search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
sdcard: Don't always set the high capacity bit
[qemu/kevin.git] / hw / sd / sd.c
blobcc347ff782af0b190c1cf71e9236f91588f0db2c
1 /*
2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 1.10."
4 *
5 * Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6 * Copyright (c) 2007 CodeSourcery
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #include "qemu/osdep.h"
33 #include "hw/qdev.h"
34 #include "hw/hw.h"
35 #include "hw/registerfields.h"
36 #include "sysemu/block-backend.h"
37 #include "hw/sd/sd.h"
38 #include "qapi/error.h"
39 #include "qemu/bitmap.h"
40 #include "qemu/cutils.h"
41 #include "hw/qdev-properties.h"
42 #include "qemu/error-report.h"
43 #include "qemu/timer.h"
44 #include "qemu/log.h"
45 #include "sdmmc-internal.h"
46 #include "trace.h"
47
48 //#define DEBUG_SD 1
49
50 #define ACMD41_ENQUIRY_MASK 0x00ffffff
51
52 typedef enum {
53 sd_r0 = 0, /* no response */
54 sd_r1, /* normal response command */
55 sd_r2_i, /* CID register */
56 sd_r2_s, /* CSD register */
57 sd_r3, /* OCR register */
58 sd_r6 = 6, /* Published RCA response */
59 sd_r7, /* Operating voltage */
60 sd_r1b = -1,
61 sd_illegal = -2,
62 } sd_rsp_type_t;
63
64 enum SDCardModes {
65 sd_inactive,
66 sd_card_identification_mode,
67 sd_data_transfer_mode,
68 };
69
70 enum SDCardStates {
71 sd_inactive_state = -1,
72 sd_idle_state = 0,
73 sd_ready_state,
74 sd_identification_state,
75 sd_standby_state,
76 sd_transfer_state,
77 sd_sendingdata_state,
78 sd_receivingdata_state,
79 sd_programming_state,
80 sd_disconnect_state,
81 };
82
83 struct SDState {
84 DeviceState parent_obj;
85
86 /* SD Memory Card Registers */
87 uint32_t ocr;
88 uint8_t scr[8];
89 uint8_t cid[16];
90 uint8_t csd[16];
91 uint16_t rca;
92 uint32_t card_status;
93 uint8_t sd_status[64];
94
95 /* Configurable properties */
96 BlockBackend *blk;
97 bool spi;
98
99 uint32_t mode; /* current card mode, one of SDCardModes */
100 int32_t state; /* current card state, one of SDCardStates */
101 uint32_t vhs;
102 bool wp_switch;
103 unsigned long *wp_groups;
104 int32_t wpgrps_size;
105 uint64_t size;
106 uint32_t blk_len;
107 uint32_t multi_blk_cnt;
108 uint32_t erase_start;
109 uint32_t erase_end;
110 uint8_t pwd[16];
111 uint32_t pwd_len;
112 uint8_t function_group[6];
113 uint8_t current_cmd;
114 /* True if we will handle the next command as an ACMD. Note that this does
115 * *not* track the APP_CMD status bit!
116 */
117 bool expecting_acmd;
118 uint32_t blk_written;
119 uint64_t data_start;
120 uint32_t data_offset;
121 uint8_t data[512];
122 qemu_irq readonly_cb;
123 qemu_irq inserted_cb;
124 QEMUTimer *ocr_power_timer;
125 bool enable;
126 uint8_t dat_lines;
127 bool cmd_line;
128 };
129
130 static const char *sd_state_name(enum SDCardStates state)
131 {
132 static const char *state_name[] = {
133 [sd_idle_state] = "idle",
134 [sd_ready_state] = "ready",
135 [sd_identification_state] = "identification",
136 [sd_standby_state] = "standby",
137 [sd_transfer_state] = "transfer",
138 [sd_sendingdata_state] = "sendingdata",
139 [sd_receivingdata_state] = "receivingdata",
140 [sd_programming_state] = "programming",
141 [sd_disconnect_state] = "disconnect",
142 };
143 if (state == sd_inactive_state) {
144 return "inactive";
145 }
146 assert(state <= ARRAY_SIZE(state_name));
147 return state_name[state];
148 }
149
150 static const char *sd_response_name(sd_rsp_type_t rsp)
151 {
152 static const char *response_name[] = {
153 [sd_r0] = "RESP#0 (no response)",
154 [sd_r1] = "RESP#1 (normal cmd)",
155 [sd_r2_i] = "RESP#2 (CID reg)",
156 [sd_r2_s] = "RESP#2 (CSD reg)",
157 [sd_r3] = "RESP#3 (OCR reg)",
158 [sd_r6] = "RESP#6 (RCA)",
159 [sd_r7] = "RESP#7 (operating voltage)",
160 };
161 if (rsp == sd_illegal) {
162 return "ILLEGAL RESP";
163 }
164 if (rsp == sd_r1b) {
165 rsp = sd_r1;
166 }
167 assert(rsp <= ARRAY_SIZE(response_name));
168 return response_name[rsp];
169 }
170
171 static uint8_t sd_get_dat_lines(SDState *sd)
172 {
173 return sd->enable ? sd->dat_lines : 0;
174 }
175
176 static bool sd_get_cmd_line(SDState *sd)
177 {
178 return sd->enable ? sd->cmd_line : false;
179 }
180
181 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
182 {
183 trace_sdcard_set_voltage(millivolts);
184
185 switch (millivolts) {
186 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
187 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
188 break;
189 default:
190 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
191 millivolts / 1000.f);
192 }
193 }
194
195 static void sd_set_mode(SDState *sd)
196 {
197 switch (sd->state) {
198 case sd_inactive_state:
199 sd->mode = sd_inactive;
200 break;
201
202 case sd_idle_state:
203 case sd_ready_state:
204 case sd_identification_state:
205 sd->mode = sd_card_identification_mode;
206 break;
207
208 case sd_standby_state:
209 case sd_transfer_state:
210 case sd_sendingdata_state:
211 case sd_receivingdata_state:
212 case sd_programming_state:
213 case sd_disconnect_state:
214 sd->mode = sd_data_transfer_mode;
215 break;
216 }
217 }
218
219 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
220 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
221 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
222 /* 16 */
223 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
224 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
225 /* 32 */
226 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
227 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
228 /* 48 */
229 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
230 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
231 };
232
233 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
234 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
235 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
236 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
237 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
238 };
239
240 static uint8_t sd_crc7(void *message, size_t width)
241 {
242 int i, bit;
243 uint8_t shift_reg = 0x00;
244 uint8_t *msg = (uint8_t *) message;
245
246 for (i = 0; i < width; i ++, msg ++)
247 for (bit = 7; bit >= 0; bit --) {
248 shift_reg <<= 1;
249 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
250 shift_reg ^= 0x89;
251 }
252
253 return shift_reg;
254 }
255
256 static uint16_t sd_crc16(void *message, size_t width)
257 {
258 int i, bit;
259 uint16_t shift_reg = 0x0000;
260 uint16_t *msg = (uint16_t *) message;
261 width <<= 1;
262
263 for (i = 0; i < width; i ++, msg ++)
264 for (bit = 15; bit >= 0; bit --) {
265 shift_reg <<= 1;
266 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
267 shift_reg ^= 0x1011;
268 }
269
270 return shift_reg;
271 }
272
273 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
274
275 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
276 FIELD(OCR, CARD_POWER_UP, 31, 1)
277
278 static void sd_set_ocr(SDState *sd)
279 {
280 /* All voltages OK, Standard Capacity SD Memory Card, not yet powered up */
281 sd->ocr = 0x00ffff00;
282 }
283
284 static void sd_ocr_powerup(void *opaque)
285 {
286 SDState *sd = opaque;
287
288 trace_sdcard_powerup();
289 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
290
291 /* card power-up OK */
292 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
293
294 if (sd->size > 1 * G_BYTE) {
295 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
296 }
297 }
298
299 static void sd_set_scr(SDState *sd)
300 {
301 sd->scr[0] = 0x00; /* SCR Structure */
302 sd->scr[1] = 0x2f; /* SD Security Support */
303 sd->scr[2] = 0x00;
304 sd->scr[3] = 0x00;
305 sd->scr[4] = 0x00;
306 sd->scr[5] = 0x00;
307 sd->scr[6] = 0x00;
308 sd->scr[7] = 0x00;
309 }
310
311 #define MID 0xaa
312 #define OID "XY"
313 #define PNM "QEMU!"
