CE5.0 - eboot烧写NK.nb0的详细流程

 CE5.0 - eboot烧写NK.nb0的详细流程

可以参考《CE5.0 - eboot加载NK.nb0的详细流程》

nk.nb0首先通过umon下载到DDR中,然后执行烧写操作,烧写到flash上.
PLATFORM/SMDK2440A/Src/Bootloader/Eboot/main.c
==>BootloaderMain
==>OEMPlatformInit  =>  MainMenu()从串口打印menu选择菜单
==>DownloadImage
        dwImageStart   =  *pdwImageStart    = 0x80001000; //0x80001000 & 0x8C200000;                    
        dwImageLength =  *pdwImageLength = 0x1500000;  // 21M 它给固定死了,而且仅仅21M,所以应该根据自己的nk.nb0的大小进行修改[luther.gliethttp]
        *pdwLaunchAddr   = 0x8002C794;// lanch地址也是固定的
            显示menu,根据选择烧写相应的文件,比如输入3表示烧写
        // Nk.nb0
        case '3':        
            EdbgOutputDebugString ("Nk.nb0 chosed.../r/n");    
            dwImageStart   =  *pdwImageStart = 0x80001000;         
             dwImageLength =  *pdwImageLength = 0x1500000;  
            *pdwLaunchAddr   = 0x8002c794;
            g_ImageType = IMAGE_TYPE_RAMIMAGE;//选择将要烧写的文件为Nk.nb0
        goto len;//接着接收用户输入的image文件大小[luther.gliethttp]

         mid:
                if (!g_DownloadManifest.dwNumRegions)//这是第一次调用g_DownloadManifest结构体,所以一定等于0
                {
                    g_DownloadManifest.dwNumRegions             = 1;//region总数为1
                    g_DownloadManifest.Region[0].dwRegionStart  = dwImageStart;//起始地址为nk.nb0加载地址,也是umon下载地址[luther.gliethttp]
                    g_DownloadManifest.Region[0].dwRegionLength = dwImageLength;//nk.nb0文件长度

                    // Provide the download manifest to the OEM.
                    //
                    if (g_pOEMMultiBINNotify)
                    {
//在OEMDebugInit中g_pOEMMultiBINNotify = OEMMultiBINNotify;进行了赋值.
                        g_pOEMMultiBINNotify((PDownloadManifest)&g_DownloadManifest);//仅定义1 region
                    }
                }
==>OEMMultiBINNotify
void OEMMultiBINNotify(const PMultiBINInfo pInfo)
{
    BYTE nCount;
    DWORD g_dwMinImageStart;

    OALMSG(OAL_FUNC, (TEXT("+OEMMultiBINNotify./r/n")));

    if (!pInfo || !pInfo->dwNumRegions)
    {
        OALMSG(OAL_WARN, (TEXT("WARNING: OEMMultiBINNotify: Invalid BIN region descriptor(s)./r/n")));
        return;
    }

    if (!pInfo->Region[0].dwRegionStart && !pInfo->Region[0].dwRegionLength)
    {
        return;
    }

    g_dwMinImageStart = pInfo->Region[0].dwRegionStart;//最小的地址

    OALMSG(TRUE, (TEXT("/r/nDownload BIN file information:/r/n")));
    OALMSG(TRUE, (TEXT("-----------------------------------------------------/r/n")));
    for (nCount = 0 ; nCount < pInfo->dwNumRegions ; nCount++)
    {
        OALMSG(TRUE, (TEXT("[%d]: Base Address=0x%x  Length=0x%x/r/n"),
            nCount, pInfo->Region[nCount].dwRegionStart, pInfo->Region[nCount].dwRegionLength));
        if (pInfo->Region[nCount].dwRegionStart < g_dwMinImageStart)
        {
            g_dwMinImageStart = pInfo->Region[nCount].dwRegionStart;
            if (g_dwMinImageStart == 0)
            {
                OALMSG(OAL_WARN, (TEXT("WARNING: OEMMultiBINNotify: Bad start address for region (%d)./r/n"), nCount));
                return;
            }
        }
    }

    memcpy((LPBYTE)&g_BINRegionInfo, (LPBYTE)pInfo, sizeof(MultiBINInfo));//ok,将BINinfo信息转储到全局变量g_BINRegionInfo中,以便其它单元引用到我们的nk.nb0这个image足够信息[luther.gliethttp]

