Debug & Trace — CoreSight

• Every Cortex-M has the same debug & trace IP — CoreSight — so the same probe drives an STM32, Nordic nRF52, and NXP i.MX RT.
• The debug system is intrusive (halt, single-step, read memory) and non-intrusive (trace, watchpoints with hit counts, printf via ITM).
• On M0/M0+/M23 the footprint is minimal (8 HW breakpoints → 4 → 2, no ETM); on M7/M55/M85 it is a full-strength trace infrastructure.
• A debugger finds 80% of bugs; a tracer finds the remaining 20% — timing, race conditions, ISR interactions.

• SWJ-DP is a dual-role block that speaks either JTAG or SWD; the probe issues a magic sequence (0x79E7) on the TMS/SWDIO pin to switch modes.
• SWO (Serial Wire Output) is a one-way UART-style pin emitting ITM/TPIU packets at up to 200 Mbps UART or Manchester-encoded.

• Small bus master inside the SoC; accepts probe commands and performs memory/register reads/writes without halting the CPU.
• Two register banks:
  • DP — Debug Port. Selects an AP, manages auth, reports errors (CTRL/STAT).
  • AP — Access Port. One AHB-AP per bus master (typically: system bus + PPB). APB-AP for CoreSight components.
• Register model is memory-mapped over the probe transport — the probe issues 36-bit packets (8-bit header + 32-bit data + parity) on SWD.

/* Pseudo — probe interaction */
DP:SELECT   = AP 0, bank 0      ; pick AHB-AP
AP:CSW      = 0x23000002         ; 32-bit word, auto-inc
AP:TAR      = 0x20000000         ; target addr
AP:DRW      = read/write         ; data read or write
AP:TAR      auto-incs 4 bytes    ; burst reads follow

/* High-level: dump 1 KiB of SRAM without halting */

CMSIS-DAP and PyOCD expose this at a higher level.

• Debug State: CPU halted, pipeline frozen; GPRs and memory accessible via DAP.
• Enter via:
  • Halt request from probe (DHCSR.C_HALT).
  • Hit on a breakpoint / watchpoint.
  • Fault that escalates to DebugMon or HardFault while debug is enabled.
• Exit via DHCSR.C_HALT=0 (resume) or DHCSR.C_STEP=1 (single-step).
• Halting is allowed to keep peripherals running — the SoC optionally freezes timers & watchdog via a "debug freeze" register.

/* DHCSR — 0xE000EDF0
   Top half = 0xA05F key required on writes. */
#define DHCSR (*(volatile uint32_t*)0xE000EDF0)

/* Halt */ DHCSR = 0xA05F0003;     /* C_DEBUGEN | C_HALT */
/* Step */ DHCSR = 0xA05F000D;     /* + C_STEP + MASKINTS */
/* Run  */ DHCSR = 0xA05F0001;     /* C_DEBUGEN only */

• Sets hardware breakpoints by comparing PC to a small set of registers.
• Breakpoint slots per core:
  • Cortex-M0 / M1: 4
  • Cortex-M0+ / M23: 4
  • Cortex-M3 / M4 / M33: 6 or 8
  • Cortex-M7 / M85: 8
• Software breakpoints via BKPT #imm — unlimited, but require patching code in flash (fine on RAM-resident code).
• FPB "patch" mode (M3/M4 only) can substitute up to 2 fetched words — used for flash-remap tricks, deprecated on v8-M.

Watchpoints

• 4 comparators (M3/M4), up to 16 (M7+).
• Each matches on PC, address, value, or cycle count.
• Programmable mask for range matches.
• Triggers: halt, ITM event, ETM start/stop, counter.

Counters

• CYCCNT — 32-bit free-running cycle count (use it for timing measurements).
• CPICNT, EXCCNT, SLEEPCNT, LSUCNT, FOLDCNT — 8-bit saturating counters for CPI, exception overhead, sleep, load-store, folded instr.

/* Use DWT CYCCNT for profiling */
#define DWT_CTRL   (*(volatile uint32_t*)0xE0001000)
#define DWT_CYCCNT (*(volatile uint32_t*)0xE0001004)
#define DEMCR      (*(volatile uint32_t*)0xE000EDFC)

void dwt_init(void) {
    DEMCR    |= (1u << 24);   /* TRCENA */
    DWT_CYCCNT = 0;
    DWT_CTRL |= 1;            /* CYCCNTENA */
}

uint32_t cycles_elapsed(uint32_t start) {
    return DWT_CYCCNT - start;
}

Cycle-accurate profiling with a single 32-bit register. Every embedded engineer's best friend.

• 32 stimulus ports, each a 32-bit register at 0xE000_0000 .. 0xE000_007C.
• Writes form packets which are streamed out via SWO / TPIU at the CPU's pace.
• Zero-cost "printf": a handful of writes per character, no busy-wait, no blocking.
• Protocol also carries DWT events, timestamp packets, and PC-sampling packets at configurable rate.
• Host decoder (OpenOCD / JLink / Keil µVision) demultiplexes port 0 → console, port 1 → data log, etc.

/* Classic retargeted putc() */
#define ITM_STIM0 (*(volatile uint32_t*)0xE0000000)
#define ITM_TER   (*(volatile uint32_t*)0xE0000E00)
#define ITM_TCR   (*(volatile uint32_t*)0xE0000E80)

int _write(int fd, const void *buf, size_t len) {
    const char *s = buf;
    while (len--) {
        while (!(ITM_STIM0 & 1));   /* FIFO not full */
        *(volatile uint8_t *)&ITM_STIM0 = *s++;
    }
    return 0;
}

Each byte costs ~3 cycles. A 115 kbps UART costs ~700 cycles per byte by contrast.

