2 * SD Memory Card emulation as defined in the "SD Memory Card Physical
3 * layer specification, Version 1.10."
6 * Copyright (c) 2007 CodeSourcery
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
23 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
27 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 #include "qemu/osdep.h"
35 #include "hw/registerfields.h"
36 #include "sysemu/block-backend.h"
38 #include "qapi/error.h"
39 #include "qemu/bitmap.h"
40 #include "qemu/cutils.h"
41 #include "hw/qdev-properties.h"
42 #include "qemu/error-report.h"
43 #include "qemu/timer.h"
45 #include "sdmmc-internal.h"
51 sd_r0 = 0, /* no response */
52 sd_r1, /* normal response command */
53 sd_r2_i, /* CID register */
54 sd_r2_s, /* CSD register */
55 sd_r3, /* OCR register */
56 sd_r6 = 6, /* Published RCA response */
57 sd_r7, /* Operating voltage */
64 sd_card_identification_mode,
65 sd_data_transfer_mode,
69 sd_inactive_state = -1,
72 sd_identification_state,
76 sd_receivingdata_state,
82 DeviceState parent_obj;
84 /* SD Memory Card Registers */
91 uint8_t sd_status[64];
93 /* Configurable properties */
97 uint32_t mode; /* current card mode, one of SDCardModes */
98 int32_t state; /* current card state, one of SDCardStates */
101 unsigned long *wp_groups;
105 uint32_t multi_blk_cnt;
106 uint32_t erase_start;
110 uint8_t function_group[6];
112 /* True if we will handle the next command as an ACMD. Note that this does
113 * *not* track the APP_CMD status bit!
116 uint32_t blk_written;
118 uint32_t data_offset;
120 qemu_irq readonly_cb;
121 qemu_irq inserted_cb;
122 QEMUTimer *ocr_power_timer;
128 static const char *sd_state_name(enum SDCardStates state)
130 static const char *state_name[] = {
131 [sd_idle_state] = "idle",
132 [sd_ready_state] = "ready",
133 [sd_identification_state] = "identification",
134 [sd_standby_state] = "standby",
135 [sd_transfer_state] = "transfer",
136 [sd_sendingdata_state] = "sendingdata",
137 [sd_receivingdata_state] = "receivingdata",
138 [sd_programming_state] = "programming",
139 [sd_disconnect_state] = "disconnect",
141 if (state == sd_inactive_state) {
144 assert(state <= ARRAY_SIZE(state_name));
145 return state_name[state];
148 static const char *sd_response_name(sd_rsp_type_t rsp)
150 static const char *response_name[] = {
151 [sd_r0] = "RESP#0 (no response)",
152 [sd_r1] = "RESP#1 (normal cmd)",
153 [sd_r2_i] = "RESP#2 (CID reg)",
154 [sd_r2_s] = "RESP#2 (CSD reg)",
155 [sd_r3] = "RESP#3 (OCR reg)",
156 [sd_r6] = "RESP#6 (RCA)",
157 [sd_r7] = "RESP#7 (operating voltage)",
159 if (rsp == sd_illegal) {
160 return "ILLEGAL RESP";
165 assert(rsp <= ARRAY_SIZE(response_name));
166 return response_name[rsp];
169 static uint8_t sd_get_dat_lines(SDState *sd)
171 return sd->enable ? sd->dat_lines : 0;
174 static bool sd_get_cmd_line(SDState *sd)
176 return sd->enable ? sd->cmd_line : false;
179 static void sd_set_voltage(SDState *sd, uint16_t millivolts)
181 trace_sdcard_set_voltage(millivolts);
183 switch (millivolts) {
184 case 3001 ... 3600: /* SD_VOLTAGE_3_3V */
185 case 2001 ... 3000: /* SD_VOLTAGE_3_0V */
188 qemu_log_mask(LOG_GUEST_ERROR, "SD card voltage not supported: %.3fV",
189 millivolts / 1000.f);
193 static void sd_set_mode(SDState *sd)
196 case sd_inactive_state:
197 sd->mode = sd_inactive;
202 case sd_identification_state:
203 sd->mode = sd_card_identification_mode;
206 case sd_standby_state:
207 case sd_transfer_state:
208 case sd_sendingdata_state:
209 case sd_receivingdata_state:
210 case sd_programming_state:
211 case sd_disconnect_state:
212 sd->mode = sd_data_transfer_mode;
217 static const sd_cmd_type_t sd_cmd_type[SDMMC_CMD_MAX] = {
218 sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
219 sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
221 sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
222 sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
224 sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
225 sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
227 sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
228 sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
231 static const int sd_cmd_class[SDMMC_CMD_MAX] = {
232 0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
233 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
234 5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
235 7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
238 static uint8_t sd_crc7(void *message, size_t width)
241 uint8_t shift_reg = 0x00;
242 uint8_t *msg = (uint8_t *) message;
244 for (i = 0; i < width; i ++, msg ++)
245 for (bit = 7; bit >= 0; bit --) {
247 if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
