1 /******************************************************************************
2  *
3  * This file is provided under a dual BSD/GPLv2 license.  When using or
4  * redistributing this file, you may do so under either license.
5  *
6  * GPL LICENSE SUMMARY
7  *
8  * Copyright(c) 2005 - 2011 Intel Corporation. All rights reserved.
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of version 2 of the GNU General Public License as
12  * published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful, but
15  * WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
17  * General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110,
22  * USA
23  *
24  * The full GNU General Public License is included in this distribution
25  * in the file called LICENSE.GPL.
26  *
27  * Contact Information:
28  *  Intel Linux Wireless <ilw@linux.intel.com>
29  * Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, OR 97124-6497
30  *
31  * BSD LICENSE
32  *
33  * Copyright(c) 2005 - 2011 Intel Corporation. All rights reserved.
34  * All rights reserved.
35  *
36  * Redistribution and use in source and binary forms, with or without
37  * modification, are permitted provided that the following conditions
38  * are met:
39  *
40  *  * Redistributions of source code must retain the above copyright
41  *    notice, this list of conditions and the following disclaimer.
42  *  * Redistributions in binary form must reproduce the above copyright
43  *    notice, this list of conditions and the following disclaimer in
44  *    the documentation and/or other materials provided with the
45  *    distribution.
46  *  * Neither the name Intel Corporation nor the names of its
47  *    contributors may be used to endorse or promote products derived
48  *    from this software without specific prior written permission.
49  *
50  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
51  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
52  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
53  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
54  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
55  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
56  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
57  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
58  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
59  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
60  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
61  *
62  *****************************************************************************/
63 
64 #ifndef __il_commands_h__
65 #define __il_commands_h__
66 
67 #include <linux/ieee80211.h>
68 
69 struct il_priv;
70 
71 /* uCode version contains 4 values: Major/Minor/API/Serial */
72 #define IL_UCODE_MAJOR(ver)	(((ver) & 0xFF000000) >> 24)
73 #define IL_UCODE_MINOR(ver)	(((ver) & 0x00FF0000) >> 16)
74 #define IL_UCODE_API(ver)	(((ver) & 0x0000FF00) >> 8)
75 #define IL_UCODE_SERIAL(ver)	((ver) & 0x000000FF)
76 
77 /* Tx rates */
78 #define IL_CCK_RATES	4
79 #define IL_OFDM_RATES	8
80 #define IL_MAX_RATES	(IL_CCK_RATES + IL_OFDM_RATES)
81 
82 enum {
83 	N_ALIVE = 0x1,
84 	N_ERROR = 0x2,
85 
86 	/* RXON and QOS commands */
87 	C_RXON = 0x10,
88 	C_RXON_ASSOC = 0x11,
89 	C_QOS_PARAM = 0x13,
90 	C_RXON_TIMING = 0x14,
91 
92 	/* Multi-Station support */
93 	C_ADD_STA = 0x18,
94 	C_REM_STA = 0x19,
95 
96 	/* Security */
97 	C_WEPKEY = 0x20,
98 
99 	/* RX, TX, LEDs */
100 	N_3945_RX = 0x1b,	/* 3945 only */
101 	C_TX = 0x1c,
102 	C_RATE_SCALE = 0x47,	/* 3945 only */
103 	C_LEDS = 0x48,
104 	C_TX_LINK_QUALITY_CMD = 0x4e,	/* for 4965 */
105 
106 	/* 802.11h related */
107 	C_CHANNEL_SWITCH = 0x72,
108 	N_CHANNEL_SWITCH = 0x73,
109 	C_SPECTRUM_MEASUREMENT = 0x74,
110 	N_SPECTRUM_MEASUREMENT = 0x75,
111 
112 	/* Power Management */
113 	C_POWER_TBL = 0x77,
114 	N_PM_SLEEP = 0x7A,
115 	N_PM_DEBUG_STATS = 0x7B,
116 
117 	/* Scan commands and notifications */
118 	C_SCAN = 0x80,
119 	C_SCAN_ABORT = 0x81,
120 	N_SCAN_START = 0x82,
121 	N_SCAN_RESULTS = 0x83,
122 	N_SCAN_COMPLETE = 0x84,
123 
124 	/* IBSS/AP commands */
125 	N_BEACON = 0x90,
126 	C_TX_BEACON = 0x91,
127 
128 	/* Miscellaneous commands */
129 	C_TX_PWR_TBL = 0x97,
130 
131 	/* Bluetooth device coexistence config command */
132 	C_BT_CONFIG = 0x9b,
133 
134 	/* Statistics */
135 	C_STATS = 0x9c,
136 	N_STATS = 0x9d,
137 
138 	/* RF-KILL commands and notifications */
139 	N_CARD_STATE = 0xa1,
140 
141 	/* Missed beacons notification */
142 	N_MISSED_BEACONS = 0xa2,
143 
144 	C_CT_KILL_CONFIG = 0xa4,
145 	C_SENSITIVITY = 0xa8,
146 	C_PHY_CALIBRATION = 0xb0,
147 	N_RX_PHY = 0xc0,
148 	N_RX_MPDU = 0xc1,
149 	N_RX = 0xc3,
150 	N_COMPRESSED_BA = 0xc5,
151 
152 	IL_CN_MAX = 0xff
153 };
154 
155 /******************************************************************************
156  * (0)
157  * Commonly used structures and definitions:
158  * Command header, rate_n_flags, txpower
159  *
160  *****************************************************************************/
161 
162 /* il_cmd_header flags value */
163 #define IL_CMD_FAILED_MSK 0x40
164 
165 #define SEQ_TO_QUEUE(s)	(((s) >> 8) & 0x1f)
166 #define QUEUE_TO_SEQ(q)	(((q) & 0x1f) << 8)
167 #define SEQ_TO_IDX(s)	((s) & 0xff)
168 #define IDX_TO_SEQ(i)	((i) & 0xff)
169 #define SEQ_HUGE_FRAME	cpu_to_le16(0x4000)
170 #define SEQ_RX_FRAME	cpu_to_le16(0x8000)
171 
172 /**
173  * struct il_cmd_header
174  *
175  * This header format appears in the beginning of each command sent from the
176  * driver, and each response/notification received from uCode.
177  */
178 struct il_cmd_header {
179 	u8 cmd;			/* Command ID:  C_RXON, etc. */
180 	u8 flags;		/* 0:5 reserved, 6 abort, 7 internal */
181 	/*
182 	 * The driver sets up the sequence number to values of its choosing.
183 	 * uCode does not use this value, but passes it back to the driver
184 	 * when sending the response to each driver-originated command, so
185 	 * the driver can match the response to the command.  Since the values
186 	 * don't get used by uCode, the driver may set up an arbitrary format.
187 	 *
188 	 * There is one exception:  uCode sets bit 15 when it originates
189 	 * the response/notification, i.e. when the response/notification
190 	 * is not a direct response to a command sent by the driver.  For
191 	 * example, uCode issues N_3945_RX when it sends a received frame
192 	 * to the driver; it is not a direct response to any driver command.
193 	 *
194 	 * The Linux driver uses the following format:
195 	 *
196 	 *  0:7         tfd idx - position within TX queue
197 	 *  8:12        TX queue id
198 	 *  13          reserved
199 	 *  14          huge - driver sets this to indicate command is in the
200 	 *              'huge' storage at the end of the command buffers
201 	 *  15          unsolicited RX or uCode-originated notification
202 	 */
203 	__le16 sequence;
204 
205 	/* command or response/notification data follows immediately */
206 	u8 data[0];
207 } __packed;
208 
209 /**
210  * struct il3945_tx_power
211  *
212  * Used in C_TX_PWR_TBL, C_SCAN, C_CHANNEL_SWITCH
213  *
214  * Each entry contains two values:
215  * 1)  DSP gain (or sometimes called DSP attenuation).  This is a fine-grained
216  *     linear value that multiplies the output of the digital signal processor,
217  *     before being sent to the analog radio.
218  * 2)  Radio gain.  This sets the analog gain of the radio Tx path.
219  *     It is a coarser setting, and behaves in a logarithmic (dB) fashion.
220  *
221  * Driver obtains values from struct il3945_tx_power power_gain_table[][].
222  */
223 struct il3945_tx_power {
224 	u8 tx_gain;		/* gain for analog radio */
225 	u8 dsp_atten;		/* gain for DSP */
226 } __packed;
227 
228 /**
229  * struct il3945_power_per_rate
230  *
231  * Used in C_TX_PWR_TBL, C_CHANNEL_SWITCH
232  */
233 struct il3945_power_per_rate {
234 	u8 rate;		/* plcp */
235 	struct il3945_tx_power tpc;
236 	u8 reserved;
237 } __packed;
238 
239 /**
240  * iwl4965 rate_n_flags bit fields
241  *
242  * rate_n_flags format is used in following iwl4965 commands:
243  *  N_RX (response only)
244  *  N_RX_MPDU (response only)
245  *  C_TX (both command and response)
246  *  C_TX_LINK_QUALITY_CMD
247  *
248  * High-throughput (HT) rate format for bits 7:0 (bit 8 must be "1"):
249  *  2-0:  0)   6 Mbps
250  *        1)  12 Mbps
251  *        2)  18 Mbps
252  *        3)  24 Mbps
253  *        4)  36 Mbps
254  *        5)  48 Mbps
255  *        6)  54 Mbps
256  *        7)  60 Mbps
257  *
258  *  4-3:  0)  Single stream (SISO)
259  *        1)  Dual stream (MIMO)
260  *        2)  Triple stream (MIMO)
261  *
262  *    5:  Value of 0x20 in bits 7:0 indicates 6 Mbps HT40 duplicate data
263  *
264  * Legacy OFDM rate format for bits 7:0 (bit 8 must be "0", bit 9 "0"):
265  *  3-0:  0xD)   6 Mbps
266  *        0xF)   9 Mbps
267  *        0x5)  12 Mbps
268  *        0x7)  18 Mbps
269  *        0x9)  24 Mbps
270  *        0xB)  36 Mbps
271  *        0x1)  48 Mbps
272  *        0x3)  54 Mbps
273  *
274  * Legacy CCK rate format for bits 7:0 (bit 8 must be "0", bit 9 "1"):
275  *  6-0:   10)  1 Mbps
276  *         20)  2 Mbps
277  *         55)  5.5 Mbps
278  *        110)  11 Mbps
279  */
280 #define RATE_MCS_CODE_MSK 0x7
281 #define RATE_MCS_SPATIAL_POS 3
282 #define RATE_MCS_SPATIAL_MSK 0x18
283 #define RATE_MCS_HT_DUP_POS 5
284 #define RATE_MCS_HT_DUP_MSK 0x20
285 
286 /* Bit 8: (1) HT format, (0) legacy format in bits 7:0 */
287 #define RATE_MCS_FLAGS_POS 8
288 #define RATE_MCS_HT_POS 8
289 #define RATE_MCS_HT_MSK 0x100
290 
291 /* Bit 9: (1) CCK, (0) OFDM.  HT (bit 8) must be "0" for this bit to be valid */
292 #define RATE_MCS_CCK_POS 9
293 #define RATE_MCS_CCK_MSK 0x200
294 
295 /* Bit 10: (1) Use Green Field preamble */
296 #define RATE_MCS_GF_POS 10
297 #define RATE_MCS_GF_MSK 0x400
298 
299 /* Bit 11: (1) Use 40Mhz HT40 chnl width, (0) use 20 MHz legacy chnl width */
300 #define RATE_MCS_HT40_POS 11
301 #define RATE_MCS_HT40_MSK 0x800
302 
303 /* Bit 12: (1) Duplicate data on both 20MHz chnls. HT40 (bit 11) must be set. */
304 #define RATE_MCS_DUP_POS 12
305 #define RATE_MCS_DUP_MSK 0x1000
306 
307 /* Bit 13: (1) Short guard interval (0.4 usec), (0) normal GI (0.8 usec) */
308 #define RATE_MCS_SGI_POS 13
309 #define RATE_MCS_SGI_MSK 0x2000
310 
311 /**
312  * rate_n_flags Tx antenna masks
313  * 4965 has 2 transmitters
314  * bit14:16
315  */
316 #define RATE_MCS_ANT_POS	14
317 #define RATE_MCS_ANT_A_MSK	0x04000
318 #define RATE_MCS_ANT_B_MSK	0x08000
319 #define RATE_MCS_ANT_C_MSK	0x10000
320 #define RATE_MCS_ANT_AB_MSK	(RATE_MCS_ANT_A_MSK | RATE_MCS_ANT_B_MSK)
321 #define RATE_MCS_ANT_ABC_MSK	(RATE_MCS_ANT_AB_MSK | RATE_MCS_ANT_C_MSK)
322 #define RATE_ANT_NUM 3
323 
324 #define POWER_TBL_NUM_ENTRIES			33
325 #define POWER_TBL_NUM_HT_OFDM_ENTRIES		32
326 #define POWER_TBL_CCK_ENTRY			32
327 
328 #define IL_PWR_NUM_HT_OFDM_ENTRIES		24
329 #define IL_PWR_CCK_ENTRIES			2
330 
331 /**
332  * union il4965_tx_power_dual_stream
333  *
334  * Host format used for C_TX_PWR_TBL, C_CHANNEL_SWITCH
335  * Use __le32 version (struct tx_power_dual_stream) when building command.
336  *
337  * Driver provides radio gain and DSP attenuation settings to device in pairs,
338  * one value for each transmitter chain.  The first value is for transmitter A,
339  * second for transmitter B.
340  *
341  * For SISO bit rates, both values in a pair should be identical.
342  * For MIMO rates, one value may be different from the other,
343  * in order to balance the Tx output between the two transmitters.
344  *
345  * See more details in doc for TXPOWER in 4965.h.
346  */
347 union il4965_tx_power_dual_stream {
348 	struct {
349 		u8 radio_tx_gain[2];
350 		u8 dsp_predis_atten[2];
351 	} s;
352 	u32 dw;
353 };
354 
355 /**
356  * struct tx_power_dual_stream
357  *
358  * Table entries in C_TX_PWR_TBL, C_CHANNEL_SWITCH
359  *
360  * Same format as il_tx_power_dual_stream, but __le32
361  */
362 struct tx_power_dual_stream {
363 	__le32 dw;
364 } __packed;
365 
366 /**
367  * struct il4965_tx_power_db
368  *
369  * Entire table within C_TX_PWR_TBL, C_CHANNEL_SWITCH
370  */
371 struct il4965_tx_power_db {
372 	struct tx_power_dual_stream power_tbl[POWER_TBL_NUM_ENTRIES];
373 } __packed;
374 
375 /******************************************************************************
376  * (0a)
377  * Alive and Error Commands & Responses:
378  *
379  *****************************************************************************/
380 
381 #define UCODE_VALID_OK	cpu_to_le32(0x1)
382 #define INITIALIZE_SUBTYPE    (9)
383 
384 /*
385  * ("Initialize") N_ALIVE = 0x1 (response only, not a command)
386  *
387  * uCode issues this "initialize alive" notification once the initialization
388  * uCode image has completed its work, and is ready to load the runtime image.
389  * This is the *first* "alive" notification that the driver will receive after
390  * rebooting uCode; the "initialize" alive is indicated by subtype field == 9.
391  *
392  * See comments documenting "BSM" (bootstrap state machine).
393  *
394  * For 4965, this notification contains important calibration data for
395  * calculating txpower settings:
396  *
397  * 1)  Power supply voltage indication.  The voltage sensor outputs higher
398  *     values for lower voltage, and vice verse.
399  *
400  * 2)  Temperature measurement parameters, for each of two channel widths
401  *     (20 MHz and 40 MHz) supported by the radios.  Temperature sensing
402  *     is done via one of the receiver chains, and channel width influences
403  *     the results.
404  *
405  * 3)  Tx gain compensation to balance 4965's 2 Tx chains for MIMO operation,
406  *     for each of 5 frequency ranges.
407  */
408 struct il_init_alive_resp {
409 	u8 ucode_minor;
410 	u8 ucode_major;
411 	__le16 reserved1;
412 	u8 sw_rev[8];
413 	u8 ver_type;
414 	u8 ver_subtype;		/* "9" for initialize alive */
415 	__le16 reserved2;
416 	__le32 log_event_table_ptr;
417 	__le32 error_event_table_ptr;
418 	__le32 timestamp;
419 	__le32 is_valid;
420 
421 	/* calibration values from "initialize" uCode */
422 	__le32 voltage;		/* signed, higher value is lower voltage */
423 	__le32 therm_r1[2];	/* signed, 1st for normal, 2nd for HT40 */
424 	__le32 therm_r2[2];	/* signed */
425 	__le32 therm_r3[2];	/* signed */
426 	__le32 therm_r4[2];	/* signed */
427 	__le32 tx_atten[5][2];	/* signed MIMO gain comp, 5 freq groups,
428 				 * 2 Tx chains */
429 } __packed;
430 
431 /**
432  * N_ALIVE = 0x1 (response only, not a command)
433  *
434  * uCode issues this "alive" notification once the runtime image is ready
435  * to receive commands from the driver.  This is the *second* "alive"
436  * notification that the driver will receive after rebooting uCode;
437  * this "alive" is indicated by subtype field != 9.
438  *
439  * See comments documenting "BSM" (bootstrap state machine).
440  *
441  * This response includes two pointers to structures within the device's
442  * data SRAM (access via HBUS_TARG_MEM_* regs) that are useful for debugging:
443  *
444  * 1)  log_event_table_ptr indicates base of the event log.  This traces
445  *     a 256-entry history of uCode execution within a circular buffer.
446  *     Its header format is:
447  *
448  *	__le32 log_size;     log capacity (in number of entries)
449  *	__le32 type;         (1) timestamp with each entry, (0) no timestamp
450  *	__le32 wraps;        # times uCode has wrapped to top of circular buffer
451  *      __le32 write_idx;  next circular buffer entry that uCode would fill
452  *
453  *     The header is followed by the circular buffer of log entries.  Entries
454  *     with timestamps have the following format:
455  *
456  *	__le32 event_id;     range 0 - 1500
457  *	__le32 timestamp;    low 32 bits of TSF (of network, if associated)
458  *	__le32 data;         event_id-specific data value
459  *
460  *     Entries without timestamps contain only event_id and data.
461  *
462  *
463  * 2)  error_event_table_ptr indicates base of the error log.  This contains
464  *     information about any uCode error that occurs.  For 4965, the format
465  *     of the error log is:
466  *
467  *	__le32 valid;        (nonzero) valid, (0) log is empty
468  *	__le32 error_id;     type of error
469  *	__le32 pc;           program counter
470  *	__le32 blink1;       branch link
471  *	__le32 blink2;       branch link
472  *	__le32 ilink1;       interrupt link
473  *	__le32 ilink2;       interrupt link
474  *	__le32 data1;        error-specific data
475  *	__le32 data2;        error-specific data
476  *	__le32 line;         source code line of error
477  *	__le32 bcon_time;    beacon timer
478  *	__le32 tsf_low;      network timestamp function timer
479  *	__le32 tsf_hi;       network timestamp function timer
480  *	__le32 gp1;          GP1 timer register
481  *	__le32 gp2;          GP2 timer register
482  *	__le32 gp3;          GP3 timer register
483  *	__le32 ucode_ver;    uCode version
484  *	__le32 hw_ver;       HW Silicon version
485  *	__le32 brd_ver;      HW board version
486  *	__le32 log_pc;       log program counter
487  *	__le32 frame_ptr;    frame pointer
488  *	__le32 stack_ptr;    stack pointer
489  *	__le32 hcmd;         last host command
490  *	__le32 isr0;         isr status register LMPM_NIC_ISR0: rxtx_flag
491  *	__le32 isr1;         isr status register LMPM_NIC_ISR1: host_flag
492  *	__le32 isr2;         isr status register LMPM_NIC_ISR2: enc_flag
493  *	__le32 isr3;         isr status register LMPM_NIC_ISR3: time_flag
494  *	__le32 isr4;         isr status register LMPM_NIC_ISR4: wico interrupt
495  *	__le32 isr_pref;     isr status register LMPM_NIC_PREF_STAT
496  *	__le32 wait_event;   wait event() caller address
497  *	__le32 l2p_control;  L2pControlField
498  *	__le32 l2p_duration; L2pDurationField
499  *	__le32 l2p_mhvalid;  L2pMhValidBits
500  *	__le32 l2p_addr_match; L2pAddrMatchStat
501  *	__le32 lmpm_pmg_sel; indicate which clocks are turned on (LMPM_PMG_SEL)
502  *	__le32 u_timestamp;  indicate when the date and time of the compilation
503  *	__le32 reserved;
504  *
505  * The Linux driver can print both logs to the system log when a uCode error
506  * occurs.
