2 * Bluetooth support for Realtek devices
4 * Copyright (C) 2015 Endless Mobile, Inc.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
18 #include <linux/module.h>
19 #include <linux/firmware.h>
20 #include <asm/unaligned.h>
21 #include <linux/usb.h>
23 #include <net/bluetooth/bluetooth.h>
24 #include <net/bluetooth/hci_core.h>
30 #define RTL_EPATCH_SIGNATURE "Realtech"
31 #define RTL_ROM_LMP_3499 0x3499
32 #define RTL_ROM_LMP_8723A 0x1200
33 #define RTL_ROM_LMP_8723B 0x8723
34 #define RTL_ROM_LMP_8821A 0x8821
35 #define RTL_ROM_LMP_8761A 0x8761
36 #define RTL_ROM_LMP_8822B 0x8822
37 #define RTL_CONFIG_MAGIC 0x8723ab55
39 #define IC_MATCH_FL_LMPSUBV (1 << 0)
40 #define IC_MATCH_FL_HCIREV (1 << 1)
41 #define IC_MATCH_FL_HCIVER (1 << 2)
42 #define IC_MATCH_FL_HCIBUS (1 << 3)
43 #define IC_INFO(lmps, hcir) \
44 .match_flags = IC_MATCH_FL_LMPSUBV | IC_MATCH_FL_HCIREV, \
45 .lmp_subver = (lmps), \
60 struct btrtl_device_info
{
61 const struct id_table
*ic_info
;
69 static const struct id_table ic_id_table
[] = {
70 { IC_MATCH_FL_LMPSUBV
, RTL_ROM_LMP_8723A
, 0x0,
71 .config_needed
= false,
72 .has_rom_version
= false,
73 .fw_name
= "rtl_bt/rtl8723a_fw.bin",
76 { IC_MATCH_FL_LMPSUBV
, RTL_ROM_LMP_3499
, 0x0,
77 .config_needed
= false,
78 .has_rom_version
= false,
79 .fw_name
= "rtl_bt/rtl8723a_fw.bin",
83 { .match_flags
= IC_MATCH_FL_LMPSUBV
| IC_MATCH_FL_HCIREV
|
84 IC_MATCH_FL_HCIVER
| IC_MATCH_FL_HCIBUS
,
85 .lmp_subver
= RTL_ROM_LMP_8723B
,
89 .config_needed
= true,
90 .has_rom_version
= true,
91 .fw_name
= "rtl_bt/rtl8723bs_fw.bin",
92 .cfg_name
= "rtl_bt/rtl8723bs_config" },
95 { IC_INFO(RTL_ROM_LMP_8723B
, 0xb),
96 .config_needed
= false,
97 .has_rom_version
= true,
98 .fw_name
= "rtl_bt/rtl8723b_fw.bin",
99 .cfg_name
= "rtl_bt/rtl8723b_config" },
102 { IC_INFO(RTL_ROM_LMP_8723B
, 0xd),
103 .config_needed
= true,
104 .has_rom_version
= true,
105 .fw_name
= "rtl_bt/rtl8723d_fw.bin",
106 .cfg_name
= "rtl_bt/rtl8723d_config" },
109 { .match_flags
= IC_MATCH_FL_LMPSUBV
| IC_MATCH_FL_HCIREV
|
110 IC_MATCH_FL_HCIVER
| IC_MATCH_FL_HCIBUS
,
111 .lmp_subver
= RTL_ROM_LMP_8723B
,
115 .config_needed
= true,
116 .has_rom_version
= true,
117 .fw_name
= "rtl_bt/rtl8723ds_fw.bin",
118 .cfg_name
= "rtl_bt/rtl8723ds_config" },
121 { IC_INFO(RTL_ROM_LMP_8821A
, 0xa),
122 .config_needed
= false,
123 .has_rom_version
= true,
124 .fw_name
= "rtl_bt/rtl8821a_fw.bin",
125 .cfg_name
= "rtl_bt/rtl8821a_config" },
128 { IC_INFO(RTL_ROM_LMP_8821A
, 0xc),
129 .config_needed
= false,
130 .has_rom_version
= true,
131 .fw_name
= "rtl_bt/rtl8821c_fw.bin",
132 .cfg_name
= "rtl_bt/rtl8821c_config" },
135 { IC_MATCH_FL_LMPSUBV
, RTL_ROM_LMP_8761A
, 0x0,
136 .config_needed
= false,
137 .has_rom_version
= true,
138 .fw_name
= "rtl_bt/rtl8761a_fw.bin",
139 .cfg_name
= "rtl_bt/rtl8761a_config" },
141 /* 8822C with USB interface */
142 { IC_INFO(RTL_ROM_LMP_8822B
, 0xc),
143 .config_needed
