Windows: Fix USB descriptor creation code for HID devices
[libusbx.git] / examples / ezusb.c
blob5086da1932e5634a35eff1ebd28c3027df115e01
1 /*
2 * Copyright © 2001 Stephen Williams (steve@icarus.com)
3 * Copyright © 2001-2002 David Brownell (dbrownell@users.sourceforge.net)
4 * Copyright © 2008 Roger Williams (rawqux@users.sourceforge.net)
5 * Copyright © 2012 Pete Batard (pete@akeo.ie)
6 * Copyright © 2013 Federico Manzan (f.manzan@gmail.com)
8 * This source code is free software; you can redistribute it
9 * and/or modify it in source code form under the terms of the GNU
10 * General Public License as published by the Free Software
11 * Foundation; either version 2 of the License, or (at your option)
12 * any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
23 #include <stdio.h>
24 #include <errno.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <stdint.h>
29 #include "libusb.h"
30 #include "ezusb.h"
32 extern void logerror(const char *format, ...)
33 __attribute__ ((format(printf, 1, 2)));
36 * This file contains functions for uploading firmware into Cypress
37 * EZ-USB microcontrollers. These chips use control endpoint 0 and vendor
38 * specific commands to support writing into the on-chip SRAM. They also
39 * support writing into the CPUCS register, which is how we reset the
40 * processor after loading firmware (including the reset vector).
42 * These Cypress devices are 8-bit 8051 based microcontrollers with
43 * special support for USB I/O. They come in several packages, and
44 * some can be set up with external memory when device costs allow.
45 * Note that the design was originally by AnchorChips, so you may find
46 * references to that vendor (which was later merged into Cypress).
47 * The Cypress FX parts are largely compatible with the Anchorhip ones.
50 int verbose;
53 * return true if [addr,addr+len] includes external RAM
54 * for Anchorchips EZ-USB or Cypress EZ-USB FX
56 static bool fx_is_external(uint32_t addr, size_t len)
58 /* with 8KB RAM, 0x0000-0x1b3f can be written
59 * we can't tell if it's a 4KB device here
61 if (addr <= 0x1b3f)
62 return ((addr + len) > 0x1b40);
64 /* there may be more RAM; unclear if we can write it.
65 * some bulk buffers may be unused, 0x1b3f-0x1f3f
66 * firmware can set ISODISAB for 2KB at 0x2000-0x27ff
68 return true;
72 * return true if [addr,addr+len] includes external RAM
73 * for Cypress EZ-USB FX2
75 static bool fx2_is_external(uint32_t addr, size_t len)
77 /* 1st 8KB for data/code, 0x0000-0x1fff */
78 if (addr <= 0x1fff)
79 return ((addr + len) > 0x2000);
81 /* and 512 for data, 0xe000-0xe1ff */
82 else if (addr >= 0xe000 && addr <= 0xe1ff)
83 return ((addr + len) > 0xe200);
85 /* otherwise, it's certainly external */
86 else
87 return true;
91 * return true if [addr,addr+len] includes external RAM
92 * for Cypress EZ-USB FX2LP
94 static bool fx2lp_is_external(uint32_t addr, size_t len)
96 /* 1st 16KB for data/code, 0x0000-0x3fff */
97 if (addr <= 0x3fff)
98 return ((addr + len) > 0x4000);
100 /* and 512 for data, 0xe000-0xe1ff */
101 else if (addr >= 0xe000 && addr <= 0xe1ff)
102 return ((addr + len) > 0xe200);
104 /* otherwise, it's certainly external */
105 else
106 return true;
110 /*****************************************************************************/
113 * These are the requests (bRequest) that the bootstrap loader is expected
114 * to recognize. The codes are reserved by Cypress, and these values match
115 * what EZ-USB hardware, or "Vend_Ax" firmware (2nd stage loader) uses.
116 * Cypress' "a3load" is nice because it supports both FX and FX2, although
117 * it doesn't have the EEPROM support (subset of "Vend_Ax").
119 #define RW_INTERNAL 0xA0 /* hardware implements this one */
120 #define RW_MEMORY 0xA3
123 * Issues the specified vendor-specific write request.
