1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * eMMC emulation defined in "JEDEC Standard No. 84-A43" 6 * 7 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 8 * Copyright (c) 2007 CodeSourcery 9 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in 19 * the documentation and/or other materials provided with the 20 * distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 23 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 25 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 26 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 27 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 29 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 30 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include "qemu/osdep.h" 36 #include "qemu/units.h" 37 #include "qemu/cutils.h" 38 #include "hw/irq.h" 39 #include "hw/registerfields.h" 40 #include "system/block-backend.h" 41 #include "hw/sd/sd.h" 42 #include "migration/vmstate.h" 43 #include "qapi/error.h" 44 #include "qemu/bitmap.h" 45 #include "hw/qdev-properties.h" 46 #include "hw/qdev-properties-system.h" 47 #include "qemu/error-report.h" 48 #include "qemu/timer.h" 49 #include "qemu/log.h" 50 #include "qemu/guest-random.h" 51 #include "qemu/module.h" 52 #include "sdmmc-internal.h" 53 #include "trace.h" 54 55 //#define DEBUG_SD 1 56 57 #define SDSC_MAX_CAPACITY (2 * GiB) 58 59 #define INVALID_ADDRESS UINT32_MAX 60 61 typedef enum { 62 sd_r0 = 0, /* no response */ 63 sd_r1, /* normal response command */ 64 sd_r2_i, /* CID register */ 65 sd_r2_s, /* CSD register */ 66 sd_r3, /* OCR register */ 67 sd_r6 = 6, /* Published RCA response */ 68 sd_r7, /* Operating voltage */ 69 sd_r1b = -1, 70 sd_illegal = -2, 71 } sd_rsp_type_t; 72 73 typedef enum { 74 sd_spi, 75 sd_bc, /* broadcast -- no response */ 76 sd_bcr, /* broadcast with response */ 77 sd_ac, /* addressed -- no data transfer */ 78 sd_adtc, /* addressed with data transfer */ 79 } sd_cmd_type_t; 80 81 enum SDCardModes { 82 sd_inactive, 83 sd_card_identification_mode, 84 sd_data_transfer_mode, 85 }; 86 87 enum SDCardStates { 88 sd_waitirq_state = -2, /* emmc */ 89 sd_inactive_state = -1, 90 91 sd_idle_state = 0, 92 sd_ready_state = 1, 93 sd_identification_state = 2, 94 sd_standby_state = 3, 95 sd_transfer_state = 4, 96 sd_sendingdata_state = 5, 97 sd_receivingdata_state = 6, 98 sd_programming_state = 7, 99 sd_disconnect_state = 8, 100 sd_bus_test_state = 9, /* emmc */ 101 sd_sleep_state = 10, /* emmc */ 102 sd_io_state = 15 /* sd */ 103 }; 104 105 #define SDMMC_CMD_MAX 64 106 107 typedef sd_rsp_type_t (*sd_cmd_handler)(SDState *sd, SDRequest req); 108 109 typedef struct SDProto { 110 const char *name; 111 struct { 112 const unsigned class; 113 const sd_cmd_type_t type; 114 const char *name; 115 sd_cmd_handler handler; 116 } cmd[SDMMC_CMD_MAX], acmd[SDMMC_CMD_MAX]; 117 } SDProto; 118 119 struct SDState { 120 DeviceState parent_obj; 121 122 /* SD Memory Card Registers */ 123 uint32_t ocr; 124 uint8_t scr[8]; 125 uint8_t cid[16]; 126 uint8_t csd[16]; 127 uint16_t rca; 128 uint32_t card_status; 129 uint8_t sd_status[64]; 130 union { 131 uint8_t ext_csd[512]; 132 struct { 133 uint8_t ext_csd_rw[192]; /* Modes segment */ 134 uint8_t ext_csd_ro[320]; /* Properties segment */ 135 }; 136 }; 137 138 /* Static properties */ 139 140 uint8_t spec_version; 141 uint64_t boot_part_size; 142 BlockBackend *blk; 143 uint8_t boot_config; 144 145 const SDProto *proto; 146 147 /* Runtime changeables */ 148 149 uint32_t mode; /* current card mode, one of SDCardModes */ 150 int32_t state; /* current card state, one of SDCardStates */ 151 uint32_t vhs; 152 bool wp_switch; 153 unsigned long *wp_group_bmap; 154 int32_t wp_group_bits; 155 uint64_t size; 156 uint32_t blk_len; 157 uint32_t multi_blk_cnt; 158 uint32_t erase_start; 159 uint32_t erase_end; 160 uint8_t pwd[16]; 161 uint32_t pwd_len; 162 uint8_t function_group[6]; 163 uint8_t current_cmd; 164 const char *last_cmd_name; 165 /* True if we will handle the next command as an ACMD. Note that this does 166 * *not* track the APP_CMD status bit! 167 */ 168 bool expecting_acmd; 169 uint32_t blk_written; 170 171 uint64_t data_start; 172 uint32_t data_offset; 173 size_t data_size; 174 uint8_t data[512]; 175 QEMUTimer *ocr_power_timer; 176 uint8_t dat_lines; 177 bool cmd_line; 178 }; 179 180 static void sd_realize(DeviceState *dev, Error **errp); 181 182 static const SDProto sd_proto_spi; 183 static const SDProto sd_proto_emmc; 184 185 static bool sd_is_spi(SDState *sd) 186 { 187 return sd->proto == &sd_proto_spi; 188 } 189 190 static bool sd_is_emmc(SDState *sd) 191 { 192 return sd->proto == &sd_proto_emmc; 193 } 194 195 static const char *sd_version_str(enum SDPhySpecificationVersion version) 196 { 197 static const char *sdphy_version[] = { 198 [SD_PHY_SPECv1_10_VERS] = "v1.10", 199 [SD_PHY_SPECv2_00_VERS] = "v2.00", 200 [SD_PHY_SPECv3_01_VERS] = "v3.01", 201 }; 202 if (version >= ARRAY_SIZE(sdphy_version)) { 203 return "unsupported version"; 204 } 205 return sdphy_version[version]; 206 } 207 208 static const char *sd_mode_name(enum SDCardModes mode) 209 { 210 static const char *mode_name[] = { 211 [sd_inactive] = "inactive", 212 [sd_card_identification_mode] = "identification", 213 [sd_data_transfer_mode] = "transfer", 214 }; 215 assert(mode < ARRAY_SIZE(mode_name)); 216 return mode_name[mode]; 217 } 218 219 static const char *sd_state_name(enum SDCardStates state) 220 { 221 static const char *state_name[] = { 222 [sd_idle_state] = "idle", 223 [sd_ready_state] = "ready", 224 [sd_identification_state] = "identification", 225 [sd_standby_state] = "standby", 226 [sd_transfer_state] = "transfer", 227 [sd_sendingdata_state] = "sendingdata", 228 [sd_bus_test_state] = "bus-test", 229 [sd_receivingdata_state] = "receivingdata", 230 [sd_programming_state] = "programming", 231 [sd_disconnect_state] = "disconnect", 232 [sd_sleep_state] = "sleep", 233 [sd_io_state] = "i/o" 234 }; 235 if (state == sd_inactive_state) { 236 return "inactive"; 237 } 238 if (state == sd_waitirq_state) { 239 return "wait-irq"; 240 } 241 assert(state < ARRAY_SIZE(state_name)); 242 return state_name[state]; 243 } 244 245 static const char *sd_response_name(sd_rsp_type_t rsp) 246 { 247 static const char *response_name[] = { 248 [sd_r0] = "RESP#0 (no response)", 249 [sd_r1] = "RESP#1 (normal cmd)", 250 [sd_r2_i] = "RESP#2 (CID reg)", 251 [sd_r2_s] = "RESP#2 (CSD reg)", 252 [sd_r3] = "RESP#3 (OCR reg)", 253 [sd_r6] = "RESP#6 (RCA)", 254 [sd_r7] = "RESP#7 (operating voltage)", 255 }; 256 if (rsp == sd_illegal) { 257 return "ILLEGAL RESP"; 258 } 259 if (rsp == sd_r1b) { 260 rsp = sd_r1; 261 } 262 assert(rsp < ARRAY_SIZE(response_name)); 263 return response_name[rsp]; 264 } 265 266 static const char *sd_cmd_name(SDState *sd, uint8_t cmd) 267 { 268 static const char *cmd_abbrev[SDMMC_CMD_MAX] = { 269 [18] = "READ_MULTIPLE_BLOCK", 270 [25] = "WRITE_MULTIPLE_BLOCK", 271 }; 272 const SDProto *sdp = sd->proto; 273 274 if (sdp->cmd[cmd].handler) { 275 assert(!cmd_abbrev[cmd]); 276 return sdp->cmd[cmd].name; 277 } 278 return cmd_abbrev[cmd] ? cmd_abbrev[cmd] : "UNKNOWN_CMD"; 279 } 280 281 static const char *sd_acmd_name(SDState *sd, uint8_t cmd) 282 { 283 const SDProto *sdp = sd->proto; 284 285 if (sdp->acmd[cmd].handler) { 286 return sdp->acmd[cmd].name; 287 } 288 289 return "UNKNOWN_ACMD"; 290 } 291 292 static uint8_t sd_get_dat_lines(SDState *sd) 293 { 294 return sd->dat_lines; 295 } 296 297 static bool sd_get_cmd_line(SDState *sd) 298 { 299 return sd->cmd_line; 300 } 301 302 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 303 { 304 trace_sdcard_set_voltage(millivolts); 305 306 switch (millivolts) { 307 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 308 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 309 break; 310 default: 311 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 312 millivolts / 1000.f); 313 } 314 } 315 316 static void sd_set_mode(SDState *sd) 317 { 318 switch (sd->state) { 319 case sd_inactive_state: 320 sd->mode = sd_inactive; 321 break; 322 323 case sd_idle_state: 324 case sd_ready_state: 325 case sd_identification_state: 326 sd->mode = sd_card_identification_mode; 327 break; 328 329 case sd_standby_state: 330 case sd_transfer_state: 331 case sd_sendingdata_state: 332 case sd_receivingdata_state: 333 case sd_programming_state: 334 case sd_disconnect_state: 335 sd->mode = sd_data_transfer_mode; 336 break; 337 } 338 } 339 340 static uint8_t sd_crc7(const void *message, size_t width) 341 { 342 int i, bit; 343 uint8_t shift_reg = 0x00; 344 const uint8_t *msg = (const uint8_t *)message; 345 346 for (i = 0; i < width; i ++, msg ++) 347 for (bit = 7; bit >= 0; bit --) { 348 shift_reg <<= 1; 349 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 350 shift_reg ^= 0x89; 351 } 352 353 return shift_reg; 354 } 355 356 /* Operation Conditions register */ 357 358 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 359 360 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 361 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 362 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 363 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 364 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 365 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 366 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 367 FIELD(OCR, CARD_POWER_UP, 31, 1) 368 369 #define ACMD41_ENQUIRY_MASK 0x00ffffff 370 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 371 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 372 | R_OCR_UHS_II_CARD_MASK \ 373 | R_OCR_CARD_CAPACITY_MASK \ 374 | R_OCR_CARD_POWER_UP_MASK) 375 376 static void sd_ocr_powerup(void *opaque) 377 { 378 SDState *sd = opaque; 379 380 trace_sdcard_powerup(); 381 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 382 383 /* card power-up OK */ 384 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 385 386 if (sd->size > SDSC_MAX_CAPACITY) { 387 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 388 } 389 } 390 391 static void sd_set_ocr(SDState *sd) 392 { 393 /* All voltages OK */ 394 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 395 396 if (sd_is_spi(sd)) { 397 /* 398 * We don't need to emulate power up sequence in SPI-mode. 399 * Thus, the card's power up status bit should be set to 1 when reset. 400 * The card's capacity status bit should also be set if SD card size 401 * is larger than 2GB for SDHC support. 