    OALMSG(TRUE, (TEXT("-----------------------------------------------------/r/n")));
    OALMSG(OAL_FUNC, (TEXT("_OEMMultiBINNotify./r/n")));
}
==>if (OEMMapMemAddr (dwImageStart, dwImageStart + ROM_SIGNATURE_OFFSET) == ROM_SIGNATURE) 即nk.nb0的第0x40偏移处应该为0x43454345
        // Check for pTOC signature ("CECE") here, after image in place
        if (*(LPDWORD) OEMMapMemAddr (dwImageStart, dwImageStart + ROM_SIGNATURE_OFFSET) == ROM_SIGNATURE)
        {
//#define ROM_SIGNATURE_OFFSET   0x40         // Offset from the image's physfirst address to the ROM signature.
//#define ROM_SIGNATURE          0x43454345
//#define ROM_TOC_POINTER_OFFSET 0x44         // Offset from the image's physfirst address to the TOC pointer.
//#define ROM_TOC_OFFSET_OFFSET  0x48         // Offset from the image's physfirst address to the TOC offset (from physfirst).
//使用winhex在nk.nb0获得如下数据
//00000040 : 45 43 45 43 C8 ED 90 81 C8 DD 90 01 00 00 00 00
//所以dwImageStart + ROM_SIGNATURE_OFFSET + sizeof(ULONG)大小等于0x40+4=0x44所以对应的内容为0x8190EDC8
//在上面的DownloadImage中可以看到dwImageStart = 0x80001000;
//0x8190EDC8为TOC指针虚拟地址值,0x190DDC8为其对应的物理地址偏移
//所以0x8190EDC8 - 0x80001000 = 0x190DDC8
//其实这个差值就存储在了0x48偏移地址处[luther.gliethttp]
//dwpToc = *(LPDWORD)0x8190EDC8;取出该虚拟地址处的数据,即偏移0x190DDC8处的4字节数据
//使用winhex获得数据为
//E3 01 DA 01
//即:0x1DA01E3
//所以最后dwpToc = 0x1DA01E3 + g_dwROMOffset;//这里g_dwROMOffset因为没有地方对其赋值,所以其值为默认值0
//typedef struct ROMHDR {
//    ULONG   dllfirst;               // first DLL address
//    ULONG   dlllast;                // last DLL address
//    ULONG   physfirst;              // first physical address
//    ULONG   physlast;               // highest physical address
//    ULONG   nummods;                // number of TOCentry's
//    ULONG   ulRAMStart;             // start of RAM
//    ULONG   ulRAMFree;              // start of RAM free space
//    ULONG   ulRAMEnd;               // end of RAM
//    ULONG   ulCopyEntries;          // number of copy section entries
//    ULONG   ulCopyOffset;           // offset to copy section
//    ULONG   ulProfileLen;           // length of PROFentries RAM
//    ULONG   ulProfileOffset;        // offset to PROFentries
//    ULONG   numfiles;               // number of FILES
//    ULONG   ulKernelFlags;          // optional kernel flags from ROMFLAGS .bib config option
//    ULONG   ulFSRamPercent;         // Percentage of RAM used for filesystem
//                                        // from FSRAMPERCENT .bib config option
//                                        // byte 0 = #4K chunks/Mbyte of RAM for filesystem 0-2Mbytes 0-255
//                                        // byte 1 = #4K chunks/Mbyte of RAM for filesystem 2-4Mbytes 0-255
//                                        // byte 2 = #4K chunks/Mbyte of RAM for filesystem 4-6Mbytes 0-255
//                                        // byte 3 = #4K chunks/Mbyte of RAM for filesystem > 6Mbytes 0-255
//
//    ULONG   ulDrivglobStart;        // device driver global starting address
//    ULONG   ulDrivglobLen;          // device driver global length
//    USHORT  usCPUType;              // CPU (machine) Type
//    USHORT  usMiscFlags;            // Miscellaneous flags
//    PVOID   pExtensions;            // pointer to ROM Header extensions
//    ULONG   ulTrackingStart;        // tracking memory starting address
//    ULONG   ulTrackingLen;          // tracking memory ending address
//} ROMHDR;
//#define TOCentry_dwFileAttributes 0
//#define TOCentry_ftTime         4
//#define TOCentry_lpszFileSize   12
//#define TOCentry_lpszFileName   16
//#define TOCentry_ulE32Offset    20
//#define TOCentry_ulO32Offset    24
//#define TOCentry_ulLoadOffset   28
//#define SIZEOF_TOCentry         32
//typedef struct TOCentry {           // MODULE BIB section structure
//    DWORD dwFileAttributes;
//    FILETIME ftTime;
//    DWORD nFileSize;
//    LPSTR   lpszFileName;
//    ULONG   ulE32Offset;            // Offset to E32 structure
//    ULONG   ulO32Offset;            // Offset to O32 structure
//    ULONG   ulLoadOffset;           // MODULE load buffer offset
//} TOCentry, *LPTOCentry;
//0190DDC0 : 57 EF 50 00 58 00 00 00 E3 01 DA 01 00 00 00 02
//0190DDD0 : 00 10 00 80 94 0D 91 81 AD 00 00 00 00 00 20 8C
//0190DDE0 : 00 90 22 8C 00 00 00 8E 01 00 00 00 C0 3D C2 80
//0190DDF0 : 00 00 00 00 00 00 00 00 5A 00 00 00 02 00 00 00
//0190DE00 : 80 80 80 80 00 00 00 00 00 00 00 00 C2 01 02 00
//0190DE10 : 10 32 00 80 00 00 00 00 00 00 00 00 07 00 00 00 //07 00 00 00 开始为TOC,一共占32字节空间
//0190DE20 : D4 A3 9A 28 AB 1E C7 01 00 B0 06 00 F8 1F C5 80 //该4字节F8 1F C5 80为TOCentry_lpszFileName虚拟地址,其偏移值为0x80C51FF8 - 0x80001000 = 0xC50FF8
//0190DE30 : 84 CF 58 80 9C CF 1F 80 00 10 00 80 07 10 00 00 //从该07 10 00 00 00开始为下一个TOC,一共占32字节空间
//0190DE40 : 3A F3 8F 3C AB 1E C7 01 00 84 08 00 F4 5F 4D 80
//0190DE50 : 6C 5F C9 80 A0 0F C2 80 00 90 09 80 07 00 00 00
//从0x0190DDC8开始
//dllfirst  = 0x01DA01E3
//dlllast   = 0x20000000
//physfirst = 0x80001000
//physlast  = 0x81910D94
//nummods   = 0x000000AD
//ulRAMStart= 0x8C200000
//ulRAMFree = 0x8C229000
//ulRAMEnd  = 0x8E000000
//ulCopyEntries = 0x00000001
//ulCopyOffset  = 0x80C23DC0
//ulProfileLen  = 0x00000000
//ulProfileOffset   = 0x00000000
//numfiles  = 0x0000005A
//ulKernelFlags = 0x00000002
//ulFSRamPercent= 0x80808080
//ulDrivglobStart   = 0x00000000
//ulDrivglobLen = 0x00000000
//usCPUType = 0x01C2
//usMiscFlags   = 0x0002
//pExtensions   = 0x80003210
//ulTrackingStart   = 0x00000000
//ulTrackingLen = 0x00000000
//紧跟ROMHDR其后的为nummods个TOCentry结构体
            dwpToc = *(LPDWORD) OEMMapMemAddr (dwImageStart, dwImageStart + ROM_SIGNATURE_OFFSET + sizeof(ULONG));//OEMMapMemAddr直接返回dwImageStart + ROM_SIGNATURE_OFFSET + sizeof(ULONG))数值,即0x8190EDC8这个虚拟地址处的内容,0x8190EDC8虚拟地址对应的物理偏移值为0x190DDC8,该值位于0x48偏移处[luther.gliethttp]
            // need to map the content again since the pointer is going to be in a fixup address
            dwpToc = (DWORD) OEMMapMemAddr (dwImageStart, dwpToc + g_dwROMOffset);

