xref: /openbmc/qemu/hw/arm/musicpal.c (revision 31cf4b97)
1 /*
2  * Marvell MV88W8618 / Freecom MusicPal emulation.
3  *
4  * Copyright (c) 2008 Jan Kiszka
5  *
6  * This code is licensed under the GNU GPL v2.
7  *
8  * Contributions after 2012-01-13 are licensed under the terms of the
9  * GNU GPL, version 2 or (at your option) any later version.
10  */
11 
12 #include "qemu/osdep.h"
13 #include "qapi/error.h"
14 #include "qemu-common.h"
15 #include "cpu.h"
16 #include "hw/sysbus.h"
17 #include "hw/arm/arm.h"
18 #include "hw/devices.h"
19 #include "net/net.h"
20 #include "sysemu/sysemu.h"
21 #include "hw/boards.h"
22 #include "hw/char/serial.h"
23 #include "qemu/timer.h"
24 #include "hw/ptimer.h"
25 #include "hw/block/flash.h"
26 #include "ui/console.h"
27 #include "hw/i2c/i2c.h"
28 #include "hw/audio/wm8750.h"
29 #include "sysemu/block-backend.h"
30 #include "exec/address-spaces.h"
31 #include "ui/pixel_ops.h"
32 
33 #define MP_MISC_BASE            0x80002000
34 #define MP_MISC_SIZE            0x00001000
35 
36 #define MP_ETH_BASE             0x80008000
37 #define MP_ETH_SIZE             0x00001000
38 
39 #define MP_WLAN_BASE            0x8000C000
40 #define MP_WLAN_SIZE            0x00000800
41 
42 #define MP_UART1_BASE           0x8000C840
43 #define MP_UART2_BASE           0x8000C940
44 
45 #define MP_GPIO_BASE            0x8000D000
46 #define MP_GPIO_SIZE            0x00001000
47 
48 #define MP_FLASHCFG_BASE        0x90006000
49 #define MP_FLASHCFG_SIZE        0x00001000
50 
51 #define MP_AUDIO_BASE           0x90007000
52 
53 #define MP_PIC_BASE             0x90008000
54 #define MP_PIC_SIZE             0x00001000
55 
56 #define MP_PIT_BASE             0x90009000
57 #define MP_PIT_SIZE             0x00001000
58 
59 #define MP_LCD_BASE             0x9000c000
60 #define MP_LCD_SIZE             0x00001000
61 
62 #define MP_SRAM_BASE            0xC0000000
63 #define MP_SRAM_SIZE            0x00020000
64 
65 #define MP_RAM_DEFAULT_SIZE     32*1024*1024
66 #define MP_FLASH_SIZE_MAX       32*1024*1024
67 
68 #define MP_TIMER1_IRQ           4
69 #define MP_TIMER2_IRQ           5
70 #define MP_TIMER3_IRQ           6
71 #define MP_TIMER4_IRQ           7
72 #define MP_EHCI_IRQ             8
73 #define MP_ETH_IRQ              9
74 #define MP_UART1_IRQ            11
75 #define MP_UART2_IRQ            11
76 #define MP_GPIO_IRQ             12
77 #define MP_RTC_IRQ              28
78 #define MP_AUDIO_IRQ            30
79 
80 /* Wolfson 8750 I2C address */
81 #define MP_WM_ADDR              0x1A
82 
83 /* Ethernet register offsets */
84 #define MP_ETH_SMIR             0x010
85 #define MP_ETH_PCXR             0x408
86 #define MP_ETH_SDCMR            0x448
87 #define MP_ETH_ICR              0x450
88 #define MP_ETH_IMR              0x458
89 #define MP_ETH_FRDP0            0x480
90 #define MP_ETH_FRDP1            0x484
91 #define MP_ETH_FRDP2            0x488
92 #define MP_ETH_FRDP3            0x48C
93 #define MP_ETH_CRDP0            0x4A0
94 #define MP_ETH_CRDP1            0x4A4
95 #define MP_ETH_CRDP2            0x4A8
96 #define MP_ETH_CRDP3            0x4AC
97 #define MP_ETH_CTDP0            0x4E0
98 #define MP_ETH_CTDP1            0x4E4
99 
100 /* MII PHY access */
101 #define MP_ETH_SMIR_DATA        0x0000FFFF
102 #define MP_ETH_SMIR_ADDR        0x03FF0000
103 #define MP_ETH_SMIR_OPCODE      (1 << 26) /* Read value */
104 #define MP_ETH_SMIR_RDVALID     (1 << 27)
105 
106 /* PHY registers */
107 #define MP_ETH_PHY1_BMSR        0x00210000
108 #define MP_ETH_PHY1_PHYSID1     0x00410000
109 #define MP_ETH_PHY1_PHYSID2     0x00610000
110 
111 #define MP_PHY_BMSR_LINK        0x0004
112 #define MP_PHY_BMSR_AUTONEG     0x0008
113 
114 #define MP_PHY_88E3015          0x01410E20
115 
116 /* TX descriptor status */
117 #define MP_ETH_TX_OWN           (1U << 31)
118 
119 /* RX descriptor status */
120 #define MP_ETH_RX_OWN           (1U << 31)
121 
122 /* Interrupt cause/mask bits */
123 #define MP_ETH_IRQ_RX_BIT       0
124 #define MP_ETH_IRQ_RX           (1 << MP_ETH_IRQ_RX_BIT)
125 #define MP_ETH_IRQ_TXHI_BIT     2
126 #define MP_ETH_IRQ_TXLO_BIT     3
127 
128 /* Port config bits */
129 #define MP_ETH_PCXR_2BSM_BIT    28 /* 2-byte incoming suffix */
130 
131 /* SDMA command bits */
132 #define MP_ETH_CMD_TXHI         (1 << 23)
133 #define MP_ETH_CMD_TXLO         (1 << 22)
134 
135 typedef struct mv88w8618_tx_desc {
136     uint32_t cmdstat;
137     uint16_t res;
138     uint16_t bytes;
139     uint32_t buffer;
140     uint32_t next;
141 } mv88w8618_tx_desc;
142 
143 typedef struct mv88w8618_rx_desc {
144     uint32_t cmdstat;
145     uint16_t bytes;
146     uint16_t buffer_size;
147     uint32_t buffer;
148     uint32_t next;
149 } mv88w8618_rx_desc;
150 
151 #define TYPE_MV88W8618_ETH "mv88w8618_eth"
152 #define MV88W8618_ETH(obj) \
153     OBJECT_CHECK(mv88w8618_eth_state, (obj), TYPE_MV88W8618_ETH)
154 
155 typedef struct mv88w8618_eth_state {
156     /*< private >*/
157     SysBusDevice parent_obj;
158     /*< public >*/
159 
160     MemoryRegion iomem;
161     qemu_irq irq;
162     uint32_t smir;
163     uint32_t icr;
164     uint32_t imr;
165     int mmio_index;
166     uint32_t vlan_header;
167     uint32_t tx_queue[2];
168     uint32_t rx_queue[4];
169     uint32_t frx_queue[4];
170     uint32_t cur_rx[4];
171     NICState *nic;
172     NICConf conf;
173 } mv88w8618_eth_state;
174 
175 static void eth_rx_desc_put(uint32_t addr, mv88w8618_rx_desc *desc)
176 {
177     cpu_to_le32s(&desc->cmdstat);
178     cpu_to_le16s(&desc->bytes);
179     cpu_to_le16s(&desc->buffer_size);
180     cpu_to_le32s(&desc->buffer);
181     cpu_to_le32s(&desc->next);
182     cpu_physical_memory_write(addr, desc, sizeof(*desc));
183 }
184 
185 static void eth_rx_desc_get(uint32_t addr, mv88w8618_rx_desc *desc)
186 {
187     cpu_physical_memory_read(addr, desc, sizeof(*desc));
188     le32_to_cpus(&desc->cmdstat);
189     le16_to_cpus(&desc->bytes);
190     le16_to_cpus(&desc->buffer_size);
191     le32_to_cpus(&desc->buffer);
192     le32_to_cpus(&desc->next);
193 }
194 
195 static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
196 {
197     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
198     uint32_t desc_addr;
199     mv88w8618_rx_desc desc;
200     int i;
201 
202     for (i = 0; i < 4; i++) {
203         desc_addr = s->cur_rx[i];
204         if (!desc_addr) {
205             continue;
206         }
207         do {
208             eth_rx_desc_get(desc_addr, &desc);
209             if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
210                 cpu_physical_memory_write(desc.buffer + s->vlan_header,
211                                           buf, size);
212                 desc.bytes = size + s->vlan_header;
213                 desc.cmdstat &= ~MP_ETH_RX_OWN;
214                 s->cur_rx[i] = desc.next;
215 
216                 s->icr |= MP_ETH_IRQ_RX;
217                 if (s->icr & s->imr) {
218                     qemu_irq_raise(s->irq);
219                 }
220                 eth_rx_desc_put(desc_addr, &desc);
221                 return size;
222             }
223             desc_addr = desc.next;
