2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
6 * Copyright (c) 2007 CodeSourcery
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "qemu/error-report.h"
46 #include "qemu/timer.h"
48 #include "qemu/module.h"
49 #include "sdmmc-internal.h"
54 #define SDSC_MAX_CAPACITY (2 * GiB)
57 sd_r0 = 0, /* no response */
58 sd_r1, /* normal response command */
59 sd_r2_i, /* CID register */
60 sd_r2_s, /* CSD register */
61 sd_r3, /* OCR register */
62 sd_r6 = 6, /* Published RCA response */
63 sd_r7, /* Operating voltage */
70 sd_card_identification_mode,
71 sd_data_transfer_mode,
75 sd_inactive_state = -1,
78 sd_identification_state,
82 sd_receivingdata_state,
88 DeviceState parent_obj;
90 /* If true, created by sd_init() for a non-qdevified caller */
91 /* TODO purge them with fire */
92 bool me_no_qdev_me_kill_mammoth_with_rocks;
94 /* SD Memory Card Registers */
100 uint32_t card_status;
101 uint8_t sd_status[64];
103 /* Configurable properties */
104 uint8_t spec_version;
108 uint32_t mode; /* current card mode, one of SDCardModes */
109 int32_t state; /* current card state, one of SDCardStates */
112 unsigned long *wp_groups;
116 uint32_t multi_blk_cnt;
117 uint32_t erase_start;
121 uint8_t function_group[6];
123 /* True if we will handle the next command as an ACMD. Note that this does
124 * *not* track the APP_CMD status bit!
127 uint32_t blk_written;
129 uint32_t data_offset;
131 qemu_irq readonly_cb;
132 qemu_irq inserted_cb;
133 QEMUTimer *ocr_power_timer;
134 const char *proto_name;
140 static void sd_realize(DeviceState *dev, Error **errp);
142 static const char *sd_state_name(enum SDCardStates state)
144 static const char *state_name[] = {
145 [sd_idle_state] = "idle",
146 [sd_ready_state] = "ready",
147 [sd_identification_state] = "identification",
148 [sd_standby_state] = "standby",
149 [sd_transfer_state] = "transfer",
150 [sd_sendingdata_state] = "sendingdata",
151 [sd_receivingdata_state] = "receivingdata",
152 [sd_programming_state] = "programming",
153 [sd_disconnect_state] = "disconnect",
155 if (state == sd_inactive_state) {
158 assert(state < ARRAY_SIZE(state_name));
159 return state_name[state];
162 static const char *sd_response_name(sd_rsp_type_t rsp)
164 static const char *response_name[] = {
165 [sd_r0] = "RESP#0 (no response)",
166 [sd_r1] = "RESP#1 (normal cmd)",
167 [sd_r2_i] = "RESP#2 (CID reg)",
168 [sd_r2_s] = "RESP#2 (CSD reg)",
169 [sd_r3] = "RESP#3 (OCR reg)",
170 [sd_r6] = "RESP#6 (RCA)",
171 [sd_r7] = "RESP#7 (operating voltage)",
173 if (rsp == sd_illegal) {
174 return "ILLEGAL RESP";
179 assert(rsp < ARRAY_SIZE(response_name));
180 return response_name[rsp];
183 static uint8_t sd_get_dat_lines(SDState *sd)
185 return sd->enable ? sd->dat_lines : 0;
188 static bool sd_get_cmd_line(SDState *sd)
190 return sd->enable ? sd->cmd_line : false;
193 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
195 trace_sdcard_set_voltage(millivolts);
197 switch (millivolts) {
198 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
199 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
202 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
203 millivolts / 1000.f);
207 static void sd_set_mode(SDState *sd)
210 case sd_inactive_state:
211 sd->mode = sd_inactive;
216 case sd_identification_state:
217 sd->mode = sd_card_identification_mode;
220 case sd_standby_state:
221 case sd_transfer_state:
222 case sd_sendingdata_state:
223 case sd_receivingdata_state:
224 case sd_programming_state:
225 case sd_disconnect_state:
226 sd->mode = sd_data_transfer_mode;
231 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
232 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
233 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
235 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
236 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
238 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
239 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
241 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
242 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
245 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
246 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
247 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
248 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
249 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
252 static uint8_t sd_crc7(void *message, size_t width)
255 uint8_t shift_reg = 0x00;
256 uint8_t *msg = (uint8_t *) message;
258 for (i = 0; i < width; i ++, msg ++)
259 for (bit = 7; bit >= 0; bit --) {
261 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
268 static uint16_t sd_crc16(void *message, size_t width)
271 uint16_t shift_reg = 0x0000;
272 uint16_t *msg = (uint16_t *) message;
275 for (i = 0; i < width; i ++, msg ++)
276 for (bit = 15; bit >= 0; bit --) {
278 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
285 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
287 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
288 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
289 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
290 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
291 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
292 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
293 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
294 FIELD(OCR, CARD_POWER_UP, 31, 1)
