1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "qemu/osdep.h" 34 #include "qemu/units.h" 35 #include "hw/qdev.h" 36 #include "hw/hw.h" 37 #include "hw/irq.h" 38 #include "hw/registerfields.h" 39 #include "sysemu/block-backend.h" 40 #include "hw/sd/sd.h" 41 #include "migration/vmstate.h" 42 #include "qapi/error.h" 43 #include "qemu/bitmap.h" 44 #include "hw/qdev-properties.h" 45 #include "qemu/error-report.h" 46 #include "qemu/timer.h" 47 #include "qemu/log.h" 48 #include "qemu/module.h" 49 #include "sdmmc-internal.h" 50 #include "trace.h" 51 52 //#define DEBUG_SD 1 53 54 typedef enum { 55 sd_r0 = 0, /* no response */ 56 sd_r1, /* normal response command */ 57 sd_r2_i, /* CID register */ 58 sd_r2_s, /* CSD register */ 59 sd_r3, /* OCR register */ 60 sd_r6 = 6, /* Published RCA response */ 61 sd_r7, /* Operating voltage */ 62 sd_r1b = -1, 63 sd_illegal = -2, 64 } sd_rsp_type_t; 65 66 enum SDCardModes { 67 sd_inactive, 68 sd_card_identification_mode, 69 sd_data_transfer_mode, 70 }; 71 72 enum SDCardStates { 73 sd_inactive_state = -1, 74 sd_idle_state = 0, 75 sd_ready_state, 76 sd_identification_state, 77 sd_standby_state, 78 sd_transfer_state, 79 sd_sendingdata_state, 80 sd_receivingdata_state, 81 sd_programming_state, 82 sd_disconnect_state, 83 }; 84 85 struct SDState { 86 DeviceState parent_obj; 87 88 /* SD Memory Card Registers */ 89 uint32_t ocr; 90 uint8_t scr[8]; 91 uint8_t cid[16]; 92 uint8_t csd[16]; 93 uint16_t rca; 94 uint32_t card_status; 95 uint8_t sd_status[64]; 96 97 /* Configurable properties */ 98 uint8_t spec_version; 99 BlockBackend *blk; 100 bool spi; 101 102 uint32_t mode; /* current card mode, one of SDCardModes */ 103 int32_t state; /* current card state, one of SDCardStates */ 104 uint32_t vhs; 105 bool wp_switch; 106 unsigned long *wp_groups; 107 int32_t wpgrps_size; 108 uint64_t size; 109 uint32_t blk_len; 110 uint32_t multi_blk_cnt; 111 uint32_t erase_start; 112 uint32_t erase_end; 113 uint8_t pwd[16]; 114 uint32_t pwd_len; 115 uint8_t function_group[6]; 116 uint8_t current_cmd; 117 /* True if we will handle the next command as an ACMD. Note that this does 118 * *not* track the APP_CMD status bit! 119 */ 120 bool expecting_acmd; 121 uint32_t blk_written; 122 uint64_t data_start; 123 uint32_t data_offset; 124 uint8_t data[512]; 125 qemu_irq readonly_cb; 126 qemu_irq inserted_cb; 127 QEMUTimer *ocr_power_timer; 128 const char *proto_name; 129 bool enable; 130 uint8_t dat_lines; 131 bool cmd_line; 132 }; 133 134 static const char *sd_state_name(enum SDCardStates state) 135 { 136 static const char *state_name[] = { 137 [sd_idle_state] = "idle", 138 [sd_ready_state] = "ready", 139 [sd_identification_state] = "identification", 140 [sd_standby_state] = "standby", 141 [sd_transfer_state] = "transfer", 142 [sd_sendingdata_state] = "sendingdata", 143 [sd_receivingdata_state] = "receivingdata", 144 [sd_programming_state] = "programming", 145 [sd_disconnect_state] = "disconnect", 146 }; 147 if (state == sd_inactive_state) { 148 return "inactive"; 149 } 150 assert(state < ARRAY_SIZE(state_name)); 151 return state_name[state]; 152 } 153 154 static const char *sd_response_name(sd_rsp_type_t rsp) 155 { 156 static const char *response_name[] = { 157 [sd_r0] = "RESP#0 (no response)", 158 [sd_r1] = "RESP#1 (normal cmd)", 159 [sd_r2_i] = "RESP#2 (CID reg)", 160 [sd_r2_s] = "RESP#2 (CSD reg)", 161 [sd_r3] = "RESP#3 (OCR reg)", 162 [sd_r6] = "RESP#6 (RCA)", 163 [sd_r7] = "RESP#7 (operating voltage)", 164 }; 165 if (rsp == sd_illegal) { 166 return "ILLEGAL RESP"; 167 } 168 if (rsp == sd_r1b) { 169 rsp = sd_r1; 170 } 171 assert(rsp < ARRAY_SIZE(response_name)); 172 return response_name[rsp]; 173 } 174 175 static uint8_t sd_get_dat_lines(SDState *sd) 176 { 177 return sd->enable ? sd->dat_lines : 0; 178 } 179 180 static bool sd_get_cmd_line(SDState *sd) 181 { 182 return sd->enable ? sd->cmd_line : false; 183 } 184 185 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 186 { 187 trace_sdcard_set_voltage(millivolts); 188 189 switch (millivolts) { 190 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 191 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 192 break; 193 default: 194 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 195 millivolts / 1000.f); 196 } 197 } 198 199 static void sd_set_mode(SDState *sd) 200 { 201 switch (sd->state) { 202 case sd_inactive_state: 203 sd->mode = sd_inactive; 204 break; 205 206 case sd_idle_state: 207 case sd_ready_state: 208 case sd_identification_state: 209 sd->mode = sd_card_identification_mode; 210 break; 211 212 case sd_standby_state: 213 case sd_transfer_state: 214 case sd_sendingdata_state: 215 case sd_receivingdata_state: 216 case sd_programming_state: 217 case sd_disconnect_state: 218 sd->mode = sd_data_transfer_mode; 219 break; 220 } 221 } 222 223 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = { 224 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac, 225 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac, 226 /* 16 */ 227 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, 228 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none, 229 /* 32 */ 230 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none, 231 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none, 232 /* 48 */ 233 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, 234 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, 235 }; 236 237 static const int sd_cmd_class[SDMMC_CMD_MAX] = { 238 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 239 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6, 240 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7, 241 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8, 242 }; 243 244 static uint8_t sd_crc7(void *message, size_t width) 245 { 246 int i, bit; 247 uint8_t shift_reg = 0x00; 248 uint8_t *msg = (uint8_t *) message; 249 250 for (i = 0; i < width; i ++, msg ++) 251 for (bit = 7; bit >= 0; bit --) { 252 shift_reg <<= 1; 253 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 254 shift_reg ^= 0x89; 255 } 256 257 return shift_reg; 258 } 259 260 static uint16_t sd_crc16(void *message, size_t width) 261 { 262 int i, bit; 263 uint16_t shift_reg = 0x0000; 264 uint16_t *msg = (uint16_t *) message; 265 width <<= 1; 266 267 for (i = 0; i < width; i ++, msg ++) 268 for (bit = 15; bit >= 0; bit --) { 269 shift_reg <<= 1; 270 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1)) 271 shift_reg ^= 0x1011; 272 } 273 274 return shift_reg; 275 } 276 277 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 278 279 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 280 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 281 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 282 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 283 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 284 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 285 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 286 FIELD(OCR, CARD_POWER_UP, 31, 1) 287 288 #define ACMD41_ENQUIRY_MASK 0x00ffffff 289 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 