1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * BCM47XX MTD partitioning
4 *
5 * Copyright © 2012 Rafał Miłecki <zajec5@gmail.com>
6 */
7
8 #include <linux/bcm47xx_nvram.h>
9 #include <linux/module.h>
10 #include <linux/kernel.h>
11 #include <linux/slab.h>
12 #include <linux/mtd/mtd.h>
13 #include <linux/mtd/partitions.h>
14
15 #include <uapi/linux/magic.h>
16
17 /*
18 * NAND flash on Netgear R6250 was verified to contain 15 partitions.
19 * This will result in allocating too big array for some old devices, but the
20 * memory will be freed soon anyway (see mtd_device_parse_register).
21 */
22 #define BCM47XXPART_MAX_PARTS 20
23
24 /*
25 * Amount of bytes we read when analyzing each block of flash memory.
26 * Set it big enough to allow detecting partition and reading important data.
27 */
28 #define BCM47XXPART_BYTES_TO_READ 0x4e8
29
30 /* Magics */
31 #define BOARD_DATA_MAGIC 0x5246504D /* MPFR */
32 #define BOARD_DATA_MAGIC2 0xBD0D0BBD
33 #define CFE_MAGIC 0x43464531 /* 1EFC */
34 #define FACTORY_MAGIC 0x59544346 /* FCTY */
35 #define NVRAM_HEADER 0x48534C46 /* FLSH */
36 #define POT_MAGIC1 0x54544f50 /* POTT */
37 #define POT_MAGIC2 0x504f /* OP */
38 #define ML_MAGIC1 0x39685a42
39 #define ML_MAGIC2 0x26594131
40 #define TRX_MAGIC 0x30524448
41 #define SHSQ_MAGIC 0x71736873 /* shsq (weird ZTE H218N endianness) */
42
43 static const char * const trx_types[] = { "trx", NULL };
44
45 struct trx_header {
46 uint32_t magic;
47 uint32_t length;
48 uint32_t crc32;
49 uint16_t flags;
50 uint16_t version;
51 uint32_t offset[3];
52 } __packed;
53
bcm47xxpart_add_part(struct mtd_partition * part,const char * name,u64 offset,uint32_t mask_flags)54 static void bcm47xxpart_add_part(struct mtd_partition *part, const char *name,
55 u64 offset, uint32_t mask_flags)
56 {
57 part->name = name;
58 part->offset = offset;
59 part->mask_flags = mask_flags;
60 }
61
62 /**
63 * bcm47xxpart_bootpartition - gets index of TRX partition used by bootloader
64 *
65 * Some devices may have more than one TRX partition. In such case one of them
66 * is the main one and another a failsafe one. Bootloader may fallback to the
67 * failsafe firmware if it detects corruption of the main image.
68 *
69 * This function provides info about currently used TRX partition. It's the one
70 * containing kernel started by the bootloader.
71 */
bcm47xxpart_bootpartition(void)72 static int bcm47xxpart_bootpartition(void)
73 {
74 char buf[4];
75 int bootpartition;
76
77 /* Check CFE environment variable */
78 if (bcm47xx_nvram_getenv("bootpartition", buf, sizeof(buf)) > 0) {
79 if (!kstrtoint(buf, 0, &bootpartition))
80 return bootpartition;
81 }
82
83 return 0;
84 }
85
bcm47xxpart_parse(struct mtd_info * master,const struct mtd_partition ** pparts,struct mtd_part_parser_data * data)86 static int bcm47xxpart_parse(struct mtd_info *master,
87 const struct mtd_partition **pparts,
88 struct mtd_part_parser_data *data)
89 {
90 struct mtd_partition *parts;
91 uint8_t i, curr_part = 0;
92 uint32_t *buf;
93 size_t bytes_read;
94 uint32_t offset;
95 uint32_t blocksize = master->erasesize;
96 int trx_parts[2]; /* Array with indexes of TRX partitions */
97 int trx_num = 0; /* Number of found TRX partitions */
98 static const int possible_nvram_sizes[] = { 0x8000, 0xF000, 0x10000, };
99 int err;
100
101 /*
102 * Some really old flashes (like AT45DB*) had smaller erasesize-s, but
103 * partitions were aligned to at least 0x1000 anyway.
