CoCalc -- hciattach

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.

GitHub Repository: orangepi-xunlong/orangepi-build
Path: blob/next/external/cache/sources/hcitools/hciattach_rtk.c
Views: ³⁹⁵⁹
1
/*
2
 *
3
 *  BlueZ - Bluetooth protocol stack for Linux
4
 *
5
 *  Copyright (C) 2005-2010  Marcel Holtmann <[email protected]>
6
 *  Copyright (C) 2013-2014  Realtek Semiconductor Corp.
7
 *
8
 *
9
 *  This program is free software; you can redistribute it and/or modify
10
 *  it under the terms of the GNU General Public License as published by
11
 *  the Free Software Foundation; either version 2 of the License, or
12
 *  (at your option) any later version.
13
 *
14
 *  This program is distributed in the hope that it will be useful,
15
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17
 *  GNU General Public License for more details.
18
 *
19
 *  You should have received a copy of the GNU General Public License
20
 *  along with this program; if not, write to the Free Software
21
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
22
 *
23
 */
24

25
#ifdef HAVE_CONFIG_H
26
#include <config.h>
27
#endif
28

29
#include <stdio.h>
30
#include <errno.h>
31
#include <unistd.h>
32
#include <stdlib.h>
33
#include <termios.h>
34
#include <time.h>
35
#include <sys/time.h>
36
#include <sys/types.h>
37
#include <sys/param.h>
38
#include <sys/ioctl.h>
39
#include <sys/socket.h>
40
#include <sys/uio.h>
41
#include <sys/stat.h>
42
#include <fcntl.h>
43

44
#include <signal.h>
45
#define Config_Android 0 /*1 for android; 0 for Linux*/
46

47
#if Config_Android   //for Android
48
#include <bluetooth/bluetooth.h>
49
#include <bluetooth/hci.h>
50
#include <bluetooth/hci_lib.h>
51
#else //for Linux
52
#include <stdint.h>
53
#include <string.h>
54
#include <endian.h>
55
#include <byteswap.h>
56
#include <netinet/in.h>
57
#endif
58

59
#include "hciattach.h"
60

61
#define BAUDRATE_4BYTES
62
#define RTK_VERSION "2.3"
63
#if __BYTE_ORDER == __LITTLE_ENDIAN
64
#define cpu_to_le16(d)  (d)
65
#define cpu_to_le32(d)  (d)
66
#define le16_to_cpu(d)  (d)
67
#define le32_to_cpu(d)  (d)
68
#elif __BYTE_ORDER == __BIG_ENDIAN
69
#define cpu_to_le16(d)  bswap_16(d)
70
#define cpu_to_le32(d)  bswap_32(d)
71
#define le16_to_cpu(d)  bswap_16(d)
72
#define le32_to_cpu(d)  bswap_32(d)
73
#else
74
#error "Unknown byte order"
75
#endif
76

77
/* log related */
78
#define LOG_STR                    "Realtek Bluetooth"
79
#define DBG_ON                     1
80

81
#define RS_DBG(fmt, arg...)                                    \
82
	do {                                                       \
83
		if (DBG_ON)                                            \
84
			fprintf(stderr, "%s: " fmt "\n", LOG_STR, ##arg);  \
85
	} while (0)
86

87
#define RS_ERR(fmt, arg...)                                    \
88
	do {                                                       \
89
		fprintf(stderr, "%s ERROR: " fmt "\n", LOG_STR, ##arg);\
90
		perror("reason: ");                                    \
91
	} while (0)
92

93
#define RS_DUMP(buffer, len)                                   \
94
	do {                                                       \
95
		fprintf(stderr, "%s: ", LOG_STR);                      \
96
		for (int i = 0; i < len; i++) {                        \
97
			if (i && !(i % 16)) {                              \
98
				fprintf(stderr, "\n");                         \
99
				fprintf(stderr, "%s: ", LOG_STR);              \
100
			}                                                  \
101
			fprintf(stderr, "%02x ", buffer[i]);               \
102
		}                                                      \
103
		fprintf(stderr, "\n");                                 \
104
	} while (0)
105

106
struct sk_buff {
107
	uint32_t max_len;
108
	uint32_t data_len;
109
	uint8_t  data[0];
110
};
111

112
/* Skb helpers */
113
struct bt_skb_cb {
114
	uint8_t  pkt_type;
115
	uint8_t  incoming;
116
	uint16_t expect;
117
	uint8_t  tx_seq;
118
	uint8_t  retries;
119
	uint8_t  sar;
120
	uint16_t channel;
121
};
122

123
typedef struct {
124
	uint8_t index;
125
	uint8_t data[252];
126
} __attribute__ ((packed)) download_vendor_patch_cp;
127

128
struct hci_command_hdr {
129
	uint16_t opcode;     /* OCF & OGF */
130
	uint8_t  plen;
131
} __attribute__ ((packed));
132

133
struct hci_event_hdr {
134
	uint8_t  evt;
135
	uint8_t  plen;
136
} __attribute__ ((packed));
137

138
struct hci_ev_cmd_complete {
139
	uint8_t  ncmd;
140
	uint16_t opcode;
141
} __attribute__ ((packed));
142

143
#define HCI_COMMAND_HDR_SIZE               3
144
#define HCI_EVENT_HDR_SIZE                 2
145

146
#define HCI_CMD_READ_BD_ADDR               0x1009
147
#define HCI_VENDOR_CHANGE_BDRATE           0xfc17
148
#define HCI_VENDOR_READ_RTK_ROM_VERISION   0xfc6d
149
#define HCI_VENDOR_READ_LMP_VERISION       0x1001
150
#define HCI_VENDOR_READ_CHIP_TYPE          0xfc61
151

152
#define ROM_LMP_8723a                      0x1200
153

154
#define RTK_VENDOR_CONFIG_MAGIC            0x8723ab55
155

156
#define bt_cb(skb)                         ((struct bt_skb_cb *)((skb)->cb))
157

158
#if Config_Android
159
#define FIRMWARE_DIRECTORY                 "/system/vendor/etc/firmware"
160
#define BT_CONFIG_DIRECTORY                "/system/vendor/etc/firmware"
161
#else
162
#define FIRMWARE_DIRECTORY                 "/system/vendor/etc/firmware"
163
#define BT_CONFIG_DIRECTORY                "/system/vendor/etc/firmware"
164
#endif
165

166
#define BT_ADDR_DIR                        "/data/misc/bluetooth/"
167
#define BT_ADDR_FILE                       "/data/misc/bluetooth/btmac.txt"
168

169
#define PATCH_DATA_FIELD_MAX_SIZE          252
170
#define READ_DATA_SIZE                     16
171

172
/* HCI data types */
173
#define H5_ACK_PKT                         0x00
174
#define HCI_COMMAND_PKT                    0x01
175
#define HCI_ACLDATA_PKT                    0x02
176
#define HCI_SCODATA_PKT                    0x03
177
#define HCI_EVENT_PKT                      0x04
178
#define H5_VDRSPEC_PKT                     0x0E
179
#define H5_LINK_CTL_PKT                    0x0F
180

181

182
#define HCI_VERSION_MASK_10                (1<<0)        // Bluetooth Core Spec 1.0b
183
#define HCI_VERSION_MASK_11                (1<<1)        // Bluetooth Core Spec 1.1
184
#define HCI_VERSION_MASK_12                (1<<2)        // Bluetooth Core Spec 1.2
185
#define HCI_VERSION_MASK_20                (1<<3)        // Bluetooth Core Spec 2.0+EDR
186
#define HCI_VERSION_MASK_21                (1<<4)        // Bluetooth Core Spec 2.1+EDR
187
#define HCI_VERSION_MASK_30                (1<<5)        // Bluetooth Core Spec 3.0+HS
188
#define HCI_VERSION_MASK_40                (1<<6)        // Bluetooth Core Spec 4.0
189
#define HCI_VERSION_MASK_41                (1<<7)        // Bluetooth Core Spec 4.1
190
#define HCI_VERSION_MASK_42                (1<<8)        // Bluetooth Core Spec 4.2
191
#define HCI_VERSION_MASK_ALL               (0xFFFFFFFF)
192

193
#define HCI_REVISION_MASK_ALL              (0xFFFFFFFF)
194

195
#define LMP_SUBVERSION_NONE                (0x0)
196

197
#define CHIPTYPE_NONE                      (0x1F)        // Chip Type's range: 0x0 ~ 0xF
198
#define CHIP_TYPE_MASK_ALL                 (0xFFFFFFFF)
199

200
#define PROJECT_ID_MASK_ALL                (0xFFFFFFFF)  // temp used for unknow project id for a new chip
201

202
#define CONFIG_MAC_OFFSET_GEN_1_2          (0x3C)        // MAC's OFFSET in config/efuse for realtek generation 1~2 bluetooth chip
203
#define CONFIG_MAC_OFFSET_GEN_3PLUS        (0x44)        // MAC's OFFSET in config/efuse for rtk generation 3+ bluetooth chip
204
#define CONFIG_MAC_OFFSET_GEN_4PLUS        (0x30)        // MAC's OFFSET in config/efuse for rtk generation 4+ bluetooth chip
205

206
#define PATCH_OPTIONAL_MATCH_FLAG_CHIPTYPE (0x1)
207

208
#define MAX_PATCH_SIZE_24K                 (1024*24)     // 24K
209
#define MAX_PATCH_SIZE_40K                 (1024*40)     // 40K
210

211
struct rtk_bt_vendor_config_entry {
212
	uint16_t offset;
213
	uint8_t entry_len;
214
	uint8_t entry_data[0];
215
} __attribute__ ((packed));
216

217
struct rtk_bt_vendor_config {
218
	uint32_t signature;
219
	uint16_t data_len;
220
	struct rtk_bt_vendor_config_entry entry[0];
221
} __attribute__ ((packed));
222

223
struct rtk_epatch_entry {
224
	uint16_t chipID;
225
	uint16_t patch_length;
226
	uint32_t start_offset;
227
} __attribute__ ((packed));
228

229
struct rtk_epatch {
230
	uint8_t signature[8];
231
	uint32_t fm_version;
232
	uint16_t number_of_total_patch;
233
	struct rtk_epatch_entry entry[0];
234
} __attribute__ ((packed));
235

236
typedef enum _RTK_ROM_VERSION_CMD_STATE {
237
	cmd_not_send,
238
	cmd_has_sent,
239
	event_received
240
} RTK_ROM_VERSION_CMD_STATE;
241

242
#pragma pack(1)
243
#if __BYTE_ORDER == __LITTLE_ENDIAN
244
typedef struct _H5_PKT_HEADER {
245
	uint8_t SeqNumber:3;
246
	uint8_t AckNumber:3;
247
	uint8_t DicPresent:1; /* Data Integrity Check Present */
248
	uint8_t ReliablePkt:1;
249
	uint16_t PktType:4;
250
	uint16_t PayloadLen:12;
251
	uint8_t HdrChecksum;
252
} H5_PKT_HEADER;
253
#else
254
typedef struct _H5_PKT_HEADER {
255
	uint8_t ReliablePkt:1;
256
	uint8_t DicPresent:1; /* Data Integrity Check Present */
257
	uint8_t AckNumber:3;
258
	uint8_t SeqNumber:3;
259
	uint16_t PayloadLen:12;
260
	uint16_t PktType:4;
261
	uint8_t HdrChecksum;
262
} H5_PKT_HEADER;
263
#endif
264

265
typedef enum _H5_RX_STATE {
266
	H5_W4_PKT_DELIMITER,
267
	H5_W4_PKT_START,
268
	H5_W4_HDR,
269
	H5_W4_DATA,
270
	H5_W4_CRC
271
} H5_RX_STATE;
272

273
typedef enum _H5_RX_ESC_STATE {
274
	H5_ESCSTATE_NOESC,
275
	H5_ESCSTATE_ESC
276
} H5_RX_ESC_STATE;
277

278
typedef enum _H5_LINK_STATE {
279
	H5_SYNC,
280
	H5_CONFIG,
281
	H5_INIT,
282
	H5_PATCH,
283
	H5_ACTIVE
284
} H5_LINK_STATE;
285

286
typedef enum _PATCH_PROTOCOL {
287
	PATCH_PROTOCAL_H4,
288
	PATCH_PROTOCAL_H5
289
} PATCH_PROTOCOL;
290

291
struct rtk_h5_struct {
292
	uint8_t  rxseq_txack;    /* rxseq == txack. expected rx SeqNumber */
293
	uint8_t  rxack;          /* Last packet sent by us that the peer ack'ed */
294
	uint8_t  use_crc;
295
	uint8_t  is_txack_req;   /* txack required? Do we need to send ack's to the peer? */
296
	/* Reliable packet sequence number - used to assign seq to each rel pkt. */
297
	uint8_t  msgq_txseq;     /* next pkt seq */
298
	uint16_t message_crc;
299
	uint32_t rx_count;       /* expected pkts to recv */
300
	H5_RX_STATE     rx_state;
301
	H5_RX_ESC_STATE rx_esc_state;
302
	H5_LINK_STATE   link_estab_state;
303
	struct sk_buff *rx_skb;
304
	struct sk_buff *host_last_cmd;
305
};
306

307
struct patch_struct {
308
	int nTxIndex;          /* current sending pkt number */
309
	int nTotal;            /* total pkt number */
310
	int nRxIndex;          /* ack index from board */
311
	int nNeedRetry;        /* if no response from board */
312
};
313

314
typedef struct {
315
	uint16_t    lmp_subversion;
316
	uint32_t    hci_version_mask;
317
	uint32_t    hci_revision_mask;
318
	uint32_t    chip_type_mask;
319
	uint32_t    project_id_mask;
320
	char       *patch_name;
321
	char       *config_name;
322
	uint16_t    mac_offset;
323
	uint32_t    max_patch_size;
324
} patch_info;
325

326
/* h/w config control block */
327
typedef struct {
328
	uint32_t    max_patch_size;
329
	uint32_t    baudrate;
330
	uint16_t    lmp_subversion;
331
	uint16_t    lmp_subversion_default;
332
	uint16_t    lmp_sub_current;
333
	uint8_t     state;          /* Hardware configuration state */
334
	uint8_t     eversion;
335
	uint32_t    project_id_mask;
336
	uint8_t     hci_version;
337
	uint8_t     hci_revision;
338
	uint8_t     chip_type;
339
} bt_hw_cfg_cb_t;
340

