1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Bluetooth supports for Qualcomm Atheros chips 4 * 5 * Copyright (c) 2015 The Linux Foundation. All rights reserved. 6 */ 7 #include <linux/module.h> 8 #include <linux/firmware.h> 9 10 #include <net/bluetooth/bluetooth.h> 11 #include <net/bluetooth/hci_core.h> 12 13 #include "btqca.h" 14 15 #define VERSION "0.1" 16 17 int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver, 18 enum qca_btsoc_type soc_type) 19 { 20 struct sk_buff *skb; 21 struct edl_event_hdr *edl; 22 char cmd; 23 int err = 0; 24 u8 event_type = HCI_EV_VENDOR; 25 u8 rlen = sizeof(*edl) + sizeof(*ver); 26 u8 rtype = EDL_APP_VER_RES_EVT; 27 28 bt_dev_dbg(hdev, "QCA Version Request"); 29 30 /* Unlike other SoC's sending version command response as payload to 31 * VSE event. WCN3991 sends version command response as a payload to 32 * command complete event. 33 */ 34 if (soc_type >= QCA_WCN3991) { 35 event_type = 0; 36 rlen += 1; 37 rtype = EDL_PATCH_VER_REQ_CMD; 38 } 39 40 cmd = EDL_PATCH_VER_REQ_CMD; 41 skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN, 42 &cmd, event_type, HCI_INIT_TIMEOUT); 43 if (IS_ERR(skb)) { 44 err = PTR_ERR(skb); 45 bt_dev_err(hdev, "Reading QCA version information failed (%d)", 46 err); 47 return err; 48 } 49 50 if (skb->len != rlen) { 51 bt_dev_err(hdev, "QCA Version size mismatch len %d", skb->len); 52 err = -EILSEQ; 53 goto out; 54 } 55 56 edl = (struct edl_event_hdr *)(skb->data); 57 if (!edl) { 58 bt_dev_err(hdev, "QCA TLV with no header"); 59 err = -EILSEQ; 60 goto out; 61 } 62 63 if (edl->cresp != EDL_CMD_REQ_RES_EVT || 64 edl->rtype != rtype) { 65 bt_dev_err(hdev, "QCA Wrong packet received %d %d", edl->cresp, 66 edl->rtype); 67 err = -EIO; 68 goto out; 69 } 70 71 if (soc_type >= QCA_WCN3991) 72 memcpy(ver, edl->data + 1, sizeof(*ver)); 73 else 74 memcpy(ver, &edl->data, sizeof(*ver)); 75 76 bt_dev_info(hdev, "QCA Product ID :0x%08x", 77 le32_to_cpu(ver->product_id)); 78 bt_dev_info(hdev, "QCA SOC Version :0x%08x", 79 le32_to_cpu(ver->soc_id)); 80 bt_dev_info(hdev, "QCA ROM Version :0x%08x", 81 le16_to_cpu(ver->rom_ver)); 82 bt_dev_info(hdev, "QCA Patch Version:0x%08x", 83 le16_to_cpu(ver->patch_ver)); 84 85 if (ver->soc_id == 0 || ver->rom_ver == 0) 86 err = -EILSEQ; 87 88 out: 89 kfree_skb(skb); 90 if (err) 91 bt_dev_err(hdev, "QCA Failed to get version (%d)", err); 92 93 return err; 94 } 95 EXPORT_SYMBOL_GPL(qca_read_soc_version); 96 97 static int qca_send_reset(struct hci_dev *hdev) 98 { 99 struct sk_buff *skb; 100 int err; 101 102 bt_dev_dbg(hdev, "QCA HCI_RESET"); 103 104 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 105 if (IS_ERR(skb)) { 106 err = PTR_ERR(skb); 107 bt_dev_err(hdev, "QCA Reset failed (%d)", err); 108 return err; 109 } 110 111 kfree_skb(skb); 112 113 return 0; 114 } 115 116 int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) 117 { 118 struct sk_buff *skb; 119 int err; 120 121 bt_dev_dbg(hdev, "QCA pre shutdown cmd"); 122 123 skb = __hci_cmd_sync_ev(hdev, QCA_PRE_SHUTDOWN_CMD, 