1 /* 2 * Copyright (C) 2018 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 4. Any redistribution, use, or modification is done solely for 17 * personal benefit and not for any commercial purpose or for 18 * monetary gain. 19 * 20 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS 21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BLUEKITCHEN 24 * GMBH OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 27 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 30 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * Please inquire about commercial licensing options at 34 * [email protected] 35 * 36 */ 37 38 #define BTSTACK_FILE__ "btstack_chipset_intel_firmware.c" 39 40 #include <fcntl.h> 41 #include <stdio.h> 42 #include <inttypes.h> 43 44 #include "btstack_chipset_intel_firmware.h" 45 46 #include "bluetooth.h" 47 #include "btstack_debug.h" 48 #include "btstack_event.h" 49 #include "btstack_run_loop.h" 50 #include "btstack_util.h" 51 #include "hci.h" 52 #include "hci_cmd.h" 53 #include "hci_dump.h" 54 55 #ifdef _MSC_VER 56 // ignore deprecated warning for fopen 57 #pragma warning(disable : 4996) 58 #endif 59 60 // assert outgoing and incoming hci packet buffers can hold max hci command resp. event packet 61 #if HCI_OUTGOING_PACKET_BUFFER_SIZE < (HCI_CMD_HEADER_SIZE + 255) 62 #error "HCI_OUTGOING_PACKET_BUFFER_SIZE to small. Outgoing HCI packet buffer to small for largest HCI Command packet. Please set HCI_ACL_PAYLOAD_SIZE to 258 or higher." 63 #endif 64 #if HCI_INCOMING_PACKET_BUFFER_SIZE < (HCI_EVENT_HEADER_SIZE_HEADER_SIZE + 255) 65 #error "HCI_INCOMING_PACKET_BUFFER_SIZE to small. Incoming HCI packet buffer to small for largest HCI Event packet. Please set HCI_ACL_PAYLOAD_SIZE to 257 or higher." 66 #endif 67 68 // Vendor specific structs 69 70 typedef struct { 71 uint8_t status; 72 uint8_t hw_platform; 73 uint8_t hw_variant; 74 uint8_t hw_revision; 75 uint8_t fw_variant; 76 uint8_t fw_revision; 77 uint8_t fw_build_num; 78 uint8_t fw_build_ww; 79 uint8_t fw_build_yy; 80 uint8_t fw_patch_num; 81 } intel_version_t; 82 83 typedef struct { 84 uint8_t status; 85 uint8_t otp_format; 86 uint8_t otp_content; 87 uint8_t otp_patch; 88 uint16_t dev_revid; 89 uint8_t secure_boot; 90 uint8_t key_from_hdr; 91 uint8_t key_type; 92 uint8_t otp_lock; 93 uint8_t api_lock; 94 uint8_t debug_lock; 95 bd_addr_t otp_bdaddr; 96 uint8_t min_fw_build_nn; 97 uint8_t min_fw_build_cw; 98 uint8_t min_fw_build_yy; 99 uint8_t limited_cce; 100 uint8_t unlocked_state; 101 } intel_boot_params_t; 102 103 typedef enum { 104 INTEL_CONTROLLER_LEGACY, 105 INTEL_CONTROLLER_TLV, 106 } intel_controller_mode_t; 107 108 typedef enum { 109 STATE_INITIAL = 0, 110 STATE_HANDLE_HCI_RESET = 1, 111 STATE_HANDLE_READ_VERSION_1 = 2, 112 STATE_HANDLE_READ_SECURE_BOOT_PARAMS = 3, 113 STATE_SEND_PUBLIC_KEY_1 = 4, 114 STATE_SEND_PUBLIC_KEY_2 = 5, 115 STATE_SEND_SIGNATURE_PART_1 = 6, 116 STATE_SEND_SIGNATURE_PART_2 = 7, 117 STATE_SEND_FIRMWARE_CHUNK = 8, 118 STATE_HANDLE_FIRMWARE_CHUNKS_SENT = 9, 119 STATE_HANDLE_VENDOR_SPECIFIC_EVENT_02 = 10, 120 STATE_HANDLE_READ_VERSION_2 = 11, 121 STATE_SEND_DDC = 12, 122 STATE_DONE = 15 123 } state_t; 124 125 // Vendor specific commands 126 127 static const hci_cmd_t hci_intel_read_version = { 128 0xfc05, "1" 129 }; 130 static const hci_cmd_t hci_intel_read_secure_boot_params = { 131 0xfc0d, "" 132 }; 133 134 static const