search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
target/xtensa: avoid IHI for writes to non-executable memory
[openocd.git] / src / flash / nor / qn908x.c
blob8cd7a2f04ab72cf9b0a0ae88845ad878a86adcb7
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /***************************************************************************
3 * Copyright (C) 2020 iosabi *
4 * iosabi <iosabi@protonmail.com> *
5 ***************************************************************************/
6
7 #ifdef HAVE_CONFIG_H
8 #include "config.h"
9 #endif
10
11 #include "imp.h"
12
13 #include <helper/binarybuffer.h>
14 #include <helper/bits.h>
15 #include <helper/crc32.h>
16 #include <helper/time_support.h>
17 #include <helper/types.h>
18
19 /* The QN908x has two flash regions, one is the main flash region holding the
20 * user code and the second one is a small (0x800 bytes) "Flash information
21 * page" that can't be written to by the user. This page contains information
22 * programmed at the factory.
23 *
24 * The main flash region is normally 512 KiB, there's a field in the "Flash
25 * information page" that allows to specify for 256 KiB size chips. However, at
26 * the time of writing, none of the variants in the market have 256 KiB.
27 *
28 * The flash is divided into blocks of 256 KiB each, therefore containing two
29 * blocks. A block is subdivided into pages, of 2048 bytes. A page is the
30 * smallest region that can be erased or protected independently, although it
31 * is also possible to erase a whole block or both blocks. A page is subdivided
32 * into 8 rows of 64 words (32-bit words). The word subdivision is only
33 * relevant because DMA can write multiple words in the same row in the same
34 * flash program operation.
35 *
36 * For the Flash information page we are only interested in the last
37 * 0x100 bytes which contain a CRC-32 checksum of that 0x100 bytes long region
38 * and a field stating the size of the flash. This is also a good check that
39 * we are dealing with the right chip/flash configuration and is used in the
40 * probe() function.
41 */
42 #define QN908X_FLASH_BASE 0x01000000
43
44 #define QN908X_FLASH_PAGE_SIZE 2048
45 #define QN908X_FLASH_PAGES_PER_BLOCK 128
46 #define QN908X_FLASH_MAX_BLOCKS 2
47 #define QN908X_FLASH_BLOCK_SIZE \
48 (QN908X_FLASH_PAGES_PER_BLOCK * QN908X_FLASH_PAGE_SIZE)
49 #define QN908X_FLASH_IRQ_VECTOR_CHECKSUM_POS 0x1c
50 #define QN908X_FLASH_IRQ_VECTOR_CHECKSUM_SIZE 4
51 #define QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END \
52 (QN908X_FLASH_IRQ_VECTOR_CHECKSUM_POS + QN908X_FLASH_IRQ_VECTOR_CHECKSUM_SIZE)
53
54
55 /* Flash information page memory fields. */
56 #define QN908X_INFO_PAGE_BASE 0x210b0000u
57 #define QN908X_INFO_PAGE_CRC32 (QN908X_INFO_PAGE_BASE + 0x700)
58 #define QN908X_INFO_PAGE_CRC_START (QN908X_INFO_PAGE_BASE + 0x704)
59 #define QN908X_INFO_PAGE_BOOTLOADER_VER (QN908X_INFO_PAGE_BASE + 0x704)
60 #define QN908X_INFO_PAGE_FLASH_SIZE (QN908X_INFO_PAGE_BASE + 0x708)
61 #define QN908X_INFO_PAGE_BLUETOOTH_ADDR (QN908X_INFO_PAGE_BASE + 0x7fa)
62 #define QN908X_INFO_PAGE_CRC_END (QN908X_INFO_PAGE_BASE + 0x800)
63
64
65 /* Possible values of the QN908X_INFO_PAGE_FLASH_SIZE field. */
66 enum qn908x_info_page_flash_size {
67 QN908X_FLASH_SIZE_512K = 0xfffff0ff,
68 QN908X_FLASH_SIZE_256K = 0xffffe0ff,
69 };
70
71 /* QN908x "Flash memory controller", described in section 28 of the user
72 * manual. In the NXP SDK this peripheral is called "FLASH", however we use the
73 * name "FMC" (Flash Memory Controller) here when referring to the controller
74 * to avoid confusion with other "flash" terms in OpenOCD. */
75 #define QN908X_FMC_BASE 0x40081000u
76 #define QN908X_FMC_INI_RD_EN (QN908X_FMC_BASE + 0x00)
77 #define QN908X_FMC_ERASE_CTRL (QN908X_FMC_BASE + 0x04)
78 #define QN908X_FMC_ERASE_TIME (QN908X_FMC_BASE + 0x08)
79 #define QN908X_FMC_TIME_CTRL (QN908X_FMC_BASE + 0x0c)
80 #define QN908X_FMC_SMART_CTRL (QN908X_FMC_BASE + 0x10)
81 #define QN908X_FMC_INT_STAT (QN908X_FMC_BASE + 0x18)
82 #define QN908X_FMC_LOCK_STAT_0 (QN908X_FMC_BASE + 0x20)
83 #define QN908X_FMC_LOCK_STAT_1 (QN908X_FMC_BASE + 0x24)
84 #define QN908X_FMC_LOCK_STAT_2 (QN908X_FMC_BASE + 0x28)
85 #define QN908X_FMC_LOCK_STAT_3 (QN908X_FMC_BASE + 0x2c)
86 #define QN908X_FMC_LOCK_STAT_4 (QN908X_FMC_BASE + 0x30)
87 #define QN908X_FMC_LOCK_STAT_5 (QN908X_FMC_BASE + 0x34)
88 #define QN908X_FMC_LOCK_STAT_6 (QN908X_FMC_BASE + 0x38)
89 #define QN908X_FMC_LOCK_STAT_7 (QN908X_FMC_BASE + 0x3c)
90 #define QN908X_FMC_LOCK_STAT_8 (QN908X_FMC_BASE + 0x40)
91 #define QN908X_FMC_STATUS1 (QN908X_FMC_BASE + 0x48)
92 #define QN908X_FMC_DEBUG_PASSWORD (QN908X_FMC_BASE + 0xa8)
