2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 2.00."
6 * Copyright (c) 2007 CodeSourcery
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
24 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
28 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #include "qemu/osdep.h"
34 #include "qemu/units.h"
35 #include "qemu/cutils.h"
37 #include "hw/registerfields.h"
38 #include "sysemu/block-backend.h"
40 #include "hw/sd/sdcard_legacy.h"
41 #include "migration/vmstate.h"
42 #include "qapi/error.h"
43 #include "qemu/bitmap.h"
44 #include "hw/qdev-properties.h"
45 #include "qemu/error-report.h"
46 #include "qemu/timer.h"
48 #include "qemu/module.h"
49 #include "sdmmc-internal.h"
54 #define SDSC_MAX_CAPACITY (2 * GiB)
56 #define INVALID_ADDRESS UINT32_MAX
59 sd_r0 = 0, /* no response */
60 sd_r1, /* normal response command */
61 sd_r2_i, /* CID register */
62 sd_r2_s, /* CSD register */
63 sd_r3, /* OCR register */
64 sd_r6 = 6, /* Published RCA response */
65 sd_r7, /* Operating voltage */
72 sd_card_identification_mode,
73 sd_data_transfer_mode,
77 sd_inactive_state = -1,
80 sd_identification_state,
84 sd_receivingdata_state,
90 DeviceState parent_obj;
92 /* If true, created by sd_init() for a non-qdevified caller */
93 /* TODO purge them with fire */
94 bool me_no_qdev_me_kill_mammoth_with_rocks;
96 /* SD Memory Card Registers */
102 uint32_t card_status;
103 uint8_t sd_status[64];
105 /* Configurable properties */
106 uint8_t spec_version;
110 uint32_t mode; /* current card mode, one of SDCardModes */
111 int32_t state; /* current card state, one of SDCardStates */
114 unsigned long *wp_groups;
118 uint32_t multi_blk_cnt;
119 uint32_t erase_start;
123 uint8_t function_group[6];
125 /* True if we will handle the next command as an ACMD. Note that this does
126 * *not* track the APP_CMD status bit!
129 uint32_t blk_written;
131 uint32_t data_offset;
133 qemu_irq readonly_cb;
134 qemu_irq inserted_cb;
135 QEMUTimer *ocr_power_timer;
136 const char *proto_name;
142 static void sd_realize(DeviceState *dev, Error **errp);
144 static const char *sd_state_name(enum SDCardStates state)
146 static const char *state_name[] = {
147 [sd_idle_state] = "idle",
148 [sd_ready_state] = "ready",
149 [sd_identification_state] = "identification",
150 [sd_standby_state] = "standby",
151 [sd_transfer_state] = "transfer",
152 [sd_sendingdata_state] = "sendingdata",
153 [sd_receivingdata_state] = "receivingdata",
154 [sd_programming_state] = "programming",
155 [sd_disconnect_state] = "disconnect",
157 if (state == sd_inactive_state) {
160 assert(state < ARRAY_SIZE(state_name));
161 return state_name[state];
164 static const char *sd_response_name(sd_rsp_type_t rsp)
166 static const char *response_name[] = {
167 [sd_r0] = "RESP#0 (no response)",
168 [sd_r1] = "RESP#1 (normal cmd)",
169 [sd_r2_i] = "RESP#2 (CID reg)",
170 [sd_r2_s] = "RESP#2 (CSD reg)",
171 [sd_r3] = "RESP#3 (OCR reg)",
172 [sd_r6] = "RESP#6 (RCA)",
173 [sd_r7] = "RESP#7 (operating voltage)",
175 if (rsp == sd_illegal) {
176 return "ILLEGAL RESP";
181 assert(rsp < ARRAY_SIZE(response_name));
182 return response_name[rsp];
185 static uint8_t sd_get_dat_lines(SDState *sd)
187 return sd->enable ? sd->dat_lines : 0;
190 static bool sd_get_cmd_line(SDState *sd)
192 return sd->enable ? sd->cmd_line : false;
195 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
197 trace_sdcard_set_voltage(millivolts);
199 switch (millivolts) {
200 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
201 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
204 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
205 millivolts / 1000.f);
209 static void sd_set_mode(SDState *sd)
212 case sd_inactive_state:
213 sd->mode = sd_inactive;
218 case sd_identification_state:
219 sd->mode = sd_card_identification_mode;
222 case sd_standby_state:
223 case sd_transfer_state:
224 case sd_sendingdata_state:
225 case sd_receivingdata_state:
226 case sd_programming_state:
227 case sd_disconnect_state:
228 sd->mode = sd_data_transfer_mode;
233 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
234 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
235 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
237 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
238 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
240 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
241 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
243 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
244 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
247 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
248 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
249 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
250 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
251 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
254 static uint8_t sd_crc7(void *message, size_t width)
257 uint8_t shift_reg = 0x00;
258 uint8_t *msg = (uint8_t *) message;
260 for (i = 0; i < width; i ++, msg ++)
261 for (bit = 7; bit >= 0; bit --) {
263 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
270 static uint16_t sd_crc16(void *message, size_t width)
273 uint16_t shift_reg = 0x0000;
274 uint16_t *msg = (uint16_t *) message;
277 for (i = 0; i < width; i ++, msg ++)
278 for (bit = 15; bit >= 0; bit --) {
280 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
287 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
289 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
290 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
291 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
