summaryrefslogtreecommitdiff
path: root/packages/qemu/qemu-0.9.1+svn/qemu-n800-support.patch
blob: 1224fb4cbde37c8e9e2c45aede7bc2ed6023930f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
diff -urN 4242/cpu-all.h qemu-omap/cpu-all.h
--- 4242/cpu-all.h	2008-04-24 21:26:19.000000000 +0100
+++ qemu-omap/cpu-all.h	2008-04-23 09:57:55.000000000 +0100
@@ -816,7 +816,7 @@
 /* physical memory access */
 #define TLB_INVALID_MASK   (1 << 3)
 #define IO_MEM_SHIFT       4
-#define IO_MEM_NB_ENTRIES  (1 << (TARGET_PAGE_BITS  - IO_MEM_SHIFT))
+#define IO_MEM_NB_ENTRIES  (16 << (TARGET_PAGE_BITS  - IO_MEM_SHIFT))
 
 #define IO_MEM_RAM         (0 << IO_MEM_SHIFT) /* hardcoded offset */
 #define IO_MEM_ROM         (1 << IO_MEM_SHIFT) /* hardcoded offset */
diff -urN 4242/exec.c qemu-omap/exec.c
--- 4242/exec.c	2008-04-24 18:11:49.000000000 +0100
+++ qemu-omap/exec.c	2008-04-23 09:57:55.000000000 +0100
@@ -1664,7 +1664,7 @@
     {
         if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM && !(pd & IO_MEM_ROMD)) {
             /* IO memory case */
-            address = vaddr | pd;
+            address = vaddr | (pd & ~TARGET_PAGE_MASK);
             addend = paddr;
         } else {
             /* standard memory */
@@ -1698,7 +1698,9 @@
         } else {
             te->addr_read = -1;
         }
-        if (prot & PAGE_EXEC) {
+        if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM && !(pd & IO_MEM_ROMD)) {
+            te->addr_code = pd;
+        } else if (prot & PAGE_EXEC) {
             te->addr_code = address;
         } else {
             te->addr_code = -1;
@@ -2493,7 +2495,9 @@
     if (io_index <= 0) {
         if (io_mem_nb >= IO_MEM_NB_ENTRIES)
             return -1;
-        io_index = io_mem_nb++;
+        do io_index = io_mem_nb++;
+        while (((io_index << IO_MEM_SHIFT) & ~TARGET_PAGE_MASK)
+               <= IO_MEM_NOTDIRTY);
     } else {
         if (io_index >= IO_MEM_NB_ENTRIES)
             return -1;
diff -urN 4242/hw/max7310.c qemu-omap/hw/max7310.c
--- 4242/hw/max7310.c	2008-04-24 18:11:49.000000000 +0100
+++ qemu-omap/hw/max7310.c	2008-03-02 19:31:55.000000000 +0000
@@ -134,8 +134,8 @@
         s->i2c_command_byte = 1;
         break;
     case I2C_FINISH:
-        if (s->len == 1)
 #ifdef VERBOSE
+        if (s->len == 1)
             printf("%s: message too short (%i bytes)\n", __FUNCTION__, s->len);
 #endif
         break;
diff -urN 4242/hw/ndis.h qemu-omap/hw/ndis.h
--- 4242/hw/ndis.h	1970-01-01 01:00:00.000000000 +0100
+++ qemu-omap/hw/ndis.h	2008-04-23 09:57:56.000000000 +0100
@@ -0,0 +1,217 @@
+/*
+ * ndis.h 
+ * 
+ * ntddndis.h modified by Benedikt Spranger <b.spranger@pengutronix.de>
+ * 
+ * Thanks to the cygwin development team, 
+ * espacially to Casper S. Hornstrup <chorns@users.sourceforge.net>
+ * 
+ * THIS SOFTWARE IS NOT COPYRIGHTED
+ *
+ * This source code is offered for use in the public domain. You may
+ * use, modify or distribute it freely.
+ *
+ * This code is distributed in the hope that it will be useful but
+ * WITHOUT ANY WARRANTY. ALL WARRANTIES, EXPRESS OR IMPLIED ARE HEREBY
+ * DISCLAIMED. This includes but is not limited to warranties of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ */
+
+#ifndef _LINUX_NDIS_H
+#define _LINUX_NDIS_H
+
+
+#define NDIS_STATUS_MULTICAST_FULL	  0xC0010009
+#define NDIS_STATUS_MULTICAST_EXISTS      0xC001000A
+#define NDIS_STATUS_MULTICAST_NOT_FOUND   0xC001000B
+
+enum NDIS_DEVICE_POWER_STATE {
+	NdisDeviceStateUnspecified = 0,
+	NdisDeviceStateD0,
+	NdisDeviceStateD1,
+	NdisDeviceStateD2,
+	NdisDeviceStateD3,
+	NdisDeviceStateMaximum
+};
+
+struct NDIS_PM_WAKE_UP_CAPABILITIES {
+	enum NDIS_DEVICE_POWER_STATE  MinMagicPacketWakeUp;
+	enum NDIS_DEVICE_POWER_STATE  MinPatternWakeUp;
+	enum NDIS_DEVICE_POWER_STATE  MinLinkChangeWakeUp;
+};
+
+/* NDIS_PNP_CAPABILITIES.Flags constants */
+#define NDIS_DEVICE_WAKE_UP_ENABLE                0x00000001
+#define NDIS_DEVICE_WAKE_ON_PATTERN_MATCH_ENABLE  0x00000002
+#define NDIS_DEVICE_WAKE_ON_MAGIC_PACKET_ENABLE   0x00000004
+
+struct NDIS_PNP_CAPABILITIES {
+	__le32					Flags;
+	struct NDIS_PM_WAKE_UP_CAPABILITIES	WakeUpCapabilities;
+};
+
+struct NDIS_PM_PACKET_PATTERN {
+	__le32	Priority;
+	__le32	Reserved;
+	__le32	MaskSize;
+	__le32	PatternOffset;
+	__le32	PatternSize;
+	__le32	PatternFlags;
+};
+
+
+/* Required Object IDs (OIDs) */
+#define OID_GEN_SUPPORTED_LIST            0x00010101
+#define OID_GEN_HARDWARE_STATUS           0x00010102
+#define OID_GEN_MEDIA_SUPPORTED           0x00010103
+#define OID_GEN_MEDIA_IN_USE              0x00010104
+#define OID_GEN_MAXIMUM_LOOKAHEAD         0x00010105
+#define OID_GEN_MAXIMUM_FRAME_SIZE        0x00010106
+#define OID_GEN_LINK_SPEED                0x00010107
+#define OID_GEN_TRANSMIT_BUFFER_SPACE     0x00010108
+#define OID_GEN_RECEIVE_BUFFER_SPACE      0x00010109
+#define OID_GEN_TRANSMIT_BLOCK_SIZE       0x0001010A
+#define OID_GEN_RECEIVE_BLOCK_SIZE        0x0001010B
+#define OID_GEN_VENDOR_ID                 0x0001010C
+#define OID_GEN_VENDOR_DESCRIPTION        0x0001010D
+#define OID_GEN_CURRENT_PACKET_FILTER     0x0001010E
+#define OID_GEN_CURRENT_LOOKAHEAD         0x0001010F
+#define OID_GEN_DRIVER_VERSION            0x00010110
+#define OID_GEN_MAXIMUM_TOTAL_SIZE        0x00010111
+#define OID_GEN_PROTOCOL_OPTIONS          0x00010112
+#define OID_GEN_MAC_OPTIONS               0x00010113
+#define OID_GEN_MEDIA_CONNECT_STATUS      0x00010114
+#define OID_GEN_MAXIMUM_SEND_PACKETS      0x00010115
+#define OID_GEN_VENDOR_DRIVER_VERSION     0x00010116
+#define OID_GEN_SUPPORTED_GUIDS           0x00010117
+#define OID_GEN_NETWORK_LAYER_ADDRESSES   0x00010118
+#define OID_GEN_TRANSPORT_HEADER_OFFSET   0x00010119
+#define OID_GEN_MACHINE_NAME              0x0001021A
+#define OID_GEN_RNDIS_CONFIG_PARAMETER    0x0001021B
+#define OID_GEN_VLAN_ID                   0x0001021C
+
+/* Optional OIDs */
+#define OID_GEN_MEDIA_CAPABILITIES        0x00010201
+#define OID_GEN_PHYSICAL_MEDIUM           0x00010202
+
+/* Required statistics OIDs */
+#define OID_GEN_XMIT_OK                   0x00020101
+#define OID_GEN_RCV_OK                    0x00020102
+#define OID_GEN_XMIT_ERROR                0x00020103
+#define OID_GEN_RCV_ERROR                 0x00020104
+#define OID_GEN_RCV_NO_BUFFER             0x00020105
+
+/* Optional statistics OIDs */
+#define OID_GEN_DIRECTED_BYTES_XMIT       0x00020201
+#define OID_GEN_DIRECTED_FRAMES_XMIT      0x00020202
+#define OID_GEN_MULTICAST_BYTES_XMIT      0x00020203
+#define OID_GEN_MULTICAST_FRAMES_XMIT     0x00020204
+#define OID_GEN_BROADCAST_BYTES_XMIT      0x00020205
+#define OID_GEN_BROADCAST_FRAMES_XMIT     0x00020206
+#define OID_GEN_DIRECTED_BYTES_RCV        0x00020207
+#define OID_GEN_DIRECTED_FRAMES_RCV       0x00020208
+#define OID_GEN_MULTICAST_BYTES_RCV       0x00020209
+#define OID_GEN_MULTICAST_FRAMES_RCV      0x0002020A
+#define OID_GEN_BROADCAST_BYTES_RCV       0x0002020B
+#define OID_GEN_BROADCAST_FRAMES_RCV      0x0002020C
+#define OID_GEN_RCV_CRC_ERROR             0x0002020D
+#define OID_GEN_TRANSMIT_QUEUE_LENGTH     0x0002020E
+#define OID_GEN_GET_TIME_CAPS             0x0002020F
+#define OID_GEN_GET_NETCARD_TIME          0x00020210
+#define OID_GEN_NETCARD_LOAD              0x00020211
+#define OID_GEN_DEVICE_PROFILE            0x00020212
+#define OID_GEN_INIT_TIME_MS              0x00020213
+#define OID_GEN_RESET_COUNTS              0x00020214
+#define OID_GEN_MEDIA_SENSE_COUNTS        0x00020215
+#define OID_GEN_FRIENDLY_NAME             0x00020216
+#define OID_GEN_MINIPORT_INFO             0x00020217
+#define OID_GEN_RESET_VERIFY_PARAMETERS   0x00020218
+
+/* IEEE 802.3 (Ethernet) OIDs */
+#define NDIS_802_3_MAC_OPTION_PRIORITY    0x00000001
+
+#define OID_802_3_PERMANENT_ADDRESS       0x01010101
+#define OID_802_3_CURRENT_ADDRESS         0x01010102
+#define OID_802_3_MULTICAST_LIST          0x01010103
+#define OID_802_3_MAXIMUM_LIST_SIZE       0x01010104
+#define OID_802_3_MAC_OPTIONS             0x01010105
+#define OID_802_3_RCV_ERROR_ALIGNMENT     0x01020101
+#define OID_802_3_XMIT_ONE_COLLISION      0x01020102
+#define OID_802_3_XMIT_MORE_COLLISIONS    0x01020103
+#define OID_802_3_XMIT_DEFERRED           0x01020201
+#define OID_802_3_XMIT_MAX_COLLISIONS     0x01020202
+#define OID_802_3_RCV_OVERRUN             0x01020203
+#define OID_802_3_XMIT_UNDERRUN           0x01020204
+#define OID_802_3_XMIT_HEARTBEAT_FAILURE  0x01020205
+#define OID_802_3_XMIT_TIMES_CRS_LOST     0x01020206
+#define OID_802_3_XMIT_LATE_COLLISIONS    0x01020207
+
+/* OID_GEN_MINIPORT_INFO constants */
+#define NDIS_MINIPORT_BUS_MASTER                      0x00000001
+#define NDIS_MINIPORT_WDM_DRIVER                      0x00000002
+#define NDIS_MINIPORT_SG_LIST                         0x00000004
+#define NDIS_MINIPORT_SUPPORTS_MEDIA_QUERY            0x00000008
+#define NDIS_MINIPORT_INDICATES_PACKETS               0x00000010
+#define NDIS_MINIPORT_IGNORE_PACKET_QUEUE             0x00000020
+#define NDIS_MINIPORT_IGNORE_REQUEST_QUEUE            0x00000040
+#define NDIS_MINIPORT_IGNORE_TOKEN_RING_ERRORS        0x00000080
+#define NDIS_MINIPORT_INTERMEDIATE_DRIVER             0x00000100
+#define NDIS_MINIPORT_IS_NDIS_5                       0x00000200
+#define NDIS_MINIPORT_IS_CO                           0x00000400
+#define NDIS_MINIPORT_DESERIALIZE                     0x00000800
+#define NDIS_MINIPORT_REQUIRES_MEDIA_POLLING          0x00001000
+#define NDIS_MINIPORT_SUPPORTS_MEDIA_SENSE            0x00002000
+#define NDIS_MINIPORT_NETBOOT_CARD                    0x00004000
+#define NDIS_MINIPORT_PM_SUPPORTED                    0x00008000
+#define NDIS_MINIPORT_SUPPORTS_MAC_ADDRESS_OVERWRITE  0x00010000
+#define NDIS_MINIPORT_USES_SAFE_BUFFER_APIS           0x00020000
+#define NDIS_MINIPORT_HIDDEN                          0x00040000
+#define NDIS_MINIPORT_SWENUM                          0x00080000
+#define NDIS_MINIPORT_SURPRISE_REMOVE_OK              0x00100000
+#define NDIS_MINIPORT_NO_HALT_ON_SUSPEND              0x00200000
+#define NDIS_MINIPORT_HARDWARE_DEVICE                 0x00400000
+#define NDIS_MINIPORT_SUPPORTS_CANCEL_SEND_PACKETS    0x00800000
+#define NDIS_MINIPORT_64BITS_DMA                      0x01000000
+
+#define NDIS_MEDIUM_802_3		0x00000000
+#define NDIS_MEDIUM_802_5		0x00000001
+#define NDIS_MEDIUM_FDDI		0x00000002
+#define NDIS_MEDIUM_WAN			0x00000003
+#define NDIS_MEDIUM_LOCAL_TALK		0x00000004
+#define NDIS_MEDIUM_DIX			0x00000005
+#define NDIS_MEDIUM_ARCENT_RAW		0x00000006
+#define NDIS_MEDIUM_ARCENT_878_2	0x00000007
+#define NDIS_MEDIUM_ATM			0x00000008
+#define NDIS_MEDIUM_WIRELESS_LAN	0x00000009
+#define NDIS_MEDIUM_IRDA		0x0000000A
+#define NDIS_MEDIUM_BPC			0x0000000B
+#define NDIS_MEDIUM_CO_WAN		0x0000000C
+#define NDIS_MEDIUM_1394		0x0000000D
+
+#define NDIS_PACKET_TYPE_DIRECTED	0x00000001
+#define NDIS_PACKET_TYPE_MULTICAST	0x00000002
+#define NDIS_PACKET_TYPE_ALL_MULTICAST	0x00000004
+#define NDIS_PACKET_TYPE_BROADCAST	0x00000008
+#define NDIS_PACKET_TYPE_SOURCE_ROUTING	0x00000010
+#define NDIS_PACKET_TYPE_PROMISCUOUS	0x00000020
+#define NDIS_PACKET_TYPE_SMT		0x00000040
+#define NDIS_PACKET_TYPE_ALL_LOCAL	0x00000080
+#define NDIS_PACKET_TYPE_GROUP		0x00000100
+#define NDIS_PACKET_TYPE_ALL_FUNCTIONAL	0x00000200
+#define NDIS_PACKET_TYPE_FUNCTIONAL	0x00000400
+#define NDIS_PACKET_TYPE_MAC_FRAME	0x00000800
+
+#define NDIS_MEDIA_STATE_CONNECTED	0x00000000
+#define NDIS_MEDIA_STATE_DISCONNECTED	0x00000001
+
+#define NDIS_MAC_OPTION_COPY_LOOKAHEAD_DATA     0x00000001
+#define NDIS_MAC_OPTION_RECEIVE_SERIALIZED      0x00000002
+#define NDIS_MAC_OPTION_TRANSFERS_NOT_PEND      0x00000004
+#define NDIS_MAC_OPTION_NO_LOOPBACK             0x00000008
+#define NDIS_MAC_OPTION_FULL_DUPLEX             0x00000010
+#define NDIS_MAC_OPTION_EOTX_INDICATION         0x00000020
+#define NDIS_MAC_OPTION_8021P_PRIORITY          0x00000040
+#define NDIS_MAC_OPTION_RESERVED                0x80000000
+
+#endif /* _LINUX_NDIS_H */
diff -urN 4242/hw/nseries.c qemu-omap/hw/nseries.c
--- 4242/hw/nseries.c	2008-04-24 18:11:49.000000000 +0100
+++ qemu-omap/hw/nseries.c	2008-04-23 09:57:56.000000000 +0100
@@ -602,6 +602,37 @@
                     (void *) &config7, sizeof(config7));
 }
 