DWT events over ITM

• Exception entry/exit packets (DWT_CTRL.EXCTRCENA).
• PC sampling — periodic PC snapshot for statistical profiling.
• Watchpoint-match events.
• Cycle-count timestamp packets.

• Optional block — on M4/M7/M33/M55/M85.
• Produces a compressed stream of branch packets: "I took this branch at this timestamp."
• Combined with the static code image, trace tools reconstruct the exact instruction sequence executed.
• Non-intrusive — CPU runs at full speed.
• Output over:
  • SWO pin — ~1–20 MB/s (same as ITM path).
  • TRACEDATA[0..3] pins — up to 200+ MB/s. Needs debug probe with parallel trace support (JLink Ultra+, Arm ULINKpro).

• TPIU (Trace Port Interface Unit) serialises the merged trace stream for export.
• Two output modes:
  • SWO (serial) — 1 pin at 1–200 Mbps; low-pin-count vendors prefer this.
  • Parallel — 1/2/4-bit TRACEDATA + TRACECLK pins. Higher bandwidth, dedicated pins.
• Pin muxing is SoC-specific: on STM32 MCUs, the same pins are candidate TRACEDATA but usually shared with GPIO. Board designs commit one way.
• SWO clock is usually derived from the CPU clock — prescaled by TPIU->ACPR.

• M0+ lacks ETM, but offers a small Micro Trace Buffer — last N branches stored in on-chip SRAM.
• Typical size: 512 B – 4 KiB of SRAM reserved at boot.
• Each "trace record" is 8 bytes: source PC + destination PC of one taken branch.
• After a HardFault, the MTB content is the cheapest possible "last 256 branches" history — extremely useful forensics.

/* Reserve 1 KiB of SRAM for MTB */
#define MTB_BASE      (*(volatile uint32_t*)0xF0002000)
#define MTB_FLOW      (*(volatile uint32_t*)0xF0002008)
#define MTB_MASTER    (*(volatile uint32_t*)0xF000200C)

static uint8_t __attribute__((aligned(1024))) mtb_buf[1024];

void mtb_init(void) {
    MTB_BASE   = (uint32_t)mtb_buf;
    MTB_MASTER = (1 << 31) |          /* EN */
                 (10);                  /* MASK → 2^10 wrap */
}

• At 0xE00F_F000 every Cortex-M has a ROM table — a list of pointers describing the debug components present.
• Probe enumerates by walking the table; fingerprints the SoC.
• Each component has a peripheral ID (ARM DDI 0314 CoreSight Architecture) — ITM = 0x001, DWT = 0x002, FPB = 0x003, etc.
• This is how CMSIS-DAP / pyOCD auto-detect which features the target supports without device-specific code.

• A pre-CoreSight convention: use BKPT #0xAB as a system call to the debugger.
• Debugger catches the breakpoint, inspects registers: R0 = syscall number, R1 = arg ptr.
• Provides SYS_OPEN, SYS_WRITE, SYS_READ, SYS_TIME, SYS_EXIT etc.
• Great for CI tests — firmware calls fopen("test.log","w") and the file lands on the host.
• Terrible for production: blocks CPU for ~200 kcycle per call; firmware hangs if no debugger is attached.

/* Typical use in test firmware */
static inline int semihost(int op, void *arg)
{
    register int r0 __asm("r0") = op;
    register void *r1 __asm("r1") = arg;
    __asm volatile (
        "bkpt 0xAB" : "+r"(r0) : "r"(r1) : "memory");
    return r0;
}

/* SYS_WRITE0 = 0x04, arg = null-term string */
semihost(0x04, "Hello from the chip\n");

• Pure-software alternative to ITM: a ring-buffer in SRAM that the debug probe polls over the DAP.
• No extra pins, no special hardware — works on every Cortex-M, even M0.
• Bi-directional: 8 up-channels and 8 down-channels.
• Measured throughput: ~1 MB/s on a JLink over SWD.
• "Fire-and-forget" log calls: ~10 cycles each, safe from any context including fault handlers.

Why lock it down?

• An attacker with SWD access can read firmware, extract keys, patch code.
• SWD is on by default; pads are routed to test points on almost every board.

How

• Readout Protection (RDP) — vendor-specific option byte; Level 2 permanently disables the DAP. STM32, NXP, Nordic all have this.
• DAP_AUTH challenge-response — newer SoCs (STM32U5, nRF54) require signed token from the probe.
• Secure-debug channel — in Armv8-M, DAUTHCTRL gates halting/debug per security state.

• v8-M cores add two per-state gates: Secure debug enable (SDE) and Non-Secure debug enable (NSDE).
• If SDE=0, the probe cannot halt the CPU while it is executing Secure code. Memory reads of S regions are RAZ/WI.
• This lets secure bootloader authors run RDP-like policies at the state boundary — useful for PSA attestation.
• Halt/step from NS code still works when NSDE=1, even if S is locked. Developers of NS app firmware can still debug without unlocking S.

• Always wire up SWD (2 pins) to a test header — even on the smallest product.
• Leave SWO available (one pin) unless the board is truly pin-starved.
• Use RTT from day one; ITM for pin-scarce builds; ETM only when needed.
• Keep a cycle-counted BSOD fault handler that dumps MSP/PSP, CFSR, HFSR, MMFAR, BFAR over RTT and the last MTB/ETM window over a predictable channel.
• Set up the watchdog to freeze on debug during dev, run always in production.
• Have a documented procedure to unlock RDP for returned units (or accept permanent lockdown).