314 #define PRV 0x01
315 #define MDT_YR 2006
316 #define MDT_MON 2
317
318 static void sd_set_cid(SDState *sd)
319 {
320 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
321 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
322 sd->cid[2] = OID[1];
323 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
324 sd->cid[4] = PNM[1];
325 sd->cid[5] = PNM[2];
326 sd->cid[6] = PNM[3];
327 sd->cid[7] = PNM[4];
328 sd->cid[8] = PRV; /* Fake product revision (PRV) */
329 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
330 sd->cid[10] = 0xad;
331 sd->cid[11] = 0xbe;
332 sd->cid[12] = 0xef;
333 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
334 ((MDT_YR - 2000) / 10);
335 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
336 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
337 }
338
339 #define HWBLOCK_SHIFT 9 /* 512 bytes */
340 #define SECTOR_SHIFT 5 /* 16 kilobytes */
341 #define WPGROUP_SHIFT 7 /* 2 megs */
342 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
343 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
344
345 static const uint8_t sd_csd_rw_mask[16] = {
346 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
347 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
348 };
349
350 static void sd_set_csd(SDState *sd, uint64_t size)
351 {
352 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
353 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
354 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
355
356 if (size <= 1 * G_BYTE) { /* Standard Capacity SD */
357 sd->csd[0] = 0x00; /* CSD structure */
358 sd->csd[1] = 0x26; /* Data read access-time-1 */
359 sd->csd[2] = 0x00; /* Data read access-time-2 */
360 sd->csd[3] = 0x5a; /* Max. data transfer rate */
361 sd->csd[4] = 0x5f; /* Card Command Classes */
362 sd->csd[5] = 0x50 | /* Max. read data block length */
363 HWBLOCK_SHIFT;
364 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
365 ((csize >> 10) & 0x03);
366 sd->csd[7] = 0x00 | /* Device size */
367 ((csize >> 2) & 0xff);
368 sd->csd[8] = 0x3f | /* Max. read current */
369 ((csize << 6) & 0xc0);
370 sd->csd[9] = 0xfc | /* Max. write current */
371 ((CMULT_SHIFT - 2) >> 1);
372 sd->csd[10] = 0x40 | /* Erase sector size */
373 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
374 sd->csd[11] = 0x00 | /* Write protect group size */
375 ((sectsize << 7) & 0x80) | wpsize;
376 sd->csd[12] = 0x90 | /* Write speed factor */
377 (HWBLOCK_SHIFT >> 2);
378 sd->csd[13] = 0x20 | /* Max. write data block length */
379 ((HWBLOCK_SHIFT << 6) & 0xc0);
380 sd->csd[14] = 0x00; /* File format group */
381 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
382 } else { /* SDHC */
383 size /= 512 * 1024;
384 size -= 1;
385 sd->csd[0] = 0x40;
386 sd->csd[1] = 0x0e;
387 sd->csd[2] = 0x00;
388 sd->csd[3] = 0x32;
389 sd->csd[4] = 0x5b;
390 sd->csd[5] = 0x59;
391 sd->csd[6] = 0x00;
392 sd->csd[7] = (size >> 16) & 0xff;
393 sd->csd[8] = (size >> 8) & 0xff;
394 sd->csd[9] = (size & 0xff);
395 sd->csd[10] = 0x7f;
396 sd->csd[11] = 0x80;
397 sd->csd[12] = 0x0a;
398 sd->csd[13] = 0x40;
399 sd->csd[14] = 0x00;
400 sd->csd[15] = 0x00;
401 }
402 }
403
404 static void sd_set_rca(SDState *sd)
405 {
406 sd->rca += 0x4567;
407 }
408
409 /* Card status bits, split by clear condition:
410 * A : According to the card current state
411 * B : Always related to the previous command
412 * C : Cleared by read
413 */
414 #define CARD_STATUS_A 0x02004100
415 #define CARD_STATUS_B 0x00c01e00
416 #define CARD_STATUS_C 0xfd39a028
417
418 static void sd_set_cardstatus(SDState *sd)
419 {
420 sd->card_status = 0x00000100;
421 }
422
423 static void sd_set_sdstatus(SDState *sd)
424 {
425 memset(sd->sd_status, 0, 64);
426 }
427
428 static int sd_req_crc_validate(SDRequest *req)
429 {
430 uint8_t buffer[5];
431 buffer[0] = 0x40 | req->cmd;
432 buffer[1] = (req->arg >> 24) & 0xff;
433 buffer[2] = (req->arg >> 16) & 0xff;
434 buffer[3] = (req->arg >> 8) & 0xff;
435 buffer[4] = (req->arg >> 0) & 0xff;
436 return 0;
437 return sd_crc7(buffer, 5) != req->crc; /* TODO */
438 }
439
440 static void sd_response_r1_make(SDState *sd, uint8_t *response)
441 {
442 uint32_t status = sd->card_status;
443 /* Clear the "clear on read" status bits */
444 sd->card_status &= ~CARD_STATUS_C;
445
446 response[0] = (status >> 24) & 0xff;
447 response[1] = (status >> 16) & 0xff;
448 response[2] = (status >> 8) & 0xff;
449 response[3] = (status >> 0) & 0xff;
450 }
451
452 static void sd_response_r3_make(SDState *sd, uint8_t *response)
453 {
454 response[0] = (sd->ocr >> 24) & 0xff;
455 response[1] = (sd->ocr >> 16) & 0xff;
456 response[2] = (sd->ocr >> 8) & 0xff;
457 response[3] = (sd->ocr >> 0) & 0xff;
458 }
459
460 static void sd_response_r6_make(SDState *sd, uint8_t *response)
461 {
462 uint16_t arg;
463 uint16_t status;
464
465 arg = sd->rca;
466 status = ((sd->card_status >> 8) & 0xc000) |
467 ((sd->card_status >> 6) & 0x2000) |
468 (sd->card_status & 0x1fff);
469 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
470
471 response[0] = (arg >> 8) & 0xff;
472 response[1] = arg & 0xff;
473 response[2] = (status >> 8) & 0xff;
474 response[3] = status & 0xff;
475 }
476
477 static void sd_response_r7_make(SDState *sd, uint8_t *response)
478 {
479 response[0] = (sd->vhs >> 24) & 0xff;
480 response[1] = (sd->vhs >> 16) & 0xff;
481 response[2] = (sd->vhs >> 8) & 0xff;
482 response[3] = (sd->vhs >> 0) & 0xff;
483 }
484
485 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
486 {
487 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
488 }
489
490 static void sd_reset(DeviceState *dev)
491 {
492 SDState *sd = SD_CARD(dev);
493 uint64_t size;
494 uint64_t sect;
495
496 trace_sdcard_reset();
497 if (sd->blk) {
498 blk_get_geometry(sd->blk, &sect);
499 } else {
500 sect = 0;
501 }
502 size = sect << 9;
503
504 sect = sd_addr_to_wpnum(size) + 1;
505
506 sd->state = sd_idle_state;
507 sd->rca = 0x0000;
508 sd_set_ocr(sd);
509 sd_set_scr(sd);
510 sd_set_cid(sd);
511 sd_set_csd(sd, size);
512 sd_set_cardstatus(sd);
513 sd_set_sdstatus(sd);
514
515 g_free(sd->wp_groups);
516 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
517 sd->wpgrps_size = sect;
518 sd->wp_groups = bitmap_new(sd->wpgrps_size);
519 memset(sd->function_group, 0, sizeof(sd->function_group));
520 sd->erase_start = 0;
521 sd->erase_end = 0;
522 sd->size = size;
523 sd->blk_len = 0x200;
524 sd->pwd_len = 0;
525 sd->expecting_acmd = false;
526 sd->dat_lines = 0xf;
527 sd->cmd_line = true;
528 sd->multi_blk_cnt = 0;
529 }
530
531 static bool sd_get_inserted(SDState *sd)
532 {
533 return sd->blk && blk_is_inserted(sd->blk);
534 }
535
536 static bool sd_get_readonly(SDState *sd)
537 {
538 return sd->wp_switch;
539 }
540
541 static void sd_cardchange(void *opaque, bool load, Error **errp)
542 {
543 SDState *sd = opaque;
544 DeviceState *dev = DEVICE(sd);
545 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev));
546 bool inserted = sd_get_inserted(sd);
547 bool readonly = sd_get_readonly(sd);
548
549 if (inserted) {
550 trace_sdcard_inserted(readonly);
551 sd_reset(dev);
552 } else {
553 trace_sdcard_ejected();
554 }
555
556 /* The IRQ notification is for legacy non-QOM SD controller devices;
557 * QOMified controllers use the SDBus APIs.