290 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 291 | R_OCR_UHS_II_CARD_MASK \ 292 | R_OCR_CARD_CAPACITY_MASK \ 293 | R_OCR_CARD_POWER_UP_MASK) 294 295 static void sd_set_ocr(SDState *sd) 296 { 297 /* All voltages OK */ 298 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 299 } 300 301 static void sd_ocr_powerup(void *opaque) 302 { 303 SDState *sd = opaque; 304 305 trace_sdcard_powerup(); 306 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 307 308 /* card power-up OK */ 309 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 310 311 if (sd->size > 1 * GiB) { 312 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 313 } 314 } 315 316 static void sd_set_scr(SDState *sd) 317 { 318 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 319 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 320 sd->scr[0] |= 1; /* Spec Version 1.10 */ 321 } else { 322 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 323 } 324 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 325 | 0b0101; /* 1-bit or 4-bit width bus modes */ 326 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 327 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 328 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 329 } 330 sd->scr[3] = 0x00; 331 /* reserved for manufacturer usage */ 332 sd->scr[4] = 0x00; 333 sd->scr[5] = 0x00; 334 sd->scr[6] = 0x00; 335 sd->scr[7] = 0x00; 336 } 337 338 #define MID 0xaa 339 #define OID "XY" 340 #define PNM "QEMU!" 341 #define PRV 0x01 342 #define MDT_YR 2006 343 #define MDT_MON 2 344 345 static void sd_set_cid(SDState *sd) 346 { 347 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 348 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 349 sd->cid[2] = OID[1]; 350 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 351 sd->cid[4] = PNM[1]; 352 sd->cid[5] = PNM[2]; 353 sd->cid[6] = PNM[3]; 354 sd->cid[7] = PNM[4]; 355 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 356 sd->cid[9] = 0xde; /* Fake serial number (PSN) */ 357 sd->cid[10] = 0xad; 358 sd->cid[11] = 0xbe; 359 sd->cid[12] = 0xef; 360 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 361 ((MDT_YR - 2000) / 10); 362 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 363 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 364 } 365 366 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 367 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 368 #define WPGROUP_SHIFT 7 /* 2 megs */ 369 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 370 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 371 372 static const uint8_t sd_csd_rw_mask[16] = { 373 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 374 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 375 }; 376 377 static void sd_set_csd(SDState *sd, uint64_t size) 378 { 379 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1; 380 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 381 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 382 383 if (size <= 1 * GiB) { /* Standard Capacity SD */ 384 sd->csd[0] = 0x00; /* CSD structure */ 385 sd->csd[1] = 0x26; /* Data read access-time-1 */ 386 sd->csd[2] = 0x00; /* Data read access-time-2 */ 387 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 388 sd->csd[4] = 0x5f; /* Card Command Classes */ 389 sd->csd[5] = 0x50 | /* Max. read data block length */ 390 HWBLOCK_SHIFT; 391 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 392 ((csize >> 10) & 0x03); 393 sd->csd[7] = 0x00 | /* Device size */ 394 ((csize >> 2) & 0xff); 395 sd->csd[8] = 0x3f | /* Max. read current */ 396 ((csize << 6) & 0xc0); 397 sd->csd[9] = 0xfc | /* Max. write current */ 398 ((CMULT_SHIFT - 2) >> 1); 399 sd->csd[10] = 0x40 | /* Erase sector size */ 400 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 401 sd->csd[11] = 0x00 | /* Write protect group size */ 402 ((sectsize << 7) & 0x80) | wpsize; 403 sd->csd[12] = 0x90 | /* Write speed factor */ 404 (HWBLOCK_SHIFT >> 2); 405 sd->csd[13] = 0x20 | /* Max. write data block length */ 406 ((HWBLOCK_SHIFT << 6) & 0xc0); 407 sd->csd[14] = 0x00; /* File format group */ 408 } else { /* SDHC */ 409 size /= 512 * KiB; 410 size -= 1; 411 sd->csd[0] = 0x40; 412 sd->csd[1] = 0x0e; 413 sd->csd[2] = 0x00; 414 sd->csd[3] = 0x32; 415 sd->csd[4] = 0x5b; 416 sd->csd[5] = 0x59; 417 sd->csd[6] = 0x00; 418 sd->csd[7] = (size >> 16) & 0xff; 419 sd->csd[8] = (size >> 8) & 0xff; 420 sd->csd[9] = (size & 0xff); 421 sd->csd[10] = 0x7f; 422 sd->csd[11] = 0x80; 423 sd->csd[12] = 0x0a; 424 sd->csd[13] = 0x40; 425 sd->csd[14] = 0x00; 426 } 427 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 428 } 429 430 static void sd_set_rca(SDState *sd) 431 { 432 sd->rca += 0x4567; 433 } 434 435 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 436 FIELD(CSR, APP_CMD, 5, 1) 437 FIELD(CSR, FX_EVENT, 6, 1) 438 FIELD(CSR, READY_FOR_DATA, 8, 1) 439 FIELD(CSR, CURRENT_STATE, 9, 4) 440 FIELD(CSR, ERASE_RESET, 13, 1) 441 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 442 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 443 FIELD(CSR, CSD_OVERWRITE, 16, 1) 444 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 445 FIELD(CSR, ERROR, 19, 1) 446 FIELD(CSR, CC_ERROR, 20, 1) 447 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 448 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 449 FIELD(CSR, COM_CRC_ERROR, 23, 1) 450 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 451 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 452 FIELD(CSR, WP_VIOLATION, 26, 1) 453 FIELD(CSR, ERASE_PARAM, 27, 1) 454 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 455 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 456 FIELD(CSR, ADDRESS_ERROR, 30, 1) 457 FIELD(CSR, OUT_OF_RANGE, 31, 1) 458 459 /* Card status bits, split by clear condition: 460 * A : According to the card current state 461 * B : Always related to the previous command 462 * C : Cleared by read 463 */ 464 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 465 | R_CSR_CARD_ECC_DISABLED_MASK \ 466 | R_CSR_CARD_IS_LOCKED_MASK) 467 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 468 | R_CSR_ILLEGAL_COMMAND_MASK \ 469 | R_CSR_COM_CRC_ERROR_MASK) 470 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 471 | R_CSR_APP_CMD_MASK \ 472 | R_CSR_ERASE_RESET_MASK \ 473 | R_CSR_WP_ERASE_SKIP_MASK \ 474 | R_CSR_CSD_OVERWRITE_MASK \ 475 | R_CSR_ERROR_MASK \ 476 | R_CSR_CC_ERROR_MASK \ 477 | R_CSR_CARD_ECC_FAILED_MASK \ 478 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 479 | R_CSR_WP_VIOLATION_MASK \ 480 | R_CSR_ERASE_PARAM_MASK \ 481 | R_CSR_ERASE_SEQ_ERROR_MASK \ 482 | R_CSR_BLOCK_LEN_ERROR_MASK \ 483 | R_CSR_ADDRESS_ERROR_MASK \ 484 | R_CSR_OUT_OF_RANGE_MASK) 485 486 static void sd_set_cardstatus(SDState *sd) 487 { 488 sd->card_status = 0x00000100; 489 } 490 491 static void sd_set_sdstatus(SDState *sd) 492 { 493 memset(sd->sd_status, 0, 64); 494 } 495 496 static int sd_req_crc_validate(SDRequest *req) 497 { 498 uint8_t buffer[5]; 499 buffer[0] = 0x40 | req->cmd; 500 stl_be_p(&buffer[1], req->arg); 501 return 