• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *
3  *  Bluetooth HCI UART driver for Intel/AG6xx devices
4  *
5  *  Copyright (C) 2016  Intel Corporation
6  *
7  *
8  *  This program is free software; you can redistribute it and/or modify
9  *  it under the terms of the GNU General Public License as published by
10  *  the Free Software Foundation; either version 2 of the License, or
11  *  (at your option) any later version.
12  *
13  *  This program is distributed in the hope that it will be useful,
14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  *  GNU General Public License for more details.
17  *
18  *  You should have received a copy of the GNU General Public License
19  *  along with this program; if not, write to the Free Software
20  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
21  *
22  */
23 
24 #include <linux/kernel.h>
25 #include <linux/errno.h>
26 #include <linux/skbuff.h>
27 #include <linux/firmware.h>
28 #include <linux/module.h>
29 #include <linux/tty.h>
30 
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 
34 #include "hci_uart.h"
35 #include "btintel.h"
36 
37 struct ag6xx_data {
38 	struct sk_buff *rx_skb;
39 	struct sk_buff_head txq;
40 };
41 
42 struct pbn_entry {
43 	__le32 addr;
44 	__le32 plen;
45 	__u8 data[0];
46 } __packed;
47 
ag6xx_open(struct hci_uart * hu)48 static int ag6xx_open(struct hci_uart *hu)
49 {
50 	struct ag6xx_data *ag6xx;
51 
52 	BT_DBG("hu %p", hu);
53 
54 	ag6xx = kzalloc(sizeof(*ag6xx), GFP_KERNEL);
55 	if (!ag6xx)
56 		return -ENOMEM;
57 
58 	skb_queue_head_init(&ag6xx->txq);
59 
60 	hu->priv = ag6xx;
61 	return 0;
62 }
63 
ag6xx_close(struct hci_uart * hu)64 static int ag6xx_close(struct hci_uart *hu)
65 {
66 	struct ag6xx_data *ag6xx = hu->priv;
67 
68 	BT_DBG("hu %p", hu);
69 
70 	skb_queue_purge(&ag6xx->txq);
71 	kfree_skb(ag6xx->rx_skb);
72 	kfree(ag6xx);
73 
74 	hu->priv = NULL;
75 	return 0;
76 }
77 
ag6xx_flush(struct hci_uart * hu)78 static int ag6xx_flush(struct hci_uart *hu)
79 {
80 	struct ag6xx_data *ag6xx = hu->priv;
81 
82 	BT_DBG("hu %p", hu);
83 
84 	skb_queue_purge(&ag6xx->txq);
85 	return 0;
86 }
87 
ag6xx_dequeue(struct hci_uart * hu)88 static struct sk_buff *ag6xx_dequeue(struct hci_uart *hu)
89 {
90 	struct ag6xx_data *ag6xx = hu->priv;
91 	struct sk_buff *skb;
92 
93 	skb = skb_dequeue(&ag6xx->txq);
94 	if (!skb)
95 		return skb;
96 
97 	/* Prepend skb with frame type */
98 	memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1);
99 	return skb;
100 }
101 
ag6xx_enqueue(struct hci_uart * hu,struct sk_buff * skb)102 static int ag6xx_enqueue(struct hci_uart *hu, struct sk_buff *skb)
103 {
104 	struct ag6xx_data *ag6xx = hu->priv;
105 
106 	skb_queue_tail(&ag6xx->txq, skb);
107 	return 0;
108 }
109 
110 static const struct h4_recv_pkt ag6xx_recv_pkts[] = {
111 	{ H4_RECV_ACL,    .recv = hci_recv_frame   },
112 	{ H4_RECV_SCO,    .recv = hci_recv_frame   },
113 	{ H4_RECV_EVENT,  .recv = hci_recv_frame   },
114 };
115 
ag6xx_recv(struct hci_uart * hu,const void * data,int count)116 static int ag6xx_recv(struct hci_uart *hu, const void *data, int count)
117 {
118 	struct ag6xx_data *ag6xx = hu->priv;
119 
120 	if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
121 		return -EUNATCH;
122 
123 	ag6xx->rx_skb = h4_recv_buf(hu->hdev, ag6xx->rx_skb, data, count,
124 				    ag6xx_recv_pkts,
125 				    ARRAY_SIZE(ag6xx_recv_pkts));
126 	if (IS_ERR(ag6xx->rx_skb)) {
127 		int err = PTR_ERR(ag6xx->rx_skb);
128 		bt_dev_err(hu->hdev, "Frame reassembly failed (%d)", err);
129 		ag6xx->rx_skb = NULL;
130 		return err;
131 	}
132 
133 	return count;
134 }
135 
intel_mem_write(struct hci_dev * hdev,u32 addr,u32 plen,const void * data)136 static int intel_mem_write(struct hci_dev *hdev, u32 addr, u32 plen,
137 			   const void *data)
138 {
139 	/* Can write a maximum of 247 bytes per HCI command.
