agent: add hi3520dv200 + HISFC350 SPI flash driver (#96)

## Summary

- Adds support for **hi3520dv200** (V1-era HiSilicon DVR/NVR SoC,
Cortex-A9, Macronix MX25L25635E 32 MiB NOR on CS1) to the bare-metal
flash agent.
- Introduces a **HISFC350** SPI flash driver (\`spi_flash_hisfc350.c\`)
selectable via \`SPI_DRIVER=hisfc350\` in the per-SoC Makefile stanza.
Default stays FMC100 for every other supported SoC.
- Fixes a long-standing **selfupdate cache-coherency bug** that affected
ARMv7-A in general (the trampoline copy never cleaned D-cache, so the BX
target read stale memory; survived on Cortex-A7 by coincidence,
deterministically broken on Cortex-A9).
- Bumps INFO response to v3 with a \`flash_mem\` field so the host stops
hardcoding \`0x14000000\` (hi3520dv200 has FLASH_MEM at \`0x58000000\`).

## What's new

| File | Change |
|---|---|
| \`agent/spi_flash_hisfc350.c\` (new) | NOR-only HISFC350 driver.
Probes both CS lines. EAR-based bank-switching for >16 MiB chips. |
| \`agent/main.c\` | INFO v3 (+\`flash_mem\`); cache-aware selfupdate +
trampoline; widened \`addr_readable\`/\`io_region\` for V1 peripheral
block. |
| \`agent/uart.c\` | Preserve bootrom IBRD/FBRD (works on chips where
bootrom UART runs off a slow reference); divisor-scaling \`set_baud\`;
bounded FIFO drain; IBRD safety check. |
| \`agent/Makefile\` | \`SPI_DRIVER\` selector; hi3520dv200 SoC stanza.
|
| \`agent/README.md\` | Update SoC table; document HISFC350 vs FMC100. |
| \`src/defib/agent/client.py\` | Parse \`flash_mem\` from INFO v3+;
expose \`client.flash_mem\`; add hi3520dv200 to \`chip_to_agent\`. |
| \`src/defib/cli/app.py\` | Use \`client.flash_mem\` instead of
hardcoded \`0x14000000\` in \`agent install\`, \`agent read\`,
flash-doctor. |

## Why HISFC350 instead of EN4B for 32 MiB chips

EN4B (true 4-byte mode, 0xB7) was tried first on the MX25L25635E. The
HISFC350's \`GLOBAL_CONFIG.ADDR_MODE_4B\` bit latched cleanly, but reads
at offsets ≥16 MiB returned a fixed repeating pattern instead of real
data — the chip never actually entered 4-byte mode, for reasons we
haven't figured out. Switching to **WREAR (0xC5) + EAR-banking** (3-byte
addressing with a 25th-bit selector) makes both halves accessible. The
vendor U-Boot driver \`hisfc350_spi_mx25l25635e.c\` follows the same
approach.

## Why selfupdate needed cache fixes

The old trampoline did a byte-copy then \`BX r3\`. On ARMv7-A with
write-back D-cache:
1. Byte writes go to D-cache, not memory.
2. I-fetch at the destination misses or hits stale lines.
3. Result: the BX jumps into garbage (or, when binaries happen to be
byte-identical, into the right code "by accident").

This worked on the existing Cortex-A7 boards because we rarely deployed
a binary with diverging early-startup bytes. On Cortex-A9 (hi3520dv200)
it broke deterministically. Fix:

- The trampoline now walks the destination range invalidating I-cache
and cleaning D-cache per line (DCCMVAU + ICIMVAU + DSB + ISB + BX).
- \`handle_selfupdate\` also cleans the trampoline location itself
before calling the function pointer — without this, the trampoline bytes
themselves are in D-cache and the I-fetch reads stale memory.

