1 /*
2 * BCM47XX MTD partitioning
3 *
4 * Copyright © 2012 Rafał Miłecki <zajec5@gmail.com>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 *
10 */
11
12 #include <linux/module.h>
13 #include <linux/kernel.h>
14 #include <linux/slab.h>
15 #include <linux/mtd/mtd.h>
16 #include <linux/mtd/partitions.h>
17
18 #include <uapi/linux/magic.h>
19
20 /*
21 * NAND flash on Netgear R6250 was verified to contain 15 partitions.
22 * This will result in allocating too big array for some old devices, but the
23 * memory will be freed soon anyway (see mtd_device_parse_register).
24 */
25 #define BCM47XXPART_MAX_PARTS 20
26
27 /*
28 * Amount of bytes we read when analyzing each block of flash memory.
29 * Set it big enough to allow detecting partition and reading important data.
30 */
31 #define BCM47XXPART_BYTES_TO_READ 0x4e8
32
33 /* Magics */
34 #define BOARD_DATA_MAGIC 0x5246504D /* MPFR */
35 #define BOARD_DATA_MAGIC2 0xBD0D0BBD
36 #define CFE_MAGIC 0x43464531 /* 1EFC */
37 #define FACTORY_MAGIC 0x59544346 /* FCTY */
38 #define NVRAM_HEADER 0x48534C46 /* FLSH */
39 #define POT_MAGIC1 0x54544f50 /* POTT */
40 #define POT_MAGIC2 0x504f /* OP */
41 #define ML_MAGIC1 0x39685a42
42 #define ML_MAGIC2 0x26594131
43 #define TRX_MAGIC 0x30524448
44 #define SHSQ_MAGIC 0x71736873 /* shsq (weird ZTE H218N endianness) */
45 #define UBI_EC_MAGIC 0x23494255 /* UBI# */
46
47 struct trx_header {
48 uint32_t magic;
49 uint32_t length;
50 uint32_t crc32;
51 uint16_t flags;
52 uint16_t version;
53 uint32_t offset[3];
54 } __packed;
55
bcm47xxpart_add_part(struct mtd_partition * part,const char * name,u64 offset,uint32_t mask_flags)56 static void bcm47xxpart_add_part(struct mtd_partition *part, const char *name,
57 u64 offset, uint32_t mask_flags)
58 {
59 part->name = name;
60 part->offset = offset;
61 part->mask_flags = mask_flags;
62 }
63
bcm47xxpart_trx_data_part_name(struct mtd_info * master,size_t offset)64 static const char *bcm47xxpart_trx_data_part_name(struct mtd_info *master,
65 size_t offset)
66 {
67 uint32_t buf;
68 size_t bytes_read;
69 int err;
70
71 err = mtd_read(master, offset, sizeof(buf), &bytes_read,
72 (uint8_t *)&buf);
73 if (err && !mtd_is_bitflip(err)) {
74 pr_err("mtd_read error while parsing (offset: 0x%X): %d\n",
75 offset, err);
76 goto out_default;
77 }
78
79 if (buf == UBI_EC_MAGIC)
80 return "ubi";
81
82 out_default:
83 return "rootfs";
84 }
85
bcm47xxpart_parse(struct mtd_info * master,struct mtd_partition ** pparts,struct mtd_part_parser_data * data)86 static int bcm47xxpart_parse(struct mtd_info *master,
87 struct mtd_partition **pparts,
88 struct mtd_part_parser_data *data)
89 {
90 struct mtd_partition *parts;
91 uint8_t i, curr_part = 0;
92 uint32_t *buf;
93 size_t bytes_read;
94 uint32_t offset;
95 uint32_t blocksize = master->erasesize;
96 struct trx_header *trx;
97 int trx_part = -1;
98 int last_trx_part = -1;
99 int possible_nvram_sizes[] = { 0x8000, 0xF000, 0x10000, };
100 int err;
101
102 /*
103 * Some really old flashes (like AT45DB*) had smaller erasesize-s, but
104 * partitions were aligned to at least 0x1000 anyway.
