Home | History | Annotate | Download | only in hw
      1 /*
      2  * USB Mass Storage Device emulation
      3  *
      4  * Copyright (c) 2006 CodeSourcery.
      5  * Written by Paul Brook
      6  *
      7  * This code is licenced under the LGPL.
      8  */
      9 
     10 #include "qemu-common.h"
     11 #include "usb.h"
     12 #include "block.h"
     13 #include "scsi-disk.h"
     14 #include "console.h"
     15 
     16 //#define DEBUG_MSD
     17 
     18 #ifdef DEBUG_MSD
     19 #define DPRINTF(fmt, ...) \
     20 do { printf("usb-msd: " fmt , ## __VA_ARGS__); } while (0)
     21 #else
     22 #define DPRINTF(fmt, ...) do {} while(0)
     23 #endif
     24 
     25 /* USB requests.  */
     26 #define MassStorageReset  0xff
     27 #define GetMaxLun         0xfe
     28 
     29 enum USBMSDMode {
     30     USB_MSDM_CBW, /* Command Block.  */
     31     USB_MSDM_DATAOUT, /* Tranfer data to device.  */
     32     USB_MSDM_DATAIN, /* Transfer data from device.  */
     33     USB_MSDM_CSW /* Command Status.  */
     34 };
     35 
     36 typedef struct {
     37     USBDevice dev;
     38     enum USBMSDMode mode;
     39     uint32_t scsi_len;
     40     uint8_t *scsi_buf;
     41     uint32_t usb_len;
     42     uint8_t *usb_buf;
     43     uint32_t data_len;
     44     uint32_t residue;
     45     uint32_t tag;
     46     BlockDriverState *bs;
     47     SCSIDevice *scsi_dev;
     48     int result;
     49     /* For async completion.  */
     50     USBPacket *packet;
     51 } MSDState;
     52 
     53 struct usb_msd_cbw {
     54     uint32_t sig;
     55     uint32_t tag;
     56     uint32_t data_len;
     57     uint8_t flags;
     58     uint8_t lun;
     59     uint8_t cmd_len;
     60     uint8_t cmd[16];
     61 };
     62 
     63 struct usb_msd_csw {
     64     uint32_t sig;
     65     uint32_t tag;
     66     uint32_t residue;
     67     uint8_t status;
     68 };
     69 
     70 static const uint8_t qemu_msd_dev_descriptor[] = {
     71 	0x12,       /*  u8 bLength; */
     72 	0x01,       /*  u8 bDescriptorType; Device */
     73 	0x00, 0x01, /*  u16 bcdUSB; v1.0 */
     74 
     75 	0x00,	    /*  u8  bDeviceClass; */
     76 	0x00,	    /*  u8  bDeviceSubClass; */
     77 	0x00,       /*  u8  bDeviceProtocol; [ low/full speeds only ] */
     78 	0x08,       /*  u8  bMaxPacketSize0; 8 Bytes */
     79 
     80         /* Vendor and product id are arbitrary.  */
     81 	0x00, 0x00, /*  u16 idVendor; */
     82  	0x00, 0x00, /*  u16 idProduct; */
     83 	0x00, 0x00, /*  u16 bcdDevice */
     84 
     85 	0x01,       /*  u8  iManufacturer; */
     86 	0x02,       /*  u8  iProduct; */
     87 	0x03,       /*  u8  iSerialNumber; */
     88 	0x01        /*  u8  bNumConfigurations; */
     89 };
     90 
     91 static const uint8_t qemu_msd_config_descriptor[] = {
     92 
     93 	/* one configuration */
     94 	0x09,       /*  u8  bLength; */
     95 	0x02,       /*  u8  bDescriptorType; Configuration */
     96 	0x20, 0x00, /*  u16 wTotalLength; */
     97 	0x01,       /*  u8  bNumInterfaces; (1) */
     98 	0x01,       /*  u8  bConfigurationValue; */
     99 	0x00,       /*  u8  iConfiguration; */
    100 	0xc0,       /*  u8  bmAttributes;
    101 				 Bit 7: must be set,
    102 				     6: Self-powered,
    103 				     5: Remote wakeup,
    104 				     4..0: resvd */
    105 	0x00,       /*  u8  MaxPower; */
    106 
    107 	/* one interface */
    108 	0x09,       /*  u8  if_bLength; */
    109 	0x04,       /*  u8  if_bDescriptorType; Interface */
    110 	0x00,       /*  u8  if_bInterfaceNumber; */
    111 	0x00,       /*  u8  if_bAlternateSetting; */
    112 	0x02,       /*  u8  if_bNumEndpoints; */
    113 	0x08,       /*  u8  if_bInterfaceClass; MASS STORAGE */
    114 	0x06,       /*  u8  if_bInterfaceSubClass; SCSI */
    115 	0x50,       /*  u8  if_bInterfaceProtocol; Bulk Only */
    116 	0x00,       /*  u8  if_iInterface; */
    117 
    118 	/* Bulk-In endpoint */
    119 	0x07,       /*  u8  ep_bLength; */
    120 	0x05,       /*  u8  ep_bDescriptorType; Endpoint */
    121 	0x81,       /*  u8  ep_bEndpointAddress; IN Endpoint 1 */
    122  	0x02,       /*  u8  ep_bmAttributes; Bulk */