93 #define QN908X_FMC_ERASE_PASSWORD (QN908X_FMC_BASE + 0xac)
94
95 #define QN908X_FMC_INI_RD_EN_INI_RD_EN_MASK BIT(0)
96
97 #define QN908X_FMC_STATUS1_FSH_ERA_BUSY_L_MASK BIT(9)
98 #define QN908X_FMC_STATUS1_FSH_WR_BUSY_L_MASK BIT(10)
99 #define QN908X_FMC_STATUS1_FSH_ERA_BUSY_H_MASK BIT(12)
100 #define QN908X_FMC_STATUS1_FSH_WR_BUSY_H_MASK BIT(13)
101 #define QN908X_FMC_STATUS1_INI_RD_DONE_MASK BIT(15)
102 #define QN908X_FMC_STATUS1_FSH_STA_MASK BIT(26)
103
104 #define QN908X_FMC_ERASE_CTRL_PAGE_IDXL_SHIFT 0
105 #define QN908X_FMC_ERASE_CTRL_PAGE_IDXH_SHIFT 8
106 #define QN908X_FMC_ERASE_CTRL_HALF_ERASEL_EN_SHIFT 28
107 #define QN908X_FMC_ERASE_CTRL_HALF_ERASEH_EN_SHIFT 29
108 #define QN908X_FMC_ERASE_CTRL_PAGE_ERASEL_EN_SHIFT 30
109 #define QN908X_FMC_ERASE_CTRL_PAGE_ERASEH_EN_SHIFT 31
110
111 #define QN908X_FMC_INT_STAT_AHBL_INT_MASK BIT(0)
112 #define QN908X_FMC_INT_STAT_LOCKL_INT_MASK BIT(1)
113 #define QN908X_FMC_INT_STAT_ERASEL_INT_MASK BIT(2)
114 #define QN908X_FMC_INT_STAT_WRITEL_INT_MASK BIT(3)
115 #define QN908X_FMC_INT_STAT_WR_BUFL_INT_MASK BIT(4)
116 #define QN908X_FMC_INT_STAT_WRITE_FAIL_L_INT_MASK BIT(5)
117 #define QN908X_FMC_INT_STAT_ERASE_FAIL_L_INT_MASK BIT(6)
118 #define QN908X_FMC_INT_STAT_AHBH_INT_MASK BIT(8)
119 #define QN908X_FMC_INT_STAT_LOCKH_INT_MASK BIT(9)
120 #define QN908X_FMC_INT_STAT_ERASEH_INT_MASK BIT(10)
121 #define QN908X_FMC_INT_STAT_WRITEH_INT_MASK BIT(11)
122 #define QN908X_FMC_INT_STAT_WR_BUFH_INT_MASK BIT(12)
123 #define QN908X_FMC_INT_STAT_WRITE_FAIL_H_INT_MASK BIT(13)
124 #define QN908X_FMC_INT_STAT_ERASE_FAIL_H_INT_MASK BIT(14)
125
126 #define QN908X_FMC_SMART_CTRL_PRGML_EN_MASK BIT(0)
127 #define QN908X_FMC_SMART_CTRL_PRGMH_EN_MASK BIT(1)
128 #define QN908X_FMC_SMART_CTRL_SMART_WRITEL_EN_MASK BIT(2)
129 #define QN908X_FMC_SMART_CTRL_SMART_WRITEH_EN_MASK BIT(3)
130 #define QN908X_FMC_SMART_CTRL_SMART_ERASEL_EN_MASK BIT(4)
131 #define QN908X_FMC_SMART_CTRL_SMART_ERASEH_EN_MASK BIT(5)
132 #define QN908X_FMC_SMART_CTRL_MAX_WRITE_MASK 0xf00u
133 #define QN908X_FMC_SMART_CTRL_MAX_WRITE_SHIFT 8u
134 #define QN908X_FMC_SMART_CTRL_MAX_WRITE(x) \
135 (((uint32_t)(((uint32_t)(x)) << QN908X_FMC_SMART_CTRL_MAX_WRITE_SHIFT)) \
136 & QN908X_FMC_SMART_CTRL_MAX_WRITE_MASK)
137 #define QN908X_FMC_SMART_CTRL_MAX_ERASE_MASK 0x3f000u
138 #define QN908X_FMC_SMART_CTRL_MAX_ERASE_SHIFT 12u
139 #define QN908X_FMC_SMART_CTRL_MAX_ERASE(x) \
140 (((uint32_t)(((uint32_t)(x)) << QN908X_FMC_SMART_CTRL_MAX_ERASE_SHIFT)) \
141 & QN908X_FMC_SMART_CTRL_MAX_ERASE_MASK)
142
143 #define QN908X_FMC_SMART_CTRL_MAX_ERASE_RETRIES 9
144 #define QN908X_FMC_SMART_CTRL_MAX_WRITE_RETRIES 9
145
146 #define QN908X_FMC_TIME_CTRL_PRGM_CYCLE_MASK 0xfffu
147 #define QN908X_FMC_TIME_CTRL_PRGM_CYCLE_SHIFT 0u
148 #define QN908X_FMC_TIME_CTRL_PRGM_CYCLE(x) \
149 (((uint32_t)(((uint32_t)(x)) << QN908X_FMC_TIME_CTRL_PRGM_CYCLE_SHIFT)) \
150 & QN908X_FMC_TIME_CTRL_PRGM_CYCLE_MASK)
151 #define QN908X_FMC_TIME_CTRL_TIME_BASE_MASK 0xff000u
152 #define QN908X_FMC_TIME_CTRL_TIME_BASE_SHIFT 12u
153 #define QN908X_FMC_TIME_CTRL_TIME_BASE(x) \
154 (((uint32_t)(((uint32_t)(x)) << QN908X_FMC_TIME_CTRL_TIME_BASE_SHIFT)) \
155 & QN908X_FMC_TIME_CTRL_TIME_BASE_MASK)
156
157 #define QN908X_FMC_LOCK_STAT_8_MASS_ERASE_LOCK_EN BIT(0)
158 #define QN908X_FMC_LOCK_STAT_8_FSH_PROTECT_EN BIT(1)
159 #define QN908X_FMC_LOCK_STAT_8_MEM_PROTECT_EN BIT(2)
160 #define QN908X_FMC_LOCK_STAT_8_PROTECT_ANY (BIT(1) | BIT(2))
161
162 /* See Table 418 "Flash lock and protect description" in the user manual */
163 #define QN908X_FLASH_LOCK_ADDR (QN908X_FLASH_BASE + 0x7f820)
164 /* Allow mass erase */
165 #define QN908X_FLASH_LOCK_ENABLE_MASS_ERASE BIT(0)
166 /* disallow flash access from SWD */
167 #define QN908X_FLASH_LOCK_ENABLE_FLASH_PROTECTION BIT(1)
168 /* disallow SRAM access from SWD */
169 #define QN908X_FLASH_LOCK_ENABLE_MEMORY_PROTECTION BIT(2)
170
171 /* Page lock information located at the beginning of the last page. */
172 struct qn908x_flash_page_lock {
173 uint8_t bits[QN908X_FLASH_MAX_BLOCKS * QN908X_FLASH_PAGES_PER_BLOCK / 8];
174 uint8_t protection;
175 uint8_t _reserved[3];
176 /* nvds_size is unused here, but we need to preserve it across erases
177 * when locking and unlocking pages. */
178 uint8_t nvds_size[4];
179 } __attribute__ ((packed));
180
181 /* Clock configuration is stored in the SYSCON. */
182 #define QN908X_SYSCON_BASE 0x40000000u
183 #define QN908X_SYSCON_CLK_EN (QN908X_SYSCON_BASE + 0x00cu)
184 #define QN908X_SYSCON_CLK_CTRL (QN908X_SYSCON_BASE + 0x010u)
185 #define QN908X_SYSCON_CHIP_ID (QN908X_SYSCON_BASE + 0x108u)
186 #define QN908X_SYSCON_XTAL_CTRL (QN908X_SYSCON_BASE + 0x180u)
