Thanks to Krater, who published an IDA plug-in for the BlackFin processor he wrote, I am attempting to reverse engineer the Rigol firmware. Actually, it is not as difficult as it sounds to be: I have quickly spotted four ELF headers that boot the FLASH memory contents into the SDRAM system memory space, using the internal processor Boot-ROM. Funny thing is that even though C-type identifiers can be spotted within the firmware, some small portions of it seem to have been written in pure assembly! Of course, I could be wrong in that because the compiler could be using ready-made assembly routines in the background, since the .ASM black arts seem to be too difficult for the newer breeds of "engineers," who do not feel the need to know the inner workings of things, to be exercised...
-George
Thank you Krater,
On the other hand, I am a hardware guy; this makes me see software as a necessary evil I have to deal with!
Since the time I have in my hands to spare is limited these days, I have not made any significant progress. Anyway, I know that this is not much but here it is:
After a hardware reset, and if the processor boot-mode pins BMODE1:0 == 0b01, code execution begins at address 0x2000.0000, where the FLASH memory lies attached to the processor's asynchronous memory bus interface.
Here are the first 212 bytes of code, directly executed after power up or a hardware/watchdog reset:
[...]
SRAM0:20000000 # ===========================================================================
SRAM0:20000000
SRAM0:20000000 # Segment type: Pure data
SRAM0:20000000 LOADER_00: dd 0xFF800060 # First LOADER from RESET
SRAM0:20000004 _COUNT_00: dd 4 # LDR_01 at: 0x2000000A + 0x0004 = 0x2000000E
SRAM0:20000008 _FLAGS_00: dw 0x10 # Action: IGNORE
SRAM0:2000000A _BLOCK_00: dd 0xAE
SRAM0:2000000E # ---------------------------------------------------------------------------
SRAM0:2000000E LOADER_01: dd 0xFFA08000 # LDR_00 at: 0x20000000
SRAM0:20000012 _COUNT_01: dd 0x98 # LDR_02 at: 0x20000018 + 0x0098 = 0x200000B0
SRAM0:20000016 _FLAGS_01: dw 0 # Action: BLOCK_COPY
SRAM0:20000018 # ---------------------------------------------------------------------------
SRAM0:20000018
SRAM0:20000018 _BLOCK_01:
SRAM0:20000018 [--SP] = ASTAT; # Register-file preservation to the stack
SRAM0:2000001A [--SP] = RETS;
SRAM0:2000001C [--SP] = (R7:0);
SRAM0:2000001E [--SP] = (P5:0);
SRAM0:20000020 [--SP] = I0;
SRAM0:20000022 [--SP] = I1;
SRAM0:20000024 [--SP] = I2;
SRAM0:20000026 [--SP] = I3;
SRAM0:20000028 [--SP] = B0;
SRAM0:2000002A [--SP] = B1;
SRAM0:2000002C [--SP] = B2;
SRAM0:2000002E [--SP] = B3;
SRAM0:20000030 [--SP] = M0;
SRAM0:20000032 [--SP] = M1;
SRAM0:20000034 [--SP] = M2;
SRAM0:20000036 [--SP] = M3;
SRAM0:20000038 [--SP] = L0;
SRAM0:2000003A [--SP] = L1;
SRAM0:2000003C [--SP] = L2;
SRAM0:2000003E [--SP] = L3;
SRAM0:20000040 P0.L = 0xa18; # P0=0xffc00a18
SRAM0:20000044 P0.H = 0xffc0; # SDRAM Refresh Rate Control Register
SRAM0:20000044 -> EBIU_SDRRC
SRAM0:20000048 R0 = 0xfff (Z); # RDIV = 0xFFF (slowest refresh rate)
SRAM0:2000004C W[P0] = R0;
SRAM0:2000004E SSYNC;
SRAM0:20000050 P0.L = 0xa14; # P0=0xffc00a14
SRAM0:20000054 P0.H = 0xffc0; # SDRAM Bank Control Register
SRAM0:20000054 -> EBIU_SDBCTL
SRAM0:20000058 R0 = 0x11 (Z); # SDRAM enabled; size: 16 MB; column address width: 9 bits
SRAM0:2000005C [P0] = R0;
SRAM0:2000005E SSYNC;
SRAM0:20000060 P0.L = 0xa10; # P0=0xffc00a10
SRAM0:20000064 P0.H = 0xffc0; # SDRAM Global Control Register
SRAM0:20000064 -> EBIU_SDGCTL
SRAM0:20000068 R0.L = 0x998d; # R0=0x998d
SRAM0:2000006C R0.H = 0x91; # R0=0x91998d
SRAM0:2000006C -> 0x91998d
SRAM0:20000070 [P0] = R0;
SRAM0:20000072 SSYNC;
SRAM0:20000074 P0.L = 0xa00; # P0=0xffc00a00
SRAM0:20000078 P0.H = 0xffc0; # Asynchronous Memory Global Control Register
SRAM0:20000078 -> EBIU_AMGCTL
SRAM0:2000007C R0 = 0x4 (Z); # Asynchronous Memory Bank0 and Bank1 enabled
SRAM0:20000080 W[P0] = R0;
SRAM0:20000082 SSYNC;
SRAM0:20000084 SSYNC;
SRAM0:20000086 L3 = [SP++]; # Register-file restoration
SRAM0:20000088 L2 = [SP++];
SRAM0:2000008A L1 = [SP++];
SRAM0:2000008C L0 = [SP++];
SRAM0:2000008E M3 = [SP++];
SRAM0:20000090 M2 = [SP++];
SRAM0:20000092 M1 = [SP++];
SRAM0:20000094 M0 = [SP++];
SRAM0:20000096 B3 = [SP++];
SRAM0:20000098 B2 = [SP++];
SRAM0:2000009A B1 = [SP++];
SRAM0:2000009C B0 = [SP++];
SRAM0:2000009E I3 = [SP++];
SRAM0:200000A0 I2 = [SP++];
SRAM0:200000A2 I1 = [SP++];
SRAM0:200000A4 I0 = [SP++];
SRAM0:200000A6 (P5:0) = [SP++];
SRAM0:200000A8 (R7:0) = [SP++];
SRAM0:200000AA RETS = [SP++];
SRAM0:200000AC ASTAT = [SP++];
SRAM0:200000AE RTS; # Return from Subroutine
SRAM0:200000AE # ---------------------------------------------------------------------------
SRAM0:200000B0 LOADER_02: dd 0xFFA08000 # LDR_01 at: 0x2000000E
SRAM0:200000B4 _COUNT_02: dd 2 # LDR_03 at: 0x200000BA + 0x0002 = 0x200000BC
SRAM0:200000B8 _FLAGS_02: dw 8 # Action: INIT @ 0xFFA08000
SRAM0:200000BA _BLOCK_02: dw 0x166
SRAM0:200000BC # ---------------------------------------------------------------------------
SRAM0:200000BC LOADER_03: dd 0xFF800060 # LDR_02 at: 0x200000B0
SRAM0:200000C0 _COUNT_03: dd 4 # LDR_04 at: 0x200000C6 + 0x0004 = 0x200000CA
SRAM0:200000C4 _FLAGS_03: dw 0x10 # Action: IGNORE
SRAM0:200000C6 _BLOCK_03: dd 0x1494C8
SRAM0:200000CA # ---------------------------------------------------------------------------
SRAM0:200000CA LOADER_04: dd 4 # LDR_03 at: 0x200000BC
SRAM0:200000CE _COUNT_04: dd 0xFFFE # LDR_05 at: 0x200000D4 + 0xFFFE = 0x200100D2
SRAM0:200000D2 _FLAGS_04: dw 0 # Action: BLOCK_COPY
SRAM0:200000D4 # ---------------------------------------------------------------------------
SRAM0:200000D4
SRAM0:200000D4 _BLOCK_04: LINK 0x14; # CODE XREF: sub_2000017A+6C
[...]
This is what happens there:
* LOADER_01 copies the _BLOCK_01 code chunk (that initialises the SDRAM and the FLASH memory interfaces) to the INSTRUCTION SRAM space at address 0xFFA0.8000
* LOADER_02 forces the processor to execute the _BLOCK_01 code at the INSTRUCTION SRAM space
* LOADER_04 copies the 65,534 following FLASH bytes to SDRAM at address 0x0000.0004
[...]
* LOADER_231 quits the Boot-ROM and starts program execution after having copied a last chunk of 15,800 FLASH bytes to L1 INSTRUCTION SRAM at address 0xFFA1.0000
Unfortunately, the piece of code at _BLOCK_01 cannot be found in the disassembly listings because it will be overwritten at some point by the LOADER_229, which fills the same address (0xFFA0.8000) with code of the main program.
By the way, Krater, I have updated the following files attached. The modified loader file hopefully displays correctly all the usable address space of the BlackFin. Can you add the processor's register definitions to the IDA loader?
-George
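Added example, not part of George's post or of Krater's plug-in: a small Python walker for the block chain shown in the listing above, where each header is a 4-byte target address, a 4-byte count and a 2-byte flags word followed by the payload. The IGNORE and INIT flag values come from the listing; the ZEROFILL and FINAL bits are assumptions taken from the BF53x boot-stream format, and the block 1 payload bytes and the closing FINAL block in the sample are constructed filler.

```python
import struct

# IGNORE (0x10) and INIT (0x08) are the flag values annotated in the listing;
# ZEROFILL and FINAL are assumed from the BF53x boot-stream format, not the post.
ZEROFILL, INIT, IGNORE, FINAL = 0x0001, 0x0008, 0x0010, 0x8000
HEADER = struct.Struct("<IIH")   # target address, byte count, flags
FLASH_BASE = 0x20000000          # boot stream start address given in the post


def describe(flags):
    names = [n for bit, n in ((ZEROFILL, "ZEROFILL"), (INIT, "INIT"),
                              (IGNORE, "IGNORE"), (FINAL, "FINAL")) if flags & bit]
    return "|".join(names) or "BLOCK_COPY"


def walk_blocks(image, max_blocks=4096):
    """Return one dict per block header; raise ValueError on a malformed stream."""
    blocks, off = [], 0
    while len(blocks) < max_blocks:
        if off + HEADER.size > len(image):
            raise ValueError(f"header at {off:#x} runs past end of image")
        target, count, flags = HEADER.unpack_from(image, off)
        data_off = off + HEADER.size
        payload = 0 if flags & ZEROFILL else count  # ZEROFILL carries no data
        if data_off + payload > len(image):
            raise ValueError(f"block at {off:#x} claims {count:#x} bytes past end")
        blocks.append({"header": FLASH_BASE + off, "target": target,
                       "count": count, "action": describe(flags),
                       "data": FLASH_BASE + data_off})
        if flags & FINAL:
            return blocks
        off = data_off + payload
    raise ValueError("no FINAL block found")


def sample_stream():
    """Headers 0-3 from the listing; block 1 payload and FINAL block constructed."""
    parts = [
        (0xFF800060, IGNORE, (0xAE).to_bytes(4, "little")),
        (0xFFA08000, 0, bytes(0x98)),
        (0xFFA08000, INIT, (0x166).to_bytes(2, "little")),
        (0xFF800060, IGNORE, (0x1494C8).to_bytes(4, "little")),
        (0xFFA10000, FINAL, bytes(8)),
    ]
    return b"".join(HEADER.pack(t, len(d), f) + d for t, f, d in parts)


if __name__ == "__main__":
    for b in walk_blocks(sample_stream()):
        print(f"{b['header']:#010x} -> {b['target']:#010x} {b['action']}")
```

Run against the sample, the header addresses it reports match the LOADER_00 to LOADER_04 addresses in the listing; a truncated image raises ValueError instead of reading past the end.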
[...]
See the MISRA C coding standard, born out of the auto/motor industry in 1998: It will restrict you from directly accessing any lower level hardware resources but it will not make you write better programs; a bad programmer will always be producing bad code, no matter what!
( * ) Just look at the quality of the "engineers" the educational institutions spit out today. Their education is oriented rather in their marketing skills than in actual Electrical Engineering. Quoting a friend of mine, "The only engineers who get promoted to management are the ones who can be spared. The real walking disasters are the ones who think they got promoted because they were good."
Then it's probably not a software issue. So far everything seems to point to a hardware issue for others too. I think earlier in this thread, it was suggested that the problem may be related to either incorrect PCB etching or excessive flux. If you bought yours from an authorized retailer and have not opened it up, I would consider making a warranty claim.
Another desperate 1052e user here! After long hesitation I finally bought this scope a week ago and I'm slowly growing frustrated with it ( I'll explain my problem with pictures.
1. Probe is not connected to BNC. Good flat measurement
2. Probe is connected but not attached to anything. 1X attenuation. Notice ~100 MHz noise
3. Probe is connected but not attached to anything. 10X attenuation
If you have a flat line without probe attached, that means the scope is fine. Your probe picks up ambient noise and you are doing measurements at a very high sensitivity.
When you've put the probe in the compensator output did you also couple the probe's ground to the output ground?
DS1052E new ADC markings!