1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * Bluetooth HCI UART driver for Intel/AG6xx devices 5 * 6 * Copyright (C) 2016 Intel Corporation 7 */ 8 9 #include <linux/kernel.h> 10 #include <linux/errno.h> 11 #include <linux/skbuff.h> 12 #include <linux/firmware.h> 13 #include <linux/module.h> 14 #include <linux/tty.h> 15 16 #include <net/bluetooth/bluetooth.h> 17 #include <net/bluetooth/hci_core.h> 18 19 #include "hci_uart.h" 20 #include "btintel.h" 21 22 struct ag6xx_data { 23 struct sk_buff *rx_skb; 24 struct sk_buff_head txq; 25 }; 26 27 struct pbn_entry { 28 __le32 addr; 29 __le32 plen; 30 __u8 data[]; 31 } __packed; 32 33 static int ag6xx_open(struct hci_uart *hu) 34 { 35 struct ag6xx_data *ag6xx; 36 37 BT_DBG("hu %p", hu); 38 39 ag6xx = kzalloc(sizeof(*ag6xx), GFP_KERNEL); 40 if (!ag6xx) 41 return -ENOMEM; 42 43 skb_queue_head_init(&ag6xx->txq); 44 45 hu->priv = ag6xx; 46 return 0; 47 } 48 49 static int ag6xx_close(struct hci_uart *hu) 50 { 51 struct ag6xx_data *ag6xx = hu->priv; 52 53 BT_DBG("hu %p", hu); 54 55 skb_queue_purge(&ag6xx->txq); 56 kfree_skb(ag6xx->rx_skb); 57 kfree(ag6xx); 58 59 hu->priv = NULL; 60 return 0; 61 } 62 63 static int ag6xx_flush(struct hci_uart *hu) 64 { 65 struct ag6xx_data *ag6xx = hu->priv; 66 67 BT_DBG("hu %p", hu); 68 69 skb_queue_purge(&ag6xx->txq); 70 return 0; 71 } 72 73 static struct sk_buff *ag6xx_dequeue(struct hci_uart *hu) 74 { 75 struct ag6xx_data *ag6xx = hu->priv; 76 struct sk_buff *skb; 77 78 skb = skb_dequeue(&ag6xx->txq); 79 if (!skb) 80 return skb; 81 82 /* Prepend skb with frame type */ 83 memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1); 84 return skb; 85 } 86 87 static int ag6xx_enqueue(struct hci_uart *hu, struct sk_buff *skb) 88 { 89 struct ag6xx_data *ag6xx = hu->priv; 90 91 skb_queue_tail(&ag6xx->txq, skb); 92 return 0; 93 } 94 95 static const struct h4_recv_pkt ag6xx_recv_pkts[] = { 96 { H4_RECV_ACL, .recv = hci_recv_frame }, 97 { H4_RECV_SCO, .recv = hci_recv_frame }, 98 { H4_RECV_EVENT, .recv = hci_recv_frame }, 99 }; 100 101 static int ag6xx_recv(struct hci_uart *hu, const void *data, int count) 102 { 103 struct ag6xx_data *ag6xx = hu->priv; 104 105 if (!test_bit(HCI_UART_REGISTERED, &hu->flags)) 106 return -EUNATCH; 107 108 ag6xx->rx_skb = h4_recv_buf(hu->hdev, ag6xx->rx_skb, data, count, 109 ag6xx_recv_pkts, 110 ARRAY_SIZE(ag6xx_recv_pkts)); 111 if (IS_ERR(ag6xx->rx_skb)) { 112 int err = PTR_ERR(ag6xx->rx_skb); 113 bt_dev_err(hu->hdev, "Frame reassembly failed (%d)", err); 114 ag6xx->rx_skb = NULL; 115 return err; 116 } 117 118 return count; 119 } 120 121 static int intel_mem_write(struct hci_dev *hdev, u32 addr, u32 plen, 122 const void *data) 123 { 124 /* Can write a maximum of 247 bytes per HCI command. 125 * HCI cmd Header (3), Intel mem write header (6), data (247). 126 */ 127 while (plen > 0) { 128 struct sk_buff *skb; 129 u8 cmd_param[253], fragment_len = (plen > 247) ? 247 : plen; 130 __le32 leaddr = cpu_to_le32(addr); 131 132 memcpy(cmd_param, &leaddr, 4); 133 cmd_param[4] = 0; 134 cmd_param[5] = fragment_len; 135 memcpy(cmd_param + 6, data, fragment_len); 136 137 skb = __hci_cmd_sync(hdev, 0xfc8e, fragment_len + 6, cmd_param, 138 HCI_INIT_TIMEOUT); 139 if (IS_ERR(skb)) 140 return PTR_ERR(skb); 141 kfree_skb(skb); 142 143 plen -= fragment_len; 144 data += fragment_len; 145 addr += fragment_len; 146 } 147 148 return 0; 149 } 150 151 static int ag6xx_setup(struct hci_uart *hu) 152 { 153 struct hci_dev *hdev = hu->hdev; 154 struct sk_buff *skb; 155 struct intel_version ver; 156 const struct firmware *fw; 157 const u8 *fw_ptr; 158 char fwname[64]; 159 bool patched = false; 160 int err; 161 162 hu->hdev->set_diag = btintel_set_diag; 163 hu->hdev->set_bdaddr = btintel_set_bdaddr; 164 165 err = btintel_enter_mfg(hdev); 166 if (err) 167 return err; 168 169 err = btintel_read_version(hdev, &ver); 170 if (err) 171 return err; 172 173 btintel_version_info(hdev, &ver); 174 175 /* The hardware platform number has a fixed value of 0x37 and 176 * for now only accept this single value. 