1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * BCM47XX MTD partitioning
4 *
5 * Copyright © 2012 Rafał Miłecki <zajec5@gmail.com>
6 */
7
8 #include <linux/bcm47xx_nvram.h>
9 #include <linux/module.h>
10 #include <linux/kernel.h>
11 #include <linux/slab.h>
12 #include <linux/mtd/mtd.h>
13 #include <linux/mtd/partitions.h>
14
15 #include <uapi/linux/magic.h>
16
17 /*
18 * NAND flash on Netgear R6250 was verified to contain 15 partitions.
19 * This will result in allocating too big array for some old devices, but the
20 * memory will be freed soon anyway (see mtd_device_parse_register).
21 */
22 #define BCM47XXPART_MAX_PARTS 20
23
24 /*
25 * Amount of bytes we read when analyzing each block of flash memory.
26 * Set it big enough to allow detecting partition and reading important data.
27 */
28 #define BCM47XXPART_BYTES_TO_READ 0x4e8
29
30 /* Magics */
31 #define BOARD_DATA_MAGIC 0x5246504D /* MPFR */
32 #define BOARD_DATA_MAGIC2 0xBD0D0BBD
33 #define CFE_MAGIC 0x43464531 /* 1EFC */
34 #define FACTORY_MAGIC 0x59544346 /* FCTY */
35 #define NVRAM_HEADER 0x48534C46 /* FLSH */
36 #define POT_MAGIC1 0x54544f50 /* POTT */
37 #define POT_MAGIC2 0x504f /* OP */
38 #define ML_MAGIC1 0x39685a42
39 #define ML_MAGIC2 0x26594131
40 #define TRX_MAGIC 0x30524448
41 #define SHSQ_MAGIC 0x71736873 /* shsq (weird ZTE H218N endianness) */
42
43 static const char * const trx_types[] = { "trx", NULL };
44
45 struct trx_header {
46 uint32_t magic;
47 uint32_t length;
48 uint32_t crc32;
49 uint16_t flags;
50 uint16_t version;
51 uint32_t offset[3];
52 } __packed;
53
bcm47xxpart_add_part(struct mtd_partition * part,const char * name,u64 offset,uint32_t mask_flags)54 static void bcm47xxpart_add_part(struct mtd_partition *part, const char *name,
55 u64 offset, uint32_t mask_flags)
56 {
57 part->name = name;
58 part->offset = offset;
59 part->mask_flags = mask_flags;
60 }
61
62 /**
63 * bcm47xxpart_bootpartition - gets index of TRX partition used by bootloader
64 *
65 * Some devices may have more than one TRX partition. In such case one of them
66 * is the main one and another a failsafe one. Bootloader may fallback to the
67 * failsafe firmware if it detects corruption of the main image.
68 *
69 * This function provides info about currently used TRX partition. It's the one
70 * containing kernel started by the bootloader.
71 */
bcm47xxpart_bootpartition(void)72 static int bcm47xxpart_bootpartition(void)
73 {
74 char buf[4];
75 int bootpartition;
76
77 /* Check CFE environment variable */
78 if (bcm47xx_nvram_getenv("bootpartition", buf, sizeof(buf)) > 0) {
79 if (!kstrtoint(buf, 0, &bootpartition))
80 return bootpartition;
81 }
82
83 return 0;
84 }
85
bcm47xxpart_parse(struct mtd_info * master,const struct mtd_partition ** pparts,struct mtd_part_parser_data * data)86 static int bcm47xxpart_parse(struct mtd_info *master,
87 const struct mtd_partition **pparts,
88 struct mtd_part_parser_data *data)
89 {
90 struct mtd_partition *parts;
91 uint8_t i, curr_part = 0;
92 uint32_t *buf;
93 size_t bytes_read;
94 uint32_t offset;
95 uint32_t blocksize = master->erasesize;
96 int trx_parts[2]; /* Array with indexes of TRX partitions */
97 int trx_num = 0; /* Number of found TRX partitions */
98 static const int possible_nvram_sizes[] = { 0x8000, 0xF000, 0x10000, };
99 int err;
100
101 /*
102 * Some really old flashes (like AT45DB*) had smaller erasesize-s, but
103 * partitions were aligned to at least 0x1000 anyway.