hci_cmd_t hci_intel_reset_param = { 135 0xfc01, "11111111" 136 }; 137 138 static const hci_cmd_t hci_intel_set_event_mask = { 139 0xfc52, "11111111" 140 }; 141 142 // state 143 144 const char * firmware_folder_path = "."; 145 146 static intel_version_t intel_version; 147 static intel_boot_params_t intel_boot_params; 148 149 static intel_controller_mode_t controller_mode; 150 151 const hci_transport_t * transport; 152 153 static state_t state; 154 155 static int vendor_firmware_complete_received; 156 static int waiting_for_command_complete; 157 158 static uint8_t hci_outgoing[300]; 159 static uint8_t fw_buffer[300]; 160 161 static uint8_t hw_variant; 162 static uint16_t dev_revid; 163 164 static FILE * fw_file; 165 static size_t fw_offset; 166 167 static void (*done)(int result); 168 169 // functions 170 171 static int intel_get_firmware_name(intel_version_t *version, intel_boot_params_t *params, const char *folder_path, 172 const char *suffix, char *firmware_path, size_t firmware_path_len) { 173 switch (version->hw_variant) 174 { 175 case 0x0b: /* SfP */ 176 case 0x0c: /* WsP */ 177 snprintf(firmware_path, firmware_path_len, "%s/ibt-%u-%u.%s", 178 folder_path, 179 version->hw_variant, 180 little_endian_read_16((const uint8_t *)¶ms->dev_revid, 0), 181 suffix); 182 break; 183 case 0x11: /* JfP */ 184 case 0x12: /* ThP */ 185 case 0x13: /* HrP */ 186 case 0x14: /* CcP */ 187 snprintf(firmware_path, firmware_path_len, "%s/ibt-%u-%u-%u.%s", 188 folder_path, 189 version->hw_variant, 190 version->hw_revision, 191 version->fw_revision, 192 suffix); 193 break; 194 default: 195 printf("Unsupported Intel hardware variant (%u)\n", version->hw_variant); 196 break; 197 } 198 199 return 0; 200 } 201 202 static int transport_send_packet(uint8_t packet_type, const uint8_t * packet, uint16_t size){ 203 hci_dump_packet(HCI_COMMAND_DATA_PACKET, 0, (uint8_t*) packet, size); 204 return transport->send_packet(packet_type, (uint8_t *) packet, size); 205 } 206 207 static int transport_send_cmd_va_arg(const hci_cmd_t *cmd, va_list argptr){ 208 uint8_t * packet = hci_outgoing; 209 uint16_t size = hci_cmd_create_from_template(packet, cmd, argptr); 210 return transport_send_packet(HCI_COMMAND_DATA_PACKET, packet, size); 211 } 212 213 static int transport_send_cmd(const hci_cmd_t *cmd, ...){ 214 va_list argptr; 215 va_start(argptr, cmd); 216 int res = transport_send_cmd_va_arg(cmd, argptr); 217 va_end(argptr); 218 return res; 219 } 220 221 static int transport_send_intel_secure(uint8_t fragment_type, const uint8_t * data, uint8_t len){ 222 little_endian_store_16(hci_outgoing, 0, 0xfc09); 223 hci_outgoing[2] = 1 + len; 224 hci_outgoing[3] = fragment_type; 225 memcpy(&hci_outgoing[4], data, len); 226 uint16_t size = 3 + 1 + len; 227 return transport_send_packet(HCI_ACL_DATA_PACKET, hci_outgoing, size); 228 } 229 230 static int transport_send_intel_ddc(const uint8_t * data, uint8_t len){ 231 little_endian_store_16(hci_outgoing, 0, 0xfc8b); 232 hci_outgoing[2] = len; 233 memcpy(&hci_outgoing[3], data, len); 234 uint16_t size = 3 + len; 235 return transport_send_packet(HCI_COMMAND_DATA_PACKET, hci_outgoing, size); 236 } 237 238 static void state_machine(uint8_t *packet, uint16_t size); 239 240 // read data from fw file and send it via intel_secure + update state 241 static int intel_send_fragment(uint8_t fragment_type, uint8_t len){ 242 size_t res = fread(fw_buffer, 