search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix img_capture_continuous build
[libfprint.git] / libfprint / drivers / uru4000.c
blobe91e16b2c4248e64e7c96bfbd4ee14568d4e6b84
1 /*
2 * Digital Persona U.are.U 4000/4000B driver for libfprint
3 * Copyright (C) 2007 Daniel Drake <dsd@gentoo.org>
4 *
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
9 *
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
14 *
15 * You should have received a copy of the GNU Lesser General Public
16 * License along with this library; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
18 */
19
20 #define FP_COMPONENT "uru4000"
21
22 #include <errno.h>
23 #include <string.h>
24 #include <unistd.h>
25
26 #include <usb.h>
27
28 #include <fp_internal.h>
29
30 #define EP_INTR (1 | USB_ENDPOINT_IN)
31 #define EP_DATA (2 | USB_ENDPOINT_IN)
32 #define USB_RQ 0x04
33 #define CTRL_IN (USB_TYPE_VENDOR | USB_ENDPOINT_IN)
34 #define CTRL_OUT (USB_TYPE_VENDOR | USB_ENDPOINT_OUT)
35 #define CTRL_TIMEOUT 5000
36 #define BULK_TIMEOUT 5000
37 #define DATABLK1_RQLEN 0x10000
38 #define DATABLK2_RQLEN 0xb340
39 #define DATABLK2_EXPECT 0xb1c0
40 #define CAPTURE_HDRLEN 64
41 #define IRQ_LENGTH 64
42
43 enum {
44 IRQDATA_SCANPWR_ON = 0x56aa,
45 IRQDATA_FINGER_ON = 0x0101,
46 IRQDATA_FINGER_OFF = 0x0200,
47 IRQDATA_DEATH = 0x0800,
48 };
49
50 enum {
51 REG_HWSTAT = 0x07,
52 REG_MODE = 0x4e,
53 };
54
55 enum {
56 MODE_INIT = 0x00,
57 MODE_AWAIT_FINGER_ON = 0x10,
58 MODE_AWAIT_FINGER_OFF = 0x12,
59 MODE_CAPTURE = 0x20,
60 MODE_SHUT_UP = 0x30,
61 MODE_READY = 0x80,
62 };
63
64 enum {
65 MS_KBD,
66 MS_INTELLIMOUSE,
67 MS_STANDALONE,
68 MS_STANDALONE_V2,
69 DP_URU4000,
70 DP_URU4000B,
71 };
72
73 static const struct uru4k_dev_profile {
74 const char *name;
75 uint16_t firmware_start;
76 uint16_t fw_enc_offset;
77 } uru4k_dev_info[] = {
78 [MS_KBD] = {
79 .name = "Microsoft Keyboard with Fingerprint Reader",
80 .firmware_start = 0x100,
81 .fw_enc_offset = 0x42b,
82 },
83 [MS_INTELLIMOUSE] = {
84 .name = "Microsoft Wireless IntelliMouse with Fingerprint Reader",
85 .firmware_start = 0x100,
86 .fw_enc_offset = 0x42b,
87 },
88 [MS_STANDALONE] = {
89 .name = "Microsoft Fingerprint Reader",
90 .firmware_start = 0x100,
91 .fw_enc_offset = 0x42b,
92 },
93 [DP_URU4000B] = {
94 .name = "Digital Persona U.are.U 4000B",
95 .firmware_start = 0x100,
96 .fw_enc_offset = 0x42b,
97 },
98 };
99
100 struct uru4k_dev {
101 uint8_t interface;
102 };
103
104 /*
105 * HWSTAT
106 *
107 * This register has caused me a lot of headaches. It pretty much defines
108 * code flow, and if you don't get it right, the pretty lights don't come on.
109 * I think the situation is somewhat complicated by the fact that writing it
110 * doesn't affect the read results in the way you'd expect -- but then again
111 * it does have some obvious effects. Here's what we know
112 *
113 * BIT 7: LOW POWER MODE
114 * When this bit is set, the device is partially turned off or something. Some
115 * things, like firmware upload, need to be done in this state. But generally
116 * we want to clear this bit during late initialization, which can sometimes
117 * be tricky.
