xref: /openbmc/qemu/hw/arm/musicpal.c (revision 30e702ab)
1 /*
2  * Marvell MV88W8618 / Freecom MusicPal emulation.
3  *
4  * Copyright (c) 2008 Jan Kiszka
5  *
6  * This code is licensed under the GNU GPL v2.
7  *
8  * Contributions after 2012-01-13 are licensed under the terms of the
9  * GNU GPL, version 2 or (at your option) any later version.
10  */
11 
12 #include "qemu/osdep.h"
13 #include "qapi/error.h"
14 #include "cpu.h"
15 #include "hw/sysbus.h"
16 #include "migration/vmstate.h"
17 #include "hw/arm/boot.h"
18 #include "net/net.h"
19 #include "sysemu/sysemu.h"
20 #include "hw/boards.h"
21 #include "hw/char/serial.h"
22 #include "qemu/timer.h"
23 #include "hw/ptimer.h"
24 #include "hw/qdev-properties.h"
25 #include "hw/block/flash.h"
26 #include "ui/console.h"
27 #include "hw/i2c/i2c.h"
28 #include "hw/irq.h"
29 #include "hw/or-irq.h"
30 #include "hw/audio/wm8750.h"
31 #include "sysemu/block-backend.h"
32 #include "sysemu/runstate.h"
33 #include "sysemu/dma.h"
34 #include "ui/pixel_ops.h"
35 #include "qemu/cutils.h"
36 #include "qom/object.h"
37 
38 #define MP_MISC_BASE            0x80002000
39 #define MP_MISC_SIZE            0x00001000
40 
41 #define MP_ETH_BASE             0x80008000
42 #define MP_ETH_SIZE             0x00001000
43 
44 #define MP_WLAN_BASE            0x8000C000
45 #define MP_WLAN_SIZE            0x00000800
46 
47 #define MP_UART1_BASE           0x8000C840
48 #define MP_UART2_BASE           0x8000C940
49 
50 #define MP_GPIO_BASE            0x8000D000
51 #define MP_GPIO_SIZE            0x00001000
52 
53 #define MP_FLASHCFG_BASE        0x90006000
54 #define MP_FLASHCFG_SIZE        0x00001000
55 
56 #define MP_AUDIO_BASE           0x90007000
57 
58 #define MP_PIC_BASE             0x90008000
59 #define MP_PIC_SIZE             0x00001000
60 
61 #define MP_PIT_BASE             0x90009000
62 #define MP_PIT_SIZE             0x00001000
63 
64 #define MP_LCD_BASE             0x9000c000
65 #define MP_LCD_SIZE             0x00001000
66 
67 #define MP_SRAM_BASE            0xC0000000
68 #define MP_SRAM_SIZE            0x00020000
69 
70 #define MP_RAM_DEFAULT_SIZE     32*1024*1024
71 #define MP_FLASH_SIZE_MAX       32*1024*1024
72 
73 #define MP_TIMER1_IRQ           4
74 #define MP_TIMER2_IRQ           5
75 #define MP_TIMER3_IRQ           6
76 #define MP_TIMER4_IRQ           7
77 #define MP_EHCI_IRQ             8
78 #define MP_ETH_IRQ              9
79 #define MP_UART_SHARED_IRQ      11
80 #define MP_GPIO_IRQ             12
81 #define MP_RTC_IRQ              28
82 #define MP_AUDIO_IRQ            30
83 
84 /* Wolfson 8750 I2C address */
85 #define MP_WM_ADDR              0x1A
86 
87 /* Ethernet register offsets */
88 #define MP_ETH_SMIR             0x010
89 #define MP_ETH_PCXR             0x408
90 #define MP_ETH_SDCMR            0x448
91 #define MP_ETH_ICR              0x450
92 #define MP_ETH_IMR              0x458
93 #define MP_ETH_FRDP0            0x480
94 #define MP_ETH_FRDP1            0x484
95 #define MP_ETH_FRDP2            0x488
96 #define MP_ETH_FRDP3            0x48C
97 #define MP_ETH_CRDP0            0x4A0
98 #define MP_ETH_CRDP1            0x4A4
99 #define MP_ETH_CRDP2            0x4A8
100 #define MP_ETH_CRDP3            0x4AC
101 #define MP_ETH_CTDP0            0x4E0
102 #define MP_ETH_CTDP1            0x4E4
103 
104 /* MII PHY access */
105 #define MP_ETH_SMIR_DATA        0x0000FFFF
106 #define MP_ETH_SMIR_ADDR        0x03FF0000
107 #define MP_ETH_SMIR_OPCODE      (1 << 26) /* Read value */
108 #define MP_ETH_SMIR_RDVALID     (1 << 27)
109 
110 /* PHY registers */
111 #define MP_ETH_PHY1_BMSR        0x00210000
112 #define MP_ETH_PHY1_PHYSID1     0x00410000
113 #define MP_ETH_PHY1_PHYSID2     0x00610000
114 
115 #define MP_PHY_BMSR_LINK        0x0004
116 #define MP_PHY_BMSR_AUTONEG     0x0008
117 
118 #define MP_PHY_88E3015          0x01410E20
119 
120 /* TX descriptor status */
121 #define MP_ETH_TX_OWN           (1U << 31)
122 
123 /* RX descriptor status */
124 #define MP_ETH_RX_OWN           (1U << 31)
125 
126 /* Interrupt cause/mask bits */
127 #define MP_ETH_IRQ_RX_BIT       0
128 #define MP_ETH_IRQ_RX           (1 << MP_ETH_IRQ_RX_BIT)
129 #define MP_ETH_IRQ_TXHI_BIT     2
130 #define MP_ETH_IRQ_TXLO_BIT     3
131 
132 /* Port config bits */
133 #define MP_ETH_PCXR_2BSM_BIT    28 /* 2-byte incoming suffix */
134 
135 /* SDMA command bits */
136 #define MP_ETH_CMD_TXHI         (1 << 23)
137 #define MP_ETH_CMD_TXLO         (1 << 22)
138 
139 typedef struct mv88w8618_tx_desc {
140     uint32_t cmdstat;
141     uint16_t res;
142     uint16_t bytes;
143     uint32_t buffer;
144     uint32_t next;
145 } mv88w8618_tx_desc;
146 
147 typedef struct mv88w8618_rx_desc {
148     uint32_t cmdstat;
149     uint16_t bytes;
150     uint16_t buffer_size;
151     uint32_t buffer;
152     uint32_t next;
153 } mv88w8618_rx_desc;
154 
155 #define TYPE_MV88W8618_ETH "mv88w8618_eth"
156 OBJECT_DECLARE_SIMPLE_TYPE(mv88w8618_eth_state, MV88W8618_ETH)
157 
158 struct mv88w8618_eth_state {
159     /*< private >*/
160     SysBusDevice parent_obj;
161     /*< public >*/
162 
163     MemoryRegion iomem;
164     qemu_irq irq;
165     MemoryRegion *dma_mr;
166     AddressSpace dma_as;
167     uint32_t smir;
168     uint32_t icr;
169     uint32_t imr;
170     int mmio_index;
171     uint32_t vlan_header;
172     uint32_t tx_queue[2];
173     uint32_t rx_queue[4];
174     uint32_t frx_queue[4];
175     uint32_t cur_rx[4];
176     NICState *nic;
177     NICConf conf;
178 };
179 
180 static void eth_rx_desc_put(AddressSpace *dma_as, uint32_t addr,
181                             mv88w8618_rx_desc *desc)
182 {
183     cpu_to_le32s(&desc->cmdstat);
184     cpu_to_le16s(&desc->bytes);
185     cpu_to_le16s(&desc->buffer_size);
186     cpu_to_le32s(&desc->buffer);
187     cpu_to_le32s(&desc->next);
188     dma_memory_write(dma_as, addr, desc, sizeof(*desc));
189 }
190 
191 static void eth_rx_desc_get(AddressSpace *dma_as, uint32_t addr,
192                             mv88w8618_rx_desc *desc)
193 {
194     dma_memory_read(dma_as, addr, desc, sizeof(*desc));
195     le32_to_cpus(&desc->cmdstat);
196     le16_to_cpus(&desc->bytes);
197     le16_to_cpus(&desc->buffer_size);
198     le32_to_cpus(&desc->buffer);
199     le32_to_cpus(&desc->next);
200 }
201 
202 static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
203 {
204     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
205     uint32_t desc_addr;
206     mv88w8618_rx_desc desc;
207     int i;
208 
209     for (i = 0; i < 4; i++) {
210         desc_addr = s->cur_rx[i];
211         if (!desc_addr) {
212             continue;
213         }
214         do {
215             eth_rx_desc_get(&s->dma_as, desc_addr, &desc);
216             if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
217                 dma_memory_write(&s->dma_as, desc.buffer + s->vlan_header,
218                                           buf, size);
219                 desc.bytes = size + s->vlan_header;
220                 desc.cmdstat &= ~MP_ETH_RX_OWN;
221                 s->cur_rx[i] = desc.next;
222 
223                 s->icr |= MP_ETH_IRQ_RX;
224                 if (s->icr & s->imr) {
225                     qemu_irq_raise(s->irq);