254 static uint16_t sd_crc16(void *message, size_t width)
257 uint16_t shift_reg = 0x0000;
258 uint16_t *msg = (uint16_t *) message;
261 for (i = 0; i < width; i ++, msg ++)
262 for (bit = 15; bit >= 0; bit --) {
264 if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
271 #define OCR_POWER_DELAY_NS 500000 /* 0.5ms */
273 FIELD(OCR, VDD_VOLTAGE_WINDOW, 0, 24)
274 FIELD(OCR, VDD_VOLTAGE_WIN_LO, 0, 8)
275 FIELD(OCR, DUAL_VOLTAGE_CARD, 7, 1)
276 FIELD(OCR, VDD_VOLTAGE_WIN_HI, 8, 16)
277 FIELD(OCR, ACCEPT_SWITCH_1V8, 24, 1) /* Only UHS-I */
278 FIELD(OCR, UHS_II_CARD, 29, 1) /* Only UHS-II */
279 FIELD(OCR, CARD_CAPACITY, 30, 1) /* 0:SDSC, 1:SDHC/SDXC */
280 FIELD(OCR, CARD_POWER_UP, 31, 1)
282 #define ACMD41_ENQUIRY_MASK 0x00ffffff
283 #define ACMD41_R3_MASK (R_OCR_VDD_VOLTAGE_WIN_HI_MASK \
284 | R_OCR_ACCEPT_SWITCH_1V8_MASK \
285 | R_OCR_UHS_II_CARD_MASK \
286 | R_OCR_CARD_CAPACITY_MASK \
287 | R_OCR_CARD_POWER_UP_MASK)
289 static void sd_set_ocr(SDState *sd)
291 /* All voltages OK */
292 sd->ocr = R_OCR_VDD_VOLTAGE_WIN_HI_MASK;
295 static void sd_ocr_powerup(void *opaque)
297 SDState *sd = opaque;
299 trace_sdcard_powerup();
300 assert(!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP));
302 /* card power-up OK */
303 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_POWER_UP, 1);
305 if (sd->size > 1 * G_BYTE) {
306 sd->ocr = FIELD_DP32(sd->ocr, OCR, CARD_CAPACITY, 1);
310 static void sd_set_scr(SDState *sd)
312 sd->scr[0] = (0 << 4) /* SCR version 1.0 */
313 | 0; /* Spec Versions 1.0 and 1.01 */
314 sd->scr[1] = (2 << 4) /* SDSC Card (Security Version 1.01) */
315 | 0b0101; /* 1-bit or 4-bit width bus modes */
316 sd->scr[2] = 0x00; /* Extended Security is not supported. */
318 /* reserved for manufacturer usage */
332 static void sd_set_cid(SDState *sd)
334 sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
335 sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
337 sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
342 sd->cid[8] = PRV; /* Fake product revision (PRV) */
343 sd->cid[9] = 0xde; /* Fake serial number (PSN) */
347 sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
348 ((MDT_YR - 2000) / 10);
349 sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
350 sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
353 #define HWBLOCK_SHIFT 9 /* 512 bytes */
354 #define SECTOR_SHIFT 5 /* 16 kilobytes */
355 #define WPGROUP_SHIFT 7 /* 2 megs */
356 #define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
357 #define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
359 static const uint8_t sd_csd_rw_mask[16] = {
360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
364 static void sd_set_csd(SDState *sd, uint64_t size)
366 uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
367 uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
368 uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
370 if (size <= 1 * G_BYTE) { /* Standard Capacity SD */
371 sd->csd[0] = 0x00; /* CSD structure */
372 sd->csd[1] = 0x26; /* Data read access-time-1 */
373 sd->csd[2] = 0x00; /* Data read access-time-2 */
374 sd->csd[3] = 0x32; /* Max. data transfer rate: 25 MHz */
375 sd->csd[4] = 0x5f; /* Card Command Classes */
376 sd->csd[5] = 0x50 | /* Max. read data block length */
378 sd->csd[6] = 0xe0 | /* Partial block for read allowed */
379 ((csize >> 10) & 0x03);
380 sd->csd[7] = 0x00 | /* Device size */
381 ((csize >> 2) & 0xff);
382 sd->csd[8] = 0x3f | /* Max. read current */
383 ((csize << 6) & 0xc0);
384 sd->csd[9] = 0xfc | /* Max. write current */
385 ((CMULT_SHIFT - 2) >> 1);
386 sd->csd[10] = 0x40 | /* Erase sector size */
387 (((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
388 sd->csd[11] = 0x00 | /* Write protect group size */
389 ((sectsize << 7) & 0x80) | wpsize;
390 sd->csd[12] = 0x90 | /* Write speed factor */
391 (HWBLOCK_SHIFT >> 2);
392 sd->csd[13] = 0x20 | /* Max. write data block length */
393 ((HWBLOCK_SHIFT << 6) & 0xc0);
394 sd->csd[14] = 0x00; /* File format group */
405 sd->csd[7] = (size >> 16) & 0xff;
406 sd->csd[8] = (size >> 8) & 0xff;
407 sd->csd[9] = (size & 0xff);
414 sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
417 static void sd_set_rca(SDState *sd)
422 FIELD(CSR, AKE_SEQ_ERROR, 3, 1)
423 FIELD(CSR, APP_CMD, 5, 1)
424 FIELD(CSR, FX_EVENT, 6, 1)
425 FIELD(CSR, READY_FOR_DATA, 8, 1)
426 FIELD(CSR, CURRENT_STATE, 9, 4)
427 FIELD(CSR, ERASE_RESET, 13, 1)
428 FIELD(CSR, CARD_ECC_DISABLED, 14, 1)
429 FIELD(CSR, WP_ERASE_SKIP, 15, 1)
430 FIELD(CSR, CSD_OVERWRITE, 16, 1)
431 FIELD(CSR, DEFERRED_RESPONSE, 17, 1)
432 FIELD(CSR, ERROR, 19, 1)
433 FIELD(CSR, CC_ERROR, 20, 1)
434 FIELD(CSR, CARD_ECC_FAILED, 21, 1)
