1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 1.10." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "qemu/osdep.h" 33 #include "hw/qdev.h" 34 #include "hw/hw.h" 35 #include "sysemu/block-backend.h" 36 #include "hw/sd/sd.h" 37 #include "qemu/bitmap.h" 38 #include "hw/qdev-properties.h" 39 #include "qemu/error-report.h" 40 #include "qemu/timer.h" 41 42 //#define DEBUG_SD 1 43 44 #ifdef DEBUG_SD 45 #define DPRINTF(fmt, ...) \ 46 do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0) 47 #else 48 #define DPRINTF(fmt, ...) do {} while(0) 49 #endif 50 51 #define ACMD41_ENQUIRY_MASK 0x00ffffff 52 #define OCR_POWER_UP 0x80000000 53 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 54 55 typedef enum { 56 sd_r0 = 0, /* no response */ 57 sd_r1, /* normal response command */ 58 sd_r2_i, /* CID register */ 59 sd_r2_s, /* CSD register */ 60 sd_r3, /* OCR register */ 61 sd_r6 = 6, /* Published RCA response */ 62 sd_r7, /* Operating voltage */ 63 sd_r1b = -1, 64 sd_illegal = -2, 65 } sd_rsp_type_t; 66 67 enum SDCardModes { 68 sd_inactive, 69 sd_card_identification_mode, 70 sd_data_transfer_mode, 71 }; 72 73 enum SDCardStates { 74 sd_inactive_state = -1, 75 sd_idle_state = 0, 76 sd_ready_state, 77 sd_identification_state, 78 sd_standby_state, 79 sd_transfer_state, 80 sd_sendingdata_state, 81 sd_receivingdata_state, 82 sd_programming_state, 83 sd_disconnect_state, 84 }; 85 86 struct SDState { 87 DeviceState parent_obj; 88 89 uint32_t mode; /* current card mode, one of SDCardModes */ 90 int32_t state; /* current card state, one of SDCardStates */ 91 uint32_t ocr; 92 QEMUTimer *ocr_power_timer; 93 uint8_t scr[8]; 94 uint8_t cid[16]; 95 uint8_t csd[16]; 96 uint16_t rca; 97 uint32_t card_status; 98 uint8_t sd_status[64]; 99 uint32_t vhs; 100 bool wp_switch; 101 unsigned long *wp_groups; 102 int32_t wpgrps_size; 103 uint64_t size; 104 uint32_t blk_len; 105 uint32_t multi_blk_cnt; 106 uint32_t erase_start; 107 uint32_t erase_end; 108 uint8_t pwd[16]; 109 uint32_t pwd_len; 110 uint8_t function_group[6]; 111 112 bool spi; 113 uint8_t current_cmd; 114 /* True if we will handle the next command as an ACMD. Note that this does 115 * *not* track the APP_CMD status bit! 116 */ 117 bool expecting_acmd; 118 uint32_t blk_written; 119 uint64_t data_start; 120 uint32_t data_offset; 121 uint8_t data[512]; 122 qemu_irq readonly_cb; 123 qemu_irq inserted_cb; 124 BlockBackend *blk; 125 uint8_t *buf; 126 127 bool enable; 128 }; 129 130 static void sd_set_mode(SDState *sd) 131 { 132 switch (sd->state) { 133 case sd_inactive_state: 134 sd->mode = sd_inactive; 135 break; 136 137 case sd_idle_state: 138 case sd_ready_state: 139 case sd_identification_state: 140 sd->mode = sd_card_identification_mode; 141 break; 142 143 case sd_standby_state: 144 case sd_transfer_state: 145 case sd_sendingdata_state: 146 case sd_receivingdata_state: 147 case sd_programming_state: 148 case sd_disconnect_state: 149 sd->mode = sd_data_transfer_mode; 150 break; 151 } 152 } 153 154 static const sd_cmd_type_t sd_cmd_type[64] = { 155 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac, 156 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac, 157 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, 158 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none, 159 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none, 160 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none, 161 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, 162 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, 163 }; 164 165 static const int sd_cmd_class[64] = { 166 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 167 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6, 168 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7, 169 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8, 170 }; 171 172 static uint8_t sd_crc7(void *message, size_t width) 173 { 174 int i, bit; 175 uint8_t shift_reg = 0x00; 176 uint8_t *msg = (uint8_t *) message; 177 178 for (i = 0; i < width; i ++, msg ++) 179 for (bit = 7; bit >= 0; bit --) { 180 shift_reg <<= 1; 181 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 182 shift_reg ^= 0x89; 183 } 184 185 return shift_reg; 186 } 187 188 static uint16_t sd_crc16(void *message, size_t width) 189 { 190 int i, bit; 191 uint16_t shift_reg = 0x0000; 192 uint16_t *msg = (uint16_t *) message; 193 width <<= 1; 194 195 for (i = 0; i < width; i ++, msg ++) 196 for (bit = 15; bit >= 0; bit --) { 197 shift_reg <<= 1; 198 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1)) 199 shift_reg ^= 0x1011; 200 } 201 202 return shift_reg; 203 } 204 205 static void sd_set_ocr(SDState *sd) 206 { 207 /* All voltages OK, Standard Capacity SD Memory Card, not yet powered up */ 208 sd->ocr = 0x00ffff00; 209 } 210 211 static void sd_ocr_powerup(void *opaque) 212 { 213 SDState *sd = opaque; 214 215 /* Set powered up bit in OCR */ 216 assert(!(sd->ocr & OCR_POWER_UP)); 217 sd->ocr |= OCR_POWER_UP; 218 } 219 220 static void sd_set_scr(SDState *sd) 221 { 222 sd->scr[0] = 0x00; /* SCR Structure */ 223 sd->scr[1] = 0x2f; /* SD Security Support */ 224 sd->scr[2] = 0x00; 225 sd->scr[3] = 0x00; 226 sd->scr[4] = 0x00; 227 sd->scr[5] = 0x00; 228 sd->scr[6] = 0x00; 229 sd->scr[7] = 0x00; 230 } 231 232 #define MID 0xaa 233 #define OID "XY" 234 #define PNM "QEMU!" 235 #define PRV 0x01 236 #define MDT_YR 2006 237 #define MDT_MON 2 238 239 static void sd_set_cid(SDState *sd) 240 { 241 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 242 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 243 sd->cid[2] = OID[1]; 244 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 245 sd->cid[4] = PNM[1]; 246 sd->cid[5] = PNM[2]; 247 sd->cid[6] = PNM[3]; 248 sd->cid[7] = PNM[4]; 249 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 250 sd->cid[9] = 0xde; /* Fake serial number (PSN) */ 251 sd->cid[10] = 0xad; 252 sd->cid[11] = 0xbe; 253 sd->cid[12] = 0xef; 254 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 255 ((MDT_YR - 2000) / 10); 256 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 257 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 258 } 259 260 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 261 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 262 #define WPGROUP_SHIFT 7 /* 2 megs */ 