xref: /openbmc/qemu/hw/arm/musicpal.c (revision e1fe50dc)
1 /*
2  * Marvell MV88W8618 / Freecom MusicPal emulation.
3  *
4  * Copyright (c) 2008 Jan Kiszka
5  *
6  * This code is licensed under the GNU GPL v2.
7  *
8  * Contributions after 2012-01-13 are licensed under the terms of the
9  * GNU GPL, version 2 or (at your option) any later version.
10  */
11 
12 #include "hw/sysbus.h"
13 #include "hw/arm/arm.h"
14 #include "hw/devices.h"
15 #include "net/net.h"
16 #include "sysemu/sysemu.h"
17 #include "hw/boards.h"
18 #include "hw/char/serial.h"
19 #include "qemu/timer.h"
20 #include "hw/ptimer.h"
21 #include "block/block.h"
22 #include "hw/block/flash.h"
23 #include "ui/console.h"
24 #include "hw/i2c/i2c.h"
25 #include "sysemu/blockdev.h"
26 #include "exec/address-spaces.h"
27 #include "ui/pixel_ops.h"
28 
29 #define MP_MISC_BASE            0x80002000
30 #define MP_MISC_SIZE            0x00001000
31 
32 #define MP_ETH_BASE             0x80008000
33 #define MP_ETH_SIZE             0x00001000
34 
35 #define MP_WLAN_BASE            0x8000C000
36 #define MP_WLAN_SIZE            0x00000800
37 
38 #define MP_UART1_BASE           0x8000C840
39 #define MP_UART2_BASE           0x8000C940
40 
41 #define MP_GPIO_BASE            0x8000D000
42 #define MP_GPIO_SIZE            0x00001000
43 
44 #define MP_FLASHCFG_BASE        0x90006000
45 #define MP_FLASHCFG_SIZE        0x00001000
46 
47 #define MP_AUDIO_BASE           0x90007000
48 
49 #define MP_PIC_BASE             0x90008000
50 #define MP_PIC_SIZE             0x00001000
51 
52 #define MP_PIT_BASE             0x90009000
53 #define MP_PIT_SIZE             0x00001000
54 
55 #define MP_LCD_BASE             0x9000c000
56 #define MP_LCD_SIZE             0x00001000
57 
58 #define MP_SRAM_BASE            0xC0000000
59 #define MP_SRAM_SIZE            0x00020000
60 
61 #define MP_RAM_DEFAULT_SIZE     32*1024*1024
62 #define MP_FLASH_SIZE_MAX       32*1024*1024
63 
64 #define MP_TIMER1_IRQ           4
65 #define MP_TIMER2_IRQ           5
66 #define MP_TIMER3_IRQ           6
67 #define MP_TIMER4_IRQ           7
68 #define MP_EHCI_IRQ             8
69 #define MP_ETH_IRQ              9
70 #define MP_UART1_IRQ            11
71 #define MP_UART2_IRQ            11
72 #define MP_GPIO_IRQ             12
73 #define MP_RTC_IRQ              28
74 #define MP_AUDIO_IRQ            30
75 
76 /* Wolfson 8750 I2C address */
77 #define MP_WM_ADDR              0x1A
78 
79 /* Ethernet register offsets */
80 #define MP_ETH_SMIR             0x010
81 #define MP_ETH_PCXR             0x408
82 #define MP_ETH_SDCMR            0x448
83 #define MP_ETH_ICR              0x450
84 #define MP_ETH_IMR              0x458
85 #define MP_ETH_FRDP0            0x480
86 #define MP_ETH_FRDP1            0x484
87 #define MP_ETH_FRDP2            0x488
88 #define MP_ETH_FRDP3            0x48C
89 #define MP_ETH_CRDP0            0x4A0
90 #define MP_ETH_CRDP1            0x4A4
91 #define MP_ETH_CRDP2            0x4A8
92 #define MP_ETH_CRDP3            0x4AC
93 #define MP_ETH_CTDP0            0x4E0
94 #define MP_ETH_CTDP1            0x4E4
95 #define MP_ETH_CTDP2            0x4E8
96 #define MP_ETH_CTDP3            0x4EC
97 
98 /* MII PHY access */
99 #define MP_ETH_SMIR_DATA        0x0000FFFF
100 #define MP_ETH_SMIR_ADDR        0x03FF0000
101 #define MP_ETH_SMIR_OPCODE      (1 << 26) /* Read value */
102 #define MP_ETH_SMIR_RDVALID     (1 << 27)
103 
104 /* PHY registers */
105 #define MP_ETH_PHY1_BMSR        0x00210000
106 #define MP_ETH_PHY1_PHYSID1     0x00410000
107 #define MP_ETH_PHY1_PHYSID2     0x00610000
108 
109 #define MP_PHY_BMSR_LINK        0x0004
110 #define MP_PHY_BMSR_AUTONEG     0x0008
111 
112 #define MP_PHY_88E3015          0x01410E20
113 
114 /* TX descriptor status */
115 #define MP_ETH_TX_OWN           (1 << 31)
116 
117 /* RX descriptor status */
118 #define MP_ETH_RX_OWN           (1 << 31)
119 
120 /* Interrupt cause/mask bits */
121 #define MP_ETH_IRQ_RX_BIT       0
122 #define MP_ETH_IRQ_RX           (1 << MP_ETH_IRQ_RX_BIT)
123 #define MP_ETH_IRQ_TXHI_BIT     2
124 #define MP_ETH_IRQ_TXLO_BIT     3
125 
126 /* Port config bits */
127 #define MP_ETH_PCXR_2BSM_BIT    28 /* 2-byte incoming suffix */
128 
129 /* SDMA command bits */
130 #define MP_ETH_CMD_TXHI         (1 << 23)
131 #define MP_ETH_CMD_TXLO         (1 << 22)
132 
133 typedef struct mv88w8618_tx_desc {
134     uint32_t cmdstat;
135     uint16_t res;
136     uint16_t bytes;
137     uint32_t buffer;
138     uint32_t next;
139 } mv88w8618_tx_desc;
140 
141 typedef struct mv88w8618_rx_desc {
142     uint32_t cmdstat;
143     uint16_t bytes;
144     uint16_t buffer_size;
145     uint32_t buffer;
146     uint32_t next;
147 } mv88w8618_rx_desc;
148 
149 typedef struct mv88w8618_eth_state {
150     SysBusDevice busdev;
151     MemoryRegion iomem;
152     qemu_irq irq;
153     uint32_t smir;
154     uint32_t icr;
155     uint32_t imr;
156     int mmio_index;
157     uint32_t vlan_header;
158     uint32_t tx_queue[2];
159     uint32_t rx_queue[4];
160     uint32_t frx_queue[4];
161     uint32_t cur_rx[4];
162     NICState *nic;
163     NICConf conf;
164 } mv88w8618_eth_state;
165 
166 static void eth_rx_desc_put(uint32_t addr, mv88w8618_rx_desc *desc)
167 {
168     cpu_to_le32s(&desc->cmdstat);
169     cpu_to_le16s(&desc->bytes);
170     cpu_to_le16s(&desc->buffer_size);
171     cpu_to_le32s(&desc->buffer);
172     cpu_to_le32s(&desc->next);
173     cpu_physical_memory_write(addr, desc, sizeof(*desc));
174 }
175 
176 static void eth_rx_desc_get(uint32_t addr, mv88w8618_rx_desc *desc)
177 {
178     cpu_physical_memory_read(addr, desc, sizeof(*desc));
179     le32_to_cpus(&desc->cmdstat);
180     le16_to_cpus(&desc->bytes);
181     le16_to_cpus(&desc->buffer_size);
182     le32_to_cpus(&desc->buffer);
183     le32_to_cpus(&desc->next);
184 }
185 
186 static int eth_can_receive(NetClientState *nc)
187 {
188     return 1;
189 }
190 
191 static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size)
192 {
193     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
194     uint32_t desc_addr;
195     mv88w8618_rx_desc desc;
196     int i;
197 
198     for (i = 0; i < 4; i++) {
199         desc_addr = s->cur_rx[i];
200         if (!desc_addr) {
201             continue;
202         }
203         do {
204             eth_rx_desc_get(desc_addr, &desc);
205             if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) {
206                 cpu_physical_memory_write(desc.buffer + s->vlan_header,
207                                           buf, size);
208                 desc.bytes = size + s->vlan_header;
209                 desc.cmdstat &= ~MP_ETH_RX_OWN;
210                 s->cur_rx[i] = desc.next;
211 
212                 s->icr |= MP_ETH_IRQ_RX;
213                 if (s->icr & s->imr) {
214                     qemu_irq_raise(s->irq);
215                 }
216                 eth_rx_desc_put(desc_addr, &desc);
217                 return size;
218             }
219             desc_addr = desc.next;
