1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2011 Sandvine Incorporated. All rights reserved. 5 * Copyright (c) 2002-2011 Andre Albsmeier <andre@albsmeier.net> 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer, 13 * without modification, immediately at the beginning of the file. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This software is derived from Andre Albsmeier's fwprog.c which contained 32 * the following note: 33 * 34 * Many thanks goes to Marc Frajola <marc@terasolutions.com> from 35 * TeraSolutions for the initial idea and his programme for upgrading 36 * the firmware of I*M DDYS drives. 37 */ 38 39 /* 40 * BEWARE: 41 * 42 * The fact that you see your favorite vendor listed below does not 43 * imply that your equipment won't break when you use this software 44 * with it. It only means that the firmware of at least one device type 45 * of each vendor listed has been programmed successfully using this code. 46 * 47 * The -s option simulates a download but does nothing apart from that. 48 * It can be used to check what chunk sizes would have been used with the 49 * specified device. 50 */ 51 52 #include <sys/cdefs.h> 53 #include <sys/types.h> 54 #include <sys/stat.h> 55 56 #include <err.h> 57 #include <fcntl.h> 58 #include <stdbool.h> 59 #include <stdio.h> 60 #include <stdlib.h> 61 #include <string.h> 62 #include <unistd.h> 63 64 #include <cam/cam.h> 65 #include <cam/scsi/scsi_all.h> 66 #include <cam/scsi/scsi_pass.h> 67 #include <cam/scsi/scsi_message.h> 68 #include <camlib.h> 69 70 #include "progress.h" 71 72 #include "camcontrol.h" 73 74 #define WB_TIMEOUT 50000 /* 50 seconds */ 75 76 typedef enum { 77 VENDOR_HGST, 78 VENDOR_HITACHI, 79 VENDOR_HP, 80 VENDOR_IBM, 81 VENDOR_PLEXTOR, 82 VENDOR_QUALSTAR, 83 VENDOR_QUANTUM, 84 VENDOR_SAMSUNG, 85 VENDOR_SEAGATE, 86 VENDOR_SMART, 87 VENDOR_ATA, 88 VENDOR_UNKNOWN 89 } fw_vendor_t; 90 91 /* 92 * FW_TUR_READY: The drive must return good status for a test unit ready. 93 * 94 * FW_TUR_NOT_READY: The drive must return not ready status for a test unit 95 * ready. You may want this in a removable media drive. 96 * 97 * FW_TUR_NA: It doesn't matter whether the drive is ready or not. 98 * This may be the case for a removable media drive. 99 */ 100 typedef enum { 101 FW_TUR_NONE, 102 FW_TUR_READY, 103 FW_TUR_NOT_READY, 104 FW_TUR_NA 105 } fw_tur_status; 106 107 /* 108 * FW_TIMEOUT_DEFAULT: Attempt to probe for a WRITE BUFFER timeout 109 * value from the drive. If we get an answer, 110 * use the Recommended timeout. Otherwise, 111 * use the default value from the table. 112 * 113 * FW_TIMEOUT_DEV_REPORTED: The timeout value was probed directly from 114 * the device. 115 * 116 * FW_TIMEOUT_NO_PROBE: Do not ask the device for a WRITE BUFFER 117 * timeout value. Use the device-specific 118 * value. 119 * 120 * FW_TIMEOUT_USER_SPEC: The user specified a timeout on the command 121 * line with the -t option. This overrides any 122 * probe or default timeout. 123 */ 124 typedef enum { 125 FW_TIMEOUT_DEFAULT, 126 FW_TIMEOUT_DEV_REPORTED, 127 FW_TIMEOUT_NO_PROBE, 128 FW_TIMEOUT_USER_SPEC 129 } fw_timeout_type; 130 131 /* 132 * type: Enumeration for the particular vendor. 133 * 134 * pattern: Pattern to match for the Vendor ID from the SCSI 135 * Inquiry data. 136 * 137 * dev_type: SCSI device type to match, or T_ANY to match any 138 * device from the given vendor. Note that if there 139 * is a specific device type listed for a particular 140 * vendor, it must be listed before a T_ANY entry. 141 * 142 * max_pkt_size: Maximum packet size when talking to a device. Note 143 * that although large data sizes may be supported by 144 * the target device, they may not be supported by the 145 * OS or the controller. 146 * 147 * cdb_byte2: This specifies byte 2 (byte 1 when counting from 0) 148 * of the CDB. This is generally the WRITE BUFFER mode. 149 * 150 * cdb_byte2_last: This specifies byte 2 for the last chunk of the 151 * download. 152 * 153 * inc_cdb_buffer_id: Increment the buffer ID by 1 for each chunk sent 154 * down to the drive. 