http://blog.chinaunix.net/u1/38994/showart_1883743.html
CE5.0 - eboot烧写NK.nb0的详细流程
可以参考《CE5.0 - eboot加载NK.nb0的详细流程》
nk.nb0首先通过umon下载到DDR中,然后执行烧写操作,烧写到flash上.
PLATFORM/SMDK2440A/Src/Bootloader/Eboot/main.c
==>BootloaderMain
==>OEMPlatformInit => MainMenu()从串口打印menu选择菜单
==>DownloadImage
dwImageStart = *pdwImageStart = 0x80001000; //0x80001000 & 0x8C200000;
dwImageLength = *pdwImageLength = 0x1500000; // 21M 这个长度被写死了,而且只有21M,必须按自己nk.nb0的实际大小修改[luther.gliethttp]。注意:本文分析的这个nk.nb0,其ROMHDR位于文件偏移0x190DDC8处(见下文),已经超出0x1500000,所以不改长度的话下载和烧写都会被截断,ROMHDR/TOC根本进不了flash.
*pdwLaunchAddr = 0x8002C794;// lanch地址也是固定的
显示menu,根据选择烧写相应的文件,比如输入3表示烧写
// Nk.nb0
case '3':
EdbgOutputDebugString ("Nk.nb0 chosed.../r/n");
dwImageStart = *pdwImageStart = 0x80001000;
dwImageLength = *pdwImageLength = 0x1500000;
*pdwLaunchAddr = 0x8002c794;
g_ImageType = IMAGE_TYPE_RAMIMAGE;//选择将要烧写的文件为Nk.nb0
goto len;//接着接收用户输入的image文件大小[luther.gliethttp]
mid:
if (!g_DownloadManifest.dwNumRegions)//这是第一次调用g_DownloadManifest结构体,所以一定等于0
{
g_DownloadManifest.dwNumRegions = 1;//region总数为1
g_DownloadManifest.Region[0].dwRegionStart = dwImageStart;//起始地址为nk.nb0加载地址,也是umon下载地址[luther.gliethttp]
g_DownloadManifest.Region[0].dwRegionLength = dwImageLength;//nk.nb0文件长度
// Provide the download manifest to the OEM.
//
if (g_pOEMMultiBINNotify)
{
//在OEMDebugInit中g_pOEMMultiBINNotify = OEMMultiBINNotify;进行了赋值.
g_pOEMMultiBINNotify((PDownloadManifest)&g_DownloadManifest);//仅定义1 region
}
}
==>OEMMultiBINNotify
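/*
 * OEMMultiBINNotify
 *
 * Callback handed to the download code through g_pOEMMultiBINNotify (the
 * assignment is done in OEMDebugInit). It receives the manifest of BIN
 * regions that are about to be downloaded, logs each region, and snapshots
 * the manifest into g_BINRegionInfo so that WriteOSImageToBootMedia can
 * later locate and burn every region.
 *
 * pInfo - manifest: pInfo->dwNumRegions entries in pInfo->Region[].
 *
 * No return value. On any rejected manifest g_BINRegionInfo is left as is.
 *
 * The manifest is produced by the download side, so dwNumRegions is treated
 * as untrusted and bounded before it is used as an array index.
 */
void OEMMultiBINNotify(const PMultiBINInfo pInfo)
{
    DWORD nCount;            // DWORD, not BYTE: a BYTE counter would wrap (endless loop) once dwNumRegions >= 256
    DWORD dwMinImageStart;   // lowest region start seen so far (a local; the old g_ prefix was misleading)
    // Capacity of the Region[] array. sizeof() does not dereference pInfo, so this
    // is safe before the NULL check below.
    // NOTE(review): assumes Region is an inline array in MultiBINInfo - confirm against blcommon.h.
    const DWORD dwMaxRegions = sizeof(pInfo->Region) / sizeof(pInfo->Region[0]);

    OALMSG(OAL_FUNC, (TEXT("+OEMMultiBINNotify./r/n")));

    if (!pInfo || !pInfo->dwNumRegions)
    {
        OALMSG(OAL_WARN, (TEXT("WARNING: OEMMultiBINNotify: Invalid BIN region descriptor(s)./r/n")));
        return;
    }

    // Reject a manifest that claims more regions than Region[] can hold: the
    // loop below would otherwise index past the end of the descriptor array.
    if (pInfo->dwNumRegions > dwMaxRegions)
    {
        OALMSG(OAL_WARN, (TEXT("WARNING: OEMMultiBINNotify: Too many BIN regions (%u)./r/n"), pInfo->dwNumRegions));
        return;
    }

    // An all-zero first descriptor means "nothing to download"; not an error.
    if (!pInfo->Region[0].dwRegionStart && !pInfo->Region[0].dwRegionLength)
    {
        return;
    }

    dwMinImageStart = pInfo->Region[0].dwRegionStart;

    OALMSG(TRUE, (TEXT("/r/nDownload BIN file information:/r/n")));
    OALMSG(TRUE, (TEXT("-----------------------------------------------------/r/n")));
    for (nCount = 0 ; nCount < pInfo->dwNumRegions ; nCount++)
    {
        OALMSG(TRUE, (TEXT("[%d]: Base Address=0x%x Length=0x%x/r/n"),
            nCount, pInfo->Region[nCount].dwRegionStart, pInfo->Region[nCount].dwRegionLength));

        // Track the lowest start address; a region that starts at 0 is malformed
        // and aborts the whole notification (g_BINRegionInfo is not updated).
        if (pInfo->Region[nCount].dwRegionStart < dwMinImageStart)
        {
            dwMinImageStart = pInfo->Region[nCount].dwRegionStart;
            if (dwMinImageStart == 0)
            {
                OALMSG(OAL_WARN, (TEXT("WARNING: OEMMultiBINNotify: Bad start address for region (%d)./r/n"), nCount));
                return;
            }
        }
    }

    // Keep a copy for the flash-programming path: WriteOSImageToBootMedia reads
    // g_BINRegionInfo rather than the caller's manifest.
    memcpy((LPBYTE)&g_BINRegionInfo, (LPBYTE)pInfo, sizeof(MultiBINInfo));

    OALMSG(TRUE, (TEXT("-----------------------------------------------------/r/n")));
    OALMSG(OAL_FUNC, (TEXT("_OEMMultiBINNotify./r/n")));
}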
==>if (*(LPDWORD) OEMMapMemAddr (dwImageStart, dwImageStart + ROM_SIGNATURE_OFFSET) == ROM_SIGNATURE) 即nk.nb0的第0x40偏移处的4字节应该为0x43454345("CECE")
// Check for pTOC signature ("CECE") here, after image in place
if (*(LPDWORD) OEMMapMemAddr (dwImageStart, dwImageStart + ROM_SIGNATURE_OFFSET) == ROM_SIGNATURE)
{
//#define ROM_SIGNATURE_OFFSET 0x40 // Offset from the image's physfirst address to the ROM signature.
//#define ROM_SIGNATURE 0x43454345
//#define ROM_TOC_POINTER_OFFSET 0x44 // Offset from the image's physfirst address to the TOC pointer.
//#define ROM_TOC_OFFSET_OFFSET 0x48 // Offset from the image's physfirst address to the TOC offset (from physfirst).
//使用winhex在nk.nb0获得如下数据
//00000040 : 45 43 45 43 C8 ED 90 81 C8 DD 90 01 00 00 00 00
//所以dwImageStart + ROM_SIGNATURE_OFFSET + sizeof(ULONG)大小等于0x40+4=0x44所以对应的内容为0x8190EDC8
//在上面的DownloadImage中可以看到dwImageStart = 0x80001000;
//0x8190EDC8为TOC指针虚拟地址值,0x190DDC8为其对应的物理地址偏移
//所以0x8190EDC8 - 0x80001000 = 0x190DDC8
//其实这个差值就存储在了0x48偏移地址处[luther.gliethttp]
//注意:下面第一条 dwpToc = *(LPDWORD) OEMMapMemAddr(...) 语句读取的是dwImageStart + 0x44处的4字节,
//得到的就是0x8190EDC8这个值(ROMHDR的指针),而不是0x8190EDC8处的内容
//随后 dwpToc = OEMMapMemAddr(dwImageStart, 0x8190EDC8 + g_dwROMOffset),即把这个指针映射成ROMHDR在RAM中的地址
//0x8190EDC8对应文件偏移0x190DDC8,用winhex看该处前4字节为 E3 01 DA 01 (即0x01DA01E3),
//这是ROMHDR的第一个字段dllfirst(见下面的结构体和字段列表),并不是dwpToc的值
//g_dwROMOffset没有地方对其赋值,所以其值为默认值0
//typedef struct ROMHDR {
// ULONG dllfirst; // first DLL address
// ULONG dlllast; // last DLL address
// ULONG physfirst; // first physical address
// ULONG physlast; // highest physical address
// ULONG nummods; // number of TOCentry's
// ULONG ulRAMStart; // start of RAM
// ULONG ulRAMFree; // start of RAM free space
// ULONG ulRAMEnd; // end of RAM
// ULONG ulCopyEntries; // number of copy section entries
// ULONG ulCopyOffset; // offset to copy section
// ULONG ulProfileLen; // length of PROFentries RAM
// ULONG ulProfileOffset; // offset to PROFentries
// ULONG numfiles; // number of FILES
// ULONG ulKernelFlags; // optional kernel flags from ROMFLAGS .bib config option
// ULONG ulFSRamPercent; // Percentage of RAM used for filesystem
// // from FSRAMPERCENT .bib config option
// // byte 0 = #4K chunks/Mbyte of RAM for filesystem 0-2Mbytes 0-255
// // byte 1 = #4K chunks/Mbyte of RAM for filesystem 2-4Mbytes 0-255
// // byte 2 = #4K chunks/Mbyte of RAM for filesystem 4-6Mbytes 0-255
// // byte 3 = #4K chunks/Mbyte of RAM for filesystem > 6Mbytes 0-255
//
// ULONG ulDrivglobStart; // device driver global starting address
// ULONG ulDrivglobLen; // device driver global length
// USHORT usCPUType; // CPU (machine) Type
// USHORT usMiscFlags; // Miscellaneous flags
// PVOID pExtensions; // pointer to ROM Header extensions
// ULONG ulTrackingStart; // tracking memory starting address
// ULONG ulTrackingLen; // tracking memory ending address
//} ROMHDR;
//#define TOCentry_dwFileAttributes 0
//#define TOCentry_ftTime 4
//#define TOCentry_lpszFileSize 12
//#define TOCentry_lpszFileName 16
//#define TOCentry_ulE32Offset 20
//#define TOCentry_ulO32Offset 24
//#define TOCentry_ulLoadOffset 28
//#define SIZEOF_TOCentry 32
//typedef struct TOCentry { // MODULE BIB section structure
// DWORD dwFileAttributes;
// FILETIME ftTime;
// DWORD nFileSize;
// LPSTR lpszFileName;
// ULONG ulE32Offset; // Offset to E32 structure
// ULONG ulO32Offset; // Offset to O32 structure
// ULONG ulLoadOffset; // MODULE load buffer offset
//} TOCentry, *LPTOCentry;
//0190DDC0 : 57 EF 50 00 58 00 00 00 E3 01 DA 01 00 00 00 02
//0190DDD0 : 00 10 00 80 94 0D 91 81 AD 00 00 00 00 00 20 8C
//0190DDE0 : 00 90 22 8C 00 00 00 8E 01 00 00 00 C0 3D C2 80
//0190DDF0 : 00 00 00 00 00 00 00 00 5A 00 00 00 02 00 00 00
//0190DE00 : 80 80 80 80 00 00 00 00 00 00 00 00 C2 01 02 00
//0190DE10 : 10 32 00 80 00 00 00 00 00 00 00 00 07 00 00 00 //07 00 00 00 开始为TOC,一共占32字节空间
//0190DE20 : D4 A3 9A 28 AB 1E C7 01 00 B0 06 00 F8 1F C5 80 //该4字节F8 1F C5 80为TOCentry_lpszFileName虚拟地址,其偏移值为0x80C51FF8 - 0x80001000 = 0xC50FF8
//0190DE30 : 84 CF 58 80 9C CF 1F 80 00 10 00 80 07 10 00 00 //从该07 10 00 00 00开始为下一个TOC,一共占32字节空间
//0190DE40 : 3A F3 8F 3C AB 1E C7 01 00 84 08 00 F4 5F 4D 80
//0190DE50 : 6C 5F C9 80 A0 0F C2 80 00 90 09 80 07 00 00 00
//从0x0190DDC8开始
//dllfirst = 0x01DA01E3
//dlllast = 0x02000000 (dump中为 00 00 00 02,小端)
//physfirst = 0x80001000
//physlast = 0x81910D94
//nummods = 0x000000AD
//ulRAMStart= 0x8C200000
//ulRAMFree = 0x8C229000
//ulRAMEnd = 0x8E000000
//ulCopyEntries = 0x00000001
//ulCopyOffset = 0x80C23DC0
//ulProfileLen = 0x00000000
//ulProfileOffset = 0x00000000
//numfiles = 0x0000005A
//ulKernelFlags = 0x00000002
//ulFSRamPercent= 0x80808080
//ulDrivglobStart = 0x00000000
//ulDrivglobLen = 0x00000000
//usCPUType = 0x01C2
//usMiscFlags = 0x0002
//pExtensions = 0x80003210
//ulTrackingStart = 0x00000000
//ulTrackingLen = 0x00000000
//紧跟ROMHDR其后的为nummods个TOCentry结构体
dwpToc = *(LPDWORD) OEMMapMemAddr (dwImageStart, dwImageStart + ROM_SIGNATURE_OFFSET + sizeof(ULONG));//OEMMapMemAddr直接返回dwImageStart + ROM_SIGNATURE_OFFSET + sizeof(ULONG))数值,即0x8190EDC8这个虚拟地址处的内容,0x8190EDC8虚拟地址对应的物理偏移值为0x190DDC8,该值位于0x48偏移处[luther.gliethttp]
// need to map the content again since the pointer is going to be in a fixup address
dwpToc = (DWORD) OEMMapMemAddr (dwImageStart, dwpToc + g_dwROMOffset);
EdbgOutputDebugString ("ROMHDR at Address %Xh/r/n", dwImageStart + ROM_SIGNATURE_OFFSET + sizeof (DWORD)); // right after signature
}
case BL_JUMP:
==>OEMLaunch
==>switch (g_ImageType)
case IMAGE_TYPE_RAMIMAGE:
g_pTOC->id[g_dwTocEntry].dwLoadAddress = dwImageStart;
g_pTOC->id[g_dwTocEntry].dwTtlSectors = FILE_TO_SECTOR_SIZE(dwImageLength);
if (!WriteOSImageToBootMedia(dwImageStart, dwImageLength, dwLaunchAddr))//写数据
{
OALMSG(OAL_ERROR, (TEXT("ERROR: OEMLaunch: Failed to store image to Smart Media./r/n")));
goto CleanUp;
}
if (dwLaunchAddr && (g_pTOC->id[g_dwTocEntry].dwJumpAddress != dwLaunchAddr))
{
//*pdwLaunchAddr = 0x8002C794;// 我们的lanch地址也是固定的
g_pTOC->id[g_dwTocEntry].dwJumpAddress = dwLaunchAddr;//修改跳转地址到位于block块1区的TOC数据
if ( !TOC_Write() ) {//回写TOC到block块1
EdbgOutputDebugString("*** OEMLaunch ERROR: TOC_Write failed! Next boot may not load from disk *** /r/n");
}
TOC_Print();
}
else
{
dwLaunchAddr= g_pTOC->id[g_dwTocEntry].dwJumpAddress;
EdbgOutputDebugString("INFO: using TOC[%d] dwJumpAddress: 0x%x/r/n", g_dwTocEntry, dwLaunchAddr);
}
break;
//然后就执行Launch()跳转到内核入口.
// Jump to downloaded image (use the physical address since we'll be turning the MMU off)...
//
dwPhysLaunchAddr = (DWORD)OALVAtoPA((void *)dwLaunchAddr);//根据位于PLATFORM/SMDK2440A/Src/Inc/oemaddrtab_cfg.inc下的g_oalAddressTable定义的转换表,将虚拟地址转为对应的物理地址
OALMSG(TRUE, (TEXT("INFO: OEMLaunch: Jumping to Physical Address 0x%Xh (Virtual Address 0x%Xh).../r/n/r/n/r/n"), dwPhysLaunchAddr, dwLaunchAddr));//打印该log信息
// Jump...
//
Launch(dwPhysLaunchAddr);//执行PLATFORM/SMDK2440A/Src/Bootloader/Eboot/util.s|32| LEAF_ENTRY Launch中定义的Lanuch函数,代码见下面[lutehr.gliethttp]
/*
 @func BOOL | WriteOSImageToBootMedia | Stores the image cached in RAM to the Boot Media.
 The image may be comprised of one or more BIN regions.
 @rdesc TRUE = Success, FALSE = Failure.
 @comm Called from OEMLaunch for IMAGE_TYPE_RAMIMAGE. Inputs are the region list in
 g_BINRegionInfo (filled in by OEMMultiBINNotify), the TOC in g_pTOC and the boot-media
 state (g_bBootMediaExist, g_dwLastWrittenLoc). Steps:
   1. make sure the TOC is valid (TOC_Init if it is not),
   2. look for a multi-BIN "chain information" extension to size the BINFS partition,
   3. open/create the BINFS partition right after the MBR,
   4. write every region, updating g_pTOC for the kernel region (or the chain region),
   5. create an extended (DOS32) partition in whatever space is left.
 NOTE(review): nothing in this path authenticates the downloaded image. The only content
 check is the "CECE" ROM signature (here and in GetKernelExtPointer), so whatever was
 received over the download link is burned as-is.
 @xref
 */
BOOL WriteOSImageToBootMedia(DWORD dwImageStart, DWORD dwImageLength, DWORD dwLaunchAddr)
{
    BYTE nCount;
    DWORD dwNumExts;
    PXIPCHAIN_SUMMARY pChainInfo = NULL;
    EXTENSION *pExt = NULL;
    DWORD dwBINFSPartLength = 0;
    HANDLE hPart, hPartEx;
    DWORD dwStoreOffset;
    DWORD dwMaxRegionLength[BL_MAX_BIN_REGIONS] = {0};
    DWORD dwChainStart, dwChainLength;

    // Initialize the variables
    dwChainStart = dwChainLength = 0;

    OALMSG(OAL_FUNC, (TEXT("+WriteOSImageToBootMedia/r/n")));
    OALMSG(OAL_INFO, (TEXT("+WriteOSImageToBootMedia: g_dwTocEntry =%d, ImageStart: 0x%x, ImageLength: 0x%x, LaunchAddr:0x%x/r/n"),
        g_dwTocEntry, dwImageStart, dwImageLength, dwLaunchAddr));

    if ( !g_bBootMediaExist )
    {
        OALMSG(OAL_ERROR, (TEXT("ERROR: WriteOSImageToBootMedia: device doesn't exist./r/n")));
        return(FALSE);
    }

    // A missing/corrupt TOC is rebuilt from the arguments rather than treated as fatal.
    if ( !VALID_TOC(g_pTOC) )
    {
        OALMSG(OAL_WARN, (TEXT("WARN: WriteOSImageToBootMedia: INVALID_TOC/r/n")));
        if ( !TOC_Init(g_dwTocEntry, g_ImageType, dwImageStart, dwImageLength, dwLaunchAddr) )
        {
            OALMSG(OAL_ERROR, (TEXT("ERROR: INVALID_TOC/r/n")));
            return(FALSE);
        }
    }

    // Look in the kernel region's extension area for a multi-BIN extension descriptor.
    // This region, if found, details the number, start, and size of each BIN region.
    // In the flow described in this article there is exactly one region to burn: nk.nb0.
    for (nCount = 0, dwNumExts = 0 ; (nCount < g_BINRegionInfo.dwNumRegions); nCount++)
    {
        // Does this region contain nk.exe and an extension pointer?
        // For the nk.nb0 analysed here this returns ROMHDR.pExtensions = 0x80003210
        // (see the analysis under GetKernelExtPointer), i.e. file offset
        // 0x80003210 - 0x80001000 = 0x2210 in nk.nb0.
        pExt = (EXTENSION *)GetKernelExtPointer(g_BINRegionInfo.Region[nCount].dwRegionStart,
                                                g_BINRegionInfo.Region[nCount].dwRegionLength );
        if ( pExt != NULL)
        {
            // Layout of one extension record (romldr.h):
            //   #define PID_LENGTH 10
            //   typedef struct ROMPID {
            //       union{
            //           DWORD dwPID[PID_LENGTH];            // 40 bytes in total
            //           struct{
            //               char name[(PID_LENGTH - 4) * sizeof(DWORD)];
            //               DWORD type;
            //               PVOID pdata;
            //               DWORD length;
            //               DWORD reserved;
            //           };
            //       };
            //       PVOID pNextExt;                         // pointer to next extension if any
            //   } ROMPID, EXTENSION;                        // 44 bytes in total
            // In the nk.nb0 of this article the 44 bytes at offset 0x2210 are all zero,
            // so no "chain information" extension is found and pNextExt ends the walk.
            //
            // If there is an extension pointer region, walk it until the end.
            // NOTE(review): pExt is remapped through OEMMapMemAddr before use, but neither
            // pExt nor the image-supplied pNextExt/pdata is checked against the region
            // bounds, and a cyclic pNextExt chain would never terminate.
            while (pExt)
            {
                DWORD dwBaseAddr = g_BINRegionInfo.Region[nCount].dwRegionStart;
                pExt = (EXTENSION *)OEMMapMemAddr(dwBaseAddr, (DWORD)pExt);
                OALMSG(OAL_INFO, (TEXT("INFO: OEMLaunch: Found chain extenstion: '%s' @ 0x%x/r/n"), pExt->name, dwBaseAddr));
                if ((pExt->type == 0) && !strcmp(pExt->name, "chain information"))
                {
                    pChainInfo = (PXIPCHAIN_SUMMARY) OEMMapMemAddr(dwBaseAddr, (DWORD)pExt->pdata);
                    dwNumExts = (pExt->length / sizeof(XIPCHAIN_SUMMARY));
                    OALMSG(OAL_INFO, (TEXT("INFO: OEMLaunch: Found 'chain information' (pChainInfo=0x%x Extensions=0x%x)./r/n"), (DWORD)pChainInfo, dwNumExts));
                    break;
                }
                pExt = (EXTENSION *)pExt->pNextExt;
            }
        }
        else {
            // Search for Chain region. Chain region doesn't have the ROMSIGNATURE set
            DWORD dwRegionStart = g_BINRegionInfo.Region[nCount].dwRegionStart;
            DWORD dwSig = *(LPDWORD) OEMMapMemAddr(dwRegionStart, dwRegionStart + ROM_SIGNATURE_OFFSET);
            if ( dwSig != ROM_SIGNATURE) {
                // It is the chain
                dwChainStart = dwRegionStart;
                dwChainLength = g_BINRegionInfo.Region[nCount].dwRegionLength;
                OALMSG(TRUE, (TEXT("Found the Chain region: StartAddress: 0x%X; Length: 0x%X/n"), dwChainStart, dwChainLength));
            }
        }
    }

    // Determine how big the Total BINFS partition needs to be to store all of this.
    //
    if (pChainInfo && dwNumExts == g_BINRegionInfo.dwNumRegions) // We're downloading all the regions in a multi-region image...
    {
        DWORD i;
        OALMSG(TRUE, (TEXT("Writing multi-regions/r/n")));
        for (nCount = 0, dwBINFSPartLength = 0 ; nCount < dwNumExts ; nCount++)
        {
            dwBINFSPartLength += (pChainInfo + nCount)->dwMaxLength;
            // NOTE(review): this is an informational trace logged at OAL_ERROR level.
            OALMSG(OAL_ERROR, (TEXT("BINFSPartMaxLength[%u]: 0x%x, TtlBINFSPartLength: 0x%x /r/n"),
                nCount, (pChainInfo + nCount)->dwMaxLength, dwBINFSPartLength));

            // MultiBINInfo does not store each Regions MAX length, and pChainInfo is not in any particular order.
            // So, walk our MultiBINInfo matching up pChainInfo to find each regions MAX Length
            for (i = 0; i < dwNumExts; i++) {
                if ( g_BINRegionInfo.Region[i].dwRegionStart == (DWORD)((pChainInfo + nCount)->pvAddr) ) {
                    dwMaxRegionLength[i] = (pChainInfo + nCount)->dwMaxLength;
                    OALMSG(TRUE, (TEXT("dwMaxRegionLength[%u]: 0x%x /r/n"), i, dwMaxRegionLength[i]));
                    break;
                }
            }
        }
    }
    else // A single BIN file or potentially a multi-region update (but the partition's already been created in this latter case).
    {
        // This is the branch taken for the single nk.nb0 download in this article.
        dwBINFSPartLength = g_BINRegionInfo.Region[0].dwRegionLength;
        OALMSG(TRUE, (TEXT("Writing single region/multi-region update, dwBINFSPartLength: %u /r/n"), dwBINFSPartLength));
    }

    // Open/Create the BINFS partition where images are stored. This partition starts immediately after the MBR on the Boot Media and its length is
    // determined by the maximum image size (or sum of all maximum sizes in a multi-region design).
    // Parameters are LOGICAL sectors.
    //
    // Creates the primary partition for nk.nb0: it starts at sector (IMAGE_START_BLOCK+1)*PAGES_PER_BLOCK
    // and spans SECTOR_TO_BLOCK_SIZE(FILE_TO_SECTOR_SIZE(dwBINFSPartLength))*PAGES_PER_BLOCK sectors
    // (rounded up to whole blocks). The partition is registered in the MBR; hPart is the handle to it.
    hPart = BP_OpenPartition( (IMAGE_START_BLOCK+1)*PAGES_PER_BLOCK, // next block of MBR
                              SECTOR_TO_BLOCK_SIZE(FILE_TO_SECTOR_SIZE(dwBINFSPartLength))*PAGES_PER_BLOCK, // align to block
                              PART_BINFS,
                              TRUE,
                              PART_OPEN_ALWAYS);
    if (hPart == INVALID_HANDLE_VALUE )
    {
        OALMSG(OAL_ERROR, (TEXT("ERROR: WriteOSImageToBootMedia: Failed to open/create partition./r/n")));
        return(FALSE);
    }

    // Are there multiple BIN files in RAM (we may just be updating one in a multi-BIN solution)?
    //
    for (nCount = 0, dwStoreOffset = 0; nCount < g_BINRegionInfo.dwNumRegions ; nCount++)
    {
        // RAM address where this region is cached. Per the article, for this board the nk.nb0
        // download address 0x32001000 corresponds to virtual address 0x80001000.
        DWORD dwRegionStart = (DWORD)OEMMapMemAddr(0, g_BINRegionInfo.Region[nCount].dwRegionStart);
        DWORD dwRegionLength = g_BINRegionInfo.Region[nCount].dwRegionLength;

        // Media byte offset where image region is stored.
        // Multi-BIN regions are packed back to back in the partition; dwStoreOffset (a byte
        // offset inside the partition, the "logical address" used below) advances by the
        // previous region's maximum length.
        dwStoreOffset += nCount ? dwMaxRegionLength[nCount-1] : 0;

        // Set the file pointer (byte indexing) to the correct offset for this particular region.
        //
        if ( !BP_SetDataPointer(hPart, dwStoreOffset) )
        {
            OALMSG(OAL_ERROR, (TEXT("ERROR: StoreImageToBootMedia: Failed to set data pointer in partition (offset=0x%x)./r/n"), dwStoreOffset));
            return(FALSE);
        }

        // Write the region to the BINFS partition.
        // Writes dwRegionLength bytes starting at partition byte offset dwStoreOffset (see BP_WriteData below).
        //
        if ( !BP_WriteData(hPart, (LPBYTE)dwRegionStart, dwRegionLength) )
        {
            EdbgOutputDebugString("ERROR: StoreImageToBootMedia: Failed to write region to BINFS partition (start=0x%x, length=0x%x)./r/n", dwRegionStart, dwRegionLength);
            return(FALSE);
        }

        // update our TOC?
        //
        if ((g_pTOC->id[g_dwTocEntry].dwLoadAddress == g_BINRegionInfo.Region[nCount].dwRegionStart) &&
            g_pTOC->id[g_dwTocEntry].dwTtlSectors == FILE_TO_SECTOR_SIZE(dwRegionLength) )
        {
            // The region being written is the one the TOC entry describes (this is the
            // case for nk.nb0 here), so record where it was stored.
            g_pTOC->id[g_dwTocEntry].dwStoreOffset = dwStoreOffset;      // byte offset inside the partition
            g_pTOC->id[g_dwTocEntry].dwJumpAddress = 0;                   // Filled upon return to OEMLaunch
            g_pTOC->id[g_dwTocEntry].dwImageType = g_ImageType;
            g_pTOC->id[g_dwTocEntry].sgList[0].dwSector = FILE_TO_SECTOR_SIZE(g_dwLastWrittenLoc);   // g_dwLastWrittenLoc is set by BP_WriteData
            g_pTOC->id[g_dwTocEntry].sgList[0].dwLength = g_pTOC->id[g_dwTocEntry].dwTtlSectors;

            // copy Kernel Region to SDRAM for jump
            // NOTE(review): dwLoadAddress equals the region start here and dwRegionStart is its
            // OEMMapMemAddr(0, ...) mapping; if the two alias the same RAM this memcpy copies a
            // buffer onto itself, which is undefined for memcpy (memmove would be the safe form).
            memcpy((void*)g_pTOC->id[g_dwTocEntry].dwLoadAddress, (void*)dwRegionStart, dwRegionLength);
            OALMSG(TRUE, (TEXT("Updateded TOC!/r/n")));
        }
        else if( (dwChainStart == g_BINRegionInfo.Region[nCount].dwRegionStart) &&
                 (dwChainLength == g_BINRegionInfo.Region[nCount].dwRegionLength))
        {
            // Not reached in this article's single-region flow.
            // Update our TOC for Chain region
            g_pTOC->chainInfo.dwLoadAddress = dwChainStart;
            g_pTOC->chainInfo.dwFlashAddress = FILE_TO_SECTOR_SIZE(g_dwLastWrittenLoc);
            // g_dwLastWrittenLoc was updated inside BP_WriteData():
            //   g_dwLastWrittenLoc = dwBlock * g_dwDataBytesPerBlock + dwOffsetBlock;
            // i.e. the physical byte address of the first byte just written.
            g_pTOC->chainInfo.dwLength = FILE_TO_SECTOR_SIZE(dwMaxRegionLength[nCount]);
            OALMSG(TRUE, (TEXT("Written Chain Region to the Flash/n")));
            OALMSG(TRUE, (TEXT("LoadAddress = 0x%X; FlashAddress = 0x%X; Length = 0x%X/n"),
                g_pTOC->chainInfo.dwLoadAddress,
                g_pTOC->chainInfo.dwFlashAddress,
                g_pTOC->chainInfo.dwLength));

            // Now copy it to the SDRAM
            memcpy((void *)g_pTOC->chainInfo.dwLoadAddress, (void *)dwRegionStart, dwRegionLength);
        }
    }

    // create extended partition in whatever is left
    //
    // Resulting layout on the boot media:
    //   1. eboot.nb0 primary partition
    //   2. nk.nb0 primary partition (BINFS, created above)
    //   3. extended partition (everything that remains)
    hPartEx = BP_OpenPartition( NEXT_FREE_LOC,
                                USE_REMAINING_SPACE,
                                PART_DOS32,
                                TRUE,
                                PART_OPEN_ALWAYS);
    if (hPartEx == INVALID_HANDLE_VALUE )
    {
        OALMSG(OAL_WARN, (TEXT("*** WARN: StoreImageToBootMedia: Failed to open/create Extended partition ***/r/n")));
    }

    OALMSG(OAL_FUNC, (TEXT("-WriteOSImageToBootMedia/r/n")));
    // At this point the MBR entry for nk.nb0 exists, nk.nb0 has been written, the TOC in block 1
    // has been updated and the extended partition has been created (or at least attempted).
    return(TRUE);
}
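/*
 * IsInsideRegion: returns non-zero when the dwSize bytes starting at dwAddr lie
 * entirely within [dwRegionStart, dwRegionStart + dwRegionLength). Both
 * addresses are in the image's own address space (the one the region's
 * dwRegionStart is expressed in). Written without computing dwAddr + dwSize
 * so that an image-supplied address or size near 0xFFFFFFFF cannot wrap
 * around and pass the check.
 */
static int IsInsideRegion(DWORD dwRegionStart, DWORD dwRegionLength, DWORD dwAddr, DWORD dwSize)
{
    DWORD dwOffset;

    if (dwAddr < dwRegionStart)
        return 0;
    dwOffset = dwAddr - dwRegionStart;
    if (dwOffset >= dwRegionLength)
        return 0;
    return dwSize <= dwRegionLength - dwOffset;
}

/*
 @func PVOID | GetKernelExtPointer | Locates the kernel region's extension area pointer.
 @rdesc ROMHDR.pExtensions of the region (still in the image's address space, e.g.
 0x80003210 for the nk.nb0 of this article), or NULL when the region is not a
 well-formed kernel region or its TOC does not contain nk.exe.
 @comm dwRegionStart/dwRegionLength describe a region cached in RAM and reachable
 through OEMMapMemAddr. Everything parsed here - the ROMHDR pointer at offset 0x44,
 nummods, the TOC entries and their lpszFileName pointers - comes straight from the
 downloaded image, so each is bounds-checked against the region before it is
 dereferenced; a malformed image yields NULL instead of a wild read.
 @xref
 */
PVOID GetKernelExtPointer(DWORD dwRegionStart, DWORD dwRegionLength)
{
    DWORD dwCacheAddress = 0;
    ROMHDR *pROMHeader;
    DWORD dwNumModules = 0;
    TOCentry *pTOC;

    if (dwRegionStart == 0 || dwRegionLength == 0)
        return(NULL);

    // The signature lives at offset 0x40 and the ROMHDR pointer right after it;
    // a region too short to hold both cannot be a kernel region.
    if (dwRegionLength < ROM_SIGNATURE_OFFSET + 2 * sizeof(ULONG))
        return NULL;

    // First check the region's ROM signature ("CECE").
    if (*(LPDWORD) OEMMapMemAddr (dwRegionStart, dwRegionStart + ROM_SIGNATURE_OFFSET) != ROM_SIGNATURE)
        return NULL;

    // A pointer to the ROMHDR structure lives just past the ROM_SIGNATURE (which is a longword value). Note that
    // this pointer is remapped since it might be a flash address (image destined for flash), but is actually cached
    // in RAM. For the nk.nb0 of this article the value at offset 0x44 is 0x8190EDC8.
    dwCacheAddress = *(LPDWORD) OEMMapMemAddr (dwRegionStart, dwRegionStart + ROM_SIGNATURE_OFFSET + sizeof(ULONG));

    // The pointer is in the same address space as dwRegionStart (0x8190EDC8 - 0x80001000 =
    // file offset 0x190DDC8 here); the whole ROMHDR must fit inside the region.
    if (!IsInsideRegion(dwRegionStart, dwRegionLength, dwCacheAddress, sizeof(ROMHDR)))
        return NULL;

    pROMHeader = (ROMHDR *) OEMMapMemAddr (dwRegionStart, dwCacheAddress);
    // ROMHDR of the nk.nb0 analysed in this article (file offset 0x190DDC8, virtual 0x8190EDC8),
    // decoded with winhex:
    //   dllfirst        = 0x01DA01E3
    //   dlllast         = 0x02000000   (bytes 00 00 00 02, little-endian)
    //   physfirst       = 0x80001000
    //   physlast        = 0x81910D94
    //   nummods         = 0x000000AD
    //   ulRAMStart      = 0x8C200000
    //   ulRAMFree       = 0x8C229000
    //   ulRAMEnd        = 0x8E000000
    //   ulCopyEntries   = 0x00000001
    //   ulCopyOffset    = 0x80C23DC0
    //   ulProfileLen    = 0x00000000
    //   ulProfileOffset = 0x00000000
    //   numfiles        = 0x0000005A
    //   ulKernelFlags   = 0x00000002
    //   ulFSRamPercent  = 0x80808080
    //   ulDrivglobStart = 0x00000000
    //   ulDrivglobLen   = 0x00000000
    //   usCPUType       = 0x01C2
    //   usMiscFlags     = 0x0002
    //   pExtensions     = 0x80003210
    //   ulTrackingStart = 0x00000000
    //   ulTrackingLen   = 0x00000000
    // nummods TOCentry structures follow the ROMHDR immediately.
    //
    // The string "nk.exe" (6E 6B 2E 65 78 65) sits at file offset 0xC50FF8 in that nk.nb0,
    // i.e. virtual address 0x80001000 + 0xC50FF8 = 0x80C51FF8, stored little-endian as
    // F8 1F C5 80. That pointer appears at file offset 0x190DE2C, inside the first TOCentry.

    // Make sure there are some modules in the table of contents.
    //
    if ((dwNumModules = pROMHeader->nummods) == 0)
        return NULL;

    // nummods is image-supplied: the nummods entries following the ROMHDR must also
    // fit in the region. The division guards the multiplication against overflow.
    if (dwNumModules > dwRegionLength / sizeof(TOCentry) ||
        !IsInsideRegion(dwRegionStart, dwRegionLength, dwCacheAddress + sizeof(ROMHDR), dwNumModules * sizeof(TOCentry)))
        return NULL;

    // Locate the table of contents and search for the kernel executable; the TOC immediately follows the ROMHDR.
    //
    pTOC = (TOCentry *)(pROMHeader + 1);
    while(dwNumModules--) {
        char* pFileName;

        // lpszFileName is another image-supplied pointer. strcmp against the literal
        // "nk.exe" reads at most sizeof("nk.exe") bytes (it stops at the first
        // mismatch or at the literal's terminator), so that is the span that has to
        // lie inside the region before the compare.
        if (!IsInsideRegion(dwRegionStart, dwRegionLength, (DWORD)pTOC->lpszFileName, sizeof("nk.exe")))
            return NULL;

        pFileName = OEMMapMemAddr(dwRegionStart, (DWORD)pTOC->lpszFileName);
        // In the nk.nb0 built for this article nk.exe is the very first TOC entry.
        // Printing every name here is a handy way to see what the kernel image holds.
        if (!strcmp((const char *)pFileName, "nk.exe")) {
            // This is a valid kernel region; hand back ROMHDR.pExtensions (0x80003210 here).
            return ((PVOID)(pROMHeader->pExtensions));
        }
        ++pTOC;
    }
    return NULL;
}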
/*
 * BP_SetDataPointer
 *
 * Positions the partition's read/write pointer at byte offset dwAddress
 * (relative to the start of the partition). Subsequent BP_WriteData calls
 * start at that offset.
 *
 * hPartition - handle returned by BP_OpenPartition (really a PPARTSTATE).
 * dwAddress  - byte offset inside the partition.
 *
 * Returns FALSE for an invalid handle or an offset at or beyond the end of
 * the partition (Part_TotalSectors * bytes per sector), TRUE otherwise.
 */
BOOL BP_SetDataPointer (HANDLE hPartition, DWORD dwAddress)
{
    PPARTSTATE pState;

    if (hPartition == INVALID_HANDLE_VALUE)
        return FALSE;

    RETAILMSG(1,(TEXT("BP_SetDataPointer at 0x%x/r/n"), dwAddress));

    pState = (PPARTSTATE) hPartition;

    // Offset must fall inside the partition's byte range.
    if (dwAddress >= pState->pPartEntry->Part_TotalSectors * g_FlashInfo.wDataBytesPerSector)
        return FALSE;

    /*
    typedef struct _PARTSTATE {
        PPARTENTRY pPartEntry;
        DWORD dwDataPointer;   // Pointer to where next read and write will occur
    } PARTSTATE, *PPARTSTATE;
    */
    pState->dwDataPointer = dwAddress;   // byte offset used by the next read/write
    return TRUE;
}
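/*
 * BP_WriteData
 *
 * Writes dwLength bytes from pbBuffer into partition hPartition at the byte
 * offset previously set with BP_SetDataPointer(), then advances that offset.
 * Logical partition offsets are mapped to physical NAND blocks with
 * Log2Phys(); bad blocks are skipped, never remapped (see Log2Phys).
 *
 * The write runs in three phases so that whole blocks go straight from pbBuffer:
 *   1. a partial block up to the first block boundary (read-modify-write through g_pbBlock),
 *   2. as many whole blocks as fit,
 *   3. the remaining tail into the head of one more block (read-modify-write).
 *
 * Side effects: erases and rewrites the affected blocks, updates
 * pPartState->dwDataPointer, and leaves the physical byte address of the first
 * byte written in g_dwLastWrittenLoc for the caller (WriteOSImageToBootMedia
 * uses it to fill in the TOC).
 *
 * Returns TRUE on success, FALSE on any argument, bounds, mapping, read, erase
 * or write failure. On failure some blocks may already have been rewritten.
 */
BOOL BP_WriteData(HANDLE hPartition, LPBYTE pbBuffer, DWORD dwLength)
{
    if (hPartition == INVALID_HANDLE_VALUE)
        return FALSE;

    DWORD dwNumBlocks;
    PPARTSTATE pPartState = (PPARTSTATE) hPartition;
    DWORD dwNextPtrValue = pPartState->dwDataPointer + dwLength;

    RETAILMSG (1, (TEXT("WriteData: Start = 0x%x, Length = 0x%x./r/n"), pPartState->dwDataPointer, dwLength));

    if (!pbBuffer || !g_pbBlock || dwLength == 0) {
        RETAILMSG(1,(TEXT("BP_WriteData Fails. pbBuffer = 0x%x, g_pbBlock = 0x%x, dwLength = 0x%x/r/n"), pbBuffer, g_pbBlock, dwLength));
        return(FALSE);
    }

    // dwLength comes from the region manifest. If dwDataPointer + dwLength wraps
    // around, the partition-bounds check below would pass with a tiny
    // dwNextPtrValue and the loops would run off the end of the partition.
    if (dwNextPtrValue < pPartState->dwDataPointer) {
        RETAILMSG (1, (TEXT("WriteData: length overflows the data pointer./r/n")));
        return FALSE;
    }

    // Check to make sure buffer size is within limits of partition
    // (last byte written must be inside the partition's sector count).
    if (((dwNextPtrValue - 1) / g_FlashInfo.wDataBytesPerSector) >= pPartState->pPartEntry->Part_TotalSectors) {
        RETAILMSG (1, (TEXT("WriteData: trying to write past end of partition./r/n")));
        return FALSE;
    }

    // Get the starting physical block: the data pointer's sector plus the partition's
    // start sector is a logical sector; Log2Phys turns it into a physical sector
    // (skipping bad blocks) and may fail with INVALID_ADDR, which must not be used as a block number.
    DWORD dwPhysSector = Log2Phys (pPartState->dwDataPointer / g_FlashInfo.wDataBytesPerSector + pPartState->pPartEntry->Part_StartSector);
    if (dwPhysSector == INVALID_ADDR) {
        RETAILMSG (1, (TEXT("WriteData: failed to map logical sector to a physical sector./r/n")));
        return FALSE;
    }
    DWORD dwBlock = dwPhysSector / g_FlashInfo.wSectorsPerBlock;

    // Byte offset of the data pointer inside that block.
    DWORD dwOffsetBlock = (pPartState->dwDataPointer + pPartState->pPartEntry->Part_StartSector * g_FlashInfo.wDataBytesPerSector) % g_dwDataBytesPerBlock;

    // Update the global indicating last written physical address. Global variable is used by the caller.
    g_dwLastWrittenLoc = dwBlock * g_dwDataBytesPerBlock + dwOffsetBlock;

    // Phase 1: if the current pointer is not on a block boundary, read-modify-write the
    // bytes up to the first block boundary so that phase 2 starts block-aligned.
    if (dwOffsetBlock)
    {
        if (!ReadBlock(dwBlock, g_pbBlock, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to read block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }

        // Bytes that still fit in this block from dwOffsetBlock on, capped at dwLength.
        DWORD dwNumBytesWrite = g_dwDataBytesPerBlock - dwOffsetBlock;
        if (dwNumBytesWrite > dwLength)
            dwNumBytesWrite = dwLength;

        memcpy(g_pbBlock + dwOffsetBlock, pbBuffer, dwNumBytesWrite);   // 1. merge
        if (!FMD_EraseBlock(dwBlock)) {                                 // 2. erase
            RETAILMSG (1, (TEXT("WriteData: failed to erase block (0x%x)./r/n"), dwBlock));
            return FALSE;
        }
        if (!WriteBlock(dwBlock, g_pbBlock, g_pSectorInfoBuf)) {       // 3. write
            RETAILMSG (1, (TEXT("WriteData: failed to write block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }

        dwLength -= dwNumBytesWrite;
        pbBuffer += dwNumBytesWrite;   // now block-aligned
        dwBlock++;
    }

    // Phase 2: whole blocks straight from pbBuffer.
    dwNumBlocks = (dwLength / g_dwDataBytesPerBlock);
    while (dwNumBlocks--)
    {
        // Bad-block skipping only ever moves forward; check the device bound before
        // the block's status is read or the block is erased.
        if (dwBlock >= g_FlashInfo.dwNumBlocks)
        {
            RETAILMSG (1, (TEXT("WriteData: corrupt partition. Reformat flash./r/n")));
            return FALSE;
        }

        // If the block is marked bad, skip to next block. Note that the assumption in our error checking
        // is that any truely bad block will be marked either by the factory during production or will be marked
        // during the erase and write verification phases. If anything other than a bad block fails ECC correction
        // in this routine, it's fatal.
        if (IS_BLOCK_UNUSABLE(dwBlock))
        {
            ++dwBlock;
            ++dwNumBlocks; // Compensate for fact that we didn't write any blocks.
            continue;
        }

        if (!ReadBlock(dwBlock, NULL, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to read block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }
        if (!FMD_EraseBlock(dwBlock)) {
            RETAILMSG (1, (TEXT("WriteData: failed to erase block (0x%x)./r/n"), dwBlock));
            return FALSE;
        }
        if (!WriteBlock(dwBlock, pbBuffer, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to write block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }
        ++dwBlock;
        pbBuffer += g_dwDataBytesPerBlock;
    }

    // Phase 3: whatever is left goes into the head of the next usable block.
    DWORD dwNumExtraBytes = (dwLength % g_dwDataBytesPerBlock);
    if (dwNumExtraBytes)
    {
        // Skip bad blocks; the bound is tested first so that the status of a block
        // past the end of the device is never read.
        while (dwBlock < g_FlashInfo.dwNumBlocks && IS_BLOCK_UNUSABLE(dwBlock))
        {
            dwBlock++;
        }
        if (dwBlock >= g_FlashInfo.dwNumBlocks)
        {
            // This should never happen since partition has already been created
            RETAILMSG (1, (TEXT("WriteData: corrupt partition. Reformat flash./r/n")));
            return FALSE;
        }

        if (!ReadBlock(dwBlock, g_pbBlock, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to read block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }
        memcpy(g_pbBlock, pbBuffer, dwNumExtraBytes);   // tail bytes at the start of the block
        if (!FMD_EraseBlock(dwBlock)) {
            RETAILMSG (1, (TEXT("WriteData: failed to erase block (0x%x)./r/n"), dwBlock));
            return FALSE;
        }
        if (!WriteBlock(dwBlock, g_pbBlock, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to write block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }
    }

    // Advance the partition's byte pointer past what was just written.
    pPartState->dwDataPointer = dwNextPtrValue;
    return(TRUE);
}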
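/*
 * Log2Phys
 *
 * Maps a logical flash sector (already offset by the owning partition's start
 * sector, i.e. counted from the MBR block) to a physical sector number.
 *
 * Bad blocks are not remapped - there is no bad-block table as in Linux MTD -
 * they are simply skipped. The physical block is therefore found by walking
 * dwLogBlock good blocks forward from the MBR block (g_dwMBRSectorNum); the
 * sector offset inside the block is carried over unchanged.
 *
 * Returns the physical sector, or INVALID_ADDR when the MBR location is
 * unknown, the logical block is out of range, or the walk runs off the end of
 * the device.
 */
static DWORD Log2Phys (DWORD dwLogSector)
{
    // Determine logical block number
    DWORD dwLogBlock = dwLogSector / g_FlashInfo.wSectorsPerBlock;

    // Start searching at the MBR block
    if (g_dwMBRSectorNum == INVALID_ADDR) {
        RETAILMSG(1, (TEXT("Log2Phys: MBR sector number is invalid./r/n")));
        return INVALID_ADDR;
    }
    // g_dwMBRSectorNum is the first good block after the reserved leading blocks; it is
    // the physical base that logical block 0 maps to.
    DWORD dwPhysBlock = g_dwMBRSectorNum / g_FlashInfo.wSectorsPerBlock;

    if (dwLogBlock >= g_FlashInfo.dwNumBlocks)
        return INVALID_ADDR;
    if (dwPhysBlock >= g_FlashInfo.dwNumBlocks)
        return INVALID_ADDR;

    // The physical block will be the number of logical blocks plus the number of bad blocks
    // starting from the MBR block.
    while (dwLogBlock--) {
        dwPhysBlock++;
        // Bound first, then status: IS_BLOCK_UNUSABLE must never be evaluated for a
        // block index equal to dwNumBlocks (one past the last block).
        while (dwPhysBlock < g_FlashInfo.dwNumBlocks && IS_BLOCK_UNUSABLE (dwPhysBlock)) {
            dwPhysBlock++;
        }
        if (dwPhysBlock >= g_FlashInfo.dwNumBlocks)
            return INVALID_ADDR;
    }

    RETAILMSG(1, (TEXT("Log2Phys: Logical 0x%x -> Physical 0x%x/r/n"), dwLogSector, dwPhysBlock * g_FlashInfo.wSectorsPerBlock + (dwLogSector % g_FlashInfo.wSectorsPerBlock)));
    // Physical sector = physical block base + the sector offset inside the block.
    return dwPhysBlock * g_FlashInfo.wSectorsPerBlock + (dwLogSector % g_FlashInfo.wSectorsPerBlock);
}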
/*
 * OALVAtoPA
 *
 * Translates a kernel virtual address to its physical address using the
 * g_oalAddressTable mapping table (defined in
 * PLATFORM/SMDK2440A/Src/Inc/oemaddrtab_cfg.inc).
 *
 * pVA - virtual address; must lie in the cached (0x80000000-) or uncached
 *       (0xA0000000-) kernel window, i.e. [0x80000000, 0xC0000000).
 *
 * Returns the physical address, or 0 when pVA is outside that window or not
 * covered by any table entry.
 */
UINT32 OALVAtoPA(VOID *pVA)
{
    UINT32 va = (UINT32)pVA;
    UINT32 pa = 0;
    OAL_ADDRESS_TABLE *pEntry;

    OALMSG(OAL_MEMORY&&OAL_FUNC, (L"+OALVAtoPA(0x%08x)/r/n", pVA));

    // Virtual address must be in CACHED or UNCACHED regions.
    if (va < 0x80000000 || va >= 0xC0000000) {
        OALMSG(OAL_ERROR, (L"ERROR:OALVAtoPA: invalid virtual address 0x%08x/r/n", pVA));
        goto cleanUp;
    }

    // Table entries are cached addresses, so drop the uncached bit before matching.
    va &= ~OAL_MEMORY_CACHE_BIT;

    // Walk the table (terminated by a zero-size entry); each entry covers
    // size megabytes starting at CA.
    for (pEntry = g_oalAddressTable; pEntry->size != 0; pEntry++) {
        UINT32 rangeEnd = pEntry->CA + (pEntry->size << 20) - 1;
        if (va >= pEntry->CA && va <= rangeEnd) {
            pa = pEntry->PA + (va - pEntry->CA);
            break;
        }
    }

cleanUp:
    // Indicate physical address
    OALMSG(OAL_MEMORY&&OAL_FUNC, (L"-OALVAtoPA(pa = 0x%x)/r/n", pa));
    return pa;
}
位于PLATFORM/SMDK2440A/Src/Bootloader/Eboot/util.s汇编中
INCLUDE kxarm.h
PHY_RAM_START EQU 0x30000000
VIR_RAM_START EQU 0x8c000000
TEXTAREA
LEAF_ENTRY Launch
ldr r2, = PhysicalStart //获得PhysicalStart虚拟地址值,在8c038000~范围,可在boot.bib中看到eboot的编译地址[luther.gliethttp]
ldr r3, = (VIR_RAM_START - PHY_RAM_START)//计算虚拟地址和物理地址的差值
sub r2, r2, r3 //计算虚拟地址PhysicalStart对应的物理地址值[luther.gliethttp]
mov r1, #0x0070 ; Disable MMU
mcr p15, 0, r1, c1, c0, 0 //禁用MMU
nop
mov pc, r2 ; Jump to PStart//MMU禁止,所以跳转到PhysicalStart对应的物理地址继续执行[luther.gliethttp]
nop
; MMU & caches now disabled.
PhysicalStart
mov r2, #0
mcr p15, 0, r2, c8, c7, 0 ; Flush the TLB
mov pc, r0 ; Jump to program we are launching. //跳转到dwLaunchAddr登陆地址,之后的进一步内核解压加载等工作就完全由ce内核自身封闭完成了[luther.gliethttp]