xref: /freebsd/sbin/camcontrol/fwdownload.c (revision edf8578117e8844e02c0121147f45e4609b30680)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2011 Sandvine Incorporated. All rights reserved.
5  * Copyright (c) 2002-2011 Andre Albsmeier <andre@albsmeier.net>
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer,
13  *    without modification, immediately at the beginning of the file.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 /*
31  * This software is derived from Andre Albsmeier's fwprog.c which contained
32  * the following note:
33  *
34  * Many thanks goes to Marc Frajola <marc@terasolutions.com> from
35  * TeraSolutions for the initial idea and his programme for upgrading
36  * the firmware of I*M DDYS drives.
37  */
38 
39 /*
40  * BEWARE:
41  *
42  * The fact that you see your favorite vendor listed below does not
43  * imply that your equipment won't break when you use this software
44  * with it. It only means that the firmware of at least one device type
45  * of each vendor listed has been programmed successfully using this code.
46  *
47  * The -s option simulates a download but does nothing apart from that.
48  * It can be used to check what chunk sizes would have been used with the
49  * specified device.
50  */
51 
52 #include <sys/cdefs.h>
53 #include <sys/types.h>
54 #include <sys/stat.h>
55 
56 #include <err.h>
57 #include <fcntl.h>
58 #include <stdbool.h>
59 #include <stdio.h>
60 #include <stdlib.h>
61 #include <string.h>
62 #include <unistd.h>
63 
64 #include <cam/cam.h>
65 #include <cam/scsi/scsi_all.h>
66 #include <cam/scsi/scsi_pass.h>
67 #include <cam/scsi/scsi_message.h>
68 #include <camlib.h>
69 
70 #include "progress.h"
71 
72 #include "camcontrol.h"
73 
74 #define	WB_TIMEOUT 50000	/* 50 seconds */
75 
76 typedef enum {
77 	VENDOR_HGST,
78 	VENDOR_HITACHI,
79 	VENDOR_HP,
80 	VENDOR_IBM,
81 	VENDOR_PLEXTOR,
82 	VENDOR_QUALSTAR,
83 	VENDOR_QUANTUM,
84 	VENDOR_SAMSUNG,
85 	VENDOR_SEAGATE,
86 	VENDOR_SMART,
87 	VENDOR_ATA,
88 	VENDOR_UNKNOWN
89 } fw_vendor_t;
90 
91 /*
92  * FW_TUR_READY:     The drive must return good status for a test unit ready.
93  *
94  * FW_TUR_NOT_READY: The drive must return not ready status for a test unit
95  *		     ready.  You may want this in a removable media drive.
96  *
97  * FW_TUR_NA:	     It doesn't matter whether the drive is ready or not.
98  * 		     This may be the case for a removable media drive.
99  */
100 typedef enum {
101 	FW_TUR_NONE,
102 	FW_TUR_READY,
103 	FW_TUR_NOT_READY,
104 	FW_TUR_NA
105 } fw_tur_status;
106 
107 /*
108  * FW_TIMEOUT_DEFAULT:		Attempt to probe for a WRITE BUFFER timeout
109  *				value from the drive.  If we get an answer,
110  *				use the Recommended timeout.  Otherwise,
111  * 				use the default value from the table.
112  *
113  * FW_TIMEOUT_DEV_REPORTED:	The timeout value was probed directly from
114  *				the device.
115  *
116  * FW_TIMEOUT_NO_PROBE:		Do not ask the device for a WRITE BUFFER
117  * 				timeout value.  Use the device-specific
118  *				value.
119  *
120  * FW_TIMEOUT_USER_SPEC:	The user specified a timeout on the command
121  *				line with the -t option.  This overrides any
122  *				probe or default timeout.
123  */
124 typedef enum {
125 	FW_TIMEOUT_DEFAULT,
126 	FW_TIMEOUT_DEV_REPORTED,
127 	FW_TIMEOUT_NO_PROBE,
128 	FW_TIMEOUT_USER_SPEC
129 } fw_timeout_type;
130 
131 /*
132  * type: 		Enumeration for the particular vendor.
133  *
134  * pattern:		Pattern to match for the Vendor ID from the SCSI
135  *			Inquiry data.
136  *
137  * dev_type:		SCSI device type to match, or T_ANY to match any
138  *			device from the given vendor.  Note that if there
139  *			is a specific device type listed for a particular
140  *			vendor, it must be listed before a T_ANY entry.
141  *
142  * max_pkt_size:	Maximum packet size when talking to a device.  Note
143  *			that although large data sizes may be supported by
144  *			the target device, they may not be supported by the
145  *			OS or the controller.
146  *
147  * cdb_byte2:		This specifies byte 2 (byte 1 when counting from 0)
148  *			of the CDB.  This is generally the WRITE BUFFER mode.
149  *
150  * cdb_byte2_last:	This specifies byte 2 for the last chunk of the
151  *			download.
152  *
153  * inc_cdb_buffer_id:	Increment the buffer ID by 1 for each chunk sent
154  *			down to the drive.
155  *
156  * inc_cdb_offset:	Increment the offset field in the CDB with the byte
157  *			offset into the firmware file.
158  *
159  * tur_status:		Pay attention to whether the device is ready before
160  *			upgrading the firmware, or not.  See above for the
161  *			values.
162  */
163 struct fw_vendor {
164 	fw_vendor_t type;
165 	const char *pattern;
166 	int dev_type;
167 	int max_pkt_size;
168 	uint8_t cdb_byte2;
169 	uint8_t cdb_byte2_last;
170 	int inc_cdb_buffer_id;
171 	int inc_cdb_offset;
172 	fw_tur_status tur_status;
173 	int timeout_ms;
174 	fw_timeout_type timeout_type;
175 };
176 
177 /*
178  * Vendor notes:
179  *
180  * HGST:     The packets need to be sent in multiples of 4K.