220         } while (desc_addr != s->rx_queue[i]);
221     }
222     return size;
223 }
224 
225 static void eth_tx_desc_put(uint32_t addr, mv88w8618_tx_desc *desc)
226 {
227     cpu_to_le32s(&desc->cmdstat);
228     cpu_to_le16s(&desc->res);
229     cpu_to_le16s(&desc->bytes);
230     cpu_to_le32s(&desc->buffer);
231     cpu_to_le32s(&desc->next);
232     cpu_physical_memory_write(addr, desc, sizeof(*desc));
233 }
234 
235 static void eth_tx_desc_get(uint32_t addr, mv88w8618_tx_desc *desc)
236 {
237     cpu_physical_memory_read(addr, desc, sizeof(*desc));
238     le32_to_cpus(&desc->cmdstat);
239     le16_to_cpus(&desc->res);
240     le16_to_cpus(&desc->bytes);
241     le32_to_cpus(&desc->buffer);
242     le32_to_cpus(&desc->next);
243 }
244 
245 static void eth_send(mv88w8618_eth_state *s, int queue_index)
246 {
247     uint32_t desc_addr = s->tx_queue[queue_index];
248     mv88w8618_tx_desc desc;
249     uint32_t next_desc;
250     uint8_t buf[2048];
251     int len;
252 
253     do {
254         eth_tx_desc_get(desc_addr, &desc);
255         next_desc = desc.next;
256         if (desc.cmdstat & MP_ETH_TX_OWN) {
257             len = desc.bytes;
258             if (len < 2048) {
259                 cpu_physical_memory_read(desc.buffer, buf, len);
260                 qemu_send_packet(qemu_get_queue(s->nic), buf, len);
261             }
262             desc.cmdstat &= ~MP_ETH_TX_OWN;
263             s->icr |= 1 << (MP_ETH_IRQ_TXLO_BIT - queue_index);
264             eth_tx_desc_put(desc_addr, &desc);
265         }
266         desc_addr = next_desc;
267     } while (desc_addr != s->tx_queue[queue_index]);
268 }
269 
270 static uint64_t mv88w8618_eth_read(void *opaque, hwaddr offset,
271                                    unsigned size)
272 {
273     mv88w8618_eth_state *s = opaque;
274 
275     switch (offset) {
276     case MP_ETH_SMIR:
277         if (s->smir & MP_ETH_SMIR_OPCODE) {
278             switch (s->smir & MP_ETH_SMIR_ADDR) {
279             case MP_ETH_PHY1_BMSR:
280                 return MP_PHY_BMSR_LINK | MP_PHY_BMSR_AUTONEG |
281                        MP_ETH_SMIR_RDVALID;
282             case MP_ETH_PHY1_PHYSID1:
283                 return (MP_PHY_88E3015 >> 16) | MP_ETH_SMIR_RDVALID;
284             case MP_ETH_PHY1_PHYSID2:
285                 return (MP_PHY_88E3015 & 0xFFFF) | MP_ETH_SMIR_RDVALID;
286             default:
287                 return MP_ETH_SMIR_RDVALID;
288             }
289         }
290         return 0;
291 
292     case MP_ETH_ICR:
293         return s->icr;
294 
295     case MP_ETH_IMR:
296         return s->imr;
297 
298     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
299         return s->frx_queue[(offset - MP_ETH_FRDP0)/4];
300 
301     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
302         return s->rx_queue[(offset - MP_ETH_CRDP0)/4];
303 
304     case MP_ETH_CTDP0 ... MP_ETH_CTDP3:
305         return s->tx_queue[(offset - MP_ETH_CTDP0)/4];
306 
307     default:
308         return 0;
309     }
310 }
311 
312 static void mv88w8618_eth_write(void *opaque, hwaddr offset,
313                                 uint64_t value, unsigned size)
314 {
315     mv88w8618_eth_state *s = opaque;
316 
317     switch (offset) {
318     case MP_ETH_SMIR:
319         s->smir = value;
320         break;
321 
322     case MP_ETH_PCXR:
323         s->vlan_header = ((value >> MP_ETH_PCXR_2BSM_BIT) & 1) * 2;
324         break;
325 
326     case MP_ETH_SDCMR:
327         if (value & MP_ETH_CMD_TXHI) {
328             eth_send(s, 1);
329         }
330         if (value & MP_ETH_CMD_TXLO) {
331             eth_send(s, 0);
332         }
333         if (value & (MP_ETH_CMD_TXHI | MP_ETH_CMD_TXLO) && s->icr & s->imr) {
334             qemu_irq_raise(s->irq);
335         }
336         break;
337 
338     case MP_ETH_ICR:
339         s->icr &= value;
340         break;
341 
342     case MP_ETH_IMR:
343         s->imr = value;
344         if (s->icr & s->imr) {
345             qemu_irq_raise(s->irq);
346         }
347         break;
348 
349     case MP_ETH_FRDP0 ... MP_ETH_FRDP3:
350         s->frx_queue[(offset - MP_ETH_FRDP0)/4] = value;
351         break;
352 
353     case MP_ETH_CRDP0 ... MP_ETH_CRDP3:
354         s->rx_queue[(offset - MP_ETH_CRDP0)/4] =
355             s->cur_rx[(offset - MP_ETH_CRDP0)/4] = value;
356         break;
357 
358     case MP_ETH_CTDP0 ... MP_ETH_CTDP3:
359         s->tx_queue[(offset - MP_ETH_CTDP0)/4] = value;
360         break;
361     }
362 }
363 
364 static const MemoryRegionOps mv88w8618_eth_ops = {
365     .read = mv88w8618_eth_read,
366     .write = mv88w8618_eth_write,
367     .endianness = DEVICE_NATIVE_ENDIAN,
368 };
369 
370 static void eth_cleanup(NetClientState *nc)
371 {
372     mv88w8618_eth_state *s = qemu_get_nic_opaque(nc);
373 
374     s->nic = NULL;
375 }
376 
377 static NetClientInfo net_mv88w8618_info = {
378     .type = NET_CLIENT_OPTIONS_KIND_NIC,
379     .size = sizeof(NICState),
380     .can_receive = eth_can_receive,
381     .receive = eth_receive,
382     .cleanup = eth_cleanup,
383 };
384 
385 static int mv88w8618_eth_init(SysBusDevice *dev)
386 {
387     mv88w8618_eth_state *s = FROM_SYSBUS(mv88w8618_eth_state, dev);
388 
389     sysbus_init_irq(dev, &s->irq);
390     s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf,
391                           object_get_typename(OBJECT(dev)), dev->qdev.id, s);
392     memory_region_init_io(&s->iomem, &mv88w8618_eth_ops, s, "mv88w8618-eth",
393                           MP_ETH_SIZE);
394     sysbus_init_mmio(dev, &s->iomem);
395     return 0;
396 }
397 
398 static const VMStateDescription mv88w8618_eth_vmsd = {
399     .name = "mv88w8618_eth",
400     .version_id = 1,
401     .minimum_version_id = 1,
402     .minimum_version_id_old = 1,
403     .fields = (VMStateField[]) {
404         VMSTATE_UINT32(smir, mv88w8618_eth_state),
405         VMSTATE_UINT32(icr, mv88w8618_eth_state),
406         VMSTATE_UINT32(imr, mv88w8618_eth_state),
407         VMSTATE_UINT32(vlan_header, mv88w8618_eth_state),
408         VMSTATE_UINT32_ARRAY(tx_queue, mv88w8618_eth_state, 2),
409         VMSTATE_UINT32_ARRAY(rx_queue, mv88w8618_eth_state, 4),
410         VMSTATE_UINT32_ARRAY(frx_queue, mv88w8618_eth_state, 4),
411         VMSTATE_UINT32_ARRAY(cur_rx, mv88w8618_eth_state, 4),
412         VMSTATE_END_OF_LIST()
413     }
414 };
415 
416 static Property mv88w8618_eth_properties[] = {
417     DEFINE_NIC_PROPERTIES(mv88w8618_eth_state, conf),
418     DEFINE_PROP_END_OF_LIST(),
419 };
420 
421 static void mv88w8618_eth_class_init(ObjectClass *klass, void *data)
422 {
423     DeviceClass *dc = DEVICE_CLASS(klass);
424     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
425 
426     k->init = mv88w8618_eth_init;
427     dc->vmsd = &mv88w8618_eth_vmsd;
428     dc->props = mv88w8618_eth_properties;
429 }
430 
431 static const TypeInfo mv88w8618_eth_info = {
432     .name          = "mv88w8618_eth",
433     .parent        = TYPE_SYS_BUS_DEVICE,
