2 * Copyright © 2001 Stephen Williams (steve@icarus.com)
3 * Copyright © 2001-2002 David Brownell (dbrownell@users.sourceforge.net)
4 * Copyright © 2008 Roger Williams (rawqux@users.sourceforge.net)
5 * Copyright © 2012 Pete Batard (pete@akeo.ie)
6 * Copyright © 2013 Federico Manzan (f.manzan@gmail.com)
8 * This source code is free software; you can redistribute it
9 * and/or modify it in source code form under the terms of the GNU
10 * General Public License as published by the Free Software
11 * Foundation; either version 2 of the License, or (at your option)
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
32 extern void logerror(const char *format
, ...)
33 __attribute__ ((format(printf
, 1, 2)));
36 * This file contains functions for uploading firmware into Cypress
37 * EZ-USB microcontrollers. These chips use control endpoint 0 and vendor
38 * specific commands to support writing into the on-chip SRAM. They also
39 * support writing into the CPUCS register, which is how we reset the
40 * processor after loading firmware (including the reset vector).
42 * These Cypress devices are 8-bit 8051 based microcontrollers with
43 * special support for USB I/O. They come in several packages, and
44 * some can be set up with external memory when device costs allow.
45 * Note that the design was originally by AnchorChips, so you may find
46 * references to that vendor (which was later merged into Cypress).
47 * The Cypress FX parts are largely compatible with the Anchorhip ones.
53 * return true if [addr,addr+len] includes external RAM
54 * for Anchorchips EZ-USB or Cypress EZ-USB FX
56 static bool fx_is_external(uint32_t addr
, size_t len
)
58 /* with 8KB RAM, 0x0000-0x1b3f can be written
59 * we can't tell if it's a 4KB device here
62 return ((addr
+ len
) > 0x1b40);
64 /* there may be more RAM; unclear if we can write it.
65 * some bulk buffers may be unused, 0x1b3f-0x1f3f
66 * firmware can set ISODISAB for 2KB at 0x2000-0x27ff
72 * return true if [addr,addr+len] includes external RAM
73 * for Cypress EZ-USB FX2
75 static bool fx2_is_external(uint32_t addr
, size_t len
)
77 /* 1st 8KB for data/code, 0x0000-0x1fff */
79 return ((addr
+ len
) > 0x2000);
81 /* and 512 for data, 0xe000-0xe1ff */
82 else if (addr
>= 0xe000 && addr
<= 0xe1ff)
83 return ((addr
+ len
) > 0xe200);
85 /* otherwise, it's certainly external */
91 * return true if [addr,addr+len] includes external RAM
92 * for Cypress EZ-USB FX2LP
94 static bool fx2lp_is_external(uint32_t addr
, size_t len
)
96 /* 1st 16KB for data/code, 0x0000-0x3fff */
98 return ((addr
+ len
) > 0x4000);
100 /* and 512 for data, 0xe000-0xe1ff */
101 else if (addr
>= 0xe000 && addr
<= 0xe1ff)
102 return ((addr
+ len
) > 0xe200);
104 /* otherwise, it's certainly external */
110 /*****************************************************************************/
113 * These are the requests (bRequest) that the bootstrap loader is expected
114 * to recognize. The codes are reserved by Cypress, and these values match
115 * what EZ-USB hardware, or "Vend_Ax" firmware (2nd stage loader) uses.
116 * Cypress' "a3load" is nice because it supports both FX and FX2, although
117 * it doesn't have the EEPROM support (subset of "Vend_Ax").
119 #define RW_INTERNAL 0xA0 /* hardware implements this one */
120 #define RW_MEMORY 0xA3
123 * Issues the specified vendor-specific write request.
125 static int ezusb_write(libusb_device_handle
*device
, const char *label
,
126 uint8_t opcode
, uint32_t addr
, const unsigned char *data
, size_t len
)
131 logerror("%s, addr 0x%08x len %4u (0x%04x)\n", label
, addr
, (unsigned)len
, (unsigned)len
);
132 status
= libusb_control_transfer(device
,
133 LIBUSB_ENDPOINT_OUT
| LIBUSB_REQUEST_TYPE_VENDOR
| LIBUSB_RECIPIENT_DEVICE
,
134 opcode
, addr
& 0xFFFF, addr
>> 16,
135 (unsigned char*)data
, (uint16_t)len
, 1000);
138 logerror("%s: %s\n", label
, libusb_error_name(status
));
140 logerror("%s ==> %d\n", label
, status
);
142 return (status
< 0) ? -EIO
: 0;
146 * Issues the specified vendor-specific read request.