## Verified locally

- \`make -C agent test HOST_CC=gcc\` — 5406 / 5406 unit tests pass.
- \`uv run pytest tests/ -x -q --ignore=tests/fuzz\` — 490 pass.
- \`uv run ruff check src/ tests/\` — clean.
- \`uv run mypy src/defib/ --ignore-missing-imports\` — clean.
- All 10 supported SoCs build: hi3516ev300, hi3516ev200, gk7205v200,
gk7205v300, hi3516cv300, hi3516cv500, hi3518ev200, hi3516cv610,
hi3519v101, hi3520dv200.

## Verified on real hardware (hi3520dv200 on /dev/ttyUSB3, manual
power-cycle)

- Agent uploads via \`defib agent upload\`, sends READY, reports \`JEDEC
c22019 / 32768 KB / sector 64 KB / RAM 0x80000000 / FLASH_MEM 0x58000000
/ agent v3\`.
- Reads from the lower 16 MiB return real vendor U-Boot bytes; reads
from the upper 16 MiB return DIFFERENT real data (bank-switching works
end to end).
- Selfupdate verified end-to-end (no power-cycle needed for subsequent
agent updates).

## Known limitations / follow-ups

Tracked separately in [#97] (issue opened in this PR sequence). Briefly:

- High baud (\`set_baud\` >115200) is **rejected** by the IBRD safety
check on hi3520dv200 because the bootrom hands UART running off a ~2 MHz
reference. Vendor U-Boot \`board.c\` clears bit 13 of \`CRG+0xE4\` to
switch UART onto APB; we tried that but the resulting UART rate didn't
match any guess at the actual APB clock. Need to identify the real clock
empirically (probably needs a power-cycle relay so we can iterate
without manual intervention).
- Stock-firmware dump and write/erase tests deferred until high-baud
works (32 MiB at 115200 ≈ 54 min round-trip).

## Test plan

- [ ] On a power-cycle relay-equipped rig: run \`defib agent upload -c
hi3520dv200 -p \$PORT\`, confirm JEDEC + 32 MiB.
- [ ] Dump full 32 MiB to a file, verify CRC, store as stock-firmware
backup.
- [ ] Erase a known-empty sector (e.g. \`0xFE0000\`), verify it reads as
0xFF.
- [ ] Write a small known pattern, read back, verify CRC matches.
- [ ] Re-flash the original sector contents, verify chip is back to
stock.
- [ ] Test scan over the full 32 MiB.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Dmitry Ilyin <widgetii@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: widgetii

agent/.gitignore

@@ -1,3 +1,7 @@
 *.o
 *.elf
 *-padded.bin
+# Host-built unit-test binaries (built by `make test HOST_CC=gcc`).
+test_agent
+test_cobs_detail
+test_firmware_data

agent/Makefile

@@ -119,8 +119,39 @@ else ifeq ($(SOC),hi3519v101)
   WDT_BASE       = 0x12080000
   CRG_BASE       = 0x12010000
   SYSCTRL_REBOOT = 0x12020004
+else ifeq ($(SOC),hi3520dv200)
+  # V1-era DVR/NVR generation — Cortex-A9 single-core, 0x2xxxxxxx peripheral
+  # map, HISFC350 SPI controller (NOT the FMC100 used by V3+/V4+/V5/V6).
+  # UART_CLOCK = CFG_CLK_BUS / 2 (per vendor Linux mach-godarm/core.c
+  # uart_clk_init: busclk=396 MHz / 2 = 198 MHz). The bootrom hands us a
+  # UART running off a slow ~2 MHz reference (IBRD=1, FBRD=5), so uart_init
+  # must first clear UART_CKSEL bit 13 of CRG+0xE4 to switch UART to APB
+  # clock — only then can we hit baud rates above 115200.
+  # FLASH_MEM at 0x58000000 per vendor mach-godarm SPI_MEM_BASE;
+  # FMC_BASE at 0x10010000 (HISFC350 register block).
+  CPU_TYPE       = cortex-a9
+  UART_BASE      = 0x20080000
+  # The bootrom hands UART running off a slow ~2 MHz reference clock
+  # (IBRD=1 / FBRD=5 → 115200 baud). uart_init preserves those divisors
+  # so 115200 keeps working without any CRG poking. set_baud above
+  # 115200 cannot succeed at this clock (would need IBRD<1) and is
+  # rejected by the IBRD safety check. Switching to APB via vendor's
+  # `CRG+0xE4 bit 13` produced an unidentified clock rate that we
+  # couldn't decode at any standard baud — see GitHub issue tracking
+  # the high-baud TODO. UART_CLOCK is the vendor U-Boot value
+  # (CFG_CLK_BUS/4 per include/configs/hi3520d.h) but is unused while
+  # the bootrom-divisor preservation path is active.
+  UART_CLOCK     = 99000000
+  LOAD_ADDR      = 0x81000000
+  FLASH_MEM      = 0x58000000
+  FMC_BASE       = 0x10010000
+  RAM_BASE       = 0x80000000
+  WDT_BASE       = 0x20040000
+  CRG_BASE       = 0x20030000
+  SYSCTRL_REBOOT = 0x20050004
+  SPI_DRIVER     = hisfc350
 else
-  $(error Unknown SOC: $(SOC). Supported: hi3516ev300 hi3516ev200 gk7205v200 gk7205v300 hi3516cv300 hi3516cv500 hi3518ev200 hi3516cv610 hi3519v101)
+  $(error Unknown SOC: $(SOC). Supported: hi3516ev300 hi3516ev200 gk7205v200 gk7205v300 hi3516cv300 hi3516cv500 hi3518ev200 hi3516cv610 hi3519v101 hi3520dv200)
 endif
 
