search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
uru4000: add fwenc search location for UareU4000
[libfprint.git] / libfprint / drivers / uru4000.c
blobbcaa0256823dea3d967eda8ebf196ac4fccef329
1 /*
2 * Digital Persona U.are.U 4000/4000B driver for libfprint
3 * Copyright (C) 2007-2008 Daniel Drake <dsd@gentoo.org>
4 *
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
9 *
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
14 *
15 * You should have received a copy of the GNU Lesser General Public
16 * License along with this library; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
18 */
19
20 #define FP_COMPONENT "uru4000"
21
22 #include <errno.h>
23 #include <string.h>
24 #include <unistd.h>
25
26 #include <openssl/aes.h>
27 #include <libusb.h>
28
29 #include <fp_internal.h>
30
31 #define EP_INTR (1 | LIBUSB_ENDPOINT_IN)
32 #define EP_DATA (2 | LIBUSB_ENDPOINT_IN)
33 #define USB_RQ 0x04
34 #define CTRL_IN (LIBUSB_TYPE_VENDOR | LIBUSB_ENDPOINT_IN)
35 #define CTRL_OUT (LIBUSB_TYPE_VENDOR | LIBUSB_ENDPOINT_OUT)
36 #define CTRL_TIMEOUT 5000
37 #define BULK_TIMEOUT 5000
38 #define DATABLK_RQLEN 0x1b340
39 #define DATABLK_EXPECT 0x1b1c0
40 #define CAPTURE_HDRLEN 64
41 #define IRQ_LENGTH 64
42 #define CR_LENGTH 16
43
44 enum {
45 IRQDATA_SCANPWR_ON = 0x56aa,
46 IRQDATA_FINGER_ON = 0x0101,
47 IRQDATA_FINGER_OFF = 0x0200,
48 IRQDATA_DEATH = 0x0800,
49 };
50
51 enum {
52 REG_HWSTAT = 0x07,
53 REG_MODE = 0x4e,
54 /* firmware starts at 0x100 */
55 REG_RESPONSE = 0x2000,
56 REG_CHALLENGE = 0x2010,
57 };
58
59 enum {
60 MODE_INIT = 0x00,
61 MODE_AWAIT_FINGER_ON = 0x10,
62 MODE_AWAIT_FINGER_OFF = 0x12,
63 MODE_CAPTURE = 0x20,
64 MODE_SHUT_UP = 0x30,
65 MODE_READY = 0x80,
66 };
67
68 enum {
69 MS_KBD,
70 MS_INTELLIMOUSE,
71 MS_STANDALONE,
72 MS_STANDALONE_V2,
73 DP_URU4000,
74 DP_URU4000B,
75 };
76
77 static const struct uru4k_dev_profile {
78 const char *name;
79 gboolean auth_cr;
80 } uru4k_dev_info[] = {
81 [MS_KBD] = {
82 .name = "Microsoft Keyboard with Fingerprint Reader",
83 .auth_cr = FALSE,
84 },
85 [MS_INTELLIMOUSE] = {
86 .name = "Microsoft Wireless IntelliMouse with Fingerprint Reader",
87 .auth_cr = FALSE,
88 },
89 [MS_STANDALONE] = {
90 .name = "Microsoft Fingerprint Reader",
91 .auth_cr = FALSE,
92 },
93 [MS_STANDALONE_V2] = {
94 .name = "Microsoft Fingerprint Reader v2",
95 .auth_cr = TRUE,
96 },
97 [DP_URU4000] = {
98 .name = "Digital Persona U.are.U 4000",
99 .auth_cr = FALSE,
100 },
101 [DP_URU4000B] = {
102 .name = "Digital Persona U.are.U 4000B",
103 .auth_cr = FALSE,
104 },
105 };
106
107 /* As we don't know the encryption scheme, we have to disable encryption
108 * by powering the device down and modifying the firmware. The location of
109 * the encryption control byte changes based on device revision.
110 *
111 * We use a search approach to find it: we look at the 3 bytes of data starting
112 * from these addresses, looking for a pattern "ff X7 41" (where X is dontcare)
113 * When we find a pattern we know that the encryption byte ius the X7 byte.
