1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * eMMC emulation defined in "JEDEC Standard No. 84-A43" 6 * 7 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 8 * Copyright (c) 2007 CodeSourcery 9 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in 19 * the documentation and/or other materials provided with the 20 * distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 23 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 25 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 26 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 27 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 29 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 30 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include "qemu/osdep.h" 36 #include "qemu/units.h" 37 #include "qemu/cutils.h" 38 #include "hw/irq.h" 39 #include "hw/registerfields.h" 40 #include "system/block-backend.h" 41 #include "hw/sd/sd.h" 42 #include "migration/vmstate.h" 43 #include "qapi/error.h" 44 #include "qemu/bitmap.h" 45 #include "hw/qdev-properties.h" 46 #include "hw/qdev-properties-system.h" 47 #include "qemu/error-report.h" 48 #include "qemu/timer.h" 49 #include "qemu/log.h" 50 #include "qemu/guest-random.h" 51 #include "qemu/module.h" 52 #include "sdmmc-internal.h" 53 #include "trace.h" 54 55 //#define DEBUG_SD 1 56 57 #define SDSC_MAX_CAPACITY (2 * GiB) 58 59 #define INVALID_ADDRESS UINT32_MAX 60 61 typedef enum { 62 sd_r0 = 0, /* no response */ 63 sd_r1, /* normal response command */ 64 sd_r2_i, /* CID register */ 65 sd_r2_s, /* CSD register */ 66 sd_r3, /* OCR register */ 67 sd_r6 = 6, /* Published RCA response */ 68 sd_r7, /* Operating voltage */ 69 sd_r1b = -1, 70 sd_illegal = -2, 71 } sd_rsp_type_t; 72 73 typedef enum { 74 sd_spi, 75 sd_bc, /* broadcast -- no response */ 76 sd_bcr, /* broadcast with response */ 77 sd_ac, /* addressed -- no data transfer */ 78 sd_adtc, /* addressed with data transfer */ 79 } sd_cmd_type_t; 80 81 enum SDCardModes { 82 sd_inactive, 83 sd_card_identification_mode, 84 sd_data_transfer_mode, 85 }; 86 87 enum SDCardStates { 88 sd_waitirq_state = -2, /* emmc */ 89 sd_inactive_state = -1, 90 91 sd_idle_state = 0, 92 sd_ready_state = 1, 93 sd_identification_state = 2, 94 sd_standby_state = 3, 95 sd_transfer_state = 4, 96 sd_sendingdata_state = 5, 97 sd_receivingdata_state = 6, 98 sd_programming_state = 7, 99 sd_disconnect_state = 8, 100 sd_bus_test_state = 9, /* emmc */ 101 sd_sleep_state = 10, /* emmc */ 102 sd_io_state = 15 /* sd */ 103 }; 104 105 #define SDMMC_CMD_MAX 64 106 107 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req); 108 109 typedef struct SDProto { 110 const char *name; 111 struct { 112 const unsigned class; 113 const sd_cmd_type_t type; 114 const char *name; 115 sd_cmd_handler handler; 116 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX]; 117 } SDProto; 118 119 struct SDState { 120 DeviceState parent_obj; 121 122 /* SD Memory Card Registers */ 123 uint32_t ocr; 124 uint8_t scr[8]; 125 uint8_t cid[16]; 126 uint8_t csd[16]; 127 uint16_t rca; 128 uint32_t card_status; 129 uint8_t sd_status[64]; 130 union { 131 uint8_t ext_csd[512]; 132 struct { 133 uint8_t ext_csd_rw[192]; /* Modes segment */ 134 uint8_t ext_csd_ro[320]; /* Properties segment */ 135 }; 136 }; 137 138 /* Static properties */ 139 140 uint8_t spec_version; 141 uint64_t boot_part_size; 142 BlockBackend *blk; 143 uint8_t boot_config; 144 145 const SDProto *proto; 146 147 /* Runtime changeables */ 148 149 uint32_t mode; /* current card mode, one of SDCardModes */ 150 int32_t state; /* current card state, one of SDCardStates */ 151 uint32_t vhs; 152 bool wp_switch; 153 unsigned long *wp_group_bmap; 154 int32_t wp_group_bits; 155 uint64_t size; 156 uint32_t blk_len; 157 uint32_t multi_blk_cnt; 158 uint32_t erase_start; 159 uint32_t erase_end; 160 uint8_t pwd[16]; 161 uint32_t pwd_len; 162 uint8_t function_group[6]; 163 uint8_t current_cmd; 164 const char *last_cmd_name; 165 /* True if we will handle the next command as an ACMD. Note that this does 166 * *not* track the APP_CMD status bit! 167 */ 168 bool expecting_acmd; 169 uint32_t blk_written; 170 171 uint64_t data_start; 172 uint32_t data_offset; 173 size_t data_size; 174 uint8_t data[512]; 175 QEMUTimer *ocr_power_timer; 176 uint8_t dat_lines; 177 bool cmd_line; 178 }; 179 180 static void sd_realize(DeviceState *dev, Error **errp); 181 182 static const SDProto sd_proto_spi; 183 static const SDProto sd_proto_emmc; 184 185 static bool sd_is_spi(SDState *sd) 186 { 187 return sd->proto == &sd_proto_spi; 188 } 189 190 static bool sd_is_emmc(SDState *sd) 191 { 192 return sd->proto == &sd_proto_emmc; 193 } 194 195 static const char *sd_version_str(enum SDPhySpecificationVersion version) 196 { 197 static const char *sdphy_version[] = { 198 [SD_PHY_SPECv1_10_VERS] = "v1.10", 199 [SD_PHY_SPECv2_00_VERS] = "v2.00", 200 [SD_PHY_SPECv3_01_VERS] = "v3.01", 201 }; 202 if (version >= ARRAY_SIZE(sdphy_version)) { 203 return "unsupported version"; 204 } 205 return sdphy_version[version]; 206 } 207 208 static const char *sd_mode_name(enum SDCardModes mode) 209 { 210 static const char *mode_name[] = { 211 [sd_inactive] = "inactive", 212 [sd_card_identification_mode] = "identification", 213 [sd_data_transfer_mode] = "transfer", 214 }; 215 assert(mode < ARRAY_SIZE(mode_name)); 216 return mode_name[mode]; 217 } 218 219 static const char *sd_state_name(enum SDCardStates state) 220 { 221 static const char *state_name[] = { 222 [sd_idle_state] = "idle", 223 [sd_ready_state] = "ready", 224 [sd_identification_state] = "identification", 225 [sd_standby_state] = "standby", 226 [sd_transfer_state] = "transfer", 227 [sd_sendingdata_state] = "sendingdata", 228 [sd_bus_test_state] = "bus-test", 229 [sd_receivingdata_state] = "receivingdata", 230 [sd_programming_state] = "programming", 231 [sd_disconnect_state] = "disconnect", 232 [sd_sleep_state] = "sleep", 233 [sd_io_state] = "i/o" 234 }; 235 if (state == sd_inactive_state) { 236 return "inactive"; 237 } 238 if (state == sd_waitirq_state) { 239 return "wait-irq"; 240 } 241 assert(state < ARRAY_SIZE(state_name)); 242 return state_name[state]; 243 } 244 245 static const char *sd_response_name(sd_rsp_type_t rsp) 246 { 247 static const char *response_name[] = { 248 [sd_r0] = "RESP#0 (no response)", 249 [sd_r1] = "RESP#1 (normal cmd)", 250 [sd_r2_i] = "RESP#2 (CID reg)", 251 [sd_r2_s] = "RESP#2 (CSD reg)", 252 [sd_r3] = "RESP#3 (OCR reg)", 253 [sd_r6] = "RESP#6 (RCA)", 254 [sd_r7] = "RESP#7 (operating voltage)", 255 }; 256 if (rsp == sd_illegal) { 257 return "ILLEGAL RESP"; 258 } 259 if (rsp == sd_r1b) { 260 rsp = sd_r1; 261 } 262 assert(rsp < ARRAY_SIZE(response_name)); 263 return response_name[rsp]; 264 } 265 266 static const char *sd_cmd_name(SDState *sd, uint8_t cmd) 267 { 268 static const char *cmd_abbrev[SDMMC_CMD_MAX] = { 269 [18] = "READ_MULTIPLE_BLOCK", 270 [25] = "WRITE_MULTIPLE_BLOCK", 271 }; 272 const SDProto *sdp = sd->proto; 273 274 if (sdp->cmd[cmd].handler) { 275 assert(!cmd_abbrev[cmd]); 276 return sdp->cmd[cmd].name; 277 } 278 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD"; 279 } 280 281 static const char *sd_acmd_name(SDState *sd, uint8_t cmd) 282 { 283 const SDProto *sdp = sd->proto; 284 285 if (sdp->acmd[cmd].handler) { 286 return sdp->acmd[cmd].name; 287 } 288 289 return "UNKNOWN_ACMD"; 290 } 291 292 static uint8_t sd_get_dat_lines(SDState *sd) 293 { 294 return sd->dat_lines; 295 } 296 297 static bool sd_get_cmd_line(SDState *sd) 298 { 299 return sd->cmd_line; 300 } 301 302 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 303 { 304 trace_sdcard_set_voltage(millivolts); 305 306 switch (millivolts) { 307 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 308 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 309 break; 310 default: 311 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 312 millivolts / 1000.f); 313 } 314 } 315 316 static void sd_set_mode(SDState *sd) 317 { 318 switch (sd->state) { 319 case sd_inactive_state: 320 sd->mode = sd_inactive; 321 break; 322 323 case sd_idle_state: 324 case sd_ready_state: 325 case sd_identification_state: 326 sd->mode = sd_card_identification_mode; 327 break; 328 329 case sd_standby_state: 330 case sd_transfer_state: 331 case sd_sendingdata_state: 332 case sd_receivingdata_state: 333 case sd_programming_state: 334 case sd_disconnect_state: 335 sd->mode = sd_data_transfer_mode; 336 break; 337 } 338 } 339 340 static uint8_t sd_crc7(const void *message, size_t width) 341 { 342 int i, bit; 343 uint8_t shift_reg = 0x00; 344 const uint8_t *msg = (const uint8_t *)message; 345 346 for (i = 0; i < width; i ++, msg ++) 347 for (bit = 7; bit >= 0; bit --) { 348 shift_reg <<= 1; 349 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 350 shift_reg ^= 0x89; 351 } 352 353 return shift_reg; 354 } 355 356 /* Operation Conditions register */ 357 358 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 359 360 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 361 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 362 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 363 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 364 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 365 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 366 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 367 FIELD(OCR, CARD_POWER_UP, 31, 1) 368 369 #define ACMD41_ENQUIRY_MASK 0x00ffffff 370 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 371 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 372 | R_OCR_UHS_II_CARD_MASK \ 373 | R_OCR_CARD_CAPACITY_MASK \ 374 | R_OCR_CARD_POWER_UP_MASK) 375 376 static void sd_ocr_powerup(void *opaque) 377 { 378 SDState *sd = opaque; 379 380 trace_sdcard_powerup(); 381 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 382 383 /* card power-up OK */ 384 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 385 386 if (sd->size > SDSC_MAX_CAPACITY) { 387 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 388 } 389 } 390 391 static void sd_set_ocr(SDState *sd) 392 { 393 /* All voltages OK */ 394 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 395 396 if (sd_is_spi(sd)) { 397 /* 398 * We don't need to emulate power up sequence in SPI-mode. 399 * Thus, the card's power up status bit should be set to 1 when reset. 400 * The card's capacity status bit should also be set if SD card size 401 * is larger than 2GB for SDHC support. 