1 /* 2 * Copyright (C) 2022 BlueKitchen GmbH 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the copyright holders nor the names of 14 * contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 4. Any redistribution, use, or modification is done solely for 17 * personal benefit and not for any commercial purpose or for 18 * monetary gain. 19 * 20 * THIS SOFTWARE IS PROVIDED BY BLUEKITCHEN GMBH AND CONTRIBUTORS 21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BLUEKITCHEN 24 * GMBH OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 27 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF 30 * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * Please inquire about commercial licensing options at 34 * [email protected] 35 * 36 */ 37 38 #define BTSTACK_FILE__ "btstack_chipset_realtek.c" 39 40 /* 41 * btstack_chipset_realtek.c 42 * 43 * Adapter to use REALTEK-based chipsets with BTstack 44 */ 45 46 #include "btstack_chipset_realtek.h" 47 48 #include <stddef.h> /* NULL */ 49 #include <stdio.h> 50 #include <string.h> /* memcpy */ 51 52 #include "btstack_control.h" 53 #include "btstack_debug.h" 54 #include "btstack_event.h" 55 #include "btstack_linked_list.h" 56 #include "btstack_util.h" 57 #include "hci.h" 58 #include "hci_transport.h" 59 60 #ifdef _MSC_VER 61 // ignore deprecated warning for fopen 62 #pragma warning(disable : 4996) 63 #endif 64 65 #define ROM_LMP_NONE 0x0000 66 #define ROM_LMP_8723a 0x1200 67 #define ROM_LMP_8723b 0x8723 68 #define ROM_LMP_8821a 0x8821 69 #define ROM_LMP_8761a 0x8761 70 #define ROM_LMP_8822b 0x8822 71 #define ROM_LMP_8852a 0x8852 72 #define ROM_LMP_8851b 0x8851 73 74 #define HCI_OPCODE_HCI_RTK_DOWNLOAD_FW 0xFC20 75 #define HCI_OPCODE_HCI_RTK_READ_ROM_VERSION 0xFC6D 76 77 #define READ_SEC_PROJ 4 78 79 #define HCI_CMD_SET_OPCODE(buf, opcode) little_endian_store_16(buf, 0, opcode) 80 #define HCI_CMD_SET_LENGTH(buf, length) buf[2] = length 81 #define HCI_CMD_DOWNLOAD_SET_INDEX(buf, index) buf[3] = index 82 #define HCI_CMD_DOWNLOAD_COPY_FW_DATA(buf, firmware, ptr, len) memcpy(buf + 4, firmware + ptr, len) 83 84 #define PATCH_SNIPPETS 0x01 85 #define PATCH_DUMMY_HEADER 0x02 86 #define PATCH_SECURITY_HEADER 0x03 87 #define PATCH_OTA_FLAG 0x04 88 #define SECTION_HEADER_SIZE 8 89 90 /* software id */ 91 #define RTLPREVIOUS 0x00 92 #define RTL8822BU 0x70 93 #define RTL8723DU 0x71 94 #define RTL8821CU 0x72 95 #define RTL8822CU 0x73 96 #define RTL8761BU 0x74 97 #define RTL8852AU 0x75 98 #define RTL8723FU 0x76 99 #define RTL8852BU 0x77 100 #define RTL8852CU 0x78 101 #define RTL8822EU 0x79 102 #define RTL8851BU 0x7A 103 104 struct rtk_epatch_entry { 105 uint16_t chipID; 106 uint16_t patch_length; 107 uint32_t start_offset; 108 } __attribute__ ((packed)); 109 110 struct rtk_epatch { 111 uint8_t signature[8]; 112 uint32_t fw_version; 113 uint16_t number_of_total_patch; 114 struct rtk_epatch_entry entry[0]; 115 } __attribute__ ((packed)); 116 117 struct rtk_extension_entry { 118 uint8_t opcode; 119 uint8_t length; 120 uint8_t *data; 121 } __attribute__ ((packed)); 122 123 struct rtb_section_hdr { 124 uint32_t opcode; 125 uint32_t section_len; 126 uint32_t soffset; 127 } __attribute__ ((packed)); 128 129 struct rtb_new_patch_hdr { 130 uint8_t signature[8]; 131 uint8_t fw_version[8]; 132 uint32_t number_of_section; 133 } __attribute__ ((packed)); 134 135 enum { 136 // Pre-Init: runs before HCI Reset 137 STATE_PHASE_1_READ_LMP_SUBVERSION, 138 STATE_PHASE_1_W4_READ_LMP_SUBVERSION, 139 STATE_PHASE_1_READ_HCI_REVISION, 140 STATE_PHASE_1_W4_READ_HCI_REVISION, 141 STATE_PHASE_1_DONE, 142 // Custom Init: runs after HCI Reset 143 STATE_PHASE_2_READ_ROM_VERSION, 144 STATE_PHASE_2_READ_SEC_PROJ, 145 STATE_PHASE_2_W4_SEC_PROJ, 146 STATE_PHASE_2_LOAD_FIRMWARE, 147 STATE_PHASE_2_RESET, 148 STATE_PHASE_2_DONE, 149 }; 150 enum { FW_DONE, FW_MORE_TO_DO }; 151 152 typedef struct { 153 uint16_t prod_id; 154 uint16_t lmp_sub; 155 char * mp_patch_name; 156 char * patch_name; 157 char * config_name; 158 159 uint8_t *fw_cache1; 160 int fw_len1; 161 uint8_t chip_type; 162 } patch_info; 163 164 static const patch_info fw_patch_table[] = { 165 /* { pid, lmp_sub, mp_fw_name, fw_name, config_name, chip_type } */ 166 {0x1724, 0x1200, "mp_rtl8723a_fw", "rtl8723a_fw", "rtl8723a_config", NULL, 0, RTLPREVIOUS}, /* RTL8723A */ 167 {0x8723, 0x1200, "mp_rtl8723a_fw", "rtl8723a_fw", "rtl8723a_config", NULL, 0, RTLPREVIOUS}, /* 8723AE */ 168 {0xA723, 0x1200, "mp_rtl8723a_fw", "rtl8723a_fw", "rtl8723a_config", NULL, 0, RTLPREVIOUS}, /* 8723AE for LI */ 169 {0x0723, 0x1200, "mp_rtl8723a_fw", "rtl8723a_fw", "rtl8723a_config", NULL, 0, RTLPREVIOUS}, /* 8723AE */ 170 {0x3394, 0x1200, "mp_rtl8723a_fw", "rtl8723a_fw", "rtl8723a_config", NULL, 0, RTLPREVIOUS}, /* 8723AE for Azurewave */ 171 172 {0x0724, 0x1200, "mp_rtl8723a_fw", "rtl8723a_fw", "rtl8723a_config", NULL, 0, RTLPREVIOUS}, /* 8723AU */ 173 {0x8725, 0x1200, "mp_rtl8723a_fw", "rtl8723a_fw", "rtl8723a_config", NULL, 0, RTLPREVIOUS}, /* 8723AU */ 174 {0x872A, 0x1200, "mp_rtl8723a_fw", "rtl8723a_fw", "rtl8723a_config", NULL, 0, RTLPREVIOUS}, /* 