2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 1.10."
6 * Copyright (c) 2007 CodeSourcery
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 #include "qemu/osdep.h"
35 #include "hw/registerfields.h"
36 #include "sysemu/block-backend.h"
38 #include "qapi/error.h"
39 #include "qemu/bitmap.h"
40 #include "qemu/cutils.h"
41 #include "hw/qdev-properties.h"
42 #include "qemu/error-report.h"
43 #include "qemu/timer.h"
45 #include "sdmmc-internal.h"
51 sd_r0 = 0, /* no response */
52 sd_r1, /* normal response command */
53 sd_r2_i, /* CID register */
54 sd_r2_s, /* CSD register */
55 sd_r3, /* OCR register */
56 sd_r6 = 6, /* Published RCA response */
57 sd_r7, /* Operating voltage */
64 sd_card_identification_mode,
65 sd_data_transfer_mode,
69 sd_inactive_state = -1,
72 sd_identification_state,
76 sd_receivingdata_state,
82 DeviceState parent_obj;
84 /* SD Memory Card Registers */
91 uint8_t sd_status[64];
93 /* Configurable properties */
97 uint32_t mode; /* current card mode, one of SDCardModes */
98 int32_t state; /* current card state, one of SDCardStates */
101 unsigned long *wp_groups;
105 uint32_t multi_blk_cnt;
106 uint32_t erase_start;
110 uint8_t function_group[6];
112 /* True if we will handle the next command as an ACMD. Note that this does
113 * *not* track the APP_CMD status bit!
116 uint32_t blk_written;
118 uint32_t data_offset;
120 qemu_irq readonly_cb;
121 qemu_irq inserted_cb;
122 QEMUTimer *ocr_power_timer;
123 const char *proto_name;
129 static const char *sd_state_name(enum SDCardStates state)
131 static const char *state_name[] = {
132 [sd_idle_state] = "idle",
133 [sd_ready_state] = "ready",
134 [sd_identification_state] = "identification",
135 [sd_standby_state] = "standby",
136 [sd_transfer_state] = "transfer",
137 [sd_sendingdata_state] = "sendingdata",
138 [sd_receivingdata_state] = "receivingdata",
139 [sd_programming_state] = "programming",
140 [sd_disconnect_state] = "disconnect",
142 if (state == sd_inactive_state) {
145 assert(state <= ARRAY_SIZE(state_name));
146 return state_name[state];
149 static const char *sd_response_name(sd_rsp_type_t rsp)
151 static const char *response_name[] = {
152 [sd_r0] = "RESP#0 (no response)",
153 [sd_r1] = "RESP#1 (normal cmd)",
154 [sd_r2_i] = "RESP#2 (CID reg)",
155 [sd_r2_s] = "RESP#2 (CSD reg)",
156 [sd_r3] = "RESP#3 (OCR reg)",
157 [sd_r6] = "RESP#6 (RCA)",
158 [sd_r7] = "RESP#7 (operating voltage)",
160 if (rsp == sd_illegal) {
161 return "ILLEGAL RESP";
166 assert(rsp <= ARRAY_SIZE(response_name));
167 return response_name[rsp];
170 static uint8_t sd_get_dat_lines(SDState *sd)
172 return sd->enable ? sd->dat_lines : 0;
175 static bool sd_get_cmd_line(SDState *sd)
177 return sd->enable ? sd->cmd_line : false;
180 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
182 trace_sdcard_set_voltage(millivolts);
184 switch (millivolts) {
185 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
186 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
189 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
190 millivolts / 1000.f);
194 static void sd_set_mode(SDState *sd)
197 case sd_inactive_state:
198 sd->mode = sd_inactive;
203 case sd_identification_state:
204 sd->mode = sd_card_identification_mode;
207 case sd_standby_state:
208 case sd_transfer_state:
209 case sd_sendingdata_state:
210 case sd_receivingdata_state:
211 case sd_programming_state:
212 case sd_disconnect_state:
213 sd->mode = sd_data_transfer_mode;
218 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
219 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
220 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
222 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
223 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
225 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
226 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
228 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
229 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
232 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
233 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
234 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
235 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
236 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
239 static uint8_t sd_crc7(void *message, size_t width)
242 uint8_t shift_reg = 0x00;
243 uint8_t *msg = (uint8_t *) message;
245 for (i = 0; i < width; i ++, msg ++)
246 for (bit = 7; bit >= 0; bit --) {
248 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
255 static uint16_t sd_crc16(void *message, size_t width)
258 uint16_t shift_reg = 0x0000;
259 uint16_t *msg = (uint16_t *) message;
262 for (i = 0; i < width; i ++, msg ++)
263 for (bit = 15; bit >= 0; bit --) {
265 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
272 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
274 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
275 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
276 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
277 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
278 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
279 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
280 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
281 FIELD(OCR, CARD_POWER_UP, 31, 1)
283 #define ACMD41_ENQUIRY_MASK 0x00ffffff
284 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
285 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
286 | R_OCR_UHS_II_CARD_MASK \
287 | R_OCR_CARD_CAPACITY_MASK \
288 | R_OCR_CARD_POWER_UP_MASK)
290 static void sd_set_ocr(SDState *sd)
292 /* All voltages OK */
293 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
296 static void sd_ocr_powerup(void *opaque)
298 SDState *sd = opaque;
300 trace_sdcard_powerup();
301 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
303 /* card power-up OK */
304 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
306 if (sd->size > 1 * G_BYTE) {
307 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
311 static void sd_set_scr(SDState *sd)
313 sd->scr[0] = (0 << 4) /* SCR version 1.0 */
314 | 0; /* Spec Versions 1.0 and 1.01 */
315 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
316 | 0b0101; /* 1-bit or 4-bit width bus modes */
317 sd->scr[2] = 0x00; /* Extended Security is not supported. */
319 /* reserved for manufacturer usage */
333 static void sd_set_cid(SDState *sd)
335 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
336 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
338 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
