2
* SD Memory Card emulation as defined in the "SD Memory Card Physical
3
* layer specification, Version 1.10."
5
* Copyright (c) 2006 Andrzej Zaborowski <balrog@zabor.org>
6
* Copyright (c) 2007 CodeSourcery
8
* Redistribution and use in source and binary forms, with or without
9
* modification, are permitted provided that the following conditions
12
* 1. Redistributions of source code must retain the above copyright
13
* notice, this list of conditions and the following disclaimer.
14
* 2. Redistributions in binary form must reproduce the above copyright
15
* notice, this list of conditions and the following disclaimer in
16
* the documentation and/or other materials provided with the
19
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
20
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
21
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
22
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR
23
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
24
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
25
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
26
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
27
* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33
#include "block/block.h"
35
#include "qemu/bitmap.h"
40
#define DPRINTF(fmt, ...) \
41
do { fprintf(stderr, "SD: " fmt , ## __VA_ARGS__); } while (0)
43
#define DPRINTF(fmt, ...) do {} while(0)
46
#define ACMD41_ENQUIRY_MASK 0x00ffffff
49
sd_r0 = 0, /* no response */
50
sd_r1, /* normal response command */
51
sd_r2_i, /* CID register */
52
sd_r2_s, /* CSD register */
53
sd_r3, /* OCR register */
54
sd_r6 = 6, /* Published RCA response */
55
sd_r7, /* Operating voltage */
62
sd_card_identification_mode,
63
sd_data_transfer_mode,
67
sd_inactive_state = -1,
70
sd_identification_state,
74
sd_receivingdata_state,
80
uint32_t mode; /* current card mode, one of SDCardModes */
81
int32_t state; /* current card state, one of SDCardStates */
88
uint8_t sd_status[64];
91
unsigned long *wp_groups;
99
uint8_t function_group[6];
103
/* True if we will handle the next command as an ACMD. Note that this does
104
* *not* track the APP_CMD status bit!
107
uint32_t blk_written;
109
uint32_t data_offset;
111
qemu_irq readonly_cb;
112
qemu_irq inserted_cb;
113
BlockDriverState *bdrv;
119
static void sd_set_mode(SDState *sd)
122
case sd_inactive_state:
123
sd->mode = sd_inactive;
128
case sd_identification_state:
129
sd->mode = sd_card_identification_mode;
132
case sd_standby_state:
133
case sd_transfer_state:
134
case sd_sendingdata_state:
135
case sd_receivingdata_state:
136
case sd_programming_state:
137
case sd_disconnect_state:
138
sd->mode = sd_data_transfer_mode;
143
static const sd_cmd_type_t sd_cmd_type[64] = {
144
sd_bc, sd_none, sd_bcr, sd_bcr, sd_none, sd_none, sd_none, sd_ac,
145
sd_bcr, sd_ac, sd_ac, sd_adtc, sd_ac, sd_ac, sd_none, sd_ac,
146
sd_ac, sd_adtc, sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none,
147
sd_adtc, sd_adtc, sd_adtc, sd_adtc, sd_ac, sd_ac, sd_adtc, sd_none,
148
sd_ac, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
149
sd_none, sd_none, sd_bc, sd_none, sd_none, sd_none, sd_none, sd_none,
150
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac,
151
sd_adtc, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
154
static const sd_cmd_type_t sd_acmd_type[64] = {
155
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_ac, sd_none,
156
sd_none, sd_none, sd_none, sd_none, sd_none, sd_adtc, sd_none, sd_none,
157
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_adtc, sd_ac,
158
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
159
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
160
sd_none, sd_bcr, sd_ac, sd_none, sd_none, sd_none, sd_none, sd_none,
161
sd_none, sd_none, sd_none, sd_adtc, sd_none, sd_none, sd_none, sd_none,
162
sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none, sd_none,
165
static const int sd_cmd_class[64] = {
166
0, 0, 0, 0, 0, 9, 10, 0, 0, 0, 0, 1, 0, 0, 0, 0,
167
2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 6, 6, 6, 6,
168
5, 5, 10, 10, 10, 10, 5, 9, 9, 9, 7, 7, 7, 7, 7, 7,
169
7, 7, 10, 7, 9, 9, 9, 8, 8, 10, 8, 8, 8, 8, 8, 8,
172
static uint8_t sd_crc7(void *message, size_t width)
175
uint8_t shift_reg = 0x00;
176
uint8_t *msg = (uint8_t *) message;
178
for (i = 0; i < width; i ++, msg ++)
179
for (bit = 7; bit >= 0; bit --) {
181
if ((shift_reg >> 7) ^ ((*msg >> bit) & 1))
188
static uint16_t sd_crc16(void *message, size_t width)