507  */
508 struct il_alive_resp {
509 	u8 ucode_minor;
510 	u8 ucode_major;
511 	__le16 reserved1;
512 	u8 sw_rev[8];
513 	u8 ver_type;
514 	u8 ver_subtype;		/* not "9" for runtime alive */
515 	__le16 reserved2;
516 	__le32 log_event_table_ptr;	/* SRAM address for event log */
517 	__le32 error_event_table_ptr;	/* SRAM address for error log */
518 	__le32 timestamp;
519 	__le32 is_valid;
520 } __packed;
521 
522 /*
523  * N_ERROR = 0x2 (response only, not a command)
524  */
525 struct il_error_resp {
526 	__le32 error_type;
527 	u8 cmd_id;
528 	u8 reserved1;
529 	__le16 bad_cmd_seq_num;
530 	__le32 error_info;
531 	__le64 timestamp;
532 } __packed;
533 
534 /******************************************************************************
535  * (1)
536  * RXON Commands & Responses:
537  *
538  *****************************************************************************/
539 
540 /*
541  * Rx config defines & structure
542  */
543 /* rx_config device types  */
544 enum {
545 	RXON_DEV_TYPE_AP = 1,
546 	RXON_DEV_TYPE_ESS = 3,
547 	RXON_DEV_TYPE_IBSS = 4,
548 	RXON_DEV_TYPE_SNIFFER = 6,
549 };
550 
551 #define RXON_RX_CHAIN_DRIVER_FORCE_MSK		cpu_to_le16(0x1 << 0)
552 #define RXON_RX_CHAIN_DRIVER_FORCE_POS		(0)
553 #define RXON_RX_CHAIN_VALID_MSK			cpu_to_le16(0x7 << 1)
554 #define RXON_RX_CHAIN_VALID_POS			(1)
555 #define RXON_RX_CHAIN_FORCE_SEL_MSK		cpu_to_le16(0x7 << 4)
556 #define RXON_RX_CHAIN_FORCE_SEL_POS		(4)
557 #define RXON_RX_CHAIN_FORCE_MIMO_SEL_MSK	cpu_to_le16(0x7 << 7)
558 #define RXON_RX_CHAIN_FORCE_MIMO_SEL_POS	(7)
559 #define RXON_RX_CHAIN_CNT_MSK			cpu_to_le16(0x3 << 10)
560 #define RXON_RX_CHAIN_CNT_POS			(10)
561 #define RXON_RX_CHAIN_MIMO_CNT_MSK		cpu_to_le16(0x3 << 12)
562 #define RXON_RX_CHAIN_MIMO_CNT_POS		(12)
563 #define RXON_RX_CHAIN_MIMO_FORCE_MSK		cpu_to_le16(0x1 << 14)
564 #define RXON_RX_CHAIN_MIMO_FORCE_POS		(14)
565 
566 /* rx_config flags */
567 /* band & modulation selection */
568 #define RXON_FLG_BAND_24G_MSK           cpu_to_le32(1 << 0)
569 #define RXON_FLG_CCK_MSK                cpu_to_le32(1 << 1)
570 /* auto detection enable */
571 #define RXON_FLG_AUTO_DETECT_MSK        cpu_to_le32(1 << 2)
572 /* TGg protection when tx */
573 #define RXON_FLG_TGG_PROTECT_MSK        cpu_to_le32(1 << 3)
574 /* cck short slot & preamble */
575 #define RXON_FLG_SHORT_SLOT_MSK          cpu_to_le32(1 << 4)
576 #define RXON_FLG_SHORT_PREAMBLE_MSK     cpu_to_le32(1 << 5)
577 /* antenna selection */
578 #define RXON_FLG_DIS_DIV_MSK            cpu_to_le32(1 << 7)
579 #define RXON_FLG_ANT_SEL_MSK            cpu_to_le32(0x0f00)
580 #define RXON_FLG_ANT_A_MSK              cpu_to_le32(1 << 8)
581 #define RXON_FLG_ANT_B_MSK              cpu_to_le32(1 << 9)
582 /* radar detection enable */
583 #define RXON_FLG_RADAR_DETECT_MSK       cpu_to_le32(1 << 12)
584 #define RXON_FLG_TGJ_NARROW_BAND_MSK    cpu_to_le32(1 << 13)
585 /* rx response to host with 8-byte TSF
586 * (according to ON_AIR deassertion) */
587 #define RXON_FLG_TSF2HOST_MSK           cpu_to_le32(1 << 15)
588 
589 /* HT flags */
590 #define RXON_FLG_CTRL_CHANNEL_LOC_POS		(22)
591 #define RXON_FLG_CTRL_CHANNEL_LOC_HI_MSK	cpu_to_le32(0x1 << 22)
592 
593 #define RXON_FLG_HT_OPERATING_MODE_POS		(23)
594 
595 #define RXON_FLG_HT_PROT_MSK			cpu_to_le32(0x1 << 23)
596 #define RXON_FLG_HT40_PROT_MSK			cpu_to_le32(0x2 << 23)
597 
598 #define RXON_FLG_CHANNEL_MODE_POS		(25)
599 #define RXON_FLG_CHANNEL_MODE_MSK		cpu_to_le32(0x3 << 25)
600 
601 /* channel mode */
602 enum {
603 	CHANNEL_MODE_LEGACY = 0,
604 	CHANNEL_MODE_PURE_40 = 1,
605 	CHANNEL_MODE_MIXED = 2,
606 	CHANNEL_MODE_RESERVED = 3,
607 };
608 #define RXON_FLG_CHANNEL_MODE_LEGACY			\
609 	cpu_to_le32(CHANNEL_MODE_LEGACY << RXON_FLG_CHANNEL_MODE_POS)
610 #define RXON_FLG_CHANNEL_MODE_PURE_40			\
611 	cpu_to_le32(CHANNEL_MODE_PURE_40 << RXON_FLG_CHANNEL_MODE_POS)
612 #define RXON_FLG_CHANNEL_MODE_MIXED			\
613 	cpu_to_le32(CHANNEL_MODE_MIXED << RXON_FLG_CHANNEL_MODE_POS)
614 
615 /* CTS to self (if spec allows) flag */
616 #define RXON_FLG_SELF_CTS_EN			cpu_to_le32(0x1<<30)
617 
618 /* rx_config filter flags */
619 /* accept all data frames */
620 #define RXON_FILTER_PROMISC_MSK         cpu_to_le32(1 << 0)
621 /* pass control & management to host */
622 #define RXON_FILTER_CTL2HOST_MSK        cpu_to_le32(1 << 1)
623 /* accept multi-cast */
624 #define RXON_FILTER_ACCEPT_GRP_MSK      cpu_to_le32(1 << 2)
625 /* don't decrypt uni-cast frames */
626 #define RXON_FILTER_DIS_DECRYPT_MSK     cpu_to_le32(1 << 3)
627 /* don't decrypt multi-cast frames */
628 #define RXON_FILTER_DIS_GRP_DECRYPT_MSK cpu_to_le32(1 << 4)
629 /* STA is associated */
630 #define RXON_FILTER_ASSOC_MSK           cpu_to_le32(1 << 5)
631 /* transfer to host non bssid beacons in associated state */
632 #define RXON_FILTER_BCON_AWARE_MSK      cpu_to_le32(1 << 6)
633 
634 /**
635  * C_RXON = 0x10 (command, has simple generic response)
636  *
637  * RXON tunes the radio tuner to a service channel, and sets up a number
638  * of parameters that are used primarily for Rx, but also for Tx operations.
639  *
640  * NOTE:  When tuning to a new channel, driver must set the
641  *        RXON_FILTER_ASSOC_MSK to 0.  This will clear station-dependent
642  *        info within the device, including the station tables, tx retry
643  *        rate tables, and txpower tables.  Driver must build a new station
644  *        table and txpower table before transmitting anything on the RXON
645  *        channel.
646  *
647  * NOTE:  All RXONs wipe clean the internal txpower table.  Driver must
648  *        issue a new C_TX_PWR_TBL after each C_RXON (0x10),
649  *        regardless of whether RXON_FILTER_ASSOC_MSK is set.
650  */
651 
652 struct il3945_rxon_cmd {
653 	u8 node_addr[6];
654 	__le16 reserved1;
655 	u8 bssid_addr[6];
656 	__le16 reserved2;
657 	u8 wlap_bssid_addr[6];
658 	__le16 reserved3;
659 	u8 dev_type;
660 	u8 air_propagation;
661 	__le16 reserved4;
662 	u8 ofdm_basic_rates;
663 	u8 cck_basic_rates;
664 	__le16 assoc_id;
665 	__le32 flags;
666 	__le32 filter_flags;
667 	__le16 channel;
668 	__le16 reserved5;
669 } __packed;
670 
671 struct il4965_rxon_cmd {
672 	u8 node_addr[6];
673 	__le16 reserved1;
674 	u8 bssid_addr[6];
675 	__le16 reserved2;
676 	u8 wlap_bssid_addr[6];
677 	__le16 reserved3;
678 	u8 dev_type;
679 	u8 air_propagation;
680 	__le16 rx_chain;
681 	u8 ofdm_basic_rates;
682 	u8 cck_basic_rates;
683 	__le16 assoc_id;
684 	__le32 flags;
685 	__le32 filter_flags;
686 	__le16 channel;
687 	u8 ofdm_ht_single_stream_basic_rates;
688 	u8 ofdm_ht_dual_stream_basic_rates;
689 } __packed;
690 
691 /* Create a common rxon cmd which will be typecast into the 3945 or 4965
692  * specific rxon cmd, depending on where it is called from.
693  */
694 struct il_rxon_cmd {
695 	u8 node_addr[6];
696 	__le16 reserved1;
697 	u8 bssid_addr[6];
698 	__le16 reserved2;
699 	u8 wlap_bssid_addr[6];
700 	__le16 reserved3;
701 	u8 dev_type;
702 	u8 air_propagation;
703 	__le16 rx_chain;
704 	u8 ofdm_basic_rates;
705 	u8 cck_basic_rates;
706 	__le16 assoc_id;
707 	__le32 flags;
708 	__le32 filter_flags;
709 	__le16 channel;
710 	u8 ofdm_ht_single_stream_basic_rates;
711 	u8 ofdm_ht_dual_stream_basic_rates;
712 	u8 reserved4;
713 	u8 reserved5;
714 } __packed;
715 
716 /*
717  * C_RXON_ASSOC = 0x11 (command, has simple generic response)
718  */
719 struct il3945_rxon_assoc_cmd {
720 	__le32 flags;
721 	__le32 filter_flags;
722 	u8 ofdm_basic_rates;
723 	u8 cck_basic_rates;
724 	__le16 reserved;
725 } __packed;
726 
727 struct il4965_rxon_assoc_cmd {
728 	__le32 flags;
729 	__le32 filter_flags;
730 	u8 ofdm_basic_rates;
731 	u8 cck_basic_rates;
732 	u8 ofdm_ht_single_stream_basic_rates;
733 	u8 ofdm_ht_dual_stream_basic_rates;
734 	__le16 rx_chain_select_flags;
735 	__le16 reserved;
736 } __packed;
737 
738 #define IL_CONN_MAX_LISTEN_INTERVAL	10
739 #define IL_MAX_UCODE_BEACON_INTERVAL	4	/* 4096 */
740 #define IL39_MAX_UCODE_BEACON_INTERVAL	1	/* 1024 */
741 
742 /*
743  * C_RXON_TIMING = 0x14 (command, has simple generic response)
744  */
745 struct il_rxon_time_cmd {
746 	__le64 timestamp;
747 	__le16 beacon_interval;
748 	__le16 atim_win;
749 	__le32 beacon_init_val;
750 	__le16 listen_interval;
751 	u8 dtim_period;
752 	u8 delta_cp_bss_tbtts;
753 } __packed;
754 
755 /*
756  * C_CHANNEL_SWITCH = 0x72 (command, has simple generic response)
757  */
758 struct il3945_channel_switch_cmd {
759 	u8 band;
760 	u8 expect_beacon;
761 	__le16 channel;
762 	__le32 rxon_flags;
763 	__le32 rxon_filter_flags;
764 	__le32 switch_time;
765 	struct il3945_power_per_rate power[IL_MAX_RATES];
766 } __packed;
767 
768 struct il4965_channel_switch_cmd {
769 	u8 band;
770 	u8 expect_beacon;
771 	__le16 channel;
772 	__le32 rxon_flags;
773 	__le32 rxon_filter_flags;
774 	__le32 switch_time;
775 	struct il4965_tx_power_db tx_power;
776 } __packed;
777 
778 /*
779  * N_CHANNEL_SWITCH = 0x73 (notification only, not a command)
780  */
781 struct il_csa_notification {
782 	__le16 band;
783 	__le16 channel;
784 	__le32 status;		/* 0 - OK, 1 - fail */
785 } __packed;
786 
787 /******************************************************************************
788  * (2)
789  * Quality-of-Service (QOS) Commands & Responses:
790  *
791  *****************************************************************************/
792 
793 /**
794  * struct il_ac_qos -- QOS timing params for C_QOS_PARAM
795  * One for each of 4 EDCA access categories in struct il_qosparam_cmd
796  *
797  * @cw_min: Contention win, start value in numbers of slots.
798  *          Should be a power-of-2, minus 1.  Device's default is 0x0f.
799  * @cw_max: Contention win, max value in numbers of slots.
800  *          Should be a power-of-2, minus 1.  Device's default is 0x3f.
801  * @aifsn:  Number of slots in Arbitration Interframe Space (before
802  *          performing random backoff timing prior to Tx).  Device default 1.
803  * @edca_txop:  Length of Tx opportunity, in uSecs.  Device default is 0.
804  *
805  * Device will automatically increase contention win by (2*CW) + 1 for each
806  * transmission retry.  Device uses cw_max as a bit mask, ANDed with new CW
807  * value, to cap the CW value.
808  */
809 struct il_ac_qos {
810 	__le16 cw_min;
811 	__le16 cw_max;
812 	u8 aifsn;
813 	u8 reserved1;
814 	__le16 edca_txop;
815 } __packed;
816 
817 /* QoS flags defines */
818 #define QOS_PARAM_FLG_UPDATE_EDCA_MSK	cpu_to_le32(0x01)
819 #define QOS_PARAM_FLG_TGN_MSK		cpu_to_le32(0x02)
820 #define QOS_PARAM_FLG_TXOP_TYPE_MSK	cpu_to_le32(0x10)
821 
822 /* Number of Access Categories (AC) (EDCA), queues 0..3 */
823 #define AC_NUM                4
824 
825 /*
826  * C_QOS_PARAM = 0x13 (command, has simple generic response)
827  *
828  * This command sets up timings for each of the 4 prioritized EDCA Tx FIFOs
829  * 0: Background, 1: Best Effort, 2: Video, 3: Voice.
830  */
831 struct il_qosparam_cmd {
832 	__le32 qos_flags;
833 	struct il_ac_qos ac[AC_NUM];
834 } __packed;
835 
836 /******************************************************************************
837  * (3)
838  * Add/Modify Stations Commands & Responses:
839  *
840  *****************************************************************************/
841 /*
842  * Multi station support
843  */
844 
845 /* Special, dedicated locations within device's station table */
846 #define	IL_AP_ID		0
847 #define	IL_STA_ID		2
848 #define	IL3945_BROADCAST_ID	24
849 #define IL3945_STATION_COUNT	25
850 #define IL4965_BROADCAST_ID	31
851 #define	IL4965_STATION_COUNT	32
852 
853 #define	IL_STATION_COUNT	32	/* MAX(3945,4965) */
854 #define	IL_INVALID_STATION	255
855 
856 #define STA_FLG_TX_RATE_MSK		cpu_to_le32(1 << 2)
857 #define STA_FLG_PWR_SAVE_MSK		cpu_to_le32(1 << 8)
858 #define STA_FLG_RTS_MIMO_PROT_MSK	cpu_to_le32(1 << 17)
859 #define STA_FLG_AGG_MPDU_8US_MSK	cpu_to_le32(1 << 18)
860 #define STA_FLG_MAX_AGG_SIZE_POS	(19)
861 #define STA_FLG_MAX_AGG_SIZE_MSK	cpu_to_le32(3 << 19)
862 #define STA_FLG_HT40_EN_MSK		cpu_to_le32(1 << 21)
863 #define STA_FLG_MIMO_DIS_MSK		cpu_to_le32(1 << 22)
864 #define STA_FLG_AGG_MPDU_DENSITY_POS	(23)
865 #define STA_FLG_AGG_MPDU_DENSITY_MSK	cpu_to_le32(7 << 23)
866 
867 /* Use in mode field.  1: modify existing entry, 0: add new station entry */
868 #define STA_CONTROL_MODIFY_MSK		0x01
869 
870 /* key flags __le16*/
871 #define STA_KEY_FLG_ENCRYPT_MSK	cpu_to_le16(0x0007)
872 #define STA_KEY_FLG_NO_ENC	cpu_to_le16(0x0000)
873 #define STA_KEY_FLG_WEP		cpu_to_le16(0x0001)
874 #define STA_KEY_FLG_CCMP	cpu_to_le16(0x0002)
875 #define STA_KEY_FLG_TKIP	cpu_to_le16(0x0003)
876 
877 #define STA_KEY_FLG_KEYID_POS	8
878 #define STA_KEY_FLG_INVALID	cpu_to_le16(0x0800)
879 /* wep key is either from global key (0) or from station info array (1) */
880 #define STA_KEY_FLG_MAP_KEY_MSK	cpu_to_le16(0x0008)
881 
882 /* wep key in STA: 5-bytes (0) or 13-bytes (1) */
883 #define STA_KEY_FLG_KEY_SIZE_MSK	cpu_to_le16(0x1000)
884 #define STA_KEY_MULTICAST_MSK		cpu_to_le16(0x4000)
885 #define STA_KEY_MAX_NUM		8
886 
887 /* Flags indicate whether to modify vs. don't change various station params */
888 #define	STA_MODIFY_KEY_MASK		0x01
889 #define	STA_MODIFY_TID_DISABLE_TX	0x02
890 #define	STA_MODIFY_TX_RATE_MSK		0x04
891 #define STA_MODIFY_ADDBA_TID_MSK	0x08
892 #define STA_MODIFY_DELBA_TID_MSK	0x10
893 #define STA_MODIFY_SLEEP_TX_COUNT_MSK	0x20
894 
895 /* Receiver address (actually, Rx station's idx into station table),
896  * combined with Traffic ID (QOS priority), in format used by Tx Scheduler */
897 #define BUILD_RAxTID(sta_id, tid)	(((sta_id) << 4) + (tid))
898 
899 struct il4965_keyinfo {
900 	__le16 key_flags;
901 	u8 tkip_rx_tsc_byte2;	/* TSC[2] for key mix ph1 detection */
902 	u8 reserved1;
903 	__le16 tkip_rx_ttak[5];	/* 10-byte unicast TKIP TTAK */
904 	u8 key_offset;
905 	u8 reserved2;
906 	u8 key[16];		/* 16-byte unicast decryption key */
907 } __packed;
908 
909 /**
910  * struct sta_id_modify
911  * @addr[ETH_ALEN]: station's MAC address
912  * @sta_id: idx of station in uCode's station table
913  * @modify_mask: STA_MODIFY_*, 1: modify, 0: don't change
914  *
915  * Driver selects unused table idx when adding new station,
916  * or the idx to a pre-existing station entry when modifying that station.
