EMB426 Windows CE Memory Architecture Steve Maillet CEO/Chief Software Architect EmbeddedFusion

Part I Architecture and concepts Virtual Memory Kernel Mode versus User Mode Statically mapped memory Process memory System API Calls Access Permissions

Virtual Memory Model Single 32-bit (4 Gigabyte) flat virtual memory address space Permits efficient use of physical memory with protection Virtual addresses translated to physical addresses by MMU A valid virtual address maps to a physical address Static or Dynamically mapped virtual addressing

Virtual Memory 2 GB User Space Slot 97: NK.EXE Reserved Statically Mapped Virtual Addresses: Un-Cached Statically Mapped Virtual Addresses: Cached Slot 0 – Current Process Slot 1 – XIP DLL code Slots Processes Slots Object Store and Memory-Mapped Files FFFF FFFF E C C C A FFF FFFF Total 4 GB Virtual Space 2 GB Kernel Space User Space Reserved Kernel Addresses: KPAGE, Trap Area, Others

Kernel Mode Versus User Mode ONLY Difference is access to different regions Kernel mode code has full access to all memory Process protection still applies! User Mode code only has access to User Space Kernel Space (0x – 0xFFFFFFFF) Used only by Kernel-mode code with privileged access (“Kmode”) SetKMode() protected API or ROMFLAGS Setting for ALL threads in the system User Space (0x – 0x7FFFFFFF) Organized as 64 slots of 32 MB (225 bytes) each Applications, DLLs and Data located here

Statically Mapped Memory 2 GB User 512 MB Uncached 512 MB Cached 32 MB Flash Physical Memory Virtual Memory A C MB RAM MB RAM 32 MB Flash 64 MB RAM FFFF FFFF Address Translation 32 MB Flash Kernel Space User Space

Statically Mapped Memory x86, ARM OEM provides OEMAddressTable in OAL to define initial mappings MIPS, SHx Mapping is fixed in the MMU architecture

Process Memory 01FF FFFF MB Process Space Free Virtual Space Slot 30 Slot 31 Slot Slot Current Process XIP ROM DLLs nk.exe filesys.exe shell.exe device.exe gwes.exe Resource DLLs Slot 2 Slot 3 Slot 4 Slot 5 Slot 1 Slot 0... Slot 97 C C A E C C E

System API Calls Application Win32 API Thunks Local Process Services PSL Process Switching filesys.exegwes.exedevice.exe Virtual Memory Process/Thread Exception Handling Scheduling Loader Synchronization Initialization Process Switching Memory-Mapped File Hardware Abstraction Memory Map Interrupts Bus Map Function Call Traps Process Interface DLL Interface Interrupt Handling OAL Heap Coredll.dll N.EXE Nk.lib services.exeshell.exe

System API Calls Coredll.dll Located at the top of every process slot Fields system API calls from user mode threads Implements some system API calls directly Causes an exception (trap) to pass on system API request Kernel Catches system API request exception traps Dispatches to a system EXE to fulfill request User mode thread migrated to system EXE process space Access rights of user mode thread inherits current process rights

System API Calling Mechanism User mode thread Win32 API Thunks Function Call Coredll.dll App.exe Kernel Trap Win32 API Dispatch Nk.exe Jump Function Code system EXE Return Call

Access Permissions Process Access Permissions Access permissions set on per-thread basis GetProcPermissions() / SetProcPermissions() Threads accessing other process slots require permission Violations cause exceptions reported to the Kernel Structured exception handling allows process to trap its faults

Access Permissions Resource DLLs and Memory-Mapped files Accessible by threads in all processes Shared Heaps Writable by threads in creating process Read Only by threads in other processes Object Store (Optional) Accessible only by kernel file system (filesys.exe)

Access Permissions System call process contexts GetCurrentProcess() Process context in which the current thread is running GetOwnerProcess() Original process that created the current thread GetCallerProcess Process that thread most recently migrated from MapCallerPtr() Adjusts a pointer to a specific process slot while validating caller has access to the data Typically maps a Slot 0 relative address to the owing processes slot so a driver can use it