191
uint16_t shift_reg = 0x0000;
192
uint16_t *msg = (uint16_t *) message;
195
for (i = 0; i < width; i ++, msg ++)
196
for (bit = 15; bit >= 0; bit --) {
198
if ((shift_reg >> 15) ^ ((*msg >> bit) & 1))
205
static void sd_set_ocr(SDState *sd)
207
/* All voltages OK, card power-up OK, Standard Capacity SD Memory Card */
208
sd->ocr = 0x80ffff00;
211
static void sd_set_scr(SDState *sd)
213
sd->scr[0] = 0x00; /* SCR Structure */
214
sd->scr[1] = 0x2f; /* SD Security Support */
230
static void sd_set_cid(SDState *sd)
232
sd->cid[0] = MID; /* Fake card manufacturer ID (MID) */
233
sd->cid[1] = OID[0]; /* OEM/Application ID (OID) */
235
sd->cid[3] = PNM[0]; /* Fake product name (PNM) */
240
sd->cid[8] = PRV; /* Fake product revision (PRV) */
241
sd->cid[9] = 0xde; /* Fake serial number (PSN) */
245
sd->cid[13] = 0x00 | /* Manufacture date (MDT) */
246
((MDT_YR - 2000) / 10);
247
sd->cid[14] = ((MDT_YR % 10) << 4) | MDT_MON;
248
sd->cid[15] = (sd_crc7(sd->cid, 15) << 1) | 1;
251
#define HWBLOCK_SHIFT 9 /* 512 bytes */
252
#define SECTOR_SHIFT 5 /* 16 kilobytes */
253
#define WPGROUP_SHIFT 7 /* 2 megs */
254
#define CMULT_SHIFT 9 /* 512 times HWBLOCK_SIZE */
255
#define WPGROUP_SIZE (1 << (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT))
257
static const uint8_t sd_csd_rw_mask[16] = {
258
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
259
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc, 0xfe,
262
static void sd_set_csd(SDState *sd, uint64_t size)
264
uint32_t csize = (size >> (CMULT_SHIFT + HWBLOCK_SHIFT)) - 1;
265
uint32_t sectsize = (1 << (SECTOR_SHIFT + 1)) - 1;
266
uint32_t wpsize = (1 << (WPGROUP_SHIFT + 1)) - 1;
268
if (size <= 0x40000000) { /* Standard Capacity SD */
269
sd->csd[0] = 0x00; /* CSD structure */
270
sd->csd[1] = 0x26; /* Data read access-time-1 */
271
sd->csd[2] = 0x00; /* Data read access-time-2 */
272
sd->csd[3] = 0x5a; /* Max. data transfer rate */
273
sd->csd[4] = 0x5f; /* Card Command Classes */
274
sd->csd[5] = 0x50 | /* Max. read data block length */
276
sd->csd[6] = 0xe0 | /* Partial block for read allowed */
277
((csize >> 10) & 0x03);
278
sd->csd[7] = 0x00 | /* Device size */
279
((csize >> 2) & 0xff);
280
sd->csd[8] = 0x3f | /* Max. read current */
281
((csize << 6) & 0xc0);
282
sd->csd[9] = 0xfc | /* Max. write current */
283
((CMULT_SHIFT - 2) >> 1);
284
sd->csd[10] = 0x40 | /* Erase sector size */
285
(((CMULT_SHIFT - 2) << 7) & 0x80) | (sectsize >> 1);
286
sd->csd[11] = 0x00 | /* Write protect group size */
287
((sectsize << 7) & 0x80) | wpsize;
288
sd->csd[12] = 0x90 | /* Write speed factor */
289
(HWBLOCK_SHIFT >> 2);
290
sd->csd[13] = 0x20 | /* Max. write data block length */
291
((HWBLOCK_SHIFT << 6) & 0xc0);
292
sd->csd[14] = 0x00; /* File format group */
293
sd->csd[15] = (sd_crc7(sd->csd, 15) << 1) | 1;
304
sd->csd[7] = (size >> 16) & 0xff;
305
sd->csd[8] = (size >> 8) & 0xff;
306
sd->csd[9] = (size & 0xff);
313
sd->ocr |= 1 << 30; /* High Capacity SD Memory Card */
317
static void sd_set_rca(SDState *sd)
322
/* Card status bits, split by clear condition:
323
* A : According to the card current state
324
* B : Always related to the previous command
325
* C : Cleared by read
327
#define CARD_STATUS_A 0x02004100
328
#define CARD_STATUS_B 0x00c01e00
329
#define CARD_STATUS_C 0xfd39a028
331
static void sd_set_cardstatus(SDState *sd)
333
sd->card_status = 0x00000100;
336
static void sd_set_sdstatus(SDState *sd)
338
memset(sd->sd_status, 0, 64);
341
static int sd_req_crc_validate(SDRequest *req)
344
buffer[0] = 0x40 | req->cmd;
345
buffer[1] = (req->arg >> 24) & 0xff;
346
buffer[2] = (req->arg >> 16) & 0xff;
347
buffer[3] = (req->arg >> 8) & 0xff;
348
buffer[4] = (req->arg >> 0) & 0xff;
350
return sd_crc7(buffer, 5) != req->crc; /* TODO */
353
static void sd_response_r1_make(SDState *sd, uint8_t *response)
355
uint32_t status = sd->card_status;
356
/* Clear the "clear on read" status bits */
357
sd->card_status &= ~CARD_STATUS_C;
359
response[0] = (status >> 24) & 0xff;
360
response[1] = (status >> 16) & 0xff;
361
response[2] = (status >> 8) & 0xff;
362
response[3] = (status >> 0) & 0xff;
365
static void sd_response_r3_make(SDState *sd, uint8_t *response)
367
response[0] = (sd->ocr >> 24) & 0xff;
368
response[1] = (sd->ocr >> 16) & 0xff;
369
response[2] = (sd->ocr >> 8) & 0xff;
370
response[3] = (sd->ocr >> 0) & 0xff;
373
static void sd_response_r6_make(SDState *sd, uint8_t *response)
379
status = ((sd->card_status >> 8) & 0xc000) |
