2
* SD Memory Card emulation as defined in the "SD Memory Card Physical
3
* layer specification, Version 1.10."
5
* Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6
* Copyright (c) 2007 CodeSourcery
8
* Redistribution and use in source and binary forms, with or without
9
* modification, are permitted provided that the following conditions
12
* 1. Redistributions of source code must retain the above copyright
13
* notice, this list of conditions and the following disclaimer.
14
* 2. Redistributions in binary form must reproduce the above copyright
15
* notice, this list of conditions and the following disclaimer in
16
* the documentation and/or other materials provided with the
19
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
20
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
23
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
27
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33
#include "block/block.h"
35
#include "qemu/bitmap.h"
40
#define DPRINTF(fmt, ...) \
41
do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0)
43
#define DPRINTF(fmt, ...) do {} while(0)
47
sd_r0 = 0, /* no response */
48
sd_r1, /* normal response command */
49
sd_r2_i, /* CID register */
50
sd_r2_s, /* CSD register */
51
sd_r3, /* OCR register */
52
sd_r6 = 6, /* Published RCA response */
53
sd_r7, /* Operating voltage */
60
sd_card_identification_mode,
61
sd_data_transfer_mode,
65
sd_inactive_state = -1,
68
sd_identification_state,
72
sd_receivingdata_state,
78
uint32_t mode; /* current card mode, one of SDCardModes */
79
int32_t state; /* current card state, one of SDCardStates */
86
uint8_t sd_status[64];
89
unsigned long *wp_groups;
97
uint8_t function_group[6];
101
/* True if we will handle the next command as an ACMD. Note that this does
102
* *not* track the APP_CMD status bit!
105
uint32_t blk_written;
107
uint32_t data_offset;
109
qemu_irq readonly_cb;
110
qemu_irq inserted_cb;
111
BlockDriverState *bdrv;
117
static void sd_set_mode(SDState *sd)
120
case sd_inactive_state:
121
sd->mode = sd_inactive;
126
case sd_identification_state:
127
sd->mode = sd_card_identification_mode;
130
case sd_standby_state:
131
case sd_transfer_state:
132
case sd_sendingdata_state:
133
case sd_receivingdata_state:
134
case sd_programming_state:
135
case sd_disconnect_state:
136
sd->mode = sd_data_transfer_mode;
141
static const sd_cmd_type_t sd_cmd_type[64] = {
142
sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
143
sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
144
sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
145
sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
146
sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
147
sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
148
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
149
sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
152
static const sd_cmd_type_t sd_acmd_type[64] = {
153
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
154
sd_none, sd_none, sd_none, sd_none, sd_none, sd_adtc, sd_none, sd_none,
155
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_adtc, sd_ac,
156
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
157
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
158
sd_none, sd_bcr, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_none,
159
sd_none, sd_none, sd_none, sd_adtc, sd_none, sd_none, sd_none, sd_none,
160
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
163
static const int sd_cmd_class[64] = {
164
0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
165
2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
166
5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
167
7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
170
static uint8_t sd_crc7(void *message, size_t width)
173
uint8_t shift_reg = 0x00;
174
uint8_t *msg = (uint8_t *) message;
176
for (i = 0; i < width; i ++, msg ++)
177
for (bit = 7; bit >= 0; bit --) {
179
if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
186
static uint16_t sd_crc16(void *message, size_t width)
189
uint16_t shift_reg = 0x0000;
190
uint16_t *msg = (uint16_t *) message;
193
for (i = 0; i < width; i ++, msg ++)
194
for (bit = 15; bit >= 0; bit --) {
196
if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
203
static void sd_set_ocr(SDState *sd)
205
/* All voltages OK, card power-up OK, Standard Capacity SD Memory Card */