148 static int ezusb_read(libusb_device_handle
*device
, const char *label
,
149 uint8_t opcode
, uint32_t addr
, const unsigned char *data
, size_t len
)
154 logerror("%s, addr 0x%08x len %4u (0x%04x)\n", label
, addr
, (unsigned)len
, (unsigned)len
);
155 status
= libusb_control_transfer(device
,
156 LIBUSB_ENDPOINT_IN
| LIBUSB_REQUEST_TYPE_VENDOR
| LIBUSB_RECIPIENT_DEVICE
,
157 opcode
, addr
& 0xFFFF, addr
>> 16,
158 (unsigned char*)data
, (uint16_t)len
, 1000);
161 logerror("%s: %s\n", label
, libusb_error_name(status
));
163 logerror("%s ==> %d\n", label
, status
);
165 return (status
< 0) ? -EIO
: 0;
169 * Modifies the CPUCS register to stop or reset the CPU.
170 * Returns false on error.
172 static bool ezusb_cpucs(libusb_device_handle
*device
, uint32_t addr
, bool doRun
)
175 uint8_t data
= doRun
? 0x00 : 0x01;
178 logerror("%s\n", data
? "stop CPU" : "reset CPU");
179 status
= libusb_control_transfer(device
,
180 LIBUSB_ENDPOINT_OUT
| LIBUSB_REQUEST_TYPE_VENDOR
| LIBUSB_RECIPIENT_DEVICE
,
181 RW_INTERNAL
, addr
& 0xFFFF, addr
>> 16,
184 /* We may get an I/O error from libusbx as the device disappears */
185 ((!doRun
) || (status
!= LIBUSB_ERROR_IO
)))
187 const char *mesg
= "can't modify CPUCS";
189 logerror("%s: %s\n", mesg
, libusb_error_name(status
));
191 logerror("%s\n", mesg
);
198 * Send an FX3 jumpt to address command
199 * Returns false on error.
201 static bool ezusb_fx3_jump(libusb_device_handle
*device
, uint32_t addr
)
206 logerror("transfer execution to Program Entry at 0x%08x\n", addr
);
207 status
= libusb_control_transfer(device
,
208 LIBUSB_ENDPOINT_OUT
| LIBUSB_REQUEST_TYPE_VENDOR
| LIBUSB_RECIPIENT_DEVICE
,
209 RW_INTERNAL
, addr
& 0xFFFF, addr
>> 16,
211 /* We may get an I/O error from libusbx as the device disappears */
212 if ((status
!= 0) && (status
!= LIBUSB_ERROR_IO
))
214 const char *mesg
= "failed to send jump command";
216 logerror("%s: %s\n", mesg
, libusb_error_name(status
));
218 logerror("%s\n", mesg
);
224 /*****************************************************************************/
227 * Parse an Intel HEX image file and invoke the poke() function on the
228 * various segments to implement policies such as writing to RAM (with
229 * a one or two stage loader setup, depending on the firmware) or to
230 * EEPROM (two stages required).
232 * image - the hex image file
233 * context - for use by poke()
234 * is_external - if non-null, used to check which segments go into
235 * external memory (writable only by software loader)
236 * poke - called with each memory segment; errors indicated
237 * by returning negative values.
239 * Caller is responsible for halting CPU as needed, such as when
240 * overwriting a second stage loader.
242 static int parse_ihex(FILE *image
, void *context
,
243 bool (*is_external
)(uint32_t addr
, size_t len
),
244 int (*poke
) (void *context
, uint32_t addr
, bool external
,
245 const unsigned char *data
, size_t len
))
247 unsigned char data
[1023];
248 uint32_t data_addr
= 0;
252 bool external
= false;
254 /* Read the input file as an IHEX file, and report the memory segments
255 * as we go. Each line holds a max of 16 bytes, but uploading is
256 * faster (and EEPROM space smaller) if we merge those lines into larger
257 * chunks. Most hex files keep memory segments together, which makes
258 * such merging all but free. (But it may still be worth sorting the
259 * hex files to make up for undesirable behavior from tools.)
261 * Note that EEPROM segments max out at 1023 bytes; the upload protocol
262 * allows segments of up to 64 KBytes (more than a loader could handle).
