Transmeta TMS5xxx Reverse Engineered

Richard W.M. Jones writes "This fascinating article, published anonymously, dissects the Transmeta TMS5xxx architecture, revealing how to access and modify the code-morphing code, how the instruction set works, and tells why you won't be able to run Linux directly on this chip."

Not interesting anymore

[AKnightCowboy]

Transmeta had a chance to do something interesting and amazing but it really has turned out to be a huge disappointment. They can't even get their processors into mainstream laptops and the power savings these days is negligible compared to modern day Intel stuff like the Centrino or P4-M. They should've went the route Via is taking and produce low-power, cool running processors in the mini-ITX form factor motherboards. Via's EPIA line is very nice, but they're starting to slip with some of the modern faster versions that have added fans onto the heatsink. Where are the modern fanless low power fast processors?

Re:Not interesting anymore

[NotoriousQ]

Well, do not give up yet. While it may be impossible to run programs in the underlying architecture, nothing says that you can not place a different translation code.

I am still waiting for the day when I will be able to run linux/ppc on my transmeta. (Or perhaps even cooler...being able to switch on demand!)

Imagine...

[ihtagik]

a beowulf cluster of these...

Wait, you can't run Linux on these...directly.

(That comment was sooo 2001)

But on a more serious note, the Transmeta chips would have been pretty interesting from a clustering standpoint due to their low power consumption and heat dissipation. It is sad that they can't run Linux directly.

what was he THINKING?

[bluethundr]

and tells why you won't be able to run Linux directly on this chip."

....Oh! The Irony!

Re:what was he THINKING?

[LWATCDR]

Actually the artical says that you can not run ANY os "Native" on this chip. Linux will run just fine using the same X/86 Code morphing system that runs windows.
What I wonder is could you come up with a more morphing friendly ISA than X86? What about then 68040 ISA? How would that work? ARM maybe?
Even if it is less than practical These chips could be good tools for playing around with new ISAs.

Re:what was he THINKING?

[mystran]

Indeed, I've been thinkingn about this even before the article. If the internal model is RISC, why not build a almost similar RISC ISA on top of it, with just the protection stuff and such added. The closer you can bring the emulated ISA to the underlying ISA, the more you should be able to benefit.

Looking at the article, it doesn't look like x86 was the optimum ISA to emulate. On the other hand, Linus has made some comments on how x86 ISA could actually benefit from having variable-length opcodes since more code fits into cache, so it's hard to say what kind of ISA would actually be most efficient.

Re:what was he THINKING?

[addaon]

The thing is, if you're giving up x86 compatibility, there's no reason morphing is needed. ARM and PPC run fine without morphing; in modern sparc and mips, maybe you'd want to magic away the delay slots, but they don't really hurt anything... only the baroque CISC architectures gain any significant advantage (even in theory) from morphing.

Re:what was he THINKING?

[LWATCDR]

" The thing is, if you're giving up x86 compatibility,"

Not really. IBM uses something like code morphing for there AS/400 midrange computers. The AS/400 replaced the model 38. The model 38 used an "idealized" instruction set. The model38 used a huge CISC cpu, The AS/400 was based on PPC yet the can run Model 38 software.
Code morphing allows a yet another layer of abstraction.
There are other old ISA besides Intels that could continue to live a productive life buy running on code morphing cpus. The 680XX where great chips to program for but there are no 10Ghz 68060s around Code morphing to the rescue.
Now about a single chip low power VAX?
Single chip embeded IBM 390 anyone?
There are lots of old embeded systems that used to run on things like the PDP and VAX that could get a new lease on life with a code morphing CPU.
And of course just to be a little scary. Java Bytecode anyone?
And to be REALLY SCARY!!! Native .net cpus!

Re:what was he THINKING?

[addaon]

Except that all the cisc chips you mention can be easily emulated (and some can be simulated effectively!) on any modern risc or cisc chip. Java bytecode runs just fine on custom hardware, but isn't too well suited for morphing; if you're running on hardware, you might as well use a real stack machine. x86 is the only cisc instruction set that's within a factor of ten or so of the performance of the leading processors (actually, it's within a factor of one).

Re:what was he THINKING?