226                 }
227                 eth_rx_desc_put(&s->dma_as, desc_addr, &desc);
228                 return size;
229             }
230             desc_addr = desc.next;
231         } while (desc_addr != s->rx_queue[i]);
232     }
233     return size;
234 }
235 
236 static void eth_tx_desc_put(AddressSpace *dma_as, uint32_t addr,
237                             mv88w8618_tx_desc *desc)
238 {
239     cpu_to_le32s(&desc->cmdstat);
240     cpu_to_le16s(&desc->res);
241     cpu_to_le16s(&desc->bytes);
242     cpu_to_le32s(&desc->buffer);
243     cpu_to_le32s(&desc->next);
244     dma_memory_write(dma_as, addr, desc, sizeof(*desc));
245 }
246 
247 static void eth_tx_desc_get(AddressSpace *dma_as, uint32_t addr,
248                             mv88w8618_tx_desc *desc)
249 {
250     dma_memory_read(dma_as, addr, desc, sizeof(*desc));
251     le32_to_cpus(&desc->cmdstat);
252     le16_to_cpus(&desc->res);
253     le16_to_cpus(&desc->bytes);
254     le32_to_cpus(&desc->buffer);
255     le32_to_cpus(&desc->next);
256 }
257 
258 static void eth_send(mv88w8618_eth_state *s, int queue_index)
259 {
260     uint32_t desc_addr = s->tx_queue[queue_index];
261     mv88w8618_tx_desc desc;
262     uint32_t next_desc;
263     uint8_t buf[2048];
264     int len;
265 
266     do {
267         eth_tx_desc_get(&s->dma_as, desc_addr, &desc);
268         next_desc = desc.next;
269         if (desc.cmdstat & MP_ETH_TX_OWN) {
270             len = desc.bytes;
271             if (len < 2048) {
272                 dma_memory_read(&s->dma_as, desc.buffer, buf, len);
273                 qemu_send_packet(qemu_get_queue(s->nic), buf, len);
274             }
275             desc.cmdstat &= ~MP_ETH_TX_OWN;
276             s->icr |= 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index);
277             eth_tx_desc_put(&s->dma_as, desc_addr, &desc);
278         }
279         desc_addr = next_desc;
280     } while (desc_addr != s->tx_queue[queue_index]);
281 }
282 
283 static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
284                                    unsigned size)
285 {
286     mv88w8618_eth_state *s = opaque;
287 
288     switch (offset) {
289     case MP_ETH_SMIR:
290         if (s->smir & MP_ETH_SMIR_OPCODE) {
291             switch (s->smir & MP_ETH_SMIR_ADDR) {
292             case MP_ETH_PHY1_BMSR:
293                 return MP_PHY_BMSR_LINK | MP_PHY_BMSR_AUTONEG |
294                        MP_ETH_SMIR_RDVALID;
295             case MP_ETH_PHY1_PHYSID1:
296                 return (MP_PHY_88E3015 >> 16) | MP_ETH_SMIR_RDVALID;
297             case MP_ETH_PHY1_PHYSID2:
298                 return (MP_PHY_88E3015 & 0xFFFF) | MP_ETH_SMIR_RDVALID;
299             default:
300                 return MP_ETH_SMIR_RDVALID;
301             }
302         }
303         return 0;
304 
305     case MP_ETH_ICR:
306         return s->icr;
307 
308     case MP_ETH_IMR:
309         return s->imr;
310 
311     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
312         return s->frx_queue[(offset - MP_ETH_FRDP0)/4];
313 
314     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
315         return s->rx_queue[(offset - MP_ETH_CRDP0)/4];
316 
317     case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
318         return s->tx_queue[(offset - MP_ETH_CTDP0)/4];
319 
320     default:
321         return 0;
322     }
323 }
324 
325 static void mv88w8618_eth_write(void *opaque, hwaddr offset,
326                                 uint64_t value, unsigned size)
327 {
328     mv88w8618_eth_state *s = opaque;
329 
330     switch (offset) {
331     case MP_ETH_SMIR:
332         s->smir = value;
333         break;
334 
335     case MP_ETH_PCXR:
336         s->vlan_header = ((value >> MP_ETH_PCXR_2BSM_BIT) & 1) * 2;
337         break;
338 
339     case MP_ETH_SDCMR:
340         if (value & MP_ETH_CMD_TXHI) {
341             eth_send(s, 1);
342         }
343         if (value & MP_ETH_CMD_TXLO) {
344             eth_send(s, 0);
345         }
346         if (value & (MP_ETH_CMD_TXHI | MP_ETH_CMD_TXLO) && s->icr & s->imr) {
347             qemu_irq_raise(s->irq);
348         }
349         break;
350 
351     case MP_ETH_ICR:
352         s->icr &= value;
353         break;
354 
355     case MP_ETH_IMR:
356         s->imr = value;
357         if (s->icr & s->imr) {
358             qemu_irq_raise(s->irq);
359         }
360         break;
361 
362     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
363         s->frx_queue[(offset - MP_ETH_FRDP0)/4] = value;
364         break;
365 
366     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
367         s->rx_queue[(offset - MP_ETH_CRDP0)/4] =
368             s->cur_rx[(offset - MP_ETH_CRDP0)/4] = value;
369         break;
370 
371     case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
372         s->tx_queue[(offset - MP_ETH_CTDP0)/4] = value;
373         break;
374     }
375 }
376 
377 static const MemoryRegionOps mv88w8618_eth_ops = {
378     .read = mv88w8618_eth_read,
379     .write = mv88w8618_eth_write,
380     .endianness = DEVICE_NATIVE_ENDIAN,
381 };
382 
383 static void eth_cleanup(NetClientState *nc)
384 {
385     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
386 
387     s->nic = NULL;
388 }
389 
390 static NetClientInfo net_mv88w8618_info = {
391     .type = NET_CLIENT_DRIVER_NIC,
392     .size = sizeof(NICState),
393     .receive = eth_receive,
394     .cleanup = eth_cleanup,
395 };
396 
397 static void mv88w8618_eth_init(Object *obj)
398 {
399     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
400     DeviceState *dev = DEVICE(sbd);
401     mv88w8618_eth_state *s = MV88W8618_ETH(dev);
402 
403     sysbus_init_irq(sbd, &s->irq);
404     memory_region_init_io(&s->iomem, obj, &mv88w8618_eth_ops, s,
405                           "mv88w8618-eth", MP_ETH_SIZE);
406     sysbus_init_mmio(sbd, &s->iomem);
407 }
408 
409 static void mv88w8618_eth_realize(DeviceState *dev, Error **errp)
410 {
411     mv88w8618_eth_state *s = MV88W8618_ETH(dev);
412 
413     if (!s->dma_mr) {
414         error_setg(errp, TYPE_MV88W8618_ETH " 'dma-memory' link not set");
415         return;
416     }
417 
418     address_space_init(&s->dma_as, s->dma_mr, "emac-dma");
419     s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf,
420                           object_get_typename(OBJECT(dev)), dev->id, s);
421 }
422 
423 static const VMStateDescription mv88w8618_eth_vmsd = {
424     .name = "mv88w8618_eth",
425     .version_id = 1,
426     .minimum_version_id = 1,
427     .fields = (VMStateField[]) {
428         VMSTATE_UINT32(smir, mv88w8618_eth_state),
429         VMSTATE_UINT32(icr, mv88w8618_eth_state),
430         VMSTATE_UINT32(imr, mv88w8618_eth_state),
431         VMSTATE_UINT32(vlan_header, mv88w8618_eth_state),
432         VMSTATE_UINT32_ARRAY(tx_queue, mv88w8618_eth_state, 2),
433         VMSTATE_UINT32_ARRAY(rx_queue, mv88w8618_eth_state, 4),
434         VMSTATE_UINT32_ARRAY(frx_queue, mv88w8618_eth_state, 4),
435         VMSTATE_UINT32_ARRAY(cur_rx, mv88w8618_eth_state, 4),
436         VMSTATE_END_OF_LIST()
437     }
438 };
439 
440 static Property mv88w8618_eth_properties[] = {
