1/* from src/prism2/download/prism2dl.c 2* 3* utility for downloading prism2 images moved into kernelspace 4* 5* Copyright (C) 1999 AbsoluteValue Systems, Inc. All Rights Reserved. 6* -------------------------------------------------------------------- 7* 8* linux-wlan 9* 10* The contents of this file are subject to the Mozilla Public 11* License Version 1.1 (the "License"); you may not use this file 12* except in compliance with the License. You may obtain a copy of 13* the License at http://www.mozilla.org/MPL/ 14* 15* Software distributed under the License is distributed on an "AS 16* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or 17* implied. See the License for the specific language governing 18* rights and limitations under the License. 19* 20* Alternatively, the contents of this file may be used under the 21* terms of the GNU Public License version 2 (the "GPL"), in which 22* case the provisions of the GPL are applicable instead of the 23* above. If you wish to allow the use of your version of this file 24* only under the terms of the GPL and not to allow others to use 25* your version of this file under the MPL, indicate your decision 26* by deleting the provisions above and replace them with the notice 27* and other provisions required by the GPL. If you do not delete 28* the provisions above, a recipient may use your version of this 29* file under either the MPL or the GPL. 30* 31* -------------------------------------------------------------------- 32* 33* Inquiries regarding the linux-wlan Open Source project can be 34* made directly to: 35* 36* AbsoluteValue Systems Inc. 37* info@linux-wlan.com 38* http://www.linux-wlan.com 39* 40* -------------------------------------------------------------------- 41* 42* Portions of the development of this software were funded by 43* Intersil Corporation as part of PRISM(R) chipset product development. 44* 45* -------------------------------------------------------------------- 46*/ 47 48/*================================================================*/ 49/* System Includes */ 50#include <linux/ihex.h> 51#include <linux/slab.h> 52 53/*================================================================*/ 54/* Local Constants */ 55 56#define PRISM2_USB_FWFILE "prism2_ru.fw" 57MODULE_FIRMWARE(PRISM2_USB_FWFILE); 58 59#define S3DATA_MAX 5000 60#define S3PLUG_MAX 200 61#define S3CRC_MAX 200 62#define S3INFO_MAX 50 63 64#define S3ADDR_PLUG (0xff000000UL) 65#define S3ADDR_CRC (0xff100000UL) 66#define S3ADDR_INFO (0xff200000UL) 67#define S3ADDR_START (0xff400000UL) 68 69#define CHUNKS_MAX 100 70 71#define WRITESIZE_MAX 4096 72 73/*================================================================*/ 74/* Local Types */ 75 76struct s3datarec { 77 u32 len; 78 u32 addr; 79 u8 checksum; 80 u8 *data; 81}; 82 83struct s3plugrec { 84 u32 itemcode; 85 u32 addr; 86 u32 len; 87}; 88 89struct s3crcrec { 90 u32 addr; 91 u32 len; 92 unsigned int dowrite; 93}; 94 95struct s3inforec { 96 u16 len; 97 u16 type; 98 union { 99 hfa384x_compident_t version; 100 hfa384x_caplevel_t compat; 101 u16 buildseq; 102 hfa384x_compident_t platform; 103 } info; 104}; 105 106struct pda { 107 u8 buf[HFA384x_PDA_LEN_MAX]; 108 hfa384x_pdrec_t *rec[HFA384x_PDA_RECS_MAX]; 109 unsigned int nrec; 110}; 111 112struct imgchunk { 113 u32 addr; /* start address */ 114 u32 len; /* in bytes */ 115 u16 crc; /* CRC value (if it falls at a chunk boundary) */ 116 u8 *data; 117}; 118 119/*================================================================*/ 120/* Local Static Definitions */ 121 122/*----------------------------------------------------------------*/ 123/* s-record image processing */ 124 125/* Data records */ 126static unsigned int ns3data; 127static struct s3datarec s3data[S3DATA_MAX]; 128 129/* Plug records */ 130static unsigned int ns3plug; 131static struct s3plugrec s3plug[S3PLUG_MAX]; 132 133/* CRC records */ 134static unsigned int ns3crc; 135static struct s3crcrec s3crc[S3CRC_MAX]; 136 137/* Info records */ 138static unsigned int ns3info; 139static struct s3inforec s3info[S3INFO_MAX]; 140 141/* S7 record (there _better_ be only one) */ 142static u32 startaddr; 143 144/* Load image chunks */ 145static unsigned int nfchunks; 146static struct imgchunk fchunk[CHUNKS_MAX]; 147 148/* Note that for the following pdrec_t arrays, the len and code */ 149/* fields are stored in HOST byte order. The mkpdrlist() function */ 150/* does the conversion. */ 151/*----------------------------------------------------------------*/ 152/* PDA, built from [card|newfile]+[addfile1+addfile2...] */ 153 154static struct pda pda; 155static hfa384x_compident_t