402 */ 403 sd_ocr_powerup(sd); 404 } 405 } 406 407 /* SD Configuration register */ 408 409 static void sd_set_scr(SDState *sd) 410 { 411 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 412 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 413 sd->scr[0] |= 1; /* Spec Version 1.10 */ 414 } else { 415 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 416 } 417 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 418 | 0b0101; /* 1-bit or 4-bit width bus modes */ 419 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 420 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 421 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 422 } 423 sd->scr[3] = 0x00; 424 /* reserved for manufacturer usage */ 425 sd->scr[4] = 0x00; 426 sd->scr[5] = 0x00; 427 sd->scr[6] = 0x00; 428 sd->scr[7] = 0x00; 429 } 430 431 /* Card IDentification register */ 432 433 #define MID 0xaa 434 #define OID "XY" 435 #define PNM "QEMU!" 436 #define PRV 0x01 437 #define MDT_YR 2006 438 #define MDT_MON 2 439 440 static void sd_set_cid(SDState *sd) 441 { 442 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 443 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 444 sd->cid[2] = OID[1]; 445 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 446 sd->cid[4] = PNM[1]; 447 sd->cid[5] = PNM[2]; 448 sd->cid[6] = PNM[3]; 449 sd->cid[7] = PNM[4]; 450 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 451 stl_be_p(&sd->cid[9], 0xdeadbeef); /* Fake serial number (PSN) */ 452 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 453 ((MDT_YR - 2000) / 10); 454 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 455 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 456 } 457 458 static void emmc_set_cid(SDState *sd) 459 { 460 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 461 sd->cid[1] = 0b01; /* CBX: soldered BGA */ 462 sd->cid[2] = OID[0]; /* OEM/Application ID (OID) */ 463 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 464 sd->cid[4] = PNM[1]; 465 sd->cid[5] = PNM[2]; 466 sd->cid[6] = PNM[3]; 467 sd->cid[7] = PNM[4]; 468 sd->cid[8] = PNM[4]; 469 sd->cid[9] = PRV; /* Fake product revision (PRV) */ 470 stl_be_p(&sd->cid[10], 0xdeadbeef); /* Fake serial number (PSN) */ 471 sd->cid[14] = (MDT_MON << 4) | (MDT_YR - 1997); /* Manufacture date (MDT) */ 472 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 473 } 474 475 /* Card-Specific Data register */ 476 477 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 478 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 479 #define WPGROUP_SHIFT 7 /* 2 megs */ 480 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 481 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 482 483 static const uint8_t sd_csd_rw_mask[16] = { 484 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 485 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 486 }; 487 488 static void emmc_set_ext_csd(SDState *sd, uint64_t size) 489 { 490 uint32_t sectcount = size >> HWBLOCK_SHIFT; 491 492 memset(sd->ext_csd, 0, sizeof(sd->ext_csd)); /* FIXME only RW at reset */ 493 494 /* Properties segment (RO) */ 495 sd->ext_csd[EXT_CSD_S_CMD_SET] = 0b1; /* supported command sets */ 496 sd->ext_csd[EXT_CSD_BOOT_INFO] = 0x0; /* Boot information */ 497 /* Boot partition size. 128KB unit */ 498 sd->ext_csd[EXT_CSD_BOOT_MULT] = sd->boot_part_size / (128 * KiB); 499 sd->ext_csd[EXT_CSD_ACC_SIZE] = 0x1; /* Access size */ 500 sd->ext_csd[EXT_CSD_HC_ERASE_GRP_SIZE] = 0x01; /* HC Erase unit size */ 501 sd->ext_csd[EXT_CSD_ERASE_TIMEOUT_MULT] = 0x01; /* HC erase timeout */ 502 sd->ext_csd[EXT_CSD_REL_WR_SEC_C] = 0x1; /* Reliable write sector count */ 503 sd->ext_csd[EXT_CSD_HC_WP_GRP_SIZE] = 0x01; /* HC write protect group size */ 504 sd->ext_csd[EXT_CSD_S_C_VCC] = 0x01; /* Sleep current VCC */ 505 sd->ext_csd[EXT_CSD_S_C_VCCQ] = 0x01; /* Sleep current VCCQ */ 506 sd->ext_csd[EXT_CSD_S_A_TIMEOUT] = 0x01; /* Sleep/Awake timeout */ 507 stl_le_p(&sd->ext_csd[EXT_CSD_SEC_CNT], sectcount); /* Sector count */ 508 sd->ext_csd[210] = 0x46; /* Min write perf for 8bit@52Mhz */ 509 sd->ext_csd[209] = 0x46; /* Min read perf for 8bit@52Mhz */ 510 sd->ext_csd[208] = 0x46; /* Min write perf for 4bit@52Mhz */ 511 sd->ext_csd[207] = 0x46; /* Min read perf for 4bit@52Mhz */ 512 sd->ext_csd[206] = 0x46; /* Min write perf for 4bit@26Mhz */ 513 sd->ext_csd[205] = 0x46; /* Min read perf for 4bit@26Mhz */ 514 sd->ext_csd[EXT_CSD_CARD_TYPE] = 0b11; 515 sd->ext_csd[EXT_CSD_STRUCTURE] = 2; 516 sd->ext_csd[EXT_CSD_REV] = 3; 517 518 /* Mode segment (RW) */ 519 sd->ext_csd[EXT_CSD_PART_CONFIG] = sd->boot_config; 520 } 521 522 static void emmc_set_csd(SDState *sd, uint64_t size) 523 { 524 int hwblock_shift = HWBLOCK_SHIFT; 525 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 526 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 527 528 sd->csd[0] = (3 << 6) | (4 << 2); /* Spec v4.3 with EXT_CSD */ 529 sd->csd[1] = (1 << 3) | 6; /* Asynchronous data access time: 1ms */ 530 sd->csd[2] = 0x00; 531 sd->csd[3] = (1 << 3) | 3;; /* Maximum bus clock frequency: 100MHz */ 532 sd->csd[4] = 0x0f; 533 if (size <= 2 * GiB) { 534 /* use 1k blocks */ 535 uint32_t csize1k = (size >> (CMULT_SHIFT + 10)) - 1; 536 sd->csd[5] = 0x5a; 537 sd->csd[6] = 0x80 | ((csize1k >> 10) & 0xf); 538 sd->csd[7] = (csize1k >> 2) & 0xff; 539 } else { /* >= 2GB : size stored in ext CSD, block addressing */ 540 sd->csd[5] = 0x59; 541 sd->csd[6] = 0x8f; 542 sd->csd[7] = 0xff; 543 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 544 } 545 sd->csd[8] = 0xff; 546 sd->csd[9] = 0xfc | /* Max. write current */ 547 ((CMULT_SHIFT - 2) >> 1); 548 sd->csd[10] = 0x40 | /* Erase sector size */ 549 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 550 sd->csd[11] = 0x00 | /* Write protect group size */ 551 ((sectsize << 7) & 0x80) | wpsize; 552 sd->csd[12] = 0x90 | /* Write speed factor */ 553 (hwblock_shift >> 2); 554 sd->csd[13] = 0x20 | /* Max. write data block length */ 555 ((hwblock_shift << 6) & 0xc0); 556 sd->csd[14] = 0x00; 557 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 558 emmc_set_ext_csd(sd, size); 559 } 560 561 static void sd_set_csd(SDState *sd, uint64_t size) 562 { 563 int hwblock_shift = HWBLOCK_SHIFT; 564 uint32_t csize; 565 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 566 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 567 568 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */ 569 if (size == SDSC_MAX_CAPACITY) { 570 hwblock_shift += 1; 571 } 572 csize = (size >> (CMULT_SHIFT + hwblock_shift)) - 1; 573 574 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */ 575 sd->csd[0] = 0x00; /* CSD structure */ 576 sd->csd[1] = 0x26; /* Data read access-time-1 */ 577 sd->csd[2] = 0x00; /* Data read access-time-2 */ 578 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 579 sd->csd[4] = 0x5f; /* Card Command Classes */ 580 sd->csd[5] = 0x50 | /* Max. read data block length */ 581 hwblock_shift; 582 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 583 ((csize >> 10) & 0x03); 584 sd->csd[7] = 0x00 | /* Device size */ 585 ((csize >> 2) & 0xff); 586 sd->csd[8] = 0x3f | /* Max. read current */ 587 ((csize << 6) & 0xc0); 588 sd->csd[9] = 0xfc | /* Max. write current */ 589 ((CMULT_SHIFT - 2) >> 1); 590 sd->csd[10] = 0x40 | /* Erase sector size */ 591 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 592 sd->csd[11] = 0x00 | /* Write protect group size */ 593 ((sectsize << 7) & 0x80) | wpsize; 594 sd->csd[12] = 0x90 | /* Write speed factor */ 595 (hwblock_shift >> 2); 596 sd->csd[13] = 0x20 | /* Max. write data block length */ 597 ((hwblock_shift << 6) & 0xc0); 598 sd->csd[14] = 0x00; /* File format group */ 599 } else { /* SDHC */ 600 size /= 512 * KiB; 601 size -= 1; 602 sd->csd[0] = 0x40; 603 sd->csd[1] = 0x0e; 604 sd->csd[2] = 0x00; 605 sd->csd[3] = 0x32; 606 sd->csd[4] = 0x5b; 607 sd->csd[5] = 0x59; 608 sd->csd[6] = 0x00; 609 st24_be_p(&sd->csd[7], size); 610 sd->csd[10] = 0x7f; 611 sd->csd[11] = 0x80; 612 sd->csd[12] = 0x0a; 613 sd->csd[13] = 0x40; 614 sd->csd[14] = 0x00; 615 } 616 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 617 } 618 619 /* Relative Card Address register */ 620 621 static void sd_set_rca(SDState *sd, uint16_t value) 622 { 623 trace_sdcard_set_rca(value); 624 sd->rca = value; 625 } 626 627 static uint16_t sd_req_get_rca(SDState *s, SDRequest req) 628 { 629 switch (s->proto->cmd[req.cmd].type) { 630 case sd_ac: 631 case sd_adtc: 632 return req.arg >> 16; 633 case sd_spi: 634 default: 635 g_assert_not_reached(); 636 } 637 } 638 639 static bool sd_req_rca_same(SDState *s, SDRequest req) 640 { 641 return sd_req_get_rca(s, req) == s->rca; 642 } 643 644 /* Card Status register */ 645 646 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 647 FIELD(CSR, APP_CMD, 5, 1) 648 FIELD(CSR, FX_EVENT, 6, 1) 649 FIELD(CSR, SWITCH_ERROR, 7, 1) 650 FIELD(CSR, READY_FOR_DATA, 8, 1) 651 FIELD(CSR, CURRENT_STATE, 9, 4) 652 FIELD(CSR, ERASE_RESET, 13, 1) 653 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 654 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 655 FIELD(CSR, CSD_OVERWRITE, 16, 1) 656 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 657 FIELD(CSR, ERROR, 19, 1) 658 FIELD(CSR, CC_ERROR, 20, 1) 659 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 660 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 661 FIELD(CSR, COM_CRC_ERROR, 23, 1) 662 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 663 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 664 FIELD(CSR, WP_VIOLATION, 26, 1) 665 FIELD(CSR, ERASE_PARAM, 27, 1) 666 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 667 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 668 FIELD(CSR, ADDRESS_ERROR, 30, 1) 669 FIELD(CSR, OUT_OF_RANGE, 31, 1) 670 671 /* Card status bits, split by clear condition: 672 * A : According to the card current state 673 * B : Always related to the previous command 674 * C : Cleared by read 675 */ 676 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 677 | R_CSR_CARD_ECC_DISABLED_MASK \ 678 | R_CSR_CARD_IS_LOCKED_MASK) 679 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 680 | R_CSR_ILLEGAL_COMMAND_MASK \ 681 | R_CSR_COM_CRC_ERROR_MASK) 682 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 683 | R_CSR_APP_CMD_MASK \ 684 | R_CSR_ERASE_RESET_MASK \ 685 | R_CSR_WP_ERASE_SKIP_MASK \ 686 | R_CSR_CSD_OVERWRITE_MASK \ 687 | R_CSR_ERROR_MASK \ 688 | R_CSR_CC_ERROR_MASK \ 689 | R_CSR_CARD_ECC_FAILED_MASK \ 690 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 691 | R_CSR_WP_VIOLATION_MASK \ 692 | R_CSR_ERASE_PARAM_MASK \ 693 | R_CSR_ERASE_SEQ_ERROR_MASK \ 694 | R_CSR_BLOCK_LEN_ERROR_MASK \ 695 | R_CSR_ADDRESS_ERROR_MASK \ 696 | R_CSR_OUT_OF_RANGE_MASK) 697 698 static void sd_set_cardstatus(SDState *sd) 699 { 700 sd->card_status = READY_FOR_DATA; 701 } 702 703 static void sd_set_sdstatus(SDState *sd) 704 { 705 memset(sd->sd_status, 0, 64); 706 } 707 708 static const uint8_t sd_tuning_block_pattern4[64] = { 709 /* 710 * See: Physical Layer Simplified Specification Version 3.01, 711 * Table 4-2. 