2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 * Copyright (c) 2018 Philippe Mathieu-Daudé <f4bug@amsat.org>
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "hw/qdev-properties-system.h"
46 #include "qemu/error-report.h"
47 #include "qemu/timer.h"
49 #include "qemu/module.h"
50 #include "qemu-common.h"
51 #include "sdmmc-internal.h"
56 #define SDSC_MAX_CAPACITY (2 * GiB)
58 #define INVALID_ADDRESS UINT32_MAX
61 sd_r0
= 0, /* no response */
62 sd_r1
, /* normal response command */
63 sd_r2_i
, /* CID register */
64 sd_r2_s
, /* CSD register */
65 sd_r3
, /* OCR register */
66 sd_r6
= 6, /* Published RCA response */
67 sd_r7
, /* Operating voltage */
74 sd_card_identification_mode
,
75 sd_data_transfer_mode
,
79 sd_inactive_state
= -1,
82 sd_identification_state
,
86 sd_receivingdata_state
,
92 DeviceState parent_obj
;
94 /* If true, created by sd_init() for a non-qdevified caller */
95 /* TODO purge them with fire */
96 bool me_no_qdev_me_kill_mammoth_with_rocks
;
98 /* SD Memory Card Registers */
104 uint32_t card_status
;
105 uint8_t sd_status
[64];
107 /* Static properties */
109 uint8_t spec_version
;
113 /* Runtime changeables */
115 uint32_t mode
; /* current card mode, one of SDCardModes */
116 int32_t state
; /* current card state, one of SDCardStates */
119 unsigned long *wp_groups
;
123 uint32_t multi_blk_cnt
;
124 uint32_t erase_start
;
128 uint8_t function_group
[6];
130 /* True if we will handle the next command as an ACMD. Note that this does
131 * *not* track the APP_CMD status bit!
134 uint32_t blk_written
;
136 uint32_t data_offset
;
138 qemu_irq readonly_cb
;
139 qemu_irq inserted_cb
;
140 QEMUTimer
*ocr_power_timer
;
141 const char *proto_name
;
147 static void sd_realize(DeviceState
*dev
, Error
**errp
);
149 static const char *sd_state_name(enum SDCardStates state
)
151 static const char *state_name
[] = {
152 [sd_idle_state
] = "idle",
153 [sd_ready_state
] = "ready",
154 [sd_identification_state
] = "identification",
155 [sd_standby_state
] = "standby",
156 [sd_transfer_state
] = "transfer",
157 [sd_sendingdata_state
] = "sendingdata",
158 [sd_receivingdata_state
] = "receivingdata",
159 [sd_programming_state
] = "programming",
160 [sd_disconnect_state
] = "disconnect",
162 if (state
== sd_inactive_state
) {
165 assert(state
< ARRAY_SIZE(state_name
));
166 return state_name
[state
];
169 static const char *sd_response_name(sd_rsp_type_t rsp
)
171 static const char *response_name
[] = {
172 [sd_r0
] = "RESP#0 (no response)",
173 [sd_r1
] = "RESP#1 (normal cmd)",
174 [sd_r2_i
] = "RESP#2 (CID reg)",
175 [sd_r2_s
] = "RESP#2 (CSD reg)",
176 [sd_r3
] = "RESP#3 (OCR reg)",
177 [sd_r6
] = "RESP#6 (RCA)",
178 [sd_r7
] = "RESP#7 (operating voltage)",
180 if (rsp
== sd_illegal
) {
181 return "ILLEGAL RESP";
186 assert(rsp
< ARRAY_SIZE(response_name
));
187 return response_name
[rsp
];
190 static uint8_t sd_get_dat_lines(SDState
*sd
)
192 return sd
->enable
? sd
->dat_lines
: 0;
195 static bool sd_get_cmd_line(SDState
*sd
)
197 return sd
->enable
? sd
->cmd_line
: false;
200 static void sd_set_voltage(SDState
*sd
, uint16_t millivolts
)
202 trace_sdcard_set_voltage(millivolts
);
204 switch (millivolts
) {
205 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
206 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
209 qemu_log_mask(LOG_GUEST_ERROR
, "SD card voltage not supported: %.3fV",
210 millivolts
/ 1000.f
);
214 static void sd_set_mode(SDState
*sd
)
217 case sd_inactive_state
:
218 sd
->mode
= sd_inactive
;
223 case sd_identification_state
:
224 sd
->mode
= sd_card_identification_mode
;
227 case sd_standby_state
:
228 case sd_transfer_state
:
229 case sd_sendingdata_state
:
230 case sd_receivingdata_state
:
231 case sd_programming_state
:
232 case sd_disconnect_state
:
233 sd
->mode
= sd_data_transfer_mode
;
238 static const sd_cmd_type_t sd_cmd_type
[SDMMC_CMD_MAX
] = {
239 sd_bc
, sd_none
, sd_bcr
, sd_bcr
, sd_none
, sd_none
, sd_none
, sd_ac
,
240 sd_bcr
, sd_ac
, sd_ac
, sd_adtc
, sd_ac
, sd_ac
, sd_none
, sd_ac
,
242 sd_ac
, sd_adtc
, sd_adtc
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
,
243 sd_adtc
, sd_adtc
, sd_adtc
, sd_adtc
, sd_ac
, sd_ac
, sd_adtc
, sd_none
,
245 sd_ac
, sd_ac
, sd_none
, sd_none
, sd_none
, sd_none
, sd_ac
, sd_none
,
246 sd_none
, sd_none
, sd_bc
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
,
248 sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_ac
,
249 sd_adtc
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
, sd_none
,
252 static const int sd_cmd_class
[SDMMC_CMD_MAX
] = {
253 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
254 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
255 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
256 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
259 static uint8_t sd_crc7(const void *message
, size_t width
)
262 uint8_t shift_reg
= 0x00;
263 const uint8_t *msg
= (const uint8_t *)message
;
265 for (i
= 0; i
< width
; i
++, msg
++)
266 for (bit
= 7; bit
>= 0; bit
--) {
268 if ((shift_reg
>> 7) ^ ((*msg
>> bit
) & 1))
275 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
277 FIELD(OCR
, VDD_VOLTAGE_WINDOW
, 0, 24)
278 FIELD(OCR
, VDD_VOLTAGE_WIN_LO
, 0, 8)
279 FIELD(OCR
, DUAL_VOLTAGE_CARD
, 7, 1)
280 FIELD(OCR
, VDD_VOLTAGE_WIN_HI
, 8, 16)
281 FIELD(OCR
, ACCEPT_SWITCH_1V8
, 24, 1) /* Only UHS-I */
282 FIELD(OCR
, UHS_II_CARD
, 29, 1) /* Only UHS-II */
283 FIELD(OCR
, CARD_CAPACITY
, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
284 FIELD(OCR
, CARD_POWER_UP
, 31, 1)
