xref: /openbmc/qemu/hw/block/onenand.c (revision c39f95dc)
1 /*
2  * OneNAND flash memories emulation.
3  *
4  * Copyright (C) 2008 Nokia Corporation
5  * Written by Andrzej Zaborowski <andrew@openedhand.com>
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License as
9  * published by the Free Software Foundation; either version 2 or
10  * (at your option) version 3 of the License.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License along
18  * with this program; if not, see <http://www.gnu.org/licenses/>.
19  */
20 
21 #include "qemu/osdep.h"
22 #include "qapi/error.h"
23 #include "qemu-common.h"
24 #include "hw/hw.h"
25 #include "hw/block/flash.h"
26 #include "hw/irq.h"
27 #include "sysemu/block-backend.h"
28 #include "sysemu/blockdev.h"
29 #include "exec/memory.h"
30 #include "exec/address-spaces.h"
31 #include "hw/sysbus.h"
32 #include "qemu/error-report.h"
33 
34 /* 11 for 2kB-page OneNAND ("2nd generation") and 10 for 1kB-page chips */
35 #define PAGE_SHIFT	11
36 
37 /* Fixed */
38 #define BLOCK_SHIFT	(PAGE_SHIFT + 6)
39 
40 #define TYPE_ONE_NAND "onenand"
41 #define ONE_NAND(obj) OBJECT_CHECK(OneNANDState, (obj), TYPE_ONE_NAND)
42 
43 typedef struct OneNANDState {
44     SysBusDevice parent_obj;
45 
46     struct {
47         uint16_t man;
48         uint16_t dev;
49         uint16_t ver;
50     } id;
51     int shift;
52     hwaddr base;
53     qemu_irq intr;
54     qemu_irq rdy;
55     BlockBackend *blk;
56     BlockBackend *blk_cur;
57     uint8_t *image;
58     uint8_t *otp;
59     uint8_t *current;
60     MemoryRegion ram;
61     MemoryRegion mapped_ram;
62     uint8_t current_direction;
63     uint8_t *boot[2];
64     uint8_t *data[2][2];
65     MemoryRegion iomem;
66     MemoryRegion container;
67     int cycle;
68     int otpmode;
69 
70     uint16_t addr[8];
71     uint16_t unladdr[8];
72     int bufaddr;
73     int count;
74     uint16_t command;
75     uint16_t config[2];
76     uint16_t status;
77     uint16_t intstatus;
78     uint16_t wpstatus;
79 
80     ECCState ecc;
81 
82     int density_mask;
83     int secs;
84     int secs_cur;
85     int blocks;
86     uint8_t *blockwp;
87 } OneNANDState;
88 
89 enum {
90     ONEN_BUF_BLOCK = 0,
91     ONEN_BUF_BLOCK2 = 1,
92     ONEN_BUF_DEST_BLOCK = 2,
93     ONEN_BUF_DEST_PAGE = 3,
94     ONEN_BUF_PAGE = 7,
95 };
96 
97 enum {
98     ONEN_ERR_CMD = 1 << 10,
99     ONEN_ERR_ERASE = 1 << 11,
100     ONEN_ERR_PROG = 1 << 12,
101     ONEN_ERR_LOAD = 1 << 13,
102 };
103 
104 enum {
105     ONEN_INT_RESET = 1 << 4,
106     ONEN_INT_ERASE = 1 << 5,
107     ONEN_INT_PROG = 1 << 6,
108     ONEN_INT_LOAD = 1 << 7,
109     ONEN_INT = 1 << 15,
110 };
111 
112 enum {
113     ONEN_LOCK_LOCKTIGHTEN = 1 << 0,
114     ONEN_LOCK_LOCKED = 1 << 1,
115     ONEN_LOCK_UNLOCKED = 1 << 2,
116 };
117 
118 static void onenand_mem_setup(OneNANDState *s)
119 {
120     /* XXX: We should use IO_MEM_ROMD but we broke it earlier...
