2 * USB UHCI controller emulation
4 * Copyright (c) 2005 Fabrice Bellard
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
27 //#define DEBUG_PACKET
29 #define UHCI_CMD_GRESET (1 << 2)
30 #define UHCI_CMD_HCRESET (1 << 1)
31 #define UHCI_CMD_RS (1 << 0)
33 #define UHCI_STS_HCHALTED (1 << 5)
34 #define UHCI_STS_HCPERR (1 << 4)
35 #define UHCI_STS_HSERR (1 << 3)
36 #define UHCI_STS_RD (1 << 2)
37 #define UHCI_STS_USBERR (1 << 1)
38 #define UHCI_STS_USBINT (1 << 0)
40 #define TD_CTRL_SPD (1 << 29)
41 #define TD_CTRL_ERROR_SHIFT 27
42 #define TD_CTRL_IOS (1 << 25)
43 #define TD_CTRL_IOC (1 << 24)
44 #define TD_CTRL_ACTIVE (1 << 23)
45 #define TD_CTRL_STALL (1 << 22)
46 #define TD_CTRL_BABBLE (1 << 20)
47 #define TD_CTRL_NAK (1 << 19)
48 #define TD_CTRL_TIMEOUT (1 << 18)
50 #define UHCI_PORT_RESET (1 << 9)
51 #define UHCI_PORT_LSDA (1 << 8)
52 #define UHCI_PORT_ENC (1 << 3)
53 #define UHCI_PORT_EN (1 << 2)
54 #define UHCI_PORT_CSC (1 << 1)
55 #define UHCI_PORT_CCS (1 << 0)
57 #define FRAME_TIMER_FREQ 1000
59 #define FRAME_MAX_LOOPS 100
63 typedef struct UHCIPort {
68 typedef struct UHCIState {
70 uint16_t cmd; /* cmd register */
72 uint16_t intr; /* interrupt enable register */
73 uint16_t frnum; /* frame number */
74 uint32_t fl_base_addr; /* frame list base address */
76 uint8_t status2; /* bit 0 and 1 are used to generate UHCI_STS_USBINT */
77 QEMUTimer *frame_timer;
78 UHCIPort ports[NB_PORTS];
80 /* Interrupts that should be raised at the end of the current frame. */
81 uint32_t pending_int_mask;
82 /* For simplicity of implementation we only allow a single pending USB
83 request. This means all usb traffic on this controller is effectively
84 suspended until that transfer completes. When the transfer completes
85 the next transfer from that queue will be processed. However
86 other queues will not be processed until the next frame. The solution
87 is to allow multiple pending requests. */
90 uint8_t usb_buf[1280];
93 typedef struct UHCI_TD {
95 uint32_t ctrl; /* see TD_CTRL_xxx */
100 typedef struct UHCI_QH {
105 static void uhci_attach(USBPort *port1, USBDevice *dev);
107 static void uhci_update_irq(UHCIState *s)
110 if (((s->status2 & 1) && (s->intr & (1 << 2))) ||
111 ((s->status2 & 2) && (s->intr & (1 << 3))) ||
112 ((s->status & UHCI_STS_USBERR) && (s->intr & (1 << 0))) ||
113 ((s->status & UHCI_STS_RD) && (s->intr & (1 << 1))) ||
114 (s->status & UHCI_STS_HSERR) ||
115 (s->status & UHCI_STS_HCPERR)) {
120 pci_set_irq(&s->dev, 3, level);
123 static void uhci_reset(UHCIState *s)
129 pci_conf = s->dev.config;
131 pci_conf[0x6a] = 0x01; /* usb clock */
