xref: /openbmc/qemu/hw/arm/nseries.c (revision 3ab8bf83)
1 /*
2  * Nokia N-series internet tablets.
3  *
4  * Copyright (C) 2007 Nokia Corporation
5  * Written by Andrzej Zaborowski <andrew@openedhand.com>
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License as
9  * published by the Free Software Foundation; either version 2 or
10  * (at your option) version 3 of the License.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License along
18  * with this program; if not, see <http://www.gnu.org/licenses/>.
19  */
20 
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "cpu.h"
24 #include "chardev/char.h"
25 #include "qemu/cutils.h"
26 #include "qemu/bswap.h"
27 #include "qemu/hw-version.h"
28 #include "sysemu/reset.h"
29 #include "sysemu/runstate.h"
30 #include "sysemu/sysemu.h"
31 #include "hw/arm/omap.h"
32 #include "hw/arm/boot.h"
33 #include "hw/irq.h"
34 #include "ui/console.h"
35 #include "hw/boards.h"
36 #include "hw/i2c/i2c.h"
37 #include "hw/display/blizzard.h"
38 #include "hw/input/lm832x.h"
39 #include "hw/input/tsc2xxx.h"
40 #include "hw/misc/cbus.h"
41 #include "hw/sensor/tmp105.h"
42 #include "hw/qdev-properties.h"
43 #include "hw/block/flash.h"
44 #include "hw/hw.h"
45 #include "hw/loader.h"
46 #include "hw/sysbus.h"
47 #include "qemu/log.h"
48 
49 /* Nokia N8x0 support */
50 struct n800_s {
51     struct omap_mpu_state_s *mpu;
52 
53     struct rfbi_chip_s blizzard;
54     struct {
55         void *opaque;
56         uint32_t (*txrx)(void *opaque, uint32_t value, int len);
57         uWireSlave *chip;
58     } ts;
59 
60     int keymap[0x80];
61     DeviceState *kbd;
62 
63     DeviceState *usb;
64     void *retu;
65     void *tahvo;
66     DeviceState *nand;
67 };
68 
69 /* GPIO pins */
70 #define N8X0_TUSB_ENABLE_GPIO		0
71 #define N800_MMC2_WP_GPIO		8
72 #define N800_UNKNOWN_GPIO0		9	/* out */
73 #define N810_MMC2_VIOSD_GPIO		9
74 #define N810_HEADSET_AMP_GPIO		10
75 #define N800_CAM_TURN_GPIO		12
76 #define N810_GPS_RESET_GPIO		12
77 #define N800_BLIZZARD_POWERDOWN_GPIO	15
78 #define N800_MMC1_WP_GPIO		23
79 #define N810_MMC2_VSD_GPIO		23
80 #define N8X0_ONENAND_GPIO		26
81 #define N810_BLIZZARD_RESET_GPIO	30
82 #define N800_UNKNOWN_GPIO2		53	/* out */
83 #define N8X0_TUSB_INT_GPIO		58
84 #define N8X0_BT_WKUP_GPIO		61
85 #define N8X0_STI_GPIO			62
86 #define N8X0_CBUS_SEL_GPIO		64
87 #define N8X0_CBUS_DAT_GPIO		65
88 #define N8X0_CBUS_CLK_GPIO		66
89 #define N8X0_WLAN_IRQ_GPIO		87
90 #define N8X0_BT_RESET_GPIO		92
91 #define N8X0_TEA5761_CS_GPIO		93
92 #define N800_UNKNOWN_GPIO		94
93 #define N810_TSC_RESET_GPIO		94
94 #define N800_CAM_ACT_GPIO		95
95 #define N810_GPS_WAKEUP_GPIO		95
96 #define N8X0_MMC_CS_GPIO		96
97 #define N8X0_WLAN_PWR_GPIO		97
98 #define N8X0_BT_HOST_WKUP_GPIO		98
99 #define N810_SPEAKER_AMP_GPIO		101
100 #define N810_KB_LOCK_GPIO		102
101 #define N800_TSC_TS_GPIO		103
102 #define N810_TSC_TS_GPIO		106
103 #define N8X0_HEADPHONE_GPIO		107
104 #define N8X0_RETU_GPIO			108
105 #define N800_TSC_KP_IRQ_GPIO		109
106 #define N810_KEYBOARD_GPIO		109
107 #define N800_BAT_COVER_GPIO		110
108 #define N810_SLIDE_GPIO			110
109 #define N8X0_TAHVO_GPIO			111
110 #define N800_UNKNOWN_GPIO4		112	/* out */
111 #define N810_SLEEPX_LED_GPIO		112
112 #define N800_TSC_RESET_GPIO		118	/* ? */
113 #define N810_AIC33_RESET_GPIO		118
114 #define N800_TSC_UNKNOWN_GPIO		119	/* out */
115 #define N8X0_TMP105_GPIO		125
116 
117 /* Config */
118 #define BT_UART				0
119 #define XLDR_LL_UART			1
120 
121 /* Addresses on the I2C bus 0 */
122 #define N810_TLV320AIC33_ADDR		0x18	/* Audio CODEC */
123 #define N8X0_TCM825x_ADDR		0x29	/* Camera */
124 #define N810_LP5521_ADDR		0x32	/* LEDs */
125 #define N810_TSL2563_ADDR		0x3d	/* Light sensor */
126 #define N810_LM8323_ADDR		0x45	/* Keyboard */
127 /* Addresses on the I2C bus 1 */
128 #define N8X0_TMP105_ADDR		0x48	/* Temperature sensor */
129 #define N8X0_MENELAUS_ADDR		0x72	/* Power management */
130 
131 /* Chipselects on GPMC NOR interface */
132 #define N8X0_ONENAND_CS			0
133 #define N8X0_USB_ASYNC_CS		1
134 #define N8X0_USB_SYNC_CS		4
135 
136 #define N8X0_BD_ADDR			0x00, 0x1a, 0x89, 0x9e, 0x3e, 0x81
137 
138 static void n800_mmc_cs_cb(void *opaque, int line, int level)
139 {
140     /* TODO: this seems to actually be connected to the menelaus, to
141      * which also both MMC slots connect.  */
142     omap_mmc_enable((struct omap_mmc_s *) opaque, !level);
143 }
144 
145 static void n8x0_gpio_setup(struct n800_s *s)
146 {
147     qdev_connect_gpio_out(s->mpu->gpio, N8X0_MMC_CS_GPIO,
148                           qemu_allocate_irq(n800_mmc_cs_cb, s->mpu->mmc, 0));
149     qemu_irq_lower(qdev_get_gpio_in(s->mpu->gpio, N800_BAT_COVER_GPIO));
150 }
151 
152 #define MAEMO_CAL_HEADER(...)				\
153     'C',  'o',  'n',  'F',  0x02, 0x00, 0x04, 0x00,	\
154     __VA_ARGS__,					\
155     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
156 
157 static const uint8_t n8x0_cal_wlan_mac[] = {
158     MAEMO_CAL_HEADER('w', 'l', 'a', 'n', '-', 'm', 'a', 'c')
159     0x1c, 0x00, 0x00, 0x00, 0x47, 0xd6, 0x69, 0xb3,
160     0x30, 0x08, 0xa0, 0x83, 0x00, 0x00, 0x00, 0x00,
161     0x00, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00,
162     0x89, 0x00, 0x00, 0x00, 0x9e, 0x00, 0x00, 0x00,
163     0x5d, 0x00, 0x00, 0x00, 0xc1, 0x00, 0x00, 0x00,
164 };
165 
166 static const uint8_t n8x0_cal_bt_id[] = {
167     MAEMO_CAL_HEADER('b', 't', '-', 'i', 'd', 0, 0, 0)
168     0x0a, 0x00, 0x00, 0x00, 0xa3, 0x4b, 0xf6, 0x96,
169     0xa8, 0xeb, 0xb2, 0x41, 0x00, 0x00, 0x00, 0x00,
170     N8X0_BD_ADDR,
171 };
172 
173 static void n8x0_nand_setup(struct n800_s *s)
174 {
175     char *otp_region;
176     DriveInfo *dinfo;
177 
178     s->nand = qdev_new("onenand");
179     qdev_prop_set_uint16(s->nand, "manufacturer_id", NAND_MFR_SAMSUNG);
180     /* Either 0x40 or 0x48 are OK for the device ID */
181     qdev_prop_set_uint16(s->nand, "device_id", 0x48);
182     qdev_prop_set_uint16(s->nand, "version_id", 0);
183     qdev_prop_set_int32(s->nand, "shift", 1);
184     dinfo = drive_get(IF_MTD, 0, 0);
185     if (dinfo) {
186         qdev_prop_set_drive_err(s->nand, "drive", blk_by_legacy_dinfo(dinfo),
187                                 &error_fatal);
188     }
189     sysbus_realize_and_unref(SYS_BUS_DEVICE(s->nand), &error_fatal);