435 FIELD(CSR, ILLEGAL_COMMAND, 22, 1)
436 FIELD(CSR, COM_CRC_ERROR, 23, 1)
437 FIELD(CSR, LOCK_UNLOCK_FAILED, 24, 1)
438 FIELD(CSR, CARD_IS_LOCKED, 25, 1)
439 FIELD(CSR, WP_VIOLATION, 26, 1)
440 FIELD(CSR, ERASE_PARAM, 27, 1)
441 FIELD(CSR, ERASE_SEQ_ERROR, 28, 1)
442 FIELD(CSR, BLOCK_LEN_ERROR, 29, 1)
443 FIELD(CSR, ADDRESS_ERROR, 30, 1)
444 FIELD(CSR, OUT_OF_RANGE, 31, 1)
446 /* Card status bits, split by clear condition:
447 * A : According to the card current state
448 * B : Always related to the previous command
449 * C : Cleared by read
451 #define CARD_STATUS_A (R_CSR_READY_FOR_DATA_MASK \
452 | R_CSR_CARD_ECC_DISABLED_MASK \
453 | R_CSR_CARD_IS_LOCKED_MASK)
454 #define CARD_STATUS_B (R_CSR_CURRENT_STATE_MASK \
455 | R_CSR_ILLEGAL_COMMAND_MASK \
456 | R_CSR_COM_CRC_ERROR_MASK)
457 #define CARD_STATUS_C (R_CSR_AKE_SEQ_ERROR_MASK \
458 | R_CSR_APP_CMD_MASK \
459 | R_CSR_ERASE_RESET_MASK \
460 | R_CSR_WP_ERASE_SKIP_MASK \
461 | R_CSR_CSD_OVERWRITE_MASK \
463 | R_CSR_CC_ERROR_MASK \
464 | R_CSR_CARD_ECC_FAILED_MASK \
465 | R_CSR_LOCK_UNLOCK_FAILED_MASK \
466 | R_CSR_WP_VIOLATION_MASK \
467 | R_CSR_ERASE_PARAM_MASK \
468 | R_CSR_ERASE_SEQ_ERROR_MASK \
469 | R_CSR_BLOCK_LEN_ERROR_MASK \
470 | R_CSR_ADDRESS_ERROR_MASK \
471 | R_CSR_OUT_OF_RANGE_MASK)
473 static void sd_set_cardstatus(SDState *sd)
475 sd->card_status = 0x00000100;
478 static void sd_set_sdstatus(SDState *sd)
480 memset(sd->sd_status, 0, 64);
483 static int sd_req_crc_validate(SDRequest *req)
486 buffer[0] = 0x40 | req->cmd;
487 stl_be_p(&buffer[1], req->arg);
489 return sd_crc7(buffer, 5) != req->crc; /* TODO */
492 static void sd_response_r1_make(SDState *sd, uint8_t *response)
494 stl_be_p(response, sd->card_status);
496 /* Clear the "clear on read" status bits */
497 sd->card_status &= ~CARD_STATUS_C;
500 static void sd_response_r3_make(SDState *sd, uint8_t *response)
502 stl_be_p(response, sd->ocr & ACMD41_R3_MASK);
505 static void sd_response_r6_make(SDState *sd, uint8_t *response)
509 status = ((sd->card_status >> 8) & 0xc000) |
510 ((sd->card_status >> 6) & 0x2000) |
511 (sd->card_status & 0x1fff);
512 sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
513 stw_be_p(response + 0, sd->rca);
514 stw_be_p(response + 2, status);
517 static void sd_response_r7_make(SDState *sd, uint8_t *response)
519 stl_be_p(response, sd->vhs);
522 static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
524 return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
527 static void sd_reset(DeviceState *dev)
529 SDState *sd = SD_CARD(dev);
533 trace_sdcard_reset();
535 blk_get_geometry(sd->blk, §);
541 sect = sd_addr_to_wpnum(size) + 1;
543 sd->state = sd_idle_state;
548 sd_set_csd(sd, size);
549 sd_set_cardstatus(sd);
552 g_free(sd->wp_groups);
553 sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
554 sd->wpgrps_size = sect;
555 sd->wp_groups = bitmap_new(sd->wpgrps_size);
556 memset(sd->function_group, 0, sizeof(sd->function_group));
562 sd->expecting_acmd = false;
565 sd->multi_blk_cnt = 0;
568 static bool sd_get_inserted(SDState *sd)
570 return sd->blk && blk_is_inserted(sd->blk);
573 static bool sd_get_readonly(SDState *sd)
575 return sd->wp_switch;
578 static void sd_cardchange(void *opaque, bool load, Error **errp)
580 SDState *sd = opaque;
581 DeviceState *dev = DEVICE(sd);
582 SDBus *sdbus = SD_BUS(qdev_get_parent_bus(dev));
583 bool inserted = sd_get_inserted(sd);
584 bool readonly = sd_get_readonly(sd);
587 trace_sdcard_inserted(readonly);
590 trace_sdcard_ejected();
593 /* The IRQ notification is for legacy non-QOM SD controller devices;
594 * QOMified controllers use the SDBus APIs.
597 sdbus_set_inserted(sdbus, inserted);
599 sdbus_set_readonly(sdbus, readonly);
602 qemu_set_irq(sd->inserted_cb, inserted);
604 qemu_set_irq(sd->readonly_cb, readonly);
609 static const BlockDevOps sd_block_ops = {
610 .change_media_cb = sd_cardchange,
613 static bool sd_ocr_vmstate_needed(void *opaque)
615 SDState *sd = opaque;
617 /* Include the OCR state (and timer) if it is not yet powered up */
618 return !FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP);
621 static const VMStateDescription sd_ocr_vmstate = {
622 .name = "sd-card/ocr-state",
624 .minimum_version_id = 1,
625 .needed = sd_ocr_vmstate_needed,
626 .fields = (VMStateField[]) {
627 VMSTATE_UINT32(ocr, SDState),
628 VMSTATE_TIMER_PTR(ocr_power_timer, SDState),
629 VMSTATE_END_OF_LIST()
633 static int sd_vmstate_pre_load(void *opaque)
635 SDState *sd = opaque;
637 /* If the OCR state is not included (prior versions, or not
638 * needed), then the OCR must be set as powered up. If the OCR state
639 * is included, this will be replaced by the state restore.
