note: the Cortina CS3516 datasheet is not publicly available. All informations provided here are from observation and reverse-engineering, i.e only suppositions.

====== CORTINA ======

ASIC Gemini CPU from Storlink, the SL3516 /CS3516
  * ARM based micro-controller (V4 harden macro FA526 from Faraday)
  * AHB/APB BUS
     * PCI BUS -> interrupts?
     * WATCHDOG
     * UART
     * TIMER
     * LCD
     * RTC
     * SATA
     * LPC
     * INTERRUPT
     * SSP
     * POWER
     * CIR
     * GPIO

===== Memory Map =====

| GEMINI_FLASH_BASE | 0x30000000 |
| GEMINI_GLOBAL_BASE | 0x40000000 |
| GEMINI_WATCHDOG_BASE | 0x41000000 |
| GEMINI_UART_BASE | 0x42000000 |
| GEMINI_TIMER_BASE | 0x43000000 |
| GEMINI_LCD_BASE | 0x44000000 |
| GEMINI_RTC_BASE | 0x45000000 |
| GEMINI_SATA_BASE | 0x46000000 |
| GEMINI_LPC_HOST_BASE | 0x47000000 |
| GEMINI_LPC_IO_BASE | 0x47800000 |
| GEMINI_INTERRUPT_BASE | 0x48000000 |
| GEMINI_SSP_CTRL_BASE | 0x4A000000 |
| GEMINI_POWER_CTRL_BASE | 0x4B000000 |
| GEMINI_CIR_BASE | 0x4C000000 |
| GEMINI_GPIO_BASE(x) | (0x4D000000 + (x) * 0x1000000) |
| GEMINI_PCI_IO_BASE | 0x50000000 |
| GEMINI_PCI_MEM_BASE | 0x58000000 |
| GEMINI_TOE_BASE | 0x60000000 |
| GEMINI_GMAC0_BASE | 0x6000A000 |
| GEMINI_GMAC1_BASE | 0x6000E000 |
| GEMINI_SECURITY_BASE | 0x62000000 |
| GEMINI_IDE0_BASE | 0x63000000 |
| GEMINI_IDE1_BASE | 0x63400000 |
| GEMINI_RAID_BASE | 0x64000000 |
| GEMINI_FLASH_CTRL_BASE | 0x65000000 |
| GEMINI_DRAM_CTRL_BASE | 0x66000000 |
| GEMINI_GENERAL_DMA_BASE | 0x67000000 |
| GEMINI_USB0_BASE | 0x68000000 |
| GEMINI_USB1_BASE | 0x69000000 |
| GEMINI_BIG_ENDIAN_BASE | 0x80000000 |
| GEMINI_TIMER1_BASE	 | GEMINI_TIMER_BASE |
| GEMINI_TIMER2_BASE	 | (GEMINI_TIMER_BASE + 0x10) |
| GEMINI_TIMER3_BASE	 | (GEMINI_TIMER_BASE + 0x20) |

===== IRQs =====

| IRQ_SERIRQ1 | 31 |
| IRQ_SERIRQ0 | 30 |
| IRQ_PCID | 29 |
| IRQ_PCIC | 28 |
| IRQ_PCIB | 27 |
| IRQ_PWR | 26 |
| IRQ_CIR | 25 |
| IRQ_GPIO(x) | (22 + (x)) |
| IRQ_SSP | 21 |
| IRQ_LPC | 20 |
| IRQ_LCD | 19 |
| IRQ_UART | 18 |
| IRQ_RTC | 17 |
| IRQ_TIMER3 | 16 |
| IRQ_TIMER2 | 15 |
| IRQ_TIMER1 | 14 |
| IRQ_FLASH | 12 |
| IRQ_USB1 | 11 |
| IRQ_USB0 | 10 |
| IRQ_DMA | 9 |
| IRQ_PCI | 8 |
| IRQ_IPSEC | 7 |
| IRQ_RAID | 6 |
| IRQ_IDE1 | 5 |
| IRQ_IDE0 | 4 |
| IRQ_WATCHDOG | 3 |
| IRQ_GMAC1 | 2 |
| IRQ_GMAC0 | 1 |
| IRQ_IPI | 0 |

note: all infomations provided here are from observation and reverse-engineering, i.e only suppositions

====== FARADAY ======
  * ARM V4 based micro-controller macro FA526

  * openocd was used to break the arm at boot and make a memory dump

dumped memory is already an elf

TODO: 4 bytes PC counter in openocd needs fix for target FA526

<code>
arm-objcopy -I binary -O elf32-littlearm -B arm\
--rename-section .data=.text,readonly,code,load,contents,alloc\
--redefine-sym _binary_cs3516_0x_bin_start=main\
--redefine-sym _binary_cs3516_0x_bin_end=_end\
--redefine-sym _binary_cs3516_0x_bin_size=_size cs3516_0x.bin\
bootrom.elf

arm-objdump -x bootrom.elf 

arm-objdump -m arm -D bootrom.elf > bootrom.s
</code>
==== various notes ====

=== openocd.git  ===
<code>
git clone git://openocd.git.sourceforge.net/gitroot/openocd/openocd openocd.git
cd openocd.git
./bootstrap 
./configure --enable-maintainer-mode --enable-parport --enable-ft2232_libftdi 
make
</code>
=== openocd  ===
grab 0.2 source from http://developer.berlios.de/projects/openocd
<code>
wget http://download.berlios.de/openocd/openocd-0.4.0.tar.bz2
tar xjvf openocd-0.4.0.tar.bz2
cd openocd-0.4.0/
./configure --enable-parport; make; sudo make install
</code>

openocd -f openocd_920.cfg 
<code>
Open On-Chip Debugger 0.4.0 (2010-07-31-15:56)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.berlios.de/doc/doxygen/bugs.html
parport port = 0x0
trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain
dcc downloads are enabled
Info : clock speed 500 kHz
Info : JTAG tap: cs351x.cpu tap/device found: 0x00526fa1 (mfg: 0x7d0, part: 0x0526, ver: 0x0)
Info : Embedded ICE version 2
Info : cs351x.cpu: hardware has 2 breakpoint/watchpoint units
</code>
telnet localhost 4444
<code>
reset run
halt
resume
</code>
=== insight ===

grab insight-6.8-1.tar.bz2 from http://sourceware.org/insight/downloads.php
<code>
./configure   --program-prefix=arm- --target=arm-elf --disable-werror
make -j2
make install
arm-insight arch/arm/boot/compressed/vmlinux</code> 
'File | Target Settings', set the Connections to: 'Target: Remote/TCP', 'Hostname: localhost' and 'Port: 3333'

* arm reset from insight gdb console : 'monitor reset' or monitor 'soft_reset_halt'
=== gdb ===
<code>
(gdb) target remote myhost:3333
(gdb) mon targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0* cs351x.cpu         fa526      little cs351x.cpu         halted
(gdb) x/128 0x68000000
0x68000000:	0x01000010	0x00000001	0x00000006	0x00000000
0x68000010:	0x00080b00	0x00001000	0x00000000	0x00000000
...................
</code>

=== Jtag ===
wriggler with nRST asserted: pull up pin 13 of 74hc244 to open the circuit