1 /* 2 * SD Memory Card emulation as defined in the "SD Memory Card Physical 3 * layer specification, Version 1.10." 4 * 5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org> 6 * Copyright (c) 2007 CodeSourcery 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' 20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR 23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #include "qemu/osdep.h" 33 #include "hw/qdev.h" 34 #include "hw/hw.h" 35 #include "hw/registerfields.h" 36 #include "sysemu/block-backend.h" 37 #include "hw/sd/sd.h" 38 #include "qapi/error.h" 39 #include "qemu/bitmap.h" 40 #include "qemu/cutils.h" 41 #include "hw/qdev-properties.h" 42 #include "qemu/error-report.h" 43 #include "qemu/timer.h" 44 #include "qemu/log.h" 45 #include "sdmmc-internal.h" 46 #include "trace.h" 47 48 //#define DEBUG_SD 1 49 50 typedef enum { 51 sd_r0 = 0, /* no response */ 52 sd_r1, /* normal response command */ 53 sd_r2_i, /* CID register */ 54 sd_r2_s, /* CSD register */ 55 sd_r3, /* OCR register */ 56 sd_r6 = 6, /* Published RCA response */ 57 sd_r7, /* Operating voltage */ 58 sd_r1b = -1, 59 sd_illegal = -2, 60 } sd_rsp_type_t; 61 62 enum SDCardModes { 63 sd_inactive, 64 sd_card_identification_mode, 65 sd_data_transfer_mode, 66 }; 67 68 enum SDCardStates { 69 sd_inactive_state = -1, 70 sd_idle_state = 0, 71 sd_ready_state, 72 sd_identification_state, 73 sd_standby_state, 74 sd_transfer_state, 75 sd_sendingdata_state, 76 sd_receivingdata_state, 77 sd_programming_state, 78 sd_disconnect_state, 79 }; 80 81 struct SDState { 82 DeviceState parent_obj; 83 84 /* SD Memory Card Registers */ 85 uint32_t ocr; 86 uint8_t scr[8]; 87 uint8_t cid[16]; 88 uint8_t csd[16]; 89 uint16_t rca; 90 uint32_t card_status; 91 uint8_t sd_status[64]; 92 93 /* Configurable properties */ 94 BlockBackend *blk; 95 bool spi; 96 97 uint32_t mode; /* current card mode, one of SDCardModes */ 98 int32_t state; /* current card state, one of SDCardStates */ 99 uint32_t vhs; 100 bool wp_switch; 101 unsigned long *wp_groups; 102 int32_t wpgrps_size; 103 uint64_t size; 104 uint32_t blk_len; 105 uint32_t multi_blk_cnt; 106 uint32_t erase_start; 107 uint32_t erase_end; 108 uint8_t pwd[16]; 109 uint32_t pwd_len; 110 uint8_t function_group[6]; 111 uint8_t current_cmd; 112 /* True if we will handle the next command as an ACMD. Note that this does 113 * *not* track the APP_CMD status bit! 114 */ 115 bool expecting_acmd; 116 uint32_t blk_written; 117 uint64_t data_start; 118 uint32_t data_offset; 119 uint8_t data[512]; 120 qemu_irq readonly_cb; 121 qemu_irq inserted_cb; 122 QEMUTimer *ocr_power_timer; 123 const char *proto_name; 124 bool enable; 125 uint8_t dat_lines; 126 bool cmd_line; 127 }; 128 129 static const char *sd_state_name(enum SDCardStates state) 130 { 131 static const char *state_name[] = { 132 [sd_idle_state] = "idle", 133 [sd_ready_state] = "ready", 134 [sd_identification_state] = "identification", 135 [sd_standby_state] = "standby", 136 [sd_transfer_state] = "transfer", 137 [sd_sendingdata_state] = "sendingdata", 138 [sd_receivingdata_state] = "receivingdata", 139 [sd_programming_state] = "programming", 140 [sd_disconnect_state] = "disconnect", 141 }; 142 if (state == sd_inactive_state) { 143 return "inactive"; 144 } 145 assert(state <= ARRAY_SIZE(state_name)); 146 return state_name[state]; 147 } 148 149 static const char *sd_response_name(sd_rsp_type_t rsp) 150 { 151 static const char *response_name[] = { 152 [sd_r0] = "RESP#0 (no response)", 153 [sd_r1] = "RESP#1 (normal cmd)", 154 [sd_r2_i] = "RESP#2 (CID reg)", 155 [sd_r2_s] = "RESP#2 (CSD reg)", 156 [sd_r3] = "RESP#3 (OCR reg)", 157 [sd_r6] = "RESP#6 (RCA)", 158 [sd_r7] = "RESP#7 (operating voltage)", 159 }; 160 if (rsp == sd_illegal) { 161 return "ILLEGAL RESP"; 162 } 163 if (rsp == sd_r1b) { 164 rsp = sd_r1; 165 } 166 assert(rsp <= ARRAY_SIZE(response_name)); 167 return response_name[rsp]; 168 } 169 170 static uint8_t sd_get_dat_lines(SDState *sd) 171 { 172 return sd->enable ? sd->dat_lines : 0; 173 } 174 175 static bool sd_get_cmd_line(SDState *sd) 176 { 177 return sd->enable ? sd->cmd_line : false; 178 } 179 180 static void sd_set_voltage(SDState *sd, uint16_t millivolts) 181 { 182 trace_sdcard_set_voltage(millivolts); 183 184 switch (millivolts) { 185 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */ 186 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */ 187 break; 188 default: 189 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV", 190 millivolts / 1000.f); 191 } 192 } 193 194 static void sd_set_mode(SDState *sd) 195 { 196 switch (sd->state) { 197 case sd_inactive_state: 198 sd->mode = sd_inactive; 199 break; 200 201 case sd_idle_state: 202 case sd_ready_state: 203 case sd_identification_state: 204 sd->mode = sd_card_identification_mode; 205 break; 206 207 case sd_standby_state: 208 case sd_transfer_state: 209 case sd_sendingdata_state: 210 case sd_receivingdata_state: 211 case sd_programming_state: 212 case sd_disconnect_state: 213 sd->mode = sd_data_transfer_mode; 214 break; 215 } 216 } 217 218 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = { 219 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac, 220 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac, 221 /* 16 */ 222 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, 223 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none, 224 /* 32 */ 225 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none, 226 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none, 227 /* 48 */ 228 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, 229 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, 230 }; 231 232 static const int sd_cmd_class[SDMMC_CMD_MAX] = { 233 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 234 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6, 235 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7, 236 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8, 237 }; 238 239 static uint8_t sd_crc7(void *message, size_t width) 240 { 241 int i, bit; 242 uint8_t shift_reg = 0x00; 243 uint8_t *msg = (uint8_t *) message; 244 245 for (i = 0; i < width; i ++, msg ++) 246 for (bit = 7; bit >= 0; bit --) { 247 shift_reg <<= 1; 248 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1)) 249 shift_reg ^= 0x89; 250 } 251 252 return shift_reg; 253 } 254 255 static uint16_t sd_crc16(void *message, size_t width) 256 { 257 int i, bit; 258 uint16_t shift_reg = 0x0000; 259 uint16_t *msg = (uint16_t *) message; 260 width <<= 1; 261 262 for (i = 0; i < width; i ++, msg ++) 263 for (bit = 15; bit >= 0; bit --) { 264 shift_reg <<= 1; 265 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1)) 266 shift_reg ^= 0x1011; 267 } 268 269 return shift_reg; 270 } 271 272 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */ 273 274 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24) 275 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8) 276 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1) 277 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16) 