    123  	0x40, 0x00, /*  u16 ep_wMaxPacketSize; */
    124 	0x00,       /*  u8  ep_bInterval; */
    125 
    126 	/* Bulk-Out endpoint */
    127 	0x07,       /*  u8  ep_bLength; */
    128 	0x05,       /*  u8  ep_bDescriptorType; Endpoint */
    129 	0x02,       /*  u8  ep_bEndpointAddress; OUT Endpoint 2 */
    130  	0x02,       /*  u8  ep_bmAttributes; Bulk */
    131  	0x40, 0x00, /*  u16 ep_wMaxPacketSize; */
    132 	0x00        /*  u8  ep_bInterval; */
    133 };
    134 
    135 static void usb_msd_copy_data(MSDState *s)
    136 {
    137     uint32_t len;
    138     len = s->usb_len;
    139     if (len > s->scsi_len)
    140         len = s->scsi_len;
    141     if (s->mode == USB_MSDM_DATAIN) {
    142         memcpy(s->usb_buf, s->scsi_buf, len);
    143     } else {
    144         memcpy(s->scsi_buf, s->usb_buf, len);
    145     }
    146     s->usb_len -= len;
    147     s->scsi_len -= len;
    148     s->usb_buf += len;
    149     s->scsi_buf += len;
    150     s->data_len -= len;
    151     if (s->scsi_len == 0) {
    152         if (s->mode == USB_MSDM_DATAIN) {
    153             s->scsi_dev->read_data(s->scsi_dev, s->tag);
    154         } else if (s->mode == USB_MSDM_DATAOUT) {
    155             s->scsi_dev->write_data(s->scsi_dev, s->tag);
    156         }
    157     }
    158 }
    159 
    160 static void usb_msd_send_status(MSDState *s)
    161 {
    162     struct usb_msd_csw csw;
    163 
    164     csw.sig = cpu_to_le32(0x53425355);
    165     csw.tag = cpu_to_le32(s->tag);
    166     csw.residue = s->residue;
    167     csw.status = s->result;
    168     memcpy(s->usb_buf, &csw, 13);
    169 }
    170 
    171 static void usb_msd_command_complete(void *opaque, int reason, uint32_t tag,
    172                                      uint32_t arg)
    173 {
    174     MSDState *s = (MSDState *)opaque;
    175     USBPacket *p = s->packet;
    176 
    177     if (tag != s->tag) {
    178         fprintf(stderr, "usb-msd: Unexpected SCSI Tag 0x%x\n", tag);
    179     }
    180     if (reason == SCSI_REASON_DONE) {
    181         DPRINTF("Command complete %d\n", arg);
    182         s->residue = s->data_len;
    183         s->result = arg != 0;
    184         if (s->packet) {
    185             if (s->data_len == 0 && s->mode == USB_MSDM_DATAOUT) {
    186                 /* A deferred packet with no write data remaining must be
    187                    the status read packet.  */
    188                 usb_msd_send_status(s);
    189                 s->mode = USB_MSDM_CBW;
    190             } else {
    191                 if (s->data_len) {
    192                     s->data_len -= s->usb_len;
    193                     if (s->mode == USB_MSDM_DATAIN)
    194                         memset(s->usb_buf, 0, s->usb_len);
    195                     s->usb_len = 0;
    196                 }
    197                 if (s->data_len == 0)
    198                     s->mode = USB_MSDM_CSW;
    199             }
    200             s->packet = NULL;
    201             usb_packet_complete(p);
    202         } else if (s->data_len == 0) {
    203             s->mode = USB_MSDM_CSW;
    204         }
    205         return;
    206     }
    207     s->scsi_len = arg;
    208     s->scsi_buf = s->scsi_dev->get_buf(s->scsi_dev, tag);
    209     if (p) {
    210         usb_msd_copy_data(s);
    211         if (s->usb_len == 0) {
    212             /* Set s->packet to NULL before calling usb_packet_complete
    213                because annother request may be issued before
    214                usb_packet_complete returns.  */
    215             DPRINTF("Packet complete %p\n", p);
    216             s->packet = NULL;
    217             usb_packet_complete(p);
    218         }
    219     }
    220 }
    221 
    222 static void usb_msd_handle_reset(USBDevice *dev)
    223 {
    224     MSDState *s = (MSDState *)dev;
    225 
    226     DPRINTF("Reset\n");
    227     s->mode = USB_MSDM_CBW;
    228 }
    229 
    230 static int usb_msd_handle_control(USBDevice *dev, int request, int value,
    231                                   int index, int length, uint8_t *data)
    232 {