105 */
106 if (blocksize < 0x1000)
107 blocksize = 0x1000;
108
109 /* Alloc */
110 parts = kzalloc(sizeof(struct mtd_partition) * BCM47XXPART_MAX_PARTS,
111 GFP_KERNEL);
112 if (!parts)
113 return -ENOMEM;
114
115 buf = kzalloc(BCM47XXPART_BYTES_TO_READ, GFP_KERNEL);
116 if (!buf) {
117 kfree(parts);
118 return -ENOMEM;
119 }
120
121 /* Parse block by block looking for magics */
122 for (offset = 0; offset <= master->size - blocksize;
123 offset += blocksize) {
124 /* Nothing more in higher memory on BCM47XX (MIPS) */
125 if (config_enabled(CONFIG_BCM47XX) && offset >= 0x2000000)
126 break;
127
128 if (curr_part >= BCM47XXPART_MAX_PARTS) {
129 pr_warn("Reached maximum number of partitions, scanning stopped!\n");
130 break;
131 }
132
133 /* Read beginning of the block */
134 err = mtd_read(master, offset, BCM47XXPART_BYTES_TO_READ,
135 &bytes_read, (uint8_t *)buf);
136 if (err && !mtd_is_bitflip(err)) {
137 pr_err("mtd_read error while parsing (offset: 0x%X): %d\n",
138 offset, err);
139 continue;
140 }
141
142 /* Magic or small NVRAM at 0x400 */
143 if ((buf[0x4e0 / 4] == CFE_MAGIC && buf[0x4e4 / 4] == CFE_MAGIC) ||
144 (buf[0x400 / 4] == NVRAM_HEADER)) {
145 bcm47xxpart_add_part(&parts[curr_part++], "boot",
146 offset, MTD_WRITEABLE);
147 continue;
148 }
149
150 /*
151 * board_data starts with board_id which differs across boards,
152 * but we can use 'MPFR' (hopefully) magic at 0x100
153 */
154 if (buf[0x100 / 4] == BOARD_DATA_MAGIC) {
155 bcm47xxpart_add_part(&parts[curr_part++], "board_data",
156 offset, MTD_WRITEABLE);
157 continue;
158 }
159
160 /* Found on Huawei E970 */
161 if (buf[0x000 / 4] == FACTORY_MAGIC) {
162 bcm47xxpart_add_part(&parts[curr_part++], "factory",
163 offset, MTD_WRITEABLE);
164 continue;
165 }
166
167 /* POT(TOP) */
168 if (buf[0x000 / 4] == POT_MAGIC1 &&
169 (buf[0x004 / 4] & 0xFFFF) == POT_MAGIC2) {
170 bcm47xxpart_add_part(&parts[curr_part++], "POT", offset,
171 MTD_WRITEABLE);
172 continue;
173 }
174
175 /* ML */
176 if (buf[0x010 / 4] == ML_MAGIC1 &&
177 buf[0x014 / 4] == ML_MAGIC2) {
178 bcm47xxpart_add_part(&parts[curr_part++], "ML", offset,
179 MTD_WRITEABLE);
180 continue;
181 }
182
183 /* TRX */
184 if (buf[0x000 / 4] == TRX_MAGIC) {
185 if (BCM47XXPART_MAX_PARTS - curr_part < 4) {
186 pr_warn("Not enough partitions left to register trx, scanning stopped!\n");
187 break;
188 }
189
190 trx = (struct trx_header *)buf;
191
192 trx_part = curr_part;
193 bcm47xxpart_add_part(&parts[curr_part++], "firmware",
194 offset, 0);
195
196 i = 0;
197 /* We have LZMA loader if offset[2] points to sth */
198 if (trx->offset[2]) {
199 bcm47xxpart_add_part(&parts[curr_part++],
200 "loader",
201 offset + trx->offset[i],
202 0);
203 i++;
204 }
205
206 if (trx->offset[i]) {
207 bcm47xxpart_add_part(&parts[curr_part++],
208 "linux",
209 offset + trx->offset[i],
210 0);
211 i++;
212 }
213
214 /*
215 * Pure rootfs size is known and can be calculated as:
216 * trx->length - trx->offset[i]. We don't fill it as
217 * we want to have jffs2 (overlay) in the same mtd.
