1 /*
2  * This file is part of the flashrom project.
3  *
4  * Copyright (C) 2011-2012 Stefan Tauner
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; version 2 of the License.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  */
15 
16 #include <stdint.h>
17 #include <stdlib.h>
18 #include <string.h>
19 #include "flash.h"
20 #include "spi.h"
21 #include "chipdrivers.h"
22 
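/*
 * Read one small chunk of the SFDP area in a single SPI transaction.
 *
 * The command consists of the JEDEC_SFDP opcode followed by a 24-bit address.
 * The dummy byte belonging to the command is not written; one extra byte is
 * read instead and thrown away (see the FIXME below).
 *
 * flash:   flash context the command is sent through
 * address: byte offset inside the SFDP area (only bits 0-23 are sent)
 * buf:     destination, must have room for at least len bytes
 * len:     number of payload bytes to read, must not be negative
 *
 * Returns 0 on success, SPI_PROGRAMMER_ERROR if len is negative or the bounce
 * buffer cannot be allocated, otherwise the error from spi_send_command().
 * buf is only written on success.
 */
static int spi_sfdp_read_sfdp_chunk(struct flashctx *flash, uint32_t address, uint8_t *buf, int len)
{
	int i, ret;
	size_t rdlen;
	uint8_t *newbuf;
	const unsigned char cmd[JEDEC_SFDP_OUTSIZE] = {
		JEDEC_SFDP,
		(address >> 16) & 0xff,
		(address >> 8) & 0xff,
		(address >> 0) & 0xff,
		/* FIXME: the following dummy byte explodes on some programmers.
		 * One workaround is to read the dummy byte
		 * instead and discard its value.
		 */
		0
	};

	/* A negative length would become a huge size once converted for
	 * malloc() and memcpy(), so refuse it before any buffer is touched. */
	if (len < 0)
		return SPI_PROGRAMMER_ERROR;

	msg_cspew("%s: addr=0x%"PRIx32", len=%d, data:\n", __func__, address, len);

	/* One extra byte in front of the payload receives the dummy byte. */
	rdlen = (size_t)len + 1;
	newbuf = malloc(rdlen);
	if (!newbuf)
		return SPI_PROGRAMMER_ERROR;

	ret = spi_send_command(flash, sizeof(cmd) - 1, rdlen, cmd, newbuf);
	if (ret) {
		/* newbuf is uninitialized heap memory when the transfer failed;
		 * do not hand its contents to the caller. */
		free(newbuf);
		return ret;
	}

	/* Skip the dummy byte; newbuf is a fresh allocation, so no overlap. */
	memcpy(buf, newbuf + 1, (size_t)len);
	free(newbuf);

	for (i = 0; i < len; i++)
		msg_cspew(" 0x%02x", buf[i]);
	msg_cspew("\n");
	return 0;
}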
52 
/*
 * Read len bytes of the SFDP area starting at address into buf.
 *
 * The transfer is split into chunks of at most maxstep bytes, each fetched
 * with spi_sfdp_read_sfdp_chunk(). Reading stops at the first chunk that
 * fails and that chunk's error code is returned; 0 is returned when all
 * chunks succeeded (or when len is not positive and nothing is read).
 */
static int spi_sfdp_read_sfdp(struct flashctx *flash, uint32_t address, uint8_t *buf, int len)
{
	/* FIXME: There are different upper bounds for the number of bytes to
	 * read on the various programmers (even depending on the rest of the
	 * structure of the transaction). 2 is a safe bet. */
	const int maxstep = 2;
	uint32_t offset = address;
	uint8_t *dst = buf;
	int remaining;

	for (remaining = len; remaining > 0; ) {
		const int chunk = (remaining < maxstep) ? remaining : maxstep;
		const int err = spi_sfdp_read_sfdp_chunk(flash, offset, dst, chunk);

		if (err != 0)
			return err;

		offset += chunk;
		dst += chunk;
		remaining -= chunk;
	}
	return 0;
}
71 
/*
 * Decoded form of one 8-byte SFDP parameter header as filled in by
 * probe_spi_sfdp(). All values come straight from the chip and are not
 * validated when they are stored.
 */
struct sfdp_tbl_hdr {
	uint8_t id;	 /* header byte 0 */
	uint8_t v_minor; /* header byte 1 */
	uint8_t v_major; /* header byte 2 */
	uint8_t len;	 /* header byte 3; multiplied by 4 to get the table length in bytes */
	uint32_t ptp; /* 24b pointer */
};
79 
/*
 * Store a uniform block eraser (one block size covering the whole chip) in
 * the first free slot of chip->block_erasers.
 *
 * chip:       chip whose total_size (in kB) is already set
 * opcode:     erase opcode, mapped with spi25_get_erasefn_from_opcode()
 * block_size: erase block size in bytes
 *
 * Returns 0 if the eraser was stored. Returns 1 if the opcode has no erase
 * function, a size is zero, the chip size is not a multiple of block_size,
 * an eraser with the same function and first block size already exists, or
 * no slot is free.
 */
static int sfdp_add_uniform_eraser(struct flashchip *chip, uint8_t opcode, uint32_t block_size)
{
	int i;
	int usable;
	uint32_t nblocks;
	uint32_t total_size = chip->total_size * 1024;
	enum block_erase_func erasefn = spi25_get_erasefn_from_opcode(opcode);

	/* The modulo is only evaluated once block_size is known to be non-zero. */
	usable = (erasefn != NO_BLOCK_ERASE_FUNC) && (total_size != 0) && (block_size != 0);
	if (usable)
		usable = (total_size % block_size == 0);
	if (!usable) {
		msg_cdbg("%s: invalid input, please report to "
			 "flashrom@flashrom.org\n", __func__);
		return 1;
	}
	nblocks = total_size / block_size;

	for (i = 0; i < NUM_ERASEFUNCTIONS; i++) {
		struct block_eraser *slot = &chip->block_erasers[i];
		const int same_size = (slot->eraseblocks[0].size == block_size);
		const int same_func = (slot->block_erase == erasefn);

		/* Check for duplicates (including (some) non-uniform ones). */
		if (same_size && same_func) {
			msg_cdbg2("  Tried to add a duplicate block eraser: "
				  "%"PRId32" x %"PRId32" B with opcode 0x%02x.\n",
				  nblocks, block_size, opcode);
			return 1;
		}

		/* A slot is free only if it has neither a size nor a function. */
		if (slot->eraseblocks[0].size == 0 &&
		    slot->block_erase == NO_BLOCK_ERASE_FUNC) {
			slot->block_erase = erasefn;
			slot->eraseblocks[0].size = block_size;
			slot->eraseblocks[0].count = nblocks;
			msg_cdbg2("  Block eraser %d: %"PRId32" x %"PRId32" B with opcode "
				  "0x%02x\n", i, nblocks, block_size,
				  opcode);
			return 0;
		}

		msg_cspew("  Block Eraser %d is already occupied.\n",
			  i);
	}

	msg_cinfo("%s: Not enough space to store another eraser (i=%d)."
		  " Please report this at flashrom@flashrom.org\n",
		  __func__, i);
	return 1;
}
123 
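/* Assemble a little-endian 32-bit double word from four consecutive bytes. */
static uint32_t sfdp_le32(const uint8_t *p)
{
	return (uint32_t)p[0] |
	       ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) |
	       ((uint32_t)p[3] << 24);
}

/*
 * Parse a JEDEC flash parameter table and fill in the chip description.
 *
 * chip: chip structure to fill (feature_bits, page_size, write, total_size
 *       and block erasers are written)
 * buf:  raw parameter table as read from the chip
 * len:  length of buf in bytes; only 16 (the short table flagged below as the
 *       preliminary Intel version) or at least 36 are accepted, because the
 *       erase type fields are read up to offset 35
 *
 * The table contents are supplied by the flash chip, so every field is
 * treated as untrusted: the length is checked here before any byte is read
 * instead of relying on the caller alone.
 *
 * Returns 0 if the table was parsed, 1 if it has an unusable length or
 * describes a chip that is not supported. chip may already be partially
 * modified when 1 is returned.
 */
static int sfdp_fill_flash(struct flashchip *chip, uint8_t *buf, uint16_t len)
{
	uint8_t opcode_4k_erase = 0xFF;
	uint32_t tmp32;
	uint8_t tmp8;
	uint32_t total_size; /* in bytes */
	uint32_t block_size;
	int j;

	/* Same bound the caller applies; repeated here so that the reads
	 * below can never run past the end of buf. */
	if (len != 4 * 4 && len < 9 * 4) {
		msg_cdbg("%s: parameter table length %d B is not usable.\n",
			 __func__, len);
		return 1;
	}

	msg_cdbg("Parsing JEDEC flash parameter table... ");
	msg_cdbg2("\n");

	/* 1. double word */
	tmp32 = sfdp_le32(&buf[4 * 0]);

	/* Bits 17-18: required addressing mode. */
	tmp8 = (tmp32 >> 17) & 0x3;
	switch (tmp8) {
	case 0x0:
		msg_cdbg2("  3-Byte only addressing.\n");
		break;
	case 0x1:
		msg_cdbg2("  3-Byte (and optionally 4-Byte) addressing.\n");
		break;
	case 0x2:
		msg_cdbg("  4-Byte only addressing (not supported by "
			 "flashrom).\n");
		return 1;
	default:
		msg_cdbg("  Required addressing mode (0x%x) not supported.\n",
			 tmp8);
		return 1;
	}

	/* Bit 3: status register volatility, bit 4: WREN vs. EWSR. */
	msg_cdbg2("  Status register is ");
	if (tmp32 & (1 << 3)) {
		msg_cdbg2("volatile and writes to the status register have to "
			  "be enabled with ");
		if (tmp32 & (1 << 4)) {
			chip->feature_bits = FEATURE_WRSR_WREN;
			msg_cdbg2("WREN (0x06).\n");
		} else {
			chip->feature_bits = FEATURE_WRSR_EWSR;
			msg_cdbg2("EWSR (0x50).\n");
		}
	} else {
		msg_cdbg2("non-volatile and the standard does not allow "
			  "vendors to tell us whether EWSR/WREN is needed for "
			  "status register writes - assuming EWSR.\n");
		chip->feature_bits = FEATURE_WRSR_EWSR;
	}

	/* Bit 2: write granularity. */
	msg_cdbg2("  Write chunk size is ");
	if (tmp32 & (1 << 2)) {
		msg_cdbg2("at least 64 B.\n");
		chip->page_size = 64;
		chip->write = SPI_CHIP_WRITE256;
	} else {
		msg_cdbg2("1 B only.\n");
		chip->page_size = 256;
		chip->write = SPI_CHIP_WRITE1;
	}

	/* Bits 0-1 == 1: a 4 kB erase opcode is given in bits 8-15. */
	if ((tmp32 & 0x3) == 0x1) {
		opcode_4k_erase = (tmp32 >> 8) & 0xFF;
		msg_cspew("  4kB erase opcode is 0x%02x.\n", opcode_4k_erase);
		/* add the eraser later, because we don't know total_size yet */
	} else
		msg_cspew("  4kB erase opcode is not defined.\n");

	/* 2. double word */
	tmp32 = sfdp_le32(&buf[4 * 1]);

	/* Unsigned constant: shifting a signed 1 into bit 31 is undefined. */
	if (tmp32 & ((uint32_t)1 << 31)) {
		msg_cdbg("Flash chip size >= 4 Gb/512 MB not supported.\n");
		return 1;
	}
	/* The field holds the size in bits minus one. */
	total_size = ((tmp32 & 0x7FFFFFFF) + 1) / 8;
	chip->total_size = total_size / 1024;
	msg_cdbg2("  Flash chip size is %d kB.\n", chip->total_size);
	if (total_size > (1 << 24)) {
		msg_cdbg("Flash chip size is bigger than what 3-Byte addressing "
			 "can access.\n");
		return 1;
	}

	/* A rejected eraser is not fatal; the helper logs the reason. */
	if (opcode_4k_erase != 0xFF)
		sfdp_add_uniform_eraser(chip, opcode_4k_erase, 4 * 1024);

	/* FIXME: double words 3-7 contain unused fast read information */

	if (len == 4 * 4) {
		msg_cdbg("  It seems like this chip supports the preliminary "
			 "Intel version of SFDP, skipping processing of double "
			 "words 3-9.\n");
		goto done;
	}

	/* 8. double word */
	for (j = 0; j < 4; j++) {
		/* 7 double words from the start + 2 bytes for every eraser */
		tmp8 = buf[(4 * 7) + (j * 2)];
		msg_cspew("   Erase Sector Type %d Size: 0x%02x\n", j + 1,
			  tmp8);
		if (tmp8 == 0) {
			/* j + 1 so the number matches the size/opcode messages. */
			msg_cspew("  Erase Sector Type %d is unused.\n", j + 1);
			continue;
		}
		if (tmp8 >= 31) {
			msg_cdbg2("  Block size of erase Sector Type %d (2^%d) "
				 "is too big for flashrom.\n", j + 1, tmp8);
			continue;
		}
		block_size = (uint32_t)1 << tmp8; /* block_size = 2 ^ field */

		tmp8 = buf[(4 * 7) + (j * 2) + 1];
		msg_cspew("   Erase Sector Type %d Opcode: 0x%02x\n", j + 1,
			  tmp8);
		sfdp_add_uniform_eraser(chip, tmp8, block_size);
	}

done:
	msg_cdbg("done.\n");
	return 0;
}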
254 
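/*
 * Probe for a chip that implements SFDP and, if its mandatory JEDEC flash
 * parameter table can be parsed, fill flash->chip from it.
 *
 * Steps: check the 4-byte signature at offset 0, read revision and number of
 * parameter headers (NPH) at offset 4, fetch all parameter headers starting
 * at offset 8, then fetch and dump every parameter table. Only the first
 * table is interpreted (via sfdp_fill_flash()).
 *
 * Everything read here is supplied by the chip and therefore untrusted. The
 * allocation sizes stay bounded because NPH and the table length are single
 * bytes: at most 256 headers of 8 bytes and at most 255 * 4 bytes per table.
 *
 * Returns 1 if the mandatory table was parsed successfully, 0 otherwise
 * (including read errors and allocation failures).
 */
int probe_spi_sfdp(struct flashctx *flash)
{
	int ret = 0;
	uint8_t buf[8];
	uint32_t tmp32;
	uint8_t nph;
	/* need to limit the table loop by comparing i to uint8_t nph hence: */
	uint16_t i;
	struct sfdp_tbl_hdr *hdrs;
	uint8_t *hbuf;
	uint8_t *tbuf;

	if (spi_sfdp_read_sfdp(flash, 0x00, buf, 4)) {
		msg_cdbg("Receiving SFDP signature failed.\n");
		return 0;
	}
	/* The signature is stored little-endian. */
	tmp32 = buf[0];
	tmp32 |= ((unsigned int)buf[1]) << 8;
	tmp32 |= ((unsigned int)buf[2]) << 16;
	tmp32 |= ((unsigned int)buf[3]) << 24;

	if (tmp32 != 0x50444653) {
		msg_cdbg2("Signature = 0x%08"PRIx32" (should be 0x50444653)\n", tmp32);
		msg_cdbg("No SFDP signature found.\n");
		return 0;
	}

	if (spi_sfdp_read_sfdp(flash, 0x04, buf, 3)) {
		msg_cdbg("Receiving SFDP revision and number of parameter "
			 "headers (NPH) failed. ");
		return 0;
	}
	/* buf[0] = minor revision, buf[1] = major revision, buf[2] = NPH. */
	msg_cdbg2("SFDP revision = %d.%d\n", buf[1], buf[0]);
	if (buf[1] != 0x01) {
		msg_cdbg("The chip supports an unknown version of SFDP. "
			  "Aborting SFDP probe!\n");
		return 0;
	}
	nph = buf[2];
	msg_cdbg2("SFDP number of parameter headers is %d (NPH = %d).\n",
		  nph + 1, nph);

	/* Fetch all parameter headers, even if we don't use them all (yet). */
	hbuf = malloc((nph + 1) * 8);
	hdrs = malloc((nph + 1) * sizeof(*hdrs));
	if (hbuf == NULL || hdrs == NULL ) {
		msg_gerr("Out of memory!\n");
		goto cleanup_hdrs;
	}
	if (spi_sfdp_read_sfdp(flash, 0x08, hbuf, (nph + 1) * 8)) {
		msg_cdbg("Receiving SFDP parameter table headers failed.\n");
		goto cleanup_hdrs;
	}

	for (i = 0; i <= nph; i++) {
		uint16_t len;
		hdrs[i].id = hbuf[(8 * i) + 0];
		hdrs[i].v_minor = hbuf[(8 * i) + 1];
		hdrs[i].v_major = hbuf[(8 * i) + 2];
		hdrs[i].len = hbuf[(8 * i) + 3];
		hdrs[i].ptp = hbuf[(8 * i) + 4];
		hdrs[i].ptp |= ((unsigned int)hbuf[(8 * i) + 5]) << 8;
		hdrs[i].ptp |= ((unsigned int)hbuf[(8 * i) + 6]) << 16;
		msg_cdbg2("\nSFDP parameter table header %d/%d:\n", i, nph);
		msg_cdbg2("  ID 0x%02x, version %d.%d\n", hdrs[i].id,
			  hdrs[i].v_major, hdrs[i].v_minor);
		/* The header gives the length in double words. */
		len = hdrs[i].len * 4;
		tmp32 = hdrs[i].ptp;
		msg_cdbg2("  Length %d B, Parameter Table Pointer 0x%06"PRIx32"\n",
			  len, tmp32);

		/* Reject tables that would reach past the 24-bit SFDP address
		 * space; the sum cannot wrap (24-bit pointer + at most 1020). */
		if (tmp32 + len >= (1 << 24)) {
			msg_cdbg("SFDP Parameter Table %d supposedly overflows "
				  "addressable SFDP area. This most\nprobably "
				  "indicates a corrupt SFDP parameter table "
				  "header. Skipping it.\n", i);
			continue;
		}

		/* A header may claim a length of 0. malloc(0) is allowed to
		 * return NULL, which must not be reported as out-of-memory and
		 * abort the probe, so an empty table gets no buffer at all.
		 * The length check for the mandatory table below keeps a NULL
		 * tbuf from ever reaching sfdp_fill_flash(). */
		tbuf = NULL;
		if (len != 0) {
			tbuf = malloc(len);
			if (tbuf == NULL) {
				msg_gerr("Out of memory!\n");
				goto cleanup_hdrs;
			}
			if (spi_sfdp_read_sfdp(flash, tmp32, tbuf, len)){
				msg_cdbg("Fetching SFDP parameter table %d failed.\n",
					 i);
				free(tbuf);
				continue;
			}
		}

		/* Hex dump, 8 bytes per line with a gap after the 4th byte. */
		msg_cspew("  Parameter table contents:\n");
		for (tmp32 = 0; tmp32 < len; tmp32++) {
			if ((tmp32 % 8) == 0) {
				msg_cspew("    0x%04"PRIx32": ", tmp32);
			}
			msg_cspew(" %02x", tbuf[tmp32]);
			if ((tmp32 % 8) == 7) {
				msg_cspew("\n");
				continue;
			}
			if ((tmp32 % 8) == 3) {
				msg_cspew(" ");
				continue;
			}
		}
		msg_cspew("\n");

		if (i == 0) { /* Mandatory JEDEC SFDP parameter table */
			if (hdrs[i].id != 0)
				msg_cdbg("ID of the mandatory JEDEC SFDP "
					 "parameter table is not 0 as demanded "
					 "by JESD216 (warning only).\n");

			if (hdrs[i].v_major != 0x01) {
				msg_cdbg("The chip contains an unknown "
					  "version of the JEDEC flash "
					  "parameters table, skipping it.\n");
			} else if (len != 4 * 4 && len < 9 * 4) {
				/* sfdp_fill_flash() reads up to offset 35
				 * unless the table is exactly 16 bytes long. */
				msg_cdbg("Length of the mandatory JEDEC SFDP "
					 "parameter table is wrong (%d B), "
					 "skipping it.\n", len);
			} else if (sfdp_fill_flash(flash->chip, tbuf, len) == 0)
				ret = 1;
		}
		free(tbuf);
	}

cleanup_hdrs:
	/* free(NULL) is a no-op, so this also covers a failed allocation. */
	free(hdrs);
	free(hbuf);
	return ret;
}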
387