+#if 0
+static uint32_t n800_pinout[104] = {
+    0x080f00d8, 0x00d40808, 0x03080808, 0x080800d0,
+    0x00dc0808, 0x0b0f0f00, 0x080800b4, 0x00c00808,
+    0x08080808, 0x180800c4, 0x00b80000, 0x08080808,
+    0x080800bc, 0x00cc0808, 0x08081818, 0x18180128,
+    0x01241800, 0x18181818, 0x000000f0, 0x01300000,
+    0x00001b0b, 0x1b0f0138, 0x00e0181b, 0x1b031b0b,
+    0x180f0078, 0x00740018, 0x0f0f0f1a, 0x00000080,
+    0x007c0000, 0x00000000, 0x00000088, 0x00840000,
+    0x00000000, 0x00000094, 0x00980300, 0x0f180003,
+    0x0000008c, 0x00900f0f, 0x0f0f1b00, 0x0f00009c,
+    0x01140000, 0x1b1b0f18, 0x0818013c, 0x01400008,
+    0x00001818, 0x000b0110, 0x010c1800, 0x0b030b0f,
+    0x181800f4, 0x00f81818, 0x00000018, 0x000000fc,
+    0x00401808, 0x00000000, 0x0f1b0030, 0x003c0008,
+    0x00000000, 0x00000038, 0x00340000, 0x00000000,
+    0x1a080070, 0x00641a1a, 0x08080808, 0x08080060,
+    0x005c0808, 0x08080808, 0x08080058, 0x00540808,
+    0x08080808, 0x0808006c, 0x00680808, 0x08080808,
+    0x000000a8, 0x00b00000, 0x08080808, 0x000000a0,
+    0x00a40000, 0x00000000, 0x08ff0050, 0x004c0808,
+    0xffffffff, 0xffff0048, 0x0044ffff, 0xffffffff,
+    0x000000ac, 0x01040800, 0x08080b0f, 0x18180100,
+    0x01081818, 0x0b0b1808, 0x1a0300e4, 0x012c0b1a,
+    0x02020018, 0x0b000134, 0x011c0800, 0x0b1b1b00,
+    0x0f0000c8, 0x00ec181b, 0x000f0f02, 0x00180118,
+    0x01200000, 0x0f0b1b1b, 0x0f0200e8, 0x0000020b,
+};
+#endif
+
 /* Setup sequence done by the bootloader */
 static void n800_boot_init(void *opaque)
 {
@@ -942,3 +973,71 @@
     "Nokia N800 aka. RX-34 tablet (OMAP2420)",
     n800_init,
 };
+
+#if 0
+/* cx3110x.c */
+#define CY_ARM_INT		0x00
+#define CY_ARM_INT_ENA		0x00
+#define CY_HOST_INT		0x00
+#define CY_HOST_INT_ENA		0x00
+#define CY_HOST_INT_ACK		0x00
+#define CY_GP1_COMM		0x00
+#define CY_GP2_COMM		0x00
+#define CY_DEV_CTRL_STA		0x00
+#define CY_DMA_DATA		0x00	/* 16-bit */
+#define CY_DMA_WR_CTRL		0x00	/* 16-bit */
+#define CY_DMA_WR_LEN		0x00	/* 16-bit */
+#define CY_DMA_WR_BASE		0x00
+#define CY_DMA_RD_CTRL		0x00	/* 16-bit */
+#define CY_DMA_RD_LEN		0x00	/* 16-bit */
+#define CY_DMA_RD_BASE		0x00
+
+HW:
+(spi bus 1.0)
+  tsc2005
+(spi bus 1.1)
+  lcd_mipid
+(spi bus 2.0)
+  cx3110x (WLAN)
+(spi somewhere?)
+  pc2400m (WiMAX)
+(i2c bus 0)
+  TLV320AIC33 (audio codec on i2c)
+  TCM825x (camera on i2c)
+  lp5521 (LED on i2c)
+  tsl2563 (light sensor, hwmon on i2c)
+  lm8323 (keypad on i2c)
+(i2c bus 1)
+  tmp105 (temperature sensor, hwmon on i2c)
+  menelaus (power on i2c)
+
+GPIO   0: out hi
+GPIO   8: in  hi
+GPIO   9: out hi
+GPIO  10: out lo
+GPIO  12: out lo
+GPIO  15: out lo
+GPIO  23: out hi
+GPIO  26: in  hi, irq-186 rising
+GPIO  53: out lo
+GPIO  58: in  hi, irq-218 low wakeup
+GPIO  62: out lo
+GPIO  64: out hi
+GPIO  65: in  hi
+GPIO  66: out lo
+GPIO  93: out lo
+GPIO  94: in  hi
+GPIO  95: out lo
+GPIO  96: out hi
+GPIO 101: out lo
+GPIO 102: in  hi, irq-262 bothedge
+GPIO 106: in  hi, irq-266 falling wakeup
+GPIO 107: in  hi, irq-267 bothedge
+GPIO 108: in  lo, irq-268 rising wakeup
+GPIO 109: in  hi, irq-269 falling wakeup
+GPIO 110: in  hi, irq-270 bothedge
+GPIO 111: in  lo, irq-271 rising
+GPIO 112: out hi
+GPIO 118: out hi
+GPIO 125: in  lo, irq-285 rising
+#endif
diff -urN 4242/hw/omap2.c qemu-omap/hw/omap2.c
--- 4242/hw/omap2.c	2008-04-24 18:11:49.000000000 +0100
+++ qemu-omap/hw/omap2.c	2008-04-23 09:57:56.000000000 +0100
@@ -3675,152 +3675,152 @@
                     omap_findclk(s, "dss_l4_iclk"));
 