441     DEFINE_NIC_PROPERTIES(mv88w8618_eth_state, conf),
442     DEFINE_PROP_LINK("dma-memory", mv88w8618_eth_state, dma_mr,
443                      TYPE_MEMORY_REGION, MemoryRegion *),
444     DEFINE_PROP_END_OF_LIST(),
445 };
446 
447 static void mv88w8618_eth_class_init(ObjectClass *klass, void *data)
448 {
449     DeviceClass *dc = DEVICE_CLASS(klass);
450 
451     dc->vmsd = &mv88w8618_eth_vmsd;
452     device_class_set_props(dc, mv88w8618_eth_properties);
453     dc->realize = mv88w8618_eth_realize;
454 }
455 
456 static const TypeInfo mv88w8618_eth_info = {
457     .name          = TYPE_MV88W8618_ETH,
458     .parent        = TYPE_SYS_BUS_DEVICE,
459     .instance_size = sizeof(mv88w8618_eth_state),
460     .instance_init = mv88w8618_eth_init,
461     .class_init    = mv88w8618_eth_class_init,
462 };
463 
464 /* LCD register offsets */
465 #define MP_LCD_IRQCTRL          0x180
466 #define MP_LCD_IRQSTAT          0x184
467 #define MP_LCD_SPICTRL          0x1ac
468 #define MP_LCD_INST             0x1bc
469 #define MP_LCD_DATA             0x1c0
470 
471 /* Mode magics */
472 #define MP_LCD_SPI_DATA         0x00100011
473 #define MP_LCD_SPI_CMD          0x00104011
474 #define MP_LCD_SPI_INVALID      0x00000000
475 
476 /* Commmands */
477 #define MP_LCD_INST_SETPAGE0    0xB0
478 /* ... */
479 #define MP_LCD_INST_SETPAGE7    0xB7
480 
481 #define MP_LCD_TEXTCOLOR        0xe0e0ff /* RRGGBB */
482 
483 #define TYPE_MUSICPAL_LCD "musicpal_lcd"
484 OBJECT_DECLARE_SIMPLE_TYPE(musicpal_lcd_state, MUSICPAL_LCD)
485 
486 struct musicpal_lcd_state {
487     /*< private >*/
488     SysBusDevice parent_obj;
489     /*< public >*/
490 
491     MemoryRegion iomem;
492     uint32_t brightness;
493     uint32_t mode;
494     uint32_t irqctrl;
495     uint32_t page;
496     uint32_t page_off;
497     QemuConsole *con;
498     uint8_t video_ram[128*64/8];
499 };
500 
501 static uint8_t scale_lcd_color(musicpal_lcd_state *s, uint8_t col)
502 {
503     switch (s->brightness) {
504     case 7:
505         return col;
506     case 0:
507         return 0;
508     default:
509         return (col * s->brightness) / 7;
510     }
511 }
512 
513 static inline void set_lcd_pixel32(musicpal_lcd_state *s,
514                                    int x, int y, uint32_t col)
515 {
516     int dx, dy;
517     DisplaySurface *surface = qemu_console_surface(s->con);
518     uint32_t *pixel =
519         &((uint32_t *) surface_data(surface))[(y * 128 * 3 + x) * 3];
520 
521     for (dy = 0; dy < 3; dy++, pixel += 127 * 3) {
522         for (dx = 0; dx < 3; dx++, pixel++) {
523             *pixel = col;
524         }
525     }
526 }
527 
528 static void lcd_refresh(void *opaque)
529 {
530     musicpal_lcd_state *s = opaque;
531     int x, y, col;
532 
533     col = rgb_to_pixel32(scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 16) & 0xff),
534                          scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 8) & 0xff),
535                          scale_lcd_color(s, MP_LCD_TEXTCOLOR & 0xff));
536     for (x = 0; x < 128; x++) {
537         for (y = 0; y < 64; y++) {
538             if (s->video_ram[x + (y / 8) * 128] & (1 << (y % 8))) {
539                 set_lcd_pixel32(s, x, y, col);
540             } else {
541                 set_lcd_pixel32(s, x, y, 0);
542             }
543         }
544     }
545 
546     dpy_gfx_update(s->con, 0, 0, 128*3, 64*3);
547 }
548 
549 static void lcd_invalidate(void *opaque)
550 {
551 }
552 
553 static void musicpal_lcd_gpio_brightness_in(void *opaque, int irq, int level)
554 {
555     musicpal_lcd_state *s = opaque;
556     s->brightness &= ~(1 << irq);
557     s->brightness |= level << irq;
558 }
559 
560 static uint64_t musicpal_lcd_read(void *opaque, hwaddr offset,
561                                   unsigned size)
562 {
563     musicpal_lcd_state *s = opaque;
564 
565     switch (offset) {
566     case MP_LCD_IRQCTRL:
567         return s->irqctrl;
568 
569     default:
570         return 0;
571     }
572 }
573 
574 static void musicpal_lcd_write(void *opaque, hwaddr offset,
575                                uint64_t value, unsigned size)
576 {
577     musicpal_lcd_state *s = opaque;
578 
579     switch (offset) {
580     case MP_LCD_IRQCTRL:
581         s->irqctrl = value;
582         break;
583 
584     case MP_LCD_SPICTRL:
585         if (value == MP_LCD_SPI_DATA || value == MP_LCD_SPI_CMD) {
586             s->mode = value;
587         } else {
588             s->mode = MP_LCD_SPI_INVALID;
589         }
590         break;
591 
592     case MP_LCD_INST:
593         if (value >= MP_LCD_INST_SETPAGE0 && value <= MP_LCD_INST_SETPAGE7) {
594             s->page = value - MP_LCD_INST_SETPAGE0;
595             s->page_off = 0;
596         }
597         break;
598 
599     case MP_LCD_DATA:
600         if (s->mode == MP_LCD_SPI_CMD) {
601             if (value >= MP_LCD_INST_SETPAGE0 &&
602                 value <= MP_LCD_INST_SETPAGE7) {
603                 s->page = value - MP_LCD_INST_SETPAGE0;
604                 s->page_off = 0;
605             }
606         } else if (s->mode == MP_LCD_SPI_DATA) {
607             s->video_ram[s->page*128 + s->page_off] = value;
608             s->page_off = (s->page_off + 1) & 127;
609         }
610         break;
611     }
612 }
613 
614 static const MemoryRegionOps musicpal_lcd_ops = {
615     .read = musicpal_lcd_read,
616     .write = musicpal_lcd_write,
617     .endianness = DEVICE_NATIVE_ENDIAN,
618 };
619 
620 static const GraphicHwOps musicpal_gfx_ops = {
621     .invalidate  = lcd_invalidate,
622     .gfx_update  = lcd_refresh,
623 };
624 
625 static void musicpal_lcd_realize(DeviceState *dev, Error **errp)
626 {
627     musicpal_lcd_state *s = MUSICPAL_LCD(dev);
628     s->con = graphic_console_init(dev, 0, &musicpal_gfx_ops, s);
629     qemu_console_resize(s->con, 128 * 3, 64 * 3);
630 }
631 
632 static void musicpal_lcd_init(Object *obj)
633 {
634     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
635     DeviceState *dev = DEVICE(sbd);
636     musicpal_lcd_state *s = MUSICPAL_LCD(dev);
637 
638     s->brightness = 7;
639 
640     memory_region_init_io(&s->iomem, obj, &musicpal_lcd_ops, s,
641                           "musicpal-lcd", MP_LCD_SIZE);
642     sysbus_init_mmio(sbd, &s->iomem);
643 
644     qdev_init_gpio_in(dev, musicpal_lcd_gpio_brightness_in, 3);
645 }
646 
647 static const VMStateDescription musicpal_lcd_vmsd = {
648     .name = "musicpal_lcd",
649     .version_id = 1,
650     .minimum_version_id = 1,
651     .fields = (VMStateField[]) {
652         VMSTATE_UINT32(brightness, musicpal_lcd_state),
653         VMSTATE_UINT32(mode, musicpal_lcd_state),
654         VMSTATE_UINT32(irqctrl, musicpal_lcd_state),
655         VMSTATE_UINT32(page, musicpal_lcd_state),
656         VMSTATE_UINT32(page_off, musicpal_lcd_state),
657         VMSTATE_BUFFER(video_ram, musicpal_lcd_state),
658         VMSTATE_END_OF_LIST()
659     }
660 };
661 
662 static void musicpal_lcd_class_init(ObjectClass *klass, void *data)
663 {
664     DeviceClass *dc = DEVICE_CLASS(klass);
665 
666     dc->vmsd = &musicpal_lcd_vmsd;
667     dc->realize = musicpal_lcd_realize;