114 */
115 static const uint16_t fwenc_offsets[] = {
116 0x510, 0x62d, 0x792, 0x7f4,
117 };
118
119 typedef void (*irq_cb_fn)(struct fp_img_dev *dev, int status, uint16_t type,
120 void *user_data);
121 typedef void (*irqs_stopped_cb_fn)(struct fp_img_dev *dev);
122
123 struct uru4k_dev {
124 const struct uru4k_dev_profile *profile;
125 uint8_t interface;
126 enum fp_imgdev_state activate_state;
127 unsigned char last_reg_rd;
128 unsigned char last_hwstat;
129
130 struct libusb_transfer *irq_transfer;
131 struct libusb_transfer *img_transfer;
132
133 irq_cb_fn irq_cb;
134 void *irq_cb_data;
135 irqs_stopped_cb_fn irqs_stopped_cb;
136
137 int rebootpwr_ctr;
138 int powerup_ctr;
139 unsigned char powerup_hwstat;
140
141 int scanpwr_irq_timeouts;
142 struct fpi_timeout *scanpwr_irq_timeout;
143
144 int fwfixer_offset;
145 unsigned char fwfixer_value;
146
147 AES_KEY aeskey;
148 };
149
150 /* For 2nd generation MS devices */
151 static const unsigned char crkey[] = {
152 0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
153 0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b,
154 };
155
156 /***** REGISTER I/O *****/
157
158 typedef void (*write_regs_cb_fn)(struct fp_img_dev *dev, int status,
159 void *user_data);
160
161 struct write_regs_data {
162 struct fp_img_dev *dev;
163 write_regs_cb_fn callback;
164 void *user_data;
165 };
166
167 static void write_regs_cb(struct libusb_transfer *transfer)
168 {
169 struct write_regs_data *wrdata = transfer->user_data;
170 struct libusb_control_setup *setup =
171 libusb_control_transfer_get_setup(transfer);
172 int r = 0;
173
174 if (transfer->status != LIBUSB_TRANSFER_COMPLETED)
175 r = -EIO;
176 else if (transfer->actual_length != setup->wLength)
177 r = -EPROTO;
178
179 g_free(transfer->buffer);
180 libusb_free_transfer(transfer);
181 wrdata->callback(wrdata->dev, r, wrdata->user_data);
182 g_free(wrdata);
183 }
184
185 static int write_regs(struct fp_img_dev *dev, uint16_t first_reg,
186 uint16_t num_regs, unsigned char *values, write_regs_cb_fn callback,
187 void *user_data)
188 {
189 struct write_regs_data *wrdata;
190 struct libusb_transfer *transfer = libusb_alloc_transfer();
191 unsigned char *data;
192 int r;
193
194 if (!transfer)
195 return -ENOMEM;
196
197 wrdata = g_malloc(sizeof(*wrdata));
198 wrdata->dev = dev;
199 wrdata->callback = callback;
200 wrdata->user_data = user_data;
201
202 data = g_malloc(LIBUSB_CONTROL_SETUP_SIZE + num_regs);
203 memcpy(data + LIBUSB_CONTROL_SETUP_SIZE, values, num_regs);
204 libusb_fill_control_setup(data, CTRL_OUT, USB_RQ, first_reg, 0, num_regs);
205 libusb_fill_control_transfer(transfer, dev->udev, data, write_regs_cb,
206 wrdata, CTRL_TIMEOUT);
207
208 r = libusb_submit_transfer(transfer);
209 if (r < 0) {
210 g_free(wrdata);
211 g_free(data);
212 libusb_free_transfer(transfer);
213 }
214 return r;
215 }
216
217 static int write_reg(struct fp_img_dev *dev, uint16_t reg,
218 unsigned char value, write_regs_cb_fn callback, void *user_data)
219 {
220 return write_regs(dev, reg, 1, &value, callback, user_data);
221 }
222
223 typedef void (*read_regs_cb_fn)(struct fp_img_dev *dev, int status,
224 unsigned char *data, void *user_data);
225
226 struct read_regs_data {
227 struct fp_img_dev *dev;
228 read_regs_cb_fn callback;
229 void *user_data;
230 };
231
232 static void read_regs_cb(struct libusb_transfer *transfer)
233 {
234 struct read_regs_data *rrdata = transfer->user_data;
235 struct libusb_control_setup *setup =
236 libusb_control_transfer_get_setup(transfer);
237 unsigned char *data = NULL;
238 int r = 0;
239
240 if (transfer->status != LIBUSB_TRANSFER_COMPLETED)
241 r = -EIO;
242 else if (transfer->actual_length != setup->wLength)
243 r = -EPROTO;
244 else
245 data = libusb_control_transfer_get_data(transfer);
246
247 rrdata->callback(rrdata->dev, r, data, rrdata->user_data);
248 g_free(rrdata);
249 g_free(transfer->buffer);
250 libusb_free_transfer(transfer);
251 }
252
253 static int read_regs(struct fp_img_dev *dev, uint16_t first_reg,
254 uint16_t num_regs, read_regs_cb_fn callback, void *user_data)
255 {
256 struct read_regs_data *rrdata;
257 struct libusb_transfer *transfer = libusb_alloc_transfer();
258 unsigned char *data;
259 int r;
260
261 if (!transfer)
262 return -ENOMEM;
263
264 rrdata = g_malloc(sizeof(*rrdata));
265 rrdata->dev = dev;
266 rrdata->callback = callback;
267 rrdata->user_data = user_data;
268
269 data = g_malloc(LIBUSB_CONTROL_SETUP_SIZE + num_regs);
270 libusb_fill_control_setup(data, CTRL_IN, USB_RQ, first_reg, 0, num_regs);
271 libusb_fill_control_transfer(transfer, dev->udev, data, read_regs_cb,
272 rrdata, CTRL_TIMEOUT);
273
274 r = libusb_submit_transfer(transfer);
275 if (r < 0) {
276 g_free(rrdata);
277 g_free(data);
278 libusb_free_transfer(transfer);
279 }
280 return r;
281 }
282
283 static int read_reg(struct fp_img_dev *dev, uint16_t reg,
284 read_regs_cb_fn callback, void *user_data)
285 {
286 return read_regs(dev, reg, 1, callback, user_data);
287 }
288
289 /*
290 * HWSTAT
291 *
292 * This register has caused me a lot of headaches. It pretty much defines
293 * code flow, and if you don't get it right, the pretty lights don't come on.
294 * I think the situation is somewhat complicated by the fact that writing it
295 * doesn't affect the read results in the way you'd expect -- but then again
296 * it does have some obvious effects. Here's what we know
297 *
298 * BIT 7: LOW POWER MODE
299 * When this bit is set, the device is partially turned off or something. Some
300 * things, like firmware upload, need to be done in this state. But generally
301 * we want to clear this bit during late initialization, which can sometimes
302 * be tricky.
303 *
304 * BIT 2: SOMETHING WENT WRONG
305 * Not sure about this, but see the init function, as when we detect it,
306 * we reboot the device. Well, we mess with hwstat until this evil bit gets
307 * cleared.
308 *
309 * BIT 1: IRQ PENDING
310 * Just had a brainwave. This bit is set when the device is trying to deliver
311 * and interrupt to the host. Maybe?
