1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Bluetooth supports for Qualcomm Atheros chips 4 * 5 * Copyright (c) 2015 The Linux Foundation. All rights reserved. 6 */ 7 #include <linux/module.h> 8 #include <linux/firmware.h> 9 10 #include <net/bluetooth/bluetooth.h> 11 #include <net/bluetooth/hci_core.h> 12 13 #include "btqca.h" 14 15 #define VERSION "0.1" 16 17 int qca_read_soc_version(struct hci_dev *hdev, u32 *soc_version) 18 { 19 struct sk_buff *skb; 20 struct edl_event_hdr *edl; 21 struct rome_version *ver; 22 char cmd; 23 int err = 0; 24 25 bt_dev_dbg(hdev, "QCA Version Request"); 26 27 cmd = EDL_PATCH_VER_REQ_CMD; 28 skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN, 29 &cmd, HCI_EV_VENDOR, HCI_INIT_TIMEOUT); 30 if (IS_ERR(skb)) { 31 err = PTR_ERR(skb); 32 bt_dev_err(hdev, "Reading QCA version information failed (%d)", 33 err); 34 return err; 35 } 36 37 if (skb->len != sizeof(*edl) + sizeof(*ver)) { 38 bt_dev_err(hdev, "QCA Version size mismatch len %d", skb->len); 39 err = -EILSEQ; 40 goto out; 41 } 42 43 edl = (struct edl_event_hdr *)(skb->data); 44 if (!edl) { 45 bt_dev_err(hdev, "QCA TLV with no header"); 46 err = -EILSEQ; 47 goto out; 48 } 49 50 if (edl->cresp != EDL_CMD_REQ_RES_EVT || 51 edl->rtype != EDL_APP_VER_RES_EVT) { 52 bt_dev_err(hdev, "QCA Wrong packet received %d %d", edl->cresp, 53 edl->rtype); 54 err = -EIO; 55 goto out; 56 } 57 58 ver = (struct rome_version *)(edl->data); 59 60 BT_DBG("%s: Product:0x%08x", hdev->name, le32_to_cpu(ver->product_id)); 61 BT_DBG("%s: Patch :0x%08x", hdev->name, le16_to_cpu(ver->patch_ver)); 62 BT_DBG("%s: ROM :0x%08x", hdev->name, le16_to_cpu(ver->rome_ver)); 63 BT_DBG("%s: SOC :0x%08x", hdev->name, le32_to_cpu(ver->soc_id)); 64 65 /* QCA chipset version can be decided by patch and SoC 66 * version, combination with upper 2 bytes from SoC 67 * and lower 2 bytes from patch will be used. 68 */ 69 *soc_version = (le32_to_cpu(ver->soc_id) << 16) | 70 (le16_to_cpu(ver->rome_ver) & 0x0000ffff); 71 if (*soc_version == 0) 72 err = -EILSEQ; 73 74 out: 75 kfree_skb(skb); 76 if (err) 77 bt_dev_err(hdev, "QCA Failed to get version (%d)", err); 78 79 return err; 80 } 81 EXPORT_SYMBOL_GPL(qca_read_soc_version); 82 83 static int qca_send_reset(struct hci_dev *hdev) 84 { 85 struct sk_buff *skb; 86 int err; 87 88 bt_dev_dbg(hdev, "QCA HCI_RESET"); 89 90 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 91 if (IS_ERR(skb)) { 92 err = PTR_ERR(skb); 93 bt_dev_err(hdev, "QCA Reset failed (%d)", err); 94 return err; 95 } 96 97 kfree_skb(skb); 98 99 return 0; 100 } 101 102 int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) 103 { 104 struct sk_buff *skb; 105 int err; 106 107 bt_dev_dbg(hdev, "QCA pre shutdown cmd"); 108 109 skb = __hci_cmd_sync_ev(hdev, QCA_PRE_SHUTDOWN_CMD, 0, 110 NULL, HCI_EV_CMD_COMPLETE, HCI_INIT_TIMEOUT); 111 112 if (IS_ERR(skb)) { 113 err = PTR_ERR(skb); 114 bt_dev_err(hdev, "QCA preshutdown_cmd failed (%d)", err); 115 return err; 116 } 117 118 kfree_skb(skb); 119 120 return 0; 121 } 122 EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd); 123 124 static void qca_tlv_check_data(struct rome_config *config, 125 const struct firmware *fw) 126 { 127 const u8 *data; 128 