1 /* Copyright (C) 2007-2008 The Android Open Source Project 2 ** 3 ** This software is licensed under the terms of the GNU General Public 4 ** License version 2, as published by the Free Software Foundation, and 5 ** may be copied, distributed, and modified under those terms. 6 ** 7 ** This program is distributed in the hope that it will be useful, 8 ** but WITHOUT ANY WARRANTY; without even the implied warranty of 9 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 ** GNU General Public License for more details. 11 */ 12 #include "cpu.h" 13 #include "qemu-common.h" 14 #include "migration/qemu-file.h" 15 #include "hw/android/goldfish/device.h" 16 #include "hw/hw.h" 17 #include "hw/mmc.h" 18 #include "hw/sd.h" 19 #include "block/block.h" 20 21 enum { 22 /* status register */ 23 MMC_INT_STATUS = 0x00, 24 /* set this to enable IRQ */ 25 MMC_INT_ENABLE = 0x04, 26 /* set this to specify buffer address */ 27 MMC_SET_BUFFER = 0x08, 28 29 /* MMC command number */ 30 MMC_CMD = 0x0C, 31 32 /* MMC argument */ 33 MMC_ARG = 0x10, 34 35 /* MMC response (or R2 bits 0 - 31) */ 36 MMC_RESP_0 = 0x14, 37 38 /* MMC R2 response bits 32 - 63 */ 39 MMC_RESP_1 = 0x18, 40 41 /* MMC R2 response bits 64 - 95 */ 42 MMC_RESP_2 = 0x1C, 43 44 /* MMC R2 response bits 96 - 127 */ 45 MMC_RESP_3 = 0x20, 46 47 MMC_BLOCK_LENGTH = 0x24, 48 MMC_BLOCK_COUNT = 0x28, 49 50 /* MMC state flags */ 51 MMC_STATE = 0x2C, 52 53 /* 64-bit guest CPUs only */ 54 55 /* Set high 32-bits of buffer address */ 56 MMC_SET_BUFFER_HIGH = 0x30, 57 58 /* MMC_INT_STATUS bits */ 59 60 MMC_STAT_END_OF_CMD = 1U << 0, 61 MMC_STAT_END_OF_DATA = 1U << 1, 62 MMC_STAT_STATE_CHANGE = 1U << 2, 63 64 /* MMC_STATE bits */ 65 MMC_STATE_INSERTED = 1U << 0, 66 MMC_STATE_READ_ONLY = 1U << 1, 67 }; 68 69 70 struct goldfish_mmc_state { 71 struct goldfish_device dev; 72 BlockDriverState *bs; 73 // pointer to our buffer 74 uint64_t buffer_address; 75 // offsets for read and write operations 76 uint32_t read_offset, write_offset; 77 // buffer status flags 78 uint32_t int_status; 79 // irq enable mask for int_status 80 uint32_t int_enable; 81 82 // MMC command argument 83 uint32_t arg; 84 uint32_t resp[4]; 85 86 uint32_t block_length; 87 uint32_t block_count; 88 int is_SDHC; 89 90 uint8_t* buf; 91 }; 92 93 #define GOLDFISH_MMC_SAVE_VERSION 3 94 #define GOLDFISH_MMC_SAVE_VERSION_LEGACY 2 95 96 // Note: This doesn't include |buffer_address| which is saved and loaded 97 // explictly below to support legacy encodings. 98 #define QFIELD_STRUCT struct goldfish_mmc_state 99 QFIELD_BEGIN(goldfish_mmc_fields) 100 QFIELD_INT32(read_offset), 101 QFIELD_INT32(write_offset), 102 QFIELD_INT32(int_status), 103 QFIELD_INT32(int_enable), 104 QFIELD_INT32(arg), 105 QFIELD_INT32(resp[0]), 106 QFIELD_INT32(resp[1]), 107 QFIELD_INT32(resp[2]), 108 QFIELD_INT32(resp[3]), 109 QFIELD_INT32(block_length), 110 QFIELD_INT32(block_count), 111 QFIELD_INT32(is_SDHC), 112 QFIELD_END 113 114 