xref: /openbmc/qemu/hw/arm/musicpal.c (revision 461a2753)
1 /*
2  * Marvell MV88W8618 / Freecom MusicPal emulation.
3  *
4  * Copyright (c) 2008 Jan Kiszka
5  *
6  * This code is licensed under the GNU GPL v2.
7  *
8  * Contributions after 2012-01-13 are licensed under the terms of the
9  * GNU GPL, version 2 or (at your option) any later version.
10  */
11 
12 #include "hw/sysbus.h"
13 #include "hw/arm/arm.h"
14 #include "hw/devices.h"
15 #include "net/net.h"
16 #include "sysemu/sysemu.h"
17 #include "hw/boards.h"
18 #include "hw/char/serial.h"
19 #include "qemu/timer.h"
20 #include "hw/ptimer.h"
21 #include "block/block.h"
22 #include "hw/block/flash.h"
23 #include "ui/console.h"
24 #include "hw/i2c/i2c.h"
25 #include "sysemu/blockdev.h"
26 #include "exec/address-spaces.h"
27 #include "ui/pixel_ops.h"
28 
29 #define MP_MISC_BASE            0x80002000
30 #define MP_MISC_SIZE            0x00001000
31 
32 #define MP_ETH_BASE             0x80008000
33 #define MP_ETH_SIZE             0x00001000
34 
35 #define MP_WLAN_BASE            0x8000C000
36 #define MP_WLAN_SIZE            0x00000800
37 
38 #define MP_UART1_BASE           0x8000C840
39 #define MP_UART2_BASE           0x8000C940
40 
41 #define MP_GPIO_BASE            0x8000D000
42 #define MP_GPIO_SIZE            0x00001000
43 
44 #define MP_FLASHCFG_BASE        0x90006000
45 #define MP_FLASHCFG_SIZE        0x00001000
46 
47 #define MP_AUDIO_BASE           0x90007000
48 
49 #define MP_PIC_BASE             0x90008000
50 #define MP_PIC_SIZE             0x00001000
51 
52 #define MP_PIT_BASE             0x90009000
53 #define MP_PIT_SIZE             0x00001000
54 
55 #define MP_LCD_BASE             0x9000c000
56 #define MP_LCD_SIZE             0x00001000
57 
58 #define MP_SRAM_BASE            0xC0000000
59 #define MP_SRAM_SIZE            0x00020000
60 
61 #define MP_RAM_DEFAULT_SIZE     32*1024*1024
62 #define MP_FLASH_SIZE_MAX       32*1024*1024
63 
64 #define MP_TIMER1_IRQ           4
65 #define MP_TIMER2_IRQ           5
66 #define MP_TIMER3_IRQ           6
67 #define MP_TIMER4_IRQ           7
68 #define MP_EHCI_IRQ             8
69 #define MP_ETH_IRQ              9
70 #define MP_UART1_IRQ            11
71 #define MP_UART2_IRQ            11
72 #define MP_GPIO_IRQ             12
73 #define MP_RTC_IRQ              28
74 #define MP_AUDIO_IRQ            30
75 
76 /* Wolfson 8750 I2C address */
77 #define MP_WM_ADDR              0x1A
78 
79 /* Ethernet register offsets */
80 #define MP_ETH_SMIR             0x010
81 #define MP_ETH_PCXR             0x408
82 #define MP_ETH_SDCMR            0x448
83 #define MP_ETH_ICR              0x450
84 #define MP_ETH_IMR              0x458
85 #define MP_ETH_FRDP0            0x480
86 #define MP_ETH_FRDP1            0x484
87 #define MP_ETH_FRDP2            0x488
88 #define MP_ETH_FRDP3            0x48C
89 #define MP_ETH_CRDP0            0x4A0
90 #define MP_ETH_CRDP1            0x4A4
91 #define MP_ETH_CRDP2            0x4A8
92 #define MP_ETH_CRDP3            0x4AC
93 #define MP_ETH_CTDP0            0x4E0
94 #define MP_ETH_CTDP1            0x4E4
95 
96 /* MII PHY access */
97 #define MP_ETH_SMIR_DATA        0x0000FFFF
98 #define MP_ETH_SMIR_ADDR        0x03FF0000
99 #define MP_ETH_SMIR_OPCODE      (1 << 26) /* Read value */
100 #define MP_ETH_SMIR_RDVALID     (1 << 27)
101 
102 /* PHY registers */
103 #define MP_ETH_PHY1_BMSR        0x00210000
104 #define MP_ETH_PHY1_PHYSID1     0x00410000
105 #define MP_ETH_PHY1_PHYSID2     0x00610000
106 
107 #define MP_PHY_BMSR_LINK        0x0004
108 #define MP_PHY_BMSR_AUTONEG     0x0008
109 
110 #define MP_PHY_88E3015          0x01410E20
111 
112 /* TX descriptor status */
113 #define MP_ETH_TX_OWN           (1U << 31)
114 
115 /* RX descriptor status */
116 #define MP_ETH_RX_OWN           (1U << 31)
117 
118 /* Interrupt cause/mask bits */
119 #define MP_ETH_IRQ_RX_BIT       0
120 #define MP_ETH_IRQ_RX           (1 << MP_ETH_IRQ_RX_BIT)
121 #define MP_ETH_IRQ_TXHI_BIT     2
122 #define MP_ETH_IRQ_TXLO_BIT     3
123 
124 /* Port config bits */
125 #define MP_ETH_PCXR_2BSM_BIT    28 /* 2-byte incoming suffix */
126 
127 /* SDMA command bits */
128 #define MP_ETH_CMD_TXHI         (1 << 23)
129 #define MP_ETH_CMD_TXLO         (1 << 22)
130 
131 typedef struct mv88w8618_tx_desc {
132     uint32_t cmdstat;
133     uint16_t res;
134     uint16_t bytes;
135     uint32_t buffer;
136     uint32_t next;
137 } mv88w8618_tx_desc;
138 
139 typedef struct mv88w8618_rx_desc {
140     uint32_t cmdstat;
141     uint16_t bytes;
142     uint16_t buffer_size;
143     uint32_t buffer;
144     uint32_t next;
145 } mv88w8618_rx_desc;
146 
147 #define TYPE_MV88W8618_ETH "mv88w8618_eth"
148 #define MV88W8618_ETH(obj) \
149     OBJECT_CHECK(mv88w8618_eth_state, (obj), TYPE_MV88W8618_ETH)
150 
151 typedef struct mv88w8618_eth_state {
152     /*< private >*/
153     SysBusDevice parent_obj;
154     /*< public >*/
155 
156     MemoryRegion iomem;
157     qemu_irq irq;
158     uint32_t smir;
159     uint32_t icr;
160     uint32_t imr;
161     int mmio_index;
162     uint32_t vlan_header;
163     uint32_t tx_queue[2];
164     uint32_t rx_queue[4];
165     uint32_t frx_queue[4];
166     uint32_t cur_rx[4];
167     NICState *nic;
168     NICConf conf;
169 } mv88w8618_eth_state;
170 
171 static void eth_rx_desc_put(uint32_t addr, mv88w8618_rx_desc *desc)
172 {
173     cpu_to_le32s(&desc->cmdstat);
174     cpu_to_le16s(&desc->bytes);
175     cpu_to_le16s(&desc->buffer_size);
176     cpu_to_le32s(&desc->buffer);
177     cpu_to_le32s(&desc->next);
178     cpu_physical_memory_write(addr, desc, sizeof(*desc));
179 }
180 
181 static void eth_rx_desc_get(uint32_t addr, mv88w8618_rx_desc *desc)
182 {
183     cpu_physical_memory_read(addr, desc, sizeof(*desc));
184     le32_to_cpus(&desc->cmdstat);
185     le16_to_cpus(&desc->bytes);
186     le16_to_cpus(&desc->buffer_size);
187     le32_to_cpus(&desc->buffer);
188     le32_to_cpus(&desc->next);
189 }
190 
191 static int eth_can_receive(NetClientState *nc)
192 {
193     return 1;
194 }
195 
196 static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
197 {
198     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
199     uint32_t desc_addr;
200     mv88w8618_rx_desc desc;
201     int i;
202 
203     for (i = 0; i < 4; i++) {
204         desc_addr = s->cur_rx[i];
205         if (!desc_addr) {
206             continue;
207         }
208         do {
209             eth_rx_desc_get(desc_addr, &desc);
210             if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
211                 cpu_physical_memory_write(desc.buffer + s->vlan_header,
212                                           buf, size);
213                 desc.bytes = size + s->vlan_header;
214                 desc.cmdstat &= ~MP_ETH_RX_OWN;
215                 s->cur_rx[i] = desc.next;
216 
217                 s->icr |= MP_ETH_IRQ_RX;
218                 if (s->icr & s->imr) {
219                     qemu_irq_raise(s->irq);
220                 }
221                 eth_rx_desc_put(desc_addr, &desc);
222                 return size;
223             }
224             desc_addr = desc.next;
225         } while (desc_addr != s->rx_queue[i]);
