| Copyright © 2000, 2001 ARM Limited. All rights reserved. | ARM DDI 0151C |
| Non-Confidential | |
 PDF version | |
| Home > Debug Support > Test data registers > Scan chains 4 and 15, the ARM920T memory system |
| |||
| Home > Debug Support > Test data registers > Scan chains 4 and 15, the ARM920T memory system | |||
On entry to debug state, the debugger must extract and save the state of CP15. It is advisable that the caches and MMUs are then switched off to prevent any debug accesses to memory altering their state. At this point, the debugger can non-invasively determine the state of the memory system. When in debug state, the debugger can see the state of the ARM920T memory system. This includes:
CP15
caches
MMU
PA TAG RAM.
Scan chains 4 and 15 are reserved for this use.
This scan chain is 40 bits long. The format of the scan chain is dependent on the access mode used. The formats for both modes for scan chain 15 are shown in Table 9.7.
Table 9.7. Scan chain 15 format and access modes
Scan chain bit | Interpreted access mode | Physical access mode | ||
|---|---|---|---|---|
Function | Read/write | Function | Read/write | |
39 | 0 | Write | nR/W | Write |
38:33 | 000000 | Write | Register address | Write |
32:1 | Instruction word | Write | Register value | Read/write |
0 | 0 | Write | 1 | Write |
With scan chain 15 selected, TDI is connected to bit 39 and TDO is connected to bit 0. An access using this scan chain allows all of the CP15 registers to be read and written, the cache CAM and RAM to be read, and the TLB CAM and RAM to be read. There are two access modes available using scan chain 15. These are:
You can do a physical access mode operation using scan chain 15 as follows:
In SHIFT-DR, shift in the read/write bit, register address and register value for writing, shown in Table 9.8.
Move through UPDATE-DR. For a write, the register is updated here.
For reading, return to SHIFT-DR through CAPTURE-DR and shift out the register value.
Table 9.8 shows the bit format for scan chain 15 physical access mode operations.
Table 9.8. Scan chain 15 physical access mode bit format
Scan chain bit | Function | Read/ write |
|---|---|---|
39 | nR/W | Write |
38:33 | Register address | Write |
32:1 | Register value | Read/ write |
0 | 1 | Write |
The mapping of the 6-bit register address field to the CP15 registers for physical access mode is shown in Table 9.9.
Table 9.9. Physical access mapping to CP15 registers
Address | Register | ||||
|---|---|---|---|---|---|
[38] | [37:34] | [33] | Number | Name | Type |
0 |
| 0 | C0 | ID register | Read |
0 |
| 1 | C0 | Cache type | Read |
0 |
| 0 | C1 | Control | Read/write |
0 |
| 0 | C9 | Data cache lockdown | Read |
0 |
| 1 | C9 | Instruction cache lockdown | Read |
0 |
| 0 | C13 | Process ID | Read/write |
0 |
| 0 | C15.State | Test state | Read/write |
1 |
| 1 | C15.C.I.Ind | Instruction cache index | Read |
1 |
| 1 | C15.C.D.Ind | Data cache index | Read |
1 |
| 1 | C15.C.I | Instruction cache | Read/write |
1 |
| 1 | C15.C.D | Data cache | Read/write |
1 |
| 0 | C15.M.I | Instruction MMU | Read |
1 |
| 0 | C15.M.D | Data MMU | Read |
You can do an interpreted access mode operation using scan chain 15 as follows:
A physical access read-modify-write to C15 (test state) must be done in order to set bit 0, CP15 interpret.
The required MCR/MRC instruction
word is shifted in to scan chain 15.
A system-speed LDR (read) or STR (write)
is performed on the ARM9TDMI.
CP15 responds to this LDR/STR by
executing the coprocessor instruction in its scan chain.
In the case of a LDR, the data
is returned to the ARM9TDMI and can be captured onto scan chain
1 by performing an STR.
In the case of an STR, the interpreted MCR completes
with the data that is issued from the ARM9TDMI.
A physical access read-modify-write to C15 (test state) must be done in order to clear CP15 interpret, bit 0.
Table 9.10 shows the bit format for scan chain 15 interpreted access mode operations.
Table 9.10. Scan chain 15 interpreted access mode bit format
Scan chain bit | Function | Read/ write |
|---|---|---|
39 | 0 | Write |
38:33 | 000000 | Write |
32:1 | Instruction word | Write |
0 | 0 | Write |
The mapping of the 32-bit instruction word field to the remaining CP15 registers supported for interpreted access mode is shown in Table 9.11, Table 9.12, and Table 9.13. This supported subset is used for cache and MMU debug operations. Using interpreted accesses for other CP15 register operations produces UNPREDICTABLE behavior. The construction of a CP15 instruction word from ARM assembler is shown in Figure 2.1.