= false,
144 .has_rom_version
= true,
145 .fw_name
= "rtl_bt/rtl8822cu_fw.bin",
146 .cfg_name
= "rtl_bt/rtl8822cu_config" },
149 { IC_INFO(RTL_ROM_LMP_8822B
, 0xb),
150 .config_needed
= true,
151 .has_rom_version
= true,
152 .fw_name
= "rtl_bt/rtl8822b_fw.bin",
153 .cfg_name
= "rtl_bt/rtl8822b_config" },
156 static const struct id_table
*btrtl_match_ic(u16 lmp_subver
, u16 hci_rev
,
157 u8 hci_ver
, u8 hci_bus
)
161 for (i
= 0; i
< ARRAY_SIZE(ic_id_table
); i
++) {
162 if ((ic_id_table
[i
].match_flags
& IC_MATCH_FL_LMPSUBV
) &&
163 (ic_id_table
[i
].lmp_subver
!= lmp_subver
))
165 if ((ic_id_table
[i
].match_flags
& IC_MATCH_FL_HCIREV
) &&
166 (ic_id_table
[i
].hci_rev
!= hci_rev
))
168 if ((ic_id_table
[i
].match_flags
& IC_MATCH_FL_HCIVER
) &&
169 (ic_id_table
[i
].hci_ver
!= hci_ver
))
171 if ((ic_id_table
[i
].match_flags
& IC_MATCH_FL_HCIBUS
) &&
172 (ic_id_table
[i
].hci_bus
!= hci_bus
))
177 if (i
>= ARRAY_SIZE(ic_id_table
))
180 return &ic_id_table
[i
];
183 static int rtl_read_rom_version(struct hci_dev
*hdev
, u8
*version
)
185 struct rtl_rom_version_evt
*rom_version
;
188 /* Read RTL ROM version command */
189 skb
= __hci_cmd_sync(hdev
, 0xfc6d, 0, NULL
, HCI_INIT_TIMEOUT
);
191 rtl_dev_err(hdev
, "Read ROM version failed (%ld)\n",
196 if (skb
->len
!= sizeof(*rom_version
)) {
197 rtl_dev_err(hdev
, "RTL version event length mismatch\n");
202 rom_version
= (struct rtl_rom_version_evt
*)skb
->data
;
203 rtl_dev_info(hdev
, "rom_version status=%x version=%x\n",
204 rom_version
->status
, rom_version
->version
);
206 *version
= rom_version
->version
;
212 static int rtlbt_parse_firmware(struct hci_dev
*hdev
,
213 struct btrtl_device_info
*btrtl_dev
,
214 unsigned char **_buf
)
216 static const u8 extension_sig
[] = { 0x51, 0x04, 0xfd, 0x77 };
217 struct rtl_epatch_header
*epatch_info
;
221 u8 opcode
, length
, data
;
223 const unsigned char *fwptr
, *chip_id_base
;
224 const unsigned char *patch_length_base
, *patch_offset_base
;
225 u32 patch_offset
= 0;
226 u16 patch_length
, num_patches
;
227 static const struct {
230 } project_id_to_lmp_subver
[] = {
231 { RTL_ROM_LMP_8723A
, 0 },
232 { RTL_ROM_LMP_8723B
, 1 },
233 { RTL_ROM_LMP_8821A
, 2 },
234 { RTL_ROM_LMP_8761A
, 3 },
235 { RTL_ROM_LMP_8822B
, 8 },
236 { RTL_ROM_LMP_8723B
, 9 }, /* 8723D */
237 { RTL_ROM_LMP_8821A
, 10 }, /* 8821C */
238 { RTL_ROM_LMP_8822B
, 13 }, /* 8822C */
241 min_size
= sizeof(struct rtl_epatch_header
) + sizeof(extension_sig
) + 3;
242 if (btrtl_dev
->fw_len
< min_size
)
245 fwptr
= btrtl_dev
->fw_data
+ btrtl_dev
->fw_len
- sizeof(extension_sig
);
246 if (memcmp(fwptr
, extension_sig
, sizeof(extension_sig
)) != 0) {
247 rtl_dev_err(hdev
, "extension section signature mismatch\n");
251 /* Loop from the end of the firmware parsing instructions, until
252 * we find an instruction that identifies the "project ID" for the
253 * hardware supported by this firwmare file.