104 */
105 if (blocksize < 0x1000)
106 blocksize = 0x1000;
107
108 /* Alloc */
109 parts = kcalloc(BCM47XXPART_MAX_PARTS, sizeof(struct mtd_partition),
110 GFP_KERNEL);
111 if (!parts)
112 return -ENOMEM;
113
114 buf = kzalloc(BCM47XXPART_BYTES_TO_READ, GFP_KERNEL);
115 if (!buf) {
116 kfree(parts);
117 return -ENOMEM;
118 }
119
120 /* Parse block by block looking for magics */
121 for (offset = 0; offset <= master->size - blocksize;
122 offset += blocksize) {
123 /* Nothing more in higher memory on BCM47XX (MIPS) */
124 if (IS_ENABLED(CONFIG_BCM47XX) && offset >= 0x2000000)
125 break;
126
127 if (curr_part >= BCM47XXPART_MAX_PARTS) {
128 pr_warn("Reached maximum number of partitions, scanning stopped!\n");
129 break;
130 }
131
132 /* Read beginning of the block */
133 err = mtd_read(master, offset, BCM47XXPART_BYTES_TO_READ,
134 &bytes_read, (uint8_t *)buf);
135 if (err && !mtd_is_bitflip(err)) {
136 pr_err("mtd_read error while parsing (offset: 0x%X): %d\n",
137 offset, err);
138 continue;
139 }
140
141 /* Magic or small NVRAM at 0x400 */
142 if ((buf[0x4e0 / 4] == CFE_MAGIC && buf[0x4e4 / 4] == CFE_MAGIC) ||
143 (buf[0x400 / 4] == NVRAM_HEADER)) {
144 bcm47xxpart_add_part(&parts[curr_part++], "boot",
145 offset, MTD_WRITEABLE);
146 continue;
147 }
148
149 /*
150 * board_data starts with board_id which differs across boards,
151 * but we can use 'MPFR' (hopefully) magic at 0x100
152 */
153 if (buf[0x100 / 4] == BOARD_DATA_MAGIC) {
154 bcm47xxpart_add_part(&parts[curr_part++], "board_data",
155 offset, MTD_WRITEABLE);
156 continue;
157 }
158
159 /* Found on Huawei E970 */
160 if (buf[0x000 / 4] == FACTORY_MAGIC) {
161 bcm47xxpart_add_part(&parts[curr_part++], "factory",
162 offset, MTD_WRITEABLE);
163 continue;
164 }
165
166 /* POT(TOP) */
167 if (buf[0x000 / 4] == POT_MAGIC1 &&
168 (buf[0x004 / 4] & 0xFFFF) == POT_MAGIC2) {
169 bcm47xxpart_add_part(&parts[curr_part++], "POT", offset,
170 MTD_WRITEABLE);
171 continue;
172 }
173
174 /* ML */
175 if (buf[0x010 / 4] == ML_MAGIC1 &&
176 buf[0x014 / 4] == ML_MAGIC2) {
177 bcm47xxpart_add_part(&parts[curr_part++], "ML", offset,
178 MTD_WRITEABLE);
179 continue;
180 }
181
182 /* TRX */
183 if (buf[0x000 / 4] == TRX_MAGIC) {
184 struct trx_header *trx;
185 uint32_t last_subpart;
186 uint32_t trx_size;
187
188 if (trx_num >= ARRAY_SIZE(trx_parts))
189 pr_warn("No enough space to store another TRX found at 0x%X\n",
190 offset);
191 else
192 trx_parts[trx_num++] = curr_part;
193 bcm47xxpart_add_part(&parts[curr_part++], "firmware",
194 offset, 0);
195
196 /*
197 * Try to find TRX size. The "length" field isn't fully
198 * reliable as it could be decreased to make CRC32 cover
199 * only part of TRX data. It's commonly used as checksum
200 * can't cover e.g. ever-changing rootfs partition.
201 * Use offsets as helpers for assuming min TRX size.