558 */
559 if (sdbus) {
560 sdbus_set_inserted(sdbus, inserted);
561 if (inserted) {
562 sdbus_set_readonly(sdbus, readonly);
563 }
564 } else {
565 qemu_set_irq(sd->inserted_cb, inserted);
566 if (inserted) {
567 qemu_set_irq(sd->readonly_cb, readonly);
568 }
569 }
570 }
571
572 static const BlockDevOps sd_block_ops = {
573 .change_media_cb = sd_cardchange,
574 };
575
576 static bool sd_ocr_vmstate_needed(void *opaque)
577 {
578 SDState *sd = opaque;
579
580 /* Include the OCR state (and timer) if it is not yet powered up */
581 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
582 }
583
584 static const VMStateDescription sd_ocr_vmstate = {
585 .name = "sd-card/ocr-state",
586 .version_id = 1,
587 .minimum_version_id = 1,
588 .needed = sd_ocr_vmstate_needed,
589 .fields = (VMStateField[]) {
590 VMSTATE_UINT32(ocr, SDState),
591 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
592 VMSTATE_END_OF_LIST()
593 },
594 };
595
596 static int sd_vmstate_pre_load(void *opaque)
597 {
598 SDState *sd = opaque;
599
600 /* If the OCR state is not included (prior versions, or not
601 * needed), then the OCR must be set as powered up. If the OCR state
602 * is included, this will be replaced by the state restore.
603 */
604 sd_ocr_powerup(sd);
605
606 return 0;
607 }
608
609 static const VMStateDescription sd_vmstate = {
610 .name = "sd-card",
611 .version_id = 1,
612 .minimum_version_id = 1,
613 .pre_load = sd_vmstate_pre_load,
614 .fields = (VMStateField[]) {
615 VMSTATE_UINT32(mode, SDState),
616 VMSTATE_INT32(state, SDState),
617 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
618 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
619 VMSTATE_UINT16(rca, SDState),
620 VMSTATE_UINT32(card_status, SDState),
621 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
622 VMSTATE_UINT32(vhs, SDState),
623 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
624 VMSTATE_UINT32(blk_len, SDState),
625 VMSTATE_UINT32(multi_blk_cnt, SDState),
626 VMSTATE_UINT32(erase_start, SDState),
627 VMSTATE_UINT32(erase_end, SDState),
628 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
629 VMSTATE_UINT32(pwd_len, SDState),
630 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
631 VMSTATE_UINT8(current_cmd, SDState),
632 VMSTATE_BOOL(expecting_acmd, SDState),
633 VMSTATE_UINT32(blk_written, SDState),
634 VMSTATE_UINT64(data_start, SDState),
635 VMSTATE_UINT32(data_offset, SDState),
636 VMSTATE_UINT8_ARRAY(data, SDState, 512),
637 VMSTATE_UNUSED_V(1, 512),
638 VMSTATE_BOOL(enable, SDState),
639 VMSTATE_END_OF_LIST()
640 },
641 .subsections = (const VMStateDescription*[]) {
642 &sd_ocr_vmstate,
643 NULL
644 },
645 };
646
647 /* Legacy initialization function for use by non-qdevified callers */
648 SDState *sd_init(BlockBackend *blk, bool is_spi)
649 {
650 Object *obj;
651 DeviceState *dev;
652 Error *err = NULL;
653
654 obj = object_new(TYPE_SD_CARD);
655 dev = DEVICE(obj);
656 qdev_prop_set_drive(dev, "drive", blk, &err);
657 if (err) {
658 error_report("sd_init failed: %s", error_get_pretty(err));
659 return NULL;
660 }
661 qdev_prop_set_bit(dev, "spi", is_spi);
662 object_property_set_bool(obj, true, "realized", &err);
663 if (err) {
664 error_report("sd_init failed: %s", error_get_pretty(err));
665 return NULL;
666 }
667
668 return SD_CARD(dev);
669 }
670
671 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
672 {
673 sd->readonly_cb = readonly;
674 sd->inserted_cb = insert;
675 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
676 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
677 }
678
679 static void sd_erase(SDState *sd)
680 {
681 int i;
682 uint64_t erase_start = sd->erase_start;
683 uint64_t erase_end = sd->erase_end;
684
685 trace_sdcard_erase();
686 if (!sd->erase_start || !sd->erase_end) {
687 sd->card_status |= ERASE_SEQ_ERROR;
688 return;
689 }
690
691 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
692 /* High capacity memory card: erase units are 512 byte blocks */
693 erase_start *= 512;
694 erase_end *= 512;
695 }
696
697 erase_start = sd_addr_to_wpnum(erase_start);
698 erase_end = sd_addr_to_wpnum(erase_end);
699 sd->erase_start = 0;
700 sd->erase_end = 0;
701 sd->csd[14] |= 0x40;
702
703 for (i = erase_start; i <= erase_end; i++) {
704 if (test_bit(i, sd->wp_groups)) {
705 sd->card_status |= WP_ERASE_SKIP;
706 }
707 }
708 }
709
710 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
711 {
712 uint32_t i, wpnum;
713 uint32_t ret = 0;
714
715 wpnum = sd_addr_to_wpnum(addr);
716
717 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
718 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
719 ret |= (1 << i);
720 }
721 }
722
723 return ret;
724 }
725
726 static void sd_function_switch(SDState *sd, uint32_t arg)
727 {
728 int i, mode, new_func, crc;
729 mode = !!(arg & 0x80000000);
730
731 sd->data[0] = 0x00; /* Maximum current consumption */
732 sd->data[1] = 0x01;
733 sd->data[2] = 0x80; /* Supported group 6 functions */
734 sd->data[3] = 0x01;
735 sd->data[4] = 0x80; /* Supported group 5 functions */
736 sd->data[5] = 0x01;
737 sd->data[6] = 0x80; /* Supported group 4 functions */
738 sd->data[7] = 0x01;
739 sd->data[8] = 0x80; /* Supported group 3 functions */
740 sd->data[9] = 0x01;
741 sd->data[10] = 0x80; /* Supported group 2 functions */
742 sd->data[11] = 0x43;
743 sd->data[12] = 0x80; /* Supported group 1 functions */
744 sd->data[13] = 0x03;
745 for (i = 0; i < 6; i ++) {
746 new_func = (arg >> (i * 4)) & 0x0f;
747 if (mode && new_func != 0x0f)
748 sd->function_group[i] = new_func;
749 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
750 }
751 memset(&sd->data[17], 0, 47);
752 crc = sd_crc16(sd->data, 64);
753 sd->data[65] = crc >> 8;
754 sd->data[66] = crc & 0xff;
755 }
756
757 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
758 {
759 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
760 }
761
762 static void sd_lock_command(SDState *sd)
763 {
764 int erase, lock, clr_pwd, set_pwd, pwd_len;
765 erase = !!(sd->data[0] & 0x08);
766 lock = sd->data[0] & 0x04;
767 clr_pwd = sd->data[0] & 0x02;
768 set_pwd = sd->data[0] & 0x01;
769
770 if (sd->blk_len > 1)
771 pwd_len = sd->data[1];
772 else
773 pwd_len = 0;
774
775 if (lock) {
776 trace_sdcard_lock();
777 } else {
778 trace_sdcard_unlock();
779 }
780 if (erase) {
781 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
782 set_pwd || clr_pwd || lock || sd->wp_switch ||
783 (sd->csd[14] & 0x20)) {
