Code dump
Key instruction encodings verified from TI SPRU172C doc, corrects emulator bugs
./hack.patch
# DIAGNOSTIC HACK: force-clear INTM at insn=$CALYPSO_FORCE_INTM_CLEAR_AT
#
# Purpose: discriminate the catch-22 hypothesis (DSP can't clear INTM
# because the path that does is unreachable while INTM=1).
#
# Apply : patch -p1 -d /home/nirvana/qemu-src < hack.patch
# Revert : patch -p1 -R -d /home/nirvana/qemu-src < hack.patch
#
# After apply, set CALYPSO_FORCE_INTM_CLEAR_AT=<N> to enable. Disabled
# by default (env var unset → no-op).
#
# Tracked in hw/arm/calypso/doc/TODO.md "DIAGNOSTIC HACK" section.
# MUST be reverted once the real RSBX INTM path is identified.
--- a/hw/arm/calypso/calypso_c54x.c
+++ b/hw/arm/calypso/calypso_c54x.c
@@ -3905,6 +3905,38 @@
s->cycles++;
s->insn_count++;
+ /* === DIAGNOSTIC HACK — TEMPORARY — REMOVE ASAP ===
+ * Force-clear INTM at insn_count = $CALYPSO_FORCE_INTM_CLEAR_AT.
+ * Discriminates the catch-22 hypothesis: if clearing INTM here
+ * unblocks the FB-det path (RETED ≥1, d_fb_det written, FB1/FB2
+ * print), the root cause is "boot init never executes RSBX INTM";
+ * then we hunt the missing path (α/β/γ). If no change → INTM is
+ * not the only blocker.
+ *
+ * Documented in hw/arm/calypso/doc/TODO.md "DIAGNOSTIC HACK" —
+ * MUST BE REMOVED once the real RSBX path is identified.
+ * Disabled by default (env var unset). */
+ {
+ static int hack_at = -2;
+ static int hack_done = 0;
+ if (hack_at == -2) {
+ const char *e = getenv("CALYPSO_FORCE_INTM_CLEAR_AT");
+ hack_at = e ? atoi(e) : -1;
+ if (hack_at > 0)
+ C54_LOG("DIAG-HACK armed: will clear INTM at insn=%d", hack_at);
+ }
+ if (hack_at > 0 && !hack_done && (uint32_t)hack_at == s->insn_count) {
+ if (s->st1 & ST1_INTM) {
+ s->st1 &= ~ST1_INTM;
+ C54_LOG("DIAG-HACK *** FORCE-INTM-CLEAR *** at insn=%u PC=0x%04x ST1=0x%04x (was INTM=1)",
+ s->insn_count, s->pc, s->st1);
+ } else {
+ C54_LOG("DIAG-HACK at insn=%u: INTM already 0, no-op", s->insn_count);
+ }
+ hack_done = 1;
+ }
+ }
+
/* One-shot diagnostic at boot+: dump 0xB900 vector table
* (the relocated table the firmware should use if it sets
* IPTR=0x172) plus DSP runtime state. Helps diagnose why the./diff_pending_uncommitted.patch
diff --git a/hw/arm/calypso/calypso_sim.c b/hw/arm/calypso/calypso_sim.c
index e7097c3..91b4db0 100644
--- a/hw/arm/calypso/calypso_sim.c
+++ b/hw/arm/calypso/calypso_sim.c
@@ -543,9 +543,29 @@ uint16_t calypso_sim_reg_read(CalypsoSim *s, hwaddr off)
case CALYPSO_SIM_REG_IT: {
refresh_it_rx(s);
uint16_t v = s->it;
- /* Edge bits (NATR/WT/OV/TX) are read-clear; level bit RX stays. */
- s->it &= CALYPSO_SIM_IT_RX;
+ /* Edge bits (NATR/WT/OV/TX) are read-clear; level bit RX stays.
+ *
+ * AUDIT FIX 2026-05-08 night (Claude web Q2 hardening) : was
+ * s->it &= CALYPSO_SIM_IT_RX;
+ * which clears ANY bit set after the snapshot (race with concurrent
+ * fire_wt / IRQ handlers raising new bits). Correct semantic : clear
+ * only edge bits that were observed in `v`, so a bit raised between
+ * snapshot and clear survives. RX bit always preserved (level). */
+ uint16_t edge_seen = v & ~CALYPSO_SIM_IT_RX;
+ s->it &= ~edge_seen;
update_irq(s);
+ /* INSTRUMENTATION 2026-05-08 night : log every SIM_IT read so we can
+ * see what value the firmware FIQ handler at 0x822498 receives in R2.
+ * If we see SIM_IT read=0x0002 (IT_WT) but rxDoneFlag stays 0, the
+ * handler's TST/STR chain is failing. If we see SIM_IT read=0x0000
+ * for the WT entry, the IT_WT bit was cleared before handler arrived
+ * (race or wrong read sequencing). Cap at 30. */
+ static unsigned itrd;
+ if (itrd++ < 30)
+ fprintf(stderr,
+ "[sim] SIM_IT read=0x%04x rx_count=%d edge_cleared=0x%04x "
+ "post_it=0x%04x\n",
+ v, rx_count(s), edge_seen, s->it);
return v;
}
case CALYPSO_SIM_REG_DRX: {
diff --git a/hw/arm/calypso/calypso_trx.c b/hw/arm/calypso/calypso_trx.c
index f149507..375dd3a 100644
--- a/hw/arm/calypso/calypso_trx.c
+++ b/hw/arm/calypso/calypso_trx.c
@@ -897,7 +897,22 @@ static void calypso_tdma_start(CalypsoTRX *s)
* (fixed in calypso_uart.c same session), not this kick timer.
*/
static QEMUTimer *g_kick_timer;
-static void calypso_kick_cb(void *o){CPUState*cpu=first_cpu;if(cpu)cpu_exit(cpu);qemu_notify_event();timer_mod_ns(g_kick_timer,qemu_clock_get_ns(QEMU_CLOCK_REALTIME)+5000000);}
+static void calypso_kick_cb(void *o){
+ /* AUDIT INSTRUMENTATION 2026-05-08 night : confirm kick fires under
+ * -icount auto. Per Claude web : if 0 hits in 5s wall → REALTIME timer
+ * not armed correctly with icount. If N≈1000 hits/5s (5ms period) →
+ * timer fires but cpu_exit/notify don't propagate to scheduler. */
+ static unsigned kick_n;
+ kick_n++;
+ if (kick_n <= 30 || (kick_n % 200) == 0) {
+ uint64_t vt = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+ uint64_t rt = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
+ fprintf(stderr, "[kick] fire #%u vt=%lu rt=%lu\n",
+ kick_n, (unsigned long)vt, (unsigned long)rt);
+ }
+ CPUState*cpu=first_cpu;if(cpu)cpu_exit(cpu);qemu_notify_event();
+ timer_mod_ns(g_kick_timer,qemu_clock_get_ns(QEMU_CLOCK_REALTIME)+5000000);
+}
/* ---- Sercomm burst transport (DLCI 4) ---- */
./RUN_SNAPSHOT_2026-05-08.md
Run snapshot — 2026-05-08, after rsl_si_tap.py + BCCH_INJECT purge
Process state
QEMU PID 38836 alive ~2m45s uptime
osmo-bts-trx PID 38906 alive no shutdown (period=51 OK)
bridge.py PID 38889 alive
mobile PID 38945 alive (stuck cell-search)
osmocon PID 38872 alive
osmo-bsc/msc/hlr/mgw/stp/ggsn/sgsn/pcu alive
tcpdump PID 38947 -i any → /root/mobile-gsmtap.pcapEffective env (from /proc/$QEMU_PID/environ)
BRIDGE_CLK_FROM_QEMU=0 (default — wall-paced)
BRIDGE_CLK_PERIOD=51 (default — BTS-friendly)
BRIDGE_UL_FN_REWRITE=0 (shell residue — passthrough qfn)
CALYPSO_FBSB_SYNTH=1 (synth FB/SB still on)
CALYPSO_W1C_LATCH=0
CALYPSO_NDB_D_RACH_OFFSET=0x023a
CALYPSO_RACH_FORCE_BSIC=7
CALYPSO_DSP_FBDET_SKIP=1
CALYPSO_DSP_IDLE_FF=1
CALYPSO_ICOUNT=off
CALYPSO_BSP_DARAM_ADDR=0x3fb0
CALYPSO_DSP_ROM=/opt/GSM/calypso_dsp.txtNO CALYPSO_BCCH_INJECT. NO CALYPSO_SI_MMAP_PATH. Purge confirmed.
Bridge stats — most recent
tick=11942 clk=528 dl=214998 ul=2 ul_rewrite=0 ul_slot_in/off=1/1
wall_fn=26925 qfn=12143
ratio qfn/wall_fn = 0.451 — QEMU runs ~2.2× slower than wall215k DL bursts forwarded since POWERON, only 2 UL (both boot artifacts).
BTS state — VTY counters
NM State: Oper 'Enabled', Admin 'Unlocked', Avail 'OK'
OML Link state: connected.
Received paging requests (Abis): 0
Received RACH requests (Um): 0 ← no RACH ever decoded
Dropped RACH requests (Um): 0
Received AGCH requests (Abis): 0BTS scheduler — recent CLK Ind log
DTRX INFO Clock indication: fn=20451
DL1C INFO TRX Clock Ind: elapsed_us= 235341, elapsed_fn= 51, error_us= -24
DL1C INFO GSM clock jitter: -192us (elapsed_fn=0)error_us ±2000us range — well inside skew tolerance, no shutdown risk.
Mobile state — log content
Mobile '1' initialized, please start phone now!
Available via telnet 127.0.0.1 4247
gsm322.c:2929 using DSC of 90 (×20 in stuck cell-search loop)0× MM_EVENT_NO_CELL_FOUND
0× RANDOM ACCESS
0× MON
0× CGI=
0× RR_EST_REQ
20× "using DSC of 90"Mobile doesn’t even reach the “no cell found” event yet — stuck earlier in the cell-search state machine. Probably still in initial DSC ramp.
CRITICAL FINDING — BSP RX FN delta growing unbounded
Recent BSP DL receive trace from qemu.log :
[BSP] RX tn=0 fn=26803 cur_fn=12109 delta=14694
[BSP] RX tn=0 fn=26928 cur_fn=12143 delta=14785
[BSP] RX tn=0 fn=27053 cur_fn=12170 delta=14883
[BSP] RX tn=0 fn=27178 cur_fn=12212 delta=14966
[BSP] RX tn=0 fn=27303 cur_fn=12275 delta=15028
[BSP] RX tn=0 fn=27428 cur_fn=12337 delta=15091delta = bts_fn - qfn is monotonically growing (14694 → 15091 over a few seconds) because BTS scheduler runs at wall-clock rate and QEMU at ~half wall.
BSP_FN_MATCH_WINDOW = 64 (constant in calypso_bsp.c).
delta = ~15000 ≫ 64 ⇒ every DL burst is outside the match window.
This is the actual root blocker for DL. The DSP CCCH demod doesn’t fail to converge — it never receives the bursts in the first place because BSP rejects them at the FN match check.
The hack BCCH_INJECT masked this by writing a_cd[] directly without needing BSP→DSP DMA at all. Now that the hack is gone, the FN mismatch is exposed.
DSP execution profile (qemu.log)
PC HIST insn=2018009060 top:
cc62:166667 cc63:166667 cc65:166667 cc66:166667 cc67:166667
cc68:166667 cc69:166667 cc6f:166667 cc6a:166666 cc6b:166666
cc6d:166666 cc6e:166666DSP spends 100% of its time in PC range 0xCC62..0xCC6F = the idle dispatcher polling loop in PROM0. Never enters fb-det, never enters CCCH demod. Consistent with the BSP-blocks-all-DL finding above.
DARAM RD HIST (FB-det, reads=1.6e9):
0062:5.0e8 ← top read (5x more than any other)
1f00:5.0e8 ← d_fb_det polling
1f0c:5.0e8 ← d_fb_mode polling
3dd2:9.3e7
0078:9.7e6DSP polls 0062, 1f00, 1f0c heavily — these are the fb-det / a_sync / d_fb_det cells the dispatcher checks to decide whether to dispatch to a real handler. They’re never set (no real burst processing) so DSP stays in poll loop.
DSP_TASK_ALLC firing from ARM L1 (qemu.log)
[calypso-fbsb] on_dsp_task_change task=24 fn=12217 state=6
[calypso-fbsb] on_dsp_task_change task=24 fn=12218 state=6
... (firing every frame after FBSB synth)ARM L1 IS writing d_task_md=24 (DSP_TASK_ALLC) to ask DSP for CCCH demod. The QEMU hook fires correctly. But DSP never executes CCCH demod because : - DSP idle dispatcher polls task slots - task slots get the value, but DSP routine for CCCH demod expects bursts in DARAM via BSP DMA - BSP DMA never delivers (FN mismatch above)
state=6 is the FBSB state machine post-FBSB-synth (FBSB_FB1_FOUND or similar — done with FBSB).
TDMA tick health (qemu.log)
[tdma-skip] fn=12200 skipped=1 work_dt=9174294
[tdma-skip] fn=12300 skipped=1 work_dt=8588146TDMA tick is occasionally skipping frames because work duration (~9ms) exceeds GSM_TDMA_NS (4.615ms). Host load issue. Not the primary blocker but contributes to qfn lag widening.
fw-console UART overflow (qemu.log)
LOST count: 7812
[fw-console] LOST 3893!
[fw-console] LOST 3729!
[fw-console] LOST 3754!ARM firmware UART sercomm buffer overflows under stderr write pressure. Known issue (review point #9 — stderr in real-time path).
GSMTAP capture (1213 packets in pcap)
All packets are BTS-side (clock IND telemetry, RSL RF RESource IND, mobile “DSC of 90” chatter). NO RACH, NO IMM_ASS, NO BCCH SI exchange. Confirms DL chain dead.
UDP socket map
QEMU 127.0.0.1:6702 recv-q=15360 (≈100 bursts queued, BSP backed up)
bridge 127.0.0.1:5700 CLK ← BTS:5800
bridge 127.0.0.1:5701 TRXC ↔ BTS:5801
bridge 127.0.0.1:5702 TRXD ↔ BTS:5802
osmo-bts-trx 127.0.0.1:5800 ESTAB peer 5700
osmo-bts-trx 127.0.0.1:5801 ESTAB peer 5701
osmo-bts-trx 127.0.0.1:5802 ESTAB peer 5702
mobile 172.20.0.11 → 172.20.0.1:4729 (GSMTAP)
osmo-bts-trx 172.20.0.11 → 172.20.0.1:4729 (GSMTAP)Recv-Q=15360 on QEMU 6702 = bridge sending DL faster than QEMU drains (BSP processes bursts at qfn rate). Not packet loss yet but consistent with FN-overflow pattern.
Files state
md5 bridge.py 972b38accea7f4a24f38cd167c1d5e3c
md5 run_si.sh 8af74418b33068e5e5263b7167ab46c9
md5 CLAUDE.md 569e2051be9491124144389feb9638bb
md5 README.md 4bb9c38a25c7713957370caadff4e0ba
md5 DIAG_FOR_CLAUDE_WEB.md 7bfa047b02e8166befe51f5d2c274741
md5 hw/arm/calypso/calypso_fbsb.c 4c7a7d2a48bfa0acd0e935df05a483a3
md5 hw/arm/calypso/calypso_bsp.c 3f6dc13a9a6ffb2aae991af8fe7c3518
md5 hw/arm/calypso/calypso_trx.c 33bd5af22c37f3a0d096d0f05133b170scripts/rsl_si_tap.py deleted. /dev/shm/calypso_si.bin absent.
Resolution applied (2026-05-08 evening)
Option A — slot-aware DL FN rewrite implemented in bridge.py.
New env vars in run_si.sh : - BRIDGE_DL_FN_REWRITE — slot (default), naive, off - BRIDGE_DL_FN_LOOKAHEAD — default 32 (half of BSP_FN_MATCH_WINDOW=64)
Algorithm (O(1)) :
def dl_slot_aware_qfn(bts_fn, current_qfn, lookahead):
target_mod = bts_fn % 51
delta = (target_mod - (current_qfn % 51)) % 51
if delta > lookahead:
return None # drop, BCCH repeats
return current_qfn + deltaPreserves (FN % 51) so DSP demod still types BCCH/CCCH/SDCCH correctly. Drops bursts whose target slot is more than lookahead frames ahead — BCCH repeats every 51 frames so missed slots get re-presented.
Stats counters added : - dl_rewrite — number of DL bursts FN-rewritten - dl_drop_no_slot — number of DL bursts dropped because no qfn within lookahead matches the target % 51
Expected post-fix observation in qemu.log : - [BSP] RX delta should drop from ~15000 to 0..lookahead - [c54x] PC HIST should leave the 0xCC62..0xCC6F idle dispatcher - [c54x] DARAM RD HIST should show non-zero reads on a_cd[] addresses - mobile.log should show New SYSTEM INFORMATION 3 (lai=001-01-1) and MON CGI=001-01-1-888
Original diagnosis
The actual blocker is NOT “DSP CCCH demod doesn’t converge”. It is :
BSP DL queue rejects 100% of bursts due to FN mismatch.
delta = bts_fn - qfn ≈ 15000whileBSP_FN_MATCH_WINDOW = 64.
The DSP demod path was never even reached. The hack BCCH_INJECT masked this by feeding a_cd[] directly. Now without the hack, the asymmetric clock domains (wall-paced BTS, qfn-paced QEMU/BSP) make all DL bursts land outside the BSP acceptance window.
Two viable fixes
A. DL FN rewrite at bridge (symmetric to the UL rewrite work) : - Bridge currently forwards DL bts_fn unchanged to QEMU - Add a BRIDGE_DL_FN_REWRITE mode that rewrites bts_fn → qfn + ε so the burst lands inside QEMU’s BSP match window - Need to preserve slot-modulo (BCCH/AGCH/SDCCH slot identity within 51-multiframe) — not just any qfn, but the next qfn whose % 51 matches bts_fn % 51 - ~30 lines Python, env-gated, preserves wall-paced CLK IND for BTS
B. Widen BSP_FN_MATCH_WINDOW : - Set BSP_FN_MATCH_WINDOW = max_observed_delta + margin (so ~16384) - Trivial 1-line change in calypso_bsp.c - Risk : BSP queue may grow unbounded, deliveries far in the past - Less clean than (A) but valid as a probe
Test plan
- Apply (A) or (B). Confirm
cur_fncatches up with bursts via[BSP] RX deltalog → delta should drop to 0..few-frames. - Watch for first DSP CCCH demod attempt (PC moves out of
0xCC62..0xCC6F). - Watch for
a_cd[]write from DSP side. - Mobile log : expect SI 1/2/3/4 reception, then
MON CGI=001-01-1-888. - Then UL chain (RACH/IMM_ASS) becomes testable for the first time on the legitimate path.
If (A)/(B) doesn’t unlock CCCH
Then the real DSP CCCH demod implementation in calypso_c54x.c is broken on the actual GMSK soft bits. Possible candidates : - Channel-coding inverse (deinterleaver, FIRE check) - Soft-bit polarity convention DSP-side - DARAM addr/word-size assumption mismatch
But fix (A) or (B) FIRST — without bursts reaching DSP, nothing else can be diagnosed.
./AUDIT_DECODER_20260508.md
Audit décodeur c54x — 2026-05-08 night
Audit systématique post-fixes-#1-#2 (0x76 ST + faux LMS F2/F3) demandé par Claude web : “1-2h max, mécanique, grep chaque if (hi8 == 0x??) et confronter à binutils tic54x-opc.c.”
Résultat après ~30 min de pass : au moins 11 bugs supplémentaires identifiés. Audit non-exhaustif (focus sur 0x80-0x9F + 0xE4-0xE7). Le reste à faire (0xC0-0xDF parallel ST, 0xF0-0xFF F-class, 0xA0-0xBF MAC family) reste à couvrir.
Format
| op | binutils ground truth | notre handler | gravité |
|---|
Bugs identifiés
| op | binutils | notre handler | gravité |
|---|---|---|---|
| 0x76 | ST #lk, Smem (2-3 mots) | LDM MMR,dst (1 mot) | ✅ FIXÉ session |
| 0xF2/0xF3 (sauf F272/3/4) | unmapped + F3 dispatch (SFTL/AND/OR/XOR/INTR) | faux LMS Xmem,Ymem | ✅ FIXÉ session |
| 0x80 | STL src, Smem (1 mot) | stubbed NOP (“ancienne classification MVDD 2-mot, neutralisé”) | CRITIQUE — silently drops stores |
| 0x8C | ST T, Smem (1 mot) | MVPD pmad,Smem (2 mots, prog→data) | CRITIQUE — MVPD est à 0x7C |
| 0x8E | CMPS Smem,dst (1 mot, bit test) | MVDP Smem,pmad (2 mots, data→prog) | CRITIQUE — MVDP est à 0x7D |
| 0x8F | CMPS Smem,dst (1 mot, bit test) | PORTR PA,Smem (2 mots) | CRITIQUE — PORTR est à 0x7400 |
| 0x94/0x95 | LD Xmem,SHFT,dst (1 mot, load avec shift) | MVDK / MVKD (2 mots, data move) | HAUTE |
| 0x96 | BIT Xmem,BITC (1 mot, set TC bit-test) | MVDP Smem,pmad (2 mots, prog write) | CRITIQUE — fait des prog_write fantômes |
| 0x98/0x99 | STL src, SHFT, Xmem (1 mot, store low) | déclaré STH, écrit (acc>>16) (high) |
CRITIQUE — STL/STH swap, écrit le mauvais demi-acc |
| 0x9A/0x9B | STH src, SHFT, Xmem (1 mot, store high) | déclaré STL, écrit (acc&0xFFFF) (low) |
CRITIQUE — STL/STH swap symétrique |
| 0xE4 | parallel ST OP_SRC,OP_Ymem (mask 0xFC00 FL_PAR) |
BITF Smem,#lk (2 mots) | HAUTE — BITF est à 0x6100 |
Bugs secondaires possibles non vérifiés
- 0xE5 MVDD : correct (vérifié)
- 0xE6 ST parallel : non vérifié notre handler
- 0xE7 MVMM : correct (vérifié)
- 0xC0-0xDF : binutils dit tout ST parallel, ranges multiples — non audité
- 0xF0-0xFF : énorme range (ADD/AND/B/CALL/LD/MAC/etc.), partiellement audité
- 0xA0-0xBF : MAC family (mac/macsu/macr/mas/masr) — non audité
- 0x70-0x7B : MVKD/MVDK/MVDM/MVMD/PORTR/PORTW/MACP/MACD — non audité
Priorités si on applique des fixes
Si firmware actif les utilise (à vérifier par PC HIST grep) : 1. 0x80 stub NOP → STL src, Smem (1 mot) — déblocage si STL src=A version utilisée 2. 0x98/0x99 ↔︎ 0x9A/0x9B swap — fix symétrique (juste échanger les blocs ou inverser le >> 16) 3. 0x8C / 0x8E / 0x8F : refaire complètement les handlers (CMPS bit test ≠ MVPD/MVDP/PORTR) 4. 0x96 : refaire (BIT 1-mot, set TC) au lieu de MVDP fantôme 5. 0x94/0x95 : refaire (LD avec shift) au lieu de MVDK/MVKD
Mise à jour 2026-05-08 night : Tier A appliqué + audit étendu
Per directive Claude web : Tier A = LMS (déjà) + 0x98/9A swap + 0x80 STL + 0x8C ST T. 3 fixes additionnels appliqués (commits inclus dans md5 9f5ffe5c).
Audit poursuivi sur 0x70-0x7B, 0xA0-0xBF, 0xC0-0xDF. Bugs additionnels catalogués (Tier B) :
| op | binutils | notre handler | gravité |
|---|---|---|---|
| 0x81 | STL src,Smem (1w) bit8=src | utilise s->a toujours, ignore bit 8 |
MOYENNE — STL B fait écrire A.low |
| 0x82 | STH src,Smem (1w no shift) | applique ASM shift (faux) | MOYENNE — STH avec shift fantôme |
| 0x83 | STH src,Smem (1w) | WRITA Smem (totalement faux) | HAUTE |
| 0x84 | STL src,ASM,Smem (1w) | READA Smem (faux) | HAUTE |
| 0x85 | STL src,ASM,Smem (1w) | MVPD pmad,Smem (2w faux) | HAUTE |
| 0x86 | STH src,ASM,Smem (1w) | MVDM dmad,MMR (2w faux) | HAUTE |
| 0x87 | STH src,ASM,Smem (1w) | MVMD MMR,dmad (2w faux) | HAUTE |
| 0x8B | POPD Smem (1w) | stubbed NOP | MOYENNE — pop dropped |
| 0x8E | CMPS A,Smem (1w, set TC) | MVDP Smem,pmad (2w faux) | HAUTE |
| 0x8F | CMPS B,Smem (1w, set TC) | PORTR PA,Smem (2w faux) | HAUTE |
| 0x91 | ADD #lk,SHFT,src,dst (2w) | MVKD dmad,Smem (2w faux) | HAUTE |
| 0x70..0x75 | MVKD/MVDK/MVDM/MVMD/PORTR/PORTW (2w each) | AUCUN handler → unimpl | DÉPEND USAGE |
| 0x78..0x7B | MACP/MACD (2w) | aucun handler | DÉPEND USAGE |
| 0x7C/0x7D | MVPD/MVDP (2w) | aucun handler — vrais MVPD/MVDP unimpl | DÉPEND USAGE |
| 0xA0 | ADD Xmem,Ymem,DST (1w 3 ops) | sub-dispatch LD/NEG/ABS/NOT/SAT/SFT | CASCADE RISK |
| 0xA1 | ADD Xmem,Ymem,DST (1w) | AND #lk,16,src ? | CASCADE RISK |
| 0xC0..0xDF | ST | … parallel (mask 0xFC00) |
Total bugs catalogués session 2026-05-08 night : 24 (5 fixés Tier A, 19 restants Tier B).
Limite atteinte
0xA0xx en particulier est profondément différent entre notre handler et binutils : changer ça impacte tout le hot path MAC. Risque “compensation mutuelle” trop élevé pour fixer sans validation runtime des Tier A.
Audit Tier B suspendu jusqu’à validation post-rebuild des fixes Tier A.
Recommandation pour la session
Claude web a dit “pas de patch, instrumentation d’abord” pour les bugs runtime (cascade IMR). Mais ces bugs-ci sont statiquement vérifiés contre binutils : pas besoin de runtime pour confirmer qu’ils sont faux. Toutefois :
- Risque : appliquer 8 fixes d’un coup expose tous les paths cachés. L’effet observable du fix #1 (0x76) avait déjà déplacé le blocker. Le fix #2 (faux LMS) n’a pas encore été testé.
- Stratégie conseillée : valider les 2 fixes appliqués au prochain rebuild (signaux #1-#8 listés dans le report précédent), puis appliquer ces 8 nouveaux fixes en bloc, puis re-tester.
- Alternative agressive : appliquer tout dans un même build (le rebuild prend du temps, mutualiser). Risque de régression silencieuse si plusieurs bugs étaient en compensation mutuelle.
Méthode
Reproductible via :
## Liste des hi8 dispatchés dans le code
grep -nE 'if \(hi8 == 0x[0-9A-Fa-f]+\)' \
hw/arm/calypso/calypso_c54x.c
## Référence binutils
grep -E '"\w+",.*0x[0-9A-Fa-f]{4}, 0xFF00' \
/home/nirvana/gnuarm/src/binutils-2.21.1/opcodes/tic54x-opc.c
## Pour chaque hi8, comparer la meaning du commentaire de notre handler
## avec le mnémonique binutils. Mismatch → bug.L’audit devrait être ré-exécuté périodiquement (pré-merge, pré-release) pour rattraper toute régression.
Question pour Claude web
Audit demandé : 11 bugs trouvés en ~30 min de grep+source-read. 8 sont CRITIQUES (changent l’effet observable du firmware) : 0x80 stub NOP, 0x8C/0x8E/0x8F mauvais opcodes, 0x94-0x96 idem, 0x98-0x9B STL/STH swap.
Stratégie demandée : (a) wait-and-see — rebuild avec les 2 fixes session, valider signaux, puis batcher les 8 audit-fixes (b) all-in — appliquer les 8 audit-fixes maintenant et rebuild une fois pour les 10 bugs total (c) priorisation — fix seulement les 3-4 plus probables d’être hit par le firmware actuellement (0x80, 0x98/9A swap, 0x8C ST T) puis re-test
Quel est ton avis ? Aussi : tu vois quelque chose qui justifierait que les bugs 0x80/0x9x soient des compensations volontaires (genre firmware spécifique qui dépend de la mauvaise sémantique parce qu’historiquement ça avait été testé comme ça) ?
./include/hw/arm/calypso/calypso_spi.h
/*
* calypso_spi.h — Calypso SPI + TWL3025 ABB
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef HW_SSI_CALYPSO_SPI_H
#define HW_SSI_CALYPSO_SPI_H
#include "hw/sysbus.h"
#include "qom/object.h"
#define TYPE_CALYPSO_SPI "calypso-spi"
OBJECT_DECLARE_SIMPLE_TYPE(CalypsoSPIState, CALYPSO_SPI)
struct CalypsoSPIState {
/*< private >*/
SysBusDevice parent_obj;
/*< public >*/
MemoryRegion iomem;
qemu_irq irq;
/* Registers matching real Calypso SPI layout */
uint16_t set1; /* 0x00 SET1 */
uint16_t set2; /* 0x02 SET2 */
uint16_t ctrl; /* 0x04 CTRL */
uint16_t status; /* 0x06 STATUS */
uint16_t tx_data; /* 0x08/0x0A TX_LSB/MSB */
uint16_t rx_data; /* 0x0C/0x0E RX_LSB/MSB */
/* TWL3025 shadow registers (256 possible addresses) */
uint16_t abb_regs[256];
};
/* TWL3025 important register addresses */
#define ABB_VRPCDEV 0x01
#define ABB_VRPCSTS 0x02
#define ABB_VBUCTRL 0x03
#define ABB_VBDR1 0x04
#define ABB_TOGBR1 0x09
#define ABB_TOGBR2 0x0A
#define ABB_AUXLED 0x17
#define ABB_ITSTATREG 0x1B
/* SPI status bits (real Calypso) */
#define SPI_STATUS_RE (1 << 1) /* Ready / transfer complete */
/* Legacy compat */
#define SPI_STATUS_TX_READY SPI_STATUS_RE
#define SPI_STATUS_RX_READY SPI_STATUS_RE
#endif /* HW_SSI_CALYPSO_SPI_H */./include/hw/arm/calypso/calypso_bsp.h
/*
* Calypso BSP/RIF DMA — public interface.
*
* Faithful path for downlink I/Q samples between sercomm_gate (the QEMU
* surrogate of the IOTA RF frontend wired through bridge.py) and the
* Calypso DSP DARAM. No NDB result hacking — the DSP code itself is
* expected to find FB/SB and post results in the NDB.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef HW_ARM_CALYPSO_BSP_H
#define HW_ARM_CALYPSO_BSP_H
#include <stdint.h>
#include <stdbool.h>
struct C54xState;
/*
* Initialise the BSP DMA module. Call once after the C54x has been created.
*
* Two env vars control the DMA destination:
* CALYPSO_BSP_DARAM_ADDR — word address inside DSP data space (hex/dec)
* CALYPSO_BSP_DARAM_LEN — max number of int16 words to copy per burst
*
* When CALYPSO_BSP_DARAM_ADDR is unset/zero the BSP runs in DISCOVERY mode:
* it logs every received burst but writes nothing into DARAM. This lets the
* c54x.c FBDET data-read tracer reveal the real buffer location before we
* lock the address.
*/
void calypso_bsp_init(struct C54xState *dsp);
/*
* Receive a downlink burst.
*
* tn — timeslot number (0..7)
* fn — TDMA frame number
* iq — interleaved int16 I,Q,I,Q,... in DSP-native (host) endianness
* n_int16 — number of int16 elements in iq[] (= 2 * n_complex_samples)
*/
void calypso_bsp_rx_burst(uint8_t tn, uint32_t fn,
const int16_t *iq, int n_int16);
/*
* Transmit an uplink burst — symmetric to rx_burst.
*
* Reads 148 hard bits from the DSP UL buffer (where the L1 firmware
* deposits encoded TX data) and fills bits[148]. Returns true if
* the burst is valid (any non-zero), false otherwise.
*/
bool calypso_bsp_tx_burst(uint8_t tn, uint32_t fn, uint8_t bits[148]);
/* Build a RACH access burst (148 bits) by reading d_rach from NDB and
* channel-encoding it via libosmocoding (gsm0503_rach_ext_encode).
* Returns true if a valid RACH was produced, false if d_rach is zero or
* the encoder failed. Called by calypso_trx.c when ARM L1 commits a
* d_task_ra (RACH access). */
bool calypso_bsp_tx_rach_burst(uint32_t fn, uint8_t bits[148]);
uint16_t calypso_bsp_get_daram_addr(void);
uint16_t calypso_bsp_get_daram_len(void);
uint8_t calypso_bsp_get_last_att(void);
/* Send UL burst via UDP to BTS */
void calypso_bsp_send_ul(uint8_t tn, uint32_t fn, const uint8_t bits[148]);
/* Deliver buffered DL bursts when BDLENA windows are available.
* Called each TDMA frame from calypso_tdma_tick().
* current_fn is the QEMU virtual FN — only bursts tagged with that FN
* (per TN) are delivered; stale bursts (fn < current_fn) are dropped,
* future bursts (fn > current_fn) are kept for later frames. */
void calypso_bsp_deliver_buffered(uint32_t current_fn);
#endif /* HW_ARM_CALYPSO_BSP_H */./include/hw/arm/calypso/calypso_uart.h
/*
* calypso_uart.h — Calypso UART device
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef HW_CHAR_CALYPSO_UART_H
#define HW_CHAR_CALYPSO_UART_H
#include "hw/sysbus.h"
#include "chardev/char-fe.h"
#include "qom/object.h"
#define TYPE_CALYPSO_UART "calypso-uart"
OBJECT_DECLARE_SIMPLE_TYPE(CalypsoUARTState, CALYPSO_UART)
/*
* Large RX FIFO to tolerate Compal/sercomm bursts.
*/
#define CALYPSO_UART_RX_FIFO_SIZE 8192
typedef struct CalypsoUARTState {
SysBusDevice parent_obj;
/* MMIO */
MemoryRegion iomem;
/* QEMU backend */
CharBackend chr;
qemu_irq irq;
/* Debug label ("modem", "irda") */
char *label;
/* Base registers */
uint8_t ier;
uint8_t iir;
uint8_t fcr;
uint8_t lcr;
uint8_t mcr;
uint8_t lsr;
uint8_t msr;
uint8_t spr;
uint8_t dll;
uint8_t dlh;
uint8_t mdr1;
/* Extended/banked registers used by Calypso loader/uart driver */
uint8_t efr;
uint8_t xon1;
uint8_t xon2;
uint8_t xoff1;
uint8_t xoff2;
uint8_t scr;
uint8_t ssr;
/* RX FIFO */
uint8_t rx_fifo[CALYPSO_UART_RX_FIFO_SIZE];
uint16_t rx_head;
uint16_t rx_tail;
uint16_t rx_count;
/* TX empty fires once per THR transition */
bool thr_empty_pending;
/* TX burst drain: count consecutive IIR(TX_EMPTY) reads without
* a THR write. Allows firmware ISR to loop and drain multiple
* bytes per invocation. Clear pending only after 2 reads without
* a write (ISR has nothing left to send). */
uint8_t tx_empty_reads;
/* Periodic RX poll timer — works around QEMU not delivering
* chardev input while the CPU runs in a tight loop. */
QEMUTimer *rx_poll_timer;
} CalypsoUARTState;
/* Char backend callbacks */
int calypso_uart_can_receive(void *opaque);
void calypso_uart_receive(void *opaque, const uint8_t *buf, int size);
/* Inject bytes directly into RX FIFO, bypassing sercomm DLCI parser.
* Used by l1ctl_sock to avoid interference with bridge DLCI 4 parsing. */
void calypso_uart_inject_raw(CalypsoUARTState *s, const uint8_t *buf, int size);
/* Force IRQ re-evaluation if RX data is pending */
void calypso_uart_kick_rx(CalypsoUARTState *s);
/* Tell the chardev backend we can accept more data. */
void calypso_uart_poll_backend(CalypsoUARTState *s);
/* Nudge TX: if TX_EMPTY IRQ is enabled, set pending to trigger ISR.
* This ensures queued sercomm data gets drained even without console output. */
void calypso_uart_kick_tx(CalypsoUARTState *s);
void calypso_uart_force_init(CalypsoUARTState *s);
/* L1CTL socket — sercomm↔L1CTL relay */
void l1ctl_sock_init(CalypsoUARTState *uart, const char *path);
void l1ctl_sock_uart_tx_byte(uint8_t byte);
void l1ctl_sock_poll(void);
bool l1ctl_client_active(void);
#endif /* HW_CHAR_CALYPSO_UART_H */./include/hw/arm/calypso/fw_console.h
#ifndef HW_ARM_CALYPSO_FW_CONSOLE_H
#define HW_ARM_CALYPSO_FW_CONSOLE_H
void fw_console_init(void);
#endif./include/hw/arm/calypso/calypso_timer.h
/*
* calypso_timer.h — Calypso GP/Watchdog Timer QOM device
*
* 16-bit down-counter with auto-reload and IRQ support.
* Clocked from 13 MHz / (prescaler + 1).
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef HW_TIMER_CALYPSO_TIMER_H
#define HW_TIMER_CALYPSO_TIMER_H
#include "hw/sysbus.h"
#include "qom/object.h"
#include "qemu/timer.h"
#define TYPE_CALYPSO_TIMER "calypso-timer"
OBJECT_DECLARE_SIMPLE_TYPE(CalypsoTimerState, CALYPSO_TIMER)
struct CalypsoTimerState {
/*< private >*/
SysBusDevice parent_obj;
/*< public >*/
MemoryRegion iomem;
QEMUTimer *timer;
qemu_irq irq;
uint16_t load; /* Reload value */
uint16_t count; /* Current counter (frozen value, only used when stopped) */
uint16_t ctrl; /* CNTL byte (firmware layout) */
uint16_t prescaler;
int64_t tick_ns; /* Nanoseconds per tick */
int64_t epoch_ns; /* Virtual time when count==load (lazy compute) */
bool running;
};
#endif /* HW_TIMER_CALYPSO_TIMER_H */./include/hw/arm/calypso/sercomm_gate.h
/*
* sercomm_gate.h — Sercomm DLCI router (HDLC demux)
*
* Emulates the hardware separation between:
* - BSP path (bursts) : DLCI 4 → calypso_trx_rx_burst → c54x BSP
* - UART path (L1CTL) : all other DLCIs → re-wrap → FIFO → firmware
*
* On real Calypso, bursts come from the ABB via BSP hardware, not UART.
* In QEMU, the bridge sends them as sercomm DLCI 4 on the PTY, so the
* gate intercepts them and routes to the BSP emulation layer.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef SERCOMM_GATE_H
#define SERCOMM_GATE_H
#include "hw/arm/calypso/calypso_uart.h"
/* Feed raw bytes from PTY into the sercomm HDLC parser.
* Complete frames are routed by DLCI:
* 4 (bursts) → calypso_trx_rx_burst (BSP emulation)
* * (L1CTL, debug, console) → re-wrap → UART FIFO (firmware) */
void sercomm_gate_feed(CalypsoUARTState *s, const uint8_t *buf, int size);
/* Bind UDP CLK listener starting at base_port. */
void sercomm_gate_init(int base_port);
#endif /* SERCOMM_GATE_H */./include/hw/arm/calypso/calypso_soc.h
/*
* calypso_soc.h - TI Calypso System-on-Chip
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef HW_ARM_CALYPSO_SOC_H
#define HW_ARM_CALYPSO_SOC_H
#include "hw/sysbus.h"
#include "qom/object.h"
#include "hw/arm/calypso/calypso_inth.h"
#include "hw/arm/calypso/calypso_timer.h"
#include "hw/arm/calypso/calypso_uart.h"
#include "hw/arm/calypso/calypso_spi.h"
#define TYPE_CALYPSO_SOC "calypso-soc"
OBJECT_DECLARE_SIMPLE_TYPE(CalypsoSoCState, CALYPSO_SOC)
#define CALYPSO_SOC_NUM_IRQS 2
struct CalypsoSoCState {
/*< private >*/
SysBusDevice parent_obj;
/*< public >*/
MemoryRegion iram;
CalypsoINTHState inth;
CalypsoTimerState timer1;
CalypsoTimerState timer2;
CalypsoUARTState uart_modem;
CalypsoUARTState uart_irda;
CalypsoSPIState spi;
void *trx;
qemu_irq cpu_irq;
qemu_irq cpu_fiq;
/* IRAM-at-zero alias (controlled by CNTL register) */
MemoryRegion iram_alias;
bool iram_at_zero;
MemoryRegion cntl_iomem;
uint16_t extra_conf;
};
#endif /* HW_ARM_CALYPSO_SOC_H */./include/hw/arm/calypso/calypso_sim.h
#ifndef HW_ARM_CALYPSO_SIM_H
#define HW_ARM_CALYPSO_SIM_H
#include "qemu/osdep.h"
#include "exec/hwaddr.h"
#include "hw/irq.h"
/* Calypso SIM controller register offsets (relative to 0xFFFE0000) */
#define CALYPSO_SIM_REG_CMD 0x00
#define CALYPSO_SIM_REG_STAT 0x02
#define CALYPSO_SIM_REG_CONF1 0x04
#define CALYPSO_SIM_REG_CONF2 0x06
#define CALYPSO_SIM_REG_IT 0x08
#define CALYPSO_SIM_REG_DRX 0x0A
#define CALYPSO_SIM_REG_DTX 0x0C
#define CALYPSO_SIM_REG_MASKIT 0x0E
#define CALYPSO_SIM_REG_IT_CD 0x10
/* CMD bits */
#define CALYPSO_SIM_CMD_CARDRST (1 << 0)
#define CALYPSO_SIM_CMD_IFRST (1 << 1)
#define CALYPSO_SIM_CMD_STOP (1 << 2)
#define CALYPSO_SIM_CMD_START (1 << 3)
#define CALYPSO_SIM_CMD_MODULE_CLK_EN (1 << 4)
/* STAT bits */
#define CALYPSO_SIM_STAT_NOCARD (1 << 0)
#define CALYPSO_SIM_STAT_TXPAR (1 << 1)
#define CALYPSO_SIM_STAT_FIFOFULL (1 << 2)
#define CALYPSO_SIM_STAT_FIFOEMPTY (1 << 3)
/* IT bits — interrupt sources */
#define CALYPSO_SIM_IT_NATR (1 << 0)
#define CALYPSO_SIM_IT_WT (1 << 1)
#define CALYPSO_SIM_IT_OV (1 << 2)
#define CALYPSO_SIM_IT_TX (1 << 3)
#define CALYPSO_SIM_IT_RX (1 << 4)
/* CONF1 bits */
#define CALYPSO_SIM_CONF1_BYPASS (1 << 8)
#define CALYPSO_SIM_CONF1_SVCCLEV (1 << 9)
#define CALYPSO_SIM_CONF1_SRSTLEV (1 << 10)
typedef struct CalypsoSim CalypsoSim;
CalypsoSim *calypso_sim_new(qemu_irq sim_irq);
uint16_t calypso_sim_reg_read(CalypsoSim *s, hwaddr off);
void calypso_sim_reg_write(CalypsoSim *s, hwaddr off, uint16_t val);
#endif./include/hw/arm/calypso/calypso_trx.h
/*
* calypso_trx.h — Calypso DSP/TPU hardware emulation
* Pure hardware — no sockets, no DSP processing. Firmware does everything.
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef CALYPSO_TRX_H
#define CALYPSO_TRX_H
#include "hw/irq.h"
#include "exec/memory.h"
/* IRQ map */
#define CALYPSO_IRQ_WATCHDOG 0
#define CALYPSO_IRQ_TIMER1 1
#define CALYPSO_IRQ_TIMER2 2
#define CALYPSO_IRQ_TSP_RX 3
#define CALYPSO_IRQ_TPU_FRAME 4
#define CALYPSO_IRQ_TPU_PAGE 5
#define CALYPSO_IRQ_SIM 6
#define CALYPSO_IRQ_UART_MODEM 7
#define CALYPSO_IRQ_KEYPAD_GPIO 8
#define CALYPSO_IRQ_RTC_TIMER 9
#define CALYPSO_IRQ_RTC_ALARM 10
#define CALYPSO_IRQ_ULPD_GAUGING 11
#define CALYPSO_IRQ_EXTERNAL 12
#define CALYPSO_IRQ_SPI 13
#define CALYPSO_IRQ_DMA 14
#define CALYPSO_IRQ_API 15
#define CALYPSO_IRQ_SIM_DETECT 16
#define CALYPSO_IRQ_EXTERNAL_FIQ 17
#define CALYPSO_IRQ_UART_IRDA 18
#define CALYPSO_IRQ_ULPD_GSM_TIMER 19
#define CALYPSO_IRQ_GEA 20
#define CALYPSO_NUM_IRQS 32
/* Hardware addresses */
#define CALYPSO_DSP_BASE 0xFFD00000
#define CALYPSO_DSP_SIZE (64 * 1024)
#define CALYPSO_TPU_BASE 0xFFFF1000
#define CALYPSO_TPU_SIZE 0x0100
#define CALYPSO_TPU_RAM_BASE 0xFFFF9000
#define CALYPSO_TPU_RAM_SIZE 0x0800
#define CALYPSO_TSP_BASE 0xFFFE0800
#define CALYPSO_TSP_SIZE 0x0100
#define CALYPSO_SIM_BASE 0xFFFE0000
#define CALYPSO_SIM_SIZE 0x0100
#define CALYPSO_ULPD_BASE 0xFFFE2800
#define CALYPSO_ULPD_SIZE 0x0100
/* TPU register offsets */
#define TPU_CTRL 0x0000
#define TPU_INT_CTRL 0x0002
#define TPU_INT_STAT 0x0004
#define TPU_OFFSET 0x000C
#define TPU_SYNCHRO 0x000E
#define TPU_IT_DSP_PG 0x0020
/* TPU_CTRL bits */
#define TPU_CTRL_RESET (1 << 0)
#define TPU_CTRL_PAGE (1 << 1)
#define TPU_CTRL_EN (1 << 2)
#define TPU_CTRL_DSP_EN (1 << 4)
#define TPU_CTRL_MCU_RAM_ACC (1 << 6)
#define TPU_CTRL_TSP_RESET (1 << 7)
#define TPU_CTRL_IDLE (1 << 8)
#define TPU_CTRL_WAIT (1 << 9)
#define TPU_CTRL_CK_ENABLE (1 << 10)
#define TPU_CTRL_FULL_WRITE (1 << 11)
/* TPU INT_CTRL bits */
#define ICTRL_MCU_FRAME (1 << 0)
#define ICTRL_MCU_PAGE (1 << 1)
#define ICTRL_DSP_FRAME (1 << 2)
#define ICTRL_DSP_FRAME_FORCE (1 << 3)
/* TSP */
#define TSP_RX_REG 0x08
/* ULPD */
#define ULPD_SETUP_CLK13 0x00
#define ULPD_COUNTER_HI 0x1C
#define ULPD_COUNTER_LO 0x1E
#define ULPD_GAUGING_CTRL 0x24
#define ULPD_GSM_TIMER 0x28
/* GSM timing — real 4.615ms TDMA frame period */
#define GSM_TDMA_NS 4615000
#define GSM_HYPERFRAME 2715648
/* DSP boot */
#define DSP_DL_STATUS_ADDR 0x0FFE
#define DSP_API_VER_ADDR 0x01B4
#define DSP_API_VER2_ADDR 0x01B6
#define DSP_DL_STATUS_RESET 0x0000
#define DSP_DL_STATUS_BOOT 0x0001
#define DSP_DL_STATUS_READY 0x0002
#define DSP_API_VERSION 0x3606
void calypso_trx_init(MemoryRegion *sysmem, qemu_irq *irqs);
/* W1C (Write-1-to-Clear) latch toggle for ARM↔DSP a_sync_* cells.
* Returns 1 if CALYPSO_W1C_LATCH=1 env is set, 0 otherwise. Used by
* both calypso_c54x.c (capture side) and calypso_trx.c (consume side)
* to gate the latch flow. */
int calypso_w1c_latch_enabled(void);
/* Sercomm burst transport (DLCI 4) — called by UART hardware */
void calypso_trx_rx_burst(const uint8_t *data, int len);
void calypso_trx_tx_burst_poll(void);
/* Current TDMA frame number (0..GSM_HYPERFRAME-1). Used by BSP for
* FN-alignment of arriving DL bursts. Returns 0 before TDMA starts. */
uint32_t calypso_trx_get_fn(void);
#endif /* CALYPSO_TRX_H */./include/hw/arm/calypso/calypso_inth.h
/*
* calypso_inth.h — Calypso INTH (Interrupt Handler) QOM device
*
* Two-level interrupt controller with 32 IRQ lines,
* priority-based arbitration, and IRQ/FIQ routing.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef HW_INTC_CALYPSO_INTH_H
#define HW_INTC_CALYPSO_INTH_H
#include "hw/sysbus.h"
#include "qom/object.h"
#define TYPE_CALYPSO_INTH "calypso-inth"
OBJECT_DECLARE_SIMPLE_TYPE(CalypsoINTHState, CALYPSO_INTH)
#define CALYPSO_INTH_NUM_IRQS 32
struct CalypsoINTHState {
/*< private >*/
SysBusDevice parent_obj;
/*< public >*/
MemoryRegion iomem;
/* Output lines to CPU */
qemu_irq parent_irq; /* CPU IRQ line */
qemu_irq parent_fiq; /* CPU FIQ line */
/* Interrupt Level Registers: bits[4:0]=priority, bit[8]=FIQ */
uint16_t ilr[CALYPSO_INTH_NUM_IRQS];
uint16_t ith_v; /* Current highest-priority active IRQ number */
uint16_t fiq_v; /* Current highest-priority active FIQ number
* (separate channel from ith_v — see audit fix
* 2026-05-08 night in calypso_inth_update). */
int irq_in_service; /* IRQ being serviced (-1 = none). Set on IRQ_NUM read,
* cleared on IRQ_CTRL write. Prevents ith_v update
* so IRQ_CTRL acks the correct interrupt. */
uint32_t levels; /* Bitmask of current input levels (level-sensitive) */
uint32_t mask; /* Bitmask: 1 = masked (disabled) */
int rr_start; /* Round-robin: start scan from here next time */
};
#endif /* HW_INTC_CALYPSO_INTH_H */./include/hw/arm/calypso/calypso_iota.h
/*
* TWL3025 / IOTA — analog baseband chip model.
*
* Sits on the Calypso TSP serial bus (dev_idx 0). The L1 firmware programs
* BDLON / BDLENA / BULON / BULENA via single-byte TSP writes; this model
* tracks the resulting downlink/uplink window state so other QEMU
* components (notably calypso_bsp) can gate sample DMA the way the real
* BSP serial link is gated by IOTA's BDLENA pin.
*
* Reference: osmocom-bb src/target/firmware/include/abb/twl3025.h
* (BDLON/BDLENA/BULON/BULENA bit values).
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef HW_ARM_CALYPSO_IOTA_H
#define HW_ARM_CALYPSO_IOTA_H
#include <stdbool.h>
#include <stdint.h>
/* Bit values written by twl3025_tsp_write() — straight from twl3025.h */
#define IOTA_TSP_BULON 0x80
#define IOTA_TSP_BULENA 0x40
#define IOTA_TSP_BULCAL 0x20
#define IOTA_TSP_BDLON 0x10
#define IOTA_TSP_BDLCAL 0x08
#define IOTA_TSP_BDLENA 0x04
void calypso_iota_init(void);
/* Process one TSP write (TPU sequencer feeds us). `data` is the 7-bit byte
* the firmware passed to twl3025_tsp_write(). `expected_tn` is the GSM
* timeslot the L1 has armed this BDLENA window for, derived by the TPU
* sequencer from the AT instruction immediately preceding this MOVE. */
void calypso_iota_tsp_write(uint8_t data, uint8_t expected_tn);
/* True while the firmware has BDLENA asserted on IOTA. */
bool calypso_iota_bdl_ena(void);
/* Number of times BDLENA has been asserted (rising edge counter). */
uint32_t calypso_iota_bdl_ena_pulses(void);
/* Atomically take one bdl_ena rising-edge credit if it matches the burst's
* timeslot. Returns true if a credit existed for this `tn` and was consumed,
* false otherwise. */
bool calypso_iota_take_bdl_pulse(uint8_t tn);
#endif /* HW_ARM_CALYPSO_IOTA_H */./include/hw/arm/calypso/calypso_dbg.h
/*
* Calypso QEMU runtime debug categories.
*
* Each tracer in the calypso modules is gated by a category bit. The
* active set is controlled by the CALYPSO_DBG environment variable, a
* comma-separated list of category names (or "all", or "none"). If the
* env var is unset, only the "always-on" categories (CORRUPT, UNIMPL)
* are enabled.
*
* Example:
* CALYPSO_DBG=bsp,fb,sp # 3 categories
* CALYPSO_DBG=all # everything
* CALYPSO_DBG=none # nothing (even corrupt suppressed)
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef HW_ARM_CALYPSO_DBG_H
#define HW_ARM_CALYPSO_DBG_H
#include <stdint.h>
#include <stdio.h>
enum calypso_dbg_cat {
DBG_BSP = 0, /* BSP DMA, BSP-RD, BSP-ENV-CHECK */
DBG_FB, /* FB-DETECT-*, FB DETECTED */
DBG_SP, /* SP-WEDGE, SP-STEP, SP MMR writes */
DBG_CORRUPT, /* NDB d_dsp_page / d_fb_det wrong writes (default ON) */
DBG_UNIMPL, /* unimplemented opcodes (default ON) */
DBG_HOT, /* HOT-LOOP-PC */
DBG_XPC, /* XPC switches, far call/branch */
DBG_CALL, /* CALL/RET balance */
DBG_F2, /* F2xx undocumented opcode tracer */
DBG_DUMP, /* one-shot DUMP-XXXX */
DBG_BOOT, /* boot ROM, init, ROM->DARAM transitions */
DBG_L1CTL, /* L1CTL socket */
DBG_TRX, /* TRX/sercomm/UDP */
DBG_PMST, /* PMST changes */
DBG_RPT, /* RPT/RPTB tracking */
DBG_MVPD, /* MVPD copies */
DBG_INTH, /* interrupt handler */
DBG_TINT0, /* TINT0 master clock */
DBG__COUNT
};
extern uint32_t calypso_dbg_mask;
void calypso_dbg_init(void);
#define DBG(cat, fmt, ...) do { \
if (calypso_dbg_mask & (1u << (cat))) \
fprintf(stderr, "[" #cat "] " fmt "\n", ##__VA_ARGS__); \
} while (0)
#define DBG_ON(cat) (calypso_dbg_mask & (1u << (cat)))
#endif /* HW_ARM_CALYPSO_DBG_H */./make_diag_bundle.sh
#!/usr/bin/env bash
# make_diag_bundle.sh — collecte et package les données de diag du run actif.
#
# Output : un tar.gz dans /home/nirvana/ (ou $OUT_DIR) avec ownership nirvana.
# Inclut : logs filtrés, PC HIST complet, tail brut, static dumps des zones
# stuck (auto-detect), source excerpts des décodeurs, env+boot trace.
#
# Pas de prompt Claude web — juste les données. À toi de les analyser ou
# de les uploader où tu veux.
#
# Usage:
# ./make_diag_bundle.sh # défaut : container "trying", out /home/nirvana/
# CONTAINER=foo ./make_diag_bundle.sh # autre container
# OUT_DIR=/tmp ./make_diag_bundle.sh # autre dest
# TAG=v5_test ./make_diag_bundle.sh # tag custom (défaut = timestamp)
# ZONES="0xa0e0 0x8200 0xfc50" ./make_diag_bundle.sh # zones static dump
# (défaut = auto-detect)
# SKIP="osmocon frame_irq" ./make_diag_bundle.sh # exclure des fichiers
# TAIL_LINES=8000 ./make_diag_bundle.sh # taille du tail brut
#
# Pré-requis : docker exec dispo, dsp_read.sh dans le container.
set -u
CONTAINER="${CONTAINER:-trying}"
OUT_DIR="${OUT_DIR:-/home/nirvana}"
TAG="${TAG:-$(date +%Y%m%d_%H%M%S)}"
ZONES="${ZONES:-}"
SKIP="${SKIP:-}"
TAIL_LINES="${TAIL_LINES:-4000}"
OWNER="${OWNER:-nirvana:nirvana}"
# --- preflight checks ------------------------------------------------
if ! docker ps --format '{{.Names}}' 2>/dev/null | grep -qx "$CONTAINER"; then
echo "ERR: container '$CONTAINER' not running" >&2
exit 1
fi
if [[ ! -d "$OUT_DIR" ]]; then
echo "ERR: output dir '$OUT_DIR' does not exist" >&2
exit 1
fi
WORK=$(mktemp -d -t bundle.XXXXXX)
trap 'rm -rf "$WORK"' EXIT
echo "[bundle] work dir: $WORK"
echo "[bundle] tag: $TAG"
echo "[bundle] container: $CONTAINER"
skip() { [[ " $SKIP " == *" $1 "* ]]; }
# --- 1. Pull logs from container ------------------------------------
echo "[bundle] pulling logs from container..."
PROC_PID=$(docker inspect --format '{{.State.Pid}}' "$CONTAINER" 2>/dev/null)
PROC_ROOT="/proc/$PROC_PID/root"
if [[ ! -d "$PROC_ROOT" ]]; then
echo "ERR: cannot access /proc/$PROC_PID/root" >&2
exit 1
fi
cp -a "$PROC_ROOT/root/qemu.log" "$WORK/qemu_full.log" 2>/dev/null || \
{ echo "ERR: cannot read /root/qemu.log in container"; exit 1; }
skip bridge || cp -a "$PROC_ROOT/tmp/bridge.log" "$WORK/bridge.log" 2>/dev/null || true
skip osmocon || cp -a "$PROC_ROOT/tmp/osmocon.log" "$WORK/osmocon.log" 2>/dev/null || true
skip frame_irq|| cp -a "$PROC_ROOT/tmp/frame_irq.log" "$WORK/frame_irq.log" 2>/dev/null || true
skip mobile || cp -a "$PROC_ROOT/tmp/mobile.log" "$WORK/mobile.log" 2>/dev/null || true
skip tdma_profile || cp -a "$PROC_ROOT/tmp/tdma_profile.log" "$WORK/tdma_profile.log" 2>/dev/null || true
skip tdma_tick || cp -a "$PROC_ROOT/tmp/tdma_tick.log" "$WORK/tdma_tick.log" 2>/dev/null || true
skip qemu-fw || cp -a "$PROC_ROOT/tmp/qemu-fw-console.log" "$WORK/qemu-fw-console.log" 2>/dev/null || true
raw_size=$(wc -c < "$WORK/qemu_full.log")
echo "[bundle] qemu.log raw size: $((raw_size/1024)) KB"
# --- 2. Filtered grep — all known markers (extensible) -------------
echo "[bundle] generating filtered logs..."
grep -nE 'XC-COND|DUAL-OP-INTERPRET|SP-CATASTROPHE|IMR-W|INTM-TRANS|cause prev_exec|DSP WR a_sync|ENTER-770c|ENTER-7700|ENTER-8d2d|MAC-8d33|fbsb hook|MAC-7700|IRQ #|STALE ratio|BSP LOAD|BSP DMA|DISP-FLAG-W|ARM TASK WR|ARM RD|d_fb_det|a_sync_TOA|VEC-TRACE|PENDING IRQ|WATCH-WRITE|WATCH-READ|HOT-OPS-DUMP|FORCE-DARAM62|PMST WR|IMR change|DISP-PTR|DISP-WRITE|RPTB' \
"$WORK/qemu_full.log" > "$WORK/qemu_diag.log" || true
grep 'PC HIST insn=' "$WORK/qemu_full.log" > "$WORK/pc_hist.log" || true
tail -"$TAIL_LINES" "$WORK/qemu_full.log" > "$WORK/qemu_tail.log"
# ENV + boot trace
grep -iE 'CALYPSO_|^\[BSP\]|^\[calypso-trx\]|^\[calypso-fbsb\]|^\[c54x\] BOOT|^\[c54x\] Reset|PMST=|^\[BL ARM' \
"$WORK/qemu_full.log" 2>/dev/null | head -300 > "$WORK/env_boot.log" || true
# Optionnellement : remove the full dump if it's huge (keep filtered + tail)
if [[ "$raw_size" -gt 10000000 ]]; then
rm "$WORK/qemu_full.log"
echo "[bundle] qemu_full.log removed (>10MB) — kept qemu_diag.log + qemu_tail.log"
fi
# --- 3. Auto-detect stuck zones if ZONES not provided --------------
if [[ -z "$ZONES" ]]; then
echo "[bundle] auto-detecting stuck zones from PC HIST..."
# Take last PC HIST window, extract top 5 distinct PCs (4 hex digits)
last_pc_hist=$(tail -1 "$WORK/pc_hist.log" 2>/dev/null | sed 's/.*top: //')
if [[ -n "$last_pc_hist" ]]; then
# Extract first 5 unique 4-hex PCs
ZONES=$(echo "$last_pc_hist" | grep -oE '[0-9a-f]{4}' | head -5 | sort -u | sed 's/^/0x/' | tr '\n' ' ')
echo "[bundle] auto-zones: $ZONES"
fi
# Always include the canonical ones we've been investigating
for z in 0xa0e0 0xa0e7 0x8208 0x8d2d 0xfc54; do
case " $ZONES " in *" $z "*) :;; *) ZONES="$ZONES $z";; esac
done
fi
# --- 4. Static prog dumps for the chosen zones ---------------------
echo "[bundle] static prog dumps for: $ZONES"
{
for zone in $ZONES; do
# Convert zone to integer (handle both 0x... and bare hex)
zone_int=$((zone))
zone_hex=$(printf '0x%04x' "$zone_int")
echo "=== Static dump prog[${zone_hex}..$(printf '0x%04x' $((zone_int+0x1f)))] ==="
# Determine section : prom0 = 0x7000-0xDFFF, prom1 = 0xE000-0xFF7F
if (( zone_int >= 0xE000 && zone_int <= 0xFFFF )); then
section=prom1
else
section=prom0
fi
for off in $(seq 0 31); do
addr=$(printf '0x%04x' $((zone_int + off)))
docker exec "$CONTAINER" bash /opt/GSM/qemu-src/dsp_read.sh "$section" "$addr" 2>&1
done
echo
done
} > "$WORK/static_decode.txt"
# --- 5. Source excerpts ---------------------------------------------
echo "[bundle] extracting source excerpts..."
SRC=/home/nirvana/qemu-src/hw/arm/calypso/calypso_c54x.c
{
echo "=== calypso_c54x.c — version + size ==="
ls -la "$SRC"
echo
if [[ -r "$SRC" ]]; then
echo "=== ST||LD dual-op handler (C8-CB) ==="
grep -n 'C8/C9/CA/CB' "$SRC" | head -5
sed -n '4485,4545p' "$SRC"
echo
echo "=== MAC dual-op handler (D0-D9) ==="
sed -n '4302,4350p' "$SRC"
echo
echo "=== MASA / SQUR (DB / DC) ==="
sed -n '4360,4420p' "$SRC"
echo
echo "=== XC-COND probe (line ~5005-5070) ==="
sed -n '5005,5080p' "$SRC"
echo
echo "=== SP-CATASTROPHE + DUAL-OP-INTERPRET tracer ==="
grep -n 'SP-CATASTROPHE\|DUAL-OP-INTERPRET' "$SRC" | head -10
echo
echo "=== INTM-TRANS tracer (uses last_exec_pc) ==="
grep -n 'INTM-TRANS' "$SRC" | head -5
fi
} > "$WORK/source_excerpts.txt"
# --- 6. Markers summary (run output of parse_dsp_log.sh) -----------
echo "[bundle] running parse_dsp_log.sh for summary snapshot..."
if [[ -x /home/nirvana/qemu-src/parse_dsp_log.sh ]]; then
SECTIONS="meta env markers pc stuck pc-zones bsp sp imr dual snr intm mac irq summary" \
/home/nirvana/qemu-src/parse_dsp_log.sh > "$WORK/parse_summary.txt" 2>&1 || true
fi
# --- 7. Sizes report ------------------------------------------------
echo "[bundle] file sizes:"
( cd "$WORK" && wc -l *.log *.txt 2>/dev/null )
echo
# --- 8. Tarball + copy to OUT_DIR with owner -----------------------
TARBALL="diag_${TAG}.tar.gz"
( cd "$WORK" && tar czf "$OUT_DIR/$TARBALL" *.log *.txt )
SIZE=$(du -h "$OUT_DIR/$TARBALL" | awk '{print $1}')
chown "$OWNER" "$OUT_DIR/$TARBALL" 2>/dev/null || true
echo "[bundle] DONE"
echo " → $OUT_DIR/$TARBALL ($SIZE, owner $OWNER)"
ls -la "$OUT_DIR/$TARBALL"./hw/arm/calypso/calypso_fbsb.h
/*
* calypso_fbsb.h — QEMU-side FBSB (FCCH/SCH burst search) orchestration
*
* Mirrors the firmware's prim_fbsb.c state machine but lives entirely in
* QEMU. The goal is to handle the FBSB sequence autonomously when the
* emulated DSP cannot drive the NDB cells correctly (because of opcode
* gaps, missing C548 extensions, etc).
*
* The "real" osmocom-bb flow is in:
* src/target/firmware/layer1/prim_fbsb.c
*
* That file's state machine, mirrored here:
*
* IDLE
* │
* │ ARM writes d_task_md = FB_DSP_TASK (mode 0)
* ▼
* FB0_SEARCH ── correlator finds burst ──► FB0_FOUND
* │ │
* │ 12 attempts no FB │ ferr small enough
* │ ▼
* ▼ FB1_SEARCH ──► FB1_FOUND
* FAIL (result=255) │ │
* ▼ ▼
* FAIL SB_SEARCH ──► SB_FOUND
* │ │
* ▼ ▼
* FAIL SUCCESS
*
* NDB cells we read/write (offsets in DSP data words from API base 0x0800):
* d_dsp_page 0x08D4 (page toggle from ARM)
* d_fb_det 0x08F9 (DSP → ARM: non-zero = FB found)
* d_fb_mode 0x08FA (ARM → DSP: 0 = wideband search, 1 = narrow)
* a_sync_demod[0] 0x08FB D_TOA — time-of-arrival
* a_sync_demod[1] 0x08FC D_PM — power measurement
* a_sync_demod[2] 0x08FD D_ANGLE — frequency phase angle
* a_sync_demod[3] 0x08FE D_SNR — signal-to-noise ratio
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef CALYPSO_FBSB_H
#define CALYPSO_FBSB_H
#include <stdint.h>
#include <stdbool.h>
/* NDB cell offsets — DSP data word addresses. */
/* Offsets verified against calypso_trx.c lines 575-581: ARM sees NDB
* starting at byte 0x01A8 (= dsp_ram word 0xD4), and d_fb_det is at
* dsp_ram[0xF8]. With api_base=0x0800 → DSP word = 0x0800 + 0xF8. */
#define NDB_D_DSP_PAGE 0x08D4
#define NDB_D_FB_DET 0x08F8
#define NDB_D_FB_MODE 0x08F9
#define NDB_A_SYNC_DEMOD_TOA 0x08FA
#define NDB_A_SYNC_DEMOD_PM 0x08FB
#define NDB_A_SYNC_DEMOD_ANG 0x08FC
#define NDB_A_SYNC_DEMOD_SNR 0x08FD
/* d_task_md values used by the firmware (subset).
* From osmocom-bb dsp_api.h — verified against l1s_pm_cmd / l1s_fbdet_cmd. */
#define DSP_TASK_NONE 0
#define DSP_TASK_PM 1 /* PM_DSP_TASK (power measurement, NOT FB) */
#define DSP_TASK_FB 5 /* FB_DSP_TASK (frequency burst, idle) */
#define DSP_TASK_SB 6 /* SB_DSP_TASK (sync burst, idle) */
#define DSP_TASK_TCH_FB 8 /* TCH_FB_DSP_TASK (dedicated) */
#define DSP_TASK_TCH_SB 9 /* TCH_SB_DSP_TASK (dedicated) */
#define DSP_TASK_ALLC 24 /* ALLC_DSP_TASK (CCCH read while FULL BCCH/CCCH) */
/* FBSB orchestration state. One instance per Calypso. */
typedef enum {
FBSB_IDLE = 0,
FBSB_FB0_SEARCH,
FBSB_FB0_FOUND,
FBSB_FB1_SEARCH,
FBSB_FB1_FOUND,
FBSB_SB_SEARCH,
FBSB_SB_FOUND,
FBSB_DONE,
FBSB_FAIL,
} CalypsoFbsbState;
typedef struct CalypsoFbsb {
CalypsoFbsbState state;
uint16_t *ndb; /* points into ARM dsp_ram[] (word-addressed) */
uint16_t api_base; /* DSP-side word base (0x0800) */
/* Per-attempt counters mirroring prim_fbsb.c. */
uint8_t fb0_attempt;
uint8_t fb1_attempt;
uint8_t sb_attempt;
uint8_t fb0_retries;
uint8_t afc_retries;
/* Last DSP result snapshot (what we'd write to a_sync_demod). */
int16_t last_toa;
int16_t last_angle;
uint16_t last_pm;
uint16_t last_snr;
/* Bookkeeping. */
uint64_t fn_started;
} CalypsoFbsb;
/* Lifecycle. */
void calypso_fbsb_init(CalypsoFbsb *s, uint16_t *ndb_word_base,
uint16_t api_base);
void calypso_fbsb_reset(CalypsoFbsb *s);
/* Hooks. */
void calypso_fbsb_on_dsp_task_change(CalypsoFbsb *s, uint16_t d_task_md,
uint64_t fn);
void calypso_fbsb_on_frame_tick(CalypsoFbsb *s, uint64_t fn);
/* Direct write helpers (used by the orchestration to publish results
* into NDB so the ARM firmware sees them). */
void calypso_fbsb_publish_fb_found(CalypsoFbsb *s,
int16_t toa, uint16_t pm,
int16_t angle, uint16_t snr);
void calypso_fbsb_clear_fb(CalypsoFbsb *s);
/* SB synthesis: writes a_sch[0..4] in BOTH db_r pages so l1s_sbdet_resp
* sees CRC=OK + a decodable sync burst regardless of d_dsp_page state. */
void calypso_fbsb_publish_sb_found(CalypsoFbsb *s, uint8_t bsic);
/* Trace helper — single-line dump of current state. */
void calypso_fbsb_dump(const CalypsoFbsb *s, const char *tag);
#endif /* CALYPSO_FBSB_H */./hw/arm/calypso/calypso_mb.c
/*
* calypso_mb.c - Calypso development board machine
* DEBUG BUILD — verbose flash/memory debug
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "qapi/error.h"
#include "hw/boards.h"
#include "hw/sysbus.h"
#include "hw/irq.h"
#include "hw/loader.h"
#include "hw/qdev-properties.h"
#include "hw/qdev-properties-system.h"
#include "hw/block/flash.h"
#include "hw/char/serial.h"
#include "sysemu/sysemu.h"
#include "sysemu/blockdev.h"
#include "sysemu/block-backend.h"
#include "qemu/error-report.h"
#include "exec/address-spaces.h"
#include "elf.h"
#include "target/arm/cpu.h"
#include "sysemu/reset.h"
#include "hw/arm/calypso/calypso_soc.h"
#define CALYPSO_XRAM_BASE 0x01000000
#define CALYPSO_XRAM_SIZE (8 * 1024 * 1024)
#define CALYPSO_FLASH_BASE 0x00000000
#define CALYPSO_FLASH_SIZE (4 * 1024 * 1024)
typedef struct CalypsoMachineState {
MachineState parent;
ARMCPU *cpu;
CalypsoSoCState soc;
MemoryRegion xram;
MemoryRegion bootrom;
} CalypsoMachineState;
#define TYPE_CALYPSO_MACHINE MACHINE_TYPE_NAME("calypso")
OBJECT_DECLARE_SIMPLE_TYPE(CalypsoMachineState, CALYPSO_MACHINE)
/*
* Firmware patches applied after ROM blobs are loaded into memory.
* Called from qemu_system_reset() which runs after machine_init.
*
* 1) NOP cons_puts: prevents console output from filling the 32-slot
* msgb pool, which causes talloc panic during boot.
*
* 2) Talloc panic → retry with IRQs: if the pool fills despite (1),
* re-enable IRQs and retry instead of halting. The NOP at the
* cons_puts call site prevents recursive allocation.
*
* 3) handle_abort → loop with IRQs enabled: prevents a stray data
* abort from permanently disabling IRQs and halting the system.
*/
static void calypso_machine_init(MachineState *machine)
{
CalypsoMachineState *s = CALYPSO_MACHINE(machine);
MemoryRegion *sysmem = get_system_memory();
Object *cpuobj;
Error *err = NULL;
fprintf(stderr, "[MB] === calypso_machine_init START ===\n");
/* ---- CPU ---- */
cpuobj = object_new(machine->cpu_type);
s->cpu = ARM_CPU(cpuobj);
if (!qdev_realize(DEVICE(cpuobj), NULL, &err)) {
error_report_err(err);
exit(1);
}
/* ---- SoC ---- */
object_initialize_child(OBJECT(machine), "soc", &s->soc, TYPE_CALYPSO_SOC);
if (!sysbus_realize(SYS_BUS_DEVICE(&s->soc), &err)) {
error_report_err(err);
exit(1);
}
sysbus_connect_irq(SYS_BUS_DEVICE(&s->soc), 0,
qdev_get_gpio_in(DEVICE(&s->cpu->parent_obj), ARM_CPU_IRQ));
sysbus_connect_irq(SYS_BUS_DEVICE(&s->soc), 1,
qdev_get_gpio_in(DEVICE(&s->cpu->parent_obj), ARM_CPU_FIQ));
/* ---- External RAM ---- */
memory_region_init_ram(&s->xram,
OBJECT(&s->soc.parent_obj),
"calypso.xram",
CALYPSO_XRAM_SIZE,
&error_fatal);
memory_region_add_subregion(sysmem, CALYPSO_XRAM_BASE, &s->xram);
fprintf(stderr, "[MB] XRAM @ 0x%08x (%d MiB)\n",
CALYPSO_XRAM_BASE, CALYPSO_XRAM_SIZE / (1024*1024));
/* ---- Flash NOR @ 0x00000000 ----
*
* Real Compal E88: Intel 28F320 (4 MiB) on CS0 at 0x00000000.
* 16-bit bus width (Calypso CS0 is 16-bit).
* Manufacturer 0x0089 = Intel, Device 0x0018 = 28F320J3.
* 64 KiB sectors.
*
* The loader does CFI queries here. If there's no pflash or
* something else shadows this address, we get "Failed to
* initialize flash!".
*/
DriveInfo *dinfo = drive_get(IF_PFLASH, 0, 0);
fprintf(stderr, "[MB] Flash: registering pflash_cfi01 @ 0x%08x\n",
CALYPSO_FLASH_BASE);
fprintf(stderr, "[MB] size=%d MiB, sector=64K, width=2 (16-bit)\n",
CALYPSO_FLASH_SIZE / (1024*1024));
fprintf(stderr, "[MB] mfr=0x0089 (Intel), dev=0x0018 (28F320J3)\n");
fprintf(stderr, "[MB] drive=%s\n", dinfo ? "attached" : "NONE (blank 0xFF)");
pflash_cfi01_register(CALYPSO_FLASH_BASE,
"calypso.flash",
CALYPSO_FLASH_SIZE,
dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
64 * 1024, /* sector size */
1, /* 8-bit bus width */
0x0089, /* Intel */
0x0018, /* 28F320J3 */
0, 0, 0);
fprintf(stderr, "[MB] Flash: pflash_cfi01 registered OK\n");
/* ---- Synthetic boot ROM at address 0 ----
*
* The real Calypso has internal ROM at 0x00000000 containing
* exception vector stubs that branch to IRAM exception handlers.
* OsmocomBB firmware installs handlers at IRAM+0x1C through IRAM+0x34.
* The boot ROM vectors use: ldr pc, [pc, #0x18] + address table.
*
* Layout (0x00-0x3F):
* 0x00-0x1C: ldr pc, [pc, #0x18] for each exception
* 0x20-0x3C: handler addresses in IRAM
*/
{
uint32_t bootrom_data[16];
/* ARM instruction: ldr pc, [pc, #0x18] = 0xe59ff018 */
for (int i = 0; i < 8; i++) {
bootrom_data[i] = 0xe59ff018;
}
/* Handler addresses (read via the ldr pc above):
* Each vector at offset N reads from offset N+0x20 */
bootrom_data[8] = 0x00820000; /* reset → _start */
bootrom_data[9] = 0x0080001C; /* undef → IRAM _undef_instr */
bootrom_data[10] = 0x00800020; /* SWI → IRAM _sw_interr */
bootrom_data[11] = 0x00800024; /* prefetch abort → IRAM */
bootrom_data[12] = 0x00800028; /* data abort → IRAM */
bootrom_data[13] = 0x0080002C; /* reserved → IRAM */
bootrom_data[14] = 0x00800030; /* IRQ → IRAM _irq */
bootrom_data[15] = 0x00800034; /* FIQ → IRAM _fiq */
memory_region_init_ram(&s->bootrom, NULL,
"calypso.bootrom", 64, &error_fatal);
memory_region_add_subregion_overlap(sysmem, 0x00000000,
&s->bootrom, 1);
/* Write vector table into the boot ROM RAM */
{
void *ptr = memory_region_get_ram_ptr(&s->bootrom);
memcpy(ptr, bootrom_data, sizeof(bootrom_data));
}
fprintf(stderr, "[MB] Boot ROM @ 0x00000000 (64 bytes, exception vectors)\n");
}
/* ---- Firmware load ---- */
if (machine->kernel_filename) {
uint64_t entry;
int ret;
ret = load_elf(machine->kernel_filename, NULL, NULL, NULL,
&entry, NULL, NULL, NULL,
0, EM_ARM, 1, 0);
if (ret < 0) {
ret = load_image_targphys(machine->kernel_filename,
CALYPSO_XRAM_BASE,
CALYPSO_XRAM_SIZE);
if (ret < 0) {
error_report("Could not load firmware '%s'",
machine->kernel_filename);
exit(1);
}
entry = CALYPSO_XRAM_BASE;
}
cpu_set_pc(CPU(s->cpu), entry);
fprintf(stderr, "[MB] Firmware: '%s'\n", machine->kernel_filename);
fprintf(stderr, "[MB] entry=0x%08lx size=%d bytes\n",
(unsigned long)entry, ret);
}
fprintf(stderr, "[MB] === Machine ready ===\n");
fprintf(stderr, "[MB] Flash: 0x%08x–0x%08x (%d MiB pflash_cfi01)\n",
CALYPSO_FLASH_BASE,
CALYPSO_FLASH_BASE + CALYPSO_FLASH_SIZE - 1,
CALYPSO_FLASH_SIZE / (1024*1024));
fprintf(stderr, "[MB] IRAM: 0x00800000–0x0083FFFF (256 KiB)\n");
fprintf(stderr, "[MB] XRAM: 0x%08x–0x%08x (%d MiB)\n",
CALYPSO_XRAM_BASE,
CALYPSO_XRAM_BASE + CALYPSO_XRAM_SIZE - 1,
CALYPSO_XRAM_SIZE / (1024*1024));
}
static void calypso_machine_class_init(ObjectClass *oc, void *data)
{
MachineClass *mc = MACHINE_CLASS(oc);
mc->desc = "Calypso SoC development board (modular architecture)";
mc->init = calypso_machine_init;
mc->max_cpus = 1;
mc->default_cpu_type = ARM_CPU_TYPE_NAME("arm946");
mc->default_ram_size = 0;
mc->alias = "calypso-high";
}
static const TypeInfo calypso_machine_info = {
.name = TYPE_CALYPSO_MACHINE,
.parent = TYPE_MACHINE,
.instance_size = sizeof(CalypsoMachineState),
.class_init = calypso_machine_class_init,
};
static void calypso_machine_register_types(void)
{
type_register_static(&calypso_machine_info);
}
type_init(calypso_machine_register_types)./hw/arm/calypso/calypso_sim.c
/*
* calypso_sim.c — ISO 7816 / GSM 11.11 SIM emulator for the Calypso
*
* Replaces the historical 1-line ATR-pulse stub. Implements:
* - ATR delivery on CMDSTART
* - APDU framing through the TX/RX FIFO
* - Minimum viable GSM 11.11 file system (MF, DF_GSM, DF_TELECOM)
* - Standard commands: SELECT (A4), READ_BINARY (B0), READ_RECORD (B2),
* GET_RESPONSE (C0), STATUS (F2), VERIFY_CHV (20),
* RUN_GSM_ALGORITHM (88)
*
* Test SIM identity (matches the standard test PLMN 001/01):
* IMSI = 001 01 0000000001 (15 digits)
* ICCID = 8901010000000000001 F (BCD swapped)
* Ki = 00..00 (16 bytes — auth always returns deterministic SRES/Kc)
*
* Bytes flow: firmware writes APDU bytes one at a time to DTX. We parse
* the 5-byte ISO 7816 header, optionally collect data bytes (P3 of length
* for outgoing case 3) and dispatch. Response bytes are pushed to RX FIFO,
* IT_RX raised, IRQ pulsed.
*/
#include "qemu/osdep.h"
#include "qemu/timer.h"
#include "qemu/main-loop.h"
#include "exec/cpu-common.h"
#include "hw/core/cpu.h"
#include "hw/arm/calypso/calypso_sim.h"
#define SIM_LOG(...) do { fprintf(stderr, "[sim] " __VA_ARGS__); fputc('\n', stderr); } while(0)
#define APDU_MAX_LEN 261
#define RX_FIFO_SIZE 512
#define ATR_DELAY_NS 1000000 /* 1 ms simulated */
/* Minimal valid ATR (4 bytes):
* TS = 0x3B (direct convention)
* T0 = 0x02 (Y1=0 → no TA/TB/TC/TD interface bytes,
* K =2 → 2 historical bytes follow)
* Hist[0..1] = 0x14 0x50 (arbitrary, identifies a test card)
* No TCK byte because no T!=0 protocol indicated.
* Total bytes the firmware will read = 4. */
static const uint8_t SIM_ATR[] = { 0x3B, 0x02, 0x14, 0x50 };
/* ---------- file system ---------------------------------------------- */
typedef enum {
EF_TRANSPARENT = 0,
EF_LINEAR_FIXED = 1,
EF_CYCLIC = 2,
EF_DF = 0xF0, /* not a real EF — directory entry */
EF_MF = 0xF1,
} EfStructure;
typedef struct SimFile {
uint16_t fid;
uint16_t parent;
uint8_t structure;
uint16_t size; /* total bytes (transparent) or rec_len * nrec */
uint8_t rec_len; /* records (linear/cyclic) */
uint8_t data[64]; /* in-line storage (small EFs only) */
} SimFile;
/* SIM identity defaults (overridden at boot from the osmocom-bb mobile
* config — see load_config_from_file). EF_IMSI is GSM 11.11 BCD-packed
* with the standard length-byte + parity-nibble layout. */
static SimFile sim_files[] = {
{ 0x3F00, 0x0000, EF_MF, 0, 0, {0} }, /* MF root */
{ 0x7F20, 0x3F00, EF_DF, 0, 0, {0} }, /* DF_GSM */
{ 0x7F10, 0x3F00, EF_DF, 0, 0, {0} }, /* DF_TELECOM */
{ 0x2FE2, 0x3F00, EF_TRANSPARENT, 10, 0, /* EF_ICCID */
{ 0x98, 0x10, 0x10, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF1 } },
{ 0x6F07, 0x7F20, EF_TRANSPARENT, 9, 0, /* EF_IMSI */
{ 0x08, 0x09, 0x10, 0x10, 0x00, 0x00, 0x00, 0x00, 0xF1 } },
{ 0x6F30, 0x7F20, EF_TRANSPARENT, 24, 0, /* EF_PLMNsel: 001 01 = FFFFFF empty list */
{ 0x00, 0xF1, 0x10, /* PLMN 001 01 */
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } },
{ 0x6F38, 0x7F20, EF_TRANSPARENT, 14, 0, /* EF_SST: services */
{ 0xFF, 0x33, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
{ 0x6F78, 0x7F20, EF_TRANSPARENT, 2, 0, /* EF_ACC: access class */
{ 0x00, 0x01 } },
{ 0x6FAD, 0x7F20, EF_TRANSPARENT, 4, 0, /* EF_AD: admin data */
{ 0x00, 0x00, 0x00, 0x02 } },
{ 0x6F7E, 0x7F20, EF_TRANSPARENT, 11, 0, /* EF_LOCI: location info */
{ 0xFF, 0xFF, 0xFF, 0xFF, /* TMSI */
0xFF, 0xFF, 0xFF, /* LAI = unknown */
0x00, 0x00, /* TMSI time */
0xFF, 0x00 } }, /* update status: not updated */
{ 0x6F74, 0x7F20, EF_TRANSPARENT, 16, 0, /* EF_BCCH */
{ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } },
{ 0x6F46, 0x7F20, EF_TRANSPARENT, 17, 0, /* EF_SPN */
{ 0x01, 'Q','E','M','U','-','S','I','M', ' ',' ',' ',' ',' ',' ',' ',' ' } },
};
#define SIM_FILE_COUNT (sizeof(sim_files) / sizeof(sim_files[0]))
static SimFile *find_file(uint16_t fid, uint16_t parent_pref)
{
/* Try parent-scoped first (for relative selects), then global. */
if (parent_pref) {
for (size_t i = 0; i < SIM_FILE_COUNT; i++)
if (sim_files[i].fid == fid && sim_files[i].parent == parent_pref)
return &sim_files[i];
}
for (size_t i = 0; i < SIM_FILE_COUNT; i++)
if (sim_files[i].fid == fid)
return &sim_files[i];
return NULL;
}
/* ---------- IMSI BCD encoding --------------------------------------- */
/* Encode a numeric IMSI string (e.g. "001010000000001") into the GSM 11.11
* EF_IMSI 9-byte layout:
* byte 0: length of the actual data following (1..8)
* byte 1: high nibble = first IMSI digit, low nibble = parity
* (parity = 9 if odd # digits, 1 if even)
* bytes 2..N: pairs of digits, low digit in low nibble
* (last byte may have F filler in high nibble) */
static int encode_imsi_bcd(const char *imsi_str, uint8_t out[9])
{
int n = 0;
while (imsi_str[n] >= '0' && imsi_str[n] <= '9') n++;
if (n < 1 || n > 15) return -1;
bool odd = (n & 1) != 0;
int data_len = (n / 2) + 1;
out[0] = (uint8_t)data_len;
out[1] = (uint8_t)(((imsi_str[0] - '0') << 4) | (odd ? 0x9 : 0x1));
int wpos = 2, ipos = 1;
while (ipos < n) {
uint8_t lo = imsi_str[ipos] - '0';
uint8_t hi = (ipos + 1 < n) ? (imsi_str[ipos + 1] - '0') : 0xF;
out[wpos++] = (uint8_t)((hi << 4) | lo);
ipos += 2;
}
while (wpos < 9) out[wpos++] = 0xFF;
return data_len + 1;
}
/* ---------- card state ----------------------------------------------- */
struct CalypsoSim {
qemu_irq irq;
QEMUTimer *atr_timer;
QEMUTimer *wt_timer; /* fires IT_WT after RX FIFO drains
* — tells firmware "no more bytes coming" */
uint8_t ki[16]; /* COMP128 secret key from mobile.cfg */
bool ki_valid;
/* register shadows */
uint16_t cmd, stat, conf1, conf2, maskit, it_cd;
/* IT register — bits set as events occur, cleared on read */
uint16_t it;
/* TX FIFO (firmware → SIM) — APDU assembly */
uint8_t apdu[APDU_MAX_LEN];
int apdu_pos; /* bytes received so far */
int apdu_expected; /* total expected length */
/* RX FIFO (SIM → firmware) */
uint8_t rx[RX_FIFO_SIZE];
int rx_head, rx_tail;
/* selected file context */
uint16_t selected_df; /* current directory (MF or DF_GSM/TELECOM) */
uint16_t selected_ef; /* last selected EF (for SELECT response) */
/* GET RESPONSE pending data */
uint8_t resp_buf[64];
int resp_len;
bool powered;
};
/* ---------- RX FIFO --------------------------------------------------- */
G_GNUC_UNUSED
static int rx_count(CalypsoSim *s)
{
int c = s->rx_head - s->rx_tail;
if (c < 0) c += RX_FIFO_SIZE;
return c;
}
static void rx_push(CalypsoSim *s, uint8_t b)
{
int next = (s->rx_head + 1) % RX_FIFO_SIZE;
if (next == s->rx_tail) {
SIM_LOG("RX FIFO overflow");
return;
}
s->rx[s->rx_head] = b;
s->rx_head = next;
}
G_GNUC_UNUSED
static int rx_pop(CalypsoSim *s, uint8_t *out)
{
if (s->rx_head == s->rx_tail) return 0;
*out = s->rx[s->rx_tail];
s->rx_tail = (s->rx_tail + 1) % RX_FIFO_SIZE;
return 1;
}
static void rx_push_n(CalypsoSim *s, const uint8_t *buf, int n)
{
for (int i = 0; i < n; i++) rx_push(s, buf[i]);
}
/* Forward decl */
static void update_irq(CalypsoSim *s);
/* IT_WT semantics: fires when no new char arrives within the configured
* "wait time" after the last byte. The osmocom-bb sim_irq_handler uses
* IT_WT to flag rxDoneFlag when calypso_sim_receive was invoked with
* expected_length=0 (open-ended ATR receive). We schedule WT a few
* milliseconds after the FIFO drains. */
#define WT_DELAY_NS 2000000 /* 2 ms simulated */
static void fire_wt(void *opaque)
{
CalypsoSim *s = opaque;
if (rx_count(s) > 0) return; /* new bytes arrived — cancel WT */
s->it |= CALYPSO_SIM_IT_WT;
SIM_LOG("WT timeout fired (RX FIFO empty)");
update_irq(s);
/* XXX HACK 2026-05-08 night — CALYPSO_FORCE_RX_DONE workaround.
*
* Under -icount auto, sim_irq_handler at PC=0x822498 is correctly
* called for the IT_WT FIQ entry (verified : ARM_PC=0x82249c when
* SIM_IT read=0x0002), but the STR rxDoneFlag at PC=0x8224ac never
* commits — rxDoneFlag (firmware data @ 0x830510) stays 0, ARM
* busy-loops forever at calypso_sim_powerup+0x54 (0x822b90).
*
* Investigation chain (Claude web night audit):
* - (C) parallel polling — eliminated (PC=0x82249c on all 5 reads)
* - (D) INTH FIQ_NUM dispatch broken — eliminated (handler runs)
* - (H) update_irq mid-TB causes cpu_io_recompile abort — partial
* confirm (commenting update_irq → rxDoneFlag=1 once, but FIQ
* line stays high → infinite re-entry)
* - bh-defer of update_irq → rxDoneFlag still 0 (root not in propagate)
* - removing ARM PC env access in MMIO read → still 0
*
* Real root unknown ; suspected TCG/icount conditional execution
* race specific to FIQ-mode mid-MMIO. Needs gdb watchpoint on
* 0x830510 for upstream report — done another day with fresh head.
*
* Until then, this env-gated hack writes rxDoneFlag = 1 directly
* via cpu_physical_memory_write right after the WT IRQ propagates.
* Hardcoded address 0x830510 = `rxDoneFlag` symbol in firmware
* (verified via nm on layer1.highram.elf). Will silently break if
* firmware is rebuilt with different layout — caller's
* responsibility to verify.
*
* TODO: open ticket. Test path : write watchpoint via gdb on
* 0x830510 to discriminate STRNE-skip vs STR-then-clear-by-other.
* Remove hack once TCG bug is identified or sim_irq_handler path
* is patched to avoid the icount race.
*/
/* Hack moved to calypso_sim_reg_read SIM_IT case so it fires every
* time IT_WT is observed by firmware, not just on the initial ATR
* fire_wt. Firmware does multiple SIM operations (SELECT, READ_BINARY,
* etc.); each one calls calypso_sim_receive which clears rxDoneFlag,
* then busy-polls. Without re-firing the hack on each cycle, only the
* first SIM operation gets through. */
}
static void schedule_wt(CalypsoSim *s)
{
if (s->wt_timer)
timer_mod_ns(s->wt_timer,
qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + WT_DELAY_NS);
}
/* IT_RX semantics per Calypso TRM: the bit is set whenever there is
* a byte waiting to be read in the RX FIFO (DRX). It auto-clears on
* read access to DRX (when the FIFO empties). We mirror that by
* recomputing IT_RX from the FIFO occupancy at every IT/DRX touch. */
static void refresh_it_rx(CalypsoSim *s)
{
if (rx_count(s) > 0) s->it |= CALYPSO_SIM_IT_RX;
else s->it &= ~CALYPSO_SIM_IT_RX;
}
/* Update the IRQ line from the current IT register state. The Calypso
* INTH is level-sensitive — a pulse can be missed when the ARM has
* IRQs masked (CPSR I=1) at the moment of the rise/fall. We hold the
* line high while any unmasked IT bit is set. */
static void update_irq(CalypsoSim *s)
{
if (!s->irq) return;
refresh_it_rx(s);
bool active = (s->it & ~(uint16_t)s->maskit) != 0;
static unsigned log_count;
static bool last_active;
if ((active != last_active && log_count < 30) || (log_count < 10)) {
SIM_LOG("IRQ %s IT=0x%04x MASKIT=0x%04x rx_count=%d",
active ? "RAISE" : "lower",
s->it, s->maskit, rx_count(s));
log_count++;
last_active = active;
}
if (active) qemu_irq_raise(s->irq);
else qemu_irq_lower(s->irq);
}
static void raise_rx_irq(CalypsoSim *s)
{
update_irq(s);
}
/* ---------- ATR delivery --------------------------------------------- */
static void deliver_atr(void *opaque)
{
CalypsoSim *s = opaque;
if (!s->powered) return;
rx_push_n(s, SIM_ATR, sizeof(SIM_ATR));
SIM_LOG("ATR queued (%zu bytes)", sizeof(SIM_ATR));
raise_rx_irq(s);
}
G_GNUC_UNUSED
static void schedule_atr(CalypsoSim *s)
{
timer_mod_ns(s->atr_timer,
qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + ATR_DELAY_NS);
}
/* ---------- SELECT response (FCP / response template) --------------- */
static int build_select_response(CalypsoSim *s, SimFile *f, uint8_t *out)
{
/* GSM 11.11 SELECT response (status info data). 22 bytes for EF, 22 bytes
* for DF/MF. We build a simple but firmware-friendly template. */
int p = 0;
out[p++] = 0x00; out[p++] = 0x00; /* RFU */
out[p++] = (f->size >> 8) & 0xFF; /* file size MSB */
out[p++] = f->size & 0xFF; /* file size LSB */
out[p++] = (f->fid >> 8) & 0xFF; /* file ID MSB */
out[p++] = f->fid & 0xFF; /* file ID LSB */
if (f->structure == EF_DF || f->structure == EF_MF) {
out[p++] = (f->structure == EF_MF) ? 0x01 : 0x02; /* file type */
out[p++] = 0x00; /* RFU */
out[p++] = 0x00; out[p++] = 0x00;
out[p++] = 0x00; out[p++] = 0x00;
out[p++] = 0x00; out[p++] = 0x00;
out[p++] = 0x00;
out[p++] = 0x09; /* GSM data length */
out[p++] = 0x91; /* file characteristics */
out[p++] = 0x00; /* num child DFs */
out[p++] = 0x00; /* num child EFs */
out[p++] = 0x04; /* CHVs */
out[p++] = 0x00;
out[p++] = 0x83; /* CHV1 status */
out[p++] = 0x83; /* unblock */
out[p++] = 0x83; /* CHV2 */
out[p++] = 0x83;
} else {
out[p++] = 0x04; /* file type EF */
out[p++] = 0x00;
out[p++] = 0x00; out[p++] = 0x00;
out[p++] = 0x00;
out[p++] = 0xAA; /* access conditions */
out[p++] = 0x00; out[p++] = 0x00;
out[p++] = 0x00; /* file status */
out[p++] = 0x02; /* length of remaining */
out[p++] = (f->structure == EF_TRANSPARENT) ? 0x00
: (f->structure == EF_LINEAR_FIXED) ? 0x01 : 0x03;
out[p++] = f->rec_len; /* record length */
}
return p;
}
/* ---------- APDU dispatch ------------------------------------------- */
static void respond_sw(CalypsoSim *s, uint8_t sw1, uint8_t sw2)
{
rx_push(s, sw1);
rx_push(s, sw2);
}
/* For T=0, GSM 11.11 has special procedure: when response data exists,
* card sends: SW1=0x9F (or 0x6C/0x61) + SW2=length
* Then firmware does GET_RESPONSE to read the actual data. */
static void respond_with_data_pending(CalypsoSim *s,
const uint8_t *data, int len)
{
if (len > (int)sizeof(s->resp_buf)) len = sizeof(s->resp_buf);
memcpy(s->resp_buf, data, len);
s->resp_len = len;
/* 9F xx = "data available, do GET_RESPONSE for xx bytes" */
respond_sw(s, 0x9F, (uint8_t)len);
}
static void cmd_select(CalypsoSim *s, uint8_t p1, uint8_t p2,
uint8_t lc, const uint8_t *data)
{
if (lc != 2) { respond_sw(s, 0x67, 0x00); return; }
uint16_t fid = (data[0] << 8) | data[1];
/* Pick parent context: 3F00 reset, 7Fxx changes DF, 2Fxx EF under MF,
* 6Fxx EF under current DF. */
SimFile *f = NULL;
if (fid == 0x3F00) {
f = find_file(0x3F00, 0);
s->selected_df = 0x3F00;
} else if ((fid & 0xFF00) == 0x7F00) {
f = find_file(fid, 0);
if (f) s->selected_df = fid;
} else if ((fid & 0xFF00) == 0x2F00) {
f = find_file(fid, 0x3F00);
} else {
f = find_file(fid, s->selected_df);
if (!f) f = find_file(fid, 0);
}
if (!f) {
SIM_LOG("SELECT 0x%04x → file not found", fid);
respond_sw(s, 0x6A, 0x82);
return;
}
s->selected_ef = f->fid;
uint8_t resp[32];
int n = build_select_response(s, f, resp);
SIM_LOG("SELECT 0x%04x (%s) → %d bytes pending",
fid,
f->structure == EF_MF ? "MF" :
f->structure == EF_DF ? "DF" : "EF",
n);
respond_with_data_pending(s, resp, n);
}
static void cmd_get_response(CalypsoSim *s, uint8_t le)
{
if (s->resp_len == 0) {
respond_sw(s, 0x6F, 0x00);
return;
}
int n = (le == 0) ? s->resp_len : (le > s->resp_len ? s->resp_len : le);
rx_push_n(s, s->resp_buf, n);
respond_sw(s, 0x90, 0x00);
s->resp_len = 0;
}
static void cmd_read_binary(CalypsoSim *s, uint8_t p1, uint8_t p2, uint8_t le)
{
SimFile *f = find_file(s->selected_ef, 0);
if (!f || f->structure != EF_TRANSPARENT) {
respond_sw(s, 0x94, 0x00);
return;
}
int offset = (p1 << 8) | p2;
int n = (le == 0) ? 256 : le;
if (offset + n > f->size) {
respond_sw(s, 0x67, 0x00);
return;
}
rx_push_n(s, f->data + offset, n);
SIM_LOG("READ_BINARY EF=0x%04x off=%d len=%d", s->selected_ef, offset, n);
respond_sw(s, 0x90, 0x00);
}
static void cmd_status(CalypsoSim *s, uint8_t le)
{
SimFile *df = find_file(s->selected_df, 0);
if (!df) { respond_sw(s, 0x6F, 0x00); return; }
uint8_t resp[32];
int n = build_select_response(s, df, resp);
int outn = (le == 0 || le > n) ? n : le;
rx_push_n(s, resp, outn);
respond_sw(s, 0x90, 0x00);
}
static void cmd_verify_chv(CalypsoSim *s, uint8_t p2, uint8_t lc,
const uint8_t *data)
{
/* Test SIM accepts any PIN. Real card would compare and decrement
* remaining attempts on mismatch. */
(void)p2; (void)lc; (void)data;
SIM_LOG("VERIFY_CHV → always OK");
respond_sw(s, 0x90, 0x00);
}
static void cmd_run_gsm_algo(CalypsoSim *s, uint8_t lc, const uint8_t *data)
{
/* RAND in (16 bytes), SRES out (4 bytes) + Kc (8 bytes) = 12 bytes. */
if (lc != 16) { respond_sw(s, 0x67, 0x00); return; }
/* Test SIM: deterministic SRES = first 4 bytes of RAND ^ 0xAA, Kc = 0. */
uint8_t resp[12];
for (int i = 0; i < 4; i++) resp[i] = data[i] ^ 0xAA;
for (int i = 0; i < 8; i++) resp[4+i] = 0x00;
SIM_LOG("RUN_GSM_ALGORITHM (RAND[0]=0x%02x) → SRES[0]=0x%02x",
data[0], resp[0]);
respond_with_data_pending(s, resp, 12);
}
static void dispatch_apdu(CalypsoSim *s)
{
uint8_t cla = s->apdu[0];
uint8_t ins = s->apdu[1];
uint8_t p1 = s->apdu[2];
uint8_t p2 = s->apdu[3];
uint8_t p3 = s->apdu[4];
uint8_t *data = (s->apdu_pos > 5) ? s->apdu + 5 : NULL;
int dlen = s->apdu_pos - 5;
SIM_LOG("APDU CLA=%02x INS=%02x P1=%02x P2=%02x P3=%02x dlen=%d",
cla, ins, p1, p2, p3, dlen > 0 ? dlen : 0);
/* GSM 11.11 expects CLA=A0; ISO 7816 base allows other classes. */
switch (ins) {
case 0xA4: cmd_select(s, p1, p2, p3, data ? data : (const uint8_t *)""); break;
case 0xB0: cmd_read_binary(s, p1, p2, p3); break;
case 0xC0: cmd_get_response(s, p3); break;
case 0xF2: cmd_status(s, p3); break;
case 0x20: cmd_verify_chv(s, p2, p3, data ? data : (const uint8_t *)""); break;
case 0x88: cmd_run_gsm_algo(s, p3, data ? data : (const uint8_t *)""); break;
default:
SIM_LOG("INS=0x%02x not supported → SW=6D00", ins);
respond_sw(s, 0x6D, 0x00);
break;
}
raise_rx_irq(s);
}
/* When firmware writes a byte to DTX, accumulate. After 5 header bytes
* we know the case (incoming/outgoing) and how much more to read. */
G_GNUC_UNUSED
static void apdu_tx_byte(CalypsoSim *s, uint8_t b)
{
if (s->apdu_pos < APDU_MAX_LEN) {
s->apdu[s->apdu_pos++] = b;
}
if (s->apdu_pos == 5) {
/* For simplicity: if INS is a known WRITE-class command (data sent
* by firmware), expect P3 more bytes. Otherwise (READ class),
* dispatch immediately. */
uint8_t ins = s->apdu[1];
bool is_outgoing_data =
(ins == 0xA4) || (ins == 0xD6) || (ins == 0xDC) ||
(ins == 0x20) || (ins == 0x24) || (ins == 0x88);
if (is_outgoing_data && s->apdu[4] != 0) {
s->apdu_expected = 5 + s->apdu[4];
} else {
s->apdu_expected = 5;
}
/* Procedure byte: T=0 expects card to ACK by echoing INS.
* The firmware reads this from DRX before sending the data part. */
if (is_outgoing_data && s->apdu[4] != 0) {
rx_push(s, ins);
raise_rx_irq(s);
}
}
if (s->apdu_pos == s->apdu_expected) {
dispatch_apdu(s);
s->apdu_pos = 0;
s->apdu_expected = 0;
}
}
/* ---------- public register interface ------------------------------- */
uint16_t calypso_sim_reg_read(CalypsoSim *s, hwaddr off)
{
switch (off) {
case CALYPSO_SIM_REG_CMD:
return s->cmd;
case CALYPSO_SIM_REG_STAT: {
uint16_t v = 0;
if (s->powered) v |= CALYPSO_SIM_STAT_NOCARD; /* card detected */
v |= CALYPSO_SIM_STAT_TXPAR; /* parity always OK */
if (rx_count(s) == 0) v |= CALYPSO_SIM_STAT_FIFOEMPTY;
if (rx_count(s) >= RX_FIFO_SIZE - 1) v |= CALYPSO_SIM_STAT_FIFOFULL;
return v;
}
case CALYPSO_SIM_REG_CONF1: return s->conf1;
case CALYPSO_SIM_REG_CONF2: return s->conf2;
case CALYPSO_SIM_REG_IT: {
refresh_it_rx(s);
uint16_t v = s->it;
/* Edge bits (NATR/WT/OV/TX) are read-clear; level bit RX stays.
*
* AUDIT FIX 2026-05-08 night (Claude web Q2 hardening) : was
* s->it &= CALYPSO_SIM_IT_RX;
* which clears ANY bit set after the snapshot (race with concurrent
* fire_wt / IRQ handlers raising new bits). Correct semantic : clear
* only edge bits that were observed in `v`, so a bit raised between
* snapshot and clear survives. RX bit always preserved (level). */
uint16_t edge_seen = v & ~CALYPSO_SIM_IT_RX;
s->it &= ~edge_seen;
update_irq(s);
/* XXX HACK 2026-05-08 night — CALYPSO_FORCE_RX_DONE workaround.
*
* Fires on EVERY SIM_IT read where IT_WT bit (0x0002) is observed.
* Each firmware SIM operation (ATR, SELECT, READ_BINARY, ...)
* calls calypso_sim_receive at 0x822588 which clears rxDoneFlag
* (STR R0, [R3] at 0x82259c with R0=0), then busy-polls. The TCG
* conditional STR in sim_irq_handler @ 0x8224ac never commits
* under -icount auto (bug to root-cause Task #29). Without firing
* this hack on every WT-observation cycle, only the first SIM op
* (ATR) gets through ; subsequent ones deadlock again.
*
* Hardcoded address 0x830510 = `rxDoneFlag` from nm
* layer1.highram.elf. cpu_exit() forces the busy-loop TB at
* 0x822b90 to recompile so it picks up the new memory value.
*/
if (v & CALYPSO_SIM_IT_WT) {
const char *env = getenv("CALYPSO_FORCE_RX_DONE");
if (env && env[0] == '1') {
static unsigned force_n;
const uint32_t one = 1;
cpu_physical_memory_write(0x00830510, &one, sizeof(one));
CPUState *cpu = first_cpu;
if (cpu) cpu_exit(cpu);
if (force_n++ < 30)
SIM_LOG("XXX HACK FORCE_RX_DONE on SIM_IT-read #%u "
"(IT=0x%04x) → write 1 to 0x830510 + cpu_exit",
force_n, v);
}
}
/* Lighter instrumentation : just IT bits + FIFO state, no PC read.
* The ARM_PC access via env.regs[15] from inside an MMIO read may
* itself trigger TB recompile under -icount auto. Now we know all
* 5 reads come from PC=0x82249c (sim_irq_handler), the PC log
* isn't needed and removing it eliminates a potential TB-abort
* trigger separate from update_irq. */
static unsigned itrd;
if (itrd++ < 30)
fprintf(stderr,
"[sim] SIM_IT read=0x%04x rx_count=%d edge_cleared=0x%04x "
"post_it=0x%04x\n",
v, rx_count(s), edge_seen, s->it);
return v;
}
case CALYPSO_SIM_REG_DRX: {
uint8_t b = 0;
rx_pop(s, &b);
update_irq(s); /* maybe clear IT_RX */
if (rx_count(s) == 0) schedule_wt(s); /* arm WT when FIFO drains */
return b | (1 << 8); /* parity OK */
}
case CALYPSO_SIM_REG_DTX: return 0;
case CALYPSO_SIM_REG_MASKIT: return s->maskit;
case CALYPSO_SIM_REG_IT_CD: return s->it_cd;
default: return 0;
}
}
void calypso_sim_reg_write(CalypsoSim *s, hwaddr off, uint16_t val)
{
switch (off) {
case CALYPSO_SIM_REG_CMD:
s->cmd = val;
if (val & CALYPSO_SIM_CMD_START) {
s->powered = true;
SIM_LOG("CMDSTART → ATR delivered (synchronous)");
/* AUDIT FIX 2026-05-08 night : was schedule_atr() (1ms VIRTUAL
* timer). Under -icount auto, virtual time is rate-limited;
* the firmware's SIM driver enters a busy-loop polling
* rxDoneFlag (firmware data 0x830510) with IRQs masked
* (PSR I=1) before the timer fires, deadlocking the ARM CPU.
* Direct delivery: bytes in FIFO at MMIO write return time,
* IRQ raised immediately. Same effect as the timer being 0ns.
* Equivalent under icount=off (timer fires ~instantly anyway). */
deliver_atr(s);
}
if (val & CALYPSO_SIM_CMD_STOP) {
s->powered = false;
SIM_LOG("CMDSTOP");
}
if (val & (CALYPSO_SIM_CMD_CARDRST | CALYPSO_SIM_CMD_IFRST)) {
SIM_LOG("RESET → ATR delivered (synchronous)");
s->apdu_pos = 0;
s->apdu_expected = 0;
s->resp_len = 0;
s->rx_head = s->rx_tail = 0;
s->selected_df = 0x3F00;
s->selected_ef = 0x3F00;
/* Same audit fix as CMDSTART above. */
if (s->powered) deliver_atr(s);
}
break;
case CALYPSO_SIM_REG_STAT: s->stat = val; break;
case CALYPSO_SIM_REG_CONF1: s->conf1 = val; break;
case CALYPSO_SIM_REG_CONF2: s->conf2 = val; break;
case CALYPSO_SIM_REG_IT: /* W1C ignored */ break;
case CALYPSO_SIM_REG_DRX: /* read-only */ break;
case CALYPSO_SIM_REG_DTX:
apdu_tx_byte(s, (uint8_t)(val & 0xFF));
break;
case CALYPSO_SIM_REG_MASKIT:
s->maskit = val;
update_irq(s); /* re-evaluate line after mask change */
break;
case CALYPSO_SIM_REG_IT_CD: s->it_cd = val; break;
default: break;
}
}
/* ---------- mobile.cfg parser --------------------------------------- */
/* Parse the osmocom-bb layer23 mobile config:
* ms 1
* test-sim
* imsi 001010000000001
* ki comp128 00 11 22 ... 16 hex bytes
* We pull the imsi (→ EF_IMSI) and ki (→ s->ki for RUN_GSM_ALGORITHM). */
static void load_config_from_file(CalypsoSim *s, const char *path)
{
FILE *fp = fopen(path, "r");
if (!fp) {
SIM_LOG("config %s not found — keeping default file system", path);
return;
}
char line[256];
bool in_test_sim = false;
while (fgets(line, sizeof(line), fp)) {
char *p = line;
while (*p == ' ' || *p == '\t') p++;
if (strncmp(p, "test-sim", 8) == 0) {
in_test_sim = true;
continue;
}
if (!in_test_sim) continue;
/* Section ends at a non-indented keyword (e.g. "ms", "exit", "!") */
if (line[0] != ' ' && line[0] != '\t' && line[0] != '\n') {
in_test_sim = false;
continue;
}
if (strncmp(p, "imsi ", 5) == 0) {
const char *imsi = p + 5;
uint8_t bcd[9];
if (encode_imsi_bcd(imsi, bcd) > 0) {
SimFile *ef = find_file(0x6F07, 0x7F20);
if (ef) {
memcpy(ef->data, bcd, 9);
ef->size = 9;
SIM_LOG("EF_IMSI loaded from %s: %.15s", path, imsi);
}
}
} else if (strncmp(p, "ki comp128 ", 11) == 0) {
const char *hex = p + 11;
int n = 0;
while (n < 16 && *hex) {
while (*hex == ' ') hex++;
if (!*hex) break;
unsigned v;
if (sscanf(hex, "%2x", &v) != 1) break;
s->ki[n++] = (uint8_t)v;
hex += 2;
}
if (n == 16) {
s->ki_valid = true;
SIM_LOG("Ki loaded from %s (16 bytes)", path);
}
}
}
fclose(fp);
}
CalypsoSim *calypso_sim_new(qemu_irq sim_irq)
{
CalypsoSim *s = g_new0(CalypsoSim, 1);
s->irq = sim_irq;
s->atr_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, deliver_atr, s);
s->wt_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, fire_wt, s);
s->selected_df = 0x3F00;
s->selected_ef = 0x3F00;
/* Pull IMSI / Ki from the same config the layer23 `mobile` is using.
* The launcher (run_new.sh) sets CALYPSO_SIM_CFG to its $MOBILE_CFG,
* so the SIM and the mobile stay in sync without us hardcoding any
* path. If the env var is missing we keep the file-system defaults. */
const char *cfg_path = getenv("CALYPSO_SIM_CFG");
if (cfg_path && *cfg_path) {
load_config_from_file(s, cfg_path);
} else {
SIM_LOG("CALYPSO_SIM_CFG unset — keeping default IMSI/Ki");
}
return s;
}./hw/arm/calypso/doc/C54X_INSTRUCTIONS.md
XC (Execute Conditionally) — SPRU172C p.4-198
- Opcode:
1111 11N1 CCCCCCCC(1 word) - N=0 (bit 9=0) → n=1 instruction = opcode 0xFDxx
- N=1 (bit 9=1) → n=2 instructions = opcode 0xFFxx
- If cond true: execute next n instructions normally
- If cond false: treat next n instructions as NOP
- Condition codes (8-bit, combinable):
- UNC=0x00, BIO=0x03, NBIO=0x02, C=0x0C, NC=0x08
- TC=0x30, NTC=0x20
- AEQ=0x45, ANEQ=0x44, AGT=0x46, AGEQ=0x42, ALT=0x43, ALEQ=0x47
- BEQ=0x4D, BNEQ=0x4C, BGT=0x4E, BGEQ=0x4A, BLT=0x4B, BLEQ=0x4F
- AOV=0x70, ANOV=0x60, BOV=0x78, BNOV=0x68
FRET — SPRU172C p.4-61
- Opcode:
1111 0Z01 1101 0100(Z=0 normal, Z=1 delayed) - Execution: (TOS)→XPC, SP+1, (TOS)→PC, SP+1
- Pops 2 words: first XPC, then PC
FCALL — SPRU172C p.4-57
- Opcode:
1111 10Z1 1+ 7-bit pmad(22-16) + 16-bit pmad(15-0) - 2 words total
- Execution: SP-1, PC+2→TOS, SP-1, XPC→TOS, pmad(15-0)→PC, pmad(22-16)→XPC
- Pushes 2 words: first PC+2, then XPC
RETE — SPRU172C p.4-140
- Execution: (TOS)→PC, SP+1, 0→INTM
- Pops 1 word (just PC), clears INTM
TRAP K — SPRU172C p.4-195
- Pushes PC+1, branches to interrupt vector K
- Not affected by INTM
0xEA = BANZ (confirmed, not XC)
How to apply: Fix XC (0xFD/0xFF), FRET (2 pops), FCALL (2 pushes) in calypso_c54x.c
BANZ — SPRU172C p.4-16
- Opcode:
0111 1Z0I AAAA AAAA+ 16-bit pmad (2 words) - BANZ = 0x78xx, BANZD = 0x7Axx
- Sind encodes indirect addressing (which AR and modify mode)
- Execution: if (AR[x] != 0) then pmad→PC, else PC+2→PC
- AR[x] is always decremented (even when condition is false)
- NOT 0xEA! 0xEA is something else (needs identification)
BC — SPRU172C p.4-18
- Opcode:
1111 10Z0 CCCCCCCC+ 16-bit pmad (2 words)
- BC = 0xF8xx, BCD = 0xFAxx
CC — SPRU172C p.4-29
- Opcode:
1111 10Z1 CCCCCCCC+ 16-bit pmad (2 words) - CC = 0xF9xx, CCD = 0xFBxx
./hw/arm/calypso/doc/datasheets/README.md
Calypso DSP / TMS320C54x Reference Datasheets
Collected 2026-04-28 to provide ground truth for the QEMU C54x emulator and to resolve open questions about Calypso DBB boot semantics.
Files
| File | Source | Size | Purpose |
|---|---|---|---|
TI_SPRU131G_C54x_CPU_and_Peripherals.pdf |
ti.com/lit/ug/spru131g | 2.2 MB | TMS320C54x DSP Reference Set Vol.1: CPU. The C54x reference. ST0/ST1 layout, reset values, IDLE modes, IMR/IFR semantics, MMR layout, interrupt handling. |
TI_SPRU172C_C54x_Mnemonic_Instruction_Set.pdf |
local copy | 1.1 MB | Vol.2: Mnemonic Instruction Set. Per-opcode reference (already cross-referenced for opcode bug fixes). |
TI_SPRU288_C548_C549_Bootloader.pdf |
ti.com/lit/ug/spru288 | 313 KB | C548/C549 Bootloader and ROM Code Contents. Describes the on-chip ROM at 0xF800-0xFFFF (only mapped when MP/MC=0). Calypso has MP/MC=1 → this ROM is NOT used. |
TI_SPRA036_DSP_Interrupts.pdf |
ti.com/lit/an/spra036 | 173 KB | Setting Up TMS320 DSP Interrupts in C — vector handler patterns, ISR entry/exit, RSBX/SSBX INTM usage. |
TI_SPRA618_C5402_Bootloader.pdf |
ti.com/lit/an/spra618 | 309 KB | C5402 Bootloader (related variant). For comparison. |
dsp-rom-3606-dump.txt |
freecalypso.org/pub/GSM/Calypso | 722 KB | Calypso DSP ROM v3606 (Pirelli DP-L10). Most common version — matches our local calypso_dsp.txt (14 diff lines / 9821 = essentially identical). |
dsp-rom-3416-dump.txt |
freecalypso.org/pub/GSM/Calypso | 722 KB | Calypso DSP ROM v3416 (FCDEV3B-751774). |
dsp-rom-3311-dump.txt |
freecalypso.org/pub/GSM/Calypso | 722 KB | Calypso DSP ROM v3311 (D-Sample C05). |
DSP-ROM-dump.txt |
freecalypso-tools/doc | 1.8 KB | FreeCalypso documentation about the ROM dumping methodology. |
Key findings (collected here, applied/cross-referenced in code)
1. C548 On-Chip ROM Layout (SPRU288 §1.2, Figure 1-1)
When MP/MC=0 (microcomputer mode), program space looks like:
0x0000-0xF7FF : External program space ← user code lives here
0xF800-0xFBFF : Bootloader (TI mask ROM)
0xFC00-0xFCFF : µ-law table
0xFD00-0xFDFF : A-law table
0xFE00-0xFEFF : Sine look-up table
0xFF00-0xFF7F : Built-in self-test
0xFF80-0xFFFF : Interrupt vector table
When MP/MC=1 (microprocessor mode):
0x0000-0xFFFF : All external — TI internal ROM is NOT mapped.2. Calypso uses MP/MC=1
Calypso reset value PMST = 0xFFA8 (per silicon dumps below) includes bit 6 (MP_MC) = 1 → microprocessor mode. The TI on-chip ROM at 0xF800-0xFFFF is not used. The osmocom firmware fully provides PROM1 mirror including vector table at 0xFF80-0xFFFF.
This is consistent with osmocom-bb dsp_bootcode.c:
/* We don't really need any DSP boot code, it happily works with its own ROM */
static const struct dsp_section *dsp_bootcode = NULL;The “own ROM” referred to is the Calypso-specific mask ROM cast at the silicon level, which contains the GSM signal-processing routines. This ROM is what the osmocom community has dumped (3 versions: 3311, 3416, 3606) and is exactly what the QEMU emulator loads at PROM0/1/2/3.
3. Reset / post-bootloader state — empirical (4 dumps cross-checked)
The Registers section [0x00000-0x0005F] in each ROM dump captures the DSP MMR state post-bootloader-handshake but pre-application-init (the dumper asserts DSP into reset, releases, reads bootloader version, then dumps registers while the DSP is in its idle loop waiting for BL_CMD instructions from ARM).
Cross-checked across 3 silicon phones (3311, 3416, 3606) + our local calypso_dsp.txt. Invariants across all 4:
| MMR | Addr | Value | Notes |
|---|---|---|---|
| ST0 | 0x06 | 0x181F |
DP=0x01F (low 9 bits), other bits 0 |
| ST1 | 0x07 | 0x2900 |
bit 8 SXM=1, bit 11 INTM=1, bit 13 XF=1 |
| AR1 | 0x11 | 0x005F |
preserved bootloader pointer |
| AR2 | 0x12 | 0x0813 |
API_RAM-related |
| AR3 | 0x13 | 0x0014 |
preserved |
| AR4 | 0x14 | 0x0003 |
preserved |
| AR5 | 0x15 | 0x0014 |
preserved |
| SP | 0x18 | 0x1100 |
bootloader stack base — NOT 0x5AC8 |
| PMST | 0x1D | 0xFFA8 |
IPTR=0x1FF, MP_MC=1, OVLY=1, DROM=1 |
| (ext) | 0x22 | 0x0800 |
API_RAM base reference |
| (ext) | 0x25 | 0xFFFF |
invariant |
| (ext) | 0x28 | 0x7FFF |
invariant |
| (ext) | 0x29 | 0xF802 |
invariant |
Variable across versions (= programmed by ROM-version-specific bootloader):
| MMR | 3311 | 3416 | 3606 | osmocom local |
|---|---|---|---|---|
| IMR | 0xF6FF | 0xF6F6 | 0x3000 | 0x52FD |
| AR0 | 0x3375 | 0xFEBF | 0x42A4 | 0xFF75 |
| BK | 0xFFFE | 0x36FC | 0x000E | 0xFFF6 |
4. Implications for QEMU c54x_reset()
Current QEMU values (incorrect per silicon):
s->sp = 0x5AC8; // wrong: silicon shows 0x1100
s->st0 = 0; // wrong: silicon shows 0x181F (DP=0x01F)
s->st1 = ST1_INTM; // partially correct (INTM=1), missing SXM and XF
// silicon shows 0x2900 = INTM | SXM | XF
s->pmst = 0xFFE0; // wrong: silicon shows 0xFFA8 (OVLY=1, DROM=1)Per-silicon aligned values (justified empirically by 3-dump consensus):
s->sp = 0x1100; // bootloader stack base
s->st0 = 0x181F; // DP=0x01F, no flag bits
s->st1 = ST1_INTM | ST1_SXM | ST1_XF; // 0x2900: INTM=1, SXM=1, XF=1
s->pmst = 0xFFA8; // IPTR=0x1FF, MP_MC=1, OVLY=1, DROM=1Caveat on SP=0x1100: The osmocom firmware likely repoints SP to 0x5AC8 early in its init (post-handshake user code). The 0x5AC8 value in c54x_reset may be a shortcut anticipating the firmware’s own SP setup. To be safe and faithful, align SP with silicon (0x1100) and let the firmware repoint as it does on real hardware.
Caveat on OVLY=1 in PMST: With OVLY=1 the DARAM is mapped into program space 0x0080-0x27FF, so prog_read(addr) for addr in [0x0080, 0x27FF] returns s->data[addr]. The MVPD copy in c54x_reset lines 4595-4612 already populates this overlay. With OVLY=0 (current QEMU reset), the overlay is NOT active during the very first instructions, so the DSP fetches from s->prog[] (which contains PROM dump in 0x7000+ but is empty in 0x0080-0x6FFF). If the DSP is supposed to execute overlay code from PC<0x2800 from the start, OVLY=1 at reset is required.
5. ST1.INTM at reset — confirmation
Per SPRU131G §4 Status Registers, on C54x reset: - INTM = 1 (interrupts globally disabled) - SXM = 1 (sign extension mode) - All other bits cleared
The 3 FreeCalypso ROM dumps + our local calypso_dsp.txt all snapshot ST1 = 0x2900 post-bootloader-handshake. INTM=1 stays after the Calypso silicon hardware reset. The osmocom firmware is responsible for clearing INTM when ready (via RSBX INTM or by RETE from the first ISR).
The earlier hypothesis “Calypso clears INTM on reset” is infirmed by these 3 independent silicon dumps. The s->st1 = 0 test in QEMU was therefore a hack that should be reverted — not because it didn’t appear to help, but because it’s not a faithful emulation of silicon behavior.
6. What does NOT exist (ruled out)
Boot ROM TI utilities at 0x0000-0x007F: This zone is “External program space” per Figure 1-1. On Calypso (MP/MC=1) it’s RAM/external. Our QEMU stub of FRET in this zone is benign (these addresses are not “TI utility routines” the firmware would normally call).
NMI initial trigger: Not documented as automatic on Calypso reset. The first NMI would have to come from ARM-side via a specific MMIO write (likely
REG_API_CONTROLbit 2 = APIC_W_DSPINT, but not yet verified).
7. Open question
If INTM=1 stays at reset and there is no TI boot ROM doing RSBX INTM, how does the Calypso DSP normally get INTM cleared on silicon? Three remaining candidates:
The osmocom firmware does RSBX INTM as part of its own init sequence at one of the 14 known F6BB sites in PROM0/PROM1. In QEMU, none of these sites is currently reached on the boot path — possibly due to an opcode mis-decode that drifts the PC away from the init path.
ARM-side write to APIC_W_DSPINT triggers an interrupt the DSP services regardless of INTM (NMI-equivalent on Calypso). Test: hook write to
REG_API_CONTROL = 0xFFFE0000bit 2 in calypso_trx.c → call into the DSP with vec=1 (NMI) which bypasses IMR. This requires extendingc54x_interrupt_exto acceptimr_bit < 0as “non-maskable”.PMST/ST0/ST1 misalignment at reset (see §4 above) causes the DSP to fetch from wrong memory regions for the very first instructions, drifting the PC and missing the init path. Aligning PMST=0xFFA8, ST0=0x181F, ST1=0x2900 per silicon dumps may resolve this.
Empirical priority: try (3) first (cheap, documented, justified by silicon dumps), then (2) if (3) fails, then (1) by tracing what the firmware actually attempts on the new aligned boot path.
