1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 1.10." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "qemu/osdep.h" 33 #include "hw/qdev.h" 34 #include "hw/hw.h" 35 #include "sysemu/block-backend.h" 36 #include "hw/sd/sd.h" 37 #include "qapi/error.h" 38 #include "qemu/bitmap.h" 39 #include "hw/qdev-properties.h" 40 #include "qemu/error-report.h" 41 #include "qemu/timer.h" 42 #include "qemu/log.h" 43 44 //#define DEBUG_SD 1 45 46 #ifdef DEBUG_SD 47 #define DPRINTF(fmt, ...) \ 48 do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0) 49 #else 50 #define DPRINTF(fmt, ...) do {} while(0) 51 #endif 52 53 #define ACMD41_ENQUIRY_MASK 0x00ffffff 54 #define OCR_POWER_UP 0x80000000 55 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 56 57 typedef enum { 58 sd_r0 = 0, /* no response */ 59 sd_r1, /* normal response command */ 60 sd_r2_i, /* CID register */ 61 sd_r2_s, /* CSD register */ 62 sd_r3, /* OCR register */ 63 sd_r6 = 6, /* Published RCA response */ 64 sd_r7, /* Operating voltage */ 65 sd_r1b = -1, 66 sd_illegal = -2, 67 } sd_rsp_type_t; 68 69 enum SDCardModes { 70 sd_inactive, 71 sd_card_identification_mode, 72 sd_data_transfer_mode, 73 }; 74 75 enum SDCardStates { 76 sd_inactive_state = -1, 77 sd_idle_state = 0, 78 sd_ready_state, 79 sd_identification_state, 80 sd_standby_state, 81 sd_transfer_state, 82 sd_sendingdata_state, 83 sd_receivingdata_state, 84 sd_programming_state, 85 sd_disconnect_state, 86 }; 87 88 struct SDState { 89 DeviceState parent_obj; 90 91 uint32_t mode; /* current card mode, one of SDCardModes */ 92 int32_t state; /* current card state, one of SDCardStates */ 93 uint32_t ocr; 94 QEMUTimer *ocr_power_timer; 95 uint8_t scr[8]; 96 uint8_t cid[16]; 97 uint8_t csd[16]; 98 uint16_t rca; 99 uint32_t card_status; 100 uint8_t sd_status[64]; 101 uint32_t vhs; 102 bool wp_switch; 103 unsigned long *wp_groups; 104 int32_t wpgrps_size; 105 uint64_t size; 106 uint32_t blk_len; 107 uint32_t multi_blk_cnt; 108 uint32_t erase_start; 109 uint32_t erase_end; 110 uint8_t pwd[16]; 111 uint32_t pwd_len; 112 uint8_t function_group[6]; 113 114 bool spi; 115 uint8_t current_cmd; 116 /* True if we will handle the next command as an ACMD. Note that this does 117 * *not* track the APP_CMD status bit! 118 */ 119 bool expecting_acmd; 120 uint32_t blk_written; 121 uint64_t data_start; 122 uint32_t data_offset; 123 uint8_t data[512]; 124 qemu_irq readonly_cb; 125 qemu_irq inserted_cb; 126 BlockBackend *blk; 127 128 bool enable; 129 uint8_t dat_lines; 130 bool cmd_line; 131 }; 132 133 static uint8_t sd_get_dat_lines(SDState *sd) 134 { 135 return sd->enable ? sd->dat_lines : 0; 136 } 137 138 static bool sd_get_cmd_line(SDState *sd) 139 { 140 return sd->enable ? sd->cmd_line : false; 141 } 142 143 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 144 { 145 switch (millivolts) { 146 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 147 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 148 break; 149 default: 150 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 151 millivolts / 1000.f); 152 } 153 } 154 155 static void sd_set_mode(SDState *sd) 156 { 157 switch (sd->state) { 158 case sd_inactive_state: 159 sd->mode = sd_inactive; 160 break; 161 162 case sd_idle_state: 163 case sd_ready_state: 164 case sd_identification_state: 165 sd->mode = sd_card_identification_mode; 166 break; 167 168 case sd_standby_state: 169 case sd_transfer_state: 170 case sd_sendingdata_state: 171 case sd_receivingdata_state: 172 case sd_programming_state: 173 case sd_disconnect_state: 174 sd->mode = sd_data_transfer_mode; 175 break; 176 } 177 } 178 179 static const sd_cmd_type_t sd_cmd_type[64] = { 180 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac, 181 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac, 182 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, 183 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none, 184 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none, 185 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none, 186 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, 187 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, 188 }; 189 190 static const int sd_cmd_class[64] = { 191 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 192 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6, 193 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7, 194 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8, 195 }; 196 197 static uint8_t sd_crc7(void *message, size_t width) 198 { 199 int i, bit; 200 uint8_t shift_reg = 0x00; 201 uint8_t *msg = (uint8_t *) message; 202 203 for (i = 0; i < width; i ++, msg ++) 204 for (bit = 7; bit >= 0; bit --) { 205 shift_reg <<= 1; 206 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 207 shift_reg ^= 0x89; 208 } 209 210 return shift_reg; 211 } 212 213 static uint16_t sd_crc16(void *message, size_t width) 214 { 215 int i, bit; 216 uint16_t shift_reg = 0x0000; 217 uint16_t *msg = (uint16_t *) message; 218 width <<= 1; 219 220 for (i = 0; i < width; i ++, msg ++) 221 for (bit = 15; bit >= 0; bit --) { 222 shift_reg <<= 1; 223 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1)) 224 shift_reg ^= 0x1011; 225 } 226 227 return shift_reg; 228 } 229 230 static void sd_set_ocr(SDState *sd) 231 { 232 /* All voltages OK, Standard Capacity SD Memory Card, not yet powered up */ 233 sd->ocr = 0x00ffff00; 234 } 235 236 static void sd_ocr_powerup(void *opaque) 237 { 238 SDState *sd = opaque; 239 240 /* Set powered up bit in OCR */ 241 assert(!