380
((sd->card_status >> 6) & 0x2000) |
381
(sd->card_status & 0x1fff);
382
sd->card_status &= ~(CARD_STATUS_C & 0xc81fff);
384
response[0] = (arg >> 8) & 0xff;
385
response[1] = arg & 0xff;
386
response[2] = (status >> 8) & 0xff;
387
response[3] = status & 0xff;
390
static void sd_response_r7_make(SDState *sd, uint8_t *response)
392
response[0] = (sd->vhs >> 24) & 0xff;
393
response[1] = (sd->vhs >> 16) & 0xff;
394
response[2] = (sd->vhs >> 8) & 0xff;
395
response[3] = (sd->vhs >> 0) & 0xff;
398
static inline uint64_t sd_addr_to_wpnum(uint64_t addr)
400
return addr >> (HWBLOCK_SHIFT + SECTOR_SHIFT + WPGROUP_SHIFT);
403
void sd_reset(SDState *sd)
409
bdrv_get_geometry(sd->bdrv, §);
415
sect = sd_addr_to_wpnum(size) + 1;
417
sd->state = sd_idle_state;
422
sd_set_csd(sd, size);
423
sd_set_cardstatus(sd);
427
g_free(sd->wp_groups);
428
sd->wp_switch = sd->bdrv ? bdrv_is_read_only(sd->bdrv) : false;
429
sd->wpgrps_size = sect;
430
sd->wp_groups = bitmap_new(sd->wpgrps_size);
431
memset(sd->function_group, 0, sizeof(sd->function_group));
437
sd->expecting_acmd = false;
440
static void sd_cardchange(void *opaque, bool load)
442
SDState *sd = opaque;
444
qemu_set_irq(sd->inserted_cb, bdrv_is_inserted(sd->bdrv));
445
if (bdrv_is_inserted(sd->bdrv)) {
447
qemu_set_irq(sd->readonly_cb, sd->wp_switch);
451
static const BlockDevOps sd_block_ops = {
452
.change_media_cb = sd_cardchange,
455
static const VMStateDescription sd_vmstate = {
458
.minimum_version_id = 1,
459
.fields = (VMStateField[]) {
460
VMSTATE_UINT32(mode, SDState),
461
VMSTATE_INT32(state, SDState),
462
VMSTATE_UINT8_ARRAY(cid, SDState, 16),
463
VMSTATE_UINT8_ARRAY(csd, SDState, 16),
464
VMSTATE_UINT16(rca, SDState),
465
VMSTATE_UINT32(card_status, SDState),
466
VMSTATE_PARTIAL_BUFFER(sd_status, SDState, 1),
467
VMSTATE_UINT32(vhs, SDState),
468
VMSTATE_BITMAP(wp_groups, SDState, 0, wpgrps_size),
469
VMSTATE_UINT32(blk_len, SDState),
470
VMSTATE_UINT32(erase_start, SDState),
471
VMSTATE_UINT32(erase_end, SDState),
472
VMSTATE_UINT8_ARRAY(pwd, SDState, 16),
473
VMSTATE_UINT32(pwd_len, SDState),
474
VMSTATE_UINT8_ARRAY(function_group, SDState, 6),
475
VMSTATE_UINT8(current_cmd, SDState),
476
VMSTATE_BOOL(expecting_acmd, SDState),
477
VMSTATE_UINT32(blk_written, SDState),
478
VMSTATE_UINT64(data_start, SDState),
479
VMSTATE_UINT32(data_offset, SDState),
480
VMSTATE_UINT8_ARRAY(data, SDState, 512),
481
VMSTATE_BUFFER_POINTER_UNSAFE(buf, SDState, 1, 512),
482
VMSTATE_BOOL(enable, SDState),
483
VMSTATE_END_OF_LIST()
487
/* We do not model the chip select pin, so allow the board to select
488
whether card should be in SSI or MMC/SD mode. It is also up to the
489
board to ensure that ssi transfers only occur when the chip select
491
SDState *sd_init(BlockDriverState *bs, bool is_spi, bool is_mmc)
495
if (bs && bdrv_is_read_only(bs)) {
496
fprintf(stderr, "sd_init: Cannot use read-only drive\n");
500
sd = (SDState *) g_malloc0(sizeof(SDState));
501
sd->buf = qemu_blockalign(bs, 512);
507
bdrv_attach_dev_nofail(sd->bdrv, sd);
508
bdrv_set_dev_ops(sd->bdrv, &sd_block_ops, sd);
510
vmstate_register(NULL, -1, &sd_vmstate, sd);
514
void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
516
sd->readonly_cb = readonly;
517
sd->inserted_cb = insert;
518
qemu_set_irq(readonly, sd->bdrv ? bdrv_is_read_only(sd->bdrv) : 0);
519
qemu_set_irq(insert, sd->bdrv ? bdrv_is_inserted(sd->bdrv) : 0);
522
static void sd_erase(SDState *sd)
525
uint64_t erase_start = sd->erase_start;
526
uint64_t erase_end = sd->erase_end;
528
if (!sd->erase_start || !sd->erase_end) {
529
sd->card_status |= ERASE_SEQ_ERROR;
533
if (extract32(sd->ocr, OCR_CCS_BITN, 1)) {
534
/* High capacity memory card: erase units are 512 byte blocks */
539
erase_start = sd_addr_to_wpnum(erase_start);
540
erase_end = sd_addr_to_wpnum(erase_end);
545
for (i = erase_start; i <= erase_end; i++) {
546
if (test_bit(i, sd->wp_groups)) {
547
sd->card_status |= WP_ERASE_SKIP;
552
static uint32_t sd_wpbits(SDState *sd, uint64_t addr)
557
wpnum = sd_addr_to_wpnum(addr);
559
for (i = 0; i < 32; i++, wpnum++, addr += WPGROUP_SIZE) {
560
if (addr < sd->size && test_bit(wpnum, sd->wp_groups)) {
568
static void sd_function_switch(SDState *sd, uint32_t arg)
570
int i, mode, new_func, crc;
571
mode = !!(arg & 0x80000000);
573
sd->data[0] = 0x00; /* Maximum current consumption */
575
sd->data[2] = 0x80; /* Supported group 6 functions */
577
sd->data[4] = 0x80; /* Supported group 5 functions */
579