434     .instance_size = sizeof(mv88w8618_eth_state),
435     .class_init    = mv88w8618_eth_class_init,
436 };
437 
438 /* LCD register offsets */
439 #define MP_LCD_IRQCTRL          0x180
440 #define MP_LCD_IRQSTAT          0x184
441 #define MP_LCD_SPICTRL          0x1ac
442 #define MP_LCD_INST             0x1bc
443 #define MP_LCD_DATA             0x1c0
444 
445 /* Mode magics */
446 #define MP_LCD_SPI_DATA         0x00100011
447 #define MP_LCD_SPI_CMD          0x00104011
448 #define MP_LCD_SPI_INVALID      0x00000000
449 
450 /* Commmands */
451 #define MP_LCD_INST_SETPAGE0    0xB0
452 /* ... */
453 #define MP_LCD_INST_SETPAGE7    0xB7
454 
455 #define MP_LCD_TEXTCOLOR        0xe0e0ff /* RRGGBB */
456 
457 typedef struct musicpal_lcd_state {
458     SysBusDevice busdev;
459     MemoryRegion iomem;
460     uint32_t brightness;
461     uint32_t mode;
462     uint32_t irqctrl;
463     uint32_t page;
464     uint32_t page_off;
465     QemuConsole *con;
466     uint8_t video_ram[128*64/8];
467 } musicpal_lcd_state;
468 
469 static uint8_t scale_lcd_color(musicpal_lcd_state *s, uint8_t col)
470 {
471     switch (s->brightness) {
472     case 7:
473         return col;
474     case 0:
475         return 0;
476     default:
477         return (col * s->brightness) / 7;
478     }
479 }
480 
481 #define SET_LCD_PIXEL(depth, type) \
482 static inline void glue(set_lcd_pixel, depth) \
483         (musicpal_lcd_state *s, int x, int y, type col) \
484 { \
485     int dx, dy; \
486     DisplaySurface *surface = qemu_console_surface(s->con); \
487     type *pixel = &((type *) surface_data(surface))[(y * 128 * 3 + x) * 3]; \
488 \
489     for (dy = 0; dy < 3; dy++, pixel += 127 * 3) \
490         for (dx = 0; dx < 3; dx++, pixel++) \
491             *pixel = col; \
492 }
493 SET_LCD_PIXEL(8, uint8_t)
494 SET_LCD_PIXEL(16, uint16_t)
495 SET_LCD_PIXEL(32, uint32_t)
496 
497 static void lcd_refresh(void *opaque)
498 {
499     musicpal_lcd_state *s = opaque;
500     DisplaySurface *surface = qemu_console_surface(s->con);
501     int x, y, col;
502 
503     switch (surface_bits_per_pixel(surface)) {
504     case 0:
505         return;
506 #define LCD_REFRESH(depth, func) \
507     case depth: \
508         col = func(scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 16) & 0xff), \
509                    scale_lcd_color(s, (MP_LCD_TEXTCOLOR >> 8) & 0xff), \
510                    scale_lcd_color(s, MP_LCD_TEXTCOLOR & 0xff)); \
511         for (x = 0; x < 128; x++) { \
512             for (y = 0; y < 64; y++) { \
513                 if (s->video_ram[x + (y/8)*128] & (1 << (y % 8))) { \
514                     glue(set_lcd_pixel, depth)(s, x, y, col); \
515                 } else { \
516                     glue(set_lcd_pixel, depth)(s, x, y, 0); \
517                 } \
518             } \
519         } \
520         break;
521     LCD_REFRESH(8, rgb_to_pixel8)
522     LCD_REFRESH(16, rgb_to_pixel16)
523     LCD_REFRESH(32, (is_surface_bgr(surface) ?
524                      rgb_to_pixel32bgr : rgb_to_pixel32))
525     default:
526         hw_error("unsupported colour depth %i\n",
527                  surface_bits_per_pixel(surface));
528     }
529 
530     dpy_gfx_update(s->con, 0, 0, 128*3, 64*3);
531 }
532 
533 static void lcd_invalidate(void *opaque)
534 {
535 }
536 
537 static void musicpal_lcd_gpio_brigthness_in(void *opaque, int irq, int level)
538 {
539     musicpal_lcd_state *s = opaque;
540     s->brightness &= ~(1 << irq);
541     s->brightness |= level << irq;
542 }
543 
544 static uint64_t musicpal_lcd_read(void *opaque, hwaddr offset,
545                                   unsigned size)
546 {
547     musicpal_lcd_state *s = opaque;
548 
549     switch (offset) {
550     case MP_LCD_IRQCTRL:
551         return s->irqctrl;
552 
553     default:
554         return 0;
555     }
556 }
557 
558 static void musicpal_lcd_write(void *opaque, hwaddr offset,
559                                uint64_t value, unsigned size)
560 {
561     musicpal_lcd_state *s = opaque;
562 
563     switch (offset) {
564     case MP_LCD_IRQCTRL:
565         s->irqctrl = value;
566         break;
567 
568     case MP_LCD_SPICTRL:
569         if (value == MP_LCD_SPI_DATA || value == MP_LCD_SPI_CMD) {
570             s->mode = value;
571         } else {
572             s->mode = MP_LCD_SPI_INVALID;
573         }
574         break;
575 
576     case MP_LCD_INST:
577         if (value >= MP_LCD_INST_SETPAGE0 && value <= MP_LCD_INST_SETPAGE7) {
578             s->page = value - MP_LCD_INST_SETPAGE0;
579             s->page_off = 0;
580         }
581         break;
582 
583     case MP_LCD_DATA:
584         if (s->mode == MP_LCD_SPI_CMD) {
585             if (value >= MP_LCD_INST_SETPAGE0 &&
586                 value <= MP_LCD_INST_SETPAGE7) {
587                 s->page = value - MP_LCD_INST_SETPAGE0;
588                 s->page_off = 0;
589             }
590         } else if (s->mode == MP_LCD_SPI_DATA) {
591             s->video_ram[s->page*128 + s->page_off] = value;
592             s->page_off = (s->page_off + 1) & 127;
593         }
594         break;
595     }
596 }
597 
598 static const MemoryRegionOps musicpal_lcd_ops = {
599     .read = musicpal_lcd_read,
600     .write = musicpal_lcd_write,
601     .endianness = DEVICE_NATIVE_ENDIAN,
602 };
603 
604 static const GraphicHwOps musicpal_gfx_ops = {
605     .invalidate  = lcd_invalidate,
606     .gfx_update  = lcd_refresh,
607 };
608 
609 static int musicpal_lcd_init(SysBusDevice *dev)
610 {
611     musicpal_lcd_state *s = FROM_SYSBUS(musicpal_lcd_state, dev);
612 
613     s->brightness = 7;
614 
615     memory_region_init_io(&s->iomem, &musicpal_lcd_ops, s,
616                           "musicpal-lcd", MP_LCD_SIZE);
617     sysbus_init_mmio(dev, &s->iomem);
618 
619     s->con = graphic_console_init(&musicpal_gfx_ops, s);
620     qemu_console_resize(s->con, 128*3, 64*3);
621 
622     qdev_init_gpio_in(&dev->qdev, musicpal_lcd_gpio_brigthness_in, 3);
623 
624     return 0;
625 }
626 
627 static const VMStateDescription musicpal_lcd_vmsd = {
628     .name = "musicpal_lcd",
629     .version_id = 1,
630     .minimum_version_id = 1,
631     .minimum_version_id_old = 1,
632     .fields = (VMStateField[]) {
633         VMSTATE_UINT32(brightness, musicpal_lcd_state),
634         VMSTATE_UINT32(mode, musicpal_lcd_state),
635         VMSTATE_UINT32(irqctrl, musicpal_lcd_state),
636         VMSTATE_UINT32(page, musicpal_lcd_state),
637         VMSTATE_UINT32(page_off, musicpal_lcd_state),
638         VMSTATE_BUFFER(video_ram, musicpal_lcd_state),
639         VMSTATE_END_OF_LIST()
640     }
641 };
642 
643 static void musicpal_lcd_class_init(ObjectClass *klass, void *data)
644 {
645     DeviceClass *dc = DEVICE_CLASS(klass);
646     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
647 
648     k->init = musicpal_lcd_init;
649     dc->vmsd = &musicpal_lcd_vmsd;
650 }
651 
652 static const TypeInfo musicpal_lcd_info = {