646 static const VMStateDescription sd_vmstate = {
649 .minimum_version_id = 1,
650 .pre_load = sd_vmstate_pre_load,
651 .fields = (VMStateField[]) {
652 VMSTATE_UINT32(mode, SDState),
653 VMSTATE_INT32(state, SDState),
654 VMSTATE_UINT8_ARRAY(cid, SDState, 16),
655 VMSTATE_UINT8_ARRAY(csd, SDState, 16),
656 VMSTATE_UINT16(rca, SDState),
657 VMSTATE_UINT32(card_status, SDState),
658 VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
659 VMSTATE_UINT32(vhs, SDState),
660 VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
661 VMSTATE_UINT32(blk_len, SDState),
662 VMSTATE_UINT32(multi_blk_cnt, SDState),
663 VMSTATE_UINT32(erase_start, SDState),
664 VMSTATE_UINT32(erase_end, SDState),
665 VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
666 VMSTATE_UINT32(pwd_len, SDState),
667 VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
668 VMSTATE_UINT8(current_cmd, SDState),
669 VMSTATE_BOOL(expecting_acmd, SDState),
670 VMSTATE_UINT32(blk_written, SDState),
671 VMSTATE_UINT64(data_start, SDState),
672 VMSTATE_UINT32(data_offset, SDState),
673 VMSTATE_UINT8_ARRAY(data, SDState, 512),
674 VMSTATE_UNUSED_V(1, 512),
675 VMSTATE_BOOL(enable, SDState),
676 VMSTATE_END_OF_LIST()
678 .subsections = (const VMStateDescription*[]) {
684 /* Legacy initialization function for use by non-qdevified callers */
685 SDState *sd_init(BlockBackend *blk, bool is_spi)
691 obj = object_new(TYPE_SD_CARD);
693 qdev_prop_set_drive(dev, "drive", blk, &err);
695 error_report("sd_init failed: %s", error_get_pretty(err));
698 qdev_prop_set_bit(dev, "spi", is_spi);
699 object_property_set_bool(obj, true, "realized", &err);
701 error_report("sd_init failed: %s", error_get_pretty(err));
708 void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
710 sd->readonly_cb = readonly;
711 sd->inserted_cb = insert;
712 qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
713 qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
716 static void sd_erase(SDState *sd)
719 uint64_t erase_start = sd->erase_start;
720 uint64_t erase_end = sd->erase_end;
722 trace_sdcard_erase();
723 if (!sd->erase_start || !sd->erase_end) {
724 sd->card_status |= ERASE_SEQ_ERROR;
728 if (FIELD_EX32(sd->ocr, OCR, CARD_CAPACITY)) {
729 /* High capacity memory card: erase units are 512 byte blocks */
734 erase_start = sd_addr_to_wpnum(erase_start);
735 erase_end = sd_addr_to_wpnum(erase_end);
740 for (i = erase_start; i <= erase_end; i++) {
741 if (test_bit(i, sd->wp_groups)) {
742 sd->card_status |= WP_ERASE_SKIP;
747 static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
752 wpnum = sd_addr_to_wpnum(addr);
754 for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
755 if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
763 static void sd_function_switch(SDState *sd, uint32_t arg)
765 int i, mode, new_func;
766 mode = !!(arg & 0x80000000);
768 sd->data[0] = 0x00; /* Maximum current consumption */
770 sd->data[2] = 0x80; /* Supported group 6 functions */
772 sd->data[4] = 0x80; /* Supported group 5 functions */
774 sd->data[6] = 0x80; /* Supported group 4 functions */
776 sd->data[8] = 0x80; /* Supported group 3 functions */
778 sd->data[10] = 0x80; /* Supported group 2 functions */
780 sd->data[12] = 0x80; /* Supported group 1 functions */
782 for (i = 0; i < 6; i ++) {
783 new_func = (arg >> (i * 4)) & 0x0f;
784 if (mode && new_func != 0x0f)
785 sd->function_group[i] = new_func;
786 sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
788 memset(&sd->data[17], 0, 47);
789 stw_be_p(sd->data + 65, sd_crc16(sd->data, 64));
792 static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
794 return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
797 static void sd_lock_command(SDState *sd)
799 int erase, lock, clr_pwd, set_pwd, pwd_len;
800 erase = !!(sd->data[0] & 0x08);
801 lock = sd->data[0] & 0x04;
802 clr_pwd = sd->data[0] & 0x02;
803 set_pwd = sd->data[0] & 0x01;
806 pwd_len = sd->data[1];
813 trace_sdcard_unlock();
816 if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
817 set_pwd || clr_pwd || lock || sd->wp_switch ||
818 (sd->csd[14] & 0x20)) {
819 sd->card_status |= LOCK_UNLOCK_FAILED;
822 bitmap_zero(sd->wp_groups, sd->wpgrps_size);
823 sd->csd[14] &= ~0x10;
824 sd->card_status &= ~CARD_IS_LOCKED;
826 /* Erasing the entire card here! */
827 fprintf(stderr, "SD: Card force-erased by CMD42\n");
831 if (sd->blk_len < 2 + pwd_len ||
832 pwd_len <= sd->pwd_len ||
833 pwd_len > sd->pwd_len + 16) {
834 sd->card_status |= LOCK_UNLOCK_FAILED;
838 if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
839 sd->card_status |= LOCK_UNLOCK_FAILED;
843 pwd_len -= sd->pwd_len;
844 if ((pwd_len && !set_pwd) ||
845 (clr_pwd && (set_pwd || lock)) ||
846 (lock && !sd->pwd_len && !set_pwd) ||
847 (!set_pwd && !clr_pwd &&
848 (((sd->card_status & CARD_IS_LOCKED) && lock) ||
849 (!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
850 sd->card_status |= LOCK_UNLOCK_FAILED;
855 memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
856 sd->pwd_len = pwd_len;
864 sd->card_status |= CARD_IS_LOCKED;
866 sd->card_status &= ~CARD_IS_LOCKED;
869 static sd_rsp_type_t sd_normal_command(SDState *sd,
872 uint32_t rca = 0x0000;
873 uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
875 trace_sdcard_normal_command(req.cmd, req.arg, sd_state_name(sd->state));
877 /* Not interpreting this as an app command */
878 sd->card_status &= ~APP_CMD;
880 if (sd_cmd_type[req.cmd] == sd_ac
881 || sd_cmd_type[req.cmd] == sd_adtc) {
885 /* CMD23 (set block count) must be immediately followed by CMD18 or CMD25
886 * if not, its effects are cancelled */
887 if (sd->multi_blk_cnt != 0 && !(req.cmd == 18 || req.cmd == 25)) {
888 sd->multi_blk_cnt = 0;
892 /* Basic commands (Class 0 and Class 1) */
893 case 0: /* CMD0: GO_IDLE_STATE */
895 case sd_inactive_state:
896 return sd->spi ? sd_r1 : sd_r0;
899 sd->state = sd_idle_state;
900 sd_reset(DEVICE(sd));
901 return sd->spi ? sd_r1 : sd_r0;
905 case 1: /* CMD1: SEND_OP_CMD */
909 sd->state = sd_transfer_state;
912 case 2: /* CMD2: ALL_SEND_CID */
917 sd->state = sd_identification_state;
925 case 3: /* CMD3: SEND_RELATIVE_ADDR */
929 case sd_identification_state:
930 case sd_standby_state:
931 sd->state = sd_standby_state;
940 case 4: /* CMD4: SEND_DSR */
944 case sd_standby_state:
952 case 5: /* CMD5: reserved for SDIO cards */