     /* All register mappings (includin those not currenlty implemented):
-     * SystemControlMod	48000000 - 48000fff
-     * SystemControlL4	48001000 - 48001fff
-     * 32kHz Timer Mod	48004000 - 48004fff
-     * 32kHz Timer L4	48005000 - 48005fff
-     * PRCM ModA	48008000 - 480087ff
+     * SystemControlMod	48000000 - 48000fff (REV 0x00000010)
+     * SystemControlL4	48001000 - 48001fff (0x00200010, 0x01000200, 0x00000000)
+     * 32kHz Timer Mod	48004000 - 48004fff (REV 0x00000011)
+     * 32kHz Timer L4	48005000 - 48005fff (0x00200010, 0x01000200, 0x00000000)
+     * PRCM ModA	48008000 - 480087ff (REV 0x00000010)
      * PRCM ModB	48008800 - 48008fff
-     * PRCM L4		48009000 - 48009fff
-     * TEST-BCM Mod	48012000 - 48012fff
-     * TEST-BCM L4	48013000 - 48013fff
-     * TEST-TAP Mod	48014000 - 48014fff
-     * TEST-TAP L4	48015000 - 48015fff
-     * GPIO1 Mod	48018000 - 48018fff
-     * GPIO Top		48019000 - 48019fff
-     * GPIO2 Mod	4801a000 - 4801afff
-     * GPIO L4		4801b000 - 4801bfff
-     * GPIO3 Mod	4801c000 - 4801cfff
-     * GPIO4 Mod	4801e000 - 4801efff
-     * WDTIMER1 Mod	48020000 - 48010fff
+     * PRCM L4		48009000 - 48009fff (0x00200010, 0x00000200, 0x00000000)
+     * TEST-BCM Mod	48012000 - 48012fff (REV 0x00000010)
+     * TEST-BCM L4	48013000 - 48013fff (0x00200010, 0x00000200, 0x00000000)
+     * TEST-TAP Mod	48014000 - 48014fff (REV 0x00000010)
+     * TEST-TAP L4	48015000 - 48015fff (0x00200010, 0x00000200, 0x00000000)
+     * GPIO1 Mod	48018000 - 48018fff (REV 0x00000018)
+     * GPIO Top		48019000 - 48019fff (REV 0x00000011)
+     * GPIO2 Mod	4801a000 - 4801afff (REV 0x00000018)
+     * GPIO L4		4801b000 - 4801bfff (0x00200010, 0x00000200, 0x00000000)
+     * GPIO3 Mod	4801c000 - 4801cfff (REV 0x00000018)
+     * GPIO4 Mod	4801e000 - 4801efff (REV 0x00000018)
+     * WDTIMER1 Mod	48020000 - 48010fff (REV Abort)
      * WDTIMER Top	48021000 - 48011fff
-     * WDTIMER2 Mod	48022000 - 48012fff
-     * WDTIMER L4	48023000 - 48013fff
-     * WDTIMER3 Mod	48024000 - 48014fff
-     * WDTIMER3 L4	48025000 - 48015fff
-     * WDTIMER4 Mod	48026000 - 48016fff
-     * WDTIMER4 L4	48027000 - 48017fff
-     * GPTIMER1 Mod	48028000 - 48018fff
-     * GPTIMER1 L4	48029000 - 48019fff
-     * GPTIMER2 Mod	4802a000 - 4801afff
-     * GPTIMER2 L4	4802b000 - 4801bfff
+     * WDTIMER2 Mod	48022000 - 48012fff (REV 0x00000011)
+     * WDTIMER L4	48023000 - 48013fff (0x00200010, 0x00000200, 0x00000000)
+     * WDTIMER3 Mod	48024000 - 48014fff (REV 0x00000011)
+     * WDTIMER3 L4	48025000 - 48015fff (0x00200010, 0x00000200, 0x00000000)
+     * WDTIMER4 Mod	48026000 - 48016fff (REV 0x00000011)
+     * WDTIMER4 L4	48027000 - 48017fff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER1 Mod	48028000 - 48018fff (REV 0x00000013)
+     * GPTIMER1 L4	48029000 - 48019fff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER2 Mod	4802a000 - 4801afff (REV Abort)
+     * GPTIMER2 L4	4802b000 - 4801bfff (0x00200010, 0x00000200, 0x00000000)
      * L4-Config AP	48040000 - 480407ff
      * L4-Config IP	48040800 - 48040fff
      * L4-Config LA	48041000 - 48041fff
-     * ARM11ETB Mod	48048000 - 48049fff
-     * ARM11ETB L4	4804a000 - 4804afff
-     * DISPLAY Top	48050000 - 480503ff
-     * DISPLAY DISPC	48050400 - 480507ff
-     * DISPLAY RFBI	48050800 - 48050bff
-     * DISPLAY VENC	48050c00 - 48050fff
-     * DISPLAY L4	48051000 - 48051fff
-     * CAMERA Top	48052000 - 480523ff
-     * CAMERA core	48052400 - 480527ff
-     * CAMERA DMA	48052800 - 48052bff
-     * CAMERA MMU	48052c00 - 48052fff
-     * CAMERA L4	48053000 - 48053fff
-     * SDMA Mod		48056000 - 48056fff
-     * SDMA L4		48057000 - 48057fff
-     * SSI Top		48058000 - 48058fff
-     * SSI GDD		48059000 - 48059fff
-     * SSI Port1	4805a000 - 4805afff
-     * SSI Port2	4805b000 - 4805bfff
-     * SSI L4		4805c000 - 4805cfff
-     * USB Mod		4805e000 - 480fefff
-     * USB L4		4805f000 - 480fffff
-     * WIN_TRACER1 Mod	48060000 - 48060fff
-     * WIN_TRACER1 L4	48061000 - 48061fff
-     * WIN_TRACER2 Mod	48062000 - 48062fff
-     * WIN_TRACER2 L4	48063000 - 48063fff
-     * WIN_TRACER3 Mod	48064000 - 48064fff
-     * WIN_TRACER3 L4	48065000 - 48065fff
-     * WIN_TRACER4 Top	48066000 - 480660ff
-     * WIN_TRACER4 ETT	48066100 - 480661ff
-     * WIN_TRACER4 WT	48066200 - 480662ff
-     * WIN_TRACER4 L4	48067000 - 48067fff
-     * XTI Mod		48068000 - 48068fff
-     * XTI L4		48069000 - 48069fff
-     * UART1 Mod	4806a000 - 4806afff
-     * UART1 L4		4806b000 - 4806bfff
-     * UART2 Mod	4806c000 - 4806cfff
-     * UART2 L4		4806d000 - 4806dfff
-     * UART3 Mod	4806e000 - 4806efff
-     * UART3 L4		4806f000 - 4806ffff
-     * I2C1 Mod		48070000 - 48070fff
-     * I2C1 L4		48071000 - 48071fff
-     * I2C2 Mod		48072000 - 48072fff
-     * I2C2 L4		48073000 - 48073fff
-     * McBSP1 Mod	48074000 - 48074fff
-     * McBSP1 L4	48075000 - 48075fff
-     * McBSP2 Mod	48076000 - 48076fff
-     * McBSP2 L4	48077000 - 48077fff
-     * GPTIMER3 Mod	48078000 - 48078fff
-     * GPTIMER3 L4	48079000 - 48079fff
-     * GPTIMER4 Mod	4807a000 - 4807afff
-     * GPTIMER4 L4	4807b000 - 4807bfff
-     * GPTIMER5 Mod	4807c000 - 4807cfff
-     * GPTIMER5 L4	4807d000 - 4807dfff
-     * GPTIMER6 Mod	4807e000 - 4807efff
-     * GPTIMER6 L4	4807f000 - 4807ffff
-     * GPTIMER7 Mod	48080000 - 48080fff
-     * GPTIMER7 L4	48081000 - 48081fff
-     * GPTIMER8 Mod	48082000 - 48082fff
-     * GPTIMER8 L4	48083000 - 48083fff
-     * GPTIMER9 Mod	48084000 - 48084fff
-     * GPTIMER9 L4	48085000 - 48085fff
-     * GPTIMER10 Mod	48086000 - 48086fff
-     * GPTIMER10 L4	48087000 - 48087fff
-     * GPTIMER11 Mod	48088000 - 48088fff
-     * GPTIMER11 L4	48089000 - 48089fff
-     * GPTIMER12 Mod	4808a000 - 4808afff
-     * GPTIMER12 L4	4808b000 - 4808bfff
-     * EAC Mod		48090000 - 48090fff
-     * EAC L4		48091000 - 48091fff
-     * FAC Mod		48092000 - 48092fff
-     * FAC L4		48093000 - 48093fff
-     * MAILBOX Mod	48094000 - 48094fff
-     * MAILBOX L4	48095000 - 48095fff
-     * SPI1 Mod		48098000 - 48098fff
-     * SPI1 L4		48099000 - 48099fff
-     * SPI2 Mod		4809a000 - 4809afff
-     * SPI2 L4		4809b000 - 4809bfff
-     * MMC/SDIO Mod	4809c000 - 4809cfff
-     * MMC/SDIO L4	4809d000 - 4809dfff
-     * MS_PRO Mod	4809e000 - 4809efff
-     * MS_PRO L4	4809f000 - 4809ffff
-     * RNG Mod		480a0000 - 480a0fff
-     * RNG L4		480a1000 - 480a1fff
-     * DES3DES Mod	480a2000 - 480a2fff
-     * DES3DES L4	480a3000 - 480a3fff
-     * SHA1MD5 Mod	480a4000 - 480a4fff
-     * SHA1MD5 L4	480a5000 - 480a5fff
-     * AES Mod		480a6000 - 480a6fff
-     * AES L4		480a7000 - 480a7fff
-     * PKA Mod		480a8000 - 480a9fff
-     * PKA L4		480aa000 - 480aafff
-     * MG Mod		480b0000 - 480b0fff
-     * MG L4		480b1000 - 480b1fff
-     * HDQ/1-wire Mod	480b2000 - 480b2fff
-     * HDQ/1-wire L4	480b3000 - 480b3fff
-     * MPU interrupt	480fe000 - 480fefff
-     * IVA RAM		5c000000 - 5c01ffff
-     * IVA ROM		5c020000 - 5c027fff
-     * IMG_BUF_A	5c040000 - 5c040fff
-     * IMG_BUF_B	5c042000 - 5c042fff
-     * VLCDS		5c048000 - 5c0487ff
-     * IMX_COEF		5c049000 - 5c04afff
-     * IMX_CMD		5c051000 - 5c051fff
-     * VLCDQ		5c053000 - 5c0533ff
-     * VLCDH		5c054000 - 5c054fff
-     * SEQ_CMD		5c055000 - 5c055fff
-     * IMX_REG		5c056000 - 5c0560ff
-     * VLCD_REG		5c056100 - 5c0561ff
-     * SEQ_REG		5c056200 - 5c0562ff
-     * IMG_BUF_REG	5c056300 - 5c0563ff
-     * SEQIRQ_REG	5c056400 - 5c0564ff
-     * OCP_REG		5c060000 - 5c060fff
-     * SYSC_REG		5c070000 - 5c070fff
-     * MMU_REG		5d000000 - 5d000fff
+     * ARM11ETB Mod	48048000 - 48049fff (REV 0x00000011)
+     * ARM11ETB L4	4804a000 - 4804afff (0x00200010, 0x00000200, 0x00000000)
+     * DISPLAY Top	48050000 - 480503ff (REV 0x00000003)
+     * DISPLAY DISPC	48050400 - 480507ff (REV 0x00000020)
+     * DISPLAY RFBI	48050800 - 48050bff (REV 0x00000010)
+     * DISPLAY VENC	48050c00 - 48050fff (REV Abort)
+     * DISPLAY L4	48051000 - 48051fff (0x00200010, 0x00000200, 0x00000100)
+     * CAMERA Top	48052000 - 480523ff (REV 0x00000020)
+     * CAMERA core	48052400 - 480527ff (REV 0x00000020)
+     * CAMERA DMA	48052800 - 48052bff (REV 0x00000020)
+     * CAMERA MMU	48052c00 - 48052fff (REV 0x00000010)
+     * CAMERA L4	48053000 - 48053fff (0x00200010, 0x00000200, 0x00000000)
+     * SDMA Mod		48056000 - 48056fff (REV 0x00000020)
+     * SDMA L4		48057000 - 48057fff (0x00200010, 0x00000200, 0x00000000)
+     * SSI Top		48058000 - 48058fff (REV Abort)
+     * SSI GDD		48059000 - 48059fff (REV Abort)
+     * SSI Port1	4805a000 - 4805afff (REV Abort)
+     * SSI Port2	4805b000 - 4805bfff (REV Abort)
+     * SSI L4		4805c000 - 4805cfff (0x00200010, 0x00000200, 0x00000100)
+     * USB Mod		4805e000 - 480fefff (REV Abort)
+     * USB L4		4805f000 - 480fffff (0x00200010, 0x01000200, 0x00000100)
+     * WIN_TRACER1 Mod	48060000 - 48060fff (REV 0x00000020)
+     * WIN_TRACER1 L4	48061000 - 48061fff (0x00200010, 0x00000200, 0x00000000)
+     * WIN_TRACER2 Mod	48062000 - 48062fff (REV 0x00000020)
+     * WIN_TRACER2 L4	48063000 - 48063fff (0x00200010, 0x00000200, 0x00000000)
+     * WIN_TRACER3 Mod	48064000 - 48064fff (REV 0x00000020)
+     * WIN_TRACER3 L4	48065000 - 48065fff (0x00200010, 0x00000200, 0x00000000)
+     * WIN_TRACER4 Top	48066000 - 480660ff (REV 0x00000011)
+     * WIN_TRACER4 ETT	48066100 - 480661ff (REV 0x00000011)
+     * WIN_TRACER4 WT	48066200 - 480662ff (REV 0x00000020)
+     * WIN_TRACER4 L4	48067000 - 48067fff (0x00200010, 0x00000200, 0x00000000)
+     * XTI Mod		48068000 - 48068fff (REV 0x00000010)
+     * XTI L4		48069000 - 48069fff (0x00200010, 0x00000200, 0x00000000)
+     * UART1 Mod	4806a000 - 4806afff (MVR Abort)
+     * UART1 L4		4806b000 - 4806bfff (0x00200010, 0x00000200, 0x00000000)
+     * UART2 Mod	4806c000 - 4806cfff (MVR Abort)
+     * UART2 L4		4806d000 - 4806dfff (0x00200010, 0x00000200, 0x00000000)
+     * UART3 Mod	4806e000 - 4806efff (MVR 0x20)
+     * UART3 L4		4806f000 - 4806ffff (0x00200010, 0x00000200, 0x00000000)
+     * I2C1 Mod		48070000 - 48070fff (REV 0x0034)
+     * I2C1 L4		48071000 - 48071fff (0x00200010, 0x01000200, 0x01000000)
+     * I2C2 Mod		48072000 - 48072fff (REV 0x0034)
+     * I2C2 L4		48073000 - 48073fff (0x00200010, 0x01000200, 0x01000000)
+     * McBSP1 Mod	48074000 - 48074fff (REV Abort)
+     * McBSP1 L4	48075000 - 48075fff (0x00200010, 0x01000200, 0x01000000)
+     * McBSP2 Mod	48076000 - 48076fff (REV Abort)
+     * McBSP2 L4	48077000 - 48077fff (0x00200010, 0x01000200, 0x01000000)
+     * GPTIMER3 Mod	48078000 - 48078fff (REV Abort)
+     * GPTIMER3 L4	48079000 - 48079fff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER4 Mod	4807a000 - 4807afff (REV Abort)
+     * GPTIMER4 L4	4807b000 - 4807bfff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER5 Mod	4807c000 - 4807cfff (REV Abort)
+     * GPTIMER5 L4	4807d000 - 4807dfff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER6 Mod	4807e000 - 4807efff (REV Abort)
+     * GPTIMER6 L4	4807f000 - 4807ffff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER7 Mod	48080000 - 48080fff (REV Abort)
+     * GPTIMER7 L4	48081000 - 48081fff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER8 Mod	48082000 - 48082fff (REV Abort)
+     * GPTIMER8 L4	48083000 - 48083fff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER9 Mod	48084000 - 48084fff (REV Abort)
+     * GPTIMER9 L4	48085000 - 48085fff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER10 Mod	48086000 - 48086fff (REV Abort)
+     * GPTIMER10 L4	48087000 - 48087fff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER11 Mod	48088000 - 48088fff (REV Abort)
+     * GPTIMER11 L4	48089000 - 48089fff (0x00200010, 0x00000200, 0x00000000)
+     * GPTIMER12 Mod	4808a000 - 4808afff (REV Abort)
+     * GPTIMER12 L4	4808b000 - 4808bfff (0x00200010, 0x00000200, 0x00000000)
+     * EAC Mod		48090000 - 48090fff (REV Abort)
+     * EAC L4		48091000 - 48091fff (0x00200010, 0x00000200, 0x00000000)
+     * FAC Mod		48092000 - 48092fff (REV Abort)
+     * FAC L4		48093000 - 48093fff (0x00200010, 0x00000200, 0x00000000)
+     * MAILBOX Mod	48094000 - 48094fff (REV 0x00000010)
+     * MAILBOX L4	48095000 - 48095fff (0x00200010, 0x00000200, 0x00000000)
+     * SPI1 Mod		48098000 - 48098fff (REV Abort)
+     * SPI1 L4		48099000 - 48099fff (0x00200010, 0x00000200, 0x00000000)
+     * SPI2 Mod		4809a000 - 4809afff (REV Abort)
+     * SPI2 L4		4809b000 - 4809bfff (0x00200010, 0x00000200, 0x00000000)
+     * MMC/SDIO Mod	4809c000 - 4809cfff (REV 0x0044)
+     * MMC/SDIO L4	4809d000 - 4809dfff (0x00200010, 0x01000200, 0x01000000)
+     * MS_PRO Mod	4809e000 - 4809efff (REV Abort)
+     * MS_PRO L4	4809f000 - 4809ffff (0x00200010, 0x01000200, 0x01000000)
+     * RNG Mod		480a0000 - 480a0fff (REV 0xFC066F93?)
+     * RNG L4		480a1000 - 480a1fff (0x00200010, 0x01000200, 0x00000000)
+     * DES3DES Mod	480a2000 - 480a2fff (REV 0x00000000?)
+     * DES3DES L4	480a3000 - 480a3fff (0x00200010, 0x01000200, 0x00000000)
+     * SHA1MD5 Mod	480a4000 - 480a4fff (REV 0x00000000?)
+     * SHA1MD5 L4	480a5000 - 480a5fff (0x00200010, 0x01000200, 0x00000000)
+     * AES Mod		480a6000 - 480a6fff (REV 0x00000000?)
+     * AES L4		480a7000 - 480a7fff (0x00200010, 0x00000200, 0x00000000)
+     * PKA Mod		480a8000 - 480a9fff (REV 0x00000000?)
+     * PKA L4		480aa000 - 480aafff (0x00200010, 0x00000200, 0x00000000)
+     * MG Mod		480b0000 - 480b0fff (REV Abort)
+     * MG L4		480b1000 - 480b1fff (0x00200010, 0x01000200, 0x01000000)
+     * HDQ/1-wire Mod	480b2000 - 480b2fff (REV 0x00000002)
+     * HDQ/1-wire L4	480b3000 - 480b3fff (0x00200010, 0x00000200, 0x00000000)
+     * MPU interrupt	480fe000 - 480fefff (REV 0x00000020)
+     * IVA RAM		5c000000 - 5c01ffff (REV Abort)
+     * IVA ROM		5c020000 - 5c027fff (REV Abort)
+     * IMG_BUF_A	5c040000 - 5c040fff (REV Abort)
+     * IMG_BUF_B	5c042000 - 5c042fff (REV Abort)
+     * VLCDS		5c048000 - 5c0487ff (REV Abort)
+     * IMX_COEF		5c049000 - 5c04afff (REV Abort)
+     * IMX_CMD		5c051000 - 5c051fff (REV Abort)
+     * VLCDQ		5c053000 - 5c0533ff (REV Abort)
+     * VLCDH		5c054000 - 5c054fff (REV Abort)
+     * SEQ_CMD		5c055000 - 5c055fff (REV Abort)
+     * IMX_REG		5c056000 - 5c0560ff (REV Abort)
+     * VLCD_REG		5c056100 - 5c0561ff (REV Abort)
+     * SEQ_REG		5c056200 - 5c0562ff (REV Abort)
+     * IMG_BUF_REG	5c056300 - 5c0563ff (REV Abort)
+     * SEQIRQ_REG	5c056400 - 5c0564ff (REV Abort)
+     * OCP_REG		5c060000 - 5c060fff (REV Abort)
+     * SYSC_REG		5c070000 - 5c070fff (REV Abort)
+     * MMU_REG		5d000000 - 5d000fff (REV Abort)
      * sDMA R		68000400 - 680005ff
      * sDMA W		68000600 - 680007ff
      * Display Control	68000800 - 680009ff
@@ -3849,9 +3849,9 @@
      * GPMC (firewall)	68006000 - 680063ff
      * GPMC (err login)	68006400 - 680067ff
      * SMS (err login)	68006c00 - 68006fff
-     * SMS registers	68008000 - 68008fff
-     * SDRC registers	68009000 - 68009fff
-     * GPMC registers	6800a000   6800afff
+     * SMS registers	68008000 - 68008fff (REV 0x00000020)
+     * SDRC registers	68009000 - 68009fff (REV 0x00000020)
+     * GPMC registers	6800a000   6800afff (REV 0x00000020)
      */
 