653     .name          = "musicpal_lcd",
654     .parent        = TYPE_SYS_BUS_DEVICE,
655     .instance_size = sizeof(musicpal_lcd_state),
656     .class_init    = musicpal_lcd_class_init,
657 };
658 
659 /* PIC register offsets */
660 #define MP_PIC_STATUS           0x00
661 #define MP_PIC_ENABLE_SET       0x08
662 #define MP_PIC_ENABLE_CLR       0x0C
663 
664 typedef struct mv88w8618_pic_state
665 {
666     SysBusDevice busdev;
667     MemoryRegion iomem;
668     uint32_t level;
669     uint32_t enabled;
670     qemu_irq parent_irq;
671 } mv88w8618_pic_state;
672 
673 static void mv88w8618_pic_update(mv88w8618_pic_state *s)
674 {
675     qemu_set_irq(s->parent_irq, (s->level & s->enabled));
676 }
677 
678 static void mv88w8618_pic_set_irq(void *opaque, int irq, int level)
679 {
680     mv88w8618_pic_state *s = opaque;
681 
682     if (level) {
683         s->level |= 1 << irq;
684     } else {
685         s->level &= ~(1 << irq);
686     }
687     mv88w8618_pic_update(s);
688 }
689 
690 static uint64_t mv88w8618_pic_read(void *opaque, hwaddr offset,
691                                    unsigned size)
692 {
693     mv88w8618_pic_state *s = opaque;
694 
695     switch (offset) {
696     case MP_PIC_STATUS:
697         return s->level & s->enabled;
698 
699     default:
700         return 0;
701     }
702 }
703 
704 static void mv88w8618_pic_write(void *opaque, hwaddr offset,
705                                 uint64_t value, unsigned size)
706 {
707     mv88w8618_pic_state *s = opaque;
708 
709     switch (offset) {
710     case MP_PIC_ENABLE_SET:
711         s->enabled |= value;
712         break;
713 
714     case MP_PIC_ENABLE_CLR:
715         s->enabled &= ~value;
716         s->level &= ~value;
717         break;
718     }
719     mv88w8618_pic_update(s);
720 }
721 
722 static void mv88w8618_pic_reset(DeviceState *d)
723 {
724     mv88w8618_pic_state *s = FROM_SYSBUS(mv88w8618_pic_state,
725                                          SYS_BUS_DEVICE(d));
726 
727     s->level = 0;
728     s->enabled = 0;
729 }
730 
731 static const MemoryRegionOps mv88w8618_pic_ops = {
732     .read = mv88w8618_pic_read,
733     .write = mv88w8618_pic_write,
734     .endianness = DEVICE_NATIVE_ENDIAN,
735 };
736 
737 static int mv88w8618_pic_init(SysBusDevice *dev)
738 {
739     mv88w8618_pic_state *s = FROM_SYSBUS(mv88w8618_pic_state, dev);
740 
741     qdev_init_gpio_in(&dev->qdev, mv88w8618_pic_set_irq, 32);
742     sysbus_init_irq(dev, &s->parent_irq);
743     memory_region_init_io(&s->iomem, &mv88w8618_pic_ops, s,
744                           "musicpal-pic", MP_PIC_SIZE);
745     sysbus_init_mmio(dev, &s->iomem);
746     return 0;
747 }
748 
749 static const VMStateDescription mv88w8618_pic_vmsd = {
750     .name = "mv88w8618_pic",
751     .version_id = 1,
752     .minimum_version_id = 1,
753     .minimum_version_id_old = 1,
754     .fields = (VMStateField[]) {
755         VMSTATE_UINT32(level, mv88w8618_pic_state),
756         VMSTATE_UINT32(enabled, mv88w8618_pic_state),
757         VMSTATE_END_OF_LIST()
758     }
759 };
760 
761 static void mv88w8618_pic_class_init(ObjectClass *klass, void *data)
762 {
763     DeviceClass *dc = DEVICE_CLASS(klass);
764     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
765 
766     k->init = mv88w8618_pic_init;
767     dc->reset = mv88w8618_pic_reset;
768     dc->vmsd = &mv88w8618_pic_vmsd;
769 }
770 
771 static const TypeInfo mv88w8618_pic_info = {
772     .name          = "mv88w8618_pic",
773     .parent        = TYPE_SYS_BUS_DEVICE,
774     .instance_size = sizeof(mv88w8618_pic_state),
775     .class_init    = mv88w8618_pic_class_init,
776 };
777 
778 /* PIT register offsets */
779 #define MP_PIT_TIMER1_LENGTH    0x00
780 /* ... */
781 #define MP_PIT_TIMER4_LENGTH    0x0C
782 #define MP_PIT_CONTROL          0x10
783 #define MP_PIT_TIMER1_VALUE     0x14
784 /* ... */
785 #define MP_PIT_TIMER4_VALUE     0x20
786 #define MP_BOARD_RESET          0x34
787 
788 /* Magic board reset value (probably some watchdog behind it) */
789 #define MP_BOARD_RESET_MAGIC    0x10000
790 
791 typedef struct mv88w8618_timer_state {
792     ptimer_state *ptimer;
793     uint32_t limit;
794     int freq;
795     qemu_irq irq;
796 } mv88w8618_timer_state;
797 
798 typedef struct mv88w8618_pit_state {
799     SysBusDevice busdev;
800     MemoryRegion iomem;
801     mv88w8618_timer_state timer[4];
802 } mv88w8618_pit_state;
803 
804 static void mv88w8618_timer_tick(void *opaque)
805 {
806     mv88w8618_timer_state *s = opaque;
807 
808     qemu_irq_raise(s->irq);
809 }
810 
811 static void mv88w8618_timer_init(SysBusDevice *dev, mv88w8618_timer_state *s,
812                                  uint32_t freq)
813 {
814     QEMUBH *bh;
815 
816     sysbus_init_irq(dev, &s->irq);
817     s->freq = freq;
818 
819     bh = qemu_bh_new(mv88w8618_timer_tick, s);
820     s->ptimer = ptimer_init(bh);
821 }
822 
823 static uint64_t mv88w8618_pit_read(void *opaque, hwaddr offset,
824                                    unsigned size)
825 {
826     mv88w8618_pit_state *s = opaque;
827     mv88w8618_timer_state *t;
828 
829     switch (offset) {
830     case MP_PIT_TIMER1_VALUE ... MP_PIT_TIMER4_VALUE:
831         t = &s->timer[(offset-MP_PIT_TIMER1_VALUE) >> 2];
832         return ptimer_get_count(t->ptimer);
833 
834     default:
835         return 0;
836     }
837 }
838 
839 static void mv88w8618_pit_write(void *opaque, hwaddr offset,
840                                 uint64_t value, unsigned size)
841 {
842     mv88w8618_pit_state *s = opaque;
843     mv88w8618_timer_state *t;
844     int i;
845 
846     switch (offset) {
847     case MP_PIT_TIMER1_LENGTH ... MP_PIT_TIMER4_LENGTH:
848         t = &s->timer[offset >> 2];
849         t->limit = value;
850         if (t->limit > 0) {
851             ptimer_set_limit(t->ptimer, t->limit, 1);
852         } else {
853             ptimer_stop(t->ptimer);
854         }
855         break;
856 
857     case MP_PIT_CONTROL:
858         for (i = 0; i < 4; i++) {
859             t = &s->timer[i];
860             if (value & 0xf && t->limit > 0) {
861                 ptimer_set_limit(t->ptimer, t->limit, 0);
862                 ptimer_set_freq(t->ptimer, t->freq);
863                 ptimer_run(t->ptimer, 0);
864             } else {
865                 ptimer_stop(t->ptimer);
866             }
867             value >>= 4;
868         }
869         break;
870 
871     case MP_BOARD_RESET:
872         if (value == MP_BOARD_RESET_MAGIC) {
873             qemu_system_reset_request();
874         }
875         break;
876     }
877 }
878 
879 static void mv88w8618_pit_reset(DeviceState *d)
880 {
881     mv88w8618_pit_state *s = FROM_SYSBUS(mv88w8618_pit_state,
882                                          SYS_BUS_DEVICE(d));
883     int i;
884 
885     for (i = 0; i < 4; i++) {
886         ptimer_stop(s->timer[i].ptimer);
887         s->timer[i].limit = 0;
888     }
889 }
890 
891 static const MemoryRegionOps mv88w8618_pit_ops = {
