Hi Andrey
The only quirk I know is that the emulated part must support SFDP. ROM boot code is very sensitive to SFDP and will halt if there is no response to SFDP commands.
Just adding --em100 worked for me. What does em100 in trace mode show?
Example follows:
TIMESTAMP(s) CNT CMD ADDRESS DATA
=============================================================
211.52630792 1 Read SFDP Table(0x5A) 00 00 00 FF 53 46 44 50 00 01 00 FF
211.52631727 2 Read SFDP Table(0x5A) 00 00 08 FF 00 00 01 09 30 00 00 FF
211.52632661 3 Read SFDP Table(0x5A) 00 00 30 FF E5 20 F1 FF FF FF FF 03 29 EB 27 6B 08 3B 27 FF FF FF FF FF FF FF 27 BB FF FF 29 EB 0C 20 10 D8 00 00 00 00
211.52636413 4 Normal Read(0x03) 00 00 10 5A A5 F0 0F
211.52637013 5 Normal Read(0x03) 00 00 14 03 00 04 00 08 02 10 13 00 00 00 00
211.52638149 6 Normal Read(0x03) 00 00 30 F5 02 DC 36 21 42 60 AD B7 B9 C4 C7
211.52639283 7 Fast Read(0x0B) 00 00 40 00 00 00 00 01 00 FE 0E FF 7F 00 00 FF 7F 00 00 FF 7F 00 00 FF 0E FE 0F FF 7F 00 00 FF 7F 00 00 FF 7F 00 00 FF 7F 00 00
211.52642366 8 Fast Read(0x0B) 00 00 80 00 FF FF FF 00 FF FF FF 00 FF F7 7F 00 00 00 00 00 00 00 00 00 00 00 00
211.52644380 9 Fast Read(0x0B) 00 01 00 A1 10 06 00 00 00 FF 00 0F 00 00 C8 65 06 00 00 00 00 00 00 04 03 60 00 00 00 10 00 B2 00 00 00 07 50 00 00 3C 00 00 00 00 00 00 00 04 15 05 00 00 40 00 00 00 00 00 00 00 58 00 00 00 00 00 00
211.52649076 10 Fast Read(0x0B) 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00
211.92804439 11 Read SFDP Table(0x5A) 00 00 00 FF 53 46 44 50 00 01 00 FF
211.92805376 12 Read SFDP Table(0x5A) 00 00 08 FF 00 00 01 09 30 00 00 FF
211.92806310 13 Read SFDP Table(0x5A) 00 00 30 FF E5 20 F1 FF FF FF FF 03 29 EB 27 6B 08 3B 27 FF FF FF FF FF FF FF 27 BB FF FF 29 EB 0C 20 10 D8 00 00 00 00
211.92810061 14 Normal Read(0x03) 00 00 10 5A A5 F0 0F
211.92810658 15 Normal Read(0x03) 00 00 14 03 00 04 00 08 02 10 13 00 00 00 00
211.92811794 16 Normal Read(0x03) 00 00 30 F5 02 DC 36 21 42 60 AD B7 B9 C4 C7
211.92812932 17 Fast Read(0x0B) 00 00 40 00 00 00 00 01 00 FE 0E FF 7F 00 00 FF 7F 00 00 FF 7F 00 00 FF 0E FE 0F FF 7F 00 00 FF 7F 00 00 FF 7F 00 00 FF 7F 00 00
211.92816019 18 Fast Read(0x0B) 00 00 80 00 FF FF FF 00 FF FF FF 00 FF F7 7F 00 00 00 00 00 00 00 00 00 00 00 00
211.92818029 19 Fast Read(0x0B) 00 01 00 A1 10 06 00 00 00 FF 00 0F 00 00 C8 65 06 00 00 00 00 00 00 04 03 60 00 00 00 10 00 B2 00 00 00 07 50 00 00 3C 00 00 00 00 00 00 00 04 15 05 00 00 40 00 00 00 00 00 00 00 58 00 00 00 00 00 00
211.92822731 20 Fast Read(0x0B) 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00
212.00523997 21 Quad IO Read(0xEB) 00 10 00 55 00 00 0D 00 01 00 00 00 00 00 00 00 00 00 03 00 00 00 02 00 54 04 09 00 00 00 00 00 00 00 00 00 00 00 0A 00 00 00 00 02 00 00 10 00 00 00 05 00 00 00 00 80 13 00 00 C0 10 00 01 00 00 00 00 50
212.00525360 22 Quad IO Read(0xEB) 00 10 40 50 00 00 00 A0 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 0D 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 F0 01 00 00 B0 05 00 11 00 00 00 10 02 00 00 08 01 00 00 00 00 00 00 00 10 00 00 00 40
/* more Quad IO Reads follow but stop after the 150th command */
Looks like the discovery (0x5A) works; it continues reading the firmware descriptor part using Fast Read(0x0B) and then starts reading the BIOS region at address 0x001000 using Quad IO Read(0xEB). But the data returned by the first Quad IO Read (CNT 21) seems to be shifted by one byte. The emulator returns 0x55 0x00 0x00... but should return 0xAA 0x55 0x00..., as in the hexdump:
hexdump bios.rom -s 0x1000 -Cn 128
00001000  aa 55 00 00 0d 00 01 00  00 00 00 00 00 00 00 00  |.U..............|
00001010  03 00 00 00 02 00 54 04  09 00 00 00 00 00 00 00  |......T.........|
00001020  00 00 00 00 0a 00 00 00  00 02 00 00 10 00 00 00  |................|
00001030  05 00 00 00 00 80 13 00  00 c0 10 00 01 00 00 00  |................|
00001040  00 50 00 00 00 a0 00 00  0c 00 00 00 00 00 00 00  |.P..............|
00001050  00 00 00 00 0d 00 00 00  00 00 00 00 00 00 00 00  |................|
00001060  02 00 00 00 00 f0 01 00  00 b0 05 00 11 00 00 00  |................|
00001070  10 02 00 00 08 01 00 00  00 00 00 00 00 10 00 00  |................|
Is there a way to disable Quad IO Read(0xEB) from the flash descriptor region?
Many thanks, Urs
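
Added example, not part of the original message and not em100 code: a small Python check that parses one trace record and reports at which byte offset its data matches the ROM image, which automates the comparison of CNT 21 against the hexdump made above. The names parse_record and find_shift are hypothetical, the 3-byte address field is an assumption taken from the trace layout, and the sample input is CNT 21 cut to its first 24 data bytes plus the first 32 bytes of the hexdump.

```python
import re

# One em100 trace record: TIMESTAMP CNT CMD(opcode) ADDRESS DATA...
RECORD = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<cnt>\d+)\s+(?P<cmd>.+?)"
    r"\((?P<op>0x[0-9A-Fa-f]{2})\)\s+(?P<hex>(?:[0-9A-Fa-f]{2}\s*)+)$"
)

def parse_record(line):
    """Split a trace line into count, command, opcode, address and data."""
    m = RECORD.match(line)
    if m is None:
        raise ValueError(f"not a trace record: {line!r}")
    raw = bytes.fromhex(m["hex"])
    if len(raw) < 4:
        raise ValueError("record has no data bytes after the address")
    # Assumption: the first three bytes are a 24-bit address, as in the trace.
    return {"cnt": int(m["cnt"]), "cmd": m["cmd"].strip(),
            "opcode": int(m["op"], 16),
            "address": int.from_bytes(raw[:3], "big"), "data": raw[3:]}

def find_shift(image, address, data, max_shift=4):
    """Return the byte offset at which `data` matches `image` near `address`.

    0 means the emulator answered with the bytes stored at `address`;
    +1 means the answer starts one byte late; None means no match in range.
    """
    # Try 0 first, then +1, -1, +2, -2, ... so the smallest shift wins.
    for shift in sorted(range(-max_shift, max_shift + 1),
                        key=lambda s: (abs(s), s < 0)):
        start = address + shift
        if start >= 0 and image[start:start + len(data)] == data:
            return shift
    return None

# Constructed sample input: record CNT 21 from the trace (first 24 data
# bytes) and the first 32 bytes of the hexdump, padded with 0xFF below 0x1000.
TRACE_CNT21 = ("212.00523997 21 Quad IO Read(0xEB) 00 10 00 55 00 00 0D 00 01 "
               "00 00 00 00 00 00 00 00 00 03 00 00 00 02 00 54 04 09")
IMAGE = b"\xff" * 0x1000 + bytes.fromhex(
    "aa 55 00 00 0d 00 01 00 00 00 00 00 00 00 00 00"
    "03 00 00 00 02 00 54 04 09 00 00 00 00 00 00 00")

if __name__ == "__main__":
    rec = parse_record(TRACE_CNT21)
    shift = find_shift(IMAGE, rec["address"], rec["data"])
    print(f"CNT {rec['cnt']} {rec['cmd']} @0x{rec['address']:06X}: shift={shift}")
```

Running the same check over every record of a full trace against the real bios.rom shows whether the offset is specific to one command type or present for all reads.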