Transmeta TMS5xxx Reverse Engineered

Richard W.M. Jones writes "This fascinating article, published anonymously, dissects the Transmeta TMS5xxx architecture, revealing how to access and modify the code-morphing code, how the instruction set works, and tells why you won't be able to run Linux directly on this chip."

Not interesting anymore

[AKnightCowboy]

Transmeta had a chance to do something interesting and amazing but it really has turned out to be a huge disappointment. They can't even get their processors into mainstream laptops and the power savings these days is negligible compared to modern day Intel stuff like the Centrino or P4-M. They should've went the route Via is taking and produce low-power, cool running processors in the mini-ITX form factor motherboards. Via's EPIA line is very nice, but they're starting to slip with some of the modern faster versions that have added fans onto the heatsink. Where are the modern fanless low power fast processors?

Re:Not interesting anymore

[NotoriousQ]

Well, do not give up yet. While it may be impossible to run programs in the underlying architecture, nothing says that you can not place a different translation code.

I am still waiting for the day when I will be able to run linux/ppc on my transmeta. (Or perhaps even cooler...being able to switch on demand!)

TMTA, IBM research, and gcc/binutils

[aurum42]

Several interesting questions raised by the article:

The author asserts that transmetas CMS and microprocessors bear striking similarities to an IBM research project named DAISY. I quote:

While I will not give a full analysis here, it appears that much of Transmeta's work was actually invented by IBM Research in the early 1990s. IBM's Daisy (Dynamically Architected Instruction Set from Yorktown) project [6] is essentially CMS for the PowerPC architecture, and uses a strikingly similar design and implementation, including: * Designing the morph host microarchitecture with the same semantics as the target instruction set (in IBM's case, PowerPC rather than x86) * Translated page cache, using a T-bit buffer to track which user pages are dirty and need re-translation * Explicit memory alias handling, using protected loads and checked stores * Extensive profiling logic to aid in further optimization * Handling of speculatively reordered loads and stores to I/O space

I wonder if this was just a question of similar approaches to similar problems, movement of engineers from IBM research to TMTA or something else.

He also states that CMS appears to have been compiled with a hacked up version of gcc and binutils. Isn't failure to release modifications to GPLed code against the license, or am I missing something? I doubt transmeta would've failed to foresee that, so perhaps they're using a different toolchain. Very interesting, all in all!

Re:TMTA, IBM research, and gcc/binutils

[Richard+W.M.+Jones]

He also states that CMS appears to have been compiled with a hacked up version of gcc and binutils. Isn't failure to release modifications to GPLed code against the license, or am I missing something?

No, not unless they started distributing the binary of the modified gcc outside transmeta.

Rich.

Are *you* experienced?

[DrSkwid]

Fortunately for Transmeta and its end users, this backdoor is difficult to exploit without the consent of the user, since it does require both x86 kernel level access and in some cases physical access to the machine. However, if you are experienced enough to be reading this, such limitations are unlikely to be a problem.

Ah, someone who still believes in the /. readership :)

Re:Are *you* experienced?

[geggibus]

/.ers don't read articles! ;)

-K

Re:How long...

[Richard+W.M.+Jones]

until someone comes out with a code morphing solution that turns the crusoe into a sparc/alpha/(insert favourite processor here).

It's likely to be quite hard. Firstly you've got to work out how to do code morphing. Remember it took Transmeta 2 years or so to develop the hardware and software.

Secondly, and more importantly, the TMS5xxx has an architecture which is very closely tied to the x86 architecture. eg - there is a common mapping of registers, and certain instructions in TMS are designed to make it easy to run specifically x86 code. Consider how hard it would be to run 64 bit big endian[1] code, for instance, on a processor designed primarily to run 32 bit little endian code. That's only the start of your problems ...

There are some quite interesting applications if this could be done ... eg: perhaps have multiple architecture OSes running at the same time? Have multiple processes running in a single OS which were compiled for different architectures?

Rich.

[1] Hope I got my endianness the right way round ...