224         } while (desc_addr != s->rx_queue[i]);
225     }
226     return size;
227 }
228 
229 static void eth_tx_desc_put(uint32_t addr, mv88w8618_tx_desc *desc)
230 {
231     cpu_to_le32s(&desc->cmdstat);
232     cpu_to_le16s(&desc->res);
233     cpu_to_le16s(&desc->bytes);
234     cpu_to_le32s(&desc->buffer);
235     cpu_to_le32s(&desc->next);
236     cpu_physical_memory_write(addr, desc, sizeof(*desc));
237 }
238 
239 static void eth_tx_desc_get(uint32_t addr, mv88w8618_tx_desc *desc)
240 {
241     cpu_physical_memory_read(addr, desc, sizeof(*desc));
242     le32_to_cpus(&desc->cmdstat);
243     le16_to_cpus(&desc->res);
244     le16_to_cpus(&desc->bytes);
245     le32_to_cpus(&desc->buffer);
246     le32_to_cpus(&desc->next);
247 }
248 
249 static void eth_send(mv88w8618_eth_state *s, int queue_index)
250 {
251     uint32_t desc_addr = s->tx_queue[queue_index];
252     mv88w8618_tx_desc desc;
253     uint32_t next_desc;
254     uint8_t buf[2048];
255     int len;
256 
257     do {
258         eth_tx_desc_get(desc_addr, &desc);
259         next_desc = desc.next;
260         if (desc.cmdstat & MP_ETH_TX_OWN) {
261             len = desc.bytes;
262             if (len < 2048) {
263                 cpu_physical_memory_read(desc.buffer, buf, len);
264                 qemu_send_packet(qemu_get_queue(s->nic), buf, len);
265             }
266             desc.cmdstat &= ~MP_ETH_TX_OWN;
267             s->icr |= 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index);
268             eth_tx_desc_put(desc_addr, &desc);
269         }
270         desc_addr = next_desc;
271     } while (desc_addr != s->tx_queue[queue_index]);
272 }
273 
274 static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
275                                    unsigned size)
276 {
277     mv88w8618_eth_state *s = opaque;
278 
279     switch (offset) {
280     case MP_ETH_SMIR:
281         if (s->smir & MP_ETH_SMIR_OPCODE) {
282             switch (s->smir & MP_ETH_SMIR_ADDR) {
283             case MP_ETH_PHY1_BMSR:
284                 return MP_PHY_BMSR_LINK | MP_PHY_BMSR_AUTONEG |
285                        MP_ETH_SMIR_RDVALID;
286             case MP_ETH_PHY1_PHYSID1:
287                 return (MP_PHY_88E3015 >> 16) | MP_ETH_SMIR_RDVALID;
288             case MP_ETH_PHY1_PHYSID2:
289                 return (MP_PHY_88E3015 & 0xFFFF) | MP_ETH_SMIR_RDVALID;
290             default:
291                 return MP_ETH_SMIR_RDVALID;
292             }
293         }
294         return 0;
295 
296     case MP_ETH_ICR:
297         return s->icr;
298 
299     case MP_ETH_IMR:
300         return s->imr;
301 
302     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
303         return s->frx_queue[(offset - MP_ETH_FRDP0)/4];
304 
305     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
306         return s->rx_queue[(offset - MP_ETH_CRDP0)/4];
307 
308     case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
309         return s->tx_queue[(offset - MP_ETH_CTDP0)/4];
310 
311     default:
312         return 0;
313     }
314 }
315 
316 static void mv88w8618_eth_write(void *opaque, hwaddr offset,
317                                 uint64_t value, unsigned size)
318 {
319     mv88w8618_eth_state *s = opaque;
320 
321     switch (offset) {
322     case MP_ETH_SMIR:
323         s->smir = value;
324         break;
325 
326     case MP_ETH_PCXR:
327         s->vlan_header = ((value >> MP_ETH_PCXR_2BSM_BIT) & 1) * 2;
328         break;
329 
330     case MP_ETH_SDCMR:
331         if (value & MP_ETH_CMD_TXHI) {
332             eth_send(s, 1);
333         }
334         if (value & MP_ETH_CMD_TXLO) {
335             eth_send(s, 0);
336         }
337         if (value & (MP_ETH_CMD_TXHI | MP_ETH_CMD_TXLO) && s->icr & s->imr) {
338             qemu_irq_raise(s->irq);
339         }
340         break;
341 
342     case MP_ETH_ICR:
343         s->icr &= value;
344         break;
345 
346     case MP_ETH_IMR:
347         s->imr = value;
348         if (s->icr & s->imr) {
349             qemu_irq_raise(s->irq);
350         }
351         break;
352 
353     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
354         s->frx_queue[(offset - MP_ETH_FRDP0)/4] = value;
355         break;
356 
357     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
358         s->rx_queue[(offset - MP_ETH_CRDP0)/4] =
359             s->cur_rx[(offset - MP_ETH_CRDP0)/4] = value;
360         break;
361 
362     case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
363         s->tx_queue[(offset - MP_ETH_CTDP0)/4] = value;
364         break;
365     }
366 }
367 
368 static const MemoryRegionOps mv88w8618_eth_ops = {
369     .read = mv88w8618_eth_read,
370     .write = mv88w8618_eth_write,
371     .endianness = DEVICE_NATIVE_ENDIAN,
372 };
373 
374 static void eth_cleanup(NetClientState *nc)
375 {
376     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
377 
378     s->nic = NULL;
379 }
380 
381 static NetClientInfo net_mv88w8618_info = {
382     .type = NET_CLIENT_DRIVER_NIC,
383     .size = sizeof(NICState),
384     .receive = eth_receive,
385     .cleanup = eth_cleanup,
386 };
387 
388 static void mv88w8618_eth_init(Object *obj)
389 {
390     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
391     DeviceState *dev = DEVICE(sbd);
392     mv88w8618_eth_state *s = MV88W8618_ETH(dev);
393 
394     sysbus_init_irq(sbd, &s->irq);
395     memory_region_init_io(&s->iomem, obj, &mv88w8618_eth_ops, s,
396                           "mv88w8618-eth", MP_ETH_SIZE);
397     sysbus_init_mmio(sbd, &s->iomem);
398 }
399 
400 static void mv88w8618_eth_realize(DeviceState *dev, Error **errp)
401 {
402     mv88w8618_eth_state *s = MV88W8618_ETH(dev);
403 
404     s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf,
405                           object_get_typename(OBJECT(dev)), dev->id, s);
406 }
407 
408 static const VMStateDescription mv88w8618_eth_vmsd = {
409     .name = "mv88w8618_eth",
410     .version_id = 1,
411     .minimum_version_id = 1,
412     .fields = (VMStateField[]) {
413         VMSTATE_UINT32(smir, mv88w8618_eth_state),
414         VMSTATE_UINT32(icr, mv88w8618_eth_state),
415         VMSTATE_UINT32(imr, mv88w8618_eth_state),
416         VMSTATE_UINT32(vlan_header, mv88w8618_eth_state),
417         VMSTATE_UINT32_ARRAY(tx_queue, mv88w8618_eth_state, 2),
418         VMSTATE_UINT32_ARRAY(rx_queue, mv88w8618_eth_state, 4),
419         VMSTATE_UINT32_ARRAY(frx_queue, mv88w8618_eth_state, 4),
420         VMSTATE_UINT32_ARRAY(cur_rx, mv88w8618_eth_state, 4),
421         VMSTATE_END_OF_LIST()
422     }
423 };
424 
425 static Property mv88w8618_eth_properties[] = {
426     DEFINE_NIC_PROPERTIES(mv88w8618_eth_state, conf),
427     DEFINE_PROP_END_OF_LIST(),
428 };
429 
430 static void mv88w8618_eth_class_init(ObjectClass *klass, void *data)
431 {
432     DeviceClass *dc = DEVICE_CLASS(klass);
433 
434     dc->vmsd = &mv88w8618_eth_vmsd;
435     dc->props = mv88w8618_eth_properties;
436     dc->realize = mv88w8618_eth_realize;
437 }
438 
439 static const TypeInfo mv88w8618_eth_info = {
440     .name          = TYPE_MV88W8618_ETH,