206
sd->ocr = 0x80ffff00;
209
static void sd_set_scr(SDState *sd)
211
sd->scr[0] = 0x00; /* SCR Structure */
212
sd->scr[1] = 0x2f; /* SD Security Support */
228
static void sd_set_cid(SDState *sd)
230
sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
231
sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
233
sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
238
sd->cid[8] = PRV; /* Fake product revision (PRV) */
239
sd->cid[9] = 0xde; /* Fake serial number (PSN) */
243
sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
244
((MDT_YR - 2000) / 10);
245
sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
246
sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
249
#define HWBLOCK_SHIFT 9 /* 512 bytes */
250
#define SECTOR_SHIFT 5 /* 16 kilobytes */
251
#define WPGROUP_SHIFT 7 /* 2 megs */
252
#define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
253
#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
255
static const uint8_t sd_csd_rw_mask[16] = {
256
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
257
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
260
static void sd_set_csd(SDState *sd, uint64_t size)
262
uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
263
uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
264
uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
266
if (size <= 0x40000000) { /* Standard Capacity SD */
267
sd->csd[0] = 0x00; /* CSD structure */
268
sd->csd[1] = 0x26; /* Data read access-time-1 */
269
sd->csd[2] = 0x00; /* Data read access-time-2 */
270
sd->csd[3] = 0x5a; /* Max. data transfer rate */
271
sd->csd[4] = 0x5f; /* Card Command Classes */
272
sd->csd[5] = 0x50 | /* Max. read data block length */
274
sd->csd[6] = 0xe0 | /* Partial block for read allowed */
275
((csize >> 10) & 0x03);
276
sd->csd[7] = 0x00 | /* Device size */
277
((csize >> 2) & 0xff);
278
sd->csd[8] = 0x3f | /* Max. read current */
279
((csize << 6) & 0xc0);
280
sd->csd[9] = 0xfc | /* Max. write current */
281
((CMULT_SHIFT - 2) >> 1);
282
sd->csd[10] = 0x40 | /* Erase sector size */
283
(((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
284
sd->csd[11] = 0x00 | /* Write protect group size */
285
((sectsize << 7) & 0x80) | wpsize;
286
sd->csd[12] = 0x90 | /* Write speed factor */
287
(HWBLOCK_SHIFT >> 2);
288
sd->csd[13] = 0x20 | /* Max. write data block length */
289
((HWBLOCK_SHIFT << 6) & 0xc0);
290
sd->csd[14] = 0x00; /* File format group */
291
sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
302
sd->csd[7] = (size >> 16) & 0xff;
303
sd->csd[8] = (size >> 8) & 0xff;
304
sd->csd[9] = (size & 0xff);
311
sd->ocr |= 1 << 30; /* High Capacity SD Memory Card */
315
static void sd_set_rca(SDState *sd)
320
/* Card status bits, split by clear condition:
321
* A : According to the card current state
322
* B : Always related to the previous command
323
* C : Cleared by read
325
#define CARD_STATUS_A 0x02004100
326
#define CARD_STATUS_B 0x00c01e00
327
#define CARD_STATUS_C 0xfd39a028
329
static void sd_set_cardstatus(SDState *sd)
331
sd->card_status = 0x00000100;
334
static void sd_set_sdstatus(SDState *sd)
336
memset(sd->sd_status, 0, 64);
339
static int sd_req_crc_validate(SDRequest *req)
342
buffer[0] = 0x40 | req->cmd;
343
buffer[1] = (req->arg >> 24) & 0xff;
344
buffer[2] = (req->arg >> 16) & 0xff;
345
buffer[3] = (req->arg >> 8) & 0xff;
346
buffer[4] = (req->arg >> 0) & 0xff;
348
return sd_crc7(buffer, 5) != req->crc; /* TODO */
351
static void sd_response_r1_make(SDState *sd, uint8_t *response)
353
uint32_t status = sd->card_status;
354
/* Clear the "clear on read" status bits */
355
sd->card_status &= ~CARD_STATUS_C;
357
response[0] = (status >> 24) & 0xff;
358
response[1] = (status >> 16) & 0xff;
359
response[2] = (status >> 8) & 0xff;
360
response[3] = (status >> 0) & 0xff;
363
static void sd_response_r3_make(SDState *sd, uint8_t *response)
365
response[0] = (sd->ocr >> 24) & 0xff;
366
response[1] = (sd->ocr >> 16) & 0xff;
367
response[2] = (sd->ocr >> 8) & 0xff;
368
response[3] = (sd->ocr >> 0) & 0xff;
371
static void sd_response_r6_make(SDState *sd, uint8_t *response)
377
status = ((sd->card_status >> 8) & 0xc000) |
378
((sd->card_status >> 6) & 0x2000) |
379
(sd->card_status & 0x1fff);
380
sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
382
response[0] = (arg >> 8) & 0xff;
383
response[1] = arg & 0xff;
384
response[2] = (status >> 8) & 0xff;