226     }
227     return size;
228 }
229 
230 static void eth_tx_desc_put(uint32_t addr, mv88w8618_tx_desc *desc)
231 {
232     cpu_to_le32s(&desc->cmdstat);
233     cpu_to_le16s(&desc->res);
234     cpu_to_le16s(&desc->bytes);
235     cpu_to_le32s(&desc->buffer);
236     cpu_to_le32s(&desc->next);
237     cpu_physical_memory_write(addr, desc, sizeof(*desc));
238 }
239 
240 static void eth_tx_desc_get(uint32_t addr, mv88w8618_tx_desc *desc)
241 {
242     cpu_physical_memory_read(addr, desc, sizeof(*desc));
243     le32_to_cpus(&desc->cmdstat);
244     le16_to_cpus(&desc->res);
245     le16_to_cpus(&desc->bytes);
246     le32_to_cpus(&desc->buffer);
247     le32_to_cpus(&desc->next);
248 }
249 
250 static void eth_send(mv88w8618_eth_state *s, int queue_index)
251 {
252     uint32_t desc_addr = s->tx_queue[queue_index];
253     mv88w8618_tx_desc desc;
254     uint32_t next_desc;
255     uint8_t buf[2048];
256     int len;
257 
258     do {
259         eth_tx_desc_get(desc_addr, &desc);
260         next_desc = desc.next;
261         if (desc.cmdstat & MP_ETH_TX_OWN) {
262             len = desc.bytes;
263             if (len < 2048) {
264                 cpu_physical_memory_read(desc.buffer, buf, len);
265                 qemu_send_packet(qemu_get_queue(s->nic), buf, len);
266             }
267             desc.cmdstat &= ~MP_ETH_TX_OWN;
268             s->icr |= 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index);
269             eth_tx_desc_put(desc_addr, &desc);
270         }
271         desc_addr = next_desc;
272     } while (desc_addr != s->tx_queue[queue_index]);
273 }
274 
275 static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
276                                    unsigned size)
277 {
278     mv88w8618_eth_state *s = opaque;
279 
280     switch (offset) {
281     case MP_ETH_SMIR:
282         if (s->smir & MP_ETH_SMIR_OPCODE) {
283             switch (s->smir & MP_ETH_SMIR_ADDR) {
284             case MP_ETH_PHY1_BMSR:
285                 return MP_PHY_BMSR_LINK | MP_PHY_BMSR_AUTONEG |
286                        MP_ETH_SMIR_RDVALID;
287             case MP_ETH_PHY1_PHYSID1:
288                 return (MP_PHY_88E3015 >> 16) | MP_ETH_SMIR_RDVALID;
289             case MP_ETH_PHY1_PHYSID2:
290                 return (MP_PHY_88E3015 & 0xFFFF) | MP_ETH_SMIR_RDVALID;
291             default:
292                 return MP_ETH_SMIR_RDVALID;
293             }
294         }
295         return 0;
296 
297     case MP_ETH_ICR:
298         return s->icr;
299 
300     case MP_ETH_IMR:
301         return s->imr;
302 
303     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
304         return s->frx_queue[(offset - MP_ETH_FRDP0)/4];
305 
306     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
307         return s->rx_queue[(offset - MP_ETH_CRDP0)/4];
308 
309     case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
310         return s->tx_queue[(offset - MP_ETH_CTDP0)/4];
311 
312     default:
313         return 0;
314     }
315 }
316 
317 static void mv88w8618_eth_write(void *opaque, hwaddr offset,
318                                 uint64_t value, unsigned size)
319 {
320     mv88w8618_eth_state *s = opaque;
321 
322     switch (offset) {
323     case MP_ETH_SMIR:
324         s->smir = value;
325         break;
326 
327     case MP_ETH_PCXR:
328         s->vlan_header = ((value >> MP_ETH_PCXR_2BSM_BIT) & 1) * 2;
329         break;
330 
331     case MP_ETH_SDCMR:
332         if (value & MP_ETH_CMD_TXHI) {
333             eth_send(s, 1);
334         }
335         if (value & MP_ETH_CMD_TXLO) {
336             eth_send(s, 0);
337         }
338         if (value & (MP_ETH_CMD_TXHI | MP_ETH_CMD_TXLO) && s->icr & s->imr) {
339             qemu_irq_raise(s->irq);
340         }
341         break;
342 
343     case MP_ETH_ICR:
344         s->icr &= value;
345         break;
346 
347     case MP_ETH_IMR:
348         s->imr = value;
349         if (s->icr & s->imr) {
350             qemu_irq_raise(s->irq);
351         }
352         break;
353 
354     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
355         s->frx_queue[(offset - MP_ETH_FRDP0)/4] = value;
356         break;
357 
358     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
359         s->rx_queue[(offset - MP_ETH_CRDP0)/4] =
360             s->cur_rx[(offset - MP_ETH_CRDP0)/4] = value;
361         break;
362 
363     case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
364         s->tx_queue[(offset - MP_ETH_CTDP0)/4] = value;
365         break;
366     }
367 }
368 
369 static const MemoryRegionOps mv88w8618_eth_ops = {
370     .read = mv88w8618_eth_read,
371     .write = mv88w8618_eth_write,
372     .endianness = DEVICE_NATIVE_ENDIAN,
373 };
374 
375 static void eth_cleanup(NetClientState *nc)
376 {
377     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
378 
379     s->nic = NULL;
380 }
381 
382 static NetClientInfo net_mv88w8618_info = {
383     .type = NET_CLIENT_OPTIONS_KIND_NIC,
384     .size = sizeof(NICState),
385     .can_receive = eth_can_receive,
386     .receive = eth_receive,
387     .cleanup = eth_cleanup,
388 };
389 
390 static int mv88w8618_eth_init(SysBusDevice *sbd)
391 {
392     DeviceState *dev = DEVICE(sbd);
393     mv88w8618_eth_state *s = MV88W8618_ETH(dev);
394 
395     sysbus_init_irq(sbd, &s->irq);
396     s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf,
397                           object_get_typename(OBJECT(dev)), dev->id, s);
398     memory_region_init_io(&s->iomem, OBJECT(s), &mv88w8618_eth_ops, s,
399                           "mv88w8618-eth", MP_ETH_SIZE);
400     sysbus_init_mmio(sbd, &s->iomem);
401     return 0;
402 }
403 
404 static const VMStateDescription mv88w8618_eth_vmsd = {
405     .name = "mv88w8618_eth",
406     .version_id = 1,
407     .minimum_version_id = 1,
408     .fields = (VMStateField[]) {
409         VMSTATE_UINT32(smir, mv88w8618_eth_state),
410         VMSTATE_UINT32(icr, mv88w8618_eth_state),
411         VMSTATE_UINT32(imr, mv88w8618_eth_state),
412         VMSTATE_UINT32(vlan_header, mv88w8618_eth_state),
413         VMSTATE_UINT32_ARRAY(tx_queue, mv88w8618_eth_state, 2),
414         VMSTATE_UINT32_ARRAY(rx_queue, mv88w8618_eth_state, 4),
415         VMSTATE_UINT32_ARRAY(frx_queue, mv88w8618_eth_state, 4),
416         VMSTATE_UINT32_ARRAY(cur_rx, mv88w8618_eth_state, 4),
417         VMSTATE_END_OF_LIST()
418     }
419 };
420 
421 static Property mv88w8618_eth_properties[] = {
422     DEFINE_NIC_PROPERTIES(mv88w8618_eth_state, conf),
423     DEFINE_PROP_END_OF_LIST(),
424 };
425 
426 static void mv88w8618_eth_class_init(ObjectClass *klass, void *data)
427 {
428     DeviceClass *dc = DEVICE_CLASS(klass);
429     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
430 
431     k->init = mv88w8618_eth_init;
432     dc->vmsd = &mv88w8618_eth_vmsd;
433     dc->props = mv88w8618_eth_properties;
434 }
435 
436 static const TypeInfo mv88w8618_eth_info = {
437     .name          = TYPE_MV88W8618_ETH,
438     .parent        = TYPE_SYS_BUS_DEVICE,
439     .instance_size = sizeof(mv88w8618_eth_state),