177 */ 178 if (ver.hw_platform != 0x37) { 179 bt_dev_err(hdev, "Unsupported Intel hardware platform: 0x%X", 180 ver.hw_platform); 181 return -EINVAL; 182 } 183 184 /* Only the hardware variant iBT 2.1 (AG6XX) is supported by this 185 * firmware setup method. 186 */ 187 if (ver.hw_variant != 0x0a) { 188 bt_dev_err(hdev, "Unsupported Intel hardware variant: 0x%x", 189 ver.hw_variant); 190 return -EINVAL; 191 } 192 193 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bddata", 194 ver.hw_platform, ver.hw_variant); 195 196 err = request_firmware(&fw, fwname, &hdev->dev); 197 if (err < 0) { 198 bt_dev_err(hdev, "Failed to open Intel bddata file: %s (%d)", 199 fwname, err); 200 goto patch; 201 } 202 203 bt_dev_info(hdev, "Applying bddata (%s)", fwname); 204 205 skb = __hci_cmd_sync_ev(hdev, 0xfc2f, fw->size, fw->data, 206 HCI_EV_CMD_STATUS, HCI_CMD_TIMEOUT); 207 if (IS_ERR(skb)) { 208 bt_dev_err(hdev, "Applying bddata failed (%ld)", PTR_ERR(skb)); 209 release_firmware(fw); 210 return PTR_ERR(skb); 211 } 212 kfree_skb(skb); 213 214 release_firmware(fw); 215 216 patch: 217 /* If there is no applied patch, fw_patch_num is always 0x00. In other 218 * cases, current firmware is already patched. No need to patch it. 219 */ 220 if (ver.fw_patch_num) { 221 bt_dev_info(hdev, "Device is already patched. patch num: %02x", 222 ver.fw_patch_num); 223 patched = true; 224 goto complete; 225 } 226 227 snprintf(fwname, sizeof(fwname), 228 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.pbn", 229 ver.hw_platform, ver.hw_variant, ver.hw_revision, 230 ver.fw_variant, ver.fw_revision, ver.fw_build_num, 231 ver.fw_build_ww, ver.fw_build_yy); 232 233 err = request_firmware(&fw, fwname, &hdev->dev); 234 if (err < 0) { 235 bt_dev_err(hdev, "Failed to open Intel patch file: %s(%d)", 236 fwname, err); 237 goto complete; 238 } 239 fw_ptr = fw->data; 240 241 bt_dev_info(hdev, "Patching firmware file (%s)", fwname); 242 243 /* PBN patch file contains a list of binary patches to be applied on top 244 * of the embedded firmware. Each patch entry header contains the target 245 * address and patch size. 246 * 247 * Patch entry: 248 * | addr(le) | patch_len(le) | patch_data | 249 * | 4 Bytes | 4 Bytes | n Bytes | 250 * 251 * PBN file is terminated by a patch entry whose address is 0xffffffff. 252 */ 253 while (fw->size > fw_ptr - fw->data) { 254 struct pbn_entry *pbn = (void *)fw_ptr; 255 u32 addr, plen; 256 257 if (pbn->addr == 0xffffffff) { 258 bt_dev_info(hdev, "Patching complete"); 259 patched = true; 260 break; 261 } 262 263 addr = le32_to_cpu(pbn->addr); 264 plen = le32_to_cpu(pbn->plen); 265 266 if (fw->data + fw->size <= pbn->data + plen) { 267 bt_dev_info(hdev, "Invalid patch len (%d)", plen); 268 break; 269 } 270 271 bt_dev_info(hdev, "Patching %td/%zu", (fw_ptr - fw->data), 272 fw->size); 273 274 err = intel_mem_write(hdev, addr, plen, pbn->data); 275 if (err) { 276 bt_dev_err(hdev, "Patching failed"); 277 break; 278 } 279 280 fw_ptr = pbn->data + plen; 281 } 282 283 release_firmware(fw); 284 285 complete: 286 /* Exit manufacturing mode and reset */ 287 err = btintel_exit_mfg(hdev, true, patched); 288 if (err) 289 return err; 290 291 /* Set the event mask for Intel specific vendor events. This enables 292 * a few extra events that are useful during general operation. 293 */ 294 btintel_set_event_mask_mfg(hdev, false); 295 296 btintel_check_bdaddr(hdev); 297 return 0; 298 } 299 300 static const struct hci_uart_proto ag6xx_proto = { 301 .id = HCI_UART_AG6XX, 302 .name = "AG6XX", 303 .manufacturer = 2, 304 .open = ag6xx_open, 305 .close = ag6xx_close, 306 .flush = ag6xx_flush, 307 .setup = ag6xx_setup, 308 .recv = ag6xx_recv, 309 .enqueue = ag6xx_enqueue, 310 .dequeue = ag6xx_dequeue, 311 }; 312 313 int __init ag6xx_init(void) 314 { 315 return hci_uart_register_proto(&ag6xx_proto); 316 } 317 318 int __exit ag6xx_deinit(void) 319 { 320 return hci_uart_unregister_proto(&ag6xx_proto); 321 } 322