• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 2007-2008 The Android Open Source Project
2 **
3 ** This software is licensed under the terms of the GNU General Public
4 ** License version 2, as published by the Free Software Foundation, and
5 ** may be copied, distributed, and modified under those terms.
6 **
7 ** This program is distributed in the hope that it will be useful,
8 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
9 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10 ** GNU General Public License for more details.
11 */
12 #include "qemu_file.h"
13 #include "goldfish_device.h"
14 #include "mmc.h"
15 #include "sd.h"
16 #include "block.h"
17 
18 enum {
19     /* status register */
20     MMC_INT_STATUS          = 0x00,
21     /* set this to enable IRQ */
22     MMC_INT_ENABLE          = 0x04,
23     /* set this to specify buffer address */
24     MMC_SET_BUFFER          = 0x08,
25 
26     /* MMC command number */
27     MMC_CMD                 = 0x0C,
28 
29     /* MMC argument */
30     MMC_ARG                 = 0x10,
31 
32     /* MMC response (or R2 bits 0 - 31) */
33     MMC_RESP_0              = 0x14,
34 
35     /* MMC R2 response bits 32 - 63 */
36     MMC_RESP_1              = 0x18,
37 
38     /* MMC R2 response bits 64 - 95 */
39     MMC_RESP_2              = 0x1C,
40 
41     /* MMC R2 response bits 96 - 127 */
42     MMC_RESP_3              = 0x20,
43 
44     MMC_BLOCK_LENGTH        = 0x24,
45     MMC_BLOCK_COUNT         = 0x28,
46 
47     /* MMC state flags */
48     MMC_STATE               = 0x2C,
49 
50     /* MMC_INT_STATUS bits */
51 
52     MMC_STAT_END_OF_CMD     = 1U << 0,
53     MMC_STAT_END_OF_DATA    = 1U << 1,
54     MMC_STAT_STATE_CHANGE   = 1U << 2,
55 
56     /* MMC_STATE bits */
57     MMC_STATE_INSERTED     = 1U << 0,
58     MMC_STATE_READ_ONLY     = 1U << 1,
59 };
60 
61 
62 struct goldfish_mmc_state {
63     struct goldfish_device dev;
64     BlockDriverState *bs;
65     // pointer to our buffer
66     uint32_t buffer_address;
67     // offsets for read and write operations
68     uint32_t read_offset, write_offset;
69     // buffer status flags
70     uint32_t int_status;
71     // irq enable mask for int_status
72     uint32_t int_enable;
73 
74     // MMC command argument
75     uint32_t arg;
76     uint32_t resp[4];
77 
78     uint32_t block_length;
79     uint32_t block_count;
80     int is_SDHC;
81 
82     uint8_t* buf;
83 };
84 
85 #define  GOLDFISH_MMC_SAVE_VERSION  2
86 #define  QFIELD_STRUCT  struct goldfish_mmc_state
87 QFIELD_BEGIN(goldfish_mmc_fields)
QFIELD_INT32(buffer_address)88     QFIELD_INT32(buffer_address),
89     QFIELD_INT32(read_offset),
90     QFIELD_INT32(write_offset),
91     QFIELD_INT32(int_status),
92     QFIELD_INT32(int_enable),
93     QFIELD_INT32(arg),
94     QFIELD_INT32(resp[0]),
95     QFIELD_INT32(resp[1]),
96     QFIELD_INT32(resp[2]),
97     QFIELD_INT32(resp[3]),
98     QFIELD_INT32(block_length),
99     QFIELD_INT32(block_count),
100     QFIELD_INT32(is_SDHC),
101 QFIELD_END
102 
103 static void  goldfish_mmc_save(QEMUFile*  f, void*  opaque)
104 {
105     struct goldfish_mmc_state*  s = opaque;
106 
107     qemu_put_struct(f, goldfish_mmc_fields, s);
108 }
109 
goldfish_mmc_load(QEMUFile * f,void * opaque,int version_id)110 static int  goldfish_mmc_load(QEMUFile*  f, void*  opaque, int  version_id)
111 {
112     struct goldfish_mmc_state*  s = opaque;
113 
114     if (version_id != GOLDFISH_MMC_SAVE_VERSION)
115         return -1;
116 
117     return qemu_get_struct(f, goldfish_mmc_fields, s);
118 }
119 
120 struct mmc_opcode {
121     const char* name;
122     int cmd;
123 } mmc_opcodes[] = {
124     { "MMC_GO_IDLE_STATE",         0  },
125     { "MMC_SEND_OP_COND",          1  },
126     { "MMC_ALL_SEND_CID",          2  },