402 */ 403 sd_ocr_powerup(sd); 404 } 405 } 406 407 /* SD Configuration register */ 408 409 static void sd_set_scr(SDState *sd) 410 { 411 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 412 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 413 sd->scr[0] |= 1; /* Spec Version 1.10 */ 414 } else { 415 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 416 } 417 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 418 | 0b0101; /* 1-bit or 4-bit width bus modes */ 419 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 420 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 421 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 422 } 423 sd->scr[3] = 0x00; 424 /* reserved for manufacturer usage */ 425 sd->scr[4] = 0x00; 426 sd->scr[5] = 0x00; 427 sd->scr[6] = 0x00; 428 sd->scr[7] = 0x00; 429 } 430 431 /* Card IDentification register */ 432 433 #define MID 0xaa 434 #define OID "XY" 435 #define PNM "QEMU!" 436 #define PRV 0x01 437 #define MDT_YR 2006 438 #define MDT_MON 2 439 440 static void sd_set_cid(SDState *sd) 441 { 442 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 443 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 444 sd->cid[2] = OID[1]; 445 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 446 sd->cid[4] = PNM[1]; 447 sd->cid[5] = PNM[2]; 448 sd->cid[6] = PNM[3]; 449 sd->cid[7] = PNM[4]; 450 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 451 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */ 452 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 453 ((MDT_YR - 2000) / 10); 454 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 455 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 456 } 457 458 static void emmc_set_cid(SDState *sd) 459 { 460 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 461 sd->cid[1] = 0b01; /* CBX: soldered BGA */ 462 sd->cid[2] = OID[0]; /* OEM/Application ID (OID) */ 463 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 464 sd->cid[4] = PNM[1]; 465 sd->cid[5] = PNM[2]; 466 sd->cid[6] = PNM[3]; 467 sd->cid[7] = PNM[4]; 468 sd->cid[8] = PNM[4]; 469 sd->cid[9] = PRV; /* Fake product revision (PRV) */ 470 stl_be_p(&sd->cid[10], 0xdeadbeef); /* Fake serial number (PSN) */ 471 sd->cid[14] = (MDT_MON << 4) | (MDT_YR - 1997); /* Manufacture date (MDT) */ 472 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 473 } 474 475 /* Card-Specific Data register */ 476 477 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 478 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 479 #define WPGROUP_SHIFT 7 /* 2 megs */ 480 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 481 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 482 483 static const uint8_t sd_csd_rw_mask[16] = { 484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 485 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 486 }; 487 488 static void emmc_set_ext_csd(SDState *sd, uint64_t size) 489 { 490 uint32_t sectcount = size >> HWBLOCK_SHIFT; 491 492 memset(sd->ext_csd, 0, sizeof(sd->ext_csd)); /* FIXME only RW at reset */ 493 494 /* Properties segment (RO) */ 495 sd->ext_csd[EXT_CSD_S_CMD_SET] = 0b1; /* supported command sets */ 496 sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x0; /* Boot information */ 497 /* Boot partition size. 128KB unit */ 498 sd->ext_csd[EXT_CSD_BOOT_MULT] = sd->boot_part_size / (128 * KiB); 499 sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x1; /* Access size */ 500 sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x01; /* HC Erase unit size */ 501 sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x01; /* HC erase timeout */ 502 sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */ 503 sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x01; /* HC write protect group size */ 504 sd->ext_csd[EXT_CSD_S_C_VCC] = 0x01; /* Sleep current VCC */ 505 sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x01; /* Sleep current VCCQ */ 506 sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x01; /* Sleep/Awake timeout */ 507 stl_le_p(&sd->ext_csd[EXT_CSD_SEC_CNT], sectcount); /* Sector count */ 508 sd->ext_csd[210] = 0x46; /* Min write perf for 8bit@52Mhz */ 509 sd->ext_csd[209] = 0x46; /* Min read perf for 8bit@52Mhz */ 510 sd->ext_csd[208] = 0x46; /* Min write perf for 4bit@52Mhz */ 511 sd->ext_csd[207] = 0x46; /* Min read perf for 4bit@52Mhz */ 512 sd->ext_csd[206] = 0x46; /* Min write perf for 4bit@26Mhz */ 513 sd->ext_csd[205] = 0x46; /* Min read perf for 4bit@26Mhz */ 514 sd->ext_csd[EXT_CSD_CARD_TYPE] = 0b11; 515 sd->ext_csd[EXT_CSD_STRUCTURE] = 2; 516 sd->ext_csd[EXT_CSD_REV] = 3; 517 518 /* Mode segment (RW) */ 519 sd->ext_csd[EXT_CSD_PART_CONFIG] = sd->boot_config; 520 } 521 522 static void emmc_set_csd(SDState *sd, uint64_t size) 523 { 524 int hwblock_shift = HWBLOCK_SHIFT; 525 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 526 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 527 528 sd->csd[0] = (3 << 6) | (4 << 2); /* Spec v4.3 with EXT_CSD */ 529 sd->csd[1] = (1 << 3) | 6; /* Asynchronous data access time: 1ms */ 530 sd->csd[2] = 0x00; 531 sd->csd[3] = (1 << 3) | 3;; /* Maximum bus clock frequency: 100MHz */ 532 sd->csd[4] = 0x0f; 533 if (size <= 2 * GiB) { 534 /* use 1k blocks */ 535 uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1; 536 sd->csd[5] = 0x5a; 537 sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf); 538 sd->csd[7] = (csize1k >> 2) & 0xff; 539 } else { /* >= 2GB : size stored in ext CSD, block addressing */ 540 sd->csd[5] = 0x59; 541 sd->csd[6] = 0x8f; 542 sd->csd[7] = 0xff; 543 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 544 } 545 sd->csd[8] = 0xff; 546 sd->csd[9] = 0xfc | /* Max. write current */ 547 ((CMULT_SHIFT - 2) >> 1); 548 sd->csd[10] = 0x40 | /* Erase sector size */ 549 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 550 sd->csd[11] = 0x00 | /* Write protect group size */ 551 ((sectsize << 7) & 0x80) | wpsize; 552 sd->csd[12] = 0x90 | /* Write speed factor */ 553 (hwblock_shift >> 2); 554 sd->csd[13] = 0x20 | /* Max. write data block length */ 555 ((hwblock_shift << 6) & 0xc0); 556 sd->csd[14] = 0x00; 557 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 558 emmc_set_ext_csd(sd, size); 559 } 560 561 static void sd_set_csd(SDState *sd, uint64_t size) 562 { 563 int hwblock_shift = HWBLOCK_SHIFT; 564 uint32_t csize; 565 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 566 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 567 568 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */ 569 if (size == SDSC_MAX_CAPACITY) { 570 hwblock_shift += 1; 571 } 572 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1; 573 574 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */ 575 sd->csd[0] = 0x00; /* CSD structure */ 576 sd->csd[1] = 0x26; /* Data read access-time-1 */ 577 sd->csd[2] = 0x00; /* Data read access-time-2 */ 578 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 579 sd->csd[4] = 0x5f; /* Card Command Classes */ 580 sd->csd[5] = 0x50 | /* Max. read data block length */ 581 hwblock_shift; 582 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 583 ((csize >> 10) & 0x03); 584 sd->csd[7] = 0x00 | /* Device size */ 585 ((csize >> 2) & 0xff); 586 sd->csd[8] = 0x3f | /* Max. read current */ 587 ((csize << 6) & 0xc0); 588 sd->csd[9] = 0xfc | /* Max. write current */ 589 ((CMULT_SHIFT - 2) >> 1); 590 sd->csd[10] = 0x40 | /* Erase sector size */ 591 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 592 sd->csd[11] = 0x00 | /* Write protect group size */ 593 ((sectsize << 7) & 0x80) | wpsize; 594 sd->csd[12] = 0x90 | /* Write speed factor */ 595 (hwblock_shift >> 2); 596 sd->csd[13] = 0x20 | /* Max. write data block length */ 597 ((hwblock_shift << 6) & 0xc0); 598 sd->csd[14] = 0x00; /* File format group */ 599 } else { /* SDHC */ 600 size /= 512 * KiB; 601 size -= 1; 602 sd->csd[0] = 0x40; 603 sd->csd[1] = 0x0e; 604 sd->csd[2] = 0x00; 605 sd->csd[3] = 0x32; 606 sd->csd[4] = 0x5b; 607 sd->csd[5] = 0x59; 608 sd->csd[6] = 0x00; 609 st24_be_p(&sd->csd[7], size); 610 sd->csd[10] = 0x7f; 611 sd->csd[11] = 0x80; 612 sd->csd[12] = 0x0a; 613 sd->csd[13] = 0x40; 614 sd->csd[14] = 0x00; 615 } 616 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 617 } 618 619 /* Relative Card Address register */ 620 621 static void sd_set_rca(SDState *sd, uint16_t value) 622 { 623 trace_sdcard_set_rca(value); 624 sd->rca = value; 625 } 626 627 static uint16_t sd_req_get_rca(SDState *s, SDRequest req) 628 { 629 switch (s->proto->cmd[req.cmd].type) { 630 case sd_ac: 631 case sd_adtc: 632 return req.arg >> 16; 633 case sd_spi: 634 default: 635 g_assert_not_reached(); 636 } 637 } 638 639 static bool sd_req_rca_same(SDState *s, SDRequest req) 640 { 641 return sd_req_get_rca(s, req) == s->rca; 642 } 643 644 /* Card Status register */ 645 646 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 647 FIELD(CSR, APP_CMD, 5, 1) 648 FIELD(CSR, FX_EVENT, 6, 1) 649 FIELD(CSR, SWITCH_ERROR, 7, 1) 650 FIELD(CSR, READY_FOR_DATA, 8, 1) 651 FIELD(CSR, CURRENT_STATE, 9, 4) 652 FIELD(CSR, ERASE_RESET, 13, 1) 653 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 654 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 655 FIELD(CSR, CSD_OVERWRITE, 16, 1) 656 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 657 FIELD(CSR, ERROR, 19, 1) 658 FIELD(CSR, CC_ERROR, 20, 1) 659 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 660 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 661 FIELD(CSR, COM_CRC_ERROR, 23, 1) 662 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 663 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 664 FIELD(CSR, WP_VIOLATION, 26, 1) 665 FIELD(CSR, ERASE_PARAM, 27, 1) 666 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 667 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 668 FIELD(CSR, ADDRESS_ERROR, 30, 1) 669 FIELD(CSR, OUT_OF_RANGE, 31, 1) 670 671 /* Card status bits, split by clear condition: 672 * A : According to the card current state 673 * B : Always related to the previous command 674 * C : Cleared by read 675 */ 676 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 677 | R_CSR_CARD_ECC_DISABLED_MASK \ 678 | R_CSR_CARD_IS_LOCKED_MASK) 679 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 680 | R_CSR_ILLEGAL_COMMAND_MASK \ 681 | R_CSR_COM_CRC_ERROR_MASK) 682 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 683 | R_CSR_APP_CMD_MASK \ 684 | R_CSR_ERASE_RESET_MASK \ 685 | R_CSR_WP_ERASE_SKIP_MASK \ 686 | R_CSR_CSD_OVERWRITE_MASK \ 687 | R_CSR_ERROR_MASK \ 688 | R_CSR_CC_ERROR_MASK \ 689 | R_CSR_CARD_ECC_FAILED_MASK \ 690 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 691 | R_CSR_WP_VIOLATION_MASK \ 692 | R_CSR_ERASE_PARAM_MASK \ 693 | R_CSR_ERASE_SEQ_ERROR_MASK \ 694 | R_CSR_BLOCK_LEN_ERROR_MASK \ 695 | R_CSR_ADDRESS_ERROR_MASK \ 696 | R_CSR_OUT_OF_RANGE_MASK) 697 698 static void sd_set_cardstatus(SDState *sd) 699 { 700 sd->card_status = READY_FOR_DATA; 701 } 702 703 static void sd_set_sdstatus(SDState *sd) 704 { 705 memset(sd->sd_status, 0, 64); 706 } 707 708 static const uint8_t sd_tuning_block_pattern4[64] = { 709 /* 710 * See: Physical Layer Simplified Specification Version 3.01, 711 * Table 4-2. 