312 */
313
314 static void response_cb(struct fp_img_dev *dev, int status, void *user_data)
315 {
316 struct fpi_ssm *ssm = user_data;
317 if (status == 0)
318 fpi_ssm_next_state(ssm);
319 else
320 fpi_ssm_mark_aborted(ssm, status);
321 }
322
323 static void challenge_cb(struct fp_img_dev *dev, int status,
324 unsigned char *data, void *user_data)
325 {
326 struct fpi_ssm *ssm = user_data;
327 struct uru4k_dev *urudev = dev->priv;
328 unsigned char *respdata;
329 int r;
330
331 if (status != 0) {
332 fpi_ssm_mark_aborted(ssm, status);
333 return;
334 }
335
336 /* submit response */
337 /* produce response from challenge */
338 /* FIXME would this work in-place? */
339 respdata = g_malloc(CR_LENGTH);
340 AES_encrypt(data, respdata, &urudev->aeskey);
341
342 r = write_regs(dev, REG_RESPONSE, CR_LENGTH, respdata, response_cb, ssm);
343 g_free(respdata);
344 if (r < 0)
345 fpi_ssm_mark_aborted(ssm, r);
346 }
347
348 /*
349 * 2nd generation MS devices added an AES-based challenge/response
350 * authentication scheme, where the device challenges the authenticity of the
351 * driver.
352 */
353 static void sm_do_challenge_response(struct fpi_ssm *ssm)
354 {
355 struct fp_img_dev *dev = ssm->priv;
356 int r;
357
358 fp_dbg("");
359 r = read_regs(dev, REG_CHALLENGE, CR_LENGTH, challenge_cb, ssm);
360 if (r < 0)
361 fpi_ssm_mark_aborted(ssm, r);
362 }
363
364 /***** INTERRUPT HANDLING *****/
365
366 #define IRQ_HANDLER_IS_RUNNING(urudev) ((urudev)->irq_transfer)
367
368 static int start_irq_handler(struct fp_img_dev *dev);
369
370 static void irq_handler(struct libusb_transfer *transfer)
371 {
372 struct fp_img_dev *dev = transfer->user_data;
373 struct uru4k_dev *urudev = dev->priv;
374 unsigned char *data = transfer->buffer;
375 uint16_t type;
376 int r = 0;
377
378 if (transfer->status == LIBUSB_TRANSFER_CANCELLED) {
379 fp_dbg("cancelled");
380 if (urudev->irqs_stopped_cb)
381 urudev->irqs_stopped_cb(dev);
382 urudev->irqs_stopped_cb = NULL;
383 goto out;
384 } else if (transfer->status != LIBUSB_TRANSFER_COMPLETED) {
385 r = -EIO;
386 goto err;
387 } else if (transfer->actual_length != transfer->length) {
388 fp_err("short interrupt read? %d", transfer->actual_length);
389 r = -EPROTO;
390 goto err;
391 }
392
393 type = GUINT16_FROM_BE(*((uint16_t *) data));
394 fp_dbg("recv irq type %04x", type);
395 g_free(data);
396 libusb_free_transfer(transfer);
397
398 /* The 0800 interrupt seems to indicate imminent failure (0 bytes transfer)
399 * of the next scan. It still appears on occasion. */
400 if (type == IRQDATA_DEATH)
401 fp_warn("oh no! got the interrupt OF DEATH! expect things to go bad");
402
403 if (urudev->irq_cb)
404 urudev->irq_cb(dev, 0, type, urudev->irq_cb_data);
405 else
406 fp_dbg("ignoring interrupt");
407
408 r = start_irq_handler(dev);
409 if (r == 0)
410 return;
411
412 transfer = NULL;
413 data = NULL;
414 err:
415 if (urudev->irq_cb)
416 urudev->irq_cb(dev, r, 0, urudev->irq_cb_data);
417 out:
418 g_free(data);
419 libusb_free_transfer(transfer);
420 urudev->irq_transfer = NULL;
421 }
422
423 static int start_irq_handler(struct fp_img_dev *dev)
424 {
425 struct uru4k_dev *urudev = dev->priv;
426 struct libusb_transfer *transfer = libusb_alloc_transfer();
427 unsigned char *data;
428 int r;
429
430 if (!transfer)
431 return -ENOMEM;
432
433 data = g_malloc(IRQ_LENGTH);
434 libusb_fill_bulk_transfer(transfer, dev->udev, EP_INTR, data, IRQ_LENGTH,
435 irq_handler, dev, 0);
436
437 urudev->irq_transfer = transfer;
438 r = libusb_submit_transfer(transfer);
439 if (r < 0) {
440 g_free(data);
441 libusb_free_transfer(transfer);
442 urudev->irq_transfer = NULL;
443 }
444 return r;
445 }
446
447 static void stop_irq_handler(struct fp_img_dev *dev, irqs_stopped_cb_fn cb)
448 {
449 struct uru4k_dev *urudev = dev->priv;
450 struct libusb_transfer *transfer = urudev->irq_transfer;
451 if (transfer) {
452 libusb_cancel_transfer(transfer);
453 urudev->irqs_stopped_cb = cb;
454 }
455 }
456
457 /***** IMAGING LOOP *****/
458
459 static int start_imaging_loop(struct fp_img_dev *dev);
460
461 static void image_cb(struct libusb_transfer *transfer)
462 {
463 struct fp_img_dev *dev = transfer->user_data;
464 struct uru4k_dev *urudev = dev->priv;
465 int hdr_skip = CAPTURE_HDRLEN;
466 int image_size = DATABLK_EXPECT - CAPTURE_HDRLEN;
467 struct fp_img *img;
468 int r = 0;
469
470 if (transfer->status == LIBUSB_TRANSFER_CANCELLED) {
471 fp_dbg("cancelled");
472 urudev->img_transfer = NULL;
473 g_free(transfer->buffer);
474 libusb_free_transfer(transfer);
475 return;
476 } else if (transfer->status != LIBUSB_TRANSFER_COMPLETED) {
477 r = -EIO;
478 goto out;
479 }
480
481 if (transfer->actual_length == image_size) {