955 case 6: /* CMD6: SWITCH_FUNCTION */
959 case sd_data_transfer_mode:
960 sd_function_switch(sd, req.arg);
961 sd->state = sd_sendingdata_state;
971 case 7: /* CMD7: SELECT/DESELECT_CARD */
975 case sd_standby_state:
979 sd->state = sd_transfer_state;
982 case sd_transfer_state:
983 case sd_sendingdata_state:
987 sd->state = sd_standby_state;
990 case sd_disconnect_state:
994 sd->state = sd_programming_state;
997 case sd_programming_state:
1001 sd->state = sd_disconnect_state;
1009 case 8: /* CMD8: SEND_IF_COND */
1010 /* Physical Layer Specification Version 2.00 command */
1011 switch (sd->state) {
1015 /* No response if not exactly one VHS bit is set. */
1016 if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
1017 return sd->spi ? sd_r7 : sd_r0;
1029 case 9: /* CMD9: SEND_CSD */
1030 switch (sd->state) {
1031 case sd_standby_state:
1037 case sd_transfer_state:
1040 sd->state = sd_sendingdata_state;
1041 memcpy(sd->data, sd->csd, 16);
1042 sd->data_start = addr;
1043 sd->data_offset = 0;
1051 case 10: /* CMD10: SEND_CID */
1052 switch (sd->state) {
1053 case sd_standby_state:
1059 case sd_transfer_state:
1062 sd->state = sd_sendingdata_state;
1063 memcpy(sd->data, sd->cid, 16);
1064 sd->data_start = addr;
1065 sd->data_offset = 0;
1073 case 12: /* CMD12: STOP_TRANSMISSION */
1074 switch (sd->state) {
1075 case sd_sendingdata_state:
1076 sd->state = sd_transfer_state;
1079 case sd_receivingdata_state:
1080 sd->state = sd_programming_state;
1081 /* Bzzzzzzztt .... Operation complete. */
1082 sd->state = sd_transfer_state;
1090 case 13: /* CMD13: SEND_STATUS */
1092 case sd_data_transfer_mode:
1103 case 15: /* CMD15: GO_INACTIVE_STATE */
1107 case sd_data_transfer_mode:
1111 sd->state = sd_inactive_state;
1119 /* Block read commands (Classs 2) */
1120 case 16: /* CMD16: SET_BLOCKLEN */
1121 switch (sd->state) {
1122 case sd_transfer_state:
1123 if (req.arg > (1 << HWBLOCK_SHIFT)) {
1124 sd->card_status |= BLOCK_LEN_ERROR;
1126 trace_sdcard_set_blocklen(req.arg);
1127 sd->blk_len = req.arg;
1137 case 17: /* CMD17: READ_SINGLE_BLOCK */
1138 switch (sd->state) {
1139 case sd_transfer_state:
1140 sd->state = sd_sendingdata_state;
1141 sd->data_start = addr;
1142 sd->data_offset = 0;
1144 if (sd->data_start + sd->blk_len > sd->size)
1145 sd->card_status |= ADDRESS_ERROR;
1153 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1154 switch (sd->state) {
1155 case sd_transfer_state:
1156 sd->state = sd_sendingdata_state;
1157 sd->data_start = addr;
1158 sd->data_offset = 0;
1160 if (sd->data_start + sd->blk_len > sd->size)
1161 sd->card_status |= ADDRESS_ERROR;
1169 case 23: /* CMD23: SET_BLOCK_COUNT */
1170 switch (sd->state) {
1171 case sd_transfer_state:
1172 sd->multi_blk_cnt = req.arg;
1180 /* Block write commands (Class 4) */
1181 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1183 goto unimplemented_spi_cmd;
1185 switch (sd->state) {
1186 case sd_transfer_state:
1187 /* Writing in SPI mode not implemented. */
1190 sd->state = sd_receivingdata_state;
1191 sd->data_start = addr;
1192 sd->data_offset = 0;
1193 sd->blk_written = 0;
1195 if (sd->data_start + sd->blk_len > sd->size)
1196 sd->card_status |= ADDRESS_ERROR;
1197 if (sd_wp_addr(sd, sd->data_start))
1198 sd->card_status |= WP_VIOLATION;
1199 if (sd->csd[14] & 0x30)
1200 sd->card_status |= WP_VIOLATION;
1208 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1210 goto unimplemented_spi_cmd;
1212 switch (sd->state) {
1213 case sd_transfer_state:
1214 /* Writing in SPI mode not implemented. */
1217 sd->state = sd_receivingdata_state;
1218 sd->data_start = addr;
1219 sd->data_offset = 0;
1220 sd->blk_written = 0;
1222 if (sd->data_start + sd->blk_len > sd->size)
1223 sd->card_status |= ADDRESS_ERROR;
1224 if (sd_wp_addr(sd, sd->data_start))
1225 sd->card_status |= WP_VIOLATION;
1226 if (sd->csd[14] & 0x30)
1227 sd->card_status |= WP_VIOLATION;
1235 case 26: /* CMD26: PROGRAM_CID */
1238 switch (sd->state) {
1239 case sd_transfer_state:
1240 sd->state = sd_receivingdata_state;
1242 sd->data_offset = 0;
1250 case 27: /* CMD27: PROGRAM_CSD */
1252 goto unimplemented_spi_cmd;
1254 switch (sd->state) {
1255 case sd_transfer_state:
1256 sd->state = sd_receivingdata_state;
1258 sd->data_offset = 0;
1266 /* Write protection (Class 6) */
1267 case 28: /* CMD28: SET_WRITE_PROT */
1268 switch (sd->state) {
1269 case sd_transfer_state:
1270 if (addr >= sd->size) {
1271 sd->card_status |= ADDRESS_ERROR;
1275 sd->state = sd_programming_state;
1276 set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1277 /* Bzzzzzzztt .... Operation complete. */
1278 sd->state = sd_transfer_state;
1286 case 29: /* CMD29: CLR_WRITE_PROT */
1287 switch (sd->state) {
1288 case sd_transfer_state:
1289 if (addr >= sd->size) {
1290 sd->card_status |= ADDRESS_ERROR;
1294 sd->state = sd_programming_state;
1295 clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1296 /* Bzzzzzzztt .... Operation complete. */
1297 sd->state = sd_transfer_state;
1305 case 30: /* CMD30: SEND_WRITE_PROT */
1306 switch (sd->state) {
1307 case sd_transfer_state:
1308 sd->state = sd_sendingdata_state;
1309 *(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1310 sd->data_start = addr;
1311 sd->data_offset = 0;
1319 /* Erase commands (Class 5) */
1320 case 32: /* CMD32: ERASE_WR_BLK_START */
1321 switch (sd->state) {
1322 case sd_transfer_state:
1323 sd->erase_start = req.arg;
1331 case 33: /* CMD33: ERASE_WR_BLK_END */
1332 switch (sd->state) {
1333 case sd_transfer_state:
1334 sd->erase_end = req.arg;
1342 case 38: /* CMD38: ERASE */
1343 switch (sd->state) {
1344 case sd_transfer_state:
1345 if (sd->csd[14] & 0x30) {
1346 sd->card_status |= WP_VIOLATION;
1350 sd->state = sd_programming_state;
1352 /* Bzzzzzzztt .... Operation complete. */
1353 sd->state = sd_transfer_state;
1361 /* Lock card commands (Class 7) */
1362 case 42: /* CMD42: LOCK_UNLOCK */
1364 goto unimplemented_spi_cmd;
1366 switch (sd->state) {
1367 case sd_transfer_state:
1368 sd->state = sd_receivingdata_state;
1370 sd->data_offset = 0;
1379 /* CMD52, CMD53, CMD54: reserved for SDIO cards
1380 * (see the SDIO Simplified Specification V2.0)
1381 * Handle as illegal command but do not complain
1382 * on stderr, as some OSes may use these in their
1383 * probing for presence of an SDIO card.