892     .read = mv88w8618_pit_read,
893     .write = mv88w8618_pit_write,
894     .endianness = DEVICE_NATIVE_ENDIAN,
895 };
896 
897 static int mv88w8618_pit_init(SysBusDevice *dev)
898 {
899     mv88w8618_pit_state *s = FROM_SYSBUS(mv88w8618_pit_state, dev);
900     int i;
901 
902     /* Letting them all run at 1 MHz is likely just a pragmatic
903      * simplification. */
904     for (i = 0; i < 4; i++) {
905         mv88w8618_timer_init(dev, &s->timer[i], 1000000);
906     }
907 
908     memory_region_init_io(&s->iomem, &mv88w8618_pit_ops, s,
909                           "musicpal-pit", MP_PIT_SIZE);
910     sysbus_init_mmio(dev, &s->iomem);
911     return 0;
912 }
913 
914 static const VMStateDescription mv88w8618_timer_vmsd = {
915     .name = "timer",
916     .version_id = 1,
917     .minimum_version_id = 1,
918     .minimum_version_id_old = 1,
919     .fields = (VMStateField[]) {
920         VMSTATE_PTIMER(ptimer, mv88w8618_timer_state),
921         VMSTATE_UINT32(limit, mv88w8618_timer_state),
922         VMSTATE_END_OF_LIST()
923     }
924 };
925 
926 static const VMStateDescription mv88w8618_pit_vmsd = {
927     .name = "mv88w8618_pit",
928     .version_id = 1,
929     .minimum_version_id = 1,
930     .minimum_version_id_old = 1,
931     .fields = (VMStateField[]) {
932         VMSTATE_STRUCT_ARRAY(timer, mv88w8618_pit_state, 4, 1,
933                              mv88w8618_timer_vmsd, mv88w8618_timer_state),
934         VMSTATE_END_OF_LIST()
935     }
936 };
937 
938 static void mv88w8618_pit_class_init(ObjectClass *klass, void *data)
939 {
940     DeviceClass *dc = DEVICE_CLASS(klass);
941     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
942 
943     k->init = mv88w8618_pit_init;
944     dc->reset = mv88w8618_pit_reset;
945     dc->vmsd = &mv88w8618_pit_vmsd;
946 }
947 
948 static const TypeInfo mv88w8618_pit_info = {
949     .name          = "mv88w8618_pit",
950     .parent        = TYPE_SYS_BUS_DEVICE,
951     .instance_size = sizeof(mv88w8618_pit_state),
952     .class_init    = mv88w8618_pit_class_init,
953 };
954 
955 /* Flash config register offsets */
956 #define MP_FLASHCFG_CFGR0    0x04
957 
958 typedef struct mv88w8618_flashcfg_state {
959     SysBusDevice busdev;
960     MemoryRegion iomem;
961     uint32_t cfgr0;
962 } mv88w8618_flashcfg_state;
963 
964 static uint64_t mv88w8618_flashcfg_read(void *opaque,
965                                         hwaddr offset,
966                                         unsigned size)
967 {
968     mv88w8618_flashcfg_state *s = opaque;
969 
970     switch (offset) {
971     case MP_FLASHCFG_CFGR0:
972         return s->cfgr0;
973 
974     default:
975         return 0;
976     }
977 }
978 
979 static void mv88w8618_flashcfg_write(void *opaque, hwaddr offset,
980                                      uint64_t value, unsigned size)
981 {
982     mv88w8618_flashcfg_state *s = opaque;
983 
984     switch (offset) {
985     case MP_FLASHCFG_CFGR0:
986         s->cfgr0 = value;
987         break;
988     }
989 }
990 
991 static const MemoryRegionOps mv88w8618_flashcfg_ops = {
992     .read = mv88w8618_flashcfg_read,
993     .write = mv88w8618_flashcfg_write,
994     .endianness = DEVICE_NATIVE_ENDIAN,
995 };
996 
997 static int mv88w8618_flashcfg_init(SysBusDevice *dev)
998 {
999     mv88w8618_flashcfg_state *s = FROM_SYSBUS(mv88w8618_flashcfg_state, dev);
1000 
1001     s->cfgr0 = 0xfffe4285; /* Default as set by U-Boot for 8 MB flash */
1002     memory_region_init_io(&s->iomem, &mv88w8618_flashcfg_ops, s,
1003                           "musicpal-flashcfg", MP_FLASHCFG_SIZE);
1004     sysbus_init_mmio(dev, &s->iomem);
1005     return 0;
1006 }
1007 
1008 static const VMStateDescription mv88w8618_flashcfg_vmsd = {
1009     .name = "mv88w8618_flashcfg",
1010     .version_id = 1,
1011     .minimum_version_id = 1,
1012     .minimum_version_id_old = 1,
1013     .fields = (VMStateField[]) {
1014         VMSTATE_UINT32(cfgr0, mv88w8618_flashcfg_state),
1015         VMSTATE_END_OF_LIST()
1016     }
1017 };
1018 
1019 static void mv88w8618_flashcfg_class_init(ObjectClass *klass, void *data)
1020 {
1021     DeviceClass *dc = DEVICE_CLASS(klass);
1022     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1023 
1024     k->init = mv88w8618_flashcfg_init;
1025     dc->vmsd = &mv88w8618_flashcfg_vmsd;
1026 }
1027 
1028 static const TypeInfo mv88w8618_flashcfg_info = {
1029     .name          = "mv88w8618_flashcfg",
1030     .parent        = TYPE_SYS_BUS_DEVICE,
1031     .instance_size = sizeof(mv88w8618_flashcfg_state),
1032     .class_init    = mv88w8618_flashcfg_class_init,
1033 };
1034 
1035 /* Misc register offsets */
1036 #define MP_MISC_BOARD_REVISION  0x18
1037 
1038 #define MP_BOARD_REVISION       0x31
1039 
1040 typedef struct {
1041     SysBusDevice parent_obj;
1042     MemoryRegion iomem;
1043 } MusicPalMiscState;
1044 
1045 #define TYPE_MUSICPAL_MISC "musicpal-misc"
1046 #define MUSICPAL_MISC(obj) \
1047      OBJECT_CHECK(MusicPalMiscState, (obj), TYPE_MUSICPAL_MISC)
1048 
1049 static uint64_t musicpal_misc_read(void *opaque, hwaddr offset,
1050                                    unsigned size)
1051 {
1052     switch (offset) {
1053     case MP_MISC_BOARD_REVISION:
1054         return MP_BOARD_REVISION;
1055 
1056     default:
1057         return 0;
1058     }
1059 }
1060 
1061 static void musicpal_misc_write(void *opaque, hwaddr offset,
1062                                 uint64_t value, unsigned size)
1063 {
1064 }
1065 
1066 static const MemoryRegionOps musicpal_misc_ops = {
1067     .read = musicpal_misc_read,
1068     .write = musicpal_misc_write,
1069     .endianness = DEVICE_NATIVE_ENDIAN,
1070 };
1071 
1072 static void musicpal_misc_init(Object *obj)
1073 {
1074     SysBusDevice *sd = SYS_BUS_DEVICE(obj);
1075     MusicPalMiscState *s = MUSICPAL_MISC(obj);
1076 
1077     memory_region_init_io(&s->iomem, &musicpal_misc_ops, NULL,
1078                           "musicpal-misc", MP_MISC_SIZE);
1079     sysbus_init_mmio(sd, &s->iomem);
1080 }
1081 
1082 static const TypeInfo musicpal_misc_info = {
1083     .name = TYPE_MUSICPAL_MISC,
1084     .parent = TYPE_SYS_BUS_DEVICE,
1085     .instance_init = musicpal_misc_init,
1086     .instance_size = sizeof(MusicPalMiscState),
1087 };
1088 
1089 /* WLAN register offsets */
1090 #define MP_WLAN_MAGIC1          0x11c
1091 #define MP_WLAN_MAGIC2          0x124
1092 
1093 static uint64_t mv88w8618_wlan_read(void *opaque, hwaddr offset,
1094                                     unsigned size)
1095 {
1096     switch (offset) {
1097     /* Workaround to allow loading the binary-only wlandrv.ko crap
1098      * from the original Freecom firmware. */
1099     case MP_WLAN_MAGIC1:
1100         return ~3;
1101     case MP_WLAN_MAGIC2:
1102         return -1;
1103 
1104     default:
1105         return 0;
1106     }
1107 }
1108 
1109 static void mv88w8618_wlan_write(void *opaque, hwaddr offset,
1110                                  uint64_t value, unsigned size)
