111f74023SLinus Walleij // SPDX-License-Identifier: GPL-2.0-only 211f74023SLinus Walleij /* 311f74023SLinus Walleij * BCM47XX MTD partitioning 411f74023SLinus Walleij * 511f74023SLinus Walleij * Copyright © 2012 Rafał Miłecki <zajec5@gmail.com> 611f74023SLinus Walleij */ 711f74023SLinus Walleij 811f74023SLinus Walleij #include <linux/bcm47xx_nvram.h> 911f74023SLinus Walleij #include <linux/module.h> 1011f74023SLinus Walleij #include <linux/kernel.h> 1111f74023SLinus Walleij #include <linux/slab.h> 1211f74023SLinus Walleij #include <linux/mtd/mtd.h> 1311f74023SLinus Walleij #include <linux/mtd/partitions.h> 1411f74023SLinus Walleij 1511f74023SLinus Walleij #include <uapi/linux/magic.h> 1611f74023SLinus Walleij 1711f74023SLinus Walleij /* 1811f74023SLinus Walleij * NAND flash on Netgear R6250 was verified to contain 15 partitions. 1911f74023SLinus Walleij * This will result in allocating too big array for some old devices, but the 2011f74023SLinus Walleij * memory will be freed soon anyway (see mtd_device_parse_register). 2111f74023SLinus Walleij */ 2211f74023SLinus Walleij #define BCM47XXPART_MAX_PARTS 20 2311f74023SLinus Walleij 2411f74023SLinus Walleij /* 2511f74023SLinus Walleij * Amount of bytes we read when analyzing each block of flash memory. 2611f74023SLinus Walleij * Set it big enough to allow detecting partition and reading important data. 2711f74023SLinus Walleij */ 2811f74023SLinus Walleij #define BCM47XXPART_BYTES_TO_READ 0x4e8 2911f74023SLinus Walleij 3011f74023SLinus Walleij /* Magics */ 3111f74023SLinus Walleij #define BOARD_DATA_MAGIC 0x5246504D /* MPFR */ 3211f74023SLinus Walleij #define BOARD_DATA_MAGIC2 0xBD0D0BBD 3311f74023SLinus Walleij #define CFE_MAGIC 0x43464531 /* 1EFC */ 3411f74023SLinus Walleij #define FACTORY_MAGIC 0x59544346 /* FCTY */ 3511f74023SLinus Walleij #define NVRAM_HEADER 0x48534C46 /* FLSH */ 3611f74023SLinus Walleij #define POT_MAGIC1 0x54544f50 /* POTT */ 3711f74023SLinus Walleij #define POT_MAGIC2 0x504f /* OP */ 3811f74023SLinus Walleij #define ML_MAGIC1 0x39685a42 3911f74023SLinus Walleij #define ML_MAGIC2 0x26594131 4011f74023SLinus Walleij #define TRX_MAGIC 0x30524448 4111f74023SLinus Walleij #define SHSQ_MAGIC 0x71736873 /* shsq (weird ZTE H218N endianness) */ 4211f74023SLinus Walleij 4311f74023SLinus Walleij static const char * const trx_types[] = { "trx", NULL }; 4411f74023SLinus Walleij 4511f74023SLinus Walleij struct trx_header { 4611f74023SLinus Walleij uint32_t magic; 4711f74023SLinus Walleij uint32_t length; 4811f74023SLinus Walleij uint32_t crc32; 4911f74023SLinus Walleij uint16_t flags; 5011f74023SLinus Walleij uint16_t version; 5111f74023SLinus Walleij uint32_t offset[3]; 5211f74023SLinus Walleij } __packed; 5311f74023SLinus Walleij 5411f74023SLinus Walleij static void bcm47xxpart_add_part(struct mtd_partition *part, const char *name, 5511f74023SLinus Walleij u64 offset, uint32_t mask_flags) 5611f74023SLinus Walleij { 5711f74023SLinus Walleij part->name = name; 5811f74023SLinus Walleij part->offset = offset; 5911f74023SLinus Walleij part->mask_flags = mask_flags; 6011f74023SLinus Walleij } 6111f74023SLinus Walleij 6211f74023SLinus Walleij /** 6311f74023SLinus Walleij * bcm47xxpart_bootpartition - gets index of TRX partition used by bootloader 6411f74023SLinus Walleij * 6511f74023SLinus Walleij * Some devices may have more than one TRX partition. In such case one of them 6611f74023SLinus Walleij * is the main one and another a failsafe one. Bootloader may fallback to the 6711f74023SLinus Walleij * failsafe firmware if it detects corruption of the main image. 