            EdbgOutputDebugString ("ROMHDR at Address %Xh/r/n", dwImageStart + ROM_SIGNATURE_OFFSET + sizeof (DWORD)); // right after signature
        }
case BL_JUMP:
==>OEMLaunch
==>switch (g_ImageType)
    case IMAGE_TYPE_RAMIMAGE:
                g_pTOC->id[g_dwTocEntry].dwLoadAddress = dwImageStart;
                g_pTOC->id[g_dwTocEntry].dwTtlSectors = FILE_TO_SECTOR_SIZE(dwImageLength);
                if (!WriteOSImageToBootMedia(dwImageStart, dwImageLength, dwLaunchAddr))//写数据
                {
                    OALMSG(OAL_ERROR, (TEXT("ERROR: OEMLaunch: Failed to store image to Smart Media./r/n")));
                    goto CleanUp;
                }

                if (dwLaunchAddr && (g_pTOC->id[g_dwTocEntry].dwJumpAddress != dwLaunchAddr))
                {
                    //*pdwLaunchAddr   = 0x8002C794;// 我们的lanch地址也是固定的
                    g_pTOC->id[g_dwTocEntry].dwJumpAddress = dwLaunchAddr;//修改跳转地址到位于block块1区的TOC数据
                    if ( !TOC_Write() ) {//回写TOC到block块1
                        EdbgOutputDebugString("*** OEMLaunch ERROR: TOC_Write failed! Next boot may not load from disk *** /r/n");
                    }
                    TOC_Print();
                }
                else
                {
                    dwLaunchAddr= g_pTOC->id[g_dwTocEntry].dwJumpAddress;
                    EdbgOutputDebugString("INFO: using TOC[%d] dwJumpAddress: 0x%x/r/n", g_dwTocEntry, dwLaunchAddr);
                }
                                
                break;
    //然后就执行Lanch()登陆.
    // Jump to downloaded image (use the physical address since we'll be turning the MMU off)...
    //
    dwPhysLaunchAddr = (DWORD)OALVAtoPA((void *)dwLaunchAddr);//根据位于PLATFORM/SMDK2440A/Src/Inc/oemaddrtab_cfg.inc下的g_oalAddressTable定义的转换表,将虚拟地址转为对应的物理地址
    OALMSG(TRUE, (TEXT("INFO: OEMLaunch: Jumping to Physical Address 0x%Xh (Virtual Address 0x%Xh).../r/n/r/n/r/n"), dwPhysLaunchAddr, dwLaunchAddr));//打印该log信息

    // Jump...
    //
    Launch(dwPhysLaunchAddr);//执行PLATFORM/SMDK2440A/Src/Bootloader/Eboot/util.s|32| LEAF_ENTRY Launch中定义的Lanuch函数,代码见下面[lutehr.gliethttp]


/*
    @func   BOOL | WriteOSImageToBootMedia | Stores the image cached in RAM to the Boot Media.
    The image may be comprised of one or more BIN regions.
    @rdesc  TRUE = Success, FALSE = Failure.
    @comm
    @xref
*/
BOOL WriteOSImageToBootMedia(DWORD dwImageStart, DWORD dwImageLength, DWORD dwLaunchAddr)
{
    BYTE nCount;
    DWORD dwNumExts;
    PXIPCHAIN_SUMMARY pChainInfo = NULL;
    EXTENSION *pExt = NULL;
    DWORD dwBINFSPartLength = 0;
    HANDLE hPart, hPartEx;
    DWORD dwStoreOffset;
    DWORD dwMaxRegionLength[BL_MAX_BIN_REGIONS] = {0};
    DWORD dwChainStart, dwChainLength;
    
    //  Initialize the variables
    dwChainStart = dwChainLength = 0;

    OALMSG(OAL_FUNC, (TEXT("+WriteOSImageToBootMedia/r/n")));
    OALMSG(OAL_INFO, (TEXT("+WriteOSImageToBootMedia: g_dwTocEntry =%d, ImageStart: 0x%x, ImageLength: 0x%x, LaunchAddr:0x%x/r/n"),
                            g_dwTocEntry, dwImageStart, dwImageLength, dwLaunchAddr));

    if ( !g_bBootMediaExist )
    {
        OALMSG(OAL_ERROR, (TEXT("ERROR: WriteOSImageToBootMedia: device doesn't exist./r/n")));
        return(FALSE);
    }

    if ( !VALID_TOC(g_pTOC) )
    {
        OALMSG(OAL_WARN, (TEXT("WARN: WriteOSImageToBootMedia: INVALID_TOC/r/n")));
        if ( !TOC_Init(g_dwTocEntry, g_ImageType, dwImageStart, dwImageLength, dwLaunchAddr) )
        {
            OALMSG(OAL_ERROR, (TEXT("ERROR: INVALID_TOC/r/n")));
            return(FALSE);
        }
    }

