1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 2.00." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org> 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include "qemu/osdep.h" 34 #include "qemu/units.h" 35 #include "hw/qdev.h" 36 #include "hw/irq.h" 37 #include "hw/registerfields.h" 38 #include "sysemu/block-backend.h" 39 #include "hw/sd/sd.h" 40 #include "migration/vmstate.h" 41 #include "qapi/error.h" 42 #include "qemu/bitmap.h" 43 #include "hw/qdev-properties.h" 44 #include "qemu/error-report.h" 45 #include "qemu/timer.h" 46 #include "qemu/log.h" 47 #include "qemu/module.h" 48 #include "sdmmc-internal.h" 49 #include "trace.h" 50 51 //#define DEBUG_SD 1 52 53 typedef enum { 54 sd_r0 = 0, /* no response */ 55 sd_r1, /* normal response command */ 56 sd_r2_i, /* CID register */ 57 sd_r2_s, /* CSD register */ 58 sd_r3, /* OCR register */ 59 sd_r6 = 6, /* Published RCA response */ 60 sd_r7, /* Operating voltage */ 61 sd_r1b = -1, 62 sd_illegal = -2, 63 } sd_rsp_type_t; 64 65 enum SDCardModes { 66 sd_inactive, 67 sd_card_identification_mode, 68 sd_data_transfer_mode, 69 }; 70 71 enum SDCardStates { 72 sd_inactive_state = -1, 73 sd_idle_state = 0, 74 sd_ready_state, 75 sd_identification_state, 76 sd_standby_state, 77 sd_transfer_state, 78 sd_sendingdata_state, 79 sd_receivingdata_state, 80 sd_programming_state, 81 sd_disconnect_state, 82 }; 83 84 struct SDState { 85 DeviceState parent_obj; 86 87 /* SD Memory Card Registers */ 88 uint32_t ocr; 89 uint8_t scr[8]; 90 uint8_t cid[16]; 91 uint8_t csd[16]; 92 uint16_t rca; 93 uint32_t card_status; 94 uint8_t sd_status[64]; 95 96 /* Configurable properties */ 97 uint8_t spec_version; 98 BlockBackend *blk; 99 bool spi; 100 101 uint32_t mode; /* current card mode, one of SDCardModes */ 102 int32_t state; /* current card state, one of SDCardStates */ 103 uint32_t vhs; 104 bool wp_switch; 105 unsigned long *wp_groups; 106 int32_t wpgrps_size; 107 uint64_t size; 108 uint32_t blk_len; 109 uint32_t multi_blk_cnt; 110 uint32_t erase_start; 111 uint32_t erase_end; 112 uint8_t pwd[16]; 113 uint32_t pwd_len; 114 uint8_t function_group[6]; 115 uint8_t current_cmd; 116 /* True if we will handle the next command as an ACMD. Note that this does 117 * *not* track the APP_CMD status bit! 118 */ 119 bool expecting_acmd; 120 uint32_t blk_written; 121 uint64_t data_start; 122 uint32_t data_offset; 123 uint8_t data[512]; 124 qemu_irq readonly_cb; 125 qemu_irq inserted_cb; 126 QEMUTimer *ocr_power_timer; 127 const char *proto_name; 128 bool enable; 129 uint8_t dat_lines; 130 bool cmd_line; 131 }; 132 133 static const char *sd_state_name(enum SDCardStates state) 134 { 135 static const char *state_name[] = { 136 [sd_idle_state] = "idle", 137 [sd_ready_state] = "ready", 138 [sd_identification_state] = "identification", 139 [sd_standby_state] = "standby", 140 [sd_transfer_state] = "transfer", 141 [sd_sendingdata_state] = "sendingdata", 142 [sd_receivingdata_state] = "receivingdata", 143 [sd_programming_state] = "programming", 144 [sd_disconnect_state] = "disconnect", 145 }; 146 if (state == sd_inactive_state) { 147 return "inactive"; 148 } 149 assert(state < ARRAY_SIZE(state_name)); 150 return state_name[state]; 151 } 152 153 static const char *sd_response_name(sd_rsp_type_t rsp) 154 { 155 static const char *response_name[] = { 156 [sd_r0] = "RESP#0 (no response)", 157 [sd_r1] = "RESP#1 (normal cmd)", 158 [sd_r2_i] = "RESP#2 (CID reg)", 159 [sd_r2_s] = "RESP#2 (CSD reg)", 160 [sd_r3] = "RESP#3 (OCR reg)", 161 [sd_r6] = "RESP#6 (RCA)", 162 [sd_r7] = "RESP#7 (operating voltage)", 163 }; 164 if (rsp == sd_illegal) { 165 return "ILLEGAL RESP"; 166 } 167 if (rsp == sd_r1b) { 168 rsp = sd_r1; 169 } 170 assert(rsp < ARRAY_SIZE(response_name)); 171 return response_name[rsp]; 172 } 173 174 static uint8_t sd_get_dat_lines(SDState *sd) 175 { 176 return sd->enable ? sd->dat_lines : 0; 177 } 178 179 static bool sd_get_cmd_line(SDState *sd) 180 { 181 return sd->enable ? sd->cmd_line : false; 182 } 183 184 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 185 { 186 trace_sdcard_set_voltage(millivolts); 187 188 switch (millivolts) { 189 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 190 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 191 break; 192 default: 193 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 194 millivolts / 1000.f); 195 } 196 } 197 198 static void sd_set_mode(SDState *sd) 199 { 200 switch (sd->state) { 201 case sd_inactive_state: 202 sd->mode = sd_inactive; 203 break; 204 205 case sd_idle_state: 206 case sd_ready_state: 207 case sd_identification_state: 208 sd->mode = sd_card_identification_mode; 209 break; 210 211 case sd_standby_state: 212 case sd_transfer_state: 213 case sd_sendingdata_state: 214 case sd_receivingdata_state: 215 case sd_programming_state: 216 case sd_disconnect_state: 217 sd->mode = sd_data_transfer_mode; 218 break; 219 } 220 } 221 222 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = { 223 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac, 224 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac, 225 /* 16 */ 226 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, 227 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none, 228 /* 32 */ 229 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none, 230 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none, 231 /* 48 */ 232 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, 233 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, 234 }; 235 236 static const int sd_cmd_class[SDMMC_CMD_MAX] = { 237 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 238 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6, 239 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7, 240 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8, 241 }; 242 243 static uint8_t sd_crc7(void *message, size_t width) 244 { 245 int i, bit; 246 uint8_t shift_reg = 0x00; 247 uint8_t *msg = (uint8_t *) message; 248 249 for (i = 0; i < width; i ++, msg ++) 250 for (bit = 7; bit >= 0; bit --) { 251 shift_reg <<= 1; 252 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 253 shift_reg ^= 0x89; 254 } 255 256 return shift_reg; 257 } 258 259 static uint16_t sd_crc16(void *message, size_t width) 260 { 261 int i, bit; 262 uint16_t shift_reg = 0x0000; 263 uint16_t *msg = (uint16_t *) message; 264 width <<= 1; 265 266 for (i = 0; i < width; i ++, msg ++) 267 for (bit = 15; bit >= 0; bit --) { 268 shift_reg <<= 1; 269 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1)) 270 shift_reg ^= 0x1011; 271 } 272 273 return shift_reg; 274 } 275 276 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 277 278 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 279 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 280 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 281 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 282 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 283 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 284 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 285 FIELD(OCR, CARD_POWER_UP, 