121      * Both 0x0000 ... 0x01ff and 0x8000 ... 0x800f can be used to
122      * write boot commands.  Also take note of the BWPS bit.  */
123     memory_region_init(&s->container, OBJECT(s), "onenand",
124                        0x10000 << s->shift);
125     memory_region_add_subregion(&s->container, 0, &s->iomem);
126     memory_region_init_alias(&s->mapped_ram, OBJECT(s), "onenand-mapped-ram",
127                              &s->ram, 0x0200 << s->shift,
128                              0xbe00 << s->shift);
129     memory_region_add_subregion_overlap(&s->container,
130                                         0x0200 << s->shift,
131                                         &s->mapped_ram,
132                                         1);
133 }
134 
135 static void onenand_intr_update(OneNANDState *s)
136 {
137     qemu_set_irq(s->intr, ((s->intstatus >> 15) ^ (~s->config[0] >> 6)) & 1);
138 }
139 
140 static int onenand_pre_save(void *opaque)
141 {
142     OneNANDState *s = opaque;
143     if (s->current == s->otp) {
144         s->current_direction = 1;
145     } else if (s->current == s->image) {
146         s->current_direction = 2;
147     } else {
148         s->current_direction = 0;
149     }
150 
151     return 0;
152 }
153 
154 static int onenand_post_load(void *opaque, int version_id)
155 {
156     OneNANDState *s = opaque;
157     switch (s->current_direction) {
158     case 0:
159         break;
160     case 1:
161         s->current = s->otp;
162         break;
163     case 2:
164         s->current = s->image;
165         break;
166     default:
167         return -1;
168     }
169     onenand_intr_update(s);
170     return 0;
171 }
172 
173 static const VMStateDescription vmstate_onenand = {
174     .name = "onenand",
175     .version_id = 1,
176     .minimum_version_id = 1,
177     .pre_save = onenand_pre_save,
178     .post_load = onenand_post_load,
179     .fields = (VMStateField[]) {
180         VMSTATE_UINT8(current_direction, OneNANDState),
181         VMSTATE_INT32(cycle, OneNANDState),
182         VMSTATE_INT32(otpmode, OneNANDState),
183         VMSTATE_UINT16_ARRAY(addr, OneNANDState, 8),
184         VMSTATE_UINT16_ARRAY(unladdr, OneNANDState, 8),
185         VMSTATE_INT32(bufaddr, OneNANDState),
186         VMSTATE_INT32(count, OneNANDState),
187         VMSTATE_UINT16(command, OneNANDState),
188         VMSTATE_UINT16_ARRAY(config, OneNANDState, 2),
189         VMSTATE_UINT16(status, OneNANDState),
190         VMSTATE_UINT16(intstatus, OneNANDState),
191         VMSTATE_UINT16(wpstatus, OneNANDState),
192         VMSTATE_INT32(secs_cur, OneNANDState),
193         VMSTATE_PARTIAL_VBUFFER(blockwp, OneNANDState, blocks),
194         VMSTATE_UINT8(ecc.cp, OneNANDState),
195         VMSTATE_UINT16_ARRAY(ecc.lp, OneNANDState, 2),
196         VMSTATE_UINT16(ecc.count, OneNANDState),
197         VMSTATE_BUFFER_POINTER_UNSAFE(otp, OneNANDState, 0,
198             ((64 + 2) << PAGE_SHIFT)),
199         VMSTATE_END_OF_LIST()
200     }
201 };
202 
203 /* Hot reset (Reset OneNAND command) or warm reset (RP pin low) */
204 static void onenand_reset(OneNANDState *s, int cold)
205 {
206     memset(&s->addr, 0, sizeof(s->addr));
207     s->command = 0;
208     s->count = 1;
209     s->bufaddr = 0;
210     s->config[0] = 0x40c0;
211     s->config[1] = 0x0000;
212     onenand_intr_update(s);
213     qemu_irq_raise(s->rdy);
214     s->status = 0x0000;
215     s->intstatus = cold ? 0x8080 : 0x8010;
216     s->unladdr[0] = 0;
217     s->unladdr[1] = 0;
218     s->wpstatus = 0x0002;
219     s->cycle = 0;
220     s->otpmode = 0;
221     s->blk_cur = s->blk;
222     s->current = s->image;
223     s->secs_cur = s->secs;
224 
225     if (cold) {
226         /* Lock the whole flash */
227         memset(s->blockwp, ONEN_LOCK_LOCKED, s->blocks);
228 