917  * Some idxes have special purposes (IL_AP_ID, idx 0, is for AP).
918  *
919  * modify_mask flags select which parameters to modify vs. leave alone.
920  */
921 struct sta_id_modify {
922 	u8 addr[ETH_ALEN];
923 	__le16 reserved1;
924 	u8 sta_id;
925 	u8 modify_mask;
926 	__le16 reserved2;
927 } __packed;
928 
929 /*
930  * C_ADD_STA = 0x18 (command)
931  *
932  * The device contains an internal table of per-station information,
933  * with info on security keys, aggregation parameters, and Tx rates for
934  * initial Tx attempt and any retries (4965 devices uses
935  * C_TX_LINK_QUALITY_CMD,
936  * 3945 uses C_RATE_SCALE to set up rate tables).
937  *
938  * C_ADD_STA sets up the table entry for one station, either creating
939  * a new entry, or modifying a pre-existing one.
940  *
941  * NOTE:  RXON command (without "associated" bit set) wipes the station table
942  *        clean.  Moving into RF_KILL state does this also.  Driver must set up
943  *        new station table before transmitting anything on the RXON channel
944  *        (except active scans or active measurements; those commands carry
945  *        their own txpower/rate setup data).
946  *
947  *        When getting started on a new channel, driver must set up the
948  *        IL_BROADCAST_ID entry (last entry in the table).  For a client
949  *        station in a BSS, once an AP is selected, driver sets up the AP STA
950  *        in the IL_AP_ID entry (1st entry in the table).  BROADCAST and AP
951  *        are all that are needed for a BSS client station.  If the device is
952  *        used as AP, or in an IBSS network, driver must set up station table
953  *        entries for all STAs in network, starting with idx IL_STA_ID.
954  */
955 
956 struct il3945_addsta_cmd {
957 	u8 mode;		/* 1: modify existing, 0: add new station */
958 	u8 reserved[3];
959 	struct sta_id_modify sta;
960 	struct il4965_keyinfo key;
961 	__le32 station_flags;	/* STA_FLG_* */
962 	__le32 station_flags_msk;	/* STA_FLG_* */
963 
964 	/* bit field to disable (1) or enable (0) Tx for Traffic ID (TID)
965 	 * corresponding to bit (e.g. bit 5 controls TID 5).
966 	 * Set modify_mask bit STA_MODIFY_TID_DISABLE_TX to use this field. */
967 	__le16 tid_disable_tx;
968 
969 	__le16 rate_n_flags;
970 
971 	/* TID for which to add block-ack support.
972 	 * Set modify_mask bit STA_MODIFY_ADDBA_TID_MSK to use this field. */
973 	u8 add_immediate_ba_tid;
974 
975 	/* TID for which to remove block-ack support.
976 	 * Set modify_mask bit STA_MODIFY_DELBA_TID_MSK to use this field. */
977 	u8 remove_immediate_ba_tid;
978 
979 	/* Starting Sequence Number for added block-ack support.
980 	 * Set modify_mask bit STA_MODIFY_ADDBA_TID_MSK to use this field. */
981 	__le16 add_immediate_ba_ssn;
982 } __packed;
983 
984 struct il4965_addsta_cmd {
985 	u8 mode;		/* 1: modify existing, 0: add new station */
986 	u8 reserved[3];
987 	struct sta_id_modify sta;
988 	struct il4965_keyinfo key;
989 	__le32 station_flags;	/* STA_FLG_* */
990 	__le32 station_flags_msk;	/* STA_FLG_* */
991 
992 	/* bit field to disable (1) or enable (0) Tx for Traffic ID (TID)
993 	 * corresponding to bit (e.g. bit 5 controls TID 5).
994 	 * Set modify_mask bit STA_MODIFY_TID_DISABLE_TX to use this field. */
995 	__le16 tid_disable_tx;
996 
997 	__le16 reserved1;
998 
999 	/* TID for which to add block-ack support.
1000 	 * Set modify_mask bit STA_MODIFY_ADDBA_TID_MSK to use this field. */
1001 	u8 add_immediate_ba_tid;
1002 
1003 	/* TID for which to remove block-ack support.
1004 	 * Set modify_mask bit STA_MODIFY_DELBA_TID_MSK to use this field. */
1005 	u8 remove_immediate_ba_tid;
1006 
1007 	/* Starting Sequence Number for added block-ack support.
1008 	 * Set modify_mask bit STA_MODIFY_ADDBA_TID_MSK to use this field. */
1009 	__le16 add_immediate_ba_ssn;
1010 
1011 	/*
1012 	 * Number of packets OK to transmit to station even though
1013 	 * it is asleep -- used to synchronise PS-poll and u-APSD
1014 	 * responses while ucode keeps track of STA sleep state.
1015 	 */
1016 	__le16 sleep_tx_count;
1017 
1018 	__le16 reserved2;
1019 } __packed;
1020 
1021 /* Wrapper struct for 3945 and 4965 addsta_cmd structures */
1022 struct il_addsta_cmd {
1023 	u8 mode;		/* 1: modify existing, 0: add new station */
1024 	u8 reserved[3];
1025 	struct sta_id_modify sta;
1026 	struct il4965_keyinfo key;
1027 	__le32 station_flags;	/* STA_FLG_* */
1028 	__le32 station_flags_msk;	/* STA_FLG_* */
1029 
1030 	/* bit field to disable (1) or enable (0) Tx for Traffic ID (TID)
1031 	 * corresponding to bit (e.g. bit 5 controls TID 5).
1032 	 * Set modify_mask bit STA_MODIFY_TID_DISABLE_TX to use this field. */
1033 	__le16 tid_disable_tx;
1034 
1035 	__le16 rate_n_flags;	/* 3945 only */
1036 
1037 	/* TID for which to add block-ack support.
1038 	 * Set modify_mask bit STA_MODIFY_ADDBA_TID_MSK to use this field. */
1039 	u8 add_immediate_ba_tid;
1040 
1041 	/* TID for which to remove block-ack support.
1042 	 * Set modify_mask bit STA_MODIFY_DELBA_TID_MSK to use this field. */
1043 	u8 remove_immediate_ba_tid;
1044 
1045 	/* Starting Sequence Number for added block-ack support.
1046 	 * Set modify_mask bit STA_MODIFY_ADDBA_TID_MSK to use this field. */
1047 	__le16 add_immediate_ba_ssn;
1048 
1049 	/*
1050 	 * Number of packets OK to transmit to station even though
1051 	 * it is asleep -- used to synchronise PS-poll and u-APSD
1052 	 * responses while ucode keeps track of STA sleep state.
1053 	 */
1054 	__le16 sleep_tx_count;
1055 
1056 	__le16 reserved2;
1057 } __packed;
1058 
1059 #define ADD_STA_SUCCESS_MSK		0x1
1060 #define ADD_STA_NO_ROOM_IN_TBL	0x2
1061 #define ADD_STA_NO_BLOCK_ACK_RESOURCE	0x4
1062 #define ADD_STA_MODIFY_NON_EXIST_STA	0x8
1063 /*
1064  * C_ADD_STA = 0x18 (response)
1065  */
1066 struct il_add_sta_resp {
1067 	u8 status;		/* ADD_STA_* */
1068 } __packed;
1069 
1070 #define REM_STA_SUCCESS_MSK              0x1
1071 /*
1072  *  C_REM_STA = 0x19 (response)
1073  */
1074 struct il_rem_sta_resp {
1075 	u8 status;
1076 } __packed;
1077 
1078 /*
1079  *  C_REM_STA = 0x19 (command)
1080  */
1081 struct il_rem_sta_cmd {
1082 	u8 num_sta;		/* number of removed stations */
1083 	u8 reserved[3];
1084 	u8 addr[ETH_ALEN];	/* MAC addr of the first station */
1085 	u8 reserved2[2];
1086 } __packed;
1087 
1088 #define IL_TX_FIFO_BK_MSK		cpu_to_le32(BIT(0))
1089 #define IL_TX_FIFO_BE_MSK		cpu_to_le32(BIT(1))
1090 #define IL_TX_FIFO_VI_MSK		cpu_to_le32(BIT(2))
1091 #define IL_TX_FIFO_VO_MSK		cpu_to_le32(BIT(3))
1092 #define IL_AGG_TX_QUEUE_MSK		cpu_to_le32(0xffc00)
1093 
1094 #define IL_DROP_SINGLE		0
1095 #define IL_DROP_SELECTED	1
1096 #define IL_DROP_ALL		2
1097 
1098 /*
1099  * REPLY_WEP_KEY = 0x20
1100  */
1101 struct il_wep_key {
1102 	u8 key_idx;
1103 	u8 key_offset;
1104 	u8 reserved1[2];
1105 	u8 key_size;
1106 	u8 reserved2[3];
1107 	u8 key[16];
1108 } __packed;
1109 
1110 struct il_wep_cmd {
1111 	u8 num_keys;
1112 	u8 global_key_type;
1113 	u8 flags;
1114 	u8 reserved;
1115 	struct il_wep_key key[0];
1116 } __packed;
1117 
1118 #define WEP_KEY_WEP_TYPE 1
1119 #define WEP_KEYS_MAX 4
1120 #define WEP_INVALID_OFFSET 0xff
1121 #define WEP_KEY_LEN_64 5
1122 #define WEP_KEY_LEN_128 13
1123 
1124 /******************************************************************************
1125  * (4)
1126  * Rx Responses:
1127  *
1128  *****************************************************************************/
1129 
1130 #define RX_RES_STATUS_NO_CRC32_ERROR	cpu_to_le32(1 << 0)
1131 #define RX_RES_STATUS_NO_RXE_OVERFLOW	cpu_to_le32(1 << 1)
1132 
1133 #define RX_RES_PHY_FLAGS_BAND_24_MSK	cpu_to_le16(1 << 0)
1134 #define RX_RES_PHY_FLAGS_MOD_CCK_MSK		cpu_to_le16(1 << 1)
1135 #define RX_RES_PHY_FLAGS_SHORT_PREAMBLE_MSK	cpu_to_le16(1 << 2)
1136 #define RX_RES_PHY_FLAGS_NARROW_BAND_MSK	cpu_to_le16(1 << 3)
1137 #define RX_RES_PHY_FLAGS_ANTENNA_MSK		0x70
1138 #define RX_RES_PHY_FLAGS_ANTENNA_POS		4
1139 #define RX_RES_PHY_FLAGS_AGG_MSK	cpu_to_le16(1 << 7)
1140 
1141 #define RX_RES_STATUS_SEC_TYPE_MSK	(0x7 << 8)
1142 #define RX_RES_STATUS_SEC_TYPE_NONE	(0x0 << 8)
1143 #define RX_RES_STATUS_SEC_TYPE_WEP	(0x1 << 8)
1144 #define RX_RES_STATUS_SEC_TYPE_CCMP	(0x2 << 8)
1145 #define RX_RES_STATUS_SEC_TYPE_TKIP	(0x3 << 8)
1146 #define	RX_RES_STATUS_SEC_TYPE_ERR	(0x7 << 8)
1147 
1148 #define RX_RES_STATUS_STATION_FOUND	(1<<6)
1149 #define RX_RES_STATUS_NO_STATION_INFO_MISMATCH	(1<<7)
1150 
1151 #define RX_RES_STATUS_DECRYPT_TYPE_MSK	(0x3 << 11)
1152 #define RX_RES_STATUS_NOT_DECRYPT	(0x0 << 11)
1153 #define RX_RES_STATUS_DECRYPT_OK	(0x3 << 11)
1154 #define RX_RES_STATUS_BAD_ICV_MIC	(0x1 << 11)
1155 #define RX_RES_STATUS_BAD_KEY_TTAK	(0x2 << 11)
1156 
1157 #define RX_MPDU_RES_STATUS_ICV_OK	(0x20)
1158 #define RX_MPDU_RES_STATUS_MIC_OK	(0x40)
1159 #define RX_MPDU_RES_STATUS_TTAK_OK	(1 << 7)
1160 #define RX_MPDU_RES_STATUS_DEC_DONE_MSK	(0x800)
1161 
1162 struct il3945_rx_frame_stats {
1163 	u8 phy_count;
1164 	u8 id;
1165 	u8 rssi;
1166 	u8 agc;
1167 	__le16 sig_avg;
1168 	__le16 noise_diff;
1169 	u8 payload[0];
1170 } __packed;
1171 
1172 struct il3945_rx_frame_hdr {
1173 	__le16 channel;
1174 	__le16 phy_flags;
1175 	u8 reserved1;
1176 	u8 rate;
1177 	__le16 len;
1178 	u8 payload[0];
1179 } __packed;
1180 
1181 struct il3945_rx_frame_end {
1182 	__le32 status;
1183 	__le64 timestamp;
1184 	__le32 beacon_timestamp;
1185 } __packed;
1186 
1187 /*
1188  * N_3945_RX = 0x1b (response only, not a command)
1189  *
1190  * NOTE:  DO NOT dereference from casts to this structure
1191  * It is provided only for calculating minimum data set size.
1192  * The actual offsets of the hdr and end are dynamic based on
1193  * stats.phy_count
1194  */
1195 struct il3945_rx_frame {
1196 	struct il3945_rx_frame_stats stats;
1197 	struct il3945_rx_frame_hdr hdr;
1198 	struct il3945_rx_frame_end end;
1199 } __packed;
1200 
1201 #define IL39_RX_FRAME_SIZE	(4 + sizeof(struct il3945_rx_frame))
1202 
1203 /* Fixed (non-configurable) rx data from phy */
1204 
1205 #define IL49_RX_RES_PHY_CNT 14
1206 #define IL49_RX_PHY_FLAGS_ANTENNAE_OFFSET	(4)
1207 #define IL49_RX_PHY_FLAGS_ANTENNAE_MASK	(0x70)
1208 #define IL49_AGC_DB_MASK			(0x3f80)	/* MASK(7,13) */
1209 #define IL49_AGC_DB_POS			(7)
1210 struct il4965_rx_non_cfg_phy {
1211 	__le16 ant_selection;	/* ant A bit 4, ant B bit 5, ant C bit 6 */
1212 	__le16 agc_info;	/* agc code 0:6, agc dB 7:13, reserved 14:15 */
1213 	u8 rssi_info[6];	/* we use even entries, 0/2/4 for A/B/C rssi */
1214 	u8 pad[0];
1215 } __packed;
1216 
1217 /*
1218  * N_RX = 0xc3 (response only, not a command)
1219  * Used only for legacy (non 11n) frames.
1220  */
1221 struct il_rx_phy_res {
1222 	u8 non_cfg_phy_cnt;	/* non configurable DSP phy data byte count */
1223 	u8 cfg_phy_cnt;		/* configurable DSP phy data byte count */
1224 	u8 stat_id;		/* configurable DSP phy data set ID */
1225 	u8 reserved1;
1226 	__le64 timestamp;	/* TSF at on air rise */
1227 	__le32 beacon_time_stamp;	/* beacon at on-air rise */
1228 	__le16 phy_flags;	/* general phy flags: band, modulation, ... */
1229 	__le16 channel;		/* channel number */
1230 	u8 non_cfg_phy_buf[32];	/* for various implementations of non_cfg_phy */
1231 	__le32 rate_n_flags;	/* RATE_MCS_* */
1232 	__le16 byte_count;	/* frame's byte-count */
1233 	__le16 frame_time;	/* frame's time on the air */
1234 } __packed;
1235 
1236 struct il_rx_mpdu_res_start {
1237 	__le16 byte_count;
1238 	__le16 reserved;
1239 } __packed;
1240 
1241 /******************************************************************************
1242  * (5)
1243  * Tx Commands & Responses:
1244  *
1245  * Driver must place each C_TX command into one of the prioritized Tx
1246  * queues in host DRAM, shared between driver and device (see comments for
1247  * SCD registers and Tx/Rx Queues).  When the device's Tx scheduler and uCode
1248  * are preparing to transmit, the device pulls the Tx command over the PCI
1249  * bus via one of the device's Tx DMA channels, to fill an internal FIFO
1250  * from which data will be transmitted.
1251  *
1252  * uCode handles all timing and protocol related to control frames
1253  * (RTS/CTS/ACK), based on flags in the Tx command.  uCode and Tx scheduler
1254  * handle reception of block-acks; uCode updates the host driver via
1255  * N_COMPRESSED_BA.
1256  *
1257  * uCode handles retrying Tx when an ACK is expected but not received.
1258  * This includes trying lower data rates than the one requested in the Tx
1259  * command, as set up by the C_RATE_SCALE (for 3945) or
1260  * C_TX_LINK_QUALITY_CMD (4965).
1261  *
1262  * Driver sets up transmit power for various rates via C_TX_PWR_TBL.
1263  * This command must be executed after every RXON command, before Tx can occur.
1264  *****************************************************************************/
1265 
1266 /* C_TX Tx flags field */
1267 
1268 /*
1269  * 1: Use Request-To-Send protocol before this frame.
1270  * Mutually exclusive vs. TX_CMD_FLG_CTS_MSK.
1271  */
1272 #define TX_CMD_FLG_RTS_MSK cpu_to_le32(1 << 1)
1273 
1274 /*
1275  * 1: Transmit Clear-To-Send to self before this frame.
1276  * Driver should set this for AUTH/DEAUTH/ASSOC-REQ/REASSOC mgmnt frames.
1277  * Mutually exclusive vs. TX_CMD_FLG_RTS_MSK.
1278  */
1279 #define TX_CMD_FLG_CTS_MSK cpu_to_le32(1 << 2)
1280 
1281 /* 1: Expect ACK from receiving station
1282  * 0: Don't expect ACK (MAC header's duration field s/b 0)
1283  * Set this for unicast frames, but not broadcast/multicast. */
1284 #define TX_CMD_FLG_ACK_MSK cpu_to_le32(1 << 3)
1285 
1286 /* For 4965 devices:
1287  * 1: Use rate scale table (see C_TX_LINK_QUALITY_CMD).
1288  *    Tx command's initial_rate_idx indicates first rate to try;
1289  *    uCode walks through table for additional Tx attempts.
1290  * 0: Use Tx rate/MCS from Tx command's rate_n_flags field.
1291  *    This rate will be used for all Tx attempts; it will not be scaled. */
1292 #define TX_CMD_FLG_STA_RATE_MSK cpu_to_le32(1 << 4)
1293 
1294 /* 1: Expect immediate block-ack.
1295  * Set when Txing a block-ack request frame.  Also set TX_CMD_FLG_ACK_MSK. */
1296 #define TX_CMD_FLG_IMM_BA_RSP_MASK  cpu_to_le32(1 << 6)
1297 
1298 /*
1299  * 1: Frame requires full Tx-Op protection.
