1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32#include "qemu/osdep.h"
33#include "hw/qdev.h"
34#include "hw/hw.h"
35#include "sysemu/block-backend.h"
36#include "hw/sd/sd.h"
37#include "qapi/error.h"
38#include "qemu/bitmap.h"
39#include "hw/qdev-properties.h"
40#include "qemu/error-report.h"
41#include "qemu/timer.h"
42
43
44
45#ifdef DEBUG_SD
46#define DPRINTF_RAW(fmt, ...) \
47do { qemu_log_mask(DEV_LOG_SD, fmt , ## __VA_ARGS__); } while (0)
48#define DPRINTF(fmt, ...) \
49do { qemu_log_mask(DEV_LOG_SD, "sd: " fmt , ## __VA_ARGS__); } while (0)
50#else
51#define DPRINTF_RAW(fmt, ...) do {} while(0)
52#define DPRINTF(fmt, ...) do {} while(0)
53#endif
54
55#define ACMD41_ENQUIRY_MASK 0x00ffffff
56#define OCR_POWER_UP 0x80000000
57#define OCR_POWER_DELAY_NS 500000
58
59typedef enum {
60 sd_r0 = 0,
61 sd_r1,
62 sd_r2_i,
63 sd_r2_s,
64 sd_r3,
65 sd_r6 = 6,
66 sd_r7,
67 sd_r1b = -1,
68 sd_illegal = -2,
69} sd_rsp_type_t;
70
71enum SDCardModes {
72 sd_inactive,
73 sd_card_identification_mode,
74 sd_data_transfer_mode,
75};
76
77enum SDCardStates {
78 sd_inactive_state = -1,
79 sd_idle_state = 0,
80 sd_ready_state,
81 sd_identification_state,
82 sd_standby_state,
83 sd_transfer_state,
84 sd_sendingdata_state,
85 sd_receivingdata_state,
86 sd_programming_state,
87 sd_disconnect_state,
88};
89
90struct SDState {
91 DeviceState parent_obj;
92
93 uint32_t mode;
94 int32_t state;
95 uint32_t ocr;
96 QEMUTimer *ocr_power_timer;
97 uint8_t scr[8];
98 uint8_t cid[16];
99 uint8_t csd[16];
100 uint8_t ext_csd[512];
101 uint16_t rca;
102 uint32_t card_status;
103 uint8_t sd_status[64];
104 uint32_t vhs;
105 bool wp_switch;
106 unsigned long *wp_groups;
107 int32_t wpgrps_size;
108 uint64_t size;
109 uint32_t blk_len;
110 uint32_t multi_blk_cnt;
111 uint32_t erase_start;
112 uint32_t erase_end;
113 uint8_t pwd[16];
114 uint32_t pwd_len;
115 uint8_t function_group[6];
116
117 bool spi;
118 bool mmc;
119 uint8_t current_cmd;
120
121
122
123 bool expecting_acmd;
124 uint32_t blk_written;
125 uint64_t data_start;
126 uint32_t data_offset;
127 uint8_t data[512];
128 qemu_irq readonly_cb;
129 qemu_irq inserted_cb;
130 BlockBackend *blk;
131 uint8_t *buf;
132
133 bool uhs;
134 uint8_t dat_lines;
135 bool cmd_line;
136
137 bool enable;
138};
139
140uint8_t sd_get_dat_lines(SDState *sd)
141{
142 return sd->dat_lines;
143}
144
145bool sd_get_cmd_line(SDState *sd)
146{
147 return sd->cmd_line;
148}
149
150void sd_set_voltage(SDState *sd, int v)
151{
152 switch (v) {
153 case SD_VOLTAGE_18:
154 if (!sd->uhs) {
155 qemu_log_mask(LOG_GUEST_ERROR, "SD card not in correct state for"
156 "1.8V switch\n");
157 } else {
158 sd->cmd_line = true;
159 sd->dat_lines = 0xf;
160 }
161 default:
162 qemu_log_mask(LOG_UNIMP, "SD card voltage switch not implemented: %d\n",
163 v);
164 }
165}
166
167static void sd_set_mode(SDState *sd)
168{
169 switch (sd->state) {
170 case sd_inactive_state:
171 sd->mode = sd_inactive;
172 break;
173
174 case sd_idle_state:
175 case sd_ready_state:
176 case sd_identification_state:
177 sd->mode = sd_card_identification_mode;
178 break;
179
180 case sd_standby_state:
181 case sd_transfer_state:
182 case sd_sendingdata_state:
183 case sd_receivingdata_state:
184 case sd_programming_state:
185 case sd_disconnect_state:
186 sd->mode = sd_data_transfer_mode;
187 break;
188 }
189}
190
191static const sd_cmd_type_t sd_cmd_type[64] = {
192 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
193 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
194 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
195 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
196 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
197 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
198 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
199 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
200};
201
202static const int sd_cmd_class[64] = {
203 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
204 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
205 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
206 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
207};
208
209static const uint32_t sd_tunning_data[16] = {
210 0xFF0FFF00, 0xFFCC3CC, 0xC33CCCFF, 0xFEFFFEEF,
211 0xFFDFFFDD, 0xFFFBFFFB, 0XBFFF7FFF, 0X77F7BDEF,
212 0XFFF0FFF0, 0X0FFCCC3C, 0XCC33CCCF, 0XFFEFFFEE,
213 0XFFFDFFFD, 0XDFFFBFFF, 0XBBFFF7FF, 0XF77F7BDE,
214};
215
216static const uint8_t emmc_tunning_data_8bit[128] = {
217 0xff, 0xff, 0x00, 0xff, 0xff, 0xff, 0x00, 0x00,
218 0xff, 0xff, 0xcc, 0xcc, 0xcc, 0x33, 0xcc, 0xcc,
219 0xcc, 0x33, 0x33, 0xcc, 0xcc, 0xcc, 0xff, 0xff,
220 0xff, 0xee, 0xff, 0xff, 0xff, 0xee, 0xee, 0xff,
221 0xff, 0xff, 0xdd, 0xff, 0xff, 0xff, 0xdd, 0xdd,
222 0xff, 0xff, 0xff, 0xbb, 0xff, 0xff, 0xff, 0xbb,
223 0xbb, 0xff, 0xff, 0xff, 0x77, 0xff, 0xff, 0xff,
224 0x77, 0x77, 0xff, 0x77, 0xbb, 0xdd, 0xee, 0xff,
225 0xff, 0xff, 0xff, 0x00, 0xff, 0xff, 0xff, 0x00,
226 0x00, 0xff, 0xff, 0xcc, 0xcc, 0xcc, 0x33, 0xcc,
227 0xcc, 0xcc, 0x33, 0x33, 0xcc, 0xcc, 0xcc, 0xff,
228 0xff, 0xff, 0xee, 0xff, 0xff, 0xff, 0xee, 0xee,
229 0xff, 0xff, 0xff, 0xdd, 0xff, 0xff, 0xff, 0xdd,
230 0xdd, 0xff, 0xff, 0xff, 0xbb, 0xff, 0xff, 0xff,
231 0xbb, 0xbb, 0xff, 0xff, 0xff, 0x77, 0xff, 0xff,
232 0xff, 0x77, 0x77, 0xff, 0x77, 0xbb, 0xdd, 0xee,
233};
234
235static uint8_t sd_crc7(void *message, size_t width)
236{
237 int i, bit;
238 uint8_t shift_reg = 0x00;
239 uint8_t *msg = (uint8_t *) message;
240
241 for (i = 0; i < width; i ++, msg ++)
242 for (bit = 7; bit >= 0; bit --) {
243 shift_reg <<= 1;
244 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
245 shift_reg ^= 0x89;
246 }
247
248 return shift_reg;
249}
250
251static uint16_t sd_crc16(void *message, size_t width)
252{
253 int i, bit;
254 uint16_t shift_reg = 0x0000;
255 uint16_t *msg = (uint16_t *) message;
256 width <<= 1;
257
258 for (i = 0; i < width; i ++, msg ++)
259 for (bit = 15; bit >= 0; bit --) {
260 shift_reg <<= 1;
261 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
262 shift_reg ^= 0x1011;
263 }
264
265 return shift_reg;
266}
267
268static void sd_set_ocr(SDState *sd)
269{
270
271 sd->ocr = 0x80ffff00 | (sd->mmc ? 0 : 1 << 24);
272}
273
274static void sd_ocr_powerup(void *opaque)
275{
276 SDState *sd = opaque;
277
278
279 assert(!(sd->ocr & OCR_POWER_UP));
280 sd->ocr |= OCR_POWER_UP;
281}
282
283static void sd_set_scr(SDState *sd)
284{
285 sd->scr[0] = 0x00;
286 sd->scr[1] = 0x2f;
287 sd->scr[2] = 0x00;
288 sd->scr[3] = 0x00;
289 sd->scr[4] = 0x00;
290 sd->scr[5] = 0x00;
291 sd->scr[6] = 0x00;
292 sd->scr[7] = 0x00;
293}
294
295#define MID 0xaa
296#define OID "XY"
297#define PNM "QEMU!"
