1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2011 Sandvine Incorporated. All rights reserved. 5 * Copyright (c) 2002-2011 Andre Albsmeier <andre@albsmeier.net> 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer, 13 * without modification, immediately at the beginning of the file. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This software is derived from Andre Albsmeier's fwprog.c which contained 32 * the following note: 33 * 34 * Many thanks goes to Marc Frajola <marc@terasolutions.com> from 35 * TeraSolutions for the initial idea and his programme for upgrading 36 * the firmware of I*M DDYS drives. 37 */ 38 39 /* 40 * BEWARE: 41 * 42 * The fact that you see your favorite vendor listed below does not 43 * imply that your equipment won't break when you use this software 44 * with it. It only means that the firmware of at least one device type 45 * of each vendor listed has been programmed successfully using this code. 46 * 47 * The -s option simulates a download but does nothing apart from that. 48 * It can be used to check what chunk sizes would have been used with the 49 * specified device. 50 */ 51 52 #include <sys/cdefs.h> 53 __FBSDID("$FreeBSD$"); 54 55 #include <sys/types.h> 56 #include <sys/stat.h> 57 58 #include <err.h> 59 #include <fcntl.h> 60 #include <stdio.h> 61 #include <stdlib.h> 62 #include <string.h> 63 #include <unistd.h> 64 65 #include <cam/scsi/scsi_all.h> 66 #include <cam/scsi/scsi_message.h> 67 #include <camlib.h> 68 69 #include "progress.h" 70 71 #include "camcontrol.h" 72 73 #define WB_TIMEOUT 50000 /* 50 seconds */ 74 75 typedef enum { 76 VENDOR_HGST, 77 VENDOR_HITACHI, 78 VENDOR_HP, 79 VENDOR_IBM, 80 VENDOR_PLEXTOR, 81 VENDOR_QUALSTAR, 82 VENDOR_QUANTUM, 83 VENDOR_SAMSUNG, 84 VENDOR_SEAGATE, 85 VENDOR_SMART, 86 VENDOR_ATA, 87 VENDOR_UNKNOWN 88 } fw_vendor_t; 89 90 /* 91 * FW_TUR_READY: The drive must return good status for a test unit ready. 92 * 93 * FW_TUR_NOT_READY: The drive must return not ready status for a test unit 94 * ready. You may want this in a removable media drive. 95 * 96 * FW_TUR_NA: It doesn't matter whether the drive is ready or not. 97 * This may be the case for a removable media drive. 98 */ 99 typedef enum { 100 FW_TUR_NONE, 101 FW_TUR_READY, 102 FW_TUR_NOT_READY, 103 FW_TUR_NA 104 } fw_tur_status; 105 106 /* 107 * FW_TIMEOUT_DEFAULT: Attempt to probe for a WRITE BUFFER timeout 108 * value from the drive. If we get an answer, 109 * use the Recommended timeout. Otherwise, 110 * use the default value from the table. 111 * 112 * FW_TIMEOUT_DEV_REPORTED: The timeout value was probed directly from 113 * the device. 114 * 115 * FW_TIMEOUT_NO_PROBE: Do not ask the device for a WRITE BUFFER 116 * timeout value. Use the device-specific 117 * value. 118 * 119 * FW_TIMEOUT_USER_SPEC: The user specified a timeout on the command 120 * line with the -t option. This overrides any 121 * probe or default timeout. 122 */ 123 typedef enum { 124 FW_TIMEOUT_DEFAULT, 125 FW_TIMEOUT_DEV_REPORTED, 126 FW_TIMEOUT_NO_PROBE, 127 FW_TIMEOUT_USER_SPEC 128 } fw_timeout_type; 129 130 /* 131 * type: Enumeration for the particular vendor. 132 * 133 * pattern: Pattern to match for the Vendor ID from the SCSI 134 * Inquiry data. 135 * 136 * dev_type: SCSI device type to match, or T_ANY to match any 137 * device from the given vendor. Note that if there 138 * is a specific device type listed for a particular 139 * vendor, it must be listed before a T_ANY entry. 140 * 141 * max_pkt_size: Maximum packet size when talking to a device. Note 142 * that although large data sizes may be supported by 143 * the target device, they may not be supported by the 144 * OS or the controller. 145 * 146 * cdb_byte2: This specifies byte 2 (byte 1 when counting from 0) 147 * of the CDB. This is generally the WRITE BUFFER mode. 148 * 149 * cdb_byte2_last: This specifies byte 2 for the last chunk of the 150 * download. 