341
static patch_info patch_table[] = {
342
/*   lmp_subv    hci_version_mask        hci_revision_mask    chip_type_mask  project_id_mask  fw name          config name                    mac offset           max_patch_size  */
343
	{0x1200,   HCI_VERSION_MASK_ALL,   HCI_REVISION_MASK_ALL, CHIP_TYPE_MASK_ALL,  1<<0,  "rtl8723as_fw",     "rtl8723as_config",     CONFIG_MAC_OFFSET_GEN_1_2,   MAX_PATCH_SIZE_24K},  //Rtl8723AS
344
#ifdef RTL_8723BS_BT_USED
345
	{0x8723, ~(HCI_VERSION_MASK_21), ~(1<<0xd),               CHIP_TYPE_MASK_ALL,  1<<1,  "rtl8723bs_fw",     "rtl8723bs_config",     CONFIG_MAC_OFFSET_GEN_1_2,   MAX_PATCH_SIZE_24K},  //Rtl8723BS
346
#else
347
	{0x8723, ~(HCI_VERSION_MASK_21), ~(1<<0xd),               CHIP_TYPE_MASK_ALL,  1<<1,  "rtl8723bs_VQ0_fw", "rtl8723bs_VQ0_config", CONFIG_MAC_OFFSET_GEN_1_2,   MAX_PATCH_SIZE_24K},  //Rtl8723BS_VQ0
348
#endif
349
	{0x8821,   HCI_VERSION_MASK_ALL, ~(1<<0xc),               CHIP_TYPE_MASK_ALL,  1<<2,  "rtl8821as_fw",     "rtl8821as_config",     CONFIG_MAC_OFFSET_GEN_1_2,   MAX_PATCH_SIZE_24K},  //Rtl8821AS
350
/*  {0x8761,   HCI_VERSION_MASK_ALL,   HCI_REVISION_MASK_ALL, CHIP_TYPE_MASK_ALL,  1<<3,  "rtl8761at_fw",     "rtl8761at_config",     CONFIG_MAC_OFFSET_GEN_1_2,   MAX_PATCH_SIZE_24K},  //Rtl8761AW */
351
	{0x8761,   HCI_VERSION_MASK_ALL, ~(1<<0xb),               CHIP_TYPE_MASK_ALL,  1<<3,  "rtl8761at_fw",     "rtl8761at_config",     CONFIG_MAC_OFFSET_GEN_1_2,   MAX_PATCH_SIZE_24K},  //Rtl8761AW
352
	{0x8761,   HCI_VERSION_MASK_ALL,  (1<<0xb),               CHIP_TYPE_MASK_ALL,  1<<14, "rtl8761bt_fw",     "rtl8761bt_config",     CONFIG_MAC_OFFSET_GEN_4PLUS, MAX_PATCH_SIZE_40K},  //Rtl8761BW
353

354
	{0x8723,   HCI_VERSION_MASK_21,    HCI_REVISION_MASK_ALL, CHIP_TYPE_MASK_ALL,  1<<4,  "rtl8703as_fw",     "rtl8703as_config",     CONFIG_MAC_OFFSET_GEN_1_2,   MAX_PATCH_SIZE_24K},  //Rtl8703AS
355

356
	{0x8703,   HCI_VERSION_MASK_ALL,   HCI_REVISION_MASK_ALL, 1<<7,                1<<6,  "rtl8703bs_fw",     "rtl8703bs_config",     CONFIG_MAC_OFFSET_GEN_3PLUS, MAX_PATCH_SIZE_24K},  //Rtl8703BS
357
	{0x8703,   HCI_VERSION_MASK_ALL,   HCI_REVISION_MASK_ALL, 1<<5,                1<<7,  "rtl8723cs_xx_fw",  "rtl8723cs_xx_config",  CONFIG_MAC_OFFSET_GEN_3PLUS, MAX_PATCH_SIZE_24K},  //rtl8723cs_xx
358
	{0x8703,   HCI_VERSION_MASK_ALL,   HCI_REVISION_MASK_ALL, 1<<3,                1<<7,  "rtl8723cs_cg_fw",  "rtl8723cs_cg_config",  CONFIG_MAC_OFFSET_GEN_3PLUS, MAX_PATCH_SIZE_24K},  //rtl8723cs_cg
359
	{0x8703,   HCI_VERSION_MASK_ALL,   HCI_REVISION_MASK_ALL, 1<<4,                1<<7,  "rtl8723cs_vf_fw",  "rtl8723cs_vf_config",  CONFIG_MAC_OFFSET_GEN_3PLUS, MAX_PATCH_SIZE_24K},  //rtl8723cs_vf
360
/*  {0x8822,   HCI_VERSION_MASK_ALL,   HCI_REVISION_MASK_ALL, CHIP_TYPE_MASK_ALL,  1<<8,  "rtl8822bs_fw",     "rtl8822bs_config",     CONFIG_MAC_OFFSET_GEN_3PLUS, MAX_PATCH_SIZE_24K},  //Rtl8822BS */
361
	{0x8822,   HCI_VERSION_MASK_ALL, ~(1<<0xc),               CHIP_TYPE_MASK_ALL,  1<<8,  "rtl8822bs_fw",     "rtl8822bs_config",     CONFIG_MAC_OFFSET_GEN_3PLUS, MAX_PATCH_SIZE_24K},  //Rtl8822BS
362
	{0x8822,   HCI_VERSION_MASK_ALL,  (1<<0xc),               CHIP_TYPE_MASK_ALL,  1<<13, "rtl8822cs_fw",     "rtl8822cs_config",     CONFIG_MAC_OFFSET_GEN_4PLUS, MAX_PATCH_SIZE_40K},  //Rtl8822CS
363

364
	{0x8723,   HCI_VERSION_MASK_ALL,  (1<<0xd),               ~(1<<7),             1<<9,  "rtl8723ds_fw",     "rtl8723ds_config",     CONFIG_MAC_OFFSET_GEN_3PLUS, MAX_PATCH_SIZE_40K},  //Rtl8723ds
365
	{0x8723,   HCI_VERSION_MASK_ALL,  (1<<0xd),               1<<7,                1<<9,  "rtl8703cs_fw",     "rtl8703cs_config",     CONFIG_MAC_OFFSET_GEN_3PLUS, MAX_PATCH_SIZE_40K},  //Rtl8703cs
366
	{0x8821,   HCI_VERSION_MASK_ALL,  (1<<0xc),               CHIP_TYPE_MASK_ALL,  1<<10, "rtl8821cs_fw",     "rtl8821cs_config",     CONFIG_MAC_OFFSET_GEN_3PLUS, MAX_PATCH_SIZE_40K},  //RTL8821CS
367
/*  todo: RTL8703CS */
368
	{LMP_SUBVERSION_NONE, HCI_VERSION_MASK_ALL, HCI_REVISION_MASK_ALL, CHIP_TYPE_MASK_ALL, PROJECT_ID_MASK_ALL, "rtl_none_fw", "rtl_none_config", CONFIG_MAC_OFFSET_GEN_1_2, MAX_PATCH_SIZE_24K}
369
};
370

371
static bt_hw_cfg_cb_t hw_cfg_cb;
372
static uint8_t gEVersion;
373
static RTK_ROM_VERSION_CMD_STATE gRom_version_cmd_state;
374
static RTK_ROM_VERSION_CMD_STATE ghci_version_cmd_state;
375
static RTK_ROM_VERSION_CMD_STATE gchip_type_cmd_state;
376
static int gHwFlowControlEnable;
377
static int gFinalSpeed;
378

379
/* signature: Realtech */
380
static const uint8_t RTK_EPATCH_SIGNATURE[8] = {0x52, 0x65, 0x61, 0x6C, 0x74, 0x65, 0x63, 0x68};
381
/* Extension Section IGNATURE:0x77FD0451 */
382
static const uint8_t Extension_Section_SIGNATURE[4] = {0x51, 0x04, 0xFD, 0x77};
383

384
static int serial_fd;
385
static int h5_max_retries = 40;
386
static struct rtk_h5_struct rtk_h5;
387
static struct patch_struct rtk_patch;
388

389
/* bite reverse in bytes
390
   00000001 -> 10000000
391
   00000100 -> 00100000
392
 */
393
static const uint8_t byte_rev_table[256] = {
394
	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
395
	0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
396
	0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
397
	0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
398
	0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
399
	0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
400
	0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
401
	0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
402
	0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
403
	0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
404
	0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
405
	0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
406
	0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
407
	0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
408
	0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
409
	0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
410
	0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
411
	0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
412
	0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
413
	0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
414
	0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
415
	0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
416
	0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
417
	0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
418
	0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
419
	0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
420
	0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
421
	0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
422
	0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
423
	0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
424
	0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
425
	0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff,
426
};
427

428
/* reverse bit */
429
static __inline uint8_t bit_rev8(uint8_t byte)
430
{
431
	return byte_rev_table[byte];
432
}
433

434
/* reverse bit */
435
static __inline uint16_t bit_rev16(uint16_t x)
436
{
437
	return (bit_rev8(x & 0xff) << 8) | bit_rev8(x >> 8);
438
}
439

440
static const uint16_t crc_table[] = {
441
	0x0000, 0x1081, 0x2102, 0x3183,
442
	0x4204, 0x5285, 0x6306, 0x7387,
443
	0x8408, 0x9489, 0xa50a, 0xb58b,
444
	0xc60c, 0xd68d, 0xe70e, 0xf78f
445
};
446

447
/**
448
* Malloc the socket buffer
449
*
450
* @param skb socket buffer
451
* @return the point to the malloc buffer
452
*/
453
static __inline struct sk_buff *skb_alloc(uint32_t len)
454
{
455
	struct sk_buff *skb = NULL;
456
	skb = malloc(len + 8);
457
	if (skb) {
458
		skb->max_len  = len;
459
		skb->data_len = 0;
460
		memset(skb->data, 0, len);
461
	} else {
462
		RS_ERR("Allocate skb fails!!!");
463
		skb = NULL;
464
	}
465
	return skb;
466
}
467

468
/**
469
* Free the socket buffer
470
*
471
* @param skb socket buffer
472
*/
473
static __inline void skb_free(struct sk_buff *skb)
474
{
475
	free(skb);
476
	return;
477
}
478

479
/**
480
* Increase the date length in sk_buffer by len,
481
* and return the increased header pointer
482
*
483
* @param skb socket buffer
484
* @param len length want to increase
485
* @return the pointer to increased header
486
*/
487
static uint8_t *skb_put(struct sk_buff *skb, uint32_t len)
488
{
489
	uint32_t old_len = skb->data_len;
490
	if ((skb->data_len + len) > (skb->max_len)) {
491
		RS_ERR("Buffer too small");
492
		return NULL;
493
	}
494
	skb->data_len += len;
495
	return (skb->data + old_len);
496
}
497

498
/**
499
* decrease data length in sk_buffer by to len by cut the tail
500
*
501
* @warning len should be less than skb->len
502
*
503
* @param skb socket buffer
504
* @param len length want to be changed
505
*/
506
static void skb_trim(struct sk_buff *skb,  int len)
507
{
508
	if (skb->data_len > len) {
509
		skb->data_len = len;
510
	} else {
511
		RS_ERR("Error: skb->data_len(%ld) < len(%d)", (long int)skb->data_len, len);
512
	}
513
}
514

515
/**
516
* Decrease the data length in sk_buffer by len,
517
* and move the content forward to the header.
518
* the data in header will be removed.
519
*
520
* @param skb socket buffer
521
* @param len length of data
522
* @return new data
523
*/
524
static uint8_t *skb_pull(struct sk_buff *skb, uint32_t len)
525
{
526
	skb->data_len -= len;
527
	char *buf;
528
	buf = malloc(skb->data_len);
529
	if (!buf) {
530
		RS_ERR("Unable to allocate file buffer");
531
		exit(1);
532
	}
533
	memcpy(buf, skb->data+len, skb->data_len);
534
	memcpy(skb->data, buf, skb->data_len);
535
	free(buf);
536
	return skb->data;
537
}
538

539
/**
540
* Add "d" into crc scope, caculate the new crc value
541
*
542
* @param crc crc data
543
* @param d one byte data
544
*/
545
static void h5_crc_update(uint16_t *crc, uint8_t d)
546
{
547
	uint16_t reg = *crc;
548

549
	reg = (reg >> 4) ^ crc_table[(reg ^ d) & 0x000f];
550
	reg = (reg >> 4) ^ crc_table[(reg ^ (d >> 4)) & 0x000f];
551

552
	*crc = reg;
553
}
554

555
struct __una_u16 { uint16_t x; };
556

557
static __inline uint16_t __get_unaligned_cpu16(const void *p)
558
{
559
	const struct __una_u16 *ptr = (const struct __una_u16 *)p;
560
	return ptr->x;
561
}
562

563
static __inline uint16_t get_unaligned_be16(const void *p)
564
{
565
	return __get_unaligned_cpu16((const uint8_t *)p);
566
}
567

568
/**
569
* Get crc data.
570
*
571
* @param h5 realtek h5 struct
572
* @return crc data
573
*/
574
static uint16_t h5_get_crc(struct rtk_h5_struct *h5)
575
{
576
	uint16_t crc = 0;
577
	uint8_t *data = h5->rx_skb->data + h5->rx_skb->data_len - 2;
578
	crc = data[1] + (data[0] << 8);
579
	return crc;
580
}
581

582
/**
583
* Just add 0xc0 at the end of skb,
584
* we can also use this to add 0xc0 at start while there is no data in skb
585
*
586
* @param skb socket buffer
587
*/
588
static void h5_slip_msgdelim(struct sk_buff *skb)
589
{
590
	const char pkt_delim = 0xc0;
591
	memcpy(skb_put(skb, 1), &pkt_delim, 1);
592
}
593

594
/**
595
* Slip ecode one byte in h5 proto, as follows:
596
* 0xc0 -> 0xdb, 0xdc
597
* 0xdb -> 0xdb, 0xdd
598
* 0x11 -> 0xdb, 0xde
599
* 0x13 -> 0xdb, 0xdf
600
* others will not change
601
*
602
* @param skb socket buffer
603
* @c pure data in the one byte
604
*/
605
static void h5_slip_one_byte(struct sk_buff *skb, uint8_t c)
606
{
607
	const int8_t esc_c0[2] = { 0xdb, 0xdc };
608
	const int8_t esc_db[2] = { 0xdb, 0xdd };
609
	const int8_t esc_11[2] = { 0xdb, 0xde };
610
	const int8_t esc_13[2] = { 0xdb, 0xdf };
611