(sd->ocr & OCR_POWER_UP)); 242 sd->ocr |= OCR_POWER_UP; 243 } 244 245 static void sd_set_scr(SDState *sd) 246 { 247 sd->scr[0] = 0x00; /* SCR Structure */ 248 sd->scr[1] = 0x2f; /* SD Security Support */ 249 sd->scr[2] = 0x00; 250 sd->scr[3] = 0x00; 251 sd->scr[4] = 0x00; 252 sd->scr[5] = 0x00; 253 sd->scr[6] = 0x00; 254 sd->scr[7] = 0x00; 255 } 256 257 #define MID 0xaa 258 #define OID "XY" 259 #define PNM "QEMU!" 260 #define PRV 0x01 261 #define MDT_YR 2006 262 #define MDT_MON 2 263 264 static void sd_set_cid(SDState *sd) 265 { 266 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 267 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 268 sd->cid[2] = OID[1]; 269 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 270 sd->cid[4] = PNM[1]; 271 sd->cid[5] = PNM[2]; 272 sd->cid[6] = PNM[3]; 273 sd->cid[7] = PNM[4]; 274 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 275 sd->cid[9] = 0xde; /* Fake serial number (PSN) */ 276 sd->cid[10] = 0xad; 277 sd->cid[11] = 0xbe; 278 sd->cid[12] = 0xef; 279 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 280 ((MDT_YR - 2000) / 10); 281 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 282 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 283 } 284 285 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 286 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 287 #define WPGROUP_SHIFT 7 /* 2 megs */ 288 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 289 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 290 291 static const uint8_t sd_csd_rw_mask[16] = { 292 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 294 }; 295 296 static void sd_set_csd(SDState *sd, uint64_t size) 297 { 298 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1; 299 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 300 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 301 302 if (size <= 0x40000000) { /* Standard Capacity SD */ 303 sd->csd[0] = 0x00; /* CSD structure */ 304 sd->csd[1] = 0x26; /* Data read access-time-1 */ 305 sd->csd[2] = 0x00; /* Data read access-time-2 */ 306 sd->csd[3] = 0x5a; /* Max. data transfer rate */ 307 sd->csd[4] = 0x5f; /* Card Command Classes */ 308 sd->csd[5] = 0x50 | /* Max. read data block length */ 309 HWBLOCK_SHIFT; 310 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 311 ((csize >> 10) & 0x03); 312 sd->csd[7] = 0x00 | /* Device size */ 313 ((csize >> 2) & 0xff); 314 sd->csd[8] = 0x3f | /* Max. read current */ 315 ((csize << 6) & 0xc0); 316 sd->csd[9] = 0xfc | /* Max. write current */ 317 ((CMULT_SHIFT - 2) >> 1); 318 sd->csd[10] = 0x40 | /* Erase sector size */ 319 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 320 sd->csd[11] = 0x00 | /* Write protect group size */ 321 ((sectsize << 7) & 0x80) | wpsize; 322 sd->csd[12] = 0x90 | /* Write speed factor */ 323 (HWBLOCK_SHIFT >> 2); 324 sd->csd[13] = 0x20 | /* Max. write data block length */ 325 ((HWBLOCK_SHIFT << 6) & 0xc0); 326 sd->csd[14] = 0x00; /* File format group */ 327 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 328 } else { /* SDHC */ 329 size /= 512 * 1024; 330 size -= 1; 331 sd->csd[0] = 0x40; 332 sd->csd[1] = 0x0e; 333 sd->csd[2] = 0x00; 334 sd->csd[3] = 0x32; 335 sd->csd[4] = 0x5b; 336 sd->csd[5] = 0x59; 337 sd->csd[6] = 0x00; 338 sd->csd[7] = (size >> 16) & 0xff; 339 sd->csd[8] = (size >> 8) & 0xff; 340 sd->csd[9] = (size & 0xff); 341 sd->csd[10] = 0x7f; 342 sd->csd[11] = 0x80; 343 sd->csd[12] = 0x0a; 344 sd->csd[13] = 0x40; 345 sd->csd[14] = 0x00; 346 sd->csd[15] = 0x00; 347 sd->ocr |= 1 << 30; /* High Capacity SD Memory Card */ 348 } 349 } 350 351 static void sd_set_rca(SDState *sd) 352 { 353 sd->rca += 0x4567; 354 } 355 356 /* Card status bits, split by clear condition: 357 * A : According to the card current state 358 * B : Always related to the previous command 359 * C : Cleared by read 360 */ 361 #define CARD_STATUS_A 0x02004100 362 #define CARD_STATUS_B 0x00c01e00 363 #define CARD_STATUS_C 0xfd39a028 364 365 static void sd_set_cardstatus(SDState *sd) 366 { 367 sd->card_status = 0x00000100; 368 } 369 370 static void sd_set_sdstatus(SDState *sd) 371 { 372 memset(sd->sd_status, 0, 64); 373 } 374 375 static int sd_req_crc_validate(SDRequest *req) 376 { 377 uint8_t buffer[5]; 378 buffer[0] = 0x40 | req->cmd; 379 buffer[1] = (req->arg >> 24) & 0xff; 380 buffer[2] = (req->arg >> 16) & 0xff; 381 buffer[3] = (req->arg >> 8) & 0xff; 382 buffer[4] = (req->arg >> 0) & 0xff; 383 return 0; 384 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 385 } 386 387 static void sd_response_r1_make(SDState *sd, uint8_t *response) 388 { 389 uint32_t status = sd->card_status; 390 /* Clear the "clear on read" status bits */ 391 sd->card_status &= ~CARD_STATUS_C; 392 393 response[0] = (status >> 24) & 0xff; 394 response[1] = (status >> 16) & 0xff; 395 response[2] = (status >> 8) & 0xff; 396 response[3] = (status >> 0) & 0xff; 397 } 398 399 static void sd_response_r3_make(SDState *sd, uint8_t *response) 400 { 401 response[0] = (sd->ocr >> 24) & 0xff; 402 response[1] = (sd->ocr >> 16) & 0xff; 403 response[2] = (sd->ocr >> 8) & 0xff; 404 response[3] = (sd->ocr >> 0) & 0xff; 405 } 406 407 static void sd_response_r6_make(SDState *sd, uint8_t *response) 408 { 409 uint16_t arg; 410 uint16_t status; 411 412 arg = sd->rca; 413 status = ((sd->card_status >> 8) & 0xc000) | 414 ((sd->card_status >> 6) & 0x2000) | 415 (sd->card_status & 0x1fff); 416 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 417 418 response[0] = (arg >> 8) & 0xff; 419 response[1] = arg & 0xff; 420 response[2] = (status >> 8) & 0xff; 421 response[3] = status & 0xff; 422 } 423 424 static void sd_response_r7_make(SDState *sd, uint8_t *response) 425 { 426 response[0] = (sd->vhs >> 24) & 0xff; 427 response[1] = (sd->vhs >> 16) & 0xff; 428 response[2] = (sd->vhs >> 8) & 0xff; 429 response[3] = (sd->vhs >> 0) & 0xff; 430 } 431 432 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 433 { 434 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 435 } 436 437 static void sd_reset(DeviceState *dev) 438 { 439 SDState *sd = SD_CARD(dev); 440 uint64_t size; 441 uint64_t sect; 442 443 if (sd->blk) { 444 blk_get_geometry(sd->blk, §); 445 } else { 446 sect = 0; 447 } 448 size = sect << 9; 449 450 sect = sd_addr_to_wpnum(size) + 1; 451 452 sd->state = sd_idle_state; 453 sd->rca = 0x0000; 454 sd_set_ocr(sd); 455 sd_set_scr(sd); 456 sd_set_cid(sd); 457 sd_set_csd(sd, size); 458 sd_set_cardstatus(sd); 459 sd_set_sdstatus(sd); 460 461 g_free(sd->wp_groups); 462 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false; 463 sd->wpgrps_size = sect; 464 sd->wp_groups = bitmap_new(sd->wpgrps_size); 465 memset(sd->function_group, 0, sizeof(sd->function_group)); 466 sd->erase_start = 0; 467 sd->erase_end = 0; 468 sd->size = size; 469 sd->blk_len = 0x200; 470 sd->pwd_len = 0; 471 sd->expecting_acmd = false; 472 sd->dat_lines = 0xf; 473 sd->cmd_line = true; 474 sd->multi_blk_cnt = 0; 475 } 476 477 static bool sd_get_inserted(SDState *sd) 478 { 479 return sd->blk && blk_is_inserted(sd->blk); 480 } 481 482 static bool sd_get_readonly(SDState *sd) 483 { 484 return sd->wp_switch; 485 } 486 487 static void sd_cardchange(void *opaque, bool load, Error **errp) 488 { 489 SDState *sd = opaque; 490 DeviceState *dev = DEVICE(sd); 491 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev)); 492 bool inserted = sd_get_inserted(sd); 493 bool readonly = sd_get_readonly(sd); 494 495 if (inserted) { 496 sd_reset(dev); 497 } 498 499 /* The IRQ notification is for legacy non-QOM SD controller devices; 500 * QOMified controllers use the SDBus APIs. 501 */ 502 if (sdbus) { 503 sdbus_set_inserted(sdbus, inserted); 504 if (inserted) { 505 sdbus_set_readonly(sdbus, readonly); 506 } 507 } else { 508 qemu_set_irq(sd->inserted_cb, inserted); 509 if (inserted) { 510 qemu_set_irq(sd->readonly_cb, readonly); 511 } 512 } 513 } 514 515 static const BlockDevOps sd_block_ops = { 516 .change_media_cb = sd_cardchange, 517 }; 518 519 static bool sd_ocr_vmstate_needed(void *opaque) 520 { 521 SDState *sd = opaque; 522 523 /* Include the OCR state (and timer) if it is not yet powered up */ 524 return !(sd->ocr & OCR_POWER_UP); 525 } 526 527 static const VMStateDescription sd_ocr_vmstate = { 528 .name = "sd-card/ocr-state", 529 .version_id = 1, 530 .minimum_version_id = 1, 531 .needed = sd_ocr_vmstate_needed, 532 .fields = (VMStateField[]) { 533 VMSTATE_UINT32(ocr, SDState), 534 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 535 VMSTATE_END_OF_LIST() 536 }, 537 }; 538 539 static int sd_vmstate_pre_load(void *opaque) 540 { 541 SDState *sd = opaque; 542 543 /* If the OCR state is not included (prior versions, or not 544 * needed), then the OCR must be set as powered up. If the OCR state 545 * is included, this will be replaced by the state restore. 546 */ 547 sd_ocr_powerup(sd); 548 549 return 0; 550 } 551 552 static const VMStateDescription sd_vmstate = { 553 .name = "sd-card", 554 .version_id = 1, 555 .minimum_version_id = 1, 556 .pre_load = sd_vmstate_pre_load, 557 .fields = (VMStateField[]) { 558 VMSTATE_UINT32(mode, SDState), 559 VMSTATE_INT32(state, SDState), 560 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 561 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 562 VMSTATE_UINT16(rca, SDState), 563 VMSTATE_UINT32(card_status, SDState), 564 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 565 VMSTATE_UINT32(vhs, SDState), 566 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size), 567 VMSTATE_UINT32(blk_len, SDState), 568 VMSTATE_UINT32(multi_blk_cnt, SDState), 569 VMSTATE_UINT32(erase_start, SDState), 570 VMSTATE_UINT32(erase_end, SDState), 571 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 572 VMSTATE_UINT32(pwd_len, SDState), 573 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 574 VMSTATE_UINT8(current_cmd, SDState), 575 VMSTATE_BOOL(expecting_acmd, SDState), 576 VMSTATE_UINT32(blk_written, SDState), 577 VMSTATE_UINT64(data_start, SDState), 578 VMSTATE_UINT32(data_offset, SDState), 579 VMSTATE_UINT8_ARRAY(data, SDState, 512), 580 VMSTATE_UNUSED_V(1, 512), 581 VMSTATE_BOOL(enable, SDState), 582 VMSTATE_END_OF_LIST() 583 }, 584 .subsections = (const VMStateDescription*[]) { 585 &sd_ocr_vmstate, 586 NULL 587 }, 588 }; 589 590 /* Legacy initialization function for use by non-qdevified callers */ 591 SDState *sd_init(BlockBackend *blk, bool is_spi) 592 { 593 Object *obj; 594 DeviceState *dev; 595 Error *err = NULL; 596 597 obj = object_new(TYPE_SD_CARD); 598 dev = DEVICE(obj); 599 qdev_prop_set_drive(dev, "drive", blk, &err); 600 if (err) { 601 error_report("sd_init failed: %s", error_get_pretty(err)); 602 return NULL; 603 } 604 qdev_prop_set_bit(dev, "spi", is_spi); 605 object_property_set_bool(obj, true, "realized", &err); 606 if (err) { 607 error_report("sd_init failed: %s", error_get_pretty(err)); 608 return NULL; 609 } 610 611 return SD_CARD(dev); 612 } 613 614 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 615 { 616 sd->readonly_cb = readonly; 617 sd->inserted_cb = insert; 618 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0); 619 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 620 } 621 622 static void sd_erase(SDState *sd) 623 { 624 int i; 625 uint64_t erase_start = sd->erase_start; 626 uint64_t erase_end = sd->erase_end; 627 628 if (!sd->erase_start || !sd->erase_end) { 629 sd->card_status |= ERASE_SEQ_ERROR; 630 return; 631 } 632 633 if (extract32(sd->ocr, OCR_CCS_BITN, 1)) { 634 /* High capacity memory card: erase units are 512 byte blocks */ 635 erase_start *= 512; 636 erase_end *= 512; 637 } 638 639 erase_start = sd_addr_to_wpnum(erase_start); 640 erase_end = sd_addr_to_wpnum(erase_end); 641 sd->erase_start = 0; 642 sd->erase_end = 0; 643 sd->csd[14] |= 0x40; 644 645 for (i = erase_start; i <= erase_end; i++) { 646 if (test_bit(i, sd->wp_groups)) { 647 sd->card_status |= WP_ERASE_SKIP; 648 } 649 } 650 } 651 652 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 653 { 654 uint32_t i, wpnum; 655 uint32_t ret = 0; 656 657 wpnum = sd_addr_to_wpnum(addr); 658 659 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 660 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { 661 ret |= (1 << i); 662 } 663 } 664 665 return ret; 666 } 667 668 static void sd_function_switch(SDState *sd, uint32_t arg) 669 { 670 int i, mode, new_func, crc; 671 mode = !!(arg & 0x80000000); 672 673 sd->data[0] = 0x00; /* Maximum current consumption */ 674 sd->data[1] = 0x01; 675 sd->data[2] = 0x80; /* Supported group 6 functions */ 676 sd->data[3] = 0x01; 677 sd->data[4] = 0x80; /* Supported group 5 functions */ 678 sd->data[5] = 0x01; 679 sd->data[6] = 0x80; /* Supported group 4 functions */ 680 sd->data[7] = 0x01; 681 sd->data[8] = 0x80; /* Supported group 3 functions */ 682 sd->data[9] = 0x01; 683 sd->data[10] = 0x80; /* Supported group 2 functions */ 684 sd->data[11] = 0x43; 685 sd->data[12] = 0x80; /* Supported group 1 functions */ 686 sd->data[13] = 0x03; 687 for (i = 0; i < 6; i ++) { 688 new_func = (arg >> (i * 4)) & 0x0f; 689 if (mode && new_func != 0x0f) 690 sd->function_group[i] = new_func; 691 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4); 692 } 693 memset(&sd->data[17], 0, 47); 694 crc = sd_crc16(sd->data, 64); 695 sd->data[65] = crc >> 8; 696 sd->data[66] = crc & 0xff; 697 } 698 699 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 700 { 701 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 702 } 703 704 static void sd_lock_command(SDState *sd) 705 { 706 int erase, lock, clr_pwd, set_pwd, pwd_len; 707 erase = !!