Sources
- Texas Instruments Literature: https://www.ti.com/lit/
- FreeCalypso ROM dumps: https://www.freecalypso.org/pub/GSM/Calypso/
- FreeCalypso tools docs: https://www.freecalypso.org/hg/freecalypso-tools/
- OsmocomBB Hardware wiki (Anubis-blocked): https://osmocom.org/projects/baseband/wiki/HardwareCalypsoDSP
./hw/arm/calypso/doc/CALYPSO_HW.md
Calypso Hardware Reference
Chip Overview
TI Calypso (TWL3014/DBB) — GSM baseband processor - ARM7TDMI CPU (ARM926EJ-S in QEMU, close enough) - TMS320C54x DSP core - Shared API RAM between ARM and DSP - TPU (Time Processing Unit) for radio timing - ABB (Analog Baseband) for RF - BSP (Baseband Serial Port) for DSP↔︎ABB data - DMA controller
ARM Memory Map
| Address | Size | Peripheral |
|---|---|---|
| 0x00000000 | 2MB | Internal ROM |
| 0x00800000 | 256KB | Internal SRAM |
| 0xFFFE0000 | TPU registers | |
| 0xFFFF0000 | INTH (interrupt controller) | |
| 0xFFFF1000 | TPU control | |
| 0xFFFC0000 | UART modem | |
| 0xFFFC8000 | UART IrDA | |
| 0xFFD00000 | 64KB | DSP API RAM (shared with C54x) |
DSP API RAM (0xFFD00000)
- Total: 64KB (32K words of 16-bit)
- ARM accesses as bytes, DSP accesses as 16-bit words
- ARM byte offset X = DSP word address 0x0800 + X/2
- Double-buffered pages: Write page 0/1, Read page 0/1
TPU
- Controls radio timing sequences
- TPU_CTRL register:
- Bit 0: TPU_CTRL_EN (enable scenario execution)
- Bit 2: TPU_CTRL_IDLE (idle status)
- Bit 4: TPU_CTRL_DSP_EN (enable DSP frame interrupt)
- Firmware writes TPU scenarios then sets EN
- When scenario completes: clears EN, fires FRAME interrupt
- DSP_EN causes FRAME interrupt to also wake DSP
INTH (Interrupt Controller)
- Level-sensitive
- IRQ 4: TPU_FRAME
- IRQ 0: Watchdog
- IRQ 7: UART
TDMA Timing
- GSM frame: 4.615ms (216.7 frames/sec)
- 8 timeslots per frame
- Hyperframe: 2715648 frames
- QEMU uses 10x slowed timing for emulation stability
DSP C54x Integration
- DSP boots from internal ROM at IPTR*128 (0xFF80 for IPTR=0x1FF)
- ARM communicates via API RAM (shared memory)
- ARM signals DSP via:
- Writing d_dsp_page in NDB
- Setting TPU_CTRL_DSP_EN
- TPU generates FRAME interrupt to DSP (SINT17, vec 2)
- DSP signals ARM by writing results in Read page
OsmocomBB Layer1 Flow
l1_sync()called every TDMA frame (TPU FRAME IRQ)- Updates page pointers (db_w, db_r)
- Runs TDMA scheduler (
tdma_sched_execute) - If tasks scheduled: writes d_task_d/d_task_md, calls
dsp_end_scenario() dsp_end_scenario(): writes d_dsp_page = B_GSM_TASK | w_page, toggles w_page- Enables TPU DSP frame interrupt
- DSP wakes, reads d_dsp_page, dispatches task, writes results
- Next frame: ARM reads results from db_r
TRXD Protocol (BTS ↔︎ Bridge)
DL (BTS → MS) — TRXD v0
| Offset | Size | Field |
|---|---|---|
| 0 | 1 | TN (timeslot number, 3 bits) |
| 1-4 | 4 | FN (frame number, big-endian) |
| 5 | 1 | RSSI |
| 6-7 | 2 | TOA (big-endian) |
| 8+ | 148 | Soft bits (0=strong 1, 127=uncertain, 255=strong 0) |
UL (MS → BTS) — TRXD v0
| Offset | Size | Field |
|---|---|---|
| 0 | 1 | TN |
| 1-4 | 4 | FN (big-endian) |
| 5 | 1 | PWR |
| 6+ | 148 | Hard bits (0/1) |
Sercomm Protocol
- Flag: 0x7E
- Escape: 0x7D (next byte XOR 0x20)
- Frame: FLAG + DLCI + CTRL(0x03) + payload + FLAG
- DLCI 4: burst data
- DLCI 5: L1CTL messages
L1CTL Protocol (mobile ↔︎ firmware)
- Length-prefixed: 2-byte big-endian length + message
- Message: type(1) + flags(1) + padding(2) + payload
- Key types:
- 0x01: FBSB_REQ
- 0x02: FBSB_CONF (result byte: 0=success, 255=fail)
- 0x03: DATA_IND
- 0x04: RACH_REQ
- 0x05: DM_EST_REQ
- 0x06: DATA_REQ
- 0x07: RESET_IND (sent on boot)
- 0x08: PM_REQ
- 0x09: PM_CONF
- 0x0D: RESET_REQ (payload: reset_type, 1=full)
- 0x0E: RESET_CONF
- 0x10: CCCH_MODE_REQ
- 0x11: CCCH_MODE_CONF
./hw/arm/calypso/doc/hacks.md
Inventaire des hacks et workarounds — qemu-calypso
Établi 2026-04-30 au cours d’une session debug FBSB→BCCH. Honest inventory : à mettre à jour à chaque session ajoutant ou retirant un hack.
Légende des niveaux
| Niveau | Définition | Politique |
|---|---|---|
| Hack brut | Stub qui ment. Court-circuite un pipeline qui existerait. Viole règle #1 CLAUDE.md “no stubs”. | À retirer impérativement avant claim B2B / licensing. Critère de retrait obligatoire. |
| Bypass architectural | Workaround documenté pour combler un trou de l’environnement d’émulation (pas de RF, pas de timing physique). Justifié tant que QEMU n’a pas l’équivalent. | Acceptable pour LU PoC. À évaluer post-LU si replacement faisable. |
| Dette technique | Code correct mais pas idéal. Pattern fragile, code mort, redondance. Pas mentir, juste pas propre. | Nettoyer post-LU pour qualité long-terme. Pas bloquant. |
Cleanup — 2026-05-07
User mandate : « tant pis on bourrine pas, tu vire les hack des que tu vois ». Removed in this pass :
| Hack | Type | File / loc | Replacement |
|---|---|---|---|
BOURRIN-FBDET-SKIP PC range pop+jump |
brut | calypso_c54x.c ~864 (block) |
DSP runs full fb-det ; -icount covers cycle budget |
DIAG-HACK env-gated INTM force-clear + ALIAS-CHECK dump |
brut | calypso_c54x.c ~4950 (block) |
Removed entirely ; CALYPSO_FORCE_INTM_CLEAR_AT no longer recognized |
publish_fb_found(toa=0,pm=80,angle=0,snr=100) synth call |
bypass | calypso_fbsb.c::on_dsp_task_change DSP_TASK_FB |
Real DSP fb-det path on GMSK-modulated I/Q from osmo-bts-trx |
publish_sb_found(bsic=0) synth call |
bypass | calypso_fbsb.c::on_dsp_task_change DSP_TASK_SB |
Real DSP sb-det path |
si3_fallback[23] hardcoded SI3 |
brut | calypso_fbsb.c::on_dsp_task_change DSP_TASK_ALLC |
mmap-only ; no SI written if /dev/shm/calypso_si.bin absent |
allc_burst_idx static cycle 0..3 |
brut | calypso_fbsb.c::on_dsp_task_change DSP_TASK_ALLC |
burst_d = fn & 3 (FN-derived, no static state) |
ul_drop_no_bts race in bridge UL |
brut | bridge.py::_handle_ul |
trxd_remote pre-set to (BTS, base+102) at init |
BSP trxd_peer_valid=false until first DL |
brut | calypso_bsp.c::calypso_bsp_init |
Pre-set to bridge default (127.0.0.1:5702) ; refined on first DL |
W1C latch system on a_sync_demod cells |
bypass | calypso_c54x.c capture + calypso_trx.c consume |
Env-gated via CALYPSO_W1C_LATCH=1 (default OFF — ARM reads NDB direct) |
DSP_TASK_ALLC db_r echo + a_cd mmap inject |
bypass | calypso_fbsb.c::on_dsp_task_change |
Env-gated via CALYPSO_BCCH_INJECT=1 (default OFF — real DSP CCCH demod path). Pair with FBSB_SYNTH=1 to deliver SIs end-to-end. |
Kick timer on QEMU_CLOCK_REALTIME |
dette | calypso_trx.c::calypso_kick_cb |
Moved to QEMU_CLOCK_VIRTUAL (2026-05-07). Was vestigial main-loop wake on wall-clock, broke -icount by interrupting the TCG burst before VIRTUAL-clock timers (TDMA, TINT0, frame_irq) could reach their deadlines. |
| DSP MAC simulation in dispatcher idle loop | optim | calypso_c54x.c::dsp_idle_fast_forward |
NOT a hack — simulator optimisation (2026-05-07). When DSP PC is in the polling dispatcher (0xe9ac..0xe9b7) AND no task slot is set AND no IRQ pending → skip MAC emulation, advance cycle counter. DSP exits idle naturally when ARM writes a task slot or an IRQ fires. Cuts ~80% host CPU spent on a sterile loop. Env-gated CALYPSO_DSP_IDLE_FF=1 (default ON) ; set to 0 to fall back to full emulation. |
Functions kept compiled but unused (calypso_fbsb_publish_fb_found / _publish_sb_found) — diagnostic utilities, no live caller.
Connections added in this pass :
| Connection | File | Why |
|---|---|---|
DB_W_D_TASK_RA polling (write-page word 7) |
calypso_trx.c::tdma_tick UL section |
RACH writes were silently dropped — only d_task_u was polled |
calypso_bsp_tx_rach_burst via libosmocoding |
calypso_bsp.c |
Real RACH AB burst encoding from NDB d_rach |
| libosmocoding linkage in meson | hw/arm/calypso/meson.build |
dep on libosmocoding for gsm0503_rach_ext_encode |
BRIDGE_CLK_FROM_QEMU env-gated mode |
bridge.py |
Deterministic CLK IND from QEMU FN advance |
-icount shift=auto,align=off,sleep=off on QEMU |
run.sh |
Reproducible virtual clock |
calypso_fbsb.c — orchestration FBSB host-side
Hacks bruts
si3_blob[] hardcoded — RESOLVED (2026-04-30)
Status : REMOVED from active path.
Path : si3_blob[] renamed to si3_fallback[], used only when mmap unavailable at first ALLC fire (cold-start race condition).
Replacement : rsl_si_tap.py + /dev/shm/calypso_si.bin mmap interface.
Removal criterion (for full cleanup) : tap reliability validated over multiple sessions, then si3_fallback[] can be removed (replaced by log warning + zeroed blob output, mobile would fail FBSB cleanly).
populate-si.sh — Cold-start warm cache (NOT a hack)
Status : kept in scripts/ as manual debug tool. Removed from run_si.sh boot path.
Function : pre-populates mmap with last-known-good SI bytes. Useful when osmo-bsc unavailable (debug isolation of QEMU+mobile without full network stack).
Bytes contained : snapshot from RSL trace 12:13 (osmo-bsc → osmo-bts re-attach), byte-exact identical to live tap output for current BSC config.
If BSC config changes : re-run populate-si.sh post manual snapshot, OR rely on rsl_si_tap.py which always reflects current BSC live config.
Removal criterion : csi_init_once() in calypso_fbsb.c modified to retry mmap open periodically (currently lazy one-shot). Until then keep populate-si.sh for manual cold-start scenarios.
allc_burst_idx static counter cycle 0..3 — RESOLVED (2026-05-07)
Status : REMOVED. Replaced by burst_d = fn & 3 (FN-derived). No static state, no run-to-run drift. The duplicate entry below is preserved for historical context — both pointed at the same problem.
allc_burst_idx (duplicate entry — same fix as above)
Status : RESOLVED 2026-05-07. See entry above.
Bypass architecturaux
publish_fb_found(toa=0, pm=80, angle=0, snr=100) — RESOLVED (2026-05-07)
Status : call site REMOVED in on_dsp_task_change. The function is still compiled (no live caller) for diagnostic re-use if needed. DSP fb-det now runs against real GMSK-modulated I/Q from osmo-bts-trx (via calypso_bsp.c::bsp_trxd_readable → cos_tab/sin_tab phase walk).
Risk if it regresses : without enough cycle budget per TDMA tick, the DSP fb-det routine doesn’t complete → freq_err drifts → FBSB returns result=255. Mitigation : -icount shift=auto on QEMU.
publish_sb_found(bsic=0) — RESOLVED (2026-05-07)
Status : call site REMOVED in on_dsp_task_change. Same as publish_fb_found — function compiled but unused.
publish_pm_found (RSSI synthétique) — N/A
Status : was conceptual in the original hacks.md ; no concrete implementation found in code at audit time. No removal needed.
case ALLC_DSP_TASK echo d_task_d + d_burst_d + a_cd inject — ENV-GATED (2026-05-07)
Status : env-gated via CALYPSO_BCCH_INJECT=1. Default = OFF (real DSP CCCH demod path, currently non-converging in QEMU).
Sites du code : calypso_fbsb.c::on_dsp_task_change DSP_TASK_ALLC — gardé par bcch_inject_mode().
Quand activer : pair avec CALYPSO_FBSB_SYNTH=1 pour la chaîne DL end-to-end (mobile L3 décode SI1/SI2/SI3/SI4 depuis le mmap rsl_si_tap).
Pourquoi bypass : implémentation complète DSP CCCH read = mois de travail (NB processing : demod, deinterleaving, channel decoding, FIRE CRC). Court-circuit la chaîne mais expose le slot mailbox correct et l’a_cd[] avec les vrais octets RSL du BSC.
calypso_c54x.c — émulateur DSP TMS320C54x
Hacks bruts (bourrin pre-LU)
Short-circuit fb-det [0x8d00, 0x8f80] — RESOLVED (2026-05-07)
Status : REMOVED. The 36-line block at c54x_exec_one ~864 has been deleted entirely. DSP fb-det runs to completion. Cycle budget is covered by -icount shift=auto on QEMU (set in run.sh).
Hacks bruts (diagnostiques)
CALYPSO_FORCE_INTM_CLEAR_AT=N env var — RESOLVED (2026-05-07)
Status : REMOVED. ~120-line block at c54x_run_until_idle_or_n ~4950 deleted. Env var no longer recognized. The 100k-instruction VECDUMP diagnostic block (BOOT+100k VECDUMP-FORCED base=0xB900) was removed in the same edit since it was paired with the hack.
The INTM=1 catch-22 was resolved naturally when the DSP frame-IRQ wiring + BSP RX delivery path converged ; no need for force-clear anymore.
Bypass architecturaux
W1C latch snapshot dans data_write — ENV-GATED (2026-05-07)
Status : env-gated via CALYPSO_W1C_LATCH=1. Default = OFF (ARM reads NDB direct). Pattern aligné avec CALYPSO_FBSB_SYNTH=1.
Quand activer : si on observe une race ARM-DSP où DSP écrit d_fb_mode != 0 depuis PCs {0x8d33, 0x8eb9, 0x8f51} puis clear avant qu’ARM ne lise. Le latch capture la “fin d’itération” cohérente (snapshot des 6 cells au moment du write a_sync_SNR).
Sites du code : - Capture : calypso_c54x.c (~552-561) — gardé par calypso_w1c_latch_enabled() - Consume : calypso_trx.c (~163-188) — gardé par calypso_w1c_latch_enabled()
Liste statique real_fbdet_pcs[] = {0x8d33, 0x8eb9, 0x8f51}
Quoi : filtre PCs autorisés à déclencher snapshot. Découverts empiriquement.
Pourquoi hack : si firmware fb-det utilise un 4ème PC dans certaines conditions (mode change, error path), on rate les writes.
Mitigation présente : log “new PC” pour tout write à d_fb_mode venant d’un PC inconnu — à vérifier que ça compile encore.
Dette technique
Filtres logging mensongers
Pattern : if (fbd_log < 5) printf("(spurious, ignored)") — corrigé en cours de session pour d_fb_mode, mais probablement répété ailleurs (audit pour tous les log filtering similaires).
12+ opcode fixes au fil de l’eau (sessions précédentes)
Quoi : F4E4=FRET, F074=CALL pmad, F9xx=CC cond call, etc. (cf. CLAUDE.md “Known Fixed Opcode Bugs” + TODO.md sessions log).
Niveau : majoritairement vrais fixes contre tic54x-opc.c + SPRU172C. Quelques-uns peuvent être “fait marcher pour ce firmware” sans couvrir tous les cas du standard C54x. Audit systématique nécessaire pour upstream-defendable.
calypso_bsp.c — DMA BSP I/Q samples
Bypass architecturaux
BSP_FN_MATCH_WINDOW élargi (±64 ou ±128 frames)
Quoi : fenêtre d’acceptation des bursts entrants vs FN courant. Sur silicon réel = ±1.
Pourquoi bypass : compense la dérive QEMU virtual clock vs bridge.py wall-clock. Sans fenêtre élargie, 1:31 stale ratio observé (drop 31 bursts sur 32).
Vrai fix : -icount shift=auto côté QEMU OU bridge.py slave de QEMU virtual time (déjà partiellement implémenté via CLK FD socket).
Dette technique : on accepte des samples de la mauvaise frame. Bénin tant que fbsb bypass actif (DSP demod n’est pas critique). Devient un problème majeur si fbsb bypass retiré.
calypso_trx.c — Calypso SoC + TDMA + DSP API
Bypass architecturaux
Latch consume path dans calypso_dsp_read
Quoi : code qui retourne g_*_latch si g_a_sync_valid, puis invalidate.
Status : symétrique au snapshot dans c54x.c, inactif dans runs courants. Conceptuellement propre (W1C semantics). Dette technique parallèle.
Dette technique
calypso_dsp_done IRQ_API timing optimiste
Quoi : qemu_irq_raise(IRQ_API) immédiatement après DMA write page → DSP. Sur silicon, cycles de propagation entre DMA completion et IRQ assertion.
Impact actuel : aucun. Le firmware tolère.
Risque latent : si le firmware ARM compte sur des cycles de slack entre TPU_CTRL_EN et IRQ_API, comportement non identique au silicon.
calypso_uart.c — UART + sercomm
Hacks bruts
TRXD v0 patch côté osmocom-bb-transceiver/trxcon
Quoi : patch dans le tooling osmocom (pas dans uart.c) qui force protocole TRXD v0 au lieu de v1, mismatch versions.
Critère de retrait : harmoniser versions TRXD entre osmo-bts-trx et trxcon, ou implémenter v1 dans bridge.py.
Hacks par omission
UART1 / UART2 stubs minimaux
Quoi : seul UART0 utilisé pour L1CTL (sercomm DLCI 4/5). UART1 (irda) et UART2 (DSP) probablement stubs minimalistes.
À vérifier : audit UART1/UART2 read/write pour s’assurer qu’ils ne mentent pas (= retournent valeurs plausibles ou zéro plutôt que valeurs fabriquées).
calypso_inth.c — interrupt controller
Pas de hack apparent à ma connaissance. Audit complet recommandé pour confirmer.
calypso_soc.c — SoC glue
Hacks par omission
add_stub() helper + I2C stub
Quoi : static void add_stub(MemoryRegion *sys, ...) aux lignes 125+, et “I2C stub” à la 187.
Niveau : stubs explicites pour MMIO regions non implémentées. Acceptable tant qu’ils retournent 0 / accept writes silently. À auditer pour s’assurer qu’aucun ne ment (retourne valeur fabriquée non-zero).
bridge.py — bridge BTS UDP
Bypass architecturaux
fn_anchor désactivé / commenté “telemetry only”
Quoi : bts_fn passé tel quel au lieu d’être réécrit pour aligner sur QEMU virtual time.
Pourquoi bypass : alignement correct nécessiterait que bridge soit slave de QEMU virtual clock. Actuellement bridge ne fait que logger l’anchor.
Dette technique : si on voulait aligner les FNs, le code est commenté donc trivial à réactiver, mais demande validation.
CLK_IND à cadence wall-clock fixe
Quoi : tick CLK envoyé au BTS à intervalle wall-clock régulier (~471 ms / 26 frames).
Pourquoi pas un hack : c’est ce que fait un téléphone réel. Mais crée la dérive QEMU virtual clock vs wall-clock que BSP_FN_MATCH_WINDOW élargi compense.
Vrai fix : faire bridge slave de QEMU virtual time (CLK_IND tick basé sur fn QEMU, pas wall-clock).
Dette technique
time.sleep() ou similaire pour cadence
À vérifier dans le source. Fragile sous charge système.
Tooling — run.sh, configs
Fragilité opérationnelle (pas hack stricto sensu)
- Hardcoded paths
- Hardcoded ports
- Topologie tmux fixe
calypso:cell_log/calypso:mob - Symlinks
/tmp/*.log→/root/logs/*_001.logqui peuvent être stales
Patches firmware OsmocomBB ?
À vérifier dans le source. Si patches existent dans prim_*.c côté firmware (par ex. skip seuil threshold AFC trop strict), c’est un hack qui n’est pas dans QEMU mais dans le contrat.
Vérification :
cd /opt/GSM/osmocom-bb && git diff --statSi git diff montre des changements dans src/target/firmware/, lister précisément.
D’après mémoire feedback_no_hacks_client_server.md, l’objectif était “no patches firmware”. À vérifier que c’est encore le cas.
Récapitulatif synthétique
À retirer impérativement avant claim B2B / licensing
| File | Hack | Status |
|---|---|---|
calypso_fbsb.c |
si3_blob[] hardcodé |
XXX TEMP marked, TODO.md entry, critère de retrait défini |
calypso_fbsb.c |
allc_burst_idx static counter |
À remplacer par frame-tick scheduled write |
calypso_c54x.c |
CALYPSO_FORCE_INTM_CLEAR_AT |
Diag instrument, retrait conditionnel à vraie ISR INTM |
calypso_uart.c (tooling) |
TRXD v0 patch osmocom-bb-transceiver | Harmoniser versions |
Bypass architecturaux justifiables tant que QEMU n’a pas vrai RF
| File | Hack | Justification |
|---|---|---|
calypso_fbsb.c |
publish_fb_found/sb_found/pm_found synthétiques |
Pas de vrai signal RF |
calypso_fbsb.c |
case ALLC_DSP_TASK echo task_d/burst_d |
DSP NB processing non implémenté |
calypso_c54x.c |
W1C latch snapshot/consume | Race window DSP iter vs ARM read |
calypso_bsp.c |
BSP_FN_MATCH_WINDOW ±64/128 |
Dérive virtual vs wall clock |
bridge.py |
CLK_IND wall-clock | Bridge pas slave QEMU virtual time |
Dette technique à nettoyer post-LU
- Latch code inactif dans
c54x.c+trx.c(à supprimer ou activer proprement) - Filtres logging avec messages mensongers (
spurious, ignoredstyle) - UART1/UART2 stubs (audit nécessaire)
- I2C stub
calypso_soc.c:187(audit) bridge.py fn_anchordésactivé (commenté)run.shhardcoded paths/ports/tmux topology
Méthode de mise à jour
À chaque session ajoutant ou retirant un hack :
- Si ajout : créer entrée dans la section appropriée (hack brut / bypass / dette).
- Tout hack brut MUST avoir :
- Marqueur dans le code (
XXX TEMP HACKou similaire) - Critère de retrait explicite
- Lien vers TODO.md détaillé
- Marqueur dans le code (
- Si retrait : déplacer vers section “Retirés” (à créer ci-dessous quand nécessaire) avec date + commit hash.
Verification empirique
## Lister marqueurs explicites :
grep -rEn "HACK|XXX|TEMP|TODO|FIXME|workaround|stub|bypass" \
/opt/GSM/qemu-src/hw/arm/calypso/ /opt/GSM/bridge.py /opt/GSM/run.sh \
2>/dev/null | grep -v '\.bak\|\.preNoCell\|/calypso_backup_check/'
## Vérifier patches firmware :
cd /opt/GSM/osmocom-bb && git diff --statTout marqueur trouvé hors de ce fichier signale soit : - Un hack non documenté → ajouter ici - Un commentaire historique de dev → nettoyer ou justifier sa présence
Inventaire établi 2026-04-30 nuit, session FBSB→BCCH étape 2 validée empiriquement. Note honnêteté : peut être incomplet pour c54x.c opcode fixes profonds et certains aspects bridge.py/run.sh non audités exhaustivement.
./hw/arm/calypso/doc/SESSION_20260405_NIGHT4.md
Session 2026-04-05 Night 4 — C54x Opcode Audit
Summary
Massive opcode audit of calypso_c54x.c against the authoritative tic54x-opc.c from binutils-2.21.1 (found at /var/lib/docker/overlay2/.../gnuarm/src/binutils-2.21.1/opcodes/tic54x-opc.c).
17 bugs fixed. DSP now boots correctly: IDLE reached, IMR configured, dispatch loop active.
Fixes
ALU Instructions (Fix 1)
- F0xx was READA → now ADD/SUB/LD/AND/OR/XOR #lk,shift,src,dst
- Also added F06x (ADD/SUB/LD #lk,16 + MPY/MAC #lk)
- Also added F08x-F0Fx (accumulator AND/OR/XOR/SFTL with shift)
- Encoding: bits 7:4=op, bits 9:8=src/dst, bits 3:0=shift, 2nd word=lk
- Source: tic54x-opc.c line 254
{ "add", 0xF000, 0xFCF0 }
RSBX/SSBX (Fixes 2-5)
Per tic54x-opc.c: RSBX=0xF4B0 mask 0xFDF0, SSBX=0xF5B0 mask 0xFDF0. This covers 4 opcode ranges:
| Fix | Opcode | Was | Now | Encoding |
|---|---|---|---|---|
| 2 | F4Bx | NOP catch-all | RSBX ST0 | bit9=0, bit8=0 |
| 3 | F5Bx | RPT #0xBx (176+!) | SSBX ST0 | bit9=0, bit8=1 |
| 4 | F6Bx | MVDD Xmem,Ymem | RSBX ST1 | bit9=1, bit8=0 |
| 5 | F7Bx | LD #k8 → AR7 | SSBX ST1 | bit9=1, bit8=1 |
Return/Branch Instructions (Fixes 6-12)
| Fix | Opcode | Was | Now | tic54x-opc.c |
|---|---|---|---|---|
| 6 | FC00 | LD #k<<16, B | RET (return) | line 391 |
| 7 | FE00 | LD #k, B | RETD (return delayed) | line 392 |
| 8 | F073 | RET (pop stack) | B pmad (branch, 2-word) | line 264 |
| 9 | F074 | RETE (pop+clr INTM) | CALL pmad (call, 2-word) | line 279 |
| 10 | F072 | FRET (far return) | RPTB pmad (block repeat) | line 410 |
| 11 | F070 | RET (catch-all) | RPT #lku (repeat, 2-word) | line 409 |
| 12 | F071 | RET (catch-all) | RPTZ dst,#lku (repeat-zero) | line 412 |
CALLD Return Address (Fix 13)
- F274 CALLD pushed PC+2, should be PC+4 (skip 2-word instruction + 2 delay slots)
- Both copies fixed (line 960 and 1210)
IDLE/FRET (Fixes 14-16)
| Fix | Opcode | Was | Now | tic54x-opc.c |
|---|---|---|---|---|
| 14 | F4E4 | IDLE | FRET (far return) | line 306 |
| 15 | F4E1 | NOP (catch-all) | IDLE (the real one) | line 310 |
| 16 | F4E5 | NOP (catch-all) | FRETE (far return from IRQ) | line 308 |
TINT0 Interrupt Mapping (Fix 17)
calypso_tint0.h: IFR bit 4 → bit 3, vector 20 → vector 19- Per TMS320C5410A datasheet: TINT0 = IFR/IMR bit 3, interrupt vector 19
- Previous mapping (bit 4) was BRINT0 (BSP receive), not TINT0
Condition Evaluator (part of Fix 7)
Replaced incomplete if-else chain with proper tic54x-opc.c encoding: - CC1=0x40 (accumulator test), CCB=0x08 (B vs A) - EQ=0x05, NEQ=0x04, LT=0x03, LEQ=0x07, GT=0x06, GEQ=0x02 - OV=0x70, NOV=0x60, TC=0x30, NTC=0x20, C=0x0C, NC=0x08
Results
Before (all 17 bugs present)
- DSP stuck in dispatch loop at 0x81AF forever
- IMR=0x0000 (never configured)
- idle=0 (IDLE never reached)
- TINT0 on wrong interrupt bit
After
- DSP boots in 173 instructions
- IMR=0x002D configured (bits 0,2,3,5 = INT0,INT2,TINT0,BXINT0)
- Dispatch loop active at 0x81AF
- TINT0 on correct bit 3 (enabled in IMR)
Remaining Issue
- SP drift: 0x5AC8 → 0x8FFE after boot. FRET at 0x770C pops XPC+PC from empty stack (init code reached via branch, not FCALL). The popped values are garbage → DSP executes DARAM data as code → SP corrupts gradually.
- No return to IDLE: dispatch loop never exits because the handler RET/RETD pops garbage return addresses. The real IDLE (F4E1) at 0xA6A0 is never reached.
- INTM=1 stuck: handler sets INTM=1 (SSBX 1,8 at 0x7710) and never clears it, preventing interrupt servicing.
Key Reference
tic54x-opc.c location in container:
/var/lib/docker/overlay2/a242f59.../diff/root/gnuarm/src/binutils-2.21.1/opcodes/tic54x-opc.cFiles Modified
hw/arm/calypso/calypso_c54x.c— md5: 5a474083hw/arm/calypso/calypso_tint0.h— md5: 65a588f7
./hw/arm/calypso/doc/TODO.md
TODO — chemin FBSB QEMU Calypso
État au 2026-05-08 fin de session (après POPM fix + batch 8 stubs).
État courant
Run end-to-end : QEMU + osmocon natif + bridge + BTS + mobile. - Pipeline ARM ↔︎ TPU ↔︎ BSP ↔︎ DSP fonctionnel - Mobile L23 progresse jusqu’à gsm322 cell selection avec CALYPSO_FBSB_SYNTH=1 - Avec SYNTH=0, mobile bloqué pré-FBSB (firmware n’émet pas FBSB_CONF)
Bug racine restant : DSP correlator FB-det lit DARAM zones internes ([0x0000..0x03A3] linéaire + wrap [0xfc5d..] BK=176 stride 19) indépendamment de CALYPSO_BSP_DARAM_ADDR. AR3/AR4 init impose ces pointers.
Prochaine action critique (Priorité A — 1 probe statique)
Tracer init AR3 et AR4 dans le firmware avant insn=10 040 312 (1ère exécution observée de PC=0x8f51 = write d_fb_det).
Option 1 — grep statique
## AR3 = MMR 0x13, donc STM #lk, AR3 = 0x7713 puis lk
grep -nE "7713 [0-9a-f]{4}" /opt/GSM/qemu-src/calypso_dsp.txt | head
## AR4 = MMR 0x14, donc STM #lk, AR4 = 0x7714 puis lk
grep -nE "7714 [0-9a-f]{4}" /opt/GSM/qemu-src/calypso_dsp.txt | head
## Cibler les sites dont l'immediate ressemble aux bases observées :
## AR3 base = 0x0000, AR4 base = 0x2bc0Option 2 — probe runtime
/* Ajouter dans c54x_exec_one() */
if (s->insn_count < 10040312 &&
(op == 0x7713 || op == 0x7714)) {
uint16_t lk = prog_fetch(s, s->pc + 1);
C54_LOG("AR-INIT op=0x%04x lk=0x%04x PC=0x%04x insn=%u",
op, lk, s->pc, s->insn_count);
}
/* Aussi tracer STLM B,AR3 (op 0x8B+...) ou STLM A,AR3 */Décision arbre
- Base AR3 lue depuis literal STM → firmware attend les samples en zone DARAM bas. Le BSP doit livrer là, ou une routine ARM doit copier depuis BSP target vers cette zone (path manquant à identifier).
- Base AR3 lue depuis cell NDB → identifier la cell. ARM est censé pousser la base depuis une variable configurable.
- Base AR3 lue depuis registre/calcul → tracer caller pour comprendre le contexte.
Priorité B — Cleanup opcode (low priority)
doc/opcodes/tic54x_hi8_map.md liste 9 misclassifications identifiées 2026-05-08. Statut : - ✓ 0x8A (POPM) — fixé, sémantique correcte - ⏳ 0x80, 0x8B, 0xAA/AB, 0xC5, 0xCD, 0xCE, 0xDD, 0xDE — stubés en NOP
Pour implémentation sémantiquement correcte des familles ST||OP parallèles (0xC0..0xDF range = ST src,Ymem || ADD/SUB/MPY/MAC/MAS Xmem, dst), créer un handler dédié inspiré du ST||LD existant à 0xC8..0xCB (ligne 4773). Non urgent tant que SP est stable et que blocker FB-det persiste.
Priorité C — Comprendre RETE=0
Malgré INTM=0 post-fix POPM, RETE count reste à 0 sur 4.3B insn. Possibilités : - (a) c54x_interrupt_ex jamais appelé → générateur d’IRQ matérielle côté ARM (BSP, TPU, INTH) ne fire pas de SINT vers DSP - (b) IRQ fire mais ISR boucle sans atteindre RETE - (c) Pending IRQ replay block (ligne 5148) gardé par condition non remplie
À investiguer après tracé init AR3/AR4 (le blocker correlator est plus direct et probablement plus fondamental).
Run config courante
## Variables clés
CALYPSO_BSP_DARAM_ADDR=0x3fb0 # default; testé 0x2bc0 / 0x0080 / 0x0000
CALYPSO_FBSB_SYNTH=0|1 # 1 fait passer mobile vers gsm322
CALYPSO_DSP_IDLE_FF=1 # default ON, perf optim, pas un hack
BRIDGE_DL_FN_REWRITE=slot # default
BRIDGE_CLK_FROM_QEMU=0 # wall-paced (BTS happy)
## Lancement
docker exec -it trying bash -c "killall -9 qemu-system-arm 2>/dev/null; \
rm -f /tmp/osmocom_l2 /tmp/qemu-calypso-mon.sock; \
bash /opt/GSM/qemu-src/run.sh"Probes runtime en place (dans calypso_c54x.c)
| Tag | PC ciblé | Ce qu’il logue |
|---|---|---|
PC-HIST-3FB |
data_read addr ∈ [0x3fb0..0x3fbf] | Top PCs lecteurs zone BSP |
PC-HIST-3DD |
data_read addr ∈ [0x3dcf..0x3dd5] | Top PCs zone scratch dominante |
WATCH-WRITE 0x3dd2 |
data_write addr=0x3dd2 | PCs writers + valeurs |
INTM-TRANS |
exec_one start, transition INTM | 0→1 et 1→0 avec cause |
WAIT-A21A |
PC=0xa21a | INTM/IMR/IFR/ST0/ST1/SP snapshot |
ENTER-7740 |
PC=0x7740 | Caller chain + AR + insn |
ST1-WR |
STM #lk, ST1 (op 0x7707) | Toutes écritures ST1 |
POST-BOOTSTUB-RET |
RET depuis PC ≤ 0x0008 | Task PC poppé du nouveau stack |
D_FB_DET-WR-SITE |
PC=0x8f51 | AR0..AR7 + data[AR0/1/2] + BK + A |
État branche
Working tree commit 06ab6f3 (push fait avant cette session) + edits 2026-05-08 non-commités : - hw/arm/calypso/calypso_c54x.c (POPM fix + 8 stubs + 9 probes) - hw/arm/calypso/doc/opcodes/tic54x_hi8_map.md (créé) - hw/arm/calypso/doc/PROJECT_STATUS.md (mis à jour) - hw/arm/calypso/doc/TODO.md (ce fichier)
3 trees synchronisés (/home/nirvana/qemu-src/, /home/nirvana/qemu-calypso/, container /opt/GSM/qemu-src/) — md5 vérifié.
Issues annexes (inchangées)
Link -lm cassé (workaround manuel)
cd /opt/GSM/qemu-src/build
ninja -t commands qemu-system-arm | tail -1 > /tmp/link.sh
sed -i 's|$| -lm|' /tmp/link.sh && bash /tmp/link.sh/tmp tmpfs 16G
qemu.log peut atteindre 12G+ avec tous les tracers. Surveiller df -h /tmp.
./hw/arm/calypso/doc/PROJECT_STATUS.md
Calypso GSM Baseband Emulator — Project Status
État courant (2026-05-08)
Ce qui marche
- Pipeline ARM ↔︎ TPU ↔︎ BSP ↔︎ DSP fonctionnel (timer, UART, RPTB, sercomm)
- Mobile L23 atteint gsm322 cell selection (DSC=90) avec
CALYPSO_FBSB_SYNTH=1 CALYPSO_BSP_DARAM_ADDRconfigurable, samples I/Q FCCH binarisés (7ffe/8002/0000) livrés- 9 probes runtime instrumentés (PC-HIST-3FB/3DD, WATCH-WRITE 0x3dd2, INTM-TRANS, WAIT-A21A, ENTER-7740, ST1-WR, POST-BOOTSTUB-RET, D_FB_DET-WR-SITE)
Fixes émulateur 2026-05-08
- POPM (0x8A00 mask 0xFF00) fixé — était décodé en MVDK Smem,dmad. Corrigé : pop top-of-stack vers MMR. Débloque restore ST1 → INTM se clear correctement → fin du dwell INTM=1 perpétuel observé depuis avril.
- 8 stubs NOP posés sur opcodes misclassifiés causant push/pop fantômes :
0x80(était MVDD, doit être STL src,Smem)0x8B(était MVDK long-addr, doit être POPD Smem)0xAA/AB(était STLM duplicate, doit être LD variant — vrai STLM en 0x88/89)0xC5(était PSHM, doit être ST||OP — vrai PSHM en 0x4A)0xCD(était POPM, doit être ST||OP — vrai POPM en 0x8A)0xCE(était FRAME, doit être ST||OP)0xDD(était POPD, doit être ST||OP — cause SP runaway post-POPM)0xDE(était POPD dmad 2-word, doit être ST||OP)
- Référence opcode :
doc/opcodes/tic54x_hi8_map.mdcréé (table tic54x complète).
Symptômes débloqués vs résiduels
| Symptôme | Avant 2026-05-08 | Après |
|---|---|---|
| INTM=1 dwell | perpétuel après insn=90.2M | INTM=0 dans POST-BOOTSTUB-RET ✓ |
| WAIT-A21A | 5.7M iters (loop morte) | 0 ✓ |
| ENTER-7740 | 37k figé | 0 (path différent) |
| DSP throughput | 1× | 5× plus rapide (4.3B insn / 44s) |
| RETE | 0 | 0 (toujours zéro) |
| fb0_att | 0 | 0 (correlator lit zone vide) |
| L1CTL_DATA_IND | 0 | 0 (pas de BCCH décodé) |
Blocker actuel — D_FB_DET-WR-SITE révèle mismatch source/sink
50 hits captures à PC=0x8f51 (write d_fb_det) :
##1 AR1=001c AR2=0000 AR3=0000 AR4=2bc0 AR7=0000 data[AR1]=bbef BK=00b0
##50 AR1=004a AR2=fc5d AR3=03a3 AR4=2bc3 AR7=fc5d data[AR1]=0000 BK=00b0- AR3 stride +19, base 0 → lit DARAM
[0x0000..0x03A3](linéaire) - AR2/AR7 stride −19, BK=176 → wrap circulaire
[0xfc5d..] - AR4 = 0x2bc0 quasi-fixe → table coefficients ROM
- Aucun AR ne tombe dans la zone BSP DMA target.
Tests A/B CALYPSO_BSP_DARAM_ADDR (0x3fb0 / 0x2bc0 / 0x0080) → D_FB_DET-WR-SITE bit-pour-bit identique. L’init AR du firmware est indépendante de daram_addr.
Goal
Run real OsmocomBB layer1.highram.elf firmware on emulated TI Calypso (ARM7 + TMS320C54x DSP) in QEMU. Connect to a real BTS via TRX protocol through a bridge. Mobile/ccch_scan sees the BTS and decodes BCCH/CCCH.
Architecture
BTS (osmo-bts-trx)
↕ UDP (TRXC 5701, TRXD 5702, CLK 5700)
bridge.py
↕ PTY/UART (sercomm DLCI 4 = bursts, DLCI 5 = L1CTL)
QEMU (ARM7 calypso_trx.c + C54x calypso_c54x.c)
↕ Unix socket /tmp/osmocom_l2_1 (L1CTL length-prefixed)
mobile / ccch_scan (OsmocomBB host tools)Key Files
| File | Role |
|---|---|
calypso_c54x.c |
TMS320C54x DSP emulator (~1800 lines) |
calypso_c54x.h |
DSP state struct, constants, API |
calypso_trx.c |
Calypso SoC: DSP API RAM, TPU, TDMA, burst RX |
l1ctl_sock.c |
Unix socket L1CTL ↔︎ sercomm bridge |
calypso_uart.c |
UART with sercomm DLCI routing |
calypso_inth.c |
ARM interrupt controller |
calypso_soc.c |
SoC glue, memory map |
calypso_mb.c |
Machine/board definition |
bridge.py |
BTS TRX UDP ↔︎ UART sercomm bridge |
run.sh |
Launches QEMU + bridge + BTS + ccch_scan in tmux |
sync.sh |
Syncs files between host and docker container |
l1ctl_test.py |
Direct L1CTL test script |
DSP ROM
- Dumped from real Motorola C1xx phone via osmocon + ESP32
- File:
/opt/GSM/calypso_dsp.txt(131168 words) - Sections: Registers [00000-0005f], DROM [09000-0dfff], PDROM [0e000-0ffff], PROM0 [07000-0dfff], PROM1 [18000-1ffff], PROM2 [28000-2ffff], PROM3 [38000-39fff]
- DSP version: 0x3606
Memory Map (DSP side)
| DSP Address | ARM Address | Content |
|---|---|---|
| 0x0000-0x001F | — | MMR (registers) |
| 0x0020-0x007F | — | DARAM (low, scratch) |
| 0x0080-0x07FF | — | DARAM (overlay with prog when OVLY=1) |
| 0x0800-0x27FF | 0xFFD00000-0xFFD03FFF | API RAM (shared ARM↔︎DSP) |
| 0x7000-0xDFFF | — | PROM0 (program ROM) |
| 0x8000-0xFFFF | — | PROM1 mirror (program ROM page 1) |
| 0x9000-0xDFFF | — | DROM (data ROM) |
| 0xE000-0xFFFF | — | PDROM (patch data ROM) |
API RAM Layout
| ARM Offset | DSP Address | Name |
|---|---|---|
| 0x0000 (W_PAGE_0) | 0x0800 | Write page 0 (MCU→DSP, 20 words) |
| 0x0028 (W_PAGE_1) | 0x0814 | Write page 1 |
| 0x0050 (R_PAGE_0) | 0x0828 | Read page 0 (DSP→MCU, 20 words) |
| 0x0078 (R_PAGE_1) | 0x083C | Read page 1 |
| 0x01A8 (NDB) | 0x08D4 | d_dsp_page (first word of NDB) |
| 0x0862 (PARAM) | 0x0C31 | DSP parameters |
d_dsp_page values
0x0000= no task0x0002= B_GSM_TASK | page 00x0003= B_GSM_TASK | page 1- B_GSM_TASK = (1 << 1) = 0x0002
Write page structure (T_DB_MCU_TO_DSP, 20 words)
| Offset | Field |
|---|---|
| 0 | d_task_d (downlink task) |
| 1 | d_burst_d |
| 2 | d_task_u (uplink task) |
| 3 | d_burst_u |
| 4 | d_task_md (monitoring/FB/SB task: 5=FB, 6=SB) |
| 5 | d_background |
| 6 | d_debug |
| 7 | d_task_ra |
| 8-19 | results area |
DSP Boot Sequence
- ARM writes DSP_DL_STATUS_READY
c54x_reset()→ PMST=0xFFE0, IPTR=0x1FF, OVLY=0, PC=0xFF80c54x_run(10M)→ DSP executes PROM1 reset code → calls PROM0 init → 86K insns → IDLE@0xFFFE- ARM continues, firmware initializes
- Each TDMA frame: ARM writes d_dsp_page + tasks, fires TPU_CTRL_EN
calypso_dsp_done()→ copies write page to DARAM 0x0586, wakes DSP- DSP jumps to 0x8000 (TDMA slot table), processes, returns to IDLE
TDMA Slot Table (PROM1 0x8000-0x801F)
0x8000: 12f8 3fc5 f4e3 f4e4 → slot 0: SUB data[0x3FC5], A; SSBX INTM; IDLE
0x8004: 12f8 322a f4e3 f4e4 → slot 1
...8 slots of 4 words each...
0x8020: processing code starts (reads d_dsp_page, dispatches tasks)Frame Dispatch Routine (PROM0)
- Entry: 0xC8E7 → reads d_dsp_page at DSP 0x08D4
- Configures page pointers (0x0800/0x0814/0x0828/0x083C)
- Called via BANZ at 0xC8CD
- d_dsp_page also read at 0xA51C during init
Bugs Fixed This Session
- Timer HW (TCR/PSC/TDDR) — Real C54x timer behavior, TSS=1 at reset
- IDLE PC — return 0 (stay at IDLE addr for interrupt handler)
- PC wrap 16-bit —
s->pc &= 0xFFFF - F4E2/F4E3 (RSBX/SSBX INTM) — 98 occurrences decoded as BD instead of interrupt enable/disable. CRITICAL BUG.
- Interrupt vec = bit + 16 then reverted to SINT17 vec 2 bit 1 — correct vector for TPU frame
- FRET — Must pop 2 words (XPC then PC) per SPRU172C p.4-61
- FCALL — Must push 2 words (PC+2 then XPC) per SPRU172C p.4-57
- XC (Execute Conditionally) — Opcode 0xFDxx (n=1) / 0xFFxx (n=2), NOT 0xEAxx. 0xEA = BANZ.
- TRXD header — 8 bytes (TN+FN+RSSI+TOA), not 6. Soft bit conversion.
- L1CTL sequencing — 1 message per callback to let ARM process between messages
- OVLY activation — Enabled after boot for DARAM code execution
- IDLE wake — Jump to 0x8000 (TDMA loop) on wake from boot IDLE
- Interrupt PC+1 — Push PC+1 when waking from IDLE (resume after IDLE)
- Timer FN increment — TINT0 increments frame number in DARAM
Current State (2026-04-03)
- Base: no_cell_found (API RAM intercepts for FB/SB/PM)
- No_cell_found loop works: RESET→PM→FBSB cycle running
- C54x DSP boots in parallel via TDMA ticks (2000 insns/frame)
- SINT17 controlled by TPU_CTRL_DSP_EN (per hardware spec)
- 0 UNIMPL instructions — all opcodes emulated
- SP=0x06AA-0x0C2E after boot (correct, in DARAM)
- DSP reaches PROM0 0x7000 init + PROM1 0x8159 processing
Bugs Fixed (session 2026-04-03)
- RC conditionnel (F2xx) — was unconditional RET, now eval_condition
- PROM0 read protection — prog_read returns prog[] for 0x7000-0xDFFF
- PROM0 write protection — prog_write ignores writes to ROM area
- prog_write double-write — return after prog[ext] for addr>=0x8000
- DELAY instruction (D4/D5) — pipeline delay, was UNIMPL
- BCD 0xEF — added to EE/ED branch conditional handler
- XOR/OR #lk16 (B0/B1/B8/B9) — was UNIMPL
- Timer0 hardware — TIM/PRD/TCR with prescaler and TINT0
- IDLE skip TDMA slots — 0x8000-0x801F IDLE treated as NOP
- Parallel DSP boot — no blocking c54x_run(10M), boot via TDMA ticks
- DSP_EN SINT17 — interrupt only when firmware sets TPU_CTRL_DSP_EN
- eval_condition — full XC/RC condition decoder per SPRU172C Table 3-2
- Interrupt dispatch — check IFR&IMR in main loop each cycle
- API IRQ — raise IRQ15 in dsp_done, unmask at boot
d_fb_det Location
- ARM offset: 0x01F0 (NDB + 0x48)
- DSP address: 0x08F8
- DSP ROM writes it at PROM0 0x7730-0x7990
Next Steps
- DSP boot must reach IDLE@0xFFFE — currently runs but doesn’t converge
- Once boot works, remove API RAM intercepts (let DSP produce results)
- Verify burst samples reach DSP at correct DARAM address
- Achieve FBSB_CONF(result=0) → SB decode → BCCH → mobile registered
Docker
- Container:
osmo-operator-1(always running) - Images:
calypso-qemu:YYYYMMDD-HHMM(snapshots) - Build:
ninja -C /opt/GSM/qemu-src/build - Run:
bash /opt/GSM/qemu-src/run.sh - DSP ROM:
/opt/GSM/calypso_dsp.txt - Firmware:
/opt/GSM/firmware/board/compal_e88/layer1.highram.elf
Reference Documents
doc/spru172c.pdf— TMS320C54x DSP Reference Set Volume 2: Mnemonic Instruction Setdoc/C54X_INSTRUCTIONS.md— Key instruction encodings extracted from SPRU172C
./hw/arm/calypso/doc/SESSION_20260406.md
Session 2026-04-06 — BSP DMA path + dispatcher diagnosis
Objectif
Sortir du hack dsp_ram[0xF8]=1 (faux d_fb_det posé par QEMU) et brancher un vrai chemin BSP : I/Q GMSK depuis le bridge → DMA dans la DARAM DSP → laisser le DSP faire FB-det lui-même.
Vérifications préalables
NDB layout (DSP=36)
Firmware compal_e88 compilé avec DSP=36 (l1_environment.h:9), CHIPSET=12, ANLG_FAM=2 (Iota), W_A_DSP_IDLE3=1, AMR=undef.
NDB T_NDB_MCU_DSP (branche DSP == 34..36) commence par d_dsp_page (offset 0). Comptage des champs jusqu’à d_fb_det :
0 d_dsp_page 18 d_hole2_ndb[0]
1 d_error_status 19 d_mcsi_select
2 d_spcx_rif 20 d_apcdel1_bis
3 d_tch_mode 21 d_apcdel2_bis
4 d_debug1 22 d_apcdel2
5 d_dsp_test 23 d_vbctrl2
6 d_version_number1 24 d_bulgcal
7 d_version_number2 25 d_afcctladd
8 d_debug_ptr 26 d_vbuctrl
9 d_debug_bk 27 d_vbdctrl
10 d_pll_config 28 d_apcdel1
11 p_debug_buffer 29 d_apcoff
12 d_debug_buffer_sz 30 d_bulioff
13 d_debug_trace_type 31 d_bulqoff
14 d_dsp_state 32 d_dai_onoff
15 d_hole1_ndb[0] 33 d_auxdac
16 d_hole1_ndb[1] 34 d_vbctrl1 (ANLG_FAM=2)
17 d_hole_debug_amr 35 d_bbctrl
36 d_fb_det ←BASE_API_NDB = 0xFFD001A8 → mot 0x01A8/2 = dsp_ram[0xD4]. d_fb_det = dsp_ram[0xD4 + 36] = dsp_ram[0xF8].
→ L’offset que calypso_trx.c poke est correct. L’hypothèse “mauvais offset” était fausse.
IRQ TINT0 → ARM
Confirmé : calypso_tint0_do_tick() lower puis raise IRQ_TPU_FRAME (= IRQ4) à chaque tick. Firmware utilise IRQ_TPU_FRAME pour L1S, IRQ_API (15) est masqué (irq.c: [IRQ_API] = 0xff).
Implémentation BSP
Nouveaux fichiers
| Fichier | Rôle |
|---|---|
include/hw/arm/calypso/calypso_bsp.h |
API publique |
hw/arm/calypso/calypso_bsp.c |
DMA vers DARAM, mode discovery |
API
void calypso_bsp_init(C54xState *dsp);
void calypso_bsp_rx_burst(uint8_t tn, uint32_t fn,
const int16_t *iq, int n_int16);État interne (bsp.dsp, bsp.daram_addr, bsp.daram_len, compteurs). Configuration runtime via env :
| Var | Défaut | Rôle |
|---|---|---|
CALYPSO_BSP_DARAM_ADDR |
0 |
Adresse cible DARAM (mots) |
CALYPSO_BSP_DARAM_LEN |
1184 |
Nombre max de int16 par burst |
addr=0 → mode DISCOVERY : log les bursts mais n’écrit pas en DARAM.
Wiring
calypso_trx.c::calypso_trx_init(): appellecalypso_bsp_init(s->dsp)juste aprèsc54x_initréussi.sercomm_gate.c::trxd_cb(): remplace l’ancien repackage 8-byte +calypso_trx_rx_burst()par un appel directcalypso_bsp_rx_burst(tn, fn, (const int16_t *)(buf+6), nint16).meson.build: ajoutecalypso_bsp.c.
Instrumentation ajoutée dans calypso_c54x.c::data_read
- FBDET RD tracer : si
0x7730 ≤ PC ≤ 0x7990(zone FB-det dans PROM0 d’aprèsproject_dsp_fb_det), log les 200 premières lectures data — révélera l’adresse DARAM cible quand le DSP atteindra réellement la routine FB-det. - d_spcx_rif RD/WR : log accès à
dsp_ram[0xD6](NDB word 2).
Et dans calypso_trx.c::calypso_dsp_write :
- ARM WR d_spcx_rif (offset 0x01AC) : 20 premières écritures.
- ARM WR d_task_md : NZ uniquement, page 0/1 (offsets 0x08/0x30).
- ARM WR d_task_d : NZ, page 0/1 (offsets 0x00/0x28).
- d_dsp_page WR : 200 écritures avec n° + fn.
Build
GCC 9.5 / meson sur Debian-like : ninja -C build qemu-system-arm échoue au link avec undefined reference to symbol 'sqrtf@@GLIBC_2.2.5' / DSO missing from command line. La regen meson n’inclut pas -lm dans la commande de link de la cible.
Workaround : extraire la commande, lui ajouter -lm à la fin, relancer manuellement :
cd /opt/GSM/qemu-src/build
ninja -t commands qemu-system-arm | tail -1 > /tmp/link.sh
sed -i 's|$| -lm|' /tmp/link.sh
bash /tmp/link.shÀ fixer proprement plus tard (probablement une dépendance softfloat non propagée à qemu-arm-softmmu).
Run de validation
run.sh ne rentrait pas via docker exec -d (tmux). Lancement manuel :
qemu-system-arm -M calypso -cpu arm946 -icount shift=auto -serial pty -serial pty -monitor unix:...,server,nowait -kernel layer1.highram.elf > /tmp/qemu.log 2>&1contvia socat sur le monitorpython3 bridge.py /dev/pts/0osmo-bts-trx -c /etc/osmocom/osmo-bts-trx.cfgmobile -c /root/.osmocom/bb/mobile_group1.cfg
Observations
BSP fonctionne
[BSP] init dsp=0x... daram_addr=0x0000 len=1184 (DISCOVERY mode — no DMA)
[calypso-trx] ARM WR d_spcx_rif = 0x0179 (sz=2 fn=0)
[BSP] rx_burst fn=869 tn=0 n=1184 (target unset, sample[0]=32766 sample[1]=-1)
[BSP] rx_burst fn=869 tn=1 n=1184 (target unset, sample[0]=30267 sample[1]=-12552)
...d_spcx_rif = 0x0179: ARM écrit la valeur attendue d’aprèsdsp.c:429→ cohérent avec un firmware qui programme bien le BSP.- GMSK :
|z| ≈ 32766confirme le signal complexe full-scale du modulateur gr-gsm. Bridge → gate → BSP transmet correctement. - 0 FBDET RD : sur tout le run le DSP n’entre jamais dans
[0x7730..0x7990]. Le DSP boucle dans le dispatcher0x81a7..0x81d6(= une seule fonction handler) à chaque frame.
d_task_md jamais positionné
ARM WR d_task_md[p0] = 0 (init) fn=0
ARM WR d_task_md[p1] = 0 (init) fn=0
... (rien d'autre, pas d'écritures NZ)Aucune écriture non-nulle de d_task_md sur les deux pages, donc le firmware n’envoie jamais FB_DSP_TASK au DSP, donc le dispatcher ne peut que tourner sur sa task par défaut. Ce n’est pas un bug de dispatcher DSP : le DSP fait ce qu’on lui demande (= rien).
d_dsp_page toggle 1/14
fn=181 page=0x0000 (B_GSM_TASK pas encore set)
fn=182 page=0x0002 (B_GSM_TASK | w_page=0)
...
fn=196 page=0x0002 ← reste 14 frames
fn=197 page=0x0003 (B_GSM_TASK | w_page=1)
fn=200 page=0x0003Décodage d_dsp_page (l1_environment.h:249) : - bit 0 = w_page (devrait toggle chaque frame) - bit 1 = B_GSM_TASK
Le toggle de w_page ne se produit qu’une fois sur 14 frames parce que dsp_end_scenario() n’est appelé que si sched_flags & TDMA_IFLG_DSP (sync.c:275). Sur les frames sans task DSP planifiée, le page ne bouge pas. Comportement normal tant que rien n’est dans la queue TDMA.
Diagnostic principal
Le pipeline est cassé à un endroit unique :
mobile L1CTL_FBSB_REQ
→ bridge (PTY)
→ firmware sercomm UART_MODEM
→ l1ctl_rx_fbsb_req() [l23_api.c:230]
→ l1s_reset()
→ l1s_fbsb_req(1, ...) [prim_fbsb.c:538]
→ tdma_schedule_set(1, fb_sched_set, 0)
→ ??? ← ICI
→ l1s_fbdet_cmd() ❌ jamais appelée
→ db_w->d_task_md = FB_DSP_TASKMobile reçoit FBSB RESP result=255 (échec après timeout) sans qu’aucune écriture d_task_md = FB_DSP_TASK n’ait eu lieu. Soit tdma_schedule_set drop le set, soit le scheduler tick ne dépile jamais le set, soit la queue est saturée par un set précédent.
Hypothèses budget DSP & famine ARM
Vérifié : c54x_run() ne consomme pas de temps virtuel QEMU (boucle hors clock). Donc même si do_tick brûle 5M instructions DSP par tick, l’ARM garde tout son budget virtuel. La théorie “famine ARM par DSP” est incorrecte en virtual time.
Le code calypso_trx.c ligne ~370 calculait int budget = 5000000 constamment, sans utiliser le flag dsp_init_done (qui pourtant existe et est correctement maintenu à true depuis fn=1). Le commentaire prévoyait “500K post-init”. Patch préparé en local mais non poussé parce que la cause racine n’est pas la famine.
État des fichiers
| Fichier | Statut |
|---|---|
include/hw/arm/calypso/calypso_bsp.h |
nouveau, pushé |
hw/arm/calypso/calypso_bsp.c |
nouveau, pushé |
hw/arm/calypso/meson.build |
+ calypso_bsp.c, pushé |
hw/arm/calypso/calypso_trx.c |
+ bsp_init, instrumentations, pushé |
hw/arm/calypso/sercomm_gate.c |
trxd_cb appelle BSP, pushé |
hw/arm/calypso/calypso_c54x.c |
FBDET / d_spcx_rif tracers, pushé |
hw/arm/calypso/doc/BSP_DMA.md |
rédigé, non pushé (interruption) |
Prochains chantiers
- Trouver pourquoi
tdma_schedule_setn’aboutit pas àl1s_fbdet_cmd. Pistes :- Logger côté ARM/QEMU les writes au queue TDMA (mais c’est de la mémoire IRAM banale, difficile à intercepter sans hooks CPU). Plus simple : patcher temporairement
prim_fbsb.c/sync.cpour ajouter desprintdau début/sortie del1s_fbsb_req,tdma_schedule_set,l1s_fbdet_cmd, et reflasherlayer1.highram.elf. - OU instrumenter dans QEMU le retour des appels via le PC : si PC entre dans
l1s_fbsb_reqsymbole connu, log.
- Logger côté ARM/QEMU les writes au queue TDMA (mais c’est de la mémoire IRAM banale, difficile à intercepter sans hooks CPU). Plus simple : patcher temporairement
- Une fois
d_task_md = FB_DSP_TASKposté, vérifier que le dispatcher DSP y répond et entre dans[0x7730..0x7990]. Le tracer FBDET RD donnera l’adresse DARAM cible, à mettre dansCALYPSO_BSP_DARAM_ADDR. - Une fois la DARAM cible connue, désactiver le mode discovery et constater (ou pas) que
d_fb_detpasse à 1 grâce au vrai code DSP — ce qui validerait la chaîne complète. - Fix propre du link
-lmdans le meson de qemu-arm-softmmu.
Mémoires associées
project_dsp_fb_det— emplacement supposé du handler FB en PROM0feedback_no_hack_functions— règle “no DSP shortcuts”calypso_trx_role— calypso_trx ne fait que forwarderfeedback_sync_host— sync vers/home/nirvana/qemu-src/à faire
./hw/arm/calypso/doc/REPORT_CLAUDE_WEB_20260507.md
Rapport Claude web — 2026-05-07
TL;DR
Session de cleanup + UL wiring + stabilité. Tout les hacks documentés sont supprimés ou env-gated, le milestone DL 777→888 est préservé en mode CALYPSO_FBSB_SYNTH=1 (default OFF = vraie chaîne DSP), et la chaîne UL emet maintenant des RACH bursts réels sur TN=0 — la même position où le mobile était bloqué le 06/05 dans ta session précédente. Le test discriminant que tu avais proposé (tcpdump GSMTAP pour voir si IMM_ASS passe) reste à faire.
Ce qu’on a fait dans cette session
Diagnostic du commit 63b4fe5 (pré-cleanup)
Trois nuisances dans le diff qui captait le milestone du 06/05 : 1. 36 lignes BOURRIN-FBDET-SKIP dans c54x_exec_one (range PC 0x8d00-0x8f80 pop+jump bypass de la routine fb-det DSP — court-circuitait ~3M cycles par frame qui faisaient déborder le budget TDMA 4.615 ms). 2. ~120 lignes DIAG-HACK env-gated INTM force-clear + ALIAS-CHECK dump. 3. 23 fichiers __pycache__/*.pyc recompilés (bruit binaire).
Plus dans le code actif (pas dans 63b4fe5 mais latents) : 4. publish_fb_found(toa=0,pm=80,angle=0,snr=100) synth dans calypso_fbsb_on_dsp_task_change (DSP_TASK_FB). 5. publish_sb_found(bsic=0) synth idem. 6. si3_fallback[23] hardcoded SI3. 7. allc_burst_idx static cycle 0..3. 8. UL pipeline ne polait que d_task_u (word 2 = SDCCH/SACCH/TCH lane), ignorait d_task_ra (word 7 = RACH lane par prim_rach.c:77). 9. BSP/bridge trxd_peer race au démarrage (UL drop avant premier DL).
Hacks retirés
| Hack | Fichier | Type |
|---|---|---|
| BOURRIN-FBDET-SKIP block | calypso_c54x.c |
brut |
| DIAG-HACK INTM + ALIAS-CHECK + BOOT+100k VECDUMP | calypso_c54x.c |
brut |
si3_fallback[] hardcode |
calypso_fbsb.c |
brut |
allc_burst_idx static counter |
calypso_fbsb.c |
brut |
ul_drop_no_bts race |
bridge.py |
brut |
BSP trxd_peer_valid=false race |
calypso_bsp.c |
brut |
publish_fb_found/publish_sb_found calls |
calypso_fbsb.c |
bypass arch |
.gitignore étendu pour __pycache__/, *.pyc, *.bak* afin d’éviter la répétition du bruit de 63b4fe5 dans les commits futurs.
Connections ajoutées (vraies, pas hack)
| Connection | Fichier |
|---|---|
DB_W_D_TASK_RA = 7 poll dans tdma_tick UL section |
calypso_trx.c |
calypso_bsp_tx_rach_burst via gsm0503_rach_ext_encode (libosmocoding) |
calypso_bsp.c |
| libosmocoding linkage dans meson | hw/arm/calypso/meson.build |
bsp.trxd_peer pre-set à (127.0.0.1, 5702) |
calypso_bsp.c |
bridge.trxd_remote pre-set à (BTS, base+102) |
bridge.py |
BRIDGE_CLK_FROM_QEMU=1 env mode (CLK IND piloté par QEMU FN) |
bridge.py |
-icount shift=auto,align=off,sleep=off sur QEMU |
run.sh |
Env vars (default = real path, opt-in pour dev assist)
| Env | Default | Effet |
|---|---|---|
CALYPSO_FBSB_SYNTH |
0 |
1 ré-active publish_fb_found+publish_sb_found dans on_dsp_task_change (pour passer le DSP correlator non-convergent) |
CALYPSO_NDB_D_RACH_OFFSET |
0x01CB |
Override word index de d_rach dans NDB (DSP version-dépendant) |
BRIDGE_CLK_FROM_QEMU |
0 |
1 remplace wall-clock CLK IND par QEMU-FN pace |
Diff total
12 fichiers modifiés, +401 / -421 lignes (net -20). Les détails sont dans hw/arm/calypso/doc/hacks.md § Cleanup 2026-05-07 (table par hack avec replacement) et hw/arm/calypso/doc/PROJECT_STATUS.md § 2026-05-07.
État du run avec CALYPSO_FBSB_SYNTH=1
Recompilé dans le conteneur Docker trying, lancé via run.sh modifié :
DL — milestone 06/05 préservé : - [calypso-fbsb] CALYPSO_FBSB_SYNTH=1 (synth, dev-assist path) au boot - [fbsb] FB0_FOUND (synth) + SB_FOUND (synth) cycliques - Mobile L3 décode SI1, SI2, SI3, SI4 (lai=001-01-1) - Changing CCCH_MODE to 2 - MON: f=1 lev=<=-110 snr= 0 ber= 0 CGI=001-01-1-888 ← le 888 est là
UL — progression vs 06/05 : - Mobile passe à RR_EST_REQ + connection pending + CHANNEL REQUEST: 00 (Location Update with NECI) - RANDOM ACCESS (requests left 8 → 7 → 6) — mobile retries en cours - Côté QEMU : [BSP] RACH encode #N fn=NNNN ra=0xXX bsic=0xXX d_rach=0xNNNN fire régulièrement - [calypso-trx] UL RACH task=0xXXXX tn=0 fn=NNNN — TN=0 (vrai slot RACH) - Bridge délivre 10 paquets UL au BTS sur ('127.0.0.1', 5802) - BTS clock skew réduit à 1-FN compensation au lieu de 102-FN avant icount
UL — pas encore résolu : - Pas d’IMM_ASS_CMD visible côté mobile (toujours dans le cycle RR_EST_REQ → RACH ×N → T3126 timeout → re-RR_EST_REQ)
C’est exactement le point où on était le 06/05
Tu avais conclu sur deux failure modes non discriminés : - (a) UL : RACH burst ne traverse pas jusqu’au décodage osmo-bts-trx - (b) DL AGCH : BTS répond IMM_ASS mais mobile DSP rate l’AGCH sub-slot
Et tu avais proposé comme test discriminant immédiat : tcpdump GSMTAP pendant un run, voir si IMM_ASS_CMD apparaît sur l’air.
Cette session apporte deux choses sur ce front : 1. Les RACH UL sortent maintenant pour de vrai sur TN=0 avec encoding AB correct (libosmocoding gsm0503_rach_ext_encode). Avant la session, ils étaient soit absents soit malformés (le seul task_u poll loupait le d_task_ra lane, et même quand il fire-ait, on lisait des bits depuis dsp->data[0x0900] qui est un guess non vérifié pour les UL bits). 2. La pcap GSMTAP est en cours de capture: tcpdump -i eth1 -w /root/mobile-gsmtap.pcap udp port 4729 tourne depuis 50 minutes (process PID 26999). Donc le test discriminant est armé — il suffit d’attendre que le mobile retry assez longtemps puis analyser la pcap.
Petits problèmes secondaires identifiés
task_rasemble lire des résidus : valeurs commetask_ra=0x2d4e tn=6 fn=104au début du run, avant que le mobile ne soit synced. Soit le firmware ne zéro-initialise pas l’API RAM, soit on lit le mauvais offset. Led_rachmontre des BSIC variables (0x2a, 0x24, 0x1f, 0x14, 0x33, 0x1c, 0x19, 0x15, 0x3c) ce qui est incohérent avec une cellule fixe. Hypothèse :CALYPSO_NDB_D_RACH_OFFSETpar défaut (0x01CB, dérivé du walk struct DSP==33) pointe vers la mauvaise zone — le firmware utilise peut-être DSP==35 ou autre.- TN values weird au début (
tn=4,tn=6avant LU complete) : même cause probable que (1). - Une fois LU démarré : les
UL RACH tn=0 fn=NNNNapparaissent de façon cohérente avec lesRANDOM ACCESScôté mobile L3, donc à ce stade le pipeline marche.
Question pour toi
Avec ce contexte (RACH UL sortent réellement maintenant, milestone DL intact), quelle est ta priorité parmi :
A. Analyse pcap : capture-pane le BTS log + parse la pcap GSMTAP pour voir si IMM_ASS_CMD passe sur l’air. Réponse direct (a)/(b) du discriminant.
B. Fix d_rach offset : tracer les writes API RAM autour de fn où le mobile fait RANDOM ACCESS ra 0xXX, pinner le vrai offset. Élimine les false positives RACH.
C. DSP correlator real path : sans CALYPSO_FBSB_SYNTH, identifier pourquoi le DSP fb-det émulé ne converge pas (les 3 pistes du SESSION_BRIEF : α bug opcode dans MAC/correlator, β timing miss, γ phase reference inversée).
D. NB UL : calypso_bsp_tx_burst lit encore dsp->data[0x0900] qui est un guess pour le buffer DSP→BSP des bursts encodés (SDCCH/SACCH). Dès que le mobile passe en SDCCH après IMM_ASS (si on résout le blocker IMM_ASS), c’est le prochain link à valider.
Mon tip personnel : (A) en premier puisque la pcap est armée et qu’elle répond direct au test discriminant que tu avais cadré. (B) en parallèle si tu veux nettoyer les faux positifs RACH visibles dans les logs. (C) et (D) sont des deeper digs après.
./hw/arm/calypso/doc/SERCOMM_GATE_ARCHITECTURE.md
Sercomm Gate Architecture — QEMU Calypso
1. Le vrai hardware Calypso
Le Calypso a deux chemins de données complètement séparés :
Chemin radio (bursts)
Antenne → RF frontend → ABB (Analog Baseband)
→ BSP (Baseband Serial Port, hardware)
→ DSP lit via PORTR PA=0xF430
→ DSP traite (FIR, equalizer, Viterbi)
→ Résultats dans API RAM (DB read page)
→ ARM lit les résultatsLe BSP est un port série hardware (registre à 0xF430 dans l’espace I/O du DSP C54x). Le DSP reçoit un BRINT0 (interrupt vec 21, IMR bit 5) quand un burst complet est disponible. L’ARM ne touche jamais aux bursts radio — c’est 100% hardware BSP → DSP.
Chemin contrôle (L1CTL / sercomm)
Host (mobile/ccch_scan) → UART PTY → sercomm HDLC
→ DLCI 5 (L1A_L23) → firmware ARM (l1a_l23_rx callback)
→ Firmware écrit tâches dans API DB write page
→ d_dsp_page = B_GSM_TASK | page
→ TPU frame IRQ → SINT17 → DSP exécuteL’UART ne transporte que du L1CTL et du debug. Jamais de bursts.
2. Protocole sercomm (source: osmocom-bb/src/target/firmware/comm/sercomm.c)
Format trame
FLAG(0x7E) | DLCI(1) | CTRL(0x03) | DATA(N) | FLAG(0x7E)Escaping
Les octets 0x7E, 0x7D et 0x00 sont échappés : - Remplacés par 0x7D suivi de octet XOR 0x20 - Décodage : quand on reçoit 0x7D, le byte suivant est XOR 0x20
DLCIs enregistrés par le firmware layer1
| DLCI | Constante | Callback | Usage |
|---|---|---|---|
| 4 | SC_DLCI_DEBUG | aucun dans layer1 | Debug (non utilisé) |
| 5 | SC_DLCI_L1A_L23 | l1a_l23_rx |
L1CTL — commandes mobile↔︎firmware |
| 9 | SC_DLCI_LOADER | cmd_handler (loader only) |
Chargement firmware |
| 10 | SC_DLCI_CONSOLE | non enregistré dans layer1 | Console texte |
| 128 | SC_DLCI_ECHO | sercomm_sendmsg (loopback) |
Test echo |
State machine RX (sercomm_drv_rx_char)
WAIT_START ──(0x7E)──→ ADDR ──(byte)──→ CTRL ──(byte)──→ DATA
│
(0x7D)→ ESCAPE ──(byte^0x20)──→ DATA
(0x7E)→ dispatch_rx_msg(dlci, msg) → WAIT_STARTBinding UART
- Compal E88 :
sercomm_bind_uart(UART_MODEM)(board/compal_e88/init.c:104) - UART modem = 0xFFFF5800 (notre calypso_uart “modem”)
- IRQ handler :
uart_irq_handler_sercommdans calypso/uart.c
Flow RX complet (vrai hardware)
UART RHR register → uart_irq_handler_sercomm (IRQ)
→ uart_getchar_nb() lit chaque byte
→ sercomm_drv_rx_char(ch) parse HDLC
→ quand trame complète: dispatch_rx_msg(dlci, msg)
→ callback[dlci](dlci, msg)
→ pour DLCI 5: l1a_l23_rx() enqueue dans l23_rx_queue
→ l1a_l23_handler() (appelé depuis main loop) déqueue et traiteFlow TX complet (vrai hardware)
Firmware veut envoyer (ex: L1CTL_FBSB_CONF) :
→ sercomm_sendmsg(SC_DLCI_L1A_L23, msg)
→ msgb_push(msg, 2) pour ajouter DLCI + CTRL en tête
→ enqueue dans dlci_queues[5]
→ uart_irq_enable(UART_IRQ_TX_EMPTY, 1)
→ uart_irq_handler_sercomm (THR interrupt)
→ sercomm_drv_pull(&ch) lit un byte de la queue
→ uart_putchar_nb(ch) écrit dans UART THR
→ byte sort sur le PTY → host3. DSP Frame Dispatch (source: calypso/dsp.c)
Séquence par frame TDMA
1. ARM écrit tâches dans DB write page :
dsp_api.db_w->d_task_d = FB_DSP_TASK (5) ou NB_DSP_TASK (21) etc.
dsp_api.db_w->d_burst_d = burst_id (0-3)
dsp_api.db_w->d_ctrl_system |= tsc & 7
2. ARM appelle dsp_end_scenario() :
dsp_api.ndb->d_dsp_page = B_GSM_TASK | dsp_api.w_page
dsp_api.w_page ^= 1 (flip page)
tpu_dsp_frameirq_enable() → TPU_CTRL |= DSP_EN
tpu_frame_irq_en(1, 1)
3. TPU hardware génère SINT17 (frame IRQ) au DSP
4. DSP ROM dispatcher :
- Lit d_dsp_page (DSP addr 0x08D4)
- Vérifie B_GSM_TASK (bit 1)
- Lit page number (bit 0) → sélectionne DB page 0 ou 1
- Exécute d_task_d (DL), d_task_u (UL), d_task_md (monitoring)
- Écrit résultats dans DB read page (a_pm, a_serv_demod, a_sch)
- Fait IDLE
5. ARM lit résultats de DB read page :
dsp_api.db_r->a_serv_demod[D_TOA/D_PM/D_ANGLE/D_SNR]
dsp_api.db_r->a_pm[0..2]Constantes
B_GSM_TASK = (1 << 1) = 0x02 // Task flag in d_dsp_page
B_GSM_PAGE = (1 << 0) = 0x01 // Page select in d_dsp_page
// d_dsp_page = 0x02 (page 0, task) ou 0x03 (page 1, task)
BASE_API_NDB = 0xFFD001A8 // ARM address
BASE_API_W_PAGE_0= 0xFFD00000 // 20 words MCU→DSP
BASE_API_W_PAGE_1= 0xFFD00028
BASE_API_R_PAGE_0= 0xFFD00050 // 20 words DSP→MCU
BASE_API_R_PAGE_1= 0xFFD00078
BASE_API_PARAM = 0xFFD00862 // 57 words paramsDSP Task IDs (l1_environment.h)
NO_DSP_TASK = 0 // No task
FB_DSP_TASK = 5 // Frequency Burst (idle)
SB_DSP_TASK = 6 // Sync Burst (idle)
TCH_FB_DSP_TASK = 8 // Frequency Burst (dedicated)
TCH_SB_DSP_TASK = 9 // Sync Burst (dedicated)
RACH_DSP_TASK = 10 // RACH transmit
AUL_DSP_TASK = 11 // SACCH UL
DUL_DSP_TASK = 12 // SDCCH UL
TCHT_DSP_TASK = 13 // TCH traffic
NBN_DSP_TASK = 17 // Normal BCCH neighbour
EBN_DSP_TASK = 18 // Extended BCCH neighbour
NBS_DSP_TASK = 19 // Normal BCCH serving
NP_DSP_TASK = 21 // Normal Paging
EP_DSP_TASK = 22 // Extended Paging
ALLC_DSP_TASK = 24 // CCCH reading
CB_DSP_TASK = 25 // CBCH
DDL_DSP_TASK = 26 // SDCCH DL
ADL_DSP_TASK = 27 // SACCH DL
TCHD_DSP_TASK = 28 // TCH traffic DL
CHECKSUM_DSP_TASK = 33 // DSP checksum4. BSP — Baseband Serial Port
Hardware
Le BSP est un port série synchrone du DSP C54x qui connecte directement à l’ABB (Analog Baseband). - Port address : 0xF430 (BSP data register) - Interrupt : BRINT0 (vec 21, IMR bit 5) — “BSP Receive Interrupt” - Data format : int16 I/Q samples, 1 sample par symbole GSM
Flow DL (downlink — BTS → phone)
Vrai hardware :
ABB convertit le signal RF en baseband I/Q
→ BSP DMA transfère les samples dans un buffer DSP
→ BRINT0 signale "burst reçu"
→ DSP traite : dérotation, FIR, equalizer, Viterbi decode
→ Résultats dans API RAM
QEMU émulation :
osmo-bts-trx → TRXD UDP (soft bits)
→ bridge (sercomm_udp.py) GMSK modulation → int16 I/Q
→ calypso_trx_rx_burst()
→ c54x_bsp_load(dsp, samples, n) // charge bsp_buf[]
→ c54x_interrupt_ex(dsp, 21, 5) // BRINT0
→ DSP lit via PORTR PA=0xF430 // bsp_buf[bsp_pos++]C54x BSP implementation (calypso_c54x.c)
// Structure
uint16_t bsp_buf[160]; // burst samples
int bsp_len; // number of samples
int bsp_pos; // read position
// Load (called by calypso_trx.c)
void c54x_bsp_load(C54xState *s, const uint16_t *samples, int n);
// Read (called by PORTR instruction)
if (op2 == 0xF430 && s->bsp_pos < s->bsp_len)
data_write(s, addr, s->bsp_buf[s->bsp_pos++]);5. Architecture QEMU — Ce qu’il faut implémenter
Chemins de données
┌─────────────────────────────────────────────────────────┐
│ QEMU Calypso │
│ │
│ ┌──────────┐ TRXD UDP ┌──────────────────┐ │
│ │ Bridge │───────────────→│ calypso_trx.c │ │
│ │ (python) │ │ rx_burst() │ │
│ └──────────┘ │ → c54x_bsp_load │ │
│ ↑ │ → BRINT0 │ │
│ │ PTY └────────┬─────────┘ │
│ │ │ │
│ ┌────┴─────┐ ┌─────┴──────┐ │
│ │ UART │ sercomm_gate │ DSP C54x │ │
│ │ modem │───────────────→ │ PORTR F430│ │
│ │ │ DLCI 5 → FIFO │ bsp_buf[] │ │
│ └──────────┘ (L1CTL only) └────────────┘ │
│ ↑ │
│ │ L1CTL socket │
│ ┌────┴─────┐ │
│ │ l1ctl │ │
│ │ _sock.c │ ← mobile/ccch_scan │
│ └──────────┘ │
└─────────────────────────────────────────────────────────┘sercomm_gate.c — Rôle exact
- Le gate parse le flux sercomm entrant sur l’UART modem et route par DLCI
-
- Tous les DLCIs → re-wrap et push dans le FIFO UART (firmware ARM les traite) - Pas de routage spécial pour DLCI 4 — le firmware n’a pas de handler pour DLCI 4 - Le gate ne touche PAS aux bursts — ils arrivent par un autre chemin (TRXD → BSP)
Le gate remplace le parser sercomm inline qui était dans calypso_uart.c. C’est un simple parser HDLC qui re-injecte les trames dans le FIFO.
Bridge (sercomm_udp.py) — Deux rôles
- Bursts DL : BTS TRXD → GMSK modulation → écriture directe vers QEMU (actuellement via PTY sercomm DLCI 4 — à changer en UDP/socket direct)
- Clock : CLK IND → BTS pour synchronisation
- Bursts UL : PTY sercomm DLCI 4 → TRXD → BTS (firmware envoie les bursts UL via sercomm_sendmsg)
Problème actuel du bridge
Le bridge envoie les bursts DL via le PTY en sercomm DLCI 4. C’est incorrect : - Sur le vrai hardware, les bursts DL arrivent par le BSP, pas l’UART - Le firmware n’a pas de handler pour DLCI 4 (SC_DLCI_DEBUG) - Les bursts DL dans le FIFO UART polluent le firmware
Solution : le bridge doit envoyer les bursts DL par un canal séparé (UDP socket, pipe, ou shared memory) directement à calypso_trx_rx_burst(), qui charge le BSP via c54x_bsp_load() et fire BRINT0.
NDB d_dsp_page — Mapping mémoire
ARM offset 0x01A8 = DSP addr 0x08D4 = d_dsp_page
bit 0 = page number (0 ou 1)
bit 1 = B_GSM_TASK (1 = tâche à exécuter)
ARM offset 0x01C4 = DSP addr 0x08E2 = d_dsp_state
0 = run, 1 = Idle1, 2 = Idle2, 3 = Idle3
Firmware init: d_dsp_state = 3 (C_DSP_IDLE3)6. Résumé des fichiers
| Fichier | Rôle | Touche aux bursts ? |
|---|---|---|
| sercomm_gate.c | Parse sercomm UART → FIFO (L1CTL) | Non |
| calypso_uart.c | Hardware UART, appelle sercomm_gate | Non |
| calypso_trx.c | TDMA tick, BSP load, SINT17, TPU | Oui (rx_burst → bsp_load) |
| calypso_c54x.c | DSP emulation, PORTR 0xF430 | Oui (bsp_buf read) |
| sercomm_udp.py | Bridge BTS↔︎QEMU | Oui (TRXD → GMSK → PTY/BSP) |
| l1ctl_sock.c | L1CTL socket ↔︎ mobile | Non |
./hw/arm/calypso/doc/DSP_ROM_MAP.md
Calypso DSP ROM Map
ROM Dump Sections
Source: /opt/GSM/calypso_dsp.txt — dumped from Motorola C1xx via osmocon + ESP32
| Section | Address Range | Size (words) | Loaded Into |
|---|---|---|---|
| Registers | 0x00000-0x0005F | 96 | data[0x00-0x5F] |
| DROM | 0x09000-0x0DFFF | 20480 | data[0x9000-0xDFFF] |
| PDROM | 0x0E000-0x0FFFF | 8192 | data[0xE000-0xFFFF] |
| PROM0 | 0x07000-0x0DFFF | 28672 | prog[0x7000-0xDFFF] |
| PROM1 | 0x18000-0x1FFFF | 32768 | prog[0x18000-0x1FFFF] + mirror at prog[0x8000-0xFFFF] |
| PROM2 | 0x28000-0x2FFFF | 32768 | prog[0x28000-0x2FFFF] |
| PROM3 | 0x38000-0x39FFF | 8192 | prog[0x38000-0x39FFF] |
Key Code Locations
PROM1 (mirrored to 0x8000-0xFFFF)
| Address | Content |
|---|---|
| 0xFF80-0xFFFE | RESET boot code (runs sequentially, NOT separate interrupt vectors) |
| 0xFFFE | IDLE instruction (end of boot) |
| 0x8000-0x801F | TDMA slot table (8 slots × 4 words: SUB + SSBX INTM + IDLE) |
| 0x8020+ | Processing code (after TDMA slots) |
PROM0 (0x7000-0xDFFF)
| Address | Content |
|---|---|
| 0x7000-0x7025 | Boot init routines (called from PROM1 RESET handler) |
| 0x7026-0x71FF | Boot polling loop (writes API RAM tables) |
| 0xA4CA-0xA530 | Frame init / page setup |
| 0xA51C | Reads d_dsp_page (instruction: 10f8 08d4) |
| 0xC860-0xC8C8 | Frame dispatcher setup |
| 0xC8CD | BANZ to 0xC8E7 (dispatch entry) |
| 0xC8E7-0xC920 | Frame dispatch: reads d_dsp_page, configures pages, branches to task handlers |
| 0xC920+ | Task processing code |
PDROM (data space 0xE000-0xFFFF, prog space via XPC=0)
| Address | Content |
|---|---|
| 0xE000+ | DSP runtime code (accessed as prog[0x8000+] with XPC=0) |
Interrupt Vector Table (IPTR=0x1FF → base 0xFF80)
The table at 0xFF80-0xFFFF in PROM1 is boot code, not separate handlers. Vectors 0-31 fall into inline boot code. Only useful vectors: - Vec 0 (0xFF80): RESET entry point - Most other vectors: inline boot code (context save/restore + RETE)
MVPD Locations in PROM0
16 MVPD (0x8Cxx) instructions at: 0x75C0, 0x8700, 0x8C80, 0x8CA0 These are NOT reached during the 86K-instruction boot — they’re in processing code.
Key Data Addresses (DSP data space)
| Address | Content |
|---|---|
| 0x0007 | Used by TDMA slot table (LD/ST with offsets) |
| 0x08D4 | d_dsp_page (NDB offset 0) |
| 0x08D5 | d_error_status (NDB offset 1) |
| 0x0800-0x0813 | Write page 0 |
| 0x0814-0x0827 | Write page 1 |
| 0x0828-0x083B | Read page 0 |
| 0x083C-0x084F | Read page 1 |
| 0x3FB0 | Internal: page state variable |
| 0x3FC1-0x3FC2 | Internal: current page pointers |
| 0x3FDC-0x3FE0 | Internal: boot state variables |
./hw/arm/calypso/doc/MMAP_SI_FORMAT.md
MMAP_SI_FORMAT — Interface dynamique d’injection BCCH SI
Spec v1 — 2026-04-30. Interface mmap shared file pour injection dynamique des System Information BCCH bursts dans
calypso_fbsb.c, alimentée par tap RSL côté bridge / sniffer indépendant.
Rationale
- Avant : SI3 hardcodé dans
calypso_fbsb.c::si3_blob[]. Viole règle #1 “no stubs”. - Après : SI1/SI2/SI3/SI4/SI13 lus dynamiquement depuis
/dev/shm/calypso_si.bin, alimenté par un sniffer RSL qui tap lesBCCH INFORMATIONmessages osmo-bsc → osmo-bts.
Architecture
osmo-bsc osmo-bts
│ │
│ RSL/IPA tcp:3003│
├────────────────►│
│ │
▲
│ pcap sniff
│
scripts/rsl_si_tap.py (process séparé, single-writer)
│
│ mmap write
▼
/dev/shm/calypso_si.bin (176 bytes)
▲
│ mmap read
│
QEMU calypso_fbsb.c::on_dsp_task_change ALLC (single-reader)
│
▼
DATA_IND → ARM L1S → mobile L23Properties : - Single writer (rsl_si_tap.py) / single reader (QEMU). Pas de mutex. - Race condition possible mais bénigne : QEMU peut lire un slot half-written une fois sur 10000 → SI invalide → mobile retry 4 frames plus tard. - 32-byte slot alignment = 1 cache line = écriture atomique de fait sur x86.
Layout binaire fixe (176 bytes total)
Header (16 bytes, offset 0-15)
| Offset | Field | Size | Description |
|---|---|---|---|
| 0 | magic |
4 | "CSI1" (0x43 0x53 0x49 0x31). Validation au mmap. |
| 4 | version |
1 | 0x01 (room for evolution: SI5/6 SACCH ajout = v2) |
| 5 | slot_count |
1 | 5 (current : SI1, SI2, SI3, SI4, SI13) |
| 6 | last_update_fn |
2 | LE uint16, FN du dernier write (debug, watch live) |
| 8 | reserved |
8 | zero-fill |
Slots (5 × 32 bytes, offset 16-175)
Slot indices fixes pour lookup direct :
| Slot # | si_type | Contenu |
|---|---|---|
| 0 | 0x01 | SI1 |
| 1 | 0x02 | SI2 |
| 2 | 0x03 | SI3 |
| 3 | 0x04 | SI4 |
| 4 | 0x0d | SI13 |
Layout par slot (32 bytes) :
| Offset (relatif) | Field | Size | Description |
|---|---|---|---|
| 0 | si_type |
1 | 0x01..0x0d. 0x00 = slot vide / pas encore reçu |
| 1 | slot_flags |
1 | bit 0 = VALID, bit 1 = UPDATED_SINCE_LAST_READ (optionnel) |
| 2 | blob_len |
1 | toujours 23 (BCCH burst LAPDm-wrapped) |
| 3 | padding |
1 | zero |
| 4-26 | blob |
23 | 23 bytes BCCH burst (premier byte = L2 pseudo length) |
| 27-31 | padding |
5 | zero (align à 32 bytes) |
Exemple slot SI3 (RSL-extracted run 2026-04-30 12:13) :
Offset 16+2*32 = 80 (slot 2 = SI3) :
80: 03 si_type=SI3
81: 01 slot_flags = VALID
82: 17 blob_len = 23
83: 00 padding
84-106: 49 06 1b 17 71 00 f1 10 00 01 c9 03 05 27 47 40
e5 04 00 2c 0b 2b 2b ← BCCH burst SI3
107-111: 00 00 00 00 00 paddingScheduling BCCH par TC (TS 44.018 §3.4 table 1)
TC = (FN / 51) mod 8
TC=0 → SI1
TC=1 → SI2
TC=2 → SI3
TC=3 → SI4
TC=4 → SI3
TC=5 → SI2
TC=6 → SI3
TC=7 → SI4SI3 émis 3× par cycle multiframe (TC=2,4,6) car critique pour cell selection. Implémentation stricte de cette table — pas de round-robin naïf.
Fallback slot vide : si si_type=0x00 au TC demandé → fallback SI3 (slot 2). Justification : SI3 est le SI le plus fréquemment broadcast réel, le mobile l’attend toujours.
Configuration runtime — CALYPSO_SI_MMAP_PATH
const char *path = getenv("CALYPSO_SI_MMAP_PATH");
if (!path) path = "/dev/shm/calypso_si.bin";
int fd = open(path, O_RDONLY);
if (fd < 0) {
/* fallback to hardcoded SI3 with warning log */
return -1;
}CALYPSO_SI_MMAP_PATH=/path/to/file: override- Non défini :
/dev/shm/calypso_si.binpar défaut - File absent au boot : log warning, fallback SI3 hardcoded (transition graceful pendant dev, à supprimer une fois bridge.py stable)
Atomicity policy
Single writer / single reader, pas de mutex.
- Writer (rsl_si_tap.py) : update slot complet en un seul
mm[off:off+32] = bytes(32)(atomic Python memoryview → kernel syscall). - Reader (QEMU) : copie le slot dans local stack avant utilisation.
- Race rare : si lecture happens during 32-byte write → blob potentiellement half-old/half-new. Détection :
slot_flags & VALID. Si non valid → fallback SI3. - Memory barrier x86 : implicite pour writes alignées 8 bytes.
Évolution v2 si race observée : utiliser slot_flags bit 1 = UPDATED, write blob d’abord, set bit en dernier. QEMU read clear bit. Pas implémenté en v1.
Process responsibilities
scripts/rsl_si_tap.py — single writer
- pcap sniff
lo:3003(RSL/Abis IP) - Parse IPA header (3 bytes
len + 0x00) - Parse RSL message : check msg discriminator
0x0c(CCHAN),0x1e(BCCH INFO IE) - Extract
RSL_IE_FULL_BCCH_INFO(IE 0x21) +RSL_IE_SYSINFO_TYPE(IE 0x1e)- SI1=0, SI2=1, SI3=2, SI4=3, SI13=8 (osmocom encoding)
- Map vers slot index : SI1→slot 0, SI2→slot 1, SI3→slot 2, SI4→slot 3, SI13→slot 4
- Write slot via mmap, update header
last_update_fn
calypso_fbsb.c — single reader
- Au boot : open + mmap O_RDONLY, valide magic = “CSI1”
- Si absent / magic invalide → fallback SI3 hardcoded existant + log warning
- Sur
case DSP_TASK_ALLC:- Calculer TC =
(s->fn / 51) % 8 - Lookup slot SI selon table TC ci-dessus
- Si slot.si_type == 0x00 ou !VALID → fallback slot 2 (SI3)
- Copier blob 23 bytes dans
a_cd[3..14](packing LE word→byte standard) - Echo
d_task_d=24, d_burst_d=Ndans read pages
- Calculer TC =
Status v1
Évolutions futures (v2+)
- Slot 5+ : SI5 / SI6 (SACCH FILLING) — pour cycle dédié post-LU
- Header field :
bts_idpour multi-BTS support - Memory barrier strict via
slot_flags bit 1 = UPDATED
./hw/arm/calypso/doc/SESSION_20260429.md
Session 2026-04-29 — DSP firmware path unblocked, INTM=1 final blocker
Summary
Five structural opcode fixes resolved in sequence, each validated by empirical markers. Full DSP firmware path from reset → applicative code → BSP DMA active is now unblocked. One blocker remains: INTM=1 forever. The DSP enters the firmware applicative loop but never clears INTM, so all IRQ pending in IFR (INT3 frame, BRINT0 BSP) are never serviced. Without serviced IRQ, the DSP never reaches the PORTR PA=0x0034 consume-from-BSP path, and the correlator FB-det never sees fresh samples.
Fixes applied (in order, all 3-tree synced)
| # | Fix | File | Impact |
|---|---|---|---|
| 1 | Silicon-aligned reset | calypso_c54x.c c54x_reset() |
DSP enters PROM1 init zone (PMST=0xFFA8, ST0=0x181F, ST1=0x2900 = INTM/SXM/XF, PC=0xff80) |
| 2 | 0x6F00 dispatch | calypso_c54x.c line 2792+ |
Wedge at PC=0x8353 (CALAD A self-loop, 2.2G iter) eliminated |
| 3 | 0x68-0x6E handlers (ANDM/ORM/XORM/ADDM/BANZ/BANZD) | line 2808+ | 1259 + 304 = 1563 firmware sites unblocked |
| 4 | APTS misnomer fix (5 FAR opcodes) | FRET/FRETED/FCALAD/FCALL FAR/FCALLD FAR | Stack leak eliminated (1.96M STACK-IN-NDB events → 0) |
| 5 | F3xx complete dispatch | line 1909+ | 364 sites (AND/OR/XOR/SFTL + #lk variants) unblocked |
All five fixes are sourced against binutils-2.21.1/opcodes/tic54x-opc.c + include/opcode/tic54x.h (struct insn_template) + SPRU172C/SPRU131G PDFs in doc/datasheets/.
Empirical state achieved
After all 5 fixes, without the diagnostic INTM-clear hack:
DSP execution:
insn count : >2 G in stable runs
STACK-IN-NDB events : 0 (vs 1.96M before fix #4)
PC=0x8353 wedge : 0 (vs 17M+ before fix #2)
IMR change events : 14 (init globally traverses, was 2)
IRQ count : 1500-30000 depending on run
XPC transitions : occur (FAR call/return symmetric)
d_fb_det WR events : ≥3 (DSP writes the result slot)
BSP pipeline:
Bridge DL forwarded : 1.1M+ FCCH bursts
BSP RX accepted : 4150+ (window-matched)
c54x_bsp_load → bsp_buf : 17 000+ (DMA writes confirmed)
BRINT0 IRQ fired : 17 000+ (one per DMA)
Mobile (no-stick):
PM MEAS scan : 10 000+ ARFCNs swept
L1CTL_RESET : 0 (mobile patient)Remaining blocker — INTM=1 forever (3 measurements confirm)
After the 5 fixes, INTM=1 is verified strict:
PORTR PA=0x0034 count = 0 in log. The DSP never executes the opcode that consumes BSP samples. The bsp_buf is filled by the BSP DMA but never read.
INTM=1 in 100% of IRQ entries (105/105 sampled). No IRQ entry shows INTM=0. INTM is strictly stuck, not oscillating per normal entry/exit ISR semantics.
F6BB (RSBX INTM) opcode encounters = 0. The 14 firmware sites
RSBX INTM(PROM0 0xa4d0/0xa51b/0xa6cf/0xc665/ 0xd13d/0xd142/0xd277/0xd9ed/0xdb48/0xdde6, PROM1 0xaad8/0xaadf/0xab43/ 0xab48) are never reached by the DSP execution path, even with all 5 structural fixes applied.
Hypothesis space for the INTM unblock
Three plausible mechanisms; none fully verified due to lack of public TI Calypso DBB datasheet (TWL3014 / proprietary):
H1: ARM lifts NMI on DSP at boot via hardware mailbox
calypso/dsp.c defines APIC_W_DSPINT = (1<<2) at 0xFFFE0000 but zero usage in osmocom-bb/src/target/firmware/. So this specific mechanism is not exercised by osmocom firmware. It’s defined-but-unused.
The NMI vector at PROM1[0xFF84] = f4eb f495 f495 f495 = RETE; NOP; NOP; NOP. A NMI fired post-DSP-ready would: branch to 0xFF84 → execute RETE → pop PC + clear INTM (per SPRU172C Table 2-15: RETE[D]: PC = TOS, ++SP, INTM = 0) → back to caller with INTM=0. The handler stub suggests the silicon expects NMI to happen but the firmware doesn’t need to do anything in response — the side effect of RETE (INTM=0) is sufficient.
But this is inference, not documented. SPRU172C is generic C54x; the specific Calypso DBB ARM↔︎DSP IRQ wiring isn’t published.
H2: Calypso silicon clears INTM on DSP power-on
3 FreeCalypso ROM dumps (3311, 3416, 3606) show ST1=0x2900 post-bootloader (INTM=1). Tested empirically: setting s->st1 = 0 at reset (the test fix) eliminated the wedge at 0x8353 cascade but introduced stack leak — actually the leak was independent (APTS misnomer) and the s->st1=0 was masking it. Once APTS is fixed, ST1=0x2900 with INTM=1 is the proper state per silicon dumps.
So H2 is unlikely: silicon dumps consistently show INTM=1 after silicon’s own bootloader handshake. The clear must happen post-handshake via some other mechanism.
H3: Firmware contains an unreached RSBX INTM site
Empirically infirmed: 0 F6BB encounters in current run. The 14 sites are real but the DSP never executes them on the current path. Either there’s yet another structural opcode bug blocking access to those sites, or the sites are in ISR handler code (only entered via IRQ — which is blocked by INTM=1, classic catch-22).
Pattern of context around the 14 sites (from earlier audit): 9/14 are preceded by f5e3 (SSBX INTM) or f4e1/f5e1 (IDLE) — confirming ISR critical-section structure. So sites are fundamentally unreachable until INTM=0 lets one IRQ through. Catch-22 confirmed.
INTM=1 final blocker — diagnostic state
The DSP CPU emulation, opcode dispatch, reset values, and ISR mechanism are all silicon-aligned and validated against binutils tic54x-opc.c + SPRU172C/SPRU131G + 3 FreeCalypso ROM dumps. The remaining blocker is the mechanism by which INTM transitions from 1 (silicon reset value, confirmed by 3 ROM dumps) to 0 (required for IRQ servicing).
What we know empirically (3 measurements, this session)
- PORTR PA=0x0034 count = 0 in log — DSP never consumes BSP samples
- INTM=1 in 100% of IRQ entries (105/105 sampled) — strict, not oscillating
- F6BB (RSBX INTM) opcode encounters = 0 — firmware never reaches the 14 native RSBX INTM sites in PROM0/PROM1
- BSP DMA fully functional — 17 000+ bursts written to DARAM[0x3FB0]
- Pipeline up to BRINT0 IRQ fire confirmed working — IRQ 21 bit 5 is set in IFR but never serviced because INTM=1
What we don’t know (would require source access)
- TI Calypso DBB datasheet (TWL3014 / OMAP-equivalent) is not public
- The silicon mechanism that triggers initial INTM clearance is undocumented in the public corpus reviewed:
- SPRU131G (C54x CPU/Peripherals): bit-by-bit PMST/ST0/ST1 reset values confirmed (INTM=1, SXM=1, XF=1) but no transition mechanism documented
- SPRU172C (Mnemonic instruction set): RETE/FRET semantics confirmed (INTM=0 on RETE/RETED), but doesn’t explain how silicon clears INTM initially without the firmware executing F6BB
- SPRU288 (C548/C549 Bootloader): does not apply to Calypso (MP/MC=1 selects external program memory, internal TI ROM is not used)
- FreeCalypso
Calypso_overview.pdf: DSP IRQ sources documented as {IT_DSP, IT_DSP_PG via MOVE, INT0/INT1 RIF, RSN reset} — no NMI mechanism explicitly described - osmocom-bb
dsp.c:APIC_W_DSPINT = (1<<2)defined but zero usage in the firmware tree — the bit exists but is not wired up freecalypso-reveng/bootrom.notes: covers ARM UART loader, not DSP- Mail-archive search for “freecalypso INTM” / “dsp_power_on”: no hits
- Hypotheses remaining (none falsifiable with current public docs):
- ARM-fired NMI via undocumented hardware path
- IT_DSP_PG self-trigger from ARM via TPU MOVE instruction (slide 47 of Calypso overview confirms this exists)
- Silicon-internal signal not exposed in any public document
Diagnostic instrument in use (not a workaround)
CALYPSO_FORCE_INTM_CLEAR_AT=2000000 environment variable forces a single INTM clear at insn=2M. This is a diagnostic instrument, not a fix — it lets the rest of the pipeline run for further development of FB-detect, SB-decode, BCCH read, etc. The behavior under this instrument is empirically equivalent to a hypothetical correct silicon mechanism: with it active + all 5 structural fixes, the DSP completes init globally (IMR=0xFFFF), traverses XPC=0/2/3, writes d_fb_det multiple times, and the ARM mobile stays patient on FBSB_REQ.
The instrument is documented as such in calypso_c54x.c and is only active when the environment variable is set. Default behavior (instrument off) is silicon-faithful — INTM stays at 1 indefinitely and IRQ are not serviced, matching the empirical reality of an undocumented mechanism.
Suggested investigation paths (for future sessions)
- FreeCalypso source review — read
fc-magnetiteandfc-tourmalinefirmware source for actual DSP boot init sequence, particularly anyMOVEto TPU IT_CTRL register that might trigger IT_DSP_PG, or any ARM-side write that maps onto the documented APIC_W_DSPINT. - Hardware probe on Mot C123 or FCDEV3B — capture DSP register state immediately after boot to observe INTM transition empirically.
- TI Calypso DBB datasheet acquisition — NDA path with TI legacy support, or industry contacts who worked on Calypso (Openmoko, Pirelli, Motorola C series engineers).
- Test: fire NMI manually via QMP/HMP — add a 5-line monitor command that calls
c54x_interrupt_ex(s->dsp, 1, -1)(with imr_bit gate bypassed). If issuing this manually unblocks the DSP into IRQ-serviced state, that’s empirical evidence the silicon mechanism resembles NMI. Falsifiable test, doesn’t commit to a permanent code change.
Recommended next steps
- Commit the 5 fixes as 3 separate commits (or one consolidated) with detailed messages. State is empirically validated.
- Document INTM-clear as known issue in CLAUDE.md “Current Bug” section (already there; update with new evidence from this session).
- Park NMI hypothesis until either:
- A Calypso DBB datasheet surfaces (FreeCalypso community, leaked, etc.)
- Or a runtime trace from a real Calypso device DSP shows the NMI being entered post-power-on
- Continue FB-det / signal-processing work with DIAG-HACK active — the pipeline is fully functional with hack, and further progress (FBSB_CONF, SB decode, BCCH read) doesn’t require the INTM mechanism to be silicon- accurate.
- If/when the BSP-DARAM-DSP read path is unblocked (via natural INTM clear or NMI fix), validate that PORTR PA=0x0034 count goes >0 and d_fb_det WR=1 events appear (FB matches found).
File inventory delivered this session
hw/arm/calypso/calypso_c54x.c (5 fixes integrated)
hw/arm/calypso/doc/datasheets/ (5 PDFs TI + 3 ROM dumps + README)
TI_SPRU131G_C54x_CPU_and_Peripherals.pdf
TI_SPRU172C_C54x_Mnemonic_Instruction_Set.pdf
TI_SPRU288_C548_C549_Bootloader.pdf
TI_SPRA036_DSP_Interrupts.pdf
TI_SPRA618_C5402_Bootloader.pdf
dsp-rom-3311-dump.txt
dsp-rom-3416-dump.txt
dsp-rom-3606-dump.txt
README.md (synthesis + open questions)
hw/arm/calypso/doc/opcodes/
0x68_0x6F.md (spec v2 verified)
0xF3.md (spec v1 verified)
hw/arm/calypso/doc/SESSION_20260429.md (this file)
scripts/inject_fcch.py (3 modes: bytes_zero / soft_neg127 / iq_raw)All synchronized across 3 trees: /home/nirvana/qemu/, /home/nirvana/qemu-calypso/, container /opt/GSM/qemu-src/.
./hw/arm/calypso/doc/SESSION_20260403.md
Session 2026-04-03 — Fix LD #k9,DP (0xEA) + TDMA boot
Bug Found: 0xEA decoded as BANZ instead of LD #k9,DP
Root cause
The C54x emulator treated opcode 0xEA as BANZ (branch on auxiliary register not zero). In reality: - BANZ = opcode 0110 11Z0 IAAAAAAA = 0x6C/0x6E (per SPRU172C p.4-16) - 0xEA = 1110 101k kkkk kkkk = LD #k9, DP (load data page pointer)
This caused the DSP to branch to random DARAM addresses (e.g., 0x1231) instead of continuing sequential execution. The DSP would get lost in empty DARAM.
Evidence
- 0xEA appears 202 times in the Calypso DSP ROM
- 114 uses have bit7=0 (direct addressing) which is impossible for BANZ (requires indirect)
- BANZ (0x6C/0x6E) appears 304 times separately in the ROM
- Confirmed via GNU binutils tic54x-opc.c:
LD #k9,DP= opcode 0xEA00, mask 0xFE00
Fix
Replaced the 0xEA BANZ handler with:
if ((op & 0xFE00) == 0xEA00) {
uint16_t k9 = op & 0x01FF;
s->st0 = (s->st0 & ~ST0_DP_MASK) | k9;
return consumed; // 1 word
}Impact
- DSP boot now executes 197M instructions (was 86K) — full ROM init including DARAM population
data[0x1231] = 0x115F(was 0x0000) — DARAM correctly populated with processing codePMST = 0x4D86(OVLY=1) — DSP correctly enables overlay moded_dsp_pagealternates 0x0002/0x0003 — firmware/DSP page protocol workstask_md=5(FB search) correctly dispatched to DSP
Boot approach: TDMA-tick (from GSMTAP_WORKING)
Instead of c54x_run(10M) at DSP_DL_STATUS_READY, we now: 1. c54x_reset() + running = true 2. DSP runs 1M instructions per TDMA frame tick 3. SINT17 interrupt delivered when firmware sets TPU_CTRL_DSP_EN
This lets the timer (TINT0) fire between frames, which the DSP boot code needs.
Remaining issues
FB detection (result=255)
DSP runs FB search (task_md=5) but never sets d_fb_det=1 at NDB+0x48 (0xFFD001F0). Burst samples arrive via calypso_trx_rx_burst() and are written to DARAM at 0x03F0 and 0x04F0, but the DSP FB code may read from different addresses.
Unimplemented opcodes (non-blocking, 145 hits / 197M instructions)
| Opcode | Mnemonic | Words | Encoding |
|---|---|---|---|
| 0x9Bxx | RPT #k (11-bit) | 1 | 1001 1kkk kkkk kkkk |
| 0xC9xx | STL B, Smem | 1 | 1100 1SII IIII IIII |
| 0xA1xx | LD Smem, B | 1 | 1010 0SII IIII IIII |
| 0xD6xx | LD Smem, T | 1 | 1101 0III IIII IIII |
| 0xE0xx | BANZ pmad, *ARn- | 2 | standard BANZ alt? needs investigation |
| 0xF1xx | FIRS Xmem,Ymem,pmad | 2 | Symmetric FIR filter |
Priority: RPT #k (0x98-0x9F) is critical — used for block copies during boot/processing.
Files modified
calypso_c54x.cline 810: 0xEA BANZ -> LD #k9,DPcalypso_trx.cline 135: boot approach changed to TDMA-tickcalypso_trx.cline 292: added DSP run + SINT17 in TDMA tick
Key addresses reference
- d_fb_det = NDB+0x48 = ARM 0xFFD001F0 = DSP 0x08F8
- d_dsp_page = NDB+0x00 = ARM 0xFFD001A8 = DSP 0x08D4
- Write page 0 = ARM 0xFFD00000 = DSP 0x0800
- Write page 1 = ARM 0xFFD00028 = DSP 0x0814
- Read page 0 = ARM 0xFFD00050 = DSP 0x0828
- Read page 1 = ARM 0xFFD00078 = DSP 0x083C
./hw/arm/calypso/doc/opcodes/0xF3.md
0xF3xx (F0xx family) Opcode — Spec for QEMU C54x Decoder
Status: SPEC v1 — verified against binutils 2.21.1 source + SPRU172C Source: binutils include/opcode/tic54x.h + opcodes/tic54x-opc.c Date: 2026-04-29 Bug: 364 sites in firmware ROM mass-mis-dispatched as LD #k9, DP Wedge observed: PC=0x8eb9 (0xF3E1 = SFTL B, 1) → looped IMR fluctuations
Why this exists
Current QEMU decoder (calypso_c54x.c lines 1905-1932):
if (hi8 == 0xF3) {
uint8_t sub3 = (op >> 5) & 0x07;
if (sub3 == 0) {
/* F300-F31F: INTR k */ ← OK
}
/* F320+: LD #k9, DP */ ← FALLBACK CATCHES EVERYTHING ELSE
}This catches all F320-F3FF as LD #k9, DP. Per binutils, this is wrong for 364 sites (out of 376 non-INTR). The mis-decode causes: - 1-word ops (AND/OR/XOR/SFTL src,SHIFT,DST) get treated as DP load — DP corrupted in the middle of computation. - 2-word ops (ADD/SUB/AND/OR/XOR/MAC #lk variants) get treated as 1-word DP load — PC drifts +1 word, the lk operand executes as parasitic instruction.
This is the same class of bug as the 0x68-0x6F family that was fixed in stage 3 (see 0x68_0x6F.md). Same methodology applies.
Hot Wedge (current run validation case)
PROM0[0x8EB9] = 0xF3E1
binutils: matches sftl word1=0xF0E0 mask=0xFCE0 (1-word)
bits 9-8 = 11 → src=B, dst=B (3 = both B)
bits 7-5 = 111 → SFTL (sub-opcode discriminator)
bits 4-0 = 1 → SHIFT = +1
Effect: SFTL B, 1, B → B = B << 1
But QEMU decodes as: LD #(0xF3E1 & 0x1FF) = #0x1E1, DP
→ DP set to 0x1E1 (corrupts data addressing)
→ subsequent ops read wrong DARAM zone
→ IMR fluctuates with computed garbage values
→ loop at 0x8eb9 (back-branch from 0x8eba → 0x8eb2)If F3E1 is decoded correctly, B is shifted left by 1 (the proper init operation), DP is preserved, and the firmware progresses past 0x8eb9.
Family overview
Per binutils (verified):
| First-word | Mnemonic | Words | Mask | Base (in F3xx range) |
|---|---|---|---|---|
0xF300-0xF31F |
INTR k | 1 | 0xFFE0 | 0xF300 (handled OK) |
0xF320-0xF32F |
(unmapped/reserved) | — | — | — |
0xF330-0xF33F |
AND #lk, SHIFT, SRC, DST | 2 | 0xFCF0 | 0xF030 |
0xF340-0xF34F |
OR #lk, SHIFT, SRC, DST | 2 | 0xFCF0 | 0xF040 |
0xF350-0xF35F |
XOR #lku, SHIFT, SRC, DST | 2 | 0xFCF0 | 0xF050 |
0xF360 |
ADD #lk << 16, SRC, DST | 2 | 0xFCFF | 0xF060 |
0xF361 |
SUB #lk << 16, SRC, DST | 2 | 0xFCFF | 0xF061 |
0xF363 |
AND #lk << 16, SRC, DST | 2 | 0xFCFF | 0xF063 |
0xF364 |
OR #lk << 16, SRC, DST | 2 | 0xFCFF | 0xF064 |
0xF365 |
XOR #lku << 16, SRC, DST | 2 | 0xFCFF | 0xF065 |
0xF367 |
MAC #lk, SRC, DST | 2 | 0xFCFF | 0xF067 |
0xF368-0xF37F |
(unmapped) | — | — | — |
0xF380-0xF39F |
AND SRC, SHIFT, DST | 1 | 0xFCE0 | 0xF080 |
0xF3A0-0xF3BF |
OR SRC, SHIFT, DST | 1 | 0xFCE0 | 0xF0A0 |
0xF3C0-0xF3DF |
XOR SRC, SHIFT, DST | 1 | 0xFCE0 | 0xF0C0 |
0xF3E0-0xF3FF |
SFTL SRC, SHIFT, DST | 1 | 0xFCE0 | 0xF0E0 |
The 5 sub-families (AND/OR/XOR/ADD/SUB/SFTL/MAC) all share the F0xx generic arithmetic encoding pattern: bits 9-8 = SRC/DST, bits 7-5 = sub-opcode, bits 4-0 = SHIFT (signed 5-bit). bits 13-12 = “11” for F3xx range (vs 00 for F0xx, 01 for F1xx, 10 for F2xx). The QEMU F4-F7 fix already handled the analogous range with the same bits 9-8 src/dst convention.
Bit-by-bit decoding (1-word variants)
F3xx 1-word (mask 0xFCE0):
bits 15-10 : 111100 (always — F3xx range)
bit 9 : SRC (acc 0=A, 1=B) — free
bit 8 : DST (acc 0=A, 1=B) — free
bits 7-5 : sub-opcode discriminator:
100 = AND (matches 0xF080 base + 0xF300 high nibble)
101 = OR (matches 0xF0A0)
110 = XOR (matches 0xF0C0)
111 = SFTL (matches 0xF0E0)
bits 4-0 : SHIFT (signed 5-bit, -16..+15)Wedge case verification: - 0xF3E1 = 1111 0011 1110 0001 - bits 15-10 = 111100 ✓ - bit 9 = 1 → SRC=B - bit 8 = 1 → DST=B - bits 7-5 = 111 → SFTL ✓ - bits 4-0 = 00001 → SHIFT=+1 - → SFTL B, 1, B (B = B << 1)
Bit-by-bit decoding (2-word variants)
Mask 0xFCF0 (with #lk operand following)
F3xx 2-word (mask 0xFCF0):
bits 15-10 : 111100 (F3xx)
bit 9 : SRC — free
bit 8 : DST — free
bits 7-4 : sub-opcode:
0000 = ADD (base 0xF000 → F300-F30F doesn't exist; F330+ does
if bit 12 high nibble = 11; check distinct from INTR)
0001 = SUB (base 0xF010 → F310-F31F = INTR! collision!)
0011 = AND (base 0xF030 → F330-F33F)
0100 = OR (base 0xF040 → F340-F34F)
0101 = XOR (base 0xF050 → F350-F35F)
bits 3-0 : SHIFT (signed 4-bit, -8..+7)
word2: 16-bit lk constant (signed for ADD/SUB/AND/OR; unsigned for XOR via OP_lku)Important caveat — collision F310-F31F:
INTR k is at base 0xF300 mask 0xFFE0 (1-word, k=bits 4-0). This range is 0xF300-0xF31F. But binutils also has sub at base 0xF010 mask 0xFCF0 (2-word). When we look at F3xx range, 0xF310-0xF31F matches BOTH: - INTR (mask 0xFFE0) → bits 4-0 = k = 0..31 - SUB (mask 0xFCF0) → matches F310-F31F if bits 7-4 = 0001
The current QEMU decoder treats 0xF300-0xF31F as INTR (sub3==0 in the existing code). This is probably correct because: - INTR is documented as an explicit software interrupt with smaller mask - SUB at F310+ would conflict with INTR semantically - 342 firmware sites in F300-F31F all behave as INTR per existing decoder
Decision: keep INTR k handling for F300-F31F, use the new 2-word ADD/SUB/AND/OR/XOR dispatch only for F330-F35F. Same for F320-F32F (unmapped, 4 sites in firmware — leave as fallback).
Mask 0xFCFF (specific lk variants)
F3xx 2-word (mask 0xFCFF):
bits 15-10 : 111100
bit 9 : SRC
bit 8 : DST
bits 7-0 : exact match to base:
0x60 = ADD #lk << 16 (base 0xF060 → 0xF360)
0x61 = SUB #lk << 16 (base 0xF061 → 0xF361)
0x63 = AND #lk << 16 (base 0xF063 → 0xF363)
0x64 = OR #lk << 16 (base 0xF064 → 0xF364)
0x65 = XOR #lk << 16 (base 0xF065 → 0xF365)
0x67 = MAC #lk, SRC, DST (base 0xF067 → 0xF367)
word2: 16-bit lk constantThese are the “hardcoded shift = 16” or MAC variants. Only 41 firmware sites in F360-F367 range.
Implementation order
First: 1-word SFTL/AND/OR/XOR (F380-F3FF) — 159 firmware sites, directly tied to current wedge at PC=0x8eb9 (SFTL B,1). Most impactful.
Second: 2-word ADD/SUB/AND/OR/XOR #lk dst (F330-F35F) — 162 sites, second-most-impactful.
Third: 2-word variants (F360-F367) — 41 sites, less impactful.
Skip for now: F320-F32F (4 sites, unmapped — fallback to NOP-log for diagnostic) and F368-F37F (5 sites, unmapped).
Counts (firmware ROM static)
| Range | Mnemonic | Hits |
|---|---|---|
| F300-F31F | INTR k (handled) | 342 |
| F320-F32F | unmapped | 4 |
| F330-F35F | ADD/SUB/AND/OR/XOR #lk,dst (2-word) | 162 |
| F360-F367 | ADD/SUB/AND/OR/XOR/MAC #lk variants (2-word) | 41 |
| F368-F37F | unmapped | 5 |
| F380-F39F | AND src,SHIFT,DST (1-word) | 5 |
| F3A0-F3BF | OR src,SHIFT,DST (1-word) | 7 |
| F3C0-F3DF | XOR src,SHIFT,DST (1-word) | 10 |
| F3E0-F3FF | SFTL src,SHIFT (1-word) | 137 ← biggest single subgroup |
| Total buggy | 371 |
Implementation pseudo-code
/* F3xx dispatch — replace existing line 1905-1932.
* Order: most-restrictive masks first to avoid unintended overlap. */
if (hi8 == 0xF3) {
/* F300-F31F: INTR k (handled — preserve existing behavior). */
if ((op & 0xFFE0) == 0xF300) {
int vec = op & 0x1F;
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 1));
s->st1 |= ST1_INTM;
uint16_t iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
s->pc = (iptr * 0x80) + vec * 4;
return 0;
}
/* F360-F367: 2-word with mask FCFF (hardcoded variants).
* Most restrictive, check first. Match against bits 7-0 ignoring 9-8. */
if ((op & 0xFCFF) == 0xF060 || /* F360 ADD #lk<<16 */
(op & 0xFCFF) == 0xF061 || /* F361 SUB */
(op & 0xFCFF) == 0xF063 || /* F363 AND */
(op & 0xFCFF) == 0xF064 || /* F364 OR */
(op & 0xFCFF) == 0xF065 || /* F365 XOR */
(op & 0xFCFF) == 0xF067) { /* F367 MAC */
op2 = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
consumed = 2;
int sub = op & 0x7; /* bits 2-0 */
int src_b = (op >> 9) & 1;
int dst_b = (op >> 8) & 1;
int64_t src = src_b ? s->b : s->a;
int64_t lk = (int16_t)op2; /* signed for most, unsigned for XOR */
int64_t result = 0;
switch (sub) {
case 0x0: result = src + ((int64_t)lk << 16); break; /* ADD */
case 0x1: result = src - ((int64_t)lk << 16); break; /* SUB */
case 0x3: result = src & (((uint64_t)(uint16_t)op2) << 16); break; /* AND */
case 0x4: result = src | (((uint64_t)(uint16_t)op2) << 16); break; /* OR */
case 0x5: result = src ^ (((uint64_t)(uint16_t)op2) << 16); break; /* XOR */
case 0x7: { /* MAC: dst += T * lk */
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)op2;
if (s->st1 & ST1_FRCT) prod <<= 1;
result = src + prod;
break;
}
}
if (dst_b) s->b = sext40(result); else s->a = sext40(result);
return consumed + s->lk_used;
}
/* F330-F35F: 2-word with mask FCF0 (#lk + shift in bits 3-0). */
if (((op & 0xFCF0) == 0xF030) || /* AND */
((op & 0xFCF0) == 0xF040) || /* OR */
((op & 0xFCF0) == 0xF050)) { /* XOR */
op2 = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
consumed = 2;
int subop = (op >> 4) & 0xF; /* bits 7-4 = sub */
int shift_raw = op & 0xF; /* bits 3-0 = shift (4-bit signed) */
int shift = (shift_raw & 0x8) ? (shift_raw - 16) : shift_raw;
int src_b = (op >> 9) & 1;
int dst_b = (op >> 8) & 1;
int64_t src = src_b ? s->b : s->a;
int64_t lk = (int16_t)op2;
int64_t shifted = (shift >= 0) ? (lk << shift) : (lk >> (-shift));
int64_t result;
switch (subop) {
case 0x3: result = src & shifted; break; /* AND */
case 0x4: result = src | shifted; break; /* OR */
case 0x5: result = src ^ shifted; break; /* XOR */
default: result = src; break; /* unknown — log */
}
if (dst_b) s->b = sext40(result); else s->a = sext40(result);
return consumed + s->lk_used;
}
/* F300/F310 ADD/SUB collision avoided: F300-F31F caught by INTR
* handler above. So F300-F30F (ADD) and F310-F31F (SUB) 2-word
* variants per binutils mask FCF0 are NOT reachable here. They
* are 0 sites in firmware so no impact. */
/* F380-F3FF: 1-word AND/OR/XOR/SFTL src,SHIFT,DST.
* Mask 0xFCE0, sub-opcode in bits 7-5. */
if ((op & 0xFCE0) == 0xF080 || /* AND */
(op & 0xFCE0) == 0xF0A0 || /* OR */
(op & 0xFCE0) == 0xF0C0 || /* XOR */
(op & 0xFCE0) == 0xF0E0) { /* SFTL */
int sub = (op >> 5) & 0x7; /* bits 7-5 = sub-op */
int src_b = (op >> 9) & 1;
int dst_b = (op >> 8) & 1;
int shift_raw = op & 0x1F;
int shift = (shift_raw & 0x10) ? (shift_raw - 32) : shift_raw;
int64_t src = src_b ? s->b : s->a;
int64_t result;
switch (sub) {
case 0x4: { /* AND src,SHIFT,DST: DST = SRC & (DST_in << shift) */
int64_t dst_in = dst_b ? s->b : s->a;
int64_t shifted = (shift >= 0) ? (dst_in << shift) : (dst_in >> (-shift));
result = src & shifted;
break;
}
case 0x5: { /* OR */
int64_t dst_in = dst_b ? s->b : s->a;
int64_t shifted = (shift >= 0) ? (dst_in << shift) : (dst_in >> (-shift));
result = src | shifted;
break;
}
case 0x6: { /* XOR */
int64_t dst_in = dst_b ? s->b : s->a;
int64_t shifted = (shift >= 0) ? (dst_in << shift) : (dst_in >> (-shift));
result = src ^ shifted;
break;
}
case 0x7: { /* SFTL src,SHIFT,DST: DST = SRC << shift (logical, no sign-extend) */
uint64_t usrc = (uint64_t)src & 0xFFFFFFFFFFULL; /* 40-bit */
result = (int64_t)((shift >= 0) ? (usrc << shift) : (usrc >> (-shift)));
break;
}
default:
result = src; /* shouldn't reach */
break;
}
if (dst_b) s->b = sext40(result); else s->a = sext40(result);
return consumed + s->lk_used;
}
/* F320-F32F + F368-F37F: unmapped per binutils.
* Log-once and treat as NOP for safety. 9 firmware sites total. */
static int unmapped_log = 0;
if (unmapped_log++ < 20)
C54_LOG("F3xx unmapped op=0x%04x PC=0x%04x (treated as NOP)",
op, s->pc);
return consumed + s->lk_used;
}Wedge case verification
For the current wedge 0xF3E1 at PC=0x8eb9: - (0xF3E1 & 0xFCE0) == 0xF0E0 → SFTL match ✓ - src_b = 1 → SRC=B - dst_b = 1 → DST=B - shift_raw = 1 → SHIFT = +1 - Effect: B = B << 1 (logical)
If B was the FB-det correlator accumulator with a meaningful value, shifting left by 1 advances the integration. The DSP would no longer loop at 0x8eb9.
SFTL note: arithmetic vs logical
Per SPRU172C, SFTL = “Shift Logical” = no sign extension on right shift. Distinct from SFTA (Shift Arithmetic) which preserves sign on right shift. Important when shift is negative (right shift of high accumulator bits).
References
binutils-2.21.1/opcodes/tic54x-opc.clines 254, 255, 259, 261-262, 379, 381-382, 418, 451-452, 459, 461-462 (5 mnemonics, 15 entries total)binutils-2.21.1/include/opcode/tic54x.hlines 85-150 (struct insn_template)- SPRU172C entries:
- SFTL: shift logical (no sign-extend)
- AND/OR/XOR src,SHIFT,DST: 1-word arith with operand shift
- ADD/SUB/AND/OR/XOR #lk,dst: 2-word with long immediate
- Wedge verification:
0xF3E1at PROM0[0x8EB9], current run hot PC. - Companion fix:
0x68_0x6F.md(same methodology, F4-F7 family already fixed).
./hw/arm/calypso/doc/opcodes/tic54x_hi8_map.md
Tic54x C54x Opcode Map (hi8 → mnemonic)
Source authoritative : binutils-2.21.1/opcodes/tic54x-opc.c (encoding officiel TI).
Cross-référence à utiliser pour vérifier le décodage c54x_exec_one() dans calypso_c54x.c. Chaque ligne donne l’instruction qui couvre le hi8 (byte de poids fort de l’opcode) ; pour un encodage exact, le mask de chaque entrée tic54x doit être respecté.