sd->data[6] = 0x80; /* Supported group 4 functions */
581
sd->data[8] = 0x80; /* Supported group 3 functions */
583
sd->data[10] = 0x80; /* Supported group 2 functions */
585
sd->data[12] = 0x80; /* Supported group 1 functions */
587
for (i = 0; i < 6; i ++) {
588
new_func = (arg >> (i * 4)) & 0x0f;
589
if (mode && new_func != 0x0f)
590
sd->function_group[i] = new_func;
591
sd->data[14 + (i >> 1)] = new_func << ((i * 4) & 4);
593
memset(&sd->data[17], 0, 47);
594
crc = sd_crc16(sd->data, 64);
595
sd->data[65] = crc >> 8;
596
sd->data[66] = crc & 0xff;
599
static inline bool sd_wp_addr(SDState *sd, uint64_t addr)
601
return test_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
604
static void sd_lock_command(SDState *sd)
606
int erase, lock, clr_pwd, set_pwd, pwd_len;
607
erase = !!(sd->data[0] & 0x08);
608
lock = sd->data[0] & 0x04;
609
clr_pwd = sd->data[0] & 0x02;
610
set_pwd = sd->data[0] & 0x01;
613
pwd_len = sd->data[1];
618
if (!(sd->card_status & CARD_IS_LOCKED) || sd->blk_len > 1 ||
619
set_pwd || clr_pwd || lock || sd->wp_switch ||
620
(sd->csd[14] & 0x20)) {
621
sd->card_status |= LOCK_UNLOCK_FAILED;
624
bitmap_zero(sd->wp_groups, sd->wpgrps_size);
625
sd->csd[14] &= ~0x10;
626
sd->card_status &= ~CARD_IS_LOCKED;
628
/* Erasing the entire card here! */
629
fprintf(stderr, "SD: Card force-erased by CMD42\n");
633
if (sd->blk_len < 2 + pwd_len ||
634
pwd_len <= sd->pwd_len ||
635
pwd_len > sd->pwd_len + 16) {
636
sd->card_status |= LOCK_UNLOCK_FAILED;
640
if (sd->pwd_len && memcmp(sd->pwd, sd->data + 2, sd->pwd_len)) {
641
sd->card_status |= LOCK_UNLOCK_FAILED;
645
pwd_len -= sd->pwd_len;
646
if ((pwd_len && !set_pwd) ||
647
(clr_pwd && (set_pwd || lock)) ||
648
(lock && !sd->pwd_len && !set_pwd) ||
649
(!set_pwd && !clr_pwd &&
650
(((sd->card_status & CARD_IS_LOCKED) && lock) ||
651
(!(sd->card_status & CARD_IS_LOCKED) && !lock)))) {
652
sd->card_status |= LOCK_UNLOCK_FAILED;
657
memcpy(sd->pwd, sd->data + 2 + sd->pwd_len, pwd_len);
658
sd->pwd_len = pwd_len;
666
sd->card_status |= CARD_IS_LOCKED;
668
sd->card_status &= ~CARD_IS_LOCKED;
671
static sd_rsp_type_t sd_normal_command(SDState *sd,
674
uint32_t rca = 0x0000;
675
uint64_t addr = (sd->ocr & (1 << 30)) ? (uint64_t) req.arg << 9 : req.arg;
677
/* Not interpreting this as an app command */
678
sd->card_status &= ~APP_CMD;
680
if (sd_cmd_type[req.cmd] == sd_ac || sd_cmd_type[req.cmd] == sd_adtc)
683
DPRINTF("CMD%d 0x%08x state %d\n", req.cmd, req.arg, sd->state);
685
/* Basic commands (Class 0 and Class 1) */
686
case 0: /* CMD0: GO_IDLE_STATE */
688
case sd_inactive_state:
689
return sd->spi ? sd_r1 : sd_r0;
692
sd->state = sd_idle_state;
694
return sd->spi ? sd_r1 : sd_r0;
698
case 1: /* CMD1: SEND_OP_CMD */
702
sd->state = sd_transfer_state;
705
case 2: /* CMD2: ALL_SEND_CID */
710
sd->state = sd_identification_state;
718
case 3: /* CMD3: SEND_RELATIVE_ADDR */
722
case sd_identification_state:
723
case sd_standby_state:
724
sd->state = sd_standby_state;
733
case 4: /* CMD4: SEND_DSR */
737
case sd_standby_state:
745
case 5: /* CMD5: reserved for SDIO cards */
748
case 6: /* CMD6: SWITCH_FUNCTION */
752
case sd_data_transfer_mode:
753
sd_function_switch(sd, req.arg);
754
sd->state = sd_sendingdata_state;
764
case 7: /* CMD7: SELECT/DESELECT_CARD */
768
case sd_standby_state:
772
sd->state = sd_transfer_state;
775
case sd_transfer_state:
776
case sd_sendingdata_state:
780
sd->state = sd_standby_state;
783
case sd_disconnect_state:
787
sd->state = sd_programming_state;
790
case sd_programming_state:
794
sd->state = sd_disconnect_state;
802
case 8: /* CMD8: SEND_IF_COND */
803
/* Physical Layer Specification Version 2.00 command */
808
/* No response if not exactly one VHS bit is set. */
809
if (!(req.arg >> 8) || (req.arg >> ffs(req.arg & ~0xff)))
810
return sd->spi ? sd_r7 : sd_r0;
821
case 9: /* CMD9: SEND_CSD */
823
case sd_standby_state:
829
case sd_transfer_state:
832
sd->state = sd_sendingdata_state;
833
memcpy(sd->data, sd->csd, 16);
834
sd->data_start = addr;
843
case 10: /* CMD10: SEND_CID */
845
case sd_standby_state:
851
case sd_transfer_state:
854
sd->state = sd_sendingdata_state;
855
memcpy(sd->data, sd->cid, 16);
856
sd->data_start = addr;
865
case 11: /* CMD11: READ_DAT_UNTIL_STOP */
869
case sd_transfer_state:
870
sd->state = sd_sendingdata_state;
871
sd->data_start = req.arg;
874
if (sd->data_start + sd->blk_len > sd->size)
875
sd->card_status |= ADDRESS_ERROR;
883
case 12: /* CMD12: STOP_TRANSMISSION */
885
case sd_sendingdata_state:
886
sd->state = sd_transfer_state;
889
case sd_receivingdata_state:
890
sd->state = sd_programming_state;
891
/* Bzzzzzzztt .... Operation complete. */
892
sd->state = sd_transfer_state;
900
case 13: /* CMD13: SEND_STATUS */
902
case sd_data_transfer_mode:
913
case 15: /* CMD15: GO_INACTIVE_STATE */
917
case sd_data_transfer_mode:
921
sd->state = sd_inactive_state;
929
/* Block read commands (Classs 2) */
930
case 16: /* CMD16: SET_BLOCKLEN */
932
case sd_transfer_state:
933
if (req.arg > (1 << HWBLOCK_SHIFT))
934
sd->card_status |= BLOCK_LEN_ERROR;
936
sd->blk_len = req.arg;
945
case 17: /* CMD17: READ_SINGLE_BLOCK */
947
case sd_transfer_state:
948
sd->state = sd_sendingdata_state;
949
sd->data_start = addr;
952
if (sd->data_start + sd->blk_len > sd->size)
953
sd->card_status |= ADDRESS_ERROR;
961
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
963
case sd_transfer_state:
964
sd->state = sd_sendingdata_state;
965
sd->data_start = addr;
968
if (sd->data_start + sd->blk_len > sd->size)
969
sd->card_status |= ADDRESS_ERROR;
977
/* Block write commands (Class 4) */
978
case 24: /* CMD24: WRITE_SINGLE_BLOCK */
980
goto unimplemented_cmd;
982
case sd_transfer_state:
983
/* Writing in SPI mode not implemented. */
986
sd->state = sd_receivingdata_state;
987
sd->data_start = addr;
991
if (sd->data_start + sd->blk_len > sd->size)
992
sd->card_status |= ADDRESS_ERROR;
993
if (sd_wp_addr(sd, sd->data_start))
994
sd->card_status |= WP_VIOLATION;
995
if (sd->csd[14] & 0x30)
996
sd->card_status |= WP_VIOLATION;
1004
case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1006
goto unimplemented_cmd;
1007
switch (sd->state) {
1008
case sd_transfer_state:
1009
/* Writing in SPI mode not implemented. */
1012
sd->state = sd_receivingdata_state;
1013
sd->data_start = addr;
1014
sd->data_offset = 0;
1015
sd->blk_written = 0;
1017
if (sd->data_start + sd->blk_len > sd->size)
1018
sd->card_status |= ADDRESS_ERROR;
1019
if (sd_wp_addr(sd, sd->data_start))
1020
sd->card_status |= WP_VIOLATION;
1021
if (sd->csd[14] & 0x30)
1022
sd->card_status |= WP_VIOLATION;
1030
case 26: /* CMD26: PROGRAM_CID */
1033
switch (sd->state) {
1034
case sd_transfer_state:
1035
sd->state = sd_receivingdata_state;
1037
sd->data_offset = 0;
1045
case 27: /* CMD27: PROGRAM_CSD */
1047
goto unimplemented_cmd;
1048
switch (sd->state) {
1049
case sd_transfer_state:
1050
sd->state = sd_receivingdata_state;
1052
sd->data_offset = 0;
1060
/* Write protection (Class 6) */
1061
case 28: /* CMD28: SET_WRITE_PROT */
1062
switch (sd->state) {
1063
case sd_transfer_state:
1064
if (addr >= sd->size) {
1065
sd->card_status |= ADDRESS_ERROR;
1069
sd->state = sd_programming_state;
1070
set_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1071
/* Bzzzzzzztt .... Operation complete. */
1072
sd->state = sd_transfer_state;
1080
case 29: /* CMD29: CLR_WRITE_PROT */
1081
switch (sd->state) {
1082
case sd_transfer_state:
1083
if (addr >= sd->size) {
1084
sd->card_status |= ADDRESS_ERROR;
1088
sd->state = sd_programming_state;
1089
clear_bit(sd_addr_to_wpnum(addr), sd->wp_groups);
1090
/* Bzzzzzzztt .... Operation complete. */
1091
sd->state = sd_transfer_state;
1099
case 30: /* CMD30: SEND_WRITE_PROT */
1100
switch (sd->state) {
1101
case sd_transfer_state:
1102
sd->state = sd_sendingdata_state;
1103
*(uint32_t *) sd->data = sd_wpbits(sd, req.arg);
1104
sd->data_start = addr;
1105
sd->data_offset = 0;
1113
/* Erase commands (Class 5) */
1114
case 32: /* CMD32: ERASE_WR_BLK_START */
1115
switch (sd->state) {
1116
case sd_transfer_state:
1117
sd->erase_start = req.arg;
1125
case 33: /* CMD33: ERASE_WR_BLK_END */
1126
switch (sd->state) {
1127
case sd_transfer_state:
1128
sd->erase_end = req.arg;
1136
case 38: /* CMD38: ERASE */
1137
switch (sd->state) {
1138
case sd_transfer_state:
1139
if (sd->csd[14] & 0x30) {
1140
sd->card_status |= WP_VIOLATION;
1144
sd->state = sd_programming_state;
1146
/* Bzzzzzzztt .... Operation complete. */
1147
sd->state = sd_transfer_state;
1155
/* Lock card commands (Class 7) */
1156
case 42: /* CMD42: LOCK_UNLOCK */
1158
goto unimplemented_cmd;
1159
switch (sd->state) {
1160
case sd_transfer_state:
1161
sd->state = sd_receivingdata_state;
1163
sd->data_offset = 0;
1173
/* CMD52, CMD53: reserved for SDIO cards
1174
* (see the SDIO Simplified Specification V2.0)
1175
* Handle as illegal command but do not complain
1176
* on stderr, as some OSes may use these in their
1177
* probing for presence of an SDIO card.
