2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
36 #include "hw/registerfields.h"
37 #include "sysemu/block-backend.h"
39 #include "migration/vmstate.h"
40 #include "qapi/error.h"
41 #include "qemu/bitmap.h"
42 #include "hw/qdev-properties.h"
43 #include "qemu/error-report.h"
44 #include "qemu/timer.h"
46 #include "qemu/module.h"
47 #include "sdmmc-internal.h"
53 sd_r0
= 0, /* no response */
54 sd_r1
, /* normal response command */
55 sd_r2_i
, /* CID register */
56 sd_r2_s
, /* CSD register */
57 sd_r3
, /* OCR register */
58 sd_r6
= 6, /* Published RCA response */
59 sd_r7
, /* Operating voltage */
66 sd_card_identification_mode
,
67 sd_data_transfer_mode
,
71 sd_inactive_state
= -1,
74 sd_identification_state
,
78 sd_receivingdata_state
,
84 DeviceState parent_obj
;
86 /* If true, created by sd_init() for a non-qdevified caller */
87 /* TODO purge them with fire */
88 bool me_no_qdev_me_kill_mammoth_with_rocks
;
90 /* SD Memory Card Registers */
97 uint8_t sd_status
[64];
99 /* Configurable properties */
100 uint8_t spec_version
;
104 uint32_t mode
; /* current card mode, one of SDCardModes */
105 int32_t state
; /* current card state, one of SDCardStates */
108 unsigned long *wp_groups
;
112 uint32_t multi_blk_cnt
;
113 uint32_t erase_start
;
117 uint8_t function_group
[6];
119 /* True if we will handle the next command as an ACMD. Note that this does
120 * *not* track the APP_CMD status bit!
123 uint32_t blk_written
;
125 uint32_t data_offset
;
127 qemu_irq readonly_cb
;
128 qemu_irq inserted_cb
;
129 QEMUTimer
*ocr_power_timer
;
130 const char *proto_name
;
136 static void sd_realize(DeviceState
*dev
, Error
**errp
);
138 static const char *sd_state_name(enum SDCardStates state
)
140 static const char *state_name
[] = {
141 [sd_idle_state
] = "idle",
142 [sd_ready_state
] = "ready",
143 [sd_identification_state
] = "identification",
144 [sd_standby_state
] = "standby",
145 [sd_transfer_state
] = "transfer",
146 [sd_sendingdata_state
] = "sendingdata",
147 [sd_receivingdata_state
] = "receivingdata",
148 [sd_programming_state
] = "programming",
149 [sd_disconnect_state
] = "disconnect",
151 if (state
== sd_inactive_state
) {
154 assert(state
< ARRAY_SIZE(state_name
));
155 return state_name
[state
];
158 static const char *sd_response_name(sd_rsp_type_t rsp
)
160 static const char *response_name
[] = {
161 [sd_r0
] = "RESP#0 (no response)",
162 [sd_r1
] = "RESP#1 (normal cmd)",
163 [sd_r2_i
] = "RESP#2 (CID reg)",
164 [sd_r2_s
] = "RESP#2 (CSD reg)",
165 [sd_r3
] = "RESP#3 (OCR reg)",
166 [sd_r6
] = "RESP#6 (RCA)",
167 [sd_r7
] = "RESP#7 (operating voltage)",
169 if (rsp
== sd_illegal
) {
170 return "ILLEGAL RESP";
175 assert(rsp
< ARRAY_SIZE(response_name
));
176 return response_name
[rsp
];
179 static uint8_t sd_get_dat_lines(SDState
*sd
)
181 return sd
->enable
? sd
->dat_lines
: 0;
184 static bool sd_get_cmd_line(SDState
*sd
)
186 return sd
->enable
? sd
->cmd_line
: false;
189 static void sd_set_voltage(SDState
*sd
, uint16_t millivolts
)
191 trace_sdcard_set_voltage(millivolts
);
193 switch (millivolts
) {
194 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
195 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
198 qemu_log_mask(LOG_GUEST_ERROR
, "SD card voltage not supported: %.3fV",
199 millivolts
/ 1000.f
);
203 static void sd_set_mode(SDState
*sd
)
206 case sd_inactive_state
:
207 sd
->mode
= sd_inactive
;
212 case sd_identification_state
:
213 sd
->mode
= sd_card_identification_mode
;
216 case sd_standby_state
:
217 case sd_transfer_state
:
218 case sd_sendingdata_state
:
219 case sd_receivingdata_state
:
220 case sd_programming_state
:
221 case sd_disconnect_state
:
222 sd
->mode
= sd_data_transfer_mode
;
227 static const sd_cmd_type_t sd_cmd_type
[SDMMC_CMD_MAX
] = {
228 sd_bc
, sd_none
, sd_bcr
, sd_bcr
, sd_none
, sd_none
, sd_none
, sd_ac
,
229 sd_bcr
, sd_ac
, sd_ac
, sd_adtc
, sd_ac
, sd_ac
, sd_none
, sd_ac
,
231 sd_ac
, sd_adtc
, sd_adtc
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
,
232 sd_adtc
, sd_adtc
, sd_adtc
, sd_adtc
, sd_ac
, sd_ac
, sd_adtc
, sd_none
,
234 sd_ac
, sd_ac
, sd_none
, sd_none
, sd_none
, sd_none
, sd_ac
, sd_none
,
235 sd_none
, sd_none
, sd_bc
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
,
237 sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_ac
,
238 sd_adtc
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
,
241 static const int sd_cmd_class
[SDMMC_CMD_MAX
] = {
242 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
243 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
244 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
245 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
248 static uint8_t sd_crc7(void *message
, size_t width
)
251 uint8_t shift_reg
= 0x00;
252 uint8_t *msg
= (uint8_t *) message
;
254 for (i
= 0; i
< width
; i
++, msg
++)
255 for (bit
= 7; bit
>= 0; bit
--) {
257 if ((shift_reg
>> 7) ^ ((*msg
>> bit
) & 1))
264 static uint16_t sd_crc16(void *message
, size_t width
)
267 uint16_t shift_reg
= 0x0000;
268 uint16_t *msg
= (uint16_t *) message
;
271 for (i
= 0; i
< width
; i
++, msg
++)
272 for (bit
= 15; bit
>= 0; bit
--) {
274 if ((shift_reg
>> 15) ^ ((*msg
>> bit
) & 1))
281 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
283 FIELD(OCR
, VDD_VOLTAGE_WINDOW
, 0, 24)
284 FIELD(OCR
, VDD_VOLTAGE_WIN_LO
, 0, 8)
285 FIELD(OCR
, DUAL_VOLTAGE_CARD
, 7, 1)
286 FIELD(OCR
, VDD_VOLTAGE_WIN_HI
, 8, 16)
287 FIELD(OCR
, ACCEPT_SWITCH_1V8
, 24, 1) /* Only UHS-I */
288 FIELD(OCR