278 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */ 279 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */ 280 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */ 281 FIELD(OCR, CARD_POWER_UP, 31, 1) 282 283 #define ACMD41_ENQUIRY_MASK 0x00ffffff 284 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \ 285 | R_OCR_ACCEPT_SWITCH_1V8_MASK \ 286 | R_OCR_UHS_II_CARD_MASK \ 287 | R_OCR_CARD_CAPACITY_MASK \ 288 | R_OCR_CARD_POWER_UP_MASK) 289 290 static void sd_set_ocr(SDState *sd) 291 { 292 /* All voltages OK */ 293 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK; 294 } 295 296 static void sd_ocr_powerup(void *opaque) 297 { 298 SDState *sd = opaque; 299 300 trace_sdcard_powerup(); 301 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)); 302 303 /* card power-up OK */ 304 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1); 305 306 if (sd->size > 1 * G_BYTE) { 307 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1); 308 } 309 } 310 311 static void sd_set_scr(SDState *sd) 312 { 313 sd->scr[0] = (0 << 4) /* SCR version 1.0 */ 314 | 0; /* Spec Versions 1.0 and 1.01 */ 315 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */ 316 | 0b0101; /* 1-bit or 4-bit width bus modes */ 317 sd->scr[2] = 0x00; /* Extended Security is not supported. */ 318 sd->scr[3] = 0x00; 319 /* reserved for manufacturer usage */ 320 sd->scr[4] = 0x00; 321 sd->scr[5] = 0x00; 322 sd->scr[6] = 0x00; 323 sd->scr[7] = 0x00; 324 } 325 326 #define MID 0xaa 327 #define OID "XY" 328 #define PNM "QEMU!" 329 #define PRV 0x01 330 #define MDT_YR 2006 331 #define MDT_MON 2 332 333 static void sd_set_cid(SDState *sd) 334 { 335 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */ 336 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */ 337 sd->cid[2] = OID[1]; 338 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */ 339 sd->cid[4] = PNM[1]; 340 sd->cid[5] = PNM[2]; 341 sd->cid[6] = PNM[3]; 342 sd->cid[7] = PNM[4]; 343 sd->cid[8] = PRV; /* Fake product revision (PRV) */ 344 sd->cid[9] = 0xde; /* Fake serial number (PSN) */ 345 sd->cid[10] = 0xad; 346 sd->cid[11] = 0xbe; 347 sd->cid[12] = 0xef; 348 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */ 349 ((MDT_YR - 2000) / 10); 350 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON; 351 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1; 352 } 353 354 #define HWBLOCK_SHIFT 9 /* 512 bytes */ 355 #define SECTOR_SHIFT 5 /* 16 kilobytes */ 356 #define WPGROUP_SHIFT 7 /* 2 megs */ 357 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */ 358 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT)) 359 360 static const uint8_t sd_csd_rw_mask[16] = { 361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 362 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe, 363 }; 364 365 static void sd_set_csd(SDState *sd, uint64_t size) 366 { 367 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1; 368 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1; 369 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1; 370 371 if (size <= 1 * G_BYTE) { /* Standard Capacity SD */ 372 sd->csd[0] = 0x00; /* CSD structure */ 373 sd->csd[1] = 0x26; /* Data read access-time-1 */ 374 sd->csd[2] = 0x00; /* Data read access-time-2 */ 375 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */ 376 sd->csd[4] = 0x5f; /* Card Command Classes */ 377 sd->csd[5] = 0x50 | /* Max. read data block length */ 378 HWBLOCK_SHIFT; 379 sd->csd[6] = 0xe0 | /* Partial block for read allowed */ 380 ((csize >> 10) & 0x03); 381 sd->csd[7] = 0x00 | /* Device size */ 382 ((csize >> 2) & 0xff); 383 sd->csd[8] = 0x3f | /* Max. read current */ 384 ((csize << 6) & 0xc0); 385 sd->csd[9] = 0xfc | /* Max. write current */ 386 ((CMULT_SHIFT - 2) >> 1); 387 sd->csd[10] = 0x40 | /* Erase sector size */ 388 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1); 389 sd->csd[11] = 0x00 | /* Write protect group size */ 390 ((sectsize << 7) & 0x80) | wpsize; 391 sd->csd[12] = 0x90 | /* Write speed factor */ 392 (HWBLOCK_SHIFT >> 2); 393 sd->csd[13] = 0x20 | /* Max. write data block length */ 394 ((HWBLOCK_SHIFT << 6) & 0xc0); 395 sd->csd[14] = 0x00; /* File format group */ 396 } else { /* SDHC */ 397 size /= 512 * 1024; 398 size -= 1; 399 sd->csd[0] = 0x40; 400 sd->csd[1] = 0x0e; 401 sd->csd[2] = 0x00; 402 sd->csd[3] = 0x32; 403 sd->csd[4] = 0x5b; 404 sd->csd[5] = 0x59; 405 sd->csd[6] = 0x00; 406 sd->csd[7] = (size >> 16) & 0xff; 407 sd->csd[8] = (size >> 8) & 0xff; 408 sd->csd[9] = (size & 0xff); 409 sd->csd[10] = 0x7f; 410 sd->csd[11] = 0x80; 411 sd->csd[12] = 0x0a; 412 sd->csd[13] = 0x40; 413 sd->csd[14] = 0x00; 414 } 415 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1; 416 } 417 418 static void sd_set_rca(SDState *sd) 419 { 420 sd->rca += 0x4567; 421 } 422 423 FIELD(CSR, AKE_SEQ_ERROR, 3, 1) 424 FIELD(CSR, APP_CMD, 5, 1) 425 FIELD(CSR, FX_EVENT, 6, 1) 426 FIELD(CSR, READY_FOR_DATA, 8, 1) 427 FIELD(CSR, CURRENT_STATE, 9, 4) 428 FIELD(CSR, ERASE_RESET, 13, 1) 429 FIELD(CSR, CARD_ECC_DISABLED, 14, 1) 430 FIELD(CSR, WP_ERASE_SKIP, 15, 1) 431 FIELD(CSR, CSD_OVERWRITE, 16, 1) 432 FIELD(CSR, DEFERRED_RESPONSE, 17, 1) 433 FIELD(CSR, ERROR, 19, 1) 434 FIELD(CSR, CC_ERROR, 20, 1) 435 FIELD(CSR, CARD_ECC_FAILED, 21, 1) 436 FIELD(CSR, ILLEGAL_COMMAND, 22, 1) 437 FIELD(CSR, COM_CRC_ERROR, 23, 1) 438 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1) 439 FIELD(CSR, CARD_IS_LOCKED, 25, 1) 440 FIELD(CSR, WP_VIOLATION, 26, 1) 441 FIELD(CSR, ERASE_PARAM, 27, 1) 442 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1) 443 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1) 444 FIELD(CSR, ADDRESS_ERROR, 30, 1) 445 FIELD(CSR, OUT_OF_RANGE, 31, 1) 446 447 /* Card status bits, split by clear condition: 448 * A : According to the card current state 449 * B : Always related to the previous command 450 * C : Cleared by read 451 */ 452 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \ 453 | R_CSR_CARD_ECC_DISABLED_MASK \ 454 | R_CSR_CARD_IS_LOCKED_MASK) 455 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \ 456 | R_CSR_ILLEGAL_COMMAND_MASK \ 457 | R_CSR_COM_CRC_ERROR_MASK) 458 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \ 459 | R_CSR_APP_CMD_MASK \ 460 | R_CSR_ERASE_RESET_MASK \ 461 | R_CSR_WP_ERASE_SKIP_MASK \ 462 | R_CSR_CSD_OVERWRITE_MASK \ 463 | R_CSR_ERROR_MASK \ 464 | R_CSR_CC_ERROR_MASK \ 465 | R_CSR_CARD_ECC_FAILED_MASK \ 466 | R_CSR_LOCK_UNLOCK_FAILED_MASK \ 467 | R_CSR_WP_VIOLATION_MASK \ 468 | R_CSR_ERASE_PARAM_MASK \ 469 | R_CSR_ERASE_SEQ_ERROR_MASK \ 470 | R_CSR_BLOCK_LEN_ERROR_MASK \ 471 | R_CSR_ADDRESS_ERROR_MASK \ 472 | R_CSR_OUT_OF_RANGE_MASK) 473 474 static void sd_set_cardstatus(SDState *sd) 475 { 476 sd->card_status = 0x00000100; 477 } 478 479 static void sd_set_sdstatus(SDState *sd) 480 { 481 memset(sd->sd_status, 0, 64); 482 } 483 484 static int sd_req_crc_validate(SDRequest *req) 485 { 486 uint8_t buffer[5]; 487 buffer[0] = 0x40 | req->cmd; 488 stl_be_p(&buffer[1], req->arg); 489 return 0; 490 return sd_crc7(buffer, 5) != req->crc; /* TODO */ 491 } 492 493 static void sd_response_r1_make(SDState *sd, uint8_t *response) 494 { 495 stl_be_p(response, sd->card_status); 496 497 /* Clear the "clear on read" status bits */ 498 sd->card_status &= ~CARD_STATUS_C; 499 } 500 501 static void sd_response_r3_make(SDState *sd, uint8_t *response) 502 { 503 stl_be_p(response, sd->ocr & ACMD41_R3_MASK); 504 } 505 506 static void sd_response_r6_make(SDState *sd, uint8_t *response) 507 { 508 uint16_t status; 509 510 status = ((sd->card_status >> 8) & 0xc000) | 511 ((sd->card_status >> 6) & 0x2000) | 512 (sd->card_status & 0x1fff); 513 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff); 514 stw_be_p(response + 0, sd->rca); 515 stw_be_p(response + 2, status); 516 } 517 518 static void sd_response_r7_make(SDState *sd, uint8_t *response) 519 { 520 stl_be_p(response, sd->vhs); 521 } 522 523 static inline uint64_t sd_addr_to_wpnum(uint64_t addr) 524 { 525 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT); 526 } 527 528 static void sd_reset(DeviceState *dev) 529 { 530 SDState *sd = SD_CARD(dev); 531 uint64_t size; 532 uint64_t sect; 533 534 trace_sdcard_reset(); 535 if (sd->blk) { 536 blk_get_geometry(sd->blk, §); 537 } else { 538 sect = 0; 539 } 540 size = sect << 9; 541 542 sect = sd_addr_to_wpnum(size) + 1; 543 544 sd->state = sd_idle_state; 545 sd->rca = 0x0000; 546 sd_set_ocr(sd); 547 sd_set_scr(sd); 548 sd_set_cid(sd); 549 sd_set_csd(sd, size); 550 sd_set_cardstatus(sd); 551 sd_set_sdstatus(sd); 552 553 g_free(sd->wp_groups); 554 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false; 555 sd->wpgrps_size = sect; 556 sd->wp_groups = bitmap_new(sd->wpgrps_size); 557 memset(sd->function_group, 0, sizeof(sd->function_group)); 558 sd->erase_start = 0; 559 sd->erase_end = 0; 560 sd->size = size; 561 sd->blk_len = 0x200; 562 sd->pwd_len = 0; 563 sd->expecting_acmd = false; 564 sd->dat_lines = 0xf; 565 sd->cmd_line = true; 566 sd->multi_blk_cnt = 0; 567 } 568 569 static bool sd_get_inserted(SDState *sd) 570 { 571 return sd->blk && blk_is_inserted(sd->blk); 572 } 573 574 static bool sd_get_readonly(SDState *sd) 575 { 576 return sd->wp_switch; 577 } 578 579 static void sd_cardchange(void *opaque, bool load, Error **errp) 580 { 581 SDState *sd = opaque; 582 DeviceState *dev = DEVICE(sd); 583 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev)); 584 bool inserted = sd_get_inserted(sd); 585 bool readonly = sd_get_readonly(sd); 586 587 if (inserted) { 588 trace_sdcard_inserted(readonly); 589 sd_reset(dev); 590 } else { 591 trace_sdcard_ejected(); 592 } 593 594 /* The IRQ notification is for legacy non-QOM SD controller devices; 595 * QOMified controllers use the SDBus APIs. 596 */ 597 if (sdbus) { 598 sdbus_set_inserted(sdbus, inserted); 599 if (inserted) { 600 sdbus_set_readonly(sdbus, readonly); 601 } 602 } else { 603 qemu_set_irq(sd->inserted_cb, inserted); 604 if (inserted) { 605 qemu_set_irq(sd->readonly_cb, readonly); 606 } 607 } 608 } 609 610 static const BlockDevOps sd_block_ops = { 611 .change_media_cb = sd_cardchange, 612 }; 613 614 static bool sd_ocr_vmstate_needed(void *opaque) 615 { 616 SDState *sd = opaque; 617 618 /* Include the OCR state (and timer) if it is not yet powered up */ 619 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP); 620 } 621 622 static const VMStateDescription sd_ocr_vmstate = { 623 .name = "sd-card/ocr-state", 624 .version_id = 1, 625 .minimum_version_id = 1, 626 .needed = sd_ocr_vmstate_needed, 627 .fields = (VMStateField[]) { 628 VMSTATE_UINT32(ocr, SDState), 629 VMSTATE_TIMER_PTR(ocr_power_timer, SDState), 630 VMSTATE_END_OF_LIST() 631 }, 632 }; 633 634 static int sd_vmstate_pre_load(void *opaque) 635 { 636 SDState *sd = opaque; 637 638 /* If the OCR state is not included (prior versions, or not 639 * needed), then the OCR must be set as powered up. If the OCR state 640 * is included, this will be replaced by the state restore. 641 */ 642 sd_ocr_powerup(sd); 643 644 return 0; 645 } 646 647 static const VMStateDescription sd_vmstate = { 648 .name = "sd-card", 649 .version_id = 1, 650 .minimum_version_id = 1, 651 .pre_load = sd_vmstate_pre_load, 652 .fields = (VMStateField[]) { 653 VMSTATE_UINT32(mode, SDState), 654 VMSTATE_INT32(state, SDState), 655 VMSTATE_UINT8_ARRAY(cid, SDState, 16), 656 VMSTATE_UINT8_ARRAY(csd, SDState, 16), 657 VMSTATE_UINT16(rca, SDState), 658 VMSTATE_UINT32(card_status, SDState), 659 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1), 660 VMSTATE_UINT32(vhs, SDState), 661 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size), 662 VMSTATE_UINT32(blk_len, SDState), 663 VMSTATE_UINT32(multi_blk_cnt, SDState), 664 VMSTATE_UINT32(erase_start, SDState), 665 VMSTATE_UINT32(erase_end, SDState), 666 VMSTATE_UINT8_ARRAY(pwd, SDState, 16), 667 VMSTATE_UINT32(pwd_len, SDState), 668 VMSTATE_UINT8_ARRAY(function_group, SDState, 6), 669 VMSTATE_UINT8(current_cmd, SDState), 670 VMSTATE_BOOL(expecting_acmd, SDState), 671 VMSTATE_UINT32(blk_written, SDState), 672 VMSTATE_UINT64(data_start, SDState), 673 VMSTATE_UINT32(data_offset, SDState), 674 VMSTATE_UINT8_ARRAY(data, SDState, 512), 675 VMSTATE_UNUSED_V(1, 512), 676 VMSTATE_BOOL(enable, SDState), 677 VMSTATE_END_OF_LIST() 678 }, 679 .subsections = (const VMStateDescription*[]) { 680 &sd_ocr_vmstate, 681 NULL 682 }, 683 }; 684 685 /* Legacy initialization function for use by non-qdevified callers */ 686 SDState *sd_init(BlockBackend *blk, bool is_spi) 687 { 688 Object *obj; 689 DeviceState *dev; 690 Error *err = NULL; 691 692 obj = object_new(TYPE_SD_CARD); 693 dev = DEVICE(obj); 694 qdev_prop_set_drive(dev, "drive", blk, &err); 695 if (err) { 696 error_report("sd_init failed: %s", error_get_pretty(err)); 697 return NULL; 698 } 699 qdev_prop_set_bit(dev, "spi", is_spi); 700 object_property_set_bool(obj, true, "realized", &err); 701 if (err) { 702 error_report("sd_init failed: %s", error_get_pretty(err)); 703 return NULL; 704 } 705 706 return SD_CARD(dev); 707 } 708 709 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert) 710 { 711 sd->readonly_cb = readonly; 712 sd->inserted_cb = insert; 713 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0); 714 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0); 715 } 716 717 static void sd_erase(SDState *sd) 718 { 719 int i; 720 uint64_t erase_start = sd->erase_start; 721 uint64_t erase_end = sd->erase_end; 722 723 trace_sdcard_erase(); 724 if (!sd->erase_start || !sd->erase_end) { 725 sd->card_status |= ERASE_SEQ_ERROR; 726 return; 727 } 728 729 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) { 730 /* High capacity memory card: erase units are 512 byte blocks */ 731 erase_start *= 512; 732 erase_end *= 512; 733 } 734 735 erase_start = sd_addr_to_wpnum(erase_start); 736 erase_end = sd_addr_to_wpnum(erase_end); 737 sd->erase_start = 0; 738 sd->erase_end = 0; 739 sd->csd[14] |= 0x40; 740 741 for (i = erase_start; i <= erase_end; i++) { 742 if (test_bit(i, sd->wp_groups)) { 743 sd->card_status |= WP_ERASE_SKIP; 744 } 745 } 746 } 747 748 static uint32_t sd_wpbits(SDState *sd, uint64_t addr) 749 { 750 uint32_t i, wpnum; 751 uint32_t ret = 0; 752 753 wpnum = sd_addr_to_wpnum(addr); 754 755 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) { 756 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) { 757 ret |= (1 << i); 758 } 759 } 760 761 return ret; 762 } 763 764 static void sd_function_switch(SDState *sd, uint32_t arg) 765 { 766 int i, mode, new_func; 767 mode = !!