1181
/* Application specific commands (Class 8) */
1182
case 55: /* CMD55: APP_CMD */
1186
sd->expecting_acmd = true;
1187
sd->card_status |= APP_CMD;
1190
case 56: /* CMD56: GEN_CMD */
1191
fprintf(stderr, "SD: GEN_CMD 0x%08x\n", req.arg);
1193
switch (sd->state) {
1194
case sd_transfer_state:
1195
sd->data_offset = 0;
1197
sd->state = sd_sendingdata_state;
1199
sd->state = sd_receivingdata_state;
1209
fprintf(stderr, "SD: Unknown CMD%i\n", req.cmd);
1213
/* Commands that are recognised but not yet implemented in SPI mode. */
1214
fprintf(stderr, "SD: CMD%i not implemented in SPI mode\n", req.cmd);
1218
fprintf(stderr, "SD: CMD%i in a wrong state\n", req.cmd);
1222
static sd_rsp_type_t sd_app_command(SDState *sd,
1225
DPRINTF("ACMD%d 0x%08x\n", req.cmd, req.arg);
1226
sd->card_status |= APP_CMD;
1228
case 6: /* ACMD6: SET_BUS_WIDTH */
1229
switch (sd->state) {
1230
case sd_transfer_state:
1231
sd->sd_status[0] &= 0x3f;
1232
sd->sd_status[0] |= (req.arg & 0x03) << 6;
1240
case 13: /* ACMD13: SD_STATUS */
1241
switch (sd->state) {
1242
case sd_transfer_state:
1243
sd->state = sd_sendingdata_state;
1245
sd->data_offset = 0;
1253
case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1254
switch (sd->state) {
1255
case sd_transfer_state:
1256
*(uint32_t *) sd->data = sd->blk_written;
1258
sd->state = sd_sendingdata_state;
1260
sd->data_offset = 0;
1268
case 23: /* ACMD23: SET_WR_BLK_ERASE_COUNT */
1269
switch (sd->state) {
1270
case sd_transfer_state:
1278
case 41: /* ACMD41: SD_APP_OP_COND */
1281
sd->state = sd_transfer_state;
1284
switch (sd->state) {
1286
/* We accept any voltage. 10000 V is nothing.
1288
* We don't model init delay so just advance straight to ready state
1289
* unless it's an enquiry ACMD41 (bits 23:0 == 0).
1291
if (req.arg & ACMD41_ENQUIRY_MASK) {
1292
sd->state = sd_ready_state;
1302
case 42: /* ACMD42: SET_CLR_CARD_DETECT */
1303
switch (sd->state) {
1304
case sd_transfer_state:
1305
/* Bringing in the 50KOhm pull-up resistor... Done. */
1313
case 51: /* ACMD51: SEND_SCR */
1314
switch (sd->state) {
1315
case sd_transfer_state:
1316
sd->state = sd_sendingdata_state;
1318
sd->data_offset = 0;
1327
/* Fall back to standard commands. */
1328
return sd_normal_command(sd, req);
1331
fprintf(stderr, "SD: ACMD%i in a wrong state\n", req.cmd);
1335
static int cmd_valid_while_locked(SDState *sd, SDRequest *req)
1337
/* Valid commands in locked state:
1339
* lock card class (7)
1341
* implicitly, the ACMD prefix CMD55
1343
* Anything else provokes an "illegal command" response.
1345
if (sd->expecting_acmd) {
1346
return req->cmd == 41 || req->cmd == 42;
1348
if (req->cmd == 16 || req->cmd == 55) {
1351
return sd_cmd_class[req->cmd] == 0 || sd_cmd_class[req->cmd] == 7;
1354
int sd_do_command(SDState *sd, SDRequest *req,
1355
uint8_t *response) {
1357
sd_rsp_type_t rtype;
1360
if (!sd->bdrv || !bdrv_is_inserted(sd->bdrv) || !sd->enable) {
1364
if (sd_req_crc_validate(req)) {
1365
sd->card_status |= COM_CRC_ERROR;
1370
if (sd->card_status & CARD_IS_LOCKED) {
1371
if (!cmd_valid_while_locked(sd, req)) {
1372
sd->card_status |= ILLEGAL_COMMAND;
1373
sd->expecting_acmd = false;
1374
fprintf(stderr, "SD: Card is locked\n");
1380
last_state = sd->state;
1383
if (sd->expecting_acmd) {
1384
sd->expecting_acmd = false;
1385
rtype = sd_app_command(sd, *req);
1387
rtype = sd_normal_command(sd, *req);
1390
if (rtype == sd_illegal) {
1391
sd->card_status |= ILLEGAL_COMMAND;
1393
/* Valid command, we can update the 'state before command' bits.
1394
* (Do this now so they appear in r1 responses.)