612
	switch (c) {
613
	case 0xc0:
614
		memcpy(skb_put(skb, 2), &esc_c0, 2);
615
		break;
616
	case 0xdb:
617
		memcpy(skb_put(skb, 2), &esc_db, 2);
618
		break;
619
	case 0x11:
620
		memcpy(skb_put(skb, 2), &esc_11, 2);
621
		break;
622
	case 0x13:
623
		memcpy(skb_put(skb, 2), &esc_13, 2);
624
		break;
625
	default:
626
		memcpy(skb_put(skb, 1), &c, 1);
627
	}
628
}
629

630
/**
631
* Decode one byte in h5 proto, as follows:
632
* 0xdb, 0xdc -> 0xc0
633
* 0xdb, 0xdd -> 0xdb
634
* 0xdb, 0xde -> 0x11
635
* 0xdb, 0xdf -> 0x13
636
* others will not change
637
*
638
* @param h5 realtek h5 struct
639
* @byte pure data in the one byte
640
*/
641
static void h5_unslip_one_byte(struct rtk_h5_struct *h5,  char byte)
642
{
643
	const uint8_t c0 = 0xc0, db = 0xdb;
644
	const uint8_t oof1 = 0x11, oof2 = 0x13;
645
	//RS_DBG("HCI 3wire h5_unslip_one_byte");
646

647
	if (H5_ESCSTATE_NOESC == h5->rx_esc_state) {
648
		if (0xdb == byte) {
649
			h5->rx_esc_state = H5_ESCSTATE_ESC;
650
		} else {
651
			memcpy(skb_put(h5->rx_skb, 1), &byte, 1);
652
			//Check Pkt Header's CRC enable bit
653
			if ((h5->rx_skb->data[0] & 0x40) != 0 && h5->rx_state != H5_W4_CRC) {
654
				h5_crc_update(&h5->message_crc, byte);
655
			}
656
			h5->rx_count--;
657
		}
658
	} else if (H5_ESCSTATE_ESC == h5->rx_esc_state) {
659
		switch (byte) {
660
		case 0xdc:
661
			memcpy(skb_put(h5->rx_skb, 1), &c0, 1);
662
			if ((h5->rx_skb->data[0] & 0x40) != 0 && h5->rx_state != H5_W4_CRC)
663
				h5_crc_update(&h5->message_crc, 0xc0);
664
			h5->rx_esc_state = H5_ESCSTATE_NOESC;
665
			h5->rx_count--;
666
			break;
667
		case 0xdd:
668
			memcpy(skb_put(h5->rx_skb, 1), &db, 1);
669
			if ((h5->rx_skb->data[0] & 0x40) != 0 && h5->rx_state != H5_W4_CRC)
670
				h5_crc_update(&h5->message_crc, 0xdb);
671
			h5->rx_esc_state = H5_ESCSTATE_NOESC;
672
			h5->rx_count--;
673
			break;
674
		case 0xde:
675
			memcpy(skb_put(h5->rx_skb, 1), &oof1, 1);
676
			if ((h5->rx_skb->data[0] & 0x40) != 0 && h5->rx_state != H5_W4_CRC)
677
				h5_crc_update(&h5->message_crc, oof1);
678
			h5->rx_esc_state = H5_ESCSTATE_NOESC;
679
			h5->rx_count--;
680
			break;
681
		case 0xdf:
682
			memcpy(skb_put(h5->rx_skb, 1), &oof2, 1);
683
			if ((h5->rx_skb->data[0] & 0x40) != 0 && h5->rx_state != H5_W4_CRC)
684
				h5_crc_update(&h5->message_crc, oof2);
685
			h5->rx_esc_state = H5_ESCSTATE_NOESC;
686
			h5->rx_count--;
687
			break;
688
		default:
689
			RS_ERR("Error: Invalid byte %02x after esc byte", byte);
690
			skb_free(h5->rx_skb);
691
			h5->rx_skb = NULL;
692
			h5->rx_state = H5_W4_PKT_DELIMITER;
693
			h5->rx_count = 0;
694
			break;
695
		}
696
	}
697
}
698

699
/**
700
* Prepare h5 packet, packet format as follow:
701
*  | LSB 4 octets | 0 ~ 4095 | 2 MSB
702
*  |packet header | payload  | data integrity check |
703
*
704
* pakcket header fromat is show below:
705
*  | LSB 3 bits     | 3 bits                 | 1 bits                       | 1 bits          |
706
*  | 4 bits         | 12 bits                | 8 bits MSB
707
*  |sequence number | acknowledgement number | data integrity check present | reliable packet |
708
*  |packet type     | payload length         | header checksum
709
*
710
* @param h5 realtek h5 struct
711
* @param data pure data
712
* @param len the length of data
713
* @param pkt_type packet type
714
* @return socket buff after prepare in h5 proto
715
*/
716
static struct sk_buff *h5_prepare_pkt(struct rtk_h5_struct *h5, uint8_t *data, int32_t len, int32_t pkt_type)
717
{
718
	struct sk_buff *nskb;
719
	uint8_t hdr[4];
720
	uint16_t h5_txmsg_crc = 0xffff;
721
	int rel, i;
722

723
	switch (pkt_type) {
724
	case HCI_ACLDATA_PKT:
725
	case HCI_COMMAND_PKT:
726
	case HCI_EVENT_PKT:
727
		rel = 1;    /* reliable */
728
		break;
729
	case H5_ACK_PKT:
730
	case H5_VDRSPEC_PKT:
731
	case H5_LINK_CTL_PKT:
732
		rel = 0;	/* unreliable */
733
		break;
734
	default:
735
		RS_ERR("Unknown packet type");
736
		return NULL;
737
	}
738

739
	/* Max len of packet: (original len +4(h5 hdr) + 2(crc)) * 2
740
	 * (because bytes 0xc0 and 0xdb are escaped, worst case is
741
	 * when the packet is all made of 0xc0 and 0xdb :))
742
	 * + 2 (0xc0 delimiters at start and end). */
743
	nskb = skb_alloc((len + 6) * 2 + 2);
744
	if (!nskb)
745
		return NULL;
746

747
	/* Add SLIP start byte: 0xc0 */
748
	h5_slip_msgdelim(nskb);
749
	/* set AckNumber in SlipHeader */
750
	hdr[0] = h5->rxseq_txack << 3;
751
	h5->is_txack_req = 0;
752

753
	if (rel) {
754
		/* set reliable pkt bit and SeqNumber */
755
		hdr[0] |= 0x80 + h5->msgq_txseq;
756
		++(h5->msgq_txseq);
757
		h5->msgq_txseq = (h5->msgq_txseq) & 0x07;
758
	}
759

760
	/* set DicPresent bit */
761
	if (h5->use_crc)
762
		hdr[0] |= 0x40;
763

764
	/* set packet type and payload length */
765
	hdr[1] = ((len << 4) & 0xff) | pkt_type;
766
	hdr[2] = (uint8_t)(len >> 4);
767
	/* set checksum */
768
	hdr[3] = ~(hdr[0] + hdr[1] + hdr[2]);
769

770
	/* Put h5 header */
771
	for (i = 0; i < 4; i++) {
772
		h5_slip_one_byte(nskb, hdr[i]);
773

774
		if (h5->use_crc)
775
			h5_crc_update(&h5_txmsg_crc, hdr[i]);
776
	}
777

778
	/* Put payload */
779
	for (i = 0; i < len; i++) {
780
		h5_slip_one_byte(nskb, data[i]);
781

782
		if (h5->use_crc)
783
			h5_crc_update(&h5_txmsg_crc, data[i]);
784
	}
785

786
	/* Put CRC */
787
	if (h5->use_crc) {
788
		h5_txmsg_crc = bit_rev16(h5_txmsg_crc);
789
		h5_slip_one_byte(nskb, (uint8_t) ((h5_txmsg_crc >> 8) & 0x00ff));
790
		h5_slip_one_byte(nskb, (uint8_t) (h5_txmsg_crc & 0x00ff));
791
	}
792

793
	/* Add SLIP end byte: 0xc0 */
794
	h5_slip_msgdelim(nskb);
795
	return nskb;
796
}
797

798
/**
799
* Removed controller acked packet from Host's unacked lists
800
*
801
* @param h5 realtek h5 struct
802
*/
803
static void h5_remove_acked_pkt(struct rtk_h5_struct *h5)
804
{
805
	int pkts_to_be_removed = 0;
806
	int seqno = 0;
807
	int i = 0;
808

809
	seqno = h5->msgq_txseq;
810

811
	while (pkts_to_be_removed) {
812
		if (h5->rxack == seqno)
813
			break;
814

815
		pkts_to_be_removed--;
816
		seqno = (seqno - 1) & 0x07;
817
	}
818

819
	if (h5->rxack != seqno) {
820
		RS_DBG("Peer acked invalid packet");
821
	}
822

823
	i = 0;
824
	for (i = 0; i < 5; ++i) {
825
		if (i >= pkts_to_be_removed)
826
			break;
827
		i++;
828
	}
829

830
	if (i != pkts_to_be_removed)
831
		RS_DBG("Removed only (%d) out of (%d) pkts", i, pkts_to_be_removed);
832
}
833

834
/**
835
* Realtek send pure ack, send a packet only with an ack
836
*
837
* @param fd uart file descriptor
838
*
839
*/
840
static void rtk_send_pure_ack_down(int fd)
841
{
842
	struct sk_buff *nskb = h5_prepare_pkt(&rtk_h5, NULL, 0, H5_ACK_PKT);
843
	write(fd, nskb->data, nskb->data_len);
844
	skb_free(nskb);
845
	return;
846
}
847

848
/**
849
* Parse hci event command complete, pull the cmd complete event header
850
*
851
* @param skb socket buffer
852
*
853
*/
854
static void hci_event_cmd_complete(struct sk_buff *skb)
855
{
856
	struct hci_ev_cmd_complete *ev = NULL;
857
	uint16_t opcode = 0;
858
	uint8_t status = 0;
859

860
	/* omit length check */
861
	/* pull hdr */
862
	skb_pull(skb, HCI_EVENT_HDR_SIZE);
863
	ev = (struct hci_ev_cmd_complete *)skb->data;
864
	opcode = le16_to_cpu(ev->opcode);
865

866
	RS_DBG("receive hci command complete event with command: %x", opcode);
867
	if (DBG_ON) {
868
		RS_DBG("Dump event data with event header (header size %d):", sizeof(struct hci_ev_cmd_complete));
869
		RS_DUMP(skb->data, skb->data_len);
870
	}
871

872
	/* pull command complete event header */
873
	skb_pull(skb, sizeof(struct hci_ev_cmd_complete));
874

875
	switch (opcode) {
876
	case HCI_VENDOR_CHANGE_BDRATE:
877
		status = skb->data[0];
878
		RS_DBG("Change BD Rate with status:%x", status);
879
		skb_free(rtk_h5.host_last_cmd);
880
		rtk_h5.host_last_cmd = NULL;
881
		rtk_h5.link_estab_state = H5_PATCH;
882
		break;
883
	case HCI_CMD_READ_BD_ADDR:
884
		status = skb->data[0];
885
		RS_DBG("Read BD Address with Status:%x", status);
886
		if (!status) {
887
			RS_DBG("BD Address: %8x%8x", *(int *)&skb->data[1], *(int *)&skb->data[5]);
888
		}
889
		break;
890
	case HCI_VENDOR_READ_LMP_VERISION:
891
		ghci_version_cmd_state = event_received;
892
		status = skb->data[0];
893
		RS_DBG("Read RTK LMP version with Status:%x", status);
894
		if (0 == status) {
895
			hw_cfg_cb.hci_version    = *(uint8_t *)(&skb->data[1]);
896
			hw_cfg_cb.hci_revision   = *(uint8_t *)(&skb->data[2]);
897
			hw_cfg_cb.lmp_subversion = le16_to_cpu(*(uint16_t *)(&skb->data[7]));
898
		} else {
899
			RS_ERR("READ_RTK_ROM_VERISION return status error!");
900
			/* Need to do more */
901
		}
902
		skb_free(rtk_h5.host_last_cmd);
903
		rtk_h5.host_last_cmd = NULL;
904
		break;
905
	case HCI_VENDOR_READ_CHIP_TYPE:
906
		gchip_type_cmd_state = event_received;
907
		status = skb->data[0];
908
		RS_DBG("Read RTK CHIP TYPE with Status:%x", status);
909
		if (0 == status) {
910
			hw_cfg_cb.chip_type = *(uint8_t *)(&skb->data[1]);
911
		} else {
912
			RS_ERR("READ_RTK_CHIP_TYPE return status error!");
913
		}
914
		skb_free(rtk_h5.host_last_cmd);
915
		rtk_h5.host_last_cmd = NULL;
916
		break;
917
	case HCI_VENDOR_READ_RTK_ROM_VERISION:
918
		gRom_version_cmd_state = event_received;
919
		status = skb->data[0];
920
		RS_DBG("Read RTK rom version with Status:%x", status);
921
		if (0 == status)
922
			gEVersion = skb->data[1];
923
		else if (1 == status)
924
			gEVersion = 0;
925
		else {
926
			gEVersion = 0;
927
			RS_ERR("READ_RTK_ROM_VERISION return status error!");
928
			/* Need to do more */
929
		}
930
		skb_free(rtk_h5.host_last_cmd);
931
		rtk_h5.host_last_cmd = NULL;
932
		break;
933
	}
934
}
935

936
/**
937
* Check if it's a hci frame, if it is, complete it with response or parse the cmd complete event
938
*
939
* @param skb socket buffer
940
*
941
*/
942
static void hci_recv_frame(struct sk_buff *skb)
943
{
944
	 char h5sync[2] = {0x01, 0x7E},
945
	h5syncresp[2] = {0x02, 0x7D},
946
	h5_sync_resp_pkt[0x8] = {0xc0, 0x00, 0x2F, 0x00, 0xD0, 0x02, 0x7D, 0xc0},
947
	h5_conf_resp_pkt_to_Ctrl[0x8] = {0xc0, 0x00, 0x2F, 0x00, 0xD0, 0x04, 0x7B, 0xc0},
948
	h5conf[3] = {0x03, 0xFC, 0x10},
949
	h5confresp[3] = {0x04, 0x7B, 0x10},
950
	cmd_complete_evt_code = 0xe;
951