(arg & 0x80000000); 768 769 sd->data[0] = 0x00; /* Maximum current consumption */ 770 sd->data[1] = 0x01; 771 sd->data[2] = 0x80; /* Supported group 6 functions */ 772 sd->data[3] = 0x01; 773 sd->data[4] = 0x80; /* Supported group 5 functions */ 774 sd->data[5] = 0x01; 775 sd->data[6] = 0x80; /* Supported group 4 functions */ 776 sd->data[7] = 0x01; 777 sd->data[8] = 0x80; /* Supported group 3 functions */ 778 sd->data[9] = 0x01; 779 sd->data[10] = 0x80; /* Supported group 2 functions */ 780 sd->data[11] = 0x43; 781 sd->data[12] = 0x80; /* Supported group 1 functions */ 782 sd->data[13] = 0x03; 783 for (i = 0; i < 6; i ++) { 784 new_func = (arg >> (i * 4)) & 0x0f; 785 if (mode && new_func != 0x0f) 786 sd->function_group[i] = new_func; 787 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4); 788 } 789 memset(&sd->data[17], 0, 47); 790 stw_be_p(sd->data + 65, sd_crc16(sd->data, 64)); 791 } 792 793 static inline bool sd_wp_addr(SDState *sd, uint64_t addr) 794 { 795 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 796 } 797 798 static void sd_lock_command(SDState *sd) 799 { 800 int erase, lock, clr_pwd, set_pwd, pwd_len; 801 erase = !!(sd->data[0] & 0x08); 802 lock = sd->data[0] & 0x04; 803 clr_pwd = sd->data[0] & 0x02; 804 set_pwd = sd->data[0] & 0x01; 805 806 if (sd->blk_len > 1) 807 pwd_len = sd->data[1]; 808 else 809 pwd_len = 0; 810 811 if (lock) { 812 trace_sdcard_lock(); 813 } else { 814 trace_sdcard_unlock(); 815 } 816 if (erase) { 817 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 || 818 set_pwd || clr_pwd || lock || sd->wp_switch || 819 (sd->csd[14] & 0x20)) { 820 sd->card_status |= LOCK_UNLOCK_FAILED; 821 return; 822 } 823 bitmap_zero(sd->wp_groups, sd->wpgrps_size); 824 sd->csd[14] &= ~0x10; 825 sd->card_status &= ~CARD_IS_LOCKED; 826 sd->pwd_len = 0; 827 /* Erasing the entire card here! */ 828 fprintf(stderr, "SD: Card force-erased by CMD42\n"); 829 return; 830 } 831 832 if (sd->blk_len < 2 + pwd_len || 833 pwd_len <= sd->pwd_len || 834 pwd_len > sd->pwd_len + 16) { 835 sd->card_status |= LOCK_UNLOCK_FAILED; 836 return; 837 } 838 839 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) { 840 sd->card_status |= LOCK_UNLOCK_FAILED; 841 return; 842 } 843 844 pwd_len -= sd->pwd_len; 845 if ((pwd_len && !set_pwd) || 846 (clr_pwd && (set_pwd || lock)) || 847 (lock && !sd->pwd_len && !set_pwd) || 848 (!set_pwd && !clr_pwd && 849 (((sd->card_status & CARD_IS_LOCKED) && lock) || 850 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) { 851 sd->card_status |= LOCK_UNLOCK_FAILED; 852 return; 853 } 854 855 if (set_pwd) { 856 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len); 857 sd->pwd_len = pwd_len; 858 } 859 860 if (clr_pwd) { 861 sd->pwd_len = 0; 862 } 863 864 if (lock) 865 sd->card_status |= CARD_IS_LOCKED; 866 else 867 sd->card_status &= ~CARD_IS_LOCKED; 868 } 869 870 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) 871 { 872 uint32_t rca = 0x0000; 873 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg; 874 875 /* CMD55 precedes an ACMD, so we are not interested in tracing it. 876 * However there is no ACMD55, so we want to trace this particular case. 877 */ 878 if (req.cmd != 55 || sd->expecting_acmd) { 879 trace_sdcard_normal_command(sd->proto_name, 880 sd_cmd_name(req.cmd), req.cmd, 881 req.arg, sd_state_name(sd->state)); 882 } 883 884 /* Not interpreting this as an app command */ 885 sd->card_status &= ~APP_CMD; 886 887 if (sd_cmd_type[req.cmd] == sd_ac 888 || sd_cmd_type[req.cmd] == sd_adtc) { 889 rca = req.arg >> 16; 890 } 891 892 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25 893 * if not, its effects are cancelled */ 894 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) { 895 sd->multi_blk_cnt = 0; 896 } 897 898 switch (req.cmd) { 899 /* Basic commands (Class 0 and Class 1) */ 900 case 0: /* CMD0: GO_IDLE_STATE */ 901 switch (sd->state) { 902 case sd_inactive_state: 903 return sd->spi ? sd_r1 : sd_r0; 904 905 default: 906 sd->state = sd_idle_state; 907 sd_reset(DEVICE(sd)); 908 return sd->spi ? sd_r1 : sd_r0; 909 } 910 break; 911 912 case 1: /* CMD1: SEND_OP_CMD */ 913 if (!sd->spi) 914 goto bad_cmd; 915 916 sd->state = sd_transfer_state; 917 return sd_r1; 918 919 case 2: /* CMD2: ALL_SEND_CID */ 920 if (sd->spi) 921 goto bad_cmd; 922 switch (sd->state) { 923 case sd_ready_state: 924 sd->state = sd_identification_state; 925 return sd_r2_i; 926 927 default: 928 break; 929 } 930 break; 931 932 case 3: /* CMD3: SEND_RELATIVE_ADDR */ 933 if (sd->spi) 934 goto bad_cmd; 935 switch (sd->state) { 936 case sd_identification_state: 937 case sd_standby_state: 938 sd->state = sd_standby_state; 939 sd_set_rca(sd); 940 return sd_r6; 941 942 default: 943 break; 944 } 945 break; 946 947 case 4: /* CMD4: SEND_DSR */ 948 if (sd->spi) 949 goto bad_cmd; 950 switch (sd->state) { 951 case sd_standby_state: 952 break; 953 954 default: 955 break; 956 } 957 break; 958 959 case 5: /* CMD5: reserved for SDIO cards */ 960 return sd_illegal; 961 962 case 6: /* CMD6: SWITCH_FUNCTION */ 963 if (sd->spi) 964 goto bad_cmd; 965 switch (sd->mode) { 966 case sd_data_transfer_mode: 967 sd_function_switch(sd, req.arg); 968 sd->state = sd_sendingdata_state; 969 sd->data_start = 0; 970 sd->data_offset = 0; 971 return sd_r1; 972 973 default: 974 break; 975 } 976 break; 977 978 case 7: /* CMD7: SELECT/DESELECT_CARD */ 979 if (sd->spi) 980 goto bad_cmd; 981 switch (sd->state) { 982 case sd_standby_state: 983 if (sd->rca != rca) 984 return sd_r0; 985 986 sd->state = sd_transfer_state; 987 return sd_r1b; 988 989 case sd_transfer_state: 990 case sd_sendingdata_state: 991 if (sd->rca == rca) 992 break; 993 994 sd->state = sd_standby_state; 995 return sd_r1b; 996 997 case sd_disconnect_state: 998 if (sd->rca != rca) 999 return sd_r0; 1000 1001 sd->state = sd_programming_state; 1002 return sd_r1b; 1003 1004 case sd_programming_state: 1005 if (sd->rca == rca) 1006 break; 1007 1008 sd->state = sd_disconnect_state; 1009 return sd_r1b; 1010 1011 default: 1012 break; 1013 } 1014 break; 1015 1016 case 8: /* CMD8: SEND_IF_COND */ 1017 /* Physical Layer Specification Version 2.00 command */ 1018 if (sd->state != sd_idle_state) { 1019 break; 1020 } 1021 sd->vhs = 0; 1022 1023 /* No response if not exactly one VHS bit is set. */ 1024 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) { 1025 return sd->spi ? sd_r7 : sd_r0; 1026 } 1027 1028 /* Accept. */ 1029 sd->vhs = req.arg; 1030 return sd_r7; 1031 1032 case 9: /* CMD9: SEND_CSD */ 1033 switch (sd->state) { 1034 case sd_standby_state: 1035 if (sd->rca != rca) 1036 return sd_r0; 1037 1038 return sd_r2_s; 