sifive / freedom-u540-c000-bootloader

Freedom U540-C000 Bootloader Code

Bootrom challenge notes #5

Open zhuowei opened 6 years ago

zhuowei commented 6 years ago

I started annotating the bootrom dump at https://gist.github.com/zhuowei/d6ff16f05faf13ba9e946345d4840db6. I generated the dump with Objdump:

riscv64-unknown-elf-objcopy --change-addresses=0x10000 -I binary -O elf64-littleriscv -B riscv bootrom.bin bootrom.elf
riscv64-unknown-elf-objdump -DrCt bootrom.elf >dumped.txt

and added the method names by comparing the disassembly with the disassembly of the zsbl built from this repo using the latest (2018.7) SiFive toolchain.


Edit 1: Pushed my changes to https://github.com/zhuowei/freedom-u540-c000-bootloader/tree/tweaking

Building this repo with both the 2018-07 toolchain and the oldest toolchain I can find (20170503), the

call main

pseudoinstruction in start.S compiles to a jal, but in the bootrom it compiles to a pair of auipc/jalr instructions:

   100ca:   00000097            auipc   ra,0x0
   100ce:   05a080e7            jalr    90(ra)

I tried both code models and that didn't make a difference either. Otherwise _prog_start is identical to the bootrom version (except for the offsets) once SKIP_ECC_WIPEDOWN is defined.


Edit 2:

I switched to the 20170503 toolchain, since it generates identical code for init_uart as the bootrom code, while the latest toolchain generates it in a different order.

I tried passing in -Wl,--no-relax to the linker to solve the auipc/jalr issue; this doesn't work: this changes all the calls to methods to auipc/jalr pairs, but some calls such as the call to handle_trap in trap_entry and the call to ux00boot_load_gpt_partition in main do use the shorter single jal instruction. This suggests that the bootrom was built with a compiler similar to the 20170503 release, but with a linker that has different support for relaxation.

I don't know how to proceed from here. Try even older compilers?


Edit 3: the dtb in the bootrom is also slightly different from the dts file included here: https://gist.github.com/zhuowei/d6ff16f05faf13ba9e946345d4840db6#file-gistfile1-txt
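As an added worked example (not code from this thread or from the bootloader repo), the script below decodes the two bootrom words quoted above, resolves the call target they reach, and encodes the single jal that a relaxing linker would emit for the same call. Only the address 0x100ca and the words 0x00000097 / 0x05a080e7 come from the dump; the decoder, encoder and register-name table are constructed here for illustration and cover only auipc, jalr and jal.

```python
# Added example: minimal RV64 decoder/encoder for the three instructions involved
# in "call" relaxation (auipc, jalr, jal). Not code from the repo or the thread;
# only the two instruction words and their address are taken from the dump.

ABI_NAMES = ["zero", "ra", "sp", "gp", "tp", "t0", "t1", "t2", "s0", "s1",
             "a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7",
             "s2", "s3", "s4", "s5", "s6", "s7", "s8", "s9", "s10", "s11",
             "t3", "t4", "t5", "t6"]

OP_AUIPC, OP_JALR, OP_JAL = 0x17, 0x67, 0x6F

def sign_extend(value, bits):
    """Interpret the low `bits` bits of value as a two's complement integer."""
    sign = 1 << (bits - 1)
    return (value & (sign - 1)) - (value & sign)

def decode(word):
    """Decode one 32-bit instruction word into (mnemonic, rd, rs1, imm)."""
    opcode = word & 0x7F
    rd = (word >> 7) & 0x1F
    if opcode == OP_AUIPC:
        # U-type: imm[31:12] lives in bits 31..12 and is already shifted
        return ("auipc", rd, None, sign_extend(word & 0xFFFFF000, 32))
    if opcode == OP_JALR:
        # I-type: imm[11:0] in bits 31..20, rs1 in bits 19..15
        rs1 = (word >> 15) & 0x1F
        return ("jalr", rd, rs1, sign_extend(word >> 20, 12))
    if opcode == OP_JAL:
        # J-type: imm[20|10:1|11|19:12] scattered over bits 31..12
        imm = (((word >> 31) & 0x1) << 20) | (((word >> 21) & 0x3FF) << 1) \
            | (((word >> 20) & 0x1) << 11) | (((word >> 12) & 0xFF) << 12)
        return ("jal", rd, None, sign_extend(imm, 21))
    raise ValueError("unsupported opcode 0x%02x" % opcode)

def format_insn(addr, word):
    """Render an instruction roughly the way objdump prints it."""
    mnem, rd, rs1, imm = decode(word)
    if mnem == "auipc":
        return "auipc %s,0x%x" % (ABI_NAMES[rd], (imm >> 12) & 0xFFFFF)
    if mnem == "jalr":
        if rd == 1:  # objdump elides rd when it is ra
            return "jalr %d(%s)" % (imm, ABI_NAMES[rs1])
        return "jalr %s,%d(%s)" % (ABI_NAMES[rd], imm, ABI_NAMES[rs1])
    return "jal %s,0x%x" % (ABI_NAMES[rd], addr + imm)

def call_target(addr, words):
    """Resolve a call site at `addr`: either one jal (relaxed) or an
    auipc/jalr pair through the same register (unrelaxed).
    Returns (target_address, sequence_length_in_bytes)."""
    mnem, rd, _, imm = decode(words[0])
    if mnem == "jal":
        return (addr + imm, 4)
    if mnem == "auipc" and len(words) >= 2:
        mnem2, _, rs1_2, imm2 = decode(words[1])
        if mnem2 == "jalr" and rs1_2 == rd:
            # auipc: rd = pc + imm; jalr: target = (rd + imm2) & ~1
            return (((addr + imm) + imm2) & ~1, 8)
    raise ValueError("not a call sequence at 0x%x" % addr)

def encode_jal(addr, target, rd=1):
    """Encode the single jal a relaxing linker would emit for this call,
    or None if the offset does not fit in jal's +/-1 MiB range."""
    offset = target - addr
    if offset & 1 or not -(1 << 20) <= offset < (1 << 20):
        return None
    off = offset & 0x1FFFFF
    return (((off >> 20) & 1) << 31) | (((off >> 1) & 0x3FF) << 21) \
        | (((off >> 11) & 1) << 20) | (((off >> 12) & 0xFF) << 12) \
        | (rd << 7) | OP_JAL

# The address and two words quoted from the bootrom dump in the thread.
BOOTROM_CALL = (0x100ca, [0x00000097, 0x05a080e7])

def relaxation_report(addr=BOOTROM_CALL[0], words=BOOTROM_CALL[1]):
    """Compare the unrelaxed pair with the jal a relaxing linker would emit."""
    target, length = call_target(addr, words)
    relaxed = encode_jal(addr, target)
    return {
        "unrelaxed": [format_insn(addr, words[0]), format_insn(addr + 4, words[1])],
        "target": target,
        "relaxed_word": relaxed,
        "relaxed": format_insn(addr, relaxed) if relaxed is not None else None,
        "bytes_saved": length - 4,
    }

if __name__ == "__main__":
    for key, val in relaxation_report().items():
        print(key, hex(val) if isinstance(val, int) else val)
```

Running it shows the pair at 0x100ca reaching 0x10124 and the equivalent relaxed form `jal ra,0x10124` (word 0x05a000ef), which is the four-byte saving linker relaxation buys per call; feeding it other (address, words) pairs from both dumps is one way to tabulate which call sites the bootrom's linker did and did not relax.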

ddevault commented 6 years ago

I pushed the old device tree to my fork:

https://github.com/SirCmpwn/freedom-u540-c000-bootloader/tree/reproducable-builds

scintill commented 6 years ago

I've had the same struggles as the summary at top. @tmagik, can you tell us what exact toolchain was used?

tmagik commented 6 years ago

Try this:

https://github.com/riscv/riscv-tools/commit/3921adb93efb6e9422701209b6926fbc8b693059