286 #define ACMD41_ENQUIRY_MASK 0x00ffffff
287 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
288 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
289 | R_OCR_UHS_II_CARD_MASK \
290 | R_OCR_CARD_CAPACITY_MASK \
291 | R_OCR_CARD_POWER_UP_MASK)
293 static void sd_set_ocr(SDState
*sd
)
295 /* All voltages OK */
296 sd
->ocr
= R_OCR_VDD_VOLTAGE_WIN_HI_MASK
;
299 static void sd_ocr_powerup(void *opaque
)
301 SDState
*sd
= opaque
;
303 trace_sdcard_powerup();
304 assert(!FIELD_EX32(sd
->ocr
, OCR
, CARD_POWER_UP
));
306 /* card power-up OK */
307 sd
->ocr
= FIELD_DP32(sd
->ocr
, OCR
, CARD_POWER_UP
, 1);
309 if (sd
->size
> SDSC_MAX_CAPACITY
) {
310 sd
->ocr
= FIELD_DP32(sd
->ocr
, OCR
, CARD_CAPACITY
, 1);
314 static void sd_set_scr(SDState
*sd
)
316 sd
->scr
[0] = 0 << 4; /* SCR structure version 1.0 */
317 if (sd
->spec_version
== SD_PHY_SPECv1_10_VERS
) {
318 sd
->scr
[0] |= 1; /* Spec Version 1.10 */
320 sd
->scr
[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
322 sd
->scr
[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
323 | 0b0101; /* 1-bit or 4-bit width bus modes */
324 sd
->scr
[2] = 0x00; /* Extended Security is not supported. */
325 if (sd
->spec_version
>= SD_PHY_SPECv3_01_VERS
) {
326 sd
->scr
[2] |= 1 << 7; /* Spec Version 3.0X */
329 /* reserved for manufacturer usage */
343 static void sd_set_cid(SDState
*sd
)
345 sd
->cid
[0] = MID
; /* Fake card manufacturer ID (MID) */
346 sd
->cid
[1] = OID
[0]; /* OEM/Application ID (OID) */
348 sd
->cid
[3] = PNM
[0]; /* Fake product name (PNM) */
353 sd
->cid
[8] = PRV
; /* Fake product revision (PRV) */
354 sd
->cid
[9] = 0xde; /* Fake serial number (PSN) */
358 sd
->cid
[13] = 0x00 | /* Manufacture date (MDT) */
359 ((MDT_YR
- 2000) / 10);
360 sd
->cid
[14] = ((MDT_YR
% 10) << 4) | MDT_MON
;
361 sd
->cid
[15] = (sd_crc7(sd
->cid
, 15) << 1) | 1;
364 #define HWBLOCK_SHIFT 9 /* 512 bytes */
365 #define SECTOR_SHIFT 5 /* 16 kilobytes */
366 #define WPGROUP_SHIFT 7 /* 2 megs */
367 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
368 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
370 static const uint8_t sd_csd_rw_mask
[16] = {
371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
375 static void sd_set_csd(SDState
*sd
, uint64_t size
)
377 int hwblock_shift
= HWBLOCK_SHIFT
;
379 uint32_t sectsize
= (1 << (SECTOR_SHIFT
+ 1)) - 1;
380 uint32_t wpsize
= (1 << (WPGROUP_SHIFT
+ 1)) - 1;
382 /* To indicate 2 GiB card, BLOCK_LEN shall be 1024 bytes */
383 if (size
== SDSC_MAX_CAPACITY
) {
386 csize
= (size
>> (CMULT_SHIFT
+ hwblock_shift
)) - 1;
388 if (size
<= SDSC_MAX_CAPACITY
) { /* Standard Capacity SD */
389 sd
->csd
[0] = 0x00; /* CSD structure */
390 sd
->csd
[1] = 0x26; /* Data read access-time-1 */
391 sd
->csd
[2] = 0x00; /* Data read access-time-2 */
392 sd
->csd
[3] = 0x32; /* Max. data transfer rate: 25 MHz */
393 sd
->csd
[4] = 0x5f; /* Card Command Classes */
394 sd
->csd
[5] = 0x50 | /* Max. read data block length */
396 sd
->csd
[6] = 0xe0 | /* Partial block for read allowed */
397 ((csize
>> 10) & 0x03);
398 sd
->csd
[7] = 0x00 | /* Device size */
399 ((csize
>> 2) & 0xff);
400 sd
->csd
[8] = 0x3f | /* Max. read current */
401 ((csize
<< 6) & 0xc0);
402 sd
->csd
[9] = 0xfc | /* Max. write current */
403 ((CMULT_SHIFT
- 2) >> 1);
404 sd
->csd
[10] = 0x40 | /* Erase sector size */
405 (((CMULT_SHIFT
- 2) << 7) & 0x80) | (sectsize
>> 1);
406 sd
->csd
[11] = 0x00 | /* Write protect group size */
407 ((sectsize
<< 7) & 0x80) | wpsize
;
408 sd
->csd
[12] = 0x90 | /* Write speed factor */
409 (hwblock_shift
>> 2);
410 sd
->csd
[13] = 0x20 | /* Max. write data block length */
411 ((hwblock_shift
<< 6) & 0xc0);
412 sd
->csd
[14] = 0x00; /* File format group */
423 sd
->csd
[7] = (size
>> 16) & 0xff;
424 sd
->csd
[8] = (size
>> 8) & 0xff;
425 sd
->csd
[9] = (size
& 0xff);
432 sd
->csd
[15] = (sd_crc7(sd
->csd
, 15) << 1) | 1;
435 static void sd_set_rca(SDState
*sd
)
440 FIELD(CSR
, AKE_SEQ_ERROR
, 3, 1)
441 FIELD(CSR
, APP_CMD
, 5, 1)
442 FIELD(CSR
, FX_EVENT
, 6, 1)
443 FIELD(CSR
, READY_FOR_DATA
, 8, 1)
444 FIELD(CSR
, CURRENT_STATE
, 9, 4)
445 FIELD(CSR
, ERASE_RESET
, 13, 1)
446 FIELD(CSR
, CARD_ECC_DISABLED
, 14, 1)
447 FIELD(CSR
, WP_ERASE_SKIP
, 15, 1)
448 FIELD(CSR
, CSD_OVERWRITE
, 16, 1)
449 FIELD(CSR
, DEFERRED_RESPONSE
, 17, 1)
450 FIELD(CSR
, ERROR
, 19, 1)
451 FIELD(CSR
, CC_ERROR
, 20, 1)
452 FIELD(CSR
, CARD_ECC_FAILED
, 21, 1)
453 FIELD(CSR
, ILLEGAL_COMMAND
, 22, 1)
454 FIELD(CSR
, COM_CRC_ERROR
, 23, 1)
455 FIELD(CSR
, LOCK_UNLOCK_FAILED
, 24, 1)
456 FIELD(CSR
, CARD_IS_LOCKED
, 25, 1)
457 FIELD(CSR
, WP_VIOLATION
, 26, 1)
458 FIELD(CSR
, ERASE_PARAM
, 27, 1)
459 FIELD(CSR
, ERASE_SEQ_ERROR
, 28, 1)
460 FIELD(CSR
, BLOCK_LEN_ERROR
, 29, 1)
461 FIELD(CSR
, ADDRESS_ERROR
, 30, 1)
462 FIELD(CSR
, OUT_OF_RANGE
, 31, 1)
464 /* Card status bits, split by clear condition:
465 * A : According to the card current state
466 * B : Always related to the previous command
467 * C : Cleared by read
469 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
470 | R_CSR_CARD_ECC_DISABLED_MASK \
471 | R_CSR_CARD_IS_LOCKED_MASK)
472 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
473 | R_CSR_ILLEGAL_COMMAND_MASK \
474 | R_CSR_COM_CRC_ERROR_MASK)
475 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
476 | R_CSR_APP_CMD_MASK \
477 | R_CSR_ERASE_RESET_MASK \
478 | R_CSR_WP_ERASE_SKIP_MASK \
479 | R_CSR_CSD_OVERWRITE_MASK \
481 | R_CSR_CC_ERROR_MASK \
482 | R_CSR_CARD_ECC_FAILED_MASK \
483 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