[Mattsson]

Of course there is, if the transmeta-cpu is less powerhungry than the ppc/mc680x0/arm-cpu it's emulating.
And it would be really cool to have a cpu that could *change* while running, so that you could be running MacOSX on PPC-emulation and start x86-programs that runs x86-emulation.
Even if it would take a reboot to change architecture and then boot into a different os, it would be really cool. =)
I would love to have a machine capable of running IRIX, WinXP, MacOSX, Mac classic just by rebooting.
Of course, it would be hell to design a mainboard that could handle this even if the cpu could. =/
You'd need more or less one complete system per architecture, only sharing the cpu and some basic hardware. =/

Re:what was he THINKING?

You might be interested to know about the Dynamo research project at HP a couple of years ago. They created a dynamic binary recompiler that translates from PA-RISC to PA-RISC. Dynamo is thus essentially a "code morpher" that reads in PA-RISC machine code, optimizes it more or less depending on its profiling data, and outputs the result as PA-RISC machine code. The astonishing thing is that the Dynamo project demonstrated noticeable speed improvements over the original code, including the overhead of the binary recompiler! The basic explanation was that they were able to optimize over boundaries that normal compilers cannot, for example by inlining calls to shared libraries. Unfortunately the project is over, and I'm not sure their web pages are up any more. If you are interested, at least their academic publications would still be found in your nearest university library, if nowhere else.

TMTA, IBM research, and gcc/binutils

[aurum42]

Several interesting questions raised by the article:

The author asserts that transmetas CMS and microprocessors bear striking similarities to an IBM research project named DAISY. I quote:

While I will not give a full analysis here, it appears that much of Transmeta's work was actually invented by IBM Research in the early 1990s. IBM's Daisy (Dynamically Architected Instruction Set from Yorktown) project [6] is essentially CMS for the PowerPC architecture, and uses a strikingly similar design and implementation, including: * Designing the morph host microarchitecture with the same semantics as the target instruction set (in IBM's case, PowerPC rather than x86) * Translated page cache, using a T-bit buffer to track which user pages are dirty and need re-translation * Explicit memory alias handling, using protected loads and checked stores * Extensive profiling logic to aid in further optimization * Handling of speculatively reordered loads and stores to I/O space

I wonder if this was just a question of similar approaches to similar problems, movement of engineers from IBM research to TMTA or something else.

He also states that CMS appears to have been compiled with a hacked up version of gcc and binutils. Isn't failure to release modifications to GPLed code against the license, or am I missing something? I doubt transmeta would've failed to foresee that, so perhaps they're using a different toolchain. Very interesting, all in all!

Re:TMTA, IBM research, and gcc/binutils

[Richard+W.M.+Jones]

He also states that CMS appears to have been compiled with a hacked up version of gcc and binutils. Isn't failure to release modifications to GPLed code against the license, or am I missing something?

No, not unless they started distributing the binary of the modified gcc outside transmeta.

Rich.

Re:TMTA, IBM research, and gcc/binutils

[theCoder]

Isn't failure to release modifications to GPLed code against the license, or am I missing something?

Not in this case because Transmeta isn't distributing their hacked up version of gcc. Sure, if they started distributing that version of gcc, they'd have to make the code available. The GPL only requires that you give code (actually just offer to give code) to the people you distribute the binary to. Just because a tool (like gcc) is GPL doesn't mean the output of that tool must be GPL. Otherwise, no one could use gcc to compile proprietary code, and as much as we all like Free software, that would be bad in the end.

How long...

[Dave9876]

until someone comes out with a code morphing solution that turns the crusoe into a sparc/alpha/(insert favourite processor here).

So what if the rest of the hardware will be peecee, it'd still be some fun.

Re:How long...

[Richard+W.M.+Jones]

until someone comes out with a code morphing solution that turns the crusoe into a sparc/alpha/(insert favourite processor here).

It's likely to be quite hard. Firstly you've got to work out how to do code morphing. Remember it took Transmeta 2 years or so to develop the hardware and software.

Secondly, and more importantly, the TMS5xxx has an architecture which is very closely tied to the x86 architecture. eg - there is a common mapping of registers, and certain instructions in TMS are designed to make it easy to run specifically x86 code. Consider how hard it would be to run 64 bit big endian[1] code, for instance, on a processor designed primarily to run 32 bit little endian code. That's only the start of your problems ...