482 /* no header! this is rather odd, but it happens sometimes with my MS
483 * keyboard */
484 fp_dbg("got image with no header!");
485 hdr_skip = 0;
486 } else if (transfer->actual_length != DATABLK_EXPECT) {
487 fp_err("unexpected image capture size (%d)", transfer->actual_length);
488 r = -EPROTO;
489 goto out;
490 }
491
492 img = fpi_img_new(image_size);
493 memcpy(img->data, transfer->buffer + hdr_skip, image_size);
494 img->flags = FP_IMG_V_FLIPPED | FP_IMG_H_FLIPPED | FP_IMG_COLORS_INVERTED;
495 fpi_imgdev_image_captured(dev, img);
496
497 out:
498 g_free(transfer->buffer);
499 libusb_free_transfer(transfer);
500 if (r == 0)
501 r = start_imaging_loop(dev);
502
503 if (r)
504 fpi_imgdev_session_error(dev, r);
505 }
506
507 static int start_imaging_loop(struct fp_img_dev *dev)
508 {
509 struct uru4k_dev *urudev = dev->priv;
510 struct libusb_transfer *transfer = libusb_alloc_transfer();
511 unsigned char *data;
512 int r;
513
514 if (!transfer)
515 return -ENOMEM;
516
517 data = g_malloc(DATABLK_RQLEN);
518 libusb_fill_bulk_transfer(transfer, dev->udev, EP_DATA, data,
519 DATABLK_RQLEN, image_cb, dev, 0);
520
521 urudev->img_transfer = transfer;
522 r = libusb_submit_transfer(transfer);
523 if (r < 0) {
524 g_free(data);
525 libusb_free_transfer(transfer);
526 }
527
528 return r;
529 }
530
531 static void stop_imaging_loop(struct fp_img_dev *dev)
532 {
533 struct uru4k_dev *urudev = dev->priv;
534 struct libusb_transfer *transfer = urudev->img_transfer;
535 if (transfer)
536 libusb_cancel_transfer(transfer);
537 /* FIXME: should probably wait for cancellation to complete */
538 }
539
540 /***** STATE CHANGING *****/
541
542 static void finger_presence_irq_cb(struct fp_img_dev *dev, int status,
543 uint16_t type, void *user_data)
544 {
545 if (status)
546 fpi_imgdev_session_error(dev, status);
547 else if (type == IRQDATA_FINGER_ON)
548 fpi_imgdev_report_finger_status(dev, TRUE);
549 else if (type == IRQDATA_FINGER_OFF)
550 fpi_imgdev_report_finger_status(dev, FALSE);
551 else
552 fp_warn("ignoring unexpected interrupt %04x", type);
553 }
554
555 static void change_state_write_reg_cb(struct fp_img_dev *dev, int status,
556 void *user_data)
557 {
558 if (status)
559 fpi_imgdev_session_error(dev, status);
560 }
561
562 static int dev_change_state(struct fp_img_dev *dev, enum fp_imgdev_state state)
563 {
564 struct uru4k_dev *urudev = dev->priv;
565
566 stop_imaging_loop(dev);
567
568 switch (state) {
569 case IMGDEV_STATE_AWAIT_FINGER_ON:
570 if (!IRQ_HANDLER_IS_RUNNING(urudev))
571 return -EIO;
572 urudev->irq_cb = finger_presence_irq_cb;
573 return write_reg(dev, REG_MODE, MODE_AWAIT_FINGER_ON,
574 change_state_write_reg_cb, NULL);
575
576 case IMGDEV_STATE_CAPTURE:
577 urudev->irq_cb = NULL;
578 start_imaging_loop(dev);
579 return write_reg(dev, REG_MODE, MODE_CAPTURE, change_state_write_reg_cb,
580 NULL);
581
582 case IMGDEV_STATE_AWAIT_FINGER_OFF:
583 if (!IRQ_HANDLER_IS_RUNNING(urudev))
584 return -EIO;
585 urudev->irq_cb = finger_presence_irq_cb;
586 return write_reg(dev, REG_MODE, MODE_AWAIT_FINGER_OFF,
587 change_state_write_reg_cb, NULL);
588
589 default:
590 fp_err("unrecognised state %d", state);
591 return -EINVAL;
592 }
593 }
594
595 /***** GENERIC STATE MACHINE HELPER FUNCTIONS *****/
596
597 static void sm_write_reg_cb(struct fp_img_dev *dev, int result, void *user_data)
598 {
599 struct fpi_ssm *ssm = user_data;
600
601 if (result)
602 fpi_ssm_mark_aborted(ssm, result);
603 else
604 fpi_ssm_next_state(ssm);
605 }
606
607 static void sm_write_reg(struct fpi_ssm *ssm, uint16_t reg,
608 unsigned char value)
609 {
610 struct fp_img_dev *dev = ssm->priv;
611 int r = write_reg(dev, reg, value, sm_write_reg_cb, ssm);
612 if (r < 0)
613 fpi_ssm_mark_aborted(ssm, r);
614 }
615
616 static void sm_read_reg_cb(struct fp_img_dev *dev, int result,
617 unsigned char *data, void *user_data)
618 {
619 struct fpi_ssm *ssm = user_data;
620 struct uru4k_dev *urudev = dev->priv;
621
622 if (result) {
623 fpi_ssm_mark_aborted(ssm, result);
624 } else {
625 urudev->last_reg_rd = *data;
626 fp_dbg("reg value %x", urudev->last_reg_rd);
627 fpi_ssm_next_state(ssm);
628 }
629 }
630
631 static void sm_read_reg(struct fpi_ssm *ssm, uint16_t reg)
632 {
633 struct fp_img_dev *dev = ssm->priv;
634 int r;
635
636 fp_dbg("read reg %x", reg);
637 r = read_reg(dev, reg, sm_read_reg_cb, ssm);
638 if (r < 0)
639 fpi_ssm_mark_aborted(ssm, r);
640 }
641
642 static void sm_set_mode(struct fpi_ssm *ssm, unsigned char mode)
643 {
644 fp_dbg("mode %02x", mode);
645 sm_write_reg(ssm, REG_MODE, mode);
646 }
647
648 static void sm_set_hwstat(struct fpi_ssm *ssm, unsigned char value)
649 {
650 fp_dbg("set %02x", value);
651 sm_write_reg(ssm, REG_HWSTAT, value);