Table complète 0x00..0xFF
| hi8 | mnemonic | base / mask |
|---|---|---|
| 0x00..0x01 | add |
0x0000 / 0xFE00 |
| 0x02..0x03 | adds |
0x0200 / 0xFE00 |
| 0x04..0x05 | add |
0x0400 / 0xFE00 |
| 0x06..0x07 | addc |
0x0600 / 0xFE00 |
| 0x08..0x09 | sub |
0x0800 / 0xFE00 |
| 0x0A..0x0B | subs |
0x0A00 / 0xFE00 |
| 0x0C..0x0D | sub |
0x0C00 / 0xFE00 |
| 0x0E..0x0F | subb |
0x0E00 / 0xFE00 |
| 0x10..0x11 | ld |
0x1000 / 0xFE00 |
| 0x12..0x13 | ldu |
0x1200 / 0xFE00 |
| 0x14..0x15 | ld |
0x1400 / 0xFE00 |
| 0x16..0x17 | ldr |
0x1600 / 0xFE00 |
| 0x18..0x19 | and |
0x1800 / 0xFE00 |
| 0x1A..0x1B | or |
0x1A00 / 0xFE00 |
| 0x1C..0x1D | xor |
0x1C00 / 0xFE00 |
| 0x1E..0x1F | subc |
0x1E00 / 0xFE00 |
| 0x20..0x21 | mpy |
0x2000 / 0xFE00 |
| 0x22..0x23 | mpyr |
0x2200 / 0xFE00 |
| 0x24..0x25 | mpyu |
0x2400 / 0xFE00 |
| 0x26..0x27 | squr |
0x2600 / 0xFE00 |
| 0x28..0x29 | mac |
0x2800 / 0xFE00 |
| 0x2A..0x2B | macr |
0x2A00 / 0xFE00 |
| 0x2C..0x2D | mas |
0x2C00 / 0xFE00 |
| 0x2E..0x2F | masr |
0x2E00 / 0xFE00 |
| 0x30 | ld |
0x3000 / 0xFF00 |
| 0x31 | mpya |
0x3100 / 0xFF00 |
| 0x32 | ld |
0x3200 / 0xFF00 |
| 0x33 | masa |
0x3300 / 0xFF00 |
| 0x34 | bitt |
0x3400 / 0xFF00 |
| 0x35 | maca |
0x3500 / 0xFF00 |
| 0x36 | poly |
0x3600 / 0xFF00 |
| 0x37 | macar |
0x3700 / 0xFF00 |
| 0x38..0x39 | squra |
0x3800 / 0xFE00 |
| 0x3A..0x3B | squrs |
0x3A00 / 0xFE00 |
| 0x3C..0x3F | add |
0x3C00 / 0xFC00 |
| 0x40..0x43 | sub |
0x4000 / 0xFC00 |
| 0x44..0x45 | ld |
0x4400 / 0xFE00 |
| 0x46 | ld |
0x4600 / 0xFF00 |
| 0x47 | rpt |
0x4700 / 0xFF00 |
| 0x48..0x49 | ldm |
0x4800 / 0xFE00 |
| 0x4A | pshm |
0x4A00 / 0xFF00 |
| 0x4B | pshd |
0x4B00 / 0xFF00 |
| 0x4C | ltd |
0x4C00 / 0xFF00 |
| 0x4D | delay |
0x4D00 / 0xFF00 |
| 0x4E..0x4F | dst |
0x4E00 / 0xFE00 |
| 0x50..0x53 | dadd |
0x5000 / 0xFC00 |
| 0x54..0x55 | dsub |
0x5400 / 0xFE00 |
| 0x56..0x57 | dld |
0x5600 / 0xFE00 |
| 0x58..0x59 | drsub |
0x5800 / 0xFE00 |
| 0x5A..0x5B | dadst |
0x5A00 / 0xFE00 |
| 0x5C..0x5D | dsubt |
0x5C00 / 0xFE00 |
| 0x5E..0x5F | dsadt |
0x5E00 / 0xFE00 |
| 0x60 | cmpm |
0x6000 / 0xFF00 |
| 0x61 | bitf |
0x6100 / 0xFF00 |
| 0x62..0x63 | mpy |
0x6200 / 0xFE00 |
| 0x64..0x67 | mac |
0x6400 / 0xFC00 |
| 0x68 | andm |
0x6800 / 0xFF00 |
| 0x69 | orm |
0x6900 / 0xFF00 |
| 0x6A | xorm |
0x6A00 / 0xFF00 |
| 0x6B | addm |
0x6B00 / 0xFF00 |
| 0x6C | banz |
0x6C00 / 0xFF00 |
| 0x6D | mar |
0x6D00 / 0xFF00 |
| 0x6E | banzd |
0x6E00 / 0xFF00 |
| 0x6F | add / ld / sth / stl / sub |
0x6F00 / 0xFF00 (sous-encodings via bits internes) |
| 0x70 | mvkd |
0x7000 / 0xFF00 |
| 0x71 | mvdk |
0x7100 / 0xFF00 |
| 0x72 | mvdm |
0x7200 / 0xFF00 |
| 0x73 | mvmd |
0x7300 / 0xFF00 |
| 0x74 | portr |
0x7400 / 0xFF00 |
| 0x75 | portw |
0x7500 / 0xFF00 |
| 0x76 | st |
0x7600 / 0xFF00 |
| 0x77 | stm |
0x7700 / 0xFF00 |
| 0x78..0x79 | macp |
0x7800 / 0xFE00 |
| 0x7A..0x7B | macd |
0x7A00 / 0xFE00 |
| 0x7C | mvpd |
0x7C00 / 0xFF00 |
| 0x7D | mvdp |
0x7D00 / 0xFF00 |
| 0x7E | reada |
0x7E00 / 0xFF00 |
| 0x7F | writa |
0x7F00 / 0xFF00 |
| 0x80..0x81 | stl |
0x8000 / 0xFE00 |
| 0x82..0x83 | sth |
0x8200 / 0xFE00 |
| 0x84..0x85 | stl |
0x8400 / 0xFE00 (variante avec ASM) |
| 0x86..0x87 | sth |
0x8600 / 0xFE00 (variante avec ASM) |
| 0x88..0x89 | stlm |
0x8800 / 0xFE00 |
| 0x8A | popm |
0x8A00 / 0xFF00 ← fixé 2026-05-08 |
| 0x8B | popd |
0x8B00 / 0xFF00 ← TODO : qemu-calypso le décode en MVDK |
| 0x8C | st (T, Smem) |
0x8C00 / 0xFF00 |
| 0x8D | st (TRN, Smem) |
0x8D00 / 0xFF00 |
| 0x8E..0x8F | cmps |
0x8E00 / 0xFE00 |
| 0x90..0x91 | add |
0x9000 / 0xFE00 |
| 0x92..0x93 | sub |
0x9200 / 0xFE00 |
| 0x94..0x95 | ld |
0x9400 / 0xFE00 |
| 0x96 | bit |
0x9600 / 0xFF00 |
| 0x98..0x99 | stl |
0x9800 / 0xFE00 (variante shift) |
| 0x9A..0x9B | sth |
0x9A00 / 0xFE00 (variante shift) |
| 0x9C | strcd |
0x9C00 / 0xFF00 |
| 0x9D | srccd |
0x9D00 / 0xFF00 |
| 0x9E..0x9F | saccd |
0x9E00 / 0xFE00 |
| 0xA0..0xA1 | add |
0xA000 / 0xFE00 |
| 0xA2..0xA3 | sub |
0xA200 / 0xFE00 |
| 0xA4..0xA5 | mpy |
0xA400 / 0xFE00 |
| 0xA6..0xA7 | macsu |
0xA600 / 0xFE00 |
| 0xA8..0xAF | ld (variantes) |
0xA800-0xAE00 / 0xFE00 ← TODO : qemu code 0xAA/AB en STLM (ce devrait être 0x88) |
| 0xB0..0xB3 | mac |
0xB000 / 0xFC00 |
| 0xB4..0xB7 | macr |
0xB400 / 0xFC00 |
| 0xB8..0xBB | mas |
0xB800 / 0xFC00 |
| 0xBC..0xBF | masr |
0xBC00 / 0xFC00 |
| 0xC0..0xC3 | st (parallel) |
0xC000 / 0xFC00 — ST src,Ymem \|\| ADD/SUB/etc Xmem,dst |
| 0xC4..0xC7 | st (parallel) |
0xC400 / 0xFC00 |
| 0xC8..0xCB | st (parallel) |
0xC800 / 0xFC00 — ST \|\| LD (correctement décodé qemu ligne 4773) |
| 0xCC..0xCF | st (parallel) |
0xCC00 / 0xFC00 |
| 0xD0..0xD3 | st (parallel) |
0xD000 / 0xFC00 |
| 0xD4..0xD7 | st (parallel) |
0xD400 / 0xFC00 |
| 0xD8..0xDB | st (parallel) |
0xD800 / 0xFC00 |
| 0xDC..0xDF | st (parallel) |
0xDC00 / 0xFC00 ← TODO : qemu décode 0xDD en POPD (cause SP runaway) |
| 0xE0 | firs |
0xE000 / 0xFF00 |
| 0xE1 | lms |
0xE100 / 0xFF00 |
| 0xE2 | sqdst |
0xE200 / 0xFF00 |
| 0xE3 | abdst |
0xE300 / 0xFF00 |
| 0xE4..0xE7 | st (parallel) |
0xE400 / 0xFC00 — overlapping with: |
mvdd |
0xE500 / 0xFF00 | |
mvmm |
0xE700 / 0xFF00 | |
| 0xE8..0xE9 | ld |
0xE800 / 0xFE00 |
| 0xEA..0xEB | ld |
0xEA00 / 0xFE00 |
| 0xEC | rpt |
0xEC00 / 0xFF00 |
| 0xED | ld (k5,ASM) |
0xED00 / 0xFFE0 (ED20+ = autre famille) |
| 0xEE | frame |
0xEE00 / 0xFF00 |
| 0xF0..0xF3 | add (2-mot) |
0xF000 / 0xFCF0 (sous-formes ADD/SUB/AND/OR/XOR/MAC #lk) |
| 0xF4..0xF7 | add (2-mot) + special |
0xF400 / 0xFCE0 + cas spéciaux : |
rsbx N,SBIT |
0xF4B0 / 0xFDF0 | |
ssbx N,SBIT |
0xF5B0 / 0xFDF0 | |
bacc/cala |
0xF4E2/F4E3 / 0xFEFF | |
idle 1/2/3 |
0xF4E1 / 0xFCFF | |
rete |
0xF4EB | |
fret |
0xF4E4 | |
nop |
0xF495 | |
trap k |
0xF4C0 / 0xFFE0 | |
| 0xF8 | bc |
0xF800 / 0xFF00 |
| 0xF9 | cc |
0xF900 / 0xFF00 |
| 0xFA | bcd |
0xFA00 / 0xFF00 |
| 0xFB | ccd |
0xFB00 / 0xFF00 |
| 0xFC | ret / rc cond |
0xFC00 / 0xFF00 |
| 0xFD | xc 1, cond |
0xFD00 / 0xFD00 |
| 0xFE | retd / rcd cond |
0xFE00 / 0xFF00 |
| 0xFF | xc 2, cond |
0xFD00 / 0xFD00 |
Encodings sous-mnémoniques importants
MMR addressing
- bits 7:0 du second mot ou du smem field = MMR sélection (0x00..0x7F)
- MMR clés :
- 0x06 = ST0
- 0x07 = ST1 (bit 11 = INTM)
- 0x10..0x17 = AR0..AR7
- 0x18 = SP
- 0x19 = BK
- 0x20 = IMR
- 0x21 = IFR
Conditions XC / BC / CC / RC (8-bit cond field)
0x00= UNC (always)0x08= NC (Not Carry, !C)0x0C= C (Carry)0x20= NTC (Not TC)0x30= TC0x42= AGEQ (A >= 0)0x43= ALT (A < 0)0x44= ANEQ0x45= AEQ0x46= AGT0x47= ALEQ0x60= ANOV / BNOV0x70= AOV / BOV
ST1 layout (bit positions)
| bit | flag |
|---|---|
| 15 | BRAF |
| 14 | CPL |
| 13 | XF |
| 12 | HM |
| 11 | INTM |
| 10 | reserved |
| 9 | OVM |
| 8 | SXM |
| 7 | C16 |
| 6 | FRCT |
| 5 | CMPT |
| 4..0 | ASM |
Cas connus de misclassification dans qemu-calypso
| Opcode | tic54x | qemu-calypso | Statut |
|---|---|---|---|
| 0x8A | popm MMR | (était MVDK Smem,dmad — 2-mot) | fixé 2026-05-08 |
| 0x8B | popd Smem | “MVDK with long address” (ligne 4220) | TODO |
| 0xDD | st (parallel) | POPD Smem (ligne 4745) | TODO — cause SP runaway |
| 0xDE | st (parallel) | POPD dmad (2-mot, ligne 4753) | TODO |
| 0xCD | st (parallel) | POPM MMR (ligne ~4704) | TODO |
| 0xC5 | st (parallel) | PSHM MMR (ligne 4660) | TODO |
| 0xCE | st (parallel) | FRAME #k | TODO (FRAME est en 0xEE per tic54x) |
| 0xAA-0xAB | ld (long-addr variants) | STLM src,MMR (ligne 4353) | TODO (STLM est en 0x88 per tic54x) |
| 0x80 | stl src, Smem | “MVDD Smem,Smem” | TODO |
| 0x71 | mvdk Smem,dmad | (vérifier) | TODO |
Référence
- TI SPRU172C — TMS320C54x DSP Reference Set Volume 1: CPU and Peripherals
- Binutils 2.21.1 source :
/home/nirvana/gnuarm/src/binutils-2.21.1/opcodes/tic54x-opc.c
./hw/arm/calypso/doc/opcodes/0x68_0x6F.md
0x68xx-0x6Fxx Opcode Family — Spec for QEMU C54x Decoder
Status: SPEC v2 — verified against binutils 2.21.1 source + SPRU172C Source: binutils include/opcode/tic54x.h + opcodes/tic54x-opc.c + SPRU172C Date: 2026-04-28 Changelog: - v1 (initial): bit assignments deduced from masks, BANZ ordering described as “decrement-then-test” (incorrect) - v2 (this): bit assignments verified against insn_template struct + binutils macros; BANZ ordering corrected per SPRU172C Examples 3+4
Why this exists
QEMU’s current C54x decoder has a single fallback (op & 0xF800) == 0x6800 treating the entire range 0x6800-0x6FFF as LD Smem, T (1-word). Per binutils, the 7 sub-families (excluding 0x6Dxx which is correctly handled) are all 2-word instructions with distinct semantics. The wrong fallback causes: - PC drifts +1 word at every site (operand consumed as next opcode) - The lk/pmad operand executes as a parasitic instruction - 2107 sites in firmware ROM (PROM0/1/2/3) → wedge displaces between runs depending on which path is taken
Reference: this spec is for fixing that. See doc/datasheets/README.md §7 candidate (1) “opcode mis-decode that drifts the PC away from the init path”.
Verified: binutils struct layout
Per include/opcode/tic54x.h:85-150, the insn_template struct has:
typedef struct _template {
const char *name;
unsigned int words; // insn size in words
int minops, maxops;
unsigned short opcode; // word0 base
unsigned short mask; // word0 mask
enum optype operand_types[4];
unsigned short flags; // FL_EXT=0x20 → 2-word, FL_DELAY=0x10 → delayed branch, etc.
unsigned short opcode2, mask2; // ★ "some insns have an extended opcode" (word1)
const char *parname;
enum optype paroperand_types[4];
} insn_template;So opcode2/mask2 are the canonical word1 base/mask fields for FL_EXT instructions. They are NOT parallel-instruction fields (those are parname and paroperand_types[]).
Useful binutils macros for decoding:
##define SRC(OP) ((OP)&0x200) // bit 9
##define DST(OP) ((OP)&0x100) // bit 8
##define SRC1(OP) ((OP)&0x100) // bit 8 (alias for single-acc instructions)
##define SHIFT(OP) (((OP)&0x10)?(((OP)&0x1F)-32):((OP)&0x1F)) // signed 5-bit
##define INDIRECT(OP) ((OP)&0x80) // bit 7
##define MOD(OP) (((OP)>>3)&0xF)
##define ARF(OP) ((OP)&0x7)
##define MMR(OP) ((OP)&0x7F)Family overview
| First-word | Mnemonic | Words | Operands (binutils) | Status QEMU |
|---|---|---|---|---|
0x68xx |
ANDM #lk, Smem |
2 | OP_lk, OP_Smem | MISSING |
0x69xx |
ORM #lk, Smem |
2 | OP_lk, OP_Smem | MISSING |
0x6Axx |
XORM #lku, Smem |
2 | OP_lku, OP_Smem | MISSING |
0x6Bxx |
ADDM #lk, Smem |
2 | OP_lk, OP_Smem | MISSING |
0x6Cxx |
BANZ pmad, Sind |
2 | OP_pmad, OP_Sind | MISSING |
0x6Dxx |
MAR Smem |
1 | OP_Smem | OK |
0x6Exx |
BANZD pmad, Sind |
2 (delayed, 2 slots) | OP_pmad, OP_Sind | MISSING |
0x6Fxx |
ADD/SUB/LD/STH/STL Smem,SHIFT,DST |
2 (extended) | (see §6F00 sub-encoding) | MISSING |
Smem encoding for first word (bits 6:0): - bit 7 = 0 → direct (DP-relative): addr = (DP << 7) | (op & 0x7F) - bit 7 = 1 → indirect: standard ARn-mode (already covered by resolve_smem)
§0x68xx — ANDM #lk, Smem
Encoding:
word0: 0110 1000 SSSS SSSS (op & 0xFF00 == 0x6800)
word1: KKKK KKKK KKKK KKKK (lk = 16-bit immediate, signed)
Semantics:
data[Smem] = data[Smem] & lk
PC advance: +2
Side effects: TC unchanged, no accumulator side effect.Flags FL_NR = no repeat allowed.
§0x69xx — ORM #lk, Smem
Encoding:
word0: 0110 1001 SSSS SSSS (op & 0xFF00 == 0x6900)
word1: KKKK KKKK KKKK KKKK
Semantics:
data[Smem] = data[Smem] | lkFlags FL_NR|FL_SMR.
§0x6Axx — XORM #lku, Smem
Encoding:
word0: 0110 1010 SSSS SSSS (op & 0xFF00 == 0x6A00)
word1: KKKK KKKK KKKK KKKK (lku = unsigned 16-bit)
Semantics:
data[Smem] = data[Smem] ^ lkubinutils uses OP_lku (unsigned) here vs OP_lk (signed) in others — relevant only for sign-extension semantics during the lk fetch. For pure bitwise XOR, no observable difference, but documented for completeness.
§0x6Bxx — ADDM #lk, Smem
Encoding:
word0: 0110 1011 SSSS SSSS (op & 0xFF00 == 0x6B00)
word1: KKKK KKKK KKKK KKKK
Semantics:
data[Smem] = data[Smem] + lk
TC and overflow flags affected per SXM/OVM (verify against SPRU172C).Flags FL_NR|FL_SMR.
§0x6Cxx — BANZ pmad, Sind
Verified against SPRU172C p.4-15 (Examples 3 and 4):
Encoding:
word0: 0110 1100 IIII IIII (op & 0xFF00 == 0x6C00, Sind in low bits)
word1: PPPP PPPP PPPP PPPP (pmad = branch target)
Semantics (per SPRU172C):
1. Apply indirect addressing mode (Sind) to ARx via resolve_smem
→ ARx may be modified pre- or post-test depending on mode:
* `*ARn` no change
* `*ARn+` post-increment
* `*ARn-` post-decrement
* `*ARn(lk)` indexed, ARn unchanged
* `*+ARn(lk)` pre-modify ARn += lk (then test on new value)
2. test (ARx) ≠ 0 (after the indirect mode has been applied)
3. if (ARx) ≠ 0: PC ← pmad
else: PC += 2 (fall through)
Status bits: None (Status Bits: None per SPRU172C)Critical: my v1 spec had this as “decrement-then-test” — that was wrong. The decrement (or other modification) comes from the indirect mode, not from BANZ itself. resolve_smem already handles all indirect modes correctly in QEMU; the BANZ implementation should call resolve_smem first, then test ARx.
// Pseudo-code:
if ((op & 0xFF00) == 0x6C00) {
int arp = (s->st1 >> ST1_ARP_SHIFT) & 0x7;
/* resolve_smem applies the indirect mode and may modify s->ar[arp] */
int ind;
resolve_smem(s, op, &ind); /* side effect on ARx, return addr ignored */
uint16_t pmad = prog_fetch(s, s->pc + 1);
if (s->ar[arp] != 0) {
s->pc = pmad;
return 0;
}
return 2; /* skip op + pmad */
}B_BRANCH|FL_NR flags from binutils.
§0x6Exx — BANZD pmad, Sind (delayed)
Same as BANZ but with 2-slot delay:
Encoding:
word0: 0110 1110 IIII IIII (op & 0xFF00 == 0x6E00)
word1: PPPP PPPP PPPP PPPP
Semantics:
1. Apply indirect mode to ARx (via resolve_smem)
2. Save branch_taken = (ARx != 0)
3. Save branch_target = pmad
4. PC += 2 (advance to delay slot 1)
5. Execute delay slot 1 (1 word)
6. Execute delay slot 2 (1 word)
7. After delay slots: PC = branch_target if branch_taken, else continue
Pipeline: same delay-slot semantics as BD (0xF073) / CALAD (0xF6E3) /
RETD / FCALLD. MUST reuse the existing delay-slot mechanism in QEMU.Flags B_BRANCH|FL_DELAY|FL_NR — explicit FL_DELAY.
§0x6Fxx — Extended ADD/SUB/LD/STH/STL Smem, SHIFT, DST/SRC
Verified against binutils tic54x-opc.c lines 251, 327, 432, 437, 448:
The 5 mnemonics share opcode=0x6F00 mask=0xFF00 for word0 but differ in word1 via opcode2/mask2:
add word0=0x6F00 mask=0xFF00 word1 base=0x0C00 mask=0xFCE0 FL_EXT|FL_SMR
sub word0=0x6F00 mask=0xFF00 word1 base=0x0C20 mask=0xFCE0 FL_EXT|FL_SMR
ld word0=0x6F00 mask=0xFF00 word1 base=0x0C40 mask=0xFEE0 FL_EXT|FL_SMR
sth word0=0x6F00 mask=0xFF00 word1 base=0x0C60 mask=0xFEE0 FL_EXT
stl word0=0x6F00 mask=0xFF00 word1 base=0x0C80 mask=0xFEE0 FL_EXTWord1 bit-by-bit decoding (verified)
word1 layout:
bits 15-10 : 000011 (always — common pattern matching 0xFC00..0xFE00 base)
bit 9 : SRC (ADD/SUB only — bit free in mask 0xFCE0)
LD/STH/STL have bit 9 fixed to 0 (mask 0xFEE0 makes bit 9 strict)
bit 8 : DST (ADD/SUB) or SRC1 (LD/STH/STL — same bit position, same macro)
bits 7-5 : sub-opcode discriminator:
000 = ADD
001 = SUB
010 = LD
011 = STH
100 = STL
bits 4-0 : SHIFT (signed 5-bit, -16..+15)
SHIFT = (bit4 set) ? (bits[4:0] - 32) : bits[4:0]
(per SHIFT macro in tic54x.h)Sub-opcode discriminator at bits 7-5 — verified by computing (base >> 5) & 7:
ADD 0x0C00 → bits 7-5 = 000
SUB 0x0C20 → bits 7-5 = 001
LD 0x0C40 → bits 7-5 = 010
STH 0x0C60 → bits 7-5 = 011
STL 0x0C80 → bits 7-5 = 100Decoder implementation
if ((op & 0xFF00) == 0x6F00) {
int ind;
addr = resolve_smem(s, op, &ind); /* applies Smem indirect mode */
op2 = prog_fetch(s, s->pc + 1);
int sub = (op2 >> 5) & 0x7;
int shift_raw = op2 & 0x1F;
int shift = (shift_raw & 0x10) ? (shift_raw - 32) : shift_raw;
int dst_b = (op2 >> 8) & 1; /* bit 8 = DST/SRC1 */
int src_b = (op2 >> 9) & 1; /* bit 9 = SRC (ADD/SUB only) */
switch (sub) {
case 0b000: { /* ADD Smem,SHIFT,SRC,[DST] : DST = SRC + (data[Smem] << shift) */
int64_t v = (s->st1 & ST1_SXM) ? (int16_t)data_read(s, addr) : data_read(s, addr);
v = (shift >= 0) ? (v << shift) : (v >> (-shift));
int64_t src = src_b ? s->b : s->a;
int64_t result = sext40(src + v);
if (dst_b) s->b = result; else s->a = result;
/* TODO: OVA/OVB on overflow if OVM */
break;
}
case 0b001: { /* SUB Smem,SHIFT,SRC,[DST] : DST = SRC - (data[Smem] << shift) */
int64_t v = (s->st1 & ST1_SXM) ? (int16_t)data_read(s, addr) : data_read(s, addr);
v = (shift >= 0) ? (v << shift) : (v >> (-shift));
int64_t src = src_b ? s->b : s->a;
int64_t result = sext40(src - v);
if (dst_b) s->b = result; else s->a = result;
break;
}
case 0b010: { /* LD Smem,SHIFT,DST : DST = data[Smem] << shift */
int64_t v = (s->st1 & ST1_SXM) ? (int16_t)data_read(s, addr) : data_read(s, addr);
v = (shift >= 0) ? (v << shift) : (v >> (-shift));
if (dst_b) s->b = sext40(v); else s->a = sext40(v);
break;
}
case 0b011: { /* STH SRC,SHIFT,Smem : data[Smem] = (SRC >> 16) << shift */
int64_t src = dst_b ? s->b : s->a;
int16_t high = (int16_t)((src >> 16) & 0xFFFF);
int64_t shifted = (shift >= 0) ? ((int64_t)high << shift) : ((int64_t)high >> (-shift));
data_write(s, addr, (uint16_t)(shifted & 0xFFFF));
break;
}
case 0b100: { /* STL SRC,SHIFT,Smem : data[Smem] = (SRC & 0xFFFF) << shift */
int64_t src = dst_b ? s->b : s->a;
int64_t shifted = (shift >= 0) ? (src << shift) : (src >> (-shift));
data_write(s, addr, (uint16_t)(shifted & 0xFFFF));
break;
}
default:
/* Unknown sub-opcode in word1 — log and treat as NOP */
break;
}
return 2 + s->lk_used; /* 2 words + Smem long-addr if any */
}Note on STH/STL: binutils operand strings show OP_SRC1 for these — i.e., single-acc selection via bit 8. So I use dst_b (which is bit 8) as the source acc selector for STH/STL. Verify against SPRU172C entry pages for STH and STL during implementation.
Wedge case verification (the test that closes the diagnostic)
PROM0[0x834C] = 0x6F07 (op)
PROM0[0x834D] = 0x0C41 (op2)
word0 & 0xFF00 = 0x6F00 ✓ matches family
Smem (op & 0x7F) = 0x07, bit 7 = 0 → direct mode
With DP=0x01F: addr = (0x01F << 7) | 0x07 = 0x0F87
word1 = 0x0C41
bits 15-10 = 000011 ✓
bit 9 = 0 (LD/STH/STL — bit 9 fixed)
bit 8 = 0 → DST = A (for LD)
bits 7-5 = 010 → LD
bits 4-0 = 00001 → SHIFT = +1
Effect: A = sign_extend(data[0x0F87]) << 1If data[0x0F87] is a real value (not 0), A receives a sensible non-self value, the subsequent ADD #0x8359, A at PC=0x834E gives A = real+0x8359 ≠ 0x8353, and the CALAD A at PC=0x8352 branches somewhere meaningful, NOT self-loop.
This is the falsifiable prediction: implement only 0x6F00 first, rebuild, re-run with no other changes — if PC=0x8353 hot count drops to ~0, the bug chain is confirmed closed.
MAC at 0xF067 — separate, do not include here
Note that mac also appears with base=0xF067 mask=0xFCFF — this is a different opcode in the F0xx family (long-immediate MAC MAC #lk, SRC, [DST]). Already in scope of the F4-F7 generic family that was previously fixed.
Implementation order (validated by user)
- 0x6F00 first (544 hits, the highest impact and tied to the current wedge at PC=0x8353). Verify against the wedge case above. If
A_lowno longer becomes 0xFFFA → 0x8353, the diagnostic is closed. - 0x6800-0x6Bxx (ANDM/ORM/XORM/ADDM, 1259 hits combined). Trivial 2-word memory ops.
- 0x6Cxx BANZ + 0x6Exx BANZD (304 hits combined). MUST integrate with existing delay-slot mechanism. BANZ test on ARx after indirect mode application.
- Re-test full run after each step. Validation = hot PC distribution shifts away from the wedge sites.
Counts (firmware ROM static)
| First-word | Hits in PROM0/1/2/3 |
|---|---|
| 0x6800 ANDM | 498 |
| 0x6900 ORM | 414 |
| 0x6A00 XORM | 12 |
| 0x6B00 ADDM | 335 |
| 0x6C00 BANZ | 160 |
| 0x6D00 MAR | (N/A — already OK) |
| 0x6E00 BANZD | 144 |
| 0x6F00 ADD/SUB/LD/STH/STL | 544 |
| Total buggy | 2107 |
References
binutils-2.21.1/include/opcode/tic54x.hlines 85-150 (struct insn_template)binutils-2.21.1/opcodes/tic54x-opc.clines 251, 257, 263, 268-269, 327, 350, 383, 432, 437, 448, 463- SPRU172C (
../datasheets/TI_SPRU172C_C54x_Mnemonic_Instruction_Set.pdf)- p.4-15 BANZ[D] Branch on Auxiliary Register Not Zero (verified semantics)
- For implementation: also read entries for ADD Smem,SHIFT,SRC,DST; SUB Smem,SHIFT,SRC,DST; LD Smem,SHIFT,DST; STH SRC,SHIFT,Smem; STL SRC,SHIFT,Smem (verify TC/OVM/SXM behaviors per page).
- SPRU131G (
../datasheets/TI_SPRU131G_C54x_CPU_and_Peripherals.pdf) for delay-slot pipeline behavior (BANZD) - Wedge verification:
0x6F07 0x0C41at PROM0[0x834C], current run wedge observed in QEMU at PC=0x8353 with A_low=0xFFFA after parasitic SUB.
./hw/arm/calypso/doc/SESSION_20260507_BRIEF.md
Brief Claude web — 2026-05-07
Session de cleanup + UL wiring. Coller en intégralité dans Claude web.
Contexte
QEMU Calypso baseband emulator (ARM7TDMI + TMS320C54x DSP, layer1.highram.elf osmocom-bb). Bridge Python relaie BTS UDP (5700-5702) ↔︎ QEMU BSP (6702). DL milestone validé 2026-05-06 : cell_identity 777→888 dans osmo-bsc.cfg propage RSL → BTS → bridge → BSP DMA → DSP demod → ARM L1 → mobile L3 (<0001> sysinfo.c New SYSTEM INFORMATION 3 (lai=001-01-1) + CGI=001-01-1-888). Deux observations indépendantes : rsl_si_tap mmap (octets 03 78) + mobile L3 logs.
À l’audit du 07/05, le commit qui scellait ce milestone (63b4fe5) embarquait trois nuisances dans le diff : 1. 36 lignes BOURRIN-FBDET-SKIP dans calypso_c54x.c — pop stack+jump bypass du range PC [0x8d00, 0x8f80] pour court-circuiter la routine DSP fb-det. 2. ~120 lignes DIAG-HACK env-gated INTM force-clear + ALIAS-CHECK dump. 3. 23 fichiers __pycache__/*.pyc recompilés (bruit sans hash diff).
Plus, sans être dans 63b4fe5 mais dans le code actif : 4. publish_fb_found(toa=0,pm=80,angle=0,snr=100) synthétique dans calypso_fbsb_on_dsp_task_change (DSP_TASK_FB). 5. publish_sb_found(bsic=0) synthétique idem. 6. si3_fallback[23] hardcodé en cas d’absence de mmap (cold-start). 7. allc_burst_idx static cycle 0..3 — désynchronise sous jitter TDMA. 8. UL pipeline coté QEMU branché sur d_task_u uniquement (= SDCCH/SACCH/TCH), ignorant d_task_ra (RACH au word 7 du write-page) — cf. prim_rach.c:77. 9. BSP trxd_peer_valid=false jusqu’à premier DL, et bridge.py trxd_remote=None idem côté UL forward → race au démarrage.
Ce que j’ai fait
Removed (no more hacks)
| Hack | Fichier | Status |
|---|---|---|
| BOURRIN-FBDET-SKIP | calypso_c54x.c |
bloc supprimé entièrement |
| DIAG-HACK INTM force-clear + ALIAS-CHECK + BOOT+100k VECDUMP | calypso_c54x.c |
bloc supprimé |
si3_fallback[] hardcode |
calypso_fbsb.c |
supprimé ; mmap-only ; si absent → pas d’écriture a_cd |
allc_burst_idx static counter |
calypso_fbsb.c |
remplacé par burst_d = fn & 3 |
ul_drop_no_bts race |
bridge.py |
trxd_remote pre-set à (BTS, 5802) à init |
BSP trxd_peer_valid=false race |
calypso_bsp.c |
pre-set à (127.0.0.1, 5702) à init |
publish_fb_found/publish_sb_found calls |
calypso_fbsb.c |
call sites supprimés du chemin par défaut, env-gated CALYPSO_FBSB_SYNTH=1 |
.gitignore étendu : __pycache__/, *.pyc, *.bak* pour éviter répétition du bruit du commit 63b4fe5.
Added (real connections)
| Connection | Fichier |
|---|---|
DB_W_D_TASK_RA = 7 poll dans tdma_tick UL section |
calypso_trx.c |
calypso_bsp_tx_rach_burst (real AB encoding via gsm0503_rach_ext_encode) |
calypso_bsp.c |
| libosmocoding link dans meson | hw/arm/calypso/meson.build |
BRIDGE_CLK_FROM_QEMU=1 env mode (CLK IND piloté par QEMU FN, pas wall-clock) |
bridge.py |
-icount shift=auto,align=off,sleep=off sur QEMU |
run.sh |
CALYPSO_FBSB_SYNTH=1 env-gate pour ré-activer synth quand emulated DSP correlator ne converge pas |
calypso_fbsb.c |
CALYPSO_NDB_D_RACH_OFFSET=0xNNN override pour pinner offset |
calypso_bsp.c |
Doc à jour : README.md Latest update section, hw/arm/calypso/doc/hacks.md § Cleanup 2026-05-07, hw/arm/calypso/doc/TODO.md § Status 2026-05-07, hw/arm/calypso/doc/PROJECT_STATUS.md entry du jour, CLAUDE.md Current Bug section refresh.
Run actuel — observations
Avec CALYPSO_FBSB_SYNTH=1 (rebuild 13:04 dans le conteneur Docker trying) :
DL retrouvé : - [calypso-fbsb] CALYPSO_FBSB_SYNTH=1 (synth, dev-assist path) confirmé au boot - [fbsb] FB0_FOUND (synth) + SB_FOUND (synth) cycliques - Mobile L3 : New SYSTEM INFORMATION 1, 2, 3, 4 (lai=001-01-1) répétés - Changing CCCH_MODE to 2 → cell sync complet
UL — progrès : - 8 paquets UL délivrés au BTS - Premiers UL sur TN=0 (vrai slot RACH) : bridge: UL #7 TN=0 fn=1480, UL #8 TN=0 fn=1480 — vs UL antérieurs sur TN=4/6 (garbage) - Côté DSP : [BSP] RACH encode #N fn=NNN ra=0xXX bsic=0xXX d_rach=0xNNNN fire régulièrement - BTS osmo-bts-trx clock skew : 1 FN compensation au lieu de 102 FN avant icount + CLK_FROM_QEMU
UL — problèmes restants : 1. task_ra non-zéro très tôt (fn=104, avant FBSB complete) — suspect. Hypothèse : d_rach offset par défaut 0x01CB lit la mauvaise zone NDB, ou le firmware écrit du résidu non-zéro qu’on interprète comme RACH command. Symptôme : BSIC varie run-to-run (0x2a, 0x24, 0x1f, 0x14, 0x33, 0x1c, 0x19, 0x15, 0x3c) alors que BSIC est constant pour une cellule donnée. 2. task_u et task_ra fire en même temps avec valeurs incohérentes (task_ra=0x2d4e tn=6 fn=104 + task_u=0xfec2 tn=6 fn=104) — vraisemblablement les deux sont des résidus mémoire que ARM n’a pas encore initialisés à zéro. 3. Pas encore vu d’IMM_ASS_CMD côté mobile — soit BTS rejette les RACH UL (malformés ?), soit BSC ne génère pas IMM_ASS, soit mobile rate l’AGCH sub-slot.
Diagnostic question pour toi (Claude web)
Le DL milestone tient via CALYPSO_FBSB_SYNTH=1 qui ré-active les écritures synth a_sync_demod[*] + d_fb_det=1 à chaque DSP_TASK_FB write par l’ARM. Sans synth, le DSP exécute la vraie routine fb-det (range PC ~0x8d00..0x8f80) sur les samples GMSK que le BSP modulé depuis les hard bits TRXD du bridge.
GMSK h=0.5 : pour un FCCH burst (148 zéros) la phase avance de +π/2 par bit → pure tone à fs/4 ≈ 67.7 kHz, conforme spec GSM. Notre cos_tab/sin_tab walk reproduit cette structure (calypso_bsp.c lignes ~290-301). Donc en théorie le correlator DSP devrait latch sur le FCCH.
Il ne le fait pas. Trois pistes :
(α) Bug d’opcode dans c54x_exec_one : un MAC ou correlator instruction (probable : MACR, MAC*AR2-,A, MACSU) calcule mal sur les samples Q15 full-scale ±0x7FFE. Hint historique : range PC 0x8d33/0x8eb9/0x8f51 sont des fb-det stores connus (cf. c54x.c “real_fbdet_pcs[]” comments). Si on instrumente A/B accumulators à ces PCs et qu’on compare aux valeurs attendues sur un burst FCCH pur, on saura.
(β) Timing miss : la routine fb-det DSP démarre à un offset symbol qui ne matche pas le burst que BSP vient de DMA. Le DSP correlator suppose que les 148 symboles dans 0x3fb0..0x4047 (ou wherever DARAM RX zone) sont la fenêtre courante, mais en QEMU le DMA arrive au mauvais moment relatif au TPU FRAME IRQ. Avec -icount ça devrait être stable mais pas forcément aligné.
(γ) Phase reference inversée : nos cos_tab/sin_tab walk advance phase à +π/2 per zero bit (NRZ : bit 0 → phase += π/2). Si le correlator DSP s’attend à -π/2, l’output est conjugué et le pic FCCH n’apparaît pas là où attendu. Trivial à inverser pour tester.
Question : selon toi, lequel des trois pistes mérite l’instrumentation en premier ? J’ai en main : - log complet de PC HIST (/root/qemu.log côté DSP, ~80k lignes) - la pcap GSMTAP en cours de capture (/root/mobile-gsmtap.pcap) - accès aux registres DSP (A, B, T, AR0..AR7, ST0/ST1, PMST) via les logs existants à PCs spécifiques (cf. MAC-7700 tracer ENTER-7700 tracer dans c54x.c)
Et sur le UL — vu que les RACH partent pour de vrai sur TN=0 maintenant, tu validerais quel test discriminant en premier : tcpdump GSMTAP pour voir si IMM_ASS passe sur l’air, ou logs osmo-bts-trx pour voir si RACH detect counter incrémente ?
Annexes
Liens documentation : - README.md § Latest update — Session 2026-05-07 - hw/arm/calypso/doc/hacks.md § Cleanup 2026-05-07 (table par hack) - hw/arm/calypso/doc/TODO.md § Status 2026-05-07 - hw/arm/calypso/doc/PROJECT_STATUS.md § 2026-05-07
Diff récap : 12 fichiers modifiés, +401 / −421 lignes (net -20 lignes malgré ajout libosmocoding integration + env vars).
./hw/arm/calypso/doc/BSP_DMA.md
Calypso BSP/RIF DMA — QEMU implementation
Rôle
Sur le vrai matériel, le BSP (Baseband Serial Port) est le lien série synchrone qui DMA les samples I/Q de l’IOTA RF frontend directement dans la DARAM du DSP C54x. Le code DSP (FCCH/SCH/burst detection en PROM0) lit ces samples depuis un buffer DARAM fixe et poste les résultats dans le NDB.
Dans QEMU on n’émule pas le bus série IOTA. À la place :
bridge.py (gr-gsm GMSK modulateur)
│
│ UDP TRXD v0 (port 6802)
▼
sercomm_gate.c::trxd_cb()
│
│ calypso_bsp_rx_burst(tn, fn, int16 *iq, n_int16)
▼
calypso_bsp.c::calypso_bsp_rx_burst()
│
│ copie de mots dans dsp->data[<DARAM target>]
▼
C54x DARAM ──read──▶ PROM0 FB-det handler ──▶ NDB d_fb_detPas de poke dans le NDB, pas de faux d_fb_det, pas d’ancien header rx_burst. Le seul boulot du module BSP est de poser le flux int16 au bon endroit en DARAM ; le firmware DSP fait tout le reste.
Fichiers
| Path | Rôle |
|---|---|
include/hw/arm/calypso/calypso_bsp.h |
API publique |
hw/arm/calypso/calypso_bsp.c |
Implémentation DMA |
hw/arm/calypso/sercomm_gate.c::trxd_cb |
Appelle calypso_bsp_rx_burst |
hw/arm/calypso/calypso_trx.c::calypso_trx_init |
Appelle calypso_bsp_init(s->dsp) |
hw/arm/calypso/calypso_c54x.c::data_read |
Tracer FBDET / d_spcx_rif |
hw/arm/calypso/meson.build |
Ajoute calypso_bsp.c |
Configuration
Deux variables d’environnement (lues une fois à calypso_bsp_init) :
| Env var | Défaut | Sens |
|---|---|---|
CALYPSO_BSP_DARAM_ADDR |
0 |
Adresse de mot dans le data-space DSP (DARAM) |
CALYPSO_BSP_DARAM_LEN |
1184 |
Nombre max de mots int16 copiés par burst (148×4×2) |
Quand CALYPSO_BSP_DARAM_ADDR=0, le BSP tourne en mode DISCOVERY : chaque burst est loggué mais rien n’est écrit en DARAM. C’est le défaut sûr pendant le debug DSP.
Procédure de discovery
L’adresse cible du buffer DARAM utilisée par la routine FB-det est identifiée à l’exécution en traçant les data reads émis quand le PC DSP est dans le handler FB-det en PROM0 (plage 0x7730..0x7990, mémoire project_dsp_fb_det) :
[c54x] FBDET RD [0x<addr>]=0x<val> PC=0x<pc> insn=<n>Le cluster d’<addr> (avec PC juste avant la première boucle MAC/FIR) est la cible BSP. Mettre CALYPSO_BSP_DARAM_ADDR en conséquence et relancer.
Statut (2026-04-06)
- Infra BSP complète, build clean (link manuel
-lmrequis). - Runtime vérifié : les bursts arrivent au BSP avec une enveloppe GMSK correcte (|z| ≈ 32766),
d_spcx_rifprogrammé par ARM à0x0179à fn=0. - Discovery bloquée : le DSP n’entre jamais dans la plage PC FB-det ; il busy-loop dans le dispatcher à
0x81a7..0x81d6. La cause n’est pas un bug DSP — c’est que le firmware ARM n’écrit jamaisd_task_md = FB_DSP_TASK. VoirTODO.md.
Dès que le DSP atteindra 0x7730+, le tracer FBDET révélera le buffer DARAM et on pourra fixer CALYPSO_BSP_DARAM_ADDR.
./hw/arm/calypso/calypso_trx.c
/*
* calypso_trx.c — Calypso hardware emulation + DSP C54x emulation
* No sockets. Firmware speaks UART only. DSP results in shared RAM.
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "qapi/error.h"
#include "qemu/timer.h"
#include "qemu/error-report.h"
#include "qemu/main-loop.h"
#include "exec/address-spaces.h"
#include "hw/irq.h"
#include "hw/arm/calypso/calypso_trx.h"
#include "hw/arm/calypso/calypso_uart.h"
#include "hw/arm/calypso/calypso_c54x.h"
#include "hw/arm/calypso/calypso_bsp.h"
#include "hw/arm/calypso/calypso_iota.h"
#include "hw/arm/calypso/calypso_sim.h"
#include "hw/arm/calypso/calypso_fbsb.h"
#include "chardev/char-fe.h"
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <unistd.h>
extern CalypsoUARTState *g_uart_modem;
#define TRX_LOG(fmt, ...) \
fprintf(stderr, "[calypso-trx] " fmt "\n", ##__VA_ARGS__)
#define DSP_API_W_PAGE0 0x0000
#define DSP_API_W_PAGE1 0x0028
#define DSP_API_NDB 0x01A8
#define DB_W_D_TASK_D 0
#define DB_W_D_BURST_D 1
#define DB_W_D_TASK_U 2
#define DB_W_D_BURST_U 3
#define DB_W_D_TASK_MD 4
#define DB_W_D_BACKGROUND 5
#define DB_W_D_DEBUG 6
#define DB_W_D_TASK_RA 7 /* RACH access task — separate from d_task_u */
/* No PM/FB/SB stubs — the DSP handles everything via shared API RAM */
typedef struct CalypsoTRX {
qemu_irq *irqs;
MemoryRegion dsp_iomem;
uint16_t dsp_ram[CALYPSO_DSP_SIZE / 2];
uint8_t dsp_page;
bool dsp_booted;
uint32_t boot_frame;
MemoryRegion tpu_iomem;
MemoryRegion tpu_ram_iomem;
uint16_t tpu_regs[CALYPSO_TPU_SIZE / 2];
uint16_t tpu_ram[CALYPSO_TPU_RAM_SIZE / 2];
MemoryRegion tsp_iomem;
uint16_t tsp_regs[CALYPSO_TSP_SIZE / 2];
MemoryRegion ulpd_iomem;
uint16_t ulpd_regs[CALYPSO_ULPD_SIZE / 2];
uint32_t ulpd_counter;
MemoryRegion sim_iomem;
CalypsoSim *sim;
QEMUTimer *tdma_timer;
QEMUTimer *frame_irq_timer;
QEMUTimer *dsp_timer;
uint32_t fn;
bool tdma_running;
uint8_t sync_bsic;
/* C54x DSP emulator */
C54xState *dsp;
bool dsp_init_done; /* DSP reached first IDLE after boot */
/* CLK UDP: send each TDMA tick to bridge so it's clock-slave */
int clk_fd;
struct sockaddr_in clk_peer;
} CalypsoTRX;
static CalypsoTRX *g_trx;
/* FBSB host-side orchestration. Reintroduced after preNoCell refactor
* (28 Apr) accidentally removed the wire. The bridge delivers I/Q from
* a fixed cos/sin LUT (no AFC DAC feedback in QEMU), so the DSP
* correlator cannot converge across iterations. This wire publishes
* synthetic clean FB/SB results at the NDB level when ARM dispatches
* FB_DSP_TASK, allowing the L1→L2→L3 stack to progress toward Location
* Update without requiring physical RF AFC simulation. */
static CalypsoFbsb g_fbsb;
static bool g_fbsb_inited;
/* W1C latches for FB-detection result snapshot.
* Set by c54x data_write when DSP writes a_sync_SNR (LAST cell of
* fb-det iteration sequence) from a real fb-det PC. Snapshot captures
* d_fb_det/d_fb_mode/a_sync_demod[*] coherent for the iteration.
* Consumed by ARM read; survives DSP-side clears and stack-stomp at
* PC=0x0662. Order in DSP firmware:
* d_fb_det → d_fb_mode → a_sync_TOA → PM → ANG → SNR (insn N..N+150)
* Snapshot at SNR ensures all values are this-iter values. */
uint16_t g_d_fb_det_latch;
uint16_t g_d_fb_mode_latch;
uint16_t g_a_sync_TOA_latch;
uint16_t g_a_sync_PM_latch;
uint16_t g_a_sync_ANG_latch;
uint16_t g_a_sync_SNR_latch;
bool g_a_sync_valid;
/* CALYPSO_W1C_LATCH=1 enables the W1C latch system : DSP writes at the
* a_sync_demod iteration end (PCs 0x8d33/0x8eb9/0x8f51) snapshot all 6
* cells, ARM reads consume them. Mitigates a race window where DSP sets
* d_fb_mode then clears within a tight loop, and ARM polls between.
* Default 0 = ARM reads NDB directly. Read once at first call, cached. */
int calypso_w1c_latch_enabled(void)
{
static int cached = -1;
if (cached < 0) {
const char *e = getenv("CALYPSO_W1C_LATCH");
cached = (e && *e == '1') ? 1 : 0;
fprintf(stderr,
"[calypso-trx] CALYPSO_W1C_LATCH=%d (%s)\n",
cached, cached ? "latch on a_sync_SNR snapshot, consume on ARM read"
: "ARM reads NDB direct");
}
return cached;
}
/* All firmware patches removed — verified that the layer1.highram.elf
* runs unmodified against the current QEMU emulation (PM scan, FBSB,
* RESET cycle stable for >1 minute with NO patches applied).
*
* History — patches removed and why each was actually unnecessary:
* cons_puts NOP (0x82a1b0) : function has a UART fall-through path
* taken when its LCD ctx flag is 0 (the
* default). printf_buffer is filled by
* vsnprintf upstream and read by the
* fw_console poller in fw_console.c.
* puts NOP (0x829ea0) : puts is a one-instruction tail call to
* sercomm_puts; it was never broken.
* 5x BL NOP in frame_irq : these are bl printf / bl puts calls
* that became safe once cons_puts/puts
* were left alone.
* talloc pool 32->148 : pool exhaustion never observed in the
* current run profile.
* talloc retry loop : same — never reached.
* abort_irqs inf-loop fixup : handle_abort never entered with the
* IRQ controller fixes from earlier
* sessions.
* sim_handler -> BX LR : l1a_l23_handler progresses through SIM
* polling without blocking under the
* current SIM register stub responses.
*
* If any of these regress, look first at the underlying QEMU subsystem
* (LCD MMIO, talloc memory pool, IRQ controller, SIM stub) rather than
* re-introducing a firmware patch.
*/
uint32_t calypso_trx_get_fn(void) { return g_trx ? g_trx->fn : 0; }
/* ---- DSP API RAM ---- */
static uint64_t calypso_dsp_read(void *opaque, hwaddr offset, unsigned size)
{
CalypsoTRX *s = opaque;
if (offset >= CALYPSO_DSP_SIZE) return 0;
uint64_t val = (size == 2) ? s->dsp_ram[offset/2] :
(size == 4) ? (s->dsp_ram[offset/2] | ((uint32_t)s->dsp_ram[offset/2+1] << 16)) :
((uint8_t *)s->dsp_ram)[offset];
/* DSP boot handshake: firmware polls DL_STATUS until it reads BOOT */
if (offset == DSP_DL_STATUS_ADDR && !s->dsp_booted) {
if (++s->boot_frame > 3) {
s->dsp_ram[DSP_DL_STATUS_ADDR/2] = DSP_DL_STATUS_BOOT;
s->dsp_ram[DSP_API_VER_ADDR/2] = DSP_API_VERSION;
s->dsp_ram[DSP_API_VER2_ADDR/2] = 0;
s->dsp_booted = true;
TRX_LOG("DSP boot ver=0x%04x", DSP_API_VERSION);
val = DSP_DL_STATUS_BOOT;
}
}
/* W1C latch consume — snapshot at fb-det iteration end (a_sync_SNR
* write by real fb-det PC).
* d_fb_det read consumes the latch (ARM acks detection); a_sync_*
* remain valid for the subsequent burst-read until next snapshot
* overwrites them. */
if (calypso_w1c_latch_enabled() &&
offset == 0x01F0 && size == 2 && g_a_sync_valid &&
g_d_fb_det_latch != 0) {
uint16_t v = g_d_fb_det_latch;
g_d_fb_det_latch = 0;
TRX_LOG("ARM RD d_fb_det LATCH-CONSUME = 0x%04x (cleared) fn=%u",
v, s->fn);
return v;
}
if (calypso_w1c_latch_enabled() && g_a_sync_valid && size == 2) {
uint16_t v = 0;
const char *name = NULL;
switch (offset) {
case 0x01F2: v = g_d_fb_mode_latch; name = "d_fb_mode"; break;
case 0x01F4: v = g_a_sync_TOA_latch; name = "a_sync_TOA"; break;
case 0x01F6: v = g_a_sync_PM_latch; name = "a_sync_PM"; break;
case 0x01F8: v = g_a_sync_ANG_latch; name = "a_sync_ANG"; break;
case 0x01FA: v = g_a_sync_SNR_latch; name = "a_sync_SNR"; break;
}
if (name) {
TRX_LOG("ARM RD %s LATCH = 0x%04x (s=%d) fn=%u",
name, v, (int)(int16_t)v, s->fn);
return v;
}
}
/* ARM-read trace on d_fb_det / d_fb_mode / a_sync_demod cells:
* 0x01F0 = d_fb_det (DSP word 0x08F8)
* 0x01F2 = d_fb_mode (DSP word 0x08F9)
* 0x01F4..0x01FA = a_sync_demod[0..3] (TOA/PM/ANGLE/SNR)
* Capped + thinned. Goal: confirm whether ARM polls these cells and
* what value it sees vs what DSP wrote. If ARM never reads while DSP
* writes 0x095b → ARM-side mapping/timing bug. */
if (offset >= 0x01F0 && offset <= 0x01FE && (offset & 1) == 0) {
static unsigned arm_rd_log = 0;
static unsigned arm_rd_mode = 0;
arm_rd_log++;
bool is_mode = (offset == 0x01F2);
if (is_mode) arm_rd_mode++;
/* d_fb_mode: log EVERY read (no cap) — race-window check.
* Other cells: thinned. */
bool log_it = is_mode ||
(arm_rd_log <= 200 || (arm_rd_log % 5000) == 0) ||
(val != 0 && offset == 0x01F0);
if (log_it) {
const char *name =
(offset == 0x01F0) ? "d_fb_det" :
(offset == 0x01F2) ? "d_fb_mode" :
(offset == 0x01F4) ? "a_sync_TOA" :
(offset == 0x01F6) ? "a_sync_PM" :
(offset == 0x01F8) ? "a_sync_ANG" :
(offset == 0x01FA) ? "a_sync_SNR" : "unk";
TRX_LOG("ARM RD %s [arm=0x%04x dsp_word=0x%04x] = 0x%04x sz=%d fn=%u #%u",
name, (unsigned)offset, (unsigned)(offset/2 + 0x0800),
(unsigned)val, size, s->fn, arm_rd_log);
}
}
return val;
}
static void calypso_dsp_write(void *opaque, hwaddr offset, uint64_t value, unsigned size)
{
CalypsoTRX *s = opaque;
if (offset >= CALYPSO_DSP_SIZE) return;
if (size == 2) s->dsp_ram[offset/2] = value;
else if (size == 4) { s->dsp_ram[offset/2] = value; s->dsp_ram[offset/2+1] = value >> 16; }
else ((uint8_t *)s->dsp_ram)[offset] = value;
/* Mirror to DSP s->data[] so prog_fetch in OVLY mode sees ARM writes
* to the shared API/DARAM region. On real silicon dsp_ram and the DSP
* DARAM share one physical memory; without this mirror, ARM writes
* land in dsp_ram only and the DSP executes the stale (boot-time
* MVPD-copied) value via prog_fetch. */
if (s->dsp) {
uint16_t dsp_word = offset/2 + 0x0800;
if (size == 2) {
s->dsp->data[dsp_word] = (uint16_t)value;
} else if (size == 4) {
s->dsp->data[dsp_word] = (uint16_t)value;
s->dsp->data[dsp_word + 1] = (uint16_t)(value >> 16);
}
/* size==1 byte: skip — sub-word writes to DSP data are unusual
* and would need careful endianness handling; falls back to the
* dsp_ram-only path which is fine for the sub-word case. */
}
/* Debug: log task-related writes to write pages (d_task_d/u/md/ra) */
if ((offset == 0x0000 || offset == 0x0004 || offset == 0x0008 ||
offset == 0x000E || offset == 0x0028 || offset == 0x002C ||
offset == 0x0030 || offset == 0x0036) && value != 0) {
static int wp_log = 0;
if (++wp_log <= 100)
TRX_LOG("DSP WR [0x%04x] = 0x%04x (sz=%d) fn=%u",
(unsigned)offset, (unsigned)value, size, s->fn);
}
/* d_rach offset finder — circular buffer of recent NDB writes.
* NDB starts at byte offset 0x01A8 in API RAM (= dsp_ram + 0x01A8).
* We capture every non-zero ARM-side write to NDB range and dump the
* last 16 entries when d_task_ra commits (0x000E page0 or 0x0036 page1).
* The d_rach value matches the pattern (ra<<8) | (bsic<<2) — the ra
* byte mirrors what the mobile L3 just announced in `RANDOM ACCESS`.
* Once observed, set CALYPSO_NDB_D_RACH_OFFSET to the matching word
* index (= (offset - 0x01A8) / 2 + 0xD4 in the convention used by
* calypso_bsp.c). */
{
#define D_RACH_RING_SIZE 128
struct ndb_wr_entry { hwaddr off; uint32_t val; uint32_t fn; uint32_t insn; uint8_t sz; };
static struct ndb_wr_entry ring[D_RACH_RING_SIZE];
static int idx;
static int dump_count;
/* Capture all sizes (1/2/4) over the full NDB + post-NDB region
* (NDB extent varies by DSP firmware version; widen to 0x0800 to
* be safe, restrict later once the actual d_rach offset is pinned).
* Filter only zero-value writes to keep the ring useful. */
if (offset >= 0x01A8 && offset < 0x0800 && value != 0 &&
(size == 1 || size == 2 || size == 4)) {
ring[idx % D_RACH_RING_SIZE] = (struct ndb_wr_entry){
offset, (uint32_t)value, s->fn, s->dsp ? s->dsp->insn_count : 0,
(uint8_t)size
};
idx++;
}
bool task_ra_commit =
(offset == DSP_API_W_PAGE0 + DB_W_D_TASK_RA * 2 ||
offset == DSP_API_W_PAGE1 + DB_W_D_TASK_RA * 2) && value != 0;
if (task_ra_commit && dump_count < 30) {
dump_count++;
uint32_t commit_insn = s->dsp ? s->dsp->insn_count : 0;
TRX_LOG("D_RACH-FINDER task_ra commit @0x%04x = 0x%04x fn=%u insn=%u — full ring (last 128 NDB writes):",
(unsigned)offset, (unsigned)value, s->fn, commit_insn);
int n = (idx < D_RACH_RING_SIZE) ? idx : D_RACH_RING_SIZE;
int start = idx - n;
for (int i = 0; i < n; i++) {
int k = (start + i) % D_RACH_RING_SIZE;
uint32_t v = ring[k].val;
int32_t d_insn = (int32_t)(commit_insn - ring[k].insn);
uint8_t ra = (uint8_t)((v >> 8) & 0xFF);
uint8_t low = (uint8_t)(v & 0xFF);
uint8_t bsic = low >> 2;
/* Mark entries within the "RACH window" (last 1000 insn
* before commit) — those are the candidates worth scanning
* by eye for ra match against mobile L3 log. Older entries
* are init/unrelated but kept in the dump for offline
* correlation when filtering misses the d_rach write. */
const char *tag = (d_insn >= 0 && d_insn <= 1000) ? "*HOT*" : "";
fprintf(stderr,
"[trx] D_RACH-FINDER #%d off=0x%04x val=0x%04x sz=%u "
"d_insn=%+d ra=0x%02x bsic=0x%02x fn=%u %s\n",
i, (unsigned)ring[k].off, v, ring[k].sz,
-d_insn, ra, bsic, ring[k].fn, tag);
}
}
}
/* DSP bootloader mailbox writes (osmocom-bb dsp.c BL_*).
* ARM byte → DSP word mapping (api_ram[w] ↔ ARM byte w*2):
* ARM 0x0FF8 BL_ADDR_HI ↔ DSP word 0x0FFC
* ARM 0x0FFA BL_SIZE ↔ DSP word 0x0FFD
* ARM 0x0FFC BL_ADDR_LO ↔ DSP word 0x0FFE (BACC target)
* ARM 0x0FFE BL_CMD_STATUS ↔ DSP word 0x0FFF (poll value)
* Trace every write so we can confirm the handshake actually reaches
* the cells the bootloader at PROM0 0xb41c-0xb430 reads. */
if (offset == 0x0FF8 || offset == 0x0FFA ||
offset == 0x0FFC || offset == 0x0FFE) {
const char *name = (offset == 0x0FF8) ? "BL_ADDR_HI" :
(offset == 0x0FFA) ? "BL_SIZE" :
(offset == 0x0FFC) ? "BL_ADDR_LO" :
"BL_CMD_STATUS";
static unsigned bl_log;
if (++bl_log <= 200)
TRX_LOG("BL ARM WR %s [arm=0x%04x dsp_word=0x%04x] = 0x%04x sz=%d fn=%u",
name, (unsigned)offset, (unsigned)(offset/2 + 0x0800),
(unsigned)value, size, s->fn);
}
/* Log task writes for debugging — no interception, no faking.
* The DSP handles all tasks via shared API RAM. */
{
hwaddr w0_md = DSP_API_W_PAGE0 + DB_W_D_TASK_MD * 2;
hwaddr w1_md = DSP_API_W_PAGE1 + DB_W_D_TASK_MD * 2;
hwaddr w0_d = DSP_API_W_PAGE0 + DB_W_D_TASK_D * 2;
hwaddr w1_d = DSP_API_W_PAGE1 + DB_W_D_TASK_D * 2;
if ((offset == w0_md || offset == w1_md ||
offset == w0_d || offset == w1_d) && value != 0) {
static unsigned task_log = 0;
/* Always log non-PM tasks (value != 1) so FB_TASK=5 / SB=6
* surfaces no matter when it occurs. PM=1 thinned. */
bool is_pm = (value == 1);
if (!is_pm || task_log < 100 || (task_log % 500) == 0)
TRX_LOG("ARM TASK WR [0x%04x] = %u fn=%u",
(unsigned)offset, (unsigned)value, s->fn);
task_log++;
/* FBSB orchestration hook: ARM has just written d_task_md.
* Initialise on first call, then dispatch to the host-side
* state machine which publishes synthetic FB/SB results
* into NDB so ARM can progress past l1s_fbdet_resp. */
if (!g_fbsb_inited) {
calypso_fbsb_init(&g_fbsb, s->dsp_ram, 0x0800);
g_fbsb_inited = true;
TRX_LOG("fbsb init ok ndb_base=0x0800");
}
if (g_fbsb_inited) {
TRX_LOG("fbsb hook fired task=%u fn=%u",
(unsigned)value, s->fn);
calypso_fbsb_on_dsp_task_change(&g_fbsb,
(uint16_t)value,
(uint64_t)s->fn);
}
}
}
/* DSP page */
if (offset == DSP_API_NDB) s->dsp_page = value & 1;
/* DSP status */
if (offset == DSP_DL_STATUS_ADDR) {
if (value == 0) { s->dsp_booted = false; s->boot_frame = 0; TRX_LOG("DSP reset"); }
else if (value == DSP_DL_STATUS_READY) {
s->dsp_ram[DSP_API_VER_ADDR/2] = DSP_API_VERSION;
s->dsp_ram[DSP_API_VER2_ADDR/2] = 0;
/* Unmask API IRQ (IRQ15) in INTH */
{
uint16_t mask;
cpu_physical_memory_read(0xFFFFFA08, &mask, 2);
mask &= ~(1 << 15);
cpu_physical_memory_write(0xFFFFFA08, &mask, 2);
TRX_LOG("DSP ready — unmasked API IRQ (mask=0x%04x)", mask);
}
/* Reset C54x DSP — boot runs in TDMA ticks (parallel with ARM) */
if (s->dsp) {
c54x_reset(s->dsp);
s->dsp->running = true;
s->dsp_init_done = false;
s->dsp_ram[0x01A8/2] = 0;
TRX_LOG("C54x DSP reset — boot via TDMA ticks");
}
}
}
}
static const MemoryRegionOps calypso_dsp_ops = {
.read = calypso_dsp_read, .write = calypso_dsp_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.valid = {.min_access_size=1,.max_access_size=4}, .impl = {.min_access_size=1,.max_access_size=4},
};
/* ---- TPU ---- */
static void calypso_dsp_done(void *opaque) {
CalypsoTRX *s = opaque;
s->tpu_regs[TPU_CTRL/2] &= ~TPU_CTRL_EN;
/* Hardware DMA: copy API write page → DSP DARAM 0x0586.
* Triggered by firmware writing TPU_CTRL with EN bit (dsp_end_scenario).
* This is the ONLY place DMA happens — same as real Calypso. */
if (s->dsp && s->dsp_ram[0x01A8/2] != 0) {
uint16_t page = s->dsp_ram[0x01A8/2] & 1;
uint16_t *wp = page ?
&s->dsp_ram[DSP_API_W_PAGE1/2] : &s->dsp_ram[DSP_API_W_PAGE0/2];
/* Log proof that ARM wrote tasks before DMA */
uint16_t task_d = wp[DB_W_D_TASK_D];
uint16_t task_u = wp[DB_W_D_TASK_U];
uint16_t task_md = wp[DB_W_D_TASK_MD];
if (task_d || task_u || task_md) {
static int dma_task_log = 0;
if (++dma_task_log <= 50)
TRX_LOG("DMA proof: ARM wrote task_d=%u task_u=%u task_md=%u page=%u fn=%u",
task_d, task_u, task_md, page, s->fn);
}
s->dsp->data[0x0584] = s->dsp_ram[0x01A8/2];
s->dsp->data[0x0585] = s->fn & 0xFFFF;
for (int i = 0; i < 20; i++)
s->dsp->data[0x0586 + i] = wp[i];
if (s->dsp->api_ram)
s->dsp->api_ram[0x08D4 - C54X_API_BASE] = s->dsp_ram[0x01A8/2];
}
/* Execute TPU RAM micro-instructions (TSP bus commands).
* The firmware wrote a TPU scenario into TPU RAM. We scan it for
* MOVE instructions that write to TSP registers. When we see
* TSP_CTRL2 with WR bit, we send the TX byte to IOTA.
*
* IMPORTANT: The Calypso Rhea bus is 16-bit wide, mapped to the
* 32-bit ARM bus at 2-byte stride. The firmware writes 16-bit TPU
* instructions at ARM offsets 0, 2, 4, ..., which end up in
* tpu_ram[0], tpu_ram[1], tpu_ram[2], ... However, the actual
* physical layout has zero-padding between instructions (ARM 32-bit
* alignment). We must skip zero words that are just bus padding,
* not real SLEEP instructions. A real SLEEP (0x0000) always comes
* after at least one non-zero instruction. */
{
uint8_t tsp_tx1 = 0;
uint8_t tsp_ctrl1 = 0;
bool seen_any = false;
for (int i = 0; i < CALYPSO_TPU_RAM_SIZE / 2; i++) {
uint16_t insn = s->tpu_ram[i];
if (insn == 0x0000) {
/* Skip zero words: they are either Rhea bus padding
* or the final SLEEP. Only break on SLEEP after we've
* seen real instructions, and only if the NEXT word
* is also zero (two consecutive zeros = real SLEEP). */
if (seen_any) {
int next = i + 1;
if (next >= CALYPSO_TPU_RAM_SIZE / 2 ||
s->tpu_ram[next] == 0x0000)
break; /* real SLEEP — end of scenario */
}
continue;
}
seen_any = true;
uint8_t opcode = (insn >> 13) & 0x7;
if (opcode == 4) {
/* MOVE: addr = bits 4:0, data = bits 12:5 */
uint8_t addr = insn & 0x1F;
uint8_t data = (insn >> 5) & 0xFF;
if (addr == 0x04) tsp_tx1 = data; /* TPUI_TX_1 */
if (addr == 0x00) tsp_ctrl1 = data; /* TPUI_TSP_CTRL1 */
if (addr == 0x01 && (data & 0x02)) { /* TPUI_TSP_CTRL2 WR bit */
/* TSP write: send tsp_tx1 to the device.
* Device 0 (TWL3025): 7-bit data = tsp_tx1.
* This byte contains BDLON/BDLENA/BULENA bits. */
uint8_t dev = (tsp_ctrl1 >> 5) & 0x07;
if (dev == 0) {
calypso_iota_tsp_write(tsp_tx1, 0);
}
}
}
}
}
qemu_irq_raise(s->irqs[CALYPSO_IRQ_API]);
}
static void calypso_tdma_start(CalypsoTRX *s);
/* Called by calypso_tint0.c on each TDMA frame tick.
* Forward declaration — actual tdma_tick is defined below. */
static void calypso_tdma_tick(void *opaque);
/* Prototype visible to tint0 (declared extern there) */
void calypso_tint0_do_tick(uint32_t fn);
void calypso_tint0_do_tick(uint32_t fn)
{
if (!g_trx) return;
g_trx->fn = fn;
/* d_dsp_page is toggled by the DSP firmware itself (PC=0x1748),
* NOT by ARM or the emulator. Don't touch it here. */
calypso_tdma_tick(g_trx);
}
static uint64_t calypso_tpu_read(void *o, hwaddr off, unsigned sz) {
CalypsoTRX *s=o; if (off==TPU_IT_DSP_PG) return s->dsp_page;
return (off/2<CALYPSO_TPU_SIZE/2)?s->tpu_regs[off/2]:0;
}
static void calypso_tpu_write(void *o, hwaddr off, uint64_t val, unsigned sz) {
CalypsoTRX *s=o; if (off/2<CALYPSO_TPU_SIZE/2) s->tpu_regs[off/2]=val;
if (off==TPU_CTRL) {
static int tpu_log = 0;
if (++tpu_log <= 50)
TRX_LOG("TPU_CTRL WR val=0x%04x (EN=%d DSP_EN=%d) fn=%u",
(unsigned)val, !!(val&TPU_CTRL_EN), !!(val&TPU_CTRL_DSP_EN), s->fn);
}
if (off==TPU_CTRL && (val&TPU_CTRL_EN)) {
s->tpu_regs[TPU_CTRL/2] &= ~(TPU_CTRL_EN|TPU_CTRL_IDLE);
/* DMA immediately — no timer delay. The firmware has already
* finished writing the write page before setting TPU_CTRL_EN.
* A 1ns timer caused a race condition where the DMA would fire
* before the write page was fully populated. */
calypso_dsp_done(s);
}
if (off==TPU_INT_CTRL) {
static int ictrl_log = 0;
if (++ictrl_log <= 30)
TRX_LOG("INT_CTRL WR val=0x%02x (MCU_FRAME=%d DSP_FRAME=%d DSP_FORCE=%d) fn=%u",
(unsigned)val,
!!(val&ICTRL_MCU_FRAME), !!(val&ICTRL_DSP_FRAME),
!!(val&ICTRL_DSP_FRAME_FORCE), s->fn);
}
if (off==TPU_INT_CTRL && !(val&ICTRL_MCU_FRAME) && !s->tdma_running) calypso_tdma_start(s);
if (off==TPU_IT_DSP_PG) s->dsp_page=val&1;
}
static const MemoryRegionOps calypso_tpu_ops = {
.read=calypso_tpu_read,.write=calypso_tpu_write,.endianness=DEVICE_LITTLE_ENDIAN,
.valid={.min_access_size=1,.max_access_size=4},.impl={.min_access_size=1,.max_access_size=4},
};
static uint64_t calypso_tpu_ram_read(void *o,hwaddr off,unsigned sz){CalypsoTRX*s=o;return(off/2<CALYPSO_TPU_RAM_SIZE/2)?s->tpu_ram[off/2]:0;}
static void calypso_tpu_ram_write(void *o,hwaddr off,uint64_t v,unsigned sz){CalypsoTRX*s=o;if(off/2<CALYPSO_TPU_RAM_SIZE/2)s->tpu_ram[off/2]=v;}
static const MemoryRegionOps calypso_tpu_ram_ops={.read=calypso_tpu_ram_read,.write=calypso_tpu_ram_write,.endianness=DEVICE_LITTLE_ENDIAN,.valid={.min_access_size=1,.max_access_size=4},.impl={.min_access_size=1,.max_access_size=4},};
/* ---- TSP ---- */
static uint64_t calypso_tsp_read(void *o,hwaddr off,unsigned sz){CalypsoTRX*s=o;return(off==TSP_RX_REG)?0xFFFF:(off/2<CALYPSO_TSP_SIZE/2)?s->tsp_regs[off/2]:0;}
static void calypso_tsp_write(void *o,hwaddr off,uint64_t v,unsigned sz){CalypsoTRX*s=o;if(off/2<CALYPSO_TSP_SIZE/2)s->tsp_regs[off/2]=v;}
static const MemoryRegionOps calypso_tsp_ops={.read=calypso_tsp_read,.write=calypso_tsp_write,.endianness=DEVICE_LITTLE_ENDIAN,.valid={.min_access_size=1,.max_access_size=4},.impl={.min_access_size=1,.max_access_size=4},};
/* ---- ULPD ---- */
static uint64_t calypso_ulpd_read(void *o,hwaddr off,unsigned sz){
CalypsoTRX*s=o;if(off>=0x20&&off<=0x40)return 0;
switch(off){case ULPD_SETUP_CLK13:return 0x2003;case ULPD_COUNTER_HI:s->ulpd_counter+=100;return(s->ulpd_counter>>16)&0xFFFF;
case ULPD_COUNTER_LO:return s->ulpd_counter&0xFFFF;case ULPD_GAUGING_CTRL:return 1;case ULPD_GSM_TIMER:return s->fn&0xFFFF;
default:return(off/2<CALYPSO_ULPD_SIZE/2)?s->ulpd_regs[off/2]:0;}
}
static void calypso_ulpd_write(void *o,hwaddr off,uint64_t v,unsigned sz){CalypsoTRX*s=o;if(off>=0x20&&off<=0x40)return;if(off/2<CALYPSO_ULPD_SIZE/2)s->ulpd_regs[off/2]=v;}
static const MemoryRegionOps calypso_ulpd_ops={.read=calypso_ulpd_read,.write=calypso_ulpd_write,.endianness=DEVICE_LITTLE_ENDIAN,.valid={.min_access_size=1,.max_access_size=2},.impl={.min_access_size=1,.max_access_size=2},};
/* ---- SIM (forwarded to calypso_sim.c) ---- */
static uint64_t calypso_sim_read(void *o, hwaddr off, unsigned sz)
{
CalypsoTRX *s = o;
return calypso_sim_reg_read(s->sim, off);
}
static void calypso_sim_write(void *o, hwaddr off, uint64_t v, unsigned sz)
{
CalypsoTRX *s = o;
calypso_sim_reg_write(s->sim, off, (uint16_t)v);
}
static const MemoryRegionOps calypso_sim_ops = {
.read = calypso_sim_read,
.write = calypso_sim_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.valid = { .min_access_size = 1, .max_access_size = 4 },
.impl = { .min_access_size = 1, .max_access_size = 4 },
};
/* ---- TDMA ---- */
static void calypso_frame_irq_lower(void *o){qemu_irq_lower(((CalypsoTRX*)o)->irqs[CALYPSO_IRQ_TPU_FRAME]);}
static void calypso_tdma_tick(void *opaque) {
CalypsoTRX *s = opaque;
int64_t entry_t = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
int64_t t_clk = 0, t_uart = 0, t_dspboot = 0, t_dspirq = 0,
t_bsp = 0, t_ul = 0;
s->fn = (s->fn+1) % GSM_HYPERFRAME;
/* ── 0. Send CLK tick to bridge (QEMU is clock master) ── */
if (s->clk_fd >= 0) {
uint8_t pkt[4];
pkt[0] = (s->fn >> 24) & 0xFF;
pkt[1] = (s->fn >> 16) & 0xFF;
pkt[2] = (s->fn >> 8) & 0xFF;
pkt[3] = s->fn & 0xFF;
sendto(s->clk_fd, pkt, 4, 0,
(struct sockaddr *)&s->clk_peer, sizeof(s->clk_peer));
}
t_clk = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
/* ── 1. UART poll: deliver pending chardev bytes to firmware ── */
if (g_uart_modem) {
calypso_uart_poll_backend(g_uart_modem);
calypso_uart_kick_rx(g_uart_modem);
}
t_uart = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
/* ── 2. DSP boot phase ── */
if (s->dsp && s->dsp->running && !s->dsp_init_done) {
if (!s->dsp->idle)
c54x_run(s->dsp, 256000);
if (s->dsp->idle) {
s->dsp_init_done = true;
TRX_LOG("DSP init complete (first IDLE reached)");
}
}
t_dspboot = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
/* ── 3. DMA is NOT done here ──
* On real Calypso, the TPU scenario triggers the DMA when the
* firmware writes TPU_CTRL with EN bit. This happens in
* calypso_dsp_done() (the TPU_CTRL_EN timer callback).
* Doing DMA here would copy a STALE write page because the
* firmware hasn't written the new tasks yet (it writes them
* in l1s_compl() which runs in the IRQ4 handler AFTER this tick). */
/* ── 4. DSP frame interrupt ──
* Three conditions for periodic INT3 fire:
* - INT_CTRL.ICTRL_DSP_FRAME (bit 2) = persistent enable at TPU,
* polarity INVERTED (bit clear = enabled).
* - DSP IMR bit 3 (C54X_INT_FRAME_BIT) = mask enable at DSP.
* Empirically: firing INT3 while IMR bit 3 = 0 perturbs the
* firmware boot path (DSP wakes from IDLE without expecting it,
* takes wrong code path, never reaches IMR-init at PC=0x0810,
* dead-locks). Respecting IMR matches the "hardware INT line
* gated by IMR" model used on Calypso.
* - TPU_CTRL.DSP_EN (bit 4) = one-shot force, alternative path.
* Bypasses IMR (explicit hardware override). */
if (s->dsp && s->dsp->running) {
bool was_idle = s->dsp->idle;
bool tpu_armed = !(s->tpu_regs[TPU_INT_CTRL/2] & ICTRL_DSP_FRAME);
bool imr_armed = !!(s->dsp->imr & (1 << C54X_INT_FRAME_BIT));
bool periodic_armed = tpu_armed && imr_armed;
bool force_pulse = !!(s->tpu_regs[TPU_CTRL/2] & TPU_CTRL_DSP_EN);
if (periodic_armed || force_pulse) {
c54x_interrupt_ex(s->dsp, C54X_INT_FRAME_VEC, C54X_INT_FRAME_BIT);
if (force_pulse)
s->tpu_regs[TPU_CTRL/2] &= ~TPU_CTRL_DSP_EN;
/* periodic_armed: do NOT clear — hardware-persistent enable. */
}
/* ── 5. Run DSP ── */
if (!s->dsp->idle) {
c54x_run(s->dsp, 256000);
}
/* Do NOT clear tasks here — the firmware's l1s_compl() does
* dsp_api_memset() on the write page at the start of each frame,
* before tdma_sched_execute() writes new tasks. Clearing here
* would erase tasks that the scheduler just programmed. */
/* Only pulse API IRQ when DSP naturally reaches IDLE. */
if (!was_idle && s->dsp->idle) {
qemu_irq_raise(s->irqs[CALYPSO_IRQ_API]);
}
}
t_dspirq = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
/* ── 6. Deliver buffered DL bursts to DSP ──
* Bursts from BTS arrive via UDP in real time, but BDLENA windows
* open in virtual time (faster). This step pulls buffered bursts
* and delivers them when BDLENA windows are available. */
calypso_bsp_deliver_buffered(s->fn);
t_bsp = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
/* ── 6b. UL burst poll ──
* The MCU→DSP write page exposes three independent UL task fields:
* d_task_u (word 2) — generic UL: SDCCH/SACCH/FACCH/TCH NB
* d_task_ra (word 7) — RACH access burst (8 info bits → AB)
* d_burst_u (word 3) — TN selector
* Each UL kind has its own d_task_*; the firmware (prim_rach.c,
* prim_tx_nb.c) writes whichever applies. We must poll all of them
* — polling only d_task_u silently drops every RACH attempt. */
{
uint16_t *wp = s->dsp_page ?
&s->dsp_ram[DSP_API_W_PAGE1 / 2] : &s->dsp_ram[DSP_API_W_PAGE0 / 2];
uint16_t task_u = wp[DB_W_D_TASK_U];
uint16_t task_ra = wp[DB_W_D_TASK_RA];
uint8_t tn = wp[DB_W_D_BURST_U] & 0x07;
if (task_ra != 0 && s->dsp) {
/* RACH: dsp_task_iq_swap(RACH_DSP_TASK, arfcn, 1) packs
* task ID + ARFCN. The 8-bit RACH info is in NDB d_rach.
* Burst encoding (gsm0503_rach_ext_encode) belongs in the
* BSP UL path — see calypso_bsp.c.
*
* IMPORTANT : zero-init bits[148] before encode. libosmocoding
* fills only the 41-bit sync + 36-bit FIRE-encoded data + 3-bit
* tail (~80 bits total in the AB structure). The remaining 60
* bits of guard period (positions 88..147) are NOT written by
* the encoder ; without zero-init we'd transmit stack garbage
* in the guard period, which BTS RACH detector treats as
* out-of-sync noise → silent drop. Confirmed empirically via
* burst hex print : same 8 trailing bits across all RAs before
* this fix. */
uint8_t bits[148] = {0};
if (calypso_bsp_tx_rach_burst(s->fn, bits)) {
calypso_bsp_send_ul(tn, s->fn, bits);
static int rach_log = 0;
if (++rach_log <= 20)
TRX_LOG("UL RACH task=0x%04x tn=%u fn=%u",
task_ra, tn, s->fn);
}
wp[DB_W_D_TASK_RA] = 0;
}
if (task_u != 0 && s->dsp) {
/* NB UL : same zero-init reasoning as RACH path. */
uint8_t bits[148] = {0};
if (calypso_bsp_tx_burst(tn, s->fn, bits)) {
calypso_bsp_send_ul(tn, s->fn, bits);
static int ul_log = 0;
if (++ul_log <= 20)
TRX_LOG("UL NB task=0x%04x tn=%u fn=%u",
task_u, tn, s->fn);
}
wp[DB_W_D_TASK_U] = 0;
}
}
t_ul = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
/* ── 7. TPU FRAME IRQ → ARM L1 scheduler ── */
{
static FILE *firq_log = NULL;
static int firq_count = 0;
static int64_t prev_firq_t = 0;
if (firq_count < 2000) { /* DISABLED for baseline — re-enable by setting >0 */
if (!firq_log) firq_log = fopen("/tmp/frame_irq.log", "w");
if (firq_log) {
int64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
int64_t dt = prev_firq_t ? (now - prev_firq_t) : 0;
int64_t target = now + GSM_TDMA_NS;
fprintf(firq_log, "[frame-irq] raise t_virt=%" PRId64
" dt=%" PRId64 " next_target=%" PRId64
" gap_to_target=%" PRId64 " fn=%u #%d\n",
now, dt, target, (target - now), s->fn, firq_count);
prev_firq_t = now;
firq_count++;
}
}
}
qemu_irq_raise(s->irqs[CALYPSO_IRQ_TPU_FRAME]);
timer_mod_ns(s->frame_irq_timer,
qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + 1000000);
/* ── 8. Re-arm TDMA timer ──
* FIX: anchor on entry_t (start of tick), not on exit_t. Otherwise
* the work_dt of the body cumulates into the deadline and the TDMA
* cadence drifts to (work_dt + GSM_TDMA_NS) instead of staying at
* GSM_TDMA_NS exact.
*
* Si déjà en retard (work_dt > GSM_TDMA_NS), sauter aux frames suivantes
* pour rester aligné sur la grille TDMA. Mimique silicon : la(les) frame(s)
* sont perdues mais le timer ne dérive pas et le main loop n'est pas saturé
* par des back-to-back catch-up. */
{
int64_t target = entry_t + GSM_TDMA_NS;
int64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
int skipped = 0;
while (target <= now) {
target += GSM_TDMA_NS;
skipped++;
}
{
static int rearm_log_count = 0;
if (rearm_log_count < 50) {
fprintf(stderr, "[rearm-fix] entry_t=%" PRId64 " target=%" PRId64
" now=%" PRId64 " gap_to_now=%" PRId64 " skipped=%d\n",
entry_t, target, now, target - now, skipped);
rearm_log_count++;
}
}
if (skipped > 0 && (s->fn % 100 == 0)) {
fprintf(stderr, "[tdma-skip] fn=%u skipped=%d work_dt=%" PRId64 "\n",
s->fn, skipped, now - entry_t);
}
if (s->tdma_running)
timer_mod_ns(s->tdma_timer, target);
}
{
static FILE *tick_log = NULL;
static int tick_count = 0;
if (tick_count < 500) {
if (!tick_log) tick_log = fopen("/tmp/tdma_tick.log", "w");
if (tick_log) {
int64_t exit_t = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
fprintf(tick_log, "[tdma-tick] entry=%" PRId64 " exit=%" PRId64
" work_dt=%" PRId64 " fn=%u #%d\n",
entry_t, exit_t, (exit_t - entry_t), s->fn, tick_count);
tick_count++;
}
}
}
/* Profile per sub-block: identifie quelle section consomme work_dt. */
{
static FILE *prof_log = NULL;
static int prof_count = 0;
if (prof_count < 200) {
if (!prof_log) prof_log = fopen("/tmp/tdma_profile.log", "w");
if (prof_log) {
int64_t exit_t = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
fprintf(prof_log, "[prof] fn=%u clk=%" PRId64 " uart=%" PRId64
" dspboot=%" PRId64 " dspirq=%" PRId64 " bsp=%" PRId64
" ul=%" PRId64 " irq=%" PRId64 " total=%" PRId64
" #%d\n",
s->fn,
t_clk - entry_t,
t_uart - t_clk,
t_dspboot - t_uart,
t_dspirq - t_dspboot,
t_bsp - t_dspirq,
t_ul - t_bsp,
exit_t - t_ul,
exit_t - entry_t,
prof_count);
prof_count++;
}
}
}
}
static void calypso_tdma_start(CalypsoTRX *s)
{
if (s->tdma_running) return;
s->tdma_running = true;
s->fn = 0;
TRX_LOG("TDMA started");
timer_mod_ns(s->tdma_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + GSM_TDMA_NS);
}
/* ---- kick ----
* Periodic CPU exit + main-loop wake. Whose role is to force the event
* loop to service fd handlers (UDP bridge sockets, chardev) even when
* the guest is in long TCG bursts.
*
* AUDIT FIX 2026-05-08 night : reverted to QEMU_CLOCK_REALTIME (was
* moved to VIRTUAL on 2026-05-07 based on a faulty diagnosis).
*
* Rationale per Claude web event-loop audit :
* - Under -icount, VIRTUAL warps with guest progress. A VIRTUAL-clock
* kick fires "in sync" with the guest = tautologically useless,
* cpu_exit becomes a no-op (we're already in the main loop when the
* timer dispatches), and the kick contributes nothing.
* - REALTIME on the other hand advances independently and guarantees
* that fd handlers are serviced at wall-time intervals regardless
* of guest TCG burst length. This is precisely the original purpose.
* - The 2026-05-07 claim that REALTIME-driven cpu_exit was blocking
* VIRTUAL TDMA timers was wrong : cpu_exit terminates the current
* burst, the main loop runs the next one immediately, and virtual
* time is not gated on cpu_exit calls.
*
* The real culprit blocking the bridge under icount was the
* `main_loop_wait(false)` recursive call in calypso_uart_rx_poll
* (fixed in calypso_uart.c same session), not this kick timer.
*/
static QEMUTimer *g_kick_timer;
static void calypso_kick_cb(void *o){
/* AUDIT INSTRUMENTATION 2026-05-08 night : confirm kick fires under
* -icount auto. Per Claude web : if 0 hits in 5s wall → REALTIME timer
* not armed correctly with icount. If N≈1000 hits/5s (5ms period) →
* timer fires but cpu_exit/notify don't propagate to scheduler. */
static unsigned kick_n;
kick_n++;
if (kick_n <= 30 || (kick_n % 200) == 0) {
uint64_t vt = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
uint64_t rt = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
fprintf(stderr, "[kick] fire #%u vt=%lu rt=%lu\n",
kick_n, (unsigned long)vt, (unsigned long)rt);
}
/* XXX HACK 2026-05-08 night — CALYPSO_FORCE_RX_DONE periodic enforcement.
*
* Each firmware SIM operation (ATR, SELECT, READ_BINARY, ...) calls
* calypso_sim_receive at 0x822588 which clears rxDoneFlag (firmware
* data @ 0x830510), then busy-polls. Under -icount auto, the conditional
* STR in sim_irq_handler @ 0x8224ac never commits (TCG bug Task #29).
*
* Firing the workaround only on SIM_IT-read fires once per WT cycle
* which doesn't cover subsequent SIM ops. Periodic enforcement here
* (every 5ms wall via REALTIME kick) keeps rxDoneFlag = 1 reliably,
* regardless of which SIM op is in flight. cpu_exit forces ARM TB
* recompile so busy-loop @ 0x822b90 picks up the new value. */
{
const char *env = getenv("CALYPSO_FORCE_RX_DONE");
if (env && env[0] == '1') {
const uint32_t one = 1;
cpu_physical_memory_write(0x00830510, &one, sizeof(one));
/* No need to log every kick (every 5ms = 200/s); cpu_exit
* is done unconditionally below. */
}
}
CPUState*cpu=first_cpu;if(cpu)cpu_exit(cpu);qemu_notify_event();
timer_mod_ns(g_kick_timer,qemu_clock_get_ns(QEMU_CLOCK_REALTIME)+5000000);
}
/* ---- Sercomm burst transport (DLCI 4) ---- */
/* RX burst from bridge (DL) — store in DSP RAM for firmware to read */
void calypso_trx_rx_burst(const uint8_t *data, int len)
{
if (!g_trx || len < 8) return;
CalypsoTRX *s = g_trx;
uint8_t tn = data[0] & 0x07;
uint32_t fn = ((uint32_t)data[1]<<24)|((uint32_t)data[2]<<16)|
((uint32_t)data[3]<<8)|(uint32_t)data[4];
/* Sync FN */
s->fn = fn % GSM_HYPERFRAME;
static int rx_count = 0;
if (++rx_count <= 5 || (rx_count % 1000) == 0)
TRX_LOG("RX_BURST #%d TN=%d FN=%u len=%d", rx_count, tn, fn, len);
/* No stubs — bursts go to BSP via UDP (calypso_bsp.c), not here.
* The DSP processes them and writes results to shared API RAM. */
(void)tn;
}
/* TX burst: send UL burst from DSP write page via UART TX as sercomm DLCI 4 */
static void calypso_trx_send_ul_burst(CalypsoTRX *s, uint16_t task_u)
{
if (!g_uart_modem || task_u == 0) return;
/* Read UL burst from write page.
* d_burst_u at word 3, burst data follows in NDB a_cu area. */
uint16_t *wp = s->dsp_page ?
&s->dsp_ram[DSP_API_W_PAGE1 / 2] : &s->dsp_ram[DSP_API_W_PAGE0 / 2];
/* Build TRXD v0 TX packet: TN(1) FN(4) PWR(1) bits(148) */
uint8_t pkt[6 + 148];
uint8_t tn = wp[3] & 0x07; /* d_burst_u has TN info */
uint32_t fn = s->fn;
pkt[0] = tn;
pkt[1] = (fn >> 24) & 0xFF;
pkt[2] = (fn >> 16) & 0xFF;
pkt[3] = (fn >> 8) & 0xFF;
pkt[4] = fn & 0xFF;
pkt[5] = 0; /* TX power */
/* Read burst bits from NDB UL area — for now send dummy burst */
memset(&pkt[6], 0, 148);
/* Wrap in sercomm DLCI 4 and send via UART TX */
uint8_t frame[512];
int pos = 0;
frame[pos++] = 0x7E; /* FLAG */
/* Header: DLCI + CTRL, with escaping */
uint8_t hdr[2] = { 0x04, 0x03 };
for (int i = 0; i < 2; i++) {
if (hdr[i] == 0x7E || hdr[i] == 0x7D) {
frame[pos++] = 0x7D;
frame[pos++] = hdr[i] ^ 0x20;
} else {
frame[pos++] = hdr[i];
}
}
/* Payload with escaping */
int pkt_len = 6 + 148;
for (int i = 0; i < pkt_len && pos < 500; i++) {
if (pkt[i] == 0x7E || pkt[i] == 0x7D) {
frame[pos++] = 0x7D;
frame[pos++] = pkt[i] ^ 0x20;
} else {
frame[pos++] = pkt[i];
}
}
frame[pos++] = 0x7E; /* FLAG */
/* Write to UART chardev (goes to PTY → bridge reads it) */
qemu_chr_fe_write_all(&g_uart_modem->chr, frame, pos);
}
void calypso_trx_tx_burst_poll(void)
{
if (!g_trx) return;
/* Check if firmware wrote a UL task */
CalypsoTRX *s = g_trx;
uint16_t *wp = s->dsp_page ?
&s->dsp_ram[DSP_API_W_PAGE1 / 2] : &s->dsp_ram[DSP_API_W_PAGE0 / 2];
uint16_t task_u = wp[DB_W_D_TASK_U];
if (task_u != 0) {
calypso_trx_send_ul_burst(s, task_u);
wp[DB_W_D_TASK_U] = 0; /* clear after sending */
}
}
/* ---- Init ---- */
void calypso_trx_init(MemoryRegion *sysmem, qemu_irq *irqs)
{
CalypsoTRX *s = g_new0(CalypsoTRX, 1);
g_trx = s; s->irqs = irqs; s->sync_bsic = 7;
s->clk_fd = -1;
TRX_LOG("=== Calypso hardware init ===");
memory_region_init_io(&s->dsp_iomem,NULL,&calypso_dsp_ops,s,"calypso.dsp_api",CALYPSO_DSP_SIZE);
memory_region_add_subregion(sysmem,CALYPSO_DSP_BASE,&s->dsp_iomem);
s->dsp_ram[DSP_DL_STATUS_ADDR/2]=DSP_DL_STATUS_READY; s->dsp_ram[DSP_API_VER_ADDR/2]=DSP_API_VERSION; s->dsp_booted=true;
memory_region_init_io(&s->tpu_iomem,NULL,&calypso_tpu_ops,s,"calypso.tpu",CALYPSO_TPU_SIZE);
memory_region_add_subregion(sysmem,CALYPSO_TPU_BASE,&s->tpu_iomem);
memory_region_init_io(&s->tpu_ram_iomem,NULL,&calypso_tpu_ram_ops,s,"calypso.tpu_ram",CALYPSO_TPU_RAM_SIZE);
memory_region_add_subregion(sysmem,CALYPSO_TPU_RAM_BASE,&s->tpu_ram_iomem);
memory_region_init_io(&s->tsp_iomem,NULL,&calypso_tsp_ops,s,"calypso.tsp",CALYPSO_TSP_SIZE);
memory_region_add_subregion(sysmem,CALYPSO_TSP_BASE,&s->tsp_iomem);
memory_region_init_io(&s->ulpd_iomem,NULL,&calypso_ulpd_ops,s,"calypso.ulpd",CALYPSO_ULPD_SIZE);
memory_region_add_subregion(sysmem,CALYPSO_ULPD_BASE,&s->ulpd_iomem);
s->sim = calypso_sim_new(s->irqs[CALYPSO_IRQ_SIM]);
memory_region_init_io(&s->sim_iomem,NULL,&calypso_sim_ops,s,"calypso.sim",CALYPSO_SIM_SIZE);
memory_region_add_subregion(sysmem,CALYPSO_SIM_BASE,&s->sim_iomem);
s->tdma_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,calypso_tdma_tick,s);
s->dsp_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,calypso_dsp_done,s);
s->frame_irq_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,calypso_frame_irq_lower,s);
g_kick_timer = timer_new_ns(QEMU_CLOCK_REALTIME,calypso_kick_cb,NULL);
timer_mod_ns(g_kick_timer,qemu_clock_get_ns(QEMU_CLOCK_REALTIME)+5000000);
/* C54x DSP emulator */
{
const char *rom_path = getenv("CALYPSO_DSP_ROM");
if (!rom_path) rom_path = "/opt/GSM/calypso_dsp.txt";
s->dsp = c54x_init();
if (s->dsp) {
c54x_set_api_ram(s->dsp, s->dsp_ram);
if (c54x_load_rom(s->dsp, rom_path) == 0) {
c54x_reset(s->dsp);
calypso_bsp_init(s->dsp);
TRX_LOG("C54x DSP loaded from %s", rom_path);
} else {
TRX_LOG("C54x DSP ROM not found at %s", rom_path);
free(s->dsp);
s->dsp = NULL;
}
}
}
TRX_LOG("=== Hardware ready ===");
/* CLK UDP: QEMU sends TDMA ticks to bridge on port 6700.
* Bridge is clock-slave — no independent timer. */
{
int fd = socket(AF_INET, SOCK_DGRAM, 0);
if (fd >= 0) {
fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
s->clk_fd = fd;
memset(&s->clk_peer, 0, sizeof(s->clk_peer));
s->clk_peer.sin_family = AF_INET;
s->clk_peer.sin_port = htons(6700);
s->clk_peer.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
TRX_LOG("CLK UDP → bridge 127.0.0.1:6700");
}
}
}./hw/arm/calypso/CLAUDE.md
Calypso HW — C54x DSP Emulator Context
Opcode Debug Workflow
- Find the suspect opcode value (from boot trace or PC HIST)
- Check
tic54x-opc.cin binutils:grep "0xXX" /home/nirvana/gnuarm/src/binutils-2.21.1/opcodes/tic54x-opc.c - Cross-reference with SPRU172C (TMS320C54x instruction set)
- Fix in
calypso_c54x.cinc54x_exec_one()switch - Build, run, check DSP IDLE + SP + IMR
ROM Reader
bash /opt/GSM/dsp_read.sh <section> <addr_hex>
## Sections: regs, drom, pdrom, prom0, prom1, prom2, prom3
## Example: bash /opt/GSM/dsp_read.sh prom0 0x770CDSP Boot Trace Format
[c54x] BOOT[phase.step] PC=0xXXXX op=0xXXXX SP=0xXXXX A=... B=...- phase 1 = first boot, phase 2 = second boot (after DSP_DL_STATUS_READY)
- Check SP changes to detect stack corruption
- SP should stay near 0x5AC8 during boot
C54x Addressing Modes (resolve_smem)
- Bit 7 = 0: Direct addressing → (DP << 7) | (op & 0x7F)
- Bit 7 = 1: Indirect → modes 0x0-0xF with AR[ARP]
- Modes 0xC-0xF: lk_used = consume extra word from prog
Critical DSP State at IDLE
Healthy boot produces:
IDLE @0x770C INTM=1 IMR=0xFFFF SP=0x5AC8If IMR=0x0000: init code was skipped (opcode bug caused branch over init) If SP < 0x5000: stack overflow (opcode doing spurious PUSH/CALL)
Firmware Symbols (from nm)
| Symbol | Address | Purpose |
|---|---|---|
| main | 0x820190 | ARM main loop |
| l1a_l23_handler | 0x823f9c | L1CTL message dispatch |
| l1s_pm_test | 0x825424 | Schedule PM in TDMA |
| l1s_fbsb_req | 0x826778 | Schedule FB/SB |
| l1s_fbdet_cmd | 0x8262cc | Write d_task_md=5 |
| l1a_compl_execute | 0x825180 | Main loop completions |
| sim_handler | 0x82266c | SIM (patched to BX LR) |
| tdma_sched_execute | 0x828ef8 | TDMA scheduler |
| sercomm | 0x832428 | Sercomm state |
| dsp_api | 0x82f9c4 | DSP API pointers |
| l1s | 0x836508 | L1S state |
| fbs | 0x8307ec | FBSB state |
| l23_rx_queue | 0x82f854 | L1CTL RX queue |
./hw/arm/calypso/calypso_tint0.c
/*
* calypso_tint0.c -- TINT0 master clock for Calypso GSM virtualization
*
* Emulates the C54x DSP Timer 0 as a QEMU virtual timer.
* On real hardware, Timer 0 runs off the 13 MHz DSP clock divided by
* (PRD+1)*(TDDR+1) to produce a 4.615 ms TDMA frame tick (TINT0).
* TINT0 drives the entire Calypso timing: DSP frame processing,
* TPU sync, ARM frame IRQ, and UART polling.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "qemu/timer.h"
#include "qemu/main-loop.h"
#include "hw/irq.h"
#include "calypso_tint0.h"
#include "calypso_c54x.h"
#include "hw/core/cpu.h"
#define TINT0_LOG(fmt, ...) \
fprintf(stderr, "[tint0] " fmt "\n", ##__VA_ARGS__)
/* calypso_trx.c implements the actual frame work (DSP run, IRQs, UART) */
extern void calypso_tint0_do_tick(uint32_t fn);
/* orch CLK→BTS is now driven from TINT0 (2× rate via internal half-tick). */
/* ---- State ---- */
static struct {
QEMUTimer *timer;
uint32_t fn;
bool running;
bool tpu_en_pending;
} tint0;
/* ---- Timer callback (fires every 4.615ms) ---- */
static void tint0_tick_cb(void *opaque)
{
tint0.fn = (tint0.fn + 1) % GSM_HYPERFRAME;
/* No forced page tic-toc here: the DSP itself writes d_dsp_page
* each frame (PC=0xf321 / 0xf5ec) — the trx api hook mirrors the
* value into ARM space. We let the firmware drive the toggle. */
/* Delegate frame work to calypso_trx */
calypso_tint0_do_tick(tint0.fn);
/* Re-arm timer */
if (tint0.running) {
timer_mod_ns(tint0.timer,
qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + TINT0_PERIOD_NS);
}
/* Kick ARM CPU to process pending IRQs */
qemu_notify_event();
}
/* ---- Public API ---- */
void calypso_tint0_start(void)
{
if (tint0.running) return;
if (!tint0.timer) {
tint0.timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, tint0_tick_cb, NULL);
}
tint0.running = true;
/* Do NOT force tint0.fn = 0 here. A real GSM BTS never restarts the
* frame counter at 0 — it only ever advances. Resetting on every
* TINT0 start makes the firmware believe it just synchronized to a
* fresh hyperframe each run, which is the "fn injection" hack the
* user flagged 2026-04-07 night. Whoever owns the master clock
* (calypso_tint0_set_fn from a network-derived source) should seed
* fn before calling start; otherwise it inherits whatever value the
* static struct holds (0 on first boot only). */
TINT0_LOG("started (period=%.3f ms, IFR bit %d, vec %d) fn=%u",
TINT0_PERIOD_NS / 1e6, TINT0_IFR_BIT, TINT0_VEC, tint0.fn);
timer_mod_ns(tint0.timer,
qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + TINT0_PERIOD_NS);
}
void calypso_tint0_tpu_en(void)
{
tint0.tpu_en_pending = true;
}
bool calypso_tint0_tpu_en_pending(void)
{
return tint0.tpu_en_pending;
}
void calypso_tint0_tpu_en_clear(void)
{
tint0.tpu_en_pending = false;
}
uint32_t calypso_tint0_fn(void)
{
return tint0.fn;
}
void calypso_tint0_set_fn(uint32_t fn)
{
tint0.fn = fn % GSM_HYPERFRAME;
}
bool calypso_tint0_running(void)
{
return tint0.running;
}./hw/arm/calypso/calypso_c54x.h
/*
* calypso_c54x.h — TMS320C54x DSP emulator for Calypso
*
* Emulates the C54x DSP core found in the TI Calypso baseband chip.
* Loads ROM dump, executes instructions, shares API RAM with ARM.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef CALYPSO_C54X_H
#define CALYPSO_C54X_H
#include <stdint.h>
#include <stdbool.h>
/* Memory sizes (in 16-bit words) */
#define C54X_PROG_SIZE 0x40000 /* 256K words program space */
#define C54X_DATA_SIZE 0x10000 /* 64K words data space */
#define C54X_IO_SIZE 0x10000 /* 64K words I/O space */
/* API RAM: shared between ARM and DSP */
#define C54X_API_BASE 0x0800 /* DSP data address of API RAM */
#define C54X_API_SIZE 0x2000 /* 8K words */
/* DSP start address (after boot) */
#define C54X_DSP_START 0x7000
/* MMR addresses (data memory 0x00-0x1F) */
#define MMR_IMR 0x00
#define MMR_IFR 0x01
#define MMR_ST0 0x06
#define MMR_ST1 0x07
#define MMR_AL 0x08
#define MMR_AH 0x09
#define MMR_AG 0x0A
#define MMR_BL 0x0B
#define MMR_BH 0x0C
#define MMR_BG 0x0D
#define MMR_T 0x0E
#define MMR_TRN 0x0F
#define MMR_AR0 0x10
#define MMR_AR1 0x11
#define MMR_AR2 0x12
#define MMR_AR3 0x13
#define MMR_AR4 0x14
#define MMR_AR5 0x15
#define MMR_AR6 0x16
#define MMR_AR7 0x17
#define MMR_SP 0x18
#define MMR_BK 0x19
#define MMR_BRC 0x1A
#define MMR_RSA 0x1B
#define MMR_REA 0x1C
#define MMR_PMST 0x1D
#define MMR_XPC 0x1E
/* Timer registers (memory-mapped at 0x0024-0x0026) */
#define TIM_ADDR 0x0024 /* Timer counter */
#define PRD_ADDR 0x0025 /* Timer period */
#define TCR_ADDR 0x0026 /* Timer control */
/* TCR bit positions (TMS320C54x hardware spec) */
#define TCR_TDDR_MASK 0x000F /* bits 3:0 — prescaler reload value */
#define TCR_TSS (1 << 4) /* bit 4 — Timer Stop Status (1=stopped) */
#define TCR_TRB (1 << 5) /* bit 5 — Timer Reload (write 1 reloads) */
#define TCR_PSC_SHIFT 6 /* bits 9:6 — prescale counter */
#define TCR_PSC_MASK (0xF << TCR_PSC_SHIFT)
#define TCR_SOFT (1 << 10)
#define TCR_FREE (1 << 11)
/* ST0 bit positions */
#define ST0_DP_MASK 0x01FF /* bits 8-0: data page pointer */
#define ST0_OVB (1 << 9)
#define ST0_OVA (1 << 10)
#define ST0_C (1 << 11)
#define ST0_TC (1 << 12)
#define ST0_ARP_SHIFT 13
#define ST0_ARP_MASK (7 << ST0_ARP_SHIFT)
/* ST1 bit positions */
#define ST1_ASM_MASK 0x001F /* bits 4-0: accumulator shift mode */
#define ST1_CMPT (1 << 5)
#define ST1_FRCT (1 << 6)
#define ST1_C16 (1 << 7)
#define ST1_SXM (1 << 8)
#define ST1_OVM (1 << 9)
#define ST1_INTM (1 << 11)
#define ST1_HM (1 << 12)
#define ST1_XF (1 << 13)
#define ST1_BRAF (1 << 14)
/* PMST bit positions (per SPRU131: SST=0 SMUL=1 CLKOFF=2 DROM=3 APTS=4 OVLY=5 MP/MC=6) */
#define PMST_SST (1 << 0)
#define PMST_SMUL (1 << 1)
#define PMST_CLKOFF (1 << 2)
#define PMST_DROM (1 << 3)
#define PMST_APTS (1 << 4)
#define PMST_OVLY (1 << 5)
#define PMST_MP_MC (1 << 6)
#define PMST_IPTR_SHIFT 7
#define PMST_IPTR_MASK (0x1FF << PMST_IPTR_SHIFT)
/* Interrupt vectors */
#define C54X_INT_RESET 0
#define C54X_INT_NMI 1
/* TMS320C54x interrupt mapping: vector = IMR_bit + 2
* IMR bit 0 → INT0 → vec 2 IMR bit 5 → BRINT0 → vec 7
* IMR bit 1 → INT1 → vec 3 IMR bit 6 → BXINT0 → vec 8
* IMR bit 2 → INT2 → vec 4 IMR bit 7 → DMAC0 → vec 9
* IMR bit 3 → INT3 → vec 5 IMR bit 8 → DMAC1 → vec 10
* IMR bit 4 → TINT0→ vec 6 IMR bit 9 → INT4 → vec 11
* IMR bit 10→ INT5 → vec 12 */
/* TMS320C54x interrupt vector mapping (SPRU131):
* Vec 0: RESET Vec 16: INT0 (IMR bit 0)
* Vec 1: NMI Vec 17: INT1 (IMR bit 1)
* Vec 2: SINT17 Vec 18: INT2 (IMR bit 2)
* Vec 3: SINT18 Vec 19: INT3 (IMR bit 3)
* Vec 4: SINT19 Vec 20: TINT0 (IMR bit 4)
* Vec 5: SINT20 Vec 21: BRINT0 (IMR bit 5)
* ... Vec 22: BXINT0 (IMR bit 6)
* Vec 23: DMAC0 (IMR bit 7)
* Vec 24: DMAC1 (IMR bit 8)
* Formula: vec = imr_bit + 16 */
/* Calypso DSP firmware enables IMR bits 3 + 7 + upper (observed IMR=0xFF88).
* Bit 3 = INT3 = vec 19 — this is the external frame-sync line from the TPU,
* the only "frame" interrupt the firmware actually unmasks. Use it. */
#define C54X_INT_FRAME_VEC 19 /* INT3 = vec (3+16) */
#define C54X_INT_FRAME_BIT 3 /* IMR bit 3 */
#define C54X_NUM_INTS 16
typedef struct C54xState {
/* Accumulators (40-bit) stored as int64 for convenience */
int64_t a; /* A accumulator: bits 39-0 */
int64_t b; /* B accumulator: bits 39-0 */
/* Auxiliary registers */
uint16_t ar[8];
/* Other registers */
uint16_t t; /* Temporary register */
uint16_t trn; /* Transition register (Viterbi) */
uint16_t sp;
uint16_t bk; /* Circular buffer size */
uint16_t brc; /* Block repeat counter */
uint16_t rsa; /* Block repeat start address */
uint16_t rea; /* Block repeat end address */
/* Status registers */
uint16_t st0;
uint16_t st1;
uint16_t pmst;
/* Interrupt registers */
uint16_t imr;
uint16_t ifr;
/* Program counter */
uint32_t pc; /* 16-bit (or 23-bit with XPC) */
uint16_t xpc;
/* Timer0 prescale counter (PSC) — not memory-mapped directly */
uint16_t timer_psc;
/* DMA sub-register bank (6 channels × 4 regs) */
uint16_t dma_subaddr;
uint16_t dma_subregs[24];
/* McBSP sub-register bank */
uint16_t spsa;
/* RPT state */
uint16_t rpt_count; /* remaining RPT iterations */
uint16_t rpt_pc; /* PC of repeated instruction */
bool rpt_active;
uint16_t par; /* Program Address Register (for READA/WRITA/MACD/MACP) */
bool par_set;
bool lk_used; /* resolve_smem consumed extra word for lk */
uint16_t mvpd_src; /* MVPD auto-increment source address during RPT */
/* RPTB state */
bool rptb_active;
/* Delayed-branch state (CALLD/RETD/BD/CCD/...): when set, the next
* `delay_slots` instructions execute normally, then PC is forced to
* `delayed_pc`. */
uint16_t delayed_pc;
uint8_t delay_slots;
/* Memory */
uint16_t prog[C54X_PROG_SIZE]; /* Program memory */
uint16_t data[C54X_DATA_SIZE]; /* Data memory */
/* API RAM pointer (shared with ARM calypso_trx.c) */
uint16_t *api_ram; /* points into ARM's dsp_ram[] */
/* DSP → ARM notify hook: called whenever the DSP writes to api_ram. */
void (*api_write_cb)(void *opaque, uint16_t woff, uint16_t val);
void *api_write_cb_opaque;
/* State */
bool running;
bool idle; /* IDLE instruction executed */
uint64_t cycles;
uint32_t insn_count;
/* BSP (Baseband Serial Port) — burst sample buffer */
uint16_t bsp_buf[2048]; /* burst I/Q samples from radio */
int bsp_len; /* number of samples */
int bsp_pos; /* read position */
/* Debug */
uint32_t unimpl_count;
uint16_t last_unimpl;
/* Last executed instruction snapshot — captured at end of each
* c54x_run iteration. Used by the INTM-TRANS tracer (and others)
* to attribute post-instruction state changes to the actual cause
* PC/opcode rather than the post-advance PC. */
uint16_t last_exec_pc;
uint16_t last_exec_op;
/* writer_kind : set by each opcode handler / external writer before
* calling data_write. Logged in DATA-W-MMR trace to disambiguate
* which path is responsible for stray writes to MMR (addr<=0x1F).
* Reset to WK_UNKNOWN at the top of c54x_exec_one. */
uint8_t writer_kind;
} C54xState;
/* writer_kind enum — keep small, extend as needed */
enum {
WK_UNKNOWN = 0,
WK_OPCODE_F3 = 1, /* 0xF3xx family (SFTL/AND/OR/XOR/INTR/etc.) */
WK_OPCODE_8x = 2, /* 0x80xx-0x8Fxx (STL/STH/STLM/STM/LD-Smem) */
WK_OPCODE_77 = 3, /* 0x77xx STM #lk, MMR */
WK_OPCODE_76 = 4, /* 0x76xx ST #lk, Smem */
WK_OPCODE_PSHM = 5, /* PSHM/POPM stack ops */
WK_OPCODE_RET = 6, /* RET/RETI/RETD frame restore */
WK_IRQ_ACK = 7, /* IRQ acknowledge / vector dispatch */
WK_ARM_MMIO = 8, /* ARM-side write through shared region */
WK_RESOLVE_AR = 9, /* resolve_smem AR-modify side effect */
WK_OPCODE_OTHER= 10, /* anything else inside an opcode handler */
};
/* Feed burst samples to BSP (called by calypso_trx) */
void c54x_bsp_load(C54xState *s, const uint16_t *samples, int n);
/* Create and initialize C54x state */
C54xState *c54x_init(void);
/* Load ROM dump from text file */
int c54x_load_rom(C54xState *s, const char *path);
/* Link API RAM (shared memory with ARM) */
void c54x_set_api_ram(C54xState *s, uint16_t *api_ram);
/* Reset the DSP */
void c54x_reset(C54xState *s);
/* Execute N instructions (returns actual count executed) */
int c54x_run(C54xState *s, int n_insns);
/* Raise an interrupt */
/* Send interrupt: vec = vector number (for PC), imr_bit = bit in IMR/IFR */
void c54x_interrupt_ex(C54xState *s, int vec, int imr_bit);
/* Wake from IDLE */
void c54x_wake(C54xState *s);
#endif /* CALYPSO_C54X_H */./hw/arm/calypso/calypso_fbsb.c
/*
* calypso_fbsb.c — QEMU-side FBSB orchestration (cf. osmocom prim_fbsb.c)
*
* Standalone module: only depends on calypso_fbsb.h. Holds no global
* state; all state lives in the CalypsoFbsb instance owned by the
* caller (typically calypso_trx.c).
*
* The intent is to handle the first FB detection cycle on behalf of
* the broken DSP path so the ARM firmware can progress past
* l1s_fbdet_resp without burning the 12-attempts-then-give-up timeout
* that triggers the 3-second reset cycle.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "calypso_fbsb.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* ---------------------------------------------------------------- *
* Internal: NDB cell access. ndb is the ARM-side dsp_ram[] view
* (uint16_t *), word-addressed from API base (0x0800 DSP).
* Address 0x08D4 maps to ndb[(0x08D4 - 0x0800)] = ndb[0x00D4].
* ---------------------------------------------------------------- */
static inline uint16_t *cell(CalypsoFbsb *s, uint16_t dsp_addr)
{
if (!s || !s->ndb) return NULL;
if (dsp_addr < s->api_base) return NULL;
return &s->ndb[dsp_addr - s->api_base];
}
static inline uint16_t cell_rd(CalypsoFbsb *s, uint16_t dsp_addr)
{
uint16_t *p = cell(s, dsp_addr);
return p ? *p : 0;
}
static inline void cell_wr(CalypsoFbsb *s, uint16_t dsp_addr, uint16_t v)
{
uint16_t *p = cell(s, dsp_addr);
if (p) *p = v;
}
/* ---------------------------------------------------------------- */
void calypso_fbsb_init(CalypsoFbsb *s, uint16_t *ndb_word_base,
uint16_t api_base)
{
if (!s) return;
s->ndb = ndb_word_base;
s->api_base = api_base;
calypso_fbsb_reset(s);
}
void calypso_fbsb_reset(CalypsoFbsb *s)
{
if (!s) return;
s->state = FBSB_IDLE;
s->fb0_attempt = 0;
s->fb1_attempt = 0;
s->sb_attempt = 0;
s->fb0_retries = 0;
s->afc_retries = 0;
s->last_toa = 0;
s->last_angle = 0;
s->last_pm = 0;
s->last_snr = 0;
s->fn_started = 0;
}
/* ---------------------------------------------------------------- *
* Hook: ARM has just written d_task_md (or any task descriptor that
* means "DSP, do this on the next frame"). We mirror what the
* firmware's prim_fbsb.c expects: when the task is FB_DSP_TASK we
* enter FB0_SEARCH; when it's SB_DSP_TASK we enter SB_SEARCH.
* ---------------------------------------------------------------- */
/* CALYPSO_FBSB_SYNTH=1 → publish synthetic FB/SB results in NDB so the
* firmware progresses past FBSB without waiting for the DSP correlator
* to converge. Documented dev-assist for cases where the emulated DSP
* fb-det doesn't converge on bridge-fed GMSK samples. Default 0 = real
* DSP path. Read once at first call. */
static int fbsb_synth_mode(void)
{
static int cached = -1;
if (cached < 0) {
const char *e = getenv("CALYPSO_FBSB_SYNTH");
cached = (e && *e == '1') ? 1 : 0;
fprintf(stderr, "[calypso-fbsb] CALYPSO_FBSB_SYNTH=%d (%s path)\n",
cached, cached ? "synth, dev-assist" : "real DSP");
fflush(stderr);
}
return cached;
}
void calypso_fbsb_on_dsp_task_change(CalypsoFbsb *s, uint16_t d_task_md,
uint64_t fn)
{
fprintf(stderr, "[calypso-fbsb] on_dsp_task_change task=%u fn=%lu state=%d\n",
d_task_md, (unsigned long)fn, s ? (int)s->state : -1);
fflush(stderr);
if (!s) return;
int synth = fbsb_synth_mode();
switch (d_task_md) {
case DSP_TASK_FB:
/* The DSP runs the real fb-det routine on the I/Q stream that
* the BSP feeds from osmo-bts-trx (GMSK-modulated). Convergence
* depends on the routine running fully each frame — see
* doc/FBSB_FLOW.md and the icount/wall-clock notes in run.sh.
* If CALYPSO_FBSB_SYNTH=1, publish synthetic results to bypass
* the (currently non-converging) emulated correlator. */
s->state = FBSB_FB0_SEARCH;
s->fb0_attempt = 0;
s->fb1_attempt = 0;
s->sb_attempt = 0;
s->fn_started = fn;
if (synth) {
calypso_fbsb_publish_fb_found(s,
/* toa */ 0, /* pm */ 80, /* angle */ 0, /* snr */ 100);
s->state = FBSB_FB0_FOUND;
calypso_fbsb_dump(s, "FB0_FOUND (synth)");
} else {
calypso_fbsb_dump(s, "FB0_SEARCH (real DSP path)");
}
break;
case DSP_TASK_SB:
s->state = FBSB_SB_SEARCH;
s->sb_attempt = 0;
s->fn_started = fn;
if (synth) {
calypso_fbsb_publish_sb_found(s, /* bsic */ 0);
s->state = FBSB_SB_FOUND;
calypso_fbsb_dump(s, "SB_FOUND (synth)");
} else {
calypso_fbsb_dump(s, "SB_SEARCH (real DSP path)");
}
break;
case DSP_TASK_ALLC: {
/* CCCH read (task=24, ALLC_DSP_TASK). The DSP demodulates BCCH
* bursts delivered by BSP DMA, channel-decodes (deinterleaving +
* FIRE check), and writes the resulting LAPDm bytes to a_cd[] +
* responds via db_r->d_task_d/d_burst_d. ARM L1S then synthesizes
* a DATA_IND. No QEMU-side intervention. */
static int log_once;
if (!log_once++) {
fprintf(stderr,
"[fbsb] ALLC task=24 fn=%lu — real DSP CCCH demod "
"(QEMU does not write a_cd[] from any side-channel)\n",
(unsigned long)fn);
fflush(stderr);
}
break;
}
case DSP_TASK_NONE:
default:
break;
}
}
/* ---------------------------------------------------------------- *
* Hook: called from calypso_trx.c at every frame tick. The state
* machine here decides whether to publish a synthetic "FB found" into
* NDB so the firmware progresses, or to wait another frame.
*
* The first cut is INTENTIONALLY minimal: after the firmware has
* spent N attempts in FB0_SEARCH, we publish a plausible result (the
* SNR observed by the running DSP correlator if known, otherwise a
* default that exceeds FB0_SNR_THRESH=0). Subsequent stages are TODO.
* ---------------------------------------------------------------- */
void calypso_fbsb_on_frame_tick(CalypsoFbsb *s, uint64_t fn)
{
if (!s) return;
switch (s->state) {
case FBSB_FB0_SEARCH:
/* Should be unreachable: on_dsp_task_change publishes
* immediately and transitions to FB0_FOUND. Kept as a safety
* net in case the publish path changes. */
s->fb0_attempt++;
break;
case FBSB_FB0_FOUND:
/* Stay here until ARM either re-arms via d_task_md (which will
* push us back to FB0_SEARCH) or moves on. Don't auto-cascade
* to FB1_SEARCH — that loop ran fb1_attempt to 59 last run. */
break;
case FBSB_FB1_SEARCH:
s->fb1_attempt++;
break;
case FBSB_FB1_FOUND:
s->state = FBSB_SB_SEARCH;
s->sb_attempt = 0;
break;
case FBSB_SB_SEARCH:
/* TODO: synthesize a plausible SCH result (BSIC, FN, ToA) so
* l1s_sbdet_resp can complete and the firmware moves on to
* BCCH reception. Not implemented yet. */
break;
default:
break;
}
}
/* W1C latches in calypso_trx.c (set by c54x DSP-side iter writes).
* Invalidate them here so ARM read falls through to fresh fbsb values
* instead of stale DSP iter values. The master gate is g_a_sync_valid
* (false → all a_sync_* + d_fb_det reads fall through). Individual
* latch values cleared for hygiene. */
extern bool g_a_sync_valid;
extern uint16_t g_d_fb_det_latch;
extern uint16_t g_d_fb_mode_latch;
extern uint16_t g_a_sync_TOA_latch;
extern uint16_t g_a_sync_PM_latch;
extern uint16_t g_a_sync_ANG_latch;
extern uint16_t g_a_sync_SNR_latch;
static inline void invalidate_fbsb_latches(void)
{
g_a_sync_valid = false;
g_d_fb_det_latch = 0;
g_d_fb_mode_latch = 0;
g_a_sync_TOA_latch = 0;
g_a_sync_PM_latch = 0;
g_a_sync_ANG_latch = 0;
g_a_sync_SNR_latch = 0;
}
/* ---------------------------------------------------------------- */
void calypso_fbsb_publish_fb_found(CalypsoFbsb *s,
int16_t toa, uint16_t pm,
int16_t angle, uint16_t snr)
{
if (!s) return;
s->last_toa = toa;
s->last_pm = pm;
s->last_angle = angle;
s->last_snr = snr;
cell_wr(s, NDB_A_SYNC_DEMOD_TOA, (uint16_t)toa);
cell_wr(s, NDB_A_SYNC_DEMOD_PM, (uint16_t)(pm << 3)); /* prim_fbsb shifts >>3 on read */
cell_wr(s, NDB_A_SYNC_DEMOD_ANG, (uint16_t)angle);
cell_wr(s, NDB_A_SYNC_DEMOD_SNR, snr);
cell_wr(s, NDB_D_FB_DET, 1);
/* Invalidate W1C latches so ARM read returns these fresh values,
* not stale DSP iter snapshot. */
invalidate_fbsb_latches();
(void)toa; (void)pm; (void)angle; (void)snr;
}
void calypso_fbsb_clear_fb(CalypsoFbsb *s)
{
if (!s) return;
cell_wr(s, NDB_D_FB_DET, 0);
cell_wr(s, NDB_A_SYNC_DEMOD_TOA, 0);
/* Same latch invalidation as publish path — without this, ARM
* could keep reading a stale latched d_fb_det=1 after we cleared
* the cell. */
invalidate_fbsb_latches();
}
/* ---------------------------------------------------------------- *
* Sync Burst synthesis.
*
* l1s_sbdet_resp (cf prim_fbsb.c, doc §SB) reads:
* dsp_api.db_r->a_sch[0] — bit B_SCH_CRC=8 set means CRC ERROR.
* dsp_api.db_r->a_sch[3..4] — packed SB word, decoded by l1s_decode_sb
* into bsic / t1 / t2 / t3.
*
* db_r is double-buffered between dsp_ram[0x0050/2] (page 0) and
* dsp_ram[0x0078/2] (page 1). The READ page is selected by
* d_dsp_page & 1 (cf calypso_trx.c lines 561-564). We don't know which
* page the firmware will read at the next response frame, so we write
* BOTH pages — cheap and reliable.
*
* a_sch[] sits at struct word offset 15..19 in T_DB_DSP_TO_MCU
* (after a_pm[3] at 8..10 and a_serv_demod[4] at 11..14).
*
* sb encoding (l1s_decode_sb):
* bsic = (sb >> 2) & 0x3f
* t1 = ((sb>>23)&1) | ((sb>>7)&0x1fe) | ((sb<<9)&0x600)
* t2 = (sb>>18) & 0x1f
* t3p = ((sb>>24)&1) | ((sb>>15)&6)
* t3 = t3p*10 + 1
*
* For minimal valid: sb encoding such that bsic=<arg>, t1=t2=0, t3=1
* → t3p=0 → bits {24,16,15}=0; t2 bits {18..22}=0; t1 bits {7..15,23,9..10}=0.
* Then bsic only uses bits 2..7. So sb = (bsic & 0x3f) << 2.
* ---------------------------------------------------------------- */
void calypso_fbsb_publish_sb_found(CalypsoFbsb *s, uint8_t bsic)
{
if (!s || !s->ndb) return;
static const uint16_t db_r_word_base[2] = { 0x0028, 0x003C };
uint32_t sb = ((uint32_t)(bsic & 0x3f)) << 2;
for (int p = 0; p < 2; p++) {
uint16_t *rp = &s->ndb[db_r_word_base[p]];
rp[15] = 0; /* a_sch[0] — CRC OK (bit 8 cleared) */
rp[16] = 0; /* a_sch[1] */
rp[17] = 0; /* a_sch[2] */
rp[18] = (uint16_t)(sb & 0xFFFF); /* a_sch[3] = sb low */
rp[19] = (uint16_t)(sb >> 16); /* a_sch[4] = sb high */
}
}
/* ---------------------------------------------------------------- */
void calypso_fbsb_dump(const CalypsoFbsb *s, const char *tag)
{
if (!s) return;
static const char *names[] = {
"IDLE", "FB0_SEARCH", "FB0_FOUND",
"FB1_SEARCH", "FB1_FOUND",
"SB_SEARCH", "SB_FOUND",
"DONE", "FAIL",
};
fprintf(stderr,
"[fbsb] %s state=%s fb0_att=%u fb1_att=%u sb_att=%u "
"fb0_ret=%u afc_ret=%u last(snr=%u toa=%d ang=%d pm=%u)\n",
tag ? tag : "", names[s->state],
s->fb0_attempt, s->fb1_attempt, s->sb_attempt,
s->fb0_retries, s->afc_retries,
s->last_snr, s->last_toa, s->last_angle, s->last_pm);
fflush(stderr);
}./hw/arm/calypso/calypso_dbg.c
/*
* Calypso QEMU runtime debug categories — implementation.
*
* Parses CALYPSO_DBG env var once at init and exposes the mask via
* the global calypso_dbg_mask variable. The DBG() macro in calypso_dbg.h
* tests the mask before formatting/printing each log line.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "hw/arm/calypso/calypso_dbg.h"
uint32_t calypso_dbg_mask = 0;
static const struct {
const char *name;
enum calypso_dbg_cat cat;
} cat_table[] = {
{ "bsp", DBG_BSP },
{ "fb", DBG_FB },
{ "sp", DBG_SP },
{ "corrupt", DBG_CORRUPT },
{ "unimpl", DBG_UNIMPL },
{ "hot", DBG_HOT },
{ "xpc", DBG_XPC },
{ "call", DBG_CALL },
{ "f2", DBG_F2 },
{ "dump", DBG_DUMP },
{ "boot", DBG_BOOT },
{ "l1ctl", DBG_L1CTL },
{ "trx", DBG_TRX },
{ "pmst", DBG_PMST },
{ "rpt", DBG_RPT },
{ "mvpd", DBG_MVPD },
{ "inth", DBG_INTH },
{ "tint0", DBG_TINT0 },
};
#define N_CATS (sizeof(cat_table) / sizeof(cat_table[0]))
static const uint32_t default_mask =
(1u << DBG_CORRUPT) | (1u << DBG_UNIMPL);
static int once = 0;
void calypso_dbg_init(void)
{
if (once) return;
once = 1;
const char *env = getenv("CALYPSO_DBG");
if (!env) {
calypso_dbg_mask = default_mask;
fprintf(stderr, "[dbg] CALYPSO_DBG unset → default (corrupt,unimpl)\n");
return;
}
if (!*env || strcmp(env, "none") == 0) {
calypso_dbg_mask = 0;
fprintf(stderr, "[dbg] CALYPSO_DBG=none → all silent\n");
return;
}
if (strcmp(env, "all") == 0) {
calypso_dbg_mask = (1u << DBG__COUNT) - 1;
fprintf(stderr, "[dbg] CALYPSO_DBG=all → every category enabled\n");
return;
}
/* Parse comma-separated list. */
char buf[512];
snprintf(buf, sizeof(buf), "%s", env);
calypso_dbg_mask = 0;
char *tok = strtok(buf, ",");
while (tok) {
/* trim leading spaces */
while (*tok == ' ') tok++;
size_t l = strlen(tok);
while (l > 0 && (tok[l-1] == ' ' || tok[l-1] == '\n')) tok[--l] = 0;
int found = 0;
for (size_t i = 0; i < N_CATS; i++) {
if (strcasecmp(tok, cat_table[i].name) == 0) {
calypso_dbg_mask |= (1u << cat_table[i].cat);
found = 1;
break;
}
}
if (!found && *tok)
fprintf(stderr, "[dbg] unknown category '%s'\n", tok);
tok = strtok(NULL, ",");
}
/* Always force corrupt + unimpl on unless explicit "none". */
calypso_dbg_mask |= default_mask;
fprintf(stderr, "[dbg] CALYPSO_DBG=%s → mask=0x%08x\n", env, calypso_dbg_mask);
}./hw/arm/calypso/calypso_c54x.c
/*
* calypso_c54x.c — TMS320C54x DSP emulator for Calypso
*
* Minimal C54x core: enough to run the Calypso DSP ROM for GSM
* signal processing (Viterbi, deinterleaving, burst decode).