952
	if (rtk_h5.link_estab_state == H5_SYNC) {  /* sync */
953
		if (!memcmp(skb->data, h5sync, 2)) {
954
			RS_DBG("Get Sync Pkt\n");
955
			write(serial_fd, &h5_sync_resp_pkt, 0x8);
956
		} else if (!memcmp(skb->data, h5syncresp, 2)) {
957
			RS_DBG("Get Sync Resp Pkt\n");
958
			rtk_h5.link_estab_state = H5_CONFIG;
959
		}
960
		skb_free(skb);
961
	} else if (rtk_h5.link_estab_state == H5_CONFIG) {  /* config */
962
		if (!memcmp(skb->data, h5sync, 0x2)) {
963
			write(serial_fd, &h5_sync_resp_pkt, 0x8);
964
			RS_DBG("Get SYNC pkt-active mode\n");
965
		} else if (!memcmp(skb->data, h5conf, 0x2)) {
966
			write(serial_fd, &h5_conf_resp_pkt_to_Ctrl, 0x8);
967
			RS_DBG("Get CONFG pkt-active mode\n");
968
		} else if (!memcmp(skb->data, h5confresp,  0x2)) {
969
			RS_DBG("Get CONFG resp pkt-active mode\n");
970
			rtk_h5.link_estab_state = H5_INIT;//H5_PATCH;
971
			//rtk_send_pure_ack_down(serial_fd);
972
		} else {
973
			RS_DBG("H5_CONFIG receive event\n");
974
			rtk_send_pure_ack_down(serial_fd);
975
		}
976
		skb_free(skb);
977
	} else if (rtk_h5.link_estab_state == H5_INIT) {
978
		if (skb->data[0] == cmd_complete_evt_code) {
979
			hci_event_cmd_complete(skb);
980
		}
981

982
		rtk_send_pure_ack_down(serial_fd);
983
		usleep(10000);
984
		rtk_send_pure_ack_down(serial_fd);
985
		usleep(10000);
986
		rtk_send_pure_ack_down(serial_fd);
987
		skb_free(skb);
988
	} else if (rtk_h5.link_estab_state == H5_PATCH) {  /* patch */
989
		rtk_patch.nRxIndex = skb->data[6];
990
		if (rtk_patch.nRxIndex & 0x80)
991
			rtk_patch.nRxIndex &= ~0x80;
992

993
		RS_DBG("rtk_patch.nRxIndex %d\n", rtk_patch.nRxIndex);
994
		if (rtk_patch.nRxIndex == rtk_patch.nTotal)
995
			rtk_h5.link_estab_state = H5_ACTIVE;
996
		skb_free(skb);
997
	} else {
998
		RS_ERR("receive packets in active state");
999
		skb_free(skb);
1000
	}
1001
}
1002

1003
/**
1004
* after rx data is parsed, and we got a rx frame saved in h5->rx_skb,
1005
* this routinue is called.
1006
* things todo in this function:
1007
* 1. check if it's a hci frame, if it is, complete it with response or ack
1008
* 2. see the ack number, free acked frame in queue
1009
* 3. reset h5->rx_state, set rx_skb to null.
1010
*
1011
* @param h5 realtek h5 struct
1012
*
1013
*/
1014
static void h5_complete_rx_pkt(struct rtk_h5_struct *h5)
1015
{
1016
	int pass_up = 1;
1017
	uint16_t *valuep, value_t;
1018
	H5_PKT_HEADER *h5_hdr = NULL;
1019
	/* 1 is offset of uint16_t in H5_PKT_HEADER */
1020
	valuep  = (uint16_t *)(h5->rx_skb->data+1);
1021
	value_t = le16_to_cpu(*valuep);
1022
	*valuep = value_t;
1023
	h5_hdr  = (H5_PKT_HEADER *)(h5->rx_skb->data);
1024
	if (h5_hdr->ReliablePkt) {
1025
		RS_DBG("Received reliable seqno %u from card", h5->rxseq_txack);
1026
		h5->rxseq_txack = h5_hdr->SeqNumber + 1;
1027
		h5->rxseq_txack %= 8;
1028
		h5->is_txack_req = 1;
1029
		/* send down an empty ack if needed. */
1030
	}
1031

1032
	h5->rxack = h5_hdr->AckNumber;
1033

1034
	switch (h5_hdr->PktType) {
1035
	case HCI_ACLDATA_PKT:
1036
	case HCI_EVENT_PKT:
1037
	case HCI_SCODATA_PKT:
1038
	case HCI_COMMAND_PKT:
1039
	case H5_LINK_CTL_PKT:
1040
		pass_up = 1;
1041
		break;
1042
	default:
1043
		pass_up = 0;
1044
	}
1045

1046
	h5_remove_acked_pkt(h5);
1047

1048
	/* decide if we need to pass up. */
1049
	if (pass_up) {
1050
		/* remove h5 header and send packet to hci */
1051
		skb_pull(h5->rx_skb, sizeof(H5_PKT_HEADER));
1052
		hci_recv_frame(h5->rx_skb);
1053
		/* should skb be freed here? */
1054
	} else {
1055
		/* free skb buffer */
1056
		skb_free(h5->rx_skb);
1057
	}
1058

1059
	h5->rx_state = H5_W4_PKT_DELIMITER;
1060
	h5->rx_skb = NULL;
1061
}
1062

1063
/**
1064
* Parse the receive data in h5 proto.
1065
*
1066
* @param h5 realtek h5 struct
1067
* @param data point to data received before parse
1068
* @param count num of data
1069
* @return reserved count
1070
*/
1071
static int h5_recv(struct rtk_h5_struct *h5, void *data, int count)
1072
{
1073
	char *ptr;
1074
	ptr = (char *)data;
1075

1076
	while (count) {
1077
		if (h5->rx_count) {
1078
			if (*ptr == 0xc0) {
1079
				RS_ERR("short h5 packet");
1080
				skb_free(h5->rx_skb);
1081
				h5->rx_state = H5_W4_PKT_START;
1082
				h5->rx_count = 0;
1083
			} else {
1084
				h5_unslip_one_byte(h5, *ptr);
1085
			}
1086
			ptr++;
1087
			count--;
1088
			continue;
1089
		}
1090

1091
		switch (h5->rx_state) {
1092
		case H5_W4_HDR:
1093
			/* check header checksum. see Core Spec V4 "3-wire uart" page 67 */
1094
			if ((0xff & (uint8_t) ~(h5->rx_skb->data[0] + h5->rx_skb->data[1] +
1095
					h5->rx_skb->data[2])) != h5->rx_skb->data[3]) {
1096
				RS_ERR("h5 hdr checksum error!!!");
1097
				skb_free(h5->rx_skb);
1098
				h5->rx_state = H5_W4_PKT_DELIMITER;
1099
				h5->rx_count = 0;
1100
				continue;
1101
			}
1102

1103
			if (h5->rx_skb->data[0] & 0x80	/* reliable pkt */
1104
					&& (h5->rx_skb->data[0] & 0x07) != h5->rxseq_txack) {
1105
				RS_ERR("Out-of-order packet arrived, got(%d)expected(%u)",
1106
				h5->rx_skb->data[0] & 0x07, h5->rxseq_txack);
1107
				h5->is_txack_req = 1;
1108
				skb_free(h5->rx_skb);
1109
				h5->rx_state = H5_W4_PKT_DELIMITER;
1110
				h5->rx_count = 0;
1111

1112
				if (rtk_patch.nTxIndex == rtk_patch.nTotal) {
1113
					/* depend on weather remote will reset ack numb or not!!!!!!!!!!!!!!!special */
1114
					rtk_h5.rxseq_txack = h5->rx_skb->data[0] & 0x07;
1115
				}
1116
				continue;
1117
			}
1118

1119
			h5->rx_state = H5_W4_DATA;
1120

1121
			/* payload length: May be 0 */
1122
			h5->rx_count = (h5->rx_skb->data[1] >> 4) + (h5->rx_skb->data[2] << 4);
1123
			continue;
1124
		case H5_W4_DATA:
1125
			if (h5->rx_skb->data[0] & 0x40) {  /* pkt with crc */
1126
				h5->rx_state = H5_W4_CRC;
1127
				h5->rx_count = 2;
1128
			} else {
1129
				h5_complete_rx_pkt(h5);        /* Send ACK */
1130
			}
1131
			continue;
1132

1133
		case H5_W4_CRC:
1134
			if (bit_rev16(h5->message_crc) != h5_get_crc(h5)) {
1135
				RS_ERR("Checksum failed, computed(%04x)received(%04x)",
1136
				bit_rev16(h5->message_crc), h5_get_crc(h5));
1137
				skb_free(h5->rx_skb);
1138
				h5->rx_state = H5_W4_PKT_DELIMITER;
1139
				h5->rx_count = 0;
1140
				continue;
1141
			}
1142
			skb_trim(h5->rx_skb, h5->rx_skb->data_len - 2);
1143
			h5_complete_rx_pkt(h5);
1144
			continue;
1145

1146
		case H5_W4_PKT_DELIMITER:
1147
			switch (*ptr) {
1148
			case 0xc0:
1149
				h5->rx_state = H5_W4_PKT_START;
1150
				break;
1151
			default:
1152
				break;
1153
			}
1154
			ptr++;
1155
			count--;
1156
			break;
1157

1158
		case H5_W4_PKT_START:
1159
			switch (*ptr) {
1160
			case 0xc0:
1161
				ptr++;
1162
				count--;
1163
				break;
1164
			default:
1165
				h5->rx_state = H5_W4_HDR;
1166
				h5->rx_count = 4;
1167
				h5->rx_esc_state = H5_ESCSTATE_NOESC;
1168
				h5->message_crc = 0xffff;
1169

1170
				/* Do not increment ptr or decrement count
1171
				 * Allocate packet. Max len of a H5 pkt=
1172
				 * 0xFFF (payload) +4 (header) +2 (crc) */
1173
				h5->rx_skb = skb_alloc(0x1005);
1174
				if (!h5->rx_skb) {
1175
					h5->rx_state = H5_W4_PKT_DELIMITER;
1176
					h5->rx_count = 0;
1177
					return 0;
1178
				}
1179
				break;
1180
			}
1181
			break;
1182
		}
1183
	}
1184
	return count;
1185
}
1186

1187
/**
1188
* Read data to buf from uart.
1189
*
1190
* @param fd uart file descriptor
1191
* @param buf point to the addr where read data stored
1192
* @param count num of data want to read
1193
* @return num of data successfully read
1194
*/
1195
static int read_check(int fd, void *buf, int count)
1196
{
1197
	int res;
1198
	do {
1199
		res = read(fd, buf, count);
1200
		if (res != -1) {
1201
			buf = (uint8_t *)buf + res;
1202
			count -= res;
1203
			return res;
1204
		}
1205
	} while (count && (errno == 0 || errno == EINTR));
1206
	return res;
1207
}
1208

1209
/**
1210
* Retry to sync when timeout in h5 proto, max retry times is 10.
1211
*
1212
* @warning Each time to retry, the time for timeout will be set as 1s.
1213
*
1214
* @param sig signaction for timeout
1215
*
1216
*/
1217
static void h5_tshy_sig_alarm(int sig)
1218
{
1219
	uint8_t h5sync[2] = {0x01, 0x7E};
1220
	static int retries;
1221
	struct itimerval value;
1222

1223
	if (retries < h5_max_retries) {
1224
		retries++;
1225
		struct sk_buff *nskb = h5_prepare_pkt(&rtk_h5, h5sync, sizeof(h5sync), H5_LINK_CTL_PKT);
1226
		int len = write(serial_fd, nskb->data, nskb->data_len);
1227
		RS_DBG("3-wire sync pattern resend : %d, len: %d\n", retries, len);
1228
		skb_free(nskb);
1229

1230
		/* retry per 250ms */
1231
		value.it_value.tv_sec = 0;
1232
		value.it_value.tv_usec = 250000;
1233
		value.it_interval.tv_sec = 0;
1234
		value.it_interval.tv_usec = 250000;
1235
		setitimer(ITIMER_REAL, &value, NULL);
1236

1237
		return;
1238
	}
1239

1240
	tcflush(serial_fd, TCIOFLUSH);
1241
	RS_ERR("H5 sync timed out\n");
1242
	exit(1);
1243
}
1244

1245
/**
1246
* Retry to config when timeout in h5 proto, max retry times is 10.
1247
*
1248
* @warning Each time to retry, the time for timeout will be set as 1s.
1249
*
1250
* @param sig signaction for timeout
1251
*
1252
*/
1253
static void h5_tconf_sig_alarm(int sig)
1254
{
1255
	uint8_t h5conf[3] = {0x03, 0xFC, 0x14};
1256
	static int retries;
1257
	struct itimerval value;
1258

1259
	if (retries < h5_max_retries) {
1260
		retries++;
1261
		struct sk_buff *nskb = h5_prepare_pkt(&rtk_h5, h5conf, 3, H5_LINK_CTL_PKT);
1262
		int len = write(serial_fd,  nskb->data, nskb->data_len);
1263
		RS_DBG("3-wire config pattern resend : %d , len: %d", retries, len);
1264
		skb_free(nskb);
1265

1266
		/* retry per 250ms */
1267
		value.it_value.tv_sec = 0;
1268
		value.it_value.tv_usec = 250000;
1269
		value.it_interval.tv_sec = 0;
1270
		value.it_interval.tv_usec = 250000;
1271
		setitimer(ITIMER_REAL, &value, NULL);
1272

1273
		return;
1274
	}
1275

1276
	tcflush(serial_fd, TCIOFLUSH);
1277
	RS_ERR("H5 config timed out\n");
1278
	exit(1);
1279
}
1280

1281
/**
1282
* Retry to init when timeout in h5 proto, max retry times is 10.
1283
*
1284
* @warning Each time to retry, the time for timeout will be set as 1s.
1285
*
1286
* @param sig signaction for timeout
1287
*
1288
*/
1289
static void h5_tinit_sig_alarm(int sig)
1290
{
1291
	static int retries;
1292
	if (retries < h5_max_retries) {
1293
		retries++;
1294
		if (rtk_h5.host_last_cmd) {
1295
			int len = write(serial_fd, rtk_h5.host_last_cmd->data, rtk_h5.host_last_cmd->data_len);
1296
			RS_DBG("3-wire change baudrate re send:%d, len:%d", retries, len);
1297
			alarm(1);
1298
			return;
1299
		} else {
1300
			RS_DBG("3-wire init timeout without last command stored\n");
1301
		}
1302
	}
1303

