# $\mu$ ARM Informal Specifications

Marco Melletti - melletti.marco@gmail.com http://www.mellotanica.com/uarm

# Contents

| 1 | $\mathbf{Pro}$ | cessor 3                           |
|---|----------------|------------------------------------|
|   | 1.1            | Operating modes                    |
|   |                | 1.1.1 Execution Control 6          |
|   | 1.2            | Processor States                   |
|   |                | 1.2.1 ARM ISA                      |
|   |                | 1.2.2 Thumb ISA                    |
|   | 1.3            | Exception Handling                 |
|   | 1.4            | System Coprocessor                 |
| 2 | Sys            | tem Bus 13                         |
|   | 2.1            | Reserved address space             |
|   |                | 2.1.1 Exception Vector             |
|   |                | 2.1.2 Installed Device Table       |
|   |                | 2.1.3 Device Registers             |
|   |                | 2.1.4 System Information Registers |
|   |                | 2.1.5 Bootstrap ROM                |
|   |                | 2.1.6 Pending Interrupt Bitmap     |
|   |                | 2.1.7 Kernel Reserved Frame        |
|   | 2.2            | Memory address space               |
| 3 | Mei            | mory Interface 17                  |
|   | 3.1            | Physical addressing mode           |
|   | 3.2            | Virtual addressing mode            |
| 4 | BIC            | OS & System Library 21             |
|   | 4.1            | BIOS                               |
|   |                | 4.1.1 Bootstrap Function           |
|   |                | 4.1.2 Low Level Hanlders           |
|   |                | 4.1.3 Low Level Services           |
|   | 4.2            | System Library                     |
| 5 | Not            | es 26                              |
|   | 5.1            | Compilers and compiling            |
|   |                | 5.1.1 Compilers                    |

|     | 5.1.2   | Comp  | iling | ς. |  |  |  |  |  |  |  |  |  |  |  |  |  | 26 |
|-----|---------|-------|-------|----|--|--|--|--|--|--|--|--|--|--|--|--|--|----|
| 5.2 | Binary  | Forma | ats   |    |  |  |  |  |  |  |  |  |  |  |  |  |  | 2  |
| 5.3 | Hints . |       |       |    |  |  |  |  |  |  |  |  |  |  |  |  |  | 2  |
| 5.4 | Known   | bugs  |       |    |  |  |  |  |  |  |  |  |  |  |  |  |  | 28 |

## Chapter 1

## Processor

The uARM machine runs on an emulated ARM7TDMI processor, with both ARM and Thumb ISAs implemented (Thumb is still a bit buggy right now), wich is able to perform each operation listed in <u>ARM7TDMI Data Sheet</u> (a brief summary is shown below) and to accept painlessly binary programs compiled with the Gnu C Compiler for ARM7 architecture.

## 1.1 Operating modes

The processor can work in seven different modes:

- User mode (usr) regular user process execution
- System mode (sys) typipcal privileged mode execution (e.g. kernel code execution)
- Supervisor (srv) protected mode kernel execution
- Fast Interrupt (fiq) protected mode for fast interrupt handling
- Interrupt (irq) protected mode for regular interrupt handling
- Abort (abt) protected mode for data/instruction abort exception handling
- $\bullet~$  Undefined (und) protected mode for undefined instruction exception handling

In each mode the processor can access a limited portion of all its registers, varying from 16 registers in User/System modes to 17 registers in each protected mode in ARM state (only protected modes have the 17th register, it automatically stores the previous value of the Program Status Register when entering an exception) plus the Current Program Status Register (CPRS), wich is shared by all modes.

The lower 8 registers in addition to the Program Counter (R15) are common to each "window" of visible registers, each protected mode has its dedicated upper 2 registers and Fast Interrupt mode has all the upper 7 unique registers to allow for a fast context switch, while System and User mode share the full set of 16 general puprose registers.

| ystem / User | FIQ      | Supervisor      | Abort           | IRQ      | Undefined                |
|--------------|----------|-----------------|-----------------|----------|--------------------------|
| R0           | R0       | $\overline{R0}$ | $\overline{R0}$ | R0       | $\overline{\mathrm{R0}}$ |
| R1           | R1       | R1              | R1              | R1       | R1                       |
| R2           | R2       | R2              | R2              | R2       | R2                       |
| R3           | R3       | R3              | R3              | R3       | R3                       |
| R4           | R4       | R4              | R4              | R4       | R4                       |
| R5           | R5       | R5              | R5              | R5       | R5                       |
| R6           | R6       | R6              | R6              | R6       | R6                       |
| R7           | R7       | R7              | R7              | R7       | R7                       |
| R8           | R8_fiq   | R8              | R8              | R8       | R8                       |
| R9           | R9_fiq   | R9              | R9              | R9       | R9                       |
| R10          | R10_fiq  | R10             | R10             | R10      | R10                      |
| R11          | R11_fiq  | R11             | R11             | R11      | R11                      |
| R12          | R12_fiq  | R12             | R12             | R12      | R12                      |
| R13          | R13_fiq  | R13_svc         | R13_abt         | R13_irq  | R13_und                  |
| R14          | R14_fiq  | R14_svc         | R14_abt         | R14_irq  | R14_und                  |
| R15 (PC)     | R15 (PC) | R15 (PC)        | R15 (PC)        | R15 (PC) | R15 (PC)                 |
| CPSR         | CPSR     | CPSR            | CPSR            | CPSR     | CPSR                     |
|              | SPSR_fiq | SPSR_svc        | SPSR_abt        | SPSR_irq | SPSR_une                 |