nicid; 156static hfa384x_caplevel_t rfid; 157static hfa384x_caplevel_t macid; 158static hfa384x_caplevel_t priid; 159 160/*================================================================*/ 161/* Local Function Declarations */ 162 163static int prism2_fwapply(const struct ihex_binrec *rfptr, 164wlandevice_t *wlandev); 165 166static int read_fwfile(const struct ihex_binrec *rfptr); 167 168static int mkimage(struct imgchunk *clist, unsigned int *ccnt); 169 170static int read_cardpda(struct pda *pda, wlandevice_t *wlandev); 171 172static int mkpdrlist(struct pda *pda); 173 174static int plugimage(struct imgchunk *fchunk, unsigned int nfchunks, 175 struct s3plugrec *s3plug, unsigned int ns3plug, struct pda *pda); 176 177static int crcimage(struct imgchunk *fchunk, unsigned int nfchunks, 178 struct s3crcrec *s3crc, unsigned int ns3crc); 179 180static int writeimage(wlandevice_t *wlandev, struct imgchunk *fchunk, 181 unsigned int nfchunks); 182static void free_chunks(struct imgchunk *fchunk, unsigned int *nfchunks); 183 184static void free_srecs(void); 185 186static int validate_identity(void); 187 188/*================================================================*/ 189/* Function Definitions */ 190 191/*---------------------------------------------------------------- 192* prism2_fwtry 193* 194* Try and get firmware into memory 195* 196* Arguments: 197* udev usb device structure 198* wlandev wlan device structure 199* 200* Returns: 201* 0 - success 202* ~0 - failure 203----------------------------------------------------------------*/ 204static int prism2_fwtry(struct usb_device *udev, wlandevice_t *wlandev) 205{ 206 const struct firmware *fw_entry = NULL; 207 208 netdev_info(wlandev->netdev, "prism2_usb: Checking for firmware %s\n", 209 PRISM2_USB_FWFILE); 210 if (request_ihex_firmware(&fw_entry, 211 PRISM2_USB_FWFILE, &udev->dev) != 0) { 212 netdev_info(wlandev->netdev, 213 "prism2_usb: Firmware not available, but not essential\n"); 214 netdev_info(wlandev->netdev, 215 "prism2_usb: can continue to use card anyway.\n"); 216 return 1; 217 } 218 219 netdev_info(wlandev->netdev, 220 "prism2_usb: %s will be processed, size %zu\n", 221 PRISM2_USB_FWFILE, fw_entry->size); 222 prism2_fwapply((const struct ihex_binrec *)fw_entry->data, wlandev); 223 224 release_firmware(fw_entry); 225 return 0; 226} 227 228/*---------------------------------------------------------------- 229* prism2_fwapply 230* 231* Apply the firmware loaded into memory 232* 233* Arguments: 234* rfptr firmware image in kernel memory 235* wlandev device 236* 237* Returns: 238* 0 - success 239* ~0 - failure 240----------------------------------------------------------------*/ 241static int prism2_fwapply(const struct ihex_binrec *rfptr, wlandevice_t *wlandev) 242{ 243 signed int result = 0; 244 struct p80211msg_dot11req_mibget getmsg; 245 p80211itemd_t *item; 246 u32 *data; 247 248 /* Initialize the data structures */ 249 ns3data = 0; 250 memset(s3data, 0, sizeof(s3data)); 251 ns3plug = 0; 252 memset(s3plug, 0, sizeof(s3plug)); 253 ns3crc = 0; 254 memset(s3crc, 0, sizeof(s3crc)); 255 ns3info = 0; 256 memset(s3info, 0, sizeof(s3info)); 257 startaddr = 0; 258 259 nfchunks = 0; 260 memset(fchunk, 0, sizeof(fchunk)); 261 memset(&nicid, 0, sizeof(nicid)); 262 memset(&rfid, 0, sizeof(rfid)); 263 memset(&macid, 0, sizeof(macid)); 264 memset(&priid, 0, sizeof(priid)); 265 266 /* clear the pda and add an initial END record */ 267 memset(&pda, 0, sizeof(pda)); 268 pda.rec[0] = (hfa384x_pdrec_t *) pda.buf; 269 pda.rec[0]->len = cpu_to_le16(2); /* len in words */ 270 pda.rec[0]->code = cpu_to_le16(HFA384x_PDR_END_OF_PDA); 271 pda.nrec = 1; 272 273 /*-----------------------------------------------------*/ 274 /* Put card into fwload state */ 275 prism2sta_ifstate(wlandev, P80211ENUM_ifstate_fwload); 276 277 /* Build the PDA we're going to use. */ 278 if (read_cardpda(&pda, wlandev)) { 279 netdev_err(wlandev->netdev, "load_cardpda failed, exiting.\n"); 280 return 1; 281 } 282 283 /* read the card's PRI-SUP */ 284 memset(&getmsg, 0, sizeof(getmsg)); 285 getmsg.msgcode = DIDmsg_dot11req_mibget; 286 getmsg.msglen = sizeof(getmsg); 287 strcpy(getmsg.devname, wlandev->name); 288 289 getmsg.mibattribute.did = DIDmsg_dot11req_mibget_mibattribute; 290 getmsg.mibattribute.status = P80211ENUM_msgitem_status_data_ok; 291 getmsg.resultcode.did = DIDmsg_dot11req_mibget_resultcode; 292 getmsg.resultcode.status = P80211ENUM_msgitem_status_no_value; 293 294 item = (p80211itemd_t *) getmsg.mibattribute.data; 295 item->did = DIDmib_p2_p2NIC_p2PRISupRange; 296 item->status = P80211ENUM_msgitem_status_no_value; 297 298 data = (u32 *) item->data; 299 300 /* DIDmsg_dot11req_mibget */ 301 prism2mgmt_mibset_mibget(wlandev, &getmsg); 302 if (getmsg.resultcode.data != P80211ENUM_resultcode_success) 303 netdev_err(wlandev->netdev, "Couldn't fetch PRI-SUP info\n"); 304 305 /* Already in host order */ 306 priid.role = *data++; 307 priid.id = *data++; 308 priid.variant = *data++; 309 priid.bottom = *data++; 310 priid.top = *data++; 311 312 /* Read the S3 file */ 313 result = read_fwfile(rfptr); 314 if (result) { 315 netdev_err(wlandev->netdev, 316 "Failed to read the data exiting.