2 * USB UHCI controller emulation
4 * Copyright (c) 2005 Fabrice Bellard
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to deal
8 * in the Software without restriction, including without limitation the rights
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 * copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
27 //#define DEBUG_PACKET
29 #define UHCI_CMD_FGR (1 << 4)
30 #define UHCI_CMD_EGSM (1 << 3)
31 #define UHCI_CMD_GRESET (1 << 2)
32 #define UHCI_CMD_HCRESET (1 << 1)
33 #define UHCI_CMD_RS (1 << 0)
35 #define UHCI_STS_HCHALTED (1 << 5)
36 #define UHCI_STS_HCPERR (1 << 4)
37 #define UHCI_STS_HSERR (1 << 3)
38 #define UHCI_STS_RD (1 << 2)
39 #define UHCI_STS_USBERR (1 << 1)
40 #define UHCI_STS_USBINT (1 << 0)
42 #define TD_CTRL_SPD (1 << 29)
43 #define TD_CTRL_ERROR_SHIFT 27
44 #define TD_CTRL_IOS (1 << 25)
45 #define TD_CTRL_IOC (1 << 24)
46 #define TD_CTRL_ACTIVE (1 << 23)
47 #define TD_CTRL_STALL (1 << 22)
48 #define TD_CTRL_BABBLE (1 << 20)
49 #define TD_CTRL_NAK (1 << 19)
50 #define TD_CTRL_TIMEOUT (1 << 18)
52 #define UHCI_PORT_RESET (1 << 9)
53 #define UHCI_PORT_LSDA (1 << 8)
54 #define UHCI_PORT_ENC (1 << 3)
55 #define UHCI_PORT_EN (1 << 2)
56 #define UHCI_PORT_CSC (1 << 1)
57 #define UHCI_PORT_CCS (1 << 0)
59 #define FRAME_TIMER_FREQ 1000
61 #define FRAME_MAX_LOOPS 100
65 typedef struct UHCIPort {
70 typedef struct UHCIState {
72 uint16_t cmd; /* cmd register */
74 uint16_t intr; /* interrupt enable register */
75 uint16_t frnum; /* frame number */
76 uint32_t fl_base_addr; /* frame list base address */
78 uint8_t status2; /* bit 0 and 1 are used to generate UHCI_STS_USBINT */
79 QEMUTimer *frame_timer;
80 UHCIPort ports[NB_PORTS];
82 /* Interrupts that should be raised at the end of the current frame. */
83 uint32_t pending_int_mask;
84 /* For simplicity of implementation we only allow a single pending USB
85 request. This means all usb traffic on this controller is effectively
86 suspended until that transfer completes. When the transfer completes
87 the next transfer from that queue will be processed. However
88 other queues will not be processed until the next frame. The solution
89 is to allow multiple pending requests. */
92 uint8_t usb_buf[2048];
95 typedef struct UHCI_TD {
97 uint32_t ctrl; /* see TD_CTRL_xxx */
102 typedef struct UHCI_QH {
107 static void uhci_attach(USBPort *port1, USBDevice *dev);
109 static void uhci_update_irq(UHCIState *s)
112 if (((s->status2 & 1) && (s->intr & (1 << 2))) ||
113 ((s->status2 & 2) && (s->intr & (1 << 3))) ||
114 ((s->status & UHCI_STS_USBERR) && (s->intr & (1 << 0))) ||
115 ((s->status & UHCI_STS_RD) && (s->intr & (1 << 1))) ||
116 (s->status & UHCI_STS_HSERR) ||
117 (s->status & UHCI_STS_HCPERR)) {
122 qemu_set_irq(s->dev.irq[3], level);
125 static void uhci_reset(UHCIState *s)
131 pci_conf = s->dev.config;
133 pci_conf[0x6a] = 0x01; /* usb clock */
134 pci_conf[0x6b] = 0x00;
141 for(i = 0; i < NB_PORTS; i++) {
145 uhci_attach(&port->port, port->port.dev);
149 static void uhci_ioport_writeb(void *opaque, uint32_t addr, uint32_t val)
151 UHCIState *s = opaque;
161 static uint32_t uhci_ioport_readb(void *opaque, uint32_t addr)
163 UHCIState *s = opaque;