1, len, fw_file); 243 log_info("offset %6" PRId32 ", read %3u -> res %" PRId32 "", (int32_t)fw_offset, len, (int32_t)res); 244 fw_offset += res; 245 return transport_send_intel_secure(fragment_type, fw_buffer, len); 246 } 247 248 // read data from ddc file and send iva intel ddc command 249 // @returns -1 on eof 250 static int intel_send_ddc(void){ 251 size_t res; 252 // read len 253 res = fread(fw_buffer, 1, 1, fw_file); 254 log_info("offset %6" PRId32 ", read 1 -> res %" PRId32 "", (int32_t)fw_offset, (int32_t)res); 255 if (res == 0) return -1; 256 uint8_t len = fw_buffer[0]; 257 fw_offset += 1; 258 res = fread(&fw_buffer[1], 1, len, fw_file); 259 log_info("offset %6" PRId32 ", read %u -> res %" PRId32 "", (int32_t)fw_offset, 1, (int32_t)res); 260 return transport_send_intel_ddc(fw_buffer, 1 + len); 261 } 262 263 static void dump_intel_version(intel_version_t * version){ 264 log_info("status 0x%02x", version->status); 265 log_info("hw_platform 0x%02x", version->hw_platform); 266 log_info("hw_variant 0x%02x", version->hw_variant); 267 log_info("hw_revision 0x%02x", version->hw_revision); 268 log_info("fw_variant 0x%02x", version->fw_variant); 269 log_info("fw_revision 0x%02x", version->fw_revision); 270 log_info("fw_build_num 0x%02x", version->fw_build_num); 271 log_info("fw_build_ww 0x%02x", version->fw_build_ww); 272 log_info("fw_build_yy 0x%02x", version->fw_build_yy); 273 log_info("fw_patch_num 0x%02x", version->fw_patch_num); 274 } 275 276 static void dump_intel_boot_params(intel_boot_params_t * boot_params){ 277 bd_addr_t addr; 278 reverse_bd_addr(boot_params->otp_bdaddr, addr); 279 log_info("Device revision: %u", dev_revid); 280 log_info("Secure Boot: %s", boot_params->secure_boot ? "enabled" : "disabled"); 281 log_info("OTP lock: %s", boot_params->otp_lock ? "enabled" : "disabled"); 282 log_info("API lock: %s", boot_params->api_lock ? "enabled" : "disabled"); 283 log_info("Debug lock: %s", boot_params->debug_lock ? "enabled" : "disabled"); 284 log_info("Minimum firmware build %u week %u %u", boot_params->min_fw_build_nn, boot_params->min_fw_build_cw, 2000 + boot_params->min_fw_build_yy); 285 log_info("OTC BD_ADDR: %s", bd_addr_to_str(addr)); 286 } 287 288 static void state_machine(uint8_t *packet, uint16_t size) { 289 size_t res; 290 size_t buffer_offset; 291 bd_addr_t addr; 292 char fw_path[300]; 293 294 if (packet){ 295 // firmware upload complete event? 296 if (packet[0] == 0xff && packet[2] == 0x06) { 297 vendor_firmware_complete_received = 1; 298 } 299 300 // command complete 301 if (packet[0] == 0x0e){ 302 waiting_for_command_complete = 0; 303 } 304 } 305 306 switch (state){ 307 case STATE_INITIAL: 308 controller_mode = INTEL_CONTROLLER_LEGACY; 309 state = STATE_HANDLE_HCI_RESET; 310 transport_send_cmd(&hci_reset); 311 break; 312 case STATE_HANDLE_HCI_RESET: 313 // check if HCI Reset was supported 314 if (packet[0] == 0x0e && packet[1] == 0x04 && packet[3] == 0x03 && packet[4] == 0x0c && packet[5] == 0x00){ 315 log_info("HCI Reset was successful, no need for firmware upload / or not an Intel chipset"); 316 (*done)(0); 317 break; 318 } 319 320 // Read Intel Version 321 state = STATE_HANDLE_READ_VERSION_1; 322 transport_send_cmd(&hci_intel_read_version, 0xff); 323 break; 324 case STATE_HANDLE_READ_VERSION_1: 325 // detect legacy vs. new TLV mode based on Read Version response 326 if ((size == sizeof(intel_version_t)) || (packet[1] != 0x037)){ 327 controller_mode = INTEL_CONTROLLER_TLV; 328 printf("\nERROR: Intel Controller uses new TLV mode. TLV mode is not supported yet\n"); 329 printf("Details: https://github.com/torvalds/linux/blob/master/drivers/bluetooth/btintel.c\n\n"); 330 log_error("TLV mode not supported"); 331 (*done)(1); 332 break; 333 } 334 335 // legacy mode 336 intel_version = *(intel_version_t*) hci_event_command_complete_get_return_parameters(packet); 337 dump_intel_version(&intel_version); 338 339 hw_variant = intel_version.hw_variant; 340 341 // fw_variant = 0x06 bootloader mode / 0x23 operational mode 342 if (intel_version.fw_variant == 0x23) { 343 (*done)(0); 344 break; 345 } 346 347 if (intel_version.fw_variant != 0x06){ 348 log_error("unknown fw_variant 0x%02x", intel_version.fw_variant); 349 break; 350 } 351 352 // Read Intel Secure Boot Params 353 state = STATE_HANDLE_READ_SECURE_BOOT_PARAMS; 354 transport_send_cmd(&hci_intel_read_secure_boot_params); 355 break; 356 case STATE_HANDLE_READ_SECURE_BOOT_PARAMS: 357 intel_boot_params = *(intel_boot_params_t *) hci_event_command_complete_get_return_parameters(packet); 358 dump_intel_boot_params(&intel_boot_params); 359 360 reverse_bd_addr(intel_boot_params.otp_bdaddr, addr); 361 dev_revid = little_endian_read_16((uint8_t*)&intel_boot_params.dev_revid, 0); 362 363 // assert command complete is required 364 if (intel_boot_params.limited_cce != 0) break; 365 366 // firmware file 367 intel_get_firmware_name(&intel_version, &intel_boot_params, firmware_folder_path, 368 "sfi", fw_path, sizeof(fw_path)); 369 log_info("Open firmware %s", fw_path); 370 printf("Firmware %s\n", fw_path); 371 372 // open firmware file 373 fw_offset = 0; 374 fw_file = fopen(fw_path, "rb"); 375 if (!fw_file){ 376 log_error("can't open file %s", fw_path); 377 (*done)(1); 378 return; 379 } 380 381 vendor_firmware_complete_received = 0; 382 383 // send CCS segment - offset 0 384 state = STATE_SEND_PUBLIC_KEY_1; 385 intel_send_fragment(0x00, 128); 386 break; 387 case STATE_SEND_PUBLIC_KEY_1: 388 // send public key / part 1 - offset 128 389 state = STATE_SEND_PUBLIC_KEY_2; 390 intel_send_fragment(0x03, 128); 391 break; 392 case STATE_SEND_PUBLIC_KEY_2: 393 // send public key / part 2 - offset 384 394 state = STATE_SEND_SIGNATURE_PART_1; 395 intel_send_fragment(0x03, 128); 396 break; 397 case STATE_SEND_SIGNATURE_PART_1: 398 // skip 4 bytes 399 res = fread(fw_buffer, 1, 4, fw_file); 400 log_info("read res %d", (int)res); 401 fw_offset += res; 402 403 // send signature / part 1 - offset 388 404 state = STATE_SEND_SIGNATURE_PART_2; 405 intel_send_fragment(0x02, 128); 406 break; 407 case STATE_SEND_SIGNATURE_PART_2: 408 // send signature / part 2 - offset 516 409 state = STATE_SEND_FIRMWARE_CHUNK; 410 intel_send_fragment(0x02, 128); 411 break; 412 case STATE_SEND_FIRMWARE_CHUNK: 413 // send firmware chunks - offset 644 414 // chunk len must be 4 byte aligned 415 // multiple commands can be combined 416 buffer_offset = 0; 417 do { 418 res = fread(&fw_buffer[buffer_offset], 1, 3, fw_file); 419 log_info("fw_offset %6" PRId32 ", buffer_offset %" PRId32 ", read %3u -> res %" PRId32 "", (int32_t)fw_offset, (int32_t)buffer_offset, 3, (int32_t)res); 420 fw_offset += res; 421 if (res == 0 ){ 422 // EOF 423 log_info("End of file"); 424 fclose(fw_file); 425 fw_file = NULL; 426 state = STATE_HANDLE_FIRMWARE_CHUNKS_SENT; 