

### Arm Debugger: Attach or Up Choose the correct debug scenario

Alex Merkle, Lauterbach Engineering GmbH & Co. KG February 01, 2022

◆□▶ ◆□▶ ◆三▶ ◆三▶ ○○○



- 1. Preface
- 2. Example U-Boot

- > TRACE32 offers multiple commands to establish a connection to a target platform
- Goal of this document is to help choosing the correct approach for the use case
- > Within this document we will use the terms Attach and Up scenarios
- > The essential difference at a glance
- > Attach scenarios establish the debug connection but do not reset/restart the target platform
- > Up scenarios will reset/restart the target platform before establishing the debug connection
- > This document will mainly put focus on *Up* scenarios

< D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D > < D

Throughout this document the following TERMs are used (aligned with ARM TF-A)

- bl1 1st bootloader, ROM, loads secondary bootloader bl2 from external media
- bl2 2nd bootloader, RAM, may load multiple next stage bootloaders (bl31/bl32/bl33/...)
- b131 runtime firmware, RAM, keeps running in Monitor mode and offers firmware functionalities e.g. PSCI, SPD, ...
- b132 trusted OS, RAM, OS running in secure zone e.g. OP-Tee
- **b133** nonsecure bootloader, RAM, typically u-boot, fastboot, coreboot bootloader offering first interactive shell
- OS rich OS, RAM, e.g. Linux/Qnx/VxWorks or hypervisor Xen/L4Re/Qnx/Coqos

Sac

(日) (월) (분) (분) (분)

### typical TF-A bootflow



See also https://www.lauterbach.com/projects\_download/ training\_manuals/arm\_trustzone.pdf for the meaning of access-classes ZS:/M:/H:/NS:.

Legend: • Reset/Core start  $\rightarrow$  Code alive, executing -- Code alive, inactive

5/22

590

э

イロト イロト イヨト イヨト

### typical TF-A bootflow



5/22



### typical TF-A bootflow



 $\equiv$ 

- TRACE32 assumes that communication with the target platform can take place with nSRST/nReset line asserted
- TRACE32 can stop the core as soon as it starts



- > TRACE32 offers diverse SYStem.Option's to relax the SYStem.Mode Up behavior
- SYStem.Option ResBreak OFF will force TRACE32 not to communicate with the target platform with nSRST/nReset asserted
- ightarrow  $\Rightarrow$  Target platform will boot for *some* time



nar

-



| WaitReset                             | IDCODE/DAPPWR/DBGREG                   | SoC specific          |
|---------------------------------------|----------------------------------------|-----------------------|
| RESet                                 | RESet                                  | RESet                 |
| SYStem.CPU <>                         | SYStem.CPU <>                          | SYStem.CPU <>         |
| SYStem.Option ResBreak OFF            | SYStem.Option ResBreak OFF             |                       |
| SYStem.Option WaitReset <time></time> | SYStem.Option WaitIDCODE <time></time> |                       |
|                                       | SYStem.Option WaitDAPPWR <time></time> |                       |
|                                       | SYStem.Option WaitDBGREG <time></time> | ???                   |
| SYStem.Option NoPRCRReset ON          | SYStem.Option NoPRCRReset ON           |                       |
| [CORE.ASSIGN <1. 2.>]                 | [CORE.ASSIGN <1. 2.>]                  | [CORE.ASSIGN <1. 2.>] |
| SYStem.Up                             | SYStem.Up                              | SYStem.Up             |

- ▷ More information can be found in *TRACE32: Help* → *Processor Architecture Manual*
- ARMv8: ~~/pdf/debugger\_armv8v9.pdf chapter Configure Debugger for SoC Specific Reset Behavior
- $\triangleright$  Example scripts: ~~/demo/arm/hardware/... or TRACE32: File  $\rightarrow$  Search for Script
- Complicated? Yes, SoC internal security, power-management, reset circuitry, ... implications become visible to the end-user

8/22

Sar

In order to debug a specific bootstage we need to connect before this stage begins  $\triangleright$ 



- In order to debug a specific bootstage we need to connect before this stage begins  $\triangleright$
- Example: in order to debug bootloader b12 we need to connect before it starts  $\triangleright$





- In order to debug a specific bootstage we need to connect before this stage begins 5
- Example: in order to debug bootloader b12 we need to connect before it starts ⊳
- Referring to our example it's enough as long as we stop while bl1 stage (ROM), thus a short ⊳ target boot time (buzzword ResBreak OFF) is okay





- In order to debug a specific bootstage we need to connect before this stage begins 5
- Example: in order to debug bootloader b12 we need to connect before it starts ⊳
- Referring to our example it's enough as long as we stop while bl1 stage (ROM), thus a short ⊳ target boot time (buzzword ResBreak OFF) is okav
- 5 Causality can be relaxed e.g. by putting a busy waiting loop into the bootloader