151 * 152 * inc_cdb_buffer_id: Increment the buffer ID by 1 for each chunk sent 153 * down to the drive. 154 * 155 * inc_cdb_offset: Increment the offset field in the CDB with the byte 156 * offset into the firmware file. 157 * 158 * tur_status: Pay attention to whether the device is ready before 159 * upgrading the firmware, or not. See above for the 160 * values. 161 */ 162 struct fw_vendor { 163 fw_vendor_t type; 164 const char *pattern; 165 int dev_type; 166 int max_pkt_size; 167 u_int8_t cdb_byte2; 168 u_int8_t cdb_byte2_last; 169 int inc_cdb_buffer_id; 170 int inc_cdb_offset; 171 fw_tur_status tur_status; 172 int timeout_ms; 173 fw_timeout_type timeout_type; 174 }; 175 176 /* 177 * Vendor notes: 178 * 179 * HGST: The packets need to be sent in multiples of 4K. 180 * 181 * IBM: For LTO and TS drives, the buffer ID is ignored in mode 7 (and 182 * some other modes). It treats the request as a firmware download. 183 * The offset (and therefore the length of each chunk sent) needs 184 * to be a multiple of the offset boundary specified for firmware 185 * (buffer ID 4) in the read buffer command. At least for LTO-6, 186 * that seems to be 0, but using a 32K chunk size should satisfy 187 * most any alignment requirement. 188 * 189 * SmrtStor: Mode 5 is also supported, but since the firmware is 400KB or 190 * so, we can't fit it in a single request in most cases. 191 */ 192 static struct fw_vendor vendors_list[] = { 193 {VENDOR_HGST, "HGST", T_DIRECT, 194 0x1000, 0x07, 0x07, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 195 {VENDOR_HITACHI, "HITACHI", T_ANY, 196 0x8000, 0x05, 0x05, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 197 {VENDOR_HP, "HP", T_ANY, 198 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 199 {VENDOR_IBM, "IBM", T_SEQUENTIAL, 200 0x8000, 0x07, 0x07, 0, 1, FW_TUR_NA, 300 * 1000, FW_TIMEOUT_DEFAULT}, 201 {VENDOR_IBM, "IBM", T_ANY, 202 0x8000, 0x05, 0x05, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 203 {VENDOR_PLEXTOR, "PLEXTOR", T_ANY, 204 0x2000, 0x04, 0x05, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 205 {VENDOR_QUALSTAR, "QUALSTAR", T_ANY, 206 0x2030, 0x05, 0x05, 0, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 207 {VENDOR_QUANTUM, "QUANTUM", T_ANY, 208 0x2000, 0x04, 0x05, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 209 {VENDOR_SAMSUNG, "SAMSUNG", T_ANY, 210 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 211 {VENDOR_SEAGATE, "SEAGATE", T_ANY, 212 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 213 {VENDOR_SMART, "SmrtStor", T_DIRECT, 214 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 215 {VENDOR_HGST, "WD", T_DIRECT, 216 0x1000, 0x07, 0x07, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 217 {VENDOR_HGST, "WDC", T_DIRECT, 218 0x1000, 0x07, 0x07, 1, 0, FW_TUR_READY, WB_TIMEOUT, FW_TIMEOUT_DEFAULT}, 219 220 /* 221 * We match any ATA device. This is really just a placeholder, 222 * since we won't actually send a WRITE BUFFER with any of the 223 * listed parameters. If a SATA device is behind a SAS controller, 224 * the SCSI to ATA translation code (at least for LSI) doesn't 225 * generally translate a SCSI WRITE BUFFER into an ATA DOWNLOAD 226 * MICROCODE command. So, we use the SCSI ATA PASS_THROUGH command 227 * to send the ATA DOWNLOAD MICROCODE command instead. 