xref: /openbmc/qemu/hw/arm/musicpal.c (revision 8fa3b702)
1 /*
2  * Marvell MV88W8618 / Freecom MusicPal emulation.
3  *
4  * Copyright (c) 2008 Jan Kiszka
5  *
6  * This code is licensed under the GNU GPL v2.
7  *
8  * Contributions after 2012-01-13 are licensed under the terms of the
9  * GNU GPL, version 2 or (at your option) any later version.
10  */
11 
12 #include "qemu/osdep.h"
13 #include "qapi/error.h"
14 #include "cpu.h"
15 #include "hw/sysbus.h"
16 #include "migration/vmstate.h"
17 #include "hw/arm/boot.h"
18 #include "net/net.h"
19 #include "sysemu/sysemu.h"
20 #include "hw/boards.h"
21 #include "hw/char/serial.h"
22 #include "hw/hw.h"
23 #include "qemu/timer.h"
24 #include "hw/ptimer.h"
25 #include "hw/qdev-properties.h"
26 #include "hw/block/flash.h"
27 #include "ui/console.h"
28 #include "hw/i2c/i2c.h"
29 #include "hw/irq.h"
30 #include "hw/audio/wm8750.h"
31 #include "sysemu/block-backend.h"
32 #include "sysemu/runstate.h"
33 #include "sysemu/dma.h"
34 #include "exec/address-spaces.h"
35 #include "ui/pixel_ops.h"
36 #include "qemu/cutils.h"
37 #include "qom/object.h"
38 
39 #define MP_MISC_BASE            0x80002000
40 #define MP_MISC_SIZE            0x00001000
41 
42 #define MP_ETH_BASE             0x80008000
43 #define MP_ETH_SIZE             0x00001000
44 
45 #define MP_WLAN_BASE            0x8000C000
46 #define MP_WLAN_SIZE            0x00000800
47 
48 #define MP_UART1_BASE           0x8000C840
49 #define MP_UART2_BASE           0x8000C940
50 
51 #define MP_GPIO_BASE            0x8000D000
52 #define MP_GPIO_SIZE            0x00001000
53 
54 #define MP_FLASHCFG_BASE        0x90006000
55 #define MP_FLASHCFG_SIZE        0x00001000
56 
57 #define MP_AUDIO_BASE           0x90007000
58 
59 #define MP_PIC_BASE             0x90008000
60 #define MP_PIC_SIZE             0x00001000
61 
62 #define MP_PIT_BASE             0x90009000
63 #define MP_PIT_SIZE             0x00001000
64 
65 #define MP_LCD_BASE             0x9000c000
66 #define MP_LCD_SIZE             0x00001000
67 
68 #define MP_SRAM_BASE            0xC0000000
69 #define MP_SRAM_SIZE            0x00020000
70 
71 #define MP_RAM_DEFAULT_SIZE     32*1024*1024
72 #define MP_FLASH_SIZE_MAX       32*1024*1024
73 
74 #define MP_TIMER1_IRQ           4
75 #define MP_TIMER2_IRQ           5
76 #define MP_TIMER3_IRQ           6
77 #define MP_TIMER4_IRQ           7
78 #define MP_EHCI_IRQ             8
79 #define MP_ETH_IRQ              9
80 #define MP_UART1_IRQ            11
81 #define MP_UART2_IRQ            11
82 #define MP_GPIO_IRQ             12
83 #define MP_RTC_IRQ              28
84 #define MP_AUDIO_IRQ            30
85 
86 /* Wolfson 8750 I2C address */
87 #define MP_WM_ADDR              0x1A
88 
89 /* Ethernet register offsets */
90 #define MP_ETH_SMIR             0x010
91 #define MP_ETH_PCXR             0x408
92 #define MP_ETH_SDCMR            0x448
93 #define MP_ETH_ICR              0x450
94 #define MP_ETH_IMR              0x458
95 #define MP_ETH_FRDP0            0x480
96 #define MP_ETH_FRDP1            0x484
97 #define MP_ETH_FRDP2            0x488
98 #define MP_ETH_FRDP3            0x48C
99 #define MP_ETH_CRDP0            0x4A0
100 #define MP_ETH_CRDP1            0x4A4
101 #define MP_ETH_CRDP2            0x4A8
102 #define MP_ETH_CRDP3            0x4AC
103 #define MP_ETH_CTDP0            0x4E0
104 #define MP_ETH_CTDP1            0x4E4
105 
106 /* MII PHY access */
107 #define MP_ETH_SMIR_DATA        0x0000FFFF
108 #define MP_ETH_SMIR_ADDR        0x03FF0000
109 #define MP_ETH_SMIR_OPCODE      (1 << 26) /* Read value */
110 #define MP_ETH_SMIR_RDVALID     (1 << 27)
111 
112 /* PHY registers */
113 #define MP_ETH_PHY1_BMSR        0x00210000
114 #define MP_ETH_PHY1_PHYSID1     0x00410000
115 #define MP_ETH_PHY1_PHYSID2     0x00610000
116 
117 #define MP_PHY_BMSR_LINK        0x0004
118 #define MP_PHY_BMSR_AUTONEG     0x0008
119 
120 #define MP_PHY_88E3015          0x01410E20
121 
122 /* TX descriptor status */
123 #define MP_ETH_TX_OWN           (1U << 31)
124 
125 /* RX descriptor status */
126 #define MP_ETH_RX_OWN           (1U << 31)
127 
128 /* Interrupt cause/mask bits */
129 #define MP_ETH_IRQ_RX_BIT       0
130 #define MP_ETH_IRQ_RX           (1 << MP_ETH_IRQ_RX_BIT)
131 #define MP_ETH_IRQ_TXHI_BIT     2
132 #define MP_ETH_IRQ_TXLO_BIT     3
133 
134 /* Port config bits */
135 #define MP_ETH_PCXR_2BSM_BIT    28 /* 2-byte incoming suffix */
136 
137 /* SDMA command bits */
138 #define MP_ETH_CMD_TXHI         (1 << 23)
139 #define MP_ETH_CMD_TXLO         (1 << 22)
140 
141 typedef struct mv88w8618_tx_desc {
142     uint32_t cmdstat;
143     uint16_t res;
144     uint16_t bytes;
145     uint32_t buffer;
146     uint32_t next;
147 } mv88w8618_tx_desc;
148 
149 typedef struct mv88w8618_rx_desc {
150     uint32_t cmdstat;
151     uint16_t bytes;
152     uint16_t buffer_size;
153     uint32_t buffer;
154     uint32_t next;
155 } mv88w8618_rx_desc;
156 
157 #define TYPE_MV88W8618_ETH "mv88w8618_eth"
158 typedef struct mv88w8618_eth_state mv88w8618_eth_state;
159 DECLARE_INSTANCE_CHECKER(mv88w8618_eth_state, MV88W8618_ETH,
160                          TYPE_MV88W8618_ETH)
161 
162 struct mv88w8618_eth_state {
163     /*< private >*/
164     SysBusDevice parent_obj;
165     /*< public >*/
166 
167     MemoryRegion iomem;
168     qemu_irq irq;
169     MemoryRegion *dma_mr;
170     AddressSpace dma_as;
171     uint32_t smir;
172     uint32_t icr;
173     uint32_t imr;
174     int mmio_index;
175     uint32_t vlan_header;
176     uint32_t tx_queue[2];
177     uint32_t rx_queue[4];
178     uint32_t frx_queue[4];
179     uint32_t cur_rx[4];
180     NICState *nic;
181     NICConf conf;
182 };
183 
184 static void eth_rx_desc_put(AddressSpace *dma_as, uint32_t addr,
185                             mv88w8618_rx_desc *desc)
186 {
187     cpu_to_le32s(&desc->cmdstat);
188     cpu_to_le16s(&desc->bytes);
189     cpu_to_le16s(&desc->buffer_size);
190     cpu_to_le32s(&desc->buffer);
191     cpu_to_le32s(&desc->next);
192     dma_memory_write(dma_as, addr, desc, sizeof(*desc));
193 }
194 
195 static void eth_rx_desc_get(AddressSpace *dma_as, uint32_t addr,
196                             mv88w8618_rx_desc *desc)
197 {
198     dma_memory_read(dma_as, addr, desc, sizeof(*desc));
199     le32_to_cpus(&desc->cmdstat);
200     le16_to_cpus(&desc->bytes);
201     le16_to_cpus(&desc->buffer_size);
202     le32_to_cpus(&desc->buffer);
203     le32_to_cpus(&desc->next);
204 }
205 
206 static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
207 {
208     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
209     uint32_t desc_addr;
210     mv88w8618_rx_desc desc;
211     int i;
212 
213     for (i = 0; i < 4; i++) {
214         desc_addr = s->cur_rx[i];
215         if (!desc_addr) {
216             continue;
217         }
218         do {
219             eth_rx_desc_get(&s->dma_as, desc_addr, &desc);
220             if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
221                 dma_memory_write(&s->dma_as, desc.buffer + s->vlan_header,
222                                           buf, size);
223                 desc.bytes = size + s->vlan_header;
224                 desc.cmdstat &= ~MP_ETH_RX_OWN;
225                 s->cur_rx[i] = desc.next;
226 