712 */ 713 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 714 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 715 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 716 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 717 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 718 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 719 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 720 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde 721 }; 722 723 static int sd_req_crc_validate(SDRequest *req) 724 { 725 uint8_t buffer[5]; 726 buffer[0] = 0x40 | req->cmd; 727 stl_be_p(&buffer[1], req->arg); 728 return 0; 729 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 730 } 731 732 static size_t sd_response_size(SDState *sd, sd_rsp_type_t rtype) 733 { 734 switch (rtype) { 735 case sd_r1: 736 case sd_r1b: 737 return 4; 738 739 case sd_r2_i: 740 case sd_r2_s: 741 return 16; 742 743 case sd_r3: 744 case sd_r7: 745 return 4; 746 747 case sd_r6: 748 return 4; 749 750 case sd_r0: 751 case sd_illegal: 752 return 0; 753 754 default: 755 g_assert_not_reached(); 756 } 757 } 758 759 static void sd_response_r1_make(SDState *sd, uint8_t *response) 760 { 761 stl_be_p(response, sd->card_status); 762 763 /* Clear the "clear on read" status bits */ 764 sd->card_status &= ~CARD_STATUS_C; 765 } 766 767 static void sd_response_r3_make(SDState *sd, uint8_t *response) 768 { 769 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 770 } 771 772 static void sd_response_r6_make(SDState *sd, uint8_t *response) 773 { 774 uint16_t status; 775 776 status = ((sd->card_status >> 8) & 0xc000) | 777 ((sd->card_status >> 6) & 0x2000) | 778 (sd->card_status & 0x1fff); 779 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 780 stw_be_p(response + 0, sd->rca); 781 stw_be_p(response + 2, status); 782 } 783 784 static void sd_response_r7_make(SDState *sd, uint8_t *response) 785 { 786 stl_be_p(response, sd->vhs); 787 } 788 789 static uint32_t sd_blk_len(SDState *sd) 790 { 791 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 792 return 1 << HWBLOCK_SHIFT; 793 } 794 return sd->blk_len; 795 } 796 797 /* 798 * This requires a disk image that has two boot partitions inserted at the 799 * beginning of it. The size of the boot partitions is the "boot-size" 800 * property. 801 */ 802 static uint32_t sd_bootpart_offset(SDState *sd) 803 { 804 unsigned partition_access; 805 806 if (!sd->boot_part_size || !sd_is_emmc(sd)) { 807 return 0; 808 } 809 810 partition_access = sd->ext_csd[EXT_CSD_PART_CONFIG] 811 & EXT_CSD_PART_CONFIG_ACC_MASK; 812 switch (partition_access) { 813 case EXT_CSD_PART_CONFIG_ACC_DEFAULT: 814 return sd->boot_part_size * 2; 815 case EXT_CSD_PART_CONFIG_ACC_BOOT0: 816 return 0; 817 case EXT_CSD_PART_CONFIG_ACC_BOOT0 + 1: 818 return sd->boot_part_size * 1; 819 default: 820 g_assert_not_reached(); 821 } 822 } 823 824 static uint64_t sd_req_get_address(SDState *sd, SDRequest req) 825 { 826 uint64_t addr; 827 828 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 829 addr = (uint64_t) req.arg << HWBLOCK_SHIFT; 830 } else { 831 addr = req.arg; 832 } 833 trace_sdcard_req_addr(req.arg, addr); 834 return addr; 835 } 836 837 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 838 { 839 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 840 } 841 842 static void sd_reset(DeviceState *dev) 843 { 844 SDState *sd = SDMMC_COMMON(dev); 845 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd); 846 uint64_t size; 847 uint64_t sect; 848 849 trace_sdcard_reset(); 850 if (sd->blk) { 851 blk_get_geometry(sd->blk, §); 852 } else { 853 sect = 0; 854 } 855 size = sect << HWBLOCK_SHIFT; 856 if (sd_is_emmc(sd)) { 857 size -= sd->boot_part_size * 2; 858 } 859 860 sect = sd_addr_to_wpnum(size) + 1; 861 862 sd->state = sd_idle_state; 863 864 /* card registers */ 865 sd->rca = sd_is_emmc(sd) ? 0x0001 : 0x0000; 866 sd->size = size; 867 sd_set_ocr(sd); 868 sd_set_scr(sd); 869 sc->set_cid(sd); 870 sc->set_csd(sd, size); 871 sd_set_cardstatus(sd); 872 sd_set_sdstatus(sd); 873 874 g_free(sd->wp_group_bmap); 875 sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false; 876 sd->wp_group_bits = sect; 877 sd->wp_group_bmap = bitmap_new(sd->wp_group_bits); 878 memset(sd->function_group, 0, sizeof(sd->function_group)); 879 sd->erase_start = INVALID_ADDRESS; 880 sd->erase_end = INVALID_ADDRESS; 881 sd->blk_len = 0x200; 882 sd->pwd_len = 0; 883 sd->expecting_acmd = false; 884 sd->dat_lines = 0xf; 885 sd->cmd_line = true; 886 sd->multi_blk_cnt = 0; 887 } 888 889 static bool sd_get_inserted(SDState *sd) 890 { 891 return sd->blk && blk_is_inserted(sd->blk); 892 } 893 894 static bool sd_get_readonly(SDState *sd) 895 { 896 return sd->wp_switch; 897 } 898 899 static void sd_cardchange(void *opaque, bool load, Error **errp) 900 { 901 SDState *sd = opaque; 902 DeviceState *dev = DEVICE(sd); 903 SDBus *sdbus; 904 bool inserted = sd_get_inserted(sd); 905 bool readonly = sd_get_readonly(sd); 906 907 if (inserted) { 908 trace_sdcard_inserted(readonly); 909 sd_reset(dev); 910 } else { 911 trace_sdcard_ejected(); 912 } 913 914 sdbus = SD_BUS(qdev_get_parent_bus(dev)); 915 sdbus_set_inserted(sdbus, inserted); 916 if (inserted) { 917 sdbus_set_readonly(sdbus, readonly); 918 } 919 } 920 921 static const BlockDevOps sd_block_ops = { 922 .change_media_cb = sd_cardchange, 923 }; 924 925 static bool sd_ocr_vmstate_needed(void *opaque) 926 { 927 SDState *sd = opaque; 928 929 /* Include the OCR state (and timer) if it is not yet powered up */ 930 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 931 } 932 933 static const VMStateDescription sd_ocr_vmstate = { 934 .name = "sd-card/ocr-state", 935 .version_id = 1, 936 .minimum_version_id = 1, 937 .needed = sd_ocr_vmstate_needed, 938 .fields = (const VMStateField[]) { 939 VMSTATE_UINT32(ocr, SDState), 940 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 941 VMSTATE_END_OF_LIST() 942 }, 943 }; 944 945 static bool vmstate_needed_for_emmc(void *opaque) 946 { 947 SDState *sd = opaque; 948 949 return sd_is_emmc(sd); 950 } 951 952 static const VMStateDescription emmc_extcsd_vmstate = { 953 .name = "sd-card/ext_csd_modes-state", 954 .version_id = 1, 955 .minimum_version_id = 1, 956 .needed = vmstate_needed_for_emmc, 957 .fields = (const VMStateField[]) { 958 VMSTATE_UINT8_ARRAY(ext_csd_rw, SDState, 192), 959 VMSTATE_END_OF_LIST() 960 }, 961 }; 962 963 static int sd_vmstate_pre_load(void *opaque) 964 { 965 SDState *sd = opaque; 966 967 /* If the OCR state is not included (prior versions, or not 968 * needed), then the OCR must be set as powered up. If the OCR state 969 * is included, this will be replaced by the state restore. 970 */ 971 sd_ocr_powerup(sd); 972 973 return 0; 974 } 975 976 static const VMStateDescription sd_vmstate = { 977 .name = "sd-card", 978 .version_id = 2, 979 .minimum_version_id = 2, 980 .pre_load = sd_vmstate_pre_load, 981 .fields = (const VMStateField[]) { 982 VMSTATE_UINT32(mode, SDState), 983 VMSTATE_INT32(state, SDState), 984 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 985 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 986 VMSTATE_UINT16(rca, SDState), 987 VMSTATE_UINT32(card_status, SDState), 988 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 989 VMSTATE_UINT32(vhs, SDState), 990 VMSTATE_BITMAP(wp_group_bmap, SDState, 0, wp_group_bits), 991 VMSTATE_UINT32(blk_len, SDState), 992 VMSTATE_UINT32(multi_blk_cnt, SDState), 993 VMSTATE_UINT32(erase_start, SDState), 994 VMSTATE_UINT32(erase_end, SDState), 995 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 996 VMSTATE_UINT32(pwd_len, SDState), 997 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 998 VMSTATE_UINT8(current_cmd, SDState), 999 VMSTATE_BOOL(expecting_acmd, SDState), 1000 VMSTATE_UINT32(blk_written, SDState), 1001 VMSTATE_UINT64(data_start, SDState), 1002 VMSTATE_UINT32(data_offset, SDState), 1003 VMSTATE_UINT8_ARRAY(data, SDState, 512), 1004 VMSTATE_UNUSED_V(1, 512), 1005 VMSTATE_UNUSED(1), 1006 VMSTATE_END_OF_LIST() 1007 }, 1008 .subsections = (const VMStateDescription * const []) { 1009 &sd_ocr_vmstate, 1010 &emmc_extcsd_vmstate, 1011 NULL 1012 }, 1013 }; 1014 1015 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 1016 { 1017 trace_sdcard_read_block(addr, len); 1018 addr += sd_bootpart_offset(sd); 1019 if (!sd->blk || blk_pread(sd->blk, addr, len, sd->data, 0) < 0) { 1020 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1021 } 1022 } 1023 1024 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 1025 { 1026 trace_sdcard_write_block(addr, len); 1027 addr += sd_bootpart_offset(sd); 1028 if (!sd->blk || blk_pwrite(sd->blk, addr, len, sd->data, 0) < 0) { 1029 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1030 } 1031 } 1032 1033 static void sd_erase(SDState *sd) 1034 { 1035 uint64_t erase_start = sd->erase_start; 1036 uint64_t erase_end = sd->erase_end; 1037 bool sdsc = true; 1038 uint64_t wpnum; 1039 uint64_t erase_addr; 1040 int erase_len = 1 << HWBLOCK_SHIFT; 1041 1042 trace_sdcard_erase(sd->erase_start, sd->erase_end); 1043 if (sd->erase_start == INVALID_ADDRESS 1044 || sd->erase_end == INVALID_ADDRESS) { 1045 sd->card_status |= ERASE_SEQ_ERROR; 1046 sd->erase_start = INVALID_ADDRESS; 1047 sd->erase_end = INVALID_ADDRESS; 1048 return; 1049 } 1050 1051 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 1052 /* High capacity memory card: erase units are 512 byte blocks */ 1053 erase_start <<= HWBLOCK_SHIFT; 1054 erase_end <<= HWBLOCK_SHIFT; 1055 sdsc = false; 1056 } 1057 1058 if (erase_start > sd->size || erase_end > sd->size) { 1059 sd->card_status |= OUT_OF_RANGE; 1060 sd->erase_start = INVALID_ADDRESS; 1061 sd->erase_end = INVALID_ADDRESS; 1062 return; 1063 } 1064 1065 sd->erase_start = INVALID_ADDRESS; 1066 sd->erase_end = INVALID_ADDRESS; 1067 sd->csd[14] |= 0x40; 1068 1069 memset(sd->data, 0xff, erase_len); 1070 for (erase_addr = erase_start; erase_addr <= erase_end; 1071 erase_addr += erase_len) { 1072 if (sdsc) { 1073 /* Only SDSC cards support write protect groups */ 1074 wpnum = sd_addr_to_wpnum(erase_addr); 1075 assert(wpnum < sd->wp_group_bits); 1076 if (test_bit(wpnum, sd->wp_group_bmap)) { 1077 sd->card_status |= WP_ERASE_SKIP; 1078 continue; 1079 } 1080 } 1081 sd_blk_write(sd, erase_addr, erase_len); 1082 } 1083 } 1084 1085 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 1086 { 1087 uint32_t i, wpnum; 1088 uint32_t ret = 0; 1089 1090 wpnum = sd_addr_to_wpnum(addr); 1091 1092 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 1093 if (addr >= sd->size) { 1094 /* 1095 * If the addresses of the last groups are outside the valid range, 1096 * then the corresponding write protection bits shall be set to 0. 