298#define PRV 0x01
299#define MDT_YR 2006
300#define MDT_MON 2
301
302static void sd_set_cid(SDState *sd)
303{
304 sd->cid[0] = MID;
305 sd->cid[1] = OID[0];
306 sd->cid[2] = OID[1];
307 sd->cid[3] = PNM[0];
308 sd->cid[4] = PNM[1];
309 sd->cid[5] = PNM[2];
310 sd->cid[6] = PNM[3];
311 sd->cid[7] = PNM[4];
312 sd->cid[8] = PRV;
313 sd->cid[9] = 0xde;
314 sd->cid[10] = 0xad;
315 sd->cid[11] = 0xbe;
316 sd->cid[12] = 0xef;
317 sd->cid[13] = 0x00 |
318 ((MDT_YR - 2000) / 10);
319 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
320 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
321}
322
323#define HWBLOCK_SHIFT 9
324#define SECTOR_SHIFT 5
325#define WPGROUP_SHIFT 7
326#define CMULT_SHIFT 9
327#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
328
329static const uint8_t sd_csd_rw_mask[16] = {
330 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
331 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
332};
333
334static void sd_set_ext_csd(SDState *sd)
335{
336
337 memset(sd->ext_csd, 0, sizeof(sd->ext_csd));
338 sd->ext_csd[196] = 0x3f;
339}
340
341static void sd_set_csd(SDState *sd, uint64_t size)
342{
343 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
344 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
345 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
346
347 if (size <= 0x40000000) {
348 sd->csd[0] = 0x00;
349 sd->csd[1] = 0x26;
350 sd->csd[2] = 0x00;
351 sd->csd[3] = 0x5a;
352 sd->csd[4] = 0x5f;
353 sd->csd[5] = 0x50 |
354 HWBLOCK_SHIFT;
355 sd->csd[6] = 0xe0 |
356 ((csize >> 10) & 0x03);
357 sd->csd[7] = 0x00 |
358 ((csize >> 2) & 0xff);
359 sd->csd[8] = 0x3f |
360 ((csize << 6) & 0xc0);
361 sd->csd[9] = 0xfc |
362 ((CMULT_SHIFT - 2) >> 1);
363 sd->csd[10] = 0x40 |
364 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
365 sd->csd[11] = 0x00 |
366 ((sectsize << 7) & 0x80) | wpsize;
367 sd->csd[12] = 0x90 |
368 (HWBLOCK_SHIFT >> 2);
369 sd->csd[13] = 0x20 |
370 ((HWBLOCK_SHIFT << 6) & 0xc0);
371 sd->csd[14] = 0x00;
372 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
373 } else {
374 size /= 512 * 1024;
375 size -= 1;
376 sd->csd[0] = 0x40;
377 sd->csd[1] = 0x0e;
378 sd->csd[2] = 0x00;
379 sd->csd[3] = 0x32;
380 sd->csd[4] = 0x5b;
381 sd->csd[5] = 0x59;
382 sd->csd[6] = 0x00;
383 sd->csd[7] = (size >> 16) & 0xff;
384 sd->csd[8] = (size >> 8) & 0xff;
385 sd->csd[9] = (size & 0xff);
386 sd->csd[10] = 0x7f;
387 sd->csd[11] = 0x80;
388 sd->csd[12] = 0x0a;
389 sd->csd[13] = 0x40;
390 sd->csd[14] = 0x00;
391 sd->csd[15] = 0x00;
392 sd->ocr |= 1 << 30;
393 }
394}
395
396static void sd_set_rca(SDState *sd, uint32_t val)
397{
398 sd->rca = val;
399}
400
401
402
403
404
405
406#define CARD_STATUS_A 0x02004100
407#define CARD_STATUS_B 0x00c01e00
408#define CARD_STATUS_C 0xfd39a0a8
409
410static void sd_set_cardstatus(SDState *sd)
411{
412 sd->card_status = 0x00000100;
413}
414
415static void sd_set_sdstatus(SDState *sd)
416{
417 memset(sd->sd_status, 0, 64);
418}
419
420static int sd_req_crc_validate(SDRequest *req)
421{
422 uint8_t buffer[5];
423 buffer[0] = 0x40 | req->cmd;
424 buffer[1] = (req->arg >> 24) & 0xff;
425 buffer[2] = (req->arg >> 16) & 0xff;
426 buffer[3] = (req->arg >> 8) & 0xff;
427 buffer[4] = (req->arg >> 0) & 0xff;
428 return 0;
429 return sd_crc7(buffer, 5) != req->crc;
430}
431
432static void sd_response_r1_make(SDState *sd, uint8_t *response)
433{
434 uint32_t status = sd->card_status;
435
436 sd->card_status &= ~CARD_STATUS_C;
437
438 response[0] = (status >> 24) & 0xff;
439 response[1] = (status >> 16) & 0xff;
440 response[2] = (status >> 8) & 0xff;
441 response[3] = (status >> 0) & 0xff;
442}
443
444static void sd_response_r3_make(SDState *sd, uint8_t *response)
445{
446 response[0] = (sd->ocr >> 24) & 0xff;
447 response[1] = (sd->ocr >> 16) & 0xff;
448 response[2] = (sd->ocr >> 8) & 0xff;
449 response[3] = (sd->ocr >> 0) & 0xff;
450}
451
452static void sd_response_r6_make(SDState *sd, uint8_t *response)
453{
454 uint16_t arg;
455 uint16_t status;
456
457 arg = sd->rca;
458 status = ((sd->card_status >> 8) & 0xc000) |
459 ((sd->card_status >> 6) & 0x2000) |
460 (sd->card_status & 0x1fff);
461 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
462
463 response[0] = (arg >> 8) & 0xff;
464 response[1] = arg & 0xff;
465 response[2] = (status >> 8) & 0xff;
466 response[3] = status & 0xff;
467}
468
469static void sd_response_r7_make(SDState *sd, uint8_t *response)
470{
471 response[0] = (sd->vhs >> 24) & 0xff;
472 response[1] = (sd->vhs >> 16) & 0xff;
473 response[2] = (sd->vhs >> 8) & 0xff;
474 response[3] = (sd->vhs >> 0) & 0xff;
475}
476
477static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
478{
479 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
480}
481
482static void sd_reset(DeviceState *dev)
483{
484 SDState *sd = SD_CARD(dev);
485 uint64_t size;
486 uint64_t sect;
487
488 if (sd->blk) {
489 blk_get_geometry(sd->blk, §);
490 } else {
491 sect = 0;
492 }
493 size = sect << 9;
494
495 sect = sd_addr_to_wpnum(size) + 1;
496
497 sd->state = sd_idle_state;
498 sd->rca = 0x0000;
499 sd_set_ocr(sd);
500 sd_set_scr(sd);
501 sd_set_cid(sd);
502 sd_set_csd(sd, size);
503 sd_set_ext_csd(sd);
504 sd_set_cardstatus(sd);
505 sd_set_sdstatus(sd);
506
507 g_free(sd->wp_groups);
508 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
509 sd->wpgrps_size = sect;
510 sd->wp_groups = bitmap_new(sd->wpgrps_size);
511 memset(sd->function_group, 0, sizeof(sd->function_group));
512 sd->erase_start = 0;
513 sd->erase_end = 0;
514 sd->size = size;
515 sd->blk_len = 0x200;
516 sd->pwd_len = 0;
517 sd->expecting_acmd = false;
518 sd->dat_lines = 0xf;
519 sd->cmd_line = true;
520 sd->multi_blk_cnt = 0;
521}
522
523static bool sd_get_inserted(SDState *sd)
524{
525 return sd->blk && blk_is_inserted(sd->blk);
526}
527
528static bool sd_get_readonly(SDState *sd)
529{
530 return sd->wp_switch;
531}
532
533static void sd_cardchange(void *opaque, bool load)
534{
535 SDState *sd = opaque;
536 DeviceState *dev = DEVICE(sd);
537 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev));
538 bool inserted = sd_get_inserted(sd);
539 bool readonly = sd_get_readonly(sd);
540
541 if (inserted) {
542 sd_reset(dev);
543 }
544
545
546
547
548 if (sdbus) {
549 sdbus_set_inserted(sdbus, inserted);
550 if (inserted) {
551 sdbus_set_readonly(sdbus, readonly);