There are some quite interesting applications if this could be done ... eg: perhaps have multiple architecture OSes running at the same time? Have multiple processes running in a single OS which were compiled for different architectures?

Rich.

[1] Hope I got my endianness the right way round ...

Re:How long...

[TheRealMindChild]

It ends up being not as beneficial as you first think.

Think about it... who makes motherboards for these things? Only one or two people for one or two products. You cant just make it, say, an ultrasparc and expect all of the peripherals to work... especially with a PC bios.

Re:How long...

Some chips (my brain tells me the PPC is this way) have a pin that lets you set whether it's to be big or little endian. If the code morphing were to be figured out, it shouldn't be hard to get this chip to emulate whatever chip you want.

Are *you* experienced?

[DrSkwid]

Fortunately for Transmeta and its end users, this backdoor is difficult to exploit without the consent of the user, since it does require both x86 kernel level access and in some cases physical access to the machine. However, if you are experienced enough to be reading this, such limitations are unlikely to be a problem.

Ah, someone who still believes in the /. readership :)

Re:Are *you* experienced?

[geggibus]

/.ers don't read articles! ;)

-K

And you thought Bluetooth was risky?!

[DrSkwid]

Cripes, your laptop broadcasts the whole frikkin pipeline!

Write: Write results back to GPRs or store buffer

Linux on a Transmeta

[Gleef]

OK, you might not be able to port Linux to run directly the bare hardware, but what about porting a simpler, more streamlined, processor emulation to run on the bare hardware, preferably one that Linux has already been ported to. Maybe a Crusoe emulating MIPS running Linux might be a more efficient proposition than a Crusoe emulating IA-32 running Linux. Or perhaps Crusoe->ARM->Linux.

Re:Linux on a Transmeta

[jmv]

Then you have to rewrite the whole translation system. I'd guess it's a *huge* job. At least if you want the resulting CPU to run faster than an x86 (that has been optimized by the Transmeta engineers).

So someone tell me...

[FooAtWFU]

What is this chip and who uses it? =/

None shall pass!

[alexjohns]

"...and tells why you won't be able to run Linux directly on this chip."

A whole bunch of kernel hackers just got slapped across the face with a silk glove, I do believe.

Re:None shall pass!

[Carnildo]

The article makes it pretty clear why Linux can't run directly on the Crusoe: Linux expects the hardware to have a virtual memory manager, which the Crusoe doesn't have. Consequently, any port of Linux will need to be running on an emulated memory manager.

As a side note, the Crusoe is also missing native support for certain other helpful features:
*Memory protection -- without that, a segfault can take out the entire OS.
*Running code from user memory -- without this, any application code will need to be piped through the OS to the CPU.

Re:None shall pass!

[alexjohns]

Yes, I read the article. Doesn't mean those things can't be hacked into the kernel. If they can modify it to run on the X-box, they can hack it on to a Crusoe too.

Re:None shall pass!

How can you have a 5 digit UID, and yet be so fucking stupid? Linux already fucking runs on the Crusoe ... they're talking about running it without the x86 translation software. Jesus!

Re:None shall pass!

Isn't the Xbox just a PIII?

Re:None shall pass!

How do you know he isn't talking about "running it without the x86 translation software. Jesus!"

Re:None shall pass!

There is a big fucking difference between trying to hack the kernel to run on an architecture which is known to be 100% impossible to run any kind of OS natively, ever, and running Linux on a whored up Pentium 3.

It needs to be said: Read The Fucking Article

Troll, troll, troll your boat!

[Inoshiro]

"Where are the modern fanless low power fast processors?"
Why, they're in Transmeta-powered laptops.

An x86 laptop like Toshiba makes gets about 1.5 - 2 hours of battery life. 3 if you only use things like Word, which let Speedstep and the like kick in. A 17" TiBook gets about 3-4 hours, again dependant on load.

Practically every Transmeta-based x86 laptop gets 5 hours, up to 7 if you're using Word. That is nothing to sneeze at. Fujitsu has an optional battery pack for their laptops which nets you 7 to 9 hours of battery life on their Lifestyle series. True x86 laptops are a joke in comparison.

Naturally, trolls ignore these facts when trolling. If you repeat a lie often enough, some moderators will believe it true enough to mod you up...

Re:Troll, troll, troll your boat!