, UHS_II_CARD
, 29, 1) /* Only UHS-II */
289 FIELD(OCR
, CARD_CAPACITY
, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
290 FIELD(OCR
, CARD_POWER_UP
, 31, 1)
292 #define ACMD41_ENQUIRY_MASK 0x00ffffff
293 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
294 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
295 | R_OCR_UHS_II_CARD_MASK \
296 | R_OCR_CARD_CAPACITY_MASK \
297 | R_OCR_CARD_POWER_UP_MASK)
299 static void sd_set_ocr(SDState
*sd
)
301 /* All voltages OK */
302 sd
->ocr
= R_OCR_VDD_VOLTAGE_WIN_HI_MASK
;
305 static void sd_ocr_powerup(void *opaque
)
307 SDState
*sd
= opaque
;
309 trace_sdcard_powerup();
310 assert(!FIELD_EX32(sd
->ocr
, OCR
, CARD_POWER_UP
));
312 /* card power-up OK */
313 sd
->ocr
= FIELD_DP32(sd
->ocr
, OCR
, CARD_POWER_UP
, 1);
315 if (sd
->size
> 1 * GiB
) {
316 sd
->ocr
= FIELD_DP32(sd
->ocr
, OCR
, CARD_CAPACITY
, 1);
320 static void sd_set_scr(SDState
*sd
)
322 sd
->scr
[0] = 0 << 4; /* SCR structure version 1.0 */
323 if (sd
->spec_version
== SD_PHY_SPECv1_10_VERS
) {
324 sd
->scr
[0] |= 1; /* Spec Version 1.10 */
326 sd
->scr
[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
328 sd
->scr
[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
329 | 0b0101; /* 1-bit or 4-bit width bus modes */
330 sd
->scr
[2] = 0x00; /* Extended Security is not supported. */
331 if (sd
->spec_version
>= SD_PHY_SPECv3_01_VERS
) {
332 sd
->scr
[2] |= 1 << 7; /* Spec Version 3.0X */
335 /* reserved for manufacturer usage */
349 static void sd_set_cid(SDState
*sd
)
351 sd
->cid
[0] = MID
; /* Fake card manufacturer ID (MID) */
352 sd
->cid
[1] = OID
[0]; /* OEM/Application ID (OID) */
354 sd
->cid
[3] = PNM
[0]; /* Fake product name (PNM) */
359 sd
->cid
[8] = PRV
; /* Fake product revision (PRV) */
360 sd
->cid
[9] = 0xde; /* Fake serial number (PSN) */
364 sd
->cid
[13] = 0x00 | /* Manufacture date (MDT) */
365 ((MDT_YR
- 2000) / 10);
366 sd
->cid
[14] = ((MDT_YR
% 10) << 4) | MDT_MON
;
367 sd
->cid
[15] = (sd_crc7(sd
->cid
, 15) << 1) | 1;
370 #define HWBLOCK_SHIFT 9 /* 512 bytes */
371 #define SECTOR_SHIFT 5 /* 16 kilobytes */
372 #define WPGROUP_SHIFT 7 /* 2 megs */
373 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
374 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
376 static const uint8_t sd_csd_rw_mask
[16] = {
377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
381 static void sd_set_csd(SDState
*sd
, uint64_t size
)
383 uint32_t csize
= (size
>> (CMULT_SHIFT
+ HWBLOCK_SHIFT
)) - 1;
384 uint32_t sectsize
= (1 << (SECTOR_SHIFT
+ 1)) - 1;
385 uint32_t wpsize
= (1 << (WPGROUP_SHIFT
+ 1)) - 1;
387 if (size
<= 1 * GiB
) { /* Standard Capacity SD */
388 sd
->csd
[0] = 0x00; /* CSD structure */
389 sd
->csd
[1] = 0x26; /* Data read access-time-1 */
390 sd
->csd
[2] = 0x00; /* Data read access-time-2 */
391 sd
->csd
[3] = 0x32; /* Max. data transfer rate: 25 MHz */
392 sd
->csd
[4] = 0x5f; /* Card Command Classes */
393 sd
->csd
[5] = 0x50 | /* Max. read data block length */
395 sd
->csd
[6] = 0xe0 | /* Partial block for read allowed */
396 ((csize
>> 10) & 0x03);
397 sd
->csd
[7] = 0x00 | /* Device size */
398 ((csize
>> 2) & 0xff);
399 sd
->csd
[8] = 0x3f | /* Max. read current */
400 ((csize
<< 6) & 0xc0);
401 sd
->csd
[9] = 0xfc | /* Max. write current */
402 ((CMULT_SHIFT
- 2) >> 1);
403 sd
->csd
[10] = 0x40 | /* Erase sector size */
404 (((CMULT_SHIFT
- 2) << 7) & 0x80) | (sectsize
>> 1);
405 sd
->csd
[11] = 0x00 | /* Write protect group size */
406 ((sectsize
<< 7) & 0x80) | wpsize
;
407 sd
->csd
[12] = 0x90 | /* Write speed factor */
408 (HWBLOCK_SHIFT
>> 2);
409 sd
->csd
[13] = 0x20 | /* Max. write data block length */
410 ((HWBLOCK_SHIFT
<< 6) & 0xc0);
411 sd
->csd
[14] = 0x00; /* File format group */
422 sd
->csd
[7] = (size
>> 16) & 0xff;
423 sd
->csd
[8] = (size
>> 8) & 0xff;
424 sd
->csd
[9] = (size
& 0xff);
431 sd
->csd
[15] = (sd_crc7(sd
->csd
, 15) << 1) | 1;
434 static void sd_set_rca(SDState
*sd
)
439 FIELD(CSR
, AKE_SEQ_ERROR
, 3, 1)
440 FIELD(CSR
, APP_CMD
, 5, 1)
441 FIELD(CSR
, FX_EVENT
, 6, 1)
442 FIELD(CSR
, READY_FOR_DATA
, 8, 1)
443 FIELD(CSR
, CURRENT_STATE
, 9, 4)
444 FIELD(CSR
, ERASE_RESET
, 13, 1)
445 FIELD(CSR
, CARD_ECC_DISABLED
, 14, 1)
446 FIELD(CSR
, WP_ERASE_SKIP
, 15, 1)
447 FIELD(CSR
, CSD_OVERWRITE
, 16, 1)
448 FIELD(CSR
, DEFERRED_RESPONSE
, 17, 1)
449 FIELD(CSR
, ERROR
, 19, 1)
450 FIELD(CSR
, CC_ERROR
, 20, 1)
451 FIELD(CSR
, CARD_ECC_FAILED
, 21, 1)
452 FIELD(CSR
, ILLEGAL_COMMAND
, 22, 1)
453 FIELD(CSR
, COM_CRC_ERROR
, 23, 1)
454 FIELD(CSR
, LOCK_UNLOCK_FAILED
, 24, 1)
455 FIELD(CSR
, CARD_IS_LOCKED
, 25, 1)
456 FIELD(CSR
, WP_VIOLATION
, 26, 1)
457 FIELD(CSR
, ERASE_PARAM
, 27, 1)
458 FIELD(CSR
, ERASE_SEQ_ERROR
, 28, 1)
459 FIELD(CSR
, BLOCK_LEN_ERROR
, 29, 1)
460 FIELD(CSR
, ADDRESS_ERROR
, 30, 1)
461 FIELD(CSR
, OUT_OF_RANGE
, 31, 1)
463 /* Card status bits, split by clear condition:
464 * A : According to the card current state
465 * B : Always related to the previous command
466 * C : Cleared by read
468 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
469 | R_CSR_CARD_ECC_DISABLED_MASK \
470 | R_CSR_CARD_IS_LOCKED_MASK)
471 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
472 | R_CSR_ILLEGAL_COMMAND_MASK \
473 | R_CSR_COM_CRC_ERROR_MASK)
474 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
475 | R_CSR_APP_CMD_MASK \
476 | R_CSR_ERASE_RESET_MASK \
477 | R_CSR_WP_ERASE_SKIP_MASK \
478 | R_CSR_CSD_OVERWRITE_MASK \
480 | R_CSR_CC_ERROR_MASK \
481 | R_CSR_CARD_ECC_FAILED_MASK \