1097 */ 1098 continue; 1099 } 1100 assert(wpnum < sd->wp_group_bits); 1101 if (test_bit(wpnum, sd->wp_group_bmap)) { 1102 ret |= (1 << i); 1103 } 1104 } 1105 1106 return ret; 1107 } 1108 1109 enum ExtCsdAccessMode { 1110 EXT_CSD_ACCESS_MODE_COMMAND_SET = 0, 1111 EXT_CSD_ACCESS_MODE_SET_BITS = 1, 1112 EXT_CSD_ACCESS_MODE_CLEAR_BITS = 2, 1113 EXT_CSD_ACCESS_MODE_WRITE_BYTE = 3 1114 }; 1115 1116 static void emmc_function_switch(SDState *sd, uint32_t arg) 1117 { 1118 uint8_t access = extract32(arg, 24, 2); 1119 uint8_t index = extract32(arg, 16, 8); 1120 uint8_t value = extract32(arg, 8, 8); 1121 uint8_t b = sd->ext_csd[index]; 1122 1123 trace_sdcard_switch(access, index, value, extract32(arg, 0, 2)); 1124 1125 if (index >= 192) { 1126 qemu_log_mask(LOG_GUEST_ERROR, "MMC switching illegal offset\n"); 1127 sd->card_status |= R_CSR_SWITCH_ERROR_MASK; 1128 return; 1129 } 1130 1131 switch (access) { 1132 case EXT_CSD_ACCESS_MODE_COMMAND_SET: 1133 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n"); 1134 return; 1135 case EXT_CSD_ACCESS_MODE_SET_BITS: 1136 b |= value; 1137 break; 1138 case EXT_CSD_ACCESS_MODE_CLEAR_BITS: 1139 b &= ~value; 1140 break; 1141 case EXT_CSD_ACCESS_MODE_WRITE_BYTE: 1142 b = value; 1143 break; 1144 } 1145 1146 trace_sdcard_ext_csd_update(index, sd->ext_csd[index], b); 1147 sd->ext_csd[index] = b; 1148 } 1149 1150 static void sd_function_switch(SDState *sd, uint32_t arg) 1151 { 1152 int i, mode, new_func; 1153 mode = !!(arg & 0x80000000); 1154 1155 sd->data[0] = 0x00; /* Maximum current consumption */ 1156 sd->data[1] = 0x01; 1157 sd->data[2] = 0x80; /* Supported group 6 functions */ 1158 sd->data[3] = 0x01; 1159 sd->data[4] = 0x80; /* Supported group 5 functions */ 1160 sd->data[5] = 0x01; 1161 sd->data[6] = 0x80; /* Supported group 4 functions */ 1162 sd->data[7] = 0x01; 1163 sd->data[8] = 0x80; /* Supported group 3 functions */ 1164 sd->data[9] = 0x01; 1165 sd->data[10] = 0x80; /* Supported group 2 functions */ 1166 sd->data[11] = 0x43; 1167 sd->data[12] = 0x80; /* Supported group 1 functions */ 1168 sd->data[13] = 0x03; 1169 1170 memset(&sd->data[14], 0, 3); 1171 for (i = 0; i < 6; i ++) { 1172 new_func = (arg >> (i * 4)) & 0x0f; 1173 if (mode && new_func != 0x0f) 1174 sd->function_group[i] = new_func; 1175 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4); 1176 } 1177 memset(&sd->data[17], 0, 47); 1178 } 1179 1180 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 1181 { 1182 return test_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1183 } 1184 1185 static void sd_lock_command(SDState *sd) 1186 { 1187 int erase, lock, clr_pwd, set_pwd, pwd_len; 1188 erase = !!(sd->data[0] & 0x08); 1189 lock = sd->data[0] & 0x04; 1190 clr_pwd = sd->data[0] & 0x02; 1191 set_pwd = sd->data[0] & 0x01; 1192 1193 if (sd->blk_len > 1) 1194 pwd_len = sd->data[1]; 1195 else 1196 pwd_len = 0; 1197 1198 if (lock) { 1199 trace_sdcard_lock(); 1200 } else { 1201 trace_sdcard_unlock(); 1202 } 1203 if (erase) { 1204 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 1205 set_pwd || clr_pwd || lock || sd->wp_switch || 1206 (sd->csd[14] & 0x20)) { 1207 sd->card_status |= LOCK_UNLOCK_FAILED; 1208 return; 1209 } 1210 bitmap_zero(sd->wp_group_bmap, sd->wp_group_bits); 1211 sd->csd[14] &= ~0x10; 1212 sd->card_status &= ~CARD_IS_LOCKED; 1213 sd->pwd_len = 0; 1214 /* Erasing the entire card here! */ 1215 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 1216 return; 1217 } 1218 1219 if (sd->blk_len < 2 + pwd_len || 1220 pwd_len <= sd->pwd_len || 1221 pwd_len > sd->pwd_len + 16) { 1222 sd->card_status |= LOCK_UNLOCK_FAILED; 1223 return; 1224 } 1225 1226 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 1227 sd->card_status |= LOCK_UNLOCK_FAILED; 1228 return; 1229 } 1230 1231 pwd_len -= sd->pwd_len; 1232 if ((pwd_len && !set_pwd) || 1233 (clr_pwd && (set_pwd || lock)) || 1234 (lock && !sd->pwd_len && !set_pwd) || 1235 (!set_pwd && !clr_pwd && 1236 (((sd->card_status & CARD_IS_LOCKED) && lock) || 1237 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 1238 sd->card_status |= LOCK_UNLOCK_FAILED; 1239 return; 1240 } 1241 1242 if (set_pwd) { 1243 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 1244 sd->pwd_len = pwd_len; 1245 } 1246 1247 if (clr_pwd) { 1248 sd->pwd_len = 0; 1249 } 1250 1251 if (lock) 1252 sd->card_status |= CARD_IS_LOCKED; 1253 else 1254 sd->card_status &= ~CARD_IS_LOCKED; 1255 } 1256 1257 static bool address_in_range(SDState *sd, const char *desc, 1258 uint64_t addr, uint32_t length) 1259 { 1260 if (addr + length > sd->size) { 1261 qemu_log_mask(LOG_GUEST_ERROR, 1262 "%s offset %"PRIu64" > card %"PRIu64" [%%%u]\n", 1263 desc, addr, sd->size, length); 1264 sd->card_status |= ADDRESS_ERROR; 1265 return false; 1266 } 1267 return true; 1268 } 1269 1270 static sd_rsp_type_t sd_invalid_state_for_cmd(SDState *sd, SDRequest req) 1271 { 1272 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong state: %s (spec %s)\n", 1273 sd->proto->name, req.cmd, sd_state_name(sd->state), 1274 sd_version_str(sd->spec_version)); 1275 1276 return sd_illegal; 1277 } 1278 1279 static sd_rsp_type_t sd_invalid_mode_for_cmd(SDState *sd, SDRequest req) 1280 { 1281 qemu_log_mask(LOG_GUEST_ERROR, "%s: CMD%i in a wrong mode: %s (spec %s)\n", 1282 sd->proto->name, req.cmd, sd_mode_name(sd->mode), 1283 sd_version_str(sd->spec_version)); 1284 1285 return sd_illegal; 1286 } 1287 1288 static sd_rsp_type_t sd_cmd_illegal(SDState *sd, SDRequest req) 1289 { 1290 qemu_log_mask(LOG_GUEST_ERROR, "%s: Unknown CMD%i for spec %s\n", 1291 sd->proto->name, req.cmd, 1292 sd_version_str(sd->spec_version)); 1293 1294 return sd_illegal; 1295 } 1296 1297 /* Commands that are recognised but not yet implemented. */ 1298 static sd_rsp_type_t sd_cmd_unimplemented(SDState *sd, SDRequest req) 1299 { 1300 qemu_log_mask(LOG_UNIMP, "%s: CMD%i not implemented\n", 1301 sd->proto->name, req.cmd); 1302 1303 return sd_illegal; 1304 } 1305 1306 static sd_rsp_type_t sd_cmd_optional(SDState *sd, SDRequest req) 1307 { 1308 qemu_log_mask(LOG_UNIMP, "%s: Optional CMD%i not implemented\n", 1309 sd->proto->name, req.cmd); 1310 1311 return sd_illegal; 1312 } 1313 1314 /* Configure fields for following sd_generic_write_byte() calls */ 1315 static sd_rsp_type_t sd_cmd_to_receivingdata(SDState *sd, SDRequest req, 1316 uint64_t start, size_t size) 1317 { 1318 if (sd->state != sd_transfer_state) { 1319 return sd_invalid_state_for_cmd(sd, req); 1320 } 1321 sd->state = sd_receivingdata_state; 1322 sd->data_start = start; 1323 sd->data_offset = 0; 1324 /* sd->data[] used as receive buffer */ 1325 sd->data_size = size ?: sizeof(sd->data); 1326 return sd_r1; 1327 } 1328 1329 /* Configure fields for following sd_generic_read_byte() calls */ 1330 static sd_rsp_type_t sd_cmd_to_sendingdata(SDState *sd, SDRequest req, 1331 uint64_t start, 1332 const void *data, size_t size) 1333 { 1334 if (sd->state != sd_transfer_state) { 1335 return sd_invalid_state_for_cmd(sd, req); 1336 } 1337 1338 sd->state = sd_sendingdata_state; 1339 sd->data_start = start; 1340 sd->data_offset = 0; 1341 if (data) { 1342 assert(size > 0 && size <= sizeof(sd->data)); 1343 memcpy(sd->data, data, size); 1344 } 1345 if (size) { 1346 sd->data_size = size; 1347 } 1348 return sd_r1; 1349 } 1350 1351 /* CMD0 */ 1352 static sd_rsp_type_t sd_cmd_GO_IDLE_STATE(SDState *sd, SDRequest req) 1353 { 1354 if (sd->state == sd_sleep_state) { 1355 switch (req.arg) { 1356 case 0x00000000: 1357 case 0xf0f0f0f0: 1358 break; 1359 default: 1360 return sd_r0; 1361 } 1362 } 1363 if (sd->state != sd_inactive_state) { 1364 sd->state = sd_idle_state; 1365 sd_reset(DEVICE(sd)); 1366 } 1367 1368 return sd_is_spi(sd) ? sd_r1 : sd_r0; 1369 } 1370 1371 /* CMD1 */ 1372 static sd_rsp_type_t spi_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1373 { 1374 sd->state = sd_transfer_state; 1375 1376 return sd_r1; 1377 } 1378 1379 /* CMD2 */ 1380 static sd_rsp_type_t sd_cmd_ALL_SEND_CID(SDState *sd, SDRequest req) 1381 { 1382 switch (sd->state) { 1383 case sd_ready_state: 1384 sd->state = sd_identification_state; 1385 return sd_r2_i; 1386 default: 1387 return sd_invalid_state_for_cmd(sd, req); 1388 } 1389 } 1390 1391 /* CMD3 */ 1392 static sd_rsp_type_t sd_cmd_SEND_RELATIVE_ADDR(SDState *sd, SDRequest req) 1393 { 1394 uint16_t random_rca; 1395 1396 switch (sd->state) { 1397 case sd_identification_state: 1398 case sd_standby_state: 1399 sd->state = sd_standby_state; 1400 qemu_guest_getrandom_nofail(&random_rca, sizeof(random_rca)); 1401 sd_set_rca(sd, random_rca); 1402 return sd_r6; 1403 1404 default: 1405 return sd_invalid_state_for_cmd(sd, req); 1406 } 1407 } 1408 1409 static sd_rsp_type_t emmc_cmd_SET_RELATIVE_ADDR(SDState *sd, SDRequest req) 1410 { 1411 switch (sd->state) { 1412 case sd_identification_state: 1413 case sd_standby_state: 1414 sd->state = sd_standby_state; 1415 sd_set_rca(sd, req.arg >> 16); 1416 return sd_r1; 1417 1418 default: 1419 return sd_invalid_state_for_cmd(sd, req); 1420 } 1421 } 1422 1423 /* CMD5 */ 1424 static sd_rsp_type_t emmc_cmd_sleep_awake(SDState *sd, SDRequest req) 1425 { 1426 bool do_sleep = extract32(req.arg, 15, 1); 1427 1428 switch (sd->state) { 1429 case sd_sleep_state: 1430 if (!do_sleep) { 1431 /* Awake */ 1432 sd->state = sd_standby_state; 1433 } 1434 return sd_r1b; 1435 1436 case sd_standby_state: 1437 if (do_sleep) { 1438 sd->state = sd_sleep_state; 1439 } 1440 return sd_r1b; 1441 1442 default: 1443 return sd_invalid_state_for_cmd(sd, req); 1444 } 1445 } 1446 1447 /* CMD6 */ 1448 static sd_rsp_type_t sd_cmd_SWITCH_FUNCTION(SDState *sd, SDRequest req) 1449 { 1450 if (sd->mode != sd_data_transfer_mode) { 1451 return sd_invalid_mode_for_cmd(sd, req); 1452 } 1453 if (sd->state != sd_transfer_state) { 1454 return sd_invalid_state_for_cmd(sd, req); 1455 } 1456 1457 sd_function_switch(sd, req.arg); 1458 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 64); 1459 } 1460 1461 static sd_rsp_type_t emmc_cmd_SWITCH(SDState *sd, SDRequest req) 1462 { 1463 switch (sd->state) { 1464 case sd_transfer_state: 1465 sd->state = sd_programming_state; 1466 emmc_function_switch(sd, req.arg); 1467 sd->state = sd_transfer_state; 1468 return sd_r1b; 1469 default: 1470 return sd_invalid_state_for_cmd(sd, req); 1471 } 1472 } 1473 1474 /* CMD7 */ 