Supported chips: ESP32-C3, ESP32-H2
This is an example of "direct boot" feature. It allows an application to be executed directly from flash, without using the 2nd stage bootloader.
ESP8266 and ESP32 series of chips share the common binary image format. This format describes how the binary image stored in flash should be loaded into IRAM/DRAM by the ROM bootloader. In typical applications, the ROM bootloader doesn't load the application binary directly. Instead, it loads the 2nd stage bootloader into RAM. The 2nd stage bootloader then loads the application: sections which should reside in RAM are copied from flash into RAM, and cache MMU is configured to map the remaining sections, which are accessed from flash.
Compared to other microcontrollers, where the program in flash is executed directly without the need for additional stages of bootloaders, this arrangement does add complexity. However, it should be noted that in most production applications the 2nd stage bootloader is required to support firmware update, rollback, and security features. Because of this, the 2nd stage bootloader is used in ESP-IDF, despite the extra complexity.
Chips, supported in this example (for example, ESP32-C3, starting from silicon revision 3) allow an application stored in flash to be executed directly, without being copied into RAM. This makes it possible to link an application with a relatively simple linker script, and produce the binary using objcopy
command, then flash the resulting binary to the target chip.
Direct boot feature is activated under the following conditions:
- Secure boot is disabled.
- Direct boot feature is not disabled via
EFUSE_DIS_LEGACY_SPI_BOOT
eFuse bit. - The ROM bootloader doesn't detect a valid binary image in the usual format
- The first 8 bytes in flash are
1d 04 db ae 1d 04 db ae
— that is a "magic number" 0xaedb041d repeated twice.
In this case, the ROM bootloader sets up Flash MMU to map all amount of Flash then jumps to address Flash address + 8
, i.e. to the instruction at offset 8 in flash, immediately after the magic numbers.
For example, the ROM bootloader of ESP32-C3 sets up Flash MMU to map 4 MB of Flash to addresses 0x42000000 (for code execution) and 0x3C000000 (for read-only data access).
The application entry function needs to:
- set up global pointer register
- set up stack pointer register
- zero-initialize the .bss section
- initialize the .data section, copying it from ROM
- write the vector table address to the MTVEC register (optional)
- call C library initialization (optional)
- call the
main
function
The _start
function provided by newlib C library performs all these steps, except for the .data section initialization.
Direct boot feature is provided primarily to simplify the initial porting process of new languages, frameworks, and execution environments.
Use it if all of the below are true:
- ESP-IDF environment can't be used.
- The code doesn't fit into RAM, therefore execution from flash is required.
- Dependency on the ESP-specific binary image format or the ESP-IDF 2nd stage bootloader is undesirable.
This feature can also be useful in an educational context to "hide" the added complexity of chip Flash MMU and cache configuration.
If the entire application code is small enough to fit into RAM, then the direct boot feature is not required. Instead, the ELF file can be loaded into the chip using one of the following methods:
- With GDB
load
command, over JTAG. - With
esptool.py load_ram
command, over UART. - By converting the ELF file to binary using
esptool.py elf2image
and then writing the binary into flash.
This example contains the following parts:
- common/ directory with the application entrypoint, placeholder for the vector table, and a simple implementation of
_write
syscall. - examples/blink/ directory with an example project which blinks an LED.
- examples/hello_world/ directory with the minimal example project which prints "Hello, world!" to the UART.
- img/ directory with *.svg format diagrams which illustrate the run-time memory layout and binary image layout when direct boot is used.
- ld/ directory with the linker scripts.
Download and install riscv-none-elf-gcc
toolchain, for example from the xPack project.
This example has been built and tested with toolchain release 12.2.0-3
.
Make sure the toolchain is added to your PATH
.
A different RISC-V toolchain can also be used, in this case you need to adjust toolchain-rv32.cmake.
This example uses CMake. Make sure that CMake and your build system of choice (e.g., Ninja or GNU Make) are also added to your PATH
.
To flash binaries into the chip, esptool.py is used.
If you have Python and pip installed, you can install esptool using:
pip install --user esptool
Windows users may alternatively download a pre-built executable from the releases page. These executables don't require Python to be installed.
See README.md files in example directories for instructions:
To debug the examples using JTAG and GDB, follow these steps:
- Install OpenOCD from https://github.com/espressif/openocd-esp32/releases. (At the time of writing, the upstream version of OpenOCD includes Espressif Xtensa-based chips, but not RISC-V ones, yet.)
- Add openocd to
PATH
- Build one of the examples (for instance,
blink
), then launch GDB like this:This will use the provided gdbinit file to:riscv-none-elf-gdb -x gdbinit build/blink
- Launch OpenOCD in pipe mode. Adjust the
gdbinit
file if you need to change OpenOCD launch configuration or select another target chip. You can also launch OpenOCD manually, in that case usetarget extended-remote :3333
ingdbinit
. - Flash the program over JTAG
- Reset the target
- Set a temporary breakpoint at
main
- Run until the breakpoint
- Launch OpenOCD in pipe mode. Adjust the
- Now you can use GDB commands to step through the code as usual.
The sections shown in blue on the left are parts of the flash image.
ROM bootloader maps the 0 – 4 MB region of flash to the CPU address space twice: to the "DROM" region using the data cache, and to the "IROM" region using the instruction cache.
As it is obvious from the diagram, some parts of this mapping are unnecessary. These parts are shown in gray on the right. For example, .text
section gets mapped not only to the IROM, but also to DROM, even though code execution only happens through IROM.
Such uniform mapping was chosen simply because it is universal, and can be set up by the ROM code without any prior knowledge about the application being loaded. This mapping isn't in any way a limitation of ESP32-C3 cache hardware; for example, ESP-IDF 2nd stage bootloader maps only those regions which are necessary in the given part of the address space.
The run-time memory layout and flash binary image layout shown above are achieved in the linker script (ld/esp32c3/common.ld) by specifying the LMAs (load addresses). LMAs start at 0, and match the addresses in flash. VMAs for IROM (entry
and .text
) and DROM (.rodata
) sections are set in such a way that LMA == VMA - BASE, where BASE is the starting address of IROM or DROM. Non-cached .data
section is then added at the next available LMA.
ROM bootloader maps the 0 – 4 MB region of flash to the CPU address space using the cache and the Flash MMU.
The memory layout can be found in liker script (ld/esp32h2/memory.ld).
The run-time memory layout and flash binary image layout shown above are achieved in the linker script (ld/esp32h2/common.ld) by specifying the LMAs (load addresses). LMAs start at 0, and match the addresses in flash. VMAs for ROM (entry
, .text
and .rodata
) section is set in such a way that LMA == VMA - BASE, where BASE is the starting address of ROM. Non-cached .data
section is then added at the next available LMA.