482 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
483 | R_CSR_WP_VIOLATION_MASK \
484 | R_CSR_ERASE_PARAM_MASK \
485 | R_CSR_ERASE_SEQ_ERROR_MASK \
486 | R_CSR_BLOCK_LEN_ERROR_MASK \
487 | R_CSR_ADDRESS_ERROR_MASK \
488 | R_CSR_OUT_OF_RANGE_MASK)
490 static void sd_set_cardstatus(SDState
*sd
)
492 sd
->card_status
= 0x00000100;
495 static void sd_set_sdstatus(SDState
*sd
)
497 memset(sd
->sd_status
, 0, 64);
500 static int sd_req_crc_validate(SDRequest
*req
)
503 buffer
[0] = 0x40 | req
->cmd
;
504 stl_be_p(&buffer
[1], req
->arg
);
506 return sd_crc7(buffer
, 5) != req
->crc
; /* TODO */
509 static void sd_response_r1_make(SDState
*sd
, uint8_t *response
)
511 stl_be_p(response
, sd
->card_status
);
513 /* Clear the "clear on read" status bits */
514 sd
->card_status
&= ~CARD_STATUS_C
;
517 static void sd_response_r3_make(SDState
*sd
, uint8_t *response
)
519 stl_be_p(response
, sd
->ocr
& ACMD41_R3_MASK
);
522 static void sd_response_r6_make(SDState
*sd
, uint8_t *response
)
526 status
= ((sd
->card_status
>> 8) & 0xc000) |
527 ((sd
->card_status
>> 6) & 0x2000) |
528 (sd
->card_status
& 0x1fff);
529 sd
->card_status
&= ~(CARD_STATUS_C
& 0xc81fff);
530 stw_be_p(response
+ 0, sd
->rca
);
531 stw_be_p(response
+ 2, status
);
534 static void sd_response_r7_make(SDState
*sd
, uint8_t *response
)
536 stl_be_p(response
, sd
->vhs
);
539 static inline uint64_t sd_addr_to_wpnum(uint64_t addr
)
541 return addr
>> (HWBLOCK_SHIFT
+ SECTOR_SHIFT
+ WPGROUP_SHIFT
);
544 static void sd_reset(DeviceState
*dev
)
546 SDState
*sd
= SD_CARD(dev
);
550 trace_sdcard_reset();
552 blk_get_geometry(sd
->blk
, §
);
558 sect
= sd_addr_to_wpnum(size
) + 1;
560 sd
->state
= sd_idle_state
;
565 sd_set_csd(sd
, size
);
566 sd_set_cardstatus(sd
);
569 g_free(sd
->wp_groups
);
570 sd
->wp_switch
= sd
->blk
? blk_is_read_only(sd
->blk
) : false;
571 sd
->wpgrps_size
= sect
;
572 sd
->wp_groups
= bitmap_new(sd
->wpgrps_size
);
573 memset(sd
->function_group
, 0, sizeof(sd
->function_group
));
579 sd
->expecting_acmd
= false;
582 sd
->multi_blk_cnt
= 0;
585 static bool sd_get_inserted(SDState
*sd
)
587 return sd
->blk
&& blk_is_inserted(sd
->blk
);
590 static bool sd_get_readonly(SDState
*sd
)
592 return sd
->wp_switch
;
595 static void sd_cardchange(void *opaque
, bool load
, Error
**errp
)
597 SDState
*sd
= opaque
;
598 DeviceState
*dev
= DEVICE(sd
);
600 bool inserted
= sd_get_inserted(sd
);
601 bool readonly
= sd_get_readonly(sd
);
604 trace_sdcard_inserted(readonly
);
607 trace_sdcard_ejected();
610 if (sd
->me_no_qdev_me_kill_mammoth_with_rocks
) {
611 qemu_set_irq(sd
->inserted_cb
, inserted
);
613 qemu_set_irq(sd
->readonly_cb
, readonly
);
616 sdbus
= SD_BUS(qdev_get_parent_bus(dev
));
617 sdbus_set_inserted(sdbus
, inserted
);
619 sdbus_set_readonly(sdbus
, readonly
);
624 static const BlockDevOps sd_block_ops
= {
625 .change_media_cb
= sd_cardchange
,
628 static bool sd_ocr_vmstate_needed(void *opaque
)
630 SDState
*sd
= opaque
;
632 /* Include the OCR state (and timer) if it is not yet powered up */
633 return !FIELD_EX32(sd
->ocr
, OCR
, CARD_POWER_UP
);
636 static const VMStateDescription sd_ocr_vmstate
= {
637 .name
= "sd-card/ocr-state",
639 .minimum_version_id
= 1,
640 .needed
= sd_ocr_vmstate_needed
,
641 .fields
= (VMStateField
[]) {
642 VMSTATE_UINT32(ocr
, SDState
),
643 VMSTATE_TIMER_PTR(ocr_power_timer
, SDState
),
644 VMSTATE_END_OF_LIST()
648 static int sd_vmstate_pre_load(void *opaque
)
650 SDState
*sd
= opaque
;
652 /* If the OCR state is not included (prior versions, or not
653 * needed), then the OCR must be set as powered up. If the OCR state
654 * is included, this will be replaced by the state restore.
661 static const VMStateDescription sd_vmstate
= {
664 .minimum_version_id
= 1,
665 .pre_load
= sd_vmstate_pre_load
,
666 .fields
= (VMStateField
[]) {
667 VMSTATE_UINT32(mode
, SDState
),
668 VMSTATE_INT32(state
, SDState
),
669 VMSTATE_UINT8_ARRAY(cid
, SDState
, 16),
670 VMSTATE_UINT8_ARRAY(csd
, SDState
, 16),
671 VMSTATE_UINT16(rca
, SDState
),
672 VMSTATE_UINT32(card_status
, SDState
),
673 VMSTATE_PARTIAL_BUFFER(sd_status
, SDState
, 1),
674 VMSTATE_UINT32(vhs
, SDState
),
675 VMSTATE_BITMAP(wp_groups
, SDState
, 0, wpgrps_size
),
676 VMSTATE_UINT32(blk_len
, SDState
),
677 VMSTATE_UINT32(multi_blk_cnt
, SDState
),
678 VMSTATE_UINT32(erase_start
, SDState
),
679 VMSTATE_UINT32(erase_end
, SDState
),
680 VMSTATE_UINT8_ARRAY(pwd
, SDState
, 16),
681 VMSTATE_UINT32(pwd_len
, SDState
),
682 VMSTATE_UINT8_ARRAY(function_group
, SDState
, 6),
683 VMSTATE_UINT8(current_cmd
, SDState
),
684 VMSTATE_BOOL(expecting_acmd
, SDState
),
685 VMSTATE_UINT32(blk_written
, SDState
),
686 VMSTATE_UINT64(data_start
, SDState
),
687 VMSTATE_UINT32(data_offset
, SDState
),
688 VMSTATE_UINT8_ARRAY(data
, SDState
, 512),
689 VMSTATE_UNUSED_V(1, 512),
690 VMSTATE_BOOL(enable
, SDState
),
691 VMSTATE_END_OF_LIST()
693 .subsections
= (const VMStateDescription
*[]) {
699 /* Legacy initialization function for use by non-qdevified callers */
700 SDState
*sd_init(BlockBackend
*blk
, bool is_spi
)
707 obj
= object_new(TYPE_SD_CARD
);
709 qdev_prop_set_drive(dev
, "drive", blk
, &err
);
711 error_reportf_err(err
, "sd_init failed: ");
714 qdev_prop_set_bit(dev
, "spi", is_spi
);
717 * Realizing the device properly would put it into the QOM
718 * composition tree even though it is not plugged into an
719 * appropriate bus. That's a no-no. Hide the device from
720 * QOM/qdev, and call its qdev realize callback directly.