484 | R_CSR_WP_VIOLATION_MASK \
485 | R_CSR_ERASE_PARAM_MASK \
486 | R_CSR_ERASE_SEQ_ERROR_MASK \
487 | R_CSR_BLOCK_LEN_ERROR_MASK \
488 | R_CSR_ADDRESS_ERROR_MASK \
489 | R_CSR_OUT_OF_RANGE_MASK)
491 static void sd_set_cardstatus(SDState
*sd
)
493 sd
->card_status
= 0x00000100;
496 static void sd_set_sdstatus(SDState
*sd
)
498 memset(sd
->sd_status
, 0, 64);
501 static int sd_req_crc_validate(SDRequest
*req
)
504 buffer
[0] = 0x40 | req
->cmd
;
505 stl_be_p(&buffer
[1], req
->arg
);
507 return sd_crc7(buffer
, 5) != req
->crc
; /* TODO */
510 static void sd_response_r1_make(SDState
*sd
, uint8_t *response
)
512 stl_be_p(response
, sd
->card_status
);
514 /* Clear the "clear on read" status bits */
515 sd
->card_status
&= ~CARD_STATUS_C
;
518 static void sd_response_r3_make(SDState
*sd
, uint8_t *response
)
520 stl_be_p(response
, sd
->ocr
& ACMD41_R3_MASK
);
523 static void sd_response_r6_make(SDState
*sd
, uint8_t *response
)
527 status
= ((sd
->card_status
>> 8) & 0xc000) |
528 ((sd
->card_status
>> 6) & 0x2000) |
529 (sd
->card_status
& 0x1fff);
530 sd
->card_status
&= ~(CARD_STATUS_C
& 0xc81fff);
531 stw_be_p(response
+ 0, sd
->rca
);
532 stw_be_p(response
+ 2, status
);
535 static void sd_response_r7_make(SDState
*sd
, uint8_t *response
)
537 stl_be_p(response
, sd
->vhs
);
540 static inline uint64_t sd_addr_to_wpnum(uint64_t addr
)
542 return addr
>> (HWBLOCK_SHIFT
+ SECTOR_SHIFT
+ WPGROUP_SHIFT
);
545 static void sd_reset(DeviceState
*dev
)
547 SDState
*sd
= SD_CARD(dev
);
551 trace_sdcard_reset();
553 blk_get_geometry(sd
->blk
, §
);
559 sect
= sd_addr_to_wpnum(size
) + 1;
561 sd
->state
= sd_idle_state
;
566 sd_set_csd(sd
, size
);
567 sd_set_cardstatus(sd
);
570 g_free(sd
->wp_groups
);
571 sd
->wp_switch
= sd
->blk
? !blk_is_writable(sd
->blk
) : false;
572 sd
->wpgrps_size
= sect
;
573 sd
->wp_groups
= bitmap_new(sd
->wpgrps_size
);
574 memset(sd
->function_group
, 0, sizeof(sd
->function_group
));
575 sd
->erase_start
= INVALID_ADDRESS
;
576 sd
->erase_end
= INVALID_ADDRESS
;
580 sd
->expecting_acmd
= false;
583 sd
->multi_blk_cnt
= 0;
586 static bool sd_get_inserted(SDState
*sd
)
588 return sd
->blk
&& blk_is_inserted(sd
->blk
);
591 static bool sd_get_readonly(SDState
*sd
)
593 return sd
->wp_switch
;
596 static void sd_cardchange(void *opaque
, bool load
, Error
**errp
)
598 SDState
*sd
= opaque
;
599 DeviceState
*dev
= DEVICE(sd
);
601 bool inserted
= sd_get_inserted(sd
);
602 bool readonly
= sd_get_readonly(sd
);
605 trace_sdcard_inserted(readonly
);
608 trace_sdcard_ejected();
611 if (sd
->me_no_qdev_me_kill_mammoth_with_rocks
) {
612 qemu_set_irq(sd
->inserted_cb
, inserted
);
614 qemu_set_irq(sd
->readonly_cb
, readonly
);
617 sdbus
= SD_BUS(qdev_get_parent_bus(dev
));
618 sdbus_set_inserted(sdbus
, inserted
);
620 sdbus_set_readonly(sdbus
, readonly
);
625 static const BlockDevOps sd_block_ops
= {
626 .change_media_cb
= sd_cardchange
,
629 static bool sd_ocr_vmstate_needed(void *opaque
)
631 SDState
*sd
= opaque
;
633 /* Include the OCR state (and timer) if it is not yet powered up */
634 return !FIELD_EX32(sd
->ocr
, OCR
, CARD_POWER_UP
);
637 static const VMStateDescription sd_ocr_vmstate
= {
638 .name
= "sd-card/ocr-state",
640 .minimum_version_id
= 1,
641 .needed
= sd_ocr_vmstate_needed
,
642 .fields
= (VMStateField
[]) {
643 VMSTATE_UINT32(ocr
, SDState
),
644 VMSTATE_TIMER_PTR(ocr_power_timer
, SDState
),
645 VMSTATE_END_OF_LIST()
649 static int sd_vmstate_pre_load(void *opaque
)
651 SDState
*sd
= opaque
;
653 /* If the OCR state is not included (prior versions, or not
654 * needed), then the OCR must be set as powered up. If the OCR state
655 * is included, this will be replaced by the state restore.
662 static const VMStateDescription sd_vmstate
= {
665 .minimum_version_id
= 2,
666 .pre_load
= sd_vmstate_pre_load
,
667 .fields
= (VMStateField
[]) {
668 VMSTATE_UINT32(mode
, SDState
),
669 VMSTATE_INT32(state
, SDState
),
670 VMSTATE_UINT8_ARRAY(cid
, SDState
, 16),
671 VMSTATE_UINT8_ARRAY(csd
, SDState
, 16),
672 VMSTATE_UINT16(rca
, SDState
),
673 VMSTATE_UINT32(card_status
, SDState
),
674 VMSTATE_PARTIAL_BUFFER(sd_status
, SDState
, 1),
675 VMSTATE_UINT32(vhs
, SDState
),
676 VMSTATE_BITMAP(wp_groups
, SDState
, 0, wpgrps_size
),
677 VMSTATE_UINT32(blk_len
, SDState
),
678 VMSTATE_UINT32(multi_blk_cnt
, SDState
),
679 VMSTATE_UINT32(erase_start
, SDState
),
680 VMSTATE_UINT32(erase_end
, SDState
),
681 VMSTATE_UINT8_ARRAY(pwd
, SDState
, 16),
682 VMSTATE_UINT32(pwd_len
, SDState
),
683 VMSTATE_UINT8_ARRAY(function_group
, SDState
, 6),
684 VMSTATE_UINT8(current_cmd
, SDState
),
685 VMSTATE_BOOL(expecting_acmd
, SDState
),
686 VMSTATE_UINT32(blk_written
, SDState
),
687 VMSTATE_UINT64(data_start
, SDState
),
688 VMSTATE_UINT32(data_offset
, SDState
),
689 VMSTATE_UINT8_ARRAY(data
, SDState
, 512),
690 VMSTATE_UNUSED_V(1, 512),
691 VMSTATE_BOOL(enable
, SDState
),
692 VMSTATE_END_OF_LIST()
694 .subsections
= (const VMStateDescription
*[]) {
700 /* Legacy initialization function for use by non-qdevified callers */
701 SDState
*sd_init(BlockBackend
*blk
, bool is_spi
)
708 obj
= object_new(TYPE_SD_CARD
);
710 if (!qdev_prop_set_drive_err(dev
, "drive", blk
, &err
)) {
711 error_reportf_err(err
, "sd_init failed: ");
714 qdev_prop_set_bit(dev
, "spi", is_spi
);
717 * Realizing the device properly would put it into the QOM
718 * composition tree even though it is not plugged into an
719 * appropriate bus. That's a no-no. Hide the device from
720 * QOM/qdev, and call its qdev realize callback directly.
