Ce6 kernel Startup Process

Developers need to understand the CE system startup process. First, let's review how the system is built. Soft tool chain generate .exe and. DLL files. These files contain portable
Executable format, or PE format. Their structures are the same:

1. It is an extension of the common object file format.

2. Tables Imported and Exported

3. There is an entry point in the header, which is the place where execution starts.

 

The operating system is generated by the compiler. An exe(nk.exe) is not connected to any external library or DLL. When this file is executed, there is nothing in the system. EXE needs to have a known header (PE) to determine the program entry point. Therefore, the CPU knows where to start execution.

 

In addition, PE files can be arranged in order, so xip (execute in
Place ). This means that the data added to the file is placed in a virtual address, and the data in the address can be accessed and used by the program code without any change. For example, you can use the Microsoft linker
The core code file is placed in the virtual address 0x80000000. The program entry address will be placed in the EXE file. During execution, the address will be able to jump to the real code segment for execution. If the function foo is
In 0x80001000, foo calls the function bar, where the bar address is 0x80005000. A structure is saved in the code to call the address.
0x80005000. As shown in the following figure, the dotted line is the split line of the function code.

If the address of the kernel's exe file is changed, the bar function will also move. The call address of the foo function is incorrect. You need to point to the new address.

 

 

Is the kernel EXE file from 0x80000000 to 0x80050000, the call address in the foo function is incorrect.

 

After a process is loaded to a real address space, it modifies the actions of the EXE and DLL files, which are called -- correction. The normal EXE file allows the program to modify the address record. If it is not correct, the previous address is incorrect. So
Before the CE kernel EXE is loaded to a specific address, it will make address correction. Before the romimage program generates the system image file (NK. Bin), it will correct the kernel EXE and some DLL addresses.

 

Finally, we have to get a part of the system kernel, exe--nk.exe. This EXE has a program entry point like other EXE and DLL. Before execution
Bootloader puts the image file in the correct address. Next let's take a look at how bootloaderis in the image and find nk.exe and its entry point.

 

Nk.exe is the only part of the ce6 kernel and contains the oal and system startup template processes. The main part of this process is that all processes, threads, and memory of the operating system kernel are managed in
In kernel. dll. This dll is also a virtual address modified by romimage. This means there are at least two executable modules. We need to find the address and entry point to store them.
The endpoint address is in EXE and DLL, but how does one find EXE and DLL in the image.

 

The CE image has an important struct generated by romimage, called table
CONTENTS (TOC. TOC stores system pointers and data. There is a flag near the beginning of the image file, the content is Cece (0x45434543 ). Behind this sign
The TOC offset value is stored, so Bootloader and other programs can find the image information through TOC. This offset value defines a global pointer ptoc in oal to ensure
Storage, romimage can use this pointer to locate and fill in the content of TOC. During compilation, the ptoc variable of nk.exe is 0 xffffffff. When NK. Bin is produced
Wait, romimage will do the following:

1. initialize nk.exe, and then modify

2. Generate TOC content and find the place where the image file is stored with TOC

3. Find the ptoc pointer and confirm that it is directed to 0 xffffffff.

4. Run the ptoc pointer to the true TOC location.

 

When nk.exe starts running, you will know where to find TOC. Find other parts of the Image Based on the TOC.

 

Romimage obtains the address distribution of the system image through the bib file. Config. bib has two important parts: ramimage and ram. The following is an example:

NK
Zero X 80070000
Zero X 02000000
Ramimage
Ram
Zero X 82070000
0x01e7f000
Ram

 

This tells romimage how to do this. The system image address is 0x80070000, And the read/write memory address is 0x82070000. Based on this information, you can know where to load the module and run it, and then create the TOC content. To run the kernel, TOC also stores the ram information. Is placed in the memory kernel:

 

 

To run the operating system, you also need bootloader to do the following:

1. Place the image in the correct place in the memory

2. Find the Cece mark

3. Use the TOC pointer to find the TOC

4. In toc, find the nk.exe address.

5. Scan the EXE file and find the entry point (via PE)

6. Jump to the entry point address and start execution.

 

When nk.exe is running:

1. Create and enable virtual memory ing

2. Collect information required to run kernel. dll.

3. Use ptoc to find kernel. dll

4. Find the kernel. dll entry point.

5. Pass the collected information to the entry point of kernel. dll.

 

Different processors have different starting processes. The CPU of arm and x86 has different Virtual Memory Manager (MMU ). However, the general process is the same.

