What's the FU540 boot sequence?

I may be overlooking something obvious, but I’m having trouble understanding parts of the boot sequence for the FU540. I have a nicely formatted StackExchange question about it here:

assembly - Not Understanding the FU540Boot Process - Reverse Engineering Stack Exchange

Any insight is appreciated!


Step 2, lw is load word, it is reading from the address 0x1000 not putting 0x1000 in t1. I think the result should be a number between 0 and 15 but I don’t know for sure.

@jimw thank you! that helped clarify some things. I’m new to assembly, so still muddling my way through.

Unfortunately, the math still isn’t working out. I’m close though… according to the docs, MSEL = 0x1111 should cause the device to jump to 0x0001_0000 and my calculations are coming to 0x9988… which isn’t terribly far off, but still miles away.

It is already mentioned in stackexchange, but you have MSEL as hex when it should be binary. So it is 0b1111 or 0xf not 0x1111 as the max value. The code is just loading an address from a table, indexed by the MSEL value.

@jimw thank you again. I updated my answer. I’m now jumping to 0x1178 instead of 0x0001_0000

I’m going to see if I can connect gdb to qemu and see if I can see what’s happening. Any other insight is appreciated, though.

Obviously the value at 0x1178 is 0x10000. As I mentioned before, you are reading an address from a table indexed by MSEL, and the figure in the docs tells you what the addresses in the table are.

qemu is a little different. It has neither a physical MSEL switch nor a mask rom. So it just puts the start address directly in the reset vector and avoids the msel indexed table read.
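The MSEL-indexed table read discussed in the replies above, as an added example that is not part of the original thread or SiFive's code: it resolves the reset target from a mask ROM dump that starts at 0x1000. The table base 0x1100 and the 8-byte slot size are assumptions chosen to match the 0x1178 slot for MSEL 0b1111 mentioned in the thread; the function names and the sample dump are constructed, and only the 0x10000 entry in slot 15 comes from the thread.

```python
import struct

ROM_BASE = 0x1000    # address the reset code reads MSEL from (per the thread)
TABLE_BASE = 0x1100  # assumption: 0x1178 - 15 * 8
SLOT_SIZE = 8        # assumption: one 8-byte slot per MSEL value


def slot_address(msel):
    """Address of the jump-table slot for a 4-bit MSEL value."""
    if not 0 <= msel <= 0b1111:
        raise ValueError(f"MSEL is 4 bits (0b0000-0b1111), got {msel:#x}")
    return TABLE_BASE + msel * SLOT_SIZE


def reset_target(rom, msel=None):
    """Resolve the jump target from a dump that starts at ROM_BASE.

    With msel=None the value is taken from the word stored at ROM_BASE,
    the same place the reset code loads it from.
    """
    if msel is None:
        (msel,) = struct.unpack_from("<I", rom, 0)
    offset = slot_address(msel) - ROM_BASE
    if offset + 4 > len(rom):
        raise ValueError("dump too short to contain this table slot")
    (target,) = struct.unpack_from("<I", rom, offset)  # little-endian word
    return target


def build_sample_rom(msel):
    """Constructed dump: slot 15 holds 0x10000 (from the thread); every
    other slot holds an obvious placeholder, not a real FU540 value."""
    rom = bytearray(0x180)
    struct.pack_into("<I", rom, 0, msel)
    for n in range(16):
        struct.pack_into("<I", rom, slot_address(n) - ROM_BASE, 0xDEAD0000 | n)
    struct.pack_into("<I", rom, slot_address(0b1111) - ROM_BASE, 0x0001_0000)
    return bytes(rom)


if __name__ == "__main__":
    rom = build_sample_rom(0b1111)
    print(hex(slot_address(0b1111)), "->", hex(reset_target(rom)))
    try:
        slot_address(0x1111)  # the hex-for-binary slip from the thread
    except ValueError as err:
        print("rejected:", err)
```

To use it on a real dump taken with gdb+openocd, pass the raw bytes read from 0x1000 onward to `reset_target` in place of the constructed sample.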



What a dumb move on my part.

Since the FU540 is open source, my thought is that this information is publicly available somewhere, but I can’t seem to find anything this detailed, just the user manual. I even tried the chip schematics just for kicks. Do you know if there are public documents with information as detailed as the memory contents of the jump table?

Table 9 in the FU540 docs maps MSEL to start address, and this is the contents of the table that the reset vector indexes into.

If you have a board, then you can use gdb+openocd to connect to the debug port and read the mask rom from there.

Incidentally, a version of the zero stage boot loader sources can be found at https://github.com/sifive/freedom-u540-c000-bootloader/tree/master/zsbl
This is what the reset vector jumps to.

Okay, that table makes more sense now.

Are there some documents that aren’t released to the public? If the chip is designed so that memory address 0x1178 has the value 0x0001_0000 in it, that has to be documented somewhere.

The U54 core is open source. The FU540 SoC is not. Some parts, mainly analog stuff, are licensed. I don’t know if the mask rom is part of the core or not. If it is part of the core, then yes, it would be in the core sources somewhere. If it isn’t part of the core, then there would be no public sources for it.

The u54 core is rocket chip, so I would suggest looking here
I don’t know the rocket chip source tree so don’t know where to look.

Rather, I should say that the U54 core is based on the rocket-chip core, and the rocket chip core is open source.

Here’s the mask rom on Unmatched dumped with U-boot. I believe it’s the same as FU540.