1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
|
/*
* Copyright © 2001 Stephen Williams (steve@icarus.com)
* Copyright © 2001-2002 David Brownell (dbrownell@users.sourceforge.net)
* Copyright © 2008 Roger Williams (rawqux@users.sourceforge.net)
* Copyright © 2012 Pete Batard (pete@akeo.ie)
*
* This source code is free software; you can redistribute it
* and/or modify it in source code form under the terms of the GNU
* General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "libusb.h"
#include "ezusb.h"
extern void logerror(const char *format, ...)
__attribute__ ((format(printf, 1, 2)));
/*
* This file contains functions for uploading firmware into Cypress
* EZ-USB microcontrollers. These chips use control endpoint 0 and vendor
* specific commands to support writing into the on-chip SRAM. They also
* support writing into the CPUCS register, which is how we reset the
* processor after loading firmware (including the reset vector).
*
* These Cypress devices are 8-bit 8051 based microcontrollers with
* special support for USB I/O. They come in several packages, and
* some can be set up with external memory when device costs allow.
* Note that the design was originally by AnchorChips, so you may find
* references to that vendor (which was later merged into Cypress).
* The Cypress FX parts are largely compatible with the Anchorhip ones.
*/
int verbose;
/*
* return true if [addr,addr+len] includes external RAM
* for Anchorchips EZ-USB or Cypress EZ-USB FX
*/
static bool fx_is_external(uint32_t addr, size_t len)
{
/* with 8KB RAM, 0x0000-0x1b3f can be written
* we can't tell if it's a 4KB device here
*/
if (addr <= 0x1b3f)
return ((addr + len) > 0x1b40);
/* there may be more RAM; unclear if we can write it.
* some bulk buffers may be unused, 0x1b3f-0x1f3f
* firmware can set ISODISAB for 2KB at 0x2000-0x27ff
*/
return true;
}
/*
* return true if [addr,addr+len] includes external RAM
* for Cypress EZ-USB FX2
*/
static bool fx2_is_external(uint32_t addr, size_t len)
{
/* 1st 8KB for data/code, 0x0000-0x1fff */
if (addr <= 0x1fff)
return ((addr + len) > 0x2000);
/* and 512 for data, 0xe000-0xe1ff */
else if (addr >= 0xe000 && addr <= 0xe1ff)
return ((addr + len) > 0xe200);
/* otherwise, it's certainly external */
else
return true;
}
/*
* return true if [addr,addr+len] includes external RAM
* for Cypress EZ-USB FX2LP
*/
static bool fx2lp_is_external(uint32_t addr, size_t len)
{
/* 1st 16KB for data/code, 0x0000-0x3fff */
if (addr <= 0x3fff)
return ((addr + len) > 0x4000);
/* and 512 for data, 0xe000-0xe1ff */
else if (addr >= 0xe000 && addr <= 0xe1ff)
return ((addr + len) > 0xe200);
/* otherwise, it's certainly external */
else
return true;
}
/*****************************************************************************/
/*
* These are the requests (bRequest) that the bootstrap loader is expected
* to recognize. The codes are reserved by Cypress, and these values match
* what EZ-USB hardware, or "Vend_Ax" firmware (2nd stage loader) uses.
* Cypress' "a3load" is nice because it supports both FX and FX2, although
* it doesn't have the EEPROM support (subset of "Vend_Ax").
*/
#define RW_INTERNAL 0xA0 /* hardware implements this one */
#define RW_MEMORY 0xA3
/*
* Issues the specified vendor-specific write request.
*/
static int ezusb_write(libusb_device_handle *device, const char *label,
uint8_t opcode, uint32_t addr, const unsigned char *data, size_t len)
{
int status;
if (verbose)
logerror("%s, addr 0x%08x len %4u (0x%04x)\n", label, addr, (unsigned)len, (unsigned)len);
status = libusb_control_transfer(device,
LIBUSB_ENDPOINT_OUT | LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE,
opcode, addr & 0xFFFF, addr >> 16,
(unsigned char*)data, (uint16_t)len, 1000);
if (status != len) {
if (status < 0)
logerror("%s: %s\n", label, libusb_error_name(status));
else
logerror("%s ==> %d\n", label, status);
}
return (status < 0) ? -EIO : 0;
}
/*
* Modifies the CPUCS register to stop or reset the CPU.
* Returns false on error.