190     sysbus_connect_irq(SYS_BUS_DEVICE(s->nand), 0,
191                        qdev_get_gpio_in(s->mpu->gpio, N8X0_ONENAND_GPIO));
192     omap_gpmc_attach(s->mpu->gpmc, N8X0_ONENAND_CS,
193                      sysbus_mmio_get_region(SYS_BUS_DEVICE(s->nand), 0));
194     otp_region = onenand_raw_otp(s->nand);
195 
196     memcpy(otp_region + 0x000, n8x0_cal_wlan_mac, sizeof(n8x0_cal_wlan_mac));
197     memcpy(otp_region + 0x800, n8x0_cal_bt_id, sizeof(n8x0_cal_bt_id));
198     /* XXX: in theory should also update the OOB for both pages */
199 }
200 
201 static qemu_irq n8x0_system_powerdown;
202 
203 static void n8x0_powerdown_req(Notifier *n, void *opaque)
204 {
205     qemu_irq_raise(n8x0_system_powerdown);
206 }
207 
208 static Notifier n8x0_system_powerdown_notifier = {
209     .notify = n8x0_powerdown_req
210 };
211 
212 static void n8x0_i2c_setup(struct n800_s *s)
213 {
214     DeviceState *dev;
215     qemu_irq tmp_irq = qdev_get_gpio_in(s->mpu->gpio, N8X0_TMP105_GPIO);
216     I2CBus *i2c = omap_i2c_bus(s->mpu->i2c[0]);
217 
218     /* Attach a menelaus PM chip */
219     dev = DEVICE(i2c_slave_create_simple(i2c, "twl92230", N8X0_MENELAUS_ADDR));
220     qdev_connect_gpio_out(dev, 3,
221                           qdev_get_gpio_in(s->mpu->ih[0],
222                                            OMAP_INT_24XX_SYS_NIRQ));
223 
224     n8x0_system_powerdown = qdev_get_gpio_in(dev, 3);
225     qemu_register_powerdown_notifier(&n8x0_system_powerdown_notifier);
226 
227     /* Attach a TMP105 PM chip (A0 wired to ground) */
228     dev = DEVICE(i2c_slave_create_simple(i2c, TYPE_TMP105, N8X0_TMP105_ADDR));
229     qdev_connect_gpio_out(dev, 0, tmp_irq);
230 }
231 
232 /* Touchscreen and keypad controller */
233 static const MouseTransformInfo n800_pointercal = {
234     .x = 800,
235     .y = 480,
236     .a = { 14560, -68, -3455208, -39, -9621, 35152972, 65536 },
237 };
238 
239 static const MouseTransformInfo n810_pointercal = {
240     .x = 800,
241     .y = 480,
242     .a = { 15041, 148, -4731056, 171, -10238, 35933380, 65536 },
243 };
244 
245 #define RETU_KEYCODE	61	/* F3 */
246 
247 static void n800_key_event(void *opaque, int keycode)
248 {
249     struct n800_s *s = (struct n800_s *) opaque;
250     int code = s->keymap[keycode & 0x7f];
251 
252     if (code == -1) {
253         if ((keycode & 0x7f) == RETU_KEYCODE) {
254             retu_key_event(s->retu, !(keycode & 0x80));
255         }
256         return;
257     }
258 
259     tsc210x_key_event(s->ts.chip, code, !(keycode & 0x80));
260 }
261 
262 static const int n800_keys[16] = {
263     -1,
264     72,	/* Up */
265     63,	/* Home (F5) */
266     -1,
267     75,	/* Left */
268     28,	/* Enter */
269     77,	/* Right */
270     -1,
271      1,	/* Cycle (ESC) */
272     80,	/* Down */
273     62,	/* Menu (F4) */
274     -1,
275     66,	/* Zoom- (F8) */
276     64,	/* FullScreen (F6) */
277     65,	/* Zoom+ (F7) */
278     -1,
279 };
280 
281 static void n800_tsc_kbd_setup(struct n800_s *s)
282 {
283     int i;
284 
285     /* XXX: are the three pins inverted inside the chip between the
286      * tsc and the cpu (N4111)?  */
287     qemu_irq penirq = NULL;	/* NC */
288     qemu_irq kbirq = qdev_get_gpio_in(s->mpu->gpio, N800_TSC_KP_IRQ_GPIO);
289     qemu_irq dav = qdev_get_gpio_in(s->mpu->gpio, N800_TSC_TS_GPIO);
290 
291     s->ts.chip = tsc2301_init(penirq, kbirq, dav);
292     s->ts.opaque = s->ts.chip->opaque;
293     s->ts.txrx = tsc210x_txrx;
294 
295     for (i = 0; i < 0x80; i++) {
296         s->keymap[i] = -1;
297     }
298     for (i = 0; i < 0x10; i++) {
299         if (n800_keys[i] >= 0) {
300             s->keymap[n800_keys[i]] = i;
301         }
302     }
303 
304     qemu_add_kbd_event_handler(n800_key_event, s);
305 
306     tsc210x_set_transform(s->ts.chip, &n800_pointercal);
307 }
308 
309 static void n810_tsc_setup(struct n800_s *s)
310 {
311     qemu_irq pintdav = qdev_get_gpio_in(s->mpu->gpio, N810_TSC_TS_GPIO);
312 
313     s->ts.opaque = tsc2005_init(pintdav);
314     s->ts.txrx = tsc2005_txrx;
315 
316     tsc2005_set_transform(s->ts.opaque, &n810_pointercal);
317 }
318 
319 /* N810 Keyboard controller */
320 static void n810_key_event(void *opaque, int keycode)
321 {
322     struct n800_s *s = (struct n800_s *) opaque;
323     int code = s->keymap[keycode & 0x7f];
324 
325     if (code == -1) {
326         if ((keycode & 0x7f) == RETU_KEYCODE) {
327             retu_key_event(s->retu, !(keycode & 0x80));
328         }
329         return;
330     }
331 
332     lm832x_key_event(s->kbd, code, !(keycode & 0x80));
333 }
334 
335 #define M	0
336 
337 static const int n810_keys[0x80] = {
338     [0x01] = 16,	/* Q */
339     [0x02] = 37,	/* K */
340     [0x03] = 24,	/* O */
341     [0x04] = 25,	/* P */
342     [0x05] = 14,	/* Backspace */
343     [0x06] = 30,	/* A */
344     [0x07] = 31,	/* S */
345     [0x08] = 32,	/* D */
346     [0x09] = 33,	/* F */
347     [0x0a] = 34,	/* G */
348     [0x0b] = 35,	/* H */
349     [0x0c] = 36,	/* J */
350 
351     [0x11] = 17,	/* W */
352     [0x12] = 62,	/* Menu (F4) */
353     [0x13] = 38,	/* L */
354     [0x14] = 40,	/* ' (Apostrophe) */
355     [0x16] = 44,	/* Z */
356     [0x17] = 45,	/* X */
357     [0x18] = 46,	/* C */
358     [0x19] = 47,	/* V */
359     [0x1a] = 48,	/* B */
360     [0x1b] = 49,	/* N */
361     [0x1c] = 42,	/* Shift (Left shift) */
362     [0x1f] = 65,	/* Zoom+ (F7) */
363 
364     [0x21] = 18,	/* E */
365     [0x22] = 39,	/* ; (Semicolon) */
366     [0x23] = 12,	/* - (Minus) */
367     [0x24] = 13,	/* = (Equal) */
368     [0x2b] = 56,	/* Fn (Left Alt) */
369     [0x2c] = 50,	/* M */
370     [0x2f] = 66,	/* Zoom- (F8) */
371 
372     [0x31] = 19,	/* R */
373     [0x32] = 29 | M,	/* Right Ctrl */
374     [0x34] = 57,	/* Space */
375     [0x35] = 51,	/* , (Comma) */
376     [0x37] = 72 | M,	/* Up */
377     [0x3c] = 82 | M,	/* Compose (Insert) */
378     [0x3f] = 64,	/* FullScreen (F6) */
379 
380     [0x41] = 20,	/* T */
381     [0x44] = 52,	/* . (Dot) */
382     [0x46] = 77 | M,	/* Right */
383     [0x4f] = 63,	/* Home (F5) */
384     [0x51] = 21,	/* Y */
385     [0x53] = 80 | M,	/* Down */
386     [0x55] = 28,	/* Enter */
387     [0x5f] =  1,	/* Cycle (ESC) */
388 
389     [0x61] = 22,	/* U */
390     [0x64] = 75 | M,	/* Left */
391 
392     [0x71] = 23,	/* I */
393 #if 0