140 	 * HCI cmd Header (3), Intel mem write header (6), data (247).
141 	 */
142 	while (plen > 0) {
143 		struct sk_buff *skb;
144 		u8 cmd_param[253], fragment_len = (plen > 247) ? 247 : plen;
145 		__le32 leaddr = cpu_to_le32(addr);
146 
147 		memcpy(cmd_param, &leaddr, 4);
148 		cmd_param[4] = 0;
149 		cmd_param[5] = fragment_len;
150 		memcpy(cmd_param + 6, data, fragment_len);
151 
152 		skb = __hci_cmd_sync(hdev, 0xfc8e, fragment_len + 6, cmd_param,
153 				     HCI_INIT_TIMEOUT);
154 		if (IS_ERR(skb))
155 			return PTR_ERR(skb);
156 		kfree_skb(skb);
157 
158 		plen -= fragment_len;
159 		data += fragment_len;
160 		addr += fragment_len;
161 	}
162 
163 	return 0;
164 }
165 
ag6xx_setup(struct hci_uart * hu)166 static int ag6xx_setup(struct hci_uart *hu)
167 {
168 	struct hci_dev *hdev = hu->hdev;
169 	struct sk_buff *skb;
170 	struct intel_version ver;
171 	const struct firmware *fw;
172 	const u8 *fw_ptr;
173 	char fwname[64];
174 	bool patched = false;
175 	int err;
176 
177 	hu->hdev->set_diag = btintel_set_diag;
178 	hu->hdev->set_bdaddr = btintel_set_bdaddr;
179 
180 	err = btintel_enter_mfg(hdev);
181 	if (err)
182 		return err;
183 
184 	err = btintel_read_version(hdev, &ver);
185 	if (err)
186 		return err;
187 
188 	btintel_version_info(hdev, &ver);
189 
190 	/* The hardware platform number has a fixed value of 0x37 and
191 	 * for now only accept this single value.
192 	 */
193 	if (ver.hw_platform != 0x37) {
194 		bt_dev_err(hdev, "Unsupported Intel hardware platform: 0x%X",
195 			   ver.hw_platform);
196 		return -EINVAL;
197 	}
198 
199 	/* Only the hardware variant iBT 2.1 (AG6XX) is supported by this
200 	 * firmware setup method.
201 	 */
202 	if (ver.hw_variant != 0x0a) {
203 		bt_dev_err(hdev, "Unsupported Intel hardware variant: 0x%x",
204 			   ver.hw_variant);
205 		return -EINVAL;
206 	}
207 
208 	snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bddata",
209 		 ver.hw_platform, ver.hw_variant);
210 
211 	err = request_firmware(&fw, fwname, &hdev->dev);
212 	if (err < 0) {
213 		bt_dev_err(hdev, "Failed to open Intel bddata file: %s (%d)",
214 			   fwname, err);
215 		goto patch;
216 	}
217 	fw_ptr = fw->data;
218 
219 	bt_dev_info(hdev, "Applying bddata (%s)", fwname);
220 
221 	skb = __hci_cmd_sync_ev(hdev, 0xfc2f, fw->size, fw->data,
222 				HCI_EV_CMD_STATUS, HCI_CMD_TIMEOUT);
223 	if (IS_ERR(skb)) {
224 		bt_dev_err(hdev, "Applying bddata failed (%ld)", PTR_ERR(skb));
225 		release_firmware(fw);
226 		return PTR_ERR(skb);
227 	}
228 	kfree_skb(skb);
229 
230 	release_firmware(fw);
231 
232 patch:
233 	/* If there is no applied patch, fw_patch_num is always 0x00. In other
234 	 * cases, current firmware is already patched. No need to patch it.