\n"); 317 return 1; 318 } 319 320 result = validate_identity(); 321 322 if (result) { 323 netdev_err(wlandev->netdev, "Incompatible firmware image.\n"); 324 return 1; 325 } 326 327 if (startaddr == 0x00000000) { 328 netdev_err(wlandev->netdev, 329 "Can't RAM download a Flash image!\n"); 330 return 1; 331 } 332 333 /* Make the image chunks */ 334 result = mkimage(fchunk, &nfchunks); 335 336 /* Do any plugging */ 337 result = plugimage(fchunk, nfchunks, s3plug, ns3plug, &pda); 338 if (result) { 339 netdev_err(wlandev->netdev, "Failed to plug data.\n"); 340 return 1; 341 } 342 343 /* Insert any CRCs */ 344 if (crcimage(fchunk, nfchunks, s3crc, ns3crc)) { 345 netdev_err(wlandev->netdev, "Failed to insert all CRCs\n"); 346 return 1; 347 } 348 349 /* Write the image */ 350 result = writeimage(wlandev, fchunk, nfchunks); 351 if (result) { 352 netdev_err(wlandev->netdev, "Failed to ramwrite image data.\n"); 353 return 1; 354 } 355 356 /* clear any allocated memory */ 357 free_chunks(fchunk, &nfchunks); 358 free_srecs(); 359 360 netdev_info(wlandev->netdev, "prism2_usb: firmware loading finished.\n"); 361 362 return result; 363} 364 365/*---------------------------------------------------------------- 366* crcimage 367* 368* Adds a CRC16 in the two bytes prior to each block identified by 369* an S3 CRC record. Currently, we don't actually do a CRC we just 370* insert the value 0xC0DE in hfa384x order. 371* 372* Arguments: 373* fchunk Array of image chunks 374* nfchunks Number of image chunks 375* s3crc Array of crc records 376* ns3crc Number of crc records 377* 378* Returns: 379* 0 success 380* ~0 failure 381----------------------------------------------------------------*/ 382static int crcimage(struct imgchunk *fchunk, unsigned int nfchunks, 383 struct s3crcrec *s3crc, unsigned int ns3crc) 384{ 385 int result = 0; 386 int i; 387 int c; 388 u32 crcstart; 389 u32 crcend; 390 u32 cstart = 0; 391 u32 cend; 392 u8 *dest; 393 u32 chunkoff; 394 395 for (i = 0; i < ns3crc; i++) { 396 if (!s3crc[i].dowrite) 397 continue; 398 crcstart = s3crc[i].addr; 399 crcend = s3crc[i].addr + s3crc[i].len; 400 /* Find chunk */ 401 for (c = 0; c < nfchunks; c++) { 402 cstart = fchunk[c].addr; 403 cend = fchunk[c].addr + fchunk[c].len; 404 /* the line below does an address & len match search */ 405 /* unfortunately, I've found that the len fields of */ 406 /* some crc records don't match with the length of */ 407 /* the actual data, so we're not checking right now */ 408 /* if (crcstart-2 >= cstart && crcend <= cend) break; */ 409 410 /* note the -2 below, it's to make sure the chunk has */ 411 /* space for the CRC value */ 412 if (crcstart - 2 >= cstart && crcstart < cend) 413 break; 414 } 415 if (c >= nfchunks) { 416 pr_err("Failed to find chunk for crcrec[%d], addr=0x%06x len=%d , aborting crc.\n", 417 i, s3crc[i].addr, s3crc[i].len); 418 return 1; 419 } 420 421 /* Insert crc */ 422 pr_debug("Adding crc @ 0x%06x\n", s3crc[i].addr - 2); 423 chunkoff = crcstart - cstart - 2; 424 dest = fchunk[c].data + chunkoff; 425 *dest = 0xde; 426 *(dest + 1) = 0xc0; 427 428 } 429 return result; 430} 431 432/*---------------------------------------------------------------- 433* free_chunks 434* 435* Clears the chunklist data structures in preparation for a new file. 436* 437* Arguments: 438* none 439* 440* Returns: 441* nothing 442----------------------------------------------------------------*/ 443static void free_chunks(struct imgchunk *fchunk, unsigned int *nfchunks) 444{ 445 int i; 446 447 for (i = 0; i < *nfchunks; i++) 448 kfree(fchunk[i].data); 449 450 *nfchunks = 0; 451 memset(fchunk, 0, sizeof(*fchunk)); 452 453} 454 455/*---------------------------------------------------------------- 456* free_srecs 457* 458* Clears the srec data structures in preparation for a new file. 459* 460* Arguments: 461* none 462* 463* Returns: 464* nothing 465----------------------------------------------------------------*/ 466static void free_srecs(void) 467{ 468 ns3data = 0; 469 memset(s3data, 0, sizeof(s3data)); 470 ns3plug = 0; 471 memset(s3plug, 0, sizeof(s3plug)); 472 ns3crc = 0; 473 memset(s3crc, 0, sizeof(s3crc)); 474 ns3info = 0; 475 memset(s3info, 0, sizeof(s3info)); 476 startaddr = 0; 477} 478 479/*---------------------------------------------------------------- 480* mkimage 481* 482* Scans the currently loaded set of S records for data residing 483* in contiguous memory regions. Each contiguous region is then 484* made into a 'chunk'. This function assumes that we're building 485* a new chunk list. Assumes the s3data items are in sorted order. 