[RzUpAnmsCwrds]

"An x86 laptop like Toshiba makes gets about 1.5 - 2 hours of battery life. 3 if you only use things like Word, which let Speedstep and the like kick in. A 17" TiBook gets about 3-4 hours, again dependant on load."

I have a friend whose Dell Pentium-M powered notebook goes for 4+ hours.

Re:Troll, troll, troll your boat!

I'd say you're the troll ignoring facts. The last laptop I purchased claims 8 hours. The user I purchased it for say it gets pretty close to that. It's an Intel chip and many times faster than a Transmeta chip. Your "facts" are about 3 years old. (I'm very sad Transmeta didn't take a bite out of Intel.)

Re:Troll, troll, troll your boat!

[yamla]

I tend to abuse laptops, often spending much of my time at very high CPU loads. I used a 15" TiBook and, despite the thing being brand new, only got a little under 2 hours of battery life out of it (a couple of minutes short).

Perhaps the 17" TiBooks have higher quality batteries in them. I assume they'd need one with considerably more juice than the 15" in order to get close to 4 hours of life.

Re:Troll, troll, troll your boat!

[addaon]

The batteries are roughly the same quality, but of course the bigger laptops have batteries with larger capacities. The iBooks also seem to have the same quality batteries as the alBooks, as far as I can tell.

Re:Troll, troll, troll your boat!

[Experiment+626]

Just to elaborate on what RzUpAnmsCwrds said a bit... For modern Intel based laptops, there are basically three levels of of power hunger.

Lower price laptops use the same CPUs (P4 or Celeron) as desktop PCs. These are great (aside from heat) if you keep them plugged in, but you may only get an hour or two of battery time.

Then there are the variants that are modified for lower power consumption, P4M / Mobile P4. These turn off some power wasting CPU features and run more power efficiently than desktop chips. These cost a little more but should keep you above two hours on battery life.

Finally, there is the Pentium-M, better known as Centrino as it is called when bundled with Intel's own chipset and wireless adapter. This is a different architecture, built with low power in mind. Intel basically started with a P3, which were less of a power hog than the P4, and added features to give it lots of processing capacity without making it need so much energy. The Pentium-M runs at a much lower clock rate than the P4, but executes more instructions per clock to compensate, and comes with a large cache. It's a really clever architecture, and you can get at least 4 hours of battery life, 7 if you use a secondary battery.

I'm not really sure how AMD and Transmeta stack up. Transmeta seems like they are aiming at the market segment that only needs a few hundred MHz instead of a full-blown desktop equivalent, willing to give up speed for low power use. The Pentium-M can be used in "ultra low power" configurations like this, but is most commonly seen in laptops that give a few hours of battery life while keeping performance on par with a desktop.

Re:Troll, troll, troll your boat!

[jmv]

What model does he have? I own a Dell Latitude D600 (Pentium-M 1.6 GHz), and I've been a bit disappointed. I can't get more than 3 hours, even with the CPU running at 600 MHz, the display at low power and the disk spinning down when unused.

Re:Troll, troll, troll your boat!

[larry+bagina]

dickface!

Unfortunately, the processor isn't the only laptop component that uses electricity. And it isn't even the major electricity user!

TMTA has no power or speed advantage over a low-speed celeron or pentium M, and even more importantly, no price advantage.

1. hire geek circle-jerk icon Linus Torvaldes
2. ???
3. Profit!

Re:Troll, troll, troll your boat!

How many times faster is 'many times faster'? Do you mean clock speed or actual efficiency? Current Transmeta laptops run at 1 Ghz, but I'm not sure how fast that would be compared to say a P4.

Re:Troll, troll, troll your boat!

3 hours off a single battery is good stuff. My g3 powerbook (a good bit less power use than a g3, and orders of magnitude less than the g5) gets about 3.5 hours on a single battery.

Very slightly less battery life + x86 compatibility is nothing to sneer at.

Transmeta Cluster

[JonnyRo88]

Here is an example of a transmeta cluster.

LANL Transmeta Cluster (PDF Link)

And by cant run on the underlying hardware directly, you mean that you cant run on the bare core of the transmeta chip, as opposed to it's x86 translation layer?

As far as I know Linux runs fine on top of it's translation layer, as the chip was designed to do.