385
response[3] = status & 0xff;
388
static void sd_response_r7_make(SDState *sd, uint8_t *response)
390
response[0] = (sd->vhs >> 24) & 0xff;
391
response[1] = (sd->vhs >> 16) & 0xff;
392
response[2] = (sd->vhs >> 8) & 0xff;
393
response[3] = (sd->vhs >> 0) & 0xff;
396
static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
398
return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
401
static void sd_reset(SDState *sd, BlockDriverState *bdrv)
407
bdrv_get_geometry(bdrv, §);
413
sect = sd_addr_to_wpnum(size) + 1;
415
sd->state = sd_idle_state;
420
sd_set_csd(sd, size);
421
sd_set_cardstatus(sd);
427
g_free(sd->wp_groups);
428
sd->wp_switch = bdrv ? bdrv_is_read_only(bdrv) : false;
429
sd->wpgrps_size = sect;
430
sd->wp_groups = bitmap_new(sd->wpgrps_size);
431
memset(sd->function_group, 0, sizeof(sd->function_group));
437
sd->expecting_acmd = false;
440
static void sd_cardchange(void *opaque, bool load)
442
SDState *sd = opaque;
444
qemu_set_irq(sd->inserted_cb, bdrv_is_inserted(sd->bdrv));
445
if (bdrv_is_inserted(sd->bdrv)) {
446
sd_reset(sd, sd->bdrv);
447
qemu_set_irq(sd->readonly_cb, sd->wp_switch);
451
static const BlockDevOps sd_block_ops = {
452
.change_media_cb = sd_cardchange,
455
static const VMStateDescription sd_vmstate = {
458
.minimum_version_id = 1,
459
.fields = (VMStateField[]) {
460
VMSTATE_UINT32(mode, SDState),
461
VMSTATE_INT32(state, SDState),
462
VMSTATE_UINT8_ARRAY(cid, SDState, 16),
463
VMSTATE_UINT8_ARRAY(csd, SDState, 16),
464
VMSTATE_UINT16(rca, SDState),
465
VMSTATE_UINT32(card_status, SDState),
466
VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
467
VMSTATE_UINT32(vhs, SDState),
468
VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
469
VMSTATE_UINT32(blk_len, SDState),
470
VMSTATE_UINT32(erase_start, SDState),
471
VMSTATE_UINT32(erase_end, SDState),
472
VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
473
VMSTATE_UINT32(pwd_len, SDState),
474
VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
475
VMSTATE_UINT8(current_cmd, SDState),
476
VMSTATE_BOOL(expecting_acmd, SDState),
477
VMSTATE_UINT32(blk_written, SDState),
478
VMSTATE_UINT64(data_start, SDState),
479
VMSTATE_UINT32(data_offset, SDState),
480
VMSTATE_UINT8_ARRAY(data, SDState, 512),
481
VMSTATE_BUFFER_POINTER_UNSAFE(buf, SDState, 1, 512),
482
VMSTATE_BOOL(enable, SDState),
483
VMSTATE_END_OF_LIST()
487
/* We do not model the chip select pin, so allow the board to select
488
whether card should be in SSI or MMC/SD mode. It is also up to the
489
board to ensure that ssi transfers only occur when the chip select
491
SDState *sd_init(BlockDriverState *bs, bool is_spi)
495
sd = (SDState *) g_malloc0(sizeof(SDState));
496
sd->buf = qemu_blockalign(bs, 512);
501
bdrv_attach_dev_nofail(sd->bdrv, sd);
502
bdrv_set_dev_ops(sd->bdrv, &sd_block_ops, sd);
504
vmstate_register(NULL, -1, &sd_vmstate, sd);
508
void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
510
sd->readonly_cb = readonly;
511
sd->inserted_cb = insert;
512
qemu_set_irq(readonly, sd->bdrv ? bdrv_is_read_only(sd->bdrv) : 0);
513
qemu_set_irq(insert, sd->bdrv ? bdrv_is_inserted(sd->bdrv) : 0);
516
static void sd_erase(SDState *sd)
519
uint64_t erase_start = sd->erase_start;
520
uint64_t erase_end = sd->erase_end;
522
if (!sd->erase_start || !sd->erase_end) {
523
sd->card_status |= ERASE_SEQ_ERROR;
527
if (extract32(sd->ocr, OCR_CCS_BITN, 1)) {
528
/* High capacity memory card: erase units are 512 byte blocks */
533
erase_start = sd_addr_to_wpnum(erase_start);
534
erase_end = sd_addr_to_wpnum(erase_end);
539
for (i = erase_start; i <= erase_end; i++) {
540
if (test_bit(i, sd->wp_groups)) {
541
sd->card_status |= WP_ERASE_SKIP;
546
static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
551
wpnum = sd_addr_to_wpnum(addr);
553
for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
554
if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
562
static void sd_function_switch(SDState *sd, uint32_t arg)
564
int i, mode, new_func, crc;
565
mode = !!(arg & 0x80000000);
567
sd->data[0] = 0x00; /* Maximum current consumption */
569
sd->data[2] = 0x80; /* Supported group 6 functions */
571
sd->data[4] = 0x80; /* Supported group 5 functions */
573
sd->data[6] = 0x80; /* Supported group 4 functions */
575
sd->data[8] = 0x80; /* Supported group 3 functions */
577
sd->data[10] = 0x80; /* Supported group 2 functions */
579