8723AU */ 175 {0x872B, 0x1200, "mp_rtl8723a_fw", "rtl8723a_fw", "rtl8723a_config", NULL, 0, RTLPREVIOUS}, /* 8723AU */ 176 177 {0xb720, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BU */ 178 {0xb72A, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BU */ 179 {0xb728, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE for LC */ 180 {0xb723, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE */ 181 {0xb72B, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE */ 182 {0xb001, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE for HP */ 183 {0xb002, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE */ 184 {0xb003, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE */ 185 {0xb004, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE */ 186 {0xb005, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE */ 187 188 {0x3410, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE for Azurewave */ 189 {0x3416, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE for Azurewave */ 190 {0x3459, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE for Azurewave */ 191 {0xE085, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE for Foxconn */ 192 {0xE08B, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE for Foxconn */ 193 {0xE09E, 0x8723, "mp_rtl8723b_fw", "rtl8723b_fw", "rtl8723b_config", NULL, 0, RTLPREVIOUS}, /* RTL8723BE for Foxconn */ 194 195 {0xA761, 0x8761, "mp_rtl8761a_fw", "rtl8761au_fw", "rtl8761a_config", NULL, 0, RTLPREVIOUS}, /* RTL8761AU only */ 196 {0x818B, 0x8761, "mp_rtl8761a_fw", "rtl8761aw_fw", "rtl8761aw_config", NULL, 0, RTLPREVIOUS}, /* RTL8761AW + 8192EU */ 197 {0x818C, 0x8761, "mp_rtl8761a_fw", "rtl8761aw_fw", "rtl8761aw_config", NULL, 0, RTLPREVIOUS}, /* RTL8761AW + 8192EU */ 198 {0x8760, 0x8761, "mp_rtl8761a_fw", "rtl8761au8192ee_fw", "rtl8761a_config", NULL, 0, RTLPREVIOUS}, /* RTL8761AU + 8192EE */ 199 {0xB761, 0x8761, "mp_rtl8761a_fw", "rtl8761au_fw", "rtl8761a_config", NULL, 0, RTLPREVIOUS}, /* RTL8761AUV only */ 200 {0x8761, 0x8761, "mp_rtl8761a_fw", "rtl8761au8192ee_fw", "rtl8761a_config", NULL, 0, RTLPREVIOUS}, /* RTL8761AU + 8192EE for LI */ 201 {0x8A60, 0x8761, "mp_rtl8761a_fw", "rtl8761au8812ae_fw", "rtl8761a_config", NULL, 0, RTLPREVIOUS}, /* RTL8761AU + 8812AE */ 202 {0x3527, 0x8761, "mp_rtl8761a_fw", "rtl8761au8192ee_fw", "rtl8761a_config", NULL, 0, RTLPREVIOUS}, /* RTL8761AU + 8814AE */ 203 204 {0x8821, 0x8821, "mp_rtl8821a_fw", "rtl8821a_fw", "rtl8821a_config", NULL, 0, RTLPREVIOUS}, /* RTL8821AE */ 205 {0x0821, 0x8821, "mp_rtl8821a_fw", "rtl8821a_fw", "rtl8821a_config", NULL, 0, RTLPREVIOUS}, /* RTL8821AE */ 206 {0x0823, 0x8821, "mp_rtl8821a_fw", "rtl8821a_fw", "rtl8821a_config", NULL, 0, RTLPREVIOUS}, /* RTL8821AU */ 207 {0x3414, 0x8821, "mp_rtl8821a_fw", "rtl8821a_fw", "rtl8821a_config", NULL, 0, RTLPREVIOUS}, /* RTL8821AE */ 208 {0x3458, 0x8821, "mp_rtl8821a_fw", "rtl8821a_fw", "rtl8821a_config", NULL, 0, RTLPREVIOUS}, /* RTL8821AE */ 209 {0x3461, 0x8821, "mp_rtl8821a_fw", "rtl8821a_fw", "rtl8821a_config", NULL, 0, RTLPREVIOUS}, /* RTL8821AE */ 210 {0x3462, 0x8821, "mp_rtl8821a_fw", "rtl8821a_fw", "rtl8821a_config", NULL, 0, RTLPREVIOUS}, /* RTL8821AE */ 211 212 {0xb82c, 0x8822, "mp_rtl8822bu_fw", "rtl8822bu_fw", "rtl8822bu_config", NULL, 0, RTL8822BU}, /* RTL8822BU */ 213 214 {0xd720, 0x8723, "mp_rtl8723du_fw", "rtl8723du_fw", "rtl8723du_config", NULL, 0, RTL8723DU}, /* RTL8723DU */ 215 {0xd723, 0x8723, "mp_rtl8723du_fw", "rtl8723du_fw", "rtl8723du_config", NULL, 0, RTL8723DU}, /* RTL8723DU */ 216 {0xd739, 0x8723, "mp_rtl8723du_fw", "rtl8723du_fw", "rtl8723du_config", NULL, 0, RTL8723DU}, /* RTL8723DU */ 217 {0xb009, 0x8723, "mp_rtl8723du_fw", "rtl8723du_fw", "rtl8723du_config", NULL, 0, RTL8723DU}, /* RTL8723DU */ 218 {0x0231, 0x8723, "mp_rtl8723du_fw", "rtl8723du_fw", "rtl8723du_config", NULL, 0, RTL8723DU}, /* RTL8723DU for LiteOn */ 219 220 {0xb820, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CU */ 221 {0xc820, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CU */ 222 {0xc821, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 223 {0xc823, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 224 {0xc824, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 225 {0xc825, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 226 {0xc827, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 227 {0xc025, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 228 {0xc024, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 229 {0xc030, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 230 {0xb00a, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 231 {0xb00e, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 232 {0xc032, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 233 {0x4000, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for LiteOn */ 234 {0x4001, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for LiteOn */ 235 {0x3529, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for Azurewave */ 236 {0x3530, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for Azurewave */ 237 {0x3532, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for Azurewave */ 238 {0x3533, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for Azurewave */ 239 {0x3538, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for Azurewave */ 240 {0x3539, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for Azurewave */ 241 {0x3558, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for Azurewave */ 242 {0x3559, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for Azurewave */ 243 {0x3581, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for Azurewave */ 244 {0x3540, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE */ 245 {0x3541, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for GSD */ 246 {0x3543, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CE for GSD */ 247 {0xc80c, 0x8821, "mp_rtl8821cu_fw", "rtl8821cu_fw", "rtl8821cu_config", NULL, 0, RTL8821CU}, /* RTL8821CUH */ 248 249 {0xc82c, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CU */ 250 {0xc82e, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CU */ 251 {0xc81d, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CU */ 252 {0xd820, 0x8822, "mp_rtl8821du_fw", "rtl8821du_fw", "rtl8821du_config", NULL, 0, RTL8822CU}, /* RTL8821DU */ 253 254 {0xc822, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 255 {0xc82b, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 256 {0xb00c, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 257 {0xb00d, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 258 {0xc123, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 259 {0xc126, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 260 {0xc127, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 261 {0xc128, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 262 {0xc129, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 263 {0xc131, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 264 {0xc136, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 265 {0x3549, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE for Azurewave */ 266 {0x3548, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE for Azurewave */ 267 {0xc125, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 268 {0x4005, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE for LiteOn */ 269 {0x3051, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE for LiteOn */ 270 {0x18ef, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 271 {0x161f, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 272 {0x3053, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 273 {0xc547, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 274 {0x3553, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 275 {0x3555, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE */ 276 {0xc82f, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE-VS */ 277 {0xc02f, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE-VS */ 278 {0xc03f, 0x8822, "mp_rtl8822cu_fw", "rtl8822cu_fw", "rtl8822cu_config", NULL, 0, RTL8822CU}, /* RTL8822CE-VS */ 279 280 {0x8771, 0x8761, "mp_rtl8761b_fw", "rtl8761bu_fw", "rtl8761bu_config", NULL, 0, RTL8761BU}, /* RTL8761BU only */ 281 {0xa725, 0x8761, "mp_rtl8761b_fw", "rtl8725au_fw", "rtl8725au_config", NULL, 0, RTL8761BU}, /* RTL8725AU */ 282 {0xa72A, 0x8761, "mp_rtl8761b_fw", "rtl8725au_fw", "rtl8725au_config", NULL, 0, RTL8761BU}, /* RTL8725AU BT only */ 283 284 {0x885a, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AU */ 285 {0x8852, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 286 {0xa852, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 287 {0x2852, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 288 {0x385a, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 289 {0x3852, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 290 {0x1852, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 291 {0x4852, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 292 {0x4006, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 293 {0x3561, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 294 {0x3562, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 295 {0x588a, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 296 {0x589a, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 297 {0x590a, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 298 {0xc125, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 299 {0xe852, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 300 {0xb852, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 301 {0xc852, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 302 {0xc549, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 303 {0xc127, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 304 {0x3565, 0x8852, "mp_rtl8852au_fw", "rtl8852au_fw", "rtl8852au_config", NULL, 0, RTL8852AU}, /* RTL8852AE */ 305 306 {0xb733, 0x8723, "mp_rtl8723fu_fw", "rtl8723fu_fw", "rtl8723fu_config", NULL, 0, RTL8723FU}, /* RTL8723FU */ 307 {0xb73a, 0x8723, "mp_rtl8723fu_fw", "rtl8723fu_fw", "rtl8723fu_config", NULL, 0, RTL8723FU}, /* RTL8723FU */ 308 {0xf72b, 