 # Per-SoC CPU. V3 chips (cv300) are ARM926EJ-S (ARMv5TEJ);
@@ -136,6 +167,7 @@ CFLAGS = -mcpu=$(CPU_TYPE) -marm -O2 -ffreestanding -nostdlib \
          -DUART_BASE=$(UART_BASE) -DUART_CLOCK=$(UART_CLOCK) $(CPU_FLAG) \
          -DFLASH_MEM=$(FLASH_MEM) -DFMC_BASE=$(FMC_BASE) -DRAM_BASE=$(RAM_BASE) -DWDT_BASE=$(WDT_BASE) \
          -DCRG_BASE=$(CRG_BASE) -DSYSCTRL_REBOOT=$(SYSCTRL_REBOOT) \
+         $(if $(UART_CKSEL_REG),-DUART_CKSEL_REG=$(UART_CKSEL_REG) -DUART_CKSEL_BIT=$(UART_CKSEL_BIT)) \
          -mno-unaligned-access -Wall -Wextra
 
 LDFLAGS = -nostdlib -T link.ld -Ttext=$(LOAD_ADDR) --defsym=LOAD_ADDR=$(LOAD_ADDR)
@@ -145,7 +177,17 @@ LDFLAGS = -nostdlib -T link.ld -Ttext=$(LOAD_ADDR) --defsym=LOAD_ADDR=$(LOAD_ADD
 # but linking it costs nothing.
 LIBGCC := $(shell $(CC) -mcpu=$(CPU_TYPE) -print-libgcc-file-name)
 
-SRCS_C = main.c uart.c protocol.c cobs.c spi_flash.c
+# SPI flash driver — default FMC100 (V3+/V4+/V5/V6 chips). V1-era chips
+# (hi3520dv200, hi3518ev100, hi3516cv100, hi3535) need HISFC350 instead.
+# Per-SoC stanza above sets SPI_DRIVER when needed.
+SPI_DRIVER ?= fmc100
+ifeq ($(SPI_DRIVER),fmc100)
+  SPI_FLASH_SRC = spi_flash.c
+else
+  SPI_FLASH_SRC = spi_flash_$(SPI_DRIVER).c
+endif
+
+SRCS_C = main.c uart.c protocol.c cobs.c $(SPI_FLASH_SRC)
 SRCS_S = startup.S
 OBJS = $(SRCS_S:.S=.o) $(SRCS_C:.c=.o)
 

agent/README.md

@@ -78,15 +78,30 @@ Requires `arm-none-eabi-gcc` (Arch: `pacman -S arm-none-eabi-gcc arm-none-eabi-n
 | hi3516cv500 | 0x12100000 | 0x14000000 | 0x80000000 | 0x81000000 |
 | hi3518ev200 | 0x12100000 | 0x14000000 | 0x80000000 | 0x81000000 |
 | hi3516cv610 | 0x11040000 | 0x14000000 | 0x40000000 | 0x41000000 |
+| hi3519v101 | 0x12100000 | 0x14000000 | 0x80000000 | 0x81000000 |
+| hi3520dv200 | 0x20080000 | 0x58000000 | 0x80000000 | 0x81000000 |
 
 Addresses from [qemu-hisilicon](https://github.com/OpenIPC/LoTool) hardware definitions.
 
