xref: /openbmc/qemu/hw/sd/sd.c (revision db895a1e)
1 /*
2  * SD Memory Card emulation as defined in the "SD Memory Card Physical
3  * layer specification, Version 1.10."
4  *
5  * Copyright (c) 2006 Andrzej Zaborowski  <balrog@zabor.org>
6  * Copyright (c) 2007 CodeSourcery
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
20  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22  * PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR
23  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
27  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30  */
31 
32 #include "hw/hw.h"
33 #include "block/block.h"
34 #include "hw/sd.h"
35 #include "qemu/bitmap.h"
36 
37 //#define DEBUG_SD 1
38 
39 #ifdef DEBUG_SD
40 #define DPRINTF(fmt, ...) \
41 do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0)
42 #else
43 #define DPRINTF(fmt, ...) do {} while(0)
44 #endif
45 
46 #define ACMD41_ENQUIRY_MASK 0x00ffffff
47 
48 typedef enum {
49     sd_r0 = 0,    /* no response */
50     sd_r1,        /* normal response command */
51     sd_r2_i,      /* CID register */
52     sd_r2_s,      /* CSD register */
53     sd_r3,        /* OCR register */
54     sd_r6 = 6,    /* Published RCA response */
55     sd_r7,        /* Operating voltage */
56     sd_r1b = -1,
57     sd_illegal = -2,
58 } sd_rsp_type_t;
59 
60 enum SDCardModes {
61     sd_inactive,
62     sd_card_identification_mode,
63     sd_data_transfer_mode,
64 };
65 
66 enum SDCardStates {
67     sd_inactive_state = -1,
68     sd_idle_state = 0,
69     sd_ready_state,
70     sd_identification_state,
71     sd_standby_state,
72     sd_transfer_state,
73     sd_sendingdata_state,
74     sd_receivingdata_state,
75     sd_programming_state,
76     sd_disconnect_state,
77 };
78 
79 struct SDState {
80     uint32_t mode;    /* current card mode, one of SDCardModes */
81     int32_t state;    /* current card state, one of SDCardStates */
82     uint32_t ocr;
83     uint8_t scr[8];
84     uint8_t cid[16];
85     uint8_t csd[16];
86     uint16_t rca;
87     uint32_t card_status;
88     uint8_t sd_status[64];
89     uint32_t vhs;
90     bool wp_switch;
91     unsigned long *wp_groups;
92     int32_t wpgrps_size;
93     uint64_t size;
94     uint32_t blk_len;
95     uint32_t erase_start;
96     uint32_t erase_end;
97     uint8_t pwd[16];
98     uint32_t pwd_len;
99     uint8_t function_group[6];
100 
101     bool spi;
102     uint8_t current_cmd;
103     /* True if we will handle the next command as an ACMD. Note that this does
104      * *not* track the APP_CMD status bit!
105      */
106     bool expecting_acmd;
107     uint32_t blk_written;
108     uint64_t data_start;
109     uint32_t data_offset;
110     uint8_t data[512];
111     qemu_irq readonly_cb;
112     qemu_irq inserted_cb;
113     BlockDriverState *bdrv;
114     uint8_t *buf;
115 
116     bool enable;
117 };
118 
119 static void sd_set_mode(SDState *sd)
120 {
121     switch (sd->state) {
122     case sd_inactive_state:
123         sd->mode = sd_inactive;
124         break;
125 
126     case sd_idle_state:
127     case sd_ready_state:
128     case sd_identification_state:
129         sd->mode = sd_card_identification_mode;
130         break;
131 
132     case sd_standby_state:
133     case sd_transfer_state:
134     case sd_sendingdata_state:
135     case sd_receivingdata_state:
136     case sd_programming_state:
137     case sd_disconnect_state:
138         sd->mode = sd_data_transfer_mode;
139         break;
140     }
141 }
142 
143 static const sd_cmd_type_t sd_cmd_type[64] = {
144     sd_bc,   sd_none, sd_bcr,  sd_bcr,  sd_none, sd_none, sd_none, sd_ac,
145     sd_bcr,  sd_ac,   sd_ac,   sd_adtc, sd_ac,   sd_ac,   sd_none, sd_ac,
146     sd_ac,   sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
147     sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac,   sd_ac,   sd_adtc, sd_none,
148     sd_ac,   sd_ac,   sd_none, sd_none, sd_none, sd_none, sd_ac,   sd_none,
149     sd_none, sd_none, sd_bc,   sd_none, sd_none, sd_none, sd_none, sd_none,
150     sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
151     sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
152 };
153 
154 static const sd_cmd_type_t sd_acmd_type[64] = {
155     sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,   sd_none,
156     sd_none, sd_none, sd_none, sd_none, sd_none, sd_adtc, sd_none, sd_none,
157     sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_adtc, sd_ac,
158     sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
159     sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
160     sd_none, sd_bcr,  sd_ac,   sd_none, sd_none, sd_none, sd_none, sd_none,
161     sd_none, sd_none, sd_none, sd_adtc, sd_none, sd_none, sd_none, sd_none,
162     sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
163 };
164 
165 static const int sd_cmd_class[64] = {
166     0,  0,  0,  0,  0,  9, 10,  0,  0,  0,  0,  1,  0,  0,  0,  0,
167     2,  2,  2,  2,  3,  3,  3,  3,  4,  4,  4,  4,  6,  6,  6,  6,
168     5,  5, 10, 10, 10, 10,  5,  9,  9,  9,  7,  7,  7,  7,  7,  7,
169     7,  7, 10,  7,  9,  9,  9,  8,  8, 10,  8,  8,  8,  8,  8,  8,
170 };
171 
172 static uint8_t sd_crc7(void *message, size_t width)
173 {
174     int i, bit;
175     uint8_t shift_reg = 0x00;
176     uint8_t *msg = (uint8_t *) message;
177 
178     for (i = 0; i < width; i ++, msg ++)
179         for (bit = 7; bit >= 0; bit --) {
180             shift_reg <<= 1;
181             if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
182                 shift_reg ^= 0x89;
183         }
184 
185     return shift_reg;
186 }
187 
188 static uint16_t sd_crc16(void *message, size_t width)
189 {
190     int i, bit;
191     uint16_t shift_reg = 0x0000;
192     uint16_t *msg = (uint16_t *) message;
193     width <<= 1;
194 
195     for (i = 0; i < width; i ++, msg ++)
196         for (bit = 15; bit >= 0; bit --) {
197             shift_reg <<= 1;
198             if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
199                 shift_reg ^= 0x1011;
200         }
201 
202     return shift_reg;
203 }
204 
205 static void sd_set_ocr(SDState *sd)
206 {
207     /* All voltages OK, card power-up OK, Standard Capacity SD Memory Card */
208     sd->ocr = 0x80ffff00;
209 }
210 
211 static void sd_set_scr(SDState *sd)
212 {
213     sd->scr[0] = 0x00;		/* SCR Structure */
214     sd->scr[1] = 0x2f;		/* SD Security Support */
215     sd->scr[2] = 0x00;
216     sd->scr[3] = 0x00;
217     sd->scr[4] = 0x00;
218     sd->scr[5] = 0x00;
219     sd->scr[6] = 0x00;
220     sd->scr[7] = 0x00;
221 }
222 
223 #define MID	0xaa
224 #define OID	"XY"
225 #define PNM	"QEMU!"