u32 type_len; 129 u16 tag_id, tag_len; 130 int idx, length; 131 struct tlv_type_hdr *tlv; 132 struct tlv_type_patch *tlv_patch; 133 struct tlv_type_nvm *tlv_nvm; 134 135 tlv = (struct tlv_type_hdr *)fw->data; 136 137 type_len = le32_to_cpu(tlv->type_len); 138 length = (type_len >> 8) & 0x00ffffff; 139 140 BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff); 141 BT_DBG("Length\t\t : %d bytes", length); 142 143 config->dnld_mode = ROME_SKIP_EVT_NONE; 144 config->dnld_type = ROME_SKIP_EVT_NONE; 145 146 switch (config->type) { 147 case TLV_TYPE_PATCH: 148 tlv_patch = (struct tlv_type_patch *)tlv->data; 149 150 /* For Rome version 1.1 to 3.1, all segment commands 151 * are acked by a vendor specific event (VSE). 152 * For Rome >= 3.2, the download mode field indicates 153 * if VSE is skipped by the controller. 154 * In case VSE is skipped, only the last segment is acked. 155 */ 156 config->dnld_mode = tlv_patch->download_mode; 157 config->dnld_type = config->dnld_mode; 158 159 BT_DBG("Total Length : %d bytes", 160 le32_to_cpu(tlv_patch->total_size)); 161 BT_DBG("Patch Data Length : %d bytes", 162 le32_to_cpu(tlv_patch->data_length)); 163 BT_DBG("Signing Format Version : 0x%x", 164 tlv_patch->format_version); 165 BT_DBG("Signature Algorithm : 0x%x", 166 tlv_patch->signature); 167 BT_DBG("Download mode : 0x%x", 168 tlv_patch->download_mode); 169 BT_DBG("Reserved : 0x%x", 170 tlv_patch->reserved1); 171 BT_DBG("Product ID : 0x%04x", 172 le16_to_cpu(tlv_patch->product_id)); 173 BT_DBG("Rom Build Version : 0x%04x", 174 le16_to_cpu(tlv_patch->rom_build)); 175 BT_DBG("Patch Version : 0x%04x", 176 le16_to_cpu(tlv_patch->patch_version)); 177 BT_DBG("Reserved : 0x%x", 178 le16_to_cpu(tlv_patch->reserved2)); 179 BT_DBG("Patch Entry Address : 0x%x", 180 le32_to_cpu(tlv_patch->entry)); 181 break; 182 183 case TLV_TYPE_NVM: 184 idx = 0; 185 data = tlv->data; 186 while (idx < length) { 187 tlv_nvm = (struct tlv_type_nvm *)(data + idx); 188 189 tag_id = le16_to_cpu(tlv_nvm->tag_id); 190 tag_len = le16_to_cpu(tlv_nvm->tag_len); 191 192 /* Update NVM tags as needed */ 193 switch (tag_id) { 194 case EDL_TAG_ID_HCI: 195 /* HCI transport layer parameters 196 * enabling software inband sleep 197 * onto controller side. 198 */ 199 tlv_nvm->data[0] |= 0x80; 200 201 /* UART Baud Rate */ 202 tlv_nvm->data[2] = config->user_baud_rate; 203 204 break; 205 206 case EDL_TAG_ID_DEEP_SLEEP: 207 /* Sleep enable mask 208 * enabling deep sleep feature on controller. 209 */ 210 tlv_nvm->data[0] |= 0x01; 211 212 break; 213 } 214 215 idx += (sizeof(u16) + sizeof(u16) + 8 + tag_len); 216 } 217 break; 218 219 default: 220 BT_ERR("Unknown TLV type %d", config->type); 221 break; 222 } 223 } 224 225 static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size, 226 const u8 *data, enum rome_tlv_dnld_mode mode) 227 { 228 struct sk_buff *skb; 229 struct edl_event_hdr *edl; 230 struct tlv_seg_resp *tlv_resp; 231 u8 cmd[MAX_SIZE_PER_TLV_SEGMENT + 2]; 232 int err = 0; 233 234 cmd[0] = EDL_PATCH_TLV_REQ_CMD; 235 cmd[1] = seg_size; 236 memcpy(cmd + 2, data, seg_size); 237 238 if (mode == ROME_SKIP_EVT_VSE_CC || mode == ROME_SKIP_EVT_VSE) 239 return __hci_cmd_send(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2, 