228 */ 229 {VENDOR_ATA, "ATA", T_ANY, 230 0x8000, 0x07, 0x07, 0, 1, FW_TUR_READY, WB_TIMEOUT, 231 FW_TIMEOUT_NO_PROBE}, 232 {VENDOR_UNKNOWN, NULL, T_ANY, 233 0x0000, 0x00, 0x00, 0, 0, FW_TUR_NONE, WB_TIMEOUT, FW_TIMEOUT_DEFAULT} 234 }; 235 236 struct fw_timeout_desc { 237 fw_timeout_type timeout_type; 238 const char *timeout_desc; 239 }; 240 241 static const struct fw_timeout_desc fw_timeout_desc_table[] = { 242 { FW_TIMEOUT_DEFAULT, "the default" }, 243 { FW_TIMEOUT_DEV_REPORTED, "recommended by this particular device" }, 244 { FW_TIMEOUT_NO_PROBE, "the default" }, 245 { FW_TIMEOUT_USER_SPEC, "what was specified on the command line" } 246 }; 247 248 #ifndef ATA_DOWNLOAD_MICROCODE 249 #define ATA_DOWNLOAD_MICROCODE 0x92 250 #endif 251 252 #define USE_OFFSETS_FEATURE 0x3 253 254 #ifndef LOW_SECTOR_SIZE 255 #define LOW_SECTOR_SIZE 512 256 #endif 257 258 #define ATA_MAKE_LBA(o, p) \ 259 ((((((o) / LOW_SECTOR_SIZE) >> 8) & 0xff) << 16) | \ 260 ((((o) / LOW_SECTOR_SIZE) & 0xff) << 8) | \ 261 ((((p) / LOW_SECTOR_SIZE) >> 8) & 0xff)) 262 263 #define ATA_MAKE_SECTORS(p) (((p) / 512) & 0xff) 264 265 #ifndef UNKNOWN_MAX_PKT_SIZE 266 #define UNKNOWN_MAX_PKT_SIZE 0x8000 267 #endif 268 269 static struct fw_vendor *fw_get_vendor(struct cam_device *cam_dev, 270 struct ata_params *ident_buf); 271 static int fw_get_timeout(struct cam_device *cam_dev, struct fw_vendor *vp, 272 int task_attr, int retry_count, int timeout); 273 static int fw_validate_ibm(struct cam_device *dev, int retry_count, 274 int timeout, int fd, char *buf, 275 const char *fw_img_path, int quiet); 276 static char *fw_read_img(struct cam_device *dev, int retry_count, 277 int timeout, int quiet, const char *fw_img_path, 278 struct fw_vendor *vp, int *num_bytes); 279 static int fw_check_device_ready(struct cam_device *dev, 280 camcontrol_devtype devtype, 281 struct fw_vendor *vp, int printerrors, 282 int timeout); 283 static int fw_download_img(struct cam_device *cam_dev, 284 struct fw_vendor *vp, char *buf, int img_size, 285 int sim_mode, int printerrors, int quiet, 286 int retry_count, int timeout, const char */*name*/, 287 camcontrol_devtype devtype); 288 289 /* 290 * Find entry in vendors list that belongs to 291 * the vendor of given cam device. 292 */ 293 static struct fw_vendor * 294 fw_get_vendor(struct cam_device *cam_dev, struct ata_params *ident_buf) 295 { 296 char vendor[42]; 297 struct fw_vendor *vp; 298 299 if (cam_dev == NULL) 300 return (NULL); 301 302 if (ident_buf != NULL) { 303 cam_strvis((u_char *)vendor, ident_buf->model, 304 sizeof(ident_buf->model), sizeof(vendor)); 305 for (vp = vendors_list; vp->pattern != NULL; vp++) { 306 if (vp->type == VENDOR_ATA) 307 return (vp); 308 } 309 } else { 310 cam_strvis((u_char *)vendor, (u_char *)cam_dev->inq_data.vendor, 311 sizeof(cam_dev->inq_data.vendor), sizeof(vendor)); 312 } 313 for (vp = vendors_list; vp->pattern != NULL; vp++) { 314 if (!cam_strmatch((const u_char *)vendor, 315 (const u_char *)vp->pattern, strlen(vendor))) { 316 if ((vp->dev_type == T_ANY) 317 || (vp->dev_type == SID_TYPE(&cam_dev->inq_data))) 318 break; 319 } 320 } 321 return (vp); 322 } 323 324 static int 325 fw_get_timeout(struct cam_device *cam_dev, struct fw_vendor *vp, 326 int task_attr, int retry_count, int timeout) 327 { 328 struct scsi_report_supported_opcodes_one *one; 329 struct scsi_report_supported_opcodes_timeout *td; 330 uint8_t *buf = NULL; 331 uint32_t fill_len = 0, cdb_len = 0, rec_timeout = 0; 332 int retval = 0; 333 334 /* 335 * If the user has specified a timeout on the command line, we let 336 * him override any default or probed value. 337 */ 338 if (timeout != 0) { 339 vp->timeout_type = FW_TIMEOUT_USER_SPEC; 340 vp->timeout_ms = timeout; 341 goto bailout; 342 } 343 344 /* 345 * Check to see whether we should probe for a timeout for this 346 * device. 347 */ 348 if (vp->timeout_type == FW_TIMEOUT_NO_PROBE) 349 goto bailout; 350 351 retval = scsigetopcodes(/*device*/ cam_dev, 352 /*opcode_set*/ 1, 353 /*opcode*/ WRITE_BUFFER, 354 /*show_sa_errors*/ 1, 355 /*sa_set*/ 0, 356 /*service_action*/ 0, 357 /*timeout_desc*/ 1, 358 /*task_attr*/ task_attr, 359 /*retry_count*/ retry_count, 360 /*timeout*/ 10000, 361 /*verbose*/ 0, 362 /*fill_len*/ &fill_len, 363 /*data_ptr*/ &buf); 364 /* 365 * It isn't an error if we can't get a timeout descriptor. We just 366 * continue on with the default timeout. 