0, 124 NULL, HCI_EV_CMD_COMPLETE, HCI_INIT_TIMEOUT); 125 126 if (IS_ERR(skb)) { 127 err = PTR_ERR(skb); 128 bt_dev_err(hdev, "QCA preshutdown_cmd failed (%d)", err); 129 return err; 130 } 131 132 kfree_skb(skb); 133 134 return 0; 135 } 136 EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd); 137 138 static void qca_tlv_check_data(struct qca_fw_config *config, 139 const struct firmware *fw, enum qca_btsoc_type soc_type) 140 { 141 const u8 *data; 142 u32 type_len; 143 u16 tag_id, tag_len; 144 int idx, length; 145 struct tlv_type_hdr *tlv; 146 struct tlv_type_patch *tlv_patch; 147 struct tlv_type_nvm *tlv_nvm; 148 uint8_t nvm_baud_rate = config->user_baud_rate; 149 150 tlv = (struct tlv_type_hdr *)fw->data; 151 152 type_len = le32_to_cpu(tlv->type_len); 153 length = (type_len >> 8) & 0x00ffffff; 154 155 BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff); 156 BT_DBG("Length\t\t : %d bytes", length); 157 158 config->dnld_mode = QCA_SKIP_EVT_NONE; 159 config->dnld_type = QCA_SKIP_EVT_NONE; 160 161 switch (config->type) { 162 case TLV_TYPE_PATCH: 163 tlv_patch = (struct tlv_type_patch *)tlv->data; 164 165 /* For Rome version 1.1 to 3.1, all segment commands 166 * are acked by a vendor specific event (VSE). 167 * For Rome >= 3.2, the download mode field indicates 168 * if VSE is skipped by the controller. 169 * In case VSE is skipped, only the last segment is acked. 170 */ 171 config->dnld_mode = tlv_patch->download_mode; 172 config->dnld_type = config->dnld_mode; 173 174 BT_DBG("Total Length : %d bytes", 175 le32_to_cpu(tlv_patch->total_size)); 176 BT_DBG("Patch Data Length : %d bytes", 177 le32_to_cpu(tlv_patch->data_length)); 178 BT_DBG("Signing Format Version : 0x%x", 179 tlv_patch->format_version); 180 BT_DBG("Signature Algorithm : 0x%x", 181 tlv_patch->signature); 182 BT_DBG("Download mode : 0x%x", 183 tlv_patch->download_mode); 184 BT_DBG("Reserved : 0x%x", 185 tlv_patch->reserved1); 186 BT_DBG("Product ID : 0x%04x", 187 le16_to_cpu(tlv_patch->product_id)); 188 BT_DBG("Rom Build Version : 0x%04x", 189 le16_to_cpu(tlv_patch->rom_build)); 190 BT_DBG("Patch Version : 0x%04x", 191 le16_to_cpu(tlv_patch->patch_version)); 192 BT_DBG("Reserved : 0x%x", 193 le16_to_cpu(tlv_patch->reserved2)); 194 BT_DBG("Patch Entry Address : 0x%x", 195 le32_to_cpu(tlv_patch->entry)); 196 break; 197 198 case TLV_TYPE_NVM: 199 idx = 0; 200 data = tlv->data; 201 while (idx < length) { 202 tlv_nvm = (struct tlv_type_nvm *)(data + idx); 203 204 tag_id = le16_to_cpu(tlv_nvm->tag_id); 205 tag_len = le16_to_cpu(tlv_nvm->tag_len); 206 207 /* Update NVM tags as needed */ 208 switch (tag_id) { 209 case EDL_TAG_ID_HCI: 210 /* HCI transport layer parameters 211 * enabling software inband sleep 212 * onto controller side. 213 */ 214 tlv_nvm->data[0] |= 0x80; 215 216 /* UART Baud Rate */ 217 if (soc_type >= QCA_WCN3991) 218 tlv_nvm->data[1] = nvm_baud_rate; 219 else 220 tlv_nvm->data[2] = nvm_baud_rate; 221 222 break; 223 224 case EDL_TAG_ID_DEEP_SLEEP: 225 /* Sleep enable mask 226 * enabling deep sleep feature on controller. 