712 */ 713 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 714 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 715 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 716 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 717 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 718 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 719 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 720 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde 721 }; 722 723 static int sd_req_crc_validate(SDRequest *req) 724 { 725 uint8_t buffer[5]; 726 buffer[0] = 0x40 | req->cmd; 727 stl_be_p(&buffer[1], req->arg); 728 return 0; 729 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 730 } 731 732 static size_t sd_response_size(SDState *sd, sd_rsp_type_t rtype) 733 { 734 switch (rtype) { 735 case sd_r1: 736 case sd_r1b: 737 return 4; 738 739 case sd_r2_i: 740 case sd_r2_s: 741 return 16; 742 743 case sd_r3: 744 case sd_r7: 745 return 4; 746 747 case sd_r6: 748 return 4; 749 750 case sd_r0: 751 case sd_illegal: 752 return 0; 753 754 default: 755 g_assert_not_reached(); 756 } 757 } 758 759 static void sd_response_r1_make(SDState *sd, uint8_t *response) 760 { 761 stl_be_p(response, sd->card_status); 762 763 /* Clear the "clear on read" status bits */ 764 sd->card_status &= ~CARD_STATUS_C; 765 } 766 767 static void sd_response_r3_make(SDState *sd, uint8_t *response) 768 { 769 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 770 } 771 772 static void sd_response_r6_make(SDState *sd, uint8_t *response) 773 { 774 uint16_t status; 775 776 status = ((sd->card_status >> 8) & 0xc000) | 777 ((sd->card_status >> 6) & 0x2000) | 778 (sd->card_status & 0x1fff); 779 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 780 stw_be_p(response + 0, sd->rca); 781 stw_be_p(response + 2, status); 782 } 783 784 static void sd_response_r7_make(SDState *sd, uint8_t *response) 785 { 786 stl_be_p(response, sd->vhs); 787 } 788 789 static uint32_t sd_blk_len(SDState *sd) 790 { 791 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 792 return 1 << HWBLOCK_SHIFT; 793 } 794 return sd->blk_len; 795 } 796 797 /* 798 * This requires a disk image that has two boot partitions inserted at the 799 * beginning of it. The size of the boot partitions is the "boot-size" 800 * property. 801 */ 802 static uint32_t sd_bootpart_offset(SDState *sd) 803 { 804 unsigned partition_access; 805 806 if (!sd->boot_part_size || !sd_is_emmc(sd)) { 807 return 0; 808 } 809 810 partition_access = sd->ext_csd[EXT_CSD_PART_CONFIG] 811 & EXT_CSD_PART_CONFIG_ACC_MASK; 812 switch (partition_access) { 813 case EXT_CSD_PART_CONFIG_ACC_DEFAULT: 814 return sd->boot_part_size * 2; 815 case EXT_CSD_PART_CONFIG_ACC_BOOT0: 816 return 0; 817 case EXT_CSD_PART_CONFIG_ACC_BOOT0 + 1: 818 return sd->boot_part_size * 1; 819 default: 820 g_assert_not_reached(); 821 } 822 } 823 824 static uint64_t sd_req_get_address(SDState *sd, SDRequest req) 825 { 826 uint64_t addr; 827 828 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 829 addr = (uint64_t) req.arg << HWBLOCK_SHIFT; 830 } else { 831 addr = req.arg; 832 } 833 trace_sdcard_req_addr(req.arg, addr); 834 return addr; 835 } 836 837 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 838 { 839 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 840 } 841 842 static void sd_reset(DeviceState *dev) 843 { 844 SDState *sd = SDMMC_COMMON(dev); 845 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd); 846 uint64_t size; 847 uint64_t sect; 848 849 trace_sdcard_reset(); 850 if (sd->blk) { 851 blk_get_geometry(sd->blk, §); 852 } else { 853 sect = 0; 854 } 855 size = sect << HWBLOCK_SHIFT; 856 if (sd_is_emmc(sd)) { 857 size -= sd->boot_part_size * 2; 858 } 859 860 sect = sd_addr_to_wpnum(size) + 1; 861 862 sd->state = sd_idle_state; 863 864 /* card registers */ 865 sd->rca = sd_is_emmc(sd) ? 0x0001 : 0x0000; 866 sd->size = size; 867 sd_set_ocr(sd); 868 sd_set_scr(sd); 869 sc->set_cid(sd); 870 sc->set_csd(sd, size); 871 sd_set_cardstatus(sd); 872 sd_set_sdstatus(sd); 873 874 g_free(sd->wp_group_bmap); 875 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false; 876 sd->wp_group_bits = sect; 877 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits); 878 memset(sd->function_group, 0, sizeof(sd->function_group)); 879 sd->erase_start = INVALID_ADDRESS; 880 sd->erase_end = INVALID_ADDRESS; 881 sd->blk_len = 0x200; 882 sd->pwd_len = 0; 883 sd->expecting_acmd = false; 884 sd->dat_lines = 0xf; 885 sd->cmd_line = true; 886 sd->multi_blk_cnt = 0; 887 } 888 889 static bool sd_get_inserted(SDState *sd) 890 { 891 return sd->blk && blk_is_inserted(sd->blk); 892 } 893 894 static bool sd_get_readonly(SDState *sd) 895 { 896 return sd->wp_switch; 897 } 898 899 static void sd_cardchange(void *opaque, bool load, Error **errp) 900 { 901 SDState *sd = opaque; 902 DeviceState *dev = DEVICE(sd); 903 SDBus *sdbus; 904 bool inserted = sd_get_inserted(sd); 905 bool readonly = sd_get_readonly(sd); 906 907 if (inserted) { 908 trace_sdcard_inserted(readonly); 909 sd_reset(dev); 910 } else { 911 trace_sdcard_ejected(); 912 } 913 914 sdbus = SD_BUS(qdev_get_parent_bus(dev)); 915 sdbus_set_inserted(sdbus, inserted); 916 if (inserted) { 917 sdbus_set_readonly(sdbus, readonly); 918 } 919 } 920 921 static const BlockDevOps sd_block_ops = { 922 .change_media_cb = sd_cardchange, 923 }; 924 925 static bool sd_ocr_vmstate_needed(void *opaque) 926 { 927 SDState *sd = opaque; 928 929 /* Include the OCR state (and timer) if it is not yet powered up */ 930 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 931 } 932 933 static const VMStateDescription sd_ocr_vmstate = { 934 .name = "sd-card/ocr-state", 935 .version_id = 1, 936 .minimum_version_id = 1, 937 .needed = sd_ocr_vmstate_needed, 938 .fields = (const VMStateField[]) { 939 VMSTATE_UINT32(ocr, SDState), 940 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 941 VMSTATE_END_OF_LIST() 942 }, 943 }; 944 945 static bool vmstate_needed_for_emmc(void *opaque) 946 { 947 SDState *sd = opaque; 948 949 return sd_is_emmc(sd); 950 } 951 952 static const VMStateDescription emmc_extcsd_vmstate = { 953 .name = "sd-card/ext_csd_modes-state", 954 .version_id = 1, 955 .minimum_version_id = 1, 956 .needed = vmstate_needed_for_emmc, 957 .fields = (const VMStateField[]) { 958 VMSTATE_UINT8_ARRAY(ext_csd_rw, SDState, 192), 959 VMSTATE_END_OF_LIST() 960 }, 961 }; 962 963 static int sd_vmstate_pre_load(void *opaque) 964 { 965 SDState *sd = opaque; 966 967 /* If the OCR state is not included (prior versions, or not 968 * needed), then the OCR must be set as powered up. If the OCR state 969 * is included, this will be replaced by the state restore. 970 */ 971 sd_ocr_powerup(sd); 972 973 return 0; 974 } 975 976 static const VMStateDescription sd_vmstate = { 977 .name = "sd-card", 978 .version_id = 2, 979 .minimum_version_id = 2, 980 .pre_load = sd_vmstate_pre_load, 981 .fields = (const VMStateField[]) { 982 VMSTATE_UINT32(mode, SDState), 983 VMSTATE_INT32(state, SDState), 984 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 985 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 986 VMSTATE_UINT16(rca, SDState), 987 VMSTATE_UINT32(card_status, SDState), 988 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 989 VMSTATE_UINT32(vhs, SDState), 990 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits), 991 VMSTATE_UINT32(blk_len, SDState), 992 VMSTATE_UINT32(multi_blk_cnt, SDState), 993 VMSTATE_UINT32(erase_start, SDState), 994 VMSTATE_UINT32(erase_end, SDState), 995 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 996 VMSTATE_UINT32(pwd_len, SDState), 997 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 998 VMSTATE_UINT8(current_cmd, SDState), 999 VMSTATE_BOOL(expecting_acmd, SDState), 1000 VMSTATE_UINT32(blk_written, SDState), 1001 VMSTATE_UINT64(data_start, SDState), 1002 VMSTATE_UINT32(data_offset, SDState), 1003 VMSTATE_UINT8_ARRAY(data, SDState, 512), 1004 VMSTATE_UNUSED_V(1, 512), 1005 VMSTATE_UNUSED(1), 1006 VMSTATE_END_OF_LIST() 1007 }, 1008 .subsections = (const VMStateDescription * const []) { 1009 &sd_ocr_vmstate, 1010 &emmc_extcsd_vmstate, 1011 NULL 1012 }, 1013 }; 1014 1015 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 1016 { 1017 trace_sdcard_read_block(addr, len); 1018 addr += sd_bootpart_offset(sd); 1019 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) { 1020 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1021 } 1022 } 1023 1024 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 1025 { 1026 trace_sdcard_write_block(addr, len); 1027 addr += sd_bootpart_offset(sd); 1028 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) { 1029 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1030 } 1031 } 1032 1033 static void sd_erase(SDState *sd) 1034 { 1035 uint64_t erase_start = sd->erase_start; 1036 uint64_t erase_end = sd->erase_end; 1037 bool sdsc = true; 1038 uint64_t wpnum; 1039 uint64_t erase_addr; 1040 int erase_len = 1 << HWBLOCK_SHIFT; 1041 1042 trace_sdcard_erase(sd->erase_start, sd->erase_end); 1043 if (sd->erase_start == INVALID_ADDRESS 1044 || sd->erase_end == INVALID_ADDRESS) { 1045 sd->card_status |= ERASE_SEQ_ERROR; 1046 sd->erase_start = INVALID_ADDRESS; 1047 sd->erase_end = INVALID_ADDRESS; 1048 return; 1049 } 1050 1051 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 1052 /* High capacity memory card: erase units are 512 byte blocks */ 1053 erase_start <<= HWBLOCK_SHIFT; 1054 erase_end <<= HWBLOCK_SHIFT; 1055 sdsc = false; 1056 } 1057 1058 if (erase_start > sd->size || erase_end > sd->size) { 1059 sd->card_status |= OUT_OF_RANGE; 1060 sd->erase_start = INVALID_ADDRESS; 1061 sd->erase_end = INVALID_ADDRESS; 1062 return; 1063 } 1064 1065 sd->erase_start = INVALID_ADDRESS; 1066 sd->erase_end = INVALID_ADDRESS; 1067 sd->csd[14] |= 0x40; 1068 1069 memset(sd->data, 0xff, erase_len); 1070 for (erase_addr = erase_start; erase_addr <= erase_end; 1071 erase_addr += erase_len) { 1072 if (sdsc) { 1073 /* Only SDSC cards support write protect groups */ 1074 wpnum = sd_addr_to_wpnum(erase_addr); 1075 assert(wpnum < sd->wp_group_bits); 1076 if (test_bit(wpnum, sd->wp_group_bmap)) { 1077 sd->card_status |= WP_ERASE_SKIP; 1078 continue; 1079 } 1080 } 1081 sd_blk_write(sd, erase_addr, erase_len); 1082 } 1083 } 1084 1085 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 1086 { 1087 uint32_t i, wpnum; 1088 uint32_t ret = 0; 1089 1090 wpnum = sd_addr_to_wpnum(addr); 1091 1092 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 1093 if (addr >= sd->size) { 1094 /* 1095 * If the addresses of the last groups are outside the valid range, 1096 * then the corresponding write protection bits shall be set to 0. 