Before Running nk.exe, the system has the following conditions:

1. All caches are disabled.

2,
The ramimage and ram segments configured in config. bib are physically accessible and readable.

3. The virtual address is pre-determined.

4. Ram can be written without additional operations.

 

These are prerequisites for any system startup. The kernel runs independently and does not depend on the virtual memory configured by the bootloader before running. When the internal kernel runs, nk.exe is the first computing
The physical address in oemaddresstable. Oemaddresstable statically defines the ing between virtual addresses and physical addresses. Nk.exe:

1. Virtual Memory

2. Physical memory

3. Virtual Address Space of oemaddresstable

 

A simple formula is used to calculate the physical address of the kernel oemaddresstable:

NK: physicalbase + (NK: Virtual oemaddresstable-NK: Virtual
Base) è NK physical oemaddresstable

 

Oemaddresstable format:

<Region virtual
Start> <Region
Physical Start> <region size in
MB>

<Region virtual
Start> <Region
Physical Start> <region size in
MB>

...

With the information of the preceding table, nk.exe can use MMU to set the ing relationship of the virtual memory. The Virtual Memory uses the data in oemaddresstableand uses the data to make it effective. Then, nk.exe is converted to an executable virtual address.

 

Note that all modules in RAM have not been initialized. No matter how much data is initialized by Ram, the initialization data is also stored in the image file (data segment data ). Read/write data, required
You must copy the actual image data to ram before using the image. So how does nk.exe know where the data segment is located in the image? use TOC.

 

TOC not only lists the starting addresses of each module in the image, but also describes the Read and Write pointers of each module. Copying a system image to ram is called "copy ".
Entries. Before nk.exe accesses a read/write variable, copy
Entries to ram. The pointer ptoc must be valid. How can we ensure that ptoc is valid. Ptoc is a read-only variable. When an image file is created, romimage
Ptoc write. The media used to save ptoc is not Ram. You do not need to copy it to ram before using ptoc. Nk.exe has a function that copies all relevant information to ram, called
Kernelrelocate. This is a simple process. It just traverses the struct in a table and copies the virtual memory content. Only the variables of nk.exe are available after the upload is completed.
Can be normally accessed like other programs.

 

 

At this time, we have a program that can really work, as we mentioned before, can execute, call functions, read and write memory. This is not a thread, process, or any system object, but everything is put in a known place. It can be used when the system's high-end address starts to execute.

 

The virtual memory is very elastic. Ce retains some virtual address segments and only uses them for the system kernel. The virtual memory of 4 K pages is retained in the high-end address space above 0xfffe0000
. The kernel maps some physical addresses to these pages to save global dynamic data. Some of them are used for memory ing of MMU, and some are reserved for the stack for kernel state and interruption. The most important part is
Reserved as kernel
Data Page. Different page sizes are retained Based on the kernel version. Nk.exe can directly access and initialize these pages.

 

Three important data of nk.exe

1. ptoc backup

2. oemaddresstable address

3. oeminitgolbals function address

 

The first two items are stored in the kernel data
Page, any code knows the address of this page, you can find the system image content and the basic virtual ing relationship. The last piece of information is special. After nk.exe is used once, it is passed to kernel. dll. The placement method is as follows:

 

Now kernel data
The page is initialized, and the virtual memory is activated. You can jump to the Microsoft Kernel. dll portal. Remember, we can find the image's kernel. dll through TOC, and also find the entry of other modules. Nk.exe knows how to set the kernel
Data Page is stored in the virtual memory, but kernel. dll does not know its own running location. Therefore, we need
The virtual address of page is passed to the entry of kernel. dll.