784 sd->card_status |= LOCK_UNLOCK_FAILED;
785 return;
786 }
787 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
788 sd->csd[14] &= ~0x10;
789 sd->card_status &= ~CARD_IS_LOCKED;
790 sd->pwd_len = 0;
791 /* Erasing the entire card here! */
792 fprintf(stderr, "SD: Card force-erased by CMD42\n");
793 return;
794 }
795
796 if (sd->blk_len < 2 + pwd_len ||
797 pwd_len <= sd->pwd_len ||
798 pwd_len > sd->pwd_len + 16) {
799 sd->card_status |= LOCK_UNLOCK_FAILED;
800 return;
801 }
802
803 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
804 sd->card_status |= LOCK_UNLOCK_FAILED;
805 return;
806 }
807
808 pwd_len -= sd->pwd_len;
809 if ((pwd_len && !set_pwd) ||
810 (clr_pwd && (set_pwd || lock)) ||
811 (lock && !sd->pwd_len && !set_pwd) ||
812 (!set_pwd && !clr_pwd &&
813 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
814 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
815 sd->card_status |= LOCK_UNLOCK_FAILED;
816 return;
817 }
818
819 if (set_pwd) {
820 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
821 sd->pwd_len = pwd_len;
822 }
823
824 if (clr_pwd) {
825 sd->pwd_len = 0;
826 }
827
828 if (lock)
829 sd->card_status |= CARD_IS_LOCKED;
830 else
831 sd->card_status &= ~CARD_IS_LOCKED;
832 }
833
834 static sd_rsp_type_t sd_normal_command(SDState *sd,
835 SDRequest req)
836 {
837 uint32_t rca = 0x0000;
838 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
839
840 trace_sdcard_normal_command(req.cmd, req.arg, sd_state_name(sd->state));
841
842 /* Not interpreting this as an app command */
843 sd->card_status &= ~APP_CMD;
844
845 if (sd_cmd_type[req.cmd] == sd_ac
846 || sd_cmd_type[req.cmd] == sd_adtc) {
847 rca = req.arg >> 16;
848 }
849
850 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
851 * if not, its effects are cancelled */
852 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
853 sd->multi_blk_cnt = 0;
854 }
855
856 switch (req.cmd) {
857 /* Basic commands (Class 0 and Class 1) */
858 case 0: /* CMD0: GO_IDLE_STATE */
859 switch (sd->state) {
860 case sd_inactive_state:
861 return sd->spi ? sd_r1 : sd_r0;
862
863 default:
864 sd->state = sd_idle_state;
865 sd_reset(DEVICE(sd));
866 return sd->spi ? sd_r1 : sd_r0;
867 }
868 break;
869
870 case 1: /* CMD1: SEND_OP_CMD */
871 if (!sd->spi)
872 goto bad_cmd;
873
874 sd->state = sd_transfer_state;
875 return sd_r1;
876
877 case 2: /* CMD2: ALL_SEND_CID */
878 if (sd->spi)
879 goto bad_cmd;
880 switch (sd->state) {
881 case sd_ready_state:
882 sd->state = sd_identification_state;
883 return sd_r2_i;
884
885 default:
886 break;
887 }
888 break;
889
890 case 3: /* CMD3: SEND_RELATIVE_ADDR */
891 if (sd->spi)
892 goto bad_cmd;
893 switch (sd->state) {
894 case sd_identification_state:
895 case sd_standby_state:
896 sd->state = sd_standby_state;
897 sd_set_rca(sd);
898 return sd_r6;
899
900 default:
901 break;
902 }
903 break;
904
905 case 4: /* CMD4: SEND_DSR */
906 if (sd->spi)
907 goto bad_cmd;
908 switch (sd->state) {
909 case sd_standby_state:
910 break;
911
912 default:
913 break;
914 }
915 break;
916
917 case 5: /* CMD5: reserved for SDIO cards */
918 return sd_illegal;
919
920 case 6: /* CMD6: SWITCH_FUNCTION */
921 if (sd->spi)
922 goto bad_cmd;
923 switch (sd->mode) {
924 case sd_data_transfer_mode:
925 sd_function_switch(sd, req.arg);
926 sd->state = sd_sendingdata_state;
927 sd->data_start = 0;
928 sd->data_offset = 0;
929 return sd_r1;
930
931 default:
932 break;
933 }
934 break;
935
936 case 7: /* CMD7: SELECT/DESELECT_CARD */
937 if (sd->spi)
938 goto bad_cmd;
939 switch (sd->state) {
940 case sd_standby_state:
941 if (sd->rca != rca)
942 return sd_r0;
943
944 sd->state = sd_transfer_state;
945 return sd_r1b;
946
947 case sd_transfer_state:
948 case sd_sendingdata_state:
949 if (sd->rca == rca)
950 break;
951
952 sd->state = sd_standby_state;
953 return sd_r1b;
954
955 case sd_disconnect_state:
956 if (sd->rca != rca)
957 return sd_r0;
958
959 sd->state = sd_programming_state;
960 return sd_r1b;
961
962 case sd_programming_state:
963 if (sd->rca == rca)
964 break;
965
966 sd->state = sd_disconnect_state;
967 return sd_r1b;
968
969 default:
970 break;
971 }
972 break;
973
974 case 8: /* CMD8: SEND_IF_COND */
975 /* Physical Layer Specification Version 2.00 command */
976 switch (sd->state) {
977 case sd_idle_state:
978 sd->vhs = 0;
979
980 /* No response if not exactly one VHS bit is set. */
981 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
982 return sd->spi ? sd_r7 : sd_r0;
983 }
984
985 /* Accept. */
986 sd->vhs = req.arg;
987 return sd_r7;
988
989 default:
990 break;
991 }
992 break;
993
994 case 9: /* CMD9: SEND_CSD */
995 switch (sd->state) {
996 case sd_standby_state:
997 if (sd->rca != rca)
998 return sd_r0;
999
1000 return sd_r2_s;
1001
1002 case sd_transfer_state:
1003 if (!sd->spi)
1004 break;
1005 sd->state = sd_sendingdata_state;
1006 memcpy(sd->data, sd->csd, 16);
1007 sd->data_start = addr;
1008 sd->data_offset = 0;
1009 return sd_r1;
1010
1011 default:
1012 break;
1013 }
1014 break;
1015
1016 case 10: /* CMD10: SEND_CID */
1017 switch (sd->state) {
1018 case sd_standby_state:
1019 if (sd->rca != rca)
1020 return sd_r0;
1021
1022 return sd_r2_i;
1023
1024 case sd_transfer_state:
1025 if (!sd->spi)
1026 break;
1027 sd->state = sd_sendingdata_state;
1028 memcpy(sd->data, sd->cid, 16);
1029 sd->data_start = addr;
1030 sd->data_offset = 0;
1031 return sd_r1;
1032
1033 default:
1034 break;
1035 }
1036 break;
1037
1038 case 11: /* CMD11: READ_DAT_UNTIL_STOP */
1039 if (sd->spi)
1040 goto bad_cmd;
1041 switch (sd->state) {
1042 case sd_transfer_state:
1043 sd->state = sd_sendingdata_state;
1044 sd->data_start = req.arg;
1045 sd->data_offset = 0;
1046
1047 if (sd->data_start + sd->blk_len > sd->size)
1048 sd->card_status |= ADDRESS_ERROR;
1049 return sd_r0;
1050
1051 default:
1052 break;
1053 }
1054 break;
1055
1056 case 12: /* CMD12: STOP_TRANSMISSION */
1057 switch (sd->state) {
1058 case sd_sendingdata_state:
1059 sd->state = sd_transfer_state;
1060 return sd_r1b;
1061
1062 case sd_receivingdata_state:
1063 sd->state = sd_programming_state;
1064 /* Bzzzzzzztt .... Operation complete. */
1065 sd->state = sd_transfer_state;
1066 return sd_r1b;
1067
1068 default:
1069 break;
1070 }
1071 break;
1072
1073 case 13: /* CMD13: SEND_STATUS */
1074 switch (sd->mode) {
1075 case sd_data_transfer_mode:
1076 if (sd->rca != rca)
1077 return sd_r0;
1078
1079 return sd_r1;
1080
1081 default:
1082 break;
1083 }
1084 break;
1085
1086 case 15: /* CMD15: GO_INACTIVE_STATE */
1087 if (sd->spi)
1088 goto bad_cmd;
1089 switch (sd->mode) {
1090 case sd_data_transfer_mode:
1091 if (sd->rca != rca)
1092 return sd_r0;
1093
1094 sd->state = sd_inactive_state;
1095 return sd_r0;
1096
1097 default:
1098 break;
1099 }
1100 break;
1101
1102 /* Block read commands (Classs 2) */
1103 case 16: /* CMD16: SET_BLOCKLEN */
1104 switch (sd->state) {
1105 case sd_transfer_state:
1106 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1107 sd->card_status |= BLOCK_LEN_ERROR;
1108 } else {
1109 trace_sdcard_set_blocklen(req.arg);
1110 sd->blk_len = req.arg;
1111 }
1112
1113 return sd_r1;
1114
1115 default:
1116 break;
1117 }
1118 break;
1119
1120 case 17: /* CMD17: READ_SINGLE_BLOCK */
1121 switch (sd->state) {
1122 case sd_transfer_state:
1123 sd->state = sd_sendingdata_state;
1124 sd->data_start = addr;
1125 sd->data_offset = 0;
1126
1127 if (sd->data_start + sd->blk_len > sd->size)
1128 sd->card_status |= ADDRESS_ERROR;
1129 return sd_r1;
1130
1131 default:
1132 break;
1133 }
1134 break;
1135
1136 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1137 switch (sd->state) {
1138 case sd_transfer_state:
1139 sd->state = sd_sendingdata_state;
1140 sd->data_start = addr;
1141 sd->data_offset = 0;
1142
1143 if (sd->data_start + sd->blk_len > sd->size)
1144 sd->card_status |= ADDRESS_ERROR;
1145 return sd_r1;
1146
1147 default:
1148 break;
1149 }
1150 break;
1151
1152 case 23: /* CMD23: SET_BLOCK_COUNT */
1153 switch (sd->state) {
1154 case sd_transfer_state:
1155 sd->multi_blk_cnt = req.arg;
1156 return sd_r1;
1157
1158 default:
1159 break;
1160 }
1161 break;
1162
1163 /* Block write commands (Class 4) */
1164 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1165 if (sd->spi)
1166 goto unimplemented_cmd;
1167 switch (sd->state) {
1168 case sd_transfer_state:
1169 /* Writing in SPI mode not implemented. */
1170 if (sd->spi)
1171 break;
1172 sd->state = sd_receivingdata_state;
1173 sd->data_start = addr;
1174 sd->data_offset = 0;
1175 sd->blk_written = 0;
1176
1177 if (sd->data_start + sd->blk_len > sd->size)
1178 sd->card_status |= ADDRESS_ERROR;
1179 if (sd_wp_addr(sd, sd->data_start))
1180 sd->card_status |= WP_VIOLATION;
1181 if (sd->csd[14] & 0x30)
1182 sd->card_status |= WP_VIOLATION;
1183 return sd_r1;
1184
1185 default:
1186 break;
1187 }
1188 break;
1189
1190 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1191 if (sd->spi)
1192 goto unimplemented_cmd;
1193 switch (sd->state) {
1194 case sd_transfer_state:
1195 /* Writing in SPI mode not implemented. */
1196 if (sd->spi)
1197 break;
1198 sd->state = sd_receivingdata_state;
1199 sd->data_start = addr;
1200 sd->data_offset = 0;
1201 sd->blk_written = 0;
1202
1203 if (sd->data_start + sd->blk_len > sd->size)
1204 sd->card_status |= ADDRESS_ERROR;
1205 if (sd_wp_addr(sd, sd->data_start))
1206 sd->card_status |= WP_VIOLATION;
1207 if (sd->csd[14] & 0x30)
1208 sd->card_status |= WP_VIOLATION;
1209 return sd_r1;
1210
1211 default:
1212 break;
1213 }
1214 break;
1215
1216 case 26: /* CMD26: PROGRAM_CID */
1217 if (sd->spi)
1218 goto bad_cmd;
1219 switch (sd->state) {
1220 case sd_transfer_state:
1221 sd->state = sd_receivingdata_state;
1222 sd->data_start = 0;
1223 sd->data_offset = 0;
1224 return sd_r1;
1225
1226 default:
1227 break;
1228 }
1229 break;
1230
1231 case 27: /* CMD27: PROGRAM_CSD */
1232 if (sd->spi)
1233 goto unimplemented_cmd;
1234 switch (sd->state) {
1235 case sd_transfer_state:
1236 sd->state = sd_receivingdata_state;
1237 sd->data_start = 0;
1238 sd->data_offset = 0;
1239 return sd_r1;
1240
1241 default:
1242 break;
1243 }
1244 break;
1245
1246 /* Write protection (Class 6) */
1247 case 28: /* CMD28: SET_WRITE_PROT */
1248 switch (sd->state) {
1249 case sd_transfer_state:
1250 if (addr >= sd->size) {
1251 sd->card_status |= ADDRESS_ERROR;
1252 return sd_r1b;
1253 }
1254
1255 sd->state = sd_programming_state;
1256 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1257 /* Bzzzzzzztt .... Operation complete. */
1258 sd->state = sd_transfer_state;
1259 return sd_r1b;
1260
1261 default:
1262 break;
1263 }
1264 break;
1265
1266 case 29: /* CMD29: CLR_WRITE_PROT */
1267 switch (sd->state) {
1268 case sd_transfer_state:
1269 if (addr >= sd->size) {
1270 sd->card_status |= ADDRESS_ERROR;
1271 return sd_r1b;
1272 }
1273
1274 sd->state = sd_programming_state;
1275 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1276 /* Bzzzzzzztt .... Operation complete. */
1277 sd->state = sd_transfer_state;
1278 return sd_r1b;
1279
1280 default:
1281 break;
1282 }
1283 break;
1284
1285 case 30: /* CMD30: SEND_WRITE_PROT */
1286 switch (sd->state) {
1287 case sd_transfer_state:
1288 sd->state = sd_sendingdata_state;
1289 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1290 sd->data_start = addr;
1291 sd->data_offset = 0;
1292 return sd_r1b;
1293
1294 default:
1295 break;
1296 }
1297 break;
1298
1299 /* Erase commands (Class 5) */
1300 case 32: /* CMD32: ERASE_WR_BLK_START */
1301 switch (sd->state) {
1302 case sd_transfer_state:
1303 sd->erase_start = req.arg;
1304 return sd_r1;
1305
1306 default:
1307 break;
1308 }
1309 break;
1310
1311 case 33: /* CMD33: ERASE_WR_BLK_END */
1312 switch (sd->state) {
1313 case sd_transfer_state:
1314 sd->erase_end = req.arg;
1315 return sd_r1;
1316
1317 default:
1318 break;
1319 }
1320 break;
1321
1322 case 38: /* CMD38: ERASE */
1323 switch (sd->state) {
1324 case sd_transfer_state:
1325 if (sd->csd[14] & 0x30) {
1326 sd->card_status |= WP_VIOLATION;
1327 return sd_r1b;
1328 }
1329
1330 sd->state = sd_programming_state;
1331 sd_erase(sd);
1332 /* Bzzzzzzztt .... Operation complete. */
1333 sd->state = sd_transfer_state;
1334 return sd_r1b;
1335
1336 default:
1337 break;
1338 }
1339 break;
1340
1341 /* Lock card commands (Class 7) */
1342 case 42: /* CMD42: LOCK_UNLOCK */
1343 if (sd->spi)
1344 goto unimplemented_cmd;
1345 switch (sd->state) {
1346 case sd_transfer_state:
1347 sd->state = sd_receivingdata_state;
1348 sd->data_start = 0;
1349 sd->data_offset = 0;
1350 return sd_r1;
1351
1352 default:
1353 break;
1354 }
1355 break;
1356
1357 case 52:
1358 case 53:
1359 /* CMD52, CMD53: reserved for SDIO cards
1360 * (see the SDIO Simplified Specification V2.0)
1361 * Handle as illegal command but do not complain
1362 * on stderr, as some OSes may use these in their
1363 * probing for presence of an SDIO card.