1097 */ 1098 continue; 1099 } 1100 assert(wpnum < sd->wp_group_bits); 1101 if (test_bit(wpnum, sd->wp_group_bmap)) { 1102 ret |= (1 << i); 1103 } 1104 } 1105 1106 return ret; 1107 } 1108 1109 enum ExtCsdAccessMode { 1110 EXT_CSD_ACCESS_MODE_COMMAND_SET = 0, 1111 EXT_CSD_ACCESS_MODE_SET_BITS = 1, 1112 EXT_CSD_ACCESS_MODE_CLEAR_BITS = 2, 1113 EXT_CSD_ACCESS_MODE_WRITE_BYTE = 3 1114 }; 1115 1116 static void emmc_function_switch(SDState *sd, uint32_t arg) 1117 { 1118 uint8_t access = extract32(arg, 24, 2); 1119 uint8_t index = extract32(arg, 16, 8); 1120 uint8_t value = extract32(arg, 8, 8); 1121 uint8_t b = sd->ext_csd[index]; 1122 1123 trace_sdcard_switch(access, index, value, extract32(arg, 0, 2)); 1124 1125 if (index >= 192) { 1126 qemu_log_mask(LOG_GUEST_ERROR, "MMC switching illegal offset\n"); 1127 sd->card_status |= R_CSR_SWITCH_ERROR_MASK; 1128 return; 1129 } 1130 1131 switch (access) { 1132 case EXT_CSD_ACCESS_MODE_COMMAND_SET: 1133 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n"); 1134 return; 1135 case EXT_CSD_ACCESS_MODE_SET_BITS: 1136 b |= value; 1137 break; 1138 case EXT_CSD_ACCESS_MODE_CLEAR_BITS: 1139 b &= ~value; 1140 break; 1141 case EXT_CSD_ACCESS_MODE_WRITE_BYTE: 1142 b = value; 1143 break; 1144 } 1145 1146 trace_sdcard_ext_csd_update(index, sd->ext_csd[index], b); 1147 sd->ext_csd[index] = b; 1148 } 1149 1150 static void sd_function_switch(SDState *sd, uint32_t arg) 1151 { 1152 int i, mode, new_func; 1153 mode = !!(arg & 0x80000000); 1154 1155 sd->data[0] = 0x00; /* Maximum current consumption */ 1156 sd->data[1] = 0x01; 1157 sd->data[2] = 0x80; /* Supported group 6 functions */ 1158 sd->data[3] = 0x01; 1159 sd->data[4] = 0x80; /* Supported group 5 functions */ 1160 sd->data[5] = 0x01; 1161 sd->data[6] = 0x80; /* Supported group 4 functions */ 1162 sd->data[7] = 0x01; 1163 sd->data[8] = 0x80; /* Supported group 3 functions */ 1164 sd->data[9] = 0x01; 1165 sd->data[10] = 0x80; /* Supported group 2 functions */ 1166 sd->data[11] = 0x43; 1167 sd->data[12] = 0x80; /* Supported group 1 functions */ 1168 sd->data[13] = 0x03; 1169 1170 memset(&sd->data[14], 0, 3); 1171 for (i = 0; i < 6; i ++) { 1172 new_func = (arg >> (i * 4)) & 0x0f; 1173 if (mode && new_func != 0x0f) 1174 sd->function_group[i] = new_func; 1175 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4); 1176 } 1177 memset(&sd->data[17], 0, 47); 1178 } 1179 1180 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 1181 { 1182 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1183 } 1184 1185 static void sd_lock_command(SDState *sd) 1186 { 1187 int erase, lock, clr_pwd, set_pwd, pwd_len; 1188 erase = !!(sd->data[0] & 0x08); 1189 lock = sd->data[0] & 0x04; 1190 clr_pwd = sd->data[0] & 0x02; 1191 set_pwd = sd->data[0] & 0x01; 1192 1193 if (sd->blk_len > 1) 1194 pwd_len = sd->data[1]; 1195 else 1196 pwd_len = 0; 1197 1198 if (lock) { 1199 trace_sdcard_lock(); 1200 } else { 1201 trace_sdcard_unlock(); 1202 } 1203 if (erase) { 1204 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 1205 set_pwd || clr_pwd || lock || sd->wp_switch || 1206 (sd->csd[14] & 0x20)) { 1207 sd->card_status |= LOCK_UNLOCK_FAILED; 1208 return; 1209 } 1210 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits); 1211 sd->csd[14] &= ~0x10; 1212 sd->card_status &= ~CARD_IS_LOCKED; 1213 sd->pwd_len = 0; 1214 /* Erasing the entire card here! */ 1215 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 1216 return; 1217 } 1218 1219 if (sd->blk_len < 2 + pwd_len || 1220 pwd_len <= sd->pwd_len || 1221 pwd_len > sd->pwd_len + 16) { 1222 sd->card_status |= LOCK_UNLOCK_FAILED; 1223 return; 1224 } 1225 1226 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 1227 sd->card_status |= LOCK_UNLOCK_FAILED; 1228 return; 1229 } 1230 1231 pwd_len -= sd->pwd_len; 1232 if ((pwd_len && !set_pwd) || 1233 (clr_pwd && (set_pwd || lock)) || 1234 (lock && !sd->pwd_len && !set_pwd) || 1235 (!set_pwd && !clr_pwd && 1236 (((sd->card_status & CARD_IS_LOCKED) && lock) || 1237 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 1238 sd->card_status |= LOCK_UNLOCK_FAILED; 1239 return; 1240 } 1241 1242 if (set_pwd) { 1243 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 1244 sd->pwd_len = pwd_len; 1245 } 1246 1247 if (clr_pwd) { 1248 sd->pwd_len = 0; 1249 } 1250 1251 if (lock) 1252 sd->card_status |= CARD_IS_LOCKED; 1253 else 1254 sd->card_status &= ~CARD_IS_LOCKED; 1255 } 1256 1257 static bool address_in_range(SDState *sd, const char *desc, 1258 uint64_t addr, uint32_t length) 1259 { 1260 if (addr + length > sd->size) { 1261 qemu_log_mask(LOG_GUEST_ERROR, 1262 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n", 1263 desc, addr, sd->size, length); 1264 sd->card_status |= ADDRESS_ERROR; 1265 return false; 1266 } 1267 return true; 1268 } 1269 1270 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req) 1271 { 1272 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n", 1273 sd->proto->name, req.cmd, sd_state_name(sd->state), 1274 sd_version_str(sd->spec_version)); 1275 1276 return sd_illegal; 1277 } 1278 1279 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req) 1280 { 1281 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n", 1282 sd->proto->name, req.cmd, sd_mode_name(sd->mode), 1283 sd_version_str(sd->spec_version)); 1284 1285 return sd_illegal; 1286 } 1287 1288 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req) 1289 { 1290 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n", 1291 sd->proto->name, req.cmd, 1292 sd_version_str(sd->spec_version)); 1293 1294 return sd_illegal; 1295 } 1296 1297 /* Commands that are recognised but not yet implemented. */ 1298 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req) 1299 { 1300 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n", 1301 sd->proto->name, req.cmd); 1302 1303 return sd_illegal; 1304 } 1305 1306 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req) 1307 { 1308 qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n", 1309 sd->proto->name, req.cmd); 1310 1311 return sd_illegal; 1312 } 1313 1314 /* Configure fields for following sd_generic_write_byte() calls */ 1315 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req, 1316 uint64_t start, size_t size) 1317 { 1318 if (sd->state != sd_transfer_state) { 1319 return sd_invalid_state_for_cmd(sd, req); 1320 } 1321 sd->state = sd_receivingdata_state; 1322 sd->data_start = start; 1323 sd->data_offset = 0; 1324 /* sd->data[] used as receive buffer */ 1325 sd->data_size = size ?: sizeof(sd->data); 1326 return sd_r1; 1327 } 1328 1329 /* Configure fields for following sd_generic_read_byte() calls */ 1330 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req, 1331 uint64_t start, 1332 const void *data, size_t size) 1333 { 1334 if (sd->state != sd_transfer_state) { 1335 return sd_invalid_state_for_cmd(sd, req); 1336 } 1337 1338 sd->state = sd_sendingdata_state; 1339 sd->data_start = start; 1340 sd->data_offset = 0; 1341 if (data) { 1342 assert(size > 0 && size <= sizeof(sd->data)); 1343 memcpy(sd->data, data, size); 1344 } 1345 if (size) { 1346 sd->data_size = size; 1347 } 1348 return sd_r1; 1349 } 1350 1351 /* CMD0 */ 1352 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req) 1353 { 1354 if (sd->state == sd_sleep_state) { 1355 switch (req.arg) { 1356 case 0x00000000: 1357 case 0xf0f0f0f0: 1358 break; 1359 default: 1360 return sd_r0; 1361 } 1362 } 1363 if (sd->state != sd_inactive_state) { 1364 sd->state = sd_idle_state; 1365 sd_reset(DEVICE(sd)); 1366 } 1367 1368 return sd_is_spi(sd) ? sd_r1 : sd_r0; 1369 } 1370 1371 /* CMD1 */ 1372 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1373 { 1374 sd->state = sd_transfer_state; 1375 1376 return sd_r1; 1377 } 1378 1379 /* CMD2 */ 1380 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req) 1381 { 1382 switch (sd->state) { 1383 case sd_ready_state: 1384 sd->state = sd_identification_state; 1385 return sd_r2_i; 1386 default: 1387 return sd_invalid_state_for_cmd(sd, req); 1388 } 1389 } 1390 1391 /* CMD3 */ 1392 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req) 1393 { 1394 uint16_t random_rca; 1395 1396 switch (sd->state) { 1397 case sd_identification_state: 1398 case sd_standby_state: 1399 sd->state = sd_standby_state; 1400 qemu_guest_getrandom_nofail(&random_rca, sizeof(random_rca)); 1401 sd_set_rca(sd, random_rca); 1402 return sd_r6; 1403 1404 default: 1405 return sd_invalid_state_for_cmd(sd, req); 1406 } 1407 } 1408 1409 static sd_rsp_type_t emmc_cmd_SET_RELATIVE_ADDR(SDState *sd, SDRequest req) 1410 { 1411 switch (sd->state) { 1412 case sd_identification_state: 1413 case sd_standby_state: 1414 sd->state = sd_standby_state; 1415 sd_set_rca(sd, req.arg >> 16); 1416 return sd_r1; 1417 1418 default: 1419 return sd_invalid_state_for_cmd(sd, req); 1420 } 1421 } 1422 1423 /* CMD5 */ 1424 static sd_rsp_type_t emmc_cmd_sleep_awake(SDState *sd, SDRequest req) 1425 { 1426 bool do_sleep = extract32(req.arg, 15, 1); 1427 1428 switch (sd->state) { 1429 case sd_sleep_state: 1430 if (!do_sleep) { 1431 /* Awake */ 1432 sd->state = sd_standby_state; 1433 } 1434 return sd_r1b; 1435 1436 case sd_standby_state: 1437 if (do_sleep) { 1438 sd->state = sd_sleep_state; 1439 } 1440 return sd_r1b; 1441 1442 default: 1443 return sd_invalid_state_for_cmd(sd, req); 1444 } 1445 } 1446 1447 /* CMD6 */ 1448 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req) 1449 { 1450 if (sd->mode != sd_data_transfer_mode) { 1451 return sd_invalid_mode_for_cmd(sd, req); 1452 } 1453 if (sd->state != sd_transfer_state) { 1454 return sd_invalid_state_for_cmd(sd, req); 1455 } 1456 1457 sd_function_switch(sd, req.arg); 1458 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64); 1459 } 1460 1461 static sd_rsp_type_t emmc_cmd_SWITCH(SDState *sd, SDRequest req) 1462 { 1463 switch (sd->state) { 1464 case sd_transfer_state: 1465 