• State Resolved
  • Locked Locked
  • Replies 4 replies
  • Subscribers 98 subscribers
  • Views 368 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

ROM Bootloader on DM6437 AIS question

Carl Allendorph
Prodigy 170 points

Hello,

I'm reading the Application Report SPRAAG0D "Using the TMS320DM643x Bootloader" and I have a question about the way the bootloader handles CRCs.

On page 27, it talks about the Request CRC Command. The REQ CRC command consists of the opcode, a CRC value, and a SEEK value. It says the SEEK value is "to be interpreted as a negative number and should be added to the current address in AIS."

So does this mean that bootloader subtracts the SEEK value from the current address. Or is the SEEK value encoded in 2's complement and added to the current address.

Is there a max value that the SEEK value can be? Can it be the full 32-bit range?

What I am trying to do is setup a bootloader that lets me jump to an alternate firmware image if there is a CRC error. Basically, I want to use the REQ CRC command as a jump if  CRC!=0. My AIS sequence looks like this (I have enabled the CRC at an earlier point):

0x58535908     # Startover    --- Starting Address is 0x1000

0x58535902     #  Request CRC

0x000000FF     #  Actual CRC should be 0x00000000, but I want to jump so I prog differently

0x00000FA4    # I want to jump to 0x2000

I am programming a STARTOVER command, a REQ CRC command, and then a 0x000000FF as the CRC. THis in theory, should make the AIS use the SEEK value to jump to a location of my choosing in the flash image space.

Does the SEEK need to be referenced from the REQ CRC OPcode or the address of the SEEK value?

Anyone have any thoughts on this ?

 

 

 

  • 0
    Prodigy 170 points

    Is this the proper forum to post this question?

    Thanks,

    ~C

  • 0
    Prodigy 170 points

    It seems that the SEEK value must be referenced from the Request CRC command. The value seems to be encoded in 2's complement and added to the address of the Request CRC command. However, I still can't get the DSP's ROM bootloader to jump to the location I want.

    Anybody have any ideas? Does the bootloader in the ROM only allow jumping back, not jumping forward?

    If anyone is interested, this is how I am programming the first few bytes of the flash:

    #define AIS_CMD_SECTLOAD     0x58535901
    #define AIS_CMD_REQCRC        0x58535902
    #define AIS_CMD_ENCRC        0x58535903
    #define AIS_CMD_DISCRC        0x58535904
    #define AIS_CMD_JUMP        0x58535905
    #define AIS_CMD_JUMPCLOSE    0x58535906
    #define AIS_CMD_SET         0x58535907
    #define AIS_CMD_STARTOVER    0x58535908
    #define AIS_CMD_SECTFILL    0x5853590A
    #define AIS_CMD_GET            0x5853590C
    #define AIS_CMD_EXECFUNC    0x5853590D

    const int MBR[] = {0x00000003,    // 24-bit SPI mode setup word
        0x41504954,  // AIS Script Magic Word
        AIS_CMD_EXECFUNC,  //Function Execute Command
        0x00030000,  //   Selects PLL configuration function, with 3 arguments
        0x00000015,  //   PLLM value
        0x00000000,  //   PLLDIV 0
        0x00000000,  //   Clock source
        AIS_CMD_EXECFUNC,  //Function Execute Command
        0x00090002,  //   Selects DDR memory configuration, with 9 arguments
        0x00000017,  //   DDR PLLM
        0x00000001,  //   PLL SRC
        0x0000000B,  //   DDR CLLK DIV
        0x00000000,  //   VBPE CLK DIV
        0x50006405,  //   DDR Control register mask
        0x00138832,  //   SDRAM Config register mask
        0x28923211,  //   SDRAM Timer 0 register mask
        0x0016C722,  //   SDRAM Timer 1 register mask
        0x000004EF,  //   SDRAM Refresh control register mask
        AIS_CMD_ENCRC,    // Enable the CRC Check to make a jump
        AIS_CMD_STARTOVER,    // Reset the CRC to 0
        AIS_CMD_REQCRC,  // Request the CRC to start the JUMP
        0x000000FF,    //    This is the expected CRC is 0x00000000, so we use any other value to make the jump
        JUMPSECT_BASE-0x50  //     This is the relative address that will be added to the current address, 0x1000 - 0x50
    };

  • 0
    Prodigy 170 points

    Alright, so I figured out why this doesn't work. First, as Bernie pointed out, the startover command does more than the bootloader app note lets on. It actually restarts the entire boot process. Second, the documentation for the Request CRC function is completely wrong for the dm6437. The REQ CRC's seek value is actually added to address of the word directly after the SEEK. So the address that it jumps to is actually (&SEEK + 4) + SEEK, where the & is the c operator for the address. Here is an example that actually works for the dm6437 - I can't speak for any of the other devices in this line. 

    Notice that the SEEK value is 0x2FA8, and the address I want to jump to 0x3000. This means the jump originates from 0x58, not from 0x4C like the documentation suggests.

     

    Addr (Hex)          Data (Hex)

    "000000000  03 00 00 00 54 49 50 41-0D 59 53 58 00 00 03 00

    "000000010  15 00 00 00 00 00 00 00-00 00 00 00 0D 59 53 58

    "000000020  02 00 09 00 17 00 00 00-01 00 00 00 0B 00 00 00

    "000000030  00 00 00 00 05 64 00 50-32 88 13 00 11 32 92 28

    "000000040  22 C7 16 00 EF 04 00 00-03 59 53 58 02 59 53 58

    "000000050  FF 00 00 00 A8 2F 00 00-00 00 00 00 FF FF FF FF

     

    My Firmware Space

    "000003000  01 59 53 58 54 1B B6 83-0C 00 00 00 34 10 B6 83

    "000003010  10 06 B6 83 00 00 00 00-01 59 53 58 B8 39 B6 83

    Etc…

     

     

  • 0 in reply to Carl Allendorph
    TI__Mastermind 41665 points

    Thank you for posting your solution! I did not even catch that this thread was on here.

    It does look like the SEEK will go off of the address after the SEEK value itself, I apologize for not catching this previously, this seems to be a bug/feature of the RBL, at least for SPI boot (I think NAND as well but I have not really dug into that code). What is happening is every time the AIS interpreter code reads a value from SPI the pointer it uses to read the value gets updated, the same pointer that you are adding the SEEK value to (!). I did not catch this previously because I was only looking at the AIS code and what it does with SEEK, which does not actually increment the pointer so it looks like you would be offsetting from the command as opposed to the value after the SEEK. So the AIS interpreter reads the SEEK value and by doing so moves the pointer ahead to the next word, thus when you add the SEEK value you are offsetting from the word after the SEEK value. The documentation is not very obvious that this is the case, it elludes to it by saying 'current address in AIS' which happens to be the address following the SEEK value. I intend to get this clarified in the documentation, as you suggest this may apply to other parts as well.