226 #define PRV	0x01
227 #define MDT_YR	2006
228 #define MDT_MON	2
229 
230 static void sd_set_cid(SDState *sd)
231 {
232     sd->cid[0] = MID;		/* Fake card manufacturer ID (MID) */
233     sd->cid[1] = OID[0];	/* OEM/Application ID (OID) */
234     sd->cid[2] = OID[1];
235     sd->cid[3] = PNM[0];	/* Fake product name (PNM) */
236     sd->cid[4] = PNM[1];
237     sd->cid[5] = PNM[2];
238     sd->cid[6] = PNM[3];
239     sd->cid[7] = PNM[4];
240     sd->cid[8] = PRV;		/* Fake product revision (PRV) */
241     sd->cid[9] = 0xde;		/* Fake serial number (PSN) */
242     sd->cid[10] = 0xad;
243     sd->cid[11] = 0xbe;
244     sd->cid[12] = 0xef;
245     sd->cid[13] = 0x00 |	/* Manufacture date (MDT) */
246         ((MDT_YR - 2000) / 10);
247     sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
248     sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
249 }
250 
251 #define HWBLOCK_SHIFT	9			/* 512 bytes */
252 #define SECTOR_SHIFT	5			/* 16 kilobytes */
253 #define WPGROUP_SHIFT	7			/* 2 megs */
254 #define CMULT_SHIFT	9			/* 512 times HWBLOCK_SIZE */
255 #define WPGROUP_SIZE	(1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
256 
257 static const uint8_t sd_csd_rw_mask[16] = {
258     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
259     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
260 };
261 
262 static void sd_set_csd(SDState *sd, uint64_t size)
263 {
264     uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
265     uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
266     uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
267 
268     if (size <= 0x40000000) {	/* Standard Capacity SD */
269         sd->csd[0] = 0x00;	/* CSD structure */
270         sd->csd[1] = 0x26;	/* Data read access-time-1 */
271         sd->csd[2] = 0x00;	/* Data read access-time-2 */
272         sd->csd[3] = 0x5a;	/* Max. data transfer rate */
273         sd->csd[4] = 0x5f;	/* Card Command Classes */
274         sd->csd[5] = 0x50 |	/* Max. read data block length */
275             HWBLOCK_SHIFT;
276         sd->csd[6] = 0xe0 |	/* Partial block for read allowed */
277             ((csize >> 10) & 0x03);
278         sd->csd[7] = 0x00 |	/* Device size */
279             ((csize >> 2) & 0xff);
280         sd->csd[8] = 0x3f |	/* Max. read current */
281             ((csize << 6) & 0xc0);
282         sd->csd[9] = 0xfc |	/* Max. write current */
283             ((CMULT_SHIFT - 2) >> 1);
284         sd->csd[10] = 0x40 |	/* Erase sector size */
285             (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
286         sd->csd[11] = 0x00 |	/* Write protect group size */
287             ((sectsize << 7) & 0x80) | wpsize;
288         sd->csd[12] = 0x90 |	/* Write speed factor */
289             (HWBLOCK_SHIFT >> 2);
290         sd->csd[13] = 0x20 |	/* Max. write data block length */
291             ((HWBLOCK_SHIFT << 6) & 0xc0);
292         sd->csd[14] = 0x00;	/* File format group */
293         sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
294     } else {			/* SDHC */
295         size /= 512 * 1024;
296         size -= 1;
297         sd->csd[0] = 0x40;
298         sd->csd[1] = 0x0e;
299         sd->csd[2] = 0x00;
300         sd->csd[3] = 0x32;
301         sd->csd[4] = 0x5b;
302         sd->csd[5] = 0x59;
303         sd->csd[6] = 0x00;
304         sd->csd[7] = (size >> 16) & 0xff;
305         sd->csd[8] = (size >> 8) & 0xff;
306         sd->csd[9] = (size & 0xff);
307         sd->csd[10] = 0x7f;
308         sd->csd[11] = 0x80;
309         sd->csd[12] = 0x0a;
310         sd->csd[13] = 0x40;
311         sd->csd[14] = 0x00;
312         sd->csd[15] = 0x00;
313         sd->ocr |= 1 << 30;     /* High Capacity SD Memory Card */
314     }
315 }
316 
317 static void sd_set_rca(SDState *sd)
318 {
319     sd->rca += 0x4567;
320 }
321 
322 /* Card status bits, split by clear condition:
323  * A : According to the card current state
324  * B : Always related to the previous command
325  * C : Cleared by read
326  */
327 #define CARD_STATUS_A	0x02004100
328 #define CARD_STATUS_B	0x00c01e00
329 #define CARD_STATUS_C	0xfd39a028
330 
331 static void sd_set_cardstatus(SDState *sd)
332 {
333     sd->card_status = 0x00000100;
334 }
335 
336 static void sd_set_sdstatus(SDState *sd)
337 {
338     memset(sd->sd_status, 0, 64);
339 }
340 
341 static int sd_req_crc_validate(SDRequest *req)
342 {
343     uint8_t buffer[5];
344     buffer[0] = 0x40 | req->cmd;
345     buffer[1] = (req->arg >> 24) & 0xff;
346     buffer[2] = (req->arg >> 16) & 0xff;
347     buffer[3] = (req->arg >> 8) & 0xff;
348     buffer[4] = (req->arg >> 0) & 0xff;
349     return 0;
350     return sd_crc7(buffer, 5) != req->crc;	/* TODO */
351 }
352 
353 static void sd_response_r1_make(SDState *sd, uint8_t *response)
354 {
355     uint32_t status = sd->card_status;
356     /* Clear the "clear on read" status bits */
357     sd->card_status &= ~CARD_STATUS_C;
358 
359     response[0] = (status >> 24) & 0xff;
360     response[1] = (status >> 16) & 0xff;
361     response[2] = (status >> 8) & 0xff;
362     response[3] = (status >> 0) & 0xff;
363 }
364 
365 static void sd_response_r3_make(SDState *sd, uint8_t *response)
366 {
367     response[0] = (sd->ocr >> 24) & 0xff;
368     response[1] = (sd->ocr >> 16) & 0xff;
369     response[2] = (sd->ocr >> 8) & 0xff;
370     response[3] = (sd->ocr >> 0) & 0xff;
371 }
372 
373 static void sd_response_r6_make(SDState *sd, uint8_t *response)
374 {
375     uint16_t arg;
376     uint16_t status;
377 
378     arg = sd->rca;
379     status = ((sd->card_status >> 8) & 0xc000) |
380              ((sd->card_status >> 6) & 0x2000) |
381               (sd->card_status & 0x1fff);
382     sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
383 
384     response[0] = (arg >> 8) & 0xff;
385     response[1] = arg & 0xff;
386     response[2] = (status >> 8) & 0xff;
387     response[3] = status & 0xff;
388 }
389 
390 static void sd_response_r7_make(SDState *sd, uint8_t *response)
391 {
392     response[0] = (sd->vhs >> 24) & 0xff;
393     response[1] = (sd->vhs >> 16) & 0xff;
394     response[2] = (sd->vhs >>  8) & 0xff;
395     response[3] = (sd->vhs >>  0) & 0xff;
396 }
397 
398 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
399 {
400     return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
401 }
402 
403 static void sd_reset(SDState *sd, BlockDriverState *bdrv)
404 {
405     uint64_t size;
406     uint64_t sect;
407 
408     if (bdrv) {
409         bdrv_get_geometry(bdrv, &sect);
410     } else {
411         sect = 0;
412     }
413     size = sect << 9;
414 
415     sect = sd_addr_to_wpnum(size) + 1;
416 
417     sd->state = sd_idle_state;
418     sd->rca = 0x0000;
419     sd_set_ocr(sd);
420     sd_set_scr(sd);
421     sd_set_cid(sd);
422     sd_set_csd(sd, size);
423     sd_set_cardstatus(sd);
424     sd_set_sdstatus(sd);
425 
426     sd->bdrv = bdrv;
427 
428     if (sd->wp_groups)
429         g_free(sd->wp_groups);
430     sd->wp_switch = bdrv ? bdrv_is_read_only(bdrv) : false;
431     sd->wpgrps_size = sect;
432     sd->wp_groups = bitmap_new(sd->wpgrps_size);
433     memset(sd->function_group, 0, sizeof(sd->function_group));
434     sd->erase_start = 0;
435     sd->erase_end = 0;
436     sd->size = size;
437     sd->blk_len = 0x200;
438     sd->pwd_len = 0;
439     sd->expecting_acmd = false;
440 }
441 
442 static void sd_cardchange(void *opaque, bool load)
443 {
444     SDState *sd = opaque;
445 
446     qemu_set_irq(sd->inserted_cb, bdrv_is_inserted(sd->bdrv));
447     if (bdrv_is_inserted(sd->bdrv)) {