263 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 264 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 265 266 static const uint8_t sd_csd_rw_mask[16] = { 267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 269 }; 270 271 static void sd_set_csd(SDState *sd, uint64_t size) 272 { 273 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1; 274 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 275 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 276 277 if (size <= 0x40000000) { /* Standard Capacity SD */ 278 sd->csd[0] = 0x00; /* CSD structure */ 279 sd->csd[1] = 0x26; /* Data read access-time-1 */ 280 sd->csd[2] = 0x00; /* Data read access-time-2 */ 281 sd->csd[3] = 0x5a; /* Max. data transfer rate */ 282 sd->csd[4] = 0x5f; /* Card Command Classes */ 283 sd->csd[5] = 0x50 | /* Max. read data block length */ 284 HWBLOCK_SHIFT; 285 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 286 ((csize >> 10) & 0x03); 287 sd->csd[7] = 0x00 | /* Device size */ 288 ((csize >> 2) & 0xff); 289 sd->csd[8] = 0x3f | /* Max. read current */ 290 ((csize << 6) & 0xc0); 291 sd->csd[9] = 0xfc | /* Max. write current */ 292 ((CMULT_SHIFT - 2) >> 1); 293 sd->csd[10] = 0x40 | /* Erase sector size */ 294 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 295 sd->csd[11] = 0x00 | /* Write protect group size */ 296 ((sectsize << 7) & 0x80) | wpsize; 297 sd->csd[12] = 0x90 | /* Write speed factor */ 298 (HWBLOCK_SHIFT >> 2); 299 sd->csd[13] = 0x20 | /* Max. write data block length */ 300 ((HWBLOCK_SHIFT << 6) & 0xc0); 301 sd->csd[14] = 0x00; /* File format group */ 302 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 303 } else { /* SDHC */ 304 size /= 512 * 1024; 305 size -= 1; 306 sd->csd[0] = 0x40; 307 sd->csd[1] = 0x0e; 308 sd->csd[2] = 0x00; 309 sd->csd[3] = 0x32; 310 sd->csd[4] = 0x5b; 311 sd->csd[5] = 0x59; 312 sd->csd[6] = 0x00; 313 sd->csd[7] = (size >> 16) & 0xff; 314 sd->csd[8] = (size >> 8) & 0xff; 315 sd->csd[9] = (size & 0xff); 316 sd->csd[10] = 0x7f; 317 sd->csd[11] = 0x80; 318 sd->csd[12] = 0x0a; 319 sd->csd[13] = 0x40; 320 sd->csd[14] = 0x00; 321 sd->csd[15] = 0x00; 322 sd->ocr |= 1 << 30; /* High Capacity SD Memory Card */ 323 } 324 } 325 326 static void sd_set_rca(SDState *sd) 327 { 328 sd->rca += 0x4567; 329 } 330 331 /* Card status bits, split by clear condition: 332 * A : According to the card current state 333 * B : Always related to the previous command 334 * C : Cleared by read 335 */ 336 #define CARD_STATUS_A 0x02004100 337 #define CARD_STATUS_B 0x00c01e00 338 #define CARD_STATUS_C 0xfd39a028 339 340 static void sd_set_cardstatus(SDState *sd) 341 { 342 sd->card_status = 0x00000100; 343 } 344 345 static void sd_set_sdstatus(SDState *sd) 346 { 347 memset(sd->sd_status, 0, 64); 348 } 349 350 static int sd_req_crc_validate(SDRequest *req) 351 { 352 uint8_t buffer[5]; 353 buffer[0] = 0x40 | req->cmd; 354 buffer[1] = (req->arg >> 24) & 0xff; 355 buffer[2] = (req->arg >> 16) & 0xff; 356 buffer[3] = (req->arg >> 8) & 0xff; 357 buffer[4] = (req->arg >> 0) & 0xff; 358 return 0; 359 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 360 } 361 362 static void sd_response_r1_make(SDState *sd, uint8_t *response) 363 { 364 uint32_t status = sd->card_status; 365 /* Clear the "clear on read" status bits */ 366 sd->card_status &= ~CARD_STATUS_C; 367 368 response[0] = (status >> 24) & 0xff; 369 response[1] = (status >> 16) & 0xff; 370 response[2] = (status >> 8) & 0xff; 371 response[3] = (status >> 0) & 0xff; 372 } 373 374 static void sd_response_r3_make(SDState *sd, uint8_t *response) 375 { 376 response[0] = (sd->ocr >> 24) & 0xff; 377 response[1] = (sd->ocr >> 16) & 0xff; 378 response[2] = (sd->ocr >> 8) & 0xff; 379 response[3] = (sd->ocr >> 0) & 0xff; 380 } 381 382 static void sd_response_r6_make(SDState *sd, uint8_t *response) 383 { 384 uint16_t arg; 385 uint16_t status; 386 387 arg = sd->rca; 388 status = ((sd->card_status >> 8) & 0xc000) | 389 ((sd->card_status >> 6) & 0x2000) | 390 (sd->card_status & 0x1fff); 391 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 392 393 response[0] = (arg >> 8) & 0xff; 394 response[1] = arg & 0xff; 395 response[2] = (status >> 8) & 0xff; 396 response[3] = status & 0xff; 397 } 398 399 static void sd_response_r7_make(SDState *sd, uint8_t *response) 400 { 401 response[0] = (sd->vhs >> 24) & 0xff; 402 response[1] = (sd->vhs >> 16) & 0xff; 403 response[2] = (sd->vhs >> 8) & 0xff; 404 response[3] = (sd->vhs >> 0) & 0xff; 405 } 406 407 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 408 { 409 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 410 } 411 412 static void sd_reset(DeviceState *dev) 413 { 414 SDState *sd = SD_CARD(dev); 415 uint64_t size; 416 uint64_t sect; 417 418 if (sd->blk) { 419 blk_get_geometry(sd->blk, §); 420 } else { 421 sect = 0; 422 } 423 size = sect << 9; 424 425 sect = sd_addr_to_wpnum(size) + 1; 426 427 sd->state = sd_idle_state; 428 sd->rca = 0x0000; 429 sd_set_ocr(sd); 430 sd_set_scr(sd); 431 sd_set_cid(sd); 432 sd_set_csd(sd, size); 433 sd_set_cardstatus(sd); 434 sd_set_sdstatus(sd); 435 436 g_free(sd->wp_groups); 437 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false; 438 sd->wpgrps_size = sect; 439 sd->wp_groups = bitmap_new(sd->wpgrps_size); 440 memset(sd->function_group, 0, sizeof(sd->function_group)); 441 sd->erase_start = 0; 442 sd->erase_end = 0; 443 sd->size = size; 444 sd->blk_len = 0x200; 445 sd->pwd_len = 0; 446 sd->expecting_acmd = false; 447 sd->multi_blk_cnt = 0; 448 } 449 450 static bool sd_get_inserted(SDState *sd) 451 { 452 return sd->blk && blk_is_inserted(sd->blk); 453 } 454 455 static bool sd_get_readonly(SDState *sd) 456 { 457 return sd->wp_switch; 458 } 459 460 static void sd_cardchange(void *opaque, bool load) 461 { 462 SDState *sd = opaque; 463 DeviceState *dev = DEVICE(sd); 464 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev)); 465 bool inserted = sd_get_inserted(sd); 466 bool readonly = sd_get_readonly(sd); 467 468 if (inserted) { 469 sd_reset(dev); 470 } 471 472 /* The IRQ notification is for legacy non-QOM SD controller devices; 473 * QOMified controllers use the SDBus APIs. 474 */ 475 if (sdbus) { 476 sdbus_set_inserted(sdbus, inserted); 477 if (inserted) { 478 sdbus_set_readonly(sdbus, readonly); 479 } 480 } else { 481 qemu_set_irq(sd->inserted_cb, inserted); 482 if (inserted) { 483 qemu_set_irq(sd->readonly_cb, readonly); 484 } 485 } 486 } 487 488 static const BlockDevOps sd_block_ops = { 489 .change_media_cb = sd_cardchange, 490 }; 491 492 static bool sd_ocr_vmstate_needed(void *opaque) 493 { 494 SDState *sd = opaque; 495 496 /* Include the OCR state (and timer) if it is not yet powered up */ 497 return !