    233     MSDState *s = (MSDState *)dev;
    234     int ret = 0;
    235 
    236     switch (request) {
    237     case DeviceRequest | USB_REQ_GET_STATUS:
    238         data[0] = (1 << USB_DEVICE_SELF_POWERED) |
    239             (dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
    240         data[1] = 0x00;
    241         ret = 2;
    242         break;
    243     case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
    244         if (value == USB_DEVICE_REMOTE_WAKEUP) {
    245             dev->remote_wakeup = 0;
    246         } else {
    247             goto fail;
    248         }
    249         ret = 0;
    250         break;
    251     case DeviceOutRequest | USB_REQ_SET_FEATURE:
    252         if (value == USB_DEVICE_REMOTE_WAKEUP) {
    253             dev->remote_wakeup = 1;
    254         } else {
    255             goto fail;
    256         }
    257         ret = 0;
    258         break;
    259     case DeviceOutRequest | USB_REQ_SET_ADDRESS:
    260         dev->addr = value;
    261         ret = 0;
    262         break;
    263     case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
    264         switch(value >> 8) {
    265         case USB_DT_DEVICE:
    266             memcpy(data, qemu_msd_dev_descriptor,
    267                    sizeof(qemu_msd_dev_descriptor));
    268             ret = sizeof(qemu_msd_dev_descriptor);
    269             break;
    270         case USB_DT_CONFIG:
    271             memcpy(data, qemu_msd_config_descriptor,
    272                    sizeof(qemu_msd_config_descriptor));
    273             ret = sizeof(qemu_msd_config_descriptor);
    274             break;
    275         case USB_DT_STRING:
    276             switch(value & 0xff) {
    277             case 0:
    278                 /* language ids */
    279                 data[0] = 4;
    280                 data[1] = 3;
    281                 data[2] = 0x09;
    282                 data[3] = 0x04;
    283                 ret = 4;
    284                 break;
    285             case 1:
    286                 /* vendor description */
    287                 ret = set_usb_string(data, "QEMU " QEMU_VERSION);
    288                 break;
    289             case 2:
    290                 /* product description */
    291                 ret = set_usb_string(data, "QEMU USB HARDDRIVE");
    292                 break;
    293             case 3:
    294                 /* serial number */
    295                 ret = set_usb_string(data, "1");
    296                 break;
    297             default:
    298                 goto fail;
    299             }
    300             break;
    301         default:
    302             goto fail;
    303         }
    304         break;
    305     case DeviceRequest | USB_REQ_GET_CONFIGURATION:
    306         data[0] = 1;
    307         ret = 1;
    308         break;
    309     case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
    310         ret = 0;
    311         break;
    312     case DeviceRequest | USB_REQ_GET_INTERFACE:
    313         data[0] = 0;
    314         ret = 1;
    315         break;
    316     case DeviceOutRequest | USB_REQ_SET_INTERFACE:
    317         ret = 0;
    318         break;
    319     case EndpointOutRequest | USB_REQ_CLEAR_FEATURE:
    320         if (value == 0 && index != 0x81) { /* clear ep halt */
    321             goto fail;
    322         }
    323         ret = 0;
    324         break;
    325         /* Class specific requests.  */
    326     case MassStorageReset:
    327         /* Reset state ready for the next CBW.  */
    328         s->mode = USB_MSDM_CBW;
    329         ret = 0;
    330         break;
    331     case GetMaxLun:
    332         data[0] = 0;
    333         ret = 1;
    334         break;
    335     default:
    336     fail:
    337         ret = USB_RET_STALL;
    338         break;
    339     }
    340     return ret;
    341 }
    342 
    343 static void usb_msd_cancel_io(USBPacket *p, void *opaque)
    344 {
    345     MSDState *s = opaque;
    346     s->scsi_dev->cancel_io(s->scsi_dev, s->tag);
    347     s->packet = NULL;
    348     s->scsi_len = 0;