440     .class_init    = mv88w8618_eth_class_init,
441 };
442 
443 /* LCD register offsets */
444 #define MP_LCD_IRQCTRL          0x180
445 #define MP_LCD_IRQSTAT          0x184
446 #define MP_LCD_SPICTRL          0x1ac
447 #define MP_LCD_INST             0x1bc
448 #define MP_LCD_DATA             0x1c0
449 
450 /* Mode magics */
451 #define MP_LCD_SPI_DATA         0x00100011
452 #define MP_LCD_SPI_CMD          0x00104011
453 #define MP_LCD_SPI_INVALID      0x00000000
454 
455 /* Commmands */
456 #define MP_LCD_INST_SETPAGE0    0xB0
457 /* ... */
458 #define MP_LCD_INST_SETPAGE7    0xB7
459 
460 #define MP_LCD_TEXTCOLOR        0xe0e0ff /* RRGGBB */
461 
462 #define TYPE_MUSICPAL_LCD "musicpal_lcd"
463 #define MUSICPAL_LCD(obj) \
464     OBJECT_CHECK(musicpal_lcd_state, (obj), TYPE_MUSICPAL_LCD)
465 
466 typedef struct musicpal_lcd_state {
467     /*< private >*/
468     SysBusDevice parent_obj;
469     /*< public >*/
470 
471     MemoryRegion iomem;
472     uint32_t brightness;
473     uint32_t mode;
474     uint32_t irqctrl;
475     uint32_t page;
476     uint32_t page_off;
477     QemuConsole *con;
478     uint8_t video_ram[128*64/8];
479 } musicpal_lcd_state;
480 
481 static uint8_t scale_lcd_color(musicpal_lcd_state *s, uint8_t col)
482 {
483     switch (s->brightness) {
484     case 7:
485         return col;
486     case 0:
487         return 0;
488     default:
489         return (col * s->brightness) / 7;
490     }
491 }
492 
493 #define SET_LCD_PIXEL(depth, type) \
494 static inline void glue(set_lcd_pixel, depth) \
495         (musicpal_lcd_state *s, int x, int y, type col) \
496 { \
497     int dx, dy; \
498     DisplaySurface *surface = qemu_console_surface(s->con); \
499     type *pixel = &((type *) surface_data(surface))[(y * 128 * 3 + x) * 3]; \
500 \
501     for (dy = 0; dy < 3; dy++, pixel += 127 * 3) \
502         for (dx = 0; dx < 3; dx++, pixel++) \
503             *pixel = col; \
504 }
505 SET_LCD_PIXEL(8, uint8_t)
506 SET_LCD_PIXEL(16, uint16_t)
507 SET_LCD_PIXEL(32, uint32_t)
508 
509 static void lcd_refresh(void *opaque)
510 {
511     musicpal_lcd_state *s = opaque;
512     DisplaySurface *surface = qemu_console_surface(s->con);
513     int x, y, col;
514 
515     switch (surface_bits_per_pixel(surface)) {
516     case 0:
517         return;
518 #define LCD_REFRESH(depth, func) \
519     case depth: \
520         col = func(scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 16) & 0xff), \
521                    scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 8) & 0xff), \
522                    scale_lcd_color(s, MP_LCD_TEXTCOLOR & 0xff)); \
523         for (x = 0; x < 128; x++) { \
524             for (y = 0; y < 64; y++) { \
525                 if (s->video_ram[x + (y/8)*128] & (1 << (y % 8))) { \
526                     glue(set_lcd_pixel, depth)(s, x, y, col); \
527                 } else { \
528                     glue(set_lcd_pixel, depth)(s, x, y, 0); \
529                 } \
530             } \
531         } \
532         break;
533     LCD_REFRESH(8, rgb_to_pixel8)
534     LCD_REFRESH(16, rgb_to_pixel16)
535     LCD_REFRESH(32, (is_surface_bgr(surface) ?
536                      rgb_to_pixel32bgr : rgb_to_pixel32))
537     default:
538         hw_error("unsupported colour depth %i\n",
539                  surface_bits_per_pixel(surface));
540     }
541 
542     dpy_gfx_update(s->con, 0, 0, 128*3, 64*3);
543 }
544 
545 static void lcd_invalidate(void *opaque)
546 {
547 }
548 
549 static void musicpal_lcd_gpio_brightness_in(void *opaque, int irq, int level)
550 {
551     musicpal_lcd_state *s = opaque;
552     s->brightness &= ~(1 << irq);
553     s->brightness |= level << irq;
554 }
555 
556 static uint64_t musicpal_lcd_read(void *opaque, hwaddr offset,
557                                   unsigned size)
558 {
559     musicpal_lcd_state *s = opaque;
560 
561     switch (offset) {
562     case MP_LCD_IRQCTRL:
563         return s->irqctrl;
564 
565     default:
566         return 0;
567     }
568 }
569 
570 static void musicpal_lcd_write(void *opaque, hwaddr offset,
571                                uint64_t value, unsigned size)
572 {
573     musicpal_lcd_state *s = opaque;
574 
575     switch (offset) {
576     case MP_LCD_IRQCTRL:
577         s->irqctrl = value;
578         break;
579 
580     case MP_LCD_SPICTRL:
581         if (value == MP_LCD_SPI_DATA || value == MP_LCD_SPI_CMD) {
582             s->mode = value;
583         } else {
584             s->mode = MP_LCD_SPI_INVALID;
585         }
586         break;
587 
588     case MP_LCD_INST:
589         if (value >= MP_LCD_INST_SETPAGE0 && value <= MP_LCD_INST_SETPAGE7) {
590             s->page = value - MP_LCD_INST_SETPAGE0;
591             s->page_off = 0;
592         }
593         break;
594 
595     case MP_LCD_DATA:
596         if (s->mode == MP_LCD_SPI_CMD) {
597             if (value >= MP_LCD_INST_SETPAGE0 &&
598                 value <= MP_LCD_INST_SETPAGE7) {
599                 s->page = value - MP_LCD_INST_SETPAGE0;
600                 s->page_off = 0;
601             }
602         } else if (s->mode == MP_LCD_SPI_DATA) {
603             s->video_ram[s->page*128 + s->page_off] = value;
604             s->page_off = (s->page_off + 1) & 127;
605         }
606         break;
607     }
608 }
609 
610 static const MemoryRegionOps musicpal_lcd_ops = {
611     .read = musicpal_lcd_read,
612     .write = musicpal_lcd_write,
613     .endianness = DEVICE_NATIVE_ENDIAN,
614 };
615 
616 static const GraphicHwOps musicpal_gfx_ops = {
617     .invalidate  = lcd_invalidate,
618     .gfx_update  = lcd_refresh,
619 };
620 
621 static int musicpal_lcd_init(SysBusDevice *sbd)
622 {
623     DeviceState *dev = DEVICE(sbd);
624     musicpal_lcd_state *s = MUSICPAL_LCD(dev);
625 
626     s->brightness = 7;
627 
628     memory_region_init_io(&s->iomem, OBJECT(s), &musicpal_lcd_ops, s,
629                           "musicpal-lcd", MP_LCD_SIZE);
630     sysbus_init_mmio(sbd, &s->iomem);
631 
632     s->con = graphic_console_init(dev, 0, &musicpal_gfx_ops, s);
633     qemu_console_resize(s->con, 128*3, 64*3);
634 
635     qdev_init_gpio_in(dev, musicpal_lcd_gpio_brightness_in, 3);
636 
637     return 0;
638 }
639 
640 static const VMStateDescription musicpal_lcd_vmsd = {
641     .name = "musicpal_lcd",
642     .version_id = 1,
643     .minimum_version_id = 1,
644     .fields = (VMStateField[]) {
645         VMSTATE_UINT32(brightness, musicpal_lcd_state),
646         VMSTATE_UINT32(mode, musicpal_lcd_state),
647         VMSTATE_UINT32(irqctrl, musicpal_lcd_state),
648         VMSTATE_UINT32(page, musicpal_lcd_state),
649         VMSTATE_UINT32(page_off, musicpal_lcd_state),
650         VMSTATE_BUFFER(video_ram, musicpal_lcd_state),
651         VMSTATE_END_OF_LIST()
652     }
653 };
654 
655 static void musicpal_lcd_class_init(ObjectClass *klass, void *data)
656 {
657     DeviceClass *dc = DEVICE_CLASS(klass);
658     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
659 
660     k->init = musicpal_lcd_init;
661     dc->vmsd = &musicpal_lcd_vmsd;
662 }
663 
664 static const TypeInfo musicpal_lcd_info = {
665     .name          = TYPE_MUSICPAL_LCD,
