1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Bluetooth supports for Qualcomm Atheros chips 4 * 5 * Copyright (c) 2015 The Linux Foundation. All rights reserved. 6 */ 7 #include <linux/module.h> 8 #include <linux/firmware.h> 9 10 #include <net/bluetooth/bluetooth.h> 11 #include <net/bluetooth/hci_core.h> 12 13 #include "btqca.h" 14 15 #define VERSION "0.1" 16 17 int qca_read_soc_version(struct hci_dev *hdev, u32 *soc_version, 18 enum qca_btsoc_type soc_type) 19 { 20 struct sk_buff *skb; 21 struct edl_event_hdr *edl; 22 struct qca_btsoc_version *ver; 23 char cmd; 24 int err = 0; 25 u8 event_type = HCI_EV_VENDOR; 26 u8 rlen = sizeof(*edl) + sizeof(*ver); 27 u8 rtype = EDL_APP_VER_RES_EVT; 28 29 bt_dev_dbg(hdev, "QCA Version Request"); 30 31 /* Unlike other SoC's sending version command response as payload to 32 * VSE event. WCN3991 sends version command response as a payload to 33 * command complete event. 34 */ 35 if (soc_type == QCA_WCN3991) { 36 event_type = 0; 37 rlen += 1; 38 rtype = EDL_PATCH_VER_REQ_CMD; 39 } 40 41 cmd = EDL_PATCH_VER_REQ_CMD; 42 skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN, 43 &cmd, event_type, HCI_INIT_TIMEOUT); 44 if (IS_ERR(skb)) { 45 err = PTR_ERR(skb); 46 bt_dev_err(hdev, "Reading QCA version information failed (%d)", 47 err); 48 return err; 49 } 50 51 if (skb->len != rlen) { 52 bt_dev_err(hdev, "QCA Version size mismatch len %d", skb->len); 53 err = -EILSEQ; 54 goto out; 55 } 56 57 edl = (struct edl_event_hdr *)(skb->data); 58 if (!edl) { 59 bt_dev_err(hdev, "QCA TLV with no header"); 60 err = -EILSEQ; 61 goto out; 62 } 63 64 if (edl->cresp != EDL_CMD_REQ_RES_EVT || 65 edl->rtype != rtype) { 66 bt_dev_err(hdev, "QCA Wrong packet received %d %d", edl->cresp, 67 edl->rtype); 68 err = -EIO; 69 goto out; 70 } 71 72 if (soc_type == QCA_WCN3991) 73 memmove(&edl->data, &edl->data[1], sizeof(*ver)); 74 75 ver = (struct qca_btsoc_version *)(edl->data); 76 77 BT_DBG("%s: Product:0x%08x", hdev->name, le32_to_cpu(ver->product_id)); 78 BT_DBG("%s: Patch :0x%08x", hdev->name, le16_to_cpu(ver->patch_ver)); 79 BT_DBG("%s: ROM :0x%08x", hdev->name, le16_to_cpu(ver->rom_ver)); 80 BT_DBG("%s: SOC :0x%08x", hdev->name, le32_to_cpu(ver->soc_id)); 81 82 /* QCA chipset version can be decided by patch and SoC 83 * version, combination with upper 2 bytes from SoC 84 * and lower 2 bytes from patch will be used. 85 */ 86 *soc_version = (le32_to_cpu(ver->soc_id) << 16) | 87 (le16_to_cpu(ver->rom_ver) & 0x0000ffff); 88 if (*soc_version == 0) 89 err = -EILSEQ; 90 91 out: 92 kfree_skb(skb); 93 if (err) 94 bt_dev_err(hdev, "QCA Failed to get version (%d)", err); 95 96 return err; 97 } 98 EXPORT_SYMBOL_GPL(qca_read_soc_version); 99 100 static int qca_send_reset(struct hci_dev *hdev) 101 { 102 struct sk_buff *skb; 103 int err; 104 105 bt_dev_dbg(hdev, "QCA HCI_RESET"); 106 107 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 108 if (IS_ERR(skb)) { 109 err = PTR_ERR(skb); 110 bt_dev_err(hdev, "QCA Reset failed (%d)", err); 111 return err; 112 } 113 114 kfree_skb(skb); 115 116 return 0; 117 } 118 119 int qca_send_pre_shutdown_cmd(struct hci_dev *hdev) 120 { 121 struct sk_buff *skb; 122 int err; 123 124 bt_dev_dbg(hdev, "QCA pre shutdown cmd"); 125 126 skb = __hci_cmd_sync_ev(hdev, QCA_PRE_SHUTDOWN_CMD, 0, 127 NULL, HCI_EV_CMD_COMPLETE, HCI_INIT_TIMEOUT); 128 129 if (IS_ERR(skb)) { 130 err = PTR_ERR(skb); 131 bt_dev_err(hdev, "QCA preshutdown_cmd failed (%d)", err); 132 return err; 133 } 134 135 kfree_skb(skb); 136 137 return 0; 138 } 139 EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd); 140 141 static void qca_tlv_check_data(struct qca_fw_config *config, 142 const struct firmware *fw, enum qca_btsoc_type soc_type) 143 { 144 const u8 *data; 145 u32 type_len; 146 u16 tag_id, tag_len; 147 int idx, length; 148 struct tlv_type_hdr *tlv; 149 struct tlv_type_patch *tlv_patch; 150 struct tlv_type_nvm *tlv_nvm; 151 uint8_t nvm_baud_rate = config->user_baud_rate; 152 153 tlv = (struct tlv_type_hdr *)fw->data; 154 155 type_len = le32_to_cpu(tlv->type_len); 156 length = (type_len >> 8) & 0x00ffffff; 157 158 BT_DBG("TLV Type\t\t : 0x%x", type_len & 0x000000ff); 159 BT_DBG("Length\t\t : %d bytes", length); 160 161 config->dnld_mode = QCA_SKIP_EVT_NONE; 162 config->dnld_type = QCA_SKIP_EVT_NONE; 163 164 switch (config->type) { 165 case TLV_TYPE_PATCH: 166 tlv_patch = (struct tlv_type_patch *)tlv->data; 167 168 /* For Rome version 1.1 to 3.1, all segment commands 169 * are acked by a vendor specific event (VSE). 170 * For Rome >= 3.2, the download mode field indicates 171 * if VSE is skipped by the controller. 172 * In case VSE is skipped, only the last segment is acked. 173 */ 174 config->dnld_mode = tlv_patch->download_mode; 175 config->dnld_type = config->dnld_mode; 176 177 BT_DBG("Total Length : %d bytes", 178 le32_to_cpu(tlv_patch->total_size)); 179 BT_DBG("Patch Data Length : %d bytes", 180 le32_to_cpu(tlv_patch->data_length)); 181 BT_DBG("Signing Format Version : 0x%x", 182 tlv_patch->format_version); 183 BT_DBG("Signature Algorithm : 0x%x", 184 tlv_patch->signature); 185 BT_DBG("Download mode : 0x%x", 186 tlv_patch->download_mode); 187 BT_DBG("Reserved : 0x%x", 188 tlv_patch->reserved1); 189 BT_DBG("Product ID : 0x%04x", 190 le16_to_cpu(tlv_patch->product_id)); 191 BT_DBG("Rom Build Version : 0x%04x", 192 le16_to_cpu(tlv_patch->rom_build)); 193 BT_DBG("Patch Version : 0x%04x", 194 le16_to_cpu(tlv_patch->patch_version)); 195 BT_DBG("Reserved : 0x%x", 196 le16_to_cpu(tlv_patch->reserved2)); 197 BT_DBG("Patch Entry Address : 0x%x", 198 le32_to_cpu(tlv_patch->entry)); 199 break; 200 201 case TLV_TYPE_NVM: 202 idx = 0; 203 data = tlv->data; 204 while (idx < length) { 205 tlv_nvm = (struct tlv_type_nvm *)(data + idx); 206 207 tag_id = le16_to_cpu(tlv_nvm->tag_id); 208 tag_len = le16_to_cpu(tlv_nvm->tag_len); 209 210 /* Update NVM tags as needed */ 211 switch (tag_id) { 212 case EDL_TAG_ID_HCI: 213 /* HCI transport layer parameters 214 * enabling software inband sleep 215 * onto controller side. 216 */ 217 tlv_nvm->data[0] |= 0x80; 218 219 /* UART Baud Rate */ 220 if (soc_type == QCA_WCN3991) 221 tlv_nvm->data[1] = nvm_baud_rate; 222 else 223 tlv_nvm->data[2] = nvm_baud_rate; 224 225 break; 226 227 case EDL_TAG_ID_DEEP_SLEEP: 228 /* Sleep enable mask 229 * enabling deep sleep feature on controller. 230 */ 231 tlv_nvm->data[0] |= 0x01; 232 233 break; 234 } 235 236 idx += (sizeof(u16) + sizeof(u16) + 8 + tag_len); 237 } 238 break; 239 240 default: 241 BT_ERR("Unknown TLV type %d", config->type); 242 break; 243 } 244 } 245 246 static int qca_tlv_send_segment(struct hci_dev *hdev, int seg_size, 247 const u8 *data, enum qca_tlv_dnld_mode mode, 248 enum qca_btsoc_type soc_type) 249 { 250 struct sk_buff *skb; 251 struct edl_event_hdr *edl; 252 struct tlv_seg_resp *tlv_resp; 253 u8 cmd[MAX_SIZE_PER_TLV_SEGMENT + 2]; 254 int err = 0; 255 u8 event_type = HCI_EV_VENDOR; 256 u8 rlen = (sizeof(*edl) + sizeof(*tlv_resp)); 257 u8 rtype = EDL_TVL_DNLD_RES_EVT; 258 259 cmd[0] = EDL_PATCH_TLV_REQ_CMD; 260 cmd[1] = seg_size; 261 memcpy(cmd + 2, data, seg_size); 262 263 if (mode == QCA_SKIP_EVT_VSE_CC || mode == QCA_SKIP_EVT_VSE) 264 return __hci_cmd_send(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2, 265 cmd); 266 267 /* Unlike other SoC's sending version command response as payload to 268 * VSE event. WCN3991 sends version command response as a payload to 269 * command complete event. 