296 #define ACMD41_ENQUIRY_MASK 0x00ffffff
297 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
298 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
299 | R_OCR_UHS_II_CARD_MASK \
300 | R_OCR_CARD_CAPACITY_MASK \
301 | R_OCR_CARD_POWER_UP_MASK)
303 static void sd_set_ocr(SDState *sd)
305 /* All voltages OK */
306 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
309 static void sd_ocr_powerup(void *opaque)
311 SDState *sd = opaque;
313 trace_sdcard_powerup();
314 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
316 /* card power-up OK */
317 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
319 if (sd->size > SDSC_MAX_CAPACITY) {
320 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
324 static void sd_set_scr(SDState *sd)
326 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
327 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
328 sd->scr[0] |= 1; /* Spec Version 1.10 */
330 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
332 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
333 | 0b0101; /* 1-bit or 4-bit width bus modes */
334 sd->scr[2] = 0x00; /* Extended Security is not supported. */
335 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
336 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
339 /* reserved for manufacturer usage */
353 static void sd_set_cid(SDState *sd)
355 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
356 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
358 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
363 sd->cid[8] = PRV; /* Fake product revision (PRV) */
364 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
368 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
369 ((MDT_YR - 2000) / 10);
370 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
371 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
374 #define HWBLOCK_SHIFT 9 /* 512 bytes */
375 #define SECTOR_SHIFT 5 /* 16 kilobytes */
376 #define WPGROUP_SHIFT 7 /* 2 megs */
377 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
378 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
380 static const uint8_t sd_csd_rw_mask[16] = {
381 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
385 static void sd_set_csd(SDState *sd, uint64_t size)
387 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
388 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
389 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
391 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
392 sd->csd[0] = 0x00; /* CSD structure */
393 sd->csd[1] = 0x26; /* Data read access-time-1 */
394 sd->csd[2] = 0x00; /* Data read access-time-2 */
395 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
396 sd->csd[4] = 0x5f; /* Card Command Classes */
397 sd->csd[5] = 0x50 | /* Max. read data block length */
399 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
400 ((csize >> 10) & 0x03);
401 sd->csd[7] = 0x00 | /* Device size */
402 ((csize >> 2) & 0xff);
403 sd->csd[8] = 0x3f | /* Max. read current */
404 ((csize << 6) & 0xc0);
405 sd->csd[9] = 0xfc | /* Max. write current */
406 ((CMULT_SHIFT - 2) >> 1);
407 sd->csd[10] = 0x40 | /* Erase sector size */
408 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
409 sd->csd[11] = 0x00 | /* Write protect group size */
410 ((sectsize << 7) & 0x80) | wpsize;
411 sd->csd[12] = 0x90 | /* Write speed factor */
412 (HWBLOCK_SHIFT >> 2);
413 sd->csd[13] = 0x20 | /* Max. write data block length */
414 ((HWBLOCK_SHIFT << 6) & 0xc0);
415 sd->csd[14] = 0x00; /* File format group */
426 sd->csd[7] = (size >> 16) & 0xff;
427 sd->csd[8] = (size >> 8) & 0xff;
428 sd->csd[9] = (size & 0xff);
435 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
438 static void sd_set_rca(SDState *sd)
443 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
444 FIELD(CSR, APP_CMD, 5, 1)
445 FIELD(CSR, FX_EVENT, 6, 1)
446 FIELD(CSR, READY_FOR_DATA, 8, 1)
447 FIELD(CSR, CURRENT_STATE, 9, 4)
448 FIELD(CSR, ERASE_RESET, 13, 1)
449 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
450 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
451 FIELD(CSR, CSD_OVERWRITE, 16, 1)
452 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
453 FIELD(CSR, ERROR, 19, 1)
454 FIELD(CSR, CC_ERROR, 20, 1)
455 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
456 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
457 FIELD(CSR, COM_CRC_ERROR, 23, 1)
458 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
459 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
460 FIELD(CSR, WP_VIOLATION, 26, 1)
461 FIELD(CSR, ERASE_PARAM, 27, 1)
462 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
463 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
464 FIELD(CSR, ADDRESS_ERROR, 30, 1)
465 FIELD(CSR, OUT_OF_RANGE, 31, 1)
467 /* Card status bits, split by clear condition:
468 * A : According to the card current state
469 * B : Always related to the previous command
470 * C : Cleared by read
472 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
473 | R_CSR_CARD_ECC_DISABLED_MASK \
474 | R_CSR_CARD_IS_LOCKED_MASK)
475 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
476 | R_CSR_ILLEGAL_COMMAND_MASK \
477 | R_CSR_COM_CRC_ERROR_MASK)
478 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
479 | R_CSR_APP_CMD_MASK \
480 | R_CSR_ERASE_RESET_MASK \
481 | R_CSR_WP_ERASE_SKIP_MASK \
482 | R_CSR_CSD_OVERWRITE_MASK \
484 | R_CSR_CC_ERROR_MASK \
485 | R_CSR_CARD_ECC_FAILED_MASK \