*/
static bool ezusb_cpucs(libusb_device_handle *device, uint32_t addr, bool doRun)
{
int status;
uint8_t data = doRun ? 0x00 : 0x01;
if (verbose)
logerror("%s\n", data ? "stop CPU" : "reset CPU");
status = libusb_control_transfer(device,
LIBUSB_ENDPOINT_OUT | LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE,
RW_INTERNAL, addr & 0xFFFF, addr >> 16,
&data, 1, 1000);
if ((status != 1) &&
/* We may get an I/O error from libusbx as the device disappears */
((!doRun) || (status != LIBUSB_ERROR_IO)))
{
const char *mesg = "can't modify CPUCS";
if (status < 0)
logerror("%s: %s\n", mesg, libusb_error_name(status));
else
logerror("%s\n", mesg);
return false;
} else
return true;
}
/*****************************************************************************/
/*
* Parse an Intel HEX image file and invoke the poke() function on the
* various segments to implement policies such as writing to RAM (with
* a one or two stage loader setup, depending on the firmware) or to
* EEPROM (two stages required).
*
* image - the hex image file
* context - for use by poke()
* is_external - if non-null, used to check which segments go into
* external memory (writable only by software loader)
* poke - called with each memory segment; errors indicated
* by returning negative values.
*
* Caller is responsible for halting CPU as needed, such as when
* overwriting a second stage loader.
*/
static int parse_ihex(FILE *image, void *context,
bool (*is_external)(uint32_t addr, size_t len),
int (*poke) (void *context, uint32_t addr, bool external,
const unsigned char *data, size_t len))
{
unsigned char data[1023];
uint32_t data_addr = 0;
size_t data_len = 0;
int rc;
int first_line = 1;
bool external = false;
/* Read the input file as an IHEX file, and report the memory segments
* as we go. Each line holds a max of 16 bytes, but uploading is
* faster (and EEPROM space smaller) if we merge those lines into larger
* chunks. Most hex files keep memory segments together, which makes
* such merging all but free. (But it may still be worth sorting the
* hex files to make up for undesirable behavior from tools.)
*
* Note that EEPROM segments max out at 1023 bytes; the upload protocol
* allows segments of up to 64 KBytes (more than a loader could handle).
*/
for (;;) {
char buf[512], *cp;
char tmp, type;
size_t len;
unsigned idx, off;
cp = fgets(buf, sizeof(buf), image);
if (cp == NULL) {
logerror("EOF without EOF record!\n");
break;
}
/* EXTENSION: "# comment-till-end-of-line", for copyrights etc */
if (buf[0] == '#')
continue;
if (buf[0] != ':') {
logerror("not an ihex record: %s", buf);
return -2;
}
/* ignore any newline */
cp = strchr(buf, '\n');
if (cp)
*cp = 0;
if (verbose >= 3)
logerror("** LINE: %s\n", buf);
/* Read the length field (up to 16 bytes) */
tmp = buf[3];
buf[3] = 0;
len = strtoul(buf+1, NULL, 16);
buf[3] = tmp;
/* Read the target offset (address up to 64KB) */
tmp = buf[7];
buf[7] = 0;
off = strtoul(buf+3, NULL, 16);
buf[7] = tmp;
/* Initialize data_addr */
if (first_line) {
data_addr = off;
first_line = 0;
}
/* Read the record type */
tmp = buf[9];
buf[9] = 0;
type = (char)strtoul(buf+7, NULL, 16);
buf[9] = tmp;
/* If this is an EOF record, then make it so. */
if (type == 1) {
if (verbose >= 2)
logerror("EOF on hexfile\n");
break;
}
if (type != 0) {
logerror("unsupported record type: %u\n", type);
return -3;
}
if ((len * 2) + 11 > strlen(buf)) {
logerror("record too short?\n");
return -4;
}
/* FIXME check for _physically_ contiguous not just virtually
* e.g. on FX2 0x1f00-0x2100 includes both on-chip and external
* memory so it's not really contiguous */
/* flush the saved data if it's not contiguous,
* or when we've buffered as much as we can.
*/
if (data_len != 0
&& (off != (data_addr + data_len)
/* || !merge */
|| (data_len + len) > sizeof(data))) {
if (is_external)
external = is_external(data_addr, data_len);
rc = poke(context, data_addr, external, data, data_len);
if (rc < 0)
return -1;
data_addr = off;
data_len = 0;
}
/* append to saved data, flush later */
for (idx = 0, cp = buf+9 ; idx < len ; idx += 1, cp += 2) {
tmp = cp[2];
cp[2] = 0;
data[data_len + idx] = (uint8_t)strtoul(cp, NULL, 16);
cp[2] = tmp;
}
data_len += len;
}
/* flush any data remaining */
if (data_len != 0) {
if (is_external)
external = is_external(data_addr, data_len);
rc = poke(context, data_addr, external, data, data_len);
if (rc < 0)
return -1;
}
return 0;
}
/*
* Parse a binary image file and write it as is to the target.