229         if (s->blk_cur && blk_pread(s->blk_cur, 0, s->boot[0],
230                                     8 << BDRV_SECTOR_BITS) < 0) {
231             hw_error("%s: Loading the BootRAM failed.\n", __func__);
232         }
233     }
234 }
235 
236 static void onenand_system_reset(DeviceState *dev)
237 {
238     OneNANDState *s = ONE_NAND(dev);
239 
240     onenand_reset(s, 1);
241 }
242 
243 static inline int onenand_load_main(OneNANDState *s, int sec, int secn,
244                 void *dest)
245 {
246     assert(UINT32_MAX >> BDRV_SECTOR_BITS > sec);
247     assert(UINT32_MAX >> BDRV_SECTOR_BITS > secn);
248     if (s->blk_cur) {
249         return blk_pread(s->blk_cur, sec << BDRV_SECTOR_BITS, dest,
250                          secn << BDRV_SECTOR_BITS) < 0;
251     } else if (sec + secn > s->secs_cur) {
252         return 1;
253     }
254 
255     memcpy(dest, s->current + (sec << 9), secn << 9);
256 
257     return 0;
258 }
259 
260 static inline int onenand_prog_main(OneNANDState *s, int sec, int secn,
261                 void *src)
262 {
263     int result = 0;
264 
265     if (secn > 0) {
266         uint32_t size = secn << BDRV_SECTOR_BITS;
267         uint32_t offset = sec << BDRV_SECTOR_BITS;
268         assert(UINT32_MAX >> BDRV_SECTOR_BITS > sec);
269         assert(UINT32_MAX >> BDRV_SECTOR_BITS > secn);
270         const uint8_t *sp = (const uint8_t *)src;
271         uint8_t *dp = 0;
272         if (s->blk_cur) {
273             dp = g_malloc(size);
274             if (!dp || blk_pread(s->blk_cur, offset, dp, size) < 0) {
275                 result = 1;
276             }
277         } else {
278             if (sec + secn > s->secs_cur) {
279                 result = 1;
280             } else {
281                 dp = (uint8_t *)s->current + offset;
282             }
283         }
284         if (!result) {
285             uint32_t i;
286             for (i = 0; i < size; i++) {
287                 dp[i] &= sp[i];
288             }
289             if (s->blk_cur) {
290                 result = blk_pwrite(s->blk_cur, offset, dp, size, 0) < 0;
291             }
292         }
293         if (dp && s->blk_cur) {
294             g_free(dp);
295         }
296     }
297 
298     return result;
299 }
300 
301 static inline int onenand_load_spare(OneNANDState *s, int sec, int secn,
302                 void *dest)
303 {
304     uint8_t buf[512];
305 
306     if (s->blk_cur) {
307         uint32_t offset = (s->secs_cur + (sec >> 5)) << BDRV_SECTOR_BITS;
308         if (blk_pread(s->blk_cur, offset, buf, BDRV_SECTOR_SIZE) < 0) {
309             return 1;
310         }
311         memcpy(dest, buf + ((sec & 31) << 4), secn << 4);
312     } else if (sec + secn > s->secs_cur) {
313         return 1;
314     } else {
315         memcpy(dest, s->current + (s->secs_cur << 9) + (sec << 4), secn << 4);
316     }
317 
318     return 0;
319 }
320 
321 static inline int onenand_prog_spare(OneNANDState *s, int sec, int secn,
322                 void *src)
323 {
324     int result = 0;
325     if (secn > 0) {
326         const uint8_t *sp = (const uint8_t *)src;
327         uint8_t *dp = 0, *dpp = 0;
328         uint32_t offset = (s->secs_cur + (sec >> 5)) << BDRV_SECTOR_BITS;
329         assert(UINT32_MAX >> BDRV_SECTOR_BITS > s->secs_cur + (sec >> 5));
330         if (s->blk_cur) {
331             dp = g_malloc(512);
332             if (!dp
333                 || blk_pread(s->blk_cur, offset, dp, BDRV_SECTOR_SIZE) < 0) {
334                 result = 1;
335             } else {
336                 dpp = dp + ((sec & 31) << 4);
337             }
338         } else {
339             if (sec + secn > s->secs_cur) {
340                 result = 1;
341             } else {
342                 dpp = s->current + (s->secs_cur << 9) + (sec << 4);
343             }
344         }
345         if (!result) {
346             uint32_t i;