10/22

500

< □ > < @ > < E > < E > < E</p>

### CORE.ASSIGN

- > Syntax: CORE.ASSIGN <> [<>, [...]]
- Conditions: only available and required if the selected SYStem.CPU <> selects a multicore cluster e.g. 8x Cortex-A55
- CORE.ASSIGN allows to select physical cores of the multicore cluster and merges them into one SMP system
  - CORE.ASSIGN 3. selects physical core 3
- CORE.ASSIGN 1. 2. 3. selects physical cores 1 2 3 as one SMP system
- Rule of thumb: Key for success not only when debugging boot-scenarios, assign only cores which are up and running
- Reason: accessing unpowered/unclocked resources from the debug logic might trigger unrecoverable errors, highly target platform specific behavior

### CORE.ASSIGN

Rule of thumb: Key for success not only when debugging boot-scenarios, assign only cores which are up and running



590

E

### CORE.ASSIGN

#### Homogeneous Multicore

- All cores use the same core architecture and type
- CORE.ASSIGN is linear indexed

B::|core.assign assignment: 1, 2, 3, 4 (CA55, CA55, CA55, CA55)

> Bootcore is most likely CORE.ASSIGN 1.

#### **Heterogeneous Multicore**

- Cores use the same architecture but different types
- CORE.ASSIGN is tick/tock indexed ARM big.LITTLE, DynamlQ

B::core.assign assignment: 1, 2, 3, 4 (CA76, CA55, CA76, CA55)

Bootcore is either CORE.ASSIGN 1.

or CORE.ASSIGN 2.

 $\Rightarrow$  Check example scripts ~~/demo/arm/hardware/... Correct setting may depend on BOOTMODE lines or BOOTIMAGE, target platform specific!

na c

Arm Debugger: Attach or U<sub>1</sub>

Sac

### Breakpoints

- use ONCHIP Breakpoints to stop at every entry point of a new bootloader stage
- starting from the entry point, software breakpoints may be used within that bootloader stage
- Why ONCHIP breakpoints?
- Task of a bootloader is to load the code for the next bootstages
  ⇒ software breakpoints set in the next bootstages may get overwritten by the current bootloader stage
- Task of a bootloader is to initialize hardware e.g. DRAM ⇒ software breakpoints can't be set into untrained DRAM
- Syntax: Break.Set <address|symbol> /Onchip
- Further ONCHIP Breakpoint like features available Onchip Triggers or ARM ETM



### Code Breakpoints

#### Core logic - single address

Break.Set 0x80080000 /Program /Onchip Break.Set \_head /Program /Onchip Break.Set sYmbol.SECADDRESS(.head.text) /Program /Onchip

See also: ~~/pdf/debugger\_armv8v9.pdf - Breakpoints

### ETM logic - address range [optional]

ETM.StoppingBreakpoints ON Break.Set <range> /Program /Onchip Break.Set 0x80000000++0x0fffffff /Program /Onchip

### Onchip Triggers - exception level

Reminder: All those address comparisons use virtual addresses.

14/22 ∽q @



#### 1. Preface

#### 2. Example U-Boot

▲□▶ ▲□▶ ▲三▶ ▲三▶ 三三 - のへで

Scenario: Connect in u-boot shell Use cases:

- debug u-boot command >
- load/patch OS code using TRACE32  $\triangleright$
- debug OS boot 5
- remote control of u-boot shell 5

Can be solved as a *Attach* and *Up* scenario.

| R:TERM #1                                                                                                                             |         |
|---------------------------------------------------------------------------------------------------------------------------------------|---------|
| U-Boot 2019.07-rc4-gc17c4a29 (Jan 30 2020 - 17:07:25 +0000) vexpress_aemv&<br>aarch64 semi, Build: jenkins-armlt-platforms-release-77 | a fvp 🔨 |
| DRAM: 2 GIB<br>Flash: 64 Mi8<br>™® Warning - bad CRC, using default environment                                                       |         |
| In: serial_p101x<br>Out: serial_p101x<br>Err: serial_p101x<br>Net: SeVG1111-0                                                         |         |
| Error: SMC91111-0 address not set.<br>111 ary key to stop autoboot: 0<br>sim-popen: ExRoR of -1 for file devtree.dtb'                 |         |
| semilosting load failed, try booting with contents of DRAM<br>Bad Linux ARM64 Image magic!<br>Fyp#<br>Fyp#                            |         |



