Archipelago » qemu

# SCSI layer

VL_OBJS+= scsi-disk.o cdrom.o

VL_OBJS+= usb.o usb-hub.o usb-linux.o usb-hid.o usb-ohci.o usb-msd.o

/*

 * QEMU ATAPI CD-ROM Emulator

 * 

 * Copyright (c) 2006 Fabrice Bellard

 * 

 * Permission is hereby granted, free of charge, to any person obtaining a copy

 * of this software and associated documentation files (the "Software"), to deal

 * in the Software without restriction, including without limitation the rights

 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

 * copies of the Software, and to permit persons to whom the Software is

 * furnished to do so, subject to the following conditions:

 *

 * The above copyright notice and this permission notice shall be included in

 * all copies or substantial portions of the Software.

 *

 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL

 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN

 * THE SOFTWARE.

 */

/* ??? Most of the ATAPI emulation is still in ide.c.  It should be moved

   here.  */

#include <vl.h>

static void lba_to_msf(uint8_t *buf, int lba)

{

    lba += 150;

    buf[0] = (lba / 75) / 60;

    buf[1] = (lba / 75) % 60;

    buf[2] = lba % 75;

}

/* same toc as bochs. Return -1 if error or the toc length */

/* XXX: check this */

int cdrom_read_toc(int nb_sectors, uint8_t *buf, int msf, int start_track)

{

    uint8_t *q;

    int len;

    if (start_track > 1 && start_track != 0xaa)

        return -1;

    q = buf + 2;

    *q++ = 1; /* first session */

    *q++ = 1; /* last session */

    if (start_track <= 1) {

        *q++ = 0; /* reserved */

        *q++ = 0x14; /* ADR, control */

        *q++ = 1;    /* track number */

        *q++ = 0; /* reserved */

        if (msf) {

            *q++ = 0; /* reserved */

            lba_to_msf(q, 0);

            q += 3;

        } else {

            /* sector 0 */

            cpu_to_be32wu((uint32_t *)q, 0);

            q += 4;

        }

    }

    /* lead out track */

    *q++ = 0; /* reserved */

    *q++ = 0x16; /* ADR, control */

    *q++ = 0xaa; /* track number */

    *q++ = 0; /* reserved */

    if (msf) {

        *q++ = 0; /* reserved */

        lba_to_msf(q, nb_sectors);

        q += 3;

    } else {

        cpu_to_be32wu((uint32_t *)q, nb_sectors);

        q += 4;

    }

    len = q - buf;

    cpu_to_be16wu((uint16_t *)buf, len - 2);

    return len;

}

/* mostly same info as PearPc */

int cdrom_read_toc_raw(int nb_sectors, uint8_t *buf, int msf, int session_num)

{

    uint8_t *q;

    int len;

    q = buf + 2;

    *q++ = 1; /* first session */

    *q++ = 1; /* last session */

    *q++ = 1; /* session number */

    *q++ = 0x14; /* data track */

    *q++ = 0; /* track number */

    *q++ = 0xa0; /* lead-in */

    *q++ = 0; /* min */

    *q++ = 0; /* sec */

    *q++ = 0; /* frame */

    *q++ = 0;

    *q++ = 1; /* first track */

    *q++ = 0x00; /* disk type */

    *q++ = 0x00;

    *q++ = 1; /* session number */

    *q++ = 0x14; /* data track */

    *q++ = 0; /* track number */

    *q++ = 0xa1;

    *q++ = 0; /* min */

    *q++ = 0; /* sec */

    *q++ = 0; /* frame */

    *q++ = 0;

    *q++ = 1; /* last track */

    *q++ = 0x00;

    *q++ = 0x00;

    *q++ = 1; /* session number */

    *q++ = 0x14; /* data track */

    *q++ = 0; /* track number */

    *q++ = 0xa2; /* lead-out */

    *q++ = 0; /* min */

    *q++ = 0; /* sec */

    *q++ = 0; /* frame */

    if (msf) {

        *q++ = 0; /* reserved */

        lba_to_msf(q, nb_sectors);

        q += 3;

    } else {

        cpu_to_be32wu((uint32_t *)q, nb_sectors);

        q += 4;

    }

    *q++ = 1; /* session number */

    *q++ = 0x14; /* ADR, control */

    *q++ = 0;    /* track number */

    *q++ = 1;    /* point */

    *q++ = 0; /* min */

    *q++ = 0; /* sec */

    *q++ = 0; /* frame */

    if (msf) {

        *q++ = 0; 

        lba_to_msf(q, 0);

        q += 3;