For the MCR, Rd has been replaced by r0,
because the register being used as the source data is governed by
the STR. For the MRC, Rd has
been replaced by r0, because the register being used as the destination
is governed by the LDR.
The mapping of the 32-bit instruction word field to the remaining CP15 registers for interpreted access mode is shown in Table 9.11. The construction of a CP15 instruction word from ARM assembler is shown in CP15 register map summary.
Table 9.11. Interpreted access mapping to CP15 registers
ARM920T instruction | Function | Rd | Ra | CP15 instruction |
|---|---|---|---|---|
| STR Rd,[Ra] | Write I TTB | TTB | - | MCR p15,5,r0,c15,c1,2 |
| LDR Rd,[Ra] | Read I TTB | TTB | - | MRC p15,5,r0,c15,c1,2 |
| STR Rd,[Ra] | Write D TTB | TTB | - | MCR p15,5,r0,c15,c2,2 |
| LDR Rd,[Ra] | Read D TTB | TTB | - | MRC p15,0,r0,c2,c2,2 |
| STR Rd,[Ra] | Write I DAC | DAC | - | MCR p15,5,r0,c15,c1,3 |
| LDR Rd,[Ra] | Read I DAC | DAC | - | MRC p15,5,r0,c15,c1,3 |
| STR Rd,[Ra] | Write D DAC | DAC | - | MCR p15,5,r0,c15,c2,3 |
| LDR Rd,[Ra] | Read D DAC | DAC | - | MRC p15,0,r0,c3,c0,0 |
| STR Rd,[Ra] | Write I FSR | FSR | - | MCR p15,0,r0,c5,c0,1 |
| LDR Rd,[Ra] | Read I FSR | FSR | - | MRC p15,0,r0,c5,c0,1 |
| STR Rd,[Ra] | Write D FSR | FSR | - | MCR p15,0,r0,c5,c0,0 |
| LDR Rd,[Ra] | Read D FSR | FSR | - | MRC p15,0,r0,c5,c0,0 |
| STR Rd,[Ra] | Write I FAR | FAR | - | MCR p15,0,r0,c6,c0,1 |
| LDR Rd,[Ra] | Read I FAR | FAR | - | MRC p15,0,r0,c6,c0,1 |
| STR Rd,[Ra] | Write D FAR | FAR | - | MCR p15,0,r0,c6,c0,0 |
| LDR Rd,[Ra] | Read D FAR | FAR | - | MRC p15,0,r0,c6,c0,0 |
| STR Rd,[Ra] | ICache invalidate all | - | - | MCR p15,0,r0,c7,c5,0 |
| STR Rd,[Ra] | ICache invalidate entry | - | Tag, Seg | MCR p15,0,r0,c7,c5,1 |
| STR Rd,[Ra] | DCache invalidate all | - | - | MCR p15,0,r0,c7,c6,0 |
| STR Rd,[Ra] | DCache invalidate entry | - | Tag, Seg | MCR p15,0,r0,c7,c6,1 |
| STR Rd,[Ra] | Write ICache victim | - | Victim, Seg | MCR p15,0,r0,c9,c1,1 |
| STR Rd,[Ra] | Write DCache victim | - | Victim, Seg | MCR p15,0,r0,c9,c1,0 |
| STR Rd,[Ra] | Write ICache victim and lockdown base | - | Victim | MCR p15,0,r0,c9,c0,1 |
| STR Rd,[Ra] | Write DCache victim and lockdown base | - | Victim | MCR p15,0,r0,c9,c0,0 |
| STR Rd,[Ra] | Write I TLB lockdown | Base,Victim | - | MCR p15,0,r0,c10,c0,1 |
| LDR Rd,[Ra] | Read I TLB lockdown | Base,Victim | - | MRC p15,0,r0,c10,c0,1 |
| STR Rd,[Ra] | Write D TLB lockdown | Base,Victim | - | MCR p15,0,r0,c10,c0,0 |
| LDR Rd,[Ra] | Read D TLB lockdown | Base,Victim | - | MRC p15,0,r0,c10,c0,0 |
Table 9.12. Interpreted access mapping to the MMU
| ARM920T instruction | Function | Rd/Rlist | Ra | CP15 instruction |
|---|---|---|---|---|
| LDR Rd,[Ra] or LDMIA Ra,[Rlist] | I CAM Read | MVA Tag, Size, V, P | - | MCR p15,4,r0,c15,c5,4 |
| LDR Rd,[Ra] or LDMIA Ra,[Rlist] | I RAM1 Read | Protection | - | MCR p15,4,r0,c15,c9,4 |
| LDR Rd,[Ra]or LDMIA Ra,[Rlist] | I RAM2 Read | PA Tag, Size | - | MCR p15,4,r0,c15,c1,5 |
| LDR Rd,[Ra]or LDMIA Ra,[Rlist] | D CAM Read | MVA Tag, Size, V, P | - | MCR p15,4,r0,c15,c6,4 |
| LDR Rd,[Ra]or LDMIA Ra,[Rlist] | D RAM1 Read | Protection | - | MCR p15,4,r0,c15,c10,4 |