723 object_unparent(obj
);
724 sd_realize(dev
, &err
);
726 error_reportf_err(err
, "sd_init failed: ");
731 sd
->me_no_qdev_me_kill_mammoth_with_rocks
= true;
735 void sd_set_cb(SDState
*sd
, qemu_irq readonly
, qemu_irq insert
)
737 sd
->readonly_cb
= readonly
;
738 sd
->inserted_cb
= insert
;
739 qemu_set_irq(readonly
, sd
->blk
? blk_is_read_only(sd
->blk
) : 0);
740 qemu_set_irq(insert
, sd
->blk
? blk_is_inserted(sd
->blk
) : 0);
743 static void sd_erase(SDState
*sd
)
746 uint64_t erase_start
= sd
->erase_start
;
747 uint64_t erase_end
= sd
->erase_end
;
749 trace_sdcard_erase();
750 if (!sd
->erase_start
|| !sd
->erase_end
) {
751 sd
->card_status
|= ERASE_SEQ_ERROR
;
755 if (FIELD_EX32(sd
->ocr
, OCR
, CARD_CAPACITY
)) {
756 /* High capacity memory card: erase units are 512 byte blocks */
761 erase_start
= sd_addr_to_wpnum(erase_start
);
762 erase_end
= sd_addr_to_wpnum(erase_end
);
767 for (i
= erase_start
; i
<= erase_end
; i
++) {
768 if (test_bit(i
, sd
->wp_groups
)) {
769 sd
->card_status
|= WP_ERASE_SKIP
;
774 static uint32_t sd_wpbits(SDState
*sd
, uint64_t addr
)
779 wpnum
= sd_addr_to_wpnum(addr
);
781 for (i
= 0; i
< 32; i
++, wpnum
++, addr
+= WPGROUP_SIZE
) {
782 if (addr
< sd
->size
&& test_bit(wpnum
, sd
->wp_groups
)) {
790 static void sd_function_switch(SDState
*sd
, uint32_t arg
)
792 int i
, mode
, new_func
;
793 mode
= !!(arg
& 0x80000000);
795 sd
->data
[0] = 0x00; /* Maximum current consumption */
797 sd
->data
[2] = 0x80; /* Supported group 6 functions */
799 sd
->data
[4] = 0x80; /* Supported group 5 functions */
801 sd
->data
[6] = 0x80; /* Supported group 4 functions */
803 sd
->data
[8] = 0x80; /* Supported group 3 functions */
805 sd
->data
[10] = 0x80; /* Supported group 2 functions */
807 sd
->data
[12] = 0x80; /* Supported group 1 functions */
809 for (i
= 0; i
< 6; i
++) {
810 new_func
= (arg
>> (i
* 4)) & 0x0f;
811 if (mode
&& new_func
!= 0x0f)
812 sd
->function_group
[i
] = new_func
;
813 sd
->data
[14 + (i
>> 1)] = new_func
<< ((i
* 4) & 4);
815 memset(&sd
->data
[17], 0, 47);
816 stw_be_p(sd
->data
+ 64, sd_crc16(sd
->data
, 64));
819 static inline bool sd_wp_addr(SDState
*sd
, uint64_t addr
)
821 return test_bit(sd_addr_to_wpnum(addr
), sd
->wp_groups
);
824 static void sd_lock_command(SDState
*sd
)
826 int erase
, lock
, clr_pwd
, set_pwd
, pwd_len
;
827 erase
= !!(sd
->data
[0] & 0x08);
828 lock
= sd
->data
[0] & 0x04;
829 clr_pwd
= sd
->data
[0] & 0x02;
830 set_pwd
= sd
->data
[0] & 0x01;
833 pwd_len
= sd
->data
[1];
840 trace_sdcard_unlock();
843 if (!(sd
->card_status
& CARD_IS_LOCKED
) || sd
->blk_len
> 1 ||
844 set_pwd
|| clr_pwd
|| lock
|| sd
->wp_switch
||
845 (sd
->csd
[14] & 0x20)) {
846 sd
->card_status
|= LOCK_UNLOCK_FAILED
;
849 bitmap_zero(sd
->wp_groups
, sd
->wpgrps_size
);
850 sd
->csd
[14] &= ~0x10;
851 sd
->card_status
&= ~CARD_IS_LOCKED
;
853 /* Erasing the entire card here! */
854 fprintf(stderr
, "SD: Card force-erased by CMD42\n");
858 if (sd
->blk_len
< 2 + pwd_len
||
859 pwd_len
<= sd
->pwd_len
||
860 pwd_len
> sd
->pwd_len
+ 16) {
861 sd
->card_status
|= LOCK_UNLOCK_FAILED
;
865 if (sd
->pwd_len
&& memcmp(sd
->pwd
, sd
->data
+ 2, sd
->pwd_len
)) {
866 sd
->card_status
|= LOCK_UNLOCK_FAILED
;
870 pwd_len
-= sd
->pwd_len
;
871 if ((pwd_len
&& !set_pwd
) ||
872 (clr_pwd
&& (set_pwd
|| lock
)) ||
873 (lock
&& !sd
->pwd_len
&& !set_pwd
) ||
874 (!set_pwd
&& !clr_pwd
&&
875 (((sd
->card_status
& CARD_IS_LOCKED
) && lock
) ||
876 (!(sd
->card_status
& CARD_IS_LOCKED
) && !lock
)))) {
877 sd
->card_status
|= LOCK_UNLOCK_FAILED
;
882 memcpy(sd
->pwd
, sd
->data
+ 2 + sd
->pwd_len
, pwd_len
);
883 sd
->pwd_len
= pwd_len
;
891 sd
->card_status
|= CARD_IS_LOCKED
;
893 sd
->card_status
&= ~CARD_IS_LOCKED
;
896 static sd_rsp_type_t
sd_normal_command(SDState
*sd
, SDRequest req
)
898 uint32_t rca
= 0x0000;
899 uint64_t addr
= (sd
->ocr
& (1 << 30)) ? (uint64_t) req
.arg
<< 9 : req
.arg
;
901 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
902 * However there is no ACMD55, so we want to trace this particular case.
904 if (req
.cmd
!= 55 || sd
->expecting_acmd
) {
905 trace_sdcard_normal_command(sd
->proto_name
,
906 sd_cmd_name(req
.cmd
), req
.cmd
,
907 req
.arg
, sd_state_name(sd
->state
));
910 /* Not interpreting this as an app command */
911 sd
->card_status
&= ~APP_CMD
;
913 if (sd_cmd_type
[req
.cmd
] == sd_ac
914 || sd_cmd_type
[req
.cmd
] == sd_adtc
) {
918 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
919 * if not, its effects are cancelled */
920 if (sd
->multi_blk_cnt
!= 0 && !(req
.cmd
== 18 || req
.cmd
== 25)) {
921 sd
->multi_blk_cnt
= 0;
925 /* Basic commands (Class 0 and Class 1) */
926 case 0: /* CMD0: GO_IDLE_STATE */
928 case sd_inactive_state
:
929 return sd
->spi
? sd_r1
: sd_r0
;
932 sd
->state
= sd_idle_state
;
933 sd_reset(DEVICE(sd
));
934 return sd
->spi
? sd_r1
: sd_r0
;
938 case 1: /* CMD1: SEND_OP_CMD */
942 sd
->state
= sd_transfer_state
;
945 case 2: /* CMD2: ALL_SEND_CID */
950 sd
->state
= sd_identification_state
;
958 case 3: /* CMD3: SEND_RELATIVE_ADDR */
962 case sd_identification_state
:
963 case sd_standby_state
:
964 sd
->state
= sd_standby_state
;
973 case 4: /* CMD4: SEND_DSR */
977 case sd_standby_state
:
985 case 5: /* CMD5: reserved for SDIO cards */
988 case 6: /* CMD6: SWITCH_FUNCTION */
990 case sd_data_transfer_mode
:
991 sd_function_switch(sd
, req
.arg
);
992 sd
->state
= sd_sendingdata_state
;
1002 case 7: /* CMD7: SELECT/DESELECT_CARD */
1005 switch (sd
->state
) {
1006 case sd_standby_state
:
1010 sd
->state
= sd_transfer_state
;
1013 case sd_transfer_state
:
1014 case sd_sendingdata_state
:
1018 sd
->state
= sd_standby_state
;
1021 case sd_disconnect_state
:
1025 sd
->state
= sd_programming_state
;
1028 case sd_programming_state
:
1032 sd
->state
= sd_disconnect_state
;
1040 case 8: /* CMD8: SEND_IF_COND */
1041 if (sd
->spec_version
< SD_PHY_SPECv2_00_VERS
) {
1044 if (sd
->state
!= sd_idle_state
) {
1049 /* No response if not exactly one VHS bit is set. */