227                 s->icr |= MP_ETH_IRQ_RX;
228                 if (s->icr & s->imr) {
229                     qemu_irq_raise(s->irq);
230                 }
231                 eth_rx_desc_put(&s->dma_as, desc_addr, &desc);
232                 return size;
233             }
234             desc_addr = desc.next;
235         } while (desc_addr != s->rx_queue[i]);
236     }
237     return size;
238 }
239 
240 static void eth_tx_desc_put(AddressSpace *dma_as, uint32_t addr,
241                             mv88w8618_tx_desc *desc)
242 {
243     cpu_to_le32s(&desc->cmdstat);
244     cpu_to_le16s(&desc->res);
245     cpu_to_le16s(&desc->bytes);
246     cpu_to_le32s(&desc->buffer);
247     cpu_to_le32s(&desc->next);
248     dma_memory_write(dma_as, addr, desc, sizeof(*desc));
249 }
250 
251 static void eth_tx_desc_get(AddressSpace *dma_as, uint32_t addr,
252                             mv88w8618_tx_desc *desc)
253 {
254     dma_memory_read(dma_as, addr, desc, sizeof(*desc));
255     le32_to_cpus(&desc->cmdstat);
256     le16_to_cpus(&desc->res);
257     le16_to_cpus(&desc->bytes);
258     le32_to_cpus(&desc->buffer);
259     le32_to_cpus(&desc->next);
260 }
261 
262 static void eth_send(mv88w8618_eth_state *s, int queue_index)
263 {
264     uint32_t desc_addr = s->tx_queue[queue_index];
265     mv88w8618_tx_desc desc;
266     uint32_t next_desc;
267     uint8_t buf[2048];
268     int len;
269 
270     do {
271         eth_tx_desc_get(&s->dma_as, desc_addr, &desc);
272         next_desc = desc.next;
273         if (desc.cmdstat & MP_ETH_TX_OWN) {
274             len = desc.bytes;
275             if (len < 2048) {
276                 dma_memory_read(&s->dma_as, desc.buffer, buf, len);
277                 qemu_send_packet(qemu_get_queue(s->nic), buf, len);
278             }
279             desc.cmdstat &= ~MP_ETH_TX_OWN;
280             s->icr |= 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index);
281             eth_tx_desc_put(&s->dma_as, desc_addr, &desc);
282         }
283         desc_addr = next_desc;
284     } while (desc_addr != s->tx_queue[queue_index]);
285 }
286 
287 static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
288                                    unsigned size)
289 {
290     mv88w8618_eth_state *s = opaque;
291 
292     switch (offset) {
293     case MP_ETH_SMIR:
294         if (s->smir & MP_ETH_SMIR_OPCODE) {
295             switch (s->smir & MP_ETH_SMIR_ADDR) {
296             case MP_ETH_PHY1_BMSR:
297                 return MP_PHY_BMSR_LINK | MP_PHY_BMSR_AUTONEG |
298                        MP_ETH_SMIR_RDVALID;
299             case MP_ETH_PHY1_PHYSID1:
300                 return (MP_PHY_88E3015 >> 16) | MP_ETH_SMIR_RDVALID;
301             case MP_ETH_PHY1_PHYSID2:
302                 return (MP_PHY_88E3015 & 0xFFFF) | MP_ETH_SMIR_RDVALID;
303             default:
304                 return MP_ETH_SMIR_RDVALID;
305             }
306         }
307         return 0;
308 
309     case MP_ETH_ICR:
310         return s->icr;
311 
312     case MP_ETH_IMR:
313         return s->imr;
314 
315     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
316         return s->frx_queue[(offset - MP_ETH_FRDP0)/4];
317 
318     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
319         return s->rx_queue[(offset - MP_ETH_CRDP0)/4];
320 
321     case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
322         return s->tx_queue[(offset - MP_ETH_CTDP0)/4];
323 
324     default:
325         return 0;
326     }
327 }
328 
329 static void mv88w8618_eth_write(void *opaque, hwaddr offset,
330                                 uint64_t value, unsigned size)
331 {
332     mv88w8618_eth_state *s = opaque;
333 
334     switch (offset) {
335     case MP_ETH_SMIR:
336         s->smir = value;
337         break;
338 
339     case MP_ETH_PCXR:
340         s->vlan_header = ((value >> MP_ETH_PCXR_2BSM_BIT) & 1) * 2;
341         break;
342 
343     case MP_ETH_SDCMR:
344         if (value & MP_ETH_CMD_TXHI) {
345             eth_send(s, 1);
346         }
347         if (value & MP_ETH_CMD_TXLO) {
348             eth_send(s, 0);
349         }
350         if (value & (MP_ETH_CMD_TXHI | MP_ETH_CMD_TXLO) && s->icr & s->imr) {
351             qemu_irq_raise(s->irq);
352         }
353         break;
354 
355     case MP_ETH_ICR:
356         s->icr &= value;
357         break;
358 
359     case MP_ETH_IMR:
360         s->imr = value;
361         if (s->icr & s->imr) {
362             qemu_irq_raise(s->irq);
363         }
364         break;
365 
366     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
367         s->frx_queue[(offset - MP_ETH_FRDP0)/4] = value;
368         break;
369 
370     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
371         s->rx_queue[(offset - MP_ETH_CRDP0)/4] =
372             s->cur_rx[(offset - MP_ETH_CRDP0)/4] = value;
373         break;
374 
375     case MP_ETH_CTDP0 ... MP_ETH_CTDP1:
376         s->tx_queue[(offset - MP_ETH_CTDP0)/4] = value;
377         break;
378     }
379 }
380 
381 static const MemoryRegionOps mv88w8618_eth_ops = {
382     .read = mv88w8618_eth_read,
383     .write = mv88w8618_eth_write,
384     .endianness = DEVICE_NATIVE_ENDIAN,
385 };
386 
387 static void eth_cleanup(NetClientState *nc)
388 {
389     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
390 
391     s->nic = NULL;
392 }
393 
394 static NetClientInfo net_mv88w8618_info = {
395     .type = NET_CLIENT_DRIVER_NIC,
396     .size = sizeof(NICState),
397     .receive = eth_receive,
398     .cleanup = eth_cleanup,
399 };
400 
401 static void mv88w8618_eth_init(Object *obj)
402 {
403     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
404     DeviceState *dev = DEVICE(sbd);
405     mv88w8618_eth_state *s = MV88W8618_ETH(dev);
406 
407     sysbus_init_irq(sbd, &s->irq);
408     memory_region_init_io(&s->iomem, obj, &mv88w8618_eth_ops, s,
409                           "mv88w8618-eth", MP_ETH_SIZE);
410     sysbus_init_mmio(sbd, &s->iomem);
411 }
412 
413 static void mv88w8618_eth_realize(DeviceState *dev, Error **errp)
414 {
415     mv88w8618_eth_state *s = MV88W8618_ETH(dev);
416 
417     if (!s->dma_mr) {
418         error_setg(errp, TYPE_MV88W8618_ETH " 'dma-memory' link not set");
419         return;
420     }
421 
422     address_space_init(&s->dma_as, s->dma_mr, "emac-dma");
423     s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf,
424                           object_get_typename(OBJECT(dev)), dev->id, s);
425 }
426 
427 static const VMStateDescription mv88w8618_eth_vmsd = {
428     .name = "mv88w8618_eth",
429     .version_id = 1,
430     .minimum_version_id = 1,
431     .fields = (VMStateField[]) {
432         VMSTATE_UINT32(smir, mv88w8618_eth_state),
433         VMSTATE_UINT32(icr, mv88w8618_eth_state),
434         VMSTATE_UINT32(imr, mv88w8618_eth_state),
435         VMSTATE_UINT32(vlan_header, mv88w8618_eth_state),
436         VMSTATE_UINT32_ARRAY(tx_queue, mv88w8618_eth_state, 2),
437         VMSTATE_UINT32_ARRAY(rx_queue, mv88w8618_eth_state, 4),
438         VMSTATE_UINT32_ARRAY(frx_queue, mv88w8618_eth_state, 4),
439         VMSTATE_UINT32_ARRAY(cur_rx, mv88w8618_eth_state, 4),
440         VMSTATE_END_OF_LIST()
441     }
442 };
443 
444 static Property mv88w8618_eth_properties[] = {