| LDR Rd,[Ra]or LDMIA Ra,[Rlist] | D RAM2 Read | PA Tag, Size | - | MCR p15,4,r0,c15,c2,5 |
Table 9.13. Interpreted access mapping to the caches
| ARM920T instruction | Function | Rd/Rlist | Ra | CP15 instruction |
|---|---|---|---|---|
| LDR Rd,[Ra] or LDMIA Ra,[Rlist] | I CAM Read | Tag, Seg, Dirty | Seg | MCR p15,2,r0,c15,c5,2 |
| LDR Rd,[Ra] or LDMIA Ra,[Rlist] | I RAM Read | Data | Seg, Word | MCR p15,2,r0,c15,c9,2 |
| LDR Rd,[Ra]or LDMIA Ra,[Rlist] | D CAM Read | Tag, Seg, Dirty | Seg | MCR p15,2,r0,c15,c6,2 |
| LDR Rd,[Ra] or LDMIA Ra,[Rlist] | D RAM Read | Data | Seg, Word | MCR p15,2,r0,c15,c10,2 |
This is achieved through scan chain 1 and 15, using the physical access and interpreted access modes. The following steps explain how to read the Data TLB:
Physical access: Read-modify-write cp15, register 1, to turn off both the caches and MMU.
Physical access: Read-modify-write cp15, register 15, to set MMU test and CP15 interpret mode.
Interpreted access: LDR Rd,[Ra]. MCR = Read D TLB lockdown. This will read the Base and Victim to Rd.
Physical access: Read-modify-write CP15 register 15 to clear CP 15 interpret mode.
STR of Rd loaded in step (3). Capture on scan chain 1 and shift out.
Physical access: Read-modify-write CP15 register 15 to set CP15 interpret mode.
Interpreted access: STR Rd,[Ra]. MCR = Write D TLB lockdown, where Rd = Base[read in (3)], Victim[=0].
Interpreted access: 8 word LDM, LDMIA Ra,[Rlist]. MCR = D CAM Read. The CAM Read will increment the victim pointer on every access, so this will read entries 0-7.
Physical access: Read-modify-write CP15 register 15 to clear CP 15 interpret mode.
8 word STM of the values loaded in step (6). Capture these on scan chain 1 and shift out. These 8 values are the CAM Tag for entries 0-7.
Physical access: Read-modify-write CP15 register 15 to set CP15 interpret mode.
Repeat steps (8) to (11) eight times to read entries 0-63.
Interpreted access: STR Rd,[Ra]. MCR = Write D TLB lockdown, where Rd = Base[read in step (3)], Victim[=0].
Interpreted access: LDR Rd,[Ra]. MCR = D RAM1 Read. The RAM1 Read will increment the victim pointer on every access as MMU test in cp15, register 15, Test State register has been set.
Interpreted access: LDR Rd,[Ra]. MCR = D RAM2 Read. This uses a pipelined version of the last RAM1 read.
Physical access: Read-modify-write CP15 register 15 to clear CP 15 interpret mode.
2 word STM of the values loaded in steps (10) and (11). Capture these on scan chain 1 and shift out. These 2 values are RAM1 and RAM2 from entry 0.
Physical access: Read-modify-write CP15 register 15 to set CP15 interpret mode.
Repeat steps (14) to (18) 64 times to read RAM1 and RAM2 entries 0-63.
Interpreted access: STR Rd,[Ra]. MCR = Write D TLB lockdown, where Rd = Base[read in step (3)], Victim[read in step (3)].
Physical access: Read-modify-write cp15, register 15, to clear MMU test and CP15 interpret mode.
Physical access: Read-modify-write cp15, register 1, to turn on (restore state of) both the caches and MMU.
This is achieved through scan chain 1 and 15, using the physical access and interpreted access modes. The following steps explain how to read the DCache. They assume you are trying to read the contents of segment 2 of the DCache.
