flash on CE0
Got maker=98 device=76
Trying to read id from Flash on CE1
Got maker=00 device=00

CE1 is available on a testpad (tested using a kernel module toggling CE0 and CE1+GreenLED alternatingly every second):

          TP6
            TP5
          TP4
---------   TP3
|Xilinx | TP2
|CPLD   |   TP1
|       |
---------


TP1 => CE0
TP2 => CE1! (unused?)
TP3 => /WP
TP4 => /WE
TP5 => ALE
TP6 => CLE

The C750 P2ROM has two seperate functions for changing ce0 and for changing ce1 state:

loc_404AD28_nand_cpld_ctl_ce0
                MOVL    R1, 0xD4000018
                CMP     R0, #1
                BNE     loc_404AD48
                LDR     R0, [R1]
                BIC     R0, R0, #1
                STR     R0, [R1]
                B       locret_404AD54
loc_404AD48
                LDR     R0, [R1]
                ORR     R0, R0, #1
                STR     R0, [R1] 
locret_404AD54
                RET
loc_404AD58_nand_cpld_ctl_ce1
                MOVL    R1, 0xD4000018
                CMP     R0, #1
                BNE     loc_404AD78
                LDR     R0, [R1]
                BIC     R0, R0, #0x10
                STR     R0, [R1]
                B       locret_404AD84
loc_404AD78
                LDR     R0, [R1]
                ORR     R0, R0, #0x10
                STR     R0, [R1]
locret_404AD84
                RET

The nand functions I looked at used only the function for ce0.

SCOOP GPIO

gpio directions

GPCR 
0x03F2 => 0000001111110010
PA10,12,13,20-22 input
PA11,14-19 output

gpio map

nGPIO Direction Name Function
PA10 in ? ?
PA11 out green led green (email) led
PA12 in switch A display backlight on/off (1 = clamshell closed and display facing keyboard; 0 = clamshell open or display facing outwards)
PA13 in switch B display rotation sense (0 = clamshell open; 1 = old pda style)
PA14 out mute_l audio mute left
PA15 out mute_r audio mute right
PA16 out akin_pullup for audio remote control (RC timing to measure button resistor value)
PA17 out apm_on ?
PA18 out backlight_cont ?
PA19 out mic_bias maybe controls phantom power for electret microphone?

PXA GPIO

gpio map

nGPIO Direction Edge detect Function Comment
0 in no Key pressed low-active
1 in both external power active high-active
2 in high ATI Imageon W100 interrupt pin high-active

pxa gpios from include/asm-arm/arch-pxa/poodle.h

GP0 
Key pressed
GP1 
AC in
GP4 
HP_IN ???
GP5 
touch pad
GP6 
SD_CLK
GP7 
SD_WP
GP8 
SD_INT
GP9 
SD_DETECT
GP10 
GA_INT
GP11 
wakeup ('change battery')
GP13 
battery low / battery cover
GP14 
CF_CD / CF_STSCHG
GP15 
removcon_int
GP16 
CO / chrg_full
GP17 
CF_IRQ
GP21 
ADC_TEMP_ON
GP22 
IR_ON
GP33 
SD_PWR
GP36 
bypass_on
GP38 
charge_on

Alternate Function Configuration

When running angel debug monitor:

pxa gpio reg dump:
GAFR0=591A801001001000 GAFR1=0005AAAA900A8451 GAFR2=00000002A0000000
GPLR0=8D5F5829 GPLR1=03FF43BC GPLR2=00C1C000
GPDR0=D3F8B040 GPDR1=00FFA7C3 GPDR2=0001C000
GRER0=00000000 GRER1=00000000 GRER2=00000000
GFER0=00000000 GFER1=00000000 GFER2=00000000
GEDR0=00000000 GEDR1=00000000 GEDR2=00000000

When running cacko 2.4.18:

GAFR0=0x5918801001001000 GAFR1=0x0005AAAA600A8451 GAFR2=0x00000002A0000000 
GPLR0=0x8D5E6D2B GPLR1=0x03BFFB96 GPLR2=0x01C1FFFC 
GPDR0=0xD3F8B040 GPDR1=0x00FFAFC3 GPDR2=0x0001FFFC 
GRER0=0x00000A12 GRER1=0xFC000000 GRER2=0x00000003 
GFER0=0x00004A3A GFER1=0x00000000 GFER2=0x00000000 
GEDR0=0x00000000 GEDR1=0x00000000 GEDR2=0x00000000 
GAFR0_L 
0x01001000 => 0001000001000000 (Bit 0+1 == AF0)
GP0-5,GP7-11,GP13-15 => GPIO
GP6 => MMCCLK
GP12 => 32kHz out
GAFR0_U 
0x59188010 => 1121012020000100 (Bit 0+1 == AF16)
GP18 => Ext. Bus Ready
GP23 => SSP clock
GP25 => SSP transmit
GP26 => SSP receive
GP28 => AC97 bit_clk (in) / I2S bit_clk (out)
GP29 => I2S Sdata_in
GP30 => I2S Sdata_out
GP31 => I2S sync
GAFR1_L 
0x600A8451 => 1200002220101101 (AF32-47)
GP32 => AC97 Sdata_in1 (in) / I2C sysclk (out)
GP34 => FFUART receive
GP35 => FFUART cts
GP37 => FFUART dsr
GP39 => FFUART txd
GP40 => FFUART dtr
GP41 => FFUART rts
GP46 => STD_UART receive data
GP47 => STD_UART transmit data
GAFR1_U 
0x0005AAAA => 0000001122222222 (AF48-63)
GP48 => OE for Card Space
GP49 => WE for Card Space
GP50 => IORE for CS
GP51 => IOWE for CS
GP52 => Card Enable 1 for CS
GP53 => Card Enable 2 for CS
GP54 => Socket Select for CS
GP55 => Card Address bit 26
GP56 => Wait signal for CS
GP57 => Bus Width select for IO Card Space
GAFR2_L 
0xA0000000 => 2200000000000000 (AF64-79)
GP78 => Active low chip select 2
GP79 => Active low chip select 3
GAFR2_U 
0x00000002 => 0000000000000002 (AF80-84)
GP80 => Active low chip select 4

GPIO direction

0 == input, 1 == output

GPDR0 
0xD3F8B040 => 11010011111110001011000001000000 (PD31-PD0)
GP0-5,7-11,14,16-18,26,27,29 input
GP6,12-13,15,19-25,30,31 output
GPDR1 
0x00FFAFC3 => 00000000111111111010111111000011 (PD63-PD32)
GP34-37,44,46,56-63 input
GP32,33,38-43,45,47-55 output
GPDR2 
0x0001FFFC => 00000000000000011111111111111100 (PD80-PD64)
GP64,65 input
GP66-80 output

GPIO edge detect

0 == disable, 1 == enable

rising edge

GRER0 
0x00000A12 => 00000000000000000000101000010010
GRER1 
0xFC000000 => 11111100000000000000000000000000
GRER2 
0x00000003 => 00000000000000000000000000000011
GP1,4,9,11,58-65 enable

falling edge

GFER0 
0x00004A3A => 00000000000000000100101000111010
GFER1 
0x00000000 => 00000000000000000000000000000000
GFER2 
0x00000000 => 00000000000000000000000000000000
GP1,3-5,9,11,14 enable

NAND Diag

Fun fact: In the Zaurus NAND Diag Extra Menu, the "***DEMO***" item displays bitmaps from an SD-Card (also CF? untested). These have to be named SLIDE00.BMP, SLIDE01.BMP etc. Truecolor 480x640 bitmaps seem to work, others untested.

Sharp 'nandlogical' flash translation layer

The boot partition from 0x000000 to 0x6fffff is managed using the Sharp 'nandlogical' FTL. This FTL reserves 24 erase blocks for wear leveling (so the logical address space is only 0x000000 to 0x69ffff. Flash erase block size is 0x4000, 24*0x4000 == 0x60000).