723 object_unparent(obj
);
724 sd_realize(dev
, &err
);
726 error_reportf_err(err
, "sd_init failed: ");
731 sd
->me_no_qdev_me_kill_mammoth_with_rocks
= true;
735 void sd_set_cb(SDState
*sd
, qemu_irq readonly
, qemu_irq insert
)
737 sd
->readonly_cb
= readonly
;
738 sd
->inserted_cb
= insert
;
739 qemu_set_irq(readonly
, sd
->blk
? !blk_is_writable(sd
->blk
) : 0);
740 qemu_set_irq(insert
, sd
->blk
? blk_is_inserted(sd
->blk
) : 0);
743 static void sd_blk_read(SDState
*sd
, uint64_t addr
, uint32_t len
)
745 trace_sdcard_read_block(addr
, len
);
746 if (!sd
->blk
|| blk_pread(sd
->blk
, addr
, sd
->data
, len
) < 0) {
747 fprintf(stderr
, "sd_blk_read: read error on host side\n");
751 static void sd_blk_write(SDState
*sd
, uint64_t addr
, uint32_t len
)
753 trace_sdcard_write_block(addr
, len
);
754 if (!sd
->blk
|| blk_pwrite(sd
->blk
, addr
, sd
->data
, len
, 0) < 0) {
755 fprintf(stderr
, "sd_blk_write: write error on host side\n");
759 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
760 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
761 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
762 #define APP_WRITE_BLOCK(a, len)
764 static void sd_erase(SDState
*sd
)
766 uint64_t erase_start
= sd
->erase_start
;
767 uint64_t erase_end
= sd
->erase_end
;
771 int erase_len
= 1 << HWBLOCK_SHIFT
;
773 trace_sdcard_erase(sd
->erase_start
, sd
->erase_end
);
774 if (sd
->erase_start
== INVALID_ADDRESS
775 || sd
->erase_end
== INVALID_ADDRESS
) {
776 sd
->card_status
|= ERASE_SEQ_ERROR
;
777 sd
->erase_start
= INVALID_ADDRESS
;
778 sd
->erase_end
= INVALID_ADDRESS
;
782 if (FIELD_EX32(sd
->ocr
, OCR
, CARD_CAPACITY
)) {
783 /* High capacity memory card: erase units are 512 byte blocks */
789 if (erase_start
> sd
->size
|| erase_end
> sd
->size
) {
790 sd
->card_status
|= OUT_OF_RANGE
;
791 sd
->erase_start
= INVALID_ADDRESS
;
792 sd
->erase_end
= INVALID_ADDRESS
;
796 sd
->erase_start
= INVALID_ADDRESS
;
797 sd
->erase_end
= INVALID_ADDRESS
;
800 memset(sd
->data
, 0xff, erase_len
);
801 for (erase_addr
= erase_start
; erase_addr
<= erase_end
;
802 erase_addr
+= erase_len
) {
804 /* Only SDSC cards support write protect groups */
805 wpnum
= sd_addr_to_wpnum(erase_addr
);
806 assert(wpnum
< sd
->wpgrps_size
);
807 if (test_bit(wpnum
, sd
->wp_groups
)) {
808 sd
->card_status
|= WP_ERASE_SKIP
;
812 BLK_WRITE_BLOCK(erase_addr
, erase_len
);
816 static uint32_t sd_wpbits(SDState
*sd
, uint64_t addr
)
821 wpnum
= sd_addr_to_wpnum(addr
);
823 for (i
= 0; i
< 32; i
++, wpnum
++, addr
+= WPGROUP_SIZE
) {
824 assert(wpnum
< sd
->wpgrps_size
);
825 if (addr
< sd
->size
&& test_bit(wpnum
, sd
->wp_groups
)) {
833 static void sd_function_switch(SDState
*sd
, uint32_t arg
)
835 int i
, mode
, new_func
;
836 mode
= !!(arg
& 0x80000000);
838 sd
->data
[0] = 0x00; /* Maximum current consumption */
840 sd
->data
[2] = 0x80; /* Supported group 6 functions */
842 sd
->data
[4] = 0x80; /* Supported group 5 functions */
844 sd
->data
[6] = 0x80; /* Supported group 4 functions */
846 sd
->data
[8] = 0x80; /* Supported group 3 functions */
848 sd
->data
[10] = 0x80; /* Supported group 2 functions */
850 sd
->data
[12] = 0x80; /* Supported group 1 functions */
853 memset(&sd
->data
[14], 0, 3);
854 for (i
= 0; i
< 6; i
++) {
855 new_func
= (arg
>> (i
* 4)) & 0x0f;
856 if (mode
&& new_func
!= 0x0f)
857 sd
->function_group
[i
] = new_func
;
858 sd
->data
[16 - (i
>> 1)] |= new_func
<< ((i
% 2) * 4);
860 memset(&sd
->data
[17], 0, 47);
863 static inline bool sd_wp_addr(SDState
*sd
, uint64_t addr
)
865 return test_bit(sd_addr_to_wpnum(addr
), sd
->wp_groups
);
868 static void sd_lock_command(SDState
*sd
)
870 int erase
, lock
, clr_pwd
, set_pwd
, pwd_len
;
871 erase
= !!(sd
->data
[0] & 0x08);
872 lock
= sd
->data
[0] & 0x04;
873 clr_pwd
= sd
->data
[0] & 0x02;
874 set_pwd
= sd
->data
[0] & 0x01;
877 pwd_len
= sd
->data
[1];
884 trace_sdcard_unlock();
887 if (!(sd
->card_status
& CARD_IS_LOCKED
) || sd
->blk_len
> 1 ||
888 set_pwd
|| clr_pwd
|| lock
|| sd
->wp_switch
||
889 (sd
->csd
[14] & 0x20)) {
890 sd
->card_status
|= LOCK_UNLOCK_FAILED
;
893 bitmap_zero(sd
->wp_groups
, sd
->wpgrps_size
);
894 sd
->csd
[14] &= ~0x10;
895 sd
->card_status
&= ~CARD_IS_LOCKED
;
897 /* Erasing the entire card here! */
898 fprintf(stderr
, "SD: Card force-erased by CMD42\n");
902 if (sd
->blk_len
< 2 + pwd_len
||
903 pwd_len
<= sd
->pwd_len
||
904 pwd_len
> sd
->pwd_len
+ 16) {
905 sd
->card_status
|= LOCK_UNLOCK_FAILED
;
909 if (sd
->pwd_len
&& memcmp(sd
->pwd
, sd
->data
+ 2, sd
->pwd_len
)) {
910 sd
->card_status
|= LOCK_UNLOCK_FAILED
;
914 pwd_len
-= sd
->pwd_len
;
915 if ((pwd_len
&& !set_pwd
) ||
916 (clr_pwd
&& (set_pwd
|| lock
)) ||
917 (lock
&& !sd
->pwd_len
&& !set_pwd
) ||
918 (!set_pwd
&& !clr_pwd
&&
919 (((sd
->card_status
& CARD_IS_LOCKED
) && lock
) ||
920 (!(sd
->card_status
& CARD_IS_LOCKED
) && !lock
)))) {
921 sd
->card_status
|= LOCK_UNLOCK_FAILED
;
926 memcpy(sd
->pwd
, sd
->data
+ 2 + sd
->pwd_len
, pwd_len
);
927 sd
->pwd_len
= pwd_len
;
935 sd
->card_status
|= CARD_IS_LOCKED
;
937 sd
->card_status
&= ~CARD_IS_LOCKED
;
940 static sd_rsp_type_t
sd_normal_command(SDState
*sd
, SDRequest req
)
942 uint32_t rca
= 0x0000;
943 uint64_t addr
= (sd
->ocr
& (1 << 30)) ? (uint64_t) req
.arg
<< 9 : req
.arg
;
945 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
946 * However there is no ACMD55, so we want to trace this particular case.