486 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
487 | R_CSR_WP_VIOLATION_MASK \
488 | R_CSR_ERASE_PARAM_MASK \
489 | R_CSR_ERASE_SEQ_ERROR_MASK \
490 | R_CSR_BLOCK_LEN_ERROR_MASK \
491 | R_CSR_ADDRESS_ERROR_MASK \
492 | R_CSR_OUT_OF_RANGE_MASK)
494 static void sd_set_cardstatus(SDState *sd)
496 sd->card_status = 0x00000100;
499 static void sd_set_sdstatus(SDState *sd)
501 memset(sd->sd_status, 0, 64);
504 static int sd_req_crc_validate(SDRequest *req)
507 buffer[0] = 0x40 | req->cmd;
508 stl_be_p(&buffer[1], req->arg);
510 return sd_crc7(buffer, 5) != req->crc; /* TODO */
513 static void sd_response_r1_make(SDState *sd, uint8_t *response)
515 stl_be_p(response, sd->card_status);
517 /* Clear the "clear on read" status bits */
518 sd->card_status &= ~CARD_STATUS_C;
521 static void sd_response_r3_make(SDState *sd, uint8_t *response)
523 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
526 static void sd_response_r6_make(SDState *sd, uint8_t *response)
530 status = ((sd->card_status >> 8) & 0xc000) |
531 ((sd->card_status >> 6) & 0x2000) |
532 (sd->card_status & 0x1fff);
533 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
534 stw_be_p(response + 0, sd->rca);
535 stw_be_p(response + 2, status);
538 static void sd_response_r7_make(SDState *sd, uint8_t *response)
540 stl_be_p(response, sd->vhs);
543 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
545 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
548 static void sd_reset(DeviceState *dev)
550 SDState *sd = SD_CARD(dev);
554 trace_sdcard_reset();
556 blk_get_geometry(sd->blk, §);
562 sect = sd_addr_to_wpnum(size) + 1;
564 sd->state = sd_idle_state;
569 sd_set_csd(sd, size);
570 sd_set_cardstatus(sd);
573 g_free(sd->wp_groups);
574 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
575 sd->wpgrps_size = sect;
576 sd->wp_groups = bitmap_new(sd->wpgrps_size);
577 memset(sd->function_group, 0, sizeof(sd->function_group));
583 sd->expecting_acmd = false;
586 sd->multi_blk_cnt = 0;
589 static bool sd_get_inserted(SDState *sd)
591 return sd->blk && blk_is_inserted(sd->blk);
594 static bool sd_get_readonly(SDState *sd)
596 return sd->wp_switch;
599 static void sd_cardchange(void *opaque, bool load, Error **errp)
601 SDState *sd = opaque;
602 DeviceState *dev = DEVICE(sd);
604 bool inserted = sd_get_inserted(sd);
605 bool readonly = sd_get_readonly(sd);
608 trace_sdcard_inserted(readonly);
611 trace_sdcard_ejected();
614 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
615 qemu_set_irq(sd->inserted_cb, inserted);
617 qemu_set_irq(sd->readonly_cb, readonly);
620 sdbus = SD_BUS(qdev_get_parent_bus(dev));
621 sdbus_set_inserted(sdbus, inserted);
623 sdbus_set_readonly(sdbus, readonly);
628 static const BlockDevOps sd_block_ops = {
629 .change_media_cb = sd_cardchange,
632 static bool sd_ocr_vmstate_needed(void *opaque)
634 SDState *sd = opaque;
636 /* Include the OCR state (and timer) if it is not yet powered up */
637 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
640 static const VMStateDescription sd_ocr_vmstate = {
641 .name = "sd-card/ocr-state",
643 .minimum_version_id = 1,
644 .needed = sd_ocr_vmstate_needed,
645 .fields = (VMStateField[]) {
646 VMSTATE_UINT32(ocr, SDState),
647 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
648 VMSTATE_END_OF_LIST()
652 static int sd_vmstate_pre_load(void *opaque)
654 SDState *sd = opaque;
656 /* If the OCR state is not included (prior versions, or not
657 * needed), then the OCR must be set as powered up. If the OCR state
658 * is included, this will be replaced by the state restore.
665 static const VMStateDescription sd_vmstate = {
668 .minimum_version_id = 1,
669 .pre_load = sd_vmstate_pre_load,
670 .fields = (VMStateField[]) {
671 VMSTATE_UINT32(mode, SDState),
672 VMSTATE_INT32(state, SDState),
673 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
674 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
675 VMSTATE_UINT16(rca, SDState),
676 VMSTATE_UINT32(card_status, SDState),
677 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
678 VMSTATE_UINT32(vhs, SDState),
679 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
680 VMSTATE_UINT32(blk_len, SDState),
681 VMSTATE_UINT32(multi_blk_cnt, SDState),
682 VMSTATE_UINT32(erase_start, SDState),
683 VMSTATE_UINT32(erase_end, SDState),
684 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
685 VMSTATE_UINT32(pwd_len, SDState),
686 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
687 VMSTATE_UINT8(current_cmd, SDState),
688 VMSTATE_BOOL(expecting_acmd, SDState),
689 VMSTATE_UINT32(blk_written, SDState),
690 VMSTATE_UINT64(data_start, SDState),
691 VMSTATE_UINT32(data_offset, SDState),
692 VMSTATE_UINT8_ARRAY(data, SDState, 512),
693 VMSTATE_UNUSED_V(1, 512),
694 VMSTATE_BOOL(enable, SDState),
695 VMSTATE_END_OF_LIST()
697 .subsections = (const VMStateDescription*[]) {
703 /* Legacy initialization function for use by non-qdevified callers */
704 SDState *sd_init(BlockBackend *blk, bool is_spi)
711 obj = object_new(TYPE_SD_CARD);
713 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
714 error_reportf_err(err, "sd_init failed: ");
717 qdev_prop_set_bit(dev, "spi", is_spi);
720 * Realizing the device properly would put it into the QOM
721 * composition tree even though it is not plugged into an
722 * appropriate bus. That's a no-no. Hide the device from
723 * QOM/qdev, and call its qdev realize callback directly.