155 * 156 * inc_cdb_offset: Increment the offset field in the CDB with the byte 157 * offset into the firmware file. 158 * 159 * tur_status: Pay attention to whether the device is ready before 160 * upgrading the firmware, or not. See above for the 161 * values. 162 */ 163 struct fw_vendor { 164 fw_vendor_t type; 165 const char *pattern; 166 int dev_type; 167 int max_pkt_size; 168 uint8_t cdb_byte2; 169 uint8_t cdb_byte2_last; 170 int inc_cdb_buffer_id; 171 int inc_cdb_offset; 172 fw_tur_status tur_status; 173 int timeout_ms; 174 fw_timeout_type timeout_type; 175 }; 176 177 /* 178 * Vendor notes: 179 * 180 * HGST: The packets need to be sent in multiples of 4K. 181 * 182 * IBM: For LTO and TS drives, the buffer ID is ignored in mode 7 (and 183 * some other modes). It treats the request as a firmware download. 184 * The offset (and therefore the length of each chunk sent) needs 185 * to be a multiple of the offset boundary specified for firmware 186 * (buffer ID 4) in the read buffer command. At least for LTO-6, 187 * that seems to be 0, but using a 32K chunk size should satisfy 188 * most any alignment requirement. 189 * 190 * SmrtStor: Mode 5 is also supported, but since the firmware is 400KB or 191 * so, we can't fit it in a single request in most cases. 192 */ 193 static struct fw_vendor vendors_list[] = { 194 {VENDOR_HGST, "HGST", T_DIRECT, 195 0x1000, 0x07, 0x07, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 196 {VENDOR_HITACHI, "HITACHI", T_ANY, 197 0x8000, 0x05, 0x05, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 198 {VENDOR_HP, "HP", T_ANY, 199 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 200 {VENDOR_IBM, "IBM", T_SEQUENTIAL, 201 0x8000, 0x07, 0x07, 0, 1, FW_TUR_NA, 300 * 1000, FW_TIMEOUT_DEFAULT}, 202 {VENDOR_IBM, "IBM", T_ANY, 203 0x8000, 0x05, 0x05, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 204 {VENDOR_PLEXTOR, "PLEXTOR", T_ANY, 205 0x2000, 0x04, 0x05, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 206 {VENDOR_QUALSTAR, "QUALSTAR", T_ANY, 207 0x2030, 0x05, 0x05, 0, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 208 {VENDOR_QUANTUM, "QUANTUM", T_ANY, 209 0x2000, 0x04, 0x05, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 210 {VENDOR_SAMSUNG, "SAMSUNG", T_ANY, 211 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 212 {VENDOR_SEAGATE, "SEAGATE", T_ANY, 213 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 214 {VENDOR_SMART, "SmrtStor", T_DIRECT, 215 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 216 {VENDOR_HGST, "WD", T_DIRECT, 217 0x1000, 0x07, 0x07, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 218 {VENDOR_HGST, "WDC", T_DIRECT, 219 0x1000, 0x07, 0x07, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 220 221 /* 222 * We match any ATA device. This is really just a placeholder, 223 * since we won't actually send a WRITE BUFFER with any of the 224 * listed parameters. If a SATA device is behind a SAS controller, 225 * the SCSI to ATA translation code (at least for LSI) doesn't 226 * generally translate a SCSI WRITE BUFFER into an ATA DOWNLOAD 227 * MICROCODE command. So, we use the SCSI ATA PASS_THROUGH command 228 * to send the ATA DOWNLOAD MICROCODE command instead. 229 */ 230 {VENDOR_ATA, "ATA", T_ANY, 231 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, 232 FW_TIMEOUT_NO_PROBE}, 233 {VENDOR_UNKNOWN, NULL, T_ANY, 234 0x0000, 0x00, 0x00, 0, 0, FW_TUR_NONE, WB_TIMEOUT, FW_TIMEOUT_DEFAULT} 235 }; 236 237 struct fw_timeout_desc { 238 fw_timeout_type timeout_type; 239 const char *timeout_desc; 240 }; 241 242 static const struct fw_timeout_desc fw_timeout_desc_table[] = { 243 { FW_TIMEOUT_DEFAULT, "the default" }, 244 { FW_TIMEOUT_DEV_REPORTED, "recommended by this particular device" }, 245 { FW_TIMEOUT_NO_PROBE, "the default" }, 246 { FW_TIMEOUT_USER_SPEC, "what was specified on the command line" } 247 }; 248 249 #ifndef ATA_DOWNLOAD_MICROCODE 250 #define ATA_DOWNLOAD_MICROCODE 0x92 251 #endif 252 253 #define USE_OFFSETS_FEATURE 0x3 254 255 #ifndef LOW_SECTOR_SIZE 