0; 502 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 503 } 504 505 static void sd_response_r1_make(SDState *sd, uint8_t *response) 506 { 507 stl_be_p(response, sd->card_status); 508 509 /* Clear the "clear on read" status bits */ 510 sd->card_status &= ~CARD_STATUS_C; 511 } 512 513 static void sd_response_r3_make(SDState *sd, uint8_t *response) 514 { 515 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 516 } 517 518 static void sd_response_r6_make(SDState *sd, uint8_t *response) 519 { 520 uint16_t status; 521 522 status = ((sd->card_status >> 8) & 0xc000) | 523 ((sd->card_status >> 6) & 0x2000) | 524 (sd->card_status & 0x1fff); 525 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 526 stw_be_p(response + 0, sd->rca); 527 stw_be_p(response + 2, status); 528 } 529 530 static void sd_response_r7_make(SDState *sd, uint8_t *response) 531 { 532 stl_be_p(response, sd->vhs); 533 } 534 535 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 536 { 537 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 538 } 539 540 static void sd_reset(DeviceState *dev) 541 { 542 SDState *sd = SD_CARD(dev); 543 uint64_t size; 544 uint64_t sect; 545 546 trace_sdcard_reset(); 547 if (sd->blk) { 548 blk_get_geometry(sd->blk, §); 549 } else { 550 sect = 0; 551 } 552 size = sect << 9; 553 554 sect = sd_addr_to_wpnum(size) + 1; 555 556 sd->state = sd_idle_state; 557 sd->rca = 0x0000; 558 sd_set_ocr(sd); 559 sd_set_scr(sd); 560 sd_set_cid(sd); 561 sd_set_csd(sd, size); 562 sd_set_cardstatus(sd); 563 sd_set_sdstatus(sd); 564 565 g_free(sd->wp_groups); 566 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false; 567 sd->wpgrps_size = sect; 568 sd->wp_groups = bitmap_new(sd->wpgrps_size); 569 memset(sd->function_group, 0, sizeof(sd->function_group)); 570 sd->erase_start = 0; 571 sd->erase_end = 0; 572 sd->size = size; 573 sd->blk_len = 0x200; 574 sd->pwd_len = 0; 575 sd->expecting_acmd = false; 576 sd->dat_lines = 0xf; 577 sd->cmd_line = true; 578 sd->multi_blk_cnt = 0; 579 } 580 581 static bool sd_get_inserted(SDState *sd) 582 { 583 return sd->blk && blk_is_inserted(sd->blk); 584 } 585 586 static bool sd_get_readonly(SDState *sd) 587 { 588 return sd->wp_switch; 589 } 590 591 static void sd_cardchange(void *opaque, bool load, Error **errp) 592 { 593 SDState *sd = opaque; 594 DeviceState *dev = DEVICE(sd); 595 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev)); 596 bool inserted = sd_get_inserted(sd); 597 bool readonly = sd_get_readonly(sd); 598 599 if (inserted) { 600 trace_sdcard_inserted(readonly); 601 sd_reset(dev); 602 } else { 603 trace_sdcard_ejected(); 604 } 605 606 /* The IRQ notification is for legacy non-QOM SD controller devices; 607 * QOMified controllers use the SDBus APIs. 608 */ 609 if (sdbus) { 610 sdbus_set_inserted(sdbus, inserted); 611 if (inserted) { 612 sdbus_set_readonly(sdbus, readonly); 613 } 614 } else { 615 qemu_set_irq(sd->inserted_cb, inserted); 616 if (inserted) { 617 qemu_set_irq(sd->readonly_cb, readonly); 618 } 619 } 620 } 621 622 static const BlockDevOps sd_block_ops = { 623 .change_media_cb = sd_cardchange, 624 }; 625 626 static bool sd_ocr_vmstate_needed(void *opaque) 627 { 628 SDState *sd = opaque; 629 630 /* Include the OCR state (and timer) if it is not yet powered up */ 631 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 632 } 633 634 static const VMStateDescription sd_ocr_vmstate = { 635 .name = "sd-card/ocr-state", 636 .version_id = 1, 637 .minimum_version_id = 1, 638 .needed = sd_ocr_vmstate_needed, 639 .fields = (VMStateField[]) { 640 VMSTATE_UINT32(ocr, SDState), 641 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 642 VMSTATE_END_OF_LIST() 643 }, 644 }; 645 646 static int sd_vmstate_pre_load(void *opaque) 647 { 648 SDState *sd = opaque; 649 650 /* If the OCR state is not included (prior versions, or not 651 * needed), then the OCR must be set as powered up. If the OCR state 652 * is included, this will be replaced by the state restore. 653 */ 654 sd_ocr_powerup(sd); 655 656 return 0; 657 } 658 659 static const VMStateDescription sd_vmstate = { 660 .name = "sd-card", 661 .version_id = 1, 662 .minimum_version_id = 1, 663 .pre_load = sd_vmstate_pre_load, 664 .fields = (VMStateField[]) { 665 VMSTATE_UINT32(mode, SDState), 666 VMSTATE_INT32(state, SDState), 667 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 668 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 669 VMSTATE_UINT16(rca, SDState), 670 VMSTATE_UINT32(card_status, SDState), 671 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 672 VMSTATE_UINT32(vhs, SDState), 673 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size), 674 VMSTATE_UINT32(blk_len, SDState), 675 VMSTATE_UINT32(multi_blk_cnt, SDState), 676 VMSTATE_UINT32(erase_start, SDState), 677 VMSTATE_UINT32(erase_end, SDState), 678 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 679 VMSTATE_UINT32(pwd_len, SDState), 680 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 681 VMSTATE_UINT8(current_cmd, SDState), 682 VMSTATE_BOOL(expecting_acmd, SDState), 683 VMSTATE_UINT32(blk_written, SDState), 684 VMSTATE_UINT64(data_start, SDState), 685 VMSTATE_UINT32(data_offset, SDState), 686 VMSTATE_UINT8_ARRAY(data, SDState, 512), 687 VMSTATE_UNUSED_V(1, 512), 688 VMSTATE_BOOL(enable, SDState), 689 VMSTATE_END_OF_LIST() 690 }, 691 .subsections = (const VMStateDescription*[]) { 692 &sd_ocr_vmstate, 693 NULL 694 }, 695 }; 696 697 /* Legacy initialization function for use by non-qdevified callers */ 698 SDState *sd_init(BlockBackend *blk, bool is_spi) 699 { 700 Object *obj; 701 DeviceState *dev; 702 Error *err = NULL; 703 704 obj = object_new(TYPE_SD_CARD); 705 dev = DEVICE(obj); 706 qdev_prop_set_drive(dev, "drive", blk, &err); 707 if (err) { 708 error_report("sd_init failed: %s", error_get_pretty(err)); 709 return NULL; 710 } 711 qdev_prop_set_bit(dev, "spi", is_spi); 712 object_property_set_bool(obj, true, "realized", &err); 713 if (err) { 714 error_report("sd_init failed: %s", error_get_pretty(err)); 715 return NULL; 716 } 717 718 return SD_CARD(dev); 719 } 720 721 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 722 { 723 sd->readonly_cb = readonly; 724 sd->inserted_cb = insert; 725 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0); 726 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 727 } 728 729 static void sd_erase(SDState *sd) 730 { 731 int i; 732 uint64_t erase_start = sd->erase_start; 733 uint64_t erase_end = sd->erase_end; 734 735 trace_sdcard_erase(); 736 if (!sd->erase_start || !sd->erase_end) { 737 sd->card_status |= ERASE_SEQ_ERROR; 738 return; 739 } 740 741 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 742 /* High capacity memory card: erase units are 512 byte blocks */ 743 erase_start *= 512; 744 erase_end *= 512; 745 } 746 747 erase_start = sd_addr_to_wpnum(erase_start); 748 erase_end = sd_addr_to_wpnum(erase_end); 749 sd->erase_start = 0; 750 sd->erase_end = 0; 751 sd->csd[14] |= 0x40; 752 753 for (i = erase_start; i <= erase_end; i++) { 754 if (test_bit(i, sd->wp_groups)) { 755 sd->card_status |= WP_ERASE_SKIP; 756 } 757 } 758 } 759 760 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 761 { 762 uint32_t i, wpnum; 763 uint32_t ret = 0; 764 765 wpnum = sd_addr_to_wpnum(addr); 766 767 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 768 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { 769 ret |= (1 << i); 770 } 771 } 772 773 return ret; 774 } 775 776 static void sd_function_switch(SDState *sd, uint32_t arg) 777 { 778 int i, mode, new_func; 779 mode = !!