1304
	tcflush(serial_fd, TCIOFLUSH);
1305
	RS_ERR("H5 init process timed out");
1306
	exit(1);
1307
}
1308

1309
/**
1310
* Retry to download patch when timeout in h5 proto, max retry times is 10.
1311
*
1312
* @warning Each time to retry, the time for timeout will be set as 3s.
1313
*
1314
* @param sig signaction for timeout
1315
*
1316
*/
1317
static void h5_tpatch_sig_alarm(int sig)
1318
{
1319
	static int retries;
1320
	if (retries < h5_max_retries) {
1321
		RS_DBG("patch timerout, retry:\n");
1322
		if (rtk_h5.host_last_cmd) {
1323
			write(serial_fd, rtk_h5.host_last_cmd->data, rtk_h5.host_last_cmd->data_len);
1324
			RS_DBG("3-wire download patch re send:%d", retries);
1325
		}
1326
		retries++;
1327
		alarm(3);
1328
		return;
1329
	}
1330
	RS_ERR("H5 patch timed out\n");
1331
	exit(1);
1332
}
1333

1334
/**
1335
* Download patch using hci. For h5 proto, not recv reply for 2s will timeout.
1336
* Call h5_tpatch_sig_alarm for retry.
1337
*
1338
* @param dd uart file descriptor
1339
* @param index current index
1340
* @param data point to the config file
1341
* @param len current buf length
1342
* @return #0 on success
1343
*
1344
*/
1345
static int hci_download_patch(int dd, int index, uint8_t *data, int len, struct termios *ti)
1346
{
1347
	uint8_t hcipatch[256] = {0x20, 0xfc, 00};
1348
	char bytes[READ_DATA_SIZE];
1349
	int retlen;
1350
	struct sigaction sa;
1351

1352
	sa.sa_handler = h5_tpatch_sig_alarm;
1353
	sigaction(SIGALRM, &sa, NULL);
1354
	alarm(2);
1355

1356
	download_vendor_patch_cp cp;
1357
	memset(&cp, 0, sizeof(cp));
1358
	cp.index = index;
1359
	if (data != NULL) {
1360
		memcpy(cp.data, data, len);
1361
	}
1362

1363
	int nValue = rtk_patch.nTotal|0x80;
1364
	if (index == nValue) {
1365
		rtk_patch.nTxIndex = rtk_patch.nTotal;
1366
	} else {
1367
		rtk_patch.nTxIndex = index;
1368
	}
1369
	hcipatch[2] = len+1;
1370
	memcpy(hcipatch+3, &cp, len+1);
1371

1372
	struct sk_buff *nskb = h5_prepare_pkt(&rtk_h5, hcipatch, len+4, HCI_COMMAND_PKT); /* data: len + head: 4 */
1373

1374
	if (rtk_h5.host_last_cmd) {
1375
		skb_free(rtk_h5.host_last_cmd);
1376
		rtk_h5.host_last_cmd = NULL;
1377
	}
1378

1379
	rtk_h5.host_last_cmd = nskb;
1380

1381
	len = write(dd, nskb->data, nskb->data_len);
1382
	RS_DBG("hci_download_patch nTxIndex:%d nRxIndex: %d\n", rtk_patch.nTxIndex, rtk_patch.nRxIndex);
1383

1384
	if (index & 0x80) {
1385
		RS_DBG("Hw Flow Control enable after last command sent before last event recv ! ");
1386
		if (tcsetattr(dd, TCSADRAIN, ti) < 0) {
1387
			RS_ERR("Can't set port settings");
1388
			return -1;
1389
		}
1390
	}
1391

1392
	while (rtk_patch.nRxIndex != rtk_patch.nTxIndex) {  /* receive data and wait last pkt */
1393
		retlen = read_check(dd, &bytes, READ_DATA_SIZE);
1394
		if (retlen == -1) {
1395
			perror("read fail");
1396
			return -1;
1397
		}
1398
		h5_recv(&rtk_h5, &bytes, retlen);
1399
	}
1400

1401
	alarm(0);
1402
	return 0;
1403
}
1404

1405
/**
1406
* Download h4 patch
1407
*
1408
* @param dd uart file descriptor
1409
* @param index current index
1410
* @param data point to the config file
1411
* @param len current buf length
1412
* @return ret_index
1413
*
1414
*/
1415
static int hci_download_patch_h4(int dd, int index, uint8_t *data, int len)
1416
{
1417
	 char bytes[257] = {0};
1418
	 char buf[257] = {0x01, 0x20, 0xfc, 00};
1419

1420
	RS_DBG("dd:%d, index:%d, len:%d", dd, index, len);
1421
	if (NULL != data) {
1422
		memcpy(&buf[5], data, len);
1423
	}
1424

1425
	int cur_index = index;
1426
	int ret_Index = -1;
1427

1428
	/* Set data struct. */
1429
	buf[3] = len + 1; /* add index */
1430
	buf[4] = cur_index;
1431
	size_t total_len = len + 5;
1432

1433
	/* write */
1434
	uint16_t w_len;
1435
	w_len = write(dd, buf, total_len);
1436
	RS_DBG("h4 write success with len: %d.\n", w_len);
1437

1438
	uint16_t res;
1439
	res = read(dd, bytes, 8);
1440

1441
	if (DBG_ON) {
1442
		RS_DBG("h4 read success with len: %d.\n", res);
1443
		int i = 0;
1444
		for (i = 0; i < 8; i++) {
1445
			fprintf(stderr, "byte[%d] = 0x%x\n", i, bytes[i]);
1446
		}
1447
	}
1448

1449
	uint8_t rstatus;
1450
	if ((0x04 == bytes[0]) && (0x20 == bytes[4]) && (0xfc == bytes[5])) {
1451
		ret_Index = bytes[7];
1452
		rstatus = bytes[6];
1453
		RS_DBG("---->ret_Index:%d, ----->rstatus:%d\n", ret_Index, rstatus);
1454
		if (0x00 != rstatus) {
1455
			RS_ERR("---->read event status is wrong.\n");
1456
			return -1;
1457
		}
1458
	} else {
1459
		RS_ERR("==========>Didn't read curret data.\n");
1460
		return -1;
1461
	}
1462

1463
	return ret_Index;
1464
}
1465

1466
/**
1467
* Realtek change speed with h4 proto. Using vendor specified command packet to achieve this.
1468
*
1469
* @warning before write, need to wait 1s for device up
1470
*
1471
* @param fd uart file descriptor
1472
* @param baudrate the speed want to change
1473
* @return #0 on success
1474
*/
1475
static int rtk_vendor_change_speed_h4(int fd, uint32_t baudrate)
1476
{
1477
	 char bytes[257];
1478
	uint8_t cmd[8] = {0};
1479

1480
	cmd[0] = 1;    /* cmd */
1481
	cmd[1] = 0x17; /* ocf */
1482
	cmd[2] = 0xfc; /* ogf, vendor specified */
1483

1484
	cmd[3] = 4;    /* length */
1485
#ifdef BAUDRATE_4BYTES
1486
	memcpy((uint16_t *)&cmd[4], &baudrate, 4);
1487
#else
1488
	memcpy((uint16_t *)&cmd[4], &baudrate, 2);
1489

1490
	cmd[6] = 0;
1491
	cmd[7] = 0;
1492
#endif
1493

1494
	/* wait for a while for device to up, just h4 need it */
1495
	sleep(1);
1496

1497
	if (write(fd, cmd, 8) != 8) {
1498
		RS_ERR("H4 change uart speed error when writing vendor command");
1499
		return -1;
1500
	}
1501
	RS_DBG("H4 Change uart Baudrate after write ");
1502
	int res;
1503
	res = read(fd, bytes, sizeof(bytes));
1504

1505
	if (DBG_ON) {
1506
		RS_DBG("Realtek Receving H4 change uart speed event:%x", res);
1507
		RS_DUMP(bytes, res);
1508
	}
1509
	if ((0x04 == bytes[0]) && (0x17 == bytes[4]) && (0xfc == bytes[5])) {
1510
		RS_DBG("H4 change uart speed success, receving status:%x", bytes[6]);
1511
		if (bytes[6] == 0)
1512
			return 0;
1513
	}
1514
	return -1;
1515
}
1516

1517
/**
1518
* Parse realtek Bluetooth config file.
1519
* The config file if begin with vendor magic: RTK_VENDOR_CONFIG_MAGIC(8723ab55)
1520
* bt_addr is followed by 0x3c offset, it will be changed by bt_addr param
1521
* proto, baudrate and flow control is followed by 0xc offset,
1522
*
1523
* @param config_buf point to config file content
1524
* @param filelen length of config file
1525
* @param bt_addr where bt addr is stored
1526
* @return baudrate in config file
1527
*
1528
*/
1529

1530
static uint32_t rtk_parse_config_file(uint8_t *config_buf, size_t filelen, char bt_addr[6])
1531
{
1532
	struct rtk_bt_vendor_config *config = (struct rtk_bt_vendor_config *) config_buf;
1533
	uint16_t config_len = le16_to_cpu(config->data_len), temp = 0;
1534
	struct rtk_bt_vendor_config_entry *entry = config->entry;
1535

1536
	uint16_t i;
1537
	uint32_t baudrate = 0;
1538

1539
	if (le32_to_cpu(config->signature) != RTK_VENDOR_CONFIG_MAGIC) {
1540
		RS_ERR("config signature magic number(%x) is not set to RTK_VENDOR_CONFIG_MAGIC", (int)config->signature);
1541
		return 0;
1542
	}
1543

1544
	if (config_len != filelen - sizeof(struct rtk_bt_vendor_config)) {
1545
		RS_ERR("config len(%x) is not right(%x)", config_len, filelen-sizeof(struct rtk_bt_vendor_config));
1546
		return 0;
1547
	}
1548

1549
	for (i = 0; i < config_len;) {
1550
		switch (le16_to_cpu(entry->offset)) {
1551
		case 0x3c:
1552
			{
1553
				int j = 0;
1554
				for (j = 0; j < entry->entry_len; j++)
1555
					entry->entry_data[j] = bt_addr[entry->entry_len - 1 - j];
1556
			}
1557
			break;
1558
		case 0xc:
1559
#ifdef BAUDRATE_4BYTES
1560
			baudrate = *(uint32_t *)entry->entry_data;
1561
#else
1562
			baudrate = *(uint16_t *)entry->entry_data;
1563
#endif
1564
			gHwFlowControlEnable = 0;
1565
			if (entry->entry_len >= 12) { //0ffset 0x18 - 0xc
1566
				gHwFlowControlEnable = (entry->entry_data[12] & 0x4) ? 1:0; //0x18 byte bit2
1567
			}
1568
			RS_DBG("config baud rate to :%x, hwflowcontrol:%x, %x", (int)baudrate, entry->entry_data[12], gHwFlowControlEnable);
1569
			break;
1570
		default:
1571
			RS_DBG("config offset(%x),length(%x)", entry->offset, entry->entry_len);
1572
			break;
1573
		}
1574
		temp = entry->entry_len + sizeof(struct rtk_bt_vendor_config_entry);
1575
		i += temp;
1576
		entry = (struct rtk_bt_vendor_config_entry *)((uint8_t *)entry + temp);
1577
	}
1578

1579
	return baudrate;
1580
}
1581

1582
/**
1583
* get random realtek Bluetooth addr.
1584
*
1585
* @param bt_addr where bt addr is stored
1586
*
1587
*/
1588
static void rtk_get_ram_addr(char bt_addr[0])
1589
{
1590
	srand(time(NULL)+getpid()+getpid()*987654+rand());
1591

1592
	uint32_t addr = rand();
1593
	memcpy(bt_addr, &addr, sizeof(uint8_t));
1594
}
1595

1596
/**
1597
* Write the random bt addr to the file /data/misc/bluetooth/btmac.txt.
1598
*
1599
* @param bt_addr where bt addr is stored
1600
*
1601
*/
1602
static void rtk_write_btmac2file(char bt_addr[6])
1603
{
1604
	int fd;
1605
	mkdir(BT_ADDR_DIR, 0777);
1606
	fd = open(BT_ADDR_FILE, O_CREAT|O_RDWR|O_TRUNC, 0666);
1607

1608
	if (fd > 0) {
1609
		chmod(BT_ADDR_FILE, 0666);
1610
		char addr[18] = {0};
1611
		addr[17] = '\0';
1612
		sprintf(addr, "%2x:%2x:%2x:%2x:%2x:%2x", bt_addr[0], bt_addr[1], bt_addr[2], bt_addr[3], bt_addr[4], bt_addr[5]);
1613
		write(fd, addr, strlen(addr));
1614
		close(fd);
1615
	} else {
1616
		RS_ERR("open file error:%s\n", BT_ADDR_FILE);
1617
	}
1618
}
1619

1620
/**
1621
* Get realtek Bluetooth config file. The bt addr arg is stored in /data/btmac.txt, if there is not this file,
1622
* change to /data/misc/bluetooth/btmac.txt. If both of them are not found, using
1623
* random bt addr.
1624
*
1625
* The config file is rtk8723_bt_config whose bt addr will be changed by the one read previous
1626
*
1627
* @param config_buf point to the content of realtek Bluetooth config file
1628
* @param config_baud_rate the baudrate set in the config file
1629
* @return file_len the length of config file
1630
*/
1631
static int rtk_get_bt_config(uint8_t **config_buf, uint32_t *config_baud_rate, patch_info *info)
1632
{
1633
	char bt_config_file_name[PATH_MAX] = {0};
1634
	char bt_addr[6] = {0x00, 0xe0, 0x4c, 0x88, 0x88, 0x88};
1635
	struct stat st;
1636
	size_t filelen;
1637
	int fd;
1638
	FILE *file = NULL;
1639
	int i = 0;
1640