Even if the base 16 registers are defined as general purpose registers, there are some conventions adopted by the compiler in their use. The following list shows the full set of processor register visible in each mode with their conventional meaning:

- R0 (a1) first function argument / integer result
- R1 (a2) second function argument
- R2 (a3) third function argument
- R3 (a4) fourth function argument
- $\bullet$  R4 (v1) register variable

- R5 (v2) register variable
- R6 (v3) register variable
- R7 (v4) register variable
- R8 (v5) register variable
- R9 (v6/rfp) register variable / real frame pointer
- R10 (sl) stack limit
- R11 (fp) frame pointer / argument pointer
- R12 (ip) instruction pointer / temporary workspace
- R13 (sp) stack pointer
- R14 (lr) link register
- R15 (pc) program counter
- CPSR current program status register
- SPSR\_mode saved program status register

When the processor is in Thumb state the register window is halved, showing 12 registers in User/System mode and 13 registers in protected modes (the last register is the same dedicated SPSR register as in ARM state) in addition to the Current Program Status Register, common to all modes.

Only the first 8 registers ( $R0 \rightarrow R7$ ) are general purpose, the higher 3 are specialized registers that act as Stack Pointer, Link Return and Program Counter. Each protected mode has its own banked instance of Stack Pointer and Link Return in addition to Saved Program Status Register to allow for faster exception handling.

| ARM State General Registers |                           |            |                           |                           |           |  |  |  |  |  |
|-----------------------------|---------------------------|------------|---------------------------|---------------------------|-----------|--|--|--|--|--|
| System / User               | $\overline{\mathrm{FIQ}}$ | Supervisor | $\underline{	ext{Abort}}$ | $\overline{\mathrm{IRQ}}$ | Undefined |  |  |  |  |  |
| R0                          | R0                        | R0         | R0                        | R0                        | R0        |  |  |  |  |  |
| R1                          | R1                        | R1         | R1                        | R1                        | R1        |  |  |  |  |  |
| R2                          | R2                        | R2         | R2                        | R2                        | R2        |  |  |  |  |  |
| R3                          | R3                        | R3         | R3                        | R3                        | R3        |  |  |  |  |  |
| R4                          | R4                        | R4         | R4                        | R4                        | R4        |  |  |  |  |  |
| R5                          | R5                        | R5         | R5                        | R5                        | R5        |  |  |  |  |  |
| R6                          | R6                        | R6         | R6                        | R6                        | R6        |  |  |  |  |  |
| R7                          | R7                        | R7         | R7                        | R7                        | R7        |  |  |  |  |  |
| SP                          | SP_fiq                    | SP_svc     | SP_abt                    | SP_irq                    | SP_und    |  |  |  |  |  |
| LR                          | LR_fiq                    | LR_svc     | LR_abt                    | LR_irq                    | LR_und    |  |  |  |  |  |
| PC                          | PC                        | PC         | PC                        | PC                        | PC        |  |  |  |  |  |
| CPSR                        | CPSR                      | CPSR       | CPSR                      | CPSR                      | CPSR      |  |  |  |  |  |
|                             | SPSR_fiq                  | SPSR_svc   | SPSR_abt                  | SPSR_irq                  | SPSR_und  |  |  |  |  |  |
| = banked register           |                           |            |                           |                           |           |  |  |  |  |  |

## 1.1.1 Execution Control

## Program Status Register

The CPSR (and SPSR if active mode has one) is always accessible in ARM state via the special instructions MSR (move register to PRS) and MRS (move PRS to register). This register shows arithmetical instructions' additional results and allows to switch states/modes and interrupt handling. Its structure is shown below:



The first 5 bits of CPSR are used to set processor execution mode, the possible values are:

| 0x10 | User Mode           |
|------|---------------------|
| 0x11 | Fast Interrupt Mode |
| 0x12 | Interrupt Mode      |
| 0x13 | Supervisor Mode     |
| 0x17 | Abort Mode          |
| 0x1B | Undefined Mode      |
| 0x1F | System Mode         |
|      |                     |

<u>User Mode</u> is the only unprivileged mode, this means that if processor is running in <u>User Mode</u> it cannot access <u>reserved memory regions</u> (see System Bus chapter) and it cannot modify CPSR control bits.

<u>System Mode</u> is the execution mode reserved for regular Kernel code execution, all other modes are activated when exceptions are being handled.