292 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
293 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
294 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
295 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
296 FIELD(OCR, CARD_POWER_UP, 31, 1)
298 #define ACMD41_ENQUIRY_MASK 0x00ffffff
299 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
300 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
301 | R_OCR_UHS_II_CARD_MASK \
302 | R_OCR_CARD_CAPACITY_MASK \
303 | R_OCR_CARD_POWER_UP_MASK)
305 static void sd_set_ocr(SDState *sd)
307 /* All voltages OK */
308 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
311 static void sd_ocr_powerup(void *opaque)
313 SDState *sd = opaque;
315 trace_sdcard_powerup();
316 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
318 /* card power-up OK */
319 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
321 if (sd->size > SDSC_MAX_CAPACITY) {
322 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
326 static void sd_set_scr(SDState *sd)
328 sd->scr[0] = 0 << 4; /* SCR structure version 1.0 */
329 if (sd->spec_version == SD_PHY_SPECv1_10_VERS) {
330 sd->scr[0] |= 1; /* Spec Version 1.10 */
332 sd->scr[0] |= 2; /* Spec Version 2.00 or Version 3.0X */
334 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
335 | 0b0101; /* 1-bit or 4-bit width bus modes */
336 sd->scr[2] = 0x00; /* Extended Security is not supported. */
337 if (sd->spec_version >= SD_PHY_SPECv3_01_VERS) {
338 sd->scr[2] |= 1 << 7; /* Spec Version 3.0X */
341 /* reserved for manufacturer usage */
355 static void sd_set_cid(SDState *sd)
357 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
358 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
360 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
365 sd->cid[8] = PRV; /* Fake product revision (PRV) */
366 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
370 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
371 ((MDT_YR - 2000) / 10);
372 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
373 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
376 #define HWBLOCK_SHIFT 9 /* 512 bytes */
377 #define SECTOR_SHIFT 5 /* 16 kilobytes */
378 #define WPGROUP_SHIFT 7 /* 2 megs */
379 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
380 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
382 static const uint8_t sd_csd_rw_mask[16] = {
383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
387 static void sd_set_csd(SDState *sd, uint64_t size)
389 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
390 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
391 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
393 if (size <= SDSC_MAX_CAPACITY) { /* Standard Capacity SD */
394 sd->csd[0] = 0x00; /* CSD structure */
395 sd->csd[1] = 0x26; /* Data read access-time-1 */
396 sd->csd[2] = 0x00; /* Data read access-time-2 */
397 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
398 sd->csd[4] = 0x5f; /* Card Command Classes */
399 sd->csd[5] = 0x50 | /* Max. read data block length */
401 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
402 ((csize >> 10) & 0x03);
403 sd->csd[7] = 0x00 | /* Device size */
404 ((csize >> 2) & 0xff);
405 sd->csd[8] = 0x3f | /* Max. read current */
406 ((csize << 6) & 0xc0);
407 sd->csd[9] = 0xfc | /* Max. write current */
408 ((CMULT_SHIFT - 2) >> 1);
409 sd->csd[10] = 0x40 | /* Erase sector size */
410 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
411 sd->csd[11] = 0x00 | /* Write protect group size */
412 ((sectsize << 7) & 0x80) | wpsize;
413 sd->csd[12] = 0x90 | /* Write speed factor */
414 (HWBLOCK_SHIFT >> 2);
415 sd->csd[13] = 0x20 | /* Max. write data block length */
416 ((HWBLOCK_SHIFT << 6) & 0xc0);
417 sd->csd[14] = 0x00; /* File format group */
428 sd->csd[7] = (size >> 16) & 0xff;
429 sd->csd[8] = (size >> 8) & 0xff;
430 sd->csd[9] = (size & 0xff);
437 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
440 static void sd_set_rca(SDState *sd)
445 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
446 FIELD(CSR, APP_CMD, 5, 1)
447 FIELD(CSR, FX_EVENT, 6, 1)
448 FIELD(CSR, READY_FOR_DATA, 8, 1)
449 FIELD(CSR, CURRENT_STATE, 9, 4)
450 FIELD(CSR, ERASE_RESET, 13, 1)
451 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
452 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
453 FIELD(CSR, CSD_OVERWRITE, 16, 1)
454 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
455 FIELD(CSR, ERROR, 19, 1)
456 FIELD(CSR, CC_ERROR, 20, 1)
457 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
458 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
459 FIELD(CSR, COM_CRC_ERROR, 23, 1)
460 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
461 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
462 FIELD(CSR, WP_VIOLATION, 26, 1)
463 FIELD(CSR, ERASE_PARAM, 27, 1)
464 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
465 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
466 FIELD(CSR, ADDRESS_ERROR, 30, 1)
467 FIELD(CSR, OUT_OF_RANGE, 31, 1)
469 /* Card status bits, split by clear condition:
470 * A : According to the card current state
471 * B : Always related to the previous command
472 * C : Cleared by read
474 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
475 | R_CSR_CARD_ECC_DISABLED_MASK \
476 | R_CSR_CARD_IS_LOCKED_MASK)
477 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
478 | R_CSR_ILLEGAL_COMMAND_MASK \
479 | R_CSR_COM_CRC_ERROR_MASK)
480 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
481 | R_CSR_APP_CMD_MASK \
482 | R_CSR_ERASE_RESET_MASK \
483 | R_CSR_WP_ERASE_SKIP_MASK \