218 */
219 if (trx->offset[i]) {
220 const char *name;
221
222 name = bcm47xxpart_trx_data_part_name(master, offset + trx->offset[i]);
223 bcm47xxpart_add_part(&parts[curr_part++],
224 name,
225 offset + trx->offset[i],
226 0);
227 i++;
228 }
229
230 last_trx_part = curr_part - 1;
231
232 /* Jump to the end of TRX */
233 offset = roundup(offset + trx->length, blocksize);
234 /* Next loop iteration will increase the offset */
235 offset -= blocksize;
236 continue;
237 }
238
239 /* Squashfs on devices not using TRX */
240 if (le32_to_cpu(buf[0x000 / 4]) == SQUASHFS_MAGIC ||
241 buf[0x000 / 4] == SHSQ_MAGIC) {
242 bcm47xxpart_add_part(&parts[curr_part++], "rootfs",
243 offset, 0);
244 continue;
245 }
246
247 /*
248 * New (ARM?) devices may have NVRAM in some middle block. Last
249 * block will be checked later, so skip it.
250 */
251 if (offset != master->size - blocksize &&
252 buf[0x000 / 4] == NVRAM_HEADER) {
253 bcm47xxpart_add_part(&parts[curr_part++], "nvram",
254 offset, 0);
255 continue;
256 }
257
258 /* Read middle of the block */
259 err = mtd_read(master, offset + 0x8000, 0x4, &bytes_read,
260 (uint8_t *)buf);
261 if (err && !mtd_is_bitflip(err)) {
262 pr_err("mtd_read error while parsing (offset: 0x%X): %d\n",
263 offset, err);
264 continue;
265 }
266
267 /* Some devices (ex. WNDR3700v3) don't have a standard 'MPFR' */
268 if (buf[0x000 / 4] == BOARD_DATA_MAGIC2) {
269 bcm47xxpart_add_part(&parts[curr_part++], "board_data",
270 offset, MTD_WRITEABLE);
271 continue;
272 }
273 }
274
275 /* Look for NVRAM at the end of the last block. */
276 for (i = 0; i < ARRAY_SIZE(possible_nvram_sizes); i++) {
277 if (curr_part >= BCM47XXPART_MAX_PARTS) {
278 pr_warn("Reached maximum number of partitions, scanning stopped!\n");
279 break;
280 }
281
282 offset = master->size - possible_nvram_sizes[i];
283 err = mtd_read(master, offset, 0x4, &bytes_read,
284 (uint8_t *)buf);
285 if (err && !mtd_is_bitflip(err)) {
286 pr_err("mtd_read error while reading (offset 0x%X): %d\n",
287 offset, err);
288 continue;
289 }
290
291 /* Standard NVRAM */
292 if (buf[0] == NVRAM_HEADER) {
293 bcm47xxpart_add_part(&parts[curr_part++], "nvram",
294 master->size - blocksize, 0);
295 break;
296 }
297 }
298
299 kfree(buf);
300
301 /*
302 * Assume that partitions end at the beginning of the one they are
303 * followed by.
304 */
305 for (i = 0; i < curr_part; i++) {
306 u64 next_part_offset = (i < curr_part - 1) ?
307 parts[i + 1].offset : master->size;
308
309 parts[i].size = next_part_offset - parts[i].offset;
310 if (i == last_trx_part && trx_part >= 0)
311 parts[trx_part].size = next_part_offset -
312 parts[trx_part].offset;
313 }
314
315 *pparts = parts;
316 return curr_part;
317 };
318
319 static struct mtd_part_parser bcm47xxpart_mtd_parser = {
320 .owner = THIS_MODULE,
321 .parse_fn = bcm47xxpart_parse,
322 .name = "bcm47xxpart",
323 };
324
bcm47xxpart_init(void)325 static int __init bcm47xxpart_init(void)
326 {
327 register_mtd_parser(&bcm47xxpart_mtd_parser);
328 return 0;
329 }
330
bcm47xxpart_exit(void)331 static void __exit bcm47xxpart_exit(void)
332 {
333 deregister_mtd_parser(&bcm47xxpart_mtd_parser);
334 }
335
336 module_init(bcm47xxpart_init);
337 module_exit(bcm47xxpart_exit);
338
339 MODULE_LICENSE("GPL");
340 MODULE_DESCRIPTION("MTD partitioning for BCM47XX flash memories");
341