    // Look in the kernel region's extension area for a multi-BIN extension descriptor.
    // This region, if found, details the number, start, and size of each BIN region.
    // 这里我们只有nk.nb0一个region需要烧写
    for (nCount = 0, dwNumExts = 0 ; (nCount < g_BINRegionInfo.dwNumRegions); nCount++)
    {
        // Does this region contain nk.exe and an extension pointer?
        //我们这里返回的数值就是0x80003210,对其分析见后面[luther.gliethttp]
        //对应的nk.nb0偏移值为0x80003210 - 0x80001000 = 0x2210
        pExt = (EXTENSION *)GetKernelExtPointer(g_BINRegionInfo.Region[nCount].dwRegionStart,
                                                g_BINRegionInfo.Region[nCount].dwRegionLength );
        if ( pExt != NULL)
        {
//#define PID_LENGTH 10
//typedef struct ROMPID {
//  union{
//    DWORD dwPID[PID_LENGTH];        // PID 可见该union一共40字节数据
//    struct{
//      char  name[(PID_LENGTH - 4) * sizeof(DWORD)];
//      DWORD type;
//      PVOID pdata;
//      DWORD length;
//      DWORD reserved;
//    };
//  };
//  PVOID pNextExt;                 // pointer to next extension if any
//} ROMPID, EXTENSION;
//所以一共占用了44字节数据
//0x2210 ~ 0x2210 + 44空间全部为0,所以不会找到"chain information"
            // If there is an extension pointer region, walk it until the end.
            //
            while (pExt)
            {
                DWORD dwBaseAddr = g_BINRegionInfo.Region[nCount].dwRegionStart;
                pExt = (EXTENSION *)OEMMapMemAddr(dwBaseAddr, (DWORD)pExt);
                OALMSG(OAL_INFO, (TEXT("INFO: OEMLaunch: Found chain extenstion: '%s' @ 0x%x/r/n"), pExt->name, dwBaseAddr));
                if ((pExt->type == 0) && !strcmp(pExt->name, "chain information"))
                {
                    pChainInfo = (PXIPCHAIN_SUMMARY) OEMMapMemAddr(dwBaseAddr, (DWORD)pExt->pdata);
                    dwNumExts = (pExt->length / sizeof(XIPCHAIN_SUMMARY));
                    OALMSG(OAL_INFO, (TEXT("INFO: OEMLaunch: Found 'chain information' (pChainInfo=0x%x  Extensions=0x%x)./r/n"), (DWORD)pChainInfo, dwNumExts));
                    break;
                }
                pExt = (EXTENSION *)pExt->pNextExt;
            }
        }
        else {
            //  Search for Chain region. Chain region doesn't have the ROMSIGNATURE set
            DWORD   dwRegionStart = g_BINRegionInfo.Region[nCount].dwRegionStart;
            DWORD   dwSig = *(LPDWORD) OEMMapMemAddr(dwRegionStart, dwRegionStart + ROM_SIGNATURE_OFFSET);

            if ( dwSig != ROM_SIGNATURE) {
                //  It is the chain
                dwChainStart = dwRegionStart;
                dwChainLength = g_BINRegionInfo.Region[nCount].dwRegionLength;
                OALMSG(TRUE, (TEXT("Found the Chain region: StartAddress: 0x%X; Length: 0x%X/n"), dwChainStart, dwChainLength));
            }
        }
    }

    // Determine how big the Total BINFS partition needs to be to store all of this.
    //
    if (pChainInfo && dwNumExts == g_BINRegionInfo.dwNumRegions)    // We're downloading all the regions in a multi-region image...
    {
        DWORD i;
        OALMSG(TRUE, (TEXT("Writing multi-regions/r/n")));

        for (nCount = 0, dwBINFSPartLength = 0 ; nCount < dwNumExts ; nCount++)
        {
            dwBINFSPartLength += (pChainInfo + nCount)->dwMaxLength;
            OALMSG(OAL_ERROR, (TEXT("BINFSPartMaxLength[%u]: 0x%x, TtlBINFSPartLength: 0x%x /r/n"),
                nCount, (pChainInfo + nCount)->dwMaxLength, dwBINFSPartLength));

            // MultiBINInfo does not store each Regions MAX length, and pChainInfo is not in any particular order.
            // So, walk our MultiBINInfo matching up pChainInfo to find each regions MAX Length
            for (i = 0; i < dwNumExts; i++) {
                if ( g_BINRegionInfo.Region[i].dwRegionStart == (DWORD)((pChainInfo + nCount)->pvAddr) ) {
                    dwMaxRegionLength[i] = (pChainInfo + nCount)->dwMaxLength;
                    OALMSG(TRUE, (TEXT("dwMaxRegionLength[%u]: 0x%x /r/n"), i, dwMaxRegionLength[i]));
                    break;
                }
            }
        }

    }
    else    // A single BIN file or potentially a multi-region update (but the partition's already been created in this latter case).
    {
        //我们的下载程序将执行到这里[luther.gliethttp]
        dwBINFSPartLength = g_BINRegionInfo.Region[0].dwRegionLength;
        OALMSG(TRUE, (TEXT("Writing single region/multi-region update, dwBINFSPartLength: %u /r/n"), dwBINFSPartLength));
    }

    // Open/Create the BINFS partition where images are stored.  This partition starts immediately after the MBR on the Boot Media and its length is
    // determined by the maximum image size (or sum of all maximum sizes in a multi-region design).
    // Parameters are LOGICAL sectors.
    //
    //为nk.nb0建立主分区,管理(IMAGE_START_BLOCK+1)*PAGES_PER_BLOCK开始的扇区,管理大小为SECTOR_TO_BLOCK_SIZE(FILE_TO_SECTOR_SIZE(dwBINFSPartLength))*PAGES_PER_BLOCK
    //将该分区所有信息登记到了MBR中,hPart为申请到的主分区表指针[luther.gliethttp]
    hPart = BP_OpenPartition( (IMAGE_START_BLOCK+1)*PAGES_PER_BLOCK,    // next block of MBR
                              SECTOR_TO_BLOCK_SIZE(FILE_TO_SECTOR_SIZE(dwBINFSPartLength))*PAGES_PER_BLOCK, // align to block
                              PART_BINFS,
                              TRUE,
                              PART_OPEN_ALWAYS);

    if (hPart == INVALID_HANDLE_VALUE )
    {
        OALMSG(OAL_ERROR, (TEXT("ERROR: WriteOSImageToBootMedia: Failed to open/create partition./r/n")));
        return(FALSE);
    }

