Commit | Line | Data |
---|---|---|
db33c77d CC |
1 | /* |
2 | * Bluetooth support for Realtek devices | |
3 | * | |
4 | * Copyright (C) 2015 Endless Mobile, Inc. | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or modify | |
7 | * it under the terms of the GNU General Public License as published by | |
8 | * the Free Software Foundation; either version 2 of the License, or | |
9 | * (at your option) any later version. | |
10 | * | |
11 | * This program is distributed in the hope that it will be useful, | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
14 | * GNU General Public License for more details. | |
15 | * | |
16 | */ | |
17 | ||
18 | #include <linux/module.h> | |
19 | #include <linux/firmware.h> | |
20 | #include <asm/unaligned.h> | |
21 | #include <linux/usb.h> | |
22 | ||
23 | #include <net/bluetooth/bluetooth.h> | |
24 | #include <net/bluetooth/hci_core.h> | |
25 | ||
26 | #include "btrtl.h" | |
27 | ||
#define VERSION "0.1"

/* Eight bytes compared against the start of a firmware image. */
#define RTL_EPATCH_SIGNATURE	"Realtech"

/* LMP subversion values matched by the setup code in this file. */
#define RTL_ROM_LMP_3499	0x3499
#define RTL_ROM_LMP_8723A	0x1200
#define RTL_ROM_LMP_8723B	0x8723
#define RTL_ROM_LMP_8821A	0x8821
#define RTL_ROM_LMP_8761A	0x8761
#define RTL_ROM_LMP_8822B	0x8822
db33c77d CC |
37 | |
/*
 * Query the controller's ROM version with vendor command 0xfc6d.
 *
 * On success the version byte of the reply is stored in *version and 0 is
 * returned.  A failed command returns the error from __hci_cmd_sync(); a
 * reply whose length differs from struct rtl_rom_version_evt returns -EIO.
 *
 * NOTE(review): the reply's status field is logged but never checked, so a
 * version byte is accepted whatever status the controller reported.
 */
static int rtl_read_rom_version(struct hci_dev *hdev, u8 *version)
{
	struct rtl_rom_version_evt *evt;
	struct sk_buff *reply;
	int err = 0;

	/* Read RTL ROM version command */
	reply = __hci_cmd_sync(hdev, 0xfc6d, 0, NULL, HCI_INIT_TIMEOUT);
	if (IS_ERR(reply)) {
		BT_ERR("%s: Read ROM version failed (%ld)",
		       hdev->name, PTR_ERR(reply));
		return PTR_ERR(reply);
	}

	/* Only an exactly-sized reply is cast to the event structure. */
	if (reply->len == sizeof(*evt)) {
		evt = (struct rtl_rom_version_evt *)reply->data;
		bt_dev_info(hdev, "rom_version status=%x version=%x",
			    evt->status, evt->version);
		*version = evt->version;
	} else {
		BT_ERR("%s: RTL version event length mismatch", hdev->name);
		err = -EIO;
	}

	kfree_skb(reply);
	return err;
}
66 | ||
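/*
 * Validate an epatch firmware image and extract the patch for this chip.
 *
 * The image is checked in this order: minimum size, trailing extension
 * signature, project ID found by walking the instructions backwards from the
 * end, project ID against lmp_subver, leading EPATCH signature, and finally
 * the patch table entry whose chip ID equals rom_version + 1.
 *
 * Every offset and length read from the image is treated as untrusted and is
 * bounds-checked against fw->size before it is used.
 *
 * On success returns the patch length and stores in *_buf a kmalloc'd copy of
 * the patch with its last four bytes replaced by the header's fw_version; the
 * caller owns that buffer and must kfree() it.  Returns a negative errno on
 * failure, in which case *_buf is not written.
 */
static int rtl8723b_parse_firmware(struct hci_dev *hdev, u16 lmp_subver,
				   const struct firmware *fw,
				   unsigned char **_buf)
{
	const u8 extension_sig[] = { 0x51, 0x04, 0xfd, 0x77 };
	const struct rtl_epatch_header *epatch_info;
	unsigned char *buf;
	int i, ret, len;
	size_t min_size;
	u8 opcode, length, data, rom_version = 0;
	int project_id = -1;
	const unsigned char *fwptr, *chip_id_base;
	const unsigned char *patch_length_base, *patch_offset_base;
	u32 patch_offset = 0;
	u16 patch_length = 0, num_patches;
	static const struct {
		__u16 lmp_subver;
		__u8 id;
	} project_id_to_lmp_subver[] = {
		{ RTL_ROM_LMP_8723A, 0 },
		{ RTL_ROM_LMP_8723B, 1 },
		{ RTL_ROM_LMP_8821A, 2 },
		{ RTL_ROM_LMP_8761A, 3 },
		{ RTL_ROM_LMP_8822B, 8 },
	};

	ret = rtl_read_rom_version(hdev, &rom_version);
	if (ret)
		return ret;

	/* Header, one 3-byte instruction and the extension signature. */
	min_size = sizeof(struct rtl_epatch_header) + sizeof(extension_sig) + 3;
	if (fw->size < min_size)
		return -EINVAL;

	fwptr = fw->data + fw->size - sizeof(extension_sig);
	if (memcmp(fwptr, extension_sig, sizeof(extension_sig)) != 0) {
		BT_ERR("%s: extension section signature mismatch", hdev->name);
		return -EINVAL;
	}

	/* Loop from the end of the firmware parsing instructions, until
	 * we find an instruction that identifies the "project ID" for the
	 * hardware supported by this firmware file.
	 * Once we have that, we double-check that that project_id is suitable
	 * for the hardware we are working with.
	 */
	while (fwptr >= fw->data + (sizeof(struct rtl_epatch_header) + 3)) {
		opcode = *--fwptr;
		length = *--fwptr;
		data = *--fwptr;

		BT_DBG("check op=%x len=%x data=%x", opcode, length, data);

		if (opcode == 0xff) /* EOF */
			break;

		if (length == 0) {
			BT_ERR("%s: found instruction with length 0",
			       hdev->name);
			return -EINVAL;
		}

		if (opcode == 0 && length == 1) {
			project_id = data;
			break;
		}

		/* The length byte comes from the file: never step the cursor
		 * to before the start of the image.  Stopping here ends in
		 * the "failed to find version instruction" error below.
		 */
		if (length > fwptr - fw->data)
			break;

		fwptr -= length;
	}

	if (project_id < 0) {
		BT_ERR("%s: failed to find version instruction", hdev->name);
		return -EINVAL;
	}

	/* Find project_id in table */
	for (i = 0; i < ARRAY_SIZE(project_id_to_lmp_subver); i++) {
		if (project_id == project_id_to_lmp_subver[i].id)
			break;
	}

	if (i >= ARRAY_SIZE(project_id_to_lmp_subver)) {
		BT_ERR("%s: unknown project id %d", hdev->name, project_id);
		return -EINVAL;
	}

	if (lmp_subver != project_id_to_lmp_subver[i].lmp_subver) {
		BT_ERR("%s: firmware is for %x but this is a %x", hdev->name,
		       project_id_to_lmp_subver[i].lmp_subver, lmp_subver);
		return -EINVAL;
	}

	epatch_info = (const struct rtl_epatch_header *)fw->data;
	if (memcmp(epatch_info->signature, RTL_EPATCH_SIGNATURE, 8) != 0) {
		BT_ERR("%s: bad EPATCH signature", hdev->name);
		return -EINVAL;
	}

	num_patches = le16_to_cpu(epatch_info->num_patches);
	BT_DBG("fw_version=%x, num_patches=%d",
	       le32_to_cpu(epatch_info->fw_version), num_patches);

	/* After the rtl_epatch_header there is a funky patch metadata section.
	 * Assuming 2 patches, the layout is:
	 * ChipID1 ChipID2 PatchLength1 PatchLength2 PatchOffset1 PatchOffset2
	 *
	 * Find the right patch for this chip.
	 */
	min_size += 8 * num_patches;
	if (fw->size < min_size)
		return -EINVAL;

	chip_id_base = fw->data + sizeof(struct rtl_epatch_header);
	patch_length_base = chip_id_base + (sizeof(u16) * num_patches);
	patch_offset_base = patch_length_base + (sizeof(u16) * num_patches);
	for (i = 0; i < num_patches; i++) {
		u16 chip_id = get_unaligned_le16(chip_id_base +
						 (i * sizeof(u16)));
		if (chip_id == rom_version + 1) {
			patch_length = get_unaligned_le16(patch_length_base +
							  (i * sizeof(u16)));
			patch_offset = get_unaligned_le32(patch_offset_base +
							  (i * sizeof(u32)));
			break;
		}
	}

	/* An offset of zero doubles as the "no matching entry" marker. */
	if (!patch_offset) {
		BT_ERR("%s: didn't find patch for chip id %d",
		       hdev->name, rom_version);
		return -EINVAL;
	}

	BT_DBG("length=%x offset=%x index %d", patch_length, patch_offset, i);

	/* Both fields come from the file.  Check the range by subtraction:
	 * the sum patch_offset + patch_length is computed in 32 bits and can
	 * wrap to a small value that passes a naive size comparison.  The
	 * patch must also hold at least the four version bytes written below,
	 * otherwise that write would land before the start of the copy.
	 */
	if (patch_length < 4 || patch_offset > fw->size ||
	    patch_length > fw->size - patch_offset) {
		BT_ERR("%s: patch offset/length outside firmware image",
		       hdev->name);
		return -EINVAL;
	}

	/* Copy the firmware into a new buffer and write the version at
	 * the end.
	 */
	len = patch_length;
	buf = kmemdup(fw->data + patch_offset, patch_length, GFP_KERNEL);
	if (!buf)
		return -ENOMEM;

	memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);

	*_buf = buf;
	return len;
}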
218 | ||
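/*
 * Send a firmware image to the controller in RTL_FRAG_LEN-sized fragments
 * using vendor command 0xfc20.
 *
 * The final fragment carries fw_len % RTL_FRAG_LEN bytes (possibly zero) and
 * has bit 0x80 set in its index to mark the end of the data.
 *
 * Returns 0 on success or a negative errno: -EINVAL for a negative fw_len,
 * -ENOMEM if the command buffer cannot be allocated, the error from
 * __hci_cmd_sync(), or -EIO when a reply has an unexpected length.
 *
 * NOTE(review): only the reply length is checked; the contents of
 * struct rtl_download_response are not examined here.
 */
static int rtl_download_firmware(struct hci_dev *hdev,
				 const unsigned char *data, int fw_len)
{
	struct rtl_download_cmd *dl_cmd;
	int frag_num;
	int frag_len = RTL_FRAG_LEN;
	int ret = 0;
	int i;

	/* A negative length would become a huge memcpy() size below. */
	if (fw_len < 0)
		return -EINVAL;

	frag_num = fw_len / RTL_FRAG_LEN + 1;

	dl_cmd = kmalloc(sizeof(*dl_cmd), GFP_KERNEL);
	if (!dl_cmd)
		return -ENOMEM;

	for (i = 0; i < frag_num; i++) {
		struct sk_buff *skb;

		BT_DBG("download fw (%d/%d)", i, frag_num);

		/* NOTE(review): struct rtl_download_cmd is declared in
		 * btrtl.h (not shown).  If index is a single byte, an image
		 * needing more than 0x80 fragments would have its counter
		 * collide with the end flag - confirm against the header.
		 */
		dl_cmd->index = i;
		if (i == (frag_num - 1)) {
			dl_cmd->index |= 0x80; /* data end */
			frag_len = fw_len % RTL_FRAG_LEN;
		}
		memcpy(dl_cmd->data, data, frag_len);

		/* Send download command */
		skb = __hci_cmd_sync(hdev, 0xfc20, frag_len + 1, dl_cmd,
				     HCI_INIT_TIMEOUT);
		if (IS_ERR(skb)) {
			BT_ERR("%s: download fw command failed (%ld)",
			       hdev->name, PTR_ERR(skb));
			/* PTR_ERR() is already a negative errno; negating it
			 * would hand callers a positive value that fails their
			 * "ret < 0" checks.
			 */
			ret = PTR_ERR(skb);
			goto out;
		}

		if (skb->len != sizeof(struct rtl_download_response)) {
			BT_ERR("%s: download fw event length mismatch",
			       hdev->name);
			kfree_skb(skb);
			ret = -EIO;
			goto out;
		}

		kfree_skb(skb);
		data += RTL_FRAG_LEN;
	}

out:
	kfree(dl_cmd);
	return ret;
}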
270 | ||
1110a2db LF |
/*
 * Load the config blob called name and hand back a private copy.
 *
 * On success *buff points to a kmemdup'd copy of the file that the caller
 * must kfree(), and the file size is returned.  Returns the error from
 * request_firmware() if the file cannot be loaded (*buff is then left
 * untouched), or -ENOMEM if the copy cannot be allocated (*buff is NULL).
 */
static int rtl_load_config(struct hci_dev *hdev, const char *name, u8 **buff)
{
	const struct firmware *cfg;
	int size;

	bt_dev_info(hdev, "rtl: loading %s", name);
	size = request_firmware(&cfg, name, &hdev->dev);
	if (size < 0)
		return size;

	size = cfg->size;
	*buff = kmemdup(cfg->data, size, GFP_KERNEL);

	/* The copy is independent of the firmware object from here on. */
	release_firmware(cfg);

	return *buff ? size : -ENOMEM;
}
289 | ||
db33c77d CC |
/*
 * Load rtl_bt/rtl8723a_fw.bin and download it to the controller.
 *
 * The image is rejected with -EINVAL if it is shorter than 8 bytes or if it
 * starts with the EPATCH signature.  Otherwise returns the result of
 * request_firmware() or rtl_download_firmware().
 */
static int btrtl_setup_rtl8723a(struct hci_dev *hdev)
{
	const struct firmware *image;
	int err;

	bt_dev_info(hdev, "rtl: loading rtl_bt/rtl8723a_fw.bin");
	err = request_firmware(&image, "rtl_bt/rtl8723a_fw.bin", &hdev->dev);
	if (err < 0) {
		BT_ERR("%s: Failed to load rtl_bt/rtl8723a_fw.bin", hdev->name);
		return err;
	}

	if (image->size < 8) {
		/* Too short to compare against the 8-byte signature. */
		err = -EINVAL;
	} else if (!memcmp(image->data, RTL_EPATCH_SIGNATURE, 8)) {
		/* Check that the firmware doesn't have the epatch signature
		 * (which is only for RTL8723B and newer).
		 */
		BT_ERR("%s: unexpected EPATCH signature!", hdev->name);
		err = -EINVAL;
	} else {
		err = rtl_download_firmware(hdev, image->data, image->size);
	}

	release_firmware(image);
	return err;
}
322 | ||
/*
 * Load the epatch firmware fw_name, append the chip's config blob when one
 * is available, and download the result to the controller.
 *
 * The config file name is chosen from lmp_subver.  A config file that fails
 * to load is treated as absent (size 0); for RTL_ROM_LMP_8822B an error is
 * logged in that case.
 *
 * NOTE(review): a missing "necessary" config is only logged; the download
 * still proceeds with the firmware alone.
 *
 * Returns the result of rtl_download_firmware(), or a negative errno from
 * request_firmware(), rtl8723b_parse_firmware() or a failed allocation.
 */
static int btrtl_setup_rtl8723b(struct hci_dev *hdev, u16 lmp_subver,
				const char *fw_name)
{
	unsigned char *fw_data = NULL;
	const struct firmware *fw;
	u8 *cfg_buff = NULL;
	char *cfg_name = NULL;
	bool config_needed = false;
	int cfg_sz = 0;
	int ret;

	switch (lmp_subver) {
	case RTL_ROM_LMP_8723B:
		cfg_name = "rtl_bt/rtl8723b_config.bin";
		break;
	case RTL_ROM_LMP_8821A:
		cfg_name = "rtl_bt/rtl8821a_config.bin";
		break;
	case RTL_ROM_LMP_8761A:
		cfg_name = "rtl_bt/rtl8761a_config.bin";
		break;
	case RTL_ROM_LMP_8822B:
		cfg_name = "rtl_bt/rtl8822b_config.bin";
		config_needed = true;
		break;
	default:
		BT_ERR("%s: rtl: no config according to lmp_subver %04x",
		       hdev->name, lmp_subver);
		break;
	}

	if (cfg_name) {
		cfg_sz = rtl_load_config(hdev, cfg_name, &cfg_buff);
		if (cfg_sz < 0) {
			/* A load failure is handled as "no config". */
			cfg_sz = 0;
			if (config_needed)
				BT_ERR("Necessary config file %s not found\n",
				       cfg_name);
		}
	}

	bt_dev_info(hdev, "rtl: loading %s", fw_name);
	ret = request_firmware(&fw, fw_name, &hdev->dev);
	if (ret < 0) {
		BT_ERR("%s: Failed to load %s", hdev->name, fw_name);
		goto free_cfg;
	}

	ret = rtl8723b_parse_firmware(hdev, lmp_subver, fw, &fw_data);
	if (ret < 0)
		goto release;

	if (cfg_sz) {
		/* Build one buffer holding the patch followed by the config. */
		u8 *merged = kzalloc(ret + cfg_sz, GFP_KERNEL);

		if (!merged) {
			ret = -ENOMEM;
			goto release;
		}

		memcpy(merged, fw_data, ret);
		memcpy(merged + ret, cfg_buff, cfg_sz);
		kfree(fw_data);

		fw_data = merged;
		ret += cfg_sz;
	}

	bt_dev_info(hdev, "cfg_sz %d, total size %d", cfg_sz, ret);

	ret = rtl_download_firmware(hdev, fw_data, ret);

release:
	release_firmware(fw);
	kfree(fw_data);
free_cfg:
	if (cfg_sz)
		kfree(cfg_buff);
	return ret;
}
405 | ||
/*
 * Issue HCI_OP_READ_LOCAL_VERSION and return the reply.
 *
 * Returns the reply skb, which the caller must release with kfree_skb(), or
 * an ERR_PTR: the error from __hci_cmd_sync(), or -EIO when the reply length
 * differs from struct hci_rp_read_local_version.
 */
static struct sk_buff *btrtl_read_local_version(struct hci_dev *hdev)
{
	struct sk_buff *rsp = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION,
					     0, NULL, HCI_INIT_TIMEOUT);

	if (IS_ERR(rsp)) {
		BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
		       hdev->name, PTR_ERR(rsp));
		return rsp;
	}

	/* Callers cast skb->data to the reply struct, so require an exact fit. */
	if (rsp->len == sizeof(struct hci_rp_read_local_version))
		return rsp;

	BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
	       hdev->name);
	kfree_skb(rsp);
	return ERR_PTR(-EIO);
}
427 | ||
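/*
 * Read the controller's local version and, when its LMP subversion matches a
 * known stock ROM, upload the corresponding replacement firmware.
 *
 * Returns 0 when no upload is needed or the upload succeeded, otherwise a
 * negative errno from the version query or from the chip-specific setup.
 */
int btrtl_setup_realtek(struct hci_dev *hdev)
{
	struct sk_buff *skb;
	struct hci_rp_read_local_version *resp;
	u16 lmp_subver;

	skb = btrtl_read_local_version(hdev);
	if (IS_ERR(skb)) {
		/* PTR_ERR() already yields a negative errno; negating it
		 * would return a positive value that callers testing
		 * "ret < 0" would not treat as a failure.
		 */
		return PTR_ERR(skb);
	}

	resp = (struct hci_rp_read_local_version *)skb->data;
	/* hci_rev and lmp_subver are logged as received, without the
	 * le16_to_cpu() conversion applied to lmp_subver below.
	 */
	bt_dev_info(hdev, "rtl: examining hci_ver=%02x hci_rev=%04x "
		    "lmp_ver=%02x lmp_subver=%04x",
		    resp->hci_ver, resp->hci_rev,
		    resp->lmp_ver, resp->lmp_subver);

	lmp_subver = le16_to_cpu(resp->lmp_subver);
	kfree_skb(skb);

	/* Match a set of subver values that correspond to stock firmware,
	 * which is not compatible with standard btusb.
	 * If matched, upload an alternative firmware that does conform to
	 * standard btusb. Once that firmware is uploaded, the subver changes
	 * to a different value.
	 */
	switch (lmp_subver) {
	case RTL_ROM_LMP_8723A:
	case RTL_ROM_LMP_3499:
		return btrtl_setup_rtl8723a(hdev);
	case RTL_ROM_LMP_8723B:
		return btrtl_setup_rtl8723b(hdev, lmp_subver,
					    "rtl_bt/rtl8723b_fw.bin");
	case RTL_ROM_LMP_8821A:
		return btrtl_setup_rtl8723b(hdev, lmp_subver,
					    "rtl_bt/rtl8821a_fw.bin");
	case RTL_ROM_LMP_8761A:
		return btrtl_setup_rtl8723b(hdev, lmp_subver,
					    "rtl_bt/rtl8761a_fw.bin");
	case RTL_ROM_LMP_8822B:
		return btrtl_setup_rtl8723b(hdev, lmp_subver,
					    "rtl_bt/rtl8822b_fw.bin");
	default:
		bt_dev_info(hdev, "rtl: assuming no firmware upload needed");
		return 0;
	}
}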
EXPORT_SYMBOL_GPL(btrtl_setup_realtek);

/* Module metadata; VERSION is the string defined at the top of this file. */
MODULE_AUTHOR("Daniel Drake <drake@endlessm.com>");
MODULE_DESCRIPTION("Bluetooth support for Realtek devices ver " VERSION);
MODULE_VERSION(VERSION);
MODULE_LICENSE("GPL");