1050 if (!(req
.arg
>> 8) || (req
.arg
>> (ctz32(req
.arg
& ~0xff) + 1))) {
1051 return sd
->spi
? sd_r7
: sd_r0
;
1058 case 9: /* CMD9: SEND_CSD */
1059 switch (sd
->state
) {
1060 case sd_standby_state
:
1066 case sd_transfer_state
:
1069 sd
->state
= sd_sendingdata_state
;
1070 memcpy(sd
->data
, sd
->csd
, 16);
1071 sd
->data_start
= addr
;
1072 sd
->data_offset
= 0;
1080 case 10: /* CMD10: SEND_CID */
1081 switch (sd
->state
) {
1082 case sd_standby_state
:
1088 case sd_transfer_state
:
1091 sd
->state
= sd_sendingdata_state
;
1092 memcpy(sd
->data
, sd
->cid
, 16);
1093 sd
->data_start
= addr
;
1094 sd
->data_offset
= 0;
1102 case 12: /* CMD12: STOP_TRANSMISSION */
1103 switch (sd
->state
) {
1104 case sd_sendingdata_state
:
1105 sd
->state
= sd_transfer_state
;
1108 case sd_receivingdata_state
:
1109 sd
->state
= sd_programming_state
;
1110 /* Bzzzzzzztt .... Operation complete. */
1111 sd
->state
= sd_transfer_state
;
1119 case 13: /* CMD13: SEND_STATUS */
1121 case sd_data_transfer_mode
:
1132 case 15: /* CMD15: GO_INACTIVE_STATE */
1136 case sd_data_transfer_mode
:
1140 sd
->state
= sd_inactive_state
;
1148 /* Block read commands (Classs 2) */
1149 case 16: /* CMD16: SET_BLOCKLEN */
1150 switch (sd
->state
) {
1151 case sd_transfer_state
:
1152 if (req
.arg
> (1 << HWBLOCK_SHIFT
)) {
1153 sd
->card_status
|= BLOCK_LEN_ERROR
;
1155 trace_sdcard_set_blocklen(req
.arg
);
1156 sd
->blk_len
= req
.arg
;
1166 case 17: /* CMD17: READ_SINGLE_BLOCK */
1167 switch (sd
->state
) {
1168 case sd_transfer_state
:
1169 sd
->state
= sd_sendingdata_state
;
1170 sd
->data_start
= addr
;
1171 sd
->data_offset
= 0;
1173 if (sd
->data_start
+ sd
->blk_len
> sd
->size
)
1174 sd
->card_status
|= ADDRESS_ERROR
;
1182 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1183 switch (sd
->state
) {
1184 case sd_transfer_state
:
1185 sd
->state
= sd_sendingdata_state
;
1186 sd
->data_start
= addr
;
1187 sd
->data_offset
= 0;
1189 if (sd
->data_start
+ sd
->blk_len
> sd
->size
)
1190 sd
->card_status
|= ADDRESS_ERROR
;
1198 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1199 if (sd
->spec_version
< SD_PHY_SPECv3_01_VERS
) {
1202 if (sd
->state
== sd_transfer_state
) {
1203 sd
->state
= sd_sendingdata_state
;
1204 sd
->data_offset
= 0;
1209 case 23: /* CMD23: SET_BLOCK_COUNT */
1210 if (sd
->spec_version
< SD_PHY_SPECv3_01_VERS
) {
1213 switch (sd
->state
) {
1214 case sd_transfer_state
:
1215 sd
->multi_blk_cnt
= req
.arg
;
1223 /* Block write commands (Class 4) */
1224 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1225 switch (sd
->state
) {
1226 case sd_transfer_state
:
1227 /* Writing in SPI mode not implemented. */
1230 sd
->state
= sd_receivingdata_state
;
1231 sd
->data_start
= addr
;
1232 sd
->data_offset
= 0;
1233 sd
->blk_written
= 0;
1235 if (sd
->data_start
+ sd
->blk_len
> sd
->size
)
1236 sd
->card_status
|= ADDRESS_ERROR
;
1237 if (sd_wp_addr(sd
, sd
->data_start
))
1238 sd
->card_status
|= WP_VIOLATION
;
1239 if (sd
->csd
[14] & 0x30)
1240 sd
->card_status
|= WP_VIOLATION
;
1248 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1249 switch (sd
->state
) {
1250 case sd_transfer_state
:
1251 /* Writing in SPI mode not implemented. */
1254 sd
->state
= sd_receivingdata_state
;
1255 sd
->data_start
= addr
;
1256 sd
->data_offset
= 0;
1257 sd
->blk_written
= 0;
1259 if (sd
->data_start
+ sd
->blk_len
> sd
->size
)
1260 sd
->card_status
|= ADDRESS_ERROR
;
1261 if (sd_wp_addr(sd
, sd
->data_start
))
1262 sd
->card_status
|= WP_VIOLATION
;
1263 if (sd
->csd
[14] & 0x30)
1264 sd
->card_status
|= WP_VIOLATION
;
1272 case 26: /* CMD26: PROGRAM_CID */
1275 switch (sd
->state
) {
1276 case sd_transfer_state
:
1277 sd
->state
= sd_receivingdata_state
;
1279 sd
->data_offset
= 0;
1287 case 27: /* CMD27: PROGRAM_CSD */
1288 switch (sd
->state
) {
1289 case sd_transfer_state
:
1290 sd
->state
= sd_receivingdata_state
;
1292 sd
->data_offset
= 0;
1300 /* Write protection (Class 6) */
1301 case 28: /* CMD28: SET_WRITE_PROT */
1302 switch (sd
->state
) {
1303 case sd_transfer_state
:
1304 if (addr
>= sd
->size
) {
1305 sd
->card_status
|= ADDRESS_ERROR
;
1309 sd
->state
= sd_programming_state
;
1310 set_bit(sd_addr_to_wpnum(addr
), sd
->wp_groups
);
1311 /* Bzzzzzzztt .... Operation complete. */
1312 sd
->state
= sd_transfer_state
;
1320 case 29: /* CMD29: CLR_WRITE_PROT */
1321 switch (sd
->state
) {
1322 case sd_transfer_state
:
1323 if (addr
>= sd
->size
) {
1324 sd
->card_status
|= ADDRESS_ERROR
;
1328 sd
->state
= sd_programming_state
;
1329 clear_bit(sd_addr_to_wpnum(addr
), sd
->wp_groups
);
1330 /* Bzzzzzzztt .... Operation complete. */
1331 sd
->state
= sd_transfer_state
;
1339 case 30: /* CMD30: SEND_WRITE_PROT */
1340 switch (sd
->state
) {
1341 case sd_transfer_state
:
1342 sd
->state
= sd_sendingdata_state
;
1343 *(uint32_t *) sd
->data
= sd_wpbits(sd
, req
.arg
);
1344 sd
->data_start
= addr
;
1345 sd
->data_offset
= 0;
1353 /* Erase commands (Class 5) */
1354 case 32: /* CMD32: ERASE_WR_BLK_START */
1355 switch (sd
->state
) {
1356 case sd_transfer_state
:
1357 sd
->erase_start
= req
.arg
;
1365 case 33: /* CMD33: ERASE_WR_BLK_END */
1366 switch (sd
->state
) {
1367 case sd_transfer_state
:
1368 sd
->erase_end
= req
.arg
;
1376 case 38: /* CMD38: ERASE */
1377 switch (sd
->state
) {
1378 case sd_transfer_state
:
1379 if (sd
->csd
[14] & 0x30) {
1380 sd
->card_status
|= WP_VIOLATION
;
1384 sd
->state
= sd_programming_state
;
1386 /* Bzzzzzzztt .... Operation complete. */
1387 sd
->state
= sd_transfer_state
;
1395 /* Lock card commands (Class 7) */
1396 case 42: /* CMD42: LOCK_UNLOCK */
1397 switch (sd
->state
) {
1398 case sd_transfer_state
:
1399 sd
->state
= sd_receivingdata_state
;
1401 sd
->data_offset
= 0;
1410 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1411 * (see the SDIO Simplified Specification V2.0)
1412 * Handle as illegal command but do not complain
1413 * on stderr, as some OSes may use these in their
1414 * probing for presence of an SDIO card.