118 *
119 * BIT 2: SOMETHING WENT WRONG
120 * Not sure about this, but see the init function, as when we detect it,
121 * we reboot the device. Well, we mess with hwstat until this evil bit gets
122 * cleared.
123 *
124 * BIT 1: IRQ PENDING
125 * Just had a brainwave. This bit is set when the device is trying to deliver
126 * and interrupt to the host. Maybe?
127 */
128
129 static int get_hwstat(struct fp_img_dev *dev, unsigned char *data)
130 {
131 int r;
132
133 /* The windows driver uses a request of 0x0c here. We use 0x04 to be
134 * consistent with every other command we know about. */
135 r = usb_control_msg(dev->udev, CTRL_IN, USB_RQ, REG_HWSTAT, 0,
136 data, 1, CTRL_TIMEOUT);
137 if (r < 0) {
138 fp_err("error %d", r);
139 return r;
140 } else if (r < 1) {
141 fp_err("read too short (%d)", r);
142 return -EIO;
143 }
144
145 fp_dbg("val=%02x", *data);
146 return 0;
147 }
148
149 static int set_hwstat(struct fp_img_dev *dev, unsigned char data)
150 {
151 int r;
152 fp_dbg("val=%02x", data);
153
154 r = usb_control_msg(dev->udev, CTRL_OUT, USB_RQ, REG_HWSTAT, 0,
155 &data, 1, CTRL_TIMEOUT);
156 if (r < 0) {
157 fp_err("error %d", r);
158 return r;
159 } else if (r < 1) {
160 fp_err("read too short (%d)", r);
161 return -EIO;
162 }
163
164 return 0;
165 }
166
167 static int set_mode(struct fp_img_dev *dev, unsigned char mode)
168 {
169 int r;
170
171 fp_dbg("%02x", mode);
172 r = usb_control_msg(dev->udev, CTRL_OUT, USB_RQ, REG_MODE, 0, &mode, 1,
173 CTRL_TIMEOUT);
174 if (r < 0) {
175 fp_err("error %d", r);
176 return r;
177 } else if (r < 1) {
178 fp_err("write too short (%d)", r);
179 return -EIO;
180 }
181
182 return 0;
183 }
184
185 static int get_irq(struct fp_img_dev *dev, unsigned char *buf, int timeout)
186 {
187 uint16_t type;
188 int r;
189 int infinite_timeout = 0;
190
191 if (timeout == 0) {
192 infinite_timeout = 1;
193 timeout = 1000;
194 }
195
196 /* Darwin and Linux behave inconsistently with regard to infinite timeouts.
197 * Linux accepts a timeout value of 0 as infinite timeout, whereas darwin
198 * returns -ETIMEDOUT immediately when a 0 timeout is used. We use a
199 * looping hack until libusb is fixed.