394     [0x75] = 28 | M,	/* KP Enter (KP Enter) */
395 #else
396     [0x75] = 15,	/* KP Enter (Tab) */
397 #endif
398 };
399 
400 #undef M
401 
402 static void n810_kbd_setup(struct n800_s *s)
403 {
404     qemu_irq kbd_irq = qdev_get_gpio_in(s->mpu->gpio, N810_KEYBOARD_GPIO);
405     int i;
406 
407     for (i = 0; i < 0x80; i++) {
408         s->keymap[i] = -1;
409     }
410     for (i = 0; i < 0x80; i++) {
411         if (n810_keys[i] > 0) {
412             s->keymap[n810_keys[i]] = i;
413         }
414     }
415 
416     qemu_add_kbd_event_handler(n810_key_event, s);
417 
418     /* Attach the LM8322 keyboard to the I2C bus,
419      * should happen in n8x0_i2c_setup and s->kbd be initialised here.  */
420     s->kbd = DEVICE(i2c_slave_create_simple(omap_i2c_bus(s->mpu->i2c[0]),
421                                             TYPE_LM8323, N810_LM8323_ADDR));
422     qdev_connect_gpio_out(s->kbd, 0, kbd_irq);
423 }
424 
425 /* LCD MIPI DBI-C controller (URAL) */
426 struct mipid_s {
427     int resp[4];
428     int param[4];
429     int p;
430     int pm;
431     int cmd;
432 
433     int sleep;
434     int booster;
435     int te;
436     int selfcheck;
437     int partial;
438     int normal;
439     int vscr;
440     int invert;
441     int onoff;
442     int gamma;
443     uint32_t id;
444 };
445 
446 static void mipid_reset(struct mipid_s *s)
447 {
448     s->pm = 0;
449     s->cmd = 0;
450 
451     s->sleep = 1;
452     s->booster = 0;
453     s->selfcheck =
454             (1 << 7) |	/* Register loading OK.  */
455             (1 << 5) |	/* The chip is attached.  */
456             (1 << 4);	/* Display glass still in one piece.  */
457     s->te = 0;
458     s->partial = 0;
459     s->normal = 1;
460     s->vscr = 0;
461     s->invert = 0;
462     s->onoff = 1;
463     s->gamma = 0;
464 }
465 
466 static uint32_t mipid_txrx(void *opaque, uint32_t cmd, int len)
467 {
468     struct mipid_s *s = (struct mipid_s *) opaque;
469     uint8_t ret;
470 
471     if (len > 9) {
472         hw_error("%s: FIXME: bad SPI word width %i\n", __func__, len);
473     }
474 
475     if (s->p >= ARRAY_SIZE(s->resp)) {
476         ret = 0;
477     } else {
478         ret = s->resp[s->p++];
479     }
480     if (s->pm-- > 0) {
481         s->param[s->pm] = cmd;
482     } else {
483         s->cmd = cmd;
484     }
485 
486     switch (s->cmd) {
487     case 0x00:	/* NOP */
488         break;
489 
490     case 0x01:	/* SWRESET */
491         mipid_reset(s);
492         break;
493 
494     case 0x02:	/* BSTROFF */
495         s->booster = 0;
496         break;
497     case 0x03:	/* BSTRON */
498         s->booster = 1;
499         break;
500 
501     case 0x04:	/* RDDID */
502         s->p = 0;
503         s->resp[0] = (s->id >> 16) & 0xff;
504         s->resp[1] = (s->id >>  8) & 0xff;
505         s->resp[2] = (s->id >>  0) & 0xff;
506         break;
507 
508     case 0x06:	/* RD_RED */
509     case 0x07:	/* RD_GREEN */
510         /* XXX the bootloader sometimes issues RD_BLUE meaning RDDID so
511          * for the bootloader one needs to change this.  */
512     case 0x08:	/* RD_BLUE */
513         s->p = 0;
514         /* TODO: return first pixel components */
515         s->resp[0] = 0x01;
516         break;
517 
518     case 0x09:	/* RDDST */
519         s->p = 0;
520         s->resp[0] = s->booster << 7;
521         s->resp[1] = (5 << 4) | (s->partial << 2) |
522                 (s->sleep << 1) | s->normal;
523         s->resp[2] = (s->vscr << 7) | (s->invert << 5) |
524                 (s->onoff << 2) | (s->te << 1) | (s->gamma >> 2);
525         s->resp[3] = s->gamma << 6;
526         break;
527 
528     case 0x0a:	/* RDDPM */
529         s->p = 0;
530         s->resp[0] = (s->onoff << 2) | (s->normal << 3) | (s->sleep << 4) |
531                 (s->partial << 5) | (s->sleep << 6) | (s->booster << 7);
532         break;
533     case 0x0b:	/* RDDMADCTR */
534         s->p = 0;
535         s->resp[0] = 0;
536         break;
537     case 0x0c:	/* RDDCOLMOD */
538         s->p = 0;
539         s->resp[0] = 5;	/* 65K colours */
540         break;
541     case 0x0d:	/* RDDIM */
542         s->p = 0;
543         s->resp[0] = (s->invert << 5) | (s->vscr << 7) | s->gamma;
544         break;
545     case 0x0e:	/* RDDSM */
546         s->p = 0;
547         s->resp[0] = s->te << 7;
548         break;
549     case 0x0f:	/* RDDSDR */
550         s->p = 0;
551         s->resp[0] = s->selfcheck;
552         break;
553 
554     case 0x10:	/* SLPIN */
555         s->sleep = 1;
556         break;
557     case 0x11:	/* SLPOUT */
558         s->sleep = 0;
559         s->selfcheck ^= 1 << 6;	/* POFF self-diagnosis Ok */
560         break;
561 
562     case 0x12:	/* PTLON */
563         s->partial = 1;
564         s->normal = 0;
565         s->vscr = 0;
566         break;
567     case 0x13:	/* NORON */
568         s->partial = 0;
569         s->normal = 1;
570         s->vscr = 0;
571         break;
572 
573     case 0x20:	/* INVOFF */
574         s->invert = 0;
575         break;
576     case 0x21:	/* INVON */
577         s->invert = 1;
578         break;
579 
580     case 0x22:	/* APOFF */
581     case 0x23:	/* APON */
582         goto bad_cmd;
583 
584     case 0x25:	/* WRCNTR */
585         if (s->pm < 0) {
586             s->pm = 1;
587         }
588         goto bad_cmd;
589 
590     case 0x26:	/* GAMSET */
591         if (!s->pm) {
592             s->gamma = ctz32(s->param[0] & 0xf);
593             if (s->gamma == 32) {
594                 s->gamma = -1; /* XXX: should this be 0? */
595             }
596         } else if (s->pm < 0) {
597             s->pm = 1;
598         }
599         break;
600 
601     case 0x28:	/* DISPOFF */
602         s->onoff = 0;
603         break;
604     case 0x29:	/* DISPON */
605         s->onoff = 1;
606         break;
607 
608     case 0x2a:	/* CASET */
609     case 0x2b:	/* RASET */
610     case 0x2c:	/* RAMWR */
611     case 0x2d:	/* RGBSET */
612     case 0x2e:	/* RAMRD */
613     case 0x30:	/* PTLAR */
614     case 0x33:	/* SCRLAR */
615         goto bad_cmd;
616 
617     case 0x34:	/* TEOFF */
618         s->te = 0;
619         break;
620     case 0x35:	/* TEON */
621         if (!s->pm) {
622             s->te = 1;
623         } else if (s->pm < 0) {
624             s->pm = 1;
625         }
626         break;