445     DEFINE_NIC_PROPERTIES(mv88w8618_eth_state, conf),
446     DEFINE_PROP_LINK("dma-memory", mv88w8618_eth_state, dma_mr,
447                      TYPE_MEMORY_REGION, MemoryRegion *),
448     DEFINE_PROP_END_OF_LIST(),
449 };
450 
451 static void mv88w8618_eth_class_init(ObjectClass *klass, void *data)
452 {
453     DeviceClass *dc = DEVICE_CLASS(klass);
454 
455     dc->vmsd = &mv88w8618_eth_vmsd;
456     device_class_set_props(dc, mv88w8618_eth_properties);
457     dc->realize = mv88w8618_eth_realize;
458 }
459 
460 static const TypeInfo mv88w8618_eth_info = {
461     .name          = TYPE_MV88W8618_ETH,
462     .parent        = TYPE_SYS_BUS_DEVICE,
463     .instance_size = sizeof(mv88w8618_eth_state),
464     .instance_init = mv88w8618_eth_init,
465     .class_init    = mv88w8618_eth_class_init,
466 };
467 
468 /* LCD register offsets */
469 #define MP_LCD_IRQCTRL          0x180
470 #define MP_LCD_IRQSTAT          0x184
471 #define MP_LCD_SPICTRL          0x1ac
472 #define MP_LCD_INST             0x1bc
473 #define MP_LCD_DATA             0x1c0
474 
475 /* Mode magics */
476 #define MP_LCD_SPI_DATA         0x00100011
477 #define MP_LCD_SPI_CMD          0x00104011
478 #define MP_LCD_SPI_INVALID      0x00000000
479 
480 /* Commmands */
481 #define MP_LCD_INST_SETPAGE0    0xB0
482 /* ... */
483 #define MP_LCD_INST_SETPAGE7    0xB7
484 
485 #define MP_LCD_TEXTCOLOR        0xe0e0ff /* RRGGBB */
486 
487 #define TYPE_MUSICPAL_LCD "musicpal_lcd"
488 typedef struct musicpal_lcd_state musicpal_lcd_state;
489 DECLARE_INSTANCE_CHECKER(musicpal_lcd_state, MUSICPAL_LCD,
490                          TYPE_MUSICPAL_LCD)
491 
492 struct musicpal_lcd_state {
493     /*< private >*/
494     SysBusDevice parent_obj;
495     /*< public >*/
496 
497     MemoryRegion iomem;
498     uint32_t brightness;
499     uint32_t mode;
500     uint32_t irqctrl;
501     uint32_t page;
502     uint32_t page_off;
503     QemuConsole *con;
504     uint8_t video_ram[128*64/8];
505 };
506 
507 static uint8_t scale_lcd_color(musicpal_lcd_state *s, uint8_t col)
508 {
509     switch (s->brightness) {
510     case 7:
511         return col;
512     case 0:
513         return 0;
514     default:
515         return (col * s->brightness) / 7;
516     }
517 }
518 
519 #define SET_LCD_PIXEL(depth, type) \
520 static inline void glue(set_lcd_pixel, depth) \
521         (musicpal_lcd_state *s, int x, int y, type col) \
522 { \
523     int dx, dy; \
524     DisplaySurface *surface = qemu_console_surface(s->con); \
525     type *pixel = &((type *) surface_data(surface))[(y * 128 * 3 + x) * 3]; \
526 \
527     for (dy = 0; dy < 3; dy++, pixel += 127 * 3) \
528         for (dx = 0; dx < 3; dx++, pixel++) \
529             *pixel = col; \
530 }
531 SET_LCD_PIXEL(8, uint8_t)
532 SET_LCD_PIXEL(16, uint16_t)
533 SET_LCD_PIXEL(32, uint32_t)
534 
535 static void lcd_refresh(void *opaque)
536 {
537     musicpal_lcd_state *s = opaque;
538     DisplaySurface *surface = qemu_console_surface(s->con);
539     int x, y, col;
540 
541     switch (surface_bits_per_pixel(surface)) {
542     case 0:
543         return;
544 #define LCD_REFRESH(depth, func) \
545     case depth: \
546         col = func(scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 16) & 0xff), \
547                    scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 8) & 0xff), \
548                    scale_lcd_color(s, MP_LCD_TEXTCOLOR & 0xff)); \
549         for (x = 0; x < 128; x++) { \
550             for (y = 0; y < 64; y++) { \
551                 if (s->video_ram[x + (y/8)*128] & (1 << (y % 8))) { \
552                     glue(set_lcd_pixel, depth)(s, x, y, col); \
553                 } else { \
554                     glue(set_lcd_pixel, depth)(s, x, y, 0); \
555                 } \
556             } \
557         } \
558         break;
559     LCD_REFRESH(8, rgb_to_pixel8)
560     LCD_REFRESH(16, rgb_to_pixel16)
561     LCD_REFRESH(32, (is_surface_bgr(surface) ?
562                      rgb_to_pixel32bgr : rgb_to_pixel32))
563     default:
564         hw_error("unsupported colour depth %i\n",
565                  surface_bits_per_pixel(surface));
566     }
567 
568     dpy_gfx_update(s->con, 0, 0, 128*3, 64*3);
569 }
570 
571 static void lcd_invalidate(void *opaque)
572 {
573 }
574 
575 static void musicpal_lcd_gpio_brightness_in(void *opaque, int irq, int level)
576 {
577     musicpal_lcd_state *s = opaque;
578     s->brightness &= ~(1 << irq);
579     s->brightness |= level << irq;
580 }
581 
582 static uint64_t musicpal_lcd_read(void *opaque, hwaddr offset,
583                                   unsigned size)
584 {
585     musicpal_lcd_state *s = opaque;
586 
587     switch (offset) {
588     case MP_LCD_IRQCTRL:
589         return s->irqctrl;
590 
591     default:
592         return 0;
593     }
594 }
595 
596 static void musicpal_lcd_write(void *opaque, hwaddr offset,
597                                uint64_t value, unsigned size)
598 {
599     musicpal_lcd_state *s = opaque;
600 
601     switch (offset) {
602     case MP_LCD_IRQCTRL:
603         s->irqctrl = value;
604         break;
605 
606     case MP_LCD_SPICTRL:
607         if (value == MP_LCD_SPI_DATA || value == MP_LCD_SPI_CMD) {
608             s->mode = value;
609         } else {
610             s->mode = MP_LCD_SPI_INVALID;
611         }
612         break;
613 
614     case MP_LCD_INST:
615         if (value >= MP_LCD_INST_SETPAGE0 && value <= MP_LCD_INST_SETPAGE7) {
616             s->page = value - MP_LCD_INST_SETPAGE0;
617             s->page_off = 0;
618         }
619         break;
620 
621     case MP_LCD_DATA:
622         if (s->mode == MP_LCD_SPI_CMD) {
623             if (value >= MP_LCD_INST_SETPAGE0 &&
624                 value <= MP_LCD_INST_SETPAGE7) {
625                 s->page = value - MP_LCD_INST_SETPAGE0;
626                 s->page_off = 0;
627             }
628         } else if (s->mode == MP_LCD_SPI_DATA) {
629             s->video_ram[s->page*128 + s->page_off] = value;
630             s->page_off = (s->page_off + 1) & 127;
631         }
632         break;
633     }
634 }
635 
636 static const MemoryRegionOps musicpal_lcd_ops = {
637     .read = musicpal_lcd_read,
638     .write = musicpal_lcd_write,
639     .endianness = DEVICE_NATIVE_ENDIAN,
640 };
641 
642 static const GraphicHwOps musicpal_gfx_ops = {
643     .invalidate  = lcd_invalidate,
644     .gfx_update  = lcd_refresh,
645 };
646 
647 static void musicpal_lcd_realize(DeviceState *dev, Error **errp)
648 {
649     musicpal_lcd_state *s = MUSICPAL_LCD(dev);
650     s->con = graphic_console_init(dev, 0, &musicpal_gfx_ops, s);
651     qemu_console_resize(s->con, 128 * 3, 64 * 3);
652 }
653 
654 static void musicpal_lcd_init(Object *obj)
655 {
656     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
657     DeviceState *dev = DEVICE(sbd);
658     musicpal_lcd_state *s = MUSICPAL_LCD(dev);
659 
660     s->brightness = 7;
661 
662     memory_region_init_io(&s->iomem, obj, &musicpal_lcd_ops, s,
663                           "musicpal-lcd", MP_LCD_SIZE);
664     sysbus_init_mmio(sbd, &s->iomem);
665 
666     qdev_init_gpio_in(dev, musicpal_lcd_gpio_brightness_in, 3);
667 }
668 
669 static const VMStateDescription musicpal_lcd_vmsd = {
