Most CPUs have specialized JTAG operations to support debugging. OpenOCD packages most such operations in its standard command framework. Some of those operations don't fit well in that framework, so they are exposed here as architecture or implementation (core) specific commands.
CPUs based on ARM cores may include standard tracing interfaces, based on an “Embedded Trace Module” (ETM) which sends voluminous address and data bus trace records to a “Trace Port”.
ETM support in OpenOCD doesn't seem to be widely used yet.
Issues: ETM support may be buggy, and at least some etm config parameters should be detected by asking the ETM for them.
ETM trigger events could also implement a kind of complex hardware breakpoint, much more powerful than the simple watchpoint hardware exported by EmbeddedICE modules. Such breakpoints can be triggered even when using the dummy trace port driver.
It seems like a GDB hookup should be possible, as well as tracing only during specific states (perhaps handling IRQ 23 or calls foo()).
There should be GUI tools to manipulate saved trace data and help analyse it in conjunction with the source code. It's unclear how much of a common interface is shared with the current XScale trace support, or should be shared with eventual Nexus-style trace module support.
At this writing (November 2009) only ARM7, ARM9, and ARM11 support for ETM modules is available. The code should be able to work with some newer cores; but not all of them support this original style of JTAG access.
ETM setup is coupled with the trace port driver configuration.
Declares the ETM associated with target, and associates it with a given trace port driver. See Trace Port Drivers.
Several of the parameters must reflect the trace port capabilities, which are a function of silicon capabilties (exposed later using etm info) and of what hardware is connected to that port (such as an external pod, or ETB). The width must be either 4, 8, or 16, except with ETMv3.0 and newer modules which may also support 1, 2, 24, 32, 48, and 64 bit widths. (With those versions, etm info also shows whether the selected port width and mode are supported.)
The mode must be normal, multiplexed, or demultiplexed. The clocking must be half or full.Warning: With ETMv3.0 and newer, the bits set with the mode and clocking parameters both control the mode. This modified mode does not map to the values supported by previous ETM modules, so this syntax is subject to change.Note: You can see the ETM registers using the reg command. Not all possible registers are present in every ETM. Most of the registers are write-only, and are used to configure what CPU activities are traced.
Displays information about the current target's ETM. This includes resource counts from the
ETM_CONFIGregister, as well as silicon capabilities (except on rather old modules). from the
Displays status of the current target's ETM and trace port driver: is the ETM idle, or is it collecting data? Did trace data overflow? Was it triggered?
Displays what data that ETM will collect. If arguments are provided, first configures that data. When the configuration changes, tracing is stopped and any buffered trace data is invalidated.
- type ... describing how data accesses are traced, when they pass any ViewData filtering that that was set up. The value is one of none (save nothing), data (save data), address (save addresses), all (save data and addresses)
- context_id_bits ... 0, 8, 16, or 32
- cycle_accurate ... enable or disable cycle-accurate instruction tracing. Before ETMv3, enabling this causes much extra data to be recorded.
- branch_output ... enable or disable. Disable this unless you need to try reconstructing the instruction trace stream without an image of the code.
Displays whether ETM triggering debug entry (like a breakpoint) is enabled or disabled, after optionally modifying that configuration. The default behaviour is disable. Any change takes effect after the next etm start.
By using script commands to configure ETM registers, you can make the processor enter debug state automatically when certain conditions, more complex than supported by the breakpoint hardware, happen.
After setting up the ETM, you can use it to collect data. That data can be exported to files for later analysis. It can also be parsed with OpenOCD, for basic sanity checking.
To configure what is being traced, you will need to write various trace registers using reg ETM_* commands. For the definitions of these registers, read ARM publication IHI 0014, “Embedded Trace Macrocell, Architecture Specification”. Be aware that most of the relevant registers are write-only, and that ETM resources are limited. There are only a handful of address comparators, data comparators, counters, and so on.
Examples of scenarios you might arrange to trace include:
At this writing, September 2009, there are no Tcl utility procedures to help set up any common tracing scenarios.
Reads trace data into memory, if it wasn't already present. Decodes and prints the data that was collected.
To use an ETM trace port it must be associated with a driver.
Use the dummy driver if you are configuring an ETM that's not connected to anything (on-chip ETB or off-chip trace connector). This driver lets OpenOCD talk to the ETM, but it does not expose any trace data collection.