125 static int ezusb_write(libusb_device_handle *device, const char *label,
126 uint8_t opcode, uint32_t addr, const unsigned char *data, size_t len)
128 int status;
130 if (verbose)
131 logerror("%s, addr 0x%08x len %4u (0x%04x)\n", label, addr, (unsigned)len, (unsigned)len);
132 status = libusb_control_transfer(device,
133 LIBUSB_ENDPOINT_OUT | LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE,
134 opcode, addr & 0xFFFF, addr >> 16,
135 (unsigned char*)data, (uint16_t)len, 1000);
136 if (status != len) {
137 if (status < 0)
138 logerror("%s: %s\n", label, libusb_error_name(status));
139 else
140 logerror("%s ==> %d\n", label, status);
142 return (status < 0) ? -EIO : 0;
146 * Issues the specified vendor-specific read request.
148 static int ezusb_read(libusb_device_handle *device, const char *label,
149 uint8_t opcode, uint32_t addr, const unsigned char *data, size_t len)
151 int status;
153 if (verbose)
154 logerror("%s, addr 0x%08x len %4u (0x%04x)\n", label, addr, (unsigned)len, (unsigned)len);
155 status = libusb_control_transfer(device,
156 LIBUSB_ENDPOINT_IN | LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE,
157 opcode, addr & 0xFFFF, addr >> 16,
158 (unsigned char*)data, (uint16_t)len, 1000);
159 if (status != len) {
160 if (status < 0)
161 logerror("%s: %s\n", label, libusb_error_name(status));
162 else
163 logerror("%s ==> %d\n", label, status);
165 return (status < 0) ? -EIO : 0;
169 * Modifies the CPUCS register to stop or reset the CPU.
170 * Returns false on error.
172 static bool ezusb_cpucs(libusb_device_handle *device, uint32_t addr, bool doRun)
174 int status;
175 uint8_t data = doRun ? 0x00 : 0x01;
177 if (verbose)
178 logerror("%s\n", data ? "stop CPU" : "reset CPU");
179 status = libusb_control_transfer(device,
180 LIBUSB_ENDPOINT_OUT | LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE,
181 RW_INTERNAL, addr & 0xFFFF, addr >> 16,
182 &data, 1, 1000);
183 if ((status != 1) &&
184 /* We may get an I/O error from libusbx as the device disappears */
185 ((!doRun) || (status != LIBUSB_ERROR_IO)))
187 const char *mesg = "can't modify CPUCS";
188 if (status < 0)
189 logerror("%s: %s\n", mesg, libusb_error_name(status));
190 else
191 logerror("%s\n", mesg);
192 return false;
193 } else
194 return true;
197 /*****************************************************************************/
200 * Parse an Intel HEX image file and invoke the poke() function on the
201 * various segments to implement policies such as writing to RAM (with
202 * a one or two stage loader setup, depending on the firmware) or to
203 * EEPROM (two stages required).
205 * image - the hex image file
206 * context - for use by poke()
207 * is_external - if non-null, used to check which segments go into
208 * external memory (writable only by software loader)
209 * poke - called with each memory segment; errors indicated
210 * by returning negative values.
212 * Caller is responsible for halting CPU as needed, such as when
213 * overwriting a second stage loader.
215 static int parse_ihex(FILE *image, void *context,
216 bool (*is_external)(uint32_t addr, size_t len),
217 int (*poke) (void *context, uint32_t addr, bool external,
218 const unsigned char *data, size_t len))
220 unsigned char data[1023];
221 uint32_t data_addr = 0;
222 size_t data_len = 0;
223 int rc;
224 int first_line = 1;
225 bool external = false;
227 /* Read the input file as an IHEX file, and report the memory segments
228 * as we go. Each line holds a max of 16 bytes, but uploading is
229 * faster (and EEPROM space smaller) if we merge those lines into larger
230 * chunks. Most hex files keep memory segments together, which makes
231 * such merging all but free. (But it may still be worth sorting the
232 * hex files to make up for undesirable behavior from tools.)
234 * Note that EEPROM segments max out at 1023 bytes; the upload protocol
235 * allows segments of up to 64 KBytes (more than a loader could handle).