627 
628     case 0x36:	/* MADCTR */
629         goto bad_cmd;
630 
631     case 0x37:	/* VSCSAD */
632         s->partial = 0;
633         s->normal = 0;
634         s->vscr = 1;
635         break;
636 
637     case 0x38:	/* IDMOFF */
638     case 0x39:	/* IDMON */
639     case 0x3a:	/* COLMOD */
640         goto bad_cmd;
641 
642     case 0xb0:	/* CLKINT / DISCTL */
643     case 0xb1:	/* CLKEXT */
644         if (s->pm < 0) {
645             s->pm = 2;
646         }
647         break;
648 
649     case 0xb4:	/* FRMSEL */
650         break;
651 
652     case 0xb5:	/* FRM8SEL */
653     case 0xb6:	/* TMPRNG / INIESC */
654     case 0xb7:	/* TMPHIS / NOP2 */
655     case 0xb8:	/* TMPREAD / MADCTL */
656     case 0xba:	/* DISTCTR */
657     case 0xbb:	/* EPVOL */
658         goto bad_cmd;
659 
660     case 0xbd:	/* Unknown */
661         s->p = 0;
662         s->resp[0] = 0;
663         s->resp[1] = 1;
664         break;
665 
666     case 0xc2:	/* IFMOD */
667         if (s->pm < 0) {
668             s->pm = 2;
669         }
670         break;
671 
672     case 0xc6:	/* PWRCTL */
673     case 0xc7:	/* PPWRCTL */
674     case 0xd0:	/* EPWROUT */
675     case 0xd1:	/* EPWRIN */
676     case 0xd4:	/* RDEV */
677     case 0xd5:	/* RDRR */
678         goto bad_cmd;
679 
680     case 0xda:	/* RDID1 */
681         s->p = 0;
682         s->resp[0] = (s->id >> 16) & 0xff;
683         break;
684     case 0xdb:	/* RDID2 */
685         s->p = 0;
686         s->resp[0] = (s->id >>  8) & 0xff;
687         break;
688     case 0xdc:	/* RDID3 */
689         s->p = 0;
690         s->resp[0] = (s->id >>  0) & 0xff;
691         break;
692 
693     default:
694     bad_cmd:
695         qemu_log_mask(LOG_GUEST_ERROR,
696                       "%s: unknown command 0x%02x\n", __func__, s->cmd);
697         break;
698     }
699 
700     return ret;
701 }
702 
703 static void *mipid_init(void)
704 {
705     struct mipid_s *s = g_malloc0(sizeof(*s));
706 
707     s->id = 0x838f03;
708     mipid_reset(s);
709 
710     return s;
711 }
712 
713 static void n8x0_spi_setup(struct n800_s *s)
714 {
715     void *tsc = s->ts.opaque;
716     void *mipid = mipid_init();
717 
718     omap_mcspi_attach(s->mpu->mcspi[0], s->ts.txrx, tsc, 0);
719     omap_mcspi_attach(s->mpu->mcspi[0], mipid_txrx, mipid, 1);
720 }
721 
722 /* This task is normally performed by the bootloader.  If we're loading
723  * a kernel directly, we need to enable the Blizzard ourselves.  */
724 static void n800_dss_init(struct rfbi_chip_s *chip)
725 {
726     uint8_t *fb_blank;
727 
728     chip->write(chip->opaque, 0, 0x2a);		/* LCD Width register */
729     chip->write(chip->opaque, 1, 0x64);
730     chip->write(chip->opaque, 0, 0x2c);		/* LCD HNDP register */
731     chip->write(chip->opaque, 1, 0x1e);
732     chip->write(chip->opaque, 0, 0x2e);		/* LCD Height 0 register */
733     chip->write(chip->opaque, 1, 0xe0);
734     chip->write(chip->opaque, 0, 0x30);		/* LCD Height 1 register */
735     chip->write(chip->opaque, 1, 0x01);
736     chip->write(chip->opaque, 0, 0x32);		/* LCD VNDP register */
737     chip->write(chip->opaque, 1, 0x06);
738     chip->write(chip->opaque, 0, 0x68);		/* Display Mode register */
739     chip->write(chip->opaque, 1, 1);		/* Enable bit */
740 
741     chip->write(chip->opaque, 0, 0x6c);
742     chip->write(chip->opaque, 1, 0x00);		/* Input X Start Position */
743     chip->write(chip->opaque, 1, 0x00);		/* Input X Start Position */
744     chip->write(chip->opaque, 1, 0x00);		/* Input Y Start Position */
745     chip->write(chip->opaque, 1, 0x00);		/* Input Y Start Position */
746     chip->write(chip->opaque, 1, 0x1f);		/* Input X End Position */
747     chip->write(chip->opaque, 1, 0x03);		/* Input X End Position */
748     chip->write(chip->opaque, 1, 0xdf);		/* Input Y End Position */
749     chip->write(chip->opaque, 1, 0x01);		/* Input Y End Position */
750     chip->write(chip->opaque, 1, 0x00);		/* Output X Start Position */
751     chip->write(chip->opaque, 1, 0x00);		/* Output X Start Position */
752     chip->write(chip->opaque, 1, 0x00);		/* Output Y Start Position */
753     chip->write(chip->opaque, 1, 0x00);		/* Output Y Start Position */
754     chip->write(chip->opaque, 1, 0x1f);		/* Output X End Position */
755     chip->write(chip->opaque, 1, 0x03);		/* Output X End Position */
756     chip->write(chip->opaque, 1, 0xdf);		/* Output Y End Position */
757     chip->write(chip->opaque, 1, 0x01);		/* Output Y End Position */
758     chip->write(chip->opaque, 1, 0x01);		/* Input Data Format */
759     chip->write(chip->opaque, 1, 0x01);		/* Data Source Select */
760 
761     fb_blank = memset(g_malloc(800 * 480 * 2), 0xff, 800 * 480 * 2);
762     /* Display Memory Data Port */
763     chip->block(chip->opaque, 1, fb_blank, 800 * 480 * 2, 800);
764     g_free(fb_blank);
765 }
766 
767 static void n8x0_dss_setup(struct n800_s *s)
768 {
769     s->blizzard.opaque = s1d13745_init(NULL);
770     s->blizzard.block = s1d13745_write_block;
771     s->blizzard.write = s1d13745_write;
772     s->blizzard.read = s1d13745_read;
773 
774     omap_rfbi_attach(s->mpu->dss, 0, &s->blizzard);
775 }
776 
777 static void n8x0_cbus_setup(struct n800_s *s)
778 {
779     qemu_irq dat_out = qdev_get_gpio_in(s->mpu->gpio, N8X0_CBUS_DAT_GPIO);
780     qemu_irq retu_irq = qdev_get_gpio_in(s->mpu->gpio, N8X0_RETU_GPIO);
781     qemu_irq tahvo_irq = qdev_get_gpio_in(s->mpu->gpio, N8X0_TAHVO_GPIO);
782 
783     CBus *cbus = cbus_init(dat_out);
784 
785     qdev_connect_gpio_out(s->mpu->gpio, N8X0_CBUS_CLK_GPIO, cbus->clk);
786     qdev_connect_gpio_out(s->mpu->gpio, N8X0_CBUS_DAT_GPIO, cbus->dat);
787     qdev_connect_gpio_out(s->mpu->gpio, N8X0_CBUS_SEL_GPIO, cbus->sel);
788 
789     cbus_attach(cbus, s->retu = retu_init(retu_irq, 1));
790     cbus_attach(cbus, s->tahvo = tahvo_init(tahvo_irq, 1));
791 }
792 
793 static void n8x0_usb_setup(struct n800_s *s)
794 {
795     SysBusDevice *dev;
796     s->usb = qdev_new("tusb6010");
797     dev = SYS_BUS_DEVICE(s->usb);
798     sysbus_realize_and_unref(dev, &error_fatal);
799     sysbus_connect_irq(dev, 0,
800                        qdev_get_gpio_in(s->mpu->gpio, N8X0_TUSB_INT_GPIO));
801     /* Using the NOR interface */
802     omap_gpmc_attach(s->mpu->gpmc, N8X0_USB_ASYNC_CS,
803                      sysbus_mmio_get_region(dev, 0));