181  *
182  * IBM:      For LTO and TS drives, the buffer ID is ignored in mode 7 (and
183  * 	     some other modes).  It treats the request as a firmware download.
184  *           The offset (and therefore the length of each chunk sent) needs
185  *           to be a multiple of the offset boundary specified for firmware
186  *           (buffer ID 4) in the read buffer command.  At least for LTO-6,
187  *           that seems to be 0, but using a 32K chunk size should satisfy
188  *           most any alignment requirement.
189  *
190  * SmrtStor: Mode 5 is also supported, but since the firmware is 400KB or
191  *           so, we can't fit it in a single request in most cases.
192  */
193 static struct fw_vendor vendors_list[] = {
194 	{VENDOR_HGST,	 	"HGST",		T_DIRECT,
195 	0x1000, 0x07, 0x07, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
196 	{VENDOR_HITACHI, 	"HITACHI",	T_ANY,
197 	0x8000, 0x05, 0x05, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
198 	{VENDOR_HP,	 	"HP",		T_ANY,
199 	0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
200 	{VENDOR_IBM,		"IBM",		T_SEQUENTIAL,
201 	0x8000, 0x07, 0x07, 0, 1, FW_TUR_NA, 300 * 1000, FW_TIMEOUT_DEFAULT},
202 	{VENDOR_IBM,		"IBM",		T_ANY,
203 	0x8000, 0x05, 0x05, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
204 	{VENDOR_PLEXTOR,	"PLEXTOR",	T_ANY,
205 	0x2000, 0x04, 0x05, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
206 	{VENDOR_QUALSTAR,	"QUALSTAR",	T_ANY,
207 	0x2030, 0x05, 0x05, 0, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
208 	{VENDOR_QUANTUM,	"QUANTUM",	T_ANY,
209 	0x2000, 0x04, 0x05, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
210 	{VENDOR_SAMSUNG,	"SAMSUNG",	T_ANY,
211 	0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
212 	{VENDOR_SEAGATE,	"SEAGATE",	T_ANY,
213 	0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
214 	{VENDOR_SMART,		"SmrtStor",	T_DIRECT,
215 	0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
216 	{VENDOR_HGST,	 	"WD",		T_DIRECT,
217 	0x1000, 0x07, 0x07, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
218 	{VENDOR_HGST,	 	"WDC",		T_DIRECT,
219 	0x1000, 0x07, 0x07, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT},
220 
221 	/*
222 	 * We match any ATA device.  This is really just a placeholder,
223 	 * since we won't actually send a WRITE BUFFER with any of the
224 	 * listed parameters.  If a SATA device is behind a SAS controller,
225 	 * the SCSI to ATA translation code (at least for LSI) doesn't
226 	 * generally translate a SCSI WRITE BUFFER into an ATA DOWNLOAD
227 	 * MICROCODE command.  So, we use the SCSI ATA PASS_THROUGH command
228 	 * to send the ATA DOWNLOAD MICROCODE command instead.
229 	 */
230 	{VENDOR_ATA,		"ATA",		T_ANY,
231 	 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT,
232 	 FW_TIMEOUT_NO_PROBE},
233 	{VENDOR_UNKNOWN,	NULL,		T_ANY,
234 	0x0000, 0x00, 0x00, 0, 0, FW_TUR_NONE, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}
235 };
236 
237 struct fw_timeout_desc {
238 	fw_timeout_type timeout_type;
239 	const char *timeout_desc;
240 };
241 
242 static const struct fw_timeout_desc fw_timeout_desc_table[] = {
243 	{ FW_TIMEOUT_DEFAULT, "the default" },
244 	{ FW_TIMEOUT_DEV_REPORTED, "recommended by this particular device" },
245 	{ FW_TIMEOUT_NO_PROBE, "the default" },
246 	{ FW_TIMEOUT_USER_SPEC, "what was specified on the command line" }
247 };
248 
249 #ifndef ATA_DOWNLOAD_MICROCODE
250 #define ATA_DOWNLOAD_MICROCODE	0x92
251 #endif
252 
253 #define USE_OFFSETS_FEATURE	0x3
254 
255 #ifndef LOW_SECTOR_SIZE
256 #define LOW_SECTOR_SIZE		512
257 #endif
258 
259 #define ATA_MAKE_LBA(o, p)	\
260 	((((((o) / LOW_SECTOR_SIZE) >> 8) & 0xff) << 16) | \
261 	  ((((o) / LOW_SECTOR_SIZE) & 0xff) << 8) | \
262 	  ((((p) / LOW_SECTOR_SIZE) >> 8) & 0xff))
263 
264 #define ATA_MAKE_SECTORS(p)	(((p) / 512) & 0xff)
265 
266 #ifndef UNKNOWN_MAX_PKT_SIZE
267 #define UNKNOWN_MAX_PKT_SIZE	0x8000
268 #endif
269 
270 static struct fw_vendor *fw_get_vendor(struct cam_device *cam_dev,
271 				       struct ata_params *ident_buf);
272 static int fw_get_timeout(struct cam_device *cam_dev, struct fw_vendor *vp,
273 			  int task_attr, int retry_count, int timeout);
274 static int fw_validate_ibm(struct cam_device *dev, int retry_count,
275 			   int timeout, int fd, char *buf,
276 			    const char *fw_img_path, int quiet);
277 static char *fw_read_img(struct cam_device *dev, int retry_count,
278 			 int timeout, int quiet, const char *fw_img_path,
279 			 struct fw_vendor *vp, int *num_bytes);
280 static int fw_check_device_ready(struct cam_device *dev,
281 				 camcontrol_devtype devtype,
282 				 struct fw_vendor *vp, int printerrors,
283 				 int timeout);
284 static int fw_download_img(struct cam_device *cam_dev,
285 			   struct fw_vendor *vp, char *buf, int img_size,
286 			   int sim_mode, int printerrors, int quiet,
287 			   int retry_count, int timeout, const char */*name*/,
288 			   camcontrol_devtype devtype);
289 
290 /*
291  * Find entry in vendors list that belongs to
292  * the vendor of given cam device.
