xref: /openbmc/qemu/hw/arm/musicpal.c (revision 67abc3dd)
1 /*
2  * Marvell MV88W8618 / Freecom MusicPal emulation.
3  *
4  * Copyright (c) 2008 Jan Kiszka
5  *
6  * This code is licensed under the GNU GPL v2.
7  *
8  * Contributions after 2012-01-13 are licensed under the terms of the
9  * GNU GPL, version 2 or (at your option) any later version.
10  */
11 
12 #include "qemu/osdep.h"
13 #include "qapi/error.h"
14 #include "cpu.h"
15 #include "hw/sysbus.h"
16 #include "migration/vmstate.h"
17 #include "hw/arm/boot.h"
18 #include "net/net.h"
19 #include "sysemu/sysemu.h"
20 #include "hw/boards.h"
21 #include "hw/char/serial.h"
22 #include "hw/hw.h"
23 #include "qemu/timer.h"
24 #include "hw/ptimer.h"
25 #include "hw/qdev-properties.h"
26 #include "hw/block/flash.h"
27 #include "ui/console.h"
28 #include "hw/i2c/i2c.h"
29 #include "hw/irq.h"
30 #include "hw/audio/wm8750.h"
31 #include "sysemu/block-backend.h"
32 #include "sysemu/runstate.h"
33 #include "sysemu/dma.h"
34 #include "exec/address-spaces.h"
35 #include "ui/pixel_ops.h"
36 #include "qemu/cutils.h"
37 
38 #define MP_MISC_BASE            0x80002000
39 #define MP_MISC_SIZE            0x00001000
40 
41 #define MP_ETH_BASE             0x80008000
42 #define MP_ETH_SIZE             0x00001000
43 
44 #define MP_WLAN_BASE            0x8000C000
45 #define MP_WLAN_SIZE            0x00000800
46 
47 #define MP_UART1_BASE           0x8000C840
48 #define MP_UART2_BASE           0x8000C940
49 
50 #define MP_GPIO_BASE            0x8000D000
51 #define MP_GPIO_SIZE            0x00001000
52 
53 #define MP_FLASHCFG_BASE        0x90006000
54 #define MP_FLASHCFG_SIZE        0x00001000
55 
56 #define MP_AUDIO_BASE           0x90007000
57 
58 #define MP_PIC_BASE             0x90008000
59 #define MP_PIC_SIZE             0x00001000
60 
61 #define MP_PIT_BASE             0x90009000
62 #define MP_PIT_SIZE             0x00001000
63 
64 #define MP_LCD_BASE             0x9000c000
65 #define MP_LCD_SIZE             0x00001000
66 
67 #define MP_SRAM_BASE            0xC0000000
68 #define MP_SRAM_SIZE            0x00020000
69 
70 #define MP_RAM_DEFAULT_SIZE     32*1024*1024
71 #define MP_FLASH_SIZE_MAX       32*1024*1024
72 
73 #define MP_TIMER1_IRQ           4
74 #define MP_TIMER2_IRQ           5
75 #define MP_TIMER3_IRQ           6
76 #define MP_TIMER4_IRQ           7
77 #define MP_EHCI_IRQ             8
78 #define MP_ETH_IRQ              9
79 #define MP_UART1_IRQ            11
80 #define MP_UART2_IRQ            11
81 #define MP_GPIO_IRQ             12
82 #define MP_RTC_IRQ              28
83 #define MP_AUDIO_IRQ            30
84 
85 /* Wolfson 8750 I2C address */
86 #define MP_WM_ADDR              0x1A
87 
88 /* Ethernet register offsets */
89 #define MP_ETH_SMIR             0x010
90 #define MP_ETH_PCXR             0x408
91 #define MP_ETH_SDCMR            0x448
92 #define MP_ETH_ICR              0x450
93 #define MP_ETH_IMR              0x458
94 #define MP_ETH_FRDP0            0x480
95 #define MP_ETH_FRDP1            0x484
96 #define MP_ETH_FRDP2            0x488
97 #define MP_ETH_FRDP3            0x48C
98 #define MP_ETH_CRDP0            0x4A0
99 #define MP_ETH_CRDP1            0x4A4
100 #define MP_ETH_CRDP2            0x4A8
101 #define MP_ETH_CRDP3            0x4AC
102 #define MP_ETH_CTDP0            0x4E0
103 #define MP_ETH_CTDP1            0x4E4
104 
105 /* MII PHY access */
106 #define MP_ETH_SMIR_DATA        0x0000FFFF
107 #define MP_ETH_SMIR_ADDR        0x03FF0000
108 #define MP_ETH_SMIR_OPCODE      (1 << 26) /* Read value */
109 #define MP_ETH_SMIR_RDVALID     (1 << 27)
110 
111 /* PHY registers */
112 #define MP_ETH_PHY1_BMSR        0x00210000
113 #define MP_ETH_PHY1_PHYSID1     0x00410000
114 #define MP_ETH_PHY1_PHYSID2     0x00610000
115 
116 #define MP_PHY_BMSR_LINK        0x0004
117 #define MP_PHY_BMSR_AUTONEG     0x0008
118 
119 #define MP_PHY_88E3015          0x01410E20
120 
121 /* TX descriptor status */
122 #define MP_ETH_TX_OWN           (1U << 31)
123 
124 /* RX descriptor status */
125 #define MP_ETH_RX_OWN           (1U << 31)
126 
127 /* Interrupt cause/mask bits */
128 #define MP_ETH_IRQ_RX_BIT       0
129 #define MP_ETH_IRQ_RX           (1 << MP_ETH_IRQ_RX_BIT)
130 #define MP_ETH_IRQ_TXHI_BIT     2
131 #define MP_ETH_IRQ_TXLO_BIT     3
132 
133 /* Port config bits */
134 #define MP_ETH_PCXR_2BSM_BIT    28 /* 2-byte incoming suffix */
135 
136 /* SDMA command bits */
137 #define MP_ETH_CMD_TXHI         (1 << 23)
138 #define MP_ETH_CMD_TXLO         (1 << 22)
139 
140 typedef struct mv88w8618_tx_desc {
141     uint32_t cmdstat;
142     uint16_t res;
143     uint16_t bytes;
144     uint32_t buffer;
145     uint32_t next;
146 } mv88w8618_tx_desc;
147 
148 typedef struct mv88w8618_rx_desc {
149     uint32_t cmdstat;
150     uint16_t bytes;
151     uint16_t buffer_size;
152     uint32_t buffer;
153     uint32_t next;
154 } mv88w8618_rx_desc;
155 
156 #define TYPE_MV88W8618_ETH "mv88w8618_eth"
157 #define MV88W8618_ETH(obj) \
158     OBJECT_CHECK(mv88w8618_eth_state, (obj), TYPE_MV88W8618_ETH)
159 
160 typedef struct mv88w8618_eth_state {
161     /*< private >*/
162     SysBusDevice parent_obj;
163     /*< public >*/
164 
165     MemoryRegion iomem;
166     qemu_irq irq;
167     MemoryRegion *dma_mr;
168     AddressSpace dma_as;
169     uint32_t smir;
170     uint32_t icr;
171     uint32_t imr;
172     int mmio_index;
173     uint32_t vlan_header;
174     uint32_t tx_queue[2];
175     uint32_t rx_queue[4];
176     uint32_t frx_queue[4];
177     uint32_t cur_rx[4];
178     NICState *nic;
179     NICConf conf;
180 } mv88w8618_eth_state;
181 
/*
 * Store an RX descriptor into guest memory at @addr.
 *
 * The fields of @desc are converted to little-endian in place before the
 * DMA write, so the caller's copy is no longer in host byte order
 * afterwards. The result of dma_memory_write() is not examined.
 */
static void eth_rx_desc_put(AddressSpace *dma_as, uint32_t addr,
                            mv88w8618_rx_desc *desc)
{
    /* The per-field swaps are independent of one another. */
    cpu_to_le32s(&desc->cmdstat);
    cpu_to_le32s(&desc->buffer);
    cpu_to_le32s(&desc->next);
    cpu_to_le16s(&desc->bytes);
    cpu_to_le16s(&desc->buffer_size);

    dma_memory_write(dma_as, addr, desc, sizeof *desc);
}
192 
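/*
 * Fetch the RX descriptor at guest address @addr into @desc and convert
 * its fields from little-endian to host byte order.
 *
 * @desc is cleared before the read. The result of dma_memory_read() is not
 * examined, and eth_receive() passes an uninitialised stack object, so
 * without the clear a failed read would let leftover host stack bytes
 * decide the ownership bit, buffer address and next pointer. A cleared
 * descriptor has MP_ETH_RX_OWN unset and a next pointer of 0.
 */
static void eth_rx_desc_get(AddressSpace *dma_as, uint32_t addr,
                            mv88w8618_rx_desc *desc)
{
    memset(desc, 0, sizeof(*desc));
    dma_memory_read(dma_as, addr, desc, sizeof(*desc));
    le32_to_cpus(&desc->cmdstat);
    le16_to_cpus(&desc->bytes);
    le16_to_cpus(&desc->buffer_size);
    le32_to_cpus(&desc->buffer);
    le32_to_cpus(&desc->next);
}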
203 
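/*
 * NIC receive callback: copy an incoming frame into the first guest RX
 * descriptor that is owned by the device and large enough.
 *
 * The four RX queues are scanned in order, each starting at cur_rx[i].
 * On success the descriptor is handed back to the guest (OWN cleared,
 * byte count filled in), cur_rx[i] advances and the RX interrupt cause is
 * set. If no descriptor fits, the frame is dropped; @size is returned in
 * both cases.
 *
 * Every "next" pointer comes from guest memory, so the ring is not trusted
 * to lead back to rx_queue[i]. The walk is capped so that a chain which
 * never returns to the queue head cannot keep this callback spinning.
 *
 * NOTE(review): the fit test compares buffer_size with @size only, while
 * the data is written s->vlan_header bytes into the buffer - confirm
 * whether the prefix should be included in the check.
 */
static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
{
    /* Sanity limit on descriptors inspected per queue for one frame. */
    enum { MP_ETH_RX_WALK_MAX = 65536 };
    mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
    uint32_t desc_addr;
    mv88w8618_rx_desc desc;
    int i;
    int walked;

    for (i = 0; i < 4; i++) {
        desc_addr = s->cur_rx[i];
        if (!desc_addr) {
            /* Queue not programmed by the guest. */
            continue;
        }
        walked = 0;
        do {
            eth_rx_desc_get(&s->dma_as, desc_addr, &desc);
            if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
                dma_memory_write(&s->dma_as, desc.buffer + s->vlan_header,
                                          buf, size);
                desc.bytes = size + s->vlan_header;
                desc.cmdstat &= ~MP_ETH_RX_OWN;
                s->cur_rx[i] = desc.next;

                s->icr |= MP_ETH_IRQ_RX;
                if (s->icr & s->imr) {
                    qemu_irq_raise(s->irq);
                }
                eth_rx_desc_put(&s->dma_as, desc_addr, &desc);
                return size;
            }
            desc_addr = desc.next;
        } while (desc_addr != s->rx_queue[i] &&
                 ++walked < MP_ETH_RX_WALK_MAX);
    }
    return size;
}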
237 
/*
 * Store a TX descriptor into guest memory at @addr.
 *
 * The fields of @desc are converted to little-endian in place before the
 * DMA write, so the caller's copy is no longer in host byte order
 * afterwards. The result of dma_memory_write() is not examined.
 */
static void eth_tx_desc_put(AddressSpace *dma_as, uint32_t addr,
                            mv88w8618_tx_desc *desc)
{
    /* The per-field swaps are independent of one another. */
    cpu_to_le32s(&desc->cmdstat);
    cpu_to_le32s(&desc->buffer);
    cpu_to_le32s(&desc->next);
    cpu_to_le16s(&desc->res);
    cpu_to_le16s(&desc->bytes);

    dma_memory_write(dma_as, addr, desc, sizeof *desc);
}
248 
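/*
 * Fetch the TX descriptor at guest address @addr into @desc and convert
 * its fields from little-endian to host byte order.
 *
 * @desc is cleared before the read. The result of dma_memory_read() is not
 * examined, and eth_send() passes an uninitialised stack object, so
 * without the clear a failed read would let leftover host stack bytes
 * decide the ownership bit, length, buffer address and next pointer. A
 * cleared descriptor has MP_ETH_TX_OWN unset and a next pointer of 0.
 */
static void eth_tx_desc_get(AddressSpace *dma_as, uint32_t addr,
                            mv88w8618_tx_desc *desc)
{
    memset(desc, 0, sizeof(*desc));
    dma_memory_read(dma_as, addr, desc, sizeof(*desc));
    le32_to_cpus(&desc->cmdstat);
    le16_to_cpus(&desc->res);
    le16_to_cpus(&desc->bytes);
    le32_to_cpus(&desc->buffer);
    le32_to_cpus(&desc->next);
}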
259 
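/*
 * Transmit every device-owned descriptor on TX queue @queue_index.
 *
 * Starting at tx_queue[queue_index], each descriptor with MP_ETH_TX_OWN
 * set has its payload copied into a bounce buffer and sent, is handed back
 * to the guest (OWN cleared) and sets the queue's TX interrupt cause bit.
 * Payloads that do not fit the bounce buffer are skipped, as before.
 *
 * Two guest-controlled inputs are treated defensively:
 *  - "next" pointers are read from guest memory and need not lead back to
 *    the queue head, so the walk is capped instead of looping until they do;
 *  - the payload read can fail (dma_memory_read() returns non-zero), in
 *    which case the frame is not sent rather than transmitting whatever
 *    the uninitialised stack buffer happened to contain.
 */
static void eth_send(mv88w8618_eth_state *s, int queue_index)
{
    /* Sanity limit on descriptors processed per transmit command. */
    enum { MP_ETH_TX_WALK_MAX = 65536 };
    uint32_t desc_addr = s->tx_queue[queue_index];
    mv88w8618_tx_desc desc;
    uint32_t next_desc;
    uint8_t buf[2048];
    int len;
    int walked = 0;

    do {
        eth_tx_desc_get(&s->dma_as, desc_addr, &desc);
        /* Saved now: eth_tx_desc_put() byte-swaps desc in place. */
        next_desc = desc.next;
        if (desc.cmdstat & MP_ETH_TX_OWN) {
            len = desc.bytes;
            if (len < (int)sizeof(buf) &&
                !dma_memory_read(&s->dma_as, desc.buffer, buf, len)) {
                qemu_send_packet(qemu_get_queue(s->nic), buf, len);
            }
            desc.cmdstat &= ~MP_ETH_TX_OWN;
            s->icr |= 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index);
            eth_tx_desc_put(&s->dma_as, desc_addr, &desc);
        }
        desc_addr = next_desc;
    } while (desc_addr != s->tx_queue[queue_index] &&
             ++walked < MP_ETH_TX_WALK_MAX);
}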
284 
/*
 * MMIO read handler for the Ethernet register window.
 *
 * SMIR reads emulate a PHY: when the last value written had the read
 * opcode set, the selected PHY register is returned together with the
 * read-valid flag (unknown registers read as 0 plus the flag); otherwise
 * 0. ICR, IMR and the descriptor pointer registers return the stored
 * state. Every other offset reads as 0. @size is ignored.
 */
static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    mv88w8618_eth_state *s = opaque;
    uint32_t phy_data;

    if (offset == MP_ETH_SMIR) {
        if (!(s->smir & MP_ETH_SMIR_OPCODE)) {
            return 0;
        }
        switch (s->smir & MP_ETH_SMIR_ADDR) {
        case MP_ETH_PHY1_BMSR:
            phy_data = MP_PHY_BMSR_LINK | MP_PHY_BMSR_AUTONEG;
            break;
        case MP_ETH_PHY1_PHYSID1:
            phy_data = MP_PHY_88E3015 >> 16;
            break;
        case MP_ETH_PHY1_PHYSID2:
            phy_data = MP_PHY_88E3015 & 0xFFFF;
            break;
        default:
            phy_data = 0;
            break;
        }
        return phy_data | MP_ETH_SMIR_RDVALID;
    }

    switch (offset) {
    case MP_ETH_ICR:
        return s->icr;

    case MP_ETH_IMR:
        return s->imr;

    /* The case ranges keep each array index within its queue array. */
    case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
        return s->frx_queue[(offset - MP_ETH_FRDP0) / 4];

    case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
        return s->rx_queue[(offset - MP_ETH_CRDP0) / 4];

    case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
        return s->tx_queue[(offset - MP_ETH_CTDP0) / 4];

    default:
        return 0;
    }
}
326 
/*
 * MMIO write handler for the Ethernet register window.
 *
 * SMIR and IMR store the value; PCXR derives the 0- or 2-byte receive
 * prefix; SDCMR triggers transmission on the high and/or low queue; ICR
 * clears every cause bit that is written as 0; the descriptor pointer
 * registers store guest addresses that the DMA paths later dereference.
 * Writes to other offsets are ignored, as is @size.
 */
static void mv88w8618_eth_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
    mv88w8618_eth_state *s = opaque;
    unsigned slot;

    switch (offset) {
    case MP_ETH_SMIR:
        s->smir = value;
        return;

    case MP_ETH_PCXR:
        s->vlan_header = ((value >> MP_ETH_PCXR_2BSM_BIT) & 1) * 2;
        return;

    case MP_ETH_SDCMR:
        /* High-priority queue is serviced before the low one. */
        if (value & MP_ETH_CMD_TXHI) {
            eth_send(s, 1);
        }
        if (value & MP_ETH_CMD_TXLO) {
            eth_send(s, 0);
        }
        if ((value & (MP_ETH_CMD_TXHI | MP_ETH_CMD_TXLO)) &&
            (s->icr & s->imr)) {
            qemu_irq_raise(s->irq);
        }
        return;

    case MP_ETH_ICR:
        s->icr &= value;
        return;

    case MP_ETH_IMR:
        s->imr = value;
        /* Unmasking a pending cause raises the line immediately. */
        if (s->icr & s->imr) {
            qemu_irq_raise(s->irq);
        }
        return;

    /* The case ranges keep each slot within its queue array. */
    case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
        slot = (offset - MP_ETH_FRDP0) / 4;
        s->frx_queue[slot] = value;
        return;

    case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
        slot = (offset - MP_ETH_CRDP0) / 4;
        s->cur_rx[slot] = value;
        s->rx_queue[slot] = s->cur_rx[slot];
        return;

    case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
        slot = (offset - MP_ETH_CTDP0) / 4;
        s->tx_queue[slot] = value;
        return;
    }
}
378 
379 static const MemoryRegionOps mv88w8618_eth_ops = {
380     .read = mv88w8618_eth_read,
381     .write = mv88w8618_eth_write,
382     .endianness = DEVICE_NATIVE_ENDIAN,
383 };
384 
/*
 * NetClientInfo cleanup hook: forget the NIC pointer held in the device
 * state.
 */
static void eth_cleanup(NetClientState *nc)
{
    mv88w8618_eth_state *eth = qemu_get_nic_opaque(nc);

    eth->nic = NULL;
}
391 
392 static NetClientInfo net_mv88w8618_info = {
393     .type = NET_CLIENT_DRIVER_NIC,
394     .size = sizeof(NICState),
395     .receive = eth_receive,
396     .cleanup = eth_cleanup,
397 };
398 
/*
 * Instance init: expose the interrupt line and the MP_ETH_SIZE register
 * window of the Ethernet controller on the system bus.
 */
static void mv88w8618_eth_init(Object *obj)
{
    mv88w8618_eth_state *s = MV88W8618_ETH(obj);
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);

    sysbus_init_irq(sbd, &s->irq);

    memory_region_init_io(&s->iomem, obj, &mv88w8618_eth_ops, s,
                          "mv88w8618-eth", MP_ETH_SIZE);
    sysbus_init_mmio(sbd, &s->iomem);
}
410 
/*
 * Realize: build the DMA address space from the mandatory 'dma-memory'
 * link and create the NIC backend. Fails through @errp when the link has
 * not been set.
 */
static void mv88w8618_eth_realize(DeviceState *dev, Error **errp)
{
    mv88w8618_eth_state *s = MV88W8618_ETH(dev);
    const char *type_name;

    if (s->dma_mr == NULL) {
        error_setg(errp, TYPE_MV88W8618_ETH " 'dma-memory' link not set");
        return;
    }

    /* All descriptor and packet DMA goes through this address space. */
    address_space_init(&s->dma_as, s->dma_mr, "emac-dma");

    type_name = object_get_typename(OBJECT(dev));
    s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf, type_name,
                          dev->id, s);
}
424 
425 static const VMStateDescription mv88w8618_eth_vmsd = {
426     .name = "mv88w8618_eth",
427     .version_id = 1,
428     .minimum_version_id = 1,
429     .fields = (VMStateField[]) {
430         VMSTATE_UINT32(smir, mv88w8618_eth_state),
431         VMSTATE_UINT32(icr, mv88w8618_eth_state),
432         VMSTATE_UINT32(imr, mv88w8618_eth_state),
433         VMSTATE_UINT32(vlan_header, mv88w8618_eth_state),
434         VMSTATE_UINT32_ARRAY(tx_queue, mv88w8618_eth_state, 2),
435         VMSTATE_UINT32_ARRAY(rx_queue, mv88w8618_eth_state, 4),
436         VMSTATE_UINT32_ARRAY(frx_queue, mv88w8618_eth_state, 4),
437         VMSTATE_UINT32_ARRAY(cur_rx, mv88w8618_eth_state, 4),
438         VMSTATE_END_OF_LIST()
439     }
440 };
441 
442 static Property mv88w8618_eth_properties[] = {
443     DEFINE_NIC_PROPERTIES(mv88w8618_eth_state, conf),
444     DEFINE_PROP_LINK("dma-memory", mv88w8618_eth_state, dma_mr,
445                      TYPE_MEMORY_REGION, MemoryRegion *),
446     DEFINE_PROP_END_OF_LIST(),
447 };
448 
/*
 * Class init: install the realize hook, the property list and the
 * migration description for the Ethernet controller.
 */
static void mv88w8618_eth_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *device_class = DEVICE_CLASS(klass);

    device_class->realize = mv88w8618_eth_realize;
    device_class->vmsd = &mv88w8618_eth_vmsd;
    device_class_set_props(device_class, mv88w8618_eth_properties);
}
457 
458 static const TypeInfo mv88w8618_eth_info = {
459     .name          = TYPE_MV88W8618_ETH,
460     .parent        = TYPE_SYS_BUS_DEVICE,
461     .instance_size = sizeof(mv88w8618_eth_state),
462     .instance_init = mv88w8618_eth_init,
463     .class_init    = mv88w8618_eth_class_init,
464 };
465 
466 /* LCD register offsets */
467 #define MP_LCD_IRQCTRL          0x180
468 #define MP_LCD_IRQSTAT          0x184
469 #define MP_LCD_SPICTRL          0x1ac
470 #define MP_LCD_INST             0x1bc
471 #define MP_LCD_DATA             0x1c0
472 
473 /* Mode magics */
474 #define MP_LCD_SPI_DATA         0x00100011
475 #define MP_LCD_SPI_CMD          0x00104011
476 #define MP_LCD_SPI_INVALID      0x00000000
477 
478 /* Commands */
479 #define MP_LCD_INST_SETPAGE0    0xB0
480 /* ... */
481 #define MP_LCD_INST_SETPAGE7    0xB7
482 
483 #define MP_LCD_TEXTCOLOR        0xe0e0ff /* RRGGBB */
484 
485 #define TYPE_MUSICPAL_LCD "musicpal_lcd"
486 #define MUSICPAL_LCD(obj) \
487     OBJECT_CHECK(musicpal_lcd_state, (obj), TYPE_MUSICPAL_LCD)
488 
489 typedef struct musicpal_lcd_state {
490     /*< private >*/
491     SysBusDevice parent_obj;
492     /*< public >*/
493 
494     MemoryRegion iomem;
495     uint32_t brightness;
496     uint32_t mode;
497     uint32_t irqctrl;
498     uint32_t page;
499     uint32_t page_off;
500     QemuConsole *con;
501     uint8_t video_ram[128*64/8];
502 } musicpal_lcd_state;
503 
/*
 * Scale colour component @col by the current brightness: level 7 leaves it
 * unchanged, level 0 yields black, anything else yields col * level / 7
 * truncated to 8 bits.
 */
static uint8_t scale_lcd_color(musicpal_lcd_state *s, uint8_t col)
{
    if (s->brightness == 7) {
        return col;
    }
    if (s->brightness == 0) {
        return 0;
    }
    return (col * s->brightness) / 7;
}
515 
/*
 * SET_LCD_PIXEL(depth, type) defines set_lcd_pixel<depth>(), which paints
 * LCD pixel (x, y) as a 3x3 square of @col on the console surface. Surface
 * rows are addressed as 128 * 3 elements of @type.
 *
 * NOTE(review): x, y and the surface dimensions are not checked here; the
 * indexing relies on the caller's loop bounds and on the surface having the
 * size requested at realize time - confirm.
 */
#define SET_LCD_PIXEL(depth, type) \
static inline void glue(set_lcd_pixel, depth) \
        (musicpal_lcd_state *s, int x, int y, type col) \
{ \
    DisplaySurface *surface = qemu_console_surface(s->con); \
    type *block = (type *) surface_data(surface) + (y * 128 * 3 + x) * 3; \
    int row, column; \
\
    for (row = 0; row < 3; row++) { \
        for (column = 0; column < 3; column++) { \
            block[row * 128 * 3 + column] = col; \
        } \
    } \
}
SET_LCD_PIXEL(8, uint8_t)
SET_LCD_PIXEL(16, uint16_t)
SET_LCD_PIXEL(32, uint32_t)
531 
/*
 * Console gfx_update hook: redraw the whole 128x64 panel from video_ram,
 * each LCD pixel becoming a 3x3 block on the surface.
 *
 * video_ram holds 8 pages of 128 bytes; bit (y % 8) of byte
 * x + (y / 8) * 128 is pixel (x, y). Lit pixels use MP_LCD_TEXTCOLOR
 * scaled by the brightness, the rest are drawn as 0. A surface depth of 0
 * skips the redraw; depths other than 8, 16 and 32 end in hw_error().
 */
static void lcd_refresh(void *opaque)
{
    musicpal_lcd_state *s = opaque;
    DisplaySurface *surface = qemu_console_surface(s->con);
    int bpp = surface_bits_per_pixel(surface);
    int x, y, col, lit;
    uint8_t red, green, blue;

    if (bpp == 0) {
        return;
    }
    if (bpp != 8 && bpp != 16 && bpp != 32) {
        hw_error("unsupported colour depth %i\n", bpp);
    }

    red = scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 16) & 0xff);
    green = scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 8) & 0xff);
    blue = scale_lcd_color(s, MP_LCD_TEXTCOLOR & 0xff);

    /* Encode the text colour once for the surface's pixel format. */
    switch (bpp) {
    case 8:
        col = rgb_to_pixel8(red, green, blue);
        break;
    case 16:
        col = rgb_to_pixel16(red, green, blue);
        break;
    default:
        col = (is_surface_bgr(surface) ?
               rgb_to_pixel32bgr : rgb_to_pixel32)(red, green, blue);
        break;
    }

    for (x = 0; x < 128; x++) {
        for (y = 0; y < 64; y++) {
            lit = s->video_ram[x + (y / 8) * 128] & (1 << (y % 8));
            switch (bpp) {
            case 8:
                set_lcd_pixel8(s, x, y, lit ? col : 0);
                break;
            case 16:
                set_lcd_pixel16(s, x, y, lit ? col : 0);
                break;
            default:
                set_lcd_pixel32(s, x, y, lit ? col : 0);
                break;
            }
        }
    }

    dpy_gfx_update(s->con, 0, 0, 128 * 3, 64 * 3);
}
567 
/* Console invalidate hook: intentionally does nothing. */
static void lcd_invalidate(void *opaque)
{
    /* lcd_refresh() repaints the full panel, so no state is kept here. */
}
571 
/*
 * GPIO input handler: line @irq carries bit @irq of the brightness level.
 * The bit is cleared and then replaced by @level shifted into position.
 */
static void musicpal_lcd_gpio_brightness_in(void *opaque, int irq, int level)
{
    musicpal_lcd_state *lcd = opaque;

    lcd->brightness = (lcd->brightness & ~(1 << irq)) | (level << irq);
}
578 
/*
 * MMIO read handler for the LCD controller: only MP_LCD_IRQCTRL is
 * readable, every other offset returns 0. @size is ignored.
 */
static uint64_t musicpal_lcd_read(void *opaque, hwaddr offset,
                                  unsigned size)
{
    musicpal_lcd_state *s = opaque;

    if (offset == MP_LCD_IRQCTRL) {
        return s->irqctrl;
    }
    return 0;
}
592 
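/*
 * MMIO write handler for the LCD controller.
 *
 * IRQCTRL stores the value. SPICTRL selects data or command mode, any
 * other value selecting the invalid mode. INST, and DATA while in command
 * mode, accept the set-page commands and reset the column offset. DATA in
 * data mode stores one byte at the current page/column and advances the
 * column modulo 128. Writes to other offsets are ignored, as is @size.
 *
 * The register paths above keep page within 0..7 and page_off within
 * 0..127, but both fields are also restored from the migration stream, so
 * the video_ram store is range-checked here rather than trusting them.
 */
static void musicpal_lcd_write(void *opaque, hwaddr offset,
                               uint64_t value, unsigned size)
{
    musicpal_lcd_state *s = opaque;

    switch (offset) {
    case MP_LCD_IRQCTRL:
        s->irqctrl = value;
        break;

    case MP_LCD_SPICTRL:
        if (value == MP_LCD_SPI_DATA || value == MP_LCD_SPI_CMD) {
            s->mode = value;
        } else {
            s->mode = MP_LCD_SPI_INVALID;
        }
        break;

    case MP_LCD_INST:
        if (value >= MP_LCD_INST_SETPAGE0 && value <= MP_LCD_INST_SETPAGE7) {
            s->page = value - MP_LCD_INST_SETPAGE0;
            s->page_off = 0;
        }
        break;

    case MP_LCD_DATA:
        if (s->mode == MP_LCD_SPI_CMD) {
            if (value >= MP_LCD_INST_SETPAGE0 &&
                value <= MP_LCD_INST_SETPAGE7) {
                s->page = value - MP_LCD_INST_SETPAGE0;
                s->page_off = 0;
            }
        } else if (s->mode == MP_LCD_SPI_DATA) {
            /* Drop the byte instead of writing outside video_ram. */
            if (s->page < sizeof(s->video_ram) / 128 && s->page_off < 128) {
                s->video_ram[s->page * 128 + s->page_off] = value;
            }
            s->page_off = (s->page_off + 1) & 127;
        }
        break;
    }
}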
632 
633 static const MemoryRegionOps musicpal_lcd_ops = {
634     .read = musicpal_lcd_read,
635     .write = musicpal_lcd_write,
636     .endianness = DEVICE_NATIVE_ENDIAN,
637 };
638 
639 static const GraphicHwOps musicpal_gfx_ops = {
640     .invalidate  = lcd_invalidate,
641     .gfx_update  = lcd_refresh,
642 };
643 
/*
 * Realize: create the graphical console for the panel and size it to
 * 3x3 host pixels per LCD pixel (384x192).
 */
static void musicpal_lcd_realize(DeviceState *dev, Error **errp)
{
    musicpal_lcd_state *lcd = MUSICPAL_LCD(dev);

    lcd->con = graphic_console_init(dev, 0, &musicpal_gfx_ops, lcd);
    qemu_console_resize(lcd->con, 3 * 128, 3 * 64);
}
650 
/*
 * Instance init: start at full brightness, expose the register window and
 * register the three brightness GPIO inputs.
 */
static void musicpal_lcd_init(Object *obj)
{
    musicpal_lcd_state *s = MUSICPAL_LCD(obj);
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);

    s->brightness = 7;

    memory_region_init_io(&s->iomem, obj, &musicpal_lcd_ops, s,
                          "musicpal-lcd", MP_LCD_SIZE);
    sysbus_init_mmio(sbd, &s->iomem);

    /* One input line per brightness bit. */
    qdev_init_gpio_in(DEVICE(obj), musicpal_lcd_gpio_brightness_in, 3);
}
665 
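/*
 * Reject incoming migration state whose page or column offset would index
 * outside video_ram. The register interface never produces such values,
 * but the stream is external input and musicpal_lcd_write() uses both
 * fields to address the array.
 */
static int musicpal_lcd_post_load(void *opaque, int version_id)
{
    musicpal_lcd_state *s = opaque;

    if (s->page > MP_LCD_INST_SETPAGE7 - MP_LCD_INST_SETPAGE0 ||
        s->page_off > 127) {
        return -EINVAL;
    }
    return 0;
}

/*
 * Migration description for the LCD controller. The field list and its
 * order define the stream layout and are unchanged; only the post_load
 * validation hook is added.
 */
static const VMStateDescription musicpal_lcd_vmsd = {
    .name = "musicpal_lcd",
    .version_id = 1,
    .minimum_version_id = 1,
    .post_load = musicpal_lcd_post_load,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(brightness, musicpal_lcd_state),
        VMSTATE_UINT32(mode, musicpal_lcd_state),
        VMSTATE_UINT32(irqctrl, musicpal_lcd_state),
        VMSTATE_UINT32(page, musicpal_lcd_state),
        VMSTATE_UINT32(page_off, musicpal_lcd_state),
        VMSTATE_BUFFER(video_ram, musicpal_lcd_state),
        VMSTATE_END_OF_LIST()
    }
};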
680 
/*
 * Class init: install the realize hook and the migration description for
 * the LCD controller.
 */
static void musicpal_lcd_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *device_class = DEVICE_CLASS(klass);

    device_class->realize = musicpal_lcd_realize;
    device_class->vmsd = &musicpal_lcd_vmsd;
}
688 
689 static const TypeInfo musicpal_lcd_info = {
690     .name          = TYPE_MUSICPAL_LCD,
691     .parent        = TYPE_SYS_BUS_DEVICE,
692     .instance_size = sizeof(musicpal_lcd_state),
693     .instance_init = musicpal_lcd_init,
694     .class_init    = musicpal_lcd_class_init,
695 };
696 
697 /* PIC register offsets */
698 #define MP_PIC_STATUS           0x00
699 #define MP_PIC_ENABLE_SET       0x08
700 #define MP_PIC_ENABLE_CLR       0x0C
701 
702 #define TYPE_MV88W8618_PIC "mv88w8618_pic"
703 #define MV88W8618_PIC(obj) \
704     OBJECT_CHECK(mv88w8618_pic_state, (obj), TYPE_MV88W8618_PIC)
705 
706 typedef struct mv88w8618_pic_state {
707     /*< private >*/
708     SysBusDevice parent_obj;
709     /*< public >*/
710 
711     MemoryRegion iomem;
712     uint32_t level;
713     uint32_t enabled;
714     qemu_irq parent_irq;
715 } mv88w8618_pic_state;
716 
/*
 * Drive the parent interrupt line with the set of inputs that are both
 * asserted and enabled.
 */
static void mv88w8618_pic_update(mv88w8618_pic_state *s)
{
    uint32_t pending = s->level & s->enabled;

    qemu_set_irq(s->parent_irq, pending);
}
721 
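/*
 * GPIO input handler: record the level of input line @irq and update the
 * parent interrupt.
 *
 * mv88w8618_pic_init() registers 32 input lines, so @irq can be 31. The
 * mask is therefore built from an unsigned constant: shifting a signed 1
 * into bit 31 is undefined behaviour in C.
 */
static void mv88w8618_pic_set_irq(void *opaque, int irq, int level)
{
    mv88w8618_pic_state *s = opaque;
    uint32_t mask = 1u << irq;

    if (level) {
        s->level |= mask;
    } else {
        s->level &= ~mask;
    }
    mv88w8618_pic_update(s);
}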
733 
/*
 * MMIO read handler for the interrupt controller: MP_PIC_STATUS returns
 * the asserted-and-enabled inputs, every other offset returns 0. @size is
 * ignored.
 */
static uint64_t mv88w8618_pic_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    mv88w8618_pic_state *s = opaque;

    if (offset == MP_PIC_STATUS) {
        return s->level & s->enabled;
    }
    return 0;
}
747 
/*
 * MMIO write handler for the interrupt controller.
 *
 * ENABLE_SET enables the inputs whose bits are set in @value; ENABLE_CLR
 * disables them and also clears their recorded level. The parent line is
 * re-evaluated after every write, including writes to other offsets.
 */
static void mv88w8618_pic_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
    mv88w8618_pic_state *s = opaque;

    if (offset == MP_PIC_ENABLE_SET) {
        s->enabled |= value;
    } else if (offset == MP_PIC_ENABLE_CLR) {
        s->enabled &= ~value;
        s->level &= ~value;
    }

    mv88w8618_pic_update(s);
}
765 
/* Device reset: no input enabled and no level recorded. */
static void mv88w8618_pic_reset(DeviceState *d)
{
    mv88w8618_pic_state *pic = MV88W8618_PIC(d);

    pic->enabled = 0;
    pic->level = 0;
}
773 
774 static const MemoryRegionOps mv88w8618_pic_ops = {
775     .read = mv88w8618_pic_read,
776     .write = mv88w8618_pic_write,
777     .endianness = DEVICE_NATIVE_ENDIAN,
778 };
779 
/*
 * Instance init: register 32 interrupt inputs, the outgoing parent line
 * and the register window of the interrupt controller.
 */
static void mv88w8618_pic_init(Object *obj)
{
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
    mv88w8618_pic_state *s = MV88W8618_PIC(obj);

    qdev_init_gpio_in(DEVICE(obj), mv88w8618_pic_set_irq, 32);
    sysbus_init_irq(sbd, &s->parent_irq);

    memory_region_init_io(&s->iomem, obj, &mv88w8618_pic_ops, s,
                          "musicpal-pic", MP_PIC_SIZE);
    sysbus_init_mmio(sbd, &s->iomem);
}
791 
792 static const VMStateDescription mv88w8618_pic_vmsd = {
793     .name = "mv88w8618_pic",
794     .version_id = 1,
795     .minimum_version_id = 1,
796     .fields = (VMStateField[]) {
797         VMSTATE_UINT32(level, mv88w8618_pic_state),
798         VMSTATE_UINT32(enabled, mv88w8618_pic_state),
799         VMSTATE_END_OF_LIST()
800     }
801 };
802 
/*
 * Class init: install the reset hook and the migration description for
 * the interrupt controller.
 */
static void mv88w8618_pic_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *device_class = DEVICE_CLASS(klass);

    device_class->vmsd = &mv88w8618_pic_vmsd;
    device_class->reset = mv88w8618_pic_reset;
}
810 
811 static const TypeInfo mv88w8618_pic_info = {
812     .name          = TYPE_MV88W8618_PIC,
813     .parent        = TYPE_SYS_BUS_DEVICE,
814     .instance_size = sizeof(mv88w8618_pic_state),
815     .instance_init = mv88w8618_pic_init,
816     .class_init    = mv88w8618_pic_class_init,
817 };
818 
819 /* PIT register offsets */
820 #define MP_PIT_TIMER1_LENGTH    0x00
821 /* ... */
822 #define MP_PIT_TIMER4_LENGTH    0x0C
823 #define MP_PIT_CONTROL          0x10
824 #define MP_PIT_TIMER1_VALUE     0x14
825 /* ... */
826 #define MP_PIT_TIMER4_VALUE     0x20
827 #define MP_BOARD_RESET          0x34
828 
829 /* Magic board reset value (probably some watchdog behind it) */
830 #define MP_BOARD_RESET_MAGIC    0x10000
831 
832 typedef struct mv88w8618_timer_state {
833     ptimer_state *ptimer;
834     uint32_t limit;
835     int freq;
836     qemu_irq irq;
837 } mv88w8618_timer_state;
838 
839 #define TYPE_MV88W8618_PIT "mv88w8618_pit"
840 #define MV88W8618_PIT(obj) \
841     OBJECT_CHECK(mv88w8618_pit_state, (obj), TYPE_MV88W8618_PIT)
842 
843 typedef struct mv88w8618_pit_state {
844     /*< private >*/
845     SysBusDevice parent_obj;
846     /*< public >*/
847 
848     MemoryRegion iomem;
849     mv88w8618_timer_state timer[4];
850 } mv88w8618_pit_state;
851 
/* ptimer callback: raise the interrupt line of the timer that fired. */
static void mv88w8618_timer_tick(void *opaque)
{
    mv88w8618_timer_state *timer = opaque;

    qemu_irq_raise(timer->irq);
}
858 
/*
 * Set up one PIT timer: remember its frequency, register its interrupt
 * line on @dev and create the backing ptimer.
 */
static void mv88w8618_timer_init(SysBusDevice *dev, mv88w8618_timer_state *s,
                                 uint32_t freq)
{
    s->freq = freq;
    sysbus_init_irq(dev, &s->irq);
    s->ptimer = ptimer_init(mv88w8618_timer_tick, s, PTIMER_POLICY_DEFAULT);
}
867 
/*
 * MMIO read handler for the timer block: the four VALUE registers return
 * the current count of the matching ptimer, every other offset returns 0.
 * @size is ignored.
 */
static uint64_t mv88w8618_pit_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    mv88w8618_pit_state *s = opaque;
    mv88w8618_timer_state *t;

    if (offset < MP_PIT_TIMER1_VALUE || offset > MP_PIT_TIMER4_VALUE) {
        return 0;
    }

    /* The range check above keeps the index within 0..3. */
    t = &s->timer[(offset - MP_PIT_TIMER1_VALUE) >> 2];
    return ptimer_get_count(t->ptimer);
}
883 
/*
 * MMIO write handler for the timer block.
 *
 * A LENGTH register stores the reload value of its timer and either
 * applies it (non-zero) or stops the timer (zero). CONTROL carries one
 * 4-bit field per timer, lowest nibble first: a non-zero field starts a
 * timer that has a non-zero limit, otherwise the timer is stopped.
 * MP_BOARD_RESET requests a guest reset when the magic value is written.
 * Writes to other offsets are ignored, as is @size.
 */
static void mv88w8618_pit_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
    mv88w8618_pit_state *s = opaque;
    mv88w8618_timer_state *t;
    int i;

    switch (offset) {
    /* The case range keeps offset >> 2 within 0..3. */
    case MP_PIT_TIMER1_LENGTH ... MP_PIT_TIMER4_LENGTH:
        t = &s->timer[offset >> 2];
        t->limit = value;
        ptimer_transaction_begin(t->ptimer);
        if (t->limit == 0) {
            ptimer_stop(t->ptimer);
        } else {
            ptimer_set_limit(t->ptimer, t->limit, 1);
        }
        ptimer_transaction_commit(t->ptimer);
        break;

    case MP_PIT_CONTROL:
        for (i = 0; i < 4; i++, value >>= 4) {
            t = &s->timer[i];
            ptimer_transaction_begin(t->ptimer);
            if ((value & 0xf) && t->limit > 0) {
                ptimer_set_limit(t->ptimer, t->limit, 0);
                ptimer_set_freq(t->ptimer, t->freq);
                ptimer_run(t->ptimer, 0);
            } else {
                ptimer_stop(t->ptimer);
            }
            ptimer_transaction_commit(t->ptimer);
        }
        break;

    case MP_BOARD_RESET:
        if (value == MP_BOARD_RESET_MAGIC) {
            qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
        }
        break;
    }
}
927 
/* Device reset: stop all four timers and clear their reload values. */
static void mv88w8618_pit_reset(DeviceState *d)
{
    mv88w8618_pit_state *pit = MV88W8618_PIT(d);
    mv88w8618_timer_state *t;
    int n;

    for (n = 0; n < 4; n++) {
        t = &pit->timer[n];
        t->limit = 0;

        ptimer_transaction_begin(t->ptimer);
        ptimer_stop(t->ptimer);
        ptimer_transaction_commit(t->ptimer);
    }
}
941 
942 static const MemoryRegionOps mv88w8618_pit_ops = {
943     .read = mv88w8618_pit_read,
944     .write = mv88w8618_pit_write,
945     .endianness = DEVICE_NATIVE_ENDIAN,
946 };
947 
/*
 * Instance init: create the four timers and expose the register window of
 * the timer block.
 */
static void mv88w8618_pit_init(Object *obj)
{
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
    mv88w8618_pit_state *s = MV88W8618_PIT(obj);
    int n;

    /*
     * Every timer runs at 1 MHz; this is likely just a pragmatic
     * simplification.
     */
    for (n = 0; n < 4; n++) {
        mv88w8618_timer_init(sbd, &s->timer[n], 1000000);
    }

    memory_region_init_io(&s->iomem, obj, &mv88w8618_pit_ops, s,
                          "musicpal-pit", MP_PIT_SIZE);
    sysbus_init_mmio(sbd, &s->iomem);
}
964 
965 static const VMStateDescription mv88w8618_timer_vmsd = {
966     .name = "timer",
967     .version_id = 1,
968     .minimum_version_id = 1,
969     .fields = (VMStateField[]) {
970         VMSTATE_PTIMER(ptimer, mv88w8618_timer_state),
971         VMSTATE_UINT32(limit, mv88w8618_timer_state),
972         VMSTATE_END_OF_LIST()
973     }
974 };
975 
976 static const VMStateDescription mv88w8618_pit_vmsd = {
977     .name = "mv88w8618_pit",
978     .version_id = 1,
979     .minimum_version_id = 1,
980     .fields = (VMStateField[]) {
981         VMSTATE_STRUCT_ARRAY(timer, mv88w8618_pit_state, 4, 1,
982                              mv88w8618_timer_vmsd, mv88w8618_timer_state),
983         VMSTATE_END_OF_LIST()
984     }
985 };
986 
/*
 * Class init: install the reset hook and the migration description for
 * the timer block.
 */
static void mv88w8618_pit_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *device_class = DEVICE_CLASS(klass);

    device_class->vmsd = &mv88w8618_pit_vmsd;
    device_class->reset = mv88w8618_pit_reset;
}
994 
995 static const TypeInfo mv88w8618_pit_info = {
996     .name          = TYPE_MV88W8618_PIT,
997     .parent        = TYPE_SYS_BUS_DEVICE,
998     .instance_size = sizeof(mv88w8618_pit_state),
999     .instance_init = mv88w8618_pit_init,
1000     .class_init    = mv88w8618_pit_class_init,
1001 };
1002 
/* Flash config register offsets (relative to the start of the region) */
#define MP_FLASHCFG_CFGR0    0x04

#define TYPE_MV88W8618_FLASHCFG "mv88w8618_flashcfg"
/* Checked QOM cast from a generic object to the flash config device. */
#define MV88W8618_FLASHCFG(obj) \
    OBJECT_CHECK(mv88w8618_flashcfg_state, (obj), TYPE_MV88W8618_FLASHCFG)

/* Device state of the flash configuration block: one 32-bit register. */
typedef struct mv88w8618_flashcfg_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;   /* register window exposed on the sysbus */
    uint32_t cfgr0;       /* value read and written at MP_FLASHCFG_CFGR0 */
} mv88w8618_flashcfg_state;
1018 
/*
 * MMIO read handler for the flash config block.
 *
 * offset comes from the guest; it is only compared against the one known
 * register offset and never used as an index. size is ignored.
 * Returns cfgr0 for MP_FLASHCFG_CFGR0 and 0 for every other offset.
 */
static uint64_t mv88w8618_flashcfg_read(void *opaque,
                                        hwaddr offset,
                                        unsigned size)
{
    mv88w8618_flashcfg_state *cfg = opaque;

    if (offset == MP_FLASHCFG_CFGR0) {
        return cfg->cfgr0;
    }

    /* Anything else in the window reads as zero. */
    return 0;
}
1033 
/*
 * MMIO write handler for the flash config block.
 *
 * Only MP_FLASHCFG_CFGR0 is writable; the 64-bit value is narrowed to the
 * 32-bit cfgr0 field by the assignment. Writes to any other offset are
 * dropped. size is ignored.
 */
static void mv88w8618_flashcfg_write(void *opaque, hwaddr offset,
                                     uint64_t value, unsigned size)
{
    mv88w8618_flashcfg_state *cfg = opaque;

    if (offset == MP_FLASHCFG_CFGR0) {
        cfg->cfgr0 = value;
    }
}
1045 
/*
 * MMIO callbacks for the flash config region.
 *
 * Only read, write and endianness are set: no .valid or .impl access-size
 * limits are given, so the accepted access sizes are whatever the memory
 * core defaults to, and both handlers ignore their size argument.
 */
static const MemoryRegionOps mv88w8618_flashcfg_ops = {
    .read = mv88w8618_flashcfg_read,
    .write = mv88w8618_flashcfg_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1051 
/*
 * Instance init for the flash config block: publish the register window
 * and preload cfgr0.
 */
static void mv88w8618_flashcfg_init(Object *obj)
{
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
    mv88w8618_flashcfg_state *cfg = MV88W8618_FLASHCFG(sbd);

    memory_region_init_io(&cfg->iomem, obj, &mv88w8618_flashcfg_ops, cfg,
                          "musicpal-flashcfg", MP_FLASHCFG_SIZE);
    sysbus_init_mmio(sbd, &cfg->iomem);

    /*
     * Default as set by U-Boot for 8 MB flash. It is assigned only here;
     * the class registers no reset handler, so a guest-written value is
     * not restored to this default by a device reset.
     */
    cfg->cfgr0 = 0xfffe4285;
}
1062 
/*
 * Migration layout of the flash config block: the single cfgr0 register.
 * The loaded value is stored as-is; the visible handlers only return it to
 * the guest.
 */
static const VMStateDescription mv88w8618_flashcfg_vmsd = {
    .name = "mv88w8618_flashcfg",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(cfgr0, mv88w8618_flashcfg_state),
        VMSTATE_END_OF_LIST()
    }
};
1072 
/*
 * Class init for the flash config block: only the migration layout is
 * installed (no reset handler).
 */
static void mv88w8618_flashcfg_class_init(ObjectClass *klass, void *data)
{
    DEVICE_CLASS(klass)->vmsd = &mv88w8618_flashcfg_vmsd;
}
1079 
/*
 * QOM type record for the flash config block: a sysbus device whose
 * instances are mv88w8618_flashcfg_state objects.
 */
static const TypeInfo mv88w8618_flashcfg_info = {
    .name          = TYPE_MV88W8618_FLASHCFG,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(mv88w8618_flashcfg_state),
    .instance_init = mv88w8618_flashcfg_init,
    .class_init    = mv88w8618_flashcfg_class_init,
};
1087 
/* Misc register offsets (relative to the start of the region) */
#define MP_MISC_BOARD_REVISION  0x18

/* Constant returned when the guest reads MP_MISC_BOARD_REVISION */
#define MP_BOARD_REVISION       0x31

/* Device state of the "misc" block: it has no registers of its own. */
typedef struct {
    SysBusDevice parent_obj;
    MemoryRegion iomem;   /* register window exposed on the sysbus */
} MusicPalMiscState;

#define TYPE_MUSICPAL_MISC "musicpal-misc"
/* Checked QOM cast from a generic object to the misc device. */
#define MUSICPAL_MISC(obj) \
     OBJECT_CHECK(MusicPalMiscState, (obj), TYPE_MUSICPAL_MISC)
1101 
/*
 * MMIO read handler for the misc block.
 *
 * Returns the fixed board revision at MP_MISC_BOARD_REVISION and 0 for
 * every other offset. opaque and size are unused; the guest-supplied
 * offset is only compared, never used as an index.
 */
static uint64_t musicpal_misc_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    if (offset == MP_MISC_BOARD_REVISION) {
        return MP_BOARD_REVISION;
    }

    return 0;
}
1113 
/* MMIO write handler for the misc block: every guest write is discarded. */
static void musicpal_misc_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
    /* Intentionally empty: the block has no writable registers. */
}
1118 
/*
 * MMIO callbacks for the misc region. No .valid or .impl access-size
 * limits are set; the handlers ignore the access size.
 */
static const MemoryRegionOps musicpal_misc_ops = {
    .read = musicpal_misc_read,
    .write = musicpal_misc_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1124 
/* Instance init for the misc block: publish its register window. */
static void musicpal_misc_init(Object *obj)
{
    MusicPalMiscState *misc = MUSICPAL_MISC(obj);
    SysBusDevice *sbd = SYS_BUS_DEVICE(obj);

    /* The handlers keep no state, so the opaque pointer is NULL. */
    memory_region_init_io(&misc->iomem, OBJECT(misc), &musicpal_misc_ops,
                          NULL, "musicpal-misc", MP_MISC_SIZE);
    sysbus_init_mmio(sbd, &misc->iomem);
}
1134 
/*
 * QOM type record for the misc block. No class_init is given, so the type
 * installs neither a reset handler nor a migration description.
 */
static const TypeInfo musicpal_misc_info = {
    .name = TYPE_MUSICPAL_MISC,
    .parent = TYPE_SYS_BUS_DEVICE,
    .instance_init = musicpal_misc_init,
    .instance_size = sizeof(MusicPalMiscState),
};
1141 
/* WLAN register offsets (relative to the start of the region) */
#define MP_WLAN_MAGIC1          0x11c
#define MP_WLAN_MAGIC2          0x124

/*
 * MMIO read handler for the WLAN stub.
 *
 * No WLAN hardware is modelled. The two magic offsets return fixed values
 * as a workaround so that the binary-only wlandrv.ko from the original
 * Freecom firmware can be loaded; every other offset reads as 0.
 * opaque and size are unused.
 */
static uint64_t mv88w8618_wlan_read(void *opaque, hwaddr offset,
                                    unsigned size)
{
    if (offset == MP_WLAN_MAGIC1) {
        return ~3;
    }
    if (offset == MP_WLAN_MAGIC2) {
        return -1;
    }

    return 0;
}
1161 
/* MMIO write handler for the WLAN stub: every guest write is discarded. */
static void mv88w8618_wlan_write(void *opaque, hwaddr offset,
                                 uint64_t value, unsigned size)
{
    /* Intentionally empty: the stub models no writable registers. */
}
1166 
/*
 * MMIO callbacks for the WLAN stub region. No .valid or .impl access-size
 * limits are set; the handlers ignore the access size.
 */
static const MemoryRegionOps mv88w8618_wlan_ops = {
    .read = mv88w8618_wlan_read,
    .write =mv88w8618_wlan_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1172 
/*
 * Realize the WLAN stub: create its MMIO region and hand it to the sysbus.
 *
 * The type's instance is a bare SysBusDevice, so the MemoryRegion is
 * allocated separately here. This function keeps no pointer to it and
 * never sets errp.
 */
static void mv88w8618_wlan_realize(DeviceState *dev, Error **errp)
{
    SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
    MemoryRegion *region = g_new(MemoryRegion, 1);

    /* The handlers keep no state, so the opaque pointer is NULL. */
    memory_region_init_io(region, OBJECT(dev), &mv88w8618_wlan_ops, NULL,
                          "musicpal-wlan", MP_WLAN_SIZE);
    sysbus_init_mmio(sbd, region);
}
1181 
/*
 * GPIO register offsets. Each 32-bit quantity is split into a _LO register
 * (bits 0-15) and a _HI register (bits 16-31), as the read and write
 * handlers show.
 */
#define MP_GPIO_OE_LO           0x008
#define MP_GPIO_OUT_LO          0x00c
#define MP_GPIO_IN_LO           0x010
#define MP_GPIO_IER_LO          0x014
#define MP_GPIO_IMR_LO          0x018
#define MP_GPIO_ISR_LO          0x020
#define MP_GPIO_OE_HI           0x508
#define MP_GPIO_OUT_HI          0x50c
#define MP_GPIO_IN_HI           0x510
#define MP_GPIO_IER_HI          0x514
#define MP_GPIO_IMR_HI          0x518
#define MP_GPIO_ISR_HI          0x520

/* GPIO bits & masks (positions within the full 32-bit out_state) */
#define MP_GPIO_LCD_BRIGHTNESS  0x00070000
#define MP_GPIO_I2C_DATA_BIT    29
#define MP_GPIO_I2C_CLOCK_BIT   30

/* LCD brightness bits in GPIO_OE_HI */
#define MP_OE_LCD_BRIGHTNESS    0x0007

#define TYPE_MUSICPAL_GPIO "musicpal_gpio"
/* Checked QOM cast from a generic object to the GPIO device. */
#define MUSICPAL_GPIO(obj) \
    OBJECT_CHECK(musicpal_gpio_state, (obj), TYPE_MUSICPAL_GPIO)

/* Device state of the GPIO block. */
typedef struct musicpal_gpio_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;
    /* bits 0-2: value written to OE_HI; bits 16-18: copy of OUT bits */
    uint32_t lcd_brightness;
    uint32_t out_state;   /* full 32-bit output latch */
    uint32_t in_state;    /* full 32-bit input levels */
    uint32_t ier;         /* gates interrupts on a pin going low */
    uint32_t imr;         /* gates interrupts on a pin going high */
    uint32_t isr;         /* set by the pin handler, readable by the guest */
    qemu_irq irq;         /* interrupt line towards the PIC */
    qemu_irq out[5]; /* 0-2: LCD brightness, 3: I2C data, 4: I2C clock */
} musicpal_gpio_state;
1223 
/*
 * Translate the raw lcd_brightness bit pattern into a 0..7 level and drive
 * it, one bit per line, onto outputs 0-2.
 */
static void musicpal_gpio_brightness_update(musicpal_gpio_state *s)
{
    const uint32_t raw = s->lcd_brightness;
    uint32_t level;
    int bit;

    /* Known bit patterns map to levels 0..6; everything else is 7. */
    if (raw == 0x00000007) {
        level = 0;
    } else if (raw == 0x00020000) {
        level = 1;
    } else if (raw == 0x00020001) {
        level = 2;
    } else if (raw == 0x00040000) {
        level = 3;
    } else if (raw == 0x00010006) {
        level = 4;
    } else if (raw == 0x00020005) {
        level = 5;
    } else if (raw == 0x00040003) {
        level = 6;
    } else {
        /* 0x00030004 and any unlisted combination */
        level = 7;
    }

    /* Drive the three LCD brightness GPIOs, least significant bit first. */
    for (bit = 0; bit < 3; bit++) {
        qemu_set_irq(s->out[bit], (level >> bit) & 1);
    }
}
1268 
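/*
 * GPIO input line handler: record the new level of one input pin and raise
 * the GPIO interrupt when an enabled edge is seen.
 *
 * opaque is the musicpal_gpio_state, pin is the input line index
 * (musicpal_gpio_init() registers 32 lines) and level is the new level.
 * NOTE(review): the bit arithmetic assumes level is 0 or 1 - confirm that
 * every source wired to these inputs normalises its level.
 */
static void musicpal_gpio_pin_event(void *opaque, int pin, int level)
{
    musicpal_gpio_state *s = opaque;
    /*
     * Shift unsigned operands: with pin == 31 a signed "1 << pin" moves a
     * bit into the sign position, which is undefined behaviour in C.
     */
    uint32_t mask = (uint32_t)1 << pin;
    uint32_t delta = (uint32_t)level << pin;
    uint32_t old = s->in_state & mask;

    s->in_state &= ~mask;
    s->in_state |= delta;

    /* A change to high is gated by imr, a change to low by ier. */
    if ((old ^ delta) &&
        ((level && (s->imr & mask)) || (!level && (s->ier & mask)))) {
        /* isr is assigned, not OR-ed: only the latest pin stays recorded. */
        s->isr = mask;
        qemu_irq_raise(s->irq);
    }
}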
1285 
/*
 * MMIO read handler for the GPIO block.
 *
 * Each 32-bit state word is visible as two 16-bit halves: the _LO register
 * returns bits 0-15 and the _HI register returns bits 16-31 shifted down.
 * OE_HI returns only the LCD brightness bits. Unknown offsets read as 0.
 * The guest-supplied offset is only compared against known registers;
 * size is ignored.
 */
static uint64_t musicpal_gpio_read(void *opaque, hwaddr offset,
                                   unsigned size)
{
    musicpal_gpio_state *gpio = opaque;
    uint32_t word;
    bool upper;

    switch (offset) {
    case MP_GPIO_OE_HI: /* used for LCD brightness control */
        return gpio->lcd_brightness & MP_OE_LCD_BRIGHTNESS;

    case MP_GPIO_OUT_LO:
        word = gpio->out_state;
        upper = false;
        break;
    case MP_GPIO_OUT_HI:
        word = gpio->out_state;
        upper = true;
        break;

    case MP_GPIO_IN_LO:
        word = gpio->in_state;
        upper = false;
        break;
    case MP_GPIO_IN_HI:
        word = gpio->in_state;
        upper = true;
        break;

    case MP_GPIO_IER_LO:
        word = gpio->ier;
        upper = false;
        break;
    case MP_GPIO_IER_HI:
        word = gpio->ier;
        upper = true;
        break;

    case MP_GPIO_IMR_LO:
        word = gpio->imr;
        upper = false;
        break;
    case MP_GPIO_IMR_HI:
        word = gpio->imr;
        upper = true;
        break;

    case MP_GPIO_ISR_LO:
        word = gpio->isr;
        upper = false;
        break;
    case MP_GPIO_ISR_HI:
        word = gpio->isr;
        upper = true;
        break;

    default:
        return 0;
    }

    if (upper) {
        return word >> 16;
    }
    return word & 0xFFFF;
}
1324 
/*
 * MMIO write handler for the GPIO block.
 *
 * A _LO write replaces bits 0-15 of the target word and a _HI write
 * replaces bits 16-31; the other half is preserved. Writes to OE_HI and
 * OUT_HI also refresh the LCD brightness outputs, and OUT_HI drives the
 * I2C data and clock lines. There is no case for the IN or ISR registers,
 * so guest writes to them (and to unknown offsets) are dropped.
 * size is ignored.
 */
static void musicpal_gpio_write(void *opaque, hwaddr offset,
                                uint64_t value, unsigned size)
{
    musicpal_gpio_state *gpio = opaque;
    /* The two possible placements of the written value in a 32-bit word. */
    const uint32_t low_half = value & 0xFFFF;
    const uint32_t high_half = value << 16;

    switch (offset) {
    case MP_GPIO_OE_HI: /* used for LCD brightness control */
        gpio->lcd_brightness =
            (gpio->lcd_brightness & MP_GPIO_LCD_BRIGHTNESS) |
            (value & MP_OE_LCD_BRIGHTNESS);
        musicpal_gpio_brightness_update(gpio);
        break;

    case MP_GPIO_OUT_LO:
        gpio->out_state = (gpio->out_state & 0xFFFF0000) | low_half;
        break;
    case MP_GPIO_OUT_HI:
        gpio->out_state = (gpio->out_state & 0xFFFF) | high_half;
        /* Mirror the brightness bits of the new output word. */
        gpio->lcd_brightness =
            (gpio->lcd_brightness & 0xFFFF) |
            (gpio->out_state & MP_GPIO_LCD_BRIGHTNESS);
        musicpal_gpio_brightness_update(gpio);
        qemu_set_irq(gpio->out[3],
                     (gpio->out_state >> MP_GPIO_I2C_DATA_BIT) & 1);
        qemu_set_irq(gpio->out[4],
                     (gpio->out_state >> MP_GPIO_I2C_CLOCK_BIT) & 1);
        break;

    case MP_GPIO_IER_LO:
        gpio->ier = (gpio->ier & 0xFFFF0000) | low_half;
        break;
    case MP_GPIO_IER_HI:
        gpio->ier = (gpio->ier & 0xFFFF) | high_half;
        break;

    case MP_GPIO_IMR_LO:
        gpio->imr = (gpio->imr & 0xFFFF0000) | low_half;
        break;
    case MP_GPIO_IMR_HI:
        gpio->imr = (gpio->imr & 0xFFFF) | high_half;
        break;
    }
}
1363 
/*
 * MMIO callbacks for the GPIO region. No .valid or .impl access-size
 * limits are set; the handlers ignore the access size and match register
 * offsets exactly.
 */
static const MemoryRegionOps musicpal_gpio_ops = {
    .read = musicpal_gpio_read,
    .write = musicpal_gpio_write,
    .endianness = DEVICE_NATIVE_ENDIAN,
};
1369 
/*
 * Device reset for the GPIO block: all inputs read high, everything else
 * is cleared. The output lines themselves are not re-driven here.
 */
static void musicpal_gpio_reset(DeviceState *d)
{
    musicpal_gpio_state *gpio = MUSICPAL_GPIO(d);

    /* Inputs idle high. */
    gpio->in_state = 0xffffffff;

    gpio->out_state = 0;
    gpio->lcd_brightness = 0;

    /* No interrupt sources enabled, nothing pending. */
    gpio->imr = 0;
    gpio->ier = 0;
    gpio->isr = 0;
}
1381 
/*
 * Instance init for the GPIO block: one interrupt output, the register
 * window, five GPIO outputs and 32 GPIO inputs.
 */
static void musicpal_gpio_init(Object *obj)
{
    SysBusDevice *bus_dev = SYS_BUS_DEVICE(obj);
    DeviceState *qdev = DEVICE(bus_dev);
    musicpal_gpio_state *gpio = MUSICPAL_GPIO(qdev);

    /* Interrupt line towards the interrupt controller. */
    sysbus_init_irq(bus_dev, &gpio->irq);

    memory_region_init_io(&gpio->iomem, obj, &musicpal_gpio_ops, gpio,
                          "musicpal-gpio", MP_GPIO_SIZE);
    sysbus_init_mmio(bus_dev, &gpio->iomem);

    /* Outputs: LCD brightness (0-2), I2C data (3), I2C clock (4). */
    qdev_init_gpio_out(qdev, gpio->out, ARRAY_SIZE(gpio->out));

    /* One input line per bit of in_state. */
    qdev_init_gpio_in(qdev, musicpal_gpio_pin_event, 32);
}
1398 
/*
 * Migration layout of the GPIO block: the six 32-bit state words, in this
 * order. Loaded values are only used as bit masks by the visible handlers
 * (the brightness switch has a default case), never as array indexes.
 */
static const VMStateDescription musicpal_gpio_vmsd = {
    .name = "musicpal_gpio",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(lcd_brightness, musicpal_gpio_state),
        VMSTATE_UINT32(out_state, musicpal_gpio_state),
        VMSTATE_UINT32(in_state, musicpal_gpio_state),
        VMSTATE_UINT32(ier, musicpal_gpio_state),
        VMSTATE_UINT32(imr, musicpal_gpio_state),
        VMSTATE_UINT32(isr, musicpal_gpio_state),
        VMSTATE_END_OF_LIST()
    }
};
1413 
/* Class init for the GPIO block: reset handler and migration layout. */
static void musicpal_gpio_class_init(ObjectClass *klass, void *data)
{
    DeviceClass *device_class = DEVICE_CLASS(klass);

    device_class->vmsd = &musicpal_gpio_vmsd;
    device_class->reset = musicpal_gpio_reset;
}
1421 
/*
 * QOM type record for the GPIO block: a sysbus device whose instances are
 * musicpal_gpio_state objects.
 */
static const TypeInfo musicpal_gpio_info = {
    .name          = TYPE_MUSICPAL_GPIO,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(musicpal_gpio_state),
    .instance_init = musicpal_gpio_init,
    .class_init    = musicpal_gpio_class_init,
};
1429 
/* Keyboard codes & masks */
#define KEY_RELEASED            0x80   /* set in the keycode on key release */
#define KEY_CODE                0x7f   /* mask selecting the key itself */

/* Plain keys, mapped to the four front buttons */
#define KEYCODE_TAB             0x0f
#define KEYCODE_ENTER           0x1c
#define KEYCODE_F               0x21
#define KEYCODE_M               0x32

/* Prefix byte announcing an extended key, and the cursor keys behind it */
#define KEYCODE_EXTENDED        0xe0
#define KEYCODE_UP              0x48
#define KEYCODE_DOWN            0x50
#define KEYCODE_LEFT            0x4b
#define KEYCODE_RIGHT           0x4d

/* Event bits; bit i is driven onto output line out[i] */
#define MP_KEY_WHEEL_VOL       (1 << 0)
#define MP_KEY_WHEEL_VOL_INV   (1 << 1)
#define MP_KEY_WHEEL_NAV       (1 << 2)
#define MP_KEY_WHEEL_NAV_INV   (1 << 3)
#define MP_KEY_BTN_FAVORITS    (1 << 4)
#define MP_KEY_BTN_MENU        (1 << 5)
#define MP_KEY_BTN_VOLUME      (1 << 6)
#define MP_KEY_BTN_NAVIGATION  (1 << 7)

#define TYPE_MUSICPAL_KEY "musicpal_key"
/* Checked QOM cast from a generic object to the key device. */
#define MUSICPAL_KEY(obj) \
    OBJECT_CHECK(musicpal_key_state, (obj), TYPE_MUSICPAL_KEY)

/* Device state of the front-panel key emulation. */
typedef struct musicpal_key_state {
    /*< private >*/
    SysBusDevice parent_obj;
    /*< public >*/

    MemoryRegion iomem;      /* zero-sized placeholder region */
    uint32_t kbd_extended;   /* 1 after a KEYCODE_EXTENDED prefix was seen */
    uint32_t pressed_keys;   /* MP_KEY_* bits of the keys currently down */
    qemu_irq out[8];         /* one output line per MP_KEY_* bit */
} musicpal_key_state;
1468 
/*
 * Host keyboard event handler: translate a keycode into MP_KEY_* events
 * and drive the matching output lines.
 *
 * opaque is the musicpal_key_state. keycode carries KEY_RELEASED on
 * release; a KEYCODE_EXTENDED prefix arrives as its own call and only
 * arms kbd_extended for the next keycode. Lines are driven to 0 on press
 * and to 1 on release. Unmapped keys produce no event.
 */
static void musicpal_key_event(void *opaque, int keycode)
{
    musicpal_key_state *s = opaque;
    uint32_t event = 0;
    int i;

    /* Prefix byte: remember it and wait for the actual key. */
    if (keycode == KEYCODE_EXTENDED) {
        s->kbd_extended = 1;
        return;
    }

    if (s->kbd_extended) {
        /* Cursor keys emulate the two wheels; the _INV bit is set for
         * Up and Left only. */
        switch (keycode & KEY_CODE) {
        case KEYCODE_UP:
            event = MP_KEY_WHEEL_NAV | MP_KEY_WHEEL_NAV_INV;
            break;

        case KEYCODE_DOWN:
            event = MP_KEY_WHEEL_NAV;
            break;

        case KEYCODE_LEFT:
            event = MP_KEY_WHEEL_VOL | MP_KEY_WHEEL_VOL_INV;
            break;

        case KEYCODE_RIGHT:
            event = MP_KEY_WHEEL_VOL;
            break;
        }
    } else {
        /* Plain keys emulate the four buttons. */
        switch (keycode & KEY_CODE) {
        case KEYCODE_F:
            event = MP_KEY_BTN_FAVORITS;
            break;

        case KEYCODE_TAB:
            event = MP_KEY_BTN_VOLUME;
            break;

        case KEYCODE_ENTER:
            event = MP_KEY_BTN_NAVIGATION;
            break;

        case KEYCODE_M:
            event = MP_KEY_BTN_MENU;
            break;
        }
        /* Do not repeat already pressed buttons */
        if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
            event = 0;
        }
    }

    if (event) {
        /* Raise GPIO pin first if repeating a key */
        /* Only wheel events get here with a bit already in pressed_keys;
         * button repeats were dropped above. */
        if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
            for (i = 0; i <= 7; i++) {
                if (event & (1 << i)) {
                    qemu_set_irq(s->out[i], 1);
                }
            }
        }
        /* Drive each affected line: 0 while pressed, 1 once released. */
        for (i = 0; i <= 7; i++) {
            if (event & (1 << i)) {
                qemu_set_irq(s->out[i], !!(keycode & KEY_RELEASED));
            }
        }
        /* Track which event bits are currently held down. */
        if (keycode & KEY_RELEASED) {
            s->pressed_keys &= ~event;
        } else {
            s->pressed_keys |= event;
        }
    }

    /* The extended prefix applies to exactly one following keycode. */
    s->kbd_extended = 0;
}
1545 
/*
 * Instance init for the key device: a zero-sized placeholder region,
 * eight output lines and registration of the keyboard event handler.
 */
static void musicpal_key_init(Object *obj)
{
    SysBusDevice *bus_dev = SYS_BUS_DEVICE(obj);
    DeviceState *qdev = DEVICE(bus_dev);
    musicpal_key_state *keys = MUSICPAL_KEY(qdev);

    /* Start with no key held and no extended prefix pending. */
    keys->pressed_keys = 0;
    keys->kbd_extended = 0;

    /* The device has no registers; the region is empty. */
    memory_region_init(&keys->iomem, obj, "dummy", 0);
    sysbus_init_mmio(bus_dev, &keys->iomem);

    qdev_init_gpio_out(qdev, keys->out, ARRAY_SIZE(keys->out));

    /* From here on keyboard events are delivered to musicpal_key_event(). */
    qemu_add_kbd_event_handler(musicpal_key_event, keys);
}
1562 
/*
 * Migration layout of the key device: the extended-prefix flag and the
 * mask of held keys. Both are only tested as flags/bit masks by
 * musicpal_key_event().
 */
static const VMStateDescription musicpal_key_vmsd = {
    .name = "musicpal_key",
    .version_id = 1,
    .minimum_version_id = 1,
    .fields = (VMStateField[]) {
        VMSTATE_UINT32(kbd_extended, musicpal_key_state),
        VMSTATE_UINT32(pressed_keys, musicpal_key_state),
        VMSTATE_END_OF_LIST()
    }
};
1573 
/*
 * Class init for the key device: only the migration layout is installed
 * (no reset handler).
 */
static void musicpal_key_class_init(ObjectClass *klass, void *data)
{
    DEVICE_CLASS(klass)->vmsd = &musicpal_key_vmsd;
}
1580 
/*
 * QOM type record for the key device: a sysbus device whose instances are
 * musicpal_key_state objects.
 */
static const TypeInfo musicpal_key_info = {
    .name          = TYPE_MUSICPAL_KEY,
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(musicpal_key_state),
    .instance_init = musicpal_key_init,
    .class_init    = musicpal_key_class_init,
};
1588 
/*
 * Boot parameters handed to arm_load_kernel(). ram_size is filled in by
 * musicpal_init() before the call; this object is file-scope and mutable.
 */
static struct arm_boot_info musicpal_binfo = {
    .loader_start = 0x0,
    .board_id = 0x20e,
};
1593 
/*
 * Board init for the MusicPal machine: create the CPU, RAM and SRAM, then
 * instantiate and wire up every on-board device, and finally load the
 * kernel.
 *
 * Exits the process if the configured RAM size is not the board default
 * or if a supplied flash image has an unsupported size.
 */
static void musicpal_init(MachineState *machine)
{
    ARMCPU *cpu;
    qemu_irq pic[32];
    DeviceState *dev;
    DeviceState *i2c_dev;
    DeviceState *lcd_dev;
    DeviceState *key_dev;
    I2CSlave *wm8750_dev;
    SysBusDevice *s;
    I2CBus *i2c;
    int i;
    unsigned long flash_size;
    DriveInfo *dinfo;
    MachineClass *mc = MACHINE_GET_CLASS(machine);
    MemoryRegion *address_space_mem = get_system_memory();
    /* Allocated for the lifetime of the machine; not freed in this
     * function. */
    MemoryRegion *sram = g_new(MemoryRegion, 1);

    /* For now we use a fixed - the original - RAM size */
    if (machine->ram_size != mc->default_ram_size) {
        char *sz = size_to_str(mc->default_ram_size);
        error_report("Invalid RAM size, should be %s", sz);
        g_free(sz);
        exit(EXIT_FAILURE);
    }

    cpu = ARM_CPU(cpu_create(machine->cpu_type));

    /* Main RAM sits at guest-physical address 0. */
    memory_region_add_subregion(address_space_mem, 0, machine->ram);

    memory_region_init_ram(sram, NULL, "musicpal.sram", MP_SRAM_SIZE,
                           &error_fatal);
    memory_region_add_subregion(address_space_mem, MP_SRAM_BASE, sram);

    /* Interrupt controller: its output feeds the CPU IRQ input and its 32
     * inputs are collected in pic[] for the devices below. */
    dev = sysbus_create_simple(TYPE_MV88W8618_PIC, MP_PIC_BASE,
                               qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));
    for (i = 0; i < 32; i++) {
        pic[i] = qdev_get_gpio_in(dev, i);
    }
    sysbus_create_varargs(TYPE_MV88W8618_PIT, MP_PIT_BASE, pic[MP_TIMER1_IRQ],
                          pic[MP_TIMER2_IRQ], pic[MP_TIMER3_IRQ],
                          pic[MP_TIMER4_IRQ], NULL);

    serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
                   1825000, serial_hd(0), DEVICE_NATIVE_ENDIAN);
    serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
                   1825000, serial_hd(1), DEVICE_NATIVE_ENDIAN);

    /* Register flash */
    dinfo = drive_get(IF_PFLASH, 0, 0);
    if (dinfo) {
        BlockBackend *blk = blk_by_legacy_dinfo(dinfo);

        /*
         * NOTE(review): blk_getlength() reports failure as a negative
         * value; stored in an unsigned long it becomes a large number
         * that fails the size check below, so a read error is reported
         * as "Invalid flash image size" - confirm that is acceptable.
         */
        flash_size = blk_getlength(blk);
        /* Only 8, 16 and 32 MiB images are accepted; this also
         * guarantees flash_size is non-zero for the division below. */
        if (flash_size != 8*1024*1024 && flash_size != 16*1024*1024 &&
            flash_size != 32*1024*1024) {
            error_report("Invalid flash image size");
            exit(1);
        }

        /*
         * The original U-Boot accesses the flash at 0xFE000000 instead of
         * 0xFF800000 (if there is 8 MB flash). So remap flash access if the
         * image is smaller than 32 MB.
         */
        pflash_cfi02_register(0x100000000ULL - MP_FLASH_SIZE_MAX,
                              "musicpal.flash", flash_size,
                              blk, 0x10000,
                              MP_FLASH_SIZE_MAX / flash_size,
                              2, 0x00BF, 0x236D, 0x0000, 0x0000,
                              0x5555, 0x2AAA, 0);
    }
    sysbus_create_simple(TYPE_MV88W8618_FLASHCFG, MP_FLASHCFG_BASE, NULL);

    qemu_check_nic_model(&nd_table[0], "mv88w8618");
    dev = qdev_new(TYPE_MV88W8618_ETH);
    qdev_set_nic_properties(dev, &nd_table[0]);
    /* The NIC's "dma-memory" link is the whole system address space;
     * presumably this is what its guest-programmed DMA goes through. */
    object_property_set_link(OBJECT(dev), "dma-memory",
                             OBJECT(get_system_memory()), &error_fatal);
    sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
    sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, MP_ETH_BASE);
    sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[MP_ETH_IRQ]);

    sysbus_create_simple("mv88w8618_wlan", MP_WLAN_BASE, NULL);

    sysbus_create_simple(TYPE_MUSICPAL_MISC, MP_MISC_BASE, NULL);

    /* From here until the audio device is created, dev is the GPIO
     * block. */
    dev = sysbus_create_simple(TYPE_MUSICPAL_GPIO, MP_GPIO_BASE,
                               pic[MP_GPIO_IRQ]);
    /* Address -1: presumably "do not map"; the bit-banged I2C adapter is
     * driven through GPIO lines only. */
    i2c_dev = sysbus_create_simple("gpio_i2c", -1, NULL);
    i2c = (I2CBus *)qdev_get_child_bus(i2c_dev, "i2c");

    lcd_dev = sysbus_create_simple(TYPE_MUSICPAL_LCD, MP_LCD_BASE, NULL);
    key_dev = sysbus_create_simple(TYPE_MUSICPAL_KEY, -1, NULL);

    /* I2C read data */
    qdev_connect_gpio_out(i2c_dev, 0,
                          qdev_get_gpio_in(dev, MP_GPIO_I2C_DATA_BIT));
    /* I2C data */
    qdev_connect_gpio_out(dev, 3, qdev_get_gpio_in(i2c_dev, 0));
    /* I2C clock */
    qdev_connect_gpio_out(dev, 4, qdev_get_gpio_in(i2c_dev, 1));

    /* GPIO outputs 0-2 carry the LCD brightness level. */
    for (i = 0; i < 3; i++) {
        qdev_connect_gpio_out(dev, i, qdev_get_gpio_in(lcd_dev, i));
    }
    /* Key outputs 0-3 go to GPIO inputs 8-11 ... */
    for (i = 0; i < 4; i++) {
        qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 8));
    }
    /* ... and key outputs 4-7 go to GPIO inputs 19-22. */
    for (i = 4; i < 8; i++) {
        qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 15));
    }

    wm8750_dev = i2c_slave_create_simple(i2c, TYPE_WM8750, MP_WM_ADDR);
    dev = qdev_new(TYPE_MV88W8618_AUDIO);
    s = SYS_BUS_DEVICE(dev);
    /* NOTE(review): a NULL error pointer means a failure to set this
     * link is ignored, unlike the &error_fatal used for the NIC link. */
    object_property_set_link(OBJECT(dev), "wm8750", OBJECT(wm8750_dev),
                             NULL);
    sysbus_realize_and_unref(s, &error_fatal);
    sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
    sysbus_connect_irq(s, 0, pic[MP_AUDIO_IRQ]);

    musicpal_binfo.ram_size = MP_RAM_DEFAULT_SIZE;
    arm_load_kernel(cpu, machine, &musicpal_binfo);
}
1719 
/*
 * Machine class setup for "musicpal": description, init hook, default CPU
 * and the fixed RAM configuration.
 */
static void musicpal_machine_init(MachineClass *mc)
{
    mc->init = musicpal_init;
    mc->desc = "Marvell 88w8618 / MusicPal (ARM926EJ-S)";

    mc->default_cpu_type = ARM_CPU_TYPE_NAME("arm926");

    /* musicpal_init() rejects any RAM size other than this default. */
    mc->default_ram_id = "musicpal.ram";
    mc->default_ram_size = MP_RAM_DEFAULT_SIZE;

    /*
     * NOTE(review): with this flag set, guest accesses that hit no device
     * are presumably ignored instead of faulting, which can hide stray
     * accesses - confirm against the MachineClass documentation.
     */
    mc->ignore_memory_transaction_failures = true;
}

DEFINE_MACHINE("musicpal", musicpal_machine_init)
1731 
/*
 * Class init for the WLAN stub: only the realize hook is installed (no
 * reset handler and no migration layout).
 */
static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
{
    DEVICE_CLASS(klass)->realize = mv88w8618_wlan_realize;
}
1738 
/*
 * QOM type record for the WLAN stub. The instance is a bare SysBusDevice,
 * so the device has no state struct of its own; its MMIO region is
 * allocated separately in mv88w8618_wlan_realize().
 */
static const TypeInfo mv88w8618_wlan_info = {
    .name          = "mv88w8618_wlan",
    .parent        = TYPE_SYS_BUS_DEVICE,
    .instance_size = sizeof(SysBusDevice),
    .class_init    = mv88w8618_wlan_class_init,
};
1745 
/* Register every QOM device type this board file defines. */
static void musicpal_register_types(void)
{
    /* Kept in the original registration order. */
    static const TypeInfo *const board_types[] = {
        &mv88w8618_pic_info,
        &mv88w8618_pit_info,
        &mv88w8618_flashcfg_info,
        &mv88w8618_eth_info,
        &mv88w8618_wlan_info,
        &musicpal_lcd_info,
        &musicpal_gpio_info,
        &musicpal_key_info,
        &musicpal_misc_info,
    };
    size_t idx;

    for (idx = 0; idx < ARRAY_SIZE(board_types); idx++) {
        type_register_static(board_types[idx]);
    }
}

type_init(musicpal_register_types)
1760