104 */
105 if (blocksize < 0x1000)
106 blocksize = 0x1000;
107
108 /* Alloc */
109 parts = kzalloc_objs(struct mtd_partition, BCM47XXPART_MAX_PARTS);
110 if (!parts)
111 return -ENOMEM;
112
113 buf = kzalloc(BCM47XXPART_BYTES_TO_READ, GFP_KERNEL);
114 if (!buf) {
115 kfree(parts);
116 return -ENOMEM;
117 }
118
119 /* Parse block by block looking for magics */
120 for (offset = 0; offset <= master->size - blocksize;
121 offset += blocksize) {
122 /* Nothing more in higher memory on BCM47XX (MIPS) */
123 if (IS_ENABLED(CONFIG_BCM47XX) && offset >= 0x2000000)
124 break;
125
126 if (curr_part >= BCM47XXPART_MAX_PARTS) {
127 pr_warn("Reached maximum number of partitions, scanning stopped!\n");
128 break;
129 }
130
131 /* Read beginning of the block */
132 err = mtd_read(master, offset, BCM47XXPART_BYTES_TO_READ,
133 &bytes_read, (uint8_t *)buf);
134 if (err && !mtd_is_bitflip(err)) {
135 pr_err("mtd_read error while parsing (offset: 0x%X): %d\n",
136 offset, err);
137 continue;
138 }
139
140 /* Magic or small NVRAM at 0x400 */
141 if ((buf[0x4e0 / 4] == CFE_MAGIC && buf[0x4e4 / 4] == CFE_MAGIC) ||
142 (buf[0x400 / 4] == NVRAM_HEADER)) {
143 bcm47xxpart_add_part(&parts[curr_part++], "boot",
144 offset, MTD_WRITEABLE);
145 continue;
146 }
147
148 /*
149 * board_data starts with board_id which differs across boards,
150 * but we can use 'MPFR' (hopefully) magic at 0x100
151 */
152 if (buf[0x100 / 4] == BOARD_DATA_MAGIC) {
153 bcm47xxpart_add_part(&parts[curr_part++], "board_data",
154 offset, MTD_WRITEABLE);
155 continue;
156 }
157
158 /* Found on Huawei E970 */
159 if (buf[0x000 / 4] == FACTORY_MAGIC) {
160 bcm47xxpart_add_part(&parts[curr_part++], "factory",
161 offset, MTD_WRITEABLE);
162 continue;
163 }
164
165 /* POT(TOP) */
166 if (buf[0x000 / 4] == POT_MAGIC1 &&
167 (buf[0x004 / 4] & 0xFFFF) == POT_MAGIC2) {
168 bcm47xxpart_add_part(&parts[curr_part++], "POT", offset,
169 MTD_WRITEABLE);
170 continue;
171 }
172
173 /* ML */
174 if (buf[0x010 / 4] == ML_MAGIC1 &&
175 buf[0x014 / 4] == ML_MAGIC2) {
176 bcm47xxpart_add_part(&parts[curr_part++], "ML", offset,
177 MTD_WRITEABLE);
178 continue;
179 }
180
181 /* TRX */
182 if (buf[0x000 / 4] == TRX_MAGIC) {
183 struct trx_header *trx;
184 uint32_t last_subpart;
185 uint32_t trx_size;
186
187 if (trx_num >= ARRAY_SIZE(trx_parts))
188 pr_warn("No enough space to store another TRX found at 0x%X\n",
189 offset);
190 else
191 trx_parts[trx_num++] = curr_part;
192 bcm47xxpart_add_part(&parts[curr_part++], "firmware",
193 offset, 0);
194
195 /*
196 * Try to find TRX size. The "length" field isn't fully
197 * reliable as it could be decreased to make CRC32 cover
198 * only part of TRX data. It's commonly used as checksum
199 * can't cover e.g. ever-changing rootfs partition.
200 * Use offsets as helpers for assuming min TRX size.
