1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * Bluetooth support for Realtek devices
5 * Copyright (C) 2015 Endless Mobile, Inc.
8 #include <linux/module.h>
9 #include <linux/firmware.h>
10 #include <asm/unaligned.h>
11 #include <linux/usb.h>
13 #include <net/bluetooth/bluetooth.h>
14 #include <net/bluetooth/hci_core.h>
20 #define RTL_EPATCH_SIGNATURE "Realtech"
21 #define RTL_ROM_LMP_3499 0x3499
22 #define RTL_ROM_LMP_8723A 0x1200
23 #define RTL_ROM_LMP_8723B 0x8723
24 #define RTL_ROM_LMP_8723D 0x8873
25 #define RTL_ROM_LMP_8821A 0x8821
26 #define RTL_ROM_LMP_8761A 0x8761
27 #define RTL_ROM_LMP_8822B 0x8822
28 #define RTL_CONFIG_MAGIC 0x8723ab55
30 #define IC_MATCH_FL_LMPSUBV (1 << 0)
31 #define IC_MATCH_FL_HCIREV (1 << 1)
32 #define IC_MATCH_FL_HCIVER (1 << 2)
33 #define IC_MATCH_FL_HCIBUS (1 << 3)
34 #define IC_INFO(lmps, hcir) \
35 .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_HCIREV, \
36 .lmp_subver = (lmps), \
51 struct btrtl_device_info {
52 const struct id_table *ic_info;
60 static const struct id_table ic_id_table[] = {
61 { IC_MATCH_FL_LMPSUBV, RTL_ROM_LMP_8723A, 0x0,
62 .config_needed = false,
63 .has_rom_version = false,
64 .fw_name = "rtl_bt/rtl8723a_fw.bin",
67 { IC_MATCH_FL_LMPSUBV, RTL_ROM_LMP_3499, 0x0,
68 .config_needed = false,
69 .has_rom_version = false,
70 .fw_name = "rtl_bt/rtl8723a_fw.bin",
74 { .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_HCIREV |
75 IC_MATCH_FL_HCIVER | IC_MATCH_FL_HCIBUS,
76 .lmp_subver = RTL_ROM_LMP_8723B,
80 .config_needed = true,
81 .has_rom_version = true,
82 .fw_name = "rtl_bt/rtl8723bs_fw.bin",
83 .cfg_name = "rtl_bt/rtl8723bs_config" },
86 { IC_INFO(RTL_ROM_LMP_8723B, 0xb),
87 .config_needed = false,
88 .has_rom_version = true,
89 .fw_name = "rtl_bt/rtl8723b_fw.bin",
90 .cfg_name = "rtl_bt/rtl8723b_config" },
93 { IC_INFO(RTL_ROM_LMP_8723B, 0xd),
94 .config_needed = true,
95 .has_rom_version = true,
96 .fw_name = "rtl_bt/rtl8723d_fw.bin",
97 .cfg_name = "rtl_bt/rtl8723d_config" },
100 { .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_HCIREV |
101 IC_MATCH_FL_HCIVER | IC_MATCH_FL_HCIBUS,
102 .lmp_subver = RTL_ROM_LMP_8723B,
106 .config_needed = true,
107 .has_rom_version = true,
108 .fw_name = "rtl_bt/rtl8723ds_fw.bin",
109 .cfg_name = "rtl_bt/rtl8723ds_config" },
112 { IC_INFO(RTL_ROM_LMP_8723D, 0x826C),
113 .config_needed = true,
114 .has_rom_version = true,
115 .fw_name = "rtl_bt/rtl8723d_fw.bin",
116 .cfg_name = "rtl_bt/rtl8723d_config" },
119 { IC_INFO(RTL_ROM_LMP_8821A, 0xa),
120 .config_needed = false,
121 .has_rom_version = true,
122 .fw_name = "rtl_bt/rtl8821a_fw.bin",
123 .cfg_name = "rtl_bt/rtl8821a_config" },
126 { IC_INFO(RTL_ROM_LMP_8821A, 0xc),
127 .config_needed = false,
128 .has_rom_version = true,
129 .fw_name = "rtl_bt/rtl8821c_fw.bin",
130 .cfg_name = "rtl_bt/rtl8821c_config" },
133 { IC_MATCH_FL_LMPSUBV, RTL_ROM_LMP_8761A, 0x0,
134 .config_needed = false,
135 .has_rom_version = true,
136 .fw_name = "rtl_bt/rtl8761a_fw.bin",
137 .cfg_name = "rtl_bt/rtl8761a_config" },
139 /* 8822C with UART interface */
140 { .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_HCIREV |
142 .lmp_subver = RTL_ROM_LMP_8822B,
146 .config_needed = true,
147 .has_rom_version = true,
148 .fw_name = "rtl_bt/rtl8822cs_fw.bin",
149 .cfg_name = "rtl_bt/rtl8822cs_config" },