652 }
653
654 /***** INITIALIZATION *****/
655
656 enum fwfixer_states {
657 FWFIXER_INIT,
658 FWFIXER_READ_NEXT,
659 FWFIXER_WRITE,
660 FWFIXER_NUM_STATES,
661 };
662
663 static void fwfixer_read_cb(struct fp_img_dev *dev, int status,
664 unsigned char *data, void *user_data)
665 {
666 struct fpi_ssm *ssm = user_data;
667 struct uru4k_dev *urudev = dev->priv;
668
669 if (status != 0)
670 fpi_ssm_mark_aborted(ssm, status);
671
672 fp_dbg("data: %02x %02x %02x", data[0], data[1], data[2]);
673 if (data[0] == 0xff && (data[1] & 0x0f) == 0x07 && data[2] == 0x41) {
674 fp_dbg("using offset %x", fwenc_offsets[urudev->fwfixer_offset]);
675 urudev->fwfixer_value = data[1];
676 fpi_ssm_jump_to_state(ssm, FWFIXER_WRITE);
677 } else {
678 fpi_ssm_jump_to_state(ssm, FWFIXER_READ_NEXT);
679 }
680 }
681
682 static void fwfixer_run_state(struct fpi_ssm *ssm)
683 {
684 struct fp_img_dev *dev = ssm->priv;
685 struct uru4k_dev *urudev = dev->priv;
686 int r;
687
688 switch (ssm->cur_state) {
689 case FWFIXER_INIT:
690 urudev->fwfixer_offset = -1;
691 fpi_ssm_next_state(ssm);
692 break;
693 case FWFIXER_READ_NEXT: ;
694 int offset = ++urudev->fwfixer_offset;
695 uint16_t try_addr;
696
697 if (offset == G_N_ELEMENTS(fwenc_offsets)) {
698 fp_err("could not find encryption byte");
699 fpi_ssm_mark_aborted(ssm, -ENODEV);
700 return;
701 }
702
703 try_addr = fwenc_offsets[offset];
704 fp_dbg("looking for encryption byte at %x", try_addr);
705
706 r = read_regs(dev, try_addr, 3, fwfixer_read_cb, ssm);
707 if (r < 0)
708 fpi_ssm_mark_aborted(ssm, r);
709 break;
710 case FWFIXER_WRITE: ;
711 uint16_t enc_addr = fwenc_offsets[urudev->fwfixer_offset] + 1;
712 unsigned char cur = urudev->fwfixer_value;
713 unsigned char new = cur & 0xef;
714 if (new == cur) {
715 fp_dbg("encryption is already disabled");
716 fpi_ssm_next_state(ssm);
717 } else {
718 fp_dbg("fixing encryption byte at %x to %02x", enc_addr, new);
719 sm_write_reg(ssm, enc_addr, new);
720 }
721 break;
722 }
723 }
724
725 /* After closing an app and setting hwstat to 0x80, my ms keyboard gets in a
726 * confused state and returns hwstat 0x85. On next app run, we don't get the
727 * 56aa interrupt. This is the best way I've found to fix it: mess around
728 * with hwstat until it starts returning more recognisable values. This
729 * doesn't happen on my other devices: uru4000, uru4000b, ms fp rdr v2
730 *
731 * The windows driver copes with this OK, but then again it uploads firmware
732 * right after reading the 0x85 hwstat, allowing some time to pass before it
733 * attempts to tweak hwstat again...
734 *
735 * This is implemented with a reboot power state machine. the ssm runs during
736 * initialization if bits 2 and 7 are set in hwstat. it masks off the 4 high
737 * hwstat bits then checks that bit 1 is set. if not, it pauses before reading
738 * hwstat again. machine completes when reading hwstat shows bit 1 is set,
739 * and fails after 100 tries. */
740
741 enum rebootpwr_states {
742 REBOOTPWR_SET_HWSTAT = 0,
743 REBOOTPWR_GET_HWSTAT,
744 REBOOTPWR_CHECK_HWSTAT,
745 REBOOTPWR_PAUSE,
746 REBOOTPWR_NUM_STATES,
747 };
748
749 static void rebootpwr_pause_cb(void *data)
750 {
751 struct fpi_ssm *ssm = data;
752 struct fp_img_dev *dev = ssm->priv;
753 struct uru4k_dev *urudev = dev->priv;
754
755 if (!--urudev->rebootpwr_ctr) {
756 fp_err("could not reboot device power");
757 fpi_ssm_mark_aborted(ssm, -EIO);
758 } else {
759 fpi_ssm_jump_to_state(ssm, REBOOTPWR_GET_HWSTAT);
760 }
761 }
762
763 static void rebootpwr_run_state(struct fpi_ssm *ssm)
764 {
765 struct fp_img_dev *dev = ssm->priv;
766 struct uru4k_dev *urudev = dev->priv;
767
768 switch (ssm->cur_state) {
769 case REBOOTPWR_SET_HWSTAT:
770 urudev->rebootpwr_ctr = 100;
771 sm_set_hwstat(ssm, urudev->last_hwstat & 0xf);
772 break;
773 case REBOOTPWR_GET_HWSTAT:
774 sm_read_reg(ssm, REG_HWSTAT);
775 break;
776 case REBOOTPWR_CHECK_HWSTAT:
777 urudev->last_hwstat = urudev->last_reg_rd;
778 if (urudev->last_hwstat & 0x1)
779 fpi_ssm_mark_completed(ssm);
780 else
781 fpi_ssm_next_state(ssm);
782 break;
783 case REBOOTPWR_PAUSE:
784 if (fpi_timeout_add(10, rebootpwr_pause_cb, ssm) == NULL)
785 fpi_ssm_mark_aborted(ssm, -ETIME);
786 break;
787 }
788 }
789
790 /* After messing with the device firmware in it's low-power state, we have to
791 * power it back up and wait for interrupt notification. It's not quite as easy
792 * as that: the combination of both modifying firmware *and* doing C-R auth on
793 * my ms fp v2 device causes us not to get to get the 56aa interrupt and
794 * for the hwstat write not to take effect. We have to loop a few times,
795 * authenticating each time, until the device wakes up.