    349 }
    350 
    351 static int usb_msd_handle_data(USBDevice *dev, USBPacket *p)
    352 {
    353     MSDState *s = (MSDState *)dev;
    354     int ret = 0;
    355     struct usb_msd_cbw cbw;
    356     uint8_t devep = p->devep;
    357     uint8_t *data = p->data;
    358     int len = p->len;
    359 
    360     switch (p->pid) {
    361     case USB_TOKEN_OUT:
    362         if (devep != 2)
    363             goto fail;
    364 
    365         switch (s->mode) {
    366         case USB_MSDM_CBW:
    367             if (len != 31) {
    368                 fprintf(stderr, "usb-msd: Bad CBW size");
    369                 goto fail;
    370             }
    371             memcpy(&cbw, data, 31);
    372             if (le32_to_cpu(cbw.sig) != 0x43425355) {
    373                 fprintf(stderr, "usb-msd: Bad signature %08x\n",
    374                         le32_to_cpu(cbw.sig));
    375                 goto fail;
    376             }
    377             DPRINTF("Command on LUN %d\n", cbw.lun);
    378             if (cbw.lun != 0) {
    379                 fprintf(stderr, "usb-msd: Bad LUN %d\n", cbw.lun);
    380                 goto fail;
    381             }
    382             s->tag = le32_to_cpu(cbw.tag);
    383             s->data_len = le32_to_cpu(cbw.data_len);
    384             if (s->data_len == 0) {
    385                 s->mode = USB_MSDM_CSW;
    386             } else if (cbw.flags & 0x80) {
    387                 s->mode = USB_MSDM_DATAIN;
    388             } else {
    389                 s->mode = USB_MSDM_DATAOUT;
    390             }
    391             DPRINTF("Command tag 0x%x flags %08x len %d data %d\n",
    392                     s->tag, cbw.flags, cbw.cmd_len, s->data_len);
    393             s->residue = 0;
    394             s->scsi_dev->send_command(s->scsi_dev, s->tag, cbw.cmd, 0);
    395             /* ??? Should check that USB and SCSI data transfer
    396                directions match.  */
    397             if (s->residue == 0) {
    398                 if (s->mode == USB_MSDM_DATAIN) {
    399                     s->scsi_dev->read_data(s->scsi_dev, s->tag);
    400                 } else if (s->mode == USB_MSDM_DATAOUT) {
    401                     s->scsi_dev->write_data(s->scsi_dev, s->tag);
    402                 }
    403             }
    404             ret = len;
    405             break;
    406 
    407         case USB_MSDM_DATAOUT:
    408             DPRINTF("Data out %d/%d\n", len, s->data_len);
    409             if (len > s->data_len)
    410                 goto fail;
    411 
    412             s->usb_buf = data;
    413             s->usb_len = len;
    414             if (s->scsi_len) {
    415                 usb_msd_copy_data(s);
    416             }
    417             if (s->residue && s->usb_len) {
    418                 s->data_len -= s->usb_len;
    419                 if (s->data_len == 0)
    420                     s->mode = USB_MSDM_CSW;
    421                 s->usb_len = 0;
    422             }
    423             if (s->usb_len) {
    424                 DPRINTF("Deferring packet %p\n", p);
    425                 usb_defer_packet(p, usb_msd_cancel_io, s);
    426                 s->packet = p;
    427                 ret = USB_RET_ASYNC;
    428             } else {
    429                 ret = len;
    430             }
    431             break;
    432 
    433         default:
    434             DPRINTF("Unexpected write (len %d)\n", len);
    435             goto fail;
    436         }
    437         break;
    438 
    439     case USB_TOKEN_IN:
    440         if (devep != 1)
    441             goto fail;
    442 
    443         switch (s->mode) {
    444         case USB_MSDM_DATAOUT:
    445             if (s->data_len != 0 || len < 13)
    446                 goto fail;
    447             /* Waiting for SCSI write to complete.  */
    448             usb_defer_packet(p, usb_msd_cancel_io, s);
    449             s->packet = p;
    450             ret = USB_RET_ASYNC;
    451             break;
    452 
    453         case USB_MSDM_CSW:
    454             DPRINTF("Command status %d tag 0x%x, len %d\n",