## System Control Register

System Coprocessor (CP15) holds the System control register (CP15.R1), wich controls Virtual Memory and thumb availability (plus some other hardware specific settings that are not implemented in current release):

- bit 0: if set, the Memory Management Unit is enabled
- bit 15: if set, changes to T bit in CPSR are ignored

## 1.2 Processor States

The  $\underline{T}$  flag of the Program Status Register shows the state of the processor, when the bit is clear the processor operates in ARM state, otherwise it worsk in Thumb state. To switch between the two states a Branch and Exchange (BX) instruction is required.

The first difference between the two states is the register set that is accessible (see previous section), the other main difference is the Instruction Set used.

#### 1.2.1 ARM ISA

The main Instruction Set is the ARM ISA, the processor starts execution in this state and switches to ARM state when entering excepton handling sections.

ARM instructions are 32 bits long and must be word-aligned. The table below shows a brief summary of the instruction set. (For a much detailed description of each instruction refer to <u>ARM7TMI Data Sheet</u> and <u>ARM7TMI</u> Technical Reference Manual)

| ADC | add with carry |
|-----|----------------|
| ADD | add            |
| AND | logical AND    |
| В   | brach          |

| BIC   | bit clear                                 |
|-------|-------------------------------------------|
| BL    | branch with link                          |
| BX    | branch and exchange                       |
| CDP   | coprocessor data processing               |
| CMN   | compare negative                          |
| CMP   | compare                                   |
| EOR   | logical exclusive OR                      |
| LDC   | load coprocessor register from memory     |
| LDM   | load multiple registers from memory       |
| LDR   | load register from memory                 |
| LDRH  | load halfword from memory                 |
| LDRSB | load signed byte from memory              |
| LDRSH | load signed halfword from memory          |
| MCR   | move cpu register to coprocessor register |
| MLA   | multiply accumulative                     |
| MLAL  | multiply accumulative long                |
| MOV   | move register or constant                 |
| MRC   | move coprocessor register to cpu register |
| MRS   | move PRS status/flags to register         |
| MSR   | move register to PRS status/flags         |
| MUL   | multiply                                  |
| MULL  | multiply long                             |
| MVN   | move negative register                    |
| ORR   | logical OR                                |
| RSB   | reverse subtract                          |
| RSC   | reverse subtract with carry               |
| SBC   | subtract with carry                       |
| STC   | store coprocessor register to memory      |
| STM   | store multiple                            |
| STR   | store register to memory                  |
| STRH  | store halfword                            |
| SUB   | subtract                                  |
| SWI   | software interrupt                        |
| SWP   | swap register with memory                 |
| TEQ   | test bitwiser equality                    |
| TST   | test bits                                 |
| UND   | undefined instruction                     |

## 1.2.2 Thumb ISA

Thumb instruction set is a simpler (smaller) instruction set composed of 16-bit, halfword aligned instructions, wich offer less refined functionalities but less memory usage.

Thumb instructions can be seen as "shortcuts" to execute ARM code, as

the performed operations are the same but this ISA offers less options for each instruction.

The following table summarizes Thumb instructions. (For a much detailed description of each instruction refer to  $\underline{ARM7TMI}$  Data Sheet and  $\underline{ARM7TMI}$  Technical Reference Manual)

| ADC     | add with carry                   |
|---------|----------------------------------|
| ADD     | add                              |
| AND     | logical AND                      |
| ASR     | arithmetical shift right         |
| В       | unconditional branch             |
| B[cond] | conditioned branch               |
| BIC     | bit clear                        |
| BL      | branch with link                 |
| BX      | branch and exchange              |
| CMN     | compare negative                 |
| CMP     | compare                          |
| EOR     | logical exclusive OR             |
| LDMIA   | load multiple (increment after)  |
| LDR     | load word to register            |
| LDRB    | load byte to register            |
| LDRH    | load halfword to register        |
| LDRSB   | load signed byte to register     |
| LDRSH   | load signed halfword to register |
| LSL     | logical shift left               |
| LSR     | logical shift right              |
| MOV     | move from register to register   |
| MUL     | multiply                         |
| MVN     | move negative register           |
| NEG     | negate word                      |
| ORR     | logical OR                       |
| POP     | pop from stack                   |
| PUSH    | push to stack                    |
| ROR     | rotate right                     |
| SBC     | subtract with carry              |
| STMIA   | store multiple (increment after) |
| STR     | store register to memory         |
| STRB    | store byte to memory             |
| STRH    | store halfword to memory         |
| SUB     | sub operation                    |
| SWI     | software interrupt               |
| TST     | test bits                        |
|         |                                  |

## 1.3 Exception Handling

When an exception is raised (e.g. a read instruction is performed on a forbidden bus address), the processor automatically enter a special routine to solve the problem.

There are seven different exceptions handled by the processor, each of them has a specific bus address to wich the execution jumps on exception handling (see Bus chapter for further details).