    // Are there multiple BIN files in RAM (we may just be updating one in a multi-BIN solution)?
    //
    for (nCount = 0, dwStoreOffset = 0; nCount < g_BINRegionInfo.dwNumRegions ; nCount++)
    {
        DWORD dwRegionStart  = (DWORD)OEMMapMemAddr(0, g_BINRegionInfo.Region[nCount].dwRegionStart);//我们这里就是nk.nb0下载地址0x32001000对应的虚拟地址为0x80001000

        DWORD dwRegionLength = g_BINRegionInfo.Region[nCount].dwRegionLength;

        // Media byte offset where image region is stored.
        dwStoreOffset += nCount ? dwMaxRegionLength[nCount-1] : 0;//如果是MultiBin,那么将一个挨一个的紧凑存储,其紧凑度由dwStoreOffset偏移指针控制,这个偏移指针数值就是这里所谓的
        //逻辑地址[luther.gliethttp]

        // Set the file pointer (byte indexing) to the correct offset for this particular region.
        //
        if ( !BP_SetDataPointer(hPart, dwStoreOffset) )//从该分区的dwStoreOffset(以字节为单位)逻辑地址开始
        {
            OALMSG(OAL_ERROR, (TEXT("ERROR: StoreImageToBootMedia: Failed to set data pointer in partition (offset=0x%x)./r/n"), dwStoreOffset));
            return(FALSE);
        }

        // Write the region to the BINFS partition.
        //
        if ( !BP_WriteData(hPart, (LPBYTE)dwRegionStart, dwRegionLength) )//将数据顺序写到dwStoreOffset(以字节为单位)开始的地址后,长度dwRegionLength,代码见后面.[luther.gliethttp]
        {
            EdbgOutputDebugString("ERROR: StoreImageToBootMedia: Failed to write region to BINFS partition (start=0x%x, length=0x%x)./r/n", dwRegionStart, dwRegionLength);
            return(FALSE);
        }
        
        // update our TOC?
        //
        if ((g_pTOC->id[g_dwTocEntry].dwLoadAddress == g_BINRegionInfo.Region[nCount].dwRegionStart) &&
             g_pTOC->id[g_dwTocEntry].dwTtlSectors == FILE_TO_SECTOR_SIZE(dwRegionLength) )
        {
            //我们的符合该条件,所以执行了下面语句[luther.gliethttp]
            g_pTOC->id[g_dwTocEntry].dwStoreOffset = dwStoreOffset;//对期望Toc进行写操作,那么保存它的存储逻辑地址(以字节为单位)[luther.gliethttp]
            g_pTOC->id[g_dwTocEntry].dwJumpAddress = 0; // Filled upon return to OEMLaunch

            g_pTOC->id[g_dwTocEntry].dwImageType = g_ImageType;

            g_pTOC->id[g_dwTocEntry].sgList[0].dwSector = FILE_TO_SECTOR_SIZE(g_dwLastWrittenLoc);
            g_pTOC->id[g_dwTocEntry].sgList[0].dwLength = g_pTOC->id[g_dwTocEntry].dwTtlSectors;

            // copy Kernel Region to SDRAM for jump
            memcpy((void*)g_pTOC->id[g_dwTocEntry].dwLoadAddress, (void*)dwRegionStart, dwRegionLength);

            OALMSG(TRUE, (TEXT("Updateded TOC!/r/n")));
        }
        else if( (dwChainStart == g_BINRegionInfo.Region[nCount].dwRegionStart) &&
                 (dwChainLength == g_BINRegionInfo.Region[nCount].dwRegionLength))
        {
            //我们的没有执行到这里
            //  Update our TOC for Chain region
            g_pTOC->chainInfo.dwLoadAddress = dwChainStart;
            g_pTOC->chainInfo.dwFlashAddress = FILE_TO_SECTOR_SIZE(g_dwLastWrittenLoc);
            //在BP_WriteData()中对g_dwLastWrittenLoc进行了更新,
            //g_dwLastWrittenLoc = dwBlock * g_dwDataBytesPerBlock + dwOffsetBlock;//记录现在写的是第几个字节(物理地址)[luther.gliethttp]
            g_pTOC->chainInfo.dwLength = FILE_TO_SECTOR_SIZE(dwMaxRegionLength[nCount]);

            OALMSG(TRUE, (TEXT("Written Chain Region to the Flash/n")));
            OALMSG(TRUE, (TEXT("LoadAddress = 0x%X; FlashAddress = 0x%X; Length = 0x%X/n"),
                                  g_pTOC->chainInfo.dwLoadAddress,
                                  g_pTOC->chainInfo.dwFlashAddress,
                                  g_pTOC->chainInfo.dwLength));
            // Now copy it to the SDRAM
            memcpy((void *)g_pTOC->chainInfo.dwLoadAddress, (void *)dwRegionStart, dwRegionLength);
        }
    }

    // create extended partition in whatever is left
    //
    //为系统创建扩展分区,
    //1.eboot.nb0主分区
    //2.nk.nb0主分区
    //3.扩展分区[luther.gliethttp]
    hPartEx = BP_OpenPartition( NEXT_FREE_LOC,
                                USE_REMAINING_SPACE,
                                PART_DOS32,
                                TRUE,
                                PART_OPEN_ALWAYS);

    if (hPartEx == INVALID_HANDLE_VALUE )
    {
        OALMSG(OAL_WARN, (TEXT("*** WARN: StoreImageToBootMedia: Failed to open/create Extended partition ***/r/n")));
    }