31, 1) 286 287 #define ACMD41_ENQUIRY_MASK 0x00ffffff 288 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 289 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 290 | R_OCR_UHS_II_CARD_MASK \ 291 | R_OCR_CARD_CAPACITY_MASK \ 292 | R_OCR_CARD_POWER_UP_MASK) 293 294 static void sd_set_ocr(SDState *sd) 295 { 296 /* All voltages OK */ 297 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 298 } 299 300 static void sd_ocr_powerup(void *opaque) 301 { 302 SDState *sd = opaque; 303 304 trace_sdcard_powerup(); 305 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 306 307 /* card power-up OK */ 308 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 309 310 if (sd->size > 1 * GiB) { 311 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 312 } 313 } 314 315 static void sd_set_scr(SDState *sd) 316 { 317 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */ 318 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) { 319 sd->scr[0] |= 1; /* Spec Version 1.10 */ 320 } else { 321 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */ 322 } 323 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 324 | 0b0101; /* 1-bit or 4-bit width bus modes */ 325 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 326 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) { 327 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */ 328 } 329 sd->scr[3] = 0x00; 330 /* reserved for manufacturer usage */ 331 sd->scr[4] = 0x00; 332 sd->scr[5] = 0x00; 333 sd->scr[6] = 0x00; 334 sd->scr[7] = 0x00; 335 } 336 337 #define MID 0xaa 338 #define OID "XY" 339 #define PNM "QEMU!" 340 #define PRV 0x01 341 #define MDT_YR 2006 342 #define MDT_MON 2 343 344 static void sd_set_cid(SDState *sd) 345 { 346 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 347 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 348 sd->cid[2] = OID[1]; 349 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 350 sd->cid[4] = PNM[1]; 351 sd->cid[5] = PNM[2]; 352 sd->cid[6] = PNM[3]; 353 sd->cid[7] = PNM[4]; 354 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 355 sd->cid[9] = 0xde; /* Fake serial number (PSN) */ 356 sd->cid[10] = 0xad; 357 sd->cid[11] = 0xbe; 358 sd->cid[12] = 0xef; 359 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 360 ((MDT_YR - 2000) / 10); 361 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 362 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 363 } 364 365 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 366 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 367 #define WPGROUP_SHIFT 7 /* 2 megs */ 368 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 369 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 370 371 static const uint8_t sd_csd_rw_mask[16] = { 372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 373 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 374 }; 375 376 static void sd_set_csd(SDState *sd, uint64_t size) 377 { 378 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1; 379 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 380 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 381 382 if (size <= 1 * GiB) { /* Standard Capacity SD */ 383 sd->csd[0] = 0x00; /* CSD structure */ 384 sd->csd[1] = 0x26; /* Data read access-time-1 */ 385 sd->csd[2] = 0x00; /* Data read access-time-2 */ 386 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 387 sd->csd[4] = 0x5f; /* Card Command Classes */ 388 sd->csd[5] = 0x50 | /* Max. read data block length */ 389 HWBLOCK_SHIFT; 390 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 391 ((csize >> 10) & 0x03); 392 sd->csd[7] = 0x00 | /* Device size */ 393 ((csize >> 2) & 0xff); 394 sd->csd[8] = 0x3f | /* Max. read current */ 395 ((csize << 6) & 0xc0); 396 sd->csd[9] = 0xfc | /* Max. write current */ 397 ((CMULT_SHIFT - 2) >> 1); 398 sd->csd[10] = 0x40 | /* Erase sector size */ 399 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 400 sd->csd[11] = 0x00 | /* Write protect group size */ 401 ((sectsize << 7) & 0x80) | wpsize; 402 sd->csd[12] = 0x90 | /* Write speed factor */ 403 (HWBLOCK_SHIFT >> 2); 404 sd->csd[13] = 0x20 | /* Max. write data block length */ 405 ((HWBLOCK_SHIFT << 6) & 0xc0); 406 sd->csd[14] = 0x00; /* File format group */ 407 } else { /* SDHC */ 408 size /= 512 * KiB; 409 size -= 1; 410 sd->csd[0] = 0x40; 411 sd->csd[1] = 0x0e; 412 sd->csd[2] = 0x00; 413 sd->csd[3] = 0x32; 414 sd->csd[4] = 0x5b; 415 sd->csd[5] = 0x59; 416 sd->csd[6] = 0x00; 417 sd->csd[7] = (size >> 16) & 0xff; 418 sd->csd[8] = (size >> 8) & 0xff; 419 sd->csd[9] = (size & 0xff); 420 sd->csd[10] = 0x7f; 421 sd->csd[11] = 0x80; 422 sd->csd[12] = 0x0a; 423 sd->csd[13] = 0x40; 424 sd->csd[14] = 0x00; 425 } 426 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 427 } 428 429 static void sd_set_rca(SDState *sd) 430 { 431 sd->rca += 0x4567; 432 } 433 434 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 435 FIELD(CSR, APP_CMD, 5, 1) 436 FIELD(CSR, FX_EVENT, 6, 1) 437 FIELD(CSR, READY_FOR_DATA, 8, 1) 438 FIELD(CSR, CURRENT_STATE, 9, 4) 439 FIELD(CSR, ERASE_RESET, 13, 1) 440 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 441 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 442 FIELD(CSR, CSD_OVERWRITE, 16, 1) 443 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 444 FIELD(CSR, ERROR, 19, 1) 445 FIELD(CSR, CC_ERROR, 20, 1) 446 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 447 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 448 FIELD(CSR, COM_CRC_ERROR, 23, 1) 449 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 450 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 451 FIELD(CSR, WP_VIOLATION, 26, 1) 452 FIELD(CSR, ERASE_PARAM, 27, 1) 453 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 454 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 455 FIELD(CSR, ADDRESS_ERROR, 30, 1) 456 FIELD(CSR, OUT_OF_RANGE, 31, 1) 457 458 /* Card status bits, split by clear condition: 459 * A : According to the card current state 460 * B : Always related to the previous command 461 * C : Cleared by read 462 */ 463 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 464 | R_CSR_CARD_ECC_DISABLED_MASK \ 465 | R_CSR_CARD_IS_LOCKED_MASK) 466 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 467 | R_CSR_ILLEGAL_COMMAND_MASK \ 468 | R_CSR_COM_CRC_ERROR_MASK) 469 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 470 | R_CSR_APP_CMD_MASK \ 471 | R_CSR_ERASE_RESET_MASK \ 472 | R_CSR_WP_ERASE_SKIP_MASK \ 473 | R_CSR_CSD_OVERWRITE_MASK \ 474 | R_CSR_ERROR_MASK \ 475 | R_CSR_CC_ERROR_MASK \ 476 | R_CSR_CARD_ECC_FAILED_MASK \ 477 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 478 | R_CSR_WP_VIOLATION_MASK \ 479 | R_CSR_ERASE_PARAM_MASK \ 480 | R_CSR_ERASE_SEQ_ERROR_MASK \ 481 | R_CSR_BLOCK_LEN_ERROR_MASK \ 482 | R_CSR_ADDRESS_ERROR_MASK \ 483 | R_CSR_OUT_OF_RANGE_MASK) 484 485 static void sd_set_cardstatus(SDState *sd) 486 { 487 sd->card_status = 0x00000100; 488 } 489 490 static void sd_set_sdstatus(SDState *sd) 491 { 492 memset(sd->sd_status, 0, 64); 493 } 494 495 static int sd_req_crc_validate(SDRequest *req) 496 { 497 uint8_t buffer[5]; 