1300  * Set this if either RTS or CTS Tx Flag gets set.
1301  */
1302 #define TX_CMD_FLG_FULL_TXOP_PROT_MSK cpu_to_le32(1 << 7)
1303 
1304 /* Tx antenna selection field; used only for 3945, reserved (0) for 4965 devices.
1305  * Set field to "0" to allow 3945 uCode to select antenna (normal usage). */
1306 #define TX_CMD_FLG_ANT_SEL_MSK cpu_to_le32(0xf00)
1307 #define TX_CMD_FLG_ANT_A_MSK cpu_to_le32(1 << 8)
1308 #define TX_CMD_FLG_ANT_B_MSK cpu_to_le32(1 << 9)
1309 
1310 /* 1: uCode overrides sequence control field in MAC header.
1311  * 0: Driver provides sequence control field in MAC header.
1312  * Set this for management frames, non-QOS data frames, non-unicast frames,
1313  * and also in Tx command embedded in C_SCAN for active scans. */
1314 #define TX_CMD_FLG_SEQ_CTL_MSK cpu_to_le32(1 << 13)
1315 
1316 /* 1: This frame is non-last MPDU; more fragments are coming.
1317  * 0: Last fragment, or not using fragmentation. */
1318 #define TX_CMD_FLG_MORE_FRAG_MSK cpu_to_le32(1 << 14)
1319 
1320 /* 1: uCode calculates and inserts Timestamp Function (TSF) in outgoing frame.
1321  * 0: No TSF required in outgoing frame.
1322  * Set this for transmitting beacons and probe responses. */
1323 #define TX_CMD_FLG_TSF_MSK cpu_to_le32(1 << 16)
1324 
1325 /* 1: Driver inserted 2 bytes pad after the MAC header, for (required) dword
1326  *    alignment of frame's payload data field.
1327  * 0: No pad
1328  * Set this for MAC headers with 26 or 30 bytes, i.e. those with QOS or ADDR4
1329  * field (but not both).  Driver must align frame data (i.e. data following
1330  * MAC header) to DWORD boundary. */
1331 #define TX_CMD_FLG_MH_PAD_MSK cpu_to_le32(1 << 20)
1332 
1333 /* accelerate aggregation support
1334  * 0 - no CCMP encryption; 1 - CCMP encryption */
1335 #define TX_CMD_FLG_AGG_CCMP_MSK cpu_to_le32(1 << 22)
1336 
1337 /* HCCA-AP - disable duration overwriting. */
1338 #define TX_CMD_FLG_DUR_MSK cpu_to_le32(1 << 25)
1339 
1340 /*
1341  * TX command security control
1342  */
1343 #define TX_CMD_SEC_WEP		0x01
1344 #define TX_CMD_SEC_CCM		0x02
1345 #define TX_CMD_SEC_TKIP		0x03
1346 #define TX_CMD_SEC_MSK		0x03
1347 #define TX_CMD_SEC_SHIFT	6
1348 #define TX_CMD_SEC_KEY128	0x08
1349 
1350 /*
1351  * C_TX = 0x1c (command)
1352  */
1353 
1354 struct il3945_tx_cmd {
1355 	/*
1356 	 * MPDU byte count:
1357 	 * MAC header (24/26/30/32 bytes) + 2 bytes pad if 26/30 header size,
1358 	 * + 8 byte IV for CCM or TKIP (not used for WEP)
1359 	 * + Data payload
1360 	 * + 8-byte MIC (not used for CCM/WEP)
1361 	 * NOTE:  Does not include Tx command bytes, post-MAC pad bytes,
1362 	 *        MIC (CCM) 8 bytes, ICV (WEP/TKIP/CKIP) 4 bytes, CRC 4 bytes.i
1363 	 * Range: 14-2342 bytes.
1364 	 */
1365 	__le16 len;
1366 
1367 	/*
1368 	 * MPDU or MSDU byte count for next frame.
1369 	 * Used for fragmentation and bursting, but not 11n aggregation.
1370 	 * Same as "len", but for next frame.  Set to 0 if not applicable.
1371 	 */
1372 	__le16 next_frame_len;
1373 
1374 	__le32 tx_flags;	/* TX_CMD_FLG_* */
1375 
1376 	u8 rate;
1377 
1378 	/* Index of recipient station in uCode's station table */
1379 	u8 sta_id;
1380 	u8 tid_tspec;
1381 	u8 sec_ctl;
1382 	u8 key[16];
1383 	union {
1384 		u8 byte[8];
1385 		__le16 word[4];
1386 		__le32 dw[2];
1387 	} tkip_mic;
1388 	__le32 next_frame_info;
1389 	union {
1390 		__le32 life_time;
1391 		__le32 attempt;
1392 	} stop_time;
1393 	u8 supp_rates[2];
1394 	u8 rts_retry_limit;	/*byte 50 */
1395 	u8 data_retry_limit;	/*byte 51 */
1396 	union {
1397 		__le16 pm_frame_timeout;
1398 		__le16 attempt_duration;
1399 	} timeout;
1400 
1401 	/*
1402 	 * Duration of EDCA burst Tx Opportunity, in 32-usec units.
1403 	 * Set this if txop time is not specified by HCCA protocol (e.g. by AP).
1404 	 */
1405 	__le16 driver_txop;
1406 
1407 	/*
1408 	 * MAC header goes here, followed by 2 bytes padding if MAC header
1409 	 * length is 26 or 30 bytes, followed by payload data
1410 	 */
1411 	u8 payload[0];
1412 	struct ieee80211_hdr hdr[0];
1413 } __packed;
1414 
1415 /*
1416  * C_TX = 0x1c (response)
1417  */
1418 struct il3945_tx_resp {
1419 	u8 failure_rts;
1420 	u8 failure_frame;
1421 	u8 bt_kill_count;
1422 	u8 rate;
1423 	__le32 wireless_media_time;
1424 	__le32 status;		/* TX status */
1425 } __packed;
1426 
1427 /*
1428  * 4965 uCode updates these Tx attempt count values in host DRAM.
1429  * Used for managing Tx retries when expecting block-acks.
1430  * Driver should set these fields to 0.
1431  */
1432 struct il_dram_scratch {
1433 	u8 try_cnt;		/* Tx attempts */
1434 	u8 bt_kill_cnt;		/* Tx attempts blocked by Bluetooth device */
1435 	__le16 reserved;
1436 } __packed;
1437 
1438 struct il_tx_cmd {
1439 	/*
1440 	 * MPDU byte count:
1441 	 * MAC header (24/26/30/32 bytes) + 2 bytes pad if 26/30 header size,
1442 	 * + 8 byte IV for CCM or TKIP (not used for WEP)
1443 	 * + Data payload
1444 	 * + 8-byte MIC (not used for CCM/WEP)
1445 	 * NOTE:  Does not include Tx command bytes, post-MAC pad bytes,
1446 	 *        MIC (CCM) 8 bytes, ICV (WEP/TKIP/CKIP) 4 bytes, CRC 4 bytes.i
1447 	 * Range: 14-2342 bytes.
1448 	 */
1449 	__le16 len;
1450 
1451 	/*
1452 	 * MPDU or MSDU byte count for next frame.
1453 	 * Used for fragmentation and bursting, but not 11n aggregation.
1454 	 * Same as "len", but for next frame.  Set to 0 if not applicable.
1455 	 */
1456 	__le16 next_frame_len;
1457 
1458 	__le32 tx_flags;	/* TX_CMD_FLG_* */
1459 
1460 	/* uCode may modify this field of the Tx command (in host DRAM!).
1461 	 * Driver must also set dram_lsb_ptr and dram_msb_ptr in this cmd. */
1462 	struct il_dram_scratch scratch;
1463 
1464 	/* Rate for *all* Tx attempts, if TX_CMD_FLG_STA_RATE_MSK is cleared. */
1465 	__le32 rate_n_flags;	/* RATE_MCS_* */
1466 
1467 	/* Index of destination station in uCode's station table */
1468 	u8 sta_id;
1469 
1470 	/* Type of security encryption:  CCM or TKIP */
1471 	u8 sec_ctl;		/* TX_CMD_SEC_* */
1472 
1473 	/*
1474 	 * Index into rate table (see C_TX_LINK_QUALITY_CMD) for initial
1475 	 * Tx attempt, if TX_CMD_FLG_STA_RATE_MSK is set.  Normally "0" for
1476 	 * data frames, this field may be used to selectively reduce initial
1477 	 * rate (via non-0 value) for special frames (e.g. management), while
1478 	 * still supporting rate scaling for all frames.
1479 	 */
1480 	u8 initial_rate_idx;
1481 	u8 reserved;
1482 	u8 key[16];
1483 	__le16 next_frame_flags;
1484 	__le16 reserved2;
1485 	union {
1486 		__le32 life_time;
1487 		__le32 attempt;
1488 	} stop_time;
1489 
1490 	/* Host DRAM physical address pointer to "scratch" in this command.
1491 	 * Must be dword aligned.  "0" in dram_lsb_ptr disables usage. */
1492 	__le32 dram_lsb_ptr;
1493 	u8 dram_msb_ptr;
1494 
1495 	u8 rts_retry_limit;	/*byte 50 */
1496 	u8 data_retry_limit;	/*byte 51 */
1497 	u8 tid_tspec;
1498 	union {
1499 		__le16 pm_frame_timeout;
1500 		__le16 attempt_duration;
1501 	} timeout;
1502 
1503 	/*
1504 	 * Duration of EDCA burst Tx Opportunity, in 32-usec units.
1505 	 * Set this if txop time is not specified by HCCA protocol (e.g. by AP).
1506 	 */
1507 	__le16 driver_txop;
1508 
1509 	/*
1510 	 * MAC header goes here, followed by 2 bytes padding if MAC header
1511 	 * length is 26 or 30 bytes, followed by payload data
1512 	 */
1513 	u8 payload[0];
1514 	struct ieee80211_hdr hdr[0];
1515 } __packed;
1516 
1517 /* TX command response is sent after *3945* transmission attempts.
1518  *
1519  * NOTES:
1520  *
1521  * TX_STATUS_FAIL_NEXT_FRAG
1522  *
1523  * If the fragment flag in the MAC header for the frame being transmitted
1524  * is set and there is insufficient time to transmit the next frame, the
1525  * TX status will be returned with 'TX_STATUS_FAIL_NEXT_FRAG'.
1526  *
1527  * TX_STATUS_FIFO_UNDERRUN
1528  *
1529  * Indicates the host did not provide bytes to the FIFO fast enough while
1530  * a TX was in progress.
1531  *
1532  * TX_STATUS_FAIL_MGMNT_ABORT
1533  *
1534  * This status is only possible if the ABORT ON MGMT RX parameter was
1535  * set to true with the TX command.
1536  *
1537  * If the MSB of the status parameter is set then an abort sequence is
1538  * required.  This sequence consists of the host activating the TX Abort
1539  * control line, and then waiting for the TX Abort command response.  This
1540  * indicates that a the device is no longer in a transmit state, and that the
1541  * command FIFO has been cleared.  The host must then deactivate the TX Abort
1542  * control line.  Receiving is still allowed in this case.
1543  */
1544 enum {
1545 	TX_3945_STATUS_SUCCESS = 0x01,
1546 	TX_3945_STATUS_DIRECT_DONE = 0x02,
1547 	TX_3945_STATUS_FAIL_SHORT_LIMIT = 0x82,
1548 	TX_3945_STATUS_FAIL_LONG_LIMIT = 0x83,
1549 	TX_3945_STATUS_FAIL_FIFO_UNDERRUN = 0x84,
1550 	TX_3945_STATUS_FAIL_MGMNT_ABORT = 0x85,
1551 	TX_3945_STATUS_FAIL_NEXT_FRAG = 0x86,
1552 	TX_3945_STATUS_FAIL_LIFE_EXPIRE = 0x87,
1553 	TX_3945_STATUS_FAIL_DEST_PS = 0x88,
1554 	TX_3945_STATUS_FAIL_ABORTED = 0x89,
1555 	TX_3945_STATUS_FAIL_BT_RETRY = 0x8a,
1556 	TX_3945_STATUS_FAIL_STA_INVALID = 0x8b,
1557 	TX_3945_STATUS_FAIL_FRAG_DROPPED = 0x8c,
1558 	TX_3945_STATUS_FAIL_TID_DISABLE = 0x8d,
1559 	TX_3945_STATUS_FAIL_FRAME_FLUSHED = 0x8e,
1560 	TX_3945_STATUS_FAIL_INSUFFICIENT_CF_POLL = 0x8f,
1561 	TX_3945_STATUS_FAIL_TX_LOCKED = 0x90,
1562 	TX_3945_STATUS_FAIL_NO_BEACON_ON_RADAR = 0x91,
1563 };
1564 
1565 /*
1566  * TX command response is sent after *4965* transmission attempts.
1567  *
1568  * both postpone and abort status are expected behavior from uCode. there is
1569  * no special operation required from driver; except for RFKILL_FLUSH,
1570  * which required tx flush host command to flush all the tx frames in queues
1571  */
1572 enum {
1573 	TX_STATUS_SUCCESS = 0x01,
1574 	TX_STATUS_DIRECT_DONE = 0x02,
1575 	/* postpone TX */
1576 	TX_STATUS_POSTPONE_DELAY = 0x40,
1577 	TX_STATUS_POSTPONE_FEW_BYTES = 0x41,
1578 	TX_STATUS_POSTPONE_QUIET_PERIOD = 0x43,
1579 	TX_STATUS_POSTPONE_CALC_TTAK = 0x44,
1580 	/* abort TX */
1581 	TX_STATUS_FAIL_INTERNAL_CROSSED_RETRY = 0x81,
1582 	TX_STATUS_FAIL_SHORT_LIMIT = 0x82,
1583 	TX_STATUS_FAIL_LONG_LIMIT = 0x83,
1584 	TX_STATUS_FAIL_FIFO_UNDERRUN = 0x84,
1585 	TX_STATUS_FAIL_DRAIN_FLOW = 0x85,
1586 	TX_STATUS_FAIL_RFKILL_FLUSH = 0x86,
1587 	TX_STATUS_FAIL_LIFE_EXPIRE = 0x87,
1588 	TX_STATUS_FAIL_DEST_PS = 0x88,
1589 	TX_STATUS_FAIL_HOST_ABORTED = 0x89,
1590 	TX_STATUS_FAIL_BT_RETRY = 0x8a,
1591 	TX_STATUS_FAIL_STA_INVALID = 0x8b,
1592 	TX_STATUS_FAIL_FRAG_DROPPED = 0x8c,
1593 	TX_STATUS_FAIL_TID_DISABLE = 0x8d,
1594 	TX_STATUS_FAIL_FIFO_FLUSHED = 0x8e,
1595 	TX_STATUS_FAIL_INSUFFICIENT_CF_POLL = 0x8f,
1596 	TX_STATUS_FAIL_PASSIVE_NO_RX = 0x90,
1597 	TX_STATUS_FAIL_NO_BEACON_ON_RADAR = 0x91,
1598 };
1599 
1600 #define	TX_PACKET_MODE_REGULAR		0x0000
1601 #define	TX_PACKET_MODE_BURST_SEQ	0x0100
1602 #define	TX_PACKET_MODE_BURST_FIRST	0x0200
1603 
1604 enum {
1605 	TX_POWER_PA_NOT_ACTIVE = 0x0,
1606 };
1607 
1608 enum {
1609 	TX_STATUS_MSK = 0x000000ff,	/* bits 0:7 */
1610 	TX_STATUS_DELAY_MSK = 0x00000040,
1611 	TX_STATUS_ABORT_MSK = 0x00000080,
1612 	TX_PACKET_MODE_MSK = 0x0000ff00,	/* bits 8:15 */
1613 	TX_FIFO_NUMBER_MSK = 0x00070000,	/* bits 16:18 */
1614 	TX_RESERVED = 0x00780000,	/* bits 19:22 */
1615 	TX_POWER_PA_DETECT_MSK = 0x7f800000,	/* bits 23:30 */
1616 	TX_ABORT_REQUIRED_MSK = 0x80000000,	/* bits 31:31 */
1617 };
1618 
1619 /* *******************************
1620  * TX aggregation status
1621  ******************************* */
1622 
1623 enum {
1624 	AGG_TX_STATE_TRANSMITTED = 0x00,
1625 	AGG_TX_STATE_UNDERRUN_MSK = 0x01,
1626 	AGG_TX_STATE_FEW_BYTES_MSK = 0x04,
1627 	AGG_TX_STATE_ABORT_MSK = 0x08,
1628 	AGG_TX_STATE_LAST_SENT_TTL_MSK = 0x10,
1629 	AGG_TX_STATE_LAST_SENT_TRY_CNT_MSK = 0x20,
1630 	AGG_TX_STATE_SCD_QUERY_MSK = 0x80,
1631 	AGG_TX_STATE_TEST_BAD_CRC32_MSK = 0x100,
1632 	AGG_TX_STATE_RESPONSE_MSK = 0x1ff,
1633 	AGG_TX_STATE_DUMP_TX_MSK = 0x200,
1634 	AGG_TX_STATE_DELAY_TX_MSK = 0x400
1635 };
1636 
1637 #define AGG_TX_STATUS_MSK	0x00000fff	/* bits 0:11 */
1638 #define AGG_TX_TRY_MSK		0x0000f000	/* bits 12:15 */
1639 
1640 #define AGG_TX_STATE_LAST_SENT_MSK  (AGG_TX_STATE_LAST_SENT_TTL_MSK | \
1641 				     AGG_TX_STATE_LAST_SENT_TRY_CNT_MSK)
1642 
1643 /* # tx attempts for first frame in aggregation */
1644 #define AGG_TX_STATE_TRY_CNT_POS 12
1645 #define AGG_TX_STATE_TRY_CNT_MSK 0xf000
1646 
1647 /* Command ID and sequence number of Tx command for this frame */
1648 #define AGG_TX_STATE_SEQ_NUM_POS 16
1649 #define AGG_TX_STATE_SEQ_NUM_MSK 0xffff0000
1650 
1651 /*
1652  * C_TX = 0x1c (response)
1653  *
1654  * This response may be in one of two slightly different formats, indicated
1655  * by the frame_count field:
1656  *
1657  * 1)  No aggregation (frame_count == 1).  This reports Tx results for
1658  *     a single frame.  Multiple attempts, at various bit rates, may have
1659  *     been made for this frame.
1660  *
1661  * 2)  Aggregation (frame_count > 1).  This reports Tx results for
1662  *     2 or more frames that used block-acknowledge.  All frames were
1663  *     transmitted at same rate.  Rate scaling may have been used if first
1664  *     frame in this new agg block failed in previous agg block(s).
1665  *
1666  *     Note that, for aggregation, ACK (block-ack) status is not delivered here;
1667  *     block-ack has not been received by the time the 4965 device records
1668  *     this status.
1669  *     This status relates to reasons the tx might have been blocked or aborted
1670  *     within the sending station (this 4965 device), rather than whether it was
1671  *     received successfully by the destination station.
1672  */
1673 struct agg_tx_status {
1674 	__le16 status;
1675 	__le16 sequence;
1676 } __packed;
1677 
1678 struct il4965_tx_resp {
1679 	u8 frame_count;		/* 1 no aggregation, >1 aggregation */
1680 	u8 bt_kill_count;	/* # blocked by bluetooth (unused for agg) */
1681 	u8 failure_rts;		/* # failures due to unsuccessful RTS */
1682 	u8 failure_frame;	/* # failures due to no ACK (unused for agg) */
1683 
1684 	/* For non-agg:  Rate at which frame was successful.