948 if (req
.cmd
!= 55 || sd
->expecting_acmd
) {
949 trace_sdcard_normal_command(sd
->proto_name
,
950 sd_cmd_name(req
.cmd
), req
.cmd
,
951 req
.arg
, sd_state_name(sd
->state
));
954 /* Not interpreting this as an app command */
955 sd
->card_status
&= ~APP_CMD
;
957 if (sd_cmd_type
[req
.cmd
] == sd_ac
958 || sd_cmd_type
[req
.cmd
] == sd_adtc
) {
962 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
963 * if not, its effects are cancelled */
964 if (sd
->multi_blk_cnt
!= 0 && !(req
.cmd
== 18 || req
.cmd
== 25)) {
965 sd
->multi_blk_cnt
= 0;
968 if (sd_cmd_class
[req
.cmd
] == 6 && FIELD_EX32(sd
->ocr
, OCR
, CARD_CAPACITY
)) {
969 /* Only Standard Capacity cards support class 6 commands */
974 /* Basic commands (Class 0 and Class 1) */
975 case 0: /* CMD0: GO_IDLE_STATE */
977 case sd_inactive_state
:
978 return sd
->spi
? sd_r1
: sd_r0
;
981 sd
->state
= sd_idle_state
;
982 sd_reset(DEVICE(sd
));
983 return sd
->spi
? sd_r1
: sd_r0
;
987 case 1: /* CMD1: SEND_OP_CMD */
991 sd
->state
= sd_transfer_state
;
994 case 2: /* CMD2: ALL_SEND_CID */
999 sd
->state
= sd_identification_state
;
1007 case 3: /* CMD3: SEND_RELATIVE_ADDR */
1010 switch (sd
->state
) {
1011 case sd_identification_state
:
1012 case sd_standby_state
:
1013 sd
->state
= sd_standby_state
;
1022 case 4: /* CMD4: SEND_DSR */
1025 switch (sd
->state
) {
1026 case sd_standby_state
:
1034 case 5: /* CMD5: reserved for SDIO cards */
1037 case 6: /* CMD6: SWITCH_FUNCTION */
1039 case sd_data_transfer_mode
:
1040 sd_function_switch(sd
, req
.arg
);
1041 sd
->state
= sd_sendingdata_state
;
1043 sd
->data_offset
= 0;
1051 case 7: /* CMD7: SELECT/DESELECT_CARD */
1054 switch (sd
->state
) {
1055 case sd_standby_state
:
1059 sd
->state
= sd_transfer_state
;
1062 case sd_transfer_state
:
1063 case sd_sendingdata_state
:
1067 sd
->state
= sd_standby_state
;
1070 case sd_disconnect_state
:
1074 sd
->state
= sd_programming_state
;
1077 case sd_programming_state
:
1081 sd
->state
= sd_disconnect_state
;
1089 case 8: /* CMD8: SEND_IF_COND */
1090 if (sd
->spec_version
< SD_PHY_SPECv2_00_VERS
) {
1093 if (sd
->state
!= sd_idle_state
) {
1098 /* No response if not exactly one VHS bit is set. */
1099 if (!(req
.arg
>> 8) || (req
.arg
>> (ctz32(req
.arg
& ~0xff) + 1))) {
1100 return sd
->spi
? sd_r7
: sd_r0
;
1107 case 9: /* CMD9: SEND_CSD */
1108 switch (sd
->state
) {
1109 case sd_standby_state
:
1115 case sd_transfer_state
:
1118 sd
->state
= sd_sendingdata_state
;
1119 memcpy(sd
->data
, sd
->csd
, 16);
1120 sd
->data_start
= addr
;
1121 sd
->data_offset
= 0;
1129 case 10: /* CMD10: SEND_CID */
1130 switch (sd
->state
) {
1131 case sd_standby_state
:
1137 case sd_transfer_state
:
1140 sd
->state
= sd_sendingdata_state
;
1141 memcpy(sd
->data
, sd
->cid
, 16);
1142 sd
->data_start
= addr
;
1143 sd
->data_offset
= 0;
1151 case 12: /* CMD12: STOP_TRANSMISSION */
1152 switch (sd
->state
) {
1153 case sd_sendingdata_state
:
1154 sd
->state
= sd_transfer_state
;
1157 case sd_receivingdata_state
:
1158 sd
->state
= sd_programming_state
;
1159 /* Bzzzzzzztt .... Operation complete. */
1160 sd
->state
= sd_transfer_state
;
1168 case 13: /* CMD13: SEND_STATUS */
1170 case sd_data_transfer_mode
:
1171 if (!sd
->spi
&& sd
->rca
!= rca
) {
1182 case 15: /* CMD15: GO_INACTIVE_STATE */
1186 case sd_data_transfer_mode
:
1190 sd
->state
= sd_inactive_state
;
1198 /* Block read commands (Classs 2) */
1199 case 16: /* CMD16: SET_BLOCKLEN */
1200 switch (sd
->state
) {
1201 case sd_transfer_state
:
1202 if (req
.arg
> (1 << HWBLOCK_SHIFT
)) {
1203 sd
->card_status
|= BLOCK_LEN_ERROR
;
1205 trace_sdcard_set_blocklen(req
.arg
);
1206 sd
->blk_len
= req
.arg
;
1216 case 17: /* CMD17: READ_SINGLE_BLOCK */
1217 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1218 switch (sd
->state
) {
1219 case sd_transfer_state
:
1221 if (addr
+ sd
->blk_len
> sd
->size
) {
1222 sd
->card_status
|= ADDRESS_ERROR
;
1226 sd
->state
= sd_sendingdata_state
;
1227 sd
->data_start
= addr
;
1228 sd
->data_offset
= 0;
1236 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1237 if (sd
->spec_version
< SD_PHY_SPECv3_01_VERS
) {
1240 if (sd
->state
== sd_transfer_state
) {
1241 sd
->state
= sd_sendingdata_state
;
1242 sd
->data_offset
= 0;
1247 case 23: /* CMD23: SET_BLOCK_COUNT */
1248 if (sd
->spec_version
< SD_PHY_SPECv3_01_VERS
) {
1251 switch (sd
->state
) {
1252 case sd_transfer_state
:
1253 sd
->multi_blk_cnt
= req
.arg
;
1261 /* Block write commands (Class 4) */
1262 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1263 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1264 switch (sd
->state
) {
1265 case sd_transfer_state
:
1267 if (addr
+ sd
->blk_len
> sd
->size
) {
1268 sd
->card_status
|= ADDRESS_ERROR
;
1272 sd
->state
= sd_receivingdata_state
;
1273 sd
->data_start
= addr
;
1274 sd
->data_offset
= 0;
1275 sd
->blk_written
= 0;
1277 if (sd
->size
<= SDSC_MAX_CAPACITY
) {
1278 if (sd_wp_addr(sd
, sd
->data_start
)) {
1279 sd
->card_status
|= WP_VIOLATION
;
1282 if (sd
->csd
[14] & 0x30) {
1283 sd
->card_status
|= WP_VIOLATION
;
1292 case 26: /* CMD26: PROGRAM_CID */
1295 switch (sd
->state
) {
1296 case sd_transfer_state
:
1297 sd
->state
= sd_receivingdata_state
;
1299 sd
->data_offset
= 0;
1307 case 27: /* CMD27: PROGRAM_CSD */
1308 switch (sd
->state
) {
1309 case sd_transfer_state
:
1310 sd
->state
= sd_receivingdata_state
;
1312 sd
->data_offset
= 0;
1320 /* Write protection (Class 6) */
1321 case 28: /* CMD28: SET_WRITE_PROT */
1322 if (sd
->size
> SDSC_MAX_CAPACITY
) {
1326 switch (sd
->state
) {
1327 case sd_transfer_state
:
1328 if (addr
>= sd
->size
) {
1329 sd
->card_status
|= ADDRESS_ERROR
;
1333 sd
->state
= sd_programming_state
;
1334 set_bit(sd_addr_to_wpnum(addr
), sd
->wp_groups
);
1335 /* Bzzzzzzztt .... Operation complete. */
1336 sd
->state
= sd_transfer_state
;
1344 case 29: /* CMD29: CLR_WRITE_PROT */
1345 if (sd
->size
> SDSC_MAX_CAPACITY
) {
1349 switch (sd
->state
) {
1350 case sd_transfer_state
:
1351 if (addr
>= sd
->size
) {
1352 sd
->card_status
|= ADDRESS_ERROR
;
1356 sd
->state
= sd_programming_state
;
1357 clear_bit(sd_addr_to_wpnum(addr
), sd
->wp_groups
);
1358 /* Bzzzzzzztt .... Operation complete. */
1359 sd
->state
= sd_transfer_state
;
1367 case 30: /* CMD30: SEND_WRITE_PROT */
1368 if (sd
->size
> SDSC_MAX_CAPACITY
) {
1372 switch (sd
->state
) {
1373 case sd_transfer_state
:
1374 sd
->state
= sd_sendingdata_state
;
1375 *(uint32_t *) sd
->data
= sd_wpbits(sd
, req
.arg
);
1376 sd
->data_start
= addr
;
1377 sd
->data_offset
= 0;
1385 /* Erase commands (Class 5) */
1386 case 32: /* CMD32: ERASE_WR_BLK_START */
1387 switch (sd
->state
) {
1388 case sd_transfer_state
:
1389 sd
->erase_start
= req
.arg
;
1397 case 33: /* CMD33: ERASE_WR_BLK_END */
1398 switch (sd
->state
) {
1399 case sd_transfer_state
:
1400 sd
->erase_end
= req
.arg
;
1408 case 38: /* CMD38: ERASE */
1409 switch (sd
->state
) {
1410 case sd_transfer_state
:
1411 if (sd
->csd
[14] & 0x30) {
1412 sd
->card_status
|= WP_VIOLATION
;
1416 sd
->state
= sd_programming_state
;
1418 /* Bzzzzzzztt .... Operation complete. */
1419 sd
->state
= sd_transfer_state
;
1427 /* Lock card commands (Class 7) */
1428 case 42: /* CMD42: LOCK_UNLOCK */
1429 switch (sd
->state
) {
1430 case sd_transfer_state
:
1431 sd
->state
= sd_receivingdata_state
;
1433 sd
->data_offset
= 0;
1442 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1443 * (see the SDIO Simplified Specification V2.0)
1444 * Handle as illegal command but do not complain
1445 * on stderr, as some OSes may use these in their
1446 * probing for presence of an SDIO card.