1641
	sprintf(bt_config_file_name, "%s/%s", BT_CONFIG_DIRECTORY, "btmac.txt");
1642
	RS_DBG("BT mac addr file: %s", bt_config_file_name);
1643
	if (stat(bt_config_file_name, &st) < 0) {
1644
		RS_ERR("can't access bt bt_mac_addr file:%s, try use another path", bt_config_file_name);
1645
		sprintf(bt_config_file_name, BT_ADDR_FILE);
1646
		if (stat(bt_config_file_name, &st) < 0) {
1647
			RS_ERR("can't access bt bt_mac_addr file:%s, try use ramdom BT Addr", bt_config_file_name);
1648

1649
			for (i = 0; i < 6; i++)
1650
				rtk_get_ram_addr(&bt_addr[i]);
1651
			rtk_write_btmac2file(bt_addr);
1652
			goto GET_CONFIG;
1653
		}
1654
	}
1655

1656
	filelen = st.st_size;
1657
	file = fopen(bt_config_file_name, "rb");
1658
	if (file == NULL) {
1659
		RS_ERR("Can't open bt btaddr file, just use preset BT Addr");
1660
	} else {
1661
		fscanf(file, "%2x:%2x:%2x:%2x:%2x:%2x", (int *)&bt_addr[0], (uint32_t *)&bt_addr[1], (uint32_t *)&bt_addr[2], (uint32_t *)&bt_addr[3], (uint32_t *)&bt_addr[4], (uint32_t *)&bt_addr[5]);
1662
		/* do not set bt_add[0] to zero */
1663
		/* reserve LAP addr from 0x9e8b00 to 0x9e8b3f, change to 0x008b */
1664
		if (0x9e == bt_addr[3] && 0x8b == bt_addr[4] && (bt_addr[5] <= 0x3f)) {
1665
			/* get random value */
1666
			bt_addr[3] = 0x00;
1667
		}
1668
		RS_DBG("BT MAC IS : %02X:%02X:%02X:%02X:%02X:%02X", bt_addr[0], bt_addr[1], bt_addr[2], bt_addr[3], bt_addr[4], bt_addr[5]);
1669
	}
1670

1671
GET_CONFIG:
1672
	if (info != NULL) {
1673
		 sprintf(bt_config_file_name, "%s/%s", BT_CONFIG_DIRECTORY, info->config_name);
1674
	} else {
1675
		 sprintf(bt_config_file_name, "%s/%s", BT_CONFIG_DIRECTORY, "rtlbt_config");
1676
	}
1677
	RS_DBG("Final bt config file: %s", bt_config_file_name);
1678

1679
	if (stat(bt_config_file_name, &st) < 0) {
1680
		RS_ERR("Can't access firmware, errno:%d", errno);
1681
		return -1;
1682
	}
1683

1684
	filelen = st.st_size;
1685

1686
	fd = open(bt_config_file_name, O_RDONLY);
1687
	if (fd < 0) {
1688
		perror("Can't open bt config file");
1689
		return -1;
1690
	}
1691

1692
	*config_buf = malloc(filelen);
1693
	if (*config_buf == NULL) {
1694
		RS_DBG("malloc buffer for config file fail(%x)\n", filelen);
1695
		close(fd);
1696
		return -1;
1697
	}
1698

1699
	/* we may need to parse this config file. */
1700
	/* for easy debug, only get need data. */
1701
	if (read(fd, *config_buf, filelen) < (ssize_t)filelen) {
1702
		perror("Can't load bt config file");
1703
		free(*config_buf);
1704
		*config_buf = NULL;
1705
		close(fd);
1706
		return -1;
1707
	}
1708

1709
	*config_baud_rate = rtk_parse_config_file(*config_buf, filelen, bt_addr);
1710
	RS_DBG("Get config baud rate(4 bytes) from config file:%x", (int)*config_baud_rate);
1711

1712
	close(fd);
1713
	return filelen;
1714
}
1715

1716
/**
1717
* Realtek change speed with h5 proto. Using vendor specified command packet to achieve this.
1718
*
1719
* @warning it will waiting 2s for reply.
1720
*
1721
* @param fd uart file descriptor
1722
* @param baudrate the speed want to change
1723
*
1724
*/
1725
static int rtk_vendor_change_speed_h5(int fd, uint32_t baudrate)
1726
{
1727
	struct  sk_buff *cmd_change_bdrate = NULL;
1728
	uint8_t cmd[7] = {0};
1729
	int     retlen;
1730
	char    bytes[READ_DATA_SIZE];
1731
	struct  sigaction sa;
1732

1733
	sa.sa_handler = h5_tinit_sig_alarm;
1734
	sigaction(SIGALRM, &sa, NULL);
1735

1736
	cmd[0] = 0x17; /* ocf */
1737
	cmd[1] = 0xfc; /* ogf, vendor specified */
1738

1739
	cmd[2] = 4;    /* length */
1740
#ifdef BAUDRATE_4BYTES
1741
	memcpy((uint16_t *)&cmd[3], &baudrate, 4);
1742
#else
1743
	memcpy((uint16_t *)&cmd[3], &baudrate, 2);
1744
	cmd[5] = 0;
1745
	cmd[6] = 0;
1746
#endif
1747

1748
	if (DBG_ON) {
1749
		RS_DUMP(cmd, 7);
1750
		RS_DBG("change speed command ready baudrate=%d n", baudrate);
1751
	}
1752
	cmd_change_bdrate = h5_prepare_pkt(&rtk_h5, cmd, 7, HCI_COMMAND_PKT);
1753
	if (!cmd_change_bdrate) {
1754
		RS_ERR("Prepare command packet for change speed fail");
1755
		return -1;
1756
	}
1757

1758
	rtk_h5.host_last_cmd = cmd_change_bdrate;
1759
	alarm(1);
1760
	write(fd, cmd_change_bdrate->data, cmd_change_bdrate->data_len);
1761

1762
	while (rtk_h5.link_estab_state == H5_INIT) {
1763
		retlen = read_check(fd, &bytes, READ_DATA_SIZE);
1764
		if (retlen == -1) {
1765
			perror("read fail");
1766
			return -1;
1767
		}
1768

1769
		/* add pure ack check */
1770
		h5_recv(&rtk_h5, &bytes, retlen);
1771
	}
1772

1773
	alarm(0);
1774
	return 0;
1775
}
1776

1777
/**
1778
* Init realtek Bluetooth h5 proto. h5 proto is added by realtek in the right kernel.
1779
* Generally there are two steps: h5 sync and h5 config
1780
*
1781
* @param fd uart file descriptor
1782
* @param ti termios struct
1783
*
1784
*/
1785
static int rtk_init_h5(int fd, struct termios *ti)
1786
{
1787
	 char bytes[READ_DATA_SIZE];
1788
	struct sigaction sa;
1789
	int retlen;
1790
	struct itimerval value;
1791

1792
	/* set even parity here */
1793
	ti->c_cflag |= PARENB;
1794
	ti->c_cflag &= ~(PARODD);
1795
	if (tcsetattr(fd, TCSANOW, ti) < 0) {
1796
		RS_ERR("Can't set port settings");
1797
		return -1;
1798
	}
1799

1800
	alarm(0);
1801
	serial_fd = fd;
1802
	memset(&sa, 0, sizeof(sa));
1803
	sa.sa_flags = SA_NOCLDSTOP;
1804
	sa.sa_handler = h5_tshy_sig_alarm;
1805
	sigaction(SIGALRM, &sa, NULL);
1806

1807
	/* h5 sync */
1808
	h5_tshy_sig_alarm(0);
1809
	memset(&rtk_h5, 0, sizeof(rtk_h5));
1810
	rtk_h5.link_estab_state = H5_SYNC;
1811
	while (rtk_h5.link_estab_state == H5_SYNC) {
1812
		retlen = read_check(fd, &bytes, READ_DATA_SIZE);
1813
		if (retlen == -1) {
1814
			RS_ERR("H5 Read Sync Response Failed");
1815
			/* retry per 250ms */
1816
			value.it_value.tv_sec = 0;
1817
			value.it_value.tv_usec = 0;
1818
			value.it_interval.tv_sec = 0;
1819
			value.it_interval.tv_usec = 0;
1820
			setitimer(ITIMER_REAL, &value, NULL);
1821
			return -1;
1822
		}
1823
		h5_recv(&rtk_h5, &bytes, retlen);
1824
	}
1825

1826
	/* retry per 250ms */
1827
	value.it_value.tv_sec = 0;
1828
	value.it_value.tv_usec = 0;
1829
	value.it_interval.tv_sec = 0;
1830
	value.it_interval.tv_usec = 0;
1831
	setitimer(ITIMER_REAL, &value, NULL);
1832

1833
	/* h5 config */
1834
	sa.sa_handler = h5_tconf_sig_alarm;
1835
	sigaction(SIGALRM, &sa, NULL);
1836
	h5_tconf_sig_alarm(0);
1837
	while (rtk_h5.link_estab_state == H5_CONFIG) {
1838
		retlen = read_check(fd, &bytes, READ_DATA_SIZE);
1839
		if (retlen == -1) {
1840
			RS_ERR("H5 Read Config Response Failed");
1841
			/* retry per 250ms */
1842
			value.it_value.tv_sec = 0;
1843
			value.it_value.tv_usec = 0;
1844
			value.it_interval.tv_sec = 0;
1845
			value.it_interval.tv_usec = 0;
1846
			setitimer(ITIMER_REAL, &value, NULL);
1847
			return -1;
1848
		}
1849
		h5_recv(&rtk_h5, &bytes, retlen);
1850
	}
1851
	/* retry per 250ms */
1852
	value.it_value.tv_sec = 0;
1853
	value.it_value.tv_usec = 0;
1854
	value.it_interval.tv_sec = 0;
1855
	value.it_interval.tv_usec = 0;
1856
	setitimer(ITIMER_REAL, &value, NULL);
1857

1858
	rtk_send_pure_ack_down(fd);
1859
	RS_DBG("H5 init finished\n");
1860
	return 0;
1861
}
1862

1863
/**
1864
* Download realtek firmware and config file from uart with the proto.
1865
* Parse the content to serval packets follow the proto and then write the packets from uart
1866
*
1867
* @param fd uart file descriptor
1868
* @param buf addr where stor the content of firmware and config file
1869
* @param filesize length of buf
1870
* @param is_sent_changerate if baudrate need to be changed
1871
* @param proto realtek Bluetooth protocol, shall be either HCI_UART_H4 or HCI_UART_3WIRE
1872
*
1873
*/
1874
static void rtk_download_fw_config(int fd, uint8_t *buf, size_t filesize, int is_sent_changerate, int proto, struct termios *ti)
1875
{
1876
	uint8_t iCurIndex = 0;
1877
	uint8_t iCurLen = 0;
1878
	uint8_t iEndIndex = 0;
1879
	uint8_t iLastPacketLen = 0;
1880
	uint8_t iAdditionPkt = 0;
1881
	uint8_t iTotalIndex = 0;
1882
	uint8_t iCmdSentNum = 0;   /* the number of CMDs which have been sent */
1883
	uint8_t *bufpatch;
1884

1885
	iEndIndex = (uint8_t)((filesize-1)/PATCH_DATA_FIELD_MAX_SIZE);
1886
	iLastPacketLen = (filesize)%PATCH_DATA_FIELD_MAX_SIZE;
1887

1888
	if (is_sent_changerate)
1889
		iCmdSentNum++;
1890
	if (gRom_version_cmd_state >= cmd_has_sent)
1891
		iCmdSentNum++;
1892
	if (ghci_version_cmd_state >= cmd_has_sent)
1893
		iCmdSentNum++;
1894
	if (gchip_type_cmd_state   >= cmd_has_sent)
1895
		iCmdSentNum++;
1896

1897
	iAdditionPkt = (iEndIndex+1+iCmdSentNum)%8?(8-(iEndIndex+1+iCmdSentNum)%8):0;
1898
	iTotalIndex = iAdditionPkt + iEndIndex;
1899
	rtk_patch.nTotal = iTotalIndex; /* init TotalIndex */
1900

1901
	RS_DBG("iEndIndex:%d  iLastPacketLen:%d iAdditionpkt:%d\n", iEndIndex, iLastPacketLen, iAdditionPkt);
1902

1903
	if (iLastPacketLen == 0)
1904
		iLastPacketLen = PATCH_DATA_FIELD_MAX_SIZE;
1905

1906
	bufpatch = buf;
1907

1908
	int i;
1909
	for (i = 0; i <= iTotalIndex; i++) {
1910
		if (iCurIndex < iEndIndex) {
1911
			iCurIndex = iCurIndex&0x7F;
1912
			iCurLen = PATCH_DATA_FIELD_MAX_SIZE;
1913
		} else if (iCurIndex == iEndIndex) { /* send last data packet */
1914
			if (iCurIndex == iTotalIndex)
1915
				iCurIndex = iCurIndex | 0x80;
1916
			else
1917
				iCurIndex = iCurIndex&0x7F;
1918
			iCurLen = iLastPacketLen;
1919
		} else if (iCurIndex < iTotalIndex) {
1920
			iCurIndex = iCurIndex&0x7F;
1921
			bufpatch = NULL;
1922
			iCurLen = 0;
1923
		} else {                             /* send end packet */
1924
			bufpatch = NULL;
1925
			iCurLen = 0;
1926
			iCurIndex = iCurIndex|0x80;
1927
		}
1928

1929
		if (iCurIndex & 0x80)
1930
			RS_DBG("Send FW last command");
1931

1932
		if (proto == HCI_UART_H4) {
1933
			iCurIndex = hci_download_patch_h4(fd, iCurIndex, bufpatch, iCurLen);
1934
			if ((iCurIndex != i) && (i != rtk_patch.nTotal)) {
1935
				/* check index but ignore last pkt */
1936
				RS_DBG("index mismatch i:%d iCurIndex:%d, patch fail\n", i, iCurIndex);
1937
				return;
1938
			}
1939
		} else if (proto == HCI_UART_3WIRE)
1940
			hci_download_patch(fd, iCurIndex, bufpatch, iCurLen, ti);
1941

1942
		if (iCurIndex < iEndIndex) {
1943
			bufpatch += PATCH_DATA_FIELD_MAX_SIZE;
1944
		}
1945
		iCurIndex++;
1946
	}
1947

1948
	/* set last ack packet down */
1949
	if (proto == HCI_UART_3WIRE) {
1950
		rtk_send_pure_ack_down(fd);
1951
	}
1952
}
1953