486* 487* Arguments: none 488* 489* Returns: 490* 0 - success 491* ~0 - failure (probably an errno) 492----------------------------------------------------------------*/ 493static int mkimage(struct imgchunk *clist, unsigned int *ccnt) 494{ 495 int result = 0; 496 int i; 497 int j; 498 int currchunk = 0; 499 u32 nextaddr = 0; 500 u32 s3start; 501 u32 s3end; 502 u32 cstart = 0; 503 u32 cend; 504 u32 coffset; 505 506 /* There may already be data in the chunklist */ 507 *ccnt = 0; 508 509 /* Establish the location and size of each chunk */ 510 for (i = 0; i < ns3data; i++) { 511 if (s3data[i].addr == nextaddr) { 512 /* existing chunk, grow it */ 513 clist[currchunk].len += s3data[i].len; 514 nextaddr += s3data[i].len; 515 } else { 516 /* New chunk */ 517 (*ccnt)++; 518 currchunk = *ccnt - 1; 519 clist[currchunk].addr = s3data[i].addr; 520 clist[currchunk].len = s3data[i].len; 521 nextaddr = s3data[i].addr + s3data[i].len; 522 /* Expand the chunk if there is a CRC record at */ 523 /* their beginning bound */ 524 for (j = 0; j < ns3crc; j++) { 525 if (s3crc[j].dowrite && 526 s3crc[j].addr == clist[currchunk].addr) { 527 clist[currchunk].addr -= 2; 528 clist[currchunk].len += 2; 529 } 530 } 531 } 532 } 533 534 /* We're currently assuming there aren't any overlapping chunks */ 535 /* if this proves false, we'll need to add code to coalesce. */ 536 537 /* Allocate buffer space for chunks */ 538 for (i = 0; i < *ccnt; i++) { 539 clist[i].data = kzalloc(clist[i].len, GFP_KERNEL); 540 if (clist[i].data == NULL) { 541 pr_err("failed to allocate image space, exitting.\n"); 542 return 1; 543 } 544 pr_debug("chunk[%d]: addr=0x%06x len=%d\n", 545 i, clist[i].addr, clist[i].len); 546 } 547 548 /* Copy srec data to chunks */ 549 for (i = 0; i < ns3data; i++) { 550 s3start = s3data[i].addr; 551 s3end = s3start + s3data[i].len - 1; 552 for (j = 0; j < *ccnt; j++) { 553 cstart = clist[j].addr; 554 cend = cstart + clist[j].len - 1; 555 if (s3start >= cstart && s3end <= cend) 556 break; 557 } 558 if (((unsigned int)j) >= (*ccnt)) { 559 pr_err("s3rec(a=0x%06x,l=%d), no chunk match, exiting.\n", 560 s3start, s3data[i].len); 561 return 1; 562 } 563 coffset = s3start - cstart; 564 memcpy(clist[j].data + coffset, s3data[i].data, s3data[i].len); 565 } 566 567 return result; 568} 569 570/*---------------------------------------------------------------- 571* mkpdrlist 572* 573* Reads a raw PDA and builds an array of pdrec_t structures. 574* 575* Arguments: 576* pda buffer containing raw PDA bytes 577* pdrec ptr to an array of pdrec_t's. Will be filled on exit. 578* nrec ptr to a variable that will contain the count of PDRs 579* 580* Returns: 581* 0 - success 582* ~0 - failure (probably an errno) 583----------------------------------------------------------------*/ 584static int mkpdrlist(struct pda *pda) 585{ 586 int result = 0; 587 u16 *pda16 = (u16 *) pda->buf; 588 int curroff; /* in 'words' */ 589 590 pda->nrec = 0; 591 curroff = 0; 592 while (curroff < (HFA384x_PDA_LEN_MAX / 2) && 593 le16_to_cpu(pda16[curroff + 1]) != HFA384x_PDR_END_OF_PDA) { 594 pda->rec[pda->nrec] = (hfa384x_pdrec_t *) &(pda16[curroff]); 595 596 if (le16_to_cpu(pda->rec[pda->nrec]->code) == 597 HFA384x_PDR_NICID) { 598 memcpy(&nicid, &pda->rec[pda->nrec]->data.nicid, 599 sizeof(nicid)); 600 nicid.id = le16_to_cpu(nicid.id); 601 nicid.variant = le16_to_cpu(nicid.variant); 602 nicid.major = le16_to_cpu(nicid.major); 603 nicid.minor = le16_to_cpu(nicid.minor); 604 } 605 if (le16_to_cpu(pda->rec[pda->nrec]->code) == 606 HFA384x_PDR_MFISUPRANGE) { 607 memcpy(&rfid, &pda->rec[pda->nrec]->data.mfisuprange, 608 sizeof(rfid)); 609 rfid.id = le16_to_cpu(rfid.id); 610 rfid.variant = le16_to_cpu(rfid.variant); 611 rfid.bottom = le16_to_cpu(rfid.bottom); 612 rfid.top = le16_to_cpu(rfid.top); 613 } 614 if (le16_to_cpu(pda->rec[pda->nrec]->code) == 615 HFA384x_PDR_CFISUPRANGE) { 616 memcpy(&macid, &pda->rec[pda->nrec]->data.cfisuprange, 617 sizeof(macid)); 618 macid.id = le16_to_cpu(macid.id); 619 macid.variant = le16_to_cpu(macid.variant); 620 macid.bottom = le16_to_cpu(macid.bottom); 621 macid.top = le16_to_cpu(macid.top); 622 } 623 624 (pda->nrec)++; 625 curroff += le16_to_cpu(pda16[curroff]) + 1; 626 627 } 628 if (curroff >= (HFA384x_PDA_LEN_MAX / 2)) { 629 pr_err("no end record found or invalid lengths in PDR data, exiting. %x %d\n", 630 curroff, pda->nrec); 631 return 1; 632 } 633 if (le16_to_cpu(pda16[curroff + 1]) == HFA384x_PDR_END_OF_PDA) { 634 pda->rec[pda->nrec] = (hfa384x_pdrec_t *) &(pda16[curroff]); 635 (pda->nrec)++; 636 } 637 return result; 638} 639 640/*---------------------------------------------------------------- 641* plugimage 642* 643* Plugs the given image using the given plug records from the given 644* PDA and filename. 