1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 1.10." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "qemu/osdep.h" 33 #include "hw/qdev.h" 34 #include "hw/hw.h" 35 #include "sysemu/block-backend.h" 36 #include "hw/sd/sd.h" 37 #include "qapi/error.h" 38 #include "qemu/bitmap.h" 39 #include "hw/qdev-properties.h" 40 #include "qemu/error-report.h" 41 #include "qemu/timer.h" 42 43 //#define DEBUG_SD 1 44 45 #ifdef DEBUG_SD 46 #define DPRINTF(fmt, ...) \ 47 do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0) 48 #else 49 #define DPRINTF(fmt, ...) do {} while(0) 50 #endif 51 52 #define ACMD41_ENQUIRY_MASK 0x00ffffff 53 #define OCR_POWER_UP 0x80000000 54 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 55 56 typedef enum { 57 sd_r0 = 0, /* no response */ 58 sd_r1, /* normal response command */ 59 sd_r2_i, /* CID register */ 60 sd_r2_s, /* CSD register */ 61 sd_r3, /* OCR register */ 62 sd_r6 = 6, /* Published RCA response */ 63 sd_r7, /* Operating voltage */ 64 sd_r1b = -1, 65 sd_illegal = -2, 66 } sd_rsp_type_t; 67 68 enum SDCardModes { 69 sd_inactive, 70 sd_card_identification_mode, 71 sd_data_transfer_mode, 72 }; 73 74 enum SDCardStates { 75 sd_inactive_state = -1, 76 sd_idle_state = 0, 77 sd_ready_state, 78 sd_identification_state, 79 sd_standby_state, 80 sd_transfer_state, 81 sd_sendingdata_state, 82 sd_receivingdata_state, 83 sd_programming_state, 84 sd_disconnect_state, 85 }; 86 87 struct SDState { 88 DeviceState parent_obj; 89 90 uint32_t mode; /* current card mode, one of SDCardModes */ 91 int32_t state; /* current card state, one of SDCardStates */ 92 uint32_t ocr; 93 QEMUTimer *ocr_power_timer; 94 uint8_t scr[8]; 95 uint8_t cid[16]; 96 uint8_t csd[16]; 97 uint16_t rca; 98 uint32_t card_status; 99 uint8_t sd_status[64]; 100 uint32_t vhs; 101 bool wp_switch; 102 unsigned long *wp_groups; 103 int32_t wpgrps_size; 104 uint64_t size; 105 uint32_t blk_len; 106 uint32_t multi_blk_cnt; 107 uint32_t erase_start; 108 uint32_t erase_end; 109 uint8_t pwd[16]; 110 uint32_t pwd_len; 111 uint8_t function_group[6]; 112 113 bool spi; 114 uint8_t current_cmd; 115 /* True if we will handle the next command as an ACMD. Note that this does 116 * *not* track the APP_CMD status bit! 117 */ 118 bool expecting_acmd; 119 uint32_t blk_written; 120 uint64_t data_start; 121 uint32_t data_offset; 122 uint8_t data[512]; 123 qemu_irq readonly_cb; 124 qemu_irq inserted_cb; 125 BlockBackend *blk; 126 127 bool enable; 128 }; 129 130 static void sd_set_mode(SDState *sd) 131 { 132 switch (sd->state) { 133 case sd_inactive_state: 134 sd->mode = sd_inactive; 135 break; 136 137 case sd_idle_state: 138 case sd_ready_state: 139 case sd_identification_state: 140 sd->mode = sd_card_identification_mode; 141 break; 142 143 case sd_standby_state: 144 case sd_transfer_state: 145 case sd_sendingdata_state: 146 case sd_receivingdata_state: 147 case sd_programming_state: 148 case sd_disconnect_state: 149 sd->mode = sd_data_transfer_mode; 150 break; 151 } 152 } 153 154 static const sd_cmd_type_t sd_cmd_type[64] = { 155 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac, 156 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac, 157 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, 158 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none, 159 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none, 160 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none, 161 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, 162 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, 163 }; 164 165 static const int sd_cmd_class[64] = { 166 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 167 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6, 168 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7, 169 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8, 170 }; 171 172 static uint8_t sd_crc7(void *message, size_t width) 173 { 174 int i, bit; 175 uint8_t shift_reg = 0x00; 176 uint8_t *msg = (uint8_t *) message; 177 178 for (i = 0; i < width; i ++, msg ++) 179 for (bit = 7; bit >= 0; bit --) { 180 shift_reg <<= 1; 181 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 182 shift_reg ^= 0x89; 183 } 184 185 return shift_reg; 186 } 187 188 static uint16_t sd_crc16(void *message, size_t width) 189 { 190 int i, bit; 191 uint16_t shift_reg = 0x0000; 192 uint16_t *msg = (uint16_t *) message; 193 width <<= 1; 194 195 for (i = 0; i < width; i ++, msg ++) 196 for (bit = 15; bit >= 0; bit --) { 197 shift_reg <<= 1; 198 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1)) 199 shift_reg ^= 0x1011; 200 } 201 202 return shift_reg; 203 } 204 205 static void sd_set_ocr(SDState *sd) 206 { 207 /* All voltages OK, Standard Capacity SD Memory Card, not yet powered up */ 208 sd->ocr = 0x00ffff00; 209 } 210 211 static void sd_ocr_powerup(void *opaque) 212 { 213 SDState *sd = opaque; 214 215 /* Set powered up bit in OCR */ 216 assert(!(sd->ocr & OCR_POWER_UP)); 217 sd->ocr |= OCR_POWER_UP; 218 } 219 220 static void sd_set_scr(SDState *sd) 221 { 222 sd->scr[0] = 0x00; /* SCR Structure */ 223 sd->scr[1] = 0x2f; /* SD Security Support */ 224 sd->scr[2] = 0x00; 225 sd->scr[3] = 0x00; 226 sd->scr[4] = 0x00; 227 sd->scr[5] = 0x00; 228 sd->scr[6] = 0x00; 229 sd->scr[7] = 0x00; 230 } 231 232 #define MID 0xaa 233 #define OID "XY" 234 #define PNM "QEMU!" 235 #define PRV 0x01 236 #define MDT_YR 2006 237 #define MDT_MON 2 238 239 static void sd_set_cid(SDState *sd) 240 { 241 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 242 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 243 sd->cid[2] = OID[1]; 244 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 245 sd->cid[4] = PNM[1]; 246 sd->cid[5] = PNM[2]; 247 sd->cid[6] = PNM[3]; 248 sd->cid[7] = PNM[4]; 249 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 250 sd->cid[9] = 0xde; /* Fake serial number (PSN) */ 251 sd->cid[10] = 0xad; 252 sd->cid[11] = 0xbe; 253 sd->cid[12] = 0xef; 254 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 255 ((MDT_YR - 2000) / 10); 256 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 257 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 