When enetring an exception handler, the processor stores a return address in the Link Return register and the Current Program Status Register in the SPSR register of the handler's Processor mode.

#### Reset Exception

This exception is automatically raised each time the machine is started.

This exception is handled in Supervisor mode with all interrupts disabled, Link Return and SPSR registers have unpredictable values and execution starts from bus address 0x00000000.

## **Undefined Instruction Exception**

If a Coprocessor instruction cannot be executed from any Coprocessor or if an UNDEFINED instruction is executed, this exception is raised.

Processor mode is set to Undefined, normal interrupts are disabled and Link Return register points to the instruction right after the one that caused the Undefined Exception.

### Software Interrupt Exception

This exception is caused by a SWI instruction and is meant to provide a neat way to implement System Calls.

When handling Software Interrupt Exceptions, the processor switches to Supervisor mode with normal interrupts disabled and the Link Return register points to the instruction after the SWI that caused the exception.

## **Data Abort Exception**

If a the processor tries to access memory address that is not valid or available, this exception is raised.

When handling Data Aborts, the processor switches to Abort mode with normal interrupts disabled and Link Return register is set to the address of the instruction that caused the Abort plus 8.

#### **Prefetch Abort Exception**

If the processor tries to execute an instruction that generated a data abort while being fetched, this exception is raised. When handling Prefetch Aborts, the processor enters Abort mode with normal interrupts disabled and Link Return register points to the address of the instruction after the one that caused the exception.

#### **Interrupt Request Exception**

When a connected Device requires the processor's attention, it fires an Interrupt Request.

When handling Interrupt Requests, the processor enters Interrupt mode with normal interrupts disabled and Link Return register is set to the address of the instruction that was not executed plus 4.

#### Fast Interrupt Request Exception

Fast Interrupts have higher priority than norma Interrupts, also, system Interval Timer is connected to this line of interrupts. When the Timer changes its value from 0x00000000 to 0xfffffffff, a Fast Interrupt is requested.

When handling Fast Interrupt Requests, the processor enters Fast Interrupt mode with all interrupts disabled and Link Return register points to the address of the instruction that was not executed plus 4.

## 1.4 System Coprocessor

CP15 provides access to a total of three 64-bit and one 32-bit registers wich give additional informations and functionalities to regular processor operations:

## R0 (IDC) - ID Codes

Register 0 is a read-only register that contains system implementation informations such as Processor ID, TLB type, Memory Protection Unit type, Cache type and Tightly Coupled Memory type.

## R1 (SCB) - System Control Bits

Register 1.SCB is the System Control Register, from wich MMU and Processor State modifications can be enabled/disabled.

See Execution Control section for further details.

#### R1 (CCB) - Coprocessors Access Register

Register 1.CCB shows wich coprocessors are available. Values can be written to this register to enable/disable available coprocessors a part from CP15.

| Coprocessors Access Register                                                          |          |       |       |                   |       |       |       |        |       |        |      |        |     |     |
|---------------------------------------------------------------------------------------|----------|-------|-------|-------------------|-------|-------|-------|--------|-------|--------|------|--------|-----|-----|
| 31                                                                                    | 28 27 26 | 25 24 | 23 22 | 21 20             | 19 18 | 17 16 | 15 14 | 13 12  | 11 10 | 9 8    | 7 6  | 5 4    | 3 2 | 1 0 |
| SBZ                                                                                   | cp13     | cp12  | ср11  | cp10              | cp9   | cp8   | cp7   | cp6    | cp5   | cp4    | ср3  | cp2    | cp1 | cp0 |
| SBZ: Should Be Zero cp*: 00 Access Denied.                                            |          |       |       |                   |       |       |       |        |       |        |      |        |     |     |
| ·F                                                                                    | 01       | `     |       | ing th            |       |       | 0     | nerate | s Und | efined | Exce | ption) |     |     |
| (Accessing this coprocessor in user mode generates Undefined Exception)  10 RESERVED. |          |       |       |                   |       |       |       |        |       |        |      |        |     |     |
|                                                                                       | 11       | `     |       | lictabl<br>.ccess | /     |       |       |        |       |        |      |        |     |     |

## R2 - Page Table Entry

Register 2 is a 64-bit register wich contains the actual loaded Page Table Entry if MMU is enabled. Its structure is the same as a stored PTE (see  $\underline{\text{Memory}}$  Interface. Virtual Addressing Mode for structure details).

## R15 (Cause) - Exception Cause

Register 15. Cause contains the last exception cause, it can be read or written by processor.

Memory Access exception causes are:

 $\begin{array}{lll} \text{Memory Error} & = 1 \\ \text{Bus Error} & = 2 \\ \text{Address Error} & = 3 \\ \text{Segment Error} & = 4 \\ \text{Page Error} & = 5 \end{array}$ 

## R15 (IPC) - Interrupt Cause

Register 15.IPC shows on which lines interrupts are pending, when interrupts have been handled the value of this register is updated.