+`hi3520dv200` is a V1-era DVR/NVR SoC: Cortex-A9 (single core), `0x2xxxxxxx`
+peripheral map, and a HISFC350 SPI flash controller (NOT the FMC100 used by
+all other supported SoCs). The HISFC350 driver lives in
+`spi_flash_hisfc350.c` and is selected via `SPI_DRIVER=hisfc350` in the
+per-SoC Makefile stanza.
+
 ## Agent Binary Details
 
-- **Size**: ~4 KB code + 1 KB CRC32 table = ~5 KB total
+- **Size**: ~4 KB code + 1 KB CRC32 table = ~5 KB total (HISFC350 build is
+  somewhat larger because of the bank-switching machinery)
 - **Runs bare-metal**: no OS, no U-Boot, no libc
-- **UART**: ARM PrimeCell PL011 (polled I/O, 115200 8N1)
-- **Flash**: HiSilicon FMC controller (memory-mapped read, register write/erase)
+- **UART**: ARM PrimeCell PL011 (polled I/O, 115200 8N1). On hi3520dv200 the
+  bootrom hands UART running off a slow ~2 MHz reference; we preserve those
+  divisors at startup so 115200 keeps working without any CRG poking.
+- **Flash**: HiSilicon FMC controller (default) — memory-mapped read,
+  register write/erase. V1-era chips (hi3520dv200) use the HISFC350
+  controller instead, with the same external API (`flash_read`,
+  `flash_erase_sector`, `flash_write_page`, ...) so `main.c` is
+  controller-agnostic.
 - **Protocol**: COBS framing + CRC-32 per packet
 
 ### Startup sequence

agent/main.c

@@ -100,18 +100,31 @@ static int addr_readable(uint32_t addr, uint32_t size) {
     /* RAM region: RAM_BASE to RAM_BASE + 128MB */
     if (addr >= RAM_BASE && (addr + size) <= (RAM_BASE + 128 * 1024 * 1024))
         return 1;
-    /* I/O register regions (CRG, FMC controller, system controller) */
+    /* I/O register regions — V3+/V4+ default whitelist. */
     if (addr >= 0x10000000 && (addr + size) <= 0x10001000) return 1; /* FMC regs */
     if (addr >= 0x12010000 && (addr + size) <= 0x12020000) return 1; /* CRG */
     if (addr >= 0x12020000 && (addr + size) <= 0x12030000) return 1; /* SYS_CTRL */
+    /* Per-SoC controller regions (FMC + CRG + UART) — covers V1-era
+     * chips where these don't sit in the default whitelist (e.g.
+     * hi3520dv200 has FMC at 0x10010000, CRG at 0x20030000, UART at
+     * 0x20080000). 4 KiB window per controller is enough for any
+     * HiSilicon SPI-flash controller. UART access is needed to
+     * verify what divisors the bootrom programmed. */
+    if (addr >= FMC_BASE  && (addr + size) <= (FMC_BASE  + 0x1000)) return 1;
+    if (addr >= CRG_BASE  && (addr + size) <= (CRG_BASE  + 0x1000)) return 1;
+    if (addr >= UART_BASE && (addr + size) <= (UART_BASE + 0x1000)) return 1;
     /* Flash memory-mapped window — only after flash_init succeeds */
     if (flash_readable && addr >= FLASH_MEM && (addr + size) <= (FLASH_MEM + 32 * 1024 * 1024))
         return 1;
     return 0;
 }
 
