xref: /linux/drivers/bluetooth/btqca.c (revision 15a1fbdcfb519c2bd291ed01c6c94e0b89537a77)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *  Bluetooth supports for Qualcomm Atheros chips
4  *
5  *  Copyright (c) 2015 The Linux Foundation. All rights reserved.
6  */
7 #include <linux/module.h>
8 #include <linux/firmware.h>
9 
10 #include <net/bluetooth/bluetooth.h>
11 #include <net/bluetooth/hci_core.h>
12 
13 #include "btqca.h"
14 
15 #define VERSION "0.1"
16 
17 int qca_read_soc_version(struct hci_dev *hdev, u32 *soc_version,
18 			 enum qca_btsoc_type soc_type)
19 {
20 	struct sk_buff *skb;
21 	struct edl_event_hdr *edl;
22 	struct qca_btsoc_version *ver;
23 	char cmd;
24 	int err = 0;
25 	u8 event_type = HCI_EV_VENDOR;
26 	u8 rlen = sizeof(*edl) + sizeof(*ver);
27 	u8 rtype = EDL_APP_VER_RES_EVT;
28 
29 	bt_dev_dbg(hdev, "QCA Version Request");
30 
31 	/* Unlike other SoC's sending version command response as payload to
32 	 * VSE event. WCN3991 sends version command response as a payload to
33 	 * command complete event.
34 	 */
35 	if (soc_type == QCA_WCN3991) {
36 		event_type = 0;
37 		rlen += 1;
38 		rtype = EDL_PATCH_VER_REQ_CMD;
39 	}
40 
41 	cmd = EDL_PATCH_VER_REQ_CMD;
42 	skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN,
43 				&cmd, event_type, HCI_INIT_TIMEOUT);
44 	if (IS_ERR(skb)) {
45 		err = PTR_ERR(skb);
46 		bt_dev_err(hdev, "Reading QCA version information failed (%d)",
47 			   err);
48 		return err;
49 	}
50 
51 	if (skb->len != rlen) {
52 		bt_dev_err(hdev, "QCA Version size mismatch len %d", skb->len);
53 		err = -EILSEQ;
54 		goto out;
55 	}
56 
57 	edl = (struct edl_event_hdr *)(skb->data);
58 	if (!edl) {
59 		bt_dev_err(hdev, "QCA TLV with no header");
60 		err = -EILSEQ;
61 		goto out;
62 	}
63 
64 	if (edl->cresp != EDL_CMD_REQ_RES_EVT ||
65 	    edl->rtype != rtype) {
66 		bt_dev_err(hdev, "QCA Wrong packet received %d %d", edl->cresp,
67 			   edl->rtype);
68 		err = -EIO;
69 		goto out;
70 	}
71 
72 	if (soc_type == QCA_WCN3991)
73 		memmove(&edl->data, &edl->data[1], sizeof(*ver));
74 
75 	ver = (struct qca_btsoc_version *)(edl->data);
76 
77 	BT_DBG("%s: Product:0x%08x", hdev->name, le32_to_cpu(ver->product_id));
78 	BT_DBG("%s: Patch  :0x%08x", hdev->name, le16_to_cpu(ver->patch_ver));
79 	BT_DBG("%s: ROM    :0x%08x", hdev->name, le16_to_cpu(ver->rom_ver));
80 	BT_DBG("%s: SOC    :0x%08x", hdev->name, le32_to_cpu(ver->soc_id));
81 
82 	/* QCA chipset version can be decided by patch and SoC
83 	 * version, combination with upper 2 bytes from SoC
84 	 * and lower 2 bytes from patch will be used.