498 buffer[0] = 0x40 | req->cmd; 499 stl_be_p(&buffer[1], req->arg); 500 return 0; 501 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 502 } 503 504 static void sd_response_r1_make(SDState *sd, uint8_t *response) 505 { 506 stl_be_p(response, sd->card_status); 507 508 /* Clear the "clear on read" status bits */ 509 sd->card_status &= ~CARD_STATUS_C; 510 } 511 512 static void sd_response_r3_make(SDState *sd, uint8_t *response) 513 { 514 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 515 } 516 517 static void sd_response_r6_make(SDState *sd, uint8_t *response) 518 { 519 uint16_t status; 520 521 status = ((sd->card_status >> 8) & 0xc000) | 522 ((sd->card_status >> 6) & 0x2000) | 523 (sd->card_status & 0x1fff); 524 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 525 stw_be_p(response + 0, sd->rca); 526 stw_be_p(response + 2, status); 527 } 528 529 static void sd_response_r7_make(SDState *sd, uint8_t *response) 530 { 531 stl_be_p(response, sd->vhs); 532 } 533 534 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 535 { 536 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 537 } 538 539 static void sd_reset(DeviceState *dev) 540 { 541 SDState *sd = SD_CARD(dev); 542 uint64_t size; 543 uint64_t sect; 544 545 trace_sdcard_reset(); 546 if (sd->blk) { 547 blk_get_geometry(sd->blk, §); 548 } else { 549 sect = 0; 550 } 551 size = sect << 9; 552 553 sect = sd_addr_to_wpnum(size) + 1; 554 555 sd->state = sd_idle_state; 556 sd->rca = 0x0000; 557 sd_set_ocr(sd); 558 sd_set_scr(sd); 559 sd_set_cid(sd); 560 sd_set_csd(sd, size); 561 sd_set_cardstatus(sd); 562 sd_set_sdstatus(sd); 563 564 g_free(sd->wp_groups); 565 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false; 566 sd->wpgrps_size = sect; 567 sd->wp_groups = bitmap_new(sd->wpgrps_size); 568 memset(sd->function_group, 0, sizeof(sd->function_group)); 569 sd->erase_start = 0; 570 sd->erase_end = 0; 571 sd->size = size; 572 sd->blk_len = 0x200; 573 sd->pwd_len = 0; 574 sd->expecting_acmd = false; 575 sd->dat_lines = 0xf; 576 sd->cmd_line = true; 577 sd->multi_blk_cnt = 0; 578 } 579 580 static bool sd_get_inserted(SDState *sd) 581 { 582 return sd->blk && blk_is_inserted(sd->blk); 583 } 584 585 static bool sd_get_readonly(SDState *sd) 586 { 587 return sd->wp_switch; 588 } 589 590 static void sd_cardchange(void *opaque, bool load, Error **errp) 591 { 592 SDState *sd = opaque; 593 DeviceState *dev = DEVICE(sd); 594 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev)); 595 bool inserted = sd_get_inserted(sd); 596 bool readonly = sd_get_readonly(sd); 597 598 if (inserted) { 599 trace_sdcard_inserted(readonly); 600 sd_reset(dev); 601 } else { 602 trace_sdcard_ejected(); 603 } 604 605 /* The IRQ notification is for legacy non-QOM SD controller devices; 606 * QOMified controllers use the SDBus APIs. 607 */ 608 if (sdbus) { 609 sdbus_set_inserted(sdbus, inserted); 610 if (inserted) { 611 sdbus_set_readonly(sdbus, readonly); 612 } 613 } else { 614 qemu_set_irq(sd->inserted_cb, inserted); 615 if (inserted) { 616 qemu_set_irq(sd->readonly_cb, readonly); 617 } 618 } 619 } 620 621 static const BlockDevOps sd_block_ops = { 622 .change_media_cb = sd_cardchange, 623 }; 624 625 static bool sd_ocr_vmstate_needed(void *opaque) 626 { 627 SDState *sd = opaque; 628 629 /* Include the OCR state (and timer) if it is not yet powered up */ 630 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 631 } 632 633 static const VMStateDescription sd_ocr_vmstate = { 634 .name = "sd-card/ocr-state", 635 .version_id = 1, 636 .minimum_version_id = 1, 637 .needed = sd_ocr_vmstate_needed, 638 .fields = (VMStateField[]) { 639 VMSTATE_UINT32(ocr, SDState), 640 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 641 VMSTATE_END_OF_LIST() 642 }, 643 }; 644 645 static int sd_vmstate_pre_load(void *opaque) 646 { 647 SDState *sd = opaque; 648 649 /* If the OCR state is not included (prior versions, or not 650 * needed), then the OCR must be set as powered up. If the OCR state 651 * is included, this will be replaced by the state restore. 652 */ 653 sd_ocr_powerup(sd); 654 655 return 0; 656 } 657 658 static const VMStateDescription sd_vmstate = { 659 .name = "sd-card", 660 .version_id = 1, 661 .minimum_version_id = 1, 662 .pre_load = sd_vmstate_pre_load, 663 .fields = (VMStateField[]) { 664 VMSTATE_UINT32(mode, SDState), 665 VMSTATE_INT32(state, SDState), 666 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 667 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 668 VMSTATE_UINT16(rca, SDState), 669 VMSTATE_UINT32(card_status, SDState), 670 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 671 VMSTATE_UINT32(vhs, SDState), 672 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size), 673 VMSTATE_UINT32(blk_len, SDState), 674 VMSTATE_UINT32(multi_blk_cnt, SDState), 675 VMSTATE_UINT32(erase_start, SDState), 676 VMSTATE_UINT32(erase_end, SDState), 677 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 678 VMSTATE_UINT32(pwd_len, SDState), 679 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 680 VMSTATE_UINT8(current_cmd, SDState), 681 VMSTATE_BOOL(expecting_acmd, SDState), 682 VMSTATE_UINT32(blk_written, SDState), 683 VMSTATE_UINT64(data_start, SDState), 684 VMSTATE_UINT32(data_offset, SDState), 685 VMSTATE_UINT8_ARRAY(data, SDState, 512), 686 VMSTATE_UNUSED_V(1, 512), 687 VMSTATE_BOOL(enable, SDState), 688 VMSTATE_END_OF_LIST() 689 }, 690 .subsections = (const VMStateDescription*[]) { 691 &sd_ocr_vmstate, 692 NULL 693 }, 694 }; 695 696 /* Legacy initialization function for use by non-qdevified callers */ 697 SDState *sd_init(BlockBackend *blk, bool is_spi) 698 { 699 Object *obj; 700 DeviceState *dev; 701 Error *err = NULL; 702 703 obj = object_new(TYPE_SD_CARD); 704 dev = DEVICE(obj); 705 qdev_prop_set_drive(dev, "drive", blk, &err); 706 if (err) { 707 error_report("sd_init failed: %s", error_get_pretty(err)); 708 return NULL; 709 } 710 qdev_prop_set_bit(dev, "spi", is_spi); 711 object_property_set_bool(obj, true, "realized", &err); 712 if (err) { 713 error_report("sd_init failed: %s", error_get_pretty(err)); 714 return NULL; 715 } 716 717 return SD_CARD(dev); 718 } 719 720 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 721 { 722 sd->readonly_cb = readonly; 723 sd->inserted_cb = insert; 724 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0); 725 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 726 } 727 728 static void sd_erase(SDState *sd) 729 { 730 int i; 731 uint64_t erase_start = sd->erase_start; 732 uint64_t erase_end = sd->erase_end; 733 734 trace_sdcard_erase(); 735 if (!sd->erase_start || !sd->erase_end) { 736 sd->card_status |= ERASE_SEQ_ERROR; 737 return; 738 } 739 740 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 741 /* High capacity memory card: erase units are 512 byte blocks */ 742 erase_start *= 512; 743 erase_end *= 512; 744 } 745 746 erase_start = sd_addr_to_wpnum(erase_start); 747 erase_end = sd_addr_to_wpnum(erase_end); 748 sd->erase_start = 0; 749 sd->erase_end = 0; 750 sd->csd[14] |= 0x40; 751 752 for (i = erase_start; i <= erase_end; i++) { 753 if (test_bit(i, sd->wp_groups)) { 754 sd->card_status |= WP_ERASE_SKIP; 755 } 756 } 757 } 758 759 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 760 { 761 uint32_t i, wpnum; 762 uint32_t ret = 0; 763 764 wpnum = sd_addr_to_wpnum(addr); 765 766 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 767 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { 768 ret |= (1 << i); 769 } 770 } 771 772 return ret; 773 } 774 775 static void sd_function_switch(SDState *sd, uint32_t arg) 776 { 777 int i, mode, new_func; 778 mode = !!