347             for (i = 0; i < (secn << 4); i++) {
348                 dpp[i] &= sp[i];
349             }
350             if (s->blk_cur) {
351                 result = blk_pwrite(s->blk_cur, offset, dp,
352                                     BDRV_SECTOR_SIZE, 0) < 0;
353             }
354         }
355         g_free(dp);
356     }
357     return result;
358 }
359 
360 static inline int onenand_erase(OneNANDState *s, int sec, int num)
361 {
362     uint8_t *blankbuf, *tmpbuf;
363 
364     blankbuf = g_malloc(512);
365     tmpbuf = g_malloc(512);
366     memset(blankbuf, 0xff, 512);
367     for (; num > 0; num--, sec++) {
368         if (s->blk_cur) {
369             int erasesec = s->secs_cur + (sec >> 5);
370             if (blk_pwrite(s->blk_cur, sec << BDRV_SECTOR_BITS, blankbuf,
371                            BDRV_SECTOR_SIZE, 0) < 0) {
372                 goto fail;
373             }
374             if (blk_pread(s->blk_cur, erasesec << BDRV_SECTOR_BITS, tmpbuf,
375                           BDRV_SECTOR_SIZE) < 0) {
376                 goto fail;
377             }
378             memcpy(tmpbuf + ((sec & 31) << 4), blankbuf, 1 << 4);
379             if (blk_pwrite(s->blk_cur, erasesec << BDRV_SECTOR_BITS, tmpbuf,
380                            BDRV_SECTOR_SIZE, 0) < 0) {
381                 goto fail;
382             }
383         } else {
384             if (sec + 1 > s->secs_cur) {
385                 goto fail;
386             }
387             memcpy(s->current + (sec << 9), blankbuf, 512);
388             memcpy(s->current + (s->secs_cur << 9) + (sec << 4),
389                    blankbuf, 1 << 4);
390         }
391     }
392 
393     g_free(tmpbuf);
394     g_free(blankbuf);
395     return 0;
396 
397 fail:
398     g_free(tmpbuf);
399     g_free(blankbuf);
400     return 1;
401 }
402 
403 static void onenand_command(OneNANDState *s)
404 {
405     int b;
406     int sec;
407     void *buf;
408 #define SETADDR(block, page)			\
409     sec = (s->addr[page] & 3) +			\
410             ((((s->addr[page] >> 2) & 0x3f) +	\
411               (((s->addr[block] & 0xfff) |	\
412                 (s->addr[block] >> 15 ?		\
413                  s->density_mask : 0)) << 6)) << (PAGE_SHIFT - 9));
414 #define SETBUF_M()				\
415     buf = (s->bufaddr & 8) ?			\
416             s->data[(s->bufaddr >> 2) & 1][0] : s->boot[0];	\
417     buf += (s->bufaddr & 3) << 9;
418 #define SETBUF_S()				\
419     buf = (s->bufaddr & 8) ?			\
420             s->data[(s->bufaddr >> 2) & 1][1] : s->boot[1];	\
421     buf += (s->bufaddr & 3) << 4;
422 
423     switch (s->command) {
424     case 0x00:	/* Load single/multiple sector data unit into buffer */
425         SETADDR(ONEN_BUF_BLOCK, ONEN_BUF_PAGE)
426 
427         SETBUF_M()
428         if (onenand_load_main(s, sec, s->count, buf))
429             s->status |= ONEN_ERR_CMD | ONEN_ERR_LOAD;
430 
431 #if 0
432         SETBUF_S()
433         if (onenand_load_spare(s, sec, s->count, buf))
434             s->status |= ONEN_ERR_CMD | ONEN_ERR_LOAD;
435 #endif
436 
437         /* TODO: if (s->bufaddr & 3) + s->count was > 4 (2k-pages)
438          * or    if (s->bufaddr & 1) + s->count was > 2 (1k-pages)
439          * then we need two split the read/write into two chunks.
440          */
441         s->intstatus |= ONEN_INT | ONEN_INT_LOAD;
442         break;
443     case 0x13:	/* Load single/multiple spare sector into buffer */
444         SETADDR(ONEN_BUF_BLOCK, ONEN_BUF_PAGE)
445 
446         SETBUF_S()
447         if (onenand_load_spare(s, sec, s->count, buf))
448             s->status |= ONEN_ERR_CMD | ONEN_ERR_LOAD;
449 
450         /* TODO: if (s->bufaddr & 3) + s->count was > 4 (2k-pages)
451          * or    if (s->bufaddr & 1) + s->count was > 2 (1k-pages)
452          * then we need two split the read/write into two chunks.