552 }
553 } else {
554 qemu_set_irq(sd->inserted_cb, inserted);
555 if (inserted) {
556 qemu_set_irq(sd->readonly_cb, readonly);
557 }
558 }
559}
560
561static const BlockDevOps sd_block_ops = {
562 .change_media_cb = sd_cardchange,
563};
564
565static bool sd_ocr_vmstate_needed(void *opaque)
566{
567 SDState *sd = opaque;
568
569
570 return !(sd->ocr & OCR_POWER_UP);
571}
572
573static const VMStateDescription sd_ocr_vmstate = {
574 .name = "sd-card/ocr-state",
575 .version_id = 1,
576 .minimum_version_id = 1,
577 .needed = sd_ocr_vmstate_needed,
578 .fields = (VMStateField[]) {
579 VMSTATE_UINT32(ocr, SDState),
580 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
581 VMSTATE_END_OF_LIST()
582 },
583};
584
585static int sd_vmstate_pre_load(void *opaque)
586{
587 SDState *sd = opaque;
588
589
590
591
592
593 sd_ocr_powerup(sd);
594
595 return 0;
596}
597
598static const VMStateDescription sd_vmstate = {
599 .name = "sd-card",
600 .version_id = 1,
601 .minimum_version_id = 1,
602 .pre_load = sd_vmstate_pre_load,
603 .fields = (VMStateField[]) {
604 VMSTATE_UINT32(mode, SDState),
605 VMSTATE_INT32(state, SDState),
606 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
607 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
608 VMSTATE_UINT16(rca, SDState),
609 VMSTATE_UINT32(card_status, SDState),
610 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
611 VMSTATE_UINT32(vhs, SDState),
612 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
613 VMSTATE_UINT32(blk_len, SDState),
614 VMSTATE_UINT32(multi_blk_cnt, SDState),
615 VMSTATE_UINT32(erase_start, SDState),
616 VMSTATE_UINT32(erase_end, SDState),
617 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
618 VMSTATE_UINT32(pwd_len, SDState),
619 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
620 VMSTATE_UINT8(current_cmd, SDState),
621 VMSTATE_BOOL(expecting_acmd, SDState),
622 VMSTATE_UINT32(blk_written, SDState),
623 VMSTATE_UINT64(data_start, SDState),
624 VMSTATE_UINT32(data_offset, SDState),
625 VMSTATE_UINT8_ARRAY(data, SDState, 512),
626 VMSTATE_UNUSED_V(1, 512),
627 VMSTATE_BOOL(enable, SDState),
628 VMSTATE_END_OF_LIST()
629 },
630 .subsections = (const VMStateDescription*[]) {
631 &sd_ocr_vmstate,
632 NULL
633 },
634};
635
636
637
638static SDState *sd_do_init(BlockBackend *blk, bool is_spi, bool is_mmc)
639{
640 Object *obj;
641 DeviceState *dev;
642 Error *err = NULL;
643
644 obj = object_new(TYPE_SD_CARD);
645 dev = DEVICE(obj);
646
647 qdev_prop_set_drive(dev, "drive", blk, NULL);
648 if (err) {
649 error_report("sd_init failed: %s", error_get_pretty(err));
650 return NULL;
651 }
652 qdev_prop_set_bit(dev, "spi", is_spi);
653 qdev_prop_set_bit(dev, "mmc", is_mmc);
654 object_property_set_bool(obj, true, "realized", &err);
655 if (err) {
656 error_report("sd_init failed: %s", error_get_pretty(err));
657 return NULL;
658 }
659
660 return SD_CARD(dev);
661}
662
663SDState *sd_init(BlockBackend *bs, bool is_spi)
664{
665 return sd_do_init(bs, is_spi, false);
666}
667
668SDState *mmc_init(BlockBackend *bs)
669{
670 return sd_do_init(bs, false, true);
671}
672
673void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
674{
675 sd->readonly_cb = readonly;
676 sd->inserted_cb = insert;
677 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
678 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
679}
680
681static void sd_erase(SDState *sd)
682{
683 int i;
684 uint64_t erase_start = sd->erase_start;
685 uint64_t erase_end = sd->erase_end;
686
687 if (!sd->erase_start || !sd->erase_end) {
688 sd->card_status |= ERASE_SEQ_ERROR;
689 return;
690 }
691
692 if (extract32(sd->ocr, OCR_CCS_BITN, 1)) {
693
694 erase_start *= 512;
695 erase_end *= 512;
696 }
697
698 erase_start = sd_addr_to_wpnum(erase_start);
699 erase_end = sd_addr_to_wpnum(erase_end);
700 sd->erase_start = 0;
701 sd->erase_end = 0;
702 sd->csd[14] |= 0x40;
703
704 for (i = erase_start; i <= erase_end; i++) {
705 if (test_bit(i, sd->wp_groups)) {
706 sd->card_status |= WP_ERASE_SKIP;
707 }
708 }
709}
710
711static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
712{
713 uint32_t i, wpnum;
714 uint32_t ret = 0;
715
716 wpnum = sd_addr_to_wpnum(addr);
717
718 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
719 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
720 ret |= (1 << i);
721 }
722 }
723
724 return ret;
725}
726
727enum {
728 SD_FN_ACCESS_MODE = 1,
729 SD_FN_COMMAND_SYSTEM,
730 SD_FN_DRIVER_STRENGTH,
731 SD_FN_CURRENT_LIMIT,
732 SD_FN_RSVD_5,
733 SD_FN_RSVD_6,
734};
735
736typedef struct sd_fn_support {
737 const char *name;
738 bool uhs_only;
739 bool unimp;
740} sd_fn_support;
741
742static const sd_fn_support *sd_fn_support_defs [] = {
743 [SD_FN_ACCESS_MODE] = (sd_fn_support [15]) {
744 [0] = { .name = "default/SDR12" },
745 [1] = { .name = "high-speed/SDR25" },
746 [2] = { .name = "SDR50", .uhs_only = true },
747 [3] = { .name = "SDR104", .uhs_only = true },
748 [4] = { .name = "DDR50", .uhs_only = true },
749 },
750 [SD_FN_COMMAND_SYSTEM] = (sd_fn_support [15]) {
751 [0] = { .name = "default" },
752 [1] = { .name = "For eC" },
753 [3] = { .name = "OTP", .unimp = true },
754 [4] = { .name = "ASSD", .unimp = true },
755 },
756 [SD_FN_DRIVER_STRENGTH] = (sd_fn_support [15]) {
757 [0] = { .name = "default/Type B" },
758 [1] = { .name = "Type A", .uhs_only = true },
759 [2] = { .name = "Type C", .uhs_only = true },
760 [3] = { .name = "Type D", .uhs_only = true },
761 },
762 [SD_FN_CURRENT_LIMIT] = (sd_fn_support [15]) {
763 [0] = { .name = "default/200mA" },
764 [1] = { .name = "400mA", .uhs_only = true },
765 [2] = { .name = "600mA", .uhs_only = true },
766 [3] = { .name = "800mA", .uhs_only = true },
767 },
768 [SD_FN_RSVD_5] = (sd_fn_support [15]) {
769 [0] = { .name = "default" },
770 },
771 [SD_FN_RSVD_6] = (sd_fn_support [15]) {
772 [0] = { .name = "default" },
773 },
774};
775
776#define SD_FN_NO_INFLUENCE (1 << 15)
777
778enum {
779 MMC_CMD6_ACCESS_COMMAND_SET = 0,
780 MMC_CMD6_ACCESS_SET_BITS,
781 MMC_CMD6_ACCESS_CLEAR_BITS,
782 MMC_CMD6_ACCESS_WRITE_BYTE,
783};
784
785static void mmc_function_switch(SDState *sd, uint32_t arg)
786{
787 uint32_t access = extract32(arg, 24, 2);
788 uint32_t index = extract32(arg, 16, 8);
789 uint32_t value = extract32(arg, 8, 8);
790 uint8_t b = sd->ext_csd[index];
791