670     .name = "musicpal_lcd",
671     .version_id = 1,
672     .minimum_version_id = 1,
673     .fields = (VMStateField[]) {
674         VMSTATE_UINT32(brightness, musicpal_lcd_state),
675         VMSTATE_UINT32(mode, musicpal_lcd_state),
676         VMSTATE_UINT32(irqctrl, musicpal_lcd_state),
677         VMSTATE_UINT32(page, musicpal_lcd_state),
678         VMSTATE_UINT32(page_off, musicpal_lcd_state),
679         VMSTATE_BUFFER(video_ram, musicpal_lcd_state),
680         VMSTATE_END_OF_LIST()
681     }
682 };
683 
684 static void musicpal_lcd_class_init(ObjectClass *klass, void *data)
685 {
686     DeviceClass *dc = DEVICE_CLASS(klass);
687 
688     dc->vmsd = &musicpal_lcd_vmsd;
689     dc->realize = musicpal_lcd_realize;
690 }
691 
692 static const TypeInfo musicpal_lcd_info = {
693     .name          = TYPE_MUSICPAL_LCD,
694     .parent        = TYPE_SYS_BUS_DEVICE,
695     .instance_size = sizeof(musicpal_lcd_state),
696     .instance_init = musicpal_lcd_init,
697     .class_init    = musicpal_lcd_class_init,
698 };
699 
700 /* PIC register offsets */
701 #define MP_PIC_STATUS           0x00
702 #define MP_PIC_ENABLE_SET       0x08
703 #define MP_PIC_ENABLE_CLR       0x0C
704 
705 #define TYPE_MV88W8618_PIC "mv88w8618_pic"
706 typedef struct mv88w8618_pic_state mv88w8618_pic_state;
707 DECLARE_INSTANCE_CHECKER(mv88w8618_pic_state, MV88W8618_PIC,
708                          TYPE_MV88W8618_PIC)
709 
710 struct mv88w8618_pic_state {
711     /*< private >*/
712     SysBusDevice parent_obj;
713     /*< public >*/
714 
715     MemoryRegion iomem;
716     uint32_t level;
717     uint32_t enabled;
718     qemu_irq parent_irq;
719 };
720 
721 static void mv88w8618_pic_update(mv88w8618_pic_state *s)
722 {
723     qemu_set_irq(s->parent_irq, (s->level & s->enabled));
724 }
725 
726 static void mv88w8618_pic_set_irq(void *opaque, int irq, int level)
727 {
728     mv88w8618_pic_state *s = opaque;
729 
730     if (level) {
731         s->level |= 1 << irq;
732     } else {
733         s->level &= ~(1 << irq);
734     }
735     mv88w8618_pic_update(s);
736 }
737 
738 static uint64_t mv88w8618_pic_read(void *opaque, hwaddr offset,
739                                    unsigned size)
740 {
741     mv88w8618_pic_state *s = opaque;
742 
743     switch (offset) {
744     case MP_PIC_STATUS:
745         return s->level & s->enabled;
746 
747     default:
748         return 0;
749     }
750 }
751 
752 static void mv88w8618_pic_write(void *opaque, hwaddr offset,
753                                 uint64_t value, unsigned size)
754 {
755     mv88w8618_pic_state *s = opaque;
756 
757     switch (offset) {
758     case MP_PIC_ENABLE_SET:
759         s->enabled |= value;
760         break;
761 
762     case MP_PIC_ENABLE_CLR:
763         s->enabled &= ~value;
764         s->level &= ~value;
765         break;
766     }
767     mv88w8618_pic_update(s);
768 }
769 
770 static void mv88w8618_pic_reset(DeviceState *d)
771 {
772     mv88w8618_pic_state *s = MV88W8618_PIC(d);
773 
774     s->level = 0;
775     s->enabled = 0;
776 }
777 
778 static const MemoryRegionOps mv88w8618_pic_ops = {
779     .read = mv88w8618_pic_read,
780     .write = mv88w8618_pic_write,
781     .endianness = DEVICE_NATIVE_ENDIAN,
782 };
783 
784 static void mv88w8618_pic_init(Object *obj)
785 {
786     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
787     mv88w8618_pic_state *s = MV88W8618_PIC(dev);
788 
789     qdev_init_gpio_in(DEVICE(dev), mv88w8618_pic_set_irq, 32);
790     sysbus_init_irq(dev, &s->parent_irq);
791     memory_region_init_io(&s->iomem, obj, &mv88w8618_pic_ops, s,
792                           "musicpal-pic", MP_PIC_SIZE);
793     sysbus_init_mmio(dev, &s->iomem);
794 }
795 
796 static const VMStateDescription mv88w8618_pic_vmsd = {
797     .name = "mv88w8618_pic",
798     .version_id = 1,
799     .minimum_version_id = 1,
800     .fields = (VMStateField[]) {
801         VMSTATE_UINT32(level, mv88w8618_pic_state),
802         VMSTATE_UINT32(enabled, mv88w8618_pic_state),
803         VMSTATE_END_OF_LIST()
804     }
805 };
806 
807 static void mv88w8618_pic_class_init(ObjectClass *klass, void *data)
808 {
809     DeviceClass *dc = DEVICE_CLASS(klass);
810 
811     dc->reset = mv88w8618_pic_reset;
812     dc->vmsd = &mv88w8618_pic_vmsd;
813 }
814 
815 static const TypeInfo mv88w8618_pic_info = {
816     .name          = TYPE_MV88W8618_PIC,
817     .parent        = TYPE_SYS_BUS_DEVICE,
818     .instance_size = sizeof(mv88w8618_pic_state),
819     .instance_init = mv88w8618_pic_init,
820     .class_init    = mv88w8618_pic_class_init,
821 };
822 
823 /* PIT register offsets */
824 #define MP_PIT_TIMER1_LENGTH    0x00
825 /* ... */
826 #define MP_PIT_TIMER4_LENGTH    0x0C
827 #define MP_PIT_CONTROL          0x10
828 #define MP_PIT_TIMER1_VALUE     0x14
829 /* ... */
830 #define MP_PIT_TIMER4_VALUE     0x20
831 #define MP_BOARD_RESET          0x34
832 
833 /* Magic board reset value (probably some watchdog behind it) */
834 #define MP_BOARD_RESET_MAGIC    0x10000
835 
836 typedef struct mv88w8618_timer_state {
837     ptimer_state *ptimer;
838     uint32_t limit;
839     int freq;
840     qemu_irq irq;
841 } mv88w8618_timer_state;
842 
843 #define TYPE_MV88W8618_PIT "mv88w8618_pit"
844 typedef struct mv88w8618_pit_state mv88w8618_pit_state;
845 DECLARE_INSTANCE_CHECKER(mv88w8618_pit_state, MV88W8618_PIT,
846                          TYPE_MV88W8618_PIT)
847 
848 struct mv88w8618_pit_state {
849     /*< private >*/
850     SysBusDevice parent_obj;
851     /*< public >*/
852 
853     MemoryRegion iomem;
854     mv88w8618_timer_state timer[4];
855 };
856 
857 static void mv88w8618_timer_tick(void *opaque)
858 {
859     mv88w8618_timer_state *s = opaque;
860 
861     qemu_irq_raise(s->irq);
862 }
863 
864 static void mv88w8618_timer_init(SysBusDevice *dev, mv88w8618_timer_state *s,
865                                  uint32_t freq)
866 {
867     sysbus_init_irq(dev, &s->irq);
868     s->freq = freq;
869 
870     s->ptimer = ptimer_init(mv88w8618_timer_tick, s, PTIMER_POLICY_DEFAULT);
871 }
872 
873 static uint64_t mv88w8618_pit_read(void *opaque, hwaddr offset,
874                                    unsigned size)
875 {
876     mv88w8618_pit_state *s = opaque;
877     mv88w8618_timer_state *t;
878 
879     switch (offset) {
880     case MP_PIT_TIMER1_VALUE ... MP_PIT_TIMER4_VALUE:
881         t = &s->timer[(offset-MP_PIT_TIMER1_VALUE) >> 2];
882         return ptimer_get_count(t->ptimer);
883 
884     default:
885         return 0;
886     }
887 }
888 
889 static void mv88w8618_pit_write(void *opaque, hwaddr offset,
890                                 uint64_t value, unsigned size)
891 {
892     mv88w8618_pit_state *s = opaque;
893     mv88w8618_timer_state *t;
894     int i;
895 
896     switch (offset) {
897     case MP_PIT_TIMER1_LENGTH ... MP_PIT_TIMER4_LENGTH:
898         t = &s->timer[offset >> 2];
899         t->limit = value;
900         ptimer_transaction_begin(t->ptimer);
901         if (t->limit > 0) {
902             ptimer_set_limit(t->ptimer, t->limit, 1);
903         } else {
904             ptimer_stop(t->ptimer);
905         }
906         ptimer_transaction_commit(t->ptimer);
907         break;
908 
909     case MP_PIT_CONTROL:
910         for (i = 0; i < 4; i++) {
911             t = &s->timer[i];
912             ptimer_transaction_begin(t->ptimer);
913             if (value & 0xf && t->limit > 0) {
914                 ptimer_set_limit(t->ptimer, t->limit, 0);
915                 ptimer_set_freq(t->ptimer, t->freq);
916                 ptimer_run(t->ptimer, 0);
917             } else {
918                 ptimer_stop(t->ptimer);
919             }
920             ptimer_transaction_commit(t->ptimer);
921             value >>= 4;
922         }
923         break;
924 
925     case MP_BOARD_RESET:
926         if (value == MP_BOARD_RESET_MAGIC) {
927             qemu_system_reset_request(SHUTDOWN_CAUSE_GUEST_RESET);
928         }
929         break;
930     }
931 }
932 
933 static void mv88w8618_pit_reset(DeviceState *d)
934 {
935     mv88w8618_pit_state *s = MV88W8618_PIT(d);
936     int i;
937 
938     for (i = 0; i < 4; i++) {
939         mv88w8618_timer_state *t = &s->timer[i];
940         ptimer_transaction_begin(t->ptimer);
941         ptimer_stop(t->ptimer);
942         ptimer_transaction_commit(t->ptimer);
943         t->limit = 0;
944     }
945 }
946 
947 static const MemoryRegionOps mv88w8618_pit_ops = {
948     .read = mv88w8618_pit_read,
949     .write = mv88w8618_pit_write,
950     .endianness = DEVICE_NATIVE_ENDIAN,
951 };
952 
953 static void mv88w8618_pit_init(Object *obj)
954 {
955     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
956     mv88w8618_pit_state *s = MV88W8618_PIT(dev);
957     int i;
958 
959     /* Letting them all run at 1 MHz is likely just a pragmatic
960      * simplification. */
961     for (i = 0; i < 4; i++) {
962         mv88w8618_timer_init(dev, &s->timer[i], 1000000);
963     }
964 
965     memory_region_init_io(&s->iomem, obj, &mv88w8618_pit_ops, s,
966                           "musicpal-pit", MP_PIT_SIZE);
967     sysbus_init_mmio(dev, &s->iomem);
968 }
969 
970 static const VMStateDescription mv88w8618_timer_vmsd = {
971     .name = "timer",
972     .version_id = 1,
973     .minimum_version_id = 1,
974     .fields = (VMStateField[]) {
975         VMSTATE_PTIMER(ptimer, mv88w8618_timer_state),
976         VMSTATE_UINT32(limit, mv88w8618_timer_state),
977         VMSTATE_END_OF_LIST()
978     }
979 };
980 
981 static const VMStateDescription mv88w8618_pit_vmsd = {
982     .name = "mv88w8618_pit",
983     .version_id = 1,
984     .minimum_version_id = 1,
985     .fields = (VMStateField[]) {
986         VMSTATE_STRUCT_ARRAY(timer, mv88w8618_pit_state, 4, 1,
987                              mv88w8618_timer_vmsd, mv88w8618_timer_state),
988         VMSTATE_END_OF_LIST()
989     }
990 };
991 
992 static void mv88w8618_pit_class_init(ObjectClass *klass, void *data)
993 {
994     DeviceClass *dc = DEVICE_CLASS(klass);
995 
996     dc->reset = mv88w8618_pit_reset;
997     dc->vmsd = &mv88w8618_pit_vmsd;
998 }
999 
1000 static const TypeInfo mv88w8618_pit_info = {
1001     .name          = TYPE_MV88W8618_PIT,
1002     .parent        = TYPE_SYS_BUS_DEVICE,
1003     .instance_size = sizeof(mv88w8618_pit_state),
1004     .instance_init = mv88w8618_pit_init,
1005     .class_init    = mv88w8618_pit_class_init,
1006 };
1007 
1008 /* Flash config register offsets */
1009 #define MP_FLASHCFG_CFGR0    0x04
1010 
1011 #define TYPE_MV88W8618_FLASHCFG "mv88w8618_flashcfg"
1012 typedef struct mv88w8618_flashcfg_state mv88w8618_flashcfg_state;
1013 DECLARE_INSTANCE_CHECKER(mv88w8618_flashcfg_state, MV88W8618_FLASHCFG,
1014                          TYPE_MV88W8618_FLASHCFG)
1015 
1016 struct mv88w8618_flashcfg_state {
1017     /*< private >*/
1018     SysBusDevice parent_obj;
1019     /*< public >*/
1020 
1021     MemoryRegion iomem;
1022     uint32_t cfgr0;
1023 };
1024 
1025 static uint64_t mv88w8618_flashcfg_read(void *opaque,
1026                                         hwaddr offset,
1027                                         unsigned size)
1028 {
1029     mv88w8618_flashcfg_state *s = opaque;
1030 
1031     switch (offset) {
1032     case MP_FLASHCFG_CFGR0:
1033         return s->cfgr0;
1034 
1035     default:
1036         return 0;
1037     }
1038 }
1039 
1040 static void mv88w8618_flashcfg_write(void *opaque, hwaddr offset,
1041                                      uint64_t value, unsigned size)
1042 {
1043     mv88w8618_flashcfg_state *s = opaque;
1044 
1045     switch (offset) {
1046     case MP_FLASHCFG_CFGR0:
1047         s->cfgr0 = value;
1048         break;
1049     }
1050 }
1051 
1052 static const MemoryRegionOps mv88w8618_flashcfg_ops = {
1053     .read = mv88w8618_flashcfg_read,
1054     .write = mv88w8618_flashcfg_write,
1055     .endianness = DEVICE_NATIVE_ENDIAN,
1056 };
1057 
1058 static void mv88w8618_flashcfg_init(Object *obj)
1059 {
1060     SysBusDevice *dev = SYS_BUS_DEVICE(obj);
1061     mv88w8618_flashcfg_state *s = MV88W8618_FLASHCFG(dev);
1062 
1063     s->cfgr0 = 0xfffe4285; /* Default as set by U-Boot for 8 MB flash */
1064     memory_region_init_io(&s->iomem, obj, &mv88w8618_flashcfg_ops, s,
1065                           "musicpal-flashcfg", MP_FLASHCFG_SIZE);
1066     sysbus_init_mmio(dev, &s->iomem);
1067 }
1068 
1069 static const VMStateDescription mv88w8618_flashcfg_vmsd = {
1070     .name = "mv88w8618_flashcfg",
1071     .version_id = 1,
1072     .minimum_version_id = 1,
1073     .fields = (VMStateField[]) {
1074         VMSTATE_UINT32(cfgr0, mv88w8618_flashcfg_state),
1075         VMSTATE_END_OF_LIST()
1076     }
1077 };
1078 
1079 static void mv88w8618_flashcfg_class_init(ObjectClass *klass, void *data)
1080 {
1081     DeviceClass *dc = DEVICE_CLASS(klass);
1082 
1083     dc->vmsd = &mv88w8618_flashcfg_vmsd;
1084 }
1085 
1086 static const TypeInfo mv88w8618_flashcfg_info = {
1087     .name          = TYPE_MV88W8618_FLASHCFG,
1088     .parent        = TYPE_SYS_BUS_DEVICE,
1089     .instance_size = sizeof(mv88w8618_flashcfg_state),
1090     .instance_init = mv88w8618_flashcfg_init,
1091     .class_init    = mv88w8618_flashcfg_class_init,
1092 };
1093 
1094 /* Misc register offsets */
1095 #define MP_MISC_BOARD_REVISION  0x18
1096 
1097 #define MP_BOARD_REVISION       0x31
1098 
1099 struct MusicPalMiscState {
1100     SysBusDevice parent_obj;
1101     MemoryRegion iomem;
1102 };
1103 typedef struct MusicPalMiscState MusicPalMiscState;
1104 
1105 #define TYPE_MUSICPAL_MISC "musicpal-misc"
1106 DECLARE_INSTANCE_CHECKER(MusicPalMiscState, MUSICPAL_MISC,
1107                          TYPE_MUSICPAL_MISC)
1108 
1109 static uint64_t musicpal_misc_read(void *opaque, hwaddr offset,
1110                                    unsigned size)
1111 {
1112     switch (offset) {
1113     case MP_MISC_BOARD_REVISION:
1114         return MP_BOARD_REVISION;
1115 
1116     default:
1117         return 0;
1118     }
1119 }
1120 
1121 static void musicpal_misc_write(void *opaque, hwaddr offset,
1122                                 uint64_t value, unsigned size)
1123 {
1124 }
1125 
1126 static const MemoryRegionOps musicpal_misc_ops = {
1127     .read = musicpal_misc_read,
1128     .write = musicpal_misc_write,
1129     .endianness = DEVICE_NATIVE_ENDIAN,
1130 };
1131 
1132 static void musicpal_misc_init(Object *obj)
1133 {
1134     SysBusDevice *sd = SYS_BUS_DEVICE(obj);
1135     MusicPalMiscState *s = MUSICPAL_MISC(obj);