Use the etb driver if you are configuring an ETM to use on-chip ETB memory.— Config Command: etb config target etb_tap
Associates the ETM for target with the ETB at etb_tap. You can see the ETB registers using the reg command.— Command: etb trigger_percent [percent]
This displays, or optionally changes, ETB behavior after the ETM's configured trigger event fires. It controls how much more trace data is saved after the (single) trace trigger becomes active.
- The default corresponds to trace around usage, recording 50 percent data before the event and the rest afterwards.
- The minimum value of percent is 2 percent, recording almost exclusively data before the trigger. Such extreme trace before usage can help figure out what caused that event to happen.
- The maximum value of percent is 100 percent, recording data almost exclusively after the event. This extreme trace after usage might help sort out how the event caused trouble.
This driver isn't available unless OpenOCD was explicitly configured with the --enable-oocd_trace option. You probably don't want to configure it unless you've built the appropriate prototype hardware; it's proof-of-concept software.
Use the oocd_trace driver if you are configuring an ETM that's connected to an off-chip trace connector.— Config Command: oocd_trace config target tty
Associates the ETM for target with a trace driver which collects data through the serial port tty.
These commands should be available on all ARM processors. They are available in addition to other core-specific commands that may be available.
Displays the core_state, optionally changing it to process either arm or thumb instructions. The target may later be resumed in the currently set core_state. (Processors may also support the Jazelle state, but that is not currently supported in OpenOCD.)
Disassembles count instructions starting at address. If count is not specified, a single instruction is disassembled. If thumb is specified, or the low bit of the address is set, Thumb2 (mixed 16/32-bit) instructions are used; else ARM (32-bit) instructions are used. (Processors may also support the Jazelle state, but those instructions are not currently understood by OpenOCD.)
Note that all Thumb instructions are Thumb2 instructions, so older processors (without Thumb2 support) will still see correct disassembly of Thumb code. Also, ThumbEE opcodes are the same as Thumb2, with a handful of exceptions. ThumbEE disassembly currently has no explicit support.
Write value to a coprocessor pX register passing parameters CRn, CRm, opcodes opc1 and opc2, and using the MCR instruction. (Parameter sequence matches the ARM instruction, but omits an ARM register.)
Read a coprocessor pX register passing parameters CRn, CRm, opcodes opc1 and opc2, and the MRC instruction. Returns the result so it can be manipulated by Jim scripts. (Parameter sequence matches the ARM instruction, but omits an ARM register.)
Display a table of all banked core registers, fetching the current value from every core mode if necessary.
Semihosting allows for code executing on an ARM target to use the I/O facilities on the host computer i.e. the system where OpenOCD is running. The target application must be linked against a library implementing the ARM semihosting convention that forwards operation requests by using a special SVC instruction that is trapped at the Supervisor Call vector by OpenOCD.
The ARMv4 and ARMv5 architectures are widely used in embedded systems, and introduced core parts of the instruction set in use today. That includes the Thumb instruction set, introduced in the ARMv4T variant.
These commands are specific to ARM7 and ARM9 cores, like ARM7TDMI, ARM720T, ARM9TDMI, ARM920T or ARM926EJ-S. They are available in addition to the ARM commands, and any other core-specific commands that may be available.
Displays the value of the flag controlling use of the the EmbeddedIce DBGRQ signal to force entry into debug mode, instead of breakpoints. If a boolean parameter is provided, first assigns that flag.
This should be safe for all but ARM7TDMI-S cores (like NXP LPC). This feature is enabled by default on most ARM9 cores, including ARM9TDMI, ARM920T, and ARM926EJ-S.
DCC downloads offer a huge speed increase, but might be unsafe, especially with targets running at very low speeds. This command was introduced with OpenOCD rev. 60, and requires a few bytes of working area.
Displays the value of the flag controlling use of memory writes and reads that don't check completion of the operation. If a boolean parameter is provided, first assigns that flag.
This provides a huge speed increase, especially with USB JTAG cables (FT2232), but might be unsafe if used with targets running at very low speeds, like the 32kHz startup clock of an AT91RM9200.
These commands are available to ARM720T based CPUs, which are implementations of the ARMv4T architecture based on the ARM7TDMI-S integer core. They are available in addition to the ARM and ARM7/ARM9 commands.
DEPRECATED – avoid using this. Use the arm mrc or arm mcr commands instead.
Display cp15 register returned by the ARM instruction opcode; else if a value is provided, that value is written to that register. The opcode should be the value of either an MRC or MCR instruction.
ARM9-family cores are built around ARM9TDMI or ARM9E (including ARM9EJS) integer processors. Such cores include the ARM920T, ARM926EJ-S, and ARM966.