132 pci_conf[0x6b] = 0x00;
139 for(i = 0; i < NB_PORTS; i++) {
143 uhci_attach(&port->port, port->port.dev);
147 static void uhci_ioport_writeb(void *opaque, uint32_t addr, uint32_t val)
149 UHCIState *s = opaque;
159 static uint32_t uhci_ioport_readb(void *opaque, uint32_t addr)
161 UHCIState *s = opaque;
176 static void uhci_ioport_writew(void *opaque, uint32_t addr, uint32_t val)
178 UHCIState *s = opaque;
182 printf("uhci writew port=0x%04x val=0x%04x\n", addr, val);
186 if ((val & UHCI_CMD_RS) && !(s->cmd & UHCI_CMD_RS)) {
187 /* start frame processing */
188 qemu_mod_timer(s->frame_timer, qemu_get_clock(vm_clock));
189 s->status &= ~UHCI_STS_HCHALTED;
190 } else if (!(val & UHCI_CMD_RS)) {
191 s->status |= UHCI_STS_HCHALTED;
193 if (val & UHCI_CMD_GRESET) {
198 /* send reset on the USB bus */
199 for(i = 0; i < NB_PORTS; i++) {
201 dev = port->port.dev;
203 usb_send_msg(dev, USB_MSG_RESET);
209 if (val & UHCI_CMD_HCRESET) {
217 /* XXX: the chip spec is not coherent, so we add a hidden
218 register to distinguish between IOC and SPD */
219 if (val & UHCI_STS_USBINT)
228 if (s->status & UHCI_STS_HCHALTED)
229 s->frnum = val & 0x7ff;
241 dev = port->port.dev;
244 if ( (val & UHCI_PORT_RESET) &&
245 !(port->ctrl & UHCI_PORT_RESET) ) {
246 usb_send_msg(dev, USB_MSG_RESET);
249 port->ctrl = (port->ctrl & 0x01fb) | (val & ~0x01fb);
250 /* some bits are reset when a '1' is written to them */
251 port->ctrl &= ~(val & 0x000a);
257 static uint32_t uhci_ioport_readw(void *opaque, uint32_t addr)
259 UHCIState *s = opaque;
289 val = 0xff7f; /* disabled port */
293 printf("uhci readw port=0x%04x val=0x%04x\n", addr, val);
298 static void uhci_ioport_writel(void *opaque, uint32_t addr, uint32_t val)
300 UHCIState *s = opaque;
304 printf("uhci writel port=0x%04x val=0x%08x\n", addr, val);
308 s->fl_base_addr = val & ~0xfff;
313 static uint32_t uhci_ioport_readl(void *opaque, uint32_t addr)
315 UHCIState *s = opaque;
321 val = s->fl_base_addr;
330 static void uhci_attach(USBPort *port1, USBDevice *dev)
332 UHCIState *s = port1->opaque;
333 UHCIPort *port = &s->ports[port1->index];
336 if (port->port.dev) {
337 usb_attach(port1, NULL);
339 /* set connect status */
340 port->ctrl |= UHCI_PORT_CCS | UHCI_PORT_CSC;
343 if (dev->speed == USB_SPEED_LOW)
344 port->ctrl |= UHCI_PORT_LSDA;
346 port->ctrl &= ~UHCI_PORT_LSDA;
347 port->port.dev = dev;
348 /* send the attach message */
349 usb_send_msg(dev, USB_MSG_ATTACH);
351 /* set connect status */
352 if (port->ctrl & UHCI_PORT_CCS) {
353 port->ctrl &= ~UHCI_PORT_CCS;
354 port->ctrl |= UHCI_PORT_CSC;