792 switch(access) {
793 case MMC_CMD6_ACCESS_COMMAND_SET:
794 qemu_log_mask(LOG_UNIMP, "MMC Command set switching not supported\n");
795 return;
796 case MMC_CMD6_ACCESS_SET_BITS:
797 b |= value;
798 break;
799 case MMC_CMD6_ACCESS_CLEAR_BITS:
800 b &= ~value;
801 break;
802 case MMC_CMD6_ACCESS_WRITE_BYTE:
803 b = value;
804 break;
805 }
806
807 if (index >= 192) {
808 sd->card_status |= SWTICH_ERROR;
809 return;
810 }
811
812 sd->ext_csd[index] = b;
813}
814
815static void sd_function_switch(SDState *sd, uint32_t arg)
816{
817 int fn_grp, new_func, crc, i;
818 uint8_t *data_p;
819 bool mode = arg & 0x80000000;
820
821 sd->data[0] = 0x00;
822 sd->data[1] = 0x01;
823
824 data_p = &sd->data[2];
825 for (fn_grp = 6; fn_grp >= 1; fn_grp--) {
826 uint16_t supported_fns = SD_FN_NO_INFLUENCE;
827 for (i = 0; i < 15; ++i) {
828 const sd_fn_support *def = &sd_fn_support_defs[fn_grp][i];
829
830 if (def->name && !def->unimp && !(def->uhs_only && !sd->uhs)) {
831 supported_fns |= 1 << i;
832 }
833 }
834 *(data_p++) = supported_fns >> 8;
835 *(data_p++) = supported_fns;
836 }
837
838 assert(data_p == &sd->data[14]);
839
840 for (fn_grp = 6; fn_grp >= 1; fn_grp--) {
841 new_func = (arg >> ((fn_grp - 1) * 4)) & 0x0f;
842 if (new_func == 0xf) {
843 new_func = sd->function_group[fn_grp - 1];
844 } else if (mode) {
845 const sd_fn_support *def = &sd_fn_support_defs[fn_grp][new_func];
846
847 if (!def->name) {
848 qemu_log_mask(LOG_GUEST_ERROR, "Function %d not a valid for "
849 "function group %d\n", new_func, fn_grp);
850 new_func = 0xf;
851 } else if (def->unimp) {
852 qemu_log_mask(LOG_UNIMP, "Function %s (fn grp %d) is not "
853 "implemented\n", def->name, fn_grp);
854 new_func = 0xf;
855 } else if (def->uhs_only && !sd->uhs) {
856 qemu_log_mask(LOG_GUEST_ERROR, "Function %s (fn grp %d) only "
857 "valid in UHS mode\n", def->name, fn_grp);
858 new_func = 0xf;
859 } else {
860 DPRINTF("Function %s selected (fn grp %d)\n",
861 def->name, fn_grp);
862 sd->function_group[fn_grp - 1] = new_func;
863 }
864 }
865 if (!(fn_grp & 0x1)) {
866 *data_p = new_func << 4;
867 } else {
868 *(data_p++) |= new_func;
869 }
870 }
871 memset(&sd->data[17], 0, 47);
872 crc = sd_crc16(sd->data, 64);
873 sd->data[65] = crc >> 8;
874 sd->data[66] = crc & 0xff;
875}
876
877static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
878{
879 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
880}
881
882static void sd_lock_command(SDState *sd)
883{
884 int erase, lock, clr_pwd, set_pwd, pwd_len;
885 erase = !!(sd->data[0] & 0x08);
886 lock = sd->data[0] & 0x04;
887 clr_pwd = sd->data[0] & 0x02;
888 set_pwd = sd->data[0] & 0x01;
889
890 if (sd->blk_len > 1)
891 pwd_len = sd->data[1];
892 else
893 pwd_len = 0;
894
895 if (erase) {
896 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
897 set_pwd || clr_pwd || lock || sd->wp_switch ||
898 (sd->csd[14] & 0x20)) {
899 sd->card_status |= LOCK_UNLOCK_FAILED;
900 return;
901 }
902 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
903 sd->csd[14] &= ~0x10;
904 sd->card_status &= ~CARD_IS_LOCKED;
905 sd->pwd_len = 0;
906
907 fprintf(stderr, "SD: Card force-erased by CMD42\n");
908 return;
909 }
910
911 if (sd->blk_len < 2 + pwd_len ||
912 pwd_len <= sd->pwd_len ||
913 pwd_len > sd->pwd_len + 16) {
914 sd->card_status |= LOCK_UNLOCK_FAILED;
915 return;
916 }
917
918 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
919 sd->card_status |= LOCK_UNLOCK_FAILED;
920 return;
921 }
922
923 pwd_len -= sd->pwd_len;
924 if ((pwd_len && !set_pwd) ||
925 (clr_pwd && (set_pwd || lock)) ||
926 (lock && !sd->pwd_len && !set_pwd) ||
927 (!set_pwd && !clr_pwd &&
928 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
929 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
930 sd->card_status |= LOCK_UNLOCK_FAILED;
931 return;
932 }
933
934 if (set_pwd) {
935 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
936 sd->pwd_len = pwd_len;
937 }
938
939 if (clr_pwd) {
940 sd->pwd_len = 0;
941 }
942
943 if (lock)
944 sd->card_status |= CARD_IS_LOCKED;
945 else
946 sd->card_status &= ~CARD_IS_LOCKED;
947}
948
949static sd_rsp_type_t sd_normal_command(SDState *sd,
950 SDRequest req)
951{
952 uint32_t rca = 0x0000;
953 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
954
955
956 sd->card_status &= ~APP_CMD;
957
958 if (sd_cmd_type[req.cmd & 0x3F] == sd_ac
959 || sd_cmd_type[req.cmd & 0x3F] == sd_adtc) {
960 rca = req.arg >> 16;
961 }
962
963
964
965 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
966 sd->multi_blk_cnt = 0;
967 }
968
969 DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state);
970 switch (req.cmd) {
971
972 case 0:
973 switch (sd->state) {
974 case sd_inactive_state:
975 return sd->spi ? sd_r1 : sd_r0;
976
977 default:
978 sd->state = sd_idle_state;
979 sd_reset(DEVICE(sd));
980 return sd->spi ? sd_r1 : sd_r0;
981 }
982 break;
983
984 case 1:
985
986 if (!sd->mmc) {
987 return sd_r0;
988 }
989 if (sd->spi) {
990
991 sd->state = sd_transfer_state;
992 return sd_r1;
993 }
994 switch (sd->state) {
995 case sd_idle_state:
996
997 if (req.arg)
998 sd->state = sd_ready_state;
999
1000 return sd_r3;
1001
1002 default:
1003 break;
1004 }
1005 break;
1006
1007 case 2:
1008 if (sd->spi)
1009 goto bad_cmd;
1010 switch (sd->state) {
1011 case sd_ready_state:
1012 sd->state = sd_identification_state;
1013 return sd_r2_i;
1014
1015 default:
1016 break;
1017 }
1018 break;
1019
1020 case 3:
1021 if (sd->spi)
1022 goto bad_cmd;
1023 switch (sd->state) {
1024 case sd_identification_state:
1025 case sd_standby_state:
1026 sd->state = sd_standby_state;
1027 sd_set_rca(sd, sd->mmc ? extract32(req.arg, 16, 16) : 0x4567);
1028 return sd->mmc ? sd_r1 : sd_r6;
1029
1030 default:
1031 break;
1032 }
1033 break;
1034
1035 case 4:
1036 if (sd->spi)
1037 goto bad_cmd;
1038 switch (sd->state) {
1039 case sd_standby_state:
1040 break;
1041
1042 default:
1043 break;
1044 }
1045 break;
1046
1047 case 5:
1048 return sd_illegal;
1049
1050 case 6:
1051 if (sd->spi)
1052 goto bad_cmd;
1053 switch (sd->mode) {
1054 case sd_data_transfer_mode:
1055 if (sd->mmc) {
1056 sd->state = sd_programming_state;
1057 mmc_function_switch(sd, req.arg);
1058
1059 sd->state = sd_transfer_state;
1060 return sd_r1b;
1061 } else {
1062 sd_function_switch(sd, req.arg);
1063 sd->state = sd_sendingdata_state;