178 static void uhci_ioport_writew(void *opaque, uint32_t addr, uint32_t val)
180 UHCIState *s = opaque;
184 printf("uhci writew port=0x%04x val=0x%04x\n", addr, val);
188 if ((val & UHCI_CMD_RS) && !(s->cmd & UHCI_CMD_RS)) {
189 /* start frame processing */
190 qemu_mod_timer(s->frame_timer, qemu_get_clock(vm_clock));
191 s->status &= ~UHCI_STS_HCHALTED;
192 } else if (!(val & UHCI_CMD_RS)) {
193 s->status |= UHCI_STS_HCHALTED;
195 if (val & UHCI_CMD_GRESET) {
200 /* send reset on the USB bus */
201 for(i = 0; i < NB_PORTS; i++) {
203 dev = port->port.dev;
205 usb_send_msg(dev, USB_MSG_RESET);
211 if (val & UHCI_CMD_HCRESET) {
219 /* XXX: the chip spec is not coherent, so we add a hidden
220 register to distinguish between IOC and SPD */
221 if (val & UHCI_STS_USBINT)
230 if (s->status & UHCI_STS_HCHALTED)
231 s->frnum = val & 0x7ff;
243 dev = port->port.dev;
246 if ( (val & UHCI_PORT_RESET) &&
247 !(port->ctrl & UHCI_PORT_RESET) ) {
248 usb_send_msg(dev, USB_MSG_RESET);
251 port->ctrl = (port->ctrl & 0x01fb) | (val & ~0x01fb);
252 /* some bits are reset when a '1' is written to them */
253 port->ctrl &= ~(val & 0x000a);
259 static uint32_t uhci_ioport_readw(void *opaque, uint32_t addr)
261 UHCIState *s = opaque;
291 val = 0xff7f; /* disabled port */
295 printf("uhci readw port=0x%04x val=0x%04x\n", addr, val);
300 static void uhci_ioport_writel(void *opaque, uint32_t addr, uint32_t val)
302 UHCIState *s = opaque;
306 printf("uhci writel port=0x%04x val=0x%08x\n", addr, val);
310 s->fl_base_addr = val & ~0xfff;
315 static uint32_t uhci_ioport_readl(void *opaque, uint32_t addr)
317 UHCIState *s = opaque;
323 val = s->fl_base_addr;
332 /* signal resume if controller suspended */
333 static void uhci_resume (void *opaque)
335 UHCIState *s = (UHCIState *)opaque;
340 if (s->cmd & UHCI_CMD_EGSM) {
341 s->cmd |= UHCI_CMD_FGR;
342 s->status |= UHCI_STS_RD;
347 static void uhci_attach(USBPort *port1, USBDevice *dev)
349 UHCIState *s = port1->opaque;
350 UHCIPort *port = &s->ports[port1->index];
353 if (port->port.dev) {
354 usb_attach(port1, NULL);
356 /* set connect status */
357 port->ctrl |= UHCI_PORT_CCS | UHCI_PORT_CSC;
360 if (dev->speed == USB_SPEED_LOW)
361 port->ctrl |= UHCI_PORT_LSDA;
363 port->ctrl &= ~UHCI_PORT_LSDA;
367 port->port.dev = dev;
368 /* send the attach message */
369 usb_send_msg(dev, USB_MSG_ATTACH);
371 /* set connect status */
372 if (port->ctrl & UHCI_PORT_CCS) {
373 port->ctrl &= ~UHCI_PORT_CCS;
374 port->ctrl |= UHCI_PORT_CSC;
377 if (port->ctrl & UHCI_PORT_EN) {
378 port->ctrl &= ~UHCI_PORT_EN;
379 port->ctrl |= UHCI_PORT_ENC;
384 dev = port->port.dev;
386 /* send the detach message */
387 usb_send_msg(dev, USB_MSG_DETACH);
389 port->port.dev = NULL;
393 static int uhci_broadcast_packet(UHCIState *s, USBPacket *p)
403 case USB_TOKEN_SETUP: pidstr = "SETUP"; break;
404 case USB_TOKEN_IN: pidstr = "IN"; break;
405 case USB_TOKEN_OUT: pidstr = "OUT"; break;
406 default: pidstr = "?"; break;
408 printf("frame %d: pid=%s addr=0x%02x ep=%d len=%d\n",
409 s->frnum, pidstr, p->devaddr, p->devep, p->len);
410 if (p->pid != USB_TOKEN_IN) {
411 printf(" data_out=");
412 for(i = 0; i < p->len; i++) {
413 printf(" %02x", p->data[i]);
419 for(i = 0; i < NB_PORTS; i++) {
