note: the Cortina CS3516 datasheet is not publicly available. All informations provided here are from observation and reverse-engineering, i.e only suppositions.

CORTINA

ASIC Gemini CPU from Storlink, the SL3516 /CS3516

  • ARM based micro-controller (V4 harden macro FA526 from Faraday)
  • AHB/APB BUS
    • PCI BUS → interrupts?
    • WATCHDOG
    • UART
    • TIMER
    • LCD
    • RTC
    • SATA
    • LPC
    • INTERRUPT
    • SSP
    • POWER
    • CIR
    • GPIO

Memory Map

GEMINI_FLASH_BASE 0x30000000
GEMINI_GLOBAL_BASE 0x40000000
GEMINI_WATCHDOG_BASE 0x41000000
GEMINI_UART_BASE 0x42000000
GEMINI_TIMER_BASE 0x43000000
GEMINI_LCD_BASE 0x44000000
GEMINI_RTC_BASE 0x45000000
GEMINI_SATA_BASE 0x46000000
GEMINI_LPC_HOST_BASE 0x47000000
GEMINI_LPC_IO_BASE 0x47800000
GEMINI_INTERRUPT_BASE 0x48000000
GEMINI_SSP_CTRL_BASE 0x4A000000
GEMINI_POWER_CTRL_BASE 0x4B000000
GEMINI_CIR_BASE 0x4C000000
GEMINI_GPIO_BASE(x) (0x4D000000 + (x) * 0x1000000)
GEMINI_PCI_IO_BASE 0x50000000
GEMINI_PCI_MEM_BASE 0x58000000
GEMINI_TOE_BASE 0x60000000
GEMINI_GMAC0_BASE 0x6000A000
GEMINI_GMAC1_BASE 0x6000E000
GEMINI_SECURITY_BASE 0x62000000
GEMINI_IDE0_BASE 0x63000000
GEMINI_IDE1_BASE 0x63400000
GEMINI_RAID_BASE 0x64000000
GEMINI_FLASH_CTRL_BASE 0x65000000
GEMINI_DRAM_CTRL_BASE 0x66000000
GEMINI_GENERAL_DMA_BASE 0x67000000
GEMINI_USB0_BASE 0x68000000
GEMINI_USB1_BASE 0x69000000
GEMINI_BIG_ENDIAN_BASE 0x80000000
GEMINI_TIMER1_BASE GEMINI_TIMER_BASE
GEMINI_TIMER2_BASE (GEMINI_TIMER_BASE + 0x10)
GEMINI_TIMER3_BASE (GEMINI_TIMER_BASE + 0x20)

IRQs

IRQ_SERIRQ1 31
IRQ_SERIRQ0 30
IRQ_PCID 29
IRQ_PCIC 28
IRQ_PCIB 27
IRQ_PWR 26
IRQ_CIR 25
IRQ_GPIO(x) (22 + (x))
IRQ_SSP 21
IRQ_LPC 20
IRQ_LCD 19
IRQ_UART 18
IRQ_RTC 17
IRQ_TIMER3 16
IRQ_TIMER2 15
IRQ_TIMER1 14
IRQ_FLASH 12
IRQ_USB1 11
IRQ_USB0 10
IRQ_DMA 9
IRQ_PCI 8
IRQ_IPSEC 7
IRQ_RAID 6
IRQ_IDE1 5
IRQ_IDE0 4
IRQ_WATCHDOG 3
IRQ_GMAC1 2
IRQ_GMAC0 1
IRQ_IPI 0

note: all infomations provided here are from observation and reverse-engineering, i.e only suppositions

FARADAY

  • ARM V4 based micro-controller macro FA526
  • openocd was used to break the arm at boot and make a memory dump

dumped memory is already an elf

TODO: 4 bytes PC counter in openocd needs fix for target FA526

arm-objcopy -I binary -O elf32-littlearm -B arm\
--rename-section .data=.text,readonly,code,load,contents,alloc\
--redefine-sym _binary_cs3516_0x_bin_start=main\
--redefine-sym _binary_cs3516_0x_bin_end=_end\
--redefine-sym _binary_cs3516_0x_bin_size=_size cs3516_0x.bin\
bootrom.elf

arm-objdump -x bootrom.elf 

arm-objdump -m arm -D bootrom.elf > bootrom.s

various notes

openocd.git

git clone git://openocd.git.sourceforge.net/gitroot/openocd/openocd openocd.git
cd openocd.git
./bootstrap 
./configure --enable-maintainer-mode --enable-parport --enable-ft2232_libftdi 
make

openocd

grab 0.2 source from http://developer.berlios.de/projects/openocd

wget http://download.berlios.de/openocd/openocd-0.4.0.tar.bz2
tar xjvf openocd-0.4.0.tar.bz2
cd openocd-0.4.0/
./configure --enable-parport; make; sudo make install

openocd -f openocd_920.cfg

Open On-Chip Debugger 0.4.0 (2010-07-31-15:56)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.berlios.de/doc/doxygen/bugs.html
parport port = 0x0
trst_and_srst separate srst_gates_jtag trst_push_pull srst_open_drain
dcc downloads are enabled
Info : clock speed 500 kHz
Info : JTAG tap: cs351x.cpu tap/device found: 0x00526fa1 (mfg: 0x7d0, part: 0x0526, ver: 0x0)
Info : Embedded ICE version 2
Info : cs351x.cpu: hardware has 2 breakpoint/watchpoint units

telnet localhost 4444

reset run
halt
resume

insight

grab insight-6.8-1.tar.bz2 from http://sourceware.org/insight/downloads.php

./configure   --program-prefix=arm- --target=arm-elf --disable-werror
make -j2
make install
arm-insight arch/arm/boot/compressed/vmlinux

'File | Target Settings', set the Connections to: 'Target: Remote/TCP', 'Hostname: localhost' and 'Port: 3333'

* arm reset from insight gdb console : 'monitor reset' or monitor 'soft_reset_halt'

gdb

(gdb) target remote myhost:3333
(gdb) mon targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0* cs351x.cpu         fa526      little cs351x.cpu         halted
(gdb) x/128 0x68000000
0x68000000:	0x01000010	0x00000001	0x00000006	0x00000000
0x68000010:	0x00080b00	0x00001000	0x00000000	0x00000000
...................

Jtag

wriggler with nRST asserted: pull up pin 13 of 74hc244 to open the circuit

 
Back to top
cortina.txt · Last modified: 2012/02/20 23:14 (external edit)
 
 
chimeric.de = chi`s home Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0