Linux on a Transmeta

[Gleef]

OK, you might not be able to port Linux to run directly the bare hardware, but what about porting a simpler, more streamlined, processor emulation to run on the bare hardware, preferably one that Linux has already been ported to. Maybe a Crusoe emulating MIPS running Linux might be a more efficient proposition than a Crusoe emulating IA-32 running Linux. Or perhaps Crusoe->ARM->Linux.

None shall pass!

[alexjohns]

"...and tells why you won't be able to run Linux directly on this chip."

A whole bunch of kernel hackers just got slapped across the face with a silk glove, I do believe.

Re:None shall pass!

[Carnildo]

The article makes it pretty clear why Linux can't run directly on the Crusoe: Linux expects the hardware to have a virtual memory manager, which the Crusoe doesn't have. Consequently, any port of Linux will need to be running on an emulated memory manager.

As a side note, the Crusoe is also missing native support for certain other helpful features:
*Memory protection -- without that, a segfault can take out the entire OS.
*Running code from user memory -- without this, any application code will need to be piped through the OS to the CPU.

Troll, troll, troll your boat!

[Inoshiro]

"Where are the modern fanless low power fast processors?"
Why, they're in Transmeta-powered laptops.

An x86 laptop like Toshiba makes gets about 1.5 - 2 hours of battery life. 3 if you only use things like Word, which let Speedstep and the like kick in. A 17" TiBook gets about 3-4 hours, again dependant on load.

Practically every Transmeta-based x86 laptop gets 5 hours, up to 7 if you're using Word. That is nothing to sneeze at. Fujitsu has an optional battery pack for their laptops which nets you 7 to 9 hours of battery life on their Lifestyle series. True x86 laptops are a joke in comparison.

Naturally, trolls ignore these facts when trolling. If you repeat a lie often enough, some moderators will believe it true enough to mod you up...

Re:Troll, troll, troll your boat!

[RzUpAnmsCwrds]

"An x86 laptop like Toshiba makes gets about 1.5 - 2 hours of battery life. 3 if you only use things like Word, which let Speedstep and the like kick in. A 17" TiBook gets about 3-4 hours, again dependant on load."

I have a friend whose Dell Pentium-M powered notebook goes for 4+ hours.

Re:Troll, troll, troll your boat!

[Experiment+626]

Just to elaborate on what RzUpAnmsCwrds said a bit... For modern Intel based laptops, there are basically three levels of of power hunger.

Lower price laptops use the same CPUs (P4 or Celeron) as desktop PCs. These are great (aside from heat) if you keep them plugged in, but you may only get an hour or two of battery time.

Then there are the variants that are modified for lower power consumption, P4M / Mobile P4. These turn off some power wasting CPU features and run more power efficiently than desktop chips. These cost a little more but should keep you above two hours on battery life.

Finally, there is the Pentium-M, better known as Centrino as it is called when bundled with Intel's own chipset and wireless adapter. This is a different architecture, built with low power in mind. Intel basically started with a P3, which were less of a power hog than the P4, and added features to give it lots of processing capacity without making it need so much energy. The Pentium-M runs at a much lower clock rate than the P4, but executes more instructions per clock to compensate, and comes with a large cache. It's a really clever architecture, and you can get at least 4 hours of battery life, 7 if you use a secondary battery.

I'm not really sure how AMD and Transmeta stack up. Transmeta seems like they are aiming at the market segment that only needs a few hundred MHz instead of a full-blown desktop equivalent, willing to give up speed for low power use. The Pentium-M can be used in "ultra low power" configurations like this, but is most commonly seen in laptops that give a few hours of battery life while keeping performance on par with a desktop.

Re:Troll, troll, troll your boat!

[jmv]

What model does he have? I own a Dell Latitude D600 (Pentium-M 1.6 GHz), and I've been a bit disappointed. I can't get more than 3 hours, even with the CPU running at 600 MHz, the display at low power and the disk spinning down when unused.

Re:what was he THINKING?

[LWATCDR]

Actually the artical says that you can not run ANY os "Native" on this chip. Linux will run just fine using the same X/86 Code morphing system that runs windows.
What I wonder is could you come up with a more morphing friendly ISA than X86? What about then 68040 ISA? How would that work? ARM maybe?
Even if it is less than practical These chips could be good tools for playing around with new ISAs.