448         sd_reset(sd, sd->bdrv);
449         qemu_set_irq(sd->readonly_cb, sd->wp_switch);
450     }
451 }
452 
453 static const BlockDevOps sd_block_ops = {
454     .change_media_cb = sd_cardchange,
455 };
456 
457 static const VMStateDescription sd_vmstate = {
458     .name = "sd-card",
459     .version_id = 1,
460     .minimum_version_id = 1,
461     .fields = (VMStateField[]) {
462         VMSTATE_UINT32(mode, SDState),
463         VMSTATE_INT32(state, SDState),
464         VMSTATE_UINT8_ARRAY(cid, SDState, 16),
465         VMSTATE_UINT8_ARRAY(csd, SDState, 16),
466         VMSTATE_UINT16(rca, SDState),
467         VMSTATE_UINT32(card_status, SDState),
468         VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
469         VMSTATE_UINT32(vhs, SDState),
470         VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
471         VMSTATE_UINT32(blk_len, SDState),
472         VMSTATE_UINT32(erase_start, SDState),
473         VMSTATE_UINT32(erase_end, SDState),
474         VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
475         VMSTATE_UINT32(pwd_len, SDState),
476         VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
477         VMSTATE_UINT8(current_cmd, SDState),
478         VMSTATE_BOOL(expecting_acmd, SDState),
479         VMSTATE_UINT32(blk_written, SDState),
480         VMSTATE_UINT64(data_start, SDState),
481         VMSTATE_UINT32(data_offset, SDState),
482         VMSTATE_UINT8_ARRAY(data, SDState, 512),
483         VMSTATE_BUFFER_POINTER_UNSAFE(buf, SDState, 1, 512),
484         VMSTATE_BOOL(enable, SDState),
485         VMSTATE_END_OF_LIST()
486     }
487 };
488 
489 /* We do not model the chip select pin, so allow the board to select
490    whether card should be in SSI or MMC/SD mode.  It is also up to the
491    board to ensure that ssi transfers only occur when the chip select
492    is asserted.  */
493 SDState *sd_init(BlockDriverState *bs, bool is_spi)
494 {
495     SDState *sd;
496 
497     sd = (SDState *) g_malloc0(sizeof(SDState));
498     sd->buf = qemu_blockalign(bs, 512);
499     sd->spi = is_spi;
500     sd->enable = true;
501     sd_reset(sd, bs);
502     if (sd->bdrv) {
503         bdrv_attach_dev_nofail(sd->bdrv, sd);
504         bdrv_set_dev_ops(sd->bdrv, &sd_block_ops, sd);
505     }
506     vmstate_register(NULL, -1, &sd_vmstate, sd);
507     return sd;
508 }
509 
510 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
511 {
512     sd->readonly_cb = readonly;
513     sd->inserted_cb = insert;
514     qemu_set_irq(readonly, sd->bdrv ? bdrv_is_read_only(sd->bdrv) : 0);
515     qemu_set_irq(insert, sd->bdrv ? bdrv_is_inserted(sd->bdrv) : 0);
516 }
517 
518 static void sd_erase(SDState *sd)
519 {
520     int i;
521     uint64_t erase_start = sd->erase_start;
522     uint64_t erase_end = sd->erase_end;
523 
524     if (!sd->erase_start || !sd->erase_end) {
525         sd->card_status |= ERASE_SEQ_ERROR;
526         return;
527     }
528 
529     if (extract32(sd->ocr, OCR_CCS_BITN, 1)) {
530         /* High capacity memory card: erase units are 512 byte blocks */
531         erase_start *= 512;
532         erase_end *= 512;
533     }
534 
535     erase_start = sd_addr_to_wpnum(erase_start);
536     erase_end = sd_addr_to_wpnum(erase_end);
537     sd->erase_start = 0;
538     sd->erase_end = 0;
539     sd->csd[14] |= 0x40;
540 
541     for (i = erase_start; i <= erase_end; i++) {
542         if (test_bit(i, sd->wp_groups)) {
543             sd->card_status |= WP_ERASE_SKIP;
544         }
545     }
546 }
547 
548 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
549 {
550     uint32_t i, wpnum;
551     uint32_t ret = 0;
552 
553     wpnum = sd_addr_to_wpnum(addr);
554 
555     for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
556         if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
557             ret |= (1 << i);
558         }
559     }
560 
561     return ret;
562 }
563 
564 static void sd_function_switch(SDState *sd, uint32_t arg)
565 {
566     int i, mode, new_func, crc;
567     mode = !!(arg & 0x80000000);
568 
569     sd->data[0] = 0x00;		/* Maximum current consumption */
570     sd->data[1] = 0x01;
571     sd->data[2] = 0x80;		/* Supported group 6 functions */
572     sd->data[3] = 0x01;
573     sd->data[4] = 0x80;		/* Supported group 5 functions */
574     sd->data[5] = 0x01;
575     sd->data[6] = 0x80;		/* Supported group 4 functions */
576     sd->data[7] = 0x01;
577     sd->data[8] = 0x80;		/* Supported group 3 functions */
578     sd->data[9] = 0x01;
579     sd->data[10] = 0x80;	/* Supported group 2 functions */
580     sd->data[11] = 0x43;
581     sd->data[12] = 0x80;	/* Supported group 1 functions */
582     sd->data[13] = 0x03;
583     for (i = 0; i < 6; i ++) {
584         new_func = (arg >> (i * 4)) & 0x0f;
585         if (mode && new_func != 0x0f)
586             sd->function_group[i] = new_func;
587         sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
588     }
589     memset(&sd->data[17], 0, 47);
590     crc = sd_crc16(sd->data, 64);
591     sd->data[65] = crc >> 8;
592     sd->data[66] = crc & 0xff;
593 }
594 
595 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
596 {
597     return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
598 }
599 
600 static void sd_lock_command(SDState *sd)
601 {
602     int erase, lock, clr_pwd, set_pwd, pwd_len;
603     erase = !!(sd->data[0] & 0x08);
604     lock = sd->data[0] & 0x04;
605     clr_pwd = sd->data[0] & 0x02;
606     set_pwd = sd->data[0] & 0x01;
607 
608     if (sd->blk_len > 1)
609         pwd_len = sd->data[1];
610     else
611         pwd_len = 0;
612 
613     if (erase) {
614         if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
615                         set_pwd || clr_pwd || lock || sd->wp_switch ||
616                         (sd->csd[14] & 0x20)) {
617             sd->card_status |= LOCK_UNLOCK_FAILED;
618             return;
619         }
620         bitmap_zero(sd->wp_groups, sd->wpgrps_size);
621         sd->csd[14] &= ~0x10;
622         sd->card_status &= ~CARD_IS_LOCKED;
623         sd->pwd_len = 0;
624         /* Erasing the entire card here! */
625         fprintf(stderr, "SD: Card force-erased by CMD42\n");
626         return;
627     }
628 
629     if (sd->blk_len < 2 + pwd_len ||
630                     pwd_len <= sd->pwd_len ||
631                     pwd_len > sd->pwd_len + 16) {
632         sd->card_status |= LOCK_UNLOCK_FAILED;
633         return;
634     }
635 
636     if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
637         sd->card_status |= LOCK_UNLOCK_FAILED;
638         return;
639     }
640 
641     pwd_len -= sd->pwd_len;
642     if ((pwd_len && !set_pwd) ||
643                     (clr_pwd && (set_pwd || lock)) ||
644                     (lock && !sd->pwd_len && !set_pwd) ||
645                     (!set_pwd && !clr_pwd &&
646                      (((sd->card_status & CARD_IS_LOCKED) && lock) ||
647                       (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
648         sd->card_status |= LOCK_UNLOCK_FAILED;
649         return;
650     }
651 
652     if (set_pwd) {
653         memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
654         sd->pwd_len = pwd_len;
655     }
656 
657     if (clr_pwd) {
658         sd->pwd_len = 0;
659     }
660 
661     if (lock)
662         sd->card_status |= CARD_IS_LOCKED;
663     else
664         sd->card_status &= ~CARD_IS_LOCKED;
665 }
666 
667 static sd_rsp_type_t sd_normal_command(SDState *sd,
668                                        SDRequest req)