sd->data[12] = 0x80; /* Supported group 1 functions */
581
for (i = 0; i < 6; i ++) {
582
new_func = (arg >> (i * 4)) & 0x0f;
583
if (mode && new_func != 0x0f)
584
sd->function_group[i] = new_func;
585
sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
587
memset(&sd->data[17], 0, 47);
588
crc = sd_crc16(sd->data, 64);
589
sd->data[65] = crc >> 8;
590
sd->data[66] = crc & 0xff;
593
static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
595
return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
598
static void sd_lock_command(SDState *sd)
600
int erase, lock, clr_pwd, set_pwd, pwd_len;
601
erase = !!(sd->data[0] & 0x08);
602
lock = sd->data[0] & 0x04;
603
clr_pwd = sd->data[0] & 0x02;
604
set_pwd = sd->data[0] & 0x01;
607
pwd_len = sd->data[1];
612
if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
613
set_pwd || clr_pwd || lock || sd->wp_switch ||
614
(sd->csd[14] & 0x20)) {
615
sd->card_status |= LOCK_UNLOCK_FAILED;
618
bitmap_zero(sd->wp_groups, sd->wpgrps_size);
619
sd->csd[14] &= ~0x10;
620
sd->card_status &= ~CARD_IS_LOCKED;
622
/* Erasing the entire card here! */
623
fprintf(stderr, "SD: Card force-erased by CMD42\n");
627
if (sd->blk_len < 2 + pwd_len ||
628
pwd_len <= sd->pwd_len ||
629
pwd_len > sd->pwd_len + 16) {
630
sd->card_status |= LOCK_UNLOCK_FAILED;
634
if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
635
sd->card_status |= LOCK_UNLOCK_FAILED;
639
pwd_len -= sd->pwd_len;
640
if ((pwd_len && !set_pwd) ||
641
(clr_pwd && (set_pwd || lock)) ||
642
(lock && !sd->pwd_len && !set_pwd) ||
643
(!set_pwd && !clr_pwd &&
644
(((sd->card_status & CARD_IS_LOCKED) && lock) ||
645
(!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
646
sd->card_status |= LOCK_UNLOCK_FAILED;
651
memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
652
sd->pwd_len = pwd_len;
660
sd->card_status |= CARD_IS_LOCKED;
662
sd->card_status &= ~CARD_IS_LOCKED;
665
static sd_rsp_type_t sd_normal_command(SDState *sd,
668
uint32_t rca = 0x0000;
669
uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
671
/* Not interpreting this as an app command */
672
sd->card_status &= ~APP_CMD;
674
if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc)
677
DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state);
679
/* Basic commands (Class 0 and Class 1) */
680
case 0: /* CMD0: GO_IDLE_STATE */
682
case sd_inactive_state:
683
return sd->spi ? sd_r1 : sd_r0;
686
sd->state = sd_idle_state;
687
sd_reset(sd, sd->bdrv);
688
return sd->spi ? sd_r1 : sd_r0;
692
case 1: /* CMD1: SEND_OP_CMD */
696
sd->state = sd_transfer_state;
699
case 2: /* CMD2: ALL_SEND_CID */
704
sd->state = sd_identification_state;
712
case 3: /* CMD3: SEND_RELATIVE_ADDR */
716
case sd_identification_state:
717
case sd_standby_state:
718
sd->state = sd_standby_state;
727
case 4: /* CMD4: SEND_DSR */
731
case sd_standby_state:
739
case 5: /* CMD5: reserved for SDIO cards */
742
case 6: /* CMD6: SWITCH_FUNCTION */
746
case sd_data_transfer_mode:
747
sd_function_switch(sd, req.arg);
748
sd->state = sd_sendingdata_state;
758
case 7: /* CMD7: SELECT/DESELECT_CARD */
762
case sd_standby_state:
766
sd->state = sd_transfer_state;
769
case sd_transfer_state:
770
case sd_sendingdata_state:
774
sd->state = sd_standby_state;
777
case sd_disconnect_state:
781
sd->state = sd_programming_state;
784
case sd_programming_state:
788
sd->state = sd_disconnect_state;
796
case 8: /* CMD8: SEND_IF_COND */
797
/* Physical Layer Specification Version 2.00 command */
802
/* No response if not exactly one VHS bit is set. */
803
if (!(req.arg >> 8) || (req.arg >> ffs(req.arg & ~0xff)))
804
return sd->spi ? sd_r7 : sd_r0;
815
case 9: /* CMD9: SEND_CSD */
817
case sd_standby_state:
823
case sd_transfer_state:
826
sd->state = sd_sendingdata_state;
827
memcpy(sd->data, sd->csd, 16);
828
sd->data_start = addr;
837
case 10: /* CMD10: SEND_CID */
839
case sd_standby_state:
845
case sd_transfer_state:
848
sd->state = sd_sendingdata_state;
849
memcpy(sd->data, sd->cid, 16);
850
sd->data_start = addr;
859
case 11: /* CMD11: READ_DAT_UNTIL_STOP */
863
case sd_transfer_state:
864
sd->state = sd_sendingdata_state;
865
sd->data_start = req.arg;
868
if (sd->data_start + sd->blk_len > sd->size)
869
sd->card_status |= ADDRESS_ERROR;
877
case 12: /* CMD12: STOP_TRANSMISSION */
879
case sd_sendingdata_state:
880
sd->state = sd_transfer_state;
883
case sd_receivingdata_state:
884