804     omap_gpmc_attach(s->mpu->gpmc, N8X0_USB_SYNC_CS,
805                      sysbus_mmio_get_region(dev, 1));
806     qdev_connect_gpio_out(s->mpu->gpio, N8X0_TUSB_ENABLE_GPIO,
807                           qdev_get_gpio_in(s->usb, 0)); /* tusb_pwr */
808 }
809 
810 /* Setup done before the main bootloader starts by some early setup code
811  * - used when we want to run the main bootloader in emulation.  This
812  * isn't documented.  */
813 static const uint32_t n800_pinout[104] = {
814     0x080f00d8, 0x00d40808, 0x03080808, 0x080800d0,
815     0x00dc0808, 0x0b0f0f00, 0x080800b4, 0x00c00808,
816     0x08080808, 0x180800c4, 0x00b80000, 0x08080808,
817     0x080800bc, 0x00cc0808, 0x08081818, 0x18180128,
818     0x01241800, 0x18181818, 0x000000f0, 0x01300000,
819     0x00001b0b, 0x1b0f0138, 0x00e0181b, 0x1b031b0b,
820     0x180f0078, 0x00740018, 0x0f0f0f1a, 0x00000080,
821     0x007c0000, 0x00000000, 0x00000088, 0x00840000,
822     0x00000000, 0x00000094, 0x00980300, 0x0f180003,
823     0x0000008c, 0x00900f0f, 0x0f0f1b00, 0x0f00009c,
824     0x01140000, 0x1b1b0f18, 0x0818013c, 0x01400008,
825     0x00001818, 0x000b0110, 0x010c1800, 0x0b030b0f,
826     0x181800f4, 0x00f81818, 0x00000018, 0x000000fc,
827     0x00401808, 0x00000000, 0x0f1b0030, 0x003c0008,
828     0x00000000, 0x00000038, 0x00340000, 0x00000000,
829     0x1a080070, 0x00641a1a, 0x08080808, 0x08080060,
830     0x005c0808, 0x08080808, 0x08080058, 0x00540808,
831     0x08080808, 0x0808006c, 0x00680808, 0x08080808,
832     0x000000a8, 0x00b00000, 0x08080808, 0x000000a0,
833     0x00a40000, 0x00000000, 0x08ff0050, 0x004c0808,
834     0xffffffff, 0xffff0048, 0x0044ffff, 0xffffffff,
835     0x000000ac, 0x01040800, 0x08080b0f, 0x18180100,
836     0x01081818, 0x0b0b1808, 0x1a0300e4, 0x012c0b1a,
837     0x02020018, 0x0b000134, 0x011c0800, 0x0b1b1b00,
838     0x0f0000c8, 0x00ec181b, 0x000f0f02, 0x00180118,
839     0x01200000, 0x0f0b1b1b, 0x0f0200e8, 0x0000020b,
840 };
841 
842 static void n800_setup_nolo_tags(void *sram_base)
843 {
844     int i;
845     uint32_t *p = sram_base + 0x8000;
846     uint32_t *v = sram_base + 0xa000;
847 
848     memset(p, 0, 0x3000);
849 
850     strcpy((void *) (p + 0), "QEMU N800");
851 
852     strcpy((void *) (p + 8), "F5");
853 
854     stl_p(p + 10, 0x04f70000);
855     strcpy((void *) (p + 9), "RX-34");
856 
857     /* RAM size in MB? */
858     stl_p(p + 12, 0x80);
859 
860     /* Pointer to the list of tags */
861     stl_p(p + 13, OMAP2_SRAM_BASE + 0x9000);
862 
863     /* The NOLO tags start here */
864     p = sram_base + 0x9000;
865 #define ADD_TAG(tag, len)				\
866     stw_p((uint16_t *) p + 0, tag);			\
867     stw_p((uint16_t *) p + 1, len); p++;		\
868     stl_p(p++, OMAP2_SRAM_BASE | (((void *) v - sram_base) & 0xffff));
869 
870     /* OMAP STI console? Pin out settings? */
871     ADD_TAG(0x6e01, 414);
872     for (i = 0; i < ARRAY_SIZE(n800_pinout); i++) {
873         stl_p(v++, n800_pinout[i]);
874     }
875 
876     /* Kernel memsize? */
877     ADD_TAG(0x6e05, 1);
878     stl_p(v++, 2);
879 
880     /* NOLO serial console */
881     ADD_TAG(0x6e02, 4);
882     stl_p(v++, XLDR_LL_UART);		/* UART number (1 - 3) */
883 
884 #if 0
885     /* CBUS settings (Retu/AVilma) */
886     ADD_TAG(0x6e03, 6);
887     stw_p((uint16_t *) v + 0, 65);	/* CBUS GPIO0 */
888     stw_p((uint16_t *) v + 1, 66);	/* CBUS GPIO1 */
889     stw_p((uint16_t *) v + 2, 64);	/* CBUS GPIO2 */
890     v += 2;
891 #endif
892 
893     /* Nokia ASIC BB5 (Retu/Tahvo) */
894     ADD_TAG(0x6e0a, 4);
895     stw_p((uint16_t *) v + 0, 111);	/* "Retu" interrupt GPIO */
896     stw_p((uint16_t *) v + 1, 108);	/* "Tahvo" interrupt GPIO */
897     v++;
898 
899     /* LCD console? */
900     ADD_TAG(0x6e04, 4);
901     stw_p((uint16_t *) v + 0, 30);	/* ??? */
902     stw_p((uint16_t *) v + 1, 24);	/* ??? */
903     v++;
904 
905 #if 0
906     /* LCD settings */
907     ADD_TAG(0x6e06, 2);
908     stw_p((uint16_t *) (v++), 15);	/* ??? */
909 #endif
910 
911     /* I^2C (Menelaus) */
912     ADD_TAG(0x6e07, 4);
913     stl_p(v++, 0x00720000);		/* ??? */
914 
915     /* Unknown */
916     ADD_TAG(0x6e0b, 6);
917     stw_p((uint16_t *) v + 0, 94);	/* ??? */
918     stw_p((uint16_t *) v + 1, 23);	/* ??? */
919     stw_p((uint16_t *) v + 2, 0);	/* ??? */
920     v += 2;
921 
922     /* OMAP gpio switch info */
923     ADD_TAG(0x6e0c, 80);
924     strcpy((void *) v, "bat_cover");	v += 3;
925     stw_p((uint16_t *) v + 0, 110);	/* GPIO num ??? */
926     stw_p((uint16_t *) v + 1, 1);	/* GPIO num ??? */
927     v += 2;
928     strcpy((void *) v, "cam_act");	v += 3;
929     stw_p((uint16_t *) v + 0, 95);	/* GPIO num ??? */
930     stw_p((uint16_t *) v + 1, 32);	/* GPIO num ??? */
931     v += 2;
932     strcpy((void *) v, "cam_turn");	v += 3;
933     stw_p((uint16_t *) v + 0, 12);	/* GPIO num ??? */
934     stw_p((uint16_t *) v + 1, 33);	/* GPIO num ??? */
935     v += 2;
936     strcpy((void *) v, "headphone");	v += 3;
937     stw_p((uint16_t *) v + 0, 107);	/* GPIO num ??? */
938     stw_p((uint16_t *) v + 1, 17);	/* GPIO num ??? */
939     v += 2;
940 
941     /* Bluetooth */
942     ADD_TAG(0x6e0e, 12);
943     stl_p(v++, 0x5c623d01);		/* ??? */
944     stl_p(v++, 0x00000201);		/* ??? */
945     stl_p(v++, 0x00000000);		/* ??? */
946 
947     /* CX3110x WLAN settings */
948     ADD_TAG(0x6e0f, 8);
949     stl_p(v++, 0x00610025);		/* ??? */
950     stl_p(v++, 0xffff0057);		/* ??? */
951 
952     /* MMC host settings */
953     ADD_TAG(0x6e10, 12);
954     stl_p(v++, 0xffff000f);		/* ??? */
955     stl_p(v++, 0xffffffff);		/* ??? */
956     stl_p(v++, 0x00000060);		/* ??? */
957 
958     /* OneNAND chip select */
959     ADD_TAG(0x6e11, 10);
960     stl_p(v++, 0x00000401);		/* ??? */
961     stl_p(v++, 0x0002003a);		/* ??? */
962     stl_p(v++, 0x00000002);		/* ??? */
963 
964     /* TEA5761 sensor settings */
965     ADD_TAG(0x6e12, 2);
966     stl_p(v++, 93);			/* GPIO num ??? */
967 
968 #if 0
969     /* Unknown tag */
970     ADD_TAG(6e09, 0);
971 
972     /* Kernel UART / console */
973     ADD_TAG(6e12, 0);
974 #endif
975 
976     /* End of the list */
977     stl_p(p++, 0x00000000);
978     stl_p(p++, 0x00000000);
979 }
980 
981 /* This task is normally performed by the bootloader.  If we're loading