441     .parent        = TYPE_SYS_BUS_DEVICE,
442     .instance_size = sizeof(mv88w8618_eth_state),
443     .instance_init = mv88w8618_eth_init,
444     .class_init    = mv88w8618_eth_class_init,
445 };
446 
447 /* LCD register offsets */
448 #define MP_LCD_IRQCTRL          0x180
449 #define MP_LCD_IRQSTAT          0x184
450 #define MP_LCD_SPICTRL          0x1ac
451 #define MP_LCD_INST             0x1bc
452 #define MP_LCD_DATA             0x1c0
453 
454 /* Mode magics */
455 #define MP_LCD_SPI_DATA         0x00100011
456 #define MP_LCD_SPI_CMD          0x00104011
457 #define MP_LCD_SPI_INVALID      0x00000000
458 
459 /* Commmands */
460 #define MP_LCD_INST_SETPAGE0    0xB0
461 /* ... */
462 #define MP_LCD_INST_SETPAGE7    0xB7
463 
464 #define MP_LCD_TEXTCOLOR        0xe0e0ff /* RRGGBB */
465 
466 #define TYPE_MUSICPAL_LCD "musicpal_lcd"
467 #define MUSICPAL_LCD(obj) \
468     OBJECT_CHECK(musicpal_lcd_state, (obj), TYPE_MUSICPAL_LCD)
469 
470 typedef struct musicpal_lcd_state {
471     /*< private >*/
472     SysBusDevice parent_obj;
473     /*< public >*/
474 
475     MemoryRegion iomem;
476     uint32_t brightness;
477     uint32_t mode;
478     uint32_t irqctrl;
479     uint32_t page;
480     uint32_t page_off;
481     QemuConsole *con;
482     uint8_t video_ram[128*64/8];
483 } musicpal_lcd_state;
484 
485 static uint8_t scale_lcd_color(musicpal_lcd_state *s, uint8_t col)
486 {
487     switch (s->brightness) {
488     case 7:
489         return col;
490     case 0:
491         return 0;
492     default:
493         return (col * s->brightness) / 7;
494     }
495 }
496 
497 #define SET_LCD_PIXEL(depth, type) \
498 static inline void glue(set_lcd_pixel, depth) \
499         (musicpal_lcd_state *s, int x, int y, type col) \
500 { \
501     int dx, dy; \
502     DisplaySurface *surface = qemu_console_surface(s->con); \
503     type *pixel = &((type *) surface_data(surface))[(y * 128 * 3 + x) * 3]; \
504 \
505     for (dy = 0; dy < 3; dy++, pixel += 127 * 3) \
506         for (dx = 0; dx < 3; dx++, pixel++) \
507             *pixel = col; \
508 }
509 SET_LCD_PIXEL(8, uint8_t)
510 SET_LCD_PIXEL(16, uint16_t)
511 SET_LCD_PIXEL(32, uint32_t)
512 
513 static void lcd_refresh(void *opaque)
514 {
515     musicpal_lcd_state *s = opaque;
516     DisplaySurface *surface = qemu_console_surface(s->con);
517     int x, y, col;
518 
519     switch (surface_bits_per_pixel(surface)) {
520     case 0:
521         return;
522 #define LCD_REFRESH(depth, func) \
523     case depth: \
524         col = func(scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 16) & 0xff), \
525                    scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 8) & 0xff), \
526                    scale_lcd_color(s, MP_LCD_TEXTCOLOR & 0xff)); \
527         for (x = 0; x < 128; x++) { \
528             for (y = 0; y < 64; y++) { \
529                 if (s->video_ram[x + (y/8)*128] & (1 << (y % 8))) { \
530                     glue(set_lcd_pixel, depth)(s, x, y, col); \
531                 } else { \
532                     glue(set_lcd_pixel, depth)(s, x, y, 0); \
533                 } \
534             } \
535         } \
536         break;
537     LCD_REFRESH(8, rgb_to_pixel8)
538     LCD_REFRESH(16, rgb_to_pixel16)
539     LCD_REFRESH(32, (is_surface_bgr(surface) ?
540                      rgb_to_pixel32bgr : rgb_to_pixel32))
541     default:
542         hw_error("unsupported colour depth %i\n",
543                  surface_bits_per_pixel(surface));
544     }
545 
546     dpy_gfx_update(s->con, 0, 0, 128*3, 64*3);
547 }
548 
549 static void lcd_invalidate(void *opaque)
550 {
551 }
552 
553 static void musicpal_lcd_gpio_brightness_in(void *opaque, int irq, int level)
554 {
555     musicpal_lcd_state *s = opaque;
556     s->brightness &= ~(1 << irq);
557     s->brightness |= level << irq;
558 }
559 
560 static uint64_t musicpal_lcd_read(void *opaque, hwaddr offset,
561                                   unsigned size)
562 {
563     musicpal_lcd_state *s = opaque;
564 
565     switch (offset) {
566     case MP_LCD_IRQCTRL:
567         return s->irqctrl;
568 
569     default:
570         return 0;
571     }
572 }
573 
574 static void musicpal_lcd_write(void *opaque, hwaddr offset,
575                                uint64_t value, unsigned size)
576 {
577     musicpal_lcd_state *s = opaque;
578 
579     switch (offset) {
580     case MP_LCD_IRQCTRL:
581         s->irqctrl = value;
582         break;
583 
584     case MP_LCD_SPICTRL:
585         if (value == MP_LCD_SPI_DATA || value == MP_LCD_SPI_CMD) {
586             s->mode = value;
587         } else {
588             s->mode = MP_LCD_SPI_INVALID;
589         }
590         break;
591 
592     case MP_LCD_INST:
593         if (value >= MP_LCD_INST_SETPAGE0 && value <= MP_LCD_INST_SETPAGE7) {
594             s->page = value - MP_LCD_INST_SETPAGE0;
595             s->page_off = 0;
596         }
597         break;
598 
599     case MP_LCD_DATA:
600         if (s->mode == MP_LCD_SPI_CMD) {
601             if (value >= MP_LCD_INST_SETPAGE0 &&
602                 value <= MP_LCD_INST_SETPAGE7) {
603                 s->page = value - MP_LCD_INST_SETPAGE0;
604                 s->page_off = 0;
605             }
606         } else if (s->mode == MP_LCD_SPI_DATA) {
607             s->video_ram[s->page*128 + s->page_off] = value;
608             s->page_off = (s->page_off + 1) & 127;
609         }
610         break;
611     }
612 }
613 
614 static const MemoryRegionOps musicpal_lcd_ops = {
615     .read = musicpal_lcd_read,
616     .write = musicpal_lcd_write,
617     .endianness = DEVICE_NATIVE_ENDIAN,
618 };
619 
620 static const GraphicHwOps musicpal_gfx_ops = {
621     .invalidate  = lcd_invalidate,
622     .gfx_update  = lcd_refresh,
623 };
624 
625 static void musicpal_lcd_realize(DeviceState *dev, Error **errp)
626 {
627     musicpal_lcd_state *s = MUSICPAL_LCD(dev);
628     s->con = graphic_console_init(dev, 0, &musicpal_gfx_ops, s);
629     qemu_console_resize(s->con, 128 * 3, 64 * 3);
630 }
631 
632 static void musicpal_lcd_init(Object *obj)
633 {
634     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
635     DeviceState *dev = DEVICE(sbd);
636     musicpal_lcd_state *s = MUSICPAL_LCD(dev);
637 
638     s->brightness = 7;
639 
640     memory_region_init_io(&s->iomem, obj, &musicpal_lcd_ops, s,
641                           "musicpal-lcd", MP_LCD_SIZE);
642     sysbus_init_mmio(sbd, &s->iomem);
643 
644     qdev_init_gpio_in(dev, musicpal_lcd_gpio_brightness_in, 3);
645 }
646 
647 static const VMStateDescription musicpal_lcd_vmsd = {
648     .name = "musicpal_lcd",
649     .version_id = 1,
650     .minimum_version_id = 1,
651     .fields = (VMStateField[]) {
652         VMSTATE_UINT32(brightness, musicpal_lcd_state),
653         VMSTATE_UINT32(mode, musicpal_lcd_state),
654         VMSTATE_UINT32(irqctrl, musicpal_lcd_state),
655         VMSTATE_UINT32(page, musicpal_lcd_state),
656         VMSTATE_UINT32(page_off, musicpal_lcd_state),
657         VMSTATE_BUFFER(video_ram, musicpal_lcd_state),
658         VMSTATE_END_OF_LIST()
659     }
660 };
661 