237 for (;;) {
238 char buf[512], *cp;
239 char tmp, type;
240 size_t len;
241 unsigned idx, off;
243 cp = fgets(buf, sizeof(buf), image);
244 if (cp == NULL) {
245 logerror("EOF without EOF record!\n");
246 break;
249 /* EXTENSION: "# comment-till-end-of-line", for copyrights etc */
250 if (buf[0] == '#')
251 continue;
253 if (buf[0] != ':') {
254 logerror("not an ihex record: %s", buf);
255 return -2;
258 /* ignore any newline */
259 cp = strchr(buf, '\n');
260 if (cp)
261 *cp = 0;
263 if (verbose >= 3)
264 logerror("** LINE: %s\n", buf);
266 /* Read the length field (up to 16 bytes) */
267 tmp = buf[3];
268 buf[3] = 0;
269 len = strtoul(buf+1, NULL, 16);
270 buf[3] = tmp;
272 /* Read the target offset (address up to 64KB) */
273 tmp = buf[7];
274 buf[7] = 0;
275 off = (int)strtoul(buf+3, NULL, 16);
276 buf[7] = tmp;
278 /* Initialize data_addr */
279 if (first_line) {
280 data_addr = off;
281 first_line = 0;
284 /* Read the record type */
285 tmp = buf[9];
286 buf[9] = 0;
287 type = (char)strtoul(buf+7, NULL, 16);
288 buf[9] = tmp;
290 /* If this is an EOF record, then make it so. */
291 if (type == 1) {
292 if (verbose >= 2)
293 logerror("EOF on hexfile\n");
294 break;
297 if (type != 0) {
298 logerror("unsupported record type: %u\n", type);
299 return -3;
302 if ((len * 2) + 11 > strlen(buf)) {
303 logerror("record too short?\n");
304 return -4;
307 /* FIXME check for _physically_ contiguous not just virtually
308 * e.g. on FX2 0x1f00-0x2100 includes both on-chip and external
309 * memory so it's not really contiguous */
311 /* flush the saved data if it's not contiguous,
312 * or when we've buffered as much as we can.
314 if (data_len != 0
315 && (off != (data_addr + data_len)
316 /* || !merge */
317 || (data_len + len) > sizeof(data))) {
318 if (is_external)
319 external = is_external(data_addr, data_len);
320 rc = poke(context, data_addr, external, data, data_len);
321 if (rc < 0)
322 return -1;
323 data_addr = off;
324 data_len = 0;
327 /* append to saved data, flush later */
328 for (idx = 0, cp = buf+9 ; idx < len ; idx += 1, cp += 2) {
329 tmp = cp[2];
330 cp[2] = 0;
331 data[data_len + idx] = (uint8_t)strtoul(cp, NULL, 16);
332 cp[2] = tmp;
334 data_len += len;
338 /* flush any data remaining */
339 if (data_len != 0) {
340 if (is_external)
341 external = is_external(data_addr, data_len);
342 rc = poke(context, data_addr, external, data, data_len);
343 if (rc < 0)
344 return -1;
346 return 0;
350 * Parse a binary image file and write it as is to the target.
351 * Applies to Cypress BIX images for RAM or Cypress IIC images
352 * for EEPROM.
354 * image - the BIX image file
355 * context - for use by poke()
356 * is_external - if non-null, used to check which segments go into
357 * external memory (writable only by software loader)
358 * poke - called with each memory segment; errors indicated
359 * by returning negative values.
361 * Caller is responsible for halting CPU as needed, such as when
362 * overwriting a second stage loader.
364 static int parse_bin(FILE *image, void *context,
365 bool (*is_external)(uint32_t addr, size_t len), int (*poke)(void *context,
366 uint32_t addr, bool external, const unsigned char *data, size_t len))
368 unsigned char data[4096];
369 uint32_t data_addr = 0;
370 size_t data_len = 0;
371 int rc;
372 bool external = false;
374 for (;;) {
375 data_len = fread(data, 1, 4096, image);
376 if (data_len == 0)
377 break;
378 if (is_external)
379 external = is_external(data_addr, data_len);
380 rc = poke(context, data_addr, external, data, data_len);
381 if (rc < 0)
382 return -1;
383 data_addr += (uint32_t)data_len;
385 return feof(image)?0:-1;
389 * Parse a Cypress IIC image file and invoke the poke() function on the
390 * various segments for writing to RAM
392 * image - the IIC image file
393 * context - for use by poke()
394 * is_external - if non-null, used to check which segments go into
395 * external memory (writable only by software loader)
396 * poke - called with each memory segment; errors indicated
397 * by returning negative values.
