Turning a STM32 Evaluation Board into a Programmer and Debugger

The STM32F4Discovery evaluation board is allegedly build to program remote targets. It features a header that that has a debug-out Serial Wire Debug (SWD) configuration. The documentation and examples that exemplify this technique are sparse. The header features the following signals (see UM1472 for further info):

• Pin1 Voltage from target application (do not use),
• Pin2 SWD Clock: Connect to SWCLK of the target (PA14 on STM32s),
• Pin3 GND: Connect to GND of the target (needed to share the signal ground),
• Pin4 SWD I/O: Connect to SWDIO of the target (PA13 on STM32s),
• Pin5 NRST: Connect to the target reset pin (RST on STM32s),
• Pin6 SWO: SWD trace data line (optional and therefore not subject to this post).

If it would be that easy to just connect the signals then this tutorial could stop here. Unfortunately, to get things setup the board has to be modified further. The SWD data lines are obviously used by the STM32F407 that sits on the board. It is easy to have exclusive access to these lines as follows:

·         Remove the jumpers on CN3.

That way thedebugger portion of the discovery board will only share the SWD signals with the SWD connector. 

Furthermore, the debugger shares the reset line of the target with the on-board chip as well. If this line is not cut, the internal circuit of the on-board chip will prevent the signal to be properly used for remote applications. Instead of adding a jumper that would make it easy for people to fix this, the STM guys decided to add a solder bride.

·         Replace the solder bridge SB11 with a jumper as shown in the following.

In order to be safe and avoid adverse affects, one can remove the power to the on-board chip. The STM people added a jumper that can be replaced with an ampere-meter to measure the power consumption of the chip.

·         Remove JP1/PPI to cut the power to the on-board chip.

In order to be sure that I can program other chips of the STM32-family, I used a STM32VLDiscovery board as my guinea pig. As seen in the picture, I shared the signal ground (GND) and provided 3V to the 3.3V pin of the target board from the STM32F4Discovery. The reset line and SWD signals were connected as described above.

All people who have no real operating system (i.e., M$ Windows), can download and use the STLink utility from STM. It provides crude access to the chip that is connected to the SWD port.

·         Select “Target” -> “Connect…”
Watch the status line and confirm that the connected chip matches the outcome you expect. In my case I use the debugger to connect to a STM32VLDiscovery that has a STM32F100 chip.

·         Select “Target” -> “Program”
This allows you to upload an ELF or HEX file to the target board. The programming process should not take longer than a few milliseconds.

For all the advanced people there is OpenOCD for Linux. I am using a development version (v0.7.x) from their git repository. When you build OpenOCD from source (not covered in this article) make sure you enable the STLink support. Shown below is my example file to flash the ELF file into the STM32VLDiscovery.

OpenOCD can be invoked by just calling “openocd” in the directory where the ELF- and the configuration files reside.

## openocd.cfg file for STLINK/v2 to program
# an STM32F1xx chip.
#
# @author Thomas Reidemeister

# Use STLink/V2 protocol
source [find interface/stlink-v2.cfg]

# Use STM32F1x
source [find target/stm32f1x_stlink.cfg]

# Connect to target
init

# Reset target into halt
# Hint: _reset_ clears breakpoint buffer and puts the 
#  system in defined state.
#  The target must be _halted_ to write to flash.
reset halt

# Write the image to the target
flash write_image erase main.elf
# uncomment the line if you want to have things verified
#verify_image main.elf

# execute the target
reset run

# close down OpenOCD
shutdown 

In conclusion, I have shown how to use the debugger portion of the STM32F4Discovery in a debug-out configuration to debug an external target. To make it hard, I picked a different chip from their value line series.

Although I am not a big fan of Windows, the STLink software seems to be a great way to upgrade the firmware of the debugger itself. The reader should note that the STM engineers already use internal pull-ups for the debug circuit of the STM. As a result it is possible to just connect the power supply, ground pins, PA13, and PA14 on a remote target on most STM32 processors. Be sure to check out the “Getting started with XXX hardware development” application notes of your STM32 target to confirm this.