726 object_unparent(obj);
727 sd_realize(dev, &err);
729 error_reportf_err(err, "sd_init failed: ");
734 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
738 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
740 sd->readonly_cb = readonly;
741 sd->inserted_cb = insert;
742 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
743 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
746 static void sd_erase(SDState *sd)
749 uint64_t erase_start = sd->erase_start;
750 uint64_t erase_end = sd->erase_end;
752 trace_sdcard_erase();
753 if (!sd->erase_start || !sd->erase_end) {
754 sd->card_status |= ERASE_SEQ_ERROR;
758 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
759 /* High capacity memory card: erase units are 512 byte blocks */
764 erase_start = sd_addr_to_wpnum(erase_start);
765 erase_end = sd_addr_to_wpnum(erase_end);
770 for (i = erase_start; i <= erase_end; i++) {
771 if (test_bit(i, sd->wp_groups)) {
772 sd->card_status |= WP_ERASE_SKIP;
777 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
782 wpnum = sd_addr_to_wpnum(addr);
784 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
785 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
793 static void sd_function_switch(SDState *sd, uint32_t arg)
795 int i, mode, new_func;
796 mode = !!(arg & 0x80000000);
798 sd->data[0] = 0x00; /* Maximum current consumption */
800 sd->data[2] = 0x80; /* Supported group 6 functions */
802 sd->data[4] = 0x80; /* Supported group 5 functions */
804 sd->data[6] = 0x80; /* Supported group 4 functions */
806 sd->data[8] = 0x80; /* Supported group 3 functions */
808 sd->data[10] = 0x80; /* Supported group 2 functions */
810 sd->data[12] = 0x80; /* Supported group 1 functions */
813 for (i = 0; i < 6; i ++) {
814 new_func = (arg >> (i * 4)) & 0x0f;
815 if (mode && new_func != 0x0f)
816 sd->function_group[i] = new_func;
817 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
819 memset(&sd->data[17], 0, 47);
820 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
823 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
825 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
828 static void sd_lock_command(SDState *sd)
830 int erase, lock, clr_pwd, set_pwd, pwd_len;
831 erase = !!(sd->data[0] & 0x08);
832 lock = sd->data[0] & 0x04;
833 clr_pwd = sd->data[0] & 0x02;
834 set_pwd = sd->data[0] & 0x01;
837 pwd_len = sd->data[1];
844 trace_sdcard_unlock();
847 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
848 set_pwd || clr_pwd || lock || sd->wp_switch ||
849 (sd->csd[14] & 0x20)) {
850 sd->card_status |= LOCK_UNLOCK_FAILED;
853 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
854 sd->csd[14] &= ~0x10;
855 sd->card_status &= ~CARD_IS_LOCKED;
857 /* Erasing the entire card here! */
858 fprintf(stderr, "SD: Card force-erased by CMD42\n");
862 if (sd->blk_len < 2 + pwd_len ||
863 pwd_len <= sd->pwd_len ||
864 pwd_len > sd->pwd_len + 16) {
865 sd->card_status |= LOCK_UNLOCK_FAILED;
869 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
870 sd->card_status |= LOCK_UNLOCK_FAILED;
874 pwd_len -= sd->pwd_len;
875 if ((pwd_len && !set_pwd) ||
876 (clr_pwd && (set_pwd || lock)) ||
877 (lock && !sd->pwd_len && !set_pwd) ||
878 (!set_pwd && !clr_pwd &&
879 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
880 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
881 sd->card_status |= LOCK_UNLOCK_FAILED;
886 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
887 sd->pwd_len = pwd_len;
895 sd->card_status |= CARD_IS_LOCKED;
897 sd->card_status &= ~CARD_IS_LOCKED;
900 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
902 uint32_t rca = 0x0000;
903 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
905 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
906 * However there is no ACMD55, so we want to trace this particular case.
908 if (req.cmd != 55 || sd->expecting_acmd) {
909 trace_sdcard_normal_command(sd->proto_name,
910 sd_cmd_name(req.cmd), req.cmd,
911 req.arg, sd_state_name(sd->state));
914 /* Not interpreting this as an app command */
915 sd->card_status &= ~APP_CMD;
917 if (sd_cmd_type[req.cmd] == sd_ac
918 || sd_cmd_type[req.cmd] == sd_adtc) {
922 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
923 * if not, its effects are cancelled */
924 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
925 sd->multi_blk_cnt = 0;
928 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
929 /* Only Standard Capacity cards support class 6 commands */
934 /* Basic commands (Class 0 and Class 1) */
935 case 0: /* CMD0: GO_IDLE_STATE */
937 case sd_inactive_state:
938 return sd->spi ? sd_r1 : sd_r0;
941 sd->state = sd_idle_state;
942 sd_reset(DEVICE(sd));
943 return sd->spi ? sd_r1 : sd_r0;
947 case 1: /* CMD1: SEND_OP_CMD */
951 sd->state = sd_transfer_state;
954 case 2: /* CMD2: ALL_SEND_CID */
959 sd->state = sd_identification_state;
967 case 3: /* CMD3: SEND_RELATIVE_ADDR */
971 case sd_identification_state:
972 case sd_standby_state:
973 sd->state = sd_standby_state;
982 case 4: /* CMD4: SEND_DSR */
986 case sd_standby_state:
994 case 5: /* CMD5: reserved for SDIO cards */
997 case 6: /* CMD6: SWITCH_FUNCTION */
999 case sd_data_transfer_mode:
1000 sd_function_switch(sd, req.arg);
1001 sd->state = sd_sendingdata_state;
1003 sd->data_offset = 0;
1011 case 7: /* CMD7: SELECT/DESELECT_CARD */
1014 switch (sd->state) {
1015 case sd_standby_state:
1019 sd->state = sd_transfer_state;
1022 case sd_transfer_state:
1023 case sd_sendingdata_state:
1027 sd->state = sd_standby_state;
1030 case sd_disconnect_state:
1034 sd->state = sd_programming_state;
1037 case sd_programming_state:
1041 sd->state = sd_disconnect_state;
1049 case 8: /* CMD8: SEND_IF_COND */
1050 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1053 if (sd->state != sd_idle_state) {