1387 /* Application specific commands (Class 8) */
1388 case 55: /* CMD55: APP_CMD */
1390 if (sd->rca != rca) {
1394 sd->expecting_acmd = true;
1395 sd->card_status |= APP_CMD;
1398 case 56: /* CMD56: GEN_CMD */
1399 switch (sd->state) {
1400 case sd_transfer_state:
1401 sd->data_offset = 0;
1403 sd->state = sd_sendingdata_state;
1405 sd->state = sd_receivingdata_state;
1413 case 58: /* CMD58: READ_OCR (SPI) */
1419 case 59: /* CMD59: CRC_ON_OFF (SPI) */
1423 goto unimplemented_spi_cmd;
1427 qemu_log_mask(LOG_GUEST_ERROR, "SD: Unknown CMD%i\n", req.cmd);
1430 unimplemented_spi_cmd:
1431 /* Commands that are recognised but not yet implemented in SPI mode. */
1432 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1437 qemu_log_mask(LOG_GUEST_ERROR, "SD: CMD%i in a wrong state\n", req.cmd);
1441 static sd_rsp_type_t sd_app_command(SDState *sd,
1444 trace_sdcard_app_command(req.cmd, req.arg);
1445 sd->card_status |= APP_CMD;
1447 case 6: /* ACMD6: SET_BUS_WIDTH */
1449 goto unimplemented_spi_cmd;
1451 switch (sd->state) {
1452 case sd_transfer_state:
1453 sd->sd_status[0] &= 0x3f;
1454 sd->sd_status[0] |= (req.arg & 0x03) << 6;
1462 case 13: /* ACMD13: SD_STATUS */
1463 switch (sd->state) {
1464 case sd_transfer_state:
1465 sd->state = sd_sendingdata_state;
1467 sd->data_offset = 0;
1475 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1476 switch (sd->state) {
1477 case sd_transfer_state:
1478 *(uint32_t *) sd->data = sd->blk_written;
1480 sd->state = sd_sendingdata_state;
1482 sd->data_offset = 0;
1490 case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1491 switch (sd->state) {
1492 case sd_transfer_state:
1500 case 41: /* ACMD41: SD_APP_OP_COND */
1503 sd->state = sd_transfer_state;
1506 switch (sd->state) {
1508 /* If it's the first ACMD41 since reset, we need to decide
1509 * whether to power up. If this is not an enquiry ACMD41,
1510 * we immediately report power on and proceed below to the
1511 * ready state, but if it is, we set a timer to model a
1512 * delay for power up. This works around a bug in EDK2
1513 * UEFI, which sends an initial enquiry ACMD41, but
1514 * assumes that the card is in ready state as soon as it
1515 * sees the power up bit set. */
1516 if (!FIELD_EX32(sd->ocr, OCR, CARD_POWER_UP)) {
1517 if ((req.arg & ACMD41_ENQUIRY_MASK) != 0) {
1518 timer_del(sd->ocr_power_timer);
1521 trace_sdcard_inquiry_cmd41();
1522 if (!timer_pending(sd->ocr_power_timer)) {
1523 timer_mod_ns(sd->ocr_power_timer,
1524 (qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)
1525 + OCR_POWER_DELAY_NS));
1530 /* We accept any voltage. 10000 V is nothing.
1532 * Once we're powered up, we advance straight to ready state
1533 * unless it's an enquiry ACMD41 (bits 23:0 == 0).
1535 if (req.arg & ACMD41_ENQUIRY_MASK) {
1536 sd->state = sd_ready_state;
1546 case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1547 switch (sd->state) {
1548 case sd_transfer_state:
1549 /* Bringing in the 50KOhm pull-up resistor... Done. */
1557 case 51: /* ACMD51: SEND_SCR */
1558 switch (sd->state) {
1559 case sd_transfer_state:
1560 sd->state = sd_sendingdata_state;
1562 sd->data_offset = 0;
1570 case 18: /* Reserved for SD security applications */
1575 /* Refer to the "SD Specifications Part3 Security Specification" for
1576 * information about the SD Security Features.
1578 qemu_log_mask(LOG_UNIMP, "SD: CMD%i Security not implemented\n",
1583 /* Fall back to standard commands. */
1584 return sd_normal_command(sd, req);
1586 unimplemented_spi_cmd:
1587 /* Commands that are recognised but not yet implemented in SPI mode. */
1588 qemu_log_mask(LOG_UNIMP, "SD: CMD%i not implemented in SPI mode\n",
1593 qemu_log_mask(LOG_GUEST_ERROR, "SD: ACMD%i in a wrong state\n", req.cmd);
1597 static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1599 /* Valid commands in locked state:
1601 * lock card class (7)
1603 * implicitly, the ACMD prefix CMD55
1605 * Anything else provokes an "illegal command" response.