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "calypso_c54x.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* W1C latches for FB-detection iteration snapshot — defined in
* calypso_trx.c. Set here in data_write when DSP writes a_sync_SNR
* (LAST cell of fb-det sequence) from a real fb-det PC. Snapshot
* captures all 6 cells coherent. Consumed by ARM read. */
extern uint16_t g_d_fb_det_latch;
extern uint16_t g_d_fb_mode_latch;
extern int calypso_w1c_latch_enabled(void);
extern uint16_t g_a_sync_TOA_latch;
extern uint16_t g_a_sync_PM_latch;
extern uint16_t g_a_sync_ANG_latch;
extern uint16_t g_a_sync_SNR_latch;
extern bool g_a_sync_valid;
static int g_boot_trace = 0;
#define C54_LOG(fmt, ...) \
fprintf(stderr, "[c54x] " fmt "\n", ##__VA_ARGS__)
/* ================================================================
* Helpers
* ================================================================ */
/* Sign-extend 40-bit accumulator */
static inline int64_t sext40(int64_t v)
{
if (v & ((int64_t)1 << 39))
v |= ~(((int64_t)1 << 40) - 1);
else
v &= ((int64_t)1 << 40) - 1;
return v;
}
/* Saturate 40-bit to 32-bit (OVM mode) */
static inline int64_t sat32(int64_t v)
{
if (v > 0x7FFFFFFF) return 0x7FFFFFFF;
if (v < (int64_t)(int32_t)0x80000000) return (int64_t)(int32_t)0x80000000;
return v;
}
/* Get ARP from ST0 */
static inline int arp(C54xState *s)
{
return (s->st0 >> ST0_ARP_SHIFT) & 7;
}
/* Get DP from ST0 */
static inline uint16_t dp(C54xState *s)
{
return s->st0 & ST0_DP_MASK;
}
/* Get ASM from ST1 (5-bit signed) */
static inline int asm_shift(C54xState *s)
{
int v = s->st1 & ST1_ASM_MASK;
if (v & 0x10) v |= ~0x1F; /* sign extend */
return v;
}
/* ================================================================
* Memory access
* ================================================================ */
/* Forward decl: used by data_write() VECDUMP at MMR_PMST. */
static uint16_t prog_read(C54xState *s, uint32_t addr);
static uint16_t data_read(C54xState *s, uint16_t addr)
{
/* PC-histogram pour identifier la routine PM. Deux ranges :
* [0x3fb0..0x3fbf] = buffer BSP (samples I/Q)
* [0x3dcf..0x3dd5] = buffer scratch dominant (78k+52k reads observés)
* Compte par PC, dump top-10 toutes les 50k reads dans chaque range.
* Plus compteur d'entrée par PC dominant pour distinguer
* "PM cassée" vs "PM jamais appelée" (vu IRQ rate 1.5 Hz). */
if (addr >= 0x3fb0 && addr <= 0x3fbf) {
static uint32_t pc_hist_3fb[65536];
static uint32_t total_3fb;
pc_hist_3fb[s->pc]++;
total_3fb++;
if ((total_3fb % 50000) == 0) {
uint32_t top_pc[10] = {0};
uint32_t top_cnt[10] = {0};
for (uint32_t p = 0; p < 65536; p++) {
uint32_t c = pc_hist_3fb[p];
if (c == 0) continue;
for (int i = 0; i < 10; i++) {
if (c > top_cnt[i]) {
for (int j = 9; j > i; j--) {
top_pc[j] = top_pc[j-1];
top_cnt[j] = top_cnt[j-1];
}
top_pc[i] = p;
top_cnt[i] = c;
break;
}
}
}
fprintf(stderr, "[c54x] PC-HIST-3FB total=%u :", total_3fb);
for (int i = 0; i < 10 && top_cnt[i]; i++) {
fprintf(stderr, " %04x:%u", top_pc[i], top_cnt[i]);
}
fprintf(stderr, "\n");
}
}
if (addr >= 0x3dcf && addr <= 0x3dd5) {
static uint32_t pc_hist_3dd[65536];
static uint32_t total_3dd;
pc_hist_3dd[s->pc]++;
total_3dd++;
if ((total_3dd % 50000) == 0) {
uint32_t top_pc[10] = {0};
uint32_t top_cnt[10] = {0};
for (uint32_t p = 0; p < 65536; p++) {
uint32_t c = pc_hist_3dd[p];
if (c == 0) continue;
for (int i = 0; i < 10; i++) {
if (c > top_cnt[i]) {
for (int j = 9; j > i; j--) {
top_pc[j] = top_pc[j-1];
top_cnt[j] = top_cnt[j-1];
}
top_pc[i] = p;
top_cnt[i] = c;
break;
}
}
}
fprintf(stderr, "[c54x] PC-HIST-3DD total=%u :", total_3dd);
for (int i = 0; i < 10 && top_cnt[i]; i++) {
fprintf(stderr, " %04x:%u", top_pc[i], top_cnt[i]);
}
fprintf(stderr, "\n");
}
}
/* Watch the mailbox slots that the firmware polls at PROM0 0xb41a
* (LDU *(0x0ffe), A then BACC A) and 0xb41c (CMPM *(0x0fff), 4).
* If these stay zero / 0x10 forever, ARM never wrote them. */
if (addr == 0x0ffe || addr == 0x0fff || addr == 0x0ffc || addr == 0x0ffd) {
static unsigned watch_count;
watch_count++;
if (watch_count <= 60 || (watch_count % 10000) == 0) {
uint16_t vd = s->data[addr];
uint16_t va = s->api_ram ? s->api_ram[addr - C54X_API_BASE] : 0xDEAD;
fprintf(stderr,
"[c54x] WATCH-READ #%u data[0x%04x] data=0x%04x api_ram=0x%04x api_set=%d PC=0x%04x insn=%u\n",
watch_count, addr, vd, va, s->api_ram ? 1 : 0, s->pc, s->insn_count);
}
}
/* Wait-loop diagnostic: 0x3dd0 was found to absorb ~99.5 % of DARAM
* reads after the first ~500k reads — the DSP is stuck polling it.
* Log the first PCs and then sample once per million reads so we can
* trace the loop without flooding the log. */
if (addr == 0x3dd0) {
static unsigned wait_log;
static unsigned wait_seen;
wait_seen++;
if (wait_log < 20 || (wait_seen % 1000000) == 0) {
wait_log++;
fprintf(stderr,
"[c54x] WAIT-3DD0 #%u data[0x3dd0]=0x%04x PC=0x%04x AR2=%04x AR3=%04x insn=%u\n",
wait_seen, s->data[0x3dd0], s->pc,
s->ar[2], s->ar[3], s->insn_count);
}
}
/* d_fb_det watch — REAL DSP word address is 0x08F8.
* Mapping: ARM 0xFFD001F0 (BASE_API_NDB 0xFFD001A8 + 36 words × 2)
* = DSP word 0x0800 + 0x1F0/2 = 0x08F8.
* Earlier 0x01F0 was the ARM byte-offset, NOT a DSP word address —
* watching it logged unrelated DARAM 0x01F0 (junk). Now we trace
* the real slot the firmware polls. */
if (addr == 0x08F8) {
static unsigned fb_read;
if (fb_read++ < 30) {
fprintf(stderr,
"[c54x] WATCH-READ d_fb_det[0x08F8]=0x%04x PC=0x%04x insn=%u\n",
s->data[0x08F8], s->pc, s->insn_count);
}
}
/* === DIAG-FORCE-DARAM62 ===
* Pinned diag (env-gated, default OFF) : when set, override the read
* of daram[0x62] inside the dispatcher loop (PC ∈ 0xCC62..0xCC6F) to
* return 1 instead of the actual stored value. Goal: force the
* dispatcher's "branch if flag != 0" to fire and observe whether the
* DSP escapes the loop and jumps to api[0x1f0c]=0x770c (the dispatch
* target). Three outcomes (binary diagnostic) :
* - PC leaves cc62..cc6f → 0x770c and new code paths run :
* loop hypothesis correct, flag is the gate, INT3 ISR is the
* missing writer (next step: trace writes to confirm).
* - PC reaches 0x770c then returns to cc62 immediately :
* flag is set but handler bails because something else missing
* (a_cd[] init, NDB cell, ...).
* - No change : branch / compare is more subtle than read.
* This is a force-test, not a fix — remove or env-leave-off after. */
if (addr == 0x0062 && s->pc >= 0xCC62 && s->pc <= 0xCC6F) {
static int force_cached = -1;
if (force_cached < 0) {
const char *e = getenv("CALYPSO_DSP_FORCE_DARAM62");
force_cached = (e && *e == '1') ? 1 : 0;
fprintf(stderr,
"[c54x] CALYPSO_DSP_FORCE_DARAM62=%d (%s)\n",
force_cached,
force_cached ? "FORCING daram[0x62]=1 in idle disp loop"
: "real value (no force)");
fflush(stderr);
}
if (force_cached) {
static unsigned force_log;
if (force_log < 5) {
fprintf(stderr,
"[c54x] FORCE-DARAM62 #%u PC=0x%04x real=0x%04x → returning 0x0001 insn=%u\n",
force_log, s->pc, s->data[0x62], s->insn_count);
force_log++;
}
return 1;
}
}
/* === DSP idle dispatcher trace (PC ∈ 0xCC62..0xCC6F) ===
* The DSP gets stuck in this PROM0 loop polling task slots. Dump the
* exact (PC, addr, value, AR2..AR5) for the first N reads so we can
* see WHICH memory location the dispatcher inspects to decide whether
* to branch out (task_md ? db_r ? api_ram ? other ?). Capped to keep
* log size manageable.
*
* Captures all reads (DARAM + API RAM + MMR) so we don't miss the
* critical poll address. */
if (s->pc >= 0xCC62 && s->pc <= 0xCC6F) {
static unsigned idle_rd_log;
const unsigned LIMIT = 200;
if (idle_rd_log < LIMIT) {
uint16_t v;
const char *region;
if (addr >= C54X_API_BASE && addr < C54X_API_BASE + C54X_API_SIZE) {
v = s->api_ram ? s->api_ram[addr - C54X_API_BASE] : 0;
region = "api";
} else if (addr < 0x4000) {
v = s->data[addr];
region = "daram";
} else {
v = s->data[addr];
region = "mmr/other";
}
fprintf(stderr,
"[c54x] IDLE-DISP RD #%u PC=0x%04x [%s 0x%04x]=0x%04x "
"AR2=%04x AR3=%04x AR4=%04x AR5=%04x insn=%u\n",
idle_rd_log, s->pc, region, addr, v,
s->ar[2], s->ar[3], s->ar[4], s->ar[5], s->insn_count);
idle_rd_log++;
if (idle_rd_log == LIMIT) {
fprintf(stderr,
"[c54x] IDLE-DISP RD log capped at %u — pattern should be visible above\n",
LIMIT);
}
}
}
/* === DARAM discovery histogram ===
* Track ALL data reads from DARAM (addr < 0x4000) regardless of PC.
* The FB handler runs from both PROM0 (0xBD47) and DARAM overlay,
* so filtering by PC misses critical reads. */
if (addr < 0x4000 && addr >= 0x20) { /* skip MMRs 0x00-0x1F */
static unsigned hist[0x4000]; /* 16 KW DARAM */
static unsigned reads;
if (addr < 0x4000) {
hist[addr]++;
reads++;
if ((reads % 50000) == 0) {
/* find top-16 */
unsigned best[16] = {0}; uint16_t baddr[16] = {0};
for (uint16_t a = 0; a < 0x4000; a++) {
unsigned c = hist[a];
if (c <= best[15]) continue;
int p = 15;
while (p > 0 && best[p-1] < c) {
best[p] = best[p-1]; baddr[p] = baddr[p-1]; p--;
}
best[p] = c; baddr[p] = a;
}
fprintf(stderr,
"[c54x] DARAM RD HIST (FB-det, reads=%u): ",
reads);
for (int i = 0; i < 16 && best[i]; i++)
fprintf(stderr, "%04x:%u ", baddr[i], best[i]);
fprintf(stderr, "\n");
}
}
}
/* === BSP discovery: trace data reads in FB-det handler ===
* Wide range over the PROM0 user-code area: handler PCs observed in
* timeout traces cluster around 0x7e92..0x7eb8 (the FB-det inner
* loop), so we widen the catch zone to 0x7000..0x7fff. */
/* FB-det / dispatcher subroutine trace.
* The 0x7e80..0x7eb8 wrapper CALLS into 0x81a5/0x81c8 with AR5=0x0e4c
* (the FB sample buffer). Cover both ranges to catch both wrapper
* polls and inner correlator reads. Skip the boot init phase. */
if ((s->pc >= 0x7e80 && s->pc <= 0x7ec0) ||
(s->pc >= 0x81a0 && s->pc <= 0x82ff)) {
static int fbdet_rd_log = 0;
if (s->insn_count > 50000000 && fbdet_rd_log < 2000) {
uint16_t v;
if (addr >= C54X_API_BASE && addr < C54X_API_BASE + C54X_API_SIZE)
v = s->api_ram ? s->api_ram[addr - C54X_API_BASE] : 0;
else
v = s->data[addr];
C54_LOG("FBDET RD [0x%04x]=0x%04x PC=0x%04x AR2=%04x AR3=%04x AR4=%04x AR5=%04x insn=%u",
addr, v, s->pc, s->ar[2], s->ar[3], s->ar[4], s->ar[5], s->insn_count);
fbdet_rd_log++;
}
}
/* Log AR0..AR7 when entering FB-det subroutines to understand
* what each AR points at (sample buffer? coeffs? status?). */
if ((s->pc == 0x81a5 || s->pc == 0x81c8) && s->insn_count > 50000000) {
static int ar_log = 0;
if (ar_log < 10) {
C54_LOG("FB-CALL PC=0x%04x AR0=%04x AR1=%04x AR2=%04x AR3=%04x "
"AR4=%04x AR5=%04x AR6=%04x AR7=%04x SP=%04x BK=%04x",
s->pc, s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7], s->sp, s->bk);
ar_log++;
}
}
/* d_spcx_rif (NDB word 2 = api 0xD6 = DSP data 0x08D6) */
if (addr == 0x08D6) {
static int spcx_rd = 0;
if (spcx_rd < 32) {
C54_LOG("d_spcx_rif RD = 0x%04x PC=0x%04x insn=%u",
s->api_ram ? s->api_ram[0xD6] : s->data[addr],
s->pc, s->insn_count);
spcx_rd++;
}
}
/* Log reads from API RAM at 0x08D4 (d_dsp_page) */
if (addr == 0x08D4) {
static int dsp_page_log = 0;
if (dsp_page_log < 50) {
C54_LOG("d_dsp_page RD = 0x%04x PC=0x%04x insn=%u SP=0x%04x",
s->api_ram ? s->api_ram[addr - 0x0800] : s->data[addr],
s->pc, s->insn_count, s->sp);
dsp_page_log++;
}
}
/* Timer registers (0x0024-0x0026) — read returns current value */
if (addr == TIM_ADDR) return s->data[TIM_ADDR];
if (addr == PRD_ADDR) return s->data[PRD_ADDR];
if (addr == TCR_ADDR) {
/* TCR: PSC is read from bits 9:6, rest from stored value */
uint16_t tcr = s->data[TCR_ADDR] & ~TCR_PSC_MASK;
tcr |= (s->timer_psc & 0xF) << TCR_PSC_SHIFT;
return tcr;
}
/* MMR region */
if (addr < 0x20) {
switch (addr) {
case MMR_IMR: return s->imr;
case MMR_IFR:
{
static int ifr_log = 0;
if ((s->ifr & 0x0020) && ifr_log < 10) {
/* bit 5 = BRINT0 per C54X header (vec 21). */
C54_LOG("IFR READ=0x%04x (BRINT0 pending) PC=0x%04x", s->ifr, s->pc);
ifr_log++;
}
return s->ifr;
}
case MMR_ST0: return s->st0;
case MMR_ST1: return s->st1;
case MMR_AL: return (uint16_t)(s->a & 0xFFFF);
case MMR_AH: return (uint16_t)((s->a >> 16) & 0xFFFF);
case MMR_AG: return (uint16_t)((s->a >> 32) & 0xFF);
case MMR_BL: return (uint16_t)(s->b & 0xFFFF);
case MMR_BH: return (uint16_t)((s->b >> 16) & 0xFFFF);
case MMR_BG: return (uint16_t)((s->b >> 32) & 0xFF);
case MMR_T: return s->t;
case MMR_TRN: return s->trn;
case MMR_AR0: case MMR_AR1: case MMR_AR2: case MMR_AR3:
case MMR_AR4: case MMR_AR5: case MMR_AR6: case MMR_AR7:
return s->ar[addr - MMR_AR0];
case MMR_SP: return s->sp;
case MMR_BK: return s->bk;
case MMR_BRC: return s->brc;
case MMR_RSA: return s->rsa;
case MMR_REA: return s->rea;
case MMR_PMST: return s->pmst;
case MMR_XPC: return s->xpc;
default: return 0;
}
}
/* API RAM (shared with ARM) */
if (addr >= C54X_API_BASE && addr < C54X_API_BASE + C54X_API_SIZE) {
if (s->api_ram) {
uint16_t val = s->api_ram[addr - C54X_API_BASE];
/* Log ALL API reads during interrupt handler (first 100) */
static int api_rd_log = 0;
if (api_rd_log < 100 && s->insn_count > 66000) {
C54_LOG("API RD [0x%04x] = 0x%04x PC=0x%04x insn=%u",
addr, val, s->pc, s->insn_count);
api_rd_log++;
}
return val;
}
}
/* Log data reads during SINT17 handler (PC in 0xFFC0-0xFFFF) */
if (s->pc >= 0xFFC0 && s->insn_count > 66090) {
static int handler_rd_log = 0;
if (handler_rd_log < 30) {
C54_LOG("H_RD [0x%04x]=0x%04x PC=0x%04x", addr, s->data[addr], s->pc);
handler_rd_log++;
}
}
return s->data[addr];
}
static void data_write(C54xState *s, uint16_t addr, uint16_t val)
{
/* DATA-W-MMR : log every write into the low MMR window (addr <= 0x1F)
* with full attribution context. Goal : disambiguate the IMR-W trace
* cascade observed at PC=0x8eb9 (op=0xf3e1) and PC=0x9ad0 (op=0x8192).
* The writer_kind field tells us *which path* triggered the write
* (opcode family / IRQ ack / ARM MMIO / resolve_smem side effect).
* Cap at 200 distinct events to avoid log flood. */
if (addr <= 0x1F) {
static unsigned mmrw_log;
if (mmrw_log++ < 200) {
const char *wk_name[] = {
"UNK", "F3", "8x", "77", "76", "PSHM",
"RET", "IRQ_ACK", "ARM_MMIO", "RES_AR", "OTHER"
};
uint8_t wk = s->writer_kind;
const char *wkn = (wk < sizeof(wk_name)/sizeof(wk_name[0]))
? wk_name[wk] : "??";
fprintf(stderr,
"[c54x] DATA-W-MMR addr=0x%02x val=0x%04x "
"exec_pc=0x%04x cur_pc=0x%04x cur_op=0x%04x "
"xpc=%d wk=%s "
"AR0=%04x AR1=%04x AR2=%04x AR3=%04x "
"AR4=%04x AR5=%04x AR6=%04x AR7=%04x "
"SP=%04x DP=%d INTM=%d insn=%u\n",
addr, val,
s->last_exec_pc, s->pc, s->prog[s->pc],
s->xpc, wkn,
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7],
s->sp, dp(s),
!!(s->st1 & ST1_INTM),
s->insn_count);
}
}
/* WATCH-WRITE on the same mailbox slots tracked in data_read.
* Whoever writes them — DSP or ARM via api_ram alias — gets logged
* so we can attribute the source of the value the firmware polls. */
/* WATCH-WRITE 0x3dd2 — la cellule sur laquelle 0x75db poll en boucle
* (37M reads/15s). Identifier qui écrit (et qui ne le fait pas).
* Cas 1 : zéro write → un bloc compute ne fire jamais.
* Cas 2 : write boot only → init OK mais set steady-state manquant.
* Cas 3 : writes périodiques avec valeur jamais matchée par le test
* à 0x75db → bug dans le compute en amont. */
if (addr == 0x3dd2) {
static unsigned w3dd2;
w3dd2++;
if (w3dd2 <= 100 || (w3dd2 % 1000) == 0) {
fprintf(stderr,
"[c54x] WATCH-WRITE 0x3dd2 #%u <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u INTM=%d\n",
w3dd2, val, s->data[addr], s->pc, s->insn_count,
!!(s->st1 & ST1_INTM));
}
}
if (addr == 0x0ffe || addr == 0x0fff || addr == 0x01F0) {
static unsigned wcount;
if (wcount++ < 30) {
fprintf(stderr,
"[c54x] WATCH-WRITE data[0x%04x] <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u\n",
addr, val, s->data[addr], s->pc, s->insn_count);
}
}
/* Dispatcher pointer at data[0x3f65] — `LD *(0x3f65),A; CALA A` at
* DARAM 0x008a-0x008c. When this slot holds 0xfff8/0x0000/garbage the
* CALA jumps into PROM1 vec or boot stub NOPs and the SP runs away.
* Trace every write so we can identify who populates / corrupts it. */
if (addr == 0x3f65) {
static unsigned dpw;
if (dpw++ < 100) {
fprintf(stderr,
"[c54x] DISP-PTR data[0x3f65] <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u\n",
val, s->data[addr], s->pc, s->insn_count);
}
}
/* Dispatcher poll addresses — log ANY write so we identify the
* code path that should populate them. Currently 0 PORTR PA=0xF430
* fires because dispatcher reads 0 here forever. */
if (addr == 0x4359 || addr == 0x3fab) {
static unsigned dispw;
if (dispw++ < 50) {
fprintf(stderr,
"[c54x] DISP-WRITE data[0x%04x] <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u\n",
addr, val, s->data[addr], s->pc, s->insn_count);
}
}
/* CALAD source zone 0x4180-0x41FF — LD-A-TRACE shows the firmware
* reads 0x4189 (DP=0x83) but our emulation has it as 0. Log every
* write to this range so we can tell whether (a) anyone is meant to
* populate it and we missed the path, or (b) DP=0x83 is itself a
* symptom upstream of an unrelated bug. */
if (addr >= 0x4180 && addr <= 0x41FF) {
static unsigned cwz;
if (cwz++ < 5000) {
fprintf(stderr,
"[c54x] CALAD-ZONE-W data[0x%04x] <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u\n",
addr, val, s->data[addr], s->pc, s->insn_count);
}
}
/* Dedicated watch on 0x4189 — never capped. The LD-A loop reads this
* slot in the CALAD trap; we want to know if/when *anyone* finally
* writes a non-zero value, and from which PC. */
if (addr == 0x4189) {
fprintf(stderr,
"[c54x] *** WR-0x4189 *** data[0x4189] <- 0x%04x (was 0x%04x) PC=0x%04x insn=%u\n",
val, s->data[addr], s->pc, s->insn_count);
}
/* === DARAM[0x40..0x90] watch — dispatcher flag area ===
* The PROM0 idle dispatcher (0xCC62..0xCC6F) polls data[0x62] and
* other slots in [0x60..0x70]. FORCE-DARAM62=1 (env) proves that
* setting data[0x62]=1 makes the DSP escape and reach 0x770c, so
* this range gates the runtime task pipeline. ARM-side writes to
* the API page mirror at +0x0800 (calypso_trx.c calypso_dsp_write)
* but never to DARAM 0x40..0x90 — so any value here must come from
* DSP-self stores (ST/STH/STM/...) or stay zero forever. Capture
* EVERY write with PC+INTM+insn so we can attribute the source.
* INTM annotation lets us tell ISR-context writes from main code. */
if (addr >= 0x0040 && addr <= 0x0090) {
static unsigned daram_disp_w;
if (daram_disp_w++ < 1000) {
fprintf(stderr,
"[c54x] DISP-FLAG-W data[0x%04x] <- 0x%04x (was 0x%04x) "
"PC=0x%04x INTM=%d IFR=0x%04x insn=%u\n",
addr, val, s->data[addr], s->pc,
!!(s->st1 & ST1_INTM), s->ifr, s->insn_count);
if (daram_disp_w == 1000) {
fprintf(stderr,
"[c54x] DISP-FLAG-W log capped at 1000 — pattern visible above\n");
}
}
}
/* Timer registers (0x0024-0x0026) — before MMR check */
if (addr == TCR_ADDR) {
/* TRB: write 1 → reload TIM from PRD, PSC from TDDR */
if (val & TCR_TRB) {
s->data[TIM_ADDR] = s->data[PRD_ADDR];
s->timer_psc = val & TCR_TDDR_MASK;
}
/* Store TCR without TRB (TRB is write-only, always reads 0) */
s->data[TCR_ADDR] = val & ~TCR_TRB;
return;
}
if (addr == TIM_ADDR) { s->data[TIM_ADDR] = val; return; }
if (addr == PRD_ADDR) { s->data[PRD_ADDR] = val; return; }
/* MMR region */
if (addr < 0x20) {
switch (addr) {
case MMR_IMR:
if (val != s->imr) {
static unsigned imr_log = 0;
/* Always log transitions TO zero (mask-everything) — that
* is the cascade root suspected in 2026-05-08 v2 diag :
* IMR=0 → INT3 IFR pending forever → RPTB at 0xe9ac never
* exits. We need the PC + opcode of every IMR=0 write,
* uncapped, so we can identify the buggy code path. */
bool to_zero = (val == 0);
if (imr_log++ < 50 || to_zero) {
fprintf(stderr,
"[c54x] IMR-W %s 0x%04x → 0x%04x PC=0x%04x "
"op=0x%04x prev_op=0x%04x SP=0x%04x INTM=%d insn=%u\n",
to_zero ? "*ZERO*" : " ",
s->imr, val, s->pc,
s->prog[s->pc],
s->prog[(uint16_t)(s->pc - 1)],
s->sp,
!!(s->st1 & ST1_INTM),
s->insn_count);
}
}
s->imr = val; return;
case MMR_IFR: s->ifr &= ~val; return; /* write 1 to clear */
case MMR_ST0: s->st0 = val; return;
case MMR_ST1: s->st1 = val; return;
case MMR_AL: s->a = (s->a & ~0xFFFF) | val; return;
case MMR_AH: s->a = (s->a & ~((int64_t)0xFFFF << 16)) | ((int64_t)val << 16); return;
case MMR_AG: s->a = (s->a & 0xFFFFFFFF) | ((int64_t)(val & 0xFF) << 32); return;
case MMR_BL: s->b = (s->b & ~0xFFFF) | val; return;
case MMR_BH: s->b = (s->b & ~((int64_t)0xFFFF << 16)) | ((int64_t)val << 16); return;
case MMR_BG: s->b = (s->b & 0xFFFFFFFF) | ((int64_t)(val & 0xFF) << 32); return;
case MMR_T: s->t = val; return;
case MMR_TRN: s->trn = val; return;
case MMR_AR0: case MMR_AR1: case MMR_AR2: case MMR_AR3:
case MMR_AR4: case MMR_AR5: case MMR_AR6: case MMR_AR7:
s->ar[addr - MMR_AR0] = val; return;
case MMR_SP:
if (val >= 0x0800 && val < 0x0900) {
fprintf(stderr,
"[c54x] SP-GUARD: refused MMR_SP write 0x%04x "
"(API mailbox); keeping 0x%04x PC=0x%04x\n",
val, s->sp, s->pc);
return;
}
s->sp = val;
return;
case MMR_BK: s->bk = val; return;
case MMR_BRC: s->brc = val; return;
case MMR_RSA: s->rsa = val; return;
case MMR_REA: s->rea = val; return;
case MMR_PMST:
{
static unsigned pmst_wr_attempts = 0;
if (pmst_wr_attempts++ < 100)
C54_LOG("PMST WR attempt #%u: val=0x%04x cur=0x%04x PC=0x%04x insn=%u",
pmst_wr_attempts, val, s->pmst, s->pc, s->insn_count);
}
if (val != s->pmst) {
uint16_t old_iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
uint16_t new_iptr = (val >> PMST_IPTR_SHIFT) & 0x1FF;
{
static unsigned pmst_log = 0;
if (pmst_log++ < 100)
C54_LOG("PMST change 0x%04x → 0x%04x (IPTR=0x%03x→0x%03x OVLY=%d) PC=0x%04x SP=0x%04x insn=%u #%u/100",
s->pmst, val, old_iptr, new_iptr, !!(val & PMST_OVLY), s->pc, s->sp, s->insn_count, pmst_log);
}
static uint16_t last_dumped_iptr = 0xFFFF;
static unsigned vecdump_count = 0;
/* Cap at 8 dumps total — firmware may oscillate between 2-3
* IPTR values thousands of times during a session, and each
* dump emits 32 fprintf lines. Without cap : 250k+ log lines
* = saturates host I/O = bridge stops emitting CLK INDs =
* BTS shutdown "No more clock from transceiver". */
if (new_iptr != last_dumped_iptr && vecdump_count < 8) {
vecdump_count++;
last_dumped_iptr = new_iptr;
uint32_t base = (uint32_t)new_iptr << 7;
uint16_t saved_pmst = s->pmst;
s->pmst = val;
C54_LOG("VECDUMP IPTR=0x%03x base=0x%04x (32 vectors) #%u/8:",
new_iptr, (uint16_t)base, vecdump_count);
for (int vec = 0; vec < 32; vec++) {
uint32_t a = base + vec * 4;
uint16_t w0 = prog_read(s, a + 0);
uint16_t w1 = prog_read(s, a + 1);
uint16_t w2 = prog_read(s, a + 2);
uint16_t w3 = prog_read(s, a + 3);
fprintf(stderr,
"[c54x] vec %2d @ 0x%04x : %04x %04x %04x %04x\n",
vec, (uint16_t)a, w0, w1, w2, w3);
}
s->pmst = saved_pmst;
}
}
s->pmst = val; return;
case MMR_XPC:
{
static int xpc_log = 0;
if (xpc_log++ < 50)
C54_LOG("MMR_XPC WR val=0x%04x (was %d) PC=0x%04x SP=0x%04x insn=%u",
val, s->xpc, s->pc, s->sp, s->insn_count);
}
s->xpc = val & 3;
return;
default: return;
}
}
/* DMA sub-register bank (C54x DMA controller).
* DMSA (0x0054): sets the sub-register address.
* DMSDI (0x0055): writes sub-register data, auto-increments DMSA.
* DMSDN (0x0057): writes sub-register data, no auto-increment.
* DMA channel 0 sub-registers (BSP receive DMA):
* sub 0x00=DMSRC0, 0x01=DMDST0, 0x02=DMCTR0, 0x03=DMMCR0 */
if (addr == 0x0054) {
s->dma_subaddr = val;
s->data[0x0054] = val;
return;
}
if (addr == 0x0055 || addr == 0x0057) {
uint16_t sa = s->dma_subaddr;
if (sa < 24) { /* 6 channels × 4 regs */
s->dma_subregs[sa] = val;
int ch = sa / 4;
int reg = sa % 4;
static const char *rnames[] = {"SRC","DST","CTR","MCR"};
C54_LOG("DMA ch%d %s = 0x%04x (sub 0x%02x) PC=0x%04x",
ch, rnames[reg], val, sa, s->pc);
}
s->data[addr] = val;
if (addr == 0x0055) s->dma_subaddr++; /* auto-increment */
return;
}
/* McBSP sub-register bank (serial port extended config).
* SPSA (0x0038): sub-address. SPSD (0x0039): sub-data. */
if (addr == 0x0038 || addr == 0x0039) {
if (addr == 0x0038) s->spsa = val;
else {
C54_LOG("McBSP sub[0x%02x] = 0x%04x PC=0x%04x", s->spsa, val, s->pc);
}
s->data[addr] = val;
return;
}
/* API RAM (shared with ARM) */
if (addr >= C54X_API_BASE && addr < C54X_API_BASE + C54X_API_SIZE) {
uint16_t woff = addr - C54X_API_BASE;
if (s->api_ram)
s->api_ram[woff] = val;
/* Notify the ARM-side mailbox watcher (calypso_trx) so it can
* pulse IRQ_API, mirror to dsp_ram, and run the d_fb_det hook.
* Without this, DSP writes to NDB cells are invisible to ARM. */
if (s->api_write_cb)
s->api_write_cb(s->api_write_cb_opaque, woff, val);
/* Stack-corruption watch: stack push landing in the NDB
* mailbox region [0x0800..0x08FF]. Only fires when SP has
* already been corrupted into that range. */
if (addr == s->sp && addr >= 0x0800 && addr < 0x0900) {
fprintf(stderr,
"[c54x] STACK-IN-NDB addr=0x%04x val=0x%04x SP=0x%04x "
"PC=0x%04x insn=%u op[pc-2..pc+1]=%04x %04x %04x %04x\n",
addr, val, s->sp, s->pc, s->insn_count,
s->prog[(uint16_t)(s->pc - 2)],
s->prog[(uint16_t)(s->pc - 1)],
s->prog[s->pc],
s->prog[(uint16_t)(s->pc + 1)]);
}
/* Always log writes to d_dsp_page (0x08D4) */
if (addr == 0x08D4) {
C54_LOG("DSP WR d_dsp_page = 0x%04x PC=0x%04x insn=%u op[pc-2..pc+1]=%04x %04x %04x %04x",
val, s->pc, s->insn_count,
s->prog[(uint16_t)(s->pc - 2)],
s->prog[(uint16_t)(s->pc - 1)],
s->prog[s->pc],
s->prog[(uint16_t)(s->pc + 1)]);
}
/* d_spcx_rif (NDB word 2 = DSP data 0x08D6) — BSP serial port config */
if (addr == 0x08D6) {
C54_LOG("DSP WR d_spcx_rif = 0x%04x PC=0x%04x insn=%u op[pc-2..pc+1]=%04x %04x %04x %04x",
val, s->pc, s->insn_count,
s->prog[(uint16_t)(s->pc - 2)],
s->prog[(uint16_t)(s->pc - 1)],
s->prog[s->pc],
s->prog[(uint16_t)(s->pc + 1)]);
}
/* d_fb_det (NDB word 36 = DSP data 0x08F8). The DSP correlator
* output here is treated as Q15-signed by the firmware FB-det
* path — small unsigned BSIC was a wrong assumption. Log every
* write unconditionally (thinned past 200) and dump the
* adjacent NDB cells [0x08F0..0x0900] so we can see correlator
* + flag + a_sync_demod fields together. */
/* Silent NDB cells watch — d_fb_mode (binary "FB matched" flag,
* THE actual trigger ARM tests), a_sync_PM (power), a_sync_SNR
* (SNR). All read as 0 by ARM during 200M run despite d_fb_det
* varying. Confirms: DSP never declares valid detection.
* Three discriminating outcomes:
* (α) never written → "FB confirmed" code path unreached
* (β) written =0 explicitly → DSP scans, never matches threshold
* (γ) written !=0 but ARM reads 0 → coherence bug */
/* W1C latch on d_fb_mode for real fb-det PCs.
* Race-window evidence (200M run, 2026-04-29) :
* DSP writes d_fb_mode = 0x0001 30× from PC=0x8d33/0x8f51
* ARM reads d_fb_mode 1× and sees 0x0000
* → DSP sets, then clears within tight loop, ARM polls between
* → 100% of detections lost.
* Latch: real-fb-det PC with non-zero val sets g_d_fb_mode_latch.
* ARM read in calypso_trx.c::calypso_dsp_read consumes & clears. */
/* Snapshot trigger: DSP writes a_sync_SNR (0x08FD, LAST cell of
* fb-det iteration) from a real fb-det PC. At this moment all 6
* cells (d_fb_det, d_fb_mode, a_sync_TOA/PM/ANG/SNR) are coherent
* for the just-completed iteration. Snapshot atomically; survives
* subsequent stack-stomp at PC=0x0662 etc.
* Order observed: d_fb_det → d_fb_mode → a_sync_TOA → PM → ANG
* → SNR (insn N..N+150). */
if (calypso_w1c_latch_enabled() &&
addr == 0x08FD && val != 0 &&
(s->pc == 0x8d33 || s->pc == 0x8eb9 || s->pc == 0x8f51)) {
g_d_fb_det_latch = s->data[0x08F8];
g_d_fb_mode_latch = s->data[0x08F9];
g_a_sync_TOA_latch = s->data[0x08FA];
g_a_sync_PM_latch = s->data[0x08FB];
g_a_sync_ANG_latch = s->data[0x08FC];
g_a_sync_SNR_latch = val;
g_a_sync_valid = true;
}
/* Full a_sync_demod + d_fb_mode WR watch — every cell, no PC
* filter (so we catch real-fb-det writes AND stomp candidates).
* Stomp zone PC=0x06xx tagged for easy grep. */
if (addr == 0x08F9 || addr == 0x08FA ||
addr == 0x08FB || addr == 0x08FC || addr == 0x08FD) {
static unsigned ts_log[5] = {0};
static uint16_t prev_d_fb_mode = 0xFFFF;
int idx = (addr == 0x08F9) ? 0 :
(addr == 0x08FA) ? 1 :
(addr == 0x08FB) ? 2 :
(addr == 0x08FC) ? 3 : 4;
const char *name = (idx == 0) ? "d_fb_mode" :
(idx == 1) ? "a_sync_TOA" :
(idx == 2) ? "a_sync_PM" :
(idx == 3) ? "a_sync_ANG" : "a_sync_SNR";
ts_log[idx]++;
bool transition = (idx == 0) &&
(prev_d_fb_mode != 0xFFFF) &&
(prev_d_fb_mode != val) &&
(val != 0 || prev_d_fb_mode != 0);
bool stomp_zone = (s->pc >= 0x0600 && s->pc < 0x0700);
bool log_it = transition ||
(idx == 0 && val != 0) ||
(val != 0 && ts_log[idx] <= 50) ||
(ts_log[idx] % 1000) == 0;
if (log_it) {
C54_LOG("DSP WR %s = 0x%04x (s=%d) PC=0x%04x%s insn=%u #%u%s",
name, val, (int)(int16_t)val, s->pc,
stomp_zone ? " [STOMP?]" : "",
s->insn_count, ts_log[idx],
transition ? " *TRANSITION*" : "");
}
if (idx == 0) prev_d_fb_mode = val;
}
if (addr == 0x08F8) {
static unsigned fbd_log = 0;
/* Filter out stack-stomp at d_fb_det: only PCs known to be
* actual fb-det correlator stores (0x8d33, 0x8eb9, 0x8f51) get
* the full per-write log + NDB+DARAM dumps. Other PCs (e.g.
* 0xb906 push site, 0x7763/0x7764 SP-overflow) get a counted
* one-line tag so we don't lose visibility on them, but they
* stop polluting the watch stream. */
bool real_fbdet = (s->pc == 0x8d33 || s->pc == 0x8eb9 ||
s->pc == 0x8f51);
/* FBDET-DIVERSITY: count distinct values per 1M-insn window.
* 1 = DSP pegged on stale data. >5 = real scan. Discriminates
* "BSP delivers fresh I/Q" from "DSP recorrelates same window". */
if (real_fbdet) {
static uint16_t recent_vals[8] = {0};
static unsigned next_window = 1000000;
static int n_distinct = 0;
int seen = 0;
for (int i = 0; i < 8; i++) {
if (recent_vals[i] == val) { seen = 1; break; }
}
if (!seen) {
recent_vals[n_distinct & 7] = val;
n_distinct++;
}
if (s->insn_count >= next_window) {
C54_LOG("FBDET-DIVERSITY window=%uM distinct=%d",
next_window / 1000000, n_distinct);
n_distinct = 0;
for (int i = 0; i < 8; i++) recent_vals[i] = 0;
next_window = (s->insn_count / 1000000 + 1) * 1000000;
}
}
if (real_fbdet && (fbd_log < 200 || (fbd_log % 1000) == 0)) {
C54_LOG("DSP WR d_fb_det = 0x%04x (s=%d) PC=0x%04x insn=%u op[pc-2..pc+1]=%04x %04x %04x %04x",
val, (int)(int16_t)val, s->pc, s->insn_count,
s->prog[(uint16_t)(s->pc - 2)],
s->prog[(uint16_t)(s->pc - 1)],
s->prog[s->pc],
s->prog[(uint16_t)(s->pc + 1)]);
C54_LOG(" NDB[0x08F0..0x0900]: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
s->data[0x08F0], s->data[0x08F1], s->data[0x08F2], s->data[0x08F3],
s->data[0x08F4], s->data[0x08F5], s->data[0x08F6], s->data[0x08F7],
val, s->data[0x08F9], s->data[0x08FA], s->data[0x08FB],
s->data[0x08FC], s->data[0x08FD], s->data[0x08FE], s->data[0x08FF],
s->data[0x0900]);
if (fbd_log < 5) {
C54_LOG(" DARAM[0x3FB0..0x3FBF]: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
s->data[0x3FB0], s->data[0x3FB1], s->data[0x3FB2], s->data[0x3FB3],
s->data[0x3FB4], s->data[0x3FB5], s->data[0x3FB6], s->data[0x3FB7],
s->data[0x3FB8], s->data[0x3FB9], s->data[0x3FBA], s->data[0x3FBB],
s->data[0x3FBC], s->data[0x3FBD], s->data[0x3FBE], s->data[0x3FBF]);
}
} else if (!real_fbdet) {
static unsigned other_pc_count = 0;
other_pc_count++;
if (other_pc_count == 1 || other_pc_count == 100 ||
other_pc_count == 10000 || other_pc_count == 1000000) {
C54_LOG("d_fb_det NON-FBDET-PC write #%u val=0x%04x PC=0x%04x SP=0x%04x",
other_pc_count, val, s->pc, s->sp);
}
}
/* === D_FB_DET ZERO-OVERRIDE TRACE ===
* Race-window observed (memory `project_fbdet_threshold_blocker`):
* DSP writes high SNR (e.g. 0x7902, 0x7766) at fb-det PCs, then
* SOMETHING zeroes d_fb_det before ARM reads. ARM sees 200×
* 0x0000 → no FB found → endless L1CTL_FBSB_REQ retries.
*
* Capture EVERY write of val=0 to 0x08F8 with full context so
* we identify the zero-ifying PCs and reconstruct the condition
* (threshold check, post-correlation reset, error path, etc.).
* Cap 200 events. */
if (val == 0) {
static unsigned zero_log = 0;
if (zero_log < 200) {
C54_LOG("D_FB_DET ZERO-WR #%u PC=0x%04x op=0x%04x prev=0x%04x "
"A=%010llx B=%010llx T=0x%04x ST0=0x%04x ST1=0x%04x insn=%u",
zero_log + 1,
s->pc, s->prog[s->pc],
s->data[0x08F8],
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
(unsigned long long)(s->b & 0xFFFFFFFFFFLL),
s->t, s->st0, s->st1, s->insn_count);
zero_log++;
}
}
/* Transition trace : non-zero → zero (the override moment).
* Logs whenever d_fb_det was non-zero just before this write
* but the new write makes it zero. Cap 100. */
if (val == 0 && s->data[0x08F8] != 0) {
static unsigned override_log = 0;
if (override_log < 100) {
C54_LOG("D_FB_DET OVERRIDE #%u prev=0x%04x → 0 PC=0x%04x op=0x%04x "
"A=%010llx ST0=0x%04x insn=%u",
override_log + 1,
s->data[0x08F8], s->pc, s->prog[s->pc],
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
s->st0, s->insn_count);
override_log++;
}
}
fbd_log++;
}
}
/* Log DARAM writes to code target area and count total */
if (addr >= 0x0020 && addr < 0x0800) {
static int dw_total = 0;
dw_total++;
if (addr >= 0x1200 && addr <= 0x1240) {
C54_LOG("DARAM WR [0x%04x] = 0x%04x PC=0x%04x insn=%u",
addr, val, s->pc, s->insn_count);
}
if (dw_total == 1 || dw_total == 100 || dw_total == 1000 || dw_total == 10000)
C54_LOG("DARAM write count: %d (last: [0x%04x]=0x%04x)", dw_total, addr, val);
}
s->data[addr] = val;
}
/* Instruction fetch: uses mirrored PROM1 at 0x8000-0xFFFF, ignores XPC */
static uint16_t prog_fetch(C54xState *s, uint16_t pc)
{
/* OVLY: map DARAM into program space 0x0080-0x27FF only.
* Calypso has 10K words DARAM (0x0000-0x27FF).
* PROM0 (0x7000-0xDFFF) is always accessible in program space. */
if ((s->pmst & PMST_OVLY) && pc >= 0x80 && pc < 0x2800)
return s->data[pc];
/* prog_fetch: PC is always 16-bit, never uses XPC banking.
* Per version 222807: only OVLY overlay applies to instruction fetch.
* XPC is only used by prog_read (data/operand reads). */
return s->prog[pc];
}
static uint16_t prog_read(C54xState *s, uint32_t addr)
{
uint16_t addr16 = addr & 0xFFFF;
/* OVLY: DARAM visible in program space for 0x0080-0x27FF */
if ((s->pmst & PMST_OVLY) && addr16 >= 0x80 && addr16 < 0x2800)
return s->data[addr16];
/* For addresses >= 0x8000: use XPC to select extended page.
* prog_read is used for data/operand reads (MVPD, FIRS coeff, etc.)
* which need XPC banking — unlike prog_fetch which is PC-only. */
if (addr16 >= 0x8000) {
uint32_t ext = ((uint32_t)s->xpc << 16) | addr16;
ext &= (C54X_PROG_SIZE - 1);
return s->prog[ext];
}
return s->prog[addr16];
}
static void __attribute__((unused)) prog_write(C54xState *s, uint32_t addr, uint16_t val)
{
uint16_t addr16 = addr & 0xFFFF;
/* PROM1 (0xE000-0xFFFF) is ROM — reject writes */
if (addr16 >= 0xE000) return;
if ((s->pmst & PMST_OVLY) && addr16 >= 0x80 && addr16 < 0x2800)
s->data[addr16] = val;
if (addr16 >= 0x8000) {
uint32_t ext = ((uint32_t)s->xpc << 16) | addr16;
ext &= (C54X_PROG_SIZE - 1);
s->prog[ext] = val;
}
s->prog[addr16] = val;
}
/* ================================================================
* Addressing mode helpers
* ================================================================ */
/* Resolve Smem operand: direct or indirect addressing.
* Returns the data memory address. */
static uint16_t resolve_smem(C54xState *s, uint16_t opcode, bool *indirect)
{
if (opcode & 0x80) {
/* Indirect addressing.
* Per SPRU131G §5.4.1 Table 5-5: bits 2:0 = ARF select the AR for
* THIS instruction. ARP (in ST0) is then updated to ARF for the
* NEXT direct-Smem reference. Earlier this code used arp(s) for
* cur_arp, which made every indirect insn operate on the
* PREVIOUS insn's ARF — off-by-one. Symptoms: BANZD *AR1- after
* STL *AR2+ would decrement AR2 instead of AR1 (BANZD test
* against AR2 stayed non-zero forever, AR1 frozen). Diagnosed
* via 5×500M-insn STATE-DUMP showing AR1=0x1c / AR2=0x2b0c
* frozen across 2B insns at PC=0xa2c2..0xa2ca. */
*indirect = true;
int mod = (opcode >> 3) & 0x0F;
int nar = opcode & 0x07;
int cur_arp = nar;
uint16_t addr = s->ar[cur_arp];
/* Post-modify */
switch (mod) {
case 0x0: /* *ARn */
break;
case 0x1: /* *ARn- */
s->ar[cur_arp]--;
break;
case 0x2: /* *ARn+ */
s->ar[cur_arp]++;
break;
case 0x3: /* *+ARn */
addr = ++s->ar[cur_arp];
break;
case 0x4: /* *ARn-0 */
s->ar[cur_arp] -= s->ar[0];
break;
case 0x5: /* *ARn+0 */
s->ar[cur_arp] += s->ar[0];
break;
case 0x6: /* *ARn-0B (bit-reversed) */
/* Simplified: just subtract */
s->ar[cur_arp] -= s->ar[0];
break;
case 0x7: /* *ARn+0B (bit-reversed) */
s->ar[cur_arp] += s->ar[0];
break;
case 0x8: /* *ARn-% (circular) */
if (s->bk == 0) s->ar[cur_arp]--;
else {
uint16_t base = s->ar[cur_arp] - (s->ar[cur_arp] % s->bk);
s->ar[cur_arp]--;
if (s->ar[cur_arp] < base) s->ar[cur_arp] = base + s->bk - 1;
}
break;
case 0x9: /* *ARn+% (circular) */
if (s->bk == 0) s->ar[cur_arp]++;
else {
uint16_t base = s->ar[cur_arp] - (s->ar[cur_arp] % s->bk);
s->ar[cur_arp]++;
if (s->ar[cur_arp] >= base + s->bk) s->ar[cur_arp] = base;
}
break;
case 0xA: /* *ARn-0% */
s->ar[cur_arp] -= s->ar[0];
break;
case 0xB: /* *ARn+0% */
s->ar[cur_arp] += s->ar[0];
break;
/* Indirect modes 12..15 use a long-immediate operand from the next
* program word. Encoding per tic54x-dis.c (MOD field = bits 6:3 of
* the smem byte) and SPRU131G Table 5-9:
* 12 : *AR(x)(lk) — addr = AR(x) + lk, NO modify
* 13 : *+AR(x)(lk) — premod: AR(x) += lk; addr = AR(x)
* 14 : *+AR(x)(lk)% — premod circular: AR(x) = circ(AR(x)+lk)
* 15 : *(lk) — ABSOLUTE long address (lk itself)
*
* The bootloader at PROM0 0xb429 uses MOD=15 (`LDU *(0x0ffe), A`)
* to read BL_ADDR_LO. Misdecoding 15 as "AR + lk circular"
* produced AR0+0x0ffe instead of 0x0ffe — one of the multiple
* subtle off-by-AR bugs that left A=0 after the load. */
case 0xC: /* *AR(x)(lk) */
addr = s->ar[cur_arp] + prog_fetch(s, s->pc + 1);
s->lk_used = true;
break;
case 0xD: /* *+AR(x)(lk) */
s->ar[cur_arp] += prog_fetch(s, s->pc + 1);
addr = s->ar[cur_arp];
s->lk_used = true;
break;
case 0xE: { /* *+AR(x)(lk)% — circular */
uint16_t lk = prog_fetch(s, s->pc + 1);
uint16_t v = s->ar[cur_arp] + lk;
if (s->bk) {
uint16_t base = s->ar[cur_arp] - (s->ar[cur_arp] % s->bk);
if (v >= base + s->bk) v -= s->bk;
}
s->ar[cur_arp] = v;
addr = v;
s->lk_used = true;
break;
}
case 0xF: /* *(lk) — absolute address */
addr = prog_fetch(s, s->pc + 1);
s->lk_used = true;
break;
}
/* Update ARP */
s->st0 = (s->st0 & ~ST0_ARP_MASK) | (nar << ST0_ARP_SHIFT);
return addr;
} else {
/* Direct addressing: DP:offset */
*indirect = false;
uint16_t offset = opcode & 0x7F;
return (dp(s) << 7) | offset;
}
}
/* ================================================================
* Instruction execution
* ================================================================ */
/* Execute one instruction. Returns number of words consumed (1 or 2). */
/* PC ring buffer for pre-IDLE trace */
static uint16_t pc_ring[256];
static int pc_ring_idx = 0;
static int c54x_exec_one(C54xState *s)
{
uint16_t op = prog_fetch(s, s->pc);
uint16_t op2;
bool ind;
uint16_t addr;
int consumed = 1;
s->lk_used = false; /* reset before each instruction */
s->writer_kind = WK_UNKNOWN; /* attribution tag for DATA-W-MMR */
uint8_t hi4 = (op >> 12) & 0xF;
uint8_t hi8 = (op >> 8) & 0xFF;
/* Coarse default: any MMR write happening inside this opcode handler
* gets attributed to the opcode family so we can read the trace. */
if (hi8 == 0xF3) s->writer_kind = WK_OPCODE_F3;
else if (hi8 >= 0x80 && hi8 <= 0x8F) s->writer_kind = WK_OPCODE_8x;
else if (hi8 == 0x77) s->writer_kind = WK_OPCODE_77;
else if (hi8 == 0x76) s->writer_kind = WK_OPCODE_76;
else s->writer_kind = WK_OPCODE_OTHER;
/* INTM-TRANS probe : log toute transition INTM 0→1.
* Le SSBX INTM orphelin se cache entre insn=89.83M (last write 0x3dd2)
* et insn=98.38M (entrée wait permanente). Cap à 200 transitions pour
* éviter le flood au boot ; capture le PC qui a fait passer INTM à 1
* et l'adresse de retour stack pour identifier le caller. */
{
static int prev_intm = -1;
static unsigned itrans_total;
int cur_intm = !!(s->st1 & ST1_INTM);
if (prev_intm == 0 && cur_intm == 1) {
itrans_total++;
if (itrans_total <= 200) {
uint16_t ret = s->data[s->sp];
uint16_t ret_p1 = s->data[(uint16_t)(s->sp + 1)];
fprintf(stderr,
"[c54x] INTM-TRANS #%u 0->1 PC=0x%04x insn=%u SP=0x%04x "
"RET=%04x RET+1=%04x op=0x%04x IMR=0x%04x IFR=0x%04x\n",
itrans_total, s->pc, s->insn_count, s->sp,
ret, ret_p1, op, s->imr, s->ifr);
}
}
prev_intm = cur_intm;
}
/* Detect when DSP enters DARAM code zone (0x0080-0x27FF) from ROM */
{
static uint16_t prev_pc = 0;
static int daram_log = 0;
if (s->pc >= 0x0080 && s->pc < 0x2800 && prev_pc >= 0x7000 && daram_log < 3) {
C54_LOG("ROM->DARAM jump: 0x%04x->0x%04x op=0x%04x insn=%u SP=0x%04x XPC=%d",
prev_pc, s->pc, op, s->insn_count, s->sp, s->xpc);
C54_LOG(" trail: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
pc_ring[(pc_ring_idx-10)&255], pc_ring[(pc_ring_idx-9)&255],
pc_ring[(pc_ring_idx-8)&255], pc_ring[(pc_ring_idx-7)&255],
pc_ring[(pc_ring_idx-6)&255], pc_ring[(pc_ring_idx-5)&255],
pc_ring[(pc_ring_idx-4)&255], pc_ring[(pc_ring_idx-3)&255],
pc_ring[(pc_ring_idx-2)&255], pc_ring[(pc_ring_idx-1)&255]);
daram_log++;
}
/* 0x7700 entry tracer: log when PC enters 0x7700 from elsewhere
* (i.e. prev_pc != 0x76FF, the natural sequential predecessor).
* Reveals which CALL/B/RET sources land here. PC HIST shows
* 7700/7701 as the hottest non-loop addresses — find the callers. */
if (s->pc == 0x7700 && prev_pc != 0x76FF) {
static uint64_t e7700;
e7700++;
if (e7700 <= 30 || (e7700 % 5000) == 0) {
C54_LOG("ENTER-7700 #%llu from PC=0x%04x A=%010llx B=%010llx SP=0x%04x trail: %04x %04x %04x %04x %04x",
(unsigned long long)e7700, prev_pc,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
(unsigned long long)(s->b & 0xFFFFFFFFFFULL),
s->sp,
pc_ring[(pc_ring_idx-5)&255], pc_ring[(pc_ring_idx-4)&255],
pc_ring[(pc_ring_idx-3)&255], pc_ring[(pc_ring_idx-2)&255],
pc_ring[(pc_ring_idx-1)&255]);
}
}
/* === ENTER-770c — dispatcher target, post-flag entry ===
* The PROM0 idle dispatcher at 0xCC62..0xCC6F polls data[0x62];
* when set, it CALAs to api[0x1f0c]=0x770c. So 0x770c is the
* runtime task handler entry. If DARAM[0x60..0x70] never gets
* set, this PC is never reached. Its appearance in the log is
* therefore the binary signal that the dispatcher gate has
* unlocked. Log every entry with full AR/SP/INTM context.
* Cap to avoid log explosion if it ever runs hot. */
if (s->pc == 0x770c) {
static uint64_t e770c;
e770c++;
if (e770c <= 30 || (e770c % 1000) == 0) {
C54_LOG("ENTER-770c #%llu from PC=0x%04x SP=0x%04x INTM=%d "
"ARs: %04x %04x %04x %04x %04x %04x %04x %04x insn=%u",
(unsigned long long)e770c, prev_pc, s->sp,
!!(s->st1 & ST1_INTM),
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7],
s->insn_count);
}
}
/* D_FB_DET-WR-SITE probe : à PC=0x8f51 (le PC qui écrit d_fb_det).
* Snapshot AR0..AR7 + data[AR0/1/2] + BK + A pour identifier la
* zone DARAM lue par le correlator FB-det au moment de produire
* sa valeur d'output. Comparer la zone source avec le BSP DMA
* target (default 0x3fb0..0x3fbf) :
* - zone source = BSP target → correlator lit bien les samples
* - zone source ≠ BSP target → mismatch source/sink, blocker
* structurel : DSP attend les samples ailleurs que là où le
* BSP les écrit. Suite : tracer init AR, table coeffs, ou
* MAC sur autre buffer. */
if (s->pc == 0x8f51) {
static int dfbwr_n;
if (dfbwr_n++ < 50) {
C54_LOG("D_FB_DET-WR-SITE #%d AR0..AR7=%04x %04x %04x %04x %04x %04x %04x %04x "
"data[AR0]=%04x data[AR1]=%04x data[AR2]=%04x BK=%04x A=0x%010llx insn=%u",
dfbwr_n, s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7],
s->data[s->ar[0]], s->data[s->ar[1]], s->data[s->ar[2]],
s->bk, (unsigned long long)(s->a & 0xFFFFFFFFFFULL),
s->insn_count);
}
}
/* WAIT-A21A probe : à PC=0xa21a, snapshot INTM + IMR + IFR.
* Tranche H1/H2/H3 :
* INTM=1 + IFR=0 + IMR plein → H3 strict, hardware silencieux
* INTM=1 + IFR≠0 + IMR plein → H3 + IRQ pending bloquée (BUG)
* INTM=0 → H1/H2 (IRQ servable mais path
* vers 0x7740 cassé en amont) */
if (s->pc == 0xa21a) {
static uint64_t a21a_total;
a21a_total++;
if (a21a_total <= 5 || (a21a_total % 100000) == 0) {
C54_LOG("WAIT-A21A #%llu insn=%u INTM=%d IMR=0x%04x IFR=0x%04x "
"ST0=0x%04x ST1=0x%04x SP=0x%04x",
(unsigned long long)a21a_total, s->insn_count,
!!(s->st1 & ST1_INTM), s->imr, s->ifr,
s->st0, s->st1, s->sp);
}
}
/* CALLER-7740 tracer : à l'entrée 0x7740, log le contexte caller.
* data[sp] = adresse de retour pushée par le CALL/CALLD précédent.
* INTM=1 → on est dans un IRQ context. Permet de distinguer
* "appelé via IRQ ISR" vs "appelé via flow régulier", et de
* remonter la chaîne caller→callee jusqu'à l'IRQ vector. */
if (s->pc == 0x7740) {
static uint64_t enter7740;
enter7740++;
uint16_t ret_addr = s->data[s->sp];
uint16_t ret_addr_p1 = s->data[(uint16_t)(s->sp + 1)];
C54_LOG("ENTER-7740 #%llu insn=%u SP=%04x RET=%04x RET+1=%04x "
"INTM=%d XPC=%02x AR2=%04x AR3=%04x BK=%04x",
(unsigned long long)enter7740, s->insn_count,
s->sp, ret_addr, ret_addr_p1,
!!(s->st1 & ST1_INTM), s->xpc,
s->ar[2], s->ar[3], s->bk);
}
/* MAC-7700 tracer: at PC=0x7700 (MAC *AR2-, A) we want to know
* what AR2 points at, what data[AR2] holds, T, and A before/after.
* Helps determine if AR2 references the BSP RX zone (correlator
* FB-det) or somewhere else. Also dumps full AR0-AR7 + ST0/ST1. */
if (s->pc == 0x7700) {
static uint64_t mac7700_total;
mac7700_total++;
if (mac7700_total <= 50 || (mac7700_total % 5000) == 0) {
uint16_t ar2 = s->ar[2];
uint16_t v_at_ar2 = s->data[ar2];
C54_LOG("MAC-7700 #%llu AR2=0x%04x data[AR2]=0x%04x T=0x%04x "
"A_pre=%010llx ST0=0x%04x ST1=0x%04x",
(unsigned long long)mac7700_total, ar2, v_at_ar2,
s->t,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
s->st0, s->st1);
C54_LOG("MAC-7700 #%llu ARs: AR0=%04x AR1=%04x AR2=%04x AR3=%04x "
"AR4=%04x AR5=%04x AR6=%04x AR7=%04x SP=%04x",
(unsigned long long)mac7700_total,
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7], s->sp);
}
}
/* RCD-75e8 tracer: when DSP arrives at PC=0x75e8 (cond=0x47 = LEQ),
* log A. The RCD takes if A <= 0; report whether the loop will
* exit this iteration. */
if (s->pc == 0x75e8) {
static uint64_t rcd75e8_total;
rcd75e8_total++;
if (rcd75e8_total <= 50 || (rcd75e8_total % 5000) == 0) {
int64_t acc = sext40(s->a);
C54_LOG("RCD-75e8 #%llu A=%010llx (signed=%lld) RCD-taken=%d AR2=%04x",
(unsigned long long)rcd75e8_total,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
(long long)acc, (acc <= 0), s->ar[2]);
}
}
prev_pc = s->pc;
/* DARAM 0x1100-0x1130 tracer: dump first 64 visits */
static int daram1110_log = 0;
if (s->pc >= 0x1100 && s->pc <= 0x1130 && daram1110_log < 64) {
C54_LOG("DARAM110x PC=0x%04x op=0x%04x A=%08x B=%08x AR2=%04x AR3=%04x AR4=%04x AR5=%04x BRC=%d",
s->pc, op, (uint32_t)s->a, (uint32_t)s->b,
s->ar[2], s->ar[3], s->ar[4], s->ar[5], s->brc);
daram1110_log++;
}
}
if (s->pc >= 0xFE00 && s->pc <= 0xFFFF && op == 0x0000) {
static int nop_slide = 0;
if (nop_slide == 0) {
C54_LOG("NOP-SLIDE PC=0x%04x insn=%u SP=0x%04x PMST=0x%04x XPC=%d OVLY=%d",
s->pc, s->insn_count, s->sp, s->pmst, s->xpc, !!(s->pmst & PMST_OVLY));
C54_LOG(" trail: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
pc_ring[(pc_ring_idx-10)&255], pc_ring[(pc_ring_idx-9)&255],
pc_ring[(pc_ring_idx-8)&255], pc_ring[(pc_ring_idx-7)&255],
pc_ring[(pc_ring_idx-6)&255], pc_ring[(pc_ring_idx-5)&255],
pc_ring[(pc_ring_idx-4)&255], pc_ring[(pc_ring_idx-3)&255],
pc_ring[(pc_ring_idx-2)&255], pc_ring[(pc_ring_idx-1)&255]);
}
nop_slide++;
}
switch (hi4) {
case 0xF:
/* 0xF --- large group: branches, misc, short immediates */
if (op == 0xF495) return consumed + s->lk_used; /* NOP */
/* XC n, cond — Execute Conditionally (SPRU172C p.4-198)
* Opcode: 1111 11N1 CCCCCCCC
* 0xFDxx = XC 1, cond (N=0, execute next 1 instruction)
* 0xFFxx = XC 2, cond (N=1, execute next 2 instructions)
* If condition true: execute normally. If false: skip n instructions. */
if (hi8 == 0xFD || hi8 == 0xFF) {
int n_insns = (hi8 == 0xFF) ? 2 : 1;
uint8_t cc = op & 0xFF;
bool cond = false;
/* Evaluate condition code per SPRU172C condition table */
/* Conditions can be combined (OR'd bits), but common single conditions: */
if (cc == 0x00) cond = true; /* UNC */
else if (cc == 0x0C) cond = (s->st0 & ST0_C) != 0; /* C */
else if (cc == 0x08) cond = !(s->st0 & ST0_C); /* NC */
else if (cc == 0x30) cond = (s->st0 & ST0_TC) != 0; /* TC */
else if (cc == 0x20) cond = !(s->st0 & ST0_TC); /* NTC */
else if (cc == 0x45) cond = (sext40(s->a) == 0); /* AEQ */
else if (cc == 0x44) cond = (sext40(s->a) != 0); /* ANEQ */
else if (cc == 0x46) cond = (sext40(s->a) > 0); /* AGT */
else if (cc == 0x42) cond = (sext40(s->a) >= 0); /* AGEQ */
else if (cc == 0x43) cond = (sext40(s->a) < 0); /* ALT */
else if (cc == 0x47) cond = (sext40(s->a) <= 0); /* ALEQ */
else if (cc == 0x4D) cond = (sext40(s->b) == 0); /* BEQ */
else if (cc == 0x4C) cond = (sext40(s->b) != 0); /* BNEQ */
else if (cc == 0x4E) cond = (sext40(s->b) > 0); /* BGT */
else if (cc == 0x4A) cond = (sext40(s->b) >= 0); /* BGEQ */
else if (cc == 0x4B) cond = (sext40(s->b) < 0); /* BLT */
else if (cc == 0x4F) cond = (sext40(s->b) <= 0); /* BLEQ */
else if (cc == 0x70) cond = (s->st0 & ST0_OVA) != 0; /* AOV */
else if (cc == 0x60) cond = !(s->st0 & ST0_OVA); /* ANOV */
else if (cc == 0x78) cond = (s->st0 & ST0_OVB) != 0; /* BOV */
else if (cc == 0x68) cond = !(s->st0 & ST0_OVB); /* BNOV */
else {
/* Combined conditions: OR the individual condition bits */
cond = false;
if (cc & 0x0C) cond |= ((cc & 0x04) ? (s->st0 & ST0_C) != 0 : !(s->st0 & ST0_C));
if (cc & 0x30) cond |= ((cc & 0x10) ? (s->st0 & ST0_TC) != 0 : !(s->st0 & ST0_TC));
if (cc & 0x40) {
int64_t acc = (cc & 0x08) ? s->b : s->a;
int c3 = cc & 0x07;
switch (c3) {
case 0x5: cond |= (sext40(acc) == 0); break;
case 0x4: cond |= (sext40(acc) != 0); break;
case 0x6: cond |= (sext40(acc) > 0); break;
case 0x2: cond |= (sext40(acc) >= 0); break;
case 0x3: cond |= (sext40(acc) < 0); break;
case 0x7: cond |= (sext40(acc) <= 0); break;
default: cond = true; break;
}
}
if (cc & 0x70 && !(cc & 0x40)) {
if (cc & 0x08) cond |= (s->st0 & ST0_OVB) != 0;
else cond |= (s->st0 & ST0_OVA) != 0;
}
}
if (!cond) {
/* Skip n instructions — count consumed words for skipped insns */
/* Each skipped insn is 1 word (simplified — multi-word insns rare after XC) */
return 1 + n_insns;
}
return consumed + s->lk_used; /* condition true: just advance past XC, execute next normally */
}
/* F4E2 = RSBX INTM (enable interrupts), F4E3 = SSBX INTM (disable interrupts) */
/* F4E2 = BACC A, F5E2 = BACC B (per tic54x-opc.c, mask 0xFEFF) */
/* F4E3 = CALA A, F5E3 = CALA B — push next-PC, jump to acc low 16 bits */
/* DYN-CALL tracer: targets are computed at runtime, invisible to static
* disasm. Log every BACC/CALA, plus an extra hot tag when the target
* lands in any FB-det zone (PROM0 0x77xx-0x79xx, 0x88xx, 0xa0xx-0xa1xx). */
if (op == 0xF4E2 || op == 0xF5E2 || op == 0xF4E3 || op == 0xF5E3) {
int is_b = (op & 0x0100) != 0;
int is_call = (op & 1) != 0;
uint16_t tgt = (uint16_t)((is_b ? s->b : s->a) & 0xFFFF);
uint16_t src_pc = s->pc;
int fb_zone = (tgt >= 0x7730 && tgt <= 0x7990) ||
(tgt >= 0x8800 && tgt <= 0x88FF) ||
(tgt >= 0xA000 && tgt <= 0xA1FF);
static uint64_t dyn_total = 0;
static uint64_t dyn_fb = 0;
dyn_total++;
if (fb_zone) dyn_fb++;
/* When OVLY=1 and src_pc in [0x80, 0x2800], the executed opcode
* comes from data[] (DARAM), not prog[]. Reflect this in the
* dump so we see the *actual* bytes that drove the CALA. */
int ovly_active = (s->pmst & PMST_OVLY) && src_pc >= 0x80 && src_pc < 0x2800;
uint16_t m0 = ovly_active ? s->data[(uint16_t)(src_pc - 2)] : s->prog[(uint16_t)(src_pc - 2)];
uint16_t m1 = ovly_active ? s->data[(uint16_t)(src_pc - 1)] : s->prog[(uint16_t)(src_pc - 1)];
uint16_t m2 = ovly_active ? s->data[src_pc] : s->prog[src_pc];
uint16_t m3 = ovly_active ? s->data[(uint16_t)(src_pc + 1)] : s->prog[(uint16_t)(src_pc + 1)];
if (dyn_total <= 200 || fb_zone || (dyn_total % 5000) == 0) {
C54_LOG("DYN-CALL #%llu %s%c src=0x%04x tgt=0x%04x A=%010llx B=%010llx SP=0x%04x mem[%c]=%04x %04x %04x %04x%s",
(unsigned long long)dyn_total,
is_call ? "CALA" : "BACC",
is_b ? 'B' : 'A',
src_pc, tgt,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
(unsigned long long)(s->b & 0xFFFFFFFFFFULL),
s->sp,
ovly_active ? 'D' : 'P',
m0, m1, m2, m3,
fb_zone ? " *FB-ZONE*" : "");
}
if (is_call) {
uint16_t ret_pc = src_pc + 1;
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, ret_pc);
}
s->pc = tgt;
return 0;
}
/* F4E0-F4FF: RSBX/SSBX status bits — treat as NOP (most don't affect emulation) */
if (op >= 0xF4E0 && op <= 0xF4FF && op != 0xF4E4 && op != 0xF4EB) {
return consumed + s->lk_used;
}
/* F4EB = RETE (return from interrupt). Pop PC, pop XPC iff APTS=1.
* Symmetric with c54x_interrupt_ex push order. */
if (op == 0xF4EB) {
uint16_t ra = data_read(s, s->sp); s->sp++;
uint16_t prev_xpc = s->xpc;
if (s->pmst & PMST_APTS) {
s->xpc = data_read(s, s->sp); s->sp++;
if (s->xpc > 3) s->xpc &= 3;
}
s->st1 &= ~ST1_INTM;
{
static uint64_t rete_count;
rete_count++;
if (rete_count <= 20 || (rete_count % 100) == 0)
C54_LOG("RETE #%llu PC=0x%04x -> ra=0x%04x XPC=%u→%u SP=0x%04x",
(unsigned long long)rete_count,
s->pc, ra, prev_xpc, s->xpc, s->sp);
}
s->pc = ra; return 0;
}
/* 0xF4E4 = FRET (far return). Pop PC + XPC unconditionally.
* Per binutils tic54x-opc.c (FL_FAR flag) and SPRU172C Table 2-15:
* FRET[D]: XPC = TOS, ++SP, PC = TOS, ++SP
* Symmetric with FCALL/FCALLD push (also unconditional, see below).
* 2026-04-28 — fixed: was conditional on PMST_APTS (bit 4) which is
* actually AVIS (Address Visibility) per SPRU131G — has no stack
* semantics. The misnomer caused FRET to skip XPC pop when AVIS=0,
* leading to stack imbalance against FCALL FAR which always pushes 2. */
if (op == 0xF4E4) {
uint16_t ra = data_read(s, s->sp); s->sp++;
uint16_t prev_xpc = s->xpc;
s->xpc = data_read(s, s->sp); s->sp++;
if (s->xpc > 3) s->xpc &= 3;
{
static uint64_t fret_count;
fret_count++;
if (fret_count <= 30 || (fret_count % 1000) == 0)
C54_LOG("FRET #%llu PC=0x%04x -> ra=0x%04x XPC=%u→%u SP=0x%04x",
(unsigned long long)fret_count,
s->pc, ra, prev_xpc, s->xpc, s->sp);
}
s->pc = ra;
return 0;
}
/* IDLE 1/2/3: 0xF4E1, 0xF5E1, 0xF6E1, 0xF7E1 (mask 0xFCFF) */
if ((op & 0xFCFF) == 0xF4E1) {
int level = ((op >> 8) & 0x3) + 1;
static int idle_log = 0;
if (idle_log < 20)
C54_LOG("IDLE%d @0x%04x INTM=%d IMR=0x%04x SP=0x%04x insns=%u XPC=%d",
level, s->pc, !!(s->st1 & ST1_INTM),
s->imr, s->sp, s->insn_count, s->xpc);
idle_log++;
if (s->pc >= 0x8000 && s->pc < 0x8020) {
return consumed + s->lk_used;
}
s->idle = true;
return 0;
}
/* ================================================================
* F[4-7]xx generic accumulator family — promoted from F4 block
* to handle F5/F6/F7 variants. Handlers use bits 8/9 for src/dst,
* with masks FCE0/FCFF/FEFF naturally covering all 4 combinations
* (A->A, B->A, A->B, B->B). The matching handler bodies remain
* inside the F4 block as dead code (never reached for arith ops
* because of the early return here). 2026-04-28.
* ================================================================ */
/* F483/F583: SAT src (mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF483) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
int64_t val = sext40(*acc);
if (val > 0x7FFFFFFFLL) *acc = sext40(0x7FFFFFFFLL);
else if (val < -0x80000000LL) *acc = sext40(-0x80000000LL);
return consumed + s->lk_used;
}
/* F484/F584: NEG src[,dst] (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF484) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t val = sext40(src ? s->b : s->a);
if (dst) s->b = sext40(-val); else s->a = sext40(-val);
return consumed + s->lk_used;
}
/* F485/F585: ABS src[,dst] (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF485) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t val = sext40(src ? s->b : s->a);
if (val < 0) val = -val;
if (dst) s->b = sext40(val); else s->a = sext40(val);
return consumed + s->lk_used;
}
/* F48C/F58C: MPYA dst (mask FEFF, 1 word)
* Multiply T * A(high), accumulate into dst */
if ((op & 0xFEFF) == 0xF48C) {
int dst = (op >> 8) & 1;
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)((s->a >> 16) & 0xFFFF);
if (s->st1 & ST1_FRCT) prod <<= 1;
if (dst) s->b = sext40(s->b + prod); else s->a = sext40(s->a + prod);
return consumed + s->lk_used;
}
/* F48D/F58D: SQUR A,dst (mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF48D) {
int dst = (op >> 8) & 1;
int16_t ah = (int16_t)((s->a >> 16) & 0xFFFF);
int64_t prod = (int64_t)ah * (int64_t)ah;
if (s->st1 & ST1_FRCT) prod <<= 1;
if (dst) s->b = sext40(prod); else s->a = sext40(prod);
return consumed + s->lk_used;
}
/* F48E/F58E: EXP src (mask FEFF, 1 word)
* Count leading sign bits of accumulator, store in T */
if ((op & 0xFEFF) == 0xF48E) {
int src = (op >> 8) & 1;
int64_t val = sext40(src ? s->b : s->a);
int exp = 0;
if (val == 0 || val == -1) { exp = 31; }
else {
uint64_t uv = (val < 0) ? ~val : val;
uv &= 0xFFFFFFFFFFULL;
/* Count leading zeros from bit 38 down */
for (int i = 38; i >= 0; i--) {
if (uv & (1ULL << i)) break;
exp++;
}
exp -= 8; /* EXP = leading sign bits - 8 */
}
s->t = (uint16_t)(int16_t)exp;
return consumed + s->lk_used;
}
/* F492/F592: MAX src (mask FEFF, 1 word) — keep max of A,B */
if ((op & 0xFEFF) == 0xF492) {
int64_t sa = sext40(s->a), sb = sext40(s->b);
if (sa < sb) { s->a = s->b; s->st0 |= ST0_C; }
else { s->st0 &= ~ST0_C; }
return consumed + s->lk_used;
}
/* F493/F593: MIN src (mask FEFF, 1 word) — keep min of A,B */
if ((op & 0xFEFF) == 0xF493) {
int64_t sa = sext40(s->a), sb = sext40(s->b);
if (sa > sb) { s->a = s->b; s->st0 |= ST0_C; }
else { s->st0 &= ~ST0_C; }
return consumed + s->lk_used;
}
/* F49E/F59E: SUBC src (mask FEFF, 1 word) — conditional subtract for division */
if ((op & 0xFEFF) == 0xF49E) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
int64_t val = sext40(*acc);
if (val >= 0) { *acc = sext40((val << 1) + 1); }
else { *acc = sext40(val << 1); }
return consumed + s->lk_used;
}
/* F48F/F58F: NORM src[, dst] (mask FEFF, 1 word)
* Per SPRU172C p.4-118: if the two MSBs of src accumulator
* are different (not sign-extended), shift src left by 1
* and decrement T. Otherwise do nothing. Used by the FB-det
* correlator to normalize results; the loop exits when
* NORM stops shifting (MSBs match = value is normalized). */
if ((op & 0xFEFF) == 0xF48F) {
int src = (op >> 8) & 1;
int64_t val = sext40(src ? s->b : s->a);
/* Check bits 39 and 38 — if they differ, shift left */
int bit39 = (val >> 39) & 1;
int bit38 = (val >> 38) & 1;
if (bit39 != bit38) {
val = sext40(val << 1);
if (src) s->b = val; else s->a = val;
s->t = (uint16_t)(s->t - 1);
}
/* TC flag: set if shift occurred */
if (bit39 != bit38)
s->st0 |= ST0_TC;
else
s->st0 &= ~ST0_TC;
return consumed + s->lk_used;
}
/* F490/F590: ROR src (mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF490) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
uint16_t c = (s->st0 >> 8) & 1; /* carry */
uint16_t lsb = *acc & 1;
*acc = sext40(((uint64_t)(*acc & 0xFFFFFFFFFFULL) >> 1) | ((uint64_t)c << 39));
if (lsb) s->st0 |= ST0_C; else s->st0 &= ~ST0_C;
return consumed + s->lk_used;
}
/* F491/F591: ROL src (mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF491) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
uint16_t c = (s->st0 >> 8) & 1;
uint16_t msb = (*acc >> 39) & 1;
*acc = sext40(((*acc << 1) & 0xFFFFFFFFFFULL) | c);
if (msb) s->st0 |= ST0_C; else s->st0 &= ~ST0_C;
return consumed + s->lk_used;
}
/* F488/F588: MACA T,src[,dst] (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF488) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)((src ? s->b : s->a) >> 16);
if (s->st1 & ST1_FRCT) prod <<= 1;
if (dst) s->b = sext40(s->b + prod); else s->a = sext40(s->a + prod);
return consumed + s->lk_used;
}
/* F486/F586: CMPL src (complement, mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF486) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
*acc = sext40(~(*acc) & 0xFFFFFFFFFFULL);
return consumed + s->lk_used;
}
/* F487/F587: RND src (round, mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF487) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
*acc = sext40(*acc + 0x8000);
return consumed + s->lk_used;
}
/* F480/F580: ADD src,ASM,dst (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF480) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t sv = sext40(src ? s->b : s->a);
if (dst) s->b = sext40(s->b + sv); else s->a = sext40(s->a + sv);
return consumed + s->lk_used;
}
/* F481/F581: SUB src,ASM,dst (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF481) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t sv = sext40(src ? s->b : s->a);
if (dst) s->b = sext40(s->b - sv); else s->a = sext40(s->a - sv);
return consumed + s->lk_used;
}
/* F482/F582: LD src,ASM,dst (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF482) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t sv = sext40(src ? s->b : s->a);
if (dst) s->b = sext40(sv); else s->a = sext40(sv);
return consumed + s->lk_used;
}
/* F4xx accumulator shift/load (1-word, mask FCE0):
* F400: ADD src,shift,dst F420: SUB F440: LD F460: SFTA */
if ((op & 0xFCE0) == 0xF400) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
int64_t sv = sext40(src ? s->b : s->a);
if (shift >= 0) sv <<= shift; else sv >>= (-shift);
if (dst) s->b = sext40(s->b + sv); else s->a = sext40(s->a + sv);
return consumed + s->lk_used;
}
if ((op & 0xFCE0) == 0xF420) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
int64_t sv = sext40(src ? s->b : s->a);
if (shift >= 0) sv <<= shift; else sv >>= (-shift);
if (dst) s->b = sext40(s->b - sv); else s->a = sext40(s->a - sv);
return consumed + s->lk_used;
}
if ((op & 0xFCE0) == 0xF440) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
int64_t sv = sext40(src ? s->b : s->a);
if (shift >= 0) sv <<= shift; else sv >>= (-shift);
if (dst) s->b = sext40(sv); else s->a = sext40(sv);
return consumed + s->lk_used;
}
if ((op & 0xFCE0) == 0xF460) {
/* SFTA src,shift,dst — arithmetic shift accumulator */
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
int64_t sv = sext40(src ? s->b : s->a);
if (shift >= 0) sv <<= shift; else sv >>= (-shift);
if (dst) s->b = sext40(sv); else s->a = sext40(sv);
return consumed + s->lk_used;
}
if ((op & 0xFCE0) == 0xF4A0) {
/* SFTL src,shift,dst — logical shift accumulator */
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
uint64_t uv = (uint64_t)((src ? s->b : s->a) & 0xFFFFFFFFFFULL);
if (shift >= 0) uv <<= shift; else uv >>= (-shift);
uv &= 0xFFFFFFFFFFULL;
if (dst) s->b = sext40(uv); else s->a = sext40(uv);
return consumed + s->lk_used;
}
/* F494/F594: SFTC src (mask FEFF, 1 word).
* Per SPRU172C p.4-264: shift src left by 1 if src(31)==src(30)
* and src!=0. Used by FB-det normalisation around PC=0x10e5..0x10f4
* — without it the correlator sums never normalise. */
if ((op & 0xFEFF) == 0xF494) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
int64_t val = sext40(*acc);
if (val != 0) {
int b31 = (val >> 31) & 1;
int b30 = (val >> 30) & 1;
if (b31 == b30) *acc = sext40(val << 1);
}
return consumed + s->lk_used;
}
if (hi8 == 0xF4) {
/* F4xx: unconditional branch/call and special instructions.
* Some F4xx instructions are 1-word (FRET, FRETE, RETE, TRAP, NOP, etc.)
* Must check specific opcodes BEFORE the 2-word switch. */
/* Note: 0xF4E4 = IDLE (handled above, not FRET).
* Real FRET = 0xF072 (algebraic), handled in F0xx section. */
/* NOP — F495 per SPRU172C p.4-121 */
if (op == 0xF495) {
return 1; /* 1-word NOP */
}
/* TRAP K — F4C0-F4DF per SPRU172C p.4-195:
* SP-1, PC+1 → TOS, vector(IPTR*128 + K*4) → PC */
if ((op & 0xFFE0) == 0xF4C0) {
int k = op & 0x1F;
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 1));
uint16_t iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
s->pc = (iptr * 0x80) + k * 4;
C54_LOG("TRAP #%d → PC=0x%04x (from PC=0x%04x)", k, s->pc,
(uint16_t)(s->pc - (iptr * 0x80 + k * 4) + 1 - 1));
return 0;
}
/* F4xx arithmetic instructions (1-word, per tic54x-opc.c).
* These MUST be checked before the 2-word branch/call switch. */
{
/* F483/F583: SAT src (mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF483) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
int64_t val = sext40(*acc);
if (val > 0x7FFFFFFFLL) *acc = sext40(0x7FFFFFFFLL);
else if (val < -0x80000000LL) *acc = sext40(-0x80000000LL);
return consumed + s->lk_used;
}
/* F484/F584: NEG src[,dst] (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF484) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t val = sext40(src ? s->b : s->a);
if (dst) s->b = sext40(-val); else s->a = sext40(-val);
return consumed + s->lk_used;
}
/* F485/F585: ABS src[,dst] (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF485) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t val = sext40(src ? s->b : s->a);
if (val < 0) val = -val;
if (dst) s->b = sext40(val); else s->a = sext40(val);
return consumed + s->lk_used;
}
/* F48C/F58C: MPYA dst (mask FEFF, 1 word)
* Multiply T * A(high), accumulate into dst */
if ((op & 0xFEFF) == 0xF48C) {
int dst = (op >> 8) & 1;
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)((s->a >> 16) & 0xFFFF);
if (s->st1 & ST1_FRCT) prod <<= 1;
if (dst) s->b = sext40(s->b + prod); else s->a = sext40(s->a + prod);
return consumed + s->lk_used;
}
/* F48D/F58D: SQUR A,dst (mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF48D) {
int dst = (op >> 8) & 1;
int16_t ah = (int16_t)((s->a >> 16) & 0xFFFF);
int64_t prod = (int64_t)ah * (int64_t)ah;
if (s->st1 & ST1_FRCT) prod <<= 1;
if (dst) s->b = sext40(prod); else s->a = sext40(prod);
return consumed + s->lk_used;
}
/* F48E/F58E: EXP src (mask FEFF, 1 word)
* Count leading sign bits of accumulator, store in T */
if ((op & 0xFEFF) == 0xF48E) {
int src = (op >> 8) & 1;
int64_t val = sext40(src ? s->b : s->a);
int exp = 0;
if (val == 0 || val == -1) { exp = 31; }
else {
uint64_t uv = (val < 0) ? ~val : val;
uv &= 0xFFFFFFFFFFULL;
/* Count leading zeros from bit 38 down */
for (int i = 38; i >= 0; i--) {
if (uv & (1ULL << i)) break;
exp++;
}
exp -= 8; /* EXP = leading sign bits - 8 */
}
s->t = (uint16_t)(int16_t)exp;
return consumed + s->lk_used;
}
/* F48F/F58F: NORM — handled below (real implementation, not NOP) */
/* F492/F592: MAX src (mask FEFF, 1 word) — keep max of A,B */
if ((op & 0xFEFF) == 0xF492) {
int64_t sa = sext40(s->a), sb = sext40(s->b);
if (sa < sb) { s->a = s->b; s->st0 |= ST0_C; }
else { s->st0 &= ~ST0_C; }
return consumed + s->lk_used;
}
/* F493/F593: MIN src (mask FEFF, 1 word) — keep min of A,B */
if ((op & 0xFEFF) == 0xF493) {
int64_t sa = sext40(s->a), sb = sext40(s->b);
if (sa > sb) { s->a = s->b; s->st0 |= ST0_C; }
else { s->st0 &= ~ST0_C; }
return consumed + s->lk_used;
}
/* F49E/F59E: SUBC src (mask FEFF, 1 word) — conditional subtract for division */
if ((op & 0xFEFF) == 0xF49E) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
int64_t val = sext40(*acc);
if (val >= 0) { *acc = sext40((val << 1) + 1); }
else { *acc = sext40(val << 1); }
return consumed + s->lk_used;
}
/* F48F/F58F: NORM src[, dst] (mask FEFF, 1 word)
* Per SPRU172C p.4-118: if the two MSBs of src accumulator
* are different (not sign-extended), shift src left by 1
* and decrement T. Otherwise do nothing. Used by the FB-det
* correlator to normalize results; the loop exits when
* NORM stops shifting (MSBs match = value is normalized). */
if ((op & 0xFEFF) == 0xF48F) {
int src = (op >> 8) & 1;
int64_t val = sext40(src ? s->b : s->a);
/* Check bits 39 and 38 — if they differ, shift left */
int bit39 = (val >> 39) & 1;
int bit38 = (val >> 38) & 1;
if (bit39 != bit38) {
val = sext40(val << 1);
if (src) s->b = val; else s->a = val;
s->t = (uint16_t)(s->t - 1);
}
/* TC flag: set if shift occurred */
if (bit39 != bit38)
s->st0 |= ST0_TC;
else
s->st0 &= ~ST0_TC;
return consumed + s->lk_used;
}
/* F49F: DELAY (pipeline flush, NOP) */
if (op == 0xF49F) { return consumed + s->lk_used; }
/* F490/F590: ROR src (mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF490) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
uint16_t c = (s->st0 >> 8) & 1; /* carry */
uint16_t lsb = *acc & 1;
*acc = sext40(((uint64_t)(*acc & 0xFFFFFFFFFFULL) >> 1) | ((uint64_t)c << 39));
if (lsb) s->st0 |= ST0_C; else s->st0 &= ~ST0_C;
return consumed + s->lk_used;
}
/* F491/F591: ROL src (mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF491) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
uint16_t c = (s->st0 >> 8) & 1;
uint16_t msb = (*acc >> 39) & 1;
*acc = sext40(((*acc << 1) & 0xFFFFFFFFFFULL) | c);
if (msb) s->st0 |= ST0_C; else s->st0 &= ~ST0_C;
return consumed + s->lk_used;
}
/* F488/F588: MACA T,src[,dst] (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF488) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)((src ? s->b : s->a) >> 16);
if (s->st1 & ST1_FRCT) prod <<= 1;
if (dst) s->b = sext40(s->b + prod); else s->a = sext40(s->a + prod);
return consumed + s->lk_used;
}
/* F486/F586: CMPL src (complement, mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF486) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
*acc = sext40(~(*acc) & 0xFFFFFFFFFFULL);
return consumed + s->lk_used;
}
/* F487/F587: RND src (round, mask FEFF, 1 word) */
if ((op & 0xFEFF) == 0xF487) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
*acc = sext40(*acc + 0x8000);
return consumed + s->lk_used;
}
/* F480/F580: ADD src,ASM,dst (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF480) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t sv = sext40(src ? s->b : s->a);
if (dst) s->b = sext40(s->b + sv); else s->a = sext40(s->a + sv);
return consumed + s->lk_used;
}
/* F481/F581: SUB src,ASM,dst (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF481) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t sv = sext40(src ? s->b : s->a);
if (dst) s->b = sext40(s->b - sv); else s->a = sext40(s->a - sv);
return consumed + s->lk_used;
}
/* F482/F582: LD src,ASM,dst (mask FCFF, 1 word) */
if ((op & 0xFCFF) == 0xF482) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int64_t sv = sext40(src ? s->b : s->a);
if (dst) s->b = sext40(sv); else s->a = sext40(sv);
return consumed + s->lk_used;
}
/* F4xx accumulator shift/load (1-word, mask FCE0):
* F400: ADD src,shift,dst F420: SUB F440: LD F460: SFTA */
if ((op & 0xFCE0) == 0xF400) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
int64_t sv = sext40(src ? s->b : s->a);
if (shift >= 0) sv <<= shift; else sv >>= (-shift);
if (dst) s->b = sext40(s->b + sv); else s->a = sext40(s->a + sv);
return consumed + s->lk_used;
}
if ((op & 0xFCE0) == 0xF420) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
int64_t sv = sext40(src ? s->b : s->a);
if (shift >= 0) sv <<= shift; else sv >>= (-shift);
if (dst) s->b = sext40(s->b - sv); else s->a = sext40(s->a - sv);
return consumed + s->lk_used;
}
if ((op & 0xFCE0) == 0xF440) {
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
int64_t sv = sext40(src ? s->b : s->a);
if (shift >= 0) sv <<= shift; else sv >>= (-shift);
if (dst) s->b = sext40(sv); else s->a = sext40(sv);
return consumed + s->lk_used;
}
if ((op & 0xFCE0) == 0xF460) {
/* SFTA src,shift,dst — arithmetic shift accumulator */
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
int64_t sv = sext40(src ? s->b : s->a);
if (shift >= 0) sv <<= shift; else sv >>= (-shift);
if (dst) s->b = sext40(sv); else s->a = sext40(sv);
return consumed + s->lk_used;
}
if ((op & 0xFCE0) == 0xF4A0) {
/* SFTL src,shift,dst — logical shift accumulator */
int src = (op >> 8) & 1, dst = (op >> 9) & 1;
int shift = op & 0x1F; if (shift > 15) shift -= 32;
uint64_t uv = (uint64_t)((src ? s->b : s->a) & 0xFFFFFFFFFFULL);
if (shift >= 0) uv <<= shift; else uv >>= (-shift);
uv &= 0xFFFFFFFFFFULL;
if (dst) s->b = sext40(uv); else s->a = sext40(uv);
return consumed + s->lk_used;
}
}
/* F4Bx: RSBX -- reset bit in ST0 (bit 9=0, bit 8=0).
* Per tic54x-opc.c: RSBX 0xF4B0 mask 0xFDF0. */
if ((op & 0xFFF0) == 0xF4B0) {
int bit = op & 0x0F;
s->st0 &= ~(1 << bit);
return consumed + s->lk_used;
}
/* F494/F594: SFTC src (mask FEFF, 1 word).
* Per SPRU172C p.4-264: shift src left by 1 if src(31)==src(30)
* and src!=0. Used by FB-det normalisation around PC=0x10e5..0x10f4
* — without it the correlator sums never normalise. */
if ((op & 0xFEFF) == 0xF494) {
int src = (op >> 8) & 1;
int64_t *acc = src ? &s->b : &s->a;
int64_t val = sext40(*acc);
if (val != 0) {
int b31 = (val >> 31) & 1;
int b30 = (val >> 30) & 1;
if (b31 == b30) *acc = sext40(val << 1);
}
return consumed + s->lk_used;
}
/* Remaining F4xx: unhandled — treat as 1-word NOP */
C54_LOG("F4xx unhandled: 0x%04x PC=0x%04x", op, s->pc);
return consumed + s->lk_used;
}
if (hi8 == 0xF0 || hi8 == 0xF1) {
/* FIRS -- catch before other F1xx handlers */
if (hi8 == 0xF1) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int xar = (op >> 4) & 0x07;
int yar = op & 0x07;
uint16_t xval = data_read(s, s->ar[xar]);
uint16_t yval = data_read(s, s->ar[yar]);
uint8_t xmod = (op >> 4) & 0xF;
if ((xmod & 0x1) == 0) s->ar[xar]++; else s->ar[xar]--;
if ((op & 0x08) == 0) s->ar[yar]++; else s->ar[yar]--;
int16_t coeff = (int16_t)prog_read(s, op2);
int16_t ah = (int16_t)((s->a >> 16) & 0xFFFF);
int64_t product = (int64_t)ah * (int64_t)coeff;
if (s->st1 & ST1_FRCT) product <<= 1;
s->b = sext40(s->b + product);
int32_t sum = (int32_t)(int16_t)xval + (int32_t)(int16_t)yval;
s->a = sext40((int64_t)sum << 16);
return consumed + s->lk_used;
}
/* F073: B pmad — unconditional branch (2-word).
* Per tic54x-opc.c: 0xF073 mask 0xFFFF. */
if (op == 0xF073) {
op2 = prog_fetch(s, s->pc + 1);
s->pc = op2;
return 0;
}
/* F074: CALL pmad — unconditional call (2-word).
* Per tic54x-opc.c: call 0xF074 mask 0xFFFF.
* Push PC+2 (return address), branch to pmad.
* NOTE: RETE is 0xF4EB (already handled above), NOT F074. */
if (op == 0xF074) {
op2 = prog_fetch(s, s->pc + 1);
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 2));
s->pc = op2;
return 0;
}
/* F072: RPTB pmad — block repeat (2-word, non-delayed).
* Per tic54x-opc.c: 0xF072 mask 0xFFFF.
* RSA = PC+2, REA = pmad. */
if (op == 0xF072) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->rea = op2;
s->rsa = (uint16_t)(s->pc + 2);
s->rptb_active = true;
s->st1 |= ST1_BRAF;
return consumed + s->lk_used;
}
/* F07x: RPT/RPTZ/misc (F072-F074 handled above) */
if (op == 0xF070) {
/* F070: RPT #lku — repeat next instruction lku+1 times (2-word) */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->rpt_count = op2;
s->rpt_active = true;
s->pc += 2;
return 0;
}
if (op == 0xF071) {
/* F071: RPTZ dst, #lku — zero accumulator and repeat (2-word) */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int dst = (op >> 8) & 1; /* bit 8 via FEFF mask */
if (dst) s->b = 0; else s->a = 0;
s->rpt_count = op2;
s->rpt_active = true;
s->pc += 2;
return 0;
}
if ((op & 0xFFF0) == 0xF070) {
/* F075-F07F: undefined, treat as 1-word NOP */
return consumed + s->lk_used;
}
/* F0Bx/F1Bx: RSBX/SSBX */
if ((op & 0x00F0) == 0x00B0) {
int bit = op & 0x0F;
int set = (op >> 8) & 1;
int st = (op >> 5) & 1;
if (st == 0) { if (set) s->st0 |= (1<<bit); else s->st0 &= ~(1<<bit); }
else { if (set) s->st1 |= (1<<bit); else s->st1 &= ~(1<<bit); }
return consumed + s->lk_used;
}
/* F0xx/F1xx ALU with #lk immediate (2-word).
* Per tic54x-opc.c: bits 7:4 = op (0=ADD,1=SUB,2=LD,3=AND,4=OR,5=XOR),
* bit 8 = SRC (ADD/SUB/AND/OR/XOR) or DST (LD), bit 9 = DST,
* bits 3:0 = shift. Second word = lk. */
{
uint8_t alu_op = (op >> 4) & 0xF;
if (alu_op <= 5) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int shift = op & 0xF;
int src_sel = (op >> 8) & 1;
int dst_sel = (op >> 9) & 1;
int64_t src_val = src_sel ? s->b : s->a;
int64_t *dst = (alu_op == 2)
? (src_sel ? &s->b : &s->a)
: (dst_sel ? &s->b : &s->a);
int64_t lk_val;
if (alu_op <= 2)
lk_val = (int64_t)(int16_t)op2 << shift;
else
lk_val = (int64_t)(uint16_t)op2 << shift;
switch (alu_op) {
case 0: *dst = sext40(src_val + lk_val); break; /* ADD */
case 1: *dst = sext40(src_val - lk_val); break; /* SUB */
case 2: *dst = sext40(lk_val); break; /* LD */
case 3: *dst = src_val & lk_val; break; /* AND */
case 4: *dst = src_val | lk_val; break; /* OR */
case 5: *dst = src_val ^ lk_val; break; /* XOR */
}
return consumed + s->lk_used;
}
if (alu_op == 6) {
/* F06x: ADD/SUB/LD/AND/OR/XOR #lk,16 + MPY/MAC #lk */
uint8_t sub6 = op & 0xF;
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int src_sel = (op >> 8) & 1;
int dst_sel = (op >> 9) & 1;
int64_t src_val = src_sel ? s->b : s->a;
int64_t *dst = dst_sel ? &s->b : &s->a;
switch (sub6) {
case 0: *dst = sext40(src_val + ((int64_t)(int16_t)op2 << 16)); break;
case 1: *dst = sext40(src_val - ((int64_t)(int16_t)op2 << 16)); break;
case 2: dst = src_sel ? &s->b : &s->a;
*dst = sext40((int64_t)(int16_t)op2 << 16); break;
case 3: *dst = src_val & ((int64_t)(uint16_t)op2 << 16); break;
case 4: *dst = src_val | ((int64_t)(uint16_t)op2 << 16); break;
case 5: *dst = src_val ^ ((int64_t)(uint16_t)op2 << 16); break;
case 6: /* MPY #lk, dst */
dst = src_sel ? &s->b : &s->a;
{ int64_t p = (int64_t)(int16_t)s->t * (int64_t)(int16_t)op2;
if (s->st1 & ST1_FRCT) p <<= 1;
*dst = sext40(p); } break;
case 7: /* MAC #lk, src[,dst] */
{ int64_t p = (int64_t)(int16_t)s->t * (int64_t)(int16_t)op2;
if (s->st1 & ST1_FRCT) p <<= 1;
*dst = sext40(src_val + p); } break;
default: break;
}
return consumed + s->lk_used;
}
if (alu_op >= 8) {
/* F08x-F0Fx: accumulator-to-accumulator ops (1-word).
* bits 7:5 = op (100=AND,101=OR,110=XOR,111=SFTL)
* bits 4:0 = shift (signed 5-bit), bits 9:8 = src,dst */
int src_sel = (op >> 8) & 1;
int dst_sel = (op >> 9) & 1;
int64_t sv = src_sel ? s->b : s->a;
int64_t *dst = dst_sel ? &s->b : &s->a;
int shift = op & 0x1F;
if (shift > 15) shift -= 32;
uint8_t aop = (op >> 5) & 0x7;
int64_t shifted;
if (shift >= 0) shifted = sv << shift;
else shifted = sv >> (-shift);
switch (aop) {
case 4: *dst = sext40(sv) & sext40(shifted); break;
case 5: *dst = sext40(sv) | sext40(shifted); break;
case 6: *dst = sext40(sv) ^ sext40(shifted); break;
case 7: { uint64_t uv = (uint64_t)(sv & 0xFFFFFFFFFFULL);
if (shift >= 0) uv <<= shift; else uv >>= (-shift);
*dst = sext40(uv & 0xFFFFFFFFFFULL); } break;
default: break;
}
return consumed + s->lk_used;
}
}
goto unimpl;
}
/* F272/F274/F273: RPTBD/CALLD/RETD — must check BEFORE LMS */
if (op == 0xF272) {
/* RPTBD pmad — delayed block repeat (2 words).
* Delayed: 2 delay slots after the 2-word instruction.
* RSA = PC + 4 (skip RPTBD + 2 delay slot words). */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->rea = op2;
s->rsa = (uint16_t)(s->pc + 4);
s->rptb_active = true;
s->st1 |= ST1_BRAF;
{ static int _rb=0; if (_rb<20) { C54_LOG("RPTBD PC=0x%04x REA=0x%04x RSA=0x%04x BRC=%d", s->pc, s->rea, s->rsa, s->brc); _rb++; } }
return consumed + s->lk_used;
}
if (op == 0xF274) {
/* CALLD pmad — delayed call (2 words, 2 delay slots).
* Push PC+4 (past CALLD + 2 delay slots), branch to pmad. */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 4));
s->pc = op2;
return 0;
}
if (op == 0xF273) {
/* RETD — delayed return (1 word) */
uint16_t ra = data_read(s, s->sp); s->sp++;
s->pc = ra;
return 0;
}
/* LMS Xmem, Ymem — Least Mean Square step (1-word dual-operand)
* Encoding: 1111 001D XXXX YYYY
* Per SPRU172C: dst += T * Xmem; Ymem += rnd(AH * T); T = Xmem
* Exclude F272 (RPTBD), F273 (RETD), F274 (CALLD) — exact-match
* opcodes that share the F2xx range but are handled below. */
/* REMOVED 2026-05-08 night : the previous "LMS Xmem,Ymem" handler
* for hi8 ∈ {0xF2, 0xF3} (excluding F272/F273/F274) was mis-decoded
* — it claimed encoding `1111 001D XXXX YYYY` but per binutils
* tic54x-opc.c LMS is actually :
*
* { "lms", 1,2,2, 0xE100, 0xFF00, {OP_Xmem,OP_Ymem}, ... }
*
* i.e. hi8 == 0xE1, NOT 0xF2/F3. The 0xE1 handler already exists
* (line ~3247) and is correct.
*
* The F2xx/F3xx range per binutils contains only :
* F272 RPTBD, F273 RETD, F274 CALLD (3 special-cases)
* F300-F31F INTR k (handled below)
* F330-F35F AND/OR/XOR with shift (mask FCF0) (handled below)
* F360-F367 ADD/SUB/AND/OR/XOR/MAC #lk (mask FCFF) (handled below)
* F380-F3FF AND/OR/XOR/SFTL src,SHIFT,DST (FCE0) (handled below)
* F320-F32F + F368-F37F unmapped (NOP fallback)
*
* The bogus LMS catch-all stole every F3xx instruction before the
* proper F3 dispatch could see it. For 0xF3E1 (= SFTL B,1,B,
* 4872 sites in firmware) it computed `new_ym = AH*T-derived junk`
* and called data_write(s, AR1, new_ym). When AR1=0, that wrote
* the junk to MMR_IMR. This is the IMR-thrash cascade observed
* post-0x76-fix at PC=0x8eb9.
*
* Discovered after the 0x76 fix exposed the second-level cascade.
* Trace evidence : IMR-W 0x0000→{0x0540, 0x0525, 0x082b, 0xfd57,
* 0xfacf, ...} all PC=0x8eb9 op=0xf3e1, INTM-TRANS XPC=0
* (confirms genuine PROM0 execution, not XPC artifact).
*
* Fix : let the existing F3 dispatch (line 2468+) handle F3xx
* properly. F2xx (other than F272/3/4) falls through to F-class
* NOP fallback — firmware does not appear to use it. */
/* F8xx: branches, RPT, BANZ, CALL, RET variants */
if (hi8 == 0xF8) {
uint8_t sub = (op >> 4) & 0xF;
/* F820 (624 sites) and F830 (543 sites) are BC pmad,cond per
* tic54x-opc.c (bc = 0xF800 mask 0xFF00). The dispatcher at
* PROM0 0xb968-0xb9a4 relies on these branching when the ACC
* comparison succeeds. Cond 0x20 = C set, cond 0x30 = ?
* (we treat both via ACC compare for now since dispatcher uses
* cmp-style behaviour). The full F8xx range is BC per binutils
* but historically the firmware tolerates the legacy decode
* for the other sub-codes — surgical override here only. */
if (sub == 0x2 || sub == 0x3) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int64_t acc_signed = (s->a & 0x8000000000LL)
? (s->a | ~0xFFFFFFFFFFLL) : s->a;
bool take = false;
/* For now: cond=0x20 → branch if A != 0; cond=0x30 → A == 0.
* These are heuristics until we confirm the exact cond
* mapping from SPRU172C. Tweak based on observed dispatcher
* behaviour. */
if (sub == 0x2) take = (acc_signed != 0);
else /* sub==0x3 */ take = (acc_signed == 0);
if (take) { s->pc = op2; return 0; }
return consumed + s->lk_used;
}
if (sub == 0x2) {
/* Unreachable now — kept for clarity in case we revert. */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->rea = op2;
s->rsa = (uint16_t)(s->pc + 2);
s->rptb_active = true;
s->st1 |= ST1_BRAF;
return consumed + s->lk_used;
}
if (sub == 0x3) {
/* Unreachable now. */
op2 = prog_fetch(s, s->pc + 1);
s->rpt_count = op2;
s->rpt_active = true;
s->pc += 2;
return 0;
}
/* Per tic54x-opc.c:
* F880-F8FF mask FF80 = FB pmad (FAR branch unconditional)
* The low 7 bits of the opcode word encode the target XPC bits.
* Calypso uses 2-bit XPC, so & 0x3 is sufficient.
*
* Earlier this range was treated as plain B pmad — a bug that
* kept XPC=0 forever (DSP never reached PROM1 user code). */
if ((op & 0xFF80) == 0xF880) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint8_t new_xpc = (op & 0x7F) & 0x03;
static uint64_t fb_total;
fb_total++;
if (fb_total <= 30 || (fb_total % 5000) == 0) {
C54_LOG("FB FAR #%llu PC=0x%04x → XPC=%u PC=0x%04x (was XPC=%u)",
(unsigned long long)fb_total, s->pc,
new_xpc, op2, s->xpc);
}
s->xpc = new_xpc;
s->pc = op2;
return 0;
}
/* F88x..F8Bx (mask FF80=0): historic plain B pmad (NEAR), kept
* for sub-codes that fall outside the FAR mask above. */
if (sub >= 0x8 && sub <= 0xB) {
op2 = prog_fetch(s, s->pc + 1);
s->pc = op2;
return 0;
}
/* F86x/F87x: BANZ *ARn, pmad — branch if ARn != 0 (2 words) */
if (sub == 0x6 || sub == 0x7) {
op2 = prog_fetch(s, s->pc + 1);
int ar_idx = op & 0x07;
if (s->ar[ar_idx] != 0) {
s->ar[ar_idx]--;
s->pc = op2;
return 0;
}
return 2; /* skip 2 words, fall through */
}
/* F84x/F85x: BANZ with condition / CALL variants */
if (sub == 0x4 || sub == 0x5) {
op2 = prog_fetch(s, s->pc + 1);
/* BANZ ARn, pmad */
int ar_idx = op & 0x07;
if (s->ar[ar_idx] != 0) {
s->ar[ar_idx]--;
s->pc = op2;
return 0;
}
return 2;
}
/* F8Cx-F8Fx: CALL/CALLD pmad (2 words) */
if (sub >= 0xC) {
op2 = prog_fetch(s, s->pc + 1);
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 2));
s->pc = op2;
return 0;
}
/* F80x-F81x: BANZ pmad, Smem (2 words)
* Per SPRU172C + tic54x-opc.c: entire F8xx range is BANZ.
* Sind operand selects AR via op[2:0] (nar). Test pre-mod
* value; resolve_smem applies Sind post-mod. Same off-by-ARP
* fix as 0x6C00 / 0x6E00 BANZ/BANZD. */
if (sub <= 0x1) {
int nar = op & 0x07;
uint16_t old_ar = s->ar[nar];
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
if (old_ar != 0) {
s->pc = op2;
return 0;
}
return consumed + s->lk_used;
}
/* Fallback: RPT Smem (F8xx sub not handled above) */
addr = resolve_smem(s, op, &ind);
s->rpt_count = data_read(s, addr);
s->rpt_active = true;
s->pc += consumed;
return 0;
}
/* F3xx: dispatch per binutils tic54x-opc.c (verified against
* insn_template struct include/opcode/tic54x.h:85-150).
*
* 8 sub-families:
* F300-F31F INTR k 1-word
* F320-F32F unmapped (NOP fallback)
* F330-F35F AND/OR/XOR #lk,SHIFT,SRC,DST mask FCF0 2-word
* F360-F367 ADD/SUB/AND/OR/XOR/MAC #lk var. FCFF 2-word
* F368-F37F unmapped (NOP fallback)
* F380-F39F AND src,SHIFT,DST mask FCE0 1-word
* F3A0-F3BF OR src,SHIFT,DST mask FCE0 1-word
* F3C0-F3DF XOR src,SHIFT,DST mask FCE0 1-word
* F3E0-F3FF SFTL src,SHIFT,DST mask FCE0 1-word
*
* Dispatch order: most-specific masks first (FCFF → FCF0 → FCE0).
*
* 2026-04-29 — replaces previous "F320+ → LD #k9, DP" fallback
* which mass-mis-decoded 364 firmware sites. Wedge at PC=0x8eb9
* (0xF3E1 SFTL B,1,B) was directly tied to this bug.
* See doc/opcodes/0xF3.md for full spec. */
if (hi8 == 0xF3) {
/* F300-F31F: INTR k (preserve existing behavior) */
if ((op & 0xFFE0) == 0xF300) {
int vec = op & 0x1F;
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 1));
s->st1 |= ST1_INTM;
uint16_t iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
s->pc = (iptr * 0x80) + vec * 4;
return 0;
}
/* F360-F367: 2-word with mask FCFF (#lk<<16 variants).
* Most-specific mask, check first. */
if ((op & 0xFCFF) == 0xF060 || /* ADD #lk<<16, src, [dst] */
(op & 0xFCFF) == 0xF061 || /* SUB */
(op & 0xFCFF) == 0xF063 || /* AND */
(op & 0xFCFF) == 0xF064 || /* OR */
(op & 0xFCFF) == 0xF065 || /* XOR */
(op & 0xFCFF) == 0xF067) { /* MAC #lk, src, [dst] */
op2 = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
consumed = 2;
int sub = op & 0x7;
int src_b = (op >> 9) & 1;
int dst_b = (op >> 8) & 1;
int64_t src = src_b ? s->b : s->a;
int64_t result = src;
switch (sub) {
case 0x0: result = src + ((int64_t)(int16_t)op2 << 16); break;
case 0x1: result = src - ((int64_t)(int16_t)op2 << 16); break;
case 0x3: result = src & (((int64_t)op2) << 16); break;
case 0x4: result = src | (((int64_t)op2) << 16); break;
case 0x5: result = src ^ (((int64_t)op2) << 16); break;
case 0x7: { /* MAC: dst = src + T * lk */
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)op2;
if (s->st1 & ST1_FRCT) prod <<= 1;
result = src + prod;
break;
}
}
if (dst_b) s->b = sext40(result); else s->a = sext40(result);
return consumed + s->lk_used;
}
/* F330-F35F: 2-word with mask FCF0 (#lk + 4-bit shift).
* AND (sub=3), OR (sub=4), XOR (sub=5).
* Note: ADD (sub=0) and SUB (sub=1) at F30x/F31x are caught
* by INTR handler above (those ranges are INTR semantically). */
if ((op & 0xFCF0) == 0xF030 || /* AND #lk, SHIFT, src, [dst] */
(op & 0xFCF0) == 0xF040 || /* OR */
(op & 0xFCF0) == 0xF050) { /* XOR */
op2 = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
consumed = 2;
int subop = (op >> 4) & 0xF;
int shift_raw = op & 0xF;
int shift = (shift_raw & 0x8) ? (shift_raw - 16) : shift_raw;
int src_b = (op >> 9) & 1;
int dst_b = (op >> 8) & 1;
int64_t src = src_b ? s->b : s->a;
int64_t lk_signed = (int16_t)op2;
int64_t shifted = (shift >= 0) ? (lk_signed << shift)
: (lk_signed >> (-shift));
int64_t result = src;
switch (subop) {
case 0x3: result = src & shifted; break; /* AND */
case 0x4: result = src | shifted; break; /* OR */
case 0x5: result = src ^ shifted; break; /* XOR */
}
if (dst_b) s->b = sext40(result); else s->a = sext40(result);
return consumed + s->lk_used;
}
/* F380-F3FF: 1-word AND/OR/XOR/SFTL src,SHIFT,DST (mask FCE0).
* Sub-opcode in bits 7-5: 100=AND, 101=OR, 110=XOR, 111=SFTL. */
if ((op & 0xFCE0) == 0xF080 || /* AND */
(op & 0xFCE0) == 0xF0A0 || /* OR */
(op & 0xFCE0) == 0xF0C0 || /* XOR */
(op & 0xFCE0) == 0xF0E0) { /* SFTL */
int sub = (op >> 5) & 0x7;
int src_b = (op >> 9) & 1;
int dst_b = (op >> 8) & 1;
int shift_raw = op & 0x1F;
int shift = (shift_raw & 0x10) ? (shift_raw - 32) : shift_raw;
int64_t src = src_b ? s->b : s->a;
int64_t result = src;
switch (sub) {
case 0x4: { /* AND src,SHIFT,DST: DST = SRC & (DST_in << shift) */
int64_t dst_in = dst_b ? s->b : s->a;
int64_t sh = (shift >= 0) ? (dst_in << shift) : (dst_in >> (-shift));
result = src & sh;
break;
}
case 0x5: { /* OR */
int64_t dst_in = dst_b ? s->b : s->a;
int64_t sh = (shift >= 0) ? (dst_in << shift) : (dst_in >> (-shift));
result = src | sh;
break;
}
case 0x6: { /* XOR */
int64_t dst_in = dst_b ? s->b : s->a;
int64_t sh = (shift >= 0) ? (dst_in << shift) : (dst_in >> (-shift));
result = src ^ sh;
break;
}
case 0x7: { /* SFTL src,SHIFT,DST: DST = SRC << shift (logical) */
uint64_t usrc = (uint64_t)src & 0xFFFFFFFFFFULL;
result = (int64_t)((shift >= 0) ? (usrc << shift) : (usrc >> (-shift)));
break;
}
}
if (dst_b) s->b = sext40(result); else s->a = sext40(result);
return consumed + s->lk_used;
}
/* F320-F32F + F368-F37F: unmapped per binutils. NOP fallback +
* log-once for diagnostic. 9 firmware sites total. */
{
static int unmapped_log = 0;
if (unmapped_log++ < 20)
C54_LOG("F3xx unmapped op=0x%04x PC=0x%04x (NOP)",
op, s->pc);
}
return consumed + s->lk_used;
}
/* F6xx: various — LD/ST acc-acc, ABDST, SACCD, etc. */
if (hi8 == 0xF6) {
uint8_t sub = (op >> 4) & 0xF;
if (sub == 0x2) {
/* F62x: LD A, dst_shift, B or LD B, dst_shift, A */
int dst = op & 1;
if (dst) s->b = s->a; else s->a = s->b;
return consumed + s->lk_used;
}
if (sub == 0x6) {
/* F66x: LD A/B with shift to other acc */
int dst = op & 1;
if (dst) s->b = s->a; else s->a = s->b;
return consumed + s->lk_used;
}
if (sub == 0xB) {
/* F6Bx: RSBX -- reset bit in ST1 (bit 9=1, bit 8=0).
* Per tic54x-opc.c: RSBX 0xF4B0 mask 0xFDF0 covers F6Bx. */
int bit = op & 0x0F;
s->st1 &= ~(1 << bit);
return consumed + s->lk_used;
}
/* Delayed branches/calls/returns from PROM (per tic54x-opc.c).
* MUST be checked BEFORE the MVDD catch-all because they share
* the high nibbles 0xE/0x9. Without these the DSP cannot return
* from interrupt service routines — RETED in particular leaves
* INTM=1 forever, blocking every subsequent INT3 and stalling
* the firmware↔DSP frame loop (the original CLAUDE.md root bug).
*
* All delayed forms execute 2 delay-slot words before the jump
* commits; we arm the existing delayed_pc/delay_slots machinery
* (the same one RCD uses) so the slots run with the right PC. */
if (op == 0xF6EB) {
/* RETED — return from interrupt, enable interrupts, delayed.
* Pop PC, clear INTM, then run 2 delay slots before jumping. */
uint16_t ra = data_read(s, s->sp); s->sp++;
s->st1 &= ~ST1_INTM;
s->delayed_pc = ra;
s->delay_slots = 2;
{
static uint64_t reted_count;
reted_count++;
if (reted_count <= 20 || (reted_count % 100) == 0)
C54_LOG("RETED #%llu PC=0x%04x -> ra=0x%04x SP=0x%04x INTM=0",
(unsigned long long)reted_count,
s->pc, ra, s->sp);
}
return consumed + s->lk_used;
}
if (op == 0xF69B) {
/* RETFD — fast return, delayed (no INTM change). */
uint16_t ra = data_read(s, s->sp); s->sp++;
s->delayed_pc = ra;
s->delay_slots = 2;
return consumed + s->lk_used;
}
if (op == 0xF6E2 || op == 0xF6E3) {
/* BACCD A / CALAD A — delayed branch/call to acc(low).
* 1-word op + 2 delay slots. CALAD pushes PC+3 (skip op +
* 2 delay slots) per TI convention (cf. CALLD which pushes
* PC+4 for its 2-word form). Branch is armed via the
* delayed_pc/delay_slots mechanism so the 2 slots run
* before PC commits to tgt. */
uint16_t tgt = (uint16_t)(s->a & 0xFFFF);
bool is_call = (op == 0xF6E3);
static uint64_t bcd_total;
bcd_total++;
/* Pre-load context: dump the 8 words preceding PC (in OVLY
* the executor reads from DARAM, mirror that). Lets us see
* which LD/MAR sequence was supposed to put a valid target
* in A before the CALAD/BACCD. */
int pre_ovly = (s->pmst & PMST_OVLY) && s->pc >= 0x80 && s->pc < 0x2800;
uint16_t pre[8];
for (int i = 0; i < 8; i++) {
uint16_t a = (uint16_t)(s->pc - 8 + i);
pre[i] = pre_ovly ? s->data[a] : s->prog[a];
}
if (bcd_total <= 60 || (bcd_total % 5000) == 0) {
C54_LOG("BCD/CAD F6E%c #%llu PC=0x%04x tgt=0x%04x A=%010llx SP=0x%04x DP=0x%03x mem[%c PC-8..-1]=%04x %04x %04x %04x %04x %04x %04x %04x%s",
is_call ? '3' : '2',
(unsigned long long)bcd_total,
s->pc, tgt,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
s->sp,
(s->st0 & 0x1FF),
pre_ovly ? 'D' : 'P',
pre[0], pre[1], pre[2], pre[3],
pre[4], pre[5], pre[6], pre[7],
is_call ? " CALAD" : " BACCD");
}
if (is_call) {
uint16_t ret_pc = (uint16_t)(s->pc + 3);
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, ret_pc);
}
s->delayed_pc = tgt;
s->delay_slots = 2;
return consumed + s->lk_used;
}
if (op == 0xF6E4 || op == 0xF6E5) {
/* FRETD / FRETED — far return, delayed.
* Pop XPC + PC unconditionally (FL_FAR). FRETED also clears INTM.
* 2026-04-28 — fixed: was APTS-gated (= AVIS, no stack semantics). */
s->xpc = data_read(s, s->sp); s->sp++;
if (s->xpc > 3) s->xpc &= 3;
uint16_t ra = data_read(s, s->sp); s->sp++;
if (op == 0xF6E5) s->st1 &= ~ST1_INTM;
s->delayed_pc = ra;
s->delay_slots = 2;
return consumed + s->lk_used;
}
if (op == 0xF6E6 || op == 0xF6E7) {
/* FBACCD A / FCALAD A — far delayed branch/call to A.
* A(22:16) → XPC, A(15:0) → tgt. XPC update is immediate
* (mirrors FRETED at line ~1639). FCALAD pushes ret PC+3,
* and (when APTS) pushes XPC first (so RETF/FRETD pops in
* order). 2 delay slots. */
uint16_t tgt = (uint16_t)(s->a & 0xFFFF);
uint8_t new_xpc = (uint8_t)((s->a >> 16) & 0xFF);
if (new_xpc > 3) new_xpc &= 3;
bool is_call = (op == 0xF6E7);
static uint64_t fbcd_total;
fbcd_total++;
if (fbcd_total <= 10 || (fbcd_total % 5000) == 0) {
C54_LOG("FBCD/FCAD F6E%c #%llu PC=0x%04x tgt=0x%04x newXPC=%u A=%010llx SP=0x%04x%s",
is_call ? '7' : '6',
(unsigned long long)fbcd_total,
s->pc, tgt, new_xpc,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
s->sp,
is_call ? " FCALAD" : " FBACCD");
}
if (is_call) {
/* FCALAD (F6E7): push XPC + return PC unconditionally (FL_FAR).
* 2026-04-28 — fixed: was APTS-gated (= AVIS, no stack semantics). */
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, s->xpc);
uint16_t ret_pc = (uint16_t)(s->pc + 3);
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, ret_pc);
}
s->xpc = new_xpc;
s->delayed_pc = tgt;
s->delay_slots = 2;
return consumed + s->lk_used;
}
if (sub >= 0x8) {
/* F68x-F6Fx: MVDD Xmem, Ymem — dual data-memory operand move
* Encoding: 1111 0110 XXXX YYYY
* bit 7 = Xmod (0=inc, 1=dec)
* bits 6:4 = Xar (source AR register)
* bit 3 = Ymod (0=inc, 1=dec)
* bits 2:0 = Yar (dest AR register) */
int xar = (op >> 4) & 0x07;
int yar = op & 0x07;
uint16_t val = data_read(s, s->ar[xar]);
data_write(s, s->ar[yar], val);
if ((op >> 7) & 1) s->ar[xar]--; else s->ar[xar]++;
if ((op >> 3) & 1) s->ar[yar]--; else s->ar[yar]++;
return consumed + s->lk_used;
}
/* Other F6xx: treat as NOP for now */
return consumed + s->lk_used;
}
/* F5xx: SSBX or RPT #k */
if (hi8 == 0xF5) {
/* F5Bx: SSBX -- set bit in ST0 (bit 9=0, bit 8=1).
* Per tic54x-opc.c: SSBX 0xF5B0 mask 0xFDF0. */
if ((op & 0xFFF0) == 0xF5B0) {
int bit = op & 0x0F;
s->st0 |= (1 << bit);
return consumed + s->lk_used;
}
/* Note: 0xF5E2/F5E3 (BACC B / CALA B) are handled earlier alongside
* their F4 counterparts, so they never reach this F5xx block. */
/* RPT #k (short immediate) — kept as fallback, must advance PC. */
s->rpt_count = op & 0xFF;
s->rpt_active = true;
s->pc += 1;
return 0;
}
/* DIAG: log F7xx executions before the (buggy) LD #k8 dispatch.
* Per tic54x-opc.c the F7xx range contains SSBX ST1 (0xF7Bx) and
* other instructions, NOT LD #k8 (which is at E800-E9FF).
* Caps at 5 per distinct sub-opcode to avoid spam. */
if (hi8 == 0xF7) {
static int f7xx_seen[256] = {0};
int sub_idx = op & 0xFF;
if (++f7xx_seen[sub_idx] <= 100 || (f7xx_seen[sub_idx] % 1000) == 0) {
C54_LOG("F7xx EXEC op=0x%04x PC=0x%04x XPC=%d insn=%u",
op, s->pc, s->xpc, s->insn_count);
}
}
/* F7Bx: SSBX bit, ST1 (incl. SSBX INTM at F7BB).
* Per binutils tic54x-opc.c: opcode "ssbx" 0xF5B0 mask 0xFDF0,
* where bit 9 selects ST0 (0xF5Bx) vs ST1 (0xF7Bx).
* Symmetric counterpart of RSBX ST1 (F6Bx) handler above.
* MUST be tested before the F7xx LD #k8 dispatch (which is
* itself incorrect — per SPRU172C, LD #k8 lives at E800-E9FF). */
if ((op & 0xFFF0) == 0xF7B0) {
int bit = op & 0x0F;
bool is_intm = (bit == 11);
s->st1 |= (1 << bit);
if (is_intm)
C54_LOG("*** SSBX INTM (F7BB) *** PC=0x%04x ST1=0x%04x insn=%u",
s->pc, s->st1, s->insn_count);
return consumed + s->lk_used;
}
/* F7xx: LD/ST #k to various registers */
if (hi8 == 0xF7) {
uint8_t sub = (op >> 4) & 0xF;
uint16_t k = op & 0xFF;
switch (sub) {
case 0x0: /* F70x: LD #k8, ASM */
s->st1 = (s->st1 & ~ST1_ASM_MASK) | (k & ST1_ASM_MASK);
break;
case 0x1: /* F71x: LD #k8, AR0 */
s->ar[0] = k; break;
case 0x2: /* F72x: LD #k8, AR1 */
s->ar[1] = k; break;
case 0x3: s->ar[2] = k; break;
case 0x4: s->ar[3] = k; break;
case 0x5: s->ar[4] = k; break;
case 0x6: s->ar[5] = k; break;
case 0x7: s->ar[6] = k; break;
case 0x8: /* F78x: LD #k8, T */
s->t = (s->st1 & ST1_SXM) ? (uint16_t)(int8_t)k : k; break;
case 0x9: /* F79x: LD #k8, DP */
s->st0 = (s->st0 & ~ST0_DP_MASK) | (k & ST0_DP_MASK); break;
case 0xA: /* F7Ax: LD #k8, ARP */
s->st0 = (s->st0 & ~ST0_ARP_MASK) | ((k & 7) << ST0_ARP_SHIFT); break;
case 0xB: s->ar[7] = k; break; /* F7Bx: LD #k8, AR7 */
case 0xC: s->bk = k; break;
case 0xD: s->sp = k; break;
case 0xE: /* F7Ex: LD #k8, BRC */
s->brc = k; break;
case 0xF: /* F7Fx: LD #k8, ... */
break;
}
return consumed + s->lk_used;
}
/* F9xx encoding split per tic54x-opc.c:
* F900-F97F mask FF00 = CC pmad cond (NEAR conditional call)
* F980-F9FF mask FF80 = FCALL pmad (FAR call unconditional)
* The bit 7 of the opcode low byte distinguishes them. */
if (hi8 == 0xF9) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
/* FCALL FAR : push XPC + return PC unconditionally (FL_FAR).
* Per binutils tic54x-opc.c (fcall 0xF980 mask 0xFF80, FL_FAR)
* and SPRU172C: FAR call always saves XPC for FRET to restore.
* 2026-04-28 — fixed: was APTS-gated (= AVIS, no stack semantics).