## Chapter 2

# System Bus

The system bus connects each component of the system and lets processing units access physical memory and devices.

The CPU and the System Coprocessor (CP15) can directly access the bus reading or writing values from or to specific addresses.

The lower addresses (below 0x8000) are reserved for special uses and are accessible under certain conditions.

## 2.1 Reserved address space

The address region between 0x0 and 0x8000 holds the fast exception vector, device registers, system informations, bootstrap rom and the kernel reserved frame. Any access to this memory area in User mode are (should be) prohibited and treated by the system bus as errors.

## 2.1.1 Exception Vector

The first locations  $(0x0 \rightarrow 0x1C)$  are occupied by exception vector, the processor jumps automatically to these addresses if an exception is risen and the bootstrap rom tipically writes a set of branch instructions to exception handlers in these fields.

Exception vector is organized as follows:

| 0x0  | Reset                  |
|------|------------------------|
| 0x4  | Undefined Instruction  |
| 8x0  | Software Interrupt     |
| 0xC  | Prefetch Abort         |
| 0x10 | Data Abort             |
| 0x14 | reserved               |
| 0x18 | Interrupt Request      |
| 0x1C | Fast Interrupt Request |

## 2.1.2 Installed Device Table

Five words, from 0x20 to 0x30, show the status of active devices. Each word represent a device line:

```
0x20 | Disks
0x24 | Tapes
0x28 | Netwok
0x2C | Printers
0x30 | Terminals
```

For each device line, if a specific device  $\underline{i}$  is enable,  $\underline{i}^{th}$  bit in representing word has value 1.

## 2.1.3 Device Registers

Addresses 0x40 to 0x2C0 hold device registers, the behavior of this memory region is the same as uMPS machine's.

## 2.1.4 System Information Registers

Six registers, from address 0x2D0 to 0x2E8, show system specific informations:

```
0x2D0 ram base address
0x2D4 ram top address
0x2D8 device registers base address
0x2DC time of day (Hi)
0x2E0 time of day (Low)
0x2E4 interval timer
0x2E8 timer scale (fixed to 1 Mz)
```

#### **Interval Timer**

Interval timer is decremented at each cpu cycle, when its value becomes 0 a software interrupt is thrown. It can be set to a desired value by writing its address in any privileged mode.

### 2.1.5 Bootstrap ROM

The bootstrap rom is loaded starting from address 0x300, its maximum size is 109 KB. See BIOS chapter for details.

## 2.1.6 Pending Interrupt Bitmap

Most of the interrupt lines are shared through all the devices of the same class, to identify which device is requesting for interrupt there are five registers from address 0x6FE0 to 0x6FF0 that hold a bitmap of interrupting devices per interrupt line.

This region is organized exactly as the Installed Device Table:

| 0x6FE0 | Disks     |
|--------|-----------|
| 0x6FE4 | Tapes     |
| 0x6FE8 | Netwok    |
| 0x6FEC | Printers  |
| 0x6FF0 | Terminals |

For each word, i bit is set if i<sup>th</sup> device on that line is requesting for interrupt.

## 2.1.7 Kernel Reserved Frame

The last memory frame  $(0x7000 \rightarrow 0x7FFC)$  is reserved for kernel use:

- $0x7000 \rightarrow 0x7500$ : Exception states vector memory area in which processor states are saved and loaded when entering into/exiting from exception handlers code.
- 0x7600 → 0x7C00: Segment table here is stored the 128 elements segment table describing the virtual address space, for each ASID (entries in the segment table) there are two pointers to ASID's private and shared page tables.
- $0x7FF0 \rightarrow 0x7FFC$ : Rom stack when invoking rom functions this stack is used to pass parameters to the hardware routines.

#### **Stored Processor States**

Processor states are defined by library data structure <u>state\_t</u>, this structure is composed of 20 unsigned 32-bit integers representing processor registers' values and coprocessor's system control registers' values.

Its structure is shown below:

```
typedef struct{
                       //r0
   unsigned int a1;
  unsigned int a2;
                       //r1
  unsigned int a3;
                       //r2
   unsigned int a4;
                       //r3
   unsigned int v1;
                       //r4
   unsigned int v2;
                       //r5
   unsigned int v3;
                       //r6
   unsigned int v4;
                       //r7
  unsigned int v5;
                       //r8
  unsigned int v6;
                       //r9
   unsigned int sl;
                       //r10
   unsigned int fp;
                       //r11
  unsigned int ip;
                       //r12
   unsigned int sp;
                       //r13
   unsigned int lr;
                       //r14
   unsigned int pc;
                       //r15
   unsigned int cpsr;
   unsigned int CP15_Control;
   unsigned int CP15_EntryHi;
   unsigned int CP15_Cause;
}state_t;
```

These structures take 80 bytes each. Given this value, the BIOS code will look for the Old/New enties at the following addresses:

```
        0x7000
        Interrupt Old

        0x7080
        Interrupt New

        0x7100
        TLB Old

        0x7180
        TLB New

        0x7200
        PGMT Old

        0x7280
        PGMT New

        0x7300
        Syscall Old

        0x7380
        Syscall New
```

#### ASID 0

The first ASID is reserved for kernel address space and is automatically enabled in any Privileged mode, this way if a User mode program performs a System Call, the kernel routine has access to its address space and to the program's address space through saved processor state.