(arg & 0x80000000); 780 781 sd->data[0] = 0x00; /* Maximum current consumption */ 782 sd->data[1] = 0x01; 783 sd->data[2] = 0x80; /* Supported group 6 functions */ 784 sd->data[3] = 0x01; 785 sd->data[4] = 0x80; /* Supported group 5 functions */ 786 sd->data[5] = 0x01; 787 sd->data[6] = 0x80; /* Supported group 4 functions */ 788 sd->data[7] = 0x01; 789 sd->data[8] = 0x80; /* Supported group 3 functions */ 790 sd->data[9] = 0x01; 791 sd->data[10] = 0x80; /* Supported group 2 functions */ 792 sd->data[11] = 0x43; 793 sd->data[12] = 0x80; /* Supported group 1 functions */ 794 sd->data[13] = 0x03; 795 for (i = 0; i < 6; i ++) { 796 new_func = (arg >> (i * 4)) & 0x0f; 797 if (mode && new_func != 0x0f) 798 sd->function_group[i] = new_func; 799 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4); 800 } 801 memset(&sd->data[17], 0, 47); 802 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64)); 803 } 804 805 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 806 { 807 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 808 } 809 810 static void sd_lock_command(SDState *sd) 811 { 812 int erase, lock, clr_pwd, set_pwd, pwd_len; 813 erase = !!(sd->data[0] & 0x08); 814 lock = sd->data[0] & 0x04; 815 clr_pwd = sd->data[0] & 0x02; 816 set_pwd = sd->data[0] & 0x01; 817 818 if (sd->blk_len > 1) 819 pwd_len = sd->data[1]; 820 else 821 pwd_len = 0; 822 823 if (lock) { 824 trace_sdcard_lock(); 825 } else { 826 trace_sdcard_unlock(); 827 } 828 if (erase) { 829 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 830 set_pwd || clr_pwd || lock || sd->wp_switch || 831 (sd->csd[14] & 0x20)) { 832 sd->card_status |= LOCK_UNLOCK_FAILED; 833 return; 834 } 835 bitmap_zero(sd->wp_groups, sd->wpgrps_size); 836 sd->csd[14] &= ~0x10; 837 sd->card_status &= ~CARD_IS_LOCKED; 838 sd->pwd_len = 0; 839 /* Erasing the entire card here! */ 840 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 841 return; 842 } 843 844 if (sd->blk_len < 2 + pwd_len || 845 pwd_len <= sd->pwd_len || 846 pwd_len > sd->pwd_len + 16) { 847 sd->card_status |= LOCK_UNLOCK_FAILED; 848 return; 849 } 850 851 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 852 sd->card_status |= LOCK_UNLOCK_FAILED; 853 return; 854 } 855 856 pwd_len -= sd->pwd_len; 857 if ((pwd_len && !set_pwd) || 858 (clr_pwd && (set_pwd || lock)) || 859 (lock && !sd->pwd_len && !set_pwd) || 860 (!set_pwd && !clr_pwd && 861 (((sd->card_status & CARD_IS_LOCKED) && lock) || 862 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 863 sd->card_status |= LOCK_UNLOCK_FAILED; 864 return; 865 } 866 867 if (set_pwd) { 868 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 869 sd->pwd_len = pwd_len; 870 } 871 872 if (clr_pwd) { 873 sd->pwd_len = 0; 874 } 875 876 if (lock) 877 sd->card_status |= CARD_IS_LOCKED; 878 else 879 sd->card_status &= ~CARD_IS_LOCKED; 880 } 881 882 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 883 { 884 uint32_t rca = 0x0000; 885 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg; 886 887 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 888 * However there is no ACMD55, so we want to trace this particular case. 889 */ 890 if (req.cmd != 55 || sd->expecting_acmd) { 891 trace_sdcard_normal_command(sd->proto_name, 892 sd_cmd_name(req.cmd), req.cmd, 893 req.arg, sd_state_name(sd->state)); 894 } 895 896 /* Not interpreting this as an app command */ 897 sd->card_status &= ~APP_CMD; 898 899 if (sd_cmd_type[req.cmd] == sd_ac 900 || sd_cmd_type[req.cmd] == sd_adtc) { 901 rca = req.arg >> 16; 902 } 903 904 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 905 * if not, its effects are cancelled */ 906 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 907 sd->multi_blk_cnt = 0; 908 } 909 910 switch (req.cmd) { 911 /* Basic commands (Class 0 and Class 1) */ 912 case 0: /* CMD0: GO_IDLE_STATE */ 913 switch (sd->state) { 914 case sd_inactive_state: 915 return sd->spi ? sd_r1 : sd_r0; 916 917 default: 918 sd->state = sd_idle_state; 919 sd_reset(DEVICE(sd)); 920 return sd->spi ? sd_r1 : sd_r0; 921 } 922 break; 923 924 case 1: /* CMD1: SEND_OP_CMD */ 925 if (!sd->spi) 926 goto bad_cmd; 927 928 sd->state = sd_transfer_state; 929 return sd_r1; 930 931 case 2: /* CMD2: ALL_SEND_CID */ 932 if (sd->spi) 933 goto bad_cmd; 934 switch (sd->state) { 935 case sd_ready_state: 936 sd->state = sd_identification_state; 937 return sd_r2_i; 938 939 default: 940 break; 941 } 942 break; 943 944 case 3: /* CMD3: SEND_RELATIVE_ADDR */ 945 if (sd->spi) 946 goto bad_cmd; 947 switch (sd->state) { 948 case sd_identification_state: 949 case sd_standby_state: 950 sd->state = sd_standby_state; 951 sd_set_rca(sd); 952 return sd_r6; 953 954 default: 955 break; 956 } 957 break; 958 959 case 4: /* CMD4: SEND_DSR */ 960 if (sd->spi) 961 goto bad_cmd; 962 switch (sd->state) { 963 case sd_standby_state: 964 break; 965 966 default: 967 break; 968 } 969 break; 970 971 case 5: /* CMD5: reserved for SDIO cards */ 972 return sd_illegal; 973 974 case 6: /* CMD6: SWITCH_FUNCTION */ 975 switch (sd->mode) { 976 case sd_data_transfer_mode: 977 sd_function_switch(sd, req.arg); 978 sd->state = sd_sendingdata_state; 979 sd->data_start = 0; 980 sd->data_offset = 0; 981 return sd_r1; 982 983 default: 984 break; 985 } 986 break; 987 988 case 7: /* CMD7: SELECT/DESELECT_CARD */ 989 if (sd->spi) 990 goto bad_cmd; 991 switch (sd->state) { 992 case sd_standby_state: 993 if (sd->rca != rca) 994 return sd_r0; 995 996 sd->state = sd_transfer_state; 997 return sd_r1b; 998 999 case sd_transfer_state: 1000 case sd_sendingdata_state: 1001 if (sd->rca == rca) 1002 break; 1003 1004 sd->state = sd_standby_state; 1005 return sd_r1b; 1006 1007 case sd_disconnect_state: 1008 if (sd->rca != rca) 1009 return sd_r0; 1010 1011 sd->state = sd_programming_state; 1012 return sd_r1b; 1013 1014 case sd_programming_state: 1015 if (sd->rca == rca) 1016 break; 1017 1018 sd->state = sd_disconnect_state; 1019 return sd_r1b; 1020 1021 default: 1022 break; 1023 } 1024 break; 1025 1026 case 8: /* CMD8: SEND_IF_COND */ 1027 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1028 break; 1029 } 1030 if (sd->state != sd_idle_state) { 1031 break; 1032 } 1033 sd->vhs = 0; 1034 1035 /* No response if not exactly one VHS bit is set. */ 1036 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1037 return sd->spi ? sd_r7 : sd_r0; 1038 } 1039 1040 /* Accept. */ 1041 sd->vhs = req.arg; 1042 return sd_r7; 1043 1044 case 9: /* CMD9: SEND_CSD */ 1045 switch (sd->state) { 1046 case sd_standby_state: 1047 if (sd->rca != rca) 1048 return sd_r0; 1049 1050 return sd_r2_s; 1051 1052 case sd_transfer_state: 1053 if (!sd->spi) 