645* 646* Arguments: 647* fchunk Array of image chunks 648* nfchunks Number of image chunks 649* s3plug Array of plug records 650* ns3plug Number of plug records 651* pda Current pda data 652* 653* Returns: 654* 0 success 655* ~0 failure 656----------------------------------------------------------------*/ 657static int plugimage(struct imgchunk *fchunk, unsigned int nfchunks, 658 struct s3plugrec *s3plug, unsigned int ns3plug, struct pda *pda) 659{ 660 int result = 0; 661 int i; /* plug index */ 662 int j; /* index of PDR or -1 if fname plug */ 663 int c; /* chunk index */ 664 u32 pstart; 665 u32 pend; 666 u32 cstart = 0; 667 u32 cend; 668 u32 chunkoff; 669 u8 *dest; 670 671 /* for each plug record */ 672 for (i = 0; i < ns3plug; i++) { 673 pstart = s3plug[i].addr; 674 pend = s3plug[i].addr + s3plug[i].len; 675 /* find the matching PDR (or filename) */ 676 if (s3plug[i].itemcode != 0xffffffffUL) { /* not filename */ 677 for (j = 0; j < pda->nrec; j++) { 678 if (s3plug[i].itemcode == 679 le16_to_cpu(pda->rec[j]->code)) 680 break; 681 } 682 } else { 683 j = -1; 684 } 685 if (j >= pda->nrec && j != -1) { /* if no matching PDR, fail */ 686 pr_warn("warning: Failed to find PDR for plugrec 0x%04x.\n", 687 s3plug[i].itemcode); 688 continue; /* and move on to the next PDR */ 689#if 0 690 /* MSM: They swear that unless it's the MAC address, 691 * the serial number, or the TX calibration records, 692 * then there's reasonable defaults in the f/w 693 * image. Therefore, missing PDRs in the card 694 * should only be a warning, not fatal. 695 * TODO: add fatals for the PDRs mentioned above. 696 */ 697 result = 1; 698 continue; 699#endif 700 } 701 702 /* Validate plug len against PDR len */ 703 if (j != -1 && s3plug[i].len < le16_to_cpu(pda->rec[j]->len)) { 704 pr_err("error: Plug vs. PDR len mismatch for plugrec 0x%04x, abort plugging.\n", 705 s3plug[i].itemcode); 706 result = 1; 707 continue; 708 } 709 710 /* Validate plug address against chunk data and identify chunk */ 711 for (c = 0; c < nfchunks; c++) { 712 cstart = fchunk[c].addr; 713 cend = fchunk[c].addr + fchunk[c].len; 714 if (pstart >= cstart && pend <= cend) 715 break; 716 } 717 if (c >= nfchunks) { 718 pr_err("error: Failed to find image chunk for plugrec 0x%04x.\n", 719 s3plug[i].itemcode); 720 result = 1; 721 continue; 722 } 723 724 /* Plug data */ 725 chunkoff = pstart - cstart; 726 dest = fchunk[c].data + chunkoff; 727 pr_debug("Plugging item 0x%04x @ 0x%06x, len=%d, cnum=%d coff=0x%06x\n", 728 s3plug[i].itemcode, pstart, s3plug[i].len, 729 c, chunkoff); 730 731 if (j == -1) { /* plug the filename */ 732 memset(dest, 0, s3plug[i].len); 733 strncpy(dest, PRISM2_USB_FWFILE, s3plug[i].len - 1); 734 } else { /* plug a PDR */ 735 memcpy(dest, &(pda->rec[j]->data), s3plug[i].len); 736 } 737 } 738 return result; 739 740} 741 742/*---------------------------------------------------------------- 743* read_cardpda 744* 745* Sends the command for the driver to read the pda from the card 746* named in the device variable. Upon success, the card pda is 747* stored in the "cardpda" variables. Note that the pda structure 748* is considered 'well formed' after this function. That means 749* that the nrecs is valid, the rec array has been set up, and there's 750* a valid PDAEND record in the raw PDA data. 751* 752* Arguments: 753* pda pda structure 754* wlandev device 755* 756* Returns: 757* 0 - success 758* ~0 - failure (probably an errno) 759----------------------------------------------------------------*/ 760static int read_cardpda(struct pda *pda, wlandevice_t *wlandev) 761{ 762 int result = 0; 763 struct p80211msg_p2req_readpda *msg; 764 765 msg = kzalloc(sizeof(*msg), GFP_KERNEL); 766 if (!msg) 767 return -ENOMEM; 768 769 /* set up the msg */ 770 msg->msgcode = DIDmsg_p2req_readpda; 771 msg->msglen = sizeof(msg); 772 strcpy(msg->devname, wlandev->name); 773 msg->pda.did = DIDmsg_p2req_readpda_pda; 774 msg->pda.len = HFA384x_PDA_LEN_MAX; 