* Applies to Cypress BIX images for RAM or Cypress IIC images
* for EEPROM.
*
* image - the BIX image file
* context - for use by poke()
* is_external - if non-null, used to check which segments go into
* external memory (writable only by software loader)
* poke - called with each memory segment; errors indicated
* by returning negative values.
*
* Caller is responsible for halting CPU as needed, such as when
* overwriting a second stage loader.
*/
static int parse_bin(FILE *image, void *context,
bool (*is_external)(uint32_t addr, size_t len), int (*poke)(void *context,
uint32_t addr, bool external, const unsigned char *data, size_t len))
{
unsigned char data[4096];
uint32_t data_addr = 0;
size_t data_len = 0;
int rc;
bool external = false;
for (;;) {
data_len = fread(data, 1, 4096, image);
if (data_len == 0)
break;
if (is_external)
external = is_external(data_addr, data_len);
rc = poke(context, data_addr, external, data, data_len);
if (rc < 0)
return -1;
data_addr += (uint32_t)data_len;
}
return feof(image)?0:-1;
}
/*
* Parse a Cypress IIC image file and invoke the poke() function on the
* various segments for writing to RAM
*
* image - the IIC image file
* context - for use by poke()
* is_external - if non-null, used to check which segments go into
* external memory (writable only by software loader)
* poke - called with each memory segment; errors indicated
* by returning negative values.
*
* Caller is responsible for halting CPU as needed, such as when
* overwriting a second stage loader.
*/
static int parse_iic(FILE *image, void *context,
bool (*is_external)(uint32_t addr, size_t len),
int (*poke)(void *context, uint32_t addr, bool external, const unsigned char *data, size_t len))
{
unsigned char data[4096];
uint32_t data_addr = 0;
size_t data_len = 0, read_len;
uint8_t block_header[4];
int rc;
bool external = false;
long file_size, initial_pos = ftell(image);
fseek(image, 0L, SEEK_END);
file_size = ftell(image);
fseek(image, initial_pos, SEEK_SET);
for (;;) {
/* Ignore the trailing reset IIC data (5 bytes) */
if (ftell(image) >= (file_size - 5))
break;
if (fread(&block_header, 1, sizeof(block_header), image) != 4) {
logerror("unable to read IIC block header\n");
return -1;
}
data_len = (block_header[0] << 8) + block_header[1];
data_addr = (block_header[2] << 8) + block_header[3];
if (data_len > sizeof(data)) {
/* If this is ever reported as an error, switch to using malloc/realloc */
logerror("IIC data block too small - please report this error to libusbx.org\n");
return -1;
}
read_len = fread(data, 1, data_len, image);
if (read_len != data_len) {
logerror("read error\n");
return -1;
}
if (is_external)
external = is_external(data_addr, data_len);
rc = poke(context, data_addr, external, data, data_len);
if (rc < 0)
return -1;
}
return 0;
}
/* the parse call will be selected according to the image type */
int (*parse[IMG_TYPE_MAX])(FILE *image, void *context, bool (*is_external)(uint32_t addr, size_t len),
int (*poke)(void *context, uint32_t addr, bool external, const unsigned char *data, size_t len))
= { parse_ihex, parse_iic, parse_bin };
/*****************************************************************************/
/*
* For writing to RAM using a first (hardware) or second (software)
* stage loader and 0xA0 or 0xA3 vendor requests
*/
typedef enum {
_undef = 0,
internal_only, /* hardware first-stage loader */
skip_internal, /* first phase, second-stage loader */
skip_external /* second phase, second-stage loader */
} ram_mode;
struct ram_poke_context {
libusb_device_handle *device;
ram_mode mode;
size_t total, count;
};
#define RETRY_LIMIT 5
static int ram_poke(void *context, uint32_t addr, bool external,
const unsigned char *data, size_t len)
{
struct ram_poke_context *ctx = (struct ram_poke_context*)context;
int rc;
unsigned retry = 0;
switch (ctx->mode) {
case internal_only: /* CPU should be stopped */
if (external) {
logerror("can't write %u bytes external memory at 0x%08x\n",
(unsigned)len, addr);
return -EINVAL;
}
break;
case skip_internal: /* CPU must be running */
if (!external) {
if (verbose >= 2) {
logerror("SKIP on-chip RAM, %u bytes at 0x%08x\n",
(unsigned)len, addr);
}
return 0;
}
break;
case skip_external: /* CPU should be stopped */
if (external) {
if (verbose >= 2) {
logerror("SKIP external RAM, %u bytes at 0x%08x\n",
(unsigned)len, addr);
}
return 0;
}
break;
case _undef:
default:
logerror("bug\n");
return -EDOM;
}
ctx->total += len;
ctx->count++;
/* Retry this till we get a real error. Control messages are not
* NAKed (just dropped) so time out means is a real problem.