1111 {
1112 }
1113 
1114 static const MemoryRegionOps mv88w8618_wlan_ops = {
1115     .read = mv88w8618_wlan_read,
1116     .write =mv88w8618_wlan_write,
1117     .endianness = DEVICE_NATIVE_ENDIAN,
1118 };
1119 
1120 static int mv88w8618_wlan_init(SysBusDevice *dev)
1121 {
1122     MemoryRegion *iomem = g_new(MemoryRegion, 1);
1123 
1124     memory_region_init_io(iomem, &mv88w8618_wlan_ops, NULL,
1125                           "musicpal-wlan", MP_WLAN_SIZE);
1126     sysbus_init_mmio(dev, iomem);
1127     return 0;
1128 }
1129 
1130 /* GPIO register offsets */
1131 #define MP_GPIO_OE_LO           0x008
1132 #define MP_GPIO_OUT_LO          0x00c
1133 #define MP_GPIO_IN_LO           0x010
1134 #define MP_GPIO_IER_LO          0x014
1135 #define MP_GPIO_IMR_LO          0x018
1136 #define MP_GPIO_ISR_LO          0x020
1137 #define MP_GPIO_OE_HI           0x508
1138 #define MP_GPIO_OUT_HI          0x50c
1139 #define MP_GPIO_IN_HI           0x510
1140 #define MP_GPIO_IER_HI          0x514
1141 #define MP_GPIO_IMR_HI          0x518
1142 #define MP_GPIO_ISR_HI          0x520
1143 
1144 /* GPIO bits & masks */
1145 #define MP_GPIO_LCD_BRIGHTNESS  0x00070000
1146 #define MP_GPIO_I2C_DATA_BIT    29
1147 #define MP_GPIO_I2C_CLOCK_BIT   30
1148 
1149 /* LCD brightness bits in GPIO_OE_HI */
1150 #define MP_OE_LCD_BRIGHTNESS    0x0007
1151 
1152 typedef struct musicpal_gpio_state {
1153     SysBusDevice busdev;
1154     MemoryRegion iomem;
1155     uint32_t lcd_brightness;
1156     uint32_t out_state;
1157     uint32_t in_state;
1158     uint32_t ier;
1159     uint32_t imr;
1160     uint32_t isr;
1161     qemu_irq irq;
1162     qemu_irq out[5]; /* 3 brightness out + 2 lcd (data and clock ) */
1163 } musicpal_gpio_state;
1164 
1165 static void musicpal_gpio_brightness_update(musicpal_gpio_state *s) {
1166     int i;
1167     uint32_t brightness;
1168 
1169     /* compute brightness ratio */
1170     switch (s->lcd_brightness) {
1171     case 0x00000007:
1172         brightness = 0;
1173         break;
1174 
1175     case 0x00020000:
1176         brightness = 1;
1177         break;
1178 
1179     case 0x00020001:
1180         brightness = 2;
1181         break;
1182 
1183     case 0x00040000:
1184         brightness = 3;
1185         break;
1186 
1187     case 0x00010006:
1188         brightness = 4;
1189         break;
1190 
1191     case 0x00020005:
1192         brightness = 5;
1193         break;
1194 
1195     case 0x00040003:
1196         brightness = 6;
1197         break;
1198 
1199     case 0x00030004:
1200     default:
1201         brightness = 7;
1202     }
1203 
1204     /* set lcd brightness GPIOs  */
1205     for (i = 0; i <= 2; i++) {
1206         qemu_set_irq(s->out[i], (brightness >> i) & 1);
1207     }
1208 }
1209 
1210 static void musicpal_gpio_pin_event(void *opaque, int pin, int level)
1211 {
1212     musicpal_gpio_state *s = opaque;
1213     uint32_t mask = 1 << pin;
1214     uint32_t delta = level << pin;
1215     uint32_t old = s->in_state & mask;
1216 
1217     s->in_state &= ~mask;
1218     s->in_state |= delta;
1219 
1220     if ((old ^ delta) &&
1221         ((level && (s->imr & mask)) || (!level && (s->ier & mask)))) {
1222         s->isr = mask;
1223         qemu_irq_raise(s->irq);
1224     }
1225 }
1226 
1227 static uint64_t musicpal_gpio_read(void *opaque, hwaddr offset,
1228                                    unsigned size)
1229 {
1230     musicpal_gpio_state *s = opaque;
1231 
1232     switch (offset) {
1233     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1234         return s->lcd_brightness & MP_OE_LCD_BRIGHTNESS;
1235 
1236     case MP_GPIO_OUT_LO:
1237         return s->out_state & 0xFFFF;
1238     case MP_GPIO_OUT_HI:
1239         return s->out_state >> 16;
1240 
1241     case MP_GPIO_IN_LO:
1242         return s->in_state & 0xFFFF;
1243     case MP_GPIO_IN_HI:
1244         return s->in_state >> 16;
1245 
1246     case MP_GPIO_IER_LO:
1247         return s->ier & 0xFFFF;
1248     case MP_GPIO_IER_HI:
1249         return s->ier >> 16;
1250 
1251     case MP_GPIO_IMR_LO:
1252         return s->imr & 0xFFFF;
1253     case MP_GPIO_IMR_HI:
1254         return s->imr >> 16;
1255 
1256     case MP_GPIO_ISR_LO:
1257         return s->isr & 0xFFFF;
1258     case MP_GPIO_ISR_HI:
1259         return s->isr >> 16;
1260 
1261     default:
1262         return 0;
1263     }
1264 }
1265 
1266 static void musicpal_gpio_write(void *opaque, hwaddr offset,
1267                                 uint64_t value, unsigned size)
1268 {
1269     musicpal_gpio_state *s = opaque;
1270     switch (offset) {
1271     case MP_GPIO_OE_HI: /* used for LCD brightness control */
1272         s->lcd_brightness = (s->lcd_brightness & MP_GPIO_LCD_BRIGHTNESS) |
1273                          (value & MP_OE_LCD_BRIGHTNESS);
1274         musicpal_gpio_brightness_update(s);
1275         break;
1276 
1277     case MP_GPIO_OUT_LO:
1278         s->out_state = (s->out_state & 0xFFFF0000) | (value & 0xFFFF);
1279         break;
1280     case MP_GPIO_OUT_HI:
1281         s->out_state = (s->out_state & 0xFFFF) | (value << 16);
1282         s->lcd_brightness = (s->lcd_brightness & 0xFFFF) |
1283                             (s->out_state & MP_GPIO_LCD_BRIGHTNESS);
1284         musicpal_gpio_brightness_update(s);
1285         qemu_set_irq(s->out[3], (s->out_state >> MP_GPIO_I2C_DATA_BIT) & 1);
1286         qemu_set_irq(s->out[4], (s->out_state >> MP_GPIO_I2C_CLOCK_BIT) & 1);
1287         break;
1288 
1289     case MP_GPIO_IER_LO:
1290         s->ier = (s->ier & 0xFFFF0000) | (value & 0xFFFF);
1291         break;
1292     case MP_GPIO_IER_HI:
1293         s->ier = (s->ier & 0xFFFF) | (value << 16);
1294         break;
1295 
1296     case MP_GPIO_IMR_LO:
1297         s->imr = (s->imr & 0xFFFF0000) | (value & 0xFFFF);
1298         break;
1299     case MP_GPIO_IMR_HI:
1300         s->imr = (s->imr & 0xFFFF) | (value << 16);
1301         break;
1302     }
1303 }
1304 
1305 static const MemoryRegionOps musicpal_gpio_ops = {
1306     .read = musicpal_gpio_read,
1307     .write = musicpal_gpio_write,
1308     .endianness = DEVICE_NATIVE_ENDIAN,
1309 };
1310 
1311 static void musicpal_gpio_reset(DeviceState *d)
1312 {
1313     musicpal_gpio_state *s = FROM_SYSBUS(musicpal_gpio_state,
1314                                          SYS_BUS_DEVICE(d));
1315 
1316     s->lcd_brightness = 0;
1317     s->out_state = 0;
1318     s->in_state = 0xffffffff;
1319     s->ier = 0;
1320     s->imr = 0;
1321     s->isr = 0;
1322 }
1323 
1324 static int musicpal_gpio_init(SysBusDevice *dev)
1325 {
1326     musicpal_gpio_state *s = FROM_SYSBUS(musicpal_gpio_state, dev);
1327 
1328     sysbus_init_irq(dev, &s->irq);
1329 
1330     memory_region_init_io(&s->iomem, &musicpal_gpio_ops, s,
1331                           "musicpal-gpio", MP_GPIO_SIZE);
1332     sysbus_init_mmio(dev, &s->iomem);
1333 
1334     qdev_init_gpio_out(&dev->qdev, s->out, ARRAY_SIZE(s->out));
1335 