227 */ 228 tlv_nvm->data[0] |= 0x01; 229 230 break; 231 } 232 233 idx += (sizeof(u16) + sizeof(u16) + 8 + tag_len); 234 } 235 break; 236 237 default: 238 BT_ERR("Unknown TLV type %d", config->type); 239 break; 240 } 241 } 242 243 static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size, 244 const u8 *data, enum qca_tlv_dnld_mode mode, 245 enum qca_btsoc_type soc_type) 246 { 247 struct sk_buff *skb; 248 struct edl_event_hdr *edl; 249 struct tlv_seg_resp *tlv_resp; 250 u8 cmd[MAX_SIZE_PER_TLV_SEGMENT + 2]; 251 int err = 0; 252 u8 event_type = HCI_EV_VENDOR; 253 u8 rlen = (sizeof(*edl) + sizeof(*tlv_resp)); 254 u8 rtype = EDL_TVL_DNLD_RES_EVT; 255 256 cmd[0] = EDL_PATCH_TLV_REQ_CMD; 257 cmd[1] = seg_size; 258 memcpy(cmd + 2, data, seg_size); 259 260 if (mode == QCA_SKIP_EVT_VSE_CC || mode == QCA_SKIP_EVT_VSE) 261 return __hci_cmd_send(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2, 262 cmd); 263 264 /* Unlike other SoC's sending version command response as payload to 265 * VSE event. WCN3991 sends version command response as a payload to 266 * command complete event. 267 */ 268 if (soc_type >= QCA_WCN3991) { 269 event_type = 0; 270 rlen = sizeof(*edl); 271 rtype = EDL_PATCH_TLV_REQ_CMD; 272 } 273 274 skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2, cmd, 275 event_type, HCI_INIT_TIMEOUT); 276 if (IS_ERR(skb)) { 277 err = PTR_ERR(skb); 278 bt_dev_err(hdev, "QCA Failed to send TLV segment (%d)", err); 279 return err; 280 } 281 282 if (skb->len != rlen) { 283 bt_dev_err(hdev, "QCA TLV response size mismatch"); 284 err = -EILSEQ; 285 goto out; 286 } 287 288 edl = (struct edl_event_hdr *)(skb->data); 289 if (!edl) { 290 bt_dev_err(hdev, "TLV with no header"); 291 err = -EILSEQ; 292 goto out; 293 } 294 295 if (edl->cresp != EDL_CMD_REQ_RES_EVT || edl->rtype != rtype) { 296 bt_dev_err(hdev, "QCA TLV with error stat 0x%x rtype 0x%x", 297 edl->cresp, edl->rtype); 298 err = -EIO; 299 } 300 301 if (soc_type >= QCA_WCN3991) 302 goto out; 303 304 tlv_resp = (struct tlv_seg_resp *)(edl->data); 305 if (tlv_resp->result) { 306 bt_dev_err(hdev, "QCA TLV with error stat 0x%x rtype 0x%x (0x%x)", 307 edl->cresp, edl->rtype, tlv_resp->result); 308 } 309 310 out: 311 kfree_skb(skb); 312 313 return err; 314 } 315 316 static int qca_inject_cmd_complete_event(struct hci_dev *hdev) 317 { 318 struct hci_event_hdr *hdr; 319 struct hci_ev_cmd_complete *evt; 320 struct sk_buff *skb; 321 322 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_KERNEL); 323 if (!skb) 324 return -ENOMEM; 325 326 hdr = skb_put(skb, sizeof(*hdr)); 327 hdr->evt = HCI_EV_CMD_COMPLETE; 328 hdr->plen = sizeof(*evt) + 1; 329 330 evt = skb_put(skb, sizeof(*evt)); 331 evt->ncmd = 1; 332 evt->opcode = cpu_to_le16(QCA_HCI_CC_OPCODE); 333 334 skb_put_u8(skb, QCA_HCI_CC_SUCCESS); 335 336 hci_skb_pkt_type(skb) = HCI_EVENT_PKT; 337 338 return hci_recv_frame(hdev, skb); 339 } 340 341 static int qca_download_firmware(struct hci_dev *hdev, 342 struct qca_fw_config *config, 343 enum qca_btsoc_type