151 /* 8822C with USB interface */
152 { IC_INFO(RTL_ROM_LMP_8822B, 0xc),
153 .config_needed = false,
154 .has_rom_version = true,
155 .fw_name = "rtl_bt/rtl8822cu_fw.bin",
156 .cfg_name = "rtl_bt/rtl8822cu_config" },
159 { IC_INFO(RTL_ROM_LMP_8822B, 0xb),
160 .config_needed = true,
161 .has_rom_version = true,
162 .fw_name = "rtl_bt/rtl8822b_fw.bin",
163 .cfg_name = "rtl_bt/rtl8822b_config" },
166 static const struct id_table *btrtl_match_ic(u16 lmp_subver, u16 hci_rev,
167 u8 hci_ver, u8 hci_bus)
171 for (i = 0; i < ARRAY_SIZE(ic_id_table); i++) {
172 if ((ic_id_table[i].match_flags & IC_MATCH_FL_LMPSUBV) &&
173 (ic_id_table[i].lmp_subver != lmp_subver))
175 if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIREV) &&
176 (ic_id_table[i].hci_rev != hci_rev))
178 if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIVER) &&
179 (ic_id_table[i].hci_ver != hci_ver))
181 if ((ic_id_table[i].match_flags & IC_MATCH_FL_HCIBUS) &&
182 (ic_id_table[i].hci_bus != hci_bus))
187 if (i >= ARRAY_SIZE(ic_id_table))
190 return &ic_id_table[i];
193 static struct sk_buff *btrtl_read_local_version(struct hci_dev *hdev)
197 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
200 rtl_dev_err(hdev, "HCI_OP_READ_LOCAL_VERSION failed (%ld)",
205 if (skb->len != sizeof(struct hci_rp_read_local_version)) {
206 rtl_dev_err(hdev, "HCI_OP_READ_LOCAL_VERSION event length mismatch");
208 return ERR_PTR(-EIO);
214 static int rtl_read_rom_version(struct hci_dev *hdev, u8 *version)
216 struct rtl_rom_version_evt *rom_version;
219 /* Read RTL ROM version command */
220 skb = __hci_cmd_sync(hdev, 0xfc6d, 0, NULL, HCI_INIT_TIMEOUT);
222 rtl_dev_err(hdev, "Read ROM version failed (%ld)",
227 if (skb->len != sizeof(*rom_version)) {
228 rtl_dev_err(hdev, "version event length mismatch");
233 rom_version = (struct rtl_rom_version_evt *)skb->data;
234 rtl_dev_info(hdev, "rom_version status=%x version=%x",
235 rom_version->status, rom_version->version);
237 *version = rom_version->version;
243 static int rtlbt_parse_firmware(struct hci_dev *hdev,
244 struct btrtl_device_info *btrtl_dev,
245 unsigned char **_buf)
247 static const u8 extension_sig[] = { 0x51, 0x04, 0xfd, 0x77 };
248 struct rtl_epatch_header *epatch_info;
252 u8 opcode, length, data;
254 const unsigned char *fwptr, *chip_id_base;
255 const unsigned char *patch_length_base, *patch_offset_base;
256 u32 patch_offset = 0;
257 u16 patch_length, num_patches;
258 static const struct {
261 } project_id_to_lmp_subver[] = {
262 { RTL_ROM_LMP_8723A, 0 },
263 { RTL_ROM_LMP_8723B, 1 },
264 { RTL_ROM_LMP_8821A, 2 },
265 { RTL_ROM_LMP_8761A, 3 },
266 { RTL_ROM_LMP_8822B, 8 },
267 { RTL_ROM_LMP_8723B, 9 }, /* 8723D */
268 { RTL_ROM_LMP_8821A, 10 }, /* 8821C */
269 { RTL_ROM_LMP_8822B, 13 }, /* 8822C */
272 min_size = sizeof(struct rtl_epatch_header) + sizeof(extension_sig) + 3;
273 if (btrtl_dev->fw_len < min_size)
276 fwptr = btrtl_dev->fw_data + btrtl_dev->fw_len - sizeof(extension_sig);
277 if (memcmp(fwptr, extension_sig, sizeof(extension_sig)) != 0) {
278 rtl_dev_err(hdev, "extension section signature mismatch");
282 /* Loop from the end of the firmware parsing instructions, until
283 * we find an instruction that identifies the "project ID" for the
284 * hardware supported by this firwmare file.