666     .parent        = TYPE_SYS_BUS_DEVICE,
667     .instance_size = sizeof(musicpal_lcd_state),
668     .class_init    = musicpal_lcd_class_init,
669 };
670 
671 /* PIC register offsets */
672 #define MP_PIC_STATUS           0x00
673 #define MP_PIC_ENABLE_SET       0x08
674 #define MP_PIC_ENABLE_CLR       0x0C
675 
676 #define TYPE_MV88W8618_PIC "mv88w8618_pic"
677 #define MV88W8618_PIC(obj) \
678     OBJECT_CHECK(mv88w8618_pic_state, (obj), TYPE_MV88W8618_PIC)
679 
680 typedef struct mv88w8618_pic_state {
681     /*< private >*/
682     SysBusDevice parent_obj;
683     /*< public >*/
684 
685     MemoryRegion iomem;
686     uint32_t level;
687     uint32_t enabled;
688     qemu_irq parent_irq;
689 } mv88w8618_pic_state;
690 
691 static void mv88w8618_pic_update(mv88w8618_pic_state *s)
692 {
693     qemu_set_irq(s->parent_irq, (s->level & s->enabled));
694 }
695 
696 static void mv88w8618_pic_set_irq(void *opaque, int irq, int level)
697 {
698     mv88w8618_pic_state *s = opaque;
699 
700     if (level) {
701         s->level |= 1 << irq;
702     } else {
703         s->level &= ~(1 << irq);
704     }
705     mv88w8618_pic_update(s);
706 }
707 
708 static uint64_t mv88w8618_pic_read(void *opaque, hwaddr offset,
709                                    unsigned size)
710 {
711     mv88w8618_pic_state *s = opaque;
712 
713     switch (offset) {
714     case MP_PIC_STATUS:
715         return s->level & s->enabled;
716 
717     default:
718         return 0;
719     }
720 }
721 
722 static void mv88w8618_pic_write(void *opaque, hwaddr offset,
723                                 uint64_t value, unsigned size)
724 {
725     mv88w8618_pic_state *s = opaque;
726 
727     switch (offset) {
728     case MP_PIC_ENABLE_SET:
729         s->enabled |= value;
730         break;
731 
732     case MP_PIC_ENABLE_CLR:
733         s->enabled &= ~value;
734         s->level &= ~value;
735         break;
736     }
737     mv88w8618_pic_update(s);
738 }
739 
740 static void mv88w8618_pic_reset(DeviceState *d)
741 {
742     mv88w8618_pic_state *s = MV88W8618_PIC(d);
743 
744     s->level = 0;
745     s->enabled = 0;
746 }
747 
748 static const MemoryRegionOps mv88w8618_pic_ops = {
749     .read = mv88w8618_pic_read,
750     .write = mv88w8618_pic_write,
751     .endianness = DEVICE_NATIVE_ENDIAN,
752 };
753 
754 static int mv88w8618_pic_init(SysBusDevice *dev)
755 {
756     mv88w8618_pic_state *s = MV88W8618_PIC(dev);
757 
758     qdev_init_gpio_in(DEVICE(dev), mv88w8618_pic_set_irq, 32);
759     sysbus_init_irq(dev, &s->parent_irq);
760     memory_region_init_io(&s->iomem, OBJECT(s), &mv88w8618_pic_ops, s,
761                           "musicpal-pic", MP_PIC_SIZE);
762     sysbus_init_mmio(dev, &s->iomem);
763     return 0;
764 }
765 
766 static const VMStateDescription mv88w8618_pic_vmsd = {
767     .name = "mv88w8618_pic",
768     .version_id = 1,
769     .minimum_version_id = 1,
770     .fields = (VMStateField[]) {
771         VMSTATE_UINT32(level, mv88w8618_pic_state),
772         VMSTATE_UINT32(enabled, mv88w8618_pic_state),
773         VMSTATE_END_OF_LIST()
774     }
775 };
776 
777 static void mv88w8618_pic_class_init(ObjectClass *klass, void *data)
778 {
779     DeviceClass *dc = DEVICE_CLASS(klass);
780     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
781 
782     k->init = mv88w8618_pic_init;
783     dc->reset = mv88w8618_pic_reset;
784     dc->vmsd = &mv88w8618_pic_vmsd;
785 }
786 
787 static const TypeInfo mv88w8618_pic_info = {
788     .name          = TYPE_MV88W8618_PIC,
789     .parent        = TYPE_SYS_BUS_DEVICE,
790     .instance_size = sizeof(mv88w8618_pic_state),
791     .class_init    = mv88w8618_pic_class_init,
792 };
793 
794 /* PIT register offsets */
795 #define MP_PIT_TIMER1_LENGTH    0x00
796 /* ... */
797 #define MP_PIT_TIMER4_LENGTH    0x0C
798 #define MP_PIT_CONTROL          0x10
799 #define MP_PIT_TIMER1_VALUE     0x14
800 /* ... */
801 #define MP_PIT_TIMER4_VALUE     0x20
802 #define MP_BOARD_RESET          0x34
803 
804 /* Magic board reset value (probably some watchdog behind it) */
805 #define MP_BOARD_RESET_MAGIC    0x10000
806 
807 typedef struct mv88w8618_timer_state {
808     ptimer_state *ptimer;
809     uint32_t limit;
810     int freq;
811     qemu_irq irq;
812 } mv88w8618_timer_state;
813 
814 #define TYPE_MV88W8618_PIT "mv88w8618_pit"
815 #define MV88W8618_PIT(obj) \
816     OBJECT_CHECK(mv88w8618_pit_state, (obj), TYPE_MV88W8618_PIT)
817 
818 typedef struct mv88w8618_pit_state {
819     /*< private >*/
820     SysBusDevice parent_obj;
821     /*< public >*/
822 
823     MemoryRegion iomem;
824     mv88w8618_timer_state timer[4];
825 } mv88w8618_pit_state;
826 
827 static void mv88w8618_timer_tick(void *opaque)
828 {
829     mv88w8618_timer_state *s = opaque;
830 
831     qemu_irq_raise(s->irq);
832 }
833 
834 static void mv88w8618_timer_init(SysBusDevice *dev, mv88w8618_timer_state *s,
835                                  uint32_t freq)
836 {
837     QEMUBH *bh;
838 
839     sysbus_init_irq(dev, &s->irq);
840     s->freq = freq;
841 
842     bh = qemu_bh_new(mv88w8618_timer_tick, s);
843     s->ptimer = ptimer_init(bh);
844 }
845 
846 static uint64_t mv88w8618_pit_read(void *opaque, hwaddr offset,
847                                    unsigned size)
848 {
849     mv88w8618_pit_state *s = opaque;
850     mv88w8618_timer_state *t;
851 
852     switch (offset) {
853     case MP_PIT_TIMER1_VALUE ... MP_PIT_TIMER4_VALUE:
854         t = &s->timer[(offset-MP_PIT_TIMER1_VALUE) >> 2];
855         return ptimer_get_count(t->ptimer);
856 
857     default:
858         return 0;
859     }
860 }
861 
862 static void mv88w8618_pit_write(void *opaque, hwaddr offset,
863                                 uint64_t value, unsigned size)
864 {
865     mv88w8618_pit_state *s = opaque;
866     mv88w8618_timer_state *t;
867     int i;
868 
869     switch (offset) {
870     case MP_PIT_TIMER1_LENGTH ... MP_PIT_TIMER4_LENGTH:
871         t = &s->timer[offset >> 2];
872         t->limit = value;
873         if (t->limit > 0) {
874             ptimer_set_limit(t->ptimer, t->limit, 1);
875         } else {
876             ptimer_stop(t->ptimer);
877         }
878         break;
879 
880     case MP_PIT_CONTROL:
881         for (i = 0; i < 4; i++) {
882             t = &s->timer[i];
883             if (value & 0xf && t->limit > 0) {
884                 ptimer_set_limit(t->ptimer, t->limit, 0);
885                 ptimer_set_freq(t->ptimer, t->freq);
886                 ptimer_run(t->ptimer, 0);
887             } else {
888                 ptimer_stop(t->ptimer);
889             }
890             value >>= 4;
891         }
892         break;
893 
894     case MP_BOARD_RESET:
895         if (value == MP_BOARD_RESET_MAGIC) {
896             qemu_system_reset_request();
897         }
898         break;
899     }
900 }
901 
902 static void mv88w8618_pit_reset(DeviceState *d)
903 {
904     mv88w8618_pit_state *s = MV88W8618_PIT(d);
905     int i;
906 
907     for (i = 0; i < 4; i++) {
908         ptimer_stop(s->timer[i].ptimer);
909         s->timer[i].limit = 0;
910     }
911 }
912 