1058 /* No response if not exactly one VHS bit is set. */
1059 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1060 return sd->spi ? sd_r7 : sd_r0;
1067 case 9: /* CMD9: SEND_CSD */
1068 switch (sd->state) {
1069 case sd_standby_state:
1075 case sd_transfer_state:
1078 sd->state = sd_sendingdata_state;
1079 memcpy(sd->data, sd->csd, 16);
1080 sd->data_start = addr;
1081 sd->data_offset = 0;
1089 case 10: /* CMD10: SEND_CID */
1090 switch (sd->state) {
1091 case sd_standby_state:
1097 case sd_transfer_state:
1100 sd->state = sd_sendingdata_state;
1101 memcpy(sd->data, sd->cid, 16);
1102 sd->data_start = addr;
1103 sd->data_offset = 0;
1111 case 12: /* CMD12: STOP_TRANSMISSION */
1112 switch (sd->state) {
1113 case sd_sendingdata_state:
1114 sd->state = sd_transfer_state;
1117 case sd_receivingdata_state:
1118 sd->state = sd_programming_state;
1119 /* Bzzzzzzztt .... Operation complete. */
1120 sd->state = sd_transfer_state;
1128 case 13: /* CMD13: SEND_STATUS */
1130 case sd_data_transfer_mode:
1141 case 15: /* CMD15: GO_INACTIVE_STATE */
1145 case sd_data_transfer_mode:
1149 sd->state = sd_inactive_state;
1157 /* Block read commands (Classs 2) */
1158 case 16: /* CMD16: SET_BLOCKLEN */
1159 switch (sd->state) {
1160 case sd_transfer_state:
1161 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1162 sd->card_status |= BLOCK_LEN_ERROR;
1164 trace_sdcard_set_blocklen(req.arg);
1165 sd->blk_len = req.arg;
1175 case 17: /* CMD17: READ_SINGLE_BLOCK */
1176 switch (sd->state) {
1177 case sd_transfer_state:
1179 if (addr + sd->blk_len > sd->size) {
1180 sd->card_status |= ADDRESS_ERROR;
1184 sd->state = sd_sendingdata_state;
1185 sd->data_start = addr;
1186 sd->data_offset = 0;
1194 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1195 switch (sd->state) {
1196 case sd_transfer_state:
1198 if (addr + sd->blk_len > sd->size) {
1199 sd->card_status |= ADDRESS_ERROR;
1203 sd->state = sd_sendingdata_state;
1204 sd->data_start = addr;
1205 sd->data_offset = 0;
1213 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1214 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1217 if (sd->state == sd_transfer_state) {
1218 sd->state = sd_sendingdata_state;
1219 sd->data_offset = 0;
1224 case 23: /* CMD23: SET_BLOCK_COUNT */
1225 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1228 switch (sd->state) {
1229 case sd_transfer_state:
1230 sd->multi_blk_cnt = req.arg;
1238 /* Block write commands (Class 4) */
1239 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1240 switch (sd->state) {
1241 case sd_transfer_state:
1242 /* Writing in SPI mode not implemented. */
1246 if (addr + sd->blk_len > sd->size) {
1247 sd->card_status |= ADDRESS_ERROR;
1251 sd->state = sd_receivingdata_state;
1252 sd->data_start = addr;
1253 sd->data_offset = 0;
1254 sd->blk_written = 0;
1256 if (sd_wp_addr(sd, sd->data_start)) {
1257 sd->card_status |= WP_VIOLATION;
1259 if (sd->csd[14] & 0x30) {
1260 sd->card_status |= WP_VIOLATION;
1269 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1270 switch (sd->state) {
1271 case sd_transfer_state:
1272 /* Writing in SPI mode not implemented. */
1276 if (addr + sd->blk_len > sd->size) {
1277 sd->card_status |= ADDRESS_ERROR;
1281 sd->state = sd_receivingdata_state;
1282 sd->data_start = addr;
1283 sd->data_offset = 0;
1284 sd->blk_written = 0;
1286 if (sd_wp_addr(sd, sd->data_start)) {
1287 sd->card_status |= WP_VIOLATION;
1289 if (sd->csd[14] & 0x30) {
1290 sd->card_status |= WP_VIOLATION;
1299 case 26: /* CMD26: PROGRAM_CID */
1302 switch (sd->state) {
1303 case sd_transfer_state:
1304 sd->state = sd_receivingdata_state;
1306 sd->data_offset = 0;
1314 case 27: /* CMD27: PROGRAM_CSD */
1315 switch (sd->state) {
1316 case sd_transfer_state:
1317 sd->state = sd_receivingdata_state;
1319 sd->data_offset = 0;
1327 /* Write protection (Class 6) */
1328 case 28: /* CMD28: SET_WRITE_PROT */
1329 switch (sd->state) {
1330 case sd_transfer_state:
1331 if (addr >= sd->size) {
1332 sd->card_status |= ADDRESS_ERROR;
1336 sd->state = sd_programming_state;
1337 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1338 /* Bzzzzzzztt .... Operation complete. */
1339 sd->state = sd_transfer_state;
1347 case 29: /* CMD29: CLR_WRITE_PROT */
1348 switch (sd->state) {
1349 case sd_transfer_state:
1350 if (addr >= sd->size) {
1351 sd->card_status |= ADDRESS_ERROR;
1355 sd->state = sd_programming_state;
1356 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1357 /* Bzzzzzzztt .... Operation complete. */
1358 sd->state = sd_transfer_state;
1366 case 30: /* CMD30: SEND_WRITE_PROT */
1367 switch (sd->state) {
1368 case sd_transfer_state:
1369 sd->state = sd_sendingdata_state;
1370 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1371 sd->data_start = addr;
1372 sd->data_offset = 0;
1380 /* Erase commands (Class 5) */
1381 case 32: /* CMD32: ERASE_WR_BLK_START */
1382 switch (sd->state) {
1383 case sd_transfer_state:
1384 sd->erase_start = req.arg;
1392 case 33: /* CMD33: ERASE_WR_BLK_END */
1393 switch (sd->state) {
1394 case sd_transfer_state:
1395 sd->erase_end = req.arg;
1403 case 38: /* CMD38: ERASE */
1404 switch (sd->state) {
1405 case sd_transfer_state:
1406 if (sd->csd[14] & 0x30) {
1407 sd->card_status |= WP_VIOLATION;
1411 sd->state = sd_programming_state;
1413 /* Bzzzzzzztt .... Operation complete. */
1414 sd->state = sd_transfer_state;
1422 /* Lock card commands (Class 7) */
1423 case 42: /* CMD42: LOCK_UNLOCK */
1424 switch (sd->state) {
1425 case sd_transfer_state:
1426 sd->state = sd_receivingdata_state;
1428 sd->data_offset = 0;
1437 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1438 * (see the SDIO Simplified Specification V2.0)
1439 * Handle as illegal command but do not complain
1440 * on stderr, as some OSes may use these in their
1441 * probing for presence of an SDIO card.