soc_type) 344 { 345 const struct firmware *fw; 346 const u8 *segment; 347 int ret, remain, i = 0; 348 349 bt_dev_info(hdev, "QCA Downloading %s", config->fwname); 350 351 ret = request_firmware(&fw, config->fwname, &hdev->dev); 352 if (ret) { 353 bt_dev_err(hdev, "QCA Failed to request file: %s (%d)", 354 config->fwname, ret); 355 return ret; 356 } 357 358 qca_tlv_check_data(config, fw, soc_type); 359 360 segment = fw->data; 361 remain = fw->size; 362 while (remain > 0) { 363 int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain); 364 365 bt_dev_dbg(hdev, "Send segment %d, size %d", i++, segsize); 366 367 remain -= segsize; 368 /* The last segment is always acked regardless download mode */ 369 if (!remain || segsize < MAX_SIZE_PER_TLV_SEGMENT) 370 config->dnld_mode = QCA_SKIP_EVT_NONE; 371 372 ret = qca_tlv_send_segment(hdev, segsize, segment, 373 config->dnld_mode, soc_type); 374 if (ret) 375 goto out; 376 377 segment += segsize; 378 } 379 380 /* Latest qualcomm chipsets are not sending a command complete event 381 * for every fw packet sent. They only respond with a vendor specific 382 * event for the last packet. This optimization in the chip will 383 * decrease the BT in initialization time. Here we will inject a command 384 * complete event to avoid a command timeout error message. 385 */ 386 if (config->dnld_type == QCA_SKIP_EVT_VSE_CC || 387 config->dnld_type == QCA_SKIP_EVT_VSE) 388 ret = qca_inject_cmd_complete_event(hdev); 389 390 out: 391 release_firmware(fw); 392 393 return ret; 394 } 395 396 static int qca_disable_soc_logging(struct hci_dev *hdev) 397 { 398 struct sk_buff *skb; 399 u8 cmd[2]; 400 int err; 401 402 cmd[0] = QCA_DISABLE_LOGGING_SUB_OP; 403 cmd[1] = 0x00; 404 skb = __hci_cmd_sync_ev(hdev, QCA_DISABLE_LOGGING, sizeof(cmd), cmd, 405 HCI_EV_CMD_COMPLETE, HCI_INIT_TIMEOUT); 406 if (IS_ERR(skb)) { 407 err = PTR_ERR(skb); 408 bt_dev_err(hdev, "QCA Failed to disable soc logging(%d)", err); 409 return err; 410 } 411 412 kfree_skb(skb); 413 414 return 0; 415 } 416 417 int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr) 418 { 419 struct sk_buff *skb; 420 u8 cmd[9]; 421 int err; 422 423 cmd[0] = EDL_NVM_ACCESS_SET_REQ_CMD; 424 cmd[1] = 0x02; /* TAG ID */ 425 cmd[2] = sizeof(bdaddr_t); /* size */ 426 memcpy(cmd + 3, bdaddr, sizeof(bdaddr_t)); 427 skb = __hci_cmd_sync_ev(hdev, EDL_NVM_ACCESS_OPCODE, sizeof(cmd), cmd, 428 HCI_EV_VENDOR, HCI_INIT_TIMEOUT); 429 if (IS_ERR(skb)) { 430 err = PTR_ERR(skb); 431 bt_dev_err(hdev, "QCA Change address command failed (%d)", err); 432 return err; 433 } 434 435 kfree_skb(skb); 436 437 return 0; 438 } 439 EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome); 440 441 int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, 442 enum qca_btsoc_type soc_type, struct qca_btsoc_version ver, 443 const char *firmware_name) 444 { 445 struct qca_fw_config config; 446 int err; 447 u8 rom_ver = 0; 448 u32 soc_ver; 449 450 bt_dev_dbg(hdev, "QCA setup on UART"); 451 452 soc_ver = get_soc_ver(ver.soc_id, ver.rom_ver); 453 454 bt_dev_info(hdev, "QCA controller version 0x%08x", soc_ver); 455 456 config.user_baud_rate = baudrate; 457 458 /* Download rampatch file */ 459 config.type = TLV_TYPE_PATCH; 460 if (qca_is_wcn399x(soc_type)) { 461 /* Firmware files to download are based on ROM version. 