static void goldfish_mmc_save(QEMUFile* f, void* opaque) 115 { 116 struct goldfish_mmc_state* s = opaque; 117 118 qemu_put_be64(f, s->buffer_address); 119 qemu_put_struct(f, goldfish_mmc_fields, s); 120 } 121 122 static int goldfish_mmc_load(QEMUFile* f, void* opaque, int version_id) 123 { 124 struct goldfish_mmc_state* s = opaque; 125 126 if (version_id == GOLDFISH_MMC_SAVE_VERSION) { 127 s->buffer_address = qemu_get_be64(f); 128 } else if (version_id == GOLDFISH_MMC_SAVE_VERSION_LEGACY) { 129 s->buffer_address = qemu_get_be32(f); 130 } else { 131 // Unsupported version! 132 return -1; 133 } 134 return qemu_get_struct(f, goldfish_mmc_fields, s); 135 } 136 137 struct mmc_opcode { 138 const char* name; 139 int cmd; 140 } mmc_opcodes[] = { 141 { "MMC_GO_IDLE_STATE", 0 }, 142 { "MMC_SEND_OP_COND", 1 }, 143 { "MMC_ALL_SEND_CID", 2 }, 144 { "MMC_SET_RELATIVE_ADDR", 3 }, 145 { "MMC_SET_DSR", 4 }, 146 { "MMC_SWITCH", 6 }, 147 { "MMC_SELECT_CARD", 7 }, 148 { "MMC_SEND_EXT_CSD", 8 }, 149 { "MMC_SEND_CSD", 9 }, 150 { "MMC_SEND_CID", 10 }, 151 { "MMC_READ_DAT_UNTIL_STOP", 11 }, 152 { "MMC_STOP_TRANSMISSION", 12 }, 153 { "MMC_SEND_STATUS", 13 }, 154 { "MMC_GO_INACTIVE_STATE", 15 }, 155 { "MMC_SET_BLOCKLEN", 16 }, 156 { "MMC_READ_SINGLE_BLOCK", 17 }, 157 { "MMC_READ_MULTIPLE_BLOCK", 18 }, 158 { "MMC_WRITE_DAT_UNTIL_STOP", 20 }, 159 { "MMC_SET_BLOCK_COUNT", 23 }, 160 { "MMC_WRITE_BLOCK", 24 }, 161 { "MMC_WRITE_MULTIPLE_BLOCK", 25 }, 162 { "MMC_PROGRAM_CID", 26 }, 163 { "MMC_PROGRAM_CSD", 27 }, 164 { "MMC_SET_WRITE_PROT", 28 }, 165 { "MMC_CLR_WRITE_PROT", 29 }, 166 { "MMC_SEND_WRITE_PROT", 30 }, 167 { "MMC_ERASE_GROUP_START", 35 }, 168 { "MMC_ERASE_GROUP_END", 36 }, 169 { "MMC_ERASE", 38 }, 170 { "MMC_FAST_IO", 39 }, 171 { "MMC_GO_IRQ_STATE", 40 }, 172 { "MMC_LOCK_UNLOCK", 42 }, 173 { "MMC_APP_CMD", 55 }, 174 { "MMC_GEN_CMD", 56 }, 175 { "SD_APP_OP_COND", 41 }, 176 { "SD_APP_SEND_SCR", 51 }, 177 { "UNKNOWN", -1 } 178 }; 179 180 #if 0 181 static const char* get_command_name(int command) 182 { 183 struct mmc_opcode* opcode = mmc_opcodes; 184 185 while (opcode->cmd != command && opcode->cmd != -1) opcode++; 186 return opcode->name; 187 } 188 #endif 189 190 static int goldfish_mmc_bdrv_read(struct goldfish_mmc_state *s, 191 int64_t sector_number, 192 hwaddr dst_address, 193 int num_sectors) 194 { 195 int ret; 196 197 while (num_sectors > 0) { 198 ret = bdrv_read(s->bs, sector_number, s->buf, 1); 199 if (ret < 0) 200 return ret; 201 202 cpu_physical_memory_write(dst_address, s->buf, 512); 203 dst_address += 512; 204 num_sectors -= 1; 205 sector_number += 1; 206 } 207 return 0; 208 } 209 210 static int goldfish_mmc_bdrv_write(struct goldfish_mmc_state *s, 211 int64_t sector_number, 212 hwaddr dst_address, 213 int num_sectors) 214 { 215 int ret; 216 217 while (num_sectors > 0) { 218 cpu_physical_memory_read(dst_address, s->buf, 512); 219 220 ret = bdrv_write(s->bs, sector_number, s->buf, 1); 221 if (ret < 0) 222 return ret; 223 224 dst_address += 512; 225 num_sectors -= 1; 226 sector_number += 1; 227 } 228 return 0; 229 } 230 231 232 static void goldfish_mmc_do_command(struct goldfish_mmc_state *s, uint32_t cmd, uint32_t arg) 233 { 234 int new_status = MMC_STAT_END_OF_CMD; 235 int opcode = cmd & 63; 236 237 // fprintf(stderr, "goldfish_mmc_do_command opcode: %s (0x%04X), arg: %d\n", get_command_name(opcode), cmd, arg); 238 239 s->resp[0] = 0; 240 s->resp[1] = 0; 241 s->resp[2] = 0; 242 s->resp[3] = 0; 243 244 #define SET_R1_CURRENT_STATE(s) ((s << 9) & 0x00001E00) /* sx, b (4 bits) */ 245 246 switch (opcode) { 247 case MMC_SEND_CSD: { 248 int64_t sector_count = 0; 249 uint64_t capacity; 250 uint8_t exponent; 251 uint32_t m; 252 253 bdrv_get_geometry(s->bs, (uint64_t*)§or_count); 254 capacity = sector_count * 512; 255 if (capacity > 2147483648U) { 256 // if storages is > 2 gig, then emulate SDHC card 257 s->is_SDHC = 1; 258 259 // CSD bits borrowed from a real SDHC card, with capacity bits zeroed out 260 s->resp[3] = 0x400E0032; 261 s->resp[2] = 0x5B590000; 262 s->resp[1] = 0x00007F80; 263 s->resp[0] = 0x0A4040DF; 264 265 // stuff in the real capacity 266 // m = UNSTUFF_BITS(resp, 48, 22); 267 m = (uint32_t)(capacity / (512*1024)) - 1; 268 // m must fit into 22 bits 269 if (m & 0xFFC00000) { 270 fprintf(stderr, "SD card too big (%" PRId64 " bytes). " 271 "Maximum SDHC card size is 128 gigabytes.\n", 272 capacity); 273 abort(); 274 } 275 276 // low 16 bits go in high end of resp[1] 277 s->resp[1] |= ((m & 0x0000FFFF) << 16); 278 // high 6 bits go in low end of resp[2] 279 s->resp[2] |= (m >> 16); 280 } else { 281 // emulate standard SD card 282 s->is_SDHC = 0; 283 284 // CSD bits borrowed from a real SD card, with capacity bits zeroed out 285 s->resp[3] = 0x00260032; 286 s->resp[2] = 0x5F5A8000; 287 s->resp[1] = 0x3EF84FFF; 288 s->resp[0] = 0x928040CB; 289 290 // stuff in the real capacity 291 // e = UNSTUFF_BITS(resp, 47, 3); 292 // m = UNSTUFF_BITS(resp, 62, 12); 293 // csd->capacity = (1 + m) << (e + 2); 294 // need to reverse the formula and calculate e and m 295 exponent = 0; 296 capacity = sector_count * 512; 297 if (capacity > 2147483648U) { 298 fprintf(stderr, "SD card too big (%" PRIu64 " bytes). " 299 "Maximum SD card size is 2 gigabytes.\n", 300 capacity); 301 abort(); 302 } 303 capacity >>= 10; // convert to Kbytes 304 while (capacity > 4096) { 305 // (capacity - 1) must fit into 12 bits 306 exponent++; 307 capacity >>= 1; 308 } 309 capacity -= 1; 310 if (exponent < 2) { 311 cpu_abort(cpu_single_env, "SDCard too small, must be at least 9MB\n"); 312 } 313 exponent -= 2; 314 if (exponent > 7) { 315 cpu_abort(cpu_single_env, "SDCard too large.