1450 /* Application specific commands (Class 8) */
1451 case 55: /* CMD55: APP_CMD */
1452 switch (sd
->state
) {
1453 case sd_ready_state
:
1454 case sd_identification_state
:
1455 case sd_inactive_state
:
1459 qemu_log_mask(LOG_GUEST_ERROR
,
1460 "SD: illegal RCA 0x%04x for APP_CMD\n", req
.cmd
);
1466 if (sd
->rca
!= rca
) {
1470 sd
->expecting_acmd
= true;
1471 sd
->card_status
|= APP_CMD
;
1474 case 56: /* CMD56: GEN_CMD */
1475 switch (sd
->state
) {
1476 case sd_transfer_state
:
1477 sd
->data_offset
= 0;
1479 sd
->state
= sd_sendingdata_state
;
1481 sd
->state
= sd_receivingdata_state
;
1489 case 58: /* CMD58: READ_OCR (SPI) */
1495 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1503 qemu_log_mask(LOG_GUEST_ERROR
, "SD: Unknown CMD%i\n", req
.cmd
);
1507 qemu_log_mask(LOG_GUEST_ERROR
, "SD: CMD%i in a wrong state\n", req
.cmd
);
1511 static sd_rsp_type_t
sd_app_command(SDState
*sd
,
1514 trace_sdcard_app_command(sd
->proto_name
, sd_acmd_name(req
.cmd
),
1515 req
.cmd
, req
.arg
, sd_state_name(sd
->state
));
1516 sd
->card_status
|= APP_CMD
;
1518 case 6: /* ACMD6: SET_BUS_WIDTH */
1520 goto unimplemented_spi_cmd
;
1522 switch (sd
->state
) {
1523 case sd_transfer_state
:
1524 sd
->sd_status
[0] &= 0x3f;
1525 sd
->sd_status
[0] |= (req
.arg
& 0x03) << 6;
1533 case 13: /* ACMD13: SD_STATUS */
1534 switch (sd
->state
) {
1535 case sd_transfer_state
:
1536 sd
->state
= sd_sendingdata_state
;
1538 sd
->data_offset
= 0;
1546 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1547 switch (sd
->state
) {
1548 case sd_transfer_state
:
1549 *(uint32_t *) sd
->data
= sd
->blk_written
;
1551 sd
->state
= sd_sendingdata_state
;
1553 sd
->data_offset
= 0;
1561 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1562 switch (sd
->state
) {
1563 case sd_transfer_state
:
1571 case 41: /* ACMD41: SD_APP_OP_COND */
1574 sd
->state
= sd_transfer_state
;
1577 if (sd
->state
!= sd_idle_state
) {
1580 /* If it's the first ACMD41 since reset, we need to decide
1581 * whether to power up. If this is not an enquiry ACMD41,
1582 * we immediately report power on and proceed below to the
1583 * ready state, but if it is, we set a timer to model a
1584 * delay for power up. This works around a bug in EDK2
1585 * UEFI, which sends an initial enquiry ACMD41, but
1586 * assumes that the card is in ready state as soon as it
1587 * sees the power up bit set. */
1588 if (!FIELD_EX32(sd
->ocr
, OCR
, CARD_POWER_UP
)) {
1589 if ((req
.arg
& ACMD41_ENQUIRY_MASK
) != 0) {
1590 timer_del(sd
->ocr_power_timer
);
1593 trace_sdcard_inquiry_cmd41();
1594 if (!timer_pending(sd
->ocr_power_timer
)) {
1595 timer_mod_ns(sd
->ocr_power_timer
,
1596 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL
)
1597 + OCR_POWER_DELAY_NS
));
1602 if (FIELD_EX32(sd
->ocr
& req
.arg
, OCR
, VDD_VOLTAGE_WINDOW
)) {
1603 /* We accept any voltage. 10000 V is nothing.
1605 * Once we're powered up, we advance straight to ready state
1606 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1608 sd
->state
= sd_ready_state
;
1613 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1614 switch (sd
->state
) {
1615 case sd_transfer_state
:
1616 /* Bringing in the 50KOhm pull-up resistor... Done. */
1624 case 51: /* ACMD51: SEND_SCR */
1625 switch (sd
->state
) {
1626 case sd_transfer_state
:
1627 sd
->state
= sd_sendingdata_state
;
1629 sd
->data_offset
= 0;
1637 case 18: /* Reserved for SD security applications */
1642 /* Refer to the "SD Specifications Part3 Security Specification" for
1643 * information about the SD Security Features.
1645 qemu_log_mask(LOG_UNIMP
, "SD: CMD%i Security not implemented\n",
1650 /* Fall back to standard commands. */
1651 return sd_normal_command(sd
, req
);
1653 unimplemented_spi_cmd
:
1654 /* Commands that are recognised but not yet implemented in SPI mode. */
1655 qemu_log_mask(LOG_UNIMP
, "SD: CMD%i not implemented in SPI mode\n",
1660 qemu_log_mask(LOG_GUEST_ERROR
, "SD: ACMD%i in a wrong state\n", req
.cmd
);
1664 static int cmd_valid_while_locked(SDState
*sd
, const uint8_t cmd
)
1666 /* Valid commands in locked state:
1668 * lock card class (7)
1670 * implicitly, the ACMD prefix CMD55
1672 * Anything else provokes an "illegal command" response.
1674 if (sd
->expecting_acmd
) {
1675 return cmd
== 41 || cmd
== 42;
1677 if (cmd
== 16 || cmd
== 55) {
1680 return sd_cmd_class
[cmd
] == 0 || sd_cmd_class
[cmd
] == 7;
1683 int sd_do_command(SDState
*sd
, SDRequest
*req
,
1684 uint8_t *response
) {
1686 sd_rsp_type_t rtype
;
1689 if (!sd
->blk
|| !blk_is_inserted(sd
->blk
) || !sd
->enable
) {
1693 if (sd_req_crc_validate(req
)) {
1694 sd
->card_status
|= COM_CRC_ERROR
;
1699 if (req
->cmd
>= SDMMC_CMD_MAX
) {
1700 qemu_log_mask(LOG_GUEST_ERROR
, "SD: incorrect command 0x%02x\n",
1705 if (sd
->card_status
& CARD_IS_LOCKED
) {
1706 if (!cmd_valid_while_locked(sd
, req
->cmd
)) {
1707 sd
->card_status
|= ILLEGAL_COMMAND
;
1708 sd
->expecting_acmd
= false;
1709 qemu_log_mask(LOG_GUEST_ERROR
, "SD: Card is locked\n");
1715 last_state
= sd
->state
;
1718 if (sd
->expecting_acmd
) {
1719 sd
->expecting_acmd
= false;
1720 rtype
= sd_app_command(sd
, *req
);
1722 rtype
= sd_normal_command(sd
, *req
);
1725 if (rtype
== sd_illegal
) {
1726 sd
->card_status
|= ILLEGAL_COMMAND
;
1728 /* Valid command, we can update the 'state before command' bits.