     qemu_register_reset(omap2_mpu_reset, s);
diff -urN 4242/hw/pc.c qemu-omap/hw/pc.c
--- 4242/hw/pc.c	2008-04-24 21:26:22.000000000 +0100
+++ qemu-omap/hw/pc.c	2008-04-23 09:57:56.000000000 +0100
@@ -445,6 +445,37 @@
     bdrv_set_boot_sector(drives_table[hda].bdrv, bootsect, sizeof(bootsect));
 }
 
+static int load_kernel(const char *filename, uint8_t *addr,
+                       uint8_t *real_addr)
+{
+    int fd, size;
+    int setup_sects;
+
+    fd = open(filename, O_RDONLY | O_BINARY);
+    if (fd < 0)
+        return -1;
+
+    /* load 16 bit code */
+    if (read(fd, real_addr, 512) != 512)
+        goto fail;
+    setup_sects = real_addr[0x1F1];
+    if (!setup_sects)
+        setup_sects = 4;
+    if (read(fd, real_addr + 512, setup_sects * 512) !=
+        setup_sects * 512)
+        goto fail;
+
+    /* load 32 bit code */
+    size = read(fd, addr, 16 * 1024 * 1024);
+    if (size < 0)
+        goto fail;
+    close(fd);
+    return size;
+ fail:
+    close(fd);
+    return -1;
+}
+
 static long get_file_size(FILE *f)
 {
     long where, size;
diff -urN 4242/hw/tusb6010.c qemu-omap/hw/tusb6010.c
--- 4242/hw/tusb6010.c	2008-04-23 12:18:54.000000000 +0100
+++ qemu-omap/hw/tusb6010.c	2008-04-23 09:57:56.000000000 +0100
@@ -287,9 +287,6 @@
     /* TODO: How is this signalled?  */
 }
 
-extern CPUReadMemoryFunc *musb_read[];
-extern CPUWriteMemoryFunc *musb_write[];
-
 static uint32_t tusb_async_readb(void *opaque, target_phys_addr_t addr)
 {
     struct tusb_s *s = (struct tusb_s *) opaque;
diff -urN 4242/hw/usb.h qemu-omap/hw/usb.h
--- 4242/hw/usb.h	2008-04-23 12:18:54.000000000 +0100
+++ qemu-omap/hw/usb.h	2008-04-23 09:57:56.000000000 +0100
@@ -219,6 +219,9 @@
 /* usb-msd.c */
 USBDevice *usb_msd_init(const char *filename);
 
+/* usb-net.c */
+USBDevice *usb_net_init(NICInfo *nd);
+
 /* usb-wacom.c */
 USBDevice *usb_wacom_init(void);
 
@@ -254,3 +257,7 @@
 uint32_t musb_core_intr_get(struct musb_s *s);
 void musb_core_intr_clear(struct musb_s *s, uint32_t mask);
 void musb_set_size(struct musb_s *s, int epnum, int size, int is_tx);
+#ifdef NEED_CPU_H
+extern CPUReadMemoryFunc *musb_read[];
+extern CPUWriteMemoryFunc *musb_write[];
+#endif
diff -urN 4242/hw/usb-hub.c qemu-omap/hw/usb-hub.c
--- 4242/hw/usb-hub.c	2008-04-23 11:43:37.000000000 +0100
+++ qemu-omap/hw/usb-hub.c	2008-04-23 09:57:56.000000000 +0100
@@ -146,8 +146,8 @@
 	0x07,       /*  u8  ep_bLength; */
 	0x05,       /*  u8  ep_bDescriptorType; Endpoint */
 	0x81,       /*  u8  ep_bEndpointAddress; IN Endpoint 1 */
- 	0x03,       /*  u8  ep_bmAttributes; Interrupt */
- 	0x02, 0x00, /*  u16 ep_wMaxPacketSize; 1 + (MAX_ROOT_PORTS / 8) */
+	0x03,       /*  u8  ep_bmAttributes; Interrupt */
+	0x02, 0x00, /*  u16 ep_wMaxPacketSize; 1 + (MAX_ROOT_PORTS / 8) */
 	0xff        /*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
 };
 