1685 	 * For agg:  Rate at which all frames were transmitted. */
1686 	__le32 rate_n_flags;	/* RATE_MCS_*  */
1687 
1688 	/* For non-agg:  RTS + CTS + frame tx attempts time + ACK.
1689 	 * For agg:  RTS + CTS + aggregation tx time + block-ack time. */
1690 	__le16 wireless_media_time;	/* uSecs */
1691 
1692 	__le16 reserved;
1693 	__le32 pa_power1;	/* RF power amplifier measurement (not used) */
1694 	__le32 pa_power2;
1695 
1696 	/*
1697 	 * For non-agg:  frame status TX_STATUS_*
1698 	 * For agg:  status of 1st frame, AGG_TX_STATE_*; other frame status
1699 	 *           fields follow this one, up to frame_count.
1700 	 *           Bit fields:
1701 	 *           11- 0:  AGG_TX_STATE_* status code
1702 	 *           15-12:  Retry count for 1st frame in aggregation (retries
1703 	 *                   occur if tx failed for this frame when it was a
1704 	 *                   member of a previous aggregation block).  If rate
1705 	 *                   scaling is used, retry count indicates the rate
1706 	 *                   table entry used for all frames in the new agg.
1707 	 *           31-16:  Sequence # for this frame's Tx cmd (not SSN!)
1708 	 */
1709 	union {
1710 		__le32 status;
1711 		struct agg_tx_status agg_status[0];	/* for each agg frame */
1712 	} u;
1713 } __packed;
1714 
1715 /*
1716  * N_COMPRESSED_BA = 0xc5 (response only, not a command)
1717  *
1718  * Reports Block-Acknowledge from recipient station
1719  */
1720 struct il_compressed_ba_resp {
1721 	__le32 sta_addr_lo32;
1722 	__le16 sta_addr_hi16;
1723 	__le16 reserved;
1724 
1725 	/* Index of recipient (BA-sending) station in uCode's station table */
1726 	u8 sta_id;
1727 	u8 tid;
1728 	__le16 seq_ctl;
1729 	__le64 bitmap;
1730 	__le16 scd_flow;
1731 	__le16 scd_ssn;
1732 } __packed;
1733 
1734 /*
1735  * C_TX_PWR_TBL = 0x97 (command, has simple generic response)
1736  *
1737  * See details under "TXPOWER" in 4965.h.
1738  */
1739 
1740 struct il3945_txpowertable_cmd {
1741 	u8 band;		/* 0: 5 GHz, 1: 2.4 GHz */
1742 	u8 reserved;
1743 	__le16 channel;
1744 	struct il3945_power_per_rate power[IL_MAX_RATES];
1745 } __packed;
1746 
1747 struct il4965_txpowertable_cmd {
1748 	u8 band;		/* 0: 5 GHz, 1: 2.4 GHz */
1749 	u8 reserved;
1750 	__le16 channel;
1751 	struct il4965_tx_power_db tx_power;
1752 } __packed;
1753 
1754 /**
1755  * struct il3945_rate_scaling_cmd - Rate Scaling Command & Response
1756  *
1757  * C_RATE_SCALE = 0x47 (command, has simple generic response)
1758  *
1759  * NOTE: The table of rates passed to the uCode via the
1760  * RATE_SCALE command sets up the corresponding order of
1761  * rates used for all related commands, including rate
1762  * masks, etc.
1763  *
1764  * For example, if you set 9MB (PLCP 0x0f) as the first
1765  * rate in the rate table, the bit mask for that rate
1766  * when passed through ofdm_basic_rates on the C_RXON
1767  * command would be bit 0 (1 << 0)
1768  */
1769 struct il3945_rate_scaling_info {
1770 	__le16 rate_n_flags;
1771 	u8 try_cnt;
1772 	u8 next_rate_idx;
1773 } __packed;
1774 
1775 struct il3945_rate_scaling_cmd {
1776 	u8 table_id;
1777 	u8 reserved[3];
1778 	struct il3945_rate_scaling_info table[IL_MAX_RATES];
1779 } __packed;
1780 
1781 /*RS_NEW_API: only TLC_RTS remains and moved to bit 0 */
1782 #define  LINK_QUAL_FLAGS_SET_STA_TLC_RTS_MSK	(1 << 0)
1783 
1784 /* # of EDCA prioritized tx fifos */
1785 #define  LINK_QUAL_AC_NUM AC_NUM
1786 
1787 /* # entries in rate scale table to support Tx retries */
1788 #define  LINK_QUAL_MAX_RETRY_NUM 16
1789 
1790 /* Tx antenna selection values */
1791 #define  LINK_QUAL_ANT_A_MSK (1 << 0)
1792 #define  LINK_QUAL_ANT_B_MSK (1 << 1)
1793 #define  LINK_QUAL_ANT_MSK   (LINK_QUAL_ANT_A_MSK|LINK_QUAL_ANT_B_MSK)
1794 
1795 /**
1796  * struct il_link_qual_general_params
1797  *
1798  * Used in C_TX_LINK_QUALITY_CMD
1799  */
1800 struct il_link_qual_general_params {
1801 	u8 flags;
1802 
1803 	/* No entries at or above this (driver chosen) idx contain MIMO */
1804 	u8 mimo_delimiter;
1805 
1806 	/* Best single antenna to use for single stream (legacy, SISO). */
1807 	u8 single_stream_ant_msk;	/* LINK_QUAL_ANT_* */
1808 
1809 	/* Best antennas to use for MIMO (unused for 4965, assumes both). */
1810 	u8 dual_stream_ant_msk;	/* LINK_QUAL_ANT_* */
1811 
1812 	/*
1813 	 * If driver needs to use different initial rates for different
1814 	 * EDCA QOS access categories (as implemented by tx fifos 0-3),
1815 	 * this table will set that up, by indicating the idxes in the
1816 	 * rs_table[LINK_QUAL_MAX_RETRY_NUM] rate table at which to start.
1817 	 * Otherwise, driver should set all entries to 0.
1818 	 *
1819 	 * Entry usage:
1820 	 * 0 = Background, 1 = Best Effort (normal), 2 = Video, 3 = Voice
1821 	 * TX FIFOs above 3 use same value (typically 0) as TX FIFO 3.
1822 	 */
1823 	u8 start_rate_idx[LINK_QUAL_AC_NUM];
1824 } __packed;
1825 
1826 #define LINK_QUAL_AGG_TIME_LIMIT_DEF	(4000)	/* 4 milliseconds */
1827 #define LINK_QUAL_AGG_TIME_LIMIT_MAX	(8000)
1828 #define LINK_QUAL_AGG_TIME_LIMIT_MIN	(100)
1829 
1830 #define LINK_QUAL_AGG_DISABLE_START_DEF	(3)
1831 #define LINK_QUAL_AGG_DISABLE_START_MAX	(255)
1832 #define LINK_QUAL_AGG_DISABLE_START_MIN	(0)
1833 
1834 #define LINK_QUAL_AGG_FRAME_LIMIT_DEF	(31)
1835 #define LINK_QUAL_AGG_FRAME_LIMIT_MAX	(63)
1836 #define LINK_QUAL_AGG_FRAME_LIMIT_MIN	(0)
1837 
1838 /**
1839  * struct il_link_qual_agg_params
1840  *
1841  * Used in C_TX_LINK_QUALITY_CMD
1842  */
1843 struct il_link_qual_agg_params {
1844 
1845 	/*
1846 	 *Maximum number of uSec in aggregation.
1847 	 * default set to 4000 (4 milliseconds) if not configured in .cfg
1848 	 */
1849 	__le16 agg_time_limit;
1850 
1851 	/*
1852 	 * Number of Tx retries allowed for a frame, before that frame will
1853 	 * no longer be considered for the start of an aggregation sequence
1854 	 * (scheduler will then try to tx it as single frame).
1855 	 * Driver should set this to 3.
1856 	 */
1857 	u8 agg_dis_start_th;
1858 
1859 	/*
1860 	 * Maximum number of frames in aggregation.
1861 	 * 0 = no limit (default).  1 = no aggregation.
1862 	 * Other values = max # frames in aggregation.
1863 	 */
1864 	u8 agg_frame_cnt_limit;
1865 
1866 	__le32 reserved;
1867 } __packed;
1868 
1869 /*
1870  * C_TX_LINK_QUALITY_CMD = 0x4e (command, has simple generic response)
1871  *
1872  * For 4965 devices only; 3945 uses C_RATE_SCALE.
1873  *
1874  * Each station in the 4965 device's internal station table has its own table
1875  * of 16
1876  * Tx rates and modulation modes (e.g. legacy/SISO/MIMO) for retrying Tx when
1877  * an ACK is not received.  This command replaces the entire table for
1878  * one station.
1879  *
1880  * NOTE:  Station must already be in 4965 device's station table.
1881  *	  Use C_ADD_STA.
1882  *
1883  * The rate scaling procedures described below work well.  Of course, other
1884  * procedures are possible, and may work better for particular environments.
1885  *
1886  *
1887  * FILLING THE RATE TBL
1888  *
1889  * Given a particular initial rate and mode, as determined by the rate
1890  * scaling algorithm described below, the Linux driver uses the following
1891  * formula to fill the rs_table[LINK_QUAL_MAX_RETRY_NUM] rate table in the
1892  * Link Quality command:
1893  *
1894  *
1895  * 1)  If using High-throughput (HT) (SISO or MIMO) initial rate:
1896  *     a) Use this same initial rate for first 3 entries.
1897  *     b) Find next lower available rate using same mode (SISO or MIMO),
1898  *        use for next 3 entries.  If no lower rate available, switch to
1899  *        legacy mode (no HT40 channel, no MIMO, no short guard interval).
1900  *     c) If using MIMO, set command's mimo_delimiter to number of entries
1901  *        using MIMO (3 or 6).
1902  *     d) After trying 2 HT rates, switch to legacy mode (no HT40 channel,
1903  *        no MIMO, no short guard interval), at the next lower bit rate
1904  *        (e.g. if second HT bit rate was 54, try 48 legacy), and follow
1905  *        legacy procedure for remaining table entries.
1906  *
1907  * 2)  If using legacy initial rate:
1908  *     a) Use the initial rate for only one entry.
1909  *     b) For each following entry, reduce the rate to next lower available
1910  *        rate, until reaching the lowest available rate.
1911  *     c) When reducing rate, also switch antenna selection.
1912  *     d) Once lowest available rate is reached, repeat this rate until
1913  *        rate table is filled (16 entries), switching antenna each entry.
1914  *
1915  *
1916  * ACCUMULATING HISTORY
1917  *
1918  * The rate scaling algorithm for 4965 devices, as implemented in Linux driver,
1919  * uses two sets of frame Tx success history:  One for the current/active
1920  * modulation mode, and one for a speculative/search mode that is being
1921  * attempted. If the speculative mode turns out to be more effective (i.e.
1922  * actual transfer rate is better), then the driver continues to use the
1923  * speculative mode as the new current active mode.
1924  *
1925  * Each history set contains, separately for each possible rate, data for a
1926  * sliding win of the 62 most recent tx attempts at that rate.  The data
1927  * includes a shifting bitmap of success(1)/failure(0), and sums of successful
1928  * and attempted frames, from which the driver can additionally calculate a
1929  * success ratio (success / attempted) and number of failures
1930  * (attempted - success), and control the size of the win (attempted).
1931  * The driver uses the bit map to remove successes from the success sum, as
1932  * the oldest tx attempts fall out of the win.
1933  *
1934  * When the 4965 device makes multiple tx attempts for a given frame, each
1935  * attempt might be at a different rate, and have different modulation
1936  * characteristics (e.g. antenna, fat channel, short guard interval), as set
1937  * up in the rate scaling table in the Link Quality command.  The driver must
1938  * determine which rate table entry was used for each tx attempt, to determine
1939  * which rate-specific history to update, and record only those attempts that
1940  * match the modulation characteristics of the history set.
1941  *
1942  * When using block-ack (aggregation), all frames are transmitted at the same
1943  * rate, since there is no per-attempt acknowledgment from the destination
1944  * station.  The Tx response struct il_tx_resp indicates the Tx rate in
1945  * rate_n_flags field.  After receiving a block-ack, the driver can update
1946  * history for the entire block all at once.
1947  *
1948  *
1949  * FINDING BEST STARTING RATE:
1950  *
1951  * When working with a selected initial modulation mode (see below), the
1952  * driver attempts to find a best initial rate.  The initial rate is the
1953  * first entry in the Link Quality command's rate table.
1954  *
1955  * 1)  Calculate actual throughput (success ratio * expected throughput, see
1956  *     table below) for current initial rate.  Do this only if enough frames
1957  *     have been attempted to make the value meaningful:  at least 6 failed
1958  *     tx attempts, or at least 8 successes.  If not enough, don't try rate
1959  *     scaling yet.
1960  *
1961  * 2)  Find available rates adjacent to current initial rate.  Available means:
1962  *     a)  supported by hardware &&
1963  *     b)  supported by association &&
1964  *     c)  within any constraints selected by user
1965  *
1966  * 3)  Gather measured throughputs for adjacent rates.  These might not have
1967  *     enough history to calculate a throughput.  That's okay, we might try
1968  *     using one of them anyway!
1969  *
1970  * 4)  Try decreasing rate if, for current rate:
1971  *     a)  success ratio is < 15% ||
1972  *     b)  lower adjacent rate has better measured throughput ||
1973  *     c)  higher adjacent rate has worse throughput, and lower is unmeasured
1974  *
1975  *     As a sanity check, if decrease was determined above, leave rate
1976  *     unchanged if:
1977  *     a)  lower rate unavailable
1978  *     b)  success ratio at current rate > 85% (very good)
1979  *     c)  current measured throughput is better than expected throughput
1980  *         of lower rate (under perfect 100% tx conditions, see table below)
1981  *
1982  * 5)  Try increasing rate if, for current rate:
1983  *     a)  success ratio is < 15% ||
1984  *     b)  both adjacent rates' throughputs are unmeasured (try it!) ||
1985  *     b)  higher adjacent rate has better measured throughput ||
1986  *     c)  lower adjacent rate has worse throughput, and higher is unmeasured
1987  *
1988  *     As a sanity check, if increase was determined above, leave rate
1989  *     unchanged if:
1990  *     a)  success ratio at current rate < 70%.  This is not particularly
1991  *         good performance; higher rate is sure to have poorer success.
1992  *
1993  * 6)  Re-evaluate the rate after each tx frame.  If working with block-
1994  *     acknowledge, history and stats may be calculated for the entire
1995  *     block (including prior history that fits within the history wins),
1996  *     before re-evaluation.
1997  *
1998  * FINDING BEST STARTING MODULATION MODE:
1999  *
2000  * After working with a modulation mode for a "while" (and doing rate scaling),
2001  * the driver searches for a new initial mode in an attempt to improve
2002  * throughput.  The "while" is measured by numbers of attempted frames:
2003  *
2004  * For legacy mode, search for new mode after:
2005  *   480 successful frames, or 160 failed frames
2006  * For high-throughput modes (SISO or MIMO), search for new mode after:
2007  *   4500 successful frames, or 400 failed frames
2008  *
2009  * Mode switch possibilities are (3 for each mode):
2010  *
2011  * For legacy:
2012  *   Change antenna, try SISO (if HT association), try MIMO (if HT association)
2013  * For SISO:
2014  *   Change antenna, try MIMO, try shortened guard interval (SGI)
2015  * For MIMO:
2016  *   Try SISO antenna A, SISO antenna B, try shortened guard interval (SGI)
2017  *
2018  * When trying a new mode, use the same bit rate as the old/current mode when
2019  * trying antenna switches and shortened guard interval.  When switching to
2020  * SISO from MIMO or legacy, or to MIMO from SISO or legacy, use a rate
2021  * for which the expected throughput (under perfect conditions) is about the
2022  * same or slightly better than the actual measured throughput delivered by
2023  * the old/current mode.
2024  *
2025  * Actual throughput can be estimated by multiplying the expected throughput
2026  * by the success ratio (successful / attempted tx frames).  Frame size is
2027  * not considered in this calculation; it assumes that frame size will average
2028  * out to be fairly consistent over several samples.  The following are
2029  * metric values for expected throughput assuming 100% success ratio.
2030  * Only G band has support for CCK rates:
2031  *
2032  *           RATE:  1    2    5   11    6   9   12   18   24   36   48   54   60
2033  *
2034  *              G:  7   13   35   58   40  57   72   98  121  154  177  186  186
2035  *              A:  0    0    0    0   40  57   72   98  121  154  177  186  186
2036  *     SISO 20MHz:  0    0    0    0   42  42   76  102  124  159  183  193  202
2037  * SGI SISO 20MHz:  0    0    0    0   46  46   82  110  132  168  192  202  211
2038  *     MIMO 20MHz:  0    0    0    0   74  74  123  155  179  214  236  244  251
2039  * SGI MIMO 20MHz:  0    0    0    0   81  81  131  164  188  222  243  251  257
2040  *     SISO 40MHz:  0    0    0    0   77  77  127  160  184  220  242  250  257
2041  * SGI SISO 40MHz:  0    0    0    0   83  83  135  169  193  229  250  257  264
2042  *     MIMO 40MHz:  0    0    0    0  123 123  182  214  235  264  279  285  289
2043  * SGI MIMO 40MHz:  0    0    0    0  131 131  191  222  242  270  284  289  293
2044  *
2045  * After the new mode has been tried for a short while (minimum of 6 failed
2046  * frames or 8 successful frames), compare success ratio and actual throughput
2047  * estimate of the new mode with the old.  If either is better with the new
2048  * mode, continue to use the new mode.
2049  *
2050  * Continue comparing modes until all 3 possibilities have been tried.
2051  * If moving from legacy to HT, try all 3 possibilities from the new HT
2052  * mode.  After trying all 3, a best mode is found.  Continue to use this mode
2053  * for the longer "while" described above (e.g. 480 successful frames for
2054  * legacy), and then repeat the search process.
2055  *
2056  */
2057 struct il_link_quality_cmd {
2058 
2059 	/* Index of destination/recipient station in uCode's station table */
2060 	u8 sta_id;
2061 	u8 reserved1;
2062 	__le16 control;		/* not used */
2063 	struct il_link_qual_general_params general_params;
2064 	struct il_link_qual_agg_params agg_params;
2065 
2066 	/*
2067 	 * Rate info; when using rate-scaling, Tx command's initial_rate_idx
2068 	 * specifies 1st Tx rate attempted, via idx into this table.
2069 	 * 4965 devices works its way through table when retrying Tx.
2070 	 */
2071 	struct {
2072 		__le32 rate_n_flags;	/* RATE_MCS_*, RATE_* */
2073 	} rs_table[LINK_QUAL_MAX_RETRY_NUM];
2074 	__le32 reserved2;
2075 } __packed;
2076 
2077 /*
2078  * BT configuration enable flags:
2079  *   bit 0 - 1: BT channel announcement enabled
2080  *           0: disable
2081  *   bit 1 - 1: priority of BT device enabled
2082  *           0: disable
2083  */
2084 #define BT_COEX_DISABLE (0x0)
2085 #define BT_ENABLE_CHANNEL_ANNOUNCE BIT(0)
2086 #define BT_ENABLE_PRIORITY	   BIT(1)
2087 
2088 #define BT_COEX_ENABLE  (BT_ENABLE_CHANNEL_ANNOUNCE | BT_ENABLE_PRIORITY)
2089 
2090 #define BT_LEAD_TIME_DEF (0x1E)
2091 
2092 #define BT_MAX_KILL_DEF (0x5)
2093 
2094 /*
2095  * C_BT_CONFIG = 0x9b (command, has simple generic response)
2096  *
2097  * 3945 and 4965 devices support hardware handshake with Bluetooth device on
2098  * same platform.  Bluetooth device alerts wireless device when it will Tx;
2099  * wireless device can delay or kill its own Tx to accommodate.