669 {
670     uint32_t rca = 0x0000;
671     uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
672 
673     /* Not interpreting this as an app command */
674     sd->card_status &= ~APP_CMD;
675 
676     if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc)
677         rca = req.arg >> 16;
678 
679     DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state);
680     switch (req.cmd) {
681     /* Basic commands (Class 0 and Class 1) */
682     case 0:	/* CMD0:   GO_IDLE_STATE */
683         switch (sd->state) {
684         case sd_inactive_state:
685             return sd->spi ? sd_r1 : sd_r0;
686 
687         default:
688             sd->state = sd_idle_state;
689             sd_reset(sd, sd->bdrv);
690             return sd->spi ? sd_r1 : sd_r0;
691         }
692         break;
693 
694     case 1:	/* CMD1:   SEND_OP_CMD */
695         if (!sd->spi)
696             goto bad_cmd;
697 
698         sd->state = sd_transfer_state;
699         return sd_r1;
700 
701     case 2:	/* CMD2:   ALL_SEND_CID */
702         if (sd->spi)
703             goto bad_cmd;
704         switch (sd->state) {
705         case sd_ready_state:
706             sd->state = sd_identification_state;
707             return sd_r2_i;
708 
709         default:
710             break;
711         }
712         break;
713 
714     case 3:	/* CMD3:   SEND_RELATIVE_ADDR */
715         if (sd->spi)
716             goto bad_cmd;
717         switch (sd->state) {
718         case sd_identification_state:
719         case sd_standby_state:
720             sd->state = sd_standby_state;
721             sd_set_rca(sd);
722             return sd_r6;
723 
724         default:
725             break;
726         }
727         break;
728 
729     case 4:	/* CMD4:   SEND_DSR */
730         if (sd->spi)
731             goto bad_cmd;
732         switch (sd->state) {
733         case sd_standby_state:
734             break;
735 
736         default:
737             break;
738         }
739         break;
740 
741     case 5: /* CMD5: reserved for SDIO cards */
742         return sd_illegal;
743 
744     case 6:	/* CMD6:   SWITCH_FUNCTION */
745         if (sd->spi)
746             goto bad_cmd;
747         switch (sd->mode) {
748         case sd_data_transfer_mode:
749             sd_function_switch(sd, req.arg);
750             sd->state = sd_sendingdata_state;
751             sd->data_start = 0;
752             sd->data_offset = 0;
753             return sd_r1;
754 
755         default:
756             break;
757         }
758         break;
759 
760     case 7:	/* CMD7:   SELECT/DESELECT_CARD */
761         if (sd->spi)
762             goto bad_cmd;
763         switch (sd->state) {
764         case sd_standby_state:
765             if (sd->rca != rca)
766                 return sd_r0;
767 
768             sd->state = sd_transfer_state;
769             return sd_r1b;
770 
771         case sd_transfer_state:
772         case sd_sendingdata_state:
773             if (sd->rca == rca)
774                 break;
775 
776             sd->state = sd_standby_state;
777             return sd_r1b;
778 
779         case sd_disconnect_state:
780             if (sd->rca != rca)
781                 return sd_r0;
782 
783             sd->state = sd_programming_state;
784             return sd_r1b;
785 
786         case sd_programming_state:
787             if (sd->rca == rca)
788                 break;
789 
790             sd->state = sd_disconnect_state;
791             return sd_r1b;
792 
793         default:
794             break;
795         }
796         break;
797 
798     case 8:	/* CMD8:   SEND_IF_COND */
799         /* Physical Layer Specification Version 2.00 command */
800         switch (sd->state) {
801         case sd_idle_state:
802             sd->vhs = 0;
803 
804             /* No response if not exactly one VHS bit is set.  */
805             if (!(req.arg >> 8) || (req.arg >> ffs(req.arg & ~0xff)))
806                 return sd->spi ? sd_r7 : sd_r0;
807 
808             /* Accept.  */
809             sd->vhs = req.arg;
810             return sd_r7;
811 
812         default:
813             break;
814         }
815         break;
816 
817     case 9:	/* CMD9:   SEND_CSD */
818         switch (sd->state) {
819         case sd_standby_state:
820             if (sd->rca != rca)
821                 return sd_r0;
822 
823             return sd_r2_s;
824 
825         case sd_transfer_state:
826             if (!sd->spi)
827                 break;
828             sd->state = sd_sendingdata_state;
829             memcpy(sd->data, sd->csd, 16);
830             sd->data_start = addr;
831             sd->data_offset = 0;
832             return sd_r1;
833 
834         default:
835             break;
836         }
837         break;
838 
839     case 10:	/* CMD10:  SEND_CID */
840         switch (sd->state) {
841         case sd_standby_state:
842             if (sd->rca != rca)
843                 return sd_r0;
844 
845             return sd_r2_i;
846 
847         case sd_transfer_state:
848             if (!sd->spi)
849                 break;
850             sd->state = sd_sendingdata_state;
851             memcpy(sd->data, sd->cid, 16);
852             sd->data_start = addr;
853             sd->data_offset = 0;
854             return sd_r1;
855 
856         default:
857             break;
858         }
859         break;
860 
861     case 11:	/* CMD11:  READ_DAT_UNTIL_STOP */
862         if (sd->spi)
863             goto bad_cmd;
864         switch (sd->state) {
865         case sd_transfer_state:
866             sd->state = sd_sendingdata_state;
867             sd->data_start = req.arg;
868             sd->data_offset = 0;
869 
870             if (sd->data_start + sd->blk_len > sd->size)
871                 sd->card_status |= ADDRESS_ERROR;
872             return sd_r0;
873 
874         default:
875             break;
876         }
877         break;
878 
879     case 12:	/* CMD12:  STOP_TRANSMISSION */
880         switch (sd->state) {
881         case sd_sendingdata_state:
882             sd->state = sd_transfer_state;
883             return sd_r1b;
884 
885         case sd_receivingdata_state:
886             sd->state = sd_programming_state;
887             /* Bzzzzzzztt .... Operation complete.  */
888             sd->state = sd_transfer_state;
889             return sd_r1b;
890 
891         default:
892             break;
893         }
894         break;
895 
896     case 13:	/* CMD13:  SEND_STATUS */
897         switch (sd->mode) {
898         case sd_data_transfer_mode:
899             if (sd->rca != rca)
900                 return sd_r0;
901 
902             return sd_r1;
903 
904         default:
905             break;
906         }
907         break;
908 
909     case 15:	/* CMD15:  GO_INACTIVE_STATE */
910         if (sd->spi)
911             goto bad_cmd;
912         switch (sd->mode) {
913         case sd_data_transfer_mode:
914             if (sd->rca != rca)
915                 return sd_r0;
916 
917             sd->state = sd_inactive_state;
918             return sd_r0;
919 
920         default:
921             break;
922         }
923         break;
924 
925     /* Block read commands (Classs 2) */
926     case 16:	/* CMD16:  SET_BLOCKLEN */
927         switch (sd->state) {
928         case sd_transfer_state:
929             if (req.arg > (1 << HWBLOCK_SHIFT))
930                 sd->card_status |= BLOCK_LEN_ERROR;
931             else
932                 sd->blk_len = req.arg;
933 
934             return sd_r1;
935 