285 * Once we have that, we double-check that that project_id is suitable
286 * for the hardware we are working with.
288 while (fwptr >= btrtl_dev->fw_data + (sizeof(*epatch_info) + 3)) {
293 BT_DBG("check op=%x len=%x data=%x", opcode, length, data);
295 if (opcode == 0xff) /* EOF */
299 rtl_dev_err(hdev, "found instruction with length 0");
303 if (opcode == 0 && length == 1) {
311 if (project_id < 0) {
312 rtl_dev_err(hdev, "failed to find version instruction");
316 /* Find project_id in table */
317 for (i = 0; i < ARRAY_SIZE(project_id_to_lmp_subver); i++) {
318 if (project_id == project_id_to_lmp_subver[i].id)
322 if (i >= ARRAY_SIZE(project_id_to_lmp_subver)) {
323 rtl_dev_err(hdev, "unknown project id %d", project_id);
327 if (btrtl_dev->ic_info->lmp_subver !=
328 project_id_to_lmp_subver[i].lmp_subver) {
329 rtl_dev_err(hdev, "firmware is for %x but this is a %x",
330 project_id_to_lmp_subver[i].lmp_subver,
331 btrtl_dev->ic_info->lmp_subver);
335 epatch_info = (struct rtl_epatch_header *)btrtl_dev->fw_data;
336 if (memcmp(epatch_info->signature, RTL_EPATCH_SIGNATURE, 8) != 0) {
337 rtl_dev_err(hdev, "bad EPATCH signature");
341 num_patches = le16_to_cpu(epatch_info->num_patches);
342 BT_DBG("fw_version=%x, num_patches=%d",
343 le32_to_cpu(epatch_info->fw_version), num_patches);
345 /* After the rtl_epatch_header there is a funky patch metadata section.
346 * Assuming 2 patches, the layout is:
347 * ChipID1 ChipID2 PatchLength1 PatchLength2 PatchOffset1 PatchOffset2
349 * Find the right patch for this chip.