367 */ 368 if (retval != 0) { 369 retval = 0; 370 goto bailout; 371 } 372 373 /* 374 * Even if the drive didn't return a SCSI error, if we don't have 375 * enough data to contain the one opcode descriptor, the CDB 376 * structure and a timeout descriptor, we don't have the timeout 377 * value we're looking for. So we'll just fall back to the 378 * default value. 379 */ 380 if (fill_len < (sizeof(*one) + sizeof(struct scsi_write_buffer) + 381 sizeof(*td))) 382 goto bailout; 383 384 one = (struct scsi_report_supported_opcodes_one *)buf; 385 386 /* 387 * If the drive claims to not support the WRITE BUFFER command... 388 * fall back to the default timeout value and let things fail on 389 * the actual firmware download. 390 */ 391 if ((one->support & RSO_ONE_SUP_MASK) == RSO_ONE_SUP_NOT_SUP) 392 goto bailout; 393 394 cdb_len = scsi_2btoul(one->cdb_length); 395 td = (struct scsi_report_supported_opcodes_timeout *) 396 &buf[sizeof(*one) + cdb_len]; 397 398 rec_timeout = scsi_4btoul(td->recommended_time); 399 /* 400 * If the recommended timeout is 0, then the device has probably 401 * returned a bogus value. 402 */ 403 if (rec_timeout == 0) 404 goto bailout; 405 406 /* CAM timeouts are in ms */ 407 rec_timeout *= 1000; 408 409 vp->timeout_ms = rec_timeout; 410 vp->timeout_type = FW_TIMEOUT_DEV_REPORTED; 411 412 bailout: 413 return (retval); 414 } 415 416 #define SVPD_IBM_FW_DESIGNATION 0x03 417 418 /* 419 * IBM LTO and TS tape drives have an INQUIRY VPD page 0x3 with the following 420 * format: 421 */ 422 struct fw_ibm_tape_fw_designation { 423 uint8_t device; 424 uint8_t page_code; 425 uint8_t reserved; 426 uint8_t length; 427 uint8_t ascii_length; 428 uint8_t reserved2[3]; 429 uint8_t load_id[4]; 430 uint8_t fw_rev[4]; 431 uint8_t ptf_number[4]; 432 uint8_t patch_number[4]; 433 uint8_t ru_name[8]; 434 uint8_t lib_seq_num[5]; 435 }; 436 437 /* 438 * The firmware for IBM tape drives has the following header format. The 439 * load_id and ru_name in the header file should match what is returned in 440 * VPD page 0x3. 441 */ 442 struct fw_ibm_tape_fw_header { 443 uint8_t unspec[4]; 444 uint8_t length[4]; /* Firmware and header! */ 445 uint8_t load_id[4]; 446 uint8_t fw_rev[4]; 447 uint8_t reserved[8]; 448 uint8_t ru_name[8]; 449 }; 450 451 static int 452 fw_validate_ibm(struct cam_device *dev, int retry_count, int timeout, int fd, 453 char *buf, const char *fw_img_path, int quiet) 454 { 455 union ccb *ccb; 456 struct fw_ibm_tape_fw_designation vpd_page; 457 struct fw_ibm_tape_fw_header *header; 458 char drive_rev[sizeof(vpd_page.fw_rev) + 1]; 459 char file_rev[sizeof(vpd_page.fw_rev) + 1]; 460 int retval = 1; 461 462 ccb = cam_getccb(dev); 463 if (ccb == NULL) { 464 warnx("couldn't allocate CCB"); 465 goto bailout; 466 } 467 468 bzero(&vpd_page, sizeof(vpd_page)); 469 470 scsi_inquiry(&ccb->csio, 471 /*retries*/ retry_count, 472 /*cbfcnp*/ NULL, 473 /* tag_action */ MSG_SIMPLE_Q_TAG, 474 /* inq_buf */ (u_int8_t *)&vpd_page, 475 /* inq_len */ sizeof(vpd_page), 476 /* evpd */ 1, 477 /* page_code */ SVPD_IBM_FW_DESIGNATION, 478 /* sense_len */ SSD_FULL_SIZE, 479 /* timeout */ timeout ? timeout : 5000); 480 481 /* Disable freezing the device queue */ 482 ccb->ccb_h.flags |= CAM_DEV_QFRZDIS; 483 484 if (retry_count != 0) 485 ccb->ccb_h.flags |= CAM_PASS_ERR_RECOVER; 486 487 if (cam_send_ccb(dev, ccb) < 0) { 488 warn("error getting firmware designation page"); 489 490 cam_error_print(dev, ccb, CAM_ESF_ALL, 491 CAM_EPF_ALL, stderr); 492 493 cam_freeccb(ccb); 494 ccb = NULL; 495 goto bailout; 496 } 497 498 if ((ccb->ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP) { 