(arg & 0x80000000); 779 780 sd->data[0] = 0x00; /* Maximum current consumption */ 781 sd->data[1] = 0x01; 782 sd->data[2] = 0x80; /* Supported group 6 functions */ 783 sd->data[3] = 0x01; 784 sd->data[4] = 0x80; /* Supported group 5 functions */ 785 sd->data[5] = 0x01; 786 sd->data[6] = 0x80; /* Supported group 4 functions */ 787 sd->data[7] = 0x01; 788 sd->data[8] = 0x80; /* Supported group 3 functions */ 789 sd->data[9] = 0x01; 790 sd->data[10] = 0x80; /* Supported group 2 functions */ 791 sd->data[11] = 0x43; 792 sd->data[12] = 0x80; /* Supported group 1 functions */ 793 sd->data[13] = 0x03; 794 for (i = 0; i < 6; i ++) { 795 new_func = (arg >> (i * 4)) & 0x0f; 796 if (mode && new_func != 0x0f) 797 sd->function_group[i] = new_func; 798 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4); 799 } 800 memset(&sd->data[17], 0, 47); 801 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64)); 802 } 803 804 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 805 { 806 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 807 } 808 809 static void sd_lock_command(SDState *sd) 810 { 811 int erase, lock, clr_pwd, set_pwd, pwd_len; 812 erase = !!(sd->data[0] & 0x08); 813 lock = sd->data[0] & 0x04; 814 clr_pwd = sd->data[0] & 0x02; 815 set_pwd = sd->data[0] & 0x01; 816 817 if (sd->blk_len > 1) 818 pwd_len = sd->data[1]; 819 else 820 pwd_len = 0; 821 822 if (lock) { 823 trace_sdcard_lock(); 824 } else { 825 trace_sdcard_unlock(); 826 } 827 if (erase) { 828 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 829 set_pwd || clr_pwd || lock || sd->wp_switch || 830 (sd->csd[14] & 0x20)) { 831 sd->card_status |= LOCK_UNLOCK_FAILED; 832 return; 833 } 834 bitmap_zero(sd->wp_groups, sd->wpgrps_size); 835 sd->csd[14] &= ~0x10; 836 sd->card_status &= ~CARD_IS_LOCKED; 837 sd->pwd_len = 0; 838 /* Erasing the entire card here! */ 839 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 840 return; 841 } 842 843 if (sd->blk_len < 2 + pwd_len || 844 pwd_len <= sd->pwd_len || 845 pwd_len > sd->pwd_len + 16) { 846 sd->card_status |= LOCK_UNLOCK_FAILED; 847 return; 848 } 849 850 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 851 sd->card_status |= LOCK_UNLOCK_FAILED; 852 return; 853 } 854 855 pwd_len -= sd->pwd_len; 856 if ((pwd_len && !set_pwd) || 857 (clr_pwd && (set_pwd || lock)) || 858 (lock && !sd->pwd_len && !set_pwd) || 859 (!set_pwd && !clr_pwd && 860 (((sd->card_status & CARD_IS_LOCKED) && lock) || 861 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 862 sd->card_status |= LOCK_UNLOCK_FAILED; 863 return; 864 } 865 866 if (set_pwd) { 867 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 868 sd->pwd_len = pwd_len; 869 } 870 871 if (clr_pwd) { 872 sd->pwd_len = 0; 873 } 874 875 if (lock) 876 sd->card_status |= CARD_IS_LOCKED; 877 else 878 sd->card_status &= ~CARD_IS_LOCKED; 879 } 880 881 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 882 { 883 uint32_t rca = 0x0000; 884 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg; 885 886 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 887 * However there is no ACMD55, so we want to trace this particular case. 888 */ 889 if (req.cmd != 55 || sd->expecting_acmd) { 890 trace_sdcard_normal_command(sd->proto_name, 891 sd_cmd_name(req.cmd), req.cmd, 892 req.arg, sd_state_name(sd->state)); 893 } 894 895 /* Not interpreting this as an app command */ 896 sd->card_status &= ~APP_CMD; 897 898 if (sd_cmd_type[req.cmd] == sd_ac 899 || sd_cmd_type[req.cmd] == sd_adtc) { 900 rca = req.arg >> 16; 901 } 902 903 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 904 * if not, its effects are cancelled */ 905 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 906 sd->multi_blk_cnt = 0; 907 } 908 909 switch (req.cmd) { 910 /* Basic commands (Class 0 and Class 1) */ 911 case 0: /* CMD0: GO_IDLE_STATE */ 912 switch (sd->state) { 913 case sd_inactive_state: 914 return sd->spi ? sd_r1 : sd_r0; 915 916 default: 917 sd->state = sd_idle_state; 918 sd_reset(DEVICE(sd)); 919 return sd->spi ? sd_r1 : sd_r0; 920 } 921 break; 922 923 case 1: /* CMD1: SEND_OP_CMD */ 924 if (!sd->spi) 925 goto bad_cmd; 926 927 sd->state = sd_transfer_state; 928 return sd_r1; 929 930 case 2: /* CMD2: ALL_SEND_CID */ 931 if (sd->spi) 932 goto bad_cmd; 933 switch (sd->state) { 934 case sd_ready_state: 935 sd->state = sd_identification_state; 936 return sd_r2_i; 937 938 default: 939 break; 940 } 941 break; 942 943 case 3: /* CMD3: SEND_RELATIVE_ADDR */ 944 if (sd->spi) 945 goto bad_cmd; 946 switch (sd->state) { 947 case sd_identification_state: 948 case sd_standby_state: 949 sd->state = sd_standby_state; 950 sd_set_rca(sd); 951 return sd_r6; 952 953 default: 954 break; 955 } 956 break; 957 958 case 4: /* CMD4: SEND_DSR */ 959 if (sd->spi) 960 goto bad_cmd; 961 switch (sd->state) { 962 case sd_standby_state: 963 break; 964 965 default: 966 break; 967 } 968 break; 969 970 case 5: /* CMD5: reserved for SDIO cards */ 971 return sd_illegal; 972 973 case 6: /* CMD6: SWITCH_FUNCTION */ 974 switch (sd->mode) { 975 case sd_data_transfer_mode: 976 sd_function_switch(sd, req.arg); 977 sd->state = sd_sendingdata_state; 978 sd->data_start = 0; 979 sd->data_offset = 0; 980 return sd_r1; 981 982 default: 983 break; 984 } 985 break; 986 987 case 7: /* CMD7: SELECT/DESELECT_CARD */ 988 if (sd->spi) 989 goto bad_cmd; 990 switch (sd->state) { 991 case sd_standby_state: 992 if (sd->rca != rca) 993 return sd_r0; 994 995 sd->state = sd_transfer_state; 996 return sd_r1b; 997 998 case sd_transfer_state: 999 case sd_sendingdata_state: 1000 if (sd->rca == rca) 1001 break; 1002 1003 sd->state = sd_standby_state; 1004 return sd_r1b; 1005 1006 case sd_disconnect_state: 1007 if (sd->rca != rca) 1008 return sd_r0; 1009 1010 sd->state = sd_programming_state; 1011 return sd_r1b; 1012 1013 case sd_programming_state: 1014 if (sd->rca == rca) 1015 break; 1016 1017 sd->state = sd_disconnect_state; 1018 return sd_r1b; 1019 1020 default: 1021 break; 1022 } 1023 break; 1024 1025 case 8: /* CMD8: SEND_IF_COND */ 1026 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) { 1027 break; 1028 } 1029 if (sd->state != sd_idle_state) { 1030 break; 1031 } 1032 sd->vhs = 0; 1033 1034 /* No response if not exactly one VHS bit is set. */ 1035 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1036 return sd->spi ? sd_r7 : sd_r0; 1037 } 1038 1039 /* Accept. */ 1040 sd->vhs = req.arg; 1041 return sd_r7; 1042 1043 case 9: /* CMD9: SEND_CSD */ 1044 switch (sd->state) { 1045 case sd_standby_state: 1046 if (sd->rca != rca) 1047 return sd_r0; 1048 1049 return sd_r2_s; 