254 * Once we have that, we double-check that that project_id is suitable
255 * for the hardware we are working with.
257 while (fwptr
>= btrtl_dev
->fw_data
+ (sizeof(*epatch_info
) + 3)) {
262 BT_DBG("check op=%x len=%x data=%x", opcode
, length
, data
);
264 if (opcode
== 0xff) /* EOF */
268 rtl_dev_err(hdev
, "found instruction with length 0\n");
272 if (opcode
== 0 && length
== 1) {
280 if (project_id
< 0) {
281 rtl_dev_err(hdev
, "failed to find version instruction\n");
285 /* Find project_id in table */
286 for (i
= 0; i
< ARRAY_SIZE(project_id_to_lmp_subver
); i
++) {
287 if (project_id
== project_id_to_lmp_subver
[i
].id
)
291 if (i
>= ARRAY_SIZE(project_id_to_lmp_subver
)) {
292 rtl_dev_err(hdev
, "unknown project id %d\n", project_id
);
296 if (btrtl_dev
->ic_info
->lmp_subver
!=
297 project_id_to_lmp_subver
[i
].lmp_subver
) {
298 rtl_dev_err(hdev
, "firmware is for %x but this is a %x\n",
299 project_id_to_lmp_subver
[i
].lmp_subver
,
300 btrtl_dev
->ic_info
->lmp_subver
);
304 epatch_info
= (struct rtl_epatch_header
*)btrtl_dev
->fw_data
;
305 if (memcmp(epatch_info
->signature
, RTL_EPATCH_SIGNATURE
, 8) != 0) {
306 rtl_dev_err(hdev
, "bad EPATCH signature\n");
310 num_patches
= le16_to_cpu(epatch_info
->num_patches
);
311 BT_DBG("fw_version=%x, num_patches=%d",
312 le32_to_cpu(epatch_info
->fw_version
), num_patches
);
314 /* After the rtl_epatch_header there is a funky patch metadata section.
315 * Assuming 2 patches, the layout is:
316 * ChipID1 ChipID2 PatchLength1 PatchLength2 PatchOffset1 PatchOffset2
318 * Find the right patch for this chip.
320 min_size
+= 8 * num_patches
;
321 if (btrtl_dev
->fw_len
< min_size
)
324 chip_id_base
= btrtl_dev
->fw_data
+ sizeof(struct rtl_epatch_header
);
325 patch_length_base
= chip_id_base
+ (sizeof(u16
) * num_patches
);
326 patch_offset_base
= patch_length_base
+ (sizeof(u16
) * num_patches
);
327 for (i
= 0; i
< num_patches
; i
++) {
328 u16 chip_id
= get_unaligned_le16(chip_id_base
+
330 if (chip_id
== btrtl_dev
->rom_version
+ 1) {
331 patch_length
= get_unaligned_le16(patch_length_base
+
333 patch_offset
= get_unaligned_le32(patch_offset_base
+
340 rtl_dev_err(hdev
, "didn't find patch for chip id %d",
341 btrtl_dev
->rom_version
);
345 BT_DBG("length=%x offset=%x index %d", patch_length
, patch_offset
, i
);
346 min_size
= patch_offset
+ patch_length
;
347 if (btrtl_dev
->fw_len
< min_size
)
350 /* Copy the firmware into a new buffer and write the version at
354 buf
= kmemdup(btrtl_dev
->fw_data
+ patch_offset