258 } 259 260 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 261 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 262 #define WPGROUP_SHIFT 7 /* 2 megs */ 263 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 264 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 265 266 static const uint8_t sd_csd_rw_mask[16] = { 267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 269 }; 270 271 static void sd_set_csd(SDState *sd, uint64_t size) 272 { 273 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1; 274 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 275 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 276 277 if (size <= 0x40000000) { /* Standard Capacity SD */ 278 sd->csd[0] = 0x00; /* CSD structure */ 279 sd->csd[1] = 0x26; /* Data read access-time-1 */ 280 sd->csd[2] = 0x00; /* Data read access-time-2 */ 281 sd->csd[3] = 0x5a; /* Max. data transfer rate */ 282 sd->csd[4] = 0x5f; /* Card Command Classes */ 283 sd->csd[5] = 0x50 | /* Max. read data block length */ 284 HWBLOCK_SHIFT; 285 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 286 ((csize >> 10) & 0x03); 287 sd->csd[7] = 0x00 | /* Device size */ 288 ((csize >> 2) & 0xff); 289 sd->csd[8] = 0x3f | /* Max. read current */ 290 ((csize << 6) & 0xc0); 291 sd->csd[9] = 0xfc | /* Max. write current */ 292 ((CMULT_SHIFT - 2) >> 1); 293 sd->csd[10] = 0x40 | /* Erase sector size */ 294 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 295 sd->csd[11] = 0x00 | /* Write protect group size */ 296 ((sectsize << 7) & 0x80) | wpsize; 297 sd->csd[12] = 0x90 | /* Write speed factor */ 298 (HWBLOCK_SHIFT >> 2); 299 sd->csd[13] = 0x20 | /* Max. write data block length */ 300 ((HWBLOCK_SHIFT << 6) & 0xc0); 301 sd->csd[14] = 0x00; /* File format group */ 302 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 303 } else { /* SDHC */ 304 size /= 512 * 1024; 305 size -= 1; 306 sd->csd[0] = 0x40; 307 sd->csd[1] = 0x0e; 308 sd->csd[2] = 0x00; 309 sd->csd[3] = 0x32; 310 sd->csd[4] = 0x5b; 311 sd->csd[5] = 0x59; 312 sd->csd[6] = 0x00; 313 sd->csd[7] = (size >> 16) & 0xff; 314 sd->csd[8] = (size >> 8) & 0xff; 315 sd->csd[9] = (size & 0xff); 316 sd->csd[10] = 0x7f; 317 sd->csd[11] = 0x80; 318 sd->csd[12] = 0x0a; 319 sd->csd[13] = 0x40; 320 sd->csd[14] = 0x00; 321 sd->csd[15] = 0x00; 322 sd->ocr |= 1 << 30; /* High Capacity SD Memory Card */ 323 } 324 } 325 326 static void sd_set_rca(SDState *sd) 327 { 328 sd->rca += 0x4567; 329 } 330 331 /* Card status bits, split by clear condition: 332 * A : According to the card current state 333 * B : Always related to the previous command 334 * C : Cleared by read 335 */ 336 #define CARD_STATUS_A 0x02004100 337 #define CARD_STATUS_B 0x00c01e00 338 #define CARD_STATUS_C 0xfd39a028 339 340 static void sd_set_cardstatus(SDState *sd) 341 { 342 sd->card_status = 0x00000100; 343 } 344 345 static void sd_set_sdstatus(SDState *sd) 346 { 347 memset(sd->sd_status, 0, 64); 348 } 349 350 static int sd_req_crc_validate(SDRequest *req) 351 { 352 uint8_t buffer[5]; 353 buffer[0] = 0x40 | req->cmd; 354 buffer[1] = (req->arg >> 24) & 0xff; 355 buffer[2] = (req->arg >> 16) & 0xff; 356 buffer[3] = (req->arg >> 8) & 0xff; 357 buffer[4] = (req->arg >> 0) & 0xff; 358 return 0; 359 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 360 } 361 362 static void sd_response_r1_make(SDState *sd, uint8_t *response) 363 { 364 uint32_t status = sd->card_status; 365 /* Clear the "clear on read" status bits */ 366 sd->card_status &= ~CARD_STATUS_C; 367 368 response[0] = (status >> 24) & 0xff; 369 response[1] = (status >> 16) & 0xff; 370 response[2] = (status >> 8) & 0xff; 371 response[3] = (status >> 0) & 0xff; 372 } 373 374 static void sd_response_r3_make(SDState *sd, uint8_t *response) 375 { 376 response[0] = (sd->ocr >> 24) & 0xff; 377 response[1] = (sd->ocr >> 16) & 0xff; 378 response[2] = (sd->ocr >> 8) & 0xff; 379 response[3] = (sd->ocr >> 0) & 0xff; 380 } 381 382 static void sd_response_r6_make(SDState *sd, uint8_t *response) 383 { 384 uint16_t arg; 385 uint16_t status; 386 387 arg = sd->rca; 388 status = ((sd->card_status >> 8) & 0xc000) | 389 ((sd->card_status >> 6) & 0x2000) | 390 (sd->card_status & 0x1fff); 391 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 392 393 response[0] = (arg >> 8) & 0xff; 394 response[1] = arg & 0xff; 395 response[2] = (status >> 8) & 0xff; 396 response[3] = status & 0xff; 397 } 398 399 static void sd_response_r7_make(SDState *sd, uint8_t *response) 400 { 401 response[0] = (sd->vhs >> 24) & 0xff; 402 response[1] = (sd->vhs >> 16) & 0xff; 403 response[2] = (sd->vhs >> 8) & 0xff; 404 response[3] = (sd->vhs >> 0) & 0xff; 405 } 406 407 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 408 { 409 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 410 } 411 412 static void sd_reset(DeviceState *dev) 413 { 414 SDState *sd = SD_CARD(dev); 415 uint64_t size; 416 uint64_t sect; 417 418 if (sd->blk) { 419 blk_get_geometry(sd->blk, §); 420 } else { 421 sect = 0; 422 } 423 size = sect << 9; 424 425 sect = sd_addr_to_wpnum(size) + 1; 426 427 sd->state = sd_idle_state; 428 sd->rca = 0x0000; 429 sd_set_ocr(sd); 430 sd_set_scr(sd); 431 sd_set_cid(sd); 432 sd_set_csd(sd, size); 433 sd_set_cardstatus(sd); 434 sd_set_sdstatus(sd); 435 436 g_free(sd->wp_groups); 437 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false; 438 sd->wpgrps_size = sect; 439 sd->wp_groups = bitmap_new(sd->wpgrps_size); 440 memset(sd->function_group, 0, sizeof(sd->function_group)); 441 sd->erase_start = 0; 442 sd->erase_end = 0; 443 sd->size = size; 444 sd->blk_len = 0x200; 445 sd->pwd_len = 0; 446 sd->expecting_acmd = false; 447 sd->multi_blk_cnt = 0; 448 } 449 450 static bool sd_get_inserted(SDState *sd) 451 { 452 return sd->blk && blk_is_inserted(sd->blk); 453 } 454 455 static bool sd_get_readonly(SDState *sd) 456 { 457 return sd->wp_switch; 458 } 459 460 static void sd_cardchange(void *opaque, bool load) 461 { 462 SDState *sd = opaque; 463 DeviceState *dev = DEVICE(sd); 464 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev)); 465 bool inserted = sd_get_inserted(sd); 466 bool readonly = sd_get_readonly(sd); 467 468 if (inserted) { 469 sd_reset(dev); 470 } 471 472 /* The IRQ notification is for legacy non-QOM SD controller devices; 473 * QOMified controllers use the SDBus APIs. 474 */ 475 if (sdbus) { 476 sdbus_set_inserted(sdbus, inserted); 477 if (inserted) { 478 sdbus_set_readonly(sdbus, readonly); 479 } 480 } else { 481 qemu_set_irq(sd->inserted_cb, inserted); 482 if (inserted) { 483 qemu_set_irq(sd->readonly_cb, readonly); 484 } 485 } 486 } 487 488 static const BlockDevOps sd_block_ops = { 489 .change_media_cb = sd_cardchange, 490 }; 491 492 static bool sd_ocr_vmstate_needed(void *opaque) 493 { 494 SDState *sd = opaque; 495 496 /* Include the OCR state (and timer) if it is not yet powered up */ 497 return !(sd->ocr & OCR_POWER_UP); 498 } 499 500 static const VMStateDescription sd_ocr_vmstate = { 501 .name = "sd-card/ocr-state", 502 .version_id = 1, 503 .minimum_version_id = 1, 504 .needed = sd_ocr_vmstate_needed, 505 .fields = (VMStateField[]) { 506 VMSTATE_UINT32(ocr, SDState), 507 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 508 VMSTATE_END_OF_LIST() 509 }, 510 }; 511 512 static int sd_vmstate_pre_load(void *opaque) 513 { 514 SDState *sd = opaque; 515 516 /* If the OCR state is not included (prior versions, or not 517 * needed), then the OCR must be set as powered up. If the OCR state 518 * is included, this will be replaced by the state restore. 519 */ 520 sd_ocr_powerup(sd); 521 522 return 0; 523 } 524 525 static const VMStateDescription sd_vmstate = { 526 .name = "sd-card", 527 .version_id = 1, 528 .minimum_version_id = 1, 529 .pre_load = sd_vmstate_pre_load, 530 .fields = (VMStateField[]) { 531 VMSTATE_UINT32(mode, SDState), 532 VMSTATE_INT32(state, SDState), 533 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 534 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 535 VMSTATE_UINT16(rca, SDState), 536 VMSTATE_UINT32(card_status, SDState), 537 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 538 VMSTATE_UINT32(vhs, SDState), 539 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size), 540 VMSTATE_UINT32(blk_len, SDState), 541 VMSTATE_UINT32(multi_blk_cnt, SDState), 542 VMSTATE_UINT32(erase_start, SDState), 543 VMSTATE_UINT32(erase_end, SDState), 544 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 545 VMSTATE_UINT32(pwd_len, SDState), 546 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 547 VMSTATE_UINT8(current_cmd, SDState), 548 VMSTATE_BOOL(expecting_acmd, SDState), 549 VMSTATE_UINT32(blk_written, SDState), 550 VMSTATE_UINT64(data_start, SDState), 551 VMSTATE_UINT32(data_offset, SDState), 552 VMSTATE_UINT8_ARRAY(data, SDState, 512), 553 VMSTATE_UNUSED_V(1, 512), 554 VMSTATE_BOOL(enable, SDState), 555 VMSTATE_END_OF_LIST() 556 }, 557 .subsections = (const VMStateDescription*[]) { 558 &sd_ocr_vmstate, 559 NULL 560 }, 561 }; 562 563 /* Legacy initialization function for use by non-qdevified callers */ 564 SDState *sd_init(BlockBackend *blk, bool is_spi) 565 { 566 Object *obj; 567 DeviceState *dev; 568 Error *err = NULL; 569 570 obj = object_new(TYPE_SD_CARD); 571 dev = DEVICE(obj); 572 qdev_prop_set_drive(dev, "drive", blk, &err); 573 if (err) { 574 error_report("sd_init failed: %s", error_get_pretty(err)); 575 return NULL; 576 } 577 qdev_prop_set_bit(dev, "spi", is_spi); 578 object_property_set_bool(obj, true, "realized", &err); 579 if (err) { 580 error_report("sd_init failed: %s", error_get_pretty(err)); 581 return NULL; 582 } 583 584 return SD_CARD(dev); 585 } 586 587 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 588 { 589 sd->readonly_cb = readonly; 590 sd->inserted_cb = insert; 591 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0); 592 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 593 } 594 595 static void sd_erase(SDState *sd) 596 { 597 int i; 598 uint64_t erase_start = sd->erase_start; 599 uint64_t erase_end = sd->erase_end; 600 601 if (!sd->erase_start || !sd->erase_end) { 602 sd->card_status |= ERASE_SEQ_ERROR; 603 return; 604 } 605 606 if (extract32(sd->ocr, OCR_CCS_BITN, 1)) { 607 /* High capacity memory card: erase units are 512 byte blocks */ 608 erase_start *= 512; 609 erase_end *= 512; 610 } 611 612 erase_start = sd_addr_to_wpnum(erase_start); 613 erase_end = sd_addr_to_wpnum(erase_end); 614 sd->erase_start = 0; 615 sd->erase_end = 0; 616 sd->csd[14] |= 0x40; 617 618 for (i = erase_start; i <= erase_end; i++) { 619 if (test_bit(i, sd->wp_groups)) { 620 sd->card_status |= WP_ERASE_SKIP; 621 } 622 } 623 } 624 625 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 626 { 627 uint32_t i, wpnum; 628 uint32_t ret = 0; 629 630 wpnum = sd_addr_to_wpnum(addr); 631 632 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 633 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { 634 ret |= (1 << i); 635 } 636 } 637 638 return ret; 639 } 640 641 static void sd_function_switch(SDState *sd, uint32_t arg) 642 { 643 int i, mode, new_func, crc; 644 mode = !!(arg & 0x80000000); 645 646 sd->data[0] = 0x00; /* Maximum current consumption */ 647 sd->data[1] = 0x01; 648 sd->data[2] = 0x80; /* Supported group 6 functions */ 649 sd->data[3] = 0x01; 650 sd->data[4] = 0x80; /* Supported group 5 functions */ 651 sd->data[5] = 0x01; 652 sd->data[6] = 0x80; /* Supported group 4 functions */ 653 sd->data[7] = 0x01; 654 sd->data[8] = 0x80; /* Supported group 3 functions */ 655 sd->data[9] = 0x01; 656 sd->data[10] = 0x80; /* Supported group 2 functions */ 657 sd->data[11] = 0x43; 658 sd->data[12] = 0x80; /* Supported group 1 functions */ 659 sd->data[13] = 0x03; 660 for (i = 0; i < 6; i ++) { 661 new_func = (arg >> (i * 4)) & 0x0f; 662 if (mode && new_func != 0x0f) 663 sd->function_group[i] = new_func; 664 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4); 665 } 666 memset(&sd->data[17], 0, 47); 667 crc = sd_crc16(sd->data, 64); 668 sd->data[65] = crc >> 8; 669 sd->data[66] = crc & 0xff; 670 } 671 672 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 673 { 674 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 675 } 676 677 static void sd_lock_command(SDState *sd) 678 { 679 int erase, lock, clr_pwd, set_pwd, pwd_len; 680 erase = !!(sd->data[0] & 0x08); 681 lock = sd->data[0] & 0x04; 682 clr_pwd = sd->data[0] & 0x02; 683 set_pwd = sd->data[0] & 0x01; 684 685 if (sd->blk_len > 1) 686 pwd_len = sd->data[1]; 687 else 688 pwd_len = 0; 689 690 if (erase) { 691 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 692 set_pwd || clr_pwd || lock || sd->wp_switch || 693 (sd->csd[14] & 0x20)) { 694 sd->card_status |= LOCK_UNLOCK_FAILED; 695 return; 696 } 697 bitmap_zero(sd->wp_groups, sd->wpgrps_size); 698 sd->csd[14] &= ~0x10; 699 sd->card_status &= ~CARD_IS_LOCKED; 700 sd->pwd_len = 0; 701 /* Erasing the entire card here! */ 702 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 703 return; 704 } 705 706 if (sd->blk_len < 2 + pwd_len || 707 pwd_len <= sd->pwd_len || 708 pwd_len > sd->pwd_len + 16) { 709 sd->card_status |= LOCK_UNLOCK_FAILED; 710 return; 711 } 712 713 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 714 sd->card_status |= LOCK_UNLOCK_FAILED; 715 return; 716 } 717 718 pwd_len -= sd->pwd_len; 719 if ((pwd_len && !set_pwd) || 720 (clr_pwd && (set_pwd || lock)) || 721 (lock && !sd->pwd_len && !set_pwd) || 722 (!set_pwd && !clr_pwd && 723 (((sd->card_status & CARD_IS_LOCKED) && lock) || 724 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 725 sd->card_status |= LOCK_UNLOCK_FAILED; 726 return; 727 } 728 729 if (set_pwd) { 730 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 731 sd->pwd_len = pwd_len; 732 } 733 734 if (clr_pwd) { 735 sd->pwd_len = 0; 736 } 737 738 if (lock) 739 sd->card_status |= CARD_IS_LOCKED; 740 else 741 sd->card_status &= ~CARD_IS_LOCKED; 742 } 743 744 static sd_rsp_type_t sd_normal_command(SDState *sd, 745 SDRequest req) 746 { 747 uint32_t rca = 0x0000; 748 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg; 749 750 /* Not interpreting this as an app command */ 751 sd->card_status &= ~APP_CMD; 752 753 if (sd_cmd_type[req.cmd & 0x3F] == sd_ac 754 || sd_cmd_type[req.cmd & 0x3F] == sd_adtc) { 755 rca = req.arg >> 16; 756 } 757 758 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 759 * if not, its effects are cancelled */ 760 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 761 sd->multi_blk_cnt = 0; 762 } 763 764 DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state); 765 switch (req.cmd) { 766 /* Basic commands (Class 0 and Class 1) */ 767 case 0: /* CMD0: GO_IDLE_STATE */ 768 switch (sd->state) { 769 case sd_inactive_state: 770 return sd->spi ? sd_r1 : sd_r0; 771 772 default: 773 sd->state = sd_idle_state; 774 sd_reset(DEVICE(sd)); 775 return sd->spi ? sd_r1 : sd_r0; 776 } 777 break; 778 779 case 1: /* CMD1: SEND_OP_CMD */ 780 if (!sd->spi) 781 goto bad_cmd; 782 783 sd->state = sd_transfer_state; 784 return sd_r1; 785 786 case 2: /* CMD2: ALL_SEND_CID */ 787 if (sd->spi) 788 goto bad_cmd; 789 switch (sd->state) { 790 case sd_ready_state: 791 sd->state = sd_identification_state; 792 return sd_r2_i; 793 794 default: 795 break; 796 } 797 break; 798 799 case 3: /* CMD3: SEND_RELATIVE_ADDR */ 800 if (sd->spi) 801 goto bad_cmd; 802 switch (sd->state) { 803 case sd_identification_state: 804 case sd_standby_state: 805 sd->state = sd_standby_state; 806 sd_set_rca(sd); 807 return sd_r6; 808 809 default: 810 break; 811 } 812 break; 813 814 case 4: /* CMD4: SEND_DSR */ 815 if (sd->spi) 816 goto bad_cmd; 817 switch (sd->state) { 818 case sd_standby_state: 819 break; 820 821 default: 822 break; 823 } 824 break; 825 826 case 5: /* CMD5: reserved for SDIO cards */ 827 return sd_illegal; 828 829 case 6: /* CMD6: SWITCH_FUNCTION */ 830 if (sd->spi) 831 goto bad_cmd; 832 switch (sd->mode) { 833 case sd_data_transfer_mode: 834 sd_function_switch(sd, req.arg); 835 sd->state = sd_sendingdata_state; 836 sd->data_start = 0; 837 sd->data_offset = 0; 838 return sd_r1; 839 840 default: 841 break; 842 } 843 break; 844 845 case 7: /* CMD7: SELECT/DESELECT_CARD */ 846 if (sd->spi) 847 goto bad_cmd; 848 switch (sd->state) { 849 case sd_standby_state: 850 if (sd->rca != rca) 851 return sd_r0; 852 853 sd->state = sd_transfer_state; 854 return sd_r1b; 855 856 case sd_transfer_state: 857 case sd_sendingdata_state: 858 if (sd->rca == rca) 859 break; 860 861 sd->state = sd_standby_state; 862 return sd_r1b; 863 864 case sd_disconnect_state: 865 if (sd->rca != rca) 866 return sd_r0; 867 868 sd->state = sd_programming_state; 869 return sd_r1b; 870 871 case sd_programming_state: 872 if (sd->rca == rca) 873 break; 874 875 sd->state = sd_disconnect_state; 876 return sd_r1b; 877 878 default: 879 break; 880 } 881 break; 882 883 case 8: /* CMD8: SEND_IF_COND */ 884 /* Physical Layer Specification Version 2.00 command */ 885 switch (sd->state) { 886 case sd_idle_state: 887 sd->vhs = 0; 888 889 /* No response if not exactly one VHS bit is set. */ 890 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 891 return sd->spi ? sd_r7 : sd_r0; 892 } 893 894 /* Accept. */ 895 sd->vhs = req.arg; 896 return sd_r7; 897 898 default: 899 break; 900 } 901 break; 902 903 case 9: /* CMD9: SEND_CSD */ 904 switch (sd->state) { 905 case sd_standby_state: 906 if (sd->rca != rca) 907 return sd_r0; 908 909 return sd_r2_s; 910 911 case sd_transfer_state: 912 if (!sd->spi) 913 break; 914 sd->state = sd_sendingdata_state; 915 memcpy(sd->data, sd->csd, 16); 916 sd->data_start = addr; 917 sd->data_offset = 0; 918 return sd_r1; 919 920 default: 921 break; 922 } 923 break; 924 925 case 10: /* CMD10: SEND_CID */ 926 switch (sd->state) { 927 case sd_standby_state: 928 if (sd->rca != rca) 929 return sd_r0; 930 931 return sd_r2_i; 932 933 case sd_transfer_state: 934 if (!sd->spi) 935 break; 936 sd->state = sd_sendingdata_state; 937 memcpy(sd->data, sd->cid, 16); 938 sd->data_start = addr; 939 sd->data_offset = 0; 940 return sd_r1; 941 942 default: 943 break; 944 } 945 break; 946 947 case 11: /* CMD11: READ_DAT_UNTIL_STOP */ 948 if (sd->spi) 949 goto bad_cmd; 950 switch (sd->state) { 951 case sd_transfer_state: 952 sd->state = sd_sendingdata_state; 953 sd->data_start = req.arg; 954 sd->data_offset = 0; 955 956 if (sd->data_start + sd->blk_len > sd->size) 957 sd->card_status |= ADDRESS_ERROR; 958 return sd_r0; 959 960 default: 961 break; 962 } 963 break; 964 965 case 12: /* CMD12: STOP_TRANSMISSION */ 966 switch (sd->state) { 967 case sd_sendingdata_state: 968 sd->state = sd_transfer_state; 969 return sd_r1b; 970 971 case sd_receivingdata_state: 972 sd->state = sd_programming_state; 973 /* Bzzzzzzztt .... Operation complete. */ 974 sd->state = sd_transfer_state; 975 return sd_r1b; 976 977 default: 978 break; 979 } 980 break; 981 982 case 13: /* CMD13: SEND_STATUS */ 983 switch (sd->mode) { 984 case sd_data_transfer_mode: 985 if (sd->rca != rca) 986 return sd_r0; 987 988 return sd_r1; 989 990 default: 991 break; 992 } 993 break; 994 995 case 15: /* CMD15: GO_INACTIVE_STATE */ 996 if (sd->spi) 997 goto bad_cmd; 998 switch (sd->mode) { 999 case sd_data_transfer_mode: 1000 if (sd->rca != rca) 1001 return sd_r0; 1002 1003 sd->state = sd_inactive_state; 1004 return sd_r0; 1005 1006 default: 1007 break; 1008 } 1009 break; 1010 1011 /* Block read commands (Classs 2) */ 1012 case 16: /* CMD16: SET_BLOCKLEN */ 1013 switch (sd->state) { 1014 case sd_transfer_state: 1015 if (req.arg > (1 << HWBLOCK_SHIFT)) 1016 sd->card_status |= BLOCK_LEN_ERROR; 1017 else 1018 sd->blk_len = req.arg; 1019 1020 return sd_r1; 1021 1022 default: 1023 break; 1024 } 1025 break; 1026 1027 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1028 switch (sd->state) { 1029 case sd_transfer_state: 1030 sd->state = sd_sendingdata_state; 1031 sd->data_start = addr; 1032 sd->data_offset = 0; 1033 1034 if (sd->data_start + sd->blk_len > sd->size) 1035 sd->card_status |= ADDRESS_ERROR; 1036 return sd_r1; 1037 1038 default: 1039 break; 1040 } 1041 break; 1042 1043 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1044 switch (sd->state) { 1045 case sd_transfer_state: 1046 sd->state = sd_sendingdata_state; 1047 sd->data_start = addr; 1048 sd->data_offset = 0; 1049 1050 if (sd->data_start + sd->blk_len > sd->size) 1051 sd->card_status |= ADDRESS_ERROR; 1052 return sd_r1; 1053 1054 default: 1055 break; 1056 } 1057 break; 1058 1059 case 23: /* CMD23: SET_BLOCK_COUNT */ 1060 switch (sd->state) { 1061 case sd_transfer_state: 1062 sd->multi_blk_cnt = req.arg; 1063 return sd_r1; 1064 1065 default: 1066 break; 1067 } 1068 break; 1069 1070 /* Block write commands (Class 4) */ 1071 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1072 if (sd->spi) 1073 goto unimplemented_cmd; 1074 switch (sd->state) { 1075 case sd_transfer_state: 1076 /* Writing in SPI mode not implemented. */ 1077 if (sd->spi) 1078 break; 1079 sd->state = sd_receivingdata_state; 1080 sd->data_start = addr; 1081 sd->data_offset = 0; 1082 sd->blk_written = 0; 1083 1084 if (sd->data_start + sd->blk_len > sd->size) 1085 sd->card_status |= ADDRESS_ERROR; 1086 if (sd_wp_addr(sd, sd->data_start)) 1087 sd->card_status |= WP_VIOLATION; 1088 if (sd->csd[14] & 0x30) 1089 sd->card_status |= WP_VIOLATION; 1090 return sd_r1; 1091 1092 default: 1093 break; 1094 } 1095 break; 1096 1097 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1098 if (sd->spi) 1099 goto unimplemented_cmd; 1100 switch (sd->state) { 1101 case sd_transfer_state: 1102 /* Writing in SPI mode not implemented. */ 1103 if (sd->spi) 1104 break; 1105 sd->state = sd_receivingdata_state; 1106 sd->data_start = addr; 1107 sd->data_offset = 0; 1108 sd->blk_written = 0; 1109 1110 if (sd->data_start + sd->blk_len > sd->size) 1111 sd->card_status |= ADDRESS_ERROR; 1112 if (sd_wp_addr(sd, sd->data_start)) 1113 sd->card_status |= WP_VIOLATION; 1114 if (sd->csd[14] & 0x30) 1115 sd->card_status |= WP_VIOLATION; 1116 return sd_r1; 1117 1118 default: 1119 break; 1120 } 1121 break; 1122 1123 case 26: /* CMD26: PROGRAM_CID */ 1124 if (sd->spi) 1125 goto bad_cmd; 1126 switch (sd->state) { 1127 case sd_transfer_state: 1128 sd->state = sd_receivingdata_state; 1129 sd->data_start = 0; 1130 sd->data_offset = 0; 1131 return sd_r1; 1132 1133 default: 1134 break; 1135 } 1136 break; 1137 1138 case 27: /* CMD27: PROGRAM_CSD */ 1139 if (sd->spi) 1140 goto unimplemented_cmd; 1141 switch (sd->state) { 1142 case sd_transfer_state: 1143 sd->state = sd_receivingdata_state; 1144 sd->data_start = 0; 1145 sd->data_offset = 0; 1146 return sd_r1; 1147 1148 default: 1149 break; 1150 } 1151 break; 1152 1153 /* Write protection (Class 6) */ 1154 case 28: /* CMD28: SET_WRITE_PROT */ 1155 switch (sd->state) { 1156 case sd_transfer_state: 1157 if (addr >= sd->size) { 1158 sd->card_status |= ADDRESS_ERROR; 1159 return sd_r1b; 1160 } 1161 1162 sd->state = sd_programming_state; 1163 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1164 /* Bzzzzzzztt .... Operation complete. */ 1165 sd->state = sd_transfer_state; 1166 return sd_r1b; 1167 1168 default: 1169 break; 1170 } 1171 break; 1172 1173 case 29: /* CMD29: CLR_WRITE_PROT */ 1174 switch (sd->state) { 1175 case sd_transfer_state: 1176 if (addr >= sd->size) { 1177 sd->card_status |= ADDRESS_ERROR; 1178 return sd_r1b; 1179 } 1180 1181 sd->state = sd_programming_state; 1182 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1183 /* Bzzzzzzztt .... Operation complete. */ 1184 sd->state = sd_transfer_state; 1185 return sd_r1b; 1186 1187 default: 1188 break; 1189 } 1190 break; 1191 1192 case 30: /* CMD30: SEND_WRITE_PROT */ 1193 switch (sd->state) { 1194 case sd_transfer_state: 1195 sd->state = sd_sendingdata_state; 1196 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg); 1197 sd->data_start = addr; 1198 sd->data_offset = 0; 1199 return sd_r1b; 1200 1201 default: 1202 break; 1203 } 1204 break; 1205 1206 /* Erase commands (Class 5) */ 1207 case 32: /* CMD32: ERASE_WR_BLK_START */ 1208 switch (sd->state) { 1209 case sd_transfer_state: 1210 sd->erase_start = req.arg; 1211 return sd_r1; 1212 1213 default: 1214 break; 1215 } 1216 break; 1217 1218 case 33: /* CMD33: ERASE_WR_BLK_END */ 1219 switch (sd->state) { 1220 case sd_transfer_state: 1221 sd->erase_end = req.arg; 1222 return sd_r1; 1223 1224 default: 1225 break; 1226 } 1227 break; 1228 1229 case 38: /* CMD38: ERASE */ 1230 switch (sd->state) { 1231 case sd_transfer_state: 1232 if (sd->csd[14] & 0x30) { 1233 sd->card_status |= WP_VIOLATION; 1234 return sd_r1b; 1235 } 1236 1237 sd->state = sd_programming_state; 1238 sd_erase(sd); 1239 /* Bzzzzzzztt .... Operation complete. */ 1240 sd->state = sd_transfer_state; 1241 return sd_r1b; 1242 1243 default: 1244 break; 1245 } 1246 break; 1247 1248 /* Lock card commands (Class 7) */ 1249 case 42: /* CMD42: LOCK_UNLOCK */ 1250 if (sd->spi) 1251 goto unimplemented_cmd; 1252 switch (sd->state) { 1253 case sd_transfer_state: 1254 sd->state = sd_receivingdata_state; 1255 sd->data_start = 0; 1256 sd->data_offset = 0; 1257 return sd_r1; 1258 1259 default: 1260 break; 1261 } 1262 break; 1263 1264 case 52: 1265 case 53: 1266 /* CMD52, CMD53: reserved for SDIO cards 1267 * (see the SDIO Simplified Specification V2.0) 1268 * Handle as illegal command but do not complain 1269 * on stderr, as some OSes may use these in their 1270 * probing for presence of an SDIO card. 1271 */ 1272 return sd_illegal; 1273 1274 /* Application specific commands (Class 8) */ 1275 case 55: /* CMD55: APP_CMD */ 1276 if (sd->rca != rca) 1277 return sd_r0; 1278 1279 sd->expecting_acmd = true; 1280 sd->card_status |= APP_CMD; 1281 return sd_r1; 1282 1283 case 56: /* CMD56: GEN_CMD */ 1284 fprintf(stderr, "SD: GEN_CMD 0x%08x\n", req.arg); 1285 1286 switch (sd->state) { 1287 case sd_transfer_state: 1288 sd->data_offset = 0; 1289 if (req.arg & 1) 1290 sd->state = sd_sendingdata_state; 1291 else 1292 sd->state = sd_receivingdata_state; 1293 return sd_r1; 1294 1295 default: 1296 break; 1297 } 1298 break; 1299 1300 default: 1301 bad_cmd: 1302 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1303 return sd_illegal; 1304 1305 unimplemented_cmd: 1306 /* Commands that are recognised but not yet implemented in SPI mode. */ 1307 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1308 req.cmd); 1309 return sd_illegal; 1310 } 1311 1312 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd); 1313 return sd_illegal; 1314 } 1315 1316 static sd_rsp_type_t sd_app_command(SDState *sd, 1317 SDRequest req) 1318 { 1319 DPRINTF("ACMD%d 0x%08x\n", req.cmd, req.arg); 1320 sd->card_status |= APP_CMD; 1321 switch (req.cmd) { 1322 case 6: /* ACMD6: SET_BUS_WIDTH */ 1323 switch (sd->state) { 1324 case sd_transfer_state: 1325 sd->sd_status[0] &= 0x3f; 1326 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1327 return sd_r1; 1328 1329 default: 1330 break; 1331 } 1332 break; 1333 1334 case 13: /* ACMD13: SD_STATUS */ 1335 switch (sd->state) { 1336 case sd_transfer_state: 1337 sd->state = sd_sendingdata_state; 1338 sd->data_start = 0; 1339 sd->data_offset = 0; 1340 return sd_r1; 1341 1342 default: 1343 break; 1344 } 1345 break; 1346 1347 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1348 switch (sd->state) { 1349 case sd_transfer_state: 1350 *(uint32_t *) sd->data = sd->blk_written; 1351 1352 sd->state = sd_sendingdata_state; 1353 sd->data_start = 0; 1354 sd->data_offset = 0; 1355 return sd_r1; 1356 1357 default: 1358 break; 1359 } 1360 break; 1361 1362 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */ 1363 switch (sd->state) { 1364 case sd_transfer_state: 1365 return sd_r1; 1366 1367 default: 1368 break; 1369 } 1370 break; 1371 1372 case 41: /* ACMD41: SD_APP_OP_COND */ 1373 if (sd->spi) { 1374 /* SEND_OP_CMD */ 1375 sd->state = sd_transfer_state; 1376 return sd_r1; 1377 } 1378 switch (sd->state) { 1379 case sd_idle_state: 1380 /* If it's the first ACMD41 since reset, we need to decide 1381 * whether to power up. If this is not an enquiry ACMD41, 1382 * we immediately report power on and proceed below to the 1383 * ready state, but if it is, we set a timer to model a 1384 * delay for power up. This works around a bug in EDK2 1385 * UEFI, which sends an initial enquiry ACMD41, but 1386 * assumes that the card is in ready state as soon as it 1387 * sees the power up bit set. */ 1388 if (!(sd->ocr & OCR_POWER_UP)) { 1389 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1390 timer_del(sd->ocr_power_timer); 1391 sd_ocr_powerup(sd); 1392 } else if (!timer_pending(sd->ocr_power_timer)) { 1393 timer_mod_ns(sd->ocr_power_timer, 1394 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1395 + OCR_POWER_DELAY_NS)); 1396 } 1397 } 1398 1399 /* We accept any voltage. 10000 V is nothing. 1400 * 1401 * Once we're powered up, we advance straight to ready state 1402 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1403 */ 1404 if (req.arg & ACMD41_ENQUIRY_MASK) { 1405 sd->state = sd_ready_state; 1406 } 1407 1408 return sd_r3; 1409 1410 default: 1411 break; 1412 } 1413 break; 1414 1415 case 42: /* ACMD42: SET_CLR_CARD_DETECT */ 1416 switch (sd->state) { 1417 case sd_transfer_state: 1418 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1419 return sd_r1; 1420 1421 default: 1422 break; 1423 } 1424 break; 1425 1426 case 51: /* ACMD51: SEND_SCR */ 1427 switch (sd->state) { 1428 case sd_transfer_state: 1429 sd->state = sd_sendingdata_state; 1430 sd->data_start = 0; 1431 sd->data_offset = 0; 1432 return sd_r1; 1433 1434 default: 1435 break; 1436 } 1437 break; 1438 1439 default: 1440 /* Fall back to standard commands. */ 1441 return sd_normal_command(sd, req); 1442 } 1443 1444 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1445 return sd_illegal; 1446 } 1447 1448 static int cmd_valid_while_locked(SDState *sd, SDRequest *req) 1449 { 1450 /* Valid commands in locked state: 1451 * basic class (0) 1452 * lock card class (7) 1453 * CMD16 1454 * implicitly, the ACMD prefix CMD55 1455 * ACMD41 and ACMD42 1456 * Anything else provokes an "illegal command" response. 1457 */ 1458 if (sd->expecting_acmd) { 1459 return req->cmd == 41 || req->cmd == 42; 1460 } 1461 if (req->cmd == 16 || req->cmd == 55) { 1462 return 1; 1463 } 1464 return sd_cmd_class[req->cmd & 0x3F] == 0 1465 || sd_cmd_class[req->cmd & 0x3F] == 7; 1466 } 1467 1468 int sd_do_command(SDState *sd, SDRequest *req, 1469 uint8_t *response) { 1470 int last_state; 1471 sd_rsp_type_t rtype; 1472 int rsplen; 1473 1474 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1475 return 0; 1476 } 1477 1478 if (sd_req_crc_validate(req)) { 1479 sd->card_status |= COM_CRC_ERROR; 1480 rtype = sd_illegal; 1481 goto send_response; 1482 } 1483 1484 if (sd->card_status & CARD_IS_LOCKED) { 1485 if (!cmd_valid_while_locked(sd, req)) { 1486 sd->card_status |= ILLEGAL_COMMAND; 1487 sd->expecting_acmd = false; 1488 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1489 rtype = sd_illegal; 1490 goto send_response; 1491 } 1492 } 1493 1494 last_state = sd->state; 1495 sd_set_mode(sd); 1496 1497 if (sd->expecting_acmd) { 1498 sd->expecting_acmd = false; 1499 rtype = sd_app_command(sd, *req); 1500 } else { 1501 rtype = sd_normal_command(sd, *req); 1502 } 1503 1504 if (rtype == sd_illegal) { 1505 sd->card_status |= ILLEGAL_COMMAND; 1506 } else { 1507 /* Valid command, we can update the 'state before command' bits. 1508 * (Do this now so they appear in r1 responses.) 1509 */ 1510 sd->current_cmd = req->cmd; 1511 sd->card_status &= ~CURRENT_STATE; 1512 sd->card_status |= (last_state << 9); 1513 } 1514 1515 send_response: 1516 switch (rtype) { 1517 case sd_r1: 1518 case sd_r1b: 1519 sd_response_r1_make(sd, response); 1520 rsplen = 4; 1521 break; 1522 1523 case sd_r2_i: 1524 memcpy(response, sd->cid, sizeof(sd->cid)); 1525 rsplen = 16; 1526 break; 1527 1528 case sd_r2_s: 1529 memcpy(response, sd->csd, sizeof(sd->csd)); 1530 rsplen = 16; 1531 break; 1532 1533 case sd_r3: 1534 sd_response_r3_make(sd, response); 1535 rsplen = 4; 1536 break; 1537 1538 case sd_r6: 1539 sd_response_r6_make(sd, response); 1540 rsplen = 4; 1541 break; 1542 1543 case sd_r7: 1544 sd_response_r7_make(sd, response); 1545 rsplen = 4; 1546 break; 1547 1548 case sd_r0: 1549 case sd_illegal: 1550 default: 1551 rsplen = 0; 1552 break; 1553 } 1554 1555 if (rtype != sd_illegal) { 1556 /* Clear the "clear on valid command" status bits now we've 1557 * sent any response 1558 */ 1559 sd->card_status &= ~CARD_STATUS_B; 1560 } 1561 1562 #ifdef DEBUG_SD 1563 if (rsplen) { 1564 int i; 1565 DPRINTF("Response:"); 1566 for (i = 0; i < rsplen; i++) 1567 fprintf(stderr, " %02x", response[i]); 1568 fprintf(stderr, " state %d\n", sd->state); 1569 } else { 1570 DPRINTF("No response %d\n", sd->state); 1571 } 1572 #endif 1573 1574 return rsplen; 1575 } 1576 1577 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 1578 { 1579 DPRINTF("sd_blk_read: addr = 0x%08llx, len = %d\n", 1580 (unsigned long long) addr, len); 1581 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) { 1582 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1583 } 1584 } 1585 1586 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 1587 { 1588 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) { 1589 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1590 } 1591 } 1592 1593 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len) 1594 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len) 1595 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 1596 #define APP_WRITE_BLOCK(a, len) 1597 1598 void sd_write_data(SDState *sd, uint8_t value) 1599 { 1600 int i; 1601 1602 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1603 return; 1604 1605 if (sd->state != sd_receivingdata_state) { 1606 qemu_log_mask(LOG_GUEST_ERROR, 1607 "sd_write_data: not in Receiving-Data state\n"); 1608 return; 1609 } 1610 1611 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1612 return; 1613 1614 switch (sd->current_cmd) { 1615 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1616 sd->data[sd->data_offset ++] = value; 1617 if (sd->data_offset >= sd->blk_len) { 1618 /* TODO: Check CRC before committing */ 1619 sd->state = sd_programming_state; 1620 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1621 sd->blk_written ++; 1622 sd->csd[14] |= 0x40; 1623 /* Bzzzzzzztt .... Operation complete. */ 1624 sd->state = sd_transfer_state; 1625 } 1626 break; 1627 1628 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1629 if (sd->data_offset == 0) { 1630 /* Start of the block - let's check the address is valid */ 1631 if (sd->data_start + sd->blk_len > sd->size) { 1632 sd->card_status |= ADDRESS_ERROR; 1633 break; 1634 } 1635 if (sd_wp_addr(sd, sd->data_start)) { 1636 sd->card_status |= WP_VIOLATION; 1637 break; 1638 } 1639 } 1640 sd->data[sd->data_offset++] = value; 1641 if (sd->data_offset >= sd->blk_len) { 1642 /* TODO: Check CRC before committing */ 1643 sd->state = sd_programming_state; 1644 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1645 sd->blk_written++; 1646 sd->data_start += sd->blk_len; 1647 sd->data_offset = 0; 1648 sd->csd[14] |= 0x40; 1649 1650 /* Bzzzzzzztt .... Operation complete. */ 1651 if (sd->multi_blk_cnt != 0) { 1652 if (--sd->multi_blk_cnt == 0) { 1653 /* Stop! */ 1654 sd->state = sd_transfer_state; 1655 break; 1656 } 1657 } 1658 1659 sd->state = sd_receivingdata_state; 1660 } 1661 break; 1662 1663 case 26: /* CMD26: PROGRAM_CID */ 1664 sd->data[sd->data_offset ++] = value; 1665 if (sd->data_offset >= sizeof(sd->cid)) { 1666 /* TODO: Check CRC before committing */ 1667 sd->state = sd_programming_state; 1668 for (i = 0; i < sizeof(sd->cid); i ++) 1669 if ((sd->cid[i] | 0x00) != sd->data[i]) 1670 sd->card_status |= CID_CSD_OVERWRITE; 1671 1672 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1673 for (i = 0; i < sizeof(sd->cid); i ++) { 1674 sd->cid[i] |= 0x00; 1675 sd->cid[i] &= sd->data[i]; 1676 } 1677 /* Bzzzzzzztt .... Operation complete. */ 1678 sd->state = sd_transfer_state; 1679 } 1680 break; 1681 1682 case 27: /* CMD27: PROGRAM_CSD */ 1683 sd->data[sd->data_offset ++] = value; 1684 if (sd->data_offset >= sizeof(sd->csd)) { 1685 /* TODO: Check CRC before committing */ 1686 sd->state = sd_programming_state; 1687 for (i = 0; i < sizeof(sd->csd); i ++) 1688 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 1689 (sd->data[i] | sd_csd_rw_mask[i])) 1690 sd->card_status |= CID_CSD_OVERWRITE; 1691 1692 /* Copy flag (OTP) & Permanent write protect */ 1693 if (sd->csd[14] & ~sd->data[14] & 0x60) 1694 sd->card_status |= CID_CSD_OVERWRITE; 1695 1696 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1697 for (i = 0; i < sizeof(sd->csd); i ++) { 1698 sd->csd[i] |= sd_csd_rw_mask[i]; 1699 sd->csd[i] &= sd->data[i]; 1700 } 1701 /* Bzzzzzzztt .... Operation complete. */ 1702 sd->state = sd_transfer_state; 1703 } 1704 break; 1705 1706 case 42: /* CMD42: LOCK_UNLOCK */ 1707 sd->data[sd->data_offset ++] = value; 1708 if (sd->data_offset >= sd->blk_len) { 1709 /* TODO: Check CRC before committing */ 1710 sd->state = sd_programming_state; 1711 sd_lock_command(sd); 1712 /* Bzzzzzzztt .... Operation complete. */ 1713 sd->state = sd_transfer_state; 1714 } 1715 break; 1716 1717 case 56: /* CMD56: GEN_CMD */ 1718 sd->data[sd->data_offset ++] = value; 1719 if (sd->data_offset >= sd->blk_len) { 1720 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 1721 sd->state = sd_transfer_state; 1722 } 1723 break; 1724 1725 default: 1726 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n"); 1727 break; 1728 } 1729 } 1730 1731 uint8_t sd_read_data(SDState *sd) 1732 { 1733 /* TODO: Append CRCs */ 1734 uint8_t ret; 1735 int io_len; 1736 1737 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1738 return 0x00; 1739 1740 if (sd->state != sd_sendingdata_state) { 1741 qemu_log_mask(LOG_GUEST_ERROR, 1742 "sd_read_data: not in Sending-Data state\n"); 1743 return 0x00; 1744 } 1745 1746 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1747 return 0x00; 1748 1749 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len; 1750 1751 switch (sd->current_cmd) { 1752 case 6: /* CMD6: SWITCH_FUNCTION */ 1753 ret = sd->data[sd->data_offset ++]; 1754 1755 if (sd->data_offset >= 64) 1756 sd->state = sd_transfer_state; 1757 break; 1758 1759 case 9: /* CMD9: SEND_CSD */ 1760 case 10: /* CMD10: SEND_CID */ 1761 ret = sd->data[sd->data_offset ++]; 1762 1763 if (sd->data_offset >= 16) 1764 sd->state = sd_transfer_state; 1765 break; 1766 1767 case 11: /* CMD11: READ_DAT_UNTIL_STOP */ 1768 if (sd->data_offset == 0) 1769 BLK_READ_BLOCK(sd->data_start, io_len); 1770 ret = sd->data[sd->data_offset ++]; 1771 1772 if (sd->data_offset >= io_len) { 1773 sd->data_start += io_len; 1774 sd->data_offset = 0; 1775 if (sd->data_start + io_len > sd->size) { 1776 sd->card_status |= ADDRESS_ERROR; 1777 break; 1778 } 1779 } 1780 break; 1781 1782 case 13: /* ACMD13: SD_STATUS */ 1783 ret = sd->sd_status[sd->data_offset ++]; 1784 1785 if (sd->data_offset >= sizeof(sd->sd_status)) 1786 sd->state = sd_transfer_state; 1787 break; 1788 1789 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1790 if (sd->data_offset == 0) 1791 BLK_READ_BLOCK(sd->data_start, io_len); 1792 ret = sd->data[sd->data_offset ++]; 1793 1794 if (sd->data_offset >= io_len) 1795 sd->state = sd_transfer_state; 1796 break; 1797 1798 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1799 if (sd->data_offset == 0) 1800 BLK_READ_BLOCK(sd->data_start, io_len); 1801 ret = sd->data[sd->data_offset ++]; 1802 1803 if (sd->data_offset >= io_len) { 1804 sd->data_start += io_len; 1805 sd->data_offset = 0; 1806 1807 if (sd->multi_blk_cnt != 0) { 1808 if (--sd->multi_blk_cnt == 0) { 1809 /* Stop! */ 1810 sd->state = sd_transfer_state; 1811 break; 1812 } 1813 } 1814 1815 if (sd->data_start + io_len > sd->size) { 1816 sd->card_status |= ADDRESS_ERROR; 1817 break; 1818 } 1819 } 1820 break; 1821 1822 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1823 ret = sd->data[sd->data_offset ++]; 1824 1825 if (sd->data_offset >= 4) 1826 sd->state = sd_transfer_state; 1827 break; 1828 1829 case 30: /* CMD30: SEND_WRITE_PROT */ 1830 ret = sd->data[sd->data_offset ++]; 1831 1832 if (sd->data_offset >= 4) 1833 sd->state = sd_transfer_state; 1834 break; 1835 1836 case 51: /* ACMD51: SEND_SCR */ 1837 ret = sd->scr[sd->data_offset ++]; 1838 1839 if (sd->data_offset >= sizeof(sd->scr)) 1840 sd->state = sd_transfer_state; 1841 break; 1842 1843 case 56: /* CMD56: GEN_CMD */ 1844 if (sd->data_offset == 0) 1845 APP_READ_BLOCK(sd->data_start, sd->blk_len); 1846 ret = sd->data[sd->data_offset ++]; 1847 1848 if (sd->data_offset >= sd->blk_len) 1849 sd->state = sd_transfer_state; 1850 break; 1851 1852 default: 1853 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n"); 1854 return 0x00; 1855 } 1856 1857 return ret; 1858 } 1859 1860 bool sd_data_ready(SDState *sd) 1861 { 1862 return sd->state == sd_sendingdata_state; 1863 } 1864 1865 void sd_enable(SDState *sd, bool enable) 1866 { 1867 sd->enable = enable; 1868 } 1869 1870 static void sd_instance_init(Object *obj) 1871 { 1872 SDState *sd = SD_CARD(obj); 1873 1874 sd->enable = true; 1875 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 1876 } 1877 1878 static void sd_realize(DeviceState *dev, Error **errp) 1879 { 1880 SDState *sd = SD_CARD(dev); 1881 1882 if (sd->blk && blk_is_read_only(sd->blk)) { 1883 error_setg(errp, "Cannot use read-only drive as SD card"); 1884 return; 1885 } 1886 1887 if (sd->blk) { 1888 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 1889 } 1890 } 1891 1892 static Property sd_properties[] = { 1893 DEFINE_PROP_DRIVE("drive", SDState, blk), 1894 /* We do not model the chip select pin, so allow the board to select 1895 * whether card should be in SSI or MMC/SD mode. It is also up to the 1896 * board to ensure that ssi transfers only occur when the chip select 1897 * is asserted. */ 1898 DEFINE_PROP_BOOL("spi", SDState, spi, false), 1899 DEFINE_PROP_END_OF_LIST() 1900 }; 1901 1902 static void sd_class_init(ObjectClass *klass, void *data) 1903 { 1904 DeviceClass *dc = DEVICE_CLASS(klass); 1905 SDCardClass *sc = SD_CARD_CLASS(klass); 1906 1907 dc->realize = sd_realize; 1908 dc->props = sd_properties; 1909 dc->vmsd = &sd_vmstate; 1910 dc->reset = sd_reset; 1911 dc->bus_type = TYPE_SD_BUS; 1912 1913 sc->do_command = sd_do_command; 1914 sc->write_data = sd_write_data; 1915 sc->read_data = sd_read_data; 1916 sc->data_ready = sd_data_ready; 1917 sc->enable = sd_enable; 1918 sc->get_inserted = sd_get_inserted; 1919 sc->get_readonly = sd_get_readonly; 1920 } 1921 1922 static const TypeInfo sd_info = { 1923 .name = TYPE_SD_CARD, 1924 .parent = TYPE_DEVICE, 1925 .instance_size = sizeof(SDState), 1926 .class_size = sizeof(SDCardClass), 1927 .class_init = sd_class_init, 1928 .instance_init = sd_instance_init, 1929 }; 1930 1931 static void sd_register_types(void) 1932 { 1933 type_register_static(&sd_info); 1934 } 1935 1936 type_init(sd_register_types) 1937