1475 static sd_rsp_type_t sd_cmd_DE_SELECT_CARD(SDState *sd, SDRequest req) 1476 { 1477 bool same_rca = sd_req_rca_same(sd, req); 1478 1479 switch (sd->state) { 1480 case sd_standby_state: 1481 if (!same_rca) { 1482 return sd_r0; 1483 } 1484 sd->state = sd_transfer_state; 1485 return sd_r1b; 1486 1487 case sd_transfer_state: 1488 case sd_sendingdata_state: 1489 if (same_rca) { 1490 break; 1491 } 1492 sd->state = sd_standby_state; 1493 return sd_r1b; 1494 1495 case sd_disconnect_state: 1496 if (!same_rca) { 1497 return sd_r0; 1498 } 1499 sd->state = sd_programming_state; 1500 return sd_r1b; 1501 1502 case sd_programming_state: 1503 if (same_rca) { 1504 break; 1505 } 1506 sd->state = sd_disconnect_state; 1507 return sd_r1b; 1508 1509 default: 1510 break; 1511 } 1512 return sd_invalid_state_for_cmd(sd, req); 1513 } 1514 1515 /* CMD8 */ 1516 static sd_rsp_type_t sd_cmd_SEND_IF_COND(SDState *sd, SDRequest req) 1517 { 1518 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1519 return sd_cmd_illegal(sd, req); 1520 } 1521 if (sd->state != sd_idle_state) { 1522 return sd_invalid_state_for_cmd(sd, req); 1523 } 1524 sd->vhs = 0; 1525 1526 /* No response if not exactly one VHS bit is set. */ 1527 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1528 return sd_is_spi(sd) ? sd_r7 : sd_r0; 1529 } 1530 1531 /* Accept. */ 1532 sd->vhs = req.arg; 1533 return sd_r7; 1534 } 1535 1536 /* CMD8 */ 1537 static sd_rsp_type_t emmc_cmd_SEND_EXT_CSD(SDState *sd, SDRequest req) 1538 { 1539 if (sd->state != sd_transfer_state) { 1540 return sd_invalid_state_for_cmd(sd, req); 1541 } 1542 1543 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1544 sd->ext_csd, sizeof(sd->ext_csd)); 1545 } 1546 1547 /* CMD9 */ 1548 static sd_rsp_type_t spi_cmd_SEND_CSD(SDState *sd, SDRequest req) 1549 { 1550 if (sd->state != sd_standby_state) { 1551 return sd_invalid_state_for_cmd(sd, req); 1552 } 1553 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1554 sd->csd, 16); 1555 } 1556 1557 static sd_rsp_type_t sd_cmd_SEND_CSD(SDState *sd, SDRequest req) 1558 { 1559 if (sd->state != sd_standby_state) { 1560 return sd_invalid_state_for_cmd(sd, req); 1561 } 1562 1563 return sd_req_rca_same(sd, req) ? sd_r2_s : sd_r0; 1564 } 1565 1566 /* CMD10 */ 1567 static sd_rsp_type_t spi_cmd_SEND_CID(SDState *sd, SDRequest req) 1568 { 1569 if (sd->state != sd_standby_state) { 1570 return sd_invalid_state_for_cmd(sd, req); 1571 } 1572 return sd_cmd_to_sendingdata(sd, req, sd_req_get_address(sd, req), 1573 sd->cid, 16); 1574 } 1575 1576 static sd_rsp_type_t sd_cmd_SEND_CID(SDState *sd, SDRequest req) 1577 { 1578 if (sd->state != sd_standby_state) { 1579 return sd_invalid_state_for_cmd(sd, req); 1580 } 1581 1582 return sd_req_rca_same(sd, req) ? sd_r2_i : sd_r0; 1583 } 1584 1585 /* CMD12 */ 1586 static sd_rsp_type_t sd_cmd_STOP_TRANSMISSION(SDState *sd, SDRequest req) 1587 { 1588 switch (sd->state) { 1589 case sd_sendingdata_state: 1590 sd->state = sd_transfer_state; 1591 return sd_r1b; 1592 case sd_receivingdata_state: 1593 sd->state = sd_programming_state; 1594 /* Bzzzzzzztt .... Operation complete. */ 1595 sd->state = sd_transfer_state; 1596 return sd_r1; 1597 default: 1598 return sd_invalid_state_for_cmd(sd, req); 1599 } 1600 } 1601 1602 /* CMD13 */ 1603 static sd_rsp_type_t sd_cmd_SEND_STATUS(SDState *sd, SDRequest req) 1604 { 1605 if (sd->mode != sd_data_transfer_mode) { 1606 return sd_invalid_mode_for_cmd(sd, req); 1607 } 1608 1609 switch (sd->state) { 1610 case sd_standby_state: 1611 case sd_transfer_state: 1612 case sd_sendingdata_state: 1613 case sd_receivingdata_state: 1614 case sd_programming_state: 1615 case sd_disconnect_state: 1616 break; 1617 default: 1618 return sd_invalid_state_for_cmd(sd, req); 1619 } 1620 1621 if (sd_is_spi(sd)) { 1622 return sd_r2_s; 1623 } 1624 1625 return sd_req_rca_same(sd, req) ? sd_r1 : sd_r0; 1626 } 1627 1628 /* CMD15 */ 1629 static sd_rsp_type_t sd_cmd_GO_INACTIVE_STATE(SDState *sd, SDRequest req) 1630 { 1631 if (sd->mode != sd_data_transfer_mode) { 1632 return sd_invalid_mode_for_cmd(sd, req); 1633 } 1634 switch (sd->state) { 1635 case sd_standby_state: 1636 case sd_transfer_state: 1637 case sd_sendingdata_state: 1638 case sd_receivingdata_state: 1639 case sd_programming_state: 1640 case sd_disconnect_state: 1641 break; 1642 default: 1643 return sd_invalid_state_for_cmd(sd, req); 1644 } 1645 if (sd_req_rca_same(sd, req)) { 1646 sd->state = sd_inactive_state; 1647 } 1648 1649 return sd_r0; 1650 } 1651 1652 /* CMD16 */ 1653 static sd_rsp_type_t sd_cmd_SET_BLOCKLEN(SDState *sd, SDRequest req) 1654 { 1655 if (sd->state != sd_transfer_state) { 1656 return sd_invalid_state_for_cmd(sd, req); 1657 } 1658 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1659 sd->card_status |= BLOCK_LEN_ERROR; 1660 } else { 1661 trace_sdcard_set_blocklen(req.arg); 1662 sd->blk_len = req.arg; 1663 } 1664 1665 return sd_r1; 1666 } 1667 1668 /* CMD17 */ 1669 static sd_rsp_type_t sd_cmd_READ_SINGLE_BLOCK(SDState *sd, SDRequest req) 1670 { 1671 uint64_t addr; 1672 1673 if (sd->state != sd_transfer_state) { 1674 return sd_invalid_state_for_cmd(sd, req); 1675 } 1676 1677 addr = sd_req_get_address(sd, req); 1678 if (!address_in_range(sd, "READ_SINGLE_BLOCK", addr, sd->blk_len)) { 1679 return sd_r1; 1680 } 1681 1682 sd_blk_read(sd, addr, sd->blk_len); 1683 return sd_cmd_to_sendingdata(sd, req, addr, NULL, sd->blk_len); 1684 } 1685 1686 /* CMD19 */ 1687 static sd_rsp_type_t sd_cmd_SEND_TUNING_BLOCK(SDState *sd, SDRequest req) 1688 { 1689 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1690 return sd_cmd_illegal(sd, req); 1691 } 1692 1693 return sd_cmd_to_sendingdata(sd, req, 0, 1694 sd_tuning_block_pattern4, 1695 sizeof(sd_tuning_block_pattern4)); 1696 } 1697 1698 /* CMD23 */ 1699 static sd_rsp_type_t sd_cmd_SET_BLOCK_COUNT(SDState *sd, SDRequest req) 1700 { 1701 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1702 return sd_cmd_illegal(sd, req); 1703 } 1704 1705 if (sd->state != sd_transfer_state) { 1706 return sd_invalid_state_for_cmd(sd, req); 1707 } 1708 1709 sd->multi_blk_cnt = req.arg; 1710 if (sd_is_emmc(sd)) { 1711 sd->multi_blk_cnt &= 0xffff; 1712 } 1713 trace_sdcard_set_block_count(sd->multi_blk_cnt); 1714 1715 return sd_r1; 1716 } 1717 1718 /* CMD24 */ 1719 static sd_rsp_type_t sd_cmd_WRITE_SINGLE_BLOCK(SDState *sd, SDRequest req) 1720 { 1721 uint64_t addr; 1722 1723 if (sd->state != sd_transfer_state) { 1724 return sd_invalid_state_for_cmd(sd, req); 1725 } 1726 1727 addr = sd_req_get_address(sd, req); 1728 if (!address_in_range(sd, "WRITE_SINGLE_BLOCK", addr, sd->blk_len)) { 1729 return sd_r1; 1730 } 1731 1732 if (sd->size <= SDSC_MAX_CAPACITY) { 1733 if (sd_wp_addr(sd, addr)) { 1734 sd->card_status |= WP_VIOLATION; 1735 } 1736 } 1737 if (sd->csd[14] & 0x30) { 1738 sd->card_status |= WP_VIOLATION; 1739 } 1740 1741 sd->blk_written = 0; 1742 return sd_cmd_to_receivingdata(sd, req, addr, sd->blk_len); 1743 } 1744 1745 /* CMD26 */ 1746 static sd_rsp_type_t emmc_cmd_PROGRAM_CID(SDState *sd, SDRequest req) 1747 { 1748 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->cid)); 1749 } 1750 1751 /* CMD27 */ 1752 static sd_rsp_type_t sd_cmd_PROGRAM_CSD(SDState *sd, SDRequest req) 1753 { 1754 return sd_cmd_to_receivingdata(sd, req, 0, sizeof(sd->csd)); 1755 } 1756 1757 static sd_rsp_type_t sd_cmd_SET_CLR_WRITE_PROT(SDState *sd, SDRequest req, 1758 bool is_write) 1759 { 1760 uint64_t addr; 1761 1762 if (sd->size > SDSC_MAX_CAPACITY) { 1763 return sd_illegal; 1764 } 1765 1766 if (sd->state != sd_transfer_state) { 1767 return sd_invalid_state_for_cmd(sd, req); 1768 } 1769 1770 addr = sd_req_get_address(sd, req); 1771 if (!address_in_range(sd, is_write ? "SET_WRITE_PROT" : "CLR_WRITE_PROT", 1772 addr, 1)) { 1773 return sd_r1b; 1774 } 1775 1776 sd->state = sd_programming_state; 1777 if (is_write) { 1778 set_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1779 } else { 1780 clear_bit(sd_addr_to_wpnum(addr), sd->wp_group_bmap); 1781 } 1782 /* Bzzzzzzztt .... Operation complete. */ 1783 sd->state = sd_transfer_state; 1784 return sd_r1; 1785 } 1786 1787 /* CMD28 */ 1788 static sd_rsp_type_t sd_cmd_SET_WRITE_PROT(SDState *sd, SDRequest req) 1789 { 1790 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, true); 1791 } 1792 1793 /* CMD29 */ 1794 static sd_rsp_type_t sd_cmd_CLR_WRITE_PROT(SDState *sd, SDRequest req) 1795 { 1796 return sd_cmd_SET_CLR_WRITE_PROT(sd, req, false); 1797 } 1798 1799 /* CMD30 */ 1800 static sd_rsp_type_t sd_cmd_SEND_WRITE_PROT(SDState *sd, SDRequest req) 1801 { 1802 uint64_t addr; 1803 uint32_t data; 1804 1805 if (sd->size > SDSC_MAX_CAPACITY) { 1806 return sd_illegal; 1807 } 1808 1809 if (sd->state != sd_transfer_state) { 1810 return sd_invalid_state_for_cmd(sd, req); 1811 } 1812 1813 addr = sd_req_get_address(sd, req); 1814 if (!address_in_range(sd, "SEND_WRITE_PROT", addr, sd->blk_len)) { 1815 return sd_r1; 1816 } 1817 1818 data = sd_wpbits(sd, req.arg); 1819 return sd_cmd_to_sendingdata(sd, req, addr, &data, sizeof(data)); 1820 } 1821 1822 /* CMD32 */ 1823 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_START(SDState *sd, SDRequest req) 1824 { 1825 if (sd->state != sd_transfer_state) { 1826 return sd_invalid_state_for_cmd(sd, req); 1827 } 1828 sd->erase_start = req.arg; 1829 return sd_r1; 1830 } 1831 1832 /* CMD33 */ 1833 static sd_rsp_type_t sd_cmd_ERASE_WR_BLK_END(SDState *sd, SDRequest req) 1834 { 1835 if (sd->state != sd_transfer_state) { 1836 return sd_invalid_state_for_cmd(sd, req); 1837 } 1838 sd->erase_end = req.arg; 1839 return sd_r1; 1840 } 1841 1842 /* CMD38 */ 1843 static sd_rsp_type_t sd_cmd_ERASE(SDState *sd, SDRequest req) 1844 { 1845 if (sd->state != sd_transfer_state) { 1846 return sd_invalid_state_for_cmd(sd, req); 1847 } 1848 if (sd->csd[14] & 0x30) { 1849 sd->card_status |= WP_VIOLATION; 1850 return sd_r1b; 1851 } 1852 1853 sd->state = sd_programming_state; 1854 sd_erase(sd); 1855 /* Bzzzzzzztt .... Operation complete. */ 1856 sd->state = sd_transfer_state; 1857 return sd_r1b; 1858 } 1859 1860 /* CMD42 */ 1861 static sd_rsp_type_t sd_cmd_LOCK_UNLOCK(SDState *sd, SDRequest req) 1862 { 1863 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1864 } 1865 1866 /* CMD55 */ 1867 static sd_rsp_type_t sd_cmd_APP_CMD(SDState *sd, SDRequest req) 1868 { 1869 switch (sd->state) { 1870 case sd_ready_state: 1871 case sd_identification_state: 1872 case sd_inactive_state: 1873 case sd_sleep_state: 1874 return sd_invalid_state_for_cmd(sd, req); 1875 case sd_idle_state: 1876 if (!sd_is_spi(sd) && sd_req_get_rca(sd, req) != 0x0000) { 1877 qemu_log_mask(LOG_GUEST_ERROR, 1878 