(sd->ocr & OCR_POWER_UP); 498 } 499 500 static const VMStateDescription sd_ocr_vmstate = { 501 .name = "sd-card/ocr-state", 502 .version_id = 1, 503 .minimum_version_id = 1, 504 .needed = sd_ocr_vmstate_needed, 505 .fields = (VMStateField[]) { 506 VMSTATE_UINT32(ocr, SDState), 507 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 508 VMSTATE_END_OF_LIST() 509 }, 510 }; 511 512 static int sd_vmstate_pre_load(void *opaque) 513 { 514 SDState *sd = opaque; 515 516 /* If the OCR state is not included (prior versions, or not 517 * needed), then the OCR must be set as powered up. If the OCR state 518 * is included, this will be replaced by the state restore. 519 */ 520 sd_ocr_powerup(sd); 521 522 return 0; 523 } 524 525 static const VMStateDescription sd_vmstate = { 526 .name = "sd-card", 527 .version_id = 1, 528 .minimum_version_id = 1, 529 .pre_load = sd_vmstate_pre_load, 530 .fields = (VMStateField[]) { 531 VMSTATE_UINT32(mode, SDState), 532 VMSTATE_INT32(state, SDState), 533 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 534 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 535 VMSTATE_UINT16(rca, SDState), 536 VMSTATE_UINT32(card_status, SDState), 537 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 538 VMSTATE_UINT32(vhs, SDState), 539 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size), 540 VMSTATE_UINT32(blk_len, SDState), 541 VMSTATE_UINT32(multi_blk_cnt, SDState), 542 VMSTATE_UINT32(erase_start, SDState), 543 VMSTATE_UINT32(erase_end, SDState), 544 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 545 VMSTATE_UINT32(pwd_len, SDState), 546 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 547 VMSTATE_UINT8(current_cmd, SDState), 548 VMSTATE_BOOL(expecting_acmd, SDState), 549 VMSTATE_UINT32(blk_written, SDState), 550 VMSTATE_UINT64(data_start, SDState), 551 VMSTATE_UINT32(data_offset, SDState), 552 VMSTATE_UINT8_ARRAY(data, SDState, 512), 553 VMSTATE_BUFFER_POINTER_UNSAFE(buf, SDState, 1, 512), 554 VMSTATE_BOOL(enable, SDState), 555 VMSTATE_END_OF_LIST() 556 }, 557 .subsections = (const VMStateDescription*[]) { 558 &sd_ocr_vmstate, 559 NULL 560 }, 561 }; 562 563 /* Legacy initialization function for use by non-qdevified callers */ 564 SDState *sd_init(BlockBackend *blk, bool is_spi) 565 { 566 Object *obj; 567 DeviceState *dev; 568 Error *err = NULL; 569 570 obj = object_new(TYPE_SD_CARD); 571 dev = DEVICE(obj); 572 qdev_prop_set_drive(dev, "drive", blk, &err); 573 if (err) { 574 error_report("sd_init failed: %s", error_get_pretty(err)); 575 return NULL; 576 } 577 qdev_prop_set_bit(dev, "spi", is_spi); 578 object_property_set_bool(obj, true, "realized", &err); 579 if (err) { 580 error_report("sd_init failed: %s", error_get_pretty(err)); 581 return NULL; 582 } 583 584 return SD_CARD(dev); 585 } 586 587 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 588 { 589 sd->readonly_cb = readonly; 590 sd->inserted_cb = insert; 591 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0); 592 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 593 } 594 595 static void sd_erase(SDState *sd) 596 { 597 int i; 598 uint64_t erase_start = sd->erase_start; 599 uint64_t erase_end = sd->erase_end; 600 601 if (!sd->erase_start || !sd->erase_end) { 602 sd->card_status |= ERASE_SEQ_ERROR; 603 return; 604 } 605 606 if (extract32(sd->ocr, OCR_CCS_BITN, 1)) { 607 /* High capacity memory card: erase units are 512 byte blocks */ 608 erase_start *= 512; 609 erase_end *= 512; 610 } 611 612 erase_start = sd_addr_to_wpnum(erase_start); 613 erase_end = sd_addr_to_wpnum(erase_end); 614 sd->erase_start = 0; 615 sd->erase_end = 0; 616 sd->csd[14] |= 0x40; 617 618 for (i = erase_start; i <= erase_end; i++) { 619 if (test_bit(i, sd->wp_groups)) { 620 sd->card_status |= WP_ERASE_SKIP; 621 } 622 } 623 } 624 625 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 626 { 627 uint32_t i, wpnum; 628 uint32_t ret = 0; 629 630 wpnum = sd_addr_to_wpnum(addr); 631 632 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 633 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { 634 ret |= (1 << i); 635 } 636 } 637 638 return ret; 639 } 640 641 static void sd_function_switch(SDState *sd, uint32_t arg) 642 { 643 int i, mode, new_func, crc; 644 mode = !!(arg & 0x80000000); 645 646 sd->data[0] = 0x00; /* Maximum current consumption */ 647 sd->data[1] = 0x01; 648 sd->data[2] = 0x80; /* Supported group 6 functions */ 649 sd->data[3] = 0x01; 650 sd->data[4] = 0x80; /* Supported group 5 functions */ 651 sd->data[5] = 0x01; 652 sd->data[6] = 0x80; /* Supported group 4 functions */ 653 sd->data[7] = 0x01; 654 sd->data[8] = 0x80; /* Supported group 3 functions */ 655 sd->data[9] = 0x01; 656 sd->data[10] = 0x80; /* Supported group 2 functions */ 657 sd->data[11] = 0x43; 658 sd->data[12] = 0x80; /* Supported group 1 functions */ 659 sd->data[13] = 0x03; 660 for (i = 0; i < 6; i ++) { 661 new_func = (arg >> (i * 4)) & 0x0f; 662 if (mode && new_func != 0x0f) 663 sd->function_group[i] = new_func; 664 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4); 665 } 666 memset(&sd->data[17], 0, 47); 667 crc = sd_crc16(sd->data, 64); 668 sd->data[65] = crc >> 8; 669 sd->data[66] = crc & 0xff; 670 } 671 672 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 673 { 674 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 675 } 676 677 static void sd_lock_command(SDState *sd) 678 { 679 int erase, lock, clr_pwd, set_pwd, pwd_len; 680 erase = !!