1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * Bluetooth HCI UART driver for Intel/AG6xx devices 5 * 6 * Copyright (C) 2016 Intel Corporation 7 */ 8 9 #include <linux/kernel.h> 10 #include <linux/errno.h> 11 #include <linux/skbuff.h> 12 #include <linux/firmware.h> 13 #include <linux/module.h> 14 #include <linux/tty.h> 15 16 #include <net/bluetooth/bluetooth.h> 17 #include <net/bluetooth/hci_core.h> 18 19 #include "hci_uart.h" 20 #include "btintel.h" 21 22 struct ag6xx_data { 23 struct sk_buff *rx_skb; 24 struct sk_buff_head txq; 25 }; 26 27 struct pbn_entry { 28 __le32 addr; 29 __le32 plen; 30 __u8 data[]; 31 } __packed; 32 33 static int ag6xx_open(struct hci_uart *hu) 34 { 35 struct ag6xx_data *ag6xx; 36 37 BT_DBG("hu %p", hu); 38 39 ag6xx = kzalloc(sizeof(*ag6xx), GFP_KERNEL); 40 if (!ag6xx) 41 return -ENOMEM; 42 43 skb_queue_head_init(&ag6xx->txq); 44 45 hu->priv = ag6xx; 46 return 0; 47 } 48 49 static int ag6xx_close(struct hci_uart *hu) 50 { 51 struct ag6xx_data *ag6xx = hu->priv; 52 53 BT_DBG("hu %p", hu); 54 55 skb_queue_purge(&ag6xx->txq); 56 kfree_skb(ag6xx->rx_skb); 57 kfree(ag6xx); 58 59 hu->priv = NULL; 60 return 0; 61 } 62 63 static int ag6xx_flush(struct hci_uart *hu) 64 { 65 struct ag6xx_data *ag6xx = hu->priv; 66 67 BT_DBG("hu %p", hu); 68 69 skb_queue_purge(&ag6xx->txq); 70 return 0; 71 } 72 73 static struct sk_buff *ag6xx_dequeue(struct hci_uart *hu) 74 { 75 struct ag6xx_data *ag6xx = hu->priv; 76 struct sk_buff *skb; 77 78 skb = skb_dequeue(&ag6xx->txq); 79 if (!skb) 80 return skb; 81 82 /* Prepend skb with frame type */ 83 memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1); 84 return skb; 85 } 86 87 static int ag6xx_enqueue(struct hci_uart *hu, struct sk_buff *skb) 88 { 89 struct ag6xx_data *ag6xx = hu->priv; 90 91 skb_queue_tail(&ag6xx->txq, skb); 92 return 0; 93 } 94 95 static const struct h4_recv_pkt ag6xx_recv_pkts[] = { 96 { H4_RECV_ACL, .recv = hci_recv_frame }, 97 { H4_RECV_SCO, .recv = hci_recv_frame }, 98 { H4_RECV_EVENT, .recv = hci_recv_frame }, 99 }; 100 101 static int ag6xx_recv(struct hci_uart *hu, const void *data, int count) 102 { 103 struct ag6xx_data *ag6xx = hu->priv; 104 105 if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) 106 return -EUNATCH; 107 108 ag6xx->rx_skb = h4_recv_buf(hu->hdev, ag6xx->rx_skb, data, count, 109 ag6xx_recv_pkts, 110 ARRAY_SIZE(ag6xx_recv_pkts)); 111 if (IS_ERR(ag6xx->rx_skb)) { 112 int err = PTR_ERR(ag6xx->rx_skb); 113 bt_dev_err(hu->hdev, "Frame reassembly failed (%d)", err); 114 ag6xx->rx_skb = NULL; 115 return err; 116 } 117 118 return count; 119 } 120 121 static int intel_mem_write(struct hci_dev *hdev, u32 addr, u32 plen, 122 const void *data) 123 { 124 /* Can write a maximum of 247 bytes per HCI command. 125 * HCI cmd Header (3), Intel mem write header (6), data (247). 126 */ 127 while (plen > 0) { 128 struct sk_buff *skb; 129 u8 cmd_param[253], fragment_len = (plen > 247) ? 247 : plen; 130 __le32 leaddr = cpu_to_le32(addr); 131 132 memcpy(cmd_param, &leaddr, 4); 133 cmd_param[4] = 0; 134 cmd_param[5] = fragment_len; 135 memcpy(cmd_param + 6, data, fragment_len); 136 137 skb = __hci_cmd_sync(hdev, 0xfc8e, fragment_len + 6, cmd_param, 138 HCI_INIT_TIMEOUT); 139 if (IS_ERR(skb)) 140 return PTR_ERR(skb); 141 kfree_skb(skb); 142 143 plen -= fragment_len; 144 data += fragment_len; 145 addr += fragment_len; 146 } 147 148 return 0; 149 } 150 151 static int ag6xx_setup(struct hci_uart *hu) 152 { 153 struct hci_dev *hdev = hu->hdev; 154 struct sk_buff *skb; 155 struct intel_version ver; 156 const struct firmware *fw; 157 const u8 *fw_ptr; 158 char fwname[64]; 159 bool patched = false; 160 int err; 161 162 hu->hdev->set_diag = btintel_set_diag; 163 hu->hdev->set_bdaddr = btintel_set_bdaddr; 164 165 err = btintel_enter_mfg(hdev); 166 if (err) 167 return err; 168 169 err = btintel_read_version(hdev, &ver); 170 if (err) 171 return err; 172 173 btintel_version_info(hdev, &ver); 174 175 /* The hardware platform number has a fixed value of 0x37 and 176 * for now only accept this single value. 