453          */
454         s->intstatus |= ONEN_INT | ONEN_INT_LOAD;
455         break;
456     case 0x80:	/* Program single/multiple sector data unit from buffer */
457         SETADDR(ONEN_BUF_BLOCK, ONEN_BUF_PAGE)
458 
459         SETBUF_M()
460         if (onenand_prog_main(s, sec, s->count, buf))
461             s->status |= ONEN_ERR_CMD | ONEN_ERR_PROG;
462 
463 #if 0
464         SETBUF_S()
465         if (onenand_prog_spare(s, sec, s->count, buf))
466             s->status |= ONEN_ERR_CMD | ONEN_ERR_PROG;
467 #endif
468 
469         /* TODO: if (s->bufaddr & 3) + s->count was > 4 (2k-pages)
470          * or    if (s->bufaddr & 1) + s->count was > 2 (1k-pages)
471          * then we need two split the read/write into two chunks.
472          */
473         s->intstatus |= ONEN_INT | ONEN_INT_PROG;
474         break;
475     case 0x1a:	/* Program single/multiple spare area sector from buffer */
476         SETADDR(ONEN_BUF_BLOCK, ONEN_BUF_PAGE)
477 
478         SETBUF_S()
479         if (onenand_prog_spare(s, sec, s->count, buf))
480             s->status |= ONEN_ERR_CMD | ONEN_ERR_PROG;
481 
482         /* TODO: if (s->bufaddr & 3) + s->count was > 4 (2k-pages)
483          * or    if (s->bufaddr & 1) + s->count was > 2 (1k-pages)
484          * then we need two split the read/write into two chunks.
485          */
486         s->intstatus |= ONEN_INT | ONEN_INT_PROG;
487         break;
488     case 0x1b:	/* Copy-back program */
489         SETBUF_S()
490 
491         SETADDR(ONEN_BUF_BLOCK, ONEN_BUF_PAGE)
492         if (onenand_load_main(s, sec, s->count, buf))
493             s->status |= ONEN_ERR_CMD | ONEN_ERR_PROG;
494 
495         SETADDR(ONEN_BUF_DEST_BLOCK, ONEN_BUF_DEST_PAGE)
496         if (onenand_prog_main(s, sec, s->count, buf))
497             s->status |= ONEN_ERR_CMD | ONEN_ERR_PROG;
498 
499         /* TODO: spare areas */
500 
501         s->intstatus |= ONEN_INT | ONEN_INT_PROG;
502         break;
503 
504     case 0x23:	/* Unlock NAND array block(s) */
505         s->intstatus |= ONEN_INT;
506 
507         /* XXX the previous (?) area should be locked automatically */
508         for (b = s->unladdr[0]; b <= s->unladdr[1]; b ++) {
509             if (b >= s->blocks) {
510                 s->status |= ONEN_ERR_CMD;
511                 break;
512             }
513             if (s->blockwp[b] == ONEN_LOCK_LOCKTIGHTEN)
514                 break;
515 
516             s->wpstatus = s->blockwp[b] = ONEN_LOCK_UNLOCKED;
517         }
518         break;
519     case 0x27:	/* Unlock All NAND array blocks */
520         s->intstatus |= ONEN_INT;
521 
522         for (b = 0; b < s->blocks; b ++) {
523             if (s->blockwp[b] == ONEN_LOCK_LOCKTIGHTEN)
524                 break;
525 
526             s->wpstatus = s->blockwp[b] = ONEN_LOCK_UNLOCKED;
527         }
528         break;
529 
530     case 0x2a:	/* Lock NAND array block(s) */
531         s->intstatus |= ONEN_INT;
532 
533         for (b = s->unladdr[0]; b <= s->unladdr[1]; b ++) {
534             if (b >= s->blocks) {
535                 s->status |= ONEN_ERR_CMD;
536                 break;
537             }
538             if (s->blockwp[b] == ONEN_LOCK_LOCKTIGHTEN)
539                 break;
540 
541             s->wpstatus = s->blockwp[b] = ONEN_LOCK_LOCKED;
542         }
543         break;
544     case 0x2c:	/* Lock-tight NAND array block(s) */
545         s->intstatus |= ONEN_INT;
546 
547         for (b = s->unladdr[0]; b <= s->unladdr[1]; b ++) {
548             if (b >= s->blocks) {
549                 s->status |= ONEN_ERR_CMD;
550                 break;
551             }
552             if (s->blockwp[b] == ONEN_LOCK_UNLOCKED)
553                 continue;
554 