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1879 } 1880 /* fall-through */ 1881 default: 1882 break; 1883 } 1884 if (!sd_is_spi(sd) && !sd_req_rca_same(sd, req)) { 1885 return sd_r0; 1886 } 1887 sd->expecting_acmd = true; 1888 sd->card_status |= APP_CMD; 1889 1890 return sd_r1; 1891 } 1892 1893 /* CMD56 */ 1894 static sd_rsp_type_t sd_cmd_GEN_CMD(SDState *sd, SDRequest req) 1895 { 1896 if (sd->state != sd_transfer_state) { 1897 return sd_invalid_state_for_cmd(sd, req); 1898 } 1899 1900 /* Vendor specific command: our model is RAZ/WI */ 1901 if (req.arg & 1) { 1902 memset(sd->data, 0, sizeof(sd->data)); 1903 return sd_cmd_to_sendingdata(sd, req, 0, NULL, 0); 1904 } else { 1905 return sd_cmd_to_receivingdata(sd, req, 0, 0); 1906 } 1907 } 1908 1909 /* CMD58 */ 1910 static sd_rsp_type_t spi_cmd_READ_OCR(SDState *sd, SDRequest req) 1911 { 1912 return sd_r3; 1913 } 1914 1915 /* CMD59 */ 1916 static sd_rsp_type_t spi_cmd_CRC_ON_OFF(SDState *sd, SDRequest req) 1917 { 1918 return sd_r1; 1919 } 1920 1921 /* ACMD6 */ 1922 static sd_rsp_type_t sd_acmd_SET_BUS_WIDTH(SDState *sd, SDRequest req) 1923 { 1924 if (sd->state != sd_transfer_state) { 1925 return sd_invalid_state_for_cmd(sd, req); 1926 } 1927 1928 sd->sd_status[0] &= 0x3f; 1929 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1930 return sd_r1; 1931 } 1932 1933 /* ACMD13 */ 1934 static sd_rsp_type_t sd_acmd_SD_STATUS(SDState *sd, SDRequest req) 1935 { 1936 return sd_cmd_to_sendingdata(sd, req, 0, 1937 sd->sd_status, sizeof(sd->sd_status)); 1938 } 1939 1940 /* ACMD22 */ 1941 static sd_rsp_type_t sd_acmd_SEND_NUM_WR_BLOCKS(SDState *sd, SDRequest req) 1942 { 1943 return sd_cmd_to_sendingdata(sd, req, 0, 1944 &sd->blk_written, sizeof(sd->blk_written)); 1945 } 1946 1947 /* ACMD23 */ 1948 static sd_rsp_type_t sd_acmd_SET_WR_BLK_ERASE_COUNT(SDState *sd, SDRequest req) 1949 { 1950 if (sd->state != sd_transfer_state) { 1951 return sd_invalid_state_for_cmd(sd, req); 1952 } 1953 return sd_r1; 1954 } 1955 1956 /* ACMD41 */ 1957 static sd_rsp_type_t sd_cmd_SEND_OP_COND(SDState *sd, SDRequest req) 1958 { 1959 if (sd->state != sd_idle_state) { 1960 return sd_invalid_state_for_cmd(sd, req); 1961 } 1962 1963 /* 1964 * If it's the first ACMD41 since reset, we need to decide 1965 * whether to power up. If this is not an enquiry ACMD41, 1966 * we immediately report power on and proceed below to the 1967 * ready state, but if it is, we set a timer to model a 1968 * delay for power up. This works around a bug in EDK2 1969 * UEFI, which sends an initial enquiry ACMD41, but 1970 * assumes that the card is in ready state as soon as it 1971 * sees the power up bit set. 1972 */ 1973 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1974 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1975 timer_del(sd->ocr_power_timer); 1976 sd_ocr_powerup(sd); 1977 } else { 1978 trace_sdcard_inquiry_cmd41(); 1979 if (!timer_pending(sd->ocr_power_timer)) { 1980 timer_mod_ns(sd->ocr_power_timer, 1981 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1982 + OCR_POWER_DELAY_NS)); 1983 } 1984 } 1985 } 1986 1987 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1988 /* 1989 * We accept any voltage. 10000 V is nothing. 1990 * 1991 * Once we're powered up, we advance straight to ready state 1992 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1993 */ 1994 sd->state = sd_ready_state; 1995 } 1996 1997 return sd_r3; 1998 } 1999 2000 /* ACMD42 */ 2001 static sd_rsp_type_t sd_acmd_SET_CLR_CARD_DETECT(SDState *sd, SDRequest req) 2002 { 2003 if (sd->state != sd_transfer_state) { 2004 return sd_invalid_state_for_cmd(sd, req); 2005 } 2006 2007 /* Bringing in the 50KOhm pull-up resistor... Done. */ 2008 return sd_r1; 2009 } 2010 2011 /* ACMD51 */ 2012 static sd_rsp_type_t sd_acmd_SEND_SCR(SDState *sd, SDRequest req) 2013 { 2014 return sd_cmd_to_sendingdata(sd, req, 0, sd->scr, sizeof(sd->scr)); 2015 } 2016 2017 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 2018 { 2019 uint64_t addr; 2020 2021 sd->last_cmd_name = sd_cmd_name(sd, req.cmd); 2022 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 2023 * However there is no ACMD55, so we want to trace this particular case. 2024 */ 2025 if (req.cmd != 55 || sd->expecting_acmd) { 2026 trace_sdcard_normal_command(sd->proto->name, 2027 sd->last_cmd_name, req.cmd, 2028 req.arg, sd_state_name(sd->state)); 2029 } 2030 2031 /* Not interpreting this as an app command */ 2032 sd->card_status &= ~APP_CMD; 2033 2034 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 2035 * if not, its effects are cancelled */ 2036 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 2037 sd->multi_blk_cnt = 0; 2038 } 2039 2040 if (sd->proto->cmd[req.cmd].class == 6 && FIELD_EX32(sd->ocr, OCR, 2041 CARD_CAPACITY)) { 2042 /* Only Standard Capacity cards support class 6 commands */ 2043 return sd_illegal; 2044 } 2045 2046 if (sd->proto->cmd[req.cmd].handler) { 2047 return sd->proto->cmd[req.cmd].handler(sd, req); 2048 } 2049 2050 switch (req.cmd) { 2051 /* Block read commands (Class 2) */ 2052 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2053 addr = sd_req_get_address(sd, req); 2054 switch (sd->state) { 2055 case sd_transfer_state: 2056 2057 if (!address_in_range(sd, "READ_BLOCK", addr, sd->blk_len)) { 2058 return sd_r1; 2059 } 2060 2061 sd->state = sd_sendingdata_state; 2062 sd->data_start = addr; 2063 sd->data_offset = 0; 2064 return sd_r1; 2065 2066 default: 2067 break; 2068 } 2069 break; 2070 2071 /* Block write commands (Class 4) */ 2072 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2073 addr = sd_req_get_address(sd, req); 2074 switch (sd->state) { 2075 case sd_transfer_state: 2076 2077 if (!address_in_range(sd, "WRITE_BLOCK", addr, sd->blk_len)) { 2078 return sd_r1; 2079 } 2080 2081 sd->state = sd_receivingdata_state; 2082 sd->data_start = addr; 2083 sd->data_offset = 0; 2084 sd->blk_written = 0; 2085 2086 if (sd->size <= SDSC_MAX_CAPACITY) { 2087 if (sd_wp_addr(sd, sd->data_start)) { 2088 sd->card_status |= WP_VIOLATION; 2089 } 2090 } 2091 if (sd->csd[14] & 0x30) { 2092 sd->card_status |= WP_VIOLATION; 2093 } 2094 return sd_r1; 2095 2096 default: 2097 break; 2098 } 2099 break; 2100 2101 default: 2102 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 2103 return sd_illegal; 2104 } 2105 2106 return sd_invalid_state_for_cmd(sd, req); 2107 } 2108 2109 static sd_rsp_type_t sd_app_command(SDState *sd, 2110 SDRequest req) 2111 { 2112 sd->last_cmd_name = sd_acmd_name(sd, req.cmd); 2113 trace_sdcard_app_command(sd->proto->name, sd->last_cmd_name, 2114 req.cmd, req.arg, sd_state_name(sd->state)); 2115 sd->card_status |= APP_CMD; 2116 2117 if (sd->proto->acmd[req.cmd].handler) { 2118 return sd->proto->acmd[req.cmd].handler(sd, req); 2119 } 2120 2121 switch (req.cmd) { 2122 case 18: /* Reserved for SD security applications */ 2123 case 25: 2124 case 26: 2125 case 38: 2126 case 43 ... 49: 2127 /* Refer to the "SD Specifications Part3 Security Specification" for 2128 * information about the SD Security Features. 2129 */ 2130 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 2131 req.cmd); 2132 return sd_illegal; 2133 2134 default: 2135 /* Fall back to standard commands. */ 2136 return sd_normal_command(sd, req); 2137 } 2138 2139 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 2140 return sd_illegal; 2141 } 2142 2143 static bool cmd_valid_while_locked(SDState *sd, unsigned cmd) 2144 { 2145 unsigned cmd_class; 2146 2147 /* Valid commands in locked state: 2148 * basic class (0) 2149 * lock card class (7) 2150 * CMD16 2151 * implicitly, the ACMD prefix CMD55 2152 * ACMD41 and ACMD42 2153 * Anything else provokes an "illegal command" response. 2154 */ 2155 if (sd->expecting_acmd) { 2156 return cmd == 41 || cmd == 42; 2157 } 2158 if (cmd == 16 || cmd == 55) { 2159 return true; 2160 } 2161 if (!sd->proto->cmd[cmd].handler) { 2162 return false; 2163 } 2164 cmd_class = sd->proto->cmd[cmd].class; 2165 2166 return cmd_class == 0 || cmd_class == 7; 2167 } 2168 2169 static size_t sd_do_command(SDState *sd, SDRequest *req, 2170 uint8_t *response, size_t respsz) 2171 { 2172 int last_state; 2173 sd_rsp_type_t rtype; 2174 int rsplen; 2175 2176 if (!sd->blk || !blk_is_inserted(sd->blk)) { 2177 return 0; 2178 } 2179 2180 if (sd->state == sd_inactive_state) { 2181 rtype = sd_illegal; 2182 goto send_response; 2183 } 2184 2185 if (sd_req_crc_validate(req)) { 2186 sd->card_status |= COM_CRC_ERROR; 2187 rtype = sd_illegal; 2188 goto send_response; 2189 } 2190 2191 if (req->cmd >= SDMMC_CMD_MAX) { 2192 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 2193 req->cmd); 2194 req->cmd &= 0x3f; 2195 } 2196 2197 if (sd->state == sd_sleep_state && req->cmd) { 2198 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is sleeping\n"); 2199 rtype = sd_r0; 2200 goto send_response; 2201 } 2202 2203 if (sd->card_status & CARD_IS_LOCKED) { 2204 if (!cmd_valid_while_locked(sd, req->cmd)) { 2205 sd->card_status |= ILLEGAL_COMMAND; 2206 sd->expecting_acmd = false; 2207 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 2208 rtype = sd_illegal; 2209 goto send_response; 2210 } 2211 } 2212 2213 last_state = sd->state; 2214 sd_set_mode(sd); 2215 2216 if (sd->expecting_acmd) { 2217 sd->expecting_acmd = false; 2218 rtype = sd_app_command(sd, *req); 2219 } else { 2220 rtype = sd_normal_command(sd, *req); 2221 } 2222 2223 if (rtype == sd_illegal) { 2224 sd->card_status |= ILLEGAL_COMMAND; 2225 } else { 2226 /* Valid command, we can update the 'state before command' bits. 2227 * (Do this now so they appear in r1 responses.) 2228 */ 2229 sd->card_status = FIELD_DP32(sd->card_status, CSR, 2230 CURRENT_STATE, last_state); 2231 } 2232 2233 send_response: 2234 rsplen = sd_response_size(sd, rtype); 2235 assert(rsplen <= respsz); 2236 2237 switch (rtype) { 2238 case sd_r1: 2239 case sd_r1b: 2240 sd_response_r1_make(sd, response); 2241 break; 2242 2243 case sd_r2_i: 2244 memcpy(response, sd->cid, sizeof(sd->cid)); 2245 break; 2246 2247 case sd_r2_s: 2248 memcpy(response, sd->csd, sizeof(sd->csd)); 2249 break; 2250 2251 case sd_r3: 2252 sd_response_r3_make(sd, response); 2253 break; 2254 2255 case sd_r6: 2256 sd_response_r6_make(sd, response); 2257 break; 2258 2259 case sd_r7: 2260 sd_response_r7_make(sd, response); 2261 break; 2262 2263 case sd_r0: 2264 /* 2265 * Invalid state transition, reset implementation 2266 * fields to avoid OOB abuse. 