Example of ESP32-C3 (rev. 3 and later) "direct boot" feature.
MIT License
Supported chips: ESP32-C3, ESP32-H2
This is an example of "direct boot" feature. It allows an application to be executed directly from flash, without using the 2nd stage bootloader.
ESP8266 and ESP32 series of chips share the common binary image format. This format describes how the binary image stored in flash should be loaded into IRAM/DRAM by the ROM bootloader. In typical applications, the ROM bootloader doesn't load the application binary directly. Instead, it loads the 2nd stage bootloader into RAM. The 2nd stage bootloader then loads the application: sections which should reside in RAM are copied from flash into RAM, and cache MMU is configured to map the remaining sections, which are accessed from flash.
Compared to other microcontrollers, where the program in flash is executed directly without the need for additional stages of bootloaders, this arrangement does add complexity. However, it should be noted that in most production applications the 2nd stage bootloader is required to support firmware update, rollback, and security features. Because of this, the 2nd stage bootloader is used in ESP-IDF, despite the extra complexity.
Chips, supported in this example (for example, ESP32-C3, starting from silicon revision 3) allow an application stored in flash to be executed directly, without being copied into RAM. This makes it possible to link an application with a relatively simple linker script, and produce the binary using objcopy
command, then flash the resulting binary to the target chip.
Direct boot feature is activated under the following conditions:
EFUSE_DIS_LEGACY_SPI_BOOT
eFuse bit.1d 04 db ae 1d 04 db ae
— that is a "magic number" 0xaedb041d repeated twice.In this case, the ROM bootloader sets up Flash MMU to map all amount of Flash then jumps to address Flash address + 8
, i.e. to the instruction at offset 8 in flash, immediately after the magic numbers.
For example, the ROM bootloader of ESP32-C3 sets up Flash MMU to map 4 MB of Flash to addresses 0x42000000 (for code execution) and 0x3C000000 (for read-only data access).
The application entry function needs to:
main
functionThe _start
function provided by newlib C library performs all these steps, except for the .data section initialization.
Direct boot feature is provided primarily to simplify the initial porting process of new languages, frameworks, and execution environments.
Use it if all of the below are true:
This feature can also be useful in an educational context to "hide" the added complexity of chip Flash MMU and cache configuration.
If the entire application code is small enough to fit into RAM, then the direct boot feature is not required. Instead, the ELF file can be loaded into the chip using one of the following methods:
load
command, over JTAG.esptool.py load_ram
command, over UART.esptool.py elf2image
and then writing the binary into flash.This example contains the following parts:
_write
syscall.Download and install riscv-none-elf-gcc
toolchain, for example from the xPack project.
This example has been built and tested with toolchain release 12.2.0-3
.
Make sure the toolchain is added to your PATH
.
A different RISC-V toolchain can also be used, in this case you need to adjust toolchain-rv32.cmake.
This example uses CMake. Make sure that CMake and your build system of choice (e.g., Ninja or GNU Make) are also added to your PATH
.
To flash binaries into the chip, esptool.py is used.
If you have Python and pip installed, you can install esptool using:
pip install --user esptool
Windows users may alternatively download a pre-built executable from the releases page. These executables don't require Python to be installed.
See README.md files in example directories for instructions:
To debug the examples using JTAG and GDB, follow these steps:
PATH
blink
), then launch GDB like this:
riscv-none-elf-gdb -x gdbinit build/blink
This will use the provided gdbinit file to:
gdbinit
file if you need to change OpenOCD launch configuration or select another target chip. You can also launch OpenOCD manually, in that case use target extended-remote :3333
in gdbinit
.main
The sections shown in blue on the left are parts of the flash image.
ROM bootloader maps the 0 – 4 MB region of flash to the CPU address space twice: to the "DROM" region using the data cache, and to the "IROM" region using the instruction cache.
As it is obvious from the diagram, some parts of this mapping are unnecessary. These parts are shown in gray on the right. For example, .text
section gets mapped not only to the IROM, but also to DROM, even though code execution only happens through IROM.
Such uniform mapping was chosen simply because it is universal, and can be set up by the ROM code without any prior knowledge about the application being loaded. This mapping isn't in any way a limitation of ESP32-C3 cache hardware; for example, ESP-IDF 2nd stage bootloader maps only those regions which are necessary in the given part of the address space.
The run-time memory layout and flash binary image layout shown above are achieved in the linker script (ld/esp32c3/common.ld) by specifying the LMAs (load addresses). LMAs start at 0, and match the addresses in flash. VMAs for IROM (entry
and .text
) and DROM (.rodata
) sections are set in such a way that LMA == VMA - BASE, where BASE is the starting address of IROM or DROM. Non-cached .data
section is then added at the next available LMA.
ROM bootloader maps the 0 – 4 MB region of flash to the CPU address space using the cache and the Flash MMU.
The memory layout can be found in liker script (ld/esp32h2/memory.ld).
The run-time memory layout and flash binary image layout shown above are achieved in the linker script (ld/esp32h2/common.ld) by specifying the LMAs (load addresses). LMAs start at 0, and match the addresses in flash. VMAs for ROM (entry
, .text
and .rodata
) section is set in such a way that LMA == VMA - BASE, where BASE is the starting address of ROM. Non-cached .data
section is then added at the next available LMA.