2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 1.10."
6 * Copyright (c) 2007 CodeSourcery
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 #include "sysemu/block-backend.h"
35 #include "qemu/bitmap.h"
40 #define DPRINTF(fmt, ...) \
41 do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0)
43 #define DPRINTF(fmt, ...) do {} while(0)
46 #define ACMD41_ENQUIRY_MASK 0x00ffffff
49 sd_r0 = 0, /* no response */
50 sd_r1, /* normal response command */
51 sd_r2_i, /* CID register */
52 sd_r2_s, /* CSD register */
53 sd_r3, /* OCR register */
54 sd_r6 = 6, /* Published RCA response */
55 sd_r7, /* Operating voltage */
62 sd_card_identification_mode,
63 sd_data_transfer_mode,
67 sd_inactive_state = -1,
70 sd_identification_state,
74 sd_receivingdata_state,
80 uint32_t mode; /* current card mode, one of SDCardModes */
81 int32_t state; /* current card state, one of SDCardStates */
88 uint8_t sd_status[64];
91 unsigned long *wp_groups;
99 uint8_t function_group[6];
103 /* True if we will handle the next command as an ACMD. Note that this does
104 * *not* track the APP_CMD status bit!
107 uint32_t blk_written;
109 uint32_t data_offset;
111 qemu_irq readonly_cb;
112 qemu_irq inserted_cb;
119 static void sd_set_mode(SDState *sd)
122 case sd_inactive_state:
123 sd->mode = sd_inactive;
128 case sd_identification_state:
129 sd->mode = sd_card_identification_mode;
132 case sd_standby_state:
133 case sd_transfer_state:
134 case sd_sendingdata_state:
135 case sd_receivingdata_state:
136 case sd_programming_state:
137 case sd_disconnect_state:
138 sd->mode = sd_data_transfer_mode;
143 static const sd_cmd_type_t sd_cmd_type[64] = {
144 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
145 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
146 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
147 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
148 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
149 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
150 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
151 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
154 static const int sd_cmd_class[64] = {
155 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
156 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
157 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
158 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
161 static uint8_t sd_crc7(void *message, size_t width)
164 uint8_t shift_reg = 0x00;
165 uint8_t *msg = (uint8_t *) message;
167 for (i = 0; i < width; i ++, msg ++)
168 for (bit = 7; bit >= 0; bit --) {
170 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
177 static uint16_t sd_crc16(void *message, size_t width)
180 uint16_t shift_reg = 0x0000;
181 uint16_t *msg = (uint16_t *) message;
184 for (i = 0; i < width; i ++, msg ++)
185 for (bit = 15; bit >= 0; bit --) {
187 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
194 static void sd_set_ocr(SDState *sd)
196 /* All voltages OK, card power-up OK, Standard Capacity SD Memory Card */
197 sd->ocr = 0x80ffff00;
200 static void sd_set_scr(SDState *sd)
202 sd->scr[0] = 0x00; /* SCR Structure */
203 sd->scr[1] = 0x2f; /* SD Security Support */
219 static void sd_set_cid(SDState *sd)
221 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
222 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
224 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
229 sd->cid[8] = PRV; /* Fake product revision (PRV) */
230 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
234 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
235 ((MDT_YR - 2000) / 10);
236 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
237 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
240 #define HWBLOCK_SHIFT 9 /* 512 bytes */
241 #define SECTOR_SHIFT 5 /* 16 kilobytes */
242 #define WPGROUP_SHIFT 7 /* 2 megs */
243 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
244 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
246 static const uint8_t sd_csd_rw_mask[16] = {
247 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
248 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
251 static void sd_set_csd(SDState *sd, uint64_t size)
253 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
254 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
255 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
257 if (size <= 0x40000000) { /* Standard Capacity SD */
258 sd->csd[0] = 0x00; /* CSD structure */
259 sd->csd[1] = 0x26; /* Data read access-time-1 */
260 sd->csd[2] = 0x00; /* Data read access-time-2 */
261 sd->csd[3] = 0x5a; /* Max. data transfer rate */
262 sd->csd[4] = 0x5f; /* Card Command Classes */
263 sd->csd[5] = 0x50 | /* Max. read data block length */
265 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
266 ((csize >> 10) & 0x03);
267 sd->csd[7] = 0x00 | /* Device size */
268 ((csize >> 2) & 0xff);
269 sd->csd[8] = 0x3f | /* Max. read current */
270 ((csize << 6) & 0xc0);
271 sd->csd[9] = 0xfc | /* Max. write current */
272 ((CMULT_SHIFT - 2) >> 1);
273 sd->csd[10] = 0x40 | /* Erase sector size */
274 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
275 sd->csd[11] = 0x00 | /* Write protect group size */
276 ((sectsize << 7) & 0x80) | wpsize;
277 sd->csd[12] = 0x90 | /* Write speed factor */
278 (HWBLOCK_SHIFT >> 2);
279 sd->csd[13] = 0x20 | /* Max. write data block length */
280 ((HWBLOCK_SHIFT << 6) & 0xc0);
281 sd->csd[14] = 0x00; /* File format group */
282 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
293 sd->csd[7] = (size >> 16) & 0xff;
294 sd->csd[8] = (size >> 8) & 0xff;
295 sd->csd[9] = (size & 0xff);
302 sd->ocr |= 1 << 30; /* High Capacity SD Memory Card */
306 static void sd_set_rca(SDState *sd)
311 /* Card status bits, split by clear condition:
312 * A : According to the card current state
313 * B : Always related to the previous command
314 * C : Cleared by read
316 #define CARD_STATUS_A 0x02004100
317 #define CARD_STATUS_B 0x00c01e00
318 #define CARD_STATUS_C 0xfd39a028
320 static void sd_set_cardstatus(SDState *sd)
322 sd->card_status = 0x00000100;
325 static void sd_set_sdstatus(SDState *sd)
327 memset(sd->sd_status, 0, 64);
330 static int sd_req_crc_validate(SDRequest *req)
333 buffer[0] = 0x40 | req->cmd;
334 buffer[1] = (req->arg >> 24) & 0xff;
335 buffer[2] = (req->arg >> 16) & 0xff;
336 buffer[3] = (req->arg >> 8) & 0xff;
337 buffer[4] = (req->arg >> 0) & 0xff;
339 return sd_crc7(buffer, 5) != req->crc; /* TODO */
342 static void sd_response_r1_make(SDState *sd, uint8_t *response)
344 uint32_t status = sd->card_status;
345 /* Clear the "clear on read" status bits */
346 sd->card_status &= ~CARD_STATUS_C;
348 response[0] = (status >> 24) & 0xff;
349 response[1] = (status >> 16) & 0xff;
350 response[2] = (status >> 8) & 0xff;
351 response[3] = (status >> 0) & 0xff;
354 static void sd_response_r3_make(SDState *sd, uint8_t *response)
356 response[0] = (sd->ocr >> 24) & 0xff;
357 response[1] = (sd->ocr >> 16) & 0xff;
358 response[2] = (sd->ocr >> 8) & 0xff;
359 response[3] = (sd->ocr >> 0) & 0xff;
362 static void sd_response_r6_make(SDState *sd, uint8_t *response)
368 status = ((sd->card_status >> 8) & 0xc000) |
369 ((sd->card_status >> 6) & 0x2000) |
370 (sd->card_status & 0x1fff);
371 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
373 response[0] = (arg >> 8) & 0xff;
374 response[1] = arg & 0xff;
375 response[2] = (status >> 8) & 0xff;
376 response[3] = status & 0xff;
379 static void sd_response_r7_make(SDState *sd, uint8_t *response)
381 response[0] = (sd->vhs >> 24) & 0xff;
382 response[1] = (sd->vhs >> 16) & 0xff;
383 response[2] = (sd->vhs >> 8) & 0xff;
384 response[3] = (sd->vhs >> 0) & 0xff;
387 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
389 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
392 static void sd_reset(SDState *sd)
398 blk_get_geometry(sd->blk, §);
404 sect = sd_addr_to_wpnum(size) + 1;
406 sd->state = sd_idle_state;
411 sd_set_csd(sd, size);
412 sd_set_cardstatus(sd);
415 g_free(sd->wp_groups);
416 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
417 sd->wpgrps_size = sect;
418 sd->wp_groups = bitmap_new(sd->wpgrps_size);
419 memset(sd->function_group, 0, sizeof(sd->function_group));
425 sd->expecting_acmd = false;
428 static void sd_cardchange(void *opaque, bool load)
430 SDState *sd = opaque;
432 qemu_set_irq(sd->inserted_cb, blk_is_inserted(sd->blk));
433 if (blk_is_inserted(sd->blk)) {
435 qemu_set_irq(sd->readonly_cb, sd->wp_switch);
439 static const BlockDevOps sd_block_ops = {
440 .change_media_cb = sd_cardchange,
443 static const VMStateDescription sd_vmstate = {
446 .minimum_version_id = 1,
447 .fields = (VMStateField[]) {
448 VMSTATE_UINT32(mode, SDState),
449 VMSTATE_INT32(state, SDState),
450 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
451 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
452 VMSTATE_UINT16(rca, SDState),
453 VMSTATE_UINT32(card_status, SDState),
454 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
455 VMSTATE_UINT32(vhs, SDState),
456 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
457 VMSTATE_UINT32(blk_len, SDState),
458 VMSTATE_UINT32(erase_start, SDState),
459 VMSTATE_UINT32(erase_end, SDState),
460 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
461 VMSTATE_UINT32(pwd_len, SDState),
462 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
463 VMSTATE_UINT8(current_cmd, SDState),
464 VMSTATE_BOOL(expecting_acmd, SDState),
465 VMSTATE_UINT32(blk_written, SDState),
466 VMSTATE_UINT64(data_start, SDState),
467 VMSTATE_UINT32(data_offset, SDState),
468 VMSTATE_UINT8_ARRAY(data, SDState, 512),
469 VMSTATE_BUFFER_POINTER_UNSAFE(buf, SDState, 1, 512),
470 VMSTATE_BOOL(enable, SDState),
471 VMSTATE_END_OF_LIST()
475 /* We do not model the chip select pin, so allow the board to select
476 whether card should be in SSI or MMC/SD mode. It is also up to the
477 board to ensure that ssi transfers only occur when the chip select
479 SDState *sd_init(BlockBackend *blk, bool is_spi)
483 if (blk && blk_is_read_only(blk)) {
484 fprintf(stderr, "sd_init: Cannot use read-only drive\n");
488 sd = (SDState *) g_malloc0(sizeof(SDState));
489 sd->buf = blk_blockalign(blk, 512);
495 /* Attach dev if not already attached. (This call ignores an
496 * error return code if sd->blk is already attached.) */
497 blk_attach_dev(sd->blk, sd);
498 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
500 vmstate_register(NULL, -1, &sd_vmstate, sd);
504 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
506 sd->readonly_cb = readonly;
507 sd->inserted_cb = insert;
508 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
509 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
512 static void sd_erase(SDState *sd)
515 uint64_t erase_start = sd->erase_start;
516 uint64_t erase_end = sd->erase_end;
518 if (!sd->erase_start || !sd->erase_end) {
519 sd->card_status |= ERASE_SEQ_ERROR;
523 if (extract32(sd->ocr, OCR_CCS_BITN, 1)) {
524 /* High capacity memory card: erase units are 512 byte blocks */
529 erase_start = sd_addr_to_wpnum(erase_start);
530 erase_end = sd_addr_to_wpnum(erase_end);
535 for (i = erase_start; i <= erase_end; i++) {
536 if (test_bit(i, sd->wp_groups)) {
537 sd->card_status |= WP_ERASE_SKIP;
542 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
547 wpnum = sd_addr_to_wpnum(addr);
549 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
550 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
558 static void sd_function_switch(SDState *sd, uint32_t arg)
560 int i, mode, new_func, crc;
561 mode = !!(arg & 0x80000000);
563 sd->data[0] = 0x00; /* Maximum current consumption */
565 sd->data[2] = 0x80; /* Supported group 6 functions */
567 sd->data[4] = 0x80; /* Supported group 5 functions */
569 sd->data[6] = 0x80; /* Supported group 4 functions */
571 sd->data[8] = 0x80; /* Supported group 3 functions */
573 sd->data[10] = 0x80; /* Supported group 2 functions */
575 sd->data[12] = 0x80; /* Supported group 1 functions */
577 for (i = 0; i < 6; i ++) {
578 new_func = (arg >> (i * 4)) & 0x0f;
579 if (mode && new_func != 0x0f)
580 sd->function_group[i] = new_func;
581 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
583 memset(&sd->data[17], 0, 47);
584 crc = sd_crc16(sd->data, 64);
585 sd->data[65] = crc >> 8;
586 sd->data[66] = crc & 0xff;
589 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
591 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
594 static void sd_lock_command(SDState *sd)
596 int erase, lock, clr_pwd, set_pwd, pwd_len;
597 erase = !!(sd->data[0] & 0x08);
598 lock = sd->data[0] & 0x04;
599 clr_pwd = sd->data[0] & 0x02;
600 set_pwd = sd->data[0] & 0x01;
603 pwd_len = sd->data[1];
608 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
609 set_pwd || clr_pwd || lock || sd->wp_switch ||
610 (sd->csd[14] & 0x20)) {
611 sd->card_status |= LOCK_UNLOCK_FAILED;
614 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
615 sd->csd[14] &= ~0x10;
616 sd->card_status &= ~CARD_IS_LOCKED;
618 /* Erasing the entire card here! */
619 fprintf(stderr, "SD: Card force-erased by CMD42\n");
623 if (sd->blk_len < 2 + pwd_len ||
624 pwd_len <= sd->pwd_len ||
625 pwd_len > sd->pwd_len + 16) {
626 sd->card_status |= LOCK_UNLOCK_FAILED;
630 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
631 sd->card_status |= LOCK_UNLOCK_FAILED;
635 pwd_len -= sd->pwd_len;
636 if ((pwd_len && !set_pwd) ||
637 (clr_pwd && (set_pwd || lock)) ||
638 (lock && !sd->pwd_len && !set_pwd) ||
639 (!set_pwd && !clr_pwd &&
640 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
641 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
642 sd->card_status |= LOCK_UNLOCK_FAILED;
647 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
648 sd->pwd_len = pwd_len;
656 sd->card_status |= CARD_IS_LOCKED;
658 sd->card_status &= ~CARD_IS_LOCKED;
661 static sd_rsp_type_t sd_normal_command(SDState *sd,
664 uint32_t rca = 0x0000;
665 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
667 /* Not interpreting this as an app command */
668 sd->card_status &= ~APP_CMD;
670 if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc)
673 DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state);
675 /* Basic commands (Class 0 and Class 1) */
676 case 0: /* CMD0: GO_IDLE_STATE */
678 case sd_inactive_state:
679 return sd->spi ? sd_r1 : sd_r0;
682 sd->state = sd_idle_state;
684 return sd->spi ? sd_r1 : sd_r0;
688 case 1: /* CMD1: SEND_OP_CMD */
692 sd->state = sd_transfer_state;
695 case 2: /* CMD2: ALL_SEND_CID */
700 sd->state = sd_identification_state;
708 case 3: /* CMD3: SEND_RELATIVE_ADDR */
712 case sd_identification_state:
713 case sd_standby_state:
714 sd->state = sd_standby_state;
723 case 4: /* CMD4: SEND_DSR */
727 case sd_standby_state:
735 case 5: /* CMD5: reserved for SDIO cards */
738 case 6: /* CMD6: SWITCH_FUNCTION */
742 case sd_data_transfer_mode:
743 sd_function_switch(sd, req.arg);
744 sd->state = sd_sendingdata_state;
754 case 7: /* CMD7: SELECT/DESELECT_CARD */
758 case sd_standby_state:
762 sd->state = sd_transfer_state;
765 case sd_transfer_state:
766 case sd_sendingdata_state:
770 sd->state = sd_standby_state;
773 case sd_disconnect_state:
777 sd->state = sd_programming_state;
780 case sd_programming_state:
784 sd->state = sd_disconnect_state;
792 case 8: /* CMD8: SEND_IF_COND */
793 /* Physical Layer Specification Version 2.00 command */
798 /* No response if not exactly one VHS bit is set. */
799 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
800 return sd->spi ? sd_r7 : sd_r0;
812 case 9: /* CMD9: SEND_CSD */
814 case sd_standby_state:
820 case sd_transfer_state:
823 sd->state = sd_sendingdata_state;
824 memcpy(sd->data, sd->csd, 16);
825 sd->data_start = addr;
834 case 10: /* CMD10: SEND_CID */
836 case sd_standby_state:
842 case sd_transfer_state:
845 sd->state = sd_sendingdata_state;
846 memcpy(sd->data, sd->cid, 16);
847 sd->data_start = addr;
856 case 11: /* CMD11: READ_DAT_UNTIL_STOP */
860 case sd_transfer_state:
861 sd->state = sd_sendingdata_state;
862 sd->data_start = req.arg;
865 if (sd->data_start + sd->blk_len > sd->size)
866 sd->card_status |= ADDRESS_ERROR;
874 case 12: /* CMD12: STOP_TRANSMISSION */
876 case sd_sendingdata_state:
877 sd->state = sd_transfer_state;
880 case sd_receivingdata_state:
881 sd->state = sd_programming_state;
882 /* Bzzzzzzztt .... Operation complete. */
883 sd->state = sd_transfer_state;
891 case 13: /* CMD13: SEND_STATUS */
893 case sd_data_transfer_mode:
904 case 15: /* CMD15: GO_INACTIVE_STATE */
908 case sd_data_transfer_mode:
912 sd->state = sd_inactive_state;
920 /* Block read commands (Classs 2) */
921 case 16: /* CMD16: SET_BLOCKLEN */
923 case sd_transfer_state:
924 if (req.arg > (1 << HWBLOCK_SHIFT))
925 sd->card_status |= BLOCK_LEN_ERROR;
927 sd->blk_len = req.arg;
936 case 17: /* CMD17: READ_SINGLE_BLOCK */
938 case sd_transfer_state:
939 sd->state = sd_sendingdata_state;
940 sd->data_start = addr;
943 if (sd->data_start + sd->blk_len > sd->size)
944 sd->card_status |= ADDRESS_ERROR;
952 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
954 case sd_transfer_state:
955 sd->state = sd_sendingdata_state;
956 sd->data_start = addr;
959 if (sd->data_start + sd->blk_len > sd->size)
960 sd->card_status |= ADDRESS_ERROR;
968 /* Block write commands (Class 4) */
969 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
971 goto unimplemented_cmd;
973 case sd_transfer_state:
974 /* Writing in SPI mode not implemented. */
977 sd->state = sd_receivingdata_state;
978 sd->data_start = addr;
982 if (sd->data_start + sd->blk_len > sd->size)
983 sd->card_status |= ADDRESS_ERROR;
984 if (sd_wp_addr(sd, sd->data_start))
985 sd->card_status |= WP_VIOLATION;
986 if (sd->csd[14] & 0x30)
987 sd->card_status |= WP_VIOLATION;
995 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
997 goto unimplemented_cmd;
999 case sd_transfer_state:
1000 /* Writing in SPI mode not implemented. */
1003 sd->state = sd_receivingdata_state;
1004 sd->data_start = addr;
1005 sd->data_offset = 0;
1006 sd->blk_written = 0;
1008 if (sd->data_start + sd->blk_len > sd->size)
1009 sd->card_status |= ADDRESS_ERROR;
1010 if (sd_wp_addr(sd, sd->data_start))
1011 sd->card_status |= WP_VIOLATION;
1012 if (sd->csd[14] & 0x30)
1013 sd->card_status |= WP_VIOLATION;
1021 case 26: /* CMD26: PROGRAM_CID */
1024 switch (sd->state) {
1025 case sd_transfer_state:
1026 sd->state = sd_receivingdata_state;
1028 sd->data_offset = 0;
1036 case 27: /* CMD27: PROGRAM_CSD */
1038 goto unimplemented_cmd;
1039 switch (sd->state) {
1040 case sd_transfer_state:
1041 sd->state = sd_receivingdata_state;
1043 sd->data_offset = 0;
1051 /* Write protection (Class 6) */
1052 case 28: /* CMD28: SET_WRITE_PROT */
1053 switch (sd->state) {
1054 case sd_transfer_state:
1055 if (addr >= sd->size) {
1056 sd->card_status |= ADDRESS_ERROR;
1060 sd->state = sd_programming_state;
1061 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1062 /* Bzzzzzzztt .... Operation complete. */
1063 sd->state = sd_transfer_state;
1071 case 29: /* CMD29: CLR_WRITE_PROT */
1072 switch (sd->state) {
1073 case sd_transfer_state:
1074 if (addr >= sd->size) {
1075 sd->card_status |= ADDRESS_ERROR;
1079 sd->state = sd_programming_state;
1080 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1081 /* Bzzzzzzztt .... Operation complete. */
1082 sd->state = sd_transfer_state;
1090 case 30: /* CMD30: SEND_WRITE_PROT */
1091 switch (sd->state) {
1092 case sd_transfer_state:
1093 sd->state = sd_sendingdata_state;
1094 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1095 sd->data_start = addr;
1096 sd->data_offset = 0;
1104 /* Erase commands (Class 5) */
1105 case 32: /* CMD32: ERASE_WR_BLK_START */
1106 switch (sd->state) {
1107 case sd_transfer_state:
1108 sd->erase_start = req.arg;
1116 case 33: /* CMD33: ERASE_WR_BLK_END */
1117 switch (sd->state) {
1118 case sd_transfer_state:
1119 sd->erase_end = req.arg;
1127 case 38: /* CMD38: ERASE */
1128 switch (sd->state) {
1129 case sd_transfer_state:
1130 if (sd->csd[14] & 0x30) {
1131 sd->card_status |= WP_VIOLATION;
1135 sd->state = sd_programming_state;
1137 /* Bzzzzzzztt .... Operation complete. */
1138 sd->state = sd_transfer_state;
1146 /* Lock card commands (Class 7) */
1147 case 42: /* CMD42: LOCK_UNLOCK */
1149 goto unimplemented_cmd;
1150 switch (sd->state) {
1151 case sd_transfer_state:
1152 sd->state = sd_receivingdata_state;
1154 sd->data_offset = 0;
1164 /* CMD52, CMD53: reserved for SDIO cards
1165 * (see the SDIO Simplified Specification V2.0)
1166 * Handle as illegal command but do not complain
1167 * on stderr, as some OSes may use these in their
1168 * probing for presence of an SDIO card.
1172 /* Application specific commands (Class 8) */
1173 case 55: /* CMD55: APP_CMD */
1177 sd->expecting_acmd = true;
1178 sd->card_status |= APP_CMD;
1181 case 56: /* CMD56: GEN_CMD */
1182 fprintf(stderr, "SD: GEN_CMD 0x%08x\n", req.arg);
1184 switch (sd->state) {
1185 case sd_transfer_state:
1186 sd->data_offset = 0;
1188 sd->state = sd_sendingdata_state;
1190 sd->state = sd_receivingdata_state;
1200 fprintf(stderr, "SD: Unknown CMD%i\n", req.cmd);
1204 /* Commands that are recognised but not yet implemented in SPI mode. */
1205 fprintf(stderr, "SD: CMD%i not implemented in SPI mode\n", req.cmd);
1209 fprintf(stderr, "SD: CMD%i in a wrong state\n", req.cmd);
1213 static sd_rsp_type_t sd_app_command(SDState *sd,
1216 DPRINTF("ACMD%d 0x%08x\n", req.cmd, req.arg);
1217 sd->card_status |= APP_CMD;
1219 case 6: /* ACMD6: SET_BUS_WIDTH */
1220 switch (sd->state) {
1221 case sd_transfer_state:
1222 sd->sd_status[0] &= 0x3f;
1223 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1231 case 13: /* ACMD13: SD_STATUS */
1232 switch (sd->state) {
1233 case sd_transfer_state:
1234 sd->state = sd_sendingdata_state;
1236 sd->data_offset = 0;
1244 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1245 switch (sd->state) {
1246 case sd_transfer_state:
1247 *(uint32_t *) sd->data = sd->blk_written;
1249 sd->state = sd_sendingdata_state;
1251 sd->data_offset = 0;
1259 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1260 switch (sd->state) {
1261 case sd_transfer_state:
1269 case 41: /* ACMD41: SD_APP_OP_COND */
1272 sd->state = sd_transfer_state;
1275 switch (sd->state) {
1277 /* We accept any voltage. 10000 V is nothing.
1279 * We don't model init delay so just advance straight to ready state
1280 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1282 if (req.arg & ACMD41_ENQUIRY_MASK) {
1283 sd->state = sd_ready_state;
1293 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1294 switch (sd->state) {
1295 case sd_transfer_state:
1296 /* Bringing in the 50KOhm pull-up resistor... Done. */
1304 case 51: /* ACMD51: SEND_SCR */
1305 switch (sd->state) {
1306 case sd_transfer_state:
1307 sd->state = sd_sendingdata_state;
1309 sd->data_offset = 0;
1318 /* Fall back to standard commands. */
1319 return sd_normal_command(sd, req);
1322 fprintf(stderr, "SD: ACMD%i in a wrong state\n", req.cmd);
1326 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1328 /* Valid commands in locked state:
1330 * lock card class (7)
1332 * implicitly, the ACMD prefix CMD55
1334 * Anything else provokes an "illegal command" response.
1336 if (sd->expecting_acmd) {
1337 return req->cmd == 41 || req->cmd == 42;
1339 if (req->cmd == 16 || req->cmd == 55) {
1342 return sd_cmd_class[req->cmd] == 0 || sd_cmd_class[req->cmd] == 7;
1345 int sd_do_command(SDState *sd, SDRequest *req,
1346 uint8_t *response) {
1348 sd_rsp_type_t rtype;
1351 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1355 if (sd_req_crc_validate(req)) {
1356 sd->card_status |= COM_CRC_ERROR;
1361 if (sd->card_status & CARD_IS_LOCKED) {
1362 if (!cmd_valid_while_locked(sd, req)) {
1363 sd->card_status |= ILLEGAL_COMMAND;
1364 sd->expecting_acmd = false;
1365 fprintf(stderr, "SD: Card is locked\n");
1371 last_state = sd->state;
1374 if (sd->expecting_acmd) {
1375 sd->expecting_acmd = false;
1376 rtype = sd_app_command(sd, *req);
1378 rtype = sd_normal_command(sd, *req);
1381 if (rtype == sd_illegal) {
1382 sd->card_status |= ILLEGAL_COMMAND;
1384 /* Valid command, we can update the 'state before command' bits.
1385 * (Do this now so they appear in r1 responses.)
1387 sd->current_cmd = req->cmd;
1388 sd->card_status &= ~CURRENT_STATE;
1389 sd->card_status |= (last_state << 9);
1396 sd_response_r1_make(sd, response);
1401 memcpy(response, sd->cid, sizeof(sd->cid));
1406 memcpy(response, sd->csd, sizeof(sd->csd));
1411 sd_response_r3_make(sd, response);
1416 sd_response_r6_make(sd, response);
1421 sd_response_r7_make(sd, response);
1432 if (rtype != sd_illegal) {
1433 /* Clear the "clear on valid command" status bits now we've
1436 sd->card_status &= ~CARD_STATUS_B;
1442 DPRINTF("Response:");
1443 for (i = 0; i < rsplen; i++)
1444 fprintf(stderr, " %02x", response[i]);
1445 fprintf(stderr, " state %d\n", sd->state);
1447 DPRINTF("No response %d\n", sd->state);
1454 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1456 uint64_t end = addr + len;
1458 DPRINTF("sd_blk_read: addr = 0x%08llx, len = %d\n",
1459 (unsigned long long) addr, len);
1460 if (!sd->blk || blk_read(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1461 fprintf(stderr, "sd_blk_read: read error on host side\n");
1465 if (end > (addr & ~511) + 512) {
1466 memcpy(sd->data, sd->buf + (addr & 511), 512 - (addr & 511));
1468 if (blk_read(sd->blk, end >> 9, sd->buf, 1) < 0) {
1469 fprintf(stderr, "sd_blk_read: read error on host side\n");
1472 memcpy(sd->data + 512 - (addr & 511), sd->buf, end & 511);
1474 memcpy(sd->data, sd->buf + (addr & 511), len);
1477 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1479 uint64_t end = addr + len;
1481 if ((addr & 511) || len < 512)
1482 if (!sd->blk || blk_read(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1483 fprintf(stderr, "sd_blk_write: read error on host side\n");
1487 if (end > (addr & ~511) + 512) {
1488 memcpy(sd->buf + (addr & 511), sd->data, 512 - (addr & 511));
1489 if (blk_write(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1490 fprintf(stderr, "sd_blk_write: write error on host side\n");
1494 if (blk_read(sd->blk, end >> 9, sd->buf, 1) < 0) {
1495 fprintf(stderr, "sd_blk_write: read error on host side\n");
1498 memcpy(sd->buf, sd->data + 512 - (addr & 511), end & 511);
1499 if (blk_write(sd->blk, end >> 9, sd->buf, 1) < 0) {
1500 fprintf(stderr, "sd_blk_write: write error on host side\n");
1503 memcpy(sd->buf + (addr & 511), sd->data, len);
1504 if (!sd->blk || blk_write(sd->blk, addr >> 9, sd->buf, 1) < 0) {
1505 fprintf(stderr, "sd_blk_write: write error on host side\n");
1510 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1511 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1512 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1513 #define APP_WRITE_BLOCK(a, len)
1515 void sd_write_data(SDState *sd, uint8_t value)
1519 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1522 if (sd->state != sd_receivingdata_state) {
1523 fprintf(stderr, "sd_write_data: not in Receiving-Data state\n");
1527 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1530 switch (sd->current_cmd) {
1531 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1532 sd->data[sd->data_offset ++] = value;
1533 if (sd->data_offset >= sd->blk_len) {
1534 /* TODO: Check CRC before committing */
1535 sd->state = sd_programming_state;
1536 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1538 sd->csd[14] |= 0x40;
1539 /* Bzzzzzzztt .... Operation complete. */
1540 sd->state = sd_transfer_state;
1544 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1545 if (sd->data_offset == 0) {
1546 /* Start of the block - let's check the address is valid */
1547 if (sd->data_start + sd->blk_len > sd->size) {
1548 sd->card_status |= ADDRESS_ERROR;
1551 if (sd_wp_addr(sd, sd->data_start)) {
1552 sd->card_status |= WP_VIOLATION;
1556 sd->data[sd->data_offset++] = value;
1557 if (sd->data_offset >= sd->blk_len) {
1558 /* TODO: Check CRC before committing */
1559 sd->state = sd_programming_state;
1560 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1562 sd->data_start += sd->blk_len;
1563 sd->data_offset = 0;
1564 sd->csd[14] |= 0x40;
1566 /* Bzzzzzzztt .... Operation complete. */
1567 sd->state = sd_receivingdata_state;
1571 case 26: /* CMD26: PROGRAM_CID */
1572 sd->data[sd->data_offset ++] = value;
1573 if (sd->data_offset >= sizeof(sd->cid)) {
1574 /* TODO: Check CRC before committing */
1575 sd->state = sd_programming_state;
1576 for (i = 0; i < sizeof(sd->cid); i ++)
1577 if ((sd->cid[i] | 0x00) != sd->data[i])
1578 sd->card_status |= CID_CSD_OVERWRITE;
1580 if (!(sd->card_status & CID_CSD_OVERWRITE))
1581 for (i = 0; i < sizeof(sd->cid); i ++) {
1583 sd->cid[i] &= sd->data[i];
1585 /* Bzzzzzzztt .... Operation complete. */
1586 sd->state = sd_transfer_state;
1590 case 27: /* CMD27: PROGRAM_CSD */
1591 sd->data[sd->data_offset ++] = value;
1592 if (sd->data_offset >= sizeof(sd->csd)) {
1593 /* TODO: Check CRC before committing */
1594 sd->state = sd_programming_state;
1595 for (i = 0; i < sizeof(sd->csd); i ++)
1596 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1597 (sd->data[i] | sd_csd_rw_mask[i]))
1598 sd->card_status |= CID_CSD_OVERWRITE;
1600 /* Copy flag (OTP) & Permanent write protect */
1601 if (sd->csd[14] & ~sd->data[14] & 0x60)
1602 sd->card_status |= CID_CSD_OVERWRITE;
1604 if (!(sd->card_status & CID_CSD_OVERWRITE))
1605 for (i = 0; i < sizeof(sd->csd); i ++) {
1606 sd->csd[i] |= sd_csd_rw_mask[i];
1607 sd->csd[i] &= sd->data[i];
1609 /* Bzzzzzzztt .... Operation complete. */
1610 sd->state = sd_transfer_state;
1614 case 42: /* CMD42: LOCK_UNLOCK */
1615 sd->data[sd->data_offset ++] = value;
1616 if (sd->data_offset >= sd->blk_len) {
1617 /* TODO: Check CRC before committing */
1618 sd->state = sd_programming_state;
1619 sd_lock_command(sd);
1620 /* Bzzzzzzztt .... Operation complete. */
1621 sd->state = sd_transfer_state;
1625 case 56: /* CMD56: GEN_CMD */
1626 sd->data[sd->data_offset ++] = value;
1627 if (sd->data_offset >= sd->blk_len) {
1628 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1629 sd->state = sd_transfer_state;
1634 fprintf(stderr, "sd_write_data: unknown command\n");
1639 uint8_t sd_read_data(SDState *sd)
1641 /* TODO: Append CRCs */
1645 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1648 if (sd->state != sd_sendingdata_state) {
1649 fprintf(stderr, "sd_read_data: not in Sending-Data state\n");
1653 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1656 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1658 switch (sd->current_cmd) {
1659 case 6: /* CMD6: SWITCH_FUNCTION */
1660 ret = sd->data[sd->data_offset ++];
1662 if (sd->data_offset >= 64)
1663 sd->state = sd_transfer_state;
1666 case 9: /* CMD9: SEND_CSD */
1667 case 10: /* CMD10: SEND_CID */
1668 ret = sd->data[sd->data_offset ++];
1670 if (sd->data_offset >= 16)
1671 sd->state = sd_transfer_state;
1674 case 11: /* CMD11: READ_DAT_UNTIL_STOP */
1675 if (sd->data_offset == 0)
1676 BLK_READ_BLOCK(sd->data_start, io_len);
1677 ret = sd->data[sd->data_offset ++];
1679 if (sd->data_offset >= io_len) {
1680 sd->data_start += io_len;
1681 sd->data_offset = 0;
1682 if (sd->data_start + io_len > sd->size) {
1683 sd->card_status |= ADDRESS_ERROR;
1689 case 13: /* ACMD13: SD_STATUS */
1690 ret = sd->sd_status[sd->data_offset ++];
1692 if (sd->data_offset >= sizeof(sd->sd_status))
1693 sd->state = sd_transfer_state;
1696 case 17: /* CMD17: READ_SINGLE_BLOCK */
1697 if (sd->data_offset == 0)
1698 BLK_READ_BLOCK(sd->data_start, io_len);
1699 ret = sd->data[sd->data_offset ++];
1701 if (sd->data_offset >= io_len)
1702 sd->state = sd_transfer_state;
1705 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1706 if (sd->data_offset == 0)
1707 BLK_READ_BLOCK(sd->data_start, io_len);
1708 ret = sd->data[sd->data_offset ++];
1710 if (sd->data_offset >= io_len) {
1711 sd->data_start += io_len;
1712 sd->data_offset = 0;
1713 if (sd->data_start + io_len > sd->size) {
1714 sd->card_status |= ADDRESS_ERROR;
1720 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1721 ret = sd->data[sd->data_offset ++];
1723 if (sd->data_offset >= 4)
1724 sd->state = sd_transfer_state;
1727 case 30: /* CMD30: SEND_WRITE_PROT */
1728 ret = sd->data[sd->data_offset ++];
1730 if (sd->data_offset >= 4)
1731 sd->state = sd_transfer_state;
1734 case 51: /* ACMD51: SEND_SCR */
1735 ret = sd->scr[sd->data_offset ++];
1737 if (sd->data_offset >= sizeof(sd->scr))
1738 sd->state = sd_transfer_state;
1741 case 56: /* CMD56: GEN_CMD */
1742 if (sd->data_offset == 0)
1743 APP_READ_BLOCK(sd->data_start, sd->blk_len);
1744 ret = sd->data[sd->data_offset ++];
1746 if (sd->data_offset >= sd->blk_len)
1747 sd->state = sd_transfer_state;
1751 fprintf(stderr, "sd_read_data: unknown command\n");
1758 bool sd_data_ready(SDState *sd)
1760 return sd->state == sd_sendingdata_state;
1763 void sd_enable(SDState *sd, bool enable)
1765 sd->enable = enable;
projects / qemu.git / blob