668 }
669 
670 static const TypeInfo musicpal_lcd_info = {
671     .name          = TYPE_MUSICPAL_LCD,
672     .parent        = TYPE_SYS_BUS_DEVICE,
673     .instance_size = sizeof(musicpal_lcd_state),
674     .instance_init = musicpal_lcd_init,
675     .class_init    = musicpal_lcd_class_init,
676 };
677 
678 /* PIC register offsets */
679 #define MP_PIC_STATUS           0x00
680 #define MP_PIC_ENABLE_SET       0x08
681 #define MP_PIC_ENABLE_CLR       0x0C
682 
683 #define TYPE_MV88W8618_PIC "mv88w8618_pic"
684 OBJECT_DECLARE_SIMPLE_TYPE(mv88w8618_pic_state, MV88W8618_PIC)
685 
686 struct mv88w8618_pic_state {
687     /*< private >*/
688     SysBusDevice parent_obj;
689     /*< public >*/
690 
691     MemoryRegion iomem;
692     uint32_t level;
693     uint32_t enabled;
694     qemu_irq parent_irq;
695 };
696 
697 static void mv88w8618_pic_update(mv88w8618_pic_state *s)
698 {
699     qemu_set_irq(s->parent_irq, (s->level & s->enabled));
700 }
701 
702 static void mv88w8618_pic_set_irq(void *opaque, int irq, int level)
703 {
704     mv88w8618_pic_state *s = opaque;
705 
706     if (level) {
707         s->level |= 1 << irq;
708     } else {
709         s->level &= ~(1 << irq);
710     }
711     mv88w8618_pic_update(s);
712 }
713 
714 static uint64_t mv88w8618_pic_read(void *opaque, hwaddr offset,
715                                    unsigned size)
716 {
717     mv88w8618_pic_state *s = opaque;
718 
719     switch (offset) {
720     case MP_PIC_STATUS:
721         return s->level & s->enabled;
722 
723     default:
724         return 0;
725     }
726 }
727 
728 static void mv88w8618_pic_write(void *opaque, hwaddr offset,
729                                 uint64_t value, unsigned size)
730 {
731     mv88w8618_pic_state *s = opaque;
732 
733     switch (offset) {
734     case MP_PIC_ENABLE_SET:
735         s->enabled |= value;
736         break;
737 
738     case MP_PIC_ENABLE_CLR:
739         s->enabled &= ~value;
740         s->level &= ~value;
741         break;
742     }
743     mv88w8618_pic_update(s);
744 }
745 
746 static void mv88w8618_pic_reset(DeviceState *d)
747 {
748     mv88w8618_pic_state *s = MV88W8618_PIC(d);
749 
750     s->level = 0;
751     s->enabled = 0;
752 }
753 
754 static const MemoryRegionOps mv88w8618_pic_ops = {
755     .read = mv88w8618_pic_read,
756     .write = mv88w8618_pic_write,
757     .endianness = DEVICE_NATIVE_ENDIAN,
758 };
759 
760 static void mv88w8618_pic_init(Object *obj)
761 {
762     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
763     mv88w8618_pic_state *s = MV88W8618_PIC(dev);
764 
765     qdev_init_gpio_in(DEVICE(dev), mv88w8618_pic_set_irq, 32);
766     sysbus_init_irq(dev, &s->parent_irq);
767     memory_region_init_io(&s->iomem, obj, &mv88w8618_pic_ops, s,
768                           "musicpal-pic", MP_PIC_SIZE);
769     sysbus_init_mmio(dev, &s->iomem);
770 }
771 
772 static const VMStateDescription mv88w8618_pic_vmsd = {
773     .name = "mv88w8618_pic",
774     .version_id = 1,
775     .minimum_version_id = 1,
776     .fields = (VMStateField[]) {
777         VMSTATE_UINT32(level, mv88w8618_pic_state),
778         VMSTATE_UINT32(enabled, mv88w8618_pic_state),
779         VMSTATE_END_OF_LIST()
780     }
781 };
782 
783 static void mv88w8618_pic_class_init(ObjectClass *klass, void *data)
784 {
785     DeviceClass *dc = DEVICE_CLASS(klass);
786 
787     dc->reset = mv88w8618_pic_reset;
788     dc->vmsd = &mv88w8618_pic_vmsd;
789 }
790 
791 static const TypeInfo mv88w8618_pic_info = {
792     .name          = TYPE_MV88W8618_PIC,
793     .parent        = TYPE_SYS_BUS_DEVICE,
794     .instance_size = sizeof(mv88w8618_pic_state),
795     .instance_init = mv88w8618_pic_init,
796     .class_init    = mv88w8618_pic_class_init,
797 };
798 
799 /* PIT register offsets */
800 #define MP_PIT_TIMER1_LENGTH    0x00
801 /* ... */
802 #define MP_PIT_TIMER4_LENGTH    0x0C
803 #define MP_PIT_CONTROL          0x10
804 #define MP_PIT_TIMER1_VALUE     0x14
805 /* ... */
806 #define MP_PIT_TIMER4_VALUE     0x20
807 #define MP_BOARD_RESET          0x34
808 
809 /* Magic board reset value (probably some watchdog behind it) */
810 #define MP_BOARD_RESET_MAGIC    0x10000
811 
812 typedef struct mv88w8618_timer_state {
813     ptimer_state *ptimer;
814     uint32_t limit;
815     int freq;
816     qemu_irq irq;
817 } mv88w8618_timer_state;
818 
819 #define TYPE_MV88W8618_PIT "mv88w8618_pit"
820 OBJECT_DECLARE_SIMPLE_TYPE(mv88w8618_pit_state, MV88W8618_PIT)
821 
822 struct mv88w8618_pit_state {
823     /*< private >*/
824     SysBusDevice parent_obj;
825     /*< public >*/
826 
827     MemoryRegion iomem;
828     mv88w8618_timer_state timer[4];
829 };
830 
831 static void mv88w8618_timer_tick(void *opaque)
832 {
833     mv88w8618_timer_state *s = opaque;
834 
835     qemu_irq_raise(s->irq);
836 }
837 
838 static void mv88w8618_timer_init(SysBusDevice *dev, mv88w8618_timer_state *s,
839                                  uint32_t freq)
840 {
841     sysbus_init_irq(dev, &s->irq);
842     s->freq = freq;
843 
844     s->ptimer = ptimer_init(mv88w8618_timer_tick, s, PTIMER_POLICY_DEFAULT);
845 }
846 
847 static uint64_t mv88w8618_pit_read(void *opaque, hwaddr offset,
848                                    unsigned size)
849 {
850     mv88w8618_pit_state *s = opaque;
851     mv88w8618_timer_state *t;
852 
853     switch (offset) {
854     case MP_PIT_TIMER1_VALUE ... MP_PIT_TIMER4_VALUE:
855         t = &s->timer[(offset-MP_PIT_TIMER1_VALUE) >> 2];
856         return ptimer_get_count(t->ptimer);
857 
858     default:
859         return 0;
860     }
861 }
862 
863 static void mv88w8618_pit_write(void *opaque, hwaddr offset,
864                                 uint64_t value, unsigned size)
865 {
866     mv88w8618_pit_state *s = opaque;
867     mv88w8618_timer_state *t;
868     int i;
869 
870     switch (offset) {
871     case MP_PIT_TIMER1_LENGTH ... MP_PIT_TIMER4_LENGTH:
872         t = &s->timer[offset >> 2];
873         t->limit = value;
874         ptimer_transaction_begin(t->ptimer);
875         if (t->limit > 0) {
876             ptimer_set_limit(t->ptimer, t->limit, 1);
877         } else {
878             ptimer_stop(t->ptimer);
879         }
880         ptimer_transaction_commit(t->ptimer);
881         break;
882 
883     case MP_PIT_CONTROL:
884         for (i = 0; i < 4; i++) {
885             t = &s->timer[i];
886             ptimer_transaction_begin(t->ptimer);
887             if (value & 0xf && t->limit > 0) {
888                 ptimer_set_limit(t->ptimer, t->limit, 0);
889                 ptimer_set_freq(t->ptimer, t->freq);
890                 ptimer_run(t->ptimer, 0);
891             } else {
892                 ptimer_stop(t->ptimer);
893             }
894             ptimer_transaction_commit(t->ptimer);
895             value >>= 4;
896         }
897         break;
898 
899     case MP_BOARD_RESET:
900         if (value == MP_BOARD_RESET_MAGIC) {
901             qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
902         }
903         break;
904     }
905 }
906 
907 static void mv88w8618_pit_reset(DeviceState *d)
908 {
909     mv88w8618_pit_state *s = MV88W8618_PIT(d);
910     int i;
911 