0x8723, "mp_rtl8723fu_fw", "rtl8723fu_fw", "rtl8723fu_config", NULL, 0, RTL8723FU}, /* RTL8723FU */ 309 310 {0x8851, 0x8852, "mp_rtl8851au_fw", "rtl8851au_fw", "rtl8851au_config", NULL, 0, RTL8852BU}, /* RTL8851AU */ 311 {0xa85b, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BU */ 312 {0xb85b, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 313 {0xb85c, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 314 {0x3571, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 315 {0x3570, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 316 {0x3572, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 317 {0x4b06, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 318 {0x885b, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 319 {0x886b, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 320 {0x887b, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 321 {0xc559, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 322 {0xb052, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 323 {0xb152, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 324 {0xb252, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 325 {0x4853, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 326 {0x1670, 0x8852, "mp_rtl8852bu_fw", "rtl8852bu_fw", "rtl8852bu_config", NULL, 0, RTL8852BU}, /* RTL8852BE */ 327 328 {0xc85a, 0x8852, "mp_rtl8852cu_fw", "rtl8852cu_fw", "rtl8852cu_config", NULL, 0, RTL8852CU}, /* RTL8852CU */ 329 {0x0852, 0x8852, "mp_rtl8852cu_fw", "rtl8852cu_fw", "rtl8852cu_config", NULL, 0, RTL8852CU}, /* RTL8852CE */ 330 {0x5852, 0x8852, "mp_rtl8852cu_fw", "rtl8852cu_fw", "rtl8852cu_config", NULL, 0, RTL8852CU}, /* RTL8852CE */ 331 {0xc85c, 0x8852, "mp_rtl8852cu_fw", "rtl8852cu_fw", "rtl8852cu_config", NULL, 0, RTL8852CU}, /* RTL8852CE */ 332 {0x885c, 0x8852, "mp_rtl8852cu_fw", "rtl8852cu_fw", "rtl8852cu_config", NULL, 0, RTL8852CU}, /* RTL8852CE */ 333 {0x886c, 0x8852, "mp_rtl8852cu_fw", "rtl8852cu_fw", "rtl8852cu_config", NULL, 0, RTL8852CU}, /* RTL8852CE */ 334 {0x887c, 0x8852, "mp_rtl8852cu_fw", "rtl8852cu_fw", "rtl8852cu_config", NULL, 0, RTL8852CU}, /* RTL8852CE */ 335 {0x4007, 0x8852, "mp_rtl8852cu_fw", "rtl8852cu_fw", "rtl8852cu_config", NULL, 0, RTL8852CU}, /* RTL8852CE */ 336 337 {0xe822, 0x8822, "mp_rtl8822eu_fw", "rtl8822eu_fw", "rtl8822eu_config", NULL, 0, RTL8822EU}, /* RTL8822EU */ 338 {0xa82a, 0x8822, "mp_rtl8822eu_fw", "rtl8822eu_fw", "rtl8822eu_config", NULL, 0, RTL8822EU}, /* RTL8822EU */ 339 340 {0xb851, 0x8851, "mp_rtl8851bu_fw", "rtl8851bu_fw", "rtl8851bu_config", NULL, 0, RTL8851BU}, /* RTL8851BU */ 341 342 /* NOTE: must append patch entries above the null entry */ 343 {0, 0, NULL, NULL, NULL, NULL, 0, 0} 344 }; 345 346 static uint16_t project_id[] = { 347 ROM_LMP_8723a, ROM_LMP_8723b, ROM_LMP_8821a, ROM_LMP_8761a, ROM_LMP_NONE, 348 ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_8822b, ROM_LMP_8723b, /* RTL8723DU */ 349 ROM_LMP_8821a, /* RTL8821CU */ 350 ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_8822b, /* RTL8822CU */ 351 ROM_LMP_8761a, /* index 14 for 8761BU */ 352 ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_8852a, /* index 18 for 8852AU */ 353 ROM_LMP_8723b, /* index 19 for 8723FU */ 354 ROM_LMP_8852a, /* index 20 for 8852BU */ 355 ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_8852a, /* index 25 for 8852CU */ 356 ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_NONE, 357 ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_8822b, /* index 33 for 8822EU */ 358 ROM_LMP_NONE, ROM_LMP_NONE, ROM_LMP_8851b, /* index 36 for 8851BU */ 359 }; 360 361 static btstack_packet_callback_registration_t hci_event_callback_registration; 362 static uint8_t state; 363 static uint8_t rom_version; 364 static uint16_t lmp_subversion; 365 static uint16_t product_id; 366 static const patch_info * patch; 367 static uint8_t g_key_id = 0; 368 369 #ifdef HAVE_POSIX_FILE_IO 370 static const char *firmware_folder_path = "."; 371 static const char *firmware_file_path; 372 static const char *config_folder_path = "."; 373 static const char *config_file_path; 374 static char firmware_file[1000]; 375 static char config_file[1000]; 376 #endif 377 378 static const uint8_t FW_SIGNATURE[8] = {0x52, 0x65, 0x61, 0x6C, 0x74, 0x65, 0x63, 0x68}; 379 static const uint8_t FW_SIGNATURE_NEW[8] = {0x52, 0x54, 0x42, 0x54, 0x43, 0x6F, 0x72, 0x65}; 380 static const uint8_t EXTENSION_SIGNATURE[4] = {0x51, 0x04, 0xFD, 0x77}; 381 382 static void hci_packet_handler(uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size) { 383 UNUSED(channel); 384 UNUSED(size); 385 if (packet_type != HCI_EVENT_PACKET) { 386 return; 387 } 388 if (hci_event_packet_get_type(packet) != HCI_EVENT_COMMAND_COMPLETE) { 389 return; 390 } 391 392 uint16_t opcode = hci_event_command_complete_get_command_opcode(packet); 393 const uint8_t * return_para = hci_event_command_complete_get_return_parameters(packet); 394 switch (opcode) { 395 case HCI_OPCODE_HCI_READ_LOCAL_VERSION_INFORMATION: 396 lmp_subversion = little_endian_read_16(packet, 12); 397 break; 398 case HCI_OPCODE_HCI_RTK_READ_ROM_VERSION: 399 rom_version = return_para[1]; 400 log_info("Received ROM version 0x%02x", rom_version); 401 printf("Realtek: Received ROM version 0x%02x\n", rom_version); 402 if (patch->lmp_sub != lmp_subversion) { 403 printf("Realtek: Firmware already exists\n"); 404 state = STATE_PHASE_2_DONE; 405 } 406 break; 407 case HCI_OPCODE_HCI_RTK_READ_CARD_INFO: 408 switch (state){ 409 case STATE_PHASE_1_W4_READ_LMP_SUBVERSION: 410 log_info("Read Card: LMP Subversion"); 411 if (little_endian_read_16(hci_event_command_complete_get_return_parameters(packet), 1) == 0x8822){ 412 state = STATE_PHASE_1_READ_HCI_REVISION; 413 } else { 414 state = STATE_PHASE_1_DONE; 415 } 416 break; 417 case STATE_PHASE_1_W4_READ_HCI_REVISION: 418 log_info("Read Card: HCI Revision"); 419 if (little_endian_read_16(hci_event_command_complete_get_return_parameters(packet), 1) == 0x000e){ 420 state = STATE_PHASE_2_READ_ROM_VERSION; 421 } else { 422 state = STATE_PHASE_1_DONE; 423 } 424 break; 425 case STATE_PHASE_2_W4_SEC_PROJ: 426 g_key_id = return_para[1]; 427 printf("Realtek: Received key id 0x%02x\n", g_key_id); 428 state = STATE_PHASE_2_LOAD_FIRMWARE; 429 break; 430 default: 431 btstack_assert(false); 432 break; 433 } 434 break; 435 default: 436 break; 437 } 438 } 439 440 static void chipset_init(const void *config) { 441 UNUSED(config); 442 443 // pre-set lmp subversion: HCI starts custom download only if HCI Version = 0x00e, and LMP Subversion = 0x8822 444 lmp_subversion = 0x8822; 445 446 #ifdef HAVE_POSIX_FILE_IO 447 // determine file path 448 if (firmware_file_path == NULL || config_file_path == NULL) { 449 log_info("firmware or config file path is empty. Using product id 0x%04x!", product_id); 450 patch = NULL; 451 for (uint16_t i = 0; i < sizeof(fw_patch_table) / sizeof(patch_info); i++) { 452 if (fw_patch_table[i].prod_id == product_id) { 453 patch = &fw_patch_table[i]; 454 break; 455 } 456 } 457 if (patch == NULL) { 458 log_info("Product id 0x%04x is unknown", product_id); 459 state = STATE_PHASE_2_DONE; 460 return; 461 } 462 snprintf(firmware_file, sizeof(firmware_file), "%s/%s", firmware_folder_path, patch->patch_name); 463 snprintf(config_file, sizeof(config_file), "%s/%s", config_folder_path, patch->config_name); 464 firmware_file_path = &firmware_file[0]; 465 config_file_path = &config_file[0]; 466 //lmp_subversion = patch->lmp_sub; 467 } 468 log_info("Using firmware '%s' and config '%s'", firmware_file_path, config_file_path); 469 printf("Realtek: Using firmware '%s' and config '%s'\n", firmware_file_path, config_file_path); 470 471 // activate hci callback 472 hci_event_callback_registration.callback = &hci_packet_handler; 473 hci_add_event_handler(&hci_event_callback_registration); 474 state = STATE_PHASE_1_READ_LMP_SUBVERSION; 475 #endif 476 } 477 478 #ifdef HAVE_POSIX_FILE_IO 479 480 /** 481 * @brief Opens the specified file and stores content to an allocated buffer 482 * 483 * @param file 484 * @param buf 485 * @param name 486 * @return uint32_t Length of file 487 */ 488 static uint32_t read_file(FILE **file, uint8_t **buf, const char *name) { 489 uint32_t size; 490 491 // open file 492 *file = fopen(name, "rb"); 493 if (*file == NULL) { 494 log_info("Failed to open file %s", name); 495 return 0; 496 } 497 498 // determine length of file 499 fseek(*file, 0, SEEK_END); 500 size = ftell(*file); 501 fseek(*file, 0, SEEK_SET); 502 if (size <= 0) { 503 return 0; 504 } 505 506 // allocate memory 507 *buf = malloc(size); 508 if (*buf == NULL) { 509 fclose(*file); 510 *file = NULL; 511 log_info("Failed to allocate %u bytes for file %s", size, name); 512 return 0; 513 } 514 515 // read file 516 size_t ret = fread(*buf, size, 1, *file); 517 if (ret != 1) { 518 log_info("Failed to read %u bytes from file %s (ret = %d)", size, name, (int) ret); 519 fclose(*file); 520 free(*buf); 521 *file = NULL; 522 *buf = NULL; 523 return 0; 524 } 525 526 log_info("Opened file %s and read %u bytes", name, size); 527 return size; 528 } 529 530 static void finalize_file_and_buffer(FILE **file, uint8_t **buffer) { 531 fclose(*file); 532 free(*buffer); 533 *buffer = NULL; 534 *file = NULL; 535 } 536 537 static uint8_t rtk_get_fw_project_id(uint8_t * p_buf) 538 { 539 uint8_t opcode; 540 uint8_t len; 541 uint8_t data = 0; 542 543 do { 544 opcode = *p_buf; 545 len = *(p_buf - 1); 546 if (opcode == 0x00) { 547 if (len == 1) { 548 data = *(p_buf - 2); 549 log_info 550 ("rtk_get_fw_project_id: opcode %d, len %d, data %d", 551 opcode, len, data); 552 break; 553 } else { 554 log_error 555 ("rtk_get_fw_project_id: invalid len %d", 556 len); 557 } 558 } 559 p_buf -= len + 2; 560 } while (*p_buf != 0xFF); 561 562 return data; 563 } 564 565 struct rtb_ota_flag { 566 uint8_t eco; 567 uint8_t enable; 568 uint16_t reserve; 569 }; 570 571 struct patch_node { 572 btstack_linked_item_t item; 573 uint8_t eco; 574 uint8_t pri; 575 uint8_t key_id; 576 uint8_t reserve; 577 uint32_t len; 578 uint8_t *payload; 579 }; 580 581 /* Add a node to alist that is in ascending order. */ 582 static void insert_queue_sort(btstack_linked_list_t * list, struct patch_node *node) 583 { 584 btstack_assert(list != NULL); 585 btstack_assert(node != NULL); 586 587 struct patch_node *next; 588 btstack_linked_item_t *it; 589 590 for (it = (btstack_linked_item_t *) list; it->next ; it = it->next){ 591 next = (struct patch_node *) it->next; 592 if(next->pri >= node->pri) { 593 break; 594 } 595 } 596 node->item.next = it->next; 597 it->next = (btstack_linked_item_t *) node; 598 } 599 600 static int insert_patch(btstack_linked_list_t * patch_list, uint8_t *section_pos, 601 uint32_t opcode, uint32_t *patch_len, uint8_t *sec_flag) 602 { 603 struct patch_node *tmp; 604 uint32_t i; 605 uint32_t numbers; 606 uint32_t section_len = 0; 607 uint8_t eco = 0; 608 uint8_t *pos = section_pos + 8; 609 610 numbers = little_endian_read_16(pos, 0); 611 log_info("number 0x%04x", numbers); 612 613 pos += 4; 614 for (i = 0; i < numbers; i++) { 615 eco = (uint8_t)*(pos); 616 log_info("eco 0x%02x, Eversion:%02x", eco, rom_version); 617 if (eco == rom_version + 1) { 618 //tmp = (struct patch_node*)kzalloc(sizeof(struct patch_node), GFP_KERNEL); 619 tmp = (struct patch_node*)malloc(sizeof(struct patch_node)); 620 tmp->pri = (uint8_t)*(pos + 1); 621 if(opcode == PATCH_SECURITY_HEADER) 622 tmp->key_id = (uint8_t)*(pos + 1); 623 624 section_len = little_endian_read_32(pos, 4); 625 tmp->len = section_len; 626 *patch_len += section_len; 627 log_info("Pri:%d, Patch length 0x%04x", tmp->pri, tmp->len); 628 tmp->payload = pos + 8; 629 if(opcode != PATCH_SECURITY_HEADER) { 630 insert_queue_sort(patch_list, tmp); 631 } else { 632 if((g_key_id == tmp->key_id) && (g_key_id > 0)) { 633 insert_queue_sort(patch_list, tmp); 634 *sec_flag = 1; 635 } else { 636 pos += (8 + section_len); 637 free(tmp); 638 continue; 639 } 640 } 641 } else { 642 section_len = little_endian_read_32(pos, 4); 643 log_info("Patch length 0x%04x", section_len); 644 } 645 pos += (8 + section_len); 646 } 647 return 0; 648 } 649 static uint8_t *rtb_get_patch_header(uint32_t *len, 650 btstack_linked_list_t * patch_list, uint8_t * epatch_buf, 651 uint8_t key_id) 652 { 653 uint16_t i, j; 654 struct rtb_new_patch_hdr *new_patch; 655 uint8_t sec_flag = 0; 656 uint32_t number_of_ota_flag; 657 uint32_t patch_len = 0; 658 uint8_t *section_pos; 659 uint8_t *ota_flag_pos; 660 uint32_t number_of_section; 661 662 struct rtb_section_hdr section_hdr; 663 struct rtb_ota_flag ota_flag; 664 665 new_patch = (struct rtb_new_patch_hdr *)epatch_buf; 666 number_of_section = new_patch->number_of_section; 667 668 log_info("FW version 0x%02x,%02x,%02x,%02x,%02x,%02x,%02x,%02x", 669 *(epatch_buf + 8), *(epatch_buf + 9), *(epatch_buf + 10), 670 *(epatch_buf + 11),*(epatch_buf + 12), *(epatch_buf + 13), 671 *(epatch_buf + 14), *(epatch_buf + 15)); 672 673 section_pos = epatch_buf + 20; 674 675 for (i = 0; i < number_of_section; i++) { 676 section_hdr.opcode = little_endian_read_32(section_pos, 0); 677 section_hdr.section_len = little_endian_read_32(section_pos, 4); 678 log_info("opcode 0x%04x", section_hdr.opcode); 679 switch (section_hdr.opcode) { 680 case PATCH_SNIPPETS: 681 insert_patch(patch_list, section_pos, PATCH_SNIPPETS, &patch_len, NULL); 682 printf("Realtek: patch len is %d\n",patch_len); 683 break; 684 case PATCH_SECURITY_HEADER: 685 if(!g_key_id) 686 break; 687 688 sec_flag = 0; 689 insert_patch(patch_list, section_pos, PATCH_SECURITY_HEADER, &patch_len, &sec_flag); 690 if(sec_flag) 691 break; 692 693 for (i = 0; i < number_of_section; i++) { 694 section_hdr.opcode = little_endian_read_32(section_pos, 0); 695 section_hdr.section_len = little_endian_read_32(section_pos, 4); 696 if(section_hdr.opcode == PATCH_DUMMY_HEADER) { 697 insert_patch(patch_list, section_pos, PATCH_DUMMY_HEADER, &patch_len, NULL); 698 } 699 section_pos += (SECTION_HEADER_SIZE + section_hdr.section_len); 700 } 701 break; 702 case PATCH_DUMMY_HEADER: 703 if(g_key_id) { 704 break; 705 } 706 insert_patch(patch_list, section_pos, PATCH_DUMMY_HEADER, &patch_len, NULL); 707 break; 708 case PATCH_OTA_FLAG: 709 ota_flag_pos = section_pos + 4; 710 number_of_ota_flag = little_endian_read_32(ota_flag_pos, 0); 711 ota_flag.eco = (uint8_t)*(ota_flag_pos + 1); 712 if (ota_flag.eco == rom_version + 1) { 713 for (j = 0; j < number_of_ota_flag; j++) { 714 if (ota_flag.eco == rom_version + 1) { 715 ota_flag.enable = little_endian_read_32(ota_flag_pos, 4); 716 } 717 } 718 } 719 break; 720 default: 721 log_error("Unknown Opcode"); 722 break; 723 } 724 section_pos += (SECTION_HEADER_SIZE + section_hdr.section_len); 725 } 726 *len = patch_len; 727 728 return NULL; 729 } 730 731 static inline int get_max_patch_size(uint8_t chip_type) 732 { 733 int max_patch_size = 0; 734 735 switch (chip_type) { 736 case RTLPREVIOUS: 737 max_patch_size = 24 * 1024; 738 break; 739 case RTL8822BU: 740 max_patch_size = 25 * 1024; 741 break; 742 case RTL8723DU: 743 case RTL8822CU: 744 case RTL8761BU: 745 case RTL8821CU: 746 max_patch_size = 40 * 1024; 747 break; 748 case RTL8852AU: 749 max_patch_size = 0x114D0 + 529; /* 69.2KB */ 750 break; 751 case RTL8723FU: 752 max_patch_size = 0xC4Cf + 529; /* 49.2KB */ 753 break; 754 case RTL8852BU: 755 case