diff -urN 4242/hw/usb-net.c qemu-omap/hw/usb-net.c
--- 4242/hw/usb-net.c	1970-01-01 01:00:00.000000000 +0100
+++ qemu-omap/hw/usb-net.c	2008-04-23 09:57:56.000000000 +0100
@@ -0,0 +1,1334 @@
+/*
+ * QEMU USB Net devices
+ * 
+ * Copyright (c) 2006 Thomas Sailer
+ * based on usb-hid.c Copyright (c) 2005 Fabrice Bellard
+ * 
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu-common.h"
+#include "usb.h"
+#include "net.h"
+#include "../audio/sys-queue.h"
+
+typedef uint32_t __le32;
+#include "ndis.h"
+
+/*#define TRAFFIC_DEBUG*/
+/* Thanks to NetChip Technologies for donating this product ID.
+ * It's for devices with only CDC Ethernet configurations.
+ */
+#define CDC_VENDOR_NUM          0x0525  /* NetChip */
+#define CDC_PRODUCT_NUM         0xa4a1  /* Linux-USB Ethernet Gadget */
+/* For hardware that can talk RNDIS and either of the above protocols,
+ * use this ID ... the windows INF files will know it.
+ */
+#define RNDIS_VENDOR_NUM        0x0525  /* NetChip */
+#define RNDIS_PRODUCT_NUM       0xa4a2  /* Ethernet/RNDIS Gadget */
+
+#define STRING_MANUFACTURER             1
+#define STRING_PRODUCT                  2
+#define STRING_ETHADDR                  3
+#define STRING_DATA                     4
+#define STRING_CONTROL                  5
+#define STRING_RNDIS_CONTROL            6
+#define STRING_CDC                      7
+#define STRING_SUBSET                   8
+#define STRING_RNDIS                    9
+#define STRING_SERIALNUMBER             10
+
+#define DEV_CONFIG_VALUE        1       /* cdc or subset */
+#define DEV_RNDIS_CONFIG_VALUE  2       /* rndis; optional */
+
+#define USB_CDC_SUBCLASS_ACM                    0x02
+#define USB_CDC_SUBCLASS_ETHERNET               0x06
+
+#define USB_CDC_PROTO_NONE                      0
+#define USB_CDC_ACM_PROTO_VENDOR                0xff
+
+#define USB_CDC_HEADER_TYPE             0x00            /* header_desc */
+#define USB_CDC_CALL_MANAGEMENT_TYPE    0x01            /* call_mgmt_descriptor */
+#define USB_CDC_ACM_TYPE                0x02            /* acm_descriptor */
+#define USB_CDC_UNION_TYPE              0x06            /* union_desc */
+#define USB_CDC_ETHERNET_TYPE           0x0f            /* ether_desc */
+
+#define USB_DT_CS_INTERFACE             0x24
+#define USB_DT_CS_ENDPOINT              0x25
+
+#define ClassInterfaceRequest \
+        ((USB_DIR_IN|USB_TYPE_CLASS|USB_RECIP_INTERFACE)<<8)
+#define ClassInterfaceOutRequest \
+        ((USB_DIR_OUT|USB_TYPE_CLASS|USB_RECIP_INTERFACE)<<8)
+
+#define USB_CDC_SEND_ENCAPSULATED_COMMAND       0x00
+#define USB_CDC_GET_ENCAPSULATED_RESPONSE       0x01
+#define USB_CDC_REQ_SET_LINE_CODING             0x20
+#define USB_CDC_REQ_GET_LINE_CODING             0x21
+#define USB_CDC_REQ_SET_CONTROL_LINE_STATE      0x22
+#define USB_CDC_REQ_SEND_BREAK                  0x23
+#define USB_CDC_SET_ETHERNET_MULTICAST_FILTERS  0x40
+#define USB_CDC_SET_ETHERNET_PM_PATTERN_FILTER  0x41
+#define USB_CDC_GET_ETHERNET_PM_PATTERN_FILTER  0x42
+#define USB_CDC_SET_ETHERNET_PACKET_FILTER      0x43
+#define USB_CDC_GET_ETHERNET_STATISTIC          0x44
+
+#define USB_ENDPOINT_XFER_BULK          2
+#define USB_ENDPOINT_XFER_INT           3
+
+#define LOG2_STATUS_INTERVAL_MSEC       5       /* 1 << 5 == 32 msec */
+#define STATUS_BYTECOUNT                16      /* 8 byte header + data */
+
+#define ETH_FRAME_LEN                   1514    /* Max. octets in frame sans FCS */
+
+/*
+ * mostly the same descriptor as the linux gadget rndis driver
+ */
+static const uint8_t qemu_net_dev_descriptor[] = {
+	0x12,                /*  u8 bLength; */
+	USB_DT_DEVICE,       /*  u8 bDescriptorType; Device */
+	0x00, 0x02,          /*  u16 bcdUSB; v2.0 */
+	USB_CLASS_COMM,	     /*  u8  bDeviceClass; */
+	0x00,	             /*  u8  bDeviceSubClass; */
+	0x00,                /*  u8  bDeviceProtocol; [ low/full speeds only ] */
+	0x40,                /*  u8  bMaxPacketSize0 */
+	RNDIS_VENDOR_NUM & 0xff, RNDIS_VENDOR_NUM >> 8,   /*  u16 idVendor; */
+ 	RNDIS_PRODUCT_NUM & 0xff, RNDIS_PRODUCT_NUM >> 8, /*  u16 idProduct; */
+	0x00, 0x00,          /*  u16 bcdDevice */
+	STRING_MANUFACTURER, /*  u8  iManufacturer; */
+	STRING_PRODUCT,      /*  u8  iProduct; */
+	STRING_SERIALNUMBER, /*  u8  iSerialNumber; */
+	0x02                 /*  u8  bNumConfigurations; */
+};
+
+static const uint8_t qemu_net_rndis_config_descriptor[] = {
+	/* Configuration Descriptor */
+	0x09,                /*  u8  bLength */
+	USB_DT_CONFIG,       /*  u8  bDescriptorType */
+        0x43, 0x00,          /*  le16 wTotalLength */
+        0x02,                /*  u8  bNumInterfaces */
+        DEV_RNDIS_CONFIG_VALUE, /*  u8  bConfigurationValue */
+        STRING_RNDIS,        /*  u8  iConfiguration */
+        0xc0,                /*  u8  bmAttributes */
+        0x32,                /*  u8  bMaxPower */
+	/* RNDIS Control Interface */
+        0x09,                /*  u8  bLength */
+        USB_DT_INTERFACE,    /*  u8  bDescriptorType */
+        0x00,                /*  u8  bInterfaceNumber */
+        0x00,                /*  u8  bAlternateSetting */
+        0x01,                /*  u8  bNumEndpoints */
+        USB_CLASS_COMM,           /*  u8  bInterfaceClass */
+        USB_CDC_SUBCLASS_ACM,     /*  u8  bInterfaceSubClass */
+        USB_CDC_ACM_PROTO_VENDOR, /*  u8  bInterfaceProtocol */
+        STRING_RNDIS_CONTROL,     /*  u8  iInterface */
+	/* Header Descriptor */
+        0x05,                /*  u8    bLength */
+        USB_DT_CS_INTERFACE, /*  u8    bDescriptorType */
+        USB_CDC_HEADER_TYPE, /*  u8    bDescriptorSubType */
+        0x10, 0x01,          /*  le16  bcdCDC */
+	/* Call Management Descriptor */
+        0x05,                /*  u8    bLength */
+        USB_DT_CS_INTERFACE, /*  u8    bDescriptorType */
+        USB_CDC_CALL_MANAGEMENT_TYPE, /*  u8    bDescriptorSubType */
+        0x00,                /*  u8    bmCapabilities */
+        0x01,                /*  u8    bDataInterface */
+	/* ACM Descriptor */
+        0x04,                /*  u8    bLength */
+        USB_DT_CS_INTERFACE, /*  u8    bDescriptorType */
+        USB_CDC_ACM_TYPE,    /*  u8    bDescriptorSubType */
+        0x00,                /*  u8    bmCapabilities */
+	/* Union Descriptor */
+        0x05,                /*  u8    bLength */
+        USB_DT_CS_INTERFACE, /*  u8    bDescriptorType */
+        USB_CDC_UNION_TYPE,  /*  u8    bDescriptorSubType */
+        0x00,                /*  u8    bMasterInterface0 */
+        0x01,                /*  u8    bSlaveInterface0 */
+	/* Status Descriptor */
+        0x07,                /*  u8  bLength */
+        USB_DT_ENDPOINT,     /*  u8  bDescriptorType */
+        USB_DIR_IN | 1,      /*  u8  bEndpointAddress */
+        USB_ENDPOINT_XFER_INT, /*  u8  bmAttributes */
+        STATUS_BYTECOUNT & 0xff, STATUS_BYTECOUNT >> 8, /*  le16 wMaxPacketSize */
+        1 << LOG2_STATUS_INTERVAL_MSEC, /*  u8  bInterval */
+	/* RNDIS Data Interface */
+        0x09,                /*  u8  bLength */
+        USB_DT_INTERFACE,    /*  u8  bDescriptorType */
+        0x01,                /*  u8  bInterfaceNumber */
+        0x00,                /*  u8  bAlternateSetting */
+        0x02,                /*  u8  bNumEndpoints */
+        USB_CLASS_CDC_DATA,  /*  u8  bInterfaceClass */
+        0x00,                /*  u8  bInterfaceSubClass */
+        0x00,                /*  u8  bInterfaceProtocol */
+        STRING_DATA,         /*  u8  iInterface */
+	/* Source Endpoint */
+        0x07,                /*  u8  bLength */
+        USB_DT_ENDPOINT,     /*  u8  bDescriptorType */
+        USB_DIR_IN | 2,      /*  u8  bEndpointAddress */
+        USB_ENDPOINT_XFER_BULK, /*  u8  bmAttributes */
+        0x40, 0x00,          /*  le16 wMaxPacketSize */
+        0x00,                /*  u8  bInterval */
+	/* Sink Endpoint */
+        0x07,                /*  u8  bLength */
+        USB_DT_ENDPOINT,     /*  u8  bDescriptorType */
+        USB_DIR_OUT | 2,     /*  u8  bEndpointAddress */
+        USB_ENDPOINT_XFER_BULK, /*  u8  bmAttributes */
+        0x40, 0x00,          /*  le16 wMaxPacketSize */
+        0x00                 /*  u8  bInterval */
+};
+
+static const uint8_t qemu_net_cdc_config_descriptor[] = {
+	/* Configuration Descriptor */
+	0x09,                /*  u8  bLength */
+	USB_DT_CONFIG,       /*  u8  bDescriptorType */
+        0x50, 0x00,          /*  le16 wTotalLength */
+        0x02,                /*  u8  bNumInterfaces */
+        DEV_CONFIG_VALUE,    /*  u8  bConfigurationValue */
+        STRING_CDC,          /*  u8  iConfiguration */
+        0xc0,                /*  u8  bmAttributes */
+        0x32,                /*  u8  bMaxPower */
+	/* CDC Control Interface */
+        0x09,                /*  u8  bLength */
+        USB_DT_INTERFACE,    /*  u8  bDescriptorType */
+        0x00,                /*  u8  bInterfaceNumber */
+        0x00,                /*  u8  bAlternateSetting */
+        0x01,                /*  u8  bNumEndpoints */
+        USB_CLASS_COMM,            /*  u8  bInterfaceClass */
+        USB_CDC_SUBCLASS_ETHERNET, /*  u8  bInterfaceSubClass */
+        USB_CDC_PROTO_NONE,        /*  u8  bInterfaceProtocol */
+        STRING_CONTROL,            /*  u8  iInterface */
+	/* Header Descriptor */
+        0x05,                /*  u8    bLength */
+        USB_DT_CS_INTERFACE, /*  u8    bDescriptorType */
+        USB_CDC_HEADER_TYPE, /*  u8    bDescriptorSubType */
+        0x10, 0x01,          /*  le16  bcdCDC */
+	/* Union Descriptor */
+        0x05,                /*  u8    bLength */
+        USB_DT_CS_INTERFACE, /*  u8    bDescriptorType */
+        USB_CDC_UNION_TYPE,  /*  u8    bDescriptorSubType */
+        0x00,                /*  u8    bMasterInterface0 */
+        0x01,                /*  u8    bSlaveInterface0 */
+	/* Ethernet Descriptor */
+        0x0d,                /*  u8    bLength */
+        USB_DT_CS_INTERFACE, /*  u8    bDescriptorType */
+        USB_CDC_ETHERNET_TYPE,  /*  u8    bDescriptorSubType */
+        STRING_ETHADDR,         /*  u8    iMACAddress */
+        0x00, 0x00, 0x00, 0x00, /*  le32  bmEthernetStatistics */
+        ETH_FRAME_LEN & 0xff, ETH_FRAME_LEN >> 8, /*  le16  wMaxSegmentSize */
+        0x00, 0x00,          /*  le16  wNumberMCFilters */
+        0x00,                /*  u8    bNumberPowerFilters */
+	/* Status Descriptor */
+        0x07,                /*  u8  bLength */
+        USB_DT_ENDPOINT,     /*  u8  bDescriptorType */
+        USB_DIR_IN | 1,      /*  u8  bEndpointAddress */
+        USB_ENDPOINT_XFER_INT, /*  u8  bmAttributes */
+        STATUS_BYTECOUNT & 0xff, STATUS_BYTECOUNT >> 8, /*  le16 wMaxPacketSize */
+        1 << LOG2_STATUS_INTERVAL_MSEC, /*  u8  bInterval */
+	/* CDC Data (nop) Interface */
+        0x09,                /*  u8  bLength */
+        USB_DT_INTERFACE,    /*  u8  bDescriptorType */
+        0x01,                /*  u8  bInterfaceNumber */
+        0x00,                /*  u8  bAlternateSetting */
+        0x00,                /*  u8  bNumEndpoints */
+        USB_CLASS_CDC_DATA,  /*  u8  bInterfaceClass */
+        0x00,                /*  u8  bInterfaceSubClass */
+        0x00,                /*  u8  bInterfaceProtocol */
+        0x00,                /*  u8  iInterface */
+	/* CDC Data Interface */
+        0x09,                /*  u8  bLength */
+        USB_DT_INTERFACE,    /*  u8  bDescriptorType */
+        0x01,                /*  u8  bInterfaceNumber */
+        0x01,                /*  u8  bAlternateSetting */
+        0x02,                /*  u8  bNumEndpoints */
+        USB_CLASS_CDC_DATA,  /*  u8  bInterfaceClass */
+        0x00,                /*  u8  bInterfaceSubClass */
+        0x00,                /*  u8  bInterfaceProtocol */
+        STRING_DATA,         /*  u8  iInterface */
+	/* Source Endpoint */
+        0x07,                /*  u8  bLength */
+        USB_DT_ENDPOINT,     /*  u8  bDescriptorType */
+        USB_DIR_IN | 2,      /*  u8  bEndpointAddress */
+        USB_ENDPOINT_XFER_BULK, /*  u8  bmAttributes */
+        0x40, 0x00,          /*  le16 wMaxPacketSize */
+        0x00,                /*  u8  bInterval */
+	/* Sink Endpoint */
+        0x07,                /*  u8  bLength */
+        USB_DT_ENDPOINT,     /*  u8  bDescriptorType */
+        USB_DIR_OUT | 2,     /*  u8  bEndpointAddress */
+        USB_ENDPOINT_XFER_BULK, /*  u8  bmAttributes */
+        0x40, 0x00,          /*  le16 wMaxPacketSize */
+        0x00                 /*  u8  bInterval */
+};
+
+/*
+ * RNDIS Status
+ */
+
+#define RNDIS_MAXIMUM_FRAME_SIZE        1518
+#define RNDIS_MAX_TOTAL_SIZE            1558
+
+/* Remote NDIS Versions */
+#define RNDIS_MAJOR_VERSION             1
+#define RNDIS_MINOR_VERSION             0
+
+/* Status Values */
+#define RNDIS_STATUS_SUCCESS            0x00000000U     /* Success           */
+#define RNDIS_STATUS_FAILURE            0xC0000001U     /* Unspecified error */
+#define RNDIS_STATUS_INVALID_DATA       0xC0010015U     /* Invalid data      */
+#define RNDIS_STATUS_NOT_SUPPORTED      0xC00000BBU     /* Unsupported request */
+#define RNDIS_STATUS_MEDIA_CONNECT      0x4001000BU     /* Device connected  */
+#define RNDIS_STATUS_MEDIA_DISCONNECT   0x4001000CU     /* Device disconnected */
+
+/* Message Set for Connectionless (802.3) Devices */
+#define REMOTE_NDIS_PACKET_MSG          0x00000001U
+#define REMOTE_NDIS_INITIALIZE_MSG      0x00000002U     /* Initialize device */
+#define REMOTE_NDIS_HALT_MSG            0x00000003U
+#define REMOTE_NDIS_QUERY_MSG           0x00000004U
+#define REMOTE_NDIS_SET_MSG             0x00000005U
+#define REMOTE_NDIS_RESET_MSG           0x00000006U
+#define REMOTE_NDIS_INDICATE_STATUS_MSG 0x00000007U
+#define REMOTE_NDIS_KEEPALIVE_MSG       0x00000008U
+
+/* Message completion */
+#define REMOTE_NDIS_INITIALIZE_CMPLT    0x80000002U
+#define REMOTE_NDIS_QUERY_CMPLT         0x80000004U
+#define REMOTE_NDIS_SET_CMPLT           0x80000005U
+#define REMOTE_NDIS_RESET_CMPLT         0x80000006U
+#define REMOTE_NDIS_KEEPALIVE_CMPLT     0x80000008U
+
+/* Device Flags */
+#define RNDIS_DF_CONNECTIONLESS         0x00000001U
+#define RNDIS_DF_CONNECTION_ORIENTED    0x00000002U
+
+#define RNDIS_MEDIUM_802_3              0x00000000U
+
+/* from drivers/net/sk98lin/h/skgepnmi.h */
+#define OID_PNP_CAPABILITIES                    0xFD010100
+#define OID_PNP_SET_POWER                       0xFD010101
+#define OID_PNP_QUERY_POWER                     0xFD010102
+#define OID_PNP_ADD_WAKE_UP_PATTERN             0xFD010103
+#define OID_PNP_REMOVE_WAKE_UP_PATTERN          0xFD010104
+#define OID_PNP_ENABLE_WAKE_UP                  0xFD010106
+
+typedef struct rndis_init_msg_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  RequestID;
+        __le32  MajorVersion;
+        __le32  MinorVersion;
+        __le32  MaxTransferSize;
+} rndis_init_msg_type;
+
+typedef struct rndis_init_cmplt_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  RequestID;
+        __le32  Status;
+        __le32  MajorVersion;
+        __le32  MinorVersion;
+        __le32  DeviceFlags;
+        __le32  Medium;
+        __le32  MaxPacketsPerTransfer;
+        __le32  MaxTransferSize;
+        __le32  PacketAlignmentFactor;
+        __le32  AFListOffset;
+        __le32  AFListSize;
+} rndis_init_cmplt_type;
+
+typedef struct rndis_halt_msg_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  RequestID;
+} rndis_halt_msg_type;
+
+typedef struct rndis_query_msg_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  RequestID;
+        __le32  OID;
+        __le32  InformationBufferLength;
+        __le32  InformationBufferOffset;
+        __le32  DeviceVcHandle;
+} rndis_query_msg_type;
+
+typedef struct rndis_query_cmplt_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  RequestID;
+        __le32  Status;
+        __le32  InformationBufferLength;
+        __le32  InformationBufferOffset;
+} rndis_query_cmplt_type;
+
+typedef struct rndis_set_msg_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  RequestID;
+        __le32  OID;
+        __le32  InformationBufferLength;
+        __le32  InformationBufferOffset;
+        __le32  DeviceVcHandle;
+} rndis_set_msg_type;
+
+typedef struct rndis_set_cmplt_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  RequestID;
+        __le32  Status;
+} rndis_set_cmplt_type;
+
+typedef struct rndis_reset_msg_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  Reserved;
+} rndis_reset_msg_type;
+
+typedef struct rndis_reset_cmplt_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  Status;
+        __le32  AddressingReset;
+} rndis_reset_cmplt_type;
+
+typedef struct rndis_indicate_status_msg_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  Status;
+        __le32  StatusBufferLength;
+        __le32  StatusBufferOffset;
+} rndis_indicate_status_msg_type;
+
+typedef struct rndis_keepalive_msg_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  RequestID;
+} rndis_keepalive_msg_type;
+
+typedef struct rndis_keepalive_cmplt_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  RequestID;
+        __le32  Status;
+} rndis_keepalive_cmplt_type;
+
+struct rndis_packet_msg_type
+{
+        __le32  MessageType;
+        __le32  MessageLength;
+        __le32  DataOffset;
+        __le32  DataLength;
+        __le32  OOBDataOffset;
+        __le32  OOBDataLength;
+        __le32  NumOOBDataElements;
+        __le32  PerPacketInfoOffset;
+        __le32  PerPacketInfoLength;
+        __le32  VcHandle;
+        __le32  Reserved;
+};
+
+struct rndis_config_parameter
+{
+        __le32  ParameterNameOffset;
+        __le32  ParameterNameLength;
+        __le32  ParameterType;
+        __le32  ParameterValueOffset;
+        __le32  ParameterValueLength;
+};
+
+/* implementation specific */
+enum rndis_state
+{
+        RNDIS_UNINITIALIZED,
+        RNDIS_INITIALIZED,
+        RNDIS_DATA_INITIALIZED,
+};
+
+static const uint32_t oid_supported_list[] =
+{
+        /* the general stuff */
+        OID_GEN_SUPPORTED_LIST,
+        OID_GEN_HARDWARE_STATUS,
+        OID_GEN_MEDIA_SUPPORTED,
+        OID_GEN_MEDIA_IN_USE,
+        OID_GEN_MAXIMUM_FRAME_SIZE,
+        OID_GEN_LINK_SPEED,
+        OID_GEN_TRANSMIT_BLOCK_SIZE,
+        OID_GEN_RECEIVE_BLOCK_SIZE,
+        OID_GEN_VENDOR_ID,
+        OID_GEN_VENDOR_DESCRIPTION,
+        OID_GEN_VENDOR_DRIVER_VERSION,
+        OID_GEN_CURRENT_PACKET_FILTER,
+        OID_GEN_MAXIMUM_TOTAL_SIZE,
+        OID_GEN_MEDIA_CONNECT_STATUS,
+        OID_GEN_PHYSICAL_MEDIUM,
+        /* the statistical stuff */
+        OID_GEN_XMIT_OK,
+        OID_GEN_RCV_OK,
+        OID_GEN_XMIT_ERROR,
+        OID_GEN_RCV_ERROR,
+        OID_GEN_RCV_NO_BUFFER,
+        /* mandatory 802.3 */
+        /* the general stuff */
+        OID_802_3_PERMANENT_ADDRESS,
+        OID_802_3_CURRENT_ADDRESS,
+        OID_802_3_MULTICAST_LIST,
+        OID_802_3_MAC_OPTIONS,
+        OID_802_3_MAXIMUM_LIST_SIZE,
+
+        /* the statistical stuff */
+        OID_802_3_RCV_ERROR_ALIGNMENT,
+        OID_802_3_XMIT_ONE_COLLISION,
+        OID_802_3_XMIT_MORE_COLLISIONS
+};
+
+struct rndis_response {
+	TAILQ_ENTRY(rndis_response) entries;
+	uint32_t length;
+	uint8_t buf[0];
+};
+
+
+typedef struct USBNetState {
+	USBDevice dev;
+
+	unsigned int rndis;
+	enum rndis_state rndis_state;
+        uint32_t medium;
+        uint32_t speed;
+        uint32_t media_state;
+	uint16_t filter;
+       	uint32_t vendorid;
+	uint8_t mac[6];
+
+	unsigned int out_ptr;
+	uint8_t out_buf[2048];
+
+	USBPacket *inpkt;
+	unsigned int in_ptr, in_len;
+	uint8_t in_buf[2048];	
+
+	VLANClientState *vc;
+	TAILQ_HEAD(rndis_resp_head, rndis_response) rndis_resp;
+} USBNetState;
+
+
+static int ndis_query(USBNetState *s, uint32_t oid, uint8_t *inbuf, unsigned int inlen, uint8_t *outbuf)
+{
+	switch (oid) {
+        /* general oids (table 4-1) */
+        /* mandatory */
+        case OID_GEN_SUPPORTED_LIST:
+	{
+                unsigned int i, count = sizeof(oid_supported_list) / sizeof(uint32_t);
+                for (i = 0; i < count; i++)
+                        ((__le32 *)outbuf)[i] = cpu_to_le32(oid_supported_list[i]);
+                return sizeof(oid_supported_list);
+	}
+
+        /* mandatory */
+	case OID_GEN_HARDWARE_STATUS:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+		
+        /* mandatory */
+        case OID_GEN_MEDIA_SUPPORTED:
+		*((__le32 *)outbuf) = cpu_to_le32(s->medium);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_MEDIA_IN_USE:
+		*((__le32 *)outbuf) = cpu_to_le32(s->medium);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_MAXIMUM_FRAME_SIZE:
+		*((__le32 *)outbuf) = cpu_to_le32(ETH_FRAME_LEN);
+		return sizeof(__le32);
+		
+        /* mandatory */