351 min_size += 8 * num_patches;
352 if (btrtl_dev->fw_len < min_size)
355 chip_id_base = btrtl_dev->fw_data + sizeof(struct rtl_epatch_header);
356 patch_length_base = chip_id_base + (sizeof(u16) * num_patches);
357 patch_offset_base = patch_length_base + (sizeof(u16) * num_patches);
358 for (i = 0; i < num_patches; i++) {
359 u16 chip_id = get_unaligned_le16(chip_id_base +
361 if (chip_id == btrtl_dev->rom_version + 1) {
362 patch_length = get_unaligned_le16(patch_length_base +
364 patch_offset = get_unaligned_le32(patch_offset_base +
371 rtl_dev_err(hdev, "didn't find patch for chip id %d",
372 btrtl_dev->rom_version);
376 BT_DBG("length=%x offset=%x index %d", patch_length, patch_offset, i);
377 min_size = patch_offset + patch_length;
378 if (btrtl_dev->fw_len < min_size)
381 /* Copy the firmware into a new buffer and write the version at
385 buf = kvmalloc(patch_length, GFP_KERNEL);
389 memcpy(buf, btrtl_dev->fw_data + patch_offset, patch_length - 4);
390 memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);
396 static int rtl_download_firmware(struct hci_dev *hdev,
397 const unsigned char *data, int fw_len)
399 struct rtl_download_cmd *dl_cmd;
400 int frag_num = fw_len / RTL_FRAG_LEN + 1;
401 int frag_len = RTL_FRAG_LEN;
405 struct hci_rp_read_local_version *rp;
407 dl_cmd = kmalloc(sizeof(struct rtl_download_cmd), GFP_KERNEL);
411 for (i = 0; i < frag_num; i++) {
414 BT_DBG("download fw (%d/%d)", i, frag_num);
417 dl_cmd->index = (i & 0x7f) + 1;
421 if (i == (frag_num - 1)) {
422 dl_cmd->index |= 0x80; /* data end */
423 frag_len = fw_len % RTL_FRAG_LEN;
425 memcpy(dl_cmd->data, data, frag_len);
427 /* Send download command */
428 skb = __hci_cmd_sync(hdev, 0xfc20, frag_len + 1, dl_cmd,
431 rtl_dev_err(hdev, "download fw command failed (%ld)",
437 if (skb->len != sizeof(struct rtl_download_response)) {
438 rtl_dev_err(hdev, "download fw event length mismatch");
445 data += RTL_FRAG_LEN;
448 skb = btrtl_read_local_version(hdev);
451 rtl_dev_err(hdev, "read local version failed");
455 rp = (struct hci_rp_read_local_version *)skb->data;
456 rtl_dev_info(hdev, "fw version 0x%04x%04x",
457 __le16_to_cpu(rp->hci_rev), __le16_to_cpu(rp->lmp_subver));
465 static int rtl_load_file(struct hci_dev *hdev, const char *name, u8 **buff)
467 const struct firmware *fw;
470 rtl_dev_info(hdev, "loading %s", name);
471 ret = request_firmware(&fw, name, &hdev->dev);
475 *buff = kvmalloc(fw->size, GFP_KERNEL);
477 memcpy(*buff, fw->data, ret);
481 release_firmware(fw);
486 static int btrtl_setup_rtl8723a(struct hci_dev *hdev,
487 struct btrtl_device_info *btrtl_dev)
489 if (btrtl_dev->fw_len < 8)
492 /* Check that the firmware doesn't have the epatch signature
493 * (which is only for RTL8723B and newer).
495 if (!memcmp(btrtl_dev->fw_data, RTL_EPATCH_SIGNATURE, 8)) {
496 rtl_dev_err(hdev, "unexpected EPATCH signature!");
500 return rtl_download_firmware(hdev, btrtl_dev->fw_data,
504 static int btrtl_setup_rtl8723b(struct hci_dev *hdev,
505 struct btrtl_device_info *btrtl_dev)
507 unsigned char *fw_data = NULL;
511 ret = rtlbt_parse_firmware(hdev, btrtl_dev, &fw_data);
515 if (btrtl_dev->cfg_len > 0) {
516 tbuff = kvzalloc(ret + btrtl_dev->cfg_len, GFP_KERNEL);
