1 /* Copyright (C) 2007-2008 The Android Open Source Project 2 ** 3 ** This software is licensed under the terms of the GNU General Public 4 ** License version 2, as published by the Free Software Foundation, and 5 ** may be copied, distributed, and modified under those terms. 6 ** 7 ** This program is distributed in the hope that it will be useful, 8 ** but WITHOUT ANY WARRANTY; without even the implied warranty of 9 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 ** GNU General Public License for more details. 11 */ 12 #include "qemu_file.h" 13 #include "goldfish_device.h" 14 #include "mmc.h" 15 #include "sd.h" 16 #include "block.h" 17 18 enum { 19 /* status register */ 20 MMC_INT_STATUS = 0x00, 21 /* set this to enable IRQ */ 22 MMC_INT_ENABLE = 0x04, 23 /* set this to specify buffer address */ 24 MMC_SET_BUFFER = 0x08, 25 26 /* MMC command number */ 27 MMC_CMD = 0x0C, 28 29 /* MMC argument */ 30 MMC_ARG = 0x10, 31 32 /* MMC response (or R2 bits 0 - 31) */ 33 MMC_RESP_0 = 0x14, 34 35 /* MMC R2 response bits 32 - 63 */ 36 MMC_RESP_1 = 0x18, 37 38 /* MMC R2 response bits 64 - 95 */ 39 MMC_RESP_2 = 0x1C, 40 41 /* MMC R2 response bits 96 - 127 */ 42 MMC_RESP_3 = 0x20, 43 44 MMC_BLOCK_LENGTH = 0x24, 45 MMC_BLOCK_COUNT = 0x28, 46 47 /* MMC state flags */ 48 MMC_STATE = 0x2C, 49 50 /* MMC_INT_STATUS bits */ 51 52 MMC_STAT_END_OF_CMD = 1U << 0, 53 MMC_STAT_END_OF_DATA = 1U << 1, 54 MMC_STAT_STATE_CHANGE = 1U << 2, 55 56 /* MMC_STATE bits */ 57 MMC_STATE_INSERTED = 1U << 0, 58 MMC_STATE_READ_ONLY = 1U << 1, 59 }; 60 61 62 struct goldfish_mmc_state { 63 struct goldfish_device dev; 64 BlockDriverState *bs; 65 // pointer to our buffer 66 uint32_t buffer_address; 67 // offsets for read and write operations 68 uint32_t read_offset, write_offset; 69 // buffer status flags 70 uint32_t int_status; 71 // irq enable mask for int_status 72 uint32_t int_enable; 73 74 // MMC command argument 75 uint32_t arg; 76 uint32_t resp[4]; 77 78 uint32_t block_length; 79 uint32_t block_count; 80 int is_SDHC; 81 82 uint8_t* buf; 83 }; 84 85 #define GOLDFISH_MMC_SAVE_VERSION 2 86 #define QFIELD_STRUCT struct goldfish_mmc_state 87 QFIELD_BEGIN(goldfish_mmc_fields) 88 QFIELD_INT32(buffer_address), 89 QFIELD_INT32(read_offset), 90 QFIELD_INT32(write_offset), 91 QFIELD_INT32(int_status), 92 QFIELD_INT32(int_enable), 93 QFIELD_INT32(arg), 94 QFIELD_INT32(resp[0]), 95 QFIELD_INT32(resp[1]), 96 QFIELD_INT32(resp[2]), 97 QFIELD_INT32(resp[3]), 98 QFIELD_INT32(block_length), 99 QFIELD_INT32(block_count), 100 QFIELD_INT32(is_SDHC), 101 QFIELD_END 102 103 static void goldfish_mmc_save(QEMUFile* f, void* opaque) 104 { 105 struct goldfish_mmc_state* s = opaque; 106 107 qemu_put_struct(f, goldfish_mmc_fields, s); 108 } 109 110 static int goldfish_mmc_load(QEMUFile* f, void* opaque, int