2100  */
2101 struct il_bt_cmd {
2102 	u8 flags;
2103 	u8 lead_time;
2104 	u8 max_kill;
2105 	u8 reserved;
2106 	__le32 kill_ack_mask;
2107 	__le32 kill_cts_mask;
2108 } __packed;
2109 
2110 /******************************************************************************
2111  * (6)
2112  * Spectrum Management (802.11h) Commands, Responses, Notifications:
2113  *
2114  *****************************************************************************/
2115 
2116 /*
2117  * Spectrum Management
2118  */
2119 #define MEASUREMENT_FILTER_FLAG (RXON_FILTER_PROMISC_MSK         | \
2120 				 RXON_FILTER_CTL2HOST_MSK        | \
2121 				 RXON_FILTER_ACCEPT_GRP_MSK      | \
2122 				 RXON_FILTER_DIS_DECRYPT_MSK     | \
2123 				 RXON_FILTER_DIS_GRP_DECRYPT_MSK | \
2124 				 RXON_FILTER_ASSOC_MSK           | \
2125 				 RXON_FILTER_BCON_AWARE_MSK)
2126 
2127 struct il_measure_channel {
2128 	__le32 duration;	/* measurement duration in extended beacon
2129 				 * format */
2130 	u8 channel;		/* channel to measure */
2131 	u8 type;		/* see enum il_measure_type */
2132 	__le16 reserved;
2133 } __packed;
2134 
2135 /*
2136  * C_SPECTRUM_MEASUREMENT = 0x74 (command)
2137  */
2138 struct il_spectrum_cmd {
2139 	__le16 len;		/* number of bytes starting from token */
2140 	u8 token;		/* token id */
2141 	u8 id;			/* measurement id -- 0 or 1 */
2142 	u8 origin;		/* 0 = TGh, 1 = other, 2 = TGk */
2143 	u8 periodic;		/* 1 = periodic */
2144 	__le16 path_loss_timeout;
2145 	__le32 start_time;	/* start time in extended beacon format */
2146 	__le32 reserved2;
2147 	__le32 flags;		/* rxon flags */
2148 	__le32 filter_flags;	/* rxon filter flags */
2149 	__le16 channel_count;	/* minimum 1, maximum 10 */
2150 	__le16 reserved3;
2151 	struct il_measure_channel channels[10];
2152 } __packed;
2153 
2154 /*
2155  * C_SPECTRUM_MEASUREMENT = 0x74 (response)
2156  */
2157 struct il_spectrum_resp {
2158 	u8 token;
2159 	u8 id;			/* id of the prior command replaced, or 0xff */
2160 	__le16 status;		/* 0 - command will be handled
2161 				 * 1 - cannot handle (conflicts with another
2162 				 *     measurement) */
2163 } __packed;
2164 
2165 enum il_measurement_state {
2166 	IL_MEASUREMENT_START = 0,
2167 	IL_MEASUREMENT_STOP = 1,
2168 };
2169 
2170 enum il_measurement_status {
2171 	IL_MEASUREMENT_OK = 0,
2172 	IL_MEASUREMENT_CONCURRENT = 1,
2173 	IL_MEASUREMENT_CSA_CONFLICT = 2,
2174 	IL_MEASUREMENT_TGH_CONFLICT = 3,
2175 	/* 4-5 reserved */
2176 	IL_MEASUREMENT_STOPPED = 6,
2177 	IL_MEASUREMENT_TIMEOUT = 7,
2178 	IL_MEASUREMENT_PERIODIC_FAILED = 8,
2179 };
2180 
2181 #define NUM_ELEMENTS_IN_HISTOGRAM 8
2182 
2183 struct il_measurement_histogram {
2184 	__le32 ofdm[NUM_ELEMENTS_IN_HISTOGRAM];	/* in 0.8usec counts */
2185 	__le32 cck[NUM_ELEMENTS_IN_HISTOGRAM];	/* in 1usec counts */
2186 } __packed;
2187 
2188 /* clear channel availability counters */
2189 struct il_measurement_cca_counters {
2190 	__le32 ofdm;
2191 	__le32 cck;
2192 } __packed;
2193 
2194 enum il_measure_type {
2195 	IL_MEASURE_BASIC = (1 << 0),
2196 	IL_MEASURE_CHANNEL_LOAD = (1 << 1),
2197 	IL_MEASURE_HISTOGRAM_RPI = (1 << 2),
2198 	IL_MEASURE_HISTOGRAM_NOISE = (1 << 3),
2199 	IL_MEASURE_FRAME = (1 << 4),
2200 	/* bits 5:6 are reserved */
2201 	IL_MEASURE_IDLE = (1 << 7),
2202 };
2203 
2204 /*
2205  * N_SPECTRUM_MEASUREMENT = 0x75 (notification only, not a command)
2206  */
2207 struct il_spectrum_notification {
2208 	u8 id;			/* measurement id -- 0 or 1 */
2209 	u8 token;
2210 	u8 channel_idx;		/* idx in measurement channel list */
2211 	u8 state;		/* 0 - start, 1 - stop */
2212 	__le32 start_time;	/* lower 32-bits of TSF */
2213 	u8 band;		/* 0 - 5.2GHz, 1 - 2.4GHz */
2214 	u8 channel;
2215 	u8 type;		/* see enum il_measurement_type */
2216 	u8 reserved1;
2217 	/* NOTE:  cca_ofdm, cca_cck, basic_type, and histogram are only only
2218 	 * valid if applicable for measurement type requested. */
2219 	__le32 cca_ofdm;	/* cca fraction time in 40Mhz clock periods */
2220 	__le32 cca_cck;		/* cca fraction time in 44Mhz clock periods */
2221 	__le32 cca_time;	/* channel load time in usecs */
2222 	u8 basic_type;		/* 0 - bss, 1 - ofdm preamble, 2 -
2223 				 * unidentified */
2224 	u8 reserved2[3];
2225 	struct il_measurement_histogram histogram;
2226 	__le32 stop_time;	/* lower 32-bits of TSF */
2227 	__le32 status;		/* see il_measurement_status */
2228 } __packed;
2229 
2230 /******************************************************************************
2231  * (7)
2232  * Power Management Commands, Responses, Notifications:
2233  *
2234  *****************************************************************************/
2235 
2236 /**
2237  * struct il_powertable_cmd - Power Table Command
2238  * @flags: See below:
2239  *
2240  * C_POWER_TBL = 0x77 (command, has simple generic response)
2241  *
2242  * PM allow:
2243  *   bit 0 - '0' Driver not allow power management
2244  *           '1' Driver allow PM (use rest of parameters)
2245  *
2246  * uCode send sleep notifications:
2247  *   bit 1 - '0' Don't send sleep notification
2248  *           '1' send sleep notification (SEND_PM_NOTIFICATION)
2249  *
2250  * Sleep over DTIM
2251  *   bit 2 - '0' PM have to walk up every DTIM
2252  *           '1' PM could sleep over DTIM till listen Interval.
2253  *
2254  * PCI power managed
2255  *   bit 3 - '0' (PCI_CFG_LINK_CTRL & 0x1)
2256  *           '1' !(PCI_CFG_LINK_CTRL & 0x1)
2257  *
2258  * Fast PD
2259  *   bit 4 - '1' Put radio to sleep when receiving frame for others
2260  *
2261  * Force sleep Modes
2262  *   bit 31/30- '00' use both mac/xtal sleeps
2263  *              '01' force Mac sleep
2264  *              '10' force xtal sleep
2265  *              '11' Illegal set
2266  *
2267  * NOTE: if sleep_interval[SLEEP_INTRVL_TBL_SIZE-1] > DTIM period then
2268  * ucode assume sleep over DTIM is allowed and we don't need to wake up
2269  * for every DTIM.
2270  */
2271 #define IL_POWER_VEC_SIZE 5
2272 
2273 #define IL_POWER_DRIVER_ALLOW_SLEEP_MSK		cpu_to_le16(BIT(0))
2274 #define IL_POWER_SLEEP_OVER_DTIM_MSK		cpu_to_le16(BIT(2))
2275 #define IL_POWER_PCI_PM_MSK			cpu_to_le16(BIT(3))
2276 
2277 struct il3945_powertable_cmd {
2278 	__le16 flags;
2279 	u8 reserved[2];
2280 	__le32 rx_data_timeout;
2281 	__le32 tx_data_timeout;
2282 	__le32 sleep_interval[IL_POWER_VEC_SIZE];
2283 } __packed;
2284 
2285 struct il_powertable_cmd {
2286 	__le16 flags;
2287 	u8 keep_alive_seconds;	/* 3945 reserved */
2288 	u8 debug_flags;		/* 3945 reserved */
2289 	__le32 rx_data_timeout;
2290 	__le32 tx_data_timeout;
2291 	__le32 sleep_interval[IL_POWER_VEC_SIZE];
2292 	__le32 keep_alive_beacons;
2293 } __packed;
2294 
2295 /*
2296  * N_PM_SLEEP = 0x7A (notification only, not a command)
2297  * all devices identical.
2298  */
2299 struct il_sleep_notification {
2300 	u8 pm_sleep_mode;
2301 	u8 pm_wakeup_src;
2302 	__le16 reserved;
2303 	__le32 sleep_time;
2304 	__le32 tsf_low;
2305 	__le32 bcon_timer;
2306 } __packed;
2307 
2308 /* Sleep states.  all devices identical. */
2309 enum {
2310 	IL_PM_NO_SLEEP = 0,
2311 	IL_PM_SLP_MAC = 1,
2312 	IL_PM_SLP_FULL_MAC_UNASSOCIATE = 2,
2313 	IL_PM_SLP_FULL_MAC_CARD_STATE = 3,
2314 	IL_PM_SLP_PHY = 4,
2315 	IL_PM_SLP_REPENT = 5,
2316 	IL_PM_WAKEUP_BY_TIMER = 6,
2317 	IL_PM_WAKEUP_BY_DRIVER = 7,
2318 	IL_PM_WAKEUP_BY_RFKILL = 8,
2319 	/* 3 reserved */
2320 	IL_PM_NUM_OF_MODES = 12,
2321 };
2322 
2323 /*
2324  * N_CARD_STATE = 0xa1 (notification only, not a command)
2325  */
2326 struct il_card_state_notif {
2327 	__le32 flags;
2328 } __packed;
2329 
2330 #define HW_CARD_DISABLED   0x01
2331 #define SW_CARD_DISABLED   0x02
2332 #define CT_CARD_DISABLED   0x04
2333 #define RXON_CARD_DISABLED 0x10
2334 
2335 struct il_ct_kill_config {
2336 	__le32 reserved;
2337 	__le32 critical_temperature_M;
2338 	__le32 critical_temperature_R;
2339 } __packed;
2340 
2341 /******************************************************************************
2342  * (8)
2343  * Scan Commands, Responses, Notifications:
2344  *
2345  *****************************************************************************/
2346 
2347 #define SCAN_CHANNEL_TYPE_PASSIVE cpu_to_le32(0)
2348 #define SCAN_CHANNEL_TYPE_ACTIVE  cpu_to_le32(1)
2349 
2350 /**
2351  * struct il_scan_channel - entry in C_SCAN channel table
2352  *
2353  * One for each channel in the scan list.
2354  * Each channel can independently select:
2355  * 1)  SSID for directed active scans
2356  * 2)  Txpower setting (for rate specified within Tx command)
2357  * 3)  How long to stay on-channel (behavior may be modified by quiet_time,
2358  *     quiet_plcp_th, good_CRC_th)
2359  *
2360  * To avoid uCode errors, make sure the following are true (see comments
2361  * under struct il_scan_cmd about max_out_time and quiet_time):
2362  * 1)  If using passive_dwell (i.e. passive_dwell != 0):
2363  *     active_dwell <= passive_dwell (< max_out_time if max_out_time != 0)
2364  * 2)  quiet_time <= active_dwell
2365  * 3)  If restricting off-channel time (i.e. max_out_time !=0):
2366  *     passive_dwell < max_out_time
2367  *     active_dwell < max_out_time
2368  */
2369 struct il3945_scan_channel {
2370 	/*
2371 	 * type is defined as:
2372 	 * 0:0 1 = active, 0 = passive
2373 	 * 1:4 SSID direct bit map; if a bit is set, then corresponding
2374 	 *     SSID IE is transmitted in probe request.
2375 	 * 5:7 reserved
2376 	 */
2377 	u8 type;
2378 	u8 channel;		/* band is selected by il3945_scan_cmd "flags" field */
2379 	struct il3945_tx_power tpc;
2380 	__le16 active_dwell;	/* in 1024-uSec TU (time units), typ 5-50 */
2381 	__le16 passive_dwell;	/* in 1024-uSec TU (time units), typ 20-500 */
2382 } __packed;
2383 
2384 /* set number of direct probes u8 type */
2385 #define IL39_SCAN_PROBE_MASK(n) ((BIT(n) | (BIT(n) - BIT(1))))
2386 
2387 struct il_scan_channel {
2388 	/*
2389 	 * type is defined as:
2390 	 * 0:0 1 = active, 0 = passive
2391 	 * 1:20 SSID direct bit map; if a bit is set, then corresponding
2392 	 *     SSID IE is transmitted in probe request.
2393 	 * 21:31 reserved
2394 	 */
2395 	__le32 type;
2396 	__le16 channel;		/* band is selected by il_scan_cmd "flags" field */
2397 	u8 tx_gain;		/* gain for analog radio */
2398 	u8 dsp_atten;		/* gain for DSP */
2399 	__le16 active_dwell;	/* in 1024-uSec TU (time units), typ 5-50 */
2400 	__le16 passive_dwell;	/* in 1024-uSec TU (time units), typ 20-500 */
2401 } __packed;
2402 
2403 /* set number of direct probes __le32 type */
2404 #define IL_SCAN_PROBE_MASK(n)	cpu_to_le32((BIT(n) | (BIT(n) - BIT(1))))
2405 
2406 /**
2407  * struct il_ssid_ie - directed scan network information element
2408  *
2409  * Up to 20 of these may appear in C_SCAN (Note: Only 4 are in
2410  * 3945 SCAN api), selected by "type" bit field in struct il_scan_channel;
2411  * each channel may select different ssids from among the 20 (4) entries.
2412  * SSID IEs get transmitted in reverse order of entry.
2413  */
2414 struct il_ssid_ie {
2415 	u8 id;
2416 	u8 len;
2417 	u8 ssid[32];
2418 } __packed;
2419 
2420 #define PROBE_OPTION_MAX_3945		4
2421 #define PROBE_OPTION_MAX		20
2422 #define TX_CMD_LIFE_TIME_INFINITE	cpu_to_le32(0xFFFFFFFF)
2423 #define IL_GOOD_CRC_TH_DISABLED	0
2424 #define IL_GOOD_CRC_TH_DEFAULT		cpu_to_le16(1)
2425 #define IL_GOOD_CRC_TH_NEVER		cpu_to_le16(0xffff)
2426 #define IL_MAX_SCAN_SIZE 1024
2427 #define IL_MAX_CMD_SIZE 4096
2428 
2429 /*
2430  * C_SCAN = 0x80 (command)
2431  *
2432  * The hardware scan command is very powerful; the driver can set it up to
2433  * maintain (relatively) normal network traffic while doing a scan in the
2434  * background.  The max_out_time and suspend_time control the ratio of how
2435  * long the device stays on an associated network channel ("service channel")
2436  * vs. how long it's away from the service channel, i.e. tuned to other channels
2437  * for scanning.
2438  *
2439  * max_out_time is the max time off-channel (in usec), and suspend_time
2440  * is how long (in "extended beacon" format) that the scan is "suspended"
2441  * after returning to the service channel.  That is, suspend_time is the
2442  * time that we stay on the service channel, doing normal work, between
2443  * scan segments.  The driver may set these parameters differently to support
2444  * scanning when associated vs. not associated, and light vs. heavy traffic
2445  * loads when associated.
2446  *
2447  * After receiving this command, the device's scan engine does the following;
2448  *
2449  * 1)  Sends SCAN_START notification to driver
2450  * 2)  Checks to see if it has time to do scan for one channel
2451  * 3)  Sends NULL packet, with power-save (PS) bit set to 1,
2452  *     to tell AP that we're going off-channel
2453  * 4)  Tunes to first channel in scan list, does active or passive scan
2454  * 5)  Sends SCAN_RESULT notification to driver
2455  * 6)  Checks to see if it has time to do scan on *next* channel in list
2456  * 7)  Repeats 4-6 until it no longer has time to scan the next channel
2457  *     before max_out_time expires
2458  * 8)  Returns to service channel
2459  * 9)  Sends NULL packet with PS=0 to tell AP that we're back
2460  * 10) Stays on service channel until suspend_time expires
2461  * 11) Repeats entire process 2-10 until list is complete
2462  * 12) Sends SCAN_COMPLETE notification
2463  *
2464  * For fast, efficient scans, the scan command also has support for staying on
2465  * a channel for just a short time, if doing active scanning and getting no
2466  * responses to the transmitted probe request.  This time is controlled by
2467  * quiet_time, and the number of received packets below which a channel is
2468  * considered "quiet" is controlled by quiet_plcp_threshold.
2469  *
2470  * For active scanning on channels that have regulatory restrictions against
2471  * blindly transmitting, the scan can listen before transmitting, to make sure
2472  * that there is already legitimate activity on the channel.  If enough
2473  * packets are cleanly received on the channel (controlled by good_CRC_th,
2474  * typical value 1), the scan engine starts transmitting probe requests.
2475  *
2476  * Driver must use separate scan commands for 2.4 vs. 5 GHz bands.
2477  *
2478  * To avoid uCode errors, see timing restrictions described under
2479  * struct il_scan_channel.
2480  */
2481 
2482 struct il3945_scan_cmd {
2483 	__le16 len;
2484 	u8 reserved0;
2485 	u8 channel_count;	/* # channels in channel list */
2486 	__le16 quiet_time;	/* dwell only this # millisecs on quiet channel
2487 				 * (only for active scan) */
2488 	__le16 quiet_plcp_th;	/* quiet chnl is < this # pkts (typ. 1) */
2489 	__le16 good_CRC_th;	/* passive -> active promotion threshold */
2490 	__le16 reserved1;
2491 	__le32 max_out_time;	/* max usec to be away from associated (service)
2492 				 * channel */
2493 	__le32 suspend_time;	/* pause scan this long (in "extended beacon
2494 				 * format") when returning to service channel:
2495 				 * 3945; 31:24 # beacons, 19:0 additional usec,
2496 				 * 4965; 31:22 # beacons, 21:0 additional usec.
2497 				 */
2498 	__le32 flags;		/* RXON_FLG_* */
2499 	__le32 filter_flags;	/* RXON_FILTER_* */
2500 
2501 	/* For active scans (set to all-0s for passive scans).
2502 	 * Does not include payload.  Must specify Tx rate; no rate scaling. */
2503 	struct il3945_tx_cmd tx_cmd;
2504 
2505 	/* For directed active scans (set to all-0s otherwise) */
2506 	struct il_ssid_ie direct_scan[PROBE_OPTION_MAX_3945];
2507 
2508 	/*
2509 	 * Probe request frame, followed by channel list.
2510 	 *
2511 	 * Size of probe request frame is specified by byte count in tx_cmd.