1336     qdev_init_gpio_in(&dev->qdev, musicpal_gpio_pin_event, 32);
1337 
1338     return 0;
1339 }
1340 
1341 static const VMStateDescription musicpal_gpio_vmsd = {
1342     .name = "musicpal_gpio",
1343     .version_id = 1,
1344     .minimum_version_id = 1,
1345     .minimum_version_id_old = 1,
1346     .fields = (VMStateField[]) {
1347         VMSTATE_UINT32(lcd_brightness, musicpal_gpio_state),
1348         VMSTATE_UINT32(out_state, musicpal_gpio_state),
1349         VMSTATE_UINT32(in_state, musicpal_gpio_state),
1350         VMSTATE_UINT32(ier, musicpal_gpio_state),
1351         VMSTATE_UINT32(imr, musicpal_gpio_state),
1352         VMSTATE_UINT32(isr, musicpal_gpio_state),
1353         VMSTATE_END_OF_LIST()
1354     }
1355 };
1356 
1357 static void musicpal_gpio_class_init(ObjectClass *klass, void *data)
1358 {
1359     DeviceClass *dc = DEVICE_CLASS(klass);
1360     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1361 
1362     k->init = musicpal_gpio_init;
1363     dc->reset = musicpal_gpio_reset;
1364     dc->vmsd = &musicpal_gpio_vmsd;
1365 }
1366 
1367 static const TypeInfo musicpal_gpio_info = {
1368     .name          = "musicpal_gpio",
1369     .parent        = TYPE_SYS_BUS_DEVICE,
1370     .instance_size = sizeof(musicpal_gpio_state),
1371     .class_init    = musicpal_gpio_class_init,
1372 };
1373 
1374 /* Keyboard codes & masks */
1375 #define KEY_RELEASED            0x80
1376 #define KEY_CODE                0x7f
1377 
1378 #define KEYCODE_TAB             0x0f
1379 #define KEYCODE_ENTER           0x1c
1380 #define KEYCODE_F               0x21
1381 #define KEYCODE_M               0x32
1382 
1383 #define KEYCODE_EXTENDED        0xe0
1384 #define KEYCODE_UP              0x48
1385 #define KEYCODE_DOWN            0x50
1386 #define KEYCODE_LEFT            0x4b
1387 #define KEYCODE_RIGHT           0x4d
1388 
1389 #define MP_KEY_WHEEL_VOL       (1 << 0)
1390 #define MP_KEY_WHEEL_VOL_INV   (1 << 1)
1391 #define MP_KEY_WHEEL_NAV       (1 << 2)
1392 #define MP_KEY_WHEEL_NAV_INV   (1 << 3)
1393 #define MP_KEY_BTN_FAVORITS    (1 << 4)
1394 #define MP_KEY_BTN_MENU        (1 << 5)
1395 #define MP_KEY_BTN_VOLUME      (1 << 6)
1396 #define MP_KEY_BTN_NAVIGATION  (1 << 7)
1397 
1398 typedef struct musicpal_key_state {
1399     SysBusDevice busdev;
1400     MemoryRegion iomem;
1401     uint32_t kbd_extended;
1402     uint32_t pressed_keys;
1403     qemu_irq out[8];
1404 } musicpal_key_state;
1405 
1406 static void musicpal_key_event(void *opaque, int keycode)
1407 {
1408     musicpal_key_state *s = opaque;
1409     uint32_t event = 0;
1410     int i;
1411 
1412     if (keycode == KEYCODE_EXTENDED) {
1413         s->kbd_extended = 1;
1414         return;
1415     }
1416 
1417     if (s->kbd_extended) {
1418         switch (keycode & KEY_CODE) {
1419         case KEYCODE_UP:
1420             event = MP_KEY_WHEEL_NAV | MP_KEY_WHEEL_NAV_INV;
1421             break;
1422 
1423         case KEYCODE_DOWN:
1424             event = MP_KEY_WHEEL_NAV;
1425             break;
1426 
1427         case KEYCODE_LEFT:
1428             event = MP_KEY_WHEEL_VOL | MP_KEY_WHEEL_VOL_INV;
1429             break;
1430 
1431         case KEYCODE_RIGHT:
1432             event = MP_KEY_WHEEL_VOL;
1433             break;
1434         }
1435     } else {
1436         switch (keycode & KEY_CODE) {
1437         case KEYCODE_F:
1438             event = MP_KEY_BTN_FAVORITS;
1439             break;
1440 
1441         case KEYCODE_TAB:
1442             event = MP_KEY_BTN_VOLUME;
1443             break;
1444 
1445         case KEYCODE_ENTER:
1446             event = MP_KEY_BTN_NAVIGATION;
1447             break;
1448 
1449         case KEYCODE_M:
1450             event = MP_KEY_BTN_MENU;
1451             break;
1452         }
1453         /* Do not repeat already pressed buttons */
1454         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1455             event = 0;
1456         }
1457     }
1458 
1459     if (event) {
1460         /* Raise GPIO pin first if repeating a key */
1461         if (!(keycode & KEY_RELEASED) && (s->pressed_keys & event)) {
1462             for (i = 0; i <= 7; i++) {
1463                 if (event & (1 << i)) {
1464                     qemu_set_irq(s->out[i], 1);
1465                 }
1466             }
1467         }
1468         for (i = 0; i <= 7; i++) {
1469             if (event & (1 << i)) {
1470                 qemu_set_irq(s->out[i], !!(keycode & KEY_RELEASED));
1471             }
1472         }
1473         if (keycode & KEY_RELEASED) {
1474             s->pressed_keys &= ~event;
1475         } else {
1476             s->pressed_keys |= event;
1477         }
1478     }
1479 
1480     s->kbd_extended = 0;
1481 }
1482 
1483 static int musicpal_key_init(SysBusDevice *dev)
1484 {
1485     musicpal_key_state *s = FROM_SYSBUS(musicpal_key_state, dev);
1486 
1487     memory_region_init(&s->iomem, "dummy", 0);
1488     sysbus_init_mmio(dev, &s->iomem);
1489 
1490     s->kbd_extended = 0;
1491     s->pressed_keys = 0;
1492 
1493     qdev_init_gpio_out(&dev->qdev, s->out, ARRAY_SIZE(s->out));
1494 
1495     qemu_add_kbd_event_handler(musicpal_key_event, s);
1496 
1497     return 0;
1498 }
1499 
1500 static const VMStateDescription musicpal_key_vmsd = {
1501     .name = "musicpal_key",
1502     .version_id = 1,
1503     .minimum_version_id = 1,
1504     .minimum_version_id_old = 1,
1505     .fields = (VMStateField[]) {
1506         VMSTATE_UINT32(kbd_extended, musicpal_key_state),
1507         VMSTATE_UINT32(pressed_keys, musicpal_key_state),
1508         VMSTATE_END_OF_LIST()
1509     }
1510 };
1511 
1512 static void musicpal_key_class_init(ObjectClass *klass, void *data)
1513 {
1514     DeviceClass *dc = DEVICE_CLASS(klass);
1515     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
1516 
1517     k->init = musicpal_key_init;
1518     dc->vmsd = &musicpal_key_vmsd;
1519 }
1520 
1521 static const TypeInfo musicpal_key_info = {
1522     .name          = "musicpal_key",
1523     .parent        = TYPE_SYS_BUS_DEVICE,
1524     .instance_size = sizeof(musicpal_key_state),
1525     .class_init    = musicpal_key_class_init,
1526 };
1527 
1528 static struct arm_boot_info musicpal_binfo = {
1529     .loader_start = 0x0,
1530     .board_id = 0x20e,
1531 };
1532 
1533 static void musicpal_init(QEMUMachineInitArgs *args)
1534 {
1535     const char *cpu_model = args->cpu_model;
1536     const char *kernel_filename = args->kernel_filename;
1537     const char *kernel_cmdline = args->kernel_cmdline;
1538     const char *initrd_filename = args->initrd_filename;
1539     ARMCPU *cpu;
1540     qemu_irq *cpu_pic;
1541     qemu_irq pic[32];
1542     DeviceState *dev;
1543     DeviceState *i2c_dev;
1544     DeviceState *lcd_dev;
1545     DeviceState *key_dev;
1546     DeviceState *wm8750_dev;
1547     SysBusDevice *s;
1548     i2c_bus *i2c;
1549     int i;
1550     unsigned long flash_size;
1551     DriveInfo *dinfo;
1552     MemoryRegion *address_space_mem = get_system_memory();