1039 1040 case sd_transfer_state: 1041 if (!sd->spi) 1042 break; 1043 sd->state = sd_sendingdata_state; 1044 memcpy(sd->data, sd->csd, 16); 1045 sd->data_start = addr; 1046 sd->data_offset = 0; 1047 return sd_r1; 1048 1049 default: 1050 break; 1051 } 1052 break; 1053 1054 case 10: /* CMD10: SEND_CID */ 1055 switch (sd->state) { 1056 case sd_standby_state: 1057 if (sd->rca != rca) 1058 return sd_r0; 1059 1060 return sd_r2_i; 1061 1062 case sd_transfer_state: 1063 if (!sd->spi) 1064 break; 1065 sd->state = sd_sendingdata_state; 1066 memcpy(sd->data, sd->cid, 16); 1067 sd->data_start = addr; 1068 sd->data_offset = 0; 1069 return sd_r1; 1070 1071 default: 1072 break; 1073 } 1074 break; 1075 1076 case 12: /* CMD12: STOP_TRANSMISSION */ 1077 switch (sd->state) { 1078 case sd_sendingdata_state: 1079 sd->state = sd_transfer_state; 1080 return sd_r1b; 1081 1082 case sd_receivingdata_state: 1083 sd->state = sd_programming_state; 1084 /* Bzzzzzzztt .... Operation complete. */ 1085 sd->state = sd_transfer_state; 1086 return sd_r1b; 1087 1088 default: 1089 break; 1090 } 1091 break; 1092 1093 case 13: /* CMD13: SEND_STATUS */ 1094 switch (sd->mode) { 1095 case sd_data_transfer_mode: 1096 if (sd->rca != rca) 1097 return sd_r0; 1098 1099 return sd_r1; 1100 1101 default: 1102 break; 1103 } 1104 break; 1105 1106 case 15: /* CMD15: GO_INACTIVE_STATE */ 1107 if (sd->spi) 1108 goto bad_cmd; 1109 switch (sd->mode) { 1110 case sd_data_transfer_mode: 1111 if (sd->rca != rca) 1112 return sd_r0; 1113 1114 sd->state = sd_inactive_state; 1115 return sd_r0; 1116 1117 default: 1118 break; 1119 } 1120 break; 1121 1122 /* Block read commands (Classs 2) */ 1123 case 16: /* CMD16: SET_BLOCKLEN */ 1124 switch (sd->state) { 1125 case sd_transfer_state: 1126 if (req.arg > (1 << HWBLOCK_SHIFT)) { 1127 sd->card_status |= BLOCK_LEN_ERROR; 1128 } else { 1129 trace_sdcard_set_blocklen(req.arg); 1130 sd->blk_len = req.arg; 1131 } 1132 1133 return sd_r1; 1134 1135 default: 1136 break; 1137 } 1138 break; 1139 1140 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1141 switch (sd->state) { 1142 case sd_transfer_state: 1143 sd->state = sd_sendingdata_state; 1144 sd->data_start = addr; 1145 sd->data_offset = 0; 1146 1147 if (sd->data_start + sd->blk_len > sd->size) 1148 sd->card_status |= ADDRESS_ERROR; 1149 return sd_r1; 1150 1151 default: 1152 break; 1153 } 1154 break; 1155 1156 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1157 switch (sd->state) { 1158 case sd_transfer_state: 1159 sd->state = sd_sendingdata_state; 1160 sd->data_start = addr; 1161 sd->data_offset = 0; 1162 1163 if (sd->data_start + sd->blk_len > sd->size) 1164 sd->card_status |= ADDRESS_ERROR; 1165 return sd_r1; 1166 1167 default: 1168 break; 1169 } 1170 break; 1171 1172 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 1173 if (sd->state == sd_transfer_state) { 1174 sd->state = sd_sendingdata_state; 1175 sd->data_offset = 0; 1176 return sd_r1; 1177 } 1178 break; 1179 1180 case 23: /* CMD23: SET_BLOCK_COUNT */ 1181 switch (sd->state) { 1182 case sd_transfer_state: 1183 sd->multi_blk_cnt = req.arg; 1184 return sd_r1; 1185 1186 default: 1187 break; 1188 } 1189 break; 1190 1191 /* Block write commands (Class 4) */ 1192 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1193 if (sd->spi) { 1194 goto unimplemented_spi_cmd; 1195 } 1196 switch (sd->state) { 1197 case sd_transfer_state: 1198 /* Writing in SPI mode not implemented. */ 1199 if (sd->spi) 1200 break; 1201 sd->state = sd_receivingdata_state; 1202 sd->data_start = addr; 1203 sd->data_offset = 0; 1204 sd->blk_written = 0; 1205 1206 if (sd->data_start + sd->blk_len > sd->size) 1207 sd->card_status |= ADDRESS_ERROR; 1208 if (sd_wp_addr(sd, sd->data_start)) 1209 sd->card_status |= WP_VIOLATION; 1210 if (sd->csd[14] & 0x30) 1211 sd->card_status |= WP_VIOLATION; 1212 return sd_r1; 1213 1214 default: 1215 break; 1216 } 1217 break; 1218 1219 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1220 if (sd->spi) { 1221 goto unimplemented_spi_cmd; 1222 } 1223 switch (sd->state) { 1224 case sd_transfer_state: 1225 /* Writing in SPI mode not implemented. */ 1226 if (sd->spi) 1227 break; 1228 sd->state = sd_receivingdata_state; 1229 sd->data_start = addr; 1230 sd->data_offset = 0; 1231 sd->blk_written = 0; 1232 1233 if (sd->data_start + sd->blk_len > sd->size) 1234 sd->card_status |= ADDRESS_ERROR; 1235 if (sd_wp_addr(sd, sd->data_start)) 1236 sd->card_status |= WP_VIOLATION; 1237 if (sd->csd[14] & 0x30) 1238 sd->card_status |= WP_VIOLATION; 1239 return sd_r1; 1240 1241 default: 1242 break; 1243 } 1244 break; 1245 1246 case 26: /* CMD26: PROGRAM_CID */ 1247 if (sd->spi) 1248 goto bad_cmd; 1249 switch (sd->state) { 1250 case sd_transfer_state: 1251 sd->state = sd_receivingdata_state; 1252 sd->data_start = 0; 1253 sd->data_offset = 0; 1254 return sd_r1; 1255 1256 default: 1257 break; 1258 } 1259 break; 1260 1261 case 27: /* CMD27: PROGRAM_CSD */ 1262 if (sd->spi) { 1263 goto unimplemented_spi_cmd; 1264 } 1265 switch (sd->state) { 1266 case sd_transfer_state: 1267 sd->state = sd_receivingdata_state; 1268 sd->data_start = 0; 1269 sd->data_offset = 0; 1270 return sd_r1; 1271 1272 default: 1273 break; 1274 } 1275 break; 1276 1277 /* Write protection (Class 6) */ 1278 case 28: /* CMD28: SET_WRITE_PROT */ 1279 switch (sd->state) { 1280 case sd_transfer_state: 1281 if (addr >= sd->size) { 1282 sd->card_status |= ADDRESS_ERROR; 1283 return sd_r1b; 1284 } 1285 1286 sd->state = sd_programming_state; 1287 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1288 /* Bzzzzzzztt .... Operation complete. */ 1289 sd->state = sd_transfer_state; 1290 return sd_r1b; 1291 1292 default: 1293 break; 1294 } 1295 break; 1296 1297 case 29: /* CMD29: CLR_WRITE_PROT */ 1298 switch (sd->state) { 1299 case sd_transfer_state: 1300 if (addr >= sd->size) { 1301 sd->card_status |= ADDRESS_ERROR; 1302 return sd_r1b; 1303 } 1304 1305 sd->state = sd_programming_state; 1306 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups); 1307 /* Bzzzzzzztt .... Operation complete. */ 1308 sd->state = sd_transfer_state; 1309 return sd_r1b; 1310 1311 default: 1312 break; 1313 } 1314 break; 1315 1316 case 30: /* CMD30: SEND_WRITE_PROT */ 1317 switch (sd->state) { 1318 case sd_transfer_state: 1319 sd->state = sd_sendingdata_state; 1320 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg); 1321 sd->data_start = addr; 1322 sd->data_offset = 0; 1323 return sd_r1b; 1324 1325 default: 1326 break; 1327 } 1328 break; 1329 1330 /* Erase commands (Class 5) */ 1331 case 32: /* CMD32: ERASE_WR_BLK_START */ 1332 switch (sd->state) { 1333 case sd_transfer_state: 1334 sd->erase_start = req.arg; 1335 return sd_r1; 1336 1337 default: 1338 break; 1339 } 1340 break; 1341 1342 case 33: /* CMD33: ERASE_WR_BLK_END */ 1343 switch (sd->state) { 1344 case sd_transfer_state: 1345 sd->erase_end = req.arg; 1346 return sd_r1; 1347 1348 default: 1349 break; 1350 } 1351 break; 1352 1353 case 38: /* CMD38: ERASE */ 1354 switch (sd->state) { 1355 case sd_transfer_state: 1356 if (sd->csd[14] & 0x30) { 1357 sd->card_status |= WP_VIOLATION; 1358 return sd_r1b; 1359 } 1360 1361 sd->state = sd_programming_state; 1362 sd_erase(sd); 1363 /* Bzzzzzzztt .... Operation complete. */ 1364 sd->state = sd_transfer_state; 1365 return sd_r1b; 1366 1367 default: 1368 break; 1369 } 1370 break; 1371 1372 /* Lock card commands (Class 7) */ 1373 case 42: /* CMD42: LOCK_UNLOCK */ 1374 if (sd->spi) { 1375 goto unimplemented_spi_cmd; 1376 } 1377 switch (sd->state) { 1378 case sd_transfer_state: 1379 sd->state = sd_receivingdata_state; 1380 sd->data_start = 0; 1381 sd->data_offset = 0; 1382 return sd_r1; 1383 1384 default: 1385 break; 1386 } 1387 break; 1388 1389 case 52 ... 