1445 /* Application specific commands (Class 8) */
1446 case 55: /* CMD55: APP_CMD */
1447 switch (sd->state) {
1448 case sd_ready_state:
1449 case sd_identification_state:
1450 case sd_inactive_state:
1454 qemu_log_mask(LOG_GUEST_ERROR,
1455 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1461 if (sd->rca != rca) {
1465 sd->expecting_acmd = true;
1466 sd->card_status |= APP_CMD;
1469 case 56: /* CMD56: GEN_CMD */
1470 switch (sd->state) {
1471 case sd_transfer_state:
1472 sd->data_offset = 0;
1474 sd->state = sd_sendingdata_state;
1476 sd->state = sd_receivingdata_state;
1484 case 58: /* CMD58: READ_OCR (SPI) */
1490 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1494 goto unimplemented_spi_cmd;
1498 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1501 unimplemented_spi_cmd:
1502 /* Commands that are recognised but not yet implemented in SPI mode. */
1503 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1508 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1512 static sd_rsp_type_t sd_app_command(SDState *sd,
1515 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1516 req.cmd, req.arg, sd_state_name(sd->state));
1517 sd->card_status |= APP_CMD;
1519 case 6: /* ACMD6: SET_BUS_WIDTH */
1521 goto unimplemented_spi_cmd;
1523 switch (sd->state) {
1524 case sd_transfer_state:
1525 sd->sd_status[0] &= 0x3f;
1526 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1534 case 13: /* ACMD13: SD_STATUS */
1535 switch (sd->state) {
1536 case sd_transfer_state:
1537 sd->state = sd_sendingdata_state;
1539 sd->data_offset = 0;
1547 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1548 switch (sd->state) {
1549 case sd_transfer_state:
1550 *(uint32_t *) sd->data = sd->blk_written;
1552 sd->state = sd_sendingdata_state;
1554 sd->data_offset = 0;
1562 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1563 switch (sd->state) {
1564 case sd_transfer_state:
1572 case 41: /* ACMD41: SD_APP_OP_COND */
1575 sd->state = sd_transfer_state;
1578 if (sd->state != sd_idle_state) {
1581 /* If it's the first ACMD41 since reset, we need to decide
1582 * whether to power up. If this is not an enquiry ACMD41,
1583 * we immediately report power on and proceed below to the
1584 * ready state, but if it is, we set a timer to model a
1585 * delay for power up. This works around a bug in EDK2
1586 * UEFI, which sends an initial enquiry ACMD41, but
1587 * assumes that the card is in ready state as soon as it
1588 * sees the power up bit set. */
1589 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1590 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1591 timer_del(sd->ocr_power_timer);
1594 trace_sdcard_inquiry_cmd41();
1595 if (!timer_pending(sd->ocr_power_timer)) {
1596 timer_mod_ns(sd->ocr_power_timer,
1597 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1598 + OCR_POWER_DELAY_NS));
1603 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1604 /* We accept any voltage. 10000 V is nothing.
1606 * Once we're powered up, we advance straight to ready state
1607 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1609 sd->state = sd_ready_state;
1614 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1615 switch (sd->state) {
1616 case sd_transfer_state:
1617 /* Bringing in the 50KOhm pull-up resistor... Done. */
1625 case 51: /* ACMD51: SEND_SCR */
1626 switch (sd->state) {
1627 case sd_transfer_state:
1628 sd->state = sd_sendingdata_state;
1630 sd->data_offset = 0;
1638 case 18: /* Reserved for SD security applications */
1643 /* Refer to the "SD Specifications Part3 Security Specification" for
1644 * information about the SD Security Features.
1646 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1651 /* Fall back to standard commands. */
1652 return sd_normal_command(sd, req);
1654 unimplemented_spi_cmd:
1655 /* Commands that are recognised but not yet implemented in SPI mode. */
1656 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1661 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1665 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1667 /* Valid commands in locked state:
1669 * lock card class (7)
1671 * implicitly, the ACMD prefix CMD55
1673 * Anything else provokes an "illegal command" response.
1675 if (sd->expecting_acmd) {
1676 return req->cmd == 41 || req->cmd == 42;
1678 if (req->cmd == 16 || req->cmd == 55) {
1681 return sd_cmd_class[req->cmd] == 0
1682 || sd_cmd_class[req->cmd] == 7;
1685 int sd_do_command(SDState *sd, SDRequest *req,
1686 uint8_t *response) {
1688 sd_rsp_type_t rtype;
1691 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1695 if (sd_req_crc_validate(req)) {
1696 sd->card_status |= COM_CRC_ERROR;
1701 if (req->cmd >= SDMMC_CMD_MAX) {
1702 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1707 if (sd->card_status & CARD_IS_LOCKED) {
1708 if (!cmd_valid_while_locked(sd, req)) {
1709 sd->card_status |= ILLEGAL_COMMAND;
1710 sd->expecting_acmd = false;
1711 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1717 last_state = sd->state;
1720 if (sd->expecting_acmd) {
1721 sd->expecting_acmd = false;
1722 rtype = sd_app_command(sd, *req);
1724 rtype = sd_normal_command(sd, *req);
1727 if (rtype == sd_illegal) {
1728 sd->card_status |= ILLEGAL_COMMAND;
1730 /* Valid command, we can update the 'state before command' bits.
1731 * (Do this now so they appear in r1 responses.)