256 #define LOW_SECTOR_SIZE 512 257 #endif 258 259 #define ATA_MAKE_LBA(o, p) \ 260 ((((((o) / LOW_SECTOR_SIZE) >> 8) & 0xff) << 16) | \ 261 ((((o) / LOW_SECTOR_SIZE) & 0xff) << 8) | \ 262 ((((p) / LOW_SECTOR_SIZE) >> 8) & 0xff)) 263 264 #define ATA_MAKE_SECTORS(p) (((p) / 512) & 0xff) 265 266 #ifndef UNKNOWN_MAX_PKT_SIZE 267 #define UNKNOWN_MAX_PKT_SIZE 0x8000 268 #endif 269 270 static struct fw_vendor *fw_get_vendor(struct cam_device *cam_dev, 271 struct ata_params *ident_buf); 272 static int fw_get_timeout(struct cam_device *cam_dev, struct fw_vendor *vp, 273 int task_attr, int retry_count, int timeout); 274 static int fw_validate_ibm(struct cam_device *dev, int retry_count, 275 int timeout, int fd, char *buf, 276 const char *fw_img_path, int quiet); 277 static char *fw_read_img(struct cam_device *dev, int retry_count, 278 int timeout, int quiet, const char *fw_img_path, 279 struct fw_vendor *vp, int *num_bytes); 280 static int fw_check_device_ready(struct cam_device *dev, 281 camcontrol_devtype devtype, 282 struct fw_vendor *vp, int printerrors, 283 int timeout); 284 static int fw_download_img(struct cam_device *cam_dev, 285 struct fw_vendor *vp, char *buf, int img_size, 286 int sim_mode, int printerrors, int quiet, 287 int retry_count, int timeout, const char */*name*/, 288 camcontrol_devtype devtype); 289 290 /* 291 * Find entry in vendors list that belongs to 292 * the vendor of given cam device. 293 */ 294 static struct fw_vendor * 295 fw_get_vendor(struct cam_device *cam_dev, struct ata_params *ident_buf) 296 { 297 char vendor[42]; 298 struct fw_vendor *vp; 299 300 if (cam_dev == NULL) 301 return (NULL); 302 303 if (ident_buf != NULL) { 304 cam_strvis((u_char *)vendor, ident_buf->model, 305 sizeof(ident_buf->model), sizeof(vendor)); 306 for (vp = vendors_list; vp->pattern != NULL; vp++) { 307 if (vp->type == VENDOR_ATA) 308 return (vp); 309 } 310 } else { 311 cam_strvis((u_char *)vendor, (u_char *)cam_dev->inq_data.vendor, 312 sizeof(cam_dev->inq_data.vendor), sizeof(vendor)); 313 } 314 for (vp = vendors_list; vp->pattern != NULL; vp++) { 315 if (!cam_strmatch((const u_char *)vendor, 316 (const u_char *)vp->pattern, strlen(vendor))) { 317 if ((vp->dev_type == T_ANY) 318 || (vp->dev_type == SID_TYPE(&cam_dev->inq_data))) 319 break; 320 } 321 } 322 return (vp); 323 } 324 325 static int 326 fw_get_timeout(struct cam_device *cam_dev, struct fw_vendor *vp, 327 int task_attr, int retry_count, int timeout) 328 { 329 struct scsi_report_supported_opcodes_one *one; 330 struct scsi_report_supported_opcodes_timeout *td; 331 uint8_t *buf = NULL; 332 uint32_t fill_len = 0, cdb_len = 0, rec_timeout = 0; 333 int retval = 0; 334 335 /* 336 * If the user has specified a timeout on the command line, we let 337 * him override any default or probed value. 338 */ 339 if (timeout != 0) { 340 vp->timeout_type = FW_TIMEOUT_USER_SPEC; 341 vp->timeout_ms = timeout; 342 goto bailout; 343 } 344 345 /* 346 * Check to see whether we should probe for a timeout for this 347 * device. 348 */ 349 if (vp->timeout_type == FW_TIMEOUT_NO_PROBE) 350 goto bailout; 351 352 retval = scsigetopcodes(/*device*/ cam_dev, 353 /*opcode_set*/ 1, 354 /*opcode*/ WRITE_BUFFER, 355 /*show_sa_errors*/ 1, 356 /*sa_set*/ 0, 357 /*service_action*/ 0, 358 /*timeout_desc*/ 1, 359 /*task_attr*/ task_attr, 360 /*retry_count*/ retry_count, 361 /*timeout*/ 10000, 362 /*verbose*/ 0, 363 /*fill_len*/ &fill_len, 364 /*data_ptr*/ &buf); 365 /* 366 * It isn't an error if we can't get a timeout descriptor. We just 367 * continue on with the default timeout. 368 */ 369 if (retval != 0) { 370 retval = 0; 371 goto bailout; 372 } 373 374 /* 375 * Even if the drive didn't return a SCSI error, if we don't have 376 * enough data to contain the one opcode descriptor, the CDB 377 * structure and a timeout descriptor, we don't have the timeout 378 * value we're looking for. So we'll just fall back to the 379 * default value. 