187
188 /* Internal 16MHz / 8MHz clock used by the erase operation. */
189 #define QN908X_SYSCON_CLK_EN_CLK_DP_EN_MASK BIT(21)
190
191 #define SYSCON_XTAL_CTRL_XTAL_DIV_MASK BIT(31)
192
193 #define SYSCON_CLK_CTRL_AHB_DIV_MASK 0x1FFF0u
194 #define SYSCON_CLK_CTRL_AHB_DIV_SHIFT 4u
195 #define SYSCON_CLK_CTRL_CLK_XTAL_SEL_MASK BIT(19)
196 #define SYSCON_CLK_CTRL_CLK_OSC32M_DIV_MASK BIT(20)
197 #define SYSCON_CLK_CTRL_SYS_CLK_SEL_MASK 0xC0000000u
198 #define SYSCON_CLK_CTRL_SYS_CLK_SEL_SHIFT 30u
199
200 #define CLOCK_16MHZ 16000000u
201 #define CLOCK_32MHZ 32000000u
202 #define CLOCK_32KHZ 32000u
203
204 /* Watchdog block registers */
205 #define QN908X_WDT_BASE 0x40001000u
206 #define QN908X_WDT_CTRL (QN908X_WDT_BASE + 0x08u)
207 #define QN908X_WDT_LOCK (QN908X_WDT_BASE + 0x20u)
208
209 struct qn908x_flash_bank {
210 /* The number of flash blocks. Initially set to zero until the flash
211 * is probed. This determines the size of the flash. */
212 unsigned int num_blocks;
213
214 unsigned int user_bank_size;
215 bool calc_checksum;
216
217 /* Whether we allow to flash an image that disables SWD access, potentially
218 * bricking the device since the image can't be reflashed from SWD. */
219 bool allow_swd_disabled;
220
221 bool page_lock_loaded;
222 struct qn908x_flash_page_lock page_lock;
223 };
224
225 /* 500 ms timeout. */
226 #define QN908X_DEFAULT_TIMEOUT_MS 500
227
228 /* Forward declaration of commands. */
229 static int qn908x_probe(struct flash_bank *bank);
230 static int qn908x_write(struct flash_bank *bank, const uint8_t *buffer,
231 uint32_t offset, uint32_t count);
232
233 /* Update the value of a register with a mask. This helper allows to read a
234 * register, modify a subset of the bits and write back the value, which is a
235 * common operation when modifying only a bit filed in a register. */
236 static int qn908x_update_reg(struct target *target, target_addr_t reg,
237 uint32_t mask, uint32_t value)
238 {
239 uint32_t orig_value = 0;
240 uint32_t new_value;
241 int retval;
242 if (mask != 0xffffffff) {
243 /* No need to read the old value if we request a mask of 32 bits. */
244 retval = target_read_u32(target, reg, &orig_value);
245 if (retval != ERROR_OK) {
246 LOG_DEBUG("Error reading reg at " TARGET_ADDR_FMT
247 ": %d", reg, retval);
248 return retval;
249 }
250 }
251 new_value = (orig_value & ~mask) | (value & mask);
252 retval = target_write_u32(target, reg, new_value);
253 if (retval != ERROR_OK) {
254 LOG_DEBUG("Error writing reg at " TARGET_ADDR_FMT " with 0x%08"
255 PRIx32 ": %d", reg, new_value, retval);
256 return retval;
257 }
258 if (mask == 0xffffffff) {
259 LOG_DEBUG("Updated reg at " TARGET_ADDR_FMT ": ?? -> 0x%.08"
260 PRIx32 "", reg, new_value);
261 } else {
262 LOG_DEBUG("Updated reg at " TARGET_ADDR_FMT ": 0x%.08" PRIx32
263 " -> 0x%.08" PRIx32, reg, orig_value, new_value);
264 }
265 return ERROR_OK;
266 }
267
268 /* Load lock bit and protection bit and load redundancy page info.
269 * This populates the LOCK_STAT_n registers with the values from the lock page,
270 * making protection bit changes to the last page effective. */
271 static int qn908x_load_lock_stat(struct target *target)
272 {
273 int retval = target_write_u32(target, QN908X_FMC_INI_RD_EN,
274 QN908X_FMC_INI_RD_EN_INI_RD_EN_MASK);
275 if (retval != ERROR_OK)
276 return retval;
277
278 uint32_t status1;
279 const uint32_t status_mask = QN908X_FMC_STATUS1_FSH_STA_MASK
280 | QN908X_FMC_STATUS1_INI_RD_DONE_MASK;
281 do {
282 retval = target_read_u32(target, QN908X_FMC_STATUS1, &status1);
283 if (retval != ERROR_OK)
284 return retval;
285 } while ((status1 & status_mask) != QN908X_FMC_STATUS1_INI_RD_DONE_MASK);
286
287 for (int i = 0; i <= 8; i++) {
288 uint32_t addr = QN908X_FMC_LOCK_STAT_0 + i * 4;
289 uint32_t lock_stat;
290 if (target_read_u32(target, addr, &lock_stat) == ERROR_OK)
291 LOG_DEBUG("LOCK_STAT_%d = 0x%08" PRIx32, i, lock_stat);
292 }
293 return ERROR_OK;
294 }
295
296 /* Initializes the FMC controller registers for allowing writing. */
297 static int qn908x_init_flash(struct target *target)
298 {
299 /* Determine the current clock configuration. */
300 uint32_t clk_ctrl;
301 int retval = target_read_u32(target, QN908X_SYSCON_CLK_CTRL, &clk_ctrl);
302 if (retval != ERROR_OK)
303 return retval;
304
305 uint32_t clk_sel = (clk_ctrl & SYSCON_CLK_CTRL_SYS_CLK_SEL_MASK)
306 >> SYSCON_CLK_CTRL_SYS_CLK_SEL_SHIFT;
307 LOG_DEBUG("Clock clk_sel=0x%08" PRIu32, clk_sel);
308
309 /* Core clock frequency. */
310 uint32_t core_freq = 0;
311 switch (clk_sel) {
312 case 0: /* RCO 32 MHz */
313 core_freq = (clk_ctrl & SYSCON_CLK_CTRL_CLK_OSC32M_DIV_MASK) ?