(And a couple more toys to play with :D)

On Designing Boot Loaders and Grey-box-Testing Firmware (Part 2/2)

In the past tutorial, we have established how to integrate two pieces of code together, exemplifying a boot-loader and firmware interaction. The difference to the previous scenario is that in a test-suite, you actually need to maintain a symmetric interaction among those two different pieces of code. There are several approaches how this can be achieved.

• Explicitly pin each data-structure to specific locations in the memory. So each of the code pieces knows where to look for the others code and data.
• Pin an entry point of the firmware to a specific memory section that registers tests in another shared memory section.
• Pin an entry point of the firmware to a specific memory section that registers tests in a data-structure provided by the test-suite.

Looking at the different options it becomes apparent, why we talk about “grey-box testing”. In all cases we need to know some memory sections within the other pieces of code. The approaches differ by the number of memory sections required to be pinned. In addition, you might want to load tests dynamically through the boot loader requiring additional pinned sections.

Step One: How to Customize the Locations of Code and Data

In principle you want to place individual data structures and code into labelled memory sections, defining the location and label in the linker script and referencing label in GCC for the linker. The attribute-section paradigm allows us to do so. Suppose we want to load a function called test into a block of memory at an absolute address. First, we need to define this memory section in the linker script as follows:

MEMORY
{
    ram        : ORIGIN = 0x10200000, LENGTH = 1M
}

SECTIONS
{
.text :
    {
    *(.text)
    *(.rodata*)
    } > ram

.data :
    {
    *(.data)
    } > ram

.bss :
    {
    *(.bss)
    } > ram

__TESTS__ 0x10300000:
    {
    *(__TESTS__)
    }
}

Second, we need to reference this section in the code. This is done by declaring an attribute in the function’s specification as follows:

void __attribute__ ((section ("__TEST_INIT__"))) init_tests() {
...
}

The listing shows that the function is indeed stored at that particular location.

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
...
3 __TEST_INIT__ 00000030  10400000  10400000  00006000  2**1
...
Disassembly of section __TEST_INIT__:

10400000 :
...

Likewise global data structures and variables can be stored at such particular locations.

typedef struct {
void (*test1_fun)();
} TestFixture;

TestFixture __attribute__ ((section("__TESTS__"))) tests;

Step Two: Designing the Tests

We proposed three options for the test integration in the introduction.

Option One: (Naïve) Tell everything

The first naïve approach is to actually pin each testable primitive and global data structure to a particular memory region. In this scenario, all entry points to these primitives and global data structures are declared in the linker script of the test code. The linker script of the firmware declares all of those sections and the primitives are pinned to these sections using the attribute-section paradigm. This approach reduces the overhead of implementing tests vastly, since all locations are defined and no futher registration of the firmware with the tests is needed. Expected results can be directly checked against the data structures. However, maintaining the linker scripts in-sync, handling fragmentation of the firmware code (i.e., huge gaps between the declared sections) and changing the firmware code incur at significant overhead.

Option Two: Let the Firmware Register with a Global Data Structure

This approach is geared to minimize the overhead of maintaining the memory locations. In this scenario the firmware voluntarily registers with the test code, placing the information into a shared data-structure. In this scenario, two locations need to be shared across the firmware and the test-code.

• The location of the registration routine that is to be implemented by the firmware code.
• The location of the global data structure that contains the test information.

In addition the specification of the test data structure as well as the registration interface need to be shared among the two pieces of code. This can be achieved by sharing a common header file.