 

After the redirection is complete, run the kernel code. The entry point obtains the kernel data.
Page address. Therefore, you can use TOC to obtain information about any system image. The kernel starts some preparation and critical section to ensure that it is a kernel data
The current unique user of the page.

 

Kernel. dll has a static function and data table. It is called nkglobals as a static data structure of the DLL during compilation. Because kernel. dll is
Romimage has been corrected and runs in a specific address. Therefore, the nkglobals pointer will be changed to the correct address during running. Among these function pointers, such
Setlasterror () and nkwvsprintfw (), which are directly called by the kernel. But the kernel does not know that these functions are actually in kernel. dll, and then the kernel will
The functions and data of this Part are actually in kernel. dll.

 

Kernel.dllpasses through oeminitglobalsand transmits the nkglobalsaddress back to nk.exe. The process is as follows:

 

 

As shown above, the oeminitglobals function saves a pointer to the omeglobals struct. This struct is the key to other functions of the kernel.
After the kernel. dll module is established, it can be run by any structure of the processor (such as x86 and arm ). Nk.exe extracts the special parts of these processors and provides them to the platform to ensure
System running (xcale or oamp, which is slightly different from arm ). The composition of omeglobals is similar to that of nkglobals and has the following members:

• Pfn_initdebugserial (), pfn_writedebugbyte (),
  Pfn_readdebugbyte ()
• Pfn_setrealtime (), pfn_getrealtime (), pfn_setalarmtime ()
• Pfn_ioctl ()

This refers to oemedia, for example, oeminitdebugserial in nk.exe.
And oemioctl. Many functions are listed here, So kernel. dll can know the function functions in a specific processor environment.

 

After oeminitglobals is complete,
Kernel. dll can be determined for the work environment in a specific environment. It can know the memory, how the memory is mapped, and the address of each module in the image. Nk.exe also has a pointer to obtain this information. Therefore, the two modules perform simple data interaction in a dynamic connection environment through handshaking.

 

Nk.exe and kernel. dll have done everything without processes, threads, and kernel services. In order for the system to continue running, three more tasks are required for kernel. dll:

1. processor-specific settings

2. processor local settings

3. Special platform settings

 

The specific settings of the processor are the specific processing setting functions called by kernel. dll. For example, the armsetup function is used on the ARM chip, and the x86setup function is used on x86. Although there are many codes for specific processor settings, no process is executed in a thread. Therefore, this operation has some restrictions:

1. It is difficult to set a page table and reserve the virtual memory for the kernel page table.

2. Root Cache Information in the page table

3. Refresh TLB

4. Configure the processor bus and coprocessor

In the setcode of the processor, you must set interlocked to enable nk.exe to call it. Even if it is in the early stage, Ce needs to perform synchronization between multiple threads.
. The most frequently used function is the interlocked function, which consists of Multiple Functional functions, including interlockedcompareexchange. The interlockedcompareexchange function process is as follows:

1. Read the local memory and set it to the Register (R1)

2. Compare the read value with other registers (R2)

3. Exit if the two registers (R1 and R2) have different values

4. Write another register value (r3) back to the original memory.

 

These four steps maintain synchronization between threads. However, these four steps may be interrupted. To ensure that the processor executes the function correctly, you must ensure that the operation can be performed between hardware and that the hardware interruption must be disabled. This leads to another problem. Because user-State processes do not have the permission to close the interrupt, it is inefficient to close the interrupt through the kernel every time synchronization between threads.

To improve efficiency, the entire system can run interlockedcompareexchange only in one place. The code for the four steps is put in the kernel
In a special location of Data page, nk.exe and kernel. dll (others can access the kernel data
PAG processes) can call the function, so all operations are executed in the same location. After this setting, the function needs to be executed from the beginning (meaning that even after the thread is switched, the function is not restored from the scene, but started from the beginning). Why?

