Skip to content

Instantly share code, notes, and snippets.

@bri3d
Created February 5, 2021 14:52
Show Gist options
  • Save bri3d/5429c0b25346a0830c01042e77d6914c to your computer and use it in GitHub Desktop.
Save bri3d/5429c0b25346a0830c01042e77d6914c to your computer and use it in GitHub Desktop.
Getting TriCore qemu + gdb working!

Getting QEMU

The mainline release of QEMU includes working simulation of Tricore. Both TC1.3 and TC1.6 CPU instruction sets are supported. No peripherals are implemented.

However, the mainline QEMU's "triboard" based machine specification is insufficient for most ECU use cases as it does not define the correct memory regions or aliasing.

I have an example of setup for Simos18 here: https://github.com/bri3d/qemu/tree/tricore-simos18 . The kernel load code (and constants) as well as the hardcoded entry point are actually unnecessary with the use of the QEMU "loader" device, documented below.

So, to get started, first we simply build QEMU for Tricore: ./configure --target-list=tricore-softmmu && make . You should now have a qemu-system-tricore binary, provided your dependencies were set up correctly (the QEMU documentation is good for this).

Next, we want to start QEMU in "single-step" mode (which tells the code generator not to group instructions), with the debugger ON, and the CPU halted. We can use the loader plugin to add whichever flash segments we would like at whichever addresses we would like as well. Here's an example of loading the Calibration block and SBOOT for Simos18, which I used while understanding how the RSA process constructs the data being signed.

../qemu/build/qemu-system-tricore -machine tricore_s18 -kernel simos18_flash.bin.sboot -device loader,file=simos18_flash.bin.cal,addr=0x80800000 -singlestep -s -S

Getting GDB

Tricore GDBs seem hard to come by - it seems that Hightec have removed GDB from their free toolchain. For this, I simply used this mysterious GitHub project: https://github.com/Gigallith/gdb-tricore . It compiled right up without any fuss using ./configure --disable-werror --target=tricore for me and produced a gdb/gdb binary with Tricore target support.

Hooking it all up, nuances, etc.

OK, so we have a running qemu waiting on a gdb connection - we can connect to it easily by firing up gdb and running target remote localhost:1234 . Intuitively, we want to just set $pc to the code we wish to inspect and let it run wild, but there's a catch:

Experienced TriCore engineers will remember that Tricore operates using "context states," used for task switching, and that the low registers are usually used as global offset registers (a0, a8, a9 etc.). And, sure enough, we need to configure this Context Store system before we can issue a call or ret instruction - otherwise, qemu will correctly emulate the "unconfigured context system" traps and jump into somewhere you don't expect in your trap vector table, instead of issuing a call/ret.

The easy way to do this is to simply jump through the initialization code for whatever task you'd like to debug. In the case of Simos18 SBOOT, this looks like:

set $pc=0x80007672
break *0x80007862
continue

Once we have the context registers and globals configured correctly, we're ready to jump into whatever code we'd like, using set $pc= and break .

Ghidra

And yes, you can point Ghidra's Debugger branch at this Tricore GDB and have Tricore debugging in Ghidra. A totally free and open source Tricore debug toolchain - pretty cool!

@NoMore201
Copy link

Interesting, I will have a look at it. It's a pity that all this efforts are hidden in the corners of Github, it would be great to collect all this information in a single place.

@allen-c
Copy link

allen-c commented Jun 30, 2023

Sadly,I find tricore-gdb on https://github.com/volumit don't support tricore 1.6.2.

@juanjqh
Copy link

juanjqh commented Oct 11, 2023

If anyone needs it, I took tricore architecture support code from https://github.com/Gigallith/gdb-tricore and merged it into a patch that can be applied to latest GDB 11.2. There is also a PKGBUILD to compile it under the MSYS2 environment. Not sure how licensing works in this case, but the original tricore contribution is licensed under the GPL so there should be no problem in reusing it.

https://github.com/NoMore201/tricore-tools

Hi! This repo not found, any issue?

@NoMore201
Copy link

If anyone needs it, I took tricore architecture support code from https://github.com/Gigallith/gdb-tricore and merged it into a patch that can be applied to latest GDB 11.2. There is also a PKGBUILD to compile it under the MSYS2 environment. Not sure how licensing works in this case, but the original tricore contribution is licensed under the GPL so there should be no problem in reusing it.
https://github.com/NoMore201/tricore-tools

Hi! This repo not found, any issue?

Sorry I removed it by mistake, I uploaded it again, you can find it here: NoMore201/tricore-gdb

@Spitgranger
Copy link

If anyone needs it, I took tricore architecture support code from https://github.com/Gigallith/gdb-tricore and merged it into a patch that can be applied to latest GDB 11.2. There is also a PKGBUILD to compile it under the MSYS2 environment. Not sure how licensing works in this case, but the original tricore contribution is licensed under the GPL so there should be no problem in reusing it.
https://github.com/NoMore201/tricore-tools

Hi! This repo not found, any issue?

Sorry I removed it by mistake, I uploaded it again, you can find it here: NoMore201/tricore-gdb

I am trying to compile in MSYS2, pacmac doesn't seem to be able to find mingw-w64-x86_64-libssp. Cannot seem to find this package anywhere. Any insights?

@NoMore201
Copy link

Seems like MSYS2 completely removed the libssp package, and it removed the dependency from GDB between 12.1 and 13. This is the commit that removes the dependency. I'll try to remove the dependecy or upgrade gdb to latest version to match MSYS2 state.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment