1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "qemu/osdep.h" 34 #include "qemu/units.h" 35 #include "hw/irq.h" 36 #include "hw/registerfields.h" 37 #include "sysemu/block-backend.h" 38 #include "hw/sd/sd.h" 39 #include "migration/vmstate.h" 40 #include "qapi/error.h" 41 #include "qemu/bitmap.h" 42 #include "hw/qdev-properties.h" 43 #include "qemu/error-report.h" 44 #include "qemu/timer.h" 45 #include "qemu/log.h" 46 #include "qemu/module.h" 47 #include "sdmmc-internal.h" 48 #include "trace.h" 49 50 //#define DEBUG_SD 1 51 52 typedef enum { 53 sd_r0 = 0, /* no response */ 54 sd_r1, /* normal response command */ 55 sd_r2_i, /* CID register */ 56 sd_r2_s, /* CSD register */ 57 sd_r3, /* OCR register */ 58 sd_r6 = 6, /* Published RCA response */ 59 sd_r7, /* Operating voltage */ 60 sd_r1b = -1, 61 sd_illegal = -2, 62 } sd_rsp_type_t; 63 64 enum SDCardModes { 65 sd_inactive, 66 sd_card_identification_mode, 67 sd_data_transfer_mode, 68 }; 69 70 enum SDCardStates { 71 sd_inactive_state = -1, 72 sd_idle_state = 0, 73 sd_ready_state, 74 sd_identification_state, 75 sd_standby_state, 76 sd_transfer_state, 77 sd_sendingdata_state, 78 sd_receivingdata_state, 79 sd_programming_state, 80 sd_disconnect_state, 81 }; 82 83 struct SDState { 84 DeviceState parent_obj; 85 86 /* If true, created by sd_init() for a non-qdevified caller */ 87 /* TODO purge them with fire */ 88 bool me_no_qdev_me_kill_mammoth_with_rocks; 89 90 /* SD Memory Card Registers */ 91 uint32_t ocr; 92 uint8_t scr[8]; 93 uint8_t cid[16]; 94 uint8_t csd[16]; 95 uint16_t rca; 96 uint32_t card_status; 97 uint8_t sd_status[64]; 98 99 /* Configurable properties */ 100 uint8_t spec_version; 101 BlockBackend *blk; 102 bool spi; 103 104 uint32_t mode; /* current card mode, one of SDCardModes */ 105 int32_t state; /* current card state, one of SDCardStates */ 106 uint32_t vhs; 107 bool wp_switch; 108 unsigned long *wp_groups; 109 int32_t wpgrps_size; 110 uint64_t size; 111 uint32_t blk_len; 112 uint32_t multi_blk_cnt; 113 uint32_t erase_start; 114 uint32_t erase_end; 115 uint8_t pwd[16]; 116 uint32_t pwd_len; 117 uint8_t function_group[6]; 118 uint8_t current_cmd; 119 /* True if we will handle the next command as an ACMD. Note that this does 120 * *not* track the APP_CMD status bit! 121 */ 122 bool expecting_acmd; 123 uint32_t blk_written; 124 uint64_t data_start; 125 uint32_t data_offset; 126 uint8_t data[512]; 127 qemu_irq readonly_cb; 128 qemu_irq inserted_cb; 129 QEMUTimer *ocr_power_timer; 130 const char *proto_name; 131 bool enable; 132 uint8_t dat_lines; 133 bool cmd_line; 134 }; 135 136 static void sd_realize(DeviceState *dev, Error **errp); 137 138 static const char *sd_state_name(enum SDCardStates state) 139 { 140 static const char *state_name[] = { 141 [sd_idle_state] = "idle", 142 [sd_ready_state] = "ready", 143 [sd_identification_state] = "identification", 144 [sd_standby_state] = "standby", 145 [sd_transfer_state] = "transfer", 146 [sd_sendingdata_state] = "sendingdata", 147 [sd_receivingdata_state] = "receivingdata", 148 [sd_programming_state] = "programming", 149 [sd_disconnect_state] = "disconnect", 150 }; 151 if (state == sd_inactive_state) { 152 return "inactive"; 153 } 154 assert(state < ARRAY_SIZE(state_name)); 155 return state_name[state]; 156 } 157 158 static const char *sd_response_name(sd_rsp_type_t rsp) 159 { 160 static const char *response_name[] = { 161 [sd_r0] = "RESP#0 (no response)", 162 [sd_r1] = "RESP#1 (normal cmd)", 163 [sd_r2_i] = "RESP#2 (CID reg)", 164 [sd_r2_s] = "RESP#2 (CSD reg)", 165 [sd_r3] = "RESP#3 (OCR reg)", 166 [sd_r6] = "RESP#6 (RCA)", 167 [sd_r7] = "RESP#7 (operating voltage)", 168 }; 169 if (rsp == sd_illegal) { 170 return "ILLEGAL RESP"; 171 } 172 if (rsp == sd_r1b) { 173 rsp = sd_r1; 174 } 175 assert(rsp < ARRAY_SIZE(response_name)); 176 return response_name[rsp]; 177 } 178 179 static uint8_t sd_get_dat_lines(SDState *sd) 180 { 181 return sd->enable ? sd->dat_lines : 0; 182 } 183 184 static bool sd_get_cmd_line(SDState *sd) 185 { 186 return sd->enable ? sd->cmd_line : false; 187 } 188 189 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 190 { 191 trace_sdcard_set_voltage(millivolts); 192 193 switch (millivolts) { 194 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 195 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 196 break; 197 default: 198 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 199 millivolts / 1000.f); 200 } 201 } 202 203 static void sd_set_mode(SDState *sd) 204 { 205 switch (sd->state) { 206 case sd_inactive_state: 207 sd->mode = sd_inactive; 208 break; 209 210 case sd_idle_state: 211 case sd_ready_state: 212 case sd_identification_state: 213 sd->mode = sd_card_identification_mode; 214 break; 215 216 case sd_standby_state: 217 case sd_transfer_state: 218 case sd_sendingdata_state: 219 case sd_receivingdata_state: 220 case sd_programming_state: 221 case sd_disconnect_state: 222 sd->mode = sd_data_transfer_mode; 223 break; 224 } 225 } 226 227 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = { 228 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac, 229 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac, 230 /* 16 */ 231 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, 232 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none, 233 /* 32 */ 234 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none, 235 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none, 236 /* 48 */ 237 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, 238 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, 239 }; 240 241 static const int sd_cmd_class[SDMMC_CMD_MAX] = { 242 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 243 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6, 244 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7, 245 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8, 246 }; 247 248 static uint8_t sd_crc7(void *message, size_t width) 249 { 250 int i, bit; 251 uint8_t shift_reg = 0x00; 252 uint8_t *msg = (uint8_t *) message; 253 254 for (i = 0; i < width; i ++, msg ++) 255 for (bit = 7; bit >= 0; bit --) { 256 shift_reg <<= 1; 257 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 258 shift_reg ^= 0x89; 259 } 260 261 return shift_reg; 262 } 263 264 static uint16_t sd_crc16(void *message, size_t width) 265 { 266 int i, bit; 267 uint16_t shift_reg = 0x0000; 268 uint16_t *msg = (uint16_t *) message; 269 width <<= 1; 270 271 for (i = 0; i < width; i ++, msg ++) 272 for (bit = 15; bit >= 0; bit --) { 273 shift_reg <<= 1; 274 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1)) 275 shift_reg ^= 0x1011; 276 } 277 278 return shift_reg; 279 } 280 281 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 282 283 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 284 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 285 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 286 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 287 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 288 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 289 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 290 FIELD(OCR, CARD_POWER_UP, 31, 1) 291 292 #define ACMD41_ENQUIRY_MASK 0x00ffffff 293 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 294 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 295 | R_OCR_UHS_II_CARD_MASK \ 296 | R_OCR_CARD_CAPACITY_MASK \ 297 | R_OCR_CARD_POWER_UP_MASK) 298 299 static void sd_set_ocr(SDState *sd) 300 { 301 /* All voltages OK */ 302 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 303 } 304 305 static void sd_ocr_powerup(void *opaque) 306 { 307 SDState *sd = opaque; 308 309 trace_sdcard_powerup(); 310 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 311 312 /* card power-up OK */ 313 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 314 315 if (sd->size > 1 * GiB) { 316 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 317 } 318 } 319 320 static void sd_set_scr(SDState *sd) 321 { 322 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 323 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 324 sd->scr[0] |= 1; /* Spec Version 1.10 */ 325 } else { 326 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 327 } 328 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 329 | 0b0101; /* 1-bit or 4-bit width bus modes */ 330 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 331 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 332 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 333 } 334 sd->scr[3] = 0x00; 335 /* reserved for manufacturer usage */ 336 sd->scr[4] = 0x00; 337 sd->scr[5] = 0x00; 338 sd->scr[6] = 0x00; 339 sd->scr[7] = 0x00; 340 } 341 342 #define MID 0xaa 343 #define OID "XY" 344 #define PNM "QEMU!" 345 #define PRV 0x01 346 #define MDT_YR 2006 347 #define MDT_MON 2 348 349 static void sd_set_cid(SDState *sd) 350 { 351 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 352 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 353 sd->cid[2] = OID[1]; 354 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 355 sd->cid[4] = PNM[1]; 356 sd->cid[5] = PNM[2]; 357 sd->cid[6] = PNM[3]; 358 sd->cid[7] = PNM[4]; 359 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 360 sd->cid[9] = 0xde; /* Fake serial number (PSN) */ 361 sd->cid[10] = 0xad; 362 sd->cid[11] = 0xbe; 363 sd->cid[12] = 0xef; 364 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 365 ((MDT_YR - 2000) / 10); 366 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 367 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 368 } 369 370 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 371 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 372 #define WPGROUP_SHIFT 7 /* 2 megs */ 373 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 374 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 375 376 static const uint8_t sd_csd_rw_mask[16] = { 377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 379 }; 380 381 static void sd_set_csd(SDState *sd, uint64_t size) 382 { 383 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1; 384 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 385 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 386 387 if (size <= 1 * GiB) { /* Standard Capacity SD */ 388 sd->csd[0] = 0x00; /* CSD structure */ 389 sd->csd[1] = 0x26; /* Data read access-time-1 */ 390 sd->csd[2] = 0x00; /* Data read access-time-2 */ 391 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 392 sd->csd[4] = 0x5f; /* Card Command Classes */ 393 sd->csd[5] = 0x50 | /* Max. read data block length */ 394 HWBLOCK_SHIFT; 395 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 396 ((csize >> 10) & 0x03); 397 sd->csd[7] = 0x00 | /* Device size */ 398 ((csize >> 2) & 0xff); 399 sd->csd[8] = 0x3f | /* Max. read current */ 400 ((csize << 6) & 0xc0); 401 sd->csd[9] = 0xfc | /* Max. write current */ 402 ((CMULT_SHIFT - 2) >> 1); 403 sd->csd[10] = 0x40 | /* Erase sector size */ 404 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 405 sd->csd[11] = 0x00 | /* Write protect group size */ 406 ((sectsize << 7) & 0x80) | wpsize; 407 sd->csd[12] = 0x90 | /* Write speed factor */ 408 (HWBLOCK_SHIFT >> 2); 409 sd->csd[13] = 0x20 | /* Max. write data block length */ 410 ((HWBLOCK_SHIFT << 6) & 0xc0); 411 sd->csd[14] = 0x00; /* File format group */ 412 } else { /* SDHC */ 413 size /= 512 * KiB; 414 size -= 1; 415 sd->csd[0] = 0x40; 416 sd->csd[1] = 0x0e; 417 sd->csd[2] = 0x00; 418 sd->csd[3] = 0x32; 419 sd->csd[4] = 0x5b; 420 sd->csd[5] = 0x59; 421 sd->csd[6] = 0x00; 422 sd->csd[7] = (size >> 16) & 0xff; 423 sd->csd[8] = (size >> 8) & 0xff; 424 sd->csd[9] = (size & 0xff); 425 sd->csd[10] = 0x7f; 426 sd->csd[11] = 0x80; 427 sd->csd[12] = 0x0a; 428 sd->csd[13] = 0x40; 429 sd->csd[14] = 0x00; 430 } 431 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 432 } 433 434 static void sd_set_rca(SDState *sd) 435 { 436 sd->rca += 0x4567; 437 } 438 439 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 440 FIELD(CSR, APP_CMD, 5, 1) 441 FIELD(CSR, FX_EVENT, 6, 1) 442 FIELD(CSR, READY_FOR_DATA, 8, 1) 443 FIELD(CSR, CURRENT_STATE, 9, 4) 444 FIELD(CSR, ERASE_RESET, 13, 1) 445 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 446 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 447 FIELD(CSR, CSD_OVERWRITE, 16, 1) 448 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 449 FIELD(CSR, ERROR, 19, 1) 450 FIELD(CSR, CC_ERROR, 20, 1) 451 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 452 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 453 FIELD(CSR, COM_CRC_ERROR, 23, 1) 454 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 455 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 456 FIELD(CSR, WP_VIOLATION, 26, 1) 457 FIELD(CSR, ERASE_PARAM, 27, 1) 458 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 459 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 460 FIELD(CSR, ADDRESS_ERROR, 30, 1) 461 FIELD(CSR, OUT_OF_RANGE, 31, 1) 462 463 /* Card status bits, split by clear condition: 464 * A : According to the card current state 465 * B : Always related to the previous command 466 * C : Cleared by read 467 */ 468 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 469 | R_CSR_CARD_ECC_DISABLED_MASK \ 470 | R_CSR_CARD_IS_LOCKED_MASK) 471 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 472 | R_CSR_ILLEGAL_COMMAND_MASK \ 473 | R_CSR_COM_CRC_ERROR_MASK) 474 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 475 | R_CSR_APP_CMD_MASK \ 476 | R_CSR_ERASE_RESET_MASK \ 477 | R_CSR_WP_ERASE_SKIP_MASK \ 478 | R_CSR_CSD_OVERWRITE_MASK \ 479 | R_CSR_ERROR_MASK \ 480 | R_CSR_CC_ERROR_MASK \ 481 | R_CSR_CARD_ECC_FAILED_MASK \ 482 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 483 | R_CSR_WP_VIOLATION_MASK \ 484 | R_CSR_ERASE_PARAM_MASK \ 485 | R_CSR_ERASE_SEQ_ERROR_MASK \ 486 | R_CSR_BLOCK_LEN_ERROR_MASK \ 487 | R_CSR_ADDRESS_ERROR_MASK \ 488 | R_CSR_OUT_OF_RANGE_MASK) 489 490 static void sd_set_cardstatus(SDState *sd) 491 { 492 sd->card_status = 0x00000100; 493 } 494 495 static void sd_set_sdstatus(SDState *sd) 496 { 497 memset(sd->sd_status, 0, 64); 498 } 499 500 static int sd_req_crc_validate(SDRequest *req) 501 { 502 uint8_t buffer[5]; 503 buffer[0] = 0x40 | req->cmd; 504 stl_be_p(&buffer[1], req->arg); 505 return 0; 506 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 507 } 508 509 static void sd_response_r1_make(SDState *sd, uint8_t *response) 510 { 511 stl_be_p(response, sd->card_status); 512 513 /* Clear the "clear on read" status bits */ 514 sd->card_status &= ~CARD_STATUS_C; 515 } 516 517 static void sd_response_r3_make(SDState *sd, uint8_t *response) 518 { 519 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 520 } 521 522 static void sd_response_r6_make(SDState *sd, uint8_t *response) 523 { 524 uint16_t status; 525 526 status = ((sd->card_status >> 8) & 0xc000) | 527 ((sd->card_status >> 6) & 0x2000) | 528 (sd->card_status & 0x1fff); 529 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 530 stw_be_p(response + 0, sd->rca); 531 stw_be_p(response + 2, status); 532 } 533 534 static void sd_response_r7_make(SDState *sd, uint8_t *response) 535 { 536 stl_be_p(response, sd->vhs); 537 } 538 539 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 540 { 541 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 542 } 543 544 static void sd_reset(DeviceState *dev) 545 { 546 SDState *sd = SD_CARD(dev); 547 uint64_t size; 548 uint64_t sect; 549 550 trace_sdcard_reset(); 551 if (sd->blk) { 552 blk_get_geometry(sd->blk, §); 553 } else { 554 sect = 0; 555 } 556 size = sect << 9; 557 558 sect = sd_addr_to_wpnum(size) + 1; 559 560 sd->state = sd_idle_state; 561 sd->rca = 0x0000; 562 sd_set_ocr(sd); 563 sd_set_scr(sd); 564 sd_set_cid(sd); 565 sd_set_csd(sd, size); 566 sd_set_cardstatus(sd); 567 sd_set_sdstatus(sd); 568 569 g_free(sd->wp_groups); 570 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false; 571 sd->wpgrps_size = sect; 572 sd->wp_groups = bitmap_new(sd->wpgrps_size); 573 memset(sd->function_group, 0, sizeof(sd->function_group)); 574 sd->erase_start = 0; 575 sd->erase_end = 0; 576 sd->size = size; 577 sd->blk_len = 0x200; 578 sd->pwd_len = 0; 579 sd->expecting_acmd = false; 580 sd->dat_lines = 0xf; 581 sd->cmd_line = true; 582 sd->multi_blk_cnt = 0; 583 } 584 585 static bool sd_get_inserted(SDState *sd) 586 { 587 return sd->blk && blk_is_inserted(sd->blk); 588 } 589 590 static bool sd_get_readonly(SDState *sd) 591 { 592 return sd->wp_switch; 593 } 594 595 static void sd_cardchange(void *opaque, bool load, Error **errp) 596 { 597 SDState *sd = opaque; 598 DeviceState *dev = DEVICE(sd); 599 SDBus *sdbus; 600 bool inserted = sd_get_inserted(sd); 601 bool readonly = sd_get_readonly(sd); 602 603 if (inserted) { 604 trace_sdcard_inserted(readonly); 605 sd_reset(dev); 606 } else { 607 trace_sdcard_ejected(); 608 } 609 610 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) { 611 qemu_set_irq(sd->inserted_cb, inserted); 612 if (inserted) { 613 qemu_set_irq(sd->readonly_cb, readonly); 614 } 615 } else { 616 sdbus = SD_BUS(qdev_get_parent_bus(dev)); 617 sdbus_set_inserted(sdbus, inserted); 618 if (inserted) { 619 sdbus_set_readonly(sdbus, readonly); 620 } 621 } 622 } 623 624 static const BlockDevOps sd_block_ops = { 625 .change_media_cb = sd_cardchange, 626 }; 627 628 static bool sd_ocr_vmstate_needed(void *opaque) 629 { 630 SDState *sd = opaque; 631 632 /* Include the OCR state (and timer) if it is not yet powered up */ 633 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 634 } 635 636 static const VMStateDescription sd_ocr_vmstate = { 637 .name = "sd-card/ocr-state", 638 .version_id = 1, 639 .minimum_version_id = 1, 640 .needed = sd_ocr_vmstate_needed, 641 .fields = (VMStateField[]) { 642 VMSTATE_UINT32(ocr, SDState), 643 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 644 VMSTATE_END_OF_LIST() 645 }, 646 }; 647 648 static int sd_vmstate_pre_load(void *opaque) 649 { 650 SDState *sd = opaque; 651 652 /* If the OCR state is not included (prior versions, or not 653 * needed), then the OCR must be set as powered up. If the OCR state 654 * is included, this will be replaced by the state restore. 655 */ 656 sd_ocr_powerup(sd); 657 658 return 0; 659 } 660 661 static const VMStateDescription sd_vmstate = { 662 .name = "sd-card", 663 .version_id = 1, 664 .minimum_version_id = 1, 665 .pre_load = sd_vmstate_pre_load, 666 .fields = (VMStateField[]) { 667 VMSTATE_UINT32(mode, SDState), 668 VMSTATE_INT32(state, SDState), 669 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 670 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 671 VMSTATE_UINT16(rca, SDState), 672 VMSTATE_UINT32(card_status, SDState), 673 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 674 VMSTATE_UINT32(vhs, SDState), 675 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size), 676 VMSTATE_UINT32(blk_len, SDState), 677 VMSTATE_UINT32(multi_blk_cnt, SDState), 678 VMSTATE_UINT32(erase_start, SDState), 679 VMSTATE_UINT32(erase_end, SDState), 680 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 681 VMSTATE_UINT32(pwd_len, SDState), 682 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 683 VMSTATE_UINT8(current_cmd, SDState), 684 VMSTATE_BOOL(expecting_acmd, SDState), 685 VMSTATE_UINT32(blk_written, SDState), 686 VMSTATE_UINT64(data_start, SDState), 687 VMSTATE_UINT32(data_offset, SDState), 688 VMSTATE_UINT8_ARRAY(data, SDState, 512), 689 VMSTATE_UNUSED_V(1, 512), 690 VMSTATE_BOOL(enable, SDState), 691 VMSTATE_END_OF_LIST() 692 }, 693 .subsections = (const VMStateDescription*[]) { 694 &sd_ocr_vmstate, 695 NULL 696 }, 697 }; 698 699 /* Legacy initialization function for use by non-qdevified callers */ 700 SDState *sd_init(BlockBackend *blk, bool is_spi) 701 { 702 Object *obj; 703 DeviceState *dev; 704 SDState *sd; 705 Error *err = NULL; 706 707 obj = object_new(TYPE_SD_CARD); 708 dev = DEVICE(obj); 709 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) { 710 error_reportf_err(err, "sd_init failed: "); 711 return NULL; 712 } 713 qdev_prop_set_bit(dev, "spi", is_spi); 714 715 /* 716 * Realizing the device properly would put it into the QOM 717 * composition tree even though it is not plugged into an 718 * appropriate bus. That's a no-no. Hide the device from 719 * QOM/qdev, and call its qdev realize callback directly. 720 */ 721 object_ref(obj); 722 object_unparent(obj); 723 sd_realize(dev, &err); 724 if (err) { 725 error_reportf_err(err, "sd_init failed: "); 726 return NULL; 727 } 728 729 sd = SD_CARD(dev); 730 sd->me_no_qdev_me_kill_mammoth_with_rocks = true; 731 return sd; 732 } 733 734 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 735 { 736 sd->readonly_cb = readonly; 737 sd->inserted_cb = insert; 738 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0); 739 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 740 } 741 742 static void sd_erase(SDState *sd) 743 { 744 int i; 745 uint64_t erase_start = sd->erase_start; 746 uint64_t erase_end = sd->erase_end; 747 748 trace_sdcard_erase(); 749 if (!sd->erase_start || !sd->erase_end) { 750 sd->card_status |= ERASE_SEQ_ERROR; 751 return; 752 } 753 754 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 755 /* High capacity memory card: erase units are 512 byte blocks */ 756 erase_start *= 512; 757 erase_end *= 512; 758 } 759 760 erase_start = sd_addr_to_wpnum(erase_start); 761 erase_end = sd_addr_to_wpnum(erase_end); 762 sd->erase_start = 0; 763 sd->erase_end = 0; 764 sd->csd[14] |= 0x40; 765 766 for (i = erase_start; i <= erase_end; i++) { 767 if (test_bit(i, sd->wp_groups)) { 768 sd->card_status |= WP_ERASE_SKIP; 769 } 770 } 771 } 772 773 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 774 { 775 uint32_t i, wpnum; 776 uint32_t ret = 0; 777 778 wpnum = sd_addr_to_wpnum(addr); 779 780 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 781 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { 782 ret |= (1 << i); 783 } 784 } 785 786 return ret; 787 } 788 789 static void sd_function_switch(SDState *sd, uint32_t arg) 790 { 791 int i, mode, new_func; 792 mode = !!(arg & 0x80000000); 793 794 sd->data[0] = 0x00; /* Maximum current consumption */ 795 sd->data[1] = 0x01; 796 sd->data[2] = 0x80; /* Supported group 6 functions */ 797 sd->data[3] = 0x01; 798 sd->data[4] = 0x80; /* Supported group 5 functions */ 799 sd->data[5] = 0x01; 800 sd->data[6] = 0x80; /* Supported group 4 functions */ 801 sd->data[7] = 0x01; 802 sd->data[8] = 0x80; /* Supported group 3 functions */ 803 sd->data[9] = 0x01; 804 sd->data[10] = 0x80; /* Supported group 2 functions */ 805 sd->data[11] = 0x43; 806 sd->data[12] = 0x80; /* Supported group 1 functions */ 807 sd->data[13] = 0x03; 808 for (i = 0; i < 6; i ++) { 809 new_func = (arg >> (i * 4)) & 0x0f; 810 if (mode && new_func != 0x0f) 811 sd->function_group[i] = new_func; 812 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4); 813 } 814 memset(&sd->data[17], 0, 47); 815 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64)); 816 } 817 818 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 819 { 820 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 821 } 822 823 static void sd_lock_command(SDState *sd) 824 { 825 int erase, lock, clr_pwd, set_pwd, pwd_len; 826 erase = !!(sd->data[0] & 0x08); 827 lock = sd->data[0] & 0x04; 828 clr_pwd = sd->data[0] & 0x02; 829 set_pwd = sd->data[0] & 0x01; 830 831 if (sd->blk_len > 1) 832 pwd_len = sd->data[1]; 833 else 834 pwd_len = 0; 835 836 if (lock) { 837 trace_sdcard_lock(); 838 } else { 839 trace_sdcard_unlock(); 840 } 841 if (erase) { 842 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 843 set_pwd || clr_pwd || lock || sd->wp_switch || 844 (sd->csd[14] & 0x20)) { 845 sd->card_status |= LOCK_UNLOCK_FAILED; 846 return; 847 } 848 bitmap_zero(sd->wp_groups, sd->wpgrps_size); 849 sd->csd[14] &= ~0x10; 850 sd->card_status &= ~CARD_IS_LOCKED; 851 sd->pwd_len = 0; 852 /* Erasing the entire card here! */ 853 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 854 return; 855 } 856 857 if (sd->blk_len < 2 + pwd_len || 858 pwd_len <= sd->pwd_len || 859 pwd_len > sd->pwd_len + 16) { 860 sd->card_status |= LOCK_UNLOCK_FAILED; 861 return; 862 } 863 864 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 865 sd->card_status |= LOCK_UNLOCK_FAILED; 866 return; 867 } 868 869 pwd_len -= sd->pwd_len; 870 if ((pwd_len && !set_pwd) || 871 (clr_pwd && (set_pwd || lock)) || 872 (lock && !sd->pwd_len && !set_pwd) || 873 (!set_pwd && !clr_pwd && 874 (((sd->card_status & CARD_IS_LOCKED) && lock) || 875 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 876 sd->card_status |= LOCK_UNLOCK_FAILED; 877 return; 878 } 879 880 if (set_pwd) { 881 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 882 sd->pwd_len = pwd_len; 883 } 884 885 if (clr_pwd) { 886 sd->pwd_len = 0; 887 } 888 889 if (lock) 890 sd->card_status |= CARD_IS_LOCKED; 891 else 892 sd->card_status &= ~CARD_IS_LOCKED; 893 } 894 895 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 896 { 897 uint32_t rca = 0x0000; 898 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg; 899 900 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 901 * However there is no ACMD55, so we want to trace this particular case. 902 */ 903 if (req.cmd != 55 || sd->expecting_acmd) { 904 trace_sdcard_normal_command(sd->proto_name, 905 sd_cmd_name(req.cmd), req.cmd, 906 req.arg, sd_state_name(sd->state)); 907 } 908 909 /* Not interpreting this as an app command */ 910 sd->card_status &= ~APP_CMD; 911 912 if (sd_cmd_type[req.cmd] == sd_ac 913 || sd_cmd_type[req.cmd] == sd_adtc) { 914 rca = req.arg >> 16; 915 } 916 917 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 918 * if not, its effects are cancelled */ 919 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 920 sd->multi_blk_cnt = 0; 921 } 922 923 switch (req.cmd) { 924 /* Basic commands (Class 0 and Class 1) */ 925 case 0: /* CMD0: GO_IDLE_STATE */ 926 switch (sd->state) { 927 case sd_inactive_state: 928 return sd->spi ? sd_r1 : sd_r0; 929 930 default: 931 sd->state = sd_idle_state; 932 sd_reset(DEVICE(sd)); 933 return sd->spi ? sd_r1 : sd_r0; 934 } 935 break; 936 937 case 1: /* CMD1: SEND_OP_CMD */ 938 if (!sd->spi) 939 goto bad_cmd; 940 941 sd->state = sd_transfer_state; 942 return sd_r1; 943 944 case 2: /* CMD2: ALL_SEND_CID */ 945 if (sd->spi) 946 goto bad_cmd; 947 switch (sd->state) { 948 case sd_ready_state: 949 sd->state = sd_identification_state; 950 return sd_r2_i; 951 952 default: 953 break; 954 } 955 break; 956 957 case 3: /* CMD3: SEND_RELATIVE_ADDR */ 958 if (sd->spi) 959 goto bad_cmd; 960 switch (sd->state) { 961 case sd_identification_state: 962 case sd_standby_state: 963 sd->state = sd_standby_state; 964 sd_set_rca(sd); 965 return sd_r6; 966 967 default: 968 break; 969 } 970 break; 971 972 case 4: /* CMD4: SEND_DSR */ 973 if (sd->spi) 974 goto bad_cmd; 975 switch (sd->state) { 976 case sd_standby_state: 977 break; 978 979 default: 980 break; 981 } 982 break; 983 984 case 5: /* CMD5: reserved for SDIO cards */ 985 return sd_illegal; 986 987 case 6: /* CMD6: SWITCH_FUNCTION */ 988 switch (sd->mode) { 989 case sd_data_transfer_mode: 990 sd_function_switch(sd, req.arg); 991 sd->state = sd_sendingdata_state; 992 sd->data_start = 0; 993 sd->data_offset = 0; 994 return sd_r1; 995 996 default: 997 break; 998 } 999 break; 1000 1001 case 7: /* CMD7: SELECT/DESELECT_CARD */ 1002 if (sd->spi) 1003 goto bad_cmd; 1004 switch (sd->state) { 1005 case sd_standby_state: 1006 if (sd->rca != rca) 1007 return sd_r0; 1008 1009 sd->state = sd_transfer_state; 1010 return sd_r1b; 1011 1012 case sd_transfer_state: 1013 case sd_sendingdata_state: 1014 if (sd->rca == rca) 1015 break; 1016 1017 sd->state = sd_standby_state; 1018 return sd_r1b; 1019 1020 case sd_disconnect_state: 1021 if (sd->rca != rca) 1022 return sd_r0; 1023 1024 sd->state = sd_programming_state; 1025 return sd_r1b; 1026 1027 case sd_programming_state: 1028 if (sd->rca == rca) 1029 break; 1030 1031 sd->state = sd_disconnect_state; 1032 return sd_r1b; 1033 1034 default: 1035 break; 1036 } 1037 break; 1038 1039 case 8: /* CMD8: SEND_IF_COND */ 1040 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1041 break; 1042 } 1043 if (sd->state != sd_idle_state) { 1044 break; 1045 } 1046 sd->vhs = 0; 1047 1048 /* No response if not exactly one VHS bit is set. */ 1049 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1050 return sd->spi ? sd_r7 : sd_r0; 1051 } 1052 1053 /* Accept. */ 1054 sd->vhs = req.arg; 1055 return sd_r7; 1056 1057 case 9: /* CMD9: SEND_CSD */ 1058 switch (sd->state) { 1059 case sd_standby_state: 1060 if (sd->rca != rca) 1061 return sd_r0; 1062 1063 return sd_r2_s; 1064 1065 case sd_transfer_state: 1066 if (!sd->spi) 1067 break; 1068 sd->state = sd_sendingdata_state; 1069 memcpy(sd->data, sd->csd, 16); 1070 sd->data_start = addr; 1071 sd->data_offset = 0; 1072 return sd_r1; 1073 1074 default: 1075 break; 1076 } 1077 break; 1078 1079 case 10: /* CMD10: SEND_CID */ 1080 switch (sd->state) { 1081 case sd_standby_state: 1082 if (sd->rca != rca) 1083 return sd_r0; 1084 1085 return sd_r2_i; 1086 1087 case sd_transfer_state: 1088 if (!sd->spi) 1089 break; 1090 sd->state = sd_sendingdata_state; 1091 memcpy(sd->data, sd->cid, 16); 1092 sd->data_start = addr; 1093 sd->data_offset = 0; 1094 return sd_r1; 1095 1096 default: 1097 break; 1098 } 1099 break; 1100 1101 case 12: /* CMD12: STOP_TRANSMISSION */ 1102 switch (sd->state) { 1103 case sd_sendingdata_state: 1104 sd->state = sd_transfer_state; 1105 return sd_r1b; 1106 1107 case sd_receivingdata_state: 1108 sd->state = sd_programming_state; 1109 /* Bzzzzzzztt .... Operation complete. */ 1110 sd->state = sd_transfer_state; 1111 return sd_r1b; 1112 1113 default: 1114 break; 1115 } 1116 break; 1117 1118 case 13: /* CMD13: SEND_STATUS */ 1119 switch (sd->mode) { 1120 case sd_data_transfer_mode: 1121 if (sd->rca != rca) 1122 return sd_r0; 1123 1124 return sd_r1; 1125 1126 default: 1127 break; 1128 } 1129 break; 1130 1131 case 15: /* CMD15: GO_INACTIVE_STATE */ 1132 if (sd->spi) 1133 goto bad_cmd; 1134 switch (sd->mode) { 1135 case sd_data_transfer_mode: 1136 if (sd->rca != rca) 1137 return sd_r0; 1138 1139 sd->state = sd_inactive_state; 1140 return sd_r0; 1141 1142 default: 1143 break; 1144 } 1145 break; 1146 1147 /* Block read commands (Classs 2) */ 1148 case 16: /* CMD16: SET_BLOCKLEN */ 1149 switch (sd->state) { 1150 case sd_transfer_state: 1151 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1152 sd->card_status |= BLOCK_LEN_ERROR; 1153 } else { 1154 trace_sdcard_set_blocklen(req.arg); 1155 sd->blk_len = req.arg; 1156 } 1157 1158 return sd_r1; 1159 1160 default: 1161 break; 1162 } 1163 break; 1164 1165 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1166 switch (sd->state) { 1167 case sd_transfer_state: 1168 sd->state = sd_sendingdata_state; 1169 sd->data_start = addr; 1170 sd->data_offset = 0; 1171 1172 if (sd->data_start + sd->blk_len > sd->size) 1173 sd->card_status |= ADDRESS_ERROR; 1174 return sd_r1; 1175 1176 default: 1177 break; 1178 } 1179 break; 1180 1181 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1182 switch (sd->state) { 1183 case sd_transfer_state: 1184 sd->state = sd_sendingdata_state; 1185 sd->data_start = addr; 1186 sd->data_offset = 0; 1187 1188 if (sd->data_start + sd->blk_len > sd->size) 1189 sd->card_status |= ADDRESS_ERROR; 1190 return sd_r1; 1191 1192 default: 1193 break; 1194 } 1195 break; 1196 1197 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 1198 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1199 break; 1200 } 1201 if (sd->state == sd_transfer_state) { 1202 sd->state = sd_sendingdata_state; 1203 sd->data_offset = 0; 1204 return sd_r1; 1205 } 1206 break; 1207 1208 case 23: /* CMD23: SET_BLOCK_COUNT */ 1209 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1210 break; 1211 } 1212 switch (sd->state) { 1213 case sd_transfer_state: 1214 sd->multi_blk_cnt = req.arg; 1215 return sd_r1; 1216 1217 default: 1218 break; 1219 } 1220 break; 1221 1222 /* Block write commands (Class 4) */ 1223 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1224 switch (sd->state) { 1225 case sd_transfer_state: 1226 /* Writing in SPI mode not implemented. */ 1227 if (sd->spi) 1228 break; 1229 sd->state = sd_receivingdata_state; 1230 sd->data_start = addr; 1231 sd->data_offset = 0; 1232 sd->blk_written = 0; 1233 1234 if (sd->data_start + sd->blk_len > sd->size) 1235 sd->card_status |= ADDRESS_ERROR; 1236 if (sd_wp_addr(sd, sd->data_start)) 1237 sd->card_status |= WP_VIOLATION; 1238 if (sd->csd[14] & 0x30) 1239 sd->card_status |= WP_VIOLATION; 1240 return sd_r1; 1241 1242 default: 1243 break; 1244 } 1245 break; 1246 1247 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1248 switch (sd->state) { 1249 case sd_transfer_state: 1250 /* Writing in SPI mode not implemented. */ 1251 if (sd->spi) 1252 break; 1253 sd->state = sd_receivingdata_state; 1254 sd->data_start = addr; 1255 sd->data_offset = 0; 1256 sd->blk_written = 0; 1257 1258 if (sd->data_start + sd->blk_len > sd->size) 1259 sd->card_status |= ADDRESS_ERROR; 1260 if (sd_wp_addr(sd, sd->data_start)) 1261 sd->card_status |= WP_VIOLATION; 1262 if (sd->csd[14] & 0x30) 1263 sd->card_status |= WP_VIOLATION; 1264 return sd_r1; 1265 1266 default: 1267 break; 1268 } 1269 break; 1270 1271 case 26: /* CMD26: PROGRAM_CID */ 1272 if (sd->spi) 1273 goto bad_cmd; 1274 switch (sd->state) { 1275 case sd_transfer_state: 1276 sd->state = sd_receivingdata_state; 1277 sd->data_start = 0; 1278 sd->data_offset = 0; 1279 return sd_r1; 1280 1281 default: 1282 break; 1283 } 1284 break; 1285 1286 case 27: /* CMD27: PROGRAM_CSD */ 1287 switch (sd->state) { 1288 case sd_transfer_state: 1289 sd->state = sd_receivingdata_state; 1290 sd->data_start = 0; 1291 sd->data_offset = 0; 1292 return sd_r1; 1293 1294 default: 1295 break; 1296 } 1297 break; 1298 1299 /* Write protection (Class 6) */ 1300 case 28: /* CMD28: SET_WRITE_PROT */ 1301 switch (sd->state) { 1302 case sd_transfer_state: 1303 if (addr >= sd->size) { 1304 sd->card_status |= ADDRESS_ERROR; 1305 return sd_r1b; 1306 } 1307 1308 sd->state = sd_programming_state; 1309 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1310 /* Bzzzzzzztt .... Operation complete. */ 1311 sd->state = sd_transfer_state; 1312 return sd_r1b; 1313 1314 default: 1315 break; 1316 } 1317 break; 1318 1319 case 29: /* CMD29: CLR_WRITE_PROT */ 1320 switch (sd->state) { 1321 case sd_transfer_state: 1322 if (addr >= sd->size) { 1323 sd->card_status |= ADDRESS_ERROR; 1324 return sd_r1b; 1325 } 1326 1327 sd->state = sd_programming_state; 1328 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1329 /* Bzzzzzzztt .... Operation complete. */ 1330 sd->state = sd_transfer_state; 1331 return sd_r1b; 1332 1333 default: 1334 break; 1335 } 1336 break; 1337 1338 case 30: /* CMD30: SEND_WRITE_PROT */ 1339 switch (sd->state) { 1340 case sd_transfer_state: 1341 sd->state = sd_sendingdata_state; 1342 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg); 1343 sd->data_start = addr; 1344 sd->data_offset = 0; 1345 return sd_r1b; 1346 1347 default: 1348 break; 1349 } 1350 break; 1351 1352 /* Erase commands (Class 5) */ 1353 case 32: /* CMD32: ERASE_WR_BLK_START */ 1354 switch (sd->state) { 1355 case sd_transfer_state: 1356 sd->erase_start = req.arg; 1357 return sd_r1; 1358 1359 default: 1360 break; 1361 } 1362 break; 1363 1364 case 33: /* CMD33: ERASE_WR_BLK_END */ 1365 switch (sd->state) { 1366 case sd_transfer_state: 1367 sd->erase_end = req.arg; 1368 return sd_r1; 1369 1370 default: 1371 break; 1372 } 1373 break; 1374 1375 case 38: /* CMD38: ERASE */ 1376 switch (sd->state) { 1377 case sd_transfer_state: 1378 if (sd->csd[14] & 0x30) { 1379 sd->card_status |= WP_VIOLATION; 1380 return sd_r1b; 1381 } 1382 1383 sd->state = sd_programming_state; 1384 sd_erase(sd); 1385 /* Bzzzzzzztt .... Operation complete. */ 1386 sd->state = sd_transfer_state; 1387 return sd_r1b; 1388 1389 default: 1390 break; 1391 } 1392 break; 1393 1394 /* Lock card commands (Class 7) */ 1395 case 42: /* CMD42: LOCK_UNLOCK */ 1396 switch (sd->state) { 1397 case sd_transfer_state: 1398 sd->state = sd_receivingdata_state; 1399 sd->data_start = 0; 1400 sd->data_offset = 0; 1401 return sd_r1; 1402 1403 default: 1404 break; 1405 } 1406 break; 1407 1408 case 52 ... 54: 1409 /* CMD52, CMD53, CMD54: reserved for SDIO cards 1410 * (see the SDIO Simplified Specification V2.0) 1411 * Handle as illegal command but do not complain 1412 * on stderr, as some OSes may use these in their 1413 * probing for presence of an SDIO card. 1414 */ 1415 return sd_illegal; 1416 1417 /* Application specific commands (Class 8) */ 1418 case 55: /* CMD55: APP_CMD */ 1419 switch (sd->state) { 1420 case sd_ready_state: 1421 case sd_identification_state: 1422 case sd_inactive_state: 1423 return sd_illegal; 1424 case sd_idle_state: 1425 if (rca) { 1426 qemu_log_mask(LOG_GUEST_ERROR, 1427 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1428 } 1429 default: 1430 break; 1431 } 1432 if (!sd->spi) { 1433 if (sd->rca != rca) { 1434 return sd_r0; 1435 } 1436 } 1437 sd->expecting_acmd = true; 1438 sd->card_status |= APP_CMD; 1439 return sd_r1; 1440 1441 case 56: /* CMD56: GEN_CMD */ 1442 switch (sd->state) { 1443 case sd_transfer_state: 1444 sd->data_offset = 0; 1445 if (req.arg & 1) 1446 sd->state = sd_sendingdata_state; 1447 else 1448 sd->state = sd_receivingdata_state; 1449 return sd_r1; 1450 1451 default: 1452 break; 1453 } 1454 break; 1455 1456 case 58: /* CMD58: READ_OCR (SPI) */ 1457 if (!sd->spi) { 1458 goto bad_cmd; 1459 } 1460 return sd_r3; 1461 1462 case 59: /* CMD59: CRC_ON_OFF (SPI) */ 1463 if (!sd->spi) { 1464 goto bad_cmd; 1465 } 1466 goto unimplemented_spi_cmd; 1467 1468 default: 1469 bad_cmd: 1470 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1471 return sd_illegal; 1472 1473 unimplemented_spi_cmd: 1474 /* Commands that are recognised but not yet implemented in SPI mode. */ 1475 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1476 req.cmd); 1477 return sd_illegal; 1478 } 1479 1480 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd); 1481 return sd_illegal; 1482 } 1483 1484 static sd_rsp_type_t sd_app_command(SDState *sd, 1485 SDRequest req) 1486 { 1487 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd), 1488 req.cmd, req.arg, sd_state_name(sd->state)); 1489 sd->card_status |= APP_CMD; 1490 switch (req.cmd) { 1491 case 6: /* ACMD6: SET_BUS_WIDTH */ 1492 if (sd->spi) { 1493 goto unimplemented_spi_cmd; 1494 } 1495 switch (sd->state) { 1496 case sd_transfer_state: 1497 sd->sd_status[0] &= 0x3f; 1498 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1499 return sd_r1; 1500 1501 default: 1502 break; 1503 } 1504 break; 1505 1506 case 13: /* ACMD13: SD_STATUS */ 1507 switch (sd->state) { 1508 case sd_transfer_state: 1509 sd->state = sd_sendingdata_state; 1510 sd->data_start = 0; 1511 sd->data_offset = 0; 1512 return sd_r1; 1513 1514 default: 1515 break; 1516 } 1517 break; 1518 1519 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1520 switch (sd->state) { 1521 case sd_transfer_state: 1522 *(uint32_t *) sd->data = sd->blk_written; 1523 1524 sd->state = sd_sendingdata_state; 1525 sd->data_start = 0; 1526 sd->data_offset = 0; 1527 return sd_r1; 1528 1529 default: 1530 break; 1531 } 1532 break; 1533 1534 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */ 1535 switch (sd->state) { 1536 case sd_transfer_state: 1537 return sd_r1; 1538 1539 default: 1540 break; 1541 } 1542 break; 1543 1544 case 41: /* ACMD41: SD_APP_OP_COND */ 1545 if (sd->spi) { 1546 /* SEND_OP_CMD */ 1547 sd->state = sd_transfer_state; 1548 return sd_r1; 1549 } 1550 if (sd->state != sd_idle_state) { 1551 break; 1552 } 1553 /* If it's the first ACMD41 since reset, we need to decide 1554 * whether to power up. If this is not an enquiry ACMD41, 1555 * we immediately report power on and proceed below to the 1556 * ready state, but if it is, we set a timer to model a 1557 * delay for power up. This works around a bug in EDK2 1558 * UEFI, which sends an initial enquiry ACMD41, but 1559 * assumes that the card is in ready state as soon as it 1560 * sees the power up bit set. */ 1561 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1562 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1563 timer_del(sd->ocr_power_timer); 1564 sd_ocr_powerup(sd); 1565 } else { 1566 trace_sdcard_inquiry_cmd41(); 1567 if (!timer_pending(sd->ocr_power_timer)) { 1568 timer_mod_ns(sd->ocr_power_timer, 1569 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1570 + OCR_POWER_DELAY_NS)); 1571 } 1572 } 1573 } 1574 1575 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1576 /* We accept any voltage. 10000 V is nothing. 1577 * 1578 * Once we're powered up, we advance straight to ready state 1579 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1580 */ 1581 sd->state = sd_ready_state; 1582 } 1583 1584 return sd_r3; 1585 1586 case 42: /* ACMD42: SET_CLR_CARD_DETECT */ 1587 switch (sd->state) { 1588 case sd_transfer_state: 1589 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1590 return sd_r1; 1591 1592 default: 1593 break; 1594 } 1595 break; 1596 1597 case 51: /* ACMD51: SEND_SCR */ 1598 switch (sd->state) { 1599 case sd_transfer_state: 1600 sd->state = sd_sendingdata_state; 1601 sd->data_start = 0; 1602 sd->data_offset = 0; 1603 return sd_r1; 1604 1605 default: 1606 break; 1607 } 1608 break; 1609 1610 case 18: /* Reserved for SD security applications */ 1611 case 25: 1612 case 26: 1613 case 38: 1614 case 43 ... 49: 1615 /* Refer to the "SD Specifications Part3 Security Specification" for 1616 * information about the SD Security Features. 1617 */ 1618 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 1619 req.cmd); 1620 return sd_illegal; 1621 1622 default: 1623 /* Fall back to standard commands. */ 1624 return sd_normal_command(sd, req); 1625 1626 unimplemented_spi_cmd: 1627 /* Commands that are recognised but not yet implemented in SPI mode. */ 1628 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1629 req.cmd); 1630 return sd_illegal; 1631 } 1632 1633 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1634 return sd_illegal; 1635 } 1636 1637 static int cmd_valid_while_locked(SDState *sd, SDRequest *req) 1638 { 1639 /* Valid commands in locked state: 1640 * basic class (0) 1641 * lock card class (7) 1642 * CMD16 1643 * implicitly, the ACMD prefix CMD55 1644 * ACMD41 and ACMD42 1645 * Anything else provokes an "illegal command" response. 1646 */ 1647 if (sd->expecting_acmd) { 1648 return req->cmd == 41 || req->cmd == 42; 1649 } 1650 if (req->cmd == 16 || req->cmd == 55) { 1651 return 1; 1652 } 1653 return sd_cmd_class[req->cmd] == 0 1654 || sd_cmd_class[req->cmd] == 7; 1655 } 1656 1657 int sd_do_command(SDState *sd, SDRequest *req, 1658 uint8_t *response) { 1659 int last_state; 1660 sd_rsp_type_t rtype; 1661 int rsplen; 1662 1663 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1664 return 0; 1665 } 1666 1667 if (sd_req_crc_validate(req)) { 1668 sd->card_status |= COM_CRC_ERROR; 1669 rtype = sd_illegal; 1670 goto send_response; 1671 } 1672 1673 if (req->cmd >= SDMMC_CMD_MAX) { 1674 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 1675 req->cmd); 1676 req->cmd &= 0x3f; 1677 } 1678 1679 if (sd->card_status & CARD_IS_LOCKED) { 1680 if (!cmd_valid_while_locked(sd, req)) { 1681 sd->card_status |= ILLEGAL_COMMAND; 1682 sd->expecting_acmd = false; 1683 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1684 rtype = sd_illegal; 1685 goto send_response; 1686 } 1687 } 1688 1689 last_state = sd->state; 1690 sd_set_mode(sd); 1691 1692 if (sd->expecting_acmd) { 1693 sd->expecting_acmd = false; 1694 rtype = sd_app_command(sd, *req); 1695 } else { 1696 rtype = sd_normal_command(sd, *req); 1697 } 1698 1699 if (rtype == sd_illegal) { 1700 sd->card_status |= ILLEGAL_COMMAND; 1701 } else { 1702 /* Valid command, we can update the 'state before command' bits. 1703 * (Do this now so they appear in r1 responses.) 1704 */ 1705 sd->current_cmd = req->cmd; 1706 sd->card_status &= ~CURRENT_STATE; 1707 sd->card_status |= (last_state << 9); 1708 } 1709 1710 send_response: 1711 switch (rtype) { 1712 case sd_r1: 1713 case sd_r1b: 1714 sd_response_r1_make(sd, response); 1715 rsplen = 4; 1716 break; 1717 1718 case sd_r2_i: 1719 memcpy(response, sd->cid, sizeof(sd->cid)); 1720 rsplen = 16; 1721 break; 1722 1723 case sd_r2_s: 1724 memcpy(response, sd->csd, sizeof(sd->csd)); 1725 rsplen = 16; 1726 break; 1727 1728 case sd_r3: 1729 sd_response_r3_make(sd, response); 1730 rsplen = 4; 1731 break; 1732 1733 case sd_r6: 1734 sd_response_r6_make(sd, response); 1735 rsplen = 4; 1736 break; 1737 1738 case sd_r7: 1739 sd_response_r7_make(sd, response); 1740 rsplen = 4; 1741 break; 1742 1743 case sd_r0: 1744 case sd_illegal: 1745 rsplen = 0; 1746 break; 1747 default: 1748 g_assert_not_reached(); 1749 } 1750 trace_sdcard_response(sd_response_name(rtype), rsplen); 1751 1752 if (rtype != sd_illegal) { 1753 /* Clear the "clear on valid command" status bits now we've 1754 * sent any response 1755 */ 1756 sd->card_status &= ~CARD_STATUS_B; 1757 } 1758 1759 #ifdef DEBUG_SD 1760 qemu_hexdump((const char *)response, stderr, "Response", rsplen); 1761 #endif 1762 1763 return rsplen; 1764 } 1765 1766 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 1767 { 1768 trace_sdcard_read_block(addr, len); 1769 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) { 1770 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1771 } 1772 } 1773 1774 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 1775 { 1776 trace_sdcard_write_block(addr, len); 1777 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) { 1778 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1779 } 1780 } 1781 1782 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len) 1783 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len) 1784 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 1785 #define APP_WRITE_BLOCK(a, len) 1786 1787 void sd_write_data(SDState *sd, uint8_t value) 1788 { 1789 int i; 1790 1791 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1792 return; 1793 1794 if (sd->state != sd_receivingdata_state) { 1795 qemu_log_mask(LOG_GUEST_ERROR, 1796 "sd_write_data: not in Receiving-Data state\n"); 1797 return; 1798 } 1799 1800 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1801 return; 1802 1803 trace_sdcard_write_data(sd->proto_name, 1804 sd_acmd_name(sd->current_cmd), 1805 sd->current_cmd, value); 1806 switch (sd->current_cmd) { 1807 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1808 sd->data[sd->data_offset ++] = value; 1809 if (sd->data_offset >= sd->blk_len) { 1810 /* TODO: Check CRC before committing */ 1811 sd->state = sd_programming_state; 1812 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1813 sd->blk_written ++; 1814 sd->csd[14] |= 0x40; 1815 /* Bzzzzzzztt .... Operation complete. */ 1816 sd->state = sd_transfer_state; 1817 } 1818 break; 1819 1820 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1821 if (sd->data_offset == 0) { 1822 /* Start of the block - let's check the address is valid */ 1823 if (sd->data_start + sd->blk_len > sd->size) { 1824 sd->card_status |= ADDRESS_ERROR; 1825 break; 1826 } 1827 if (sd_wp_addr(sd, sd->data_start)) { 1828 sd->card_status |= WP_VIOLATION; 1829 break; 1830 } 1831 } 1832 sd->data[sd->data_offset++] = value; 1833 if (sd->data_offset >= sd->blk_len) { 1834 /* TODO: Check CRC before committing */ 1835 sd->state = sd_programming_state; 1836 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1837 sd->blk_written++; 1838 sd->data_start += sd->blk_len; 1839 sd->data_offset = 0; 1840 sd->csd[14] |= 0x40; 1841 1842 /* Bzzzzzzztt .... Operation complete. */ 1843 if (sd->multi_blk_cnt != 0) { 1844 if (--sd->multi_blk_cnt == 0) { 1845 /* Stop! */ 1846 sd->state = sd_transfer_state; 1847 break; 1848 } 1849 } 1850 1851 sd->state = sd_receivingdata_state; 1852 } 1853 break; 1854 1855 case 26: /* CMD26: PROGRAM_CID */ 1856 sd->data[sd->data_offset ++] = value; 1857 if (sd->data_offset >= sizeof(sd->cid)) { 1858 /* TODO: Check CRC before committing */ 1859 sd->state = sd_programming_state; 1860 for (i = 0; i < sizeof(sd->cid); i ++) 1861 if ((sd->cid[i] | 0x00) != sd->data[i]) 1862 sd->card_status |= CID_CSD_OVERWRITE; 1863 1864 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1865 for (i = 0; i < sizeof(sd->cid); i ++) { 1866 sd->cid[i] |= 0x00; 1867 sd->cid[i] &= sd->data[i]; 1868 } 1869 /* Bzzzzzzztt .... Operation complete. */ 1870 sd->state = sd_transfer_state; 1871 } 1872 break; 1873 1874 case 27: /* CMD27: PROGRAM_CSD */ 1875 sd->data[sd->data_offset ++] = value; 1876 if (sd->data_offset >= sizeof(sd->csd)) { 1877 /* TODO: Check CRC before committing */ 1878 sd->state = sd_programming_state; 1879 for (i = 0; i < sizeof(sd->csd); i ++) 1880 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 1881 (sd->data[i] | sd_csd_rw_mask[i])) 1882 sd->card_status |= CID_CSD_OVERWRITE; 1883 1884 /* Copy flag (OTP) & Permanent write protect */ 1885 if (sd->csd[14] & ~sd->data[14] & 0x60) 1886 sd->card_status |= CID_CSD_OVERWRITE; 1887 1888 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1889 for (i = 0; i < sizeof(sd->csd); i ++) { 1890 sd->csd[i] |= sd_csd_rw_mask[i]; 1891 sd->csd[i] &= sd->data[i]; 1892 } 1893 /* Bzzzzzzztt .... Operation complete. */ 1894 sd->state = sd_transfer_state; 1895 } 1896 break; 1897 1898 case 42: /* CMD42: LOCK_UNLOCK */ 1899 sd->data[sd->data_offset ++] = value; 1900 if (sd->data_offset >= sd->blk_len) { 1901 /* TODO: Check CRC before committing */ 1902 sd->state = sd_programming_state; 1903 sd_lock_command(sd); 1904 /* Bzzzzzzztt .... Operation complete. */ 1905 sd->state = sd_transfer_state; 1906 } 1907 break; 1908 1909 case 56: /* CMD56: GEN_CMD */ 1910 sd->data[sd->data_offset ++] = value; 1911 if (sd->data_offset >= sd->blk_len) { 1912 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 1913 sd->state = sd_transfer_state; 1914 } 1915 break; 1916 1917 default: 1918 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n"); 1919 break; 1920 } 1921 } 1922 1923 #define SD_TUNING_BLOCK_SIZE 64 1924 1925 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = { 1926 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */ 1927 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 1928 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 1929 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 1930 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 1931 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 1932 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 1933 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 1934 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde, 1935 }; 1936 1937 uint8_t sd_read_data(SDState *sd) 1938 { 1939 /* TODO: Append CRCs */ 1940 uint8_t ret; 1941 int io_len; 1942 1943 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1944 return 0x00; 1945 1946 if (sd->state != sd_sendingdata_state) { 1947 qemu_log_mask(LOG_GUEST_ERROR, 1948 "sd_read_data: not in Sending-Data state\n"); 1949 return 0x00; 1950 } 1951 1952 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1953 return 0x00; 1954 1955 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len; 1956 1957 trace_sdcard_read_data(sd->proto_name, 1958 sd_acmd_name(sd->current_cmd), 1959 sd->current_cmd, io_len); 1960 switch (sd->current_cmd) { 1961 case 6: /* CMD6: SWITCH_FUNCTION */ 1962 ret = sd->data[sd->data_offset ++]; 1963 1964 if (sd->data_offset >= 64) 1965 sd->state = sd_transfer_state; 1966 break; 1967 1968 case 9: /* CMD9: SEND_CSD */ 1969 case 10: /* CMD10: SEND_CID */ 1970 ret = sd->data[sd->data_offset ++]; 1971 1972 if (sd->data_offset >= 16) 1973 sd->state = sd_transfer_state; 1974 break; 1975 1976 case 13: /* ACMD13: SD_STATUS */ 1977 ret = sd->sd_status[sd->data_offset ++]; 1978 1979 if (sd->data_offset >= sizeof(sd->sd_status)) 1980 sd->state = sd_transfer_state; 1981 break; 1982 1983 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1984 if (sd->data_offset == 0) 1985 BLK_READ_BLOCK(sd->data_start, io_len); 1986 ret = sd->data[sd->data_offset ++]; 1987 1988 if (sd->data_offset >= io_len) 1989 sd->state = sd_transfer_state; 1990 break; 1991 1992 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1993 if (sd->data_offset == 0) { 1994 if (sd->data_start + io_len > sd->size) { 1995 sd->card_status |= ADDRESS_ERROR; 1996 return 0x00; 1997 } 1998 BLK_READ_BLOCK(sd->data_start, io_len); 1999 } 2000 ret = sd->data[sd->data_offset ++]; 2001 2002 if (sd->data_offset >= io_len) { 2003 sd->data_start += io_len; 2004 sd->data_offset = 0; 2005 2006 if (sd->multi_blk_cnt != 0) { 2007 if (--sd->multi_blk_cnt == 0) { 2008 /* Stop! */ 2009 sd->state = sd_transfer_state; 2010 break; 2011 } 2012 } 2013 } 2014 break; 2015 2016 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2017 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) { 2018 sd->state = sd_transfer_state; 2019 } 2020 ret = sd_tuning_block_pattern[sd->data_offset++]; 2021 break; 2022 2023 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2024 ret = sd->data[sd->data_offset ++]; 2025 2026 if (sd->data_offset >= 4) 2027 sd->state = sd_transfer_state; 2028 break; 2029 2030 case 30: /* CMD30: SEND_WRITE_PROT */ 2031 ret = sd->data[sd->data_offset ++]; 2032 2033 if (sd->data_offset >= 4) 2034 sd->state = sd_transfer_state; 2035 break; 2036 2037 case 51: /* ACMD51: SEND_SCR */ 2038 ret = sd->scr[sd->data_offset ++]; 2039 2040 if (sd->data_offset >= sizeof(sd->scr)) 2041 sd->state = sd_transfer_state; 2042 break; 2043 2044 case 56: /* CMD56: GEN_CMD */ 2045 if (sd->data_offset == 0) 2046 APP_READ_BLOCK(sd->data_start, sd->blk_len); 2047 ret = sd->data[sd->data_offset ++]; 2048 2049 if (sd->data_offset >= sd->blk_len) 2050 sd->state = sd_transfer_state; 2051 break; 2052 2053 default: 2054 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n"); 2055 return 0x00; 2056 } 2057 2058 return ret; 2059 } 2060 2061 bool sd_data_ready(SDState *sd) 2062 { 2063 return sd->state == sd_sendingdata_state; 2064 } 2065 2066 void sd_enable(SDState *sd, bool enable) 2067 { 2068 sd->enable = enable; 2069 } 2070 2071 static void sd_instance_init(Object *obj) 2072 { 2073 SDState *sd = SD_CARD(obj); 2074 2075 sd->enable = true; 2076 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2077 } 2078 2079 static void sd_instance_finalize(Object *obj) 2080 { 2081 SDState *sd = SD_CARD(obj); 2082 2083 timer_del(sd->ocr_power_timer); 2084 timer_free(sd->ocr_power_timer); 2085 } 2086 2087 static void sd_realize(DeviceState *dev, Error **errp) 2088 { 2089 SDState *sd = SD_CARD(dev); 2090 int ret; 2091 2092 sd->proto_name = sd->spi ? "SPI" : "SD"; 2093 2094 switch (sd->spec_version) { 2095 case SD_PHY_SPECv1_10_VERS 2096 ... SD_PHY_SPECv3_01_VERS: 2097 break; 2098 default: 2099 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2100 return; 2101 } 2102 2103 if (sd->blk && blk_is_read_only(sd->blk)) { 2104 error_setg(errp, "Cannot use read-only drive as SD card"); 2105 return; 2106 } 2107 2108 if (sd->blk) { 2109 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2110 BLK_PERM_ALL, errp); 2111 if (ret < 0) { 2112 return; 2113 } 2114 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2115 } 2116 } 2117 2118 static Property sd_properties[] = { 2119 DEFINE_PROP_UINT8("spec_version", SDState, 2120 spec_version, SD_PHY_SPECv2_00_VERS), 2121 DEFINE_PROP_DRIVE("drive", SDState, blk), 2122 /* We do not model the chip select pin, so allow the board to select 2123 * whether card should be in SSI or MMC/SD mode. It is also up to the 2124 * board to ensure that ssi transfers only occur when the chip select 2125 * is asserted. */ 2126 DEFINE_PROP_BOOL("spi", SDState, spi, false), 2127 DEFINE_PROP_END_OF_LIST() 2128 }; 2129 2130 static void sd_class_init(ObjectClass *klass, void *data) 2131 { 2132 DeviceClass *dc = DEVICE_CLASS(klass); 2133 SDCardClass *sc = SD_CARD_CLASS(klass); 2134 2135 dc->realize = sd_realize; 2136 device_class_set_props(dc, sd_properties); 2137 dc->vmsd = &sd_vmstate; 2138 dc->reset = sd_reset; 2139 dc->bus_type = TYPE_SD_BUS; 2140 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2141 2142 sc->set_voltage = sd_set_voltage; 2143 sc->get_dat_lines = sd_get_dat_lines; 2144 sc->get_cmd_line = sd_get_cmd_line; 2145 sc->do_command = sd_do_command; 2146 sc->write_data = sd_write_data; 2147 sc->read_data = sd_read_data; 2148 sc->data_ready = sd_data_ready; 2149 sc->enable = sd_enable; 2150 sc->get_inserted = sd_get_inserted; 2151 sc->get_readonly = sd_get_readonly; 2152 } 2153 2154 static const TypeInfo sd_info = { 2155 .name = TYPE_SD_CARD, 2156 .parent = TYPE_DEVICE, 2157 .instance_size = sizeof(SDState), 2158 .class_size = sizeof(SDCardClass), 2159 .class_init = sd_class_init, 2160 .instance_init = sd_instance_init, 2161 .instance_finalize = sd_instance_finalize, 2162 }; 2163 2164 static void sd_register_types(void) 2165 { 2166 type_register_static(&sd_info); 2167 } 2168 2169 type_init(sd_register_types) 2170