796 *
797 * This is implemented as the powerup state machine below. Pseudo-code:
798
799 status = get_hwstat();
800 for (i = 0; i < 100; i++) {
801 set_hwstat(status & 0xf);
802 if ((get_hwstat() & 0x80) == 0)
803 break;
804
805 usleep(10000);
806 if (need_auth_cr)
807 auth_cr();
808 }
809
810 if (tmp & 0x80)
811 error("could not power up device");
812
813 */
814
815 enum powerup_states {
816 POWERUP_INIT = 0,
817 POWERUP_SET_HWSTAT,
818 POWERUP_GET_HWSTAT,
819 POWERUP_CHECK_HWSTAT,
820 POWERUP_PAUSE,
821 POWERUP_CHALLENGE_RESPONSE,
822 POWERUP_CHALLENGE_RESPONSE_SUCCESS,
823 POWERUP_NUM_STATES,
824 };
825
826 static void powerup_pause_cb(void *data)
827 {
828 struct fpi_ssm *ssm = data;
829 struct fp_img_dev *dev = ssm->priv;
830 struct uru4k_dev *urudev = dev->priv;
831
832 if (!--urudev->powerup_ctr) {
833 fp_err("could not power device up");
834 fpi_ssm_mark_aborted(ssm, -EIO);
835 } else if (!urudev->profile->auth_cr) {
836 fpi_ssm_jump_to_state(ssm, POWERUP_SET_HWSTAT);
837 } else {
838 fpi_ssm_next_state(ssm);
839 }
840 }
841
842 static void powerup_run_state(struct fpi_ssm *ssm)
843 {
844 struct fp_img_dev *dev = ssm->priv;
845 struct uru4k_dev *urudev = dev->priv;
846
847 switch (ssm->cur_state) {
848 case POWERUP_INIT:
849 urudev->powerup_ctr = 100;
850 urudev->powerup_hwstat = urudev->last_hwstat & 0xf;
851 fpi_ssm_next_state(ssm);
852 break;
853 case POWERUP_SET_HWSTAT:
854 sm_set_hwstat(ssm, urudev->powerup_hwstat);
855 break;
856 case POWERUP_GET_HWSTAT:
857 sm_read_reg(ssm, REG_HWSTAT);
858 break;
859 case POWERUP_CHECK_HWSTAT:
860 urudev->last_hwstat = urudev->last_reg_rd;
861 if ((urudev->last_reg_rd & 0x80) == 0)
862 fpi_ssm_mark_completed(ssm);
863 else
864 fpi_ssm_next_state(ssm);
865 break;
866 case POWERUP_PAUSE:
867 if (fpi_timeout_add(10, powerup_pause_cb, ssm) == NULL)
868 fpi_ssm_mark_aborted(ssm, -ETIME);
869 break;
870 case POWERUP_CHALLENGE_RESPONSE:
871 sm_do_challenge_response(ssm);
872 break;
873 case POWERUP_CHALLENGE_RESPONSE_SUCCESS:
874 fpi_ssm_jump_to_state(ssm, POWERUP_SET_HWSTAT);
875 break;
876 }
877 }
878
879 /*
880 * This is the main initialization state machine. As pseudo-code:
881
882 status = get_hwstat();
883
884 // correct device power state
885 if ((status & 0x84) == 0x84)
886 run_reboot_sm();
887
888 // power device down
889 if ((status & 0x80) == 0)
890 set_hwstat(status | 0x80);
891
892 // disable encryption
893 fwenc = read_firmware_encryption_byte();
894 new = fwenc & 0xef;
895 if (new != fwenc)
896 write_firmware_encryption_byte(new);
897
898 // power device up
899 run_powerup_sm();
900 await_irq(IRQDATA_SCANPWR_ON);
901 */
902
903 enum init_states {
904 INIT_GET_HWSTAT = 0,
905 INIT_CHECK_HWSTAT_REBOOT,
906 INIT_REBOOT_POWER,
907 INIT_CHECK_HWSTAT_POWERDOWN,
908 INIT_FIX_FIRMWARE,
909 INIT_POWERUP,
910 INIT_AWAIT_SCAN_POWER,
911 INIT_DONE,
912 INIT_NUM_STATES,
913 };
914
915 static void init_scanpwr_irq_cb(struct fp_img_dev *dev, int status,
916 uint16_t type, void *user_data)
917 {
918 struct fpi_ssm *ssm = user_data;
919
920 if (status)
921 fpi_ssm_mark_aborted(ssm, status);
922 else if (type != IRQDATA_SCANPWR_ON)
923 fp_dbg("ignoring interrupt");
924 else if (ssm->cur_state != INIT_AWAIT_SCAN_POWER)
925 fp_err("ignoring scanpwr interrupt due to being in wrong state %d",
926 ssm->cur_state);
927 else
928 fpi_ssm_next_state(ssm);
929 }
930
931 static void init_scanpwr_timeout(void *user_data)
932 {
933 struct fpi_ssm *ssm = user_data;
934 struct fp_img_dev *dev = ssm->priv;
935 struct uru4k_dev *urudev = dev->priv;
936
937 fp_warn("powerup timed out");
938 urudev->irq_cb = NULL;
939 urudev->scanpwr_irq_timeout = NULL;
940
941 if (++urudev->scanpwr_irq_timeouts >= 3) {
942 fp_err("powerup timed out 3 times, giving up");
943 fpi_ssm_mark_aborted(ssm, -ETIMEDOUT);
944 } else {
945 fpi_ssm_jump_to_state(ssm, INIT_GET_HWSTAT);
946 }
947 }
948
949 static void init_run_state(struct fpi_ssm *ssm)
950 {
951 struct fp_img_dev *dev = ssm->priv;
952 struct uru4k_dev *urudev = dev->priv;