484 | R_CSR_CSD_OVERWRITE_MASK \
486 | R_CSR_CC_ERROR_MASK \
487 | R_CSR_CARD_ECC_FAILED_MASK \
488 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
489 | R_CSR_WP_VIOLATION_MASK \
490 | R_CSR_ERASE_PARAM_MASK \
491 | R_CSR_ERASE_SEQ_ERROR_MASK \
492 | R_CSR_BLOCK_LEN_ERROR_MASK \
493 | R_CSR_ADDRESS_ERROR_MASK \
494 | R_CSR_OUT_OF_RANGE_MASK)
496 static void sd_set_cardstatus(SDState *sd)
498 sd->card_status = 0x00000100;
501 static void sd_set_sdstatus(SDState *sd)
503 memset(sd->sd_status, 0, 64);
506 static int sd_req_crc_validate(SDRequest *req)
509 buffer[0] = 0x40 | req->cmd;
510 stl_be_p(&buffer[1], req->arg);
512 return sd_crc7(buffer, 5) != req->crc; /* TODO */
515 static void sd_response_r1_make(SDState *sd, uint8_t *response)
517 stl_be_p(response, sd->card_status);
519 /* Clear the "clear on read" status bits */
520 sd->card_status &= ~CARD_STATUS_C;
523 static void sd_response_r3_make(SDState *sd, uint8_t *response)
525 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
528 static void sd_response_r6_make(SDState *sd, uint8_t *response)
532 status = ((sd->card_status >> 8) & 0xc000) |
533 ((sd->card_status >> 6) & 0x2000) |
534 (sd->card_status & 0x1fff);
535 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
536 stw_be_p(response + 0, sd->rca);
537 stw_be_p(response + 2, status);
540 static void sd_response_r7_make(SDState *sd, uint8_t *response)
542 stl_be_p(response, sd->vhs);
545 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
547 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
550 static void sd_reset(DeviceState *dev)
552 SDState *sd = SD_CARD(dev);
556 trace_sdcard_reset();
558 blk_get_geometry(sd->blk, §);
564 sect = sd_addr_to_wpnum(size) + 1;
566 sd->state = sd_idle_state;
571 sd_set_csd(sd, size);
572 sd_set_cardstatus(sd);
575 g_free(sd->wp_groups);
576 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
577 sd->wpgrps_size = sect;
578 sd->wp_groups = bitmap_new(sd->wpgrps_size);
579 memset(sd->function_group, 0, sizeof(sd->function_group));
580 sd->erase_start = INVALID_ADDRESS;
581 sd->erase_end = INVALID_ADDRESS;
585 sd->expecting_acmd = false;
588 sd->multi_blk_cnt = 0;
591 static bool sd_get_inserted(SDState *sd)
593 return sd->blk && blk_is_inserted(sd->blk);
596 static bool sd_get_readonly(SDState *sd)
598 return sd->wp_switch;
601 static void sd_cardchange(void *opaque, bool load, Error **errp)
603 SDState *sd = opaque;
604 DeviceState *dev = DEVICE(sd);
606 bool inserted = sd_get_inserted(sd);
607 bool readonly = sd_get_readonly(sd);
610 trace_sdcard_inserted(readonly);
613 trace_sdcard_ejected();
616 if (sd->me_no_qdev_me_kill_mammoth_with_rocks) {
617 qemu_set_irq(sd->inserted_cb, inserted);
619 qemu_set_irq(sd->readonly_cb, readonly);
622 sdbus = SD_BUS(qdev_get_parent_bus(dev));
623 sdbus_set_inserted(sdbus, inserted);
625 sdbus_set_readonly(sdbus, readonly);
630 static const BlockDevOps sd_block_ops = {
631 .change_media_cb = sd_cardchange,
634 static bool sd_ocr_vmstate_needed(void *opaque)
636 SDState *sd = opaque;
638 /* Include the OCR state (and timer) if it is not yet powered up */
639 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
642 static const VMStateDescription sd_ocr_vmstate = {
643 .name = "sd-card/ocr-state",
645 .minimum_version_id = 1,
646 .needed = sd_ocr_vmstate_needed,
647 .fields = (VMStateField[]) {
648 VMSTATE_UINT32(ocr, SDState),
649 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
650 VMSTATE_END_OF_LIST()
654 static int sd_vmstate_pre_load(void *opaque)
656 SDState *sd = opaque;
658 /* If the OCR state is not included (prior versions, or not
659 * needed), then the OCR must be set as powered up. If the OCR state
660 * is included, this will be replaced by the state restore.
667 static const VMStateDescription sd_vmstate = {
670 .minimum_version_id = 2,
671 .pre_load = sd_vmstate_pre_load,
672 .fields = (VMStateField[]) {
673 VMSTATE_UINT32(mode, SDState),
674 VMSTATE_INT32(state, SDState),
675 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
676 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
677 VMSTATE_UINT16(rca, SDState),
678 VMSTATE_UINT32(card_status, SDState),
679 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
680 VMSTATE_UINT32(vhs, SDState),
681 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
682 VMSTATE_UINT32(blk_len, SDState),
683 VMSTATE_UINT32(multi_blk_cnt, SDState),
684 VMSTATE_UINT32(erase_start, SDState),
685 VMSTATE_UINT32(erase_end, SDState),
686 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
687 VMSTATE_UINT32(pwd_len, SDState),
688 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
689 VMSTATE_UINT8(current_cmd, SDState),
690 VMSTATE_BOOL(expecting_acmd, SDState),
691 VMSTATE_UINT32(blk_written, SDState),
692 VMSTATE_UINT64(data_start, SDState),
693 VMSTATE_UINT32(data_offset, SDState),
694 VMSTATE_UINT8_ARRAY(data, SDState, 512),
695 VMSTATE_UNUSED_V(1, 512),
696 VMSTATE_BOOL(enable, SDState),
697 VMSTATE_END_OF_LIST()
699 .subsections = (const VMStateDescription*[]) {
705 /* Legacy initialization function for use by non-qdevified callers */
706 SDState *sd_init(BlockBackend *blk, bool is_spi)
713 obj = object_new(TYPE_SD_CARD);
715 if (!qdev_prop_set_drive_err(dev, "drive", blk, &err)) {
716 error_reportf_err(err, "sd_init failed: ");
719 qdev_prop_set_bit(dev, "spi", is_spi);
722 * Realizing the device properly would put it into the QOM
723 * composition tree even though it is not plugged into an
724 * appropriate bus. That's a no-no. Hide the device from
725 * QOM/qdev, and call its qdev realize callback directly.