Vector Catch hardware provides a sort of dedicated breakpoint for hardware events such as reset, interrupt, and abort. You can use this to conserve normal breakpoint resources, so long as you're not concerned with code that branches directly to those hardware vectors.
This always finishes by listing the current configuration. If parameters are provided, it first reconfigures the vector catch hardware to intercept all of the hardware vectors, none of them, or a list with one or more of the following: reset undef swi pabt dabt irq fiq.
These commands are available to ARM920T based CPUs, which are implementations of the ARMv4T architecture built using the ARM9TDMI integer core. They are available in addition to the ARM, ARM7/ARM9, and ARM9 commands.
Print information about the caches found. This allows to see whether your target is an ARM920T (2x16kByte cache) or ARM922T (2x8kByte cache).
Display cp15 register regnum; else if a value is provided, that value is written to that register. This uses "physical access" and the register number is as shown in bits 38..33 of table 9-9 in the ARM920T TRM. (Not all registers can be written.)
DEPRECATED – avoid using this. Use the arm mrc or arm mcr commands instead.
Interpreted access using ARM instruction opcode, which should be the value of either an MRC or MCR instruction (as shown tables 9-11, 9-12, and 9-13 in the ARM920T TRM). If no value is provided, the result is displayed. Else if that value is written using the specified address, or using zero if no other address is provided.
Dump the content of ICache and DCache to a file named filename.
Dump the content of the ITLB and DTLB to a file named filename.
These commands are available to ARM926ej-s based CPUs, which are implementations of the ARMv5TEJ architecture based on the ARM9EJ-S integer core. They are available in addition to the ARM, ARM7/ARM9, and ARM9 commands.
The Feroceon cores also support these commands, although they are not built from ARM926ej-s designs.
These commands are available to ARM966 based CPUs, which are implementations of the ARMv5TE architecture. They are available in addition to the ARM, ARM7/ARM9, and ARM9 commands.
Display cp15 register regnum; else if a value is provided, that value is written to that register. The six bit regnum values are bits 37..32 from table 7-2 of the ARM966E-S TRM. There is no current control over bits 31..30 from that table, as required for BIST support.
Some notes about the debug implementation on the XScale CPUs:
The XScale CPU provides a special debug-only mini-instruction cache (mini-IC) in which exception vectors and target-resident debug handler code are placed by OpenOCD. In order to get access to the CPU, OpenOCD must point vector 0 (the reset vector) to the entry of the debug handler. However, this means that the complete first cacheline in the mini-IC is marked valid, which makes the CPU fetch all exception handlers from the mini-IC, ignoring the code in RAM.
To address this situation, OpenOCD provides the
vector_table command, which allows the user to explicity write
individual entries to either the high or low vector table stored in
It is recommended to place a pc-relative indirect branch in the vector table, and put the branch destination somewhere in memory. Doing so makes sure the code in the vector table stays constant regardless of code layout in memory:
_vectors: ldr pc,[pc,#0x100-8] ldr pc,[pc,#0x100-8] ldr pc,[pc,#0x100-8] ldr pc,[pc,#0x100-8] ldr pc,[pc,#0x100-8] ldr pc,[pc,#0x100-8] ldr pc,[pc,#0x100-8] ldr pc,[pc,#0x100-8] .org 0x100 .long real_reset_vector .long real_ui_handler .long real_swi_handler .long real_pf_abort .long real_data_abort .long 0 /* unused */ .long real_irq_handler .long real_fiq_handler
Alternatively, you may choose to keep some or all of the mini-IC
vector table entries synced with those written to memory by your
system software. The mini-IC can not be modified while the processor
is executing, but for each vector table entry not previously defined
xscale vector_table command, OpenOCD will copy the
value from memory to the mini-IC every time execution resumes from a
halt. This is done for both high and low vector tables (although the
table not in use may not be mapped to valid memory, and in this case
that copy operation will silently fail). This means that you will
need to briefly halt execution at some strategic point during system
start-up; e.g., after the software has initialized the vector table,
but before exceptions are enabled. A breakpoint can be used to
accomplish this once the appropriate location in the start-up code has
been identified. A watchpoint over the vector table region is helpful
in finding the location if you're not sure. Note that the same
situation exists any time the vector table is modified by the system
The debug handler must be placed somewhere in the address space using
xscale debug_handler command. The allowed locations for the
debug handler are either (0x800 - 0x1fef800) or (0xfe000800 -
0xfffff800). The default value is 0xfe000800.