2512 	 * Channel list follows immediately after probe request frame.
2513 	 * Number of channels in list is specified by channel_count.
2514 	 * Each channel in list is of type:
2515 	 *
2516 	 * struct il3945_scan_channel channels[0];
2517 	 *
2518 	 * NOTE:  Only one band of channels can be scanned per pass.  You
2519 	 * must not mix 2.4GHz channels and 5.2GHz channels, and you must wait
2520 	 * for one scan to complete (i.e. receive N_SCAN_COMPLETE)
2521 	 * before requesting another scan.
2522 	 */
2523 	u8 data[0];
2524 } __packed;
2525 
2526 struct il_scan_cmd {
2527 	__le16 len;
2528 	u8 reserved0;
2529 	u8 channel_count;	/* # channels in channel list */
2530 	__le16 quiet_time;	/* dwell only this # millisecs on quiet channel
2531 				 * (only for active scan) */
2532 	__le16 quiet_plcp_th;	/* quiet chnl is < this # pkts (typ. 1) */
2533 	__le16 good_CRC_th;	/* passive -> active promotion threshold */
2534 	__le16 rx_chain;	/* RXON_RX_CHAIN_* */
2535 	__le32 max_out_time;	/* max usec to be away from associated (service)
2536 				 * channel */
2537 	__le32 suspend_time;	/* pause scan this long (in "extended beacon
2538 				 * format") when returning to service chnl:
2539 				 * 3945; 31:24 # beacons, 19:0 additional usec,
2540 				 * 4965; 31:22 # beacons, 21:0 additional usec.
2541 				 */
2542 	__le32 flags;		/* RXON_FLG_* */
2543 	__le32 filter_flags;	/* RXON_FILTER_* */
2544 
2545 	/* For active scans (set to all-0s for passive scans).
2546 	 * Does not include payload.  Must specify Tx rate; no rate scaling. */
2547 	struct il_tx_cmd tx_cmd;
2548 
2549 	/* For directed active scans (set to all-0s otherwise) */
2550 	struct il_ssid_ie direct_scan[PROBE_OPTION_MAX];
2551 
2552 	/*
2553 	 * Probe request frame, followed by channel list.
2554 	 *
2555 	 * Size of probe request frame is specified by byte count in tx_cmd.
2556 	 * Channel list follows immediately after probe request frame.
2557 	 * Number of channels in list is specified by channel_count.
2558 	 * Each channel in list is of type:
2559 	 *
2560 	 * struct il_scan_channel channels[0];
2561 	 *
2562 	 * NOTE:  Only one band of channels can be scanned per pass.  You
2563 	 * must not mix 2.4GHz channels and 5.2GHz channels, and you must wait
2564 	 * for one scan to complete (i.e. receive N_SCAN_COMPLETE)
2565 	 * before requesting another scan.
2566 	 */
2567 	u8 data[0];
2568 } __packed;
2569 
2570 /* Can abort will notify by complete notification with abort status. */
2571 #define CAN_ABORT_STATUS	cpu_to_le32(0x1)
2572 /* complete notification statuses */
2573 #define ABORT_STATUS            0x2
2574 
2575 /*
2576  * C_SCAN = 0x80 (response)
2577  */
2578 struct il_scanreq_notification {
2579 	__le32 status;		/* 1: okay, 2: cannot fulfill request */
2580 } __packed;
2581 
2582 /*
2583  * N_SCAN_START = 0x82 (notification only, not a command)
2584  */
2585 struct il_scanstart_notification {
2586 	__le32 tsf_low;
2587 	__le32 tsf_high;
2588 	__le32 beacon_timer;
2589 	u8 channel;
2590 	u8 band;
2591 	u8 reserved[2];
2592 	__le32 status;
2593 } __packed;
2594 
2595 #define  SCAN_OWNER_STATUS 0x1
2596 #define  MEASURE_OWNER_STATUS 0x2
2597 
2598 #define IL_PROBE_STATUS_OK		0
2599 #define IL_PROBE_STATUS_TX_FAILED	BIT(0)
2600 /* error statuses combined with TX_FAILED */
2601 #define IL_PROBE_STATUS_FAIL_TTL	BIT(1)
2602 #define IL_PROBE_STATUS_FAIL_BT	BIT(2)
2603 
2604 #define NUMBER_OF_STATS 1	/* first __le32 is good CRC */
2605 /*
2606  * N_SCAN_RESULTS = 0x83 (notification only, not a command)
2607  */
2608 struct il_scanresults_notification {
2609 	u8 channel;
2610 	u8 band;
2611 	u8 probe_status;
2612 	u8 num_probe_not_sent;	/* not enough time to send */
2613 	__le32 tsf_low;
2614 	__le32 tsf_high;
2615 	__le32 stats[NUMBER_OF_STATS];
2616 } __packed;
2617 
2618 /*
2619  * N_SCAN_COMPLETE = 0x84 (notification only, not a command)
2620  */
2621 struct il_scancomplete_notification {
2622 	u8 scanned_channels;
2623 	u8 status;
2624 	u8 last_channel;
2625 	__le32 tsf_low;
2626 	__le32 tsf_high;
2627 } __packed;
2628 
2629 /******************************************************************************
2630  * (9)
2631  * IBSS/AP Commands and Notifications:
2632  *
2633  *****************************************************************************/
2634 
2635 enum il_ibss_manager {
2636 	IL_NOT_IBSS_MANAGER = 0,
2637 	IL_IBSS_MANAGER = 1,
2638 };
2639 
2640 /*
2641  * N_BEACON = 0x90 (notification only, not a command)
2642  */
2643 
2644 struct il3945_beacon_notif {
2645 	struct il3945_tx_resp beacon_notify_hdr;
2646 	__le32 low_tsf;
2647 	__le32 high_tsf;
2648 	__le32 ibss_mgr_status;
2649 } __packed;
2650 
2651 struct il4965_beacon_notif {
2652 	struct il4965_tx_resp beacon_notify_hdr;
2653 	__le32 low_tsf;
2654 	__le32 high_tsf;
2655 	__le32 ibss_mgr_status;
2656 } __packed;
2657 
2658 /*
2659  * C_TX_BEACON= 0x91 (command, has simple generic response)
2660  */
2661 
2662 struct il3945_tx_beacon_cmd {
2663 	struct il3945_tx_cmd tx;
2664 	__le16 tim_idx;
2665 	u8 tim_size;
2666 	u8 reserved1;
2667 	struct ieee80211_hdr frame[0];	/* beacon frame */
2668 } __packed;
2669 
2670 struct il_tx_beacon_cmd {
2671 	struct il_tx_cmd tx;
2672 	__le16 tim_idx;
2673 	u8 tim_size;
2674 	u8 reserved1;
2675 	struct ieee80211_hdr frame[0];	/* beacon frame */
2676 } __packed;
2677 
2678 /******************************************************************************
2679  * (10)
2680  * Statistics Commands and Notifications:
2681  *
2682  *****************************************************************************/
2683 
2684 #define IL_TEMP_CONVERT 260
2685 
2686 #define SUP_RATE_11A_MAX_NUM_CHANNELS  8
2687 #define SUP_RATE_11B_MAX_NUM_CHANNELS  4
2688 #define SUP_RATE_11G_MAX_NUM_CHANNELS  12
2689 
2690 /* Used for passing to driver number of successes and failures per rate */
2691 struct rate_histogram {
2692 	union {
2693 		__le32 a[SUP_RATE_11A_MAX_NUM_CHANNELS];
2694 		__le32 b[SUP_RATE_11B_MAX_NUM_CHANNELS];
2695 		__le32 g[SUP_RATE_11G_MAX_NUM_CHANNELS];
2696 	} success;
2697 	union {
2698 		__le32 a[SUP_RATE_11A_MAX_NUM_CHANNELS];
2699 		__le32 b[SUP_RATE_11B_MAX_NUM_CHANNELS];
2700 		__le32 g[SUP_RATE_11G_MAX_NUM_CHANNELS];
2701 	} failed;
2702 } __packed;
2703 
2704 /* stats command response */
2705 
2706 struct iwl39_stats_rx_phy {
2707 	__le32 ina_cnt;
2708 	__le32 fina_cnt;
2709 	__le32 plcp_err;
2710 	__le32 crc32_err;
2711 	__le32 overrun_err;
2712 	__le32 early_overrun_err;
2713 	__le32 crc32_good;
2714 	__le32 false_alarm_cnt;
2715 	__le32 fina_sync_err_cnt;
2716 	__le32 sfd_timeout;
2717 	__le32 fina_timeout;
2718 	__le32 unresponded_rts;
2719 	__le32 rxe_frame_limit_overrun;
2720 	__le32 sent_ack_cnt;
2721 	__le32 sent_cts_cnt;
2722 } __packed;
2723 
2724 struct iwl39_stats_rx_non_phy {
2725 	__le32 bogus_cts;	/* CTS received when not expecting CTS */
2726 	__le32 bogus_ack;	/* ACK received when not expecting ACK */
2727 	__le32 non_bssid_frames;	/* number of frames with BSSID that
2728 					 * doesn't belong to the STA BSSID */
2729 	__le32 filtered_frames;	/* count frames that were dumped in the
2730 				 * filtering process */
2731 	__le32 non_channel_beacons;	/* beacons with our bss id but not on
2732 					 * our serving channel */
2733 } __packed;
2734 
2735 struct iwl39_stats_rx {
2736 	struct iwl39_stats_rx_phy ofdm;
2737 	struct iwl39_stats_rx_phy cck;
2738 	struct iwl39_stats_rx_non_phy general;
2739 } __packed;
2740 
2741 struct iwl39_stats_tx {
2742 	__le32 preamble_cnt;
2743 	__le32 rx_detected_cnt;
2744 	__le32 bt_prio_defer_cnt;
2745 	__le32 bt_prio_kill_cnt;
2746 	__le32 few_bytes_cnt;
2747 	__le32 cts_timeout;
2748 	__le32 ack_timeout;
2749 	__le32 expected_ack_cnt;
2750 	__le32 actual_ack_cnt;
2751 } __packed;
2752 
2753 struct stats_dbg {
2754 	__le32 burst_check;
2755 	__le32 burst_count;
2756 	__le32 wait_for_silence_timeout_cnt;
2757 	__le32 reserved[3];
2758 } __packed;
2759 
2760 struct iwl39_stats_div {
2761 	__le32 tx_on_a;
2762 	__le32 tx_on_b;
2763 	__le32 exec_time;
2764 	__le32 probe_time;
2765 } __packed;
2766 
2767 struct iwl39_stats_general {
2768 	__le32 temperature;
2769 	struct stats_dbg dbg;
2770 	__le32 sleep_time;
2771 	__le32 slots_out;
2772 	__le32 slots_idle;
2773 	__le32 ttl_timestamp;
2774 	struct iwl39_stats_div div;
2775 } __packed;
2776 
2777 struct stats_rx_phy {
2778 	__le32 ina_cnt;
2779 	__le32 fina_cnt;
2780 	__le32 plcp_err;
2781 	__le32 crc32_err;
2782 	__le32 overrun_err;
2783 	__le32 early_overrun_err;
2784 	__le32 crc32_good;
2785 	__le32 false_alarm_cnt;
2786 	__le32 fina_sync_err_cnt;
2787 	__le32 sfd_timeout;
2788 	__le32 fina_timeout;
2789 	__le32 unresponded_rts;
2790 	__le32 rxe_frame_limit_overrun;
2791 	__le32 sent_ack_cnt;
2792 	__le32 sent_cts_cnt;
2793 	__le32 sent_ba_rsp_cnt;
2794 	__le32 dsp_self_kill;
2795 	__le32 mh_format_err;
2796 	__le32 re_acq_main_rssi_sum;
2797 	__le32 reserved3;
2798 } __packed;
2799 
2800 struct stats_rx_ht_phy {
2801 	__le32 plcp_err;
2802 	__le32 overrun_err;
2803 	__le32 early_overrun_err;
2804 	__le32 crc32_good;
2805 	__le32 crc32_err;
2806 	__le32 mh_format_err;
2807 	__le32 agg_crc32_good;
2808 	__le32 agg_mpdu_cnt;
2809 	__le32 agg_cnt;
2810 	__le32 unsupport_mcs;
2811 } __packed;
2812 
2813 #define INTERFERENCE_DATA_AVAILABLE      cpu_to_le32(1)
2814 
2815 struct stats_rx_non_phy {
2816 	__le32 bogus_cts;	/* CTS received when not expecting CTS */
2817 	__le32 bogus_ack;	/* ACK received when not expecting ACK */
2818 	__le32 non_bssid_frames;	/* number of frames with BSSID that
2819 					 * doesn't belong to the STA BSSID */
2820 	__le32 filtered_frames;	/* count frames that were dumped in the
2821 				 * filtering process */
2822 	__le32 non_channel_beacons;	/* beacons with our bss id but not on
2823 					 * our serving channel */
2824 	__le32 channel_beacons;	/* beacons with our bss id and in our
2825 				 * serving channel */
2826 	__le32 num_missed_bcon;	/* number of missed beacons */
2827 	__le32 adc_rx_saturation_time;	/* count in 0.8us units the time the
2828 					 * ADC was in saturation */
2829 	__le32 ina_detection_search_time;	/* total time (in 0.8us) searched
2830 						 * for INA */
2831 	__le32 beacon_silence_rssi_a;	/* RSSI silence after beacon frame */
2832 	__le32 beacon_silence_rssi_b;	/* RSSI silence after beacon frame */
2833 	__le32 beacon_silence_rssi_c;	/* RSSI silence after beacon frame */
2834 	__le32 interference_data_flag;	/* flag for interference data
2835 					 * availability. 1 when data is
2836 					 * available. */
2837 	__le32 channel_load;	/* counts RX Enable time in uSec */
2838 	__le32 dsp_false_alarms;	/* DSP false alarm (both OFDM
2839 					 * and CCK) counter */
2840 	__le32 beacon_rssi_a;
2841 	__le32 beacon_rssi_b;
2842 	__le32 beacon_rssi_c;
2843 	__le32 beacon_energy_a;
2844 	__le32 beacon_energy_b;
2845 	__le32 beacon_energy_c;
2846 } __packed;
2847 
2848 struct stats_rx {
2849 	struct stats_rx_phy ofdm;
2850 	struct stats_rx_phy cck;
2851 	struct stats_rx_non_phy general;
2852 	struct stats_rx_ht_phy ofdm_ht;
2853 } __packed;
2854 
2855 /**
2856  * struct stats_tx_power - current tx power
2857  *
2858  * @ant_a: current tx power on chain a in 1/2 dB step
2859  * @ant_b: current tx power on chain b in 1/2 dB step
2860  * @ant_c: current tx power on chain c in 1/2 dB step
2861  */
2862 struct stats_tx_power {
2863 	u8 ant_a;
2864 	u8 ant_b;
2865 	u8 ant_c;
2866 	u8 reserved;
2867 } __packed;
2868 
2869 struct stats_tx_non_phy_agg {
2870 	__le32 ba_timeout;
2871 	__le32 ba_reschedule_frames;
2872 	__le32 scd_query_agg_frame_cnt;
2873 	__le32 scd_query_no_agg;
2874 	__le32 scd_query_agg;
2875 	__le32 scd_query_mismatch;
2876 	__le32 frame_not_ready;
2877 	__le32 underrun;
2878 	__le32 bt_prio_kill;
2879 	__le32 rx_ba_rsp_cnt;
2880 } __packed;
2881 
2882 struct stats_tx {
2883 	__le32 preamble_cnt;
2884 	__le32 rx_detected_cnt;
2885 	__le32 bt_prio_defer_cnt;
2886 	__le32 bt_prio_kill_cnt;
2887 	__le32 few_bytes_cnt;
2888 	__le32 cts_timeout;
2889 	__le32 ack_timeout;
2890 	__le32 expected_ack_cnt;
2891 	__le32 actual_ack_cnt;
2892 	__le32 dump_msdu_cnt;
2893 	__le32 burst_abort_next_frame_mismatch_cnt;
2894 	__le32 burst_abort_missing_next_frame_cnt;
2895 	__le32 cts_timeout_collision;
2896 	__le32 ack_or_ba_timeout_collision;
2897 	struct stats_tx_non_phy_agg agg;
2898 
2899 	__le32 reserved1;
2900 } __packed;
2901 
2902 struct stats_div {
2903 	__le32 tx_on_a;
2904 	__le32 tx_on_b;
2905 	__le32 exec_time;
2906 	__le32 probe_time;
2907 	__le32 reserved1;
2908 	__le32 reserved2;
2909 } __packed;
2910 
2911 struct stats_general_common {
2912 	__le32 temperature;	/* radio temperature */
2913 	struct stats_dbg dbg;
2914 	__le32 sleep_time;
2915 	__le32 slots_out;
2916 	__le32 slots_idle;
2917 	__le32 ttl_timestamp;
2918 	struct stats_div div;
2919 	__le32 rx_enable_counter;
2920 	/*
2921 	 * num_of_sos_states:
2922 	 *  count the number of times we have to re-tune
2923 	 *  in order to get out of bad PHY status
2924 	 */
2925 	__le32 num_of_sos_states;
2926 } __packed;
2927 
2928 struct stats_general {
2929 	struct stats_general_common common;
2930 	__le32 reserved2;
2931 	__le32 reserved3;
2932 } __packed;
2933 
2934 #define UCODE_STATS_CLEAR_MSK		(0x1 << 0)
2935 #define UCODE_STATS_FREQUENCY_MSK		(0x1 << 1)
2936 #define UCODE_STATS_NARROW_BAND_MSK	(0x1 << 2)
2937 
2938 /*
2939  * C_STATS = 0x9c,
2940  * all devices identical.
2941  *
2942  * This command triggers an immediate response containing uCode stats.
2943  * The response is in the same format as N_STATS 0x9d, below.
2944  *
2945  * If the CLEAR_STATS configuration flag is set, uCode will clear its
2946  * internal copy of the stats (counters) after issuing the response.
2947  * This flag does not affect N_STATSs after beacons (see below).
2948  *
2949  * If the DISABLE_NOTIF configuration flag is set, uCode will not issue
2950  * N_STATSs after received beacons (see below).  This flag
2951  * does not affect the response to the C_STATS 0x9c itself.
2952  */
2953 #define IL_STATS_CONF_CLEAR_STATS cpu_to_le32(0x1)	/* see above */
2954 #define IL_STATS_CONF_DISABLE_NOTIF cpu_to_le32(0x2)	/* see above */
2955 struct il_stats_cmd {
2956 	__le32 configuration_flags;	/* IL_STATS_CONF_* */
2957 } __packed;
2958 
2959 /*
2960  * N_STATS = 0x9d (notification only, not a command)
2961  *
2962  * By default, uCode issues this notification after receiving a beacon
2963  * while associated.  To disable this behavior, set DISABLE_NOTIF flag in the
2964  * C_STATS 0x9c, above.
2965  *
2966  * Statistics counters continue to increment beacon after beacon, but are
2967  * cleared when changing channels or when driver issues C_STATS
2968  * 0x9c with CLEAR_STATS bit set (see above).
2969  *
2970  * uCode also issues this notification during scans.  uCode clears stats
2971  * appropriately so that each notification contains stats for only the
2972  * one channel that has just been scanned.