version_id) 111 { 112 struct goldfish_mmc_state* s = opaque; 113 114 if (version_id != GOLDFISH_MMC_SAVE_VERSION) 115 return -1; 116 117 return qemu_get_struct(f, goldfish_mmc_fields, s); 118 } 119 120 struct mmc_opcode { 121 const char* name; 122 int cmd; 123 } mmc_opcodes[] = { 124 { "MMC_GO_IDLE_STATE", 0 }, 125 { "MMC_SEND_OP_COND", 1 }, 126 { "MMC_ALL_SEND_CID", 2 }, 127 { "MMC_SET_RELATIVE_ADDR", 3 }, 128 { "MMC_SET_DSR", 4 }, 129 { "MMC_SWITCH", 6 }, 130 { "MMC_SELECT_CARD", 7 }, 131 { "MMC_SEND_EXT_CSD", 8 }, 132 { "MMC_SEND_CSD", 9 }, 133 { "MMC_SEND_CID", 10 }, 134 { "MMC_READ_DAT_UNTIL_STOP", 11 }, 135 { "MMC_STOP_TRANSMISSION", 12 }, 136 { "MMC_SEND_STATUS", 13 }, 137 { "MMC_GO_INACTIVE_STATE", 15 }, 138 { "MMC_SET_BLOCKLEN", 16 }, 139 { "MMC_READ_SINGLE_BLOCK", 17 }, 140 { "MMC_READ_MULTIPLE_BLOCK", 18 }, 141 { "MMC_WRITE_DAT_UNTIL_STOP", 20 }, 142 { "MMC_SET_BLOCK_COUNT", 23 }, 143 { "MMC_WRITE_BLOCK", 24 }, 144 { "MMC_WRITE_MULTIPLE_BLOCK", 25 }, 145 { "MMC_PROGRAM_CID", 26 }, 146 { "MMC_PROGRAM_CSD", 27 }, 147 { "MMC_SET_WRITE_PROT", 28 }, 148 { "MMC_CLR_WRITE_PROT", 29 }, 149 { "MMC_SEND_WRITE_PROT", 30 }, 150 { "MMC_ERASE_GROUP_START", 35 }, 151 { "MMC_ERASE_GROUP_END", 36 }, 152 { "MMC_ERASE", 38 }, 153 { "MMC_FAST_IO", 39 }, 154 { "MMC_GO_IRQ_STATE", 40 }, 155 { "MMC_LOCK_UNLOCK", 42 }, 156 { "MMC_APP_CMD", 55 }, 157 { "MMC_GEN_CMD", 56 }, 158 { "SD_APP_OP_COND", 41 }, 159 { "SD_APP_SEND_SCR", 51 }, 160 { "UNKNOWN", -1 } 161 }; 162 163 #if 0 164 static const char* get_command_name(int command) 165 { 166 struct mmc_opcode* opcode = mmc_opcodes; 167 168 while (opcode->cmd != command && opcode->cmd != -1) opcode++; 169 return opcode->name; 170 } 171 #endif 172 173 static int goldfish_mmc_bdrv_read(struct goldfish_mmc_state *s, 174 int64_t sector_number, 175 target_phys_addr_t dst_address, 176 int num_sectors) 177 { 178 int ret; 179 180 while (num_sectors > 0) { 181 ret = bdrv_read(s->bs, sector_number, s->buf, 1); 182 if (ret < 0) 183 return ret; 184 185 cpu_physical_memory_write(dst_address, s->buf, 512); 186 dst_address += 512; 187 num_sectors -= 1; 188 sector_number += 1; 189 } 190 return 0; 191 } 192 193 static int goldfish_mmc_bdrv_write(struct goldfish_mmc_state *s, 194 int64_t sector_number, 195 target_phys_addr_t dst_address, 196 int num_sectors) 197 { 198 int ret; 199 200 while (num_sectors > 0) { 201 cpu_physical_memory_read(dst_address, s->buf, 512); 202 203 ret = bdrv_write(s->bs, sector_number, s->buf, 1); 204 if (ret < 0) 205 return ret; 206 207 dst_address += 512; 208 num_sectors -= 1; 209 sector_number += 1; 210 } 211 return 0; 212 } 213 214 215 static void goldfish_mmc_do_command(struct goldfish_mmc_state *s, uint32_t cmd, uint32_t arg) 216 { 217 int result; 218 int new_status = MMC_STAT_END_OF_CMD; 219 int