    OALMSG(OAL_FUNC, (TEXT("-WriteOSImageToBootMedia/r/n")));

    return(TRUE);//好了nk.nb0对应的MBR也创建了,nk.nb0也写进去了,对应的位于1块的TOC数据也更新了,扩展分区也创建了,工作完成了,返回ok.[luther.gliethttp]
}

/*
    @func   PVOID | GetKernelExtPointer | Locates the kernel region's extension area pointer.
    @rdesc  Pointer to the kernel's extension area.
    @comm    
    @xref   
*/
PVOID GetKernelExtPointer(DWORD dwRegionStart, DWORD dwRegionLength)
{
    DWORD dwCacheAddress = 0;
    ROMHDR *pROMHeader;
    DWORD  dwNumModules = 0;
    TOCentry *pTOC;

    if (dwRegionStart == 0 || dwRegionLength == 0)
        return(NULL);

    if (*(LPDWORD) OEMMapMemAddr (dwRegionStart, dwRegionStart + ROM_SIGNATURE_OFFSET) != ROM_SIGNATURE)//首先检查该region的ROM标志值是否正确[luther.gliethttp]
        return NULL;


    // A pointer to the ROMHDR structure lives just past the ROM_SIGNATURE (which is a longword value).  Note that
    // this pointer is remapped since it might be a flash address (image destined for flash), but is actually cached
    // in RAM.
    //
    dwCacheAddress = *(LPDWORD) OEMMapMemAddr (dwRegionStart, dwRegionStart + ROM_SIGNATURE_OFFSET + sizeof(ULONG));//我们这里就是0x44偏移处的值
    pROMHeader     = (ROMHDR *) OEMMapMemAddr (dwRegionStart, dwCacheAddress);
    
//从0x0190DDC8开始,pROMHeader = 0x0190DDC8偏移处对应的虚拟地址0x8190EDC8,通过使用winhex分析后数据如下:
//dllfirst  = 0x01DA01E3
//dlllast   = 0x20000000
//physfirst = 0x80001000
//physlast  = 0x81910D94
//nummods   = 0x000000AD
//ulRAMStart= 0x8C200000
//ulRAMFree = 0x8C229000
//ulRAMEnd  = 0x8E000000
//ulCopyEntries = 0x00000001
//ulCopyOffset  = 0x80C23DC0
//ulProfileLen  = 0x00000000
//ulProfileOffset   = 0x00000000
//numfiles  = 0x0000005A
//ulKernelFlags = 0x00000002
//ulFSRamPercent= 0x80808080
//ulDrivglobStart   = 0x00000000
//ulDrivglobLen = 0x00000000
//usCPUType = 0x01C2
//usMiscFlags   = 0x0002
//pExtensions   = 0x80003210
//ulTrackingStart   = 0x00000000
//ulTrackingLen = 0x00000000
//紧跟ROMHDR其后的为nummods个TOCentry结构体
//
//00C50FF0 : 74 65 00 00 DC 5F 03 00 6E 6B 2E 65 78 65 00 00  这里6E 6B 2E 65 78 65就是nk.exe
//所以可见在nk.nb0中含有nk.exe字符串的偏移位置为C50FF8
//对应的虚拟的地址为0x80001000 + C50FF8 = 0x80C51FF8其在小段存储模式内存中的十六进制数据为F8 1F C5 80
//使用BC3查找该十六进制串
//就在0190DE2B偏移处.
    // Make sure sure are some modules in the table of contents.
    //
    if ((dwNumModules = pROMHeader->nummods) == 0)
        return NULL;

    // Locate the table of contents and search for the kernel executable and the TOC immediately follows the ROMHDR.
    //
    pTOC = (TOCentry *)(pROMHeader + 1);
    

    while(dwNumModules--) {        
        char* pFileName = OEMMapMemAddr(dwRegionStart, (DWORD)pTOC->lpszFileName);
//改名字在我编译出的nk.nb0的0190DE2B偏移处,刚好为第1个TOC
        if (!strcmp((const char *)pFileName, "nk.exe")) {//找到名字为"nk.exe"的TOC,我们可以在这里打印出所有的TOC名字来进一步了解CE内核结构[luther.gliethttp]
            return ((PVOID)(pROMHeader->pExtensions));//ok,这个该image是合法的nk.nb0,返回pROMHeader->pExtensions数据,这里就是0x80003210
        }
    
        ++pTOC;    
    }
    return NULL;//否则NULL
}

BOOL BP_SetDataPointer (HANDLE hPartition, DWORD dwAddress)
{
    if (hPartition == INVALID_HANDLE_VALUE)
        return FALSE;

    RETAILMSG(1,(TEXT("BP_SetDataPointer at 0x%x/r/n"), dwAddress));
    
    PPARTSTATE pPartState = (PPARTSTATE) hPartition;

    if (dwAddress >= pPartState->pPartEntry->Part_TotalSectors * g_FlashInfo.wDataBytesPerSector)
        return FALSE;
/*
typedef struct _PARTSTATE {
        PPARTENTRY  pPartEntry;
        DWORD         dwDataPointer;        // Pointer to where next read and write will occur
} PARTSTATE, *PPARTSTATE;
*/
    pPartState->dwDataPointer = dwAddress;//对该分区执行读写的逻辑扇区地址,也就是偏移地址[luther.gliethttp]
    return TRUE;
   
}

//将pbBuffer中dwLength个字节数据写到hPartition分区,写入该分区的逻辑扇区地址在BP_SetDataPointer()中已经进行了设置[luther.gliethttp]
BOOL BP_WriteData(HANDLE hPartition, LPBYTE pbBuffer, DWORD dwLength)
{
    if (hPartition == INVALID_HANDLE_VALUE)
        return FALSE;
    
    DWORD dwNumBlocks;
    PPARTSTATE pPartState = (PPARTSTATE) hPartition;
    DWORD dwNextPtrValue = pPartState->dwDataPointer + dwLength;