270 cp
= fgets(buf
, sizeof(buf
), image
);
272 logerror("EOF without EOF record!\n");
276 /* EXTENSION: "# comment-till-end-of-line", for copyrights etc */
281 logerror("not an ihex record: %s", buf
);
285 /* ignore any newline */
286 cp
= strchr(buf
, '\n');
291 logerror("** LINE: %s\n", buf
);
293 /* Read the length field (up to 16 bytes) */
296 len
= strtoul(buf
+1, NULL
, 16);
299 /* Read the target offset (address up to 64KB) */
302 off
= (int)strtoul(buf
+3, NULL
, 16);
305 /* Initialize data_addr */
311 /* Read the record type */
314 type
= (char)strtoul(buf
+7, NULL
, 16);
317 /* If this is an EOF record, then make it so. */
320 logerror("EOF on hexfile\n");
325 logerror("unsupported record type: %u\n", type
);
329 if ((len
* 2) + 11 > strlen(buf
)) {
330 logerror("record too short?\n");
334 /* FIXME check for _physically_ contiguous not just virtually
335 * e.g. on FX2 0x1f00-0x2100 includes both on-chip and external
336 * memory so it's not really contiguous */
338 /* flush the saved data if it's not contiguous,
339 * or when we've buffered as much as we can.
342 && (off
!= (data_addr
+ data_len
)
344 || (data_len
+ len
) > sizeof(data
))) {
346 external
= is_external(data_addr
, data_len
);
347 rc
= poke(context
, data_addr
, external
, data
, data_len
);
354 /* append to saved data, flush later */
355 for (idx
= 0, cp
= buf
+9 ; idx
< len
; idx
+= 1, cp
+= 2) {
358 data
[data_len
+ idx
] = (uint8_t)strtoul(cp
, NULL
, 16);
365 /* flush any data remaining */
368 external
= is_external(data_addr
, data_len
);
369 rc
= poke(context
, data_addr
, external
, data
, data_len
);
377 * Parse a binary image file and write it as is to the target.
378 * Applies to Cypress BIX images for RAM or Cypress IIC images
381 * image - the BIX image file
382 * context - for use by poke()
383 * is_external - if non-null, used to check which segments go into
384 * external memory (writable only by software loader)
385 * poke - called with each memory segment; errors indicated
386 * by returning negative values.
388 * Caller is responsible for halting CPU as needed, such as when
389 * overwriting a second stage loader.
391 static int parse_bin(FILE *image
, void *context
,
392 bool (*is_external
)(uint32_t addr
, size_t len
), int (*poke
)(void *context
,
393 uint32_t addr
, bool external
, const unsigned char *data
, size_t len
))
395 unsigned char data
[4096];
396 uint32_t data_addr
= 0;
399 bool external
= false;
402 data_len
= fread(data
, 1, 4096, image
);
406 external
= is_external(data_addr
, data_len
);
407 rc
= poke(context
, data_addr
, external
, data
, data_len
);
410 data_addr
+= (uint32_t)data_len
;
412 return feof(image
)?0:-1;
416 * Parse a Cypress IIC image file and invoke the poke() function on the
417 * various segments for writing to RAM
419 * image - the IIC image file
420 * context - for use by poke()
421 * is_external - if non-null, used to check which segments go into
422 * external memory (writable only by software loader)
423 * poke - called with each memory segment; errors indicated
424 * by returning negative values.
426 * Caller is responsible for halting CPU as needed, such as when
427 * overwriting a second stage loader.
429 static int parse_iic(FILE *image
, void *context
,
430 bool (*is_external
)(uint32_t addr
, size_t len
),
431 int (*poke
)(void *context
, uint32_t addr
, bool external
, const unsigned char *data
, size_t len
))
433 unsigned char data
[4096];
434 uint32_t data_addr
= 0;
435 size_t data_len
= 0, read_len
;
436 uint8_t block_header
[4];
438 bool external
= false;
439 long file_size
, initial_pos
= ftell(image
);
441 fseek(image
, 0L, SEEK_END
);
442 file_size
= ftell(image
);
443 fseek(image
, initial_pos
, SEEK_SET
);
445 /* Ignore the trailing reset IIC data (5 bytes) */
446 if (ftell(image
) >= (file_size
- 5))
448 if (fread(&block_header
, 1, sizeof(block_header
), image
) != 4) {
449 logerror("unable to read IIC block header\n");
452 data_len
= (block_header
[0] << 8) + block_header
[1];
453 data_addr
= (block_header
[2] << 8) + block_header
[3];
454 if (data_len
> sizeof(data
)) {
455 /* If this is ever reported as an error, switch to using malloc/realloc */
456 logerror("IIC data block too small - please report this error to libusbx.org\n");
459 read_len
= fread(data
, 1, data_len
, image
);
460 if (read_len
!= data_len
) {
461 logerror("read error\n");
465 external
= is_external(data_addr
, data_len
);
466 rc
= poke(context
, data_addr
, external
, data
, data_len
);
473 /* the parse call will be selected according to the image type */