1136 
1137     memory_region_init_io(&s->iomem, OBJECT(s), &musicpal_misc_ops, NULL,
1138                           "musicpal-misc", MP_MISC_SIZE);
1139     sysbus_init_mmio(sd, &s->iomem);
1140 }
1141 
1142 static const TypeInfo musicpal_misc_info = {
1143     .name = TYPE_MUSICPAL_MISC,
1144     .parent = TYPE_SYS_BUS_DEVICE,
1145     .instance_init = musicpal_misc_init,
1146     .instance_size = sizeof(MusicPalMiscState),
1147 };
1148 
1149 /* WLAN register offsets */
1150 #define MP_WLAN_MAGIC1          0x11c
1151 #define MP_WLAN_MAGIC2          0x124
1152 
1153 static uint64_t mv88w8618_wlan_read(void *opaque, hwaddr offset,
1154                                     unsigned size)
1155 {
1156     switch (offset) {
1157     /* Workaround to allow loading the binary-only wlandrv.ko crap
1158      * from the original Freecom firmware. */
1159     case MP_WLAN_MAGIC1:
1160         return ~3;
1161     case MP_WLAN_MAGIC2:
1162         return -1;
1163 
1164     default:
1165         return 0;
1166     }
1167 }
1168 
1169 static void mv88w8618_wlan_write(void *opaque, hwaddr offset,
1170                                  uint64_t value, unsigned size)
1171 {
1172 }
1173 
1174 static const MemoryRegionOps mv88w8618_wlan_ops = {
1175     .read = mv88w8618_wlan_read,
1176     .write =mv88w8618_wlan_write,
1177     .endianness = DEVICE_NATIVE_ENDIAN,
1178 };
1179 
1180 static void mv88w8618_wlan_realize(DeviceState *dev, Error **errp)
1181 {
1182     MemoryRegion *iomem = g_new(MemoryRegion, 1);
1183 
1184     memory_region_init_io(iomem, OBJECT(dev), &mv88w8618_wlan_ops, NULL,
1185                           "musicpal-wlan", MP_WLAN_SIZE);
1186     sysbus_init_mmio(SYS_BUS_DEVICE(dev), iomem);
1187 }
1188 
1189 /* GPIO register offsets */
1190 #define MP_GPIO_OE_LO           0x008
1191 #define MP_GPIO_OUT_LO          0x00c
1192 #define MP_GPIO_IN_LO           0x010
1193 #define MP_GPIO_IER_LO          0x014
1194 #define MP_GPIO_IMR_LO          0x018
1195 #define MP_GPIO_ISR_LO          0x020
1196 #define MP_GPIO_OE_HI           0x508
1197 #define MP_GPIO_OUT_HI          0x50c
1198 #define MP_GPIO_IN_HI           0x510
1199 #define MP_GPIO_IER_HI          0x514
1200 #define MP_GPIO_IMR_HI          0x518
1201 #define MP_GPIO_ISR_HI          0x520
1202 
1203 /* GPIO bits & masks */
1204 #define MP_GPIO_LCD_BRIGHTNESS  0x00070000
1205 #define MP_GPIO_I2C_DATA_BIT    29
1206 #define MP_GPIO_I2C_CLOCK_BIT   30
1207 
1208 /* LCD brightness bits in GPIO_OE_HI */
1209 #define MP_OE_LCD_BRIGHTNESS    0x0007
1210 
1211 #define TYPE_MUSICPAL_GPIO "musicpal_gpio"
1212 typedef struct musicpal_gpio_state musicpal_gpio_state;
1213 DECLARE_INSTANCE_CHECKER(musicpal_gpio_state, MUSICPAL_GPIO,
1214                          TYPE_MUSICPAL_GPIO)
1215 
1216 struct musicpal_gpio_state {
1217     /*< private >*/
1218     SysBusDevice parent_obj;
1219     /*< public >*/
1220 
1221     MemoryRegion iomem;
1222     uint32_t lcd_brightness;
1223     uint32_t out_state;
1224     uint32_t in_state;
1225     uint32_t ier;
1226     uint32_t imr;
1227     uint32_t isr;
1228     qemu_irq irq;
1229     qemu_irq out[5]; /* 3 brightness out + 2 lcd (data and clock ) */
1230 };
1231 
1232 static void musicpal_gpio_brightness_update(musicpal_gpio_state *s) {
1233     int i;
1234     uint32_t brightness;
1235 
1236     /* compute brightness ratio */
1237     switch (s->lcd_brightness) {
1238     case 0x00000007:
1239         brightness = 0;
1240         break;
1241 
1242     case 0x00020000:
1243         brightness = 1;
1244         break;
1245 
1246     case 0x00020001:
1247         brightness = 2;
1248         break;
1249 
1250     case 0x00040000:
1251         brightness = 3;
1252         break;
1253 
1254     case 0x00010006:
1255         brightness = 4;
1256         break;
1257 
1258     case 0x00020005:
1259         brightness = 5;
1260         break;
1261 
1262     case 0x00040003:
1263         brightness = 6;
1264         break;
1265 
1266     case 0x00030004:
1267     default:
1268         brightness = 7;
1269     }
1270 
1271     /* set lcd brightness GPIOs  */
1272     for (i = 0; i <= 2; i++) {
1273         qemu_set_irq(s->out[i], (brightness >> i) & 1);
1274     }
1275 }
1276 
1277 static void musicpal_gpio_pin_event(void *opaque, int pin, int level)
1278 {
1279     musicpal_gpio_state *s = opaque;
1280     uint32_t mask = 1 << pin;
1281     uint32_t delta = level << pin;
1282     uint32_t old = s->in_state & mask;
1283 
1284     s->in_state &= ~mask;
1285     s->in_state |= delta;
1286 
1287     if ((old ^ delta) &&
1288         ((level && (s->imr & mask)) || (!level && (s->ier & mask)))) {
1289         s->isr = mask;
1290         qemu_irq_raise(s->irq);
1291     }
1292 }
1293 
1294 static uint64_t musicpal_gpio_read(void *opaque, hwaddr offset,
1295                                    unsigned size)
1296 {
1297     musicpal_gpio_state *s = opaque;
1298 
1299     switch (offset) {
1300     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1301         return s->lcd_brightness & MP_OE_LCD_BRIGHTNESS;
1302 
1303     case MP_GPIO_OUT_LO:
1304         return s->out_state & 0xFFFF;
1305     case MP_GPIO_OUT_HI:
1306         return s->out_state >> 16;
1307 
1308     case MP_GPIO_IN_LO:
1309         return s->in_state & 0xFFFF;
1310     case MP_GPIO_IN_HI:
1311         return s->in_state >> 16;
1312 
1313     case MP_GPIO_IER_LO:
1314         return s->ier & 0xFFFF;
1315     case MP_GPIO_IER_HI:
1316         return s->ier >> 16;
1317 
1318     case MP_GPIO_IMR_LO:
1319         return s->imr & 0xFFFF;
1320     case MP_GPIO_IMR_HI:
1321         return s->imr >> 16;
1322 
1323     case MP_GPIO_ISR_LO:
1324         return s->isr & 0xFFFF;
1325     case MP_GPIO_ISR_HI:
1326         return s->isr >> 16;
1327 
1328     default:
1329         return 0;
1330     }
1331 }
1332 
1333 static void musicpal_gpio_write(void *opaque, hwaddr offset,
1334                                 uint64_t value, unsigned size)
1335 {
1336     musicpal_gpio_state *s = opaque;
1337     switch (offset) {
1338     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1339         s->lcd_brightness = (s->lcd_brightness & MP_GPIO_LCD_BRIGHTNESS) |
1340                          (value & MP_OE_LCD_BRIGHTNESS);
1341         musicpal_gpio_brightness_update(s);
1342         break;
1343 
1344     case MP_GPIO_OUT_LO:
1345         s->out_state = (s->out_state & 0xFFFF0000) | (value & 0xFFFF);
1346         break;
1347     case MP_GPIO_OUT_HI:
1348         s->out_state = (s->out_state & 0xFFFF) | (value << 16);
1349         s->lcd_brightness = (s->lcd_brightness & 0xFFFF) |
1350                             (s->out_state & MP_GPIO_LCD_BRIGHTNESS);
1351         musicpal_gpio_brightness_update(s);
1352         qemu_set_irq(s->out[3], (s->out_state >> MP_GPIO_I2C_DATA_BIT) & 1);
1353         qemu_set_irq(s->out[4], (s->out_state >> MP_GPIO_I2C_CLOCK_BIT) & 1);
1354         break;
1355 
1356     case MP_GPIO_IER_LO:
1357         s->ier = (s->ier & 0xFFFF0000) | (value & 0xFFFF);
1358         break;
1359     case MP_GPIO_IER_HI:
1360         s->ier = (s->ier & 0xFFFF) | (value << 16);
1361         break;
1362 
1363     case MP_GPIO_IMR_LO:
1364         s->imr = (s->imr & 0xFFFF0000) | (value & 0xFFFF);