* Old behavior caused 281 firmware FCALL FAR sites to push only PC,
* imbalanced with 142 FRET pop expecting both PC + XPC. */
if ((op & 0x80) != 0) {
uint8_t new_xpc = (op & 0x7F) & 0x03;
static uint64_t fcall_total;
fcall_total++;
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, s->xpc);
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, (uint16_t)(s->pc + 2));
if (fcall_total <= 30 || (fcall_total % 5000) == 0) {
C54_LOG("FCALL FAR #%llu PC=0x%04x → XPC=%u PC=0x%04x (was XPC=%u SP=0x%04x)",
(unsigned long long)fcall_total, s->pc,
new_xpc, op2, s->xpc, s->sp);
}
s->xpc = new_xpc;
s->pc = op2;
return 0;
}
uint8_t cond_code = (op >> 4) & 0xF;
uint8_t qual = op & 0xF;
bool take = false;
int64_t acc = (qual & 0x8) ? s->b : s->a;
switch (cond_code) {
case 0x0: take = true; break;
case 0x1: take = (acc < 0); break;
case 0x2: take = (acc <= 0); break;
case 0x3: take = (acc != 0); break;
case 0x4: take = (acc == 0); break;
case 0x5: take = (acc >= 0); break;
case 0x6: take = (acc > 0); break;
case 0x8: take = !!(s->st0 & ST0_TC); break;
case 0x9: take = !(s->st0 & ST0_TC); break;
case 0xA: take = !!(s->st0 & ST0_C); break;
case 0xB: take = !(s->st0 & ST0_C); break;
default: take = true; break;
}
if (take) {
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 2));
/* CC leak tracer */
{
static uint32_t cc_targets[64];
static uint32_t cc_counts[64];
static int cc_n = 0;
static uint32_t total_cc = 0;
bool found = false;
for (int i = 0; i < cc_n; i++) {
if (cc_targets[i] == op2) { cc_counts[i]++; found = true; break; }
}
if (!found && cc_n < 64) { cc_targets[cc_n] = op2; cc_counts[cc_n++] = 1; }
if ((++total_cc % 100) == 0) {
C54_LOG("F9xx CC TOP TARGETS (SP=0x%04x total=%u):", s->sp, total_cc);
for (int i = 0; i < cc_n && i < 10; i++)
C54_LOG(" CC→0x%04x count=%u", cc_targets[i], cc_counts[i]);
}
}
s->pc = op2;
return 0;
}
return consumed + s->lk_used;
}
/* FAxx encoding split per tic54x-opc.c:
* FA80-FAFF mask FF80 = FBD pmad (FAR branch delayed)
* FA00-FA7F = various NEAR delayed ops (treated as branch). */
if (hi8 == 0xFA) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
if ((op & 0x80) != 0) {
/* FBD FAR delayed branch — XPC change, no push */
uint8_t new_xpc = (op & 0x7F) & 0x03;
static uint64_t fbd_total;
fbd_total++;
if (fbd_total <= 30 || (fbd_total % 5000) == 0) {
C54_LOG("FBD FAR #%llu PC=0x%04x → XPC=%u PC=0x%04x (was XPC=%u, delayed 2 slots)",
(unsigned long long)fbd_total, s->pc,
new_xpc, op2, s->xpc);
}
s->xpc = new_xpc;
s->delayed_pc = op2;
s->delay_slots = 2;
return consumed + s->lk_used;
}
/* NEAR FAxx fallback: simplified treat as branch */
s->pc = op2;
return 0;
}
/* FBxx encoding split per tic54x-opc.c:
* FB80-FBFF mask FF80 = FCALLD pmad (FAR call delayed)
* FB00-FB7F mask FF00 = CCD pmad cond (NEAR conditional call delayed) */
if (hi8 == 0xFB) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
/* FCALLD FAR : push XPC + return PC+4 unconditionally (FL_FAR delayed).
* Per binutils (fcalld 0xFB80 mask 0xFF80, FL_FAR|FL_DELAY).
* 2026-04-28 — fixed: was APTS-gated (= AVIS, no stack semantics). */
if ((op & 0x80) != 0) {
uint8_t new_xpc = (op & 0x7F) & 0x03;
static uint64_t fcalld_total;
fcalld_total++;
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, s->xpc);
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, (uint16_t)(s->pc + 4));
if (fcalld_total <= 30 || (fcalld_total % 5000) == 0) {
C54_LOG("FCALLD FAR #%llu PC=0x%04x → XPC=%u PC=0x%04x (was XPC=%u SP=0x%04x, delayed)",
(unsigned long long)fcalld_total, s->pc,
new_xpc, op2, s->xpc, s->sp);
}
s->xpc = new_xpc;
s->delayed_pc = op2;
s->delay_slots = 2;
return consumed + s->lk_used;
}
uint8_t cond_code = (op >> 4) & 0xF;
uint8_t qual = op & 0xF;
bool take = false;
int64_t acc = (qual & 0x8) ? s->b : s->a;
switch (cond_code) {
case 0x0: take = true; break;
case 0x1: take = (acc < 0); break;
case 0x2: take = (acc <= 0); break;
case 0x3: take = (acc != 0); break;
case 0x4: take = (acc == 0); break;
case 0x5: take = (acc >= 0); break;
case 0x6: take = (acc > 0); break;
case 0x8: take = !!(s->st0 & ST0_TC); break;
case 0x9: take = !(s->st0 & ST0_TC); break;
case 0xA: take = !!(s->st0 & ST0_C); break;
case 0xB: take = !(s->st0 & ST0_C); break;
default: take = true; break;
}
if (take) {
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 4)); /* past CCD + 2 delay slots */
s->pc = op2;
return 0;
}
return consumed + s->lk_used;
}
/* FCxx: LD #k, 16, B */
/* FCxx: RC cond / RET -- return conditional (1-word).
* Per tic54x-opc.c: RET=0xFC00, RC=0xFC00 mask 0xFF00. */
if (hi8 == 0xFC) {
uint8_t cc = op & 0xFF;
bool cond = false;
/* Evaluate condition per tic54x-opc.c encoding:
* CC1=0x40: accumulator test, CCB=0x08: use B (else A)
* EQ=0x05, NEQ=0x04, LT=0x03, LEQ=0x07, GT=0x06, GEQ=0x02
* OV=0x70, NOV=0x60, TC=0x30, NTC=0x20, C=0x0C, NC=0x08 */
if (cc == 0x00) cond = true; /* UNC */
else if (cc & 0x40) {
/* Accumulator condition */
int64_t acc = (cc & 0x08) ? sext40(s->b) : sext40(s->a);
uint8_t test = cc & 0x07;
bool ov = (cc & 0x08) ? (s->st0 & (1<<9)/*OVB*/) : (s->st0 & (1<<8)/*OVA*/);
if ((cc & 0x70) == 0x70) cond = ov; /* AOV/BOV */
else if ((cc & 0x70) == 0x60) cond = !ov; /* ANOV/BNOV */
else {
switch (test) {
case 0x05: cond = (acc == 0); break; /* EQ */
case 0x04: cond = (acc != 0); break; /* NEQ */
case 0x03: cond = (acc < 0); break; /* LT */
case 0x07: cond = (acc <= 0); break; /* LEQ */
case 0x06: cond = (acc > 0); break; /* GT */
case 0x02: cond = (acc >= 0); break; /* GEQ */
default: cond = true; break;
}
}
}
else if ((cc & 0x30) == 0x30) cond = (s->st0 & ST0_TC) != 0; /* TC */
else if ((cc & 0x30) == 0x20) cond = !(s->st0 & ST0_TC); /* NTC */
else if ((cc & 0x0C) == 0x0C) cond = (s->st0 & ST0_C) != 0; /* C */
else if ((cc & 0x0C) == 0x08) cond = !(s->st0 & ST0_C); /* NC */
else cond = true; /* unknown: take it */
if (cond) {
uint16_t ra = data_read(s, s->sp); s->sp++;
{
static int rc_log = 0;
if (rc_log < 50)
C54_LOG("RC/RET PC=0x%04x cc=0x%02x -> ra=0x%04x SP=0x%04x",
s->pc, cc, ra, s->sp);
rc_log++;
}
/* POST-BOOTSTUB-RET : si on est en train de RET depuis le
* boot stub (PC ∈ 0x0000..0x0008), c'est la sortie du
* task-switch trampoline 0x701b/0x701d → 0x0000. Le ra
* poppé est le PC du task qui prend le contrôle. À insn≈90.2M
* (dernière transition INTM), ce PC = le task qui ne clear
* jamais INTM ensuite. */
if (s->pc <= 0x0008) {
static unsigned bsr;
bsr++;
if (bsr <= 200 || (bsr % 50) == 0) {
fprintf(stderr,
"[c54x] POST-BOOTSTUB-RET #%u PC=0x%04x -> task=0x%04x "
"SP_new=0x%04x B=0x%010llx INTM=%d insn=%u\n",
bsr, s->pc, ra, s->sp,
(unsigned long long)(s->b & 0xFFFFFFFFFFULL),
!!(s->st1 & ST1_INTM), s->insn_count);
}
}
s->pc = ra;
return 0;
}
return consumed + s->lk_used;
}
/* FDxx: LD #k, A (no shift) */
if (hi8 == 0xFD) {
int8_t k = (int8_t)(op & 0xFF);
s->a = sext40((int64_t)k);
return consumed + s->lk_used;
}
/* FExx: RCD cond / RETD -- return conditional delayed (1-word).
* Per tic54x-opc.c: RETD=0xFE00, RCD=0xFE00 mask 0xFF00.
* Simplified: immediate return (delay slots skipped). */
if (hi8 == 0xFE) {
uint8_t cc = op & 0xFF;
bool cond = false;
/* Evaluate condition per tic54x-opc.c encoding:
* CC1=0x40: accumulator test, CCB=0x08: use B (else A)
* EQ=0x05, NEQ=0x04, LT=0x03, LEQ=0x07, GT=0x06, GEQ=0x02
* OV=0x70, NOV=0x60, TC=0x30, NTC=0x20, C=0x0C, NC=0x08 */
if (cc == 0x00) cond = true; /* UNC */
else if (cc & 0x40) {
/* Accumulator condition */
int64_t acc = (cc & 0x08) ? sext40(s->b) : sext40(s->a);
uint8_t test = cc & 0x07;
bool ov = (cc & 0x08) ? (s->st0 & (1<<9)/*OVB*/) : (s->st0 & (1<<8)/*OVA*/);
if ((cc & 0x70) == 0x70) cond = ov; /* AOV/BOV */
else if ((cc & 0x70) == 0x60) cond = !ov; /* ANOV/BNOV */
else {
switch (test) {
case 0x05: cond = (acc == 0); break; /* EQ */
case 0x04: cond = (acc != 0); break; /* NEQ */
case 0x03: cond = (acc < 0); break; /* LT */
case 0x07: cond = (acc <= 0); break; /* LEQ */
case 0x06: cond = (acc > 0); break; /* GT */
case 0x02: cond = (acc >= 0); break; /* GEQ */
default: cond = true; break;
}
}
}
else if ((cc & 0x30) == 0x30) cond = (s->st0 & ST0_TC) != 0; /* TC */
else if ((cc & 0x30) == 0x20) cond = !(s->st0 & ST0_TC); /* NTC */
else if ((cc & 0x0C) == 0x0C) cond = (s->st0 & ST0_C) != 0; /* C */
else if ((cc & 0x0C) == 0x08) cond = !(s->st0 & ST0_C); /* NC */
else cond = true; /* unknown: take it */
if (cond) {
/* RCD is *delayed*: per SPRU172C the next 2 instructions
* after RCD execute before the return takes effect. The
* old "skip delay slots" implementation broke FB-detection
* because slots like `LD #0, B` at PROM0 0x75ea were never
* run, leaving accumulator state stale and the dispatcher
* at 0x7700 looping forever.
*
* Fix: arm the existing delayed_pc/delay_slots machinery —
* pop the return address now, advance PC normally so the
* next 2 instructions execute as delay slots, then the
* main loop forces PC = delayed_pc. */
uint16_t ra = data_read(s, s->sp); s->sp++;
s->delayed_pc = ra;
s->delay_slots = 2;
{
static int rcd_log = 0;
if (rcd_log < 50)
C54_LOG("RCD/RETD PC=0x%04x cc=0x%02x -> ra=0x%04x SP=0x%04x (delayed)",
s->pc, cc, ra, s->sp);
rcd_log++;
}
return consumed + s->lk_used;
}
return consumed + s->lk_used;
}
/* FFxx is XC 2,cond — handled above with FDxx. No ADD here. */
goto unimpl;
case 0xE:
/* Exxxx: single-word ALU, status, misc */
/* CMPS src, Smem — Compare, Select, and Store (Viterbi)
* Encoding: 1110 00SD IAAAAAAA (1 word)
* Per SPRU172C p.4-35: if |A(32-16)| >= |Smem| then TC=1,
* TRN = (TRN<<1)|1, dst=A; else TC=0, TRN=(TRN<<1), dst=Smem<<16 */
if ((op & 0xFC00) == 0xE000) {
int src_s = (op >> 9) & 1;
int dst_d = (op >> 8) & 1;
addr = resolve_smem(s, op, &ind);
uint16_t val = data_read(s, addr);
int64_t acc = src_s ? s->b : s->a;
int32_t ah = (int32_t)((acc >> 16) & 0xFFFF);
if (ah < 0) ah = -ah;
int32_t sv = (int16_t)val;
if (sv < 0) sv = -sv;
s->trn <<= 1;
if (ah >= sv) {
s->st0 |= ST0_TC;
s->trn |= 1;
} else {
s->st0 &= ~ST0_TC;
int64_t nv = (int64_t)(int16_t)val << 16;
if (dst_d) s->b = sext40(nv); else s->a = sext40(nv);
}
return consumed + s->lk_used;
}
if ((op & 0xFE00) == 0xEA00) {
/* EAxx: LD #k9, DP — Load Data Page pointer (1-word).
* Per tic54x-opc.c: ld 0xEA00 mask 0xFE00, 1 word. */
uint16_t k9 = op & 0x01FF;
uint16_t old_dp = s->st0 & ST0_DP_MASK;
s->st0 = (s->st0 & ~ST0_DP_MASK) | k9;
{
static uint64_t dpc;
dpc++;
if (dpc <= 80 || (dpc % 5000) == 0 || k9 == 0x83) {
C54_LOG("DP-SET EAxx #%llu PC=0x%04x DP 0x%03x → 0x%03x %s",
(unsigned long long)dpc, s->pc,
old_dp, k9,
k9 == 0x83 ? "*** 0x83 (CALAD-zone base 0x4180) ***" : "");
}
}
return consumed + s->lk_used;
}
if (hi8 == 0xEC) {
/* ECxx: RPT #k8u — repeat next instruction k8u+1 times.
* Per tic54x-opc.c: rpt 0xEC00 mask 0xFF00, single word.
* Must advance PC past RPT now and return 0 so the dispatcher
* re-executes the NEXT instruction (not RPT itself). */
s->rpt_count = op & 0xFF;
s->rpt_active = true;
s->pc += 1;
return 0;
}
if (hi8 == 0xE5) {
/* E5xx: MVDD Xmem, Ymem (per tic54x-opc.c, NOT MVMM)
* 1-word, 2-cycle dual-operand data-to-data move:
* *Ymem = *Xmem
* Per tic54x.h:
* XMEM = (op & 0xF0) >> 4
* YMEM = op & 0x0F
* XMOD/YMOD = (nibble & 0xC) >> 2 (0=*AR,1=*AR-,2=*AR+,3=*AR+0%)
* XARX/YARX = (nibble & 0x3) + 2 (AR2..AR5 only) */
uint8_t xnib = (op >> 4) & 0xF;
uint8_t ynib = op & 0xF;
int xar = (xnib & 0x3) + 2;
int yar = (ynib & 0x3) + 2;
int xmod = (xnib & 0xC) >> 2;
int ymod = (ynib & 0xC) >> 2;
uint16_t xa = s->ar[xar];
uint16_t ya = s->ar[yar];
uint16_t v = data_read(s, xa);
data_write(s, ya, v);
/* Post-modify both ARs per their mod field */
switch (xmod) {
case 0: break; /* *AR */
case 1: s->ar[xar] = xa - 1; break; /* *AR- */
case 2: s->ar[xar] = xa + 1; break; /* *AR+ */
case 3: s->ar[xar] = xa + s->ar[0]; break; /* *AR+0% (no circular here) */
}
switch (ymod) {
case 0: break;
case 1: s->ar[yar] = ya - 1; break;
case 2: s->ar[yar] = ya + 1; break;
case 3: s->ar[yar] = ya + s->ar[0]; break;
}
return consumed + s->lk_used;
}
if (hi8 == 0xE4) {
/* E4xx: BITF Smem, #lk (2-word) or BIT Smem, bit */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint16_t val = data_read(s, addr);
s->st0 = (val & op2) ? (s->st0 | ST0_TC) : (s->st0 & ~ST0_TC);
return consumed + s->lk_used;
}
if (hi8 == 0xE7) {
/* E7xx: MVMM mmrx, mmry (per tic54x-opc.c)
* 1-word, 2-cycle, MMR-to-MMR move using a constrained set
* (MMRX/MMRY operand types). */
int src = (op >> 4) & 0xF;
int dst = op & 0xF;
uint16_t val;
if (src <= 7) val = s->ar[src];
else if (src == 8) val = s->sp;
else val = data_read(s, src + 0x10);
if (dst <= 7) s->ar[dst] = val;
else if (dst == 8) s->sp = val;
else data_write(s, dst + 0x10, val);
return consumed + s->lk_used;
}
if (hi8 == 0xE8 || hi8 == 0xE9) {
/* E8xx/E9xx: LD #k8u, dst — Load 8-bit unsigned immediate (1-word).
* Per tic54x-opc.c: ld 0xE800 mask 0xFE00.
* bit 8 = dst (0=A, 1=B), bits 7:0 = k8u.
* NOTE: This was previously decoded as CC (conditional call, 2-word)
* which caused stack overflow by pushing return addresses in a loop. */
int dst = (op >> 8) & 1;
uint8_t k = op & 0xFF;
int64_t v = (s->st1 & ST1_SXM) ? (int64_t)(int8_t)k : (int64_t)k;
if (dst) s->b = sext40(v << 16);
else s->a = sext40(v << 16);
return consumed + s->lk_used;
}
if (hi8 == 0xE1) {
/* E1xx: single-word acc ops — NEG, ABS, CMPL, SAT, EXP, etc. */
uint8_t sub = op & 0xFF;
switch (sub) {
case 0xE0: s->a = ~s->a; s->a = sext40(s->a); break; /* CMPL A */
case 0xE1: s->b = ~s->b; s->b = sext40(s->b); break; /* CMPL B */
case 0xE2: s->a = -s->a; s->a = sext40(s->a); break; /* NEG A */
case 0xE3: s->b = -s->b; s->b = sext40(s->b); break; /* NEG B */
case 0xE4: /* SAT A */ if (s->st0 & ST0_OVA) s->a = (s->a < 0) ? (int64_t)0xFF80000000LL : 0x7FFFFFFFLL; break;
case 0xE5: /* SAT B */ if (s->st0 & ST0_OVB) s->b = (s->b < 0) ? (int64_t)0xFF80000000LL : 0x7FFFFFFFLL; break;
case 0xE8: /* ABS A */ s->a = (s->a < 0) ? -s->a : s->a; s->a = sext40(s->a); break;
case 0xE9: /* ABS B */ s->b = (s->b < 0) ? -s->b : s->b; s->b = sext40(s->b); break;
case 0xEA: /* ROR A */ { uint16_t c = s->st0 & ST0_C ? 1 : 0; if (s->a & 1) s->st0 |= ST0_C; else s->st0 &= ~ST0_C; s->a = (s->a >> 1) | ((int64_t)c << 39); s->a = sext40(s->a); } break;
case 0xEB: /* ROL A */ { uint16_t c = s->st0 & ST0_C ? 1 : 0; if (s->a & ((int64_t)1<<39)) s->st0 |= ST0_C; else s->st0 &= ~ST0_C; s->a = (s->a << 1) | c; s->a = sext40(s->a); } break;
default:
/* EXP A/B etc — return 0 for now */
break;
}
return consumed + s->lk_used;
}
if (hi8 == 0xEF) {
/* EFxx: RPTZ dst, #lk — Zero accumulator and repeat (2 words)
* Per SPRU172C: dst = 0; RPT #lk
* Encoding: 1110 1111 xxxx xxxx + lk_word */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int rptz_dst = (op >> 0) & 1;
if (rptz_dst) s->b = 0; else s->a = 0;
s->rpt_count = op2;
s->rpt_active = true;
s->pc += 2;
return 0;
}
if (hi8 == 0xEB) {
/* EBxx: RPTB[D] pmad — Block repeat (2 words)
* Per SPRU172C: REA = pmad, RSA = PC+2, BRAF=1 */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->rea = op2;
s->rsa = (uint16_t)(s->pc + 2);
s->rptb_active = true;
s->st1 |= ST1_BRAF;
return consumed + s->lk_used;
}
if (hi8 == 0xE6) {
/* E6xx: SFTA/SFTL acc, #shift (single-word immediate shift) */
int shift = op & 0x1F;
if (shift & 0x10) shift |= ~0x1F; /* sign extend 5-bit */
int dst = (op >> 5) & 1;
int logical = (op >> 6) & 1;
int64_t *acc = dst ? &s->b : &s->a;
if (logical) {
uint64_t u = (uint64_t)(*acc) & 0xFFFFFFFFFFULL;
if (shift >= 0) *acc = sext40((int64_t)(u << shift));
else *acc = sext40((int64_t)(u >> (-shift)));
} else {
if (shift >= 0) *acc = sext40(*acc << shift);
else *acc = sext40(*acc >> (-shift));
}
return consumed + s->lk_used;
}
if (hi8 == 0xEE) {
/* EExx: BCD pmad, cond (conditional delayed branch, 2 words) */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint8_t cond = op & 0xFF;
bool take = false;
if (cond == 0x03) take = (s->a == 0);
else if (cond == 0x0B) take = (s->b == 0);
else if (cond == 0x02) take = (s->a != 0);
else if (cond == 0x0A) take = (s->b != 0);
else if (cond == 0x00) take = true; /* UNC */
else if (cond == 0x08) take = (s->b < 0);
else if (cond == 0x04) take = (s->a > 0);
else if (cond == 0x0C) take = (s->b > 0);
else if (cond == 0x40) take = (s->st0 & ST0_TC) != 0;
else if (cond == 0x41) take = !(s->st0 & ST0_TC);
else if (cond == 0x20) take = (s->st0 & ST0_C) != 0;
else if (cond == 0x21) take = !(s->st0 & ST0_C);
else if ((cond & 0x3A) == 0x3A) take = true; /* unconditional-ish */
else take = true;
if (take) { s->pc = op2; return 0; }
return consumed + s->lk_used;
}
if ((op & 0xFFE0) == 0xED00) {
/* ED00-ED1F: LD #k5, ASM — load 5-bit immediate into ASM field of ST1.
* Per tic54x-opc.c: ld 0xED00 mask 0xFFE0, 1 word.
* NOT BCD (which is 0xFA00 mask 0xFF00). */
uint8_t k5 = op & 0x1F;
s->st1 = (s->st1 & ~ST1_ASM_MASK) | k5;
return consumed + s->lk_used;
}
if (hi8 == 0xED) {
/* EDxx (not ED00-ED1F): BCD pmad, cond (conditional branch delayed, 2 words) */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint8_t cond = op & 0xFF;
bool take = false;
if (cond == 0x00) take = true; /* UNC */
else if (cond == 0x08) take = (s->b < 0);
else if (cond == 0x02) take = (s->a != 0);
else if (cond == 0x0A) take = (s->b != 0);
else if (cond == 0x03) take = (s->a == 0);
else if (cond == 0x0B) take = (s->b == 0);
else if (cond == 0x04) take = (s->a > 0);
else if (cond == 0x0C) take = (s->b > 0);
else if (cond == 0x40) take = (s->st0 & ST0_TC) != 0;
else if (cond == 0x41) take = !(s->st0 & ST0_TC);
else take = true;
if (take) { s->pc = op2; return 0; }
return consumed + s->lk_used;
}
goto unimpl;
case 0x6: case 0x7:
/* 7Exx: READA Smem — read prog[A_low] → data[Smem]
* Per tic54x-opc.c: reada 0x7E00 mask 0xFF00 (1 word).
* Under RPT, the prog address auto-increments each iteration;
* accumulator A is preserved (we mirror via mvpd_src state). */
if (hi8 == 0x7E) {
addr = resolve_smem(s, op, &ind);
uint16_t psrc = s->rpt_active ? s->mvpd_src : (uint16_t)(s->a & 0xFFFF);
uint16_t v = prog_read(s, psrc);
data_write(s, addr, v);
s->mvpd_src = psrc + 1;
{ static int reada_log = 0; if (reada_log++ < 20)
C54_LOG("READA: prog[0x%04x]=0x%04x → data[0x%04x] PC=0x%04x rpt=%d insn=%u",
psrc, v, addr, s->pc, s->rpt_count, s->insn_count); }
return consumed + s->lk_used;
}
/* 7Fxx: WRITA Smem — write data[Smem] → prog[A_low] (mirror of READA) */
if (hi8 == 0x7F) {
addr = resolve_smem(s, op, &ind);
uint16_t pdst = s->rpt_active ? s->mvpd_src : (uint16_t)(s->a & 0xFFFF);
prog_write(s, pdst, data_read(s, addr));
s->mvpd_src = pdst + 1;
return consumed + s->lk_used;
}
/* 6Dxx: MAR Smem — modify address register (side effects only) */
if (hi8 == 0x6D) {
addr = resolve_smem(s, op, &ind);
/* MAR only modifies AR via addressing mode, no data access */
return consumed + s->lk_used;
}
/* 76xx: ST #lk, Smem (2 or 3 words) — store 16-bit literal to data
* memory. Per binutils tic54x-opc.c {st, 2,2,2, 0x7600, 0xFF00,
* {OP_lk, OP_Smem}} and tic54x-dis.c get_insn_size = words +
* has_lkaddr (extra word when Smem mode in 0xC..0xF).
*
* Encoding (verified via tic54x-dis.c:192-204):
* word 0 = opcode (0x76xx)
* word 1 = lkaddr (Smem extension, only if mode in 0xC..0xF)
* word N = opcode2 (the #lk value being stored, last extension)
*
* Was previously misdecoded as LDM MMR,dst (1 word) — copy/paste
* of the wrong mnemonic. The real LDM is 0x48xx mask 0xFE00,
* already correctly handled in the 0x4 group. Misdecoding caused
* PC to advance by 1 instead of 2-3 ; the literal then executed
* as a stray opcode. In particular the 0x4F00 (DST B,Lmem with
* DP=0 → MMR_IMR) stray write zeroed IMR forever, masking
* INT3+BRINT0 → DSP parked in RPTB at e9ab..e9b6 awaiting a
* frame interrupt that was never serviced. Fix 2026-05-08. */
if (hi8 == 0x76) {
static unsigned hit76_log;
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
consumed = 2;
if (hit76_log++ < 30) {
fprintf(stderr,
"[c54x] HIT-76 PC=0x%04x op=0x%04x addr=0x%04x "
"lk=0x%04x lk_used=%d insn=%u\n",
s->pc, op, addr, op2, s->lk_used, s->insn_count);
}
data_write(s, addr, op2);
return consumed + s->lk_used;
}
/* 77xx: STM #lk, MMR (2 words) */
if (hi8 == 0x77) {
uint8_t mmr = op & 0x7F;
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
/* WATCH-ST1-WRITE : MMR 0x07 = ST1. Capture toutes les
* écritures de ST1 (STM #lk, ST1) — incluant celles qui
* ne changent pas la valeur d'INTM mais redéfinissent
* tout le mot ST1. Sortie : valeur écrite, bit 11 (INTM),
* delta vs current ST1. Cap 200 entries pour boot, puis
* sample 1/100. */
if (mmr == 0x07) {
static unsigned st1w;
st1w++;
if (st1w <= 200 || (st1w % 100) == 0) {
int new_intm = !!(op2 & (1 << 11));
int cur_intm = !!(s->st1 & ST1_INTM);
fprintf(stderr,
"[c54x] ST1-WR #%u STM #0x%04x,ST1 PC=0x%04x "
"cur=0x%04x->0x%04x INTM:%d->%d insn=%u XPC=%d\n",
st1w, op2, s->pc, s->st1, op2,
cur_intm, new_intm, s->insn_count, s->xpc);
}
}
data_write(s, mmr, op2);
return consumed + s->lk_used;
}
/* LD / ST operations */
if ((op & 0xF800) == 0x7000) {
/* 70xx: STL src, Smem */
int src_acc = (op >> 9) & 1;
addr = resolve_smem(s, op, &ind);
int64_t acc = src_acc ? s->b : s->a;
data_write(s, addr, (uint16_t)(acc & 0xFFFF));
return consumed + s->lk_used;
}
if ((op & 0xF800) == 0x7800) {
/* 78xx-7Fxx: STH src, Smem
* Note: BANZ (0x78xx per doc) shares this range but is handled
* via F84x (BANZ with condition) in the F8xx group. */
int src_acc = (op >> 9) & 1;
addr = resolve_smem(s, op, &ind);
int64_t acc = src_acc ? s->b : s->a;
data_write(s, addr, (uint16_t)((acc >> 16) & 0xFFFF));
return consumed + s->lk_used;
}
/* 0x6000-0x60FF: CMPM Smem, lk (compare memory with long immediate)
* Per tic54x-opc.c: { "cmpm", 2,2,2, 0x6000, 0xFF00 }
* Sets TC = (data[Smem] == lk).
*
* The DSP bootloader at PROM0 0xb41c / 0xb424 polls
* CMPM *(0x0fff), 4 → CMPM *(0x0fff), 2
* to wait for ARM-side BL_CMD_STATUS write. Without TC being set
* the subsequent BC NTC always branches back, looping forever.
* Was previously folded into the generic 0x6000-0x67FF "LD" path
* which set the accumulator instead and never updated TC. */
if ((op & 0xFF00) == 0x6000) {
addr = resolve_smem(s, op, &ind);
uint16_t cmp_val = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
uint16_t mem_val = data_read(s, addr);
if (mem_val == cmp_val) s->st0 |= ST0_TC;
else s->st0 &= ~ST0_TC;
consumed = 2; /* opcode + cmp_val (smem extra lk added via lk_used) */
return consumed + s->lk_used;
}
/* 0x6100-0x61FF: BITF Smem, lk — bit-field test, TC = (Smem & lk)!=0 */
if ((op & 0xFF00) == 0x6100) {
addr = resolve_smem(s, op, &ind);
uint16_t mask = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
uint16_t mem_val = data_read(s, addr);
if (mem_val & mask) s->st0 |= ST0_TC;
else s->st0 &= ~ST0_TC;
consumed = 2;
return consumed + s->lk_used;
}
if ((op & 0xF800) == 0x6000) {
/* 60xx-67xx: LD Smem, dst (other variants — fallback) */
int dst_acc = (op >> 9) & 1;
int shift = (op >> 8) & 1;
addr = resolve_smem(s, op, &ind);
uint16_t val = data_read(s, addr);
int64_t v = (s->st1 & ST1_SXM) ? (int16_t)val : val;
if (shift) v <<= 16; /* LD Smem, 16, dst */
if (dst_acc) s->b = sext40(v); else s->a = sext40(v);
return consumed + s->lk_used;
}
/* 0x6800-0x6BFF + 0x6Cxx + 0x6Exx: companion to the 0x6F00 fix below.
* Per binutils tic54x-opc.c (verified against insn_template struct):
* 0x6800 ANDM #lk, Smem data[Smem] = data[Smem] & lk (2-word)
* 0x6900 ORM #lk, Smem data[Smem] = data[Smem] | lk (2-word)
* 0x6A00 XORM #lku, Smem data[Smem] = data[Smem] ^ lku (2-word)
* 0x6B00 ADDM #lk, Smem data[Smem] = data[Smem] + lk (2-word)
* 0x6C00 BANZ pmad, Sind if (ARx != 0) PC = pmad (2-word)
* 0x6E00 BANZD pmad, Sind same as BANZ but with 2 delay slots
*
* Without these, the fallback at (op & 0xF800) == 0x6800 below
* mis-decodes them all as LD Smem,T (1-word), causing PC drift +1
* word and the lk/pmad operand executing as parasitic instruction.
* 1259 (ANDM/ORM/XORM/ADDM) + 304 (BANZ/BANZD) = 1563 sites in ROM.
*
* 2026-04-28 — companion fix to 0x6F00 already inserted below.
* See doc/opcodes/0x68_0x6F.md for spec. */
if ((op & 0xFF00) == 0x6800) {
/* ANDM #lk, Smem */
addr = resolve_smem(s, op, &ind);
uint16_t lk = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
uint16_t v = data_read(s, addr);
data_write(s, addr, v & lk);
consumed = 2;
return consumed + s->lk_used;
}
if ((op & 0xFF00) == 0x6900) {
/* ORM #lk, Smem */
addr = resolve_smem(s, op, &ind);
uint16_t lk = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
uint16_t v = data_read(s, addr);
data_write(s, addr, v | lk);
consumed = 2;
return consumed + s->lk_used;
}
if ((op & 0xFF00) == 0x6A00) {
/* XORM #lku, Smem */
addr = resolve_smem(s, op, &ind);
uint16_t lku = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
uint16_t v = data_read(s, addr);
data_write(s, addr, v ^ lku);
consumed = 2;
return consumed + s->lk_used;
}
if ((op & 0xFF00) == 0x6B00) {
/* ADDM #lk, Smem — add signed lk to memory (wrap mod 2^16) */
addr = resolve_smem(s, op, &ind);
int16_t lk = (int16_t)prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
uint16_t v = data_read(s, addr);
data_write(s, addr, (uint16_t)((int16_t)v + lk));
consumed = 2;
/* TODO: TC/OVM/SXM flag effects per SPRU172C (verify) */
return consumed + s->lk_used;
}
if ((op & 0xFF00) == 0x6C00) {
/* BANZ pmad, Sind — branch if ARx (selected by ARF in op[2:0])
* is non-zero. Test on PRE-modify value; resolve_smem applies
* post-mod regardless of branch outcome. Previously read ARP
* from ST0 (the PREVIOUS instruction's nar) — wrong AR was
* tested. Cf resolve_smem comment for the off-by-ARP bug. */
int nar = op & 0x07;
uint16_t pre = s->ar[nar];
resolve_smem(s, op, &ind);
uint16_t pmad = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
consumed = 2;
if (pre != 0) {
s->pc = pmad;
return 0;
}
return consumed + s->lk_used;
}
if ((op & 0xFF00) == 0x6E00) {
/* BANZD pmad, Sind — delayed BANZ (2 slots after the 2-word op).
* Same off-by-ARP fix as BANZ above. */
int nar = op & 0x07;
uint16_t pre = s->ar[nar];
resolve_smem(s, op, &ind);
uint16_t pmad = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
consumed = 2;
if (pre != 0) {
s->delayed_pc = pmad;
s->delay_slots = 2;
}
return consumed + s->lk_used;
}
/* 0x6F00-0x6FFF: Extended ADD/SUB/LD/STH/STL Smem, SHIFT, DST/SRC (2-word).
* Per binutils tic54x-opc.c (verified against insn_template struct
* include/opcode/tic54x.h:85-150):
* word0 = 0x6F00 mask 0xFF00 (Smem in low 7 bits)
* word1 = sub-opcode in bits 7:5, SRC=bit 9, DST/SRC1=bit 8,
* SHIFT=signed 5-bit in bits 4:0
* bits 7:5 = 000 → ADD Smem,SHIFT,SRC,[DST]
* bits 7:5 = 001 → SUB Smem,SHIFT,SRC,[DST]
* bits 7:5 = 010 → LD Smem,SHIFT,DST
* bits 7:5 = 011 → STH SRC1,SHIFT,Smem
* bits 7:5 = 100 → STL SRC1,SHIFT,Smem
*
* Without this handler, the fallback at (op & 0xF800) == 0x6800 below
* mis-decodes 0x6Fxx as LD Smem,T (1-word), causing PC drift +1 word
* and the lk-side operand to be executed as parasitic instruction.
* 544 sites in firmware ROM. See doc/opcodes/0x68_0x6F.md for spec.
*
* 2026-04-28 — fix introduced for wedge at PC=0x8353 (CALAD A self-loop)
* caused by 0x6F07 0x0C41 mis-decoded → 0x0C41 executed as parasitic
* SUB Smem,TS,A → A_low=0xFFFA → A_low=0x8353 after subsequent ADD. */
if ((op & 0xFF00) == 0x6F00) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
int sub = (op2 >> 5) & 0x7;
int shift_raw = op2 & 0x1F;
int shift = (shift_raw & 0x10) ? (shift_raw - 32) : shift_raw;
int dst_b = (op2 >> 8) & 1; /* bit 8 = DST/SRC1 */
int src_b = (op2 >> 9) & 1; /* bit 9 = SRC (ADD/SUB only) */
consumed = 2;
switch (sub) {
case 0: { /* ADD Smem,SHIFT,SRC,[DST]: DST = SRC + (data[Smem]<<shift) */
uint16_t mv = data_read(s, addr);
int64_t v = (s->st1 & ST1_SXM) ? (int64_t)(int16_t)mv : (int64_t)mv;
v = (shift >= 0) ? (v << shift) : (v >> (-shift));
int64_t src = src_b ? s->b : s->a;
int64_t result = sext40(src + v);
if (dst_b) s->b = result; else s->a = result;
break;
}
case 1: { /* SUB Smem,SHIFT,SRC,[DST]: DST = SRC - (data[Smem]<<shift) */
uint16_t mv = data_read(s, addr);
int64_t v = (s->st1 & ST1_SXM) ? (int64_t)(int16_t)mv : (int64_t)mv;
v = (shift >= 0) ? (v << shift) : (v >> (-shift));
int64_t src = src_b ? s->b : s->a;
int64_t result = sext40(src - v);
if (dst_b) s->b = result; else s->a = result;
break;
}
case 2: { /* LD Smem,SHIFT,DST: DST = data[Smem] << shift (SXM-aware) */
uint16_t mv = data_read(s, addr);
int64_t v = (s->st1 & ST1_SXM) ? (int64_t)(int16_t)mv : (int64_t)mv;
v = (shift >= 0) ? (v << shift) : (v >> (-shift));
if (dst_b) s->b = sext40(v); else s->a = sext40(v);
break;
}
case 3: { /* STH SRC1,SHIFT,Smem: data[Smem] = (SRC1 high 16) << shift */
int64_t src = dst_b ? s->b : s->a;
int16_t high = (int16_t)((src >> 16) & 0xFFFF);
int64_t shifted = (shift >= 0) ? ((int64_t)high << shift)
: ((int64_t)high >> (-shift));
data_write(s, addr, (uint16_t)(shifted & 0xFFFF));
break;
}
case 4: { /* STL SRC1,SHIFT,Smem: data[Smem] = (SRC1 low) << shift */
int64_t src = dst_b ? s->b : s->a;
int64_t shifted = (shift >= 0) ? (src << shift) : (src >> (-shift));
data_write(s, addr, (uint16_t)(shifted & 0xFFFF));
break;
}
default:
{ static int unk6f = 0; if (unk6f++ < 10)
C54_LOG("0x6F unknown sub=%d op=0x%04x op2=0x%04x PC=0x%04x",
sub, op, op2, s->pc); }
break;
}
return consumed + s->lk_used;
}
if ((op & 0xF800) == 0x6800) {
/* DEAD CODE since 2026-04-28: all 0x68xx-0x6Fxx now intercepted
* by specific handlers above (ANDM/ORM/XORM/ADDM/BANZ/BANZD/
* extended-0x6F00) plus the existing 0x6Dxx MAR. This generic
* "LD Smem, T" fallback was the source of the 2107-site mass
* mis-dispatch that caused PC drift on every 0x68xx-0x6Fxx
* encounter. Kept here for safety in case a previously unseen
* sub-encoding slips through; if you ever see this trigger,
* the new handler above for the matching 0xNN00 prefix is
* incomplete. See doc/opcodes/0x68_0x6F.md. */
addr = resolve_smem(s, op, &ind);
s->t = data_read(s, addr);
return consumed + s->lk_used;
}
goto unimpl;
case 0x1: {
/* 1xxx: LD / LDU / LDR Smem, DST (per tic54x-opc.c, all mask FE00):
* 0x1000 LD Smem, DST — signed load (SXM-aware)
* 0x1200 LDU Smem, DST — unsigned load (zero-extend)
* 0x1400 LD Smem, TS, DST — load shifted by T low bits
* 0x1600 LDR Smem, DST — load with rounding
*
* Critical: bootloader at PROM0 0xb429 does `LDU *(0x0ffe), A`
* (op=0x12f8 + lk=0x0ffe) to read BL_ADDR_LO, then BACC A to that
* target. The previous "case 0x1: SUB" decoded this as a subtract,
* leaving A=0 and the BACC dropping into boot-stub NOPs. */
addr = resolve_smem(s, op, &ind);
int dst = (op >> 8) & 1;
int sub = (op >> 9) & 0x07; /* selects LD/LDU/LD,TS/LDR within case 1 */
uint16_t val = data_read(s, addr);
int64_t v;
switch (sub) {
case 0x0: /* 0x1000: LD Smem, DST — signed (SXM honoured) */
v = (s->st1 & ST1_SXM) ? (int16_t)val : (uint16_t)val;
break;
case 0x1: { /* 0x1200: LDU Smem, DST — always zero-extended */
v = (uint16_t)val;
break;
}
case 0x2: { /* 0x1400: LD Smem, TS, DST — shift by T[5:0] (signed) */
int8_t ts = (int8_t)((s->t & 0x3F) | ((s->t & 0x20) ? 0xC0 : 0));
int64_t base = (s->st1 & ST1_SXM) ? (int16_t)val : (uint16_t)val;
v = (ts >= 0) ? (base << ts) : (base >> -ts);
break;
}
case 0x3: { /* 0x1600: LDR Smem, DST — load with rounding (+0x8000) */
v = (s->st1 & ST1_SXM) ? (int16_t)val : (uint16_t)val;
v = (v << 16) + 0x8000;
v &= 0xFFFFFFFF0000LL; /* clear low 16 after rounding */
if (dst) s->b = sext40(v); else s->a = sext40(v);
return consumed + s->lk_used;
}
default:
v = (s->st1 & ST1_SXM) ? (int16_t)val : (uint16_t)val;
break;
}
if (dst) s->b = sext40(v); else s->a = sext40(v);
/* CALAD-zone LD trace: every LD/LDU/LDR that targets A while
* executing in DARAM near the CALAD cluster. Reveals what
* address/value is feeding A right before each CALAD A. */
if (dst == 0 && (s->pmst & PMST_OVLY) &&
s->pc >= 0x10b0 && s->pc < 0x1100) {
static uint64_t ldA_total;
ldA_total++;
if (ldA_total <= 60 || (ldA_total % 5000) == 0) {
C54_LOG("LD-A-TRACE #%llu PC=0x%04x op=0x%04x sub=%d addr=0x%04x val=0x%04x A_after=0x%04x DP=0x%03x",
(unsigned long long)ldA_total,
s->pc, op, sub, addr, val,
(uint16_t)(s->a & 0xFFFF),
(s->st0 & 0x1FF));
}
}
return consumed + s->lk_used;
}
case 0x0: {
/* 0xxx: ADD / ADDS / ADD,TS / SUB / SUBS / SUB,TS (mask FE00):
* 0x0000 ADD Smem, SRC1 (no shift, SXM honoured)
* 0x0200 ADDS Smem, SRC1 (no shift, zero-extended)
* 0x0400 ADD Smem, TS, SRC1
* 0x0800 SUB Smem, SRC1
* 0x0A00 SUBS Smem, SRC1
* 0x0C00 SUB Smem, TS, SRC1
* Previous handler always shifted by 16 — wrong for plain ADD/SUB.
*/
addr = resolve_smem(s, op, &ind);
int dst = (op >> 8) & 1;
int sub = (op >> 9) & 0x07; /* 0..7 */
uint16_t val = data_read(s, addr);
int64_t v;
bool is_sub = (sub & 0x4) != 0;
bool is_unsigned = (sub == 1 || sub == 5); /* ADDS / SUBS */
bool ts_shift = (sub == 2 || sub == 6); /* ,TS variants */
v = is_unsigned ? (uint16_t)val
: ((s->st1 & ST1_SXM) ? (int16_t)val : (uint16_t)val);
if (ts_shift) {
int8_t ts = (int8_t)((s->t & 0x3F) | ((s->t & 0x20) ? 0xC0 : 0));
v = (ts >= 0) ? (v << ts) : (v >> -ts);
}
if (is_sub) {
if (dst) s->b = sext40(s->b - v);
else s->a = sext40(s->a - v);
} else {
if (dst) s->b = sext40(s->b + v);
else s->a = sext40(s->a + v);
}
/* CALAD-zone ADD/SUB trace: same scope as LD-A-TRACE. */
if (dst == 0 && (s->pmst & PMST_OVLY) &&
s->pc >= 0x10b0 && s->pc < 0x1100) {
static uint64_t addA_total;
addA_total++;
if (addA_total <= 30 || (addA_total % 5000) == 0) {
C54_LOG("ADDSUB-A-TRACE #%llu PC=0x%04x op=0x%04x sub=%d addr=0x%04x val=0x%04x A_after=%010llx",
(unsigned long long)addA_total,
s->pc, op, sub, addr, val,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL));
}
}
return consumed + s->lk_used;
}
case 0x3:
/* 3xxx: MAC / MAS */
addr = resolve_smem(s, op, &ind);
{
int dst = (op >> 8) & 1;
uint16_t val = data_read(s, addr);
int64_t product = (int64_t)(int16_t)s->t * (int64_t)(int16_t)val;
if (s->st1 & ST1_FRCT) product <<= 1;
if (dst) s->b = sext40(s->b + product);
else s->a = sext40(s->a + product);
}
return consumed + s->lk_used;
case 0x2:
/* 2xxx: MPY, SQUR, MAS, MAC variants */
{
int sub = (op >> 8) & 0xF;
addr = resolve_smem(s, op, &ind);
uint16_t val = data_read(s, addr);
int64_t product;
int dst;
switch (sub) {
case 0x0: case 0x1: /* MPY Smem, A/B */
product = (int64_t)(int16_t)s->t * (int64_t)(int16_t)val;
if (s->st1 & ST1_FRCT) product <<= 1;
if (sub & 1) s->b = sext40(product);
else s->a = sext40(product);
return consumed + s->lk_used;
case 0x4: case 0x5: /* SQUR Smem, A/B */
product = (int64_t)(int16_t)val * (int64_t)(int16_t)val;
if (s->st1 & ST1_FRCT) product <<= 1;
s->t = val;
if (sub & 1) s->b = sext40(product);
else s->a = sext40(product);
return consumed + s->lk_used;
case 0x8: case 0x9: /* MPYA Smem (A = T * Smem, B += A) or variants */
product = (int64_t)(int16_t)s->t * (int64_t)(int16_t)val;
if (s->st1 & ST1_FRCT) product <<= 1;
if (sub & 1) { s->a += s->b; s->b = sext40(product); }
else { s->b += s->a; s->a = sext40(product); }
return consumed + s->lk_used;
case 0xA: case 0xB: /* MACA[R] Smem, A/B (A += B * Smem then B = T * Smem) */
dst = sub & 1;
product = (int64_t)(int16_t)s->t * (int64_t)(int16_t)val;
if (s->st1 & ST1_FRCT) product <<= 1;
if (dst) { s->a = sext40(s->a + s->b); s->b = sext40(product); }
else { s->b = sext40(s->b + s->a); s->a = sext40(product); }
s->t = val;
return consumed + s->lk_used;
default:
/* MAS variants and others */
product = (int64_t)(int16_t)s->t * (int64_t)(int16_t)val;
if (s->st1 & ST1_FRCT) product <<= 1;
dst = sub & 1;
if (dst) s->b = sext40(s->b - product);
else s->a = sext40(s->a - product);
return consumed + s->lk_used;
}
}
case 0x4:
/* 0x4xxx group — per binutils tic54x-opc.c:
* 0x40-0x43 SUB Smem,16,src[,dst] (mask 0xFC00)
* 0x44-0x45 LD Smem,16,dst (mask 0xFE00)
* 0x4600 LD Smem,DP (mask 0xFF00)
* 0x4700 RPT Smem (mask 0xFF00)
* 0x48-0x49 LDM MMR,dst (mask 0xFE00)
* 0x4A00 PSHM MMR (mask 0xFF00)
* 0x4B00 PSHD Smem (mask 0xFF00)
* 0x4C00 LTD Smem (mask 0xFF00)
* 0x4D00 DELAY Smem (mask 0xFF00)
* 0x4E-0x4F DST src,Lmem (mask 0xFE00) */
{
uint8_t op8 = hi8; /* (op >> 8) & 0xFF */
int dst_b = op8 & 0x01; /* bit8 = src/dst select (A=0, B=1) */
int64_t *acc_dst = dst_b ? &s->b : &s->a;
if (op8 >= 0x40 && op8 <= 0x43) {
/* SUB Smem << 16, src, dst — sub of shifted Smem from acc */
addr = resolve_smem(s, op, &ind);
int64_t val = (int64_t)(int16_t)data_read(s, addr) << 16;
*acc_dst = sext40(*acc_dst - val);
return consumed + s->lk_used;
}
if (op8 == 0x44 || op8 == 0x45) {
/* LD Smem << 16, dst */
addr = resolve_smem(s, op, &ind);
int64_t val = (int64_t)(int16_t)data_read(s, addr) << 16;
*acc_dst = sext40(val);
return consumed + s->lk_used;
}
if (op8 == 0x46) {
/* LD Smem, DP — load DP from low 9 bits of Smem */
addr = resolve_smem(s, op, &ind);
uint16_t val = data_read(s, addr);
s->st0 = (s->st0 & ~ST0_DP_MASK) | (val & ST0_DP_MASK);
return consumed + s->lk_used;
}
if (op8 == 0x47) {
/* RPT Smem — load BRC from mem[Smem] */
addr = resolve_smem(s, op, &ind);
uint16_t val = data_read(s, addr);
s->brc = val;
s->rpt_active = (val != 0);
return consumed + s->lk_used;
}
if (op8 == 0x48 || op8 == 0x49) {
/* LDM MMR, dst — load accumulator from a memory-mapped reg */
int mmr = op & 0x7F;
uint16_t val = data_read(s, mmr);
*acc_dst = sext40((int16_t)val);
return consumed + s->lk_used;
}
if (op8 == 0x4A) {
/* PSHM MMR — push memory-mapped reg onto stack */
int mmr = op & 0x7F;
uint16_t val = data_read(s, mmr);
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, val);
return consumed + s->lk_used;
}
if (op8 == 0x4B) {
/* PSHD Smem — push data memory onto stack */
addr = resolve_smem(s, op, &ind);
uint16_t val = data_read(s, addr);
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, val);
return consumed + s->lk_used;
}
if (op8 == 0x4C) {
/* LTD Smem — T = mem[Smem]; mem[Smem+1] = mem[Smem] */
addr = resolve_smem(s, op, &ind);
uint16_t val = data_read(s, addr);
s->t = val;
data_write(s, (addr + 1) & 0xFFFF, val);
return consumed + s->lk_used;
}
if (op8 == 0x4D) {
/* DELAY Smem — mem[Smem+1] = mem[Smem] (delay-line shift) */
addr = resolve_smem(s, op, &ind);
uint16_t val = data_read(s, addr);
data_write(s, (addr + 1) & 0xFFFF, val);
return consumed + s->lk_used;
}
if (op8 == 0x4E || op8 == 0x4F) {
/* DST src, Lmem — store accumulator to long memory.
* Lmem = even-aligned 32-bit pair: mem[L]=high, mem[L+1]=low */
addr = resolve_smem(s, op, &ind) & 0xFFFE;
int64_t v = *acc_dst;
data_write(s, addr, (uint16_t)((v >> 16) & 0xFFFF));
data_write(s, (addr+1)&0xFFFF, (uint16_t)(v & 0xFFFF));
return consumed + s->lk_used;
}
}
return consumed + s->lk_used;
case 0x5:
/* 5xxx: shifts — SFTA, SFTL, various forms.
* NOTE: 0x56xx/0x57xx are SFTL/SFTA with Smem (1-word), NOT MVPD.
* MVPD is at 0x8Cxx (hi8=0x8C). The old 0x56 MVPD decode was wrong
* and caused writes to MMR_SP via resolve_smem, corrupting the stack. */
{
int dst = (op >> 8) & 1;
int64_t *acc = dst ? &s->b : &s->a;
int sub = (op >> 9) & 0x7;
if (sub <= 1) {
/* 50xx/51xx: SFTA src, ASM shift */
int shift = asm_shift(s);
if (shift >= 0) *acc = sext40(*acc << shift);
else *acc = sext40(*acc >> (-shift));
} else if (sub == 2 || sub == 3) {
/* 54xx/55xx: SFTA src, #shift (immediate in Smem) */
addr = resolve_smem(s, op, &ind);
int shift = (int16_t)data_read(s, addr);
if (shift >= 0) *acc = sext40(*acc << shift);
else *acc = sext40(*acc >> (-shift));
} else if (sub == 4 || sub == 5) {
/* 58xx/59xx: SFTL src, ASM shift (logical) */
int shift = asm_shift(s);
uint64_t u = (uint64_t)(*acc) & 0xFFFFFFFFFFULL;
if (shift >= 0) *acc = sext40((int64_t)(u << shift));
else *acc = sext40((int64_t)(u >> (-shift)));
} else if (sub == 6 || sub == 7) {
/* 5Cxx/5Dxx/5Exx/5Fxx: SFTL with Smem or other */
addr = resolve_smem(s, op, &ind);
int shift = (int16_t)data_read(s, addr);
uint64_t u = (uint64_t)(*acc) & 0xFFFFFFFFFFULL;
if (shift >= 0) *acc = sext40((int64_t)(u << shift));
else *acc = sext40((int64_t)(u >> (-shift)));
}
}
return consumed + s->lk_used;
case 0x8: case 0x9:
/* 8xxx/9xxx: Memory moves, PORTR/PORTW */
/* ---- Dual-operand MAC Xmem, Ymem, dst (1-word) ----
* 0x90: MAC Xmem,Ymem,A 0x92: MAC Xmem,Ymem,B
* 0x91: MACR Xmem,Ymem,A 0x93: MACR Xmem,Ymem,B
* Same encoding as 0xA4 family: OOOO OOOD XXXX YYYY */
if (hi8 == 0x90 || hi8 == 0x91 || hi8 == 0x92 || hi8 == 0x93) {
int xar_m = (op >> 4) & 0x07;
int yar_m = op & 0x07;
uint16_t xval_m = data_read(s, s->ar[xar_m]);
uint16_t yval_m = data_read(s, s->ar[yar_m]);
if ((op >> 7) & 1) s->ar[xar_m]--; else s->ar[xar_m]++;
if ((op & 0x08) == 0) s->ar[yar_m]++; else s->ar[yar_m]--;
int64_t prod_m = (int64_t)(int16_t)s->t * (int64_t)(int16_t)xval_m;
if (s->st1 & ST1_FRCT) prod_m <<= 1;
if (hi8 & 0x01) prod_m += 0x8000; /* round */
int dst_m = (hi8 & 0x02) ? 1 : 0;
if (dst_m) s->b = sext40(s->b + prod_m);
else s->a = sext40(s->a + prod_m);
s->t = yval_m;
return consumed + s->lk_used;
}
/* 94xx: MVDK Smem, dmad — Move data(Smem) to data(dmad) (2 words) */
if (hi8 == 0x94) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, op2, data_read(s, addr));
return consumed + s->lk_used;
}
/* 95xx: MVKD dmad, Smem — Move data(dmad) to data(Smem) (2 words) */
if (hi8 == 0x95) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, addr, data_read(s, op2));
return consumed + s->lk_used;
}
/* 96xx: MVDP Smem, pmad — Move data to program (2 words) */
if (hi8 == 0x96) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->prog[op2] = data_read(s, addr);
return consumed + s->lk_used;
}
/* AUDIT FIX 2026-05-08 night : STL ↔ STH swap.
* Per binutils tic54x-opc.c :
* { "stl", 1,3,3, 0x9800, 0xFE00, {OP_SRC1,OP_SHFT,OP_Xmem} }
* { "sth", 1,3,3, 0x9A00, 0xFE00, {OP_SRC1,OP_SHFT,OP_Xmem} }
* Old decoder claimed 0x98/99=STH and 0x9A/9B=STL — exactly inverted.
* Effect: every STL/STH-with-shift in firmware wrote the WRONG half
* of the accumulator. Hot pattern in DSP code (post-MAC scaling),
* so this corrupted ~half of all data writes from compute paths.
* Shift application is intentionally simplified (no SHFT decode)
* matching prior-art handlers — Tier B will add proper 4-bit shift
* decode from low nibble. Mirror swap : write low for 0x98/99,
* write high for 0x9A/9B, src bit 8 selects A/B. */
if (hi8 == 0x98 || hi8 == 0x99) {
/* STL src, SHFT, Xmem — store LOW (acc&0xFFFF) */
addr = resolve_smem(s, op, &ind);
int src = hi8 & 1;
int64_t acc = src ? s->b : s->a;
data_write(s, addr, (uint16_t)(acc & 0xFFFF));
return consumed + s->lk_used;
}
if (hi8 == 0x9A || hi8 == 0x9B) {
/* STH src, SHFT, Xmem — store HIGH (acc>>16) */
addr = resolve_smem(s, op, &ind);
int src = hi8 & 1;
int64_t acc = src ? s->b : s->a;
data_write(s, addr, (uint16_t)((acc >> 16) & 0xFFFF));
return consumed + s->lk_used;
}
/* 0x9C-0x9F range: SACCD/SRCCD/STRCD — conditional stores */
/* SACCD src, Xmem, cond — Conditional accumulator store
* Encoding: 1001 11SD XXXX COND per SPRU172C p.4-152 */
if ((op & 0xFC00) == 0x9C00) {
int src_s = (op >> 9) & 1;
int64_t acc = src_s ? s->b : s->a;
int xar_s = (op >> 4) & 0x07;
uint16_t xaddr = s->ar[xar_s];
int cond = op & 0x0F;
/* Evaluate condition */
int take = 0;
switch (cond) {
case 0x0: take = (acc == 0); break; /* EQ */
case 0x1: take = (acc != 0); break; /* NEQ */
case 0x2: take = (acc > 0); break; /* GT */
case 0x3: take = (acc < 0); break; /* LT */
case 0x4: take = (acc >= 0); break; /* GEQ */
case 0x5: take = (acc == 0); break; /* AEQ */
case 0x6: take = (acc > 0); break; /* AGT */
case 0x7: take = (acc <= 0); break; /* LEQ/ALEQ */
default: take = 0; break;
}
int asm_val = asm_shift(s);
if (take) {
/* Store shifted accumulator high part */
int64_t shifted = acc << (asm_val > 0 ? asm_val : 0);
if (asm_val < 0) shifted = acc >> (-asm_val);
uint16_t val = (uint16_t)((shifted >> 16) & 0xFFFF);
data_write(s, xaddr, val);
} else {
/* Read and write back (no change) */
uint16_t val = data_read(s, xaddr);
data_write(s, xaddr, val);
}
/* Xmem post-modify */
if ((op >> 7) & 1) s->ar[xar_s]--; else s->ar[xar_s]++;
return consumed + s->lk_used;
}
/* POPM MMR — pop top-of-stack into MMR (1-word).
* Per tic54x-opc.c: { "popm", 0x8A00, 0xFF00, {OP_MMR} }.
* Per SPRU172C section 4 : value at SP popped to MMR, SP++.
*
* Bug fix 2026-05-08 : 0x8Axx était précédemment mal décodé en
* MVDK Smem,dmad (qui est en réalité 0x7100 mask 0xFF00). Le
* pattern PSHM/POPM symétrique du firmware (e.g. PROM0 0x7013-0x7023
* sauve/restaure 6 MMRs autour d'un CALA) ne fonctionnait jamais
* post-CALA → ST1 jamais restauré → INTM=1 dwell perpétuel
* → IRQ vectoring bloqué → DSP wait stuck → L1 mort.
* Le case MVDK ci-dessous devient dead code mais est laissé pour
* référence historique. */
if ((op & 0xFF00) == 0x8A00) {
uint16_t mmr = op & 0x7F;
uint16_t val = data_read(s, s->sp);
s->sp = (s->sp + 1) & 0xFFFF;
data_write(s, mmr, val);
return consumed + s->lk_used;
}
/* OBSOLETE — superseded by POPM above. The 0x8Axx range belongs to
* POPM per tic54x-opc.c, not MVDK (which is 0x7100 mask 0xFF00).
* Kept commented for one revision so any caller depending on the
* old (incorrect) behaviour is forced to be re-examined. */
if (0 && hi8 == 0x8A) {
/* MVDK Smem, dmad — INCORRECT for 0x8Axx, see POPM above */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, op2, data_read(s, addr));
return consumed + s->lk_used;
}
/* 0x88xx-0x89xx: STLM src, MMR (1-word!)
* Per tic54x-opc.c: { "stlm", 1,2,2, 0x8800, 0xFE00, ... }
* bits 9-15 = fixed (0x44)
* bit 8 = src (0 = A, 1 = B)
* bits 0-6 = MMR address (0x00..0x7F)
*
* Critical for the DSP bootloader at PROM0 0xb42d (`STLM B, AR1`):
* if decoded as 2-word MVDM the emulator eats the next opcode
* (0xb42e = 0xf84c, a BC), then jumps into 0xb431 (MACR family)
* with an uninitialised T register, producing A=0x10 — which
* the immediately-following BACC A at 0xb430 then uses as the
* jump target, dropping the DSP into the boot-stub NOPs at
* PC=0x0010 instead of continuing the bootloader handshake. */
if (hi8 == 0x88 || hi8 == 0x89) {
int src = (op >> 8) & 1; /* 0 = A, 1 = B */
int mmr = op & 0x7F;
uint16_t val = src ? (uint16_t)(s->b & 0xFFFF)
: (uint16_t)(s->a & 0xFFFF);
data_write(s, (uint16_t)mmr, val); /* MMRs alias addr 0x00..0x1F */
return consumed + s->lk_used;
}
if (hi8 == 0x80) {
/* AUDIT FIX 2026-05-08 night : was stubbed NOP because old
* decoder claimed MVDD (2-word, wrong). Per binutils tic54x-opc.c :
* { "stl", 1,2,2, 0x8000, 0xFE00, {OP_SRC1,OP_Smem}, 0, REST }
* 0x80xx/0x81xx = STL src, Smem (1-word, no shift). bit 8 = src.
* Range 0x8000-0x80FF = STL A, Smem (since bit 8 = 0 here).
* Stubbing this silently dropped every STL A in the firmware ;
* variables that should have been written to DARAM kept stale
* values (junk-state cascade). Mirror of the existing 0x82
* STH-with-shift handler but no shift here. */
addr = resolve_smem(s, op, &ind);
data_write(s, addr, (uint16_t)(s->a & 0xFFFF));
return consumed + s->lk_used;
}
if (hi8 == 0x8C) {
/* AUDIT FIX 2026-05-08 night : was MVPD pmad,Smem (2 mots,
* prog→data move). Per binutils tic54x-opc.c :
* { "mvpd", 2,2,2, 0x7C00, 0xFF00, {OP_pmad,OP_Smem}, 0, REST }
* { "st", 1,2,2, 0x8C00, 0xFF00, {OP_T,OP_Smem}, 0, REST }
* Real MVPD is at 0x7C — the 0x8C handler should be ST T, Smem
* (1 mot, store T register to data memory). Run-trace confirms
* 0 MVPD hits with the old handler, meaning firmware did not
* issue any 0x7Cxx → our wrong 0x8C MVPD was never triggered
* for legitimate MVPD anyway (PROM0 OVLY happens via DSP
* bootloader, not via 0x7C MVPD instruction). Switching to
* ST T,Smem is safe and unblocks the legitimate ST T pattern
* used after MAC for T persistence. Old MVPD-LOG instrumentation
* removed — was dead-code in current run. */
addr = resolve_smem(s, op, &ind);
data_write(s, addr, s->t);
return consumed + s->lk_used;
}
if (hi8 == 0x8E) {
/* MVDP Smem, pmad (data→prog) */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
prog_write(s, op2, data_read(s, addr));
return consumed + s->lk_used;
}
if (hi8 == 0x8F) {
/* PORTR PA, Smem — read I/O port */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
/* BSP RX data register — return next burst sample.
* The DSP firmware uses PORTR PA=0xF430 (64 sites in PROM0,
* verified from ROM dump). We also accept 0x0034 for legacy
* compatibility with earlier QEMU experiments. */
uint16_t portr_val;
bool is_bsp_pa = (op2 == 0xF430 || op2 == 0x0034);
if (is_bsp_pa && s->bsp_pos < s->bsp_len) {
portr_val = s->bsp_buf[s->bsp_pos++];
data_write(s, addr, portr_val);
} else {
portr_val = 0;
data_write(s, addr, 0);
}
/* Per-PA counters so we can see which I/O ports the DSP polls
* and how often. */
{
static uint64_t portr_total[16];
static uint64_t portr_since_summary;
int pa_bucket = (op2 >> 4) & 0xF;
portr_total[pa_bucket]++;
portr_since_summary++;
static int portr_log = 0;
if (portr_log < 50) {
C54_LOG("PORTR PA=0x%04x → [0x%04x] val=0x%04x "
"bsp_pos=%u/%u PC=0x%04x",
op2, addr, portr_val,
(unsigned)s->bsp_pos, (unsigned)s->bsp_len,
s->pc);
portr_log++;
}
if ((portr_since_summary % 10000) == 0) {
C54_LOG("PORTR summary (last 10000): "
"PA0x=%llu 1x=%llu 2x=%llu 3x=%llu 4x=%llu "
"5x=%llu 6x=%llu 7x=%llu",
(unsigned long long)portr_total[0],
(unsigned long long)portr_total[1],
(unsigned long long)portr_total[2],
(unsigned long long)portr_total[3],
(unsigned long long)portr_total[4],
(unsigned long long)portr_total[5],
(unsigned long long)portr_total[6],
(unsigned long long)portr_total[7]);
}
}
return consumed + s->lk_used;
}
if (hi8 == 0x9F) {
/* PORTW Smem, PA — write I/O port */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
/* Log I/O port writes */
{
uint16_t wval = data_read(s, addr);
static int portw_log = 0;
if (portw_log < 30) {
C54_LOG("PORTW PA=0x%04x val=0x%04x PC=0x%04x", op2, wval, s->pc);
portw_log++;
}
}
return consumed + s->lk_used;
}
/* 85xx: MVPD pmad, Smem (prog→data, different encoding) */
if (hi8 == 0x85) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, addr, prog_read(s, op2));
return consumed + s->lk_used;
}
/* 86xx: MVDM dmad, MMR */
if (hi8 == 0x86) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint16_t mmr = op & 0x7F;
data_write(s, mmr, data_read(s, op2));
return consumed + s->lk_used;
}
/* 87xx: MVMD MMR, dmad */
if (hi8 == 0x87) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint16_t mmr = op & 0x7F;
data_write(s, op2, data_read(s, mmr));
return consumed + s->lk_used;
}
/* 81xx: STL src, ASM, Smem (store with shift) */
if (hi8 == 0x81) {
addr = resolve_smem(s, op, &ind);
int shift = asm_shift(s);
int64_t v = s->a;
if (shift >= 0) v <<= shift; else v >>= (-shift);
data_write(s, addr, (uint16_t)(v & 0xFFFF));
return consumed + s->lk_used;
}
/* 82xx: STH src, ASM, Smem */
if (hi8 == 0x82) {
addr = resolve_smem(s, op, &ind);
int shift = asm_shift(s);
int64_t v = s->a;
if (shift >= 0) v <<= shift; else v >>= (-shift);
data_write(s, addr, (uint16_t)((v >> 16) & 0xFFFF));
return consumed + s->lk_used;
}
/* 89xx: ST src, Smem with shift or MVDK variants */
if (hi8 == 0x89) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, op2, data_read(s, addr));
return consumed + s->lk_used;
}
/* 8Bxx: MVDK with long address */
if (hi8 == 0x8B) {
/* STUB-NOP : tic54x dit 0x8B = POPD Smem (1-word).
* Ancienne classification qemu = MVDK long-addr 2-word (incorrect).
* Voir doc/opcodes/tic54x_hi8_map.md. Neutralisé. */
return 1;
}
/* 8Dxx: MVDD Smem, Smem */
if (hi8 == 0x8D) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, op2, data_read(s, addr));
return consumed + s->lk_used;
}
/* 83xx: WRITA Smem (write A to prog), 84xx: READA Smem */
if (hi8 == 0x83) {
addr = resolve_smem(s, op, &ind);
prog_write(s, (uint16_t)(s->a & 0xFFFF), data_read(s, addr));
return consumed + s->lk_used;
}
if (hi8 == 0x84) {
addr = resolve_smem(s, op, &ind);
data_write(s, addr, prog_read(s, (uint16_t)(s->a & 0xFFFF)));
return consumed + s->lk_used;
}
/* 91xx: MVKD dmad, Smem (another encoding) */
if (hi8 == 0x91) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, addr, data_read(s, op2));
return consumed + s->lk_used;
}
/* 97xx: ST #lk, Smem (2-word). 0x96xx is caught above as MVDP. */
if (hi8 == 0x97) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, addr, op2);
return consumed + s->lk_used;
}
goto unimpl;
case 0xA: case 0xB:
/* Axx/Bxx: STLM, LDMM, misc accumulator ops */
/* ---- Dual-operand MAC/MAS Xmem, Ymem, dst (1-word) ----
* MAC: dst += T * Xmem; T = Ymem
* MACR: dst += rnd(T * Xmem); T = Ymem
* MAS: dst -= T * Xmem; T = Ymem
* MASR: dst -= rnd(T * Xmem); T = Ymem
* Encoding: OOOO OOOD XXXX YYYY (1 word)
* Xmem: AR[ARP], post-mod by bit4 (0=inc,1=dec)
* Ymem: AR[bits2:0], post-mod by bit3 (0=inc,1=dec)
* D: 0=A, 1=B
* hi8 mapping per SPRU172C:
* 0xA4/0xA5: MAC[R] Xmem,Ymem,A 0xA6/0xA7: MAC[R] Xmem,Ymem,B
* 0xB4/0xB5: MAS[R] Xmem,Ymem,A 0xB6/0xB7: MAS[R] Xmem,Ymem,B
* 0xB0/0xB1: MAC[R] Xmem,Ymem,A (alt) 0xB2/0xB3 already handled
*/
if (hi8 == 0xA4 || hi8 == 0xA5 || hi8 == 0xA6 || hi8 == 0xA7 ||
hi8 == 0xB4 || hi8 == 0xB5 || hi8 == 0xB6 || hi8 == 0xB7 ||
hi8 == 0xB0 || hi8 == 0xB1 || hi8 == 0xB2) {
int xar_d = (op >> 4) & 0x07;
int yar_d = op & 0x07;
uint16_t xval_d = data_read(s, s->ar[xar_d]);
uint16_t yval_d = data_read(s, s->ar[yar_d]);
/* Post-modify */
if ((op >> 7) & 1) s->ar[xar_d]--; else s->ar[xar_d]++;
if ((op & 0x08) == 0) s->ar[yar_d]++; else s->ar[yar_d]--;
/* Multiply T * Xmem */
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)xval_d;
if (s->st1 & ST1_FRCT) prod <<= 1;
/* Round if R bit set (odd hi8) */
if (hi8 & 0x01) prod += 0x8000;
/* Determine dest and operation */
int is_sub = (hi8 >= 0xB4 && hi8 <= 0xB7);
int dst_b;
if (hi8 >= 0xA4 && hi8 <= 0xA7) dst_b = (hi8 >= 0xA6);
else if (hi8 >= 0xB4 && hi8 <= 0xB7) dst_b = (hi8 >= 0xB6);
else dst_b = (hi8 & 0x02) ? 1 : 0; /* 0xB0/B1→A, 0xB2/B3→B */
if (dst_b) {
if (is_sub) s->b = sext40(s->b - prod);
else s->b = sext40(s->b + prod);
} else {
if (is_sub) s->a = sext40(s->a - prod);
else s->a = sext40(s->a + prod);
}
/* T = Ymem */
s->t = yval_d;
return consumed + s->lk_used;
}
/* SQDST Xmem, Ymem — Squared Distance (1-word dual-operand)
* Encoding: 1010 0001 XXXX YYYY
* Per SPRU172C: B += (AH - Xmem)^2; A = Ymem << 16; T = Xmem */
if (hi8 == 0xA1) {
int xar_sq = (op >> 4) & 0x07;
int yar_sq = op & 0x07;
uint16_t xval_sq = data_read(s, s->ar[xar_sq]);
uint16_t yval_sq = data_read(s, s->ar[yar_sq]);
if ((op >> 7) & 1) s->ar[xar_sq]--; else s->ar[xar_sq]++;
if ((op & 0x08) == 0) s->ar[yar_sq]++; else s->ar[yar_sq]--;
int16_t ah_sq = (int16_t)((s->a >> 16) & 0xFFFF);
int32_t diff = (int32_t)ah_sq - (int32_t)(int16_t)xval_sq;
int64_t sq = (int64_t)diff * (int64_t)diff;
if (s->st1 & ST1_FRCT) sq <<= 1;
s->b = sext40(s->b + sq);
s->a = sext40((int64_t)(int16_t)yval_sq << 16);
s->t = xval_sq;
return consumed + s->lk_used;
}
/* POLY Xmem, Ymem — Polynomial evaluation (1-word dual-operand)
* Encoding: 1011 110D XXXX YYYY (0xBC=A, 0xBD=B)
* 1011 111D XXXX YYYY (0xBE/0xBF variants — ABDST or POLY)
* Per SPRU172C: B += AH * T (with round); A = Xmem << 16; T = Ymem */
if (hi8 == 0xBC || hi8 == 0xBD || hi8 == 0xBE || hi8 == 0xBF) {
int xar_p = (op >> 4) & 0x07;
int yar_p = op & 0x07;
uint16_t xval_p = data_read(s, s->ar[xar_p]);
uint16_t yval_p = data_read(s, s->ar[yar_p]);
if ((op >> 7) & 1) s->ar[xar_p]--; else s->ar[xar_p]++;
if ((op & 0x08) == 0) s->ar[yar_p]++; else s->ar[yar_p]--;
int16_t ah_p = (int16_t)((s->a >> 16) & 0xFFFF);
int64_t prod_p = (int64_t)ah_p * (int64_t)(int16_t)s->t;
if (s->st1 & ST1_FRCT) prod_p <<= 1;
prod_p += 0x8000; /* round */
s->b = sext40(s->b + prod_p);
s->a = sext40((int64_t)(int16_t)xval_p << 16);
s->t = yval_p;
return consumed + s->lk_used;
}
/* B8-BB: MAS/MASR Xmem, Ymem (subtract variants) or POLY-like */
if (hi8 == 0xB8 || hi8 == 0xB9 || hi8 == 0xBA || hi8 == 0xBB) {
/* Check if it's actually LDMM (BA) or POPM (BD) — those are handled below */
if (hi8 == 0xBA) goto ba_handler;
int xar_b8 = (op >> 4) & 0x07;
int yar_b8 = op & 0x07;
uint16_t xval_b8 = data_read(s, s->ar[xar_b8]);
uint16_t yval_b8 = data_read(s, s->ar[yar_b8]);
if ((op >> 7) & 1) s->ar[xar_b8]--; else s->ar[xar_b8]++;
if ((op & 0x08) == 0) s->ar[yar_b8]++; else s->ar[yar_b8]--;
int64_t prod_b8 = (int64_t)(int16_t)s->t * (int64_t)(int16_t)xval_b8;
if (s->st1 & ST1_FRCT) prod_b8 <<= 1;
if (hi8 & 0x01) prod_b8 += 0x8000;
int dst_b8 = (hi8 & 0x02) ? 1 : 0;
/* MAS: subtract */
if (dst_b8) s->b = sext40(s->b - prod_b8);
else s->a = sext40(s->a - prod_b8);
s->t = yval_b8;
return consumed + s->lk_used;
}
ba_handler:
if (hi8 == 0xAA || hi8 == 0xAB) {
/* STUB-NOP : tic54x dit 0xAA/AB = LD variant.
* Ancienne classification qemu = STLM src,MMR (incorrect — STLM
* est en 0x88/0x89, déjà correctement décodé ligne 4046).
* Voir doc/opcodes/tic54x_hi8_map.md. Neutralisé. */
return 1;
}
if (hi8 == 0xBA) {
/* LDMM MMR, dst */
uint16_t mmr = op & 0x7F;
int dst = (op >> 4) & 1;
int64_t v = (int64_t)(int16_t)data_read(s, mmr);
if (dst) s->b = sext40(v << 16);
else s->a = sext40(v << 16);
return consumed + s->lk_used;
}
if (hi8 == 0xA8 || hi8 == 0xA9) {
/* A8xx/A9xx: AND #lk, src[, dst] (2-word) */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int dst = op & 1;
int64_t *acc = dst ? &s->b : &s->a;
*acc = sext40(*acc & ((int64_t)op2 << 16));
return consumed + s->lk_used;
}
if (hi8 == 0xA0) {
/* A0xx: accumulator operations — LD/NEG/ABS/NOT/SFTA/SFTL/SAT
* Per SPRU172C:
* A000/A001: LD B,A / LD A,B
* A004/A005: NOT A / NOT B
* A008/A009: NEG A / NEG B
* A00A/A00B: ABS A / ABS B
* A00C/A00D: MAX A / MAX B (sat + clip)
* A00E/A00F: MIN A / MIN B
* bit7=0: SFTA dst, SHIFT — 1010 0000 0SSS SSSD (arith shift)
* bit7=1: SFTL dst, SHIFT — 1010 0000 1SSS SSSD (logical shift)
* A098/A099: SAT A / SAT B
*/
uint8_t sub = op & 0xFF;
if (sub == 0x00) { s->a = s->b; }
else if (sub == 0x01) { s->b = s->a; }
else if (sub == 0x04) { s->a = sext40(~s->a); } /* NOT A */
else if (sub == 0x05) { s->b = sext40(~s->b); } /* NOT B */
else if (sub == 0x08) { s->a = sext40(-s->a); } /* NEG A */
else if (sub == 0x09) { s->b = sext40(-s->b); } /* NEG B */
else if (sub == 0x0A) { s->a = sext40((s->a < 0) ? -s->a : s->a); } /* ABS A */
else if (sub == 0x0B) { s->b = sext40((s->b < 0) ? -s->b : s->b); } /* ABS B */
else if (sub == 0x98) { /* SAT A */
if (s->a > 0x7FFFFFFFFFLL) s->a = 0x7FFFFFFFFFLL;
else if (s->a < -0x8000000000LL) s->a = -0x8000000000LL;
s->st0 &= ~ST0_OVA;
}
else if (sub == 0x99) { /* SAT B */
if (s->b > 0x7FFFFFFFFFLL) s->b = 0x7FFFFFFFFFLL;
else if (s->b < -0x8000000000LL) s->b = -0x8000000000LL;
s->st0 &= ~ST0_OVB;
}
else if (sub & 0x80) {
/* SFTL dst, SHIFT — logical shift, bits[6:1]=shift, bit[0]=dst */
int shift = (sub >> 1) & 0x3F;
if (shift & 0x20) shift |= ~0x3F; /* sign-extend 6-bit */
int dst = sub & 1;
int64_t *acc = dst ? &s->b : &s->a;
uint64_t u = (uint64_t)(*acc) & 0xFFFFFFFFFFULL;
if (shift >= 0) *acc = sext40((int64_t)(u << shift));
else *acc = sext40((int64_t)(u >> (-shift)));
}
else if (sub >= 0x10) {
/* SFTA dst, SHIFT — arithmetic shift, bits[6:1]=shift, bit[0]=dst */
int shift = (sub >> 1) & 0x3F;
if (shift & 0x20) shift |= ~0x3F; /* sign-extend 6-bit */
int dst = sub & 1;
int64_t *acc = dst ? &s->b : &s->a;
if (shift >= 0) *acc = sext40(*acc << shift);
else *acc = sext40(*acc >> (-shift));
}
return consumed + s->lk_used;
}
if (hi8 == 0xA5) {
/* CMPS src, Smem — compare and select (Viterbi) */
addr = resolve_smem(s, op, &ind);
uint16_t val = data_read(s, addr);
int src = (op >> 4) & 1;
int64_t acc = src ? s->b : s->a;
int64_t cmp = (int64_t)(int16_t)val << 16;
/* TRN shift left, TC set based on comparison */
s->trn <<= 1;
if (acc >= cmp) {
s->st0 |= ST0_TC;
s->trn |= 1;
} else {
s->st0 &= ~ST0_TC;
if (src) s->b = cmp; else s->a = cmp;
}
return consumed + s->lk_used;
}
/* AExx/AFxx: MACD Smem, pmad, dst — MAC + data move (2 words)
* dst += T * Smem, then data(Smem) → data(dmad)
* pmad in second word auto-increments during RPT */
if (hi8 == 0xAE || hi8 == 0xAF) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint16_t sval = data_read(s, addr);
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)sval;
if (s->st1 & ST1_FRCT) prod <<= 1;
int dst = (hi8 & 0x01);
if (dst) s->b = sext40(s->b + prod);
else s->a = sext40(s->a + prod);
/* Data move: read from prog[pmad], write to data[addr] */
uint16_t psrc = s->rpt_active ? s->mvpd_src : op2;
data_write(s, addr, prog_fetch(s, psrc));
s->mvpd_src = psrc + 1;
s->t = sval; /* T = old Smem value (before overwrite) */
return consumed + s->lk_used;
}
/* ACxx/ADxx: MACP Smem, pmad, dst — MAC + program fetch (2 words) */
if (hi8 == 0xAC || hi8 == 0xAD) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint16_t sval = data_read(s, addr);
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)sval;
if (s->st1 & ST1_FRCT) prod <<= 1;
int dst = (hi8 & 0x01);
if (dst) s->b = sext40(s->b + prod);
else s->a = sext40(s->a + prod);
/* Coeff fetch from program memory */
uint16_t psrc = s->rpt_active ? s->mvpd_src : op2;
s->t = prog_fetch(s, psrc);
s->mvpd_src = psrc + 1;
return consumed + s->lk_used;
}
if (hi8 == 0xB3) {
/* LD #lk, dst (long immediate, 2 words) */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int dst = (op >> 0) & 1;
int64_t v = (s->st1 & ST1_SXM) ? (int16_t)op2 : op2;
if (dst) s->b = sext40(v << 16);
else s->a = sext40(v << 16);
return consumed + s->lk_used;
}
/* ADD #lk, src[, dst] */
if (hi8 == 0xA2) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int dst = op & 1;
int64_t v = (s->st1 & ST1_SXM) ? (int16_t)op2 : op2;
if (dst) s->b = sext40(s->b + (v << 16));
else s->a = sext40(s->a + (v << 16));
return consumed + s->lk_used;
}
/* SUB #lk */
if (hi8 == 0xA3) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int dst = op & 1;
int64_t v = (s->st1 & ST1_SXM) ? (int16_t)op2 : op2;
if (dst) s->b = sext40(s->b - (v << 16));
else s->a = sext40(s->a - (v << 16));
return consumed + s->lk_used;
}
goto unimpl;
case 0xC: case 0xD:
/* C/Dxxx: PSHM, POPM, PSHD, POPD, RPT, FRAME, etc. */
/* ---- Dual-operand MAC/MAS Xmem, Ymem, dst (1-word) ----
* 0xD0: MAC Xmem,Ymem,A 0xD2: MAC Xmem,Ymem,B
* 0xD1: MACR Xmem,Ymem,A 0xD3: MACR Xmem,Ymem,B
* 0xD4-0xD7: MAS variants (subtract)
*
* Encoding per binutils tic54x.h (XARX/YARX = ((C&0x3)+2)) :
* bits 7:6 Xmod | 5:4 Xar (AR2..AR5) | 3:2 Ymod | 1:0 Yar (AR2..AR5)
* Was 3-bit AR raw — same bug as C8/CB had (fixed 2026-05-08). Now
* aligned with binutils. Expected aftermath : new SP-CATASTROPHE on
* D-class opcodes when firmware ARs land at MMR — same root pattern
* as 0xc8be at PC=0xa0e7. That's correct exposure, not regression. */
if (hi8 >= 0xD0 && hi8 <= 0xD9 && hi8 != 0xDA) {
int xmod_c = (op >> 6) & 0x03;
int xar_c = ((op >> 4) & 0x03) + 2;
int ymod_c = (op >> 2) & 0x03;
int yar_c = (op & 0x03) + 2;
uint16_t xval_c = data_read(s, s->ar[xar_c]);
uint16_t yval_c = data_read(s, s->ar[yar_c]);
switch (xmod_c) {
case 0: break;
case 1: s->ar[xar_c]++; break;
case 2: s->ar[xar_c]--; break;
case 3: s->ar[xar_c] += s->ar[0]; break;
}
switch (ymod_c) {
case 0: break;
case 1: s->ar[yar_c]++; break;
case 2: s->ar[yar_c]--; break;
case 3: s->ar[yar_c] += s->ar[0]; break;
}
/* MAC dual-mem formula : T × Xmem (pas X × Y per SPRU pure).
*
* 2026-05-08 retest empirique avec pipeline stable :
* T×X : BRC variable, A/B accumulator drift, d_fb_det reaches
* high SNR values (0x7902 / 0x7766) at moments
* X×Y : BRC=0 uniforme (201/201), A=B=0 forever, d_fb_det
* mostly 0 — correlation produces only zeros
*
* Le firmware Calypso s'appuie sur le pipeline c54x : T est
* latched depuis Ymem du MAC précédent (T = Y(post)). Ainsi
* MAC dual-mem effectivement calcule `T_old × X_current` =
* `Y[n-1] × X[n]`. Notre `prod = T × X` reproduit fidèlement
* cet effet pipelined. `X × Y` (les 2 du buffer courant) ne
* matche pas la sémantique attendue par le firmware. */
int64_t prod_c = (int64_t)(int16_t)s->t * (int64_t)(int16_t)xval_c;
if (s->st1 & ST1_FRCT) prod_c <<= 1;
if (hi8 & 0x01) prod_c += 0x8000; /* round */
int is_sub_c = (hi8 >= 0xD4);
int dst_c = (hi8 & 0x02) ? 1 : 0;
if (dst_c) {
if (is_sub_c) s->b = sext40(s->b - prod_c);
else s->b = sext40(s->b + prod_c);
} else {
if (is_sub_c) s->a = sext40(s->a - prod_c);
else s->a = sext40(s->a + prod_c);
}
s->t = yval_c;
return consumed + s->lk_used;
}
/* DBxx: MASA Xmem, Ymem, dst — MAC with accumulator sign extension
* Per SPRU172C: same as MAC but T loaded from Xmem instead of Ymem.
* dst += T * Xmem, T = Xmem
* Encoding fixed 2026-05-08 : same 2-bit AR + offset 2 + 2-bit mod
* format as the rest of the dual-operand class. */
if (hi8 == 0xDB) {
int xmod_db = (op >> 6) & 0x03;
int xar_db = ((op >> 4) & 0x03) + 2;
int ymod_db = (op >> 2) & 0x03;
int yar_db = (op & 0x03) + 2;
uint16_t xval_db = data_read(s, s->ar[xar_db]);
(void)data_read(s, s->ar[yar_db]); /* Ymem read (unused) */
switch (xmod_db) {
case 0: break;
case 1: s->ar[xar_db]++; break;
case 2: s->ar[xar_db]--; break;
case 3: s->ar[xar_db] += s->ar[0]; break;
}
switch (ymod_db) {
case 0: break;
case 1: s->ar[yar_db]++; break;
case 2: s->ar[yar_db]--; break;
case 3: s->ar[yar_db] += s->ar[0]; break;
}
int64_t prod_db = (int64_t)(int16_t)s->t * (int64_t)(int16_t)xval_db;
if (s->st1 & ST1_FRCT) prod_db <<= 1;
s->a = sext40(s->a + prod_db);
s->t = xval_db;
return consumed + s->lk_used;
}
/* DCxx: SQUR Xmem, dst — Square and accumulate (1-word dual-operand)
* Per SPRU172C p.4-165: T = Xmem, dst = dst + T * T
* Encoding fixed 2026-05-08 : same dual-operand format as D0-D9. */
if (hi8 == 0xDC) {
int xmod_dc = (op >> 6) & 0x03;
int xar_dc = ((op >> 4) & 0x03) + 2;
int ymod_dc = (op >> 2) & 0x03;
int yar_dc = (op & 0x03) + 2;
uint16_t xval_dc = data_read(s, s->ar[xar_dc]);
(void)data_read(s, s->ar[yar_dc]); /* Ymem pipeline read */
switch (xmod_dc) {
case 0: break;
case 1: s->ar[xar_dc]++; break;
case 2: s->ar[xar_dc]--; break;
case 3: s->ar[xar_dc] += s->ar[0]; break;
}
switch (ymod_dc) {
case 0: break;
case 1: s->ar[yar_dc]++; break;
case 2: s->ar[yar_dc]--; break;
case 3: s->ar[yar_dc] += s->ar[0]; break;
}
s->t = xval_dc;
int64_t prod_dc = (int64_t)(int16_t)xval_dc * (int64_t)(int16_t)xval_dc;
if (s->st1 & ST1_FRCT) prod_dc <<= 1;
s->a = sext40(s->a + prod_dc);
return consumed + s->lk_used;
}
/* CA/CB handled by the unified C8/C9/CA/CB block below. */
/* CF: variant parallel or DELAY */
if (hi8 == 0xCF) {
/* Treat as NOP for now — rare instruction */
return consumed + s->lk_used;
}
/* RPTB[D] pmad — Block repeat (2 words)
* C2xx: RPTB pmad, C3xx: RPTBD pmad (delayed)
* Per SPRU172C: RSA = PC+2, REA = pmad, BRAF = 1 */
if (hi8 == 0xC2 || hi8 == 0xC3 || hi8 == 0xC6 || hi8 == 0xC7) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->rea = op2;
s->rsa = (uint16_t)(s->pc + 2);
s->rptb_active = true;
s->st1 |= ST1_BRAF;
return consumed + s->lk_used;
}
if (hi8 == 0xC5) {
/* STUB-NOP : tic54x dit 0xC5 = ST||family (parallel).
* Ancienne classification qemu = PSHM MMR (incorrect — vrai
* PSHM est en 0x4A, correctement décodé ligne 3816).
* Le sp-- ici causait des pushes fantômes. Neutralisé. */
return 1;
}
if (hi8 == 0xCD) {
/* STUB-NOP : tic54x dit 0xCD = ST||family (parallel).
* Ancienne classification qemu = POPM MMR (incorrect — vrai
* POPM est en 0x8A, fixé 2026-05-08).
* Le sp++ ici causait des pops fantômes. Neutralisé. */
return 1;
}
if (hi8 == 0xCE) {
/* STUB-NOP : tic54x dit 0xCE = ST||family (parallel).
* Ancienne classification qemu = FRAME #k (incorrect — FRAME
* n'a pas de hi8 fixe, encodage différent).
* Le sp+=k ici causait des sauts SP arbitraires. Neutralisé. */
return 1;
}
if (hi8 == 0xC4) {
/* C4xx: PSHD dmad (push data from absolute addr) */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->sp--;
data_write(s, s->sp, data_read(s, op2));
return consumed + s->lk_used;
}
if (hi8 == 0xC0 || hi8 == 0xC1) {
/* PSHD Smem / RPT Smem variants */
addr = resolve_smem(s, op, &ind);
if (hi8 == 0xC0) {
/* PSHD Smem */
s->sp--;
data_write(s, s->sp, data_read(s, addr));
} else {
/* RPT Smem */
s->rpt_count = data_read(s, addr);
s->rpt_active = true;
s->pc += consumed;
return 0;
}
return consumed + s->lk_used;
}
if (hi8 == 0xCC) {
/* CCxx: SACCD Smem, ARmem — Store Acc Conditionally (1-word)
* Per SPRU172C: conditionally store AH or BH to Smem.
* Simplified: always store (condition always true). */
addr = resolve_smem(s, op, &ind);
data_write(s, addr, (uint16_t)((s->a >> 16) & 0xFFFF));
return consumed + s->lk_used;
}
if (hi8 == 0xDA) {
/* DAxx: RPTBD pmad (block repeat delayed, 2 words) */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->rea = op2;
s->rsa = (uint16_t)(s->pc + 4); /* delayed: skip 2 delay slots */
s->rptb_active = true;
s->st1 |= ST1_BRAF;
return consumed + s->lk_used;
}
if (hi8 == 0xDD) {
/* STUB-NOP : tic54x dit 0xDD = ST||family (parallel) — base
* 0xDC00 mask 0xFC00. Ancienne classification qemu = POPD Smem
* (incorrect — vrai POPD en 0x8B, neutralisé en stub).
* Le sp++ ici causait le SP runaway post-POPM-fix observé
* 2026-05-08 (~13k faux pops en 64k insn). Neutralisé. */
return 1;
}
if (hi8 == 0xDE) {
/* STUB-NOP : tic54x dit 0xDE = ST||family (parallel).
* Ancienne classification qemu = POPD dmad 2-word (incorrect).
* Le sp++ ici causait le SP runaway. Neutralisé. */
return 1;
}
if (hi8 == 0xDF) {
/* DELAY Smem — shift delay line: data(Smem) → data(Smem+1)
* Per SPRU172C: used with RPT for FIR filter delay lines */
addr = resolve_smem(s, op, &ind);
uint16_t dval = data_read(s, addr);
data_write(s, addr + 1, dval);
return consumed + s->lk_used;
}
/* 0xC8/C9/CA/CB: ST SRC, Ymem || LD Xmem, DST (1-word parallel)
*
* Encoding per SPRU172C §5.5 (Parallel store + arithmetic format,
* cross-checked against tic54x-opc.c entry "0xC800/0xFC00 st||ld") :
*
* bit 15..10 : opcode (110010)
* bit 9 : reserved (used to disambiguate; here: 0 for C8/CA,
* bit 9 of 0xC9/CB still in opcode space — but the
* effective operand bits for parallel are 7:0)
* bit 8 : SRC accumulator select (0 = A, 1 = B)
* bits 7:6 : Xmod (0=*ARi 1=*ARi+ 2=*ARi- 3=*ARi+0%)
* bits 5:4 : Xar (00=AR2, 01=AR3, 10=AR4, 11=AR5) — only AR2..AR5
* bits 3:2 : Ymod (same encoding as Xmod)
* bits 1:0 : Yar (same encoding as Xar)
*
* Bug fix 2026-05-08 v2 evidence (DUAL-OP-INTERPRET log) :
* Previously decoded as `xar=(op>>4)&7`, `yar=op&7` (3-bit AR
* field) with bit 7 = Xmod ±, bit 3 = Ymod ±. That picked
* AR0/AR1 instead of AR2/AR3 and made post-mod always ± with
* no support for "no mod" or `*ARi+0%`. When firmware loaded
* AR1=0x0018 (= MMR_SP) for an unrelated reason, the *AR1
* write landed on the SP MMR slot — observed catastrophes
* Δ=+16601 / -16640 at PC=0x7818 / 0x786b are the consequence.
*
* Note on 0xCA/CB : per tic54x-opc.c, 0xC800 mask 0xFC00 covers
* 0xC800..0xCBFF for ST||LD (single instruction class). The
* earlier emulator split CA/CB into a separate block — that
* block is now removed, the C8..CB handler is unified here. */
if (hi8 >= 0xC8 && hi8 <= 0xCB) {
int s_acc = (hi8 & 0x01) ? 1 : 0; /* C9/CB store from B */
int xmod = (op >> 6) & 0x03;
int xar = ((op >> 4) & 0x03) + 2; /* AR2..AR5 */
int ymod = (op >> 2) & 0x03;
int yar = (op & 0x03) + 2; /* AR2..AR5 */
int d_acc = s_acc ? 0 : 1; /* LD into the OTHER acc */
int64_t st_val = s_acc ? s->b : s->a;
data_write(s, s->ar[yar], (uint16_t)(st_val & 0xFFFF));
uint16_t ld_val = data_read(s, s->ar[xar]);
int64_t loaded = (int64_t)(int16_t)ld_val << 16;
if (d_acc) s->b = sext40(loaded); else s->a = sext40(loaded);
switch (xmod) {
case 0: break; /* *ARi (no mod) */
case 1: s->ar[xar]++; break; /* *ARi+ */
case 2: s->ar[xar]--; break; /* *ARi- */
case 3: s->ar[xar] += s->ar[0]; break; /* *ARi+0% (linear approx) */
}
switch (ymod) {
case 0: break;
case 1: s->ar[yar]++; break;
case 2: s->ar[yar]--; break;
case 3: s->ar[yar] += s->ar[0]; break;
}
return consumed + s->lk_used;
}
goto unimpl;
default:
break;
}
unimpl:
s->unimpl_count++;
if (s->unimpl_count <= 200 || op != s->last_unimpl) {
C54_LOG("UNIMPL @0x%04x: 0x%04x (hi8=0x%02x) [#%u]",
s->pc, op, hi8, s->unimpl_count);
s->last_unimpl = op;
}
return consumed + s->lk_used;
}
/* ================================================================
* Main execution loop
* ================================================================ */
/* DSP idle fast-forward — simulator optimisation, NOT a hack.
*
* The Calypso DSP polls its task slots in NDB and write pages while
* waiting for ARM/TPU to post work. Empirically this dispatcher loop
* lives in PROM1 mirror at PC 0xe9ac..0xe9b7 (8-instruction body cycled
* ~285k times per 1.4G insn window when nothing pending). Each iteration
* costs C-level MAC/branch emulation that ends up consuming 80%+ of host
* CPU for zero useful work, making QEMU run ~3x slower than wall-clock
* GSM and starving the BTS scheduler of CLK INDs.
*
* Detection: PC inside the polling range AND all four task fields in
* both write pages are zero AND no interrupt pending. When confirmed,
* advance cycles/insn_count without invoking c54x_exec_one. The DSP
* exits idle naturally next iteration if either:
* - ARM writes a task field (mirrored via calypso_dsp_write to
* s->data[0x0800+offset])
* - An IRQ fires (calypso_c54x_interrupt_ex sets s->ifr)
* - PC moves outside the range (shouldn't happen while polling)
*
* Env vars (default ON) :
* CALYPSO_DSP_IDLE_FF=0 disable
* CALYPSO_DSP_IDLE_RANGE=lo:hi override hex PC range
*/
#define DSP_IDLE_FF_MAX_RANGES 4
static bool dsp_idle_fast_forward(C54xState *s, int *consumed_out)
{
static int ff_enabled = -1;
static int ff_n_ranges = 0;
static uint16_t ff_lo[DSP_IDLE_FF_MAX_RANGES];
static uint16_t ff_hi[DSP_IDLE_FF_MAX_RANGES];
static uint64_t ff_hits = 0;
if (ff_enabled < 0) {
const char *e = getenv("CALYPSO_DSP_IDLE_FF");
ff_enabled = (!e || *e != '0') ? 1 : 0;
/* Defaults: two empirically observed dispatcher loops in the
* stock layer1.highram.elf firmware:
* 1) 0xe9ac..0xe9b7 — PROM1 mirror, init/SP-aware path
* 2) 0xcc62..0xcc6f — PROM0 page 0, runtime mailbox poll loop
* Override via CALYPSO_DSP_IDLE_RANGE="lo1:hi1,lo2:hi2,..."
* (max 4 ranges). Each range is hex. Empty = use defaults. */
const char *r = getenv("CALYPSO_DSP_IDLE_RANGE");
if (r && *r) {
const char *p = r;
while (*p && ff_n_ranges < DSP_IDLE_FF_MAX_RANGES) {
unsigned lo, hi;
if (sscanf(p, "%x:%x", &lo, &hi) == 2 && lo <= hi &&
lo <= 0xFFFF && hi <= 0xFFFF) {
ff_lo[ff_n_ranges] = (uint16_t)lo;
ff_hi[ff_n_ranges] = (uint16_t)hi;
ff_n_ranges++;
}
while (*p && *p != ',') p++;
if (*p == ',') p++;
}
}
if (ff_n_ranges == 0) {
ff_lo[0] = 0xe9ac; ff_hi[0] = 0xe9b7;
ff_lo[1] = 0xcc62; ff_hi[1] = 0xcc6f;
ff_n_ranges = 2;
}
char buf[160] = ""; int blen = 0;
for (int i = 0; i < ff_n_ranges; i++) {
blen += snprintf(buf + blen, sizeof(buf) - blen,
"%s0x%04x..0x%04x",
i ? "," : "", ff_lo[i], ff_hi[i]);
}
C54_LOG("DSP IDLE FF: %s, ranges=[%s]",
ff_enabled ? "enabled" : "disabled", buf);
}
if (!ff_enabled) return false;
bool in_range = false;
for (int i = 0; i < ff_n_ranges; i++) {
if (s->pc >= ff_lo[i] && s->pc <= ff_hi[i]) {
in_range = true;
break;
}
}
if (!in_range) return false;
/* Task slots in both write pages — DSP word addresses :
* page 0 : 0x0800 (d_task_d), 0x0802 (d_task_u),
* 0x0804 (d_task_md), 0x0807 (d_task_ra)
* page 1 : 0x0814, 0x0816, 0x0818, 0x081B (offsets +0x14)
*/
if (s->data[0x0800] | s->data[0x0802] | s->data[0x0804] | s->data[0x0807] |
s->data[0x0814] | s->data[0x0816] | s->data[0x0818] | s->data[0x081B]) {
return false; /* something pending → exec normally */
}
/* Pending IRQ would also break us out of the dispatcher next iter. */
if (!(s->st1 & ST1_INTM) && (s->ifr & s->imr)) {
return false;
}
/* Fast-forward this dispatcher iteration.
*
* Cycle-budget calibration: real C54x at 65 MHz means 1 cycle ≈ 15 ns.
* The dispatcher body is ~8 instructions per pass (matches the 8 hot
* PCs observed). One pass ≈ 8 cycles ≈ 120 ns of *DSP* time.
*
* Per Claude web 2026-05-07 review: previously this returned a
* fixed 8-cycle skip per call regardless of host wall time. Combined
* with c54x_run(256000) that meant a single tick callback could
* burn through 32k FF iterations in microseconds host time but
* accumulate the full 256k cycles credit on the DSP — the net
* effect on QEMU virtual time was minimal (DSP cycles aren't a
* QEMU clock anyway), so this isn't itself the cause of the BTS
* timing skew. But to match wall-clock more honestly we now cap
* the FF run length per c54x_run invocation: at most enough skips
* to consume the budget (n_insns) without overshooting.
*
* The actual wall-clock alignment (CLK IND cadence) is owned by
* the TDMA timer in calypso_trx.c, not by this function. */
*consumed_out = 8;
ff_hits++;
if ((ff_hits & 0xFFFFFFu) == 0) {
C54_LOG("DSP IDLE FF: %llu skips so far (PC=0x%04x SP=0x%04x)",
(unsigned long long)ff_hits, s->pc, s->sp);
}
return true;
}
int c54x_run(C54xState *s, int n_insns)
{
int executed = 0;
/* Log first 10 instructions of each run (for 2nd cycle debug) */
static int run_num = 0;
run_num++;
/* SP history ring buffer (64 entries × insn/PC/SP). Sampled every
* 1M insns at top of run-loop. Dumped on STATE-DUMP. Reveals whether
* SP descends monotonically (cumulative leak — each ISR entry leaks
* one stack frame) or oscillates around a value (one big initial
* drop then steady-state). Different fixes. */
static struct { unsigned insn; uint16_t pc; uint16_t sp; } sp_ring[64];
static unsigned sp_ring_idx = 0;
static unsigned next_sp_sample = 1000000u;
if (s->insn_count >= next_sp_sample) {
next_sp_sample += 1000000u;
sp_ring[sp_ring_idx & 63].insn = s->insn_count;
sp_ring[sp_ring_idx & 63].pc = s->pc;
sp_ring[sp_ring_idx & 63].sp = s->sp;
sp_ring_idx++;
}
/* Periodic DSP state dump (every 500M insns, starting at 500M).
* Captures: state regs, hot-zone disasm (0xa2c0..0xa2d0 + 0xb8e0..0xb910),
* vector table at current PMST IPTR base, hot-PC opcodes, SP history. */
{
static unsigned next_dump = 500000000u;
if (s->insn_count >= next_dump) {
next_dump += 500000000u;
uint16_t iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
uint16_t vbase = iptr * 0x80;
C54_LOG("STATE-DUMP insn=%u PC=0x%04x ST0=0x%04x ST1=0x%04x INTM=%d IMR=0x%04x IFR=0x%04x XPC=%d PMST=0x%04x SP=0x%04x AR1=0x%04x AR2=0x%04x BRC=%d",
s->insn_count, s->pc, s->st0, s->st1,
!!(s->st1 & ST1_INTM),
s->imr, s->ifr, s->xpc, s->pmst, s->sp,
s->ar[1], s->ar[2], s->brc);
C54_LOG("STATE-DUMP prog[0xa2c0..0xa2d0]: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
s->prog[0xa2c0], s->prog[0xa2c1], s->prog[0xa2c2], s->prog[0xa2c3],
s->prog[0xa2c4], s->prog[0xa2c5], s->prog[0xa2c6], s->prog[0xa2c7],
s->prog[0xa2c8], s->prog[0xa2c9], s->prog[0xa2ca], s->prog[0xa2cb],
s->prog[0xa2cc], s->prog[0xa2cd], s->prog[0xa2ce], s->prog[0xa2cf],
s->prog[0xa2d0]);
/* Hot zone after ARP fix: b8e9..b906 (run 2, vec1 handler). */
C54_LOG("STATE-DUMP prog[0xb8e0..0xb910]: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
s->prog[0xb8e0], s->prog[0xb8e1], s->prog[0xb8e2], s->prog[0xb8e3],
s->prog[0xb8e4], s->prog[0xb8e5], s->prog[0xb8e6], s->prog[0xb8e7],
s->prog[0xb8e8], s->prog[0xb8e9], s->prog[0xb8ea], s->prog[0xb8eb],
s->prog[0xb8ec], s->prog[0xb8ed], s->prog[0xb8ee], s->prog[0xb8ef],
s->prog[0xb8f0], s->prog[0xb8f1], s->prog[0xb8f2], s->prog[0xb8f3],
s->prog[0xb8f4], s->prog[0xb8f5], s->prog[0xb8f6], s->prog[0xb8f7],
s->prog[0xb8f8], s->prog[0xb8f9], s->prog[0xb8fa], s->prog[0xb8fb],
s->prog[0xb8fc], s->prog[0xb8fd], s->prog[0xb8fe], s->prog[0xb8ff],
s->prog[0xb900]);
C54_LOG("STATE-DUMP prog[0xb900..0xb920]: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
s->prog[0xb900], s->prog[0xb901], s->prog[0xb902], s->prog[0xb903],
s->prog[0xb904], s->prog[0xb905], s->prog[0xb906], s->prog[0xb907],
s->prog[0xb908], s->prog[0xb909], s->prog[0xb90a], s->prog[0xb90b],
s->prog[0xb90c], s->prog[0xb90d], s->prog[0xb90e], s->prog[0xb90f],
s->prog[0xb910], s->prog[0xb911], s->prog[0xb912], s->prog[0xb913],
s->prog[0xb914], s->prog[0xb915], s->prog[0xb916], s->prog[0xb917],
s->prog[0xb918], s->prog[0xb919], s->prog[0xb91a], s->prog[0xb91b],
s->prog[0xb91c], s->prog[0xb91d], s->prog[0xb91e], s->prog[0xb91f],
s->prog[0xb920]);
C54_LOG("STATE-DUMP vbase=0x%04x prog[vbase..vbase+0x18]: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
vbase,
s->prog[vbase+0x00], s->prog[vbase+0x01], s->prog[vbase+0x02], s->prog[vbase+0x03],
s->prog[vbase+0x04], s->prog[vbase+0x05], s->prog[vbase+0x06], s->prog[vbase+0x07],
s->prog[vbase+0x08], s->prog[vbase+0x09], s->prog[vbase+0x0a], s->prog[vbase+0x0b],
s->prog[vbase+0x0c], s->prog[vbase+0x0d], s->prog[vbase+0x0e], s->prog[vbase+0x0f],
s->prog[vbase+0x10], s->prog[vbase+0x11], s->prog[vbase+0x12], s->prog[vbase+0x13],
s->prog[vbase+0x14], s->prog[vbase+0x15], s->prog[vbase+0x16], s->prog[vbase+0x17],
s->prog[vbase+0x18]);
/* Hot-PC opcode dump for known correlator/handler sites */
C54_LOG("STATE-DUMP HOT-OPS: 0x8d33=%04x 0x8eb9=%04x 0x8f51=%04x 0xa2c7=%04x 0xa2c8=%04x 0xb8e9=%04x 0xb8eb=%04x 0xb8f4=%04x 0xb8f5=%04x 0xb906=%04x",
s->prog[0x8d33], s->prog[0x8eb9], s->prog[0x8f51],
s->prog[0xa2c7], s->prog[0xa2c8],
s->prog[0xb8e9], s->prog[0xb8eb], s->prog[0xb8f4],
s->prog[0xb8f5], s->prog[0xb906]);
/* DARAM 0x066F..0x0682 wait-loop disasm (run 3 stuck zone).
* Looking for B-self (f073 066f) vs IDLE n (f7e1/f7e2/f7e3)
* vs poll-and-branch. If IDLE found → emulator IDLE handler
* is the real bug (3 runs all hit the same opcode, terminate
* in different bassins because PMST/IPTR varies). */
C54_LOG("STATE-DUMP prog[0x0660..0x0690]: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
s->prog[0x0660], s->prog[0x0661], s->prog[0x0662], s->prog[0x0663],
s->prog[0x0664], s->prog[0x0665], s->prog[0x0666], s->prog[0x0667],
s->prog[0x0668], s->prog[0x0669], s->prog[0x066a], s->prog[0x066b],
s->prog[0x066c], s->prog[0x066d], s->prog[0x066e], s->prog[0x066f],
s->prog[0x0670], s->prog[0x0671], s->prog[0x0672], s->prog[0x0673],
s->prog[0x0674], s->prog[0x0675], s->prog[0x0676], s->prog[0x0677],
s->prog[0x0678], s->prog[0x0679], s->prog[0x067a], s->prog[0x067b],
s->prog[0x067c], s->prog[0x067d], s->prog[0x067e], s->prog[0x067f],
s->prog[0x0680]);
/* Same range but data[] view in case OVLY=1 routes fetches
* to data array (different memory than prog). */
C54_LOG("STATE-DUMP data[0x0660..0x0680]: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
s->data[0x0660], s->data[0x0661], s->data[0x0662], s->data[0x0663],
s->data[0x0664], s->data[0x0665], s->data[0x0666], s->data[0x0667],
s->data[0x0668], s->data[0x0669], s->data[0x066a], s->data[0x066b],
s->data[0x066c], s->data[0x066d], s->data[0x066e], s->data[0x066f],
s->data[0x0670], s->data[0x0671], s->data[0x0672], s->data[0x0673],
s->data[0x0674], s->data[0x0675], s->data[0x0676], s->data[0x0677],
s->data[0x0678], s->data[0x0679], s->data[0x067a], s->data[0x067b],
s->data[0x067c], s->data[0x067d], s->data[0x067e], s->data[0x067f],
s->data[0x0680]);
/* IRQ entry handler at PC=0x1854 (last 0→1 transition) */
C54_LOG("STATE-DUMP prog[0x1850..0x1860]: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
s->prog[0x1850], s->prog[0x1851], s->prog[0x1852], s->prog[0x1853],
s->prog[0x1854], s->prog[0x1855], s->prog[0x1856], s->prog[0x1857],
s->prog[0x1858], s->prog[0x1859], s->prog[0x185a], s->prog[0x185b],
s->prog[0x185c], s->prog[0x185d], s->prog[0x185e], s->prog[0x185f],
s->prog[0x1860]);
/* SP history ring (last 32 sampled at 1M-insn intervals) */
{
char buf[2048]; int o = 0;
int start = (sp_ring_idx >= 32) ? (sp_ring_idx - 32) : 0;
for (unsigned i = start; i < sp_ring_idx; i++) {
int idx = i & 63;
o += snprintf(buf+o, sizeof(buf)-o,
"[%u:PC=%04x SP=%04x] ",
sp_ring[idx].insn,
sp_ring[idx].pc,
sp_ring[idx].sp);
if (o > (int)sizeof(buf) - 64) break;
}
C54_LOG("STATE-DUMP SP-RING (last %d): %s",
(int)(sp_ring_idx >= 32 ? 32 : sp_ring_idx), buf);
}
}
}
while (executed < n_insns && s->running && !s->idle) {
/* DSP idle fast-forward — see dsp_idle_fast_forward() comment.
* Skips MAC simulation when DSP is in its empty-task-slot
* polling loop, returning host CPU to the rest of QEMU. */
{
int ff_cyc;
if (dsp_idle_fast_forward(s, &ff_cyc)) {
s->cycles += ff_cyc;
s->insn_count += ff_cyc;
executed += ff_cyc;
continue;
}
}
/* CALYPSO_DSP_FBDET_SKIP — completion of the SYNTH strategy.
* When the firmware enters the fb-det routine (PC range
* 0x8d00..0x8f80) AND we already publish synthetic FB results
* via CALYPSO_FBSB_SYNTH=1, executing the routine is pure
* waste : the caller will read NDB, find the synth d_fb_det=1,
* and ignore whatever the routine would have computed.
*
* Mechanism : at the FIRST PC entering the range from outside,
* pop the return addr from stack (CALL convention) and jump to
* it. Subsequent PCs inside the range fall back to normal exec
* (we only short-circuit the entry point per call).
*
* Default OFF. Enable with CALYPSO_DSP_FBDET_SKIP=1 alongside
* CALYPSO_FBSB_SYNTH=1 for B2B / demo runs where you accept the
* shunt for performance. Silently no-op without FBSB_SYNTH so
* the user can leave it set without affecting real-DSP runs.
*/
{
static int fbdet_skip_enabled = -1;
static int fbsb_synth_active = -1;
static uint16_t prev_pc_fbdet = 0;
static uint64_t fbdet_skip_count = 0;
if (fbdet_skip_enabled < 0) {
const char *e1 = getenv("CALYPSO_DSP_FBDET_SKIP");
fbdet_skip_enabled = (e1 && *e1 == '1') ? 1 : 0;
const char *e2 = getenv("CALYPSO_FBSB_SYNTH");
fbsb_synth_active = (e2 && *e2 == '1') ? 1 : 0;
C54_LOG("DSP FBDET SKIP: %s%s",
fbdet_skip_enabled ? "enabled" : "disabled",
fbdet_skip_enabled && !fbsb_synth_active
? " (but FBSB_SYNTH=0 — skip is no-op)" : "");
}
if (fbdet_skip_enabled && fbsb_synth_active &&
s->pc >= 0x8d00 && s->pc < 0x8f80 &&
(prev_pc_fbdet < 0x8d00 || prev_pc_fbdet >= 0x8f80)) {
uint16_t ra = data_read(s, s->sp);
s->sp = (uint16_t)(s->sp + 1);
fbdet_skip_count++;
if (fbdet_skip_count <= 5 || (fbdet_skip_count % 10000) == 0) {
C54_LOG("FBDET-SKIP #%llu entry_pc=0x%04x ra=0x%04x SP=0x%04x",
(unsigned long long)fbdet_skip_count,
s->pc, ra, s->sp);
}
s->pc = ra;
prev_pc_fbdet = ra;
s->cycles += 5;
executed += 5;
continue;
}
prev_pc_fbdet = s->pc;
}
/* Replay any interrupt that fired while INTM=1.
* c54x_interrupt_ex sets IFR but does nothing else when INTM=1;
* the real C54x re-evaluates pending interrupts every cycle, so
* as soon as INTM clears (via RETE or RSBX INTM) a pending
* BRINT0/TINT0/... must dispatch. Without this, a BRINT0 that
* arrived inside another ISR is lost and the FB correlator never
* receives its I/Q samples (d_fb_det stays 0). */
if (!(s->st1 & ST1_INTM)) {
uint16_t pending = s->ifr & s->imr;
if (pending) {
int imr_bit = __builtin_ctz(pending);
int vec = imr_bit + 16;
s->ifr &= ~(1 << imr_bit);
s->sp--;
data_write(s, s->sp, s->pc);
if (s->pmst & PMST_APTS) {
s->sp--;
data_write(s, s->sp, s->xpc);
}
s->st1 |= ST1_INTM;
uint16_t iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
s->pc = (iptr * 0x80) + vec * 4;
static int pending_log = 0;
if (pending_log < 20) {
C54_LOG("PENDING IRQ replay vec=%d bit=%d PC->0x%04x SP=0x%04x insn=%u",
vec, imr_bit, s->pc, s->sp, s->insn_count);
pending_log++;
}
}
}
/* Record PC in ring buffer */
pc_ring[pc_ring_idx & 255] = s->pc;
pc_ring_idx++;
/* Push counter at PC=0xb906 (and other suspected push sites).
* Logs at powers of 10 to track cadence. SP captured at hit. */
{
static unsigned hit_b906 = 0;
if (s->pc == 0xb906) {
hit_b906++;
if (hit_b906 == 1 || hit_b906 == 10 || hit_b906 == 100 ||
hit_b906 == 1000 || hit_b906 == 10000 ||
hit_b906 == 100000 || hit_b906 == 1000000) {
C54_LOG("HIT-b906 #%u op=0x%04x SP=0x%04x XPC=%d insn=%u",
hit_b906, s->prog[0xb906], s->sp, s->xpc,
s->insn_count);
}
}
}
/* INTM transition tracer: every change of ST1 bit 11 with
* surrounding state. Identifies which IRQ entered the trap and
* whether RETE / RSBX paths ever execute again. On each 0->1
* (IRQ entry), also dump prog[PC..PC+8] and the 4 most-recently
* pushed stack words (data[SP..SP+3]) so we can see what handler
* we're entering and why it never RETEs.
*
* NOTE: this block runs BEFORE c54x_exec_one of the current
* iteration. So when a transition is observed, the cause was
* either (a) the previous iteration's exec_one (RETE, RSBX INTM
* etc. — INTM 1→0), or (b) the pending-IRQ replay block above
* (INTM 0→1, PC moved to vector). For (a), s->pc has already
* advanced past the cause — log the previous iteration's
* exec_pc/exec_op (captured at end of loop into last_exec_*) so
* the cause is unambiguous. For (b), s->pc IS the vector entry
* and is informative as-is. */
{
static int intm_log = 0;
static uint16_t prev_intm = 0xFFFF;
uint16_t cur_intm = !!(s->st1 & ST1_INTM);
if (prev_intm != 0xFFFF && cur_intm != prev_intm && intm_log < 200) {
C54_LOG("INTM-TRANS %u->%u current PC=0x%04x op=0x%04x | "
"cause prev_exec PC=0x%04x op=0x%04x | "
"XPC=%d IFR=0x%04x SP=0x%04x insn=%u",
(unsigned)prev_intm, (unsigned)cur_intm,
s->pc, s->prog[s->pc],
s->last_exec_pc, s->last_exec_op,
s->xpc, s->ifr, s->sp,
s->insn_count);
if (cur_intm == 1) {
C54_LOG(" HANDLER prog[PC..PC+8]: %04x %04x %04x %04x %04x %04x %04x %04x %04x",
s->prog[s->pc],
s->prog[(uint16_t)(s->pc + 1)],
s->prog[(uint16_t)(s->pc + 2)],
s->prog[(uint16_t)(s->pc + 3)],
s->prog[(uint16_t)(s->pc + 4)],
s->prog[(uint16_t)(s->pc + 5)],
s->prog[(uint16_t)(s->pc + 6)],
s->prog[(uint16_t)(s->pc + 7)],
s->prog[(uint16_t)(s->pc + 8)]);
C54_LOG(" STACK data[SP..SP+3]: %04x %04x %04x %04x",
s->data[s->sp],
s->data[(uint16_t)(s->sp + 1)],
s->data[(uint16_t)(s->sp + 2)],
s->data[(uint16_t)(s->sp + 3)]);
}
intm_log++;
}
prev_intm = cur_intm;
}
/* SP-WATCH: log every transition where SP enters / leaves the
* API mailbox region [0x0800..0x08FF]. This pinpoints the exact
* instruction that corrupts the stack pointer so we don't have
* to keep recoding to investigate. */
{
static uint16_t prev_sp = 0xFFFF;
bool was_in = (prev_sp >= 0x0800 && prev_sp < 0x0900);
bool is_in = (s->sp >= 0x0800 && s->sp < 0x0900);
if (was_in != is_in) {
fprintf(stderr,
"[c54x] SP-WATCH %s SP=0x%04x (prev=0x%04x) "
"PC=0x%04x op=0x%04x insn=%u\n",
is_in ? "ENTER api" : "LEAVE api",
s->sp, prev_sp, s->pc, s->prog[s->pc], s->insn_count);
}
prev_sp = s->sp;
}
/* TRACE: dump entry into 0xe260 loop (first 5 hits) */
if (s->pc == 0xe260 || s->pc == 0xe261) {
static int e260_log = 0;
if (e260_log < 5) {
e260_log++;
C54_LOG("E260-ENTRY #%d PC=0x%04x AR2=%04x AR5=%04x BRC=%d RSA=%04x REA=%04x rptb=%d IMR=%04x SP=%04x insn=%u",
e260_log, s->pc, s->ar[2], s->ar[5], s->brc, s->rsa, s->rea, s->rptb_active, s->imr, s->sp, s->insn_count);
int idx = pc_ring_idx;
char buf[1024]; int o = 0;
for (int i = 50; i >= 1; i--) {
o += snprintf(buf+o, sizeof(buf)-o, "%04x ", pc_ring[(idx-i)&255]);
}
C54_LOG("E260-PCRING (last 50): %s", buf);
/* Dump runtime opcodes 0xe255..0xe28f */
char ob[1024]; int oo = 0;
for (uint16_t a = 0xe255; a <= 0xe28f; a++) {
oo += snprintf(ob+oo, sizeof(ob)-oo, "%04x ", s->prog[a]);
}
C54_LOG("E260-PROG[e255..e28f]: %s", ob);
}
}
/* CALA loop tracer: dump A and SP at PC=0xd24e and 0xd250 (first 40) */
if (s->pc == 0xd24e || s->pc == 0xd250) {
static int cala_log = 0;
if (cala_log++ < 40) {
C54_LOG("CALA-TRACE PC=0x%04x A=%08x SP=0x%04x BRC=%d AR2=%04x AR3=%04x AR4=%04x AR5=%04x insn=%u",
s->pc, (uint32_t)(s->a & 0xFFFFFFFF), s->sp, s->brc,
s->ar[2], s->ar[3], s->ar[4], s->ar[5], s->insn_count);
}
}
/* PC histogram: count visits per PC, dump top 20 every 2M insns */
{
static uint32_t pc_hist[0x10000];
static uint64_t hist_last_dump = 0;
pc_hist[s->pc]++;
if (s->insn_count - hist_last_dump >= 2000000) {
hist_last_dump = s->insn_count;
/* find top 20 */
uint32_t top_cnt[20] = {0};
uint16_t top_pc[20] = {0};
for (int i = 0; i < 0x10000; i++) {
uint32_t c = pc_hist[i];
if (c == 0) continue;
for (int j = 0; j < 20; j++) {
if (c > top_cnt[j]) {
for (int k = 19; k > j; k--) {
top_cnt[k] = top_cnt[k-1];
top_pc[k] = top_pc[k-1];
}
top_cnt[j] = c;
top_pc[j] = (uint16_t)i;
break;
}
}
}
C54_LOG("PC HIST insn=%u top: %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u",
s->insn_count,
top_pc[0], top_cnt[0], top_pc[1], top_cnt[1], top_pc[2], top_cnt[2],
top_pc[3], top_cnt[3], top_pc[4], top_cnt[4], top_pc[5], top_cnt[5],
top_pc[6], top_cnt[6], top_pc[7], top_cnt[7], top_pc[8], top_cnt[8],
top_pc[9], top_cnt[9]);
C54_LOG("PC HIST cont: %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u",
top_pc[10], top_cnt[10], top_pc[11], top_cnt[11], top_pc[12], top_cnt[12],
top_pc[13], top_cnt[13], top_pc[14], top_cnt[14], top_pc[15], top_cnt[15],
top_pc[16], top_cnt[16], top_pc[17], top_cnt[17], top_pc[18], top_cnt[18],
top_pc[19], top_cnt[19]);
memset(pc_hist, 0, sizeof(pc_hist));
}
}
/* === Rolling PC sampler (v6 — find the REAL stuck zone) ===
* The cumulative-since-boot PC HIST shows 0xa218..0xa222 dominant
* because the init loop at 0xa222 (BANZD AR5, 60k iters) ran once
* early. After that, the DSP moved on but the cumulative histogram
* still shows those PCs at the top.
*
* BANZD-A222 traces (2026-05-08) confirmed AR5 was the actual loop
* counter (61523→61499 in 25 iter), not AR1. Loop finishes in
* ~984k insns (= 0.06% of a 1.7B run). Whatever IS currently
* burning DSP cycles is in a different zone, invisible to the
* cumulative top-N.
*
* Solution : rolling histogram per 100k-insn window. Resets each
* window so we always see "what is the DSP doing RIGHT NOW".
* Logs top-5 PCs of the most recent window. */
{
static uint32_t pc_recent[0x10000];
static uint32_t recent_last_dump = 0;
pc_recent[s->pc]++;
if (s->insn_count - recent_last_dump >= 100000) {
recent_last_dump = s->insn_count;
uint32_t top_cnt[5] = {0};
uint16_t top_pc[5] = {0};
for (int i = 0; i < 0x10000; i++) {
uint32_t c = pc_recent[i];
if (c <= top_cnt[4]) continue;
top_cnt[4] = c; top_pc[4] = (uint16_t)i;
for (int j = 4; j > 0 && top_cnt[j] > top_cnt[j-1]; j--) {
uint32_t tc = top_cnt[j]; top_cnt[j] = top_cnt[j-1]; top_cnt[j-1] = tc;
uint16_t tp = top_pc[j]; top_pc[j] = top_pc[j-1]; top_pc[j-1] = tp;
}
}
C54_LOG("PC RECENT (last 100k) top: %04x:%u %04x:%u %04x:%u %04x:%u %04x:%u",
top_pc[0], top_cnt[0], top_pc[1], top_cnt[1],
top_pc[2], top_cnt[2], top_pc[3], top_cnt[3],
top_pc[4], top_cnt[4]);
memset(pc_recent, 0, sizeof(pc_recent));
}
}
/* === ENTER-RPTB-A218 probe (Q-BRC investigation 2026-05-08 v5+v6) ===
* v5 hypothesis (BRC≈30770) was REFUTED by first 20 events :
* BRC=0 systematic, AR1=0 systematic, AR2 increments by 2,
* 16 insns between visits.
* v6 expands to capture the late-run behaviour : the cap=20 saturated
* at insn=48M while the run reached 2.4B. We now have :
* (a) cap=200 for early events
* (b) periodic sampler at 100k-visits intervals (late-run)
* (c) BANZD-A222 probe to capture the actual AR used by the
* branch-back instruction at 0xa222 op=0x6e81.
* The !s->rpt_active guard avoids spurious mid-RPTB hits. */
if (s->pc == 0xa218 && !s->rpt_active) {
static unsigned a218_total = 0;
static int a218_log = 0;
a218_total++;
bool log_now = (a218_log < 200) ||
(a218_total % 100000 == 0);
if (log_now) {
C54_LOG("ENTER-RPTB-A218 #%d total=%u BRC=%u (0x%04x) "
"AR0=0x%04x AR1=0x%04x AR2=0x%04x AR3=0x%04x "
"AR4=0x%04x AR5=0x%04x A=%010llx T=0x%04x "
"ST0=0x%04x insn=%u",
a218_log + 1, a218_total, s->brc, s->brc,
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5],
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
s->t, s->st0, s->insn_count);
a218_log++;
}
}
/* === BANZD-A222 probe (v6) ===
* 0xa222 op=0x6e81 + opnd 0x8208 = `BANZD pmad, *Sind`.