982  * a kernel directly, we need to set up GPMC mappings ourselves.  */
983 static void n800_gpmc_init(struct n800_s *s)
984 {
985     uint32_t config7 =
986             (0xf << 8) |	/* MASKADDRESS */
987             (1 << 6) |		/* CSVALID */
988             (4 << 0);		/* BASEADDRESS */
989 
990     cpu_physical_memory_write(0x6800a078,		/* GPMC_CONFIG7_0 */
991                               &config7, sizeof(config7));
992 }
993 
994 /* Setup sequence done by the bootloader */
995 static void n8x0_boot_init(void *opaque)
996 {
997     struct n800_s *s = (struct n800_s *) opaque;
998     uint32_t buf;
999 
1000     /* PRCM setup */
1001 #define omap_writel(addr, val)	\
1002     buf = (val);			\
1003     cpu_physical_memory_write(addr, &buf, sizeof(buf))
1004 
1005     omap_writel(0x48008060, 0x41);		/* PRCM_CLKSRC_CTRL */
1006     omap_writel(0x48008070, 1);			/* PRCM_CLKOUT_CTRL */
1007     omap_writel(0x48008078, 0);			/* PRCM_CLKEMUL_CTRL */
1008     omap_writel(0x48008090, 0);			/* PRCM_VOLTSETUP */
1009     omap_writel(0x48008094, 0);			/* PRCM_CLKSSETUP */
1010     omap_writel(0x48008098, 0);			/* PRCM_POLCTRL */
1011     omap_writel(0x48008140, 2);			/* CM_CLKSEL_MPU */
1012     omap_writel(0x48008148, 0);			/* CM_CLKSTCTRL_MPU */
1013     omap_writel(0x48008158, 1);			/* RM_RSTST_MPU */
1014     omap_writel(0x480081c8, 0x15);		/* PM_WKDEP_MPU */
1015     omap_writel(0x480081d4, 0x1d4);		/* PM_EVGENCTRL_MPU */
1016     omap_writel(0x480081d8, 0);			/* PM_EVEGENONTIM_MPU */
1017     omap_writel(0x480081dc, 0);			/* PM_EVEGENOFFTIM_MPU */
1018     omap_writel(0x480081e0, 0xc);		/* PM_PWSTCTRL_MPU */
1019     omap_writel(0x48008200, 0x047e7ff7);	/* CM_FCLKEN1_CORE */
1020     omap_writel(0x48008204, 0x00000004);	/* CM_FCLKEN2_CORE */
1021     omap_writel(0x48008210, 0x047e7ff1);	/* CM_ICLKEN1_CORE */
1022     omap_writel(0x48008214, 0x00000004);	/* CM_ICLKEN2_CORE */
1023     omap_writel(0x4800821c, 0x00000000);	/* CM_ICLKEN4_CORE */
1024     omap_writel(0x48008230, 0);			/* CM_AUTOIDLE1_CORE */
1025     omap_writel(0x48008234, 0);			/* CM_AUTOIDLE2_CORE */
1026     omap_writel(0x48008238, 7);			/* CM_AUTOIDLE3_CORE */
1027     omap_writel(0x4800823c, 0);			/* CM_AUTOIDLE4_CORE */
1028     omap_writel(0x48008240, 0x04360626);	/* CM_CLKSEL1_CORE */
1029     omap_writel(0x48008244, 0x00000014);	/* CM_CLKSEL2_CORE */
1030     omap_writel(0x48008248, 0);			/* CM_CLKSTCTRL_CORE */
1031     omap_writel(0x48008300, 0x00000000);	/* CM_FCLKEN_GFX */
1032     omap_writel(0x48008310, 0x00000000);	/* CM_ICLKEN_GFX */
1033     omap_writel(0x48008340, 0x00000001);	/* CM_CLKSEL_GFX */
1034     omap_writel(0x48008400, 0x00000004);	/* CM_FCLKEN_WKUP */
1035     omap_writel(0x48008410, 0x00000004);	/* CM_ICLKEN_WKUP */
1036     omap_writel(0x48008440, 0x00000000);	/* CM_CLKSEL_WKUP */
1037     omap_writel(0x48008500, 0x000000cf);	/* CM_CLKEN_PLL */
1038     omap_writel(0x48008530, 0x0000000c);	/* CM_AUTOIDLE_PLL */
1039     omap_writel(0x48008540,			/* CM_CLKSEL1_PLL */
1040                     (0x78 << 12) | (6 << 8));
1041     omap_writel(0x48008544, 2);			/* CM_CLKSEL2_PLL */
1042 
1043     /* GPMC setup */
1044     n800_gpmc_init(s);
1045 
1046     /* Video setup */
1047     n800_dss_init(&s->blizzard);
1048 
1049     /* CPU setup */
1050     s->mpu->cpu->env.GE = 0x5;
1051 
1052     /* If the machine has a slided keyboard, open it */
1053     if (s->kbd) {
1054         qemu_irq_raise(qdev_get_gpio_in(s->mpu->gpio, N810_SLIDE_GPIO));
1055     }
1056 }
1057 
1058 #define OMAP_TAG_NOKIA_BT	0x4e01
1059 #define OMAP_TAG_WLAN_CX3110X	0x4e02
1060 #define OMAP_TAG_CBUS		0x4e03
1061 #define OMAP_TAG_EM_ASIC_BB5	0x4e04
1062 
1063 static const struct omap_gpiosw_info_s {
1064     const char *name;
1065     int line;
1066     int type;
1067 } n800_gpiosw_info[] = {
1068     {
1069         "bat_cover", N800_BAT_COVER_GPIO,
1070         OMAP_GPIOSW_TYPE_COVER | OMAP_GPIOSW_INVERTED,
1071     }, {
1072         "cam_act", N800_CAM_ACT_GPIO,
1073         OMAP_GPIOSW_TYPE_ACTIVITY,
1074     }, {
1075         "cam_turn", N800_CAM_TURN_GPIO,
1076         OMAP_GPIOSW_TYPE_ACTIVITY | OMAP_GPIOSW_INVERTED,
1077     }, {
1078         "headphone", N8X0_HEADPHONE_GPIO,
1079         OMAP_GPIOSW_TYPE_CONNECTION | OMAP_GPIOSW_INVERTED,
1080     },
1081     { /* end of list */ }
1082 }, n810_gpiosw_info[] = {
1083     {
1084         "gps_reset", N810_GPS_RESET_GPIO,
1085         OMAP_GPIOSW_TYPE_ACTIVITY | OMAP_GPIOSW_OUTPUT,
1086     }, {
1087         "gps_wakeup", N810_GPS_WAKEUP_GPIO,
1088         OMAP_GPIOSW_TYPE_ACTIVITY | OMAP_GPIOSW_OUTPUT,
1089     }, {
1090         "headphone", N8X0_HEADPHONE_GPIO,
1091         OMAP_GPIOSW_TYPE_CONNECTION | OMAP_GPIOSW_INVERTED,
1092     }, {
1093         "kb_lock", N810_KB_LOCK_GPIO,
1094         OMAP_GPIOSW_TYPE_COVER | OMAP_GPIOSW_INVERTED,
1095     }, {
1096         "sleepx_led", N810_SLEEPX_LED_GPIO,
1097         OMAP_GPIOSW_TYPE_ACTIVITY | OMAP_GPIOSW_INVERTED | OMAP_GPIOSW_OUTPUT,
1098     }, {
1099         "slide", N810_SLIDE_GPIO,
1100         OMAP_GPIOSW_TYPE_COVER | OMAP_GPIOSW_INVERTED,
1101     },
1102     { /* end of list */ }
1103 };
1104 
1105 static const struct omap_partition_info_s {
1106     uint32_t offset;
1107     uint32_t size;
1108     int mask;
1109     const char *name;
1110 } n800_part_info[] = {
1111     { 0x00000000, 0x00020000, 0x3, "bootloader" },
1112     { 0x00020000, 0x00060000, 0x0, "config" },
1113     { 0x00080000, 0x00200000, 0x0, "kernel" },
1114     { 0x00280000, 0x00200000, 0x3, "initfs" },
1115     { 0x00480000, 0x0fb80000, 0x3, "rootfs" },
1116     { /* end of list */ }
1117 }, n810_part_info[] = {
1118     { 0x00000000, 0x00020000, 0x3, "bootloader" },
1119     { 0x00020000, 0x00060000, 0x0, "config" },
1120     { 0x00080000, 0x00220000, 0x0, "kernel" },
1121     { 0x002a0000, 0x00400000, 0x0, "initfs" },
1122     { 0x006a0000, 0x0f960000, 0x0, "rootfs" },
1123     { /* end of list */ }
1124 };
1125 
1126 static const uint8_t n8x0_bd_addr[6] = { N8X0_BD_ADDR };
1127 
1128 static int n8x0_atag_setup(void *p, int model)
1129 {
1130     uint8_t *b;
1131     uint16_t *w;
1132     uint32_t *l;
1133     const struct omap_gpiosw_info_s *gpiosw;
1134     const struct omap_partition_info_s *partition;
1135     const char *tag;
1136 
1137     w = p;
1138 
1139     stw_p(w++, OMAP_TAG_UART);			/* u16 tag */