    RETAILMSG (1, (TEXT("WriteData: Start = 0x%x, Length = 0x%x./r/n"), pPartState->dwDataPointer, dwLength));

    if (!pbBuffer || !g_pbBlock || dwLength == 0) {
        RETAILMSG(1,(TEXT("BP_WriteData Fails.  pbBuffer = 0x%x, g_pbBlock = 0x%x, dwLength = 0x%x/r/n"), pbBuffer, g_pbBlock, dwLength));
        return(FALSE);
    }

    // Check to make sure buffer size is within limits of partition
    // 检查写入该分区的数据是否超过该扇区所管理的扇区总数[luther.gliethttp]
    if (((dwNextPtrValue - 1) / g_FlashInfo.wDataBytesPerSector) >= pPartState->pPartEntry->Part_TotalSectors) {
        RETAILMSG (1, (TEXT("WriteData: trying to write past end of partition./r/n")));
        return FALSE;
    }

    // Get the starting physical block
    // 获取dwDataPointer写入/读取指针所在的块号,经过Log2Phys转换之后dwBlock就是实际的物理块号了[luther.gliethttp]
    DWORD dwBlock = Log2Phys (pPartState->dwDataPointer / g_FlashInfo.wDataBytesPerSector + pPartState->pPartEntry->Part_StartSector) / g_FlashInfo.wSectorsPerBlock;
    //计算以该主分区起始地址为基址的块号[luther.gliethttp]
    DWORD dwOffsetBlock = (pPartState->dwDataPointer + pPartState->pPartEntry->Part_StartSector * g_FlashInfo.wDataBytesPerSector) % g_dwDataBytesPerBlock;//计算待写的指针为该块中第几个字节

    // Update the global indicating last written physical address.  Global variable is used by the caller.
    g_dwLastWrittenLoc = dwBlock * g_dwDataBytesPerBlock + dwOffsetBlock;//记录现在写的是第几个字节(物理地址)[luther.gliethttp]

    // If current pointer is not on a block boundary, copy bytes up to the first block boundary
    if (dwOffsetBlock)
    {
        //待写入sector非block开始边界,那么调整为整block,所以先写入非整block的头部数据,之后数据就是整block开始了,这样对大数据读写可以达到加速效果[luther.gliethttp]
        if (!ReadBlock(dwBlock, g_pbBlock, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to read block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }
        
        DWORD dwNumBytesWrite = g_dwDataBytesPerBlock - dwOffsetBlock;//需要向该block写入的多少个字节数据,从dwOffsetBlock开始写[luther.gliethttp]
        if (dwNumBytesWrite > dwLength)//写入数据大小不会超过该block.
            dwNumBytesWrite = dwLength;

        memcpy(g_pbBlock + dwOffsetBlock, pbBuffer, dwNumBytesWrite);//1.拷贝数据  

        if (!FMD_EraseBlock(dwBlock)) {//2.擦
            RETAILMSG (1, (TEXT("WriteData: failed to erase block (0x%x)./r/n"), dwBlock));
            return FALSE;
        }

        if (!WriteBlock(dwBlock, g_pbBlock, g_pSectorInfoBuf)) {//3.写
            RETAILMSG (1, (TEXT("WriteData: failed to write block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }
        
        dwLength -= dwNumBytesWrite;//长度调整
        pbBuffer += dwNumBytesWrite;//将数据调整到整块边界[luther.gliethttp]
        dwBlock++;
    }
    //好了,经过上面调整之后,数据指针已经调整为下一个block的边界值了[ltuher.gliethttp]
    // Compute number of blocks.
    dwNumBlocks = (dwLength / g_dwDataBytesPerBlock);
    
    while (dwNumBlocks--)
    {
        // If the block is marked bad, skip to next block.  Note that the assumption in our error checking
        // is that any truely bad block will be marked either by the factory during production or will be marked
        // during the erase and write verification phases.  If anything other than a bad block fails ECC correction
        // in this routine, it's fatal.
        if (IS_BLOCK_UNUSABLE(dwBlock))//该物理块是否损坏
        {
            ++dwBlock;//继续下一块
            //表示我们跳过该物理块,所以应该++dwNumBlocks;恢复
            ++dwNumBlocks;        // Compensate for fact that we didn't write any blocks.
            continue;
        }

        if (!ReadBlock(dwBlock, NULL, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to read block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }

        if (!FMD_EraseBlock(dwBlock)) {
            RETAILMSG (1, (TEXT("WriteData: failed to erase block (0x%x)./r/n"), dwBlock));
            return FALSE;
        }

        if (!WriteBlock(dwBlock, pbBuffer, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to write block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }

        ++dwBlock;
        pbBuffer += g_dwDataBytesPerBlock;//ok,开始写吧,开始循环吧[luther.gliethttp]
    }

    DWORD dwNumExtraBytes = (dwLength % g_dwDataBytesPerBlock);//看看收尾是否还需要向下一个block开头部分写些数据
    if (dwNumExtraBytes)
    {
        //还有数据需要写
        // Skip bad blocks
        while (IS_BLOCK_UNUSABLE(dwBlock))
        {
            dwBlock++;//找到紧邻的下一个好块[luther.gliethttp]
            if (dwBlock >= g_FlashInfo.dwNumBlocks)
            {
                // This should never happen since partition has already been created
                RETAILMSG (1, (TEXT("WriteData: corrupt partition.  Reformat flash./r/n")));                
                return FALSE;
            }
            