(sd->data[0] & 0x08); 681 lock = sd->data[0] & 0x04; 682 clr_pwd = sd->data[0] & 0x02; 683 set_pwd = sd->data[0] & 0x01; 684 685 if (sd->blk_len > 1) 686 pwd_len = sd->data[1]; 687 else 688 pwd_len = 0; 689 690 if (erase) { 691 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 692 set_pwd || clr_pwd || lock || sd->wp_switch || 693 (sd->csd[14] & 0x20)) { 694 sd->card_status |= LOCK_UNLOCK_FAILED; 695 return; 696 } 697 bitmap_zero(sd->wp_groups, sd->wpgrps_size); 698 sd->csd[14] &= ~0x10; 699 sd->card_status &= ~CARD_IS_LOCKED; 700 sd->pwd_len = 0; 701 /* Erasing the entire card here! */ 702 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 703 return; 704 } 705 706 if (sd->blk_len < 2 + pwd_len || 707 pwd_len <= sd->pwd_len || 708 pwd_len > sd->pwd_len + 16) { 709 sd->card_status |= LOCK_UNLOCK_FAILED; 710 return; 711 } 712 713 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 714 sd->card_status |= LOCK_UNLOCK_FAILED; 715 return; 716 } 717 718 pwd_len -= sd->pwd_len; 719 if ((pwd_len && !set_pwd) || 720 (clr_pwd && (set_pwd || lock)) || 721 (lock && !sd->pwd_len && !set_pwd) || 722 (!set_pwd && !clr_pwd && 723 (((sd->card_status & CARD_IS_LOCKED) && lock) || 724 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 725 sd->card_status |= LOCK_UNLOCK_FAILED; 726 return; 727 } 728 729 if (set_pwd) { 730 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 731 sd->pwd_len = pwd_len; 732 } 733 734 if (clr_pwd) { 735 sd->pwd_len = 0; 736 } 737 738 if (lock) 739 sd->card_status |= CARD_IS_LOCKED; 740 else 741 sd->card_status &= ~CARD_IS_LOCKED; 742 } 743 744 static sd_rsp_type_t sd_normal_command(SDState *sd, 745 SDRequest req) 746 { 747 uint32_t rca = 0x0000; 748 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg; 749 750 /* Not interpreting this as an app command */ 751 sd->card_status &= ~APP_CMD; 752 753 if (sd_cmd_type[req.cmd & 0x3F] == sd_ac 754 || sd_cmd_type[req.cmd & 0x3F] == sd_adtc) { 755 rca = req.arg >> 16; 756 } 757 758 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 759 * if not, its effects are cancelled */ 760 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 761 sd->multi_blk_cnt = 0; 762 } 763 764 DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state); 765 switch (req.cmd) { 766 /* Basic commands (Class 0 and Class 1) */ 767 case 0: /* CMD0: GO_IDLE_STATE */ 768 switch (sd->state) { 769 case sd_inactive_state: 770 return sd->spi ? sd_r1 : sd_r0; 771 772 default: 773 sd->state = sd_idle_state; 774 sd_reset(DEVICE(sd)); 775 return sd->spi ? sd_r1 : sd_r0; 776 } 777 break; 778 779 case 1: /* CMD1: SEND_OP_CMD */ 780 if (!sd->spi) 781 goto bad_cmd; 782 783 sd->state = sd_transfer_state; 784 return sd_r1; 785 786 case 2: /* CMD2: ALL_SEND_CID */ 787 if (sd->spi) 788 goto bad_cmd; 789 switch (sd->state) { 790 case sd_ready_state: 791 sd->state = sd_identification_state; 792 return sd_r2_i; 793 794 default: 795 break; 796 } 797 break; 798 799 case 3: /* CMD3: SEND_RELATIVE_ADDR */ 800 if (sd->spi) 801 goto bad_cmd; 802 switch (sd->state) { 803 case sd_identification_state: 804 case sd_standby_state: 805 sd->state = sd_standby_state; 806 sd_set_rca(sd); 807 return sd_r6; 808 809 default: 810 break; 811 } 812 break; 813 814 case 4: /* CMD4: SEND_DSR */ 815 if (sd->spi) 816 goto bad_cmd; 817 switch (sd->state) { 818 case sd_standby_state: 819 break; 820 821 default: 822 break; 823 } 824 break; 825 826 case 5: /* CMD5: reserved for SDIO cards */ 827 return sd_illegal; 828 829 case 6: /* CMD6: SWITCH_FUNCTION */ 830 if (sd->spi) 831 goto bad_cmd; 832 switch (sd->mode) { 833 case sd_data_transfer_mode: 834 sd_function_switch(sd, req.arg); 835 sd->state = sd_sendingdata_state; 836 sd->data_start = 0; 837 sd->data_offset = 0; 838 return sd_r1; 839 840 default: 841 break; 842 } 843 break; 844 845 case 7: /* CMD7: SELECT/DESELECT_CARD */ 846 if (sd->spi) 847 goto bad_cmd; 848 switch (sd->state) { 849 case sd_standby_state: 850 if (sd->rca != rca) 851 return sd_r0; 852 853 sd->state = sd_transfer_state; 854 return sd_r1b; 855 856 case sd_transfer_state: 857 case sd_sendingdata_state: 858 if (sd->rca == rca) 859 break; 860 861 sd->state = sd_standby_state; 862 return sd_r1b; 863 864 case sd_disconnect_state: 865 if (sd->rca != rca) 866 return sd_r0; 867 868 sd->state = sd_programming_state; 869 return sd_r1b; 870 871 case sd_programming_state: 872 if (sd->rca == rca) 873 break; 874 875 sd->state = sd_disconnect_state; 876 return sd_r1b; 877 878 default: 879 break; 880 } 881 break; 882 883 case 8: /* CMD8: SEND_IF_COND */ 884 /* Physical Layer Specification Version 2.00 command */ 885 switch (sd->state) { 886 case sd_idle_state: 887 sd->vhs = 0; 888 889 /* No response if not exactly one VHS bit is set. */ 890 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 891 return sd->spi ? sd_r7 : sd_r0; 892 } 893 894 /* Accept. */ 895 sd->vhs = req.arg; 896 return sd_r7; 897 898 default: 899 break; 900 } 901 break; 902 903 case 9: /* CMD9: SEND_CSD */ 904 switch (sd->state) { 905 case sd_standby_state: 906 if (sd->rca != rca) 907 return sd_r0; 908 909 return sd_r2_s; 910 911 case sd_transfer_state: 912 if (!sd->spi) 913 break; 914 sd->state = sd_sendingdata_state; 915 memcpy(sd->data, sd->csd, 16); 916 sd->data_start = addr; 917 sd->data_offset = 0; 918 return sd_r1; 919 920 default: 921 break; 922 } 923 break; 924 925 case 10: /* CMD10: SEND_CID */ 926 switch (sd->state) { 927 case sd_standby_state: 928 if (sd->rca != rca) 929 return sd_r0; 930 931 return sd_r2_i; 932 933 case sd_transfer_state: 934 if (!sd->spi) 935 break; 936 sd->state = sd_sendingdata_state; 937 memcpy(sd->data, sd->cid, 16); 938 sd->data_start = addr; 939 sd->data_offset = 0; 940 return sd_r1; 941 942 default: 943 break; 944 } 945 break; 946 947 case 11: /* CMD11: READ_DAT_UNTIL_STOP */ 948 if (sd->spi) 949 goto bad_cmd; 950 switch (sd->state) { 951 case sd_transfer_state: 952 sd->state = sd_sendingdata_state; 953 sd->data_start = req.arg; 954 sd->data_offset = 0; 955 956 if (sd->data_start + sd->blk_len > sd->size) 957 sd->card_status |= ADDRESS_ERROR; 958 return sd_r0; 959 960 default: 961 break; 962 } 963 break; 964 965 case 12: /* CMD12: STOP_TRANSMISSION */ 966 switch (sd->state) { 967 case sd_sendingdata_state: 968 sd->state = sd_transfer_state; 969 return sd_r1b; 970 971 case sd_receivingdata_state: 972 sd->state = sd_programming_state; 973 /* Bzzzzzzztt .... Operation complete. */ 974 sd->state = sd_transfer_state; 975 return sd_r1b; 976 977 default: 978 break; 979 } 980 break; 981 982 case 13: /* CMD13: SEND_STATUS */ 983 switch (sd->mode) { 984 case sd_data_transfer_mode: 985 if (sd->rca != rca) 986 return sd_r0; 987 988 return sd_r1; 989 990 default: 991 break; 992 } 993 break; 994 995 case 15: /* CMD15: GO_INACTIVE_STATE */ 996 if (sd->spi) 997 goto bad_cmd; 998 switch (sd->mode) { 999 case sd_data_transfer_mode: 1000 if (sd->rca != rca) 1001 return sd_r0; 1002 1003 sd->state = sd_inactive_state; 1004 return sd_r0; 1005 1006 default: 1007 break; 1008 } 1009 break; 1010 1011 /* Block read commands (Classs 2) */ 1012 case 16: /* CMD16: SET_BLOCKLEN */ 1013 switch (sd->state) { 1014 case sd_transfer_state: 1015 if (req.arg > (1 << HWBLOCK_SHIFT)) 1016 sd->card_status |= BLOCK_LEN_ERROR; 1017 else 1018 sd->blk_len = req.arg; 1019 1020 return sd_r1; 1021 1022 default: 1023 break; 1024 } 1025 break; 1026 1027 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1028 switch (sd->state) { 1029 case sd_transfer_state: 1030 sd->state = sd_sendingdata_state; 1031 sd->data_start = addr; 1032 sd->data_offset = 0; 1033 1034 if (sd->data_start + sd->blk_len > sd->size) 1035 sd->card_status |= ADDRESS_ERROR; 1036 return sd_r1; 1037 1038 default: 1039 break; 1040 } 1041 break; 1042 1043 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1044 switch (sd->state) { 1045 case sd_transfer_state: 1046 sd->state = sd_sendingdata_state; 1047 sd->data_start = addr; 1048 sd->data_offset = 0; 1049 1050 if (sd->data_start + sd->blk_len > sd->size) 1051 sd->card_status |= ADDRESS_ERROR; 1052 return sd_r1; 1053 1054 default: 1055 break; 1056 } 1057 break; 1058 1059 case 23: /* CMD23: SET_BLOCK_COUNT */ 1060 switch (sd->state) { 1061 case sd_transfer_state: 1062 sd->multi_blk_cnt = req.arg; 1063 return sd_r1; 1064 1065 default: 1066 break; 1067 } 1068 break; 1069 1070 /* Block write commands (Class 4) */ 1071 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1072 if (sd->spi) 1073 goto unimplemented_cmd; 1074 switch (sd->state) { 1075 case sd_transfer_state: 1076 /* Writing in SPI mode not implemented. */ 1077 if (sd->spi) 1078 break; 1079 sd->state = sd_receivingdata_state; 1080 sd->data_start = addr; 1081 sd->data_offset = 0; 1082 sd->blk_written = 0; 1083 1084 if (sd->data_start + sd->blk_len > sd->size) 1085 sd->card_status |= ADDRESS_ERROR; 1086 if (sd_wp_addr(sd, sd->data_start)) 1087 sd->card_status |= WP_VIOLATION; 1088 if (sd->csd[14] & 0x30) 1089 sd->card_status |= WP_VIOLATION; 1090 return sd_r1; 1091 1092 default: 1093 break; 1094 } 1095 break; 1096 1097 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1098 if (sd->spi) 1099 goto unimplemented_cmd; 1100 switch (sd->state) { 1101 case sd_transfer_state: 1102 /* Writing in SPI mode not implemented. */ 1103 if (sd->spi) 1104 break; 1105 sd->state = sd_receivingdata_state; 1106 sd->data_start = addr; 1107 sd->data_offset = 0; 1108 sd->blk_written = 0; 1109 1110 if (sd->data_start + sd->blk_len > sd->size) 1111 sd->card_status |= ADDRESS_ERROR; 1112 if (sd_wp_addr(sd, sd->data_start)) 1113 sd->card_status |= WP_VIOLATION; 1114 if (sd->csd[14] & 0x30) 1115 sd->card_status |= WP_VIOLATION; 1116 return sd_r1; 1117 1118 default: 1119 break; 1120 } 1121 break; 1122 1123 case 26: /* CMD26: PROGRAM_CID */ 1124 if (sd->spi) 1125 goto bad_cmd; 1126 switch (sd->state) { 1127 case sd_transfer_state: 1128 sd->state = sd_receivingdata_state; 1129 sd->data_start = 0; 1130 sd->data_offset = 0; 1131 return sd_r1; 1132 1133 default: 1134 break; 1135 } 1136 break; 1137 1138 case 27: /* CMD27: PROGRAM_CSD */ 1139 if (sd->spi) 1140 goto unimplemented_cmd; 1141 switch (sd->state) { 1142 case sd_transfer_state: 1143 sd->state = sd_receivingdata_state; 1144 sd->data_start = 0; 1145 sd->data_offset = 0; 1146 return sd_r1; 1147 1148 default: 1149 break; 1150 } 1151 break; 1152 1153 /* Write protection (Class 6) */ 1154 case 28: /* CMD28: SET_WRITE_PROT */ 1155 switch (sd->state) { 1156 case sd_transfer_state: 1157 if (addr >= sd->size) { 1158 sd->card_status |= ADDRESS_ERROR; 1159 return sd_r1b; 1160 } 1161 1162 sd->state = sd_programming_state; 1163 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1164 /* Bzzzzzzztt .... Operation complete. */ 1165 sd->state = sd_transfer_state; 1166 return sd_r1b; 1167 1168 default: 1169 break; 1170 } 1171 break; 1172 1173 case 29: /* CMD29: CLR_WRITE_PROT */ 1174 switch (sd->state) { 1175 case sd_transfer_state: 1176 if (addr >= sd->size) { 1177 sd->card_status |= ADDRESS_ERROR; 1178 return sd_r1b; 1179 } 1180 1181 sd->state = sd_programming_state; 1182 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1183 /* Bzzzzzzztt .... Operation complete. */ 1184 sd->state = sd_transfer_state; 1185 return sd_r1b; 1186 1187 default: 1188 break; 1189 } 1190 break; 1191 1192 case 30: /* CMD30: SEND_WRITE_PROT */ 1193 switch (sd->state) { 1194 case sd_transfer_state: 1195 sd->state = sd_sendingdata_state; 1196 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg); 1197 sd->data_start = addr; 1198 sd->data_offset = 0; 1199 return sd_r1b; 1200 1201 default: 1202 break; 1203 } 1204 break; 1205 1206 /* Erase commands (Class 5) */ 1207 case 32: /* CMD32: ERASE_WR_BLK_START */ 1208 switch (sd->state) { 1209 case sd_transfer_state: 1210 sd->erase_start = req.arg; 1211 return sd_r1; 1212 1213 default: 1214 break; 1215 } 1216 break; 1217 1218 case 33: /* CMD33: ERASE_WR_BLK_END */ 1219 switch (sd->state) { 1220 case sd_transfer_state: 1221 sd->erase_end = req.arg; 1222 return sd_r1; 1223 1224 default: 1225 break; 1226 } 1227 break; 1228 1229 case 38: /* CMD38: ERASE */ 1230 switch (sd->state) { 1231 case sd_transfer_state: 1232 if (sd->csd[14] & 0x30) { 1233 sd->card_status |= WP_VIOLATION; 1234 return sd_r1b; 1235 } 1236 1237 sd->state = sd_programming_state; 1238 sd_erase(sd); 1239 /* Bzzzzzzztt .... Operation complete. */ 1240 sd->state = sd_transfer_state; 1241 return sd_r1b; 1242 1243 default: 1244 break; 1245 } 1246 break; 1247 1248 /* Lock card commands (Class 7) */ 1249 case 42: /* CMD42: LOCK_UNLOCK */ 1250 if (sd->spi) 1251 goto unimplemented_cmd; 1252 switch (sd->state) { 1253 case sd_transfer_state: 1254 sd->state = sd_receivingdata_state; 1255 sd->data_start = 0; 1256 sd->data_offset = 0; 1257 return sd_r1; 1258 1259 default: 1260 break; 1261 } 1262 break; 1263 1264 case 52: 1265 case 53: 1266 /* CMD52, CMD53: reserved for SDIO cards 1267 * (see the SDIO Simplified Specification V2.0) 1268 * Handle as illegal command but do not complain 1269 * on stderr, as some OSes may use these in their 1270 * probing for presence of an SDIO card. 1271 */ 1272 