XScale has resources to support two hardware breakpoints and two
watchpoints. However, the following restrictions on watchpoint
functionality apply: (1) the value and mask arguments to the
command are not supported, (2) the watchpoint length must be a
power of two and not less than four, and can not be greater than the
watchpoint address, and (3) a watchpoint with a length greater than
four consumes all the watchpoint hardware resources. This means that
at any one time, you can have enabled either two watchpoints with a
length of four, or one watchpoint with a length greater than four.
These commands are available to XScale based CPUs, which are implementations of the ARMv5TE architecture.
Changes the address used when cleaning the data cache.
Display cp15 register regnum; else if a value is provided, that value is written to that register.
Changes the address used for the specified target's debug handler.
Displays the trace buffer status, after optionally enabling or disabling the trace buffer and modifying how it is emptied.
Opens a trace image from filename, optionally rebasing its segment addresses by offset. The image type may be one of bin (binary), ihex (Intel hex), elf (ELF file), s19 (Motorola s19), mem, or builder.
The mask bits correspond with bit 16..23 in the DCSR:0x01 Trap Reset 0x02 Trap Undefined Instructions 0x04 Trap Software Interrupt 0x08 Trap Prefetch Abort 0x10 Trap Data Abort 0x20 reserved 0x40 Trap IRQ 0x80 Trap FIQ
Set an entry in the mini-IC vector table. There are two tables: one for low vectors (at 0x00000000), and one for high vectors (0xFFFF0000), each holding the 8 exception vectors. index can be 1-7, because vector 0 points to the debug handler entry and can not be overwritten. value holds the 32-bit opcode that is placed in the mini-IC.
Without arguments, the current settings are displayed.
Displays the value of the memwrite burst-enable flag, which is enabled by default. If a boolean parameter is provided, first assigns that flag. Burst writes are only used for memory writes larger than 1 word. They improve performance by assuming that the CPU has read each data word over JTAG and completed its write before the next word arrives, instead of polling for a status flag to verify that completion. This is usually safe, because JTAG runs much slower than the CPU.
Displays the value of the memwrite error_fatal flag, which is enabled by default. If a boolean parameter is provided, first assigns that flag. When set, certain memory write errors cause earlier transfer termination.
Displays the value of the flag controlling whether IRQs are enabled during single stepping; they are disabled by default. If a boolean parameter is provided, first assigns that.
Vector Catch hardware provides dedicated breakpoints for certain hardware events. The specific bit values are core-specific (as in fact is using coprocessor 14 register 7 itself) but all current ARM11 cores except the ARM1176 use the same six bits.
These commands are specific to ARM architecture v7 Debug Access Port (DAP), included on Cortex-M and Cortex-A systems. They are available in addition to other core-specific commands that may be available.
Displays ID register from AP num, defaulting to the currently selected AP.
Displays debug base address from MEM-AP num, defaulting to the currently selected AP.
Displays the ROM table for MEM-AP num, defaulting to the currently selected AP.
Displays the number of extra tck cycles in the JTAG idle to use for MEM-AP memory bus access [0-255], giving additional time to respond to reads. If value is defined, first assigns that.
fix CSW_SPROT from register AP_REG_CSW on selected dap. Defaulting to 0.
Control masking (disabling) interrupts during target step/resume.
The auto option handles interrupts during stepping a way they get served but don't disturb the program flow. The step command first allows pending interrupt handlers to execute, then disables interrupts and steps over the next instruction where the core was halted. After the step interrupts are enabled again. If the interrupt handlers don't complete within 500ms, the step command leaves with the core running.
Note that a free breakpoint is required for the auto option. If no breakpoint is available at the time of the step, then the step is taken with interrupts enabled, i.e. the same way the off option does.
Default is auto.
Parameters request interception of all of these hardware event vectors, none of them, or one or more of the following: hard_err for a HardFault exception; mm_err for a MemManage exception; bus_err for a BusFault exception; irq_err, state_err, chk_err, or nocp_err for various UsageFault exceptions; or reset. If NVIC setup code does not enable them, MemManage, BusFault, and UsageFault exceptions are mapped to HardFault. UsageFault checks for divide-by-zero and unaligned access must also be explicitly enabled.
This finishes by listing the current vector catch configuration.
Control reset handling. The default srst is to use srst if fitted, otherwise fallback to vectreset.