sd->state = sd_programming_state; 1466 emmc_function_switch(sd, req.arg); 1467 sd->state = sd_transfer_state; 1468 return sd_r1b; 1469 default: 1470 return sd_invalid_state_for_cmd(sd, req); 1471 } 1472 } 1473 1474 /* CMD7 */ 1475 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req) 1476 { 1477 bool same_rca = sd_req_rca_same(sd, req); 1478 1479 switch (sd->state) { 1480 case sd_standby_state: 1481 if (!same_rca) { 1482 return sd_r0; 1483 } 1484 sd->state = sd_transfer_state; 1485 return sd_r1b; 1486 1487 case sd_transfer_state: 1488 case sd_sendingdata_state: 1489 if (same_rca) { 1490 break; 1491 } 1492 sd->state = sd_standby_state; 1493 return sd_r1b; 1494 1495 case sd_disconnect_state: 1496 if (!same_rca) { 1497 return sd_r0; 1498 } 1499 sd->state = sd_programming_state; 1500 return sd_r1b; 1501 1502 case sd_programming_state: 1503 if (same_rca) { 1504 break; 1505 } 1506 sd->state = sd_disconnect_state; 1507 return sd_r1b; 1508 1509 default: 1510 break; 1511 } 1512 return sd_invalid_state_for_cmd(sd, req); 1513 } 1514 1515 /* CMD8 */ 1516 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req) 1517 { 1518 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1519 return sd_cmd_illegal(sd, req); 1520 } 1521 if (sd->state != sd_idle_state) { 1522 return sd_invalid_state_for_cmd(sd, req); 1523 } 1524 sd->vhs = 0; 1525 1526 /* No response if not exactly one VHS bit is set. */ 1527 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1528 return sd_is_spi(sd) ? sd_r7 : sd_r0; 1529 } 1530 1531 /* Accept. */ 1532 sd->vhs = req.arg; 1533 return sd_r7; 1534 } 1535 1536 /* CMD8 */ 1537 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req) 1538 { 1539 if (sd->state != sd_transfer_state) { 1540 return sd_invalid_state_for_cmd(sd, req); 1541 } 1542 1543 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1544 sd->ext_csd, sizeof(sd->ext_csd)); 1545 } 1546 1547 /* CMD9 */ 1548 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req) 1549 { 1550 if (sd->state != sd_standby_state) { 1551 return sd_invalid_state_for_cmd(sd, req); 1552 } 1553 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1554 sd->csd, 16); 1555 } 1556 1557 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req) 1558 { 1559 if (sd->state != sd_standby_state) { 1560 return sd_invalid_state_for_cmd(sd, req); 1561 } 1562 1563 return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0; 1564 } 1565 1566 /* CMD10 */ 1567 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req) 1568 { 1569 if (sd->state != sd_standby_state) { 1570 return sd_invalid_state_for_cmd(sd, req); 1571 } 1572 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1573 sd->cid, 16); 1574 } 1575 1576 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req) 1577 { 1578 if (sd->state != sd_standby_state) { 1579 return sd_invalid_state_for_cmd(sd, req); 1580 } 1581 1582 return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0; 1583 } 1584 1585 /* CMD12 */ 1586 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req) 1587 { 1588 switch (sd->state) { 1589 case sd_sendingdata_state: 1590 sd->state = sd_transfer_state; 1591 return sd_r1b; 1592 case sd_receivingdata_state: 1593 sd->state = sd_programming_state; 1594 /* Bzzzzzzztt .... Operation complete. */ 1595 sd->state = sd_transfer_state; 1596 return sd_r1; 1597 default: 1598 return sd_invalid_state_for_cmd(sd, req); 1599 } 1600 } 1601 1602 /* CMD13 */ 1603 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req) 1604 { 1605 if (sd->mode != sd_data_transfer_mode) { 1606 return sd_invalid_mode_for_cmd(sd, req); 1607 } 1608 1609 switch (sd->state) { 1610 case sd_standby_state: 1611 case sd_transfer_state: 1612 case sd_sendingdata_state: 1613 case sd_receivingdata_state: 1614 case sd_programming_state: 1615 case sd_disconnect_state: 1616 break; 1617 default: 1618 return sd_invalid_state_for_cmd(sd, req); 1619 } 1620 1621 if (sd_is_spi(sd)) { 1622 return sd_r2_s; 1623 } 1624 1625 return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0; 1626 } 1627 1628 /* CMD15 */ 1629 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req) 1630 { 1631 if (sd->mode != sd_data_transfer_mode) { 1632 return sd_invalid_mode_for_cmd(sd, req); 1633 } 1634 switch (sd->state) { 1635 case sd_standby_state: 1636 case sd_transfer_state: 1637 case sd_sendingdata_state: 1638 case sd_receivingdata_state: 1639 case sd_programming_state: 1640 case sd_disconnect_state: 1641 break; 1642 default: 1643 return sd_invalid_state_for_cmd(sd, req); 1644 } 1645 if (sd_req_rca_same(sd, req)) { 1646 sd->state = sd_inactive_state; 1647 } 1648 1649 return sd_r0; 1650 } 1651 1652 /* CMD16 */ 1653 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req) 1654 { 1655 if (sd->state != sd_transfer_state) { 1656 return sd_invalid_state_for_cmd(sd, req); 1657 } 1658 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1659 sd->card_status |= BLOCK_LEN_ERROR; 1660 } else { 1661 trace_sdcard_set_blocklen(req.arg); 1662 sd->blk_len = req.arg; 1663 } 1664 1665 return sd_r1; 1666 } 1667 1668 /* CMD17 */ 1669 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req) 1670 { 1671 uint64_t addr; 1672 1673 if (sd->state != sd_transfer_state) { 1674 return sd_invalid_state_for_cmd(sd, req); 1675 } 1676 1677 addr = sd_req_get_address(sd, req); 1678 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) { 1679 return sd_r1; 1680 } 1681 1682 sd_blk_read(sd, addr, sd->blk_len); 1683 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len); 1684 } 1685 1686 /* CMD19 */ 1687 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req) 1688 { 1689 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1690 return sd_cmd_illegal(sd, req); 1691 } 1692 1693 return sd_cmd_to_sendingdata(sd, req, 0, 1694 sd_tuning_block_pattern4, 1695 sizeof(sd_tuning_block_pattern4)); 1696 } 1697 1698 /* CMD23 */ 1699 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req) 1700 { 1701 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1702 return sd_cmd_illegal(sd, req); 1703 } 1704 1705 if (sd->state != sd_transfer_state) { 1706 return sd_invalid_state_for_cmd(sd, req); 1707 } 1708 1709 sd->multi_blk_cnt = req.arg; 1710 if (sd_is_emmc(sd)) { 1711 sd->multi_blk_cnt &= 0xffff; 1712 } 1713 trace_sdcard_set_block_count(sd->multi_blk_cnt); 1714 1715 return sd_r1; 1716 } 1717 1718 /* CMD24 */ 1719 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req) 1720 { 1721 uint64_t addr; 1722 1723 if (sd->state != sd_transfer_state) { 1724 return sd_invalid_state_for_cmd(sd, req); 1725 } 1726 1727 addr = sd_req_get_address(sd, req); 1728 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) { 1729 return sd_r1; 1730 } 1731 1732 if (sd->size <= SDSC_MAX_CAPACITY) { 1733 if (sd_wp_addr(sd, addr)) { 1734 sd->card_status |= WP_VIOLATION; 1735 } 1736 } 1737 if (sd->csd[14] & 0x30) { 1738 sd->card_status |= WP_VIOLATION; 1739 } 1740 1741 sd->blk_written = 0; 1742 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len); 1743 } 1744 1745 /* CMD26 */ 1746 static sd_rsp_type_t emmc_cmd_PROGRAM_CID(SDState *sd, SDRequest req) 1747 { 1748 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid)); 1749 } 1750 1751 /* CMD27 */ 1752 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req) 1753 { 1754 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd)); 1755 } 1756 1757 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req, 1758 bool is_write) 1759 { 1760 uint64_t addr; 1761 1762 if (sd->size > SDSC_MAX_CAPACITY) { 1763 return sd_illegal; 1764 } 1765 1766 if (sd->state != sd_transfer_state) { 1767 return sd_invalid_state_for_cmd(sd, req); 1768 } 1769 1770 addr = sd_req_get_address(sd, req); 1771 if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT", 1772 addr, 1)) { 1773 return sd_r1b; 1774 } 1775 1776 sd->state = sd_programming_state; 1777 if (is_write) { 1778 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1779 } else { 1780 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1781 } 1782 /* Bzzzzzzztt .... Operation complete. */ 1783 sd->state = sd_transfer_state; 1784 return sd_r1; 1785 } 1786 1787 /* CMD28 */ 1788 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req) 1789 { 1790 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true); 1791 } 1792 1793 /* CMD29 */ 1794 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req) 1795 { 1796 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false); 1797 } 1798 1799 /* CMD30 */ 1800 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req) 1801 { 1802 uint64_t addr; 1803 uint32_t data; 1804 1805 if (sd->size > SDSC_MAX_CAPACITY) { 1806 return sd_illegal; 1807 } 1808 1809 if (sd->state != sd_transfer_state) { 1810 return sd_invalid_state_for_cmd(sd, req); 1811 } 1812 1813 addr = sd_req_get_address(sd, req); 1814 if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) { 1815 return sd_r1; 1816 } 1817 1818 data = sd_wpbits(sd, req.arg); 1819 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data)); 1820 } 1821 1822 /* CMD32 */ 1823 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req) 1824 { 1825 if (sd->state != sd_transfer_state) { 1826 return sd_invalid_state_for_cmd(sd, req); 1827 } 1828 sd->erase_start = req.arg; 1829 return sd_r1; 1830 } 1831 1832 /* CMD33 */ 1833 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req) 1834 { 1835 if (sd->state != sd_transfer_state) { 1836 return sd_invalid_state_for_cmd(sd, req); 1837 } 1838 sd->erase_end = req.arg; 1839 return sd_r1; 1840 } 1841 1842 /* CMD38 */ 1843 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req) 1844 { 1845 if (sd->state != sd_transfer_state) { 1846 return sd_invalid_state_for_cmd(sd, req); 1847 } 1848 if (sd->csd[14] & 0x30) { 1849 sd->card_status |= WP_VIOLATION; 1850 return sd_r1b; 1851 } 1852 1853 sd->state = sd_programming_state; 1854 sd_erase(sd); 1855 /* Bzzzzzzztt .... Operation complete. */ 1856 sd->state = sd_transfer_state; 1857 return sd_r1b; 1858 } 1859 1860 /* CMD42 */ 1861 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req) 1862 { 1863 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1864 } 1865 1866 /* CMD55 */ 1867 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req) 1868 { 1869 switch (sd->state) { 1870 case sd_ready_state: 1871 case sd_identification_state: 1872 case sd_inactive_state: 1873 case sd_sleep_state: 1874 return sd_invalid_state_for_cmd(sd, req); 1875 case sd_idle_state: 1876 if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) { 1877 qemu_log_mask(LOG_GUEST_ERROR, 1878 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1879 } 1880 /* fall-through */ 1881 default: 1882 break; 1883 } 1884 if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) { 1885 return sd_r0; 1886 } 1887 sd->expecting_acmd = true; 1888 sd->card_status |= APP_CMD; 1889 1890 return sd_r1; 1891 } 1892 1893 /* CMD56 */ 1894 static sd_rsp_type_t sd_cmd_GEN_CMD(SDState *sd, SDRequest req) 1895 { 1896 if (sd->state != sd_transfer_state) { 1897 return sd_invalid_state_for_cmd(sd, req); 1898 } 1899 1900 /* Vendor specific command: our model is RAZ/WI */ 1901 if (req.arg & 1) { 1902 memset(sd->data, 0, sizeof(sd->data)); 1903 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 0); 1904 } else { 1905 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1906 } 1907 } 1908 1909 /* CMD58 */ 1910 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req) 1911 { 1912 return sd_r3; 1913 } 1914 1915 /* CMD59 */ 1916 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req) 1917 { 1918 return sd_r1; 1919 } 1920 1921 /* ACMD6 */ 1922 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req) 1923 { 1924 if (sd->state != sd_transfer_state) { 1925 return sd_invalid_state_for_cmd(sd, req); 1926 } 1927 1928 sd->sd_status[0] &= 0x3f; 1929 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1930 return sd_r1; 1931 } 1932 1933 /* ACMD13 */ 1934 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req) 1935 { 1936 return sd_cmd_to_sendingdata(sd, req, 0, 1937 sd->sd_status, sizeof(sd->sd_status)); 1938 } 1939 1940 /* ACMD22 */ 1941 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req) 1942 { 1943 return sd_cmd_to_sendingdata(sd, req, 0, 1944 &sd->blk_written, sizeof(sd->blk_written)); 1945 } 1946 1947 /* ACMD23 */ 1948 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req) 1949 { 1950 if (sd->state != sd_transfer_state) { 1951 return sd_invalid_state_for_cmd(sd, req); 1952 } 1953 return sd_r1; 1954 } 1955 1956 /* ACMD41 */ 1957 static sd_rsp_type_t sd_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1958 { 1959 if (sd->state != sd_idle_state) { 1960 return sd_invalid_state_for_cmd(sd, req); 1961 } 1962 1963 /* 1964 * If it's the first ACMD41 since reset, we need to decide 1965 * whether to power up. If this is not an enquiry ACMD41, 1966 * we immediately report power on and proceed below to the 1967 * ready state, but if it is, we set a timer to model a 1968 * delay for power up. This works around a bug in EDK2 1969 * UEFI, which sends an initial enquiry ACMD41, but 1970 * assumes that the card is in ready state as soon as it 1971 * sees the power up bit set. 1972 */ 1973 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1974 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1975 timer_del(sd->ocr_power_timer); 1976 sd_ocr_powerup(sd); 1977 } else { 1978 trace_sdcard_inquiry_cmd41(); 1979 if (!timer_pending(sd->ocr_power_timer)) { 1980 timer_mod_ns(sd->ocr_power_timer, 1981 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1982 + OCR_POWER_DELAY_NS)); 1983 } 1984 } 1985 } 1986 1987 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1988 /* 1989 * We accept any voltage. 10000 V is nothing. 1990 * 1991 * Once we're powered up, we advance straight to ready state 1992 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1993 */ 1994 sd->state = sd_ready_state; 1995 } 1996 1997 return sd_r3; 1998 } 1999 2000 /* ACMD42 */ 2001 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req) 2002 { 2003 if (sd->state != sd_transfer_state) { 2004 return sd_invalid_state_for_cmd(sd, req); 2005 } 2006 2007 /* Bringing in the 50KOhm pull-up resistor... Done. */ 2008 return sd_r1; 2009 } 2010 2011 /* ACMD51 */ 2012 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req) 2013 { 2014 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr)); 2015 } 2016 2017 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 2018 { 2019 uint64_t addr; 2020 2021 sd->last_cmd_name = sd_cmd_name(sd, req.cmd); 2022 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 2023 * However there is no ACMD55, so we want to trace this particular case. 2024 */ 2025 if (req.cmd != 55 || sd->expecting_acmd) { 2026 trace_sdcard_normal_command(sd->proto->name, 2027 sd->last_cmd_name, req.cmd, 2028 req.arg, sd_state_name(sd->state)); 2029 } 2030 2031 /* Not interpreting this as an app command */ 2032 sd->card_status &= ~APP_CMD; 2033 2034 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 2035 * if not, its effects are cancelled */ 2036 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 2037 sd->multi_blk_cnt = 0; 2038 } 2039 2040 if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR, 2041 CARD_CAPACITY)) { 2042 /* Only Standard Capacity cards support class 6 commands */ 2043 return sd_illegal; 2044 } 2045 2046 if (sd->proto->cmd[req.cmd].handler) { 2047 return sd->proto->cmd[req.cmd].handler(sd, req); 2048 } 2049 2050 switch (req.cmd) { 2051 /* Block read commands (Class 2) */ 2052 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2053 addr = sd_req_get_address(sd, req); 2054 switch (sd->state) { 2055 case sd_transfer_state: 2056 2057 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) { 2058 return sd_r1; 2059 } 2060 2061 sd->state = sd_sendingdata_state; 2062 sd->data_start = addr; 2063 sd->data_offset = 0; 2064 return sd_r1; 2065 2066 default: 2067 break; 2068 } 2069 break; 2070 2071 /* Block write commands (Class 4) */ 2072 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2073 addr = sd_req_get_address(sd, req); 2074 switch (sd->state) { 2075 case sd_transfer_state: 2076 2077 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) { 2078 return sd_r1; 2079 } 2080 2081 sd->state = sd_receivingdata_state; 2082 sd->data_start = addr; 2083 sd->data_offset = 0; 2084 sd->blk_written = 0; 2085 2086 if (sd->size <= SDSC_MAX_CAPACITY) { 2087 if (sd_wp_addr(sd, sd->data_start)) { 2088 sd->card_status |= WP_VIOLATION; 2089 } 2090 } 2091 if (sd->csd[14] & 0x30) { 2092 sd->card_status |= WP_VIOLATION; 2093 } 2094 return sd_r1; 2095 2096 default: 2097 break; 2098 } 2099 break; 2100 2101 default: 2102 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 2103 return sd_illegal; 2104 } 2105 2106 return sd_invalid_state_for_cmd(sd, req); 2107 } 2108 2109 static sd_rsp_type_t sd_app_command(SDState *sd, 2110 SDRequest req) 2111 { 2112 sd->last_cmd_name = sd_acmd_name(sd, req.cmd); 2113 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name, 2114 req.cmd, req.arg, sd_state_name(sd->state)); 2115 sd->card_status |= APP_CMD; 2116 2117 if (sd->proto->acmd[req.cmd].handler) { 2118 return sd->proto->acmd[req.cmd].handler(sd, req); 2119 } 2120 2121 switch (req.cmd) { 2122 case 18: /* Reserved for SD security applications */ 2123 case 25: 2124 case 26: 2125 case 38: 2126 case 43 ... 49: 2127 /* Refer to the "SD Specifications Part3 Security Specification" for 2128 * information about the SD Security Features. 2129 */ 2130 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 2131 req.cmd); 2132 return sd_illegal; 2133 2134 default: 2135 /* Fall back to standard commands. */ 2136 return sd_normal_command(sd, req); 2137 } 2138 2139 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 2140 return sd_illegal; 2141 } 2142 2143 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd) 2144 { 2145 unsigned cmd_class; 2146 2147 /* Valid commands in locked state: 2148 * basic class (0) 2149 * lock card class (7) 2150 * CMD16 2151 * implicitly, the ACMD prefix CMD55 2152 * ACMD41 and ACMD42 2153 * Anything else provokes an "illegal command" response. 2154 */ 2155 if (sd->expecting_acmd) { 2156 return cmd == 41 || cmd == 42; 2157 } 2158 if (cmd == 16 || cmd == 55) { 2159 return true; 2160 } 2161 if (!sd->proto->cmd[cmd].handler) { 2162 return false; 2163 } 2164 cmd_class = sd->proto->cmd[cmd].class; 2165 2166 return cmd_class == 0 || cmd_class == 7; 2167 } 2168 2169 static int sd_do_command(SDState *sd, SDRequest *req, 2170 uint8_t *response) { 2171 int last_state; 2172 sd_rsp_type_t rtype; 2173 int rsplen; 2174 2175 if (!sd->blk || !blk_is_inserted(sd->blk)) { 2176 return 0; 2177 } 2178 2179 if (sd->state == sd_inactive_state) { 2180 rtype = sd_illegal; 2181 goto send_response; 2182 } 2183 2184 if (sd_req_crc_validate(req)) { 2185 sd->card_status |= COM_CRC_ERROR; 2186 rtype = sd_illegal; 2187 goto send_response; 2188 } 2189 2190 if (req->cmd >= SDMMC_CMD_MAX) { 2191 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 2192 req->cmd); 2193 req->cmd &= 0x3f; 2194 } 2195 2196 if (sd->state == sd_sleep_state && req->cmd) { 2197 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is sleeping\n"); 2198 rtype = sd_r0; 2199 goto send_response; 2200 } 2201 2202 if (sd->card_status & CARD_IS_LOCKED) { 2203 if (!cmd_valid_while_locked(sd, req->cmd)) { 2204 sd->card_status |= ILLEGAL_COMMAND; 2205 sd->expecting_acmd = false; 2206 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 2207 rtype = sd_illegal; 2208 goto send_response; 2209 } 2210 } 2211 2212 last_state = sd->state; 2213 sd_set_mode(sd); 2214 2215 if (sd->expecting_acmd) { 2216 sd->expecting_acmd = false; 2217 rtype = sd_app_command(sd, *req); 2218 } else { 2219 rtype = sd_normal_command(sd, *req); 2220 } 2221 2222 if (rtype == sd_illegal) { 2223 sd->card_status |= ILLEGAL_COMMAND; 2224 } else { 2225 /* Valid command, we can update the 'state before command' bits. 2226 * (Do this now so they appear in r1 responses.) 2227 */ 2228 sd->card_status = FIELD_DP32(sd->card_status, CSR, 2229 CURRENT_STATE, last_state); 2230 } 2231 2232 send_response: 2233 rsplen = sd_response_size(sd, rtype); 2234 2235 switch (rtype) { 2236 case sd_r1: 2237 case sd_r1b: 2238 sd_response_r1_make(sd, response); 2239 break; 2240 2241 case sd_r2_i: 2242 memcpy(response, sd->cid, sizeof(sd->cid)); 2243 break; 2244 2245 case sd_r2_s: 2246 memcpy(response, sd->csd, sizeof(sd->csd)); 2247 break; 2248 2249 case sd_r3: 2250 sd_response_r3_make(sd, response); 2251 break; 2252 2253 case sd_r6: 2254 sd_response_r6_make(sd, response); 2255 break; 2256 2257 case sd_r7: 2258 sd_response_r7_make(sd, response); 2259 break; 2260 2261 case sd_r0: 2262 /* 2263 * Invalid state transition, reset implementation 2264 * fields to avoid OOB abuse. 2265 */ 2266 sd->data_start = 0; 2267 sd->data_offset = 0; 2268 /* fall-through */ 2269 case sd_illegal: 2270 break; 2271 default: 2272 g_assert_not_reached(); 2273 } 2274 trace_sdcard_response(sd_response_name(rtype), rsplen); 2275 2276 if (rtype != sd_illegal) { 2277 /* Clear the "clear on valid command" status bits now we've 2278 * sent any response 2279 */ 2280 sd->card_status &= ~CARD_STATUS_B; 2281 } 2282 2283 #ifdef DEBUG_SD 2284 qemu_hexdump(stderr, "Response", response, rsplen); 2285 #endif 2286 2287 sd->current_cmd = rtype == sd_illegal ? 