-/* Agent protocol version — increment on protocol changes */
-#define AGENT_VERSION       2
+/* Agent protocol version — increment on protocol changes.
+ *   v3 added: flash_mem at INFO bytes 24..27 (so the host knows which
+ *   memory-mapped flash window CMD_CRC32/CMD_READ should target on
+ *   SoCs where it isn't 0x14000000 — e.g. hi3520dv200 has it at
+ *   0x58000000). */
+#define AGENT_VERSION       3
 
 /* Capability flags — advertise supported features */
 #define CAP_FLASH_STREAM    (1 << 0)  /* CMD_FLASH_STREAM with double-buffer */
@@ -126,7 +139,7 @@ static int addr_readable(uint32_t addr, uint32_t size) {
                     CAP_SET_BAUD | CAP_REBOOT | CAP_SELFUPDATE | CAP_SCAN)
 
 static void handle_info(void) {
-    uint8_t resp[24];
+    uint8_t resp[28];
     /* JEDEC ID in first 4 bytes (3 bytes + padding) */
     resp[0] = flash_info.jedec_id[0];
     resp[1] = flash_info.jedec_id[1];
@@ -137,7 +150,8 @@ static void handle_info(void) {
     write_le32(&resp[12], flash_info.sector_size);  /* NOR=64K, NAND=128K */
     write_le32(&resp[16], AGENT_VERSION);
     write_le32(&resp[20], AGENT_CAPS);
-    proto_send(RSP_INFO, resp, 24);
+    write_le32(&resp[24], FLASH_MEM);
+    proto_send(RSP_INFO, resp, 28);
 }
 
 static void handle_read(const uint8_t *data, uint32_t len) {
@@ -153,8 +167,13 @@ static void handle_read(const uint8_t *data, uint32_t len) {
     }
 
     /* I/O registers require 32-bit word-aligned access (ldr not ldrb).
-     * RAM and flash can use byte access. */
-    int io_region = (addr >= 0x10000000 && addr < 0x13000000);
+     * RAM and flash can use byte access. Cover the V3+/V4+/V5/V6
+     * peripheral block (0x10000000..0x13000000) as well as the V1-era
+     * regions actually used by V1 SoCs (FMC, CRG, UART). */
+    int io_region = (addr >= 0x10000000 && addr < 0x13000000)
+                 || (addr >= FMC_BASE  && addr < FMC_BASE  + 0x1000)
+                 || (addr >= CRG_BASE  && addr < CRG_BASE  + 0x1000)
+                 || (addr >= UART_BASE && addr < UART_BASE + 0x1000);
 
     uint16_t seq = 0;
     uint32_t offset = 0;
@@ -693,19 +712,21 @@ static void handle_flash_stream(const uint8_t *data, uint32_t len) {
 