357 if (port->ctrl & UHCI_PORT_EN) {
358 port->ctrl &= ~UHCI_PORT_EN;
359 port->ctrl |= UHCI_PORT_ENC;
361 dev = port->port.dev;
363 /* send the detach message */
364 usb_send_msg(dev, USB_MSG_DETACH);
366 port->port.dev = NULL;
370 static int uhci_broadcast_packet(UHCIState *s, USBPacket *p)
380 case USB_TOKEN_SETUP: pidstr = "SETUP"; break;
381 case USB_TOKEN_IN: pidstr = "IN"; break;
382 case USB_TOKEN_OUT: pidstr = "OUT"; break;
383 default: pidstr = "?"; break;
385 printf("frame %d: pid=%s addr=0x%02x ep=%d len=%d\n",
386 s->frnum, pidstr, p->devaddr, p->devep, p->len);
387 if (p->pid != USB_TOKEN_IN) {
388 printf(" data_out=");
389 for(i = 0; i < p->len; i++) {
390 printf(" %02x", p->data[i]);
396 for(i = 0; i < NB_PORTS; i++) {
398 dev = port->port.dev;
399 if (dev && (port->ctrl & UHCI_PORT_EN)) {
400 ret = dev->handle_packet(dev, p);
401 if (ret != USB_RET_NODEV) {
403 if (ret == USB_RET_ASYNC) {
404 printf("usb-uhci: Async packet\n");
406 printf(" ret=%d ", ret);
407 if (p->pid == USB_TOKEN_IN && ret > 0) {
409 for(i = 0; i < ret; i++) {
410 printf(" %02x", p->data[i]);
420 return USB_RET_NODEV;
423 static void uhci_async_complete_packet(USBPacket * packet, void *opaque);
425 /* return -1 if fatal error (frame must be stopped)
427 1 if TD unsuccessful or inactive
429 static int uhci_handle_td(UHCIState *s, UHCI_TD *td, int *int_mask)
432 int len, max_len, err, ret;
434 /* ??? This is wrong for async completion. */
435 if (td->ctrl & TD_CTRL_IOC) {
439 if (!(td->ctrl & TD_CTRL_ACTIVE))
443 max_len = ((td->token >> 21) + 1) & 0x7ff;
444 pid = td->token & 0xff;
446 ret = s->usb_packet.len;
451 ret = USB_RET_BABBLE;
454 /* write the data back */
455 cpu_physical_memory_write(td->buffer, s->usb_buf, len);
462 s->usb_packet.pid = pid;
463 s->usb_packet.devaddr = (td->token >> 8) & 0x7f;
464 s->usb_packet.devep = (td->token >> 15) & 0xf;
465 s->usb_packet.data = s->usb_buf;
466 s->usb_packet.len = max_len;
467 s->usb_packet.complete_cb = uhci_async_complete_packet;
468 s->usb_packet.complete_opaque = s;
471 case USB_TOKEN_SETUP:
472 cpu_physical_memory_read(td->buffer, s->usb_buf, max_len);
473 ret = uhci_broadcast_packet(s, &s->usb_packet);
477 ret = uhci_broadcast_packet(s, &s->usb_packet);
482 ret = USB_RET_BABBLE;
485 /* write the data back */
486 cpu_physical_memory_write(td->buffer, s->usb_buf, len);
493 /* invalid pid : frame interrupted */
494 s->status |= UHCI_STS_HCPERR;
499 if (ret == USB_RET_ASYNC) {
502 if (td->ctrl & TD_CTRL_IOS)
503 td->ctrl &= ~TD_CTRL_ACTIVE;
505 td->ctrl = (td->ctrl & ~0x7ff) | ((len - 1) & 0x7ff);