1054 break; 1055 sd->state = sd_sendingdata_state; 1056 memcpy(sd->data, sd->csd, 16); 1057 sd->data_start = addr; 1058 sd->data_offset = 0; 1059 return sd_r1; 1060 1061 default: 1062 break; 1063 } 1064 break; 1065 1066 case 10: /* CMD10: SEND_CID */ 1067 switch (sd->state) { 1068 case sd_standby_state: 1069 if (sd->rca != rca) 1070 return sd_r0; 1071 1072 return sd_r2_i; 1073 1074 case sd_transfer_state: 1075 if (!sd->spi) 1076 break; 1077 sd->state = sd_sendingdata_state; 1078 memcpy(sd->data, sd->cid, 16); 1079 sd->data_start = addr; 1080 sd->data_offset = 0; 1081 return sd_r1; 1082 1083 default: 1084 break; 1085 } 1086 break; 1087 1088 case 12: /* CMD12: STOP_TRANSMISSION */ 1089 switch (sd->state) { 1090 case sd_sendingdata_state: 1091 sd->state = sd_transfer_state; 1092 return sd_r1b; 1093 1094 case sd_receivingdata_state: 1095 sd->state = sd_programming_state; 1096 /* Bzzzzzzztt .... Operation complete. */ 1097 sd->state = sd_transfer_state; 1098 return sd_r1b; 1099 1100 default: 1101 break; 1102 } 1103 break; 1104 1105 case 13: /* CMD13: SEND_STATUS */ 1106 switch (sd->mode) { 1107 case sd_data_transfer_mode: 1108 if (sd->rca != rca) 1109 return sd_r0; 1110 1111 return sd_r1; 1112 1113 default: 1114 break; 1115 } 1116 break; 1117 1118 case 15: /* CMD15: GO_INACTIVE_STATE */ 1119 if (sd->spi) 1120 goto bad_cmd; 1121 switch (sd->mode) { 1122 case sd_data_transfer_mode: 1123 if (sd->rca != rca) 1124 return sd_r0; 1125 1126 sd->state = sd_inactive_state; 1127 return sd_r0; 1128 1129 default: 1130 break; 1131 } 1132 break; 1133 1134 /* Block read commands (Classs 2) */ 1135 case 16: /* CMD16: SET_BLOCKLEN */ 1136 switch (sd->state) { 1137 case sd_transfer_state: 1138 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1139 sd->card_status |= BLOCK_LEN_ERROR; 1140 } else { 1141 trace_sdcard_set_blocklen(req.arg); 1142 sd->blk_len = req.arg; 1143 } 1144 1145 return sd_r1; 1146 1147 default: 1148 break; 1149 } 1150 break; 1151 1152 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1153 switch (sd->state) { 1154 case sd_transfer_state: 1155 sd->state = sd_sendingdata_state; 1156 sd->data_start = addr; 1157 sd->data_offset = 0; 1158 1159 if (sd->data_start + sd->blk_len > sd->size) 1160 sd->card_status |= ADDRESS_ERROR; 1161 return sd_r1; 1162 1163 default: 1164 break; 1165 } 1166 break; 1167 1168 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1169 switch (sd->state) { 1170 case sd_transfer_state: 1171 sd->state = sd_sendingdata_state; 1172 sd->data_start = addr; 1173 sd->data_offset = 0; 1174 1175 if (sd->data_start + sd->blk_len > sd->size) 1176 sd->card_status |= ADDRESS_ERROR; 1177 return sd_r1; 1178 1179 default: 1180 break; 1181 } 1182 break; 1183 1184 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 1185 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1186 break; 1187 } 1188 if (sd->state == sd_transfer_state) { 1189 sd->state = sd_sendingdata_state; 1190 sd->data_offset = 0; 1191 return sd_r1; 1192 } 1193 break; 1194 1195 case 23: /* CMD23: SET_BLOCK_COUNT */ 1196 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1197 break; 1198 } 1199 switch (sd->state) { 1200 case sd_transfer_state: 1201 sd->multi_blk_cnt = req.arg; 1202 return sd_r1; 1203 1204 default: 1205 break; 1206 } 1207 break; 1208 1209 /* Block write commands (Class 4) */ 1210 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1211 switch (sd->state) { 1212 case sd_transfer_state: 1213 /* Writing in SPI mode not implemented. */ 1214 if (sd->spi) 1215 break; 1216 sd->state = sd_receivingdata_state; 1217 sd->data_start = addr; 1218 sd->data_offset = 0; 1219 sd->blk_written = 0; 1220 1221 if (sd->data_start + sd->blk_len > sd->size) 1222 sd->card_status |= ADDRESS_ERROR; 1223 if (sd_wp_addr(sd, sd->data_start)) 1224 sd->card_status |= WP_VIOLATION; 1225 if (sd->csd[14] & 0x30) 1226 sd->card_status |= WP_VIOLATION; 1227 return sd_r1; 1228 1229 default: 1230 break; 1231 } 1232 break; 1233 1234 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1235 switch (sd->state) { 1236 case sd_transfer_state: 1237 /* Writing in SPI mode not implemented. */ 1238 if (sd->spi) 1239 break; 1240 sd->state = sd_receivingdata_state; 1241 sd->data_start = addr; 1242 sd->data_offset = 0; 1243 sd->blk_written = 0; 1244 1245 if (sd->data_start + sd->blk_len > sd->size) 1246 sd->card_status |= ADDRESS_ERROR; 1247 if (sd_wp_addr(sd, sd->data_start)) 1248 sd->card_status |= WP_VIOLATION; 1249 if (sd->csd[14] & 0x30) 1250 sd->card_status |= WP_VIOLATION; 1251 return sd_r1; 1252 1253 default: 1254 break; 1255 } 1256 break; 1257 1258 case 26: /* CMD26: PROGRAM_CID */ 1259 if (sd->spi) 1260 goto bad_cmd; 1261 switch (sd->state) { 1262 case sd_transfer_state: 1263 sd->state = sd_receivingdata_state; 1264 sd->data_start = 0; 1265 sd->data_offset = 0; 1266 return sd_r1; 1267 1268 default: 1269 break; 1270 } 1271 break; 1272 1273 case 27: /* CMD27: PROGRAM_CSD */ 1274 switch (sd->state) { 1275 case sd_transfer_state: 1276 sd->state = sd_receivingdata_state; 1277 sd->data_start = 0; 1278 sd->data_offset = 0; 1279 return sd_r1; 1280 1281 default: 1282 break; 1283 } 1284 break; 1285 1286 /* Write protection (Class 6) */ 1287 case 28: /* CMD28: SET_WRITE_PROT */ 1288 switch (sd->state) { 1289 case sd_transfer_state: 1290 if (addr >= sd->size) { 1291 sd->card_status |= ADDRESS_ERROR; 1292 return sd_r1b; 1293 } 1294 1295 sd->state = sd_programming_state; 1296 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1297 /* Bzzzzzzztt .... Operation complete. */ 1298 sd->state = sd_transfer_state; 1299 return sd_r1b; 1300 1301 default: 1302 break; 1303 } 1304 break; 1305 1306 case 29: /* CMD29: CLR_WRITE_PROT */ 1307 switch (sd->state) { 1308 case sd_transfer_state: 1309 if (addr >= sd->size) { 1310 sd->card_status |= ADDRESS_ERROR; 1311 return sd_r1b; 1312 } 1313 1314 sd->state = sd_programming_state; 1315 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1316 /* Bzzzzzzztt .... Operation complete. */ 1317 sd->state = sd_transfer_state; 1318 return sd_r1b; 1319 1320 default: 1321 break; 1322 } 1323 break; 1324 1325 case 30: /* CMD30: SEND_WRITE_PROT */ 1326 switch (sd->state) { 1327 case sd_transfer_state: 1328 sd->state = sd_sendingdata_state; 1329 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg); 1330 sd->data_start = addr; 1331 sd->data_offset = 0; 1332 return sd_r1b; 1333 1334 default: 1335 break; 1336 } 1337 break; 1338 1339 /* Erase commands (Class 5) */ 1340 case 32: /* CMD32: ERASE_WR_BLK_START */ 1341 switch (sd->state) { 1342 case sd_transfer_state: 1343 sd->erase_start = req.arg; 1344 return sd_r1; 1345 1346 default: 1347 break; 1348 } 1349 break; 1350 1351 case 33: /* CMD33: ERASE_WR_BLK_END */ 1352 switch (sd->state) { 1353 case sd_transfer_state: 1354 sd->erase_end = req.arg; 1355 return sd_r1; 1356 1357 default: 1358 break; 1359 } 1360 break; 1361 1362 case 38: /* CMD38: ERASE */ 1363 switch (sd->state) { 1364 case sd_transfer_state: 1365 if (sd->csd[14] & 0x30) { 1366 sd->card_status |= WP_VIOLATION; 1367 return sd_r1b; 1368 } 1369 1370 sd->state = sd_programming_state; 1371 sd_erase(sd); 1372 /* Bzzzzzzztt .... Operation complete. */ 1373 sd->state = sd_transfer_state; 1374 return sd_r1b; 1375 1376 default: 1377 break; 1378 } 1379 break; 1380 1381 /* Lock card commands (Class 7) */ 1382 case 42: /* CMD42: LOCK_UNLOCK */ 1383 switch (sd->state) { 1384 case sd_transfer_state: 1385 sd->state = sd_receivingdata_state; 1386 sd->data_start = 0; 1387 sd->data_offset = 0; 1388 return sd_r1; 1389 1390 default: 1391 break; 1392 } 1393 break; 1394 1395 case 52 ... 