1729 * (Do this now so they appear in r1 responses.)
1731 sd
->current_cmd
= req
->cmd
;
1732 sd
->card_status
&= ~CURRENT_STATE
;
1733 sd
->card_status
|= (last_state
<< 9);
1740 sd_response_r1_make(sd
, response
);
1745 memcpy(response
, sd
->cid
, sizeof(sd
->cid
));
1750 memcpy(response
, sd
->csd
, sizeof(sd
->csd
));
1755 sd_response_r3_make(sd
, response
);
1760 sd_response_r6_make(sd
, response
);
1765 sd_response_r7_make(sd
, response
);
1774 g_assert_not_reached();
1776 trace_sdcard_response(sd_response_name(rtype
), rsplen
);
1778 if (rtype
!= sd_illegal
) {
1779 /* Clear the "clear on valid command" status bits now we've
1782 sd
->card_status
&= ~CARD_STATUS_B
;
1786 qemu_hexdump(stderr
, "Response", response
, rsplen
);
1792 void sd_write_byte(SDState
*sd
, uint8_t value
)
1796 if (!sd
->blk
|| !blk_is_inserted(sd
->blk
) || !sd
->enable
)
1799 if (sd
->state
!= sd_receivingdata_state
) {
1800 qemu_log_mask(LOG_GUEST_ERROR
,
1801 "%s: not in Receiving-Data state\n", __func__
);
1805 if (sd
->card_status
& (ADDRESS_ERROR
| WP_VIOLATION
))
1808 trace_sdcard_write_data(sd
->proto_name
,
1809 sd_acmd_name(sd
->current_cmd
),
1810 sd
->current_cmd
, value
);
1811 switch (sd
->current_cmd
) {
1812 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1813 sd
->data
[sd
->data_offset
++] = value
;
1814 if (sd
->data_offset
>= sd
->blk_len
) {
1815 /* TODO: Check CRC before committing */
1816 sd
->state
= sd_programming_state
;
1817 BLK_WRITE_BLOCK(sd
->data_start
, sd
->data_offset
);
1819 sd
->csd
[14] |= 0x40;
1820 /* Bzzzzzzztt .... Operation complete. */
1821 sd
->state
= sd_transfer_state
;
1825 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1826 if (sd
->data_offset
== 0) {
1827 /* Start of the block - let's check the address is valid */
1828 if (sd
->data_start
+ sd
->blk_len
> sd
->size
) {
1829 sd
->card_status
|= ADDRESS_ERROR
;
1832 if (sd
->size
<= SDSC_MAX_CAPACITY
) {
1833 if (sd_wp_addr(sd
, sd
->data_start
)) {
1834 sd
->card_status
|= WP_VIOLATION
;
1839 sd
->data
[sd
->data_offset
++] = value
;
1840 if (sd
->data_offset
>= sd
->blk_len
) {
1841 /* TODO: Check CRC before committing */
1842 sd
->state
= sd_programming_state
;
1843 BLK_WRITE_BLOCK(sd
->data_start
, sd
->data_offset
);
1845 sd
->data_start
+= sd
->blk_len
;
1846 sd
->data_offset
= 0;
1847 sd
->csd
[14] |= 0x40;
1849 /* Bzzzzzzztt .... Operation complete. */
1850 if (sd
->multi_blk_cnt
!= 0) {
1851 if (--sd
->multi_blk_cnt
== 0) {
1853 sd
->state
= sd_transfer_state
;
1858 sd
->state
= sd_receivingdata_state
;
1862 case 26: /* CMD26: PROGRAM_CID */
1863 sd
->data
[sd
->data_offset
++] = value
;
1864 if (sd
->data_offset
>= sizeof(sd
->cid
)) {
1865 /* TODO: Check CRC before committing */
1866 sd
->state
= sd_programming_state
;
1867 for (i
= 0; i
< sizeof(sd
->cid
); i
++)
1868 if ((sd
->cid
[i
] | 0x00) != sd
->data
[i
])
1869 sd
->card_status
|= CID_CSD_OVERWRITE
;
1871 if (!(sd
->card_status
& CID_CSD_OVERWRITE
))
1872 for (i
= 0; i
< sizeof(sd
->cid
); i
++) {
1874 sd
->cid
[i
] &= sd
->data
[i
];
1876 /* Bzzzzzzztt .... Operation complete. */
1877 sd
->state
= sd_transfer_state
;
1881 case 27: /* CMD27: PROGRAM_CSD */
1882 sd
->data
[sd
->data_offset
++] = value
;
1883 if (sd
->data_offset
>= sizeof(sd
->csd
)) {
1884 /* TODO: Check CRC before committing */
1885 sd
->state
= sd_programming_state
;
1886 for (i
= 0; i
< sizeof(sd
->csd
); i
++)
1887 if ((sd
->csd
[i
] | sd_csd_rw_mask
[i
]) !=
1888 (sd
->data
[i
] | sd_csd_rw_mask
[i
]))
1889 sd
->card_status
|= CID_CSD_OVERWRITE
;
1891 /* Copy flag (OTP) & Permanent write protect */
1892 if (sd
->csd
[14] & ~sd
->data
[14] & 0x60)
1893 sd
->card_status
|= CID_CSD_OVERWRITE
;
1895 if (!(sd
->card_status
& CID_CSD_OVERWRITE
))
1896 for (i
= 0; i
< sizeof(sd
->csd
); i
++) {
1897 sd
->csd
[i
] |= sd_csd_rw_mask
[i
];
1898 sd
->csd
[i
] &= sd
->data
[i
];
1900 /* Bzzzzzzztt .... Operation complete. */
1901 sd
->state
= sd_transfer_state
;
1905 case 42: /* CMD42: LOCK_UNLOCK */
1906 sd
->data
[sd
->data_offset
++] = value
;
1907 if (sd
->data_offset
>= sd
->blk_len
) {
1908 /* TODO: Check CRC before committing */
1909 sd
->state
= sd_programming_state
;
1910 sd_lock_command(sd
);
1911 /* Bzzzzzzztt .... Operation complete. */
1912 sd
->state
= sd_transfer_state
;
1916 case 56: /* CMD56: GEN_CMD */
1917 sd
->data
[sd
->data_offset
++] = value
;
1918 if (sd
->data_offset
>= sd
->blk_len
) {
1919 APP_WRITE_BLOCK(sd
->data_start
, sd
->data_offset
);
1920 sd
->state
= sd_transfer_state
;
1925 qemu_log_mask(LOG_GUEST_ERROR
, "%s: unknown command\n", __func__
);
1930 #define SD_TUNING_BLOCK_SIZE 64
1932 static const uint8_t sd_tuning_block_pattern
[SD_TUNING_BLOCK_SIZE
] = {
1933 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1934 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1935 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1936 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1937 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1938 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1939 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1940 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1941 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1944 uint8_t sd_read_byte(SDState
*sd
)
1946 /* TODO: Append CRCs */
1950 if (!sd
->blk
|| !blk_is_inserted(sd
->blk
) || !sd
->enable
)
1953 if (sd
->state
!= sd_sendingdata_state
) {
1954 qemu_log_mask(LOG_GUEST_ERROR
,
1955 "%s: not in Sending-Data state\n", __func__
);
1959 if (sd
->card_status
& (ADDRESS_ERROR
| WP_VIOLATION
))
1962 io_len
= (sd
->ocr
& (1 << 30)) ? 512 : sd
->blk_len
;
1964 trace_sdcard_read_data(sd
->proto_name
,
1965 sd_acmd_name(sd
->current_cmd
),
1966 sd
->current_cmd
, io_len
);
1967 switch (sd
->current_cmd
) {
1968 case 6: /* CMD6: SWITCH_FUNCTION */