 /*
  * ARM32 position-independent trampoline (machine code).
- * Copies r2 bytes from r1 to r0, then branches to r0-r2 (original dst).
+ * Copies r2 bytes from r1 to r0, then branches to r0 (original dst).
  *
- *   mov r3, r0          @ save dst
- *   cmp r2, #0
- *   beq done
- * loop:
- *   ldrb r4, [r1], #1
- *   strb r4, [r0], #1
- *   subs r2, r2, #1
- *   bne loop
- * done:
- *   bx r3               @ jump to saved dst
+ * ARMv7-A variant additionally cleans D-cache and invalidates I-cache
+ * over the destination range before BX so the I-fetch unit pulls the
+ * just-written bytes from memory instead of stale lines from when the
+ * old agent occupied that address.  Without this, selfupdate either
+ * runs with stale instructions (silent crash, no UART) or — when both
+ * binaries happen to be byte-identical at the cached lines — works by
+ * coincidence.
+ *
+ * ARM926 (ARMv5TEJ) keeps the original short trampoline; if/when we
+ * actually exercise selfupdate on ARM926 boards we'll need the same
+ * treatment with V5 cache-op encodings.
  */
+#ifdef CPU_ARM926
 static const uint32_t trampoline_arm[] = {
     0xe1a03000,  /* mov  r3, r0       ; save dst  */
     0xe3520000,  /* cmp  r2, #0                    */
@@ -718,6 +739,36 @@ static const uint32_t trampoline_arm[] = {
     /* done: */
     0xe12fff13,  /* bx   r3           ; jump to dst */
 };
+#else
+/* ARMv7-A: copy + per-line DCCMVAU + ICIMVAU + DSB + ISB + BX.
+ * Source: agent/tramp_v7.S, assembled with arm-none-eabi-gcc -mcpu=cortex-a7.
+ * Walks the destination in 32-byte cache-line steps (smallest line size
+ * among supported ARMv7-A cores; over-walking is harmless). */
+static const uint32_t trampoline_arm[] = {
+    0xe1a03000,  /* mov  r3, r0           ; save dst                       */
+    0xe1a05002,  /* mov  r5, r2           ; save size                      */
+    0xe3520000,  /* cmp  r2, #0                                             */
+    0x0a000003,  /* beq  done                                               */
+    /* copy_loop: */
+    0xe4d14001,  /* ldrb r4, [r1], #1                                       */
+    0xe4c04001,  /* strb r4, [r0], #1                                       */
+    0xe2522001,  /* subs r2, r2, #1                                         */
+    0x1afffffb,  /* bne  copy_loop                                          */
+    /* done: */
+    0xe1a00003,  /* mov  r0, r3           ; restore dst start              */
+    0xe0836005,  /* add  r6, r3, r5       ; end = dst + size               */
+    0xe3c0001f,  /* bic  r0, r0, #31      ; round down to cache line       */
+    /* cache_loop: */
+    0xee070f3b,  /* mcr  p15, 0, r0, c7, c11, 1   ; DCCMVAU                */
+    0xee070f35,  /* mcr  p15, 0, r0, c7, c5, 1    ; ICIMVAU                */
+    0xe2800020,  /* add  r0, r0, #32                                        */
+    0xe1500006,  /* cmp  r0, r6                                             */
+    0xbafffffa,  /* blt  cache_loop                                         */
+    0xf57ff04f,  /* dsb  sy                                                 */
+    0xf57ff06f,  /* isb  sy                                                 */
+    0xe12fff13,  /* bx   r3                                                 */
+};
+#endif
 
 /*
  * CMD_SELFUPDATE: receive new agent binary, verify, copy and jump.
@@ -779,6 +830,27 @@ static void handle_selfupdate(const uint8_t *data, uint32_t len) {
     for (uint32_t i = 0; i < sizeof(trampoline_arm) / sizeof(uint32_t); i++)
         tramp_dst[i] = trampoline_arm[i];
 
+    /* CRITICAL: writes above land in D-cache. Without explicit cache
+     * maintenance the CPU's I-fetch at RAM_BASE+0x200 reads stale memory
+     * contents (whatever was there before — typically zeros) instead of
+     * the trampoline bytes, and execution branches into garbage.
+     * Clean D-cache for the trampoline range to push writes to memory,
+     * then invalidate the entire I-cache so new fetches hit memory. */
+#ifndef CPU_ARM926
+    {
+        uintptr_t start = (uintptr_t)tramp_dst & ~31u;
+        uintptr_t end = (uintptr_t)tramp_dst + sizeof(trampoline_arm);
+        for (uintptr_t a = start; a < end; a += 32) {
+            asm volatile("mcr p15, 0, %0, c7, c11, 1" :: "r"(a) : "memory");
+        }
+        asm volatile("dsb" ::: "memory");
+        asm volatile("mcr p15, 0, %0, c7, c5, 0" :: "r"(0) : "memory");  /* ICIALLU */
+        asm volatile("mcr p15, 0, %0, c7, c5, 6" :: "r"(0) : "memory");  /* BPIALL */
+        asm volatile("dsb" ::: "memory");
+        asm volatile("isb" ::: "memory");
+    }
+#endif
+
     void (*tramp)(uint32_t, uint32_t, uint32_t) =
         (void (*)(uint32_t, uint32_t, uint32_t))(void *)(RAM_BASE + 0x200);
     tramp(addr, staging, size);