201 */
202 trx = (struct trx_header *)buf;
203 last_subpart = max3(trx->offset[0], trx->offset[1],
204 trx->offset[2]);
205 trx_size = max(trx->length, last_subpart + blocksize);
206
207 /*
208 * Skip the TRX data. Decrease offset by block size as
209 * the next loop iteration will increase it.
210 */
211 offset += roundup(trx_size, blocksize) - blocksize;
212 continue;
213 }
214
215 /* Squashfs on devices not using TRX */
216 if (le32_to_cpu(buf[0x000 / 4]) == SQUASHFS_MAGIC ||
217 buf[0x000 / 4] == SHSQ_MAGIC) {
218 bcm47xxpart_add_part(&parts[curr_part++], "rootfs",
219 offset, 0);
220 continue;
221 }
222
223 /*
224 * New (ARM?) devices may have NVRAM in some middle block. Last
225 * block will be checked later, so skip it.
226 */
227 if (offset != master->size - blocksize &&
228 buf[0x000 / 4] == NVRAM_HEADER) {
229 bcm47xxpart_add_part(&parts[curr_part++], "nvram",
230 offset, 0);
231 continue;
232 }
233
234 /* Read middle of the block */
235 err = mtd_read(master, offset + (blocksize / 2), 0x4, &bytes_read,
236 (uint8_t *)buf);
237 if (err && !mtd_is_bitflip(err)) {
238 pr_err("mtd_read error while parsing (offset: 0x%X): %d\n",
239 offset + (blocksize / 2), err);
240 continue;
241 }
242
243 /* Some devices (ex. WNDR3700v3) don't have a standard 'MPFR' */
244 if (buf[0x000 / 4] == BOARD_DATA_MAGIC2) {
245 bcm47xxpart_add_part(&parts[curr_part++], "board_data",
246 offset, MTD_WRITEABLE);
247 continue;
248 }
249 }
250
251 /* Look for NVRAM at the end of the last block. */
252 for (i = 0; i < ARRAY_SIZE(possible_nvram_sizes); i++) {
253 if (curr_part >= BCM47XXPART_MAX_PARTS) {
254 pr_warn("Reached maximum number of partitions, scanning stopped!\n");
255 break;
256 }
257
258 offset = master->size - possible_nvram_sizes[i];
259 err = mtd_read(master, offset, 0x4, &bytes_read,
260 (uint8_t *)buf);
261 if (err && !mtd_is_bitflip(err)) {
262 pr_err("mtd_read error while reading (offset 0x%X): %d\n",
263 offset, err);
264 continue;
265 }
266
267 /* Standard NVRAM */
268 if (buf[0] == NVRAM_HEADER) {
269 bcm47xxpart_add_part(&parts[curr_part++], "nvram",
270 master->size - blocksize, 0);
271 break;
272 }
273 }
274
275 kfree(buf);
276
277 /*
278 * Assume that partitions end at the beginning of the one they are
279 * followed by.
280 */
281 for (i = 0; i < curr_part; i++) {
282 u64 next_part_offset = (i < curr_part - 1) ?
283 parts[i + 1].offset : master->size;
284
285 parts[i].size = next_part_offset - parts[i].offset;
286 }
287
288 /* If there was TRX parse it now */
289 for (i = 0; i < trx_num; i++) {
290 struct mtd_partition *trx = &parts[trx_parts[i]];
291
292 if (i == bcm47xxpart_bootpartition())
293 trx->types = trx_types;
294 else
295 trx->name = "failsafe";
296 }
297
298 *pparts = parts;
299 return curr_part;
300 };
301
302 static const struct of_device_id bcm47xxpart_of_match_table[] = {
303 { .compatible = "brcm,bcm947xx-cfe-partitions" },
304 {},
305 };
306 MODULE_DEVICE_TABLE(of, bcm47xxpart_of_match_table);
307
308 static struct mtd_part_parser bcm47xxpart_mtd_parser = {
309 .parse_fn = bcm47xxpart_parse,
310 .name = "bcm47xxpart",
311 .of_match_table = bcm47xxpart_of_match_table,
312 };
313 module_mtd_part_parser(bcm47xxpart_mtd_parser);
314
315 MODULE_LICENSE("GPL");
316 MODULE_DESCRIPTION("MTD partitioning for BCM47XX flash memories");
317