462 * ROM version is derived from last two bytes of soc_ver. 463 */ 464 rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | 465 (soc_ver & 0x0000000f); 466 snprintf(config.fwname, sizeof(config.fwname), 467 "qca/crbtfw%02x.tlv", rom_ver); 468 } else if (soc_type == QCA_QCA6390) { 469 rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | 470 (soc_ver & 0x0000000f); 471 snprintf(config.fwname, sizeof(config.fwname), 472 "qca/htbtfw%02x.tlv", rom_ver); 473 } else { 474 snprintf(config.fwname, sizeof(config.fwname), 475 "qca/rampatch_%08x.bin", soc_ver); 476 } 477 478 err = qca_download_firmware(hdev, &config, soc_type); 479 if (err < 0) { 480 bt_dev_err(hdev, "QCA Failed to download patch (%d)", err); 481 return err; 482 } 483 484 /* Give the controller some time to get ready to receive the NVM */ 485 msleep(10); 486 487 /* Download NVM configuration */ 488 config.type = TLV_TYPE_NVM; 489 if (firmware_name) 490 snprintf(config.fwname, sizeof(config.fwname), 491 "qca/%s", firmware_name); 492 else if (qca_is_wcn399x(soc_type)) { 493 if (ver.soc_id == QCA_WCN3991_SOC_ID) { 494 snprintf(config.fwname, sizeof(config.fwname), 495 "qca/crnv%02xu.bin", rom_ver); 496 } else { 497 snprintf(config.fwname, sizeof(config.fwname), 498 "qca/crnv%02x.bin", rom_ver); 499 } 500 } 501 else if (soc_type == QCA_QCA6390) 502 snprintf(config.fwname, sizeof(config.fwname), 503 "qca/htnv%02x.bin", rom_ver); 504 else 505 snprintf(config.fwname, sizeof(config.fwname), 506 "qca/nvm_%08x.bin", soc_ver); 507 508 err = qca_download_firmware(hdev, &config, soc_type); 509 if (err < 0) { 510 bt_dev_err(hdev, "QCA Failed to download NVM (%d)", err); 511 return err; 512 } 513 514 if (soc_type >= QCA_WCN3991) { 515 err = qca_disable_soc_logging(hdev); 516 if (err < 0) 517 return err; 518 } 519 520 /* Perform HCI reset */ 521 err = qca_send_reset(hdev); 522 if (err < 0) { 523 bt_dev_err(hdev, "QCA Failed to run HCI_RESET (%d)", err); 524 return err; 525 } 526 527 bt_dev_info(hdev, "QCA setup on UART is completed"); 528 529 return 0; 530 } 531 EXPORT_SYMBOL_GPL(qca_uart_setup); 532 533 int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 534 { 535 struct sk_buff *skb; 536 int err; 537 538 skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6, bdaddr, 539 HCI_EV_VENDOR, HCI_INIT_TIMEOUT); 540 if (IS_ERR(skb)) { 541 err = PTR_ERR(skb); 542 bt_dev_err(hdev, "QCA Change address cmd failed (%d)", err); 543 return err; 544 } 545 546 kfree_skb(skb); 547 548 return 0; 549 } 550 EXPORT_SYMBOL_GPL(qca_set_bdaddr); 551 552 553 MODULE_AUTHOR("Ben Young Tae Kim <ytkim@qca.qualcomm.com>"); 554 MODULE_DESCRIPTION("Bluetooth support for Qualcomm Atheros family ver " VERSION); 555 MODULE_VERSION(VERSION); 556 MODULE_LICENSE("GPL"); 557