+        case OID_GEN_LINK_SPEED:
+		*((__le32 *)outbuf) = cpu_to_le32(s->speed);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_TRANSMIT_BLOCK_SIZE:
+		*((__le32 *)outbuf) = cpu_to_le32(ETH_FRAME_LEN);
+		return sizeof(__le32);
+		
+        /* mandatory */
+        case OID_GEN_RECEIVE_BLOCK_SIZE:
+		*((__le32 *)outbuf) = cpu_to_le32(ETH_FRAME_LEN);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_VENDOR_ID:
+		*((__le32 *)outbuf) = cpu_to_le32(0x1234);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_VENDOR_DESCRIPTION:
+		strcpy(outbuf, "QEMU USB RNDIS Net");
+		return strlen(outbuf) + 1;
+
+       case OID_GEN_VENDOR_DRIVER_VERSION:
+		*((__le32 *)outbuf) = cpu_to_le32(1);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_CURRENT_PACKET_FILTER:
+		*((__le32 *)outbuf) = cpu_to_le32(s->filter);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_MAXIMUM_TOTAL_SIZE:
+		*((__le32 *)outbuf) = cpu_to_le32(RNDIS_MAX_TOTAL_SIZE);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_MEDIA_CONNECT_STATUS:
+		*((__le32 *)outbuf) = cpu_to_le32(s->media_state);
+		return sizeof(__le32);
+
+        case OID_GEN_PHYSICAL_MEDIUM:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+
+        case OID_GEN_MAC_OPTIONS:
+		*((__le32 *)outbuf) = cpu_to_le32(NDIS_MAC_OPTION_RECEIVE_SERIALIZED | NDIS_MAC_OPTION_FULL_DUPLEX);
+		return sizeof(__le32);
+
+        /* statistics OIDs (table 4-2) */
+        /* mandatory */
+        case OID_GEN_XMIT_OK:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_RCV_OK:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_XMIT_ERROR:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_RCV_ERROR:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_GEN_RCV_NO_BUFFER:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+
+        /* ieee802.3 OIDs (table 4-3) */
+        /* mandatory */
+        case OID_802_3_PERMANENT_ADDRESS:
+		memcpy(outbuf, s->mac, 6);
+		return 6;
+
+        /* mandatory */
+        case OID_802_3_CURRENT_ADDRESS:
+		memcpy(outbuf, s->mac, 6);
+		return 6;
+
+        /* mandatory */
+        case OID_802_3_MULTICAST_LIST:
+		*((__le32 *)outbuf) = cpu_to_le32(0xE0000000);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_802_3_MAXIMUM_LIST_SIZE:
+		*((__le32 *)outbuf) = cpu_to_le32(1);
+		return sizeof(__le32);
+
+        case OID_802_3_MAC_OPTIONS:
+		return 0;
+
+        /* ieee802.3 statistics OIDs (table 4-4) */
+        /* mandatory */
+        case OID_802_3_RCV_ERROR_ALIGNMENT:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_802_3_XMIT_ONE_COLLISION:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+
+        /* mandatory */
+        case OID_802_3_XMIT_MORE_COLLISIONS:
+		*((__le32 *)outbuf) = cpu_to_le32(0);
+		return sizeof(__le32);
+
+	default:
+		fprintf(stderr, "usbnet: unknown OID 0x%08x\n", oid);
+		return 0;
+	}
+	return -1;
+}
+
+static int ndis_set(USBNetState *s, uint32_t oid, uint8_t *inbuf, unsigned int inlen)
+{
+	switch (oid) {
+        case OID_GEN_CURRENT_PACKET_FILTER:
+		s->filter = le32_to_cpup((__le32 *)inbuf);
+		if (s->filter) {
+			s->rndis_state = RNDIS_DATA_INITIALIZED;
+		} else {
+			s->rndis_state = RNDIS_INITIALIZED;
+		}
+		return 0;
+
+        case OID_802_3_MULTICAST_LIST:
+		return 0;
+
+	}
+	return -1;
+}
+
+static int rndis_get_response(USBNetState *s, uint8_t *buf)
+{
+	int ret = 0;
+	struct rndis_response *r = s->rndis_resp.tqh_first;
+	if (!r)
+		return ret;
+	TAILQ_REMOVE(&s->rndis_resp, r, entries);
+	ret = r->length;
+	memcpy(buf, r->buf, r->length);
+	qemu_free(r);
+	return ret;
+}
+
+static void *rndis_queue_response(USBNetState *s, unsigned int length)
+{
+	struct rndis_response *r = qemu_mallocz(sizeof(struct rndis_response) + length);
+	if (!r)
+		return NULL;
+	TAILQ_INSERT_TAIL(&s->rndis_resp, r, entries);
+	r->length = length;
+	return &r->buf[0];
+}
+
+static void rndis_clear_responsequeue(USBNetState *s)
+{
+	struct rndis_response *r;
+	
+	while ((r = s->rndis_resp.tqh_first)) {
+		TAILQ_REMOVE(&s->rndis_resp, r, entries);
+		qemu_free(r);
+	}
+}
+
+static int rndis_init_response(USBNetState *s, rndis_init_msg_type *buf)
+{
+	rndis_init_cmplt_type *resp = rndis_queue_response(s, sizeof(rndis_init_cmplt_type));
+	if (!resp)
+		return USB_RET_STALL;
+	resp->MessageType = cpu_to_le32(REMOTE_NDIS_INITIALIZE_CMPLT);
+        resp->MessageLength = cpu_to_le32(sizeof(rndis_init_cmplt_type));
+        resp->RequestID = buf->RequestID; /* Still LE in msg buffer */
+        resp->Status = cpu_to_le32(RNDIS_STATUS_SUCCESS);
+        resp->MajorVersion = cpu_to_le32(RNDIS_MAJOR_VERSION);
+        resp->MinorVersion = cpu_to_le32(RNDIS_MINOR_VERSION);
+        resp->DeviceFlags = cpu_to_le32(RNDIS_DF_CONNECTIONLESS);
+        resp->Medium = cpu_to_le32(RNDIS_MEDIUM_802_3);
+        resp->MaxPacketsPerTransfer = cpu_to_le32(1);
+        resp->MaxTransferSize = cpu_to_le32(ETH_FRAME_LEN + sizeof(struct rndis_packet_msg_type) + 22);
+        resp->PacketAlignmentFactor = cpu_to_le32(0);
+        resp->AFListOffset = cpu_to_le32(0);
+        resp->AFListSize = cpu_to_le32(0);
+        return 0;
+}
+
+static int rndis_query_response(USBNetState *s, rndis_query_msg_type *buf, unsigned int length)
+{
+        rndis_query_cmplt_type *resp;
+	uint8_t infobuf[sizeof(oid_supported_list)]; /* oid_supported_list is the largest data reply */
+	uint32_t bufoffs, buflen;
+	int infobuflen;
+	unsigned int resplen;
+	bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+	buflen = le32_to_cpu(buf->InformationBufferLength);
+	if (bufoffs + buflen > length)
+		return USB_RET_STALL;
+	infobuflen = ndis_query(s, le32_to_cpu(buf->OID), bufoffs + (uint8_t *)buf, buflen, infobuf);
+	resplen = sizeof(rndis_query_cmplt_type) + ((infobuflen < 0) ? 0 : infobuflen);
+	resp = rndis_queue_response(s, resplen);
+	if (!resp)
+		return USB_RET_STALL;
+        resp->MessageType = cpu_to_le32(REMOTE_NDIS_QUERY_CMPLT);
+        resp->RequestID = buf->RequestID; /* Still LE in msg buffer */
+	resp->MessageLength = cpu_to_le32(resplen);
+	if (infobuflen < 0) {
+		/* OID not supported */
+                resp->Status = cpu_to_le32(RNDIS_STATUS_NOT_SUPPORTED);
+		resp->InformationBufferLength = cpu_to_le32(0);
+                resp->InformationBufferOffset = cpu_to_le32(0);
+		return 0;
+	}
+	resp->Status = cpu_to_le32(RNDIS_STATUS_SUCCESS);
+	resp->InformationBufferOffset = cpu_to_le32(infobuflen ? sizeof(rndis_query_cmplt_type) - 8 : 0);
+	resp->InformationBufferLength = cpu_to_le32(infobuflen);
+	memcpy(resp + 1, infobuf, infobuflen);
+	return 0;
+}
+
+static int rndis_set_response(USBNetState *s, rndis_set_msg_type *buf, unsigned int length)
+{
+        rndis_set_cmplt_type *resp = rndis_queue_response(s, sizeof(rndis_set_cmplt_type));
+	uint32_t bufoffs, buflen;
+	if (!resp)
+		return USB_RET_STALL;
+	bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+	buflen = le32_to_cpu(buf->InformationBufferLength);
+	if (bufoffs + buflen > length)
+		return USB_RET_STALL;
+	int ret = ndis_set(s, le32_to_cpu(buf->OID), bufoffs + (uint8_t *)buf, buflen);
+        resp->MessageType = cpu_to_le32(REMOTE_NDIS_SET_CMPLT);
+        resp->RequestID = buf->RequestID; /* Still LE in msg buffer */
+	resp->MessageLength = cpu_to_le32(sizeof(rndis_set_cmplt_type));
+	if (ret < 0) {
+		/* OID not supported */
+                resp->Status = cpu_to_le32(RNDIS_STATUS_NOT_SUPPORTED);
+		return 0;
+	}
+	resp->Status = cpu_to_le32(RNDIS_STATUS_SUCCESS);
+	return 0;
+}
+
+static int rndis_reset_response(USBNetState *s, rndis_reset_msg_type *buf)
+{
+        rndis_reset_cmplt_type *resp = rndis_queue_response(s, sizeof(rndis_reset_cmplt_type));
+	if (!resp)
+		return USB_RET_STALL;
+        resp->MessageType = cpu_to_le32(REMOTE_NDIS_RESET_CMPLT);
+        resp->MessageLength = cpu_to_le32(sizeof(rndis_reset_cmplt_type));
+        resp->Status = cpu_to_le32(RNDIS_STATUS_SUCCESS);
+        /* resent information */
+        resp->AddressingReset = cpu_to_le32(1);
+	return 0;
+}
+
+static int rndis_keepalive_response(USBNetState *s, rndis_keepalive_msg_type *buf)
+{
+        rndis_keepalive_cmplt_type *resp = rndis_queue_response(s, sizeof(rndis_keepalive_cmplt_type));
+	if (!resp)
+		return USB_RET_STALL;
+        resp->MessageType = cpu_to_le32(REMOTE_NDIS_KEEPALIVE_CMPLT);
+        resp->MessageLength = cpu_to_le32(sizeof(rndis_keepalive_cmplt_type));
+        resp->RequestID = buf->RequestID; /* Still LE in msg buffer */
+        resp->Status = cpu_to_le32(RNDIS_STATUS_SUCCESS);
+	return 0;
+}
+
+static int rndis_parse(USBNetState *s, uint8_t *data, int length)
+{
+        uint32_t MsgType, MsgLength;
+        __le32 *tmp = (__le32 *)data;
+        MsgType = le32_to_cpup(tmp++);
+        MsgLength = le32_to_cpup(tmp++);
+	
+	switch (MsgType) {
+	case REMOTE_NDIS_INITIALIZE_MSG:
+		s->rndis_state = RNDIS_INITIALIZED;
+		return rndis_init_response(s, (rndis_init_msg_type *)data);
+
+        case REMOTE_NDIS_HALT_MSG:
+		s->rndis_state = RNDIS_UNINITIALIZED;
+                return 0;
+
+	case REMOTE_NDIS_QUERY_MSG:
+                return rndis_query_response(s, (rndis_query_msg_type *)data, length);
+
+        case REMOTE_NDIS_SET_MSG:
+                return rndis_set_response(s, (rndis_set_msg_type *)data, length);
+
+        case REMOTE_NDIS_RESET_MSG:
+		rndis_clear_responsequeue(s);
+		s->out_ptr = s->in_ptr = s->in_len = 0;
+                return rndis_reset_response(s, (rndis_reset_msg_type *)data);
+
+        case REMOTE_NDIS_KEEPALIVE_MSG:
+                /* For USB: host does this every 5 seconds */
+                return rndis_keepalive_response(s, (rndis_keepalive_msg_type *)data);	
+	}
+	return USB_RET_STALL;
+}
+
+static void usb_net_handle_reset(USBDevice *dev)
+{
+}
+
+static int usb_net_handle_control(USBDevice *dev, int request, int value,
+                                  int index, int length, uint8_t *data)
+{
+	USBNetState *s = (USBNetState *)dev;
+	int ret = 0;
+
+	switch(request) {
+	case DeviceRequest | USB_REQ_GET_STATUS:
+		data[0] = (1 << USB_DEVICE_SELF_POWERED) |
+			(dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
+		data[1] = 0x00;
+		ret = 2;
+		break;
+
+	case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
+		if (value == USB_DEVICE_REMOTE_WAKEUP) {
+			dev->remote_wakeup = 0;
+		} else {
+			goto fail;
+		}
+		ret = 0;
+		break;
+
+	case DeviceOutRequest | USB_REQ_SET_FEATURE:
+		if (value == USB_DEVICE_REMOTE_WAKEUP) {
+			dev->remote_wakeup = 1;
+		} else {
+			goto fail;
+		}
+		ret = 0;
+		break;
+
+	case DeviceOutRequest | USB_REQ_SET_ADDRESS:
+		dev->addr = value;
+		ret = 0;
+		break;
+
+	case ClassInterfaceOutRequest | USB_CDC_SEND_ENCAPSULATED_COMMAND:
+		if (!s->rndis || value || index != 0)
+			goto fail;
+#if TRAFFIC_DEBUG
+		{
+			unsigned int i;
+			fprintf(stderr, "SEND_ENCAPSULATED_COMMAND:");
+			for (i = 0; i < length; i++) {
+				if (!(i & 15))
+					fprintf(stderr, "\n%04X:", i);
+				fprintf(stderr, " %02X", data[i]);
+			}
+			fprintf(stderr, "\n\n");
+		}
+#endif
+		ret = rndis_parse(s, data, length);
+		break;
+
+	case ClassInterfaceRequest | USB_CDC_GET_ENCAPSULATED_RESPONSE:
+		if (!s->rndis || value || index != 0)
+			goto fail;
+		ret = rndis_get_response(s, data);
+		if (!ret) {
+			data[0] = 0;
+			ret = 1;
+		}
+#if TRAFFIC_DEBUG
+		{
+			unsigned int i;
+			fprintf(stderr, "GET_ENCAPSULATED_RESPONSE:");
+			for (i = 0; i < ret; i++) {
+				if (!(i & 15))
+					fprintf(stderr, "\n%04X:", i);
+				fprintf(stderr, " %02X", data[i]);
+			}
+			fprintf(stderr, "\n\n");
+		}
+#endif
+		break;
+
+	case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
+		switch(value >> 8) {
+		case USB_DT_DEVICE:
+			ret = sizeof(qemu_net_dev_descriptor);
+			memcpy(data, qemu_net_dev_descriptor, ret);
+			break;
+
+		case USB_DT_CONFIG:
+			switch (value & 0xff) {
+			case 0:
+				ret = sizeof(qemu_net_rndis_config_descriptor);
+				memcpy(data, qemu_net_rndis_config_descriptor,
+						ret);
+				break;
+
+			case 1:
+				ret = sizeof(qemu_net_cdc_config_descriptor);
+				memcpy(data, qemu_net_cdc_config_descriptor,
+						ret);
+				break;
+
+			default:
+				goto fail;
+			}
+			data[2] = ret & 0xff;
+			data[3] = ret >> 8;
+			break;
+
+		case USB_DT_STRING:
+			switch (value & 0xff) {
+			case 0:
+				/* language ids */
+				data[0] = 4;
+				data[1] = 3;
+				data[2] = 0x09;
+				data[3] = 0x04;
+				ret = 4;
+				break;
+				
+			case STRING_MANUFACTURER:
+				ret = set_usb_string(data, "QEMU");
+				break;
+
+			case STRING_PRODUCT:
+				ret = set_usb_string(data, "RNDIS/QEMU USB Network Device");
+				break;
+
+			case STRING_ETHADDR:
+				ret = set_usb_string(data, "400102030405");
+				break;
+
+			case STRING_DATA:
+				ret = set_usb_string(data, "QEMU USB Net Data Interface");
+				break;
+
+			case STRING_CONTROL:
+				ret = set_usb_string(data, "QEMU USB Net Control Interface");
+				break;
+
+			case STRING_RNDIS_CONTROL:
+				ret = set_usb_string(data, "QEMU USB Net RNDIS Control Interface");
+				break;
+
+			case STRING_CDC:
+				ret = set_usb_string(data, "QEMU USB Net CDC");
+				break;
+
+			case STRING_SUBSET:
+				ret = set_usb_string(data, "QEMU USB Net Subset");
+				break;
+
+			case STRING_RNDIS:
+				ret = set_usb_string(data, "QEMU USB Net RNDIS");
+				break;
+
+			case STRING_SERIALNUMBER:
+				ret = set_usb_string(data, "1");
+				break;
+
+			default:
+				goto fail;
+			}
+			break;
+
+		default:
+			goto fail;
+		}
+		break;
+
+	case DeviceRequest | USB_REQ_GET_CONFIGURATION:
+		data[0] = s->rndis ? DEV_RNDIS_CONFIG_VALUE : DEV_CONFIG_VALUE;
+		ret = 1;
+		break;
+
+	case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
+		switch (value & 0xff) {
+		case DEV_CONFIG_VALUE:
+			s->rndis = 0;
+			break;
+
+		case DEV_RNDIS_CONFIG_VALUE:
+			s->rndis = 1;
+			break;
+
+		default:
+			goto fail;
+		}
+		ret = 0;
+		break;
+
+	case DeviceRequest | USB_REQ_GET_INTERFACE:
+	case InterfaceRequest | USB_REQ_GET_INTERFACE:
+		data[0] = 0;
+		ret = 1;
+		break;
+
+	case DeviceOutRequest | USB_REQ_SET_INTERFACE:
+	case InterfaceOutRequest | USB_REQ_SET_INTERFACE:
+		ret = 0;
+		break;
+
+	default:
+	fail:
+		fprintf(stderr, "usbnet: failed control transaction: request 0x%x value 0x%x index 0x%x length 0x%x\n",
+			request, value, index, length);
+		ret = USB_RET_STALL;
+		break;
+	}
+	return ret;
+}
+
+static int usb_net_handle_statusin(USBNetState *s, USBPacket *p)
+{
+	int ret = 8;
+	if (p->len < 8)
+		return USB_RET_STALL;
+	((__le32 *)p->data)[0] = cpu_to_le32(1);
+	((__le32 *)p->data)[1] = cpu_to_le32(0);
+	if (!s->rndis_resp.tqh_first)
+		ret = USB_RET_NAK;
+#if DEBUG
+	fprintf(stderr, "usbnet: interrupt poll len %u return %d", p->len, ret);
+	{
+		int i;
+		fprintf(stderr, ":");
+		for (i = 0; i < ret; i++) {
+			if (!(i & 15))
+				fprintf(stderr, "\n%04X:", i);
+			fprintf(stderr, " %02X", p->data[i]);
+		}
+		fprintf(stderr, "\n\n");
+	}
+#endif
+	return ret;
+}
+
+static int usb_net_handle_datain(USBNetState *s, USBPacket *p)
+{
+	int ret = USB_RET_NAK;
+
+	if (s->in_ptr > s->in_len) {
+		s->in_ptr = s->in_len = 0;
+		ret = USB_RET_NAK;
+		return ret;
+	}
+	if (!s->in_len) {
+		ret = USB_RET_NAK;
+		return ret;
+	}
+	ret = s->in_len - s->in_ptr;
+	if (ret > p->len)
+		ret = p->len;
+	memcpy(p->data, &s->in_buf[s->in_ptr], ret);
+	s->in_ptr += ret;
+	if (s->in_ptr >= s->in_len && (s->rndis || (s->in_len & (64-1)) || !ret)) {
+		/* no short packet necessary */
+		s->in_ptr = s->in_len = 0;
+	}
+#if TRAFFIC_DEBUG
+	fprintf(stderr, "usbnet: data in len %u return %d", p->len, ret);
+	{
+		int i;
+		fprintf(stderr, ":");
+		for (i = 0; i < ret; i++) {
+			if (!(i & 15))
+				fprintf(stderr, "\n%04X:", i);
+			fprintf(stderr, " %02X", p->data[i]);
+		}
+		fprintf(stderr, "\n\n");
+	}
+#endif
+	return ret;
+}
+
+static int usb_net_handle_dataout(USBNetState *s, USBPacket *p)
+{
+	int ret = p->len;
+	int sz = sizeof(s->out_buf) - s->out_ptr;
+	struct rndis_packet_msg_type *msg = (struct rndis_packet_msg_type *)s->out_buf;
+	uint32_t len;
+
+#if TRAFFIC_DEBUG
+	fprintf(stderr, "usbnet: data out len %u\n", p->len);
+	{
+		int i;
+		fprintf(stderr, ":");
+		for (i = 0; i < p->len; i++) {
+			if (!(i & 15))
+				fprintf(stderr, "\n%04X:", i);
+			fprintf(stderr, " %02X", p->data[i]);
+		}
+		fprintf(stderr, "\n\n");
+	}
+#endif
+	if (sz > ret)
+		sz = ret;
+	memcpy(&s->out_buf[s->out_ptr], p->data, sz);
+	s->out_ptr += sz;
+	if (!s->rndis) {
+		if (ret < 64) {
+			qemu_send_packet(s->vc, s->out_buf, s->out_ptr);
+			s->out_ptr = 0;
+		}
+		return ret;
+	}
+	len = le32_to_cpu(msg->MessageLength);
+	if (s->out_ptr < 8 || s->out_ptr < len)
+		return ret;
+	if (le32_to_cpu(msg->MessageType) == REMOTE_NDIS_PACKET_MSG) {
+		uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
+		uint32_t size = le32_to_cpu(msg->DataLength);
+		if (offs + size <= len)
+			qemu_send_packet(s->vc, s->out_buf + offs, size);
+	}
+	s->out_ptr -= len;
+	memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
+	return ret;
+}
+
+static int usb_net_handle_data(USBDevice *dev, USBPacket *p)
+{
+	USBNetState *s = (USBNetState *)dev;
+	int ret = 0;
+
+	switch(p->pid) {
+	case USB_TOKEN_IN:
+		switch (p->devep) {
+		case 1:
+			ret = usb_net_handle_statusin(s, p);
+			break;
+
+		case 2:
+			ret = usb_net_handle_datain(s, p);
+			break;
+
+		default:
+			goto fail;
+		}
+		break;
+
+	case USB_TOKEN_OUT:
+		switch (p->devep) {
+		case 2:
+			ret = usb_net_handle_dataout(s, p);
+			break;
+
+		default:
+			goto fail;
+		}
+		break;
+
+	default:
+	fail:
+		ret = USB_RET_STALL;
+		break;
+	}
+	if (ret == USB_RET_STALL)
+		fprintf(stderr, "usbnet: failed data transaction: pid 0x%x ep 0x%x len 0x%x\n", p->pid, p->devep, p->len);
+	return ret;
+}
+
+static void usbnet_receive(void *opaque, const uint8_t *buf, int size)
+{
+	USBNetState *s = opaque;
+
+	if (s->rndis) {
+		struct rndis_packet_msg_type *msg = (struct rndis_packet_msg_type *)s->in_buf;
+		if (!s->rndis_state == RNDIS_DATA_INITIALIZED)
+			return;
+		if (size + sizeof(struct rndis_packet_msg_type) > sizeof(s->in_buf))
+			return;
+		memset(msg, 0, sizeof(struct rndis_packet_msg_type));
+		msg->MessageType = cpu_to_le32(REMOTE_NDIS_PACKET_MSG);
+		msg->MessageLength = cpu_to_le32(size + sizeof(struct rndis_packet_msg_type));
+		msg->DataOffset = cpu_to_le32(sizeof(struct rndis_packet_msg_type) - 8);
+		msg->DataLength = cpu_to_le32(size);
+		//msg->OOBDataOffset;
+		//msg->OOBDataLength;
+		//msg->NumOOBDataElements;
+		//msg->PerPacketInfoOffset;
+		//msg->PerPacketInfoLength;
+		//msg->VcHandle;
+		//msg->Reserved;
+		memcpy(msg + 1, buf, size);
+		s->in_len = size + sizeof(struct rndis_packet_msg_type);
+	} else {
+		if (size > sizeof(s->in_buf))
+			return;
+		memcpy(s->in_buf, buf, size);
+		s->in_len = size;
+	}
+	s->in_ptr = 0;
+}
+
+static int usbnet_can_receive(void *opaque)
+{
+	USBNetState *s = opaque;
+
+	if (s->rndis && !s->rndis_state == RNDIS_DATA_INITIALIZED)
+		return 1;
+	return !s->in_len;
+}
+
+static void usb_net_handle_destroy(USBDevice *dev)
+{
+	USBNetState *s = (USBNetState *)dev;
+	rndis_clear_responsequeue(s);
+	qemu_free(s);
+}
+
+USBDevice *usb_net_init(NICInfo *nd)
+{
+	USBNetState *s;
+
+	s = qemu_mallocz(sizeof(USBNetState));
+	if (!s)
+		return NULL;
+	s->dev.speed = USB_SPEED_FULL;
+	s->dev.handle_packet = usb_generic_handle_packet;
+
+	s->dev.handle_reset = usb_net_handle_reset;
+	s->dev.handle_control = usb_net_handle_control;
+	s->dev.handle_data = usb_net_handle_data;
+	s->dev.handle_destroy = usb_net_handle_destroy;
+
+	s->rndis = 1;
+	s->rndis_state = RNDIS_UNINITIALIZED;
+        s->medium = NDIS_MEDIUM_802_3;
+        s->speed = 1000000; /* 100MBps, in 100Bps units */
+        s->media_state = NDIS_MEDIA_STATE_CONNECTED;
+	s->filter = 0;
+        s->vendorid = 0x1234;
+	memcpy(s->mac, nd->macaddr, 6);
+	TAILQ_INIT(&s->rndis_resp);
+
+	pstrcpy(s->dev.devname, sizeof(s->dev.devname), "QEMU USB Network Interface");
+	s->vc = qemu_new_vlan_client(nd->vlan, usbnet_receive, usbnet_can_receive, s);
+	snprintf(s->vc->info_str, sizeof(s->vc->info_str),
+		 "usbnet macaddr=%02x:%02x:%02x:%02x:%02x:%02x",
+		 s->mac[0], s->mac[1], s->mac[2],
+		 s->mac[3], s->mac[4], s->mac[5]);
+	fprintf(stderr, "usbnet: initialized mac %02x:%02x:%02x:%02x:%02x:%02x\n",
+		s->mac[0], s->mac[1], s->mac[2],
+		s->mac[3], s->mac[4], s->mac[5]);
+	return (USBDevice *)s;
+}
diff -urN 4242/Makefile qemu-omap/Makefile
--- 4242/Makefile	2008-04-24 20:17:05.000000000 +0100
+++ qemu-omap/Makefile	2008-04-23 09:57:55.000000000 +0100
@@ -55,7 +55,8 @@
 OBJS+=tmp105.o
 OBJS+=scsi-disk.o cdrom.o
 OBJS+=scsi-generic.o
-OBJS+=usb.o usb-hub.o usb-linux.o usb-hid.o usb-msd.o usb-wacom.o usb-serial.o
+OBJS+=usb.o usb-hub.o usb-linux.o usb-hid.o usb-msd.o usb-net.o
+OBJS+=usb-wacom.o usb-serial.o
 OBJS+=sd.o ssi-sd.o
 