380 */ 381 if (fill_len < (sizeof(*one) + sizeof(struct scsi_write_buffer) + 382 sizeof(*td))) 383 goto bailout; 384 385 one = (struct scsi_report_supported_opcodes_one *)buf; 386 387 /* 388 * If the drive claims to not support the WRITE BUFFER command... 389 * fall back to the default timeout value and let things fail on 390 * the actual firmware download. 391 */ 392 if ((one->support & RSO_ONE_SUP_MASK) == RSO_ONE_SUP_NOT_SUP) 393 goto bailout; 394 395 cdb_len = scsi_2btoul(one->cdb_length); 396 td = (struct scsi_report_supported_opcodes_timeout *) 397 &buf[sizeof(*one) + cdb_len]; 398 399 rec_timeout = scsi_4btoul(td->recommended_time); 400 /* 401 * If the recommended timeout is 0, then the device has probably 402 * returned a bogus value. 403 */ 404 if (rec_timeout == 0) 405 goto bailout; 406 407 /* CAM timeouts are in ms */ 408 rec_timeout *= 1000; 409 410 vp->timeout_ms = rec_timeout; 411 vp->timeout_type = FW_TIMEOUT_DEV_REPORTED; 412 413 bailout: 414 return (retval); 415 } 416 417 #define SVPD_IBM_FW_DESIGNATION 0x03 418 419 /* 420 * IBM LTO and TS tape drives have an INQUIRY VPD page 0x3 with the following 421 * format: 422 */ 423 struct fw_ibm_tape_fw_designation { 424 uint8_t device; 425 uint8_t page_code; 426 uint8_t reserved; 427 uint8_t length; 428 uint8_t ascii_length; 429 uint8_t reserved2[3]; 430 uint8_t load_id[4]; 431 uint8_t fw_rev[4]; 432 uint8_t ptf_number[4]; 433 uint8_t patch_number[4]; 434 uint8_t ru_name[8]; 435 uint8_t lib_seq_num[5]; 436 }; 437 438 /* 439 * The firmware for IBM tape drives has the following header format. The 440 * load_id and ru_name in the header file should match what is returned in 441 * VPD page 0x3. 442 */ 443 struct fw_ibm_tape_fw_header { 444 uint8_t unspec[4]; 445 uint8_t length[4]; /* Firmware and header! */ 446 uint8_t load_id[4]; 447 uint8_t fw_rev[4]; 448 uint8_t reserved[8]; 449 uint8_t ru_name[8]; 450 }; 451 452 static int 453 fw_validate_ibm(struct cam_device *dev, int retry_count, int timeout, int fd, 454 char *buf, const char *fw_img_path, int quiet) 455 { 456 union ccb *ccb; 457 struct fw_ibm_tape_fw_designation vpd_page; 458 struct fw_ibm_tape_fw_header *header; 459 char drive_rev[sizeof(vpd_page.fw_rev) + 1]; 460 char file_rev[sizeof(vpd_page.fw_rev) + 1]; 461 int retval = 1; 462 463 ccb = cam_getccb(dev); 464 if (ccb == NULL) { 465 warnx("couldn't allocate CCB"); 466 goto bailout; 467 } 468 469 bzero(&vpd_page, sizeof(vpd_page)); 470 471 scsi_inquiry(&ccb->csio, 472 /*retries*/ retry_count, 473 /*cbfcnp*/ NULL, 474 /* tag_action */ MSG_SIMPLE_Q_TAG, 475 /* inq_buf */ (uint8_t *)&vpd_page, 476 /* inq_len */ sizeof(vpd_page), 477 /* evpd */ 1, 478 /* page_code */ SVPD_IBM_FW_DESIGNATION, 479 /* sense_len */ SSD_FULL_SIZE, 480 /* timeout */ timeout ? timeout : 5000); 481 482 /* Disable freezing the device queue */ 483 ccb->ccb_h.flags |= CAM_DEV_QFRZDIS; 484 485 if (retry_count != 0) 486 ccb->ccb_h.flags |= CAM_PASS_ERR_RECOVER; 487 488 if (cam_send_ccb(dev, ccb) < 0) { 489 warn("error getting firmware designation page"); 490 491 cam_error_print(dev, ccb, CAM_ESF_ALL, 492 CAM_EPF_ALL, stderr); 493 494 cam_freeccb(ccb); 495 ccb = NULL; 496 goto bailout; 497 } 498 499 if ((ccb->ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP) { 500 cam_error_print(dev, ccb, CAM_ESF_ALL, 501 CAM_EPF_ALL, stderr); 502 goto bailout; 503 } 504 505 /* 506 * Read the firmware header only. 507 */ 508 if (read(fd, buf, sizeof(*header)) != sizeof(*header)) { 509 warn("unable to read %zu bytes from %s", sizeof(*header), 510 fw_img_path); 511 goto bailout; 512 } 513 514 /* Rewind the file back to 0 for the full file read. */ 515 if (lseek(fd, 0, SEEK_SET) == -1) { 516 warn("Unable to lseek"); 517 goto bailout; 518 } 519 520 header = (struct fw_ibm_tape_fw_header *)buf; 521 522 bzero(drive_rev, sizeof(drive_rev)); 523 bcopy(vpd_page.fw_rev, drive_rev, sizeof(vpd_page.fw_rev)); 524 bzero(file_rev, sizeof(file_rev)); 525 bcopy(header->fw_rev, file_rev, sizeof(header->fw_rev)); 526 527 if (quiet == 0) { 528 fprintf(stdout, "Current Drive Firmware version: %s\n", 529 drive_rev); 530 fprintf(stdout, "Firmware File version: %s\n", file_rev); 531 } 