506 td->ctrl &= ~TD_CTRL_ACTIVE;
507 if (pid == USB_TOKEN_IN &&
508 (td->ctrl & TD_CTRL_SPD) &&
511 /* short packet: do not update QH */
522 td->ctrl |= TD_CTRL_TIMEOUT;
523 err = (td->ctrl >> TD_CTRL_ERROR_SHIFT) & 3;
527 td->ctrl &= ~TD_CTRL_ACTIVE;
528 s->status |= UHCI_STS_USBERR;
532 td->ctrl = (td->ctrl & ~(3 << TD_CTRL_ERROR_SHIFT)) |
533 (err << TD_CTRL_ERROR_SHIFT);
536 td->ctrl |= TD_CTRL_NAK;
537 if (pid == USB_TOKEN_SETUP)
541 td->ctrl |= TD_CTRL_STALL;
542 td->ctrl &= ~TD_CTRL_ACTIVE;
545 td->ctrl |= TD_CTRL_BABBLE | TD_CTRL_STALL;
546 td->ctrl &= ~TD_CTRL_ACTIVE;
547 /* frame interrupted */
553 static void uhci_async_complete_packet(USBPacket * packet, void *opaque)
555 UHCIState *s = opaque;
559 uint32_t old_td_ctrl;
565 /* This should never happen. It means a TD somehow got removed
566 without cancelling the associated async IO request. */
569 cpu_physical_memory_read(link & ~0xf, (uint8_t *)&qh, sizeof(qh));
570 le32_to_cpus(&qh.link);
571 le32_to_cpus(&qh.el_link);
572 /* Re-process the queue containing the async packet. */
574 cpu_physical_memory_read(qh.el_link & ~0xf,
575 (uint8_t *)&td, sizeof(td));
576 le32_to_cpus(&td.link);
577 le32_to_cpus(&td.ctrl);
578 le32_to_cpus(&td.token);
579 le32_to_cpus(&td.buffer);
580 old_td_ctrl = td.ctrl;
581 ret = uhci_handle_td(s, &td, &s->pending_int_mask);
582 /* update the status bits of the TD */
583 if (old_td_ctrl != td.ctrl) {
584 val = cpu_to_le32(td.ctrl);
585 cpu_physical_memory_write((qh.el_link & ~0xf) + 4,
586 (const uint8_t *)&val,
590 break; /* interrupted frame */
594 } else if (ret == 0) {
595 /* update qh element link */
596 qh.el_link = td.link;
597 val = cpu_to_le32(qh.el_link);
598 cpu_physical_memory_write((link & ~0xf) + 4,
599 (const uint8_t *)&val,
601 if (!(qh.el_link & 4))
608 static void uhci_frame_timer(void *opaque)
610 UHCIState *s = opaque;
612 uint32_t frame_addr, link, old_td_ctrl, val;
613 int int_mask, cnt, ret;
616 uint32_t old_async_qh;
618 if (!(s->cmd & UHCI_CMD_RS)) {
619 qemu_del_timer(s->frame_timer);
620 /* set hchalted bit in status - UHCI11D 2.1.2 */
621 s->status |= UHCI_STS_HCHALTED;
624 /* Complete the previous frame. */
625 s->frnum = (s->frnum + 1) & 0x7ff;
626 if (s->pending_int_mask) {
627 s->status2 |= s->pending_int_mask;
628 s->status |= UHCI_STS_USBINT;
631 old_async_qh = s->async_qh;
632 frame_addr = s->fl_base_addr + ((s->frnum & 0x3ff) << 2);
633 cpu_physical_memory_read(frame_addr, (uint8_t *)&link, 4);
636 cnt = FRAME_MAX_LOOPS;
637 while ((link & 1) == 0) {
643 if (link == s->async_qh) {
644 /* We've found a previously issues packet.