1364 */
1365 return sd_illegal;
1366
1367 /* Application specific commands (Class 8) */
1368 case 55: /* CMD55: APP_CMD */
1369 if (sd->rca != rca)
1370 return sd_r0;
1371
1372 sd->expecting_acmd = true;
1373 sd->card_status |= APP_CMD;
1374 return sd_r1;
1375
1376 case 56: /* CMD56: GEN_CMD */
1377 switch (sd->state) {
1378 case sd_transfer_state:
1379 sd->data_offset = 0;
1380 if (req.arg & 1)
1381 sd->state = sd_sendingdata_state;
1382 else
1383 sd->state = sd_receivingdata_state;
1384 return sd_r1;
1385
1386 default:
1387 break;
1388 }
1389 break;
1390
1391 default:
1392 bad_cmd:
1393 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1394 return sd_illegal;
1395
1396 unimplemented_cmd:
1397 /* Commands that are recognised but not yet implemented in SPI mode. */
1398 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1399 req.cmd);
1400 return sd_illegal;
1401 }
1402
1403 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1404 return sd_illegal;
1405 }
1406
1407 static sd_rsp_type_t sd_app_command(SDState *sd,
1408 SDRequest req)
1409 {
1410 trace_sdcard_app_command(req.cmd, req.arg);
1411 sd->card_status |= APP_CMD;
1412 switch (req.cmd) {
1413 case 6: /* ACMD6: SET_BUS_WIDTH */
1414 switch (sd->state) {
1415 case sd_transfer_state:
1416 sd->sd_status[0] &= 0x3f;
1417 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1418 return sd_r1;
1419
1420 default:
1421 break;
1422 }
1423 break;
1424
1425 case 13: /* ACMD13: SD_STATUS */
1426 switch (sd->state) {
1427 case sd_transfer_state:
1428 sd->state = sd_sendingdata_state;
1429 sd->data_start = 0;
1430 sd->data_offset = 0;
1431 return sd_r1;
1432
1433 default:
1434 break;
1435 }
1436 break;
1437
1438 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1439 switch (sd->state) {
1440 case sd_transfer_state:
1441 *(uint32_t *) sd->data = sd->blk_written;
1442
1443 sd->state = sd_sendingdata_state;
1444 sd->data_start = 0;
1445 sd->data_offset = 0;
1446 return sd_r1;
1447
1448 default:
1449 break;
1450 }
1451 break;
1452
1453 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1454 switch (sd->state) {
1455 case sd_transfer_state:
1456 return sd_r1;
1457
1458 default:
1459 break;
1460 }
1461 break;
1462
1463 case 41: /* ACMD41: SD_APP_OP_COND */
1464 if (sd->spi) {
1465 /* SEND_OP_CMD */
1466 sd->state = sd_transfer_state;
1467 return sd_r1;
1468 }
1469 switch (sd->state) {
1470 case sd_idle_state:
1471 /* If it's the first ACMD41 since reset, we need to decide
1472 * whether to power up. If this is not an enquiry ACMD41,
1473 * we immediately report power on and proceed below to the
1474 * ready state, but if it is, we set a timer to model a
1475 * delay for power up. This works around a bug in EDK2
1476 * UEFI, which sends an initial enquiry ACMD41, but
1477 * assumes that the card is in ready state as soon as it
1478 * sees the power up bit set. */
1479 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1480 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1481 timer_del(sd->ocr_power_timer);
1482 sd_ocr_powerup(sd);
1483 } else {
1484 trace_sdcard_inquiry_cmd41();
1485 if (!timer_pending(sd->ocr_power_timer)) {
1486 timer_mod_ns(sd->ocr_power_timer,
1487 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1488 + OCR_POWER_DELAY_NS));
1489 }
1490 }
1491 }
1492
1493 /* We accept any voltage. 10000 V is nothing.
1494 *
1495 * Once we're powered up, we advance straight to ready state
1496 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1497 */
1498 if (req.arg & ACMD41_ENQUIRY_MASK) {
1499 sd->state = sd_ready_state;
1500 }
1501
1502 return sd_r3;
1503
1504 default:
1505 break;
1506 }
1507 break;
1508
1509 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1510 switch (sd->state) {
1511 case sd_transfer_state:
1512 /* Bringing in the 50KOhm pull-up resistor... Done. */
1513 return sd_r1;
1514
1515 default:
1516 break;
1517 }
1518 break;
1519
1520 case 51: /* ACMD51: SEND_SCR */
1521 switch (sd->state) {
1522 case sd_transfer_state:
1523 sd->state = sd_sendingdata_state;
1524 sd->data_start = 0;
1525 sd->data_offset = 0;
1526 return sd_r1;
1527
1528 default:
1529 break;
1530 }
1531 break;
1532
1533 default:
1534 /* Fall back to standard commands. */
1535 return sd_normal_command(sd, req);
1536 }
1537
1538 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1539 return sd_illegal;
1540 }
1541
1542 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1543 {
1544 /* Valid commands in locked state:
1545 * basic class (0)
1546 * lock card class (7)
1547 * CMD16
1548 * implicitly, the ACMD prefix CMD55
1549 * ACMD41 and ACMD42
1550 * Anything else provokes an "illegal command" response.