(sd->data[0] & 0x08); 708 lock = sd->data[0] & 0x04; 709 clr_pwd = sd->data[0] & 0x02; 710 set_pwd = sd->data[0] & 0x01; 711 712 if (sd->blk_len > 1) 713 pwd_len = sd->data[1]; 714 else 715 pwd_len = 0; 716 717 if (erase) { 718 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 719 set_pwd || clr_pwd || lock || sd->wp_switch || 720 (sd->csd[14] & 0x20)) { 721 sd->card_status |= LOCK_UNLOCK_FAILED; 722 return; 723 } 724 bitmap_zero(sd->wp_groups, sd->wpgrps_size); 725 sd->csd[14] &= ~0x10; 726 sd->card_status &= ~CARD_IS_LOCKED; 727 sd->pwd_len = 0; 728 /* Erasing the entire card here! */ 729 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 730 return; 731 } 732 733 if (sd->blk_len < 2 + pwd_len || 734 pwd_len <= sd->pwd_len || 735 pwd_len > sd->pwd_len + 16) { 736 sd->card_status |= LOCK_UNLOCK_FAILED; 737 return; 738 } 739 740 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 741 sd->card_status |= LOCK_UNLOCK_FAILED; 742 return; 743 } 744 745 pwd_len -= sd->pwd_len; 746 if ((pwd_len && !set_pwd) || 747 (clr_pwd && (set_pwd || lock)) || 748 (lock && !sd->pwd_len && !set_pwd) || 749 (!set_pwd && !clr_pwd && 750 (((sd->card_status & CARD_IS_LOCKED) && lock) || 751 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 752 sd->card_status |= LOCK_UNLOCK_FAILED; 753 return; 754 } 755 756 if (set_pwd) { 757 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 758 sd->pwd_len = pwd_len; 759 } 760 761 if (clr_pwd) { 762 sd->pwd_len = 0; 763 } 764 765 if (lock) 766 sd->card_status |= CARD_IS_LOCKED; 767 else 768 sd->card_status &= ~CARD_IS_LOCKED; 769 } 770 771 static sd_rsp_type_t sd_normal_command(SDState *sd, 772 SDRequest req) 773 { 774 uint32_t rca = 0x0000; 775 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg; 776 777 /* Not interpreting this as an app command */ 778 sd->card_status &= ~APP_CMD; 779 780 if (sd_cmd_type[req.cmd & 0x3F] == sd_ac 781 || sd_cmd_type[req.cmd & 0x3F] == sd_adtc) { 782 rca = req.arg >> 16; 783 } 784 785 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 786 * if not, its effects are cancelled */ 787 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 788 sd->multi_blk_cnt = 0; 789 } 790 791 DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state); 792 switch (req.cmd) { 793 /* Basic commands (Class 0 and Class 1) */ 794 case 0: /* CMD0: GO_IDLE_STATE */ 795 switch (sd->state) { 796 case sd_inactive_state: 797 return sd->spi ? sd_r1 : sd_r0; 798 799 default: 800 sd->state = sd_idle_state; 801 sd_reset(DEVICE(sd)); 802 return sd->spi ? sd_r1 : sd_r0; 803 } 804 break; 805 806 case 1: /* CMD1: SEND_OP_CMD */ 807 if (!sd->spi) 808 goto bad_cmd; 809 810 sd->state = sd_transfer_state; 811 return sd_r1; 812 813 case 2: /* CMD2: ALL_SEND_CID */ 814 if (sd->spi) 815 goto bad_cmd; 816 switch (sd->state) { 817 case sd_ready_state: 818 sd->state = sd_identification_state; 819 return sd_r2_i; 820 821 default: 822 break; 823 } 824 break; 825 826 case 3: /* CMD3: SEND_RELATIVE_ADDR */ 827 if (sd->spi) 828 goto bad_cmd; 829 switch (sd->state) { 830 case sd_identification_state: 831 case sd_standby_state: 832 sd->state = sd_standby_state; 833 sd_set_rca(sd); 834 return sd_r6; 835 836 default: 837 break; 838 } 839 break; 840 841 case 4: /* CMD4: SEND_DSR */ 842 if (sd->spi) 843 goto bad_cmd; 844 switch (sd->state) { 845 case sd_standby_state: 846 break; 847 848 default: 849 break; 850 } 851 break; 852 853 case 5: /* CMD5: reserved for SDIO cards */ 854 return sd_illegal; 855 856 case 6: /* CMD6: SWITCH_FUNCTION */ 857 if (sd->spi) 858 goto bad_cmd; 859 switch (sd->mode) { 860 case sd_data_transfer_mode: 861 sd_function_switch(sd, req.arg); 862 sd->state = sd_sendingdata_state; 863 sd->data_start = 0; 864 sd->data_offset = 0; 865 return sd_r1; 866 867 default: 868 break; 869 } 870 break; 871 872 case 7: /* CMD7: SELECT/DESELECT_CARD */ 873 if (sd->spi) 874 goto bad_cmd; 875 switch (sd->state) { 876 case sd_standby_state: 877 if (sd->rca != rca) 878 return sd_r0; 879 880 sd->state = sd_transfer_state; 881 return sd_r1b; 882 883 case sd_transfer_state: 884 case sd_sendingdata_state: 885 if (sd->rca == rca) 886 break; 887 888 sd->state = sd_standby_state; 889 return sd_r1b; 890 891 case sd_disconnect_state: 892 if (sd->rca != rca) 893 return sd_r0; 894 895 sd->state = sd_programming_state; 896 return sd_r1b; 897 898 case sd_programming_state: 899 if (sd->rca == rca) 900 break; 901 902 sd->state = sd_disconnect_state; 903 return sd_r1b; 904 905 default: 906 break; 907 } 908 break; 909 910 case 8: /* CMD8: SEND_IF_COND */ 911 /* Physical Layer Specification Version 2.00 command */ 912 switch (sd->state) { 913 case sd_idle_state: 914 sd->vhs = 0; 915 916 /* No response if not exactly one VHS bit is set. */ 917 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 918 return sd->spi ? sd_r7 : sd_r0; 919 } 920 921 /* Accept. */ 922 sd->vhs = req.arg; 923 return sd_r7; 924 925 default: 926 break; 927 } 928 break; 929 930 case 9: /* CMD9: SEND_CSD */ 931 switch (sd->state) { 932 case sd_standby_state: 933 if (sd->rca != rca) 934 return sd_r0; 935 936 return sd_r2_s; 937 938 case sd_transfer_state: 939 if (!sd->spi) 940 break; 941 sd->state = sd_sendingdata_state; 942 memcpy(sd->data, sd->csd, 16); 943 sd->data_start = addr; 944 sd->data_offset = 0; 945 return sd_r1; 946 947 default: 948 break; 949 } 950 break; 951 952 case 10: /* CMD10: SEND_CID */ 953 switch (sd->state) { 954 case sd_standby_state: 955 if (sd->rca != rca) 956 return sd_r0; 957 958 return sd_r2_i; 959 960 case sd_transfer_state: 961 if (!sd->spi) 962 break; 963 sd->state = sd_sendingdata_state; 964 memcpy(sd->data, sd->cid, 16); 965 sd->data_start = addr; 966 sd->data_offset = 0; 967 return sd_r1; 968 969 default: 970 break; 971 } 972 break; 973 974 case 11: /* CMD11: READ_DAT_UNTIL_STOP */ 975 if (sd->spi) 976 goto bad_cmd; 977 switch (sd->state) { 978 case sd_transfer_state: 979 sd->state = sd_sendingdata_state; 980 sd->data_start = req.arg; 981 sd->data_offset = 0; 982 983 if (sd->data_start + sd->blk_len > sd->size) 984 sd->card_status |= ADDRESS_ERROR; 985 return sd_r0; 986 987 default: 988 break; 989 } 990 break; 991 992 case 12: /* CMD12: STOP_TRANSMISSION */ 993 switch (sd->state) { 994 case sd_sendingdata_state: 995 sd->state = sd_transfer_state; 996 return sd_r1b; 997 998 case sd_receivingdata_state: 999 sd->state = sd_programming_state; 1000 /* Bzzzzzzztt .... Operation complete. */ 1001 sd->state = sd_transfer_state; 1002 return sd_r1b; 1003 1004 default: 1005 break; 1006 } 1007 break; 1008 1009 case 13: /* CMD13: SEND_STATUS */ 1010 switch (sd->mode) { 1011 case sd_data_transfer_mode: 1012 if (sd->rca != rca) 1013 return sd_r0; 1014 1015 return sd_r1; 1016 1017 default: 1018 break; 1019 } 1020 break; 1021 1022 case 15: /* CMD15: GO_INACTIVE_STATE */ 1023 if (sd->spi) 1024 goto bad_cmd; 1025 switch (sd->mode) { 1026 case sd_data_transfer_mode: 1027 if (sd->rca != rca) 1028 return sd_r0; 1029 1030 sd->state = sd_inactive_state; 1031 return sd_r0; 1032 1033 default: 1034 break; 1035 } 1036 break; 1037 1038 /* Block read commands (Classs 2) */ 1039 case 16: /* CMD16: SET_BLOCKLEN */ 1040 switch (sd->state) { 1041 case sd_transfer_state: 1042 if (req.arg > (1 << HWBLOCK_SHIFT)) 1043 sd->card_status |= BLOCK_LEN_ERROR; 1044 else 1045 sd->blk_len = req.arg; 1046 1047 return sd_r1; 1048 1049 default: 1050 break; 1051 } 1052 break; 1053 1054 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1055 switch (sd->state) { 1056 case sd_transfer_state: 1057 sd->state = sd_sendingdata_state; 1058 sd->data_start = addr; 1059 sd->data_offset = 0; 1060 1061 if (sd->data_start + sd->blk_len > sd->size) 1062 sd->card_status |= ADDRESS_ERROR; 1063 return sd_r1; 1064 1065 default: 1066 break; 1067 } 1068 break; 1069 1070 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1071 switch (sd->state) { 1072 case sd_transfer_state: 1073 sd->state = sd_sendingdata_state; 1074 sd->data_start = addr; 1075 sd->data_offset = 0; 1076 1077 if (sd->data_start + sd->blk_len > sd->size) 1078 sd->card_status |= ADDRESS_ERROR; 1079 return sd_r1; 1080 1081 default: 1082 break; 1083 } 1084 break; 1085 1086 case 23: /* CMD23: SET_BLOCK_COUNT */ 1087 switch (sd->state) { 1088 case sd_transfer_state: 1089 sd->multi_blk_cnt = req.arg; 1090 return sd_r1; 1091 1092 default: 1093 break; 1094 } 1095 break; 1096 1097 /* Block write commands (Class 4) */ 1098 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1099 if (sd->spi) 1100 goto unimplemented_cmd; 1101 switch (sd->state) { 1102 case sd_transfer_state: 1103 /* Writing in SPI mode not implemented. */ 1104 if (sd->spi) 1105 break; 1106 sd->state = sd_receivingdata_state; 1107 sd->data_start = addr; 1108 sd->data_offset = 0; 1109 sd->blk_written = 0; 1110 1111 if (sd->data_start + sd->blk_len > sd->size) 1112 sd->card_status |= ADDRESS_ERROR; 1113 if (sd_wp_addr(sd, sd->data_start)) 1114 sd->card_status |= WP_VIOLATION; 1115 if (sd->csd[14] & 0x30) 1116 sd->card_status |= WP_VIOLATION; 1117 return sd_r1; 1118 1119 default: 1120 break; 1121 } 1122 break; 1123 1124 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1125 if (sd->spi) 1126 goto unimplemented_cmd; 1127 switch (sd->state) { 1128 case sd_transfer_state: 1129 /* Writing in SPI mode not implemented. */ 1130 if (sd->spi) 1131 break; 1132 sd->state = sd_receivingdata_state; 1133 sd->data_start = addr; 1134 sd->data_offset = 0; 1135 sd->blk_written = 0; 1136 1137 if (sd->data_start + sd->blk_len > sd->size) 1138 sd->card_status |= ADDRESS_ERROR; 1139 if (sd_wp_addr(sd, sd->data_start)) 1140 sd->card_status |= WP_VIOLATION; 1141 if (sd->csd[14] & 0x30) 1142 sd->card_status |= WP_VIOLATION; 1143 return sd_r1; 1144 1145 default: 1146 break; 1147 } 1148 break; 1149 1150 case 26: /* CMD26: PROGRAM_CID */ 1151 if (sd->spi) 1152 goto bad_cmd; 1153 switch (sd->state) { 1154 case sd_transfer_state: 1155 sd->state = sd_receivingdata_state; 1156 sd->data_start = 0; 1157 sd->data_offset = 0; 1158 return sd_r1; 1159 1160 default: 1161 break; 1162 } 1163 break; 1164 1165 case 27: /* CMD27: PROGRAM_CSD */ 1166 if (sd->spi) 1167 goto unimplemented_cmd; 1168 switch (sd->state) { 1169 case sd_transfer_state: 1170 sd->state = sd_receivingdata_state; 1171 sd->data_start = 0; 1172 sd->data_offset = 0; 1173 return sd_r1; 1174 1175 default: 1176 break; 1177 } 1178 break; 1179 1180 /* Write protection (Class 6) */ 1181 case 28: /* CMD28: SET_WRITE_PROT */ 1182 switch (sd->state) { 1183 case sd_transfer_state: 1184 if (addr >= sd->size) { 1185 sd->card_status |= ADDRESS_ERROR; 1186 return sd_r1b; 1187 } 1188 1189 sd->state = sd_programming_state; 1190 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1191 /* Bzzzzzzztt .... Operation complete. */ 1192 sd->state = sd_transfer_state; 1193 return sd_r1b; 1194 1195 default: 1196 break; 1197 } 1198 break; 1199 1200 case 29: /* CMD29: CLR_WRITE_PROT */ 1201 switch (sd->state) { 1202 case sd_transfer_state: 1203 if (addr >= sd->size) { 1204 sd->card_status |= ADDRESS_ERROR; 1205 return sd_r1b; 1206 } 1207 1208 sd->state = sd_programming_state; 1209 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1210 /* Bzzzzzzztt .... Operation complete. */ 1211 sd->state = sd_transfer_state; 1212 return sd_r1b; 1213 1214 default: 1215 break; 1216 } 1217 break; 1218 1219 case 30: /* CMD30: SEND_WRITE_PROT */ 1220 switch (sd->state) { 1221 case sd_transfer_state: 1222 sd->state = sd_sendingdata_state; 1223 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg); 1224 sd->data_start = addr; 1225 sd->data_offset = 0; 1226 return sd_r1b; 1227 1228 default: 1229 break; 1230 } 1231 break; 1232 1233 /* Erase commands (Class 5) */ 1234 case 32: /* CMD32: ERASE_WR_BLK_START */ 1235 switch (sd->state) { 1236 case sd_transfer_state: 1237 sd->erase_start = req.arg; 1238 return sd_r1; 1239 1240 default: 1241 break; 1242 } 1243 break; 1244 1245 case 33: /* CMD33: ERASE_WR_BLK_END */ 1246 switch (sd->state) { 1247 case sd_transfer_state: 1248 sd->erase_end = req.arg; 1249 return sd_r1; 1250 1251 default: 1252 break; 1253 } 1254 break; 1255 1256 case 38: /* CMD38: ERASE */ 1257 switch (sd->state) { 1258 case sd_transfer_state: 1259 if (sd->csd[14] & 0x30) { 1260 sd->card_status |= WP_VIOLATION; 1261 return sd_r1b; 1262 } 1263 1264 sd->state = sd_programming_state; 1265 