421 dev = port->port.dev;
422 if (dev && (port->ctrl & UHCI_PORT_EN)) {
423 ret = dev->handle_packet(dev, p);
424 if (ret != USB_RET_NODEV) {
426 if (ret == USB_RET_ASYNC) {
427 printf("usb-uhci: Async packet\n");
429 printf(" ret=%d ", ret);
430 if (p->pid == USB_TOKEN_IN && ret > 0) {
432 for(i = 0; i < ret; i++) {
433 printf(" %02x", p->data[i]);
443 return USB_RET_NODEV;
446 static void uhci_async_complete_packet(USBPacket * packet, void *opaque);
448 /* return -1 if fatal error (frame must be stopped)
450 1 if TD unsuccessful or inactive
452 static int uhci_handle_td(UHCIState *s, UHCI_TD *td, int *int_mask)
455 int len, max_len, err, ret;
457 /* ??? This is wrong for async completion. */
458 if (td->ctrl & TD_CTRL_IOC) {
462 if (!(td->ctrl & TD_CTRL_ACTIVE))
466 max_len = ((td->token >> 21) + 1) & 0x7ff;
467 pid = td->token & 0xff;
469 ret = s->usb_packet.len;
474 ret = USB_RET_BABBLE;
477 /* write the data back */
478 cpu_physical_memory_write(td->buffer, s->usb_buf, len);
485 s->usb_packet.pid = pid;
486 s->usb_packet.devaddr = (td->token >> 8) & 0x7f;
487 s->usb_packet.devep = (td->token >> 15) & 0xf;
488 s->usb_packet.data = s->usb_buf;
489 s->usb_packet.len = max_len;
490 s->usb_packet.complete_cb = uhci_async_complete_packet;
491 s->usb_packet.complete_opaque = s;
494 case USB_TOKEN_SETUP:
495 cpu_physical_memory_read(td->buffer, s->usb_buf, max_len);
496 ret = uhci_broadcast_packet(s, &s->usb_packet);
500 ret = uhci_broadcast_packet(s, &s->usb_packet);
505 ret = USB_RET_BABBLE;
508 /* write the data back */
509 cpu_physical_memory_write(td->buffer, s->usb_buf, len);
516 /* invalid pid : frame interrupted */
517 s->status |= UHCI_STS_HCPERR;
522 if (ret == USB_RET_ASYNC) {
525 if (td->ctrl & TD_CTRL_IOS)
526 td->ctrl &= ~TD_CTRL_ACTIVE;
528 td->ctrl = (td->ctrl & ~0x7ff) | ((len - 1) & 0x7ff);
529 /* The NAK bit may have been set by a previous frame, so clear it
530 here. The docs are somewhat unclear, but win2k relies on this
532 td->ctrl &= ~(TD_CTRL_ACTIVE | TD_CTRL_NAK);
533 if (pid == USB_TOKEN_IN &&
534 (td->ctrl & TD_CTRL_SPD) &&
537 /* short packet: do not update QH */
548 td->ctrl |= TD_CTRL_TIMEOUT;
549 err = (td->ctrl >> TD_CTRL_ERROR_SHIFT) & 3;
553 td->ctrl &= ~TD_CTRL_ACTIVE;
554 s->status |= UHCI_STS_USBERR;
558 td->ctrl = (td->ctrl & ~(3 << TD_CTRL_ERROR_SHIFT)) |
559 (err << TD_CTRL_ERROR_SHIFT);
562 td->ctrl |= TD_CTRL_NAK;
563 if (pid == USB_TOKEN_SETUP)
567 td->ctrl |= TD_CTRL_STALL;
568 td->ctrl &= ~TD_CTRL_ACTIVE;
571 td->ctrl |= TD_CTRL_BABBLE | TD_CTRL_STALL;
572 td->ctrl &= ~TD_CTRL_ACTIVE;
573 /* frame interrupted */
579 static void uhci_async_complete_packet(USBPacket * packet, void *opaque)
581 UHCIState *s = opaque;
585 uint32_t old_td_ctrl;
591 /* This should never happen. It means a TD somehow got removed
592 without cancelling the associated async IO request. */
595 cpu_physical_memory_read(link & ~0xf, (uint8_t *)&qh, sizeof(qh));
596 le32_to_cpus(&qh.link);
597 le32_to_cpus(&qh.el_link);
598 /* Re-process the queue containing the async packet. */
600 cpu_physical_memory_read(qh.el_link & ~0xf,
601 (uint8_t *)&td, sizeof(td));
602 le32_to_cpus(&td.link);
603 le32_to_cpus(&td.ctrl);
604 le32_to_cpus(&td.token);