270 */ 271 if (soc_type == QCA_WCN3991) { 272 event_type = 0; 273 rlen = sizeof(*edl); 274 rtype = EDL_PATCH_TLV_REQ_CMD; 275 } 276 277 skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, seg_size + 2, cmd, 278 event_type, HCI_INIT_TIMEOUT); 279 if (IS_ERR(skb)) { 280 err = PTR_ERR(skb); 281 bt_dev_err(hdev, "QCA Failed to send TLV segment (%d)", err); 282 return err; 283 } 284 285 if (skb->len != rlen) { 286 bt_dev_err(hdev, "QCA TLV response size mismatch"); 287 err = -EILSEQ; 288 goto out; 289 } 290 291 edl = (struct edl_event_hdr *)(skb->data); 292 if (!edl) { 293 bt_dev_err(hdev, "TLV with no header"); 294 err = -EILSEQ; 295 goto out; 296 } 297 298 if (edl->cresp != EDL_CMD_REQ_RES_EVT || edl->rtype != rtype) { 299 bt_dev_err(hdev, "QCA TLV with error stat 0x%x rtype 0x%x", 300 edl->cresp, edl->rtype); 301 err = -EIO; 302 } 303 304 if (soc_type == QCA_WCN3991) 305 goto out; 306 307 tlv_resp = (struct tlv_seg_resp *)(edl->data); 308 if (tlv_resp->result) { 309 bt_dev_err(hdev, "QCA TLV with error stat 0x%x rtype 0x%x (0x%x)", 310 edl->cresp, edl->rtype, tlv_resp->result); 311 } 312 313 out: 314 kfree_skb(skb); 315 316 return err; 317 } 318 319 static int qca_inject_cmd_complete_event(struct hci_dev *hdev) 320 { 321 struct hci_event_hdr *hdr; 322 struct hci_ev_cmd_complete *evt; 323 struct sk_buff *skb; 324 325 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_KERNEL); 326 if (!skb) 327 return -ENOMEM; 328 329 hdr = skb_put(skb, sizeof(*hdr)); 330 hdr->evt = HCI_EV_CMD_COMPLETE; 331 hdr->plen = sizeof(*evt) + 1; 332 333 evt = skb_put(skb, sizeof(*evt)); 334 evt->ncmd = 1; 335 evt->opcode = cpu_to_le16(QCA_HCI_CC_OPCODE); 336 337 skb_put_u8(skb, QCA_HCI_CC_SUCCESS); 338 339 hci_skb_pkt_type(skb) = HCI_EVENT_PKT; 340 341 return hci_recv_frame(hdev, skb); 342 } 343 344 static int qca_download_firmware(struct hci_dev *hdev, 345 struct qca_fw_config *config, 346 enum qca_btsoc_type soc_type) 347 { 348 const struct firmware *fw; 349 const u8 *segment; 350 int ret, remain, i = 0; 351 352 bt_dev_info(hdev, "QCA Downloading %s", config->fwname); 353 354 ret = request_firmware(&fw, config->fwname, &hdev->dev); 355 if (ret) { 356 bt_dev_err(hdev, "QCA Failed to request file: %s (%d)", 357 config->fwname, ret); 358 return ret; 359 } 360 361 qca_tlv_check_data(config, fw, soc_type); 362 363 segment = fw->data; 364 remain = fw->size; 365 while (remain > 0) { 366 int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain); 367 368 bt_dev_dbg(hdev, "Send segment %d, size %d", i++, segsize); 369 370 remain -= segsize; 371 /* The last segment is always acked regardless download mode */ 372 if (!remain || segsize < MAX_SIZE_PER_TLV_SEGMENT) 373 config->dnld_mode = QCA_SKIP_EVT_NONE; 374 375 ret = qca_tlv_send_segment(hdev, segsize, segment, 376 config->dnld_mode, soc_type); 377 if (ret) 378 goto out; 379 380 segment += segsize; 381 } 382 383 /* Latest qualcomm chipsets are not sending a command complete event 384 * for every fw packet sent. They only respond with a vendor specific 385 * event for the last packet. This optimization in the chip will 386 * decrease the BT in initialization time. Here we will inject a command 387 * complete event to avoid a command timeout error message. 