1365         break;
1366     case MP_GPIO_IMR_HI:
1367         s->imr = (s->imr & 0xFFFF) | (value << 16);
1368         break;
1369     }
1370 }
1371 
1372 static const MemoryRegionOps musicpal_gpio_ops = {
1373     .read = musicpal_gpio_read,
1374     .write = musicpal_gpio_write,
1375     .endianness = DEVICE_NATIVE_ENDIAN,
1376 };
1377 
1378 static void musicpal_gpio_reset(DeviceState *d)
1379 {
1380     musicpal_gpio_state *s = MUSICPAL_GPIO(d);
1381 
1382     s->lcd_brightness = 0;
1383     s->out_state = 0;
1384     s->in_state = 0xffffffff;
1385     s->ier = 0;
1386     s->imr = 0;
1387     s->isr = 0;
1388 }
1389 
1390 static void musicpal_gpio_init(Object *obj)
1391 {
1392     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
1393     DeviceState *dev = DEVICE(sbd);
1394     musicpal_gpio_state *s = MUSICPAL_GPIO(dev);
1395 
1396     sysbus_init_irq(sbd, &s->irq);
1397 
1398     memory_region_init_io(&s->iomem, obj, &musicpal_gpio_ops, s,
1399                           "musicpal-gpio", MP_GPIO_SIZE);
1400     sysbus_init_mmio(sbd, &s->iomem);
1401 
1402     qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1403 
1404     qdev_init_gpio_in(dev, musicpal_gpio_pin_event, 32);
1405 }
1406 
1407 static const VMStateDescription musicpal_gpio_vmsd = {
1408     .name = "musicpal_gpio",
1409     .version_id = 1,
1410     .minimum_version_id = 1,
1411     .fields = (VMStateField[]) {
1412         VMSTATE_UINT32(lcd_brightness, musicpal_gpio_state),
1413         VMSTATE_UINT32(out_state, musicpal_gpio_state),
1414         VMSTATE_UINT32(in_state, musicpal_gpio_state),
1415         VMSTATE_UINT32(ier, musicpal_gpio_state),
1416         VMSTATE_UINT32(imr, musicpal_gpio_state),
1417         VMSTATE_UINT32(isr, musicpal_gpio_state),
1418         VMSTATE_END_OF_LIST()
1419     }
1420 };
1421 
1422 static void musicpal_gpio_class_init(ObjectClass *klass, void *data)
1423 {
1424     DeviceClass *dc = DEVICE_CLASS(klass);
1425 
1426     dc->reset = musicpal_gpio_reset;
1427     dc->vmsd = &musicpal_gpio_vmsd;
1428 }
1429 
1430 static const TypeInfo musicpal_gpio_info = {
1431     .name          = TYPE_MUSICPAL_GPIO,
1432     .parent        = TYPE_SYS_BUS_DEVICE,
1433     .instance_size = sizeof(musicpal_gpio_state),
1434     .instance_init = musicpal_gpio_init,
1435     .class_init    = musicpal_gpio_class_init,
1436 };
1437 
1438 /* Keyboard codes & masks */
1439 #define KEY_RELEASED            0x80
1440 #define KEY_CODE                0x7f
1441 
1442 #define KEYCODE_TAB             0x0f
1443 #define KEYCODE_ENTER           0x1c
1444 #define KEYCODE_F               0x21
1445 #define KEYCODE_M               0x32
1446 
1447 #define KEYCODE_EXTENDED        0xe0
1448 #define KEYCODE_UP              0x48
1449 #define KEYCODE_DOWN            0x50
1450 #define KEYCODE_LEFT            0x4b
1451 #define KEYCODE_RIGHT           0x4d
1452 
1453 #define MP_KEY_WHEEL_VOL       (1 << 0)
1454 #define MP_KEY_WHEEL_VOL_INV   (1 << 1)
1455 #define MP_KEY_WHEEL_NAV       (1 << 2)
1456 #define MP_KEY_WHEEL_NAV_INV   (1 << 3)
1457 #define MP_KEY_BTN_FAVORITS    (1 << 4)
1458 #define MP_KEY_BTN_MENU        (1 << 5)
1459 #define MP_KEY_BTN_VOLUME      (1 << 6)
1460 #define MP_KEY_BTN_NAVIGATION  (1 << 7)
1461 
1462 #define TYPE_MUSICPAL_KEY "musicpal_key"
1463 typedef struct musicpal_key_state musicpal_key_state;
1464 DECLARE_INSTANCE_CHECKER(musicpal_key_state, MUSICPAL_KEY,
1465                          TYPE_MUSICPAL_KEY)
1466 
1467 struct musicpal_key_state {
1468     /*< private >*/
1469     SysBusDevice parent_obj;
1470     /*< public >*/
1471 
1472     MemoryRegion iomem;
1473     uint32_t kbd_extended;
1474     uint32_t pressed_keys;
1475     qemu_irq out[8];
1476 };
1477 
1478 static void musicpal_key_event(void *opaque, int keycode)
1479 {
1480     musicpal_key_state *s = opaque;
1481     uint32_t event = 0;
1482     int i;
1483 
1484     if (keycode == KEYCODE_EXTENDED) {
1485         s->kbd_extended = 1;
1486         return;
1487     }
1488 
1489     if (s->kbd_extended) {
1490         switch (keycode & KEY_CODE) {
1491         case KEYCODE_UP:
1492             event = MP_KEY_WHEEL_NAV | MP_KEY_WHEEL_NAV_INV;
1493             break;
1494 
1495         case KEYCODE_DOWN:
1496             event = MP_KEY_WHEEL_NAV;
1497             break;
1498 
1499         case KEYCODE_LEFT:
1500             event = MP_KEY_WHEEL_VOL | MP_KEY_WHEEL_VOL_INV;
1501             break;
1502 
1503         case KEYCODE_RIGHT:
1504             event = MP_KEY_WHEEL_VOL;
1505             break;
1506         }
1507     } else {
1508         switch (keycode & KEY_CODE) {
1509         case KEYCODE_F:
1510             event = MP_KEY_BTN_FAVORITS;
1511             break;
1512 
1513         case KEYCODE_TAB:
1514             event = MP_KEY_BTN_VOLUME;
1515             break;
1516 
1517         case KEYCODE_ENTER:
1518             event = MP_KEY_BTN_NAVIGATION;
1519             break;
1520 
1521         case KEYCODE_M:
1522             event = MP_KEY_BTN_MENU;
1523             break;
1524         }
1525         /* Do not repeat already pressed buttons */
1526         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1527             event = 0;
1528         }
1529     }
1530 
1531     if (event) {
1532         /* Raise GPIO pin first if repeating a key */
1533         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1534             for (i = 0; i <= 7; i++) {
1535                 if (event & (1 << i)) {
1536                     qemu_set_irq(s->out[i], 1);
1537                 }
1538             }
1539         }
1540         for (i = 0; i <= 7; i++) {
1541             if (event & (1 << i)) {
1542                 qemu_set_irq(s->out[i], !!(keycode & KEY_RELEASED));
1543             }
1544         }
1545         if (keycode & KEY_RELEASED) {
1546             s->pressed_keys &= ~event;
1547         } else {
1548             s->pressed_keys |= event;
1549         }
1550     }
1551 
1552     s->kbd_extended = 0;
1553 }
1554 
1555 static void musicpal_key_init(Object *obj)
1556 {
1557     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
1558     DeviceState *dev = DEVICE(sbd);
1559     musicpal_key_state *s = MUSICPAL_KEY(dev);
1560 
1561     memory_region_init(&s->iomem, obj, "dummy", 0);
1562     sysbus_init_mmio(sbd, &s->iomem);
1563 
1564     s->kbd_extended = 0;
1565     s->pressed_keys = 0;
1566 
1567     qdev_init_gpio_out(dev, s->out, ARRAY_SIZE(s->out));
1568 
1569     qemu_add_kbd_event_handler(musicpal_key_event, s);
1570 }
1571 
1572 static const VMStateDescription musicpal_key_vmsd = {
1573     .name = "musicpal_key",
1574     .version_id = 1,
1575     .minimum_version_id = 1,
1576     .fields = (VMStateField[]) {
1577         VMSTATE_UINT32(kbd_extended, musicpal_key_state),
1578         VMSTATE_UINT32(pressed_keys, musicpal_key_state),
1579         VMSTATE_END_OF_LIST()
1580     }
1581 };
1582 
1583 static void musicpal_key_class_init(ObjectClass *klass, void *data)
1584 {
1585     DeviceClass *dc = DEVICE_CLASS(klass);
1586 
1587     dc->vmsd = &musicpal_key_vmsd;
1588 }
1589 
1590 static const TypeInfo musicpal_key_info = {
1591     .name          = TYPE_MUSICPAL_KEY,
1592     .parent        = TYPE_SYS_BUS_DEVICE,