\n"); 316 } 317 318 s->resp[2] |= (((uint32_t)capacity >> 2) & 0x3FF); // high 10 bits to bottom of resp[2] 319 s->resp[1] |= (((uint32_t)capacity & 3) << 30); // low 2 bits to top of resp[1] 320 s->resp[1] |= (exponent << (47 - 32)); 321 } 322 break; 323 } 324 325 case MMC_SEND_EXT_CSD: 326 s->resp[0] = arg; 327 break; 328 329 case MMC_APP_CMD: 330 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA | R1_APP_CMD; //2336 331 break; 332 333 case SD_APP_OP_COND: 334 s->resp[0] = 0x80FF8000; 335 break; 336 337 case SD_APP_SEND_SCR: 338 { 339 #if 1 /* this code is actually endian-safe */ 340 const uint8_t scr[8] = "\x02\x25\x00\x00\x00\x00\x00\x00"; 341 #else /* this original code wasn't */ 342 uint32_t scr[2]; 343 scr[0] = 0x00002502; 344 scr[1] = 0x00000000; 345 #endif 346 cpu_physical_memory_write(s->buffer_address, (uint8_t*)scr, 8); 347 348 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA | R1_APP_CMD; //2336 349 new_status |= MMC_STAT_END_OF_DATA; 350 break; 351 } 352 case MMC_SET_RELATIVE_ADDR: 353 s->resp[0] = -518519520; 354 break; 355 356 case MMC_ALL_SEND_CID: 357 s->resp[3] = 55788627; 358 s->resp[2] = 1429221959; 359 s->resp[1] = -2147479692; 360 s->resp[0] = -436179883; 361 break; 362 363 case MMC_SELECT_CARD: 364 s->resp[0] = SET_R1_CURRENT_STATE(3) | R1_READY_FOR_DATA; // 1792 365 break; 366 367 case MMC_SWITCH: 368 if (arg == 0x00FFFFF1 || arg == 0x80FFFFF1) { 369 uint8_t buff0[64]; 370 memset(buff0, 0, sizeof buff0); 371 buff0[13] = 2; 372 cpu_physical_memory_write(s->buffer_address, buff0, sizeof buff0); 373 new_status |= MMC_STAT_END_OF_DATA; 374 } 375 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA | R1_APP_CMD; //2336 376 break; 377 378 case MMC_SET_BLOCKLEN: 379 s->block_length = arg; 380 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304 381 break; 382 383 case MMC_READ_SINGLE_BLOCK: 384 s->block_count = 1; 385 // fall through 386 case MMC_READ_MULTIPLE_BLOCK: { 387 if (s->is_SDHC) { 388 // arg is block offset 389 } else { 390 // arg is byte offset 391 if (arg & 511) fprintf(stderr, "offset %d is not multiple of 512 when reading\n", arg); 392 arg /= s->block_length; 393 } 394 goldfish_mmc_bdrv_read(s, arg, s->buffer_address, s->block_count); 395 new_status |= MMC_STAT_END_OF_DATA; 396 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304 397 break; 398 } 399 400 case MMC_WRITE_BLOCK: 401 s->block_count = 1; 402 // fall through 403 case MMC_WRITE_MULTIPLE_BLOCK: { 404 if (s->is_SDHC) { 405 // arg is block offset 406 } else { 407 // arg is byte offset 408 if (arg & 511) fprintf(stderr, "offset %d is not multiple of 512 when writing\n", arg); 409 arg /= s->block_length; 410 } 411 // arg is byte offset 412 goldfish_mmc_bdrv_write(s, arg, s->buffer_address, s->block_count); 413 // bdrv_flush(s->bs); 414 new_status |= MMC_STAT_END_OF_DATA; 415 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304 416 break; 417 } 418 419 case MMC_STOP_TRANSMISSION: 420 s->resp[0] = SET_R1_CURRENT_STATE(5) | R1_READY_FOR_DATA; // 2816 421 break; 422 423 case MMC_SEND_STATUS: 424 s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304 425 break; 426 } 427 428 s->int_status |= new_status; 