399 * Caller is responsible for halting CPU as needed, such as when
400 * overwriting a second stage loader.
402 static int parse_iic(FILE *image, void *context,
403 bool (*is_external)(uint32_t addr, size_t len),
404 int (*poke)(void *context, uint32_t addr, bool external, const unsigned char *data, size_t len))
406 unsigned char data[4096];
407 uint32_t data_addr = 0;
408 size_t data_len = 0, read_len;
409 uint8_t block_header[4];
410 int rc;
411 bool external = false;
412 long file_size, initial_pos = ftell(image);
414 fseek(image, 0L, SEEK_END);
415 file_size = ftell(image);
416 fseek(image, initial_pos, SEEK_SET);
417 for (;;) {
418 /* Ignore the trailing reset IIC data (5 bytes) */
419 if (ftell(image) >= (file_size - 5))
420 break;
421 if (fread(&block_header, 1, sizeof(block_header), image) != 4) {
422 logerror("unable to read IIC block header\n");
423 return -1;
425 data_len = (block_header[0] << 8) + block_header[1];
426 data_addr = (block_header[2] << 8) + block_header[3];
427 if (data_len > sizeof(data)) {
428 /* If this is ever reported as an error, switch to using malloc/realloc */
429 logerror("IIC data block too small - please report this error to libusbx.org\n");
430 return -1;
432 read_len = fread(data, 1, data_len, image);
433 if (read_len != data_len) {
434 logerror("read error\n");
435 return -1;
437 if (is_external)
438 external = is_external(data_addr, data_len);
439 rc = poke(context, data_addr, external, data, data_len);
440 if (rc < 0)
441 return -1;
443 return 0;
446 /* the parse call will be selected according to the image type */
447 int (*parse[IMG_TYPE_MAX])(FILE *image, void *context, bool (*is_external)(uint32_t addr, size_t len),
448 int (*poke)(void *context, uint32_t addr, bool external, const unsigned char *data, size_t len))
449 = { parse_ihex, parse_iic, parse_bin };
451 /*****************************************************************************/
454 * For writing to RAM using a first (hardware) or second (software)
455 * stage loader and 0xA0 or 0xA3 vendor requests
457 typedef enum {
458 _undef = 0,
459 internal_only, /* hardware first-stage loader */
460 skip_internal, /* first phase, second-stage loader */
461 skip_external /* second phase, second-stage loader */
462 } ram_mode;
464 struct ram_poke_context {
465 libusb_device_handle *device;
466 ram_mode mode;
467 size_t total, count;
470 #define RETRY_LIMIT 5
472 static int ram_poke(void *context, uint32_t addr, bool external,
473 const unsigned char *data, size_t len)
475 struct ram_poke_context *ctx = (struct ram_poke_context*)context;
476 int rc;
477 unsigned retry = 0;
479 switch (ctx->mode) {
480 case internal_only: /* CPU should be stopped */
481 if (external) {
482 logerror("can't write %u bytes external memory at 0x%08x\n",
483 (unsigned)len, addr);
484 return -EINVAL;
486 break;
487 case skip_internal: /* CPU must be running */
488 if (!external) {
489 if (verbose >= 2) {
490 logerror("SKIP on-chip RAM, %u bytes at 0x%08x\n",
491 (unsigned)len, addr);
493 return 0;
495 break;
496 case skip_external: /* CPU should be stopped */
497 if (external) {
498 if (verbose >= 2) {
499 logerror("SKIP external RAM, %u bytes at 0x%08x\n",
500 (unsigned)len, addr);
502 return 0;
504 break;
505 case _undef:
506 default:
507 logerror("bug\n");
508 return -EDOM;
511 ctx->total += len;
512 ctx->count++;
514 /* Retry this till we get a real error. Control messages are not
515 * NAKed (just dropped) so time out means is a real problem.