6811f74023SLinus Walleij * 6911f74023SLinus Walleij * This function provides info about currently used TRX partition. It's the one 7011f74023SLinus Walleij * containing kernel started by the bootloader. 7111f74023SLinus Walleij */ 7211f74023SLinus Walleij static int bcm47xxpart_bootpartition(void) 7311f74023SLinus Walleij { 7411f74023SLinus Walleij char buf[4]; 7511f74023SLinus Walleij int bootpartition; 7611f74023SLinus Walleij 7711f74023SLinus Walleij /* Check CFE environment variable */ 7811f74023SLinus Walleij if (bcm47xx_nvram_getenv("bootpartition", buf, sizeof(buf)) > 0) { 7911f74023SLinus Walleij if (!kstrtoint(buf, 0, &bootpartition)) 8011f74023SLinus Walleij return bootpartition; 8111f74023SLinus Walleij } 8211f74023SLinus Walleij 8311f74023SLinus Walleij return 0; 8411f74023SLinus Walleij } 8511f74023SLinus Walleij 8611f74023SLinus Walleij static int bcm47xxpart_parse(struct mtd_info *master, 8711f74023SLinus Walleij const struct mtd_partition **pparts, 8811f74023SLinus Walleij struct mtd_part_parser_data *data) 8911f74023SLinus Walleij { 9011f74023SLinus Walleij struct mtd_partition *parts; 9111f74023SLinus Walleij uint8_t i, curr_part = 0; 9211f74023SLinus Walleij uint32_t *buf; 9311f74023SLinus Walleij size_t bytes_read; 9411f74023SLinus Walleij uint32_t offset; 9511f74023SLinus Walleij uint32_t blocksize = master->erasesize; 9611f74023SLinus Walleij int trx_parts[2]; /* Array with indexes of TRX partitions */ 9711f74023SLinus Walleij int trx_num = 0; /* Number of found TRX partitions */ 9811f74023SLinus Walleij int possible_nvram_sizes[] = { 0x8000, 0xF000, 0x10000, }; 9911f74023SLinus Walleij int err; 10011f74023SLinus Walleij 10111f74023SLinus Walleij /* 10211f74023SLinus Walleij * Some really old flashes (like AT45DB*) had smaller erasesize-s, but 10311f74023SLinus Walleij * partitions were aligned to at least 0x1000 anyway. 10411f74023SLinus Walleij */ 10511f74023SLinus Walleij if (blocksize < 0x1000) 10611f74023SLinus Walleij blocksize = 0x1000; 10711f74023SLinus Walleij 10811f74023SLinus Walleij /* Alloc */ 10911f74023SLinus Walleij parts = kcalloc(BCM47XXPART_MAX_PARTS, sizeof(struct mtd_partition), 11011f74023SLinus Walleij GFP_KERNEL); 11111f74023SLinus Walleij if (!parts) 11211f74023SLinus Walleij return -ENOMEM; 11311f74023SLinus Walleij 11411f74023SLinus Walleij buf = kzalloc(BCM47XXPART_BYTES_TO_READ, GFP_KERNEL); 11511f74023SLinus Walleij if (!buf) { 11611f74023SLinus Walleij kfree(parts); 11711f74023SLinus Walleij return -ENOMEM; 11811f74023SLinus Walleij } 11911f74023SLinus Walleij 12011f74023SLinus Walleij /* Parse block by block looking for magics */ 12111f74023SLinus Walleij for (offset = 0; offset <= master->size - blocksize; 12211f74023SLinus Walleij offset += blocksize) { 12311f74023SLinus Walleij /* Nothing more in higher memory on BCM47XX (MIPS) */ 12411f74023SLinus Walleij if (IS_ENABLED(CONFIG_BCM47XX) && offset >= 0x2000000) 12511f74023SLinus Walleij break; 12611f74023SLinus Walleij 12711f74023SLinus Walleij if (curr_part >= BCM47XXPART_MAX_PARTS) { 12811f74023SLinus Walleij pr_warn("Reached maximum number of partitions, scanning stopped!