* The *Sind operand decodes some AR but my v5 guess (AR1) was
* unverified — capture all ARs so we see which one is non-zero
* and how it evolves. If AR1=0 systematically, the branch test
* uses a different AR. Cap=200, plus periodic 100k. */
if (s->pc == 0xa222 && !s->rpt_active) {
static unsigned a222_total = 0;
static int a222_log = 0;
a222_total++;
bool log_now = (a222_log < 200) ||
(a222_total % 100000 == 0);
if (log_now) {
C54_LOG("BANZD-A222 #%d total=%u op=0x%04x op2=0x%04x "
"AR0=0x%04x AR1=0x%04x AR2=0x%04x AR3=0x%04x "
"AR4=0x%04x AR5=0x%04x AR6=0x%04x AR7=0x%04x "
"BRC=%u insn=%u",
a222_log + 1, a222_total,
s->prog[s->pc], s->prog[(uint16_t)(s->pc + 1)],
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7],
s->brc, s->insn_count);
a222_log++;
}
}
/* Companion probe at 0xa215 (BRC setup) and 0xa217 (outer entry).
* 0xa215 op=0x4492 + 0xa216 opnd 0x0092 = `ADD/SUB Smem,16,dst` per
* tic54x (2-word, mask FE00 base 0x4400). Logs A_pre / A_post and
* the Smem read so we can trace what value lands in dst (may feed
* BRC eventually). 30-event cap. */
if (s->pc == 0xa215 || s->pc == 0xa217) {
static int brc_setup_215 = 0;
static int brc_setup_217 = 0;
int *cnt = (s->pc == 0xa215) ? &brc_setup_215 : &brc_setup_217;
if (*cnt < 30) {
C54_LOG("ENTER-A%04x #%d AR0=%04x AR1=%04x AR2=%04x "
"A=%010llx B=%010llx T=%04x BRC=%u DP=0x%03x insn=%u",
s->pc, *cnt + 1,
s->ar[0], s->ar[1], s->ar[2],
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
(unsigned long long)(s->b & 0xFFFFFFFFFFLL),
s->t, s->brc, (s->st0 & 0x1FF), s->insn_count);
(*cnt)++;
}
}
/* === XC-COND probe at PC=0xa0e0 / 0xa0e4 (Q1 hypothesis test) ===
* Per Claude web v3 diag (2026-05-08) : routine 0xa0e0..0xa0e9 ends
* at PC=0xa0e7 op=0xc8be where AR4 is consistently 0x18 (=MMR_SP)
* pre-instruction → ST||LD writes to SP, catastrophe.
*
* Static dump shows two `XC 1, cond` instructions before 0xc8be :
* 0xa0e0 = 0xfd30 ; XC 1, cond=0x30 (TC)
* 0xa0e4 = 0xfd43 ; XC 1, cond=0x43 (ALT, A<0)
*
* Hypothesis : if XC condition evaluates to FALSE (TC bit not set, or
* A not negative), the conditional STM #lk, AR4 (likely at 0xa0e5) is
* SKIPPED → AR4 keeps stale value of 0x18 from earlier code path.
*
* Log every visit with : cond byte, TC/A/B flag values, AR4 value,
* and the next opcode (which would be skipped or executed). If the
* "taken" decision is consistently false at one of these XCs, that's
* the bug. Cap to 100 events per PC. */
if (s->pc == 0xa0e0 || s->pc == 0xa0e4) {
static unsigned xc_log_e0;
static unsigned xc_log_e4;
unsigned *cnt = (s->pc == 0xa0e0) ? &xc_log_e0 : &xc_log_e4;
if (*cnt < 100) {
uint16_t op_xc = s->prog[s->pc];
uint8_t cond_byte = op_xc & 0xFF;
uint16_t next_op = s->prog[(uint16_t)(s->pc + 1)];
/* Mirror the condition decode from c54x_exec_one (case 0xF
* XC handler around line 1108+) — only the common subset. */
bool cond = false;
if (cond_byte == 0x00) cond = true;
else if (cond_byte == 0x0C) cond = (s->st0 & ST0_C) != 0;
else if (cond_byte == 0x08) cond = !(s->st0 & ST0_C);
else if (cond_byte == 0x30) cond = (s->st0 & ST0_TC) != 0;
else if (cond_byte == 0x20) cond = !(s->st0 & ST0_TC);
else if (cond_byte == 0x45) cond = (sext40(s->a) == 0);
else if (cond_byte == 0x44) cond = (sext40(s->a) != 0);
else if (cond_byte == 0x46) cond = (sext40(s->a) > 0);
else if (cond_byte == 0x42) cond = (sext40(s->a) >= 0);
else if (cond_byte == 0x43) cond = (sext40(s->a) < 0);
else if (cond_byte == 0x47) cond = (sext40(s->a) <= 0);
else if (cond_byte == 0x4D) cond = (sext40(s->b) == 0);
else if (cond_byte == 0x4C) cond = (sext40(s->b) != 0);
else if (cond_byte == 0x4E) cond = (sext40(s->b) > 0);
else if (cond_byte == 0x4A) cond = (sext40(s->b) >= 0);
else if (cond_byte == 0x4B) cond = (sext40(s->b) < 0);
else if (cond_byte == 0x4F) cond = (sext40(s->b) <= 0);
fprintf(stderr,
"[c54x] XC-COND #%u PC=0x%04x op=0x%04x cond=0x%02x "
"→ %s | TC=%d C=%d A=%010llx (sgn:%c) "
"B=%010llx (sgn:%c) AR4=0x%04x next_op=0x%04x insn=%u\n",
*cnt + 1, s->pc, op_xc, cond_byte,
cond ? "TAKEN " : "SKIPPED",
!!(s->st0 & ST0_TC),
!!(s->st0 & ST0_C),
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
sext40(s->a) < 0 ? '-' : (sext40(s->a) == 0 ? '0' : '+'),
(unsigned long long)(s->b & 0xFFFFFFFFFFULL),
sext40(s->b) < 0 ? '-' : (sext40(s->b) == 0 ? '0' : '+'),
s->ar[4], next_op, s->insn_count);
(*cnt)++;
}
}
/* === MAC-8d33 trace — FB-det inner correlator ===
* The DSP loops indefinitely in 0x8d2d..0x8d36. Static dump shows :
* 8d2d 0x771a 0x0004 ; (2-word) — likely setup
* 8d2f 0xf072 0x8d33 ; RPTB pmad, end=0x8d33 (per tic54x)
* 8d31 0xf461 ; F46x = SFTA src,shift,dst (1-word)
* 8d32 0xf591 ; F591 = ROL B (per our decoder)
* 8d33 0xf3e2 ; F3E0-F3FF = SFTL src,SHIFT,DST ← writes a_sync_SNR
* 8d34 0x6e89 0x8d2d ; BANZD pmad=0x8d2d, *AR — outer back-branch
* 8d36 0xf3e1 ; SFTL B,1,B (exit path)
* PC HIST counts (105k outer / 526k inner = 5×) confirm the 5-iter
* RPTB body is (0x8d32, 0x8d33, 0x8d34) repeated 5 times.
*
* Capture A_pre, T, AR2..AR5 at each PC inside this zone. Rate-limit :
* first 50 always (init + early convergence)
* every 5000th (steady-state cadence)
* when |A_after - last_logged_A| > 0x100000 (significant accumulator
* shift = convergence event worth dumping)
* Plus a dedicated "ENTER 0x8d2d" outer-iter counter that always logs
* A_pre at the OUTER entry, so we can tell whether the accumulator
* is reset between FB-det attempts (Observation 1 from session diag). */
if (s->pc >= 0x8d2c && s->pc <= 0x8d3a) {
static uint64_t mac8d_count;
static int64_t last_logged_a;
int64_t a_now = sext40(s->a);
int64_t da = a_now - last_logged_a;
if (da < 0) da = -da;
mac8d_count++;
bool log_now = (mac8d_count <= 50) ||
(mac8d_count % 5000) == 0 ||
da > 0x100000LL;
if (log_now) {
C54_LOG("MAC-8d33 #%llu PC=0x%04x op=0x%04x A_pre=%010llx B=%010llx "
"T=0x%04x ARs: %04x %04x %04x %04x %04x %04x BRC=%d insn=%u",
(unsigned long long)mac8d_count,
s->pc, s->prog[s->pc],
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
(unsigned long long)(s->b & 0xFFFFFFFFFFULL),
s->t,
s->ar[2], s->ar[3], s->ar[4], s->ar[5], s->ar[6], s->ar[7],
s->brc, s->insn_count);
last_logged_a = a_now;
}
}
/* Dedicated outer-entry tracer at PC=0x8d2d : ALWAYS log A_pre on
* entry (cap to 200 events). If A is non-zero on outer entry,
* the accumulator wasn't reset between attempts — observation 1
* from 2026-05-08 session : 21× 0x2fb0 SNR could mean stuck
* accumulator across attempts. */
if (s->pc == 0x8d2d) {
static uint64_t enter_8d2d;
enter_8d2d++;
if (enter_8d2d <= 200) {
C54_LOG("ENTER-8d2d #%llu A_pre=%010llx B_pre=%010llx T=0x%04x "
"ARs: %04x %04x %04x %04x %04x %04x %04x %04x SP=0x%04x BRC=%d insn=%u",
(unsigned long long)enter_8d2d,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
(unsigned long long)(s->b & 0xFFFFFFFFFFULL),
s->t,
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7],
s->sp, s->brc, s->insn_count);
}
}
/* === HOT-OPS PROBE for 0xe9ac..0xe9b7 + 0xe981..0xe983 ===
* Diag v2 2026-05-08 : DSP locked in deterministic 7-instruction
* loop at 0xe9ac..0xe9b7 (PROM1 mirror), with outer 3-PC loop
* 0xe981..0xe983 reloading a BRC counter — pattern consistent
* with `RPTB end_addr` + outer reset. We need the actual opcodes
* to confirm/refute the RPTB hypothesis. One-shot dump on first
* entry into the body range, with surrounding context (a few
* words before for the RPTB instruction itself, and the outer). */
{
static bool e9ac_dumped = false;
if (!e9ac_dumped && s->pc >= 0xe9ac && s->pc <= 0xe9b7) {
e9ac_dumped = true;
fprintf(stderr,
"[c54x] HOT-OPS-DUMP triggered at PC=0x%04x insn=%u\n",
s->pc, s->insn_count);
fprintf(stderr,
"[c54x] HOT-OPS prog[0xe9a0..0xe9bf]:");
for (uint16_t a = 0xe9a0; a <= 0xe9bf; a++)
fprintf(stderr, " %04x", s->prog[a]);
fprintf(stderr, "\n");
fprintf(stderr,
"[c54x] HOT-OPS prog[0xe97c..0xe98f] (outer):");
for (uint16_t a = 0xe97c; a <= 0xe98f; a++)
fprintf(stderr, " %04x", s->prog[a]);
fprintf(stderr, "\n");
fprintf(stderr,
"[c54x] HOT-OPS state: BRC=%d RSA=0x%04x REA=0x%04x "
"rptb_active=%d ST1=0x%04x AR0..7: %04x %04x %04x %04x "
"%04x %04x %04x %04x\n",
s->brc, s->rsa, s->rea, s->rptb_active, s->st1,
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7]);
}
}
/* Track SP changes inside RPTB loops */
uint16_t sp_before = s->sp;
/* Trace EB04 loop — dump first 20 iterations */
if (s->pc == 0xEB04) {
static int eb04_log = 0;
if (eb04_log < 20) {
C54_LOG("EB04 op=%04x A=0x%010llx B=0x%010llx T=%04x "
"INTM=%d IMR=%04x IFR=%04x rptb=%d RSA=%04x REA=%04x BRC=%d "
"AR0=%04x AR1=%04x AR2=%04x AR3=%04x AR4=%04x AR5=%04x AR6=%04x AR7=%04x",
prog_fetch(s, s->pc),
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
(unsigned long long)(s->b & 0xFFFFFFFFFFLL),
s->t,
!!(s->st1 & ST1_INTM), s->imr, s->ifr,
s->rptb_active, s->rsa, s->rea, s->brc,
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7]);
eb04_log++;
}
}
/* Dump DSP state when stuck — triggers once after 500M instructions
* if DSP hasn't reached IDLE yet */
{
static int dumped = 0;
if (s->insn_count > 500000000 && !dumped && !s->idle) {
dumped = 1;
C54_LOG("DSP NO-IDLE dump at insn=%u PC=0x%04x:", s->insn_count, s->pc);
C54_LOG(" ST0=0x%04x ST1=0x%04x PMST=0x%04x SP=0x%04x INTM=%d",
s->st0, s->st1, s->pmst, s->sp, !!(s->st1 & ST1_INTM));
C54_LOG(" IMR=0x%04x IFR=0x%04x rptb=%d RSA=0x%04x REA=0x%04x BRC=%d",
s->imr, s->ifr, s->rptb_active, s->rsa, s->rea, s->brc);
C54_LOG(" A=0x%010llx B=0x%010llx T=0x%04x XPC=%d",
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
(unsigned long long)(s->b & 0xFFFFFFFFFFLL), s->t, s->xpc);
C54_LOG(" AR0=%04x AR1=%04x AR2=%04x AR3=%04x AR4=%04x AR5=%04x AR6=%04x AR7=%04x",
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7]);
/* Dump code around current PC (using prog_fetch for correct OVLY) */
C54_LOG(" Code around PC:");
for (int i = -4; i < 16; i++) {
uint16_t a = s->pc + i;
C54_LOG(" %c [0x%04x] = 0x%04x",
i == 0 ? '>' : ' ', a, prog_fetch(s, a));
}
C54_LOG(" ST0=0x%04x ST1=0x%04x PMST=0x%04x SP=0x%04x INTM=%d",
s->st0, s->st1, s->pmst, s->sp, !!(s->st1 & ST1_INTM));
C54_LOG(" A=0x%010llx B=0x%010llx T=0x%04x",
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
(unsigned long long)(s->b & 0xFFFFFFFFFFLL), s->t);
C54_LOG(" AR0=%04x AR1=%04x AR2=%04x AR3=%04x AR4=%04x AR5=%04x AR6=%04x AR7=%04x",
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7]);
}
}
/* BSP read entry points — these functions contain PORTR PA=0xF430
* (read BSP sample). If DSP never visits them, the FB-det chain is
* dead. Targets identified by static analysis of PROM0 callers of
* the 64 PORTR PA=0xF430 sites at 0x9b80+. */
if (!s->rpt_active &&
(s->pc == 0x9a78 || s->pc == 0x9aaf || s->pc == 0x9ad3 ||
s->pc == 0x9b4c || s->pc == 0x8811)) {
static unsigned bsp_visits[5];
int idx = (s->pc == 0x9a78) ? 0 :
(s->pc == 0x9aaf) ? 1 :
(s->pc == 0x9ad3) ? 2 :
(s->pc == 0x9b4c) ? 3 : 4;
if (bsp_visits[idx] < 5) {
bsp_visits[idx]++;
C54_LOG("BSP-ENTRY PC=0x%04x A=0x%010llx ar0=%04x ar1=%04x "
"ar2=%04x ar3=%04x ar4=%04x SP=0x%04x insn=%u",
s->pc,
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
s->ar[0], s->ar[1], s->ar[2], s->ar[3], s->ar[4],
s->sp, s->insn_count);
}
}
/* Trace any write touching the dispatcher poll addresses
* data[0x4359] / data[0x3fab]. We never see them go non-zero;
* confirm whether ANY code path writes them. */
/* (handled in data_write — see below) */
/* Dispatcher hot loop trace at PROM0 0xb968-0xb9a4 — the state
* machine the DSP spins in when waiting for ARM tasks. Logs the
* first 8 visits per PC so we see the full conditional structure
* (which addresses it polls, which constants it compares to). */
if (s->pc >= 0xb968 && s->pc <= 0xb9a4 && !s->rpt_active) {
static uint8_t disp_visits[64];
int idx = s->pc - 0xb968;
if (idx >= 0 && idx < 64 && disp_visits[idx] < 8) {
disp_visits[idx]++;
C54_LOG("DISP-TRACE PC=0x%04x op=0x%04x A=0x%010llx "
"B=0x%010llx ar0=%04x ar1=%04x ar2=%04x ar3=%04x "
"ar4=%04x ar5=%04x TC=%d",
s->pc, prog_fetch(s, s->pc),
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
(unsigned long long)(s->b & 0xFFFFFFFFFFLL),
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5],
!!(s->st0 & ST0_TC));
}
}
/* IRQ vec area trace: log every PC visit in 0xFFCC-0xFFE0
* (INT3 + TINT0 + BRINT0 vec slots). Captures the 3 actual
* 4-word handlers our IRQ INT3 dispatch lands on at IPTR=0x1ff.
* 80 unique PCs max, log first 4 visits each. */
if (s->pc >= 0xFFCC && s->pc < 0xFFE0 && !s->rpt_active) {
static uint8_t vec_visits[20]; /* index 0 = 0xffcc */
int idx = s->pc - 0xFFCC;
if (vec_visits[idx] < 4) {
vec_visits[idx]++;
C54_LOG("VEC-TRACE PC=0x%04x op=0x%04x SP=0x%04x A=0x%010llx "
"B=0x%010llx TC=%d INTM=%d ar7=%04x",
s->pc, prog_fetch(s, s->pc), s->sp,
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
(unsigned long long)(s->b & 0xFFFFFFFFFFLL),
!!(s->st0 & ST0_TC),
!!(s->st1 & ST1_INTM),
s->ar[7]);
}
}
/* Trace DSP init - log once per unique PC in E900-E960 */
if (s->pc >= 0xE900 && s->pc < 0xE960 && !s->rpt_active) {
static uint16_t seen_pcs[96];
int idx = s->pc - 0xE900;
if (!seen_pcs[idx]) {
seen_pcs[idx] = 1;
C54_LOG("INIT PC=0x%04x op=0x%04x SP=0x%04x BRC=%d rptb=%d RSA=0x%04x REA=0x%04x",
s->pc, prog_fetch(s, s->pc), s->sp, s->brc,
s->rptb_active, s->rsa, s->rea);
}
}
/* Trace SINT17 handler (0x8a00-0x8a5f) */
if (s->pc >= 0x8a00 && s->pc < 0x8a60) {
static int sint17_log = 0;
if (sint17_log < 500) {
C54_LOG("SINT17 PC=0x%04x op=0x%04x SP=0x%04x DP=0x%03x A=0x%010llx B=0x%010llx AR0=%04x",
s->pc, prog_fetch(s, s->pc), s->sp, dp(s),
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
(unsigned long long)(s->b & 0xFFFFFFFFFFLL), s->ar[0]);
sint17_log++;
}
}
/* Sample PC every 1M instructions to find stuck loops */
if (executed > 0 && (executed % 1000000) == 0) {
static int sample_log = 0;
if (sample_log < 20)
C54_LOG("@%dM: PC=0x%04x op=0x%04x SP=0x%04x insn=%u",
executed/1000000, s->pc, prog_read(s, s->pc), s->sp, s->insn_count);
sample_log++;
}
if (run_num <= 2 && executed < 2000) {
C54_LOG("BOOT[%d.%d] PC=0x%04x op=0x%04x SP=0x%04x A=0x%010llx B=0x%010llx",
run_num, executed, s->pc, prog_fetch(s, s->pc), s->sp,
(unsigned long long)(s->a & 0xFFFFFFFFFFLL),
(unsigned long long)(s->b & 0xFFFFFFFFFFLL));
}
/* RPTB check moved below — must run AFTER `s->pc += consumed` so
* that when the body's last instruction has executed and PC has
* advanced to REA+1, the redirect to RSA is the FINAL operation
* on PC for this iteration. The previous placement (before PC
* advance) caused a 1-instruction off-by-one : redirect set
* pc=RSA, then `s->pc += consumed` bumped it to RSA+1, so the
* first body instruction was never re-executed across iterations
* (PC HIST showed body=[RSA+1..REA+1] instead of [RSA..REA]). */
/* Trace the IMR loop: how does the DSP reach 0x03F0? */
/* Trace RPTB entry at 0x76FD: dump all AR values */
if (s->pc == 0x76FD) {
static int rptb_entry_log = 0;
if (rptb_entry_log < 30)
C54_LOG("RPTB-ENTRY PC=0x76FD AR0=%04x AR1=%04x AR2=%04x AR3=%04x AR4=%04x AR5=%04x AR6=%04x AR7=%04x ARP=%d DP=%d BRC=%d SP=%04x",
s->ar[0], s->ar[1], s->ar[2], s->ar[3], s->ar[4], s->ar[5], s->ar[6], s->ar[7],
arp(s), dp(s), s->brc, s->sp);
rptb_entry_log++;
}
if (s->pc == 0x03F0) {
static int f3_log = 0;
if (f3_log < 2) {
C54_LOG("PC=0x03F0 op=0x%04x insn=%u SP=0x%04x IMR=0x%04x XPC=%d PMST=0x%04x",
prog_fetch(s, s->pc), s->insn_count, s->sp, s->imr, s->xpc, s->pmst);
C54_LOG(" trail: %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x %04x",
pc_ring[(pc_ring_idx-20)&255], pc_ring[(pc_ring_idx-19)&255],
pc_ring[(pc_ring_idx-18)&255], pc_ring[(pc_ring_idx-17)&255],
pc_ring[(pc_ring_idx-16)&255], pc_ring[(pc_ring_idx-15)&255],
pc_ring[(pc_ring_idx-14)&255], pc_ring[(pc_ring_idx-13)&255],
pc_ring[(pc_ring_idx-12)&255], pc_ring[(pc_ring_idx-11)&255],
pc_ring[(pc_ring_idx-10)&255], pc_ring[(pc_ring_idx-9)&255],
pc_ring[(pc_ring_idx-8)&255], pc_ring[(pc_ring_idx-7)&255],
pc_ring[(pc_ring_idx-6)&255], pc_ring[(pc_ring_idx-5)&255],
pc_ring[(pc_ring_idx-4)&255], pc_ring[(pc_ring_idx-3)&255],
pc_ring[(pc_ring_idx-2)&255], pc_ring[(pc_ring_idx-1)&255]);
f3_log++;
}
}
/* Boot trace */
if (g_boot_trace > 0) {
C54_LOG("BOOT[%d] PC=0x%04x op=0x%04x SP=0x%04x PMST=0x%04x",
51 - g_boot_trace, s->pc, prog_fetch(s, s->pc), s->sp, s->pmst);
g_boot_trace--;
}
/* Execute instruction */
int consumed;
uint16_t exec_pc = s->pc;
uint16_t exec_op = prog_fetch(s, s->pc);
consumed = c54x_exec_one(s);
/* Detect SP changes — only log after init (insn > 490M) */
if (s->sp != sp_before && s->insn_count > 490000000) {
static int sp_leak_log = 0;
if (sp_leak_log < 100) {
C54_LOG("SP %+d PC=0x%04x op=0x%04x SP 0x%04x→0x%04x insn=%u",
(int16_t)(s->sp - sp_before), exec_pc, exec_op, sp_before, s->sp, s->insn_count);
sp_leak_log++;
}
}
/* === SP catastrophic delta tracer ===
* Diag v2 2026-05-08 : SP went from 0x9c1e → 0x0001 in one window
* (lost ~40k stack words). The progressive-leak log above caps at
* 100 small deltas and misses the single catastrophic event.
* This block flags any |Δ| > 100 in one instruction — never
* capped — so the buggy STM/PSHM/POPM/RETE-corrupted-stack /
* FRAME-with-huge-offset is unambiguously identified the FIRST
* time it happens. ARs included so we can see if the ST/LD
* destination resolved to an MMR slot (e.g. *AR=0x18 → MMR_SP).
*
* Threshold raised from 100→256 on 2026-05-08 to filter legitimate
* FRAME #imm8s (signed 8-bit can be ±127). Real catastrophes from
* dual-op writing to MMR_SP are always thousands of words. */
{
int32_t dsp = (int32_t)(int16_t)(s->sp - sp_before);
if (dsp > 256 || dsp < -256) {
fprintf(stderr,
"[c54x] SP-CATASTROPHE Δ=%+d PC=0x%04x op=0x%04x "
"SP 0x%04x → 0x%04x INTM=%d "
"AR0..7: %04x %04x %04x %04x %04x %04x %04x %04x "
"BK=%04x A=%010llx insn=%u\n",
(int)dsp, exec_pc, exec_op, sp_before, s->sp,
!!(s->st1 & ST1_INTM),
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7],
s->bk,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
s->insn_count);
}
}
/* === DUAL-OP-INTERPRET diagnostic ===
* Compare current decoder's AR field interpretation (3-bit fields)
* with SPRU172C's dual-operand encoding (2-bit AR fields + offset 2,
* AR2..AR5 only). If the two disagree on which AR is used and the
* SP-CATASTROPHE just fired, we have evidence the encoding is
* wrong. Cap to 100 entries to avoid log explosion. */
if ((exec_op & 0xFC00) == 0xC800 && (
(int32_t)(int16_t)(s->sp - sp_before) > 100 ||
(int32_t)(int16_t)(s->sp - sp_before) < -100)) {
static unsigned dop_log;
if (dop_log++ < 100) {
int xar_cur = (exec_op >> 4) & 0x07;
int yar_cur = exec_op & 0x07;
int xar_spru = ((exec_op >> 4) & 0x03) + 2;
int yar_spru = (exec_op & 0x03) + 2;
int xmod_spru = (exec_op >> 6) & 0x03;
int ymod_spru = (exec_op >> 2) & 0x03;
fprintf(stderr,
"[c54x] DUAL-OP-INTERPRET op=0x%04x PC=0x%04x : "
"current_dec X=AR%d Y=AR%d (3bit) | "
"SPRU172C X=AR%d Y=AR%d xmod=%d ymod=%d (2bit+2) | "
"AR%d_cur=%04x AR%d_spru=%04x | "
"AR%d_cur=%04x AR%d_spru=%04x\n",
exec_op, exec_pc,
xar_cur, yar_cur,
xar_spru, yar_spru, xmod_spru, ymod_spru,
xar_cur, s->ar[xar_cur],
xar_spru, s->ar[xar_spru],
yar_cur, s->ar[yar_cur],
yar_spru, s->ar[yar_spru]);
}
}
/* Snapshot the just-executed PC/op into C54xState so other
* tracers (in particular INTM-TRANS at top of next iteration)
* can attribute post-instruction state changes to the cause. */
s->last_exec_pc = exec_pc;
s->last_exec_op = exec_op;
/* RPT: after executing an instruction while repeat is active,
* re-execute the SAME instruction (don't advance PC) until count=0. */
if (s->rpt_active && !s->idle) {
if (s->rpt_count > 0) {
s->rpt_count--;
/* Don't advance PC — re-execute same instruction next cycle */
s->cycles++;
executed++;
if (s->rpt_count == 0) {
static int rpt_done_log = 0;
if (rpt_done_log < 10)
C54_LOG("RPT DONE PC=0x%04x op=0x%04x count_was=%d", s->pc, prog_fetch(s, s->pc), 0);
rpt_done_log++;
}
continue;
} else {
s->rpt_active = false;
s->par_set = false;
}
}
if (consumed > 0)
s->pc += consumed;
s->pc &= 0xFFFF; /* C54x has 16-bit PC (23-bit with XPC, but wrap at 16-bit) */
/* consumed == 0 means PC was set by branch */
/* Delayed-branch slot countdown.
* RCD (and later CALLD/RETD/BD/CCD if extended) sets delayed_pc and
* delay_slots = 2. The two instructions following the RCD execute
* as normal pipeline slots; once both have completed the branch
* commits by forcing PC to delayed_pc. */
if (s->delay_slots > 0) {
s->delay_slots--;
if (s->delay_slots == 0) {
s->pc = s->delayed_pc;
}
}
/* === RPTB (block repeat) end-of-body check ===
* Must run AFTER PC advance and delayed-branch settle so the
* redirect to RSA is the final word on s->pc for this iteration.
* Triggers when PC has overshot REA (= reached REA+1 or beyond,
* accounting for 2-word instructions at the body's tail). Skip
* during RPT (single-instruction repeat has priority). */
if (s->rptb_active && !s->rpt_active && s->pc >= s->rea + 1) {
static int rptb_log = 0;
if (rptb_log < 20) {
C54_LOG("RPTB redirect PC=0x%04x→RSA=0x%04x REA=0x%04x BRC=%d",
s->pc, s->rsa, s->rea, s->brc);
rptb_log++;
}
if (s->brc > 0) {
s->brc--;
s->pc = s->rsa;
} else {
s->rptb_active = false;
{ static int _re=0;
if (_re<50) {
C54_LOG("RPTB EXIT PC=0x%04x RSA=0x%04x REA=0x%04x insn=%u SP=0x%04x",
s->pc, s->rsa, s->rea, s->insn_count, s->sp);
_re++;
}
}
s->st1 &= ~ST1_BRAF;
}
}
s->cycles++;
s->insn_count++;
executed++;
}
return executed;
}
/* ================================================================
* ROM loader
* ================================================================ */
int c54x_load_rom(C54xState *s, const char *path)
{
FILE *f = fopen(path, "r");
if (!f) {
C54_LOG("Cannot open ROM dump: %s", path);
return -1;
}
char line[1024];
int section = -1; /* 0=regs, 1=DROM, 2=PDROM, 3-6=PROM0-3 */
int total_words = 0;
while (fgets(line, sizeof(line), f)) {
/* Section headers */
if (strstr(line, "DSP dump: Registers")) { section = 0; continue; }
if (strstr(line, "DSP dump: DROM")) { section = 1; continue; }
if (strstr(line, "DSP dump: PDROM")) { section = 2; continue; }
if (strstr(line, "DSP dump: PROM0")) { section = 3; continue; }
if (strstr(line, "DSP dump: PROM1")) { section = 4; continue; }
if (strstr(line, "DSP dump: PROM2")) { section = 5; continue; }
if (strstr(line, "DSP dump: PROM3")) { section = 6; continue; }
if (section < 0) continue;
/* Parse data lines: "ADDR : XXXX XXXX XXXX ..." */
uint32_t addr;
if (sscanf(line, "%x :", &addr) != 1) continue;
char *p = strchr(line, ':');
if (!p) continue;
p++;
uint16_t word;
while (sscanf(p, " %hx%n", &word, (int[]){0}) == 1) {
int n;
sscanf(p, " %hx%n", &word, &n);
p += n;
if (section == 0) {
/* Registers: store in data memory */
if (addr < 0x60) s->data[addr] = word;
} else if (section == 1 || section == 2) {
/* DROM/PDROM: data memory */
if (addr < C54X_DATA_SIZE) s->data[addr] = word;
} else {
/* PROM: program memory.
* The dump uses extended addresses (XPC pages):
* PROM0: 0x07000-0x0DFFF → prog space 0x7000-0xDFFF
* PROM1: 0x18000-0x1FFFF → prog space 0x8000-0xFFFF (page 1)
* PROM2: 0x28000-0x2FFFF → prog space 0x8000-0xFFFF (page 2)
* PROM3: 0x38000-0x39FFF → prog space 0xF800-0xFFFF (page 3)
* For 16-bit PC access, map all PROM to lower 64K too.
* PROM0 is already at 0x7000. For PROM1-3, also mirror
* to the 16-bit alias (0x8000-0xFFFF). */
if (addr < C54X_PROG_SIZE) s->prog[addr] = word;
/* Mirror PROM1 (page 1: 0x18000-0x1FFFF) to 16-bit space.
* PROM0 occupies 0x7000-0xDFFF — only mirror PROM1 above that
* (0xE000-0xFFFF) to avoid overwriting PROM0 data.
* This gives us interrupt vectors at 0xFF80. */
if (section == 4) { /* PROM1 only */
uint16_t addr16 = addr & 0xFFFF;
/* Mirror PROM1 to 0xE000-0xFF7F only.
* 0xFF80-0xFFFF is the interrupt vector table,
* populated by the DSP boot ROM (not PROM1). */
if (addr16 >= 0xE000)
s->prog[addr16] = word;
}
}
addr++;
total_words++;
}
}
fclose(f);
C54_LOG("Loaded ROM: %d words from %s", total_words, path);
return 0;
}
/* ================================================================
* Init / Reset / Interrupts
* ================================================================ */
C54xState *c54x_init(void)
{
C54xState *s = calloc(1, sizeof(C54xState));
if (!s) return NULL;
return s;
}
void c54x_set_api_ram(C54xState *s, uint16_t *api_ram)
{
s->api_ram = api_ram;
}
void c54x_reset(C54xState *s)
{
g_boot_trace = 50;
s->a = 0; s->b = 0;
memset(s->ar, 0, sizeof(s->ar));
s->t = 0; s->trn = 0;
s->sp = 0x5AC8; s->bk = 0; /* SP init per Calypso boot ROM
* NOTE: silicon dumps show SP=0x1100 post-handshake.
* 0x5AC8 is a shortcut anticipating osmocom firmware re-init.
* See doc/datasheets/README.md §3-4. */
s->brc = 0; s->rsa = 0; s->rea = 0;
/* MMR reset values aligned with Calypso silicon (3 FreeCalypso ROM dumps + local).
* Empirically validated 2026-04-28. See doc/datasheets/README.md §3.
* Previous QEMU values (st0=0, st1=ST1_INTM, pmst=0xFFE0) were partial. */
s->st0 = 0x181F; /* DP=0x01F per silicon */
s->st1 = ST1_INTM | ST1_SXM | ST1_XF; /* 0x2900: INTM=1, SXM=1, XF=1 */
s->pmst = 0xFFA8; /* IPTR=0x1FF, MP_MC=1, OVLY=1, DROM=1 */
s->imr = 0;
s->ifr = 0;
s->xpc = 0;
s->timer_psc = 0;
s->data[TCR_ADDR] = TCR_TSS; /* Timer stopped at reset (TSS=1) per HW spec */
s->data[TIM_ADDR] = 0xFFFF; /* TIM = max at reset */
s->data[PRD_ADDR] = 0xFFFF; /* PRD = max at reset */
s->rpt_active = false;
s->rptb_active = false; { static int _re=0; if (_re<50) { C54_LOG("RPTB EXIT PC=0x%04x RSA=0x%04x REA=0x%04x insn=%u SP=0x%04x", s->pc, s->rsa, s->rea, s->insn_count, s->sp); _re++; } }
s->idle = false;
s->running = true;
s->cycles = 0;
s->insn_count = 0;
s->unimpl_count = 0;
/* Boot ROM MVPD: copy PROM0 code to DARAM overlay.
* On real Calypso, the internal boot ROM copies PROM0[0x7080..0x9FFF]
* to DARAM data[0x0080..0x27FF] before jumping to user code.
* This populates the DARAM code overlay that the DSP executes with OVLY=1.
*
* On real silicon, DARAM and API RAM share one physical memory in the
* range 0x0800-0x27FF (DSP-words). Mirror the copy into api_ram so the
* ARM-side view matches the DSP-side view from boot — without this
* mirror, every ARM read into the overlay zone returns 0 while the
* DSP executes the copied code, which silently splits the two views. */
for (int i = 0; i < 0x2780; i++) {
uint16_t addr = 0x0080 + i;
uint16_t val = s->prog[0x7080 + i];
s->data[addr] = val;
if (s->api_ram &&
addr >= C54X_API_BASE && addr < C54X_API_BASE + C54X_API_SIZE)
s->api_ram[addr - C54X_API_BASE] = val;
}
/* Install boot ROM interrupt vectors at 0xFF80 (IPTR=0x1FF).
* These are from the Calypso internal boot ROM, not in the PROM dump.
* Vec0 (reset): B 0xB410 (bootloader entry) */
s->prog[0xFF80] = 0xF880; /* B pmad */
s->prog[0xFF81] = 0xB410; /* target: bootloader */
s->prog[0xFF82] = 0xF495; /* NOP */
s->prog[0xFF83] = 0xF495; /* NOP */
/* Vec1-7: use PROM1 ROM vectors (already mirrored to 0xFF84-0xFFFF).
* Do NOT overwrite — the ROM contains the real interrupt handlers. */
/* Boot ROM stubs at 0x0000-0x007F.
* Discriminant test 2026-04-26 confirmed FRET stub did NOT block the
* firmware path to 0x0810 (reverting to NOPs gave identical PC HIST
* + same IMR change=0). FRET stub kept: prevents stack runaway when
* CALAA targets the stub area, with no downside.
*
* Fallback per slot:
* - 0x0000: LDMM SP, B (real boot ROM behaviour)
* - 0x0001: RET (paired with the CALL at 0x770A)
* - rest: FRET (0xF4E4) — return immediately to caller. */
for (int i = 0; i < 0x80; i++)
s->prog[i] = 0xF4E4; /* FRET fallback — return-from-far */
s->prog[0x0000] = 0xBA18; /* LDMM SP, B */
s->prog[0x0001] = 0xFC00; /* RET */
/* Reset vector: IPTR * 0x80 */
uint16_t iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
s->pc = iptr * 0x80; /* 0xFF80 for default PMST */
C54_LOG("Reset: PC=0x%04x PMST=0x%04x SP=0x%04x prog[PC]=0x%04x",
s->pc, s->pmst, s->sp, s->prog[s->pc]);
}
void c54x_interrupt_ex(C54xState *s, int vec, int imr_bit)
{
if (vec < 0 || vec >= 32) return;
if (imr_bit < 0 || imr_bit >= 16) return;
s->ifr |= (1 << imr_bit);
bool unmasked = (s->imr & (1 << imr_bit)) != 0;
/* Per SPRU131: IDLE exits on ANY interrupt (masked or unmasked).
* - Unmasked: branch to vector, set INTM=1
* - Masked: just resume after IDLE, IFR bit stays set */
if (s->idle) {
s->idle = false;
if (unmasked) {
/* Service the interrupt: branch to vector */
s->ifr &= ~(1 << imr_bit);
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 1));
if (s->pmst & PMST_APTS) {
s->sp--;
data_write(s, s->sp, s->xpc);
}
s->st1 |= ST1_INTM;
uint16_t iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
s->pc = (iptr * 0x80) + vec * 4;
}
/* If masked: just wake, advance PC past IDLE */
if (!unmasked) {
s->pc++; /* resume at instruction after IDLE */
}
} else if (!(s->st1 & ST1_INTM) && unmasked) {
/* Normal (non-IDLE) interrupt servicing */
s->ifr &= ~(1 << imr_bit);
s->sp--;
data_write(s, s->sp, (uint16_t)s->pc);
if (s->pmst & PMST_APTS) {
s->sp--;
data_write(s, s->sp, s->xpc);
}
s->st1 |= ST1_INTM;
uint16_t iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
s->pc = (iptr * 0x80) + vec * 4;
}
/* Log interrupts: first 20 + every 100th, so we can count them.
* PMST/IPTR included so we can correlate which vector base the IRQ
* lands at — INT3 at IPTR=0x1ff (vec=0xffcc) hits a garbage ROM stub,
* INT3 at IPTR=0x140 (vec=0xa04c) hits the firmware's real handler. */
static uint64_t int_log_count;
int_log_count++;
if (int_log_count <= 20 || (int_log_count % 100) == 0) {
uint16_t iptr_now = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
C54_LOG("IRQ #%llu vec=%d bit=%d: INTM=%d IMR=0x%04x IFR=0x%04x "
"idle=%d PC=0x%04x PMST=0x%04x IPTR=0x%03x",
(unsigned long long)int_log_count,
vec, imr_bit, !!(s->st1 & ST1_INTM), s->imr, s->ifr,
s->idle, s->pc, s->pmst, iptr_now);
}
}
void c54x_wake(C54xState *s)
{
s->idle = false;
}
void c54x_bsp_load(C54xState *s, const uint16_t *samples, int n)
{
if (n > 2048) n = 2048;
memcpy(s->bsp_buf, samples, n * sizeof(uint16_t));
s->bsp_len = n;
s->bsp_pos = 0;
/* Confirm what the PORTR PA=0x0034 serving path will hand the DSP,
* and also flag if the DSP consumed less than half of the previous
* batch before a new one arrived (would indicate correlator starvation
* or DSP never reading via PORTR at all). */
static uint64_t load_count;
load_count++;
if (load_count <= 10 || (load_count % 1000) == 0) {
C54_LOG("BSP LOAD #%llu n=%d: %04x %04x %04x %04x %04x %04x %04x %04x",
(unsigned long long)load_count, n,
n > 0 ? samples[0] : 0, n > 1 ? samples[1] : 0,
n > 2 ? samples[2] : 0, n > 3 ? samples[3] : 0,
n > 4 ? samples[4] : 0, n > 5 ? samples[5] : 0,
n > 6 ? samples[6] : 0, n > 7 ? samples[7] : 0);
}
}./hw/arm/calypso/calypso_tint0.h
/*
* calypso_tint0.h -- TINT0 master clock for Calypso GSM virtualization
*
* On real Calypso hardware, the C54x DSP Timer 0 (TIM/PRD/TCR at
* DSP addresses 0x0024-0x0026) generates TINT0 (IFR bit 4, vector 20).
* The DSP ROM configures Timer 0 to fire at TDMA frame rate (4.615ms).
* TINT0 is the master clock that synchronizes everything:
*
* TINT0 (DSP Timer 0, 4.615ms)
* +-- DSP: SINT17 frame interrupt -> process GSM tasks
* +-- TPU: frame sync -> burst scheduling
* +-- ARM: TPU_FRAME IRQ -> L1 scheduler
* +-- ARM: API IRQ -> read DSP results
* +-- UART: poll TX/RX
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef CALYPSO_TINT0_H
#define CALYPSO_TINT0_H
#include <stdint.h>
#include <stdbool.h>
/* Hardware constants from TMS320C54x Timer 0 */
#define TINT0_PERIOD_US 4615 /* 4.615 ms per TDMA frame */
#define TINT0_PERIOD_NS 4615000ULL /* in nanoseconds */
#define GSM_HYPERFRAME 2715648 /* GSM hyperframe modulus */
/* C54x Timer 0 registers (DSP data addresses) */
#define TINT0_TIM_ADDR 0x0024 /* Timer counter */
#define TINT0_PRD_ADDR 0x0025 /* Timer period */
#define TINT0_TCR_ADDR 0x0026 /* Timer control */
/* C54x IFR/IMR bit for TINT0 */
#define TINT0_IFR_BIT 4 /* IFR/IMR bit 4 */
#define TINT0_VEC 20 /* Interrupt vector 20 (offset 0x50) */
/* Start the master clock */
void calypso_tint0_start(void);
/* Notify that TPU_CTRL_EN was written (ARM requests frame processing) */
void calypso_tint0_tpu_en(void);
bool calypso_tint0_tpu_en_pending(void);
void calypso_tint0_tpu_en_clear(void);
/* Frame number access */
uint32_t calypso_tint0_fn(void);
void calypso_tint0_set_fn(uint32_t fn);
bool calypso_tint0_running(void);
#endif /* CALYPSO_TINT0_H */./hw/arm/calypso/calypso_iota.c
/*
* TWL3025 / IOTA model — implementation.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include <stdio.h>
#include <string.h>
#include "hw/arm/calypso/calypso_iota.h"
#define IOTA_LOG(fmt, ...) \
do { fprintf(stderr, "[iota] " fmt "\n", ##__VA_ARGS__); } while (0)
/* Pending BDLENA windows queued by the TPU sequencer, waiting for a
* matching downlink burst to arrive on the BSP. Sized for one full TDMA
* frame's worth of slots so successive armings on different TNs queue up
* cleanly. */
#define IOTA_PENDING_MAX 32
static struct {
uint8_t last_byte; /* most recent TSP byte */
bool bdl_ena; /* current state of BDLENA pin */
bool bul_ena; /* current state of BULENA pin */
uint32_t bdl_pulses; /* total BDLENA rising edges */
uint32_t writes_seen;
/* Pending pulses: each holds the TN the L1 armed for. */
uint8_t pending_tn[IOTA_PENDING_MAX];
int pending_head, pending_tail;
} iota;
static int iota_pending_count(void)
{
int n = iota.pending_tail - iota.pending_head;
if (n < 0) n += IOTA_PENDING_MAX;
return n;
}
static void iota_pending_push(uint8_t tn)
{
if (iota_pending_count() >= IOTA_PENDING_MAX - 1) {
IOTA_LOG("WARN pending queue full, dropping oldest");
iota.pending_head = (iota.pending_head + 1) % IOTA_PENDING_MAX;
}
iota.pending_tn[iota.pending_tail] = tn;
iota.pending_tail = (iota.pending_tail + 1) % IOTA_PENDING_MAX;
}
void calypso_iota_init(void)
{
memset(&iota, 0, sizeof(iota));
IOTA_LOG("init");
}
void calypso_iota_tsp_write(uint8_t data, uint8_t expected_tn)
{
bool prev_bdl = iota.bdl_ena;
bool prev_bul = iota.bul_ena;
iota.last_byte = data;
iota.bdl_ena = !!(data & IOTA_TSP_BDLENA);
iota.bul_ena = !!(data & IOTA_TSP_BULENA);
iota.writes_seen++;
if (!prev_bdl && iota.bdl_ena) {
iota.bdl_pulses++;
iota_pending_push(expected_tn);
if (iota.bdl_pulses <= 10 || (iota.bdl_pulses % 100) == 0) {
IOTA_LOG("BDLENA rising edge #%u tn=%u pending=%d",
iota.bdl_pulses, expected_tn, iota_pending_count());
}
}
if (prev_bul != iota.bul_ena && iota.writes_seen <= 10) {
IOTA_LOG("BULENA -> %d (data=0x%02x)", iota.bul_ena, data);
}
}
bool calypso_iota_bdl_ena(void) { return iota.bdl_ena; }
uint32_t calypso_iota_bdl_ena_pulses(void) { return iota.bdl_pulses; }
bool calypso_iota_take_bdl_pulse(uint8_t tn)
{
/* Walk the pending queue from oldest to newest looking for a TN
* match. Newer pending pulses past the matched one stay queued. */
int n = iota_pending_count();
for (int i = 0; i < n; i++) {
int idx = (iota.pending_head + i) % IOTA_PENDING_MAX;
if (iota.pending_tn[idx] == tn) {
/* Consume: shift everything from head..idx forward by 1 */
for (int j = i; j > 0; j--) {
int dst = (iota.pending_head + j) % IOTA_PENDING_MAX;
int src = (iota.pending_head + j - 1) % IOTA_PENDING_MAX;
iota.pending_tn[dst] = iota.pending_tn[src];
}
iota.pending_head = (iota.pending_head + 1) % IOTA_PENDING_MAX;
return true;
}
}
return false;
}./hw/arm/calypso/fw_console.c
/*
* fw_console.c — diagnostic poller for the layer1 firmware printf_buffer
*
* The osmocom-bb compal_e88 firmware (layer1.highram.elf) builds printf
* output in `printf_buffer` (symbol at 0x00831018) via cons_puts. On real
* hardware cons_puts pushes the assembled string to the LCD framebuffer
* (fb_bw8_putstr at 0x82a1b4); QEMU does not emulate the LCD, so the
* strings just sit in RAM and get overwritten on the next printf.
*
* This poller wakes every FW_POLL_MS simulated milliseconds, snapshots the
* buffer via cpu_physical_memory_read, and emits the string to
* /tmp/qemu-fw-console.log + stderr whenever its content changes. Polling
* misses printfs that get overwritten between two ticks; for noisy paths
* lower FW_POLL_MS or mirror the buffer to stderr at additional event
* sites (DSP IDLE, IRQ entry, etc.).
*/
#include "qemu/osdep.h"
#include "qemu/timer.h"
#include "exec/cpu-common.h"
#include "hw/arm/calypso/fw_console.h"
#define FW_PRINTF_ADDR 0x00831018u
#define FW_PRINTF_LEN 512u
#define FW_POLL_MS 10u
static QEMUTimer *fw_poll_timer;
static FILE *fw_log_fp;
static uint8_t fw_last[FW_PRINTF_LEN];
static void fw_console_emit(const uint8_t *buf, size_t len)
{
while (len > 0 && (buf[len-1] == '\n' || buf[len-1] == '\r'))
len--;
if (len == 0)
return;
if (fw_log_fp) {
fprintf(fw_log_fp, "[fw] %.*s\n", (int)len, buf);
fflush(fw_log_fp);
}
fprintf(stderr, "[fw-console] %.*s\n", (int)len, buf);
}
static void fw_console_poll(void *opaque)
{
uint8_t cur[FW_PRINTF_LEN];
cpu_physical_memory_read(FW_PRINTF_ADDR, cur, FW_PRINTF_LEN);
if (memcmp(cur, fw_last, FW_PRINTF_LEN) != 0) {
size_t len = 0;
while (len < FW_PRINTF_LEN && cur[len] != 0)
len++;
if (len > 0)
fw_console_emit(cur, len);
memcpy(fw_last, cur, FW_PRINTF_LEN);
}
timer_mod_ns(fw_poll_timer,
qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
(uint64_t)FW_POLL_MS * 1000000ULL);
}
void fw_console_init(void)
{
fw_log_fp = fopen("/tmp/qemu-fw-console.log", "w");
if (fw_log_fp) {
setvbuf(fw_log_fp, NULL, _IOLBF, 0);
fprintf(fw_log_fp,
"# QEMU firmware console - poll printf_buffer @ 0x%08x every %u ms\n",
FW_PRINTF_ADDR, FW_POLL_MS);
}
fw_poll_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, fw_console_poll, NULL);
timer_mod_ns(fw_poll_timer,
qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
(uint64_t)FW_POLL_MS * 1000000ULL);
fprintf(stderr,
"[fw-console] polling 0x%08x every %u ms -> /tmp/qemu-fw-console.log\n",
FW_PRINTF_ADDR, FW_POLL_MS);
}./hw/arm/calypso/sercomm_gate.c
/*
* sercomm_gate.c — Sercomm DLCI router (PTY) + CLK UDP listener
*
* Two separate roles, matching the current QEMU split:
*
* 1. PTY (UART modem) — sercomm HDLC stream from host (mobile/ccch_scan).
* DLCIs are re-wrapped and pushed to the UART RX FIFO so the firmware's
* sercomm driver parses them via the real code path. L1CTL = DLCI 5,
* TRXC = DLCI 4 (intercepted here, stub responses wrapped back out).
* No DLCI on the PTY ever carries radio bursts.
*
* 2. UDP CLK listener — just drains "IND CLOCK <fn>" on the baseband
* side and logs it. calypso_trx owns its own FN counter; the CLK
* packets are purely informational here.
*
* TRXC traffic is stubbed locally by bridge.py on UDP 5701 — QEMU
* never sees TRXC on UDP.
*
* TRXD (burst) transport is owned by calypso_bsp.c via calypso_orch.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "qemu/main-loop.h"
#include "qemu/error-report.h"
#include "chardev/char-fe.h"
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <errno.h>
#include "hw/arm/calypso/calypso_uart.h"
#include "hw/arm/calypso/sercomm_gate.h"
/* TRXC handling is NOT done by QEMU. bridge.py answers TRXC commands
* locally (stub) on UDP 5701 — QEMU never sees them. The L1CTL/L23
* path on PTY DLCI 5 is the only thing the modem UART carries. */
#define GATE_LOG(fmt, ...) \
fprintf(stderr, "[gate] " fmt "\n", ##__VA_ARGS__)
/* UART pointer captured on the first sercomm_gate_feed() call. The TRXC
* UDP callback uses it to push received sercomm-wrapped frames straight
* into the firmware UART RX FIFO. */
static CalypsoUARTState *g_uart;
/* ============================================================
* 1. PTY side — sercomm HDLC parser (L1CTL only)
* ============================================================ */
#define SERCOMM_FLAG 0x7E
#define SERCOMM_ESCAPE 0x7D
#define SERCOMM_XOR 0x20
#define GATE_BUF_SIZE 512
enum gate_rx_state {
GATE_WAIT_FLAG,
GATE_IN_FRAME,
GATE_ESCAPE,
};
static uint8_t sc_buf[GATE_BUF_SIZE];
static int sc_len;
static enum gate_rx_state sc_state;
/*
* Re-wrap a decoded sercomm frame (DLCI + CTRL + payload) and push it
* back into the UART RX FIFO. The firmware's sercomm driver will parse
* it again — keeping the firmware code path 100% identical to hardware.
*/
static void gate_push_to_fifo(CalypsoUARTState *s,
const uint8_t *frame, int len)
{
fprintf(stderr,
"[gate→fw-fifo] DLCI=%u CTRL=%02x payload=%d bytes (rx_count_before=%u)\n",
len > 0 ? frame[0] : 0xff,
len > 1 ? frame[1] : 0xff,
len > 2 ? len - 2 : 0,
(unsigned)s->rx_count);
{ uint8_t _b = SERCOMM_FLAG; calypso_uart_inject_raw(s, &_b, 1); }
for (int i = 0; i < len; i++) {
uint8_t c = frame[i];
/* Standard sercomm: only escape FLAG and ESCAPE. Escaping
* 0x00 was a bug — the firmware sercomm parser doesn't
* expect it and would drop the frame. */
if (c == SERCOMM_FLAG || c == SERCOMM_ESCAPE) {
{ uint8_t _e = SERCOMM_ESCAPE; calypso_uart_inject_raw(s, &_e, 1); }
{ uint8_t _x = c ^ SERCOMM_XOR; calypso_uart_inject_raw(s, &_x, 1); }
} else {
calypso_uart_inject_raw(s, &c, 1);
}
}
{ uint8_t _b = SERCOMM_FLAG; calypso_uart_inject_raw(s, &_b, 1); }
}
#define SERCOMM_DLCI_TRXC 4
/* Wrap a payload in sercomm DLCI 4 (TRXC) and send it back via the
* chardev TX (→ PTY → bridge.py → osmo-bts-trx 5701). */
static void gate_send_trxc_rsp(CalypsoUARTState *s,
const uint8_t *payload, int plen)
{
if (!s) return;
uint8_t frame[1024];
int pos = 0;
frame[pos++] = SERCOMM_FLAG;
uint8_t hdr[2] = { SERCOMM_DLCI_TRXC, 0x03 };
for (int i = 0; i < 2; i++) {
if (hdr[i] == SERCOMM_FLAG || hdr[i] == SERCOMM_ESCAPE) {
frame[pos++] = SERCOMM_ESCAPE;
frame[pos++] = hdr[i] ^ SERCOMM_XOR;
} else {
frame[pos++] = hdr[i];
}
}
for (int i = 0; i < plen && pos + 2 < (int)sizeof(frame); i++) {
uint8_t c = payload[i];
if (c == SERCOMM_FLAG || c == SERCOMM_ESCAPE) {
frame[pos++] = SERCOMM_ESCAPE;
frame[pos++] = c ^ SERCOMM_XOR;
} else {
frame[pos++] = c;
}
}
frame[pos++] = SERCOMM_FLAG;
qemu_chr_fe_write_all(&s->chr, frame, pos);
fprintf(stderr, "[gate-trxc] TX→bridge %d bytes (sercomm framed=%d)\n",
plen, pos);
}
/* Parse a TRXC CMD string and produce a RSP string.
* Mirrors bridge.py::trxc_response. Returns response length, or 0 if
* the command is not a CMD (silently ignored). */
static int gate_trxc_handle(const uint8_t *cmd_buf, int cmd_len,
char *rsp, int rsp_size)
{
/* Strip trailing \0 and find verb/args */
int n = cmd_len;
while (n > 0 && (cmd_buf[n-1] == 0 || cmd_buf[n-1] == "\n"[0])) n--;
if (n < 4) return 0;
if (memcmp(cmd_buf, "CMD ", 4) != 0) return 0;
char tmp[512];
int tn = n - 4 < (int)sizeof(tmp) - 1 ? n - 4 : (int)sizeof(tmp) - 1;
memcpy(tmp, cmd_buf + 4, tn);
tmp[tn] = 0;
/* Split verb and args */
char *verb = tmp;
char *args = strchr(tmp, " "[0]);
if (args) { *args = 0; args++; }
else args = (char *)"";
fprintf(stderr, "[gate-trxc] RX←bridge CMD %s args=%s\n", verb, args);
int rl;
if (strcmp(verb, "POWERON") == 0)
rl = snprintf(rsp, rsp_size, "RSP POWERON 0");
else if (strcmp(verb, "POWEROFF") == 0)
rl = snprintf(rsp, rsp_size, "RSP POWEROFF 0");
else if (strcmp(verb, "SETFORMAT") == 0)
rl = snprintf(rsp, rsp_size, "RSP SETFORMAT 0 %s", args[0] ? args : "0");
else if (strcmp(verb, "NOMTXPOWER") == 0)
rl = snprintf(rsp, rsp_size, "RSP NOMTXPOWER 0 50");
else if (strcmp(verb, "MEASURE") == 0)
rl = snprintf(rsp, rsp_size, "RSP MEASURE 0 %s -60", args[0] ? args : "0");
else if (args[0])
rl = snprintf(rsp, rsp_size, "RSP %s 0 %s", verb, args);
else
rl = snprintf(rsp, rsp_size, "RSP %s 0", verb);
if (rl > 0 && rl < rsp_size) rsp[rl++] = 0; /* trailing NUL like bridge */
return rl;
}
void sercomm_gate_feed(CalypsoUARTState *s, const uint8_t *buf, int size)
{
if (!g_uart) g_uart = s;
for (int i = 0; i < size; i++) {
uint8_t b = buf[i];
switch (sc_state) {
case GATE_WAIT_FLAG:
if (b == SERCOMM_FLAG) {
sc_state = GATE_IN_FRAME;
sc_len = 0;
} else {
/* Pre-sercomm raw bytes pass through (loader/console). */
calypso_uart_inject_raw(s, &b, 1);
}
break;
case GATE_ESCAPE:
if (sc_len < GATE_BUF_SIZE)
sc_buf[sc_len++] = b ^ SERCOMM_XOR;
sc_state = GATE_IN_FRAME;
break;
case GATE_IN_FRAME:
if (b == SERCOMM_FLAG) {
if (sc_len >= 2) {
/* DLCI 5 = L1CTL from mobile (via bridge).
* Trace, then push to firmware FIFO so the real
* sercomm parser dispatches it. All other DLCIs
* (console, debug, …) go straight to FIFO. */
if (sc_buf[0] == SERCOMM_DLCI_TRXC && sc_len >= 2) {
char rsp[512];
int rl = gate_trxc_handle(sc_buf + 2, sc_len - 2,
rsp, sizeof(rsp));
if (rl > 0)
gate_send_trxc_rsp(s, (uint8_t *)rsp, rl);
sc_len = 0;
break;
}
if (sc_buf[0] == 5) {
int plen = sc_len - 2;
uint8_t mt = plen > 0 ? sc_buf[2] : 0;
fprintf(stderr,
"[PTY-L1CTL] <<<RX %d bytes (mobile→fw) mt=0x%02x:",
plen, mt);
for (int j = 0; j < plen && j < 32; j++)
fprintf(stderr, " %02x", sc_buf[2 + j]);
if (plen > 32) fprintf(stderr, " ...");
fprintf(stderr, "\n");
}
gate_push_to_fifo(s, sc_buf, sc_len);
}
sc_len = 0;
} else if (b == SERCOMM_ESCAPE) {
sc_state = GATE_ESCAPE;
} else {
if (sc_len < GATE_BUF_SIZE)
sc_buf[sc_len++] = b;
}
break;
}
}
}
/* ============================================================
* 2. UDP CLK listener — informational only
* ============================================================
*
* TRXC is stubbed by bridge.py on UDP 5701; QEMU never sees it.
* TRXD (bursts) is owned by calypso_bsp.c via calypso_orch.
*/
/* CLK UDP listener removed — QEMU sends ticks to bridge directly. */
static int g_clk_fd = -1;
/* ---------- init ---------- */
void sercomm_gate_init(int base_port)
{
if (base_port <= 0) base_port = 6700;
int clk_port = base_port + 0;
/* CLK UDP listener disabled — QEMU is now the clock master and sends
* ticks directly to the bridge via calypso_trx.c (port 6700).
* The gate no longer needs to receive CLK IND. */
(void)clk_port;
g_clk_fd = -1;
GATE_LOG("TRXD: owned by calypso_bsp.c via calypso_orch");
}./hw/arm/calypso/calypso_bsp.c
/*
* Calypso BSP/RIF DMA module — implementation.
*
* On real hardware the BSP (Baseband Serial Port) is a synchronous serial
* link that DMA-feeds I/Q samples from the IOTA RF frontend into C54x
* DSP DARAM. The DSP code (FB/SB/burst detection in PROM0) reads them
* from a fixed DARAM buffer and posts results into the NDB.
*
* In QEMU, DL bursts arrive via UDP (TRXDv0 from bridge.py on port 5702).
* This module owns that socket, decodes the TRXDv0 header, converts hard
* bits to I/Q samples, and DMA-writes them into DSP DARAM.
*
* L1CTL control (DLCI 5) goes through the UART — bursts never touch UART.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "qemu/main-loop.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h> /* inet_aton */
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include "hw/arm/calypso/calypso_bsp.h"
#include "hw/arm/calypso/calypso_c54x.h"
#include "hw/arm/calypso/calypso_iota.h"
#include "calypso_tint0.h" /* GSM_HYPERFRAME */
/* Forward-declared here to avoid pulling in the full calypso_trx.h
* (which would drag in hw/irq.h and qemu internals not needed in this TU). */
uint32_t calypso_trx_get_fn(void);
/* Forward decls for env-gated helpers used in calypso_bsp_init pre-warm. */
static uint32_t d_rach_word_offset(void);
static int rach_force_bsic(void);
#define BSP_LOG(fmt, ...) \
do { fprintf(stderr, "[BSP] " fmt "\n", ##__VA_ARGS__); } while (0)
#define BSP_TRXD_PORT 6702 /* bridge forwards DL bursts here (5702 is bridge's own) */
/* Per-TN burst queue: FN-indexed ring so lookahead bursts from the BTS
* (osmo-bts-trx schedules up to ~92 frames ahead) are preserved until the
* QEMU virtual FN catches up to each burst's scheduled FN. On real hardware
* BSP DMA is synchronous within the TDMA frame; in QEMU bursts arrive over
* UDP from the bridge with their scheduled FN embedded in the TRXD header,
* and delivery must happen at the exact virtual FN or the DSP correlates
* samples against a frame boundary that does not match the modulator phase
* (→ d_fb_det stays 0 indefinitely). */
#define BSP_NUM_TN 8 /* one queue per timeslot */
#define BSP_QUEUE_LEN 128 /* lookahead depth per TN */
/* Match window: real BSP captures samples around BDLENA; exact FN match
* is a QEMU artefact. ±4 frames tolerates bridge/BTS CLK IND jitter and
* is narrow enough not to swap adjacent FCCH with non-FCCH in the 51-
* multiframe pattern (FCCH appears every 10 frames on the BCCH slot). */
/* Was 4: too tight for BTS scheduler lookahead (observed delta=1..139 with
* mean ~50). 99 % of bursts went stale before the QEMU virtual FN caught up.
* 64 covers the typical lookahead and lets the queue drain fast enough that
* BDLENA pulses actually consume bursts. (Bumped to 1024 in diag 2026-04-26
* — confirmed not the bottleneck. Restored to 64.) */
#define BSP_FN_MATCH_WINDOW 64
typedef struct {
int16_t iq[296]; /* 148 I/Q pairs max */
int n; /* number of int16 values */
uint32_t fn;
bool valid;
} BspBurstSlot;
typedef struct {
BspBurstSlot slot[BSP_QUEUE_LEN];
} BspBurstQueue;
static struct {
C54xState *dsp;
uint16_t daram_addr;
uint16_t daram_len;
uint16_t bypass_bdlena;
uint64_t bursts_seen;
uint64_t bursts_written;
uint64_t bursts_dropped_no_window;
uint64_t bursts_dropped_queue_full;
uint64_t bursts_dropped_stale;
int trxd_fd; /* UDP socket for TRXDv0 DL bursts */
struct sockaddr_in trxd_peer; /* BTS address (for UL replies) */
bool trxd_peer_valid;
uint8_t last_att; /* last DL attenuation byte */
/* FN-indexed queue per TN */
BspBurstQueue q[BSP_NUM_TN];
} bsp;
/* Signed hyperframe distance (entry_fn - reference_fn) in (-H/2, H/2]. */
static int32_t bsp_fn_delta(uint32_t entry_fn, uint32_t ref_fn)
{
int32_t d = (int32_t)entry_fn - (int32_t)ref_fn;
if (d > (int32_t)(GSM_HYPERFRAME / 2)) d -= GSM_HYPERFRAME;
else if (d <= -(int32_t)(GSM_HYPERFRAME / 2)) d += GSM_HYPERFRAME;
return d;
}
/* Enqueue a burst into queue[tn]. If a slot already carries the same FN,
* overwrite it (duplicate retransmission from BTS). If the queue is full,
* drop the oldest entry (smallest fn_delta relative to enqueue). */
static void bsp_enqueue(uint8_t tn, uint32_t fn, const int16_t *iq, int n)
{
if (tn >= BSP_NUM_TN) return;
BspBurstQueue *qq = &bsp.q[tn];
int free_idx = -1;
int oldest_idx = 0;
int32_t oldest_delta = INT32_MAX;
for (int i = 0; i < BSP_QUEUE_LEN; i++) {
BspBurstSlot *s = &qq->slot[i];
if (s->valid && s->fn == fn) {
memcpy(s->iq, iq, n * sizeof(int16_t));
s->n = n;
return;
}
if (!s->valid) {
if (free_idx < 0) free_idx = i;
} else {
int32_t d = bsp_fn_delta(s->fn, fn);
if (d < oldest_delta) { oldest_delta = d; oldest_idx = i; }
}
}
int idx;
if (free_idx >= 0) {
idx = free_idx;
} else {
idx = oldest_idx;
bsp.bursts_dropped_queue_full++;
}
BspBurstSlot *s = &qq->slot[idx];
memcpy(s->iq, iq, n * sizeof(int16_t));
s->n = n;
s->fn = fn;
s->valid = true;
}
/* Purge entries older than the match window and return the slot whose FN
* is closest to current_fn (within ±BSP_FN_MATCH_WINDOW) for this TN, or
* NULL if none. Future bursts beyond the window stay queued. */
static BspBurstSlot *bsp_take_for_fn(uint8_t tn, uint32_t current_fn)
{
if (tn >= BSP_NUM_TN) return NULL;
BspBurstQueue *qq = &bsp.q[tn];
BspBurstSlot *match = NULL;
int32_t best_abs = INT32_MAX;
for (int i = 0; i < BSP_QUEUE_LEN; i++) {
BspBurstSlot *s = &qq->slot[i];
if (!s->valid) continue;
int32_t d = bsp_fn_delta(s->fn, current_fn);
int32_t ad = d < 0 ? -d : d;
if (d < -BSP_FN_MATCH_WINDOW) {
s->valid = false;
bsp.bursts_dropped_stale++;
} else if (ad <= BSP_FN_MATCH_WINDOW && ad < best_abs) {
match = s;
best_abs = ad;
}
}
/* Periodic stale ratio summary: a runaway ratio (e.g. 7000:1) is the
* symptom of a stalled DSP — virtual fn isn't catching up to queued
* burst FNs before the match window expires. Report every 5000 stales
* so the spiral is visible without flooding the log. */
{
static uint64_t last_logged_stale;
if (bsp.bursts_dropped_stale - last_logged_stale >= 5000) {
last_logged_stale = bsp.bursts_dropped_stale;
BSP_LOG("STALE ratio: stale=%llu written=%llu (cur_fn=%u)",
(unsigned long long)bsp.bursts_dropped_stale,
(unsigned long long)bsp.bursts_written,
current_fn);
}
}
return match;
}
static uint16_t parse_uint_env(const char *name, uint16_t def)
{
const char *v = getenv(name);
if (!v || !*v) return def;
return (uint16_t)strtoul(v, NULL, 0);
}
uint16_t calypso_bsp_get_daram_addr(void) { return bsp.daram_addr; }
uint16_t calypso_bsp_get_daram_len(void) { return bsp.daram_len; }
uint8_t calypso_bsp_get_last_att(void) { return bsp.last_att; }
/* ---- UDP TRXDv0 DL receive callback ---- */
static void bsp_trxd_readable(void *opaque)
{
uint8_t buf[512];
struct sockaddr_in addr;
socklen_t alen = sizeof(addr);
ssize_t n = recvfrom(bsp.trxd_fd, buf, sizeof(buf), 0,
(struct sockaddr *)&addr, &alen);
if (n < 8) return;
/* Refine UL peer to actual DL sender (init-time default is bridge
* 127.0.0.1:5702 — DL source confirms it or replaces it). */
if (addr.sin_addr.s_addr != bsp.trxd_peer.sin_addr.s_addr ||
addr.sin_port != bsp.trxd_peer.sin_port) {
bsp.trxd_peer = addr;
BSP_LOG("TRXD peer learned: %s:%d",
inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
}
/* TRXDv0 DL: tn(1) fn(4) rssi(1) toa(2) bits(148) = 156 bytes.
* (Confirmed empirically 2026-05-07 — earlier "asymmetric 6-byte
* header" hypothesis was wrong : RX header IS 8 bytes like TX.
* Even when BTS emits 154-byte packets, the n-8 skip + 148-bit
* clamp keeps DSP demod aligned. n-6 broke mobile L1 sync —
* mobile stayed in cell-selection loop and never reached LU.) */
uint8_t tn = buf[0] & 0x07;
uint32_t fn = ((uint32_t)buf[1]<<24)|((uint32_t)buf[2]<<16)|
((uint32_t)buf[3]<<8)|buf[4];
bsp.last_att = (n > 5) ? buf[5] : 0;
int nbits = (int)n - 8; /* TRXDv0 header is 8 bytes (TS+FN+RSSI+ToA) */
if (nbits > 148) nbits = 148;
if (nbits <= 0) return;
const uint8_t *bits = buf + 8;
/* Log burst type: check if all-zero (FB) or mixed (NB/SB) */
{
int zeros = 0, ones = 0;
for (int i = 0; i < nbits; i++) {
if (bits[i] == 0) zeros++;
else ones++;
}
static int burst_log = 0;
if (burst_log < 20 || (burst_log % 10000) == 0) {
BSP_LOG("BURST fn=%u tn=%u zeros=%d ones=%d %s",
fn, tn, zeros, ones,
zeros == nbits ? "*** FB ***" :
ones > 100 ? "DUMMY/NB" : "SB/OTHER");
}
burst_log++;
}
/* FN-alignment instrumentation: measure burst arrival FN vs QEMU
* virtual FN. A persistent negative delta means BTS is lagging
* (bursts arrive for FNs that have already passed); a positive
* delta is normal lookahead. */
{
uint32_t cur_fn = calypso_trx_get_fn();
int32_t delta = bsp_fn_delta(fn, cur_fn);
static int rx_log = 0;
if (rx_log < 100 || (rx_log % 1000) == 0) {
BSP_LOG("RX tn=%u fn=%u cur_fn=%u delta=%d",
tn, fn, cur_fn, delta);
}
rx_log++;
/* Rolling summary over last 500 samples: min/max/mean */
static int32_t hist[500];
static unsigned hist_pos = 0;
static unsigned hist_seen = 0;
hist[hist_pos] = delta;
hist_pos = (hist_pos + 1) % 500;
hist_seen++;
if ((hist_seen % 500) == 0) {
unsigned nh = hist_seen < 500 ? hist_seen : 500;
int32_t mn = INT32_MAX, mx = INT32_MIN;
int64_t sum = 0;
for (unsigned i = 0; i < nh; i++) {
int32_t d = hist[i];
if (d < mn) mn = d;
if (d > mx) mx = d;
sum += d;
}
BSP_LOG("RX delta stats (last %u): min=%d max=%d mean=%lld",
nh, mn, mx, (long long)(sum / (int64_t)nh));
}
}
/* GMSK modulation: convert TRXDv0 hard bits to I/Q samples.
* GMSK with h=0.5: each bit adds ±π/2 to the phase.
* NRZ encoding: bit 0 → phase += π/2, bit 1 → phase -= π/2.
*
* The Calypso IOTA chip delivers complex I/Q pairs to the BSP.
* Phase increments are exactly ±π/2, so I=cos(φ) and Q=sin(φ)
* cycle through {±1, 0}. We produce interleaved I,Q pairs.
*
* For FB (all-zero bits): phase advances π/2 per bit → pure tone.
* I/Q sequence: (1,0),(0,1),(-1,0),(0,-1),(1,0),... */
int16_t iq[296]; /* 148 I/Q pairs = 296 values */
/* Q15 full-scale amplitude: real BSP/IOTA delivers near-full-range Q15
* samples. ±0x7FFE keeps one bit of headroom below INT16_MIN. */
static const int16_t cos_tab[4] = { 0x7FFE, 0, -0x7FFE, 0 };
static const int16_t sin_tab[4] = { 0, 0x7FFE, 0, -0x7FFE };
int phase_idx = 0;
int iq_count = 0;
for (int i = 0; i < nbits; i++) {
/* Anomaly A fix (2026-05-08) : émettre AVANT advance, donc le premier
* sample est à phase=0 au lieu de phase=π/2. Le code original
* advance-then-emit décalait tout le burst de 90°, faisant que la
* corrélation cohérente du DSP correlator tombait dans la partie
* quadrature au lieu d'in-phase → d_fb_det principalement négatif
* (pattern observé : +23k, +20k occasionnel puis 4× -5k consécutifs).
* À valider sur le prochain run. */
iq[iq_count++] = cos_tab[phase_idx]; /* I — phase_idx avant advance */
iq[iq_count++] = sin_tab[phase_idx]; /* Q */
phase_idx = (phase_idx + (bits[i] ? 3 : 1)) & 3;
}
/* Enqueue the burst FN-indexed for this TN. With BTS lookahead of up
* to ~92 frames, several bursts are in flight at once; each must be
* delivered at the exact QEMU virtual FN it was scheduled for, or
* the DSP correlator runs against incoherent samples. */
bsp_enqueue(tn, fn, iq, iq_count);
/* Delivery is handled exclusively by calypso_bsp_deliver_buffered()
* called from the TDMA tick. No immediate delivery — it would
* double-consume BDLENA pulses and race with the buffered path. */
}
/* ---- Init ---- */
void calypso_bsp_init(C54xState *dsp)
{
bsp.dsp = dsp;
/* DSP reads I/Q at DARAM 0x3fb3-0x3fbe (verified via DARAM RD HIST).
* 0x3fc0 was off by 13 words — DSP saw zeros and never advanced past
* the FB-det wait loop at PROM0 0x7700. */
bsp.daram_addr = parse_uint_env("CALYPSO_BSP_DARAM_ADDR", 0x3fb0);
bsp.daram_len = parse_uint_env("CALYPSO_BSP_DARAM_LEN", 296);
bsp.bypass_bdlena = parse_uint_env("CALYPSO_BSP_BYPASS_BDLENA", 0);
bsp.bursts_seen = 0;
bsp.bursts_written = 0;
bsp.bursts_dropped_no_window = 0;
bsp.bursts_dropped_queue_full = 0;
bsp.bursts_dropped_stale = 0;
memset(bsp.q, 0, sizeof(bsp.q));
bsp.trxd_fd = -1;
/* Pre-set UL peer to bridge default (TRXDv0 listener on 127.0.0.1:5702).
* Eliminates the race where ARM/DSP fires the first UL burst before any
* DL has arrived to learn the peer addr. The peer is refined to the
* actual sender on first DL receive (bsp_trxd_readable). */
memset(&bsp.trxd_peer, 0, sizeof(bsp.trxd_peer));
bsp.trxd_peer.sin_family = AF_INET;
bsp.trxd_peer.sin_port = htons(5702);
bsp.trxd_peer.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
bsp.trxd_peer_valid = true;
/* Bind UDP socket for TRXDv0 DL bursts from bridge/BTS.
*
* Default bind = 0.0.0.0 (was 127.0.0.1 hard-coded) so external
* sources can inject bursts — bridge in the same netns still works,
* and the host or other containers can reach BSP via the container
* IP or via Docker port mapping (-p 6702:6702/udp).
*
* Override via env :
* CALYPSO_BSP_BIND_ADDR=<ip> bind explicit IPv4 (e.g. 127.0.0.1,
* 172.20.0.11). Default: 0.0.0.0
* CALYPSO_BSP_BIND_LOOPBACK=1 legacy alias = 127.0.0.1 */
int fd = socket(AF_INET, SOCK_DGRAM, 0);
if (fd >= 0) {
int one = 1;
setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
const char *bind_addr_env = getenv("CALYPSO_BSP_BIND_ADDR");
const char *bind_lo_env = getenv("CALYPSO_BSP_BIND_LOOPBACK");
const char *bind_addr = NULL;
if (bind_addr_env && *bind_addr_env)
bind_addr = bind_addr_env;
else if (bind_lo_env && *bind_lo_env == '1')
bind_addr = "127.0.0.1";
else
bind_addr = "0.0.0.0";
struct sockaddr_in sa = {
.sin_family = AF_INET,
.sin_port = htons(BSP_TRXD_PORT),
};
if (inet_aton(bind_addr, &sa.sin_addr) == 0) {
BSP_LOG("CALYPSO_BSP_BIND_ADDR=%s invalid, falling back to 0.0.0.0",
bind_addr);
sa.sin_addr.s_addr = htonl(INADDR_ANY);
bind_addr = "0.0.0.0";
}
if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == 0) {
fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
qemu_set_fd_handler(fd, bsp_trxd_readable, NULL, NULL);
bsp.trxd_fd = fd;
BSP_LOG("TRXD UDP listening on %s:%d", bind_addr, BSP_TRXD_PORT);
} else {
BSP_LOG("TRXD bind %s:%d failed: %s",
bind_addr, BSP_TRXD_PORT, strerror(errno));
close(fd);
}
}
/* Pre-init env-gated state so the first RACH burst doesn't pay the
* cost of strtoul/getenv mid-run. Reportedly the static-cache pattern
* had correlated runtime variability with LU success rate. */
(void)d_rach_word_offset();
(void)rach_force_bsic();
BSP_LOG("init dsp=%p daram_addr=0x%04x len=%u%s%s",
(void *)dsp, bsp.daram_addr, bsp.daram_len,
bsp.daram_addr ? "" : " (DISCOVERY mode — no DMA)",
bsp.bypass_bdlena ? " (BDLENA gate BYPASSED — debug)" : "");
}
/* ---- DL burst → DSP DARAM ---- */
void calypso_bsp_rx_burst(uint8_t tn, uint32_t fn,
const int16_t *iq, int n_int16)
{
bsp.bursts_seen++;
if (!bsp.dsp) {
if (bsp.bursts_seen <= 3)
BSP_LOG("rx_burst: no DSP attached, dropping fn=%u tn=%u", fn, tn);
return;
}
if (n_int16 <= 0 || iq == NULL) return;
if (bsp.daram_addr == 0) {
if (bsp.bursts_seen <= 5) {
BSP_LOG("rx_burst fn=%u tn=%u n=%d (target unset)",
fn, tn, n_int16);
}
return;
}
/* On real hw the BSP serial link only carries samples while IOTA's
* BDLENA pin is asserted. */
if (!bsp.bypass_bdlena && !calypso_iota_take_bdl_pulse(tn)) {
bsp.bursts_dropped_no_window++;
if (bsp.bursts_dropped_no_window <= 5 ||
(bsp.bursts_dropped_no_window % 100000) == 0) {
BSP_LOG("DROP fn=%u tn=%u (no BDLENA window, dropped=%llu)",
fn, tn,
(unsigned long long)bsp.bursts_dropped_no_window);
}
return;
}
int n = n_int16 < (int)bsp.daram_len ? n_int16 : (int)bsp.daram_len;
/* Load samples into BSP serial port buffer (PORTR PA=0x0034).
* The DSP reads one sample per PORTR instruction from this buffer. */
uint16_t samples[148];
for (int i = 0; i < n && i < 148; i++)
samples[i] = (uint16_t)iq[i];
c54x_bsp_load(bsp.dsp, samples, n > 148 ? 148 : n);
/* Also write to DARAM for code that reads samples directly. */
static unsigned woff = 0;
for (int i = 0; i < n; i++) {
bsp.dsp->data[(uint16_t)(bsp.daram_addr + woff)] = (uint16_t)iq[i];
woff++;
if (woff >= bsp.daram_len) woff = 0;
}
bsp.bursts_written++;
/* Log DARAM content after write for FB bursts */
{
if (bsp.bursts_written <= 3) {
BSP_LOG("DARAM after write [0x%04x]: %d %d %d %d %d %d %d %d",
bsp.daram_addr,
n>0?(int16_t)bsp.dsp->data[bsp.daram_addr]:0,
n>1?(int16_t)bsp.dsp->data[bsp.daram_addr+1]:0,
n>2?(int16_t)bsp.dsp->data[bsp.daram_addr+2]:0,
n>3?(int16_t)bsp.dsp->data[bsp.daram_addr+3]:0,
n>4?(int16_t)bsp.dsp->data[bsp.daram_addr+4]:0,
n>5?(int16_t)bsp.dsp->data[bsp.daram_addr+5]:0,
n>6?(int16_t)bsp.dsp->data[bsp.daram_addr+6]:0,
n>7?(int16_t)bsp.dsp->data[bsp.daram_addr+7]:0);
}
}
if (bsp.bursts_written <= 5 || (bsp.bursts_written % 1000) == 0) {
BSP_LOG("DMA fn=%u tn=%u n=%d → DARAM[0x%04x..0x%04x] total=%llu "
"iq[0..3]=%d,%d,%d,%d",
fn, tn, n, bsp.daram_addr,
(unsigned)(bsp.daram_addr + n - 1),
(unsigned long long)bsp.bursts_written,
n>0 ? iq[0] : 0, n>1 ? iq[1] : 0,
n>2 ? iq[2] : 0, n>3 ? iq[3] : 0);
}
/* Fire BRINT0 — gated by BDLENA from the TPU/TSP/IOTA chain.
* The firmware opens the RX window via TPU scenario → TSP write → IOTA BDLENA.
* calypso_iota_take_bdl_pulse() consumed the window above.
* BRINT0 fires once per window, rate-limited by IFR bit. */
if (bsp.dsp && !(bsp.dsp->ifr & (1 << 5))) {
c54x_interrupt_ex(bsp.dsp, 21, 5);
if (bsp.dsp->idle) bsp.dsp->idle = false;
}
}
/* ---- Deliver buffered burst when BDLENA fires ---- */
/* Called from calypso_tdma_tick (calypso_trx.c) each frame.
* For each TN: purge stale entries, then if a queued burst matches the
* current QEMU virtual FN and a BDLENA pulse is pending, deliver it. */
void calypso_bsp_deliver_buffered(uint32_t current_fn)
{
if (!bsp.dsp || bsp.daram_addr == 0) return;
for (int tn = 0; tn < BSP_NUM_TN; tn++) {
BspBurstSlot *sl = bsp_take_for_fn(tn, current_fn);
if (!sl) continue;
if (!bsp.bypass_bdlena && !calypso_iota_take_bdl_pulse(tn))
continue;
int n = sl->n < (int)bsp.daram_len ? sl->n : (int)bsp.daram_len;
uint16_t samples[296];
for (int i = 0; i < n && i < 296; i++)
samples[i] = (uint16_t)sl->iq[i];
c54x_bsp_load(bsp.dsp, samples, n > 296 ? 296 : n);
static unsigned woff = 0;
for (int i = 0; i < n; i++) {
bsp.dsp->data[(uint16_t)(bsp.daram_addr + woff)] = (uint16_t)sl->iq[i];
woff++;
if (woff >= bsp.daram_len) woff = 0;
}
bsp.bursts_written++;
sl->valid = false; /* consumed */
if (bsp.bursts_written <= 10 || (bsp.bursts_written % 1000) == 0) {
BSP_LOG("DMA tn=%u fn=%u n=%d total=%llu stale=%llu qfull=%llu",
tn, sl->fn, n,
(unsigned long long)bsp.bursts_written,
(unsigned long long)bsp.bursts_dropped_stale,
(unsigned long long)bsp.bursts_dropped_queue_full);
/* Dump first 8 words written so we can verify the I/Q
* constellation actually landed in the DSP data memory at
* daram_addr — independent of any ARM-side mapping. */
BSP_LOG("DMA @0x%04x: %04x %04x %04x %04x %04x %04x %04x %04x",
bsp.daram_addr,
bsp.dsp->data[bsp.daram_addr + 0],
bsp.dsp->data[bsp.daram_addr + 1],
bsp.dsp->data[bsp.daram_addr + 2],
bsp.dsp->data[bsp.daram_addr + 3],
bsp.dsp->data[bsp.daram_addr + 4],
bsp.dsp->data[bsp.daram_addr + 5],
bsp.dsp->data[bsp.daram_addr + 6],
bsp.dsp->data[bsp.daram_addr + 7]);
}
/* Fire BRINT0 */
if (bsp.dsp && !(bsp.dsp->ifr & (1 << 5))) {
c54x_interrupt_ex(bsp.dsp, 21, 5);
if (bsp.dsp->idle) bsp.dsp->idle = false;
}
}
}
/* ---- UL burst → UDP to BTS ---- */
void calypso_bsp_send_ul(uint8_t tn, uint32_t fn, const uint8_t bits[148])
{
if (bsp.trxd_fd < 0 || !bsp.trxd_peer_valid) return;
/* TRXDv0 UL (TRX → BTS): tn(1) fn(4) rssi(1) toa(2) bits(148) = 156 bytes.
*
* The osmo-bts-trx TRXD protocol is *asymmetric* :
* - DL (BTS → TRX) : 6-byte header, 154 bytes total. No ToA.
* - UL (TRX → BTS) : 8-byte header WITH ToA, 156 bytes total. The
* ToA is needed by BTS RACH/SACCH timing-advance estimation.
*
* Sending 154-byte UL caused osmo-bts-trx::trx_if.c:821 to log
* "Rx TRXD PDU with odd burst length 146"
* (BTS subtracts its 8-byte header from msg len, expects 148 body).
* Always send 156 bytes for UL. */
uint8_t pkt[8 + 148];
pkt[0] = tn & 0x07;
pkt[1] = (fn >> 24) & 0xff;
pkt[2] = (fn >> 16) & 0xff;
pkt[3] = (fn >> 8) & 0xff;
pkt[4] = fn & 0xff;
pkt[5] = 60; /* RSSI → -60 dBm at the BTS */
pkt[6] = 0; pkt[7] = 0; /* ToA256 = 0 (centered, no timing advance request) */
for (int i = 0; i < 148; i++)
pkt[8 + i] = bits[i] ? 127 : (uint8_t)(-127);
/* Hex dump of every UL burst as it's sent — symmetric with the bridge.py
* UL print, so we can correlate L1 → bridge → BTS at the byte level
* when chasing TRXD framing or RACH parity issues. Cap at 200 to keep
* log finite. */
{
static unsigned ul_log_count = 0;
if (ul_log_count++ < 200 || (ul_log_count % 1000) == 0) {
BSP_LOG("UL #%u TN=%u fn=%u rssi=-60 toa=0 len=%zu "
"hdr=%02x%02x%02x%02x%02x%02x%02x%02x "
"bits[0:16]=[%+d %+d %+d %+d %+d %+d %+d %+d "
"%+d %+d %+d %+d %+d %+d %+d %+d]",
ul_log_count, tn, fn, sizeof(pkt),
pkt[0], pkt[1], pkt[2], pkt[3],
pkt[4], pkt[5], pkt[6], pkt[7],
(int8_t)pkt[8], (int8_t)pkt[9], (int8_t)pkt[10],
(int8_t)pkt[11], (int8_t)pkt[12], (int8_t)pkt[13],
(int8_t)pkt[14], (int8_t)pkt[15],
(int8_t)pkt[16], (int8_t)pkt[17], (int8_t)pkt[18],
(int8_t)pkt[19], (int8_t)pkt[20], (int8_t)pkt[21],
(int8_t)pkt[22], (int8_t)pkt[23]);
}
}
sendto(bsp.trxd_fd, pkt, sizeof(pkt), 0,
(struct sockaddr *)&bsp.trxd_peer, sizeof(bsp.trxd_peer));
}
bool calypso_bsp_tx_burst(uint8_t tn, uint32_t fn, uint8_t bits[148])
{
if (!bsp.dsp || !bits) return false;
/* On real Calypso, the DSP encodes the UL burst (channel coding +
* interleaving + burst formation) and writes the 148 hard bits to a
* DARAM buffer that the BSP TX DMA reads. The exact destination is
* configured per task by TPU scenarios. We currently read from a
* candidate location; if it's all-zero, the DSP encoder did not run
* for this frame (timing miss or wrong addr) and we drop the burst. */
bool any = false;
for (int i = 0; i < 148; i++) {
uint16_t w = bsp.dsp->data[0x0900 + i];
bits[i] = (uint8_t)(w & 1);
if (bits[i]) any = true;
}
return any;
}
/* ---- RACH access burst encoding ---- */
#include <osmocom/coding/gsm0503_coding.h>
/* d_rach lives in NDB at a struct offset that depends on the DSP version.
* The firmware writes (uic|bsic)<<2 | (ra<<8) to ndb->d_rach right before
* setting db_w->d_task_ra.
*
* Default 0x023A — confirmed empirically 2026-05-07 via D_RACH-FINDER ring
* trace : ARM-side write at API byte 0x0474 (= DSP word 0x0A3A = word 0x23A
* from API base) carries values 0x0300, 0x0f00, ... matching mobile L3
* `RANDOM ACCESS ra 0xRR` log lines exactly.
*
* Cached via env var for ABI predictability — the old static-init+branch
* pattern was reportedly correlated with worse LU success rate vs explicit
* env set, so we now read env once and stash in bsp.* state at init. */
#define D_RACH_DEFAULT_OFFSET 0x023A
static uint32_t d_rach_word_offset(void)
{
static uint32_t cached = 0;
static bool done = false;
if (done) return cached;
const char *e = getenv("CALYPSO_NDB_D_RACH_OFFSET");
if (e && *e) {
cached = (uint32_t)strtoul(e, NULL, 0);
BSP_LOG("d_rach offset: 0x%04x (env=%s)", cached, e);
} else {
cached = D_RACH_DEFAULT_OFFSET;
BSP_LOG("d_rach offset: 0x%04x (default macro — pinned 2026-05-07)", cached);
}
done = true;
return cached;
}
/* CALYPSO_RACH_FORCE_BSIC=N forces the BSIC used by the RACH encoder to a
* fixed value, overriding whatever is read from d_rach. Useful when the
* d_rach offset is uncertain : if the BTS responds with IMM_ASS_CMD as
* soon as we encode with the BSC's `base_station_id_code`, the chain is
* proven and we know the only remaining bug is the d_rach offset.
*
* Returns -1 if unset, otherwise the forced BSIC value (0..63). */
static int rach_force_bsic(void)
{
static int cached = -2;
if (cached != -2) return cached;
const char *e = getenv("CALYPSO_RACH_FORCE_BSIC");
/* Same empty-string-as-unset handling as d_rach_word_offset(). */
if (!e || !*e) {
cached = -1;
BSP_LOG("CALYPSO_RACH_FORCE_BSIC unset → BSIC read from d_rach");
return cached;
}
long v = strtol(e, NULL, 0);
if (v < 0 || v > 63) {
BSP_LOG("CALYPSO_RACH_FORCE_BSIC=%s out of range [0..63] — ignored", e);
cached = -1;
return cached;
}
cached = (int)v;
BSP_LOG("CALYPSO_RACH_FORCE_BSIC=%d (forcing all RACH bursts with this BSIC)", cached);
return cached;
}
bool calypso_bsp_tx_rach_burst(uint32_t fn, uint8_t bits[148])
{
if (!bsp.dsp || !bits) return false;
/* Read d_rach from NDB. dsp->data[] is the DSP-side word view; the
* API RAM at DSP word 0x0800.. is shared with the ARM-visible page
* at 0xFFD00000. We address via dsp->data[0x0800 + offset]. */
uint32_t off = d_rach_word_offset();
uint16_t d_rach = bsp.dsp->data[0x0800 + off];
if (d_rach == 0) {
/* Pre-LU : firmware hasn't written d_rach yet. Normal during cell
* selection / SI decode phase. Don't alarm — just skip silently
* (cap log to first 5 to keep it visible if there's a real issue). */
static unsigned zero_log = 0;
if (zero_log++ < 5) {
BSP_LOG("RACH: d_rach@0x%04x is zero — skipping #%u "
"(normal pre-LU, mobile not yet in RR_EST_REQ)",
off, zero_log);
}
return false;
}
/* prim_rach.c:73 packs as:
* d_rach[7:0] = uic<<2 (or bsic<<2)
* d_rach[15:8] = ra (8-bit RACH info) */
uint8_t uic_or_bsic = (uint8_t)((d_rach & 0xFF) >> 2);
uint8_t ra = (uint8_t)((d_rach >> 8) & 0xFF);
/* Optional BSIC override (probes whether wrong BSIC is the only blocker). */
int forced = rach_force_bsic();
if (forced >= 0) {
uic_or_bsic = (uint8_t)forced;
}
/* gsm0503_rach_ext_encode writes 148 unpacked bits (ubit_t=uint8_t 0/1)
* into burst[]. is_11bit=false → use 8-bit RACH (legacy GSM). */
int rc = gsm0503_rach_ext_encode(bits, ra, uic_or_bsic, false);
if (rc < 0) {
BSP_LOG("RACH encode failed rc=%d ra=0x%02x bsic=0x%02x", rc, ra, uic_or_bsic);
return false;
}
static int rach_log = 0;
if (++rach_log <= 20) {
BSP_LOG("RACH encode #%d fn=%u ra=0x%02x bsic=0x%02x d_rach=0x%04x",
rach_log, fn, ra, uic_or_bsic, d_rach);
}
return true;
}./hw/arm/calypso/l1ctl_sock.c
/*
* l1ctl_sock.c — L1CTL unix socket server for Calypso QEMU
*
* Replaces the Python bridge: provides a unix socket at /tmp/osmocom_l2
* that speaks L1CTL (length-prefixed messages) to OsmocomBB mobile.
*
* Internally translates between:
* - sercomm framing (FLAG/ESCAPE/DLCI) on the firmware UART side
* - L1CTL length-prefix on the mobile socket side
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "qemu/main-loop.h"
#include "hw/arm/calypso/calypso_uart.h"
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
#include <errno.h>
/* Sercomm constants */
#define SERCOMM_FLAG 0x7E
#define SERCOMM_ESCAPE 0x7D
#define SERCOMM_ESCAPE_XOR 0x20
#define SERCOMM_DLCI_L1CTL 5
/* L1CTL socket path */
#define L1CTL_SOCK_PATH "/tmp/osmocom_l2"
#define L1CTL_LOG(fmt, ...) \
fprintf(stderr, "[l1ctl-sock] " fmt "\n", ##__VA_ARGS__)
/* ---- Sercomm TX parser (firmware → mobile) ---- */
typedef enum {
SC_IDLE, /* waiting for FLAG */
SC_IN_FRAME, /* collecting frame bytes */
SC_ESCAPE, /* next byte is escaped */
} SercommState;
typedef struct L1CTLSock {
/* Server socket */
int srv_fd;
/* Client connection */
int cli_fd;
/* Sercomm TX parser (firmware UART output → mobile) */
SercommState sc_state;
uint8_t sc_buf[512];
int sc_len;
/* L1CTL RX parser (mobile → firmware UART input) */
uint8_t lp_buf[4096]; /* length-prefix accumulator */
int lp_len;
/* Reference to UART modem for RX injection */
CalypsoUARTState *uart;
} L1CTLSock;
static L1CTLSock g_l1ctl;
/* ---- Sercomm helpers ---- */
static int sercomm_wrap(uint8_t dlci, const uint8_t *payload, int plen,
uint8_t *out, int out_size)
{
int pos = 0;
if (pos >= out_size) return -1;
out[pos++] = SERCOMM_FLAG;
/* DLCI + CTRL */
uint8_t hdr[2] = { dlci, 0x03 };
for (int i = 0; i < 2; i++) {
if (hdr[i] == SERCOMM_FLAG || hdr[i] == SERCOMM_ESCAPE) {
if (pos + 2 > out_size) return -1;
out[pos++] = SERCOMM_ESCAPE;
out[pos++] = hdr[i] ^ SERCOMM_ESCAPE_XOR;
} else {
if (pos + 1 > out_size) return -1;
out[pos++] = hdr[i];
}
}
/* Payload */
for (int i = 0; i < plen; i++) {
if (payload[i] == SERCOMM_FLAG || payload[i] == SERCOMM_ESCAPE) {
if (pos + 2 > out_size) return -1;
out[pos++] = SERCOMM_ESCAPE;
out[pos++] = payload[i] ^ SERCOMM_ESCAPE_XOR;
} else {
if (pos + 1 > out_size) return -1;
out[pos++] = payload[i];
}
}
if (pos >= out_size) return -1;
out[pos++] = SERCOMM_FLAG;
return pos;
}
/* ---- Send L1CTL message to mobile (length-prefix) ---- */
static void l1ctl_send_to_mobile(L1CTLSock *s, const uint8_t *payload, int len)
{
if (s->cli_fd < 0 || len <= 0 || len > UINT16_MAX) return;
uint8_t hdr[2] = { (uint8_t)(len >> 8), (uint8_t)(len & 0xFF) };
struct iovec iov[2] = {
{ .iov_base = hdr, .iov_len = sizeof(hdr) },
{ .iov_base = (void *)payload, .iov_len = (size_t)len },
};
struct msghdr msg = { .msg_iov = iov, .msg_iovlen = 2 };
int total = (int)sizeof(hdr) + len;
ssize_t sent = sendmsg(s->cli_fd, &msg, MSG_NOSIGNAL);
if (sent != total) {
L1CTL_LOG("client send error (%zd/%d), closing", sent, total);
close(s->cli_fd);
s->cli_fd = -1;
}
}
/* ---- Process a complete sercomm frame from firmware TX ---- */
static void sercomm_frame_complete(L1CTLSock *s)
{
if (s->sc_len < 2) return; /* need at least DLCI + CTRL */
uint8_t dlci = s->sc_buf[0];
/* uint8_t ctrl = s->sc_buf[1]; */
uint8_t *payload = &s->sc_buf[2];
int plen = s->sc_len - 2;
if (dlci == SERCOMM_DLCI_L1CTL && plen > 0) {
L1CTL_LOG("TX→mobile: dlci=%d len=%d type=0x%02x", dlci, plen, payload[0]);
l1ctl_send_to_mobile(s, payload, plen);
}
/* Ignore other DLCIs (debug console, loader, etc.) */
}
/* ---- Feed firmware UART TX bytes into sercomm parser ---- */
void l1ctl_sock_uart_tx_byte(uint8_t byte)
{
L1CTLSock *s = &g_l1ctl;
switch (s->sc_state) {
case SC_IDLE:
if (byte == SERCOMM_FLAG) {
s->sc_state = SC_IN_FRAME;
s->sc_len = 0;
}
break;
case SC_IN_FRAME:
if (byte == SERCOMM_FLAG) {
if (s->sc_len > 0) {
sercomm_frame_complete(s);
}
/* Stay in IN_FRAME for next frame */
s->sc_len = 0;
} else if (byte == SERCOMM_ESCAPE) {
s->sc_state = SC_ESCAPE;
} else {
if (s->sc_len < (int)sizeof(s->sc_buf)) {
s->sc_buf[s->sc_len++] = byte;
}
}
break;
case SC_ESCAPE:
if (s->sc_len < (int)sizeof(s->sc_buf)) {
s->sc_buf[s->sc_len++] = byte ^ SERCOMM_ESCAPE_XOR;
}
s->sc_state = SC_IN_FRAME;
break;
}
}
/* ---- Receive L1CTL from mobile, inject into firmware UART RX ---- */
static void l1ctl_client_readable(void *opaque)
{
L1CTLSock *s = (L1CTLSock *)opaque;
uint8_t tmp[4096];
ssize_t n = recv(s->cli_fd, tmp, sizeof(tmp), MSG_DONTWAIT);
if (n < 0) {
if (errno == EAGAIN || errno == EWOULDBLOCK)
return; /* no data available yet */
L1CTL_LOG("client recv error: %s", strerror(errno));
qemu_set_fd_handler(s->cli_fd, NULL, NULL, NULL);
close(s->cli_fd);
s->cli_fd = -1;
s->lp_len = 0;
return;
}
if (n == 0) {
L1CTL_LOG("client disconnected");
qemu_set_fd_handler(s->cli_fd, NULL, NULL, NULL);
close(s->cli_fd);
s->cli_fd = -1;
s->lp_len = 0;
return;
}
/* Accumulate in length-prefix buffer */
if (s->lp_len + (int)n > (int)sizeof(s->lp_buf)) {
s->lp_len = 0; /* overflow, reset */
}
memcpy(&s->lp_buf[s->lp_len], tmp, n);
s->lp_len += (int)n;
/* Parse complete L1CTL messages */
while (s->lp_len >= 2) {
int msglen = (s->lp_buf[0] << 8) | s->lp_buf[1];
if (s->lp_len < 2 + msglen) break; /* incomplete */
uint8_t *payload = &s->lp_buf[2];
/* Wrap in sercomm and inject into UART RX */
uint8_t frame[1024];
int flen = sercomm_wrap(SERCOMM_DLCI_L1CTL, payload, msglen,
frame, sizeof(frame));
if (flen > 0 && s->uart) {
L1CTL_LOG("RX←mobile: len=%d type=0x%02x → sercomm %d bytes",
msglen, payload[0], flen);
/* Hex dump of sercomm frame being injected */
{
fprintf(stderr, "[l1ctl-sock] INJECT %d bytes:", flen);
for (int j = 0; j < flen && j < 32; j++)
fprintf(stderr, " %02x", frame[j]);
if (flen > 32) fprintf(stderr, " ...");
fprintf(stderr, "\n");
}
calypso_uart_receive(s->uart, frame, flen);
}
/* Consume from buffer */
int consumed = 2 + msglen;
memmove(s->lp_buf, &s->lp_buf[consumed], s->lp_len - consumed);
s->lp_len -= consumed;
}
}
/* ---- Accept new client connection ---- */
static void l1ctl_accept_cb(void *opaque)
{
L1CTLSock *s = (L1CTLSock *)opaque;
int fd = accept(s->srv_fd, NULL, NULL);
if (fd < 0) return;
/* Only one client at a time */
if (s->cli_fd >= 0) {
L1CTL_LOG("replacing existing client");
qemu_set_fd_handler(s->cli_fd, NULL, NULL, NULL);
close(s->cli_fd);
}
/* Set non-blocking */
int flags = fcntl(fd, F_GETFL);
fcntl(fd, F_SETFL, flags | O_NONBLOCK);
s->cli_fd = fd;
s->lp_len = 0;
s->sc_state = SC_IDLE;
s->sc_len = 0;
qemu_set_fd_handler(fd, l1ctl_client_readable, NULL, s);
L1CTL_LOG("client connected (fd=%d)", fd);
}
/* ---- Init ---- */
void l1ctl_sock_init(CalypsoUARTState *uart, const char *path)
{
L1CTLSock *s = &g_l1ctl;
memset(s, 0, sizeof(*s));
s->srv_fd = -1;
s->cli_fd = -1;
s->uart = uart;
if (!path) path = L1CTL_SOCK_PATH;
/* Remove stale socket */
unlink(path);
/* Create unix socket server */
s->srv_fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (s->srv_fd < 0) {
L1CTL_LOG("ERROR: socket(): %s", strerror(errno));
return;
}
struct sockaddr_un addr;
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
if (bind(s->srv_fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
L1CTL_LOG("ERROR: bind(%s): %s", path, strerror(errno));
close(s->srv_fd);
s->srv_fd = -1;
return;
}
if (listen(s->srv_fd, 1) < 0) {
L1CTL_LOG("ERROR: listen(): %s", strerror(errno));
close(s->srv_fd);
s->srv_fd = -1;
return;
}
/* Set non-blocking */
int flags = fcntl(s->srv_fd, F_GETFL);
fcntl(s->srv_fd, F_SETFL, flags | O_NONBLOCK);
qemu_set_fd_handler(s->srv_fd, l1ctl_accept_cb, NULL, s);
L1CTL_LOG("listening on %s", path);
}
/* ---- Manual poll (called from TDMA tick) ---- */
void l1ctl_sock_poll(void)
{
L1CTLSock *s = &g_l1ctl;
/* Try to accept a pending client */
if (s->srv_fd >= 0 && s->cli_fd < 0) {
int fd = accept(s->srv_fd, NULL, NULL);
if (fd >= 0) {
int flags = fcntl(fd, F_GETFL);
fcntl(fd, F_SETFL, flags | O_NONBLOCK);
s->cli_fd = fd;
s->lp_len = 0;
s->sc_state = SC_IDLE;
s->sc_len = 0;
qemu_set_fd_handler(fd, l1ctl_client_readable, NULL, s);
L1CTL_LOG("client connected via poll (fd=%d)", fd);
}
}
/* Try to read from connected client */
if (s->cli_fd >= 0) {
l1ctl_client_readable(s);
}
}
bool l1ctl_client_active(void)
{
return g_l1ctl.cli_fd >= 0;
}./hw/arm/calypso/calypso_soc.c
/*
* Calypso SoC - TI Calypso DBB (Digital Baseband)
* DEBUG BUILD — verbose memory map logging
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "qapi/error.h"
#include "hw/sysbus.h"
#include "hw/irq.h"
#include "hw/qdev-properties.h"
#include "exec/memory.h"
#include "exec/address-spaces.h"
#include "hw/misc/unimp.h"
#include "sysemu/sysemu.h"
#include "hw/arm/calypso/calypso_soc.h"
#include "hw/arm/calypso/calypso_trx.h"
/* Global reference for TDMA tick to kick UART RX */
CalypsoUARTState *g_uart_modem;
#include "chardev/char-fe.h"
#include "chardev/char.h"
#include "qemu/error-report.h"
#include "hw/arm/calypso/calypso_uart.h"
/* ---- Memory map ---- */
#define CALYPSO_IRAM_BASE 0x00800000
#define CALYPSO_IRAM_SIZE (256 * 1024)
/* ---- Peripheral addresses ---- */
#define CALYPSO_INTH_BASE 0xFFFFFA00
#define CALYPSO_TIMER1_BASE 0xFFFE3800
#define CALYPSO_TIMER2_BASE 0xFFFE3C00
#define CALYPSO_SPI_BASE 0xFFFE3000
#define CALYPSO_KEYPAD_BASE 0xFFFE4800
#define CALYPSO_UART_IRDA 0xFFFF5000
#define CALYPSO_UART_MODEM 0xFFFF5800
/* ---- IRQ numbers ---- */
#define IRQ_TIMER1 1
#define IRQ_TIMER2 2
#define IRQ_UART_MODEM 7
#define IRQ_SPI 13
#define IRQ_UART_IRDA 18
/* ---- Stub MMIO ---- */
static uint64_t calypso_mmio8_read(void *o, hwaddr a, unsigned s) { return 0; }
static void calypso_mmio8_write(void *o, hwaddr a, uint64_t v, unsigned s) {}
static const MemoryRegionOps calypso_mmio8_ops = {
.read = calypso_mmio8_read, .write = calypso_mmio8_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.impl = { .min_access_size = 1, .max_access_size = 1 },
};
static uint64_t calypso_mmio16_read(void *o, hwaddr a, unsigned s) { return 0; }
static void calypso_mmio16_write(void *o, hwaddr a, uint64_t v, unsigned s) {}
static const MemoryRegionOps calypso_mmio16_ops = {
.read = calypso_mmio16_read, .write = calypso_mmio16_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.impl = { .min_access_size = 2, .max_access_size = 2 },
};
/* ---- CNTL register (EXTRA_CONF) at 0xFFFFFD00 ----
* Bit [8:9] = bootrom mapping control
* When cleared (0), IRAM is aliased at 0x00000000
* When set (3), internal ROM is mapped at 0x00000000
*
* On real Calypso, firmware calls calypso_bootrom(0) to disable
* bootrom and enable IRAM at address 0 for exception vectors.
*/
static uint64_t calypso_cntl_read(void *opaque, hwaddr offset, unsigned size)
{
CalypsoSoCState *s = CALYPSO_SOC(opaque);
if (offset == 0) return s->extra_conf;
return 0;
}
static void calypso_cntl_write(void *opaque, hwaddr offset,
uint64_t value, unsigned size)
{
CalypsoSoCState *s = CALYPSO_SOC(opaque);
if (offset != 0) return;
s->extra_conf = (uint16_t)value;
/* Bits [9:8] control bootrom/IRAM mapping at address 0 */
bool bootrom_enabled = (value >> 8) & 3;
if (!bootrom_enabled && !s->iram_at_zero) {
/* Map IRAM at address 0 (higher priority than flash) */
MemoryRegion *sysmem = get_system_memory();
memory_region_init_alias(&s->iram_alias, OBJECT(s),
"calypso.iram_at_zero",
&s->iram, 0, CALYPSO_IRAM_SIZE);
memory_region_add_subregion_overlap(sysmem, 0x00000000,
&s->iram_alias, 1);
s->iram_at_zero = true;
fprintf(stderr, "[SOC] CNTL: IRAM aliased at 0x00000000 (bootrom disabled)\n");
} else if (bootrom_enabled && s->iram_at_zero) {
/* Remove IRAM alias */
memory_region_del_subregion(get_system_memory(), &s->iram_alias);
object_unparent(OBJECT(&s->iram_alias));
s->iram_at_zero = false;
fprintf(stderr, "[SOC] CNTL: IRAM alias removed (bootrom enabled)\n");
}
}
static const MemoryRegionOps calypso_cntl_ops = {
.read = calypso_cntl_read,
.write = calypso_cntl_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.impl = { .min_access_size = 2, .max_access_size = 2 },
};
static uint64_t calypso_kp_read(void *o, hwaddr a, unsigned s) { return 0xFF; }
static void calypso_kp_write(void *o, hwaddr a, uint64_t v, unsigned s) {}
static const MemoryRegionOps calypso_keypad_ops = {
.read = calypso_kp_read, .write = calypso_kp_write,
.endianness = DEVICE_NATIVE_ENDIAN,
};
static void add_stub(MemoryRegion *sys, const char *name,
hwaddr base, const MemoryRegionOps *ops)
{
MemoryRegion *mr = g_new(MemoryRegion, 1);
memory_region_init_io(mr, NULL, ops, NULL, name, 0x100);
memory_region_add_subregion(sys, base, mr);
fprintf(stderr, "[SOC] stub '%s' @ 0x%08lx (0x100)\n", name, (unsigned long)base);
}
/* ================================================================
* SoC realize
* ================================================================ */
static void calypso_soc_realize(DeviceState *dev, Error **errp)
{
CalypsoSoCState *s = CALYPSO_SOC(dev);
SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
MemoryRegion *sysmem = get_system_memory();
Error *err = NULL;
fprintf(stderr, "[SOC] === calypso_soc_realize START ===\n");
/* ---- IRAM at 0x00800000 ONLY ----
* NO alias at 0x00000000 — flash lives there (board-level).
*/
memory_region_init_ram(&s->iram, OBJECT(dev), "calypso.iram",
CALYPSO_IRAM_SIZE, &error_fatal);
memory_region_add_subregion(sysmem, CALYPSO_IRAM_BASE, &s->iram);
fprintf(stderr, "[SOC] IRAM @ 0x%08x (%d KiB) — NO alias at 0x00000000\n",
CALYPSO_IRAM_BASE, CALYPSO_IRAM_SIZE / 1024);
/* ---- INTH ---- */
object_initialize_child(OBJECT(dev), "inth", &s->inth, TYPE_CALYPSO_INTH);
if (!sysbus_realize(SYS_BUS_DEVICE(&s->inth), &err)) {
error_propagate(errp, err); return;
}
sysbus_mmio_map(SYS_BUS_DEVICE(&s->inth), 0, CALYPSO_INTH_BASE);
/* Pass INTH's output IRQs (parent_irq, parent_fiq) through
* the SoC device so the board can connect them to the CPU.
* This avoids the ordering issue where sysbus_connect_irq
* captures a NULL qemu_irq before the board connects it. */
sysbus_pass_irq(sbd, SYS_BUS_DEVICE(&s->inth));
#define INTH_IRQ(n) qdev_get_gpio_in(DEVICE(&s->inth), (n))
/* ---- Timer 1 ---- */
object_initialize_child(OBJECT(dev), "timer1", &s->timer1, TYPE_CALYPSO_TIMER);
if (!sysbus_realize(SYS_BUS_DEVICE(&s->timer1), &err)) {
error_propagate(errp, err); return;
}
sysbus_mmio_map(SYS_BUS_DEVICE(&s->timer1), 0, CALYPSO_TIMER1_BASE);
sysbus_connect_irq(SYS_BUS_DEVICE(&s->timer1), 0, INTH_IRQ(IRQ_TIMER1));
/* ---- Timer 2 ---- */
object_initialize_child(OBJECT(dev), "timer2", &s->timer2, TYPE_CALYPSO_TIMER);
if (!sysbus_realize(SYS_BUS_DEVICE(&s->timer2), &err)) {
error_propagate(errp, err); return;
}
sysbus_mmio_map(SYS_BUS_DEVICE(&s->timer2), 0, CALYPSO_TIMER2_BASE);
sysbus_connect_irq(SYS_BUS_DEVICE(&s->timer2), 0, INTH_IRQ(IRQ_TIMER2));
/* ---- I2C stub ---- */
DeviceState *i2c_dev = qdev_new("calypso-i2c");
sysbus_realize_and_unref(SYS_BUS_DEVICE(i2c_dev), &error_fatal);
sysbus_mmio_map(SYS_BUS_DEVICE(i2c_dev), 0, 0xFFFE1800);
/* ---- SPI ---- */
object_initialize_child(OBJECT(dev), "spi", &s->spi, TYPE_CALYPSO_SPI);
if (!sysbus_realize(SYS_BUS_DEVICE(&s->spi), &err)) {
error_propagate(errp, err); return;
}
sysbus_mmio_map(SYS_BUS_DEVICE(&s->spi), 0, CALYPSO_SPI_BASE);
sysbus_connect_irq(SYS_BUS_DEVICE(&s->spi), 0, INTH_IRQ(IRQ_SPI));
/* ---- UART MODEM ---- */
{
Chardev *chr = qemu_chr_find("modem");
if (!chr) chr = serial_hd(0);
fprintf(stderr, "[SOC] UART modem: chardev → %s\n",
chr ? (chr->label ? chr->label : "(no label)") : "NULL");
object_initialize_child(OBJECT(dev), "uart-modem",
&s->uart_modem, TYPE_CALYPSO_UART);
qdev_prop_set_string(DEVICE(&s->uart_modem), "label", "modem");
if (chr) {
qdev_prop_set_chr(DEVICE(&s->uart_modem), "chardev", chr);
}
if (!sysbus_realize(SYS_BUS_DEVICE(&s->uart_modem), &err)) {
error_propagate(errp, err); return;
}
sysbus_mmio_map(SYS_BUS_DEVICE(&s->uart_modem), 0, CALYPSO_UART_MODEM);
sysbus_connect_irq(SYS_BUS_DEVICE(&s->uart_modem), 0,
INTH_IRQ(IRQ_UART_MODEM));
g_uart_modem = &s->uart_modem;
/* L1CTL socket: sercomm↔L1CTL relay for OsmocomBB mobile */
{
const char *l1ctl_path = getenv("L1CTL_SOCK");
l1ctl_sock_init(&s->uart_modem, l1ctl_path ? l1ctl_path : "/tmp/osmocom_l2");
}
}
/* ---- UART IRDA ---- */
{
Chardev *chr = qemu_chr_find("irda");
if (!chr) chr = serial_hd(1);
object_initialize_child(OBJECT(dev), "uart-irda",
&s->uart_irda, TYPE_CALYPSO_UART);
qdev_prop_set_string(DEVICE(&s->uart_irda), "label", "irda");
if (chr) {
qdev_prop_set_chr(DEVICE(&s->uart_irda), "chardev", chr);
}
if (!sysbus_realize(SYS_BUS_DEVICE(&s->uart_irda), &err)) {
error_propagate(errp, err); return;
}
sysbus_mmio_map(SYS_BUS_DEVICE(&s->uart_irda), 0, CALYPSO_UART_IRDA);
sysbus_connect_irq(SYS_BUS_DEVICE(&s->uart_irda), 0,
INTH_IRQ(IRQ_UART_IRDA));
}
/* ---- TRX bridge (pure hardware) ---- */
{
qemu_irq *irqs = g_new0(qemu_irq, CALYPSO_NUM_IRQS);
for (int i = 0; i < CALYPSO_NUM_IRQS; i++)
irqs[i] = INTH_IRQ(i);
calypso_trx_init(sysmem, irqs);
}
#undef INTH_IRQ
/* ---- Stubs ----
*
* IMPORTANT: NO stub at 0x00000300 ("calypso.low300")!
* That address falls inside the flash range 0x00000000–0x003FFFFF
* and would shadow pflash CFI queries → "Failed to initialize flash!"
*/
add_stub(sysmem, "calypso.keypad", CALYPSO_KEYPAD_BASE, &calypso_keypad_ops);
add_stub(sysmem, "calypso.tmr6800", 0xFFFE6800, &calypso_mmio8_ops);
add_stub(sysmem, "calypso.mmio_80xx", 0xFFFE8000, &calypso_mmio8_ops);
add_stub(sysmem, "calypso.conf", 0xFFFEF000, &calypso_mmio16_ops);
add_stub(sysmem, "calypso.mmio_98xx", 0xFFFF9800, &calypso_mmio16_ops);
add_stub(sysmem, "calypso.dpll", 0xFFFFF000, &calypso_mmio16_ops);
add_stub(sysmem, "calypso.rhea", 0xFFFFF900, &calypso_mmio16_ops);
add_stub(sysmem, "calypso.clkm", 0xFFFFFB00, &calypso_mmio16_ops);
add_stub(sysmem, "calypso.mmio_fcxx", 0xFFFFFC00, &calypso_mmio16_ops);
/* CNTL (EXTRA_CONF) - controls IRAM-at-zero mapping */
memory_region_init_io(&s->cntl_iomem, OBJECT(dev), &calypso_cntl_ops, s,
"calypso.cntl", 0x100);
memory_region_add_subregion(sysmem, 0xFFFFFD00, &s->cntl_iomem);
s->extra_conf = 0x0300; /* bootrom enabled at reset */
s->iram_at_zero = false;
add_stub(sysmem, "calypso.dio", 0xFFFFFF00, &calypso_mmio8_ops);
/* NO calypso.low300 — it overlaps flash! */
/* Catch-all (lowest priority) */
{
MemoryRegion *mr = g_new(MemoryRegion, 1);
memory_region_init_io(mr, NULL, &calypso_mmio8_ops, NULL,
"calypso.catchall", 0x100000);
memory_region_add_subregion_overlap(sysmem, 0xFFF00000, mr, -1);
}
fprintf(stderr, "[SOC] === calypso_soc_realize DONE ===\n");
}
/* ---- QOM boilerplate ---- */
static Property calypso_soc_properties[] = {
DEFINE_PROP_END_OF_LIST(),
};
static void calypso_soc_class_init(ObjectClass *oc, void *data)
{
DeviceClass *dc = DEVICE_CLASS(oc);
dc->realize = calypso_soc_realize;
device_class_set_props(dc, calypso_soc_properties);
dc->user_creatable = false;
}
static const TypeInfo calypso_soc_type_info = {
.name = TYPE_CALYPSO_SOC,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(CalypsoSoCState),
.class_init = calypso_soc_class_init,
};
static void calypso_soc_register_types(void)
{
type_register_static(&calypso_soc_type_info);
}
type_init(calypso_soc_register_types)./hw/intc/calypso_inth.c
/*
* calypso_inth.c — Calypso INTH (Interrupt Handler)
*
* Level-sensitive interrupt controller at 0xFFFFFA00.
* 32 IRQ inputs, priority-based arbitration, IRQ/FIQ routing via ILR.
*
* The Calypso INTH is LEVEL-SENSITIVE: it tracks the current level of
* each input line. When a peripheral deasserts its IRQ (e.g. UART clears
* TX_EMPTY by reading IIR), the INTH immediately sees the change.
*
* Simplified model: no nesting, no irq_in_service blocking. The ARM CPU's
* own CPSR I-bit prevents re-entry. We just present the highest-priority
* active IRQ at all times. Edge-triggered sources (TPU_FRAME=4, TPU_PAGE=5)
* are cleared on IRQ_NUM read.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "hw/irq.h"
#include "hw/sysbus.h"
#include "qemu/log.h"
#include "hw/arm/calypso/calypso_inth.h"
/* ---- Priority arbitration ---- */
static void calypso_inth_update(CalypsoINTHState *s)
{
uint32_t active = s->levels & ~s->mask;
int best_irq = -1, best_irq_prio = 0x7F;
int best_fiq = -1, best_fiq_prio = 0x7F;
/* AUDIT FIX 2026-05-08 night : was a single-best arbitration that
* conflated IRQ and FIQ channels. When both an IRQ-routed and an
* FIQ-routed source were active simultaneously, the higher-priority
* winner would raise its parent line AND lower the other, killing
* any pending interrupt on the losing channel.
*
* In ARM, FIQ and IRQ are two independent CPU lines with separate
* vectors, separate disable bits (CPSR.F vs CPSR.I), and separate
* acknowledgement (FIQ_NUM vs IRQ_NUM registers). They MUST be
* arbitrated independently.
*
* Concrete failure observed under -icount auto :
* SIM (line 6, ILR[6]=0x1ffc → FIQ bit set) raised the FIQ line.
* UART_MODEM (line 7, IRQ-routed) was also active.
* Single-best arbitration picked UART (lower prio value), raised
* parent_irq, LOWERED parent_fiq → ARM never got FIQ → sim_irq_handler
* never ran → rxDoneFlag never set → ARM busy-loop forever at 0x822b90.
*
* Round-robin scan within each channel separately. */
for (int j = 0; j < CALYPSO_INTH_NUM_IRQS; j++) {
int i = (s->rr_start + j) % CALYPSO_INTH_NUM_IRQS;
if (!(active & (1u << i))) continue;
int prio = s->ilr[i] & 0x1F;
int is_fiq = (s->ilr[i] >> 8) & 1;
if (is_fiq) {
if (prio < best_fiq_prio) { best_fiq_prio = prio; best_fiq = i; }
} else {
if (prio < best_irq_prio) { best_irq_prio = prio; best_irq = i; }
}
}
/* Drive parent_irq line independently */
if (best_irq >= 0) {
s->ith_v = best_irq; /* IRQ_NUM read returns this */
qemu_irq_raise(s->parent_irq);
} else {
if (best_fiq < 0) s->ith_v = 0;
qemu_irq_lower(s->parent_irq);
}
/* Drive parent_fiq line independently */
if (best_fiq >= 0) {
s->fiq_v = best_fiq; /* FIQ_NUM read returns this */
qemu_irq_raise(s->parent_fiq);
} else {
qemu_irq_lower(s->parent_fiq);
}
}
/* ---- GPIO input handler (one per IRQ line) ---- */
static void calypso_inth_set_irq(void *opaque, int irq, int level)
{
CalypsoINTHState *s = CALYPSO_INTH(opaque);
/* AUDIT INSTRUMENTATION 2026-05-08 night : trace SIM (irq 6) raises
* with current mask state — disambiguates whether SIM IRQ propagates
* to ARM or is blocked by mask. Cap log to avoid flood. */
if (irq == 6 /* SIM */) {
static unsigned sim_log;
if (sim_log++ < 60)
fprintf(stderr,
"[INTH] LINE-SET sim(6) level=%d mask=0x%08x "
"bit6_masked=%d prev_levels=0x%08x ilr[6]=0x%04x\n",
level, s->mask,
!!(s->mask & (1u<<6)), s->levels, s->ilr[6]);
}
if (level) {
s->levels |= (1u << irq);
} else {
s->levels &= ~(1u << irq);
}
calypso_inth_update(s);
}
/* ---- MMIO read/write ---- */
static uint64_t calypso_inth_read(void *opaque, hwaddr offset, unsigned size)
{
CalypsoINTHState *s = CALYPSO_INTH(opaque);
switch (offset) {
case 0x00: /* IT_REG1 — active bits [15:0] */
return s->levels & 0xFFFF;
case 0x02: /* IT_REG2 — active bits [31:16] */
return (s->levels >> 16) & 0xFFFF;
case 0x08: /* MASK_IT_REG1 */
return s->mask & 0xFFFF;
case 0x0a: /* MASK_IT_REG2 */
return (s->mask >> 16) & 0xFFFF;
case 0x10: /* IRQ_NUM — read returns current highest-priority IRQ */
case 0x80: /* IRQ_NUM (legacy) */
{
uint16_t num = s->ith_v;
/* Clear level for edge-like sources (TPU_FRAME=4, TPU_PAGE=5, API=15).
* These pulse once per event; clearing here prevents re-trigger
* until the next event raises the line again. */
if (num == 4 || num == 5 || num == 15) {
s->levels &= ~(1u << num);
}
/* Re-evaluate immediately: if other active IRQs remain,
* keep CPU IRQ line high so the firmware can chain ISRs
* without returning to the main loop. */
calypso_inth_update(s);
{
static uint32_t total = 0;
static uint32_t irq7_count = 0;
total++;
if (num == 7) {
irq7_count++;
if (irq7_count <= 50 || (irq7_count % 100) == 0)
fprintf(stderr, "[INTH] IRQ7 dispatch #%u (total=%u) levels=0x%08x mask=0x%08x\n",
irq7_count, total, s->levels, s->mask);
}
if (total <= 20 || total == 100 || total == 500 || total == 1000)
fprintf(stderr, "[INTH] IRQ_NUM=%u (#%u) levels=0x%08x mask=0x%08x\n",
num, total, s->levels, s->mask);
}
return num;
}
case 0x12: /* FIQ_NUM */
case 0x82: /* FIQ_NUM (legacy) */
{
/* AUDIT FIX 2026-05-08 night : returns separately-arbitrated FIQ
* source number (was returning ith_v, the IRQ winner — wrong for
* FIQ acknowledgement). Edge-clear for FIQ-routed edge sources too. */
uint16_t num = s->fiq_v;
if (num == 4 || num == 5 || num == 15) {
s->levels &= ~(1u << num);
}
calypso_inth_update(s);
static unsigned fiq_log;
if (fiq_log++ < 30)
fprintf(stderr, "[INTH] FIQ_NUM=%u read levels=0x%08x mask=0x%08x\n",
num, s->levels, s->mask);
return num;
}
case 0x14: /* IRQ_CTRL */
case 0x84: /* IRQ_CTRL (legacy) */
return 0;
default:
if (offset >= 0x20 && offset < 0x60) {
int idx = (offset - 0x20) / 2;
return s->ilr[idx];
}
return 0;
}
}
static void calypso_inth_write(void *opaque, hwaddr offset, uint64_t value,
unsigned size)
{
CalypsoINTHState *s = CALYPSO_INTH(opaque);
switch (offset) {
case 0x08: /* MASK_IT_REG1 */
{
uint32_t old = s->mask;
s->mask = (s->mask & 0xFFFF0000) | (value & 0xFFFF);
/* AUDIT INSTRUMENTATION 2026-05-08 night : trace mask writes to
* disambiguate icount-vs-mask race for SIM IRQ (bit 6). */
static unsigned mask_log;
if (mask_log++ < 50)
fprintf(stderr,
"[INTH] MASK-W LO val=0x%04x full 0x%08x → 0x%08x "
"bit6(SIM)=%d bit7(UART)=%d levels=0x%08x\n",
(unsigned)value, old, s->mask,
!!(s->mask & (1u<<6)), !!(s->mask & (1u<<7)),
s->levels);
calypso_inth_update(s);
break;
}
case 0x0a: /* MASK_IT_REG2 */
{
uint32_t old = s->mask;
s->mask = (s->mask & 0x0000FFFF) | ((value & 0xFFFF) << 16);
static unsigned mask_log_hi;
if (mask_log_hi++ < 50)
fprintf(stderr,
"[INTH] MASK-W HI val=0x%04x full 0x%08x → 0x%08x\n",
(unsigned)value, old, s->mask);
calypso_inth_update(s);
break;
}
case 0x14: /* IRQ_CTRL — end-of-service acknowledge */
case 0x84:
{
/* Advance round-robin past the IRQ just serviced.
* Only advance if the serviced IRQ was actually active
* (not a spurious read of ith_v=0 when nothing was pending). */
uint16_t svc = s->ith_v;
if (svc > 0 || (s->levels & 1)) {
/* Real IRQ was serviced — advance past it */
s->rr_start = (svc + 1) % CALYPSO_INTH_NUM_IRQS;
}
calypso_inth_update(s);
break;
}
default:
if (offset >= 0x20 && offset < 0x60) {
int idx = (offset - 0x20) / 2;
s->ilr[idx] = value & 0x1FFF;
/* Force UART (IRQ7) to same priority as TPU_FRAME (IRQ4).