    455                     s->result, s->tag, len);
    456             if (len < 13)
    457                 goto fail;
    458 
    459             s->usb_len = len;
    460             s->usb_buf = data;
    461             usb_msd_send_status(s);
    462             s->mode = USB_MSDM_CBW;
    463             ret = 13;
    464             break;
    465 
    466         case USB_MSDM_DATAIN:
    467             DPRINTF("Data in %d/%d\n", len, s->data_len);
    468             if (len > s->data_len)
    469                 len = s->data_len;
    470             s->usb_buf = data;
    471             s->usb_len = len;
    472             if (s->scsi_len) {
    473                 usb_msd_copy_data(s);
    474             }
    475             if (s->residue && s->usb_len) {
    476                 s->data_len -= s->usb_len;
    477                 memset(s->usb_buf, 0, s->usb_len);
    478                 if (s->data_len == 0)
    479                     s->mode = USB_MSDM_CSW;
    480                 s->usb_len = 0;
    481             }
    482             if (s->usb_len) {
    483                 DPRINTF("Deferring packet %p\n", p);
    484                 usb_defer_packet(p, usb_msd_cancel_io, s);
    485                 s->packet = p;
    486                 ret = USB_RET_ASYNC;
    487             } else {
    488                 ret = len;
    489             }
    490             break;
    491 
    492         default:
    493             DPRINTF("Unexpected read (len %d)\n", len);
    494             goto fail;
    495         }
    496         break;
    497 
    498     default:
    499         DPRINTF("Bad token\n");
    500     fail:
    501         ret = USB_RET_STALL;
    502         break;
    503     }
    504 
    505     return ret;
    506 }
    507 
    508 static void usb_msd_handle_destroy(USBDevice *dev)
    509 {
    510     MSDState *s = (MSDState *)dev;
    511 
    512     s->scsi_dev->destroy(s->scsi_dev);
    513     bdrv_delete(s->bs);
    514     qemu_free(s);
    515 }
    516 
    517 USBDevice *usb_msd_init(const char *filename)
    518 {
    519     MSDState *s;
    520     BlockDriverState *bdrv;
    521     BlockDriver *drv = NULL;
    522     const char *p1;
    523     char fmt[32];
    524 
    525     p1 = strchr(filename, ':');
    526     if (p1++) {
    527         const char *p2;
    528 
    529         if (strstart(filename, "format=", &p2)) {
    530             int len = MIN(p1 - p2, sizeof(fmt));
    531             pstrcpy(fmt, len, p2);
    532 
    533             drv = bdrv_find_format(fmt);
    534             if (!drv) {
    535                 printf("invalid format %s\n", fmt);
    536                 return NULL;
    537             }
    538         } else if (*filename != ':') {
    539             printf("unrecognized USB mass-storage option %s\n", filename);
    540             return NULL;
    541         }
    542 
    543         filename = p1;
    544     }
    545 
    546     if (!*filename) {
    547         printf("block device specification needed\n");
    548         return NULL;
    549     }
    550 
    551     s = qemu_mallocz(sizeof(MSDState));
    552 
    553     bdrv = bdrv_new("usb");
    554     if (bdrv_open(bdrv, filename, 0, drv) < 0)
    555         goto fail;
    556     s->bs = bdrv;
    557 
    558     s->dev.speed = USB_SPEED_FULL;
    559     s->dev.handle_packet = usb_generic_handle_packet;
    560 
    561     s->dev.handle_reset = usb_msd_handle_reset;
    562     s->dev.handle_control = usb_msd_handle_control;
    563     s->dev.handle_data = usb_msd_handle_data;
    564     s->dev.handle_destroy = usb_msd_handle_destroy;
    565 
    566     snprintf(s->dev.devname, sizeof(s->dev.devname), "QEMU USB MSD(%.16s)",
    567              filename);
    568 
    569     s->scsi_dev = scsi_disk_init(bdrv, 0, usb_msd_command_complete, s);
    570     usb_msd_handle_reset((USBDevice *)s);
    571     return (USBDevice *)s;
    572  fail:
    573     qemu_free(s);
    574     return NULL;
    575 }
    576 
    577 BlockDriverState *usb_msd_get_bdrv(USBDevice *dev)
    578 {
    579     MSDState *s = (MSDState *)dev;
    580 
    581     return s->bs;
    582 }
    583