1607 if (sd->expecting_acmd) {
1608 return req->cmd == 41 || req->cmd == 42;
1610 if (req->cmd == 16 || req->cmd == 55) {
1613 return sd_cmd_class[req->cmd] == 0
1614 || sd_cmd_class[req->cmd] == 7;
1617 int sd_do_command(SDState *sd, SDRequest *req,
1618 uint8_t *response) {
1620 sd_rsp_type_t rtype;
1623 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable) {
1627 if (sd_req_crc_validate(req)) {
1628 sd->card_status |= COM_CRC_ERROR;
1633 if (req->cmd >= SDMMC_CMD_MAX) {
1634 qemu_log_mask(LOG_GUEST_ERROR, "SD: incorrect command 0x%02x\n",
1639 if (sd->card_status & CARD_IS_LOCKED) {
1640 if (!cmd_valid_while_locked(sd, req)) {
1641 sd->card_status |= ILLEGAL_COMMAND;
1642 sd->expecting_acmd = false;
1643 qemu_log_mask(LOG_GUEST_ERROR, "SD: Card is locked\n");
1649 last_state = sd->state;
1652 if (sd->expecting_acmd) {
1653 sd->expecting_acmd = false;
1654 rtype = sd_app_command(sd, *req);
1656 rtype = sd_normal_command(sd, *req);
1659 if (rtype == sd_illegal) {
1660 sd->card_status |= ILLEGAL_COMMAND;
1662 /* Valid command, we can update the 'state before command' bits.
1663 * (Do this now so they appear in r1 responses.)
1665 sd->current_cmd = req->cmd;
1666 sd->card_status &= ~CURRENT_STATE;
1667 sd->card_status |= (last_state << 9);
1674 sd_response_r1_make(sd, response);
1679 memcpy(response, sd->cid, sizeof(sd->cid));
1684 memcpy(response, sd->csd, sizeof(sd->csd));
1689 sd_response_r3_make(sd, response);
1694 sd_response_r6_make(sd, response);
1699 sd_response_r7_make(sd, response);
1708 g_assert_not_reached();
1710 trace_sdcard_response(sd_response_name(rtype), rsplen);
1712 if (rtype != sd_illegal) {
1713 /* Clear the "clear on valid command" status bits now we've
1716 sd->card_status &= ~CARD_STATUS_B;
1720 qemu_hexdump((const char *)response, stderr, "Response", rsplen);
1726 static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1728 trace_sdcard_read_block(addr, len);
1729 if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
1730 fprintf(stderr, "sd_blk_read: read error on host side\n");
1734 static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1736 trace_sdcard_write_block(addr, len);
1737 if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
1738 fprintf(stderr, "sd_blk_write: write error on host side\n");
1742 #define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1743 #define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1744 #define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1745 #define APP_WRITE_BLOCK(a, len)
1747 void sd_write_data(SDState *sd, uint8_t value)
1751 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1754 if (sd->state != sd_receivingdata_state) {
1755 qemu_log_mask(LOG_GUEST_ERROR,
1756 "sd_write_data: not in Receiving-Data state\n");
1760 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1763 trace_sdcard_write_data(sd->current_cmd, value);
1764 switch (sd->current_cmd) {
1765 case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1766 sd->data[sd->data_offset ++] = value;
1767 if (sd->data_offset >= sd->blk_len) {
1768 /* TODO: Check CRC before committing */
1769 sd->state = sd_programming_state;
1770 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1772 sd->csd[14] |= 0x40;
1773 /* Bzzzzzzztt .... Operation complete. */
1774 sd->state = sd_transfer_state;
1778 case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1779 if (sd->data_offset == 0) {
1780 /* Start of the block - let's check the address is valid */
1781 if (sd->data_start + sd->blk_len > sd->size) {
1782 sd->card_status |= ADDRESS_ERROR;
1785 if (sd_wp_addr(sd, sd->data_start)) {
1786 sd->card_status |= WP_VIOLATION;
1790 sd->data[sd->data_offset++] = value;
1791 if (sd->data_offset >= sd->blk_len) {
1792 /* TODO: Check CRC before committing */
1793 sd->state = sd_programming_state;
1794 BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1796 sd->data_start += sd->blk_len;
1797 sd->data_offset = 0;
1798 sd->csd[14] |= 0x40;
1800 /* Bzzzzzzztt .... Operation complete. */
1801 if (sd->multi_blk_cnt != 0) {
1802 if (--sd->multi_blk_cnt == 0) {
1804 sd->state = sd_transfer_state;
1809 sd->state = sd_receivingdata_state;
1813 case 26: /* CMD26: PROGRAM_CID */
1814 sd->data[sd->data_offset ++] = value;
1815 if (sd->data_offset >= sizeof(sd->cid)) {
1816 /* TODO: Check CRC before committing */
1817 sd->state = sd_programming_state;
1818 for (i = 0; i < sizeof(sd->cid); i ++)
1819 if ((sd->cid[i] | 0x00) != sd->data[i])
1820 sd->card_status |= CID_CSD_OVERWRITE;
1822 if (!(sd->card_status & CID_CSD_OVERWRITE))
1823 for (i = 0; i < sizeof(sd->cid); i ++) {
1825 sd->cid[i] &= sd->data[i];
1827 /* Bzzzzzzztt .... Operation complete. */
1828 sd->state = sd_transfer_state;
1832 case 27: /* CMD27: PROGRAM_CSD */
1833 sd->data[sd->data_offset ++] = value;
1834 if (sd->data_offset >= sizeof(sd->csd)) {
1835 /* TODO: Check CRC before committing */
1836 sd->state = sd_programming_state;
1837 for (i = 0; i < sizeof(sd->csd); i ++)
1838 if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1839 (sd->data[i] | sd_csd_rw_mask[i]))
1840 sd->card_status |= CID_CSD_OVERWRITE;
1842 /* Copy flag (OTP) & Permanent write protect */
1843 if (sd->csd[14] & ~sd->data[14] & 0x60)
1844 sd->card_status |= CID_CSD_OVERWRITE;
1846 if (!(sd->card_status & CID_CSD_OVERWRITE))
1847 for (i = 0; i < sizeof(sd->csd); i ++) {
1848 sd->csd[i] |= sd_csd_rw_mask[i];
1849 sd->csd[i] &= sd->data[i];
1851 /* Bzzzzzzztt .... Operation complete. */