sd->state = sd_programming_state;
885
/* Bzzzzzzztt .... Operation complete. */
886
sd->state = sd_transfer_state;
894
case 13: /* CMD13: SEND_STATUS */
896
case sd_data_transfer_mode:
907
case 15: /* CMD15: GO_INACTIVE_STATE */
911
case sd_data_transfer_mode:
915
sd->state = sd_inactive_state;
923
/* Block read commands (Classs 2) */
924
case 16: /* CMD16: SET_BLOCKLEN */
926
case sd_transfer_state:
927
if (req.arg > (1 << HWBLOCK_SHIFT))
928
sd->card_status |= BLOCK_LEN_ERROR;
930
sd->blk_len = req.arg;
939
case 17: /* CMD17: READ_SINGLE_BLOCK */
941
case sd_transfer_state:
942
sd->state = sd_sendingdata_state;
943
sd->data_start = addr;
946
if (sd->data_start + sd->blk_len > sd->size)
947
sd->card_status |= ADDRESS_ERROR;
955
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
957
case sd_transfer_state:
958
sd->state = sd_sendingdata_state;
959
sd->data_start = addr;
962
if (sd->data_start + sd->blk_len > sd->size)
963
sd->card_status |= ADDRESS_ERROR;
971
/* Block write commands (Class 4) */
972
case 24: /* CMD24: WRITE_SINGLE_BLOCK */
974
goto unimplemented_cmd;
976
case sd_transfer_state:
977
/* Writing in SPI mode not implemented. */
980
sd->state = sd_receivingdata_state;
981
sd->data_start = addr;
985
if (sd->data_start + sd->blk_len > sd->size)
986
sd->card_status |= ADDRESS_ERROR;
987
if (sd_wp_addr(sd, sd->data_start))
988
sd->card_status |= WP_VIOLATION;
989
if (sd->csd[14] & 0x30)
990
sd->card_status |= WP_VIOLATION;
998
case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1000
goto unimplemented_cmd;
1001
switch (sd->state) {
1002
case sd_transfer_state:
1003
/* Writing in SPI mode not implemented. */
1006
sd->state = sd_receivingdata_state;
1007
sd->data_start = addr;
1008
sd->data_offset = 0;
1009
sd->blk_written = 0;
1011
if (sd->data_start + sd->blk_len > sd->size)
1012
sd->card_status |= ADDRESS_ERROR;
1013
if (sd_wp_addr(sd, sd->data_start))
1014
sd->card_status |= WP_VIOLATION;
1015
if (sd->csd[14] & 0x30)
1016
sd->card_status |= WP_VIOLATION;
1024
case 26: /* CMD26: PROGRAM_CID */
1027
switch (sd->state) {
1028
case sd_transfer_state:
1029
sd->state = sd_receivingdata_state;
1031
sd->data_offset = 0;
1039
case 27: /* CMD27: PROGRAM_CSD */
1041
goto unimplemented_cmd;
1042
switch (sd->state) {
1043
case sd_transfer_state:
1044
sd->state = sd_receivingdata_state;
1046
sd->data_offset = 0;
1054
/* Write protection (Class 6) */
1055
case 28: /* CMD28: SET_WRITE_PROT */
1056
switch (sd->state) {
1057
case sd_transfer_state:
1058
if (addr >= sd->size) {
1059
sd->card_status |= ADDRESS_ERROR;
1063
sd->state = sd_programming_state;
1064
set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1065
/* Bzzzzzzztt .... Operation complete. */
1066
sd->state = sd_transfer_state;
1074
case 29: /* CMD29: CLR_WRITE_PROT */
1075
switch (sd->state) {
1076
case sd_transfer_state:
1077
if (addr >= sd->size) {
1078
sd->card_status |= ADDRESS_ERROR;
1082
sd->state = sd_programming_state;
1083
clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1084
/* Bzzzzzzztt .... Operation complete. */
1085
sd->state = sd_transfer_state;
1093
case 30: /* CMD30: SEND_WRITE_PROT */
1094
switch (sd->state) {
1095
case sd_transfer_state:
1096
sd->state = sd_sendingdata_state;
1097
*(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1098
sd->data_start = addr;
1099
sd->data_offset = 0;
1107
/* Erase commands (Class 5) */
1108
case 32: /* CMD32: ERASE_WR_BLK_START */
1109
switch (sd->state) {
1110
case sd_transfer_state:
1111
sd->erase_start = req.arg;
1119
case 33: /* CMD33: ERASE_WR_BLK_END */
1120
switch (sd->state) {
1121
case sd_transfer_state:
1122
sd->erase_end = req.arg;
1130
case 38: /* CMD38: ERASE */
1131
switch (sd->state) {
1132
case sd_transfer_state:
1133
if (sd->csd[14] & 0x30) {
1134
sd->card_status |= WP_VIOLATION;
1138
sd->state = sd_programming_state;
1140
/* Bzzzzzzztt .... Operation complete. */
1141
sd->state = sd_transfer_state;
1149
/* Lock card commands (Class 7) */
1150
case 42: /* CMD42: LOCK_UNLOCK */
1152
goto unimplemented_cmd;
1153
switch (sd->state) {
1154
case sd_transfer_state:
1155
sd->state = sd_receivingdata_state;
1157
sd->data_offset = 0;
1167
/* CMD52, CMD53: reserved for SDIO cards
1168
* (see the SDIO Simplified Specification V2.0)
1169
* Handle as illegal command but do not complain
1170
* on stderr, as some OSes may use these in their
1171
* probing for presence of an SDIO card.