293  */
294 static struct fw_vendor *
295 fw_get_vendor(struct cam_device *cam_dev, struct ata_params *ident_buf)
296 {
297 	char vendor[42];
298 	struct fw_vendor *vp;
299 
300 	if (cam_dev == NULL)
301 		return (NULL);
302 
303 	if (ident_buf != NULL) {
304 		cam_strvis((u_char *)vendor, ident_buf->model,
305 		    sizeof(ident_buf->model), sizeof(vendor));
306 		for (vp = vendors_list; vp->pattern != NULL; vp++) {
307 			if (vp->type == VENDOR_ATA)
308 				return (vp);
309 		}
310 	} else {
311 		cam_strvis((u_char *)vendor, (u_char *)cam_dev->inq_data.vendor,
312 		    sizeof(cam_dev->inq_data.vendor), sizeof(vendor));
313 	}
314 	for (vp = vendors_list; vp->pattern != NULL; vp++) {
315 		if (!cam_strmatch((const u_char *)vendor,
316 		    (const u_char *)vp->pattern, strlen(vendor))) {
317 			if ((vp->dev_type == T_ANY)
318 			 || (vp->dev_type == SID_TYPE(&cam_dev->inq_data)))
319 				break;
320 		}
321 	}
322 	return (vp);
323 }
324 
325 static int
326 fw_get_timeout(struct cam_device *cam_dev, struct fw_vendor *vp,
327 	       int task_attr, int retry_count, int timeout)
328 {
329 	struct scsi_report_supported_opcodes_one *one;
330 	struct scsi_report_supported_opcodes_timeout *td;
331 	uint8_t *buf = NULL;
332 	uint32_t fill_len = 0, cdb_len = 0, rec_timeout = 0;
333 	int retval = 0;
334 
335 	/*
336 	 * If the user has specified a timeout on the command line, we let
337 	 * him override any default or probed value.
338 	 */
339 	if (timeout != 0) {
340 		vp->timeout_type = FW_TIMEOUT_USER_SPEC;
341 		vp->timeout_ms = timeout;
342 		goto bailout;
343 	}
344 
345 	/*
346 	 * Check to see whether we should probe for a timeout for this
347 	 * device.
348 	 */
349 	if (vp->timeout_type == FW_TIMEOUT_NO_PROBE)
350 		goto bailout;
351 
352 	retval = scsigetopcodes(/*device*/ cam_dev,
353 				/*opcode_set*/ 1,
354 				/*opcode*/ WRITE_BUFFER,
355 				/*show_sa_errors*/ 1,
356 				/*sa_set*/ 0,
357 				/*service_action*/ 0,
358 				/*timeout_desc*/ 1,
359 				/*task_attr*/ task_attr,
360 				/*retry_count*/ retry_count,
361 				/*timeout*/ 10000,
362 				/*verbose*/ 0,
363 				/*fill_len*/ &fill_len,
364 				/*data_ptr*/ &buf);
365 	/*
366 	 * It isn't an error if we can't get a timeout descriptor.  We just
367 	 * continue on with the default timeout.
368 	 */
369 	if (retval != 0) {
370 		retval = 0;
371 		goto bailout;
372 	}
373 
374 	/*
375 	 * Even if the drive didn't return a SCSI error, if we don't have
376 	 * enough data to contain the one opcode descriptor, the CDB
377 	 * structure and a timeout descriptor, we don't have the timeout
378 	 * value we're looking for.  So we'll just fall back to the
379 	 * default value.
380 	 */
381 	if (fill_len < (sizeof(*one) + sizeof(struct scsi_write_buffer) +
382 	    sizeof(*td)))
383 		goto bailout;
384 
385 	one = (struct scsi_report_supported_opcodes_one *)buf;
386 
387 	/*
388 	 * If the drive claims to not support the WRITE BUFFER command...
389 	 * fall back to the default timeout value and let things fail on
390 	 * the actual firmware download.
391 	 */
392 	if ((one->support & RSO_ONE_SUP_MASK) == RSO_ONE_SUP_NOT_SUP)
393 		goto bailout;
394 
395 	cdb_len = scsi_2btoul(one->cdb_length);
396 	td = (struct scsi_report_supported_opcodes_timeout *)
397 	    &buf[sizeof(*one) + cdb_len];
398 
399 	rec_timeout = scsi_4btoul(td->recommended_time);
400 	/*
401 	 * If the recommended timeout is 0, then the device has probably
402 	 * returned a bogus value.