54: 1390 /* CMD52, CMD53, CMD54: reserved for SDIO cards 1391 * (see the SDIO Simplified Specification V2.0) 1392 * Handle as illegal command but do not complain 1393 * on stderr, as some OSes may use these in their 1394 * probing for presence of an SDIO card. 1395 */ 1396 return sd_illegal; 1397 1398 /* Application specific commands (Class 8) */ 1399 case 55: /* CMD55: APP_CMD */ 1400 switch (sd->state) { 1401 case sd_ready_state: 1402 case sd_identification_state: 1403 case sd_inactive_state: 1404 return sd_illegal; 1405 case sd_idle_state: 1406 if (rca) { 1407 qemu_log_mask(LOG_GUEST_ERROR, 1408 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd); 1409 } 1410 default: 1411 break; 1412 } 1413 if (!sd->spi) { 1414 if (sd->rca != rca) { 1415 return sd_r0; 1416 } 1417 } 1418 sd->expecting_acmd = true; 1419 sd->card_status |= APP_CMD; 1420 return sd_r1; 1421 1422 case 56: /* CMD56: GEN_CMD */ 1423 switch (sd->state) { 1424 case sd_transfer_state: 1425 sd->data_offset = 0; 1426 if (req.arg & 1) 1427 sd->state = sd_sendingdata_state; 1428 else 1429 sd->state = sd_receivingdata_state; 1430 return sd_r1; 1431 1432 default: 1433 break; 1434 } 1435 break; 1436 1437 case 58: /* CMD58: READ_OCR (SPI) */ 1438 if (!sd->spi) { 1439 goto bad_cmd; 1440 } 1441 return sd_r3; 1442 1443 case 59: /* CMD59: CRC_ON_OFF (SPI) */ 1444 if (!sd->spi) { 1445 goto bad_cmd; 1446 } 1447 goto unimplemented_spi_cmd; 1448 1449 default: 1450 bad_cmd: 1451 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd); 1452 return sd_illegal; 1453 1454 unimplemented_spi_cmd: 1455 /* Commands that are recognised but not yet implemented in SPI mode. */ 1456 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1457 req.cmd); 1458 return sd_illegal; 1459 } 1460 1461 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd); 1462 return sd_illegal; 1463 } 1464 1465 static sd_rsp_type_t sd_app_command(SDState *sd, 1466 SDRequest req) 1467 { 1468 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd), 1469 req.cmd, req.arg, sd_state_name(sd->state)); 1470 sd->card_status |= APP_CMD; 1471 switch (req.cmd) { 1472 case 6: /* ACMD6: SET_BUS_WIDTH */ 1473 if (sd->spi) { 1474 goto unimplemented_spi_cmd; 1475 } 1476 switch (sd->state) { 1477 case sd_transfer_state: 1478 sd->sd_status[0] &= 0x3f; 1479 sd->sd_status[0] |= (req.arg & 0x03) << 6; 1480 return sd_r1; 1481 1482 default: 1483 break; 1484 } 1485 break; 1486 1487 case 13: /* ACMD13: SD_STATUS */ 1488 switch (sd->state) { 1489 case sd_transfer_state: 1490 sd->state = sd_sendingdata_state; 1491 sd->data_start = 0; 1492 sd->data_offset = 0; 1493 return sd_r1; 1494 1495 default: 1496 break; 1497 } 1498 break; 1499 1500 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 1501 switch (sd->state) { 1502 case sd_transfer_state: 1503 *(uint32_t *) sd->data = sd->blk_written; 1504 1505 sd->state = sd_sendingdata_state; 1506 sd->data_start = 0; 1507 sd->data_offset = 0; 1508 return sd_r1; 1509 1510 default: 1511 break; 1512 } 1513 break; 1514 1515 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */ 1516 switch (sd->state) { 1517 case sd_transfer_state: 1518 return sd_r1; 1519 1520 default: 1521 break; 1522 } 1523 break; 1524 1525 case 41: /* ACMD41: SD_APP_OP_COND */ 1526 if (sd->spi) { 1527 /* SEND_OP_CMD */ 1528 sd->state = sd_transfer_state; 1529 return sd_r1; 1530 } 1531 if (sd->state != sd_idle_state) { 1532 break; 1533 } 1534 /* If it's the first ACMD41 since reset, we need to decide 1535 * whether to power up. If this is not an enquiry ACMD41, 1536 * we immediately report power on and proceed below to the 1537 * ready state, but if it is, we set a timer to model a 1538 * delay for power up. This works around a bug in EDK2 1539 * UEFI, which sends an initial enquiry ACMD41, but 1540 * assumes that the card is in ready state as soon as it 1541 * sees the power up bit set. */ 1542 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) { 1543 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) { 1544 timer_del(sd->ocr_power_timer); 1545 sd_ocr_powerup(sd); 1546 } else { 1547 trace_sdcard_inquiry_cmd41(); 1548 if (!timer_pending(sd->ocr_power_timer)) { 1549 timer_mod_ns(sd->ocr_power_timer, 1550 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) 1551 + OCR_POWER_DELAY_NS)); 1552 } 1553 } 1554 } 1555 1556 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) { 1557 /* We accept any voltage. 10000 V is nothing. 1558 * 1559 * Once we're powered up, we advance straight to ready state 1560 * unless it's an enquiry ACMD41 (bits 23:0 == 0). 1561 */ 1562 sd->state = sd_ready_state; 1563 } 1564 1565 return sd_r3; 1566 1567 case 42: /* ACMD42: SET_CLR_CARD_DETECT */ 1568 switch (sd->state) { 1569 case sd_transfer_state: 1570 /* Bringing in the 50KOhm pull-up resistor... Done. */ 1571 return sd_r1; 1572 1573 default: 1574 break; 1575 } 1576 break; 1577 1578 case 51: /* ACMD51: SEND_SCR */ 1579 switch (sd->state) { 1580 case sd_transfer_state: 1581 sd->state = sd_sendingdata_state; 1582 sd->data_start = 0; 1583 sd->data_offset = 0; 1584 return sd_r1; 1585 1586 default: 1587 break; 1588 } 1589 break; 1590 1591 case 18: /* Reserved for SD security applications */ 1592 case 25: 1593 case 26: 1594 case 38: 1595 case 43 ... 49: 1596 /* Refer to the "SD Specifications Part3 Security Specification" for 1597 * information about the SD Security Features. 1598 */ 1599 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n", 1600 req.cmd); 1601 return sd_illegal; 1602 1603 default: 1604 /* Fall back to standard commands. */ 1605 return sd_normal_command(sd, req); 1606 1607 unimplemented_spi_cmd: 1608 /* Commands that are recognised but not yet implemented in SPI mode. */ 1609 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n", 1610 req.cmd); 1611 return sd_illegal; 1612 } 1613 1614 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd); 1615 return sd_illegal; 1616 } 1617 1618 static int cmd_valid_while_locked(SDState *sd, SDRequest *req) 1619 { 1620 /* Valid commands in locked state: 1621 * basic class (0) 1622 * lock card class (7) 1623 * CMD16 1624 * implicitly, the ACMD prefix CMD55 1625 * ACMD41 and ACMD42 1626 * Anything else provokes an "illegal command" response. 