1852 sd->state = sd_transfer_state;
1856 case 42: /* CMD42: LOCK_UNLOCK */
1857 sd->data[sd->data_offset ++] = value;
1858 if (sd->data_offset >= sd->blk_len) {
1859 /* TODO: Check CRC before committing */
1860 sd->state = sd_programming_state;
1861 sd_lock_command(sd);
1862 /* Bzzzzzzztt .... Operation complete. */
1863 sd->state = sd_transfer_state;
1867 case 56: /* CMD56: GEN_CMD */
1868 sd->data[sd->data_offset ++] = value;
1869 if (sd->data_offset >= sd->blk_len) {
1870 APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1871 sd->state = sd_transfer_state;
1876 qemu_log_mask(LOG_GUEST_ERROR, "sd_write_data: unknown command\n");
1881 uint8_t sd_read_data(SDState *sd)
1883 /* TODO: Append CRCs */
1887 if (!sd->blk || !blk_is_inserted(sd->blk) || !sd->enable)
1890 if (sd->state != sd_sendingdata_state) {
1891 qemu_log_mask(LOG_GUEST_ERROR,
1892 "sd_read_data: not in Sending-Data state\n");
1896 if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1899 io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1901 trace_sdcard_read_data(sd->current_cmd, io_len);
1902 switch (sd->current_cmd) {
1903 case 6: /* CMD6: SWITCH_FUNCTION */
1904 ret = sd->data[sd->data_offset ++];
1906 if (sd->data_offset >= 64)
1907 sd->state = sd_transfer_state;
1910 case 9: /* CMD9: SEND_CSD */
1911 case 10: /* CMD10: SEND_CID */
1912 ret = sd->data[sd->data_offset ++];
1914 if (sd->data_offset >= 16)
1915 sd->state = sd_transfer_state;
1918 case 13: /* ACMD13: SD_STATUS */
1919 ret = sd->sd_status[sd->data_offset ++];
1921 if (sd->data_offset >= sizeof(sd->sd_status))
1922 sd->state = sd_transfer_state;
1925 case 17: /* CMD17: READ_SINGLE_BLOCK */
1926 if (sd->data_offset == 0)
1927 BLK_READ_BLOCK(sd->data_start, io_len);
1928 ret = sd->data[sd->data_offset ++];
1930 if (sd->data_offset >= io_len)
1931 sd->state = sd_transfer_state;
1934 case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1935 if (sd->data_offset == 0) {
1936 if (sd->data_start + io_len > sd->size) {
1937 sd->card_status |= ADDRESS_ERROR;
1940 BLK_READ_BLOCK(sd->data_start, io_len);
1942 ret = sd->data[sd->data_offset ++];
1944 if (sd->data_offset >= io_len) {
1945 sd->data_start += io_len;
1946 sd->data_offset = 0;
1948 if (sd->multi_blk_cnt != 0) {
1949 if (--sd->multi_blk_cnt == 0) {
1951 sd->state = sd_transfer_state;
1958 case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1959 ret = sd->data[sd->data_offset ++];
1961 if (sd->data_offset >= 4)
1962 sd->state = sd_transfer_state;
1965 case 30: /* CMD30: SEND_WRITE_PROT */
1966 ret = sd->data[sd->data_offset ++];
1968 if (sd->data_offset >= 4)
1969 sd->state = sd_transfer_state;
1972 case 51: /* ACMD51: SEND_SCR */
1973 ret = sd->scr[sd->data_offset ++];
1975 if (sd->data_offset >= sizeof(sd->scr))
1976 sd->state = sd_transfer_state;
1979 case 56: /* CMD56: GEN_CMD */
1980 if (sd->data_offset == 0)
1981 APP_READ_BLOCK(sd->data_start, sd->blk_len);
1982 ret = sd->data[sd->data_offset ++];
1984 if (sd->data_offset >= sd->blk_len)
1985 sd->state = sd_transfer_state;
1989 qemu_log_mask(LOG_GUEST_ERROR, "sd_read_data: unknown command\n");
1996 bool sd_data_ready(SDState *sd)
1998 return sd->state == sd_sendingdata_state;
2001 void sd_enable(SDState *sd, bool enable)
2003 sd->enable = enable;
2006 static void sd_instance_init(Object *obj)
2008 SDState *sd = SD_CARD(obj);
2011 sd->ocr_power_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, sd_ocr_powerup, sd);
2014 static void sd_instance_finalize(Object *obj)
2016 SDState *sd = SD_CARD(obj);
2018 timer_del(sd->ocr_power_timer);
2019 timer_free(sd->ocr_power_timer);
2022 static void sd_realize(DeviceState *dev, Error **errp)
2024 SDState *sd = SD_CARD(dev);
2027 if (sd->blk && blk_is_read_only(sd->blk)) {
2028 error_setg(errp, "Cannot use read-only drive as SD card");
2033 ret = blk_set_perm(sd->blk, BLK_PERM_CONSISTENT_READ | BLK_PERM_WRITE,
2034 BLK_PERM_ALL, errp);
2038 blk_set_dev_ops(sd->blk, &sd_block_ops, sd);
2042 static Property sd_properties[] = {
2043 DEFINE_PROP_DRIVE("drive", SDState, blk),
2044 /* We do not model the chip select pin, so allow the board to select
2045 * whether card should be in SSI or MMC/SD mode. It is also up to the
2046 * board to ensure that ssi transfers only occur when the chip select
2048 DEFINE_PROP_BOOL("spi", SDState, spi, false),
2049 DEFINE_PROP_END_OF_LIST()
2052 static void sd_class_init(ObjectClass *klass, void *data)
2054 DeviceClass *dc = DEVICE_CLASS(klass);
2055 SDCardClass *sc = SD_CARD_CLASS(klass);
2057 dc->realize = sd_realize;
2058 dc->props = sd_properties;
2059 dc->vmsd = &sd_vmstate;
2060 dc->reset = sd_reset;
2061 dc->bus_type = TYPE_SD_BUS;
2063 sc->set_voltage = sd_set_voltage;
2064 sc->get_dat_lines = sd_get_dat_lines;
2065 sc->get_cmd_line = sd_get_cmd_line;
2066 sc->do_command = sd_do_command;
2067 sc->write_data = sd_write_data;
2068 sc->read_data = sd_read_data;
2069 sc->data_ready = sd_data_ready;
2070 sc->enable = sd_enable;
2071 sc->get_inserted = sd_get_inserted;
2072 sc->get_readonly = sd_get_readonly;
2075 static const TypeInfo sd_info = {
2076 .name = TYPE_SD_CARD,
2077 .parent = TYPE_DEVICE,
2078 .instance_size = sizeof(SDState),
2079 .class_size = sizeof(SDCardClass),
2080 .class_init = sd_class_init,
2081 .instance_init = sd_instance_init,
2082 .instance_finalize = sd_instance_finalize,
2085 static void sd_register_types(void)
2087 type_register_static(&sd_info);
2090 type_init(sd_register_types)
projects / qemu.git / blob