0 : req->cmd; 2288 2289 return rsplen; 2290 } 2291 2292 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */ 2293 static bool sd_generic_write_byte(SDState *sd, uint8_t value) 2294 { 2295 sd->data[sd->data_offset] = value; 2296 2297 if (++sd->data_offset >= sd->data_size) { 2298 sd->state = sd_transfer_state; 2299 return true; 2300 } 2301 return false; 2302 } 2303 2304 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */ 2305 static bool sd_generic_read_byte(SDState *sd, uint8_t *value) 2306 { 2307 *value = sd->data[sd->data_offset]; 2308 2309 if (++sd->data_offset >= sd->data_size) { 2310 sd->state = sd_transfer_state; 2311 return true; 2312 } 2313 2314 return false; 2315 } 2316 2317 static void sd_write_byte(SDState *sd, uint8_t value) 2318 { 2319 int i; 2320 2321 if (!sd->blk || !blk_is_inserted(sd->blk)) { 2322 return; 2323 } 2324 2325 if (sd->state != sd_receivingdata_state) { 2326 qemu_log_mask(LOG_GUEST_ERROR, 2327 "%s: not in Receiving-Data state\n", __func__); 2328 return; 2329 } 2330 2331 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2332 return; 2333 2334 trace_sdcard_write_data(sd->proto->name, 2335 sd->last_cmd_name, 2336 sd->current_cmd, sd->data_offset, value); 2337 switch (sd->current_cmd) { 2338 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 2339 if (sd_generic_write_byte(sd, value)) { 2340 /* TODO: Check CRC before committing */ 2341 sd->state = sd_programming_state; 2342 sd_blk_write(sd, sd->data_start, sd->data_offset); 2343 sd->blk_written ++; 2344 sd->csd[14] |= 0x40; 2345 /* Bzzzzzzztt .... Operation complete. */ 2346 sd->state = sd_transfer_state; 2347 } 2348 break; 2349 2350 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2351 if (sd->data_offset == 0) { 2352 /* Start of the block - let's check the address is valid */ 2353 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK", 2354 sd->data_start, sd->blk_len)) { 2355 break; 2356 } 2357 if (sd->size <= SDSC_MAX_CAPACITY) { 2358 if (sd_wp_addr(sd, sd->data_start)) { 2359 sd->card_status |= WP_VIOLATION; 2360 break; 2361 } 2362 } 2363 } 2364 sd->data[sd->data_offset++] = value; 2365 if (sd->data_offset >= sd->blk_len) { 2366 /* TODO: Check CRC before committing */ 2367 sd->state = sd_programming_state; 2368 sd_blk_write(sd, sd->data_start, sd->data_offset); 2369 sd->blk_written++; 2370 sd->data_start += sd->blk_len; 2371 sd->data_offset = 0; 2372 sd->csd[14] |= 0x40; 2373 2374 /* Bzzzzzzztt .... Operation complete. */ 2375 if (sd->multi_blk_cnt != 0) { 2376 if (--sd->multi_blk_cnt == 0) { 2377 /* Stop! */ 2378 sd->state = sd_transfer_state; 2379 break; 2380 } 2381 } 2382 2383 sd->state = sd_receivingdata_state; 2384 } 2385 break; 2386 2387 case 26: /* CMD26: PROGRAM_CID */ 2388 if (sd_generic_write_byte(sd, value)) { 2389 /* TODO: Check CRC before committing */ 2390 sd->state = sd_programming_state; 2391 for (i = 0; i < sizeof(sd->cid); i ++) 2392 if ((sd->cid[i] | 0x00) != sd->data[i]) 2393 sd->card_status |= CID_CSD_OVERWRITE; 2394 2395 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2396 for (i = 0; i < sizeof(sd->cid); i ++) { 2397 sd->cid[i] |= 0x00; 2398 sd->cid[i] &= sd->data[i]; 2399 } 2400 /* Bzzzzzzztt .... Operation complete. */ 2401 sd->state = sd_transfer_state; 2402 } 2403 break; 2404 2405 case 27: /* CMD27: PROGRAM_CSD */ 2406 if (sd_generic_write_byte(sd, value)) { 2407 /* TODO: Check CRC before committing */ 2408 sd->state = sd_programming_state; 2409 for (i = 0; i < sizeof(sd->csd); i ++) 2410 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 2411 (sd->data[i] | sd_csd_rw_mask[i])) 2412 sd->card_status |= CID_CSD_OVERWRITE; 2413 2414 /* Copy flag (OTP) & Permanent write protect */ 2415 if (sd->csd[14] & ~sd->data[14] & 0x60) 2416 sd->card_status |= CID_CSD_OVERWRITE; 2417 2418 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2419 for (i = 0; i < sizeof(sd->csd); i ++) { 2420 sd->csd[i] |= sd_csd_rw_mask[i]; 2421 sd->csd[i] &= sd->data[i]; 2422 } 2423 /* Bzzzzzzztt .... Operation complete. */ 2424 sd->state = sd_transfer_state; 2425 } 2426 break; 2427 2428 case 42: /* CMD42: LOCK_UNLOCK */ 2429 if (sd_generic_write_byte(sd, value)) { 2430 /* TODO: Check CRC before committing */ 2431 sd->state = sd_programming_state; 2432 sd_lock_command(sd); 2433 /* Bzzzzzzztt .... Operation complete. */ 2434 sd->state = sd_transfer_state; 2435 } 2436 break; 2437 2438 case 56: /* CMD56: GEN_CMD */ 2439 sd_generic_write_byte(sd, value); 2440 break; 2441 2442 default: 2443 g_assert_not_reached(); 2444 } 2445 } 2446 2447 static uint8_t sd_read_byte(SDState *sd) 2448 { 2449 /* TODO: Append CRCs */ 2450 const uint8_t dummy_byte = 0x00; 2451 uint8_t ret; 2452 uint32_t io_len; 2453 2454 if (!sd->blk || !blk_is_inserted(sd->blk)) { 2455 return dummy_byte; 2456 } 2457 2458 if (sd->state != sd_sendingdata_state) { 2459 qemu_log_mask(LOG_GUEST_ERROR, 2460 "%s: not in Sending-Data state\n", __func__); 2461 return dummy_byte; 2462 } 2463 2464 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) { 2465 return dummy_byte; 2466 } 2467 2468 io_len = sd_blk_len(sd); 2469 2470 trace_sdcard_read_data(sd->proto->name, 2471 sd->last_cmd_name, sd->current_cmd, 2472 sd->data_offset, sd->data_size, io_len); 2473 switch (sd->current_cmd) { 2474 case 6: /* CMD6: SWITCH_FUNCTION */ 2475 case 8: /* CMD8: SEND_EXT_CSD */ 2476 case 9: /* CMD9: SEND_CSD */ 2477 case 10: /* CMD10: SEND_CID */ 2478 case 13: /* ACMD13: SD_STATUS */ 2479 case 17: /* CMD17: READ_SINGLE_BLOCK */ 2480 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2481 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2482 case 30: /* CMD30: SEND_WRITE_PROT */ 2483 case 51: /* ACMD51: SEND_SCR */ 2484 case 56: /* CMD56: GEN_CMD */ 2485 sd_generic_read_byte(sd, &ret); 2486 break; 2487 2488 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2489 if (sd->data_offset == 0) { 2490 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK", 2491 sd->data_start, io_len)) { 2492 return dummy_byte; 2493 } 2494 sd_blk_read(sd, sd->data_start, io_len); 2495 } 2496 ret = sd->data[sd->data_offset ++]; 2497 2498 if (sd->data_offset >= io_len) { 2499 sd->data_start += io_len; 2500 sd->data_offset = 0; 2501 2502 if (sd->multi_blk_cnt != 0) { 2503 if (--sd->multi_blk_cnt == 0) { 2504 /* Stop! */ 2505 sd->state = sd_transfer_state; 2506 break; 2507 } 2508 } 2509 } 2510 break; 2511 2512 default: 2513 qemu_log_mask(LOG_GUEST_ERROR, "%s: DAT read illegal for command %s\n", 2514 __func__, sd->last_cmd_name); 2515 return dummy_byte; 2516 } 2517 2518 return ret; 2519 } 2520 2521 static bool sd_receive_ready(SDState *sd) 2522 { 2523 return sd->state == sd_receivingdata_state; 2524 } 2525 2526 static bool sd_data_ready(SDState *sd) 2527 { 2528 return sd->state == sd_sendingdata_state; 2529 } 2530 2531 static const SDProto sd_proto_spi = { 2532 .name = "SPI", 2533 .cmd = { 2534 [0] = {0, sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2535 [1] = {0, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2536 [5] = {9, sd_spi, "IO_SEND_OP_COND", sd_cmd_optional}, 2537 [6] = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2538 [8] = {0, sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2539 [9] = {0, sd_spi, "SEND_CSD", spi_cmd_SEND_CSD}, 2540 [10] = {0, sd_spi, "SEND_CID", spi_cmd_SEND_CID}, 2541 [12] = {0, sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2542 [13] = {0, sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2543 [16] = {2, sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2544 [17] = {2, sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2545 [24] = {4, sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2546 [27] = {4, sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2547 [28] = {6, sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2548 [29] = {6, sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2549 [30] = {6, sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2550 [32] = {5, sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2551 [33] = {5, sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2552 [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional}, 2553 [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional}, 2554 [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional}, 2555 [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2556 [38] = {5, sd_spi, "ERASE", sd_cmd_ERASE}, 2557 [42] = {7, sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2558 [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional}, 2559 [52] = {9, sd_spi, "IO_RW_DIRECT", sd_cmd_optional}, 2560 [53] = {9, sd_spi, "IO_RW_EXTENDED", sd_cmd_optional}, 2561 [55] = {8, sd_spi, "APP_CMD", sd_cmd_APP_CMD}, 2562 [56] = {8, sd_spi, "GEN_CMD", sd_cmd_GEN_CMD}, 2563 [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2564 [58] = {0, sd_spi, "READ_OCR", spi_cmd_READ_OCR}, 2565 [59] = {0, sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF}, 2566 }, 2567 .acmd = { 2568 [13] = {8, sd_spi, "SD_STATUS", sd_acmd_SD_STATUS}, 2569 [22] = {8, sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2570 [23] = {8, sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2571 [41] = {8, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2572 [42] = {8, sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2573 [51] = {8, sd_spi, "SEND_SCR", sd_acmd_SEND_SCR}, 2574 }, 2575 }; 2576 2577 static const SDProto sd_proto_sd = { 2578 .name = "SD", 2579 .cmd = { 2580 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2581 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2582 [3] = {0, sd_bcr, "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR}, 2583 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented}, 2584 [5] = {9, sd_bc, "IO_SEND_OP_COND", sd_cmd_optional}, 2585 [6] = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2586 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD}, 2587 [8] = {0, sd_bcr, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2588 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD}, 2589 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID}, 2590 [11] = {0, sd_ac, "VOLTAGE_SWITCH", sd_cmd_optional}, 2591 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2592 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2593 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE}, 2594 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2595 