, patch_length
,
359 memcpy(buf
+ patch_length
- 4, &epatch_info
->fw_version
, 4);
365 static int rtl_download_firmware(struct hci_dev
*hdev
,
366 const unsigned char *data
, int fw_len
)
368 struct rtl_download_cmd
*dl_cmd
;
369 int frag_num
= fw_len
/ RTL_FRAG_LEN
+ 1;
370 int frag_len
= RTL_FRAG_LEN
;
374 dl_cmd
= kmalloc(sizeof(struct rtl_download_cmd
), GFP_KERNEL
);
378 for (i
= 0; i
< frag_num
; i
++) {
381 BT_DBG("download fw (%d/%d)", i
, frag_num
);
384 if (i
== (frag_num
- 1)) {
385 dl_cmd
->index
|= 0x80; /* data end */
386 frag_len
= fw_len
% RTL_FRAG_LEN
;
388 memcpy(dl_cmd
->data
, data
, frag_len
);
390 /* Send download command */
391 skb
= __hci_cmd_sync(hdev
, 0xfc20, frag_len
+ 1, dl_cmd
,
394 rtl_dev_err(hdev
, "download fw command failed (%ld)\n",
400 if (skb
->len
!= sizeof(struct rtl_download_response
)) {
401 rtl_dev_err(hdev
, "download fw event length mismatch\n");
408 data
+= RTL_FRAG_LEN
;
416 static int rtl_load_file(struct hci_dev
*hdev
, const char *name
, u8
**buff
)
418 const struct firmware
*fw
;
421 rtl_dev_info(hdev
, "rtl: loading %s\n", name
);
422 ret
= request_firmware(&fw
, name
, &hdev
->dev
);
426 *buff
= kmemdup(fw
->data
, ret
, GFP_KERNEL
);
430 release_firmware(fw
);
435 static int btrtl_setup_rtl8723a(struct hci_dev
*hdev
,
436 struct btrtl_device_info
*btrtl_dev
)
438 if (btrtl_dev
->fw_len
< 8)
441 /* Check that the firmware doesn't have the epatch signature
442 * (which is only for RTL8723B and newer).
444 if (!memcmp(btrtl_dev
->fw_data
, RTL_EPATCH_SIGNATURE
, 8)) {
445 rtl_dev_err(hdev
, "unexpected EPATCH signature!\n");
449 return rtl_download_firmware(hdev
, btrtl_dev
->fw_data
,
453 static int btrtl_setup_rtl8723b(struct hci_dev
*hdev
,
454 struct btrtl_device_info
*btrtl_dev
)
456 unsigned char *fw_data
= NULL
;
460 ret
= rtlbt_parse_firmware(hdev
, btrtl_dev
, &fw_data
);
464 if (btrtl_dev
->cfg_len
> 0) {
465 tbuff
= kzalloc(ret
+ btrtl_dev
->cfg_len
, GFP_KERNEL
);
471 memcpy(tbuff
, fw_data
, ret
);
474 memcpy(tbuff
+ ret
, btrtl_dev
->cfg_data
, btrtl_dev
->cfg_len
);
475 ret
+= btrtl_dev
->cfg_len
;
480 rtl_dev_info(hdev
, "cfg_sz %d, total sz %d\n", btrtl_dev
->cfg_len
, ret
);
482 ret
= rtl_download_firmware(hdev
, fw_data
, ret
);
489 static struct sk_buff
*btrtl_read_local_version(struct hci_dev
*hdev
)
493 skb
= __hci_cmd_sync(hdev
, HCI_OP_READ_LOCAL_VERSION
, 0, NULL
,
496 rtl_dev_err(hdev
, "HCI_OP_READ_LOCAL_VERSION failed (%ld)\n",
501 if (skb
->len
!= sizeof(struct hci_rp_read_local_version
)) {