429 430 if ((s->int_status & s->int_enable)) { 431 goldfish_device_set_irq(&s->dev, 0, (s->int_status & s->int_enable)); 432 } 433 } 434 435 static uint32_t goldfish_mmc_read(void *opaque, hwaddr offset) 436 { 437 uint32_t ret; 438 struct goldfish_mmc_state *s = opaque; 439 440 switch(offset) { 441 case MMC_INT_STATUS: 442 // return current buffer status flags 443 return s->int_status & s->int_enable; 444 case MMC_RESP_0: 445 return s->resp[0]; 446 case MMC_RESP_1: 447 return s->resp[1]; 448 case MMC_RESP_2: 449 return s->resp[2]; 450 case MMC_RESP_3: 451 return s->resp[3]; 452 case MMC_STATE: { 453 ret = MMC_STATE_INSERTED; 454 if (bdrv_is_read_only(s->bs)) { 455 ret |= MMC_STATE_READ_ONLY; 456 } 457 return ret; 458 } 459 default: 460 cpu_abort(cpu_single_env, "goldfish_mmc_read: Bad offset %x\n", offset); 461 return 0; 462 } 463 } 464 465 static void goldfish_mmc_write(void *opaque, hwaddr offset, uint32_t val) 466 { 467 struct goldfish_mmc_state *s = opaque; 468 int status, old_status; 469 470 switch(offset) { 471 472 case MMC_INT_STATUS: 473 status = s->int_status; 474 old_status = status; 475 status &= ~val; 476 s->int_status = status; 477 if(status != old_status) { 478 goldfish_device_set_irq(&s->dev, 0, status); 479 } 480 break; 481 482 case MMC_INT_ENABLE: 483 /* enable buffer interrupts */ 484 s->int_enable = val; 485 s->int_status = 0; 486 goldfish_device_set_irq(&s->dev, 0, (s->int_status & s->int_enable)); 487 break; 488 case MMC_SET_BUFFER: 489 /* save pointer to buffer 1 */ 490 uint64_set_low(&s->buffer_address, val); 491 break; 492 case MMC_SET_BUFFER_HIGH: 493 /* save pointer to buffer 1 */ 494 uint64_set_high(&s->buffer_address, val); 495 break; 496 case MMC_CMD: 497 goldfish_mmc_do_command(s, val, s->arg); 498 break; 499 case MMC_ARG: 500 s->arg = val; 501 break; 502 case MMC_BLOCK_LENGTH: 503 s->block_length = val + 1; 504 break; 505 case MMC_BLOCK_COUNT: 506 s->block_count = val + 1; 507 break; 508 509 default: 510 cpu_abort (cpu_single_env, "goldfish_mmc_write: Bad offset %x\n", offset); 511 } 512 } 513 514 static CPUReadMemoryFunc *goldfish_mmc_readfn[] = { 515 goldfish_mmc_read, 516 goldfish_mmc_read, 517 goldfish_mmc_read 518 }; 519 520 static CPUWriteMemoryFunc *goldfish_mmc_writefn[] = { 521 goldfish_mmc_write, 522 goldfish_mmc_write, 523 goldfish_mmc_write 524 }; 525 526 void goldfish_mmc_init(uint32_t base, int id, BlockDriverState* bs) 527 { 528 struct goldfish_mmc_state *s; 529 530 s = (struct goldfish_mmc_state *)g_malloc0(sizeof(*s)); 531 s->dev.name = "goldfish_mmc"; 532 s->dev.id = id; 533 s->dev.base = base; 534 s->dev.size = 0x1000; 535 s->dev.irq_count = 1; 536 s->bs = bs; 537 s->buf = qemu_memalign(512,512); 538 539 goldfish_device_add(&s->dev, goldfish_mmc_readfn, goldfish_mmc_writefn, s); 540 541 register_savevm(NULL, 542 "goldfish_mmc", 543 0, 544 GOLDFISH_MMC_SAVE_VERSION, 545 goldfish_mmc_save, 546 goldfish_mmc_load, 547 s); 548 } 549 550