662 static void musicpal_lcd_class_init(ObjectClass *klass, void *data)
663 {
664     DeviceClass *dc = DEVICE_CLASS(klass);
665 
666     dc->vmsd = &musicpal_lcd_vmsd;
667     dc->realize = musicpal_lcd_realize;
668 }
669 
670 static const TypeInfo musicpal_lcd_info = {
671     .name          = TYPE_MUSICPAL_LCD,
672     .parent        = TYPE_SYS_BUS_DEVICE,
673     .instance_size = sizeof(musicpal_lcd_state),
674     .instance_init = musicpal_lcd_init,
675     .class_init    = musicpal_lcd_class_init,
676 };
677 
678 /* PIC register offsets */
679 #define MP_PIC_STATUS           0x00
680 #define MP_PIC_ENABLE_SET       0x08
681 #define MP_PIC_ENABLE_CLR       0x0C
682 
683 #define TYPE_MV88W8618_PIC "mv88w8618_pic"
684 #define MV88W8618_PIC(obj) \
685     OBJECT_CHECK(mv88w8618_pic_state, (obj), TYPE_MV88W8618_PIC)
686 
687 typedef struct mv88w8618_pic_state {
688     /*< private >*/
689     SysBusDevice parent_obj;
690     /*< public >*/
691 
692     MemoryRegion iomem;
693     uint32_t level;
694     uint32_t enabled;
695     qemu_irq parent_irq;
696 } mv88w8618_pic_state;
697 
698 static void mv88w8618_pic_update(mv88w8618_pic_state *s)
699 {
700     qemu_set_irq(s->parent_irq, (s->level & s->enabled));
701 }
702 
703 static void mv88w8618_pic_set_irq(void *opaque, int irq, int level)
704 {
705     mv88w8618_pic_state *s = opaque;
706 
707     if (level) {
708         s->level |= 1 << irq;
709     } else {
710         s->level &= ~(1 << irq);
711     }
712     mv88w8618_pic_update(s);
713 }
714 
715 static uint64_t mv88w8618_pic_read(void *opaque, hwaddr offset,
716                                    unsigned size)
717 {
718     mv88w8618_pic_state *s = opaque;
719 
720     switch (offset) {
721     case MP_PIC_STATUS:
722         return s->level & s->enabled;
723 
724     default:
725         return 0;
726     }
727 }
728 
729 static void mv88w8618_pic_write(void *opaque, hwaddr offset,
730                                 uint64_t value, unsigned size)
731 {
732     mv88w8618_pic_state *s = opaque;
733 
734     switch (offset) {
735     case MP_PIC_ENABLE_SET:
736         s->enabled |= value;
737         break;
738 
739     case MP_PIC_ENABLE_CLR:
740         s->enabled &= ~value;
741         s->level &= ~value;
742         break;
743     }
744     mv88w8618_pic_update(s);
745 }
746 
747 static void mv88w8618_pic_reset(DeviceState *d)
748 {
749     mv88w8618_pic_state *s = MV88W8618_PIC(d);
750 
751     s->level = 0;
752     s->enabled = 0;
753 }
754 
755 static const MemoryRegionOps mv88w8618_pic_ops = {
756     .read = mv88w8618_pic_read,
757     .write = mv88w8618_pic_write,
758     .endianness = DEVICE_NATIVE_ENDIAN,
759 };
760 
761 static void mv88w8618_pic_init(Object *obj)
762 {
763     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
764     mv88w8618_pic_state *s = MV88W8618_PIC(dev);
765 
766     qdev_init_gpio_in(DEVICE(dev), mv88w8618_pic_set_irq, 32);
767     sysbus_init_irq(dev, &s->parent_irq);
768     memory_region_init_io(&s->iomem, obj, &mv88w8618_pic_ops, s,
769                           "musicpal-pic", MP_PIC_SIZE);
770     sysbus_init_mmio(dev, &s->iomem);
771 }
772 
773 static const VMStateDescription mv88w8618_pic_vmsd = {
774     .name = "mv88w8618_pic",
775     .version_id = 1,
776     .minimum_version_id = 1,
777     .fields = (VMStateField[]) {
778         VMSTATE_UINT32(level, mv88w8618_pic_state),
779         VMSTATE_UINT32(enabled, mv88w8618_pic_state),
780         VMSTATE_END_OF_LIST()
781     }
782 };
783 
784 static void mv88w8618_pic_class_init(ObjectClass *klass, void *data)
785 {
786     DeviceClass *dc = DEVICE_CLASS(klass);
787 
788     dc->reset = mv88w8618_pic_reset;
789     dc->vmsd = &mv88w8618_pic_vmsd;
790 }
791 
792 static const TypeInfo mv88w8618_pic_info = {
793     .name          = TYPE_MV88W8618_PIC,
794     .parent        = TYPE_SYS_BUS_DEVICE,
795     .instance_size = sizeof(mv88w8618_pic_state),
796     .instance_init = mv88w8618_pic_init,
797     .class_init    = mv88w8618_pic_class_init,
798 };
799 
800 /* PIT register offsets */
801 #define MP_PIT_TIMER1_LENGTH    0x00
802 /* ... */
803 #define MP_PIT_TIMER4_LENGTH    0x0C
804 #define MP_PIT_CONTROL          0x10
805 #define MP_PIT_TIMER1_VALUE     0x14
806 /* ... */
807 #define MP_PIT_TIMER4_VALUE     0x20
808 #define MP_BOARD_RESET          0x34
809 
810 /* Magic board reset value (probably some watchdog behind it) */
811 #define MP_BOARD_RESET_MAGIC    0x10000
812 
813 typedef struct mv88w8618_timer_state {
814     ptimer_state *ptimer;
815     uint32_t limit;
816     int freq;
817     qemu_irq irq;
818 } mv88w8618_timer_state;
819 
820 #define TYPE_MV88W8618_PIT "mv88w8618_pit"
821 #define MV88W8618_PIT(obj) \
822     OBJECT_CHECK(mv88w8618_pit_state, (obj), TYPE_MV88W8618_PIT)
823 
824 typedef struct mv88w8618_pit_state {
825     /*< private >*/
826     SysBusDevice parent_obj;
827     /*< public >*/
828 
829     MemoryRegion iomem;
830     mv88w8618_timer_state timer[4];
831 } mv88w8618_pit_state;
832 
833 static void mv88w8618_timer_tick(void *opaque)
834 {
835     mv88w8618_timer_state *s = opaque;
836 
837     qemu_irq_raise(s->irq);
838 }
839 
840 static void mv88w8618_timer_init(SysBusDevice *dev, mv88w8618_timer_state *s,
841                                  uint32_t freq)
842 {
843     QEMUBH *bh;
844 
845     sysbus_init_irq(dev, &s->irq);
846     s->freq = freq;
847 
848     bh = qemu_bh_new(mv88w8618_timer_tick, s);
849     s->ptimer = ptimer_init(bh, PTIMER_POLICY_DEFAULT);
850 }
851 
852 static uint64_t mv88w8618_pit_read(void *opaque, hwaddr offset,
853                                    unsigned size)
854 {
855     mv88w8618_pit_state *s = opaque;
856     mv88w8618_timer_state *t;
857 
858     switch (offset) {
859     case MP_PIT_TIMER1_VALUE ... MP_PIT_TIMER4_VALUE:
860         t = &s->timer[(offset-MP_PIT_TIMER1_VALUE) >> 2];
861         return ptimer_get_count(t->ptimer);
862 
863     default:
864         return 0;
865     }
866 }
867 
868 static void mv88w8618_pit_write(void *opaque, hwaddr offset,
869                                 uint64_t value, unsigned size)
870 {
871     mv88w8618_pit_state *s = opaque;
872     mv88w8618_timer_state *t;
873     int i;
874 
875     switch (offset) {
876     case MP_PIT_TIMER1_LENGTH ... MP_PIT_TIMER4_LENGTH:
877         t = &s->timer[offset >> 2];
878         t->limit = value;
879         if (t->limit > 0) {
880             ptimer_set_limit(t->ptimer, t->limit, 1);
881         } else {
882             ptimer_stop(t->ptimer);
883         }
884         break;
885 
886     case MP_PIT_CONTROL:
887         for (i = 0; i < 4; i++) {
888             t = &s->timer[i];
889             if (value & 0xf && t->limit > 0) {
890                 ptimer_set_limit(t->ptimer, t->limit, 0);
891                 ptimer_set_freq(t->ptimer, t->freq);
892                 ptimer_run(t->ptimer, 0);
893             } else {
894                 ptimer_stop(t->ptimer);
895             }
896             value >>= 4;
897         }
898         break;
899 
900     case MP_BOARD_RESET:
901         if (value == MP_BOARD_RESET_MAGIC) {
902             qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