return sd_illegal; 1273 1274 /* Application specific commands (Class 8) */ 1275 case 55: /* CMD55: APP_CMD */ 1276 if (sd->rca != rca) 1277 return sd_r0; 1278 1279 sd->expecting_acmd = true; 1280 sd->card_status |= APP_CMD; 1281 return sd_r1; 1282 1283 case 56: /* CMD56: GEN_CMD */ 1284 fprintf(stderr, "SD: GEN_CMD 0x%08x\n", req.arg); 1285 1286 switch (sd->state) { 1287 case sd_transfer_state: 1288 sd->data_offset = 0; 1289 if (req.arg & 1) 1290 sd->state = sd_sendingdata_state; 1291 else 1292 sd->state = sd_receivingdata_state; 1293 return sd_r1; 1294 1295 default: 1296 break; 1297 } 1298 break; 1299 1300 default: 1301 bad_cmd: 1302 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1303 return sd_illegal; 1304 1305 unimplemented_cmd: 1306 /* Commands that are recognised but not yet implemented in SPI mode. */ 1307 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1308 req.cmd); 1309 return sd_illegal; 1310 } 1311 1312 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd); 1313 return sd_illegal; 1314 } 1315 1316 static sd_rsp_type_t sd_app_command(SDState *sd, 1317 SDRequest req) 1318 { 1319 DPRINTF("ACMD%d 0x%08x\n", req.cmd, req.arg); 1320 sd->card_status |= APP_CMD; 1321 switch (req.cmd) { 1322 case 6: /* ACMD6: SET_BUS_WIDTH */ 1323 switch (sd->state) { 1324 case sd_transfer_state: 1325 sd->sd_status[0] &= 0x3f; 1326 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1327 return sd_r1; 1328 1329 default: 1330 break; 1331 } 1332 break; 1333 1334 case 13: /* ACMD13: SD_STATUS */ 1335 switch (sd->state) { 1336 case sd_transfer_state: 1337 sd->state = sd_sendingdata_state; 1338 sd->data_start = 0; 1339 sd->data_offset = 0; 1340 return sd_r1; 1341 1342 default: 1343 break; 1344 } 1345 break; 1346 1347 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1348 switch (sd->state) { 1349 case sd_transfer_state: 1350 *(uint32_t *) sd->data = sd->blk_written; 1351 1352 sd->state = sd_sendingdata_state; 1353 sd->data_start = 0; 1354 sd->data_offset = 0; 1355 return sd_r1; 1356 1357 default: 1358 break; 1359 } 1360 break; 1361 1362 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */ 1363 switch (sd->state) { 1364 case sd_transfer_state: 1365 return sd_r1; 1366 1367 default: 1368 break; 1369 } 1370 break; 1371 1372 case 41: /* ACMD41: SD_APP_OP_COND */ 1373 if (sd->spi) { 1374 /* SEND_OP_CMD */ 1375 sd->state = sd_transfer_state; 1376 return sd_r1; 1377 } 1378 switch (sd->state) { 1379 case sd_idle_state: 1380 /* If it's the first ACMD41 since reset, we need to decide 1381 * whether to power up. If this is not an enquiry ACMD41, 1382 * we immediately report power on and proceed below to the 1383 * ready state, but if it is, we set a timer to model a 1384 * delay for power up. This works around a bug in EDK2 1385 * UEFI, which sends an initial enquiry ACMD41, but 1386 * assumes that the card is in ready state as soon as it 1387 * sees the power up bit set. */ 1388 if (!(sd->ocr & OCR_POWER_UP)) { 1389 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1390 timer_del(sd->ocr_power_timer); 1391 sd_ocr_powerup(sd); 1392 } else if (!timer_pending(sd->ocr_power_timer)) { 1393 timer_mod_ns(sd->ocr_power_timer, 1394 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1395 + OCR_POWER_DELAY_NS)); 1396 } 1397 } 1398 1399 /* We accept any voltage. 10000 V is nothing. 1400 * 1401 * Once we're powered up, we advance straight to ready state 1402 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1403 */ 1404 if (req.arg & ACMD41_ENQUIRY_MASK) { 1405 sd->state = sd_ready_state; 1406 } 1407 1408 return sd_r3; 1409 1410 default: 1411 break; 1412 } 1413 break; 1414 1415 case 42: /* ACMD42: SET_CLR_CARD_DETECT */ 1416 switch (sd->state) { 1417 case sd_transfer_state: 1418 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1419 return sd_r1; 1420 1421 default: 1422 break; 1423 } 1424 break; 1425 1426 case 51: /* ACMD51: SEND_SCR */ 1427 switch (sd->state) { 1428 case sd_transfer_state: 1429 sd->state = sd_sendingdata_state; 1430 sd->data_start = 0; 1431 sd->data_offset = 0; 1432 return sd_r1; 1433 1434 default: 1435 break; 1436 } 1437 break; 1438 1439 default: 1440 /* Fall back to standard commands. */ 1441 return sd_normal_command(sd, req); 1442 } 1443 1444 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1445 return sd_illegal; 1446 } 1447 1448 static int cmd_valid_while_locked(SDState *sd, SDRequest *req) 1449 { 1450 /* Valid commands in locked state: 1451 * basic class (0) 1452 * lock card class (7) 1453 * CMD16 1454 * implicitly, the ACMD prefix CMD55 1455 * ACMD41 and ACMD42 1456 * Anything else provokes an "illegal command" response. 1457 */ 1458 if (sd->expecting_acmd) { 1459 return req->cmd == 41 || req->cmd == 42; 1460 } 1461 if (req->cmd == 16 || req->cmd == 55) { 1462 return 1; 1463 } 1464 return sd_cmd_class[req->cmd & 0x3F] == 0 1465 || sd_cmd_class[req->cmd & 0x3F] == 7; 1466 } 1467 1468 int sd_do_command(SDState *sd, SDRequest *req, 1469 uint8_t *response) { 1470 int last_state; 1471 sd_rsp_type_t rtype; 1472 int rsplen; 1473 1474 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1475 return 0; 1476 } 1477 1478 if (sd_req_crc_validate(req)) { 1479 sd->card_status |= COM_CRC_ERROR; 1480 rtype = sd_illegal; 1481 goto send_response; 1482 } 1483 1484 if (sd->card_status & CARD_IS_LOCKED) { 1485 if (!cmd_valid_while_locked(sd, req)) { 1486 sd->card_status |= ILLEGAL_COMMAND; 1487 sd->expecting_acmd = false; 1488 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1489 rtype = sd_illegal; 1490 goto send_response; 1491 } 1492 } 1493 1494 last_state = sd->state; 1495 sd_set_mode(sd); 1496 1497 if (sd->expecting_acmd) { 1498 sd->expecting_acmd = false; 1499 rtype = sd_app_command(sd, *req); 1500 } else { 1501 rtype = sd_normal_command(sd, *req); 1502 } 1503 1504 if (rtype == sd_illegal) { 1505 sd->card_status |= ILLEGAL_COMMAND; 1506 } else { 1507 /* Valid command, we can update the 'state before command' bits. 1508 * (Do this now so they appear in r1 responses.) 