\n"); 12911f74023SLinus Walleij break; 13011f74023SLinus Walleij } 13111f74023SLinus Walleij 13211f74023SLinus Walleij /* Read beginning of the block */ 13311f74023SLinus Walleij err = mtd_read(master, offset, BCM47XXPART_BYTES_TO_READ, 13411f74023SLinus Walleij &bytes_read, (uint8_t *)buf); 13511f74023SLinus Walleij if (err && !mtd_is_bitflip(err)) { 13611f74023SLinus Walleij pr_err("mtd_read error while parsing (offset: 0x%X): %d\n", 13711f74023SLinus Walleij offset, err); 13811f74023SLinus Walleij continue; 13911f74023SLinus Walleij } 14011f74023SLinus Walleij 14111f74023SLinus Walleij /* Magic or small NVRAM at 0x400 */ 14211f74023SLinus Walleij if ((buf[0x4e0 / 4] == CFE_MAGIC && buf[0x4e4 / 4] == CFE_MAGIC) || 14311f74023SLinus Walleij (buf[0x400 / 4] == NVRAM_HEADER)) { 14411f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "boot", 14511f74023SLinus Walleij offset, MTD_WRITEABLE); 14611f74023SLinus Walleij continue; 14711f74023SLinus Walleij } 14811f74023SLinus Walleij 14911f74023SLinus Walleij /* 15011f74023SLinus Walleij * board_data starts with board_id which differs across boards, 15111f74023SLinus Walleij * but we can use 'MPFR' (hopefully) magic at 0x100 15211f74023SLinus Walleij */ 15311f74023SLinus Walleij if (buf[0x100 / 4] == BOARD_DATA_MAGIC) { 15411f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "board_data", 15511f74023SLinus Walleij offset, MTD_WRITEABLE); 15611f74023SLinus Walleij continue; 15711f74023SLinus Walleij } 15811f74023SLinus Walleij 15911f74023SLinus Walleij /* Found on Huawei E970 */ 16011f74023SLinus Walleij if (buf[0x000 / 4] == FACTORY_MAGIC) { 16111f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "factory", 16211f74023SLinus Walleij offset, MTD_WRITEABLE); 16311f74023SLinus Walleij continue; 16411f74023SLinus Walleij } 16511f74023SLinus Walleij 16611f74023SLinus Walleij /* POT(TOP) */ 16711f74023SLinus Walleij if (buf[0x000 / 4] == POT_MAGIC1 && 16811f74023SLinus Walleij (buf[0x004 / 4] & 0xFFFF) == POT_MAGIC2) { 16911f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "POT", offset, 17011f74023SLinus Walleij MTD_WRITEABLE); 17111f74023SLinus Walleij continue; 17211f74023SLinus Walleij } 17311f74023SLinus Walleij 17411f74023SLinus Walleij /* ML */ 17511f74023SLinus Walleij if (buf[0x010 / 4] == ML_MAGIC1 && 17611f74023SLinus Walleij buf[0x014 / 4] == ML_MAGIC2) { 17711f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "ML", offset, 17811f74023SLinus Walleij MTD_WRITEABLE); 17911f74023SLinus Walleij continue; 18011f74023SLinus Walleij } 18111f74023SLinus Walleij 18211f74023SLinus Walleij /* TRX */ 18311f74023SLinus Walleij if (buf[0x000 / 4] == TRX_MAGIC) { 18411f74023SLinus Walleij struct trx_header *trx; 18511f74023SLinus Walleij uint32_t last_subpart; 18611f74023SLinus Walleij uint32_t trx_size; 18711f74023SLinus Walleij 18811f74023SLinus Walleij if (trx_num >= ARRAY_SIZE(trx_parts)) 18911f74023SLinus Walleij pr_warn("No enough space to store another TRX found at 0x%X\n", 19011f74023SLinus Walleij offset); 