Softgun - A Software ARM 
---------------------------

Softgun is intended to emulate complete embedded Systems.
Currently five boards with Netsilicon NS9750 or Freescale i.MX21 and 
some additional components on PCI and I2C bus are supported.  

Compilation
-------------
Softgun requires a little Endian Linux machine  with a 
GNU Compiler installed. (It is known to work on IA32, AMD64 and ARM)
Type:

make
make install

For using the network you must give user of the emulator access
to /dev/net/tun and allow the user to execute  ifconfig using sudo.
Here a configuration example line for your /etc/sudoers

jkarrer   ALL=NOPASSWD: /sbin/ifconfig
jkarrer   ALL=NOPASSWD: /sbin/brctl


Usage
---------
Copy one of the files from the directory "configs" to "~/.emuconfig" 
Best use "configs/defaultconfig" if you do not know what you want.
Edit the ~/.emuconfig. It is required to change at least the paths. 
Run the emulator:

softgun flash.img


Byteorder
---------------

"softgun" is the binary for little endian memory system and
works with CPU in little endian or big endian mode.

The ARM CPU emulation can run in both byteorders.
Changing the endianess of  the CPU means that the CPU selects different byte
lanes for 16Bit and 8Bit accesses. If the CPU runs in big endian this
does NOT mean that the memory system is big endian. 

Running Big endian linux
------------------------
The ARM core of the real NS9750 goes to bigendian mode when the gpio 44 pin
is low during boot. In the emulator this is done in the configuration
file:    

[ns9750]
gpio44:         0       # Big Endian

Normally you want to run a big endian linux on softgun with a little
endian memory system. You have to store a big endian image in a little
endian memory. This means
you have to swap byteorder before or during loading. This is not a bug o
softgun. You have to do the same thing if you use a JTAG-programmer
which uses the Boundary scan mode. To avoid work, softgun can
convert the files which are loaded from the commandline to the memory or to
the flash image (binary, Intel-Hex or Srecord). 
The following configuration lines should be used whenever the memory system
Byteorder of your emulated system differs from the 32 Bit CPU Byteorder:

[loader]
swap32: 1 


Select Board
------------
softgun can emulate different Boards. You can select the
board in the global section of the config file:

[global]
board: NS9750DEV 

If you want to have a list of available boards, select some
nonsense. softgun will then display an error message with
a list of available boards

Every Board has a builtin default configuration. So you need
not specify RAM size and Flash Types if you want to use
the default types/sizes.

Loading Motorola S-Records
---------------------------
The filename must have the ending .srec
Start Addresses (S7, S8 and S9 records) found in S-Record file 
are currently ignored. Example:

softgun programm.srec

Loading Intel Hex Records
---------------------------
The filename must have the ending .hex
Start Addresses found in Hex-Record file are currently ignored 
Segmented address records are not implemented
Example:

softgun programm.hex

Current features
---------------------

ARM9 32Bit Instruction Set and DSP Extensions
MMU with 3 Entry first level TLB and 3*128 second level TLB and halt instruction
ARM PL172 Memory Controller
Serial line emulation redirected to stdin/stdout or real serial
NS9750 timer emulation in 32 Bit mode with interrupts
NS9750/NS9360 GPIO Port emulation
NS9750 OHCI USB-Controller not yet working but detected by Linux
NS9750 Interrupt Controller Emulation
NS9750 Ethernet Controller 
STE10/100 Tulip compatible Ethernet controller 
Davicom DM9000 Ethernet controller 
SJA-1000 CAN controller emulation in PeliCAN mode
AMD29LV640 and many other AMD compatible NOR Flash chips with writeback to file
I2C-Bus Emulation using GPIO ports with timing check
NS9750 CPU internal I2C master and slave
M24Cxx I2C-EEProms
PCF8563 Real time clock
PCF8591 and ADS7828 A/D Converters
PCF8574/8575 I2C IO-Expanders
PCA9544 I2C Multiplexer
LM75 Temperature Sensor (without National Semiconductor bug)
ARM PL190 Vectored Interrupt controller
Philips LPC2106 Timers