This scenario is useful when the test information is known beforehand. It also enables testing slightly modified versions of the firmware because the test code does not need to be aware of the location of the primitives or data structures. The firmware voluntarily provides this information through the registration routine. Both linker scripts define the section of the global data structure. Both linker scripts define the sections of the global data structure and registration routine. In order to avoid adverse effects the test code may prevent explicit writing to the registration routine. Here the test linker script:

MEMORY
{
    sram     : ORIGIN = 0x10200000, LENGTH = 1M
}

__FIRMWARE_ = 0x10100000;

/* firmware's test registration routine */
__REGISTER_TEST__ = 0x10300000;

SECTIONS
{
...
    /* shared test data goes here */
    __TEST_DATA__ 0x10400000:
    {
    *(__TEST_DATA__)
    }
}

And the firmware linker script looks like this:

MEMORY
{
    sram     : ORIGIN = 0x10100000, LENGTH = 1M
}

SECTIONS
{
...
/* firmware's test registration routine */
__REGISTER_TEST__ 0x10300000:
    {
    *(__REGISTER_TEST__)
    }

/* shared test data goes here */
__TEST_DATA__ 0x10400000:
    {
    *(__TEST_DATA__)
    }
}

The shared header among the firmware and the test code defining the structure of the shared data structure and the registration interface:

typedef struct {
void (*firmware_fun)();
} TestFixture;

TestFixture __attribute__ ((section("__TEST_DATA__"))) gTestFixture;

extern void __REGISTER_TEST__();

The test code inside the bootloader simply registers with the firmware and invokes the required primitives of the firmware:

int main(void)
{
    debug_puts("Inside boot-loader test suite!\r\n");

    /* register test structure */
    __REGISTER_TEST__();
    /* execute a firmware function to test */
    gTestFixture.firmware_fun();

    debug_puts("Inside boot-loader again!\r\n");

    return 0;
}

The location of the registration code inside the firmware is pinned as follows:

void  __attribute__ ((section ("__REGISTER_TEST__"))) test_register() {
gTestFixture.firmware_fun = myprimitive;
}

Merging the test suite with the firmware and executing it in the coldfire simulator, as described in Part one of this tutorial, yields the following output. The test code can be obtained from option2.zip (see attachments below).

Use CTRL-C (SIGINT) to cause autovector interrupt 7 (return to monitor)
Loading memory modules...
Loading board configuration...
  Opened [/usr/local/coldfire/share/coldfire/cjdesign-5307.board]
Board ID: CJDesign
CPU: 5307 (Motorola Coldfire 5307)
  unimplemented instructions: CPUSHL PULSE WDDATA WDEBUG
  69 instructions registered
  building instruction cache... done.
Memory segments: dram  timer0  timer1  uart0(on port 5206)
           uart1(on port 5207)  sim  flash  sram

!!! Remember to telnet to the above ports if you want to see any output!
Hard Reset...
Initializing monitor...
Enter 'help' for help.
dBug> dl merged.s19
Downloading S-Record...
Done downloading S-Record.
dBug> go 0x10200000
... telnet on uart0
Inside boot-loader test suite!
Inside firmware primitive!
Inside boot-loader again!

Option Three: Only Register with the Firmware

This option obviates the use of a shared data structure and may be used in the case where the test code has access to enough memory to allocate its own data structures. Usually, the constraints on boot loaders and such testers are relatively low that this is not an option. In this case we only have to share parts of the test data structure and the specification of the registration interface. The only difference to the previous example is that now the registration routine takes a pointer to the test structure provided by the test code. In addition only the prefix of the structure needs to be identical across the two pieces of code. For example the test code may choose to store test results in the structure that are hidden from the firmware. Let’s look at an example. As follows the specification of the test structure for the bootloader. Notice the removal of the pinned global variable and the additional value.

typedef struct {
void (*firmware_fun)();
int someTestingValue;
} TestFixture;

extern void __REGISTER_TEST__(TestFixture *tests);

And here the specification of the test structure for the firmware:

typedef struct {
void (*firmware_fun)();
} TestFixture;

This time the test definition structure is allocated by the bootloader and passed in as parameter to the firmware. The example code is included in option3.zip (see attachments below). The interaction with the simulator is identical to the previous example.