85 	 */
86 	*soc_version = (le32_to_cpu(ver->soc_id) << 16) |
87 			(le16_to_cpu(ver->rom_ver) & 0x0000ffff);
88 	if (*soc_version == 0)
89 		err = -EILSEQ;
90 
91 out:
92 	kfree_skb(skb);
93 	if (err)
94 		bt_dev_err(hdev, "QCA Failed to get version (%d)", err);
95 
96 	return err;
97 }
98 EXPORT_SYMBOL_GPL(qca_read_soc_version);
99 
100 static int qca_send_reset(struct hci_dev *hdev)
101 {
102 	struct sk_buff *skb;
103 	int err;
104 
105 	bt_dev_dbg(hdev, "QCA HCI_RESET");
106 
107 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
108 	if (IS_ERR(skb)) {
109 		err = PTR_ERR(skb);
110 		bt_dev_err(hdev, "QCA Reset failed (%d)", err);
111 		return err;
112 	}
113 
114 	kfree_skb(skb);
115 
116 	return 0;
117 }
118 
119 int qca_send_pre_shutdown_cmd(struct hci_dev *hdev)
120 {
121 	struct sk_buff *skb;
122 	int err;
123 
124 	bt_dev_dbg(hdev, "QCA pre shutdown cmd");
125 
126 	skb = __hci_cmd_sync_ev(hdev, QCA_PRE_SHUTDOWN_CMD, 0,
127 				NULL, HCI_EV_CMD_COMPLETE, HCI_INIT_TIMEOUT);
128 
129 	if (IS_ERR(skb)) {
130 		err = PTR_ERR(skb);
131 		bt_dev_err(hdev, "QCA preshutdown_cmd failed (%d)", err);
132 		return err;
133 	}
134 
135 	kfree_skb(skb);
136 
137 	return 0;
138 }
139 EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd);
140 
141 static void qca_tlv_check_data(struct qca_fw_config *config,
142 				const struct firmware *fw)
143 {
144 	const u8 *data;
145 	u32 type_len;
146 	u16 tag_id, tag_len;
147 	int idx, length;
148 	struct tlv_type_hdr *tlv;
149 	struct tlv_type_patch *tlv_patch;
150 	struct tlv_type_nvm *tlv_nvm;
151 
152 	tlv = (struct tlv_type_hdr *)fw->data;
153 
154 	type_len = le32_to_cpu(tlv->type_len);
155 	length = (type_len >> 8) & 0x00ffffff;
156 
157 	BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff);
158 	BT_DBG("Length\t\t : %d bytes", length);
159 
160 	config->dnld_mode = QCA_SKIP_EVT_NONE;
161 	config->dnld_type = QCA_SKIP_EVT_NONE;
162 
163 	switch (config->type) {
164 	case TLV_TYPE_PATCH:
165 		tlv_patch = (struct tlv_type_patch *)tlv->data;
166 
167 		/* For Rome version 1.1 to 3.1, all segment commands
168 		 * are acked by a vendor specific event (VSE).
169 		 * For Rome >= 3.2, the download mode field indicates
170 		 * if VSE is skipped by the controller.
171 		 * In case VSE is skipped, only the last segment is acked.
172 		 */
173 		config->dnld_mode = tlv_patch->download_mode;
174 		config->dnld_type = config->dnld_mode;
175 
176 		BT_DBG("Total Length           : %d bytes",
177 		       le32_to_cpu(tlv_patch->total_size));
178 		BT_DBG("Patch Data Length      : %d bytes",
179 		       le32_to_cpu(tlv_patch->data_length));
180 		BT_DBG("Signing Format Version : 0x%x",
181 		       tlv_patch->format_version);
182 		BT_DBG("Signature Algorithm    : 0x%x",
183 		       tlv_patch->signature);
184 		BT_DBG("Download mode          : 0x%x",
185 		       tlv_patch->download_mode);
186 		BT_DBG("Reserved               : 0x%x",
187 		       tlv_patch->reserved1);
188 		BT_DBG("Product ID             : 0x%04x",
189 		       le16_to_cpu(tlv_patch->product_id));
190 		BT_DBG("Rom Build Version      : 0x%04x",
191 		       le16_to_cpu(tlv_patch->rom_build));
192 		BT_DBG("Patch Version          : 0x%04x",
193 		       le16_to_cpu(tlv_patch->patch_version));
194 		BT_DBG("Reserved               : 0x%x",
195 		       le16_to_cpu(tlv_patch->reserved2));
196 		BT_DBG("Patch Entry Address    : 0x%x",
197 		       le32_to_cpu(tlv_patch->entry));
198 		break;
199 
200 	case TLV_TYPE_NVM:
201 		idx = 0;
202 		data = tlv->data;
203 		while (idx < length) {
204 			tlv_nvm = (struct tlv_type_nvm *)(data + idx);
205 
206 			tag_id = le16_to_cpu(tlv_nvm->tag_id);
207 			tag_len = le16_to_cpu(tlv_nvm->tag_len);
208 
209 			/* Update NVM tags as needed */
210 			switch (tag_id) {
211 			case EDL_TAG_ID_HCI:
212 				/* HCI transport layer parameters
213 				 * enabling software inband sleep
214 				 * onto controller side.