1553     MemoryRegion *ram = g_new(MemoryRegion, 1);
1554     MemoryRegion *sram = g_new(MemoryRegion, 1);
1555 
1556     if (!cpu_model) {
1557         cpu_model = "arm926";
1558     }
1559     cpu = cpu_arm_init(cpu_model);
1560     if (!cpu) {
1561         fprintf(stderr, "Unable to find CPU definition\n");
1562         exit(1);
1563     }
1564     cpu_pic = arm_pic_init_cpu(cpu);
1565 
1566     /* For now we use a fixed - the original - RAM size */
1567     memory_region_init_ram(ram, "musicpal.ram", MP_RAM_DEFAULT_SIZE);
1568     vmstate_register_ram_global(ram);
1569     memory_region_add_subregion(address_space_mem, 0, ram);
1570 
1571     memory_region_init_ram(sram, "musicpal.sram", MP_SRAM_SIZE);
1572     vmstate_register_ram_global(sram);
1573     memory_region_add_subregion(address_space_mem, MP_SRAM_BASE, sram);
1574 
1575     dev = sysbus_create_simple("mv88w8618_pic", MP_PIC_BASE,
1576                                cpu_pic[ARM_PIC_CPU_IRQ]);
1577     for (i = 0; i < 32; i++) {
1578         pic[i] = qdev_get_gpio_in(dev, i);
1579     }
1580     sysbus_create_varargs("mv88w8618_pit", MP_PIT_BASE, pic[MP_TIMER1_IRQ],
1581                           pic[MP_TIMER2_IRQ], pic[MP_TIMER3_IRQ],
1582                           pic[MP_TIMER4_IRQ], NULL);
1583 
1584     if (serial_hds[0]) {
1585         serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
1586                        1825000, serial_hds[0], DEVICE_NATIVE_ENDIAN);
1587     }
1588     if (serial_hds[1]) {
1589         serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
1590                        1825000, serial_hds[1], DEVICE_NATIVE_ENDIAN);
1591     }
1592 
1593     /* Register flash */
1594     dinfo = drive_get(IF_PFLASH, 0, 0);
1595     if (dinfo) {
1596         flash_size = bdrv_getlength(dinfo->bdrv);
1597         if (flash_size != 8*1024*1024 && flash_size != 16*1024*1024 &&
1598             flash_size != 32*1024*1024) {
1599             fprintf(stderr, "Invalid flash image size\n");
1600             exit(1);
1601         }
1602 
1603         /*
1604          * The original U-Boot accesses the flash at 0xFE000000 instead of
1605          * 0xFF800000 (if there is 8 MB flash). So remap flash access if the
1606          * image is smaller than 32 MB.
1607          */
1608 #ifdef TARGET_WORDS_BIGENDIAN
1609         pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
1610                               "musicpal.flash", flash_size,
1611                               dinfo->bdrv, 0x10000,
1612                               (flash_size + 0xffff) >> 16,
1613                               MP_FLASH_SIZE_MAX / flash_size,
1614                               2, 0x00BF, 0x236D, 0x0000, 0x0000,
1615                               0x5555, 0x2AAA, 1);
1616 #else
1617         pflash_cfi02_register(0x100000000ULL-MP_FLASH_SIZE_MAX, NULL,
1618                               "musicpal.flash", flash_size,
1619                               dinfo->bdrv, 0x10000,
1620                               (flash_size + 0xffff) >> 16,
1621                               MP_FLASH_SIZE_MAX / flash_size,
1622                               2, 0x00BF, 0x236D, 0x0000, 0x0000,
1623                               0x5555, 0x2AAA, 0);
1624 #endif
1625 
1626     }
1627     sysbus_create_simple("mv88w8618_flashcfg", MP_FLASHCFG_BASE, NULL);
1628 
1629     qemu_check_nic_model(&nd_table[0], "mv88w8618");
1630     dev = qdev_create(NULL, "mv88w8618_eth");
1631     qdev_set_nic_properties(dev, &nd_table[0]);
1632     qdev_init_nofail(dev);
1633     sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, MP_ETH_BASE);
1634     sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, pic[MP_ETH_IRQ]);
1635 
1636     sysbus_create_simple("mv88w8618_wlan", MP_WLAN_BASE, NULL);
1637 
1638     sysbus_create_simple(TYPE_MUSICPAL_MISC, MP_MISC_BASE, NULL);
1639 
1640     dev = sysbus_create_simple("musicpal_gpio", MP_GPIO_BASE, pic[MP_GPIO_IRQ]);
1641     i2c_dev = sysbus_create_simple("gpio_i2c", -1, NULL);
1642     i2c = (i2c_bus *)qdev_get_child_bus(i2c_dev, "i2c");
1643 
1644     lcd_dev = sysbus_create_simple("musicpal_lcd", MP_LCD_BASE, NULL);
1645     key_dev = sysbus_create_simple("musicpal_key", -1, NULL);
1646 
1647     /* I2C read data */
1648     qdev_connect_gpio_out(i2c_dev, 0,
1649                           qdev_get_gpio_in(dev, MP_GPIO_I2C_DATA_BIT));
1650     /* I2C data */
1651     qdev_connect_gpio_out(dev, 3, qdev_get_gpio_in(i2c_dev, 0));
1652     /* I2C clock */
1653     qdev_connect_gpio_out(dev, 4, qdev_get_gpio_in(i2c_dev, 1));
1654 
1655     for (i = 0; i < 3; i++) {
1656         qdev_connect_gpio_out(dev, i, qdev_get_gpio_in(lcd_dev, i));
1657     }
1658     for (i = 0; i < 4; i++) {
1659         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 8));
1660     }
1661     for (i = 4; i < 8; i++) {
1662         qdev_connect_gpio_out(key_dev, i, qdev_get_gpio_in(dev, i + 15));
1663     }
1664 
1665     wm8750_dev = i2c_create_slave(i2c, "wm8750", MP_WM_ADDR);
1666     dev = qdev_create(NULL, "mv88w8618_audio");
1667     s = SYS_BUS_DEVICE(dev);
1668     qdev_prop_set_ptr(dev, "wm8750", wm8750_dev);
1669     qdev_init_nofail(dev);
1670     sysbus_mmio_map(s, 0, MP_AUDIO_BASE);
1671     sysbus_connect_irq(s, 0, pic[MP_AUDIO_IRQ]);
1672 
1673     musicpal_binfo.ram_size = MP_RAM_DEFAULT_SIZE;
1674     musicpal_binfo.kernel_filename = kernel_filename;
1675     musicpal_binfo.kernel_cmdline = kernel_cmdline;
1676     musicpal_binfo.initrd_filename = initrd_filename;
1677     arm_load_kernel(cpu, &musicpal_binfo);
1678 }
1679 
1680 static QEMUMachine musicpal_machine = {
1681     .name = "musicpal",
1682     .desc = "Marvell 88w8618 / MusicPal (ARM926EJ-S)",
1683     .init = musicpal_init,
1684     DEFAULT_MACHINE_OPTIONS,
1685 };
1686 
1687 static void musicpal_machine_init(void)
1688 {
1689     qemu_register_machine(&musicpal_machine);
1690 }
1691 
1692 machine_init(musicpal_machine_init);
1693 
1694 static void mv88w8618_wlan_class_init(ObjectClass *klass, void *data)
1695 {
1696     SysBusDeviceClass *sdc = SYS_BUS_DEVICE_CLASS(klass);
1697 
1698     sdc->init = mv88w8618_wlan_init;
1699 }
1700 
1701 static const TypeInfo mv88w8618_wlan_info = {
1702     .name          = "mv88w8618_wlan",
1703     .parent        = TYPE_SYS_BUS_DEVICE,
1704     .instance_size = sizeof(SysBusDevice),
1705     .class_init    = mv88w8618_wlan_class_init,
1706 };
1707 
1708 static void musicpal_register_types(void)
1709 {
1710     type_register_static(&mv88w8618_pic_info);
1711     type_register_static(&mv88w8618_pit_info);
1712     type_register_static(&mv88w8618_flashcfg_info);
1713     type_register_static(&mv88w8618_eth_info);
1714     type_register_static(&mv88w8618_wlan_info);
1715     type_register_static(&musicpal_lcd_info);
1716     type_register_static(&musicpal_gpio_info);
1717     type_register_static(&musicpal_key_info);
1718     type_register_static(&musicpal_misc_info);
1719 }
1720 
1721 type_init(musicpal_register_types)
1722