532 533 /* 534 * For IBM tape drives the load ID and RU name reported by the 535 * drive should match what is in the firmware file. 536 */ 537 if (bcmp(vpd_page.load_id, header->load_id, 538 MIN(sizeof(vpd_page.load_id), sizeof(header->load_id))) != 0) { 539 warnx("Drive Firmware load ID 0x%x does not match firmware " 540 "file load ID 0x%x", scsi_4btoul(vpd_page.load_id), 541 scsi_4btoul(header->load_id)); 542 goto bailout; 543 } 544 545 if (bcmp(vpd_page.ru_name, header->ru_name, 546 MIN(sizeof(vpd_page.ru_name), sizeof(header->ru_name))) != 0) { 547 warnx("Drive Firmware RU name 0x%jx does not match firmware " 548 "file RU name 0x%jx", 549 (uintmax_t)scsi_8btou64(vpd_page.ru_name), 550 (uintmax_t)scsi_8btou64(header->ru_name)); 551 goto bailout; 552 } 553 if (quiet == 0) 554 fprintf(stdout, "Firmware file is valid for this drive.\n"); 555 retval = 0; 556 bailout: 557 cam_freeccb(ccb); 558 559 return (retval); 560 } 561 562 /* 563 * Allocate a buffer and read fw image file into it 564 * from given path. Number of bytes read is stored 565 * in num_bytes. 566 */ 567 static char * 568 fw_read_img(struct cam_device *dev, int retry_count, int timeout, int quiet, 569 const char *fw_img_path, struct fw_vendor *vp, int *num_bytes) 570 { 571 int fd; 572 struct stat stbuf; 573 char *buf; 574 off_t img_size; 575 int skip_bytes = 0; 576 577 if ((fd = open(fw_img_path, O_RDONLY)) < 0) { 578 warn("Could not open image file %s", fw_img_path); 579 return (NULL); 580 } 581 if (fstat(fd, &stbuf) < 0) { 582 warn("Could not stat image file %s", fw_img_path); 583 goto bailout1; 584 } 585 if ((img_size = stbuf.st_size) == 0) { 586 warnx("Zero length image file %s", fw_img_path); 587 goto bailout1; 588 } 589 if ((buf = malloc(img_size)) == NULL) { 590 warnx("Could not allocate buffer to read image file %s", 591 fw_img_path); 592 goto bailout1; 593 } 594 /* Skip headers if applicable. */ 595 switch (vp->type) { 596 case VENDOR_SEAGATE: 597 if (read(fd, buf, 16) != 16) { 598 warn("Could not read image file %s", fw_img_path); 599 goto bailout; 600 } 601 if (lseek(fd, 0, SEEK_SET) == -1) { 602 warn("Unable to lseek"); 603 goto bailout; 604 } 605 if ((strncmp(buf, "SEAGATE,SEAGATE ", 16) == 0) || 606 (img_size % 512 == 80)) 607 skip_bytes = 80; 608 break; 609 case VENDOR_QUALSTAR: 610 skip_bytes = img_size % 1030; 611 break; 612 case VENDOR_IBM: { 613 if (vp->dev_type != T_SEQUENTIAL) 614 break; 615 if (fw_validate_ibm(dev, retry_count, timeout, fd, buf, 616 fw_img_path, quiet) != 0) 617 goto bailout; 618 break; 619 } 620 default: 621 break; 622 } 623 if (skip_bytes != 0) { 624 fprintf(stdout, "Skipping %d byte header.\n", skip_bytes); 625 if (lseek(fd, skip_bytes, SEEK_SET) == -1) { 626 warn("Could not lseek"); 627 goto bailout; 628 } 629 img_size -= skip_bytes; 630 } 631 /* Read image into a buffer. */ 632 if (read(fd, buf, img_size) != img_size) { 633 warn("Could not read image file %s", fw_img_path); 634 goto bailout; 635 } 636 *num_bytes = img_size; 637 close(fd); 638 return (buf); 639 bailout: 640 free(buf); 641 bailout1: 642 close(fd); 643 *num_bytes = 0; 644 return (NULL); 645 } 646 647 /* 648 * Returns 0 for "success", where success means that the device has met the 649 * requirement in the vendor structure for being ready or not ready when 650 * firmware is downloaded. 651 * 652 * Returns 1 for a failure to be ready to accept a firmware download. 653 * (e.g., a drive needs to be ready, but returns not ready) 654 * 655 * Returns -1 for any other failure. 