1050 1051 case sd_transfer_state: 1052 if (!sd->spi) 1053 break; 1054 sd->state = sd_sendingdata_state; 1055 memcpy(sd->data, sd->csd, 16); 1056 sd->data_start = addr; 1057 sd->data_offset = 0; 1058 return sd_r1; 1059 1060 default: 1061 break; 1062 } 1063 break; 1064 1065 case 10: /* CMD10: SEND_CID */ 1066 switch (sd->state) { 1067 case sd_standby_state: 1068 if (sd->rca != rca) 1069 return sd_r0; 1070 1071 return sd_r2_i; 1072 1073 case sd_transfer_state: 1074 if (!sd->spi) 1075 break; 1076 sd->state = sd_sendingdata_state; 1077 memcpy(sd->data, sd->cid, 16); 1078 sd->data_start = addr; 1079 sd->data_offset = 0; 1080 return sd_r1; 1081 1082 default: 1083 break; 1084 } 1085 break; 1086 1087 case 12: /* CMD12: STOP_TRANSMISSION */ 1088 switch (sd->state) { 1089 case sd_sendingdata_state: 1090 sd->state = sd_transfer_state; 1091 return sd_r1b; 1092 1093 case sd_receivingdata_state: 1094 sd->state = sd_programming_state; 1095 /* Bzzzzzzztt .... Operation complete. */ 1096 sd->state = sd_transfer_state; 1097 return sd_r1b; 1098 1099 default: 1100 break; 1101 } 1102 break; 1103 1104 case 13: /* CMD13: SEND_STATUS */ 1105 switch (sd->mode) { 1106 case sd_data_transfer_mode: 1107 if (sd->rca != rca) 1108 return sd_r0; 1109 1110 return sd_r1; 1111 1112 default: 1113 break; 1114 } 1115 break; 1116 1117 case 15: /* CMD15: GO_INACTIVE_STATE */ 1118 if (sd->spi) 1119 goto bad_cmd; 1120 switch (sd->mode) { 1121 case sd_data_transfer_mode: 1122 if (sd->rca != rca) 1123 return sd_r0; 1124 1125 sd->state = sd_inactive_state; 1126 return sd_r0; 1127 1128 default: 1129 break; 1130 } 1131 break; 1132 1133 /* Block read commands (Classs 2) */ 1134 case 16: /* CMD16: SET_BLOCKLEN */ 1135 switch (sd->state) { 1136 case sd_transfer_state: 1137 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1138 sd->card_status |= BLOCK_LEN_ERROR; 1139 } else { 1140 trace_sdcard_set_blocklen(req.arg); 1141 sd->blk_len = req.arg; 1142 } 1143 1144 return sd_r1; 1145 1146 default: 1147 break; 1148 } 1149 break; 1150 1151 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1152 switch (sd->state) { 1153 case sd_transfer_state: 1154 sd->state = sd_sendingdata_state; 1155 sd->data_start = addr; 1156 sd->data_offset = 0; 1157 1158 if (sd->data_start + sd->blk_len > sd->size) 1159 sd->card_status |= ADDRESS_ERROR; 1160 return sd_r1; 1161 1162 default: 1163 break; 1164 } 1165 break; 1166 1167 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1168 switch (sd->state) { 1169 case sd_transfer_state: 1170 sd->state = sd_sendingdata_state; 1171 sd->data_start = addr; 1172 sd->data_offset = 0; 1173 1174 if (sd->data_start + sd->blk_len > sd->size) 1175 sd->card_status |= ADDRESS_ERROR; 1176 return sd_r1; 1177 1178 default: 1179 break; 1180 } 1181 break; 1182 1183 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 1184 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1185 break; 1186 } 1187 if (sd->state == sd_transfer_state) { 1188 sd->state = sd_sendingdata_state; 1189 sd->data_offset = 0; 1190 return sd_r1; 1191 } 1192 break; 1193 1194 case 23: /* CMD23: SET_BLOCK_COUNT */ 1195 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) { 1196 break; 1197 } 1198 switch (sd->state) { 1199 case sd_transfer_state: 1200 sd->multi_blk_cnt = req.arg; 1201 return sd_r1; 1202 1203 default: 1204 break; 1205 } 1206 break; 1207 1208 /* Block write commands (Class 4) */ 1209 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1210 switch (sd->state) { 1211 case sd_transfer_state: 1212 /* Writing in SPI mode not implemented. */ 1213 if (sd->spi) 1214 break; 1215 sd->state = sd_receivingdata_state; 1216 sd->data_start = addr; 1217 sd->data_offset = 0; 1218 sd->blk_written = 0; 1219 1220 if (sd->data_start + sd->blk_len > sd->size) 1221 sd->card_status |= ADDRESS_ERROR; 1222 if (sd_wp_addr(sd, sd->data_start)) 1223 sd->card_status |= WP_VIOLATION; 1224 if (sd->csd[14] & 0x30) 1225 sd->card_status |= WP_VIOLATION; 1226 return sd_r1; 1227 1228 default: 1229 break; 1230 } 1231 break; 1232 1233 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1234 switch (sd->state) { 1235 case sd_transfer_state: 1236 /* Writing in SPI mode not implemented. */ 1237 if (sd->spi) 1238 break; 1239 sd->state = sd_receivingdata_state; 1240 sd->data_start = addr; 1241 sd->data_offset = 0; 1242 sd->blk_written = 0; 1243 1244 if (sd->data_start + sd->blk_len > sd->size) 1245 sd->card_status |= ADDRESS_ERROR; 1246 if (sd_wp_addr(sd, sd->data_start)) 1247 sd->card_status |= WP_VIOLATION; 1248 if (sd->csd[14] & 0x30) 1249 sd->card_status |= WP_VIOLATION; 1250 return sd_r1; 1251 1252 default: 1253 break; 1254 } 1255 break; 1256 1257 case 26: /* CMD26: PROGRAM_CID */ 1258 if (sd->spi) 1259 goto bad_cmd; 1260 switch (sd->state) { 1261 case sd_transfer_state: 1262 sd->state = sd_receivingdata_state; 1263 sd->data_start = 0; 1264 sd->data_offset = 0; 1265 return sd_r1; 1266 1267 default: 1268 break; 1269 } 1270 break; 1271 1272 case 27: /* CMD27: PROGRAM_CSD */ 1273 switch (sd->state) { 1274 case sd_transfer_state: 1275 sd->state = sd_receivingdata_state; 1276 sd->data_start = 0; 1277 sd->data_offset = 0; 1278 return sd_r1; 1279 1280 default: 1281 break; 1282 } 1283 break; 1284 1285 /* Write protection (Class 6) */ 1286 case 28: /* CMD28: SET_WRITE_PROT */ 1287 switch (sd->state) { 1288 case sd_transfer_state: 1289 if (addr >= sd->size) { 1290 sd->card_status |= ADDRESS_ERROR; 1291 return sd_r1b; 1292 } 1293 1294 sd->state = sd_programming_state; 1295 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1296 /* Bzzzzzzztt .... Operation complete. */ 1297 sd->state = sd_transfer_state; 1298 return sd_r1b; 1299 1300 default: 1301 break; 1302 } 1303 break; 1304 1305 case 29: /* CMD29: CLR_WRITE_PROT */ 1306 switch (sd->state) { 1307 case sd_transfer_state: 1308 if (addr >= sd->size) { 1309 sd->card_status |= ADDRESS_ERROR; 1310 return sd_r1b; 1311 } 1312 1313 sd->state = sd_programming_state; 1314 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1315 /* Bzzzzzzztt .... Operation complete. */ 1316 sd->state = sd_transfer_state; 1317 return sd_r1b; 1318 1319 default: 1320 break; 1321 } 1322 break; 1323 1324 case 30: /* CMD30: SEND_WRITE_PROT */ 1325 switch (sd->state) { 1326 case sd_transfer_state: 1327 sd->state = sd_sendingdata_state; 1328 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg); 1329 sd->data_start = addr; 1330 sd->data_offset = 0; 1331 return sd_r1b; 1332 1333 default: 1334 break; 1335 } 1336 break; 1337 1338 /* Erase commands (Class 5) */ 1339 case 32: /* CMD32: ERASE_WR_BLK_START */ 1340 switch (sd->state) { 1341 case sd_transfer_state: 1342 sd->erase_start = req.arg; 1343 return sd_r1; 1344 1345 default: 1346 break; 1347 } 1348 break; 1349 1350 case 33: /* CMD33: ERASE_WR_BLK_END */ 1351 switch (sd->state) { 1352 case sd_transfer_state: 1353 sd->erase_end = req.arg; 1354 return sd_r1; 1355 1356 default: 1357 break; 1358 } 1359 break; 1360 1361 case 38: /* CMD38: ERASE */ 1362 switch (sd->state) { 1363 case sd_transfer_state: 1364 if (sd->csd[14] & 0x30) { 1365 sd->card_status |= WP_VIOLATION; 1366 return sd_r1b; 1367 } 1368 1369 sd->state = sd_programming_state; 1370 sd_erase(sd); 1371 /* Bzzzzzzztt .... Operation complete. */ 1372 sd->state = sd_transfer_state; 1373 return sd_r1b; 1374 1375 default: 1376 break; 1377 } 1378 break; 1379 1380 /* Lock card commands (Class 7) */ 1381 case 42: /* CMD42: LOCK_UNLOCK */ 1382 switch (sd->state) { 1383 case sd_transfer_state: 1384 sd->state = sd_receivingdata_state; 1385 sd->data_start = 0; 1386 sd->data_offset = 0; 1387 return sd_r1; 1388 1389 default: 1390 break; 1391 } 1392 break; 1393 1394 case 52 ... 