215 				 */
216 				tlv_nvm->data[0] |= 0x80;
217 
218 				/* UART Baud Rate */
219 				tlv_nvm->data[2] = config->user_baud_rate;
220 
221 				break;
222 
223 			case EDL_TAG_ID_DEEP_SLEEP:
224 				/* Sleep enable mask
225 				 * enabling deep sleep feature on controller.
226 				 */
227 				tlv_nvm->data[0] |= 0x01;
228 
229 				break;
230 			}
231 
232 			idx += (sizeof(u16) + sizeof(u16) + 8 + tag_len);
233 		}
234 		break;
235 
236 	default:
237 		BT_ERR("Unknown TLV type %d", config->type);
238 		break;
239 	}
240 }
241 
242 static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size,
243 				const u8 *data, enum qca_tlv_dnld_mode mode,
244 				enum qca_btsoc_type soc_type)
245 {
246 	struct sk_buff *skb;
247 	struct edl_event_hdr *edl;
248 	struct tlv_seg_resp *tlv_resp;
249 	u8 cmd[MAX_SIZE_PER_TLV_SEGMENT + 2];
250 	int err = 0;
251 	u8 event_type = HCI_EV_VENDOR;
252 	u8 rlen = (sizeof(*edl) + sizeof(*tlv_resp));
253 	u8 rtype = EDL_TVL_DNLD_RES_EVT;
254 
255 	cmd[0] = EDL_PATCH_TLV_REQ_CMD;
256 	cmd[1] = seg_size;
257 	memcpy(cmd + 2, data, seg_size);
258 
259 	if (mode == QCA_SKIP_EVT_VSE_CC || mode == QCA_SKIP_EVT_VSE)
260 		return __hci_cmd_send(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2,
261 				      cmd);
262 
263 	/* Unlike other SoC's sending version command response as payload to
264 	 * VSE event. WCN3991 sends version command response as a payload to
265 	 * command complete event.
266 	 */
267 	if (soc_type == QCA_WCN3991) {
268 		event_type = 0;
269 		rlen = sizeof(*edl);
270 		rtype = EDL_PATCH_TLV_REQ_CMD;
271 	}
272 
273 	skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2, cmd,
274 				event_type, HCI_INIT_TIMEOUT);
275 	if (IS_ERR(skb)) {
276 		err = PTR_ERR(skb);
277 		bt_dev_err(hdev, "QCA Failed to send TLV segment (%d)", err);
278 		return err;
279 	}
280 
281 	if (skb->len != rlen) {
282 		bt_dev_err(hdev, "QCA TLV response size mismatch");
283 		err = -EILSEQ;
284 		goto out;
285 	}
286 
287 	edl = (struct edl_event_hdr *)(skb->data);
288 	if (!edl) {
289 		bt_dev_err(hdev, "TLV with no header");
290 		err = -EILSEQ;
291 		goto out;
292 	}
293 
294 	if (edl->cresp != EDL_CMD_REQ_RES_EVT || edl->rtype != rtype) {
295 		bt_dev_err(hdev, "QCA TLV with error stat 0x%x rtype 0x%x",
296 			   edl->cresp, edl->rtype);
297 		err = -EIO;
298 	}
299 
300 	if (soc_type == QCA_WCN3991)
301 		goto out;
302 
303 	tlv_resp = (struct tlv_seg_resp *)(edl->data);