343 sd->cid[8] = PRV; /* Fake product revision (PRV) */
344 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
348 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
349 ((MDT_YR - 2000) / 10);
350 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
351 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
354 #define HWBLOCK_SHIFT 9 /* 512 bytes */
355 #define SECTOR_SHIFT 5 /* 16 kilobytes */
356 #define WPGROUP_SHIFT 7 /* 2 megs */
357 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
358 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
360 static const uint8_t sd_csd_rw_mask[16] = {
361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
362 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
365 static void sd_set_csd(SDState *sd, uint64_t size)
367 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
368 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
369 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
371 if (size <= 1 * G_BYTE) { /* Standard Capacity SD */
372 sd->csd[0] = 0x00; /* CSD structure */
373 sd->csd[1] = 0x26; /* Data read access-time-1 */
374 sd->csd[2] = 0x00; /* Data read access-time-2 */
375 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
376 sd->csd[4] = 0x5f; /* Card Command Classes */
377 sd->csd[5] = 0x50 | /* Max. read data block length */
379 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
380 ((csize >> 10) & 0x03);
381 sd->csd[7] = 0x00 | /* Device size */
382 ((csize >> 2) & 0xff);
383 sd->csd[8] = 0x3f | /* Max. read current */
384 ((csize << 6) & 0xc0);
385 sd->csd[9] = 0xfc | /* Max. write current */
386 ((CMULT_SHIFT - 2) >> 1);
387 sd->csd[10] = 0x40 | /* Erase sector size */
388 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
389 sd->csd[11] = 0x00 | /* Write protect group size */
390 ((sectsize << 7) & 0x80) | wpsize;
391 sd->csd[12] = 0x90 | /* Write speed factor */
392 (HWBLOCK_SHIFT >> 2);
393 sd->csd[13] = 0x20 | /* Max. write data block length */
394 ((HWBLOCK_SHIFT << 6) & 0xc0);
395 sd->csd[14] = 0x00; /* File format group */
406 sd->csd[7] = (size >> 16) & 0xff;
407 sd->csd[8] = (size >> 8) & 0xff;
408 sd->csd[9] = (size & 0xff);
415 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
418 static void sd_set_rca(SDState *sd)
423 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
424 FIELD(CSR, APP_CMD, 5, 1)
425 FIELD(CSR, FX_EVENT, 6, 1)
426 FIELD(CSR, READY_FOR_DATA, 8, 1)
427 FIELD(CSR, CURRENT_STATE, 9, 4)
428 FIELD(CSR, ERASE_RESET, 13, 1)
429 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
430 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
431 FIELD(CSR, CSD_OVERWRITE, 16, 1)
432 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
433 FIELD(CSR, ERROR, 19, 1)
434 FIELD(CSR, CC_ERROR, 20, 1)
435 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
436 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
437 FIELD(CSR, COM_CRC_ERROR, 23, 1)
438 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
439 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
440 FIELD(CSR, WP_VIOLATION, 26, 1)
441 FIELD(CSR, ERASE_PARAM, 27, 1)
442 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
443 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
444 FIELD(CSR, ADDRESS_ERROR, 30, 1)
445 FIELD(CSR, OUT_OF_RANGE, 31, 1)
447 /* Card status bits, split by clear condition:
448 * A : According to the card current state
449 * B : Always related to the previous command
450 * C : Cleared by read
452 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
453 | R_CSR_CARD_ECC_DISABLED_MASK \
454 | R_CSR_CARD_IS_LOCKED_MASK)
455 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
456 | R_CSR_ILLEGAL_COMMAND_MASK \
457 | R_CSR_COM_CRC_ERROR_MASK)
458 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
459 | R_CSR_APP_CMD_MASK \
460 | R_CSR_ERASE_RESET_MASK \
461 | R_CSR_WP_ERASE_SKIP_MASK \
462 | R_CSR_CSD_OVERWRITE_MASK \
464 | R_CSR_CC_ERROR_MASK \
465 | R_CSR_CARD_ECC_FAILED_MASK \
466 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
467 | R_CSR_WP_VIOLATION_MASK \
468 | R_CSR_ERASE_PARAM_MASK \
469 | R_CSR_ERASE_SEQ_ERROR_MASK \
470 | R_CSR_BLOCK_LEN_ERROR_MASK \
471 | R_CSR_ADDRESS_ERROR_MASK \
472 | R_CSR_OUT_OF_RANGE_MASK)
474 static void sd_set_cardstatus(SDState *sd)
476 sd->card_status = 0x00000100;
479 static void sd_set_sdstatus(SDState *sd)
481 memset(sd->sd_status, 0, 64);
484 static int sd_req_crc_validate(SDRequest *req)
487 buffer[0] = 0x40 | req->cmd;
488 stl_be_p(&buffer[1], req->arg);
490 return sd_crc7(buffer, 5) != req->crc; /* TODO */
493 static void sd_response_r1_make(SDState *sd, uint8_t *response)
495 stl_be_p(response, sd->card_status);
497 /* Clear the "clear on read" status bits */
498 sd->card_status &= ~CARD_STATUS_C;
501 static void sd_response_r3_make(SDState *sd, uint8_t *response)
503 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
506 static void sd_response_r6_make(SDState *sd, uint8_t *response)
510 status = ((sd->card_status >> 8) & 0xc000) |
511 ((sd->card_status >> 6) & 0x2000) |
512 (sd->card_status & 0x1fff);
513 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
514 stw_be_p(response + 0, sd->rca);
515 stw_be_p(response + 2, status);
518 static void sd_response_r7_make(SDState *sd, uint8_t *response)
520 stl_be_p(response, sd->vhs);
523 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
525 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
528 static void sd_reset(DeviceState *dev)
530 SDState *sd = SD_CARD(dev);
534 trace_sdcard_reset();
536 blk_get_geometry(sd->blk, §);
542 sect = sd_addr_to_wpnum(size) + 1;
544 sd->state = sd_idle_state;
549 sd_set_csd(sd, size);
550 sd_set_cardstatus(sd);
553 g_free(sd->wp_groups);
554 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
555 sd->wpgrps_size = sect;
556 sd->wp_groups = bitmap_new(sd->wpgrps_size);
557 memset(sd->function_group, 0, sizeof(sd->function_group));
563 sd->expecting_acmd = false;
566 sd->multi_blk_cnt = 0;
569 static bool sd_get_inserted(SDState *sd)
571 return sd->blk && blk_is_inserted(sd->blk);
574 static bool sd_get_readonly(SDState *sd)
576 return sd->wp_switch;
579 static void sd_cardchange(void *opaque, bool load, Error **errp)
581 SDState *sd = opaque;
582 DeviceState *dev = DEVICE(sd);
583 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev));
584 bool inserted = sd_get_inserted(sd);
585 bool readonly = sd_get_readonly(sd);
588 trace_sdcard_inserted(readonly);
591 trace_sdcard_ejected();
594 /* The IRQ notification is for legacy non-QOM SD controller devices;
595 * QOMified controllers use the SDBus APIs.
598 sdbus_set_inserted(sdbus, inserted);
600 sdbus_set_readonly(sdbus, readonly);
603 qemu_set_irq(sd->inserted_cb, inserted);
605 qemu_set_irq(sd->readonly_cb, readonly);
610 static const BlockDevOps sd_block_ops = {
611 .change_media_cb = sd_cardchange,
614 static bool sd_ocr_vmstate_needed(void *opaque)
616 SDState *sd = opaque;
618 /* Include the OCR state (and timer) if it is not yet powered up */
619 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
622 static const VMStateDescription sd_ocr_vmstate = {
623 .name = "sd-card/ocr-state",
625 .minimum_version_id = 1,
626 .needed = sd_ocr_vmstate_needed,
627 .fields = (VMStateField[]) {
628 VMSTATE_UINT32(ocr, SDState),
629 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
630 VMSTATE_END_OF_LIST()
634 static int sd_vmstate_pre_load(void *opaque)
636 SDState *sd = opaque;
638 /* If the OCR state is not included (prior versions, or not
639 * needed), then the OCR must be set as powered up. If the OCR state
640 * is included, this will be replaced by the state restore.
647 static const VMStateDescription sd_vmstate = {
650 .minimum_version_id = 1,
651 .pre_load = sd_vmstate_pre_load,
652 .fields = (VMStateField[]) {
653 VMSTATE_UINT32(mode, SDState),
654 VMSTATE_INT32(state, SDState),
655 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
656 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
657 VMSTATE_UINT16(rca, SDState),
658 VMSTATE_UINT32(card_status, SDState),
659 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
660 VMSTATE_UINT32(vhs, SDState),
661 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
662 VMSTATE_UINT32(blk_len, SDState),
663 VMSTATE_UINT32(multi_blk_cnt, SDState),
664 VMSTATE_UINT32(erase_start, SDState),
665 VMSTATE_UINT32(erase_end, SDState),
666 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
667 VMSTATE_UINT32(pwd_len, SDState),
668 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
669 VMSTATE_UINT8(current_cmd, SDState),
670 VMSTATE_BOOL(expecting_acmd, SDState),
671 VMSTATE_UINT32(blk_written, SDState),
672 VMSTATE_UINT64(data_start, SDState),
673 VMSTATE_UINT32(data_offset, SDState),
674 VMSTATE_UINT8_ARRAY(data, SDState, 512),
675 VMSTATE_UNUSED_V(1, 512),
676 VMSTATE_BOOL(enable, SDState),
677 VMSTATE_END_OF_LIST()
679 .subsections = (const VMStateDescription*[]) {
685 /* Legacy initialization function for use by non-qdevified callers */
686 SDState *sd_init(BlockBackend *blk, bool is_spi)
692 obj = object_new(TYPE_SD_CARD);
694 qdev_prop_set_drive(dev, "drive", blk, &err);
696 error_report("sd_init failed: %s", error_get_pretty(err));
699 qdev_prop_set_bit(dev, "spi", is_spi);
700 object_property_set_bool(obj, true, "realized", &err);
702 error_report("sd_init failed: %s", error_get_pretty(err));
709 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
711 sd->readonly_cb = readonly;
712 sd->inserted_cb = insert;
713 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
714 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
717 static void sd_erase(SDState *sd)
720 uint64_t erase_start = sd->erase_start;
721 uint64_t erase_end = sd->erase_end;
723 trace_sdcard_erase();
724 if (!sd->erase_start || !sd->erase_end) {
725 sd->card_status |= ERASE_SEQ_ERROR;
729 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
730 /* High capacity memory card: erase units are 512 byte blocks */
735 erase_start = sd_addr_to_wpnum(erase_start);
736 erase_end = sd_addr_to_wpnum(erase_end);
741 for (i = erase_start; i <= erase_end; i++) {
742 if (test_bit(i, sd->wp_groups)) {
743 sd->card_status |= WP_ERASE_SKIP;
748 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
753 wpnum = sd_addr_to_wpnum(addr);
755 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
756 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
764 static void sd_function_switch(SDState *sd, uint32_t arg)
766 int i, mode, new_func;
767 mode = !!(arg & 0x80000000);
769 sd->data[0] = 0x00; /* Maximum current consumption */
771 sd->data[2] = 0x80; /* Supported group 6 functions */
773 sd->data[4] = 0x80; /* Supported group 5 functions */
775 sd->data[6] = 0x80; /* Supported group 4 functions */
777 sd->data[8] = 0x80; /* Supported group 3 functions */
779 sd->data[10] = 0x80; /* Supported group 2 functions */
781 sd->data[12] = 0x80; /* Supported group 1 functions */
783 for (i = 0; i < 6; i ++) {
784 new_func = (arg >> (i * 4)) & 0x0f;
785 if (mode && new_func != 0x0f)
786 sd->function_group[i] = new_func;
787 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
789 memset(&sd->data[17], 0, 47);
790 stw_be_p(sd->data + 65, sd_crc16(sd->data, 64));
793 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
795 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
798 static void sd_lock_command(SDState *sd)
800 int erase, lock, clr_pwd, set_pwd, pwd_len;
801 erase = !!(sd->data[0] & 0x08);
802 lock = sd->data[0] & 0x04;
803 clr_pwd = sd->data[0] & 0x02;
804 set_pwd = sd->data[0] & 0x01;
807 pwd_len = sd->data[1];
814 trace_sdcard_unlock();
817 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
818 set_pwd || clr_pwd || lock || sd->wp_switch ||
819 (sd->csd[14] & 0x20)) {
820 sd->card_status |= LOCK_UNLOCK_FAILED;
823 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
824 sd->csd[14] &= ~0x10;
825 sd->card_status &= ~CARD_IS_LOCKED;
827 /* Erasing the entire card here! */
828 fprintf(stderr, "SD: Card force-erased by CMD42\n");
832 if (sd->blk_len < 2 + pwd_len ||
833 pwd_len <= sd->pwd_len ||
834 pwd_len > sd->pwd_len + 16) {
835 sd->card_status |= LOCK_UNLOCK_FAILED;
839 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
840 sd->card_status |= LOCK_UNLOCK_FAILED;
844 pwd_len -= sd->pwd_len;
845 if ((pwd_len && !set_pwd) ||
846 (clr_pwd && (set_pwd || lock)) ||
847 (lock && !sd->pwd_len && !set_pwd) ||
848 (!set_pwd && !clr_pwd &&
849 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
850 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
851 sd->card_status |= LOCK_UNLOCK_FAILED;
856 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
857 sd->pwd_len = pwd_len;
865 sd->card_status |= CARD_IS_LOCKED;
867 sd->card_status &= ~CARD_IS_LOCKED;
870 static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req)
872 uint32_t rca = 0x0000;
873 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
875 /* CMD55 precedes an ACMD, so we are not interested in tracing it.
876 * However there is no ACMD55, so we want to trace this particular case.
878 if (req.cmd != 55 || sd->expecting_acmd) {
879 trace_sdcard_normal_command(sd->proto_name,
880 sd_cmd_name(req.cmd), req.cmd,
881 req.arg, sd_state_name(sd->state));
884 /* Not interpreting this as an app command */
885 sd->card_status &= ~APP_CMD;
887 if (sd_cmd_type[req.cmd] == sd_ac
888 || sd_cmd_type[req.cmd] == sd_adtc) {
892 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
893 * if not, its effects are cancelled */
894 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
895 sd->multi_blk_cnt = 0;
899 /* Basic commands (Class 0 and Class 1) */
900 case 0: /* CMD0: GO_IDLE_STATE */
902 case sd_inactive_state:
903 return sd->spi ? sd_r1 : sd_r0;
906 sd->state = sd_idle_state;
907 sd_reset(DEVICE(sd));
908 return sd->spi ? sd_r1 : sd_r0;
912 case 1: /* CMD1: SEND_OP_CMD */
916 sd->state = sd_transfer_state;
919 case 2: /* CMD2: ALL_SEND_CID */
924 sd->state = sd_identification_state;
932 case 3: /* CMD3: SEND_RELATIVE_ADDR */
936 case sd_identification_state:
937 case sd_standby_state:
938 sd->state = sd_standby_state;
947 case 4: /* CMD4: SEND_DSR */
951 case sd_standby_state:
959 case 5: /* CMD5: reserved for SDIO cards */
962 case 6: /* CMD6: SWITCH_FUNCTION */
966 case sd_data_transfer_mode:
967 sd_function_switch(sd, req.arg);
968 sd->state = sd_sendingdata_state;
978 case 7: /* CMD7: SELECT/DESELECT_CARD */
982 case sd_standby_state:
986 sd->state = sd_transfer_state;
989 case sd_transfer_state:
990 case sd_sendingdata_state:
994 sd->state = sd_standby_state;
997 case sd_disconnect_state:
1001 sd->state = sd_programming_state;
1004 case sd_programming_state:
1008 sd->state = sd_disconnect_state;
1016 case 8: /* CMD8: SEND_IF_COND */
1017 /* Physical Layer Specification Version 2.00 command */
1018 if (sd->state != sd_idle_state) {
1023 /* No response if not exactly one VHS bit is set. */
1024 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1025 return sd->spi ? sd_r7 : sd_r0;
1032 case 9: /* CMD9: SEND_CSD */
1033 switch (sd->state) {
1034 case sd_standby_state:
1040 case sd_transfer_state:
1043 sd->state = sd_sendingdata_state;
1044 memcpy(sd->data, sd->csd, 16);
1045 sd->data_start = addr;
1046 sd->data_offset = 0;
1054 case 10: /* CMD10: SEND_CID */
1055 switch (sd->state) {
1056 case sd_standby_state:
1062 case sd_transfer_state:
1065 sd->state = sd_sendingdata_state;
1066 memcpy(sd->data, sd->cid, 16);
1067 sd->data_start = addr;
1068 sd->data_offset = 0;
1076 case 12: /* CMD12: STOP_TRANSMISSION */
1077 switch (sd->state) {
1078 case sd_sendingdata_state:
1079 sd->state = sd_transfer_state;
1082 case sd_receivingdata_state:
1083 sd->state = sd_programming_state;
1084 /* Bzzzzzzztt .... Operation complete. */
1085 sd->state = sd_transfer_state;
1093 case 13: /* CMD13: SEND_STATUS */
1095 case sd_data_transfer_mode:
1106 case 15: /* CMD15: GO_INACTIVE_STATE */
1110 case sd_data_transfer_mode:
1114 sd->state = sd_inactive_state;
1122 /* Block read commands (Classs 2) */
1123 case 16: /* CMD16: SET_BLOCKLEN */
1124 switch (sd->state) {
1125 case sd_transfer_state:
1126 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1127 sd->card_status |= BLOCK_LEN_ERROR;
1129 trace_sdcard_set_blocklen(req.arg);
1130 sd->blk_len = req.arg;
1140 case 17: /* CMD17: READ_SINGLE_BLOCK */
1141 switch (sd->state) {
1142 case sd_transfer_state:
1143 sd->state = sd_sendingdata_state;
1144 sd->data_start = addr;
1145 sd->data_offset = 0;
1147 if (sd->data_start + sd->blk_len > sd->size)
1148 sd->card_status |= ADDRESS_ERROR;
1156 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1157 switch (sd->state) {
1158 case sd_transfer_state:
1159 sd->state = sd_sendingdata_state;
1160 sd->data_start = addr;
1161 sd->data_offset = 0;
1163 if (sd->data_start + sd->blk_len > sd->size)
1164 sd->card_status |= ADDRESS_ERROR;
1172 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1173 if (sd->state == sd_transfer_state) {
1174 sd->state = sd_sendingdata_state;
1175 sd->data_offset = 0;
1180 case 23: /* CMD23: SET_BLOCK_COUNT */
1181 switch (sd->state) {
1182 case sd_transfer_state:
1183 sd->multi_blk_cnt = req.arg;
1191 /* Block write commands (Class 4) */
1192 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1194 goto unimplemented_spi_cmd;
1196 switch (sd->state) {
1197 case sd_transfer_state:
1198 /* Writing in SPI mode not implemented. */
1201 sd->state = sd_receivingdata_state;
1202 sd->data_start = addr;
1203 sd->data_offset = 0;
1204 sd->blk_written = 0;
1206 if (sd->data_start + sd->blk_len > sd->size)
1207 sd->card_status |= ADDRESS_ERROR;
1208 if (sd_wp_addr(sd, sd->data_start))
1209 sd->card_status |= WP_VIOLATION;
1210 if (sd->csd[14] & 0x30)
1211 sd->card_status |= WP_VIOLATION;
1219 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1221 goto unimplemented_spi_cmd;
1223 switch (sd->state) {
1224 case sd_transfer_state:
1225 /* Writing in SPI mode not implemented. */
1228 sd->state = sd_receivingdata_state;
1229 sd->data_start = addr;
1230 sd->data_offset = 0;
1231 sd->blk_written = 0;
1233 if (sd->data_start + sd->blk_len > sd->size)
1234 sd->card_status |= ADDRESS_ERROR;
1235 if (sd_wp_addr(sd, sd->data_start))
1236 sd->card_status |= WP_VIOLATION;
1237 if (sd->csd[14] & 0x30)
1238 sd->card_status |= WP_VIOLATION;
1246 case 26: /* CMD26: PROGRAM_CID */
1249 switch (sd->state) {
1250 case sd_transfer_state:
1251 sd->state = sd_receivingdata_state;
1253 sd->data_offset = 0;
1261 case 27: /* CMD27: PROGRAM_CSD */
1263 goto unimplemented_spi_cmd;
1265 switch (sd->state) {
1266 case sd_transfer_state:
1267 sd->state = sd_receivingdata_state;
1269 sd->data_offset = 0;
1277 /* Write protection (Class 6) */
1278 case 28: /* CMD28: SET_WRITE_PROT */
1279 switch (sd->state) {
1280 case sd_transfer_state:
1281 if (addr >= sd->size) {
1282 sd->card_status |= ADDRESS_ERROR;
1286 sd->state = sd_programming_state;
1287 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1288 /* Bzzzzzzztt .... Operation complete. */
1289 sd->state = sd_transfer_state;
1297 case 29: /* CMD29: CLR_WRITE_PROT */
1298 switch (sd->state) {
1299 case sd_transfer_state:
1300 if (addr >= sd->size) {
1301 sd->card_status |= ADDRESS_ERROR;
1305 sd->state = sd_programming_state;
1306 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1307 /* Bzzzzzzztt .... Operation complete. */
1308 sd->state = sd_transfer_state;
1316 case 30: /* CMD30: SEND_WRITE_PROT */
1317 switch (sd->state) {
1318 case sd_transfer_state:
1319 sd->state = sd_sendingdata_state;
1320 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1321 sd->data_start = addr;
1322 sd->data_offset = 0;
1330 /* Erase commands (Class 5) */
1331 case 32: /* CMD32: ERASE_WR_BLK_START */
1332 switch (sd->state) {
1333 case sd_transfer_state:
1334 sd->erase_start = req.arg;
1342 case 33: /* CMD33: ERASE_WR_BLK_END */
1343 switch (sd->state) {
1344 case sd_transfer_state:
1345 sd->erase_end = req.arg;
1353 case 38: /* CMD38: ERASE */
1354 switch (sd->state) {
1355 case sd_transfer_state:
1356 if (sd->csd[14] & 0x30) {
1357 sd->card_status |= WP_VIOLATION;
1361 sd->state = sd_programming_state;
1363 /* Bzzzzzzztt .... Operation complete. */
1364 sd->state = sd_transfer_state;
1372 /* Lock card commands (Class 7) */
1373 case 42: /* CMD42: LOCK_UNLOCK */
1375 goto unimplemented_spi_cmd;
1377 switch (sd->state) {
1378 case sd_transfer_state:
1379 sd->state = sd_receivingdata_state;
1381 sd->data_offset = 0;
1390 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1391 * (see the SDIO Simplified Specification V2.0)
1392 * Handle as illegal command but do not complain
1393 * on stderr, as some OSes may use these in their
1394 * probing for presence of an SDIO card.
1398 /* Application specific commands (Class 8) */
1399 case 55: /* CMD55: APP_CMD */
1400 switch (sd->state) {
1401 case sd_ready_state:
1402 case sd_identification_state:
1403 case sd_inactive_state:
1407 qemu_log_mask(LOG_GUEST_ERROR,
1408 "SD: illegal RCA 0x%04x for APP_CMD\n", req.cmd);
1414 if (sd->rca != rca) {
1418 sd->expecting_acmd = true;
1419 sd->card_status |= APP_CMD;
1422 case 56: /* CMD56: GEN_CMD */
1423 switch (sd->state) {
1424 case sd_transfer_state:
1425 sd->data_offset = 0;
1427 sd->state = sd_sendingdata_state;
1429 sd->state = sd_receivingdata_state;
1437 case 58: /* CMD58: READ_OCR (SPI) */
1443 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1447 goto unimplemented_spi_cmd;
1451 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1454 unimplemented_spi_cmd:
1455 /* Commands that are recognised but not yet implemented in SPI mode. */
1456 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1461 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1465 static sd_rsp_type_t sd_app_command(SDState *sd,
1468 trace_sdcard_app_command(sd->proto_name, sd_acmd_name(req.cmd),
1469 req.cmd, req.arg, sd_state_name(sd->state));
1470 sd->card_status |= APP_CMD;
1472 case 6: /* ACMD6: SET_BUS_WIDTH */
1474 goto unimplemented_spi_cmd;
1476 switch (sd->state) {
1477 case sd_transfer_state:
1478 sd->sd_status[0] &= 0x3f;
1479 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1487 case 13: /* ACMD13: SD_STATUS */
1488 switch (sd->state) {
1489 case sd_transfer_state:
1490 sd->state = sd_sendingdata_state;
1492 sd->data_offset = 0;
1500 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1501 switch (sd->state) {
1502 case sd_transfer_state:
1503 *(uint32_t *) sd->data = sd->blk_written;
1505 sd->state = sd_sendingdata_state;
1507 sd->data_offset = 0;
1515 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1516 switch (sd->state) {
1517 case sd_transfer_state:
1525 case 41: /* ACMD41: SD_APP_OP_COND */
1528 sd->state = sd_transfer_state;
1531 if (sd->state != sd_idle_state) {
1534 /* If it's the first ACMD41 since reset, we need to decide
1535 * whether to power up. If this is not an enquiry ACMD41,
1536 * we immediately report power on and proceed below to the
1537 * ready state, but if it is, we set a timer to model a
1538 * delay for power up. This works around a bug in EDK2
1539 * UEFI, which sends an initial enquiry ACMD41, but
1540 * assumes that the card is in ready state as soon as it
1541 * sees the power up bit set. */
1542 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1543 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1544 timer_del(sd->ocr_power_timer);
1547 trace_sdcard_inquiry_cmd41();
1548 if (!timer_pending(sd->ocr_power_timer)) {
1549 timer_mod_ns(sd->ocr_power_timer,
1550 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1551 + OCR_POWER_DELAY_NS));
1556 if (FIELD_EX32(sd->ocr & req.arg, OCR, VDD_VOLTAGE_WINDOW)) {
1557 /* We accept any voltage. 10000 V is nothing.
1559 * Once we're powered up, we advance straight to ready state
1560 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1562 sd->state = sd_ready_state;
1567 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1568 switch (sd->state) {
1569 case sd_transfer_state:
1570 /* Bringing in the 50KOhm pull-up resistor... Done. */
1578 case 51: /* ACMD51: SEND_SCR */
1579 switch (sd->state) {
1580 case sd_transfer_state:
1581 sd->state = sd_sendingdata_state;
1583 sd->data_offset = 0;
1591 case 18: /* Reserved for SD security applications */
1596 /* Refer to the "SD Specifications Part3 Security Specification" for
1597 * information about the SD Security Features.
1599 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1604 /* Fall back to standard commands. */
1605 return sd_normal_command(sd, req);
1607 unimplemented_spi_cmd:
1608 /* Commands that are recognised but not yet implemented in SPI mode. */
1609 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1614 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1618 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1620 /* Valid commands in locked state:
1622 * lock card class (7)
1624 * implicitly, the ACMD prefix CMD55
1626 * Anything else provokes an "illegal command" response.
1628 if (sd->expecting_acmd) {
1629 return req->cmd == 41 || req->cmd == 42;
1631 if (req->cmd == 16 || req->cmd == 55) {
1634 return sd_cmd_class[req->cmd] == 0
1635 || sd_cmd_class[req->cmd] == 7;
1638 int sd_do_command(SDState *sd, SDRequest *req,
1639 uint8_t *response) {
1641 sd_rsp_type_t rtype;
1644 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1648 if (sd_req_crc_validate(req)) {
1649 sd->card_status |= COM_CRC_ERROR;
1654 if (req->cmd >= SDMMC_CMD_MAX) {
1655 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1660 if (sd->card_status & CARD_IS_LOCKED) {
1661 if (!cmd_valid_while_locked(sd, req)) {
1662 sd->card_status |= ILLEGAL_COMMAND;
1663 sd->expecting_acmd = false;
1664 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1670 last_state = sd->state;
1673 if (sd->expecting_acmd) {
1674 sd->expecting_acmd = false;
1675 rtype = sd_app_command(sd, *req);
1677 rtype = sd_normal_command(sd, *req);
1680 if (rtype == sd_illegal) {
1681 sd->card_status |= ILLEGAL_COMMAND;
1683 /* Valid command, we can update the 'state before command' bits.
1684 * (Do this now so they appear in r1 responses.)
1686 sd->current_cmd = req->cmd;
1687 sd->card_status &= ~CURRENT_STATE;
1688 sd->card_status |= (last_state << 9);
1695 sd_response_r1_make(sd, response);
1700 memcpy(response, sd->cid, sizeof(sd->cid));
1705 memcpy(response, sd->csd, sizeof(sd->csd));
1710 sd_response_r3_make(sd, response);
1715 sd_response_r6_make(sd, response);
1720 sd_response_r7_make(sd, response);
1729 g_assert_not_reached();
1731 trace_sdcard_response(sd_response_name(rtype), rsplen);
1733 if (rtype != sd_illegal) {
1734 /* Clear the "clear on valid command" status bits now we've
1737 sd->card_status &= ~CARD_STATUS_B;
1741 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
1747 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1749 trace_sdcard_read_block(addr, len);
1750 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1751 fprintf(stderr, "sd_blk_read: read error on host side\n");
1755 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1757 trace_sdcard_write_block(addr, len);
1758 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1759 fprintf(stderr, "sd_blk_write: write error on host side\n");
1763 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1764 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1765 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1766 #define APP_WRITE_BLOCK(a, len)
1768 void sd_write_data(SDState *sd, uint8_t value)
1772 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1775 if (sd->state != sd_receivingdata_state) {
1776 qemu_log_mask(LOG_GUEST_ERROR,
1777 "sd_write_data: not in Receiving-Data state\n");
1781 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1784 trace_sdcard_write_data(sd->proto_name,
1785 sd_acmd_name(sd->current_cmd),
1786 sd->current_cmd, value);
1787 switch (sd->current_cmd) {
1788 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1789 sd->data[sd->data_offset ++] = value;
1790 if (sd->data_offset >= sd->blk_len) {
1791 /* TODO: Check CRC before committing */
1792 sd->state = sd_programming_state;
1793 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1795 sd->csd[14] |= 0x40;
1796 /* Bzzzzzzztt .... Operation complete. */
1797 sd->state = sd_transfer_state;
1801 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1802 if (sd->data_offset == 0) {
1803 /* Start of the block - let's check the address is valid */
1804 if (sd->data_start + sd->blk_len > sd->size) {
1805 sd->card_status |= ADDRESS_ERROR;
1808 if (sd_wp_addr(sd, sd->data_start)) {
1809 sd->card_status |= WP_VIOLATION;
1813 sd->data[sd->data_offset++] = value;
1814 if (sd->data_offset >= sd->blk_len) {
1815 /* TODO: Check CRC before committing */
1816 sd->state = sd_programming_state;
1817 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1819 sd->data_start += sd->blk_len;
1820 sd->data_offset = 0;
1821 sd->csd[14] |= 0x40;
1823 /* Bzzzzzzztt .... Operation complete. */
1824 if (sd->multi_blk_cnt != 0) {
1825 if (--sd->multi_blk_cnt == 0) {
1827 sd->state = sd_transfer_state;
1832 sd->state = sd_receivingdata_state;
1836 case 26: /* CMD26: PROGRAM_CID */
1837 sd->data[sd->data_offset ++] = value;
1838 if (sd->data_offset >= sizeof(sd->cid)) {
1839 /* TODO: Check CRC before committing */
1840 sd->state = sd_programming_state;
1841 for (i = 0; i < sizeof(sd->cid); i ++)
1842 if ((sd->cid[i] | 0x00) != sd->data[i])
1843 sd->card_status |= CID_CSD_OVERWRITE;
1845 if (!(sd->card_status & CID_CSD_OVERWRITE))
1846 for (i = 0; i < sizeof(sd->cid); i ++) {
1848 sd->cid[i] &= sd->data[i];
1850 /* Bzzzzzzztt .... Operation complete. */
1851 sd->state = sd_transfer_state;
1855 case 27: /* CMD27: PROGRAM_CSD */
1856 sd->data[sd->data_offset ++] = value;
1857 if (sd->data_offset >= sizeof(sd->csd)) {
1858 /* TODO: Check CRC before committing */
1859 sd->state = sd_programming_state;
1860 for (i = 0; i < sizeof(sd->csd); i ++)
1861 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1862 (sd->data[i] | sd_csd_rw_mask[i]))
1863 sd->card_status |= CID_CSD_OVERWRITE;
1865 /* Copy flag (OTP) & Permanent write protect */
1866 if (sd->csd[14] & ~sd->data[14] & 0x60)
1867 sd->card_status |= CID_CSD_OVERWRITE;
1869 if (!(sd->card_status & CID_CSD_OVERWRITE))
1870 for (i = 0; i < sizeof(sd->csd); i ++) {
1871 sd->csd[i] |= sd_csd_rw_mask[i];
1872 sd->csd[i] &= sd->data[i];
1874 /* Bzzzzzzztt .... Operation complete. */
1875 sd->state = sd_transfer_state;
1879 case 42: /* CMD42: LOCK_UNLOCK */
1880 sd->data[sd->data_offset ++] = value;
1881 if (sd->data_offset >= sd->blk_len) {
1882 /* TODO: Check CRC before committing */
1883 sd->state = sd_programming_state;
1884 sd_lock_command(sd);
1885 /* Bzzzzzzztt .... Operation complete. */
1886 sd->state = sd_transfer_state;
1890 case 56: /* CMD56: GEN_CMD */
1891 sd->data[sd->data_offset ++] = value;
1892 if (sd->data_offset >= sd->blk_len) {
1893 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1894 sd->state = sd_transfer_state;
1899 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1904 #define SD_TUNING_BLOCK_SIZE 64
1906 static const uint8_t sd_tuning_block_pattern[SD_TUNING_BLOCK_SIZE] = {
1907 /* See: Physical Layer Simplified Specification Version 3.01, Table 4-2 */
1908 0xff, 0x0f, 0xff, 0x00, 0x0f, 0xfc, 0xc3, 0xcc,
1909 0xc3, 0x3c, 0xcc, 0xff, 0xfe, 0xff, 0xfe, 0xef,
1910 0xff, 0xdf, 0xff, 0xdd, 0xff, 0xfb, 0xff, 0xfb,