2267 */ 2268 sd->data_start = 0; 2269 sd->data_offset = 0; 2270 /* fall-through */ 2271 case sd_illegal: 2272 break; 2273 default: 2274 g_assert_not_reached(); 2275 } 2276 trace_sdcard_response(sd_response_name(rtype), rsplen); 2277 2278 if (rtype != sd_illegal) { 2279 /* Clear the "clear on valid command" status bits now we've 2280 * sent any response 2281 */ 2282 sd->card_status &= ~CARD_STATUS_B; 2283 } 2284 2285 #ifdef DEBUG_SD 2286 qemu_hexdump(stderr, "Response", response, rsplen); 2287 #endif 2288 2289 sd->current_cmd = rtype == sd_illegal ? 0 : req->cmd; 2290 2291 return rsplen; 2292 } 2293 2294 /* Return true if buffer is consumed. Configured by sd_cmd_to_receivingdata() */ 2295 static bool sd_generic_write_byte(SDState *sd, uint8_t value) 2296 { 2297 sd->data[sd->data_offset] = value; 2298 2299 if (++sd->data_offset >= sd->data_size) { 2300 sd->state = sd_transfer_state; 2301 return true; 2302 } 2303 return false; 2304 } 2305 2306 /* Return true when buffer is consumed. Configured by sd_cmd_to_sendingdata() */ 2307 static bool sd_generic_read_byte(SDState *sd, uint8_t *value) 2308 { 2309 *value = sd->data[sd->data_offset]; 2310 2311 if (++sd->data_offset >= sd->data_size) { 2312 sd->state = sd_transfer_state; 2313 return true; 2314 } 2315 2316 return false; 2317 } 2318 2319 static void sd_write_byte(SDState *sd, uint8_t value) 2320 { 2321 int i; 2322 2323 if (!sd->blk || !blk_is_inserted(sd->blk)) { 2324 return; 2325 } 2326 2327 if (sd->state != sd_receivingdata_state) { 2328 qemu_log_mask(LOG_GUEST_ERROR, 2329 "%s: not in Receiving-Data state\n", __func__); 2330 return; 2331 } 2332 2333 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 2334 return; 2335 2336 trace_sdcard_write_data(sd->proto->name, 2337 sd->last_cmd_name, 2338 sd->current_cmd, sd->data_offset, value); 2339 switch (sd->current_cmd) { 2340 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 2341 if (sd_generic_write_byte(sd, value)) { 2342 /* TODO: Check CRC before committing */ 2343 sd->state = sd_programming_state; 2344 sd_blk_write(sd, sd->data_start, sd->data_offset); 2345 sd->blk_written ++; 2346 sd->csd[14] |= 0x40; 2347 /* Bzzzzzzztt .... Operation complete. */ 2348 sd->state = sd_transfer_state; 2349 } 2350 break; 2351 2352 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 2353 if (sd->data_offset == 0) { 2354 /* Start of the block - let's check the address is valid */ 2355 if (!address_in_range(sd, "WRITE_MULTIPLE_BLOCK", 2356 sd->data_start, sd->blk_len)) { 2357 break; 2358 } 2359 if (sd->size <= SDSC_MAX_CAPACITY) { 2360 if (sd_wp_addr(sd, sd->data_start)) { 2361 sd->card_status |= WP_VIOLATION; 2362 break; 2363 } 2364 } 2365 } 2366 sd->data[sd->data_offset++] = value; 2367 if (sd->data_offset >= sd->blk_len) { 2368 /* TODO: Check CRC before committing */ 2369 sd->state = sd_programming_state; 2370 sd_blk_write(sd, sd->data_start, sd->data_offset); 2371 sd->blk_written++; 2372 sd->data_start += sd->blk_len; 2373 sd->data_offset = 0; 2374 sd->csd[14] |= 0x40; 2375 2376 /* Bzzzzzzztt .... Operation complete. */ 2377 if (sd->multi_blk_cnt != 0) { 2378 if (--sd->multi_blk_cnt == 0) { 2379 /* Stop! */ 2380 sd->state = sd_transfer_state; 2381 break; 2382 } 2383 } 2384 2385 sd->state = sd_receivingdata_state; 2386 } 2387 break; 2388 2389 case 26: /* CMD26: PROGRAM_CID */ 2390 if (sd_generic_write_byte(sd, value)) { 2391 /* TODO: Check CRC before committing */ 2392 sd->state = sd_programming_state; 2393 for (i = 0; i < sizeof(sd->cid); i ++) 2394 if ((sd->cid[i] | 0x00) != sd->data[i]) 2395 sd->card_status |= CID_CSD_OVERWRITE; 2396 2397 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2398 for (i = 0; i < sizeof(sd->cid); i ++) { 2399 sd->cid[i] |= 0x00; 2400 sd->cid[i] &= sd->data[i]; 2401 } 2402 /* Bzzzzzzztt .... Operation complete. */ 2403 sd->state = sd_transfer_state; 2404 } 2405 break; 2406 2407 case 27: /* CMD27: PROGRAM_CSD */ 2408 if (sd_generic_write_byte(sd, value)) { 2409 /* TODO: Check CRC before committing */ 2410 sd->state = sd_programming_state; 2411 for (i = 0; i < sizeof(sd->csd); i ++) 2412 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 2413 (sd->data[i] | sd_csd_rw_mask[i])) 2414 sd->card_status |= CID_CSD_OVERWRITE; 2415 2416 /* Copy flag (OTP) & Permanent write protect */ 2417 if (sd->csd[14] & ~sd->data[14] & 0x60) 2418 sd->card_status |= CID_CSD_OVERWRITE; 2419 2420 if (!(sd->card_status & CID_CSD_OVERWRITE)) 2421 for (i = 0; i < sizeof(sd->csd); i ++) { 2422 sd->csd[i] |= sd_csd_rw_mask[i]; 2423 sd->csd[i] &= sd->data[i]; 2424 } 2425 /* Bzzzzzzztt .... Operation complete. */ 2426 sd->state = sd_transfer_state; 2427 } 2428 break; 2429 2430 case 42: /* CMD42: LOCK_UNLOCK */ 2431 if (sd_generic_write_byte(sd, value)) { 2432 /* TODO: Check CRC before committing */ 2433 sd->state = sd_programming_state; 2434 sd_lock_command(sd); 2435 /* Bzzzzzzztt .... Operation complete. */ 2436 sd->state = sd_transfer_state; 2437 } 2438 break; 2439 2440 case 56: /* CMD56: GEN_CMD */ 2441 sd_generic_write_byte(sd, value); 2442 break; 2443 2444 default: 2445 g_assert_not_reached(); 2446 } 2447 } 2448 2449 static uint8_t sd_read_byte(SDState *sd) 2450 { 2451 /* TODO: Append CRCs */ 2452 const uint8_t dummy_byte = 0x00; 2453 uint8_t ret; 2454 uint32_t io_len; 2455 2456 if (!sd->blk || !blk_is_inserted(sd->blk)) { 2457 return dummy_byte; 2458 } 2459 2460 if (sd->state != sd_sendingdata_state) { 2461 qemu_log_mask(LOG_GUEST_ERROR, 2462 "%s: not in Sending-Data state\n", __func__); 2463 return dummy_byte; 2464 } 2465 2466 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) { 2467 return dummy_byte; 2468 } 2469 2470 io_len = sd_blk_len(sd); 2471 2472 trace_sdcard_read_data(sd->proto->name, 2473 sd->last_cmd_name, sd->current_cmd, 2474 sd->data_offset, sd->data_size, io_len); 2475 switch (sd->current_cmd) { 2476 case 6: /* CMD6: SWITCH_FUNCTION */ 2477 case 8: /* CMD8: SEND_EXT_CSD */ 2478 case 9: /* CMD9: SEND_CSD */ 2479 case 10: /* CMD10: SEND_CID */ 2480 case 13: /* ACMD13: SD_STATUS */ 2481 case 17: /* CMD17: READ_SINGLE_BLOCK */ 2482 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2483 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2484 case 30: /* CMD30: SEND_WRITE_PROT */ 2485 case 51: /* ACMD51: SEND_SCR */ 2486 case 56: /* CMD56: GEN_CMD */ 2487 sd_generic_read_byte(sd, &ret); 2488 break; 2489 2490 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 2491 if (sd->data_offset == 0) { 2492 if (!address_in_range(sd, "READ_MULTIPLE_BLOCK", 2493 sd->data_start, io_len)) { 2494 return dummy_byte; 2495 } 2496 sd_blk_read(sd, sd->data_start, io_len); 2497 } 2498 ret = sd->data[sd->data_offset ++]; 2499 2500 if (sd->data_offset >= io_len) { 2501 sd->data_start += io_len; 2502 sd->data_offset = 0; 2503 2504 if (sd->multi_blk_cnt != 0) { 2505 if (--sd->multi_blk_cnt == 0) { 2506 /* Stop! */ 2507 sd->state = sd_transfer_state; 2508 break; 2509 } 2510 } 2511 } 2512 break; 2513 2514 default: 2515 qemu_log_mask(LOG_GUEST_ERROR, "%s: DAT read illegal for command %s\n", 2516 __func__, sd->last_cmd_name); 2517 return dummy_byte; 2518 } 2519 2520 return ret; 2521 } 2522 2523 static bool sd_receive_ready(SDState *sd) 2524 { 2525 return sd->state == sd_receivingdata_state; 2526 } 2527 2528 static bool sd_data_ready(SDState *sd) 2529 { 2530 return sd->state == sd_sendingdata_state; 2531 } 2532 2533 static const SDProto sd_proto_spi = { 2534 .name = "SPI", 2535 .cmd = { 2536 [0] = {0, sd_spi, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2537 [1] = {0, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2538 [5] = {9, sd_spi, "IO_SEND_OP_COND", sd_cmd_optional}, 2539 [6] = {10, sd_spi, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2540 [8] = {0, sd_spi, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2541 [9] = {0, sd_spi, "SEND_CSD", spi_cmd_SEND_CSD}, 2542 [10] = {0, sd_spi, "SEND_CID", spi_cmd_SEND_CID}, 2543 [12] = {0, sd_spi, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2544 [13] = {0, sd_spi, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2545 [16] = {2, sd_spi, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2546 [17] = {2, sd_spi, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2547 [24] = {4, sd_spi, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2548 [27] = {4, sd_spi, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2549 [28] = {6, sd_spi, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2550 [29] = {6, sd_spi, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2551 [30] = {6, sd_spi, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2552 [32] = {5, sd_spi, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2553 [33] = {5, sd_spi, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2554 [34] = {10, sd_spi, "READ_SEC_CMD", sd_cmd_optional}, 2555 [35] = {10, sd_spi, "WRITE_SEC_CMD", sd_cmd_optional}, 2556 [36] = {10, sd_spi, "SEND_PSI", sd_cmd_optional}, 2557 [37] = {10, sd_spi, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2558 [38] = {5, sd_spi, "ERASE", sd_cmd_ERASE}, 2559 [42] = {7, sd_spi, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2560 [50] = {10, sd_spi, "DIRECT_SECURE_READ", sd_cmd_optional}, 2561 [52] = {9, sd_spi, "IO_RW_DIRECT", sd_cmd_optional}, 2562 [53] = {9, sd_spi, "IO_RW_EXTENDED", sd_cmd_optional}, 2563 [55] = {8, sd_spi, "APP_CMD", sd_cmd_APP_CMD}, 2564 [56] = {8, sd_spi, "GEN_CMD", sd_cmd_GEN_CMD}, 2565 [57] = {10, sd_spi, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2566 [58] = {0, sd_spi, "READ_OCR", spi_cmd_READ_OCR}, 2567 [59] = {0, sd_spi, "CRC_ON_OFF", spi_cmd_CRC_ON_OFF}, 2568 }, 2569 .acmd = { 2570 [13] = {8, sd_spi, "SD_STATUS", sd_acmd_SD_STATUS}, 2571 [22] = {8, sd_spi, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2572 [23] = {8, sd_spi, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2573 [41] = {8, sd_spi, "SEND_OP_COND", spi_cmd_SEND_OP_COND}, 2574 [42] = {8, sd_spi, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2575 [51] = {8, sd_spi, "SEND_SCR", sd_acmd_SEND_SCR}, 2576 }, 2577 }; 2578 2579 static const SDProto sd_proto_sd = { 2580 .name = "SD", 2581 .cmd = { 2582 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2583 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2584 [3] = {0, sd_bcr, "SEND_RELATIVE_ADDR", sd_cmd_SEND_RELATIVE_ADDR}, 2585 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented}, 2586 [5] = {9, sd_bc, "IO_SEND_OP_COND", sd_cmd_optional}, 2587 [6] = {10, sd_adtc, "SWITCH_FUNCTION", sd_cmd_SWITCH_FUNCTION}, 2588 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD}, 2589 [8] = {0, sd_bcr, "SEND_IF_COND", sd_cmd_SEND_IF_COND}, 2590 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD}, 2591 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID}, 2592 [11] = {0, sd_ac, "VOLTAGE_SWITCH", sd_cmd_optional}, 2593 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2594 