54: 1395 /* CMD52, CMD53, CMD54: reserved for SDIO cards 1396 * (see the SDIO Simplified Specification V2.0) 1397 * Handle as illegal command but do not complain 1398 * on stderr, as some OSes may use these in their 1399 * probing for presence of an SDIO card. 1400 */ 1401 return sd_illegal; 1402 1403 /* Application specific commands (Class 8) */ 1404 case 55: /* CMD55: APP_CMD */ 1405 switch (sd->state) { 1406 case sd_ready_state: 1407 case sd_identification_state: 1408 case sd_inactive_state: 1409 return sd_illegal; 1410 case sd_idle_state: 1411 if (rca) { 1412 qemu_log_mask(LOG_GUEST_ERROR, 1413 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1414 } 1415 default: 1416 break; 1417 } 1418 if (!sd->spi) { 1419 if (sd->rca != rca) { 1420 return sd_r0; 1421 } 1422 } 1423 sd->expecting_acmd = true; 1424 sd->card_status |= APP_CMD; 1425 return sd_r1; 1426 1427 case 56: /* CMD56: GEN_CMD */ 1428 switch (sd->state) { 1429 case sd_transfer_state: 1430 sd->data_offset = 0; 1431 if (req.arg & 1) 1432 sd->state = sd_sendingdata_state; 1433 else 1434 sd->state = sd_receivingdata_state; 1435 return sd_r1; 1436 1437 default: 1438 break; 1439 } 1440 break; 1441 1442 case 58: /* CMD58: READ_OCR (SPI) */ 1443 if (!sd->spi) { 1444 goto bad_cmd; 1445 } 1446 return sd_r3; 1447 1448 case 59: /* CMD59: CRC_ON_OFF (SPI) */ 1449 if (!sd->spi) { 1450 goto bad_cmd; 1451 } 1452 goto unimplemented_spi_cmd; 1453 1454 default: 1455 bad_cmd: 1456 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1457 return sd_illegal; 1458 1459 unimplemented_spi_cmd: 1460 /* Commands that are recognised but not yet implemented in SPI mode. */ 1461 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1462 req.cmd); 1463 return sd_illegal; 1464 } 1465 1466 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd); 1467 return sd_illegal; 1468 } 1469 1470 static sd_rsp_type_t sd_app_command(SDState *sd, 1471 SDRequest req) 1472 { 1473 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd), 1474 req.cmd, req.arg, sd_state_name(sd->state)); 1475 sd->card_status |= APP_CMD; 1476 switch (req.cmd) { 1477 case 6: /* ACMD6: SET_BUS_WIDTH */ 1478 if (sd->spi) { 1479 goto unimplemented_spi_cmd; 1480 } 1481 switch (sd->state) { 1482 case sd_transfer_state: 1483 sd->sd_status[0] &= 0x3f; 1484 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1485 return sd_r1; 1486 1487 default: 1488 break; 1489 } 1490 break; 1491 1492 case 13: /* ACMD13: SD_STATUS */ 1493 switch (sd->state) { 1494 case sd_transfer_state: 1495 sd->state = sd_sendingdata_state; 1496 sd->data_start = 0; 1497 sd->data_offset = 0; 1498 return sd_r1; 1499 1500 default: 1501 break; 1502 } 1503 break; 1504 1505 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1506 switch (sd->state) { 1507 case sd_transfer_state: 1508 *(uint32_t *) sd->data = sd->blk_written; 1509 1510 sd->state = sd_sendingdata_state; 1511 sd->data_start = 0; 1512 sd->data_offset = 0; 1513 return sd_r1; 1514 1515 default: 1516 break; 1517 } 1518 break; 1519 1520 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */ 1521 switch (sd->state) { 1522 case sd_transfer_state: 1523 return sd_r1; 1524 1525 default: 1526 break; 1527 } 1528 break; 1529 1530 case 41: /* ACMD41: SD_APP_OP_COND */ 1531 if (sd->spi) { 1532 /* SEND_OP_CMD */ 1533 sd->state = sd_transfer_state; 1534 return sd_r1; 1535 } 1536 if (sd->state != sd_idle_state) { 1537 break; 1538 } 1539 /* If it's the first ACMD41 since reset, we need to decide 1540 * whether to power up. If this is not an enquiry ACMD41, 1541 * we immediately report power on and proceed below to the 1542 * ready state, but if it is, we set a timer to model a 1543 * delay for power up. This works around a bug in EDK2 1544 * UEFI, which sends an initial enquiry ACMD41, but 1545 * assumes that the card is in ready state as soon as it 1546 * sees the power up bit set. */ 1547 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1548 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1549 timer_del(sd->ocr_power_timer); 1550 sd_ocr_powerup(sd); 1551 } else { 1552 trace_sdcard_inquiry_cmd41(); 1553 if (!timer_pending(sd->ocr_power_timer)) { 1554 timer_mod_ns(sd->ocr_power_timer, 1555 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1556 + OCR_POWER_DELAY_NS)); 1557 } 1558 } 1559 } 1560 1561 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1562 /* We accept any voltage. 10000 V is nothing. 1563 * 1564 * Once we're powered up, we advance straight to ready state 1565 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1566 */ 1567 sd->state = sd_ready_state; 1568 } 1569 1570 return sd_r3; 1571 1572 case 42: /* ACMD42: SET_CLR_CARD_DETECT */ 1573 switch (sd->state) { 1574 case sd_transfer_state: 1575 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1576 return sd_r1; 1577 1578 default: 1579 break; 1580 } 1581 break; 1582 1583 case 51: /* ACMD51: SEND_SCR */ 1584 switch (sd->state) { 1585 case sd_transfer_state: 1586 sd->state = sd_sendingdata_state; 1587 sd->data_start = 0; 1588 sd->data_offset = 0; 1589 return sd_r1; 1590 1591 default: 1592 break; 1593 } 1594 break; 1595 1596 case 18: /* Reserved for SD security applications */ 1597 case 25: 1598 case 26: 1599 case 38: 1600 case 43 ... 49: 1601 /* Refer to the "SD Specifications Part3 Security Specification" for 1602 * information about the SD Security Features. 1603 */ 1604 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 1605 req.cmd); 1606 return sd_illegal; 1607 1608 default: 1609 /* Fall back to standard commands. */ 1610 return sd_normal_command(sd, req); 1611 1612 unimplemented_spi_cmd: 1613 /* Commands that are recognised but not yet implemented in SPI mode. */ 1614 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1615 req.cmd); 1616 return sd_illegal; 1617 } 1618 1619 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1620 return sd_illegal; 1621 } 1622 1623 static int cmd_valid_while_locked(SDState *sd, SDRequest *req) 1624 { 1625 /* Valid commands in locked state: 1626 * basic class (0) 1627 * lock card class (7) 1628 * CMD16 1629 * implicitly, the ACMD prefix CMD55 1630 * ACMD41 and ACMD42 1631 * Anything else provokes an "illegal command" response. 