502 rtl_dev_err(hdev
, "HCI_OP_READ_LOCAL_VERSION event length mismatch\n");
504 return ERR_PTR(-EIO
);
510 void btrtl_free(struct btrtl_device_info
*btrtl_dev
)
512 kfree(btrtl_dev
->fw_data
);
513 kfree(btrtl_dev
->cfg_data
);
516 EXPORT_SYMBOL_GPL(btrtl_free
);
518 struct btrtl_device_info
*btrtl_initialize(struct hci_dev
*hdev
,
521 struct btrtl_device_info
*btrtl_dev
;
523 struct hci_rp_read_local_version
*resp
;
525 u16 hci_rev
, lmp_subver
;
529 btrtl_dev
= kzalloc(sizeof(*btrtl_dev
), GFP_KERNEL
);
535 skb
= btrtl_read_local_version(hdev
);
541 resp
= (struct hci_rp_read_local_version
*)skb
->data
;
542 rtl_dev_info(hdev
, "rtl: examining hci_ver=%02x hci_rev=%04x lmp_ver=%02x lmp_subver=%04x\n",
543 resp
->hci_ver
, resp
->hci_rev
,
544 resp
->lmp_ver
, resp
->lmp_subver
);
546 hci_ver
= resp
->hci_ver
;
547 hci_rev
= le16_to_cpu(resp
->hci_rev
);
548 lmp_subver
= le16_to_cpu(resp
->lmp_subver
);
551 btrtl_dev
->ic_info
= btrtl_match_ic(lmp_subver
, hci_rev
, hci_ver
,
554 if (!btrtl_dev
->ic_info
) {
555 rtl_dev_err(hdev
, "rtl: unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
556 lmp_subver
, hci_rev
, hci_ver
);
561 if (btrtl_dev
->ic_info
->has_rom_version
) {
562 ret
= rtl_read_rom_version(hdev
, &btrtl_dev
->rom_version
);
567 btrtl_dev
->fw_len
= rtl_load_file(hdev
, btrtl_dev
->ic_info
->fw_name
,
568 &btrtl_dev
->fw_data
);
569 if (btrtl_dev
->fw_len
< 0) {
570 rtl_dev_err(hdev
, "firmware file %s not found\n",
571 btrtl_dev
->ic_info
->fw_name
);
572 ret
= btrtl_dev
->fw_len
;
576 if (btrtl_dev
->ic_info
->cfg_name
) {
578 snprintf(cfg_name
, sizeof(cfg_name
), "%s-%s.bin",
579 btrtl_dev
->ic_info
->cfg_name
, postfix
);
581 snprintf(cfg_name
, sizeof(cfg_name
), "%s.bin",
582 btrtl_dev
->ic_info
->cfg_name
);
584 btrtl_dev
->cfg_len
= rtl_load_file(hdev
, cfg_name
,
585 &btrtl_dev
->cfg_data
);
586 if (btrtl_dev
->ic_info
->config_needed
&&
587 btrtl_dev
->cfg_len
<= 0) {
588 rtl_dev_err(hdev
, "mandatory config file %s not found\n",
589 btrtl_dev
->ic_info
->cfg_name
);
590 ret
= btrtl_dev
->cfg_len
;
598 btrtl_free(btrtl_dev
);
602 EXPORT_SYMBOL_GPL(btrtl_initialize
);
604 int btrtl_download_firmware(struct hci_dev
*hdev
,
605 struct btrtl_device_info
*btrtl_dev
)
607 /* Match a set of subver values that correspond to stock firmware,
608 * which is not compatible with standard btusb.
609 * If matched, upload an alternative firmware that does conform to
610 * standard btusb. Once that firmware is uploaded, the subver changes
611 * to a different value.