1396
sd->current_cmd = req->cmd;
1397
sd->card_status &= ~CURRENT_STATE;
1398
sd->card_status |= (last_state << 9);
1405
sd_response_r1_make(sd, response);
1410
memcpy(response, sd->cid, sizeof(sd->cid));
1415
memcpy(response, sd->csd, sizeof(sd->csd));
1420
sd_response_r3_make(sd, response);
1425
sd_response_r6_make(sd, response);
1430
sd_response_r7_make(sd, response);
1441
if (rtype != sd_illegal) {
1442
/* Clear the "clear on valid command" status bits now we've
1445
sd->card_status &= ~CARD_STATUS_B;
1451
DPRINTF("Response:");
1452
for (i = 0; i < rsplen; i++)
1453
fprintf(stderr, " %02x", response[i]);
1454
fprintf(stderr, " state %d\n", sd->state);
1456
DPRINTF("No response %d\n", sd->state);
1463
static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
1465
uint64_t end = addr + len;
1467
DPRINTF("sd_blk_read: addr = 0x%08llx, len = %d\n",
1468
(unsigned long long) addr, len);
1469
if (!sd->bdrv || bdrv_read(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1470
fprintf(stderr, "sd_blk_read: read error on host side\n");
1474
if (end > (addr & ~511) + 512) {
1475
memcpy(sd->data, sd->buf + (addr & 511), 512 - (addr & 511));
1477
if (bdrv_read(sd->bdrv, end >> 9, sd->buf, 1) < 0) {
1478
fprintf(stderr, "sd_blk_read: read error on host side\n");
1481
memcpy(sd->data + 512 - (addr & 511), sd->buf, end & 511);
1483
memcpy(sd->data, sd->buf + (addr & 511), len);
1486
static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
1488
uint64_t end = addr + len;
1490
if ((addr & 511) || len < 512)
1491
if (!sd->bdrv || bdrv_read(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1492
fprintf(stderr, "sd_blk_write: read error on host side\n");
1496
if (end > (addr & ~511) + 512) {
1497
memcpy(sd->buf + (addr & 511), sd->data, 512 - (addr & 511));
1498
if (bdrv_write(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1499
fprintf(stderr, "sd_blk_write: write error on host side\n");
1503
if (bdrv_read(sd->bdrv, end >> 9, sd->buf, 1) < 0) {
1504
fprintf(stderr, "sd_blk_write: read error on host side\n");
1507
memcpy(sd->buf, sd->data + 512 - (addr & 511), end & 511);
1508
if (bdrv_write(sd->bdrv, end >> 9, sd->buf, 1) < 0) {
1509
fprintf(stderr, "sd_blk_write: write error on host side\n");
1512
memcpy(sd->buf + (addr & 511), sd->data, len);
1513
if (!sd->bdrv || bdrv_write(sd->bdrv, addr >> 9, sd->buf, 1) < 0) {
1514
fprintf(stderr, "sd_blk_write: write error on host side\n");
1519
#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
1520
#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
1521
#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
1522
#define APP_WRITE_BLOCK(a, len)
1524
void sd_write_data(SDState *sd, uint8_t value)
1528
if (!sd->bdrv || !bdrv_is_inserted(sd->bdrv) || !sd->enable)
1531
if (sd->state != sd_receivingdata_state) {
1532
fprintf(stderr, "sd_write_data: not in Receiving-Data state\n");
1536
if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1539
switch (sd->current_cmd) {
1540
case 24: /* CMD24: WRITE_SINGLE_BLOCK */
1541
sd->data[sd->data_offset ++] = value;
1542
if (sd->data_offset >= sd->blk_len) {
1543
/* TODO: Check CRC before committing */
1544
sd->state = sd_programming_state;
1545
BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1547
sd->csd[14] |= 0x40;
1548
/* Bzzzzzzztt .... Operation complete. */
1549
sd->state = sd_transfer_state;
1553
case 25: /* CMD25: WRITE_MULTIPLE_BLOCK */
1554
if (sd->data_offset == 0) {
1555
/* Start of the block - let's check the address is valid */
1556
if (sd->data_start + sd->blk_len > sd->size) {
1557
sd->card_status |= ADDRESS_ERROR;
1560
if (sd_wp_addr(sd, sd->data_start)) {
1561
sd->card_status |= WP_VIOLATION;
1565
sd->data[sd->data_offset++] = value;
1566
if (sd->data_offset >= sd->blk_len) {
1567
/* TODO: Check CRC before committing */
1568
sd->state = sd_programming_state;
1569
BLK_WRITE_BLOCK(sd->data_start, sd->data_offset);
1571
sd->data_start += sd->blk_len;
1572
sd->data_offset = 0;
1573
sd->csd[14] |= 0x40;
1575
/* Bzzzzzzztt .... Operation complete. */
1576
sd->state = sd_receivingdata_state;
1580
case 26: /* CMD26: PROGRAM_CID */
1581
sd->data[sd->data_offset ++] = value;
1582
if (sd->data_offset >= sizeof(sd->cid)) {
1583
/* TODO: Check CRC before committing */
1584
sd->state = sd_programming_state;
1585
for (i = 0; i < sizeof(sd->cid); i ++)
1586
if ((sd->cid[i] | 0x00) != sd->data[i])