Step Three: Dynamic Tests

In many cases the space constraints for the test code are limited. So flashing an entire precompiled suite of tests may be impossible or undesirable. In order to overcome this issue you may want to consider dynamic tests. In this scenario only individual tests are uploaded through the boot loader and executed against the firmware. This approach can be combined with all of the above methods. In addition to the specified memory sections required by the test procedure (see Step two) you also need to define a section that holds the dynamic code. In the boot loader this section is referenced as array to store and replace the code and as function pointer to execute the test. The following example shows this with an already written array that is stored at the location of the test-code. The example code of the test is shown as follows:

/* dynamically loaded structure */
unsigned char __attribute__ ((section("__TEST_CODE__")))code [] = {
...
};
...
extern int __TEST_CODE__();
extern unsigned char * code;

...

int main(void)
{
  debug_puts("Inside boot-loader test suite!\r\n");

  /* perform test from loaded array */
  __TEST_CODE__();

  debug_puts("Inside boot-loader again!\r\n");

  return 0;
}

To build the test code, you link it using a script that places the text, data and bss segment at the location of the test-code; or pin the test function explicitly to the section of the test code of the boot loader. The former option is useful, when the tests consist of several subroutine calls. The latter is useful for unit tests consisting of a single function call, having no global data structures. In addition, you might want to consider allocating a separate stack inside the test routine to avoid corruption.

The array containing the test cases can be created from the SREC-S19 file of the compiled test-case. The python script srec_to_c.py included in the sample code performs that conversion for continous S19 files.

Discussion

In this tutorial, we have shown how to leverage the boot-loader-firmware-paradigm introduced in the previous part of this tutorial to perform dynamic firmware testing. It is up to the software engineer to select the degree to which the firmware has to interact with the tests to register with the test-suite.

In addition to the procedures shown, you may want to consider using your host systems timers to check the progress of executed tests. If the firmware does not register with the tests properly or a test becomes stalled, the boot loader can be able to recover itself using a timer interrupt.

A substantial risk using these approaches is that the firmware and the bootloader still share the same address space. You may want to consider introducing explicit checks that ensure that the firmware does not touch boot loader code (i.e., through heap operations) and vice-versa.

The srec_to_c.py script performs the transformation of the test-case’s SREC/S19 files to the array. You can modify this script to create binary images that are uploaded through your devices interface.

Sample Code:

• option2.zip
• option3.zip
• dynamic_tests.zip

On Designing Boot Loaders and Grey-box-Testing Firmware (Part 1/2)

I am currently TAing SE350. The students’ deliverable is a small real-time executive kernel (RTX) that runs on a Freescale Coldfire chip. We got the idea of building an automated embedded test suite for the students’ term projects. However, instead of having to compile the students’ code from scratch we would only want to take their firmware binary directly and test it. This testing would involve injecting several test processes in the students’ OS. These tests would stress their implementation and dump the results to a serial port of the actual Coldfire board. Having worked in the embedded field this problem is similar to integrating boot-loaders with firmware. In the project, the boot-loader is the testing code and the actual firmware is the code to be tested.

You end up with two pieces of binary code that will be programmed into your device. So the challenge is to make them talk to each other. In the case of the boot-loader, you have the boot-loader invoking the firmware, and in the case of the testing code the testing code invokes the RTX.

In the following sections, I describe the steps for…

• Building a tool-chain,
• Developing the boot-loader-, firmware-code,
• And integrating the different SREC/S19 files

In the second part I will describe how to leverage the established framework to design a native testing suite.

Step 1: What tools do I need?

In order to run stuff on bare (i.e., no existing OS) chips you need to have a tool chain that translates your source code into ELF files (ELF = Executable and linkable format) and SREC/S19 files for flashing it onto the device. We need:

• Binutils,
• The GNU C Compiler,
• And the Coldfire simulator.

A detailed description, how to build these tools is already here on my website.