177 */ 178 if (ver.hw_platform != 0x37) { 179 bt_dev_err(hdev, "Unsupported Intel hardware platform: 0x%X", 180 ver.hw_platform); 181 return -EINVAL; 182 } 183 184 /* Only the hardware variant iBT 2.1 (AG6XX) is supported by this 185 * firmware setup method. 186 */ 187 if (ver.hw_variant != 0x0a) { 188 bt_dev_err(hdev, "Unsupported Intel hardware variant: 0x%x", 189 ver.hw_variant); 190 return -EINVAL; 191 } 192 193 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bddata", 194 ver.hw_platform, ver.hw_variant); 195 196 err = request_firmware(&fw, fwname, &hdev->dev); 197 if (err < 0) { 198 bt_dev_err(hdev, "Failed to open Intel bddata file: %s (%d)", 199 fwname, err); 200 goto patch; 201 } 202 fw_ptr = fw->data; 203 204 bt_dev_info(hdev, "Applying bddata (%s)", fwname); 205 206 skb = __hci_cmd_sync_ev(hdev, 0xfc2f, fw->size, fw->data, 207 HCI_EV_CMD_STATUS, HCI_CMD_TIMEOUT); 208 if (IS_ERR(skb)) { 209 bt_dev_err(hdev, "Applying bddata failed (%ld)", PTR_ERR(skb)); 210 release_firmware(fw); 211 return PTR_ERR(skb); 212 } 213 kfree_skb(skb); 214 215 release_firmware(fw); 216 217 patch: 218 /* If there is no applied patch, fw_patch_num is always 0x00. In other 219 * cases, current firmware is already patched. No need to patch it. 220 */ 221 if (ver.fw_patch_num) { 222 bt_dev_info(hdev, "Device is already patched. patch num: %02x", 223 ver.fw_patch_num); 224 patched = true; 225 goto complete; 226 } 227 228 snprintf(fwname, sizeof(fwname), 229 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.pbn", 230 ver.hw_platform, ver.hw_variant, ver.hw_revision, 231 ver.fw_variant, ver.fw_revision, ver.fw_build_num, 232 ver.fw_build_ww, ver.fw_build_yy); 233 234 err = request_firmware(&fw, fwname, &hdev->dev); 235 if (err < 0) { 236 bt_dev_err(hdev, "Failed to open Intel patch file: %s(%d)", 237 fwname, err); 238 goto complete; 239 } 240 fw_ptr = fw->data; 241 242 bt_dev_info(hdev, "Patching firmware file (%s)", fwname); 243 244 /* PBN patch file contains a list of binary patches to be applied on top 245 * of the embedded firmware. Each patch entry header contains the target 246 * address and patch size. 247 * 248 * Patch entry: 249 * | addr(le) | patch_len(le) | patch_data | 250 * | 4 Bytes | 4 Bytes | n Bytes | 251 * 252 * PBN file is terminated by a patch entry whose address is 0xffffffff. 253 */ 254 while (fw->size > fw_ptr - fw->data) { 255 struct pbn_entry *pbn = (void *)fw_ptr; 256 u32 addr, plen; 257 258 if (pbn->addr == 0xffffffff) { 259 bt_dev_info(hdev, "Patching complete"); 260 patched = true; 261 break; 262 } 263 264 addr = le32_to_cpu(pbn->addr); 265 plen = le32_to_cpu(pbn->plen); 266 267 if (fw->data + fw->size <= pbn->data + plen) { 268 bt_dev_info(hdev, "Invalid patch len (%d)", plen); 269 break; 270 } 271 272 bt_dev_info(hdev, "Patching %td/%zu", (fw_ptr - fw->data), 273 fw->size); 274 275 err = intel_mem_write(hdev, addr, plen, pbn->data); 276 if (err) { 277 bt_dev_err(hdev, "Patching failed"); 278 break; 279 } 280 281 fw_ptr = pbn->data + plen; 282 } 283 284 release_firmware(fw); 285 286 complete: 287 /* Exit manufacturing mode and reset */ 288 err = btintel_exit_mfg(hdev, true, patched); 289 if (err) 290 return err; 291 292 /* Set the event mask for Intel specific vendor events. This enables 293 * a few extra events that are useful during general operation. 294 */ 295 btintel_set_event_mask_mfg(hdev, false); 296 297 btintel_check_bdaddr(hdev); 298 return 0; 299 } 300 301 static const struct hci_uart_proto ag6xx_proto = { 302 .id = HCI_UART_AG6XX, 303 .name = "AG6XX", 304 .manufacturer = 2, 305 .open = ag6xx_open, 306 .close = ag6xx_close, 307 .flush = ag6xx_flush, 308 .setup = ag6xx_setup, 309 .recv = ag6xx_recv, 310 .enqueue = ag6xx_enqueue, 311 .dequeue = ag6xx_dequeue, 312 }; 313 314 int __init ag6xx_init(void) 315 { 316 return hci_uart_register_proto(&ag6xx_proto); 317 } 318 319 int __exit ag6xx_deinit(void) 320 { 321 return hci_uart_unregister_proto(&ag6xx_proto); 322 } 323