RTL8851BU: 756 max_patch_size = 0x104D0 + 529; /* 65KB */ 757 break; 758 case RTL8852CU: 759 max_patch_size = 0x130D0 + 529; /* 76.2KB */ 760 break; 761 case RTL8822EU: 762 max_patch_size = 0x24620 + 529; /* 145KB */ 763 break; 764 default: 765 max_patch_size = 40 * 1024; 766 break; 767 } 768 769 return max_patch_size; 770 } 771 772 static uint8_t update_firmware(const char *firmware, const char *config, uint8_t *hci_cmd_buffer) { 773 static uint8_t *patch_buf = NULL; 774 static uint32_t fw_total_len; 775 static uint32_t fw_ptr; 776 static uint8_t index; 777 778 // read firmware and config 779 if (patch_buf == NULL) { 780 uint16_t patch_length = 0; 781 uint32_t offset; 782 FILE * fw = NULL; 783 uint32_t fw_size; 784 uint8_t *fw_buf = NULL; 785 786 FILE * conf = NULL; 787 uint32_t conf_size; 788 uint8_t *conf_buf = NULL; 789 790 uint32_t fw_version; 791 uint16_t fw_num_patches; 792 793 struct patch_node *tmp; 794 int max_patch_size = 0; 795 796 if (firmware == NULL || config == NULL) { 797 log_info("Please specify realtek firmware and config file paths"); 798 return FW_DONE; 799 } 800 // read config 801 conf_size = read_file(&conf, &conf_buf, config); 802 if (conf_size == 0) { 803 log_info("Config size is 0, using efuse settings!"); 804 } 805 // read firmware 806 fw_size = read_file(&fw, &fw_buf, firmware); 807 if (fw_size == 0) { 808 log_info("Firmware size is 0. Quit!"); 809 if (conf_size != 0){ 810 finalize_file_and_buffer(&conf, &conf_buf); 811 } 812 return FW_DONE; 813 } 814 // check signature 815 if (((memcmp(fw_buf, FW_SIGNATURE, 8) != 0) && (memcmp(fw_buf, FW_SIGNATURE_NEW, 8) != 0)) 816 || memcmp(fw_buf + fw_size - 4, EXTENSION_SIGNATURE, 4) != 0) { 817 log_info("Wrong signature. Quit!"); 818 finalize_file_and_buffer(&fw, &fw_buf); 819 finalize_file_and_buffer(&conf, &conf_buf); 820 return FW_DONE; 821 } 822 // check project id 823 if (lmp_subversion != project_id[rtk_get_fw_project_id(fw_buf + fw_size - 5)]) { 824 log_info("Wrong project id. Quit!"); 825 finalize_file_and_buffer(&fw, &fw_buf); 826 finalize_file_and_buffer(&conf, &conf_buf); 827 return FW_DONE; 828 } 829 // init ordered list for new firmware signature 830 btstack_linked_list_t patch_list = NULL; 831 bool have_new_firmware_signature = memcmp(fw_buf, FW_SIGNATURE_NEW, 8) == 0; 832 if (have_new_firmware_signature){ 833 printf("Realtek: Using new signature\n"); 834 uint8_t key_id = g_key_id; 835 if (key_id < 0) { 836 log_info("Wrong key id. Quit!"); 837 finalize_file_and_buffer(&fw, &fw_buf); 838 finalize_file_and_buffer(&conf, &conf_buf); 839 return FW_DONE; 840 } 841 842 rtb_get_patch_header(&fw_total_len, &patch_list, fw_buf, key_id); 843 if (fw_total_len == 0) { 844 finalize_file_and_buffer(&fw, &fw_buf); 845 finalize_file_and_buffer(&conf, &conf_buf); 846 return FW_DONE; 847 } 848 fw_total_len += conf_size; 849 } else { 850 printf("Realtek: Using old signature\n"); 851 // read firmware version 852 fw_version = little_endian_read_32(fw_buf, 8); 853 log_info("Firmware version: 0x%x", fw_version); 854 855 // read number of patches 856 fw_num_patches = little_endian_read_16(fw_buf, 12); 857 log_info("Number of patches: %d", fw_num_patches); 858 859 // find correct entry 860 for (uint16_t i = 0; i < fw_num_patches; i++) { 861 if (little_endian_read_16(fw_buf, 14 + 2 * i) == rom_version + 1) { 862 patch_length = little_endian_read_16(fw_buf, 14 + 2 * fw_num_patches + 2 * i); 863 offset = little_endian_read_32(fw_buf, 14 + 4 * fw_num_patches + 4 * i); 864 log_info("patch_length %u, offset %u", patch_length, offset); 865 break; 866 } 867 } 868 if (patch_length == 0) { 869 log_debug("Failed to find valid patch"); 870 finalize_file_and_buffer(&fw, &fw_buf); 871 finalize_file_and_buffer(&conf, &conf_buf); 872 return FW_DONE; 873 } 874 fw_total_len = patch_length + conf_size; 875 } 876 877 max_patch_size = get_max_patch_size(patch->chip_type); 878 printf("Realtek: FW/CONFIG total length is %d, max patch size id %d\n", fw_total_len, max_patch_size); 879 if (fw_total_len > max_patch_size) { 880 printf("FRealtek: W/CONFIG total length larger than allowed %d\n", max_patch_size); 881 finalize_file_and_buffer(&fw, &fw_buf); 882 finalize_file_and_buffer(&conf, &conf_buf); 883 return FW_DONE; 884 } 885 // allocate patch buffer 886 patch_buf = malloc(fw_total_len); 887 if (patch_buf == NULL) { 888 log_debug("Failed to allocate %u bytes for patch buffer", fw_total_len); 889 finalize_file_and_buffer(&fw, &fw_buf); 890 finalize_file_and_buffer(&conf, &conf_buf); 891 return FW_DONE; 892 } 893 if (have_new_firmware_signature) { 894 int tmp_len = 0; 895 // append patches based on priority and free 896 while (patch_list) { 897 tmp = (struct patch_node *) patch_list; 898 log_info("len = 0x%x", tmp->len); 899 memcpy(patch_buf + tmp_len, tmp->payload, tmp->len); 900 tmp_len += tmp->len; 901 patch_list = patch_list->next; 902 free(tmp); 903 } 904 if (conf_size) { 905 memcpy(&patch_buf[fw_total_len - conf_size], conf_buf, conf_size); 906 } 907 } else { 908 // copy patch 909 memcpy(patch_buf, fw_buf + offset, patch_length); 910 memcpy(patch_buf + patch_length - 4, &fw_version, 4); 911 memcpy(patch_buf + patch_length, conf_buf, conf_size); 912 } 913 fw_ptr = 0; 914 index = 0; 915 916 // close files 917 finalize_file_and_buffer(&fw, &fw_buf); 918 finalize_file_and_buffer(&conf, &conf_buf); 919 } 920 921 uint8_t len; 922 if (fw_total_len - fw_ptr > 252) { 923 len = 252; 924 } else { 925 len = fw_total_len - fw_ptr; 926 index |= 0x80; // end 927 } 928 929 if (len) { 930 little_endian_store_16(hci_cmd_buffer, 0, HCI_OPCODE_HCI_RTK_DOWNLOAD_FW); 931 HCI_CMD_SET_LENGTH(hci_cmd_buffer, len + 1); 932 HCI_CMD_DOWNLOAD_SET_INDEX(hci_cmd_buffer, index); 933 HCI_CMD_DOWNLOAD_COPY_FW_DATA(hci_cmd_buffer, patch_buf, fw_ptr, len); 934 index++; 935 if (index > 0x7f) { 936 index = (index & 0x7f) +1; 937 } 938 fw_ptr += len; 939 return FW_MORE_TO_DO; 940 } 941 942 // cleanup and return 943 free(patch_buf); 944 patch_buf = NULL; 945 printf("Realtek: Init process finished\n"); 946 return FW_DONE; 947 } 948 949 #endif // HAVE_POSIX_FILE_IO 950 951 static const uint8_t hci_realtek_read_sec_proj[] = {0x61, 0xfc, 0x05, 0x10, 0xA4, 0x0D, 0x00, 0xb0 }; 952 static const uint8_t hci_realtek_read_lmp_subversion[] = {0x61, 0xfc, 0x05, 0x10, 0x38, 0x04, 0x28, 0x80 }; 953 static const uint8_t hci_realtek_read_hci_revision[] = {0x61, 0xfc, 0x05, 0x10, 0x3A, 0x04, 0x28, 0x80 }; 954 955 static btstack_chipset_result_t chipset_next_command(uint8_t *hci_cmd_buffer) { 956 #ifdef HAVE_POSIX_FILE_IO 957 uint8_t ret; 958 while (true) { 959 switch (state) { 960 case STATE_PHASE_1_READ_LMP_SUBVERSION: 961 memcpy(hci_cmd_buffer, hci_realtek_read_lmp_subversion, sizeof(hci_realtek_read_lmp_subversion)); 962 state = STATE_PHASE_1_W4_READ_LMP_SUBVERSION; 963 break; 964 case STATE_PHASE_1_READ_HCI_REVISION: 965 memcpy(hci_cmd_buffer, hci_realtek_read_hci_revision, sizeof(hci_realtek_read_hci_revision)); 966 state = STATE_PHASE_1_W4_READ_HCI_REVISION; 967 break; 968 case STATE_PHASE_1_DONE: 969 // custom pre-init done, continue with read ROM version in main custom init 970 state = STATE_PHASE_2_READ_ROM_VERSION; 971 return BTSTACK_CHIPSET_DONE; 972 case STATE_PHASE_2_READ_ROM_VERSION: 973 HCI_CMD_SET_OPCODE(hci_cmd_buffer, HCI_OPCODE_HCI_RTK_READ_ROM_VERSION); 974 HCI_CMD_SET_LENGTH(hci_cmd_buffer, 0); 975 state = STATE_PHASE_2_READ_SEC_PROJ; 976 break; 977 case STATE_PHASE_2_READ_SEC_PROJ: 978 memcpy(hci_cmd_buffer, hci_realtek_read_sec_proj, sizeof(hci_realtek_read_sec_proj)); 979 state = STATE_PHASE_2_W4_SEC_PROJ; 980 break; 981 case STATE_PHASE_2_LOAD_FIRMWARE: 982 if (lmp_subversion != ROM_LMP_8723a) { 983 ret = update_firmware(firmware_file_path, config_file_path, hci_cmd_buffer); 984 } else { 985 log_info("Realtek firmware for old patch style not implemented"); 986 ret = FW_DONE; 987 } 988 if (ret != FW_DONE) { 989 break; 990 } 991 // we are done 992 state = STATE_PHASE_2_RESET; 993 994 /* fall through */ 995 996 case STATE_PHASE_2_RESET: 997 HCI_CMD_SET_OPCODE(hci_cmd_buffer, HCI_OPCODE_HCI_RESET); 998 HCI_CMD_SET_LENGTH(hci_cmd_buffer, 0); 999 state = STATE_PHASE_2_DONE; 1000 break; 1001 case STATE_PHASE_2_DONE: 1002 hci_remove_event_handler(&hci_event_callback_registration); 1003 return BTSTACK_CHIPSET_DONE; 1004 default: 1005 log_info("Invalid state %d", state); 1006 return BTSTACK_CHIPSET_DONE; 1007 } 1008 return BTSTACK_CHIPSET_VALID_COMMAND; 1009 } 1010 #else // HAVE_POSIX_FILE_IO 1011 log_info("Realtek without File IO is not implemented yet"); 1012 return BTSTACK_CHIPSET_NO_INIT_SCRIPT; 1013 #endif // HAVE_POSIX_FILE_IO 1014 } 1015 1016 void btstack_chipset_realtek_set_firmware_file_path(const char *path) { 1017 #ifdef HAVE_POSIX_FILE_IO 1018 firmware_file_path = path; 1019 #endif 1020 } 1021 1022 void btstack_chipset_realtek_set_firmware_folder_path(const char *path) { 1023 #ifdef HAVE_POSIX_FILE_IO 1024 firmware_folder_path = path; 1025 #endif 1026 } 1027 1028 void btstack_chipset_realtek_set_config_file_path(const char *path) { 1029 #ifdef HAVE_POSIX_FILE_IO 1030 config_file_path = path; 1031 #endif 1032 } 1033 1034 void btstack_chipset_realtek_set_config_folder_path(const char *path) { 1035 #ifdef HAVE_POSIX_FILE_IO 1036 config_folder_path = path; 1037 #endif 1038 } 1039 1040 void btstack_chipset_realtek_set_product_id(uint16_t id) { 1041 product_id = id; 1042 } 1043 1044 uint16_t btstack_chipset_realtek_get_num_usb_controllers(void){ 1045 return (sizeof(fw_patch_table) / sizeof(patch_info)) - 1; // sentinel 1046 } 1047 1048 void btstack_chipset_realtek_get_vendor_product_id(uint16_t index, uint16_t * out_vendor_id, uint16_t * out_product_id){ 1049 btstack_assert(index < ((sizeof(fw_patch_table) / sizeof(patch_info)) - 1)); 1050 *out_vendor_id = 0xbda; 1051 *out_product_id = fw_patch_table[index].prod_id; 1052 } 1053 1054 static const btstack_chipset_t btstack_chipset_realtek = { 1055 "REALTEK", chipset_init, chipset_next_command, 1056 NULL, // chipset_set_baudrate_command, 1057 NULL, // chipset_set_bd_addr_command not supported or implemented 1058 }; 1059 1060 const btstack_chipset_t *btstack_chipset_realtek_instance(void) { return &btstack_chipset_realtek; } 1061