1064 sd->data_start = 0;
1065 sd->data_offset = 0;
1066 return sd_r1;
1067 }
1068 default:
1069 break;
1070 }
1071 break;
1072
1073 case 7:
1074 if (sd->spi)
1075 goto bad_cmd;
1076 switch (sd->state) {
1077 case sd_standby_state:
1078 if (sd->rca != rca)
1079 return sd_r0;
1080
1081 sd->state = sd_transfer_state;
1082 return sd_r1b;
1083
1084 case sd_transfer_state:
1085 case sd_sendingdata_state:
1086 if (sd->rca == rca)
1087 break;
1088
1089 sd->state = sd_standby_state;
1090 return sd_r1b;
1091
1092 case sd_disconnect_state:
1093 if (sd->rca != rca)
1094 return sd_r0;
1095
1096 sd->state = sd_programming_state;
1097 return sd_r1b;
1098
1099 case sd_programming_state:
1100 if (sd->rca == rca)
1101 break;
1102
1103 sd->state = sd_disconnect_state;
1104 return sd_r1b;
1105
1106 default:
1107 break;
1108 }
1109 break;
1110
1111 case 8:
1112 if (sd->spi) {
1113 goto bad_cmd;
1114 }
1115
1116 switch (sd->state) {
1117 case sd_idle_state:
1118 sd->vhs = 0;
1119
1120
1121 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1122 return sd->spi ? sd_r7 : sd_r0;
1123 }
1124
1125
1126 sd->vhs = req.arg;
1127 return sd_r7;
1128 case sd_transfer_state:
1129 if (!sd->mmc) {
1130 break;
1131 }
1132 sd->state = sd_sendingdata_state;
1133 memcpy(sd->data, sd->ext_csd, 512);
1134 sd->data_start = 0;
1135 sd->data_offset = 0;
1136 return sd_r1;
1137 default:
1138 break;
1139 }
1140 break;
1141
1142 case 9:
1143 switch (sd->state) {
1144 case sd_standby_state:
1145 if (sd->rca != rca)
1146 return sd_r0;
1147
1148 return sd_r2_s;
1149
1150 case sd_transfer_state:
1151 if (!sd->spi)
1152 break;
1153 sd->state = sd_sendingdata_state;
1154 memcpy(sd->data, sd->csd, 16);
1155 sd->data_start = addr;
1156 sd->data_offset = 0;
1157 return sd_r1;
1158
1159 default:
1160 break;
1161 }
1162 break;
1163
1164 case 10:
1165 switch (sd->state) {
1166 case sd_standby_state:
1167 if (sd->rca != rca)
1168 return sd_r0;
1169
1170 return sd_r2_i;
1171
1172 case sd_transfer_state:
1173 if (!sd->spi)
1174 break;
1175 sd->state = sd_sendingdata_state;
1176 memcpy(sd->data, sd->cid, 16);
1177 sd->data_start = addr;
1178 sd->data_offset = 0;
1179 return sd_r1;
1180
1181 default:
1182 break;
1183 }
1184 break;
1185
1186 case 11:
1187 switch (sd->state) {
1188 case sd_ready_state:
1189 sd->uhs = true;
1190 sd->dat_lines = 0;
1191 sd->cmd_line = false;
1192 return sd_r1;
1193 default:
1194 break;
1195 }
1196
1197 case 12:
1198 switch (sd->state) {
1199 case sd_sendingdata_state:
1200 sd->state = sd_transfer_state;
1201 return sd_r1b;
1202
1203 case sd_receivingdata_state:
1204 sd->state = sd_programming_state;
1205
1206 sd->state = sd_transfer_state;
1207 return sd_r1b;
1208
1209 default:
1210 break;
1211 }
1212 break;
1213
1214 case 13:
1215 switch (sd->mode) {
1216 case sd_data_transfer_mode:
1217 if (sd->rca != rca)
1218 return sd_r0;
1219
1220 return sd_r1;
1221
1222 default:
1223 break;
1224 }
1225 break;
1226
1227 case 15:
1228 if (sd->spi)
1229 goto bad_cmd;
1230 switch (sd->mode) {
1231 case sd_data_transfer_mode:
1232 if (sd->rca != rca)
1233 return sd_r0;
1234
1235 sd->state = sd_inactive_state;
1236 return sd_r0;
1237
1238 default:
1239 break;
1240 }
1241 break;
1242
1243
1244 case 16:
1245 switch (sd->state) {
1246 case sd_transfer_state:
1247 if (req.arg > (1 << HWBLOCK_SHIFT))
1248 sd->card_status |= BLOCK_LEN_ERROR;
1249 else
1250 sd->blk_len = req.arg;
1251
1252 return sd_r1;
1253
1254 default:
1255 break;
1256 }
1257 break;
1258
1259 case 17:
1260 switch (sd->state) {
1261 case sd_transfer_state:
1262 sd->state = sd_sendingdata_state;
1263 sd->data_start = addr;
1264 sd->data_offset = 0;
1265
1266 if (sd->data_start + sd->blk_len > sd->size)
1267 sd->card_status |= ADDRESS_ERROR;
1268 return sd_r1;
1269
1270 default:
1271 break;
1272 }
1273 break;
1274
1275 case 18:
1276 switch (sd->state) {
1277 case sd_transfer_state:
1278 sd->state = sd_sendingdata_state;
1279 sd->data_start = addr;
1280 sd->data_offset = 0;
1281
1282 if (sd->data_start + sd->blk_len > sd->size)
1283 sd->card_status |= ADDRESS_ERROR;
1284 return sd_r1;
1285
1286 default:
1287 break;
1288 }
1289 break;
1290
1291 case 19:
1292 switch (sd->state) {
1293 case sd_transfer_state:
1294 sd->state = sd_sendingdata_state;
1295 sd->data_offset = 0;
1296 return sd_r1;
1297 default:
1298 break;
1299 }
1300 break;
1301
1302 case 21:
1303 if (!sd->mmc) {
1304 break;
1305 }
1306 switch (sd->state) {
1307 case sd_transfer_state:
1308 sd->state = sd_sendingdata_state;
1309 sd->data_offset = 0;
1310 return sd_r1;
1311 default:
1312 break;
1313 }
1314
1315 case 23:
1316 switch (sd->state) {
1317 case sd_transfer_state:
1318 sd->multi_blk_cnt = req.arg;
1319 return sd_r1;
1320
1321 default:
1322 break;
1323 }
1324 break;
1325
1326
1327 case 24:
1328 if (sd->spi)
1329 goto unimplemented_cmd;
1330 switch (sd->state) {
1331 case sd_transfer_state:
1332
1333 if (sd->spi)
1334 break;
1335 sd->state = sd_receivingdata_state;
1336 sd->data_start = addr;
1337 sd->data_offset = 0;
1338 sd->blk_written = 0;
1339
1340 if (sd->data_start + sd->blk_len > sd->size)
1341 sd->card_status |= ADDRESS_ERROR;
1342 if (sd_wp_addr(sd, sd->data_start))
1343 sd->card_status |= WP_VIOLATION;
1344 if (sd->csd[14] & 0x30)
1345 sd->card_status |= WP_VIOLATION;
1346 return sd_r1;
1347
1348 default:
1349 break;
1350 }
1351 break;
1352
1353 case 25:
1354 if (sd->spi)
1355 goto unimplemented_cmd;
1356 switch (sd->state) {
1357 case sd_transfer_state:
1358
1359 if (sd->spi)
1360 break;
1361 sd->state = sd_receivingdata_state;
1362 sd->data_start = addr;
1363 sd->data_offset = 0;
1364 sd->blk_written = 0;
1365
1366 if (sd->data_start + sd->blk_len > sd->size)
1367 sd->card_status |= ADDRESS_ERROR;
1368 if (sd_wp_addr(sd, sd->data_start))
1369 sd->card_status |= WP_VIOLATION;
1370 if (sd->csd[14] & 0x30)
1371 sd->card_status |= WP_VIOLATION;
1372 return sd_r1;
1373
1374 default:
1375 break;
1376 }
1377 break;
1378
1379 case 26:
1380 if (sd->spi)
1381 goto bad_cmd;
1382 switch (sd->state) {
1383 case sd_transfer_state:
1384 sd->state = sd_receivingdata_state;
1385 sd->data_start = 0;
1386 sd->data_offset = 0;
1387 return sd_r1;
1388
1389 default:
1390 break;
1391 }
1392 break;
1393
1394 case 27:
1395 if (sd->spi)
1396 goto unimplemented_cmd;
1397 switch (sd->state) {
1398 case sd_transfer_state:
1399 sd->state = sd_receivingdata_state;
1400 sd->data_start = 0;
1401 sd->data_offset = 0;
1402 return sd_r1;
1403
1404 default:
1405 break;
1406 }
1407 break;
1408
1409
1410 case 28:
1411 switch (sd->state) {
1412 case sd_transfer_state:
1413 if (addr >= sd->size) {
1414 sd->card_status |= ADDRESS_ERROR;
1415 return sd_r1b;
1416 }
1417
1418 sd->state = sd_programming_state;
1419 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1420
1421 sd->state = sd_transfer_state;
1422 return sd_r1b;
1423
1424 default:
1425 break;
1426 }
1427 break;
1428
1429 case 29:
1430 switch (sd->state) {
1431 case sd_transfer_state:
1432 if (addr >= sd->size) {
1433 sd->card_status |= ADDRESS_ERROR;
1434 return sd_r1b;
1435 }
1436
1437 sd->state = sd_programming_state;
1438 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1439
1440 sd->state = sd_transfer_state;
1441 return sd_r1b;
1442
1443 default:
1444 break;
1445 }
1446 break;
1447
1448 case 30:
1449 switch (sd->state) {
1450 case sd_transfer_state:
1451 sd->state = sd_sendingdata_state;
1452 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1453 sd->data_start = addr;
1454 sd->data_offset = 0;
1455 return sd_r1b;
1456
1457 default:
1458 break;
1459 }
1460 break;
1461
1462
1463 case 35:
1464 case 32:
1465 switch (sd->state) {
1466 case sd_transfer_state:
1467 sd->erase_start = req.arg;
1468 return sd_r1;
1469
1470 default:
1471 break;
1472 }
1473 break;
1474
1475 case 36:
1476 case 33:
1477 switch (sd->state) {
1478 case sd_transfer_state:
1479 sd->erase_end = req.arg;
1480 return sd_r1;
1481
1482 default:
1483 break;
1484 }
1485 break;
1486
1487 case 38:
1488 switch (sd->state) {
1489 case sd_transfer_state:
1490 if (sd->csd[14] & 0x30) {
1491 sd->card_status |= WP_VIOLATION;
1492 return sd_r1b;
1493 }
1494
1495 sd->state = sd_programming_state;
1496 sd_erase(sd);
1497
1498 sd->state = sd_transfer_state;
1499 return sd_r1b;
1500
1501 default:
1502 break;
1503 }
1504 break;
1505
1506
1507 case 42:
1508 if (sd->spi)
1509 goto unimplemented_cmd;
1510 switch (sd->state) {
1511 case sd_transfer_state:
1512 sd->state = sd_receivingdata_state;
1513 sd->data_start = 0;
1514 sd->data_offset = 0;
1515 return sd_r1;
1516
1517 default:
1518 break;
1519 }
1520 break;
1521
1522 case 52:
1523 case 53:
1524
1525
1526
1527
1528
1529
1530 return sd_illegal;
1531
1532
1533 case 55:
1534 switch (sd->state) {
1535 case sd_idle_state:
1536 case sd_standby_state:
1537 case sd_transfer_state:
1538 case sd_sendingdata_state:
1539 case sd_receivingdata_state:
1540 case sd_programming_state:
1541 case sd_disconnect_state:
1542 if (sd->rca != rca) {
1543 return sd_r0;
1544 }
1545
1546 sd->expecting_acmd = true;
1547 sd->card_status |= APP_CMD;
1548 return sd_r1;
1549
1550 default:
1551 break;
1552 }
1553
1554 case 56:
1555 fprintf(stderr, "SD: GEN_CMD 0x%08x\n", req.arg);
1556
1557 switch (sd->state) {
1558 case sd_transfer_state:
1559 sd->data_offset = 0;
1560 if (req.arg & 1)
1561 sd->state = sd_sendingdata_state;
1562 else
1563 sd->state = sd_receivingdata_state;
1564 return sd_r1;
1565
1566 default:
1567 break;
1568 }
1569 break;
1570
1571 default:
1572 bad_cmd:
1573 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1574 return sd_illegal;
1575
1576 unimplemented_cmd:
1577
1578 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1579 req.cmd);
1580 return sd_illegal;
1581 }
1582
1583 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1584 return sd_illegal;
1585}
1586
1587static sd_rsp_type_t sd_app_command(SDState *sd,
1588 SDRequest req)
1589{
1590 DPRINTF("ACMD%d 0x%08x\n", req.cmd, req.arg);
1591 sd->card_status |= APP_CMD;
1592 switch (req.cmd) {
1593 case 6:
1594 switch (sd->state) {
1595 case sd_transfer_state:
1596 sd->sd_status[0] &= 0x3f;
1597 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1598 return sd_r1;
1599
1600 default:
1601 break;
1602 }
1603 break;
1604
1605 case 13:
1606 switch (sd->state) {
1607 case sd_transfer_state:
1608 sd->state = sd_sendingdata_state;
1609 sd->data_start = 0;
1610 sd->data_offset = 0;
1611 return sd_r1;
1612
1613 default:
1614 break;
1615 }
1616 break;
1617
1618 case 22:
1619 switch (sd->state) {
1620 case sd_transfer_state:
1621 *(uint32_t *) sd->data = sd->blk_written;
1622
1623 sd->state = sd_sendingdata_state;
1624 sd->data_start = 0;
1625 sd->data_offset = 0;
1626 return sd_r1;
1627
1628 default:
1629 break;
1630 }
1631 break;
1632
1633 case 23:
1634 switch (sd->state) {
1635 case sd_transfer_state:
1636 return sd_r1;
1637
1638 default:
1639 break;
1640 }
1641 break;
1642
1643 case 41:
1644 if (sd->spi) {
1645
1646 sd->state = sd_transfer_state;
1647 return sd_r1;
1648 }
1649 switch (sd->state) {
1650 case sd_idle_state:
1651
1652
1653
1654
1655
1656
1657
1658
1659 if (!(sd->ocr & OCR_POWER_UP)) {
1660 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1661 timer_del(sd->ocr_power_timer);
1662 sd_ocr_powerup(sd);
1663 } else if (!timer_pending(sd->ocr_power_timer)) {
1664 timer_mod_ns(sd->ocr_power_timer,
1665 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1666 + OCR_POWER_DELAY_NS));
1667 }
1668 }
1669
1670
1671
1672
1673
1674
1675 if (req.arg & ACMD41_ENQUIRY_MASK) {
1676 sd->state = sd_ready_state;
1677 }
1678
1679 return sd_r3;
1680
1681 default:
1682 break;
1683 }
1684 break;
1685
1686 case 42:
1687 switch (sd->state) {
1688 case sd_transfer_state:
1689
1690 return sd_r1;
1691
1692 default:
1693 break;
1694 }
1695 break;
1696
1697 case 51:
1698 switch (sd->state) {
1699 case sd_transfer_state:
1700 sd->state = sd_sendingdata_state;
1701 sd->data_start = 0;
1702 sd->data_offset = 0;
1703 return sd_r1;
1704
1705 default:
1706 break;
1707 }
1708 break;
1709
1710 default:
1711
1712 return sd_normal_command(sd, req);
1713 }
1714
1715 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1716 return sd_illegal;
1717}
1718
1719static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1720{
1721
1722
1723
1724
1725
1726
1727
1728
1729 if (sd->expecting_acmd) {
1730 return req->cmd == 41 || req->cmd == 42;
1731 }
1732 if (req->cmd == 16 || req->cmd == 55) {
1733 return 1;
1734 }
1735 return sd_cmd_class[req->cmd & 0x3F] == 0
1736 || sd_cmd_class[req->cmd & 0x3F] == 7;
1737}
1738
1739int sd_do_command(SDState *sd, SDRequest *req,
1740 uint8_t *response) {
1741 int last_state;
1742 sd_rsp_type_t rtype;
1743 int rsplen;