936         default:
937             break;
938         }
939         break;
940 
941     case 17:	/* CMD17:  READ_SINGLE_BLOCK */
942         switch (sd->state) {
943         case sd_transfer_state:
944             sd->state = sd_sendingdata_state;
945             sd->data_start = addr;
946             sd->data_offset = 0;
947 
948             if (sd->data_start + sd->blk_len > sd->size)
949                 sd->card_status |= ADDRESS_ERROR;
950             return sd_r1;
951 
952         default:
953             break;
954         }
955         break;
956 
957     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
958         switch (sd->state) {
959         case sd_transfer_state:
960             sd->state = sd_sendingdata_state;
961             sd->data_start = addr;
962             sd->data_offset = 0;
963 
964             if (sd->data_start + sd->blk_len > sd->size)
965                 sd->card_status |= ADDRESS_ERROR;
966             return sd_r1;
967 
968         default:
969             break;
970         }
971         break;
972 
973     /* Block write commands (Class 4) */
974     case 24:	/* CMD24:  WRITE_SINGLE_BLOCK */
975         if (sd->spi)
976             goto unimplemented_cmd;
977         switch (sd->state) {
978         case sd_transfer_state:
979             /* Writing in SPI mode not implemented.  */
980             if (sd->spi)
981                 break;
982             sd->state = sd_receivingdata_state;
983             sd->data_start = addr;
984             sd->data_offset = 0;
985             sd->blk_written = 0;
986 
987             if (sd->data_start + sd->blk_len > sd->size)
988                 sd->card_status |= ADDRESS_ERROR;
989             if (sd_wp_addr(sd, sd->data_start))
990                 sd->card_status |= WP_VIOLATION;
991             if (sd->csd[14] & 0x30)
992                 sd->card_status |= WP_VIOLATION;
993             return sd_r1;
994 
995         default:
996             break;
997         }
998         break;
999 
1000     case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
1001         if (sd->spi)
1002             goto unimplemented_cmd;
1003         switch (sd->state) {
1004         case sd_transfer_state:
1005             /* Writing in SPI mode not implemented.  */
1006             if (sd->spi)
1007                 break;
1008             sd->state = sd_receivingdata_state;
1009             sd->data_start = addr;
1010             sd->data_offset = 0;
1011             sd->blk_written = 0;
1012 
1013             if (sd->data_start + sd->blk_len > sd->size)
1014                 sd->card_status |= ADDRESS_ERROR;
1015             if (sd_wp_addr(sd, sd->data_start))
1016                 sd->card_status |= WP_VIOLATION;
1017             if (sd->csd[14] & 0x30)
1018                 sd->card_status |= WP_VIOLATION;
1019             return sd_r1;
1020 
1021         default:
1022             break;
1023         }
1024         break;
1025 
1026     case 26:	/* CMD26:  PROGRAM_CID */
1027         if (sd->spi)
1028             goto bad_cmd;
1029         switch (sd->state) {
1030         case sd_transfer_state:
1031             sd->state = sd_receivingdata_state;
1032             sd->data_start = 0;
1033             sd->data_offset = 0;
1034             return sd_r1;
1035 
1036         default:
1037             break;
1038         }
1039         break;
1040 
1041     case 27:	/* CMD27:  PROGRAM_CSD */
1042         if (sd->spi)
1043             goto unimplemented_cmd;
1044         switch (sd->state) {
1045         case sd_transfer_state:
1046             sd->state = sd_receivingdata_state;
1047             sd->data_start = 0;
1048             sd->data_offset = 0;
1049             return sd_r1;
1050 
1051         default:
1052             break;
1053         }
1054         break;
1055 
1056     /* Write protection (Class 6) */
1057     case 28:	/* CMD28:  SET_WRITE_PROT */
1058         switch (sd->state) {
1059         case sd_transfer_state:
1060             if (addr >= sd->size) {
1061                 sd->card_status |= ADDRESS_ERROR;
1062                 return sd_r1b;
1063             }
1064 
1065             sd->state = sd_programming_state;
1066             set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1067             /* Bzzzzzzztt .... Operation complete.  */
1068             sd->state = sd_transfer_state;
1069             return sd_r1b;
1070 
1071         default:
1072             break;
1073         }
1074         break;
1075 
1076     case 29:	/* CMD29:  CLR_WRITE_PROT */
1077         switch (sd->state) {
1078         case sd_transfer_state:
1079             if (addr >= sd->size) {
1080                 sd->card_status |= ADDRESS_ERROR;
1081                 return sd_r1b;
1082             }
1083 
1084             sd->state = sd_programming_state;
1085             clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1086             /* Bzzzzzzztt .... Operation complete.  */
1087             sd->state = sd_transfer_state;
1088             return sd_r1b;
1089 
1090         default:
1091             break;
1092         }
1093         break;
1094 
1095     case 30:	/* CMD30:  SEND_WRITE_PROT */
1096         switch (sd->state) {
1097         case sd_transfer_state:
1098             sd->state = sd_sendingdata_state;
1099             *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1100             sd->data_start = addr;
1101             sd->data_offset = 0;
1102             return sd_r1b;
1103 
1104         default:
1105             break;
1106         }
1107         break;
1108 
1109     /* Erase commands (Class 5) */
1110     case 32:	/* CMD32:  ERASE_WR_BLK_START */
1111         switch (sd->state) {
1112         case sd_transfer_state:
1113             sd->erase_start = req.arg;
1114             return sd_r1;
1115 
1116         default:
1117             break;
1118         }
1119         break;
1120 
1121     case 33:	/* CMD33:  ERASE_WR_BLK_END */
1122         switch (sd->state) {
1123         case sd_transfer_state:
1124             sd->erase_end = req.arg;
1125             return sd_r1;
1126 
1127         default:
1128             break;
1129         }
1130         break;
1131 
1132     case 38:	/* CMD38:  ERASE */
1133         switch (sd->state) {
1134         case sd_transfer_state:
1135             if (sd->csd[14] & 0x30) {
1136                 sd->card_status |= WP_VIOLATION;
1137                 return sd_r1b;
1138             }
1139 
1140             sd->state = sd_programming_state;
1141             sd_erase(sd);
1142             /* Bzzzzzzztt .... Operation complete.  */
1143             sd->state = sd_transfer_state;
1144             return sd_r1b;
1145 
1146         default:
1147             break;
1148         }
1149         break;
1150 
1151     /* Lock card commands (Class 7) */
1152     case 42:	/* CMD42:  LOCK_UNLOCK */
1153         if (sd->spi)
1154             goto unimplemented_cmd;
1155         switch (sd->state) {
1156         case sd_transfer_state:
1157             sd->state = sd_receivingdata_state;
1158             sd->data_start = 0;
1159             sd->data_offset = 0;
1160             return sd_r1;
1161 
1162         default:
1163             break;
1164         }
1165         break;
1166 
1167     case 52:
1168     case 53:
1169         /* CMD52, CMD53: reserved for SDIO cards
1170          * (see the SDIO Simplified Specification V2.0)
1171          * Handle as illegal command but do not complain
1172          * on stderr, as some OSes may use these in their
1173          * probing for presence of an SDIO card.