1969 ret
= sd
->data
[sd
->data_offset
++];
1971 if (sd
->data_offset
>= 64)
1972 sd
->state
= sd_transfer_state
;
1975 case 9: /* CMD9: SEND_CSD */
1976 case 10: /* CMD10: SEND_CID */
1977 ret
= sd
->data
[sd
->data_offset
++];
1979 if (sd
->data_offset
>= 16)
1980 sd
->state
= sd_transfer_state
;
1983 case 13: /* ACMD13: SD_STATUS */
1984 ret
= sd
->sd_status
[sd
->data_offset
++];
1986 if (sd
->data_offset
>= sizeof(sd
->sd_status
))
1987 sd
->state
= sd_transfer_state
;
1990 case 17: /* CMD17: READ_SINGLE_BLOCK */
1991 if (sd
->data_offset
== 0)
1992 BLK_READ_BLOCK(sd
->data_start
, io_len
);
1993 ret
= sd
->data
[sd
->data_offset
++];
1995 if (sd
->data_offset
>= io_len
)
1996 sd
->state
= sd_transfer_state
;
1999 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2000 if (sd
->data_offset
== 0) {
2001 if (sd
->data_start
+ io_len
> sd
->size
) {
2002 sd
->card_status
|= ADDRESS_ERROR
;
2005 BLK_READ_BLOCK(sd
->data_start
, io_len
);
2007 ret
= sd
->data
[sd
->data_offset
++];
2009 if (sd
->data_offset
>= io_len
) {
2010 sd
->data_start
+= io_len
;
2011 sd
->data_offset
= 0;
2013 if (sd
->multi_blk_cnt
!= 0) {
2014 if (--sd
->multi_blk_cnt
== 0) {
2016 sd
->state
= sd_transfer_state
;
2023 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2024 if (sd
->data_offset
>= SD_TUNING_BLOCK_SIZE
- 1) {
2025 sd
->state
= sd_transfer_state
;
2027 ret
= sd_tuning_block_pattern
[sd
->data_offset
++];
2030 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2031 ret
= sd
->data
[sd
->data_offset
++];
2033 if (sd
->data_offset
>= 4)
2034 sd
->state
= sd_transfer_state
;
2037 case 30: /* CMD30: SEND_WRITE_PROT */
2038 ret
= sd
->data
[sd
->data_offset
++];
2040 if (sd
->data_offset
>= 4)
2041 sd
->state
= sd_transfer_state
;
2044 case 51: /* ACMD51: SEND_SCR */
2045 ret
= sd
->scr
[sd
->data_offset
++];
2047 if (sd
->data_offset
>= sizeof(sd
->scr
))
2048 sd
->state
= sd_transfer_state
;
2051 case 56: /* CMD56: GEN_CMD */
2052 if (sd
->data_offset
== 0)
2053 APP_READ_BLOCK(sd
->data_start
, sd
->blk_len
);
2054 ret
= sd
->data
[sd
->data_offset
++];
2056 if (sd
->data_offset
>= sd
->blk_len
)
2057 sd
->state
= sd_transfer_state
;
2061 qemu_log_mask(LOG_GUEST_ERROR
, "%s: unknown command\n", __func__
);
2068 static bool sd_receive_ready(SDState
*sd
)
2070 return sd
->state
== sd_receivingdata_state
;
2073 static bool sd_data_ready(SDState
*sd
)
2075 return sd
->state
== sd_sendingdata_state
;
2078 void sd_enable(SDState
*sd
, bool enable
)
2080 sd
->enable
= enable
;
2083 static void sd_instance_init(Object
*obj
)
2085 SDState
*sd
= SD_CARD(obj
);
2088 sd
->ocr_power_timer
= timer_new_ns(QEMU_CLOCK_VIRTUAL
, sd_ocr_powerup
, sd
);
2091 static void sd_instance_finalize(Object
*obj
)
2093 SDState
*sd
= SD_CARD(obj
);
2095 timer_free(sd
->ocr_power_timer
);
2098 static void sd_realize(DeviceState
*dev
, Error
**errp
)
2100 SDState
*sd
= SD_CARD(dev
);
2103 sd
->proto_name
= sd
->spi
? "SPI" : "SD";
2105 switch (sd
->spec_version
) {
2106 case SD_PHY_SPECv1_10_VERS
2107 ... SD_PHY_SPECv3_01_VERS
:
2110 error_setg(errp
, "Invalid SD card Spec version: %u", sd
->spec_version
);
2117 if (!blk_supports_write_perm(sd
->blk
)) {
2118 error_setg(errp
, "Cannot use read-only drive as SD card");
2122 blk_size
= blk_getlength(sd
->blk
);
2123 if (blk_size
> 0 && !is_power_of_2(blk_size
)) {
2124 int64_t blk_size_aligned
= pow2ceil(blk_size
);
2127 blk_size_str
= size_to_str(blk_size
);
2128 error_setg(errp
, "Invalid SD card size: %s", blk_size_str
);
2129 g_free(blk_size_str
);
2131 blk_size_str
= size_to_str(blk_size_aligned
);
2132 error_append_hint(errp
,
2133 "SD card size has to be a power of 2, e.g. %s.\n"
2134 "You can resize disk images with"
2135 " 'qemu-img resize <imagefile> <new-size>'\n"
2136 "(note that this will lose data if you make the"
2137 " image smaller than it currently is).\n",
2139 g_free(blk_size_str
);
2144 ret
= blk_set_perm(sd
->blk
, BLK_PERM_CONSISTENT_READ
| BLK_PERM_WRITE
,
2145 BLK_PERM_ALL
, errp
);
2149 blk_set_dev_ops(sd
->blk
, &sd_block_ops
, sd
);
2153 static Property sd_properties
[] = {
2154 DEFINE_PROP_UINT8("spec_version", SDState
,
2155 spec_version
, SD_PHY_SPECv2_00_VERS
),
2156 DEFINE_PROP_DRIVE("drive", SDState
, blk
),
2157 /* We do not model the chip select pin, so allow the board to select
2158 * whether card should be in SSI or MMC/SD mode. It is also up to the
2159 * board to ensure that ssi transfers only occur when the chip select
2161 DEFINE_PROP_BOOL("spi", SDState
, spi
, false),
2162 DEFINE_PROP_END_OF_LIST()
2165 static void sd_class_init(ObjectClass
*klass
, void *data
)
2167 DeviceClass
*dc
= DEVICE_CLASS(klass
);
2168 SDCardClass
*sc
= SD_CARD_CLASS(klass
);
2170 dc
->realize
= sd_realize
;
2171 device_class_set_props(dc
, sd_properties
);
2172 dc
->vmsd
= &sd_vmstate
;
2173 dc
->reset
= sd_reset
;
2174 dc
->bus_type
= TYPE_SD_BUS
;
2175 set_bit(DEVICE_CATEGORY_STORAGE
, dc
->categories
);
2177 sc
->set_voltage
= sd_set_voltage
;
2178 sc
->get_dat_lines
= sd_get_dat_lines
;
2179 sc
->get_cmd_line
= sd_get_cmd_line
;
2180 sc
->do_command
= sd_do_command
;
2181 sc
->write_byte
= sd_write_byte
;
2182 sc
->read_byte
= sd_read_byte
;
2183 sc
->receive_ready
= sd_receive_ready
;
2184 sc
->data_ready
= sd_data_ready
;
2185 sc
->enable
= sd_enable
;
2186 sc
->get_inserted
= sd_get_inserted
;
2187 sc
->get_readonly
= sd_get_readonly
;
2190 static const TypeInfo sd_info
= {
2191 .name
= TYPE_SD_CARD
,
2192 .parent
= TYPE_DEVICE
,
2193 .instance_size
= sizeof(SDState
),
2194 .class_size
= sizeof(SDCardClass
),
2195 .class_init
= sd_class_init
,
2196 .instance_init
= sd_instance_init
,
2197 .instance_finalize
= sd_instance_finalize
,
2200 static void sd_register_types(void)
2202 type_register_static(&sd_info
);
2205 type_init(sd_register_types
)