517 while ((rc = ezusb_write(ctx->device,
518 external ? "write external" : "write on-chip",
519 external ? RW_MEMORY : RW_INTERNAL,
520 addr, data, len)) < 0
521 && retry < RETRY_LIMIT) {
522 if (rc != LIBUSB_ERROR_TIMEOUT)
523 break;
524 retry += 1;
526 return rc;
530 * Load an Cypress Image file into target RAM.
531 * The file is assumed to be in Cypress IMG format.
533 static int fx3_load_ram(libusb_device_handle *device, const char *path)
535 uint32_t dCheckSum, dExpectedCheckSum, dAddress, i, dLen, dLength;
536 uint32_t* dImageBuf;
537 unsigned char *bBuf, hBuf[4], rBuf[4096];
538 FILE *image;
540 image = fopen(path, "rb");
541 if (image == NULL) {
542 logerror("unable to open '%s' for input\n", path);
543 return -2;
544 } else if (verbose)
545 logerror("open firmware image %s for RAM upload\n", path);
547 // Read header
548 if (fread(hBuf, sizeof(char), sizeof(hBuf), image) != sizeof(hBuf)) {
549 logerror("could not read image header");
550 return -3;
553 // check "CY" signature byte and format
554 if ((hBuf[0] != 'C') || (hBuf[1] != 'Y')) {
555 logerror("image doesn't have a CYpress signature\n");
556 return -3;
558 if (hBuf[3] != 0xB0) {
559 logerror("invalid file format 0x%02X, expected 0xB0\n", hBuf[3]);
560 return -3;
563 dCheckSum = 0;
564 while (1) {
565 if ((fread(&dLength, sizeof(uint32_t), 1, image) != 1) || // read dLength
566 (fread(&dAddress, sizeof(uint32_t), 1, image) != 1)) { // read dAddress
567 logerror("could not read image");
568 return -3;
570 if (dLength == 0)
571 break; // done
573 dImageBuf = calloc(dLength, sizeof(uint32_t));
574 if (dImageBuf == NULL) {
575 logerror("could not allocate buffer for image chunk\n");
576 return -4;
579 // read sections
580 if (fread(dImageBuf, sizeof(uint32_t), dLength, image) != dLength) {
581 logerror("could not read image");
582 free(dImageBuf);
583 return -3;
585 for (i = 0; i < dLength; i++)
586 dCheckSum += dImageBuf[i];
587 dLength <<= 2; // convert to Byte length
588 bBuf = (unsigned char*) dImageBuf;
590 while (dLength > 0) {
591 dLen = 4096; // 4K max
592 if (dLen > dLength)
593 dLen = dLength;
594 if ((ezusb_write(device, "write firmware", RW_INTERNAL, dAddress, bBuf, dLen) < 0) ||
595 (ezusb_read(device, "read firmware", RW_INTERNAL, dAddress, rBuf, dLen) < 0)) {
596 logerror("R/W error\n");
597 free(dImageBuf);
598 return -5;
600 // Verify data: rBuf with bBuf
601 for (i = 0; i < dLen; i++) {
602 if (rBuf[i] != bBuf[i]) {
603 logerror("verify error");
604 free(dImageBuf);
605 return -6;
609 dLength -= dLen;
610 bBuf += dLen;
611 dAddress += dLen;
613 free(dImageBuf);
616 // read pre-computed checksum data
617 if ((fread(&dExpectedCheckSum, sizeof(uint32_t), 1, image) != 1) ||
618 (dCheckSum != dExpectedCheckSum)) {
619 logerror("checksum error\n");
620 return -7;
623 // transfer execution to Program Entry
624 if (ezusb_write(device, "Jump command", RW_INTERNAL, dAddress, NULL, 0) < 0) {
625 logerror("failed to send jump command\n");
626 return -6;
629 return 0;
633 * Load a firmware file into target RAM. device is the open libusbx
634 * device, and the path is the name of the source file. Open the file,
635 * parse the bytes, and write them in one or two phases.