304 	if (tlv_resp->result) {
305 		bt_dev_err(hdev, "QCA TLV with error stat 0x%x rtype 0x%x (0x%x)",
306 			   edl->cresp, edl->rtype, tlv_resp->result);
307 	}
308 
309 out:
310 	kfree_skb(skb);
311 
312 	return err;
313 }
314 
315 static int qca_inject_cmd_complete_event(struct hci_dev *hdev)
316 {
317 	struct hci_event_hdr *hdr;
318 	struct hci_ev_cmd_complete *evt;
319 	struct sk_buff *skb;
320 
321 	skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_KERNEL);
322 	if (!skb)
323 		return -ENOMEM;
324 
325 	hdr = skb_put(skb, sizeof(*hdr));
326 	hdr->evt = HCI_EV_CMD_COMPLETE;
327 	hdr->plen = sizeof(*evt) + 1;
328 
329 	evt = skb_put(skb, sizeof(*evt));
330 	evt->ncmd = 1;
331 	evt->opcode = cpu_to_le16(QCA_HCI_CC_OPCODE);
332 
333 	skb_put_u8(skb, QCA_HCI_CC_SUCCESS);
334 
335 	hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
336 
337 	return hci_recv_frame(hdev, skb);
338 }
339 
340 static int qca_download_firmware(struct hci_dev *hdev,
341 				 struct qca_fw_config *config,
342 				 enum qca_btsoc_type soc_type)
343 {
344 	const struct firmware *fw;
345 	const u8 *segment;
346 	int ret, remain, i = 0;
347 
348 	bt_dev_info(hdev, "QCA Downloading %s", config->fwname);
349 
350 	ret = request_firmware(&fw, config->fwname, &hdev->dev);
351 	if (ret) {
352 		bt_dev_err(hdev, "QCA Failed to request file: %s (%d)",
353 			   config->fwname, ret);
354 		return ret;
355 	}
356 
357 	qca_tlv_check_data(config, fw);
358 
359 	segment = fw->data;
360 	remain = fw->size;
361 	while (remain > 0) {
362 		int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain);
363 
364 		bt_dev_dbg(hdev, "Send segment %d, size %d", i++, segsize);
365 
366 		remain -= segsize;
367 		/* The last segment is always acked regardless download mode */
368 		if (!remain || segsize < MAX_SIZE_PER_TLV_SEGMENT)
369 			config->dnld_mode = QCA_SKIP_EVT_NONE;
370 
371 		ret = qca_tlv_send_segment(hdev, segsize, segment,
372 					   config->dnld_mode, soc_type);
373 		if (ret)
374 			goto out;
375 
376 		segment += segsize;
377 	}
378 
379 	/* Latest qualcomm chipsets are not sending a command complete event
380 	 * for every fw packet sent. They only respond with a vendor specific
381 	 * event for the last packet. This optimization in the chip will
382 	 * decrease the BT in initialization time. Here we will inject a command
383 	 * complete event to avoid a command timeout error message.