314 CLOCK_16MHZ : CLOCK_32MHZ;
315 break;
316 case 1: /* Xin frequency */
317 {
318 uint32_t clk_xtal;
319 retval = target_read_u32(target, QN908X_SYSCON_XTAL_CTRL, &clk_xtal);
320 if (retval != ERROR_OK)
321 return retval;
322 core_freq = (clk_ctrl & SYSCON_CLK_CTRL_CLK_XTAL_SEL_MASK)
323 && (clk_xtal & SYSCON_XTAL_CTRL_XTAL_DIV_MASK)
324 ? CLOCK_32MHZ : CLOCK_16MHZ;
325 }
326 break;
327 case 2: /* 32 Kz */
328 core_freq = CLOCK_32KHZ;
329 break;
330 default:
331 return ERROR_FAIL;
332 }
333
334 uint32_t ahb_div = (clk_ctrl & SYSCON_CLK_CTRL_AHB_DIV_MASK)
335 >> SYSCON_CLK_CTRL_AHB_DIV_SHIFT;
336 uint32_t ahb_freq = core_freq / (ahb_div + 1);
337
338 LOG_DEBUG("Core freq: %" PRIu32 " Hz | AHB freq: %" PRIu32 " Hz",
339 core_freq, ahb_freq);
340
341 /* TIME_BASE is 2uS at the current AHB clock speed. */
342 retval = target_write_u32(target, QN908X_FMC_TIME_CTRL,
343 QN908X_FMC_TIME_CTRL_TIME_BASE(2 * ahb_freq / 1000000) |
344 QN908X_FMC_TIME_CTRL_PRGM_CYCLE(30));
345 if (retval != ERROR_OK)
346 return retval;
347
348 return qn908x_load_lock_stat(target);
349 }
350
351 /* flash bank qn908x <base> <size> 0 0 <target#> [calc_checksum] */
352 FLASH_BANK_COMMAND_HANDLER(qn908x_flash_bank_command)
353 {
354 struct qn908x_flash_bank *qn908x_info;
355
356 if (CMD_ARGC < 6 || CMD_ARGC > 7)
357 return ERROR_COMMAND_SYNTAX_ERROR;
358
359 if (bank->base != QN908X_FLASH_BASE) {
360 LOG_ERROR("Address " TARGET_ADDR_FMT
361 " is an invalid bank address (try 0x%08" PRIx32 ")",
362 bank->base, QN908X_FLASH_BASE);
363 return ERROR_COMMAND_ARGUMENT_INVALID;
364 }
365
366 qn908x_info = malloc(sizeof(struct qn908x_flash_bank));
367
368 if (!qn908x_info)
369 return ERROR_FAIL;
370
371 bank->driver_priv = qn908x_info;
372 qn908x_info->num_blocks = 0;
373 qn908x_info->user_bank_size = bank->size;
374 qn908x_info->page_lock_loaded = false;
375 qn908x_info->allow_swd_disabled = false;
376
377 qn908x_info->calc_checksum = false;
378 if (CMD_ARGC == 7) {
379 if (strcmp(CMD_ARGV[6], "calc_checksum")) {
380 free(qn908x_info);
381 return ERROR_COMMAND_ARGUMENT_INVALID;
382 }
383 qn908x_info->calc_checksum = true;
384 }
385
386 return ERROR_OK;
387 }
388
389 static int qn908x_read_page_lock(struct flash_bank *bank)
390 {
391 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
392
393 if (bank->target->state != TARGET_HALTED) {
394 LOG_ERROR("Target not halted");
395 return ERROR_TARGET_NOT_HALTED;
396 }
397
398 /* The last page of the flash contains the "Flash lock and protect"
399 * information. It is not clear where this is located on chips with only
400 * one block. */
401 uint32_t prot_offset = qn908x_info->num_blocks * QN908X_FLASH_BLOCK_SIZE
402 - QN908X_FLASH_PAGE_SIZE;
403
404 int retval = target_read_memory(bank->target, bank->base + prot_offset, 4,
405 sizeof(qn908x_info->page_lock) / 4,
406 (void *)(&qn908x_info->page_lock));
407 if (retval != ERROR_OK)
408 return retval;
409 LOG_DEBUG("Flash protection = 0x%02" PRIx8,
410 qn908x_info->page_lock.protection);
411
412 qn908x_info->page_lock_loaded = true;
413 return ERROR_OK;
414 }
415
416 static int qn908x_busy_check(struct target *target)
417 {
418 uint32_t status1;
419 int retval = target_read_u32(target, QN908X_FMC_STATUS1, &status1);
420 if (retval != ERROR_OK)
421 return retval;
422
423 if ((status1 & (QN908X_FMC_STATUS1_FSH_ERA_BUSY_L_MASK
424 | QN908X_FMC_STATUS1_FSH_WR_BUSY_L_MASK
425 | QN908X_FMC_STATUS1_FSH_ERA_BUSY_H_MASK
426 | QN908X_FMC_STATUS1_FSH_WR_BUSY_H_MASK)))
427 return ERROR_FLASH_BUSY;
428 return ERROR_OK;
429 }
430
431 static int qn908x_status_check(struct target *target)
432 {
433 uint32_t int_stat;
434 int retval = target_read_u32(target, QN908X_FMC_INT_STAT, &int_stat);
435 if (retval != ERROR_OK)
436 return retval;
437
438 /* The error bits for block 0 and block 1 have the exact same layout, only
439 * that block 1 error bits are shifted by 8 bits. We use this fact to
440 * loop over the blocks */
441 for (unsigned int block = 0; block <= 1; block++) {
442 unsigned int shift = (block) ? 8 : 0;
443 if (int_stat & (QN908X_FMC_INT_STAT_AHBL_INT_MASK << shift)) {
444 LOG_ERROR("AHB error on block %u", block);
445 return ERROR_FAIL;
446 }
447
448 if (int_stat & (QN908X_FMC_INT_STAT_LOCKL_INT_MASK << shift)) {
449 LOG_ERROR("Locked page being accessed error on block %u", block);
450 return ERROR_FAIL;
451 }
452
453 if (int_stat & (QN908X_FMC_INT_STAT_WRITE_FAIL_L_INT_MASK << shift)) {
454 LOG_ERROR("Smart write on block %u failed", block);
455 return ERROR_FAIL;
456 }
457
458 if ((int_stat & (QN908X_FMC_INT_STAT_ERASE_FAIL_L_INT_MASK << shift))
459 || (int_stat & (QN908X_FMC_INT_STAT_ERASE_FAIL_H_INT_MASK << shift))) {
460 LOG_ERROR("Smart erase on block %u failed", block);
461 return ERROR_FAIL;
462 }
463 }
464
465 return ERROR_OK;
466 }
467
468 static int qn908x_wait_for_idle(struct target *target, int64_t timeout_ms)
469 {
470 int64_t ms_start = timeval_ms();
471
472 int busy = ERROR_FLASH_BUSY;
473 while (busy != ERROR_OK) {
474 busy = qn908x_busy_check(target);
475 if (busy != ERROR_OK && busy != ERROR_FLASH_BUSY)
476 return busy;
477 if (timeval_ms() - ms_start > timeout_ms) {
478 LOG_ERROR("Timeout waiting to be idle.");
479 return ERROR_TIMEOUT_REACHED;
480 }
481 }
482 return ERROR_OK;
483 }
484
485 /* Set up the chip to perform an erase (page or block) operation. */
486 static int qn908x_setup_erase(struct target *target)
487 {
488 int retval;
489 if (target->state != TARGET_HALTED) {
490 LOG_ERROR("Target not halted");
491 return ERROR_TARGET_NOT_HALTED;
492 }
493
494 /* Enable 8MHz clock. */
495 retval = qn908x_update_reg(target, QN908X_SYSCON_CLK_EN,
496 QN908X_SYSCON_CLK_EN_CLK_DP_EN_MASK,
497 QN908X_SYSCON_CLK_EN_CLK_DP_EN_MASK);
498 if (retval != ERROR_OK)
499 return retval;
500
501 /* Set ERASE_TIME to 2ms for smart erase. */
502 retval = qn908x_update_reg(target, QN908X_FMC_ERASE_TIME,
503 (1u << 20) - 1,
504 2000 * 8); /* 2000 uS * 8 MHz = x cycles */
505 if (retval != ERROR_OK)
506 return retval;
507
508 /* Set up smart erase. SWD can only perform smart erase. */
509 uint32_t ctrl_val = QN908X_FMC_SMART_CTRL_SMART_ERASEH_EN_MASK
510 | QN908X_FMC_SMART_CTRL_SMART_ERASEL_EN_MASK
511 | QN908X_FMC_SMART_CTRL_MAX_ERASE(QN908X_FMC_SMART_CTRL_MAX_ERASE_RETRIES)
512 | QN908X_FMC_SMART_CTRL_MAX_WRITE(QN908X_FMC_SMART_CTRL_MAX_WRITE_RETRIES);
513 retval = target_write_u32(target, QN908X_FMC_SMART_CTRL, ctrl_val);
514 if (retval != ERROR_OK)
515 return retval;
516
517 retval = qn908x_wait_for_idle(target, QN908X_DEFAULT_TIMEOUT_MS);
518 if (retval != ERROR_OK)
519 return retval;
520
521 return ERROR_OK;
522 }
523
524 static int qn908x_erase(struct flash_bank *bank, unsigned int first,
525 unsigned int last)
526 {
527 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
528 int retval = ERROR_OK;
529
530 if (!qn908x_info->num_blocks) {
531 if (qn908x_probe(bank) != ERROR_OK)
532 return ERROR_FLASH_BANK_NOT_PROBED;
533 }
534
535 retval = qn908x_setup_erase(bank->target);
536 if (retval != ERROR_OK)
537 return retval;
538
539 for (unsigned int i = first; i <= last; i++) {
540 if (i >= bank->num_sectors)
541 return ERROR_FLASH_SECTOR_INVALID;
542 uint32_t block_idx = i / QN908X_FLASH_PAGES_PER_BLOCK;
543 uint32_t page_idx = i % QN908X_FLASH_PAGES_PER_BLOCK;
544 if (block_idx >= qn908x_info->num_blocks)
545 return ERROR_FLASH_SECTOR_INVALID;
546
547 LOG_DEBUG("Erasing page %" PRIu32 " of block %" PRIu32,
548 page_idx, block_idx);
549
550 /* Depending on the block the page we are erasing is located we
551 * need to use a different set of bits in the registers. */
552 uint32_t ctrl_page_idx_shift = block_idx ?