1174          */
1175         return sd_illegal;
1176 
1177     /* Application specific commands (Class 8) */
1178     case 55:	/* CMD55:  APP_CMD */
1179         if (sd->rca != rca)
1180             return sd_r0;
1181 
1182         sd->expecting_acmd = true;
1183         sd->card_status |= APP_CMD;
1184         return sd_r1;
1185 
1186     case 56:	/* CMD56:  GEN_CMD */
1187         fprintf(stderr, "SD: GEN_CMD 0x%08x\n", req.arg);
1188 
1189         switch (sd->state) {
1190         case sd_transfer_state:
1191             sd->data_offset = 0;
1192             if (req.arg & 1)
1193                 sd->state = sd_sendingdata_state;
1194             else
1195                 sd->state = sd_receivingdata_state;
1196             return sd_r1;
1197 
1198         default:
1199             break;
1200         }
1201         break;
1202 
1203     default:
1204     bad_cmd:
1205         fprintf(stderr, "SD: Unknown CMD%i\n", req.cmd);
1206         return sd_illegal;
1207 
1208     unimplemented_cmd:
1209         /* Commands that are recognised but not yet implemented in SPI mode.  */
1210         fprintf(stderr, "SD: CMD%i not implemented in SPI mode\n", req.cmd);
1211         return sd_illegal;
1212     }
1213 
1214     fprintf(stderr, "SD: CMD%i in a wrong state\n", req.cmd);
1215     return sd_illegal;
1216 }
1217 
1218 static sd_rsp_type_t sd_app_command(SDState *sd,
1219                                     SDRequest req)
1220 {
1221     DPRINTF("ACMD%d 0x%08x\n", req.cmd, req.arg);
1222     sd->card_status |= APP_CMD;
1223     switch (req.cmd) {
1224     case 6:	/* ACMD6:  SET_BUS_WIDTH */
1225         switch (sd->state) {
1226         case sd_transfer_state:
1227             sd->sd_status[0] &= 0x3f;
1228             sd->sd_status[0] |= (req.arg & 0x03) << 6;
1229             return sd_r1;
1230 
1231         default:
1232             break;
1233         }
1234         break;
1235 
1236     case 13:	/* ACMD13: SD_STATUS */
1237         switch (sd->state) {
1238         case sd_transfer_state:
1239             sd->state = sd_sendingdata_state;
1240             sd->data_start = 0;
1241             sd->data_offset = 0;
1242             return sd_r1;
1243 
1244         default:
1245             break;
1246         }
1247         break;
1248 
1249     case 22:	/* ACMD22: SEND_NUM_WR_BLOCKS */
1250         switch (sd->state) {
1251         case sd_transfer_state:
1252             *(uint32_t *) sd->data = sd->blk_written;
1253 
1254             sd->state = sd_sendingdata_state;
1255             sd->data_start = 0;
1256             sd->data_offset = 0;
1257             return sd_r1;
1258 
1259         default:
1260             break;
1261         }
1262         break;
1263 
1264     case 23:	/* ACMD23: SET_WR_BLK_ERASE_COUNT */
1265         switch (sd->state) {
1266         case sd_transfer_state:
1267             return sd_r1;
1268 
1269         default:
1270             break;
1271         }
1272         break;
1273 
1274     case 41:	/* ACMD41: SD_APP_OP_COND */
1275         if (sd->spi) {
1276             /* SEND_OP_CMD */
1277             sd->state = sd_transfer_state;
1278             return sd_r1;
1279         }
1280         switch (sd->state) {
1281         case sd_idle_state:
1282             /* We accept any voltage.  10000 V is nothing.
1283              *
1284              * We don't model init delay so just advance straight to ready state
1285              * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1286              */
1287             if (req.arg & ACMD41_ENQUIRY_MASK) {
1288                 sd->state = sd_ready_state;
1289             }
1290 
1291             return sd_r3;
1292 
1293         default:
1294             break;
1295         }
1296         break;
1297 
1298     case 42:	/* ACMD42: SET_CLR_CARD_DETECT */
1299         switch (sd->state) {
1300         case sd_transfer_state:
1301             /* Bringing in the 50KOhm pull-up resistor... Done.  */
1302             return sd_r1;
1303 
1304         default:
1305             break;
1306         }
1307         break;
1308 
1309     case 51:	/* ACMD51: SEND_SCR */
1310         switch (sd->state) {
1311         case sd_transfer_state:
1312             sd->state = sd_sendingdata_state;
1313             sd->data_start = 0;
1314             sd->data_offset = 0;
1315             return sd_r1;
1316 
1317         default:
1318             break;
1319         }
1320         break;
1321 
1322     default:
1323         /* Fall back to standard commands.  */
1324         return sd_normal_command(sd, req);
1325     }
1326 
1327     fprintf(stderr, "SD: ACMD%i in a wrong state\n", req.cmd);
1328     return sd_illegal;
1329 }
1330 
1331 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1332 {
1333     /* Valid commands in locked state:
1334      * basic class (0)
1335      * lock card class (7)
1336      * CMD16
1337      * implicitly, the ACMD prefix CMD55
1338      * ACMD41 and ACMD42
1339      * Anything else provokes an "illegal command" response.
1340      */
1341     if (sd->expecting_acmd) {
1342         return req->cmd == 41 || req->cmd == 42;
1343     }
1344     if (req->cmd == 16 || req->cmd == 55) {
1345         return 1;
1346     }
1347     return sd_cmd_class[req->cmd] == 0 || sd_cmd_class[req->cmd] == 7;
1348 }
1349 
1350 int sd_do_command(SDState *sd, SDRequest *req,
1351                   uint8_t *response) {
1352     int last_state;
1353     sd_rsp_type_t rtype;
1354     int rsplen;
1355 
1356     if (!sd->bdrv || !bdrv_is_inserted(sd->bdrv) || !sd->enable) {
1357         return 0;
1358     }
1359 
1360     if (sd_req_crc_validate(req)) {
1361         sd->card_status |= COM_CRC_ERROR;
1362         rtype = sd_illegal;
1363         goto send_response;
1364     }
1365 
1366     if (sd->card_status & CARD_IS_LOCKED) {
1367         if (!cmd_valid_while_locked(sd, req)) {
1368             sd->card_status |= ILLEGAL_COMMAND;
1369             sd->expecting_acmd = false;
1370             fprintf(stderr, "SD: Card is locked\n");
1371             rtype = sd_illegal;
1372             goto send_response;
1373         }
1374     }
1375 
1376     last_state = sd->state;
1377     sd_set_mode(sd);
1378 
1379     if (sd->expecting_acmd) {
1380         sd->expecting_acmd = false;
1381         rtype = sd_app_command(sd, *req);
1382     } else {
1383         rtype = sd_normal_command(sd, *req);
1384     }
1385 
1386     if (rtype == sd_illegal) {
1387         sd->card_status |= ILLEGAL_COMMAND;
1388     } else {
1389         /* Valid command, we can update the 'state before command' bits.