912     for (i = 0; i < 4; i++) {
913         mv88w8618_timer_state *t = &s->timer[i];
914         ptimer_transaction_begin(t->ptimer);
915         ptimer_stop(t->ptimer);
916         ptimer_transaction_commit(t->ptimer);
917         t->limit = 0;
918     }
919 }
920 
921 static const MemoryRegionOps mv88w8618_pit_ops = {
922     .read = mv88w8618_pit_read,
923     .write = mv88w8618_pit_write,
924     .endianness = DEVICE_NATIVE_ENDIAN,
925 };
926 
927 static void mv88w8618_pit_init(Object *obj)
928 {
929     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
930     mv88w8618_pit_state *s = MV88W8618_PIT(dev);
931     int i;
932 
933     /* Letting them all run at 1 MHz is likely just a pragmatic
934      * simplification. */
935     for (i = 0; i < 4; i++) {
936         mv88w8618_timer_init(dev, &s->timer[i], 1000000);
937     }
938 
939     memory_region_init_io(&s->iomem, obj, &mv88w8618_pit_ops, s,
940                           "musicpal-pit", MP_PIT_SIZE);
941     sysbus_init_mmio(dev, &s->iomem);
942 }
943 
944 static void mv88w8618_pit_finalize(Object *obj)
945 {
946     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
947     mv88w8618_pit_state *s = MV88W8618_PIT(dev);
948     int i;
949 
950     for (i = 0; i < 4; i++) {
951         ptimer_free(s->timer[i].ptimer);
952     }
953 }
954 
955 static const VMStateDescription mv88w8618_timer_vmsd = {
956     .name = "timer",
957     .version_id = 1,
958     .minimum_version_id = 1,
959     .fields = (VMStateField[]) {
960         VMSTATE_PTIMER(ptimer, mv88w8618_timer_state),
961         VMSTATE_UINT32(limit, mv88w8618_timer_state),
962         VMSTATE_END_OF_LIST()
963     }
964 };
965 
966 static const VMStateDescription mv88w8618_pit_vmsd = {
967     .name = "mv88w8618_pit",
968     .version_id = 1,
969     .minimum_version_id = 1,
970     .fields = (VMStateField[]) {
971         VMSTATE_STRUCT_ARRAY(timer, mv88w8618_pit_state, 4, 1,
972                              mv88w8618_timer_vmsd, mv88w8618_timer_state),
973         VMSTATE_END_OF_LIST()
974     }
975 };
976 
977 static void mv88w8618_pit_class_init(ObjectClass *klass, void *data)
978 {
979     DeviceClass *dc = DEVICE_CLASS(klass);
980 
981     dc->reset = mv88w8618_pit_reset;
982     dc->vmsd = &mv88w8618_pit_vmsd;
983 }
984 
985 static const TypeInfo mv88w8618_pit_info = {
986     .name          = TYPE_MV88W8618_PIT,
987     .parent        = TYPE_SYS_BUS_DEVICE,
988     .instance_size = sizeof(mv88w8618_pit_state),
989     .instance_init = mv88w8618_pit_init,
990     .instance_finalize = mv88w8618_pit_finalize,
991     .class_init    = mv88w8618_pit_class_init,
992 };
993 
994 /* Flash config register offsets */
995 #define MP_FLASHCFG_CFGR0    0x04
996 
997 #define TYPE_MV88W8618_FLASHCFG "mv88w8618_flashcfg"
998 OBJECT_DECLARE_SIMPLE_TYPE(mv88w8618_flashcfg_state, MV88W8618_FLASHCFG)
999 
1000 struct mv88w8618_flashcfg_state {
1001     /*< private >*/
1002     SysBusDevice parent_obj;
1003     /*< public >*/
1004 
1005     MemoryRegion iomem;
1006     uint32_t cfgr0;
1007 };
1008 
1009 static uint64_t mv88w8618_flashcfg_read(void *opaque,
1010                                         hwaddr offset,
1011                                         unsigned size)
1012 {
1013     mv88w8618_flashcfg_state *s = opaque;
1014 
1015     switch (offset) {
1016     case MP_FLASHCFG_CFGR0:
1017         return s->cfgr0;
1018 
1019     default:
1020         return 0;
1021     }
1022 }
1023 
1024 static void mv88w8618_flashcfg_write(void *opaque, hwaddr offset,
1025                                      uint64_t value, unsigned size)
1026 {
1027     mv88w8618_flashcfg_state *s = opaque;
1028 
1029     switch (offset) {
1030     case MP_FLASHCFG_CFGR0:
1031         s->cfgr0 = value;
1032         break;
1033     }
1034 }
1035 
1036 static const MemoryRegionOps mv88w8618_flashcfg_ops = {
1037     .read = mv88w8618_flashcfg_read,
1038     .write = mv88w8618_flashcfg_write,
1039     .endianness = DEVICE_NATIVE_ENDIAN,
1040 };
1041 
1042 static void mv88w8618_flashcfg_init(Object *obj)
1043 {
1044     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
1045     mv88w8618_flashcfg_state *s = MV88W8618_FLASHCFG(dev);
1046 
1047     s->cfgr0 = 0xfffe4285; /* Default as set by U-Boot for 8 MB flash */
1048     memory_region_init_io(&s->iomem, obj, &mv88w8618_flashcfg_ops, s,
1049                           "musicpal-flashcfg", MP_FLASHCFG_SIZE);
1050     sysbus_init_mmio(dev, &s->iomem);
1051 }
1052 
1053 static const VMStateDescription mv88w8618_flashcfg_vmsd = {
1054     .name = "mv88w8618_flashcfg",
1055     .version_id = 1,
1056     .minimum_version_id = 1,
1057     .fields = (VMStateField[]) {
1058         VMSTATE_UINT32(cfgr0, mv88w8618_flashcfg_state),
1059         VMSTATE_END_OF_LIST()
1060     }
1061 };
1062 
1063 static void mv88w8618_flashcfg_class_init(ObjectClass *klass, void *data)
1064 {
1065     DeviceClass *dc = DEVICE_CLASS(klass);
1066 
1067     dc->vmsd = &mv88w8618_flashcfg_vmsd;
1068 }
1069 
1070 static const TypeInfo mv88w8618_flashcfg_info = {
1071     .name          = TYPE_MV88W8618_FLASHCFG,
1072     .parent        = TYPE_SYS_BUS_DEVICE,
1073     .instance_size = sizeof(mv88w8618_flashcfg_state),
1074     .instance_init = mv88w8618_flashcfg_init,
1075     .class_init    = mv88w8618_flashcfg_class_init,
1076 };
1077 
1078 /* Misc register offsets */
1079 #define MP_MISC_BOARD_REVISION  0x18
1080 
1081 #define MP_BOARD_REVISION       0x31
1082 
1083 struct MusicPalMiscState {
1084     SysBusDevice parent_obj;
1085     MemoryRegion iomem;
1086 };
1087 
1088 #define TYPE_MUSICPAL_MISC "musicpal-misc"
1089 OBJECT_DECLARE_SIMPLE_TYPE(MusicPalMiscState, MUSICPAL_MISC)
1090 
1091 static uint64_t musicpal_misc_read(void *opaque, hwaddr offset,
1092                                    unsigned size)
1093 {
1094     switch (offset) {
1095     case MP_MISC_BOARD_REVISION:
1096         return MP_BOARD_REVISION;
1097 
1098     default:
1099         return 0;
1100     }
1101 }
1102 
1103 static void musicpal_misc_write(void *opaque, hwaddr offset,
1104                                 uint64_t value, unsigned size)
1105 {
1106 }
1107 
1108 static const MemoryRegionOps musicpal_misc_ops = {
1109     .read = musicpal_misc_read,
1110     .write = musicpal_misc_write,
1111     .endianness = DEVICE_NATIVE_ENDIAN,
1112 };
1113 
1114 static void musicpal_misc_init(Object *obj)
1115 {
1116     SysBusDevice *sd = SYS_BUS_DEVICE(obj);
1117     MusicPalMiscState *s = MUSICPAL_MISC(obj);
1118 
1119     memory_region_init_io(&s->iomem, OBJECT(s), &musicpal_misc_ops, NULL,
1120                           "musicpal-misc", MP_MISC_SIZE);
1121     sysbus_init_mmio(sd, &s->iomem);
1122 }
1123 
1124 static const TypeInfo musicpal_misc_info = {
1125     .name = TYPE_MUSICPAL_MISC,
1126     .parent = TYPE_SYS_BUS_DEVICE,
1127     .instance_init = musicpal_misc_init,
1128     .instance_size = sizeof(MusicPalMiscState),
1129 };
1130 
1131 /* WLAN register offsets */
1132 #define MP_WLAN_MAGIC1          0x11c
1133 #define MP_WLAN_MAGIC2          0x124
1134 
1135 static uint64_t mv88w8618_wlan_read(void *opaque, hwaddr offset,
1136                                     unsigned size)