403 	 */
404 	if (rec_timeout == 0)
405 		goto bailout;
406 
407 	/* CAM timeouts are in ms */
408 	rec_timeout *= 1000;
409 
410 	vp->timeout_ms = rec_timeout;
411 	vp->timeout_type = FW_TIMEOUT_DEV_REPORTED;
412 
413 bailout:
414 	return (retval);
415 }
416 
417 #define	SVPD_IBM_FW_DESIGNATION		0x03
418 
419 /*
420  * IBM LTO and TS tape drives have an INQUIRY VPD page 0x3 with the following
421  * format:
422  */
423 struct fw_ibm_tape_fw_designation {
424 	uint8_t	device;
425 	uint8_t page_code;
426 	uint8_t reserved;
427 	uint8_t length;
428 	uint8_t ascii_length;
429 	uint8_t reserved2[3];
430 	uint8_t load_id[4];
431 	uint8_t fw_rev[4];
432 	uint8_t ptf_number[4];
433 	uint8_t patch_number[4];
434 	uint8_t ru_name[8];
435 	uint8_t lib_seq_num[5];
436 };
437 
438 /*
439  * The firmware for IBM tape drives has the following header format.  The
440  * load_id and ru_name in the header file should match what is returned in
441  * VPD page 0x3.
442  */
443 struct fw_ibm_tape_fw_header {
444 	uint8_t unspec[4];
445 	uint8_t length[4];		/* Firmware and header! */
446 	uint8_t load_id[4];
447 	uint8_t fw_rev[4];
448 	uint8_t reserved[8];
449 	uint8_t ru_name[8];
450 };
451 
452 static int
453 fw_validate_ibm(struct cam_device *dev, int retry_count, int timeout, int fd,
454 		char *buf, const char *fw_img_path, int quiet)
455 {
456 	union ccb *ccb;
457 	struct fw_ibm_tape_fw_designation vpd_page;
458 	struct fw_ibm_tape_fw_header *header;
459 	char drive_rev[sizeof(vpd_page.fw_rev) + 1];
460 	char file_rev[sizeof(vpd_page.fw_rev) + 1];
461 	int retval = 1;
462 
463 	ccb = cam_getccb(dev);
464 	if (ccb == NULL) {
465 		warnx("couldn't allocate CCB");
466 		goto bailout;
467 	}
468 
469 	bzero(&vpd_page, sizeof(vpd_page));
470 
471 	scsi_inquiry(&ccb->csio,
472 		     /*retries*/ retry_count,
473 		     /*cbfcnp*/ NULL,
474 		     /* tag_action */ MSG_SIMPLE_Q_TAG,
475 		     /* inq_buf */ (uint8_t *)&vpd_page,
476 		     /* inq_len */ sizeof(vpd_page),
477 		     /* evpd */ 1,
478 		     /* page_code */ SVPD_IBM_FW_DESIGNATION,
479 		     /* sense_len */ SSD_FULL_SIZE,
480 		     /* timeout */ timeout ? timeout : 5000);
481 
482 	/* Disable freezing the device queue */
483 	ccb->ccb_h.flags |= CAM_DEV_QFRZDIS;
484 
485 	if (retry_count != 0)
486 		ccb->ccb_h.flags |= CAM_PASS_ERR_RECOVER;
487 
488 	if (cam_send_ccb(dev, ccb) < 0) {
489 		warn("error getting firmware designation page");
490 
491 		cam_error_print(dev, ccb, CAM_ESF_ALL,
492 				CAM_EPF_ALL, stderr);
493 
494 		cam_freeccb(ccb);
495 		ccb = NULL;
496 		goto bailout;
497 	}
498 
499 	if ((ccb->ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP) {
500 		cam_error_print(dev, ccb, CAM_ESF_ALL,
501 				CAM_EPF_ALL, stderr);
502 		goto bailout;
503 	}
504 
505 	/*
506 	 * Read the firmware header only.
507 	 */
508 	if (read(fd, buf, sizeof(*header)) != sizeof(*header)) {
509 		warn("unable to read %zu bytes from %s", sizeof(*header),
510 		     fw_img_path);
511 		goto bailout;
512 	}
513 
514 	/* Rewind the file back to 0 for the full file read. */
515 	if (lseek(fd, 0, SEEK_SET) == -1) {
516 		warn("Unable to lseek");
517 		goto bailout;
518 	}
519 
520 	header = (struct fw_ibm_tape_fw_header *)buf;
521 
522 	bzero(drive_rev, sizeof(drive_rev));
523 	bcopy(vpd_page.fw_rev, drive_rev, sizeof(vpd_page.fw_rev));
524 	bzero(file_rev, sizeof(file_rev));
525 	bcopy(header->fw_rev, file_rev, sizeof(header->fw_rev));
526 
527 	if (quiet == 0) {
528 		fprintf(stdout, "Current Drive Firmware version: %s\n",
529 			drive_rev);
530 		fprintf(stdout, "Firmware File version: %s\n", file_rev);
531 	}
532 
533 	/*
534 	 * For IBM tape drives the load ID and RU name reported by the
535 	 * drive should match what is in the firmware file.
536 	 */
537 	if (bcmp(vpd_page.load_id, header->load_id,
538 		 MIN(sizeof(vpd_page.load_id), sizeof(header->load_id))) != 0) {
539 		warnx("Drive Firmware load ID 0x%x does not match firmware "
540 		      "file load ID 0x%x", scsi_4btoul(vpd_page.load_id),
541 		      scsi_4btoul(header->load_id));
542 		goto bailout;
543 	}
544 
545 	if (bcmp(vpd_page.ru_name, header->ru_name,
546 		 MIN(sizeof(vpd_page.ru_name), sizeof(header->ru_name))) != 0) {
547 		warnx("Drive Firmware RU name 0x%jx does not match firmware "
548 		      "file RU name 0x%jx",
549 		      (uintmax_t)scsi_8btou64(vpd_page.ru_name),
550 		      (uintmax_t)scsi_8btou64(header->ru_name));
551 		goto bailout;
552 	}
553 	if (quiet == 0)
554 		fprintf(stdout, "Firmware file is valid for this drive.\n");
555 	retval = 0;
556 bailout:
557 	cam_freeccb(ccb);
558 
559 	return (retval);
560 }
561 
562 /*
563  * Allocate a buffer and read fw image file into it
564  * from given path. Number of bytes read is stored
565  * in num_bytes.