553 QN908X_FMC_ERASE_CTRL_PAGE_IDXH_SHIFT :
554 QN908X_FMC_ERASE_CTRL_PAGE_IDXL_SHIFT;
555 uint32_t ctrl_erase_en_shift = block_idx ?
556 QN908X_FMC_ERASE_CTRL_PAGE_ERASEH_EN_SHIFT :
557 QN908X_FMC_ERASE_CTRL_PAGE_ERASEL_EN_SHIFT;
558
559 retval = target_write_u32(bank->target, QN908X_FMC_ERASE_CTRL,
560 BIT(ctrl_erase_en_shift) | (page_idx << ctrl_page_idx_shift));
561 if (retval != ERROR_OK)
562 return retval;
563
564 retval = qn908x_wait_for_idle(bank->target, QN908X_DEFAULT_TIMEOUT_MS);
565 if (retval != ERROR_OK)
566 return retval;
567
568 retval = qn908x_status_check(bank->target);
569 if (retval != ERROR_OK)
570 return retval;
571 }
572
573 return retval;
574 }
575
576 static int qn908x_protect(struct flash_bank *bank, int set, unsigned int first,
577 unsigned int last)
578 {
579 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
580
581 if (bank->target->state != TARGET_HALTED) {
582 LOG_ERROR("Target not halted");
583 return ERROR_TARGET_NOT_HALTED;
584 }
585
586 if (!qn908x_info->page_lock_loaded) {
587 int retval = qn908x_read_page_lock(bank);
588 if (retval != ERROR_OK)
589 return retval;
590 }
591
592 /* Use [first, last) interval open on the right side from now on. */
593 last++;
594 /* We use sectors as prot_blocks. */
595 bool needs_update = false;
596 for (unsigned int i = first; i < last; i++) {
597 if (set != (((qn908x_info->page_lock.bits[i / 8] >> (i % 8)) & 1) ^ 1))
598 needs_update = true;
599 }
600
601 /* Check that flash protection still allows SWD access to flash and RAM,
602 * otherwise we won't be able to re-flash this chip from SWD unless we do a
603 * mass erase. */
604 if (qn908x_info->page_lock.protection & QN908X_FMC_LOCK_STAT_8_PROTECT_ANY) {
605 LOG_WARNING("SWD flash/RAM access disabled in the Flash lock and "
606 "protect descriptor. You might need to issue a mass_erase to "
607 "regain SWD access to this chip after reboot.");
608 }
609
610 if (!needs_update)
611 return ERROR_OK;
612
613 int last_page = qn908x_info->num_blocks * QN908X_FLASH_PAGES_PER_BLOCK - 1;
614 int retval;
615
616 if (qn908x_info->page_lock.bits[sizeof(qn908x_info->page_lock.bits) - 1] & 0x80) {
617 /* A bit 1 in the MSB in the page_lock.bits array means that the last
618 * page is unlocked, so we can just erase it. */
619 retval = qn908x_erase(bank, last_page, last_page);
620 if (retval != ERROR_OK)
621 return retval;
622 } else {
623 /* TODO: The last page is locked and we can't erase unless we use the
624 * ERASE_PASSWORD from code running on the device. For this we need to
625 * copy a little program to RAM and execute the erase command from
626 * there since there's no way to override the page protection from
627 * SWD. */
628 LOG_ERROR("Unprotecting the last page is not supported. Issue a "
629 "\"qn908x mass_erase\" command to erase the whole flash, "
630 "including the last page and its protection.");
631 return ERROR_FAIL;
632 }
633
634 for (unsigned int i = first / 8; i < (last + 7) / 8; i++) {
635 /* first_mask contains a bit set if the bit corresponds to a block id
636 * that is larger or equal than first. This is basically 0xff in all
637 * cases except potentially the first iteration. */
638 uint8_t first_mask = (first <= i * 8)
639 ? 0xff : 0xff ^ ((1u << (first - i * 8)) - 1);
640 /* Similar to first_mask, this contains a bit set if the corresponding
641 * is smaller than last. */
642 uint8_t last_mask = (i * 8 + 8 <= last)
643 ? 0xff : ((1u << (last - i * 8)) - 1);
644
645 uint8_t mask = first_mask & last_mask;
646 LOG_DEBUG("protect set=%d bits[%d] with mask=0x%02x", set, i, mask);
647 /* To "set" the protection bit means to clear the bit in the page_lock
648 * bit array. */
649 if (set)
650 qn908x_info->page_lock.bits[i] &= ~mask;
651 else
652 qn908x_info->page_lock.bits[i] |= mask;
653 }
654
655 retval = qn908x_write(bank, (void *)(&qn908x_info->page_lock),
656 last_page * QN908X_FLASH_PAGE_SIZE, sizeof(qn908x_info->page_lock));
657 if (retval != ERROR_OK)
658 return retval;
659
660 /* Reload the lock_stat to make the changes effective. */
661 retval = qn908x_load_lock_stat(bank->target);
662 if (retval != ERROR_OK)
663 return retval;
664
665 for (unsigned int i = first; i < last; i++)
666 bank->sectors[i].is_protected = set;
667
668 return ERROR_OK;
669 }
670
671 static int qn908x_write(struct flash_bank *bank, const uint8_t *buffer,
672 uint32_t offset, uint32_t count)
673 {
674 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
675 int retval = ERROR_OK;
676
677 if (bank->target->state != TARGET_HALTED) {
678 LOG_ERROR("Target not halted");
679 return ERROR_TARGET_NOT_HALTED;
680 }
681
682 /* The flash infrastructure was requested to align writes to 32 bit */
683 assert(((offset % 4) == 0) && ((count % 4) == 0));
684
685 /* Compute the calc_checksum even if it wasn't requested. */
686 uint32_t checksum = 0;
687 if (offset == 0 && count >= 0x20) {
688 for (int i = 0; i < 7; i++)
689 checksum += buf_get_u32(buffer + (i * 4), 0, 32);
690 checksum = 0 - checksum;
691 LOG_DEBUG("computed image checksum: 0x%8.8" PRIx32, checksum);
692 uint32_t stored_checksum = buf_get_u32(buffer + 7 * 4, 0, 32);
693 if (checksum != stored_checksum) {