235 	 */
236 	if (ver.fw_patch_num) {
237 		bt_dev_info(hdev, "Device is already patched. patch num: %02x",
238 			    ver.fw_patch_num);
239 		patched = true;
240 		goto complete;
241 	}
242 
243 	snprintf(fwname, sizeof(fwname),
244 		 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.pbn",
245 		 ver.hw_platform, ver.hw_variant, ver.hw_revision,
246 		 ver.fw_variant,  ver.fw_revision, ver.fw_build_num,
247 		 ver.fw_build_ww, ver.fw_build_yy);
248 
249 	err = request_firmware(&fw, fwname, &hdev->dev);
250 	if (err < 0) {
251 		bt_dev_err(hdev, "Failed to open Intel patch file: %s(%d)",
252 			   fwname, err);
253 		goto complete;
254 	}
255 	fw_ptr = fw->data;
256 
257 	bt_dev_info(hdev, "Patching firmware file (%s)", fwname);
258 
259 	/* PBN patch file contains a list of binary patches to be applied on top
260 	 * of the embedded firmware. Each patch entry header contains the target
261 	 * address and patch size.
262 	 *
263 	 * Patch entry:
264 	 * | addr(le) | patch_len(le) | patch_data |
265 	 * | 4 Bytes  |    4 Bytes    |   n Bytes  |
266 	 *
267 	 * PBN file is terminated by a patch entry whose address is 0xffffffff.
268 	 */
269 	while (fw->size > fw_ptr - fw->data) {
270 		struct pbn_entry *pbn = (void *)fw_ptr;
271 		u32 addr, plen;
272 
273 		if (pbn->addr == 0xffffffff) {
274 			bt_dev_info(hdev, "Patching complete");
275 			patched = true;
276 			break;
277 		}
278 
279 		addr = le32_to_cpu(pbn->addr);
280 		plen = le32_to_cpu(pbn->plen);
281 
282 		if (fw->data + fw->size <= pbn->data + plen) {
283 			bt_dev_info(hdev, "Invalid patch len (%d)", plen);
284 			break;
285 		}
286 
287 		bt_dev_info(hdev, "Patching %td/%zu", (fw_ptr - fw->data),
288 			    fw->size);
289 
290 		err = intel_mem_write(hdev, addr, plen, pbn->data);
291 		if (err) {
292 			bt_dev_err(hdev, "Patching failed");
293 			break;
294 		}
295 
296 		fw_ptr = pbn->data + plen;
297 	}
298 
299 	release_firmware(fw);
300 
301 complete:
302 	/* Exit manufacturing mode and reset */
303 	err = btintel_exit_mfg(hdev, true, patched);
304 	if (err)
305 		return err;
306 
307 	/* Set the event mask for Intel specific vendor events. This enables
308 	 * a few extra events that are useful during general operation.
309 	 */
310 	btintel_set_event_mask_mfg(hdev, false);
311 
312 	btintel_check_bdaddr(hdev);
313 	return 0;
314 }
315 
316 static const struct hci_uart_proto ag6xx_proto = {
317 	.id		= HCI_UART_AG6XX,
318 	.name		= "AG6XX",
319 	.manufacturer	= 2,
320 	.open		= ag6xx_open,
321 	.close		= ag6xx_close,
322 	.flush		= ag6xx_flush,
323 	.setup		= ag6xx_setup,
324 	.recv		= ag6xx_recv,
325 	.enqueue	= ag6xx_enqueue,
326 	.dequeue	= ag6xx_dequeue,
327 };
328 
ag6xx_init(void)329 int __init ag6xx_init(void)
330 {
331 	return hci_uart_register_proto(&ag6xx_proto);
332 }
333 
ag6xx_deinit(void)334 int __exit ag6xx_deinit(void)
335 {
336 	return hci_uart_unregister_proto(&ag6xx_proto);
337 }
338