645 Nothing else to do. */
649 cpu_physical_memory_read(link & ~0xf, (uint8_t *)&qh, sizeof(qh));
650 le32_to_cpus(&qh.link);
651 le32_to_cpus(&qh.el_link);
653 if (qh.el_link & 1) {
654 /* no element : go to next entry */
656 } else if (qh.el_link & 2) {
659 } else if (s->async_qh) {
660 /* We can only cope with one pending packet. Keep looking
661 for the previously issued packet. */
667 cpu_physical_memory_read(qh.el_link & ~0xf,
668 (uint8_t *)&td, sizeof(td));
669 le32_to_cpus(&td.link);
670 le32_to_cpus(&td.ctrl);
671 le32_to_cpus(&td.token);
672 le32_to_cpus(&td.buffer);
673 old_td_ctrl = td.ctrl;
674 ret = uhci_handle_td(s, &td, &int_mask);
675 /* update the status bits of the TD */
676 if (old_td_ctrl != td.ctrl) {
677 val = cpu_to_le32(td.ctrl);
678 cpu_physical_memory_write((qh.el_link & ~0xf) + 4,
679 (const uint8_t *)&val,
683 break; /* interrupted frame */
686 } else if (ret == 0) {
687 /* update qh element link */
688 qh.el_link = td.link;
689 val = cpu_to_le32(qh.el_link);
690 cpu_physical_memory_write((link & ~0xf) + 4,
691 (const uint8_t *)&val,
693 if (qh.el_link & 4) {
698 /* go to next entry */
703 cpu_physical_memory_read(link & ~0xf, (uint8_t *)&td, sizeof(td));
704 le32_to_cpus(&td.link);
705 le32_to_cpus(&td.ctrl);
706 le32_to_cpus(&td.token);
707 le32_to_cpus(&td.buffer);
708 /* Ignore isochonous transfers while there is an async packet
709 pending. This is wrong, but we don't implement isochronous
711 if (s->async_qh == 0) {
712 old_td_ctrl = td.ctrl;
713 ret = uhci_handle_td(s, &td, &int_mask);
714 /* update the status bits of the TD */
715 if (old_td_ctrl != td.ctrl) {
716 val = cpu_to_le32(td.ctrl);
717 cpu_physical_memory_write((link & ~0xf) + 4,
718 (const uint8_t *)&val,
722 break; /* interrupted frame */
724 /* We can't handle async isochronous transfers.
725 Cancel The packet. */
726 fprintf(stderr, "usb-uhci: Unimplemented async packet\n");
727 usb_cancel_packet(&s->usb_packet);
733 s->pending_int_mask = int_mask;
735 /* A previously started transfer has disappeared from the transfer
736 list. There's nothing useful we can do with it now, so just
737 discard the packet and hope it wasn't too important. */
739 printf("Discarding USB packet\n");
741 usb_cancel_packet(&s->usb_packet);
744 /* prepare the timer for the next frame */
745 expire_time = qemu_get_clock(vm_clock) +
746 (ticks_per_sec / FRAME_TIMER_FREQ);
747 qemu_mod_timer(s->frame_timer, expire_time);
750 static void uhci_map(PCIDevice *pci_dev, int region_num,
751 uint32_t addr, uint32_t size, int type)
753 UHCIState *s = (UHCIState *)pci_dev;
755 register_ioport_write(addr, 32, 2, uhci_ioport_writew, s);
756 register_ioport_read(addr, 32, 2, uhci_ioport_readw, s);
757 register_ioport_write(addr, 32, 4, uhci_ioport_writel, s);
758 register_ioport_read(addr, 32, 4, uhci_ioport_readl, s);
759 register_ioport_write(addr, 32, 1, uhci_ioport_writeb, s);
760 register_ioport_read(addr, 32, 1, uhci_ioport_readb, s);
763 void usb_uhci_init(PCIBus *bus, int devfn)
769 s = (UHCIState *)pci_register_device(bus,
770 "USB-UHCI", sizeof(UHCIState),
772 pci_conf = s->dev.config;
773 pci_conf[0x00] = 0x86;
774 pci_conf[0x01] = 0x80;
775 pci_conf[0x02] = 0x20;
776 pci_conf[0x03] = 0x70;
777 pci_conf[0x08] = 0x01; // revision number
778 pci_conf[0x09] = 0x00;
779 pci_conf[0x0a] = 0x03;
780 pci_conf[0x0b] = 0x0c;
781 pci_conf[0x0e] = 0x00; // header_type
782 pci_conf[0x3d] = 4; // interrupt pin 3
783 pci_conf[0x60] = 0x10; // release number
785 for(i = 0; i < NB_PORTS; i++) {
786 qemu_register_usb_port(&s->ports[i].port, s, i, uhci_attach);
788 s->frame_timer = qemu_new_timer(vm_clock, uhci_frame_timer, s);
792 /* Use region 4 for consistency with real hardware. BSD guests seem
794 pci_register_io_region(&s->dev, 4, 0x20,
795 PCI_ADDRESS_SPACE_IO, uhci_map);
projects / qemu / blob