19111f74023SLinus Walleij else 19211f74023SLinus Walleij trx_parts[trx_num++] = curr_part; 19311f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "firmware", 19411f74023SLinus Walleij offset, 0); 19511f74023SLinus Walleij 19611f74023SLinus Walleij /* 19711f74023SLinus Walleij * Try to find TRX size. The "length" field isn't fully 19811f74023SLinus Walleij * reliable as it could be decreased to make CRC32 cover 19911f74023SLinus Walleij * only part of TRX data. It's commonly used as checksum 20011f74023SLinus Walleij * can't cover e.g. ever-changing rootfs partition. 20111f74023SLinus Walleij * Use offsets as helpers for assuming min TRX size. 20211f74023SLinus Walleij */ 20311f74023SLinus Walleij trx = (struct trx_header *)buf; 20411f74023SLinus Walleij last_subpart = max3(trx->offset[0], trx->offset[1], 20511f74023SLinus Walleij trx->offset[2]); 20611f74023SLinus Walleij trx_size = max(trx->length, last_subpart + blocksize); 20711f74023SLinus Walleij 20811f74023SLinus Walleij /* 20911f74023SLinus Walleij * Skip the TRX data. Decrease offset by block size as 21011f74023SLinus Walleij * the next loop iteration will increase it. 21111f74023SLinus Walleij */ 21211f74023SLinus Walleij offset += roundup(trx_size, blocksize) - blocksize; 21311f74023SLinus Walleij continue; 21411f74023SLinus Walleij } 21511f74023SLinus Walleij 21611f74023SLinus Walleij /* Squashfs on devices not using TRX */ 21711f74023SLinus Walleij if (le32_to_cpu(buf[0x000 / 4]) == SQUASHFS_MAGIC || 21811f74023SLinus Walleij buf[0x000 / 4] == SHSQ_MAGIC) { 21911f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "rootfs", 22011f74023SLinus Walleij offset, 0); 22111f74023SLinus Walleij continue; 22211f74023SLinus Walleij } 22311f74023SLinus Walleij 22411f74023SLinus Walleij /* 22511f74023SLinus Walleij * New (ARM?) devices may have NVRAM in some middle block. Last 22611f74023SLinus Walleij * block will be checked later, so skip it. 22711f74023SLinus Walleij */ 22811f74023SLinus Walleij if (offset != master->size - blocksize && 22911f74023SLinus Walleij buf[0x000 / 4] == NVRAM_HEADER) { 23011f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "nvram", 23111f74023SLinus Walleij offset, 0); 23211f74023SLinus Walleij continue; 23311f74023SLinus Walleij } 23411f74023SLinus Walleij 23511f74023SLinus Walleij /* Read middle of the block */ 236*05e258c6SLinus Walleij err = mtd_read(master, offset + (blocksize / 2), 0x4, &bytes_read, 23711f74023SLinus Walleij (uint8_t *)buf); 23811f74023SLinus Walleij if (err && !mtd_is_bitflip(err)) { 23911f74023SLinus Walleij pr_err("mtd_read error while parsing (offset: 0x%X): %d\n", 240*05e258c6SLinus Walleij offset + (blocksize / 2), err); 24111f74023SLinus Walleij continue; 24211f74023SLinus Walleij } 24311f74023SLinus Walleij 24411f74023SLinus Walleij /* Some devices (ex. WNDR3700v3) don't have a standard 'MPFR' */ 24511f74023SLinus Walleij if (buf[0x000 / 4] == BOARD_DATA_MAGIC2) { 24611f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "board_data", 24711f74023SLinus Walleij offset, MTD_WRITEABLE); 24811f74023SLinus Walleij continue; 24911f74023SLinus Walleij } 25011f74023SLinus Walleij } 25111f74023SLinus Walleij 25211f74023SLinus Walleij /* Look for NVRAM at the end of the last block. */ 25311f74023SLinus Walleij for (i = 0; i < ARRAY_SIZE(possible_nvram_sizes); i++) { 25411f74023SLinus Walleij if (curr_part >= BCM47XXPART_MAX_PARTS) { 25511f74023SLinus Walleij pr_warn("Reached maximum number of partitions, scanning stopped!