 ifdef CONFIG_BRLAPI
diff -urN 4242/softmmu_template.h qemu-omap/softmmu_template.h
--- 4242/softmmu_template.h	2008-04-24 18:11:49.000000000 +0100
+++ qemu-omap/softmmu_template.h	2008-04-23 09:57:56.000000000 +0100
@@ -51,12 +51,15 @@
                                                         int mmu_idx,
                                                         void *retaddr);
 static inline DATA_TYPE glue(io_read, SUFFIX)(target_phys_addr_t physaddr,
-                                              target_ulong tlb_addr)
+                                              target_ulong tlb_addr,
+                                              target_ulong tlb_io)
 {
     DATA_TYPE res;
     int index;
 
-    index = (tlb_addr >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
+    index = (tlb_addr & ~TARGET_PAGE_MASK) >> IO_MEM_SHIFT;
+    if (index > 4)
+        index = (tlb_io >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
 #if SHIFT <= 2
     res = io_mem_read[index][SHIFT](io_mem_opaque[index], physaddr);
 #else
@@ -95,7 +98,9 @@
             /* IO access */
             if ((addr & (DATA_SIZE - 1)) != 0)
                 goto do_unaligned_access;
-            res = glue(io_read, SUFFIX)(physaddr, tlb_addr);
+            res = glue(io_read, SUFFIX)(physaddr, tlb_addr,
+                                        env->tlb_table[mmu_idx]
+                                        [index].addr_code);
         } else if (((addr & ~TARGET_PAGE_MASK) + DATA_SIZE - 1) >= TARGET_PAGE_SIZE) {
             /* slow unaligned access (it spans two pages or IO) */
         do_unaligned_access:
@@ -147,7 +152,9 @@
             /* IO access */
             if ((addr & (DATA_SIZE - 1)) != 0)
                 goto do_unaligned_access;
-            res = glue(io_read, SUFFIX)(physaddr, tlb_addr);
+            res = glue(io_read, SUFFIX)(physaddr, tlb_addr,
+                                        env->tlb_table[mmu_idx]
+                                        [index].addr_code);
         } else if (((addr & ~TARGET_PAGE_MASK) + DATA_SIZE - 1) >= TARGET_PAGE_SIZE) {
         do_unaligned_access:
             /* slow unaligned access (it spans two pages) */
@@ -186,11 +193,14 @@
 static inline void glue(io_write, SUFFIX)(target_phys_addr_t physaddr,
                                           DATA_TYPE val,
                                           target_ulong tlb_addr,
-                                          void *retaddr)
+                                          void *retaddr,
+                                          target_ulong tlb_io)
 {
     int index;
 