Step 2: Where to put my firmware code?

If you are going to integrate two pieces of code, you need to make sure they do not overlap in flash and do not access themselves in an undesired fashion. Since you are developing on the bare hardware, you actually have complete control over the former property and can enforce the latter by a careful code design. Your generated ELF file will consist of three major sections, as follows:

• The text segment (.text), where your executable code goes,
• The data segment (.data), where initialized global variables go,
• The BSS segment (.bss), where uninitialized global variables go.

Note that the BSS segment exists for some historic reason and in almost all OS lectures it is implied by the data segment (i.e. data := data + BSS). By convention the text segment starts at a lower address than data and BSS segments. When your program is executed the data the values of the data and BSS segments are copied into the main memory. However the size is not established at runtime. The program’s stack for function calls and local variables resides on the heap which is by convention allocated after the BSS segment and grows dynamically. The GNU tool-chain you just build includes the GNU Linker that allows specifying these locations explicitly by linker scripts (i.e., LD files). GNU LD files have a simple structure describing:

• The memory banks and locations,
• How to spread your code across those locations.

The following simple example file describes an embedded system (i.e. in my case: CJDesign’s MCF5307 board). Most evaluation boards, like mine, come with a huge SRAM and actually have a ROM that allows you to load stuff in main memory. As such, we will dump all code into SRAM for testing purposes. The following example specifies the assignment 1 MB at address 0x10100000 to SRAM and dumps all sections of the code into that segment. Hint the space after the section names is required to ensure the uniqueness of the names. The actual code will execute from the SRAM start address, which is 0x10100000.

/* firmware.ld */
MEMORY
{
  sram        : ORIGIN = 0x10100000, LENGTH = 1M
}

SECTIONS
{
  .text :
  {
    *(.text)
    *(.rodata*)
  } > sram

  .data :
  {
    *(.data)
  } > sram

  .bss :
  {
    *(.bss)
  } > sram
}

A note for SE350 students: Guys please do not attempt to hack the linker file provided by the course. You may run into serious trouble by using my linker script or hacking the existing one!

Step 3: Building your firmware

To compile and link your source (firmware.c) with this file, use the following command.

m68k-elf-gcc -Tfirmware.ld -Map=firmware.map –o firmware.elf firmware.c

You may want to generate a listing of the file to see that everything is at the expected location, as follows:

m68k-elf-objdump -xdC firmware.bin > firmware.lst

In order to flash or deliver this file to the customer we actually need to convert it into the Motorola S19/SREC file as follows.

m68k-elf-objcopy --output-format=srec firmware.bin firmware.s19

Step 4: Building the other piece of code

What’s left to build is the boot-loader. In order to ensure distinct flash and memory regions you need to provide another linker script that puts all the boot-loader code into a different location than the other code. A wise choice is to put this code as far away from the actual firmware as possible, possibly at the end of the available memory. The following code offsets the memory bank by 1MB and dumps the code there.

/* bootloader.ld */
MEMORY
{
  sram        : ORIGIN = 0x10200000, LENGTH = 1M
}

__FIRMWARE__ = 0x10100000;

SECTIONS
{
  .text :
  {
    *(.text)
    *(.rodata*)
  } > sram

  .data :
  {
    *(.data)
  } > sram

  .bss :
  {
    *(.bss)
  } > sram
}

In order to invoke the firmware we need to put a symbol inside the linker script that identifies the expected starting address of the firmware, which is in this case called firmware. This symbol can be used from the C-code directly as function call. In order to avoid any compilation warnings you should forward declare this function as external. The compilation and transformation into the S19 file is analog to creating the firmware code. You should end up with a bootloader.s19.

Step 5: Throwing things together

In practice when you build an embedded device. It should have the boot-loader and some firmware programmed in when it leaves assembly. In many cases the interface that the end-user has to the device (i.e. a USB connector) is different from what you have during assembly (e.g., an in-system flash tool). As such it is necessary to throw the boot-loader and the firmware together.