54: 1396 /* CMD52, CMD53, CMD54: reserved for SDIO cards 1397 * (see the SDIO Simplified Specification V2.0) 1398 * Handle as illegal command but do not complain 1399 * on stderr, as some OSes may use these in their 1400 * probing for presence of an SDIO card. 1401 */ 1402 return sd_illegal; 1403 1404 /* Application specific commands (Class 8) */ 1405 case 55: /* CMD55: APP_CMD */ 1406 switch (sd->state) { 1407 case sd_ready_state: 1408 case sd_identification_state: 1409 case sd_inactive_state: 1410 return sd_illegal; 1411 case sd_idle_state: 1412 if (rca) { 1413 qemu_log_mask(LOG_GUEST_ERROR, 1414 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1415 } 1416 default: 1417 break; 1418 } 1419 if (!sd->spi) { 1420 if (sd->rca != rca) { 1421 return sd_r0; 1422 } 1423 } 1424 sd->expecting_acmd = true; 1425 sd->card_status |= APP_CMD; 1426 return sd_r1; 1427 1428 case 56: /* CMD56: GEN_CMD */ 1429 switch (sd->state) { 1430 case sd_transfer_state: 1431 sd->data_offset = 0; 1432 if (req.arg & 1) 1433 sd->state = sd_sendingdata_state; 1434 else 1435 sd->state = sd_receivingdata_state; 1436 return sd_r1; 1437 1438 default: 1439 break; 1440 } 1441 break; 1442 1443 case 58: /* CMD58: READ_OCR (SPI) */ 1444 if (!sd->spi) { 1445 goto bad_cmd; 1446 } 1447 return sd_r3; 1448 1449 case 59: /* CMD59: CRC_ON_OFF (SPI) */ 1450 if (!sd->spi) { 1451 goto bad_cmd; 1452 } 1453 goto unimplemented_spi_cmd; 1454 1455 default: 1456 bad_cmd: 1457 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1458 return sd_illegal; 1459 1460 unimplemented_spi_cmd: 1461 /* Commands that are recognised but not yet implemented in SPI mode. */ 1462 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1463 req.cmd); 1464 return sd_illegal; 1465 } 1466 1467 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd); 1468 return sd_illegal; 1469 } 1470 1471 static sd_rsp_type_t sd_app_command(SDState *sd, 1472 SDRequest req) 1473 { 1474 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd), 1475 req.cmd, req.arg, sd_state_name(sd->state)); 1476 sd->card_status |= APP_CMD; 1477 switch (req.cmd) { 1478 case 6: /* ACMD6: SET_BUS_WIDTH */ 1479 if (sd->spi) { 1480 goto unimplemented_spi_cmd; 1481 } 1482 switch (sd->state) { 1483 case sd_transfer_state: 1484 sd->sd_status[0] &= 0x3f; 1485 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1486 return sd_r1; 1487 1488 default: 1489 break; 1490 } 1491 break; 1492 1493 case 13: /* ACMD13: SD_STATUS */ 1494 switch (sd->state) { 1495 case sd_transfer_state: 1496 sd->state = sd_sendingdata_state; 1497 sd->data_start = 0; 1498 sd->data_offset = 0; 1499 return sd_r1; 1500 1501 default: 1502 break; 1503 } 1504 break; 1505 1506 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1507 switch (sd->state) { 1508 case sd_transfer_state: 1509 *(uint32_t *) sd->data = sd->blk_written; 1510 1511 sd->state = sd_sendingdata_state; 1512 sd->data_start = 0; 1513 sd->data_offset = 0; 1514 return sd_r1; 1515 1516 default: 1517 break; 1518 } 1519 break; 1520 1521 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */ 1522 switch (sd->state) { 1523 case sd_transfer_state: 1524 return sd_r1; 1525 1526 default: 1527 break; 1528 } 1529 break; 1530 1531 case 41: /* ACMD41: SD_APP_OP_COND */ 1532 if (sd->spi) { 1533 /* SEND_OP_CMD */ 1534 sd->state = sd_transfer_state; 1535 return sd_r1; 1536 } 1537 if (sd->state != sd_idle_state) { 1538 break; 1539 } 1540 /* If it's the first ACMD41 since reset, we need to decide 1541 * whether to power up. If this is not an enquiry ACMD41, 1542 * we immediately report power on and proceed below to the 1543 * ready state, but if it is, we set a timer to model a 1544 * delay for power up. This works around a bug in EDK2 1545 * UEFI, which sends an initial enquiry ACMD41, but 1546 * assumes that the card is in ready state as soon as it 1547 * sees the power up bit set. */ 1548 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1549 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1550 timer_del(sd->ocr_power_timer); 1551 sd_ocr_powerup(sd); 1552 } else { 1553 trace_sdcard_inquiry_cmd41(); 1554 if (!timer_pending(sd->ocr_power_timer)) { 1555 timer_mod_ns(sd->ocr_power_timer, 1556 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1557 + OCR_POWER_DELAY_NS)); 1558 } 1559 } 1560 } 1561 1562 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1563 /* We accept any voltage. 10000 V is nothing. 1564 * 1565 * Once we're powered up, we advance straight to ready state 1566 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1567 */ 1568 sd->state = sd_ready_state; 1569 } 1570 1571 return sd_r3; 1572 1573 case 42: /* ACMD42: SET_CLR_CARD_DETECT */ 1574 switch (sd->state) { 1575 case sd_transfer_state: 1576 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1577 return sd_r1; 1578 1579 default: 1580 break; 1581 } 1582 break; 1583 1584 case 51: /* ACMD51: SEND_SCR */ 1585 switch (sd->state) { 1586 case sd_transfer_state: 1587 sd->state = sd_sendingdata_state; 1588 sd->data_start = 0; 1589 sd->data_offset = 0; 1590 return sd_r1; 1591 1592 default: 1593 break; 1594 } 1595 break; 1596 1597 case 18: /* Reserved for SD security applications */ 1598 case 25: 1599 case 26: 1600 case 38: 1601 case 43 ... 49: 1602 /* Refer to the "SD Specifications Part3 Security Specification" for 1603 * information about the SD Security Features. 1604 */ 1605 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 1606 req.cmd); 1607 return sd_illegal; 1608 1609 default: 1610 /* Fall back to standard commands. */ 1611 return sd_normal_command(sd, req); 1612 1613 unimplemented_spi_cmd: 1614 /* Commands that are recognised but not yet implemented in SPI mode. */ 1615 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1616 req.cmd); 1617 return sd_illegal; 1618 } 1619 1620 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1621 return sd_illegal; 1622 } 1623 1624 static int cmd_valid_while_locked(SDState *sd, SDRequest *req) 1625 { 1626 /* Valid commands in locked state: 1627 * basic class (0) 1628 * lock card class (7) 1629 * CMD16 1630 * implicitly, the ACMD prefix CMD55 1631 * ACMD41 and ACMD42 1632 * Anything else provokes an "illegal command" response. 