903         }
904         break;
905     }
906 }
907 
908 static void mv88w8618_pit_reset(DeviceState *d)
909 {
910     mv88w8618_pit_state *s = MV88W8618_PIT(d);
911     int i;
912 
913     for (i = 0; i < 4; i++) {
914         ptimer_stop(s->timer[i].ptimer);
915         s->timer[i].limit = 0;
916     }
917 }
918 
919 static const MemoryRegionOps mv88w8618_pit_ops = {
920     .read = mv88w8618_pit_read,
921     .write = mv88w8618_pit_write,
922     .endianness = DEVICE_NATIVE_ENDIAN,
923 };
924 
925 static void mv88w8618_pit_init(Object *obj)
926 {
927     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
928     mv88w8618_pit_state *s = MV88W8618_PIT(dev);
929     int i;
930 
931     /* Letting them all run at 1 MHz is likely just a pragmatic
932      * simplification. */
933     for (i = 0; i < 4; i++) {
934         mv88w8618_timer_init(dev, &s->timer[i], 1000000);
935     }
936 
937     memory_region_init_io(&s->iomem, obj, &mv88w8618_pit_ops, s,
938                           "musicpal-pit", MP_PIT_SIZE);
939     sysbus_init_mmio(dev, &s->iomem);
940 }
941 
942 static const VMStateDescription mv88w8618_timer_vmsd = {
943     .name = "timer",
944     .version_id = 1,
945     .minimum_version_id = 1,
946     .fields = (VMStateField[]) {
947         VMSTATE_PTIMER(ptimer, mv88w8618_timer_state),
948         VMSTATE_UINT32(limit, mv88w8618_timer_state),
949         VMSTATE_END_OF_LIST()
950     }
951 };
952 
953 static const VMStateDescription mv88w8618_pit_vmsd = {
954     .name = "mv88w8618_pit",
955     .version_id = 1,
956     .minimum_version_id = 1,
957     .fields = (VMStateField[]) {
958         VMSTATE_STRUCT_ARRAY(timer, mv88w8618_pit_state, 4, 1,
959                              mv88w8618_timer_vmsd, mv88w8618_timer_state),
960         VMSTATE_END_OF_LIST()
961     }
962 };
963 
964 static void mv88w8618_pit_class_init(ObjectClass *klass, void *data)
965 {
966     DeviceClass *dc = DEVICE_CLASS(klass);
967 
968     dc->reset = mv88w8618_pit_reset;
969     dc->vmsd = &mv88w8618_pit_vmsd;
970 }
971 
972 static const TypeInfo mv88w8618_pit_info = {
973     .name          = TYPE_MV88W8618_PIT,
974     .parent        = TYPE_SYS_BUS_DEVICE,
975     .instance_size = sizeof(mv88w8618_pit_state),
976     .instance_init = mv88w8618_pit_init,
977     .class_init    = mv88w8618_pit_class_init,
978 };
979 
980 /* Flash config register offsets */
981 #define MP_FLASHCFG_CFGR0    0x04
982 
983 #define TYPE_MV88W8618_FLASHCFG "mv88w8618_flashcfg"
984 #define MV88W8618_FLASHCFG(obj) \
985     OBJECT_CHECK(mv88w8618_flashcfg_state, (obj), TYPE_MV88W8618_FLASHCFG)
986 
987 typedef struct mv88w8618_flashcfg_state {
988     /*< private >*/
989     SysBusDevice parent_obj;
990     /*< public >*/
991 
992     MemoryRegion iomem;
993     uint32_t cfgr0;
994 } mv88w8618_flashcfg_state;
995 
996 static uint64_t mv88w8618_flashcfg_read(void *opaque,
997                                         hwaddr offset,
998                                         unsigned size)
999 {
1000     mv88w8618_flashcfg_state *s = opaque;
1001 
1002     switch (offset) {
1003     case MP_FLASHCFG_CFGR0:
1004         return s->cfgr0;
1005 
1006     default:
1007         return 0;
1008     }
1009 }
1010 
1011 static void mv88w8618_flashcfg_write(void *opaque, hwaddr offset,
1012                                      uint64_t value, unsigned size)
1013 {
1014     mv88w8618_flashcfg_state *s = opaque;
1015 
1016     switch (offset) {
1017     case MP_FLASHCFG_CFGR0:
1018         s->cfgr0 = value;
1019         break;
1020     }
1021 }
1022 
1023 static const MemoryRegionOps mv88w8618_flashcfg_ops = {
1024     .read = mv88w8618_flashcfg_read,
1025     .write = mv88w8618_flashcfg_write,
1026     .endianness = DEVICE_NATIVE_ENDIAN,
1027 };
1028 
1029 static void mv88w8618_flashcfg_init(Object *obj)
1030 {
1031     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
1032     mv88w8618_flashcfg_state *s = MV88W8618_FLASHCFG(dev);
1033 
1034     s->cfgr0 = 0xfffe4285; /* Default as set by U-Boot for 8 MB flash */
1035     memory_region_init_io(&s->iomem, obj, &mv88w8618_flashcfg_ops, s,
1036                           "musicpal-flashcfg", MP_FLASHCFG_SIZE);
1037     sysbus_init_mmio(dev, &s->iomem);
1038 }
1039 
1040 static const VMStateDescription mv88w8618_flashcfg_vmsd = {
1041     .name = "mv88w8618_flashcfg",
1042     .version_id = 1,
1043     .minimum_version_id = 1,
1044     .fields = (VMStateField[]) {
1045         VMSTATE_UINT32(cfgr0, mv88w8618_flashcfg_state),
1046         VMSTATE_END_OF_LIST()
1047     }
1048 };
1049 
1050 static void mv88w8618_flashcfg_class_init(ObjectClass *klass, void *data)
1051 {
1052     DeviceClass *dc = DEVICE_CLASS(klass);
1053 
1054     dc->vmsd = &mv88w8618_flashcfg_vmsd;
1055 }
1056 
1057 static const TypeInfo mv88w8618_flashcfg_info = {
1058     .name          = TYPE_MV88W8618_FLASHCFG,
1059     .parent        = TYPE_SYS_BUS_DEVICE,
1060     .instance_size = sizeof(mv88w8618_flashcfg_state),
1061     .instance_init = mv88w8618_flashcfg_init,
1062     .class_init    = mv88w8618_flashcfg_class_init,
1063 };
1064 
1065 /* Misc register offsets */
1066 #define MP_MISC_BOARD_REVISION  0x18
1067 
1068 #define MP_BOARD_REVISION       0x31
1069 
1070 typedef struct {
1071     SysBusDevice parent_obj;
1072     MemoryRegion iomem;
1073 } MusicPalMiscState;
1074 
1075 #define TYPE_MUSICPAL_MISC "musicpal-misc"
1076 #define MUSICPAL_MISC(obj) \
1077      OBJECT_CHECK(MusicPalMiscState, (obj), TYPE_MUSICPAL_MISC)
1078 
1079 static uint64_t musicpal_misc_read(void *opaque, hwaddr offset,
1080                                    unsigned size)
1081 {
1082     switch (offset) {
1083     case MP_MISC_BOARD_REVISION:
1084         return MP_BOARD_REVISION;
1085 
1086     default:
1087         return 0;
1088     }
1089 }
1090 
1091 static void musicpal_misc_write(void *opaque, hwaddr offset,
1092                                 uint64_t value, unsigned size)
1093 {
1094 }
1095 
1096 static const MemoryRegionOps musicpal_misc_ops = {
1097     .read = musicpal_misc_read,
1098     .write = musicpal_misc_write,
1099     .endianness = DEVICE_NATIVE_ENDIAN,
1100 };
1101 
1102 static void musicpal_misc_init(Object *obj)
1103 {
1104     SysBusDevice *sd = SYS_BUS_DEVICE(obj);
1105     MusicPalMiscState *s = MUSICPAL_MISC(obj);
1106 
1107     memory_region_init_io(&s->iomem, OBJECT(s), &musicpal_misc_ops, NULL,
1108                           "musicpal-misc", MP_MISC_SIZE);
1109     sysbus_init_mmio(sd, &s->iomem);
1110 }
1111 
1112 static const TypeInfo musicpal_misc_info = {
1113     .name = TYPE_MUSICPAL_MISC,
1114     .parent = TYPE_SYS_BUS_DEVICE,
1115     .instance_init = musicpal_misc_init,
1116     .instance_size = sizeof(MusicPalMiscState),
1117 };
1118 
1119 /* WLAN register offsets */
1120 #define MP_WLAN_MAGIC1          0x11c
1121 #define MP_WLAN_MAGIC2          0x124
1122 
1123 static uint64_t mv88w8618_wlan_read(void *opaque, hwaddr offset,
1124                                     unsigned size)
1125 {
1126     switch (offset) {
1127     /* Workaround to allow loading the binary-only wlandrv.ko crap