## 2.2 Memory address space

The remaining addresses are mapped to memory subsystem and can be accessed through a number of instructions, see Memory Interface chapter for details.

## Chapter 3

# Memory Interface

Memory system is controlled by Program Status Register (CPSR) and System Coprocessor's registers 1 and 2 (CP15.R1 & CPSR.R2). It supports two operating modes:

- physical addressing mode,
- virtual addressing mode.

In addition to address translation modes, the portion of accessible memory is dictated by processor operating mode:

- User mode  $\rightarrow$  User Space
- Privileged mode  $\rightarrow$  All Memory

In each addressing mode theese portions have a specific definition.

As described in System Bus chapter, sddresses below 0x00008000 are reserved for hardware/protected functions and belong to the <u>reserved address space</u>.

## 3.1 Physical addressing mode

The machine starts execution in this mode, each address is used directly without conversions.

All the available memory is directly accessible in Privileged mode and any address over 0x00008000 is directly accessible in User mode.



## 3.2 Virtual addressing mode

By setting M flag in System Coprocessor's register 1 (CP15.R1.M, that is least significative bit), you enable memory address translation.

When virtual memory is active, each address above 0x0000.8000 is treated as a logical address and translated to the corresponding physical address from the memory subsystem, addresses below 0x0000.8000 are always treated as physical addresses, as they refer to a memory region reserved for bus access.

In Privileged mode all logical memory is accessible, when executin in User mode, only User Segments are accessible instead: the first one (Useg2) starts from address 0x8000.0000 and extends over the next GB, the second one (Useg3) starts from address 0xC000.0000 and terminates at the top of the logical memory, address 0xFFFF.FFFF.

| User  | Mode                       | Kernel Mode |                            |  |  |  |  |
|-------|----------------------------|-------------|----------------------------|--|--|--|--|
| Useg3 | OxFFFF.FFFF<br>OxCOOO.0000 | Useg3       | 0xFFFF.FFFF<br>0xC000.0000 |  |  |  |  |
| Useg2 | 0x8000.0000                | Useg2       | 0x8000.0000                |  |  |  |  |
|       |                            | Kseg0       | 0x00008000                 |  |  |  |  |
|       | 0x00000000                 | BUS         | 0x00000000                 |  |  |  |  |

When the MMU is enabled the user process ASID is stored in the EntryHy field of CP15's 64bit register R2 along whith the Virtual Page number (e.g. the 20 most significant bits of the logical address). The EntryLow filed is filled with the Physical Page Frame address and is kept up to date after each modification of CP15.R2.EntryHy value.

The CP15 register 2 is organized as a Page Table Entry (PTE):



The Low half of each entry contains 4 flags used for memory protection:

- Non Chachable bit: not used by uARM implementation.
- Dirty bit: if the bit is clear, any write access to the physical frame locations will rise a TLB-Modification excepion.
- Valid bit: if bit is set the Page Table Entry is considered valid, otherwise a TLB-Invalid exception is raised.
- Global bit: if the bit is set, the Page Table Entry will match the corresponding VPN regardless of the ASID.

Page Table Entries are grouped together in Page Tables, each Page Table begins with a special word (PgTbl-Header) composed of the PgTbl Magic Number 0x2A stored in the most significant 8 bits and the number of page table entries in the least significant 20 bits.

The Segment Table specifies the physical addresses of the Page Tables of the three Segments for each ASID, the general structure is shown below:

#### Segent Table:



Page Table:

| PgTbl Entry n                   |      |         |  |          |  |   |
|---------------------------------|------|---------|--|----------|--|---|
| ,                               |      |         |  |          |  |   |
| •                               |      |         |  |          |  |   |
| •                               |      |         |  |          |  |   |
| PgTbl Entry 2                   |      |         |  |          |  |   |
| PgTbl Entry 1                   |      |         |  |          |  |   |
| PgTbl Entry 0                   |      |         |  |          |  |   |
| PgTbl Header Word $\rightarrow$ | Magi | MagicNO |  | EntryCNT |  |   |
|                                 | 31   | 24      |  | 19       |  | 0 |

uARM implements a Translation Lookaside Buffer (TLB) to translate logical addresses to physical ones, the buffer contains a specific amount of recently used PTEs and uses a random algorythm to select which entry to replace with a newly retrieved PTE. The number of available TLB slots is variable between 4 and 64 elements, it is conigurable through the settings window and needs a reset of the machine to effectively change.

Each time a memory access is requested, the memory subsystem checks if the requested virtual Page has a corresponding PTE in the TLB for the current ASID or with the G flag set, if this is the case it concatenates the physical frame address with the actual requested offset to access the right address.