Emulation runs at 21MHz per Intel Celeron GHz

Missing Features
----------------
Debugger Interface and GUI
BBus DMA Controller
Complete the timers (16 Bit mode is missing for example)
Big Endian target support
LCD-Display Controller emulation
ELF-reader
NS9750 Builtin I2C-Controller
Big Endian host support
Add USB-Devices and complete the OHCI
MMU Modified Virtual address support (MVA)
Clean implementation of 8 Bit and 16 Bit IO-accesses to 32 Bit registers
Checks for correct DRAM setup because the emulator works with every timing.


Ethernet Emulation:
-----------------------

Ethernet emulation is only working when the emulator is
running on Linux.

By default the NS9750 builtin Ethernet Controller and
three STE10/100 Tulip Compatible PCI-Ethernet Controllers
are emulated.
The  Linux TAP Ethernet Tunnel /dev/net/tun is used.  
Make sure that this device file exists and the emulator user
has the right to use it. Make sure that the driver tun.ko coming with the 
linux kernel is loaded.  

For every emulated Ethernet Card there will be two IP addresses. One on Host side and
one in the emulated environment.
Host side IP-Addresses are configured in the configfile .emuconfig.  
For SUSE Linux 9.3 you have to disable the firewall for the emulator interfaces. 
On Emulator side the IP addresses have to be configured using the
OS running in the emulator. If the emulator runs linux this is done 
with ifconfig in the shell running in the emulator.

Example: 
Add the following section to the configfile:

[ns9750_eth]
host_ip: 192.168.81.3
host_ifname: emu0

After booting the emulator login as root and type:

root@emu # ifconfig eth0 192.168.81.10
root@emu # ping -c 1 192.168.81.3

Bridged networking
------------------
Softgun can attach to a already existing bridge in
your Linux Host. This is useful if you want to reach
the emulator not only from the host machine, or if you
want to connect many emulators to a cluster. 
Using a bridge only one IP address for the host is required
(or none if you only want to create a cluster of emulators and you 
do not want to reach the host from the emulator) 
and one IP address in the OS on emulator for every emulated Interface.
The following example shows how to configure a host
with IP address 192.168.2.3 and an emulator with 
Address 192.168.2.4 to appear on your LAN using eth0.

1. Step: Prepare your host machine
--------
- Install the linux bridge_utils.
- Create a bridge with 

#root@host # brctl addbr br0

- Configure Interfaces which should be part 
  of the bridge:

root@host # ifconfig eth0 0.0.0.0 up
root@host # brctl addif br0 eth0
root@host # ifconfig br0 192.168.2.3 up

2. Step: attach your emulator to the bridge
--------
Add to the emulator configuration file:

[ns9750_eth]
host_ifname: emu0
host_ip: 0.0.0.0
bridge: br0

3. Step
-------
Start the emulator and configure the interface in 
the emulator to be in the same subnet like the host. 
Under Linux this is done in the emulator shell:

root@emu:/ # ifconfig eth0 192.168.2.4


SJA1000 CAN Controller Emulation
--------------------------------
The SJA-1000 CAN controller emulator is accessible through
/dev/canX in the emulator. From the host system you can 
send and receive the CAN messages from/to a TCP-Server socket. 
The port numbers are given in the configuration file:

[lacc_can0]
port: 8530

[lacc_can1]
port: 8531

System Clock
------------
The timing source for the emulated System is the CPU cycle counter of the
emulated CPU (target).
During the ARM's MMU wait-for-interrupt instruction the system runs with
the full speed of the real CPU. During other instructions the emulator is
slower. The wait for Interrupt function catches up a maximum of 1/4 of a
second when system has fallen behind the speed of the real device.