605 le32_to_cpus(&td.buffer);
606 old_td_ctrl = td.ctrl;
607 ret = uhci_handle_td(s, &td, &s->pending_int_mask);
608 /* update the status bits of the TD */
609 if (old_td_ctrl != td.ctrl) {
610 val = cpu_to_le32(td.ctrl);
611 cpu_physical_memory_write((qh.el_link & ~0xf) + 4,
612 (const uint8_t *)&val,
616 break; /* interrupted frame */
620 } else if (ret == 0) {
621 /* update qh element link */
622 qh.el_link = td.link;
623 val = cpu_to_le32(qh.el_link);
624 cpu_physical_memory_write((link & ~0xf) + 4,
625 (const uint8_t *)&val,
627 if (!(qh.el_link & 4))
634 static void uhci_frame_timer(void *opaque)
636 UHCIState *s = opaque;
638 uint32_t frame_addr, link, old_td_ctrl, val;
639 int int_mask, cnt, ret;
642 uint32_t old_async_qh;
644 if (!(s->cmd & UHCI_CMD_RS)) {
645 qemu_del_timer(s->frame_timer);
646 /* set hchalted bit in status - UHCI11D 2.1.2 */
647 s->status |= UHCI_STS_HCHALTED;
650 /* Complete the previous frame. */
651 s->frnum = (s->frnum + 1) & 0x7ff;
652 if (s->pending_int_mask) {
653 s->status2 |= s->pending_int_mask;
654 s->status |= UHCI_STS_USBINT;
657 old_async_qh = s->async_qh;
658 frame_addr = s->fl_base_addr + ((s->frnum & 0x3ff) << 2);
659 cpu_physical_memory_read(frame_addr, (uint8_t *)&link, 4);
662 cnt = FRAME_MAX_LOOPS;
663 while ((link & 1) == 0) {
669 if (link == s->async_qh) {
670 /* We've found a previously issues packet.
671 Nothing else to do. */
675 cpu_physical_memory_read(link & ~0xf, (uint8_t *)&qh, sizeof(qh));
676 le32_to_cpus(&qh.link);
677 le32_to_cpus(&qh.el_link);
679 if (qh.el_link & 1) {
680 /* no element : go to next entry */
682 } else if (qh.el_link & 2) {
685 } else if (s->async_qh) {
686 /* We can only cope with one pending packet. Keep looking
687 for the previously issued packet. */
693 cpu_physical_memory_read(qh.el_link & ~0xf,
694 (uint8_t *)&td, sizeof(td));
695 le32_to_cpus(&td.link);
696 le32_to_cpus(&td.ctrl);
697 le32_to_cpus(&td.token);
698 le32_to_cpus(&td.buffer);
699 old_td_ctrl = td.ctrl;
700 ret = uhci_handle_td(s, &td, &int_mask);
701 /* update the status bits of the TD */
702 if (old_td_ctrl != td.ctrl) {
703 val = cpu_to_le32(td.ctrl);
704 cpu_physical_memory_write((qh.el_link & ~0xf) + 4,
705 (const uint8_t *)&val,
709 break; /* interrupted frame */
712 } else if (ret == 0) {
713 /* update qh element link */
714 qh.el_link = td.link;
715 val = cpu_to_le32(qh.el_link);
716 cpu_physical_memory_write((link & ~0xf) + 4,
717 (const uint8_t *)&val,
719 if (qh.el_link & 4) {
724 /* go to next entry */
729 cpu_physical_memory_read(link & ~0xf, (uint8_t *)&td, sizeof(td));
730 le32_to_cpus(&td.link);
731 le32_to_cpus(&td.ctrl);
732 le32_to_cpus(&td.token);
733 le32_to_cpus(&td.buffer);
734 /* Ignore isochonous transfers while there is an async packet
735 pending. This is wrong, but we don't implement isochronous
737 if (s->async_qh == 0) {
738 old_td_ctrl = td.ctrl;
739 ret = uhci_handle_td(s, &td, &int_mask);
740 /* update the status bits of the TD */
741 if (old_td_ctrl != td.ctrl) {
742 val = cpu_to_le32(td.ctrl);
743 cpu_physical_memory_write((link & ~0xf) + 4,
744 (const uint8_t *)&val,
748 break; /* interrupted frame */
750 /* We can't handle async isochronous transfers.