### Manual Attach

- connect serial terminal e.g. PUTTY/minicom
- press reset button/power cycle platform
- as soon as terminal string shows up, invoke D0 script in TRACE32
- script.cmm:
  - 1. reset settings of TRACE32
  - 2. configure TRACE32 for target platform
  - 3. connect and stop

|    | script.cmm                             |
|----|----------------------------------------|
| 1. | RESet                                  |
| 2. | SYStem.CPU <><br>[CORE.ASSIGN <1. 2.>] |
| 3. | SYStem.Mode Attach<br>Break            |
|    |                                        |
|    |                                        |

Sac

э

### TERM.TRIGGER

- script.cmm:
  - 1. reset settings of TRACE32
  - 2. configure TRACE32 for target platform
  - 3. ensure disconnect
  - 4. connect terminal/serial console
  - setup trigger for string *Hit any key* RESET target platform (assert nReset line)
  - 6. stop as soon as string appears in terminal
- $\Rightarrow$  an  $\mathit{Up}\xspace$  scenario without <code>SYStem.Mode</code> <code>Up</code>

| 1. | RESet                                                         |
|----|---------------------------------------------------------------|
| 2. | SYStem.CPU <><br>[CORE.ASSIGN <1. 2.>]                        |
| 3. | SYStem.Down                                                   |
| 4. | TERM.METHOD #1 COM<br>TERM.view                               |
| 5. | TERM.TRIGGER #1 "Hit any key"<br>SYStem.ResetOut              |
| 6. | SCREEN.WAIT TERM.TRIGGERED(#1)<br>SYStem.Mode Attach<br>Break |

18/22

### Using Symbols

#### > script.cmm:

- 1. reset settings of TRACE32
- 2. configure TRACE32 for target platform
- 3. use SYStem.Mode Up
- 4. load debug symbols only
- wait till temporary onchip breakpoint on start symbol of bootloader triggers
- 6. wait till temporary breakpoint in relocation procedure triggers
- 7. let bootloader perform relocation
- 8. wait till temporary breakpoint on key-press check triggers

|    | script.cmm                                                                             |
|----|----------------------------------------------------------------------------------------|
| 1. | RESet                                                                                  |
| 2. | SYStem.CPU <><br>[CORE.ASSIGN <1. 2.>]<br>[SYStem.Option]                              |
| 3. | SYStem.Up                                                                              |
| 4. | [Break.CONFIG MATCHZONE ON]<br>Data.LOAD.Elf u-boot /NoCODE                            |
| 5. | Goimage_copy_start /Onchip /Program<br>WAIT !STATE.RUN()                               |
| 6. | Go relocate_done<br>WAIT !STATE.RUN()                                                  |
| 7. | Go.Up<br>WAIT !STATE.RUN()                                                             |
|    | <pre>D0 ~~/demo/<arch>/bootloader/uboot/<br/>load_uboot_symbols_reloc.cmm</arch></pre> |
| 8. | Go tstc<br>WAIT !STATE.RUN()                                                           |
|    | < 口 > < 团 > < 臣 > < 臣 > 三百                                                             |

19/22

Sac

### Using Symbols

5

script.cmm:

triggers



#### 2 SYSte CORE. [SYSte 3 SYSte 1. reset settings of TRACE32 4 Data. 2. configure TRACE32 for target platform 5 TrOnc 3. use SYStem.Mode Up Go 4. load debug symbols only WAIT TrOnc 5. wait till cpu enters NonSecure EL2 6. wait till temporary breakpoint in relocation 6. Go re procedure triggers WAIT 7. let bootloader perform relocation 7. Go.Up 8. wait till temporary breakpoint on key-press check WAIT DO ~~ ٦ 8 Go ts WAIT

1.

| RESet                                                                                  |
|----------------------------------------------------------------------------------------|
| SYStem.CPU <><br>[CORE.ASSIGN <1. 2.>]<br>[SYStem.Option]<br>SYStem.Up                 |
| Data.LOAD.Elf u-boot /NoCODE                                                           |
| TrOnchip.Set NSEL2 ON<br>Go                                                            |
| WAIT !STATE.RUN()                                                                      |
| TrOnchip.Set NSEL2 OFF                                                                 |
| Go relocate_done                                                                       |
| WAIT !STATE.RUN()                                                                      |
| Go.Up                                                                                  |
| WAIT !STATE.RUN()                                                                      |
| <pre>D0 ~~/demo/<arch>/bootloader/uboot/<br/>load_uboot_symbols_reloc.cmm</arch></pre> |
| Go tstc                                                                                |
| WAIT !STATE.RUN()                                                                      |
|                                                                                        |

acrint cmm

20/22 Sar

# **Questions?**

REFERENCES

## Thank You!

Arm Debugger: Attach or Up

REPERENCE

5

-