*/
while ((rc = ezusb_write(ctx->device,
external ? "write external" : "write on-chip",
external ? RW_MEMORY : RW_INTERNAL,
addr, data, len)) < 0
&& retry < RETRY_LIMIT) {
if (rc != LIBUSB_ERROR_TIMEOUT)
break;
retry += 1;
}
return rc;
}
/*
* Load a firmware file into target RAM. device is the open libusbx
* device, and the path is the name of the source file. Open the file,
* parse the bytes, and write them in one or two phases.
*
* If stage == 0, this uses the first stage loader, built into EZ-USB
* hardware but limited to writing on-chip memory or CPUCS. Everything
* is written during one stage, unless there's an error such as the image
* holding data that needs to be written to external memory.
*
* Otherwise, things are written in two stages. First the external
* memory is written, expecting a second stage loader to have already
* been loaded. Then file is re-parsed and on-chip memory is written.
*/
int ezusb_load_ram(libusb_device_handle *device, const char *path, int fx_type, int img_type, int stage)
{
FILE *image;
uint32_t cpucs_addr;
bool (*is_external)(uint32_t off, size_t len);
struct ram_poke_context ctx;
int status;
uint8_t iic_header[8] = { 0 };
image = fopen(path, "rb");
if (image == NULL) {
logerror("%s: unable to open for input.\n", path);
return -2;
} else if (verbose)
logerror("open firmware image %s for RAM upload\n", path);
if (img_type == IMG_TYPE_IIC) {
if ( (fread(iic_header, 1, sizeof(iic_header), image) != sizeof(iic_header))
|| (((fx_type == FX_TYPE_FX2LP) || (fx_type == FX_TYPE_FX2)) && (iic_header[0] != 0xC2))
|| ((fx_type == FX_TYPE_AN21) && (iic_header[0] != 0xB2))
|| ((fx_type == FX_TYPE_FX1) && (iic_header[0] != 0xB6)) ) {
logerror("IIC image does not contain executable code - cannot load to RAM.\n");
return -1;
}
}
/* EZ-USB original/FX and FX2 devices differ, apart from the 8051 core */
switch(fx_type) {
case FX_TYPE_FX2LP:
cpucs_addr = 0xe600;
is_external = fx2lp_is_external;
break;
case FX_TYPE_FX2:
cpucs_addr = 0xe600;
is_external = fx2_is_external;
break;
default:
cpucs_addr = 0x7f92;
is_external = fx_is_external;
break;
}
/* use only first stage loader? */
if (stage == 0) {
ctx.mode = internal_only;
/* if required, halt the CPU while we overwrite its code/data */
if (cpucs_addr && !ezusb_cpucs(device, cpucs_addr, false))
return -1;
/* 2nd stage, first part? loader was already uploaded */
} else {
ctx.mode = skip_internal;
/* let CPU run; overwrite the 2nd stage loader later */
if (verbose)
logerror("2nd stage: write external memory\n");
}
/* scan the image, first (maybe only) time */
ctx.device = device;
ctx.total = ctx.count = 0;
status = parse[img_type](image, &ctx, is_external, ram_poke);
if (status < 0) {
logerror("unable to upload %s\n", path);
return status;
}
/* second part of 2nd stage: rescan */
// TODO: what should we do for non HEX images there?
if (stage) {
ctx.mode = skip_external;
/* if needed, halt the CPU while we overwrite the 1st stage loader */
if (cpucs_addr && !ezusb_cpucs(device, cpucs_addr, false))
return -1;
/* at least write the interrupt vectors (at 0x0000) for reset! */
rewind(image);
if (verbose)
logerror("2nd stage: write on-chip memory\n");
status = parse_ihex(image, &ctx, is_external, ram_poke);
if (status < 0) {
logerror("unable to completely upload %s\n", path);
return status;
}
}
if (verbose)
logerror("... WROTE: %d bytes, %d segments, avg %d\n",
(int)ctx.total, (int)ctx.count, (int)(ctx.total/ctx.count));
/* if required, reset the CPU so it runs what we just uploaded */
if (cpucs_addr && !ezusb_cpucs(device, cpucs_addr, true))
return -1;
return 0;
}
|