522 memcpy(tbuff, fw_data, ret);
525 memcpy(tbuff + ret, btrtl_dev->cfg_data, btrtl_dev->cfg_len);
526 ret += btrtl_dev->cfg_len;
531 rtl_dev_info(hdev, "cfg_sz %d, total sz %d", btrtl_dev->cfg_len, ret);
533 ret = rtl_download_firmware(hdev, fw_data, ret);
540 void btrtl_free(struct btrtl_device_info *btrtl_dev)
542 kvfree(btrtl_dev->fw_data);
543 kvfree(btrtl_dev->cfg_data);
546 EXPORT_SYMBOL_GPL(btrtl_free);
548 struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
551 struct btrtl_device_info *btrtl_dev;
553 struct hci_rp_read_local_version *resp;
555 u16 hci_rev, lmp_subver;
559 btrtl_dev = kzalloc(sizeof(*btrtl_dev), GFP_KERNEL);
565 skb = btrtl_read_local_version(hdev);
571 resp = (struct hci_rp_read_local_version *)skb->data;
572 rtl_dev_info(hdev, "examining hci_ver=%02x hci_rev=%04x lmp_ver=%02x lmp_subver=%04x",
573 resp->hci_ver, resp->hci_rev,
574 resp->lmp_ver, resp->lmp_subver);
576 hci_ver = resp->hci_ver;
577 hci_rev = le16_to_cpu(resp->hci_rev);
578 lmp_subver = le16_to_cpu(resp->lmp_subver);
581 btrtl_dev->ic_info = btrtl_match_ic(lmp_subver, hci_rev, hci_ver,
584 if (!btrtl_dev->ic_info) {
585 rtl_dev_info(hdev, "unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
586 lmp_subver, hci_rev, hci_ver);
590 if (btrtl_dev->ic_info->has_rom_version) {
591 ret = rtl_read_rom_version(hdev, &btrtl_dev->rom_version);
596 btrtl_dev->fw_len = rtl_load_file(hdev, btrtl_dev->ic_info->fw_name,
597 &btrtl_dev->fw_data);
598 if (btrtl_dev->fw_len < 0) {
599 rtl_dev_err(hdev, "firmware file %s not found",
600 btrtl_dev->ic_info->fw_name);
601 ret = btrtl_dev->fw_len;
605 if (btrtl_dev->ic_info->cfg_name) {
607 snprintf(cfg_name, sizeof(cfg_name), "%s-%s.bin",
608 btrtl_dev->ic_info->cfg_name, postfix);
610 snprintf(cfg_name, sizeof(cfg_name), "%s.bin",
611 btrtl_dev->ic_info->cfg_name);
613 btrtl_dev->cfg_len = rtl_load_file(hdev, cfg_name,
614 &btrtl_dev->cfg_data);
615 if (btrtl_dev->ic_info->config_needed &&
616 btrtl_dev->cfg_len <= 0) {
617 rtl_dev_err(hdev, "mandatory config file %s not found",
618 btrtl_dev->ic_info->cfg_name);
619 ret = btrtl_dev->cfg_len;
627 btrtl_free(btrtl_dev);
631 EXPORT_SYMBOL_GPL(btrtl_initialize);
633 int btrtl_download_firmware(struct hci_dev *hdev,
634 struct btrtl_device_info *btrtl_dev)
636 /* Match a set of subver values that correspond to stock firmware,
637 * which is not compatible with standard btusb.
638 * If matched, upload an alternative firmware that does conform to
639 * standard btusb. Once that firmware is uploaded, the subver changes
640 * to a different value.
642 if (!btrtl_dev->ic_info) {
643 rtl_dev_info(hdev, "assuming no firmware upload needed");
647 switch (btrtl_dev->ic_info->lmp_subver) {
648 case RTL_ROM_LMP_8723A:
649 case RTL_ROM_LMP_3499:
650 return btrtl_setup_rtl8723a(hdev, btrtl_dev);
651 case RTL_ROM_LMP_8723B:
652 case RTL_ROM_LMP_8821A:
653 case RTL_ROM_LMP_8761A:
654 case RTL_ROM_LMP_8822B:
655 return btrtl_setup_rtl8723b(hdev, btrtl_dev);
657 rtl_dev_info(hdev, "assuming no firmware upload needed");
661 EXPORT_SYMBOL_GPL(btrtl_download_firmware);
663 int btrtl_setup_realtek(struct hci_dev *hdev)