    } else {

        *q++ = 0; 

        *q++ = 0; 

        *q++ = 0; 

        *q++ = 0; 

    }

    len = q - buf;

    cpu_to_be16wu((uint16_t *)buf, len - 2);

    return len;

}

#define TI_BUFSZ 32

#define DMA_WRITE_MEM 0x100

    SCSIDevice *scsi_dev[MAX_DISKS];

    SCSIDevice *current_dev;

    int32_t datalen;

	DPRINTF("DMA Direction: %c, addr 0x%8.8x\n",

                s->espdmaregs[0] & DMA_WRITE_MEM ? 'w': 'r', dmaptr);

    if (target >= 4 || !s->scsi_dev[target]) {

        // No such drive

    s->current_dev = s->scsi_dev[target];

    datalen = scsi_send_command(s->current_dev, 0, &buf[1]);

    if (datalen == 0) {

        s->ti_size = 0;

    } else {

        s->rregs[4] = STAT_IN | STAT_TC;

        if (datalen > 0) {

            s->rregs[4] |= STAT_DI;

            s->ti_size = datalen;

        } else {

            s->rregs[4] |= STAT_DO;

            s->ti_size = -datalen;

	DPRINTF("DMA Direction: %c\n",

                s->espdmaregs[0] & DMA_WRITE_MEM ? 'w': 'r');

static void esp_command_complete(void *opaque, uint32_t tag, int fail)

{

    ESPState *s = (ESPState *)opaque;

    DPRINTF("SCSI Command complete\n");

    if (s->ti_size != 0)

        DPRINTF("SCSI command completed unexpectedly\n");

    s->ti_size = 0;

    /* ??? Report failures.  */

    if (fail)

        DPRINTF("Command failed\n");

    s->rregs[4] = STAT_IN | STAT_TC | STAT_ST;

}

    int to_device;

    uint8_t buf[TARGET_PAGE_SIZE];

        /* Check if the transfer writes to to reads from the device.  */

        to_device = (s->espdmaregs[0] & DMA_WRITE_MEM) == 0;

	DPRINTF("DMA Direction: %c, addr 0x%8.8x %08x\n",

                to_device ? 'r': 'w', dmaptr, s->ti_size);

            s->ti_size -= len;

            if (to_device) {

                cpu_physical_memory_read(dmaptr, buf, len);

                scsi_write_data(s->current_dev, buf, len);

            } else {

                scsi_read_data(s->current_dev, buf, len);

                cpu_physical_memory_write(dmaptr, buf, len);

            }

        if (s->ti_size) {

	    s->rregs[4] = STAT_IN | STAT_TC | (to_device ? STAT_DO : STAT_DI);

            if ((s->rregs[4] & 6) == 0) {

                /* Data in/out.  */

                scsi_read_data(s->current_dev, &s->rregs[2], 0);

            } else {

                s->rregs[2] = s->ti_buf[s->ti_rptr++];

            }

        if ((s->rregs[4] & 6) == 0) {

            uint8_t buf;

            buf = val & 0xff;

            s->ti_size--;

            scsi_write_data(s->current_dev, &buf, 0);

        } else {

            s->ti_size++;

            s->ti_buf[s->ti_wptr++] = val & 0xff;

        }

    int i;

    for (i = 0; i < MAX_DISKS; i++) {

        if (bs_table[i]) {

            s->scsi_dev[i] =

                scsi_disk_init(bs_table[i], esp_command_complete, s);

        }

    }

                len = cdrom_read_toc(s->nb_sectors >> 2, buf, msf, start_track);

                len = cdrom_read_toc_raw(s->nb_sectors >> 2, buf, msf, start_track);

/*

 * SCSI Device emulation

 *

 * Copyright (c) 2006 CodeSourcery.

 * Based on code by Fabrice Bellard

 *

 * Written by Paul Brook

 *

 * This code is licenced under the LGPL.