127     { "MMC_SET_RELATIVE_ADDR",     3  },
128     { "MMC_SET_DSR",               4  },
129     { "MMC_SWITCH",                6  },
130     { "MMC_SELECT_CARD",           7  },
131     { "MMC_SEND_EXT_CSD",          8  },
132     { "MMC_SEND_CSD",              9  },
133     { "MMC_SEND_CID",             10  },
134     { "MMC_READ_DAT_UNTIL_STOP",  11  },
135     { "MMC_STOP_TRANSMISSION",    12  },
136     { "MMC_SEND_STATUS",          13  },
137     { "MMC_GO_INACTIVE_STATE",    15  },
138     { "MMC_SET_BLOCKLEN",         16  },
139     { "MMC_READ_SINGLE_BLOCK",    17  },
140     { "MMC_READ_MULTIPLE_BLOCK",  18  },
141     { "MMC_WRITE_DAT_UNTIL_STOP", 20  },
142     { "MMC_SET_BLOCK_COUNT",      23  },
143     { "MMC_WRITE_BLOCK",          24  },
144     { "MMC_WRITE_MULTIPLE_BLOCK", 25  },
145     { "MMC_PROGRAM_CID",          26  },
146     { "MMC_PROGRAM_CSD",          27  },
147     { "MMC_SET_WRITE_PROT",       28  },
148     { "MMC_CLR_WRITE_PROT",       29  },
149     { "MMC_SEND_WRITE_PROT",      30  },
150     { "MMC_ERASE_GROUP_START",    35  },
151     { "MMC_ERASE_GROUP_END",      36  },
152     { "MMC_ERASE",                38  },
153     { "MMC_FAST_IO",              39  },
154     { "MMC_GO_IRQ_STATE",         40  },
155     { "MMC_LOCK_UNLOCK",          42  },
156     { "MMC_APP_CMD",              55  },
157     { "MMC_GEN_CMD",              56  },
158     { "SD_APP_OP_COND",           41  },
159     { "SD_APP_SEND_SCR",          51  },
160     { "UNKNOWN",                  -1  }
161 };
162 
163 #if 0
164 static const char* get_command_name(int command)
165 {
166     struct mmc_opcode* opcode = mmc_opcodes;
167 
168     while (opcode->cmd != command && opcode->cmd != -1) opcode++;
169     return opcode->name;
170 }
171 #endif
172 
goldfish_mmc_bdrv_read(struct goldfish_mmc_state * s,int64_t sector_number,target_phys_addr_t dst_address,int num_sectors)173 static int  goldfish_mmc_bdrv_read(struct goldfish_mmc_state *s,
174                                    int64_t                    sector_number,
175                                    target_phys_addr_t         dst_address,
176                                    int                        num_sectors)
177 {
178     int  ret;
179 
180     while (num_sectors > 0) {
181         ret = bdrv_read(s->bs, sector_number, s->buf, 1);
182         if (ret < 0)
183             return ret;
184 
185         cpu_physical_memory_write(dst_address, s->buf, 512);
186         dst_address   += 512;
187         num_sectors   -= 1;
188         sector_number += 1;
189     }
190     return 0;
191 }
192 
goldfish_mmc_bdrv_write(struct goldfish_mmc_state * s,int64_t sector_number,target_phys_addr_t dst_address,int num_sectors)193 static int  goldfish_mmc_bdrv_write(struct goldfish_mmc_state *s,
194                                     int64_t                    sector_number,
195                                     target_phys_addr_t         dst_address,
196                                     int                        num_sectors)
197 {
198     int  ret;
199 
200     while (num_sectors > 0) {
201         cpu_physical_memory_read(dst_address, s->buf, 512);
202 
203         ret = bdrv_write(s->bs, sector_number, s->buf, 1);
204         if (ret < 0)
205             return ret;
206 
207         dst_address   += 512;
208         num_sectors   -= 1;
209         sector_number += 1;
210     }
211     return 0;
212 }
213 
214 
goldfish_mmc_do_command(struct goldfish_mmc_state * s,uint32_t cmd,uint32_t arg)215 static void goldfish_mmc_do_command(struct goldfish_mmc_state *s, uint32_t cmd, uint32_t arg)
216 {
217     int result;
218     int new_status = MMC_STAT_END_OF_CMD;
219     int opcode = cmd & 63;
220 
221 // fprintf(stderr, "goldfish_mmc_do_command opcode: %s (0x%04X), arg: %d\n", get_command_name(opcode), cmd, arg);