opcode = cmd & 63; 220 221 // fprintf(stderr, "goldfish_mmc_do_command opcode: %s (0x%04X), arg: %d\n", get_command_name(opcode), cmd, arg); 222 223 s->resp[0] = 0; 224 s->resp[1] = 0; 225 s->resp[2] = 0; 226 s->resp[3] = 0; 227 228 #define SET_R1_CURRENT_STATE(s) ((s << 9) & 0x00001E00) /* sx, b (4 bits) */ 229 230 switch (opcode) { 231 case MMC_SEND_CSD: { 232 int64_t sector_count = 0; 233 uint64_t capacity; 234 uint8_t exponent; 235 uint32_t m; 236 237 bdrv_get_geometry(s->bs, (uint64_t*)§or_count); 238 capacity = sector_count * 512; 239 if (capacity > 2147483648U) { 240 // if storages is > 2 gig, then emulate SDHC card 241 s->is_SDHC = 1; 242 243 // CSD bits borrowed from a real SDHC card, with capacity bits zeroed out 244 s->resp[3] = 0x400E0032; 245 s->resp[2] = 0x5B590000; 246 s->resp[1] = 0x00007F80; 247 s->resp[0] = 0x0A4040DF; 248 249 // stuff in the real capacity 250 // m = UNSTUFF_BITS(resp, 48, 22); 251 m = (uint32_t)(capacity / (512*1024)) - 1; 252 // m must fit into 22 bits 253 if (m & 0xFFC00000) { 254 fprintf(stderr, "SD card too big (%lld bytes). Maximum SDHC card size is 128 gigabytes.\n", (long long)capacity); 255 abort(); 256 } 257 258 // low 16 bits go in high end of resp[1] 259 s->resp[1] |= ((m & 0x0000FFFF) << 16); 260 // high 6 bits go in low end of resp[2] 261 s->resp[2] |= (m >> 16); 262 } else { 263 // emulate standard SD card 264 s->is_SDHC = 0; 265 266 // CSD bits borrowed from a real SD card, with capacity bits zeroed out 267 s->resp[3] = 0x00260032; 268 s->resp[2] = 0x5F5A8000; 269 s->resp[1] = 0x3EF84FFF; 270 s->resp[0] = 0x928040CB; 271 272 // stuff in the real capacity 273 // e = UNSTUFF_BITS(resp, 47, 3); 274 // m = UNSTUFF_BITS(resp, 62, 12); 275 // csd->capacity = (1 + m) << (e + 2); 276 // need to reverse the formula and calculate e and m 277 exponent = 0; 278 capacity = sector_count * 512; 279 if (capacity > 2147483648U) { 280 fprintf(stderr, "SD card too big (%lld bytes). Maximum SD card size is 2 gigabytes.\n", (long long)capacity); 281 abort(); 282 } 283 capacity >>= 10; // convert to Kbytes 284 while (capacity > 4096) { 285 // (capacity - 1) must fit into 12 bits 286 exponent++; 287 capacity >>= 1; 288 } 289 capacity -= 1; 290 if (exponent < 2) { 291 cpu_abort(cpu_single_env, "SDCard too small, must be at least 9MB\n"); 292 } 293 exponent -= 2; 294 if (exponent > 7) { 295 cpu_abort(cpu_single_env, "SDCard too large.