1733 sd->current_cmd = req->cmd;
1734 sd->card_status &= ~CURRENT_STATE;
1735 sd->card_status |= (last_state << 9);
1742 sd_response_r1_make(sd, response);
1747 memcpy(response, sd->cid, sizeof(sd->cid));
1752 memcpy(response, sd->csd, sizeof(sd->csd));
1757 sd_response_r3_make(sd, response);
1762 sd_response_r6_make(sd, response);
1767 sd_response_r7_make(sd, response);
1776 g_assert_not_reached();
1778 trace_sdcard_response(sd_response_name(rtype), rsplen);
1780 if (rtype != sd_illegal) {
1781 /* Clear the "clear on valid command" status bits now we've
1784 sd->card_status &= ~CARD_STATUS_B;
1788 qemu_hexdump(stderr, "Response", response, rsplen);
1794 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1796 trace_sdcard_read_block(addr, len);
1797 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1798 fprintf(stderr, "sd_blk_read: read error on host side\n");
1802 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1804 trace_sdcard_write_block(addr, len);
1805 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1806 fprintf(stderr, "sd_blk_write: write error on host side\n");
1810 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1811 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1812 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1813 #define APP_WRITE_BLOCK(a, len)
1815 void sd_write_byte(SDState *sd, uint8_t value)
1819 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1822 if (sd->state != sd_receivingdata_state) {
1823 qemu_log_mask(LOG_GUEST_ERROR,
1824 "%s: not in Receiving-Data state\n", __func__);
1828 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1831 trace_sdcard_write_data(sd->proto_name,
1832 sd_acmd_name(sd->current_cmd),
1833 sd->current_cmd, value);
1834 switch (sd->current_cmd) {
1835 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1836 sd->data[sd->data_offset ++] = value;
1837 if (sd->data_offset >= sd->blk_len) {
1838 /* TODO: Check CRC before committing */
1839 sd->state = sd_programming_state;
1840 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1842 sd->csd[14] |= 0x40;
1843 /* Bzzzzzzztt .... Operation complete. */
1844 sd->state = sd_transfer_state;
1848 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1849 if (sd->data_offset == 0) {
1850 /* Start of the block - let's check the address is valid */
1851 if (sd->data_start + sd->blk_len > sd->size) {
1852 sd->card_status |= ADDRESS_ERROR;
1855 if (sd_wp_addr(sd, sd->data_start)) {
1856 sd->card_status |= WP_VIOLATION;
1860 sd->data[sd->data_offset++] = value;
1861 if (sd->data_offset >= sd->blk_len) {
1862 /* TODO: Check CRC before committing */
1863 sd->state = sd_programming_state;
1864 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1866 sd->data_start += sd->blk_len;
1867 sd->data_offset = 0;
1868 sd->csd[14] |= 0x40;
1870 /* Bzzzzzzztt .... Operation complete. */
1871 if (sd->multi_blk_cnt != 0) {
1872 if (--sd->multi_blk_cnt == 0) {
1874 sd->state = sd_transfer_state;
1879 sd->state = sd_receivingdata_state;
1883 case 26: /* CMD26: PROGRAM_CID */
1884 sd->data[sd->data_offset ++] = value;
1885 if (sd->data_offset >= sizeof(sd->cid)) {
1886 /* TODO: Check CRC before committing */
1887 sd->state = sd_programming_state;
1888 for (i = 0; i < sizeof(sd->cid); i ++)
1889 if ((sd->cid[i] | 0x00) != sd->data[i])
1890 sd->card_status |= CID_CSD_OVERWRITE;
1892 if (!(sd->card_status & CID_CSD_OVERWRITE))
1893 for (i = 0; i < sizeof(sd->cid); i ++) {
1895 sd->cid[i] &= sd->data[i];
1897 /* Bzzzzzzztt .... Operation complete. */
1898 sd->state = sd_transfer_state;
1902 case 27: /* CMD27: PROGRAM_CSD */
1903 sd->data[sd->data_offset ++] = value;
1904 if (sd->data_offset >= sizeof(sd->csd)) {
1905 /* TODO: Check CRC before committing */
1906 sd->state = sd_programming_state;
1907 for (i = 0; i < sizeof(sd->csd); i ++)
1908 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1909 (sd->data[i] | sd_csd_rw_mask[i]))
1910 sd->card_status |= CID_CSD_OVERWRITE;
1912 /* Copy flag (OTP) & Permanent write protect */
1913 if (sd->csd[14] & ~sd->data[14] & 0x60)
1914 sd->card_status |= CID_CSD_OVERWRITE;
1916 if (!(sd->card_status & CID_CSD_OVERWRITE))
1917 for (i = 0; i < sizeof(sd->csd); i ++) {
1918 sd->csd[i] |= sd_csd_rw_mask[i];
1919 sd->csd[i] &= sd->data[i];
1921 /* Bzzzzzzztt .... Operation complete. */
1922 sd->state = sd_transfer_state;
1926 case 42: /* CMD42: LOCK_UNLOCK */
1927 sd->data[sd->data_offset ++] = value;
1928 if (sd->data_offset >= sd->blk_len) {
1929 /* TODO: Check CRC before committing */
1930 sd->state = sd_programming_state;
1931 sd_lock_command(sd);
1932 /* Bzzzzzzztt .... Operation complete. */
1933 sd->state = sd_transfer_state;
1937 case 56: /* CMD56: GEN_CMD */
1938 sd->data[sd->data_offset ++] = value;
1939 if (sd->data_offset >= sd->blk_len) {
1940 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1941 sd->state = sd_transfer_state;
1946 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1951 #define SD_TUNING_BLOCK_SIZE 64
1953 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1954 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1955 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1956 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1957 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1958 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1959 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1960 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1961 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1962 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1965 uint8_t sd_read_byte(SDState *sd)
1967 /* TODO: Append CRCs */
1971 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1974 if (sd->state != sd_sendingdata_state) {
1975 qemu_log_mask(LOG_GUEST_ERROR,