        }
        
        if (!ReadBlock(dwBlock, g_pbBlock, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to read block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }
        
        memcpy(g_pbBlock, pbBuffer, dwNumExtraBytes);   //向该block开头追加未写完的跨块的数据[luther.gliethttp]

        if (!FMD_EraseBlock(dwBlock)) {
            RETAILMSG (1, (TEXT("WriteData: failed to erase block (0x%x)./r/n"), dwBlock));
            return FALSE;
        }

        if (!WriteBlock(dwBlock, g_pbBlock, g_pSectorInfoBuf)) {
            RETAILMSG (1, (TEXT("WriteData: failed to write block (0x%x)./r/n"), dwBlock));
            return(FALSE);
        }
        
    }

    pPartState->dwDataPointer = dwNextPtrValue;//该分区写一次数据发生写入操作时的物理地址,以字节为单位进行计算[luther.gliethttp]
    return(TRUE);
}

static DWORD Log2Phys (DWORD dwLogSector) //该dwLogSector数值已经是加过其在主分区的主分区地址了
{
    // Determine logical block number
    DWORD dwLogBlock = dwLogSector / g_FlashInfo.wSectorsPerBlock;

    // Start searching at the MBR block
    if (g_dwMBRSectorNum == INVALID_ADDR) {
        RETAILMSG(1, (TEXT("Log2Phys: MBR sector number is invalid./r/n")));        
        return INVALID_ADDR;
    }
    DWORD dwPhysBlock = g_dwMBRSectorNum / g_FlashInfo.wSectorsPerBlock;//g_dwMBRSectorNum为第一个18块开始之后的第一个好块,对该原因的分析见上面[luther.gliethttp]
    //这就是和主分区地址相加之后dwLogSector的物理基地址了[luther.gliethttp]

    if (dwLogBlock >= g_FlashInfo.dwNumBlocks)
        return INVALID_ADDR;

    // The physical block will be the number of logical blocks plus the number of bad blocks
    // starting from the MBR block.
    while (dwLogBlock--) {//找到dwLogBlock块对应的物理块,坏块将只是简单的对物理块地址进行加1操作,简单的略过,之后计算出最终的物理地址[luther.gliethttp]
        dwPhysBlock++;
        while (IS_BLOCK_UNUSABLE (dwPhysBlock) && dwPhysBlock < g_FlashInfo.dwNumBlocks) {
            dwPhysBlock++;
        }
        if (dwPhysBlock >= g_FlashInfo.dwNumBlocks)
            return INVALID_ADDR;
    }

    //打log数据
    RETAILMSG(1, (TEXT("Log2Phys: Logical 0x%x -> Physical 0x%x/r/n"), dwLogSector, dwPhysBlock * g_FlashInfo.wSectorsPerBlock + (dwLogSector % g_FlashInfo.wSectorsPerBlock)));
    //MBR
    return dwPhysBlock * g_FlashInfo.wSectorsPerBlock + (dwLogSector % g_FlashInfo.wSectorsPerBlock);//返回dwLogSector所在的物理sector地址
    //wince对nand的坏块不做任何维护性处理,只是简单的跳过,这和linux下存在BBT(Bad Block Table)坏块表不一样[luther.gliethttp]
}

//根据位于PLATFORM/SMDK2440A/Src/Inc/oemaddrtab_cfg.inc下的g_oalAddressTable定义的转换表,将虚拟地址转为对应的物理地址
UINT32 OALVAtoPA(VOID *pVA)
{
    OAL_ADDRESS_TABLE *pTable = g_oalAddressTable;
    UINT32 va = (UINT32)pVA;
    UINT32 pa = 0;

    OALMSG(OAL_MEMORY&&OAL_FUNC, (L"+OALVAtoPA(0x%08x)/r/n", pVA));

    // Virtual address must be in CACHED or UNCACHED regions.
    if (va < 0x80000000 || va >= 0xC0000000) {
        OALMSG(OAL_ERROR, (
            L"ERROR:OALVAtoPA: invalid virtual address 0x%08x/r/n", pVA
        ));
        goto cleanUp;
    }

    // Address must be cached, as entries in OEMAddressTable are cached address.
    va = va&~OAL_MEMORY_CACHE_BIT;

    // Search the table for address range
    while (pTable->size != 0) {
        if (va >= pTable->CA && va <= pTable->CA + (pTable->size << 20) - 1) {
            break;
        }
        pTable++;
    }

    // If address table entry is valid compute the PA
    if (pTable->size != 0) pa = pTable->PA + va - pTable->CA;

cleanUp:
    // Indicate physical address
    OALMSG(OAL_MEMORY&&OAL_FUNC, (L"-OALVAtoPA(pa = 0x%x)/r/n", pa));
    return pa;
}

位于PLATFORM/SMDK2440A/Src/Bootloader/Eboot/util.s汇编中
    INCLUDE kxarm.h

PHY_RAM_START    EQU    0x30000000
VIR_RAM_START    EQU    0x8c000000

    TEXTAREA

    LEAF_ENTRY Launch

    ldr    r2, = PhysicalStart //获得PhysicalStart虚拟地址值,在8c038000~范围,可在boot.bib中看到eboot的编译地址[luther.gliethttp]
    ldr     r3, = (VIR_RAM_START - PHY_RAM_START)//计算虚拟地址和物理地址的差值

    sub     r2, r2, r3 //计算虚拟地址PhysicalStart对应的物理地址值[luther.gliethttp]

    mov     r1, #0x0070             ; Disable MMU
    mcr     p15, 0, r1, c1, c0, 0   //禁用MMU
    nop
    mov     pc, r2                  ; Jump to PStart//MMU禁止,所以跳转到PhysicalStart对应的物理地址继续执行[luther.gliethttp]
    nop

    ; MMU & caches now disabled.

PhysicalStart

    mov     r2, #0
    mcr     p15, 0, r2, c8, c7, 0   ; Flush the TLB
    mov     pc, r0            ; Jump to program we are launching. //跳转到dwLaunchAddr登陆地址,之后的进一步内核解压加载等工作就完全由ce内核自身封闭完成了[luther.gliethttp]

你可能感兴趣的:(CE5.0 - eboot烧写NK.nb0的详细流程)