953
954 switch (ssm->cur_state) {
955 case INIT_GET_HWSTAT:
956 sm_read_reg(ssm, REG_HWSTAT);
957 break;
958 case INIT_CHECK_HWSTAT_REBOOT:
959 urudev->last_hwstat = urudev->last_reg_rd;
960 if ((urudev->last_hwstat & 0x84) == 0x84)
961 fpi_ssm_next_state(ssm);
962 else
963 fpi_ssm_jump_to_state(ssm, INIT_CHECK_HWSTAT_POWERDOWN);
964 break;
965 case INIT_REBOOT_POWER: ;
966 struct fpi_ssm *rebootsm = fpi_ssm_new(dev->dev, rebootpwr_run_state,
967 REBOOTPWR_NUM_STATES);
968 rebootsm->priv = dev;
969 fpi_ssm_start_subsm(ssm, rebootsm);
970 break;
971 case INIT_CHECK_HWSTAT_POWERDOWN:
972 if ((urudev->last_hwstat & 0x80) == 0)
973 sm_set_hwstat(ssm, urudev->last_hwstat | 0x80);
974 else
975 fpi_ssm_next_state(ssm);
976 break;
977 case INIT_FIX_FIRMWARE: ;
978 struct fpi_ssm *fwsm = fpi_ssm_new(dev->dev, fwfixer_run_state,
979 FWFIXER_NUM_STATES);
980 fwsm->priv = dev;
981 fpi_ssm_start_subsm(ssm, fwsm);
982 break;
983 case INIT_POWERUP: ;
984 struct fpi_ssm *powerupsm = fpi_ssm_new(dev->dev, powerup_run_state,
985 POWERUP_NUM_STATES);
986 powerupsm->priv = dev;
987 fpi_ssm_start_subsm(ssm, powerupsm);
988 break;
989 case INIT_AWAIT_SCAN_POWER:
990 if (!IRQ_HANDLER_IS_RUNNING(urudev)) {
991 fpi_ssm_mark_aborted(ssm, -EIO);
992 break;
993 }
994
995 /* sometimes the 56aa interrupt that we are waiting for never arrives,
996 * so we include this timeout loop to retry the whole process 3 times
997 * if we don't get an irq any time soon. */
998 urudev->scanpwr_irq_timeout = fpi_timeout_add(300,
999 init_scanpwr_timeout, ssm);
1000 if (!urudev->scanpwr_irq_timeout) {
1001 fpi_ssm_mark_aborted(ssm, -ETIME);
1002 break;
1003 }
1004
1005 urudev->irq_cb_data = ssm;
1006 urudev->irq_cb = init_scanpwr_irq_cb;
1007 break;
1008 case INIT_DONE:
1009 fpi_timeout_cancel(urudev->scanpwr_irq_timeout);
1010 urudev->scanpwr_irq_timeout = NULL;
1011 urudev->irq_cb_data = NULL;
1012 urudev->irq_cb = NULL;
1013 fpi_ssm_mark_completed(ssm);
1014 break;
1015 }
1016 }
1017
1018 static void activate_initsm_complete(struct fpi_ssm *ssm)
1019 {
1020 struct fp_img_dev *dev = ssm->priv;
1021 struct uru4k_dev *urudev = dev->priv;
1022 int r = ssm->error;
1023 fpi_ssm_free(ssm);
1024
1025 if (r) {
1026 fpi_imgdev_activate_complete(dev, r);
1027 return;
1028 }
1029
1030 r = dev_change_state(dev, urudev->activate_state);
1031 fpi_imgdev_activate_complete(dev, r);
1032 }
1033
1034 /* FIXME: having state parameter here is kinda useless, will we ever
1035 * see a scenario where the parameter is useful so early on in the activation
1036 * process? asynchronity means that it'll only be used in a later function
1037 * call. */
1038 static int dev_activate(struct fp_img_dev *dev, enum fp_imgdev_state state)
1039 {
1040 struct uru4k_dev *urudev = dev->priv;
1041 struct fpi_ssm *ssm;
1042 int r;
1043
1044 r = start_irq_handler(dev);
1045 if (r < 0)
1046 return r;
1047
1048 urudev->scanpwr_irq_timeouts = 0;
1049 urudev->activate_state = state;
1050 ssm = fpi_ssm_new(dev->dev, init_run_state, INIT_NUM_STATES);
1051 ssm->priv = dev;
1052 fpi_ssm_start(ssm, activate_initsm_complete);
1053 return 0;
1054 }
1055
1056 /***** DEINITIALIZATION *****/
1057
1058 enum deinit_states {
1059 DEINIT_SET_MODE_INIT = 0,
1060 DEINIT_POWERDOWN,
1061 DEINIT_NUM_STATES,
1062 };
1063
1064 static void deinit_run_state(struct fpi_ssm *ssm)
1065 {
1066 switch (ssm->cur_state) {
1067 case DEINIT_SET_MODE_INIT:
1068 sm_set_mode(ssm, MODE_INIT);
1069 break;
1070 case DEINIT_POWERDOWN:
1071 sm_set_hwstat(ssm, 0x80);
1072 break;
1073 }
1074 }
1075
1076 static void deactivate_irqs_stopped(struct fp_img_dev *dev)
1077 {
1078 fpi_imgdev_deactivate_complete(dev);
1079 }
1080
1081 static void deactivate_deinitsm_complete(struct fpi_ssm *ssm)
1082 {
1083 struct fp_img_dev *dev = ssm->priv;
1084 fpi_ssm_free(ssm);
1085 stop_irq_handler(dev, deactivate_irqs_stopped);
1086 }
1087
1088 static void dev_deactivate(struct fp_img_dev *dev)
1089 {
1090 struct uru4k_dev *urudev = dev->priv;