Physical access: Read-modify-write cp15, register 1, to turn off both the caches and MMU.
Physical access: Read-modify-write cp15, register 15, to set CP15 interpret mode.
Interpreted access: LDR Rd,[Ra]. MCR = D CAM Read, where Ra = Seg2. This will cause the current victim for segment 2 to be read into C15.C.D.Ind.
Physical access: Read C15.C.D.Ind which contains the victim of segment 2.
Interpreted access: STR Rd,[Ra]. MCR = Write DCache victim, where Ra = Victim0, Seg2. This sets the victim counter to 0 for segment 2, and configures the counter to increment after a CAM read or write. The Base remains unchanged.
Interpreted access: 8 word LDM, LDMIA Ra,[Rlist]. MCR = D RAM Read, where Ra = seg2, word0. The LDMIA will increment the word part of the address and move across the cache line from word0 to word7.
Interpreted access: LDR Rd,[Ra]. MCR = D CAM Read, where Ra = Seg2.
Physical access: Read-modify-write cp15, register 15, to clear CP15 interpret mode.
9 word STM of the values loaded in (6) and (7). Capture these on scan chain 1 and shift out. These 9 values are the CAM Tag and RAM cache line data for segment 2, index 0.
Physical access: Read-modify-write cp15, register 15, to set CP15 interpret mode.
Increment the victim (+1) and repeat steps (5) to (10) 64 times. This approach avoids using the auto increment capability of the victim counter. If the auto increment capability is used, the victim counter will loop back to the Base value when it reaches 63, so either the Victim must start at 0, or the Base must be read, set to 0, then restored after reading the memory.By starting the victim at 0, repeat steps (6) to (10) 64 times.
Interpreted access: STR Rd,[Ra]. MCR = Write DCache victim, where Ra = Victim, Seg2. The Victim value should be the value read and saved in step (5).
Repeat steps (3) to (12) for each segment.
Physical access: Read-modify-write cp15, register 15, to clear CP15 interpret mode.
Physical access: Read-modify-write cp15, register 1, to turn on (restore state of) both the caches and MMU.
This scan chain is 49 bits long, as shown in Table 9.14.
Table 9.14. Scan chain 4 format
Scan chain bit | Function | Read/ write |
|---|---|---|
48 | PA TAG sel TCK | Write |
47 | RAM enable | Write |
46 | Odd not even | Write |
45:40 | Scan index [5:0] | Write |
39:33 | Scan seg [6:0] | Write |
32 | PA TAG sync TCK | Read |
31:0 | WBPA | Read |
With scan chain 4 selected, TDI is connected to bit 48 and TDO is connected to bit 0. An access using this scan chain allows the physical address TAG RAM to be read.
Figure 9.7 shows the construction of write back physical addresses.
Although Scan Seg [6:0] is provided, only bits [2:0] are used in ARM920T to address segments 0-7. Bits [6:3] are defined for forwards compatibility.
To read an entry in the PA TAG RAM, you must execute the following sequence:
Write:
PA TAG sel TCK = 1
RAM enable = 0.
This synchronizes the PA TAG RAM to TCK, the test clock.
Read PA TAG sync TCK until it is 1.
This confirms that the PA TAG RAM is synchronized to TCK.
Write:
PA TAG sel TCK = 1
RAM enable = 1
odd not even
scan index bits [5:0]
scan seg bits [2:0].
Go through the UPDATE-DR state of the ARM920T TAP controller three times. The most efficient way of doing this, after doing the write in step 3 is to go through the following sequence. This avoids rewriting the values in step 3 on each iteration:
EXIT1-DR
UPDATE-DR
SELECT-DR-SCAN
CAPTURE-DR
Repeat (a) to (d) x 2
SHIFT-DR.
The PA TAG RAM requires three clock cycles to perform the read. Its clock is cycled in UPDATE-DR, and therefore this state must be passed through three times.
Read the Write Back Physical Address (WBPA).
Write:
PA TAG sel TCK = 0
RAM enable = 0.
Resynchronize the PA TAG RAM to the system clock.
Read PA TAG sync TCK until it is 0. This confirms that resynchronization has occurred.
You must repeat this sequence of steps (1 to 7) for the eight segments, corresponding to the eight DCache segments, and the 64 entries per segment, corresponding to the 64 entries in each DCache segment.
| Copyright © 2000, 2001 ARM Limited. All rights reserved. | ARM DDI 0151C |
| Non-Confidential | |
| PDF version | |
| Home > Debug Support > Test data registers > Scan chains 4 and 15, the ARM920T memory system |