1627 */ 1628 if (sd->expecting_acmd) { 1629 return req->cmd == 41 || req->cmd == 42; 1630 } 1631 if (req->cmd == 16 || req->cmd == 55) { 1632 return 1; 1633 } 1634 return sd_cmd_class[req->cmd] == 0 1635 || sd_cmd_class[req->cmd] == 7; 1636 } 1637 1638 int sd_do_command(SDState *sd, SDRequest *req, 1639 uint8_t *response) { 1640 int last_state; 1641 sd_rsp_type_t rtype; 1642 int rsplen; 1643 1644 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) { 1645 return 0; 1646 } 1647 1648 if (sd_req_crc_validate(req)) { 1649 sd->card_status |= COM_CRC_ERROR; 1650 rtype = sd_illegal; 1651 goto send_response; 1652 } 1653 1654 if (req->cmd >= SDMMC_CMD_MAX) { 1655 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n", 1656 req->cmd); 1657 req->cmd &= 0x3f; 1658 } 1659 1660 if (sd->card_status & CARD_IS_LOCKED) { 1661 if (!cmd_valid_while_locked(sd, req)) { 1662 sd->card_status |= ILLEGAL_COMMAND; 1663 sd->expecting_acmd = false; 1664 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n"); 1665 rtype = sd_illegal; 1666 goto send_response; 1667 } 1668 } 1669 1670 last_state = sd->state; 1671 sd_set_mode(sd); 1672 1673 if (sd->expecting_acmd) { 1674 sd->expecting_acmd = false; 1675 rtype = sd_app_command(sd, *req); 1676 } else { 1677 rtype = sd_normal_command(sd, *req); 1678 } 1679 1680 if (rtype == sd_illegal) { 1681 sd->card_status |= ILLEGAL_COMMAND; 1682 } else { 1683 /* Valid command, we can update the 'state before command' bits. 1684 * (Do this now so they appear in r1 responses.) 1685 */ 1686 sd->current_cmd = req->cmd; 1687 sd->card_status &= ~CURRENT_STATE; 1688 sd->card_status |= (last_state << 9); 1689 } 1690 1691 send_response: 1692 switch (rtype) { 1693 case sd_r1: 1694 case sd_r1b: 1695 sd_response_r1_make(sd, response); 1696 rsplen = 4; 1697 break; 1698 1699 case sd_r2_i: 1700 memcpy(response, sd->cid, sizeof(sd->cid)); 1701 rsplen = 16; 1702 break; 1703 1704 case sd_r2_s: 1705 memcpy(response, sd->csd, sizeof(sd->csd)); 1706 rsplen = 16; 1707 break; 1708 1709 case sd_r3: 1710 sd_response_r3_make(sd, response); 1711 rsplen = 4; 1712 break; 1713 1714 case sd_r6: 1715 sd_response_r6_make(sd, response); 1716 rsplen = 4; 1717 break; 1718 1719 case sd_r7: 1720 sd_response_r7_make(sd, response); 1721 rsplen = 4; 1722 break; 1723 1724 case sd_r0: 1725 case sd_illegal: 1726 rsplen = 0; 1727 break; 1728 default: 1729 g_assert_not_reached(); 1730 } 1731 trace_sdcard_response(sd_response_name(rtype), rsplen); 1732 1733 if (rtype != sd_illegal) { 1734 /* Clear the "clear on valid command" status bits now we've 1735 * sent any response 1736 */ 1737 sd->card_status &= ~CARD_STATUS_B; 1738 } 1739 1740 #ifdef DEBUG_SD 1741 qemu_hexdump((const char *)response, stderr, "Response", rsplen); 1742 #endif 1743 1744 return rsplen; 1745 } 1746 1747 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len) 1748 { 1749 trace_sdcard_read_block(addr, len); 1750 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) { 1751 fprintf(stderr, "sd_blk_read: read error on host side\n"); 1752 } 1753 } 1754 1755 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len) 1756 { 1757 trace_sdcard_write_block(addr, len); 1758 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) { 1759 fprintf(stderr, "sd_blk_write: write error on host side\n"); 1760 } 1761 } 1762 1763 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len) 1764 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len) 1765 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len) 1766 #define APP_WRITE_BLOCK(a, len) 1767 1768 void sd_write_data(SDState *sd, uint8_t value) 1769 { 1770 int i; 1771 1772 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1773 return; 1774 1775 if (sd->state != sd_receivingdata_state) { 1776 qemu_log_mask(LOG_GUEST_ERROR, 1777 "sd_write_data: not in Receiving-Data state\n"); 1778 return; 1779 } 1780 1781 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1782 return; 1783 1784 trace_sdcard_write_data(sd->proto_name, 1785 sd_acmd_name(sd->current_cmd), 1786 sd->current_cmd, value); 1787 switch (sd->current_cmd) { 1788 case 24: /* CMD24: WRITE_SINGLE_BLOCK */ 1789 sd->data[sd->data_offset ++] = value; 1790 if (sd->data_offset >= sd->blk_len) { 1791 /* TODO: Check CRC before committing */ 1792 sd->state = sd_programming_state; 1793 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1794 sd->blk_written ++; 1795 sd->csd[14] |= 0x40; 1796 /* Bzzzzzzztt .... Operation complete. */ 1797 sd->state = sd_transfer_state; 1798 } 1799 break; 1800 1801 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */ 1802 if (sd->data_offset == 0) { 1803 /* Start of the block - let's check the address is valid */ 1804 if (sd->data_start + sd->blk_len > sd->size) { 1805 sd->card_status |= ADDRESS_ERROR; 1806 break; 1807 } 1808 if (sd_wp_addr(sd, sd->data_start)) { 1809 sd->card_status |= WP_VIOLATION; 1810 break; 1811 } 1812 } 1813 sd->data[sd->data_offset++] = value; 1814 if (sd->data_offset >= sd->blk_len) { 1815 /* TODO: Check CRC before committing */ 1816 sd->state = sd_programming_state; 1817 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset); 1818 sd->blk_written++; 1819 sd->data_start += sd->blk_len; 1820 sd->data_offset = 0; 1821 sd->csd[14] |= 0x40; 1822 1823 /* Bzzzzzzztt .... Operation complete. */ 1824 if (sd->multi_blk_cnt != 0) { 1825 if (--sd->multi_blk_cnt == 0) { 1826 /* Stop! */ 1827 sd->state = sd_transfer_state; 1828 break; 1829 } 1830 } 1831 1832 sd->state = sd_receivingdata_state; 1833 } 1834 break; 1835 1836 case 26: /* CMD26: PROGRAM_CID */ 1837 sd->data[sd->data_offset ++] = value; 1838 if (sd->data_offset >= sizeof(sd->cid)) { 1839 /* TODO: Check CRC before committing */ 1840 sd->state = sd_programming_state; 1841 for (i = 0; i < sizeof(sd->cid); i ++) 1842 if ((sd->cid[i] | 0x00) != sd->data[i]) 1843 sd->card_status |= CID_CSD_OVERWRITE; 1844 1845 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1846 for (i = 0; i < sizeof(sd->cid); i ++) { 1847 sd->cid[i] |= 0x00; 1848 sd->cid[i] &= sd->data[i]; 1849 } 1850 /* Bzzzzzzztt .... Operation complete. */ 1851 sd->state = sd_transfer_state; 1852 } 1853 break; 1854 1855 case 27: /* CMD27: PROGRAM_CSD */ 1856 sd->data[sd->data_offset ++] = value; 1857 if (sd->data_offset >= sizeof(sd->csd)) { 1858 /* TODO: Check CRC before committing */ 1859 sd->state = sd_programming_state; 1860 for (i = 0; i < sizeof(sd->csd); i ++) 1861 if ((sd->csd[i] | sd_csd_rw_mask[i]) != 1862 (sd->data[i] | sd_csd_rw_mask[i])) 1863 sd->card_status |= CID_CSD_OVERWRITE; 1864 1865 /* Copy flag (OTP) & Permanent write protect */ 1866 if (sd->csd[14] & ~sd->data[14] & 0x60) 1867 sd->card_status |= CID_CSD_OVERWRITE; 1868 1869 if (!