694 LOG_WARNING("Image vector table checksum mismatch: expected 0x%08"
695 PRIx32 " but found 0x%08" PRIx32,
696 checksum, stored_checksum);
697 if (!qn908x_info->calc_checksum)
698 LOG_WARNING("This device will not boot, use calc_checksum in "
699 "the flash bank.");
700 else
701 LOG_WARNING("Updating checksum, verification will fail.");
702 }
703 }
704
705 /* Check the Code Read Protection (CRP) word for invalid values or not
706 * allowed ones. */
707 if (offset <= 0x20 && offset + count >= 0x24) {
708 uint32_t crp = buf_get_u32(buffer + 0x20 - offset, 0, 32);
709 /* 2-bit fields at bits 10, 12, 14, 16 and 18 must not be 00 or 11. */
710 for (int i = 10; i <= 18; i += 2) {
711 uint32_t field = (crp >> i) & 3;
712 if (field == 0 || field == 3) {
713 LOG_DEBUG("Code Read Protection = 0x%08" PRIx32, crp);
714 LOG_ERROR("The Code Read Protection (CRP) field at bit %d is "
715 "invalid (%" PRIu32 "). An invalid value could make "
716 "the flash inaccessible.", i, field);
717 return ERROR_FAIL;
718 }
719 }
720
721 uint32_t swd_allowed = (crp >> 18) & 3;
722 if (swd_allowed != 2) {
723 LOG_WARNING("The Code Read Protection (CRP) in this image "
724 "(0x%08" PRIx32 ") is disabling the SWD access, which is "
725 "currently used by OpenOCD to flash this device. After "
726 "reboot, this device will not be accessible to OpenOCD "
727 "anymore.", crp);
728 if (!qn908x_info->allow_swd_disabled) {
729 LOG_ERROR("Disabling SWD is not allowed, run "
730 "\"qn908x allow_brick\" before if you really want to "
731 "disable SWD. You won't be able to access this chip "
732 "anymore from OpenOCD.");
733 return ERROR_FAIL;
734 }
735 }
736 }
737
738 retval = qn908x_wait_for_idle(bank->target, QN908X_DEFAULT_TIMEOUT_MS);
739 if (retval != ERROR_OK)
740 return retval;
741
742 uint32_t smart_ctrl = QN908X_FMC_SMART_CTRL_SMART_WRITEL_EN_MASK
743 | QN908X_FMC_SMART_CTRL_PRGML_EN_MASK
744 | QN908X_FMC_SMART_CTRL_MAX_WRITE(QN908X_FMC_SMART_CTRL_MAX_WRITE_RETRIES);
745 if (qn908x_info->num_blocks > 1) {
746 smart_ctrl |= QN908X_FMC_SMART_CTRL_SMART_WRITEH_EN_MASK
747 | QN908X_FMC_SMART_CTRL_PRGMH_EN_MASK;
748 }
749 retval = target_write_u32(bank->target, QN908X_FMC_SMART_CTRL, smart_ctrl);
750 if (retval != ERROR_OK)
751 return retval;
752
753 /* Write data page-wise, as suggested in the examples in section
754 * 28.5.2 "Flash write" of user manual UM11023 in revision 1.1
755 * (February 2018). */
756 while (count > 0) {
757 uint32_t next_offset = (offset & ~(QN908X_FLASH_PAGE_SIZE - 1)) + QN908X_FLASH_PAGE_SIZE;
758 uint32_t chunk_len = next_offset - offset;
759 if (chunk_len > count)
760 chunk_len = count;
761
762 if (offset == 0
763 && chunk_len >= QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END
764 && qn908x_info->calc_checksum) {
765 /* write data prior to checksum */
766 retval = target_write_buffer(bank->target, bank->base,
767 QN908X_FLASH_IRQ_VECTOR_CHECKSUM_POS, buffer);
768 if (retval != ERROR_OK)
769 return retval;
770
771 /* write computed crc checksum instead of provided data */
772 retval = target_write_u32(bank->target, bank->base + QN908X_FLASH_IRQ_VECTOR_CHECKSUM_POS, checksum);
773 if (retval != ERROR_OK)
774 return retval;
775
776 retval = target_write_buffer(bank->target,
777 bank->base + QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END,
778 chunk_len - QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END,
779 buffer + QN908X_FLASH_IRQ_VECTOR_CHECKSUM_END);
780 } else {
781 retval = target_write_buffer(bank->target, bank->base + offset,
782 chunk_len, buffer);
783 }
784
785 if (retval != ERROR_OK)
786 return retval;
787
788 keep_alive();
789 buffer += chunk_len;
790 count -= chunk_len;
791 offset = next_offset;
792
793 /* Wait for FMC to complete write */
794 retval = qn908x_wait_for_idle(bank->target, QN908X_DEFAULT_TIMEOUT_MS);
795 if (retval != ERROR_OK)
796 return retval;
797
798 /* Check if FMC reported any errors */
799 retval = qn908x_status_check(bank->target);
800 if (retval != ERROR_OK)
801 return retval;
802 }
803
804 return retval;
805 }
806
807 static int is_flash_protected(struct flash_bank *bank, bool *is_protected)
808 {
809 int retval;
810 uint32_t lock_stat;
811 retval = target_read_u32(bank->target, QN908X_FMC_LOCK_STAT_8, &lock_stat);
812 if (retval)
813 return retval;
814
815 *is_protected = false;
816 if (lock_stat & QN908X_FMC_LOCK_STAT_8_PROTECT_ANY)
817 *is_protected = true;
818
819 return ERROR_OK;
820 }
821
822 static int qn908x_probe(struct flash_bank *bank)
823 {
824 int retval;
825 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
826 uint8_t info_page[QN908X_INFO_PAGE_CRC_END - QN908X_INFO_PAGE_CRC_START];
827 qn908x_info->num_blocks = 0;
828
829 /* When the SWD access to the RAM is locked by the LOCK_STAT_8 register we
830 * can't access the info page to verify the chip/bank version and it will
831 * read all zeros. This situation prevents the bank from being initialized
832 * at all so no other operation can be performed. The only option to
833 * re-flash the chip is to perform a mass_erase from SWD, which can be
834 * performed even if the mass_erase operation is locked as well.