728 object_unparent(obj);
729 sd_realize(dev, &err);
731 error_reportf_err(err, "sd_init failed: ");
736 sd->me_no_qdev_me_kill_mammoth_with_rocks = true;
740 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
742 sd->readonly_cb = readonly;
743 sd->inserted_cb = insert;
744 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
745 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
748 static void sd_erase(SDState *sd)
751 uint64_t erase_start = sd->erase_start;
752 uint64_t erase_end = sd->erase_end;
754 trace_sdcard_erase(sd->erase_start, sd->erase_end);
755 if (sd->erase_start == INVALID_ADDRESS
756 || sd->erase_end == INVALID_ADDRESS) {
757 sd->card_status |= ERASE_SEQ_ERROR;
758 sd->erase_start = INVALID_ADDRESS;
759 sd->erase_end = INVALID_ADDRESS;
763 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
764 /* High capacity memory card: erase units are 512 byte blocks */
769 if (sd->erase_start > sd->size || sd->erase_end > sd->size) {
770 sd->card_status |= OUT_OF_RANGE;
771 sd->erase_start = INVALID_ADDRESS;
772 sd->erase_end = INVALID_ADDRESS;
776 erase_start = sd_addr_to_wpnum(erase_start);
777 erase_end = sd_addr_to_wpnum(erase_end);
778 sd->erase_start = INVALID_ADDRESS;
779 sd->erase_end = INVALID_ADDRESS;
782 for (i = erase_start; i <= erase_end; i++) {
783 if (test_bit(i, sd->wp_groups)) {
784 sd->card_status |= WP_ERASE_SKIP;
789 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
794 wpnum = sd_addr_to_wpnum(addr);
796 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
797 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
805 static void sd_function_switch(SDState *sd, uint32_t arg)
807 int i, mode, new_func;
808 mode = !!(arg & 0x80000000);
810 sd->data[0] = 0x00; /* Maximum current consumption */
812 sd->data[2] = 0x80; /* Supported group 6 functions */
814 sd->data[4] = 0x80; /* Supported group 5 functions */
816 sd->data[6] = 0x80; /* Supported group 4 functions */
818 sd->data[8] = 0x80; /* Supported group 3 functions */
820 sd->data[10] = 0x80; /* Supported group 2 functions */
822 sd->data[12] = 0x80; /* Supported group 1 functions */
825 for (i = 0; i < 6; i ++) {
826 new_func = (arg >> (i * 4)) & 0x0f;
827 if (mode && new_func != 0x0f)
828 sd->function_group[i] = new_func;
829 sd->data[16 - (i >> 1)] |= new_func << ((i % 2) * 4);
831 memset(&sd->data[17], 0, 47);
832 stw_be_p(sd->data + 64, sd_crc16(sd->data, 64));
835 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
837 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
840 static void sd_lock_command(SDState *sd)
842 int erase, lock, clr_pwd, set_pwd, pwd_len;
843 erase = !!(sd->data[0] & 0x08);
844 lock = sd->data[0] & 0x04;
845 clr_pwd = sd->data[0] & 0x02;
846 set_pwd = sd->data[0] & 0x01;
849 pwd_len = sd->data[1];
856 trace_sdcard_unlock();
859 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
860 set_pwd || clr_pwd || lock || sd->wp_switch ||
861 (sd->csd[14] & 0x20)) {
862 sd->card_status |= LOCK_UNLOCK_FAILED;
865 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
866 sd->csd[14] &= ~0x10;
867 sd->card_status &= ~CARD_IS_LOCKED;
869 /* Erasing the entire card here! */
870 fprintf(stderr, "SD: Card force-erased by CMD42\n");
874 if (sd->blk_len < 2 + pwd_len ||
875 pwd_len <= sd->pwd_len ||
876 pwd_len > sd->pwd_len + 16) {
877 sd->card_status |= LOCK_UNLOCK_FAILED;
881 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
882 sd->card_status |= LOCK_UNLOCK_FAILED;
886 pwd_len -= sd->pwd_len;
887 if ((pwd_len && !set_pwd) ||
888 (clr_pwd && (set_pwd || lock)) ||
889 (lock && !sd->pwd_len && !set_pwd) ||
890 (!set_pwd && !clr_pwd &&
891 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
892 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
893 sd->card_status |= LOCK_UNLOCK_FAILED;
898 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
899 sd->pwd_len = pwd_len;
907 sd->card_status |= CARD_IS_LOCKED;
909 sd->card_status &= ~CARD_IS_LOCKED;
912 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
914 uint32_t rca = 0x0000;
915 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
917 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
918 * However there is no ACMD55, so we want to trace this particular case.
920 if (req.cmd != 55 || sd->expecting_acmd) {
921 trace_sdcard_normal_command(sd->proto_name,
922 sd_cmd_name(req.cmd), req.cmd,
923 req.arg, sd_state_name(sd->state));
926 /* Not interpreting this as an app command */
927 sd->card_status &= ~APP_CMD;
929 if (sd_cmd_type[req.cmd] == sd_ac
930 || sd_cmd_type[req.cmd] == sd_adtc) {
934 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
935 * if not, its effects are cancelled */
936 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
937 sd->multi_blk_cnt = 0;
940 if (sd_cmd_class[req.cmd] == 6 && FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
941 /* Only Standard Capacity cards support class 6 commands */
946 /* Basic commands (Class 0 and Class 1) */
947 case 0: /* CMD0: GO_IDLE_STATE */
949 case sd_inactive_state:
950 return sd->spi ? sd_r1 : sd_r0;
953 sd->state = sd_idle_state;
954 sd_reset(DEVICE(sd));
955 return sd->spi ? sd_r1 : sd_r0;
959 case 1: /* CMD1: SEND_OP_CMD */
963 sd->state = sd_transfer_state;
966 case 2: /* CMD2: ALL_SEND_CID */
971 sd->state = sd_identification_state;
979 case 3: /* CMD3: SEND_RELATIVE_ADDR */
983 case sd_identification_state:
984 case sd_standby_state:
985 sd->state = sd_standby_state;
994 case 4: /* CMD4: SEND_DSR */
998 case sd_standby_state:
1006 case 5: /* CMD5: reserved for SDIO cards */
1009 case 6: /* CMD6: SWITCH_FUNCTION */
1011 case sd_data_transfer_mode:
1012 sd_function_switch(sd, req.arg);
1013 sd->state = sd_sendingdata_state;
1015 sd->data_offset = 0;
1023 case 7: /* CMD7: SELECT/DESELECT_CARD */
1026 switch (sd->state) {
1027 case sd_standby_state:
1031 sd->state = sd_transfer_state;
1034 case sd_transfer_state:
1035 case sd_sendingdata_state:
1039 sd->state = sd_standby_state;
1042 case sd_disconnect_state:
1046 sd->state = sd_programming_state;