sd_erase(sd); 1266 /* Bzzzzzzztt .... Operation complete. */ 1267 sd->state = sd_transfer_state; 1268 return sd_r1b; 1269 1270 default: 1271 break; 1272 } 1273 break; 1274 1275 /* Lock card commands (Class 7) */ 1276 case 42: /* CMD42: LOCK_UNLOCK */ 1277 if (sd->spi) 1278 goto unimplemented_cmd; 1279 switch (sd->state) { 1280 case sd_transfer_state: 1281 sd->state = sd_receivingdata_state; 1282 sd->data_start = 0; 1283 sd->data_offset = 0; 1284 return sd_r1; 1285 1286 default: 1287 break; 1288 } 1289 break; 1290 1291 case 52: 1292 case 53: 1293 /* CMD52, CMD53: reserved for SDIO cards 1294 * (see the SDIO Simplified Specification V2.0) 1295 * Handle as illegal command but do not complain 1296 * on stderr, as some OSes may use these in their 1297 * probing for presence of an SDIO card. 1298 */ 1299 return sd_illegal; 1300 1301 /* Application specific commands (Class 8) */ 1302 case 55: /* CMD55: APP_CMD */ 1303 if (sd->rca != rca) 1304 return sd_r0; 1305 1306 sd->expecting_acmd = true; 1307 sd->card_status |= APP_CMD; 1308 return sd_r1; 1309 1310 case 56: /* CMD56: GEN_CMD */ 1311 fprintf(stderr, "SD: GEN_CMD 0x%08x\n", req.arg); 1312 1313 switch (sd->state) { 1314 case sd_transfer_state: 1315 sd->data_offset = 0; 1316 if (req.arg & 1) 1317 sd->state = sd_sendingdata_state; 1318 else 1319 sd->state = sd_receivingdata_state; 1320 return sd_r1; 1321 1322 default: 1323 break; 1324 } 1325 break; 1326 1327 default: 1328 bad_cmd: 1329 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1330 return sd_illegal; 1331 1332 unimplemented_cmd: 1333 /* Commands that are recognised but not yet implemented in SPI mode. */ 1334 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1335 req.cmd); 1336 return sd_illegal; 1337 } 1338 1339 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd); 1340 return sd_illegal; 1341 } 1342 1343 static sd_rsp_type_t sd_app_command(SDState *sd, 1344 SDRequest req) 1345 { 1346 DPRINTF("ACMD%d 0x%08x\n", req.cmd, req.arg); 1347 sd->card_status |= APP_CMD; 1348 switch (req.cmd) { 1349 case 6: /* ACMD6: SET_BUS_WIDTH */ 1350 switch (sd->state) { 1351 case sd_transfer_state: 1352 sd->sd_status[0] &= 0x3f; 1353 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1354 return sd_r1; 1355 1356 default: 1357 break; 1358 } 1359 break; 1360 1361 case 13: /* ACMD13: SD_STATUS */ 1362 switch (sd->state) { 1363 case sd_transfer_state: 1364 sd->state = sd_sendingdata_state; 1365 sd->data_start = 0; 1366 sd->data_offset = 0; 1367 return sd_r1; 1368 1369 default: 1370 break; 1371 } 1372 break; 1373 1374 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1375 switch (sd->state) { 1376 case sd_transfer_state: 1377 *(uint32_t *) sd->data = sd->blk_written; 1378 1379 sd->state = sd_sendingdata_state; 1380 sd->data_start = 0; 1381 sd->data_offset = 0; 1382 return sd_r1; 1383 1384 default: 1385 break; 1386 } 1387 break; 1388 1389 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */ 1390 switch (sd->state) { 1391 case sd_transfer_state: 1392 return sd_r1; 1393 1394 default: 1395 break; 1396 } 1397 break; 1398 1399 case 41: /* ACMD41: SD_APP_OP_COND */ 1400 if (sd->spi) { 1401 /* SEND_OP_CMD */ 1402 sd->state = sd_transfer_state; 1403 return sd_r1; 1404 } 1405 switch (sd->state) { 1406 case sd_idle_state: 1407 /* If it's the first ACMD41 since reset, we need to decide 1408 * whether to power up. If this is not an enquiry ACMD41, 1409 * we immediately report power on and proceed below to the 1410 * ready state, but if it is, we set a timer to model a 1411 * delay for power up. This works around a bug in EDK2 1412 * UEFI, which sends an initial enquiry ACMD41, but 1413 * assumes that the card is in ready state as soon as it 1414 * sees the power up bit set. */ 1415 if (!(sd->ocr & OCR_POWER_UP)) { 1416 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1417 timer_del(sd->ocr_power_timer); 1418 sd_ocr_powerup(sd); 1419 } else if (!timer_pending(sd->ocr_power_timer)) { 1420 timer_mod_ns(sd->ocr_power_timer, 1421 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1422 + OCR_POWER_DELAY_NS)); 1423 } 1424 } 1425 1426 /* We accept any voltage. 10000 V is nothing. 1427 * 1428 * Once we're powered up, we advance straight to ready state 1429 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1430 */ 1431 if (req.arg & ACMD41_ENQUIRY_MASK) { 1432 sd->state = sd_ready_state; 1433 } 1434 1435 return sd_r3; 1436 1437 default: 1438 break; 1439 } 1440 break; 1441 1442 case 42: /* ACMD42: SET_CLR_CARD_DETECT */ 1443 switch (sd->state) { 1444 case sd_transfer_state: 1445 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1446 return sd_r1; 1447 1448 default: 1449 break; 1450 } 1451 break; 1452 1453 case 51: /* ACMD51: SEND_SCR */ 1454 switch (sd->state) { 1455 case sd_transfer_state: 1456 sd->state = sd_sendingdata_state; 1457 sd->data_start = 0; 1458 sd->data_offset = 0; 1459 return sd_r1; 1460 1461 default: 1462 break; 1463 } 1464 break; 1465 1466 default: 1467 /* Fall back to standard commands. */ 1468 return sd_normal_command(sd, req); 1469 } 1470 1471 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1472 return sd_illegal; 1473 } 1474 1475 static int cmd_valid_while_locked(SDState *sd, SDRequest *req) 1476 { 1477 /* Valid commands in locked state: 1478 * basic class (0) 1479 * lock card class (7) 1480 * CMD16 1481 * implicitly, the ACMD prefix CMD55 1482 * ACMD41 and ACMD42 1483 * Anything else provokes an "illegal command" response. 1484 */ 1485 if (sd->expecting_acmd) { 1486 return req->cmd == 41 || req->cmd == 42; 1487 } 1488 if (req->cmd == 16 || req->cmd == 55) { 1489 return 1; 1490 } 1491 return sd_cmd_class[req->cmd & 0x3F] == 0 1492 || sd_cmd_class[req->cmd & 0x3F] == 7; 1493 } 1494 1495 int sd_do_command(SDState *sd, SDRequest *req, 1496 uint8_t *response) { 1497 int last_state; 1498 sd_rsp_type_t rtype; 1499 int rsplen; 1500 1501 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1502 return 0; 1503 } 1504 1505 if (sd_req_crc_validate(req)) { 1506 sd->card_status |= COM_CRC_ERROR; 1507 rtype = sd_illegal; 1508 goto send_response; 1509 } 1510 1511 if (sd->card_status & CARD_IS_LOCKED) { 1512 if (!cmd_valid_while_locked(sd, req)) { 1513 sd->card_status |= ILLEGAL_COMMAND; 1514 sd->expecting_acmd = false; 1515 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1516 rtype = sd_illegal; 1517 goto send_response; 1518 } 1519 } 1520 1521 last_state = sd->state; 1522 sd_set_mode(sd); 1523 1524 if (sd->expecting_acmd) { 1525 sd->expecting_acmd = false; 1526 rtype = sd_app_command(sd, *req); 1527 } else { 1528 rtype = sd_normal_command(sd, *req); 1529 } 1530 1531 if (rtype == sd_illegal) { 1532 sd->card_status |= ILLEGAL_COMMAND; 1533 } else { 1534 /* Valid command, we can update the 'state before command' bits. 1535 * (Do this now so they appear in r1 responses.) 