499 cam_error_print(dev, ccb, CAM_ESF_ALL, 500 CAM_EPF_ALL, stderr); 501 goto bailout; 502 } 503 504 /* 505 * Read the firmware header only. 506 */ 507 if (read(fd, buf, sizeof(*header)) != sizeof(*header)) { 508 warn("unable to read %zu bytes from %s", sizeof(*header), 509 fw_img_path); 510 goto bailout; 511 } 512 513 /* Rewind the file back to 0 for the full file read. */ 514 if (lseek(fd, 0, SEEK_SET) == -1) { 515 warn("Unable to lseek"); 516 goto bailout; 517 } 518 519 header = (struct fw_ibm_tape_fw_header *)buf; 520 521 bzero(drive_rev, sizeof(drive_rev)); 522 bcopy(vpd_page.fw_rev, drive_rev, sizeof(vpd_page.fw_rev)); 523 bzero(file_rev, sizeof(file_rev)); 524 bcopy(header->fw_rev, file_rev, sizeof(header->fw_rev)); 525 526 if (quiet == 0) { 527 fprintf(stdout, "Current Drive Firmware version: %s\n", 528 drive_rev); 529 fprintf(stdout, "Firmware File version: %s\n", file_rev); 530 } 531 532 /* 533 * For IBM tape drives the load ID and RU name reported by the 534 * drive should match what is in the firmware file. 535 */ 536 if (bcmp(vpd_page.load_id, header->load_id, 537 MIN(sizeof(vpd_page.load_id), sizeof(header->load_id))) != 0) { 538 warnx("Drive Firmware load ID 0x%x does not match firmware " 539 "file load ID 0x%x", scsi_4btoul(vpd_page.load_id), 540 scsi_4btoul(header->load_id)); 541 goto bailout; 542 } 543 544 if (bcmp(vpd_page.ru_name, header->ru_name, 545 MIN(sizeof(vpd_page.ru_name), sizeof(header->ru_name))) != 0) { 546 warnx("Drive Firmware RU name 0x%jx does not match firmware " 547 "file RU name 0x%jx", 548 (uintmax_t)scsi_8btou64(vpd_page.ru_name), 549 (uintmax_t)scsi_8btou64(header->ru_name)); 550 goto bailout; 551 } 552 if (quiet == 0) 553 fprintf(stdout, "Firmware file is valid for this drive.\n"); 554 retval = 0; 555 bailout: 556 cam_freeccb(ccb); 557 558 return (retval); 559 } 560 561 /* 562 * Allocate a buffer and read fw image file into it 563 * from given path. Number of bytes read is stored 564 * in num_bytes. 565 */ 566 static char * 567 fw_read_img(struct cam_device *dev, int retry_count, int timeout, int quiet, 568 const char *fw_img_path, struct fw_vendor *vp, int *num_bytes) 569 { 570 int fd; 571 struct stat stbuf; 572 char *buf; 573 off_t img_size; 574 int skip_bytes = 0; 575 576 if ((fd = open(fw_img_path, O_RDONLY)) < 0) { 577 warn("Could not open image file %s", fw_img_path); 578 return (NULL); 579 } 580 if (fstat(fd, &stbuf) < 0) { 581 warn("Could not stat image file %s", fw_img_path); 582 goto bailout1; 583 } 584 if ((img_size = stbuf.st_size) == 0) { 585 warnx("Zero length image file %s", fw_img_path); 586 goto bailout1; 587 } 588 if ((buf = malloc(img_size)) == NULL) { 589 warnx("Could not allocate buffer to read image file %s", 590 fw_img_path); 591 goto bailout1; 592 } 593 /* Skip headers if applicable. */ 594 switch (vp->type) { 595 case VENDOR_SEAGATE: 596 if (read(fd, buf, 16) != 16) { 597 warn("Could not read image file %s", fw_img_path); 598 goto bailout; 599 } 600 if (lseek(fd, 0, SEEK_SET) == -1) { 601 warn("Unable to lseek"); 602 goto bailout; 603 } 604 if ((strncmp(buf, "SEAGATE,SEAGATE ", 16) == 0) || 605 (img_size % 512 == 80)) 606 skip_bytes = 80; 607 break; 608 case VENDOR_QUALSTAR: 609 skip_bytes = img_size % 1030; 610 break; 611 case VENDOR_IBM: { 612 if (vp->dev_type != T_SEQUENTIAL) 613 break; 614 if (fw_validate_ibm(dev, retry_count, timeout, fd, buf, 615 fw_img_path, quiet) != 0) 616 goto bailout; 617 break; 618 } 619 default: 620 break; 621 } 622 if (skip_bytes != 0) { 623 fprintf(stdout, "Skipping %d byte header.