1140     stw_p(w++, 4);				/* u16 len */
1141     stw_p(w++, (1 << 2) | (1 << 1) | (1 << 0)); /* uint enabled_uarts */
1142     w++;
1143 
1144 #if 0
1145     stw_p(w++, OMAP_TAG_SERIAL_CONSOLE);	/* u16 tag */
1146     stw_p(w++, 4);				/* u16 len */
1147     stw_p(w++, XLDR_LL_UART + 1);		/* u8 console_uart */
1148     stw_p(w++, 115200);				/* u32 console_speed */
1149 #endif
1150 
1151     stw_p(w++, OMAP_TAG_LCD);			/* u16 tag */
1152     stw_p(w++, 36);				/* u16 len */
1153     strcpy((void *) w, "QEMU LCD panel");	/* char panel_name[16] */
1154     w += 8;
1155     strcpy((void *) w, "blizzard");		/* char ctrl_name[16] */
1156     w += 8;
1157     stw_p(w++, N810_BLIZZARD_RESET_GPIO);	/* TODO: n800 s16 nreset_gpio */
1158     stw_p(w++, 24);				/* u8 data_lines */
1159 
1160     stw_p(w++, OMAP_TAG_CBUS);			/* u16 tag */
1161     stw_p(w++, 8);				/* u16 len */
1162     stw_p(w++, N8X0_CBUS_CLK_GPIO);		/* s16 clk_gpio */
1163     stw_p(w++, N8X0_CBUS_DAT_GPIO);		/* s16 dat_gpio */
1164     stw_p(w++, N8X0_CBUS_SEL_GPIO);		/* s16 sel_gpio */
1165     w++;
1166 
1167     stw_p(w++, OMAP_TAG_EM_ASIC_BB5);		/* u16 tag */
1168     stw_p(w++, 4);				/* u16 len */
1169     stw_p(w++, N8X0_RETU_GPIO);			/* s16 retu_irq_gpio */
1170     stw_p(w++, N8X0_TAHVO_GPIO);		/* s16 tahvo_irq_gpio */
1171 
1172     gpiosw = (model == 810) ? n810_gpiosw_info : n800_gpiosw_info;
1173     for (; gpiosw->name; gpiosw++) {
1174         stw_p(w++, OMAP_TAG_GPIO_SWITCH);	/* u16 tag */
1175         stw_p(w++, 20);				/* u16 len */
1176         strcpy((void *) w, gpiosw->name);	/* char name[12] */
1177         w += 6;
1178         stw_p(w++, gpiosw->line);		/* u16 gpio */
1179         stw_p(w++, gpiosw->type);
1180         stw_p(w++, 0);
1181         stw_p(w++, 0);
1182     }
1183 
1184     stw_p(w++, OMAP_TAG_NOKIA_BT);		/* u16 tag */
1185     stw_p(w++, 12);				/* u16 len */
1186     b = (void *) w;
1187     stb_p(b++, 0x01);				/* u8 chip_type	(CSR) */
1188     stb_p(b++, N8X0_BT_WKUP_GPIO);		/* u8 bt_wakeup_gpio */
1189     stb_p(b++, N8X0_BT_HOST_WKUP_GPIO);		/* u8 host_wakeup_gpio */
1190     stb_p(b++, N8X0_BT_RESET_GPIO);		/* u8 reset_gpio */
1191     stb_p(b++, BT_UART + 1);			/* u8 bt_uart */
1192     memcpy(b, &n8x0_bd_addr, 6);		/* u8 bd_addr[6] */
1193     b += 6;
1194     stb_p(b++, 0x02);				/* u8 bt_sysclk (38.4) */
1195     w = (void *) b;
1196 
1197     stw_p(w++, OMAP_TAG_WLAN_CX3110X);		/* u16 tag */
1198     stw_p(w++, 8);				/* u16 len */
1199     stw_p(w++, 0x25);				/* u8 chip_type */
1200     stw_p(w++, N8X0_WLAN_PWR_GPIO);		/* s16 power_gpio */
1201     stw_p(w++, N8X0_WLAN_IRQ_GPIO);		/* s16 irq_gpio */
1202     stw_p(w++, -1);				/* s16 spi_cs_gpio */
1203 
1204     stw_p(w++, OMAP_TAG_MMC);			/* u16 tag */
1205     stw_p(w++, 16);				/* u16 len */
1206     if (model == 810) {
1207         stw_p(w++, 0x23f);			/* unsigned flags */
1208         stw_p(w++, -1);				/* s16 power_pin */
1209         stw_p(w++, -1);				/* s16 switch_pin */
1210         stw_p(w++, -1);				/* s16 wp_pin */
1211         stw_p(w++, 0x240);			/* unsigned flags */
1212         stw_p(w++, 0xc000);			/* s16 power_pin */
1213         stw_p(w++, 0x0248);			/* s16 switch_pin */
1214         stw_p(w++, 0xc000);			/* s16 wp_pin */
1215     } else {
1216         stw_p(w++, 0xf);			/* unsigned flags */
1217         stw_p(w++, -1);				/* s16 power_pin */
1218         stw_p(w++, -1);				/* s16 switch_pin */
1219         stw_p(w++, -1);				/* s16 wp_pin */
1220         stw_p(w++, 0);				/* unsigned flags */
1221         stw_p(w++, 0);				/* s16 power_pin */
1222         stw_p(w++, 0);				/* s16 switch_pin */
1223         stw_p(w++, 0);				/* s16 wp_pin */
1224     }
1225 
1226     stw_p(w++, OMAP_TAG_TEA5761);		/* u16 tag */
1227     stw_p(w++, 4);				/* u16 len */
1228     stw_p(w++, N8X0_TEA5761_CS_GPIO);		/* u16 enable_gpio */
1229     w++;
1230 
1231     partition = (model == 810) ? n810_part_info : n800_part_info;
1232     for (; partition->name; partition++) {
1233         stw_p(w++, OMAP_TAG_PARTITION);		/* u16 tag */
1234         stw_p(w++, 28);				/* u16 len */
1235         strcpy((void *) w, partition->name);	/* char name[16] */
1236         l = (void *) (w + 8);
1237         stl_p(l++, partition->size);		/* unsigned int size */
1238         stl_p(l++, partition->offset);		/* unsigned int offset */
1239         stl_p(l++, partition->mask);		/* unsigned int mask_flags */
1240         w = (void *) l;
1241     }
1242 
1243     stw_p(w++, OMAP_TAG_BOOT_REASON);		/* u16 tag */
1244     stw_p(w++, 12);				/* u16 len */
1245 #if 0
1246     strcpy((void *) w, "por");			/* char reason_str[12] */
1247     strcpy((void *) w, "charger");		/* char reason_str[12] */
1248     strcpy((void *) w, "32wd_to");		/* char reason_str[12] */
1249     strcpy((void *) w, "sw_rst");		/* char reason_str[12] */
1250     strcpy((void *) w, "mbus");			/* char reason_str[12] */
1251     strcpy((void *) w, "unknown");		/* char reason_str[12] */
1252     strcpy((void *) w, "swdg_to");		/* char reason_str[12] */
1253     strcpy((void *) w, "sec_vio");		/* char reason_str[12] */
1254     strcpy((void *) w, "pwr_key");		/* char reason_str[12] */
1255     strcpy((void *) w, "rtc_alarm");		/* char reason_str[12] */
1256 #else
1257     strcpy((void *) w, "pwr_key");		/* char reason_str[12] */
1258 #endif
1259     w += 6;
1260 
1261     tag = (model == 810) ? "RX-44" : "RX-34";
1262     stw_p(w++, OMAP_TAG_VERSION_STR);		/* u16 tag */
1263     stw_p(w++, 24);				/* u16 len */
1264     strcpy((void *) w, "product");		/* char component[12] */
1265     w += 6;
1266     strcpy((void *) w, tag);			/* char version[12] */
1267     w += 6;
1268 
1269     stw_p(w++, OMAP_TAG_VERSION_STR);		/* u16 tag */
1270     stw_p(w++, 24);				/* u16 len */
1271     strcpy((void *) w, "hw-build");		/* char component[12] */
1272     w += 6;
1273     strcpy((void *) w, "QEMU ");
1274     pstrcat((void *) w, 12, qemu_hw_version()); /* char version[12] */
1275     w += 6;
1276 
1277     tag = (model == 810) ? "1.1.10-qemu" : "1.1.6-qemu";
1278     stw_p(w++, OMAP_TAG_VERSION_STR);		/* u16 tag */
1279     stw_p(w++, 24);				/* u16 len */
1280     strcpy((void *) w, "nolo");			/* char component[12] */
1281     w += 6;
1282     strcpy((void *) w, tag);			/* char version[12] */
1283     w += 6;
1284 