200 * See http://thread.gmane.org/gmane.comp.lib.libusb.devel.general/1315 */
201
202 retry:
203 r = usb_interrupt_read(dev->udev, EP_INTR, buf, IRQ_LENGTH, timeout);
204 if (r == -ETIMEDOUT && infinite_timeout)
205 goto retry;
206
207 if (r < 0) {
208 if (r != -ETIMEDOUT)
209 fp_err("interrupt read failed, error %d", r);
210 return r;
211 } else if (r < IRQ_LENGTH) {
212 fp_err("received %d byte IRQ!?", r);
213 return -EIO;
214 }
215
216 type = GUINT16_FROM_BE(*((uint16_t *) buf));
217 fp_dbg("irq type %04x", type);
218
219 /* The 0800 interrupt seems to indicate imminent failure (0 bytes transfer)
220 * of the next scan. I think I've stopped it from coming up, not sure
221 * though! */
222 if (type == IRQDATA_DEATH)
223 fp_warn("oh no! got the interrupt OF DEATH! expect things to go bad");
224
225 return 0;
226 }
227
228 enum get_irq_status {
229 GET_IRQ_SUCCESS = 0,
230 GET_IRQ_OVERFLOW = 1,
231 };
232
233 static int get_irq_with_type(struct fp_img_dev *dev,
234 uint16_t irqtype, int timeout)
235 {
236 uint16_t hdr;
237 int discarded = 0;
238 unsigned char irqbuf[IRQ_LENGTH];
239
240 fp_dbg("type=%04x", irqtype);
241
242 do {
243 int r = get_irq(dev, irqbuf, timeout);
244 if (r < 0)
245 return r;
246
247 hdr = GUINT16_FROM_BE(*((uint16_t *) irqbuf));
248 if (hdr == irqtype)
249 break;
250 discarded++;
251 } while (discarded < 3);
252
253 if (discarded > 0)
254 fp_dbg("discarded %d interrupts", discarded);
255
256 if (hdr == irqtype) {
257 return GET_IRQ_SUCCESS;
258 } else {
259 /* I've seen several cases where we're waiting for the 56aa powerup
260 * interrupt, but instead we just get three 0200 interrupts and then
261 * nothing. My theory is that the device can only queue 3 interrupts,
262 * or something. So, if we discard 3, ask the caller to retry whatever
263 * it was doing. */
264 fp_dbg("possible IRQ overflow detected!");
265 return GET_IRQ_OVERFLOW;
266 }
267 }
268
269 static int await_finger_on(struct fp_img_dev *dev)
270 {
271 int r;
272
273 retry:
274 r = set_mode(dev, MODE_AWAIT_FINGER_ON);
275 if (r < 0)
276 return r;
277
278 r = get_irq_with_type(dev, IRQDATA_FINGER_ON, 0);
279 if (r == GET_IRQ_OVERFLOW)
280 goto retry;
281 else
282 return r;
283 }
284
285 static int await_finger_off(struct fp_img_dev *dev)
286 {
287 int r;
288
289 retry:
290 r = set_mode(dev, MODE_AWAIT_FINGER_OFF);
291 if (r < 0)
292 return r;
293
294 r = get_irq_with_type(dev, IRQDATA_FINGER_OFF, 0);
295 if (r == GET_IRQ_OVERFLOW)
296 goto retry;
297 else
298 return r;
299 }
300
301 static int capture(struct fp_img_dev *dev, gboolean unconditional,
302 struct fp_img **ret)
303 {
304 int r;
305 struct fp_img *img;
306 size_t image_size = DATABLK1_RQLEN + DATABLK2_EXPECT - CAPTURE_HDRLEN;
307 int hdr_skip = CAPTURE_HDRLEN;
308
309 r = set_mode(dev, MODE_CAPTURE);
310 if (r < 0)
311 return r;
312
313 /* The image is split up into 2 blocks over 2 USB transactions, which are
314 * joined contiguously. The image is prepended by a 64 byte header which
315 * we completely ignore.