1418 /* Application specific commands (Class 8) */
1419 case 55: /* CMD55: APP_CMD */
1420 switch (sd
->state
) {
1421 case sd_ready_state
:
1422 case sd_identification_state
:
1423 case sd_inactive_state
:
1427 qemu_log_mask(LOG_GUEST_ERROR
,
1428 "SD: illegal RCA 0x%04x for APP_CMD\n", req
.cmd
);
1434 if (sd
->rca
!= rca
) {
1438 sd
->expecting_acmd
= true;
1439 sd
->card_status
|= APP_CMD
;
1442 case 56: /* CMD56: GEN_CMD */
1443 switch (sd
->state
) {
1444 case sd_transfer_state
:
1445 sd
->data_offset
= 0;
1447 sd
->state
= sd_sendingdata_state
;
1449 sd
->state
= sd_receivingdata_state
;
1457 case 58: /* CMD58: READ_OCR (SPI) */
1463 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1467 goto unimplemented_spi_cmd
;
1471 qemu_log_mask(LOG_GUEST_ERROR
, "SD: Unknown CMD%i\n", req
.cmd
);
1474 unimplemented_spi_cmd
:
1475 /* Commands that are recognised but not yet implemented in SPI mode. */
1476 qemu_log_mask(LOG_UNIMP
, "SD: CMD%i not implemented in SPI mode\n",
1481 qemu_log_mask(LOG_GUEST_ERROR
, "SD: CMD%i in a wrong state\n", req
.cmd
);
1485 static sd_rsp_type_t
sd_app_command(SDState
*sd
,
1488 trace_sdcard_app_command(sd
->proto_name
, sd_acmd_name(req
.cmd
),
1489 req
.cmd
, req
.arg
, sd_state_name(sd
->state
));
1490 sd
->card_status
|= APP_CMD
;
1492 case 6: /* ACMD6: SET_BUS_WIDTH */
1494 goto unimplemented_spi_cmd
;
1496 switch (sd
->state
) {
1497 case sd_transfer_state
:
1498 sd
->sd_status
[0] &= 0x3f;
1499 sd
->sd_status
[0] |= (req
.arg
& 0x03) << 6;
1507 case 13: /* ACMD13: SD_STATUS */
1508 switch (sd
->state
) {
1509 case sd_transfer_state
:
1510 sd
->state
= sd_sendingdata_state
;
1512 sd
->data_offset
= 0;
1520 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1521 switch (sd
->state
) {
1522 case sd_transfer_state
:
1523 *(uint32_t *) sd
->data
= sd
->blk_written
;
1525 sd
->state
= sd_sendingdata_state
;
1527 sd
->data_offset
= 0;
1535 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1536 switch (sd
->state
) {
1537 case sd_transfer_state
:
1545 case 41: /* ACMD41: SD_APP_OP_COND */
1548 sd
->state
= sd_transfer_state
;
1551 if (sd
->state
!= sd_idle_state
) {
1554 /* If it's the first ACMD41 since reset, we need to decide
1555 * whether to power up. If this is not an enquiry ACMD41,
1556 * we immediately report power on and proceed below to the
1557 * ready state, but if it is, we set a timer to model a
1558 * delay for power up. This works around a bug in EDK2
1559 * UEFI, which sends an initial enquiry ACMD41, but
1560 * assumes that the card is in ready state as soon as it
1561 * sees the power up bit set. */
1562 if (!FIELD_EX32(sd
->ocr
, OCR
, CARD_POWER_UP
)) {
1563 if ((req
.arg
& ACMD41_ENQUIRY_MASK
) != 0) {
1564 timer_del(sd
->ocr_power_timer
);
1567 trace_sdcard_inquiry_cmd41();
1568 if (!timer_pending(sd
->ocr_power_timer
)) {
1569 timer_mod_ns(sd
->ocr_power_timer
,
1570 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL
)
1571 + OCR_POWER_DELAY_NS
));
1576 if (FIELD_EX32(sd
->ocr
& req
.arg
, OCR
, VDD_VOLTAGE_WINDOW
)) {
1577 /* We accept any voltage. 10000 V is nothing.
1579 * Once we're powered up, we advance straight to ready state
1580 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1582 sd
->state
= sd_ready_state
;
1587 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1588 switch (sd
->state
) {
1589 case sd_transfer_state
:
1590 /* Bringing in the 50KOhm pull-up resistor... Done. */
1598 case 51: /* ACMD51: SEND_SCR */
1599 switch (sd
->state
) {
1600 case sd_transfer_state
:
1601 sd
->state
= sd_sendingdata_state
;
1603 sd
->data_offset
= 0;
1611 case 18: /* Reserved for SD security applications */
1616 /* Refer to the "SD Specifications Part3 Security Specification" for
1617 * information about the SD Security Features.
1619 qemu_log_mask(LOG_UNIMP
, "SD: CMD%i Security not implemented\n",
1624 /* Fall back to standard commands. */
1625 return sd_normal_command(sd
, req
);
1627 unimplemented_spi_cmd
:
1628 /* Commands that are recognised but not yet implemented in SPI mode. */
1629 qemu_log_mask(LOG_UNIMP
, "SD: CMD%i not implemented in SPI mode\n",
1634 qemu_log_mask(LOG_GUEST_ERROR
, "SD: ACMD%i in a wrong state\n", req
.cmd
);
1638 static int cmd_valid_while_locked(SDState
*sd
, SDRequest
*req
)
1640 /* Valid commands in locked state:
1642 * lock card class (7)
1644 * implicitly, the ACMD prefix CMD55
1646 * Anything else provokes an "illegal command" response.
1648 if (sd
->expecting_acmd
) {
1649 return req
->cmd
== 41 || req
->cmd
== 42;
1651 if (req
->cmd
== 16 || req
->cmd
== 55) {
1654 return sd_cmd_class
[req
->cmd
] == 0
1655 || sd_cmd_class
[req
->cmd
] == 7;
1658 int sd_do_command(SDState
*sd
, SDRequest
*req
,
1659 uint8_t *response
) {
1661 sd_rsp_type_t rtype
;
1664 if (!sd
->blk
|| !blk_is_inserted(sd
->blk
) || !sd
->enable
) {
1668 if (sd_req_crc_validate(req
)) {
1669 sd
->card_status
|= COM_CRC_ERROR
;
1674 if (req
->cmd
>= SDMMC_CMD_MAX
) {
1675 qemu_log_mask(LOG_GUEST_ERROR
, "SD: incorrect command 0x%02x\n",
1680 if (sd
->card_status
& CARD_IS_LOCKED
) {
1681 if (!cmd_valid_while_locked(sd
, req
)) {
1682 sd
->card_status
|= ILLEGAL_COMMAND
;
1683 sd
->expecting_acmd
= false;
1684 qemu_log_mask(LOG_GUEST_ERROR
, "SD: Card is locked\n");
1690 last_state
= sd
->state
;
1693 if (sd
->expecting_acmd
) {
1694 sd
->expecting_acmd
= false;
1695 rtype
= sd_app_command(sd
, *req
);
1697 rtype
= sd_normal_command(sd
, *req
);
1700 if (rtype
== sd_illegal
) {
1701 sd
->card_status
|= ILLEGAL_COMMAND
;
1703 /* Valid command, we can update the 'state before command' bits.