222 
223     s->resp[0] = 0;
224     s->resp[1] = 0;
225     s->resp[2] = 0;
226     s->resp[3] = 0;
227 
228 #define SET_R1_CURRENT_STATE(s)    ((s << 9) & 0x00001E00) /* sx, b (4 bits) */
229 
230     switch (opcode) {
231         case MMC_SEND_CSD: {
232             int64_t sector_count = 0;
233             uint64_t capacity;
234             uint8_t exponent;
235             uint32_t m;
236 
237             bdrv_get_geometry(s->bs, (uint64_t*)&sector_count);
238             capacity = sector_count * 512;
239             if (capacity > 2147483648U) {
240                 // if storages is > 2 gig, then emulate SDHC card
241                 s->is_SDHC = 1;
242 
243                 // CSD bits borrowed from a real SDHC card, with capacity bits zeroed out
244                 s->resp[3] = 0x400E0032;
245                 s->resp[2] = 0x5B590000;
246                 s->resp[1] = 0x00007F80;
247                 s->resp[0] = 0x0A4040DF;
248 
249                 // stuff in the real capacity
250                 // m = UNSTUFF_BITS(resp, 48, 22);
251                 m = (uint32_t)(capacity / (512*1024)) - 1;
252                 // m must fit into 22 bits
253                 if (m & 0xFFC00000) {
254                     fprintf(stderr, "SD card too big (%lld bytes).  Maximum SDHC card size is 128 gigabytes.\n", (long long)capacity);
255                     abort();
256                 }
257 
258                 // low 16 bits go in high end of resp[1]
259                 s->resp[1] |= ((m & 0x0000FFFF) << 16);
260                 // high 6 bits go in low end of resp[2]
261                 s->resp[2] |= (m >> 16);
262             } else {
263                 // emulate standard SD card
264                 s->is_SDHC = 0;
265 
266                 // CSD bits borrowed from a real SD card, with capacity bits zeroed out
267                 s->resp[3] = 0x00260032;
268                 s->resp[2] = 0x5F5A8000;
269                 s->resp[1] = 0x3EF84FFF;
270                 s->resp[0] = 0x928040CB;
271 
272                 // stuff in the real capacity
273                 // e = UNSTUFF_BITS(resp, 47, 3);
274                 // m = UNSTUFF_BITS(resp, 62, 12);
275                 // csd->capacity = (1 + m) << (e + 2);
276                 // need to reverse the formula and calculate e and m
277                 exponent = 0;
278                 capacity = sector_count * 512;
279                 if (capacity > 2147483648U) {
280                     fprintf(stderr, "SD card too big (%lld bytes).  Maximum SD card size is 2 gigabytes.\n", (long long)capacity);
281                     abort();
282                 }
283                 capacity >>= 10; // convert to Kbytes
284                 while (capacity > 4096) {
285                     // (capacity - 1) must fit into 12 bits
286                     exponent++;
287                     capacity >>= 1;
288                 }
289                 capacity -= 1;
290                 if (exponent < 2) {
291                     cpu_abort(cpu_single_env, "SDCard too small, must be at least 9MB\n");
292                 }
293                 exponent -= 2;
294                 if (exponent > 7) {
295                     cpu_abort(cpu_single_env, "SDCard too large.\n");
296                 }
297 
298                 s->resp[2] |= (((uint32_t)capacity >> 2) & 0x3FF);  // high 10 bits to bottom of resp[2]
299                 s->resp[1] |= (((uint32_t)capacity & 3) << 30);    // low 2 bits to top of resp[1]
300                 s->resp[1] |= (exponent << (47 - 32));
301             }
302             break;
303         }
304 
305         case MMC_SEND_EXT_CSD:
306             s->resp[0] = arg;
307             break;
308 
309         case MMC_APP_CMD:
310             s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA | R1_APP_CMD; //2336
311             break;
312 
313         case SD_APP_OP_COND:
314             s->resp[0] = 0x80FF8000;
315             break;
316 
317         case SD_APP_SEND_SCR:
318         {
319 #if 1 /* this code is actually endian-safe */
320             const uint8_t  scr[8] = "\x02\x25\x00\x00\x00\x00\x00\x00";
321 #else /* this original code wasn't */
322             uint32_t scr[2];
323             scr[0] = 0x00002502;
324             scr[1] = 0x00000000;
325 #endif
326             cpu_physical_memory_write(s->buffer_address, (uint8_t*)scr, 8);
327 
328             s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA | R1_APP_CMD; //2336
329             new_status |= MMC_STAT_END_OF_DATA;
330             break;
331         }
332         case MMC_SET_RELATIVE_ADDR:
333             s->resp[0] = -518519520;
334             break;
335 
336         case MMC_ALL_SEND_CID:
337             s->resp[3] = 55788627;
338             s->resp[2] = 1429221959;
339             s->resp[1] = -2147479692;
340             s->resp[0] = -436179883;
341             break;
342 
343         case MMC_SELECT_CARD:
344             s->resp[0] = SET_R1_CURRENT_STATE(3) | R1_READY_FOR_DATA; // 1792
345             break;
346 
347          case MMC_SWITCH:
348             if (arg == 0x00FFFFF1 || arg == 0x80FFFFF1) {
349                 uint8_t  buff0[64];
350                 memset(buff0, 0, sizeof buff0);
351                 buff0[13] = 2;
352                 cpu_physical_memory_write(s->buffer_address, buff0, sizeof buff0);
353                 new_status |= MMC_STAT_END_OF_DATA;
354             }
355             s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA | R1_APP_CMD; //2336
356             break;
357 
358          case MMC_SET_BLOCKLEN:
359             s->block_length = arg;
360             s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304
361             break;
362 
363         case MMC_READ_SINGLE_BLOCK:
364             s->block_count = 1;
365             // fall through
366         case MMC_READ_MULTIPLE_BLOCK: {
367             if (s->is_SDHC) {
368                 // arg is block offset
369             } else {
370                 // arg is byte offset
371                 if (arg & 511) fprintf(stderr, "offset %d is not multiple of 512 when reading\n", arg);
372                 arg /= s->block_length;
373             }
374             result = goldfish_mmc_bdrv_read(s, arg, s->buffer_address, s->block_count);
375             new_status |= MMC_STAT_END_OF_DATA;
376             s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304
377             break;
378         }
379 
380         case MMC_WRITE_BLOCK:
381             s->block_count = 1;
382             // fall through
383         case MMC_WRITE_MULTIPLE_BLOCK: {
384             if (s->is_SDHC) {
385                 // arg is block offset
386             } else {
387                 // arg is byte offset
388                 if (arg & 511) fprintf(stderr, "offset %d is not multiple of 512 when writing\n", arg);
389                 arg /= s->block_length;
390             }
391             // arg is byte offset
392             result = goldfish_mmc_bdrv_write(s, arg, s->buffer_address, s->block_count);
393 //            bdrv_flush(s->bs);
394             new_status |= MMC_STAT_END_OF_DATA;
395             s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304
396             break;
397         }
398 
399         case MMC_STOP_TRANSMISSION:
400             s->resp[0] = SET_R1_CURRENT_STATE(5) | R1_READY_FOR_DATA; // 2816
401             break;
402 
403         case MMC_SEND_STATUS:
404             s->resp[0] = SET_R1_CURRENT_STATE(4) | R1_READY_FOR_DATA; // 2304
405             break;