1390          * (Do this now so they appear in r1 responses.)
1391          */
1392         sd->current_cmd = req->cmd;
1393         sd->card_status &= ~CURRENT_STATE;
1394         sd->card_status |= (last_state << 9);
1395     }
1396 
1397 send_response:
1398     switch (rtype) {
1399     case sd_r1:
1400     case sd_r1b:
1401         sd_response_r1_make(sd, response);
1402         rsplen = 4;
1403         break;
1404 
1405     case sd_r2_i:
1406         memcpy(response, sd->cid, sizeof(sd->cid));
1407         rsplen = 16;
1408         break;
1409 
1410     case sd_r2_s:
1411         memcpy(response, sd->csd, sizeof(sd->csd));
1412         rsplen = 16;
1413         break;
1414 
1415     case sd_r3:
1416         sd_response_r3_make(sd, response);
1417         rsplen = 4;
1418         break;
1419 
1420     case sd_r6:
1421         sd_response_r6_make(sd, response);
1422         rsplen = 4;
1423         break;
1424 
1425     case sd_r7:
1426         sd_response_r7_make(sd, response);
1427         rsplen = 4;
1428         break;
1429 
1430     case sd_r0:
1431     case sd_illegal:
1432     default:
1433         rsplen = 0;
1434         break;
1435     }
1436 
1437     if (rtype != sd_illegal) {
1438         /* Clear the "clear on valid command" status bits now we've
1439          * sent any response
1440          */
1441         sd->card_status &= ~CARD_STATUS_B;
1442     }
1443 
1444 #ifdef DEBUG_SD
1445     if (rsplen) {
1446         int i;
1447         DPRINTF("Response:");
1448         for (i = 0; i < rsplen; i++)
1449             fprintf(stderr, " %02x", response[i]);
1450         fprintf(stderr, " state %d\n", sd->state);
1451     } else {
1452         DPRINTF("No response %d\n", sd->state);
1453     }
1454 #endif
1455 
1456     return rsplen;
1457 }
1458 
1459 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1460 {
1461     uint64_t end = addr + len;
1462 
1463     DPRINTF("sd_blk_read: addr = 0x%08llx, len = %d\n",
1464             (unsigned long long) addr, len);
1465     if (!sd->bdrv || bdrv_read(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1466         fprintf(stderr, "sd_blk_read: read error on host side\n");
1467         return;
1468     }
1469 
1470     if (end > (addr & ~511) + 512) {
1471         memcpy(sd->data, sd->buf + (addr & 511), 512 - (addr & 511));
1472 
1473         if (bdrv_read(sd->bdrv, end >> 9, sd->buf, 1) < 0) {
1474             fprintf(stderr, "sd_blk_read: read error on host side\n");
1475             return;
1476         }
1477         memcpy(sd->data + 512 - (addr & 511), sd->buf, end & 511);
1478     } else
1479         memcpy(sd->data, sd->buf + (addr & 511), len);
1480 }
1481 
1482 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1483 {
1484     uint64_t end = addr + len;
1485 
1486     if ((addr & 511) || len < 512)
1487         if (!sd->bdrv || bdrv_read(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1488             fprintf(stderr, "sd_blk_write: read error on host side\n");
1489             return;
1490         }
1491 
1492     if (end > (addr & ~511) + 512) {
1493         memcpy(sd->buf + (addr & 511), sd->data, 512 - (addr & 511));
1494         if (bdrv_write(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1495             fprintf(stderr, "sd_blk_write: write error on host side\n");
1496             return;
1497         }
1498 
1499         if (bdrv_read(sd->bdrv, end >> 9, sd->buf, 1) < 0) {
1500             fprintf(stderr, "sd_blk_write: read error on host side\n");
1501             return;
1502         }
1503         memcpy(sd->buf, sd->data + 512 - (addr & 511), end & 511);
1504         if (bdrv_write(sd->bdrv, end >> 9, sd->buf, 1) < 0) {
1505             fprintf(stderr, "sd_blk_write: write error on host side\n");
1506         }
1507     } else {
1508         memcpy(sd->buf + (addr & 511), sd->data, len);
1509         if (!sd->bdrv || bdrv_write(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1510             fprintf(stderr, "sd_blk_write: write error on host side\n");
1511         }
1512     }
1513 }
1514 
1515 #define BLK_READ_BLOCK(a, len)	sd_blk_read(sd, a, len)
1516 #define BLK_WRITE_BLOCK(a, len)	sd_blk_write(sd, a, len)
1517 #define APP_READ_BLOCK(a, len)	memset(sd->data, 0xec, len)
1518 #define APP_WRITE_BLOCK(a, len)
1519 
1520 void sd_write_data(SDState *sd, uint8_t value)
1521 {
1522     int i;
1523 
1524     if (!sd->bdrv || !bdrv_is_inserted(sd->bdrv) || !sd->enable)
1525         return;
1526 
1527     if (sd->state != sd_receivingdata_state) {
1528         fprintf(stderr, "sd_write_data: not in Receiving-Data state\n");
1529         return;
1530     }
1531 
1532     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1533         return;
1534 
1535     switch (sd->current_cmd) {
1536     case 24:	/* CMD24:  WRITE_SINGLE_BLOCK */
1537         sd->data[sd->data_offset ++] = value;
1538         if (sd->data_offset >= sd->blk_len) {
1539             /* TODO: Check CRC before committing */
1540             sd->state = sd_programming_state;
1541             BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1542             sd->blk_written ++;
1543             sd->csd[14] |= 0x40;
1544             /* Bzzzzzzztt .... Operation complete.  */
1545             sd->state = sd_transfer_state;
1546         }
1547         break;
1548 
1549     case 25:	/* CMD25:  WRITE_MULTIPLE_BLOCK */
1550         if (sd->data_offset == 0) {
1551             /* Start of the block - let's check the address is valid */
1552             if (sd->data_start + sd->blk_len > sd->size) {
1553                 sd->card_status |= ADDRESS_ERROR;
1554                 break;
1555             }
1556             if (sd_wp_addr(sd, sd->data_start)) {
1557                 sd->card_status |= WP_VIOLATION;
1558                 break;
1559             }
1560         }
1561         sd->data[sd->data_offset++] = value;
1562         if (sd->data_offset >= sd->blk_len) {
1563             /* TODO: Check CRC before committing */
1564             sd->state = sd_programming_state;
1565             BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1566             sd->blk_written++;
1567             sd->data_start += sd->blk_len;
1568             sd->data_offset = 0;
1569             sd->csd[14] |= 0x40;
1570 
1571             /* Bzzzzzzztt .... Operation complete.  */
1572             sd->state = sd_receivingdata_state;
1573         }
1574         break;
1575 
1576     case 26:	/* CMD26:  PROGRAM_CID */
1577         sd->data[sd->data_offset ++] = value;
1578         if (sd->data_offset >= sizeof(sd->cid)) {
1579             /* TODO: Check CRC before committing */