751 Cancel The packet. */
752 fprintf(stderr, "usb-uhci: Unimplemented async packet\n");
753 usb_cancel_packet(&s->usb_packet);
759 s->pending_int_mask = int_mask;
761 /* A previously started transfer has disappeared from the transfer
762 list. There's nothing useful we can do with it now, so just
763 discard the packet and hope it wasn't too important. */
765 printf("Discarding USB packet\n");
767 usb_cancel_packet(&s->usb_packet);
770 /* prepare the timer for the next frame */
771 expire_time = qemu_get_clock(vm_clock) +
772 (ticks_per_sec / FRAME_TIMER_FREQ);
773 qemu_mod_timer(s->frame_timer, expire_time);
776 static void uhci_map(PCIDevice *pci_dev, int region_num,
777 uint32_t addr, uint32_t size, int type)
779 UHCIState *s = (UHCIState *)pci_dev;
781 register_ioport_write(addr, 32, 2, uhci_ioport_writew, s);
782 register_ioport_read(addr, 32, 2, uhci_ioport_readw, s);
783 register_ioport_write(addr, 32, 4, uhci_ioport_writel, s);
784 register_ioport_read(addr, 32, 4, uhci_ioport_readl, s);
785 register_ioport_write(addr, 32, 1, uhci_ioport_writeb, s);
786 register_ioport_read(addr, 32, 1, uhci_ioport_readb, s);
789 void usb_uhci_piix3_init(PCIBus *bus, int devfn)
795 s = (UHCIState *)pci_register_device(bus,
796 "USB-UHCI", sizeof(UHCIState),
798 pci_conf = s->dev.config;
799 pci_conf[0x00] = 0x86;
800 pci_conf[0x01] = 0x80;
801 pci_conf[0x02] = 0x20;
802 pci_conf[0x03] = 0x70;
803 pci_conf[0x08] = 0x01; // revision number
804 pci_conf[0x09] = 0x00;
805 pci_conf[0x0a] = 0x03;
806 pci_conf[0x0b] = 0x0c;
807 pci_conf[0x0e] = 0x00; // header_type
808 pci_conf[0x3d] = 4; // interrupt pin 3
809 pci_conf[0x60] = 0x10; // release number
811 for(i = 0; i < NB_PORTS; i++) {
812 qemu_register_usb_port(&s->ports[i].port, s, i, uhci_attach);
814 s->frame_timer = qemu_new_timer(vm_clock, uhci_frame_timer, s);
818 /* Use region 4 for consistency with real hardware. BSD guests seem
820 pci_register_io_region(&s->dev, 4, 0x20,
821 PCI_ADDRESS_SPACE_IO, uhci_map);
824 void usb_uhci_piix4_init(PCIBus *bus, int devfn)
830 s = (UHCIState *)pci_register_device(bus,
831 "USB-UHCI", sizeof(UHCIState),
833 pci_conf = s->dev.config;
834 pci_conf[0x00] = 0x86;
835 pci_conf[0x01] = 0x80;
836 pci_conf[0x02] = 0x12;
837 pci_conf[0x03] = 0x71;
838 pci_conf[0x08] = 0x01; // revision number
839 pci_conf[0x09] = 0x00;
840 pci_conf[0x0a] = 0x03;
841 pci_conf[0x0b] = 0x0c;
842 pci_conf[0x0e] = 0x00; // header_type
843 pci_conf[0x3d] = 4; // interrupt pin 3
844 pci_conf[0x60] = 0x10; // release number
846 for(i = 0; i < NB_PORTS; i++) {
847 qemu_register_usb_port(&s->ports[i].port, s, i, uhci_attach);
849 s->frame_timer = qemu_new_timer(vm_clock, uhci_frame_timer, s);
853 /* Use region 4 for consistency with real hardware. BSD guests seem
855 pci_register_io_region(&s->dev, 4, 0x20,
856 PCI_ADDRESS_SPACE_IO, uhci_map);
projects / qemu / blob