* Firmware sets IRQ7 to prio 31 which causes starvation. */
if (idx == 7) {
s->ilr[7] = (s->ilr[7] & ~0x1F) | (s->ilr[4] & 0x1F);
}
}
break;
}
}
static const MemoryRegionOps calypso_inth_ops = {
.read = calypso_inth_read,
.write = calypso_inth_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.valid = { .min_access_size = 1, .max_access_size = 2 },
.impl = { .min_access_size = 1, .max_access_size = 2 },
};
/* ---- QOM lifecycle ---- */
static void calypso_inth_realize(DeviceState *dev, Error **errp)
{
CalypsoINTHState *s = CALYPSO_INTH(dev);
memory_region_init_io(&s->iomem, OBJECT(dev), &calypso_inth_ops, s,
"calypso-inth", 0x100);
sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->parent_irq);
sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->parent_fiq);
qdev_init_gpio_in(dev, calypso_inth_set_irq, CALYPSO_INTH_NUM_IRQS);
}
static void calypso_inth_reset(DeviceState *dev)
{
CalypsoINTHState *s = CALYPSO_INTH(dev);
s->levels = 0;
s->mask = 0x00000000;
s->ith_v = 0;
s->fiq_v = 0;
s->irq_in_service = -1;
s->rr_start = 0;
memset(s->ilr, 0, sizeof(s->ilr));
}
static void calypso_inth_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = calypso_inth_realize;
device_class_set_legacy_reset(dc, calypso_inth_reset);
dc->desc = "Calypso INTH interrupt controller";
}
static const TypeInfo calypso_inth_info = {
.name = TYPE_CALYPSO_INTH,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(CalypsoINTHState),
.class_init = calypso_inth_class_init,
};
static void calypso_inth_register_types(void)
{
type_register_static(&calypso_inth_info);
}
type_init(calypso_inth_register_types)./hw/char/calypso_uart.c
/*
* calypso_uart.c — Calypso UART
*
* Pragmatic emulation for the Compal/Calypso loader path:
* - strict 8-bit MMIO accesses
* - banked registers via LCR[7] / LCR==0xBF
* - SCR / SSR implemented
* - RX FIFO with verbose debug
* - raw RX/TX dumps to /tmp/qemu-*.raw
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "hw/sysbus.h"
#include "hw/irq.h"
#include "chardev/char-fe.h"
#include "qemu/log.h"
#include "qemu/timer.h"
#include "qemu/main-loop.h"
#include "hw/qdev-properties.h"
#include "hw/qdev-properties-system.h"
#include "hw/arm/calypso/calypso_uart.h"
#include "hw/arm/calypso/calypso_trx.h"
#include "hw/arm/calypso/sercomm_gate.h"
/* Register offsets */
#define REG_RBR_THR 0x00
#define REG_IER 0x01
#define REG_IIR_FCR 0x02
#define REG_LCR 0x03
#define REG_MCR 0x04
#define REG_LSR 0x05
#define REG_MSR 0x06
#define REG_SPR 0x07
#define REG_MDR1 0x08
#define REG_SCR 0x10
#define REG_SSR 0x11
/* IER bits */
#define IER_RX_DATA (1 << 0)
#define IER_TX_EMPTY (1 << 1)
#define IER_RX_LINE (1 << 2)
/* IIR values */
#define IIR_NO_INT 0x01
#define IIR_RX_LINE 0x06
#define IIR_RX_DATA 0x04
#define IIR_TX_EMPTY 0x02
/* LCR bits */
#define LCR_DLAB (1 << 7)
#define LCR_CONF_BF 0xBF
/* LSR bits */
#define LSR_DR (1 << 0)
#define LSR_OE (1 << 1)
#define LSR_THRE (1 << 5)
#define LSR_TEMT (1 << 6)
/* MSR bits */
#define MSR_CTS (1 << 4)
#define MSR_DSR (1 << 5)
#define MSR_DCD (1 << 7)
/* FCR bits */
#define FCR_FIFO_EN (1 << 0)
#define FCR_RX_RESET (1 << 1)
#define FCR_TX_RESET (1 << 2)
/* SSR bits (minimal model) */
#define SSR_TX_FIFO_FULL (1 << 0)
/**
* uart_log_raw - Log raw UART data to a file
* @path: Path to the log file
* @buf: Buffer containing the data
* @len: Length of the data
*
* Appends binary data to the specified file. Used for debugging
* modem and IrDA traffic. Silently ignores errors.
*/
static void uart_log_raw(const char *path, const uint8_t *buf, size_t len)
{
FILE *f = fopen(path, "ab");
if (!f) {
return;
}
fwrite(buf, 1, len, f);
fclose(f);
}
/* ---- FIFO helpers ---- */
/**
* fifo_reset - Reset the RX FIFO state
* @s: UART device state
*/
static void fifo_reset(CalypsoUARTState *s)
{
s->rx_head = 0;
s->rx_tail = 0;
s->rx_count = 0;
}
/**
* fifo_push - Push a byte into the RX FIFO
* @s: UART device state
* @data: Byte to push
*
* Sets overrun error flag if FIFO is full.
*/
static void fifo_push(CalypsoUARTState *s, uint8_t data)
{
if (s->rx_count >= CALYPSO_UART_RX_FIFO_SIZE) {
s->lsr |= LSR_OE;
fprintf(stderr,
"[UART:%s] RX FIFO OVERFLOW drop=0x%02x count=%u size=%u\n",
s->label ? s->label : "?",
data,
(unsigned)s->rx_count,
(unsigned)CALYPSO_UART_RX_FIFO_SIZE);
return;
}
s->rx_fifo[s->rx_head] = data;
s->rx_head = (s->rx_head + 1) % CALYPSO_UART_RX_FIFO_SIZE;
s->rx_count++;
}
/**
* fifo_pop - Pop a byte from the RX FIFO
* @s: UART device state
*
* Returns: The popped byte, or 0 if FIFO is empty.
*/
static uint8_t fifo_pop(CalypsoUARTState *s)
{
uint8_t data = 0;
if (s->rx_count == 0) {
return 0;
}
data = s->rx_fifo[s->rx_tail];
s->rx_tail = (s->rx_tail + 1) % CALYPSO_UART_RX_FIFO_SIZE;
s->rx_count--;
return data;
}
/* ---- IRQ ---- */
static void calypso_uart_update_irq(CalypsoUARTState *s)
{
uint8_t iir = IIR_NO_INT;
bool want = false;
if ((s->ier & IER_RX_LINE) && (s->lsr & LSR_OE)) {
iir = IIR_RX_LINE;
want = true;
} else if ((s->ier & IER_RX_DATA) && (s->lsr & LSR_DR)) {
iir = IIR_RX_DATA;
want = true;
} else if ((s->ier & IER_TX_EMPTY) && s->thr_empty_pending) {
iir = IIR_TX_EMPTY;
want = true;
}
s->iir = iir;
/* Force edge transition so INTH always sees the change.
* After IRQ_CTRL ack clears levels[n], a steady-high line
* needs a low→high pulse to re-register in the INTH. */
qemu_irq_lower(s->irq);
if (want) {
qemu_irq_raise(s->irq);
}
}
void calypso_uart_kick_rx(CalypsoUARTState *s)
{
if (s->rx_count > 0 && (s->lsr & LSR_DR)) {
/* Force IRQ re-evaluation by pulsing the IRQ line */
qemu_irq_lower(s->irq);
calypso_uart_update_irq(s);
}
}
void calypso_uart_poll_backend(CalypsoUARTState *s)
{
qemu_chr_fe_accept_input(&s->chr);
}
void calypso_uart_kick_tx(CalypsoUARTState *s)
{
/* Re-check TX interrupt state — if THR is empty and IER TX enabled,
* fire the interrupt so firmware can write next byte. */
calypso_uart_update_irq(s);
}
void calypso_uart_inject_raw(CalypsoUARTState *s, const uint8_t *buf, int len)
{
if (!s) return;
for (int i = 0; i < len; i++) {
fifo_push(s, buf[i]);
}
if (s->rx_count > 0) {
s->lsr |= LSR_DR;
calypso_uart_update_irq(s);
}
}
void calypso_uart_force_init(CalypsoUARTState *s)
{
/* Force UART into operational state for firmware that gets stuck
* before completing its own UART init (e.g. trx.highram.elf).
* Sets MDR1=UART16x, enables RX+TX interrupts. */
if (s->mdr1 != 0x00) {
s->mdr1 = 0x00; /* UART 16x mode */
s->scr = 0x01;
}
s->ier = 0x03; /* RX + TX interrupts enabled */
calypso_uart_update_irq(s);
}
/* ---- RX poll timer ----
* QEMU's chardev backend (PTY) only delivers data during the main event
* loop. If the ARM CPU runs in a tight loop without yielding, incoming
* bytes accumulate in the PTY buffer and never reach calypso_uart_receive.
* This periodic timer forces QEMU to check for pending chardev input. */
#define UART_RX_POLL_NS (10 * 1000 * 1000) /* 10 ms */
static void calypso_uart_rx_poll(void *opaque)
{
CalypsoUARTState *s = (CalypsoUARTState *)opaque;
/* AUDIT FIX 2026-05-08 night : `main_loop_wait(false)` removed.
*
* In QEMU API, the parameter is named `nonblocking`. `false` means
* BLOCKING — the prior comment "non-blocking poll" was wrong.
* Worse, calling main_loop_wait from a timer callback creates
* arbitrary recursion : the very loop that dispatched this REALTIME
* timer is re-entered from within itself.
*
* Under -icount, this breaks the invariant
* virtual_time = icount * (1 << shift)
* because nested TCG bursts update icount non-monotonically relative
* to the outer loop's scheduling decisions ; the auto-tune algorithm
* drifts and VIRTUAL-clock timers (tdma/firq) miss their deadlines
* for seconds at a time. Symptom : bridge UDP path frozen under any
* `icount != off`.
*
* `qemu_chr_fe_accept_input` alone is what's needed : it signals the
* chardev backend that more bytes can be delivered. The main loop
* resumes naturally at the end of this callback.
*
* Diagnosed by Claude web event-loop audit 2026-05-08. The user
* wants `CALYPSO_ICOUNT != off` to work end-to-end. */
qemu_chr_fe_accept_input(&s->chr);
/* Re-arm (realtime, 50ms) */
timer_mod(s->rx_poll_timer,
qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + 50);
}
/* ---- Control PTY callbacks ---- */
/* ---- Calypso romloader stub --------------------------------------------
*
* On real hardware the Compal/Calypso boots into a small ROM-resident
* "romloader" that speaks a simple framed protocol over UART:
*
* <i (0x3c 0x69) ident → ack >i + param >p ...
* <w (0x3c 0x77) hdr(8B) data(N) write block → >w (or >W on err)
* <c (0x3c 0x63) chk(1B) checksum → >c (or >C)
* <b (0x3c 0x62) addr(4B BE) branch → >b → run firmware
*
* osmocon performs this handshake before it switches to bridging the
* mobile↔firmware sercomm channel. Our QEMU loads the firmware via -kernel
* and never runs the bootloader, so without this stub osmocon loops on
* "Waiting for handshake".
*
* The stub eats every modem-UART RX byte until the branch ack is sent,
* fakes the protocol responses (no actual download — the firmware is
* already in RAM), then enables passthrough so subsequent traffic flows
* to the firmware sercomm parser as usual.
*
* The param ack advertises a payload size of 1024 bytes, so each <w
* block is 8 (header continuation) + 1024 (data) bytes after the 0x77.
*/
typedef enum {
ROM_IDLE, /* waiting for 0x3c lead-in */
ROM_AFTER_3C, /* saw 0x3c, expecting cmd char */
ROM_BLOCK_DATA, /* consuming write block payload */
ROM_CHK_DATA, /* consuming 1-byte checksum */
ROM_BR_DATA, /* consuming 4-byte branch address */
ROM_PASSTHROUGH, /* handshake complete — bytes go to sercomm */
} RomloadState;
static struct {
RomloadState state;
int needed; /* bytes still expected for current block */
uint16_t payload_size; /* what we advertised in param ack */
} romload = {
.state = ROM_IDLE,
.payload_size = 1024,
};
/* Returns true when the byte was consumed by the stub (must NOT be
* forwarded to sercomm). Returns false when passthrough is active. */
static bool romload_stub_eat(CalypsoUARTState *s, uint8_t b)
{
if (romload.state == ROM_PASSTHROUGH) {
return false;
}
switch (romload.state) {
case ROM_IDLE:
if (b == 0x3c) {
romload.state = ROM_AFTER_3C;
}
/* discard pre-handshake noise */
return true;
case ROM_AFTER_3C: {
if (b == 0x69) {
/* <i ident → reply >i then >p (param ack with payload size LE) */
uint8_t ack[6] = {
0x3e, 0x69, /* >i */
0x3e, 0x70, /* >p */
(uint8_t)((romload.payload_size + 10) & 0xFF),
(uint8_t)(((romload.payload_size + 10) >> 8) & 0xFF),
};
qemu_chr_fe_write_all(&s->chr, ack, sizeof(ack));
fprintf(stderr, "[UART:modem] ROMLOAD STUB: ident → ack+param "
"(payload_size=%u)\n", romload.payload_size);
romload.state = ROM_IDLE;
} else if (b == 0x77) {
/* <w block: 8 hdr-cont (idx, num+1, sz_msb, sz_lsb, addr×4)
* + payload_size data bytes still to read */
romload.state = ROM_BLOCK_DATA;
romload.needed = 8 + romload.payload_size;
} else if (b == 0x63) {
romload.state = ROM_CHK_DATA;
romload.needed = 1;
} else if (b == 0x62) {
romload.state = ROM_BR_DATA;
romload.needed = 4;
} else {
/* unknown command — discard and resync */
romload.state = ROM_IDLE;
}
return true;
}
case ROM_BLOCK_DATA:
if (--romload.needed == 0) {
uint8_t ack[2] = { 0x3e, 0x77 }; /* >w */
qemu_chr_fe_write_all(&s->chr, ack, sizeof(ack));
romload.state = ROM_IDLE;
}
return true;
case ROM_CHK_DATA:
if (--romload.needed == 0) {
/* osmocon's handle_read_romload sets buf_used_len=3 in
* WAITING_CHECKSUM_ACK: it waits for ">c" + a trailing byte
* (used for the nack diagnostic). The 2-byte ack alone
* keeps it blocked. Echo the checksum byte we just got. */
uint8_t ack[3] = { 0x3e, 0x63, b }; /* >c <chk> */
qemu_chr_fe_write_all(&s->chr, ack, sizeof(ack));
fprintf(stderr, "[UART:modem] ROMLOAD STUB: checksum 0x%02x → ack\n",
b);
romload.state = ROM_IDLE;
}
return true;
case ROM_BR_DATA:
if (--romload.needed == 0) {
uint8_t ack[2] = { 0x3e, 0x62 }; /* >b */
qemu_chr_fe_write_all(&s->chr, ack, sizeof(ack));
fprintf(stderr, "[UART:modem] ROMLOAD STUB: branch → ack — "
"switching to sercomm passthrough\n");
romload.state = ROM_PASSTHROUGH;
}
return true;
case ROM_PASSTHROUGH:
return false;
}
return false;
}
int calypso_uart_can_receive(void *opaque)
{
CalypsoUARTState *s = (CalypsoUARTState *)opaque;
return CALYPSO_UART_RX_FIFO_SIZE - s->rx_count;
}
void calypso_uart_receive(void *opaque, const uint8_t *buf, int size)
{
CalypsoUARTState *s = (CalypsoUARTState *)opaque;
/* RX = host → firmware. Modem UART tagged [PTY-MODEM-RX]
* (generic — actual DLCI dispatch is logged downstream by the
* sercomm parser, e.g. [gate] TRXC RX from PTY for DLCI 4). */
{
const char *tag = (s->label && !strcmp(s->label, "modem"))
? "PTY-MODEM-RX" : "UART";
const char *lbl = (s->label && !strcmp(s->label, "modem"))
? "" : s->label ? s->label : "?";
fprintf(stderr,
"[%s%s%s] <<<RX %d bytes (rx_count=%u free=%u):",
tag, *lbl ? ":" : "", lbl,
size,
(unsigned)s->rx_count,
(unsigned)(CALYPSO_UART_RX_FIFO_SIZE - s->rx_count));
for (int i = 0; i < size && i < 64; i++)
fprintf(stderr, " %02x", buf[i]);
if (size > 64) fprintf(stderr, " ...");
fprintf(stderr, "\n");
}
if (s->label && !strcmp(s->label, "modem")) {
uart_log_raw("/tmp/qemu-modem-rx.raw", buf, size);
} else if (s->label && !strcmp(s->label, "irda")) {
uart_log_raw("/tmp/qemu-irda-rx.raw", buf, size);
}
/* IrDA UART: burst-only channel from bridge.
* Parse sercomm, extract DLCI 4, route to calypso_trx_rx_burst.
* Nothing goes to FIFO — this UART is dedicated to bursts. */
if (s->label && !strcmp(s->label, "irda")) {
static uint8_t ir_buf[512];
static int ir_len = 0;
static int ir_state = 0;
for (int i = 0; i < size; i++) {
uint8_t b = buf[i];
if (ir_state == 0) {
if (b == 0x7E) { ir_state = 1; ir_len = 0; }
} else if (ir_state == 2) {
if (ir_len < (int)sizeof(ir_buf)) ir_buf[ir_len++] = b ^ 0x20;
ir_state = 1;
} else {
if (b == 0x7E) {
if (ir_len >= 2 && ir_buf[0] == 4)
calypso_trx_rx_burst(&ir_buf[2], ir_len - 2);
ir_len = 0;
} else if (b == 0x7D) {
ir_state = 2;
} else {
if (ir_len < (int)sizeof(ir_buf)) ir_buf[ir_len++] = b;
}
}
}
return;
}
/* Modem UART: filter through the romloader stub first. While the
* stub is in handshake mode it eats every byte and replies on the
* same chardev to satisfy osmocon. Once branch ack has fired, the
* stub goes passthrough and the remaining bytes flow into the
* sercomm parser as before. */
if (s->label && !strcmp(s->label, "modem")) {
uint8_t passthrough[CALYPSO_UART_RX_FIFO_SIZE];
int pt_len = 0;
for (int i = 0; i < size; i++) {
if (!romload_stub_eat(s, buf[i])) {
passthrough[pt_len++] = buf[i];
}
}
if (pt_len > 0) {
sercomm_gate_feed(s, passthrough, pt_len);
}
return;
}
/* Non-modem UARTs (irda is already handled above): pass directly. */
sercomm_gate_feed(s, buf, size);
if (s->rx_count > 0) {
s->lsr |= LSR_DR;
}
calypso_uart_update_irq(s);
}
/* ---- MMIO ---- */
static uint64_t calypso_uart_read(void *opaque, hwaddr offset, unsigned size)
{
CalypsoUARTState *s = CALYPSO_UART(opaque);
uint64_t val = 0;
switch (offset) {
case REG_RBR_THR:
if (s->lcr & LCR_DLAB) {
val = s->dll;
} else {
val = fifo_pop(s);
if (s->rx_count > 0) {
s->lsr |= LSR_DR;
} else {
s->lsr &= ~LSR_DR;
}
/* RBR debug: log bytes read by firmware from modem UART */
if (s->label && !strcmp(s->label, "modem")) {
static int rbr_log = 0;
if (rbr_log < 200) {
fprintf(stderr, "[UART-RBR] pop=0x%02x rx_count=%u\n",
(unsigned)(val & 0xFF), (unsigned)s->rx_count);
rbr_log++;
}
}
calypso_uart_update_irq(s);
}
break;
case REG_IER:
if (s->lcr & LCR_DLAB) {
val = s->dlh;
} else {
val = s->ier;
}
break;
case REG_IIR_FCR:
if (s->lcr == LCR_CONF_BF) {
val = s->efr;
} else {
val = s->iir;
if ((s->iir & 0x0F) == IIR_TX_EMPTY) {
/* TX burst drain: don't clear pending on the first read.
* This lets the firmware ISR loop and drain multiple bytes.
* Clear only after 2 consecutive reads without a THR write
* (meaning the ISR has no more data to send). */
s->tx_empty_reads++;
if (s->tx_empty_reads >= 2) {
s->thr_empty_pending = false;
s->tx_empty_reads = 0;
calypso_uart_update_irq(s);
}
}
}
break;
case REG_LCR:
val = s->lcr;
break;
case REG_MCR:
if (s->lcr == LCR_CONF_BF) {
val = s->xon1;
} else {
val = s->mcr;
}
break;
case REG_LSR:
if (s->lcr == LCR_CONF_BF) {
val = s->xon2;
} else {
val = s->lsr;
s->lsr &= ~LSR_OE;
}
break;
case REG_MSR:
if (s->lcr == LCR_CONF_BF) {
val = s->xoff1;
} else {
val = MSR_CTS | MSR_DSR | MSR_DCD;
}
break;
case REG_SPR:
if (s->lcr == LCR_CONF_BF) {
val = s->xoff2;
} else {
val = s->spr;
}
break;
case REG_MDR1:
val = s->mdr1;
break;
case REG_SCR:
val = s->scr;
break;
case REG_SSR:
val = s->ssr & ~SSR_TX_FIFO_FULL;
break;
default:
break;
}
return val;
}
static void calypso_uart_write(void *opaque, hwaddr offset,
uint64_t value, unsigned size)
{
CalypsoUARTState *s = CALYPSO_UART(opaque);
switch (offset) {
case REG_RBR_THR:
if (s->lcr & LCR_DLAB) {
s->dll = value;
} else {
uint8_t ch = (uint8_t)value;
/* TX trace: tag modem UART as L1CTL-PTY.
* Per-byte log is volume-heavy (>140k lines per minute under
* fw-console "LOST N!" flood). Gated on env CALYPSO_UART_TRACE=1
* (default OFF) to keep host I/O free for QEMU emulation —
* heavy stderr writes were causing BTS to die from "No more
* clock from transceiver" because bridge couldn't get scheduled. */
{
static int trace_enabled = -1;
if (trace_enabled < 0) {
const char *e = getenv("CALYPSO_UART_TRACE");
trace_enabled = (e && *e == '1') ? 1 : 0;
}
if (trace_enabled) {
const char *tag = (s->label && !strcmp(s->label, "modem"))
? "L1CTL-PTY" : "UART";
const char *lbl = (s->label && !strcmp(s->label, "modem"))
? "" : s->label ? s->label : "?";
fprintf(stderr, "[%s%s%s] >>>TX %02x\n",
tag, *lbl ? ":" : "", lbl, ch);
}
}
if (s->label && !strcmp(s->label, "modem")) {
uart_log_raw("/tmp/qemu-modem-tx.raw", &ch, 1);
} else if (s->label && !strcmp(s->label, "irda")) {
uart_log_raw("/tmp/qemu-irda-tx.raw", &ch, 1);
}
qemu_chr_fe_write_all(&s->chr, &ch, 1);
/* Feed TX byte to L1CTL socket (sercomm parser) */
if (s->label && !strcmp(s->label, "modem")) {
l1ctl_sock_uart_tx_byte(ch);
}
s->lsr |= LSR_THRE | LSR_TEMT;
s->thr_empty_pending = true;
s->tx_empty_reads = 0; /* reset burst counter — ISR wrote a byte */
calypso_uart_update_irq(s);
}
break;
case REG_IER:
if (s->lcr & LCR_DLAB) {
s->dlh = value;
} else {
uint8_t old = s->ier;
s->ier = value & 0x0F;
if (old != s->ier && s->label && strcmp(s->label, "modem") != 0) {
fprintf(stderr, "[UART:%s] IER=0x%02x (RX=%d TX=%d)\n",
s->label ? s->label : "?",
s->ier,
!!(s->ier & IER_RX_DATA),
!!(s->ier & IER_TX_EMPTY));
}
if (!(old & IER_TX_EMPTY) &&
(s->ier & IER_TX_EMPTY) &&
(s->lsr & LSR_THRE)) {
s->thr_empty_pending = true;
}
calypso_uart_update_irq(s);
}
break;
case REG_IIR_FCR:
if (s->lcr == LCR_CONF_BF) {
s->efr = value;
} else {
s->fcr = value;
if (value & FCR_RX_RESET) {
if (s->rx_count > 0) {
fprintf(stderr, "[UART:%s] FCR_RX_RESET with %u bytes in FIFO!\n",
s->label ? s->label : "?", (unsigned)s->rx_count);
}
fifo_reset(s);
s->lsr &= ~LSR_DR;
}
if (value & FCR_TX_RESET) {
s->thr_empty_pending = false;
s->lsr |= LSR_THRE | LSR_TEMT;
}
calypso_uart_update_irq(s);
}
break;
case REG_LCR:
s->lcr = value;
break;
case REG_MCR:
if (s->lcr == LCR_CONF_BF) {
s->xon1 = value;
} else {
s->mcr = value;
}
break;
case REG_LSR:
if (s->lcr == LCR_CONF_BF) {
s->xon2 = value;
}
break;
case REG_MSR:
if (s->lcr == LCR_CONF_BF) {
s->xoff1 = value;
}
break;
case REG_SPR:
if (s->lcr == LCR_CONF_BF) {
s->xoff2 = value;
} else {
s->spr = value;
}
break;
case REG_MDR1:
s->mdr1 = value;
fprintf(stderr, "[UART:%s] MDR1=0x%02x\n",
s->label ? s->label : "?",
(unsigned)value);
break;
case REG_SCR:
s->scr = value;
fprintf(stderr, "[UART:%s] SCR=0x%02x\n",
s->label ? s->label : "?",
(unsigned)value);
break;
case REG_SSR:
s->ssr = value;
break;
default:
break;
}
}
static const MemoryRegionOps calypso_uart_ops = {
.read = calypso_uart_read,
.write = calypso_uart_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.impl = { .min_access_size = 1, .max_access_size = 1 },
.valid = { .min_access_size = 1, .max_access_size = 1 },
};
/* ---- QOM ---- */
static void calypso_uart_realize(DeviceState *dev, Error **errp)
{
CalypsoUARTState *s = CALYPSO_UART(dev);
bool connected;
memory_region_init_io(&s->iomem, OBJECT(dev), &calypso_uart_ops, s,
"calypso-uart", 0x100);
sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq);
connected = qemu_chr_fe_backend_connected(&s->chr);
fprintf(stderr, "### UART PATCH ACTIVE ###\n");
fprintf(stderr, "[UART:%s] realize: chardev %s\n",
s->label ? s->label : "?",
connected ? "CONNECTED" : "NONE");
if (connected) {
qemu_chr_fe_set_handlers(&s->chr,
calypso_uart_can_receive,
calypso_uart_receive,
NULL, NULL,
s,
NULL, true);
fprintf(stderr, "[UART:%s] handlers installed, opaque=%p\n",
s->label ? s->label : "?",
(void *)s);
/* Start RX poll timer using REALTIME clock to force the CPU to
* yield and process chardev I/O from the PTY backend. */
s->rx_poll_timer = timer_new_ms(QEMU_CLOCK_REALTIME,
calypso_uart_rx_poll, s);
timer_mod(s->rx_poll_timer,
qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + 10);
}
}
static void calypso_uart_reset_state(DeviceState *dev)
{
CalypsoUARTState *s = CALYPSO_UART(dev);
s->ier = 0;
s->iir = IIR_NO_INT;
s->fcr = 0;
s->lcr = 0;
s->mcr = 0;
s->lsr = LSR_THRE | LSR_TEMT;
s->msr = MSR_CTS | MSR_DSR | MSR_DCD;
s->spr = 0;
s->dll = 0;
s->dlh = 0;
s->mdr1 = 0;
s->efr = 0;
s->xon1 = 0;
s->xon2 = 0;
s->xoff1 = 0;
s->xoff2 = 0;
s->scr = 0;
s->ssr = 0;
s->thr_empty_pending = false;
fifo_reset(s);
}
static Property calypso_uart_properties[] = {
DEFINE_PROP_CHR("chardev", CalypsoUARTState, chr),
DEFINE_PROP_STRING("label", CalypsoUARTState, label),
DEFINE_PROP_END_OF_LIST(),
};
static void calypso_uart_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = calypso_uart_realize;
device_class_set_legacy_reset(dc, calypso_uart_reset_state);
dc->desc = "Calypso UART";
device_class_set_props(dc, calypso_uart_properties);
}
static const TypeInfo calypso_uart_info = {
.name = TYPE_CALYPSO_UART,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(CalypsoUARTState),
.class_init = calypso_uart_class_init,
};
static void calypso_uart_register_types(void)
{
type_register_static(&calypso_uart_info);
}
type_init(calypso_uart_register_types)./hw/ssi/calypso_spi.c
/*
* calypso_spi.c — Calypso SPI + TWL3025 ABB
*
* REWRITE: Correct register map + poweroff blocking.
*
* The OsmocomBB loader calls twl3025_power_off() (writes TOGBR1 bit 0)
* whenever flash_init() fails. In QEMU we block this to keep the
* loader alive so osmoload can still inject firmware.
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "hw/sysbus.h"
#include "hw/irq.h"
#include "qemu/log.h"
#include "hw/arm/calypso/calypso_spi.h"
/* Register offsets */
#define SPI_REG_SET1 0x00
#define SPI_REG_SET2 0x02
#define SPI_REG_CTRL 0x04
#define SPI_REG_STATUS 0x06
#define SPI_REG_TX_LSB 0x08
#define SPI_REG_TX_MSB 0x0A
#define SPI_REG_RX_LSB 0x0C
#define SPI_REG_RX_MSB 0x0E
/* CTRL bits */
#define SPI_CTRL_START (1 << 0)
/* ---- TWL3025 ABB SPI transaction ---- */
static uint16_t twl3025_spi_xfer(CalypsoSPIState *s, uint16_t tx)
{
int read = (tx >> 15) & 1;
int addr = (tx >> 6) & 0x1FF;
int wdata = tx & 0x3F;
if (addr >= 256) {
addr = 0;
}
if (read) {
fprintf(stderr, "[SPI] ABB read addr=0x%02x → 0x%04x\n",
addr, s->abb_regs[addr]);
return s->abb_regs[addr];
} else {
fprintf(stderr, "[SPI] ABB write addr=0x%02x data=0x%02x", addr, wdata);
/* ---- TOGBR1 (0x09): power control toggle ----
* Bit 0 (TOGB) = power off the phone.
* The loader calls twl3025_power_off() which writes 1 here
* whenever flash_init() fails.
* We BLOCK this to keep the loader alive in QEMU.
*/
if (addr == ABB_TOGBR1 && (wdata & 0x01)) {
fprintf(stderr, " *** POWEROFF BLOCKED (TOGBR1 bit 0) ***\n");
return 0; /* Don't store, don't poweroff */
}
/* ---- TOGBR2 (0x0A): other toggles ---- */
if (addr == ABB_TOGBR2) {
fprintf(stderr, " (TOGBR2)\n");
s->abb_regs[addr] = wdata;
return 0;
}
fprintf(stderr, "\n");
s->abb_regs[addr] = wdata;
if (addr == ABB_VRPCDEV) {
s->abb_regs[ABB_VRPCSTS] = 0x1F;
}
return 0;
}
}
/* ---- MMIO read ---- */
static uint64_t calypso_spi_read(void *opaque, hwaddr offset, unsigned size)
{
CalypsoSPIState *s = CALYPSO_SPI(opaque);
switch (offset) {
case SPI_REG_SET1:
return s->set1;
case SPI_REG_SET2:
return s->set2;
case SPI_REG_CTRL:
return s->ctrl;
case SPI_REG_STATUS:
return SPI_STATUS_RE;
case SPI_REG_TX_LSB:
return s->tx_data & 0xFF;
case SPI_REG_TX_MSB:
return (s->tx_data >> 8) & 0xFF;
case SPI_REG_RX_LSB:
return s->rx_data & 0xFF;
case SPI_REG_RX_MSB:
return (s->rx_data >> 8) & 0xFF;
default:
qemu_log_mask(LOG_UNIMP, "calypso-spi: read at 0x%02x\n",
(unsigned)offset);
return 0;
}
}
/* ---- MMIO write ---- */
static void calypso_spi_write(void *opaque, hwaddr offset, uint64_t value,
unsigned size)
{
CalypsoSPIState *s = CALYPSO_SPI(opaque);
switch (offset) {
case SPI_REG_SET1:
s->set1 = value & 0xFFFF;
break;
case SPI_REG_SET2:
s->set2 = value & 0xFFFF;
break;
case SPI_REG_CTRL:
s->ctrl = value & 0xFFFF;
if (value & SPI_CTRL_START) {
s->rx_data = twl3025_spi_xfer(s, s->tx_data);
qemu_irq_pulse(s->irq);
}
break;
case SPI_REG_STATUS:
break;
case SPI_REG_TX_LSB:
s->tx_data = (s->tx_data & 0xFF00) | (value & 0xFF);
break;
case SPI_REG_TX_MSB:
s->tx_data = (s->tx_data & 0x00FF) | ((value & 0xFF) << 8);
break;
case SPI_REG_RX_LSB:
case SPI_REG_RX_MSB:
break;
default:
qemu_log_mask(LOG_UNIMP, "calypso-spi: write 0x%04x at 0x%02x\n",
(unsigned)value, (unsigned)offset);
break;
}
}
static const MemoryRegionOps calypso_spi_ops = {
.read = calypso_spi_read,
.write = calypso_spi_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.impl = { .min_access_size = 2, .max_access_size = 2 },
};
/* ---- QOM lifecycle ---- */
static void calypso_spi_realize(DeviceState *dev, Error **errp)
{
CalypsoSPIState *s = CALYPSO_SPI(dev);
memory_region_init_io(&s->iomem, OBJECT(dev), &calypso_spi_ops, s,
"calypso-spi", 0x100);
sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq);
}
static void calypso_spi_reset(DeviceState *dev)
{
CalypsoSPIState *s = CALYPSO_SPI(dev);
s->set1 = 0;
s->set2 = 0;
s->ctrl = 0;
s->status = SPI_STATUS_RE;
s->tx_data = 0;
s->rx_data = 0;
memset(s->abb_regs, 0, sizeof(s->abb_regs));
s->abb_regs[ABB_VRPCSTS] = 0x1F;
s->abb_regs[ABB_ITSTATREG] = 0x00;
}
static void calypso_spi_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = calypso_spi_realize;
device_class_set_legacy_reset(dc, calypso_spi_reset);
dc->desc = "Calypso SPI controller + TWL3025 ABB";
}
static const TypeInfo calypso_spi_info = {
.name = TYPE_CALYPSO_SPI,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(CalypsoSPIState),
.class_init = calypso_spi_class_init,
};
static void calypso_spi_register_types(void)
{
type_register_static(&calypso_spi_info);
}
type_init(calypso_spi_register_types)./hw/ssi/calypso_i2c.c
/*
* Calypso I2C Controller - Minimal stub
* Returns "ready" immediately to avoid firmware blocking
*/
#include "qemu/osdep.h"
#include "hw/sysbus.h"
#include "qemu/log.h"
#define TYPE_CALYPSO_I2C "calypso-i2c"
OBJECT_DECLARE_SIMPLE_TYPE(CalypsoI2CState, CALYPSO_I2C)
struct CalypsoI2CState {
SysBusDevice parent_obj;
MemoryRegion iomem;
};
static uint64_t calypso_i2c_read(void *opaque, hwaddr offset, unsigned size)
{
switch (offset) {
case 0x04: /* STATUS - always ready */
return 0x04; /* ARDY (access ready) */
default:
return 0;
}
}
static void calypso_i2c_write(void *opaque, hwaddr offset, uint64_t value,
unsigned size)
{
/* Accept all writes silently */
}
static const MemoryRegionOps calypso_i2c_ops = {
.read = calypso_i2c_read,
.write = calypso_i2c_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.impl = { .min_access_size = 2, .max_access_size = 2 },
};
static void calypso_i2c_realize(DeviceState *dev, Error **errp)
{
CalypsoI2CState *s = CALYPSO_I2C(dev);
memory_region_init_io(&s->iomem, OBJECT(dev), &calypso_i2c_ops, s,
"calypso-i2c", 0x100);
sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
}
static void calypso_i2c_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = calypso_i2c_realize;
dc->desc = "Calypso I2C stub";
}
static const TypeInfo calypso_i2c_info = {
.name = TYPE_CALYPSO_I2C,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(CalypsoI2CState),
.class_init = calypso_i2c_class_init,
};
static void calypso_i2c_register_types(void)
{
type_register_static(&calypso_i2c_info);
}
type_init(calypso_i2c_register_types)./hw/timer/calypso_timer.c
/*
* calypso_timer.c — Calypso GP/Watchdog Timer
*
* 16-bit down-counter with auto-reload, prescaler, and IRQ.
* Calypso base clock: 13 MHz. The silicon has a fixed /32 hardware
* prescaler ahead of the user-visible PRESCALER field, so:
*
* tick_freq = 13 MHz / (32 << PRESCALER)
*
* With PRESCALER=0 the timer ticks at 13e6/32 ≈ 406.25 kHz, which is
* what osmocom-bb's check_lost_frame() expects (1875 ticks ≈ 4615 µs
* = one TDMA frame). Without the fixed /32 the firmware sees thousands
* of "LOST N!" because the timer wraps multiple times per frame.
*
* Register map (firmware uses byte access on CNTL, word access on LOAD/READ):
* 0x00 CNTL bit 0 = START
* bit 1 = AUTO_RELOAD
* bits 4:2 = PRESCALER (0..7) → user divider
* bit 5 = CLOCK_ENABLE (timer ticks only when also START)
* 0x02 LOAD Reload value (16-bit)
* 0x04 READ Current count (16-bit, read-only)
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#include "qemu/osdep.h"
#include "hw/sysbus.h"
#include "hw/irq.h"
#include "qemu/timer.h"
#include "hw/arm/calypso/calypso_timer.h"
/* Layout matches osmocom-bb firmware (calypso/timer.c). The timer only
* ticks when both START and CLOCK_ENABLE are set; hwtimer_read() polls
* those exact bits before returning the count, so they MUST round-trip
* through readb/writeb intact — otherwise the firmware sees the timer
* as stopped and returns 0xFFFF, producing a constant "LOST 0!" stream
* every TDMA frame because diff = 0xFFFF - 0xFFFF = 0. */
#define TIMER_CTRL_START (1 << 0)
#define TIMER_CTRL_RELOAD (1 << 1)
#define TIMER_CTRL_PRESCALER_SH 2
#define TIMER_CTRL_PRESCALER_MSK (0x7 << 2)
#define TIMER_CTRL_CLOCK_ENABLE (1 << 5)
#define CALYPSO_BASE_CLK 13000000LL /* 13 MHz */
static bool calypso_timer_should_run(CalypsoTimerState *s)
{
return (s->ctrl & TIMER_CTRL_START) && (s->ctrl & TIMER_CTRL_CLOCK_ENABLE);
}
static void calypso_timer_recompute_tick(CalypsoTimerState *s)
{
int prescaler = (s->ctrl & TIMER_CTRL_PRESCALER_MSK) >> TIMER_CTRL_PRESCALER_SH;
/* Silicon has a fixed /32 hardware prescaler in front of PRESCALER. */
int64_t divider = 32LL << prescaler;
int64_t freq = CALYPSO_BASE_CLK / divider;
if (freq <= 0) freq = 1;
s->tick_ns = NANOSECONDS_PER_SECOND / freq;
}
/* Compute current count by interpolating virtual time elapsed since the
* timer was (re)started — avoids scheduling one QEMU event per decrement,
* which would coalesce on the QEMU virtual clock granularity and make the
* effective tick rate roughly half of what the firmware expects. */
static uint16_t calypso_timer_current_count(CalypsoTimerState *s)
{
if (!s->running) return s->count;
int64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
int64_t elapsed = now - s->epoch_ns;
if (elapsed < 0) elapsed = 0;
int64_t ticks = elapsed / s->tick_ns;
int64_t period = (int64_t)s->load + 1;
if (s->ctrl & TIMER_CTRL_RELOAD) {
ticks %= period;
} else if (ticks > s->load) {
return 0;
}
return (uint16_t)(s->load - ticks);
}
static void calypso_timer_schedule_wrap(CalypsoTimerState *s)
{
/* Schedule the next IRQ at the moment count would reach 0 from the
* current virtual time. */
int64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
uint16_t cur = calypso_timer_current_count(s);
int64_t ns_to_wrap = (int64_t)(cur + 1) * s->tick_ns;
timer_mod(s->timer, now + ns_to_wrap);
}
static void calypso_timer_tick(void *opaque)
{
CalypsoTimerState *s = CALYPSO_TIMER(opaque);
if (!s->running) return;
qemu_irq_raise(s->irq);
if (s->ctrl & TIMER_CTRL_RELOAD) {
/* Reanchor epoch to "now" so the next read sees count=load. */
s->epoch_ns = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
s->count = s->load;
timer_mod(s->timer, s->epoch_ns + (int64_t)(s->load + 1) * s->tick_ns);
} else {
s->running = false;
s->count = 0;
}
}
static void calypso_timer_start(CalypsoTimerState *s)
{
if (s->load == 0) return;
calypso_timer_recompute_tick(s);
s->count = s->load;
s->running = true;
s->epoch_ns = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
timer_mod(s->timer, s->epoch_ns + (int64_t)(s->load + 1) * s->tick_ns);
}
/* ---- MMIO ---- */
static uint64_t calypso_timer_read(void *opaque, hwaddr offset, unsigned size)
{
CalypsoTimerState *s = CALYPSO_TIMER(opaque);
{
static int rd_count = 0;
static int64_t prev_t_virt = 0;
if (rd_count < 0) { /* DISABLED — re-enable by setting >0 */
uint16_t live = calypso_timer_current_count(s);
int64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
int64_t dt = prev_t_virt ? (now - prev_t_virt) : 0;
fprintf(stderr, "[timer] RD ts=%p off=0x%02x live=%u stored=%u "
"running=%d tick_ns=%" PRId64 " epoch=%" PRId64
" t_virt=%" PRId64 " dt=%" PRId64 " rd#=%d\n",
(void *)s, (unsigned)offset, live, s->count, s->running,
s->tick_ns, s->epoch_ns, now, dt, rd_count);
prev_t_virt = now;
rd_count++;
}
}
switch (offset) {
case 0x00: return s->ctrl;
case 0x02: return s->load;
case 0x04: return calypso_timer_current_count(s);
default: return 0;
}
}
static void calypso_timer_write(void *opaque, hwaddr offset, uint64_t value,
unsigned size)
{
CalypsoTimerState *s = CALYPSO_TIMER(opaque);
switch (offset) {
case 0x00: { /* CNTL — preserve all 8 bits the firmware writes */
bool was_running = s->running;
uint16_t old_ctrl = s->ctrl;
s->ctrl = value & 0xFF;
if (calypso_timer_should_run(s)) {
if (!was_running) {
calypso_timer_start(s);
} else if ((old_ctrl & TIMER_CTRL_PRESCALER_MSK) !=
(s->ctrl & TIMER_CTRL_PRESCALER_MSK)) {
/* prescaler changed mid-run — re-anchor at current count */
s->count = calypso_timer_current_count(s);
calypso_timer_recompute_tick(s);
s->epoch_ns = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) -
(int64_t)(s->load - s->count) * s->tick_ns;
calypso_timer_schedule_wrap(s);
}
} else {
s->count = calypso_timer_current_count(s);
s->running = false;
timer_del(s->timer);
}
break;
}
case 0x02: /* LOAD */
s->load = value;
break;
}
}
static const MemoryRegionOps calypso_timer_ops = {
.read = calypso_timer_read,
.write = calypso_timer_write,
.endianness = DEVICE_NATIVE_ENDIAN,
.valid = { .min_access_size = 1, .max_access_size = 2 },
.impl = { .min_access_size = 1, .max_access_size = 2 },
};
/* ---- QOM lifecycle ---- */
static void calypso_timer_realize(DeviceState *dev, Error **errp)
{
CalypsoTimerState *s = CALYPSO_TIMER(dev);
memory_region_init_io(&s->iomem, OBJECT(dev), &calypso_timer_ops, s,
"calypso-timer", 0x100);
sysbus_init_mmio(SYS_BUS_DEVICE(dev), &s->iomem);
sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->irq);
s->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, calypso_timer_tick, s);
}
static void calypso_timer_reset(DeviceState *dev)
{
CalypsoTimerState *s = CALYPSO_TIMER(dev);
s->load = 0;
s->count = 0;
s->ctrl = 0;
s->prescaler = 0;
s->running = false;
timer_del(s->timer);
}
static void calypso_timer_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = calypso_timer_realize;
device_class_set_legacy_reset(dc, calypso_timer_reset);
dc->desc = "Calypso GP/Watchdog timer";
}
static const TypeInfo calypso_timer_info = {
.name = TYPE_CALYPSO_TIMER,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(CalypsoTimerState),
.class_init = calypso_timer_class_init,
};
static void calypso_timer_register_types(void)
{
type_register_static(&calypso_timer_info);
}
type_init(calypso_timer_register_types)./diag/source_resolve_smem.c
if ((s->pmst & PMST_OVLY) && addr16 >= 0x80 && addr16 < 0x2800)
return s->data[addr16];
/* For addresses >= 0x8000: use XPC to select extended page.
* prog_read is used for data/operand reads (MVPD, FIRS coeff, etc.)
* which need XPC banking — unlike prog_fetch which is PC-only. */
if (addr16 >= 0x8000) {
uint32_t ext = ((uint32_t)s->xpc << 16) | addr16;
ext &= (C54X_PROG_SIZE - 1);
return s->prog[ext];
}
return s->prog[addr16];
}
static void __attribute__((unused)) prog_write(C54xState *s, uint32_t addr, uint16_t val)
{
uint16_t addr16 = addr & 0xFFFF;
/* PROM1 (0xE000-0xFFFF) is ROM — reject writes */
if (addr16 >= 0xE000) return;
if ((s->pmst & PMST_OVLY) && addr16 >= 0x80 && addr16 < 0x2800)
s->data[addr16] = val;
if (addr16 >= 0x8000) {
uint32_t ext = ((uint32_t)s->xpc << 16) | addr16;
ext &= (C54X_PROG_SIZE - 1);
s->prog[ext] = val;
}
s->prog[addr16] = val;
}
/* ================================================================
* Addressing mode helpers
* ================================================================ */
/* Resolve Smem operand: direct or indirect addressing.
* Returns the data memory address. */
static uint16_t resolve_smem(C54xState *s, uint16_t opcode, bool *indirect)
{
if (opcode & 0x80) {
/* Indirect addressing.
* Per SPRU131G §5.4.1 Table 5-5: bits 2:0 = ARF select the AR for
* THIS instruction. ARP (in ST0) is then updated to ARF for the
* NEXT direct-Smem reference. Earlier this code used arp(s) for
* cur_arp, which made every indirect insn operate on the
* PREVIOUS insn's ARF — off-by-one. Symptoms: BANZD *AR1- after
* STL *AR2+ would decrement AR2 instead of AR1 (BANZD test
* against AR2 stayed non-zero forever, AR1 frozen). Diagnosed
* via 5×500M-insn STATE-DUMP showing AR1=0x1c / AR2=0x2b0c
* frozen across 2B insns at PC=0xa2c2..0xa2ca. */
*indirect = true;
int mod = (opcode >> 3) & 0x0F;
int nar = opcode & 0x07;
int cur_arp = nar;
uint16_t addr = s->ar[cur_arp];
/* Post-modify */
switch (mod) {
case 0x0: /* *ARn */
break;
case 0x1: /* *ARn- */
s->ar[cur_arp]--;
break;
case 0x2: /* *ARn+ */
s->ar[cur_arp]++;
break;
case 0x3: /* *+ARn */
addr = ++s->ar[cur_arp];
break;
case 0x4: /* *ARn-0 */
s->ar[cur_arp] -= s->ar[0];
break;
case 0x5: /* *ARn+0 */
s->ar[cur_arp] += s->ar[0];
break;
case 0x6: /* *ARn-0B (bit-reversed) */
/* Simplified: just subtract */
s->ar[cur_arp] -= s->ar[0];
break;
case 0x7: /* *ARn+0B (bit-reversed) */
s->ar[cur_arp] += s->ar[0];
break;
case 0x8: /* *ARn-% (circular) */
if (s->bk == 0) s->ar[cur_arp]--;
else {
uint16_t base = s->ar[cur_arp] - (s->ar[cur_arp] % s->bk);
s->ar[cur_arp]--;
if (s->ar[cur_arp] < base) s->ar[cur_arp] = base + s->bk - 1;
}
break;
case 0x9: /* *ARn+% (circular) */
if (s->bk == 0) s->ar[cur_arp]++;
else {
uint16_t base = s->ar[cur_arp] - (s->ar[cur_arp] % s->bk);
s->ar[cur_arp]++;
if (s->ar[cur_arp] >= base + s->bk) s->ar[cur_arp] = base;
}
break;
case 0xA: /* *ARn-0% */
s->ar[cur_arp] -= s->ar[0];
break;
case 0xB: /* *ARn+0% */
s->ar[cur_arp] += s->ar[0];
break;
/* Indirect modes 12..15 use a long-immediate operand from the next
* program word. Encoding per tic54x-dis.c (MOD field = bits 6:3 of
* the smem byte) and SPRU131G Table 5-9:
* 12 : *AR(x)(lk) — addr = AR(x) + lk, NO modify
* 13 : *+AR(x)(lk) — premod: AR(x) += lk; addr = AR(x)
* 14 : *+AR(x)(lk)% — premod circular: AR(x) = circ(AR(x)+lk)
* 15 : *(lk) — ABSOLUTE long address (lk itself)
*
* The bootloader at PROM0 0xb429 uses MOD=15 (`LDU *(0x0ffe), A`)
* to read BL_ADDR_LO. Misdecoding 15 as "AR + lk circular"
* produced AR0+0x0ffe instead of 0x0ffe — one of the multiple
* subtle off-by-AR bugs that left A=0 after the load. */
case 0xC: /* *AR(x)(lk) */
addr = s->ar[cur_arp] + prog_fetch(s, s->pc + 1);
s->lk_used = true;
break;./diag/source_data_write.c
static void data_write(C54xState *s, uint16_t addr, uint16_t val)
{
/* DATA-W-MMR : log every write into the low MMR window (addr <= 0x1F)
* with full attribution context. Goal : disambiguate the IMR-W trace
* cascade observed at PC=0x8eb9 (op=0xf3e1) and PC=0x9ad0 (op=0x8192).
* The writer_kind field tells us *which path* triggered the write
* (opcode family / IRQ ack / ARM MMIO / resolve_smem side effect).
* Cap at 200 distinct events to avoid log flood. */
if (addr <= 0x1F) {
static unsigned mmrw_log;
if (mmrw_log++ < 200) {
const char *wk_name[] = {
"UNK", "F3", "8x", "77", "76", "PSHM",
"RET", "IRQ_ACK", "ARM_MMIO", "RES_AR", "OTHER"
};
uint8_t wk = s->writer_kind;
const char *wkn = (wk < sizeof(wk_name)/sizeof(wk_name[0]))
? wk_name[wk] : "??";
fprintf(stderr,
"[c54x] DATA-W-MMR addr=0x%02x val=0x%04x "
"exec_pc=0x%04x cur_pc=0x%04x cur_op=0x%04x "
"xpc=%d wk=%s "
"AR0=%04x AR1=%04x AR2=%04x AR3=%04x "
"AR4=%04x AR5=%04x AR6=%04x AR7=%04x "
"SP=%04x DP=%d INTM=%d insn=%u\n",
addr, val,
s->last_exec_pc, s->pc, s->prog[s->pc],
s->xpc, wkn,
s->ar[0], s->ar[1], s->ar[2], s->ar[3],
s->ar[4], s->ar[5], s->ar[6], s->ar[7],
s->sp, dp(s),
!!(s->st1 & ST1_INTM),
s->insn_count);
}
}
/* WATCH-WRITE on the same mailbox slots tracked in data_read.
* Whoever writes them — DSP or ARM via api_ram alias — gets logged
* so we can attribute the source of the value the firmware polls. */
/* WATCH-WRITE 0x3dd2 — la cellule sur laquelle 0x75db poll en boucle
* (37M reads/15s). Identifier qui écrit (et qui ne le fait pas).
* Cas 1 : zéro write → un bloc compute ne fire jamais.
* Cas 2 : write boot only → init OK mais set steady-state manquant.
* Cas 3 : writes périodiques avec valeur jamais matchée par le test
* à 0x75db → bug dans le compute en amont. */
if (addr == 0x3dd2) {
static unsigned w3dd2;
w3dd2++;
if (w3dd2 <= 100 || (w3dd2 % 1000) == 0) {
fprintf(stderr,
"[c54x] WATCH-WRITE 0x3dd2 #%u <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u INTM=%d\n",
w3dd2, val, s->data[addr], s->pc, s->insn_count,
!!(s->st1 & ST1_INTM));
}
}
if (addr == 0x0ffe || addr == 0x0fff || addr == 0x01F0) {
static unsigned wcount;
if (wcount++ < 30) {
fprintf(stderr,
"[c54x] WATCH-WRITE data[0x%04x] <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u\n",
addr, val, s->data[addr], s->pc, s->insn_count);
}
}
/* Dispatcher pointer at data[0x3f65] — `LD *(0x3f65),A; CALA A` at
* DARAM 0x008a-0x008c. When this slot holds 0xfff8/0x0000/garbage the
* CALA jumps into PROM1 vec or boot stub NOPs and the SP runs away.
* Trace every write so we can identify who populates / corrupts it. */
if (addr == 0x3f65) {
static unsigned dpw;
if (dpw++ < 100) {
fprintf(stderr,
"[c54x] DISP-PTR data[0x3f65] <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u\n",
val, s->data[addr], s->pc, s->insn_count);
}
}
/* Dispatcher poll addresses — log ANY write so we identify the
* code path that should populate them. Currently 0 PORTR PA=0xF430
* fires because dispatcher reads 0 here forever. */
if (addr == 0x4359 || addr == 0x3fab) {
static unsigned dispw;
if (dispw++ < 50) {
fprintf(stderr,
"[c54x] DISP-WRITE data[0x%04x] <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u\n",
addr, val, s->data[addr], s->pc, s->insn_count);
}
}
/* CALAD source zone 0x4180-0x41FF — LD-A-TRACE shows the firmware
* reads 0x4189 (DP=0x83) but our emulation has it as 0. Log every
* write to this range so we can tell whether (a) anyone is meant to
* populate it and we missed the path, or (b) DP=0x83 is itself a
* symptom upstream of an unrelated bug. */
if (addr >= 0x4180 && addr <= 0x41FF) {
static unsigned cwz;
if (cwz++ < 5000) {
fprintf(stderr,
"[c54x] CALAD-ZONE-W data[0x%04x] <- 0x%04x (was 0x%04x) "
"PC=0x%04x insn=%u\n",
addr, val, s->data[addr], s->pc, s->insn_count);
}
}
/* Dedicated watch on 0x4189 — never capped. The LD-A loop reads this
* slot in the CALAD trap; we want to know if/when *anyone* finally
* writes a non-zero value, and from which PC. */
if (addr == 0x4189) {
fprintf(stderr,
"[c54x] *** WR-0x4189 *** data[0x4189] <- 0x%04x (was 0x%04x) PC=0x%04x insn=%u\n",
val, s->data[addr], s->pc, s->insn_count);
}
/* === DARAM[0x40..0x90] watch — dispatcher flag area ===
* The PROM0 idle dispatcher (0xCC62..0xCC6F) polls data[0x62] and
* other slots in [0x60..0x70]. FORCE-DARAM62=1 (env) proves that
* setting data[0x62]=1 makes the DSP escape and reach 0x770c, so
* this range gates the runtime task pipeline. ARM-side writes to
* the API page mirror at +0x0800 (calypso_trx.c calypso_dsp_write)
* but never to DARAM 0x40..0x90 — so any value here must come from
* DSP-self stores (ST/STH/STM/...) or stay zero forever. Capture
* EVERY write with PC+INTM+insn so we can attribute the source.
* INTM annotation lets us tell ISR-context writes from main code. */
if (addr >= 0x0040 && addr <= 0x0090) {
static unsigned daram_disp_w;
if (daram_disp_w++ < 1000) {
fprintf(stderr,
"[c54x] DISP-FLAG-W data[0x%04x] <- 0x%04x (was 0x%04x) "
"PC=0x%04x INTM=%d IFR=0x%04x insn=%u\n",
addr, val, s->data[addr], s->pc,
!!(s->st1 & ST1_INTM), s->ifr, s->insn_count);
if (daram_disp_w == 1000) {
fprintf(stderr,
"[c54x] DISP-FLAG-W log capped at 1000 — pattern visible above\n");
}
}
}
/* Timer registers (0x0024-0x0026) — before MMR check */
if (addr == TCR_ADDR) {
/* TRB: write 1 → reload TIM from PRD, PSC from TDDR */
if (val & TCR_TRB) {
s->data[TIM_ADDR] = s->data[PRD_ADDR];
s->timer_psc = val & TCR_TDDR_MASK;
}
/* Store TCR without TRB (TRB is write-only, always reads 0) */
s->data[TCR_ADDR] = val & ~TCR_TRB;
return;
}
if (addr == TIM_ADDR) { s->data[TIM_ADDR] = val; return; }
if (addr == PRD_ADDR) { s->data[PRD_ADDR] = val; return; }./diag/source_8xxx_handlers.c
/* SACCD src, Xmem, cond — Conditional accumulator store
* Encoding: 1001 11SD XXXX COND per SPRU172C p.4-152 */
if ((op & 0xFC00) == 0x9C00) {
int src_s = (op >> 9) & 1;
int64_t acc = src_s ? s->b : s->a;
int xar_s = (op >> 4) & 0x07;
uint16_t xaddr = s->ar[xar_s];
int cond = op & 0x0F;
/* Evaluate condition */
int take = 0;
switch (cond) {
case 0x0: take = (acc == 0); break; /* EQ */
case 0x1: take = (acc != 0); break; /* NEQ */
case 0x2: take = (acc > 0); break; /* GT */
case 0x3: take = (acc < 0); break; /* LT */
case 0x4: take = (acc >= 0); break; /* GEQ */
case 0x5: take = (acc == 0); break; /* AEQ */
case 0x6: take = (acc > 0); break; /* AGT */
case 0x7: take = (acc <= 0); break; /* LEQ/ALEQ */
default: take = 0; break;
}
int asm_val = asm_shift(s);
if (take) {
/* Store shifted accumulator high part */
int64_t shifted = acc << (asm_val > 0 ? asm_val : 0);
if (asm_val < 0) shifted = acc >> (-asm_val);
uint16_t val = (uint16_t)((shifted >> 16) & 0xFFFF);
data_write(s, xaddr, val);
} else {
/* Read and write back (no change) */
uint16_t val = data_read(s, xaddr);
data_write(s, xaddr, val);
}
/* Xmem post-modify */
if ((op >> 7) & 1) s->ar[xar_s]--; else s->ar[xar_s]++;
return consumed + s->lk_used;
}
/* POPM MMR — pop top-of-stack into MMR (1-word).
* Per tic54x-opc.c: { "popm", 0x8A00, 0xFF00, {OP_MMR} }.
* Per SPRU172C section 4 : value at SP popped to MMR, SP++.
*
* Bug fix 2026-05-08 : 0x8Axx était précédemment mal décodé en
* MVDK Smem,dmad (qui est en réalité 0x7100 mask 0xFF00). Le
* pattern PSHM/POPM symétrique du firmware (e.g. PROM0 0x7013-0x7023
* sauve/restaure 6 MMRs autour d'un CALA) ne fonctionnait jamais
* post-CALA → ST1 jamais restauré → INTM=1 dwell perpétuel
* → IRQ vectoring bloqué → DSP wait stuck → L1 mort.
* Le case MVDK ci-dessous devient dead code mais est laissé pour
* référence historique. */
if ((op & 0xFF00) == 0x8A00) {
uint16_t mmr = op & 0x7F;
uint16_t val = data_read(s, s->sp);
s->sp = (s->sp + 1) & 0xFFFF;
data_write(s, mmr, val);
return consumed + s->lk_used;
}
/* OBSOLETE — superseded by POPM above. The 0x8Axx range belongs to
* POPM per tic54x-opc.c, not MVDK (which is 0x7100 mask 0xFF00).
* Kept commented for one revision so any caller depending on the
* old (incorrect) behaviour is forced to be re-examined. */
if (0 && hi8 == 0x8A) {
/* MVDK Smem, dmad — INCORRECT for 0x8Axx, see POPM above */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, op2, data_read(s, addr));
return consumed + s->lk_used;
}
/* 0x88xx-0x89xx: STLM src, MMR (1-word!)
* Per tic54x-opc.c: { "stlm", 1,2,2, 0x8800, 0xFE00, ... }
* bits 9-15 = fixed (0x44)
* bit 8 = src (0 = A, 1 = B)
* bits 0-6 = MMR address (0x00..0x7F)
*
* Critical for the DSP bootloader at PROM0 0xb42d (`STLM B, AR1`):
* if decoded as 2-word MVDM the emulator eats the next opcode
* (0xb42e = 0xf84c, a BC), then jumps into 0xb431 (MACR family)
* with an uninitialised T register, producing A=0x10 — which
* the immediately-following BACC A at 0xb430 then uses as the
* jump target, dropping the DSP into the boot-stub NOPs at
* PC=0x0010 instead of continuing the bootloader handshake. */
if (hi8 == 0x88 || hi8 == 0x89) {
int src = (op >> 8) & 1; /* 0 = A, 1 = B */
int mmr = op & 0x7F;
uint16_t val = src ? (uint16_t)(s->b & 0xFFFF)
: (uint16_t)(s->a & 0xFFFF);
data_write(s, (uint16_t)mmr, val); /* MMRs alias addr 0x00..0x1F */
return consumed + s->lk_used;
}
if (hi8 == 0x80) {
/* STUB-NOP : tic54x dit 0x80 = STL src,Smem (1-word).
* Ancienne classification qemu = MVDD 2-word (incorrect).
* Voir doc/opcodes/tic54x_hi8_map.md. Neutralisé pour éviter
* les écritures mémoire fantômes en attendant impl correcte. */
return 1;
}
if (hi8 == 0x8C) {
/* MVPD pmad, Smem (prog→data) */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint16_t mvpd_val = prog_read(s, op2);
data_write(s, addr, mvpd_val);
{
static unsigned mvpd_log = 0;
static unsigned mvpd_total;
static uint16_t src_min = 0xFFFF, src_max;
static uint16_t dst_min = 0xFFFF, dst_max;
static unsigned hits_a040;
mvpd_total++;
if (op2 < src_min) src_min = op2;
if (op2 > src_max) src_max = op2;
if (addr < dst_min) dst_min = addr;
if (addr > dst_max) dst_max = addr;
if (addr >= 0xa040 && addr <= 0xa080) hits_a040++;
if (mvpd_log++ < 500 ||
(addr >= 0xa040 && addr <= 0xa080) ||
(mvpd_total % 1000) == 0)
C54_LOG("MVPD#%u: prog[0x%04x]=0x%04x → data[0x%04x] PC=0x%04x insn=%u%s",
mvpd_total, op2, mvpd_val, addr, s->pc, s->insn_count,
(addr >= 0xa040 && addr <= 0xa080) ? " *A040*" : "");
if ((mvpd_total % 500) == 0)
C54_LOG("MVPD-SUMMARY total=%u src=[0x%04x..0x%04x] dst=[0x%04x..0x%04x] hits_a040=%u",
mvpd_total, src_min, src_max, dst_min, dst_max, hits_a040);
}
return consumed + s->lk_used;
}
if (hi8 == 0x8E) {
/* MVDP Smem, pmad (data→prog) */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
prog_write(s, op2, data_read(s, addr));
return consumed + s->lk_used;
}
if (hi8 == 0x8F) {
/* PORTR PA, Smem — read I/O port */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
/* BSP RX data register — return next burst sample.
* The DSP firmware uses PORTR PA=0xF430 (64 sites in PROM0,
* verified from ROM dump). We also accept 0x0034 for legacy
* compatibility with earlier QEMU experiments. */
uint16_t portr_val;
bool is_bsp_pa = (op2 == 0xF430 || op2 == 0x0034);
if (is_bsp_pa && s->bsp_pos < s->bsp_len) {
portr_val = s->bsp_buf[s->bsp_pos++];
data_write(s, addr, portr_val);
} else {
portr_val = 0;
data_write(s, addr, 0);
}
/* Per-PA counters so we can see which I/O ports the DSP polls
* and how often. */
{
static uint64_t portr_total[16];
static uint64_t portr_since_summary;
int pa_bucket = (op2 >> 4) & 0xF;
portr_total[pa_bucket]++;
portr_since_summary++;
static int portr_log = 0;
if (portr_log < 50) {
C54_LOG("PORTR PA=0x%04x → [0x%04x] val=0x%04x "
"bsp_pos=%u/%u PC=0x%04x",
op2, addr, portr_val,
(unsigned)s->bsp_pos, (unsigned)s->bsp_len,
s->pc);
portr_log++;
}
if ((portr_since_summary % 10000) == 0) {
C54_LOG("PORTR summary (last 10000): "
"PA0x=%llu 1x=%llu 2x=%llu 3x=%llu 4x=%llu "
"5x=%llu 6x=%llu 7x=%llu",
(unsigned long long)portr_total[0],
(unsigned long long)portr_total[1],
(unsigned long long)portr_total[2],
(unsigned long long)portr_total[3],
(unsigned long long)portr_total[4],
(unsigned long long)portr_total[5],
(unsigned long long)portr_total[6],
(unsigned long long)portr_total[7]);
}
}
return consumed + s->lk_used;
}
if (hi8 == 0x9F) {
/* PORTW Smem, PA — write I/O port */
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
/* Log I/O port writes */
{
uint16_t wval = data_read(s, addr);
static int portw_log = 0;
if (portw_log < 30) {
C54_LOG("PORTW PA=0x%04x val=0x%04x PC=0x%04x", op2, wval, s->pc);
portw_log++;
}
}
return consumed + s->lk_used;
}
/* 85xx: MVPD pmad, Smem (prog→data, different encoding) */
if (hi8 == 0x85) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, addr, prog_read(s, op2));
return consumed + s->lk_used;
}
/* 86xx: MVDM dmad, MMR */
if (hi8 == 0x86) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint16_t mmr = op & 0x7F;
data_write(s, mmr, data_read(s, op2));
return consumed + s->lk_used;
}
/* 87xx: MVMD MMR, dmad */
if (hi8 == 0x87) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint16_t mmr = op & 0x7F;
data_write(s, op2, data_read(s, mmr));
return consumed + s->lk_used;
}
/* 81xx: STL src, ASM, Smem (store with shift) */
if (hi8 == 0x81) {
addr = resolve_smem(s, op, &ind);
int shift = asm_shift(s);
int64_t v = s->a;
if (shift >= 0) v <<= shift; else v >>= (-shift);
data_write(s, addr, (uint16_t)(v & 0xFFFF));
return consumed + s->lk_used;
}
/* 82xx: STH src, ASM, Smem */
if (hi8 == 0x82) {
addr = resolve_smem(s, op, &ind);
int shift = asm_shift(s);
int64_t v = s->a;
if (shift >= 0) v <<= shift; else v >>= (-shift);
data_write(s, addr, (uint16_t)((v >> 16) & 0xFFFF));
return consumed + s->lk_used;
}
/* 89xx: ST src, Smem with shift or MVDK variants */
if (hi8 == 0x89) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, op2, data_read(s, addr));
return consumed + s->lk_used;
}
/* 8Bxx: MVDK with long address */
if (hi8 == 0x8B) {
/* STUB-NOP : tic54x dit 0x8B = POPD Smem (1-word).
* Ancienne classification qemu = MVDK long-addr 2-word (incorrect).
* Voir doc/opcodes/tic54x_hi8_map.md. Neutralisé. */
return 1;
}
/* 8Dxx: MVDD Smem, Smem */
if (hi8 == 0x8D) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, op2, data_read(s, addr));
return consumed + s->lk_used;
}
/* 83xx: WRITA Smem (write A to prog), 84xx: READA Smem */
if (hi8 == 0x83) {
addr = resolve_smem(s, op, &ind);
prog_write(s, (uint16_t)(s->a & 0xFFFF), data_read(s, addr));
return consumed + s->lk_used;
}
if (hi8 == 0x84) {
addr = resolve_smem(s, op, &ind);
data_write(s, addr, prog_read(s, (uint16_t)(s->a & 0xFFFF)));
return consumed + s->lk_used;
}
/* 91xx: MVKD dmad, Smem (another encoding) */
if (hi8 == 0x91) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, addr, data_read(s, op2));
return consumed + s->lk_used;
}
/* 97xx: ST #lk, Smem (2-word). 0x96xx is caught above as MVDP. */
if (hi8 == 0x97) {
addr = resolve_smem(s, op, &ind);
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
data_write(s, addr, op2);
return consumed + s->lk_used;
}
goto unimpl;
case 0xA: case 0xB:
/* Axx/Bxx: STLM, LDMM, misc accumulator ops */
/* ---- Dual-operand MAC/MAS Xmem, Ymem, dst (1-word) ----
* MAC: dst += T * Xmem; T = Ymem
* MACR: dst += rnd(T * Xmem); T = Ymem
* MAS: dst -= T * Xmem; T = Ymem
* MASR: dst -= rnd(T * Xmem); T = Ymem
* Encoding: OOOO OOOD XXXX YYYY (1 word)
* Xmem: AR[ARP], post-mod by bit4 (0=inc,1=dec)
* Ymem: AR[bits2:0], post-mod by bit3 (0=inc,1=dec)
* D: 0=A, 1=B
* hi8 mapping per SPRU172C:
* 0xA4/0xA5: MAC[R] Xmem,Ymem,A 0xA6/0xA7: MAC[R] Xmem,Ymem,B
* 0xB4/0xB5: MAS[R] Xmem,Ymem,A 0xB6/0xB7: MAS[R] Xmem,Ymem,B
* 0xB0/0xB1: MAC[R] Xmem,Ymem,A (alt) 0xB2/0xB3 already handled
*/
if (hi8 == 0xA4 || hi8 == 0xA5 || hi8 == 0xA6 || hi8 == 0xA7 ||
hi8 == 0xB4 || hi8 == 0xB5 || hi8 == 0xB6 || hi8 == 0xB7 ||
hi8 == 0xB0 || hi8 == 0xB1 || hi8 == 0xB2) {
int xar_d = (op >> 4) & 0x07;
int yar_d = op & 0x07;
uint16_t xval_d = data_read(s, s->ar[xar_d]);
uint16_t yval_d = data_read(s, s->ar[yar_d]);
/* Post-modify */
if ((op >> 7) & 1) s->ar[xar_d]--; else s->ar[xar_d]++;
if ((op & 0x08) == 0) s->ar[yar_d]++; else s->ar[yar_d]--;
/* Multiply T * Xmem */
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)xval_d;
if (s->st1 & ST1_FRCT) prod <<= 1;
/* Round if R bit set (odd hi8) */
if (hi8 & 0x01) prod += 0x8000;
/* Determine dest and operation */
int is_sub = (hi8 >= 0xB4 && hi8 <= 0xB7);
int dst_b;
if (hi8 >= 0xA4 && hi8 <= 0xA7) dst_b = (hi8 >= 0xA6);
else if (hi8 >= 0xB4 && hi8 <= 0xB7) dst_b = (hi8 >= 0xB6);
else dst_b = (hi8 & 0x02) ? 1 : 0; /* 0xB0/B1→A, 0xB2/B3→B */
if (dst_b) {
if (is_sub) s->b = sext40(s->b - prod);
else s->b = sext40(s->b + prod);
} else {
if (is_sub) s->a = sext40(s->a - prod);
else s->a = sext40(s->a + prod);
}
/* T = Ymem */
s->t = yval_d;
return consumed + s->lk_used;
}./diag/source_F2_to_F7_handlers.c
if ((hi8 == 0xF2 || hi8 == 0xF3) &&
op != 0xF272 && op != 0xF273 && op != 0xF274) {
int xar_l = (op >> 4) & 0x07;
int yar_l = op & 0x07;
uint16_t xval_l = data_read(s, s->ar[xar_l]);
uint16_t yval_l = data_read(s, s->ar[yar_l]);
/* MAC: dst += T * Xmem */
int64_t prod_l = (int64_t)(int16_t)s->t * (int64_t)(int16_t)xval_l;
if (s->st1 & ST1_FRCT) prod_l <<= 1;
int dst_l = hi8 & 1;
if (dst_l) s->b = sext40(s->b + prod_l);
else s->a = sext40(s->a + prod_l);
/* LMS coefficient update: Ymem += rnd(AH * T) */
int16_t ah_l = (int16_t)((s->a >> 16) & 0xFFFF);
int32_t update = (int32_t)ah_l * (int32_t)(int16_t)s->t;
if (s->st1 & ST1_FRCT) update <<= 1;
update += 0x8000; /* round */
int16_t new_ym = (int16_t)yval_l + (int16_t)(update >> 16);
data_write(s, s->ar[yar_l], (uint16_t)new_ym);
/* T = Xmem */
s->t = xval_l;
/* Post-modify */
if ((op >> 7) & 1) s->ar[xar_l]--; else s->ar[xar_l]++;
if ((op & 0x08) == 0) s->ar[yar_l]++; else s->ar[yar_l]--;
return consumed + s->lk_used;
}
/* F8xx: branches, RPT, BANZ, CALL, RET variants */
if (hi8 == 0xF8) {
uint8_t sub = (op >> 4) & 0xF;
/* F820 (624 sites) and F830 (543 sites) are BC pmad,cond per
* tic54x-opc.c (bc = 0xF800 mask 0xFF00). The dispatcher at
* PROM0 0xb968-0xb9a4 relies on these branching when the ACC
* comparison succeeds. Cond 0x20 = C set, cond 0x30 = ?
* (we treat both via ACC compare for now since dispatcher uses
* cmp-style behaviour). The full F8xx range is BC per binutils
* but historically the firmware tolerates the legacy decode
* for the other sub-codes — surgical override here only. */
if (sub == 0x2 || sub == 0x3) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
int64_t acc_signed = (s->a & 0x8000000000LL)
? (s->a | ~0xFFFFFFFFFFLL) : s->a;
bool take = false;
/* For now: cond=0x20 → branch if A != 0; cond=0x30 → A == 0.
* These are heuristics until we confirm the exact cond
* mapping from SPRU172C. Tweak based on observed dispatcher
* behaviour. */
if (sub == 0x2) take = (acc_signed != 0);
else /* sub==0x3 */ take = (acc_signed == 0);
if (take) { s->pc = op2; return 0; }
return consumed + s->lk_used;
}
if (sub == 0x2) {
/* Unreachable now — kept for clarity in case we revert. */
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
s->rea = op2;
s->rsa = (uint16_t)(s->pc + 2);
s->rptb_active = true;
s->st1 |= ST1_BRAF;
return consumed + s->lk_used;
}
if (sub == 0x3) {
/* Unreachable now. */
op2 = prog_fetch(s, s->pc + 1);
s->rpt_count = op2;
s->rpt_active = true;
s->pc += 2;
return 0;
}
/* Per tic54x-opc.c:
* F880-F8FF mask FF80 = FB pmad (FAR branch unconditional)
* The low 7 bits of the opcode word encode the target XPC bits.
* Calypso uses 2-bit XPC, so & 0x3 is sufficient.
*
* Earlier this range was treated as plain B pmad — a bug that
* kept XPC=0 forever (DSP never reached PROM1 user code). */
if ((op & 0xFF80) == 0xF880) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
uint8_t new_xpc = (op & 0x7F) & 0x03;
static uint64_t fb_total;
fb_total++;
if (fb_total <= 30 || (fb_total % 5000) == 0) {
C54_LOG("FB FAR #%llu PC=0x%04x → XPC=%u PC=0x%04x (was XPC=%u)",
(unsigned long long)fb_total, s->pc,
new_xpc, op2, s->xpc);
}
s->xpc = new_xpc;
s->pc = op2;
return 0;
}
/* F88x..F8Bx (mask FF80=0): historic plain B pmad (NEAR), kept
* for sub-codes that fall outside the FAR mask above. */
if (sub >= 0x8 && sub <= 0xB) {
op2 = prog_fetch(s, s->pc + 1);
s->pc = op2;
return 0;
}
/* F86x/F87x: BANZ *ARn, pmad — branch if ARn != 0 (2 words) */
if (sub == 0x6 || sub == 0x7) {
op2 = prog_fetch(s, s->pc + 1);
int ar_idx = op & 0x07;
if (s->ar[ar_idx] != 0) {
s->ar[ar_idx]--;
s->pc = op2;
return 0;
}
return 2; /* skip 2 words, fall through */
}
/* F84x/F85x: BANZ with condition / CALL variants */
if (sub == 0x4 || sub == 0x5) {
op2 = prog_fetch(s, s->pc + 1);
/* BANZ ARn, pmad */
int ar_idx = op & 0x07;
if (s->ar[ar_idx] != 0) {
s->ar[ar_idx]--;
if (hi8 == 0xF3) {
/* F300-F31F: INTR k (preserve existing behavior) */
if ((op & 0xFFE0) == 0xF300) {
int vec = op & 0x1F;
s->sp--;
data_write(s, s->sp, (uint16_t)(s->pc + 1));
s->st1 |= ST1_INTM;
uint16_t iptr = (s->pmst >> PMST_IPTR_SHIFT) & 0x1FF;
s->pc = (iptr * 0x80) + vec * 4;
return 0;
}
/* F360-F367: 2-word with mask FCFF (#lk<<16 variants).
* Most-specific mask, check first. */
if ((op & 0xFCFF) == 0xF060 || /* ADD #lk<<16, src, [dst] */
(op & 0xFCFF) == 0xF061 || /* SUB */
(op & 0xFCFF) == 0xF063 || /* AND */
(op & 0xFCFF) == 0xF064 || /* OR */
(op & 0xFCFF) == 0xF065 || /* XOR */
(op & 0xFCFF) == 0xF067) { /* MAC #lk, src, [dst] */
op2 = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
consumed = 2;
int sub = op & 0x7;
int src_b = (op >> 9) & 1;
int dst_b = (op >> 8) & 1;
int64_t src = src_b ? s->b : s->a;
int64_t result = src;
switch (sub) {
case 0x0: result = src + ((int64_t)(int16_t)op2 << 16); break;
case 0x1: result = src - ((int64_t)(int16_t)op2 << 16); break;
case 0x3: result = src & (((int64_t)op2) << 16); break;
case 0x4: result = src | (((int64_t)op2) << 16); break;
case 0x5: result = src ^ (((int64_t)op2) << 16); break;
case 0x7: { /* MAC: dst = src + T * lk */
int64_t prod = (int64_t)(int16_t)s->t * (int64_t)(int16_t)op2;
if (s->st1 & ST1_FRCT) prod <<= 1;
result = src + prod;
break;
}
}
if (dst_b) s->b = sext40(result); else s->a = sext40(result);
return consumed + s->lk_used;
}
/* F330-F35F: 2-word with mask FCF0 (#lk + 4-bit shift).
* AND (sub=3), OR (sub=4), XOR (sub=5).
* Note: ADD (sub=0) and SUB (sub=1) at F30x/F31x are caught
* by INTR handler above (those ranges are INTR semantically). */
if ((op & 0xFCF0) == 0xF030 || /* AND #lk, SHIFT, src, [dst] */
(op & 0xFCF0) == 0xF040 || /* OR */
(op & 0xFCF0) == 0xF050) { /* XOR */
op2 = prog_fetch(s, s->pc + 1 + (s->lk_used ? 1 : 0));
consumed = 2;
int subop = (op >> 4) & 0xF;
int shift_raw = op & 0xF;
int shift = (shift_raw & 0x8) ? (shift_raw - 16) : shift_raw;
int src_b = (op >> 9) & 1;
int dst_b = (op >> 8) & 1;
int64_t src = src_b ? s->b : s->a;
int64_t lk_signed = (int16_t)op2;
int64_t shifted = (shift >= 0) ? (lk_signed << shift)
: (lk_signed >> (-shift));
int64_t result = src;
switch (subop) {
case 0x3: result = src & shifted; break; /* AND */
case 0x4: result = src | shifted; break; /* OR */
case 0x5: result = src ^ shifted; break; /* XOR */
}
if (dst_b) s->b = sext40(result); else s->a = sext40(result);
return consumed + s->lk_used;
}
/* F380-F3FF: 1-word AND/OR/XOR/SFTL src,SHIFT,DST (mask FCE0).
* Sub-opcode in bits 7-5: 100=AND, 101=OR, 110=XOR, 111=SFTL. */
if ((op & 0xFCE0) == 0xF080 || /* AND */
(op & 0xFCE0) == 0xF0A0 || /* OR */
(op & 0xFCE0) == 0xF0C0 || /* XOR */
(op & 0xFCE0) == 0xF0E0) { /* SFTL */
int sub = (op >> 5) & 0x7;
int src_b = (op >> 9) & 1;
int dst_b = (op >> 8) & 1;
int shift_raw = op & 0x1F;
int shift = (shift_raw & 0x10) ? (shift_raw - 32) : shift_raw;
int64_t src = src_b ? s->b : s->a;
int64_t result = src;
switch (sub) {
case 0x4: { /* AND src,SHIFT,DST: DST = SRC & (DST_in << shift) */
int64_t dst_in = dst_b ? s->b : s->a;
int64_t sh = (shift >= 0) ? (dst_in << shift) : (dst_in >> (-shift));
result = src & sh;
break;
}
case 0x5: { /* OR */
int64_t dst_in = dst_b ? s->b : s->a;
int64_t sh = (shift >= 0) ? (dst_in << shift) : (dst_in >> (-shift));
result = src | sh;
break;
}
case 0x6: { /* XOR */
int64_t dst_in = dst_b ? s->b : s->a;
int64_t sh = (shift >= 0) ? (dst_in << shift) : (dst_in >> (-shift));
result = src ^ sh;
break;
}
case 0x7: { /* SFTL src,SHIFT,DST: DST = SRC << shift (logical) */
uint64_t usrc = (uint64_t)src & 0xFFFFFFFFFFULL;
result = (int64_t)((shift >= 0) ? (usrc << shift) : (usrc >> (-shift)));
break;
}
}
if (dst_b) s->b = sext40(result); else s->a = sext40(result);
return consumed + s->lk_used;
}
if (hi8 == 0xF6) {
uint8_t sub = (op >> 4) & 0xF;
if (sub == 0x2) {
/* F62x: LD A, dst_shift, B or LD B, dst_shift, A */
int dst = op & 1;
if (dst) s->b = s->a; else s->a = s->b;
return consumed + s->lk_used;
}
if (sub == 0x6) {
/* F66x: LD A/B with shift to other acc */
int dst = op & 1;
if (dst) s->b = s->a; else s->a = s->b;
return consumed + s->lk_used;
}
if (sub == 0xB) {
/* F6Bx: RSBX -- reset bit in ST1 (bit 9=1, bit 8=0).
* Per tic54x-opc.c: RSBX 0xF4B0 mask 0xFDF0 covers F6Bx. */
int bit = op & 0x0F;
s->st1 &= ~(1 << bit);
return consumed + s->lk_used;
}
/* Delayed branches/calls/returns from PROM (per tic54x-opc.c).
* MUST be checked BEFORE the MVDD catch-all because they share
* the high nibbles 0xE/0x9. Without these the DSP cannot return
* from interrupt service routines — RETED in particular leaves
* INTM=1 forever, blocking every subsequent INT3 and stalling
* the firmware↔DSP frame loop (the original CLAUDE.md root bug).
*
* All delayed forms execute 2 delay-slot words before the jump
* commits; we arm the existing delayed_pc/delay_slots machinery
* (the same one RCD uses) so the slots run with the right PC. */
if (op == 0xF6EB) {
/* RETED — return from interrupt, enable interrupts, delayed.
* Pop PC, clear INTM, then run 2 delay slots before jumping. */
uint16_t ra = data_read(s, s->sp); s->sp++;
s->st1 &= ~ST1_INTM;
s->delayed_pc = ra;
s->delay_slots = 2;
{
static uint64_t reted_count;
reted_count++;
if (reted_count <= 20 || (reted_count % 100) == 0)
C54_LOG("RETED #%llu PC=0x%04x -> ra=0x%04x SP=0x%04x INTM=0",
(unsigned long long)reted_count,
s->pc, ra, s->sp);
}
return consumed + s->lk_used;
}
if (op == 0xF69B) {
/* RETFD — fast return, delayed (no INTM change). */
uint16_t ra = data_read(s, s->sp); s->sp++;
s->delayed_pc = ra;
s->delay_slots = 2;
return consumed + s->lk_used;
}
if (op == 0xF6E2 || op == 0xF6E3) {
/* BACCD A / CALAD A — delayed branch/call to acc(low).
* 1-word op + 2 delay slots. CALAD pushes PC+3 (skip op +
* 2 delay slots) per TI convention (cf. CALLD which pushes
* PC+4 for its 2-word form). Branch is armed via the
* delayed_pc/delay_slots mechanism so the 2 slots run
* before PC commits to tgt. */
uint16_t tgt = (uint16_t)(s->a & 0xFFFF);
bool is_call = (op == 0xF6E3);
static uint64_t bcd_total;
bcd_total++;
/* Pre-load context: dump the 8 words preceding PC (in OVLY
* the executor reads from DARAM, mirror that). Lets us see
* which LD/MAR sequence was supposed to put a valid target
* in A before the CALAD/BACCD. */
int pre_ovly = (s->pmst & PMST_OVLY) && s->pc >= 0x80 && s->pc < 0x2800;
uint16_t pre[8];
for (int i = 0; i < 8; i++) {
uint16_t a = (uint16_t)(s->pc - 8 + i);
pre[i] = pre_ovly ? s->data[a] : s->prog[a];
}
if (bcd_total <= 60 || (bcd_total % 5000) == 0) {
C54_LOG("BCD/CAD F6E%c #%llu PC=0x%04x tgt=0x%04x A=%010llx SP=0x%04x DP=0x%03x mem[%c PC-8..-1]=%04x %04x %04x %04x %04x %04x %04x %04x%s",
is_call ? '3' : '2',
(unsigned long long)bcd_total,
s->pc, tgt,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
s->sp,
(s->st0 & 0x1FF),
pre_ovly ? 'D' : 'P',
pre[0], pre[1], pre[2], pre[3],
pre[4], pre[5], pre[6], pre[7],
is_call ? " CALAD" : " BACCD");
}
if (is_call) {
uint16_t ret_pc = (uint16_t)(s->pc + 3);
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, ret_pc);
}
s->delayed_pc = tgt;
s->delay_slots = 2;
return consumed + s->lk_used;
}
if (op == 0xF6E4 || op == 0xF6E5) {
/* FRETD / FRETED — far return, delayed.
* Pop XPC + PC unconditionally (FL_FAR). FRETED also clears INTM.
* 2026-04-28 — fixed: was APTS-gated (= AVIS, no stack semantics). */
s->xpc = data_read(s, s->sp); s->sp++;
if (s->xpc > 3) s->xpc &= 3;
uint16_t ra = data_read(s, s->sp); s->sp++;
if (op == 0xF6E5) s->st1 &= ~ST1_INTM;
s->delayed_pc = ra;
s->delay_slots = 2;
return consumed + s->lk_used;
}
if (op == 0xF6E6 || op == 0xF6E7) {
/* FBACCD A / FCALAD A — far delayed branch/call to A.
* A(22:16) → XPC, A(15:0) → tgt. XPC update is immediate
* (mirrors FRETED at line ~1639). FCALAD pushes ret PC+3,
* and (when APTS) pushes XPC first (so RETF/FRETD pops in
* order). 2 delay slots. */
uint16_t tgt = (uint16_t)(s->a & 0xFFFF);
uint8_t new_xpc = (uint8_t)((s->a >> 16) & 0xFF);
if (new_xpc > 3) new_xpc &= 3;
bool is_call = (op == 0xF6E7);
static uint64_t fbcd_total;
fbcd_total++;
if (fbcd_total <= 10 || (fbcd_total % 5000) == 0) {
C54_LOG("FBCD/FCAD F6E%c #%llu PC=0x%04x tgt=0x%04x newXPC=%u A=%010llx SP=0x%04x%s",
is_call ? '7' : '6',
(unsigned long long)fbcd_total,
s->pc, tgt, new_xpc,
(unsigned long long)(s->a & 0xFFFFFFFFFFULL),
s->sp,
is_call ? " FCALAD" : " FBACCD");
}
if (is_call) {
/* FCALAD (F6E7): push XPC + return PC unconditionally (FL_FAR).
* 2026-04-28 — fixed: was APTS-gated (= AVIS, no stack semantics). */
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, s->xpc);
uint16_t ret_pc = (uint16_t)(s->pc + 3);
s->sp = (s->sp - 1) & 0xFFFF;
data_write(s, s->sp, ret_pc);
}
s->xpc = new_xpc;
s->delayed_pc = tgt;
s->delay_slots = 2;
return consumed + s->lk_used;
}
if (sub >= 0x8) {
/* F68x-F6Fx: MVDD Xmem, Ymem — dual data-memory operand move
* Encoding: 1111 0110 XXXX YYYY
* bit 7 = Xmod (0=inc, 1=dec)
* bits 6:4 = Xar (source AR register)
* bit 3 = Ymod (0=inc, 1=dec)
* bits 2:0 = Yar (dest AR register) */
int xar = (op >> 4) & 0x07;
int yar = op & 0x07;
uint16_t val = data_read(s, s->ar[xar]);
data_write(s, s->ar[yar], val);
if ((op >> 7) & 1) s->ar[xar]--; else s->ar[xar]++;
if ((op >> 3) & 1) s->ar[yar]--; else s->ar[yar]++;
return consumed + s->lk_used;
}
/* Other F6xx: treat as NOP for now */
return consumed + s->lk_used;
}
/* F5xx: SSBX or RPT #k */
if (hi8 == 0xF5) {
/* F5Bx: SSBX -- set bit in ST0 (bit 9=0, bit 8=1).
* Per tic54x-opc.c: SSBX 0xF5B0 mask 0xFDF0. */
if ((op & 0xFFF0) == 0xF5B0) {
if (hi8 == 0xF7) {
static int f7xx_seen[256] = {0};
int sub_idx = op & 0xFF;
if (++f7xx_seen[sub_idx] <= 100 || (f7xx_seen[sub_idx] % 1000) == 0) {
C54_LOG("F7xx EXEC op=0x%04x PC=0x%04x XPC=%d insn=%u",
op, s->pc, s->xpc, s->insn_count);
}
}
/* F7Bx: SSBX bit, ST1 (incl. SSBX INTM at F7BB).
* Per binutils tic54x-opc.c: opcode "ssbx" 0xF5B0 mask 0xFDF0,
* where bit 9 selects ST0 (0xF5Bx) vs ST1 (0xF7Bx).
* Symmetric counterpart of RSBX ST1 (F6Bx) handler above.
* MUST be tested before the F7xx LD #k8 dispatch (which is
* itself incorrect — per SPRU172C, LD #k8 lives at E800-E9FF). */
if ((op & 0xFFF0) == 0xF7B0) {
int bit = op & 0x0F;
bool is_intm = (bit == 11);
s->st1 |= (1 << bit);
if (is_intm)
C54_LOG("*** SSBX INTM (F7BB) *** PC=0x%04x ST1=0x%04x insn=%u",
s->pc, s->st1, s->insn_count);
return consumed + s->lk_used;
}
/* F7xx: LD/ST #k to various registers */
if (hi8 == 0xF7) {
uint8_t sub = (op >> 4) & 0xF;
uint16_t k = op & 0xFF;
switch (sub) {
case 0x0: /* F70x: LD #k8, ASM */
s->st1 = (s->st1 & ~ST1_ASM_MASK) | (k & ST1_ASM_MASK);
break;
case 0x1: /* F71x: LD #k8, AR0 */
s->ar[0] = k; break;
case 0x2: /* F72x: LD #k8, AR1 */
s->ar[1] = k; break;
case 0x3: s->ar[2] = k; break;
case 0x4: s->ar[3] = k; break;
case 0x5: s->ar[4] = k; break;
case 0x6: s->ar[5] = k; break;
case 0x7: s->ar[6] = k; break;
case 0x8: /* F78x: LD #k8, T */
s->t = (s->st1 & ST1_SXM) ? (uint16_t)(int8_t)k : k; break;
case 0x9: /* F79x: LD #k8, DP */
s->st0 = (s->st0 & ~ST0_DP_MASK) | (k & ST0_DP_MASK); break;
case 0xA: /* F7Ax: LD #k8, ARP */
s->st0 = (s->st0 & ~ST0_ARP_MASK) | ((k & 7) << ST0_ARP_SHIFT); break;
case 0xB: s->ar[7] = k; break; /* F7Bx: LD #k8, AR7 */
case 0xC: s->bk = k; break;
case 0xD: s->sp = k; break;
case 0xE: /* F7Ex: LD #k8, BRC */
s->brc = k; break;
case 0xF: /* F7Fx: LD #k8, ... */
break;
}
return consumed + s->lk_used;
}
/* F9xx encoding split per tic54x-opc.c:
* F900-F97F mask FF00 = CC pmad cond (NEAR conditional call)
* F980-F9FF mask FF80 = FCALL pmad (FAR call unconditional)
* The bit 7 of the opcode low byte distinguishes them. */
if (hi8 == 0xF9) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
/* FCALL FAR : push XPC + return PC unconditionally (FL_FAR)../CLAUDE.md
QEMU Calypso — Claude Code Context
Session pickup (2026-05-08 night → next session)
DONE
- DL FN rewrite slot-aware implemented in bridge.py
→ BSP delta passed from 15000 → 0..32 (within BSP_FN_MATCH_WINDOW=64)
→ env BRIDGE_DL_FN_REWRITE=slot|naive|off, default slot
→ env BRIDGE_DL_FN_LOOKAHEAD=32 (half BSP window margin)
- BCCH_INJECT / FBSB_SYNTH purge clean
→ scripts/rsl_si_tap.py deleted entirely
→ CALYPSO_BCCH_INJECT + CALYPSO_SI_MMAP_PATH env vars deleted
→ calypso_fbsb.c: csi_*, bcch_inject_*, ALLC inject block deleted
→ run_si.sh clears /dev/shm/calypso_si.bin at startup (inter-run hygiene)
- Force test daram[0x62]=1 (CALYPSO_DSP_FORCE_DARAM62=1 in calypso_c54x.c
data_read override, env-gated) :
→ DSP escapes idle dispatcher loop cc62..cc6f
→ traps in NEW polling loop at df93..dfb1
→ DARAM RD HIST pattern shifts radically (0060/2460/2413/2ee0/3dd2 family)
→ Confirms gate hypothesis : INT3 ISR (or equivalent) is not writing
dispatcher flags. Forcing one flag bypasses one gate, but more gates
sit downstream — the ISR writes multiple flags per frame, not just 0x62.
NEXT
- Trace WRITES on DARAM[0x60..0x70] in calypso_c54x.c data_write hook
→ If zero writes: INT3 wiring DSP path is the culprit, open the
interrupt wiring front (calypso_inth.c IMR/IRQ routing to DSP)
→ If some writes but cleared too fast: timing / race
- Cross-check PROM0 handler at 0x770c (the dispatch target read at
api[0x1f0c] = api[0x1f00] = 0x770c) — what does it expect on entry ?
- Same instrumentation pattern as IDLE-DISP RD : add IDLE-DISP-2 trace
for PC ∈ 0xDF93..0xDFB1, observe what flag IT polls.
KEY FILES TOUCHED
- bridge.py (DL FN rewrite + slot-aware UL retained)
- run_si.sh (cleanup + new envs + ENV summary)
- hw/arm/calypso/calypso_fbsb.c (mmap consumer + BCCH_INJECT removed)
- hw/arm/calypso/calypso_c54x.c (IDLE-DISP RD trace + FORCE-DARAM62)
DROPPED ENVS (do not re-set)
CALYPSO_BCCH_INJECT CALYPSO_SI_MMAP_PATH
DEFAULTS (run_si.sh)
BRIDGE_CLK_FROM_QEMU=0 (wall-paced, BTS happy)
BRIDGE_CLK_PERIOD=51 (BTS skew tolerance)
BRIDGE_UL_FN_REWRITE=slot
BRIDGE_DL_FN_REWRITE=slot
BRIDGE_DL_FN_LOOKAHEAD=32
CALYPSO_FBSB_SYNTH=0 (set =1 to keep mobile past FBSB phase)⚠️ PAS DE HACK — règle #1. Pas d’injection, pas de stub, pas de bypass, pas de “TEMPORARY”, pas de hardcode pour faire avancer un état. Le DSP exécute le vrai ROM, la BSP est gated par TPU→TSP→IOTA, le mobile passe par la PTY QEMU. Si une instruction/opcode/registre semble cassé : vérifier contre
tic54x-opc.cet SPRU172C avant de patcher, jamais contourner. Tout contournement temporaire jugé inévitable doit être documenté danshw/arm/calypso/doc/TODO.mdavec un critère de retrait.
Architecture
Dual-core GSM baseband emulator: - ARM7TDMI runs osmocom-bb layer1.highram.elf firmware - TMS320C54x DSP runs real Calypso ROM (calypso_dsp.txt) - API RAM shared memory at DSP 0x0800 (ARM 0xFFD00000), 8K words - BSP receives I/Q via UDP 6702, serves to DSP via PORTR PA=0x0034 - TPU→TSP→IOTA chain gates BDLENA for RX windows - Bridge (Python) relays BTS UDP (5700-5702) ↔︎ BSP, clock-slave of QEMU
Memory Map (DSP side)
| Range | Type | Content |
|---|---|---|
| 0x0000-0x007F | Boot ROM stubs | LDMM SP,B + RET at 0x0000, NOP elsewhere |
| 0x0080-0x27FF | DARAM overlay (OVLY) | Code + data, loaded by MVPD at boot |
| 0x2800-0x6FFF | Unmapped | Reads as 0x0000 |
| 0x7000-0xDFFF | PROM0 | DSP ROM (always readable) |
| 0xE000-0xFF7F | PROM1 mirror | Mirrored from page 1 (0x18000+) |
| 0xFF80-0xFFFF | Interrupt vectors | From PROM1, IPTR=0x1FF |
| 0x0800-0x27FF | API RAM | Shared with ARM (NDB, write/read pages) |
Key DSP API Offsets (byte offsets from 0xFFD00000)
- Write Page 0: 0x0000 (20 words: d_task_d, d_burst_d, d_task_u, d_burst_u, d_task_md, …)
- Write Page 1: 0x0028
- Read Page 0: 0x0050 (20 words: same + a_serv_demod[4] at +8, a_pm[3] at +12)
- Read Page 1: 0x0078
- NDB: 0x01A8 (d_dsp_page, d_error_status, d_spcx_rif, …)
- d_fb_det: NDB + 0x48 = 0x01F0
- a_cd[15]: NDB + 0x1F8 = 0x03A0
Interrupt Vectors (IPTR=0x1FF → base 0xFF80)
Vec = imr_bit + 16. Formula: addr = 0xFF80 + vec * 4 - INT3 (frame): vec 19, IMR bit 3 → 0xFFCC - TINT0: vec 20, IMR bit 4 → 0xFFD0 - BRINT0 (BSP): vec 21, IMR bit 5 → 0xFFD4
Known Fixed Opcode Bugs
Always verify against tic54x-opc.c (binutils) before changing any opcode:
| Opcode | Wrong decode | Correct decode | Impact |
|---|---|---|---|
| 0xF074 | RETE (1w) | CALL pmad (2w) | Was reverting, now correct |
| 0xE8xx/E9xx | CC cond call (2w) | LD #k8u,dst (1w) | Stack overflow — ROOT CAUSE |
| 0xED00-ED1F | BCD branch (2w) | LD #k5,ASM (1w) | Skipped DSP init code |
| 0x56xx | MVPD (2w) | SFTL shift (1w) | Wrote to SP via MMR |
| 0xF7Bx | SSBX (1w) | LD #k8,AR7 (1w) | Corrupted ST1 |
| MMR mask | & 0x1F | & 0x7F | STLM/POPM/PSHM wrong address |
| PORTR PA | 0xF430 | 0x0034 | DSP read wrong BSP port |
| 0xF4EB | — | RETE (correct) | The REAL rete opcode |
| 0xF9xx | BC branch (no push) | CC conditional call (push) | Lost return addresses |
| 0xFBxx | LD #k,16,A | CCD conditional call delayed (push) | Lost return addresses |
| NORM L799 | NOP (dead) | — removed, real NORM at L832 | FB correlator broken |
Current Bug
UL RACH / IMM_ASS chain — Location Update stalled.
DL was validated end-to-end up to 2026-05-07 via the rsl_si_tap.py + /dev/shm mmap + CALYPSO_BCCH_INJECT shortcut, but the shortcut was a hack: it bypassed the DSP CCCH demod path and let the mobile camp even after BTS death (mmap persistence). It was removed on 2026-05-08. The legitimate path (BTS → bridge UDP relay → QEMU BSP DMA → DSP CCCH demod → a_cd[] → ARM L1 → L1CTL_DATA_IND) currently does not converge on bridge-fed GMSK in QEMU — fixing that is the new prerequisite for any L3 progress.
The mobile then issues RR_EST_REQ (Location Update) and sends RACH bursts (ra 0x01, ra 0x05, retries 8→7) but never receives an IMM_ASS_CMD. Two failure modes are not yet discriminated: (a) UL: RACH burst is generated by ARM/DSP but doesn’t reach osmo-bts-trx decode (DSP TX buffer wrong addr, BSP UL UDP path broken, bridge UL forwarding broken). (b) DL AGCH: BTS sends IMM_ASS but mobile DSP misses the AGCH sub-slot (BCCH passes because it’s repetitive; AGCH is event-driven and a single miss is fatal).
Test discriminant (not yet run): tcpdump GSMTAP during a session. IMM_ASS visible on air → (b). Absent + osmo-bts-trx RACH counter at 0 → (a).
UL pipeline as of 2026-05-07
calypso_trx.c polls all three UL task fields: - d_task_u (write-page word 2) — generic SDCCH/SACCH/FACCH/TCH NB - d_task_ra (write-page word 7) — RACH access burst - d_burst_u (write-page word 3) — TN selector
RACH path uses gsm0503_rach_ext_encode (libosmocoding) reading d_rach from NDB. The d_rach offset defaults to word 0x01CB from API base (DSP==33 layout walk); override via CALYPSO_NDB_D_RACH_OFFSET=0xNNN if the firmware uses a different DSP version.
NB UL still reads encoded bursts from DSP DARAM 0x0900 (candidate location — needs verification by tracing DSP encoder writes during a real SDCCH UL).
Removed in 2026-05-07 cleanup (no more hacks)
- BOURRIN-FBDET-SKIP block in
c54x_exec_one(range 0x8d00..0x8f80 pop-and-jump). DSP now runs the full fb-det routine — performance cost mitigated by-icounton the QEMU command line. - DIAG-HACK env-gated INTM force-clear + ALIAS-CHECK dump in
c54x_run_until_idle_or_n. publish_fb_found/publish_sb_foundsynthetic NDB writes incalypso_fbsb_on_dsp_task_change. DSP demod runs for real on the GMSK-modulated I/Q the BSP feeds fromosmo-bts-trx.si3_fallback[]hardcoded BCCH SI3 incalypso_fbsb_on_dsp_task_change.allc_burst_idxstatic cycle 0..3 counter — replaced byburst_d = fn & 3(FN-derived, lockstep-safe).
Removed in 2026-05-08 cleanup (hack purge)
scripts/rsl_si_tap.pydeleted entirely. It sniffed the BSC↔︎BTS RSL TCP stream, parsed BCCH_INFO messages, and wrote/dev/shm/calypso_si.binwith the raw SI bytes.CALYPSO_BCCH_INJECTenv var + thecsi_init_once/csi_lookup_for_tc/bcch_inject_consumeblock incalypso_fbsb.cdeleted. They read the mmap and wrotea_cd[]directly in NDB during DSP_TASK_ALLC, bypassing the real DSP CCCH demod.CALYPSO_SI_MMAP_PATHenv var deleted (no consumer left).doc/MMAP_SI_FORMAT.mdis now historical (kept for reference but not applicable to any live path).run_si.shno longer launchesrsl_si_tap.pyand clears the legacy/dev/shm/calypso_si.binfrom prior runs at startup.
Why removed : the mmap survived BTS death, so the mobile kept camping on a stale cache even after the BTS process exited. The “DL works” claim was therefore not honest — it worked off cached SI bytes, not off live BTS broadcast. Removing the shortcut forces the DSP CCCH demod path to be the only data flow, which is currently broken on bridge-fed GMSK samples (= the new top blocker).
Stability config
run.sh launches QEMU with -icount shift=auto,align=off,sleep=off for deterministic virtual time and bridge.py with BRIDGE_CLK_FROM_QEMU=1 for QEMU-driven CLK IND. The pair eliminates host-load jitter that was producing 28% LOST timer events.
Env-gated dev assists
| Env | Effect |
|---|---|
CALYPSO_FBSB_SYNTH=1 |
Synth FB/SB publish in on_dsp_task_change (default OFF) |
CALYPSO_W1C_LATCH=1 |
W1C latch on a_sync_demod cells (default OFF) |
CALYPSO_NDB_D_RACH_OFFSET=0xNNN |
Override d_rach word index (default 0x01CB) |
CALYPSO_RACH_FORCE_BSIC=N |
Force BSIC in RACH encoder to N (0..63), overriding d_rach byte. Match osmo-bsc.cfg base_station_id_code |
BRIDGE_CLK_FROM_QEMU=1 |
CLK IND from QEMU FN (default OFF = wall-clock) |
CALYPSO_ICOUNT=auto/off/shift=N |
QEMU icount mode (default auto). Kick timer is on VIRTUAL clock so icount doesn’t freeze TDMA. |
As of 2026-05-08, no env-gated dev-assist can deliver SIs to mobile L3 anymore. The legitimate path (BTS → bridge → BSP → DSP CCCH demod → a_cd[]) is the only one wired. It currently does not converge on the bridge-fed GMSK samples — mobile stays in cell-search until the demod is fixed.
Run config
## Mobile config must have `stick <arfcn>` in `ms 1` block, otherwise
## mobile abandons FBSB after 2 retries → d_task_md stays at 1.
CALYPSO_BSP_DARAM_ADDR=0x3fb0 ./run.sh
## DARAM 0x3fb0 covers the DSP-read range 0x3fb3-0x3fbf (verified via
## DARAM RD HIST). 0x3fc0 was off by 16 words.Old blockers (resolved)
INTM=1 forever / DSP INT3 never serviced — was the 2026-04 blocker. Resolved naturally once DSP frame interrupt wiring + BSP RX delivery converged. Does not require the diagnostic INTM bypass that previously caused NDB corruption (commit 306d6ec, reverted in f0dec53).
Old bugs (resolved)
SP slow leak: SP descends ~3 words per IDLE cycle (5AC7 → 5AC4). Introduced by F9xx CC fix (push now correct). Likely some CC calls in ROM where the callee doesn’t RET properly — need to trace which CC target doesn’t return.
27 duplicate opcode handlers in c54x_exec_one — consolidated in a72266d (-150 lines, no behavior change).
Conventions
- No stubs — the DSP handles PM/FB/SB/NB via real ROM code and shared API RAM
- No hacks — BDLENA gated by real TPU→TSP→IOTA chain, not bypass
- QEMU is clock master — bridge is slave, BTS receives CLK IND at wall-clock rate
- Verify opcodes against
tic54x-opc.cbefore any C54x decode change - Test after each edit — build in Docker, check DSP IDLE + SP + IMR
Build
docker exec CONTAINER bash -c "cd /opt/GSM/qemu-src/build && ninja qemu-system-arm"Key Files
hw/arm/calypso/calypso_c54x.c— DSP emulator (3500+ lines, opcode switch)hw/arm/calypso/calypso_trx.c— TRX/TPU/TSP/ULPD/SIM + TDMA tick + DMAhw/arm/calypso/calypso_bsp.c— BSP DMA + PORTR buffer + UDP 6702hw/arm/calypso/calypso_iota.c— IOTA BDLENA gatehw/arm/calypso/l1ctl_sock.c— L1CTL unix socket (/tmp/osmocom_l2)hw/arm/calypso/sercomm_gate.c— Sercomm DLCI router (PTY → FIFO)hw/intc/calypso_inth.c— INTH interrupt controllerhw/char/calypso_uart.c— UART with RX FIFO + sercommbridge.py— BTS UDP bridge (clock-slave)run.sh— Orchestrated launch (QEMU → bridge → BTS → mobile)
./bridge.py
#!/usr/bin/env python3
"""
bridge.py — BTS TRX UDP bridge for QEMU Calypso
BTS side: osmo-bts-trx (CLK/TRXC/TRXD on 5700-5702)
QEMU side: BSP receives DL bursts on UDP 6702
QEMU sends TDMA ticks on UDP 6700 (QEMU is clock master)
QEMU sends UL bursts back on UDP 5702 (TRXD is bidirectional)
CLOCK DOMAIN BRIDGE
-------------------
QEMU runs ~2x slower than wall-clock in this build (DSP emulator cost).
osmo-bts-trx and osmo-bsc both run on wall-clock. Without a translation
layer, the FN counters diverge and the BTS scheduler shuts down with
"PC clock skew too high".
This bridge maintains its own *wall-clock-paced* FN counter (`wall_fn`)
that ticks at 217 Hz regardless of QEMU's emulation speed. CLK INDs to
the BTS use `wall_fn` so BTS↔BSC see consistent wall-paced GSM time.
UL bursts arriving from QEMU carry QEMU's lagged FN in their TRXD
header ; we rewrite the FN field to the current `wall_fn` before
forwarding to osmo-bts-trx, so the BTS RACH/SDCCH scheduler matches
the burst against its wall-clock-aligned window. Burst content (sync
sequence, FIRE-encoded data, parity) is FN-invariant so this rewrite
is safe.
DL bursts from BTS already carry wall_fn in their TRXD header. They
are forwarded to QEMU's BSP unchanged — the BSP queue uses a wide
match window (cf. BSP_FN_MATCH_WINDOW in calypso_bsp.c) so wall-clock-
tagged bursts are still picked up by QEMU at delivery time.
TRXD socket (5702) is bidirectional:
DL: BTS → bridge:5702 → QEMU:6702 (forward downlink to BSP)
UL: QEMU:6702 → bridge:5702 → BTS (forward uplink to BTS, FN rewritten)
Usage: bridge.py
"""
import errno, os, select, signal, socket, struct, sys, time
GSM_HYPERFRAME = 2715648
GSM_TDMA_S = 4615 / 1_000_000 # 4.615 ms per TDMA frame, wall-clock
# CLK IND period in frames (default 102 = stock GSM TDMA spec).
# In debug runs where QEMU is slower than wall-clock, the bridge sends
# CLK IND at wall-clock pace using its own wall_fn counter — see CLOCK
# DOMAIN BRIDGE block above. CLK_IND_PERIOD just controls the cadence
# (every N wall-paced frames). Default 102 = standard GSM rate.
CLK_IND_PERIOD = int(os.environ.get("BRIDGE_CLK_PERIOD", "102"))
CLK_IND_WALL_S = (CLK_IND_PERIOD * 4615) / 1_000_000
QEMU_BSP_ADDR = ("127.0.0.1", 6702)
# RACH-allowed slots in the 51-multiframe TN=0 uplink for combined CCCH+SDCCH8
# (TS 45.002 §7 Table 3). Mobile L3 announces "S(lots) 115" = these slots when
# combined=yes. A burst whose FN%51 falls outside this set is discarded by
# osmo-bts-trx scheduler before the RACH detector runs.
RACH_SLOTS_COMBINED = (
set(range(4, 11)) | set(range(14, 21)) |
set(range(24, 31)) | set(range(34, 41)) | set(range(44, 51))
)
# CLK IND source mode. Two clock domains live on the wire:
# - wall-clock (BTS scheduler expects ~235ms intervals at default period)
# - qfn (QEMU TDMA tick, ~2× slower than wall in this build)
#
# "0" / unset → CLK IND fn = wall_fn rounded to CLK_IND_PERIOD (default).
# BTS scheduler advances wall-paced. UL bursts must be
# wall-paced too or they land outside the BTS RACH window.
# "1" → CLK IND fn = qfn rounded to CLK_IND_PERIOD. BTS scheduler
# advances qemu-paced (slow). Pair with passthrough UL
# (BRIDGE_UL_FN_REWRITE=0) so UL bursts in qfn match BTS
# scheduler window. Risk: BTS may shutdown on "PC clock
# skew too high" if elapsed_fn between consecutive CLK INDs
# deviates too much from CLK_IND_PERIOD; mitigate by lowering
# BRIDGE_CLK_PERIOD (e.g., 51 → 26).
CLK_FROM_QEMU = os.environ.get("BRIDGE_CLK_FROM_QEMU", "0") == "1"
# UL FN rewrite mode. Three modes:
#
# "1" / "slot" / unset (default)
# Slot-aware rewrite: sent_fn = next FN ≥ wall_fn whose (% 51) is a
# valid combined-CCCH RACH slot. BTS scheduler is wall-paced (CLK IND
# wall_fn) so we tag bursts a few frames in BTS's near-future at a
# slot where RACH detection is scheduled. BTS holds the burst briefly
# then processes it when its scheduler reaches that FN.
# Caveat: only RACH-correct for TN=0 during LU phase. Once SDCCH UL
# kicks in (post-IMM_ASS), needs a content-aware variant.
#
# "0"
# Passthrough qfn. UL burst sent unchanged from QEMU. Tags the past
# from BTS POV → BTS likely drops as stale. Useful as a discriminant
# (e.g., to see what BTS error log says).
#
# "naive"
# Blind wall_fn rewrite (legacy behavior pre-2026-05-08). Sent_fn =
# wall_fn rounded to nothing. ~60% of bursts land off-slot for
# combined CCCH+SDCCH8. Kept for A/B comparison.
UL_FN_REWRITE_MODE = os.environ.get("BRIDGE_UL_FN_REWRITE", "1").lower()
if UL_FN_REWRITE_MODE in ("1", "slot", "slot-aware", "true"):
UL_FN_REWRITE_MODE = "slot"
elif UL_FN_REWRITE_MODE in ("0", "off", "passthrough", "false"):
UL_FN_REWRITE_MODE = "off"
elif UL_FN_REWRITE_MODE in ("naive", "wall", "blind"):
UL_FN_REWRITE_MODE = "naive"
else:
UL_FN_REWRITE_MODE = "slot" # unrecognized → safe default
# DL FN rewrite mode (symmetric to UL). The clock-domain split makes
# `bts_fn` (wall-paced) drift ~50 frames/s ahead of QEMU's `qfn`. BSP's
# default match window is 64 frames so DL bursts get dropped in seconds.
# See RUN_SNAPSHOT_2026-05-08.md for the measured delta=15000+ frames.
#
# "slot" / "1" / unset (default)
# Rewrite bts_fn → smallest qfn ≥ self.fn whose (% 51) matches
# (bts_fn % 51). Preserves the slot type within the 51-multiframe
# so DSP demod still types BCCH/CCCH/SDCCH correctly. If no qfn
# in the lookahead window matches, the burst is dropped (BCCH
# repeats so this is recoverable).
#
# "naive"
# Rewrite bts_fn → self.fn (current qfn). Ignores slot type — DSP
# demod will mis-type bursts. Useful only as A/B comparison.
#
# "off"
# Passthrough bts_fn unchanged. BSP will reject ~all bursts due
# to FN mismatch when QEMU is slow vs wall.
DL_FN_REWRITE_MODE = os.environ.get("BRIDGE_DL_FN_REWRITE", "slot").lower()
if DL_FN_REWRITE_MODE in ("1", "slot", "slot-aware", "true"):
DL_FN_REWRITE_MODE = "slot"
elif DL_FN_REWRITE_MODE in ("0", "off", "passthrough", "false"):
DL_FN_REWRITE_MODE = "off"
elif DL_FN_REWRITE_MODE in ("naive",):
DL_FN_REWRITE_MODE = "naive"
else:
DL_FN_REWRITE_MODE = "slot"
# How many qfn frames in the future we're willing to tag a DL burst.
# Bounded above by BSP_FN_MATCH_WINDOW (default 64 in calypso_bsp.c)
# minus a safety margin. Default 32 → at most ~50% of the BSP window
# leaves headroom for queue jitter. With lookahead=51 every burst can
# be slot-mapped (since each %51 value occurs once per 51-frame
# window), but bursts get tagged up to 50 frames in the qfn future.
DL_FN_LOOKAHEAD = int(os.environ.get("BRIDGE_DL_FN_LOOKAHEAD", "32"))
def next_rach_slot_fn(fn):
"""Return smallest FN ≥ fn whose (FN % 51) ∈ RACH_SLOTS_COMBINED.
Worst case scans 51 candidates, typically finds one within 4."""
for delta in range(0, 52):
if (fn + delta) % 51 in RACH_SLOTS_COMBINED:
return fn + delta
return fn # unreachable since RACH_SLOTS_COMBINED covers 35/51 slots
def dl_slot_aware_qfn(bts_fn, current_qfn, lookahead):
"""Map bts_fn to the smallest qfn ≥ current_qfn whose (qfn % 51) matches
(bts_fn % 51). Preserves slot type for DSP demod typing.
Returns the target qfn, or None if no match exists within `lookahead`
frames (caller drops the burst — BCCH repeats so this is recoverable).
O(1): delta = ((bts_fn - current_qfn) mod 51) is the always-non-negative
offset to the next matching qfn slot ; either ≤ lookahead or we drop.
"""
target_mod = bts_fn % 51
delta = (target_mod - (current_qfn % 51)) % 51
if delta > lookahead:
return None
return current_qfn + delta
def udp_bind(port):
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("127.0.0.1", port))
s.setblocking(False)
return s
class Bridge:
def __init__(self, bts_base=5700):
self.clk_sock = udp_bind(bts_base)
self.trxc_sock = udp_bind(bts_base + 1)
self.trxd_sock = udp_bind(bts_base + 2)
self.bts_clk_addr = ("127.0.0.1", bts_base + 100)
self.trxc_remote = None
# Pre-set TRXD remote to osmo-bts-trx convention (base+102=5802) so
# UL packets from QEMU forward correctly even before the first DL
# has arrived. Refined to the actual sender on first DL.
self.trxd_remote = ("127.0.0.1", bts_base + 102)
self.powered = False
# QEMU-side FN — kept for telemetry only. NOT used to drive CLK IND
# or UL FN rewrite anymore (both use wall_fn).
self.fn = 0
# BTS starts its own FN at 0 on POWERON — several seconds after the
# bridge has already been running. Remember bridge wall_fn at
# POWERON so BTS-tagged DL bursts can be matched against the right
# timeline if needed (currently only telemetry).
self.fn_anchor = 0
self.anchored = False
self._stop = False
self.stats = {"clk": 0, "trxc": 0, "dl": 0, "ul": 0,
"tick": 0, "ul_fn_rewrite": 0}
# QEMU CLK tick receiver
self.qemu_clk_sock = udp_bind(6700)
# Wall-clock-paced FN counter — independent of QEMU. Anchored to
# POWERON so BTS sees fn=0 right when it asks to power up.
self._wall_t0 = None # set at POWERON
self._last_clk_fn_sent = None
print(f"bridge: CLK={bts_base} TRXC={bts_base+1} TRXD={bts_base+2} ↔ BSP@6702", flush=True)
print(f"bridge: CLK IND source={'qfn (qemu-paced)' if CLK_FROM_QEMU else 'wall_fn (wall-paced 217 Hz)'}, "
f"period={CLK_IND_PERIOD} frames", flush=True)
ul_desc = {
"slot": "slot-aware (next RACH slot ≥ wall_fn — combined CCCH+SDCCH8)",
"naive": "naive (wall_fn rounded, ignores slot mask)",
"off": "off (passthrough qemu_fn)",
}[UL_FN_REWRITE_MODE]
dl_desc = {
"slot": f"slot-aware (next qfn ≥ self.fn matching bts_fn%%51, lookahead={DL_FN_LOOKAHEAD})",
"naive": "naive (rewrite to current qfn, ignores slot type)",
"off": "off (passthrough bts_fn — BSP will reject ~all bursts)",
}[DL_FN_REWRITE_MODE]
print(f"bridge: UL FN rewrite mode={UL_FN_REWRITE_MODE} — {ul_desc}",
flush=True)
print(f"bridge: DL FN rewrite mode={DL_FN_REWRITE_MODE} — {dl_desc}",
flush=True)
def wall_fn(self):
"""Compute current bridge wall-paced FN. Anchored at POWERON."""
if self._wall_t0 is None:
return 0
elapsed = time.monotonic() - self._wall_t0
return int(elapsed / GSM_TDMA_S) % GSM_HYPERFRAME
def handle_qemu_tick(self):
"""Receive TDMA tick from QEMU — 4 bytes big-endian FN.
Used as telemetry only ; CLK IND is wall_fn-paced now."""
try:
data, addr = self.qemu_clk_sock.recvfrom(64)
except OSError:
return
if len(data) < 4:
return
fn = int.from_bytes(data[0:4], 'big')
self.fn = fn % GSM_HYPERFRAME
self.stats["tick"] += 1
if self.stats["tick"] <= 3 or self.stats["tick"] % 10000 == 0:
wfn = self.wall_fn()
lag = (wfn - self.fn) % GSM_HYPERFRAME
print(f"bridge: QEMU tick #{self.stats['tick']} qfn={self.fn} "
f"wall_fn={wfn} lag={lag}", flush=True)
def _send_clk_ind(self, clk_fn):
try:
self.clk_sock.sendto(
f"IND CLOCK {clk_fn}\0".encode(), self.bts_clk_addr)
self.stats["clk"] += 1
self._last_clk_fn_sent = clk_fn
if self.stats["clk"] <= 5 or (self.stats["clk"] % 200) == 0:
src = "qfn" if CLK_FROM_QEMU else "wall_fn"
print(f"bridge: CLK IND #{self.stats['clk']} fn={clk_fn} ({src})",
flush=True)
except OSError:
pass
def maybe_send_clk(self):
"""CLK IND scheduler. Two modes:
wall-paced (default, CLK_FROM_QEMU=False)
Send every CLK_IND_WALL_S seconds with clk_fn = wall_fn rounded
to CLK_IND_PERIOD. BTS sees consistent ~235ms intervals.
qfn-paced (CLK_FROM_QEMU=True)
Send each time qfn has advanced by CLK_IND_PERIOD since last
send. clk_fn = qfn rounded down to CLK_IND_PERIOD. Wall-clock
interval between sends scales with QEMU emulation speed (slower
QEMU → longer wall gaps). BTS scheduler advances at qemu-rate.
"""
if not self.powered:
return
if CLK_FROM_QEMU:
target = (self.fn // CLK_IND_PERIOD) * CLK_IND_PERIOD
if self._last_clk_fn_sent is not None and \
target <= self._last_clk_fn_sent:
return # qfn hasn't advanced enough — skip this poll
self._send_clk_ind(target)
return
now = time.monotonic()
if not hasattr(self, '_last_clk_wall'):
self._last_clk_wall = now - CLK_IND_WALL_S # force first send
if now - self._last_clk_wall < CLK_IND_WALL_S:
return
self._last_clk_wall += CLK_IND_WALL_S
# Catch up if we slipped a long time (avoid runaway send burst)
if now - self._last_clk_wall > CLK_IND_WALL_S * 4:
self._last_clk_wall = now
wfn = self.wall_fn()
self._send_clk_ind((wfn // CLK_IND_PERIOD) * CLK_IND_PERIOD)
def handle_trxc(self):
try: data, addr = self.trxc_sock.recvfrom(256)
except OSError: return
if not data: return
self.trxc_remote = addr
raw = data.strip(b'\x00').decode(errors='replace')
if not raw.startswith("CMD "): return
parts = raw[4:].split(); verb = parts[0]; args = parts[1:]
self.stats["trxc"] += 1
if verb == "POWERON":
self.powered = True
# Anchor wall-clock FN at POWERON so BTS sees fn=0 right when
# it powers up — matches osmo-bts-trx scheduler expectation.
self._wall_t0 = time.monotonic()
self.fn_anchor = self.fn
self.anchored = True
print(f"BTS: POWERON (wall_fn anchor at t0, qfn={self.fn})", flush=True)
rsp = "RSP POWERON 0"
elif verb == "POWEROFF":
self.powered = False; rsp = "RSP POWEROFF 0"
elif verb == "SETFORMAT":
# CRITICAL: bridge always emits TRXDv0 (8-byte header + 148 soft
# bits = 156 bytes). If BTS asks for v1 and we echo "agreed v1",
# BTS parses our v0 packets with v1 layout → silent drop before
# RACH detector. Force v0 in the response regardless of request.
requested = args[0] if args else "0"
rsp = "RSP SETFORMAT 0 0 0" # status=0 (ok), accepted=0, available=0 (v0)
print(f"TRXC SETFORMAT requested=v{requested} → forced reply v0 "
f"(bridge sends TRXDv0 only)", flush=True)
elif verb == "NOMTXPOWER":
rsp = "RSP NOMTXPOWER 0 50"
elif verb == "MEASURE":
freq = args[0] if args else "0"
rsp = f"RSP MEASURE 0 {freq} -60"
else:
rsp = f"RSP {verb} 0 {' '.join(args)}".rstrip()
# Log all TRXC exchanges so init-time negotiation is visible
if self.stats["trxc"] <= 50 or verb in ("POWERON", "POWEROFF"):
print(f"TRXC < CMD {verb} {' '.join(args)}".rstrip()
+ f" → > {rsp}", flush=True)
self.trxc_sock.sendto((rsp + "\0").encode(), addr)
def handle_trxd(self):
"""Bidirectional TRXD relay.
Discriminates by source address:
- From QEMU (127.0.0.1:6702) → UL burst → forward to BTS
- From anyone else → DL burst from BTS → forward to QEMU
UL packets that arrive before the BTS peer is known (no DL yet)
are dropped with a counter so we can detect the race in logs.
"""
try:
data, addr = self.trxd_sock.recvfrom(512)
except OSError:
return
if len(data) < 6:
return
if addr == QEMU_BSP_ADDR:
self._handle_ul(data)
else:
self._handle_dl(data, addr)
def _handle_ul(self, data):
"""UL burst from QEMU → forward to BTS TRXD endpoint.
Format (TRXDv0 UL, 156 bytes total, set in calypso_bsp_send_ul):
[0] TN
[1:5] FN (BE) — REWRITTEN by bridge to current wall_fn
[5] RSSI offset (BTS sees -value dBm)
[6:8] ToA256 (BE)
[8:] 148 soft bits (±127)
FN rewrite: QEMU runs ~2x slower than wall-clock so the FN in the
incoming burst lags wall-clock by hundreds of frames. BTS scheduler
only accepts bursts within a small window of its current wall-paced
FN. We rewrite the header FN to wall_fn so the burst lands in the
BTS scheduler window. Burst content is FN-invariant.