1744
1745 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1746 return 0;
1747 }
1748
1749 if (sd_req_crc_validate(req)) {
1750 sd->card_status |= COM_CRC_ERROR;
1751 rtype = sd_illegal;
1752 goto send_response;
1753 }
1754
1755 if (sd->card_status & CARD_IS_LOCKED) {
1756 if (!cmd_valid_while_locked(sd, req)) {
1757 sd->card_status |= ILLEGAL_COMMAND;
1758 sd->expecting_acmd = false;
1759 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1760 rtype = sd_illegal;
1761 goto send_response;
1762 }
1763 }
1764
1765 last_state = sd->state;
1766 sd_set_mode(sd);
1767
1768 if (sd->expecting_acmd) {
1769 sd->expecting_acmd = false;
1770 rtype = sd_app_command(sd, *req);
1771 } else {
1772 rtype = sd_normal_command(sd, *req);
1773 }
1774
1775 if (rtype == sd_illegal) {
1776 sd->card_status |= ILLEGAL_COMMAND;
1777 } else {
1778
1779
1780
1781 sd->current_cmd = req->cmd;
1782 sd->card_status &= ~CURRENT_STATE;
1783 sd->card_status |= (last_state << 9);
1784 }
1785
1786send_response:
1787 switch (rtype) {
1788 case sd_r1:
1789 case sd_r1b:
1790 sd_response_r1_make(sd, response);
1791 rsplen = 4;
1792 break;
1793
1794 case sd_r2_i:
1795 memcpy(response, sd->cid, sizeof(sd->cid));
1796 rsplen = 16;
1797 break;
1798
1799 case sd_r2_s:
1800 memcpy(response, sd->csd, sizeof(sd->csd));
1801 rsplen = 16;
1802 break;
1803
1804 case sd_r3:
1805 sd_response_r3_make(sd, response);
1806 rsplen = 4;
1807 break;
1808
1809 case sd_r6:
1810 sd_response_r6_make(sd, response);
1811 rsplen = 4;
1812 break;
1813
1814 case sd_r7:
1815 sd_response_r7_make(sd, response);
1816 rsplen = 4;
1817 break;
1818
1819 case sd_r0:
1820 case sd_illegal:
1821 default:
1822 rsplen = 0;
1823 break;
1824 }
1825
1826 if (rtype != sd_illegal) {
1827
1828
1829
1830 sd->card_status &= ~CARD_STATUS_B;
1831 }
1832
1833#ifdef DEBUG_SD
1834 if (rsplen) {
1835 int i;
1836 DPRINTF("Response:");
1837 for (i = 0; i < rsplen; i++)
1838 DPRINTF_RAW(" %02x", response[i]);
1839 DPRINTF_RAW(" state %d\n", sd->state);
1840 } else {
1841 DPRINTF("No response %d\n", sd->state);
1842 }
1843#endif
1844
1845 return rsplen;
1846}
1847
1848static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1849{
1850 DPRINTF("sd_blk_read: addr = 0x%08llx, len = %d\n",
1851 (unsigned long long) addr, len);
1852 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1853 fprintf(stderr, "sd_blk_read: read error on host side\n");
1854 }
1855}
1856
1857static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1858{
1859 uint64_t end = addr + len;
1860
1861 if (sd->wp_switch) {
1862 qemu_log_mask(LOG_GUEST_ERROR,
1863 "Write to write protected SD card\n");
1864 return;
1865 }
1866
1867 if ((addr & 511) || len < 512)
1868 if (!sd->blk || blk_read(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1869 fprintf(stderr, "sd_blk_write: read error on host side\n");
1870 return;
1871 }
1872
1873 if (end > (addr & ~511) + 512) {
1874 memcpy(sd->buf + (addr & 511), sd->data, 512 - (addr & 511));
1875 if (blk_write(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1876 fprintf(stderr, "sd_blk_write: write error on host side\n");
1877 return;
1878 }
1879
1880 if (blk_read(sd->blk, end >> 9, sd->buf, 1) < 0) {
1881 fprintf(stderr, "sd_blk_write: read error on host side\n");
1882 return;
1883 }
1884 memcpy(sd->buf, sd->data + 512 - (addr & 511), end & 511);
1885 if (blk_write(sd->blk, end >> 9, sd->buf, 1) < 0) {
1886 fprintf(stderr, "sd_blk_write: write error on host side\n");
1887 }
1888 } else {
1889 memcpy(sd->buf + (addr & 511), sd->data, len);
1890 if (!sd->blk || blk_write(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1891 fprintf(stderr, "sd_blk_write: write error on host side\n");
1892 }
1893 }
1894}
1895
1896#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1897#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1898#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1899#define APP_WRITE_BLOCK(a, len)
1900
1901void sd_write_data(SDState *sd, uint8_t value)
1902{
1903 int i;
1904
1905 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1906 return;
1907
1908 if (sd->state != sd_receivingdata_state) {
1909 qemu_log_mask(LOG_GUEST_ERROR,
1910 "sd_write_data: not in Receiving-Data state\n");
1911 return;
1912 }
1913
1914 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1915 return;
1916
1917 switch (sd->current_cmd) {
1918 case 24:
1919 sd->data[sd->data_offset ++] = value;
1920 if (sd->data_offset >= sd->blk_len) {
1921
1922 sd->state = sd_programming_state;
1923 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1924 sd->blk_written ++;
1925 sd->csd[14] |= 0x40;
1926
1927 sd->state = sd_transfer_state;
1928 }
1929 break;
1930
1931 case 25:
1932 if (sd->data_offset == 0) {
1933
1934 if (sd->data_start + sd->blk_len > sd->size) {
1935 sd->card_status |= ADDRESS_ERROR;
1936 break;
1937 }
1938 if (sd_wp_addr(sd, sd->data_start)) {
1939 sd->card_status |= WP_VIOLATION;
1940 break;
1941 }
1942 }
1943 sd->data[sd->data_offset++] = value;
1944 if (sd->data_offset >= sd->blk_len) {
1945
1946 sd->state = sd_programming_state;
1947 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1948 sd->blk_written++;
1949 sd->data_start += sd->blk_len;
1950 sd->data_offset = 0;
1951 sd->csd[14] |= 0x40;
1952
1953
1954 if (sd->multi_blk_cnt != 0) {
1955 if (--sd->multi_blk_cnt == 0) {
1956
1957 sd->state = sd_transfer_state;
1958 break;
1959 }
1960 }
1961
1962 sd->state = sd_receivingdata_state;
1963 }
1964 break;
1965
1966 case 26:
1967 sd->data[sd->data_offset ++] = value;
1968 if (sd->data_offset >= sizeof(sd->cid)) {
1969
1970 sd->state = sd_programming_state;
1971 for (i = 0; i < sizeof(sd->cid); i ++)
1972 if ((sd->cid[i] | 0x00) != sd->data[i])
1973 sd->card_status |= CID_CSD_OVERWRITE;
1974
1975 if (!(sd->card_status & CID_CSD_OVERWRITE))
1976 for (i = 0; i < sizeof(sd->cid); i ++) {
1977 sd->cid[i] |= 0x00;
1978 sd->cid[i] &= sd->data[i];
1979 }
1980
1981 sd->state = sd_transfer_state;
1982 }
1983 break;
1984
1985 case 27:
1986 sd->data[sd->data_offset ++] = value;
1987 if (sd->data_offset >= sizeof(sd->csd)) {
1988
1989 sd->state = sd_programming_state;
1990 for (i = 0; i < sizeof(sd->csd); i ++)
1991 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1992 (sd->data[i] | sd_csd_rw_mask[i]))
1993 sd->card_status |= CID_CSD_OVERWRITE;
1994
1995