1633 */ 1634 if (sd->expecting_acmd) { 1635 return req->cmd == 41 || req->cmd == 42; 1636 } 1637 if (req->cmd == 16 || req->cmd == 55) { 1638 return 1; 1639 } 1640 return sd_cmd_class[req->cmd] == 0 1641 || sd_cmd_class[req->cmd] == 7; 1642 } 1643 1644 int sd_do_command(SDState *sd, SDRequest *req, 1645 uint8_t *response) { 1646 int last_state; 1647 sd_rsp_type_t rtype; 1648 int rsplen; 1649 1650 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1651 return 0; 1652 } 1653 1654 if (sd_req_crc_validate(req)) { 1655 sd->card_status |= COM_CRC_ERROR; 1656 rtype = sd_illegal; 1657 goto send_response; 1658 } 1659 1660 if (req->cmd >= SDMMC_CMD_MAX) { 1661 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 1662 req->cmd); 1663 req->cmd &= 0x3f; 1664 } 1665 1666 if (sd->card_status & CARD_IS_LOCKED) { 1667 if (!cmd_valid_while_locked(sd, req)) { 1668 sd->card_status |= ILLEGAL_COMMAND; 1669 sd->expecting_acmd = false; 1670 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1671 rtype = sd_illegal; 1672 goto send_response; 1673 } 1674 } 1675 1676 last_state = sd->state; 1677 sd_set_mode(sd); 1678 1679 if (sd->expecting_acmd) { 1680 sd->expecting_acmd = false; 1681 rtype = sd_app_command(sd, *req); 1682 } else { 1683 rtype = sd_normal_command(sd, *req); 1684 } 1685 1686 if (rtype == sd_illegal) { 1687 sd->card_status |= ILLEGAL_COMMAND; 1688 } else { 1689 /* Valid command, we can update the 'state before command' bits. 1690 * (Do this now so they appear in r1 responses.) 1691 */ 1692 sd->current_cmd = req->cmd; 1693 sd->card_status &= ~CURRENT_STATE; 1694 sd->card_status |= (last_state << 9); 1695 } 1696 1697 send_response: 1698 switch (rtype) { 1699 case sd_r1: 1700 case sd_r1b: 1701 sd_response_r1_make(sd, response); 1702 rsplen = 4; 1703 break; 1704 1705 case sd_r2_i: 1706 memcpy(response, sd->cid, sizeof(sd->cid)); 1707 rsplen = 16; 1708 break; 1709 1710 case sd_r2_s: 1711 memcpy(response, sd->csd, sizeof(sd->csd)); 1712 rsplen = 16; 1713 break; 1714 1715 case sd_r3: 1716 sd_response_r3_make(sd, response); 1717 rsplen = 4; 1718 break; 1719 1720 case sd_r6: 1721 sd_response_r6_make(sd, response); 1722 rsplen = 4; 1723 break; 1724 1725 case sd_r7: 1726 sd_response_r7_make(sd, response); 1727 rsplen = 4; 1728 break; 1729 1730 case sd_r0: 1731 case sd_illegal: 1732 rsplen = 0; 1733 break; 1734 default: 1735 g_assert_not_reached(); 1736 } 1737 trace_sdcard_response(sd_response_name(rtype), rsplen); 1738 1739 if (rtype != sd_illegal) { 1740 /* Clear the "clear on valid command" status bits now we've 1741 * sent any response 1742 */ 1743 sd->card_status &= ~CARD_STATUS_B; 1744 } 1745 1746 #ifdef DEBUG_SD 1747 qemu_hexdump((const char *)response, stderr, "Response", rsplen); 1748 #endif 1749 1750 return rsplen; 1751 } 1752 1753 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 1754 { 1755 trace_sdcard_read_block(addr, len); 1756 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) { 1757 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1758 } 1759 } 1760 1761 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 1762 { 1763 trace_sdcard_write_block(addr, len); 1764 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) { 1765 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1766 } 1767 } 1768 1769 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len) 1770 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len) 1771 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 1772 #define APP_WRITE_BLOCK(a, len) 1773 1774 void sd_write_data(SDState *sd, uint8_t value) 1775 { 1776 int i; 1777 1778 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1779 return; 1780 1781 if (sd->state != sd_receivingdata_state) { 1782 qemu_log_mask(LOG_GUEST_ERROR, 1783 "sd_write_data: not in Receiving-Data state\n"); 1784 return; 1785 } 1786 1787 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1788 return; 1789 1790 trace_sdcard_write_data(sd->proto_name, 1791 sd_acmd_name(sd->current_cmd), 1792 sd->current_cmd, value); 1793 switch (sd->current_cmd) { 1794 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1795 sd->data[sd->data_offset ++] = value; 1796 if (sd->data_offset >= sd->blk_len) { 1797 /* TODO: Check CRC before committing */ 1798 sd->state = sd_programming_state; 1799 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1800 sd->blk_written ++; 1801 sd->csd[14] |= 0x40; 1802 /* Bzzzzzzztt .... Operation complete. */ 1803 sd->state = sd_transfer_state; 1804 } 1805 break; 1806 1807 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1808 if (sd->data_offset == 0) { 1809 /* Start of the block - let's check the address is valid */ 1810 if (sd->data_start + sd->blk_len > sd->size) { 1811 sd->card_status |= ADDRESS_ERROR; 1812 break; 1813 } 1814 if (sd_wp_addr(sd, sd->data_start)) { 1815 sd->card_status |= WP_VIOLATION; 1816 break; 1817 } 1818 } 1819 sd->data[sd->data_offset++] = value; 1820 if (sd->data_offset >= sd->blk_len) { 1821 /* TODO: Check CRC before committing */ 1822 sd->state = sd_programming_state; 1823 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1824 sd->blk_written++; 1825 sd->data_start += sd->blk_len; 1826 sd->data_offset = 0; 1827 sd->csd[14] |= 0x40; 1828 1829 /* Bzzzzzzztt .... Operation complete. */ 1830 if (sd->multi_blk_cnt != 0) { 1831 if (--sd->multi_blk_cnt == 0) { 1832 /* Stop! */ 1833 sd->state = sd_transfer_state; 1834 break; 1835 } 1836 } 1837 1838 sd->state = sd_receivingdata_state; 1839 } 1840 break; 1841 1842 case 26: /* CMD26: PROGRAM_CID */ 1843 sd->data[sd->data_offset ++] = value; 1844 if (sd->data_offset >= sizeof(sd->cid)) { 1845 /* TODO: Check CRC before committing */ 1846 sd->state = sd_programming_state; 1847 for (i = 0; i < sizeof(sd->cid); i ++) 1848 if ((sd->cid[i] | 0x00) != sd->data[i]) 1849 sd->card_status |= CID_CSD_OVERWRITE; 1850 1851 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1852 for (i = 0; i < sizeof(sd->cid); i ++) { 1853 sd->cid[i] |= 0x00; 1854 sd->cid[i] &= sd->data[i]; 1855 } 1856 /* Bzzzzzzztt .... Operation complete. */ 1857 sd->state = sd_transfer_state; 1858 } 1859 break; 1860 1861 case 27: /* CMD27: PROGRAM_CSD */ 1862 sd->data[sd->data_offset ++] = value; 1863 if (sd->data_offset >= sizeof(sd->csd)) { 1864 /* TODO: Check CRC before committing */ 1865 sd->state = sd_programming_state; 1866 for (i = 0; i < sizeof(sd->csd); i ++) 1867 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 1868 (sd->data[i] | sd_csd_rw_mask[i])) 1869 sd->card_status |= CID_CSD_OVERWRITE; 1870 1871 /* Copy flag (OTP) & Permanent write protect */ 1872 if (sd->csd[14] & ~sd->data[14] & 0x60) 1873 sd->card_status |= CID_CSD_OVERWRITE; 1874 1875 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1876 for (i = 0; i < sizeof(sd->csd); i ++) { 1877 sd->csd[i] |= sd_csd_rw_mask[i]; 1878 sd->csd[i] &= sd->data[i]; 1879 } 1880 /* Bzzzzzzztt .... Operation complete. */ 1881 sd->state = sd_transfer_state; 1882 } 1883 break; 1884 1885 case 42: /* CMD42: LOCK_UNLOCK */ 1886 sd->data[sd->data_offset ++] = value; 1887 if (sd->data_offset >= sd->blk_len) { 1888 /* TODO: Check CRC before committing */ 1889 sd->state = sd_programming_state; 1890 sd_lock_command(sd); 1891 /* Bzzzzzzztt .... Operation complete. */ 1892 sd->state = sd_transfer_state; 1893 } 1894 break; 1895 1896 case 56: /* CMD56: GEN_CMD */ 1897 sd->data[sd->data_offset ++] = value; 1898 if (sd->data_offset >= sd->blk_len) { 1899 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 1900 sd->state = sd_transfer_state; 1901 } 1902 break; 1903 1904 default: 1905 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n"); 1906 break; 1907 } 1908 } 1909 1910 #define SD_TUNING_BLOCK_SIZE 64 1911 1912 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = { 1913 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */ 1914 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 1915 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 1916 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 1917 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 1918 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 1919 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 1920 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 1921 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde, 1922 }; 1923 1924 uint8_t sd_read_data(SDState *sd) 1925 { 1926 /* TODO: Append CRCs */ 1927 uint8_t ret; 1928 int io_len; 1929 1930 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1931 return 0x00; 1932 1933 if (sd->state != sd_sendingdata_state) { 1934 qemu_log_mask(LOG_GUEST_ERROR, 1935 "sd_read_data: not in Sending-Data state\n"); 1936 return 0x00; 1937 } 1938 1939 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1940 return 0x00; 1941 1942 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len; 1943 1944 trace_sdcard_read_data(sd->proto_name, 1945 sd_acmd_name(sd->current_cmd), 1946 sd->current_cmd, io_len); 1947 switch (sd->current_cmd) { 1948 case 6: /* CMD6: SWITCH_FUNCTION */ 1949 ret = sd->data[sd->data_offset ++]; 1950 1951 if (sd->data_offset >= 64) 1952 sd->state = sd_transfer_state; 1953 break; 1954 1955 case 9: /* CMD9: SEND_CSD */ 1956 case 10: /* CMD10: SEND_CID */ 1957 ret = sd->data[sd->data_offset ++]; 1958 1959 if (sd->data_offset >= 16) 1960 sd->state = sd_transfer_state; 1961 break; 1962 1963 case 13: /* ACMD13: SD_STATUS */ 1964 ret = sd->sd_status[sd->data_offset ++]; 1965 1966 if (sd->data_offset >= sizeof(sd->sd_status)) 1967 sd->state = sd_transfer_state; 1968 break; 1969 1970 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1971 if (sd->data_offset == 0) 1972 BLK_READ_BLOCK(sd->data_start, io_len); 1973 ret = sd->data[sd->data_offset ++]; 1974 1975 if (sd->data_offset >= io_len) 1976 sd->state = sd_transfer_state; 1977 break; 1978 1979 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1980 if (sd->data_offset == 0) { 1981 if (sd->data_start + io_len > sd->size) { 1982 sd->card_status |= ADDRESS_ERROR; 1983 return 0x00; 1984 } 1985 BLK_READ_BLOCK(sd->data_start, io_len); 1986 } 1987 ret = sd->data[sd->data_offset ++]; 1988 1989 if (sd->data_offset >= io_len) { 1990 sd->data_start += io_len; 1991 sd->data_offset = 0; 1992 1993 if (sd->multi_blk_cnt != 0) { 1994 if (--sd->multi_blk_cnt == 0) { 1995 /* Stop! */ 1996 sd->state = sd_transfer_state; 1997 break; 1998 } 1999 } 2000 } 2001 break; 2002 2003 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2004 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) { 2005 sd->state = sd_transfer_state; 2006 } 2007 ret = sd_tuning_block_pattern[sd->data_offset++]; 2008 break; 2009 2010 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2011 ret = sd->data[sd->data_offset ++]; 2012 2013 if (sd->data_offset >= 4) 2014 sd->state = sd_transfer_state; 2015 break; 2016 2017 case 30: /* CMD30: SEND_WRITE_PROT */ 2018 ret = sd->data[sd->data_offset ++]; 2019 2020 if (sd->data_offset >= 4) 2021 sd->state = sd_transfer_state; 2022 break; 2023 2024 case 51: /* ACMD51: SEND_SCR */ 2025 ret = sd->scr[sd->data_offset ++]; 2026 2027 if (sd->data_offset >= sizeof(sd->scr)) 2028 sd->state = sd_transfer_state; 2029 break; 2030 2031 case 56: /* CMD56: GEN_CMD */ 2032 if (sd->data_offset == 0) 2033 APP_READ_BLOCK(sd->data_start, sd->blk_len); 2034 ret = sd->data[sd->data_offset ++]; 2035 2036 if (sd->data_offset >= sd->blk_len) 2037 sd->state = sd_transfer_state; 2038 break; 2039 2040 default: 2041 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n"); 2042 return 0x00; 2043 } 2044 2045 return ret; 2046 } 2047 2048 bool sd_data_ready(SDState *sd) 2049 { 2050 return sd->state == sd_sendingdata_state; 2051 } 2052 2053 void sd_enable(SDState *sd, bool enable) 2054 { 2055 sd->enable = enable; 2056 } 2057 2058 static void sd_instance_init(Object *obj) 2059 { 2060 SDState *sd = SD_CARD(obj); 2061 2062 sd->enable = true; 2063 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2064 } 2065 2066 static void sd_instance_finalize(Object *obj) 2067 { 2068 SDState *sd = SD_CARD(obj); 2069 2070 timer_del(sd->ocr_power_timer); 2071 timer_free(sd->ocr_power_timer); 2072 } 2073 2074 static void sd_realize(DeviceState *dev, Error **errp) 2075 { 2076 SDState *sd = SD_CARD(dev); 2077 int ret; 2078 2079 sd->proto_name = sd->spi ? "SPI" : "SD"; 2080 2081 switch (sd->spec_version) { 2082 case SD_PHY_SPECv1_10_VERS 2083 ... SD_PHY_SPECv3_01_VERS: 2084 break; 2085 default: 2086 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2087 return; 2088 } 2089 2090 if (sd->blk && blk_is_read_only(sd->blk)) { 2091 error_setg(errp, "Cannot use read-only drive as SD card"); 2092 return; 2093 } 2094 2095 if (sd->blk) { 2096 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2097 BLK_PERM_ALL, errp); 2098 if (ret < 0) { 2099 return; 2100 } 2101 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2102 } 2103 } 2104 2105 static Property sd_properties[] = { 2106 DEFINE_PROP_UINT8("spec_version", SDState, 2107 spec_version, SD_PHY_SPECv2_00_VERS), 2108 DEFINE_PROP_DRIVE("drive", SDState, blk), 2109 /* We do not model the chip select pin, so allow the board to select 2110 * whether card should be in SSI or MMC/SD mode. It is also up to the 2111 * board to ensure that ssi transfers only occur when the chip select 2112 * is asserted. */ 2113 DEFINE_PROP_BOOL("spi", SDState, spi, false), 2114 DEFINE_PROP_END_OF_LIST() 2115 }; 2116 2117 static void sd_class_init(ObjectClass *klass, void *data) 2118 { 2119 DeviceClass *dc = DEVICE_CLASS(klass); 2120 SDCardClass *sc = SD_CARD_CLASS(klass); 2121 2122 dc->realize = sd_realize; 2123 dc->props = sd_properties; 2124 dc->vmsd = &sd_vmstate; 2125 dc->reset = sd_reset; 2126 dc->bus_type = TYPE_SD_BUS; 2127 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2128 2129 sc->set_voltage = sd_set_voltage; 2130 sc->get_dat_lines = sd_get_dat_lines; 2131 sc->get_cmd_line = sd_get_cmd_line; 2132 sc->do_command = sd_do_command; 2133 sc->write_data = sd_write_data; 2134 sc->read_data = sd_read_data; 2135 sc->data_ready = sd_data_ready; 2136 sc->enable = sd_enable; 2137 sc->get_inserted = sd_get_inserted; 2138 sc->get_readonly = sd_get_readonly; 2139 } 2140 2141 static const TypeInfo sd_info = { 2142 .name = TYPE_SD_CARD, 2143 .parent = TYPE_DEVICE, 2144 .instance_size = sizeof(SDState), 2145 .class_size = sizeof(SDCardClass), 2146 .class_init = sd_class_init, 2147 .instance_init = sd_instance_init, 2148 .instance_finalize = sd_instance_finalize, 2149 }; 2150 2151 static void sd_register_types(void) 2152 { 2153 type_register_static(&sd_info); 2154 } 2155 2156 type_init(sd_register_types) 2157