913 static const MemoryRegionOps mv88w8618_pit_ops = {
914     .read = mv88w8618_pit_read,
915     .write = mv88w8618_pit_write,
916     .endianness = DEVICE_NATIVE_ENDIAN,
917 };
918 
919 static int mv88w8618_pit_init(SysBusDevice *dev)
920 {
921     mv88w8618_pit_state *s = MV88W8618_PIT(dev);
922     int i;
923 
924     /* Letting them all run at 1 MHz is likely just a pragmatic
925      * simplification. */
926     for (i = 0; i < 4; i++) {
927         mv88w8618_timer_init(dev, &s->timer[i], 1000000);
928     }
929 
930     memory_region_init_io(&s->iomem, OBJECT(s), &mv88w8618_pit_ops, s,
931                           "musicpal-pit", MP_PIT_SIZE);
932     sysbus_init_mmio(dev, &s->iomem);
933     return 0;
934 }
935 
936 static const VMStateDescription mv88w8618_timer_vmsd = {
937     .name = "timer",
938     .version_id = 1,
939     .minimum_version_id = 1,
940     .fields = (VMStateField[]) {
941         VMSTATE_PTIMER(ptimer, mv88w8618_timer_state),
942         VMSTATE_UINT32(limit, mv88w8618_timer_state),
943         VMSTATE_END_OF_LIST()
944     }
945 };
946 
947 static const VMStateDescription mv88w8618_pit_vmsd = {
948     .name = "mv88w8618_pit",
949     .version_id = 1,
950     .minimum_version_id = 1,
951     .fields = (VMStateField[]) {
952         VMSTATE_STRUCT_ARRAY(timer, mv88w8618_pit_state, 4, 1,
953                              mv88w8618_timer_vmsd, mv88w8618_timer_state),
954         VMSTATE_END_OF_LIST()
955     }
956 };
957 
958 static void mv88w8618_pit_class_init(ObjectClass *klass, void *data)
959 {
960     DeviceClass *dc = DEVICE_CLASS(klass);
961     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
962 
963     k->init = mv88w8618_pit_init;
964     dc->reset = mv88w8618_pit_reset;
965     dc->vmsd = &mv88w8618_pit_vmsd;
966 }
967 
968 static const TypeInfo mv88w8618_pit_info = {
969     .name          = TYPE_MV88W8618_PIT,
970     .parent        = TYPE_SYS_BUS_DEVICE,
971     .instance_size = sizeof(mv88w8618_pit_state),
972     .class_init    = mv88w8618_pit_class_init,
973 };
974 
975 /* Flash config register offsets */
976 #define MP_FLASHCFG_CFGR0    0x04
977 
978 #define TYPE_MV88W8618_FLASHCFG "mv88w8618_flashcfg"
979 #define MV88W8618_FLASHCFG(obj) \
980     OBJECT_CHECK(mv88w8618_flashcfg_state, (obj), TYPE_MV88W8618_FLASHCFG)
981 
982 typedef struct mv88w8618_flashcfg_state {
983     /*< private >*/
984     SysBusDevice parent_obj;
985     /*< public >*/
986 
987     MemoryRegion iomem;
988     uint32_t cfgr0;
989 } mv88w8618_flashcfg_state;
990 
991 static uint64_t mv88w8618_flashcfg_read(void *opaque,
992                                         hwaddr offset,
993                                         unsigned size)
994 {
995     mv88w8618_flashcfg_state *s = opaque;
996 
997     switch (offset) {
998     case MP_FLASHCFG_CFGR0:
999         return s->cfgr0;
1000 
1001     default:
1002         return 0;
1003     }
1004 }
1005 
1006 static void mv88w8618_flashcfg_write(void *opaque, hwaddr offset,
1007                                      uint64_t value, unsigned size)
1008 {
1009     mv88w8618_flashcfg_state *s = opaque;
1010 
1011     switch (offset) {
1012     case MP_FLASHCFG_CFGR0:
1013         s->cfgr0 = value;
1014         break;
1015     }
1016 }
1017 
1018 static const MemoryRegionOps mv88w8618_flashcfg_ops = {
1019     .read = mv88w8618_flashcfg_read,
1020     .write = mv88w8618_flashcfg_write,
1021     .endianness = DEVICE_NATIVE_ENDIAN,
1022 };
1023 
1024 static int mv88w8618_flashcfg_init(SysBusDevice *dev)
1025 {
1026     mv88w8618_flashcfg_state *s = MV88W8618_FLASHCFG(dev);
1027 
1028     s->cfgr0 = 0xfffe4285; /* Default as set by U-Boot for 8 MB flash */
1029     memory_region_init_io(&s->iomem, OBJECT(s), &mv88w8618_flashcfg_ops, s,
1030                           "musicpal-flashcfg", MP_FLASHCFG_SIZE);
1031     sysbus_init_mmio(dev, &s->iomem);
1032     return 0;
1033 }
1034 
1035 static const VMStateDescription mv88w8618_flashcfg_vmsd = {
1036     .name = "mv88w8618_flashcfg",
1037     .version_id = 1,
1038     .minimum_version_id = 1,
1039     .fields = (VMStateField[]) {
1040         VMSTATE_UINT32(cfgr0, mv88w8618_flashcfg_state),
1041         VMSTATE_END_OF_LIST()
1042     }
1043 };
1044 
1045 static void mv88w8618_flashcfg_class_init(ObjectClass *klass, void *data)
1046 {
1047     DeviceClass *dc = DEVICE_CLASS(klass);
1048     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1049 
1050     k->init = mv88w8618_flashcfg_init;
1051     dc->vmsd = &mv88w8618_flashcfg_vmsd;
1052 }
1053 
1054 static const TypeInfo mv88w8618_flashcfg_info = {
1055     .name          = TYPE_MV88W8618_FLASHCFG,
1056     .parent        = TYPE_SYS_BUS_DEVICE,
1057     .instance_size = sizeof(mv88w8618_flashcfg_state),
1058     .class_init    = mv88w8618_flashcfg_class_init,
1059 };
1060 
1061 /* Misc register offsets */
1062 #define MP_MISC_BOARD_REVISION  0x18
1063 
1064 #define MP_BOARD_REVISION       0x31
1065 
1066 typedef struct {
1067     SysBusDevice parent_obj;
1068     MemoryRegion iomem;
1069 } MusicPalMiscState;
1070 
1071 #define TYPE_MUSICPAL_MISC "musicpal-misc"
1072 #define MUSICPAL_MISC(obj) \
1073      OBJECT_CHECK(MusicPalMiscState, (obj), TYPE_MUSICPAL_MISC)
1074 
1075 static uint64_t musicpal_misc_read(void *opaque, hwaddr offset,
1076                                    unsigned size)
1077 {
1078     switch (offset) {
1079     case MP_MISC_BOARD_REVISION:
1080         return MP_BOARD_REVISION;
1081 
1082     default:
1083         return 0;
1084     }
1085 }
1086 
1087 static void musicpal_misc_write(void *opaque, hwaddr offset,
1088                                 uint64_t value, unsigned size)
1089 {
1090 }
1091 
1092 static const MemoryRegionOps musicpal_misc_ops = {
1093     .read = musicpal_misc_read,
1094     .write = musicpal_misc_write,
1095     .endianness = DEVICE_NATIVE_ENDIAN,
1096 };
1097 
1098 static void musicpal_misc_init(Object *obj)
1099 {
1100     SysBusDevice *sd = SYS_BUS_DEVICE(obj);
1101     MusicPalMiscState *s = MUSICPAL_MISC(obj);
1102 
1103     memory_region_init_io(&s->iomem, OBJECT(s), &musicpal_misc_ops, NULL,
1104                           "musicpal-misc", MP_MISC_SIZE);
1105     sysbus_init_mmio(sd, &s->iomem);
1106 }
1107 
1108 static const TypeInfo musicpal_misc_info = {
1109     .name = TYPE_MUSICPAL_MISC,
1110     .parent = TYPE_SYS_BUS_DEVICE,
1111     .instance_init = musicpal_misc_init,
1112     .instance_size = sizeof(MusicPalMiscState),
1113 };
1114 
1115 /* WLAN register offsets */
1116 #define MP_WLAN_MAGIC1          0x11c
1117 #define MP_WLAN_MAGIC2          0x124
1118 
1119 static uint64_t mv88w8618_wlan_read(void *opaque, hwaddr offset,
1120                                     unsigned size)
1121 {
1122     switch (offset) {
1123     /* Workaround to allow loading the binary-only wlandrv.ko crap
1124      * from the original Freecom firmware. */
1125     case MP_WLAN_MAGIC1:
1126         return ~3;
1127     case MP_WLAN_MAGIC2:
1128         return -1;
1129 
1130     default:
1131         return 0;
1132     }
1133 }
1134 
1135 static void mv88w8618_wlan_write(void *opaque, hwaddr offset,