(sd->card_status & CID_CSD_OVERWRITE)) 1870 for (i = 0; i < sizeof(sd->csd); i ++) { 1871 sd->csd[i] |= sd_csd_rw_mask[i]; 1872 sd->csd[i] &= sd->data[i]; 1873 } 1874 /* Bzzzzzzztt .... Operation complete. */ 1875 sd->state = sd_transfer_state; 1876 } 1877 break; 1878 1879 case 42: /* CMD42: LOCK_UNLOCK */ 1880 sd->data[sd->data_offset ++] = value; 1881 if (sd->data_offset >= sd->blk_len) { 1882 /* TODO: Check CRC before committing */ 1883 sd->state = sd_programming_state; 1884 sd_lock_command(sd); 1885 /* Bzzzzzzztt .... Operation complete. */ 1886 sd->state = sd_transfer_state; 1887 } 1888 break; 1889 1890 case 56: /* CMD56: GEN_CMD */ 1891 sd->data[sd->data_offset ++] = value; 1892 if (sd->data_offset >= sd->blk_len) { 1893 APP_WRITE_BLOCK(sd->data_start, sd->data_offset); 1894 sd->state = sd_transfer_state; 1895 } 1896 break; 1897 1898 default: 1899 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n"); 1900 break; 1901 } 1902 } 1903 1904 #define SD_TUNING_BLOCK_SIZE 64 1905 1906 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = { 1907 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */ 1908 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc, 1909 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef, 1910 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb, 1911 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef, 1912 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c, 1913 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee, 1914 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff, 1915 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde, 1916 }; 1917 1918 uint8_t sd_read_data(SDState *sd) 1919 { 1920 /* TODO: Append CRCs */ 1921 uint8_t ret; 1922 int io_len; 1923 1924 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) 1925 return 0x00; 1926 1927 if (sd->state != sd_sendingdata_state) { 1928 qemu_log_mask(LOG_GUEST_ERROR, 1929 "sd_read_data: not in Sending-Data state\n"); 1930 return 0x00; 1931 } 1932 1933 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION)) 1934 return 0x00; 1935 1936 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len; 1937 1938 trace_sdcard_read_data(sd->proto_name, 1939 sd_acmd_name(sd->current_cmd), 1940 sd->current_cmd, io_len); 1941 switch (sd->current_cmd) { 1942 case 6: /* CMD6: SWITCH_FUNCTION */ 1943 ret = sd->data[sd->data_offset ++]; 1944 1945 if (sd->data_offset >= 64) 1946 sd->state = sd_transfer_state; 1947 break; 1948 1949 case 9: /* CMD9: SEND_CSD */ 1950 case 10: /* CMD10: SEND_CID */ 1951 ret = sd->data[sd->data_offset ++]; 1952 1953 if (sd->data_offset >= 16) 1954 sd->state = sd_transfer_state; 1955 break; 1956 1957 case 13: /* ACMD13: SD_STATUS */ 1958 ret = sd->sd_status[sd->data_offset ++]; 1959 1960 if (sd->data_offset >= sizeof(sd->sd_status)) 1961 sd->state = sd_transfer_state; 1962 break; 1963 1964 case 17: /* CMD17: READ_SINGLE_BLOCK */ 1965 if (sd->data_offset == 0) 1966 BLK_READ_BLOCK(sd->data_start, io_len); 1967 ret = sd->data[sd->data_offset ++]; 1968 1969 if (sd->data_offset >= io_len) 1970 sd->state = sd_transfer_state; 1971 break; 1972 1973 case 18: /* CMD18: READ_MULTIPLE_BLOCK */ 1974 if (sd->data_offset == 0) { 1975 if (sd->data_start + io_len > sd->size) { 1976 sd->card_status |= ADDRESS_ERROR; 1977 return 0x00; 1978 } 1979 BLK_READ_BLOCK(sd->data_start, io_len); 1980 } 1981 ret = sd->data[sd->data_offset ++]; 1982 1983 if (sd->data_offset >= io_len) { 1984 sd->data_start += io_len; 1985 sd->data_offset = 0; 1986 1987 if (sd->multi_blk_cnt != 0) { 1988 if (--sd->multi_blk_cnt == 0) { 1989 /* Stop! */ 1990 sd->state = sd_transfer_state; 1991 break; 1992 } 1993 } 1994 } 1995 break; 1996 1997 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */ 1998 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) { 1999 sd->state = sd_transfer_state; 2000 } 2001 ret = sd_tuning_block_pattern[sd->data_offset++]; 2002 break; 2003 2004 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */ 2005 ret = sd->data[sd->data_offset ++]; 2006 2007 if (sd->data_offset >= 4) 2008 sd->state = sd_transfer_state; 2009 break; 2010 2011 case 30: /* CMD30: SEND_WRITE_PROT */ 2012 ret = sd->data[sd->data_offset ++]; 2013 2014 if (sd->data_offset >= 4) 2015 sd->state = sd_transfer_state; 2016 break; 2017 2018 case 51: /* ACMD51: SEND_SCR */ 2019 ret = sd->scr[sd->data_offset ++]; 2020 2021 if (sd->data_offset >= sizeof(sd->scr)) 2022 sd->state = sd_transfer_state; 2023 break; 2024 2025 case 56: /* CMD56: GEN_CMD */ 2026 if (sd->data_offset == 0) 2027 APP_READ_BLOCK(sd->data_start, sd->blk_len); 2028 ret = sd->data[sd->data_offset ++]; 2029 2030 if (sd->data_offset >= sd->blk_len) 2031 sd->state = sd_transfer_state; 2032 break; 2033 2034 default: 2035 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n"); 2036 return 0x00; 2037 } 2038 2039 return ret; 2040 } 2041 2042 bool sd_data_ready(SDState *sd) 2043 { 2044 return sd->state == sd_sendingdata_state; 2045 } 2046 2047 void sd_enable(SDState *sd, bool enable) 2048 { 2049 sd->enable = enable; 2050 } 2051 2052 static void sd_instance_init(Object *obj) 2053 { 2054 SDState *sd = SD_CARD(obj); 2055 2056 sd->enable = true; 2057 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd); 2058 } 2059 2060 static void sd_instance_finalize(Object *obj) 2061 { 2062 SDState *sd = SD_CARD(obj); 2063 2064 timer_del(sd->ocr_power_timer); 2065 timer_free(sd->ocr_power_timer); 2066 } 2067 2068 static void sd_realize(DeviceState *dev, Error **errp) 2069 { 2070 SDState *sd = SD_CARD(dev); 2071 int ret; 2072 2073 sd->proto_name = sd->spi ? "SPI" : "SD"; 2074 2075 if (sd->blk && blk_is_read_only(sd->blk)) { 2076 error_setg(errp, "Cannot use read-only drive as SD card"); 2077 return; 2078 } 2079 2080 if (sd->blk) { 2081 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE, 2082 BLK_PERM_ALL, errp); 2083 if (ret < 0) { 2084 return; 2085 } 2086 blk_set_dev_ops(sd->blk, &sd_block_ops, sd); 2087 } 2088 } 2089 2090 static Property sd_properties[] = { 2091 DEFINE_PROP_DRIVE("drive", SDState, blk), 2092 /* We do not model the chip select pin, so allow the board to select 2093 * whether card should be in SSI or MMC/SD mode. It is also up to the 2094 * board to ensure that ssi transfers only occur when the chip select 2095 * is asserted. */ 2096 DEFINE_PROP_BOOL("spi", SDState, spi, false), 2097 DEFINE_PROP_END_OF_LIST() 2098 }; 2099 2100 static void sd_class_init(ObjectClass *klass, void *data) 2101 { 2102 DeviceClass *dc = DEVICE_CLASS(klass); 2103 SDCardClass *sc = SD_CARD_CLASS(klass); 2104 2105 dc->realize = sd_realize; 2106 dc->props = sd_properties; 2107 dc->vmsd = &sd_vmstate; 2108 dc->reset = sd_reset; 2109 dc->bus_type = TYPE_SD_BUS; 2110 2111 sc->set_voltage = sd_set_voltage; 2112 sc->get_dat_lines = sd_get_dat_lines; 2113 sc->get_cmd_line = sd_get_cmd_line; 2114 sc->do_command = sd_do_command; 2115 sc->write_data = sd_write_data; 2116 sc->read_data = sd_read_data; 2117 sc->data_ready = sd_data_ready; 2118 sc->enable = sd_enable; 2119 sc->get_inserted = sd_get_inserted; 2120 sc->get_readonly = sd_get_readonly; 2121 } 2122 2123 static const TypeInfo sd_info = { 2124 .name = TYPE_SD_CARD, 2125 .parent = TYPE_DEVICE, 2126 .instance_size = sizeof(SDState), 2127 .class_size = sizeof(SDCardClass), 2128 .class_init = sd_class_init, 2129 .instance_init = sd_instance_init, 2130 .instance_finalize = sd_instance_finalize, 2131 }; 2132 2133 static void sd_register_types(void) 2134 { 2135 type_register_static(&sd_info); 2136 } 2137 2138 type_init(sd_register_types) 2139