 */

//#define DEBUG_SCSI

#ifdef DEBUG_SCSI

#define DPRINTF(fmt, args...) \

do { printf("scsi-disk: " fmt , ##args); } while (0)

#else

#define DPRINTF(fmt, args...) do {} while(0)

#endif

#define BADF(fmt, args...) \

do { fprintf(stderr, "scsi-disk: " fmt , ##args); } while (0)

#include "vl.h"

#define SENSE_NO_SENSE        0

#define SENSE_ILLEGAL_REQUEST 5

struct SCSIDevice

{

    int command;

    uint32_t tag;

    BlockDriverState *bdrv;

    int sector_size;

    /* When transfering data buf_pos and buf_len contain a partially

       transferred block of data (or response to a command), and

       sector/sector_count identify any remaining sectors.  */

    /* ??? We should probably keep track of whether the data trasfer is

       a read or a write.  Currently we rely on the host getting it right.  */

    int sector;

    int sector_count;

    int buf_pos;

    int buf_len;

    int sense;

    char buf[2048];

    scsi_completionfn completion;

    void *opaque;

};

static void scsi_command_complete(SCSIDevice *s, int sense)

{

    s->sense = sense;

    s->completion(s->opaque, s->tag, sense != SENSE_NO_SENSE);

}

/* Read data from a scsi device.  Returns nonzero on failure.  */

int scsi_read_data(SCSIDevice *s, uint8_t *data, uint32_t len)

{

    uint32_t n;

    DPRINTF("Read %d (%d/%d)\n", len, s->buf_len, s->sector_count);

    if (s->buf_len == 0 && s->sector_count == 0)

        return 1;

    if (s->buf_len) {

        n = s->buf_len;

        if (n > len)

            n = len;

        memcpy(data, s->buf + s->buf_pos, n);

        s->buf_pos += n;

        s->buf_len -= n;

        data += n;

        len -= n;

        if (s->buf_len == 0)

            s->buf_pos = 0;

    }

    n = len / s->sector_size;

    if (n > s->sector_count)

      n = s->sector_count;

    if (n != 0) {

        bdrv_read(s->bdrv, s->sector, data, n);

        data += n * s->sector_size;

        len -= n * s->sector_size;

        s->sector += n;

        s->sector_count -= n;

    }

    if (len && s->sector_count) {

        bdrv_read(s->bdrv, s->sector, s->buf, 1);

        s->sector++;

        s->sector_count--;

        s->buf_pos = 0;

        s->buf_len = s->sector_size;

        /* Recurse to complete the partial read.  */

        return scsi_read_data(s, data, len);

    }

    if (len != 0)

        return 1;

    if (s->buf_len == 0 && s->sector_count == 0)

        scsi_command_complete(s, SENSE_NO_SENSE);

    return 0;

}

/* Read data to a scsi device.  Returns nonzero on failure.  */

int scsi_write_data(SCSIDevice *s, uint8_t *data, uint32_t len)

{

    uint32_t n;

    DPRINTF("Write %d (%d/%d)\n", len, s->buf_len, s->sector_count);

    if (s->buf_pos != 0) {

        BADF("Bad state on write\n");

        return 1;

    }

    if (s->sector_count == 0)

        return 1;

    if (s->buf_len != 0 || len < s->sector_size) {

        n = s->sector_size - s->buf_len;

        if (n > len)

            n = len;

        memcpy(s->buf + s->buf_len, data, n);

        data += n;

        s->buf_len += n;

        len -= n;

        if (s->buf_len == s->sector_size) {

            /* A full sector has been accumulated. Write it to disk.  */

            bdrv_write(s->bdrv, s->sector, s->buf, 1);

            s->buf_len = 0;

            s->sector++;

            s->sector_count--;

        }

    }

    n = len / s->sector_size;

    if (n > s->sector_count)

        n = s->sector_count;

    if (n != 0) {

        bdrv_write(s->bdrv, s->sector, data, n);

        data += n * s->sector_size;

        len -= n * s->sector_size;

        s->sector += n;

        s->sector_count -= n;

    }

    if (len >= s->sector_size)

        return 1;

    if (len && s->sector_count) {

        /* Recurse to complete the partial write.  */

        return scsi_write_data(s, data, len);

    }

    if (len != 0)

        return 1;

    if (s->sector_count == 0)

        scsi_command_complete(s, SENSE_NO_SENSE);

    return 0;

}

/* Execute a scsi command.  Returns the length of the data expected by the

   command.  This will be Positive for data transfers from the device

   (eg. disk reads), negative for transfers to the device (eg. disk writes),

   and zero if the command does not transfer any data.  */

int32_t scsi_send_command(SCSIDevice *s, uint32_t tag, uint8_t *buf)