-    index = (tlb_addr >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
+    index = (tlb_addr & ~TARGET_PAGE_MASK) >> IO_MEM_SHIFT;
+    if (index > 4)
+        index = (tlb_io >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
     env->mem_write_vaddr = tlb_addr;
     env->mem_write_pc = (unsigned long)retaddr;
 #if SHIFT <= 2
@@ -228,7 +238,8 @@
             if ((addr & (DATA_SIZE - 1)) != 0)
                 goto do_unaligned_access;
             retaddr = GETPC();
-            glue(io_write, SUFFIX)(physaddr, val, tlb_addr, retaddr);
+            glue(io_write, SUFFIX)(physaddr, val, tlb_addr, retaddr,
+                                   env->tlb_table[mmu_idx][index].addr_code);
         } else if (((addr & ~TARGET_PAGE_MASK) + DATA_SIZE - 1) >= TARGET_PAGE_SIZE) {
         do_unaligned_access:
             retaddr = GETPC();
@@ -278,7 +289,8 @@
             /* IO access */
             if ((addr & (DATA_SIZE - 1)) != 0)
                 goto do_unaligned_access;
-            glue(io_write, SUFFIX)(physaddr, val, tlb_addr, retaddr);
+            glue(io_write, SUFFIX)(physaddr, val, tlb_addr, retaddr,
+                                   env->tlb_table[mmu_idx][index].addr_code);
         } else if (((addr & ~TARGET_PAGE_MASK) + DATA_SIZE - 1) >= TARGET_PAGE_SIZE) {
         do_unaligned_access:
             /* XXX: not efficient, but simple */
diff -urN 4242/target-i386/cpu.h qemu-omap/target-i386/cpu.h
--- 4242/target-i386/cpu.h	2008-04-23 12:18:51.000000000 +0100
+++ qemu-omap/target-i386/cpu.h	2008-04-23 09:57:56.000000000 +0100
@@ -499,7 +499,7 @@
     SegmentCache idt; /* only base and limit are used */
 
     target_ulong cr[9]; /* NOTE: cr1, cr5-7 are unused */
-    uint64_t a20_mask;
+    uint32_t a20_mask;
 
     /* FPU state */
     unsigned int fpstt; /* top of stack index */
diff -urN 4242/target-i386/helper2.c qemu-omap/target-i386/helper2.c
--- 4242/target-i386/helper2.c	2008-04-23 12:18:51.000000000 +0100
+++ qemu-omap/target-i386/helper2.c	2008-04-23 09:57:56.000000000 +0100
@@ -377,7 +377,7 @@
     env->hflags |= HF_GIF_MASK;
 
     cpu_x86_update_cr0(env, 0x60000010);
-    env->a20_mask = ~0x0;
+    env->a20_mask = 0xffffffff;
     env->smbase = 0x30000;
 
     env->idt.limit = 0xffff;
@@ -695,7 +695,7 @@
         /* when a20 is changed, all the MMU mappings are invalid, so
            we must flush everything */
         tlb_flush(env, 1);
-        env->a20_mask = (~0x100000) | (a20_state << 20);
+        env->a20_mask = 0xffefffff | (a20_state << 20);
     }
 }
 
@@ -800,8 +800,7 @@
 
 #else
 
-/* Bits 52-62 of a PTE are reserved. Bit 63 is the NX bit. */
-#define PHYS_ADDR_MASK 0xffffffffff000L
+#define PHYS_ADDR_MASK 0xfffff000
 
 /* return value:
    -1 = cannot handle fault
@@ -813,10 +812,9 @@
                              int is_write1, int mmu_idx, int is_softmmu)
 {
     uint64_t ptep, pte;
-    target_ulong pde_addr, pte_addr;
+    uint32_t pdpe_addr, pde_addr, pte_addr;
     int error_code, is_dirty, prot, page_size, ret, is_write, is_user;
-    target_phys_addr_t paddr;
-    uint32_t page_offset;
+    unsigned long paddr, page_offset;
     target_ulong vaddr, virt_addr;
 
     is_user = mmu_idx == MMU_USER_IDX;
@@ -836,11 +834,12 @@
 
     if (env->cr[4] & CR4_PAE_MASK) {
         uint64_t pde, pdpe;
-        target_ulong pdpe_addr;
 
+        /* XXX: we only use 32 bit physical addresses */
 #ifdef TARGET_X86_64
         if (env->hflags & HF_LMA_MASK) {
-            uint64_t pml4e_addr, pml4e;
+            uint32_t pml4e_addr;
+            uint64_t pml4e;
             int32_t sext;
 
             /* test virtual address sign extension */
@@ -1102,19 +1101,17 @@
 
 target_phys_addr_t cpu_get_phys_page_debug(CPUState *env, target_ulong addr)
 {
-    target_ulong pde_addr, pte_addr;
-    uint64_t pte;
-    target_phys_addr_t paddr;
-    uint32_t page_offset;
-    int page_size;
+    uint32_t pde_addr, pte_addr;
+    uint32_t pde, pte, paddr, page_offset, page_size;
 
     if (env->cr[4] & CR4_PAE_MASK) {
-        target_ulong pdpe_addr;
-        uint64_t pde, pdpe;
+        uint32_t pdpe_addr, pde_addr, pte_addr;
+        uint32_t pdpe;
 
+        /* XXX: we only use 32 bit physical addresses */
 #ifdef TARGET_X86_64
         if (env->hflags & HF_LMA_MASK) {
-            uint64_t pml4e_addr, pml4e;
+            uint32_t pml4e_addr, pml4e;
             int32_t sext;
 
             /* test virtual address sign extension */
@@ -1124,13 +1121,13 @@
 
             pml4e_addr = ((env->cr[3] & ~0xfff) + (((addr >> 39) & 0x1ff) << 3)) &
                 env->a20_mask;
-            pml4e = ldq_phys(pml4e_addr);
+            pml4e = ldl_phys(pml4e_addr);
             if (!(pml4e & PG_PRESENT_MASK))
                 return -1;
 
             pdpe_addr = ((pml4e & ~0xfff) + (((addr >> 30) & 0x1ff) << 3)) &
                 env->a20_mask;
-            pdpe = ldq_phys(pdpe_addr);
+            pdpe = ldl_phys(pdpe_addr);
             if (!(pdpe & PG_PRESENT_MASK))
                 return -1;
         } else
@@ -1138,14 +1135,14 @@
         {
             pdpe_addr = ((env->cr[3] & ~0x1f) + ((addr >> 27) & 0x18)) &
                 env->a20_mask;
-            pdpe = ldq_phys(pdpe_addr);
+            pdpe = ldl_phys(pdpe_addr);
             if (!(pdpe & PG_PRESENT_MASK))
                 return -1;
         }
 
         pde_addr = ((pdpe & ~0xfff) + (((addr >> 21) & 0x1ff) << 3)) &
             env->a20_mask;
-        pde = ldq_phys(pde_addr);
+        pde = ldl_phys(pde_addr);
         if (!(pde & PG_PRESENT_MASK)) {
             return -1;
         }
@@ -1158,11 +1155,9 @@
             pte_addr = ((pde & ~0xfff) + (((addr >> 12) & 0x1ff) << 3)) &
                 env->a20_mask;
             page_size = 4096;
-            pte = ldq_phys(pte_addr);
+            pte = ldl_phys(pte_addr);
         }
     } else {
-        uint32_t pde;
-
         if (!(env->cr[0] & CR0_PG_MASK)) {
             pte = addr;
             page_size = 4096;
diff -urN 4242/vl.c qemu-omap/vl.c
--- 4242/vl.c	2008-04-24 21:26:21.000000000 +0100
+++ qemu-omap/vl.c	2008-04-23 09:57:57.000000000 +0100
@@ -5284,6 +5284,11 @@
         dev = usb_keyboard_init();
     } else if (strstart(devname, "disk:", &p)) {
         dev = usb_msd_init(p);
+    } else if (strstart(devname, "net:", &p)) {
+        unsigned int nr = strtoul(p, NULL, 0);
+        if (nr >= (unsigned int) nb_nics || strcmp(nd_table[nr].model, "usb"))
+            return -1;
+        dev = usb_net_init(&nd_table[nr]);
     } else if (!strcmp(devname, "wacom-tablet")) {
         dev = usb_wacom_init();
     } else if (strstart(devname, "serial:", &p)) {