656 */ 657 static int 658 fw_check_device_ready(struct cam_device *dev, camcontrol_devtype devtype, 659 struct fw_vendor *vp, int printerrors, int timeout) 660 { 661 union ccb *ccb; 662 int retval = 0; 663 int16_t *ptr = NULL; 664 size_t dxfer_len = 0; 665 666 if ((ccb = cam_getccb(dev)) == NULL) { 667 warnx("Could not allocate CCB"); 668 retval = -1; 669 goto bailout; 670 } 671 672 if (devtype != CC_DT_SCSI) { 673 dxfer_len = sizeof(struct ata_params); 674 675 ptr = (uint16_t *)malloc(dxfer_len); 676 if (ptr == NULL) { 677 warnx("can't malloc memory for identify"); 678 retval = -1; 679 goto bailout; 680 } 681 bzero(ptr, dxfer_len); 682 } 683 684 switch (devtype) { 685 case CC_DT_SCSI: 686 scsi_test_unit_ready(&ccb->csio, 687 /*retries*/ 0, 688 /*cbfcnp*/ NULL, 689 /*tag_action*/ MSG_SIMPLE_Q_TAG, 690 /*sense_len*/ SSD_FULL_SIZE, 691 /*timeout*/ 5000); 692 break; 693 case CC_DT_SATL: 694 case CC_DT_ATA: { 695 retval = build_ata_cmd(ccb, 696 /*retries*/ 1, 697 /*flags*/ CAM_DIR_IN, 698 /*tag_action*/ MSG_SIMPLE_Q_TAG, 699 /*protocol*/ AP_PROTO_PIO_IN, 700 /*ata_flags*/ AP_FLAG_BYT_BLOK_BLOCKS | 701 AP_FLAG_TLEN_SECT_CNT | 702 AP_FLAG_TDIR_FROM_DEV, 703 /*features*/ 0, 704 /*sector_count*/ dxfer_len / 512, 705 /*lba*/ 0, 706 /*command*/ ATA_ATA_IDENTIFY, 707 /*auxiliary*/ 0, 708 /*data_ptr*/ (uint8_t *)ptr, 709 /*dxfer_len*/ dxfer_len, 710 /*cdb_storage*/ NULL, 711 /*cdb_storage_len*/ 0, 712 /*sense_len*/ SSD_FULL_SIZE, 713 /*timeout*/ timeout ? timeout : 30 * 1000, 714 /*is48bit*/ 0, 715 /*devtype*/ devtype); 716 if (retval != 0) { 717 retval = -1; 718 warnx("%s: build_ata_cmd() failed, likely " 719 "programmer error", __func__); 720 goto bailout; 721 } 722 break; 723 } 724 default: 725 warnx("Unknown disk type %d", devtype); 726 retval = -1; 727 goto bailout; 728 break; /*NOTREACHED*/ 729 } 730 731 ccb->ccb_h.flags |= CAM_DEV_QFRZDIS; 732 733 retval = cam_send_ccb(dev, ccb); 734 if (retval != 0) { 735 warn("error sending %s CCB", (devtype == CC_DT_SCSI) ? 736 "Test Unit Ready" : "Identify"); 737 retval = -1; 738 goto bailout; 739 } 740 741 if (((ccb->ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP) 742 && (vp->tur_status == FW_TUR_READY)) { 743 warnx("Device is not ready"); 744 if (printerrors) 745 cam_error_print(dev, ccb, CAM_ESF_ALL, 746 CAM_EPF_ALL, stderr); 747 retval = 1; 748 goto bailout; 749 } else if (((ccb->ccb_h.status & CAM_STATUS_MASK) == CAM_REQ_CMP) 750 && (vp->tur_status == FW_TUR_NOT_READY)) { 751 warnx("Device cannot have media loaded when firmware is " 752 "downloaded"); 753 retval = 1; 754 goto bailout; 755 } 756 bailout: 757 free(ptr); 758 cam_freeccb(ccb); 759 760 return (retval); 761 } 762 763 /* 764 * After the firmware is downloaded, we know the sense data has changed (or is 765 * likely to change since it contains the firmware version). Rescan the target 766 * with a flag to tell the kernel it's OK. This allows us to continnue using the 767 * old periph/disk in the kernel, which is less disruptive. We rescan the target 768 * because multilun devices usually update all the luns after the first firmware 769 * download. 770 */ 771 static int 772 fw_rescan_target(struct cam_device *dev, bool printerrors, bool sim_mode) 773 { 774 union ccb ccb; 775 int fd; 776 777 printf("Rescanning target %d:%d:* to pick up new fw revision / parameters.\n", 778 dev->path_id, dev->target_id); 779 if (sim_mode) 780 return (0); 781 782 /* Can only send XPT_SCAN_TGT via /dev/xpt, not pass device in *dev */ 783 if ((fd = open(XPT_DEVICE, O_RDWR)) < 0) { 784 warnx("error opening transport layer device %s\n", 785 XPT_DEVICE); 786 warn("%s", XPT_DEVICE); 787 return (1); 788 } 789 790 /* Rescan the target */ 791 bzero(&ccb, sizeof(union ccb)); 792 ccb.ccb_h.func_code = XPT_SCAN_TGT; 793 ccb.ccb_h.path_id = dev->path_id; 794 ccb.ccb_h.target_id = dev->target_id; 795 ccb.ccb_h.target_lun = CAM_LUN_WILDCARD; 796 ccb.crcn.flags = CAM_EXPECT_INQ_CHANGE; 797 ccb.ccb_h.pinfo.priority = 5; /* run this at a low priority */ 798 799 if (ioctl(fd, CAMIOCOMMAND, &ccb) < 0) { 800 warn("CAMIOCOMMAND XPT_SCAN_TGT ioctl failed"); 801 close(fd); 802 return (1); 803 } 804 if ((ccb.ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP) { 805 warn("Can't send rescan lun"); 806 if (printerrors) 807 cam_error_print(dev, &ccb, CAM_ESF_ALL, CAM_EPF_ALL, 808 stderr); 809 close(fd); 810 return (1); 811 } 812 close(fd); 813 return (0); 814 } 815 816 /* 817 * Download firmware stored in buf to cam_dev. If simulation mode 818 * is enabled, only show what packet sizes would be sent to the 819 * device but do not sent any actual packets 820 */ 821 static int 822 fw_download_img(struct cam_device *cam_dev, struct fw_vendor *vp, 823 char *buf, int img_size, int sim_mode, int printerrors, int quiet, 824 int retry_count, int timeout, const char *imgname, 825 camcontrol_devtype devtype) 826 { 827 struct scsi_write_buffer cdb; 828 progress_t progress; 829 int size = 0; 830 union ccb *ccb = NULL; 831 int pkt_count = 0; 832 int max_pkt_size; 833 uint32_t pkt_size = 0; 834 char *pkt_ptr = buf; 835 uint32_t offset; 836 int last_pkt = 0; 837 int retval = 0; 838 839 /* 840 * Check to see whether the device is ready to accept a firmware 841 * download. 842 */ 843 retval = fw_check_device_ready(cam_dev, devtype, vp, printerrors, 844 timeout); 845 if (retval != 0) 846 goto bailout; 847 848 if ((ccb = cam_getccb(cam_dev)) == NULL) { 849 warnx("Could not allocate CCB"); 850 retval = 1; 851 goto bailout; 852 } 853 854 max_pkt_size = vp->max_pkt_size; 855 if (max_pkt_size == 0) 856 max_pkt_size = UNKNOWN_MAX_PKT_SIZE; 857 858 pkt_size = max_pkt_size; 859 progress_init(&progress, imgname, size = img_size); 860 /* Download single fw packets. */ 861 do { 862 if (img_size <= max_pkt_size) { 863 last_pkt = 1; 864 pkt_size = img_size; 865 } 866 progress_update(&progress, size - img_size); 867 if (((sim_mode == 0) && (quiet == 0)) 868 || ((sim_mode != 0) && (printerrors == 0))) 869 progress_draw(&progress); 870 bzero(&cdb, sizeof(cdb)); 871 switch (devtype) { 872 case CC_DT_SCSI: 873 cdb.opcode = WRITE_BUFFER; 874 cdb.control = 0; 875 /* Parameter list length. */ 876 scsi_ulto3b(pkt_size, &cdb.length[0]); 877 offset = vp->inc_cdb_offset ? (pkt_ptr - buf) : 0; 878 scsi_ulto3b(offset, &cdb.offset[0]); 879 cdb.byte2 = last_pkt ? vp->cdb_byte2_last : 880 vp->cdb_byte2; 881 cdb.buffer_id = vp->inc_cdb_buffer_id ? pkt_count : 0; 882 /* Zero out payload of ccb union after ccb header. */ 883 CCB_CLEAR_ALL_EXCEPT_HDR(&ccb->csio); 884 /* 885 * Copy previously constructed cdb into ccb_scsiio 886 * struct. 887 */ 888 bcopy(&cdb, &ccb->csio.cdb_io.cdb_bytes[0], 889 sizeof(struct scsi_write_buffer)); 890 /* Fill rest of ccb_scsiio struct. */ 891 cam_fill_csio(&ccb->csio, /* ccb_scsiio*/ 892 retry_count, /* retries*/ 893 NULL, /* cbfcnp*/ 894 CAM_DIR_OUT | CAM_DEV_QFRZDIS, /* flags*/ 895 CAM_TAG_ACTION_NONE, /* tag_action*/ 896 (u_char *)pkt_ptr, /* data_ptr*/ 897 pkt_size, /* dxfer_len*/ 898 SSD_FULL_SIZE, /* sense_len*/ 899 sizeof(struct scsi_write_buffer), /* cdb_len*/ 900 timeout ? timeout : WB_TIMEOUT); /* timeout*/ 901 break; 902 case CC_DT_ATA: 903 case CC_DT_SATL: { 904 uint32_t off; 905 906 off = (uint32_t)(pkt_ptr - buf); 907 908 retval = build_ata_cmd(ccb, 909 /*retry_count*/ retry_count, 910 /*flags*/ CAM_DIR_OUT | CAM_DEV_QFRZDIS, 911 /*tag_action*/ CAM_TAG_ACTION_NONE, 912 /*protocol*/ AP_PROTO_PIO_OUT, 913 /*ata_flags*/ AP_FLAG_BYT_BLOK_BYTES | 914 AP_FLAG_TLEN_SECT_CNT | 915 AP_FLAG_TDIR_TO_DEV, 916 /*features*/ USE_OFFSETS_FEATURE, 917 /*sector_count*/ ATA_MAKE_SECTORS(pkt_size), 918 /*lba*/ ATA_MAKE_LBA(off, pkt_size), 919 /*command*/ ATA_DOWNLOAD_MICROCODE, 920 /*auxiliary*/ 0, 921 /*data_ptr*/ (uint8_t *)pkt_ptr, 922 /*dxfer_len*/ pkt_size, 923 /*cdb_storage*/ NULL, 924 /*cdb_storage_len*/ 0, 925 /*sense_len*/ SSD_FULL_SIZE, 926 /*timeout*/ timeout ? timeout : WB_TIMEOUT, 927 /*is48bit*/ 0, 928 /*devtype*/ devtype); 929 930 if (retval != 0) { 931 warnx("%s: build_ata_cmd() failed, likely " 932 "programmer error", __func__); 933 goto bailout; 934 } 935 break; 936 } 937 default: 938 warnx("Unknown device type %d", devtype); 939 retval = 1; 940 goto bailout; 941 break; /*NOTREACHED*/ 942 } 943 if (!sim_mode) { 944 /* Execute the command. */ 945 if (cam_send_ccb(cam_dev, ccb) < 0 || 946 (ccb->ccb_h.status & CAM_STATUS_MASK) != 947 CAM_REQ_CMP) { 948 warnx("Error writing image to device"); 949 if (printerrors) 950 cam_error_print(cam_dev, ccb, 951 CAM_ESF_ALL, CAM_EPF_ALL, stderr); 952 retval = 1; 953 goto bailout; 954 } 955 } else if (printerrors) { 956 cam_error_print(cam_dev, ccb, CAM_ESF_COMMAND, 0, 957 stdout); 