566  */
567 static char *
568 fw_read_img(struct cam_device *dev, int retry_count, int timeout, int quiet,
569 	    const char *fw_img_path, struct fw_vendor *vp, int *num_bytes)
570 {
571 	int fd;
572 	struct stat stbuf;
573 	char *buf;
574 	off_t img_size;
575 	int skip_bytes = 0;
576 
577 	if ((fd = open(fw_img_path, O_RDONLY)) < 0) {
578 		warn("Could not open image file %s", fw_img_path);
579 		return (NULL);
580 	}
581 	if (fstat(fd, &stbuf) < 0) {
582 		warn("Could not stat image file %s", fw_img_path);
583 		goto bailout1;
584 	}
585 	if ((img_size = stbuf.st_size) == 0) {
586 		warnx("Zero length image file %s", fw_img_path);
587 		goto bailout1;
588 	}
589 	if ((buf = malloc(img_size)) == NULL) {
590 		warnx("Could not allocate buffer to read image file %s",
591 		    fw_img_path);
592 		goto bailout1;
593 	}
594 	/* Skip headers if applicable. */
595 	switch (vp->type) {
596 	case VENDOR_SEAGATE:
597 		if (read(fd, buf, 16) != 16) {
598 			warn("Could not read image file %s", fw_img_path);
599 			goto bailout;
600 		}
601 		if (lseek(fd, 0, SEEK_SET) == -1) {
602 			warn("Unable to lseek");
603 			goto bailout;
604 		}
605 		if ((strncmp(buf, "SEAGATE,SEAGATE ", 16) == 0) ||
606 		    (img_size % 512 == 80))
607 			skip_bytes = 80;
608 		break;
609 	case VENDOR_QUALSTAR:
610 		skip_bytes = img_size % 1030;
611 		break;
612 	case VENDOR_IBM: {
613 		if (vp->dev_type != T_SEQUENTIAL)
614 			break;
615 		if (fw_validate_ibm(dev, retry_count, timeout, fd, buf,
616 				    fw_img_path, quiet) != 0)
617 			goto bailout;
618 		break;
619 	}
620 	default:
621 		break;
622 	}
623 	if (skip_bytes != 0) {
624 		fprintf(stdout, "Skipping %d byte header.\n", skip_bytes);
625 		if (lseek(fd, skip_bytes, SEEK_SET) == -1) {
626 			warn("Could not lseek");
627 			goto bailout;
628 		}
629 		img_size -= skip_bytes;
630 	}
631 	/* Read image into a buffer. */
632 	if (read(fd, buf, img_size) != img_size) {
633 		warn("Could not read image file %s", fw_img_path);
634 		goto bailout;
635 	}
636 	*num_bytes = img_size;
637 	close(fd);
638 	return (buf);
639 bailout:
640 	free(buf);
641 bailout1:
642 	close(fd);
643 	*num_bytes = 0;
644 	return (NULL);
645 }
646 
647 /*
648  * Returns 0 for "success", where success means that the device has met the
649  * requirement in the vendor structure for being ready or not ready when
650  * firmware is downloaded.
651  *
652  * Returns 1 for a failure to be ready to accept a firmware download.
653  * (e.g., a drive needs to be ready, but returns not ready)
654  *
655  * Returns -1 for any other failure.
656  */
657 static int
658 fw_check_device_ready(struct cam_device *dev, camcontrol_devtype devtype,
659 		      struct fw_vendor *vp, int printerrors, int timeout)
660 {
661 	union ccb *ccb;
662 	int retval = 0;
663 	int16_t *ptr = NULL;
664 	size_t dxfer_len = 0;
665 
666 	if ((ccb = cam_getccb(dev)) == NULL) {
667 		warnx("Could not allocate CCB");
668 		retval = -1;
669 		goto bailout;
670 	}
671 
672 	if (devtype != CC_DT_SCSI) {
673 		dxfer_len = sizeof(struct ata_params);
674 
675 		ptr = (uint16_t *)malloc(dxfer_len);
676 		if (ptr == NULL) {
677 			warnx("can't malloc memory for identify");
678 			retval = -1;
679 			goto bailout;
680 		}
681 		bzero(ptr, dxfer_len);
682 	}
683 
684 	switch (devtype) {
685 	case CC_DT_SCSI:
686 		scsi_test_unit_ready(&ccb->csio,
687 				     /*retries*/ 0,
688 				     /*cbfcnp*/ NULL,
689 				     /*tag_action*/ MSG_SIMPLE_Q_TAG,
690 		    		     /*sense_len*/ SSD_FULL_SIZE,
691 				     /*timeout*/ 5000);
692 		break;
693 	case CC_DT_SATL:
694 	case CC_DT_ATA: {
695 		retval = build_ata_cmd(ccb,
696 			     /*retries*/ 1,
697 			     /*flags*/ CAM_DIR_IN,
698 			     /*tag_action*/ MSG_SIMPLE_Q_TAG,
699 			     /*protocol*/ AP_PROTO_PIO_IN,
700 			     /*ata_flags*/ AP_FLAG_BYT_BLOK_BLOCKS |
701 					   AP_FLAG_TLEN_SECT_CNT |
702 					   AP_FLAG_TDIR_FROM_DEV,
703 			     /*features*/ 0,
704 			     /*sector_count*/ dxfer_len / 512,
705 			     /*lba*/ 0,
706 			     /*command*/ ATA_ATA_IDENTIFY,
707 			     /*auxiliary*/ 0,
708 			     /*data_ptr*/ (uint8_t *)ptr,
709 			     /*dxfer_len*/ dxfer_len,
710 			     /*cdb_storage*/ NULL,
711 			     /*cdb_storage_len*/ 0,
712 			     /*sense_len*/ SSD_FULL_SIZE,
713 			     /*timeout*/ timeout ? timeout : 30 * 1000,
714 			     /*is48bit*/ 0,
715 			     /*devtype*/ devtype);
716 		if (retval != 0) {
717 			retval = -1;
718 			warnx("%s: build_ata_cmd() failed, likely "
719 			    "programmer error", __func__);
720 			goto bailout;
721 		}
722 		break;
723 	}
724 	default:
725 		warnx("Unknown disk type %d", devtype);
726 		retval = -1;
727 		goto bailout;
728 		break; /*NOTREACHED*/
729 	}
730 
731 	ccb->ccb_h.flags |= CAM_DEV_QFRZDIS;
732 
733 	retval = cam_send_ccb(dev, ccb);
734 	if (retval != 0) {
735 		warn("error sending %s CCB", (devtype == CC_DT_SCSI) ?