1137 {
1138     switch (offset) {
1139     /* Workaround to allow loading the binary-only wlandrv.ko crap
1140      * from the original Freecom firmware. */
1141     case MP_WLAN_MAGIC1:
1142         return ~3;
1143     case MP_WLAN_MAGIC2:
1144         return -1;
1145 
1146     default:
1147         return 0;
1148     }
1149 }
1150 
1151 static void mv88w8618_wlan_write(void *opaque, hwaddr offset,
1152                                  uint64_t value, unsigned size)
1153 {
1154 }
1155 
1156 static const MemoryRegionOps mv88w8618_wlan_ops = {
1157     .read = mv88w8618_wlan_read,
1158     .write =mv88w8618_wlan_write,
1159     .endianness = DEVICE_NATIVE_ENDIAN,
1160 };
1161 
1162 static void mv88w8618_wlan_realize(DeviceState *dev, Error **errp)
1163 {
1164     MemoryRegion *iomem = g_new(MemoryRegion, 1);
1165 
1166     memory_region_init_io(iomem, OBJECT(dev), &mv88w8618_wlan_ops, NULL,
1167                           "musicpal-wlan", MP_WLAN_SIZE);
1168     sysbus_init_mmio(SYS_BUS_DEVICE(dev), iomem);
1169 }
1170 
1171 /* GPIO register offsets */
1172 #define MP_GPIO_OE_LO           0x008
1173 #define MP_GPIO_OUT_LO          0x00c
1174 #define MP_GPIO_IN_LO           0x010
1175 #define MP_GPIO_IER_LO          0x014
1176 #define MP_GPIO_IMR_LO          0x018
1177 #define MP_GPIO_ISR_LO          0x020
1178 #define MP_GPIO_OE_HI           0x508
1179 #define MP_GPIO_OUT_HI          0x50c
1180 #define MP_GPIO_IN_HI           0x510
1181 #define MP_GPIO_IER_HI          0x514
1182 #define MP_GPIO_IMR_HI          0x518
1183 #define MP_GPIO_ISR_HI          0x520
1184 
1185 /* GPIO bits & masks */
1186 #define MP_GPIO_LCD_BRIGHTNESS  0x00070000
1187 #define MP_GPIO_I2C_DATA_BIT    29
1188 #define MP_GPIO_I2C_CLOCK_BIT   30
1189 
1190 /* LCD brightness bits in GPIO_OE_HI */
1191 #define MP_OE_LCD_BRIGHTNESS    0x0007
1192 
1193 #define TYPE_MUSICPAL_GPIO "musicpal_gpio"
1194 OBJECT_DECLARE_SIMPLE_TYPE(musicpal_gpio_state, MUSICPAL_GPIO)
1195 
1196 struct musicpal_gpio_state {
1197     /*< private >*/
1198     SysBusDevice parent_obj;
1199     /*< public >*/
1200 
1201     MemoryRegion iomem;
1202     uint32_t lcd_brightness;
1203     uint32_t out_state;
1204     uint32_t in_state;
1205     uint32_t ier;
1206     uint32_t imr;
1207     uint32_t isr;
1208     qemu_irq irq;
1209     qemu_irq out[5]; /* 3 brightness out + 2 lcd (data and clock ) */
1210 };
1211 
1212 static void musicpal_gpio_brightness_update(musicpal_gpio_state *s) {
1213     int i;
1214     uint32_t brightness;
1215 
1216     /* compute brightness ratio */
1217     switch (s->lcd_brightness) {
1218     case 0x00000007:
1219         brightness = 0;
1220         break;
1221 
1222     case 0x00020000:
1223         brightness = 1;
1224         break;
1225 
1226     case 0x00020001:
1227         brightness = 2;
1228         break;
1229 
1230     case 0x00040000:
1231         brightness = 3;
1232         break;
1233 
1234     case 0x00010006:
1235         brightness = 4;
1236         break;
1237 
1238     case 0x00020005:
1239         brightness = 5;
1240         break;
1241 
1242     case 0x00040003:
1243         brightness = 6;
1244         break;
1245 
1246     case 0x00030004:
1247     default:
1248         brightness = 7;
1249     }
1250 
1251     /* set lcd brightness GPIOs  */
1252     for (i = 0; i <= 2; i++) {
1253         qemu_set_irq(s->out[i], (brightness >> i) & 1);
1254     }
1255 }
1256 
1257 static void musicpal_gpio_pin_event(void *opaque, int pin, int level)
1258 {
1259     musicpal_gpio_state *s = opaque;
1260     uint32_t mask = 1 << pin;
1261     uint32_t delta = level << pin;
1262     uint32_t old = s->in_state & mask;
1263 
1264     s->in_state &= ~mask;
1265     s->in_state |= delta;
1266 
1267     if ((old ^ delta) &&
1268         ((level && (s->imr & mask)) || (!level && (s->ier & mask)))) {
1269         s->isr = mask;
1270         qemu_irq_raise(s->irq);
1271     }
1272 }
1273 
1274 static uint64_t musicpal_gpio_read(void *opaque, hwaddr offset,
1275                                    unsigned size)
1276 {
1277     musicpal_gpio_state *s = opaque;
1278 
1279     switch (offset) {
1280     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1281         return s->lcd_brightness & MP_OE_LCD_BRIGHTNESS;
1282 
1283     case MP_GPIO_OUT_LO:
1284         return s->out_state & 0xFFFF;
1285     case MP_GPIO_OUT_HI:
1286         return s->out_state >> 16;
1287 
1288     case MP_GPIO_IN_LO:
1289         return s->in_state & 0xFFFF;
1290     case MP_GPIO_IN_HI:
1291         return s->in_state >> 16;
1292 
1293     case MP_GPIO_IER_LO:
1294         return s->ier & 0xFFFF;
1295     case MP_GPIO_IER_HI:
1296         return s->ier >> 16;
1297 
1298     case MP_GPIO_IMR_LO:
1299         return s->imr & 0xFFFF;
1300     case MP_GPIO_IMR_HI:
1301         return s->imr >> 16;
1302 
1303     case MP_GPIO_ISR_LO:
1304         return s->isr & 0xFFFF;
1305     case MP_GPIO_ISR_HI:
1306         return s->isr >> 16;
1307 
1308     default:
1309         return 0;
1310     }
1311 }
1312 
1313 static void musicpal_gpio_write(void *opaque, hwaddr offset,
1314                                 uint64_t value, unsigned size)
1315 {
1316     musicpal_gpio_state *s = opaque;
1317     switch (offset) {
1318     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1319         s->lcd_brightness = (s->lcd_brightness & MP_GPIO_LCD_BRIGHTNESS) |
1320                          (value & MP_OE_LCD_BRIGHTNESS);
1321         musicpal_gpio_brightness_update(s);
1322         break;
1323 
1324     case MP_GPIO_OUT_LO:
1325         s->out_state = (s->out_state & 0xFFFF0000) | (value & 0xFFFF);
1326         break;
1327     case MP_GPIO_OUT_HI:
1328         s->out_state = (s->out_state & 0xFFFF) | (value << 16);
1329         s->lcd_brightness = (s->lcd_brightness & 0xFFFF) |
1330                             (s->out_state & MP_GPIO_LCD_BRIGHTNESS);
1331         musicpal_gpio_brightness_update(s);
1332         qemu_set_irq(s->out[3], (s->out_state >> MP_GPIO_I2C_DATA_BIT) & 1);
1333         qemu_set_irq(s->out[4], (s->out_state >> MP_GPIO_I2C_CLOCK_BIT) & 1);
1334         break;
1335 
1336     case MP_GPIO_IER_LO:
1337         s->ier = (s->ier & 0xFFFF0000) | (value & 0xFFFF);
1338         break;
1339     case MP_GPIO_IER_HI:
1340         s->ier = (s->ier & 0xFFFF) | (value << 16);
1341         break;
1342 
1343     case MP_GPIO_IMR_LO:
1344         s->imr = (s->imr & 0xFFFF0000) | (value & 0xFFFF);
1345         break;
1346     case MP_GPIO_IMR_HI:
1347         s->imr = (s->imr & 0xFFFF) | (value << 16);
1348         break;
1349     }
1350 }
1351 
1352 static const MemoryRegionOps musicpal_gpio_ops = {
1353     .read = musicpal_gpio_read,
1354     .write = musicpal_gpio_write,
1355     .endianness = DEVICE_NATIVE_ENDIAN,
1356 };
1357 
1358 static void musicpal_gpio_reset(DeviceState *d)
1359 {
1360     musicpal_gpio_state *s = MUSICPAL_GPIO(d);
1361 
1362     s->lcd_brightness = 0;
1363     s->out_state = 0;
1364     s->in_state = 0xffffffff;
1365     s->ier = 0;
1366     s->imr = 0;
1367     s->isr = 0;
1368 }
1369 
1370 static void musicpal_gpio_init(Object *obj)
1371 {