1996 if (sd->csd[14] & ~sd->data[14] & 0x60)
1997 sd->card_status |= CID_CSD_OVERWRITE;
1998
1999 if (!(sd->card_status & CID_CSD_OVERWRITE))
2000 for (i = 0; i < sizeof(sd->csd); i ++) {
2001 sd->csd[i] |= sd_csd_rw_mask[i];
2002 sd->csd[i] &= sd->data[i];
2003 }
2004
2005 sd->state = sd_transfer_state;
2006 }
2007 break;
2008
2009 case 42:
2010 sd->data[sd->data_offset ++] = value;
2011 if (sd->data_offset >= sd->blk_len) {
2012
2013 sd->state = sd_programming_state;
2014 sd_lock_command(sd);
2015
2016 sd->state = sd_transfer_state;
2017 }
2018 break;
2019
2020 case 56:
2021 sd->data[sd->data_offset ++] = value;
2022 if (sd->data_offset >= sd->blk_len) {
2023 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
2024 sd->state = sd_transfer_state;
2025 }
2026 break;
2027
2028 default:
2029 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
2030 break;
2031 }
2032}
2033
2034uint8_t sd_read_data(SDState *sd)
2035{
2036
2037 uint8_t ret;
2038 int io_len;
2039
2040 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
2041 return 0x00;
2042
2043 if (sd->state != sd_sendingdata_state) {
2044 qemu_log_mask(LOG_GUEST_ERROR,
2045 "sd_read_data: not in Sending-Data state\n");
2046 return 0x00;
2047 }
2048
2049 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
2050 return 0x00;
2051
2052 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
2053
2054 switch (sd->current_cmd) {
2055 case 6:
2056 ret = sd->data[sd->data_offset ++];
2057
2058 if (sd->data_offset >= 64)
2059 sd->state = sd_transfer_state;
2060 break;
2061
2062 case 8:
2063 assert(sd->mmc);
2064 ret = sd->data[sd->data_offset ++];
2065
2066 if (sd->data_offset >= 512)
2067 sd->state = sd_transfer_state;
2068 break;
2069
2070 case 9:
2071 case 10:
2072 ret = sd->data[sd->data_offset ++];
2073
2074 if (sd->data_offset >= 16)
2075 sd->state = sd_transfer_state;
2076 break;
2077
2078 case 13:
2079 ret = sd->sd_status[sd->data_offset ++];
2080
2081 if (sd->data_offset >= sizeof(sd->sd_status))
2082 sd->state = sd_transfer_state;
2083 break;
2084
2085 case 17:
2086 if (sd->data_offset == 0)
2087 BLK_READ_BLOCK(sd->data_start, io_len);
2088 ret = sd->data[sd->data_offset ++];
2089
2090 if (sd->data_offset >= io_len)
2091 sd->state = sd_transfer_state;
2092 break;
2093
2094 case 18:
2095 if (sd->data_offset == 0)
2096 BLK_READ_BLOCK(sd->data_start, io_len);
2097 ret = sd->data[sd->data_offset ++];
2098
2099 if (sd->data_offset >= io_len) {
2100 sd->data_start += io_len;
2101 sd->data_offset = 0;
2102
2103 if (sd->multi_blk_cnt != 0) {
2104 if (--sd->multi_blk_cnt == 0) {
2105
2106 sd->state = sd_transfer_state;
2107 break;
2108 }
2109 }
2110
2111 if (sd->data_start + io_len > sd->size) {
2112 sd->card_status |= ADDRESS_ERROR;
2113 break;
2114 }
2115 }
2116 break;
2117
2118 case 19:
2119 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2120 sd->state = sd_transfer_state;
2121 }
2122 ret = ((uint8_t *)(&sd_tunning_data))[sd->data_offset++];
2123 break;
2124
2125 case 21:
2126 if (sd->data_offset >= MMC_TUNING_BLOCK_SIZE - 1) {
2127 sd->state = sd_transfer_state;
2128 }
2129 if (sd->ext_csd[EXCSD_BUS_WIDTH_OFFSET] & BUS_WIDTH_8_MASK) {
2130 ret = emmc_tunning_data_8bit[sd->data_offset++];
2131 } else {
2132
2133
2134
2135 ret = emmc_tunning_data_8bit[sd->data_offset++] & 0x0F;
2136 ret |= (emmc_tunning_data_8bit[sd->data_offset++] & 0x0F) << 4;
2137 }
2138 break;
2139
2140 case 22:
2141 ret = sd->data[sd->data_offset ++];
2142
2143 if (sd->data_offset >= 4)
2144 sd->state = sd_transfer_state;
2145 break;
2146
2147 case 30:
2148 ret = sd->data[sd->data_offset ++];
2149
2150 if (sd->data_offset >= 4)
2151 sd->state = sd_transfer_state;
2152 break;
2153
2154 case 51:
2155 ret = sd->scr[sd->data_offset ++];
2156
2157 if (sd->data_offset >= sizeof(sd->scr))
2158 sd->state = sd_transfer_state;
2159 break;
2160
2161 case 56:
2162 if (sd->data_offset == 0)
2163 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2164 ret = sd->data[sd->data_offset ++];
2165
2166 if (sd->data_offset >= sd->blk_len)
2167 sd->state = sd_transfer_state;
2168 break;
2169
2170 default:
2171 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
2172 return 0x00;
2173 }
2174
2175 return ret;
2176}
2177
2178bool sd_data_ready(SDState *sd)
2179{
2180 return sd->state == sd_sendingdata_state;
2181}
2182
2183void sd_enable(SDState *sd, bool enable)
2184{
2185 sd->enable = enable;
2186}
2187
2188static void sd_instance_init(Object *obj)
2189{
2190 SDState *sd = SD_CARD(obj);
2191
2192 sd->enable = true;
2193 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2194}
2195
2196static void sd_realize(DeviceState *dev, Error **errp)
2197{
2198 SDState *sd = SD_CARD(dev);
2199
2200 if (sd->blk && blk_is_read_only(sd->blk)) {
2201 error_setg(errp, "Cannot use read-only drive as SD card");
2202 return;
2203 }
2204
2205 sd->buf = blk_blockalign(sd->blk, 512);
2206
2207 if (sd->blk) {
2208 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2209 }
2210}
2211
2212static Property sd_properties[] = {
2213 DEFINE_PROP_DRIVE("drive", SDState, blk),
2214
2215
2216
2217
2218 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2219 DEFINE_PROP_BOOL("mmc", SDState, mmc, false),
2220 DEFINE_PROP_END_OF_LIST()
2221};
2222
2223static void sd_class_init(ObjectClass *klass, void *data)
2224{
2225 DeviceClass *dc = DEVICE_CLASS(klass);
2226 SDCardClass *sc = SD_CARD_CLASS(klass);
2227
2228 dc->realize = sd_realize;
2229 dc->props = sd_properties;
2230 dc->vmsd = &sd_vmstate;
2231 dc->reset = sd_reset;
2232 dc->bus_type = TYPE_SD_BUS;
2233
2234 sc->get_dat_lines = sd_get_dat_lines;
2235 sc->get_cmd_line = sd_get_cmd_line;
2236 sc->set_voltage = sd_set_voltage;
2237 sc->do_command = sd_do_command;
2238 sc->write_data = sd_write_data;
2239 sc->read_data = sd_read_data;
2240 sc->data_ready = sd_data_ready;
2241 sc->enable = sd_enable;
2242 sc->get_inserted = sd_get_inserted;
2243 sc->get_readonly = sd_get_readonly;
2244}
2245
2246static const TypeInfo sd_info = {
2247 .name = TYPE_SD_CARD,
2248 .parent = TYPE_DEVICE,
2249 .instance_size = sizeof(SDState),
2250 .class_size = sizeof(SDCardClass),
2251 .class_init = sd_class_init,
2252 .instance_init = sd_instance_init,
2253};
2254
2255static void sd_register_types(void)
2256{
2257 type_register_static(&sd_info);
2258}
2259
2260type_init(sd_register_types)
2261