775 msg->pda.status = P80211ENUM_msgitem_status_no_value; 776 msg->resultcode.did = DIDmsg_p2req_readpda_resultcode; 777 msg->resultcode.len = sizeof(u32); 778 msg->resultcode.status = P80211ENUM_msgitem_status_no_value; 779 780 if (prism2mgmt_readpda(wlandev, msg) != 0) { 781 /* prism2mgmt_readpda prints an errno if appropriate */ 782 result = -1; 783 } else if (msg->resultcode.data == P80211ENUM_resultcode_success) { 784 memcpy(pda->buf, msg->pda.data, HFA384x_PDA_LEN_MAX); 785 result = mkpdrlist(pda); 786 } else { 787 /* resultcode must've been something other than success */ 788 result = -1; 789 } 790 791 kfree(msg); 792 return result; 793} 794 795/*---------------------------------------------------------------- 796* read_fwfile 797* 798* Reads the given fw file which should have been compiled from an srec 799* file. Each record in the fw file will either be a plain data record, 800* a start address record, or other records used for plugging. 801* 802* Note that data records are expected to be sorted into 803* ascending address order in the fw file. 804* 805* Note also that the start address record, originally an S7 record in 806* the srec file, is expected in the fw file to be like a data record but 807* with a certain address to make it identifiable. 808* 809* Here's the SREC format that the fw should have come from: 810* S[37]nnaaaaaaaaddd...dddcc 811* 812* nn - number of bytes starting with the address field 813* aaaaaaaa - address in readable (or big endian) format 814* dd....dd - 0-245 data bytes (two chars per byte) 815* cc - checksum 816* 817* The S7 record's (there should be only one) address value gets 818* converted to an S3 record with address of 0xff400000, with the 819* start address being stored as a 4 byte data word. That address is 820* the start execution address used for RAM downloads. 821* 822* The S3 records have a collection of subformats indicated by the 823* value of aaaaaaaa: 824* 0xff000000 - Plug record, data field format: 825* xxxxxxxxaaaaaaaassssssss 826* x - PDR code number (little endian) 827* a - Address in load image to plug (little endian) 828* s - Length of plug data area (little endian) 829* 830* 0xff100000 - CRC16 generation record, data field format: 831* aaaaaaaassssssssbbbbbbbb 832* a - Start address for CRC calculation (little endian) 833* s - Length of data to calculate over (little endian) 834* b - Boolean, true=write crc, false=don't write 835* 836* 0xff200000 - Info record, data field format: 837* ssssttttdd..dd 838* s - Size in words (little endian) 839* t - Info type (little endian), see #defines and 840* struct s3inforec for details about types. 841* d - (s - 1) little endian words giving the contents of 842* the given info type. 843* 844* 0xff400000 - Start address record, data field format: 845* aaaaaaaa 846* a - Address in load image to plug (little endian) 847* 848* Arguments: 849* record firmware image (ihex record structure) in kernel memory 850* 851* Returns: 852* 0 - success 853* ~0 - failure (probably an errno) 854----------------------------------------------------------------*/ 855static int read_fwfile(const struct ihex_binrec *record) 856{ 857 int i; 858 int rcnt = 0; 859 u16 *tmpinfo; 860 u16 *ptr16; 861 u32 *ptr32, len, addr; 862 863 pr_debug("Reading fw file ...\n"); 864 865 while (record) { 866 867 rcnt++; 868 869 len = be16_to_cpu(record->len); 870 addr = be32_to_cpu(record->addr); 871 872 /* Point into data for different word lengths */ 873 ptr32 = (u32 *) record->data; 874 ptr16 = (u16 *) record->data; 875 876 /* parse what was an S3 srec and put it in the right array */ 877 switch (addr) { 878 case S3ADDR_START: 879 startaddr = *ptr32; 880 pr_debug(" S7 start addr, record=%d addr=0x%08x\n", 881 rcnt, 882 startaddr); 883 break; 884 case S3ADDR_PLUG: 885 s3plug[ns3plug].itemcode = *ptr32; 886 s3plug[ns3plug].addr = *(ptr32 + 1); 887 s3plug[ns3plug].len = *(ptr32 + 2); 888 889 pr_debug(" S3 plugrec, record=%d itemcode=0x%08x addr=0x%08x len=%d\n", 890 rcnt, 891 s3plug[ns3plug].itemcode, 892 s3plug[ns3plug].addr, 893 s3plug[ns3plug].len); 894 895 ns3plug++; 896 if (ns3plug == S3PLUG_MAX) { 897 pr_err("S3 plugrec limit reached - aborting\n"); 898 return 1; 899 } 900 break; 901 case S3ADDR_CRC: 902 s3crc[ns3crc].addr = *ptr32; 903 s3crc[ns3crc].len = *(ptr32 + 1); 904 s3crc[ns3crc].dowrite = *(ptr32 + 2); 905 906 pr_debug(" S3 crcrec, record=%d addr=0x%08x len=%d write=0x%08x\n", 907 rcnt, 908 s3crc[ns3crc].addr, 909 s3crc[ns3crc].len, 910 s3crc[ns3crc].dowrite); 911 ns3crc++; 912 if (ns3crc == S3CRC_MAX) { 913 pr_err("S3 crcrec limit reached - aborting\n"); 914 