8.10.1. Determining the core state

If the processor has entered debug state from Thumb state, the simplest course of action is for the debugger to force the core back into ARM state. Once this is done, the debugger can always execute the same sequence of instructions to determine the processor’s state.

To force the processor into ARM state, the following sequence of Thumb instructions should be executed on the core:

STR R0, [R0] ; Save R0 before use
MOV R0, PC   ; Copy PC into R0
STR R0, [R0] ; Now save the PC
BX PC        ; Jump into ARM state
MOV R8, R8   ; NOP
MOV R8, R8   ; NOP

The above use of R0 as the base register for the stores is for illustration only—any register could be used.

Since every Thumb instruction is only 16 bits long, the simplest course of action when shifting one into scan chain 1 is to place the same 16-bit encoding in both halves of the 32-bit instruction data bus. For example, the encoding for BX R0 is 0x4700. If 0x47004700 is shifted into the 32 bits of the instruction data bus of scan chain 1, the debugger does not have to keep track of which half of the bus the processor expects to read the instruction from.

From this point on, the processor state can be determined by the sequences of ARM instructions described below.

Once the processor is in ARM state, typically the first instruction executed would be:

STMIA R0, {R0-R15}

This causes the contents of the registers to be made visible on the data bus. These values can then be sampled and shifted out.

After determining the values in the current bank of registers, it may be desirable to access banked registers. This can only be done by changing mode. Normally, a mode change may only occur if the core is already in a privileged mode. However, while in debug state, a mode change from any mode into any other mode may occur. Note that the debugger must restore the original mode before exiting debug state.

For example, assume that the debugger has been asked to return the state of the USER mode and FIQ mode registers, and debug state was entered in supervisor mode.

The instruction sequence could be:

STMIA R0, {R0-R15}    ; Save current registers (values appear on the data bus)
MRS   R0, CPSR        ; Read CPSR (R0 was already saved above)
STR   R0, [R0]        ; Save CPSR to determine current mode
BIC   R0, R0, #0x1F   ; Clear mode bits
ORR   R0, R0, #0x10   ; Select USER mode
MSR   CPSR, R0        ; Enter USER mode
STMIA R0, {R13-R14}   ; Save registers not previously visible
ORR   R0, R0, #0x01   ; Select FIQ mode (0x10 | 0x01 = 0x11)
MSR   CPSR, R0        ; Enter FIQ mode
STMIA R0, {R8-R14}    ; Save banked FIQ registers
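The following is an added example, not code from the ARM9TDMI TRM: a debugger-side model of the procedure above, covering both the Thumb-entry trick (duplicating a 16-bit opcode into both halves of the scan chain 1 instruction bus) and the ARM-state sequence that dumps the current registers, switches to USER and FIQ mode to expose the banked R13/R14 and R8-R14, and restores the original mode before leaving debug state. The core model (CoreModel, bank_key, sample_core) and the register contents are constructed for illustration and are hypothetical; the mode encodings and the Thumb opcodes for BX PC and MOV R8, R8 are the architectural ones.

```python
"""Debugger-side model of ARM9TDMI state retrieval in debug state (added example)."""

MODE_USR, MODE_FIQ, MODE_IRQ, MODE_SVC = 0x10, 0x11, 0x12, 0x13
MODE_ABT, MODE_UND, MODE_SYS = 0x17, 0x1B, 0x1F
MODE_MASK = 0x1F

THUMB_BX_PC = 0x4778   # Thumb encoding of BX PC
THUMB_NOP = 0x46C0     # Thumb encoding of MOV R8, R8


def thumb_scan_word(opcode16):
    """Place a 16-bit Thumb opcode in both halves of the 32-bit instruction
    data bus of scan chain 1, so the debugger need not track which half the
    core will fetch from."""
    if not 0 <= opcode16 <= 0xFFFF:
        raise ValueError("not a 16-bit Thumb opcode")
    return (opcode16 << 16) | opcode16


def select_mode(cpsr, mode):
    """BIC R0, R0, #0x1F ; ORR R0, R0, #mode: keep every flag, swap the mode."""
    return (cpsr & ~MODE_MASK & 0xFFFFFFFF) | mode


def bank_key(mode, n):
    """Which physical register backs architectural Rn in the given mode
    (hypothetical bookkeeping for the model, not a hardware structure)."""
    if n < 8 or n == 15:
        return ("common", n)
    if mode == MODE_FIQ:
        return ("fiq", n)          # R8-R14 are banked in FIQ mode
    if n <= 12 or mode in (MODE_USR, MODE_SYS):
        return ("common", n)       # R8-R12 outside FIQ, USER/SYSTEM R13/R14
    return (mode, n)               # R13/R14 banked per privileged mode


class CoreModel:
    """Hypothetical model of the register file as seen through debug state."""

    def __init__(self, cpsr, regfile):
        self.cpsr = cpsr
        self.regfile = regfile     # {bank_key: value}

    def mrs(self):
        return self.cpsr

    def msr(self, value):
        # In debug state a change from any mode to any other mode is permitted.
        self.cpsr = value

    def stmia(self, reglist):
        """STMIA at debug speed: the register values appear on the data bus
        and are scanned out, so return them in register-list order."""
        mode = self.cpsr & MODE_MASK
        return [self.regfile[bank_key(mode, n)] for n in reglist]


def read_core_state(core):
    """Drive the sequence from the text and collect what the bus shows."""
    # Thumb entry: force ARM state before running the common ARM sequence.
    entry = [thumb_scan_word(op) for op in (THUMB_BX_PC, THUMB_NOP, THUMB_NOP)]

    current = core.stmia(range(16))          # STMIA R0, {R0-R15}
    cpsr = core.mrs()                        # MRS R0, CPSR ; STR R0, [R0]
    core.msr(select_mode(cpsr, MODE_USR))    # BIC/ORR 0x10 ; MSR CPSR, R0
    usr = core.stmia([13, 14])               # STMIA R0, {R13-R14}
    core.msr(select_mode(cpsr, MODE_FIQ))    # ORR 0x01 ; MSR CPSR, R0
    fiq = core.stmia(range(8, 15))           # STMIA R0, {R8-R14}
    core.msr(cpsr)                           # restore mode before exiting debug state
    return {"entry_words": entry, "cpsr": cpsr, "current": current,
            "usr_r13_r14": usr, "fiq_r8_r14": fiq}


def sample_core():
    """Constructed register contents: core halted in SVC mode, I and F set."""
    rf = {("common", n): 0x100 + n for n in range(8)}
    rf.update({("common", n): 0x200 + n for n in range(8, 13)})
    rf[("common", 13)], rf[("common", 14)] = 0xAAAA13, 0xAAAA14   # USER R13/R14
    rf[("common", 15)] = 0x8000
    rf.update({("fiq", n): 0xF00 + n for n in range(8, 15)})
    rf[(MODE_SVC, 13)], rf[(MODE_SVC, 14)] = 0x5513, 0x5514
    return CoreModel(0xD3, rf)


if __name__ == "__main__":
    state = read_core_state(sample_core())
    for name, value in state.items():
        print(name, [hex(v) for v in value] if isinstance(value, list) else hex(value))
```

The ORR #0x01 step in the text works only because USER is 0x10 and FIQ is 0x11; select_mode takes the full mode value so it generalises to any target mode. The model also makes the STMIA/MRS ordering visible: R0 is dumped first because MRS overwrites it.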

All these instructions are said to execute at debug speed. Debug speed is much slower than system speed, because between consecutive core clocks 67 scan clocks are needed to shift in an instruction or to shift out data. Executing instructions this slowly is fine for accessing the core's state, because the ARM9TDMI is fully static. However, the same method cannot be used to determine the state of the rest of the system.

While in debug state, only the following instructions may be inserted into the instruction pipeline for execution:

Copyright © 1998 ARM Limited. All rights reserved. DDI0092B
Non-Confidential