Re:Transmeta Cluster

[Wolfrider]

--That is frickin schweet, dude. They estimate that power and cooling costs for that cluster are an order of magnitude cheaper for the Transmeta chips vs traditional x86.

Centrino style chipsets

[wowbagger]

There's an aspect of the Crusoe and code morphing that I am surprised that Transmeta and some vendor haven't jumped on - the idea of using CMS to simulate hardware.

Consider the Centrino chipset from Intel, specifically the 802.11 part. (Now, this is conjecture on my part, but fits the observed behavior of Intel as a corporation and the Centrino chipset, so if somebody can prove me wrong please do so.)

I suspect the real reason that Intel is uneasy about releasing Linux drivers for the Centrino's WLAN chip is not just that an open source driver could be programmed to operate out of band or over power. I suspect that the WLAN chip is little more than a DMA core and an RF A/D converter (actually, a quadrature programmable up converter)- that the actual modulation/demodulation are being done by the CPU. Were that the case, then releasing the driver would expose a complete 802.11* modulation/demodulation algorithm. Furthurmore, modifications to that code could perform other forms of modulation besides 802.11 - a regulatory nightmare.

Now, consider the Crusoe. What if you had a version of the CMS that emulated a hardware device at a specific set of I/O addresses? The x86 driver would queue a bufferlist of symbols to be modulated, and, from the perspective of the x86 driver, "hardware" would DMA that data, modulate it, and send it. Simillarly, the x86 driver would queue a bufferlist of empty buffers, and "hardware" would receive the data, demodulate it, and fill the buffers.

Now the real work would be done in native CMS micro-ops. The micro-ops would create the modulation buffers from the symbol buffers (storing them into the CMS working area), and would set up the REAL DMA to transfer those modulation buffers to the RF section. Simillarly, the CMS code would set up the RF section to fill buffers in CMS-space with received data, which would then be decoded by the CMS code into symbols and placed into the x86 bufferspace.

The advantage of this is that the x86 drivers for (Windows|Linux|*BSD) would not contain any of the "magic" that causes problems - indeed, the "hardware" could have a register that sets the region the system supposedly is in, allowing the "hardware" (CMS driver) to select power levels, frequencies, and modulation schemes that are permissable to the area (e.g. USA, England, etc.) Thus the drivers could be completely Free.

I would think that this could allow a one-chip-wonder computer - a single Transmeta part for the main system, with integrated video, 802.11, Bluetooth, audio, V.90 modem, etc. Add an RF chip for the RF side of the Bluetooth and 802.11, RAM, a flash-ROM chip, et voila! A very low power, all integrated laptop/PDA/Phone/Set top box/Whatever that could have GOOD driver support under any OS.

(Yes, such a technique would shoot to hell any chance of hard-realtime in the OS, as "hardware" might preempt the code. However, I would not want to do hard real time on a Crusoe anyway, as you simple cannot guarantee the execution time of any block of code due to the possiblity of needing to re-morph it.)

Great Scott!

[stuffduff]

Now that it's shown that TransMeta may have borrowed from IBM, how long until SCO makes claims against it!

Re:Great Scott!

How long before the conspiracies start flying that this was a shop setup by IBM to further its Linux cause, while continuing with its research under a guise of a product?

The do.

[DAldredge]

It ships with ever processor they make.

Re:The do.

[42forty-two42]

No. They ship the output, which is *not* covered by the GPL.

Re:The do.

[DAldredge]

Damn. Your right. That is what I get for posting with out any Dr. Pepper in my system.

Hmmmm

You lost me at 'instruction set.'

Forth Chip

[pkhuong]

Forth is a language that has often been put on extremely small and simple die. It seems to me it would be possible to implement it on TMTA technology, especially considering the number of available registers - enough to guarantee the stack won't have to be put in RAM more than 90% of the time, iirc.

ANyone up for this? :)

*nix chip?

[Crazy+Eight]

The processor has 64 GPRs, with the following specialized semantics: * %r63 (%zero) always reads 0 when used as a source operand * %r62 (%sink) is a discarded destination (e.g., for compares); it is never read

Wow. /dev/zero and /dev/null in silicon.

Re:*nix chip?

[stevesliva]

MIPS r0 is also always zero. I suspect a register that is always zero is a pretty standard architectural feature.