316 *
317 * We mimic the windows driver behaviour by requesting 0xb340 bytes in the
318 * 2nd request, but we only expect 0xb1c0 in response. However, our buffers
319 * must be set up on the offchance that we receive as much data as we
320 * asked for. */
321
322 img = fpi_img_new(DATABLK1_RQLEN + DATABLK2_RQLEN);
323
324 r = usb_bulk_read(dev->udev, EP_DATA, img->data, DATABLK1_RQLEN,
325 BULK_TIMEOUT);
326 if (r < 0) {
327 fp_err("part 1 capture failed, error %d", r);
328 goto err;
329 } else if (r < DATABLK1_RQLEN) {
330 fp_err("part 1 capture too short (%d)", r);
331 r = -EIO;
332 goto err;
333 }
334
335 r = usb_bulk_read(dev->udev, EP_DATA, img->data + DATABLK1_RQLEN,
336 DATABLK2_RQLEN, BULK_TIMEOUT);
337 if (r < 0) {
338 fp_err("part 2 capture failed, error %d", r);
339 goto err;
340 } else if (r != DATABLK2_EXPECT) {
341 if (r == DATABLK2_EXPECT - CAPTURE_HDRLEN) {
342 /* this is rather odd, but it happens sometimes with my MS
343 * keyboard */
344 fp_dbg("got image with no header!");
345 hdr_skip = 0;
346 } else {
347 fp_err("unexpected part 2 capture size (%d)", r);
348 r = -EIO;
349 goto err;
350 }
351 }
352
353 /* remove header and shrink allocation */
354 g_memmove(img->data, img->data + hdr_skip, image_size);
355 img = fpi_img_resize(img, image_size);
356 img->flags = FP_IMG_V_FLIPPED | FP_IMG_H_FLIPPED | FP_IMG_COLORS_INVERTED;
357
358 *ret = img;
359 return 0;
360 err:
361 g_free(img);
362 return r;
363 }
364
365 static int do_init(struct fp_img_dev *dev)
366 {
367 unsigned char status;
368 unsigned char tmp;
369 int timeouts = 0;
370 int i;
371 int r;
372
373 retry:
374 r = get_hwstat(dev, &status);
375 if (r < 0)
376 return r;
377
378 /* After closing an app and setting hwstat to 0x80, my ms keyboard
379 * gets in a confused state and returns hwstat 0x85. On next app run,
380 * we don't get the 56aa interrupt. This is the best way I've found to
381 * fix it: mess around with hwstat until it starts returning more
382 * recognisable values. This doesn't happen on my other devices:
383 * uru4000, uru4000b, ms fp rdr v2
384 * The windows driver copes with this OK, but then again it uploads
385 * firmware right after reading the 0x85 hwstat, allowing some time
386 * to pass before it attempts to tweak hwstat again... */
387 if ((status & 0x84) == 0x84) {
388 fp_dbg("rebooting device power");
389 r = set_hwstat(dev, status & 0xf);
390 if (r < 0)
391 return r;
392
393 for (i = 0; i < 100; i++) {
394 r = get_hwstat(dev, &status);
395 if (r < 0)
396 return r;
397 if (status & 0x1)
398 break;
399 usleep(10000);
400 }
401 if ((status & 0x1) == 0) {
402 fp_err("could not reboot device power");
403 return -EIO;
404 }
405 }
406
407 if ((status & 0x80) == 0) {
408 status |= 0x80;
409 r = set_hwstat(dev, status);
410 if (r < 0)
411 return r;
412 }
413
414 /* FIXME fix firmware (disable encryption) */
415
416 /* Power up device and wait for interrupt notification */
417 /* The combination of both modifying firmware *and* doing C-R auth on
418 * my ms fp v2 device causes us not to get to get the 56aa interrupt and
419 * for the hwstat write not to take effect. We loop a few times,
420 * authenticating each time, until the device wakes up. */
421 for (i = 0; i < 100; i++) { /* max 1 sec */
422 r = set_hwstat(dev, status & 0xf);
423 if (r < 0)
424 return r;
425
426 r = get_hwstat(dev, &tmp);
427 if (r < 0)
428 return r;
429
430 if ((tmp & 0x80) == 0)
431 break;
432
433 usleep(10000);
434
435 /* FIXME do C-R auth for v2 devices */
436 }
437
438 if (tmp & 0x80) {
439 fp_err("could not power up device");
440 return -EIO;
441 }
442
443 r = get_irq_with_type(dev, IRQDATA_SCANPWR_ON, 300);