835 * We attempt to read the info page and redirect the user to perform a
836 * mass_erase if we detect this situation. */
837 retval = target_read_memory(bank->target, QN908X_INFO_PAGE_CRC_START,
838 sizeof(uint32_t), sizeof(info_page) / sizeof(uint32_t),
839 info_page);
840 if (retval != ERROR_OK)
841 return retval;
842
843 const uint32_t crc_seed = 0xffffffff;
844 /* The QN908x uses the standard little endian CRC32 polynomial and all ones
845 * as seed. The CRC32 is however finalized by one last xor operation that
846 * is not part of the common CRC32 implementation, so we do that by hand */
847 uint32_t computed_crc = crc32_le(CRC32_POLY_LE, crc_seed,
848 info_page, sizeof(info_page));
849 computed_crc ^= crc_seed;
850 uint32_t read_crc;
851 retval = target_read_u32(bank->target, QN908X_INFO_PAGE_CRC32, &read_crc);
852 if (retval != ERROR_OK)
853 return retval;
854
855 if (computed_crc != read_crc) {
856 uint32_t info_page_or = 0;
857 for (unsigned int i = 0; i < sizeof(info_page); i++)
858 info_page_or |= info_page[i];
859 bool is_protected;
860 retval = is_flash_protected(bank, &is_protected);
861 if (retval != ERROR_OK)
862 return retval;
863
864 if (info_page_or == 0 && is_protected) {
865 LOG_ERROR("The flash or memory in this chip is protected and "
866 "cannot be accessed from the SWD interface. However, a "
867 "\"qn908x mass_erase\" can erase the device and lift this "
868 "protection.");
869 return ERROR_FAIL;
870 }
871
872 LOG_ERROR("Flash information page CRC32 mismatch, found 0x%08"
873 PRIx32 " but computed 0x%08" PRIx32 ". Flash size unknown",
874 read_crc, computed_crc);
875 return ERROR_FAIL;
876 }
877
878 uint32_t flash_size_fld = target_buffer_get_u32(bank->target,
879 info_page + (QN908X_INFO_PAGE_FLASH_SIZE - QN908X_INFO_PAGE_CRC_START));
880
881 switch (flash_size_fld) {
882 case QN908X_FLASH_SIZE_512K:
883 qn908x_info->num_blocks = 2;
884 break;
885 case QN908X_FLASH_SIZE_256K:
886 qn908x_info->num_blocks = 1;
887 break;
888 default:
889 LOG_ERROR("Unknown Flash size field: 0x%08" PRIx32,
890 flash_size_fld);
891 return ERROR_FAIL;
892 }
893
894 bank->size = qn908x_info->num_blocks * QN908X_FLASH_BLOCK_SIZE;
895 bank->write_start_alignment = 4;
896 bank->write_end_alignment = 4;
897
898 /* The flash supports erasing and protecting individual pages. */
899 bank->num_sectors = qn908x_info->num_blocks *
900 QN908X_FLASH_PAGES_PER_BLOCK;
901 bank->sectors = alloc_block_array(0, QN908X_FLASH_PAGE_SIZE,
902 bank->num_sectors);
903 if (!bank->sectors)
904 return ERROR_FAIL;
905
906 retval = qn908x_init_flash(bank->target);
907 if (retval != ERROR_OK)
908 return retval;
909
910 LOG_INFO("Detected flash size: %d KiB", bank->size / 1024);
911
912 return ERROR_OK;
913 }
914
915 static int qn908x_auto_probe(struct flash_bank *bank)
916 {
917 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
918 if (qn908x_info->num_blocks != 0)
919 return ERROR_OK;
920 LOG_DEBUG("auto_probe");
921 return qn908x_probe(bank);
922 }
923
924 static int qn908x_protect_check(struct flash_bank *bank)
925 {
926 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
927
928 int retval = qn908x_read_page_lock(bank);
929 if (retval != ERROR_OK)
930 return retval;
931
932 for (uint32_t i = 0;
933 i < qn908x_info->num_blocks * QN908X_FLASH_PAGES_PER_BLOCK;
934 i++) {
935 /* A bit 0 in page_lock means page is locked. */
936 bank->sectors[i].is_protected =
937 ((qn908x_info->page_lock.bits[i / 8] >> (i % 8)) & 1) ^ 1;
938 }
939 return ERROR_OK;
940 }
941
942 static int qn908x_get_info(struct flash_bank *bank,
943 struct command_invocation *cmd)
944 {
945 uint32_t bootloader_version;
946 uint32_t chip_id;
947 uint8_t bluetooth[6];
948 int retval;
949 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
950
951 retval = target_read_u32(bank->target, QN908X_SYSCON_CHIP_ID, &chip_id);
952 if (retval != ERROR_OK) {
953 command_print_sameline(cmd, "Cannot read QN908x chip ID.");
954 return retval;
955 }
956 retval = target_read_u32(bank->target, QN908X_INFO_PAGE_BOOTLOADER_VER,
957 &bootloader_version);
958 if (retval != ERROR_OK) {
959 command_print_sameline(cmd, "Cannot read from QN908x info page.");
960 return retval;
961 }
962
963 retval = target_read_memory(bank->target, QN908X_INFO_PAGE_BLUETOOTH_ADDR,
964 1, sizeof(bluetooth), bluetooth);
965 if (retval != ERROR_OK) {
966 command_print_sameline(cmd, "Cannot read QN908x bluetooth L2 address.");
967 return retval;
968 }
969
970 command_print_sameline(cmd, "qn908x: chip id: 0x%" PRIx32, chip_id);
971
972 command_print_sameline(cmd, " bdaddr: "
973 "%02" PRIx8 ":%02" PRIx8 ":%02" PRIx8
974 ":%02" PRIx8 ":%02" PRIx8 ":%02" PRIx8,
975 bluetooth[0], bluetooth[1], bluetooth[2],
976 bluetooth[3], bluetooth[4], bluetooth[5]);
977
978 command_print_sameline(cmd, " bootloader: %08" PRIx32, bootloader_version);
979
980 command_print_sameline(cmd, " blocks: %" PRIu32, qn908x_info->num_blocks);
981
982 return ERROR_OK;
983 }
984
985 COMMAND_HANDLER(qn908x_handle_allow_brick_command)
986 {
987 int retval;
988
989 struct target *target = get_current_target(CMD_CTX);
990 struct flash_bank *bank = NULL;
991
992 if (CMD_ARGC != 0)
993 return ERROR_COMMAND_SYNTAX_ERROR;
994
995 retval = get_flash_bank_by_addr(target, QN908X_FLASH_BASE, true, &bank);
996 if (retval != ERROR_OK)
997 return retval;
998
999 /* If get_flash_bank_by_addr() did not find the flash bank, it should have
1000 * returned and error code instead of ERROR_OK */
1001 assert(bank);
1002 struct qn908x_flash_bank *qn908x_info = bank->driver_priv;
1003
1004 LOG_WARNING("Flashing images that disable SWD in qn908x is now allowed.");
1005 qn908x_info->allow_swd_disabled = true;
1006
1007 return ERROR_OK;
1008 }
1009
1010 COMMAND_HANDLER(qn908x_handle_disable_wdog_command)
1011 {
1012 int retval;
1013 struct target *target = get_current_target(CMD_CTX);
1014
1015 if (CMD_ARGC != 0)
1016 return ERROR_COMMAND_SYNTAX_ERROR;
1017
1018 if (target->state != TARGET_HALTED) {
1019 command_print(CMD, "Target not halted");
1020 return ERROR_TARGET_NOT_HALTED;
1021 }
1022
1023 /* To change any value in the watchdog block (WDT) we need to first write
1024 * 0x1ACCE551 to the LOCK register, and we can then set it back to any other
1025 * value to prevent accidental changes to the watchdog. */