665 struct btrtl_device_info *btrtl_dev;
668 btrtl_dev = btrtl_initialize(hdev, NULL);
669 if (IS_ERR(btrtl_dev))
670 return PTR_ERR(btrtl_dev);
672 ret = btrtl_download_firmware(hdev, btrtl_dev);
674 btrtl_free(btrtl_dev);
676 /* Enable controller to do both LE scan and BR/EDR inquiry
679 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
683 EXPORT_SYMBOL_GPL(btrtl_setup_realtek);
685 int btrtl_shutdown_realtek(struct hci_dev *hdev)
690 /* According to the vendor driver, BT must be reset on close to avoid
693 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
696 bt_dev_err(hdev, "HCI reset during shutdown failed");
703 EXPORT_SYMBOL_GPL(btrtl_shutdown_realtek);
705 static unsigned int btrtl_convert_baudrate(u32 device_baudrate)
707 switch (device_baudrate) {
742 int btrtl_get_uart_settings(struct hci_dev *hdev,
743 struct btrtl_device_info *btrtl_dev,
744 unsigned int *controller_baudrate,
745 u32 *device_baudrate, bool *flow_control)
747 struct rtl_vendor_config *config;
748 struct rtl_vendor_config_entry *entry;
749 int i, total_data_len;
752 total_data_len = btrtl_dev->cfg_len - sizeof(*config);
753 if (total_data_len <= 0) {
754 rtl_dev_warn(hdev, "no config loaded");
758 config = (struct rtl_vendor_config *)btrtl_dev->cfg_data;
759 if (le32_to_cpu(config->signature) != RTL_CONFIG_MAGIC) {
760 rtl_dev_err(hdev, "invalid config magic");
764 if (total_data_len < le16_to_cpu(config->total_len)) {
765 rtl_dev_err(hdev, "config is too short");
769 for (i = 0; i < total_data_len; ) {
770 entry = ((void *)config->entry) + i;
772 switch (le16_to_cpu(entry->offset)) {
774 if (entry->len < sizeof(*device_baudrate)) {
775 rtl_dev_err(hdev, "invalid UART config entry");
779 *device_baudrate = get_unaligned_le32(entry->data);
780 *controller_baudrate = btrtl_convert_baudrate(
783 if (entry->len >= 13)
784 *flow_control = !!(entry->data[12] & BIT(2));
786 *flow_control = false;
792 rtl_dev_dbg(hdev, "skipping config entry 0x%x (len %u)",
793 le16_to_cpu(entry->offset), entry->len);
797 i += sizeof(*entry) + entry->len;
801 rtl_dev_err(hdev, "no UART config entry found");
805 rtl_dev_dbg(hdev, "device baudrate = 0x%08x", *device_baudrate);
806 rtl_dev_dbg(hdev, "controller baudrate = %u", *controller_baudrate);
807 rtl_dev_dbg(hdev, "flow control %d", *flow_control);
811 EXPORT_SYMBOL_GPL(btrtl_get_uart_settings);
813 MODULE_AUTHOR("Daniel Drake <drake@endlessm.com>");
814 MODULE_DESCRIPTION("Bluetooth support for Realtek devices ver " VERSION);
815 MODULE_VERSION(VERSION);
816 MODULE_LICENSE("GPL");
817 MODULE_FIRMWARE("rtl_bt/rtl8723a_fw.bin");
818 MODULE_FIRMWARE("rtl_bt/rtl8723b_fw.bin");
819 MODULE_FIRMWARE("rtl_bt/rtl8723b_config.bin");
820 MODULE_FIRMWARE("rtl_bt/rtl8723bs_fw.bin");
821 MODULE_FIRMWARE("rtl_bt/rtl8723bs_config.bin");
822 MODULE_FIRMWARE("rtl_bt/rtl8723ds_fw.bin");
823 MODULE_FIRMWARE("rtl_bt/rtl8723ds_config.bin");
824 MODULE_FIRMWARE("rtl_bt/rtl8761a_fw.bin");
825 MODULE_FIRMWARE("rtl_bt/rtl8761a_config.bin");
826 MODULE_FIRMWARE("rtl_bt/rtl8821a_fw.bin");
827 MODULE_FIRMWARE("rtl_bt/rtl8821a_config.bin");
828 MODULE_FIRMWARE("rtl_bt/rtl8822b_fw.bin");
829 MODULE_FIRMWARE("rtl_bt/rtl8822b_config.bin");
OSDN Git Service