return 1; 915 } 916 break; 917 case S3ADDR_INFO: 918 s3info[ns3info].len = *ptr16; 919 s3info[ns3info].type = *(ptr16 + 1); 920 921 pr_debug(" S3 inforec, record=%d len=0x%04x type=0x%04x\n", 922 rcnt, 923 s3info[ns3info].len, 924 s3info[ns3info].type); 925 if (((s3info[ns3info].len - 1) * sizeof(u16)) > sizeof(s3info[ns3info].info)) { 926 pr_err("S3 inforec length too long - aborting\n"); 927 return 1; 928 } 929 930 tmpinfo = (u16 *)&(s3info[ns3info].info.version); 931 pr_debug(" info="); 932 for (i = 0; i < s3info[ns3info].len - 1; i++) { 933 tmpinfo[i] = *(ptr16 + 2 + i); 934 pr_debug("%04x ", tmpinfo[i]); 935 } 936 pr_debug("\n"); 937 938 ns3info++; 939 if (ns3info == S3INFO_MAX) { 940 pr_err("S3 inforec limit reached - aborting\n"); 941 return 1; 942 } 943 break; 944 default: /* Data record */ 945 s3data[ns3data].addr = addr; 946 s3data[ns3data].len = len; 947 s3data[ns3data].data = (uint8_t *) record->data; 948 ns3data++; 949 if (ns3data == S3DATA_MAX) { 950 pr_err("S3 datarec limit reached - aborting\n"); 951 return 1; 952 } 953 break; 954 } 955 record = ihex_next_binrec(record); 956 } 957 return 0; 958} 959 960/*---------------------------------------------------------------- 961* writeimage 962* 963* Takes the chunks, builds p80211 messages and sends them down 964* to the driver for writing to the card. 965* 966* Arguments: 967* wlandev device 968* fchunk Array of image chunks 969* nfchunks Number of image chunks 970* 971* Returns: 972* 0 success 973* ~0 failure 974----------------------------------------------------------------*/ 975static int writeimage(wlandevice_t *wlandev, struct imgchunk *fchunk, 976 unsigned int nfchunks) 977{ 978 int result = 0; 979 struct p80211msg_p2req_ramdl_state *rstmsg; 980 struct p80211msg_p2req_ramdl_write *rwrmsg; 981 u32 resultcode; 982 int i; 983 int j; 984 unsigned int nwrites; 985 u32 curroff; 986 u32 currlen; 987 u32 currdaddr; 988 989 rstmsg = kmalloc(sizeof(*rstmsg), GFP_KERNEL); 990 rwrmsg = kmalloc(sizeof(*rwrmsg), GFP_KERNEL); 991 if (!rstmsg || !rwrmsg) { 992 kfree(rstmsg); 993 kfree(rwrmsg); 994 netdev_err(wlandev->netdev, 995 "writeimage: no memory for firmware download, aborting download\n"); 996 return -ENOMEM; 997 } 998 999 /* Initialize the messages */ 1000 memset(rstmsg, 0, sizeof(*rstmsg)); 1001 strcpy(rstmsg->devname, wlandev->name); 1002 rstmsg->msgcode = DIDmsg_p2req_ramdl_state; 1003 rstmsg->msglen = sizeof(*rstmsg); 1004 rstmsg->enable.did = DIDmsg_p2req_ramdl_state_enable; 1005 rstmsg->exeaddr.did = DIDmsg_p2req_ramdl_state_exeaddr; 1006 rstmsg->resultcode.did = DIDmsg_p2req_ramdl_state_resultcode; 1007 rstmsg->enable.status = P80211ENUM_msgitem_status_data_ok; 1008 rstmsg->exeaddr.status = P80211ENUM_msgitem_status_data_ok; 1009 rstmsg->resultcode.status = P80211ENUM_msgitem_status_no_value; 1010 rstmsg->enable.len = sizeof(u32); 1011 rstmsg->exeaddr.len = sizeof(u32); 1012 rstmsg->resultcode.len = sizeof(u32); 1013 1014 memset(rwrmsg, 0, sizeof(*rwrmsg)); 1015 strcpy(rwrmsg->devname, wlandev->name); 1016 rwrmsg->msgcode = DIDmsg_p2req_ramdl_write; 1017 rwrmsg->msglen = sizeof(*rwrmsg); 1018 rwrmsg->addr.did = DIDmsg_p2req_ramdl_write_addr; 1019 rwrmsg->len.did = DIDmsg_p2req_ramdl_write_len; 1020 rwrmsg->data.did = DIDmsg_p2req_ramdl_write_data; 1021 rwrmsg->resultcode.did = DIDmsg_p2req_ramdl_write_resultcode; 1022 rwrmsg->addr.status = P80211ENUM_msgitem_status_data_ok; 1023 rwrmsg->len.status = P80211ENUM_msgitem_status_data_ok; 1024 rwrmsg->data.status = P80211ENUM_msgitem_status_data_ok; 1025 rwrmsg->resultcode.status = P80211ENUM_msgitem_status_no_value; 1026 rwrmsg->addr.len = sizeof(u32); 1027 rwrmsg->len.len = sizeof(u32); 1028 rwrmsg->data.len = WRITESIZE_MAX; 1029 rwrmsg->resultcode.len = sizeof(u32); 1030 1031 /* Send xxx_state(enable) */ 1032 pr_debug("Sending dl_state(enable) message.\n"); 1033 rstmsg->enable.data = P80211ENUM_truth_true; 1034 rstmsg->exeaddr.data = startaddr; 1035 1036 result = prism2mgmt_ramdl_state(wlandev, rstmsg); 1037 if (result) { 1038 netdev_err(wlandev->netdev, 1039 "writeimage state enable failed w/ result=%d, aborting download\n", 1040 result); 1041 goto free_result; 1042 } 1043 resultcode = rstmsg->resultcode.data; 1044 if (resultcode != P80211ENUM_resultcode_success) { 1045 netdev_err(wlandev->netdev, 1046 "writeimage()->xxxdl_state msg indicates failure, w/ resultcode=%d, aborting download.\n", 1047 resultcode); 1048 result = 1; 1049 goto free_result; 1050 } 1051 1052 /* Now, loop through the data chunks and send WRITESIZE_MAX data */ 1053 for (i = 0; i < nfchunks; i++) { 1054 nwrites = fchunk[i].len / WRITESIZE_MAX; 1055 nwrites += (fchunk[i].len % WRITESIZE_MAX) ? 