1704 * (Do this now so they appear in r1 responses.)
1706 sd
->current_cmd
= req
->cmd
;
1707 sd
->card_status
&= ~CURRENT_STATE
;
1708 sd
->card_status
|= (last_state
<< 9);
1715 sd_response_r1_make(sd
, response
);
1720 memcpy(response
, sd
->cid
, sizeof(sd
->cid
));
1725 memcpy(response
, sd
->csd
, sizeof(sd
->csd
));
1730 sd_response_r3_make(sd
, response
);
1735 sd_response_r6_make(sd
, response
);
1740 sd_response_r7_make(sd
, response
);
1749 g_assert_not_reached();
1751 trace_sdcard_response(sd_response_name(rtype
), rsplen
);
1753 if (rtype
!= sd_illegal
) {
1754 /* Clear the "clear on valid command" status bits now we've
1757 sd
->card_status
&= ~CARD_STATUS_B
;
1761 qemu_hexdump((const char *)response
, stderr
, "Response", rsplen
);
1767 static void sd_blk_read(SDState
*sd
, uint64_t addr
, uint32_t len
)
1769 trace_sdcard_read_block(addr
, len
);
1770 if (!sd
->blk
|| blk_pread(sd
->blk
, addr
, sd
->data
, len
) < 0) {
1771 fprintf(stderr
, "sd_blk_read: read error on host side\n");
1775 static void sd_blk_write(SDState
*sd
, uint64_t addr
, uint32_t len
)
1777 trace_sdcard_write_block(addr
, len
);
1778 if (!sd
->blk
|| blk_pwrite(sd
->blk
, addr
, sd
->data
, len
, 0) < 0) {
1779 fprintf(stderr
, "sd_blk_write: write error on host side\n");
1783 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1784 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1785 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1786 #define APP_WRITE_BLOCK(a, len)
1788 void sd_write_data(SDState
*sd
, uint8_t value
)
1792 if (!sd
->blk
|| !blk_is_inserted(sd
->blk
) || !sd
->enable
)
1795 if (sd
->state
!= sd_receivingdata_state
) {
1796 qemu_log_mask(LOG_GUEST_ERROR
,
1797 "sd_write_data: not in Receiving-Data state\n");
1801 if (sd
->card_status
& (ADDRESS_ERROR
| WP_VIOLATION
))
1804 trace_sdcard_write_data(sd
->proto_name
,
1805 sd_acmd_name(sd
->current_cmd
),
1806 sd
->current_cmd
, value
);
1807 switch (sd
->current_cmd
) {
1808 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1809 sd
->data
[sd
->data_offset
++] = value
;
1810 if (sd
->data_offset
>= sd
->blk_len
) {
1811 /* TODO: Check CRC before committing */
1812 sd
->state
= sd_programming_state
;
1813 BLK_WRITE_BLOCK(sd
->data_start
, sd
->data_offset
);
1815 sd
->csd
[14] |= 0x40;
1816 /* Bzzzzzzztt .... Operation complete. */
1817 sd
->state
= sd_transfer_state
;
1821 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1822 if (sd
->data_offset
== 0) {
1823 /* Start of the block - let's check the address is valid */
1824 if (sd
->data_start
+ sd
->blk_len
> sd
->size
) {
1825 sd
->card_status
|= ADDRESS_ERROR
;
1828 if (sd_wp_addr(sd
, sd
->data_start
)) {
1829 sd
->card_status
|= WP_VIOLATION
;
1833 sd
->data
[sd
->data_offset
++] = value
;
1834 if (sd
->data_offset
>= sd
->blk_len
) {
1835 /* TODO: Check CRC before committing */
1836 sd
->state
= sd_programming_state
;
1837 BLK_WRITE_BLOCK(sd
->data_start
, sd
->data_offset
);
1839 sd
->data_start
+= sd
->blk_len
;
1840 sd
->data_offset
= 0;
1841 sd
->csd
[14] |= 0x40;
1843 /* Bzzzzzzztt .... Operation complete. */
1844 if (sd
->multi_blk_cnt
!= 0) {
1845 if (--sd
->multi_blk_cnt
== 0) {
1847 sd
->state
= sd_transfer_state
;
1852 sd
->state
= sd_receivingdata_state
;
1856 case 26: /* CMD26: PROGRAM_CID */
1857 sd
->data
[sd
->data_offset
++] = value
;
1858 if (sd
->data_offset
>= sizeof(sd
->cid
)) {
1859 /* TODO: Check CRC before committing */
1860 sd
->state
= sd_programming_state
;
1861 for (i
= 0; i
< sizeof(sd
->cid
); i
++)
1862 if ((sd
->cid
[i
] | 0x00) != sd
->data
[i
])
1863 sd
->card_status
|= CID_CSD_OVERWRITE
;
1865 if (!(sd
->card_status
& CID_CSD_OVERWRITE
))
1866 for (i
= 0; i
< sizeof(sd
->cid
); i
++) {
1868 sd
->cid
[i
] &= sd
->data
[i
];
1870 /* Bzzzzzzztt .... Operation complete. */
1871 sd
->state
= sd_transfer_state
;
1875 case 27: /* CMD27: PROGRAM_CSD */
1876 sd
->data
[sd
->data_offset
++] = value
;
1877 if (sd
->data_offset
>= sizeof(sd
->csd
)) {
1878 /* TODO: Check CRC before committing */
1879 sd
->state
= sd_programming_state
;
1880 for (i
= 0; i
< sizeof(sd
->csd
); i
++)
1881 if ((sd
->csd
[i
] | sd_csd_rw_mask
[i
]) !=
1882 (sd
->data
[i
] | sd_csd_rw_mask
[i
]))
1883 sd
->card_status
|= CID_CSD_OVERWRITE
;
1885 /* Copy flag (OTP) & Permanent write protect */
1886 if (sd
->csd
[14] & ~sd
->data
[14] & 0x60)
1887 sd
->card_status
|= CID_CSD_OVERWRITE
;
1889 if (!(sd
->card_status
& CID_CSD_OVERWRITE
))
1890 for (i
= 0; i
< sizeof(sd
->csd
); i
++) {
1891 sd
->csd
[i
] |= sd_csd_rw_mask
[i
];
1892 sd
->csd
[i
] &= sd
->data
[i
];
1894 /* Bzzzzzzztt .... Operation complete. */
1895 sd
->state
= sd_transfer_state
;
1899 case 42: /* CMD42: LOCK_UNLOCK */
1900 sd
->data
[sd
->data_offset
++] = value
;
1901 if (sd
->data_offset
>= sd
->blk_len
) {
1902 /* TODO: Check CRC before committing */
1903 sd
->state
= sd_programming_state
;
1904 sd_lock_command(sd
);
1905 /* Bzzzzzzztt .... Operation complete. */
1906 sd
->state
= sd_transfer_state
;
1910 case 56: /* CMD56: GEN_CMD */
1911 sd
->data
[sd
->data_offset
++] = value
;
1912 if (sd
->data_offset
>= sd
->blk_len
) {
1913 APP_WRITE_BLOCK(sd
->data_start
, sd
->data_offset
);
1914 sd
->state
= sd_transfer_state
;
1919 qemu_log_mask(LOG_GUEST_ERROR
, "sd_write_data: unknown command\n");
1924 #define SD_TUNING_BLOCK_SIZE 64
1926 static const uint8_t sd_tuning_block_pattern
[SD_TUNING_BLOCK_SIZE
] = {
1927 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1928 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1929 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1930 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1931 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1932 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1933 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1934 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1935 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1938 uint8_t sd_read_data(SDState