555             s->wpstatus = s->blockwp[b] = ONEN_LOCK_LOCKTIGHTEN;
556         }
557         break;
558 
559     case 0x71:	/* Erase-Verify-Read */
560         s->intstatus |= ONEN_INT;
561         break;
562     case 0x95:	/* Multi-block erase */
563         qemu_irq_pulse(s->intr);
564         /* Fall through.  */
565     case 0x94:	/* Block erase */
566         sec = ((s->addr[ONEN_BUF_BLOCK] & 0xfff) |
567                         (s->addr[ONEN_BUF_BLOCK] >> 15 ? s->density_mask : 0))
568                 << (BLOCK_SHIFT - 9);
569         if (onenand_erase(s, sec, 1 << (BLOCK_SHIFT - 9)))
570             s->status |= ONEN_ERR_CMD | ONEN_ERR_ERASE;
571 
572         s->intstatus |= ONEN_INT | ONEN_INT_ERASE;
573         break;
574     case 0xb0:	/* Erase suspend */
575         break;
576     case 0x30:	/* Erase resume */
577         s->intstatus |= ONEN_INT | ONEN_INT_ERASE;
578         break;
579 
580     case 0xf0:	/* Reset NAND Flash core */
581         onenand_reset(s, 0);
582         break;
583     case 0xf3:	/* Reset OneNAND */
584         onenand_reset(s, 0);
585         break;
586 
587     case 0x65:	/* OTP Access */
588         s->intstatus |= ONEN_INT;
589         s->blk_cur = NULL;
590         s->current = s->otp;
591         s->secs_cur = 1 << (BLOCK_SHIFT - 9);
592         s->addr[ONEN_BUF_BLOCK] = 0;
593         s->otpmode = 1;
594         break;
595 
596     default:
597         s->status |= ONEN_ERR_CMD;
598         s->intstatus |= ONEN_INT;
599         fprintf(stderr, "%s: unknown OneNAND command %x\n",
600                         __func__, s->command);
601     }
602 
603     onenand_intr_update(s);
604 }
605 
606 static uint64_t onenand_read(void *opaque, hwaddr addr,
607                              unsigned size)
608 {
609     OneNANDState *s = (OneNANDState *) opaque;
610     int offset = addr >> s->shift;
611 
612     switch (offset) {
613     case 0x0000 ... 0xc000:
614         return lduw_le_p(s->boot[0] + addr);
615 
616     case 0xf000:	/* Manufacturer ID */
617         return s->id.man;
618     case 0xf001:	/* Device ID */
619         return s->id.dev;
620     case 0xf002:	/* Version ID */
621         return s->id.ver;
622     /* TODO: get the following values from a real chip!  */
623     case 0xf003:	/* Data Buffer size */
624         return 1 << PAGE_SHIFT;
625     case 0xf004:	/* Boot Buffer size */
626         return 0x200;
627     case 0xf005:	/* Amount of buffers */
628         return 1 | (2 << 8);
629     case 0xf006:	/* Technology */
630         return 0;
631 
632     case 0xf100 ... 0xf107:	/* Start addresses */
633         return s->addr[offset - 0xf100];
634 
635     case 0xf200:	/* Start buffer */
636         return (s->bufaddr << 8) | ((s->count - 1) & (1 << (PAGE_SHIFT - 10)));
637 
638     case 0xf220:	/* Command */
639         return s->command;
640     case 0xf221:	/* System Configuration 1 */
641         return s->config[0] & 0xffe0;
642     case 0xf222:	/* System Configuration 2 */
643         return s->config[1];
644 
645     case 0xf240:	/* Controller Status */
646         return s->status;
647     case 0xf241:	/* Interrupt */
648         return s->intstatus;
649     case 0xf24c:	/* Unlock Start Block Address */
650         return s->unladdr[0];
651     case 0xf24d:	/* Unlock End Block Address */
652         return s->unladdr[1];
653     case 0xf24e:	/* Write Protection Status */
654         return s->wpstatus;
655 
656     case 0xff00:	/* ECC Status */
657         return 0x00;
658     case 0xff01:	/* ECC Result of main area data */
659     case 0xff02:	/* ECC Result of spare area data */
660     case 0xff03:	/* ECC Result of main area data */
661     case 0xff04:	/* ECC Result of spare area data */