Using vectreset is a safe option for all current Cortex-M cores. This however has the disadvantage of only resetting the core, all peripherals are uneffected. A solution would be to use a
- srst use hardware srst if fitted otherwise fallback to vectreset.
- sysresetreq use NVIC SYSRESETREQ to reset system.
- vectreset use NVIC VECTRESET to reset system.
reset-initevent handler to manually reset the peripherals. See Target Events.
Intel Quark X10xx is the first product in the Quark family of SoCs. It is an IA-32 (Pentium x86 ISA) compatible SoC. The core CPU in the X10xx is codenamed Lakemont. Lakemont version 1 (LMT1) is used in X10xx. The CPU TAP (Lakemont TAP) is used for software debug and the CLTAP is used for SoC level operations. Useful docs are here: https://communities.intel.com/community/makers/documentation
The three main address spaces for x86 are memory, I/O and configuration space. These commands allow a user to read and write to the 64Kbyte I/O address space.
Display the contents of a 32-bit I/O port from address range 0x0000 - 0xffff.
Display the contents of a 16-bit I/O port from address range 0x0000 - 0xffff.
Display the contents of a 8-bit I/O port from address range 0x0000 - 0xffff.
Write the contents of a 32-bit I/O port to address range 0x0000 - 0xffff.
Write the contents of a 16-bit I/O port to address range 0x0000 - 0xffff.
Write the contents of a 8-bit I/O port to address range 0x0000 - 0xffff.
The OpenRISC CPU is a soft core. It is used in a programmable SoC which can be configured with any of the TAP / Debug Unit available.
Select between the Altera Virtual JTAG , Xilinx Virtual JTAG and Mohor TAP.
Select between the Advanced Debug Interface and the classic one.
An option can be passed as a second argument to the debug unit.
When using the Advanced Debug Interface, option = 1 means the RTL core is configured with ADBG_USE_HISPEED = 1. This configuration skips status checking between bytes while doing read or write bursts.
Add a new register in the cpu register list. This register will be included in the generated target descriptor file.
[feature] must be "org.gnu.gdb.or1k.group[0..10]".
[reg_group] can be anything. The default register list defines "system", "dmmu", "immu", "dcache", "icache", "mac", "debug", "perf", "power", "pic" and "timer" groups.
example:addreg rtest 0x1234 org.gnu.gdb.or1k.group0 system
Display all registers in group.
group can be "system", "dmmu", "immu", "dcache", "icache", "mac", "debug", "perf", "power", "pic", "timer" or any new group created with addreg command.
OpenOCD can process certain requests from target software, when the target uses appropriate libraries. The most powerful mechanism is semihosting, but there is also a lighter weight mechanism using only the DCC channel.
Currently target_request debugmsgs is supported only for arm7_9 and cortex_m cores. These messages are received as part of target polling, so you need to have poll on active to receive them. They are intrusive in that they will affect program execution times. If that is a problem, see ARM Hardware Tracing.
See libdcc in the contrib dir for more details. In addition to sending strings, characters, and arrays of various size integers from the target, libdcc also exports a software trace point mechanism. The target being debugged may issue trace messages which include a 24-bit trace point number. Trace point support includes two distinct mechanisms, each supported by a command:
The buffer may overflow, since it collects records continuously. It may be useful to use some of the 24 bits to represent a particular event, and other bits to hold data.
The array of counters is directly indexed by the trace point number, so trace points with higher numbers are not counted.
Linux-ARM kernels have a “Kernel low-level debugging via EmbeddedICE DCC channel” option (CONFIG_DEBUG_ICEDCC, depends on CONFIG_DEBUG_LL) which uses this mechanism to deliver messages before a serial console can be activated. This is not the same format used by libdcc. Other software, such as the U-Boot boot loader, sometimes does the same thing.
Displays current handling of target DCC message requests. These messages may be sent to the debugger while the target is running. The optional enable and charmsg parameters both enable the messages, while disable disables them.
With charmsg the DCC words each contain one character, as used by Linux with CONFIG_DEBUG_ICEDCC; otherwise the libdcc format is used.
With no parameter, displays all the trace points that have triggered in the order they triggered. With the parameter clear, erases all current trace history records. With a count parameter, allocates space for that many history records.
With no parameter, displays all trace point identifiers and how many times they have been triggered. With the parameter clear, erases all current trace point counters. With a numeric identifier parameter, creates a new a trace point counter and associates it with that identifier.
Important: The identifier and the trace point number are not related except by this command. These trace point numbers always start at zero (from server startup, or after trace point clear) and count up from there.