736 		     "Test Unit Ready" : "Identify");
737 		retval = -1;
738 		goto bailout;
739 	}
740 
741 	if (((ccb->ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP)
742 	 && (vp->tur_status == FW_TUR_READY)) {
743 		warnx("Device is not ready");
744 		if (printerrors)
745 			cam_error_print(dev, ccb, CAM_ESF_ALL,
746 			    CAM_EPF_ALL, stderr);
747 		retval = 1;
748 		goto bailout;
749 	} else if (((ccb->ccb_h.status & CAM_STATUS_MASK) == CAM_REQ_CMP)
750 		&& (vp->tur_status == FW_TUR_NOT_READY)) {
751 		warnx("Device cannot have media loaded when firmware is "
752 		    "downloaded");
753 		retval = 1;
754 		goto bailout;
755 	}
756 bailout:
757 	free(ptr);
758 	cam_freeccb(ccb);
759 
760 	return (retval);
761 }
762 
763 /*
764  * After the firmware is downloaded, we know the sense data has changed (or is
765  * likely to change since it contains the firmware version).  Rescan the target
766  * with a flag to tell the kernel it's OK. This allows us to continnue using the
767  * old periph/disk in the kernel, which is less disruptive. We rescan the target
768  * because multilun devices usually update all the luns after the first firmware
769  * download.
770  */
771 static int
772 fw_rescan_target(struct cam_device *dev, bool printerrors, bool sim_mode)
773 {
774 	union ccb ccb;
775 	int fd;
776 
777 	printf("Rescanning target %d:%d:* to pick up new fw revision / parameters.\n",
778 	    dev->path_id, dev->target_id);
779 	if (sim_mode)
780 		return (0);
781 
782 	/* Can only send XPT_SCAN_TGT via /dev/xpt, not pass device in *dev */
783 	if ((fd = open(XPT_DEVICE, O_RDWR)) < 0) {
784 		warnx("error opening transport layer device %s\n",
785 		    XPT_DEVICE);
786 		warn("%s", XPT_DEVICE);
787 		return (1);
788 	}
789 
790 	/* Rescan the target */
791 	bzero(&ccb, sizeof(union ccb));
792 	ccb.ccb_h.func_code = XPT_SCAN_TGT;
793 	ccb.ccb_h.path_id = dev->path_id;
794 	ccb.ccb_h.target_id = dev->target_id;
795 	ccb.ccb_h.target_lun = CAM_LUN_WILDCARD;
796 	ccb.crcn.flags = CAM_EXPECT_INQ_CHANGE;
797 	ccb.ccb_h.pinfo.priority = 5;	/* run this at a low priority */
798 
799 	if (ioctl(fd, CAMIOCOMMAND, &ccb) < 0) {
800 		warn("CAMIOCOMMAND XPT_SCAN_TGT ioctl failed");
801 		close(fd);
802 		return (1);
803 	}
804 	if ((ccb.ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP) {
805 		warn("Can't send rescan lun");
806 		if (printerrors)
807 			cam_error_print(dev, &ccb, CAM_ESF_ALL, CAM_EPF_ALL,
808 			    stderr);
809 		close(fd);
810 		return (1);
811 	}
812 	close(fd);
813 	return (0);
814 }
815 
816 /*
817  * Download firmware stored in buf to cam_dev. If simulation mode
818  * is enabled, only show what packet sizes would be sent to the
819  * device but do not sent any actual packets
820  */
821 static int
822 fw_download_img(struct cam_device *cam_dev, struct fw_vendor *vp,
823     char *buf, int img_size, int sim_mode, int printerrors, int quiet,
824     int retry_count, int timeout, const char *imgname,
825     camcontrol_devtype devtype)
826 {
827 	struct scsi_write_buffer cdb;
828 	progress_t progress;
829 	int size = 0;
830 	union ccb *ccb = NULL;
831 	int pkt_count = 0;
832 	int max_pkt_size;
833 	uint32_t pkt_size = 0;
834 	char *pkt_ptr = buf;
835 	uint32_t offset;
836 	int last_pkt = 0;
837 	int retval = 0;
838 
839 	/*
840 	 * Check to see whether the device is ready to accept a firmware
841 	 * download.