1175
/* Application specific commands (Class 8) */
1176
case 55: /* CMD55: APP_CMD */
1180
sd->expecting_acmd = true;
1181
sd->card_status |= APP_CMD;
1184
case 56: /* CMD56: GEN_CMD */
1185
fprintf(stderr, "SD: GEN_CMD 0x%08x\n", req.arg);
1187
switch (sd->state) {
1188
case sd_transfer_state:
1189
sd->data_offset = 0;
1191
sd->state = sd_sendingdata_state;
1193
sd->state = sd_receivingdata_state;
1203
fprintf(stderr, "SD: Unknown CMD%i\n", req.cmd);
1207
/* Commands that are recognised but not yet implemented in SPI mode. */
1208
fprintf(stderr, "SD: CMD%i not implemented in SPI mode\n", req.cmd);
1212
fprintf(stderr, "SD: CMD%i in a wrong state\n", req.cmd);
1216
static sd_rsp_type_t sd_app_command(SDState *sd,
1219
DPRINTF("ACMD%d 0x%08x\n", req.cmd, req.arg);
1220
sd->card_status |= APP_CMD;
1222
case 6: /* ACMD6: SET_BUS_WIDTH */
1223
switch (sd->state) {
1224
case sd_transfer_state:
1225
sd->sd_status[0] &= 0x3f;
1226
sd->sd_status[0] |= (req.arg & 0x03) << 6;
1234
case 13: /* ACMD13: SD_STATUS */
1235
switch (sd->state) {
1236
case sd_transfer_state:
1237
sd->state = sd_sendingdata_state;
1239
sd->data_offset = 0;
1247
case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1248
switch (sd->state) {
1249
case sd_transfer_state:
1250
*(uint32_t *) sd->data = sd->blk_written;
1252
sd->state = sd_sendingdata_state;
1254
sd->data_offset = 0;
1262
case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1263
switch (sd->state) {
1264
case sd_transfer_state:
1272
case 41: /* ACMD41: SD_APP_OP_COND */
1275
sd->state = sd_transfer_state;
1278
switch (sd->state) {
1280
/* We accept any voltage. 10000 V is nothing. */
1282
sd->state = sd_ready_state;
1291
case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1292
switch (sd->state) {
1293
case sd_transfer_state:
1294
/* Bringing in the 50KOhm pull-up resistor... Done. */
1302
case 51: /* ACMD51: SEND_SCR */
1303
switch (sd->state) {
1304
case sd_transfer_state:
1305
sd->state = sd_sendingdata_state;
1307
sd->data_offset = 0;
1316
/* Fall back to standard commands. */
1317
return sd_normal_command(sd, req);
1320
fprintf(stderr, "SD: ACMD%i in a wrong state\n", req.cmd);
1324
static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1326
/* Valid commands in locked state:
1328
* lock card class (7)
1330
* implicitly, the ACMD prefix CMD55
1332
* Anything else provokes an "illegal command" response.
1334
if (sd->expecting_acmd) {
1335
return req->cmd == 41 || req->cmd == 42;
1337
if (req->cmd == 16 || req->cmd == 55) {
1340
return sd_cmd_class[req->cmd] == 0 || sd_cmd_class[req->cmd] == 7;
1343
int sd_do_command(SDState *sd, SDRequest *req,
1344
uint8_t *response) {
1346
sd_rsp_type_t rtype;
1349
if (!sd->bdrv || !bdrv_is_inserted(sd->bdrv) || !sd->enable) {
1353
if (sd_req_crc_validate(req)) {
1354
sd->card_status |= COM_CRC_ERROR;
1359
if (sd->card_status & CARD_IS_LOCKED) {
1360
if (!cmd_valid_while_locked(sd, req)) {
1361
sd->card_status |= ILLEGAL_COMMAND;
1362
sd->expecting_acmd = false;
1363
fprintf(stderr, "SD: Card is locked\n");
1369
last_state = sd->state;
1372
if (sd->expecting_acmd) {
1373
sd->expecting_acmd = false;
1374
rtype = sd_app_command(sd, *req);
1376
rtype = sd_normal_command(sd, *req);
1379
if (rtype == sd_illegal) {
1380
sd->card_status |= ILLEGAL_COMMAND;
1382
/* Valid command, we can update the 'state before command' bits.
1383
* (Do this now so they appear in r1 responses.)