1136                                  uint64_t value, unsigned size)
1137 {
1138 }
1139 
1140 static const MemoryRegionOps mv88w8618_wlan_ops = {
1141     .read = mv88w8618_wlan_read,
1142     .write =mv88w8618_wlan_write,
1143     .endianness = DEVICE_NATIVE_ENDIAN,
1144 };
1145 
1146 static int mv88w8618_wlan_init(SysBusDevice *dev)
1147 {
1148     MemoryRegion *iomem = g_new(MemoryRegion, 1);
1149 
1150     memory_region_init_io(iomem, OBJECT(dev), &mv88w8618_wlan_ops, NULL,
1151                           "musicpal-wlan", MP_WLAN_SIZE);
1152     sysbus_init_mmio(dev, iomem);
1153     return 0;
1154 }
1155 
1156 /* GPIO register offsets */
1157 #define MP_GPIO_OE_LO           0x008
1158 #define MP_GPIO_OUT_LO          0x00c
1159 #define MP_GPIO_IN_LO           0x010
1160 #define MP_GPIO_IER_LO          0x014
1161 #define MP_GPIO_IMR_LO          0x018
1162 #define MP_GPIO_ISR_LO          0x020
1163 #define MP_GPIO_OE_HI           0x508
1164 #define MP_GPIO_OUT_HI          0x50c
1165 #define MP_GPIO_IN_HI           0x510
1166 #define MP_GPIO_IER_HI          0x514
1167 #define MP_GPIO_IMR_HI          0x518
1168 #define MP_GPIO_ISR_HI          0x520
1169 
1170 /* GPIO bits & masks */
1171 #define MP_GPIO_LCD_BRIGHTNESS  0x00070000
1172 #define MP_GPIO_I2C_DATA_BIT    29
1173 #define MP_GPIO_I2C_CLOCK_BIT   30
1174 
1175 /* LCD brightness bits in GPIO_OE_HI */
1176 #define MP_OE_LCD_BRIGHTNESS    0x0007
1177 
1178 #define TYPE_MUSICPAL_GPIO "musicpal_gpio"
1179 #define MUSICPAL_GPIO(obj) \
1180     OBJECT_CHECK(musicpal_gpio_state, (obj), TYPE_MUSICPAL_GPIO)
1181 
1182 typedef struct musicpal_gpio_state {
1183     /*< private >*/
1184     SysBusDevice parent_obj;
1185     /*< public >*/
1186 
1187     MemoryRegion iomem;
1188     uint32_t lcd_brightness;
1189     uint32_t out_state;
1190     uint32_t in_state;
1191     uint32_t ier;
1192     uint32_t imr;
1193     uint32_t isr;
1194     qemu_irq irq;
1195     qemu_irq out[5]; /* 3 brightness out + 2 lcd (data and clock ) */
1196 } musicpal_gpio_state;
1197 
1198 static void musicpal_gpio_brightness_update(musicpal_gpio_state *s) {
1199     int i;
1200     uint32_t brightness;
1201 
1202     /* compute brightness ratio */
1203     switch (s->lcd_brightness) {
1204     case 0x00000007:
1205         brightness = 0;
1206         break;
1207 
1208     case 0x00020000:
1209         brightness = 1;
1210         break;
1211 
1212     case 0x00020001:
1213         brightness = 2;
1214         break;
1215 
1216     case 0x00040000:
1217         brightness = 3;
1218         break;
1219 
1220     case 0x00010006:
1221         brightness = 4;
1222         break;
1223 
1224     case 0x00020005:
1225         brightness = 5;
1226         break;
1227 
1228     case 0x00040003:
1229         brightness = 6;
1230         break;
1231 
1232     case 0x00030004:
1233     default:
1234         brightness = 7;
1235     }
1236 
1237     /* set lcd brightness GPIOs  */
1238     for (i = 0; i <= 2; i++) {
1239         qemu_set_irq(s->out[i], (brightness >> i) & 1);
1240     }
1241 }
1242 
1243 static void musicpal_gpio_pin_event(void *opaque, int pin, int level)
1244 {
1245     musicpal_gpio_state *s = opaque;
1246     uint32_t mask = 1 << pin;
1247     uint32_t delta = level << pin;
1248     uint32_t old = s->in_state & mask;
1249 
1250     s->in_state &= ~mask;
1251     s->in_state |= delta;
1252 
1253     if ((old ^ delta) &&
1254         ((level && (s->imr & mask)) || (!level && (s->ier & mask)))) {
1255         s->isr = mask;
1256         qemu_irq_raise(s->irq);
1257     }
1258 }
1259 
1260 static uint64_t musicpal_gpio_read(void *opaque, hwaddr offset,
1261                                    unsigned size)
1262 {
1263     musicpal_gpio_state *s = opaque;
1264 
1265     switch (offset) {
1266     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1267         return s->lcd_brightness & MP_OE_LCD_BRIGHTNESS;
1268 
1269     case MP_GPIO_OUT_LO:
1270         return s->out_state & 0xFFFF;
1271     case MP_GPIO_OUT_HI:
1272         return s->out_state >> 16;
1273 
1274     case MP_GPIO_IN_LO:
1275         return s->in_state & 0xFFFF;
1276     case MP_GPIO_IN_HI:
1277         return s->in_state >> 16;
1278 
1279     case MP_GPIO_IER_LO:
1280         return s->ier & 0xFFFF;
1281     case MP_GPIO_IER_HI:
1282         return s->ier >> 16;
1283 
1284     case MP_GPIO_IMR_LO:
1285         return s->imr & 0xFFFF;
1286     case MP_GPIO_IMR_HI:
1287         return s->imr >> 16;
1288 
1289     case MP_GPIO_ISR_LO:
1290         return s->isr & 0xFFFF;
1291     case MP_GPIO_ISR_HI:
1292         return s->isr >> 16;
1293 
1294     default:
1295         return 0;
1296     }
1297 }
1298 
1299 static void musicpal_gpio_write(void *opaque, hwaddr offset,
1300                                 uint64_t value, unsigned size)
1301 {
1302     musicpal_gpio_state *s = opaque;
1303     switch (offset) {
1304     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1305         s->lcd_brightness = (s->lcd_brightness & MP_GPIO_LCD_BRIGHTNESS) |
1306                          (value & MP_OE_LCD_BRIGHTNESS);
1307         musicpal_gpio_brightness_update(s);
1308         break;
1309 
1310     case MP_GPIO_OUT_LO:
1311         s->out_state = (s->out_state & 0xFFFF0000) | (value & 0xFFFF);
1312         break;
1313     case MP_GPIO_OUT_HI:
1314         s->out_state = (s->out_state & 0xFFFF) | (value << 16);
1315         s->lcd_brightness = (s->lcd_brightness & 0xFFFF) |
1316                             (s->out_state & MP_GPIO_LCD_BRIGHTNESS);
1317         musicpal_gpio_brightness_update(s);
1318         qemu_set_irq(s->out[3], (s->out_state >> MP_GPIO_I2C_DATA_BIT) & 1);
1319         qemu_set_irq(s->out[4], (s->out_state >> MP_GPIO_I2C_CLOCK_BIT) & 1);
1320         break;
1321 
1322     case MP_GPIO_IER_LO:
1323         s->ier = (s->ier & 0xFFFF0000) | (value & 0xFFFF);
1324         break;
1325     case MP_GPIO_IER_HI:
1326         s->ier = (s->ier & 0xFFFF) | (value << 16);
1327         break;
1328 
1329     case MP_GPIO_IMR_LO:
1330         s->imr = (s->imr & 0xFFFF0000) | (value & 0xFFFF);
1331         break;
1332     case MP_GPIO_IMR_HI:
1333         s->imr = (s->imr & 0xFFFF) | (value << 16);
1334         break;
1335     }
1336 }
1337 
1338 static const MemoryRegionOps musicpal_gpio_ops = {
1339     .read = musicpal_gpio_read,
1340     .write = musicpal_gpio_write,
1341     .endianness = DEVICE_NATIVE_ENDIAN,
1342 };
1343 
1344 static void musicpal_gpio_reset(DeviceState *d)
1345 {
1346     musicpal_gpio_state *s = MUSICPAL_GPIO(d);
1347 
1348     s->lcd_brightness = 0;
1349     s->out_state = 0;
1350     s->in_state = 0xffffffff;
1351     s->ier = 0;
1352     s->imr = 0;
1353     s->isr = 0;
1354 }
1355 
1356 static int musicpal_gpio_init(SysBusDevice *sbd)
1357 {
1358     DeviceState *dev = DEVICE(sbd);
1359     musicpal_gpio_state *s = MUSICPAL_GPIO(dev);
1360 
1361     sysbus_init_irq(sbd, &s->irq);
1362 
1363     memory_region_init_io(&s->iomem, OBJECT(s), &musicpal_gpio_ops, s,
1364                           "musicpal-gpio", MP_GPIO_SIZE);
1365     sysbus_init_mmio(sbd, &s->iomem);
1366 