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2596 [19] = {2, sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK}, 2597 [20] = {2, sd_ac, "SPEED_CLASS_CONTROL", sd_cmd_optional}, 2598 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2599 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2600 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2601 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2602 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2603 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2604 [32] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2605 [33] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2606 [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional}, 2607 [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional}, 2608 [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional}, 2609 [37] = {10, sd_ac, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2610 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE}, 2611 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2612 [43] = {1, sd_ac, "Q_MANAGEMENT", sd_cmd_optional}, 2613 [44] = {1, sd_ac, "Q_TASK_INFO_A", sd_cmd_optional}, 2614 [45] = {1, sd_ac, "Q_TASK_INFO_B", sd_cmd_optional}, 2615 [46] = {1, sd_adtc, "Q_RD_TASK", sd_cmd_optional}, 2616 [47] = {1, sd_adtc, "Q_WR_TASK", sd_cmd_optional}, 2617 [48] = {1, sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional}, 2618 [49] = {1, sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional}, 2619 [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional}, 2620 [52] = {9, sd_bc, "IO_RW_DIRECT", sd_cmd_optional}, 2621 [53] = {9, sd_bc, "IO_RW_EXTENDED", sd_cmd_optional}, 2622 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD}, 2623 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD}, 2624 [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2625 [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional}, 2626 [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional}, 2627 }, 2628 .acmd = { 2629 [6] = {8, sd_ac, "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH}, 2630 [13] = {8, sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS}, 2631 [22] = {8, sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2632 [23] = {8, sd_ac, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2633 [41] = {8, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND}, 2634 [42] = {8, sd_ac, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2635 [51] = {8, sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR}, 2636 }, 2637 }; 2638 2639 static const SDProto sd_proto_emmc = { 2640 /* Only v4.3 is supported */ 2641 .name = "eMMC", 2642 .cmd = { 2643 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2644 [1] = {0, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND}, 2645 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2646 [3] = {0, sd_ac, "SET_RELATIVE_ADDR", emmc_cmd_SET_RELATIVE_ADDR}, 2647 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented}, 2648 [5] = {0, sd_ac, "SLEEP/AWAKE", emmc_cmd_sleep_awake}, 2649 [6] = {10, sd_adtc, "SWITCH", emmc_cmd_SWITCH}, 2650 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD}, 2651 [8] = {0, sd_adtc, "SEND_EXT_CSD", emmc_cmd_SEND_EXT_CSD}, 2652 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD}, 2653 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID}, 2654 [11] = {1, sd_adtc, "READ_DAT_UNTIL_STOP", sd_cmd_unimplemented}, 2655 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2656 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2657 [14] = {0, sd_adtc, "BUSTEST_R", sd_cmd_unimplemented}, 2658 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE}, 2659 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2660 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2661 [19] = {0, sd_adtc, "BUSTEST_W", sd_cmd_unimplemented}, 2662 [20] = {3, sd_adtc, "WRITE_DAT_UNTIL_STOP", sd_cmd_unimplemented}, 2663 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2664 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2665 [26] = {4, sd_adtc, "PROGRAM_CID", emmc_cmd_PROGRAM_CID}, 2666 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2667 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2668 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2669 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2670 [31] = {6, sd_adtc, "SEND_WRITE_PROT_TYPE", sd_cmd_unimplemented}, 2671 [35] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2672 [36] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2673 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE}, 2674 [39] = {9, sd_ac, "FAST_IO", sd_cmd_unimplemented}, 2675 [40] = {9, sd_bcr, "GO_IRQ_STATE", sd_cmd_unimplemented}, 2676 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2677 [49] = {0, sd_adtc, "SET_TIME", sd_cmd_unimplemented}, 2678 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD}, 2679 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD}, 2680 }, 2681 }; 2682 2683 static void sd_instance_init(Object *obj) 2684 { 2685 SDState *sd = SDMMC_COMMON(obj); 2686 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd); 2687 2688 sd->proto = sc->proto; 2689 sd->last_cmd_name = "UNSET"; 2690 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2691 } 2692 2693 static void sd_instance_finalize(Object *obj) 2694 { 2695 SDState *sd = SDMMC_COMMON(obj); 2696 2697 timer_free(sd->ocr_power_timer); 2698 } 2699 2700 static void sd_realize(DeviceState *dev, Error **errp) 2701 { 2702 SDState *sd = SDMMC_COMMON(dev); 2703 int ret; 2704 2705 switch (sd->spec_version) { 2706 case SD_PHY_SPECv1_10_VERS 2707 ... SD_PHY_SPECv3_01_VERS: 2708 break; 2709 default: 2710 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2711 return; 2712 } 2713 2714 if (sd->blk) { 2715 int64_t blk_size; 2716 2717 if (!blk_supports_write_perm(sd->blk)) { 2718 error_setg(errp, "Cannot use read-only drive as SD card"); 2719 return; 2720 } 2721 2722 blk_size = blk_getlength(sd->blk); 2723 if (blk_size > 0 && !is_power_of_2(blk_size)) { 2724 int64_t blk_size_aligned = pow2ceil(blk_size); 2725 char *blk_size_str; 2726 2727 blk_size_str = size_to_str(blk_size); 2728 error_setg(errp, "Invalid SD card size: %s", blk_size_str); 2729 g_free(blk_size_str); 2730 2731 blk_size_str = size_to_str(blk_size_aligned); 2732 error_append_hint(errp, 2733 "SD card size has to be a power of 2, e.g. %s.\n" 2734 "You can resize disk images with" 2735 " 'qemu-img resize <imagefile> <new-size>'\n" 2736 "(note that this will lose data if you make the" 2737 " image smaller than it currently is).\n", 2738 blk_size_str); 2739 g_free(blk_size_str); 2740 2741 return; 2742 } 2743 2744 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2745 BLK_PERM_ALL, errp); 2746 if (ret < 0) { 2747 return; 2748 } 2749 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2750 } 2751 } 2752 2753 static void emmc_realize(DeviceState *dev, Error **errp) 2754 { 2755 SDState *sd = SDMMC_COMMON(dev); 2756 2757 sd->spec_version = SD_PHY_SPECv3_01_VERS; /* Actually v4.3 */ 2758 2759 sd_realize(dev, errp); 2760 } 2761 2762 static const Property sdmmc_common_properties[] = { 2763 DEFINE_PROP_DRIVE("drive", SDState, blk), 2764 }; 2765 2766 static const Property sd_properties[] = { 2767 DEFINE_PROP_UINT8("spec_version", SDState, 2768 spec_version, SD_PHY_SPECv3_01_VERS), 2769 }; 2770 2771 static const Property emmc_properties[] = { 2772 DEFINE_PROP_UINT64("boot-partition-size", SDState, boot_part_size, 0), 2773 DEFINE_PROP_UINT8("boot-config", SDState, boot_config, 0x0), 2774 }; 2775 2776 static void sdmmc_common_class_init(ObjectClass *klass, const void *data) 2777 { 2778 DeviceClass *dc = DEVICE_CLASS(klass); 2779 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2780 2781 device_class_set_props(dc, sdmmc_common_properties); 2782 dc->vmsd = &sd_vmstate; 2783 device_class_set_legacy_reset(dc, sd_reset); 2784 dc->bus_type = TYPE_SD_BUS; 2785 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2786 2787 sc->set_voltage = sd_set_voltage; 2788 sc->get_dat_lines = sd_get_dat_lines; 2789 sc->get_cmd_line = sd_get_cmd_line; 2790 sc->do_command = sd_do_command; 2791 sc->write_byte = sd_write_byte; 2792 sc->read_byte = sd_read_byte; 2793 sc->receive_ready = sd_receive_ready; 2794 sc->data_ready = sd_data_ready; 2795 sc->get_inserted = sd_get_inserted; 2796 sc->get_readonly = sd_get_readonly; 2797 } 2798 2799 static void sd_class_init(ObjectClass *klass, const void *data) 2800 { 2801 DeviceClass *dc = DEVICE_CLASS(klass); 2802 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2803 2804 dc->realize = sd_realize; 2805 device_class_set_props(dc, sd_properties); 2806 2807 sc->set_cid = sd_set_cid; 2808 sc->set_csd = sd_set_csd; 2809 sc->proto = &sd_proto_sd; 2810 } 2811 2812 /* 2813 * We do not model the chip select pin, so allow the board to select 2814 * whether card should be in SSI or MMC/SD mode. It is also up to the 2815 * board to ensure that ssi transfers only occur when the chip select 2816 * is asserted. 2817 */ 2818 static void sd_spi_class_init(ObjectClass *klass, const void *data) 2819 { 2820 DeviceClass *dc = DEVICE_CLASS(klass); 2821 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2822 2823 dc->desc = "SD SPI"; 2824 sc->proto = &sd_proto_spi; 2825 } 2826 2827 static void emmc_class_init(ObjectClass *klass, const void *data) 2828 { 2829 DeviceClass *dc = DEVICE_CLASS(klass); 2830 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2831 2832 dc->desc = "eMMC"; 2833 dc->realize = emmc_realize; 2834 device_class_set_props(dc, emmc_properties); 2835 /* Reason: Soldered on board */ 2836 dc->user_creatable = false; 2837 2838 sc->proto = &sd_proto_emmc; 2839 2840 sc->set_cid = emmc_set_cid; 2841 sc->set_csd = emmc_set_csd; 2842 } 2843 2844 static const TypeInfo sd_types[] = { 2845 { 2846 .name = TYPE_SDMMC_COMMON, 2847 .parent = TYPE_DEVICE, 2848 .abstract = true, 2849 .instance_size = sizeof(SDState), 2850 .class_size = sizeof(SDCardClass), 2851 .class_init = sdmmc_common_class_init, 2852 .instance_init = sd_instance_init, 2853 .instance_finalize = sd_instance_finalize, 2854 }, 2855 { 2856 .name = TYPE_SD_CARD, 2857 .parent = TYPE_SDMMC_COMMON, 2858 .class_init = sd_class_init, 2859 }, 2860 { 2861 .name = TYPE_SD_CARD_SPI, 2862 .parent = TYPE_SD_CARD, 2863 .class_init = sd_spi_class_init, 2864 }, 2865 { 2866 .name = TYPE_EMMC, 2867 .parent = TYPE_SDMMC_COMMON, 2868 .class_init = emmc_class_init, 2869 }, 2870 }; 2871 2872 DEFINE_TYPES(sd_types) 2873