240 cmd); 241 242 skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2, cmd, 243 HCI_EV_VENDOR, HCI_INIT_TIMEOUT); 244 if (IS_ERR(skb)) { 245 err = PTR_ERR(skb); 246 bt_dev_err(hdev, "QCA Failed to send TLV segment (%d)", err); 247 return err; 248 } 249 250 if (skb->len != sizeof(*edl) + sizeof(*tlv_resp)) { 251 bt_dev_err(hdev, "QCA TLV response size mismatch"); 252 err = -EILSEQ; 253 goto out; 254 } 255 256 edl = (struct edl_event_hdr *)(skb->data); 257 if (!edl) { 258 bt_dev_err(hdev, "TLV with no header"); 259 err = -EILSEQ; 260 goto out; 261 } 262 263 tlv_resp = (struct tlv_seg_resp *)(edl->data); 264 265 if (edl->cresp != EDL_CMD_REQ_RES_EVT || 266 edl->rtype != EDL_TVL_DNLD_RES_EVT || tlv_resp->result != 0x00) { 267 bt_dev_err(hdev, "QCA TLV with error stat 0x%x rtype 0x%x (0x%x)", 268 edl->cresp, edl->rtype, tlv_resp->result); 269 err = -EIO; 270 } 271 272 out: 273 kfree_skb(skb); 274 275 return err; 276 } 277 278 static int qca_inject_cmd_complete_event(struct hci_dev *hdev) 279 { 280 struct hci_event_hdr *hdr; 281 struct hci_ev_cmd_complete *evt; 282 struct sk_buff *skb; 283 284 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_KERNEL); 285 if (!skb) 286 return -ENOMEM; 287 288 hdr = skb_put(skb, sizeof(*hdr)); 289 hdr->evt = HCI_EV_CMD_COMPLETE; 290 hdr->plen = sizeof(*evt) + 1; 291 292 evt = skb_put(skb, sizeof(*evt)); 293 evt->ncmd = 1; 294 evt->opcode = cpu_to_le16(QCA_HCI_CC_OPCODE); 295 296 skb_put_u8(skb, QCA_HCI_CC_SUCCESS); 297 298 hci_skb_pkt_type(skb) = HCI_EVENT_PKT; 299 300 return hci_recv_frame(hdev, skb); 301 } 302 303 static int qca_download_firmware(struct hci_dev *hdev, 304 struct rome_config *config) 305 { 306 const struct firmware *fw; 307 const u8 *segment; 308 int ret, remain, i = 0; 309 310 bt_dev_info(hdev, "QCA Downloading %s", config->fwname); 311 312 ret = request_firmware(&fw, config->fwname, &hdev->dev); 313 if (ret) { 314 bt_dev_err(hdev, "QCA Failed to request file: %s (%d)", 315 config->fwname, ret); 316 return ret; 317 } 318 319 qca_tlv_check_data(config, fw); 320 321 segment = fw->data; 322 remain = fw->size; 323 while (remain > 0) { 324 int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain); 325 326 bt_dev_dbg(hdev, "Send segment %d, size %d", i++, segsize); 327 328 remain -= segsize; 329 /* The last segment is always acked regardless download mode */ 330 if (!remain || segsize < MAX_SIZE_PER_TLV_SEGMENT) 331 config->dnld_mode = ROME_SKIP_EVT_NONE; 332 333 ret = qca_tlv_send_segment(hdev, segsize, segment, 334 config->dnld_mode); 335 if (ret) 336 goto out; 337 338 segment += segsize; 339 } 340 341 /* Latest qualcomm chipsets are not sending a command complete event 342 * for every fw packet sent. They only respond with a vendor specific 343 * event for the last packet. This optimization in the chip will 344 * decrease the BT in initialization time. Here we will inject a command 345 * complete event to avoid a command timeout error message. 