1367     qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1368 
1369     qdev_init_gpio_in(dev, musicpal_gpio_pin_event, 32);
1370 
1371     return 0;
1372 }
1373 
1374 static const VMStateDescription musicpal_gpio_vmsd = {
1375     .name = "musicpal_gpio",
1376     .version_id = 1,
1377     .minimum_version_id = 1,
1378     .fields = (VMStateField[]) {
1379         VMSTATE_UINT32(lcd_brightness, musicpal_gpio_state),
1380         VMSTATE_UINT32(out_state, musicpal_gpio_state),
1381         VMSTATE_UINT32(in_state, musicpal_gpio_state),
1382         VMSTATE_UINT32(ier, musicpal_gpio_state),
1383         VMSTATE_UINT32(imr, musicpal_gpio_state),
1384         VMSTATE_UINT32(isr, musicpal_gpio_state),
1385         VMSTATE_END_OF_LIST()
1386     }
1387 };
1388 
1389 static void musicpal_gpio_class_init(ObjectClass *klass, void *data)
1390 {
1391     DeviceClass *dc = DEVICE_CLASS(klass);
1392     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1393 
1394     k->init = musicpal_gpio_init;
1395     dc->reset = musicpal_gpio_reset;
1396     dc->vmsd = &musicpal_gpio_vmsd;
1397 }
1398 
1399 static const TypeInfo musicpal_gpio_info = {
1400     .name          = TYPE_MUSICPAL_GPIO,
1401     .parent        = TYPE_SYS_BUS_DEVICE,
1402     .instance_size = sizeof(musicpal_gpio_state),
1403     .class_init    = musicpal_gpio_class_init,
1404 };
1405 
1406 /* Keyboard codes & masks */
1407 #define KEY_RELEASED            0x80
1408 #define KEY_CODE                0x7f
1409 
1410 #define KEYCODE_TAB             0x0f
1411 #define KEYCODE_ENTER           0x1c
1412 #define KEYCODE_F               0x21
1413 #define KEYCODE_M               0x32
1414 
1415 #define KEYCODE_EXTENDED        0xe0
1416 #define KEYCODE_UP              0x48
1417 #define KEYCODE_DOWN            0x50
1418 #define KEYCODE_LEFT            0x4b
1419 #define KEYCODE_RIGHT           0x4d
1420 
1421 #define MP_KEY_WHEEL_VOL       (1 << 0)
1422 #define MP_KEY_WHEEL_VOL_INV   (1 << 1)
1423 #define MP_KEY_WHEEL_NAV       (1 << 2)
1424 #define MP_KEY_WHEEL_NAV_INV   (1 << 3)
1425 #define MP_KEY_BTN_FAVORITS    (1 << 4)
1426 #define MP_KEY_BTN_MENU        (1 << 5)
1427 #define MP_KEY_BTN_VOLUME      (1 << 6)
1428 #define MP_KEY_BTN_NAVIGATION  (1 << 7)
1429 
1430 #define TYPE_MUSICPAL_KEY "musicpal_key"
1431 #define MUSICPAL_KEY(obj) \
1432     OBJECT_CHECK(musicpal_key_state, (obj), TYPE_MUSICPAL_KEY)
1433 
1434 typedef struct musicpal_key_state {
1435     /*< private >*/
1436     SysBusDevice parent_obj;
1437     /*< public >*/
1438 
1439     MemoryRegion iomem;
1440     uint32_t kbd_extended;
1441     uint32_t pressed_keys;
1442     qemu_irq out[8];
1443 } musicpal_key_state;
1444 
1445 static void musicpal_key_event(void *opaque, int keycode)
1446 {
1447     musicpal_key_state *s = opaque;
1448     uint32_t event = 0;
1449     int i;
1450 
1451     if (keycode == KEYCODE_EXTENDED) {
1452         s->kbd_extended = 1;
1453         return;
1454     }
1455 
1456     if (s->kbd_extended) {
1457         switch (keycode & KEY_CODE) {
1458         case KEYCODE_UP:
1459             event = MP_KEY_WHEEL_NAV | MP_KEY_WHEEL_NAV_INV;
1460             break;
1461 
1462         case KEYCODE_DOWN:
1463             event = MP_KEY_WHEEL_NAV;
1464             break;
1465 
1466         case KEYCODE_LEFT:
1467             event = MP_KEY_WHEEL_VOL | MP_KEY_WHEEL_VOL_INV;
1468             break;
1469 
1470         case KEYCODE_RIGHT:
1471             event = MP_KEY_WHEEL_VOL;
1472             break;
1473         }
1474     } else {
1475         switch (keycode & KEY_CODE) {
1476         case KEYCODE_F:
1477             event = MP_KEY_BTN_FAVORITS;
1478             break;
1479 
1480         case KEYCODE_TAB:
1481             event = MP_KEY_BTN_VOLUME;
1482             break;
1483 
1484         case KEYCODE_ENTER:
1485             event = MP_KEY_BTN_NAVIGATION;
1486             break;
1487 
1488         case KEYCODE_M:
1489             event = MP_KEY_BTN_MENU;
1490             break;
1491         }
1492         /* Do not repeat already pressed buttons */
1493         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1494             event = 0;
1495         }
1496     }
1497 
1498     if (event) {
1499         /* Raise GPIO pin first if repeating a key */
1500         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1501             for (i = 0; i <= 7; i++) {
1502                 if (event & (1 << i)) {
1503                     qemu_set_irq(s->out[i], 1);
1504                 }
1505             }
1506         }
1507         for (i = 0; i <= 7; i++) {
1508             if (event & (1 << i)) {
1509                 qemu_set_irq(s->out[i], !!(keycode & KEY_RELEASED));
1510             }
1511         }
1512         if (keycode & KEY_RELEASED) {
1513             s->pressed_keys &= ~event;
1514         } else {
1515             s->pressed_keys |= event;
1516         }
1517     }
1518 
1519     s->kbd_extended = 0;
1520 }
1521 
1522 static int musicpal_key_init(SysBusDevice *sbd)
1523 {
1524     DeviceState *dev = DEVICE(sbd);
1525     musicpal_key_state *s = MUSICPAL_KEY(dev);
1526 
1527     memory_region_init(&s->iomem, OBJECT(s), "dummy", 0);
1528     sysbus_init_mmio(sbd, &s->iomem);
1529 
1530     s->kbd_extended = 0;
1531     s->pressed_keys = 0;
1532 
1533     qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1534 
1535     qemu_add_kbd_event_handler(musicpal_key_event, s);
1536 
1537     return 0;
1538 }
1539 
1540 static const VMStateDescription musicpal_key_vmsd = {
1541     .name = "musicpal_key",
1542     .version_id = 1,
1543     .minimum_version_id = 1,
1544     .fields = (VMStateField[]) {
1545         VMSTATE_UINT32(kbd_extended, musicpal_key_state),
1546         VMSTATE_UINT32(pressed_keys, musicpal_key_state),
1547         VMSTATE_END_OF_LIST()
1548     }
1549 };
1550 
1551 static void musicpal_key_class_init(ObjectClass *klass, void *data)
1552 {
1553     DeviceClass *dc = DEVICE_CLASS(klass);
1554     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1555 
1556     k->init = musicpal_key_init;
1557     dc->vmsd = &musicpal_key_vmsd;
1558 }
1559 
1560 static const TypeInfo musicpal_key_info = {
1561     .name          = TYPE_MUSICPAL_KEY,
1562     .parent        = TYPE_SYS_BUS_DEVICE,
1563     .instance_size = sizeof(musicpal_key_state),
1564     .class_init    = musicpal_key_class_init,
1565 };
1566 
1567 static struct arm_boot_info musicpal_binfo = {
1568     .loader_start = 0x0,
1569     .board_id = 0x20e,
1570 };
1571 
1572 static void musicpal_init(MachineState *machine)
1573 {
1574     const char *cpu_model = machine->cpu_model;
1575     const char *kernel_filename = machine->kernel_filename;
1576     const char *kernel_cmdline = machine->kernel_cmdline;
1577     const char *initrd_filename = machine->initrd_filename;
1578     ARMCPU *cpu;
1579     qemu_irq pic[32];
1580     DeviceState *dev;
1581     DeviceState *i2c_dev;
1582     DeviceState *lcd_dev;
1583     DeviceState *key_dev;
1584     DeviceState *wm8750_dev;
1585     SysBusDevice *s;
1586     I2CBus *i2c;
1587     int i;
1588     unsigned long flash_size;
1589     DriveInfo *dinfo;