1954
/**
1955
* Get realtek Bluetooth firmaware file. The content will be saved in *fw_buf which is malloc here.
1956
* The length malloc here will be lager than length of firmware file if there is a config file.
1957
* The content of config file will copy to the tail of *fw_buf in rtk_config.
1958
*
1959
* @param fw_buf point to the addr where stored the content of firmware.
1960
* @param addi_len length of config file.
1961
* @return length of *fw_buf.
1962
*
1963
*/
1964
static int rtk_get_bt_firmware(uint8_t **fw_buf, size_t addi_len, patch_info *info)
1965
{
1966
	char filename[PATH_MAX] = {0};
1967
	struct stat st;
1968
	int fd = -1;
1969
	size_t fwsize, buf_size;
1970

1971
	if (info != NULL) {
1972
		 sprintf(filename, "%s/%s", FIRMWARE_DIRECTORY, info->patch_name);
1973
	} else {
1974
		 sprintf(filename, "%s/%s", FIRMWARE_DIRECTORY, "rtlbt_fw");
1975
	}
1976

1977
	RS_DBG("Final bt firmware file: %s", filename);
1978

1979
	if (stat(filename, &st) < 0) {
1980
		RS_ERR("Can't access firmware, errno:%d", errno);
1981
		return -1;
1982
	}
1983

1984
	fwsize = st.st_size;
1985
	buf_size = fwsize + addi_len;
1986

1987
	fd = open(filename, O_RDONLY);
1988
	if (fd < 0) {
1989
		RS_ERR("Can't open firmware, errno:%d", errno);
1990
		return -1;
1991
	}
1992

1993
	*fw_buf = malloc(buf_size);
1994
	if (!(*fw_buf)) {
1995
		RS_ERR("Can't alloc memory for fw&config, errno:%d", errno);
1996
		close(fd);
1997
		return -1;
1998
	}
1999

2000
	if (read(fd, *fw_buf, fwsize) < (ssize_t) fwsize) {
2001
		free(*fw_buf);
2002
		*fw_buf = NULL;
2003
		close(fd);
2004
		return -1;
2005
	}
2006
	RS_DBG("Load FW OK");
2007
	close(fd);
2008
	return buf_size;
2009
}
2010

2011
/* These two function(rtk<-->uart speed transfer) need check Host uart speed at first!!!! IMPORTANT
2012
 * add more speed if neccessary */
2013
typedef struct _baudrate_ex {
2014
	uint32_t rtk_speed;
2015
	int uart_speed;
2016
} baudrate_ex;
2017

2018
#ifdef BAUDRATE_4BYTES
2019
static baudrate_ex baudrates[] = {
2020
	{0x00006004, 921600},
2021
	{0x05F75004, 921600},   // RTL8723BS
2022
	{0x00004003, 1500000},
2023
	{0x04928002, 1500000},  // RTL8723BS
2024
	{0x00005002, 2000000},  // same as RTL8723AS
2025
	{0x00008001, 3000000},
2026
	{0x00009001, 3000000},  // Lory add new, t169 and t9e use 0x00009001.
2027
	{0x06DD8001, 3000000},  // RTL8723BS, Baudrate: 2920000
2028
	{0x036D8001, 3000000},  // RTL8723BS, Baudrate: 2929999
2029
	{0x06B58001, 3000000},  // RTL8723BS, Baudrate: 2940000
2030
	{0x02B58001, 3000000},  // RTL8723BS, Baudrate: 2945000
2031
	{0x02D58001, 3000000},  // RTL8723BS, Baudrate: 2950000
2032
	{0x05558001, 3000000},  // RTL8723BS, Baudrate: 2960000
2033
	{0x02AA8001, 3000000},  // RTL8723BS, Baudrate: 2969999
2034
	{0x052A8001, 3000000},  // RTL8723BS, Baudrate: 2980000
2035
	{0x04928001, 3000000},  // RTL8723BS, Baudrate: 2998000
2036
	{0x00007001, 3500000},
2037
	{0x052A6001, 3500000},  // RTL8723BS
2038
	{0x00005001, 4000000},  // same as RTL8723AS
2039
	{0x05AD9005, 547000},
2040
	{0x0252C00A, 230400},
2041
	{0x0000701d, 115200},
2042
	{0x0252C002, 115200},   // RTL8723BS
2043
	{0x0252C014, 115200}    // RTL8723BS
2044
};
2045

2046
#else
2047
static baudrate_ex baudrates[] = {
2048
	{0x7001, 3500000},
2049
	{0x6004, 921600},
2050
	{0x4003, 1500000},
2051
	{0x5001, 4000000},
2052
	{0x5002, 2000000},
2053
	{0x8001, 3000000},
2054
	{0x9001, 3000000},
2055
	{0x701d, 115200}
2056
};
2057

2058
#endif
2059

2060

2061
/**
2062
* Change realtek Bluetooth speed to uart speed. It is matching in the struct baudrates:
2063
*
2064
* @code
2065
* baudrate_ex baudrates[] =
2066
* {
2067
*  	{0x7001, 3500000},
2068
*	{0x6004, 921600},
2069
*	{0x4003, 1500000},
2070
*	{0x5001, 4000000},
2071
*	{0x5002, 2000000},
2072
*	{0x8001, 3000000},
2073
*	{0x701d, 115200}
2074
* };
2075
* @endcode
2076
*
2077
* If there is no match in baudrates, uart speed will be set as #115200.
2078
*
2079
* @param rtk_speed realtek Bluetooth speed
2080
* @param uart_speed uart speed
2081
*
2082
*/
2083
static void rtk_speed_to_uart_speed(uint32_t rtk_speed, uint32_t *uart_speed)
2084
{
2085
	*uart_speed = 115200;
2086

2087
	 int i;
2088
	for (i = 0; i < sizeof(baudrates)/sizeof(baudrate_ex); i++) {
2089
		if (baudrates[i].rtk_speed == le32_to_cpu(rtk_speed)) {
2090
			*uart_speed = baudrates[i].uart_speed;
2091
			return;
2092
		}
2093
	}
2094
	return;
2095
}
2096

2097
/**
2098
* Change uart speed to realtek Bluetooth speed. It is matching in the struct baudrates:
2099
*
2100
* @code
2101
* baudrate_ex baudrates[] =
2102
* {
2103
*  	{0x7001, 3500000},
2104
*	{0x6004, 921600},
2105
*	{0x4003, 1500000},
2106
*	{0x5001, 4000000},
2107
*	{0x5002, 2000000},
2108
*	{0x8001, 3000000},
2109
*	{0x701d, 115200}
2110
* };
2111
* @endcode
2112
*
2113
* If there is no match in baudrates, realtek Bluetooth speed will be set as #0x701D.
2114
*
2115
* @param uart_speed uart speed
2116
* @param rtk_speed realtek Bluetooth speed
2117
*
2118
*/
2119
static inline void uart_speed_to_rtk_speed(int uart_speed, uint32_t *rtk_speed)
2120
{
2121
	*rtk_speed = 0x701D;
2122

2123
	int i;
2124
	for (i = 0; i < sizeof(baudrates) / sizeof(baudrate_ex); i++) {
2125
		if (baudrates[i].uart_speed == uart_speed) {
2126
			*rtk_speed = baudrates[i].rtk_speed;
2127
			return;
2128
		}
2129
	}
2130

2131
	return;
2132
}
2133

2134
static void rtk_get_eversion_timeout(int sig)
2135
{
2136
	static int retries;
2137
	RS_DBG("RTK get HCI_VENDOR_READ_RTK_ROM_VERISION_Command\n");
2138
	if (retries < h5_max_retries) {
2139
		RS_DBG("patch timerout, retry:\n");
2140
		if (rtk_h5.host_last_cmd) {
2141
			write(serial_fd, rtk_h5.host_last_cmd->data, rtk_h5.host_last_cmd->data_len);
2142
			RS_DBG("3-wire download patch re send:%d", retries);
2143
		}
2144
		retries++;
2145
		alarm(3);
2146
		return;
2147
	}
2148
	tcflush(serial_fd, TCIOFLUSH);
2149
	RS_ERR("rtk get eversion cmd complete event timed out\n");
2150
	exit(1);
2151
}
2152

2153
/**
2154
* Send vendor cmd to get eversion: 0xfc6d
2155
* If Rom code does not support this cmd, use default.
2156
*/
2157
static void rtk_get_eversion(int dd)
2158
{
2159
	char bytes[READ_DATA_SIZE];
2160
	int retlen;
2161
	struct sigaction sa;
2162
	/* send HCI_VENDOR_READ_RTK_ROM_VERISION Command */
2163
	uint8_t read_rom_patch_cmd[3] = {0x6d, 0xfc, 0x00};
2164
	struct  sk_buff *nskb = h5_prepare_pkt(&rtk_h5, read_rom_patch_cmd, 3, HCI_COMMAND_PKT); /* data: len+head: 4 */
2165

2166
	if (rtk_h5.host_last_cmd) {
2167
		skb_free(rtk_h5.host_last_cmd);
2168
		rtk_h5.host_last_cmd = NULL;
2169
	}
2170

2171
	rtk_h5.host_last_cmd = nskb;
2172

2173
	write(dd, nskb->data, nskb->data_len);
2174
	gRom_version_cmd_state = cmd_has_sent;
2175
	RS_DBG("RTK send HCI_VENDOR_READ_RTK_ROM_VERISION_Command\n");
2176

2177
	alarm(0);
2178
	memset(&sa, 0, sizeof(sa));
2179
	sa.sa_flags = SA_NOCLDSTOP;
2180
	sa.sa_handler = rtk_get_eversion_timeout;
2181
	sigaction(SIGALRM, &sa, NULL);
2182

2183
	alarm(3);
2184
	while (gRom_version_cmd_state != event_received) {
2185
		retlen = read_check(dd, &bytes, READ_DATA_SIZE);
2186
		if (retlen == -1) {
2187
			perror("read fail");
2188
			return;
2189
		}
2190
		h5_recv(&rtk_h5, &bytes, retlen);
2191
	}
2192
	alarm(0);
2193
	return;
2194
}
2195

2196
static void rtk_get_lmp_version_timeout(int sig)
2197
{
2198
	static int retries;
2199
	RS_DBG("RTK get HCI_VENDOR_READ_RTK_LMP_VERISION_Command\n");
2200
	if (retries < h5_max_retries) {
2201
		RS_DBG("patch timerout, retry:\n");
2202
		if (rtk_h5.host_last_cmd) {
2203
			write(serial_fd, rtk_h5.host_last_cmd->data, rtk_h5.host_last_cmd->data_len);
2204
			RS_DBG("3-wire download patch re send:%d", retries);
2205
		}
2206
		retries++;
2207
		alarm(3);
2208
		return;
2209
	}
2210
	tcflush(serial_fd, TCIOFLUSH);
2211
	RS_ERR("rtk get lmp version cmd complete event timed out\n");
2212
	exit(1);
2213
}
2214

2215
static void rtk_get_lmp_version(int dd)
2216
{
2217
	char bytes[READ_DATA_SIZE];
2218
	int retlen;
2219
	struct sigaction sa;
2220
	/* send HCI_VENDOR_READ_RTK_ROM_VERISION_Command */
2221
	uint8_t read_rom_patch_cmd[3] = {0x01, 0x10, 00};
2222
	struct  sk_buff *nskb = h5_prepare_pkt(&rtk_h5, read_rom_patch_cmd, 3, HCI_COMMAND_PKT); /* data: len+head: 4 */
2223

2224
	if (rtk_h5.host_last_cmd) {
2225
		skb_free(rtk_h5.host_last_cmd);
2226
		rtk_h5.host_last_cmd = NULL;
2227
	}
2228

2229
	rtk_h5.host_last_cmd = nskb;
2230

2231
	write(dd, nskb->data, nskb->data_len);
2232
	ghci_version_cmd_state = cmd_has_sent;
2233
	RS_DBG("RTK send HCI_VENDOR_READ_RTK_ROM_VERISION_Command\n");
2234

2235
	alarm(0);
2236
	memset(&sa, 0, sizeof(sa));
2237
	sa.sa_flags = SA_NOCLDSTOP;
2238
	sa.sa_handler = rtk_get_lmp_version_timeout;
2239
	sigaction(SIGALRM, &sa, NULL);
2240

2241
	alarm(3);
2242
	while (ghci_version_cmd_state != event_received) {
2243
		retlen = read_check(dd, &bytes, READ_DATA_SIZE);
2244
		if (retlen == -1) {
2245
			perror("read fail");
2246
			return;
2247
		}
2248
		h5_recv(&rtk_h5, &bytes, retlen);
2249
	}
2250
	alarm(0);
2251
	return;
2252
}
2253

2254
static void rtk_get_chip_type(int dd)
2255
{
2256
	char bytes[READ_DATA_SIZE];
2257
	int retlen;
2258
	struct sigaction sa;
2259
	uint8_t read_rom_patch_cmd[8] = {0x61, 0xfc, 0x05, 0x00, 0x94, 0xa0, 0x00, 0xb0};
2260
	struct  sk_buff *nskb = h5_prepare_pkt(&rtk_h5, read_rom_patch_cmd, 8, HCI_COMMAND_PKT); /* data: len+head: 4 */
2261

2262
	if (rtk_h5.host_last_cmd) {
2263
		skb_free(rtk_h5.host_last_cmd);
2264
		rtk_h5.host_last_cmd = NULL;
2265
	}
2266

2267
	rtk_h5.host_last_cmd = nskb;
2268

2269
	write(dd, nskb->data, nskb->data_len);
2270
	gchip_type_cmd_state = cmd_has_sent;
2271
	RS_DBG("RTK send HCI_VENDOR_READ_CHIP_TYPE Command");
2272

2273
	alarm(0);
2274
	memset(&sa, 0, sizeof(sa));
2275
	sa.sa_flags = SA_NOCLDSTOP;
2276
	sa.sa_handler = rtk_get_lmp_version_timeout;
2277
	sigaction(SIGALRM, &sa, NULL);
2278

2279
	alarm(3);
2280
	while (gchip_type_cmd_state != event_received) {
2281
		retlen = read_check(dd, &bytes, READ_DATA_SIZE);
2282
		if (retlen == -1) {
2283
			perror("read fail");
2284
			return;
2285
		}
2286
		h5_recv(&rtk_h5, &bytes, retlen);
2287
	}
2288
	alarm(0);
2289
	return;
2290
}
2291

2292
static int check_match_state(bt_hw_cfg_cb_t *cfg, uint32_t mask)
2293
{
2294
	patch_info *patch_entry;
2295
	int res = 0;
2296