842 	 */
843 	retval = fw_check_device_ready(cam_dev, devtype, vp, printerrors,
844 				       timeout);
845 	if (retval != 0)
846 		goto bailout;
847 
848 	if ((ccb = cam_getccb(cam_dev)) == NULL) {
849 		warnx("Could not allocate CCB");
850 		retval = 1;
851 		goto bailout;
852 	}
853 
854 	max_pkt_size = vp->max_pkt_size;
855 	if (max_pkt_size == 0)
856 		max_pkt_size = UNKNOWN_MAX_PKT_SIZE;
857 
858 	pkt_size = max_pkt_size;
859 	progress_init(&progress, imgname, size = img_size);
860 	/* Download single fw packets. */
861 	do {
862 		if (img_size <= max_pkt_size) {
863 			last_pkt = 1;
864 			pkt_size = img_size;
865 		}
866 		progress_update(&progress, size - img_size);
867 		if (((sim_mode == 0) && (quiet == 0))
868 		 || ((sim_mode != 0) && (printerrors == 0)))
869 			progress_draw(&progress);
870 		bzero(&cdb, sizeof(cdb));
871 		switch (devtype) {
872 		case CC_DT_SCSI:
873 			cdb.opcode  = WRITE_BUFFER;
874 			cdb.control = 0;
875 			/* Parameter list length. */
876 			scsi_ulto3b(pkt_size, &cdb.length[0]);
877 			offset = vp->inc_cdb_offset ? (pkt_ptr - buf) : 0;
878 			scsi_ulto3b(offset, &cdb.offset[0]);
879 			cdb.byte2 = last_pkt ? vp->cdb_byte2_last :
880 					       vp->cdb_byte2;
881 			cdb.buffer_id = vp->inc_cdb_buffer_id ? pkt_count : 0;
882 			/* Zero out payload of ccb union after ccb header. */
883 			CCB_CLEAR_ALL_EXCEPT_HDR(&ccb->csio);
884 			/*
885 			 * Copy previously constructed cdb into ccb_scsiio
886 			 * struct.
887 			 */
888 			bcopy(&cdb, &ccb->csio.cdb_io.cdb_bytes[0],
889 			    sizeof(struct scsi_write_buffer));
890 			/* Fill rest of ccb_scsiio struct. */
891 			cam_fill_csio(&ccb->csio,		/* ccb_scsiio*/
892 			    retry_count,			/* retries*/
893 			    NULL,				/* cbfcnp*/
894 			    CAM_DIR_OUT | CAM_DEV_QFRZDIS,	/* flags*/
895 			    CAM_TAG_ACTION_NONE,		/* tag_action*/
896 			    (u_char *)pkt_ptr,			/* data_ptr*/
897 			    pkt_size,				/* dxfer_len*/
898 			    SSD_FULL_SIZE,			/* sense_len*/
899 			    sizeof(struct scsi_write_buffer),	/* cdb_len*/
900 			    timeout ? timeout : WB_TIMEOUT);	/* timeout*/
901 			break;
902 		case CC_DT_ATA:
903 		case CC_DT_SATL: {
904 			uint32_t	off;
905 
906 			off = (uint32_t)(pkt_ptr - buf);
907 
908 			retval = build_ata_cmd(ccb,
909 			    /*retry_count*/ retry_count,
910 			    /*flags*/ CAM_DIR_OUT | CAM_DEV_QFRZDIS,
911 			    /*tag_action*/ CAM_TAG_ACTION_NONE,
912 			    /*protocol*/ AP_PROTO_PIO_OUT,
913 			    /*ata_flags*/ AP_FLAG_BYT_BLOK_BYTES |
914 					  AP_FLAG_TLEN_SECT_CNT |
915 					  AP_FLAG_TDIR_TO_DEV,
916 			    /*features*/ USE_OFFSETS_FEATURE,
917 			    /*sector_count*/ ATA_MAKE_SECTORS(pkt_size),
918 			    /*lba*/ ATA_MAKE_LBA(off, pkt_size),
919 			    /*command*/ ATA_DOWNLOAD_MICROCODE,
920 			    /*auxiliary*/ 0,
921 			    /*data_ptr*/ (uint8_t *)pkt_ptr,
922 			    /*dxfer_len*/ pkt_size,
923 			    /*cdb_storage*/ NULL,
924 			    /*cdb_storage_len*/ 0,
925 			    /*sense_len*/ SSD_FULL_SIZE,
926 			    /*timeout*/ timeout ? timeout : WB_TIMEOUT,
927 			    /*is48bit*/ 0,
928 			    /*devtype*/ devtype);
929 
930 			if (retval != 0) {
931 				warnx("%s: build_ata_cmd() failed, likely "
932 				    "programmer error", __func__);
933 				goto bailout;
934 			}
935 			break;
936 		}
937 		default:
938 			warnx("Unknown device type %d", devtype);
939 			retval = 1;
940 			goto bailout;
941 			break; /*NOTREACHED*/
942 		}
943 		if (!sim_mode) {
944 			/* Execute the command. */
945 			if (cam_send_ccb(cam_dev, ccb) < 0 ||
946 			    (ccb->ccb_h.status & CAM_STATUS_MASK) !=
947 			    CAM_REQ_CMP) {
948 				warnx("Error writing image to device");
949 				if (printerrors)
950 					cam_error_print(cam_dev, ccb,
951 					    CAM_ESF_ALL, CAM_EPF_ALL, stderr);
952 				retval = 1;
953 				goto bailout;
954 			}
955 		} else if (printerrors) {
956 			cam_error_print(cam_dev, ccb, CAM_ESF_COMMAND, 0,
957 			    stdout);
958 		}
959 
960 		/* Prepare next round. */
961 		pkt_count++;
962 		pkt_ptr += pkt_size;
963 		img_size -= pkt_size;
964 	} while(!last_pkt);
965 bailout:
966 	if (quiet == 0)
967 		progress_complete(&progress, size - img_size);