1372     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
1373     DeviceState *dev = DEVICE(sbd);
1374     musicpal_gpio_state *s = MUSICPAL_GPIO(dev);
1375 
1376     sysbus_init_irq(sbd, &s->irq);
1377 
1378     memory_region_init_io(&s->iomem, obj, &musicpal_gpio_ops, s,
1379                           "musicpal-gpio", MP_GPIO_SIZE);
1380     sysbus_init_mmio(sbd, &s->iomem);
1381 
1382     qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1383 
1384     qdev_init_gpio_in(dev, musicpal_gpio_pin_event, 32);
1385 }
1386 
1387 static const VMStateDescription musicpal_gpio_vmsd = {
1388     .name = "musicpal_gpio",
1389     .version_id = 1,
1390     .minimum_version_id = 1,
1391     .fields = (VMStateField[]) {
1392         VMSTATE_UINT32(lcd_brightness, musicpal_gpio_state),
1393         VMSTATE_UINT32(out_state, musicpal_gpio_state),
1394         VMSTATE_UINT32(in_state, musicpal_gpio_state),
1395         VMSTATE_UINT32(ier, musicpal_gpio_state),
1396         VMSTATE_UINT32(imr, musicpal_gpio_state),
1397         VMSTATE_UINT32(isr, musicpal_gpio_state),
1398         VMSTATE_END_OF_LIST()
1399     }
1400 };
1401 
1402 static void musicpal_gpio_class_init(ObjectClass *klass, void *data)
1403 {
1404     DeviceClass *dc = DEVICE_CLASS(klass);
1405 
1406     dc->reset = musicpal_gpio_reset;
1407     dc->vmsd = &musicpal_gpio_vmsd;
1408 }
1409 
1410 static const TypeInfo musicpal_gpio_info = {
1411     .name          = TYPE_MUSICPAL_GPIO,
1412     .parent        = TYPE_SYS_BUS_DEVICE,
1413     .instance_size = sizeof(musicpal_gpio_state),
1414     .instance_init = musicpal_gpio_init,
1415     .class_init    = musicpal_gpio_class_init,
1416 };
1417 
1418 /* Keyboard codes & masks */
1419 #define KEY_RELEASED            0x80
1420 #define KEY_CODE                0x7f
1421 
1422 #define KEYCODE_TAB             0x0f
1423 #define KEYCODE_ENTER           0x1c
1424 #define KEYCODE_F               0x21
1425 #define KEYCODE_M               0x32
1426 
1427 #define KEYCODE_EXTENDED        0xe0
1428 #define KEYCODE_UP              0x48
1429 #define KEYCODE_DOWN            0x50
1430 #define KEYCODE_LEFT            0x4b
1431 #define KEYCODE_RIGHT           0x4d
1432 
1433 #define MP_KEY_WHEEL_VOL       (1 << 0)
1434 #define MP_KEY_WHEEL_VOL_INV   (1 << 1)
1435 #define MP_KEY_WHEEL_NAV       (1 << 2)
1436 #define MP_KEY_WHEEL_NAV_INV   (1 << 3)
1437 #define MP_KEY_BTN_FAVORITS    (1 << 4)
1438 #define MP_KEY_BTN_MENU        (1 << 5)
1439 #define MP_KEY_BTN_VOLUME      (1 << 6)
1440 #define MP_KEY_BTN_NAVIGATION  (1 << 7)
1441 
1442 #define TYPE_MUSICPAL_KEY "musicpal_key"
1443 OBJECT_DECLARE_SIMPLE_TYPE(musicpal_key_state, MUSICPAL_KEY)
1444 
1445 struct musicpal_key_state {
1446     /*< private >*/
1447     SysBusDevice parent_obj;
1448     /*< public >*/
1449 
1450     MemoryRegion iomem;
1451     uint32_t kbd_extended;
1452     uint32_t pressed_keys;
1453     qemu_irq out[8];
1454 };
1455 
1456 static void musicpal_key_event(void *opaque, int keycode)
1457 {
1458     musicpal_key_state *s = opaque;
1459     uint32_t event = 0;
1460     int i;
1461 
1462     if (keycode == KEYCODE_EXTENDED) {
1463         s->kbd_extended = 1;
1464         return;
1465     }
1466 
1467     if (s->kbd_extended) {
1468         switch (keycode & KEY_CODE) {
1469         case KEYCODE_UP:
1470             event = MP_KEY_WHEEL_NAV | MP_KEY_WHEEL_NAV_INV;
1471             break;
1472 
1473         case KEYCODE_DOWN:
1474             event = MP_KEY_WHEEL_NAV;
1475             break;
1476 
1477         case KEYCODE_LEFT:
1478             event = MP_KEY_WHEEL_VOL | MP_KEY_WHEEL_VOL_INV;
1479             break;
1480 
1481         case KEYCODE_RIGHT:
1482             event = MP_KEY_WHEEL_VOL;
1483             break;
1484         }
1485     } else {
1486         switch (keycode & KEY_CODE) {
1487         case KEYCODE_F:
1488             event = MP_KEY_BTN_FAVORITS;
1489             break;
1490 
1491         case KEYCODE_TAB:
1492             event = MP_KEY_BTN_VOLUME;
1493             break;
1494 
1495         case KEYCODE_ENTER:
1496             event = MP_KEY_BTN_NAVIGATION;
1497             break;
1498 
1499         case KEYCODE_M:
1500             event = MP_KEY_BTN_MENU;
1501             break;
1502         }
1503         /* Do not repeat already pressed buttons */
1504         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1505             event = 0;
1506         }
1507     }
1508 
1509     if (event) {
1510         /* Raise GPIO pin first if repeating a key */
1511         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1512             for (i = 0; i <= 7; i++) {
1513                 if (event & (1 << i)) {
1514                     qemu_set_irq(s->out[i], 1);
1515                 }
1516             }
1517         }
1518         for (i = 0; i <= 7; i++) {
1519             if (event & (1 << i)) {
1520                 qemu_set_irq(s->out[i], !!(keycode & KEY_RELEASED));
1521             }
1522         }
1523         if (keycode & KEY_RELEASED) {
1524             s->pressed_keys &= ~event;
1525         } else {
1526             s->pressed_keys |= event;
1527         }
1528     }
1529 
1530     s->kbd_extended = 0;
1531 }
1532 
1533 static void musicpal_key_init(Object *obj)
1534 {
1535     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
1536     DeviceState *dev = DEVICE(sbd);
1537     musicpal_key_state *s = MUSICPAL_KEY(dev);
1538 
1539     memory_region_init(&s->iomem, obj, "dummy", 0);
1540     sysbus_init_mmio(sbd, &s->iomem);
1541 
1542     s->kbd_extended = 0;
1543     s->pressed_keys = 0;
1544 
1545     qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1546 
1547     qemu_add_kbd_event_handler(musicpal_key_event, s);
1548 }
1549 
1550 static const VMStateDescription musicpal_key_vmsd = {
1551     .name = "musicpal_key",
1552     .version_id = 1,
1553     .minimum_version_id = 1,
1554     .fields = (VMStateField[]) {
1555         VMSTATE_UINT32(kbd_extended, musicpal_key_state),
1556         VMSTATE_UINT32(pressed_keys, musicpal_key_state),
1557         VMSTATE_END_OF_LIST()
1558     }
1559 };
1560 
1561 static void musicpal_key_class_init(ObjectClass *klass, void *data)
1562 {
1563     DeviceClass *dc = DEVICE_CLASS(klass);
1564 
1565     dc->vmsd = &musicpal_key_vmsd;
1566 }
1567 
1568 static const TypeInfo musicpal_key_info = {
1569     .name          = TYPE_MUSICPAL_KEY,
1570     .parent        = TYPE_SYS_BUS_DEVICE,
1571     .instance_size = sizeof(musicpal_key_state),
1572     .instance_init = musicpal_key_init,
1573     .class_init    = musicpal_key_class_init,
1574 };
1575 
1576 static struct arm_boot_info musicpal_binfo = {
1577     .loader_start = 0x0,
1578     .board_id = 0x20e,
1579 };
1580 
1581 static void musicpal_init(MachineState *machine)
1582 {
1583     ARMCPU *cpu;
1584     DeviceState *dev;
1585     DeviceState *pic;
1586     DeviceState *uart_orgate;
1587     DeviceState *i2c_dev;
1588     DeviceState *lcd_dev;
1589     DeviceState *key_dev;
1590     I2CSlave *wm8750_dev;
1591     SysBusDevice *s;
1592     I2CBus *i2c;
1593     int i;
1594     unsigned long flash_size;
1595     DriveInfo *dinfo;
1596     MachineClass *mc = MACHINE_GET_CLASS(machine);