388 */ 389 if (config->dnld_type == QCA_SKIP_EVT_VSE_CC || 390 config->dnld_type == QCA_SKIP_EVT_VSE) 391 ret = qca_inject_cmd_complete_event(hdev); 392 393 out: 394 release_firmware(fw); 395 396 return ret; 397 } 398 399 int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr) 400 { 401 struct sk_buff *skb; 402 u8 cmd[9]; 403 int err; 404 405 cmd[0] = EDL_NVM_ACCESS_SET_REQ_CMD; 406 cmd[1] = 0x02; /* TAG ID */ 407 cmd[2] = sizeof(bdaddr_t); /* size */ 408 memcpy(cmd + 3, bdaddr, sizeof(bdaddr_t)); 409 skb = __hci_cmd_sync_ev(hdev, EDL_NVM_ACCESS_OPCODE, sizeof(cmd), cmd, 410 HCI_EV_VENDOR, HCI_INIT_TIMEOUT); 411 if (IS_ERR(skb)) { 412 err = PTR_ERR(skb); 413 bt_dev_err(hdev, "QCA Change address command failed (%d)", err); 414 return err; 415 } 416 417 kfree_skb(skb); 418 419 return 0; 420 } 421 EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome); 422 423 int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate, 424 enum qca_btsoc_type soc_type, u32 soc_ver, 425 const char *firmware_name) 426 { 427 struct qca_fw_config config; 428 int err; 429 u8 rom_ver = 0; 430 431 bt_dev_dbg(hdev, "QCA setup on UART"); 432 433 config.user_baud_rate = baudrate; 434 435 /* Download rampatch file */ 436 config.type = TLV_TYPE_PATCH; 437 if (qca_is_wcn399x(soc_type)) { 438 /* Firmware files to download are based on ROM version. 439 * ROM version is derived from last two bytes of soc_ver. 440 */ 441 rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | 442 (soc_ver & 0x0000000f); 443 snprintf(config.fwname, sizeof(config.fwname), 444 "qca/crbtfw%02x.tlv", rom_ver); 445 } else { 446 snprintf(config.fwname, sizeof(config.fwname), 447 "qca/rampatch_%08x.bin", soc_ver); 448 } 449 450 err = qca_download_firmware(hdev, &config, soc_type); 451 if (err < 0) { 452 bt_dev_err(hdev, "QCA Failed to download patch (%d)", err); 453 return err; 454 } 455 456 /* Give the controller some time to get ready to receive the NVM */ 457 msleep(10); 458 459 /* Download NVM configuration */ 460 config.type = TLV_TYPE_NVM; 461 if (firmware_name) 462 snprintf(config.fwname, sizeof(config.fwname), 463 "qca/%s", firmware_name); 464 else if (qca_is_wcn399x(soc_type)) 465 snprintf(config.fwname, sizeof(config.fwname), 466 "qca/crnv%02x.bin", rom_ver); 467 else 468 snprintf(config.fwname, sizeof(config.fwname), 469 "qca/nvm_%08x.bin", soc_ver); 470 471 err = qca_download_firmware(hdev, &config, soc_type); 472 if (err < 0) { 473 bt_dev_err(hdev, "QCA Failed to download NVM (%d)", err); 474 return err; 475 } 476 477 /* Perform HCI reset */ 478 err = qca_send_reset(hdev); 479 if (err < 0) { 480 bt_dev_err(hdev, "QCA Failed to run HCI_RESET (%d)", err); 481 return err; 482 } 483 484 bt_dev_info(hdev, "QCA setup on UART is completed"); 485 486 return 0; 487 } 488 EXPORT_SYMBOL_GPL(qca_uart_setup); 489 490 int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr) 491 { 492 struct sk_buff *skb; 493 int err; 494 495 skb = __hci_cmd_sync_ev(hdev, EDL_WRITE_BD_ADDR_OPCODE, 6, bdaddr, 496 HCI_EV_VENDOR, HCI_INIT_TIMEOUT); 497 if (IS_ERR(skb)) { 498 err = PTR_ERR(skb); 499 bt_dev_err(hdev, "QCA Change address cmd failed (%d)", err); 500 return err; 501 } 502 503 kfree_skb(skb); 504 505 return 0; 506 } 507 EXPORT_SYMBOL_GPL(qca_set_bdaddr); 508 509 510 MODULE_AUTHOR("Ben Young Tae Kim <ytkim@qca.qualcomm.com>"); 511 MODULE_DESCRIPTION("Bluetooth support for Qualcomm Atheros family ver " VERSION); 512 MODULE_VERSION(VERSION); 513 MODULE_LICENSE("GPL"); 514