*sd
)
1940 /* TODO: Append CRCs */
1944 if (!sd
->blk
|| !blk_is_inserted(sd
->blk
) || !sd
->enable
)
1947 if (sd
->state
!= sd_sendingdata_state
) {
1948 qemu_log_mask(LOG_GUEST_ERROR
,
1949 "sd_read_data: not in Sending-Data state\n");
1953 if (sd
->card_status
& (ADDRESS_ERROR
| WP_VIOLATION
))
1956 io_len
= (sd
->ocr
& (1 << 30)) ? 512 : sd
->blk_len
;
1958 trace_sdcard_read_data(sd
->proto_name
,
1959 sd_acmd_name(sd
->current_cmd
),
1960 sd
->current_cmd
, io_len
);
1961 switch (sd
->current_cmd
) {
1962 case 6: /* CMD6: SWITCH_FUNCTION */
1963 ret
= sd
->data
[sd
->data_offset
++];
1965 if (sd
->data_offset
>= 64)
1966 sd
->state
= sd_transfer_state
;
1969 case 9: /* CMD9: SEND_CSD */
1970 case 10: /* CMD10: SEND_CID */
1971 ret
= sd
->data
[sd
->data_offset
++];
1973 if (sd
->data_offset
>= 16)
1974 sd
->state
= sd_transfer_state
;
1977 case 13: /* ACMD13: SD_STATUS */
1978 ret
= sd
->sd_status
[sd
->data_offset
++];
1980 if (sd
->data_offset
>= sizeof(sd
->sd_status
))
1981 sd
->state
= sd_transfer_state
;
1984 case 17: /* CMD17: READ_SINGLE_BLOCK */
1985 if (sd
->data_offset
== 0)
1986 BLK_READ_BLOCK(sd
->data_start
, io_len
);
1987 ret
= sd
->data
[sd
->data_offset
++];
1989 if (sd
->data_offset
>= io_len
)
1990 sd
->state
= sd_transfer_state
;
1993 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1994 if (sd
->data_offset
== 0) {
1995 if (sd
->data_start
+ io_len
> sd
->size
) {
1996 sd
->card_status
|= ADDRESS_ERROR
;
1999 BLK_READ_BLOCK(sd
->data_start
, io_len
);
2001 ret
= sd
->data
[sd
->data_offset
++];
2003 if (sd
->data_offset
>= io_len
) {
2004 sd
->data_start
+= io_len
;
2005 sd
->data_offset
= 0;
2007 if (sd
->multi_blk_cnt
!= 0) {
2008 if (--sd
->multi_blk_cnt
== 0) {
2010 sd
->state
= sd_transfer_state
;
2017 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2018 if (sd
->data_offset
>= SD_TUNING_BLOCK_SIZE
- 1) {
2019 sd
->state
= sd_transfer_state
;
2021 ret
= sd_tuning_block_pattern
[sd
->data_offset
++];
2024 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2025 ret
= sd
->data
[sd
->data_offset
++];
2027 if (sd
->data_offset
>= 4)
2028 sd
->state
= sd_transfer_state
;
2031 case 30: /* CMD30: SEND_WRITE_PROT */
2032 ret
= sd
->data
[sd
->data_offset
++];
2034 if (sd
->data_offset
>= 4)
2035 sd
->state
= sd_transfer_state
;
2038 case 51: /* ACMD51: SEND_SCR */
2039 ret
= sd
->scr
[sd
->data_offset
++];
2041 if (sd
->data_offset
>= sizeof(sd
->scr
))
2042 sd
->state
= sd_transfer_state
;
2045 case 56: /* CMD56: GEN_CMD */
2046 if (sd
->data_offset
== 0)
2047 APP_READ_BLOCK(sd
->data_start
, sd
->blk_len
);
2048 ret
= sd
->data
[sd
->data_offset
++];
2050 if (sd
->data_offset
>= sd
->blk_len
)
2051 sd
->state
= sd_transfer_state
;
2055 qemu_log_mask(LOG_GUEST_ERROR
, "sd_read_data: unknown command\n");
2062 bool sd_data_ready(SDState
*sd
)
2064 return sd
->state
== sd_sendingdata_state
;
2067 void sd_enable(SDState
*sd
, bool enable
)
2069 sd
->enable
= enable
;
2072 static void sd_instance_init(Object
*obj
)
2074 SDState
*sd
= SD_CARD(obj
);
2077 sd
->ocr_power_timer
= timer_new_ns(QEMU_CLOCK_VIRTUAL
, sd_ocr_powerup
, sd
);
2080 static void sd_instance_finalize(Object
*obj
)
2082 SDState
*sd
= SD_CARD(obj
);
2084 timer_del(sd
->ocr_power_timer
);
2085 timer_free(sd
->ocr_power_timer
);
2088 static void sd_realize(DeviceState
*dev
, Error
**errp
)
2090 SDState
*sd
= SD_CARD(dev
);
2093 sd
->proto_name
= sd
->spi
? "SPI" : "SD";
2095 switch (sd
->spec_version
) {
2096 case SD_PHY_SPECv1_10_VERS
2097 ... SD_PHY_SPECv3_01_VERS
:
2100 error_setg(errp
, "Invalid SD card Spec version: %u", sd
->spec_version
);
2104 if (sd
->blk
&& blk_is_read_only(sd
->blk
)) {
2105 error_setg(errp
, "Cannot use read-only drive as SD card");
2110 ret
= blk_set_perm(sd
->blk
, BLK_PERM_CONSISTENT_READ
| BLK_PERM_WRITE
,
2111 BLK_PERM_ALL
, errp
);
2115 blk_set_dev_ops(sd
->blk
, &sd_block_ops
, sd
);
2119 static Property sd_properties
[] = {
2120 DEFINE_PROP_UINT8("spec_version", SDState
,
2121 spec_version
, SD_PHY_SPECv2_00_VERS
),
2122 DEFINE_PROP_DRIVE("drive", SDState
, blk
),
2123 /* We do not model the chip select pin, so allow the board to select
2124 * whether card should be in SSI or MMC/SD mode. It is also up to the
2125 * board to ensure that ssi transfers only occur when the chip select
2127 DEFINE_PROP_BOOL("spi", SDState
, spi
, false),
2128 DEFINE_PROP_END_OF_LIST()
2131 static void sd_class_init(ObjectClass
*klass
, void *data
)
2133 DeviceClass
*dc
= DEVICE_CLASS(klass
);
2134 SDCardClass
*sc
= SD_CARD_CLASS(klass
);
2136 dc
->realize
= sd_realize
;
2137 device_class_set_props(dc
, sd_properties
);
2138 dc
->vmsd
= &sd_vmstate
;
2139 dc
->reset
= sd_reset
;
2140 dc
->bus_type
= TYPE_SD_BUS
;
2141 set_bit(DEVICE_CATEGORY_STORAGE
, dc
->categories
);
2143 sc
->set_voltage
= sd_set_voltage
;
2144 sc
->get_dat_lines
= sd_get_dat_lines
;
2145 sc
->get_cmd_line
= sd_get_cmd_line
;
2146 sc
->do_command
= sd_do_command
;
2147 sc
->write_data
= sd_write_data
;
2148 sc
->read_data
= sd_read_data
;
2149 sc
->data_ready
= sd_data_ready
;
2150 sc
->enable
= sd_enable
;
2151 sc
->get_inserted
= sd_get_inserted
;
2152 sc
->get_readonly
= sd_get_readonly
;
2155 static const TypeInfo sd_info
= {
2156 .name
= TYPE_SD_CARD
,
2157 .parent
= TYPE_DEVICE
,
2158 .instance_size
= sizeof(SDState
),
2159 .class_size
= sizeof(SDCardClass
),
2160 .class_init
= sd_class_init
,
2161 .instance_init
= sd_instance_init
,
2162 .instance_finalize
= sd_instance_finalize
,
2165 static void sd_register_types(void)
2167 type_register_static(&sd_info
);
2170 type_init(sd_register_types
)