The S19 format is a simple ASCII data exchange format, originally developed by Motorola, for executable code. It is widely accepted by most programmers for Motorola-based embedded systems. The files are processed line by line; each line contains a control code, a record size, an address, an optional data sequence and a checksum. You find the details here.

GNU Object Copy usually outputs:

• A block header (S0),
• A sequence of data records (S1-S3)
• And the start-address (S5-S9).

The block header usually contains the name of the file (e.g., firmware.s19 or bootloader.s19). Most ROM loaders on evaluation boards will actually processes start address record, which is in our case the declared origin of the SRAM, and fail to load if they do not find it, so it needs to be included.

So in order to put the boot-loader and the firmware together into one file you need to provide one header, the data of both programs and one starting address:

• Header: any of the firmware/boot-loader, or a custom header (see below)
• Data: concatenate the data records of both original programs
• Starting address: the start address of the boot-loader

Step 5a: Composing your own header

Yes, geeky people like me actually like implementing checksum algorithms and brand their creation. In order to do so we need to dive into the checksum procedure used by S-records. According to Wikipedia the checksum is “[…]the least significant byte of ones' complement of the sum of the values represented by the two hex digit pairs for the byte count, address and data fields.” So guys, its time to dig out those algorithm-class-notes and figure that out, … oh wait …, found it:

• Sum up all bytes starting from the byte count record.
• Set: checksum = 0xFF – (0x00FF & sum)

Why the hell would anyone use such a check-summing algorithm? The answer is simple: It can be easily checked! While processing the S19 records, you can actually sum everything up, including the provided checksum and should get 0xFF. That is a simple compare operation and that can be evaluated in no time.

Step 6: Testing your Creation

If you build the Coldfire simulator according to my instructions you can invoke the simulator as follows…

coldfire --board cjdesign-5307.board

and load the code like this…

Use CTRL-C (SIGINT) to cause autovector interrupt 7 (return to monitor)
Loading memory modules...
Loading board configuration...
        Opened [/usr/local/coldfire/share/coldfire/cjdesign-5307.board]
Board ID: CJDesign
CPU: 5307 (Motorola Coldfire 5307)
        unimplemented instructions: CPUSHL PULSE WDDATA WDEBUG
        69 instructions registered
        building instruction cache... done.

Memory segments: dram  timer0  timer1  uart0(on port 5206)
                 uart1(on port 5207)  sim  flash  sram

!!! Remember to telnet to the above ports if you want to see any output!

Hard Reset...
Initializing monitor...
Enter 'help' for help.
dBug> dl merged.s19
Downloading S-Record...
Done downloading S-Record.

dBug> go 0x10100000 <- the actual firmware
... some garbage, because RTS returns to nowhere...
dBug> go 0x10200000 <- the boot-loader invoking the firmware

You should yield the following output on the terminal (telnet localhost 5206).

Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

uart0
Inside firmware! <- 1st go of the firmware
Inside boot-loader! <- 2nd go inside firmware!
Inside firmware!
Back in boot-loader!

Discussion

In this part of the how-to I explained the basics of building two pieces of binary Coldfire code and integrating them into a single file that can be processed by most programmers and ROM-loaders. A popular application is the integration of boot-loader and firmware code for embedded system assembly. Another application is embedded grey box testing. In this technique, instead of a boot-loader a test-suite is evaluated against the firmware to check for potential defects. In the next post, I’ll describe how to design such a test framework.

You can find the sample code of this post here. The code will contain some modified linker scripts that deal with particular alignment problems of the simulator. Furthermore, the boot-loader and the firmware should have different stacks so some assembly files have been added to do so. The S19 merging is done by the python script merge.py.

References and Sample Code

• Sample Code
• My build instructions for the Coldfire GCC toolchain
• GNU linker script documentation
• S19/SREC format description
• Infos on text-, data-, and bss-segments
• A comprehensive Coldfire simulator