613 switch (btrtl_dev
->ic_info
->lmp_subver
) {
614 case RTL_ROM_LMP_8723A
:
615 case RTL_ROM_LMP_3499
:
616 return btrtl_setup_rtl8723a(hdev
, btrtl_dev
);
617 case RTL_ROM_LMP_8723B
:
618 case RTL_ROM_LMP_8821A
:
619 case RTL_ROM_LMP_8761A
:
620 case RTL_ROM_LMP_8822B
:
621 return btrtl_setup_rtl8723b(hdev
, btrtl_dev
);
623 rtl_dev_info(hdev
, "rtl: assuming no firmware upload needed\n");
627 EXPORT_SYMBOL_GPL(btrtl_download_firmware
);
629 int btrtl_setup_realtek(struct hci_dev
*hdev
)
631 struct btrtl_device_info
*btrtl_dev
;
634 btrtl_dev
= btrtl_initialize(hdev
, NULL
);
635 if (IS_ERR(btrtl_dev
))
636 return PTR_ERR(btrtl_dev
);
638 ret
= btrtl_download_firmware(hdev
, btrtl_dev
);
640 btrtl_free(btrtl_dev
);
644 EXPORT_SYMBOL_GPL(btrtl_setup_realtek
);
646 static unsigned int btrtl_convert_baudrate(u32 device_baudrate
)
648 switch (device_baudrate
) {
683 int btrtl_get_uart_settings(struct hci_dev
*hdev
,
684 struct btrtl_device_info
*btrtl_dev
,
685 unsigned int *controller_baudrate
,
686 u32
*device_baudrate
, bool *flow_control
)
688 struct rtl_vendor_config
*config
;
689 struct rtl_vendor_config_entry
*entry
;
690 int i
, total_data_len
;
693 total_data_len
= btrtl_dev
->cfg_len
- sizeof(*config
);
694 if (total_data_len
<= 0) {
695 rtl_dev_warn(hdev
, "no config loaded\n");
699 config
= (struct rtl_vendor_config
*)btrtl_dev
->cfg_data
;
700 if (le32_to_cpu(config
->signature
) != RTL_CONFIG_MAGIC
) {
701 rtl_dev_err(hdev
, "invalid config magic\n");
705 if (total_data_len
< le16_to_cpu(config
->total_len
)) {
706 rtl_dev_err(hdev
, "config is too short\n");
710 for (i
= 0; i
< total_data_len
; ) {
711 entry
= ((void *)config
->entry
) + i
;
713 switch (le16_to_cpu(entry
->offset
)) {
715 if (entry
->len
< sizeof(*device_baudrate
)) {
716 rtl_dev_err(hdev
, "invalid UART config entry\n");
720 *device_baudrate
= get_unaligned_le32(entry
->data
);
721 *controller_baudrate
= btrtl_convert_baudrate(
724 if (entry
->len
>= 13)
725 *flow_control
= !!(entry
->data
[12] & BIT(2));
727 *flow_control
= false;
733 rtl_dev_dbg(hdev
, "skipping config entry 0x%x (len %u)\n",
734 le16_to_cpu(entry
->offset
), entry
->len
);
738 i
+= sizeof(*entry
) + entry
->len
;
742 rtl_dev_err(hdev
, "no UART config entry found\n");
746 rtl_dev_dbg(hdev
, "device baudrate = 0x%08x\n", *device_baudrate
);
747 rtl_dev_dbg(hdev
, "controller baudrate = %u\n", *controller_baudrate
);
748 rtl_dev_dbg(hdev
, "flow control %d\n", *flow_control
);
752 EXPORT_SYMBOL_GPL(btrtl_get_uart_settings
);
754 MODULE_AUTHOR("Daniel Drake <drake@endlessm.com>");
755 MODULE_DESCRIPTION("Bluetooth support for Realtek devices ver " VERSION
);
756 MODULE_VERSION(VERSION
);
757 MODULE_LICENSE("GPL");
758 MODULE_FIRMWARE("rtl_bt/rtl8723a_fw.bin");
759 MODULE_FIRMWARE("rtl_bt/rtl8723b_fw.bin");
760 MODULE_FIRMWARE("rtl_bt/rtl8723b_config.bin");
761 MODULE_FIRMWARE("rtl_bt/rtl8723bs_fw.bin");
762 MODULE_FIRMWARE("rtl_bt/rtl8723bs_config.bin");
763 MODULE_FIRMWARE("rtl_bt/rtl8723ds_fw.bin");
764 MODULE_FIRMWARE("rtl_bt/rtl8723ds_config.bin");
765 MODULE_FIRMWARE("rtl_bt/rtl8761a_fw.bin");
766 MODULE_FIRMWARE("rtl_bt/rtl8761a_config.bin");
767 MODULE_FIRMWARE("rtl_bt/rtl8821a_fw.bin");
768 MODULE_FIRMWARE("rtl_bt/rtl8821a_config.bin");
769 MODULE_FIRMWARE("rtl_bt/rtl8822b_fw.bin");
770 MODULE_FIRMWARE("rtl_bt/rtl8822b_config.bin");