662         hw_error("%s: imeplement ECC\n", __FUNCTION__);
663         return 0x0000;
664     }
665 
666     fprintf(stderr, "%s: unknown OneNAND register %x\n",
667                     __FUNCTION__, offset);
668     return 0;
669 }
670 
671 static void onenand_write(void *opaque, hwaddr addr,
672                           uint64_t value, unsigned size)
673 {
674     OneNANDState *s = (OneNANDState *) opaque;
675     int offset = addr >> s->shift;
676     int sec;
677 
678     switch (offset) {
679     case 0x0000 ... 0x01ff:
680     case 0x8000 ... 0x800f:
681         if (s->cycle) {
682             s->cycle = 0;
683 
684             if (value == 0x0000) {
685                 SETADDR(ONEN_BUF_BLOCK, ONEN_BUF_PAGE)
686                 onenand_load_main(s, sec,
687                                 1 << (PAGE_SHIFT - 9), s->data[0][0]);
688                 s->addr[ONEN_BUF_PAGE] += 4;
689                 s->addr[ONEN_BUF_PAGE] &= 0xff;
690             }
691             break;
692         }
693 
694         switch (value) {
695         case 0x00f0:	/* Reset OneNAND */
696             onenand_reset(s, 0);
697             break;
698 
699         case 0x00e0:	/* Load Data into Buffer */
700             s->cycle = 1;
701             break;
702 
703         case 0x0090:	/* Read Identification Data */
704             memset(s->boot[0], 0, 3 << s->shift);
705             s->boot[0][0 << s->shift] = s->id.man & 0xff;
706             s->boot[0][1 << s->shift] = s->id.dev & 0xff;
707             s->boot[0][2 << s->shift] = s->wpstatus & 0xff;
708             break;
709 
710         default:
711             fprintf(stderr, "%s: unknown OneNAND boot command %"PRIx64"\n",
712                             __FUNCTION__, value);
713         }
714         break;
715 
716     case 0xf100 ... 0xf107:	/* Start addresses */
717         s->addr[offset - 0xf100] = value;
718         break;
719 
720     case 0xf200:	/* Start buffer */
721         s->bufaddr = (value >> 8) & 0xf;
722         if (PAGE_SHIFT == 11)
723             s->count = (value & 3) ?: 4;
724         else if (PAGE_SHIFT == 10)
725             s->count = (value & 1) ?: 2;
726         break;
727 
728     case 0xf220:	/* Command */
729         if (s->intstatus & (1 << 15))
730             break;
731         s->command = value;
732         onenand_command(s);
733         break;
734     case 0xf221:	/* System Configuration 1 */
735         s->config[0] = value;
736         onenand_intr_update(s);
737         qemu_set_irq(s->rdy, (s->config[0] >> 7) & 1);
738         break;
739     case 0xf222:	/* System Configuration 2 */
740         s->config[1] = value;
741         break;
742 
743     case 0xf241:	/* Interrupt */
744         s->intstatus &= value;
745         if ((1 << 15) & ~s->intstatus)
746             s->status &= ~(ONEN_ERR_CMD | ONEN_ERR_ERASE |
747                             ONEN_ERR_PROG | ONEN_ERR_LOAD);
748         onenand_intr_update(s);
749         break;
750     case 0xf24c:	/* Unlock Start Block Address */
751         s->unladdr[0] = value & (s->blocks - 1);
752         /* For some reason we have to set the end address to by default
753          * be same as start because the software forgets to write anything
754          * in there.  */
755         s->unladdr[1] = value & (s->blocks - 1);
756         break;
757     case 0xf24d:	/* Unlock End Block Address */
758         s->unladdr[1] = value & (s->blocks - 1);
759         break;
760 
761     default:
762         fprintf(stderr, "%s: unknown OneNAND register %x\n",
763                         __FUNCTION__, offset);
764     }
765 }
766 
767 static const MemoryRegionOps onenand_ops = {
768     .read = onenand_read,
769     .write = onenand_write,
770     .endianness = DEVICE_NATIVE_ENDIAN,