Transmeta Cluster

[JonnyRo88]

Here is an example of a transmeta cluster.

LANL Transmeta Cluster (PDF Link)

And by cant run on the underlying hardware directly, you mean that you cant run on the bare core of the transmeta chip, as opposed to it's x86 translation layer?

As far as I know Linux runs fine on top of it's translation layer, as the chip was designed to do.

Re:How long...

[TheRealMindChild]

It ends up being not as beneficial as you first think.

Think about it... who makes motherboards for these things? Only one or two people for one or two products. You cant just make it, say, an ultrasparc and expect all of the peripherals to work... especially with a PC bios.

Centrino style chipsets

[wowbagger]

There's an aspect of the Crusoe and code morphing that I am surprised that Transmeta and some vendor haven't jumped on - the idea of using CMS to simulate hardware.

Consider the Centrino chipset from Intel, specifically the 802.11 part. (Now, this is conjecture on my part, but fits the observed behavior of Intel as a corporation and the Centrino chipset, so if somebody can prove me wrong please do so.)

I suspect the real reason that Intel is uneasy about releasing Linux drivers for the Centrino's WLAN chip is not just that an open source driver could be programmed to operate out of band or over power. I suspect that the WLAN chip is little more than a DMA core and an RF A/D converter (actually, a quadrature programmable up converter)- that the actual modulation/demodulation are being done by the CPU. Were that the case, then releasing the driver would expose a complete 802.11* modulation/demodulation algorithm. Furthurmore, modifications to that code could perform other forms of modulation besides 802.11 - a regulatory nightmare.

Now, consider the Crusoe. What if you had a version of the CMS that emulated a hardware device at a specific set of I/O addresses? The x86 driver would queue a bufferlist of symbols to be modulated, and, from the perspective of the x86 driver, "hardware" would DMA that data, modulate it, and send it. Simillarly, the x86 driver would queue a bufferlist of empty buffers, and "hardware" would receive the data, demodulate it, and fill the buffers.

Now the real work would be done in native CMS micro-ops. The micro-ops would create the modulation buffers from the symbol buffers (storing them into the CMS working area), and would set up the REAL DMA to transfer those modulation buffers to the RF section. Simillarly, the CMS code would set up the RF section to fill buffers in CMS-space with received data, which would then be decoded by the CMS code into symbols and placed into the x86 bufferspace.

The advantage of this is that the x86 drivers for (Windows|Linux|*BSD) would not contain any of the "magic" that causes problems - indeed, the "hardware" could have a register that sets the region the system supposedly is in, allowing the "hardware" (CMS driver) to select power levels, frequencies, and modulation schemes that are permissable to the area (e.g. USA, England, etc.) Thus the drivers could be completely Free.

I would think that this could allow a one-chip-wonder computer - a single Transmeta part for the main system, with integrated video, 802.11, Bluetooth, audio, V.90 modem, etc. Add an RF chip for the RF side of the Bluetooth and 802.11, RAM, a flash-ROM chip, et voila! A very low power, all integrated laptop/PDA/Phone/Set top box/Whatever that could have GOOD driver support under any OS.

(Yes, such a technique would shoot to hell any chance of hard-realtime in the OS, as "hardware" might preempt the code. However, I would not want to do hard real time on a Crusoe anyway, as you simple cannot guarantee the execution time of any block of code due to the possiblity of needing to re-morph it.)

Re:what was he THINKING?

[addaon]

The thing is, if you're giving up x86 compatibility, there's no reason morphing is needed. ARM and PPC run fine without morphing; in modern sparc and mips, maybe you'd want to magic away the delay slots, but they don't really hurt anything... only the baroque CISC architectures gain any significant advantage (even in theory) from morphing.

Re:The do.

[42forty-two42]

No. They ship the output, which is *not* covered by the GPL.

Forth Chip

[pkhuong]

Forth is a language that has often been put on extremely small and simple die. It seems to me it would be possible to implement it on TMTA technology, especially considering the number of available registers - enough to guarantee the stack won't have to be put in RAM more than 90% of the time, iirc.

ANyone up for this? :)