\n", skip_bytes); 624 if (lseek(fd, skip_bytes, SEEK_SET) == -1) { 625 warn("Could not lseek"); 626 goto bailout; 627 } 628 img_size -= skip_bytes; 629 } 630 /* Read image into a buffer. */ 631 if (read(fd, buf, img_size) != img_size) { 632 warn("Could not read image file %s", fw_img_path); 633 goto bailout; 634 } 635 *num_bytes = img_size; 636 close(fd); 637 return (buf); 638 bailout: 639 free(buf); 640 bailout1: 641 close(fd); 642 *num_bytes = 0; 643 return (NULL); 644 } 645 646 /* 647 * Returns 0 for "success", where success means that the device has met the 648 * requirement in the vendor structure for being ready or not ready when 649 * firmware is downloaded. 650 * 651 * Returns 1 for a failure to be ready to accept a firmware download. 652 * (e.g., a drive needs to be ready, but returns not ready) 653 * 654 * Returns -1 for any other failure. 655 */ 656 static int 657 fw_check_device_ready(struct cam_device *dev, camcontrol_devtype devtype, 658 struct fw_vendor *vp, int printerrors, int timeout) 659 { 660 union ccb *ccb; 661 int retval = 0; 662 int16_t *ptr = NULL; 663 size_t dxfer_len = 0; 664 665 if ((ccb = cam_getccb(dev)) == NULL) { 666 warnx("Could not allocate CCB"); 667 retval = -1; 668 goto bailout; 669 } 670 671 if (devtype != CC_DT_SCSI) { 672 dxfer_len = sizeof(struct ata_params); 673 674 ptr = (uint16_t *)malloc(dxfer_len); 675 if (ptr == NULL) { 676 warnx("can't malloc memory for identify"); 677 retval = -1; 678 goto bailout; 679 } 680 bzero(ptr, dxfer_len); 681 } 682 683 switch (devtype) { 684 case CC_DT_SCSI: 685 scsi_test_unit_ready(&ccb->csio, 686 /*retries*/ 0, 687 /*cbfcnp*/ NULL, 688 /*tag_action*/ MSG_SIMPLE_Q_TAG, 689 /*sense_len*/ SSD_FULL_SIZE, 690 /*timeout*/ 5000); 691 break; 692 case CC_DT_SATL: 693 case CC_DT_ATA: { 694 retval = build_ata_cmd(ccb, 695 /*retries*/ 1, 696 /*flags*/ CAM_DIR_IN, 697 /*tag_action*/ MSG_SIMPLE_Q_TAG, 698 /*protocol*/ AP_PROTO_PIO_IN, 699 /*ata_flags*/ AP_FLAG_BYT_BLOK_BLOCKS | 700 AP_FLAG_TLEN_SECT_CNT | 701 AP_FLAG_TDIR_FROM_DEV, 702 /*features*/ 0, 703 /*sector_count*/ dxfer_len / 512, 704 /*lba*/ 0, 705 /*command*/ ATA_ATA_IDENTIFY, 706 /*auxiliary*/ 0, 707 /*data_ptr*/ (uint8_t *)ptr, 708 /*dxfer_len*/ dxfer_len, 709 /*cdb_storage*/ NULL, 710 /*cdb_storage_len*/ 0, 711 /*sense_len*/ SSD_FULL_SIZE, 712 /*timeout*/ timeout ? timeout : 30 * 1000, 713 /*is48bit*/ 0, 714 /*devtype*/ devtype); 715 if (retval != 0) { 716 retval = -1; 717 warnx("%s: build_ata_cmd() failed, likely " 718 "programmer error", __func__); 719 goto bailout; 720 } 721 break; 722 } 723 default: 724 warnx("Unknown disk type %d", devtype); 725 retval = -1; 726 goto bailout; 727 break; /*NOTREACHED*/ 728 } 729 730 ccb->ccb_h.flags |= CAM_DEV_QFRZDIS; 731 732 retval = cam_send_ccb(dev, ccb); 733 if (retval != 0) { 734 warn("error sending %s CCB", (devtype == CC_DT_SCSI) ? 735 "Test Unit Ready" : "Identify"); 736 retval = -1; 737 goto bailout; 738 } 739 740 if (((ccb->ccb_h.status & CAM_STATUS_MASK) != CAM_REQ_CMP) 741 && (vp->tur_status == FW_TUR_READY)) { 742 warnx("Device is not ready"); 743 if (printerrors) 744 cam_error_print(dev, ccb, CAM_ESF_ALL, 745 CAM_EPF_ALL, stderr); 746 retval = 1; 747 goto bailout; 748 } else if (((ccb->ccb_h.status & CAM_STATUS_MASK) == CAM_REQ_CMP) 749 && (vp->tur_status == FW_TUR_NOT_READY)) { 750 warnx("Device cannot have media loaded when firmware is " 751 "downloaded"); 752 retval = 1; 753 goto bailout; 754 } 755 bailout: 756 free(ptr); 757 cam_freeccb(ccb); 758 759 return (retval); 760 } 761 762 /* 763 * Download firmware stored in buf to cam_dev. If simulation mode 764 * is enabled, only show what packet sizes would be sent to the 765 * device but do not sent any actual packets 766 */ 767 static int 768 fw_download_img(struct cam_device *cam_dev, struct fw_vendor *vp, 769 char *buf, int img_size, int sim_mode, int printerrors, int quiet, 770 int retry_count, int timeout, const char *imgname, 771 camcontrol_devtype devtype) 772 { 773 struct scsi_write_buffer cdb; 774 progress_t progress; 775 int size = 0; 776 union ccb *ccb = NULL; 777 int pkt_count = 0; 778 int max_pkt_size; 779 u_int32_t pkt_size = 0; 780 char *pkt_ptr = buf; 781 u_int32_t offset; 782 int last_pkt = 0; 783 int retval = 0; 784 785 /* 786 * Check to see whether the device is ready to accept a firmware 787 * download. 