1632 */ 1633 if (sd->expecting_acmd) { 1634 return req->cmd == 41 || req->cmd == 42; 1635 } 1636 if (req->cmd == 16 || req->cmd == 55) { 1637 return 1; 1638 } 1639 return sd_cmd_class[req->cmd] == 0 1640 || sd_cmd_class[req->cmd] == 7; 1641 } 1642 1643 int sd_do_command(SDState *sd, SDRequest *req, 1644 uint8_t *response) { 1645 int last_state; 1646 sd_rsp_type_t rtype; 1647 int rsplen; 1648 1649 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1650 return 0; 1651 } 1652 1653 if (sd_req_crc_validate(req)) { 1654 sd->card_status |= COM_CRC_ERROR; 1655 rtype = sd_illegal; 1656 goto send_response; 1657 } 1658 1659 if (req->cmd >= SDMMC_CMD_MAX) { 1660 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 1661 req->cmd); 1662 req->cmd &= 0x3f; 1663 } 1664 1665 if (sd->card_status & CARD_IS_LOCKED) { 1666 if (!cmd_valid_while_locked(sd, req)) { 1667 sd->card_status |= ILLEGAL_COMMAND; 1668 sd->expecting_acmd = false; 1669 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1670 rtype = sd_illegal; 1671 goto send_response; 1672 } 1673 } 1674 1675 last_state = sd->state; 1676 sd_set_mode(sd); 1677 1678 if (sd->expecting_acmd) { 1679 sd->expecting_acmd = false; 1680 rtype = sd_app_command(sd, *req); 1681 } else { 1682 rtype = sd_normal_command(sd, *req); 1683 } 1684 1685 if (rtype == sd_illegal) { 1686 sd->card_status |= ILLEGAL_COMMAND; 1687 } else { 1688 /* Valid command, we can update the 'state before command' bits. 1689 * (Do this now so they appear in r1 responses.) 1690 */ 1691 sd->current_cmd = req->cmd; 1692 sd->card_status &= ~CURRENT_STATE; 1693 sd->card_status |= (last_state << 9); 1694 } 1695 1696 send_response: 1697 switch (rtype) { 1698 case sd_r1: 1699 case sd_r1b: 1700 sd_response_r1_make(sd, response); 1701 rsplen = 4; 1702 break; 1703 1704 case sd_r2_i: 1705 memcpy(response, sd->cid, sizeof(sd->cid)); 1706 rsplen = 16; 1707 break; 1708 1709 case sd_r2_s: 1710 memcpy(response, sd->csd, sizeof(sd->csd)); 1711 rsplen = 16; 1712 break; 1713 1714 case sd_r3: 1715 sd_response_r3_make(sd, response); 1716 rsplen = 4; 1717 break; 1718 1719 case sd_r6: 1720 sd_response_r6_make(sd, response); 1721 rsplen = 4; 1722 break; 1723 1724 case sd_r7: 1725 sd_response_r7_make(sd, response); 1726 rsplen = 4; 1727 break; 1728 1729 case sd_r0: 1730 case sd_illegal: 1731 rsplen = 0; 1732 break; 1733 default: 1734 g_assert_not_reached(); 1735 } 1736 trace_sdcard_response(sd_response_name(rtype), rsplen); 1737 1738 if (rtype != sd_illegal) { 1739 /* Clear the "clear on valid command" status bits now we've 1740 * sent any response 1741 */ 1742 sd->card_status &= ~CARD_STATUS_B; 1743 } 1744 1745 #ifdef DEBUG_SD 1746 qemu_hexdump((const char *)response, stderr, "Response", rsplen); 1747 #endif 1748 1749 return rsplen; 1750 } 1751 1752 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 1753 { 1754 trace_sdcard_read_block(addr, len); 1755 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) { 1756 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1757 } 1758 } 1759 1760 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 1761 { 1762 trace_sdcard_write_block(addr, len); 1763 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) { 1764 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1765 } 1766 } 1767 1768 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len) 1769 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len) 1770 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 1771 #define APP_WRITE_BLOCK(a, len) 1772 1773 void sd_write_data(SDState *sd, uint8_t value) 1774 { 1775 int i; 1776 1777 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1778 return; 1779 1780 if (sd->state != sd_receivingdata_state) { 1781 qemu_log_mask(LOG_GUEST_ERROR, 1782 "sd_write_data: not in Receiving-Data state\n"); 1783 return; 1784 } 1785 1786 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1787 return; 1788 1789 trace_sdcard_write_data(sd->proto_name, 1790 sd_acmd_name(sd->current_cmd), 1791 sd->current_cmd, value); 1792 switch (sd->current_cmd) { 1793 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1794 sd->data[sd->data_offset ++] = value; 1795 if (sd->data_offset >= sd->blk_len) { 1796 /* TODO: Check CRC before committing */ 1797 sd->state = sd_programming_state; 1798 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1799 sd->blk_written ++; 1800 sd->csd[14] |= 0x40; 1801 /* Bzzzzzzztt .... Operation complete. */ 1802 sd->state = sd_transfer_state; 1803 } 1804 break; 1805 1806 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1807 if (sd->data_offset == 0) { 1808 /* Start of the block - let's check the address is valid */ 1809 if (sd->data_start + sd->blk_len > sd->size) { 1810 sd->card_status |= ADDRESS_ERROR; 1811 break; 1812 } 1813 if (sd_wp_addr(sd, sd->data_start)) { 1814 sd->card_status |= WP_VIOLATION; 1815 break; 1816 } 1817 } 1818 sd->data[sd->data_offset++] = value; 1819 if (sd->data_offset >= sd->blk_len) { 1820 /* TODO: Check CRC before committing */ 1821 sd->state = sd_programming_state; 1822 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1823 sd->blk_written++; 1824 sd->data_start += sd->blk_len; 1825 sd->data_offset = 0; 1826 sd->csd[14] |= 0x40; 1827 1828 /* Bzzzzzzztt .... Operation complete. */ 1829 if (sd->multi_blk_cnt != 0) { 1830 if (--sd->multi_blk_cnt == 0) { 1831 /* Stop! */ 1832 sd->state = sd_transfer_state; 1833 break; 1834 } 1835 } 1836 1837 sd->state = sd_receivingdata_state; 1838 } 1839 break; 1840 1841 case 26: /* CMD26: PROGRAM_CID */ 1842 sd->data[sd->data_offset ++] = value; 1843 if (sd->data_offset >= sizeof(sd->cid)) { 1844 /* TODO: Check CRC before committing */ 1845 sd->state = sd_programming_state; 1846 for (i = 0; i < sizeof(sd->cid); i ++) 1847 if ((sd->cid[i] | 0x00) != sd->data[i]) 1848 sd->card_status |= CID_CSD_OVERWRITE; 1849 1850 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1851 for (i = 0; i < sizeof(sd->cid); i ++) { 1852 sd->cid[i] |= 0x00; 1853 sd->cid[i] &= sd->data[i]; 1854 } 1855 /* Bzzzzzzztt .... Operation complete. */ 1856 sd->state = sd_transfer_state; 1857 } 1858 break; 1859 1860 case 27: /* CMD27: PROGRAM_CSD */ 1861 sd->data[sd->data_offset ++] = value; 1862 if (sd->data_offset >= sizeof(sd->csd)) { 1863 /* TODO: Check CRC before committing */ 1864 sd->state = sd_programming_state; 1865 for (i = 0; i < sizeof(sd->csd); i ++) 1866 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 1867 (sd->data[i] | sd_csd_rw_mask[i])) 1868 sd->card_status |= CID_CSD_OVERWRITE; 1869 1870 /* Copy flag (OTP) & Permanent write protect */ 1871 if (sd->csd[14] & ~sd->data[14] & 0x60) 1872 sd->card_status |= CID_CSD_OVERWRITE; 1873 1874 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1875 for (i = 0; i < sizeof(sd->csd); i ++) { 1876 sd->csd[i] |= sd_csd_rw_mask[i]; 1877 sd->csd[i] &= sd->data[i]; 1878 } 1879 /* Bzzzzzzztt .... Operation complete. */ 1880 sd->state = sd_transfer_state; 1881 } 1882 break; 1883 1884 case 42: /* CMD42: LOCK_UNLOCK */ 1885 sd->data[sd->data_offset ++] = value; 1886 if (sd->data_offset >= sd->blk_len) { 1887 /* TODO: Check CRC before committing */ 1888 sd->state = sd_programming_state; 1889 sd_lock_command(sd); 1890 /* Bzzzzzzztt .... Operation complete. */ 1891 sd->state = sd_transfer_state; 1892 } 1893 break; 1894 1895 case 56: /* CMD56: GEN_CMD */ 1896 sd->data[sd->data_offset ++] = value; 1897 if (sd->data_offset >= sd->blk_len) { 1898 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 1899 sd->state = sd_transfer_state; 1900 } 1901 break; 1902 1903 default: 1904 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n"); 1905 break; 1906 } 1907 } 1908 1909 #define SD_TUNING_BLOCK_SIZE 64 1910 1911 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = { 1912 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */ 1913 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 1914 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 1915 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 1916 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 1917 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 1918 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 1919 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 1920 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde, 1921 }; 1922 1923 uint8_t sd_read_data(SDState *sd) 1924 { 1925 /* TODO: Append CRCs */ 1926 uint8_t ret; 1927 int io_len; 1928 1929 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1930 return 0x00; 1931 1932 if (sd->state != sd_sendingdata_state) { 1933 qemu_log_mask(LOG_GUEST_ERROR, 1934 "sd_read_data: not in Sending-Data state\n"); 1935 return 0x00; 1936 } 1937 1938 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1939 return 0x00; 1940 1941 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len; 1942 1943 trace_sdcard_read_data(sd->proto_name, 1944 sd_acmd_name(sd->current_cmd), 1945 sd->current_cmd, io_len); 1946 switch (sd->current_cmd) { 1947 case 6: /* CMD6: SWITCH_FUNCTION */ 1948 ret = sd->data[sd->data_offset ++]; 1949 1950 if (sd->data_offset >= 64) 1951 sd->state = sd_transfer_state; 1952 break; 1953 1954 case 9: /* CMD9: SEND_CSD */ 1955 case 10: /* CMD10: SEND_CID */ 1956 ret = sd->data[sd->data_offset ++]; 1957 1958 if (sd->data_offset >= 16) 1959 sd->state = sd_transfer_state; 1960 break; 1961 1962 case 13: /* ACMD13: SD_STATUS */ 1963 ret = sd->sd_status[sd->data_offset ++]; 1964 1965 if (sd->data_offset >= sizeof(sd->sd_status)) 1966 sd->state = sd_transfer_state; 1967 break; 1968 1969 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1970 if (sd->data_offset == 0) 1971 BLK_READ_BLOCK(sd->data_start, io_len); 1972 ret = sd->data[sd->data_offset ++]; 1973 1974 if (sd->data_offset >= io_len) 1975 sd->state = sd_transfer_state; 1976 break; 1977 1978 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1979 if (sd->data_offset == 0) { 1980 if (sd->data_start + io_len > sd->size) { 1981 sd->card_status |= ADDRESS_ERROR; 1982 return 0x00; 1983 } 1984 BLK_READ_BLOCK(sd->data_start, io_len); 1985 } 1986 ret = sd->data[sd->data_offset ++]; 1987 1988 if (sd->data_offset >= io_len) { 1989 sd->data_start += io_len; 1990 sd->data_offset = 0; 1991 1992 if (sd->multi_blk_cnt != 0) { 1993 if (--sd->multi_blk_cnt == 0) { 1994 /* Stop! */ 1995 sd->state = sd_transfer_state; 1996 break; 1997 } 1998 } 1999 } 2000 break; 2001 2002 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 2003 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) { 2004 sd->state = sd_transfer_state; 2005 } 2006 ret = sd_tuning_block_pattern[sd->data_offset++]; 2007 break; 2008 2009 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2010 ret = sd->data[sd->data_offset ++]; 2011 2012 if (sd->data_offset >= 4) 2013 sd->state = sd_transfer_state; 2014 break; 2015 2016 case 30: /* CMD30: SEND_WRITE_PROT */ 2017 ret = sd->data[sd->data_offset ++]; 2018 2019 if (sd->data_offset >= 4) 2020 sd->state = sd_transfer_state; 2021 break; 2022 2023 case 51: /* ACMD51: SEND_SCR */ 2024 ret = sd->scr[sd->data_offset ++]; 2025 2026 if (sd->data_offset >= sizeof(sd->scr)) 2027 sd->state = sd_transfer_state; 2028 break; 2029 2030 case 56: /* CMD56: GEN_CMD */ 2031 if (sd->data_offset == 0) 2032 APP_READ_BLOCK(sd->data_start, sd->blk_len); 2033 ret = sd->data[sd->data_offset ++]; 2034 2035 if (sd->data_offset >= sd->blk_len) 2036 sd->state = sd_transfer_state; 2037 break; 2038 2039 default: 2040 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n"); 2041 return 0x00; 2042 } 2043 2044 return ret; 2045 } 2046 2047 bool sd_data_ready(SDState *sd) 2048 { 2049 return sd->state == sd_sendingdata_state; 2050 } 2051 2052 void sd_enable(SDState *sd, bool enable) 2053 { 2054 sd->enable = enable; 2055 } 2056 2057 static void sd_instance_init(Object *obj) 2058 { 2059 SDState *sd = SD_CARD(obj); 2060 2061 sd->enable = true; 2062 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2063 } 2064 2065 static void sd_instance_finalize(Object *obj) 2066 { 2067 SDState *sd = SD_CARD(obj); 2068 2069 timer_del(sd->ocr_power_timer); 2070 timer_free(sd->ocr_power_timer); 2071 } 2072 2073 static void sd_realize(DeviceState *dev, Error **errp) 2074 { 2075 SDState *sd = SD_CARD(dev); 2076 int ret; 2077 2078 sd->proto_name = sd->spi ? "SPI" : "SD"; 2079 2080 switch (sd->spec_version) { 2081 case SD_PHY_SPECv1_10_VERS 2082 ... SD_PHY_SPECv3_01_VERS: 2083 break; 2084 default: 2085 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version); 2086 return; 2087 } 2088 2089 if (sd->blk && blk_is_read_only(sd->blk)) { 2090 error_setg(errp, "Cannot use read-only drive as SD card"); 2091 return; 2092 } 2093 2094 if (sd->blk) { 2095 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2096 BLK_PERM_ALL, errp); 2097 if (ret < 0) { 2098 return; 2099 } 2100 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2101 } 2102 } 2103 2104 static Property sd_properties[] = { 2105 DEFINE_PROP_UINT8("spec_version", SDState, 2106 spec_version, SD_PHY_SPECv2_00_VERS), 2107 DEFINE_PROP_DRIVE("drive", SDState, blk), 2108 /* We do not model the chip select pin, so allow the board to select 2109 * whether card should be in SSI or MMC/SD mode. It is also up to the 2110 * board to ensure that ssi transfers only occur when the chip select 2111 * is asserted. */ 2112 DEFINE_PROP_BOOL("spi", SDState, spi, false), 2113 DEFINE_PROP_END_OF_LIST() 2114 }; 2115 2116 static void sd_class_init(ObjectClass *klass, void *data) 2117 { 2118 DeviceClass *dc = DEVICE_CLASS(klass); 2119 SDCardClass *sc = SD_CARD_CLASS(klass); 2120 2121 dc->realize = sd_realize; 2122 dc->props = sd_properties; 2123 dc->vmsd = &sd_vmstate; 2124 dc->reset = sd_reset; 2125 dc->bus_type = TYPE_SD_BUS; 2126 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); 2127 2128 sc->set_voltage = sd_set_voltage; 2129 sc->get_dat_lines = sd_get_dat_lines; 2130 sc->get_cmd_line = sd_get_cmd_line; 2131 sc->do_command = sd_do_command; 2132 sc->write_data = sd_write_data; 2133 sc->read_data = sd_read_data; 2134 sc->data_ready = sd_data_ready; 2135 sc->enable = sd_enable; 2136 sc->get_inserted = sd_get_inserted; 2137 sc->get_readonly = sd_get_readonly; 2138 } 2139 2140 static const TypeInfo sd_info = { 2141 .name = TYPE_SD_CARD, 2142 .parent = TYPE_DEVICE, 2143 .instance_size = sizeof(SDState), 2144 .class_size = sizeof(SDCardClass), 2145 .class_init = sd_class_init, 2146 .instance_init = sd_instance_init, 2147 .instance_finalize = sd_instance_finalize, 2148 }; 2149 2150 static void sd_register_types(void) 2151 { 2152 type_register_static(&sd_info); 2153 } 2154 2155 type_init(sd_register_types) 2156