1049 case sd_programming_state:
1053 sd->state = sd_disconnect_state;
1061 case 8: /* CMD8: SEND_IF_COND */
1062 if (sd->spec_version < SD_PHY_SPECv2_00_VERS) {
1065 if (sd->state != sd_idle_state) {
1070 /* No response if not exactly one VHS bit is set. */
1071 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1072 return sd->spi ? sd_r7 : sd_r0;
1079 case 9: /* CMD9: SEND_CSD */
1080 switch (sd->state) {
1081 case sd_standby_state:
1087 case sd_transfer_state:
1090 sd->state = sd_sendingdata_state;
1091 memcpy(sd->data, sd->csd, 16);
1092 sd->data_start = addr;
1093 sd->data_offset = 0;
1101 case 10: /* CMD10: SEND_CID */
1102 switch (sd->state) {
1103 case sd_standby_state:
1109 case sd_transfer_state:
1112 sd->state = sd_sendingdata_state;
1113 memcpy(sd->data, sd->cid, 16);
1114 sd->data_start = addr;
1115 sd->data_offset = 0;
1123 case 12: /* CMD12: STOP_TRANSMISSION */
1124 switch (sd->state) {
1125 case sd_sendingdata_state:
1126 sd->state = sd_transfer_state;
1129 case sd_receivingdata_state:
1130 sd->state = sd_programming_state;
1131 /* Bzzzzzzztt .... Operation complete. */
1132 sd->state = sd_transfer_state;
1140 case 13: /* CMD13: SEND_STATUS */
1142 case sd_data_transfer_mode:
1153 case 15: /* CMD15: GO_INACTIVE_STATE */
1157 case sd_data_transfer_mode:
1161 sd->state = sd_inactive_state;
1169 /* Block read commands (Classs 2) */
1170 case 16: /* CMD16: SET_BLOCKLEN */
1171 switch (sd->state) {
1172 case sd_transfer_state:
1173 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1174 sd->card_status |= BLOCK_LEN_ERROR;
1176 trace_sdcard_set_blocklen(req.arg);
1177 sd->blk_len = req.arg;
1187 case 17: /* CMD17: READ_SINGLE_BLOCK */
1188 switch (sd->state) {
1189 case sd_transfer_state:
1191 if (addr + sd->blk_len > sd->size) {
1192 sd->card_status |= ADDRESS_ERROR;
1196 sd->state = sd_sendingdata_state;
1197 sd->data_start = addr;
1198 sd->data_offset = 0;
1206 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1207 switch (sd->state) {
1208 case sd_transfer_state:
1210 if (addr + sd->blk_len > sd->size) {
1211 sd->card_status |= ADDRESS_ERROR;
1215 sd->state = sd_sendingdata_state;
1216 sd->data_start = addr;
1217 sd->data_offset = 0;
1225 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1226 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1229 if (sd->state == sd_transfer_state) {
1230 sd->state = sd_sendingdata_state;
1231 sd->data_offset = 0;
1236 case 23: /* CMD23: SET_BLOCK_COUNT */
1237 if (sd->spec_version < SD_PHY_SPECv3_01_VERS) {
1240 switch (sd->state) {
1241 case sd_transfer_state:
1242 sd->multi_blk_cnt = req.arg;
1250 /* Block write commands (Class 4) */
1251 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1252 switch (sd->state) {
1253 case sd_transfer_state:
1254 /* Writing in SPI mode not implemented. */
1258 if (addr + sd->blk_len > sd->size) {
1259 sd->card_status |= ADDRESS_ERROR;
1263 sd->state = sd_receivingdata_state;
1264 sd->data_start = addr;
1265 sd->data_offset = 0;
1266 sd->blk_written = 0;
1268 if (sd_wp_addr(sd, sd->data_start)) {
1269 sd->card_status |= WP_VIOLATION;
1271 if (sd->csd[14] & 0x30) {
1272 sd->card_status |= WP_VIOLATION;
1281 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1282 switch (sd->state) {
1283 case sd_transfer_state:
1284 /* Writing in SPI mode not implemented. */
1288 if (addr + sd->blk_len > sd->size) {
1289 sd->card_status |= ADDRESS_ERROR;
1293 sd->state = sd_receivingdata_state;
1294 sd->data_start = addr;
1295 sd->data_offset = 0;
1296 sd->blk_written = 0;
1298 if (sd_wp_addr(sd, sd->data_start)) {
1299 sd->card_status |= WP_VIOLATION;
1301 if (sd->csd[14] & 0x30) {
1302 sd->card_status |= WP_VIOLATION;
1311 case 26: /* CMD26: PROGRAM_CID */
1314 switch (sd->state) {
1315 case sd_transfer_state:
1316 sd->state = sd_receivingdata_state;
1318 sd->data_offset = 0;
1326 case 27: /* CMD27: PROGRAM_CSD */
1327 switch (sd->state) {
1328 case sd_transfer_state:
1329 sd->state = sd_receivingdata_state;
1331 sd->data_offset = 0;
1339 /* Write protection (Class 6) */
1340 case 28: /* CMD28: SET_WRITE_PROT */
1341 switch (sd->state) {
1342 case sd_transfer_state:
1343 if (addr >= sd->size) {
1344 sd->card_status |= ADDRESS_ERROR;
1348 sd->state = sd_programming_state;
1349 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1350 /* Bzzzzzzztt .... Operation complete. */
1351 sd->state = sd_transfer_state;
1359 case 29: /* CMD29: CLR_WRITE_PROT */
1360 switch (sd->state) {
1361 case sd_transfer_state:
1362 if (addr >= sd->size) {
1363 sd->card_status |= ADDRESS_ERROR;
1367 sd->state = sd_programming_state;
1368 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1369 /* Bzzzzzzztt .... Operation complete. */
1370 sd->state = sd_transfer_state;
1378 case 30: /* CMD30: SEND_WRITE_PROT */
1379 switch (sd->state) {
1380 case sd_transfer_state:
1381 sd->state = sd_sendingdata_state;
1382 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1383 sd->data_start = addr;
1384 sd->data_offset = 0;
1392 /* Erase commands (Class 5) */
1393 case 32: /* CMD32: ERASE_WR_BLK_START */
1394 switch (sd->state) {
1395 case sd_transfer_state:
1396 sd->erase_start = req.arg;
1404 case 33: /* CMD33: ERASE_WR_BLK_END */
1405 switch (sd->state) {
1406 case sd_transfer_state:
1407 sd->erase_end = req.arg;
1415 case 38: /* CMD38: ERASE */
1416 switch (sd->state) {
1417 case sd_transfer_state:
1418 if (sd->csd[14] & 0x30) {
1419 sd->card_status |= WP_VIOLATION;
1423 sd->state = sd_programming_state;
1425 /* Bzzzzzzztt .... Operation complete. */
1426 sd->state = sd_transfer_state;
1434 /* Lock card commands (Class 7) */
1435 case 42: /* CMD42: LOCK_UNLOCK */
1436 switch (sd->state) {
1437 case sd_transfer_state:
1438 sd->state = sd_receivingdata_state;
1440 sd->data_offset = 0;
1449 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1450 * (see the SDIO Simplified Specification V2.0)
1451 * Handle as illegal command but do not complain
1452 * on stderr, as some OSes may use these in their
1453 * probing for presence of an SDIO card.