 

First, let's look at the thread switching in the operating system:

1. The running thread has special operations (sleep, wait, etc)

2. When the time slice wheel of the thread is used up (the timer interrupt is used for Judgment), other threads start to run.

3. A thread with a high priority needs to start running.

 

The last two cases are the same. Thread switching is caused by interruptions. Because synchronization functions may be interrupted in steps 1-4, thread switching is triggered. This requires atomic operations when we execute functions.

To make operations in steps 1-4 atomic, a boundary check checks whether the CPU is executing the operation code in steps 1-4 each time an interruption occurs. If it is determined that the CPU is executed in step 1-4
. Then a running pointer will be reset to the position in step 1 of the function, so this operation can be performed again from the beginning. To enable the interrupt code to check whether the CPU is running in step 1-4
This code must be placed in the kernel
Data Page. When the interlocked function is put in the kernel data
After page, both nk.exe and kernel. dll can use it for multi-thread synchronization.

 

Back to the topic, the next step of kernel. dll execution is the local settings of the processor. The first step here is to set the kitl. dll tool for debugging the system kernel.

Kitl (kernel independent transport
Layer), is the way to communicate data between the device kernel and the desktop Pb. Usually, kitl is provided by the kernel for data encoding and transmission. BSP (Board
Support
Package) does not need to care about the data content between the device and the desktop PC, you only need to complete the correct data communication. The kitl communication carrier can be RS232 serial port, USB, Nic, and other serial devices.

 

Other operations on the processor's local settings, including

1. initialize the debug output (oemglobals) of the system kernel
Oeminitdebugserial function in the structure)

2. output the debugging string (Windows CE kernel version XXXX)

3. Select available configurations for the processor

After the processor is set locally, it is a special setting step of the platform. Because the oemand board-related code is stored in nk.exe. During initialization, the kernel is implemented through the oeminit function of oemglobals. Oeminit initializes the settings related to the Board and also starts kitl.

 

If kitlis included in nk.exe, nk.exe can access each other. If kitl is a DLL, the DLL will be loaded during kernel debugging in the processor local setup phase. In any form, the kernel uses oeminit to start kitl.

 

After oeminit is completed, the kernel starts to allow processes and threads to run. Then synchronize the cache. If it is not ready to run, it enters the processor service mode. Here we will do some operations, including:

1. enumerate valid memory (oemenumextensiondram)

2. initialize the critical section for the kernel

3. initialize the heap

4. initialize the structure of processes and threads

5. Other operations before Multithreading

 

After initialization of all threads, the kernel is ready to schedule the first thread. This thread is named systemstartupfunc in kernel. dll. To make the thread run
The core is set to no other thread switching. The first thread is a valid thread before the thread scheduling code is called. For thread scheduling, first check the valid thread and select the next running thread. At this time, the system only has one thread
The dynamic configuration is run, and other threads are switched one by one.

 

Systemstartupfunc can be executed after the cache is refreshed. To run the thread smoothly, you can also do the following:

1. initialize the system loader.

2. initialize the page pool

3. initialize the system logging

4. initialize the System Debugger

 

Systemstartupfunc uses the OEM function to complete initialization. In oemglobals, this function passes in oem_hal_postinit through oemioctl. In this case, nk.exe is completed, and the process and thread scheduling can be completed.

 

After exiting from oemioctl, systemstartupfunc will continue to initialize the message queue and watchdogs of the system, and then create the thread of power management and file system. Because
In this case, other high-end content of the operating system is being executed. The last step of systemstartupfunc will create other threads to execute runappsatstartup. This function will
Create the first user process.

 

So far, the kernel, power management, file system, and so on have been created and executed, the application is also ready to run, the system registry can also be used, and the system kernel has been started.

 

The above is the ce6 kernel boot process, and the ce5 startup process is very similar.

Http://blogs.msdn.com/ce_base/archive/2007/11/26/How-does-Windows-Embedded-CE-6.0-start_3F00_.aspx
Start_3f00 _. aspx