2973  */
2974 #define STATS_REPLY_FLG_BAND_24G_MSK         cpu_to_le32(0x2)
2975 #define STATS_REPLY_FLG_HT40_MODE_MSK        cpu_to_le32(0x8)
2976 
2977 struct il3945_notif_stats {
2978 	__le32 flag;
2979 	struct iwl39_stats_rx rx;
2980 	struct iwl39_stats_tx tx;
2981 	struct iwl39_stats_general general;
2982 } __packed;
2983 
2984 struct il_notif_stats {
2985 	__le32 flag;
2986 	struct stats_rx rx;
2987 	struct stats_tx tx;
2988 	struct stats_general general;
2989 } __packed;
2990 
2991 /*
2992  * N_MISSED_BEACONS = 0xa2 (notification only, not a command)
2993  *
2994  * uCode send N_MISSED_BEACONS to driver when detect beacon missed
2995  * in regardless of how many missed beacons, which mean when driver receive the
2996  * notification, inside the command, it can find all the beacons information
2997  * which include number of total missed beacons, number of consecutive missed
2998  * beacons, number of beacons received and number of beacons expected to
2999  * receive.
3000  *
3001  * If uCode detected consecutive_missed_beacons > 5, it will reset the radio
3002  * in order to bring the radio/PHY back to working state; which has no relation
3003  * to when driver will perform sensitivity calibration.
3004  *
3005  * Driver should set it own missed_beacon_threshold to decide when to perform
3006  * sensitivity calibration based on number of consecutive missed beacons in
3007  * order to improve overall performance, especially in noisy environment.
3008  *
3009  */
3010 
3011 #define IL_MISSED_BEACON_THRESHOLD_MIN	(1)
3012 #define IL_MISSED_BEACON_THRESHOLD_DEF	(5)
3013 #define IL_MISSED_BEACON_THRESHOLD_MAX	IL_MISSED_BEACON_THRESHOLD_DEF
3014 
3015 struct il_missed_beacon_notif {
3016 	__le32 consecutive_missed_beacons;
3017 	__le32 total_missed_becons;
3018 	__le32 num_expected_beacons;
3019 	__le32 num_recvd_beacons;
3020 } __packed;
3021 
3022 /******************************************************************************
3023  * (11)
3024  * Rx Calibration Commands:
3025  *
3026  * With the uCode used for open source drivers, most Tx calibration (except
3027  * for Tx Power) and most Rx calibration is done by uCode during the
3028  * "initialize" phase of uCode boot.  Driver must calibrate only:
3029  *
3030  * 1)  Tx power (depends on temperature), described elsewhere
3031  * 2)  Receiver gain balance (optimize MIMO, and detect disconnected antennas)
3032  * 3)  Receiver sensitivity (to optimize signal detection)
3033  *
3034  *****************************************************************************/
3035 
3036 /**
3037  * C_SENSITIVITY = 0xa8 (command, has simple generic response)
3038  *
3039  * This command sets up the Rx signal detector for a sensitivity level that
3040  * is high enough to lock onto all signals within the associated network,
3041  * but low enough to ignore signals that are below a certain threshold, so as
3042  * not to have too many "false alarms".  False alarms are signals that the
3043  * Rx DSP tries to lock onto, but then discards after determining that they
3044  * are noise.
3045  *
3046  * The optimum number of false alarms is between 5 and 50 per 200 TUs
3047  * (200 * 1024 uSecs, i.e. 204.8 milliseconds) of actual Rx time (i.e.
3048  * time listening, not transmitting).  Driver must adjust sensitivity so that
3049  * the ratio of actual false alarms to actual Rx time falls within this range.
3050  *
3051  * While associated, uCode delivers N_STATSs after each
3052  * received beacon.  These provide information to the driver to analyze the
3053  * sensitivity.  Don't analyze stats that come in from scanning, or any
3054  * other non-associated-network source.  Pertinent stats include:
3055  *
3056  * From "general" stats (struct stats_rx_non_phy):
3057  *
3058  * (beacon_energy_[abc] & 0x0FF00) >> 8 (unsigned, higher value is lower level)
3059  *   Measure of energy of desired signal.  Used for establishing a level
3060  *   below which the device does not detect signals.
3061  *
3062  * (beacon_silence_rssi_[abc] & 0x0FF00) >> 8 (unsigned, units in dB)
3063  *   Measure of background noise in silent period after beacon.
3064  *
3065  * channel_load
3066  *   uSecs of actual Rx time during beacon period (varies according to
3067  *   how much time was spent transmitting).
3068  *
3069  * From "cck" and "ofdm" stats (struct stats_rx_phy), separately:
3070  *
3071  * false_alarm_cnt
3072  *   Signal locks abandoned early (before phy-level header).
3073  *
3074  * plcp_err
3075  *   Signal locks abandoned late (during phy-level header).
3076  *
3077  * NOTE:  Both false_alarm_cnt and plcp_err increment monotonically from
3078  *        beacon to beacon, i.e. each value is an accumulation of all errors
3079  *        before and including the latest beacon.  Values will wrap around to 0
3080  *        after counting up to 2^32 - 1.  Driver must differentiate vs.
3081  *        previous beacon's values to determine # false alarms in the current
3082  *        beacon period.
3083  *
3084  * Total number of false alarms = false_alarms + plcp_errs
3085  *
3086  * For OFDM, adjust the following table entries in struct il_sensitivity_cmd
3087  * (notice that the start points for OFDM are at or close to settings for
3088  * maximum sensitivity):
3089  *
3090  *                                             START  /  MIN  /  MAX
3091  *   HD_AUTO_CORR32_X1_TH_ADD_MIN_IDX          90   /   85  /  120
3092  *   HD_AUTO_CORR32_X1_TH_ADD_MIN_MRC_IDX     170   /  170  /  210
3093  *   HD_AUTO_CORR32_X4_TH_ADD_MIN_IDX         105   /  105  /  140
3094  *   HD_AUTO_CORR32_X4_TH_ADD_MIN_MRC_IDX     220   /  220  /  270
3095  *
3096  *   If actual rate of OFDM false alarms (+ plcp_errors) is too high
3097  *   (greater than 50 for each 204.8 msecs listening), reduce sensitivity
3098  *   by *adding* 1 to all 4 of the table entries above, up to the max for
3099  *   each entry.  Conversely, if false alarm rate is too low (less than 5
3100  *   for each 204.8 msecs listening), *subtract* 1 from each entry to
3101  *   increase sensitivity.
3102  *
3103  * For CCK sensitivity, keep track of the following:
3104  *
3105  *   1).  20-beacon history of maximum background noise, indicated by
3106  *        (beacon_silence_rssi_[abc] & 0x0FF00), units in dB, across the
3107  *        3 receivers.  For any given beacon, the "silence reference" is
3108  *        the maximum of last 60 samples (20 beacons * 3 receivers).
3109  *
3110  *   2).  10-beacon history of strongest signal level, as indicated
3111  *        by (beacon_energy_[abc] & 0x0FF00) >> 8, across the 3 receivers,
3112  *        i.e. the strength of the signal through the best receiver at the
3113  *        moment.  These measurements are "upside down", with lower values
3114  *        for stronger signals, so max energy will be *minimum* value.
3115  *
3116  *        Then for any given beacon, the driver must determine the *weakest*
3117  *        of the strongest signals; this is the minimum level that needs to be
3118  *        successfully detected, when using the best receiver at the moment.
3119  *        "Max cck energy" is the maximum (higher value means lower energy!)
3120  *        of the last 10 minima.  Once this is determined, driver must add
3121  *        a little margin by adding "6" to it.
3122  *
3123  *   3).  Number of consecutive beacon periods with too few false alarms.
3124  *        Reset this to 0 at the first beacon period that falls within the
3125  *        "good" range (5 to 50 false alarms per 204.8 milliseconds rx).
3126  *
3127  * Then, adjust the following CCK table entries in struct il_sensitivity_cmd
3128  * (notice that the start points for CCK are at maximum sensitivity):
3129  *
3130  *                                             START  /  MIN  /  MAX
3131  *   HD_AUTO_CORR40_X4_TH_ADD_MIN_IDX         125   /  125  /  200
3132  *   HD_AUTO_CORR40_X4_TH_ADD_MIN_MRC_IDX     200   /  200  /  400
3133  *   HD_MIN_ENERGY_CCK_DET_IDX                100   /    0  /  100
3134  *
3135  *   If actual rate of CCK false alarms (+ plcp_errors) is too high
3136  *   (greater than 50 for each 204.8 msecs listening), method for reducing
3137  *   sensitivity is:
3138  *
3139  *   1)  *Add* 3 to value in HD_AUTO_CORR40_X4_TH_ADD_MIN_MRC_IDX,
3140  *       up to max 400.
3141  *
3142  *   2)  If current value in HD_AUTO_CORR40_X4_TH_ADD_MIN_IDX is < 160,
3143  *       sensitivity has been reduced a significant amount; bring it up to
3144  *       a moderate 161.  Otherwise, *add* 3, up to max 200.
3145  *
3146  *   3)  a)  If current value in HD_AUTO_CORR40_X4_TH_ADD_MIN_IDX is > 160,
3147  *       sensitivity has been reduced only a moderate or small amount;
3148  *       *subtract* 2 from value in HD_MIN_ENERGY_CCK_DET_IDX,
3149  *       down to min 0.  Otherwise (if gain has been significantly reduced),
3150  *       don't change the HD_MIN_ENERGY_CCK_DET_IDX value.
3151  *
3152  *       b)  Save a snapshot of the "silence reference".
3153  *
3154  *   If actual rate of CCK false alarms (+ plcp_errors) is too low
3155  *   (less than 5 for each 204.8 msecs listening), method for increasing
3156  *   sensitivity is used only if:
3157  *
3158  *   1a)  Previous beacon did not have too many false alarms
3159  *   1b)  AND difference between previous "silence reference" and current
3160  *        "silence reference" (prev - current) is 2 or more,
3161  *   OR 2)  100 or more consecutive beacon periods have had rate of
3162  *          less than 5 false alarms per 204.8 milliseconds rx time.
3163  *
3164  *   Method for increasing sensitivity:
3165  *
3166  *   1)  *Subtract* 3 from value in HD_AUTO_CORR40_X4_TH_ADD_MIN_IDX,
3167  *       down to min 125.
3168  *
3169  *   2)  *Subtract* 3 from value in HD_AUTO_CORR40_X4_TH_ADD_MIN_MRC_IDX,
3170  *       down to min 200.
3171  *
3172  *   3)  *Add* 2 to value in HD_MIN_ENERGY_CCK_DET_IDX, up to max 100.
3173  *
3174  *   If actual rate of CCK false alarms (+ plcp_errors) is within good range
3175  *   (between 5 and 50 for each 204.8 msecs listening):
3176  *
3177  *   1)  Save a snapshot of the silence reference.
3178  *
3179  *   2)  If previous beacon had too many CCK false alarms (+ plcp_errors),
3180  *       give some extra margin to energy threshold by *subtracting* 8
3181  *       from value in HD_MIN_ENERGY_CCK_DET_IDX.
3182  *
3183  *   For all cases (too few, too many, good range), make sure that the CCK
3184  *   detection threshold (energy) is below the energy level for robust
3185  *   detection over the past 10 beacon periods, the "Max cck energy".
3186  *   Lower values mean higher energy; this means making sure that the value
3187  *   in HD_MIN_ENERGY_CCK_DET_IDX is at or *above* "Max cck energy".
3188  *
3189  */
3190 
3191 /*
3192  * Table entries in C_SENSITIVITY (struct il_sensitivity_cmd)
3193  */
3194 #define HD_TBL_SIZE  (11)	/* number of entries */
3195 #define HD_MIN_ENERGY_CCK_DET_IDX                 (0)	/* table idxes */
3196 #define HD_MIN_ENERGY_OFDM_DET_IDX                (1)
3197 #define HD_AUTO_CORR32_X1_TH_ADD_MIN_IDX          (2)
3198 #define HD_AUTO_CORR32_X1_TH_ADD_MIN_MRC_IDX      (3)
3199 #define HD_AUTO_CORR40_X4_TH_ADD_MIN_MRC_IDX      (4)
3200 #define HD_AUTO_CORR32_X4_TH_ADD_MIN_IDX          (5)
3201 #define HD_AUTO_CORR32_X4_TH_ADD_MIN_MRC_IDX      (6)
3202 #define HD_BARKER_CORR_TH_ADD_MIN_IDX             (7)
3203 #define HD_BARKER_CORR_TH_ADD_MIN_MRC_IDX         (8)
3204 #define HD_AUTO_CORR40_X4_TH_ADD_MIN_IDX          (9)
3205 #define HD_OFDM_ENERGY_TH_IN_IDX                  (10)
3206 
3207 /* Control field in struct il_sensitivity_cmd */
3208 #define C_SENSITIVITY_CONTROL_DEFAULT_TBL	cpu_to_le16(0)
3209 #define C_SENSITIVITY_CONTROL_WORK_TBL	cpu_to_le16(1)
3210 
3211 /**
3212  * struct il_sensitivity_cmd
3213  * @control:  (1) updates working table, (0) updates default table
3214  * @table:  energy threshold values, use HD_* as idx into table
3215  *
3216  * Always use "1" in "control" to update uCode's working table and DSP.
3217  */
3218 struct il_sensitivity_cmd {
3219 	__le16 control;		/* always use "1" */
3220 	__le16 table[HD_TBL_SIZE];	/* use HD_* as idx */
3221 } __packed;
3222 
3223 /**
3224  * C_PHY_CALIBRATION = 0xb0 (command, has simple generic response)
3225  *
3226  * This command sets the relative gains of 4965 device's 3 radio receiver chains.
3227  *
3228  * After the first association, driver should accumulate signal and noise
3229  * stats from the N_STATSs that follow the first 20
3230  * beacons from the associated network (don't collect stats that come
3231  * in from scanning, or any other non-network source).
3232  *
3233  * DISCONNECTED ANTENNA:
3234  *
3235  * Driver should determine which antennas are actually connected, by comparing
3236  * average beacon signal levels for the 3 Rx chains.  Accumulate (add) the
3237  * following values over 20 beacons, one accumulator for each of the chains
3238  * a/b/c, from struct stats_rx_non_phy:
3239  *
3240  * beacon_rssi_[abc] & 0x0FF (unsigned, units in dB)
3241  *
3242  * Find the strongest signal from among a/b/c.  Compare the other two to the
3243  * strongest.  If any signal is more than 15 dB (times 20, unless you
3244  * divide the accumulated values by 20) below the strongest, the driver
3245  * considers that antenna to be disconnected, and should not try to use that
3246  * antenna/chain for Rx or Tx.  If both A and B seem to be disconnected,
3247  * driver should declare the stronger one as connected, and attempt to use it
3248  * (A and B are the only 2 Tx chains!).
3249  *
3250  *
3251  * RX BALANCE:
3252  *
3253  * Driver should balance the 3 receivers (but just the ones that are connected
3254  * to antennas, see above) for gain, by comparing the average signal levels
3255  * detected during the silence after each beacon (background noise).
3256  * Accumulate (add) the following values over 20 beacons, one accumulator for
3257  * each of the chains a/b/c, from struct stats_rx_non_phy:
3258  *
3259  * beacon_silence_rssi_[abc] & 0x0FF (unsigned, units in dB)
3260  *
3261  * Find the weakest background noise level from among a/b/c.  This Rx chain
3262  * will be the reference, with 0 gain adjustment.  Attenuate other channels by
3263  * finding noise difference:
3264  *
3265  * (accum_noise[i] - accum_noise[reference]) / 30
3266  *
3267  * The "30" adjusts the dB in the 20 accumulated samples to units of 1.5 dB.
3268  * For use in diff_gain_[abc] fields of struct il_calibration_cmd, the
3269  * driver should limit the difference results to a range of 0-3 (0-4.5 dB),
3270  * and set bit 2 to indicate "reduce gain".  The value for the reference
3271  * (weakest) chain should be "0".
3272  *
3273  * diff_gain_[abc] bit fields:
3274  *   2: (1) reduce gain, (0) increase gain
3275  * 1-0: amount of gain, units of 1.5 dB
3276  */
3277 
3278 /* Phy calibration command for series */
3279 /* The default calibrate table size if not specified by firmware */
3280 #define IL_DEFAULT_STANDARD_PHY_CALIBRATE_TBL_SIZE	18
3281 enum {
3282 	IL_PHY_CALIBRATE_DIFF_GAIN_CMD = 7,
3283 	IL_MAX_STANDARD_PHY_CALIBRATE_TBL_SIZE = 19,
3284 };
3285 
3286 #define IL_MAX_PHY_CALIBRATE_TBL_SIZE		(253)
3287 
3288 struct il_calib_hdr {
3289 	u8 op_code;
3290 	u8 first_group;
3291 	u8 groups_num;
3292 	u8 data_valid;
3293 } __packed;
3294 
3295 /* IL_PHY_CALIBRATE_DIFF_GAIN_CMD (7) */
3296 struct il_calib_diff_gain_cmd {
3297 	struct il_calib_hdr hdr;
3298 	s8 diff_gain_a;		/* see above */
3299 	s8 diff_gain_b;
3300 	s8 diff_gain_c;
3301 	u8 reserved1;
3302 } __packed;
3303 
3304 /******************************************************************************
3305  * (12)
3306  * Miscellaneous Commands:
3307  *
3308  *****************************************************************************/
3309 
3310 /*
3311  * LEDs Command & Response
3312  * C_LEDS = 0x48 (command, has simple generic response)
3313  *
3314  * For each of 3 possible LEDs (Activity/Link/Tech, selected by "id" field),
3315  * this command turns it on or off, or sets up a periodic blinking cycle.
3316  */
3317 struct il_led_cmd {
3318 	__le32 interval;	/* "interval" in uSec */
3319 	u8 id;			/* 1: Activity, 2: Link, 3: Tech */
3320 	u8 off;			/* # intervals off while blinking;
3321 				 * "0", with >0 "on" value, turns LED on */
3322 	u8 on;			/* # intervals on while blinking;
3323 				 * "0", regardless of "off", turns LED off */
3324 	u8 reserved;
3325 } __packed;
3326 
3327 /******************************************************************************
3328  * (13)
3329  * Union of all expected notifications/responses:
3330  *
3331  *****************************************************************************/
3332 
3333 #define IL_RX_FRAME_SIZE_MSK	0x00003fff
3334 
3335 struct il_rx_pkt {
3336 	/*
3337 	 * The first 4 bytes of the RX frame header contain both the RX frame
3338 	 * size and some flags.
3339 	 * Bit fields:
3340 	 * 31:    flag flush RB request
3341 	 * 30:    flag ignore TC (terminal counter) request
3342 	 * 29:    flag fast IRQ request
3343 	 * 28-14: Reserved
3344 	 * 13-00: RX frame size
3345 	 */
3346 	__le32 len_n_flags;
3347 	struct il_cmd_header hdr;
3348 	union {
3349 		struct il3945_rx_frame rx_frame;
3350 		struct il3945_tx_resp tx_resp;
3351 		struct il3945_beacon_notif beacon_status;
3352 
3353 		struct il_alive_resp alive_frame;
3354 		struct il_spectrum_notification spectrum_notif;
3355 		struct il_csa_notification csa_notif;
3356 		struct il_error_resp err_resp;
3357 		struct il_card_state_notif card_state_notif;
3358 		struct il_add_sta_resp add_sta;
3359 		struct il_rem_sta_resp rem_sta;
3360 		struct il_sleep_notification sleep_notif;
3361 		struct il_spectrum_resp spectrum;
3362 		struct il_notif_stats stats;
3363 		struct il_compressed_ba_resp compressed_ba;
3364 		struct il_missed_beacon_notif missed_beacon;
3365 		__le32 status;
3366 		u8 raw[0];
3367 	} u;
3368 } __packed;
3369 
3370 #endif /* __il_commands_h__ */
3371