788 */ 789 retval = fw_check_device_ready(cam_dev, devtype, vp, printerrors, 790 timeout); 791 if (retval != 0) 792 goto bailout; 793 794 if ((ccb = cam_getccb(cam_dev)) == NULL) { 795 warnx("Could not allocate CCB"); 796 retval = 1; 797 goto bailout; 798 } 799 800 max_pkt_size = vp->max_pkt_size; 801 if (max_pkt_size == 0) 802 max_pkt_size = UNKNOWN_MAX_PKT_SIZE; 803 804 pkt_size = max_pkt_size; 805 progress_init(&progress, imgname, size = img_size); 806 /* Download single fw packets. */ 807 do { 808 if (img_size <= max_pkt_size) { 809 last_pkt = 1; 810 pkt_size = img_size; 811 } 812 progress_update(&progress, size - img_size); 813 if (((sim_mode == 0) && (quiet == 0)) 814 || ((sim_mode != 0) && (printerrors == 0))) 815 progress_draw(&progress); 816 bzero(&cdb, sizeof(cdb)); 817 switch (devtype) { 818 case CC_DT_SCSI: 819 cdb.opcode = WRITE_BUFFER; 820 cdb.control = 0; 821 /* Parameter list length. */ 822 scsi_ulto3b(pkt_size, &cdb.length[0]); 823 offset = vp->inc_cdb_offset ? (pkt_ptr - buf) : 0; 824 scsi_ulto3b(offset, &cdb.offset[0]); 825 cdb.byte2 = last_pkt ? vp->cdb_byte2_last : 826 vp->cdb_byte2; 827 cdb.buffer_id = vp->inc_cdb_buffer_id ? pkt_count : 0; 828 /* Zero out payload of ccb union after ccb header. */ 829 CCB_CLEAR_ALL_EXCEPT_HDR(&ccb->csio); 830 /* 831 * Copy previously constructed cdb into ccb_scsiio 832 * struct. 833 */ 834 bcopy(&cdb, &ccb->csio.cdb_io.cdb_bytes[0], 835 sizeof(struct scsi_write_buffer)); 836 /* Fill rest of ccb_scsiio struct. */ 837 cam_fill_csio(&ccb->csio, /* ccb_scsiio*/ 838 retry_count, /* retries*/ 839 NULL, /* cbfcnp*/ 840 CAM_DIR_OUT | CAM_DEV_QFRZDIS, /* flags*/ 841 CAM_TAG_ACTION_NONE, /* tag_action*/ 842 (u_char *)pkt_ptr, /* data_ptr*/ 843 pkt_size, /* dxfer_len*/ 844 SSD_FULL_SIZE, /* sense_len*/ 845 sizeof(struct scsi_write_buffer), /* cdb_len*/ 846 timeout ? timeout : WB_TIMEOUT); /* timeout*/ 847 break; 848 case CC_DT_ATA: 849 case CC_DT_SATL: { 850 uint32_t off; 851 852 off = (uint32_t)(pkt_ptr - buf); 853 854 retval = build_ata_cmd(ccb, 855 /*retry_count*/ retry_count, 856 /*flags*/ CAM_DIR_OUT | CAM_DEV_QFRZDIS, 857 /*tag_action*/ CAM_TAG_ACTION_NONE, 858 /*protocol*/ AP_PROTO_PIO_OUT, 859 /*ata_flags*/ AP_FLAG_BYT_BLOK_BYTES | 860 AP_FLAG_TLEN_SECT_CNT | 861 AP_FLAG_TDIR_TO_DEV, 862 /*features*/ USE_OFFSETS_FEATURE, 863 /*sector_count*/ ATA_MAKE_SECTORS(pkt_size), 864 /*lba*/ ATA_MAKE_LBA(off, pkt_size), 865 /*command*/ ATA_DOWNLOAD_MICROCODE, 866 /*auxiliary*/ 0, 867 /*data_ptr*/ (uint8_t *)pkt_ptr, 868 /*dxfer_len*/ pkt_size, 869 /*cdb_storage*/ NULL, 870 /*cdb_storage_len*/ 0, 871 /*sense_len*/ SSD_FULL_SIZE, 872 /*timeout*/ timeout ? timeout : WB_TIMEOUT, 873 /*is48bit*/ 0, 874 /*devtype*/ devtype); 875 876 if (retval != 0) { 877 warnx("%s: build_ata_cmd() failed, likely " 878 "programmer error", __func__); 879 goto bailout; 880 } 881 break; 882 } 883 default: 884 warnx("Unknown device type %d", devtype); 885 retval = 1; 886 goto bailout; 887 break; /*NOTREACHED*/ 888 } 889 if (!sim_mode) { 890 /* Execute the command. */ 891 if (cam_send_ccb(cam_dev, ccb) < 0 || 892 (ccb->ccb_h.status & CAM_STATUS_MASK) != 893 CAM_REQ_CMP) { 894 warnx("Error writing image to device"); 895 if (printerrors) 896 cam_error_print(cam_dev, ccb, 897 CAM_ESF_ALL, CAM_EPF_ALL, stderr); 898 retval = 1; 899 goto bailout; 900 } 901 } else if (printerrors) { 902 cam_error_print(cam_dev, ccb, CAM_ESF_COMMAND, 0, 903 stdout); 904 } 905 906 /* Prepare next round. */ 907 pkt_count++; 908 pkt_ptr += pkt_size; 909 img_size -= pkt_size; 