If the necessary PTE is not present in the TLB, a TLB-Miss exception is raised and the BIOS reacts with a TLB Refill event, which executes the next steps:

- 1. Retrieve the PgTbl address from the Segment Table for the current ASID and required Segment.
- 2. Access the PgTbl and check if it is well-formed and well-located:
  - Address must be greater than 0x0000.8000,
  - Address must be word aligned,
  - PgTbl-Header must be valid (magic number is 0x2A),
  - PgTbl must not extend outside physical memory (e.g. [PgTbl addr + PgTbl size] < RAMTOP).
- 3. Linearly search the PgTbl for matching Virtual Page with correct ASID or G flag set.
- 4. If a matching PTE has been found, write it back in a random slot of the TLB and resume execution from the same instruction that raised the TLB-Miss exception, else raise a PTE-Miss exception.

The random algorythm uses all the TLB slots besides the first one (e.g. item 0) to ensure a safe entry is always available.

## Chapter 4

# BIOS & System Library

## 4.1 BIOS

## 4.1.1 Bootstrap Function

The bootstrap program bundled with uarm installation has initializes hardware facilities and starts execution.

The operation it performs are:

- 1. populate Exception Vector with Branch instructions to basic exception handling routines
- 2. set default Exception States Vector entries with Branch to PANIC instructions
- 3. retrieve entry point from kernel binary file
- 4. set execution mode to System mode with ARM ISA and all interrupts enabled
- 5. set exit point and ramtop value
- 6. clear all used scratch registers
- 7. jump to entry point

## 4.1.2 Low Level Hanlders

In addition to bootsrapping the machine, BIOS code provides low level exception handlers:

### **Undefined Instruction Exception Handler**

When an Undefined Instruction Exception is risen, the processor stores its internal state at the moment of the exception into the <u>Old Area</u> of the exception states vector relative to Undefined Exceptions and loads the content of the <u>New Area</u>.

## **Interrupts Exception Handlers**

For both Fast and regular Interrupt Exceptions the processor behaves in a way similar to Undefined Exceptions, it stores its state at the time of the interrupt and loads the New Area from Interrupts Exception States Vector's slot.

### Software Interrupt Handler

In addition to the regular operations (the same as the Undef and Interrupts handlers), in case of an SWI instruction the BIOS responds for known Low Level Services and sets the Cause register to the right value for the requested interruption (Syscall or Breakpoint).

### Data and Prefetch Exception Handlers

These two handlers share most of their code and perform special operations in case Virtual Memory is turned on:

- if VM is disabled, Abort Exceptions are treated as Undefined Exceptions,
- else low level TLB management is required.

In the latter case, the handler corrects the return address, setting it to the address of the faulting instruction and stores the processor state in the <u>TLB Old Area</u> of the Exception States Vector. It then checks if the Abort was labled as a TLB-Miss and, if it was the case, it performs the TLB Refill procedure described in Virtual Memory section.

### 4.1.3 Low Level Services

Low level services are requested by issuing a SWI instruction with the right parameter:

#### Halt

By executing SWI #1, the BIOS will print "SYSTEM HALTED." on Terminal 0 and shut down the virtual machine.

#### Panic

By executing SWI #2, the BIOS will print "KERNEL PANIC." on Terminal 0 and enter an infinite loop.

## LDST

A SWI #3 instruction will begin the loading of the processor state stored at the address specified by <u>a1</u> register to actual processor's registers, checking destination mode and setting only the right processor's registers window.

#### Wait

By executing SWI #4, the BIOS will put the machine in IDLE state waiting for an interrupt to wake the system up.

#### System Calls / Breakpoints

If a SWI #8 or SWI #9 instruction is executed, the syscall handler passes up the call, setting the right cause in CP15 Cause register.

## 4.2 System Library

System library is provided by <u>libuarm</u>, it offers a small but increasing set of methods to access low level functionalities.

## tprint(char \*s)

Print a '\0' terminated array of chars to Terminal 0.

This function uses busy waiting to wait for the device to be ready.

## HALT()

Run BIOS Halt function.

#### PANIC()

Run BIOS Panic function.

## WAIT()

Run BIOS Wait function.

## LDST(void \*addr)

Calls the BIOS function that loads the entire processor state from state\_t stored at addr address.

## STST(void \*addr)

Stores the actual processor state in state\_t structure pointed by addr.

# SYSCALL(unsigned int sysNum, unsigned int arg1, unsigned int arg2, unsigned int arg3)

Generates a software exception leading to kernel defined Syscall handler.

# BREAK(unsigned int arg0, unsigned int arg1, unsigned int arg2, unsigned int arg3)

Generates a software exception leading to kernel defined Breakpoint handler.

## getSTATUS() / setSTATUS()

Manipulate Current Program Status Register.

## getCAUSE() / setCAUSE()

Manipulate Exception/Interrupt Cause register.

### getTIMER() / setTIMER()

Manipulate Interval Timer.