474 static int (*parse
[IMG_TYPE_MAX
])(FILE *image
, void *context
, bool (*is_external
)(uint32_t addr
, size_t len
),
475 int (*poke
)(void *context
, uint32_t addr
, bool external
, const unsigned char *data
, size_t len
))
476 = { parse_ihex
, parse_iic
, parse_bin
};
478 /*****************************************************************************/
481 * For writing to RAM using a first (hardware) or second (software)
482 * stage loader and 0xA0 or 0xA3 vendor requests
486 internal_only
, /* hardware first-stage loader */
487 skip_internal
, /* first phase, second-stage loader */
488 skip_external
/* second phase, second-stage loader */
491 struct ram_poke_context
{
492 libusb_device_handle
*device
;
497 #define RETRY_LIMIT 5
499 static int ram_poke(void *context
, uint32_t addr
, bool external
,
500 const unsigned char *data
, size_t len
)
502 struct ram_poke_context
*ctx
= (struct ram_poke_context
*)context
;
507 case internal_only
: /* CPU should be stopped */
509 logerror("can't write %u bytes external memory at 0x%08x\n",
510 (unsigned)len
, addr
);
514 case skip_internal
: /* CPU must be running */
517 logerror("SKIP on-chip RAM, %u bytes at 0x%08x\n",
518 (unsigned)len
, addr
);
523 case skip_external
: /* CPU should be stopped */
526 logerror("SKIP external RAM, %u bytes at 0x%08x\n",
527 (unsigned)len
, addr
);
541 /* Retry this till we get a real error. Control messages are not
542 * NAKed (just dropped) so time out means is a real problem.
544 while ((rc
= ezusb_write(ctx
->device
,
545 external
? "write external" : "write on-chip",
546 external
? RW_MEMORY
: RW_INTERNAL
,
547 addr
, data
, len
)) < 0
548 && retry
< RETRY_LIMIT
) {
549 if (rc
!= LIBUSB_ERROR_TIMEOUT
)
557 * Load a Cypress Image file into target RAM.
558 * See http://www.cypress.com/?docID=41351 (AN76405 PDF) for more info.
560 static int fx3_load_ram(libusb_device_handle
*device
, const char *path
)
562 uint32_t dCheckSum
, dExpectedCheckSum
, dAddress
, i
, dLen
, dLength
;
564 unsigned char *bBuf
, hBuf
[4], blBuf
[4], rBuf
[4096];
568 image
= fopen(path
, "rb");
570 logerror("unable to open '%s' for input\n", path
);
573 logerror("open firmware image %s for RAM upload\n", path
);
576 if (fread(hBuf
, sizeof(char), sizeof(hBuf
), image
) != sizeof(hBuf
)) {
577 logerror("could not read image header");
582 // check "CY" signature byte and format
583 if ((hBuf
[0] != 'C') || (hBuf
[1] != 'Y')) {
584 logerror("image doesn't have a CYpress signature\n");
593 logerror("normal FW binary %s image with checksum\n", (hBuf
[2]&0x01)?"data":"executable");
596 logerror("security binary image is not currently supported\n");
600 logerror("VID:PID image is not currently supported\n");
604 logerror("invalid image type 0x%02X\n", hBuf
[3]);
609 // Read the bootloader version
611 if ((ezusb_read(device
, "read bootloader version", RW_INTERNAL
, 0xFFFF0020, blBuf
, 4) < 0)) {
612 logerror("Could not read bootloader version\n");
616 logerror("FX3 bootloader version: 0x%02X%02X%02X%02X\n", blBuf
[3], blBuf
[2], blBuf
[1], blBuf
[0]);
621 logerror("writing image...\n");
623 if ((fread(&dLength
, sizeof(uint32_t), 1, image
) != 1) || // read dLength
624 (fread(&dAddress
, sizeof(uint32_t), 1, image
) != 1)) { // read dAddress
625 logerror("could not read image");
632 dImageBuf
= calloc(dLength
, sizeof(uint32_t));
633 if (dImageBuf
== NULL
) {
634 logerror("could not allocate buffer for image chunk\n");
640 if (fread(dImageBuf
, sizeof(uint32_t), dLength
, image
) != dLength
) {
641 logerror("could not read image");
646 for (i
= 0; i
< dLength
; i
++)
647 dCheckSum
+= dImageBuf
[i
];
648 dLength
<<= 2; // convert to Byte length
649 bBuf
= (unsigned char*) dImageBuf
;
651 while (dLength
> 0) {
652 dLen
= 4096; // 4K max
655 if ((ezusb_write(device
, "write firmware", RW_INTERNAL
, dAddress
, bBuf
, dLen
) < 0) ||
656 (ezusb_read(device
, "read firmware", RW_INTERNAL
, dAddress
, rBuf
, dLen
) < 0)) {
657 logerror("R/W error\n");
662 // Verify data: rBuf with bBuf
663 for (i
= 0; i
< dLen
; i
++) {
664 if (rBuf
[i
] != bBuf
[i
]) {
665 logerror("verify error");
679 // read pre-computed checksum data
680 if ((fread(&dExpectedCheckSum
, sizeof(uint32_t), 1, image
) != 1) ||
681 (dCheckSum
!= dExpectedCheckSum
)) {
682 logerror("checksum error\n");
687 // transfer execution to Program Entry
688 if (!ezusb_fx3_jump(device
, dAddress
)) {
698 * Load a firmware file into target RAM. device is the open libusbx
699 * device, and the path is the name of the source file. Open the file,
700 * parse the bytes, and write them in one or two phases.