1590     MemoryRegion *address_space_mem = get_system_memory();
1591     MemoryRegion *ram = g_new(MemoryRegion, 1);
1592     MemoryRegion *sram = g_new(MemoryRegion, 1);
1593 
1594     if (!cpu_model) {
1595         cpu_model = "arm926";
1596     }
1597     cpu = cpu_arm_init(cpu_model);
1598     if (!cpu) {
1599         fprintf(stderr, "Unable to find CPU definition\n");
1600         exit(1);
1601     }
1602 
1603     /* For now we use a fixed - the original - RAM size */
1604     memory_region_init_ram(ram, NULL, "musicpal.ram", MP_RAM_DEFAULT_SIZE,
1605                            &error_abort);
1606     vmstate_register_ram_global(ram);
1607     memory_region_add_subregion(address_space_mem, 0, ram);
1608 
1609     memory_region_init_ram(sram, NULL, "musicpal.sram", MP_SRAM_SIZE,
1610                            &error_abort);
1611     vmstate_register_ram_global(sram);
1612     memory_region_add_subregion(address_space_mem, MP_SRAM_BASE, sram);
1613 
1614     dev = sysbus_create_simple(TYPE_MV88W8618_PIC, MP_PIC_BASE,
1615                                qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));
1616     for (i = 0; i < 32; i++) {
1617         pic[i] = qdev_get_gpio_in(dev, i);
1618     }
1619     sysbus_create_varargs(TYPE_MV88W8618_PIT, MP_PIT_BASE, pic[MP_TIMER1_IRQ],
1620                           pic[MP_TIMER2_IRQ], pic[MP_TIMER3_IRQ],
1621                           pic[MP_TIMER4_IRQ], NULL);
1622 
1623     if (serial_hds[0]) {
1624         serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
1625                        1825000, serial_hds[0], DEVICE_NATIVE_ENDIAN);
1626     }
1627     if (serial_hds[1]) {
1628         serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
1629                        1825000, serial_hds[1], DEVICE_NATIVE_ENDIAN);
1630     }
1631 
1632     /* Register flash */
1633     dinfo = drive_get(IF_PFLASH, 0, 0);
1634     if (dinfo) {
1635         flash_size = bdrv_getlength(dinfo->bdrv);
1636         if (flash_size != 8*1024*1024 && flash_size != 16*1024*1024 &&
1637             flash_size != 32*1024*1024) {
1638             fprintf(stderr, "Invalid flash image size\n");
1639             exit(1);
1640         }
1641 
1642         /*
1643          * The original U-Boot accesses the flash at 0xFE000000 instead of
1644          * 0xFF800000 (if there is 8 MB flash). So remap flash access if the
1645          * image is smaller than 32 MB.
1646          */
1647 #ifdef TARGET_WORDS_BIGENDIAN
1648         pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
1649                               "musicpal.flash", flash_size,
1650                               dinfo->bdrv, 0x10000,
1651                               (flash_size + 0xffff) >> 16,
1652                               MP_FLASH_SIZE_MAX / flash_size,
1653                               2, 0x00BF, 0x236D, 0x0000, 0x0000,
1654                               0x5555, 0x2AAA, 1);
1655 #else
1656         pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
1657                               "musicpal.flash", flash_size,
1658                               dinfo->bdrv, 0x10000,
1659                               (flash_size + 0xffff) >> 16,
1660                               MP_FLASH_SIZE_MAX / flash_size,
1661                               2, 0x00BF, 0x236D, 0x0000, 0x0000,
1662                               0x5555, 0x2AAA, 0);
1663 #endif
1664 
1665     }
1666     sysbus_create_simple(TYPE_MV88W8618_FLASHCFG, MP_FLASHCFG_BASE, NULL);
1667 
1668     qemu_check_nic_model(&nd_table[0], "mv88w8618");
1669     dev = qdev_create(NULL, TYPE_MV88W8618_ETH);
1670     qdev_set_nic_properties(dev, &nd_table[0]);
1671     qdev_init_nofail(dev);
1672     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, MP_ETH_BASE);
1673     sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[MP_ETH_IRQ]);
1674 
1675     sysbus_create_simple("mv88w8618_wlan", MP_WLAN_BASE, NULL);
1676 
1677     sysbus_create_simple(TYPE_MUSICPAL_MISC, MP_MISC_BASE, NULL);
1678 
1679     dev = sysbus_create_simple(TYPE_MUSICPAL_GPIO, MP_GPIO_BASE,
1680                                pic[MP_GPIO_IRQ]);
1681     i2c_dev = sysbus_create_simple("gpio_i2c", -1, NULL);
1682     i2c = (I2CBus *)qdev_get_child_bus(i2c_dev, "i2c");
1683 
1684     lcd_dev = sysbus_create_simple(TYPE_MUSICPAL_LCD, MP_LCD_BASE, NULL);
1685     key_dev = sysbus_create_simple(TYPE_MUSICPAL_KEY, -1, NULL);
1686 
1687     /* I2C read data */
1688     qdev_connect_gpio_out(i2c_dev, 0,
1689                           qdev_get_gpio_in(dev, MP_GPIO_I2C_DATA_BIT));
1690     /* I2C data */
1691     qdev_connect_gpio_out(dev, 3, qdev_get_gpio_in(i2c_dev, 0));
1692     /* I2C clock */
1693     qdev_connect_gpio_out(dev, 4, qdev_get_gpio_in(i2c_dev, 1));
1694 
1695     for (i = 0; i < 3; i++) {
1696         qdev_connect_gpio_out(dev, i, qdev_get_gpio_in(lcd_dev, i));
1697     }
1698     for (i = 0; i < 4; i++) {
1699         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 8));
1700     }
1701     for (i = 4; i < 8; i++) {
1702         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 15));
1703     }
1704 
1705     wm8750_dev = i2c_create_slave(i2c, "wm8750", MP_WM_ADDR);
1706     dev = qdev_create(NULL, "mv88w8618_audio");
1707     s = SYS_BUS_DEVICE(dev);
1708     qdev_prop_set_ptr(dev, "wm8750", wm8750_dev);
1709     qdev_init_nofail(dev);
1710     sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
1711     sysbus_connect_irq(s, 0, pic[MP_AUDIO_IRQ]);
1712 
1713     musicpal_binfo.ram_size = MP_RAM_DEFAULT_SIZE;
1714     musicpal_binfo.kernel_filename = kernel_filename;
1715     musicpal_binfo.kernel_cmdline = kernel_cmdline;
1716     musicpal_binfo.initrd_filename = initrd_filename;
1717     arm_load_kernel(cpu, &musicpal_binfo);
1718 }
1719 
1720 static QEMUMachine musicpal_machine = {
1721     .name = "musicpal",
1722     .desc = "Marvell 88w8618 / MusicPal (ARM926EJ-S)",
1723     .init = musicpal_init,
1724 };
1725 
1726 static void musicpal_machine_init(void)
1727 {
1728     qemu_register_machine(&musicpal_machine);
1729 }
1730 
1731 machine_init(musicpal_machine_init);
1732 
1733 static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
1734 {
1735     SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
1736 
1737     sdc->init = mv88w8618_wlan_init;
1738 }
1739 
1740 static const TypeInfo mv88w8618_wlan_info = {
1741     .name          = "mv88w8618_wlan",
1742     .parent        = TYPE_SYS_BUS_DEVICE,
1743     .instance_size = sizeof(SysBusDevice),
1744     .class_init    = mv88w8618_wlan_class_init,
1745 };
1746 
1747 static void musicpal_register_types(void)
1748 {
1749     type_register_static(&mv88w8618_pic_info);
1750     type_register_static(&mv88w8618_pit_info);
1751     type_register_static(&mv88w8618_flashcfg_info);
1752     type_register_static(&mv88w8618_eth_info);
1753     type_register_static(&mv88w8618_wlan_info);
1754     type_register_static(&musicpal_lcd_info);
1755     type_register_static(&musicpal_gpio_info);
1756     type_register_static(&musicpal_key_info);
1757     type_register_static(&musicpal_misc_info);
1758 }
1759 
1760 type_init(musicpal_register_types)
1761