637 * If stage == 0, this uses the first stage loader, built into EZ-USB
638 * hardware but limited to writing on-chip memory or CPUCS. Everything
639 * is written during one stage, unless there's an error such as the image
640 * holding data that needs to be written to external memory.
642 * Otherwise, things are written in two stages. First the external
643 * memory is written, expecting a second stage loader to have already
644 * been loaded. Then file is re-parsed and on-chip memory is written.
646 int ezusb_load_ram(libusb_device_handle *device, const char *path, int fx_type, int img_type, int stage)
648 FILE *image;
649 uint32_t cpucs_addr;
650 bool (*is_external)(uint32_t off, size_t len);
651 struct ram_poke_context ctx;
652 int status;
653 uint8_t iic_header[8] = { 0 };
655 if (fx_type == FX_TYPE_FX3)
656 return fx3_load_ram(device, path);
658 image = fopen(path, "rb");
659 if (image == NULL) {
660 logerror("%s: unable to open for input.\n", path);
661 return -2;
662 } else if (verbose)
663 logerror("open firmware image %s for RAM upload\n", path);
665 if (img_type == IMG_TYPE_IIC) {
666 if ( (fread(iic_header, 1, sizeof(iic_header), image) != sizeof(iic_header))
667 || (((fx_type == FX_TYPE_FX2LP) || (fx_type == FX_TYPE_FX2)) && (iic_header[0] != 0xC2))
668 || ((fx_type == FX_TYPE_AN21) && (iic_header[0] != 0xB2))
669 || ((fx_type == FX_TYPE_FX1) && (iic_header[0] != 0xB6)) ) {
670 logerror("IIC image does not contain executable code - cannot load to RAM.\n");
671 return -1;
675 /* EZ-USB original/FX and FX2 devices differ, apart from the 8051 core */
676 switch(fx_type) {
677 case FX_TYPE_FX2LP:
678 cpucs_addr = 0xe600;
679 is_external = fx2lp_is_external;
680 break;
681 case FX_TYPE_FX2:
682 cpucs_addr = 0xe600;
683 is_external = fx2_is_external;
684 break;
685 default:
686 cpucs_addr = 0x7f92;
687 is_external = fx_is_external;
688 break;
691 /* use only first stage loader? */
692 if (stage == 0) {
693 ctx.mode = internal_only;
695 /* if required, halt the CPU while we overwrite its code/data */
696 if (cpucs_addr && !ezusb_cpucs(device, cpucs_addr, false))
697 return -1;
699 /* 2nd stage, first part? loader was already uploaded */
700 } else {
701 ctx.mode = skip_internal;
703 /* let CPU run; overwrite the 2nd stage loader later */
704 if (verbose)
705 logerror("2nd stage: write external memory\n");
708 /* scan the image, first (maybe only) time */
709 ctx.device = device;
710 ctx.total = ctx.count = 0;
711 status = parse[img_type](image, &ctx, is_external, ram_poke);
712 if (status < 0) {
713 logerror("unable to upload %s\n", path);
714 return status;
717 /* second part of 2nd stage: rescan */
718 // TODO: what should we do for non HEX images there?
719 if (stage) {
720 ctx.mode = skip_external;
722 /* if needed, halt the CPU while we overwrite the 1st stage loader */
723 if (cpucs_addr && !ezusb_cpucs(device, cpucs_addr, false))
724 return -1;
726 /* at least write the interrupt vectors (at 0x0000) for reset! */
727 rewind(image);
728 if (verbose)
729 logerror("2nd stage: write on-chip memory\n");
730 status = parse_ihex(image, &ctx, is_external, ram_poke);
731 if (status < 0) {
732 logerror("unable to completely upload %s\n", path);
733 return status;
737 if (verbose)
738 logerror("... WROTE: %d bytes, %d segments, avg %d\n",
739 (int)ctx.total, (int)ctx.count, (int)(ctx.total/ctx.count));
741 /* if required, reset the CPU so it runs what we just uploaded */
742 if (cpucs_addr && !ezusb_cpucs(device, cpucs_addr, true))
743 return -1;
745 return 0;