1128      * from the original Freecom firmware. */
1129     case MP_WLAN_MAGIC1:
1130         return ~3;
1131     case MP_WLAN_MAGIC2:
1132         return -1;
1133 
1134     default:
1135         return 0;
1136     }
1137 }
1138 
1139 static void mv88w8618_wlan_write(void *opaque, hwaddr offset,
1140                                  uint64_t value, unsigned size)
1141 {
1142 }
1143 
1144 static const MemoryRegionOps mv88w8618_wlan_ops = {
1145     .read = mv88w8618_wlan_read,
1146     .write =mv88w8618_wlan_write,
1147     .endianness = DEVICE_NATIVE_ENDIAN,
1148 };
1149 
1150 static void mv88w8618_wlan_realize(DeviceState *dev, Error **errp)
1151 {
1152     MemoryRegion *iomem = g_new(MemoryRegion, 1);
1153 
1154     memory_region_init_io(iomem, OBJECT(dev), &mv88w8618_wlan_ops, NULL,
1155                           "musicpal-wlan", MP_WLAN_SIZE);
1156     sysbus_init_mmio(SYS_BUS_DEVICE(dev), iomem);
1157 }
1158 
1159 /* GPIO register offsets */
1160 #define MP_GPIO_OE_LO           0x008
1161 #define MP_GPIO_OUT_LO          0x00c
1162 #define MP_GPIO_IN_LO           0x010
1163 #define MP_GPIO_IER_LO          0x014
1164 #define MP_GPIO_IMR_LO          0x018
1165 #define MP_GPIO_ISR_LO          0x020
1166 #define MP_GPIO_OE_HI           0x508
1167 #define MP_GPIO_OUT_HI          0x50c
1168 #define MP_GPIO_IN_HI           0x510
1169 #define MP_GPIO_IER_HI          0x514
1170 #define MP_GPIO_IMR_HI          0x518
1171 #define MP_GPIO_ISR_HI          0x520
1172 
1173 /* GPIO bits & masks */
1174 #define MP_GPIO_LCD_BRIGHTNESS  0x00070000
1175 #define MP_GPIO_I2C_DATA_BIT    29
1176 #define MP_GPIO_I2C_CLOCK_BIT   30
1177 
1178 /* LCD brightness bits in GPIO_OE_HI */
1179 #define MP_OE_LCD_BRIGHTNESS    0x0007
1180 
1181 #define TYPE_MUSICPAL_GPIO "musicpal_gpio"
1182 #define MUSICPAL_GPIO(obj) \
1183     OBJECT_CHECK(musicpal_gpio_state, (obj), TYPE_MUSICPAL_GPIO)
1184 
1185 typedef struct musicpal_gpio_state {
1186     /*< private >*/
1187     SysBusDevice parent_obj;
1188     /*< public >*/
1189 
1190     MemoryRegion iomem;
1191     uint32_t lcd_brightness;
1192     uint32_t out_state;
1193     uint32_t in_state;
1194     uint32_t ier;
1195     uint32_t imr;
1196     uint32_t isr;
1197     qemu_irq irq;
1198     qemu_irq out[5]; /* 3 brightness out + 2 lcd (data and clock ) */
1199 } musicpal_gpio_state;
1200 
1201 static void musicpal_gpio_brightness_update(musicpal_gpio_state *s) {
1202     int i;
1203     uint32_t brightness;
1204 
1205     /* compute brightness ratio */
1206     switch (s->lcd_brightness) {
1207     case 0x00000007:
1208         brightness = 0;
1209         break;
1210 
1211     case 0x00020000:
1212         brightness = 1;
1213         break;
1214 
1215     case 0x00020001:
1216         brightness = 2;
1217         break;
1218 
1219     case 0x00040000:
1220         brightness = 3;
1221         break;
1222 
1223     case 0x00010006:
1224         brightness = 4;
1225         break;
1226 
1227     case 0x00020005:
1228         brightness = 5;
1229         break;
1230 
1231     case 0x00040003:
1232         brightness = 6;
1233         break;
1234 
1235     case 0x00030004:
1236     default:
1237         brightness = 7;
1238     }
1239 
1240     /* set lcd brightness GPIOs  */
1241     for (i = 0; i <= 2; i++) {
1242         qemu_set_irq(s->out[i], (brightness >> i) & 1);
1243     }
1244 }
1245 
1246 static void musicpal_gpio_pin_event(void *opaque, int pin, int level)
1247 {
1248     musicpal_gpio_state *s = opaque;
1249     uint32_t mask = 1 << pin;
1250     uint32_t delta = level << pin;
1251     uint32_t old = s->in_state & mask;
1252 
1253     s->in_state &= ~mask;
1254     s->in_state |= delta;
1255 
1256     if ((old ^ delta) &&
1257         ((level && (s->imr & mask)) || (!level && (s->ier & mask)))) {
1258         s->isr = mask;
1259         qemu_irq_raise(s->irq);
1260     }
1261 }
1262 
1263 static uint64_t musicpal_gpio_read(void *opaque, hwaddr offset,
1264                                    unsigned size)
1265 {
1266     musicpal_gpio_state *s = opaque;
1267 
1268     switch (offset) {
1269     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1270         return s->lcd_brightness & MP_OE_LCD_BRIGHTNESS;
1271 
1272     case MP_GPIO_OUT_LO:
1273         return s->out_state & 0xFFFF;
1274     case MP_GPIO_OUT_HI:
1275         return s->out_state >> 16;
1276 
1277     case MP_GPIO_IN_LO:
1278         return s->in_state & 0xFFFF;
1279     case MP_GPIO_IN_HI:
1280         return s->in_state >> 16;
1281 
1282     case MP_GPIO_IER_LO:
1283         return s->ier & 0xFFFF;
1284     case MP_GPIO_IER_HI:
1285         return s->ier >> 16;
1286 
1287     case MP_GPIO_IMR_LO:
1288         return s->imr & 0xFFFF;
1289     case MP_GPIO_IMR_HI:
1290         return s->imr >> 16;
1291 
1292     case MP_GPIO_ISR_LO:
1293         return s->isr & 0xFFFF;
1294     case MP_GPIO_ISR_HI:
1295         return s->isr >> 16;
1296 
1297     default:
1298         return 0;
1299     }
1300 }
1301 
1302 static void musicpal_gpio_write(void *opaque, hwaddr offset,
1303                                 uint64_t value, unsigned size)
1304 {
1305     musicpal_gpio_state *s = opaque;
1306     switch (offset) {
1307     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1308         s->lcd_brightness = (s->lcd_brightness & MP_GPIO_LCD_BRIGHTNESS) |
1309                          (value & MP_OE_LCD_BRIGHTNESS);
1310         musicpal_gpio_brightness_update(s);
1311         break;
1312 
1313     case MP_GPIO_OUT_LO:
1314         s->out_state = (s->out_state & 0xFFFF0000) | (value & 0xFFFF);
1315         break;
1316     case MP_GPIO_OUT_HI:
1317         s->out_state = (s->out_state & 0xFFFF) | (value << 16);
1318         s->lcd_brightness = (s->lcd_brightness & 0xFFFF) |
1319                             (s->out_state & MP_GPIO_LCD_BRIGHTNESS);
1320         musicpal_gpio_brightness_update(s);
1321         qemu_set_irq(s->out[3], (s->out_state >> MP_GPIO_I2C_DATA_BIT) & 1);
1322         qemu_set_irq(s->out[4], (s->out_state >> MP_GPIO_I2C_CLOCK_BIT) & 1);
1323         break;
1324 
1325     case MP_GPIO_IER_LO:
1326         s->ier = (s->ier & 0xFFFF0000) | (value & 0xFFFF);
1327         break;
1328     case MP_GPIO_IER_HI:
1329         s->ier = (s->ier & 0xFFFF) | (value << 16);
1330         break;
1331 
1332     case MP_GPIO_IMR_LO:
1333         s->imr = (s->imr & 0xFFFF0000) | (value & 0xFFFF);
1334         break;
1335     case MP_GPIO_IMR_HI:
1336         s->imr = (s->imr & 0xFFFF) | (value << 16);
1337         break;
1338     }
1339 }
1340 
1341 static const MemoryRegionOps musicpal_gpio_ops = {
1342     .read = musicpal_gpio_read,
1343     .write = musicpal_gpio_write,
1344     .endianness = DEVICE_NATIVE_ENDIAN,
1345 };
1346 
1347 static void musicpal_gpio_reset(DeviceState *d)
1348 {
1349     musicpal_gpio_state *s = MUSICPAL_GPIO(d);
1350 
1351     s->lcd_brightness = 0;
1352     s->out_state = 0;
1353     s->in_state = 0xffffffff;
1354     s->ier = 0;
1355     s->imr = 0;
1356     s->isr = 0;
1357 }
1358 
1359 static void musicpal_gpio_init(Object *obj)
1360 {
1361     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