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2595 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE}, 2596 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2597 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2598 [19] = {2, sd_adtc, "SEND_TUNING_BLOCK", sd_cmd_SEND_TUNING_BLOCK}, 2599 [20] = {2, sd_ac, "SPEED_CLASS_CONTROL", sd_cmd_optional}, 2600 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2601 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2602 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2603 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2604 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2605 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2606 [32] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2607 [33] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2608 [34] = {10, sd_adtc, "READ_SEC_CMD", sd_cmd_optional}, 2609 [35] = {10, sd_adtc, "WRITE_SEC_CMD", sd_cmd_optional}, 2610 [36] = {10, sd_adtc, "SEND_PSI", sd_cmd_optional}, 2611 [37] = {10, sd_ac, "CONTROL_ASSD_SYSTEM", sd_cmd_optional}, 2612 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE}, 2613 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2614 [43] = {1, sd_ac, "Q_MANAGEMENT", sd_cmd_optional}, 2615 [44] = {1, sd_ac, "Q_TASK_INFO_A", sd_cmd_optional}, 2616 [45] = {1, sd_ac, "Q_TASK_INFO_B", sd_cmd_optional}, 2617 [46] = {1, sd_adtc, "Q_RD_TASK", sd_cmd_optional}, 2618 [47] = {1, sd_adtc, "Q_WR_TASK", sd_cmd_optional}, 2619 [48] = {1, sd_adtc, "READ_EXTR_SINGLE", sd_cmd_optional}, 2620 [49] = {1, sd_adtc, "WRITE_EXTR_SINGLE", sd_cmd_optional}, 2621 [50] = {10, sd_adtc, "DIRECT_SECURE_READ", sd_cmd_optional}, 2622 [52] = {9, sd_bc, "IO_RW_DIRECT", sd_cmd_optional}, 2623 [53] = {9, sd_bc, "IO_RW_EXTENDED", sd_cmd_optional}, 2624 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD}, 2625 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD}, 2626 [57] = {10, sd_adtc, "DIRECT_SECURE_WRITE", sd_cmd_optional}, 2627 [58] = {11, sd_adtc, "READ_EXTR_MULTI", sd_cmd_optional}, 2628 [59] = {11, sd_adtc, "WRITE_EXTR_MULTI", sd_cmd_optional}, 2629 }, 2630 .acmd = { 2631 [6] = {8, sd_ac, "SET_BUS_WIDTH", sd_acmd_SET_BUS_WIDTH}, 2632 [13] = {8, sd_adtc, "SD_STATUS", sd_acmd_SD_STATUS}, 2633 [22] = {8, sd_adtc, "SEND_NUM_WR_BLOCKS", sd_acmd_SEND_NUM_WR_BLOCKS}, 2634 [23] = {8, sd_ac, "SET_WR_BLK_ERASE_COUNT", sd_acmd_SET_WR_BLK_ERASE_COUNT}, 2635 [41] = {8, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND}, 2636 [42] = {8, sd_ac, "SET_CLR_CARD_DETECT", sd_acmd_SET_CLR_CARD_DETECT}, 2637 [51] = {8, sd_adtc, "SEND_SCR", sd_acmd_SEND_SCR}, 2638 }, 2639 }; 2640 2641 static const SDProto sd_proto_emmc = { 2642 /* Only v4.3 is supported */ 2643 .name = "eMMC", 2644 .cmd = { 2645 [0] = {0, sd_bc, "GO_IDLE_STATE", sd_cmd_GO_IDLE_STATE}, 2646 [1] = {0, sd_bcr, "SEND_OP_COND", sd_cmd_SEND_OP_COND}, 2647 [2] = {0, sd_bcr, "ALL_SEND_CID", sd_cmd_ALL_SEND_CID}, 2648 [3] = {0, sd_ac, "SET_RELATIVE_ADDR", emmc_cmd_SET_RELATIVE_ADDR}, 2649 [4] = {0, sd_bc, "SEND_DSR", sd_cmd_unimplemented}, 2650 [5] = {0, sd_ac, "SLEEP/AWAKE", emmc_cmd_sleep_awake}, 2651 [6] = {10, sd_adtc, "SWITCH", emmc_cmd_SWITCH}, 2652 [7] = {0, sd_ac, "(DE)SELECT_CARD", sd_cmd_DE_SELECT_CARD}, 2653 [8] = {0, sd_adtc, "SEND_EXT_CSD", emmc_cmd_SEND_EXT_CSD}, 2654 [9] = {0, sd_ac, "SEND_CSD", sd_cmd_SEND_CSD}, 2655 [10] = {0, sd_ac, "SEND_CID", sd_cmd_SEND_CID}, 2656 [11] = {1, sd_adtc, "READ_DAT_UNTIL_STOP", sd_cmd_unimplemented}, 2657 [12] = {0, sd_ac, "STOP_TRANSMISSION", sd_cmd_STOP_TRANSMISSION}, 2658 [13] = {0, sd_ac, "SEND_STATUS", sd_cmd_SEND_STATUS}, 2659 [14] = {0, sd_adtc, "BUSTEST_R", sd_cmd_unimplemented}, 2660 [15] = {0, sd_ac, "GO_INACTIVE_STATE", sd_cmd_GO_INACTIVE_STATE}, 2661 [16] = {2, sd_ac, "SET_BLOCKLEN", sd_cmd_SET_BLOCKLEN}, 2662 [17] = {2, sd_adtc, "READ_SINGLE_BLOCK", sd_cmd_READ_SINGLE_BLOCK}, 2663 [19] = {0, sd_adtc, "BUSTEST_W", sd_cmd_unimplemented}, 2664 [20] = {3, sd_adtc, "WRITE_DAT_UNTIL_STOP", sd_cmd_unimplemented}, 2665 [23] = {2, sd_ac, "SET_BLOCK_COUNT", sd_cmd_SET_BLOCK_COUNT}, 2666 [24] = {4, sd_adtc, "WRITE_SINGLE_BLOCK", sd_cmd_WRITE_SINGLE_BLOCK}, 2667 [26] = {4, sd_adtc, "PROGRAM_CID", emmc_cmd_PROGRAM_CID}, 2668 [27] = {4, sd_adtc, "PROGRAM_CSD", sd_cmd_PROGRAM_CSD}, 2669 [28] = {6, sd_ac, "SET_WRITE_PROT", sd_cmd_SET_WRITE_PROT}, 2670 [29] = {6, sd_ac, "CLR_WRITE_PROT", sd_cmd_CLR_WRITE_PROT}, 2671 [30] = {6, sd_adtc, "SEND_WRITE_PROT", sd_cmd_SEND_WRITE_PROT}, 2672 [31] = {6, sd_adtc, "SEND_WRITE_PROT_TYPE", sd_cmd_unimplemented}, 2673 [35] = {5, sd_ac, "ERASE_WR_BLK_START", sd_cmd_ERASE_WR_BLK_START}, 2674 [36] = {5, sd_ac, "ERASE_WR_BLK_END", sd_cmd_ERASE_WR_BLK_END}, 2675 [38] = {5, sd_ac, "ERASE", sd_cmd_ERASE}, 2676 [39] = {9, sd_ac, "FAST_IO", sd_cmd_unimplemented}, 2677 [40] = {9, sd_bcr, "GO_IRQ_STATE", sd_cmd_unimplemented}, 2678 [42] = {7, sd_adtc, "LOCK_UNLOCK", sd_cmd_LOCK_UNLOCK}, 2679 [49] = {0, sd_adtc, "SET_TIME", sd_cmd_unimplemented}, 2680 [55] = {8, sd_ac, "APP_CMD", sd_cmd_APP_CMD}, 2681 [56] = {8, sd_adtc, "GEN_CMD", sd_cmd_GEN_CMD}, 2682 }, 2683 }; 2684 2685 static void sd_instance_init(Object *obj) 2686 { 2687 SDState *sd = SDMMC_COMMON(obj); 2688 SDCardClass *sc = SDMMC_COMMON_GET_CLASS(sd); 2689 2690 sd->proto = sc->proto; 2691 sd->last_cmd_name = "UNSET"; 2692 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2693 } 2694 2695 static void sd_instance_finalize(Object *obj) 2696 { 2697 SDState *sd = SDMMC_COMMON(obj); 2698 2699 timer_free(sd->ocr_power_timer); 2700 } 2701 2702 static void sd_realize(DeviceState *dev, Error **errp) 2703 { 2704 SDState *sd = SDMMC_COMMON(dev); 2705 int ret; 2706 2707 switch (sd->spec_version) { 2708 case SD_PHY_SPECv1_10_VERS 2709 ... SD_PHY_SPECv3_01_VERS: 2710 break; 2711 default: 2712 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2713 return; 2714 } 2715 2716 if (sd->blk) { 2717 int64_t blk_size; 2718 2719 if (!blk_supports_write_perm(sd->blk)) { 2720 error_setg(errp, "Cannot use read-only drive as SD card"); 2721 return; 2722 } 2723 2724 blk_size = blk_getlength(sd->blk); 2725 if (blk_size > 0 && !is_power_of_2(blk_size)) { 2726 int64_t blk_size_aligned = pow2ceil(blk_size); 2727 char *blk_size_str; 2728 2729 blk_size_str = size_to_str(blk_size); 2730 error_setg(errp, "Invalid SD card size: %s", blk_size_str); 2731 g_free(blk_size_str); 2732 2733 blk_size_str = size_to_str(blk_size_aligned); 2734 error_append_hint(errp, 2735 "SD card size has to be a power of 2, e.g. %s.\n" 2736 "You can resize disk images with" 2737 " 'qemu-img resize <imagefile> <new-size>'\n" 2738 "(note that this will lose data if you make the" 2739 " image smaller than it currently is).\n", 2740 blk_size_str); 2741 g_free(blk_size_str); 2742 2743 return; 2744 } 2745 2746 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2747 BLK_PERM_ALL, errp); 2748 if (ret < 0) { 2749 return; 2750 } 2751 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2752 } 2753 } 2754 2755 static void emmc_realize(DeviceState *dev, Error **errp) 2756 { 2757 SDState *sd = SDMMC_COMMON(dev); 2758 2759 sd->spec_version = SD_PHY_SPECv3_01_VERS; /* Actually v4.3 */ 2760 2761 sd_realize(dev, errp); 2762 } 2763 2764 static const Property sdmmc_common_properties[] = { 2765 DEFINE_PROP_DRIVE("drive", SDState, blk), 2766 }; 2767 2768 static const Property sd_properties[] = { 2769 DEFINE_PROP_UINT8("spec_version", SDState, 2770 spec_version, SD_PHY_SPECv3_01_VERS), 2771 }; 2772 2773 static const Property emmc_properties[] = { 2774 DEFINE_PROP_UINT64("boot-partition-size", SDState, boot_part_size, 0), 2775 DEFINE_PROP_UINT8("boot-config", SDState, boot_config, 0x0), 2776 }; 2777 2778 static void sdmmc_common_class_init(ObjectClass *klass, const void *data) 2779 { 2780 DeviceClass *dc = DEVICE_CLASS(klass); 2781 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2782 2783 device_class_set_props(dc, sdmmc_common_properties); 2784 dc->vmsd = &sd_vmstate; 2785 device_class_set_legacy_reset(dc, sd_reset); 2786 dc->bus_type = TYPE_SD_BUS; 2787 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2788 2789 sc->set_voltage = sd_set_voltage; 2790 sc->get_dat_lines = sd_get_dat_lines; 2791 sc->get_cmd_line = sd_get_cmd_line; 2792 sc->do_command = sd_do_command; 2793 sc->write_byte = sd_write_byte; 2794 sc->read_byte = sd_read_byte; 2795 sc->receive_ready = sd_receive_ready; 2796 sc->data_ready = sd_data_ready; 2797 sc->get_inserted = sd_get_inserted; 2798 sc->get_readonly = sd_get_readonly; 2799 } 2800 2801 static void sd_class_init(ObjectClass *klass, const void *data) 2802 { 2803 DeviceClass *dc = DEVICE_CLASS(klass); 2804 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2805 2806 dc->realize = sd_realize; 2807 device_class_set_props(dc, sd_properties); 2808 2809 sc->set_cid = sd_set_cid; 2810 sc->set_csd = sd_set_csd; 2811 sc->proto = &sd_proto_sd; 2812 } 2813 2814 /* 2815 * We do not model the chip select pin, so allow the board to select 2816 * whether card should be in SSI or MMC/SD mode. It is also up to the 2817 * board to ensure that ssi transfers only occur when the chip select 2818 * is asserted. 2819 */ 2820 static void sd_spi_class_init(ObjectClass *klass, const void *data) 2821 { 2822 DeviceClass *dc = DEVICE_CLASS(klass); 2823 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2824 2825 dc->desc = "SD SPI"; 2826 sc->proto = &sd_proto_spi; 2827 } 2828 2829 static void emmc_class_init(ObjectClass *klass, const void *data) 2830 { 2831 DeviceClass *dc = DEVICE_CLASS(klass); 2832 SDCardClass *sc = SDMMC_COMMON_CLASS(klass); 2833 2834 dc->desc = "eMMC"; 2835 dc->realize = emmc_realize; 2836 device_class_set_props(dc, emmc_properties); 2837 /* Reason: Soldered on board */ 2838 dc->user_creatable = false; 2839 2840 sc->proto = &sd_proto_emmc; 2841 2842 sc->set_cid = emmc_set_cid; 2843 sc->set_csd = emmc_set_csd; 2844 } 2845 2846 static const TypeInfo sd_types[] = { 2847 { 2848 .name = TYPE_SDMMC_COMMON, 2849 .parent = TYPE_DEVICE, 2850 .abstract = true, 2851 .instance_size = sizeof(SDState), 2852 .class_size = sizeof(SDCardClass), 2853 .class_init = sdmmc_common_class_init, 2854 .instance_init = sd_instance_init, 2855 .instance_finalize = sd_instance_finalize, 2856 }, 2857 { 2858 .name = TYPE_SD_CARD, 2859 .parent = TYPE_SDMMC_COMMON, 2860 .class_init = sd_class_init, 2861 }, 2862 { 2863 .name = TYPE_SD_CARD_SPI, 2864 .parent = TYPE_SD_CARD, 2865 .class_init = sd_spi_class_init, 2866 }, 2867 { 2868 .name = TYPE_EMMC, 2869 .parent = TYPE_SDMMC_COMMON, 2870 .class_init = emmc_class_init, 2871 }, 2872 }; 2873 2874 DEFINE_TYPES(sd_types) 2875