1536 */ 1537 sd->current_cmd = req->cmd; 1538 sd->card_status &= ~CURRENT_STATE; 1539 sd->card_status |= (last_state << 9); 1540 } 1541 1542 send_response: 1543 switch (rtype) { 1544 case sd_r1: 1545 case sd_r1b: 1546 sd_response_r1_make(sd, response); 1547 rsplen = 4; 1548 break; 1549 1550 case sd_r2_i: 1551 memcpy(response, sd->cid, sizeof(sd->cid)); 1552 rsplen = 16; 1553 break; 1554 1555 case sd_r2_s: 1556 memcpy(response, sd->csd, sizeof(sd->csd)); 1557 rsplen = 16; 1558 break; 1559 1560 case sd_r3: 1561 sd_response_r3_make(sd, response); 1562 rsplen = 4; 1563 break; 1564 1565 case sd_r6: 1566 sd_response_r6_make(sd, response); 1567 rsplen = 4; 1568 break; 1569 1570 case sd_r7: 1571 sd_response_r7_make(sd, response); 1572 rsplen = 4; 1573 break; 1574 1575 case sd_r0: 1576 case sd_illegal: 1577 default: 1578 rsplen = 0; 1579 break; 1580 } 1581 1582 if (rtype != sd_illegal) { 1583 /* Clear the "clear on valid command" status bits now we've 1584 * sent any response 1585 */ 1586 sd->card_status &= ~CARD_STATUS_B; 1587 } 1588 1589 #ifdef DEBUG_SD 1590 if (rsplen) { 1591 int i; 1592 DPRINTF("Response:"); 1593 for (i = 0; i < rsplen; i++) { 1594 DPRINTF(" %02x", response[i]); 1595 } 1596 DPRINTF(" state %d\n", sd->state); 1597 } else { 1598 DPRINTF("No response %d\n", sd->state); 1599 } 1600 #endif 1601 1602 return rsplen; 1603 } 1604 1605 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 1606 { 1607 DPRINTF("sd_blk_read: addr = 0x%08llx, len = %d\n", 1608 (unsigned long long) addr, len); 1609 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) { 1610 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1611 } 1612 } 1613 1614 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 1615 { 1616 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) { 1617 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1618 } 1619 } 1620 1621 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len) 1622 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len) 1623 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 1624 #define APP_WRITE_BLOCK(a, len) 1625 1626 void sd_write_data(SDState *sd, uint8_t value) 1627 { 1628 int i; 1629 1630 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1631 return; 1632 1633 if (sd->state != sd_receivingdata_state) { 1634 qemu_log_mask(LOG_GUEST_ERROR, 1635 "sd_write_data: not in Receiving-Data state\n"); 1636 return; 1637 } 1638 1639 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1640 return; 1641 1642 switch (sd->current_cmd) { 1643 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1644 sd->data[sd->data_offset ++] = value; 1645 if (sd->data_offset >= sd->blk_len) { 1646 /* TODO: Check CRC before committing */ 1647 sd->state = sd_programming_state; 1648 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1649 sd->blk_written ++; 1650 sd->csd[14] |= 0x40; 1651 /* Bzzzzzzztt .... Operation complete. */ 1652 sd->state = sd_transfer_state; 1653 } 1654 break; 1655 1656 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1657 if (sd->data_offset == 0) { 1658 /* Start of the block - let's check the address is valid */ 1659 if (sd->data_start + sd->blk_len > sd->size) { 1660 sd->card_status |= ADDRESS_ERROR; 1661 break; 1662 } 1663 if (sd_wp_addr(sd, sd->data_start)) { 1664 sd->card_status |= WP_VIOLATION; 1665 break; 1666 } 1667 } 1668 sd->data[sd->data_offset++] = value; 1669 if (sd->data_offset >= sd->blk_len) { 1670 /* TODO: Check CRC before committing */ 1671 sd->state = sd_programming_state; 1672 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1673 sd->blk_written++; 1674 sd->data_start += sd->blk_len; 1675 sd->data_offset = 0; 1676 sd->csd[14] |= 0x40; 1677 1678 /* Bzzzzzzztt .... Operation complete. */ 1679 if (sd->multi_blk_cnt != 0) { 1680 if (--sd->multi_blk_cnt == 0) { 1681 /* Stop! */ 1682 sd->state = sd_transfer_state; 1683 break; 1684 } 1685 } 1686 1687 sd->state = sd_receivingdata_state; 1688 } 1689 break; 1690 1691 case 26: /* CMD26: PROGRAM_CID */ 1692 sd->data[sd->data_offset ++] = value; 1693 if (sd->data_offset >= sizeof(sd->cid)) { 1694 /* TODO: Check CRC before committing */ 1695 sd->state = sd_programming_state; 1696 for (i = 0; i < sizeof(sd->cid); i ++) 1697 if ((sd->cid[i] | 0x00) != sd->data[i]) 1698 sd->card_status |= CID_CSD_OVERWRITE; 1699 1700 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1701 for (i = 0; i < sizeof(sd->cid); i ++) { 1702 sd->cid[i] |= 0x00; 1703 sd->cid[i] &= sd->data[i]; 1704 } 1705 /* Bzzzzzzztt .... Operation complete. */ 1706 sd->state = sd_transfer_state; 1707 } 1708 break; 1709 1710 case 27: /* CMD27: PROGRAM_CSD */ 1711 sd->data[sd->data_offset ++] = value; 1712 if (sd->data_offset >= sizeof(sd->csd)) { 1713 /* TODO: Check CRC before committing */ 1714 sd->state = sd_programming_state; 1715 for (i = 0; i < sizeof(sd->csd); i ++) 1716 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 1717 (sd->data[i] | sd_csd_rw_mask[i])) 1718 sd->card_status |= CID_CSD_OVERWRITE; 1719 1720 /* Copy flag (OTP) & Permanent write protect */ 1721 if (sd->csd[14] & ~sd->data[14] & 0x60) 1722 sd->card_status |= CID_CSD_OVERWRITE; 1723 1724 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1725 for (i = 0; i < sizeof(sd->csd); i ++) { 1726 sd->csd[i] |= sd_csd_rw_mask[i]; 1727 sd->csd[i] &= sd->data[i]; 1728 } 1729 /* Bzzzzzzztt .... Operation complete. */ 1730 sd->state = sd_transfer_state; 1731 } 1732 break; 1733 1734 case 42: /* CMD42: LOCK_UNLOCK */ 1735 sd->data[sd->data_offset ++] = value; 1736 if (sd->data_offset >= sd->blk_len) { 1737 /* TODO: Check CRC before committing */ 1738 sd->state = sd_programming_state; 1739 sd_lock_command(sd); 1740 /* Bzzzzzzztt .... Operation complete. */ 1741 sd->state = sd_transfer_state; 1742 } 1743 