1 /*
2  * Marvell MV88W8618 / Freecom MusicPal emulation.
3  *
4  * Copyright (c) 2008 Jan Kiszka
5  *
6  * This code is licensed under the GNU GPL v2.
7  *
8  * Contributions after 2012-01-13 are licensed under the terms of the
9  * GNU GPL, version 2 or (at your option) any later version.
10  */
11 
12 #include "qemu/osdep.h"
13 #include "qapi/error.h"
14 #include "qemu-common.h"
15 #include "cpu.h"
16 #include "hw/sysbus.h"
17 #include "hw/arm/arm.h"
18 #include "hw/devices.h"
19 #include "net/net.h"
20 #include "sysemu/sysemu.h"
21 #include "hw/boards.h"
22 #include "hw/char/serial.h"
23 #include "qemu/timer.h"
24 #include "hw/ptimer.h"
25 #include "hw/block/flash.h"
26 #include "ui/console.h"
27 #include "hw/i2c/i2c.h"
28 #include "sysemu/block-backend.h"
29 #include "exec/address-spaces.h"
30 #include "ui/pixel_ops.h"
31 
32 #define MP_MISC_BASE            0x80002000
33 #define MP_MISC_SIZE            0x00001000
34 
35 #define MP_ETH_BASE             0x80008000
36 #define MP_ETH_SIZE             0x00001000
37 
38 #define MP_WLAN_BASE            0x8000C000
39 #define MP_WLAN_SIZE            0x00000800
40 
41 #define MP_UART1_BASE           0x8000C840
42 #define MP_UART2_BASE           0x8000C940
43 
44 #define MP_GPIO_BASE            0x8000D000
45 #define MP_GPIO_SIZE            0x00001000
46 
47 #define MP_FLASHCFG_BASE        0x90006000
48 #define MP_FLASHCFG_SIZE        0x00001000
49 
50 #define MP_AUDIO_BASE           0x90007000
51 
52 #define MP_PIC_BASE             0x90008000
53 #define MP_PIC_SIZE             0x00001000
54 
55 #define MP_PIT_BASE             0x90009000
56 #define MP_PIT_SIZE             0x00001000
57 
58 #define MP_LCD_BASE             0x9000c000
59 #define MP_LCD_SIZE             0x00001000
60 
61 #define MP_SRAM_BASE            0xC0000000
62 #define MP_SRAM_SIZE            0x00020000
63 
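/*
 * Size limits in bytes. The products are parenthesised so that the macros
 * keep their value when used inside a larger expression (e.g. with % or /).
 */
#define MP_RAM_DEFAULT_SIZE     (32 * 1024 * 1024)
#define MP_FLASH_SIZE_MAX       (32 * 1024 * 1024)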
66 
67 #define MP_TIMER1_IRQ           4
68 #define MP_TIMER2_IRQ           5
69 #define MP_TIMER3_IRQ           6
70 #define MP_TIMER4_IRQ           7
71 #define MP_EHCI_IRQ             8
72 #define MP_ETH_IRQ              9
73 #define MP_UART1_IRQ            11
74 #define MP_UART2_IRQ            11
75 #define MP_GPIO_IRQ             12
76 #define MP_RTC_IRQ              28
77 #define MP_AUDIO_IRQ            30
78 
79 /* Wolfson 8750 I2C address */
80 #define MP_WM_ADDR              0x1A
81 
82 /* Ethernet register offsets */
83 #define MP_ETH_SMIR             0x010
84 #define MP_ETH_PCXR             0x408
85 #define MP_ETH_SDCMR            0x448
86 #define MP_ETH_ICR              0x450
87 #define MP_ETH_IMR              0x458
88 #define MP_ETH_FRDP0            0x480
89 #define MP_ETH_FRDP1            0x484
90 #define MP_ETH_FRDP2            0x488
91 #define MP_ETH_FRDP3            0x48C
92 #define MP_ETH_CRDP0            0x4A0
93 #define MP_ETH_CRDP1            0x4A4
94 #define MP_ETH_CRDP2            0x4A8
95 #define MP_ETH_CRDP3            0x4AC
96 #define MP_ETH_CTDP0            0x4E0
97 #define MP_ETH_CTDP1            0x4E4
98 
99 /* MII PHY access */
100 #define MP_ETH_SMIR_DATA        0x0000FFFF
101 #define MP_ETH_SMIR_ADDR        0x03FF0000
102 #define MP_ETH_SMIR_OPCODE      (1 << 26) /* Read value */
103 #define MP_ETH_SMIR_RDVALID     (1 << 27)
104 
105 /* PHY registers */
106 #define MP_ETH_PHY1_BMSR        0x00210000
107 #define MP_ETH_PHY1_PHYSID1     0x00410000
108 #define MP_ETH_PHY1_PHYSID2     0x00610000
109 
110 #define MP_PHY_BMSR_LINK        0x0004
111 #define MP_PHY_BMSR_AUTONEG     0x0008
112 
113 #define MP_PHY_88E3015          0x01410E20
114 
115 /* TX descriptor status */
116 #define MP_ETH_TX_OWN           (1U << 31)
117 
118 /* RX descriptor status */
119 #define MP_ETH_RX_OWN           (1U << 31)
120 
121 /* Interrupt cause/mask bits */
122 #define MP_ETH_IRQ_RX_BIT       0
123 #define MP_ETH_IRQ_RX           (1 << MP_ETH_IRQ_RX_BIT)
124 #define MP_ETH_IRQ_TXHI_BIT     2
125 #define MP_ETH_IRQ_TXLO_BIT     3
126 
127 /* Port config bits */
128 #define MP_ETH_PCXR_2BSM_BIT    28 /* 2-byte incoming suffix */
129 
130 /* SDMA command bits */
131 #define MP_ETH_CMD_TXHI         (1 << 23)
132 #define MP_ETH_CMD_TXLO         (1 << 22)
133 
/*
 * TX descriptor as it is copied to and from guest memory by
 * eth_tx_desc_get()/eth_tx_desc_put() (a sizeof(*desc) byte copy, so the
 * field order and widths are the in-memory layout). Every field is
 * supplied by the guest and must be treated as untrusted.
 */
typedef struct mv88w8618_tx_desc {
    uint32_t cmdstat;   /* MP_ETH_TX_OWN (bit 31) is tested and cleared by eth_send() */
    uint16_t res;       /* not interpreted by the code in this file section */
    uint16_t bytes;     /* frame length eth_send() reads from 'buffer' */
    uint32_t buffer;    /* guest-physical address of the frame data */
    uint32_t next;      /* guest-physical address of the next descriptor */
} mv88w8618_tx_desc;
141 
/*
 * RX descriptor as it is copied to and from guest memory by
 * eth_rx_desc_get()/eth_rx_desc_put() (a sizeof(*desc) byte copy, so the
 * field order and widths are the in-memory layout). Every field is
 * supplied by the guest and must be treated as untrusted.
 */
typedef struct mv88w8618_rx_desc {
    uint32_t cmdstat;       /* MP_ETH_RX_OWN (bit 31) is tested and cleared by eth_receive() */
    uint16_t bytes;         /* written by eth_receive(): frame size plus vlan_header */
    uint16_t buffer_size;   /* compared against the incoming frame size */
    uint32_t buffer;        /* guest-physical address the frame is written to */
    uint32_t next;          /* guest-physical address of the next descriptor */
} mv88w8618_rx_desc;
149 
150 #define TYPE_MV88W8618_ETH "mv88w8618_eth"
151 #define MV88W8618_ETH(obj) \
152     OBJECT_CHECK(mv88w8618_eth_state, (obj), TYPE_MV88W8618_ETH)
153 
/*
 * Device state of the emulated Ethernet controller. The queue pointers are
 * written by the guest through MMIO (and restored from the migration stream)
 * and are later dereferenced as guest-physical descriptor addresses.
 */
typedef struct mv88w8618_eth_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;     /* MMIO window set up in mv88w8618_eth_init() */
    qemu_irq irq;           /* raised whenever (icr & imr) is non-zero after an update */
    uint32_t smir;          /* last value written to MP_ETH_SMIR */
    uint32_t icr;           /* interrupt cause bits */
    uint32_t imr;           /* interrupt mask bits */
    int mmio_index;         /* not referenced by the Ethernet code in this section */
    uint32_t vlan_header;   /* 0 or 2 when set via MP_ETH_PCXR: offset applied to RX data */
    uint32_t tx_queue[2];   /* TX ring start addresses (MP_ETH_CTDP0..1) */
    uint32_t rx_queue[4];   /* RX ring start addresses (MP_ETH_CRDP0..3) */
    uint32_t frx_queue[4];  /* MP_ETH_FRDP0..3 values; only stored and read back here */
    uint32_t cur_rx[4];     /* next RX descriptor eth_receive() will try, per ring */
    NICState *nic;          /* created in mv88w8618_eth_init(), cleared in eth_cleanup() */
    NICConf conf;
} mv88w8618_eth_state;
173 
/*
 * Write an RX descriptor back to guest memory at @addr in little-endian
 * layout. The fields of @desc are converted in place before the copy, so
 * the caller must not keep using @desc as CPU-order data afterwards.
 */
static void eth_rx_desc_put(uint32_t addr, mv88w8618_rx_desc *desc)
{
    /* 16-bit members */
    cpu_to_le16s(&desc->buffer_size);
    cpu_to_le16s(&desc->bytes);

    /* 32-bit members */
    cpu_to_le32s(&desc->next);
    cpu_to_le32s(&desc->buffer);
    cpu_to_le32s(&desc->cmdstat);

    cpu_physical_memory_write(addr, desc, sizeof *desc);
}
183 
/*
 * Fetch an RX descriptor from guest memory at @addr and convert it from
 * little-endian to CPU order. @addr comes from guest-written registers or
 * from a previous descriptor's 'next' field; nothing here validates it.
 */
static void eth_rx_desc_get(uint32_t addr, mv88w8618_rx_desc *desc)
{
    cpu_physical_memory_read(addr, desc, sizeof *desc);

    /* 16-bit members */
    le16_to_cpus(&desc->buffer_size);
    le16_to_cpus(&desc->bytes);

    /* 32-bit members */
    le32_to_cpus(&desc->next);
    le32_to_cpus(&desc->buffer);
    le32_to_cpus(&desc->cmdstat);
}
193 
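/*
 * Deliver one incoming frame to the guest.
 *
 * The four RX rings are tried in order. For each ring the descriptor chain
 * is walked from cur_rx[i] until a descriptor is found that the guest has
 * handed to the device (MP_ETH_RX_OWN) and whose buffer_size is at least
 * @size; the frame is copied there, ownership is returned to the guest and
 * the RX interrupt cause is set.
 *
 * Returns @size in every case, i.e. a frame for which no descriptor was
 * found is dropped silently.
 *
 * Security notes:
 *  - The descriptor chain lives in guest memory. The original loop only
 *    stopped when 'next' pointed back at rx_queue[i], so a chain that never
 *    returns to its start kept the host thread spinning. The walk is now
 *    capped per ring.
 *  - NOTE(review): the size check does not include vlan_header, so the copy
 *    can end up to 2 bytes past buffer + buffer_size. The target is guest
 *    memory, not host memory; confirm against the hardware behaviour before
 *    tightening the check.
 *  - desc.bytes is 16 bits wide; size + vlan_header is truncated on store.
 */
static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
{
    /* Generous upper bound; real ring sizes are not visible here - TODO confirm. */
    enum { MP_ETH_RX_WALK_MAX = 4096 };

    mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
    uint32_t desc_addr;
    mv88w8618_rx_desc desc;
    int i;
    int walked;

    for (i = 0; i < 4; i++) {
        desc_addr = s->cur_rx[i];
        if (!desc_addr) {
            continue;
        }
        walked = 0;
        do {
            eth_rx_desc_get(desc_addr, &desc);
            if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
                cpu_physical_memory_write(desc.buffer + s->vlan_header,
                                          buf, size);
                desc.bytes = size + s->vlan_header;
                desc.cmdstat &= ~MP_ETH_RX_OWN;
                s->cur_rx[i] = desc.next;

                s->icr |= MP_ETH_IRQ_RX;
                if (s->icr & s->imr) {
                    qemu_irq_raise(s->irq);
                }
                eth_rx_desc_put(desc_addr, &desc);
                return size;
            }
            desc_addr = desc.next;
            /* Stop on wrap-around, or when the guest-supplied chain is too long. */
        } while (desc_addr != s->rx_queue[i] && ++walked < MP_ETH_RX_WALK_MAX);
    }
    return size;
}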
227 
/*
 * Write a TX descriptor back to guest memory at @addr in little-endian
 * layout. The fields of @desc are converted in place before the copy, so
 * the caller must not keep using @desc as CPU-order data afterwards.
 */
static void eth_tx_desc_put(uint32_t addr, mv88w8618_tx_desc *desc)
{
    /* 16-bit members */
    cpu_to_le16s(&desc->bytes);
    cpu_to_le16s(&desc->res);

    /* 32-bit members */
    cpu_to_le32s(&desc->next);
    cpu_to_le32s(&desc->buffer);
    cpu_to_le32s(&desc->cmdstat);

    cpu_physical_memory_write(addr, desc, sizeof *desc);
}
237 
/*
 * Fetch a TX descriptor from guest memory at @addr and convert it from
 * little-endian to CPU order. @addr comes from guest-written registers or
 * from a previous descriptor's 'next' field; nothing here validates it.
 */
static void eth_tx_desc_get(uint32_t addr, mv88w8618_tx_desc *desc)
{
    cpu_physical_memory_read(addr, desc, sizeof *desc);

    /* 16-bit members */
    le16_to_cpus(&desc->bytes);
    le16_to_cpus(&desc->res);

    /* 32-bit members */
    le32_to_cpus(&desc->next);
    le32_to_cpus(&desc->buffer);
    le32_to_cpus(&desc->cmdstat);
}
247 
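/*
 * Transmit every descriptor of TX ring @queue_index that the guest has
 * handed to the device (MP_ETH_TX_OWN).
 *
 * Frames of 2048 bytes or more are not sent, but their descriptor is still
 * completed (ownership returned, interrupt cause bit set), as before.
 *
 * Security notes:
 *  - desc.bytes is guest-controlled; the length check against the size of
 *    the on-stack buffer is what keeps the DMA read inside @buf.
 *  - The descriptor chain lives in guest memory. The original loop only
 *    stopped when 'next' pointed back at the ring start, so a chain that
 *    never returns there kept the host thread spinning. The walk is now
 *    capped.
 *  - NOTE(review): s->nic is set to NULL by eth_cleanup(); whether this
 *    function can still be reached afterwards is not visible here.
 */
static void eth_send(mv88w8618_eth_state *s, int queue_index)
{
    /* Generous upper bound; real ring sizes are not visible here - TODO confirm. */
    enum { MP_ETH_TX_WALK_MAX = 4096 };

    uint32_t desc_addr = s->tx_queue[queue_index];
    mv88w8618_tx_desc desc;
    uint32_t next_desc;
    uint8_t buf[2048];
    int len;
    int walked = 0;

    do {
        eth_tx_desc_get(desc_addr, &desc);
        /* Saved now: eth_tx_desc_put() converts desc in place. */
        next_desc = desc.next;
        if (desc.cmdstat & MP_ETH_TX_OWN) {
            len = desc.bytes;
            if (len < (int)sizeof(buf)) {
                cpu_physical_memory_read(desc.buffer, buf, len);
                qemu_send_packet(qemu_get_queue(s->nic), buf, len);
            }
            desc.cmdstat &= ~MP_ETH_TX_OWN;
            /* queue 0 -> TXLO cause bit, queue 1 -> TXHI cause bit */
            s->icr |= 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index);
            eth_tx_desc_put(desc_addr, &desc);
        }
        desc_addr = next_desc;
        /* Stop on wrap-around, or when the guest-supplied chain is too long. */
    } while (desc_addr != s->tx_queue[queue_index] &&
             ++walked < MP_ETH_TX_WALK_MAX);
}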
272 
/*
 * MMIO read handler of the Ethernet controller.
 *
 * MP_ETH_SMIR emulates a PHY read: when the last value written had the
 * read opcode set, the selected PHY register value is returned together
 * with MP_ETH_SMIR_RDVALID. Unknown offsets read as 0. The queue-pointer
 * ranges index fixed-size arrays; the case ranges keep the index within
 * 0..3 (FRDP/CRDP) and 0..1 (CTDP).
 */
static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    mv88w8618_eth_state *s = opaque;
    uint64_t ret = 0;

    switch (offset) {
    case MP_ETH_SMIR:
        if (!(s->smir & MP_ETH_SMIR_OPCODE)) {
            break;
        }
        /* Every emulated PHY read completes immediately. */
        ret = MP_ETH_SMIR_RDVALID;
        switch (s->smir & MP_ETH_SMIR_ADDR) {
        case MP_ETH_PHY1_BMSR:
            ret |= MP_PHY_BMSR_LINK | MP_PHY_BMSR_AUTONEG;
            break;
        case MP_ETH_PHY1_PHYSID1:
            ret |= MP_PHY_88E3015 >> 16;
            break;
        case MP_ETH_PHY1_PHYSID2:
            ret |= MP_PHY_88E3015 & 0xFFFF;
            break;
        default:
            break;
        }
        break;

    case MP_ETH_ICR:
        ret = s->icr;
        break;

    case MP_ETH_IMR:
        ret = s->imr;
        break;

    case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
        ret = s->frx_queue[(offset - MP_ETH_FRDP0) / 4];
        break;

    case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
        ret = s->rx_queue[(offset - MP_ETH_CRDP0) / 4];
        break;

    case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
        ret = s->tx_queue[(offset - MP_ETH_CTDP0) / 4];
        break;

    default:
        break;
    }

    return ret;
}
314 
/*
 * MMIO write handler of the Ethernet controller.
 *
 * The queue-pointer registers store guest-chosen addresses without any
 * validation; they are dereferenced later by eth_send()/eth_receive().
 * Writing MP_ETH_SDCMR with a TX command bit runs the transmit path
 * synchronously. Writes to unknown offsets are ignored.
 */
static void mv88w8618_eth_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
    mv88w8618_eth_state *s = opaque;
    unsigned idx;

    switch (offset) {
    case MP_ETH_SMIR:
        s->smir = value;
        return;

    case MP_ETH_PCXR:
        /* 2-byte prefix mode selects a 2-byte offset for received data */
        s->vlan_header = (value & (1ULL << MP_ETH_PCXR_2BSM_BIT)) ? 2 : 0;
        return;

    case MP_ETH_SDCMR:
        /* High-priority queue is served before the low-priority one. */
        if (value & MP_ETH_CMD_TXHI) {
            eth_send(s, 1);
        }
        if (value & MP_ETH_CMD_TXLO) {
            eth_send(s, 0);
        }
        if ((value & (MP_ETH_CMD_TXHI | MP_ETH_CMD_TXLO)) &&
            (s->icr & s->imr)) {
            qemu_irq_raise(s->irq);
        }
        return;

    case MP_ETH_ICR:
        /* Cause bits written as 0 are cleared, bits written as 1 are kept. */
        s->icr &= value;
        return;

    case MP_ETH_IMR:
        s->imr = value;
        if (s->icr & s->imr) {
            qemu_irq_raise(s->irq);
        }
        return;

    case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
        idx = (offset - MP_ETH_FRDP0) / 4;
        s->frx_queue[idx] = value;
        return;

    case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
        /* Setting a ring start also rewinds the current RX position. */
        idx = (offset - MP_ETH_CRDP0) / 4;
        s->cur_rx[idx] = value;
        s->rx_queue[idx] = s->cur_rx[idx];
        return;

    case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
        idx = (offset - MP_ETH_CTDP0) / 4;
        s->tx_queue[idx] = value;
        return;
    }
}
366 
/*
 * MMIO callbacks of the Ethernet controller. No access-size constraints are
 * set here, and the handlers ignore their 'size' argument.
 */
static const MemoryRegionOps mv88w8618_eth_ops = {
    .read = mv88w8618_eth_read,
    .write = mv88w8618_eth_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
372 
/*
 * NIC cleanup callback: drop the device's reference to the NIC so that a
 * stale pointer is not kept once the net client goes away.
 */
static void eth_cleanup(NetClientState *nc)
{
    mv88w8618_eth_state *eth = qemu_get_nic_opaque(nc);

    eth->nic = NULL;
}
379 
/*
 * Net client callbacks for the emulated NIC. No .can_receive hook is set,
 * so eth_receive() is the only place that decides whether a frame fits.
 */
static NetClientInfo net_mv88w8618_info = {
    .type = NET_CLIENT_OPTIONS_KIND_NIC,
    .size = sizeof(NICState),
    .receive = eth_receive,
    .cleanup = eth_cleanup,
};
386 
/*
 * SysBus init hook: export the interrupt line, create the NIC backend
 * binding and register the MMIO window of MP_ETH_SIZE bytes.
 * Always returns 0.
 */
static int mv88w8618_eth_init(SysBusDevice *sbd)
{
    DeviceState *qdev = DEVICE(sbd);
    mv88w8618_eth_state *eth = MV88W8618_ETH(qdev);
    const char *type_name;

    sysbus_init_irq(sbd, &eth->irq);

    type_name = object_get_typename(OBJECT(qdev));
    eth->nic = qemu_new_nic(&net_mv88w8618_info, &eth->conf,
                            type_name, qdev->id, eth);

    memory_region_init_io(&eth->iomem, OBJECT(eth), &mv88w8618_eth_ops, eth,
                          "mv88w8618-eth", MP_ETH_SIZE);
    sysbus_init_mmio(sbd, &eth->iomem);

    return 0;
}
400 
/*
 * Migration state of the Ethernet controller.
 *
 * NOTE(review): the fields are restored as raw integers and no validation
 * hook is set in this description. The queue pointers and vlan_header are
 * used afterwards as guest-physical addresses/offsets, so a migration
 * stream from an untrusted source has the same influence as the guest.
 */
static const VMStateDescription mv88w8618_eth_vmsd = {
    .name = "mv88w8618_eth",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(smir, mv88w8618_eth_state),
        VMSTATE_UINT32(icr, mv88w8618_eth_state),
        VMSTATE_UINT32(imr, mv88w8618_eth_state),
        VMSTATE_UINT32(vlan_header, mv88w8618_eth_state),
        VMSTATE_UINT32_ARRAY(tx_queue, mv88w8618_eth_state, 2),
        VMSTATE_UINT32_ARRAY(rx_queue, mv88w8618_eth_state, 4),
        VMSTATE_UINT32_ARRAY(frx_queue, mv88w8618_eth_state, 4),
        VMSTATE_UINT32_ARRAY(cur_rx, mv88w8618_eth_state, 4),
        VMSTATE_END_OF_LIST()
    }
};
417 
/* qdev properties: the standard NIC properties, stored in the 'conf' member. */
static Property mv88w8618_eth_properties[] = {
    DEFINE_NIC_PROPERTIES(mv88w8618_eth_state, conf),
    DEFINE_PROP_END_OF_LIST(),
};
422 
/*
 * Class init: hook up the init function, the migration description and the
 * property list. No reset handler is installed for this device.
 */
static void mv88w8618_eth_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_CLASS(klass);
    DeviceClass *devc = DEVICE_CLASS(klass);

    devc->props = mv88w8618_eth_properties;
    devc->vmsd = &mv88w8618_eth_vmsd;
    sbc->init = mv88w8618_eth_init;
}
432 
/* QOM type description of the Ethernet controller (a SysBus device). */
static const TypeInfo mv88w8618_eth_info = {
    .name          = TYPE_MV88W8618_ETH,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(mv88w8618_eth_state),
    .class_init    = mv88w8618_eth_class_init,
};
439 
440 /* LCD register offsets */
441 #define MP_LCD_IRQCTRL          0x180
442 #define MP_LCD_IRQSTAT          0x184
443 #define MP_LCD_SPICTRL          0x1ac
444 #define MP_LCD_INST             0x1bc
445 #define MP_LCD_DATA             0x1c0
446 
447 /* Mode magics */
448 #define MP_LCD_SPI_DATA         0x00100011
449 #define MP_LCD_SPI_CMD          0x00104011
450 #define MP_LCD_SPI_INVALID      0x00000000
451 
452 /* Commands */
453 #define MP_LCD_INST_SETPAGE0    0xB0
454 /* ... */
455 #define MP_LCD_INST_SETPAGE7    0xB7
456 
457 #define MP_LCD_TEXTCOLOR        0xe0e0ff /* RRGGBB */
458 
459 #define TYPE_MUSICPAL_LCD "musicpal_lcd"
460 #define MUSICPAL_LCD(obj) \
461     OBJECT_CHECK(musicpal_lcd_state, (obj), TYPE_MUSICPAL_LCD)
462 
/*
 * Device state of the emulated LCD: a 128x64 monochrome panel stored as
 * 8 pages of 128 bytes, each byte holding 8 vertically stacked pixels.
 */
typedef struct musicpal_lcd_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;
    uint32_t brightness;    /* set to 7 at init; bits 0..2 driven by the GPIO inputs */
    uint32_t mode;          /* MP_LCD_SPI_DATA, MP_LCD_SPI_CMD or MP_LCD_SPI_INVALID */
    uint32_t irqctrl;       /* MP_LCD_IRQCTRL value; only stored and read back */
    uint32_t page;          /* current page, 0..7 when set through MMIO */
    uint32_t page_off;      /* byte offset inside the page, 0..127 when set through MMIO */
    QemuConsole *con;
    uint8_t video_ram[128*64/8];    /* indexed as page * 128 + page_off */
} musicpal_lcd_state;
477 
/*
 * Scale colour component @col by the current brightness: 7 returns @col
 * unchanged, 0 returns 0, anything else returns col * brightness / 7
 * truncated to 8 bits.
 */
static uint8_t scale_lcd_color(musicpal_lcd_state *s, uint8_t col)
{
    uint32_t level = s->brightness;

    if (level == 7) {
        return col;
    }
    if (level == 0) {
        return 0;
    }
    return (col * level) / 7;
}
489 
/*
 * Generates set_lcd_pixel8/16/32(): draw LCD pixel (x, y) as a 3x3 block of
 * colour @col on the console surface.
 *
 * The pointer arithmetic assumes a surface that is exactly 128 * 3 elements
 * of 'type' wide per row (3 written + 127 * 3 skipped per scanline).
 * NOTE(review): nothing here checks the surface dimensions or stride; the
 * writes stay in bounds only while the surface matches the 384x192 size
 * requested in musicpal_lcd_init() - confirm the console cannot be resized
 * behind the device's back.
 */
#define SET_LCD_PIXEL(depth, type) \
static inline void glue(set_lcd_pixel, depth) \
        (musicpal_lcd_state *s, int x, int y, type col) \
{ \
    int dx, dy; \
    DisplaySurface *surface = qemu_console_surface(s->con); \
    type *pixel = &((type *) surface_data(surface))[(y * 128 * 3 + x) * 3]; \
\
    for (dy = 0; dy < 3; dy++, pixel += 127 * 3) \
        for (dx = 0; dx < 3; dx++, pixel++) \
            *pixel = col; \
}
SET_LCD_PIXEL(8, uint8_t)
SET_LCD_PIXEL(16, uint16_t)
SET_LCD_PIXEL(32, uint32_t)
505 
/*
 * Display update callback: redraw the whole 128x64 panel from video_ram
 * onto the console surface, 3x3 surface pixels per LCD pixel.
 *
 * A surface depth of 0 is ignored; 8, 16 and 32 bits per pixel are drawn;
 * any other depth ends in hw_error(). The video_ram index x + (y/8)*128 is
 * bounded by the loop limits (max 127 + 7*128 = 1023).
 */
static void lcd_refresh(void *opaque)
{
    musicpal_lcd_state *s = opaque;
    DisplaySurface *surface = qemu_console_surface(s->con);
    int x, y, col;

    switch (surface_bits_per_pixel(surface)) {
    case 0:
        return;
/* One case per supported depth: compute the lit colour once, then paint. */
#define LCD_REFRESH(depth, func) \
    case depth: \
        col = func(scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 16) & 0xff), \
                   scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 8) & 0xff), \
                   scale_lcd_color(s, MP_LCD_TEXTCOLOR & 0xff)); \
        for (x = 0; x < 128; x++) { \
            for (y = 0; y < 64; y++) { \
                if (s->video_ram[x + (y/8)*128] & (1 << (y % 8))) { \
                    glue(set_lcd_pixel, depth)(s, x, y, col); \
                } else { \
                    glue(set_lcd_pixel, depth)(s, x, y, 0); \
                } \
            } \
        } \
        break;
    LCD_REFRESH(8, rgb_to_pixel8)
    LCD_REFRESH(16, rgb_to_pixel16)
    LCD_REFRESH(32, (is_surface_bgr(surface) ?
                     rgb_to_pixel32bgr : rgb_to_pixel32))
    default:
        hw_error("unsupported colour depth %i\n",
                 surface_bits_per_pixel(surface));
    }

    /* Mark the full scaled area as dirty. */
    dpy_gfx_update(s->con, 0, 0, 128*3, 64*3);
}
541 
/* Invalidate callback: intentionally empty, lcd_refresh() always redraws everything. */
static void lcd_invalidate(void *opaque)
{
}
545 
/*
 * GPIO input handler: replace bit @irq of the brightness value with @level.
 * Three input lines are registered in musicpal_lcd_init(), so @irq is 0..2.
 * NOTE(review): @level is shifted in unmasked; a level other than 0 or 1
 * would also set higher bits - confirm callers only pass 0/1.
 */
static void musicpal_lcd_gpio_brightness_in(void *opaque, int irq, int level)
{
    musicpal_lcd_state *lcd = opaque;
    uint32_t others = lcd->brightness & ~(1 << irq);

    lcd->brightness = others | (level << irq);
}
552 
/*
 * MMIO read handler of the LCD: only MP_LCD_IRQCTRL is readable, every
 * other offset returns 0.
 */
static uint64_t musicpal_lcd_read(void *opaque, hwaddr offset,
                                  unsigned size)
{
    musicpal_lcd_state *lcd = opaque;

    if (offset == MP_LCD_IRQCTRL) {
        return lcd->irqctrl;
    }
    return 0;
}
566 
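/*
 * MMIO write handler of the LCD.
 *
 *  MP_LCD_IRQCTRL  stored and read back only
 *  MP_LCD_SPICTRL  selects data or command mode; any other value selects
 *                  MP_LCD_SPI_INVALID, in which data writes are ignored
 *  MP_LCD_INST     "set page" commands select page 0..7 and reset page_off
 *  MP_LCD_DATA     command mode: same "set page" handling;
 *                  data mode: store one byte and advance page_off mod 128
 *
 * Security note: through MMIO, page stays in 0..7 and page_off in 0..127,
 * which keeps the video_ram index below 1024. Both fields are also restored
 * from the migration stream as plain 32-bit values, so the index is checked
 * against the buffer size before the store instead of relying on that
 * invariant.
 */
static void musicpal_lcd_write(void *opaque, hwaddr offset,
                               uint64_t value, unsigned size)
{
    musicpal_lcd_state *s = opaque;
    uint64_t idx;

    switch (offset) {
    case MP_LCD_IRQCTRL:
        s->irqctrl = value;
        break;

    case MP_LCD_SPICTRL:
        if (value == MP_LCD_SPI_DATA || value == MP_LCD_SPI_CMD) {
            s->mode = value;
        } else {
            s->mode = MP_LCD_SPI_INVALID;
        }
        break;

    case MP_LCD_INST:
        if (value >= MP_LCD_INST_SETPAGE0 && value <= MP_LCD_INST_SETPAGE7) {
            s->page = value - MP_LCD_INST_SETPAGE0;
            s->page_off = 0;
        }
        break;

    case MP_LCD_DATA:
        if (s->mode == MP_LCD_SPI_CMD) {
            if (value >= MP_LCD_INST_SETPAGE0 &&
                value <= MP_LCD_INST_SETPAGE7) {
                s->page = value - MP_LCD_INST_SETPAGE0;
                s->page_off = 0;
            }
        } else if (s->mode == MP_LCD_SPI_DATA) {
            /* 64-bit arithmetic so an out-of-range page cannot wrap around */
            idx = (uint64_t)s->page * 128 + s->page_off;
            if (idx < sizeof(s->video_ram)) {
                s->video_ram[idx] = value;
            }
            s->page_off = (s->page_off + 1) & 127;
        }
        break;
    }
}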
606 
/*
 * MMIO callbacks of the LCD. No access-size constraints are set here, and
 * the handlers ignore their 'size' argument.
 */
static const MemoryRegionOps musicpal_lcd_ops = {
    .read = musicpal_lcd_read,
    .write = musicpal_lcd_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
612 
/* Console callbacks of the LCD; invalidate is a no-op, gfx_update repaints. */
static const GraphicHwOps musicpal_gfx_ops = {
    .invalidate  = lcd_invalidate,
    .gfx_update  = lcd_refresh,
};
617 
/*
 * SysBus init hook of the LCD: start at full brightness, register the MMIO
 * window, create a 384x192 console (128x64 panel at 3x scale) and expose
 * three GPIO inputs for the brightness bits. Always returns 0.
 */
static int musicpal_lcd_init(SysBusDevice *sbd)
{
    DeviceState *qdev = DEVICE(sbd);
    musicpal_lcd_state *lcd = MUSICPAL_LCD(qdev);

    lcd->brightness = 7;

    memory_region_init_io(&lcd->iomem, OBJECT(lcd), &musicpal_lcd_ops, lcd,
                          "musicpal-lcd", MP_LCD_SIZE);
    sysbus_init_mmio(sbd, &lcd->iomem);

    /* The pixel helpers assume exactly this surface size. */
    lcd->con = graphic_console_init(qdev, 0, &musicpal_gfx_ops, lcd);
    qemu_console_resize(lcd->con, 128*3, 64*3);

    qdev_init_gpio_in(qdev, musicpal_lcd_gpio_brightness_in, 3);

    return 0;
}
636 
/*
 * Migration state of the LCD.
 *
 * NOTE(review): page, page_off and brightness are restored as raw 32-bit
 * values and no validation hook is set in this description, so code that
 * consumes them must not assume page < 8, page_off < 128 or
 * brightness <= 7 after an incoming migration.
 */
static const VMStateDescription musicpal_lcd_vmsd = {
    .name = "musicpal_lcd",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(brightness, musicpal_lcd_state),
        VMSTATE_UINT32(mode, musicpal_lcd_state),
        VMSTATE_UINT32(irqctrl, musicpal_lcd_state),
        VMSTATE_UINT32(page, musicpal_lcd_state),
        VMSTATE_UINT32(page_off, musicpal_lcd_state),
        VMSTATE_BUFFER(video_ram, musicpal_lcd_state),
        VMSTATE_END_OF_LIST()
    }
};
651 
/*
 * Class init of the LCD: hook up the init function and the migration
 * description. No reset handler is installed for this device.
 */
static void musicpal_lcd_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_CLASS(klass);
    DeviceClass *devc = DEVICE_CLASS(klass);

    devc->vmsd = &musicpal_lcd_vmsd;
    sbc->init = musicpal_lcd_init;
}
660 
/* QOM type description of the LCD (a SysBus device). */
static const TypeInfo musicpal_lcd_info = {
    .name          = TYPE_MUSICPAL_LCD,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(musicpal_lcd_state),
    .class_init    = musicpal_lcd_class_init,
};
667 
668 /* PIC register offsets */
669 #define MP_PIC_STATUS           0x00
670 #define MP_PIC_ENABLE_SET       0x08
671 #define MP_PIC_ENABLE_CLR       0x0C
672 
673 #define TYPE_MV88W8618_PIC "mv88w8618_pic"
674 #define MV88W8618_PIC(obj) \
675     OBJECT_CHECK(mv88w8618_pic_state, (obj), TYPE_MV88W8618_PIC)
676 
/* Device state of the interrupt controller: 32 input lines, one output. */
typedef struct mv88w8618_pic_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;
    uint32_t level;         /* one bit per input line, set while the line is asserted */
    uint32_t enabled;       /* one bit per input line, set via MP_PIC_ENABLE_SET */
    qemu_irq parent_irq;    /* driven with (level & enabled) */
} mv88w8618_pic_state;
687 
/* Drive the output line: asserted while any enabled input is pending. */
static void mv88w8618_pic_update(mv88w8618_pic_state *s)
{
    uint32_t pending = s->level & s->enabled;

    qemu_set_irq(s->parent_irq, pending);
}
692 
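/*
 * GPIO input handler: record the new @level of input line @irq and
 * re-evaluate the output.
 *
 * mv88w8618_pic_init() registers 32 input lines, so @irq ranges over 0..31.
 * The mask is built from an unsigned constant because shifting a signed 1
 * into bit 31 is undefined behaviour in C.
 */
static void mv88w8618_pic_set_irq(void *opaque, int irq, int level)
{
    mv88w8618_pic_state *s = opaque;
    uint32_t mask = 1u << irq;

    if (level) {
        s->level |= mask;
    } else {
        s->level &= ~mask;
    }
    mv88w8618_pic_update(s);
}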
704 
/*
 * MMIO read handler of the interrupt controller: MP_PIC_STATUS returns the
 * pending-and-enabled lines, every other offset returns 0.
 */
static uint64_t mv88w8618_pic_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    mv88w8618_pic_state *pic = opaque;

    if (offset == MP_PIC_STATUS) {
        return pic->level & pic->enabled;
    }
    return 0;
}
718 
/*
 * MMIO write handler of the interrupt controller.
 * MP_PIC_ENABLE_SET enables the lines whose bits are set in @value;
 * MP_PIC_ENABLE_CLR disables them and also clears their latched level.
 * The output line is re-evaluated after every write, including writes to
 * offsets that are otherwise ignored.
 */
static void mv88w8618_pic_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
    mv88w8618_pic_state *pic = opaque;

    if (offset == MP_PIC_ENABLE_SET) {
        pic->enabled |= value;
    } else if (offset == MP_PIC_ENABLE_CLR) {
        pic->enabled &= ~value;
        pic->level &= ~value;
    }

    mv88w8618_pic_update(pic);
}
736 
/* Device reset: no line pending, no line enabled. */
static void mv88w8618_pic_reset(DeviceState *d)
{
    mv88w8618_pic_state *pic = MV88W8618_PIC(d);

    pic->enabled = 0;
    pic->level = 0;
}
744 
/*
 * MMIO callbacks of the interrupt controller. No access-size constraints
 * are set here, and the handlers ignore their 'size' argument.
 */
static const MemoryRegionOps mv88w8618_pic_ops = {
    .read = mv88w8618_pic_read,
    .write = mv88w8618_pic_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
750 
/*
 * SysBus init hook of the interrupt controller: expose 32 GPIO inputs, the
 * output interrupt line and the MMIO window. Always returns 0.
 */
static int mv88w8618_pic_init(SysBusDevice *dev)
{
    mv88w8618_pic_state *pic = MV88W8618_PIC(dev);

    /* 32 inputs: one per bit of level/enabled */
    qdev_init_gpio_in(DEVICE(dev), mv88w8618_pic_set_irq, 32);
    sysbus_init_irq(dev, &pic->parent_irq);

    memory_region_init_io(&pic->iomem, OBJECT(pic), &mv88w8618_pic_ops, pic,
                          "musicpal-pic", MP_PIC_SIZE);
    sysbus_init_mmio(dev, &pic->iomem);

    return 0;
}
762 
/* Migration state of the interrupt controller: both bitmasks, as-is. */
static const VMStateDescription mv88w8618_pic_vmsd = {
    .name = "mv88w8618_pic",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(level, mv88w8618_pic_state),
        VMSTATE_UINT32(enabled, mv88w8618_pic_state),
        VMSTATE_END_OF_LIST()
    }
};
773 
/* Class init of the interrupt controller: init, reset and migration hooks. */
static void mv88w8618_pic_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_CLASS(klass);
    DeviceClass *devc = DEVICE_CLASS(klass);

    devc->vmsd = &mv88w8618_pic_vmsd;
    devc->reset = mv88w8618_pic_reset;
    sbc->init = mv88w8618_pic_init;
}
783 
/* QOM type description of the interrupt controller (a SysBus device). */
static const TypeInfo mv88w8618_pic_info = {
    .name          = TYPE_MV88W8618_PIC,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(mv88w8618_pic_state),
    .class_init    = mv88w8618_pic_class_init,
};
790 
791 /* PIT register offsets */
792 #define MP_PIT_TIMER1_LENGTH    0x00
793 /* ... */
794 #define MP_PIT_TIMER4_LENGTH    0x0C
795 #define MP_PIT_CONTROL          0x10
796 #define MP_PIT_TIMER1_VALUE     0x14
797 /* ... */
798 #define MP_PIT_TIMER4_VALUE     0x20
799 #define MP_BOARD_RESET          0x34
800 
801 /* Magic board reset value (probably some watchdog behind it) */
802 #define MP_BOARD_RESET_MAGIC    0x10000
803 
/* State of one of the four timers inside the PIT. */
typedef struct mv88w8618_timer_state {
    ptimer_state *ptimer;   /* created in mv88w8618_timer_init() */
    uint32_t limit;         /* guest-written reload value; 0 keeps the timer stopped */
    int freq;               /* tick frequency passed to ptimer_set_freq() */
    qemu_irq irq;           /* raised from mv88w8618_timer_tick() */
} mv88w8618_timer_state;
810 
811 #define TYPE_MV88W8618_PIT "mv88w8618_pit"
812 #define MV88W8618_PIT(obj) \
813     OBJECT_CHECK(mv88w8618_pit_state, (obj), TYPE_MV88W8618_PIT)
814 
/* Device state of the programmable interval timer block (four timers). */
typedef struct mv88w8618_pit_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;
    mv88w8618_timer_state timer[4];     /* indexed by (register offset >> 2) */
} mv88w8618_pit_state;
823 
/* Timer expiry callback: raise the timer's interrupt line. */
static void mv88w8618_timer_tick(void *opaque)
{
    mv88w8618_timer_state *timer = opaque;

    qemu_irq_raise(timer->irq);
}
830 
/*
 * Set up one timer: export its interrupt line on @dev, remember @freq and
 * create the ptimer whose expiry calls mv88w8618_timer_tick().
 */
static void mv88w8618_timer_init(SysBusDevice *dev, mv88w8618_timer_state *s,
                                 uint32_t freq)
{
    sysbus_init_irq(dev, &s->irq);
    s->freq = freq;

    s->ptimer = ptimer_init(qemu_bh_new(mv88w8618_timer_tick, s));
}
842 
/*
 * MMIO read handler of the PIT: the four VALUE registers return the current
 * count of the matching timer, every other offset returns 0. The range
 * check keeps the timer index within 0..3.
 */
static uint64_t mv88w8618_pit_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    mv88w8618_pit_state *pit = opaque;
    unsigned idx;

    if (offset < MP_PIT_TIMER1_VALUE || offset > MP_PIT_TIMER4_VALUE) {
        return 0;
    }

    idx = (offset - MP_PIT_TIMER1_VALUE) >> 2;
    return ptimer_get_count(pit->timer[idx].ptimer);
}
858 
/*
 * MMIO write handler of the PIT.
 *
 *  LENGTH registers  set a timer's reload value; 0 stops the timer
 *  MP_PIT_CONTROL    one 4-bit field per timer (timer 1 in the lowest
 *                    nibble); a non-zero field starts the timer if its
 *                    limit is non-zero, otherwise the timer is stopped
 *  MP_BOARD_RESET    writing MP_BOARD_RESET_MAGIC requests a system reset,
 *                    i.e. the guest can reset the machine through this
 *                    register
 */
static void mv88w8618_pit_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
    mv88w8618_pit_state *s = opaque;
    mv88w8618_timer_state *t;
    int i;

    switch (offset) {
    case MP_PIT_TIMER1_LENGTH ... MP_PIT_TIMER4_LENGTH:
        /* case range bounds the index to 0..3 */
        t = &s->timer[offset >> 2];
        t->limit = value;
        if (t->limit == 0) {
            ptimer_stop(t->ptimer);
        } else {
            ptimer_set_limit(t->ptimer, t->limit, 1);
        }
        break;

    case MP_PIT_CONTROL:
        for (i = 0; i < 4; i++) {
            unsigned enable = (value >> (4 * i)) & 0xf;

            t = &s->timer[i];
            if (!enable || t->limit == 0) {
                ptimer_stop(t->ptimer);
                continue;
            }
            ptimer_set_limit(t->ptimer, t->limit, 0);
            ptimer_set_freq(t->ptimer, t->freq);
            ptimer_run(t->ptimer, 0);
        }
        break;

    case MP_BOARD_RESET:
        if (value == MP_BOARD_RESET_MAGIC) {
            qemu_system_reset_request();
        }
        break;
    }
}
898 
/* Device reset: stop all four timers and clear their reload values. */
static void mv88w8618_pit_reset(DeviceState *d)
{
    mv88w8618_pit_state *pit = MV88W8618_PIT(d);
    mv88w8618_timer_state *t;

    for (t = &pit->timer[0]; t < &pit->timer[4]; t++) {
        ptimer_stop(t->ptimer);
        t->limit = 0;
    }
}
909 
/*
 * MMIO callbacks of the PIT. No access-size constraints are set here, and
 * the handlers ignore their 'size' argument.
 */
static const MemoryRegionOps mv88w8618_pit_ops = {
    .read = mv88w8618_pit_read,
    .write = mv88w8618_pit_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
915 
/*
 * SysBus init hook of the PIT: create the four timers and register the
 * MMIO window. Always returns 0.
 */
static int mv88w8618_pit_init(SysBusDevice *dev)
{
    mv88w8618_pit_state *pit = MV88W8618_PIT(dev);
    int n = 0;

    /* Letting them all run at 1 MHz is likely just a pragmatic
     * simplification. */
    while (n < 4) {
        mv88w8618_timer_init(dev, &pit->timer[n], 1000000);
        n++;
    }

    memory_region_init_io(&pit->iomem, OBJECT(pit), &mv88w8618_pit_ops, pit,
                          "musicpal-pit", MP_PIT_SIZE);
    sysbus_init_mmio(dev, &pit->iomem);

    return 0;
}
932 
/* Migration state of a single timer; freq and irq are not part of it. */
static const VMStateDescription mv88w8618_timer_vmsd = {
    .name = "timer",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_PTIMER(ptimer, mv88w8618_timer_state),
        VMSTATE_UINT32(limit, mv88w8618_timer_state),
        VMSTATE_END_OF_LIST()
    }
};
943 
/* Migration state of the PIT: the four timers, each via mv88w8618_timer_vmsd. */
static const VMStateDescription mv88w8618_pit_vmsd = {
    .name = "mv88w8618_pit",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_STRUCT_ARRAY(timer, mv88w8618_pit_state, 4, 1,
                             mv88w8618_timer_vmsd, mv88w8618_timer_state),
        VMSTATE_END_OF_LIST()
    }
};
954 
/* Class init of the PIT: init, reset and migration hooks. */
static void mv88w8618_pit_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_CLASS(klass);
    DeviceClass *devc = DEVICE_CLASS(klass);

    devc->vmsd = &mv88w8618_pit_vmsd;
    devc->reset = mv88w8618_pit_reset;
    sbc->init = mv88w8618_pit_init;
}
964 
/* QOM type description of the PIT (a SysBus device). */
static const TypeInfo mv88w8618_pit_info = {
    .name          = TYPE_MV88W8618_PIT,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(mv88w8618_pit_state),
    .class_init    = mv88w8618_pit_class_init,
};
971 
972 /* Flash config register offsets */
973 #define MP_FLASHCFG_CFGR0    0x04
974 
975 #define TYPE_MV88W8618_FLASHCFG "mv88w8618_flashcfg"
976 #define MV88W8618_FLASHCFG(obj) \
977     OBJECT_CHECK(mv88w8618_flashcfg_state, (obj), TYPE_MV88W8618_FLASHCFG)
978 
/* Device state of the flash configuration block: a single register. */
typedef struct mv88w8618_flashcfg_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;
    uint32_t cfgr0;     /* MP_FLASHCFG_CFGR0 value; only stored and read back here */
} mv88w8618_flashcfg_state;
987 
/*
 * MMIO read handler of the flash configuration block: MP_FLASHCFG_CFGR0
 * returns the stored value, every other offset returns 0.
 */
static uint64_t mv88w8618_flashcfg_read(void *opaque,
                                        hwaddr offset,
                                        unsigned size)
{
    mv88w8618_flashcfg_state *cfg = opaque;

    if (offset == MP_FLASHCFG_CFGR0) {
        return cfg->cfgr0;
    }
    return 0;
}
1002 
/*
 * MMIO write handler of the flash configuration block: MP_FLASHCFG_CFGR0
 * stores @value, writes to any other offset are ignored.
 */
static void mv88w8618_flashcfg_write(void *opaque, hwaddr offset,
                                     uint64_t value, unsigned size)
{
    mv88w8618_flashcfg_state *cfg = opaque;

    if (offset == MP_FLASHCFG_CFGR0) {
        cfg->cfgr0 = value;
    }
}
1014 
/*
 * MMIO callbacks of the flash configuration block. No access-size
 * constraints are set here, and the handlers ignore their 'size' argument.
 */
static const MemoryRegionOps mv88w8618_flashcfg_ops = {
    .read = mv88w8618_flashcfg_read,
    .write = mv88w8618_flashcfg_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1020 
/*
 * SysBus init hook of the flash configuration block: preset CFGR0 and
 * register the MMIO window. Always returns 0.
 */
static int mv88w8618_flashcfg_init(SysBusDevice *dev)
{
    mv88w8618_flashcfg_state *cfg = MV88W8618_FLASHCFG(dev);

    /* Default as set by U-Boot for 8 MB flash */
    cfg->cfgr0 = 0xfffe4285;

    memory_region_init_io(&cfg->iomem, OBJECT(cfg), &mv88w8618_flashcfg_ops,
                          cfg, "musicpal-flashcfg", MP_FLASHCFG_SIZE);
    sysbus_init_mmio(dev, &cfg->iomem);

    return 0;
}
1031 
/*
 * Migration description for the flash configuration block: the single
 * 32-bit cfgr0 register, at stream version 1.
 */
static const VMStateDescription mv88w8618_flashcfg_vmsd = {
    .name = "mv88w8618_flashcfg",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(cfgr0, mv88w8618_flashcfg_state),
        VMSTATE_END_OF_LIST()
    }
};
1041 
/*
 * Class initializer for the flash configuration device: installs the
 * sysbus init hook and the migration description.  No reset handler is
 * installed by this function, so nothing here restores cfgr0 to its
 * default on a device reset.
 */
static void mv88w8618_flashcfg_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_CLASS(klass);
    DeviceClass *devc = DEVICE_CLASS(klass);

    devc->vmsd = &mv88w8618_flashcfg_vmsd;
    sbc->init = mv88w8618_flashcfg_init;
}
1050 
/*
 * QOM type record for the flash configuration device (sysbus child,
 * instance state mv88w8618_flashcfg_state).
 */
static const TypeInfo mv88w8618_flashcfg_info = {
    .name          = TYPE_MV88W8618_FLASHCFG,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(mv88w8618_flashcfg_state),
    .class_init    = mv88w8618_flashcfg_class_init,
};
1057 
1058 /* Misc register offsets */
1059 #define MP_MISC_BOARD_REVISION  0x18
1060 
1061 #define MP_BOARD_REVISION       0x31
1062 
/*
 * Instance state of the "misc" register block.  It holds no register
 * values: the only implemented register returns a compile-time constant.
 */
typedef struct {
    SysBusDevice parent_obj;
    MemoryRegion iomem; /* MMIO window set up in musicpal_misc_init() */
} MusicPalMiscState;
1067 
1068 #define TYPE_MUSICPAL_MISC "musicpal-misc"
1069 #define MUSICPAL_MISC(obj) \
1070      OBJECT_CHECK(MusicPalMiscState, (obj), TYPE_MUSICPAL_MISC)
1071 
/*
 * MMIO read handler for the misc block.
 *
 * Returns MP_BOARD_REVISION for an access at exactly
 * MP_MISC_BOARD_REVISION and 0 for every other offset.  Neither @opaque
 * nor @size is used.
 */
static uint64_t musicpal_misc_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    if (offset == MP_MISC_BOARD_REVISION) {
        return MP_BOARD_REVISION;
    }

    return 0;
}
1083 
/*
 * MMIO write handler for the misc block.  The block has no writable
 * state, so every guest write is accepted and discarded.
 */
static void musicpal_misc_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
}
1088 
/*
 * Guest access callbacks for the misc window.  No .valid/.impl
 * access-size limits are declared; the read handler matches on the exact
 * offset and the write handler ignores its arguments.
 */
static const MemoryRegionOps musicpal_misc_ops = {
    .read = musicpal_misc_read,
    .write = musicpal_misc_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1094 
/*
 * Instance initializer for the misc device: creates the MP_MISC_SIZE
 * MMIO window and exports it on the sysbus.  The region's opaque pointer
 * is NULL because the handlers never touch instance state.
 */
static void musicpal_misc_init(Object *obj)
{
    MusicPalMiscState *misc = MUSICPAL_MISC(obj);
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);

    memory_region_init_io(&misc->iomem, OBJECT(misc), &musicpal_misc_ops,
                          NULL, "musicpal-misc", MP_MISC_SIZE);
    sysbus_init_mmio(sbd, &misc->iomem);
}
1104 
/*
 * QOM type record for the misc device.  It uses an instance_init hook
 * and declares no class_init.
 */
static const TypeInfo musicpal_misc_info = {
    .name = TYPE_MUSICPAL_MISC,
    .parent = TYPE_SYS_BUS_DEVICE,
    .instance_init = musicpal_misc_init,
    .instance_size = sizeof(MusicPalMiscState),
};
1111 
1112 /* WLAN register offsets */
1113 #define MP_WLAN_MAGIC1          0x11c
1114 #define MP_WLAN_MAGIC2          0x124
1115 
/*
 * MMIO read handler for the WLAN stub.
 *
 * No WLAN hardware is modelled.  Two offsets return fixed values as a
 * workaround that lets the binary-only wlandrv.ko from the original
 * Freecom firmware load; every other offset reads as 0.
 *
 * The constants are int expressions converted to the uint64_t return
 * type, so ~3 and -1 come back with all upper bits set.
 */
static uint64_t mv88w8618_wlan_read(void *opaque, hwaddr offset,
                                    unsigned size)
{
    if (offset == MP_WLAN_MAGIC1) {
        return ~3;
    }
    if (offset == MP_WLAN_MAGIC2) {
        return -1;
    }

    return 0;
}
1131 
/*
 * MMIO write handler for the WLAN stub: every guest write is accepted
 * and discarded.
 */
static void mv88w8618_wlan_write(void *opaque, hwaddr offset,
                                 uint64_t value, unsigned size)
{
}
1136 
/*
 * Guest access callbacks for the WLAN stub window.  No .valid/.impl
 * access-size limits are declared; the handlers keep no state.
 */
static const MemoryRegionOps mv88w8618_wlan_ops = {
    .read = mv88w8618_wlan_read,
    .write =mv88w8618_wlan_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1142 
/*
 * SysBus init hook for the WLAN stub: creates the MP_WLAN_SIZE MMIO
 * window and exports it.  Always returns 0.
 *
 * The MemoryRegion is allocated with g_new() and is not freed in this
 * function.
 * NOTE(review): presumably it is meant to live as long as the device;
 * confirm nothing expects it to be released.
 */
static int mv88w8618_wlan_init(SysBusDevice *dev)
{
    MemoryRegion *region = g_new(MemoryRegion, 1);

    memory_region_init_io(region, OBJECT(dev), &mv88w8618_wlan_ops, NULL,
                          "musicpal-wlan", MP_WLAN_SIZE);
    sysbus_init_mmio(dev, region);

    return 0;
}
1152 
1153 /* GPIO register offsets */
1154 #define MP_GPIO_OE_LO           0x008
1155 #define MP_GPIO_OUT_LO          0x00c
1156 #define MP_GPIO_IN_LO           0x010
1157 #define MP_GPIO_IER_LO          0x014
1158 #define MP_GPIO_IMR_LO          0x018
1159 #define MP_GPIO_ISR_LO          0x020
1160 #define MP_GPIO_OE_HI           0x508
1161 #define MP_GPIO_OUT_HI          0x50c
1162 #define MP_GPIO_IN_HI           0x510
1163 #define MP_GPIO_IER_HI          0x514
1164 #define MP_GPIO_IMR_HI          0x518
1165 #define MP_GPIO_ISR_HI          0x520
1166 
1167 /* GPIO bits & masks */
1168 #define MP_GPIO_LCD_BRIGHTNESS  0x00070000
1169 #define MP_GPIO_I2C_DATA_BIT    29
1170 #define MP_GPIO_I2C_CLOCK_BIT   30
1171 
1172 /* LCD brightness bits in GPIO_OE_HI */
1173 #define MP_OE_LCD_BRIGHTNESS    0x0007
1174 
1175 #define TYPE_MUSICPAL_GPIO "musicpal_gpio"
1176 #define MUSICPAL_GPIO(obj) \
1177     OBJECT_CHECK(musicpal_gpio_state, (obj), TYPE_MUSICPAL_GPIO)
1178 
/* Per-instance state of the GPIO controller. */
typedef struct musicpal_gpio_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;
    /* low bits from GPIO_OE_HI writes, bits 16..18 copied from out_state */
    uint32_t lcd_brightness;
    uint32_t out_state; /* 32 output levels, accessed as two 16-bit halves */
    uint32_t in_state;  /* 32 input levels, updated by musicpal_gpio_pin_event() */
    uint32_t ier;       /* checked on a high-to-low input change */
    uint32_t imr;       /* checked on a low-to-high input change */
    uint32_t isr;       /* status of the most recent interrupting pin */
    qemu_irq irq;       /* interrupt line towards the interrupt controller */
    qemu_irq out[5]; /* 3 brightness out + 2 lcd (data and clock ) */
} musicpal_gpio_state;
1194 
/*
 * Translate the combined lcd_brightness register value into a 3-bit
 * brightness level and drive it on output lines 0..2 (bit i of the level
 * goes to out[i]).
 *
 * Seven register encodings map to levels 0..6; 0x00030004 and every
 * encoding that is not listed map to level 7.
 */
static void musicpal_gpio_brightness_update(musicpal_gpio_state *s)
{
    /* Index in this table is the brightness level for that encoding. */
    static const uint32_t encodings[] = {
        0x00000007,
        0x00020000,
        0x00020001,
        0x00040000,
        0x00010006,
        0x00020005,
        0x00040003,
    };
    const uint32_t known = sizeof(encodings) / sizeof(encodings[0]);
    uint32_t level;
    int line;

    /* compute brightness ratio; falls out of the loop at 7 if unmatched */
    for (level = 0; level < known; level++) {
        if (encodings[level] == s->lcd_brightness) {
            break;
        }
    }

    /* set lcd brightness GPIOs */
    for (line = 0; line < 3; line++) {
        qemu_set_irq(s->out[line], (level >> line) & 1);
    }
}
1239 
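/*
 * GPIO input handler: records the new level of input line @pin and
 * raises the controller's interrupt when the level changed and the
 * matching enable bit is set.
 *
 * @opaque: the musicpal_gpio_state the inputs were registered with
 * @pin:    input line number; musicpal_gpio_init() registers 32 inputs,
 *          so 0..31 is expected
 * @level:  new line level
 *
 * A change to high interrupts when the pin's bit is set in imr; a change
 * to low interrupts when the pin's bit is set in ier.
 */
static void musicpal_gpio_pin_event(void *opaque, int pin, int level)
{
    musicpal_gpio_state *s = opaque;
    /*
     * Shift in unsigned arithmetic: pin 31 is a valid line, and shifting
     * a signed int into its sign bit is undefined behaviour.
     */
    uint32_t mask = (uint32_t)1 << pin;
    uint32_t delta = (uint32_t)level << pin;
    uint32_t old = s->in_state & mask;

    s->in_state &= ~mask;
    s->in_state |= delta;

    if ((old ^ delta) &&
        ((level && (s->imr & mask)) || (!level && (s->ier & mask)))) {
        /*
         * NOTE(review): isr is overwritten, not OR-ed, so the status bit
         * of an earlier pin that has not been serviced yet is lost here.
         * Confirm against the hardware before changing it.
         */
        s->isr = mask;
        qemu_irq_raise(s->irq);
    }
}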
1256 
/*
 * MMIO read handler for the GPIO controller.
 *
 * Each 32-bit internal register is exposed as two 16-bit halves: the
 * *_LO offset returns bits 0..15 and the *_HI offset returns bits 16..31
 * shifted down.  MP_GPIO_OE_HI is special and returns the low
 * brightness bits of lcd_brightness.  Any other offset reads as 0.
 * @size is not examined.
 */
static uint64_t musicpal_gpio_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    musicpal_gpio_state *gpio = opaque;
    const uint32_t *reg;
    unsigned shift = 0;

    switch (offset) {
    case MP_GPIO_OE_HI: /* used for LCD brightness control */
        return gpio->lcd_brightness & MP_OE_LCD_BRIGHTNESS;

    case MP_GPIO_OUT_HI:
        shift = 16;
        /* fall through */
    case MP_GPIO_OUT_LO:
        reg = &gpio->out_state;
        break;

    case MP_GPIO_IN_HI:
        shift = 16;
        /* fall through */
    case MP_GPIO_IN_LO:
        reg = &gpio->in_state;
        break;

    case MP_GPIO_IER_HI:
        shift = 16;
        /* fall through */
    case MP_GPIO_IER_LO:
        reg = &gpio->ier;
        break;

    case MP_GPIO_IMR_HI:
        shift = 16;
        /* fall through */
    case MP_GPIO_IMR_LO:
        reg = &gpio->imr;
        break;

    case MP_GPIO_ISR_HI:
        shift = 16;
        /* fall through */
    case MP_GPIO_ISR_LO:
        reg = &gpio->isr;
        break;

    default:
        return 0;
    }

    /* Select the requested 16-bit half of the 32-bit register. */
    return (*reg >> shift) & 0xFFFF;
}
1295 
/*
 * MMIO write handler for the GPIO controller.
 *
 * *_LO offsets replace bits 0..15 of the register with the low 16 bits
 * of @value; *_HI offsets replace bits 16..31 with @value shifted up by
 * 16 (bits of @value above bit 15 are dropped when the result is stored
 * in the 32-bit register).  Writes to OUT_HI and OE_HI also refresh the
 * LCD brightness outputs, and OUT_HI additionally drives the I2C data
 * and clock lines on out[3] and out[4].
 *
 * There is no case for the IN or ISR offsets: guest writes to them, and
 * to any other offset, are ignored.  @size is not examined.
 */
static void musicpal_gpio_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
    musicpal_gpio_state *s = opaque;
    const uint32_t low_half = value & 0xFFFF;
    const uint32_t high_half = (uint32_t)(value << 16);

    switch (offset) {
    case MP_GPIO_OE_HI: /* used for LCD brightness control */
        s->lcd_brightness &= MP_GPIO_LCD_BRIGHTNESS;
        s->lcd_brightness |= value & MP_OE_LCD_BRIGHTNESS;
        musicpal_gpio_brightness_update(s);
        break;

    case MP_GPIO_OUT_LO:
        s->out_state = (s->out_state & 0xFFFF0000) | low_half;
        break;
    case MP_GPIO_OUT_HI:
        s->out_state = (s->out_state & 0xFFFF) | high_half;
        /* Mirror output bits 16..18 into the brightness encoding. */
        s->lcd_brightness &= 0xFFFF;
        s->lcd_brightness |= s->out_state & MP_GPIO_LCD_BRIGHTNESS;
        musicpal_gpio_brightness_update(s);
        qemu_set_irq(s->out[3], (s->out_state >> MP_GPIO_I2C_DATA_BIT) & 1);
        qemu_set_irq(s->out[4], (s->out_state >> MP_GPIO_I2C_CLOCK_BIT) & 1);
        break;

    case MP_GPIO_IER_LO:
        s->ier = (s->ier & 0xFFFF0000) | low_half;
        break;
    case MP_GPIO_IER_HI:
        s->ier = (s->ier & 0xFFFF) | high_half;
        break;

    case MP_GPIO_IMR_LO:
        s->imr = (s->imr & 0xFFFF0000) | low_half;
        break;
    case MP_GPIO_IMR_HI:
        s->imr = (s->imr & 0xFFFF) | high_half;
        break;
    }
}
1334 
/*
 * Guest access callbacks for the GPIO window.
 *
 * NOTE(review): no .valid/.impl access-size limits are declared.  The
 * handlers dispatch on the exact offset and treat every register as a
 * 16-bit half, whatever width the guest used.
 */
static const MemoryRegionOps musicpal_gpio_ops = {
    .read = musicpal_gpio_read,
    .write = musicpal_gpio_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1340 
/*
 * Device reset hook: clears outputs, brightness and all interrupt
 * registers, and sets every input bit to 1.  The output and interrupt
 * lines themselves are not driven here.
 */
static void musicpal_gpio_reset(DeviceState *d)
{
    musicpal_gpio_state *gpio = MUSICPAL_GPIO(d);

    /* Inputs start out high. */
    gpio->in_state = 0xffffffff;

    gpio->out_state = 0;
    gpio->lcd_brightness = 0;

    gpio->isr = 0;
    gpio->imr = 0;
    gpio->ier = 0;
}
1352 
/*
 * SysBus init hook for the GPIO controller.  Exports one interrupt
 * line, the MP_GPIO_SIZE MMIO window, the five output lines in out[]
 * and 32 input lines handled by musicpal_gpio_pin_event().
 * Always returns 0.
 */
static int musicpal_gpio_init(SysBusDevice *sbd)
{
    DeviceState *qdev = DEVICE(sbd);
    musicpal_gpio_state *gpio = MUSICPAL_GPIO(qdev);

    sysbus_init_irq(sbd, &gpio->irq);

    memory_region_init_io(&gpio->iomem, OBJECT(gpio), &musicpal_gpio_ops,
                          gpio, "musicpal-gpio", MP_GPIO_SIZE);
    sysbus_init_mmio(sbd, &gpio->iomem);

    /* Outputs first, then the 32 inputs (one per in_state bit). */
    qdev_init_gpio_out(qdev, gpio->out, ARRAY_SIZE(gpio->out));
    qdev_init_gpio_in(qdev, musicpal_gpio_pin_event, 32);

    return 0;
}
1370 
/*
 * Migration description for the GPIO controller: the six 32-bit
 * registers of musicpal_gpio_state, at stream version 1.
 */
static const VMStateDescription musicpal_gpio_vmsd = {
    .name = "musicpal_gpio",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(lcd_brightness, musicpal_gpio_state),
        VMSTATE_UINT32(out_state, musicpal_gpio_state),
        VMSTATE_UINT32(in_state, musicpal_gpio_state),
        VMSTATE_UINT32(ier, musicpal_gpio_state),
        VMSTATE_UINT32(imr, musicpal_gpio_state),
        VMSTATE_UINT32(isr, musicpal_gpio_state),
        VMSTATE_END_OF_LIST()
    }
};
1385 
/*
 * Class initializer for the GPIO controller: installs the sysbus init
 * hook, the reset handler and the migration description.
 */
static void musicpal_gpio_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_CLASS(klass);
    DeviceClass *devc = DEVICE_CLASS(klass);

    devc->vmsd = &musicpal_gpio_vmsd;
    devc->reset = musicpal_gpio_reset;
    sbc->init = musicpal_gpio_init;
}
1395 
/*
 * QOM type record for the GPIO controller (sysbus child, instance state
 * musicpal_gpio_state).
 */
static const TypeInfo musicpal_gpio_info = {
    .name          = TYPE_MUSICPAL_GPIO,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(musicpal_gpio_state),
    .class_init    = musicpal_gpio_class_init,
};
1402 
1403 /* Keyboard codes & masks */
1404 #define KEY_RELEASED            0x80
1405 #define KEY_CODE                0x7f
1406 
1407 #define KEYCODE_TAB             0x0f
1408 #define KEYCODE_ENTER           0x1c
1409 #define KEYCODE_F               0x21
1410 #define KEYCODE_M               0x32
1411 
1412 #define KEYCODE_EXTENDED        0xe0
1413 #define KEYCODE_UP              0x48
1414 #define KEYCODE_DOWN            0x50
1415 #define KEYCODE_LEFT            0x4b
1416 #define KEYCODE_RIGHT           0x4d
1417 
1418 #define MP_KEY_WHEEL_VOL       (1 << 0)
1419 #define MP_KEY_WHEEL_VOL_INV   (1 << 1)
1420 #define MP_KEY_WHEEL_NAV       (1 << 2)
1421 #define MP_KEY_WHEEL_NAV_INV   (1 << 3)
1422 #define MP_KEY_BTN_FAVORITS    (1 << 4)
1423 #define MP_KEY_BTN_MENU        (1 << 5)
1424 #define MP_KEY_BTN_VOLUME      (1 << 6)
1425 #define MP_KEY_BTN_NAVIGATION  (1 << 7)
1426 
1427 #define TYPE_MUSICPAL_KEY "musicpal_key"
1428 #define MUSICPAL_KEY(obj) \
1429     OBJECT_CHECK(musicpal_key_state, (obj), TYPE_MUSICPAL_KEY)
1430 
/* Per-instance state of the keyboard-to-front-panel bridge. */
typedef struct musicpal_key_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;    /* zero-sized region, see musicpal_key_init() */
    uint32_t kbd_extended; /* 1 after a KEYCODE_EXTENDED prefix was seen */
    uint32_t pressed_keys; /* MP_KEY_* bits currently held down */
    qemu_irq out[8];       /* one line per MP_KEY_* bit, index = bit number */
} musicpal_key_state;
1441 
/*
 * Keyboard event handler: maps host key codes to MusicPal front-panel
 * events and drives the matching output lines.
 *
 * @opaque:  the musicpal_key_state registered with the handler
 * @keycode: key code; KEY_RELEASED (0x80) marks a release, the low
 *           seven bits (KEY_CODE) select the key, and KEYCODE_EXTENDED
 *           is a prefix for the following code
 *
 * Arrow keys (extended codes) map to the two wheels; F, Tab, Enter and M
 * map to the four buttons.  A line is set to 0 on press and to 1 on
 * release.  Keys that map to nothing only clear the extended flag.
 */
static void musicpal_key_event(void *opaque, int keycode)
{
    musicpal_key_state *s = opaque;
    uint32_t event = 0;
    int i;

    /* Prefix byte: remember it and wait for the real key code. */
    if (keycode == KEYCODE_EXTENDED) {
        s->kbd_extended = 1;
        return;
    }

    if (s->kbd_extended) {
        /* Wheel events; the *_INV bit is set together with the wheel bit
         * for up and left only. */
        switch (keycode & KEY_CODE) {
        case KEYCODE_UP:
            event = MP_KEY_WHEEL_NAV | MP_KEY_WHEEL_NAV_INV;
            break;

        case KEYCODE_DOWN:
            event = MP_KEY_WHEEL_NAV;
            break;

        case KEYCODE_LEFT:
            event = MP_KEY_WHEEL_VOL | MP_KEY_WHEEL_VOL_INV;
            break;

        case KEYCODE_RIGHT:
            event = MP_KEY_WHEEL_VOL;
            break;
        }
    } else {
        switch (keycode & KEY_CODE) {
        case KEYCODE_F:
            event = MP_KEY_BTN_FAVORITS;
            break;

        case KEYCODE_TAB:
            event = MP_KEY_BTN_VOLUME;
            break;

        case KEYCODE_ENTER:
            event = MP_KEY_BTN_NAVIGATION;
            break;

        case KEYCODE_M:
            event = MP_KEY_BTN_MENU;
            break;
        }
        /* Do not repeat already pressed buttons */
        if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
            event = 0;
        }
    }

    if (event) {
        /* Raise GPIO pin first if repeating a key */
        /* Only wheel events get here while still pressed (button repeats
         * were dropped above); the line goes to 1 and then back to 0
         * below, so a held arrow key produces a fresh edge per repeat. */
        if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
            for (i = 0; i <= 7; i++) {
                if (event & (1 << i)) {
                    qemu_set_irq(s->out[i], 1);
                }
            }
        }
        /* i stays within 0..7, the bounds of out[8]. */
        for (i = 0; i <= 7; i++) {
            if (event & (1 << i)) {
                qemu_set_irq(s->out[i], !!(keycode & KEY_RELEASED));
            }
        }
        if (keycode & KEY_RELEASED) {
            s->pressed_keys &= ~event;
        } else {
            s->pressed_keys |= event;
        }
    }

    /* The extended prefix applies to one key code only. */
    s->kbd_extended = 0;
}
1518 
/*
 * SysBus init hook for the key device.  Registers a zero-sized "dummy"
 * memory region (the device has no registers), clears the key state,
 * exports the eight output lines and installs musicpal_key_event() as a
 * keyboard event handler.  Always returns 0.
 */
static int musicpal_key_init(SysBusDevice *sbd)
{
    DeviceState *qdev = DEVICE(sbd);
    musicpal_key_state *keys = MUSICPAL_KEY(qdev);

    keys->pressed_keys = 0;
    keys->kbd_extended = 0;

    memory_region_init(&keys->iomem, OBJECT(keys), "dummy", 0);
    sysbus_init_mmio(sbd, &keys->iomem);

    qdev_init_gpio_out(qdev, keys->out, ARRAY_SIZE(keys->out));

    /* From here on host key presses reach musicpal_key_event(). */
    qemu_add_kbd_event_handler(musicpal_key_event, keys);

    return 0;
}
1536 
/*
 * Migration description for the key device: the extended-prefix flag and
 * the pressed-key bitmap, at stream version 1.
 */
static const VMStateDescription musicpal_key_vmsd = {
    .name = "musicpal_key",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(kbd_extended, musicpal_key_state),
        VMSTATE_UINT32(pressed_keys, musicpal_key_state),
        VMSTATE_END_OF_LIST()
    }
};
1547 
/*
 * Class initializer for the key device: installs the sysbus init hook
 * and the migration description.
 */
static void musicpal_key_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_CLASS(klass);
    DeviceClass *devc = DEVICE_CLASS(klass);

    devc->vmsd = &musicpal_key_vmsd;
    sbc->init = musicpal_key_init;
}
1556 
/*
 * QOM type record for the key device (sysbus child, instance state
 * musicpal_key_state).
 */
static const TypeInfo musicpal_key_info = {
    .name          = TYPE_MUSICPAL_KEY,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(musicpal_key_state),
    .class_init    = musicpal_key_class_init,
};
1563 
/*
 * Boot parameters handed to arm_load_kernel().  The static part is set
 * here; RAM size and the kernel, command line and initrd names are
 * filled in by musicpal_init().
 */
static struct arm_boot_info musicpal_binfo = {
    .loader_start = 0x0,
    .board_id = 0x20e,
};
1568 
/*
 * Machine init for the MusicPal board: creates the CPU, RAM and SRAM,
 * instantiates and wires every on-board device, then loads the kernel.
 *
 * Exits the process with status 1 when the CPU model is unknown or the
 * flash image has an unsupported size.
 */
static void musicpal_init(MachineState *machine)
{
    const char *cpu_model = machine->cpu_model;
    const char *kernel_filename = machine->kernel_filename;
    const char *kernel_cmdline = machine->kernel_cmdline;
    const char *initrd_filename = machine->initrd_filename;
    ARMCPU *cpu;
    qemu_irq pic[32];
    DeviceState *dev;
    DeviceState *i2c_dev;
    DeviceState *lcd_dev;
    DeviceState *key_dev;
    DeviceState *wm8750_dev;
    SysBusDevice *s;
    I2CBus *i2c;
    int i;
    unsigned long flash_size;
    DriveInfo *dinfo;
    MemoryRegion *address_space_mem = get_system_memory();
    MemoryRegion *ram = g_new(MemoryRegion, 1);
    MemoryRegion *sram = g_new(MemoryRegion, 1);

    if (!cpu_model) {
        cpu_model = "arm926";
    }
    cpu = cpu_arm_init(cpu_model);
    if (!cpu) {
        fprintf(stderr, "Unable to find CPU definition\n");
        exit(1);
    }

    /* For now we use a fixed - the original - RAM size */
    memory_region_allocate_system_memory(ram, NULL, "musicpal.ram",
                                         MP_RAM_DEFAULT_SIZE);
    memory_region_add_subregion(address_space_mem, 0, ram);

    memory_region_init_ram(sram, NULL, "musicpal.sram", MP_SRAM_SIZE,
                           &error_fatal);
    vmstate_register_ram_global(sram);
    memory_region_add_subregion(address_space_mem, MP_SRAM_BASE, sram);

    /* Interrupt controller; its 32 inputs are cached in pic[] so the
     * devices below can be wired by MP_*_IRQ index. */
    dev = sysbus_create_simple(TYPE_MV88W8618_PIC, MP_PIC_BASE,
                               qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));
    for (i = 0; i < 32; i++) {
        pic[i] = qdev_get_gpio_in(dev, i);
    }
    sysbus_create_varargs(TYPE_MV88W8618_PIT, MP_PIT_BASE, pic[MP_TIMER1_IRQ],
                          pic[MP_TIMER2_IRQ], pic[MP_TIMER3_IRQ],
                          pic[MP_TIMER4_IRQ], NULL);

    /* A UART is created only when a host character backend exists. */
    if (serial_hds[0]) {
        serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
                       1825000, serial_hds[0], DEVICE_NATIVE_ENDIAN);
    }
    if (serial_hds[1]) {
        serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
                       1825000, serial_hds[1], DEVICE_NATIVE_ENDIAN);
    }

    /* Register flash */
    dinfo = drive_get(IF_PFLASH, 0, 0);
    if (dinfo) {
        BlockBackend *blk = blk_by_legacy_dinfo(dinfo);

        /*
         * The image length comes from the user-supplied drive.  Only the
         * three exact sizes below are accepted, so any other value stops
         * startup; this also keeps flash_size non-zero for the division
         * further down.
         * NOTE(review): the result is stored in an unsigned long; if
         * blk_getlength() can report an error as a negative value, that
         * is rejected by the same comparison - confirm.
         */
        flash_size = blk_getlength(blk);
        if (flash_size != 8*1024*1024 && flash_size != 16*1024*1024 &&
            flash_size != 32*1024*1024) {
            fprintf(stderr, "Invalid flash image size\n");
            exit(1);
        }

        /*
         * The original U-Boot accesses the flash at 0xFE000000 instead of
         * 0xFF800000 (if there is 8 MB flash). So remap flash access if the
         * image is smaller than 32 MB.
         */
        /*
         * The two branches differ only in the final argument (1 for a
         * big-endian target, 0 otherwise).  MP_FLASH_SIZE_MAX is defined
         * without parentheses; the expressions below still evaluate as
         * intended because * and / associate left to right.
         */
#ifdef TARGET_WORDS_BIGENDIAN
        pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
                              "musicpal.flash", flash_size,
                              blk, 0x10000, (flash_size + 0xffff) >> 16,
                              MP_FLASH_SIZE_MAX / flash_size,
                              2, 0x00BF, 0x236D, 0x0000, 0x0000,
                              0x5555, 0x2AAA, 1);
#else
        pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
                              "musicpal.flash", flash_size,
                              blk, 0x10000, (flash_size + 0xffff) >> 16,
                              MP_FLASH_SIZE_MAX / flash_size,
                              2, 0x00BF, 0x236D, 0x0000, 0x0000,
                              0x5555, 0x2AAA, 0);
#endif

    }
    /* The flash config registers exist even without a flash image. */
    sysbus_create_simple(TYPE_MV88W8618_FLASHCFG, MP_FLASHCFG_BASE, NULL);

    qemu_check_nic_model(&nd_table[0], "mv88w8618");
    dev = qdev_create(NULL, TYPE_MV88W8618_ETH);
    qdev_set_nic_properties(dev, &nd_table[0]);
    qdev_init_nofail(dev);
    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, MP_ETH_BASE);
    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[MP_ETH_IRQ]);

    sysbus_create_simple("mv88w8618_wlan", MP_WLAN_BASE, NULL);

    sysbus_create_simple(TYPE_MUSICPAL_MISC, MP_MISC_BASE, NULL);

    /* From here until the audio device is created, dev is the GPIO
     * controller. */
    dev = sysbus_create_simple(TYPE_MUSICPAL_GPIO, MP_GPIO_BASE,
                               pic[MP_GPIO_IRQ]);
    i2c_dev = sysbus_create_simple("gpio_i2c", -1, NULL);
    i2c = (I2CBus *)qdev_get_child_bus(i2c_dev, "i2c");

    lcd_dev = sysbus_create_simple(TYPE_MUSICPAL_LCD, MP_LCD_BASE, NULL);
    key_dev = sysbus_create_simple(TYPE_MUSICPAL_KEY, -1, NULL);

    /* I2C read data */
    qdev_connect_gpio_out(i2c_dev, 0,
                          qdev_get_gpio_in(dev, MP_GPIO_I2C_DATA_BIT));
    /* I2C data */
    qdev_connect_gpio_out(dev, 3, qdev_get_gpio_in(i2c_dev, 0));
    /* I2C clock */
    qdev_connect_gpio_out(dev, 4, qdev_get_gpio_in(i2c_dev, 1));

    /* GPIO outputs 0..2 carry the LCD brightness level. */
    for (i = 0; i < 3; i++) {
        qdev_connect_gpio_out(dev, i, qdev_get_gpio_in(lcd_dev, i));
    }
    /* Key outputs 0..3 feed GPIO inputs 8..11, outputs 4..7 feed
     * GPIO inputs 19..22. */
    for (i = 0; i < 4; i++) {
        qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 8));
    }
    for (i = 4; i < 8; i++) {
        qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 15));
    }

    /* Audio: the codec sits on the bit-banged I2C bus and is handed to
     * the audio device through its "wm8750" pointer property. */
    wm8750_dev = i2c_create_slave(i2c, "wm8750", MP_WM_ADDR);
    dev = qdev_create(NULL, "mv88w8618_audio");
    s = SYS_BUS_DEVICE(dev);
    qdev_prop_set_ptr(dev, "wm8750", wm8750_dev);
    qdev_init_nofail(dev);
    sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
    sysbus_connect_irq(s, 0, pic[MP_AUDIO_IRQ]);

    musicpal_binfo.ram_size = MP_RAM_DEFAULT_SIZE;
    musicpal_binfo.kernel_filename = kernel_filename;
    musicpal_binfo.kernel_cmdline = kernel_cmdline;
    musicpal_binfo.initrd_filename = initrd_filename;
    arm_load_kernel(cpu, &musicpal_binfo);
}
1715 
/*
 * Machine class setup: names musicpal_init() as the board's init
 * routine and sets the human-readable description.
 */
static void musicpal_machine_init(MachineClass *mc)
{
    mc->init = musicpal_init;
    mc->desc = "Marvell 88w8618 / MusicPal (ARM926EJ-S)";
}

DEFINE_MACHINE("musicpal", musicpal_machine_init)
1723 
/*
 * Class initializer for the WLAN stub: installs the sysbus init hook.
 * No reset handler or migration description is set here; the stub keeps
 * no state.
 */
static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
{
    SysBusDeviceClass *sbc = SYS_BUS_DEVICE_CLASS(klass);

    sbc->init = mv88w8618_wlan_init;
}
1730 
/*
 * QOM type record for the WLAN stub.  instance_size is that of a plain
 * SysBusDevice: the type declares no state struct of its own, and
 * mv88w8618_wlan_init() allocates its MemoryRegion separately.
 */
static const TypeInfo mv88w8618_wlan_info = {
    .name          = "mv88w8618_wlan",
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(SysBusDevice),
    .class_init    = mv88w8618_wlan_class_init,
};
1737 
/*
 * Registers every QOM type defined in this file.  Invoked through
 * type_init() below.
 */
static void musicpal_register_types(void)
{
    /* Registration order is the same as the listing order. */
    static const TypeInfo *const board_types[] = {
        &mv88w8618_pic_info,
        &mv88w8618_pit_info,
        &mv88w8618_flashcfg_info,
        &mv88w8618_eth_info,
        &mv88w8618_wlan_info,
        &musicpal_lcd_info,
        &musicpal_gpio_info,
        &musicpal_key_info,
        &musicpal_misc_info,
    };
    size_t idx;

    for (idx = 0; idx < sizeof(board_types) / sizeof(board_types[0]); idx++) {
        type_register_static(board_types[idx]);
    }
}

type_init(musicpal_register_types)
1752