1285     return (void *) w - p;
1286 }
1287 
1288 static int n800_atag_setup(const struct arm_boot_info *info, void *p)
1289 {
1290     return n8x0_atag_setup(p, 800);
1291 }
1292 
1293 static int n810_atag_setup(const struct arm_boot_info *info, void *p)
1294 {
1295     return n8x0_atag_setup(p, 810);
1296 }
1297 
1298 static void n8x0_init(MachineState *machine,
1299                       struct arm_boot_info *binfo, int model)
1300 {
1301     struct n800_s *s = g_malloc0(sizeof(*s));
1302     MachineClass *mc = MACHINE_GET_CLASS(machine);
1303 
1304     if (machine->ram_size != mc->default_ram_size) {
1305         char *sz = size_to_str(mc->default_ram_size);
1306         error_report("Invalid RAM size, should be %s", sz);
1307         g_free(sz);
1308         exit(EXIT_FAILURE);
1309     }
1310     binfo->ram_size = machine->ram_size;
1311 
1312     memory_region_add_subregion(get_system_memory(), OMAP2_Q2_BASE,
1313                                 machine->ram);
1314 
1315     s->mpu = omap2420_mpu_init(machine->ram, machine->cpu_type);
1316 
1317     /* Setup peripherals
1318      *
1319      * Believed external peripherals layout in the N810:
1320      * (spi bus 1)
1321      *   tsc2005
1322      *   lcd_mipid
1323      * (spi bus 2)
1324      *   Conexant cx3110x (WLAN)
1325      *   optional: pc2400m (WiMAX)
1326      * (i2c bus 0)
1327      *   TLV320AIC33 (audio codec)
1328      *   TCM825x (camera by Toshiba)
1329      *   lp5521 (clever LEDs)
1330      *   tsl2563 (light sensor, hwmon, model 7, rev. 0)
1331      *   lm8323 (keypad, manf 00, rev 04)
1332      * (i2c bus 1)
1333      *   tmp105 (temperature sensor, hwmon)
1334      *   menelaus (pm)
1335      * (somewhere on i2c - maybe N800-only)
1336      *   tea5761 (FM tuner)
1337      * (serial 0)
1338      *   GPS
1339      * (some serial port)
1340      *   csr41814 (Bluetooth)
1341      */
1342     n8x0_gpio_setup(s);
1343     n8x0_nand_setup(s);
1344     n8x0_i2c_setup(s);
1345     if (model == 800) {
1346         n800_tsc_kbd_setup(s);
1347     } else if (model == 810) {
1348         n810_tsc_setup(s);
1349         n810_kbd_setup(s);
1350     }
1351     n8x0_spi_setup(s);
1352     n8x0_dss_setup(s);
1353     n8x0_cbus_setup(s);
1354     if (machine_usb(machine)) {
1355         n8x0_usb_setup(s);
1356     }
1357 
1358     if (machine->kernel_filename) {
1359         /* Or at the linux loader.  */
1360         arm_load_kernel(s->mpu->cpu, machine, binfo);
1361 
1362         qemu_register_reset(n8x0_boot_init, s);
1363     }
1364 
1365     if (option_rom[0].name &&
1366         (machine->boot_config.order[0] == 'n' || !machine->kernel_filename)) {
1367         uint8_t *nolo_tags = g_new(uint8_t, 0x10000);
1368         /* No, wait, better start at the ROM.  */
1369         s->mpu->cpu->env.regs[15] = OMAP2_Q2_BASE + 0x400000;
1370 
1371         /*
1372          * This is intended for loading the `secondary.bin' program from
1373          * Nokia images (the NOLO bootloader).  The entry point seems
1374          * to be at OMAP2_Q2_BASE + 0x400000.
1375          *
1376          * The `2nd.bin' files contain some kind of earlier boot code and
1377          * for them the entry point needs to be set to OMAP2_SRAM_BASE.
1378          *
1379          * The code above is for loading the `zImage' file from Nokia
1380          * images.
1381          */
1382         if (load_image_targphys(option_rom[0].name,
1383                                 OMAP2_Q2_BASE + 0x400000,
1384                                 machine->ram_size - 0x400000) < 0) {
1385             error_report("Failed to load secondary bootloader %s",
1386                          option_rom[0].name);
1387             exit(EXIT_FAILURE);
1388         }
1389 
1390         n800_setup_nolo_tags(nolo_tags);
1391         cpu_physical_memory_write(OMAP2_SRAM_BASE, nolo_tags, 0x10000);
1392         g_free(nolo_tags);
1393     }
1394 }
1395 
1396 static struct arm_boot_info n800_binfo = {
1397     .loader_start = OMAP2_Q2_BASE,
1398     .board_id = 0x4f7,
1399     .atag_board = n800_atag_setup,
1400 };
1401 
1402 static struct arm_boot_info n810_binfo = {
1403     .loader_start = OMAP2_Q2_BASE,
1404     /* 0x60c and 0x6bf (WiMAX Edition) have been assigned but are not
1405      * used by some older versions of the bootloader and 5555 is used
1406      * instead (including versions that shipped with many devices).  */
1407     .board_id = 0x60c,
1408     .atag_board = n810_atag_setup,
1409 };
1410 
1411 static void n800_init(MachineState *machine)
1412 {
1413     n8x0_init(machine, &n800_binfo, 800);
1414 }
1415 
1416 static void n810_init(MachineState *machine)
1417 {
1418     n8x0_init(machine, &n810_binfo, 810);
1419 }
1420 
1421 static void n800_class_init(ObjectClass *oc, void *data)
1422 {
1423     MachineClass *mc = MACHINE_CLASS(oc);
1424 
1425     mc->desc = "Nokia N800 tablet aka. RX-34 (OMAP2420)";
1426     mc->init = n800_init;
1427     mc->default_boot_order = "";
1428     mc->ignore_memory_transaction_failures = true;
1429     mc->default_cpu_type = ARM_CPU_TYPE_NAME("arm1136-r2");
1430     /* Actually two chips of 0x4000000 bytes each */
1431     mc->default_ram_size = 0x08000000;
1432     mc->default_ram_id = "omap2.dram";
1433 }
1434 
1435 static const TypeInfo n800_type = {
1436     .name = MACHINE_TYPE_NAME("n800"),
1437     .parent = TYPE_MACHINE,
1438     .class_init = n800_class_init,
1439 };
1440 
1441 static void n810_class_init(ObjectClass *oc, void *data)
1442 {
1443     MachineClass *mc = MACHINE_CLASS(oc);
1444 
1445     mc->desc = "Nokia N810 tablet aka. RX-44 (OMAP2420)";
1446     mc->init = n810_init;
1447     mc->default_boot_order = "";
1448     mc->ignore_memory_transaction_failures = true;
1449     mc->default_cpu_type = ARM_CPU_TYPE_NAME("arm1136-r2");
1450     /* Actually two chips of 0x4000000 bytes each */
1451     mc->default_ram_size = 0x08000000;
1452     mc->default_ram_id = "omap2.dram";
1453 }
1454 
1455 static const TypeInfo n810_type = {
1456     .name = MACHINE_TYPE_NAME("n810"),
1457     .parent = TYPE_MACHINE,
1458     .class_init = n810_class_init,
1459 };
1460 
1461 static void nseries_machine_init(void)
1462 {
1463     type_register_static(&n800_type);
1464     type_register_static(&n810_type);
1465 }
1466 
1467 type_init(nseries_machine_init)
1468