968 	cam_freeccb(ccb);
969 	if (retval == 0) {
970 		fw_rescan_target(cam_dev, printerrors, sim_mode);
971 	}
972 	return (retval);
973 }
974 
975 int
976 fwdownload(struct cam_device *device, int argc, char **argv,
977     char *combinedopt, int printerrors, int task_attr, int retry_count,
978     int timeout)
979 {
980 	union ccb *ccb = NULL;
981 	struct fw_vendor *vp;
982 	char *fw_img_path = NULL;
983 	struct ata_params *ident_buf = NULL;
984 	camcontrol_devtype devtype;
985 	char *buf = NULL;
986 	int img_size;
987 	int c;
988 	int sim_mode = 0;
989 	int confirmed = 0;
990 	int quiet = 0;
991 	int retval = 0;
992 
993 	while ((c = getopt(argc, argv, combinedopt)) != -1) {
994 		switch (c) {
995 		case 'f':
996 			fw_img_path = optarg;
997 			break;
998 		case 'q':
999 			quiet = 1;
1000 			break;
1001 		case 's':
1002 			sim_mode = 1;
1003 			break;
1004 		case 'y':
1005 			confirmed = 1;
1006 			break;
1007 		default:
1008 			break;
1009 		}
1010 	}
1011 
1012 	if (fw_img_path == NULL)
1013 		errx(1, "you must specify a firmware image file using -f "
1014 		     "option");
1015 
1016 	retval = get_device_type(device, retry_count, timeout, printerrors,
1017 				 &devtype);
1018 	if (retval != 0)
1019 		errx(1, "Unable to determine device type");
1020 
1021 	if ((devtype == CC_DT_ATA)
1022 	 || (devtype == CC_DT_SATL)) {
1023 		ccb = cam_getccb(device);
1024 		if (ccb == NULL) {
1025 			warnx("couldn't allocate CCB");
1026 			retval = 1;
1027 			goto bailout;
1028 		}
1029 
1030 		if (ata_do_identify(device, retry_count, timeout, ccb,
1031 		    		    &ident_buf) != 0) {
1032 			retval = 1;
1033 			goto bailout;
1034 		}
1035 	} else if (devtype != CC_DT_SCSI)
1036 		errx(1, "Unsupported device type %d", devtype);
1037 
1038 	vp = fw_get_vendor(device, ident_buf);
1039 	/*
1040 	 * Bail out if we have an unknown vendor and this isn't an ATA
1041 	 * disk.  For a SCSI disk, we have no chance of working properly
1042 	 * with the default values in the VENDOR_UNKNOWN case.  For an ATA
1043 	 * disk connected via an ATA transport, we may work for drives that
1044 	 * support the ATA_DOWNLOAD_MICROCODE command.
1045 	 */
1046 	if (((vp == NULL)
1047 	  || (vp->type == VENDOR_UNKNOWN))
1048 	 && (devtype == CC_DT_SCSI))
1049 		errx(1, "Unsupported device");
1050 
1051 	retval = fw_get_timeout(device, vp, task_attr, retry_count, timeout);
1052 	if (retval != 0) {
1053 		warnx("Unable to get a firmware download timeout value");
1054 		goto bailout;
1055 	}
1056 
1057 	buf = fw_read_img(device, retry_count, timeout, quiet, fw_img_path,
1058 	    vp, &img_size);
1059 	if (buf == NULL) {
1060 		retval = 1;
1061 		goto bailout;
1062 	}
1063 
1064 	if (!confirmed) {
1065 		fprintf(stdout, "You are about to download firmware image (%s)"
1066 		    " into the following device:\n",
1067 		    fw_img_path);
1068 		if (devtype == CC_DT_SCSI) {
1069 			if (scsidoinquiry(device, argc, argv, combinedopt,
1070 					  MSG_SIMPLE_Q_TAG, 0, 5000) != 0) {
1071 				warnx("Error sending inquiry");
1072 				retval = 1;
1073 				goto bailout;
1074 			}
1075 		} else {
1076 			printf("%s%d: ", device->device_name,
1077 			    device->dev_unit_num);
1078 			ata_print_ident(ident_buf);
1079 			camxferrate(device);
1080 			free(ident_buf);
1081 		}
1082 		fprintf(stdout, "Using a timeout of %u ms, which is %s.\n",
1083 			vp->timeout_ms,
1084 			fw_timeout_desc_table[vp->timeout_type].timeout_desc);
1085 		fprintf(stdout, "\nIt may damage your drive. ");
1086 		if (!get_confirmation()) {
1087 			retval = 1;
1088 			goto bailout;
1089 		}
1090 	}
1091 	if ((sim_mode != 0) && (quiet == 0))
1092 		fprintf(stdout, "Running in simulation mode\n");
1093 
1094 	if (fw_download_img(device, vp, buf, img_size, sim_mode, printerrors,
1095 	    quiet, retry_count, vp->timeout_ms, fw_img_path, devtype) != 0) {
1096 		fprintf(stderr, "Firmware download failed\n");
1097 		retval = 1;
1098 		goto bailout;
1099 	} else if (quiet == 0)
1100 		fprintf(stdout, "Firmware download successful\n");
1101 
1102 bailout:
1103 	cam_freeccb(ccb);
1104 	free(buf);
1105 	return (retval);
1106 }
1107 
1108