\n"); 296 } 297 298 s->resp[2] |= (((uint32_t)capacity >> 2) & 0x3FF); // high 10 bits to bottom of resp[2] 299 s->resp[1] |= (((uint32_t)capacity & 3) << 30); // low 2 bits to top of resp[1] 300 s->resp[1] |= (exponent << (47 - 32)); 301 } 302 break; 303 } 304 305 case MMC_SEND_EXT_CSD: 306 s->resp[0] = arg; 307 break; 308 309 case MMC_APP_CMD: 310 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA | R1_APP_CMD; //2336 311 break; 312 313 case SD_APP_OP_COND: 314 s->resp[0] = 0x80FF8000; 315 break; 316 317 case SD_APP_SEND_SCR: 318 { 319 #if 1 /* this code is actually endian-safe */ 320 const uint8_t scr[8] = "\x02\x25\x00\x00\x00\x00\x00\x00"; 321 #else /* this original code wasn't */ 322 uint32_t scr[2]; 323 scr[0] = 0x00002502; 324 scr[1] = 0x00000000; 325 #endif 326 cpu_physical_memory_write(s->buffer_address, (uint8_t*)scr, 8); 327 328 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA | R1_APP_CMD; //2336 329 new_status |= MMC_STAT_END_OF_DATA; 330 break; 331 } 332 case MMC_SET_RELATIVE_ADDR: 333 s->resp[0] = -518519520; 334 break; 335 336 case MMC_ALL_SEND_CID: 337 s->resp[3] = 55788627; 338 s->resp[2] = 1429221959; 339 s->resp[1] = -2147479692; 340 s->resp[0] = -436179883; 341 break; 342 343 case MMC_SELECT_CARD: 344 s->resp[0] = SET_R1_CURRENT_STATE(3) | R1_READY_FOR_DATA; // 1792 345 break; 346 347 case MMC_SWITCH: 348 if (arg == 0x00FFFFF1 || arg == 0x80FFFFF1) { 349 uint8_t buff0[64]; 350 memset(buff0, 0, sizeof buff0); 351 buff0[13] = 2; 352 cpu_physical_memory_write(s->buffer_address, buff0, sizeof buff0); 353 new_status |= MMC_STAT_END_OF_DATA; 354 } 355 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA | R1_APP_CMD; //2336 356 break; 357 358 case MMC_SET_BLOCKLEN: 359 s->block_length = arg; 360 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304 361 break; 362 363 case MMC_READ_SINGLE_BLOCK: 364 s->block_count = 1; 365 // fall through 366 case MMC_READ_MULTIPLE_BLOCK: { 367 if (s->is_SDHC) { 368 // arg is block offset 369 } else { 370 // arg is byte offset 371 if (arg & 511) fprintf(stderr, "offset %d is not multiple of 512 when reading\n", arg); 372 arg /= s->block_length; 373 } 374 result = goldfish_mmc_bdrv_read(s, arg, s->buffer_address, s->block_count); 375 new_status |= MMC_STAT_END_OF_DATA; 376 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304 377 break; 378 } 379 380 case MMC_WRITE_BLOCK: 381 s->block_count = 1; 382 // fall through 383 case MMC_WRITE_MULTIPLE_BLOCK: { 384 if (s->is_SDHC) { 385 // arg is block offset 386 } else { 387 // arg is byte offset 388 if (arg & 511) fprintf(stderr, "offset %d is not multiple of 512 when writing\n", arg); 389 arg /= s->block_length; 390 } 391 // arg is byte offset 392 result = goldfish_mmc_bdrv_write(s, arg, s->buffer_address, s->block_count); 393 // bdrv_flush(s->bs); 394 new_status |= MMC_STAT_END_OF_DATA; 395 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304 396 break; 397 } 398 399 case MMC_STOP_TRANSMISSION: 400 s->resp[0] = SET_R1_CURRENT_STATE(5) | R1_READY_FOR_DATA; // 2816 401 break; 402 403 case MMC_SEND_STATUS: 404 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304 405 break; 406 } 407 408 s->int_status |= new_status; 409 