2297
	for (patch_entry = patch_table; patch_entry->lmp_subversion != LMP_SUBVERSION_NONE; patch_entry++) {
2298
		if (patch_entry->lmp_subversion != cfg->lmp_subversion)
2299
			continue;
2300
		if ((patch_entry->hci_version_mask != HCI_VERSION_MASK_ALL) && ((patch_entry->hci_version_mask & (1 << cfg->hci_version)) == 0))
2301
			 continue;
2302
		if ((patch_entry->hci_revision_mask != HCI_REVISION_MASK_ALL) && ((patch_entry->hci_revision_mask & (1 << cfg->hci_revision)) == 0))
2303
			 continue;
2304
		if ((mask & PATCH_OPTIONAL_MATCH_FLAG_CHIPTYPE) && (patch_entry->chip_type_mask != CHIP_TYPE_MASK_ALL) && ((patch_entry->chip_type_mask & (1 << cfg->chip_type)) == 0))
2305
			 continue;
2306
		res++;
2307
	}
2308
	RS_DBG("check_match_state return %d(cfg->lmp_subversion:0x%x cfg->hci_vesion:0x%x cfg->hci_revision:0x%x cfg->chip_type:0x%x mask:%08x)",
2309
			res, cfg->lmp_subversion, cfg->hci_version, cfg->hci_revision, cfg->chip_type, mask);
2310
	return res;
2311
}
2312

2313
static patch_info *get_patch_entry(bt_hw_cfg_cb_t *cfg)
2314
{
2315
	patch_info *patch_entry;
2316

2317
	RS_DBG("get_patch_entry(lmp_subversion:0x%x hci_vesion:0x%x cfg->hci_revision:0x%x chip_type:0x%x)",
2318
			cfg->lmp_subversion, cfg->hci_version, cfg->hci_revision, cfg->chip_type);
2319
	for (patch_entry = patch_table; patch_entry->lmp_subversion != LMP_SUBVERSION_NONE; patch_entry++) {
2320
		if (patch_entry->lmp_subversion != cfg->lmp_subversion)
2321
			continue;
2322
		if ((patch_entry->hci_version_mask != HCI_VERSION_MASK_ALL) && ((patch_entry->hci_version_mask & (1 << cfg->hci_version)) == 0))
2323
			 continue;
2324
		if ((patch_entry->hci_revision_mask != HCI_REVISION_MASK_ALL) && ((patch_entry->hci_revision_mask & (1<<cfg->hci_revision)) == 0))
2325
			 continue;
2326
		if ((patch_entry->chip_type_mask != CHIP_TYPE_MASK_ALL) && ((patch_entry->chip_type_mask & (1<<cfg->chip_type)) == 0))
2327
			 continue;
2328
		break;
2329
	}
2330
	RS_DBG("get_patch_entry return(patch_name:%s config_name:%s mac_offset:0x%x)",
2331
			patch_entry->patch_name, patch_entry->config_name, patch_entry->mac_offset);
2332
	return patch_entry;
2333
}
2334

2335
/**
2336
* Config realtek Bluetooth. The configuration parameter is get from config file and fw.
2337
*
2338
* @warning maybe only one of config file and fw file exists. The bt_addr arg is stored in "/data/btmac.txt"
2339
* or "/data/misc/bluetoothd/bt_mac/btmac.txt",
2340
*
2341
* @param fd uart file descriptor
2342
* @param proto realtek Bluetooth protocol, shall be either HCI_UART_H4 or HCI_UART_3WIRE
2343
* @param speed init_speed in uart struct
2344
* @param ti termios struct
2345
* @returns #0 on success
2346
*/
2347
static int rtk_config(int fd, int proto, int speed, struct termios *ti)
2348
{
2349
	int config_len = -1, buf_len = -1, final_speed = 0;
2350
	uint8_t *config_file_buf = NULL;
2351
	uint8_t *buf = NULL;
2352
	uint32_t baudrate = 0;
2353

2354
	uint8_t *epatch_buf = NULL;
2355
	struct rtk_epatch *epatch_info = NULL;
2356
	struct rtk_epatch_entry current_entry;
2357
	uint8_t need_download_fw = 1;
2358
	patch_info *prtk_patch_file_info = NULL;
2359

2360
	current_entry.start_offset = 0;
2361
	current_entry.patch_length = 0;
2362
	current_entry.chipID       = 0;
2363

2364
	/*
2365
	* 1. if both config file and fw exists, use it and change rate according to config file
2366
	* 2. if config file not exists while fw does, not change baudrate and only download fw
2367
	* 3. if fw doesnot exist, only change rate to 3.25M or from config file if it exist. This case is only for early debug before any efuse is setting.
2368
	*/
2369

2370
	/* Get version from ROM */
2371
	rtk_get_lmp_version(fd);
2372
	if (check_match_state(&hw_cfg_cb, 0) > 1) {
2373
		rtk_get_chip_type(fd);
2374
		RS_DBG("lmp_subversion = 0x%x, hci_version = 0x%x, hci_revision = 0x%x, chip_type = 0x%x",
2375
				hw_cfg_cb.lmp_subversion, hw_cfg_cb.hci_version, hw_cfg_cb.hci_revision, hw_cfg_cb.chip_type);
2376
	}
2377

2378
	prtk_patch_file_info = get_patch_entry(&hw_cfg_cb);
2379

2380
	if (prtk_patch_file_info == NULL) {
2381
		RS_ERR("lmp_version is %x, no matched project found!", hw_cfg_cb.lmp_subversion);
2382
		need_download_fw = 0;
2383
		goto FETCH_DONE;
2384
	}
2385

2386
	config_len = rtk_get_bt_config(&config_file_buf, &baudrate, prtk_patch_file_info);
2387
	if (config_len < 0) {
2388
		RS_ERR("Get Config file error, just use efuse settings");
2389
		config_len = 0;
2390
	}
2391

2392
	buf_len = rtk_get_bt_firmware(&epatch_buf, config_len, prtk_patch_file_info);
2393
	if (buf_len < 0) {
2394
		RS_ERR("Get BT firmware error, continue without bt firmware");
2395
		goto FETCH_DONE;
2396
	}
2397

2398
	if (hw_cfg_cb.lmp_subversion == ROM_LMP_8723a) {
2399
		if (memcmp(epatch_buf, RTK_EPATCH_SIGNATURE, 8) == 0) {
2400
			RS_ERR("8723as Check signature error!");
2401
			need_download_fw = 0;
2402
			goto FETCH_DONE;
2403
		}
2404

2405
		buf = malloc(buf_len);
2406
		if (!buf) {
2407
			RS_ERR("Can't alloc memory for fw&config, errno:%d", errno);
2408
			buf_len = -1;
2409
			goto FETCH_DONE;
2410
		}
2411

2412
		RS_DBG("8723as, fw copy direct");
2413
		memcpy(buf, epatch_buf, buf_len);
2414
	} else {
2415
		/* Get version from ROM */
2416
		rtk_get_eversion(fd);  /* gEVersion is set. */
2417
		RS_DBG("gEVersion=%d", gEVersion);
2418
		/* check Extension Section Field */
2419
		if (memcmp(epatch_buf + buf_len - config_len - 4, Extension_Section_SIGNATURE, 4) != 0) {
2420
			RS_ERR("Check Extension_Section_SIGNATURE error! do not download fw");
2421
			need_download_fw = 0;
2422
			goto FETCH_DONE;
2423
		}
2424

2425
		if (memcmp(epatch_buf, RTK_EPATCH_SIGNATURE, 8) != 0) {
2426
			RS_DBG("Check signature error!");
2427
			need_download_fw = 0;
2428
			goto FETCH_DONE;
2429
		}
2430

2431
		int i = 0;
2432
    	uint32_t value_t = 0;
2433
		epatch_info = (struct rtk_epatch *)epatch_buf;
2434
		value_t = le32_to_cpu(epatch_info->fm_version);
2435
		epatch_info->fm_version = (uint32_t)value_t;
2436
		value_t = le16_to_cpu(epatch_info->number_of_total_patch);
2437
		epatch_info->number_of_total_patch = (uint16_t)value_t;
2438
		RS_DBG("fm_version = 0x%x", epatch_info->fm_version);
2439
		RS_DBG("number_of_total_patch = %d", epatch_info->number_of_total_patch);
2440
		/* get right epatch entry */
2441
		for (i = 0; i < epatch_info->number_of_total_patch; i++) {
2442
			if (le16_to_cpu(*(uint16_t *)(epatch_buf + 14 + 2 * i)) == gEVersion + 1) {
2443
				current_entry.chipID = gEVersion + 1;
2444
				current_entry.patch_length = le16_to_cpu(*(uint16_t *)(epatch_buf + 14 + 2 * epatch_info->number_of_total_patch + 2 * i));
2445
				current_entry.start_offset = le32_to_cpu(*(uint32_t *)(epatch_buf + 14 + 4 * epatch_info->number_of_total_patch + 4 * i));
2446
				break;
2447
			}
2448
		}
2449
		RS_DBG("chipID = %d", current_entry.chipID);
2450
		RS_DBG("patch_length = 0x%x", current_entry.patch_length);
2451
		RS_DBG("start_offset = 0x%x", current_entry.start_offset);
2452
		/* get right version patch: buf, buf_len */
2453
		buf_len = current_entry.patch_length + config_len;
2454
		RS_DBG("buf_len = 0x%x", buf_len);
2455
		buf = malloc(buf_len);
2456
		if (!buf) {
2457
			RS_ERR("Can't alloc memory for multi fw&config, errno:%d", errno);
2458
			buf_len = -1;
2459
			goto FETCH_DONE;
2460
		}
2461
		memcpy(buf, &epatch_buf[current_entry.start_offset], current_entry.patch_length);
2462
		value_t = cpu_to_le32(epatch_info->fm_version);
2463
		epatch_info->fm_version = (uint32_t)value_t;
2464
		memcpy(&buf[current_entry.patch_length-4], &epatch_info->fm_version, 4);
2465
		value_t = cpu_to_le32(epatch_info->fm_version);
2466
		epatch_info->fm_version = value_t;
2467
	}
2468

2469
	if (config_len) {
2470
		memcpy(&buf[buf_len - config_len], config_file_buf, config_len);
2471
	}
2472

2473
FETCH_DONE:
2474
	free(epatch_buf);
2475
	epatch_buf = NULL;
2476
	if (config_file_buf)
2477
		free(config_file_buf);
2478

2479
	RS_DBG("Fw:%s exists, config file:%s exists", (buf_len > 0) ? "" : "not", (config_len > 0) ? "" : "not");
2480
	if ((buf_len > 0) && (config_len == 0)) {
2481
		rtk_h5.link_estab_state = H5_PATCH;
2482
		goto DOWNLOAD_FW;
2483
	}
2484

2485
	/* change baudrate if needed */
2486
	if (baudrate == 0) {
2487
		uart_speed_to_rtk_speed(speed, &baudrate);
2488
		RS_DBG("Since no config file to set uart baudrate, so use user input parameters:%x, %x", (int)speed, (uint32_t)baudrate);
2489
	} else
2490
		rtk_speed_to_uart_speed(baudrate, (uint32_t *)&gFinalSpeed);
2491

2492
	if (proto == HCI_UART_3WIRE)
2493
		rtk_vendor_change_speed_h5(fd, baudrate);
2494
	else
2495
		rtk_vendor_change_speed_h4(fd, baudrate);
2496

2497
	usleep(50000);
2498
	final_speed = gFinalSpeed ? gFinalSpeed : speed;
2499
	RS_DBG("final_speed %d\n", final_speed);
2500
	if (set_speed(fd, ti, final_speed) < 0) {
2501
		RS_ERR("Can't set baud rate:%x, %x, %x", final_speed, gFinalSpeed, speed);
2502
		return -1;
2503
	}
2504

2505
	if (gHwFlowControlEnable) {
2506
		RS_DBG("Hw Flow Control enable");
2507
		ti->c_cflag |= CRTSCTS;
2508
	} else {
2509
		RS_DBG("Hw Flow Control disable");
2510
		ti->c_cflag &= ~CRTSCTS;
2511
	}
2512
	RS_DBG("Hw Flow Control do not enable before download fw! ");
2513

2514
	/* wait for while for controller to setup */
2515
	usleep(10000);
2516

2517
DOWNLOAD_FW:
2518
	if (buf && (buf_len > 0) && (need_download_fw)) {
2519
		/* baudrate 0 means no change baudrate send */
2520
		memset(&rtk_patch, 0, sizeof(rtk_patch));
2521
		rtk_patch.nRxIndex = -1;
2522

2523
		rtk_download_fw_config(fd, buf, buf_len, baudrate, proto, ti);
2524
		free(buf);
2525
	}
2526
	RS_DBG("Init Process finished");
2527
	return 0;
2528
}
2529

2530
/**
2531
* Init uart by realtek Bluetooth.
2532
*
2533
* @param fd uart file descriptor
2534
* @param proto realtek Bluetooth protocol, shall be either HCI_UART_H4 or HCI_UART_3WIRE
2535
* @param speed init_speed in uart struct
2536
* @param ti termios struct
2537
* @returns #0 on success, depend on rtk_config
2538
*/
2539
int rtk_init(int fd, int proto, int speed, struct termios *ti)
2540
{
2541
	RS_DBG("Realtek hciattach version %s \n", RTK_VERSION);
2542

2543
	if (proto == HCI_UART_3WIRE) { /*h4 will do nothing for init */
2544
		rtk_init_h5(fd, ti);
2545
	}
2546
	return rtk_config(fd, proto, speed, ti);
2547
}
2548

2549
/**
2550
* Post uart by realtek Bluetooth. If gFinalSpeed is set, set uart speed with it.
2551
*
2552
* @param fd uart file descriptor
2553
* @param proto realtek Bluetooth protocol, shall be either HCI_UART_H4 or HCI_UART_3WIRE
2554
* @param ti termios struct
2555
* @returns #0 on success.
2556
*/
2557
int rtk_post(int fd, int proto, struct termios *ti)
2558
{
2559
	if (gFinalSpeed) {
2560
		return set_speed(fd, ti, gFinalSpeed);
2561
	}
2562
	return 0;
2563
}
2564

2565
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.

Product

Resources

Company

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more, all in one place. Commercial Alternative to JupyterHub.

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.