Permanent Flash storage and EEPROM storage
-------------------------------------------
There is one storage directory for all images of your Flash chips and
EEProms in the global configuration section. You have to create this
directory manually

[global]   
imagedir: /home/user/softgun_images 

to the .emuconfig 
On first startup one file per flash/eeprom will be created. The file
has the same name like the chip instance.  

Images which are loaded to the flash from the commandline will overwrite 
the old contents of your flash partially. This way you can update your basic
 system while keeping the rest of the flash.

Flash statistics
----------------
Flash statistics is useful for estimating the livetime of your NOR flash device.
Flash statistics is written into your diskimage directory.

The file flash1.stat contains the erase counters and will be updated whenever a 
sector is erased which contains at least one bit which is 0. 
The file is an array of unsigned 32Bit Integers in host byte order. There is
one integer for each sector. 
You can read the statistics file with a hexdumper:

od -tx4 -Ax flash1.stat

Flash Types
-----------
Available types:
AM29LV800BT size 1024kB, sectorsize 64kB
AM29LV640ML size 8192kB, sectorsize 64kB
MBM29LV650UE size 8192kB, sectorsize 64kB
AM29LV256ML size 32768kB, sectorsize 64kB
SG29GL256MR2 size 32768kB, sectorsize 64kB
SG29GL128NR2 size 16384kB, sectorsize 128kB
SG29GL256NR2 size 32768kB, sectorsize 128kB
SG29GL512NR2 size 32768kB, sectorsize 128kB
MX29LV640BU size 8192kB, sectorsize 64kB

The Chips are always used in 16 Bit mode, a bank
can have one (1x16) or two chips (2x16).
When more than one chip per bank is used the 
Flash image and the Flash statistics are interleaved

Configuration Example:

[flash1]
type: AM29LV640ML 
chips: 1

Serial Interfaces
-----------------
The default configuration file connects serial-A to stdin:

[ns9750] 
serialA: /dev/stdin

Do not connect more than one serial emulation to the same
device.

Debugging with gdb
-------------------
softgun listens on gdb remote protocol when enabled in config file.
GDB interface implements only the minimal required functions. 
You need gdb-6.3 build for arm:

configure --target arm-elf
make

Configuration file example:

[gdebug]
host: 127.0.0.1
port: 4711

First start the emulator, then connect with gdb:

# gdb ~/linux.arm/vmlinux

GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=i686-pc-linux-gnu --target=arm-linux-elf"...

(gdb) target remote :4711
Remote debugging using :4711
<Press Ctrl-C here to stop target>
0xc033a018 in cpu_arm926_do_idle ()
(gdb) disas
Dump of assembler code for function cpu_arm926_do_idle:
0xc033a000 <cpu_arm926_do_idle+0>:      mov     r0, #0  ; 0x0
0xc033a004 <cpu_arm926_do_idle+4>:      mrc     15, 0, r1, cr1, cr0, {0}
0xc033a008 <cpu_arm926_do_idle+8>:      mcr     15, 0, r0, cr7, cr10, {4}
0xc033a00c <cpu_arm926_do_idle+12>:     bic     r2, r1, #4096   ; 0x1000
0xc033a010 <cpu_arm926_do_idle+16>:     mcr     15, 0, r2, cr1, cr0, {0}
0xc033a014 <cpu_arm926_do_idle+20>:     mcr     15, 0, r0, cr7, cr0, {4}
0xc033a018 <cpu_arm926_do_idle+24>:     mcr     15, 0, r1, cr1, cr0, {0}
0xc033a01c <cpu_arm926_do_idle+28>:     mov     pc, lr
End of assembler dump.
(gdb) detach
(gdb) quit


Security
----------
When you allow the User to modify your network using ifconfig he can mess up your
network configuration. Tcp connection to the gdb interface and the debugshell 
and connection to the CAN-Bus emulator socket are not encrypted and not 
protected with a password. Best configure them to allow connections only from
localhost (host: 127.0.0.1)  and disable them if you don't need them.