Access Permissions Security Violation

Part II Build Configuration BIB Files BIB Memory Types ROMOFFSET Example System

BIB Files MEMORY section Defines the platform memory information Partitions the physical memory into Data memory and Program memory ;NameStart address Size (bytes)Type ; NK E00000 RAMIMAGE ; (30M) "ROM" RAM E00000 RAM ; (30M) ;NameStart address Size (bytes)Type ; NK E00000 RAMIMAGE ; (30M) "ROM" RAM E00000 RAM ; (30M)

BIB Memory Section Types TypeDescription RAMIMAGE OS Image (Read + Execute ONLY) MUST start on a 64K boundary! RAM RAM for OS to partition RESERVED Reserved region OS won’t use NANDIMAGE Used with BINFS to mark memory region for paging Files From NAND storage devices FIXUPVAR Used to set the value of a variable during image build time

BIB Files Indicate the modules and components that should be included in the image Text files with four types of sections The FILES section: Memory reservation for static data files ;NamePathMemory Type Tahoma.ttf $(_FLATRELEASEDIR)\Tahoma.ttf NK SHU ;NamePathMemory Type Tahoma.ttf $(_FLATRELEASEDIR)\Tahoma.ttf NK SHU Taskman.exe$(_FLATRELEASEDIR)\Taskman.exe NK  The MODULES section: Specifies object module to be loaded in memory

BIN File Format Header Block B0000F Start Address Image Length StartLengthChecksumData… 0 Starting IP 0 BIN Record(s) Terminating Record

ROMOFFSET ROMOFFSET is used to adjust the address of records in the Microsoft BIN file format Boot loader uses physical memory Boot loader copies image from flash to RAM Boot loader copies image from disk

ROMOFFSET ROMIMAGE pseudo code WriteBinRecord(UINT32 StartAddress, UINT32 RomOffset, UINT32 Length, UINT8* pData) { Write(StartAddress + RomOffset); Write(Length); UINT32 ChkSum = WriteBinData(pData, Length); Write(ChkSum); }

Example System ARM core CPU OEMAddressTable required 32M Ram at physical address 0x M Flash at physical address 0x M Block of “On-Chip” devices at physical address 0x

Static Mapped Memory Cached RAMIMAGE RAM... 0x x SDRAM 0x9FFFFFFF 0x9FF00000 On-Chip Devices

Static Mapped Memory Uncached RAMIMAGE RAM... 0xA xA SDRAM 0xBFFFFFFF 0xBFF00000 On-Chip Devices

OEMAddressTable Cached Address Physical Address Size (MB) Description 0x x RAM 0x9CD000000x FLASH 0x9FF000000x On Chip Devices 000 NULL Terminator

Summary Virtual memory central to Windows CE Configuration controlled by OEMs CONFIG.BIB Device developers need to understand and keep total system in mind when configuring their device images

While At MEDC 2005… Fill out an evaluation for this session Randomly selected instant WIN prizes! Randomly selected instant WIN prizes! Use real technology in a lab Instructor led Reef E/F & Breakers L Self-paced Reef B/C Self-paced Reef B/C Visit the Microsoft Product Pavilion in the Exhibit Hall Shorelines B in the Exhibit Hall Shorelines B

After The Conference… Develop Build InstallBuildJoin Install Enter Enter Join Full-featured trial versions of Windows CE and/or Windows XP Embedded Cool stuff & tell us about it: msdn.microsoft.com/embedded/community msdn.microsoft.com/embedded/community Windows Embedded Partner Program: Windows Mobile 5.0 Eval Kit including Visual Studio 2005 Beta 2 Mobile2Market Contest and win up to $25000: mobile2marketcontest.com mobile2marketcontest.com Microsoft Solutions Partner Program: partner.microsoft.com partner.microsoft.com

Tools & Resources msdn.microsoft.com/ embedded microsoft.public. windowsxp.embedded windowsce.platbuilder windowsce.platbuilder windowsce.embedded.vc windowsce.embedded.vc blogs.msdn.com/ mikehall Windows CE 5.0 Eval Kit Windows XP Embedded Eval Kit msdn.microsoft.com/ mobility microsoft.public. pocketpc.developer smartphone.developer dotnet.framework.compactframework blogs.msdn.com/ windowsmobile vsdteam netcfteam Windows Mobile 5.0 Eval Kit Websites Newsgroups Blogs Tools Build Develop

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.