1597     MemoryRegion *address_space_mem = get_system_memory();
1598     MemoryRegion *sram = g_new(MemoryRegion, 1);
1599 
1600     /* For now we use a fixed - the original - RAM size */
1601     if (machine->ram_size != mc->default_ram_size) {
1602         char *sz = size_to_str(mc->default_ram_size);
1603         error_report("Invalid RAM size, should be %s", sz);
1604         g_free(sz);
1605         exit(EXIT_FAILURE);
1606     }
1607 
1608     cpu = ARM_CPU(cpu_create(machine->cpu_type));
1609 
1610     memory_region_add_subregion(address_space_mem, 0, machine->ram);
1611 
1612     memory_region_init_ram(sram, NULL, "musicpal.sram", MP_SRAM_SIZE,
1613                            &error_fatal);
1614     memory_region_add_subregion(address_space_mem, MP_SRAM_BASE, sram);
1615 
1616     pic = sysbus_create_simple(TYPE_MV88W8618_PIC, MP_PIC_BASE,
1617                                qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));
1618     sysbus_create_varargs(TYPE_MV88W8618_PIT, MP_PIT_BASE,
1619                           qdev_get_gpio_in(pic, MP_TIMER1_IRQ),
1620                           qdev_get_gpio_in(pic, MP_TIMER2_IRQ),
1621                           qdev_get_gpio_in(pic, MP_TIMER3_IRQ),
1622                           qdev_get_gpio_in(pic, MP_TIMER4_IRQ), NULL);
1623 
1624     /* Logically OR both UART IRQs together */
1625     uart_orgate = DEVICE(object_new(TYPE_OR_IRQ));
1626     object_property_set_int(OBJECT(uart_orgate), "num-lines", 2, &error_fatal);
1627     qdev_realize_and_unref(uart_orgate, NULL, &error_fatal);
1628     qdev_connect_gpio_out(DEVICE(uart_orgate), 0,
1629                           qdev_get_gpio_in(pic, MP_UART_SHARED_IRQ));
1630 
1631     serial_mm_init(address_space_mem, MP_UART1_BASE, 2,
1632                    qdev_get_gpio_in(uart_orgate, 0),
1633                    1825000, serial_hd(0), DEVICE_NATIVE_ENDIAN);
1634     serial_mm_init(address_space_mem, MP_UART2_BASE, 2,
1635                    qdev_get_gpio_in(uart_orgate, 1),
1636                    1825000, serial_hd(1), DEVICE_NATIVE_ENDIAN);
1637 
1638     /* Register flash */
1639     dinfo = drive_get(IF_PFLASH, 0, 0);
1640     if (dinfo) {
1641         BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
1642 
1643         flash_size = blk_getlength(blk);
1644         if (flash_size != 8*1024*1024 && flash_size != 16*1024*1024 &&
1645             flash_size != 32*1024*1024) {
1646             error_report("Invalid flash image size");
1647             exit(1);
1648         }
1649 
1650         /*
1651          * The original U-Boot accesses the flash at 0xFE000000 instead of
1652          * 0xFF800000 (if there is 8 MB flash). So remap flash access if the
1653          * image is smaller than 32 MB.
1654          */
1655         pflash_cfi02_register(0x100000000ULL - MP_FLASH_SIZE_MAX,
1656                               "musicpal.flash", flash_size,
1657                               blk, 0x10000,
1658                               MP_FLASH_SIZE_MAX / flash_size,
1659                               2, 0x00BF, 0x236D, 0x0000, 0x0000,
1660                               0x5555, 0x2AAA, 0);
1661     }
1662     sysbus_create_simple(TYPE_MV88W8618_FLASHCFG, MP_FLASHCFG_BASE, NULL);
1663 
1664     qemu_check_nic_model(&nd_table[0], "mv88w8618");
1665     dev = qdev_new(TYPE_MV88W8618_ETH);
1666     qdev_set_nic_properties(dev, &nd_table[0]);
1667     object_property_set_link(OBJECT(dev), "dma-memory",
1668                              OBJECT(get_system_memory()), &error_fatal);
1669     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
1670     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, MP_ETH_BASE);
1671     sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0,
1672                        qdev_get_gpio_in(pic, MP_ETH_IRQ));
1673 
1674     sysbus_create_simple("mv88w8618_wlan", MP_WLAN_BASE, NULL);
1675 
1676     sysbus_create_simple(TYPE_MUSICPAL_MISC, MP_MISC_BASE, NULL);
1677 
1678     dev = sysbus_create_simple(TYPE_MUSICPAL_GPIO, MP_GPIO_BASE,
1679                                qdev_get_gpio_in(pic, MP_GPIO_IRQ));
1680     i2c_dev = sysbus_create_simple("gpio_i2c", -1, NULL);
1681     i2c = (I2CBus *)qdev_get_child_bus(i2c_dev, "i2c");
1682 
1683     lcd_dev = sysbus_create_simple(TYPE_MUSICPAL_LCD, MP_LCD_BASE, NULL);
1684     key_dev = sysbus_create_simple(TYPE_MUSICPAL_KEY, -1, NULL);
1685 
1686     /* I2C read data */
1687     qdev_connect_gpio_out(i2c_dev, 0,
1688                           qdev_get_gpio_in(dev, MP_GPIO_I2C_DATA_BIT));
1689     /* I2C data */
1690     qdev_connect_gpio_out(dev, 3, qdev_get_gpio_in(i2c_dev, 0));
1691     /* I2C clock */
1692     qdev_connect_gpio_out(dev, 4, qdev_get_gpio_in(i2c_dev, 1));
1693 
1694     for (i = 0; i < 3; i++) {
1695         qdev_connect_gpio_out(dev, i, qdev_get_gpio_in(lcd_dev, i));
1696     }
1697     for (i = 0; i < 4; i++) {
1698         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 8));
1699     }
1700     for (i = 4; i < 8; i++) {
1701         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 15));
1702     }
1703 
1704     wm8750_dev = i2c_slave_create_simple(i2c, TYPE_WM8750, MP_WM_ADDR);
1705     dev = qdev_new(TYPE_MV88W8618_AUDIO);
1706     s = SYS_BUS_DEVICE(dev);
1707     object_property_set_link(OBJECT(dev), "wm8750", OBJECT(wm8750_dev),
1708                              NULL);
1709     sysbus_realize_and_unref(s, &error_fatal);
1710     sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
1711     sysbus_connect_irq(s, 0, qdev_get_gpio_in(pic, MP_AUDIO_IRQ));
1712 
1713     musicpal_binfo.ram_size = MP_RAM_DEFAULT_SIZE;
1714     arm_load_kernel(cpu, machine, &musicpal_binfo);
1715 }
1716 
1717 static void musicpal_machine_init(MachineClass *mc)
1718 {
1719     mc->desc = "Marvell 88w8618 / MusicPal (ARM926EJ-S)";
1720     mc->init = musicpal_init;
1721     mc->ignore_memory_transaction_failures = true;
1722     mc->default_cpu_type = ARM_CPU_TYPE_NAME("arm926");
1723     mc->default_ram_size = MP_RAM_DEFAULT_SIZE;
1724     mc->default_ram_id = "musicpal.ram";
1725 }
1726 
1727 DEFINE_MACHINE("musicpal", musicpal_machine_init)
1728 
1729 static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
1730 {
1731     DeviceClass *dc = DEVICE_CLASS(klass);
1732 
1733     dc->realize = mv88w8618_wlan_realize;
1734 }
1735 
1736 static const TypeInfo mv88w8618_wlan_info = {
1737     .name          = "mv88w8618_wlan",
1738     .parent        = TYPE_SYS_BUS_DEVICE,
1739     .instance_size = sizeof(SysBusDevice),
1740     .class_init    = mv88w8618_wlan_class_init,
1741 };
1742 
1743 static void musicpal_register_types(void)
1744 {
1745     type_register_static(&mv88w8618_pic_info);
1746     type_register_static(&mv88w8618_pit_info);
1747     type_register_static(&mv88w8618_flashcfg_info);
1748     type_register_static(&mv88w8618_eth_info);
1749     type_register_static(&mv88w8618_wlan_info);
1750     type_register_static(&musicpal_lcd_info);
1751     type_register_static(&musicpal_gpio_info);
1752     type_register_static(&musicpal_key_info);
1753     type_register_static(&musicpal_misc_info);
1754 }
1755 
1756 type_init(musicpal_register_types)
1757