1509 */ 1510 sd->current_cmd = req->cmd; 1511 sd->card_status &= ~CURRENT_STATE; 1512 sd->card_status |= (last_state << 9); 1513 } 1514 1515 send_response: 1516 switch (rtype) { 1517 case sd_r1: 1518 case sd_r1b: 1519 sd_response_r1_make(sd, response); 1520 rsplen = 4; 1521 break; 1522 1523 case sd_r2_i: 1524 memcpy(response, sd->cid, sizeof(sd->cid)); 1525 rsplen = 16; 1526 break; 1527 1528 case sd_r2_s: 1529 memcpy(response, sd->csd, sizeof(sd->csd)); 1530 rsplen = 16; 1531 break; 1532 1533 case sd_r3: 1534 sd_response_r3_make(sd, response); 1535 rsplen = 4; 1536 break; 1537 1538 case sd_r6: 1539 sd_response_r6_make(sd, response); 1540 rsplen = 4; 1541 break; 1542 1543 case sd_r7: 1544 sd_response_r7_make(sd, response); 1545 rsplen = 4; 1546 break; 1547 1548 case sd_r0: 1549 case sd_illegal: 1550 default: 1551 rsplen = 0; 1552 break; 1553 } 1554 1555 if (rtype != sd_illegal) { 1556 /* Clear the "clear on valid command" status bits now we've 1557 * sent any response 1558 */ 1559 sd->card_status &= ~CARD_STATUS_B; 1560 } 1561 1562 #ifdef DEBUG_SD 1563 if (rsplen) { 1564 int i; 1565 DPRINTF("Response:"); 1566 for (i = 0; i < rsplen; i++) 1567 fprintf(stderr, " %02x", response[i]); 1568 fprintf(stderr, " state %d\n", sd->state); 1569 } else { 1570 DPRINTF("No response %d\n", sd->state); 1571 } 1572 #endif 1573 1574 return rsplen; 1575 } 1576 1577 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 1578 { 1579 uint64_t end = addr + len; 1580 1581 DPRINTF("sd_blk_read: addr = 0x%08llx, len = %d\n", 1582 (unsigned long long) addr, len); 1583 if (!sd->blk || blk_read(sd->blk, addr >> 9, sd->buf, 1) < 0) { 1584 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1585 return; 1586 } 1587 1588 if (end > (addr & ~511) + 512) { 1589 memcpy(sd->data, sd->buf + (addr & 511), 512 - (addr & 511)); 1590 1591 if (blk_read(sd->blk, end >> 9, sd->buf, 1) < 0) { 1592 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1593 return; 1594 } 1595 memcpy(sd->data + 512 - (addr & 511), sd->buf, end & 511); 1596 } else 1597 memcpy(sd->data, sd->buf + (addr & 511), len); 1598 } 1599 1600 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 1601 { 1602 uint64_t end = addr + len; 1603 1604 if ((addr & 511) || len < 512) 1605 if (!sd->blk || blk_read(sd->blk, addr >> 9, sd->buf, 1) < 0) { 1606 fprintf(stderr, "sd_blk_write: read error on host side\n"); 1607 return; 1608 } 1609 1610 if (end > (addr & ~511) + 512) { 1611 memcpy(sd->buf + (addr & 511), sd->data, 512 - (addr & 511)); 1612 if (blk_write(sd->blk, addr >> 9, sd->buf, 1) < 0) { 1613 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1614 return; 1615 } 1616 1617 if (blk_read(sd->blk, end >> 9, sd->buf, 1) < 0) { 1618 fprintf(stderr, "sd_blk_write: read error on host side\n"); 1619 return; 1620 } 1621 memcpy(sd->buf, sd->data + 512 - (addr & 511), end & 511); 1622 if (blk_write(sd->blk, end >> 9, sd->buf, 1) < 0) { 1623 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1624 } 1625 } else { 1626 memcpy(sd->buf + (addr & 511), sd->data, len); 1627 if (!sd->blk || blk_write(sd->blk, addr >> 9, sd->buf, 1) < 0) { 1628 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1629 } 1630 } 1631 } 1632 1633 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len) 1634 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len) 1635 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 1636 #define APP_WRITE_BLOCK(a, len) 1637 1638 void sd_write_data(SDState *sd, uint8_t value) 1639 { 1640 int i; 1641 1642 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1643 return; 1644 1645 if (sd->state != sd_receivingdata_state) { 1646 qemu_log_mask(LOG_GUEST_ERROR, 1647 "sd_write_data: not in Receiving-Data state\n"); 1648 return; 1649 } 1650 1651 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1652 return; 1653 1654 switch (sd->current_cmd) { 1655 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1656 sd->data[sd->data_offset ++] = value; 1657 if (sd->data_offset >= sd->blk_len) { 1658 /* TODO: Check CRC before committing */ 1659 sd->state = sd_programming_state; 1660 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1661 sd->blk_written ++; 1662 sd->csd[14] |= 0x40; 1663 /* Bzzzzzzztt .... Operation complete. */ 1664 sd->state = sd_transfer_state; 1665 } 1666 break; 1667 1668 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1669 if (sd->data_offset == 0) { 1670 /* Start of the block - let's check the address is valid */ 1671 if (sd->data_start + sd->blk_len > sd->size) { 1672 sd->card_status |= ADDRESS_ERROR; 1673 break; 1674 } 1675 if (sd_wp_addr(sd, sd->data_start)) { 1676 sd->card_status |= WP_VIOLATION; 1677 break; 1678 } 1679 } 1680 sd->data[sd->data_offset++] = value; 1681 if (sd->data_offset >= sd->blk_len) { 1682 /* TODO: Check CRC before committing */ 1683 sd->state = sd_programming_state; 1684 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1685 sd->blk_written++; 1686 sd->data_start += sd->blk_len; 1687 sd->data_offset = 0; 1688 sd->csd[14] |= 0x40; 1689 1690 /* Bzzzzzzztt .... Operation complete. */ 1691 if (sd->multi_blk_cnt != 0) { 1692 if (--sd->multi_blk_cnt == 0) { 1693 /* Stop! */ 1694 sd->state = sd_transfer_state; 1695 break; 1696 } 1697 } 1698 1699 sd->state = sd_receivingdata_state; 1700 } 1701 break; 1702 1703 case 26: /* CMD26: PROGRAM_CID */ 1704 sd->data[sd->data_offset ++] = value; 1705 if (sd->data_offset >= sizeof(sd->cid)) { 1706 /* TODO: Check CRC before committing */ 1707 sd->state = sd_programming_state; 1708 for (i = 0; i < sizeof(sd->cid); i ++) 1709 if ((sd->cid[i] | 0x00) != sd->data[i]) 1710 sd->card_status |= CID_CSD_OVERWRITE; 1711 1712 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1713 for (i = 0; i < sizeof(sd->cid); i ++) { 1714 sd->cid[i] |= 0x00; 1715 sd->cid[i] &= sd->data[i]; 1716 } 1717 /* Bzzzzzzztt .... Operation complete. */ 1718 sd->state = sd_transfer_state; 1719 } 1720 break; 1721 1722 case 27: /* CMD27: PROGRAM_CSD */ 1723 sd->data[sd->data_offset ++] = value; 1724 if (sd->data_offset >= sizeof(sd->csd)) { 1725 /* TODO: Check CRC before committing */ 1726 sd->state = sd_programming_state; 1727 for (i = 0; i < sizeof(sd->csd); i ++) 1728 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 1729 (sd->data[i] | sd_csd_rw_mask[i])) 1730 sd->card_status |= CID_CSD_OVERWRITE; 1731 1732 /* Copy flag (OTP) & Permanent write protect */ 1733 if (sd->csd[14] & ~sd->data[14] & 0x60) 1734 sd->card_status |= CID_CSD_OVERWRITE; 1735 1736 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1737 for (i = 0; i < sizeof(sd->csd); i ++) { 1738 sd->csd[i] |= sd_csd_rw_mask[i]; 1739 