## getTODHI() / getTODLO()

Returns the upper/lower part of Time of Day 64-bit register.

## getCONTROL() / setCONTROL()

Manipulate System Control Register.

## getTLB\_Index() / setTLB\_Index(unsigned int index)

Manipulate TLB Index register.

#### getTLB\_Random()

Returns TLB Random register.

# getEntryHi() / setEntryHi(unsigned int hi) / getEntryLo() / setEntryLo(unsigned int lo)

Manipulate TLB Entry Hi and Entry Low registers.

## $\mathbf{getBadVAddr}()$

Returns BadVAddr register, which contains the faulting address in case of Page Fault Exceptions.

## TLBWR()

Write the contents of EntryHi and EntryLo to the TLB slot indicated by TLB Random register value.

## TLBWI()

Write the contents of EntryHi and EntryLo to the TLB slot indicated by TLB Index register value.

## TLBR()

Read the contents of TLB slot indicated by TLB Index register value in EntryHi and EntryLo registers.

## TLBP()

Scan the TLB searching for a pair that matches VPN in EntryHi and ASID in EntryHi or that has G flag set in EntryLo and is Valid, if a match is found, its index in the TLB cache is stored as TLB Index register value, otherwise that register will have 31st bit set to 1.

## TLBCLR()

Set all TLB contents to 0.

## Chapter 5

## Notes

## 5.1 Compilers and compiling

## 5.1.1 Compilers

To compile a program to be run in uARM you need an ARM compiler in order to generate code that the cpu is able to understand.

If you happen to be running a machine wich is not ARM-based, you will need a cross-compiler (or better a cross-toolchain).

arm-linux-gnueabi and arm-none-eabi are the cross-toolchains with wich the program is tested so they are likely the most compatible, but any toolchain able to compile code for ARM7TDMI processor will work.

### 5.1.2 Compiling

When it comes the time to actually compile your code, be aware that you need to manually compile and then link each executable, because if gcc does all the work, it will include Linux system libraries as well. These libraries will try to "prepare" your program to be executed under Linux OS, adding initializing functions that will "break" execution in a bare metal system like uARM.

So remember to add -c option while compiling each source file as well as -mcpu=arm7tdmi to ensure maximum compatibility with the system.

When you have all the required object files, you have to link them together with

```
arm-some-abi-gcc -nostartfiles -T \\
/usr/include/uarm/ldscripts/elf32ltsarm.h.uarmcore.x \\
/usr/include/uarm/crtso.o
command (optionally you may want to add /usr/include/uarm/libuarm.o if
```

command (optionally you may want to add /usr/include/uarm/libuarm.o if you included system library in your code, you can also use elf32ltsarm.h.uarmaout.x script to link user mode programs).

The last tool needed for preparing code for execution is elf2uarm, it converts elf binary files into uarm elf files. The tool has three operating modes and two

options:

- -k: create kernel core file (extension \*.core.uarm) with symbol table map (extension \*.uarm.stab)
- -b : create bootstrap BIOS file (extension \*.rom.uarm)
- -a: create a.out user program file (extension \*.aout.uarm)
- -m : force creation of symbol table map
- -v : verbose mode

## 5.2 Binary Formats

Output file formats used for core and user program files (\*.core.uarm and \*.uarm files) are essentially based on ELF standard. They have the same structure:

- header section (16 header fields described below)
- .text segment
- optional .data segment

Header section has the following format:

```
0 AOUT_HE_TAG: Header TAG (aout.h defines different executable files magic numbers)
1 AOUT_HE_ENTRY: Program Entry Point
2 AOUT_HE_TEXT_VADDR: .text segment beginning virtual address
```

3 AOUT\_HE\_TEXT\_MEMSZ: .text segment actual Byte size

4 AOUT\_HE\_TEXT\_OFFSET: .text segment offset from Header section end

5 AOUT\_HE\_TEXT\_FILESZ: .text segment size (rounded to the next 4KB block)

6 AOUT\_HE\_DATA\_VADDR: .data segment beginning virtual address

7 AOUT\_HE\_DATA\_MEMSZ: .data segment actual Byte size

8 AOUT\_HE\_DATA\_OFFSET: .data segment offset from Header section end

9 AOUT\_HE\_DATA\_FILESZ: .data segment size (rounded to the next 4KB block)

the last 6 header fields are unused.

## 5.3 Hints

When writing Exception Handlers code, it is well advised to pay attetion to the Program Counter value stored in the Old Area. As described in Exception Handling section, each exception leave a different value in Link Return register and this value is automatically moved to Old Area pc from low level exception handlers, so, for example, when handling an interrupt, the Old Area PC has to be decreased by 4 to point to the right return instruction.

You may also want look closely to the Low Level Handlers section to better understand what actions are performed by the BIOS code.

## 5.4 Known bugs

- Thumb ISA is misbehaving with some Branch instructions
- Terminals shortcuts are still not working
- $\bullet$  If Symbol Table file is changed during execution the machine can misbehave