202 */
203 trx = (struct trx_header *)buf;
204 last_subpart = max3(trx->offset[0], trx->offset[1],
205 trx->offset[2]);
206 trx_size = max(trx->length, last_subpart + blocksize);
207
208 /*
209 * Skip the TRX data. Decrease offset by block size as
210 * the next loop iteration will increase it.
211 */
212 offset += roundup(trx_size, blocksize) - blocksize;
213 continue;
214 }
215
216 /* Squashfs on devices not using TRX */
217 if (le32_to_cpu(buf[0x000 / 4]) == SQUASHFS_MAGIC ||
218 buf[0x000 / 4] == SHSQ_MAGIC) {
219 bcm47xxpart_add_part(&parts[curr_part++], "rootfs",
220 offset, 0);
221 continue;
222 }
223
224 /*
225 * New (ARM?) devices may have NVRAM in some middle block. Last
226 * block will be checked later, so skip it.
227 */
228 if (offset != master->size - blocksize &&
229 buf[0x000 / 4] == NVRAM_HEADER) {
230 bcm47xxpart_add_part(&parts[curr_part++], "nvram",
231 offset, 0);
232 continue;
233 }
234
235 /* Read middle of the block */
236 err = mtd_read(master, offset + (blocksize / 2), 0x4, &bytes_read,
237 (uint8_t *)buf);
238 if (err && !mtd_is_bitflip(err)) {
239 pr_err("mtd_read error while parsing (offset: 0x%X): %d\n",
240 offset + (blocksize / 2), err);
241 continue;
242 }
243
244 /* Some devices (ex. WNDR3700v3) don't have a standard 'MPFR' */
245 if (buf[0x000 / 4] == BOARD_DATA_MAGIC2) {
246 bcm47xxpart_add_part(&parts[curr_part++], "board_data",
247 offset, MTD_WRITEABLE);
248 continue;
249 }
250 }
251
252 /* Look for NVRAM at the end of the last block. */
253 for (i = 0; i < ARRAY_SIZE(possible_nvram_sizes); i++) {
254 if (curr_part >= BCM47XXPART_MAX_PARTS) {
255 pr_warn("Reached maximum number of partitions, scanning stopped!\n");
256 break;
257 }
258
259 offset = master->size - possible_nvram_sizes[i];
260 err = mtd_read(master, offset, 0x4, &bytes_read,
261 (uint8_t *)buf);
262 if (err && !mtd_is_bitflip(err)) {
263 pr_err("mtd_read error while reading (offset 0x%X): %d\n",
264 offset, err);
265 continue;
266 }
267
268 /* Standard NVRAM */
269 if (buf[0] == NVRAM_HEADER) {
270 bcm47xxpart_add_part(&parts[curr_part++], "nvram",
271 master->size - blocksize, 0);
272 break;
273 }
274 }
275
276 kfree(buf);
277
278 /*
279 * Assume that partitions end at the beginning of the one they are
280 * followed by.
281 */
282 for (i = 0; i < curr_part; i++) {
283 u64 next_part_offset = (i < curr_part - 1) ?
284 parts[i + 1].offset : master->size;
285
286 parts[i].size = next_part_offset - parts[i].offset;
287 }
288
289 /* If there was TRX parse it now */
290 for (i = 0; i < trx_num; i++) {
291 struct mtd_partition *trx = &parts[trx_parts[i]];
292
293 if (i == bcm47xxpart_bootpartition())
294 trx->types = trx_types;
295 else
296 trx->name = "failsafe";
297 }
298
299 *pparts = parts;
300 return curr_part;
301 };
302
303 static const struct of_device_id bcm47xxpart_of_match_table[] = {
304 { .compatible = "brcm,bcm947xx-cfe-partitions" },
305 {},
306 };
307 MODULE_DEVICE_TABLE(of, bcm47xxpart_of_match_table);
308
309 static struct mtd_part_parser bcm47xxpart_mtd_parser = {
310 .parse_fn = bcm47xxpart_parse,
311 .name = "bcm47xxpart",
312 .of_match_table = bcm47xxpart_of_match_table,
313 };
314 module_mtd_part_parser(bcm47xxpart_mtd_parser);
315
316 MODULE_LICENSE("GPL");
317 MODULE_DESCRIPTION("MTD partitioning for BCM47XX flash memories");
318