1362     DeviceState *dev = DEVICE(sbd);
1363     musicpal_gpio_state *s = MUSICPAL_GPIO(dev);
1364 
1365     sysbus_init_irq(sbd, &s->irq);
1366 
1367     memory_region_init_io(&s->iomem, obj, &musicpal_gpio_ops, s,
1368                           "musicpal-gpio", MP_GPIO_SIZE);
1369     sysbus_init_mmio(sbd, &s->iomem);
1370 
1371     qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1372 
1373     qdev_init_gpio_in(dev, musicpal_gpio_pin_event, 32);
1374 }
1375 
1376 static const VMStateDescription musicpal_gpio_vmsd = {
1377     .name = "musicpal_gpio",
1378     .version_id = 1,
1379     .minimum_version_id = 1,
1380     .fields = (VMStateField[]) {
1381         VMSTATE_UINT32(lcd_brightness, musicpal_gpio_state),
1382         VMSTATE_UINT32(out_state, musicpal_gpio_state),
1383         VMSTATE_UINT32(in_state, musicpal_gpio_state),
1384         VMSTATE_UINT32(ier, musicpal_gpio_state),
1385         VMSTATE_UINT32(imr, musicpal_gpio_state),
1386         VMSTATE_UINT32(isr, musicpal_gpio_state),
1387         VMSTATE_END_OF_LIST()
1388     }
1389 };
1390 
1391 static void musicpal_gpio_class_init(ObjectClass *klass, void *data)
1392 {
1393     DeviceClass *dc = DEVICE_CLASS(klass);
1394 
1395     dc->reset = musicpal_gpio_reset;
1396     dc->vmsd = &musicpal_gpio_vmsd;
1397 }
1398 
1399 static const TypeInfo musicpal_gpio_info = {
1400     .name          = TYPE_MUSICPAL_GPIO,
1401     .parent        = TYPE_SYS_BUS_DEVICE,
1402     .instance_size = sizeof(musicpal_gpio_state),
1403     .instance_init = musicpal_gpio_init,
1404     .class_init    = musicpal_gpio_class_init,
1405 };
1406 
1407 /* Keyboard codes & masks */
1408 #define KEY_RELEASED            0x80
1409 #define KEY_CODE                0x7f
1410 
1411 #define KEYCODE_TAB             0x0f
1412 #define KEYCODE_ENTER           0x1c
1413 #define KEYCODE_F               0x21
1414 #define KEYCODE_M               0x32
1415 
1416 #define KEYCODE_EXTENDED        0xe0
1417 #define KEYCODE_UP              0x48
1418 #define KEYCODE_DOWN            0x50
1419 #define KEYCODE_LEFT            0x4b
1420 #define KEYCODE_RIGHT           0x4d
1421 
1422 #define MP_KEY_WHEEL_VOL       (1 << 0)
1423 #define MP_KEY_WHEEL_VOL_INV   (1 << 1)
1424 #define MP_KEY_WHEEL_NAV       (1 << 2)
1425 #define MP_KEY_WHEEL_NAV_INV   (1 << 3)
1426 #define MP_KEY_BTN_FAVORITS    (1 << 4)
1427 #define MP_KEY_BTN_MENU        (1 << 5)
1428 #define MP_KEY_BTN_VOLUME      (1 << 6)
1429 #define MP_KEY_BTN_NAVIGATION  (1 << 7)
1430 
1431 #define TYPE_MUSICPAL_KEY "musicpal_key"
1432 #define MUSICPAL_KEY(obj) \
1433     OBJECT_CHECK(musicpal_key_state, (obj), TYPE_MUSICPAL_KEY)
1434 
1435 typedef struct musicpal_key_state {
1436     /*< private >*/
1437     SysBusDevice parent_obj;
1438     /*< public >*/
1439 
1440     MemoryRegion iomem;
1441     uint32_t kbd_extended;
1442     uint32_t pressed_keys;
1443     qemu_irq out[8];
1444 } musicpal_key_state;
1445 
1446 static void musicpal_key_event(void *opaque, int keycode)
1447 {
1448     musicpal_key_state *s = opaque;
1449     uint32_t event = 0;
1450     int i;
1451 
1452     if (keycode == KEYCODE_EXTENDED) {
1453         s->kbd_extended = 1;
1454         return;
1455     }
1456 
1457     if (s->kbd_extended) {
1458         switch (keycode & KEY_CODE) {
1459         case KEYCODE_UP:
1460             event = MP_KEY_WHEEL_NAV | MP_KEY_WHEEL_NAV_INV;
1461             break;
1462 
1463         case KEYCODE_DOWN:
1464             event = MP_KEY_WHEEL_NAV;
1465             break;
1466 
1467         case KEYCODE_LEFT:
1468             event = MP_KEY_WHEEL_VOL | MP_KEY_WHEEL_VOL_INV;
1469             break;
1470 
1471         case KEYCODE_RIGHT:
1472             event = MP_KEY_WHEEL_VOL;
1473             break;
1474         }
1475     } else {
1476         switch (keycode & KEY_CODE) {
1477         case KEYCODE_F:
1478             event = MP_KEY_BTN_FAVORITS;
1479             break;
1480 
1481         case KEYCODE_TAB:
1482             event = MP_KEY_BTN_VOLUME;
1483             break;
1484 
1485         case KEYCODE_ENTER:
1486             event = MP_KEY_BTN_NAVIGATION;
1487             break;
1488 
1489         case KEYCODE_M:
1490             event = MP_KEY_BTN_MENU;
1491             break;
1492         }
1493         /* Do not repeat already pressed buttons */
1494         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1495             event = 0;
1496         }
1497     }
1498 
1499     if (event) {
1500         /* Raise GPIO pin first if repeating a key */
1501         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1502             for (i = 0; i <= 7; i++) {
1503                 if (event & (1 << i)) {
1504                     qemu_set_irq(s->out[i], 1);
1505                 }
1506             }
1507         }
1508         for (i = 0; i <= 7; i++) {
1509             if (event & (1 << i)) {
1510                 qemu_set_irq(s->out[i], !!(keycode & KEY_RELEASED));
1511             }
1512         }
1513         if (keycode & KEY_RELEASED) {
1514             s->pressed_keys &= ~event;
1515         } else {
1516             s->pressed_keys |= event;
1517         }
1518     }
1519 
1520     s->kbd_extended = 0;
1521 }
1522 
1523 static void musicpal_key_init(Object *obj)
1524 {
1525     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
1526     DeviceState *dev = DEVICE(sbd);
1527     musicpal_key_state *s = MUSICPAL_KEY(dev);
1528 
1529     memory_region_init(&s->iomem, obj, "dummy", 0);
1530     sysbus_init_mmio(sbd, &s->iomem);
1531 
1532     s->kbd_extended = 0;
1533     s->pressed_keys = 0;
1534 
1535     qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1536 
1537     qemu_add_kbd_event_handler(musicpal_key_event, s);
1538 }
1539 
1540 static const VMStateDescription musicpal_key_vmsd = {
1541     .name = "musicpal_key",
1542     .version_id = 1,
1543     .minimum_version_id = 1,
1544     .fields = (VMStateField[]) {
1545         VMSTATE_UINT32(kbd_extended, musicpal_key_state),
1546         VMSTATE_UINT32(pressed_keys, musicpal_key_state),
1547         VMSTATE_END_OF_LIST()
1548     }
1549 };
1550 
1551 static void musicpal_key_class_init(ObjectClass *klass, void *data)
1552 {
1553     DeviceClass *dc = DEVICE_CLASS(klass);
1554 
1555     dc->vmsd = &musicpal_key_vmsd;
1556 }
1557 
1558 static const TypeInfo musicpal_key_info = {
1559     .name          = TYPE_MUSICPAL_KEY,
1560     .parent        = TYPE_SYS_BUS_DEVICE,
1561     .instance_size = sizeof(musicpal_key_state),
1562     .instance_init = musicpal_key_init,
1563     .class_init    = musicpal_key_class_init,
1564 };
1565 
1566 static struct arm_boot_info musicpal_binfo = {
1567     .loader_start = 0x0,
1568     .board_id = 0x20e,
1569 };
1570 
1571 static void musicpal_init(MachineState *machine)
1572 {
1573     const char *kernel_filename = machine->kernel_filename;
1574     const char *kernel_cmdline = machine->kernel_cmdline;
1575     const char *initrd_filename = machine->initrd_filename;
1576     ARMCPU *cpu;
1577     qemu_irq pic[32];
1578     DeviceState *dev;
1579     DeviceState *i2c_dev;
1580     DeviceState *lcd_dev;