1551 */
1552 if (sd->expecting_acmd) {
1553 return req->cmd == 41 || req->cmd == 42;
1554 }
1555 if (req->cmd == 16 || req->cmd == 55) {
1556 return 1;
1557 }
1558 return sd_cmd_class[req->cmd] == 0
1559 || sd_cmd_class[req->cmd] == 7;
1560 }
1561
1562 int sd_do_command(SDState *sd, SDRequest *req,
1563 uint8_t *response) {
1564 int last_state;
1565 sd_rsp_type_t rtype;
1566 int rsplen;
1567
1568 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1569 return 0;
1570 }
1571
1572 if (sd_req_crc_validate(req)) {
1573 sd->card_status |= COM_CRC_ERROR;
1574 rtype = sd_illegal;
1575 goto send_response;
1576 }
1577
1578 if (req->cmd >= SDMMC_CMD_MAX) {
1579 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1580 req->cmd);
1581 req->cmd &= 0x3f;
1582 }
1583
1584 if (sd->card_status & CARD_IS_LOCKED) {
1585 if (!cmd_valid_while_locked(sd, req)) {
1586 sd->card_status |= ILLEGAL_COMMAND;
1587 sd->expecting_acmd = false;
1588 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1589 rtype = sd_illegal;
1590 goto send_response;
1591 }
1592 }
1593
1594 last_state = sd->state;
1595 sd_set_mode(sd);
1596
1597 if (sd->expecting_acmd) {
1598 sd->expecting_acmd = false;
1599 rtype = sd_app_command(sd, *req);
1600 } else {
1601 rtype = sd_normal_command(sd, *req);
1602 }
1603
1604 if (rtype == sd_illegal) {
1605 sd->card_status |= ILLEGAL_COMMAND;
1606 } else {
1607 /* Valid command, we can update the 'state before command' bits.
1608 * (Do this now so they appear in r1 responses.)
1609 */
1610 sd->current_cmd = req->cmd;
1611 sd->card_status &= ~CURRENT_STATE;
1612 sd->card_status |= (last_state << 9);
1613 }
1614
1615 send_response:
1616 switch (rtype) {
1617 case sd_r1:
1618 case sd_r1b:
1619 sd_response_r1_make(sd, response);
1620 rsplen = 4;
1621 break;
1622
1623 case sd_r2_i:
1624 memcpy(response, sd->cid, sizeof(sd->cid));
1625 rsplen = 16;
1626 break;
1627
1628 case sd_r2_s:
1629 memcpy(response, sd->csd, sizeof(sd->csd));
1630 rsplen = 16;
1631 break;
1632
1633 case sd_r3:
1634 sd_response_r3_make(sd, response);
1635 rsplen = 4;
1636 break;
1637
1638 case sd_r6:
1639 sd_response_r6_make(sd, response);
1640 rsplen = 4;
1641 break;
1642
1643 case sd_r7:
1644 sd_response_r7_make(sd, response);
1645 rsplen = 4;
1646 break;
1647
1648 case sd_r0:
1649 case sd_illegal:
1650 rsplen = 0;
1651 break;
1652 default:
1653 g_assert_not_reached();
1654 }
1655 trace_sdcard_response(sd_response_name(rtype), rsplen);
1656
1657 if (rtype != sd_illegal) {
1658 /* Clear the "clear on valid command" status bits now we've
1659 * sent any response
1660 */
1661 sd->card_status &= ~CARD_STATUS_B;
1662 }
1663
1664 #ifdef DEBUG_SD
1665 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
1666 #endif
1667
1668 return rsplen;
1669 }
1670
1671 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1672 {
1673 trace_sdcard_read_block(addr, len);
1674 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1675 fprintf(stderr, "sd_blk_read: read error on host side\n");
1676 }
1677 }
1678
1679 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1680 {
1681 trace_sdcard_write_block(addr, len);
1682 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1683 fprintf(stderr, "sd_blk_write: write error on host side\n");
1684 }
1685 }
1686
1687 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1688 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1689 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1690 #define APP_WRITE_BLOCK(a, len)
1691
1692 void sd_write_data(SDState *sd, uint8_t value)
1693 {
1694 int i;
1695
1696 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1697 return;
1698
1699 if (sd->state != sd_receivingdata_state) {
1700 qemu_log_mask(LOG_GUEST_ERROR,
1701 "sd_write_data: not in Receiving-Data state\n");
1702 return;
1703 }
1704
1705 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1706 return;
1707
1708 trace_sdcard_write_data(sd->current_cmd, value);
1709 switch (sd->current_cmd) {
1710 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1711 sd->data[sd->data_offset ++] = value;
1712 if (sd->data_offset >= sd->blk_len) {
1713 /* TODO: Check CRC before committing */
1714 sd->state = sd_programming_state;
1715 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1716 sd->blk_written ++;
1717 sd->csd[14] |= 0x40;
1718 /* Bzzzzzzztt .... Operation complete. */
1719 sd->state = sd_transfer_state;
1720 }
1721 break;
1722
1723 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1724 if (sd->data_offset == 0) {
1725 /* Start of the block - let's check the address is valid */
1726 if (sd->data_start + sd->blk_len > sd->size) {
1727 sd->card_status |= ADDRESS_ERROR;
1728 break;
1729 }
1730 if (sd_wp_addr(sd, sd->data_start)) {
1731 sd->card_status |= WP_VIOLATION;
1732 break;
1733 }
1734 }
1735 sd->data[sd->data_offset++] = value;
1736 if (sd->data_offset >= sd->blk_len) {
1737 /* TODO: Check CRC before committing */
1738 sd->state = sd_programming_state;
1739 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1740 sd->blk_written++;
1741 sd->data_start += sd->blk_len;
1742 sd->data_offset = 0;
1743 sd->csd[14] |= 0x40;
1744
1745 /* Bzzzzzzztt .... Operation complete. */
1746 if (sd->multi_blk_cnt != 0) {
1747 if (--sd->multi_blk_cnt == 0) {
1748 /* Stop! */
1749 sd->state = sd_transfer_state;
1750 break;
1751 }
1752 }
1753
1754 sd->state = sd_receivingdata_state;
1755 }
1756 break;
1757
1758 case 26: /* CMD26: PROGRAM_CID */
1759 sd->data[sd->data_offset ++] = value;
1760 if (sd->data_offset >= sizeof(sd->cid)) {
1761 /* TODO: Check CRC before committing */
1762 sd->state = sd_programming_state;
1763 for (i = 0; i < sizeof(sd->cid); i ++)
1764 if ((sd->cid[i] | 0x00) != sd->data[i])
1765 sd->card_status |= CID_CSD_OVERWRITE;
1766
1767 if (!(sd->card_status & CID_CSD_OVERWRITE))
1768 for (i = 0; i < sizeof(sd->cid); i ++) {
1769 sd->cid[i] |= 0x00;
1770 sd->cid[i] &= sd->data[i];
1771 }
1772 /* Bzzzzzzztt .... Operation complete. */
1773 sd->state = sd_transfer_state;
1774 }
1775 break;
1776
1777 case 27: /* CMD27: PROGRAM_CSD */
1778 sd->data[sd->data_offset ++] = value;
1779 if (sd->data_offset >= sizeof(sd->csd)) {
1780 /* TODO: Check CRC before committing */
1781 sd->state = sd_programming_state;
1782 for (i = 0; i < sizeof(sd->csd); i ++)
1783 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1784 (sd->data[i] | sd_csd_rw_mask[i]))
1785 sd->card_status |= CID_CSD_OVERWRITE;
1786
1787 /* Copy flag (OTP) & Permanent write protect */
1788 if (sd->csd[14] & ~sd->data[14] & 0x60)
1789 sd->card_status |= CID_CSD_OVERWRITE;
1790
1791 if (!(sd->card_status & CID_CSD_OVERWRITE))
1792 for (i = 0; i < sizeof(sd->csd); i ++) {
1793 sd->csd[i] |= sd_csd_rw_mask[i];
1794 sd->csd[i] &= sd->data[i];
1795 }