1091 struct fpi_ssm *ssm = fpi_ssm_new(dev->dev, deinit_run_state,
1092 DEINIT_NUM_STATES);
1093
1094 stop_imaging_loop(dev);
1095 urudev->irq_cb = NULL;
1096 urudev->irq_cb_data = NULL;
1097 ssm->priv = dev;
1098 fpi_ssm_start(ssm, deactivate_deinitsm_complete);
1099 }
1100
1101 /***** LIBRARY STUFF *****/
1102
1103 static int dev_init(struct fp_img_dev *dev, unsigned long driver_data)
1104 {
1105 struct libusb_config_descriptor *config;
1106 struct libusb_interface *iface = NULL;
1107 struct libusb_interface_descriptor *iface_desc;
1108 struct libusb_endpoint_descriptor *ep;
1109 struct uru4k_dev *urudev;
1110 int i;
1111 int r;
1112
1113 /* Find fingerprint interface */
1114 config = libusb_get_config_descriptor(libusb_get_device(dev->udev));
1115 for (i = 0; i < config->bNumInterfaces; i++) {
1116 struct libusb_interface *cur_iface = &config->interface[i];
1117
1118 if (cur_iface->num_altsetting < 1)
1119 continue;
1120
1121 iface_desc = &cur_iface->altsetting[0];
1122 if (iface_desc->bInterfaceClass == 255
1123 && iface_desc->bInterfaceSubClass == 255
1124 && iface_desc->bInterfaceProtocol == 255) {
1125 iface = cur_iface;
1126 break;
1127 }
1128 }
1129
1130 if (iface == NULL) {
1131 fp_err("could not find interface");
1132 return -ENODEV;
1133 }
1134
1135 /* Find/check endpoints */
1136
1137 if (iface_desc->bNumEndpoints != 2) {
1138 fp_err("found %d endpoints!?", iface_desc->bNumEndpoints);
1139 return -ENODEV;
1140 }
1141
1142 ep = &iface_desc->endpoint[0];
1143 if (ep->bEndpointAddress != EP_INTR
1144 || (ep->bmAttributes & LIBUSB_ENDPOINT_TYPE_MASK) !=
1145 LIBUSB_ENDPOINT_TYPE_INTERRUPT) {
1146 fp_err("unrecognised interrupt endpoint");
1147 return -ENODEV;
1148 }
1149
1150 ep = &iface_desc->endpoint[1];
1151 if (ep->bEndpointAddress != EP_DATA
1152 || (ep->bmAttributes & LIBUSB_ENDPOINT_TYPE_MASK) !=
1153 LIBUSB_ENDPOINT_TYPE_BULK) {
1154 fp_err("unrecognised bulk endpoint");
1155 return -ENODEV;
1156 }
1157
1158 /* Device looks like a supported reader */
1159
1160 r = libusb_claim_interface(dev->udev, iface_desc->bInterfaceNumber);
1161 if (r < 0) {
1162 fp_err("interface claim failed");
1163 return r;
1164 }
1165
1166 urudev = g_malloc0(sizeof(*urudev));
1167 urudev->profile = &uru4k_dev_info[driver_data];
1168 urudev->interface = iface_desc->bInterfaceNumber;
1169 AES_set_encrypt_key(crkey, 128, &urudev->aeskey);
1170 dev->priv = urudev;
1171 fpi_imgdev_open_complete(dev, 0);
1172 return 0;
1173 }
1174
1175 static void dev_deinit(struct fp_img_dev *dev)
1176 {
1177 struct uru4k_dev *urudev = dev->priv;
1178 libusb_release_interface(dev->udev, urudev->interface);
1179 g_free(urudev);
1180 fpi_imgdev_close_complete(dev);
1181 }
1182
1183 static const struct usb_id id_table[] = {
1184 /* ms kbd with fp rdr */
1185 { .vendor = 0x045e, .product = 0x00bb, .driver_data = MS_KBD },
1186
1187 /* ms intellimouse with fp rdr */
1188 { .vendor = 0x045e, .product = 0x00bc, .driver_data = MS_INTELLIMOUSE },
1189
1190 /* ms fp rdr (standalone) */
1191 { .vendor = 0x045e, .product = 0x00bd, .driver_data = MS_STANDALONE },
1192
1193 /* ms fp rdr (standalone) v2 */
1194 { .vendor = 0x045e, .product = 0x00ca, .driver_data = MS_STANDALONE_V2 },
1195
1196 /* dp uru4000 (standalone) */
1197 { .vendor = 0x05ba, .product = 0x0007, .driver_data = DP_URU4000 },
1198
1199 /* dp uru4000b (standalone) */
1200 { .vendor = 0x05ba, .product = 0x000a, .driver_data = DP_URU4000B },
1201
1202 /* terminating entry */
1203 { 0, 0, 0, },
1204 };
1205
1206 struct fp_img_driver uru4000_driver = {
1207 .driver = {
1208 .id = 2,
1209 .name = FP_COMPONENT,
1210 .full_name = "Digital Persona U.are.U 4000/4000B",
1211 .id_table = id_table,
1212 },
1213 .flags = FP_IMGDRV_SUPPORTS_UNCONDITIONAL_CAPTURE,
1214 .img_height = 289,
1215 .img_width = 384,
1216
1217 .open = dev_init,
1218 .close = dev_deinit,
1219 .activate = dev_activate,
1220 .deactivate = dev_deactivate,
1221 .change_state = dev_change_state,
1222 };
1223
Library for fingerprint scanning and recognition