1593     .instance_size = sizeof(musicpal_key_state),
1594     .instance_init = musicpal_key_init,
1595     .class_init    = musicpal_key_class_init,
1596 };
1597 
1598 static struct arm_boot_info musicpal_binfo = {
1599     .loader_start = 0x0,
1600     .board_id = 0x20e,
1601 };
1602 
1603 static void musicpal_init(MachineState *machine)
1604 {
1605     ARMCPU *cpu;
1606     qemu_irq pic[32];
1607     DeviceState *dev;
1608     DeviceState *i2c_dev;
1609     DeviceState *lcd_dev;
1610     DeviceState *key_dev;
1611     I2CSlave *wm8750_dev;
1612     SysBusDevice *s;
1613     I2CBus *i2c;
1614     int i;
1615     unsigned long flash_size;
1616     DriveInfo *dinfo;
1617     MachineClass *mc = MACHINE_GET_CLASS(machine);
1618     MemoryRegion *address_space_mem = get_system_memory();
1619     MemoryRegion *sram = g_new(MemoryRegion, 1);
1620 
1621     /* For now we use a fixed - the original - RAM size */
1622     if (machine->ram_size != mc->default_ram_size) {
1623         char *sz = size_to_str(mc->default_ram_size);
1624         error_report("Invalid RAM size, should be %s", sz);
1625         g_free(sz);
1626         exit(EXIT_FAILURE);
1627     }
1628 
1629     cpu = ARM_CPU(cpu_create(machine->cpu_type));
1630 
1631     memory_region_add_subregion(address_space_mem, 0, machine->ram);
1632 
1633     memory_region_init_ram(sram, NULL, "musicpal.sram", MP_SRAM_SIZE,
1634                            &error_fatal);
1635     memory_region_add_subregion(address_space_mem, MP_SRAM_BASE, sram);
1636 
1637     dev = sysbus_create_simple(TYPE_MV88W8618_PIC, MP_PIC_BASE,
1638                                qdev_get_gpio_in(DEVICE(cpu), ARM_CPU_IRQ));
1639     for (i = 0; i < 32; i++) {
1640         pic[i] = qdev_get_gpio_in(dev, i);
1641     }
1642     sysbus_create_varargs(TYPE_MV88W8618_PIT, MP_PIT_BASE, pic[MP_TIMER1_IRQ],
1643                           pic[MP_TIMER2_IRQ], pic[MP_TIMER3_IRQ],
1644                           pic[MP_TIMER4_IRQ], NULL);
1645 
1646     serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
1647                    1825000, serial_hd(0), DEVICE_NATIVE_ENDIAN);
1648     serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
1649                    1825000, serial_hd(1), DEVICE_NATIVE_ENDIAN);
1650 
1651     /* Register flash */
1652     dinfo = drive_get(IF_PFLASH, 0, 0);
1653     if (dinfo) {
1654         BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
1655 
1656         flash_size = blk_getlength(blk);
1657         if (flash_size != 8*1024*1024 && flash_size != 16*1024*1024 &&
1658             flash_size != 32*1024*1024) {
1659             error_report("Invalid flash image size");
1660             exit(1);
1661         }
1662 
1663         /*
1664          * The original U-Boot accesses the flash at 0xFE000000 instead of
1665          * 0xFF800000 (if there is 8 MB flash). So remap flash access if the
1666          * image is smaller than 32 MB.
1667          */
1668         pflash_cfi02_register(0x100000000ULL - MP_FLASH_SIZE_MAX,
1669                               "musicpal.flash", flash_size,
1670                               blk, 0x10000,
1671                               MP_FLASH_SIZE_MAX / flash_size,
1672                               2, 0x00BF, 0x236D, 0x0000, 0x0000,
1673                               0x5555, 0x2AAA, 0);
1674     }
1675     sysbus_create_simple(TYPE_MV88W8618_FLASHCFG, MP_FLASHCFG_BASE, NULL);
1676 
1677     qemu_check_nic_model(&nd_table[0], "mv88w8618");
1678     dev = qdev_new(TYPE_MV88W8618_ETH);
1679     qdev_set_nic_properties(dev, &nd_table[0]);
1680     object_property_set_link(OBJECT(dev), "dma-memory",
1681                              OBJECT(get_system_memory()), &error_fatal);
1682     sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
1683     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, MP_ETH_BASE);
1684     sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[MP_ETH_IRQ]);
1685 
1686     sysbus_create_simple("mv88w8618_wlan", MP_WLAN_BASE, NULL);
1687 
1688     sysbus_create_simple(TYPE_MUSICPAL_MISC, MP_MISC_BASE, NULL);
1689 
1690     dev = sysbus_create_simple(TYPE_MUSICPAL_GPIO, MP_GPIO_BASE,
1691                                pic[MP_GPIO_IRQ]);
1692     i2c_dev = sysbus_create_simple("gpio_i2c", -1, NULL);
1693     i2c = (I2CBus *)qdev_get_child_bus(i2c_dev, "i2c");
1694 
1695     lcd_dev = sysbus_create_simple(TYPE_MUSICPAL_LCD, MP_LCD_BASE, NULL);
1696     key_dev = sysbus_create_simple(TYPE_MUSICPAL_KEY, -1, NULL);
1697 
1698     /* I2C read data */
1699     qdev_connect_gpio_out(i2c_dev, 0,
1700                           qdev_get_gpio_in(dev, MP_GPIO_I2C_DATA_BIT));
1701     /* I2C data */
1702     qdev_connect_gpio_out(dev, 3, qdev_get_gpio_in(i2c_dev, 0));
1703     /* I2C clock */
1704     qdev_connect_gpio_out(dev, 4, qdev_get_gpio_in(i2c_dev, 1));
1705 
1706     for (i = 0; i < 3; i++) {
1707         qdev_connect_gpio_out(dev, i, qdev_get_gpio_in(lcd_dev, i));
1708     }
1709     for (i = 0; i < 4; i++) {
1710         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 8));
1711     }
1712     for (i = 4; i < 8; i++) {
1713         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 15));
1714     }
1715 
1716     wm8750_dev = i2c_slave_create_simple(i2c, TYPE_WM8750, MP_WM_ADDR);
1717     dev = qdev_new(TYPE_MV88W8618_AUDIO);
1718     s = SYS_BUS_DEVICE(dev);
1719     object_property_set_link(OBJECT(dev), "wm8750", OBJECT(wm8750_dev),
1720                              NULL);
1721     sysbus_realize_and_unref(s, &error_fatal);
1722     sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
1723     sysbus_connect_irq(s, 0, pic[MP_AUDIO_IRQ]);
1724 
1725     musicpal_binfo.ram_size = MP_RAM_DEFAULT_SIZE;
1726     arm_load_kernel(cpu, machine, &musicpal_binfo);
1727 }
1728 
1729 static void musicpal_machine_init(MachineClass *mc)
1730 {
1731     mc->desc = "Marvell 88w8618 / MusicPal (ARM926EJ-S)";
1732     mc->init = musicpal_init;
1733     mc->ignore_memory_transaction_failures = true;
1734     mc->default_cpu_type = ARM_CPU_TYPE_NAME("arm926");
1735     mc->default_ram_size = MP_RAM_DEFAULT_SIZE;
1736     mc->default_ram_id = "musicpal.ram";
1737 }
1738 
1739 DEFINE_MACHINE("musicpal", musicpal_machine_init)
1740 
1741 static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
1742 {
1743     DeviceClass *dc = DEVICE_CLASS(klass);
1744 
1745     dc->realize = mv88w8618_wlan_realize;
1746 }
1747 
1748 static const TypeInfo mv88w8618_wlan_info = {
1749     .name          = "mv88w8618_wlan",
1750     .parent        = TYPE_SYS_BUS_DEVICE,
1751     .instance_size = sizeof(SysBusDevice),
1752     .class_init    = mv88w8618_wlan_class_init,
1753 };
1754 
1755 static void musicpal_register_types(void)
1756 {
1757     type_register_static(&mv88w8618_pic_info);
1758     type_register_static(&mv88w8618_pit_info);
1759     type_register_static(&mv88w8618_flashcfg_info);
1760     type_register_static(&mv88w8618_eth_info);
1761     type_register_static(&mv88w8618_wlan_info);
1762     type_register_static(&musicpal_lcd_info);
1763     type_register_static(&musicpal_gpio_info);
1764     type_register_static(&musicpal_key_info);
1765     type_register_static(&musicpal_misc_info);
1766 }
1767 
1768 type_init(musicpal_register_types)
1769