1587
sd->card_status |= CID_CSD_OVERWRITE;
1589
if (!(sd->card_status & CID_CSD_OVERWRITE))
1590
for (i = 0; i < sizeof(sd->cid); i ++) {
1592
sd->cid[i] &= sd->data[i];
1594
/* Bzzzzzzztt .... Operation complete. */
1595
sd->state = sd_transfer_state;
1599
case 27: /* CMD27: PROGRAM_CSD */
1600
sd->data[sd->data_offset ++] = value;
1601
if (sd->data_offset >= sizeof(sd->csd)) {
1602
/* TODO: Check CRC before committing */
1603
sd->state = sd_programming_state;
1604
for (i = 0; i < sizeof(sd->csd); i ++)
1605
if ((sd->csd[i] | sd_csd_rw_mask[i]) !=
1606
(sd->data[i] | sd_csd_rw_mask[i]))
1607
sd->card_status |= CID_CSD_OVERWRITE;
1609
/* Copy flag (OTP) & Permanent write protect */
1610
if (sd->csd[14] & ~sd->data[14] & 0x60)
1611
sd->card_status |= CID_CSD_OVERWRITE;
1613
if (!(sd->card_status & CID_CSD_OVERWRITE))
1614
for (i = 0; i < sizeof(sd->csd); i ++) {
1615
sd->csd[i] |= sd_csd_rw_mask[i];
1616
sd->csd[i] &= sd->data[i];
1618
/* Bzzzzzzztt .... Operation complete. */
1619
sd->state = sd_transfer_state;
1623
case 42: /* CMD42: LOCK_UNLOCK */
1624
sd->data[sd->data_offset ++] = value;
1625
if (sd->data_offset >= sd->blk_len) {
1626
/* TODO: Check CRC before committing */
1627
sd->state = sd_programming_state;
1628
sd_lock_command(sd);
1629
/* Bzzzzzzztt .... Operation complete. */
1630
sd->state = sd_transfer_state;
1634
case 56: /* CMD56: GEN_CMD */
1635
sd->data[sd->data_offset ++] = value;
1636
if (sd->data_offset >= sd->blk_len) {
1637
APP_WRITE_BLOCK(sd->data_start, sd->data_offset);
1638
sd->state = sd_transfer_state;
1643
fprintf(stderr, "sd_write_data: unknown command\n");
1648
uint8_t sd_read_data(SDState *sd)
1650
/* TODO: Append CRCs */
1654
if (!sd->bdrv || !bdrv_is_inserted(sd->bdrv) || !sd->enable)
1657
if (sd->state != sd_sendingdata_state) {
1658
fprintf(stderr, "sd_read_data: not in Sending-Data state\n");
1662
if (sd->card_status & (ADDRESS_ERROR | WP_VIOLATION))
1665
io_len = (sd->ocr & (1 << 30)) ? 512 : sd->blk_len;
1667
switch (sd->current_cmd) {
1668
case 6: /* CMD6: SWITCH_FUNCTION */
1669
ret = sd->data[sd->data_offset ++];
1671
if (sd->data_offset >= 64)
1672
sd->state = sd_transfer_state;
1675
case 9: /* CMD9: SEND_CSD */
1676
case 10: /* CMD10: SEND_CID */
1677
ret = sd->data[sd->data_offset ++];
1679
if (sd->data_offset >= 16)
1680
sd->state = sd_transfer_state;
1683
case 11: /* CMD11: READ_DAT_UNTIL_STOP */
1684
if (sd->data_offset == 0)
1685
BLK_READ_BLOCK(sd->data_start, io_len);
1686
ret = sd->data[sd->data_offset ++];
1688
if (sd->data_offset >= io_len) {
1689
sd->data_start += io_len;
1690
sd->data_offset = 0;
1691
if (sd->data_start + io_len > sd->size) {
1692
sd->card_status |= ADDRESS_ERROR;
1698
case 13: /* ACMD13: SD_STATUS */
1699
ret = sd->sd_status[sd->data_offset ++];
1701
if (sd->data_offset >= sizeof(sd->sd_status))
1702
sd->state = sd_transfer_state;
1705
case 17: /* CMD17: READ_SINGLE_BLOCK */
1706
if (sd->data_offset == 0)
1707
BLK_READ_BLOCK(sd->data_start, io_len);
1708
ret = sd->data[sd->data_offset ++];
1710
if (sd->data_offset >= io_len)
1711
sd->state = sd_transfer_state;
1714
case 18: /* CMD18: READ_MULTIPLE_BLOCK */
1715
if (sd->data_offset == 0)
1716
BLK_READ_BLOCK(sd->data_start, io_len);
1717
ret = sd->data[sd->data_offset ++];
1719
if (sd->data_offset >= io_len) {
1720
sd->data_start += io_len;
1721
sd->data_offset = 0;
1722
if (sd->data_start + io_len > sd->size) {
1723
sd->card_status |= ADDRESS_ERROR;
1729
case 22: /* ACMD22: SEND_NUM_WR_BLOCKS */
1730
ret = sd->data[sd->data_offset ++];
1732
if (sd->data_offset >= 4)
1733
sd->state = sd_transfer_state;
1736
case 30: /* CMD30: SEND_WRITE_PROT */
1737
ret = sd->data[sd->data_offset ++];
1739
if (sd->data_offset >= 4)
1740
sd->state = sd_transfer_state;
1743
case 51: /* ACMD51: SEND_SCR */
1744
ret = sd->scr[sd->data_offset ++];
1746
if (sd->data_offset >= sizeof(sd->scr))
1747
sd->state = sd_transfer_state;
1750
case 56: /* CMD56: GEN_CMD */
1751
if (sd->data_offset == 0)
1752
APP_READ_BLOCK(sd->data_start, sd->blk_len);
1753
ret = sd->data[sd->data_offset ++];
1755
if (sd->data_offset >= sd->blk_len)
1756
sd->state = sd_transfer_state;
1760
fprintf(stderr, "sd_read_data: unknown command\n");
1767
bool sd_data_ready(SDState *sd)
1769
return sd->state == sd_sendingdata_state;
1772
void sd_enable(SDState *sd, bool enable)
1774
sd->enable = enable;