406      }
407 
408     s->int_status |= new_status;
409 
410     if ((s->int_status & s->int_enable)) {
411         goldfish_device_set_irq(&s->dev, 0, (s->int_status & s->int_enable));
412     }
413 }
414 
goldfish_mmc_read(void * opaque,target_phys_addr_t offset)415 static uint32_t goldfish_mmc_read(void *opaque, target_phys_addr_t offset)
416 {
417     uint32_t ret;
418     struct goldfish_mmc_state *s = opaque;
419 
420     switch(offset) {
421         case MMC_INT_STATUS:
422             // return current buffer status flags
423             return s->int_status & s->int_enable;
424         case MMC_RESP_0:
425             return s->resp[0];
426         case MMC_RESP_1:
427             return s->resp[1];
428         case MMC_RESP_2:
429             return s->resp[2];
430         case MMC_RESP_3:
431             return s->resp[3];
432         case MMC_STATE: {
433             ret = MMC_STATE_INSERTED;
434             if (bdrv_is_read_only(s->bs)) {
435                 ret |= MMC_STATE_READ_ONLY;
436             }
437             return ret;
438         }
439         default:
440             cpu_abort(cpu_single_env, "goldfish_mmc_read: Bad offset %x\n", offset);
441             return 0;
442     }
443 }
444 
goldfish_mmc_write(void * opaque,target_phys_addr_t offset,uint32_t val)445 static void goldfish_mmc_write(void *opaque, target_phys_addr_t offset, uint32_t val)
446 {
447     struct goldfish_mmc_state *s = opaque;
448     int status, old_status;
449 
450     switch(offset) {
451 
452         case MMC_INT_STATUS:
453             status = s->int_status;
454             old_status = status;
455             status &= ~val;
456             s->int_status = status;
457             if(status != old_status) {
458                 goldfish_device_set_irq(&s->dev, 0, status);
459             }
460             break;
461 
462         case MMC_INT_ENABLE:
463             /* enable buffer interrupts */
464             s->int_enable = val;
465             s->int_status = 0;
466             goldfish_device_set_irq(&s->dev, 0, (s->int_status & s->int_enable));
467             break;
468         case MMC_SET_BUFFER:
469             /* save pointer to buffer 1 */
470             s->buffer_address = val;
471             break;
472         case MMC_CMD:
473             goldfish_mmc_do_command(s, val, s->arg);
474             break;
475         case MMC_ARG:
476             s->arg = val;
477             break;
478         case MMC_BLOCK_LENGTH:
479             s->block_length = val + 1;
480             break;
481         case MMC_BLOCK_COUNT:
482             s->block_count = val + 1;
483             break;
484 
485         default:
486             cpu_abort (cpu_single_env, "goldfish_mmc_write: Bad offset %x\n", offset);
487     }
488 }
489 
490 static CPUReadMemoryFunc *goldfish_mmc_readfn[] = {
491    goldfish_mmc_read,
492    goldfish_mmc_read,
493    goldfish_mmc_read
494 };
495 
496 static CPUWriteMemoryFunc *goldfish_mmc_writefn[] = {
497    goldfish_mmc_write,
498    goldfish_mmc_write,
499    goldfish_mmc_write
500 };
501 
goldfish_mmc_init(uint32_t base,int id,BlockDriverState * bs)502 void goldfish_mmc_init(uint32_t base, int id, BlockDriverState* bs)
503 {
504     struct goldfish_mmc_state *s;
505 
506     s = (struct goldfish_mmc_state *)qemu_mallocz(sizeof(*s));
507     s->dev.name = "goldfish_mmc";
508     s->dev.id = id;
509     s->dev.base = base;
510     s->dev.size = 0x1000;
511     s->dev.irq_count = 1;
512     s->bs = bs;
513     s->buf = qemu_memalign(512,512);
514 
515     goldfish_device_add(&s->dev, goldfish_mmc_readfn, goldfish_mmc_writefn, s);
516 
517     register_savevm( "goldfish_mmc", 0, GOLDFISH_MMC_SAVE_VERSION,
518                      goldfish_mmc_save, goldfish_mmc_load, s);
519 }
520 
521