771 };
772 
773 static int onenand_initfn(SysBusDevice *sbd)
774 {
775     DeviceState *dev = DEVICE(sbd);
776     OneNANDState *s = ONE_NAND(dev);
777     uint32_t size = 1 << (24 + ((s->id.dev >> 4) & 7));
778     void *ram;
779     Error *local_err = NULL;
780 
781     s->base = (hwaddr)-1;
782     s->rdy = NULL;
783     s->blocks = size >> BLOCK_SHIFT;
784     s->secs = size >> 9;
785     s->blockwp = g_malloc(s->blocks);
786     s->density_mask = (s->id.dev & 0x08)
787         ? (1 << (6 + ((s->id.dev >> 4) & 7))) : 0;
788     memory_region_init_io(&s->iomem, OBJECT(s), &onenand_ops, s, "onenand",
789                           0x10000 << s->shift);
790     if (!s->blk) {
791         s->image = memset(g_malloc(size + (size >> 5)),
792                           0xff, size + (size >> 5));
793     } else {
794         if (blk_is_read_only(s->blk)) {
795             error_report("Can't use a read-only drive");
796             return -1;
797         }
798         blk_set_perm(s->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
799                      BLK_PERM_ALL, &local_err);
800         if (local_err) {
801             error_report_err(local_err);
802             return -1;
803         }
804         s->blk_cur = s->blk;
805     }
806     s->otp = memset(g_malloc((64 + 2) << PAGE_SHIFT),
807                     0xff, (64 + 2) << PAGE_SHIFT);
808     memory_region_init_ram_nomigrate(&s->ram, OBJECT(s), "onenand.ram",
809                            0xc000 << s->shift, &error_fatal);
810     vmstate_register_ram_global(&s->ram);
811     ram = memory_region_get_ram_ptr(&s->ram);
812     s->boot[0] = ram + (0x0000 << s->shift);
813     s->boot[1] = ram + (0x8000 << s->shift);
814     s->data[0][0] = ram + ((0x0200 + (0 << (PAGE_SHIFT - 1))) << s->shift);
815     s->data[0][1] = ram + ((0x8010 + (0 << (PAGE_SHIFT - 6))) << s->shift);
816     s->data[1][0] = ram + ((0x0200 + (1 << (PAGE_SHIFT - 1))) << s->shift);
817     s->data[1][1] = ram + ((0x8010 + (1 << (PAGE_SHIFT - 6))) << s->shift);
818     onenand_mem_setup(s);
819     sysbus_init_irq(sbd, &s->intr);
820     sysbus_init_mmio(sbd, &s->container);
821     vmstate_register(dev,
822                      ((s->shift & 0x7f) << 24)
823                      | ((s->id.man & 0xff) << 16)
824                      | ((s->id.dev & 0xff) << 8)
825                      | (s->id.ver & 0xff),
826                      &vmstate_onenand, s);
827     return 0;
828 }
829 
830 static Property onenand_properties[] = {
831     DEFINE_PROP_UINT16("manufacturer_id", OneNANDState, id.man, 0),
832     DEFINE_PROP_UINT16("device_id", OneNANDState, id.dev, 0),
833     DEFINE_PROP_UINT16("version_id", OneNANDState, id.ver, 0),
834     DEFINE_PROP_INT32("shift", OneNANDState, shift, 0),
835     DEFINE_PROP_DRIVE("drive", OneNANDState, blk),
836     DEFINE_PROP_END_OF_LIST(),
837 };
838 
839 static void onenand_class_init(ObjectClass *klass, void *data)
840 {
841     DeviceClass *dc = DEVICE_CLASS(klass);
842     SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
843 
844     k->init = onenand_initfn;
845     dc->reset = onenand_system_reset;
846     dc->props = onenand_properties;
847 }
848 
849 static const TypeInfo onenand_info = {
850     .name          = TYPE_ONE_NAND,
851     .parent        = TYPE_SYS_BUS_DEVICE,
852     .instance_size = sizeof(OneNANDState),
853     .class_init    = onenand_class_init,
854 };
855 
856 static void onenand_register_types(void)
857 {
858     type_register_static(&onenand_info);
859 }
860 
861 void *onenand_raw_otp(DeviceState *onenand_device)
862 {
863     OneNANDState *s = ONE_NAND(onenand_device);
864 
865     return s->otp;
866 }
867 
868 type_init(onenand_register_types)
869