sd->csd[i] &= sd->data[i]; 1740 } 1741 /* Bzzzzzzztt .... Operation complete. */ 1742 sd->state = sd_transfer_state; 1743 } 1744 break; 1745 1746 case 42: /* CMD42: LOCK_UNLOCK */ 1747 sd->data[sd->data_offset ++] = value; 1748 if (sd->data_offset >= sd->blk_len) { 1749 /* TODO: Check CRC before committing */ 1750 sd->state = sd_programming_state; 1751 sd_lock_command(sd); 1752 /* Bzzzzzzztt .... Operation complete. */ 1753 sd->state = sd_transfer_state; 1754 } 1755 break; 1756 1757 case 56: /* CMD56: GEN_CMD */ 1758 sd->data[sd->data_offset ++] = value; 1759 if (sd->data_offset >= sd->blk_len) { 1760 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 1761 sd->state = sd_transfer_state; 1762 } 1763 break; 1764 1765 default: 1766 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n"); 1767 break; 1768 } 1769 } 1770 1771 uint8_t sd_read_data(SDState *sd) 1772 { 1773 /* TODO: Append CRCs */ 1774 uint8_t ret; 1775 int io_len; 1776 1777 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1778 return 0x00; 1779 1780 if (sd->state != sd_sendingdata_state) { 1781 qemu_log_mask(LOG_GUEST_ERROR, 1782 "sd_read_data: not in Sending-Data state\n"); 1783 return 0x00; 1784 } 1785 1786 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1787 return 0x00; 1788 1789 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len; 1790 1791 switch (sd->current_cmd) { 1792 case 6: /* CMD6: SWITCH_FUNCTION */ 1793 ret = sd->data[sd->data_offset ++]; 1794 1795 if (sd->data_offset >= 64) 1796 sd->state = sd_transfer_state; 1797 break; 1798 1799 case 9: /* CMD9: SEND_CSD */ 1800 case 10: /* CMD10: SEND_CID */ 1801 ret = sd->data[sd->data_offset ++]; 1802 1803 if (sd->data_offset >= 16) 1804 sd->state = sd_transfer_state; 1805 break; 1806 1807 case 11: /* CMD11: READ_DAT_UNTIL_STOP */ 1808 if (sd->data_offset == 0) 1809 BLK_READ_BLOCK(sd->data_start, io_len); 1810 ret = sd->data[sd->data_offset ++]; 1811 1812 if (sd->data_offset >= io_len) { 1813 sd->data_start += io_len; 1814 sd->data_offset = 0; 1815 if (sd->data_start + io_len > sd->size) { 1816 sd->card_status |= ADDRESS_ERROR; 1817 break; 1818 } 1819 } 1820 break; 1821 1822 case 13: /* ACMD13: SD_STATUS */ 1823 ret = sd->sd_status[sd->data_offset ++]; 1824 1825 if (sd->data_offset >= sizeof(sd->sd_status)) 1826 sd->state = sd_transfer_state; 1827 break; 1828 1829 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1830 if (sd->data_offset == 0) 1831 BLK_READ_BLOCK(sd->data_start, io_len); 1832 ret = sd->data[sd->data_offset ++]; 1833 1834 if (sd->data_offset >= io_len) 1835 sd->state = sd_transfer_state; 1836 break; 1837 1838 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1839 if (sd->data_offset == 0) 1840 BLK_READ_BLOCK(sd->data_start, io_len); 1841 ret = sd->data[sd->data_offset ++]; 1842 1843 if (sd->data_offset >= io_len) { 1844 sd->data_start += io_len; 1845 sd->data_offset = 0; 1846 1847 if (sd->multi_blk_cnt != 0) { 1848 if (--sd->multi_blk_cnt == 0) { 1849 /* Stop! */ 1850 sd->state = sd_transfer_state; 1851 break; 1852 } 1853 } 1854 1855 if (sd->data_start + io_len > sd->size) { 1856 sd->card_status |= ADDRESS_ERROR; 1857 break; 1858 } 1859 } 1860 break; 1861 1862 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1863 ret = sd->data[sd->data_offset ++]; 1864 1865 if (sd->data_offset >= 4) 1866 sd->state = sd_transfer_state; 1867 break; 1868 1869 case 30: /* CMD30: SEND_WRITE_PROT */ 1870 ret = sd->data[sd->data_offset ++]; 1871 1872 if (sd->data_offset >= 4) 1873 sd->state = sd_transfer_state; 1874 break; 1875 1876 case 51: /* ACMD51: SEND_SCR */ 1877 ret = sd->scr[sd->data_offset ++]; 1878 1879 if (sd->data_offset >= sizeof(sd->scr)) 1880 sd->state = sd_transfer_state; 1881 break; 1882 1883 case 56: /* CMD56: GEN_CMD */ 1884 if (sd->data_offset == 0) 1885 APP_READ_BLOCK(sd->data_start, sd->blk_len); 1886 ret = sd->data[sd->data_offset ++]; 1887 1888 if (sd->data_offset >= sd->blk_len) 1889 sd->state = sd_transfer_state; 1890 break; 1891 1892 default: 1893 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n"); 1894 return 0x00; 1895 } 1896 1897 return ret; 1898 } 1899 1900 bool sd_data_ready(SDState *sd) 1901 { 1902 return sd->state == sd_sendingdata_state; 1903 } 1904 1905 void sd_enable(SDState *sd, bool enable) 1906 { 1907 sd->enable = enable; 1908 } 1909 1910 static void sd_instance_init(Object *obj) 1911 { 1912 SDState *sd = SD_CARD(obj); 1913 1914 sd->enable = true; 1915 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 1916 } 1917 1918 static void sd_realize(DeviceState *dev, Error **errp) 1919 { 1920 SDState *sd = SD_CARD(dev); 1921 1922 if (sd->blk && blk_is_read_only(sd->blk)) { 1923 error_setg(errp, "Cannot use read-only drive as SD card"); 1924 return; 1925 } 1926 1927 sd->buf = blk_blockalign(sd->blk, 512); 1928 1929 if (sd->blk) { 1930 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 1931 } 1932 } 1933 1934 static Property sd_properties[] = { 1935 DEFINE_PROP_DRIVE("drive", SDState, blk), 1936 /* We do not model the chip select pin, so allow the board to select 1937 * whether card should be in SSI or MMC/SD mode. It is also up to the 1938 * board to ensure that ssi transfers only occur when the chip select 1939 * is asserted. */ 1940 DEFINE_PROP_BOOL("spi", SDState, spi, false), 1941 DEFINE_PROP_END_OF_LIST() 1942 }; 1943 1944 static void sd_class_init(ObjectClass *klass, void *data) 1945 { 1946 DeviceClass *dc = DEVICE_CLASS(klass); 1947 SDCardClass *sc = SD_CARD_CLASS(klass); 1948 1949 dc->realize = sd_realize; 1950 dc->props = sd_properties; 1951 dc->vmsd = &sd_vmstate; 1952 dc->reset = sd_reset; 1953 dc->bus_type = TYPE_SD_BUS; 1954 1955 sc->do_command = sd_do_command; 1956 sc->write_data = sd_write_data; 1957 sc->read_data = sd_read_data; 1958 sc->data_ready = sd_data_ready; 1959 sc->enable = sd_enable; 1960 sc->get_inserted = sd_get_inserted; 1961 sc->get_readonly = sd_get_readonly; 1962 } 1963 1964 static const TypeInfo sd_info = { 1965 .name = TYPE_SD_CARD, 1966 .parent = TYPE_DEVICE, 1967 .instance_size = sizeof(SDState), 1968 .class_size = sizeof(SDCardClass), 1969 .class_init = sd_class_init, 1970 .instance_init = sd_instance_init, 1971 }; 1972 1973 static void sd_register_types(void) 1974 { 1975 type_register_static(&sd_info); 1976 } 1977 1978 type_init(sd_register_types) 1979