1796 /* Bzzzzzzztt .... Operation complete. */
1797 sd->state = sd_transfer_state;
1798 }
1799 break;
1800
1801 case 42: /* CMD42: LOCK_UNLOCK */
1802 sd->data[sd->data_offset ++] = value;
1803 if (sd->data_offset >= sd->blk_len) {
1804 /* TODO: Check CRC before committing */
1805 sd->state = sd_programming_state;
1806 sd_lock_command(sd);
1807 /* Bzzzzzzztt .... Operation complete. */
1808 sd->state = sd_transfer_state;
1809 }
1810 break;
1811
1812 case 56: /* CMD56: GEN_CMD */
1813 sd->data[sd->data_offset ++] = value;
1814 if (sd->data_offset >= sd->blk_len) {
1815 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1816 sd->state = sd_transfer_state;
1817 }
1818 break;
1819
1820 default:
1821 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1822 break;
1823 }
1824 }
1825
1826 uint8_t sd_read_data(SDState *sd)
1827 {
1828 /* TODO: Append CRCs */
1829 uint8_t ret;
1830 int io_len;
1831
1832 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1833 return 0x00;
1834
1835 if (sd->state != sd_sendingdata_state) {
1836 qemu_log_mask(LOG_GUEST_ERROR,
1837 "sd_read_data: not in Sending-Data state\n");
1838 return 0x00;
1839 }
1840
1841 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1842 return 0x00;
1843
1844 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1845
1846 trace_sdcard_read_data(sd->current_cmd, io_len);
1847 switch (sd->current_cmd) {
1848 case 6: /* CMD6: SWITCH_FUNCTION */
1849 ret = sd->data[sd->data_offset ++];
1850
1851 if (sd->data_offset >= 64)
1852 sd->state = sd_transfer_state;
1853 break;
1854
1855 case 9: /* CMD9: SEND_CSD */
1856 case 10: /* CMD10: SEND_CID */
1857 ret = sd->data[sd->data_offset ++];
1858
1859 if (sd->data_offset >= 16)
1860 sd->state = sd_transfer_state;
1861 break;
1862
1863 case 11: /* CMD11: READ_DAT_UNTIL_STOP */
1864 if (sd->data_offset == 0)
1865 BLK_READ_BLOCK(sd->data_start, io_len);
1866 ret = sd->data[sd->data_offset ++];
1867
1868 if (sd->data_offset >= io_len) {
1869 sd->data_start += io_len;
1870 sd->data_offset = 0;
1871 if (sd->data_start + io_len > sd->size) {
1872 sd->card_status |= ADDRESS_ERROR;
1873 break;
1874 }
1875 }
1876 break;
1877
1878 case 13: /* ACMD13: SD_STATUS */
1879 ret = sd->sd_status[sd->data_offset ++];
1880
1881 if (sd->data_offset >= sizeof(sd->sd_status))
1882 sd->state = sd_transfer_state;
1883 break;
1884
1885 case 17: /* CMD17: READ_SINGLE_BLOCK */
1886 if (sd->data_offset == 0)
1887 BLK_READ_BLOCK(sd->data_start, io_len);
1888 ret = sd->data[sd->data_offset ++];
1889
1890 if (sd->data_offset >= io_len)
1891 sd->state = sd_transfer_state;
1892 break;
1893
1894 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1895 if (sd->data_offset == 0) {
1896 if (sd->data_start + io_len > sd->size) {
1897 sd->card_status |= ADDRESS_ERROR;
1898 return 0x00;
1899 }
1900 BLK_READ_BLOCK(sd->data_start, io_len);
1901 }
1902 ret = sd->data[sd->data_offset ++];
1903
1904 if (sd->data_offset >= io_len) {
1905 sd->data_start += io_len;
1906 sd->data_offset = 0;
1907
1908 if (sd->multi_blk_cnt != 0) {
1909 if (--sd->multi_blk_cnt == 0) {
1910 /* Stop! */
1911 sd->state = sd_transfer_state;
1912 break;
1913 }
1914 }
1915 }
1916 break;
1917
1918 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1919 ret = sd->data[sd->data_offset ++];
1920
1921 if (sd->data_offset >= 4)
1922 sd->state = sd_transfer_state;
1923 break;
1924
1925 case 30: /* CMD30: SEND_WRITE_PROT */
1926 ret = sd->data[sd->data_offset ++];
1927
1928 if (sd->data_offset >= 4)
1929 sd->state = sd_transfer_state;
1930 break;
1931
1932 case 51: /* ACMD51: SEND_SCR */
1933 ret = sd->scr[sd->data_offset ++];
1934
1935 if (sd->data_offset >= sizeof(sd->scr))
1936 sd->state = sd_transfer_state;
1937 break;
1938
1939 case 56: /* CMD56: GEN_CMD */
1940 if (sd->data_offset == 0)
1941 APP_READ_BLOCK(sd->data_start, sd->blk_len);
1942 ret = sd->data[sd->data_offset ++];
1943
1944 if (sd->data_offset >= sd->blk_len)
1945 sd->state = sd_transfer_state;
1946 break;
1947
1948 default:
1949 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
1950 return 0x00;
1951 }
1952
1953 return ret;
1954 }
1955
1956 bool sd_data_ready(SDState *sd)
1957 {
1958 return sd->state == sd_sendingdata_state;
1959 }
1960
1961 void sd_enable(SDState *sd, bool enable)
1962 {
1963 sd->enable = enable;
1964 }
1965
1966 static void sd_instance_init(Object *obj)
1967 {
1968 SDState *sd = SD_CARD(obj);
1969
1970 sd->enable = true;
1971 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
1972 }
1973
1974 static void sd_instance_finalize(Object *obj)
1975 {
1976 SDState *sd = SD_CARD(obj);
1977
1978 timer_del(sd->ocr_power_timer);
1979 timer_free(sd->ocr_power_timer);
1980 }
1981
1982 static void sd_realize(DeviceState *dev, Error **errp)
1983 {
1984 SDState *sd = SD_CARD(dev);
1985 int ret;
1986
1987 if (sd->blk && blk_is_read_only(sd->blk)) {
1988 error_setg(errp, "Cannot use read-only drive as SD card");
1989 return;
1990 }
1991
1992 if (sd->blk) {
1993 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
1994 BLK_PERM_ALL, errp);
1995 if (ret < 0) {
1996 return;
1997 }
1998 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
1999 }
2000 }
2001
2002 static Property sd_properties[] = {
2003 DEFINE_PROP_DRIVE("drive", SDState, blk),
2004 /* We do not model the chip select pin, so allow the board to select
2005 * whether card should be in SSI or MMC/SD mode. It is also up to the
2006 * board to ensure that ssi transfers only occur when the chip select
2007 * is asserted. */
2008 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2009 DEFINE_PROP_END_OF_LIST()
2010 };
2011
2012 static void sd_class_init(ObjectClass *klass, void *data)
2013 {
2014 DeviceClass *dc = DEVICE_CLASS(klass);
2015 SDCardClass *sc = SD_CARD_CLASS(klass);
2016
2017 dc->realize = sd_realize;
2018 dc->props = sd_properties;
2019 dc->vmsd = &sd_vmstate;
2020 dc->reset = sd_reset;
2021 dc->bus_type = TYPE_SD_BUS;
2022
2023 sc->set_voltage = sd_set_voltage;
2024 sc->get_dat_lines = sd_get_dat_lines;
2025 sc->get_cmd_line = sd_get_cmd_line;
2026 sc->do_command = sd_do_command;
2027 sc->write_data = sd_write_data;
2028 sc->read_data = sd_read_data;
2029 sc->data_ready = sd_data_ready;
2030 sc->enable = sd_enable;
2031 sc->get_inserted = sd_get_inserted;
2032 sc->get_readonly = sd_get_readonly;
2033 }
2034
2035 static const TypeInfo sd_info = {
2036 .name = TYPE_SD_CARD,
2037 .parent = TYPE_DEVICE,
2038 .instance_size = sizeof(SDState),
2039 .class_size = sizeof(SDCardClass),
2040 .class_init = sd_class_init,
2041 .instance_init = sd_instance_init,
2042 .instance_finalize = sd_instance_finalize,
2043 };
2044
2045 static void sd_register_types(void)
2046 {
2047 type_register_static(&sd_info);
2048 }
2049
2050 type_init(sd_register_types)
Random patches