346 */ 347 if (config->dnld_type == ROME_SKIP_EVT_VSE_CC || 348 config->dnld_type == ROME_SKIP_EVT_VSE) 349 ret = qca_inject_cmd_complete_event(hdev); 350 351 out: 352 release_firmware(fw); 353 354 return ret; 355 } 356 357 int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr) 358 { 359 struct sk_buff *skb; 360 u8 cmd[9]; 361 int err; 362 363 cmd[0] = EDL_NVM_ACCESS_SET_REQ_CMD; 364 cmd[1] = 0x02; /* TAG ID */ 365 cmd[2] = sizeof(bdaddr_t); /* size */ 366 memcpy(cmd + 3, bdaddr, sizeof(bdaddr_t)); 367 skb = __hci_cmd_sync_ev(hdev, EDL_NVM_ACCESS_OPCODE, sizeof(cmd), cmd, 368 HCI_EV_VENDOR, HCI_INIT_TIMEOUT); 369 if (IS_ERR(skb)) { 370 err = PTR_ERR(skb); 371 bt_dev_err(hdev, "QCA Change address command failed (%d)", err); 372 return err; 373 } 374 375 kfree_skb(skb); 376 377 return 0; 378 } 379 EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome); 380 381 int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, 382 enum qca_btsoc_type soc_type, u32 soc_ver, 383 const char *firmware_name) 384 { 385 struct rome_config config; 386 int err; 387 u8 rom_ver = 0; 388 389 bt_dev_dbg(hdev, "QCA setup on UART"); 390 391 config.user_baud_rate = baudrate; 392 393 /* Download rampatch file */ 394 config.type = TLV_TYPE_PATCH; 395 if (qca_is_wcn399x(soc_type)) { 396 /* Firmware files to download are based on ROM version. 397 * ROM version is derived from last two bytes of soc_ver. 398 */ 399 rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | 400 (soc_ver & 0x0000000f); 401 snprintf(config.fwname, sizeof(config.fwname), 402 "qca/crbtfw%02x.tlv", rom_ver); 403 } else { 404 snprintf(config.fwname, sizeof(config.fwname), 405 "qca/rampatch_%08x.bin", soc_ver); 406 } 407 408 err = qca_download_firmware(hdev, &config); 409 if (err < 0) { 410 bt_dev_err(hdev, "QCA Failed to download patch (%d)", err); 411 return err; 412 } 413 414 /* Give the controller some time to get ready to receive the NVM */ 415 msleep(10); 416 417 /* Download NVM configuration */ 418 config.type = TLV_TYPE_NVM; 419 if (firmware_name) 420 snprintf(config.fwname, sizeof(config.fwname), 421 "qca/%s", firmware_name); 422 else if (qca_is_wcn399x(soc_type)) 423 snprintf(config.fwname, sizeof(config.fwname), 424 "qca/crnv%02x.bin", rom_ver); 425 else 426 snprintf(config.fwname, sizeof(config.fwname), 427 "qca/nvm_%08x.bin", soc_ver); 428 429 err = qca_download_firmware(hdev, &config); 430 if (err < 0) { 431 bt_dev_err(hdev, "QCA Failed to download NVM (%d)", err); 432 return err; 433 } 434 435 /* Perform HCI reset */ 436 err = qca_send_reset(hdev); 437 if (err < 0) { 438 bt_dev_err(hdev, "QCA Failed to run HCI_RESET (%d)", err); 439 return err; 440 } 441 442 bt_dev_info(hdev, "QCA setup on UART is completed"); 443 444 return 0; 445 } 446 EXPORT_SYMBOL_GPL(qca_uart_setup); 447 448 int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 449 { 450 struct sk_buff *skb; 451 int err; 452 453 skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6, bdaddr, 454 HCI_EV_VENDOR, HCI_INIT_TIMEOUT); 455 if (IS_ERR(skb)) { 456 err = PTR_ERR(skb); 457 bt_dev_err(hdev, "QCA Change address cmd failed (%d)", err); 458 return err; 459 } 460 461 kfree_skb(skb); 462 463 return 0; 464 } 465 EXPORT_SYMBOL_GPL(qca_set_bdaddr); 466 467 468 MODULE_AUTHOR("Ben Young Tae Kim <ytkim@qca.qualcomm.com>"); 469 MODULE_DESCRIPTION("Bluetooth support for Qualcomm Atheros family ver " VERSION); 470 MODULE_VERSION(VERSION); 471 MODULE_LICENSE("GPL"); 472