1911 0xbf, 0xff, 0x7f, 0xff, 0x77, 0xf7, 0xbd, 0xef,
1912 0xff, 0xf0, 0xff, 0xf0, 0x0f, 0xfc, 0xcc, 0x3c,
1913 0xcc, 0x33, 0xcc, 0xcf, 0xff, 0xef, 0xff, 0xee,
1914 0xff, 0xfd, 0xff, 0xfd, 0xdf, 0xff, 0xbf, 0xff,
1915 0xbb, 0xff, 0xf7, 0xff, 0xf7, 0x7f, 0x7b, 0xde,
1918 uint8_t sd_read_data(SDState *sd)
1920 /* TODO: Append CRCs */
1924 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1927 if (sd->state != sd_sendingdata_state) {
1928 qemu_log_mask(LOG_GUEST_ERROR,
1929 "sd_read_data: not in Sending-Data state\n");
1933 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1936 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1938 trace_sdcard_read_data(sd->proto_name,
1939 sd_acmd_name(sd->current_cmd),
1940 sd->current_cmd, io_len);
1941 switch (sd->current_cmd) {
1942 case 6: /* CMD6: SWITCH_FUNCTION */
1943 ret = sd->data[sd->data_offset ++];
1945 if (sd->data_offset >= 64)
1946 sd->state = sd_transfer_state;
1949 case 9: /* CMD9: SEND_CSD */
1950 case 10: /* CMD10: SEND_CID */
1951 ret = sd->data[sd->data_offset ++];
1953 if (sd->data_offset >= 16)
1954 sd->state = sd_transfer_state;
1957 case 13: /* ACMD13: SD_STATUS */
1958 ret = sd->sd_status[sd->data_offset ++];
1960 if (sd->data_offset >= sizeof(sd->sd_status))
1961 sd->state = sd_transfer_state;
1964 case 17: /* CMD17: READ_SINGLE_BLOCK */
1965 if (sd->data_offset == 0)
1966 BLK_READ_BLOCK(sd->data_start, io_len);
1967 ret = sd->data[sd->data_offset ++];
1969 if (sd->data_offset >= io_len)
1970 sd->state = sd_transfer_state;
1973 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1974 if (sd->data_offset == 0) {
1975 if (sd->data_start + io_len > sd->size) {
1976 sd->card_status |= ADDRESS_ERROR;
1979 BLK_READ_BLOCK(sd->data_start, io_len);
1981 ret = sd->data[sd->data_offset ++];
1983 if (sd->data_offset >= io_len) {
1984 sd->data_start += io_len;
1985 sd->data_offset = 0;
1987 if (sd->multi_blk_cnt != 0) {
1988 if (--sd->multi_blk_cnt == 0) {
1990 sd->state = sd_transfer_state;
1997 case 19: /* CMD19: SEND_TUNING_BLOCK (SD) */
1998 if (sd->data_offset >= SD_TUNING_BLOCK_SIZE - 1) {
1999 sd->state = sd_transfer_state;
2001 ret = sd_tuning_block_pattern[sd->data_offset++];
2004 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
2005 ret = sd->data[sd->data_offset ++];
2007 if (sd->data_offset >= 4)
2008 sd->state = sd_transfer_state;
2011 case 30: /* CMD30: SEND_WRITE_PROT */
2012 ret = sd->data[sd->data_offset ++];
2014 if (sd->data_offset >= 4)
2015 sd->state = sd_transfer_state;
2018 case 51: /* ACMD51: SEND_SCR */
2019 ret = sd->scr[sd->data_offset ++];
2021 if (sd->data_offset >= sizeof(sd->scr))
2022 sd->state = sd_transfer_state;
2025 case 56: /* CMD56: GEN_CMD */
2026 if (sd->data_offset == 0)
2027 APP_READ_BLOCK(sd->data_start, sd->blk_len);
2028 ret = sd->data[sd->data_offset ++];
2030 if (sd->data_offset >= sd->blk_len)
2031 sd->state = sd_transfer_state;
2035 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
2042 bool sd_data_ready(SDState *sd)
2044 return sd->state == sd_sendingdata_state;
2047 void sd_enable(SDState *sd, bool enable)
2049 sd->enable = enable;
2052 static void sd_instance_init(Object *obj)
2054 SDState *sd = SD_CARD(obj);
2057 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2060 static void sd_instance_finalize(Object *obj)
2062 SDState *sd = SD_CARD(obj);
2064 timer_del(sd->ocr_power_timer);
2065 timer_free(sd->ocr_power_timer);
2068 static void sd_realize(DeviceState *dev, Error **errp)
2070 SDState *sd = SD_CARD(dev);
2073 sd->proto_name = sd->spi ? "SPI" : "SD";
2075 if (sd->blk && blk_is_read_only(sd->blk)) {
2076 error_setg(errp, "Cannot use read-only drive as SD card");
2081 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2082 BLK_PERM_ALL, errp);
2086 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2090 static Property sd_properties[] = {
2091 DEFINE_PROP_DRIVE("drive", SDState, blk),
2092 /* We do not model the chip select pin, so allow the board to select
2093 * whether card should be in SSI or MMC/SD mode. It is also up to the
2094 * board to ensure that ssi transfers only occur when the chip select
2096 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2097 DEFINE_PROP_END_OF_LIST()
2100 static void sd_class_init(ObjectClass *klass, void *data)
2102 DeviceClass *dc = DEVICE_CLASS(klass);
2103 SDCardClass *sc = SD_CARD_CLASS(klass);
2105 dc->realize = sd_realize;
2106 dc->props = sd_properties;
2107 dc->vmsd = &sd_vmstate;
2108 dc->reset = sd_reset;
2109 dc->bus_type = TYPE_SD_BUS;
2111 sc->set_voltage = sd_set_voltage;
2112 sc->get_dat_lines = sd_get_dat_lines;
2113 sc->get_cmd_line = sd_get_cmd_line;
2114 sc->do_command = sd_do_command;
2115 sc->write_data = sd_write_data;
2116 sc->read_data = sd_read_data;
2117 sc->data_ready = sd_data_ready;
2118 sc->enable = sd_enable;
2119 sc->get_inserted = sd_get_inserted;
2120 sc->get_readonly = sd_get_readonly;
2123 static const TypeInfo sd_info = {
2124 .name = TYPE_SD_CARD,
2125 .parent = TYPE_DEVICE,
2126 .instance_size = sizeof(SDState),
2127 .class_size = sizeof(SDCardClass),
2128 .class_init = sd_class_init,
2129 .instance_init = sd_instance_init,
2130 .instance_finalize = sd_instance_finalize,
2133 static void sd_register_types(void)
2135 type_register_static(&sd_info);
2138 type_init(sd_register_types)
projects / qemu.git / blob