1385
sd->current_cmd = req->cmd;
1386
sd->card_status &= ~CURRENT_STATE;
1387
sd->card_status |= (last_state << 9);
1394
sd_response_r1_make(sd, response);
1399
memcpy(response, sd->cid, sizeof(sd->cid));
1404
memcpy(response, sd->csd, sizeof(sd->csd));
1409
sd_response_r3_make(sd, response);
1414
sd_response_r6_make(sd, response);
1419
sd_response_r7_make(sd, response);
1430
if (rtype != sd_illegal) {
1431
/* Clear the "clear on valid command" status bits now we've
1434
sd->card_status &= ~CARD_STATUS_B;
1440
DPRINTF("Response:");
1441
for (i = 0; i < rsplen; i++)
1442
fprintf(stderr, " %02x", response[i]);
1443
fprintf(stderr, " state %d\n", sd->state);
1445
DPRINTF("No response %d\n", sd->state);
1452
static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1454
uint64_t end = addr + len;
1456
DPRINTF("sd_blk_read: addr = 0x%08llx, len = %d\n",
1457
(unsigned long long) addr, len);
1458
if (!sd->bdrv || bdrv_read(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1459
fprintf(stderr, "sd_blk_read: read error on host side\n");
1463
if (end > (addr & ~511) + 512) {
1464
memcpy(sd->data, sd->buf + (addr & 511), 512 - (addr & 511));
1466
if (bdrv_read(sd->bdrv, end >> 9, sd->buf, 1) < 0) {
1467
fprintf(stderr, "sd_blk_read: read error on host side\n");
1470
memcpy(sd->data + 512 - (addr & 511), sd->buf, end & 511);
1472
memcpy(sd->data, sd->buf + (addr & 511), len);
1475
static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1477
uint64_t end = addr + len;
1479
if ((addr & 511) || len < 512)
1480
if (!sd->bdrv || bdrv_read(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1481
fprintf(stderr, "sd_blk_write: read error on host side\n");
1485
if (end > (addr & ~511) + 512) {
1486
memcpy(sd->buf + (addr & 511), sd->data, 512 - (addr & 511));
1487
if (bdrv_write(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1488
fprintf(stderr, "sd_blk_write: write error on host side\n");
1492
if (bdrv_read(sd->bdrv, end >> 9, sd->buf, 1) < 0) {
1493
fprintf(stderr, "sd_blk_write: read error on host side\n");
1496
memcpy(sd->buf, sd->data + 512 - (addr & 511), end & 511);
1497
if (bdrv_write(sd->bdrv, end >> 9, sd->buf, 1) < 0) {
1498
fprintf(stderr, "sd_blk_write: write error on host side\n");
1501
memcpy(sd->buf + (addr & 511), sd->data, len);
1502
if (!sd->bdrv || bdrv_write(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1503
fprintf(stderr, "sd_blk_write: write error on host side\n");
1508
#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1509
#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1510
#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1511
#define APP_WRITE_BLOCK(a, len)
1513
void sd_write_data(SDState *sd, uint8_t value)
1517
if (!sd->bdrv || !bdrv_is_inserted(sd->bdrv) || !sd->enable)
1520
if (sd->state != sd_receivingdata_state) {
1521
fprintf(stderr, "sd_write_data: not in Receiving-Data state\n");
1525
if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1528
switch (sd->current_cmd) {
1529
case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1530
sd->data[sd->data_offset ++] = value;
1531
if (sd->data_offset >= sd->blk_len) {
1532
/* TODO: Check CRC before committing */
1533
sd->state = sd_programming_state;
1534
BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1536
sd->csd[14] |= 0x40;
1537
/* Bzzzzzzztt .... Operation complete. */
1538
sd->state = sd_transfer_state;
1542
case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1543
if (sd->data_offset == 0) {
1544
/* Start of the block - let's check the address is valid */
1545
if (sd->data_start + sd->blk_len > sd->size) {
1546
sd->card_status |= ADDRESS_ERROR;
1549
if (sd_wp_addr(sd, sd->data_start)) {
1550
sd->card_status |= WP_VIOLATION;
1554
sd->data[sd->data_offset++] = value;
1555
if (sd->data_offset >= sd->blk_len) {
1556
/* TODO: Check CRC before committing */
1557
sd->state = sd_programming_state;
1558
BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1560
sd->data_start += sd->blk_len;
1561
sd->data_offset = 0;
1562
sd->csd[14] |= 0x40;
1564
/* Bzzzzzzztt .... Operation complete. */
1565
sd->state = sd_receivingdata_state;
1569
case 26: /* CMD26: PROGRAM_CID */
1570
sd->data[sd->data_offset ++] = value;
1571
if (sd->data_offset >= sizeof(sd->cid)) {
1572
/* TODO: Check CRC before committing */
1573
sd->state = sd_programming_state;
1574
for (i = 0; i < sizeof(sd->cid); i ++)
1575
if ((sd->cid[i] | 0x00) != sd->data[i])