\n"); 25611f74023SLinus Walleij break; 25711f74023SLinus Walleij } 25811f74023SLinus Walleij 25911f74023SLinus Walleij offset = master->size - possible_nvram_sizes[i]; 26011f74023SLinus Walleij err = mtd_read(master, offset, 0x4, &bytes_read, 26111f74023SLinus Walleij (uint8_t *)buf); 26211f74023SLinus Walleij if (err && !mtd_is_bitflip(err)) { 26311f74023SLinus Walleij pr_err("mtd_read error while reading (offset 0x%X): %d\n", 26411f74023SLinus Walleij offset, err); 26511f74023SLinus Walleij continue; 26611f74023SLinus Walleij } 26711f74023SLinus Walleij 26811f74023SLinus Walleij /* Standard NVRAM */ 26911f74023SLinus Walleij if (buf[0] == NVRAM_HEADER) { 27011f74023SLinus Walleij bcm47xxpart_add_part(&parts[curr_part++], "nvram", 27111f74023SLinus Walleij master->size - blocksize, 0); 27211f74023SLinus Walleij break; 27311f74023SLinus Walleij } 27411f74023SLinus Walleij } 27511f74023SLinus Walleij 27611f74023SLinus Walleij kfree(buf); 27711f74023SLinus Walleij 27811f74023SLinus Walleij /* 27911f74023SLinus Walleij * Assume that partitions end at the beginning of the one they are 28011f74023SLinus Walleij * followed by. 28111f74023SLinus Walleij */ 28211f74023SLinus Walleij for (i = 0; i < curr_part; i++) { 28311f74023SLinus Walleij u64 next_part_offset = (i < curr_part - 1) ? 28411f74023SLinus Walleij parts[i + 1].offset : master->size; 28511f74023SLinus Walleij 28611f74023SLinus Walleij parts[i].size = next_part_offset - parts[i].offset; 28711f74023SLinus Walleij } 28811f74023SLinus Walleij 28911f74023SLinus Walleij /* If there was TRX parse it now */ 29011f74023SLinus Walleij for (i = 0; i < trx_num; i++) { 29111f74023SLinus Walleij struct mtd_partition *trx = &parts[trx_parts[i]]; 29211f74023SLinus Walleij 29311f74023SLinus Walleij if (i == bcm47xxpart_bootpartition()) 29411f74023SLinus Walleij trx->types = trx_types; 29511f74023SLinus Walleij else 29611f74023SLinus Walleij trx->name = "failsafe"; 29711f74023SLinus Walleij } 29811f74023SLinus Walleij 29911f74023SLinus Walleij *pparts = parts; 30011f74023SLinus Walleij return curr_part; 30111f74023SLinus Walleij }; 30211f74023SLinus Walleij 30311f74023SLinus Walleij static const struct of_device_id bcm47xxpart_of_match_table[] = { 30411f74023SLinus Walleij { .compatible = "brcm,bcm947xx-cfe-partitions" }, 30511f74023SLinus Walleij {}, 30611f74023SLinus Walleij }; 30711f74023SLinus Walleij MODULE_DEVICE_TABLE(of, bcm47xxpart_of_match_table); 30811f74023SLinus Walleij 30911f74023SLinus Walleij static struct mtd_part_parser bcm47xxpart_mtd_parser = { 31011f74023SLinus Walleij .parse_fn = bcm47xxpart_parse, 31111f74023SLinus Walleij .name = "bcm47xxpart", 31211f74023SLinus Walleij .of_match_table = bcm47xxpart_of_match_table, 31311f74023SLinus Walleij }; 31411f74023SLinus Walleij module_mtd_part_parser(bcm47xxpart_mtd_parser); 31511f74023SLinus Walleij 31611f74023SLinus Walleij MODULE_LICENSE("GPL"); 31711f74023SLinus Walleij MODULE_DESCRIPTION("MTD partitioning for BCM47XX flash memories"); 318