{

    int64_t nb_sectors;

    uint32_t lba;

    uint32_t len;

    int cmdlen;

    int is_write;

    s->command = buf[0];

    s->tag = tag;

    s->sector_count = 0;

    s->buf_pos = 0;

    s->buf_len = 0;

    is_write = 0;

    DPRINTF("Command: 0x%02x", buf[0]);

    switch (s->command >> 5) {

    case 0:

        lba = buf[3] | (buf[2] << 8) | ((buf[1] & 0x1f) << 16);

        len = buf[4];

        cmdlen = 6;

        break;

    case 1:

    case 2:

        lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);

        len = buf[8] | (buf[7] << 8);

        cmdlen = 10;

        break;

    case 4:

        lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);

        len = buf[13] | (buf[12] << 8) | (buf[11] << 16) | (buf[10] << 24);

        cmdlen = 16;

        break;

    case 5:

        lba = buf[5] | (buf[4] << 8) | (buf[3] << 16) | (buf[2] << 24);

        len = buf[9] | (buf[8] << 8) | (buf[7] << 16) | (buf[6] << 24);

        cmdlen = 12;

        break;

    default:

        BADF("Unsupported command length\n");

        goto fail;

    }

#ifdef DEBUG_SCSI

    {

        int i;

        for (i = 1; i < cmdlen; i++) {

            printf(" 0x%02x", buf[i]);

        }

        printf("\n");

    }

#endif

    if (buf[1] >> 5) {

        /* Only LUN 0 supported.  */

        goto fail;

    }

    switch (s->command) {

    case 0x0:

	DPRINTF("Test Unit Ready\n");

	break;

    case 0x03:

        DPRINTF("Request Sense (len %d)\n", len);

        if (len < 4)

            goto fail;

        memset(buf, 0, 4);

        s->buf[0] = 0xf0;

        s->buf[1] = 0;

        s->buf[2] = s->sense;

        s->buf_len = 4;

        break;

    case 0x12:

	DPRINTF("Inquiry (len %d)\n", len);

        if (len < 36) {

            BADF("Inquiry buffer too small (%d)\n", len);

        }

	memset(s->buf, 0, 36);

	if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {

	    s->buf[0] = 5;

            s->buf[1] = 0x80;

	    memcpy(&s->buf[16], "QEMU CDROM     ", 16);

	} else {

	    s->buf[0] = 0;

	    memcpy(&s->buf[16], "QEMU HARDDISK  ", 16);

	}

	memcpy(&s->buf[8], "QEMU   ", 8);

	s->buf[2] = 3; /* SCSI-3 */

	s->buf[3] = 2; /* Format 2 */

	s->buf[4] = 32;

	s->buf_len = 36;

	break;

    case 0x16:

        DPRINTF("Reserve(6)\n");

        if (buf[1] & 1)

            goto fail;

        break;

    case 0x17:

        DPRINTF("Release(6)\n");

        if (buf[1] & 1)

            goto fail;

        break;

    case 0x1a:

	DPRINTF("Mode Sense(6) (page %d, len %d)\n", buf[2], len);

        memset(s->buf, 0, 4);

        s->buf[0] = 0x16; /* Mode data length (4 + 0x12).  */

        s->buf[1] = 0; /* Default media type.  */

        s->buf[2] = 0; /* Write enabled.  */

        s->buf[3] = 0; /* Block descriptor length.  */

        /* Caching page.  */

        s->buf[4 + 0] = 8;

        s->buf[4 + 1] = 0x12;

        s->buf[4 + 2] = 4; /* WCE */

        if (len > 0x16)

            len = 0x16;

        s->buf_len = len;

	break;

    case 0x25:

	DPRINTF("Read Capacity\n");

        /* The normal LEN field for this command is zero.  */

	memset(s->buf, 0, 8);

	bdrv_get_geometry(s->bdrv, &nb_sectors);

	s->buf[0] = (nb_sectors >> 24) & 0xff;

	s->buf[1] = (nb_sectors >> 16) & 0xff;

	s->buf[2] = (nb_sectors >> 8) & 0xff;

	s->buf[3] = nb_sectors & 0xff;

	s->buf[4] = 0;

	s->buf[5] = 0;

        s->buf[6] = s->sector_size >> 8;

	s->buf[7] = s->sector_size & 0xff;

	s->buf_len = 8;

	break;

    case 0x08:

    case 0x28:

        DPRINTF("Read (sector %d, count %d)\n", lba, len);

        s->sector = lba;

        s->sector_count = len;

        break;

    case 0x0a:

    case 0x2a:

        DPRINTF("Write (sector %d, count %d)\n", lba, len);

        s->sector = lba;

        s->sector_count = len;

        is_write = 1;

        break;

    case 0x43:

        {

            int start_track, format, msf;

            msf = buf[1] & 2;

            format = buf[2] & 0xf;

            start_track = buf[6];

            bdrv_get_geometry(s->bdrv, &nb_sectors);

            DPRINTF("Read TOC (track %d format %d msf %d)\n", start_track, format, msf >> 1);

            switch(format) {

            case 0:

                len = cdrom_read_toc(nb_sectors, s->buf, msf, start_track);

                if (len < 0)

                    goto error_cmd;

                s->buf_len = len;

                break;

            case 1:

                /* multi session : only a single session defined */

                memset(s->buf, 0, 12);

                s->buf[1] = 0x0a;

                s->buf[2] = 0x01;

                s->buf[3] = 0x01;

                s->buf_len = 12;

                break;

            case 2:

                len = cdrom_read_toc_raw(nb_sectors, s->buf, msf, start_track);

                if (len < 0)

                    goto error_cmd;

                s->buf_len = len;

                break;

            default:

            error_cmd:

                DPRINTF("Read TOC error\n");

                goto fail;

            }

            break;

        }

    case 0x56:

        DPRINTF("Reserve(10)\n");

        if (buf[1] & 3)

            goto fail;

        break;

    case 0x57:

        DPRINTF("Release(10)\n");

        if (buf[1] & 3)

            goto fail;

        break;

    case 0xa0:

        DPRINTF("Report LUNs (len %d)\n", len);

        if (len < 16)

            goto fail;

        memset(s->buf, 0, 16);

        s->buf[3] = 8;

        s->buf_len = 16;

        break;

    default:

	DPRINTF("Unknown SCSI command (%2.2x)\n", buf[0]);

    fail:

        scsi_command_complete(s, SENSE_ILLEGAL_REQUEST);

	return 0;

    }

    if (s->sector_count == 0 && s->buf_len == 0) {

        scsi_command_complete(s, SENSE_NO_SENSE);

    }

    len = s->sector_count * s->sector_size + s->buf_len;

    return is_write ? -len : len;

}

void scsi_disk_destroy(SCSIDevice *s)

{

    bdrv_close(s->bdrv);

    qemu_free(s);

}

SCSIDevice *scsi_disk_init(BlockDriverState *bdrv,

                           scsi_completionfn completion,

                           void *opaque)

{

    SCSIDevice *s;

    s = (SCSIDevice *)qemu_mallocz(sizeof(SCSIDevice));

    s->bdrv = bdrv;

    s->completion = completion;

    s->opaque = opaque;

    if (bdrv_get_type_hint(s->bdrv) == BDRV_TYPE_CDROM) {

        s->sector_size = 2048;

    } else {

        s->sector_size = 512;

    }

    return s;

}

static void usb_mouse_handle_reset(USBDevice *dev, int destroy)

    if (destroy) {

        qemu_add_mouse_event_handler(NULL, NULL, 0);

        qemu_free(s);

        return;

    }

static void usb_hub_handle_reset(USBDevice *dev, int destroy)

    if (destroy)

        qemu_free(dev);

/* 

 * USB Mass Storage Device emulation

 *

 * Copyright (c) 2006 CodeSourcery.

 * Written by Paul Brook

 *

 * This code is licenced under the LGPL.

 */

#include "vl.h"

//#define DEBUG_MSD

#ifdef DEBUG_MSD

#define DPRINTF(fmt, args...) \

do { printf("usb-msd: " fmt , ##args); } while (0)

#else

#define DPRINTF(fmt, args...) do {} while(0)

#endif

/* USB requests.  */

#define MassStorageReset  0xff

#define GetMaxLun         0xfe

enum USBMSDMode {

    USB_MSDM_CBW, /* Command Block.  */

    USB_MSDM_DATAOUT, /* Tranfer data to device.  */

    USB_MSDM_DATAIN, /* Transfer data from device.  */

    USB_MSDM_CSW /* Command Status.  */

};

typedef struct {

    USBDevice dev;

    enum USBMSDMode mode;

    uint32_t data_len;

    uint32_t tag;