910 } while(!last_pkt); 911 bailout: 912 if (quiet == 0) 913 progress_complete(&progress, size - img_size); 914 cam_freeccb(ccb); 915 return (retval); 916 } 917 918 int 919 fwdownload(struct cam_device *device, int argc, char **argv, 920 char *combinedopt, int printerrors, int task_attr, int retry_count, 921 int timeout) 922 { 923 union ccb *ccb = NULL; 924 struct fw_vendor *vp; 925 char *fw_img_path = NULL; 926 struct ata_params *ident_buf = NULL; 927 camcontrol_devtype devtype; 928 char *buf = NULL; 929 int img_size; 930 int c; 931 int sim_mode = 0; 932 int confirmed = 0; 933 int quiet = 0; 934 int retval = 0; 935 936 while ((c = getopt(argc, argv, combinedopt)) != -1) { 937 switch (c) { 938 case 'f': 939 fw_img_path = optarg; 940 break; 941 case 'q': 942 quiet = 1; 943 break; 944 case 's': 945 sim_mode = 1; 946 break; 947 case 'y': 948 confirmed = 1; 949 break; 950 default: 951 break; 952 } 953 } 954 955 if (fw_img_path == NULL) 956 errx(1, "you must specify a firmware image file using -f " 957 "option"); 958 959 retval = get_device_type(device, retry_count, timeout, printerrors, 960 &devtype); 961 if (retval != 0) 962 errx(1, "Unable to determine device type"); 963 964 if ((devtype == CC_DT_ATA) 965 || (devtype == CC_DT_SATL)) { 966 ccb = cam_getccb(device); 967 if (ccb == NULL) { 968 warnx("couldn't allocate CCB"); 969 retval = 1; 970 goto bailout; 971 } 972 973 if (ata_do_identify(device, retry_count, timeout, ccb, 974 &ident_buf) != 0) { 975 retval = 1; 976 goto bailout; 977 } 978 } else if (devtype != CC_DT_SCSI) 979 errx(1, "Unsupported device type %d", devtype); 980 981 vp = fw_get_vendor(device, ident_buf); 982 /* 983 * Bail out if we have an unknown vendor and this isn't an ATA 984 * disk. For a SCSI disk, we have no chance of working properly 985 * with the default values in the VENDOR_UNKNOWN case. For an ATA 986 * disk connected via an ATA transport, we may work for drives that 987 * support the ATA_DOWNLOAD_MICROCODE command. 988 */ 989 if (((vp == NULL) 990 || (vp->type == VENDOR_UNKNOWN)) 991 && (devtype == CC_DT_SCSI)) 992 errx(1, "Unsupported device"); 993 994 retval = fw_get_timeout(device, vp, task_attr, retry_count, timeout); 995 if (retval != 0) { 996 warnx("Unable to get a firmware download timeout value"); 997 goto bailout; 998 } 999 1000 buf = fw_read_img(device, retry_count, timeout, quiet, fw_img_path, 1001 vp, &img_size); 1002 if (buf == NULL) { 1003 retval = 1; 1004 goto bailout; 1005 } 1006 1007 if (!confirmed) { 1008 fprintf(stdout, "You are about to download firmware image (%s)" 1009 " into the following device:\n", 1010 fw_img_path); 1011 if (devtype == CC_DT_SCSI) { 1012 if (scsidoinquiry(device, argc, argv, combinedopt, 1013 MSG_SIMPLE_Q_TAG, 0, 5000) != 0) { 1014 warnx("Error sending inquiry"); 1015 retval = 1; 1016 goto bailout; 1017 } 1018 } else { 1019 printf("%s%d: ", device->device_name, 1020 device->dev_unit_num); 1021 ata_print_ident(ident_buf); 1022 camxferrate(device); 1023 free(ident_buf); 1024 } 1025 fprintf(stdout, "Using a timeout of %u ms, which is %s.\n", 1026 vp->timeout_ms, 1027 fw_timeout_desc_table[vp->timeout_type].timeout_desc); 1028 fprintf(stdout, "\nIt may damage your drive. "); 1029 if (!get_confirmation()) { 1030 retval = 1; 1031 goto bailout; 1032 } 1033 } 1034 if ((sim_mode != 0) && (quiet == 0)) 1035 fprintf(stdout, "Running in simulation mode\n"); 1036 1037 if (fw_download_img(device, vp, buf, img_size, sim_mode, printerrors, 1038 quiet, retry_count, vp->timeout_ms, fw_img_path, devtype) != 0) { 1039 fprintf(stderr, "Firmware download failed\n"); 1040 retval = 1; 1041 goto bailout; 1042 } else if (quiet == 0) 1043 fprintf(stdout, "Firmware download successful\n"); 1044 1045 bailout: 1046 cam_freeccb(ccb); 1047 free(buf); 1048 return (retval); 1049 } 1050 1051