"""
self.stats["ul"] += 1
tn = data[0] & 0x07
qemu_fn = int.from_bytes(data[1:5], 'big')
rssi = data[5] if len(data) > 5 else 0
toa = int.from_bytes(data[6:8], 'big', signed=True) if len(data) >= 8 else 0
# FN rewrite (or passthrough) per UL_FN_REWRITE_MODE.
# The actual FN that goes to BTS is the one that matters for the
# slot-validity diagnostic.
if not self.powered or UL_FN_REWRITE_MODE == "off":
sent_fn = qemu_fn
elif UL_FN_REWRITE_MODE == "naive":
sent_fn = self.wall_fn()
else: # "slot" — default
sent_fn = next_rach_slot_fn(self.wall_fn())
out = bytearray(data)
out[1] = (sent_fn >> 24) & 0xFF
out[2] = (sent_fn >> 16) & 0xFF
out[3] = (sent_fn >> 8) & 0xFF
out[4] = sent_fn & 0xFF
if sent_fn != qemu_fn:
self.stats["ul_fn_rewrite"] += 1
# Slot-validity diagnostic: is sent_fn % 51 a valid RACH slot for
# combined CCCH+SDCCH8 (the only mode mobile knows about)? Counters
# printed in the rolling stats line so the distribution is visible.
slot_mod51 = sent_fn % 51
in_rach_slot = slot_mod51 in RACH_SLOTS_COMBINED
if in_rach_slot:
self.stats.setdefault("ul_in_slot", 0)
self.stats["ul_in_slot"] += 1
else:
self.stats.setdefault("ul_off_slot", 0)
self.stats["ul_off_slot"] += 1
# Print full header + first/last bits of every UL burst (cap 200 to
# avoid log flood). Show both FNs + slot validity to track the rewrite.
if self.stats["ul"] <= 200 or (self.stats["ul"] % 1000) == 0:
hdr_in_hex = data[:8].hex()
hdr_out_hex = bytes(out[:8]).hex()
payload = data[8:]
head = ' '.join(f"{b - 256 if b >= 128 else b:+d}" for b in payload[:16])
tail = ' '.join(f"{b - 256 if b >= 128 else b:+d}" for b in payload[-8:])
slot_mark = "RACH" if in_rach_slot else "OFF"
arrow = "→" if sent_fn != qemu_fn else "="
print(f"bridge: UL #{self.stats['ul']} TN={tn} "
f"qfn={qemu_fn}{arrow}sent={sent_fn} slot={slot_mod51:02d}/51={slot_mark} "
f"rssi=-{rssi} toa={toa} len={len(data)} "
f"hdr_in={hdr_in_hex} hdr_out={hdr_out_hex} "
f"bits[0:16]=[{head}] bits[140:148]=[{tail}] "
f"→ BTS {self.trxd_remote}", flush=True)
try:
self.trxd_sock.sendto(bytes(out), self.trxd_remote)
except OSError as e:
print(f"bridge: UL send error: {e}", flush=True)
def _handle_dl(self, data, addr):
"""DL burst from BTS → forward to QEMU BSP, slot-aware FN-rewritten.
Format (TRXDv0 DL, 154 bytes total) :
[0] TN
[1:5] FN (BE) — REWRITTEN to a near-future qfn that preserves
(FN % 51) so DSP demod still types BCCH/CCCH
correctly. Burst dropped if no match within
DL_FN_LOOKAHEAD frames (BCCH repeats).
[5] RSSI / format flags (TRXDv0 omits ToA on DL, header is 6 B)
[6:] 148 soft bits
WHY: BTS scheduler runs at wall-clock rate, QEMU BSP at qfn (~half).
delta=bts_fn-qfn grows ~50 frames/s and quickly exceeds BSP's match
window (default 64 frames in calypso_bsp.c). Without rewrite, BSP
rejects 100 % of bursts, DSP CCCH demod never runs, mobile L3 never
receives SI, mobile stays in cell-search forever.
"""
self.trxd_remote = addr
self.stats["dl"] += 1
tn = data[0] & 0x07
bts_fn = int.from_bytes(data[1:5], 'big')
# FN rewrite per DL_FN_REWRITE_MODE
if DL_FN_REWRITE_MODE == "off" or self.fn == 0:
sent_fn = bts_fn
drop = False
elif DL_FN_REWRITE_MODE == "naive":
sent_fn = self.fn
drop = False
else: # "slot" — default
sent_fn = dl_slot_aware_qfn(bts_fn, self.fn, DL_FN_LOOKAHEAD)
drop = sent_fn is None
if drop:
self.stats.setdefault("dl_drop_no_slot", 0)
self.stats["dl_drop_no_slot"] += 1
# Log first few drops + every 1000th so the pattern is visible
n = self.stats["dl_drop_no_slot"]
if n <= 5 or n % 1000 == 0:
bts_mod = bts_fn % 51
qfn_mod = self.fn % 51
delta_to_match = (bts_mod - qfn_mod) % 51
print(f"bridge: DL drop #{n} TN={tn} bts_fn={bts_fn} (mod {bts_mod}) "
f"qfn={self.fn} (mod {qfn_mod}) delta_to_match={delta_to_match} "
f"> lookahead={DL_FN_LOOKAHEAD}", flush=True)
return
if sent_fn != bts_fn:
self.stats.setdefault("dl_rewrite", 0)
self.stats["dl_rewrite"] += 1
out = bytearray(data)
out[1] = (sent_fn >> 24) & 0xFF
out[2] = (sent_fn >> 16) & 0xFF
out[3] = (sent_fn >> 8) & 0xFF
out[4] = sent_fn & 0xFF
# Log burst content: first 8 data bytes + check if FB (all zeros)
hdr_bytes = bytes(out[:8]) if len(out) >= 8 else bytes(out)
payload = data[8:] if len(data) > 8 else b''
is_fb = all(b == 0 for b in payload) if payload else False
if self.stats["dl"] <= 10 or self.stats["dl"] % 5000 == 0 or is_fb:
arrow = "→" if sent_fn != bts_fn else "="
print(f"bridge: DL #{self.stats['dl']} TN={tn} "
f"bts_fn={bts_fn}{arrow}qfn={sent_fn} (cur_qfn={self.fn}, anchor={self.fn_anchor}) "
f"len={len(out)} hdr={hdr_bytes[:8].hex()} "
f"bits[0:8]={list(payload[:8])} "
f"{'*** FB ***' if is_fb else ''}", flush=True)
try:
self.trxd_sock.sendto(bytes(out), QEMU_BSP_ADDR)
except OSError as e:
print(f"bridge: DL send error: {e}", flush=True)
def run(self):
running = True
def shutdown(s, f):
nonlocal running; running = False
signal.signal(signal.SIGINT, shutdown)
signal.signal(signal.SIGTERM, shutdown)
while running:
fds = [self.trxc_sock, self.trxd_sock, self.qemu_clk_sock]
try:
readable, _, _ = select.select(fds, [], [], 0.05)
except (OSError, ValueError) as e:
print(f"bridge: select error: {e}", flush=True)
break
if self.qemu_clk_sock in readable: self.handle_qemu_tick()
if self.trxc_sock in readable: self.handle_trxc()
if self.trxd_sock in readable: self.handle_trxd()
# Send CLK IND at wall-clock rate using bridge's wall_fn
self.maybe_send_clk()
if (self.stats["dl"] + self.stats["ul"]) > 0 and \
((self.stats["dl"] + self.stats["ul"]) % 5000) == 0:
wfn = self.wall_fn()
in_s = self.stats.get("ul_in_slot", 0)
off_s = self.stats.get("ul_off_slot", 0)
dl_rw = self.stats.get("dl_rewrite", 0)
dl_dr = self.stats.get("dl_drop_no_slot", 0)
print(f"bridge: tick={self.stats['tick']} "
f"clk={self.stats['clk']} "
f"dl={self.stats['dl']} ul={self.stats['ul']} "
f"ul_rewrite={self.stats['ul_fn_rewrite']} "
f"ul_slot_in/off={in_s}/{off_s} "
f"dl_rewrite={dl_rw} dl_drop={dl_dr} "
f"wall_fn={wfn} qfn={self.fn}",
flush=True)
self._stop = True
print(f"bridge: tick={self.stats['tick']} clk={self.stats['clk']} "
f"trxc={self.stats['trxc']} dl={self.stats['dl']} "
f"ul={self.stats['ul']} ul_rewrite={self.stats['ul_fn_rewrite']}",
flush=True)
if __name__ == "__main__":
Bridge().run()./dsp_read.sh
#!/bin/bash
# Read DSP ROM word at a given address from the dump file
# Usage: dsp_read.sh <section> <addr_hex>
# Sections: regs, drom, pdrom, prom0, prom1, prom2, prom3
DUMP="${CALYPSO_DSP_ROM:-/opt/GSM/calypso_dsp.txt}"
SECTION="${1:-prom0}"
ADDR="$2"
case "$SECTION" in
regs) HEADER="DSP dump: Registers" ;;
drom) HEADER="DSP dump: DROM" ;;
pdrom) HEADER="DSP dump: PDROM" ;;
prom0) HEADER="DSP dump: PROM0" ;;
prom1) HEADER="DSP dump: PROM1" ;;
prom2) HEADER="DSP dump: PROM2" ;;
prom3) HEADER="DSP dump: PROM3" ;;
*) echo "Unknown section: $SECTION"; exit 1 ;;
esac
python3 -c "
import sys
hdr = '$HEADER'
target = int('$ADDR', 16)
in_section = False
with open('$DUMP') as f:
for line in f:
if 'DSP dump:' in line:
in_section = hdr in line
continue
if not in_section:
continue
parts = line.split()
if len(parts) < 2 or parts[1] != ':':
continue
line_addr = int(parts[0], 16)
if target >= line_addr and target < line_addr + 16:
idx = target - line_addr
if idx + 2 < len(parts):
print(f'{hdr.split(\":\")[1].strip()}[0x{target:04x}] = 0x{parts[idx+2]}')
break
"./run.sh
#!/bin/bash
# run.sh — Calypso QEMU pipeline (was run_si.sh, renamed 2026-05-08).
#
# All SI delivery to mobile L3 goes through the legitimate path now :
# osmo-bts-trx encodes BCCH bursts → bridge.py UDP relay → QEMU BSP
# DMA → DSP CCCH demod → a_cd[] in NDB → ARM L1 → L1CTL_DATA_IND.
#
# The previous rsl_si_tap.py + /dev/shm/calypso_si.bin mmap shortcut
# was removed (it was a hack that bypassed DSP demod and made the
# mobile camp on a stale cache even when BTS was dead).
set -euo pipefail
SESSION="calypso"
FW_ELF="/opt/GSM/firmware/board/compal_e88/layer1.highram.elf"
FW_BIN="/opt/GSM/firmware/board/compal_e88/layer1.highram.bin"
QEMU="/opt/GSM/qemu-src/build/qemu-system-arm"
BRIDGE="/opt/GSM/qemu-src/bridge.py"
OSMOCON="/opt/GSM/osmocom-bb/src/host/osmocon/osmocon"
BTS_CFG="/etc/osmocom/osmo-bts-trx.cfg"
MOBILE_CFG="/root/.osmocom/bb/mobile_group1.cfg"
# ---- DSP / DIAG instruments (override at command line if needed) ----
CALYPSO_DSP_ROM="${CALYPSO_DSP_ROM:-/opt/GSM/calypso_dsp.txt}"
CALYPSO_BSP_DARAM_ADDR="${CALYPSO_BSP_DARAM_ADDR:-0x3fb0}"
CALYPSO_SIM_CFG="${CALYPSO_SIM_CFG:-$MOBILE_CFG}"
export CALYPSO_DSP_ROM CALYPSO_BSP_DARAM_ADDR CALYPSO_SIM_CFG
# ---- Env-gated dev assists (default OFF = real path) ----
# Set =1 in the calling environment to enable. Cf. README.md "Env vars".
CALYPSO_FBSB_SYNTH="${CALYPSO_FBSB_SYNTH:-0}"
CALYPSO_W1C_LATCH="${CALYPSO_W1C_LATCH:-0}"
CALYPSO_NDB_D_RACH_OFFSET="${CALYPSO_NDB_D_RACH_OFFSET:-}"
CALYPSO_RACH_FORCE_BSIC="${CALYPSO_RACH_FORCE_BSIC:-}"
CALYPSO_DSP_IDLE_FF="${CALYPSO_DSP_IDLE_FF:-1}"
CALYPSO_DSP_IDLE_RANGE="${CALYPSO_DSP_IDLE_RANGE:-}"
CALYPSO_DSP_FBDET_SKIP="${CALYPSO_DSP_FBDET_SKIP:-0}"
CALYPSO_UART_TRACE="${CALYPSO_UART_TRACE:-0}"
# BRIDGE_CLK_FROM_QEMU=0 (default): CLK IND wall-paced. BTS scheduler stays
# happy (no clock-skew shutdown). Pair with BRIDGE_UL_FN_REWRITE=1/slot for
# slot-aware UL rewrite that lands bursts in BTS RACH slot windows.
# =1 mode: CLK IND qfn-paced. Fundamentally incompatible with osmo-bts-trx
# clock-skew check at PERIOD>=3 (BTS shutdown). Only useful for experiments
# with PERIOD=1 (~217 CLK INDs/s wall, marginal but match guaranteed).
BRIDGE_CLK_FROM_QEMU="${BRIDGE_CLK_FROM_QEMU:-0}"
# UL FN rewrite mode: slot|naive|off. Default slot-aware.
BRIDGE_UL_FN_REWRITE="${BRIDGE_UL_FN_REWRITE:-slot}"
# DL FN rewrite mode: slot|naive|off. Default slot-aware (preserves
# bts_fn%%51 → BCCH/CCCH/SDCCH typing intact). Without it, BSP drops
# 100%% of DL bursts since bts_fn drifts ~50 frames/s ahead of qfn.
BRIDGE_DL_FN_REWRITE="${BRIDGE_DL_FN_REWRITE:-slot}"
# Max qfn-future frames a DL burst may be tagged. Bounded by
# BSP_FN_MATCH_WINDOW (=64 default in calypso_bsp.c). Default 32 leaves
# half-window safety margin. Set 51 to never drop (always find a slot).
BRIDGE_DL_FN_LOOKAHEAD="${BRIDGE_DL_FN_LOOKAHEAD:-32}"
# CLK IND period — default 51 (half of stock 102) to keep osmo-bts-trx
# scheduler happy when QEMU runs slower than wall-clock real-time. With
# a 102-frame period, the BTS accumulates skew between consecutive
# CLK INDs faster than they arrive → bts_shutdown_fsm "PC clock skew
# too high" or "No more clock from transceiver" within ~30 s. With 51,
# the correction rate doubles and BTS survives long enough for the
# mobile to complete a Location Update cycle.
# Set to 102 explicitly when QEMU runs near wall-clock (or in production).
BRIDGE_CLK_PERIOD="${BRIDGE_CLK_PERIOD:-51}"
export CALYPSO_FBSB_SYNTH CALYPSO_W1C_LATCH \
CALYPSO_NDB_D_RACH_OFFSET CALYPSO_RACH_FORCE_BSIC \
CALYPSO_DSP_IDLE_FF CALYPSO_DSP_IDLE_RANGE \
CALYPSO_DSP_FBDET_SKIP CALYPSO_UART_TRACE \
BRIDGE_CLK_FROM_QEMU BRIDGE_CLK_PERIOD \
BRIDGE_UL_FN_REWRITE BRIDGE_DL_FN_REWRITE BRIDGE_DL_FN_LOOKAHEAD
# ---- icount mode (deterministic virtual clock paced by instruction count) ----
# Default ON (auto = shift=auto,sleep=on,align=off). Set CALYPSO_ICOUNT=off
# to disable. The kick timer (calypso_kick_cb) was moved to
# QEMU_CLOCK_VIRTUAL so it no longer races with icount.
# Other accepted values:
# auto shift dynamic, wall-clock aligned (recommended)
# shift=N,sleep=on fixed shift (1<<N instr ≈ 1ns), explicit sleep
# off disable (legacy default-clock mode)
CALYPSO_ICOUNT="${CALYPSO_ICOUNT:-auto}"
export CALYPSO_ICOUNT
if [ "$CALYPSO_ICOUNT" = "off" ]; then
QEMU_ICOUNT_FLAG=""
else
QEMU_ICOUNT_FLAG="-icount $CALYPSO_ICOUNT"
fi
# ---- log paths ----
QEMU_LOG="/root/qemu.log"
BRIDGE_LOG="/tmp/bridge.log"
OSMOCON_LOG="/tmp/osmocon.log"
MOBILE_LOG="/tmp/mobile.log"
MON_SOCK="/tmp/qemu-calypso-mon.sock"
L1CTL_SOCK="/tmp/osmocom_l2"
QEMU_DUMMY_SOCK="/tmp/qemu_l1ctl_disabled"
# ---------- cleanup ----------
rm -f "$QEMU_LOG" "$BRIDGE_LOG" "$OSMOCON_LOG" "$MOBILE_LOG" \
"$MON_SOCK" "$L1CTL_SOCK" "$QEMU_DUMMY_SOCK"
tmux kill-session -t "$SESSION" 2>/dev/null || true
killall -9 qemu-system-arm osmo-bts-trx mobile osmocon 2>/dev/null || true
pkill -9 -f bridge.py 2>/dev/null || true
rm -f "$L1CTL_SOCK" "$MON_SOCK" "$QEMU_DUMMY_SOCK" /tmp/osmocom_l2_*
# Drop the legacy mmap from previous runs — no longer used, but lying
# around in /dev/shm could confuse forensic forensics on old runs.
rm -f /dev/shm/calypso_si.bin
sleep 1
/etc/osmocom/status.sh stop 2>/dev/null || true
/etc/osmocom/osmo-start.sh 2>/dev/null || true
tmux new-session -d -s "$SESSION" -n qemu
# ---------- 1. QEMU ----------
# icount controlled by CALYPSO_ICOUNT env var (default 'auto'). The kick
# timer in calypso_trx.c was moved to QEMU_CLOCK_VIRTUAL so icount no
# longer freezes the TDMA tick → bridge UDP path. If you observe the
# bridge wait timeout again, fall back with CALYPSO_ICOUNT=off.
L1CTL_SOCK="$QEMU_DUMMY_SOCK" \
"$QEMU" -M calypso -cpu arm946 \
$QEMU_ICOUNT_FLAG \
-serial pty -serial pty \
-monitor "unix:${MON_SOCK},server,nowait" \
-kernel "$FW_ELF" \
> "$QEMU_LOG" 2>&1 &
QEMU_PID=$!
tmux send-keys -t "$SESSION:qemu" "tail -f $QEMU_LOG" C-m
echo -n "Waiting for QEMU PTY allocation..."
PTY_MODEM=""
for i in $(seq 1 30); do
if grep -q 'redirected to /dev/pts/.* (label serial0)' "$QEMU_LOG" 2>/dev/null; then
PTY_MODEM=$(grep 'redirected to /dev/pts/.* (label serial0)' "$QEMU_LOG" \
| sed -E 's/.*redirected to (\/dev\/pts\/[0-9]+).*/\1/' | head -1)
break
fi
sleep 1; echo -n "."
done
if [ -z "$PTY_MODEM" ]; then
echo " TIMEOUT — no PTY in $QEMU_LOG"
exit 1
fi
echo " OK ($PTY_MODEM, QEMU_PID=$QEMU_PID)"
# ---------- 2. osmocon ----------
tmux new-window -t "$SESSION" -n osmocon
tmux send-keys -t "$SESSION:osmocon" \
"$OSMOCON -m romload -i 100 -p $PTY_MODEM -s $L1CTL_SOCK $FW_BIN -d tr 2>&1 | tee $OSMOCON_LOG" C-m
echo -n "Waiting for osmocon to expose $L1CTL_SOCK..."
for i in $(seq 1 30); do
[ -S "$L1CTL_SOCK" ] && break
sleep 1; echo -n "."
done
if [ -S "$L1CTL_SOCK" ]; then echo " OK"; else echo " WARN — socket missing"; fi
# ---------- 3. bridge.py ----------
tmux new-window -t "$SESSION" -n bridge
tmux send-keys -t "$SESSION:bridge" \
"python3 $BRIDGE 2>&1 | tee $BRIDGE_LOG" C-m
echo -n "Waiting for bridge to receive QEMU ticks..."
for i in $(seq 1 30); do
grep -q "QEMU tick" "$BRIDGE_LOG" 2>/dev/null && break
sleep 1; echo -n "."
done
if grep -q "QEMU tick" "$BRIDGE_LOG" 2>/dev/null; then echo " OK"; else echo " TIMEOUT"; fi
# ---------- 4. osmo-bts-trx ----------
tmux new-window -t "$SESSION" -n bts
tmux send-keys -t "$SESSION:bts" "osmo-bts-trx -c $BTS_CFG" C-m
sleep 2
# ---------- 5. mobile ----------
tmux new-window -t "$SESSION" -n mobile
tmux send-keys -t "$SESSION:mobile" \
"sleep 3 && mobile -c $MOBILE_CFG -d DRR,DMM,DCC,DLAPDM,DCS,DSAP,DPAG,DL1C,DSUM,DSI,DRSL,DNM 2>&1 | tee $MOBILE_LOG" C-m
# ---------- 6. gsmtap capture (any iface — covers eth0 mobile/BTS + eth1) ----------
tmux new-window -t "$SESSION" -n gsmtap
tmux send-keys -t "$SESSION:gsmtap" \
"sleep 5 && tcpdump -i any -w /root/mobile-gsmtap.pcap udp port 4729" C-m
# ---------- shell + attach ----------
tmux new-window -t "$SESSION" -n shell
echo
echo "Pipeline launched. Attach with: tmux attach -t $SESSION"
echo "ENV summary:"
echo " CALYPSO_DSP_ROM = $CALYPSO_DSP_ROM"
echo " CALYPSO_BSP_DARAM_ADDR = $CALYPSO_BSP_DARAM_ADDR"
echo " CALYPSO_SIM_CFG = $CALYPSO_SIM_CFG"
echo " CALYPSO_FBSB_SYNTH = $CALYPSO_FBSB_SYNTH"
echo " CALYPSO_W1C_LATCH = $CALYPSO_W1C_LATCH"
echo " CALYPSO_NDB_D_RACH_OFFSET = ${CALYPSO_NDB_D_RACH_OFFSET:-(default 0x023a — pinned 2026-05-07)}"
echo " CALYPSO_RACH_FORCE_BSIC = ${CALYPSO_RACH_FORCE_BSIC:-(unset = use d_rach byte)}"
echo " BRIDGE_CLK_FROM_QEMU = $BRIDGE_CLK_FROM_QEMU (0=wall-paced safe, 1=qfn-paced experimental)"
echo " BRIDGE_UL_FN_REWRITE = $BRIDGE_UL_FN_REWRITE (slot=next RACH slot ≥ wall_fn, naive=blind wall_fn, off=passthrough)"
echo " BRIDGE_DL_FN_REWRITE = $BRIDGE_DL_FN_REWRITE (slot=qfn matching bts_fn%51, naive=current qfn, off=passthrough — BSP rejects all)"
echo " BRIDGE_DL_FN_LOOKAHEAD = $BRIDGE_DL_FN_LOOKAHEAD (max qfn-future frames before drop, BSP window=64)"
echo " CALYPSO_ICOUNT = $CALYPSO_ICOUNT (flag: ${QEMU_ICOUNT_FLAG:-(none)})"
echo " CALYPSO_DSP_IDLE_FF = $CALYPSO_DSP_IDLE_FF (1=fast-forward DSP idle dispatcher)"
echo " CALYPSO_DSP_IDLE_RANGE = ${CALYPSO_DSP_IDLE_RANGE:-(default 0xe9ac:0xe9b7,0xcc62:0xcc6f)}"
echo " CALYPSO_FORCE_RX_DONE = ${CALYPSO_FORCE_RX_DONE}"
echo
echo "Manual warm-start (debug, if BSC unavailable) :"
echo " /opt/GSM/qemu-src/scripts/populate-si.sh"
echo
tmux select-window -t "$SESSION:qemu"
exec tmux attach -t "$SESSION"./REPORT_CLAUDE_WEB_20260508_NIGHT_RXDONEFLAG.md
Diag Claude web — rxDoneFlag deadlock under icount=auto (2026-05-08 night, 3e itération)
Recap
Ton audit précédent (post-2 fixes main_loop_wait + kick REALTIME) avait conclu que la SIM débloque sous icount=auto et que le blocker est en aval (TDMA scheduler). C’était basé sur un tarball mixte (frame_irq.log daté 16:36, qemu_full.log daté 17:26 = 2 runs différents). Mes mesures actuelles montrent que la SIM est toujours stuck sous icount=auto dans tous les runs frais.
Plus précisément : - ARM en busy-poll PC=0x822b90 (LDR/CMP/BEQ rxDoneFlag) — vérifié via 20 samples PC consécutifs sur 10 secondes wall, ARM coince dans la boucle 0x822b90..b98 (3 instructions, 8 octets) - rxDoneFlag (firmware data @ 0x830510) reste 0 - Aucun INTM-TRANS, aucun TDMA, aucun fbsb hook — DSP jamais démarré - Bridge cur_qfn=0 → bridge timeout
Les fixes confirmés actifs
| Fix | Status | Effet |
|---|---|---|
| main_loop_wait(false) récursif removed | ✓ in binary | event-loop OK |
| kick_timer REALTIME (re-revert from VIRTUAL) | ✓ in binary, fires 5400×/28s = 193/s = 5ms period correct | fd dispatch OK |
| INTH FIQ/IRQ arbitration séparée | ✓ in binary, FIQ_NUM=6 read 5× per ATR cycle | FIQ propage |
| ATR delivery synchronous (deliver_atr direct call) | ✓ in binary | ATR queued at CMDSTART time |
| SIM IT clear-only-observed-bits (Q2 hardening) | ✓ in binary | propre, pas le bug |
Smoking gun #5 — Le firmware FIQ handler reçoit IT_WT mais rxDoneFlag reste 0
J’ai instrumenté le SIM_IT register read pour logger chaque accès :
[sim] SIM_IT read=0x0010 rx_count=4 edge_cleared=0x0000 post_it=0x0010 ← FIQ #1 (IT_RX)
[sim] SIM_IT read=0x0010 rx_count=3 edge_cleared=0x0000 post_it=0x0010 ← FIQ #2
[sim] SIM_IT read=0x0010 rx_count=2 edge_cleared=0x0000 post_it=0x0010 ← FIQ #3
[sim] SIM_IT read=0x0010 rx_count=1 edge_cleared=0x0000 post_it=0x0010 ← FIQ #4
[sim] SIM_IT read=0x0002 rx_count=0 edge_cleared=0x0002 post_it=0x0000 ← FIQ #5 (IT_WT)Le 5e read renvoie 0x0002 = IT_WT à ARM. Donc R2 dans le FIQ handler reçoit la bonne valeur.
Le firmware handler @ 0x822498 (sim_irq_handler)
Disasm via python (file offset 0x2498 in layer1.highram.bin) :
0x822498: e59f30dc LDR R3, [PC, #0xdc] R3 = mem[0x82257c] = 0xfffe00ff (SIM base ref)
0x82249c: e1532fb7 LDRH R2, [R3, #-0xf7] R2 = halfword at 0xfffe0008 (SIM_IT register)
0x8224a0: e3120002 TST R2, #2 test IT_WT bit
0x8224a4: 159f30d4 LDRNE R3, [PC, #0xd4] R3 = mem[0x822580] = 0x00830510 (rxDoneFlag)
0x8224a8: 13a01001 MOVNE R1, #1
0x8224ac: 15831000 STRNE R1, [R3] *rxDoneFlag = 1
0x8224b0: e3120008 TST R2, #8 test IT_TX
0x8224b4: 0a000015 BEQ 0x822510 skip TX if no IT_TX
...
0x822580: 0x00830510 literal pool — verified rxDoneFlag addr ✓
0x822584: 0x0000fffbLe LDRH retourne R2 = SIM_IT = 0x0002 (vérifié via instrumentation). Le TST R2,#2 doit poser le NE flag (Z=0, R2&2 != 0). Le STRNE doit firer.
Mais *rxDoneFlag reste 0.
Probes runtime (gdb-remote via QEMU monitor gdbserver tcp::1234)
irq_handlers[6]@ 0x008304a4 = 0x00822498 ✓ (handler registered)rxDoneFlag@ 0x00830510 = 0x00000000 stuck on 10s window (20 polls)- ARM PC = 0x00822b90 sustained (rapid burst of 20 samples = all in 0x822b90..b98)
- PSR = 0x60000113 = svc32, I=1, F=0 (IRQ disabled — entered FIQ-disable region apparently)
gdb set *(int*)0x830510 = 1; continue→ ARM exits busy loop, TDMA starts, INTM-TRANS=45, 541 fbsb hooks, bridge cur_qfn=14865+ ⚡
Donc le seul truc qui manque pour débloquer est l’écriture de 1 à 0x830510. Tout le reste de la chaîne fonctionne après cette écriture.
Hypothèses au choix (où je rame)
(A) Bug QEMU dans la conditional execution sous icount-auto. TST/STRNE wouldn’t fire correctly. Mais si c’était ça, on verrait des bugs partout dans le boot, pas juste ici. Et ça marche sous icount=off donc pas spécifique à conditional exec.
(B) FIQ-mode banked registers race. Quand le handler est en mode FIQ (R8-R12 banked), peut-être que la pile ou un truc spécifique à FIQ32 bouge R2/R3 entre la lecture et la STR ? Improbable — instructions 0x8224a0..ac sont sequentielles.
(C) Le 5e SIM_IT read NE VIENT PAS de sim_irq_handler. Maybe le firmware a un autre code path qui lit SIM_IT (genre polling loop quelque part), et ce code path lit IT_WT, le clear, mais ne set pas rxDoneFlag. Le FIQ handler arrive après mais notre SIM_IT (level bits cleared) renvoie 0 → handler ne voit pas IT_WT.
Données qui supportent (C) : - 5 SIM_IT reads + 5 FIQ_NUM=6 reads — exactement 1:1 (mais ordre temporel n’a pas été vérifié dans le log) - Si le polling loop lit en premier, le SIM_IT read serait dans le log AVANT le FIQ_NUM. Mais on a 4 FIQ_NUM intercalées entre les 5 reads. - Le 5e read dit edge_cleared=0x0002 post_it=0x0000 — IT_WT a été cleared par cette lecture précisément. Si une autre lecture avait précédé, post_it serait déjà 0 avant.
(D) Bug dans notre INTH FIQ_NUM read. Maybe le s->fiq_v retourne 6 mais le firmware fiq() s’attend à un autre offset/taille. Checked — read returns u16 6 truncated to byte (LDRB by firmware). OK.
(E) Firmware utilise un GPP register (0xfffffa) different. Pas exploré.
(F) Le handler ne run pas réellement à 0x822498. Le BXNE R3 dans fiq() avec R3=0x822498 pourrait avoir un bug. Mais on a vérifié irq_handlers[6]=0x822498 ✓.
Le diff entre icount=off (marche) et icount=auto (bloque)
Sous icount=off (ne pas tester maintenant pour préserver le run actif), tout boot proprement et arrive à FBSB. Donc le bug n’est PAS structurel — c’est timing-sensitive.
Mon hypothèse forte : (C) — il existe un POLLING path firmware qui lit SIM_IT EN PARALLÈLE du FIQ handler. Sous icount=off, le timing fait que le polling lit après le FIQ handler (qui a déjà set rxDoneFlag). Sous icount=auto, polling lit AVANT le FIQ handler, clear IT_WT, FIQ handler arrive trop tard et reçoit IT=0.
Mais notre log montre 5e read = 0x0002. Si polling read avait précédé, le 5e read montrerait 0x0000… à moins que les 5 reads soient TOUS du polling (pas du FIQ) et le FIQ handler vient APRÈS, voit 0x0000, ne set pas rxDoneFlag.
Ça serait cohérent avec : - 4 polling reads pour les ATR bytes (rx_count 4→1) - 5e polling read pour IT_WT - 5 FIQ entries qui lisent FIQ_NUM=6 mais leur SIM_IT read renvoie 0 (déjà cleared) — ces 5 SIM_IT reads ne sont PAS dans notre log car cap=30 hit ?
Cap est à 30, on a 5 entries. Donc il manque potentiellement plein de reads.
Plan de probe que je propose
Je peux instrumenter de manière distinctive : 1. Log SIM_IT reads avec PC ARM (qui lit) — discrimine FIQ handler (PC ~ 0x82249c) vs polling loop (PC autre) 2. Lever le cap à 200 3. Logger aussi les FIQ entries via gdb breakpoint @ 0x822498
Question pour toi : 1. Tu vois l’hypothèse (C) plausible ? Ou autre piste ? 2. Tu connais un site dans osmocom-bb firmware où SIM_IT est polled hors IRQ context ? (calypso_sim_powerup ? layer1 init ?) 3. Le set *(int*)0x830510 = 1 via gdb débloque tout. C’est OK comme workaround ou tu vois mieux ? On pourrait avoir notre fire_wt qui force cpu_physical_memory_write(0x830510, 0x00000001) après le delay 2ms VIRTUAL — ugly hack mais ça marche et c’est gating-free.
State récap
Tasks completed (12) : 5 décodeur Tier A + 4 event-loop fixes + 1 instrumentation INTH + 1 instrumentation kick + 1 SIM IT hardening.
Tasks pending (15) — décodeur Tier B (9) + event-loop Tier B (5) + 1 validation finale.
Files patched (md5) : - calypso_sim.c ecda530b — IT clear hardening + SIM_IT instrumentation - calypso_trx.c 78102920 — kick instrumentation - calypso_inth.c 4cc60204 — FIQ/IRQ split - calypso_inth.h b73e9931 — fiq_v field - calypso_uart.c f1c59fed — main_loop_wait removed - calypso_c54x.c 9f5ffe5c — Tier A decoder (0x76, F2/F3 LMS, 0x80 STL, 0x98/9A swap, 0x8C ST T) - calypso_c54x.h 0388a368 — writer_kind enum
3-way sync clean (host qemu-calypso = host qemu-src = docker /opt/GSM/qemu-src).
./scripts/populate-si.sh
#!/bin/bash
# populate-si.sh — XXX TRANSITIONAL STUB (étape 2b, disposable).
#
# Écrit les 5 SI hex blobs RSL-extracted (osmo-bsc → osmo-bts trace 2026-04-30)
# dans /dev/shm/calypso_si.bin per doc/MMAP_SI_FORMAT.md v1.
#
# Permet de valider l'interface mmap (étape 2a) sans dépendance sur le RSL
# parser (étape 3). À supprimer dès que scripts/rsl_si_tap.py est opérationnel
# en steady-state.
#
# Usage:
# ./populate-si.sh # défaut /dev/shm/calypso_si.bin
# CALYPSO_SI_MMAP_PATH=/tmp/foo ./populate-si.sh
#
# Vérification:
# xxd /dev/shm/calypso_si.bin | head # check magic "CSI1" + slots
set -e
OUTPUT="${CALYPSO_SI_MMAP_PATH:-/dev/shm/calypso_si.bin}"
python3 - "$OUTPUT" << 'PYEOF'
import sys, struct, os
OUTPUT = sys.argv[1]
# 23-byte BCCH SI blobs, byte-exact from RSL re-attach trace
# (osmo-bsc emits BCCH INFORMATION when osmo-bts attaches via Abis OML).
# LAI 001/01/0001, CI=6001, BSIC=7, ARFCN=514.
SI1 = bytes([0x55, 0x06, 0x19, 0x8f, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xe5, 0x04, 0x00, 0x2b])
SI2 = bytes([0x59, 0x06, 0x1a,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xff, 0xe5, 0x04, 0x00])
SI3 = bytes([0x49, 0x06, 0x1b, 0x17, 0x71, 0x00, 0xf1, 0x10, 0x00, 0x01, 0xc9, 0x03,
0x05, 0x27, 0x47, 0x40, 0xe5, 0x04, 0x00, 0x2c, 0x0b, 0x2b, 0x2b])
SI4 = bytes([0x31, 0x06, 0x1c, 0x00, 0xf1, 0x10, 0x00, 0x01, 0x47, 0x40, 0xe5, 0x04,
0x00, 0x01, 0x2b, 0x2b, 0x2b, 0x2b, 0x2b, 0x2b, 0x2b, 0x2b, 0x2b])
SI13 = bytes([0x01, 0x06, 0x00, 0x90, 0x00, 0x18, 0x5a, 0x6f, 0xc9, 0xf2, 0xb5, 0x30,
0x42, 0x08, 0xeb, 0x2b, 0x2b, 0x2b, 0x2b, 0x2b, 0x2b, 0x2b, 0x2b])
assert len(SI1) == 23, f"SI1 len={len(SI1)}"
assert len(SI2) == 23, f"SI2 len={len(SI2)}"
assert len(SI3) == 23, f"SI3 len={len(SI3)}"
assert len(SI4) == 23, f"SI4 len={len(SI4)}"
assert len(SI13) == 23, f"SI13 len={len(SI13)}"
# Layout per MMAP_SI_FORMAT.md v1 :
# header (16 bytes) : magic + version + slot_count + last_update_fn + reserved
# slots (5 × 32B) : si_type + flags + blob_len + pad + 23B blob + 5B pad
SLOT_VALID = 0x01
def make_slot(si_type, blob):
s = bytearray(32)
s[0] = si_type
s[1] = SLOT_VALID
s[2] = len(blob)
s[3] = 0 # padding
s[4:4+23] = blob
# 27..31 padding zero (already)
return bytes(s)
buf = bytearray(176)
# Header
buf[0:4] = b"CSI1"
buf[4] = 0x01 # version
buf[5] = 0x05 # slot_count
buf[6:8] = struct.pack("<H", 0) # last_update_fn = 0 (stub static, no live FN)
# bytes 8..15 reserved zero (already)
# Slots in fixed order : SI1, SI2, SI3, SI4, SI13
buf[16:48] = make_slot(0x01, SI1)
buf[48:80] = make_slot(0x02, SI2)
buf[80:112] = make_slot(0x03, SI3)
buf[112:144] = make_slot(0x04, SI4)
buf[144:176] = make_slot(0x0d, SI13)
with open(OUTPUT, "wb") as f:
f.write(buf)
# Verify
with open(OUTPUT, "rb") as f:
chk = f.read()
assert chk == bytes(buf), "readback mismatch"
print(f"OK : wrote {len(buf)} bytes to {OUTPUT}")
print(f" magic={chk[0:4]!r} version={chk[4]} slot_count={chk[5]}")
for slot_idx, name in enumerate(["SI1", "SI2", "SI3", "SI4", "SI13"]):
off = 16 + slot_idx * 32
si_type = chk[off]
flags = chk[off+1]
blob_len= chk[off+2]
blob = chk[off+4:off+4+23]
print(f" slot[{slot_idx}] {name}: type=0x{si_type:02x} flags=0x{flags:02x} "
f"len={blob_len} blob[0:4]={blob[:4].hex()} blob[-4:]={blob[-4:].hex()}")
PYEOF./scripts/inject_fb.py
#!/usr/bin/env python3
"""
inject_fb.py — diagnostic script: send a clean FB burst (148 zero bits)
straight to QEMU's BSP UDP port (127.0.0.1:6702), bypassing osmo-bts-trx.
Purpose: confirm whether the DSP correlator at PROM0 0x82f6 actually
writes d_fb_det when fed a perfect frequency burst. If yes → the loop
in production runs is failing on amplitude/phase/timing of the bridge's
GMSK simulation. If no → the DSP code path itself is broken.
We tail bridge.log to track QEMU's current FN (the bridge prints
"bridge: QEMU tick #N FN=X" on every TDMA tick) and send each burst
slightly in the future of the live FN so it lands in the BSP match
window (±64).
"""
import os
import re
import socket
import struct
import sys
import time
BRIDGE_LOG = "/tmp/bridge.log"
BSP_ADDR = ("127.0.0.1", 6702)
LOOKAHEAD = 30 # frames ahead of cur_fn (well inside ±64 window)
SEND_PERIOD_S = 0.004 # ~one TDMA frame
DURATION_S = 30
def make_fb_burst(tn, fn, rssi=20, toa=0):
"""TRXDv0 DL: tn(1) fn(4 BE) rssi(1) toa(2 BE) + 148 zero bits."""
return (
bytes([tn & 0x07])
+ struct.pack(">I", fn & 0xFFFFFFFF)
+ bytes([rssi])
+ struct.pack(">H", toa & 0xFFFF)
+ bytes(148)
)
def latest_fn_from_bridge():
"""Walk bridge.log backwards looking for the most recent 'fn=N' tag."""
try:
with open(BRIDGE_LOG, "rb") as f:
f.seek(0, 2)
size = f.tell()
chunk = 8192
f.seek(max(0, size - chunk))
tail = f.read().decode("utf-8", errors="replace")
# Prefer DL bursts (carry bts_fn and our rewritten fn) for freshness
m = list(re.finditer(r"\bfn=(\d+)", tail))
if m:
return int(m[-1].group(1))
except FileNotFoundError:
pass
return None
def main():
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
print(f"inject_fb: target={BSP_ADDR} lookahead={LOOKAHEAD} duration={DURATION_S}s",
flush=True)
# Wait until bridge.log has at least one fn= line
start = time.time()
while time.time() - start < 10:
fn = latest_fn_from_bridge()
if fn is not None:
break
time.sleep(0.2)
else:
print("inject_fb: no fn= seen in bridge.log within 10s", file=sys.stderr)
sys.exit(1)
print(f"inject_fb: starting FN={fn}", flush=True)
sent = 0
end = time.time() + DURATION_S
while time.time() < end:
cur = latest_fn_from_bridge()
if cur is None:
cur = fn
target_fn = cur + LOOKAHEAD
sock.sendto(make_fb_burst(tn=0, fn=target_fn), BSP_ADDR)
sent += 1
if sent % 250 == 0:
print(f"inject_fb: sent={sent} cur_fn~={cur} target_fn={target_fn}",
flush=True)
time.sleep(SEND_PERIOD_S)
print(f"inject_fb: done sent={sent}", flush=True)
if __name__ == "__main__":
main()./scripts/inject_fcch.py
#!/usr/bin/env python3
"""
inject_fcch.py — diagnostic script: synthesize a clean FCCH (FB) burst
and inject it into QEMU's BSP via UDP 127.0.0.1:6702 (TRXDv0 format).
Purpose: validate the DSP FB-detect path independently of bridge.py /
osmo-bts-trx by feeding a known-good FCCH burst with selectable encoding.
GSM FCCH burst:
- 148 bits all "0" → after GMSK modulation: pure tone at fc + 67.7083 kHz
(= 1625/24 kHz, modulation index h=0.5, bit rate 270.833 kbps)
- Burst duration: 148 × 3.69231 µs = 546.5 µs
- The DSP correlator at PROM0 0x77xx-0x88xx searches for this pure-tone
burst by computing autocorrelation peak.
TRXDv0 wire format (per bridge.py + calypso_bsp.c):
byte 0 : TN (timeslot 0..7)
bytes 1-4 : FN (uint32 big-endian)
byte 5 : RSSI (uint8, dBm offset)
bytes 6-7 : TOA (int16 big-endian)
bytes 8.. : payload (encoding-dependent, see modes)
Three injection modes available:
--mode bytes_zero : 148 zero bytes (default — same as inject_fb.py)
--mode soft_neg127 : 148 × 0x81 (signed -127 = confident "0" bit)
--mode iq_raw : 296 int16 = 148 I/Q complex samples synthesized
from a +67.7 kHz GMSK sinusoid
Use --mode iq_raw if the BSP DMA path expects I/Q samples directly.
Use --mode bytes_zero or soft_neg127 if it expects soft bits.
"""
import argparse
import math
import os
import re
import socket
import struct
import sys
import time
BRIDGE_LOG = "/tmp/bridge.log"
BSP_ADDR = ("127.0.0.1", 6702)
# GSM constants
GSM_BIT_RATE = 270833.333 # bits per second (= 13MHz / 48)
FCCH_FREQ_HZ = 1625e3 / 24 # = 67708.333... Hz, FCCH tone offset
SYMBOL_PERIOD = 1.0 / GSM_BIT_RATE # 3.692 µs per symbol
NUM_SYMBOLS = 148 # FCCH/normal burst length
def make_iq_fcch_samples(amplitude=0.7, samples_per_symbol=1):
"""Synthesize 148*samples_per_symbol complex I/Q samples for an FCCH
burst (pure tone at FCCH_FREQ_HZ above carrier).
Returns int16 sequence of [I0, Q0, I1, Q1, ...] suitable for direct
DMA injection. With samples_per_symbol=1 (default), 148 I/Q pairs =
296 int16 = 592 bytes — matches calypso_bsp.c iq[296] buffer."""
n = NUM_SYMBOLS * samples_per_symbol
fs = GSM_BIT_RATE * samples_per_symbol # sample rate
out = bytearray()
scale = int(amplitude * 0x7FFE)
for k in range(n):
t = k / fs
phase = 2 * math.pi * FCCH_FREQ_HZ * t
# Q15 fixed-point I/Q samples
I = int(math.cos(phase) * scale)
Q = int(math.sin(phase) * scale)
# Clamp to int16
I = max(-0x7FFE, min(0x7FFE, I))
Q = max(-0x7FFE, min(0x7FFE, Q))
out += struct.pack(">hh", I, Q)
return bytes(out)
def make_burst(tn, fn, mode, rssi=20, toa=0):
"""Build TRXDv0-formatted DL burst with selected payload encoding."""
header = (
bytes([tn & 0x07])
+ struct.pack(">I", fn & 0xFFFFFFFF)
+ bytes([rssi])
+ struct.pack(">H", toa & 0xFFFF)
)
if mode == "bytes_zero":
payload = bytes(148) # 148 × 0x00
elif mode == "soft_neg127":
payload = bytes([0x81]) * 148 # 148 × signed -127 (confident "0")
elif mode == "iq_raw":
payload = make_iq_fcch_samples() # 148 I/Q pairs = 592 bytes
else:
raise ValueError(f"unknown mode {mode!r}")
return header + payload
def latest_fn_from_bridge():
"""Walk bridge.log backwards looking for the most recent 'fn=N' tag."""
try:
with open(BRIDGE_LOG, "rb") as f:
f.seek(0, 2)
size = f.tell()
f.seek(max(0, size - 8192))
tail = f.read().decode("utf-8", errors="replace")
m = list(re.finditer(r"\bfn=(\d+)", tail))
if m:
return int(m[-1].group(1))
except FileNotFoundError:
pass
return None
def main():
ap = argparse.ArgumentParser(
description="Inject synthesized FCCH burst into QEMU BSP",
formatter_class=argparse.RawDescriptionHelpFormatter)
ap.add_argument("--mode", choices=["bytes_zero", "soft_neg127", "iq_raw"],
default="bytes_zero",
help="payload encoding (default: bytes_zero)")
ap.add_argument("--lookahead", type=int, default=30,
help="frames ahead of cur_fn to schedule the burst (default: 30)")
ap.add_argument("--period-ms", type=float, default=4.0,
help="send period in milliseconds (default: 4 = ~1 TDMA frame)")
ap.add_argument("--duration", type=float, default=30.0,
help="run duration in seconds (default: 30)")
ap.add_argument("--tn", type=int, default=0, help="timeslot (default: 0)")
ap.add_argument("--rssi", type=int, default=20, help="RSSI tag (default: 20)")
ap.add_argument("--toa", type=int, default=0, help="TOA tag (default: 0)")
ap.add_argument("--target", default="127.0.0.1:6702",
help="BSP UDP endpoint (default: 127.0.0.1:6702)")
args = ap.parse_args()
host, port = args.target.split(":")
target = (host, int(port))
period = args.period_ms / 1000.0
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
print(f"inject_fcch: mode={args.mode} target={target} "
f"lookahead={args.lookahead} period={period*1000:.1f}ms "
f"duration={args.duration}s", flush=True)
# Wait until bridge.log has at least one fn= line
start = time.time()
fn = None
while time.time() - start < 10:
fn = latest_fn_from_bridge()
if fn is not None:
break
time.sleep(0.2)
if fn is None:
print("inject_fcch: no fn= seen in bridge.log within 10s — "
"starting from FN=0 (no sync)", file=sys.stderr)
fn = 0
else:
print(f"inject_fcch: synced from bridge, starting FN={fn}", flush=True)
sample = make_burst(args.tn, 0, args.mode, args.rssi, args.toa)
print(f"inject_fcch: payload encoding {args.mode} "
f"→ packet size {len(sample)} bytes "
f"(header 8 + payload {len(sample)-8})", flush=True)
sent = 0
end = time.time() + args.duration
next_send = time.time()
while time.time() < end:
# Refresh FN from bridge if available; advance manually otherwise
live_fn = latest_fn_from_bridge()
if live_fn is not None:
fn = live_fn
target_fn = (fn + args.lookahead) & 0xFFFFFFFF
burst = make_burst(args.tn, target_fn, args.mode,
args.rssi, args.toa)
try:
sock.sendto(burst, target)
sent += 1
if sent <= 10 or sent % 100 == 0:
print(f"inject_fcch: sent #{sent} TN={args.tn} "
f"FN={target_fn} (cur_fn={fn})", flush=True)
except OSError as e:
print(f"inject_fcch: send error: {e}", file=sys.stderr)
next_send += period
sleep = next_send - time.time()
if sleep > 0:
time.sleep(sleep)
else:
next_send = time.time() # we slipped, resync
print(f"inject_fcch: done — {sent} bursts sent", flush=True)
if __name__ == "__main__":
main()./REPORT_CLAUDE_WEB_20260508_NIGHT.md
Report for Claude Web — 2026-05-08 night session
TL;DR
Found the smoking gun for IMR=0 / DSP-stuck-in-RPTB-loop blocker: opcode 0x76xx is misdecoded as LDM MMR, dst (1-word) when binutils tic54x-opc.c says it’s ST #lk, Smem (2-word). This causes every firmware ST #lk, Smem to advance PC by only 1 instead of 2; the literal lk value then gets executed as a stray opcode, and one of those strays writes 0 to MMR_IMR via DST B, Lmem with DP=0. Result: INT3 + BRINT0 both pending in IFR (10000+ IRQs counted) but never serviced. DSP parks in RPTB at e9ab..e9b6 forever waiting for an interrupt.
I want your validation of the fix and a sanity check on the proposed patch before applying.
Live run state
Container trying, container has 4078M+ DSP insn run :
ARM : fbsb hooks fire every frame, ARM TASK WR [0x0008/0x0030] = 5
(FB0_SEARCH), fn now ~75088, mobile alive in cell-search
DSP : RPTB tight loop e9ab..e9b6, PC HIST = 7 PCs at 14286 hits / 100k
window, fb0_att=0 fb1_att=0 sb_att=0 (no FB ever detected)
BSP : RX delta stats min=0 max=32 mean=6 — bursts arrive within window,
NOT the blockerRoot cause chain
IFR / IMR trace
INTM-TRANS 1..10 : early boot, INTM 0→1, normal
IMR-W 0x0000 → 0x0010 PC=0xc471 op=0x69f8 insn=40684074 ← OR IMR,#0x10 (TINT0)
IMR-W *ZERO* 0x0010 → 0x0000 PC=0xc44b op=0x68f8 ← AND IMR,#0
IMR-W 0x0000 → 0x0010 PC=0xc471 op=0x69f8 ← OR IMR,#0x10 again
IMR-W *ZERO* 0x0010 → 0x0000 PC=0x8859 op=0x4f00 prev_op=0x7615 ← THE BUG
insn=40691264After insn 40691264, IMR stayed 0 from then to insn=4078M+.
IRQ #1 vec=19 bit=3 IFR=0x0008 (INT3 pending)
IRQ #2 vec=21 bit=5 IFR=0x0028 (INT3 + BRINT0 pending)
...
IRQ #10300 (latest) IFR=0x0008..0x0028, IMR=0x0000 throughout10000+ interrupts raised, none serviced. Both INT3 (bit 3, frame) and BRINT0 (bit 5, BSP RX) are masked because IMR is forever 0.
ROM bytes at the IMR=0 site
PROM0[0x8854] = 0xf273
PROM0[0x8855] = 0x8866
PROM0[0x8856] = 0x7711 ← STM-ish 2-word: 0x77 mmr=0x11
PROM0[0x8857] = 0x4f00 value
PROM0[0x8858] = 0x7615 ← THIS — should be ST #0x4f00, Smem (2-word)
PROM0[0x8859] = 0x4f00 value (the literal being stored)
PROM0[0x885a] = 0x7616 ← also a 2-word ST
PROM0[0x885b] = 0x0000The IMR-W trace reports PC=0x8859 op=0x4f00 prev_op=0x7615. PC is at 0x8859 because the buggy 0x76 handler in our emulator only advanced PC by 1, so 0x4f00 is being decoded as a fresh instruction instead of being treated as the literal operand of the ST at 0x8858.
Decoder bug
hw/arm/calypso/calypso_c54x.c lines 3348-3354 :
/* 76xx: LDM MMR, dst */
if (hi8 == 0x76) {
uint8_t mmr = op & 0x7F;
uint16_t val = data_read(s, mmr);
s->a = (int64_t)(int16_t)val << 16;
return consumed + s->lk_used; /* consumed = 1 */
}Per binutils tic54x-opc.c (authoritative reference per CLAUDE.md convention) :
{ "ldm", 1,2,2, 0x4800, 0xFE00, {OP_MMR,OP_DST}, 0, REST}
{ "st", 2,2,2, 0x7600, 0xFF00, {OP_lk,OP_Smem}, 0, REST}
{ "stm", 2,2,2, 0x7700, 0xFF00, {OP_lk,OP_MMR}, 0, REST}LDM is at 0x48xx (already correctly handled at line 3831). 0x76xx is ST #lk, Smem (2-word), and the existing 0x77xx STM handler (line 3355) is correct. The 0x76 handler is just wrong — copy/paste of the wrong mnemonic.
Why this causes IMR=0
When the buggy 0x76 handler runs on 0x7615 0x4f00 : 1. Treats 0x7615 as LDM AR5 → A (advances PC by 1) 2. Next iteration, fetches 0x4f00 at PC=0x8859 as a real opcode 3. 0x4f00 is in the 0x4Exx/0x4Fxx range = DST src, Lmem (line 3869) 4. resolve_smem(0x4f00) with DP=0 returns addr=0x00 = MMR_IMR 5. data_write(addr=0x00, B_high) — writes B’s high word to IMR 6. B at that point is 0 → IMR := 0
(Same trick : op8 = 0x4f and dst_b = 1 selects acc B; addr & 0xFFFE forces even alignment; bit 7 = 0 in 0x4f00 → direct addressing → addr = DP<<7 | 0 = 0 = MMR_IMR.)
Proposed fix
Replace lines 3348-3354 :
/* 76xx: ST #lk, Smem (2 words) — store 16-bit literal to data memory.
* Was incorrectly decoded as LDM MMR,dst. The real LDM is 0x48xx
* (handled below). Per binutils tic54x-opc.c: 0x7600 mask 0xFF00. */
if (hi8 == 0x76) {
op2 = prog_fetch(s, s->pc + 1);
consumed = 2;
addr = resolve_smem(s, op, &ind);
data_write(s, addr, op2);
return consumed + s->lk_used;
}This matches the existing 0x77 handler exactly except : - writes op2 (literal lk) instead of fetching from MMR - addr from resolve_smem(op, …) (Smem, not MMR & 0x7F)
Open questions for you
Sanity : is my reading of
0x76 = ST #lk, Smemcorrect ? The binutils entry is unambiguous but I want a second pair of eyes before clobbering a handler that’s been there for weeks.Side effects : changing 0x76 from 1-word to 2-word will shift PC alignment for any code path that previously skipped the literal as a stray “instruction”. Is there a recommended way to canary this — e.g. diff PC HIST insn=0..1M before/after, or a specific symbol to watch ? The DSP boot path passes
OVLYMVPD then enters runtime ; I’d expect the boot to break differently (or recover) under the fix.Other 0x76-confused sites : I see other
IMR=0andIMR=0x10writes at PC=0xc44b op=0x68f8 and PC=0xc471 op=0x69f8. Those have prev_op != 0x7615/0x7616 so probably aren’t 0x76-induced. But should I also audit whether theOR Smem,src(0x69f8) andAND Smem,src(0x68f8) handlers correctly treat operand encoding ? The fact that they hit MMR_IMR with apparent intent (set bit 4 then clear it) might be the firmware doing a TINT0 toggle, but might also be more collateral from upstream PC drift.Test plan : after applying the fix, what’s the right “did it work” signal ?
- IMR-W trace should show STM #0x????,IMR with non-zero values ?
- INT3 vec=19 should service (idle=1 → 0 transition, PC jumping to 0xFFCC) ?
- DSP should leave the RPTB loop e9ab..e9b6 ?
- fb0_att should increment beyond 0 ? Or all of the above ?
Memory note : current
project_session_20260508_pm_fbdet_split.mdsays “PM tourne mais ne transitionne jamais vers FB-det. IRQ rate 1.5 Hz vs 217 Hz attendus”. I read the rate gap as a consequence of IMR=0 (interrupts are raised but invisible to the DSP, so the firmware sees ~ARM-mediated polling rate), not the root cause. Agree ?
Files / entry points if you want to dig
hw/arm/calypso/calypso_c54x.c:3348-3354— the buggy handlerhw/arm/calypso/calypso_c54x.c:3355-3382— the correct STM handler (model)hw/arm/calypso/calypso_c54x.c:3869-3877— DST handler (the path that turned the stray 0x4f00 into an IMR write)hw/arm/calypso/calypso_c54x.c:551-573— IMR-W trace- ROM dump :
/opt/GSM/calypso_dsp.txtin container, orCALYPSO_DSP_ROM=/home/nirvana/qemu-src/calypso_dsp.txt bash /home/nirvana/qemu-calypso/dsp_read.sh prom0 0xADDRon host - Live log :
docker exec trying tail -200 /root/qemu.log
What I’d like you to do
- Confirm or refute my 0x76 → ST #lk, Smem reading.
- Suggest the canary / regression check for the patch.
- Tell me whether to apply the fix in this session or wait for more data (any hidden code paths I’m missing where the current “LDM” decode is intentionally exploited ?).
./calypso.md
● Cartographie qemu-calypso — état post-session 2026-04-29
## Status update 2026-04-29 5 structural fixes validated empirically (~2530 firmware sites unblocked): silicon-aligned reset + 0x6F00 + 0x68-0x6E + APTS misnomer + F3xx. Final blocker: INTM=1 forever (silicon mechanism not documented publicly). See hw/arm/calypso/doc/SESSION_20260429.md for full report.
## Cartographie originelle (post-2026-04-26)
- Architecture pipeline complet
flowchart TB
subgraph Container ["Docker container trying"]
subgraph QEMU ["QEMU emulation"]
ARM[ARM7TDMI<br/>layer1.highram.elf]
DSP[TMS320C54x<br/>real ROM]
APIRAM[(API RAM<br/>0x0800-0x27FF<br/>shared)]
BSP[BSP UDP RX<br/>port 6702]
TPU[TPU + INT_CTRL<br/>+ TDMA tick]
INTH[INTH<br/>IRQ ctrl]
ARM <--> APIRAM
DSP <--> APIRAM
ARM --> TPU
TPU --> DSP
BSP --> DSP
ARM --> INTH
end
BRIDGE[bridge.py<br/>clock-slave]
BTS[osmo-bts-trx]
MOBILE[mobile<br/>L23]
OSMOCON[osmocon<br/>romload]
end
BTS -->|UDP 5702 DL| BRIDGE
BRIDGE -->|UDP 6702 TRXDv0| BSP
BRIDGE -->|UDP 5700 CLK IND| BTS
OSMOCON -->|PTY firmware| ARM
ARM -->|PTY L1CTL| MOBILE
style ARM fill:#9f9,color:#000
style DSP fill:#fa9,color:#000
style APIRAM fill:#9ff,color:#000
style BSP fill:#9f9,color:#000
style TPU fill:#9f9,color:#000
style BRIDGE fill:#9f9,color:#000
style BTS fill:#9f9,color:#000
style MOBILE fill:#9f9,color:#000
style OSMOCON fill:#9f9,color:#000Vert = fonctionnel. Orange = fonctionnel mais piégé en init loop sans le hack.
- Séquence de boot — état actuel avec hack
sequenceDiagram
participant ARM
participant Mailbox as API RAM<br/>(BL_*, NDB)
participant DSP
participant Hack as DIAG-HACK<br/>(env-var)
Note over ARM,DSP: Phase 1 — Boot bootloader (FONCTIONNE)
ARM->>+DSP: calypso_reset(RESET=1)
ARM->>Mailbox: BL_ADDR_LO=0x7000
ARM->>Mailbox: BL_CMD_STATUS=0x0002 (COPY_BLOCK)
ARM->>DSP: calypso_reset(RESET=0)
DSP->>Mailbox: poll BL_CMD_STATUS
Mailbox-->>DSP: =0x0002 ✓ (alias fix)
DSP->>Mailbox: poll BL_ADDR_LO
Mailbox-->>DSP: =0x7000 ✓
DSP->>DSP: BACC 0x7000 (entrée user code)
Note over ARM,DSP: Phase 2 — Init firmware (FONCTIONNE)
DSP->>DSP: PMST <- 0xFFA8 (PROM0 0xb360)
ARM->>Mailbox: NDB init (d_dsp_state=3, etc.)
ARM->>TPU_INT_CTRL: tpu_frame_irq_en(1,1) → bit 2=0
DSP->>DSP: 4.7M MAC ops (init/checksum)
DSP->>DSP: RCD à 0x75e8 (cond=A<=0) returns ✓
Note over ARM,DSP: Phase 3 — Mode applicatif (BLOQUÉ sans hack)
rect rgb(255, 230, 230)
Note right of DSP: Sans hack: DSP en init loop forever<br/>INTM=1, IMR=0, F6BB=0
end
Hack->>DSP: ⚡ INTM=0 (force, insn=2M)
DSP->>DSP: IMR change × 3310 ✓
DSP->>DSP: IMR <- 0xFFFF ✓
DSP->>DSP: PMST <- 0x0000 (OVLY=0, IPTR=0)
DSP->>DSP: FCALL FAR × 30 (XPC=0/2/3) ✓
Note over DSP: Phase 4 — Runtime (BLOQUÉ ici maintenant)
rect rgb(255, 230, 230)
DSP-xDSP: PC=0x2FA5 (zone non chargée → NOP slide)
DSP-xMailbox: vec IRQ → 0x0000-0x007F = stubs FRET<br/>(ISR vide → INTM stay 1)
end # qemu-calypso — Status
Snapshot of the DSP memory map, what works end-to-end, and what’s left.
DSP Program Space
XPC = 0 (low pages)
| Range | Region | Status | Notes |
|---|---|---|---|
0x0000–0x007F |
Boot ROM stubs (TI ROM) | ⚠️ | FRET fallback — real TI boot ROM ISRs still to implement |
0x0080–0x07FF |
DARAM overlay (OVLY=1) |
✅ | Code copied from PROM0[0x7080+] at reset, aliased on api_ram |
0x0800–0x27FF |
DARAM = API RAM (shared) | ✅ | ARM ↔︎ DSP mailbox: BL_*, NDB, task_md, d_fb_det |
0x2800–0x6FFF |
“Unmapped” / SARAM | ⚠️ | Firmware fetches here post-OVLY (PC=0x2FA5 stuck NOP slide) |
0x7000–0xDFFF |
PROM0 (24K words) | ✅ | Full ROM dump: init code, bootloader, IDLE clusters |
0xE000–0xFF7F |
PROM1 mirror (page-1 vec) | ✅ | Loaded from page-1 dump (INT3=0x0100 fc20 etc.) |
0xFF80–0xFFFF |
Vector table (IPTR=0x1FF) |
✅ | Reset @ 0xFF80 = B 0xb410; other vectors from PROM1 |
XPC = 1/2/3 (extended pages)
| Range | Region | Status | Notes |
|---|---|---|---|
0x18000–0x1FFFF |
PROM1 | ✅ | Loaded; contains dispatcher @ 0x1a7c4, RSBX INTM clusters |
0x28000–0x2FFFF |
PROM2 | ✅ | Loaded; reached with hack |
0x38000–0x39FFF |
PROM3 | ✅ | Loaded; reached with hack |
What works
Pipeline ARM ↔︎ BTS ↔︎ Mobile
- ✅ Bridge UDP relay (BTS DL
UDP 5702→ QEMU6702) - ✅ Clock master (QEMU FN → bridge → BTS via
CLK INDwall-clock) - ✅
osmo-bts-trxfull pipeline withmobileL23 - ✅
osmoconromload firmware upload (PTY native) - ✅ Sercomm DLCI router PTY ↔︎ FIFO
- ✅ ARM main loop:
l1a_compl_execute,tdma_sched_execute,sim_handler,l1a_l23_handler - ✅ ARM PM scan (
PM_REQARFCN range, PM MEAS publish) - ✅ ARM FBSB request loop (
L1CTL_FBSB_REQretry) - ✅ SIM module ISO 7816 emulated (
calypso_sim.c, IMSI/Ki loaded)
ARM ↔︎ DSP mailbox
- ✅ Bootloader handshake
BL_ADDR_LO/BL_CMD_STATUS(BACC0x7000) - ✅ NDB structure init on ARM side (
dsp_ndb_init) - ✅
d_task_mdwrite (FB-det command, ~14 frames) - ✅ DMA proof: ARM writes
task_d/task_u/task_mdper frame - ✅ Aliasing data ↔︎ api_ram coherent (fix #1)
DSP emulation core
- ✅ Reset state correct (
SP=0x5AC8,ST1=INTM,PMST=0xFFE0) - ✅ MVPD-style copy
PROM0[0x7080+] → DARAM[0x80+]at reset (aliased api_ram) - ✅ Boot ROM stub
0x0000=LDMM,0x0001=RET,0x0002–0x007F=FRET - ✅ Vec table
0xFF80(reset →0xb410, others = PROM1 mirror) - ✅ ROM loader (PROM0/1/2/3 + DROM/PDROM)
- ✅ OVLY mode (DARAM in program space when bit set)
C54x opcodes verified (50+)
| Class | Opcodes |
|---|---|
| ALU | ADD, ADDS, SUB, SUBS, MAC, MAS, MPY, SQUR, FIRS, NORM |
| Move | LD (signed/unsigned/rounded/T-shift), ST/STH/STL/STM, MVPD, MVDM |
| Branch near | B, BC, BD, CC, CCD, CALL, CALLD, RET, RETD, RC, RCD, BANZ |
| Branch far | FB, FBD, FCALL, FCALLD (fix #5 tonight, set XPC properly) |
| Acc-target | BACC, CALA, BACCD, CALAD, FBACCD, FCALAD |
| ISR | RETE, RETED, FRET, FRETED (with APTS gate) |
| Status | RSBX, SSBX, IDLE 1/2/3, RPT, RPTB, RPTBD, RPTZ |
| Conditional | AGEQ/ALT/ALEQ/AEQ/ANEQ/AGT, BGEQ/etc., TC/NTC, C/NC, OV/NOV |
| Compare | CMPM, BITF, CMPS, CMPR |
| Indirect | Modes 0–15 (incl. mode 15 *(lk) absolute) |
| MMR access | IMR, IFR, ST0, ST1, AR0–AR7, SP, BK, BRC, RSA, REA, PMST, XPC |
IRQ / interrupts
- ✅ INTH controller (ARM-side) with level-clear
- ✅
INT3frame interrupt path (TPUINT_CTRLgate, fix #2) - ✅
BRINT0raise after BSP DMA (gate IFR rate-limit) - ✅ IRQ vec dispatch (
INTM=0+ IMR-mask) - ✅ IRQ pending in IFR when masked
- ✅ IDLE wake-up on IRQ (masked or unmasked)
- ✅ FAR call/return XPC push iff APTS
TPU / TSP / IOTA / Timer
- ✅ TPU TDMA tick at GSM frame rate
- ✅
TPU_CTRLwrites (RESET/EN/DSP_EN/CK_ENABLE) - ✅
INT_CTRLwrites (MCU_FRAME/DSP_FRAME/DSP_FRAME_FORCE) - ✅ TPU RAM scenarios
- ✅ IOTA
BDLENApulse delivery - ✅
TINT0timer (CNTL bit 5CLOCK_ENABLE, prescaler 4:2, lazy mode)
BSP DMA pipeline
- ✅ UDP
6702RX (TRXDv0 from bridge) - ✅ FN-indexed queue per TN (tolerance window 64)
- ✅ Burst classification (FB pattern detect: 146 zeros)
- ✅ DARAM write @
0x3FB0+(fixed in init) - ✅
BRINT0IRQ raise after DMA
Diagnostic / instrumentation
- ✅ DIAG-HACK env-var driven (
CALYPSO_FORCE_INTM_CLEAR_AT) - ✅ Full dump (
PMST,IPTR,IMR,IFR,ST0/ST1, vec table,ALIAS-CHECK) - ✅ 30+ conditional tracers (
DYN-CALL,BCD/CAD,MAC-7700,RCD-75e8, …) - ✅ PC HIST sampling (top 20 per 50K cycles)
- ✅
WATCH-READ/WATCH-WRITEon critical mailbox slots
Tooling / dev
- ✅ 3-way sync:
qemu-src(host primary) ↔︎qemu(mirror) ↔︎ container/opt/GSM/qemu-src - ✅ Packaged repo
/home/nirvana/qemu-calypso(hw/,include/,CLAUDE.md,hack.patch) - ✅ Build container
ninja - ✅
hack.patchreversible (patch -p1 -R) - ✅ Exhaustive
TODO.md(601 lines, structured by root bug + technical debt) - ✅
CLAUDE.mdrule #1: “PAS DE HACK”
What’s left
| Priority | Item | Type |
|---|---|---|
| 🔴 High | Identify silicon mechanism that clears INTM (NMI / TI boot ROM / MMIO) |
TI doc research |
| 🔴 High | Implement real ISR stubs at 0x0000–0x007F (at minimum RETE) |
impl |
| 🟠 Med | Identify source of code at PC ≥ 0x2800 post-OVLY (ext SARAM? ARM upload?) |
research |
| 🟢 Low | Refactor structural aliasing (1 backing store instead of 3 paths) | tech debt |
| 🟢 Low | c54x_reset MVPD: opcode-driven instead of fixed memcpy |
tech debt |
| 🟢 Low | prog_fetch honor XPC for ≥0x8000 |
tech debt |
./parse_dsp_log.sh
#!/usr/bin/env bash
# parse_dsp_log.sh — synthèse exhaustive du run actif Calypso/DSP.
#
# Usage:
# ./parse_dsp_log.sh # log container "trying"
# ./parse_dsp_log.sh /path/to/qemu.log # log local
# CONTAINER=foo ./parse_dsp_log.sh # autre container
# SECTIONS="markers pc sp" # restreindre les sections
# COMPARE=/path/to/old.log # comparer avec un run précédent
#
# Sections (toutes par défaut, ordre = ordre d'affichage):
# meta — taille/mtime binaire et log + run age
# env — ENV vars détectées dans le log (FBSB_SYNTH, W1C_LATCH, etc.)
# markers — counts globaux (tous les markers DSP/BSP/L1)
# pc — derniers PC HIST + zone hot
# stuck — détecte stagnation (sum-delta < tolerance)
# pc-zones — distribution des zones DSP visitées (0x8d, 0xeb, etc.)
# bsp — stats BSP DMA (stale ratio, BSP LOAD, DMA hits)
# sp — détail SP-CATASTROPHE + opcode breakdown + AR analysis
# imr — IMR-W *ZERO* par PC+op + détection PC=0x0888 firmware-intentional
# dual — DUAL-OP-INTERPRET + analyse current_dec vs SPRU
# dispflag — DISP-FLAG-W top addresses (DARAM[0x40..0x90] writes)
# snr — a_sync_SNR DSP-side, distribution + write PCs + déterminisme
# intm — INTM-TRANS (last 6 with cause prev_exec)
# mac — MAC-7700, MAC-8d33, ENTER-* trace counts
# irq — IRQ events sequence
# bridge — bridge.log activity
# summary — verdict consolidé fin-de-rapport
#
# Couleurs : auto si TTY, sinon plain.
set -u
CONTAINER="${CONTAINER:-trying}"
LOG="${1:-}"
SECTIONS="${SECTIONS:-meta env markers pc stuck pc-zones bsp sp imr dual dispflag snr intm mac irq bridge summary}"
COMPARE="${COMPARE:-}"
# --- detect log source --------------------------------------------------
if [[ -z "$LOG" ]]; then
if ! docker ps --format '{{.Names}}' 2>/dev/null | grep -qx "$CONTAINER"; then
echo "ERR: container '$CONTAINER' not running" >&2
exit 1
fi
READ_LOG() { docker exec "$CONTAINER" cat /root/qemu.log; }
READ_BRIDGE() { docker exec "$CONTAINER" cat /tmp/bridge.log 2>/dev/null || true; }
META_CMD() { docker exec "$CONTAINER" bash -c \
'ls -la /opt/GSM/qemu-src/build/qemu-system-arm /root/qemu.log /tmp/bridge.log 2>/dev/null'; }
else
[[ ! -f "$LOG" ]] && { echo "ERR: log file not found: $LOG" >&2; exit 1; }
READ_LOG() { cat "$LOG"; }
READ_BRIDGE() {
local b="$(dirname "$LOG")/bridge.log"
[[ -f "$b" ]] && cat "$b" || true
}
META_CMD() { ls -la "$LOG"; }
fi
# Cache log content once, all sections grep over $TMP for consistency.
TMP=$(mktemp -t qemulog.XXXXXX)
BTMP="${TMP}.bridge"
CTMP="${TMP}.compare"
trap 'rm -f "$TMP" "$BTMP" "$CTMP"' EXIT
READ_LOG > "$TMP" || { echo "ERR: cannot read log" >&2; exit 1; }
READ_BRIDGE > "$BTMP" 2>/dev/null || true
[[ -n "$COMPARE" && -f "$COMPARE" ]] && cp "$COMPARE" "$CTMP" || : > "$CTMP"
# --- color helpers ------------------------------------------------------
if [[ -t 1 ]]; then
BOLD=$'\e[1m'; DIM=$'\e[2m'; RED=$'\e[31m'; GRN=$'\e[32m'
YEL=$'\e[33m'; BLU=$'\e[34m'; CYA=$'\e[36m'; MAG=$'\e[35m'; RST=$'\e[0m'
else
BOLD=''; DIM=''; RED=''; GRN=''; YEL=''; BLU=''; CYA=''; MAG=''; RST=''
fi
hdr() { printf '\n%s=== %s ===%s\n' "$BOLD" "$1" "$RST"; }
sub() { printf '%s--- %s ---%s\n' "$DIM" "$1" "$RST"; }
warn() { printf '%s%s%s\n' "$YEL" "$1" "$RST"; }
crit() { printf '%s%s%s\n' "$RED" "$1" "$RST"; }
ok() { printf '%s%s%s\n' "$GRN" "$1" "$RST"; }
dim() { printf '%s%s%s\n' "$DIM" "$1" "$RST"; }
has_section() { [[ " $SECTIONS " == *" $1 "* ]]; }
# Robust grep -c (returns "0" without error / no concat)
grepc() {
local n
n=$(grep -c "$1" "$TMP" 2>/dev/null) || true
n=${n:-0}
echo "$n"
}
# --- meta --------------------------------------------------------------
if has_section meta; then
hdr "META — binary + log"
META_CMD
last_insn=$(grep -E 'PC HIST insn=' "$TMP" | tail -1 | sed -E 's/.*insn=([0-9]+).*/\1/')
log_size=$(wc -c < "$TMP")
if [[ -n "$last_insn" ]]; then
printf "Last insn=%s log=%dKB" "$last_insn" $((log_size/1024))
# Estimated wall-time at ~50M insn/s typical
if [[ "$last_insn" -gt 0 ]]; then
wall_s=$((last_insn / 50000000))
printf " ≈%ds DSP wall\n" "$wall_s"
else
echo
fi
else
echo "(no PC HIST yet)"
fi
if [[ -s "$CTMP" ]]; then
cmp_insn=$(grep -E 'PC HIST insn=' "$CTMP" | tail -1 | sed -E 's/.*insn=([0-9]+).*/\1/')
printf "Compare run last insn=%s\n" "${cmp_insn:-?}"
fi
fi
# --- env --------------------------------------------------------------
if has_section env; then
hdr "ENV — variables détectées"
grep -E '\[(BSP|calypso-trx|calypso-fbsb|c54x)\].*CALYPSO_|FORCE-DARAM62|BYPASS_BDLENA|ICOUNT' "$TMP" | head -10
# Highlight conflicts (e.g. multiple FBSB_SYNTH lines)
fbsb_n=$(grep -c 'CALYPSO_FBSB_SYNTH=' "$TMP" 2>/dev/null) || fbsb_n=0
[[ "$fbsb_n" -gt 1 ]] && warn " ⚠ Multiple FBSB_SYNTH lines — env might have flipped mid-run"
fi
# --- markers -----------------------------------------------------------
if has_section markers; then
hdr "MARKERS — counts globaux"
cnt() {
local label="$1" pattern="$2" color="${3:-}"
local n
n=$(grepc "$pattern")
local cmp=""
if [[ -s "$CTMP" ]]; then
local nc
nc=$(grep -c "$pattern" "$CTMP" 2>/dev/null) || nc=0
local d=$((n - nc))
if [[ "$d" -gt 0 ]]; then cmp=" (+$d vs cmp)"; elif [[ "$d" -lt 0 ]]; then cmp=" ($d vs cmp)"; fi
fi
if [[ -z "$color" ]]; then
printf " %-28s %d%s\n" "$label" "$n" "$cmp"
else
printf " %-28s %s%d%s%s\n" "$label" "$color" "$n" "$RST" "$cmp"
fi
}
cnt "IMR-W *ZERO*" 'IMR-W \*ZERO\*' "$RED"
cnt "SP-CATASTROPHE" 'SP-CATASTROPHE' "$RED"
cnt "DUAL-OP-INTERPRET" 'DUAL-OP-INTERPRET' "$YEL"
cnt "HOT-OPS-DUMP" 'HOT-OPS-DUMP' ""
cnt "INTM-TRANS" 'cause prev_exec' ""
cnt "DISP-FLAG-W" 'DISP-FLAG-W' ""
cnt "ENTER-770c" 'ENTER-770c' "$GRN"
cnt "ENTER-7700" 'ENTER-7700' ""
cnt "ENTER-8d2d" 'ENTER-8d2d' ""
cnt "DSP WR a_sync_SNR" 'DSP WR a_sync_SNR' "$GRN"
cnt "DSP WR a_sync_TOA" 'a_sync_TOA' ""
cnt "d_fb_det WR" 'd_fb_det' ""
cnt "fbsb hook fired" 'fbsb hook fired' "$GRN"
cnt "L1CTL_DATA_IND" 'L1CTL_DATA_IND' "$GRN"
cnt "ARM TASK WR" 'ARM TASK WR' ""
cnt "IRQ events" '\[c54x\] IRQ #' ""
cnt "BSP LOAD" 'BSP LOAD' ""
cnt "BSP DMA fn=*" '\[BSP\] DMA fn=' ""
cnt "STALE ratio" 'STALE ratio:' ""
cnt "MAC-7700" 'MAC-7700' ""
cnt "MAC-8d33" 'MAC-8d33' ""
cnt "VEC-TRACE" 'VEC-TRACE' ""
cnt "PENDING IRQ" 'PENDING IRQ' ""
fi
# --- pc hist -----------------------------------------------------------
if has_section pc; then
hdr "PC HIST — last 3 windows"
grep 'PC HIST insn=' "$TMP" | tail -3
fi
# --- stagnation -------------------------------------------------------
if has_section stuck; then
hdr "STAGNATION — DSP stuck detection"
last2=$(grep 'PC HIST insn=' "$TMP" | tail -2)
if [[ -n "$last2" ]]; then
sum_of() {
echo "$1" | grep -oE '[0-9a-f]{4}:[0-9]+' | \
awk -F: '{s+=$2} END {print s+0}'
}
line1=$(echo "$last2" | head -1 | sed 's/.*top: //')
line2=$(echo "$last2" | tail -1 | sed 's/.*top: //')
sum1=$(sum_of "$line1")
sum2=$(sum_of "$line2")
delta=$(( sum2 - sum1 ))
abs_delta=${delta#-}
if (( abs_delta < 1000 )); then
crit " STUCK — sum-delta=$delta (< 1000) between last 2 PC HIST windows"
top_pc=$(echo "$last2" | tail -1 | sed 's/.*top: //' | awk '{print $1}' | cut -d: -f1)
echo " Hot region: 0x$top_pc (sum1=$sum1 sum2=$sum2)"
# Detect zone classification
case "$top_pc" in
8d*) echo " Zone: 0x8d3X = FB-det inner correlator (historical)";;
eb*) echo " Zone: 0xebXX = PROM1 mirror trap";;
fc*) echo " Zone: 0xfcXX = PROM1 mirror, often post-fbdet";;
82*) echo " Zone: 0x82XX = correlator routine (with W1C_LATCH=1)";;
99*) echo " Zone: 0x99XX = ?";;
*) echo " Zone: unknown — investigate";;
esac
else
ok " PROGRESSING — sum-delta=$delta between last 2 windows"
fi
else
dim " not enough PC HIST data"
fi
fi
# --- pc zones (which zones have been visited) -------------------------
if has_section pc-zones; then
hdr "PC ZONES — high-level visit map"
for prefix in 7700 0x8d 0xeb 0xfc 0x82 0x99 0x16 0x17 0xa0 0xc8 0xff; do
zone_short="${prefix#0x}"
n=$(grep 'PC HIST insn=' "$TMP" | grep -oE "${zone_short}[0-9a-f]{2}" | sort -u | wc -l 2>/dev/null) || n=0
printf " zone 0x%-4s : %3d distinct PCs visited in PC HIST\n" "$zone_short" "$n"
done
fi
# --- bsp -------------------------------------------------------------
if has_section bsp; then
hdr "BSP DMA — sample delivery to DSP"
sub "Stats from STALE ratio log"
grep 'STALE ratio' "$TMP" | tail -3
sub "BSP DMA log (per-1000 + first 10) — sample of fn delivered"
grep '\[BSP\] DMA fn=' "$TMP" | head -3
echo "..."
grep '\[BSP\] DMA fn=' "$TMP" | tail -3
sub "fn%51 distribution — DSP-delivered (sparse, log-rate-limited)"
grep '\[BSP\] DMA' "$TMP" | grep -oE 'fn=[0-9]+' | \
awk -F= '{print $2 % 51}' | sort -n | uniq -c | sort -rn | head -8
sub "fn%51 distribution — bridge sent (full)"
if [[ -s "$BTMP" ]]; then
grep 'DL #' "$BTMP" | grep -oE 'qfn=[0-9]+' | \
awk -F= '{print $2 % 51}' | sort -n | uniq -c | sort -rn | head -8
else
dim " no bridge.log"
fi
fi
# --- sp catastrophe ----------------------------------------------------
if has_section sp; then
hdr "SP-CATASTROPHE — opcode breakdown + AR analysis"
n_sp=$(grepc 'SP-CATASTROPHE')
if [[ "$n_sp" -gt 0 ]]; then
sub "Top opcodes (count × op)"
grep 'SP-CATASTROPHE' "$TMP" | awk '{
for(i=1;i<=NF;i++) if ($i ~ /^op=/) { print $i; break }
}' | sort | uniq -c | sort -rn | head -10
sub "Top PCs (count × PC)"
grep 'SP-CATASTROPHE' "$TMP" | awk '{
for(i=1;i<=NF;i++) if ($i ~ /^PC=/) { print $i; break }
}' | sort | uniq -c | sort -rn | head -10
sub "Last 5 events (full)"
grep 'SP-CATASTROPHE' "$TMP" | tail -5 | sed -E 's/^(.{120}).*/\1.../'
sub "AR analysis : how often is some AR=0x0018 (MMR_SP) post-instruction?"
ar18=$(grep 'SP-CATASTROPHE' "$TMP" | grep -cE 'AR[0-7]?: ([0-9a-f]{4} ){0,7}0018') || ar18=0
echo " events with any AR pos visible at 0x0018: $ar18 / $n_sp"
ar00=$(grep 'SP-CATASTROPHE' "$TMP" | grep -cE 'AR[0-7]?: ([0-9a-f]{4} ){0,7}0000') || ar00=0
echo " events with any AR pos visible at 0x0000: $ar00 / $n_sp"
else
ok " none"
fi
fi
# --- imr=0 culprits ----------------------------------------------------
if has_section imr; then
hdr "IMR-W *ZERO* — culprits"
n_imr=$(grepc 'IMR-W \*ZERO\*')
if [[ "$n_imr" -gt 0 ]]; then
sub "Distinct PC+op (count × PC+op)"
grep 'IMR-W \*ZERO\*' "$TMP" | awk '{
pc=""; op="";
for(i=1;i<=NF;i++) {
if ($i ~ /^PC=/) pc=$i;
if ($i ~ /^op=/) op=$i;
}
print pc, op;
}' | sort | uniq -c | sort -rn | head -10
# Detect known firmware-intentional sites
f0888=$(grep -c 'IMR-W \*ZERO\*.*PC=0x0888' "$TMP" 2>/dev/null) || f0888=0
if [[ "$f0888" -gt 30 ]]; then
warn " ℹ PC=0x0888 = $f0888 hits — likely firmware-intentional (STM #0,IMR in ISR critical section)"
fi
# Highlight C8/C9/CA/CB ops (= dual-op via my fix territory)
sub "Dual-op (C8-CB) IMR=0 — relates to encoding fix"
grep 'IMR-W \*ZERO\*' "$TMP" | grep -cE 'op=0xc[89ab]' | head -1 | xargs -I{} echo " C8-CB hits: {}"
else
ok " none"
fi
fi
# --- dual-op interpret -------------------------------------------------
if has_section dual; then
hdr "DUAL-OP-INTERPRET — encoding evidence"
n_dop=$(grepc 'DUAL-OP-INTERPRET')
if [[ "$n_dop" -gt 0 ]]; then
warn " $n_dop hits — SP catastrophes occurred on 0xC8xx opcodes despite C8/CB fix"
echo " (= firmware-driven AR pollution upstream, not encoding bug)"
sub "Top PCs"
grep 'DUAL-OP-INTERPRET' "$TMP" | awk '{
for(i=1;i<=NF;i++) if ($i ~ /^PC=/) { print $i; break }
}' | sort | uniq -c | sort -rn | head -5
sub "Sample (first 3)"
grep 'DUAL-OP-INTERPRET' "$TMP" | head -3 | sed -E 's/^(.{180}).*/\1.../'
else
ok " 0 hits — fix C8/C9/CA/CB tient (no SP-cat on 0xC8xx)"
fi
fi
# --- disp flag writes --------------------------------------------------
if has_section dispflag; then
hdr "DISP-FLAG-W — DARAM[0x40..0x90] writes"
n=$(grepc 'DISP-FLAG-W')
if [[ "$n" -gt 0 ]]; then
sub "Top 12 addresses (count × addr)"
grep 'DISP-FLAG-W' "$TMP" | awk '{print $3}' | \
sort | uniq -c | sort -rn | head -12
sub "Coverage of 0x60-0x65 zone (the supposed dispatcher poll)"
for a in 0060 0061 0062 0063 0064 0065; do
c=$(grep -c "DISP-FLAG-W data\[0x$a\]" "$TMP" 2>/dev/null) || c=0
printf " data[0x%s]: %d\n" "$a" "$c"
done
else
dim " no writes captured"
fi
fi
# --- a_sync_SNR variation ---------------------------------------------
if has_section snr; then
hdr "a_sync_SNR — DSP-side demod output"
n=$(grepc 'DSP WR a_sync_SNR')
if [[ "$n" -gt 0 ]]; then
nv=$(grep 'DSP WR a_sync_SNR' "$TMP" | grep -oE '= 0x[0-9a-f]+' | sort -u | wc -l)
if [[ "$nv" -le 1 ]]; then
warn " $n writes, $nv distinct value → demod ne converge plus / figé"
else
ok " $n writes, $nv distinct values"
fi
sub "Distribution (count × value)"
grep 'DSP WR a_sync_SNR' "$TMP" | grep -oE '= 0x[0-9a-f]+' | \
sort | uniq -c | sort -rn | head -8
sub "Write PCs (sites du correlator qui produit SNR)"
grep 'DSP WR a_sync_SNR' "$TMP" | grep -oE 'PC=0x[0-9a-f]+' | \
sort | uniq -c | sort -rn | head -6
sub "Determinism check (signature 21× 0x2fb0 attendue)"
d2fb0=$(grep 'DSP WR a_sync_SNR.*= 0x2fb0' "$TMP" | wc -l)
d164e=$(grep 'DSP WR a_sync_SNR.*= 0x164e' "$TMP" | wc -l)
echo " 0x2fb0=$d2fb0 0x164e=$d164e (cumulative — déterministe across runs)"
else
dim " no FB-det output yet"
fi
fi
# --- INTM transitions --------------------------------------------------
if has_section intm; then
hdr "INTM-TRANS — last 6 (avec cause prev_exec)"
grep 'cause prev_exec' "$TMP" | tail -6
fi
# --- MAC trace -------------------------------------------------------
if has_section mac; then
hdr "MAC traces (FB-det correlator instrumentation)"
sub "MAC-7700 (FB-det at PROM0 0x7700)"
grep '\[c54x\] MAC-7700' "$TMP" | head -2
grep '\[c54x\] MAC-7700' "$TMP" | tail -2
sub "MAC-8d33 + ENTER-8d2d (instrumented zone — for runs that reach it)"
n_8d33=$(grepc 'MAC-8d33')
n_8d2d=$(grepc 'ENTER-8d2d')
echo " MAC-8d33: $n_8d33 ENTER-8d2d: $n_8d2d"
if [[ "$n_8d33" -gt 0 ]]; then
sub "ENTER-8d2d first 5 (A_pre check : reset vs persistent)"
grep 'ENTER-8d2d' "$TMP" | head -5
fi
fi
# --- IRQ activity ---------------------------------------------------
if has_section irq; then
hdr "IRQ activity"
n_irq=$(grepc '\[c54x\] IRQ #')
if [[ "$n_irq" -gt 0 ]]; then
sub "Last 3 IRQ events"
grep '\[c54x\] IRQ #' "$TMP" | tail -3
sub "IPTR distribution (which vector base did the IRQs land at?)"
grep '\[c54x\] IRQ #' "$TMP" | grep -oE 'IPTR=0x[0-9a-f]+' | \
sort | uniq -c | sort -rn | head -5
sub "IMR distribution (was service ever possible?)"
grep '\[c54x\] IRQ #' "$TMP" | grep -oE 'IMR=0x[0-9a-f]+' | \
sort | uniq -c | sort -rn | head -5
else
dim " no IRQ events"
fi
fi
# --- bridge activity --------------------------------------------------
if has_section bridge; then
hdr "BRIDGE — UDP samples / CLK IND activity"
if [[ -s "$BTMP" ]]; then
b_lines=$(wc -l < "$BTMP")
printf " bridge.log: %d lines total\n" "$b_lines"
sub "Last tick summary"
grep -E 'tick=.*clk=.*dl=.*ul=' "$BTMP" | tail -1
sub "Last 3 DL frames"
grep 'DL #' "$BTMP" | tail -3 | sed -E 's/^(.{160}).*/\1.../'
sub "DL drops (lookahead)"
grep -c 'DL drop' "$BTMP" 2>/dev/null
else
dim " no bridge.log accessible"
fi
fi
# --- summary -------------------------------------------------------
if has_section summary; then
hdr "SUMMARY — verdict consolidé"
last_insn=$(grep -E 'PC HIST insn=' "$TMP" | tail -1 | sed -E 's/.*insn=([0-9]+).*/\1/')
last2=$(grep 'PC HIST insn=' "$TMP" | tail -2)
sum2=$(echo "$last2" | tail -1 | sed 's/.*top: //' | grep -oE '[0-9a-f]{4}:[0-9]+' | awk -F: '{s+=$2} END {print s+0}')
sum1=$(echo "$last2" | head -1 | sed 's/.*top: //' | grep -oE '[0-9a-f]{4}:[0-9]+' | awk -F: '{s+=$2} END {print s+0}')
delta=$(( sum2 - sum1 )); adelta=${delta#-}
n_imr=$(grepc 'IMR-W \*ZERO\*')
n_sp=$(grepc 'SP-CATASTROPHE')
n_dop=$(grepc 'DUAL-OP-INTERPRET')
n_l1=$(grepc 'L1CTL_DATA_IND')
n_fbsb=$(grepc 'fbsb hook fired')
top_pc=$(echo "$last2" | tail -1 | sed 's/.*top: //' | awk '{print $1}' | cut -d: -f1 2>/dev/null)
[[ "$adelta" -lt 1000 ]] && state="STUCK at 0x$top_pc" || state="PROGRESSING"
printf " State : %s\n" "$state"
printf " Insn count : %s\n" "${last_insn:-?}"
printf " L1 progress : L1CTL_DATA_IND=%d fbsb_hook=%d\n" "$n_l1" "$n_fbsb"
printf " DSP errors : IMR=0=%d SP-cat=%d dual-op-cat=%d\n" "$n_imr" "$n_sp" "$n_dop"
if [[ "$n_l1" -gt 0 ]]; then
ok " → BCCH/L1 has progressed ✓"
elif [[ "$n_dop" -gt 50 ]]; then
crit " → MAJOR : $n_dop dual-op SP-catastrophes — firmware AR pollution at PC=0x?"
crit " Verify if AR4=0x18 (MMR_SP) shows up in DUAL-OP-INTERPRET log"
elif [[ "$n_imr" -gt 100 ]]; then
warn " → $n_imr IMR=0 hits — DSP service pipeline likely broken"
elif [[ "$adelta" -lt 1000 ]]; then
warn " → DSP STUCK at 0x$top_pc — investigate hot zone"
else
dim " → DSP progressing but no L1 yet"
fi
fi
echo./README.md
qemu-calypso
QEMU emulation of the TI Calypso GSM baseband chipset (ARM7TDMI + TMS320C54x DSP), the SoC used in the OpenMoko Neo / Compal e88 family. Runs unmodified real DSP ROM and the osmocom-bb layer1.highram.elf firmware on the ARM side, with a Python bridge that connects to osmo-bts-trx for full GSM cell simulation.
Latest update — Session 2026-05-08 (POPM fix + opcode audit)
INTM=1 dwell perpétuel résolu. Blocker déplacé sur l’init AR du correlator FB-det.
L’émulateur DSP avait 9 opcodes misclassifiés (depuis le début du projet). Le plus critique : 0x8A00 était décodé en MVDK Smem,dmad alors que tic54x-opc.c l’identifie comme POPM MMR. Conséquence : le pattern PSHM/POPM symétrique du firmware DSP (sauve ST1, entre zone critique avec INTM=1, restore ST1) ne fonctionnait jamais — ST1 jamais restauré → INTM stuck à 1 → IRQ vectoring bloqué → DSP mort dans une wait à 0xa21x après ~98M insn. Symptôme persistant depuis avril 2026.
Audit opcode
Référence créée : hw/arm/calypso/doc/opcodes/tic54x_hi8_map.md — table complète tic54x officielle (binutils 2.21.1) hi8 → mnémonique pour les 256 valeurs.
| Opcode | qemu-calypso (avant) | tic54x officiel | Statut 2026-05-08 |
|---|---|---|---|
0x8A |
MVDK Smem,dmad (2-mot) | popm MMR (1-mot) | fixé |
0x8B |
MVDK long-addr (2-mot) | popd Smem (1-mot) | stubé NOP |
0xAA/AB |
STLM duplicate | ld variant | stubé NOP |
0xC5 |
PSHM MMR | st parallel | stubé NOP (sp– fantôme) |
0xCD |
POPM MMR | st parallel | stubé NOP (sp++ fantôme) |
0xCE |
FRAME #k | st parallel | stubé NOP (sp+=k arbitraire) |
0xDD |
POPD Smem | st parallel | stubé NOP (sp++ fantôme — cause SP runaway post-POPM) |
0xDE |
POPD dmad (2-mot) | st parallel | stubé NOP |
0x80 |
MVDD Smem,Smem | stl src,Smem | stubé NOP |
Stratégie « stop-the-bleed » : les opcodes mal classifiés qui causaient des push/pop fantômes ou écritures mémoire pourries sont neutralisés en NOP 1-mot. Implémentation sémantique correcte des familles ST||OP parallèles (0xC0..0xDF) reportée — non bloquant tant que le SP est stable.
Symptômes débloqués
| Avant | Après |
|---|---|
| INTM=1 perpétuel après insn=90.2M | INTM=0 après chaque coroutine swap ✓ |
| WAIT-A21A : 5.7 millions d’iters bloquées | 0 ✓ |
| ENTER-7740 : 37k figé | 0 (path différent) |
| DSP throughput | 5× plus rapide (4.3B insn / 44s) |
| RETE count | toujours 0 (pending IRQ replay non déclenché) |
fb0_att / L1CTL_DATA_IND |
toujours 0 (correlator lit zone vide) |
Blocker actuel — D_FB_DET-WR-SITE
Probe instrumenté à PC=0x8f51 (= PC qui écrit d_fb_det). 50 captures révèlent les pointers AR au moment du write :
##1 AR1=001c AR2=0000 AR3=0000 AR4=2bc0 AR7=0000 data[AR1]=bbef BK=00b0
##50 AR1=004a AR2=fc5d AR3=03a3 AR4=2bc3 AR7=fc5d data[AR1]=0000 BK=00b0- AR3 monte 0x0000 → 0x03A3 par stride +19 → lit DARAM linéaire
[0..0x3A3] - AR2/AR7 wrappent
[0xfc5d..0xffed]par stride −19, BK=176 (circulaire) - AR4 ≈ 0x2bc0 quasi-fixe → table coefficients ROM
- Aucun AR n’atteint la zone BSP DMA target.
Tests A/B avec CALYPSO_BSP_DARAM_ADDR (0x3fb0 / 0x2bc0 / 0x0080) → D_FB_DET-WR-SITE bit-pour-bit identique. Le correlator FB-det ignore où le BSP livre. L’init AR du firmware impose les pointers internes — le mismatch est structurel.
Mobile L23
| Mode | État |
|---|---|
CALYPSO_FBSB_SYNTH=0 |
mobile bloqué pré-FBSB (firmware n’émet pas FBSB_CONF) |
CALYPSO_FBSB_SYNTH=1 |
mobile passe FBSB → atteint gsm322 cell selection (DSC=90) → bloqué (pas de BCCH décodé) |
Quick start
## Real DSP path. Mobile reste pré-FBSB sans synth.
./run.sh
## Synth FB/SB pour faire camper le mobile en gsm322
CALYPSO_FBSB_SYNTH=1 ./run.shVariables d’environnement
| Env | Default | Effet |
|---|---|---|
CALYPSO_FBSB_SYNTH |
0 |
1 publie FB/SB synthétique côté NDB pour faire passer le mobile FBSB → gsm322. Fallback dev tant que le correlator DSP réel ne converge pas. |
CALYPSO_BSP_DARAM_ADDR |
0x3fb0 |
Adresse DARAM cible des DMA RX BSP. Sans effet sur le correlator FB-det actuel (AR init firmware-dependent). |
CALYPSO_W1C_LATCH |
0 |
1 active le latch capture sur les cellules a_sync_demod (race DSP-write/ARM-read mitigation). |
CALYPSO_NDB_D_RACH_OFFSET |
0x01CB |
Override word index de d_rach dans NDB (DSP version-dependent). |
CALYPSO_RACH_FORCE_BSIC |
unset | Force la BSIC dans l’encoder RACH (0..63). Match avec osmo-bsc.cfg base_station_id_code. |
CALYPSO_DSP_IDLE_FF |
1 |
Fast-forward DSP idle dispatcher. Optimisation purement host-side, pas un hack. Set 0 pour debug DSP boot complet. |
CALYPSO_DSP_IDLE_RANGE |
e9ac:e9b7 |
Range PC du dispatcher idle skipée par le fast-forward. |
CALYPSO_DSP_FBDET_SKIP |
0 |
(option de diag) Force-skip du fb-det inner loop. |
CALYPSO_ICOUNT |
auto |
Mode -icount QEMU. auto = shift=auto,sleep=on,align=off. Le kick timer TDMA est sur QEMU_CLOCK_VIRTUAL donc icount ne fige pas la TDMA tick. |
BRIDGE_CLK_FROM_QEMU |
0 |
1 → CLK IND piloté par FN QEMU. À pairer avec -icount. Default = wall-clock (BTS happy). |
BRIDGE_DL_FN_REWRITE |
slot |
Réécriture FN downlink slot-aware (DL FN→qFN cohérent avec TPU). naive ou off pour debug. |
BRIDGE_DL_FN_LOOKAHEAD |
32 |
Marge demi-fenêtre BSP_FN_MATCH_WINDOW pour DL FN rewrite. |
BRIDGE_UL_FN_REWRITE |
slot |
Idem pour UL. |
CALYPSO_DSP_ROM |
calypso_dsp.txt |
Path du dump DSP ROM. |
CALYPSO_SIM_CFG |
~/.osmocom/bb/sim.cfg |
Config SIM IMSI/Ki. |
L1CTL_SOCK |
/tmp/osmocom_l2 |
Mobile↔︎QEMU L1CTL Unix socket. |
Probes runtime instrumentés
Le binaire embarque 9 probes activables via stderr du QEMU. Tous présents dans hw/arm/calypso/calypso_c54x.c :
| Tag | Cible | Usage |
|---|---|---|
PC-HIST-3FB |
reads addr ∈ [0x3fb0..0x3fbf] |
Top PCs lecteurs zone BSP target |
PC-HIST-3DD |
reads addr ∈ [0x3dcf..0x3dd5] |
Top PCs zone scratch dominante |
WATCH-WRITE 0x3dd2 |
writes à 0x3dd2 | Identifie writers + valeurs |
INTM-TRANS |
transitions INTM 0↔︎1 | Cause du SSBX/RSBX/STM ST1 |
WAIT-A21A |
PC=0xa21a | Snapshot INTM/IMR/IFR/ST0/ST1/SP |
ENTER-7740 |
PC=0x7740 | Caller chain + AR + insn |
ST1-WR |
STM #lk, ST1 (op 0x7707) | Toutes écritures de ST1 |
POST-BOOTSTUB-RET |
RET depuis PC ≤ 0x0008 | Task PC poppé après boot stub |
D_FB_DET-WR-SITE |
PC=0x8f51 | AR0..AR7 + data[AR0/1/2] + BK + A |
Repository layout
qemu-calypso/ ← snapshot Calypso-specific
├── hw/arm/calypso/ ← SoC + DSP emulator
│ ├── calypso_c54x.c ← C54x DSP (~6000 lignes)
│ ├── calypso_trx.c ← TRX/TPU/TSP/TDMA
│ ├── calypso_bsp.c ← BSP DMA + UDP 6702
│ ├── calypso_iota.c ← IOTA BDLENA gating
│ ├── calypso_fbsb.c ← FB/SB helper côté ARM
│ ├── calypso_sim.c ← SIM ISO 7816
│ ├── l1ctl_sock.c ← L1CTL Unix socket
│ ├── sercomm_gate.c ← Sercomm DLCI router
│ └── doc/
│ ├── PROJECT_STATUS.md ← état détaillé du projet
│ ├── TODO.md ← prochaines actions
│ ├── opcodes/
│ │ └── tic54x_hi8_map.md ← référence tic54x complète (NEW 2026-05-08)
│ └── spru172c.pdf ← TI C54x manual
├── hw/{intc,char,timer,ssi}/ ← peripherals
├── include/ ← headers
├── bridge.py ← BTS UDP ↔ BSP relay
├── run.sh ← launch orchestration
├── calypso_dsp.txt ← DSP ROM dump (132K words)
├── calypso.md ← Architecture pipeline + diagrams
└── CLAUDE.md ← AI-assistant contextL’arbre de dev actif vit séparément (/home/nirvana/qemu-src/). Sync via cp host + docker cp container ; vérifier md5 après chaque sync.
Architecture
Dual-core GSM baseband emulator :
- ARM7TDMI runs
osmocom-bbLayer 1 firmware (layer1.highram.elf) - TMS320C54x DSP runs the real Calypso DSP ROM (
calypso_dsp.txt) - API RAM shared memory at DSP
0x0800/ ARM0xFFD00000, 8K words - BSP receives I/Q bursts via UDP 6702, serves DSP via PORTR PA=0x0034
- TPU → TSP → IOTA chain gates BDLENA for RX windows
- Bridge (Python) relays BTS UDP 5700-5702 ↔︎ BSP, clock-slave of QEMU
- osmo-bts-trx acts as the cell, paired with
osmo-stp/hlr/msc/bsc/... - mobile (osmocom L23) talks L1CTL via
/tmp/osmocom_l2socket throughosmocon
Pipeline détaillé + sequence diagrams dans calypso.md.
Memory map (DSP side)
| Range | Type | Content |
|---|---|---|
| 0x0000-0x007F | Boot ROM stubs | LDMM SP,B + RET at 0x0000, NOP elsewhere |
| 0x0080-0x27FF | DARAM overlay (OVLY) | Code + data, loaded by MVPD at boot |
| 0x2800-0x6FFF | Unmapped | Reads as 0x0000 |
| 0x7000-0xDFFF | PROM0 | DSP ROM (always readable) |
| 0xE000-0xFF7F | PROM1 mirror | Mirrored from page 1 (0x18000+) |
| 0xFF80-0xFFFF | Interrupt vectors | From PROM1, IPTR=0x1FF |
| 0x0800-0x27FF | API RAM | Shared with ARM (NDB, write/read pages) |
Interrupt vectors (IPTR=0x1FF → base 0xFF80)
vec = imr_bit + 16. addr = 0xFF80 + vec * 4 - INT3 (frame): vec 19, IMR bit 3 → 0xFFCC - TINT0: vec 20, IMR bit 4 → 0xFFD0 - BRINT0 (BSP): vec 21, IMR bit 5 → 0xFFD4
Conventions du projet
- No stubs / no hacks dans les paths critiques. Le DSP exécute le vrai ROM, la BSP est gated par TPU→TSP→IOTA, le mobile passe par la PTY QEMU.
- Vérifier les opcodes contre
tic54x-opc.c(binutils) AVANT de patcher. Voirdoc/opcodes/tic54x_hi8_map.md. - QEMU = clock master, le bridge est slave, le BTS reçoit CLK IND wall-paced.
- Test après chaque édit — build dans Docker, vérifier DSP IDLE + SP + IMR + RETE count.
- Tout contournement temporaire jugé inévitable doit être documenté dans
hw/arm/calypso/doc/TODO.mdavec critère de retrait.
Build
docker exec CONTAINER bash -c "cd /opt/GSM/qemu-src/build && ninja qemu-system-arm"Workaround link -lm cassé :
cd /opt/GSM/qemu-src/build
ninja -t commands qemu-system-arm | tail -1 > /tmp/link.sh
sed -i 's|$| -lm|' /tmp/link.sh && bash /tmp/link.shLe container bastienbaranoff/free-bb:latest a un environnement pré-built avec toute la chaîne d’outils GSM (osmocom-bb, osmo-bts-trx, osmo-msc/bsc/hlr/mgw, osmocon, mobile) et le build QEMU à /opt/GSM/qemu-src/build/.
Historique
2026-05-08 — POPM fix + audit opcode (cette session)
- POPM (0x8A) fixé : INTM dwell perpétuel résolu
- 8 stubs NOP sur opcodes misclassifiés (stop-the-bleed)
tic54x_hi8_map.mdcréé (référence complète)- DSP throughput ×5
- Blocker isolé : correlator FB-det lit DARAM internes indépendamment du BSP target
2026-05-07 — Hacks purgés
rsl_si_tap.py+CALYPSO_BCCH_INJECT+CALYPSO_SI_MMAP_PATHsupprimésBOURRIN-FBDET-SKIPblock supprimé- DIAG-HACK INTM force-clear supprimé
si3_fallback[]hardcode suppriméallc_burst_idxstatic cycle remplacé parfn & 3
2026-04-29 — Opcode dispatch baseline
5 fixes structurels validés empiriquement, ~2530 sites firmware débloqués :
| # | Fix | Impact |
|---|---|---|
| 1 | Reset silicon-aligné (PMST=0xFFA8, ST0=0x181F, ST1=0x2900) | DSP entre PROM1 init zone |
| 2 | 0x6F00 ext dispatch | Wedge PC=0x8353 (2.2G iter) éliminé |
| 3 | 0x68-0x6E handlers (ANDM/ORM/XORM/ADDM/BANZ/BANZD) | 1563 sites unblocked |
| 4 | APTS misnomer fix (PMST bit 4 = AVIS, sans stack semantics) | Stack leak 1.96M events → 0 |
| 5 | F3xx complet (AND/OR/XOR/SFTL + #lk variants) | 364 sites, wedge PC=0x8eb9 |
Sessions précédentes
Voir hw/arm/calypso/doc/SESSION_*.md et /root/.claude/projects/-home-nirvana/memory/.
License & attribution
- QEMU base : GPL-2.0-or-later (upstream QEMU)
- Calypso emulator additions : GPL-2.0-or-later
- osmocom-bb firmware : GPL (utilisé tel quel, non redistribué ici)
- Calypso DSP ROM (
calypso_dsp.txt) : TI proprietary, dump physique d’un device pour recherche et interopérabilité (osmocom DSP dumper). Non redistribuable commercialement sans autorisation TI.
./diff_session_full.patch
diff --git a/hw/arm/calypso/calypso_sim.c b/hw/arm/calypso/calypso_sim.c
index e7097c3..91b4db0 100644
--- a/hw/arm/calypso/calypso_sim.c
+++ b/hw/arm/calypso/calypso_sim.c
@@ -543,9 +543,29 @@ uint16_t calypso_sim_reg_read(CalypsoSim *s, hwaddr off)
case CALYPSO_SIM_REG_IT: {
refresh_it_rx(s);
uint16_t v = s->it;
- /* Edge bits (NATR/WT/OV/TX) are read-clear; level bit RX stays. */
- s->it &= CALYPSO_SIM_IT_RX;
+ /* Edge bits (NATR/WT/OV/TX) are read-clear; level bit RX stays.
+ *
+ * AUDIT FIX 2026-05-08 night (Claude web Q2 hardening) : was
+ * s->it &= CALYPSO_SIM_IT_RX;
+ * which clears ANY bit set after the snapshot (race with concurrent
+ * fire_wt / IRQ handlers raising new bits). Correct semantic : clear
+ * only edge bits that were observed in `v`, so a bit raised between
+ * snapshot and clear survives. RX bit always preserved (level). */
+ uint16_t edge_seen = v & ~CALYPSO_SIM_IT_RX;
+ s->it &= ~edge_seen;
update_irq(s);
+ /* INSTRUMENTATION 2026-05-08 night : log every SIM_IT read so we can
+ * see what value the firmware FIQ handler at 0x822498 receives in R2.
+ * If we see SIM_IT read=0x0002 (IT_WT) but rxDoneFlag stays 0, the
+ * handler's TST/STR chain is failing. If we see SIM_IT read=0x0000
+ * for the WT entry, the IT_WT bit was cleared before handler arrived
+ * (race or wrong read sequencing). Cap at 30. */
+ static unsigned itrd;
+ if (itrd++ < 30)
+ fprintf(stderr,
+ "[sim] SIM_IT read=0x%04x rx_count=%d edge_cleared=0x%04x "
+ "post_it=0x%04x\n",
+ v, rx_count(s), edge_seen, s->it);
return v;
}
case CALYPSO_SIM_REG_DRX: {
diff --git a/hw/arm/calypso/calypso_trx.c b/hw/arm/calypso/calypso_trx.c
index f149507..375dd3a 100644
--- a/hw/arm/calypso/calypso_trx.c
+++ b/hw/arm/calypso/calypso_trx.c
@@ -897,7 +897,22 @@ static void calypso_tdma_start(CalypsoTRX *s)
* (fixed in calypso_uart.c same session), not this kick timer.
*/
static QEMUTimer *g_kick_timer;
-static void calypso_kick_cb(void *o){CPUState*cpu=first_cpu;if(cpu)cpu_exit(cpu);qemu_notify_event();timer_mod_ns(g_kick_timer,qemu_clock_get_ns(QEMU_CLOCK_REALTIME)+5000000);}
+static void calypso_kick_cb(void *o){
+ /* AUDIT INSTRUMENTATION 2026-05-08 night : confirm kick fires under
+ * -icount auto. Per Claude web : if 0 hits in 5s wall → REALTIME timer
+ * not armed correctly with icount. If N≈1000 hits/5s (5ms period) →
+ * timer fires but cpu_exit/notify don't propagate to scheduler. */
+ static unsigned kick_n;
+ kick_n++;
+ if (kick_n <= 30 || (kick_n % 200) == 0) {
+ uint64_t vt = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
+ uint64_t rt = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
+ fprintf(stderr, "[kick] fire #%u vt=%lu rt=%lu\n",
+ kick_n, (unsigned long)vt, (unsigned long)rt);
+ }
+ CPUState*cpu=first_cpu;if(cpu)cpu_exit(cpu);qemu_notify_event();
+ timer_mod_ns(g_kick_timer,qemu_clock_get_ns(QEMU_CLOCK_REALTIME)+5000000);
+}
/* ---- Sercomm burst transport (DLCI 4) ---- */
diff --git a/hw/intc/calypso_inth.c b/hw/intc/calypso_inth.c
index a67f551..464520f 100644
--- a/hw/intc/calypso_inth.c
+++ b/hw/intc/calypso_inth.c
@@ -27,37 +27,54 @@
static void calypso_inth_update(CalypsoINTHState *s)
{
uint32_t active = s->levels & ~s->mask;
- int best_irq = -1;
- int best_prio = 0x7F;
- int is_fiq = 0;
+ int best_irq = -1, best_irq_prio = 0x7F;
+ int best_fiq = -1, best_fiq_prio = 0x7F;
- /* Round-robin scan within same priority: start from rr_start so that
- * after servicing IRQ N, the next scan begins at N+1. This prevents
- * IRQ4 (TPU_FRAME, fires every tick) from starving IRQ7 (UART). */
+ /* AUDIT FIX 2026-05-08 night : was a single-best arbitration that
+ * conflated IRQ and FIQ channels. When both an IRQ-routed and an
+ * FIQ-routed source were active simultaneously, the higher-priority
+ * winner would raise its parent line AND lower the other, killing
+ * any pending interrupt on the losing channel.
+ *
+ * In ARM, FIQ and IRQ are two independent CPU lines with separate
+ * vectors, separate disable bits (CPSR.F vs CPSR.I), and separate
+ * acknowledgement (FIQ_NUM vs IRQ_NUM registers). They MUST be
+ * arbitrated independently.
+ *
+ * Concrete failure observed under -icount auto :
+ * SIM (line 6, ILR[6]=0x1ffc → FIQ bit set) raised the FIQ line.
+ * UART_MODEM (line 7, IRQ-routed) was also active.
+ * Single-best arbitration picked UART (lower prio value), raised
+ * parent_irq, LOWERED parent_fiq → ARM never got FIQ → sim_irq_handler
+ * never ran → rxDoneFlag never set → ARM busy-loop forever at 0x822b90.
+ *
+ * Round-robin scan within each channel separately. */
for (int j = 0; j < CALYPSO_INTH_NUM_IRQS; j++) {
int i = (s->rr_start + j) % CALYPSO_INTH_NUM_IRQS;
- if (active & (1u << i)) {
- int prio = s->ilr[i] & 0x1F;
- if (prio < best_prio) {
- best_prio = prio;
- best_irq = i;
- is_fiq = (s->ilr[i] >> 8) & 1;
- }
+ if (!(active & (1u << i))) continue;
+ int prio = s->ilr[i] & 0x1F;
+ int is_fiq = (s->ilr[i] >> 8) & 1;
+ if (is_fiq) {
+ if (prio < best_fiq_prio) { best_fiq_prio = prio; best_fiq = i; }
+ } else {
+ if (prio < best_irq_prio) { best_irq_prio = prio; best_irq = i; }
}
}
+ /* Drive parent_irq line independently */
if (best_irq >= 0) {
- s->ith_v = best_irq;
- if (is_fiq) {
- qemu_irq_raise(s->parent_fiq);
- qemu_irq_lower(s->parent_irq);
- } else {
- qemu_irq_raise(s->parent_irq);
- qemu_irq_lower(s->parent_fiq);
- }
+ s->ith_v = best_irq; /* IRQ_NUM read returns this */
+ qemu_irq_raise(s->parent_irq);
} else {
- s->ith_v = 0;
+ if (best_fiq < 0) s->ith_v = 0;
qemu_irq_lower(s->parent_irq);
+ }
+
+ /* Drive parent_fiq line independently */
+ if (best_fiq >= 0) {
+ s->fiq_v = best_fiq; /* FIQ_NUM read returns this */
+ qemu_irq_raise(s->parent_fiq);
+ } else {
qemu_irq_lower(s->parent_fiq);
}
}
@@ -68,6 +85,19 @@ static void calypso_inth_set_irq(void *opaque, int irq, int level)
{
CalypsoINTHState *s = CALYPSO_INTH(opaque);
+ /* AUDIT INSTRUMENTATION 2026-05-08 night : trace SIM (irq 6) raises
+ * with current mask state — disambiguates whether SIM IRQ propagates
+ * to ARM or is blocked by mask. Cap log to avoid flood. */
+ if (irq == 6 /* SIM */) {
+ static unsigned sim_log;
+ if (sim_log++ < 60)
+ fprintf(stderr,
+ "[INTH] LINE-SET sim(6) level=%d mask=0x%08x "
+ "bit6_masked=%d prev_levels=0x%08x ilr[6]=0x%04x\n",
+ level, s->mask,
+ !!(s->mask & (1u<<6)), s->levels, s->ilr[6]);
+ }
+
if (level) {
s->levels |= (1u << irq);
} else {
@@ -124,7 +154,21 @@ static uint64_t calypso_inth_read(void *opaque, hwaddr offset, unsigned size)
}
case 0x12: /* FIQ_NUM */
case 0x82: /* FIQ_NUM (legacy) */
- return s->ith_v;
+ {
+ /* AUDIT FIX 2026-05-08 night : returns separately-arbitrated FIQ
+ * source number (was returning ith_v, the IRQ winner — wrong for
+ * FIQ acknowledgement). Edge-clear for FIQ-routed edge sources too. */
+ uint16_t num = s->fiq_v;
+ if (num == 4 || num == 5 || num == 15) {
+ s->levels &= ~(1u << num);
+ }
+ calypso_inth_update(s);
+ static unsigned fiq_log;
+ if (fiq_log++ < 30)
+ fprintf(stderr, "[INTH] FIQ_NUM=%u read levels=0x%08x mask=0x%08x\n",
+ num, s->levels, s->mask);
+ return num;
+ }
case 0x14: /* IRQ_CTRL */
case 0x84: /* IRQ_CTRL (legacy) */
return 0;
@@ -144,13 +188,34 @@ static void calypso_inth_write(void *opaque, hwaddr offset, uint64_t value,
switch (offset) {
case 0x08: /* MASK_IT_REG1 */
+ {
+ uint32_t old = s->mask;
s->mask = (s->mask & 0xFFFF0000) | (value & 0xFFFF);
+ /* AUDIT INSTRUMENTATION 2026-05-08 night : trace mask writes to
+ * disambiguate icount-vs-mask race for SIM IRQ (bit 6). */
+ static unsigned mask_log;
+ if (mask_log++ < 50)
+ fprintf(stderr,
+ "[INTH] MASK-W LO val=0x%04x full 0x%08x → 0x%08x "
+ "bit6(SIM)=%d bit7(UART)=%d levels=0x%08x\n",
+ (unsigned)value, old, s->mask,
+ !!(s->mask & (1u<<6)), !!(s->mask & (1u<<7)),
+ s->levels);
calypso_inth_update(s);
break;
+ }
case 0x0a: /* MASK_IT_REG2 */
+ {
+ uint32_t old = s->mask;
s->mask = (s->mask & 0x0000FFFF) | ((value & 0xFFFF) << 16);
+ static unsigned mask_log_hi;
+ if (mask_log_hi++ < 50)
+ fprintf(stderr,
+ "[INTH] MASK-W HI val=0x%04x full 0x%08x → 0x%08x\n",
+ (unsigned)value, old, s->mask);
calypso_inth_update(s);
break;
+ }
case 0x14: /* IRQ_CTRL — end-of-service acknowledge */
case 0x84:
{
@@ -210,6 +275,7 @@ static void calypso_inth_reset(DeviceState *dev)
s->levels = 0;
s->mask = 0x00000000;
s->ith_v = 0;
+ s->fiq_v = 0;
s->irq_in_service = -1;
s->rr_start = 0;
memset(s->ilr, 0, sizeof(s->ilr));
diff --git a/include/hw/arm/calypso/calypso_inth.h b/include/hw/arm/calypso/calypso_inth.h
index fd9377f..027daa8 100644
--- a/include/hw/arm/calypso/calypso_inth.h
+++ b/include/hw/arm/calypso/calypso_inth.h
@@ -33,6 +33,9 @@ struct CalypsoINTHState {
uint16_t ilr[CALYPSO_INTH_NUM_IRQS];
uint16_t ith_v; /* Current highest-priority active IRQ number */
+ uint16_t fiq_v; /* Current highest-priority active FIQ number
+ * (separate channel from ith_v — see audit fix
+ * 2026-05-08 night in calypso_inth_update). */
int irq_in_service; /* IRQ being serviced (-1 = none). Set on IRQ_NUM read,
* cleared on IRQ_CTRL write. Prevents ith_v update
* so IRQ_CTRL acks the correct interrupt. */./DIAG_FOR_CLAUDE_WEB.md
DIAG — DSP CCCH demod blocker (2026-05-08, refresh from live run)
QEMU Calypso emulator. State after the 2026-05-08 hack purge.
Live run snapshot (this session)
Container trying (bastienbaranoff/free-bb:removed-hacks-broken) up, qemu-system-arm running, full osmocom chain alive, mobile launched. After ~580M DSP insn :
ARM side : fbsb hook fires repeatedly (task=5 FB0_SEARCH, fn=9520→9534…)
DSP side : RPTB tight loop, PC HIST dominated by e9ab,e9ac,e9ae,e9b0,
e9b2,e9b4,e9b6 (each ≈ 14286 hits / 100k window)
DMA ch0 : SRC=0x0000 PC=0xe9b6 — never armed
McBSP : sub[0x00]=0x0000 PC=0xe9b6 — feeds zero
NDB writes: d_spcx_rif=0, d_dsp_page=0 in loop, op[pc-2..pc+1]=b398 b3dc cb9a 4914
Counters : fb0_att=0 fb1_att=0 sb_att=0 (no FB detected ever)The e9ab..e9b6 block is the RPTB-awaits-INT3 loop already identified in project_session_20260508_diag_v2_findings.md. The DSP is parked there waiting for the frame ISR. ARM keeps publishing tasks ; DSP never picks them up because INT3/BRINT0 service path is still not delivering.
This matches project_session_20260508_pm_fbdet_split.md : PM is alive on the firmware side but never transitions to FB-det because the upstream IRQ rate is ~1.5 Hz instead of ~217 Hz. The force daram[0x62]=1 probe (CLAUDE.md NEXT) is the only way past one of those gates ; more gates sit downstream.
Bottom line : the new blocker is upstream of CCCH demod — it’s the DSP frame-interrupt wiring (INT3 / BRINT0). Until the DSP exits e9ab..e9b6 under its own steam (real ISR write to dispatcher flags in DARAM[0x60..0x70]), no DL bursts get demodulated regardless of what the bridge feeds.
What happened
The rsl_si_tap.py + /dev/shm/calypso_si.bin mmap + CALYPSO_BCCH_INJECT shortcut was removed entirely. It sniffed the BSC↔︎BTS RSL TCP stream, extracted BCCH SI bytes, and wrote them to a mmap that QEMU’s calypso_fbsb.c read on every DSP_TASK_ALLC to populate a_cd[] in NDB directly, bypassing the DSP CCCH demod.
That shortcut “worked” but had two problems: 1. mmap survived BTS death → mobile camped on stale cache even after the BTS process exited. The “DL works end-to-end” claim was off cached bytes, not live BTS broadcast. 2. It hid the real DSP demod failure. As long as the inject worked, no one had to fix the DSP CCCH demod path.
Now removed: - scripts/rsl_si_tap.py deleted - CALYPSO_BCCH_INJECT env + csi_* + ALLC-inject block in calypso_fbsb.c deleted - CALYPSO_SI_MMAP_PATH env deleted - run_si.sh no longer launches the tap and clears /dev/shm/calypso_si.bin at startup
Current state of the DL chain
osmo-bsc ← config source (cell_identity 888)
↓ RSL TCP (BCCH_INFO)
osmo-bts-trx ← encodes BCCH SIs into GSM bursts
↓ TRXD UDP 5702 ← real DL bursts (encoded GMSK soft-bits, 154 B each)
bridge.py ← UDP relay to QEMU BSP
↓ UDP 6702
QEMU BSP ← receives bursts, queues by FN
↓ DMA (PORTR PA=0x0034)
DSP CCCH demod ← ⚠️ DOES NOT CONVERGE on bridge-fed GMSK ⚠️
↓ a_cd[] in NDB ← never written
ARM L1 ← reads a_cd[], finds no valid LAPDm
↓ L1CTL_DATA_IND ← never sent
mobile L3 ← never receives SI → cell-search foreverEffect on the test
Mobile no longer camps : - mobile.log shows MM_EVENT_NO_CELL_FOUND repeatedly - No MON: ... CGI=001-01-1-888 line - No RR_EST_REQ because mobile never gets to MM_IDLE/Camped state - No RACH burst path exercised
UL chain (RACH/AGCH) cannot be tested as long as DL is broken.
What needs to be debugged next
The DSP CCCH demod on bridge-fed GMSK. Concretely :
Verify BSP receives the bursts : count how many DL bursts hit the BSP UDP socket per second. Should be ~8/frame × 217 frame/s ≈ 1730/s wall but at qfn rate (so half).
Verify BSP DMA queues them by FN match : the queue match window
BSP_FN_MATCH_WINDOWwas thrashed (4 → 1024 → 64) without calibration. Wall_fn from BTS vs qfn from QEMU diverge by thousands of frames once running, so a 64-frame window will reject everything. Histograms ofdelta_fn = bts_fn - qfnon burst arrival are needed.Verify DSP reads samples via PORTR PA=0x0034 : trace ARM-side DARAM writes when DSP polls BSP. Confirm I/Q samples reach the DSP memory.
DSP CCCH demod path itself : does the demod converge ? FIRE check on decoded LAPDm — does it pass ? The DSP ROM at 0x7000-0xDFFF handles CCCH demod ; opcodes are emulated by
c54x_exec_one. Suspect families : LD/STL on GMSK input buffer, channel-coding inverse, deinterleaver index table reads.
Other knobs still available
| Env | Effect |
|---|---|
CALYPSO_FBSB_SYNTH=1 |
Synth FB/SB publish (still env-gated, still useful for FB/SB phase). Doesn’t help CCCH which is the new blocker. |
CALYPSO_W1C_LATCH=1 |
W1C latch on a_sync_demod cells |
CALYPSO_NDB_D_RACH_OFFSET=0xNNN |
Override d_rach word index |
CALYPSO_RACH_FORCE_BSIC=N |
Force BSIC in RACH encoder |
BRIDGE_CLK_FROM_QEMU=0 (default) |
CLK IND wall-paced. Default safe. |
BRIDGE_UL_FN_REWRITE=slot (default) |
Slot-aware rewrite, not exercised since no LU is reached. |
Reproducer
cd /opt/GSM/qemu-src
unset CALYPSO_NDB_D_RACH_OFFSET CALYPSO_DSP_IDLE_RANGE CALYPSO_W1C_LATCH \
CALYPSO_UART_TRACE BRIDGE_CLK_PERIOD BRIDGE_UL_FN_REWRITE \
BRIDGE_CLK_FROM_QEMU
CALYPSO_FBSB_SYNTH=1 \
CALYPSO_DSP_FBDET_SKIP=1 CALYPSO_ICOUNT=off \
./run_si.shExpected mobile.log :
MM_EVENT_NO_CELL_FOUND (repeated)
Changing CCCH_MODE to 2 (repeated)
using DSC of 90 (repeated)NO MON: ... CGI=... line. That’s the new ground-truth state.
Files relevant to next work
| File | Why |
|---|---|
hw/arm/calypso/calypso_bsp.c |
DL receive (TRXD UDP) + DMA enqueue. BSP_FN_MATCH_WINDOW constant, calypso_bsp_dl_enqueue logic |
hw/arm/calypso/calypso_c54x.c |
DSP emulator, CCCH demod opcode execution |
hw/arm/calypso/calypso_trx.c |
BSP→DSP DMA tick, PORTR read |
bridge.py |
UDP relay (no parsing — pure transparent) |
Open structural concerns from earlier review (still valid)
calypso_c54x.c4000 lines monolithic switch with dead code, duplicate F4xx handler 700 lines apart- 3-way memory aliasing dsp->data ↔︎ api_ram ↔︎ MVPD reset path
- stderr writes in real-time DSP path can saturate host I/O
dsp_idle_fast_forwardcan mask new bugs (no ff_hits/cycles metric)BSP_FN_MATCH_WINDOW=64unjustified (no fn_delta histogram)gsm0503_rach_ext_encode(..., false)hard-codes 8-bit RACH- W1C latches without explicit memory barrier
calypso_uart.c::main_loop_wait(false)re-entry risk