1580             sd->state = sd_programming_state;
1581             for (i = 0; i < sizeof(sd->cid); i ++)
1582                 if ((sd->cid[i] | 0x00) != sd->data[i])
1583                     sd->card_status |= CID_CSD_OVERWRITE;
1584 
1585             if (!(sd->card_status & CID_CSD_OVERWRITE))
1586                 for (i = 0; i < sizeof(sd->cid); i ++) {
1587                     sd->cid[i] |= 0x00;
1588                     sd->cid[i] &= sd->data[i];
1589                 }
1590             /* Bzzzzzzztt .... Operation complete.  */
1591             sd->state = sd_transfer_state;
1592         }
1593         break;
1594 
1595     case 27:	/* CMD27:  PROGRAM_CSD */
1596         sd->data[sd->data_offset ++] = value;
1597         if (sd->data_offset >= sizeof(sd->csd)) {
1598             /* TODO: Check CRC before committing */
1599             sd->state = sd_programming_state;
1600             for (i = 0; i < sizeof(sd->csd); i ++)
1601                 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1602                     (sd->data[i] | sd_csd_rw_mask[i]))
1603                     sd->card_status |= CID_CSD_OVERWRITE;
1604 
1605             /* Copy flag (OTP) & Permanent write protect */
1606             if (sd->csd[14] & ~sd->data[14] & 0x60)
1607                 sd->card_status |= CID_CSD_OVERWRITE;
1608 
1609             if (!(sd->card_status & CID_CSD_OVERWRITE))
1610                 for (i = 0; i < sizeof(sd->csd); i ++) {
1611                     sd->csd[i] |= sd_csd_rw_mask[i];
1612                     sd->csd[i] &= sd->data[i];
1613                 }
1614             /* Bzzzzzzztt .... Operation complete.  */
1615             sd->state = sd_transfer_state;
1616         }
1617         break;
1618 
1619     case 42:	/* CMD42:  LOCK_UNLOCK */
1620         sd->data[sd->data_offset ++] = value;
1621         if (sd->data_offset >= sd->blk_len) {
1622             /* TODO: Check CRC before committing */
1623             sd->state = sd_programming_state;
1624             sd_lock_command(sd);
1625             /* Bzzzzzzztt .... Operation complete.  */
1626             sd->state = sd_transfer_state;
1627         }
1628         break;
1629 
1630     case 56:	/* CMD56:  GEN_CMD */
1631         sd->data[sd->data_offset ++] = value;
1632         if (sd->data_offset >= sd->blk_len) {
1633             APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1634             sd->state = sd_transfer_state;
1635         }
1636         break;
1637 
1638     default:
1639         fprintf(stderr, "sd_write_data: unknown command\n");
1640         break;
1641     }
1642 }
1643 
1644 uint8_t sd_read_data(SDState *sd)
1645 {
1646     /* TODO: Append CRCs */
1647     uint8_t ret;
1648     int io_len;
1649 
1650     if (!sd->bdrv || !bdrv_is_inserted(sd->bdrv) || !sd->enable)
1651         return 0x00;
1652 
1653     if (sd->state != sd_sendingdata_state) {
1654         fprintf(stderr, "sd_read_data: not in Sending-Data state\n");
1655         return 0x00;
1656     }
1657 
1658     if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1659         return 0x00;
1660 
1661     io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1662 
1663     switch (sd->current_cmd) {
1664     case 6:	/* CMD6:   SWITCH_FUNCTION */
1665         ret = sd->data[sd->data_offset ++];
1666 
1667         if (sd->data_offset >= 64)
1668             sd->state = sd_transfer_state;
1669         break;
1670 
1671     case 9:	/* CMD9:   SEND_CSD */
1672     case 10:	/* CMD10:  SEND_CID */
1673         ret = sd->data[sd->data_offset ++];
1674 
1675         if (sd->data_offset >= 16)
1676             sd->state = sd_transfer_state;
1677         break;
1678 
1679     case 11:	/* CMD11:  READ_DAT_UNTIL_STOP */
1680         if (sd->data_offset == 0)
1681             BLK_READ_BLOCK(sd->data_start, io_len);
1682         ret = sd->data[sd->data_offset ++];
1683 
1684         if (sd->data_offset >= io_len) {
1685             sd->data_start += io_len;
1686             sd->data_offset = 0;
1687             if (sd->data_start + io_len > sd->size) {
1688                 sd->card_status |= ADDRESS_ERROR;
1689                 break;
1690             }
1691         }
1692         break;
1693 
1694     case 13:	/* ACMD13: SD_STATUS */
1695         ret = sd->sd_status[sd->data_offset ++];
1696 
1697         if (sd->data_offset >= sizeof(sd->sd_status))
1698             sd->state = sd_transfer_state;
1699         break;
1700 
1701     case 17:	/* CMD17:  READ_SINGLE_BLOCK */
1702         if (sd->data_offset == 0)
1703             BLK_READ_BLOCK(sd->data_start, io_len);
1704         ret = sd->data[sd->data_offset ++];
1705 
1706         if (sd->data_offset >= io_len)
1707             sd->state = sd_transfer_state;
1708         break;
1709 
1710     case 18:	/* CMD18:  READ_MULTIPLE_BLOCK */
1711         if (sd->data_offset == 0)
1712             BLK_READ_BLOCK(sd->data_start, io_len);
1713         ret = sd->data[sd->data_offset ++];
1714 
1715         if (sd->data_offset >= io_len) {
1716             sd->data_start += io_len;
1717             sd->data_offset = 0;
1718             if (sd->data_start + io_len > sd->size) {
1719                 sd->card_status |= ADDRESS_ERROR;
1720                 break;
1721             }
1722         }
1723         break;
1724 
1725     case 22:	/* ACMD22: SEND_NUM_WR_BLOCKS */
1726         ret = sd->data[sd->data_offset ++];
1727 
1728         if (sd->data_offset >= 4)
1729             sd->state = sd_transfer_state;
1730         break;
1731 
1732     case 30:	/* CMD30:  SEND_WRITE_PROT */
1733         ret = sd->data[sd->data_offset ++];
1734 
1735         if (sd->data_offset >= 4)
1736             sd->state = sd_transfer_state;
1737         break;
1738 
1739     case 51:	/* ACMD51: SEND_SCR */
1740         ret = sd->scr[sd->data_offset ++];
1741 
1742         if (sd->data_offset >= sizeof(sd->scr))
1743             sd->state = sd_transfer_state;
1744         break;
1745 
1746     case 56:	/* CMD56:  GEN_CMD */
1747         if (sd->data_offset == 0)
1748             APP_READ_BLOCK(sd->data_start, sd->blk_len);
1749         ret = sd->data[sd->data_offset ++];
1750 
1751         if (sd->data_offset >= sd->blk_len)
1752             sd->state = sd_transfer_state;
1753         break;
1754 
1755     default:
1756         fprintf(stderr, "sd_read_data: unknown command\n");
1757         return 0x00;
1758     }
1759 
1760     return ret;
1761 }
1762 
1763 bool sd_data_ready(SDState *sd)
1764 {
1765     return sd->state == sd_sendingdata_state;
1766 }
1767 
1768 void sd_enable(SDState *sd, bool enable)
1769 {
1770     sd->enable = enable;
1771 }
1772