    SCSIDevice *scsi_dev;

    int result;

} MSDState;

static const uint8_t qemu_msd_dev_descriptor[] = {

	0x12,       /*  u8 bLength; */

	0x01,       /*  u8 bDescriptorType; Device */

	0x10, 0x00, /*  u16 bcdUSB; v1.0 */

	0x00,	    /*  u8  bDeviceClass; */

	0x00,	    /*  u8  bDeviceSubClass; */

	0x00,       /*  u8  bDeviceProtocol; [ low/full speeds only ] */

	0x08,       /*  u8  bMaxPacketSize0; 8 Bytes */

        /* Vendor and product id are arbitrary.  */

	0x00, 0x00, /*  u16 idVendor; */

 	0x00, 0x00, /*  u16 idProduct; */

	0x00, 0x00, /*  u16 bcdDevice */

	0x01,       /*  u8  iManufacturer; */

	0x02,       /*  u8  iProduct; */

	0x03,       /*  u8  iSerialNumber; */

	0x01        /*  u8  bNumConfigurations; */

};

static const uint8_t qemu_msd_config_descriptor[] = {

	/* one configuration */

	0x09,       /*  u8  bLength; */

	0x02,       /*  u8  bDescriptorType; Configuration */

	0x20, 0x00, /*  u16 wTotalLength; */

	0x01,       /*  u8  bNumInterfaces; (1) */

	0x01,       /*  u8  bConfigurationValue; */

	0x00,       /*  u8  iConfiguration; */

	0xc0,       /*  u8  bmAttributes; 

				 Bit 7: must be set,

				     6: Self-powered,

				     5: Remote wakeup,

				     4..0: resvd */

	0x00,       /*  u8  MaxPower; */

	/* one interface */

	0x09,       /*  u8  if_bLength; */

	0x04,       /*  u8  if_bDescriptorType; Interface */

	0x00,       /*  u8  if_bInterfaceNumber; */

	0x00,       /*  u8  if_bAlternateSetting; */

	0x02,       /*  u8  if_bNumEndpoints; */

	0x08,       /*  u8  if_bInterfaceClass; MASS STORAGE */

	0x06,       /*  u8  if_bInterfaceSubClass; SCSI */

	0x50,       /*  u8  if_bInterfaceProtocol; Bulk Only */

	0x00,       /*  u8  if_iInterface; */

	/* Bulk-In endpoint */

	0x07,       /*  u8  ep_bLength; */

	0x05,       /*  u8  ep_bDescriptorType; Endpoint */

	0x81,       /*  u8  ep_bEndpointAddress; IN Endpoint 1 */

 	0x02,       /*  u8  ep_bmAttributes; Bulk */

 	0x40, 0x00, /*  u16 ep_wMaxPacketSize; */

	0x00,       /*  u8  ep_bInterval; */

	/* Bulk-Out endpoint */

	0x07,       /*  u8  ep_bLength; */

	0x05,       /*  u8  ep_bDescriptorType; Endpoint */

	0x02,       /*  u8  ep_bEndpointAddress; OUT Endpoint 2 */

 	0x02,       /*  u8  ep_bmAttributes; Bulk */

 	0x40, 0x00, /*  u16 ep_wMaxPacketSize; */

	0x00        /*  u8  ep_bInterval; */

};

static void usb_msd_command_complete(void *opaque, uint32_t tag, int fail)

{

    MSDState *s = (MSDState *)opaque;

    DPRINTF("Command complete\n");

    s->result = fail;

    s->mode = USB_MSDM_CSW;

}

static void usb_msd_handle_reset(USBDevice *dev, int destroy)

{

    MSDState *s = (MSDState *)dev;

    DPRINTF("Reset\n");

    s->mode = USB_MSDM_CBW;

    if (destroy) {

        scsi_disk_destroy(s->scsi_dev);

        qemu_free(s);

    }

}

static int usb_msd_handle_control(USBDevice *dev, int request, int value,

                                  int index, int length, uint8_t *data)

{

    MSDState *s = (MSDState *)dev;

    int ret = 0;

    switch (request) {

    case DeviceRequest | USB_REQ_GET_STATUS:

        data[0] = (1 << USB_DEVICE_SELF_POWERED) |