1581     DeviceState *key_dev;
1582     DeviceState *wm8750_dev;
1583     SysBusDevice *s;
1584     I2CBus *i2c;
1585     int i;
1586     unsigned long flash_size;
1587     DriveInfo *dinfo;
1588     MemoryRegion *address_space_mem = get_system_memory();
1589     MemoryRegion *ram = g_new(MemoryRegion, 1);
1590     MemoryRegion *sram = g_new(MemoryRegion, 1);
1591 
1592     cpu = ARM_CPU(cpu_create(machine->cpu_type));
1593 
1594     /* For now we use a fixed - the original - RAM size */
1595     memory_region_allocate_system_memory(ram, NULL, "musicpal.ram",
1596                                          MP_RAM_DEFAULT_SIZE);
1597     memory_region_add_subregion(address_space_mem, 0, ram);
1598 
1599     memory_region_init_ram(sram, NULL, "musicpal.sram", MP_SRAM_SIZE,
1600                            &error_fatal);
1601     memory_region_add_subregion(address_space_mem, MP_SRAM_BASE, sram);
1602 
1603     dev = sysbus_create_simple(TYPE_MV88W8618_PIC, MP_PIC_BASE,
1604                                qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));
1605     for (i = 0; i < 32; i++) {
1606         pic[i] = qdev_get_gpio_in(dev, i);
1607     }
1608     sysbus_create_varargs(TYPE_MV88W8618_PIT, MP_PIT_BASE, pic[MP_TIMER1_IRQ],
1609                           pic[MP_TIMER2_IRQ], pic[MP_TIMER3_IRQ],
1610                           pic[MP_TIMER4_IRQ], NULL);
1611 
1612     if (serial_hd(0)) {
1613         serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
1614                        1825000, serial_hd(0), DEVICE_NATIVE_ENDIAN);
1615     }
1616     if (serial_hd(1)) {
1617         serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
1618                        1825000, serial_hd(1), DEVICE_NATIVE_ENDIAN);
1619     }
1620 
1621     /* Register flash */
1622     dinfo = drive_get(IF_PFLASH, 0, 0);
1623     if (dinfo) {
1624         BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
1625 
1626         flash_size = blk_getlength(blk);
1627         if (flash_size != 8*1024*1024 && flash_size != 16*1024*1024 &&
1628             flash_size != 32*1024*1024) {
1629             error_report("Invalid flash image size");
1630             exit(1);
1631         }
1632 
1633         /*
1634          * The original U-Boot accesses the flash at 0xFE000000 instead of
1635          * 0xFF800000 (if there is 8 MB flash). So remap flash access if the
1636          * image is smaller than 32 MB.
1637          */
1638 #ifdef TARGET_WORDS_BIGENDIAN
1639         pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
1640                               "musicpal.flash", flash_size,
1641                               blk, 0x10000, (flash_size + 0xffff) >> 16,
1642                               MP_FLASH_SIZE_MAX / flash_size,
1643                               2, 0x00BF, 0x236D, 0x0000, 0x0000,
1644                               0x5555, 0x2AAA, 1);
1645 #else
1646         pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
1647                               "musicpal.flash", flash_size,
1648                               blk, 0x10000, (flash_size + 0xffff) >> 16,
1649                               MP_FLASH_SIZE_MAX / flash_size,
1650                               2, 0x00BF, 0x236D, 0x0000, 0x0000,
1651                               0x5555, 0x2AAA, 0);
1652 #endif
1653 
1654     }
1655     sysbus_create_simple(TYPE_MV88W8618_FLASHCFG, MP_FLASHCFG_BASE, NULL);
1656 
1657     qemu_check_nic_model(&nd_table[0], "mv88w8618");
1658     dev = qdev_create(NULL, TYPE_MV88W8618_ETH);
1659     qdev_set_nic_properties(dev, &nd_table[0]);
1660     qdev_init_nofail(dev);
1661     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, MP_ETH_BASE);
1662     sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[MP_ETH_IRQ]);
1663 
1664     sysbus_create_simple("mv88w8618_wlan", MP_WLAN_BASE, NULL);
1665 
1666     sysbus_create_simple(TYPE_MUSICPAL_MISC, MP_MISC_BASE, NULL);
1667 
1668     dev = sysbus_create_simple(TYPE_MUSICPAL_GPIO, MP_GPIO_BASE,
1669                                pic[MP_GPIO_IRQ]);
1670     i2c_dev = sysbus_create_simple("gpio_i2c", -1, NULL);
1671     i2c = (I2CBus *)qdev_get_child_bus(i2c_dev, "i2c");
1672 
1673     lcd_dev = sysbus_create_simple(TYPE_MUSICPAL_LCD, MP_LCD_BASE, NULL);
1674     key_dev = sysbus_create_simple(TYPE_MUSICPAL_KEY, -1, NULL);
1675 
1676     /* I2C read data */
1677     qdev_connect_gpio_out(i2c_dev, 0,
1678                           qdev_get_gpio_in(dev, MP_GPIO_I2C_DATA_BIT));
1679     /* I2C data */
1680     qdev_connect_gpio_out(dev, 3, qdev_get_gpio_in(i2c_dev, 0));
1681     /* I2C clock */
1682     qdev_connect_gpio_out(dev, 4, qdev_get_gpio_in(i2c_dev, 1));
1683 
1684     for (i = 0; i < 3; i++) {
1685         qdev_connect_gpio_out(dev, i, qdev_get_gpio_in(lcd_dev, i));
1686     }
1687     for (i = 0; i < 4; i++) {
1688         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 8));
1689     }
1690     for (i = 4; i < 8; i++) {
1691         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 15));
1692     }
1693 
1694     wm8750_dev = i2c_create_slave(i2c, TYPE_WM8750, MP_WM_ADDR);
1695     dev = qdev_create(NULL, TYPE_MV88W8618_AUDIO);
1696     s = SYS_BUS_DEVICE(dev);
1697     object_property_set_link(OBJECT(dev), OBJECT(wm8750_dev),
1698                              "wm8750", NULL);
1699     qdev_init_nofail(dev);
1700     sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
1701     sysbus_connect_irq(s, 0, pic[MP_AUDIO_IRQ]);
1702 
1703     musicpal_binfo.ram_size = MP_RAM_DEFAULT_SIZE;
1704     musicpal_binfo.kernel_filename = kernel_filename;
1705     musicpal_binfo.kernel_cmdline = kernel_cmdline;
1706     musicpal_binfo.initrd_filename = initrd_filename;
1707     arm_load_kernel(cpu, &musicpal_binfo);
1708 }
1709 
1710 static void musicpal_machine_init(MachineClass *mc)
1711 {
1712     mc->desc = "Marvell 88w8618 / MusicPal (ARM926EJ-S)";
1713     mc->init = musicpal_init;
1714     mc->ignore_memory_transaction_failures = true;
1715     mc->default_cpu_type = ARM_CPU_TYPE_NAME("arm926");
1716 }
1717 
1718 DEFINE_MACHINE("musicpal", musicpal_machine_init)
1719 
1720 static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
1721 {
1722     DeviceClass *dc = DEVICE_CLASS(klass);
1723 
1724     dc->realize = mv88w8618_wlan_realize;
1725 }
1726 
1727 static const TypeInfo mv88w8618_wlan_info = {
1728     .name          = "mv88w8618_wlan",
1729     .parent        = TYPE_SYS_BUS_DEVICE,
1730     .instance_size = sizeof(SysBusDevice),
1731     .class_init    = mv88w8618_wlan_class_init,
1732 };
1733 
1734 static void musicpal_register_types(void)
1735 {
1736     type_register_static(&mv88w8618_pic_info);
1737     type_register_static(&mv88w8618_pit_info);
1738     type_register_static(&mv88w8618_flashcfg_info);
1739     type_register_static(&mv88w8618_eth_info);
1740     type_register_static(&mv88w8618_wlan_info);
1741     type_register_static(&musicpal_lcd_info);
1742     type_register_static(&musicpal_gpio_info);
1743     type_register_static(&musicpal_key_info);
1744     type_register_static(&musicpal_misc_info);
1745 }
1746 
1747 type_init(musicpal_register_types)
1748