384 	 */
385 	if (config->dnld_type == QCA_SKIP_EVT_VSE_CC ||
386 	    config->dnld_type == QCA_SKIP_EVT_VSE)
387 		ret = qca_inject_cmd_complete_event(hdev);
388 
389 out:
390 	release_firmware(fw);
391 
392 	return ret;
393 }
394 
395 int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr)
396 {
397 	struct sk_buff *skb;
398 	u8 cmd[9];
399 	int err;
400 
401 	cmd[0] = EDL_NVM_ACCESS_SET_REQ_CMD;
402 	cmd[1] = 0x02; 			/* TAG ID */
403 	cmd[2] = sizeof(bdaddr_t);	/* size */
404 	memcpy(cmd + 3, bdaddr, sizeof(bdaddr_t));
405 	skb = __hci_cmd_sync_ev(hdev, EDL_NVM_ACCESS_OPCODE, sizeof(cmd), cmd,
406 				HCI_EV_VENDOR, HCI_INIT_TIMEOUT);
407 	if (IS_ERR(skb)) {
408 		err = PTR_ERR(skb);
409 		bt_dev_err(hdev, "QCA Change address command failed (%d)", err);
410 		return err;
411 	}
412 
413 	kfree_skb(skb);
414 
415 	return 0;
416 }
417 EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome);
418 
419 int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
420 		   enum qca_btsoc_type soc_type, u32 soc_ver,
421 		   const char *firmware_name)
422 {
423 	struct qca_fw_config config;
424 	int err;
425 	u8 rom_ver = 0;
426 
427 	bt_dev_dbg(hdev, "QCA setup on UART");
428 
429 	config.user_baud_rate = baudrate;
430 
431 	/* Download rampatch file */
432 	config.type = TLV_TYPE_PATCH;
433 	if (qca_is_wcn399x(soc_type)) {
434 		/* Firmware files to download are based on ROM version.
435 		 * ROM version is derived from last two bytes of soc_ver.
436 		 */
437 		rom_ver = ((soc_ver & 0x00000f00) >> 0x04) |
438 			    (soc_ver & 0x0000000f);
439 		snprintf(config.fwname, sizeof(config.fwname),
440 			 "qca/crbtfw%02x.tlv", rom_ver);
441 	} else {
442 		snprintf(config.fwname, sizeof(config.fwname),
443 			 "qca/rampatch_%08x.bin", soc_ver);
444 	}
445 
446 	err = qca_download_firmware(hdev, &config, soc_type);
447 	if (err < 0) {
448 		bt_dev_err(hdev, "QCA Failed to download patch (%d)", err);
449 		return err;
450 	}
451 
452 	/* Give the controller some time to get ready to receive the NVM */
453 	msleep(10);
454 
455 	/* Download NVM configuration */
456 	config.type = TLV_TYPE_NVM;
457 	if (firmware_name)
458 		snprintf(config.fwname, sizeof(config.fwname),
459 			 "qca/%s", firmware_name);
460 	else if (qca_is_wcn399x(soc_type))
461 		snprintf(config.fwname, sizeof(config.fwname),
462 			 "qca/crnv%02x.bin", rom_ver);
463 	else
464 		snprintf(config.fwname, sizeof(config.fwname),
465 			 "qca/nvm_%08x.bin", soc_ver);
466 
467 	err = qca_download_firmware(hdev, &config, soc_type);
468 	if (err < 0) {
469 		bt_dev_err(hdev, "QCA Failed to download NVM (%d)", err);
470 		return err;
471 	}
472 
473 	/* Perform HCI reset */
474 	err = qca_send_reset(hdev);
475 	if (err < 0) {
476 		bt_dev_err(hdev, "QCA Failed to run HCI_RESET (%d)", err);
477 		return err;
478 	}
479 
480 	bt_dev_info(hdev, "QCA setup on UART is completed");
481 
482 	return 0;
483 }
484 EXPORT_SYMBOL_GPL(qca_uart_setup);
485 
486 int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
487 {
488 	struct sk_buff *skb;
489 	int err;
490 
491 	skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6, bdaddr,
492 				HCI_EV_VENDOR, HCI_INIT_TIMEOUT);
493 	if (IS_ERR(skb)) {
494 		err = PTR_ERR(skb);
495 		bt_dev_err(hdev, "QCA Change address cmd failed (%d)", err);
496 		return err;
497 	}
498 
499 	kfree_skb(skb);
500 
501 	return 0;
502 }
503 EXPORT_SYMBOL_GPL(qca_set_bdaddr);
504 
505 
506 MODULE_AUTHOR("Ben Young Tae Kim <ytkim@qca.qualcomm.com>");
507 MODULE_DESCRIPTION("Bluetooth support for Qualcomm Atheros family ver " VERSION);
508 MODULE_VERSION(VERSION);
509 MODULE_LICENSE("GPL");
510