1457 /* Application specific commands (Class 8) */
1458 case 55: /* CMD55: APP_CMD */
1459 switch (sd->state) {
1460 case sd_ready_state:
1461 case sd_identification_state:
1462 case sd_inactive_state:
1466 qemu_log_mask(LOG_GUEST_ERROR,
1467 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1473 if (sd->rca != rca) {
1477 sd->expecting_acmd = true;
1478 sd->card_status |= APP_CMD;
1481 case 56: /* CMD56: GEN_CMD */
1482 switch (sd->state) {
1483 case sd_transfer_state:
1484 sd->data_offset = 0;
1486 sd->state = sd_sendingdata_state;
1488 sd->state = sd_receivingdata_state;
1496 case 58: /* CMD58: READ_OCR (SPI) */
1502 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1506 goto unimplemented_spi_cmd;
1510 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1513 unimplemented_spi_cmd:
1514 /* Commands that are recognised but not yet implemented in SPI mode. */
1515 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1520 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1524 static sd_rsp_type_t sd_app_command(SDState *sd,
1527 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1528 req.cmd, req.arg, sd_state_name(sd->state));
1529 sd->card_status |= APP_CMD;
1531 case 6: /* ACMD6: SET_BUS_WIDTH */
1533 goto unimplemented_spi_cmd;
1535 switch (sd->state) {
1536 case sd_transfer_state:
1537 sd->sd_status[0] &= 0x3f;
1538 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1546 case 13: /* ACMD13: SD_STATUS */
1547 switch (sd->state) {
1548 case sd_transfer_state:
1549 sd->state = sd_sendingdata_state;
1551 sd->data_offset = 0;
1559 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1560 switch (sd->state) {
1561 case sd_transfer_state:
1562 *(uint32_t *) sd->data = sd->blk_written;
1564 sd->state = sd_sendingdata_state;
1566 sd->data_offset = 0;
1574 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1575 switch (sd->state) {
1576 case sd_transfer_state:
1584 case 41: /* ACMD41: SD_APP_OP_COND */
1587 sd->state = sd_transfer_state;
1590 if (sd->state != sd_idle_state) {
1593 /* If it's the first ACMD41 since reset, we need to decide
1594 * whether to power up. If this is not an enquiry ACMD41,
1595 * we immediately report power on and proceed below to the
1596 * ready state, but if it is, we set a timer to model a
1597 * delay for power up. This works around a bug in EDK2
1598 * UEFI, which sends an initial enquiry ACMD41, but
1599 * assumes that the card is in ready state as soon as it
1600 * sees the power up bit set. */
1601 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1602 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1603 timer_del(sd->ocr_power_timer);
1606 trace_sdcard_inquiry_cmd41();
1607 if (!timer_pending(sd->ocr_power_timer)) {
1608 timer_mod_ns(sd->ocr_power_timer,
1609 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1610 + OCR_POWER_DELAY_NS));
1615 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1616 /* We accept any voltage. 10000 V is nothing.
1618 * Once we're powered up, we advance straight to ready state
1619 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1621 sd->state = sd_ready_state;
1626 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1627 switch (sd->state) {
1628 case sd_transfer_state:
1629 /* Bringing in the 50KOhm pull-up resistor... Done. */
1637 case 51: /* ACMD51: SEND_SCR */
1638 switch (sd->state) {
1639 case sd_transfer_state:
1640 sd->state = sd_sendingdata_state;
1642 sd->data_offset = 0;
1650 case 18: /* Reserved for SD security applications */
1655 /* Refer to the "SD Specifications Part3 Security Specification" for
1656 * information about the SD Security Features.
1658 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1663 /* Fall back to standard commands. */
1664 return sd_normal_command(sd, req);
1666 unimplemented_spi_cmd:
1667 /* Commands that are recognised but not yet implemented in SPI mode. */
1668 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1673 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1677 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1679 /* Valid commands in locked state:
1681 * lock card class (7)
1683 * implicitly, the ACMD prefix CMD55
1685 * Anything else provokes an "illegal command" response.
1687 if (sd->expecting_acmd) {
1688 return req->cmd == 41 || req->cmd == 42;
1690 if (req->cmd == 16 || req->cmd == 55) {
1693 return sd_cmd_class[req->cmd] == 0
1694 || sd_cmd_class[req->cmd] == 7;
1697 int sd_do_command(SDState *sd, SDRequest *req,
1698 uint8_t *response) {
1700 sd_rsp_type_t rtype;
1703 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1707 if (sd_req_crc_validate(req)) {
1708 sd->card_status |= COM_CRC_ERROR;
1713 if (req->cmd >= SDMMC_CMD_MAX) {
1714 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1719 if (sd->card_status & CARD_IS_LOCKED) {
1720 if (!cmd_valid_while_locked(sd, req)) {
1721 sd->card_status |= ILLEGAL_COMMAND;
1722 sd->expecting_acmd = false;
1723 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1729 last_state = sd->state;
1732 if (sd->expecting_acmd) {
1733 sd->expecting_acmd = false;
1734 rtype = sd_app_command(sd, *req);
1736 rtype = sd_normal_command(sd, *req);
1739 if (rtype == sd_illegal) {
1740 sd->card_status |= ILLEGAL_COMMAND;
1742 /* Valid command, we can update the 'state before command' bits.
1743 * (Do this now so they appear in r1 responses.)
1745 sd->current_cmd = req->cmd;
1746 sd->card_status &= ~CURRENT_STATE;
1747 sd->card_status |= (last_state << 9);
1754 sd_response_r1_make(sd, response);
1759 memcpy(response, sd->cid, sizeof(sd->cid));
1764 memcpy(response, sd->csd, sizeof(sd->csd));
1769 sd_response_r3_make(sd, response);
1774 sd_response_r6_make(sd, response);
1779 sd_response_r7_make(sd, response);
1788 g_assert_not_reached();
1790 trace_sdcard_response(sd_response_name(rtype), rsplen);
1792 if (rtype != sd_illegal) {
1793 /* Clear the "clear on valid command" status bits now we've
1796 sd->card_status &= ~CARD_STATUS_B;
1800 qemu_hexdump(stderr, "Response", response, rsplen);
1806 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1808 trace_sdcard_read_block(addr, len);
1809 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1810 fprintf(stderr, "sd_blk_read: read error on host side\n");
1814 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1816 trace_sdcard_write_block(addr, len);
1817 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1818 fprintf(stderr, "sd_blk_write: write error on host side\n");
1822 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1823 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1824 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1825 #define APP_WRITE_BLOCK(a, len)
1827 void sd_write_byte(SDState *sd, uint8_t value)
1831 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1834 if (sd->state != sd_receivingdata_state) {
1835 qemu_log_mask(LOG_GUEST_ERROR,
1836 "%s: not in Receiving-Data state\n", __func__);
1840 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1843 trace_sdcard_write_data(sd->proto_name,
1844 sd_acmd_name(sd->current_cmd),
1845 sd->current_cmd, value);
1846 switch (sd->current_cmd) {
1847 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1848 sd->data[sd->data_offset ++] = value;
1849 if (sd->data_offset >= sd->blk_len) {
1850 /* TODO: Check CRC before committing */
1851 sd->state = sd_programming_state;
1852 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1854 sd->csd[14] |= 0x40;
1855 /* Bzzzzzzztt .... Operation complete. */
1856 sd->state = sd_transfer_state;
1860 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1861 if (sd->data_offset == 0) {
1862 /* Start of the block - let's check the address is valid */
1863 if (sd->data_start + sd->blk_len > sd->size) {
1864 sd->card_status |= ADDRESS_ERROR;
1867 if (sd_wp_addr(sd, sd->data_start)) {
1868 sd->card_status |= WP_VIOLATION;
1872 sd->data[sd->data_offset++] = value;
1873 if (sd->data_offset >= sd->blk_len) {
1874 /* TODO: Check CRC before committing */
1875 sd->state = sd_programming_state;
1876 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1878 sd->data_start += sd->blk_len;
1879 sd->data_offset = 0;
1880 sd->csd[14] |= 0x40;
1882 /* Bzzzzzzztt .... Operation complete. */
1883 if (sd->multi_blk_cnt != 0) {
1884 if (--sd->multi_blk_cnt == 0) {
1886 sd->state = sd_transfer_state;
1891 sd->state = sd_receivingdata_state;
1895 case 26: /* CMD26: PROGRAM_CID */
1896 sd->data[sd->data_offset ++] = value;
1897 if (sd->data_offset >= sizeof(sd->cid)) {
1898 /* TODO: Check CRC before committing */
1899 sd->state = sd_programming_state;
1900 for (i = 0; i < sizeof(sd->cid); i ++)
1901 if ((sd->cid[i] | 0x00) != sd->data[i])
1902 sd->card_status |= CID_CSD_OVERWRITE;
1904 if (!(sd->card_status & CID_CSD_OVERWRITE))
1905 for (i = 0; i < sizeof(sd->cid); i ++) {
1907 sd->cid[i] &= sd->data[i];
1909 /* Bzzzzzzztt .... Operation complete. */
1910 sd->state = sd_transfer_state;
1914 case 27: /* CMD27: PROGRAM_CSD */
1915 sd->data[sd->data_offset ++] = value;
1916 if (sd->data_offset >= sizeof(sd->csd)) {
1917 /* TODO: Check CRC before committing */
1918 sd->state = sd_programming_state;
1919 for (i = 0; i < sizeof(sd->csd); i ++)
1920 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1921 (sd->data[i] | sd_csd_rw_mask[i]))
1922 sd->card_status |= CID_CSD_OVERWRITE;
1924 /* Copy flag (OTP) & Permanent write protect */
1925 if (sd->csd[14] & ~sd->data[14] & 0x60)
1926 sd->card_status |= CID_CSD_OVERWRITE;
1928 if (!(sd->card_status & CID_CSD_OVERWRITE))
1929 for (i = 0; i < sizeof(sd->csd); i ++) {
1930 sd->csd[i] |= sd_csd_rw_mask[i];
1931 sd->csd[i] &= sd->data[i];
1933 /* Bzzzzzzztt .... Operation complete. */
1934 sd->state = sd_transfer_state;
1938 case 42: /* CMD42: LOCK_UNLOCK */
1939 sd->data[sd->data_offset ++] = value;
1940 if (sd->data_offset >= sd->blk_len) {
1941 /* TODO: Check CRC before committing */
1942 sd->state = sd_programming_state;
1943 sd_lock_command(sd);
1944 /* Bzzzzzzztt .... Operation complete. */
1945 sd->state = sd_transfer_state;
1949 case 56: /* CMD56: GEN_CMD */
1950 sd->data[sd->data_offset ++] = value;
1951 if (sd->data_offset >= sd->blk_len) {
1952 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1953 sd->state = sd_transfer_state;
1958 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
1963 #define SD_TUNING_BLOCK_SIZE 64
1965 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1966 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1967 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1968 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1969 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1970 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1971 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1972 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1973 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1974 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1977 uint8_t sd_read_byte(SDState *sd)
1979 /* TODO: Append CRCs */
1983 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1986 if (sd->state != sd_sendingdata_state) {
1987 qemu_log_mask(LOG_GUEST_ERROR,
1988 "%s: not in Sending-Data state\n", __func__);