958 } 959 960 /* Prepare next round. */ 961 pkt_count++; 962 pkt_ptr += pkt_size; 963 img_size -= pkt_size; 964 } while(!last_pkt); 965 bailout: 966 if (quiet == 0) 967 progress_complete(&progress, size - img_size); 968 cam_freeccb(ccb); 969 if (retval == 0) { 970 fw_rescan_target(cam_dev, printerrors, sim_mode); 971 } 972 return (retval); 973 } 974 975 int 976 fwdownload(struct cam_device *device, int argc, char **argv, 977 char *combinedopt, int printerrors, int task_attr, int retry_count, 978 int timeout) 979 { 980 union ccb *ccb = NULL; 981 struct fw_vendor *vp; 982 char *fw_img_path = NULL; 983 struct ata_params *ident_buf = NULL; 984 camcontrol_devtype devtype; 985 char *buf = NULL; 986 int img_size; 987 int c; 988 int sim_mode = 0; 989 int confirmed = 0; 990 int quiet = 0; 991 int retval = 0; 992 993 while ((c = getopt(argc, argv, combinedopt)) != -1) { 994 switch (c) { 995 case 'f': 996 fw_img_path = optarg; 997 break; 998 case 'q': 999 quiet = 1; 1000 break; 1001 case 's': 1002 sim_mode = 1; 1003 break; 1004 case 'y': 1005 confirmed = 1; 1006 break; 1007 default: 1008 break; 1009 } 1010 } 1011 1012 if (fw_img_path == NULL) 1013 errx(1, "you must specify a firmware image file using -f " 1014 "option"); 1015 1016 retval = get_device_type(device, retry_count, timeout, printerrors, 1017 &devtype); 1018 if (retval != 0) 1019 errx(1, "Unable to determine device type"); 1020 1021 if ((devtype == CC_DT_ATA) 1022 || (devtype == CC_DT_SATL)) { 1023 ccb = cam_getccb(device); 1024 if (ccb == NULL) { 1025 warnx("couldn't allocate CCB"); 1026 retval = 1; 1027 goto bailout; 1028 } 1029 1030 if (ata_do_identify(device, retry_count, timeout, ccb, 1031 &ident_buf) != 0) { 1032 retval = 1; 1033 goto bailout; 1034 } 1035 } else if (devtype != CC_DT_SCSI) 1036 errx(1, "Unsupported device type %d", devtype); 1037 1038 vp = fw_get_vendor(device, ident_buf); 1039 /* 1040 * Bail out if we have an unknown vendor and this isn't an ATA 1041 * disk. For a SCSI disk, we have no chance of working properly 1042 * with the default values in the VENDOR_UNKNOWN case. For an ATA 1043 * disk connected via an ATA transport, we may work for drives that 1044 * support the ATA_DOWNLOAD_MICROCODE command. 1045 */ 1046 if (((vp == NULL) 1047 || (vp->type == VENDOR_UNKNOWN)) 1048 && (devtype == CC_DT_SCSI)) 1049 errx(1, "Unsupported device"); 1050 1051 retval = fw_get_timeout(device, vp, task_attr, retry_count, timeout); 1052 if (retval != 0) { 1053 warnx("Unable to get a firmware download timeout value"); 1054 goto bailout; 1055 } 1056 1057 buf = fw_read_img(device, retry_count, timeout, quiet, fw_img_path, 1058 vp, &img_size); 1059 if (buf == NULL) { 1060 retval = 1; 1061 goto bailout; 1062 } 1063 1064 if (!confirmed) { 1065 fprintf(stdout, "You are about to download firmware image (%s)" 1066 " into the following device:\n", 1067 fw_img_path); 1068 if (devtype == CC_DT_SCSI) { 1069 if (scsidoinquiry(device, argc, argv, combinedopt, 1070 MSG_SIMPLE_Q_TAG, 0, 5000) != 0) { 1071 warnx("Error sending inquiry"); 1072 retval = 1; 1073 goto bailout; 1074 } 1075 } else { 1076 printf("%s%d: ", device->device_name, 1077 device->dev_unit_num); 1078 ata_print_ident(ident_buf); 1079 camxferrate(device); 1080 free(ident_buf); 1081 } 1082 fprintf(stdout, "Using a timeout of %u ms, which is %s.\n", 1083 vp->timeout_ms, 1084 fw_timeout_desc_table[vp->timeout_type].timeout_desc); 1085 fprintf(stdout, "\nIt may damage your drive. "); 1086 if (!get_confirmation()) { 1087 retval = 1; 1088 goto bailout; 1089 } 1090 } 1091 if ((sim_mode != 0) && (quiet == 0)) 1092 fprintf(stdout, "Running in simulation mode\n"); 1093 1094 if (fw_download_img(device, vp, buf, img_size, sim_mode, printerrors, 1095 quiet, retry_count, vp->timeout_ms, fw_img_path, devtype) != 0) { 1096 fprintf(stderr, "Firmware download failed\n"); 1097 retval = 1; 1098 goto bailout; 1099 } else if (quiet == 0) 1100 fprintf(stdout, "Firmware download successful\n"); 1101 1102 bailout: 1103 cam_freeccb(ccb); 1104 free(buf); 1105 return (retval); 1106 } 1107 1108