1976 "%s: not in Sending-Data state\n", __func__);
1980 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1983 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1985 trace_sdcard_read_data(sd->proto_name,
1986 sd_acmd_name(sd->current_cmd),
1987 sd->current_cmd, io_len);
1988 switch (sd->current_cmd) {
1989 case 6: /* CMD6: SWITCH_FUNCTION */
1990 ret = sd->data[sd->data_offset ++];
1992 if (sd->data_offset >= 64)
1993 sd->state = sd_transfer_state;
1996 case 9: /* CMD9: SEND_CSD */
1997 case 10: /* CMD10: SEND_CID */
1998 ret = sd->data[sd->data_offset ++];
2000 if (sd->data_offset >= 16)
2001 sd->state = sd_transfer_state;
2004 case 13: /* ACMD13: SD_STATUS */
2005 ret = sd->sd_status[sd->data_offset ++];
2007 if (sd->data_offset >= sizeof(sd->sd_status))
2008 sd->state = sd_transfer_state;
2011 case 17: /* CMD17: READ_SINGLE_BLOCK */
2012 if (sd->data_offset == 0)
2013 BLK_READ_BLOCK(sd->data_start, io_len);
2014 ret = sd->data[sd->data_offset ++];
2016 if (sd->data_offset >= io_len)
2017 sd->state = sd_transfer_state;
2020 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2021 if (sd->data_offset == 0) {
2022 if (sd->data_start + io_len > sd->size) {
2023 sd->card_status |= ADDRESS_ERROR;
2026 BLK_READ_BLOCK(sd->data_start, io_len);
2028 ret = sd->data[sd->data_offset ++];
2030 if (sd->data_offset >= io_len) {
2031 sd->data_start += io_len;
2032 sd->data_offset = 0;
2034 if (sd->multi_blk_cnt != 0) {
2035 if (--sd->multi_blk_cnt == 0) {
2037 sd->state = sd_transfer_state;
2044 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2045 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2046 sd->state = sd_transfer_state;
2048 ret = sd_tuning_block_pattern[sd->data_offset++];
2051 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2052 ret = sd->data[sd->data_offset ++];
2054 if (sd->data_offset >= 4)
2055 sd->state = sd_transfer_state;
2058 case 30: /* CMD30: SEND_WRITE_PROT */
2059 ret = sd->data[sd->data_offset ++];
2061 if (sd->data_offset >= 4)
2062 sd->state = sd_transfer_state;
2065 case 51: /* ACMD51: SEND_SCR */
2066 ret = sd->scr[sd->data_offset ++];
2068 if (sd->data_offset >= sizeof(sd->scr))
2069 sd->state = sd_transfer_state;
2072 case 56: /* CMD56: GEN_CMD */
2073 if (sd->data_offset == 0)
2074 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2075 ret = sd->data[sd->data_offset ++];
2077 if (sd->data_offset >= sd->blk_len)
2078 sd->state = sd_transfer_state;
2082 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2089 static bool sd_data_ready(SDState *sd)
2091 return sd->state == sd_sendingdata_state;
2094 void sd_enable(SDState *sd, bool enable)
2096 sd->enable = enable;
2099 static void sd_instance_init(Object *obj)
2101 SDState *sd = SD_CARD(obj);
2104 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2107 static void sd_instance_finalize(Object *obj)
2109 SDState *sd = SD_CARD(obj);
2111 timer_del(sd->ocr_power_timer);
2112 timer_free(sd->ocr_power_timer);
2115 static void sd_realize(DeviceState *dev, Error **errp)
2117 SDState *sd = SD_CARD(dev);
2120 sd->proto_name = sd->spi ? "SPI" : "SD";
2122 switch (sd->spec_version) {
2123 case SD_PHY_SPECv1_10_VERS
2124 ... SD_PHY_SPECv3_01_VERS:
2127 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2134 if (blk_is_read_only(sd->blk)) {
2135 error_setg(errp, "Cannot use read-only drive as SD card");
2139 blk_size = blk_getlength(sd->blk);
2140 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2141 int64_t blk_size_aligned = pow2ceil(blk_size);
2144 blk_size_str = size_to_str(blk_size);
2145 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2146 g_free(blk_size_str);
2148 blk_size_str = size_to_str(blk_size_aligned);
2149 error_append_hint(errp,
2150 "SD card size has to be a power of 2, e.g. %s.\n"
2151 "You can resize disk images with"
2152 " 'qemu-img resize <imagefile> <new-size>'\n"
2153 "(note that this will lose data if you make the"
2154 " image smaller than it currently is).\n",
2156 g_free(blk_size_str);
2161 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2162 BLK_PERM_ALL, errp);
2166 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2170 static Property sd_properties[] = {
2171 DEFINE_PROP_UINT8("spec_version", SDState,
2172 spec_version, SD_PHY_SPECv2_00_VERS),
2173 DEFINE_PROP_DRIVE("drive", SDState, blk),
2174 /* We do not model the chip select pin, so allow the board to select
2175 * whether card should be in SSI or MMC/SD mode. It is also up to the
2176 * board to ensure that ssi transfers only occur when the chip select
2178 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2179 DEFINE_PROP_END_OF_LIST()
2182 static void sd_class_init(ObjectClass *klass, void *data)
2184 DeviceClass *dc = DEVICE_CLASS(klass);
2185 SDCardClass *sc = SD_CARD_CLASS(klass);
2187 dc->realize = sd_realize;
2188 device_class_set_props(dc, sd_properties);
2189 dc->vmsd = &sd_vmstate;
2190 dc->reset = sd_reset;
2191 dc->bus_type = TYPE_SD_BUS;
2192 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2194 sc->set_voltage = sd_set_voltage;
2195 sc->get_dat_lines = sd_get_dat_lines;
2196 sc->get_cmd_line = sd_get_cmd_line;
2197 sc->do_command = sd_do_command;
2198 sc->write_byte = sd_write_byte;
2199 sc->read_byte = sd_read_byte;
2200 sc->data_ready = sd_data_ready;
2201 sc->enable = sd_enable;
2202 sc->get_inserted = sd_get_inserted;
2203 sc->get_readonly = sd_get_readonly;
2206 static const TypeInfo sd_info = {
2207 .name = TYPE_SD_CARD,
2208 .parent = TYPE_DEVICE,
2209 .instance_size = sizeof(SDState),
2210 .class_size = sizeof(SDCardClass),
2211 .class_init = sd_class_init,
2212 .instance_init = sd_instance_init,
2213 .instance_finalize = sd_instance_finalize,
2216 static void sd_register_types(void)
2218 type_register_static(&sd_info);
2221 type_init(sd_register_types)
projects / qemu.git / blob