444 if (r == GET_IRQ_OVERFLOW) {
445 goto retry;
446 } else if (r == -ETIMEDOUT) {
447 timeouts++;
448 if (timeouts <= 3) {
449 fp_dbg("scan power up timeout, retrying...");
450 goto retry;
451 } else {
452 fp_err("could not power up scanner after 3 attempts");
453 }
454 }
455 return r;
456 }
457
458 static int dev_init(struct fp_img_dev *dev, unsigned long driver_data)
459 {
460 struct usb_config_descriptor *config;
461 struct usb_interface *iface = NULL;
462 struct usb_interface_descriptor *iface_desc;
463 struct usb_endpoint_descriptor *ep;
464 struct uru4k_dev *urudev;
465 int i;
466 int r;
467
468 /* Find fingerprint interface */
469 config = usb_device(dev->udev)->config;
470 for (i = 0; i < config->bNumInterfaces; i++) {
471 struct usb_interface *cur_iface = &config->interface[i];
472
473 if (cur_iface->num_altsetting < 1)
474 continue;
475
476 iface_desc = &cur_iface->altsetting[0];
477 if (iface_desc->bInterfaceClass == 255
478 && iface_desc->bInterfaceSubClass == 255
479 && iface_desc->bInterfaceProtocol == 255) {
480 iface = cur_iface;
481 break;
482 }
483 }
484
485 if (iface == NULL) {
486 fp_err("could not find interface");
487 return -ENODEV;
488 }
489
490 /* Find/check endpoints */
491
492 if (iface_desc->bNumEndpoints != 2) {
493 fp_err("found %d endpoints!?", iface_desc->bNumEndpoints);
494 return -ENODEV;
495 }
496
497 ep = &iface_desc->endpoint[0];
498 if (ep->bEndpointAddress != EP_INTR
499 || (ep->bmAttributes & USB_ENDPOINT_TYPE_MASK) !=
500 USB_ENDPOINT_TYPE_INTERRUPT) {
501 fp_err("unrecognised interrupt endpoint");
502 return -ENODEV;
503 }
504
505 ep = &iface_desc->endpoint[1];
506 if (ep->bEndpointAddress != EP_DATA
507 || (ep->bmAttributes & USB_ENDPOINT_TYPE_MASK) !=
508 USB_ENDPOINT_TYPE_BULK) {
509 fp_err("unrecognised bulk endpoint");
510 return -ENODEV;
511 }
512
513 /* Device looks like a supported reader */
514
515 r = usb_claim_interface(dev->udev, iface_desc->bInterfaceNumber);
516 if (r < 0) {
517 fp_err("interface claim failed");
518 return r;
519 }
520
521 urudev = g_malloc0(sizeof(*urudev));
522 urudev->interface = iface_desc->bInterfaceNumber;
523 dev->priv = urudev;
524
525 r = do_init(dev);
526 if (r < 0)
527 goto err;
528
529 return 0;
530 err:
531 usb_release_interface(dev->udev, iface_desc->bInterfaceNumber);
532 g_free(urudev);
533 return r;
534 }
535
536 static void dev_exit(struct fp_img_dev *dev)
537 {
538 struct uru4k_dev *urudev = dev->priv;
539
540 set_mode(dev, MODE_INIT);
541 set_hwstat(dev, 0x80);
542 usb_release_interface(dev->udev, urudev->interface);
543 g_free(urudev);
544 }
545
546 static const struct usb_id id_table[] = {
547 /* ms kbd with fp rdr */
548 { .vendor = 0x045e, .product = 0x00bb, .driver_data = MS_KBD },
549
550 /* ms intellimouse with fp rdr */
551 { .vendor = 0x045e, .product = 0x00bc, .driver_data = MS_INTELLIMOUSE },
552
553 /* ms fp rdr (standalone) */
554 { .vendor = 0x045e, .product = 0x00bd, .driver_data = MS_STANDALONE },
555
556 /* dp uru4000b (standalone) */
557 { .vendor = 0x05ba, .product = 0x000a, .driver_data = DP_URU4000B },
558
559 /* terminating entry */
560 { 0, 0, 0, },
561 };
562
563 struct fp_img_driver uru4000_driver = {
564 .driver = {
565 .id = 2,
566 .name = FP_COMPONENT,
567 .full_name = "Digital Persona U.are.U 4000/4000B",
568 .id_table = id_table,
569 },
570 .flags = FP_IMGDRV_SUPPORTS_UNCONDITIONAL_CAPTURE,
571 .img_height = 289,
572 .img_width = 384,
573
574 .init = dev_init,
575 .exit = dev_exit,
576 .await_finger_on = await_finger_on,
577 .await_finger_off = await_finger_off,
578 .capture = capture,
579 };
580
Library for fingerprint scanning and recognition