Embedded Systems Consultant

Implementing jump function – STM32 vs Aurix TriCore

embedded systems consultant
Table Of Contents
  1. Overview
  2. Vector-Table-Based Jump – STM32
  3. Direct Jump – Aurix Tricore TC27x
  4. References

Overview

In embedded C, a “jump” typically refers to transferring program execution to another point in code outside of the normal sequential flow (common in bootloaders or multi-image firmware). This article will focus on implementing jump function from bootloader to application in the context of STM32 and Aurix TriCore microcontrollers.

A jump requires two parameters to work:

  • The program counter (PC) that points to address in Flash memory of the code to jump to (Application).
  • The stack pointer (SP) that points to address in RAM where the Application code will be loaded.

The implementation of the jump may differ from an MCU to another since it depends on CPU architecture and the compiler toolchain. This article will discuss two common ways:

  • Vector-Table-Based Jump (used in STM32 MCUs)
  • Direct Jump (Used in some Aurix TriCore MCUs)

Vector-Table-Based Jump – STM32

Vector Table overview

To jump from bootloader to application in STM32, the CPU needs to find the App’s PC and SP. These two parameters reside in a vector table located at beginning of each firmware. Then the linker script tells the compiler where and how to put this vector table in the image so it’s flashed identically in Flash memory.

The vector table is defined in “startup_xxx.s” file available in “workspace/project/core/Startup/startup_stm32l552xx.s” (Path from STM32CubeIDE):

Ingénieur systèmes embarqués
Figure 1: STM32 Vector Table
Ingénieur bootloader
Figure 2: Specifying Vector Table location in STM32 Linker script

Note that a section for the vector table is defined as “.isr_vector” in the startup file as shown in figure 1. And the vector table content is defined with “g_pfnVectors” symbole in the same section.

The “_estack” and “Reset_Handler” in g_pfnVectors refer respectively to the SP and PC.

Reset vs Jump

On power-on reset, the STM32 CPU automatically:

  1. Reads the first word of the vector table (at the reset address, e.g. 0x08000000).
  2. Loads that value into MSP (Main Stack Pointer).
  3. Reads the second word of the vector table and sets PC (Program Counter) to that value (jump to Reset_Handler).

In manual jump (from a bootloader), the CPU does not reload MSP automatically:

  1. The CPU may keep a valid MSP value from the bootloader if it’s the same as App.
  2. Or, it can be retrieved from first word and specified in a dedicated call __set_MSP().

Implementing jump function in C

After firmware compilation, the SP and PC will be placed in the first two words of the firmware binary. So in order to jump to Application, the PC address needs to be specified in a function pointer.

Since the PC address is placed in the second word of the app image, the function pointer shall retrieve the PC address then jump to it. For example considering layout below:

  • Bootloader start address = 0x08000000
  • Application start address = 0x08010000

The PC address is to be collected from 0x08010004 before jumping to it. In C this can be summarized in snippet below:

// 1. Define a function pointer to application reset handler
void (*app_reset_handler)(void);

// 2. Load reset handler address (second word of image)
app_reset_handler = (void*)(*(volatile uint32_t*)(0x08010000 + 4));

// 3. Load stack pointer address (first word of image) 
__set_MSP(*(volatile uint32_t*)0x08010000);

// 4. Jump to application (branch)
app_reset_handler();

Figure 3 shows a debug screenshot where the PC address value is 0x08011D6D (6D1D0108 in little endian). This is the address where application code instructions start and to which the CPU shall jump.

embedded systems engineer
Figure 3: Debugging jump in STM32

Direct Jump – Aurix Tricore TC27x

Reset vs Jump

Unlike STM32, Aurix Tricore MCUs don’t have specific vector table hard-coded on a fixed flash address to set SP and PC.

On reset, the Startup Software (BootROM code) is executed. SSW evaluates sequentially up to four Boot Mode Headers BMHD0-to-BMHD3. The SSW performs then a jump to the user code if its corresponding BMHD is valid. The SSW retrieves the user code start address from the first field “STADABM” in the BMHD. BMHDs location for TC27x series are provided in linker script, while their contents are provided in an AURIX iLLD/Tasking startup module IfxCpu_CStart0.src. To override BMHDs whith specific ones it’s recommended to do so in a specific section in C code in the project and avoid editing the shared lib directly.

bootloader training
Figure 4: Boot Mode Headers (BMHD)
formation bootloader
Figure 5: Boot Mode Headers in memory

When jumping to an application from bootloader:

  1. The jump can be performed directly to application start address code, not to a raw vector table.
  2. The PC address can be specified directly in the function pointer to point to App start address.
  3. The SP is set by software during startup in A10 register in reset. After the jump the SP keeps the same value before leaving bootloader.

Implementing jump function in C

The jump implementation for Aurix TriCore MCUs is straightforward. The BMHDs are only needed in first user firmware which is the bootloader in this article’s case. So they can be removed from application using its linker script to allow application code to take over the flash from the start address. The example below shows a jump for the layout:

  • Bootloader start address = 0x80000000
  • App start address = 0x80040000
#define APP_START_ADDR   (0x80040000u)

/*Defining the function pointer */
typedef void (*app_entry_t)(void);

/* Setting the PC address */
app_entry_t entry = (app_entry_t)(APP_START_ADDR);
entry(); /* Jump into application reset handler */
bootloader engineer
Figure 6: Debugging jump function in Aurix TriCore

References

Latest Posts

Categories

Trainings

E-Learning

Leave a Reply

Your email address will not be published. Required fields are marked *