1576
sd->card_status |= CID_CSD_OVERWRITE;
1578
if (!(sd->card_status & CID_CSD_OVERWRITE))
1579
for (i = 0; i < sizeof(sd->cid); i ++) {
1581
sd->cid[i] &= sd->data[i];
1583
/* Bzzzzzzztt .... Operation complete. */
1584
sd->state = sd_transfer_state;
1588
case 27: /* CMD27: PROGRAM_CSD */
1589
sd->data[sd->data_offset ++] = value;
1590
if (sd->data_offset >= sizeof(sd->csd)) {
1591
/* TODO: Check CRC before committing */
1592
sd->state = sd_programming_state;
1593
for (i = 0; i < sizeof(sd->csd); i ++)
1594
if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1595
(sd->data[i] | sd_csd_rw_mask[i]))
1596
sd->card_status |= CID_CSD_OVERWRITE;
1598
/* Copy flag (OTP) & Permanent write protect */
1599
if (sd->csd[14] & ~sd->data[14] & 0x60)
1600
sd->card_status |= CID_CSD_OVERWRITE;
1602
if (!(sd->card_status & CID_CSD_OVERWRITE))
1603
for (i = 0; i < sizeof(sd->csd); i ++) {
1604
sd->csd[i] |= sd_csd_rw_mask[i];
1605
sd->csd[i] &= sd->data[i];
1607
/* Bzzzzzzztt .... Operation complete. */
1608
sd->state = sd_transfer_state;
1612
case 42: /* CMD42: LOCK_UNLOCK */
1613
sd->data[sd->data_offset ++] = value;
1614
if (sd->data_offset >= sd->blk_len) {
1615
/* TODO: Check CRC before committing */
1616
sd->state = sd_programming_state;
1617
sd_lock_command(sd);
1618
/* Bzzzzzzztt .... Operation complete. */
1619
sd->state = sd_transfer_state;
1623
case 56: /* CMD56: GEN_CMD */
1624
sd->data[sd->data_offset ++] = value;
1625
if (sd->data_offset >= sd->blk_len) {
1626
APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1627
sd->state = sd_transfer_state;
1632
fprintf(stderr, "sd_write_data: unknown command\n");
1637
uint8_t sd_read_data(SDState *sd)
1639
/* TODO: Append CRCs */
1643
if (!sd->bdrv || !bdrv_is_inserted(sd->bdrv) || !sd->enable)
1646
if (sd->state != sd_sendingdata_state) {
1647
fprintf(stderr, "sd_read_data: not in Sending-Data state\n");
1651
if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1654
io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1656
switch (sd->current_cmd) {
1657
case 6: /* CMD6: SWITCH_FUNCTION */
1658
ret = sd->data[sd->data_offset ++];
1660
if (sd->data_offset >= 64)
1661
sd->state = sd_transfer_state;
1664
case 9: /* CMD9: SEND_CSD */
1665
case 10: /* CMD10: SEND_CID */
1666
ret = sd->data[sd->data_offset ++];
1668
if (sd->data_offset >= 16)
1669
sd->state = sd_transfer_state;
1672
case 11: /* CMD11: READ_DAT_UNTIL_STOP */
1673
if (sd->data_offset == 0)
1674
BLK_READ_BLOCK(sd->data_start, io_len);
1675
ret = sd->data[sd->data_offset ++];
1677
if (sd->data_offset >= io_len) {
1678
sd->data_start += io_len;
1679
sd->data_offset = 0;
1680
if (sd->data_start + io_len > sd->size) {
1681
sd->card_status |= ADDRESS_ERROR;
1687
case 13: /* ACMD13: SD_STATUS */
1688
ret = sd->sd_status[sd->data_offset ++];
1690
if (sd->data_offset >= sizeof(sd->sd_status))
1691
sd->state = sd_transfer_state;
1694
case 17: /* CMD17: READ_SINGLE_BLOCK */
1695
if (sd->data_offset == 0)
1696
BLK_READ_BLOCK(sd->data_start, io_len);
1697
ret = sd->data[sd->data_offset ++];
1699
if (sd->data_offset >= io_len)
1700
sd->state = sd_transfer_state;
1703
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1704
if (sd->data_offset == 0)
1705
BLK_READ_BLOCK(sd->data_start, io_len);
1706
ret = sd->data[sd->data_offset ++];
1708
if (sd->data_offset >= io_len) {
1709
sd->data_start += io_len;
1710
sd->data_offset = 0;
1711
if (sd->data_start + io_len > sd->size) {
1712
sd->card_status |= ADDRESS_ERROR;
1718
case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1719
ret = sd->data[sd->data_offset ++];
1721
if (sd->data_offset >= 4)
1722
sd->state = sd_transfer_state;
1725
case 30: /* CMD30: SEND_WRITE_PROT */
1726
ret = sd->data[sd->data_offset ++];
1728
if (sd->data_offset >= 4)
1729
sd->state = sd_transfer_state;
1732
case 51: /* ACMD51: SEND_SCR */
1733
ret = sd->scr[sd->data_offset ++];
1735
if (sd->data_offset >= sizeof(sd->scr))
1736
sd->state = sd_transfer_state;
1739
case 56: /* CMD56: GEN_CMD */
1740
if (sd->data_offset == 0)
1741
APP_READ_BLOCK(sd->data_start, sd->blk_len);
1742
ret = sd->data[sd->data_offset ++];
1744
if (sd->data_offset >= sd->blk_len)
1745
sd->state = sd_transfer_state;
1749
fprintf(stderr, "sd_read_data: unknown command\n");
1756
bool sd_data_ready(SDState *sd)
1758
return sd->state == sd_sendingdata_state;
1761
void sd_enable(SDState *sd, bool enable)
1763
sd->enable = enable;