break; 1744 1745 case 56: /* CMD56: GEN_CMD */ 1746 sd->data[sd->data_offset ++] = value; 1747 if (sd->data_offset >= sd->blk_len) { 1748 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 1749 sd->state = sd_transfer_state; 1750 } 1751 break; 1752 1753 default: 1754 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n"); 1755 break; 1756 } 1757 } 1758 1759 uint8_t sd_read_data(SDState *sd) 1760 { 1761 /* TODO: Append CRCs */ 1762 uint8_t ret; 1763 int io_len; 1764 1765 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1766 return 0x00; 1767 1768 if (sd->state != sd_sendingdata_state) { 1769 qemu_log_mask(LOG_GUEST_ERROR, 1770 "sd_read_data: not in Sending-Data state\n"); 1771 return 0x00; 1772 } 1773 1774 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1775 return 0x00; 1776 1777 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len; 1778 1779 switch (sd->current_cmd) { 1780 case 6: /* CMD6: SWITCH_FUNCTION */ 1781 ret = sd->data[sd->data_offset ++]; 1782 1783 if (sd->data_offset >= 64) 1784 sd->state = sd_transfer_state; 1785 break; 1786 1787 case 9: /* CMD9: SEND_CSD */ 1788 case 10: /* CMD10: SEND_CID */ 1789 ret = sd->data[sd->data_offset ++]; 1790 1791 if (sd->data_offset >= 16) 1792 sd->state = sd_transfer_state; 1793 break; 1794 1795 case 11: /* CMD11: READ_DAT_UNTIL_STOP */ 1796 if (sd->data_offset == 0) 1797 BLK_READ_BLOCK(sd->data_start, io_len); 1798 ret = sd->data[sd->data_offset ++]; 1799 1800 if (sd->data_offset >= io_len) { 1801 sd->data_start += io_len; 1802 sd->data_offset = 0; 1803 if (sd->data_start + io_len > sd->size) { 1804 sd->card_status |= ADDRESS_ERROR; 1805 break; 1806 } 1807 } 1808 break; 1809 1810 case 13: /* ACMD13: SD_STATUS */ 1811 ret = sd->sd_status[sd->data_offset ++]; 1812 1813 if (sd->data_offset >= sizeof(sd->sd_status)) 1814 sd->state = sd_transfer_state; 1815 break; 1816 1817 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1818 if (sd->data_offset == 0) 1819 BLK_READ_BLOCK(sd->data_start, io_len); 1820 ret = sd->data[sd->data_offset ++]; 1821 1822 if (sd->data_offset >= io_len) 1823 sd->state = sd_transfer_state; 1824 break; 1825 1826 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1827 if (sd->data_offset == 0) { 1828 if (sd->data_start + io_len > sd->size) { 1829 sd->card_status |= ADDRESS_ERROR; 1830 return 0x00; 1831 } 1832 BLK_READ_BLOCK(sd->data_start, io_len); 1833 } 1834 ret = sd->data[sd->data_offset ++]; 1835 1836 if (sd->data_offset >= io_len) { 1837 sd->data_start += io_len; 1838 sd->data_offset = 0; 1839 1840 if (sd->multi_blk_cnt != 0) { 1841 if (--sd->multi_blk_cnt == 0) { 1842 /* Stop! */ 1843 sd->state = sd_transfer_state; 1844 break; 1845 } 1846 } 1847 } 1848 break; 1849 1850 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1851 ret = sd->data[sd->data_offset ++]; 1852 1853 if (sd->data_offset >= 4) 1854 sd->state = sd_transfer_state; 1855 break; 1856 1857 case 30: /* CMD30: SEND_WRITE_PROT */ 1858 ret = sd->data[sd->data_offset ++]; 1859 1860 if (sd->data_offset >= 4) 1861 sd->state = sd_transfer_state; 1862 break; 1863 1864 case 51: /* ACMD51: SEND_SCR */ 1865 ret = sd->scr[sd->data_offset ++]; 1866 1867 if (sd->data_offset >= sizeof(sd->scr)) 1868 sd->state = sd_transfer_state; 1869 break; 1870 1871 case 56: /* CMD56: GEN_CMD */ 1872 if (sd->data_offset == 0) 1873 APP_READ_BLOCK(sd->data_start, sd->blk_len); 1874 ret = sd->data[sd->data_offset ++]; 1875 1876 if (sd->data_offset >= sd->blk_len) 1877 sd->state = sd_transfer_state; 1878 break; 1879 1880 default: 1881 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n"); 1882 return 0x00; 1883 } 1884 1885 return ret; 1886 } 1887 1888 bool sd_data_ready(SDState *sd) 1889 { 1890 return sd->state == sd_sendingdata_state; 1891 } 1892 1893 void sd_enable(SDState *sd, bool enable) 1894 { 1895 sd->enable = enable; 1896 } 1897 1898 static void sd_instance_init(Object *obj) 1899 { 1900 SDState *sd = SD_CARD(obj); 1901 1902 sd->enable = true; 1903 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 1904 } 1905 1906 static void sd_instance_finalize(Object *obj) 1907 { 1908 SDState *sd = SD_CARD(obj); 1909 1910 timer_del(sd->ocr_power_timer); 1911 timer_free(sd->ocr_power_timer); 1912 } 1913 1914 static void sd_realize(DeviceState *dev, Error **errp) 1915 { 1916 SDState *sd = SD_CARD(dev); 1917 int ret; 1918 1919 if (sd->blk && blk_is_read_only(sd->blk)) { 1920 error_setg(errp, "Cannot use read-only drive as SD card"); 1921 return; 1922 } 1923 1924 if (sd->blk) { 1925 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 1926 BLK_PERM_ALL, errp); 1927 if (ret < 0) { 1928 return; 1929 } 1930 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 1931 } 1932 } 1933 1934 static Property sd_properties[] = { 1935 DEFINE_PROP_DRIVE("drive", SDState, blk), 1936 /* We do not model the chip select pin, so allow the board to select 1937 * whether card should be in SSI or MMC/SD mode. It is also up to the 1938 * board to ensure that ssi transfers only occur when the chip select 1939 * is asserted. */ 1940 DEFINE_PROP_BOOL("spi", SDState, spi, false), 1941 DEFINE_PROP_END_OF_LIST() 1942 }; 1943 1944 static void sd_class_init(ObjectClass *klass, void *data) 1945 { 1946 DeviceClass *dc = DEVICE_CLASS(klass); 1947 SDCardClass *sc = SD_CARD_CLASS(klass); 1948 1949 dc->realize = sd_realize; 1950 dc->props = sd_properties; 1951 dc->vmsd = &sd_vmstate; 1952 dc->reset = sd_reset; 1953 dc->bus_type = TYPE_SD_BUS; 1954 1955 sc->set_voltage = sd_set_voltage; 1956 sc->get_dat_lines = sd_get_dat_lines; 1957 sc->get_cmd_line = sd_get_cmd_line; 1958 sc->do_command = sd_do_command; 1959 sc->write_data = sd_write_data; 1960 sc->read_data = sd_read_data; 1961 sc->data_ready = sd_data_ready; 1962 sc->enable = sd_enable; 1963 sc->get_inserted = sd_get_inserted; 1964 sc->get_readonly = sd_get_readonly; 1965 } 1966 1967 static const TypeInfo sd_info = { 1968 .name = TYPE_SD_CARD, 1969 .parent = TYPE_DEVICE, 1970 .instance_size = sizeof(SDState), 1971 .class_size = sizeof(SDCardClass), 1972 .class_init = sd_class_init, 1973 .instance_init = sd_instance_init, 1974 .instance_finalize = sd_instance_finalize, 1975 }; 1976 1977 static void sd_register_types(void) 1978 { 1979 type_register_static(&sd_info); 1980 } 1981 1982 type_init(sd_register_types) 1983