1026 retval = target_write_u32(target, QN908X_WDT_LOCK, 0x1ACCE551);
1027 if (retval != ERROR_OK)
1028 return retval;
1029
1030 retval = target_write_u32(target, QN908X_WDT_CTRL, 0);
1031 if (retval != ERROR_OK)
1032 return retval;
1033
1034 return target_write_u32(target, QN908X_WDT_LOCK, 0);
1035 }
1036
1037 COMMAND_HANDLER(qn908x_handle_mass_erase_command)
1038 {
1039 int retval;
1040 bool keep_lock = false;
1041 if (CMD_ARGC > 1)
1042 return ERROR_COMMAND_SYNTAX_ERROR;
1043 if (CMD_ARGC == 1) {
1044 if (strcmp("keep_lock", CMD_ARGV[0]))
1045 return ERROR_COMMAND_ARGUMENT_INVALID;
1046 keep_lock = true;
1047 }
1048
1049 /* This operation can be performed without probing the bank since it is the
1050 * only way to unlock a chip when the flash and ram have been locked. */
1051 struct target *target = get_current_target(CMD_CTX);
1052
1053 retval = qn908x_setup_erase(target);
1054 if (retval != ERROR_OK)
1055 return retval;
1056
1057 /* Check the mass-erase locking status for information purposes only. This
1058 * lock applies to both the SWD and the code running in the core but can be
1059 * bypassed in either case. */
1060 uint32_t lock_stat_8;
1061 retval = target_read_u32(target, QN908X_FMC_LOCK_STAT_8, &lock_stat_8);
1062 LOG_DEBUG("LOCK_STAT_8 before erasing: 0x%" PRIx32, lock_stat_8);
1063 if (retval != ERROR_OK)
1064 return retval;
1065 if ((lock_stat_8 & QN908X_FMC_LOCK_STAT_8_MASS_ERASE_LOCK_EN) == 0) {
1066 LOG_INFO("mass_erase disabled by Flash lock and protection, forcing "
1067 "mass_erase.");
1068 }
1069 /* Set the DEBUG_PASSWORD so we can force the mass erase from the SWD. We do
1070 * this regardless of the lock status. */
1071 retval = target_write_u32(target, QN908X_FMC_DEBUG_PASSWORD, 0xCA1E093F);
1072 if (retval != ERROR_OK)
1073 return retval;
1074
1075 /* Erase both halves of the flash at the same time. These are actually done
1076 * sequentially but we need to send the command to erase both blocks since
1077 * doing so in a locked flash will change the LOCK_STAT_8 register to 0x01,
1078 * allowing us to access the (now erase) flash an memory. Erasing only one
1079 * block at a time does not reset the LOCK_STAT_8 register and therefore
1080 * will not grant access to program the chip. */
1081 uint32_t erase_cmd = (1u << QN908X_FMC_ERASE_CTRL_HALF_ERASEH_EN_SHIFT) |
1082 (1u << QN908X_FMC_ERASE_CTRL_HALF_ERASEL_EN_SHIFT);
1083 LOG_DEBUG("Erasing both blocks with command 0x%" PRIx32, erase_cmd);
1084
1085 retval = target_write_u32(target, QN908X_FMC_ERASE_CTRL, erase_cmd);
1086 if (retval != ERROR_OK)
1087 return retval;
1088
1089 retval = qn908x_wait_for_idle(target, QN908X_DEFAULT_TIMEOUT_MS);
1090 if (retval != ERROR_OK)
1091 return retval;
1092
1093 retval = qn908x_status_check(target);
1094 if (retval != ERROR_OK)
1095 return retval;
1096
1097 /* Set the debug password back to 0 to avoid accidental mass_erase. */
1098 retval = target_write_u32(target, QN908X_FMC_DEBUG_PASSWORD, 0);
1099 if (retval != ERROR_OK)
1100 return retval;
1101
1102 /* At this point the flash is erased and we are able to write to the flash
1103 * since the LOCK_STAT_8 gets updated to 0x01 after the mass_erase. However,
1104 * after a hard reboot this value will be realoaded from flash which after
1105 * an erase is 0xff. This means that after flashing an image that doesn't
1106 * set the protection bits we end up with a chip that we can't debug. We
1107 * update this value to 0x01 unless "keep_lock" is passed to allow the SWD
1108 * interface to debug the flash and RAM after a hard reset. */
1109 if (keep_lock)
1110 return retval;
1111
1112 retval = qn908x_init_flash(target);
1113 if (retval != ERROR_OK)
1114 return retval;
1115
1116 /* Unlock access to RAM and FLASH in the last page of the flash and
1117 * reloading */
1118 retval = qn908x_wait_for_idle(target, QN908X_DEFAULT_TIMEOUT_MS);
1119 if (retval != ERROR_OK)
1120 return retval;
1121
1122 uint32_t smart_ctrl = QN908X_FMC_SMART_CTRL_SMART_WRITEH_EN_MASK |
1123 QN908X_FMC_SMART_CTRL_PRGMH_EN_MASK;
1124 retval = target_write_u32(target, QN908X_FMC_SMART_CTRL, smart_ctrl);
1125 if (retval != ERROR_OK)
1126 return retval;
1127
1128 retval = target_write_u32(target, QN908X_FLASH_LOCK_ADDR,
1129 QN908X_FLASH_LOCK_ENABLE_MASS_ERASE);
1130 if (retval != ERROR_OK)
1131 return retval;
1132
1133 retval = qn908x_wait_for_idle(target, QN908X_DEFAULT_TIMEOUT_MS);
1134 if (retval != ERROR_OK)
1135 return retval;
1136
1137 /* Force a page_lock reload after the mass_erase . */
1138 retval = qn908x_load_lock_stat(target);
1139 if (retval != ERROR_OK)
1140 return retval;
1141
1142 return retval;
1143 }
1144
1145 static const struct command_registration qn908x_exec_command_handlers[] = {
1146 {
1147 .name = "allow_brick",
1148 .handler = qn908x_handle_allow_brick_command,
1149 .mode = COMMAND_EXEC,
1150 .help = "Allow writing images that disable SWD access in their "
1151 "Code Read Protection (CRP) word. Warning: This can make your "
1152 "chip inaccessible from OpenOCD or any other SWD debugger.",
1153 .usage = "",
1154 },
1155 {
1156 .name = "disable_wdog",
1157 .handler = qn908x_handle_disable_wdog_command,
1158 .mode = COMMAND_EXEC,
1159 .help = "Disabled the watchdog (WDT).",
1160 .usage = "",
1161 },
1162 {
1163 .name = "mass_erase",
1164 .handler = qn908x_handle_mass_erase_command,
1165 .mode = COMMAND_EXEC,
1166 .help = "Erase the whole flash chip.",
1167 .usage = "[keep_lock]",
1168 },
1169 COMMAND_REGISTRATION_DONE
1170 };
1171
1172 static const struct command_registration qn908x_command_handlers[] = {
1173 {
1174 .name = "qn908x",
1175 .mode = COMMAND_ANY,
1176 .help = "qn908x flash controller commands",
1177 .usage = "",
1178 .chain = qn908x_exec_command_handlers,
1179 },
1180 COMMAND_REGISTRATION_DONE
1181 };
1182
1183 const struct flash_driver qn908x_flash = {
1184 .name = "qn908x",
1185 .commands = qn908x_command_handlers,
1186 .flash_bank_command = qn908x_flash_bank_command,
1187 .info = qn908x_get_info,
1188 .erase = qn908x_erase,
1189 .protect = qn908x_protect,
1190 .write = qn908x_write,
1191 .read = default_flash_read,
1192 .probe = qn908x_probe,
1193 .auto_probe = qn908x_auto_probe,
1194 .erase_check = default_flash_blank_check,
1195 .protect_check = qn908x_protect_check,
1196 .free_driver_priv = default_flash_free_driver_priv,
1197 };
Official OpenOCD Mirror