702 * If stage == 0, this uses the first stage loader, built into EZ-USB
703 * hardware but limited to writing on-chip memory or CPUCS. Everything
704 * is written during one stage, unless there's an error such as the image
705 * holding data that needs to be written to external memory.
707 * Otherwise, things are written in two stages. First the external
708 * memory is written, expecting a second stage loader to have already
709 * been loaded. Then file is re-parsed and on-chip memory is written.
711 int ezusb_load_ram(libusb_device_handle
*device
, const char *path
, int fx_type
, int img_type
, int stage
)
715 bool (*is_external
)(uint32_t off
, size_t len
);
716 struct ram_poke_context ctx
;
718 uint8_t iic_header
[8] = { 0 };
721 if (fx_type
== FX_TYPE_FX3
)
722 return fx3_load_ram(device
, path
);
724 image
= fopen(path
, "rb");
726 logerror("%s: unable to open for input.\n", path
);
728 } else if (verbose
> 1)
729 logerror("open firmware image %s for RAM upload\n", path
);
731 if (img_type
== IMG_TYPE_IIC
) {
732 if ( (fread(iic_header
, 1, sizeof(iic_header
), image
) != sizeof(iic_header
))
733 || (((fx_type
== FX_TYPE_FX2LP
) || (fx_type
== FX_TYPE_FX2
)) && (iic_header
[0] != 0xC2))
734 || ((fx_type
== FX_TYPE_AN21
) && (iic_header
[0] != 0xB2))
735 || ((fx_type
== FX_TYPE_FX1
) && (iic_header
[0] != 0xB6)) ) {
736 logerror("IIC image does not contain executable code - cannot load to RAM.\n");
742 /* EZ-USB original/FX and FX2 devices differ, apart from the 8051 core */
746 is_external
= fx2lp_is_external
;
750 is_external
= fx2_is_external
;
754 is_external
= fx_is_external
;
758 /* use only first stage loader? */
760 ctx
.mode
= internal_only
;
762 /* if required, halt the CPU while we overwrite its code/data */
763 if (cpucs_addr
&& !ezusb_cpucs(device
, cpucs_addr
, false))
769 /* 2nd stage, first part? loader was already uploaded */
771 ctx
.mode
= skip_internal
;
773 /* let CPU run; overwrite the 2nd stage loader later */
775 logerror("2nd stage: write external memory\n");
778 /* scan the image, first (maybe only) time */
780 ctx
.total
= ctx
.count
= 0;
781 status
= parse
[img_type
](image
, &ctx
, is_external
, ram_poke
);
783 logerror("unable to upload %s\n", path
);
788 /* second part of 2nd stage: rescan */
789 // TODO: what should we do for non HEX images there?
791 ctx
.mode
= skip_external
;
793 /* if needed, halt the CPU while we overwrite the 1st stage loader */
794 if (cpucs_addr
&& !ezusb_cpucs(device
, cpucs_addr
, false))
800 /* at least write the interrupt vectors (at 0x0000) for reset! */
803 logerror("2nd stage: write on-chip memory\n");
804 status
= parse_ihex(image
, &ctx
, is_external
, ram_poke
);
806 logerror("unable to completely upload %s\n", path
);
813 logerror("... WROTE: %d bytes, %d segments, avg %d\n",
814 (int)ctx
.total
, (int)ctx
.count
, (int)(ctx
.total
/ctx
.count
));
816 /* if required, reset the CPU so it runs what we just uploaded */
817 if (cpucs_addr
&& !ezusb_cpucs(device
, cpucs_addr
, true))