1992 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1995 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1997 trace_sdcard_read_data(sd->proto_name,
1998 sd_acmd_name(sd->current_cmd),
1999 sd->current_cmd, io_len);
2000 switch (sd->current_cmd) {
2001 case 6: /* CMD6: SWITCH_FUNCTION */
2002 ret = sd->data[sd->data_offset ++];
2004 if (sd->data_offset >= 64)
2005 sd->state = sd_transfer_state;
2008 case 9: /* CMD9: SEND_CSD */
2009 case 10: /* CMD10: SEND_CID */
2010 ret = sd->data[sd->data_offset ++];
2012 if (sd->data_offset >= 16)
2013 sd->state = sd_transfer_state;
2016 case 13: /* ACMD13: SD_STATUS */
2017 ret = sd->sd_status[sd->data_offset ++];
2019 if (sd->data_offset >= sizeof(sd->sd_status))
2020 sd->state = sd_transfer_state;
2023 case 17: /* CMD17: READ_SINGLE_BLOCK */
2024 if (sd->data_offset == 0)
2025 BLK_READ_BLOCK(sd->data_start, io_len);
2026 ret = sd->data[sd->data_offset ++];
2028 if (sd->data_offset >= io_len)
2029 sd->state = sd_transfer_state;
2032 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
2033 if (sd->data_offset == 0) {
2034 if (sd->data_start + io_len > sd->size) {
2035 sd->card_status |= ADDRESS_ERROR;
2038 BLK_READ_BLOCK(sd->data_start, io_len);
2040 ret = sd->data[sd->data_offset ++];
2042 if (sd->data_offset >= io_len) {
2043 sd->data_start += io_len;
2044 sd->data_offset = 0;
2046 if (sd->multi_blk_cnt != 0) {
2047 if (--sd->multi_blk_cnt == 0) {
2049 sd->state = sd_transfer_state;
2056 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
2057 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
2058 sd->state = sd_transfer_state;
2060 ret = sd_tuning_block_pattern[sd->data_offset++];
2063 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2064 ret = sd->data[sd->data_offset ++];
2066 if (sd->data_offset >= 4)
2067 sd->state = sd_transfer_state;
2070 case 30: /* CMD30: SEND_WRITE_PROT */
2071 ret = sd->data[sd->data_offset ++];
2073 if (sd->data_offset >= 4)
2074 sd->state = sd_transfer_state;
2077 case 51: /* ACMD51: SEND_SCR */
2078 ret = sd->scr[sd->data_offset ++];
2080 if (sd->data_offset >= sizeof(sd->scr))
2081 sd->state = sd_transfer_state;
2084 case 56: /* CMD56: GEN_CMD */
2085 if (sd->data_offset == 0)
2086 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2087 ret = sd->data[sd->data_offset ++];
2089 if (sd->data_offset >= sd->blk_len)
2090 sd->state = sd_transfer_state;
2094 qemu_log_mask(LOG_GUEST_ERROR, "%s: unknown command\n", __func__);
2101 static bool sd_data_ready(SDState *sd)
2103 return sd->state == sd_sendingdata_state;
2106 void sd_enable(SDState *sd, bool enable)
2108 sd->enable = enable;
2111 static void sd_instance_init(Object *obj)
2113 SDState *sd = SD_CARD(obj);
2116 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2119 static void sd_instance_finalize(Object *obj)
2121 SDState *sd = SD_CARD(obj);
2123 timer_del(sd->ocr_power_timer);
2124 timer_free(sd->ocr_power_timer);
2127 static void sd_realize(DeviceState *dev, Error **errp)
2129 SDState *sd = SD_CARD(dev);
2132 sd->proto_name = sd->spi ? "SPI" : "SD";
2134 switch (sd->spec_version) {
2135 case SD_PHY_SPECv1_10_VERS
2136 ... SD_PHY_SPECv3_01_VERS:
2139 error_setg(errp, "Invalid SD card Spec version: %u", sd->spec_version);
2146 if (blk_is_read_only(sd->blk)) {
2147 error_setg(errp, "Cannot use read-only drive as SD card");
2151 blk_size = blk_getlength(sd->blk);
2152 if (blk_size > 0 && !is_power_of_2(blk_size)) {
2153 int64_t blk_size_aligned = pow2ceil(blk_size);
2156 blk_size_str = size_to_str(blk_size);
2157 error_setg(errp, "Invalid SD card size: %s", blk_size_str);
2158 g_free(blk_size_str);
2160 blk_size_str = size_to_str(blk_size_aligned);
2161 error_append_hint(errp,
2162 "SD card size has to be a power of 2, e.g. %s.\n"
2163 "You can resize disk images with"
2164 " 'qemu-img resize <imagefile> <new-size>'\n"
2165 "(note that this will lose data if you make the"
2166 " image smaller than it currently is).\n",
2168 g_free(blk_size_str);
2173 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2174 BLK_PERM_ALL, errp);
2178 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2182 static Property sd_properties[] = {
2183 DEFINE_PROP_UINT8("spec_version", SDState,
2184 spec_version, SD_PHY_SPECv2_00_VERS),
2185 DEFINE_PROP_DRIVE("drive", SDState, blk),
2186 /* We do not model the chip select pin, so allow the board to select
2187 * whether card should be in SSI or MMC/SD mode. It is also up to the
2188 * board to ensure that ssi transfers only occur when the chip select
2190 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2191 DEFINE_PROP_END_OF_LIST()
2194 static void sd_class_init(ObjectClass *klass, void *data)
2196 DeviceClass *dc = DEVICE_CLASS(klass);
2197 SDCardClass *sc = SD_CARD_CLASS(klass);
2199 dc->realize = sd_realize;
2200 device_class_set_props(dc, sd_properties);
2201 dc->vmsd = &sd_vmstate;
2202 dc->reset = sd_reset;
2203 dc->bus_type = TYPE_SD_BUS;
2204 set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
2206 sc->set_voltage = sd_set_voltage;
2207 sc->get_dat_lines = sd_get_dat_lines;
2208 sc->get_cmd_line = sd_get_cmd_line;
2209 sc->do_command = sd_do_command;
2210 sc->write_byte = sd_write_byte;
2211 sc->read_byte = sd_read_byte;
2212 sc->data_ready = sd_data_ready;
2213 sc->enable = sd_enable;
2214 sc->get_inserted = sd_get_inserted;
2215 sc->get_readonly = sd_get_readonly;
2218 static const TypeInfo sd_info = {
2219 .name = TYPE_SD_CARD,
2220 .parent = TYPE_DEVICE,
2221 .instance_size = sizeof(SDState),
2222 .class_size = sizeof(SDCardClass),
2223 .class_init = sd_class_init,
2224 .instance_init = sd_instance_init,
2225 .instance_finalize = sd_instance_finalize,
2228 static void sd_register_types(void)
2230 type_register_static(&sd_info);
2233 type_init(sd_register_types)
projects / qemu.git / blob