1 : 0; 1056 curroff = 0; 1057 for (j = 0; j < nwrites; j++) { 1058 /* TODO Move this to a separate function */ 1059 int lenleft = fchunk[i].len - (WRITESIZE_MAX * j); 1060 1061 if (fchunk[i].len > WRITESIZE_MAX) 1062 currlen = WRITESIZE_MAX; 1063 else 1064 currlen = lenleft; 1065 curroff = j * WRITESIZE_MAX; 1066 currdaddr = fchunk[i].addr + curroff; 1067 /* Setup the message */ 1068 rwrmsg->addr.data = currdaddr; 1069 rwrmsg->len.data = currlen; 1070 memcpy(rwrmsg->data.data, 1071 fchunk[i].data + curroff, currlen); 1072 1073 /* Send flashdl_write(pda) */ 1074 pr_debug 1075 ("Sending xxxdl_write message addr=%06x len=%d.\n", 1076 currdaddr, currlen); 1077 1078 result = prism2mgmt_ramdl_write(wlandev, rwrmsg); 1079 1080 /* Check the results */ 1081 if (result) { 1082 netdev_err(wlandev->netdev, 1083 "writeimage chunk write failed w/ result=%d, aborting download\n", 1084 result); 1085 goto free_result; 1086 } 1087 resultcode = rstmsg->resultcode.data; 1088 if (resultcode != P80211ENUM_resultcode_success) { 1089 pr_err("writeimage()->xxxdl_write msg indicates failure, w/ resultcode=%d, aborting download.\n", 1090 resultcode); 1091 result = 1; 1092 goto free_result; 1093 } 1094 1095 } 1096 } 1097 1098 /* Send xxx_state(disable) */ 1099 pr_debug("Sending dl_state(disable) message.\n"); 1100 rstmsg->enable.data = P80211ENUM_truth_false; 1101 rstmsg->exeaddr.data = 0; 1102 1103 result = prism2mgmt_ramdl_state(wlandev, rstmsg); 1104 if (result) { 1105 netdev_err(wlandev->netdev, 1106 "writeimage state disable failed w/ result=%d, aborting download\n", 1107 result); 1108 goto free_result; 1109 } 1110 resultcode = rstmsg->resultcode.data; 1111 if (resultcode != P80211ENUM_resultcode_success) { 1112 netdev_err(wlandev->netdev, 1113 "writeimage()->xxxdl_state msg indicates failure, w/ resultcode=%d, aborting download.\n", 1114 resultcode); 1115 result = 1; 1116 goto free_result; 1117 } 1118 1119free_result: 1120 kfree(rstmsg); 1121 kfree(rwrmsg); 1122 return result; 1123} 1124 1125static int validate_identity(void) 1126{ 1127 int i; 1128 int result = 1; 1129 int trump = 0; 1130 1131 pr_debug("NIC ID: %#x v%d.%d.%d\n", 1132 nicid.id, nicid.major, nicid.minor, nicid.variant); 1133 pr_debug("MFI ID: %#x v%d %d->%d\n", 1134 rfid.id, rfid.variant, rfid.bottom, rfid.top); 1135 pr_debug("CFI ID: %#x v%d %d->%d\n", 1136 macid.id, macid.variant, macid.bottom, macid.top); 1137 pr_debug("PRI ID: %#x v%d %d->%d\n", 1138 priid.id, priid.variant, priid.bottom, priid.top); 1139 1140 for (i = 0; i < ns3info; i++) { 1141 switch (s3info[i].type) { 1142 case 1: 1143 pr_debug("Version: ID %#x %d.%d.%d\n", 1144 s3info[i].info.version.id, 1145 s3info[i].info.version.major, 1146 s3info[i].info.version.minor, 1147 s3info[i].info.version.variant); 1148 break; 1149 case 2: 1150 pr_debug("Compat: Role %#x Id %#x v%d %d->%d\n", 1151 s3info[i].info.compat.role, 1152 s3info[i].info.compat.id, 1153 s3info[i].info.compat.variant, 1154 s3info[i].info.compat.bottom, 1155 s3info[i].info.compat.top); 1156 1157 /* MAC compat range */ 1158 if ((s3info[i].info.compat.role == 1) && 1159 (s3info[i].info.compat.id == 2)) { 1160 if (s3info[i].info.compat.variant != 1161 macid.variant) { 1162 result = 2; 1163 } 1164 } 1165 1166 /* PRI compat range */ 1167 if ((s3info[i].info.compat.role == 1) && 1168 (s3info[i].info.compat.id == 3)) { 1169 if ((s3info[i].info.compat.bottom > priid.top) 1170 || (s3info[i].info.compat.top < 1171 priid.bottom)) { 1172 result = 3; 1173 } 1174 } 1175 /* SEC compat range */ 1176 if ((s3info[i].info.compat.role == 1) && 1177 (s3info[i].info.compat.id == 4)) { 1178 /* FIXME: isn't something missing here? */ 1179 } 1180 1181 break; 1182 case 3: 1183 pr_debug("Seq: %#x\n", s3info[i].info.buildseq); 1184 1185 break; 1186 case 4: 1187 pr_debug("Platform: ID %#x %d.%d.%d\n", 1188 s3info[i].info.version.id, 1189 s3info[i].info.version.major, 1190 s3info[i].info.version.minor, 1191 s3info[i].info.version.variant); 1192 1193 if (nicid.id != s3info[i].info.version.id) 1194 continue; 1195 if (nicid.major != s3info[i].info.version.major) 1196 continue; 1197 if (nicid.minor != s3info[i].info.version.minor) 1198 continue; 1199 if ((nicid.variant != s3info[i].info.version.variant) && 1200 (nicid.id != 0x8008)) 1201 continue; 1202 1203 trump = 1; 1204 break; 1205 case 0x8001: 1206 pr_debug("name inforec len %d\n", s3info[i].len); 1207 1208 break; 1209 default: 1210 pr_debug("Unknown inforec type %d\n", s3info[i].type); 1211 } 1212 } 1213 /* walk through */ 1214 1215 if (trump && (result != 2)) 1216 result = 0; 1217 return result; 1218} 1219