427 break; 428 } 429 int param_len = fw_buffer[buffer_offset + 2]; 430 buffer_offset += 3; 431 if (param_len){ 432 res = fread(&fw_buffer[buffer_offset], 1, param_len, fw_file); 433 fw_offset += res; 434 buffer_offset += res; 435 } 436 } while ((buffer_offset & 3) != 0); 437 438 if (buffer_offset == 0) break; 439 440 waiting_for_command_complete = 1; 441 transport_send_intel_secure(0x01, fw_buffer, (uint8_t) buffer_offset); 442 break; 443 444 case STATE_HANDLE_FIRMWARE_CHUNKS_SENT: 445 // expect Vendor Specific Event 0x06 446 if (!vendor_firmware_complete_received) break; 447 448 printf("Firmware upload complete\n"); 449 log_info("Vendor Event 0x06 - firmware complete"); 450 451 // Reset Params - constants from Windows Intel driver 452 state = STATE_HANDLE_VENDOR_SPECIFIC_EVENT_02; 453 transport_send_cmd(&hci_intel_reset_param, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0x04, 0x00); 454 break; 455 456 case STATE_HANDLE_VENDOR_SPECIFIC_EVENT_02: 457 // expect Vendor Specific Event 0x02 458 if (packet[0] != 0xff) break; 459 if (packet[2] != 0x02) break; 460 461 printf("Firmware operational\n"); 462 log_info("Vendor Event 0x02 - firmware operational"); 463 464 // Read Intel Version 465 state = STATE_HANDLE_READ_VERSION_2; 466 transport_send_cmd(&hci_intel_read_version); 467 break; 468 469 case STATE_HANDLE_READ_VERSION_2: 470 intel_version = *(intel_version_t*) hci_event_command_complete_get_return_parameters(packet); 471 dump_intel_version(&intel_version); 472 473 // ddc config 474 intel_get_firmware_name(&intel_version, &intel_boot_params, firmware_folder_path, 475 "ddc", fw_path, sizeof(fw_path)); 476 log_info("Open DDC %s", fw_path); 477 478 // open ddc file 479 fw_offset = 0; 480 fw_file = fopen(fw_path, "rb"); 481 if (!fw_file){ 482 log_error("can't open file %s", fw_path); 483 484 (*done)(1); 485 return; 486 } 487 488 // load ddc 489 state = STATE_SEND_DDC; 490 491 /* fall through */ 492 493 case STATE_SEND_DDC: 494 res = intel_send_ddc(); 495 if (res == 0) break; 496 497 // DDC download complete 498 log_info("Load DDC Complete"); 499 500 // TODO: check if we need to wait for HCI Command Complete, resp. add another state here 501 502 // Set Intel event mask 0xfc52 503 state = STATE_DONE; 504 transport_send_cmd(&hci_intel_set_event_mask, 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00); 505 break; 506 507 case STATE_DONE: 508 (*done)(0); 509 break; 510 511 default: 512 break; 513 } 514 } 515 516 static void transport_packet_handler (uint8_t packet_type, uint8_t *packet, uint16_t size){ 517 UNUSED(packet_type); 518 // we also get events with packet_type ACL from the controller 519 hci_dump_packet(HCI_EVENT_PACKET, 1, packet, size); 520 switch (hci_event_packet_get_type(packet)){ 521 case HCI_EVENT_COMMAND_COMPLETE: 522 case HCI_EVENT_VENDOR_SPECIFIC: 523 state_machine(packet, size); 524 break; 525 default: 526 break; 527 } 528 } 529 530 void btstack_chipset_intel_set_firmware_path(const char * path){ 531 firmware_folder_path = path; 532 } 533 534 void btstack_chipset_intel_download_firmware(const hci_transport_t * hci_transport, void (*callback)(int result)){ 535 536 done = callback; 537 538 transport = hci_transport;; 539 transport->register_packet_handler(&transport_packet_handler); 540 transport->open(); 541 542 // get started 543 state = STATE_INITIAL; 544 state_machine(NULL, 0); 545 } 546