410 if ((s->int_status & s->int_enable)) { 411 goldfish_device_set_irq(&s->dev, 0, (s->int_status & s->int_enable)); 412 } 413 } 414 415 static uint32_t goldfish_mmc_read(void *opaque, target_phys_addr_t offset) 416 { 417 uint32_t ret; 418 struct goldfish_mmc_state *s = opaque; 419 420 switch(offset) { 421 case MMC_INT_STATUS: 422 // return current buffer status flags 423 return s->int_status & s->int_enable; 424 case MMC_RESP_0: 425 return s->resp[0]; 426 case MMC_RESP_1: 427 return s->resp[1]; 428 case MMC_RESP_2: 429 return s->resp[2]; 430 case MMC_RESP_3: 431 return s->resp[3]; 432 case MMC_STATE: { 433 ret = MMC_STATE_INSERTED; 434 if (bdrv_is_read_only(s->bs)) { 435 ret |= MMC_STATE_READ_ONLY; 436 } 437 return ret; 438 } 439 default: 440 cpu_abort(cpu_single_env, "goldfish_mmc_read: Bad offset %x\n", offset); 441 return 0; 442 } 443 } 444 445 static void goldfish_mmc_write(void *opaque, target_phys_addr_t offset, uint32_t val) 446 { 447 struct goldfish_mmc_state *s = opaque; 448 int status, old_status; 449 450 switch(offset) { 451 452 case MMC_INT_STATUS: 453 status = s->int_status; 454 old_status = status; 455 status &= ~val; 456 s->int_status = status; 457 if(status != old_status) { 458 goldfish_device_set_irq(&s->dev, 0, status); 459 } 460 break; 461 462 case MMC_INT_ENABLE: 463 /* enable buffer interrupts */ 464 s->int_enable = val; 465 s->int_status = 0; 466 goldfish_device_set_irq(&s->dev, 0, (s->int_status & s->int_enable)); 467 break; 468 case MMC_SET_BUFFER: 469 /* save pointer to buffer 1 */ 470 s->buffer_address = val; 471 break; 472 case MMC_CMD: 473 goldfish_mmc_do_command(s, val, s->arg); 474 break; 475 case MMC_ARG: 476 s->arg = val; 477 break; 478 case MMC_BLOCK_LENGTH: 479 s->block_length = val + 1; 480 break; 481 case MMC_BLOCK_COUNT: 482 s->block_count = val + 1; 483 break; 484 485 default: 486 cpu_abort (cpu_single_env, "goldfish_mmc_write: Bad offset %x\n", offset); 487 } 488 } 489 490 static CPUReadMemoryFunc *goldfish_mmc_readfn[] = { 491 goldfish_mmc_read, 492 goldfish_mmc_read, 493 goldfish_mmc_read 494 }; 495 496 static CPUWriteMemoryFunc *goldfish_mmc_writefn[] = { 497 goldfish_mmc_write, 498 goldfish_mmc_write, 499 goldfish_mmc_write 500 }; 501 502 void goldfish_mmc_init(uint32_t base, int id, BlockDriverState* bs) 503 { 504 struct goldfish_mmc_state *s; 505 506 s = (struct goldfish_mmc_state *)qemu_mallocz(sizeof(*s)); 507 s->dev.name = "goldfish_mmc"; 508 s->dev.id = id; 509 s->dev.base = base; 510 s->dev.size = 0x1000; 511 s->dev.irq_count = 1; 512 s->bs = bs; 513 s->buf = qemu_memalign(512,512); 514 515 goldfish_device_add(&s->dev, goldfish_mmc_readfn, goldfish_mmc_writefn, s); 516 517 register_savevm( "goldfish_mmc", 0, GOLDFISH_MMC_SAVE_VERSION, 518 goldfish_mmc_save, goldfish_mmc_load, s); 519 } 520 521
