1// SPDX-License-Identifier: GPL-2.0+
2/*
3 * (C) Copyright 2008 - 2009
4 * Windriver, <www.windriver.com>
5 * Tom Rix <Tom.Rix@windriver.com>
6 *
7 * Copyright 2011 Sebastian Andrzej Siewior <bigeasy@linutronix.de>
8 *
9 * Copyright 2014 Linaro, Ltd.
10 * Rob Herring <robh@kernel.org>
11 */
12#include <command.h>
13#include <config.h>
14#include <common.h>
15#include <env.h>
16#include <errno.h>
17#include <fastboot.h>
18#include <log.h>
19#include <malloc.h>
20#include <linux/printk.h>
21#include <linux/usb/ch9.h>
22#include <linux/usb/gadget.h>
23#include <linux/usb/composite.h>
24#include <linux/compiler.h>
25#include <g_dnl.h>
26
/*
 * Interface class / subclass / protocol advertised in interface_desc.
 * 0xff is the USB "vendor specific" class code.
 */
#define FASTBOOT_INTERFACE_CLASS	0xff
#define FASTBOOT_INTERFACE_SUB_CLASS	0x42
#define FASTBOOT_INTERFACE_PROTOCOL	0x03

/* Maximum packet sizes, in bytes */
#define RX_ENDPOINT_MAXIMUM_PACKET_SIZE_2_0  (0x0200)
#define RX_ENDPOINT_MAXIMUM_PACKET_SIZE_1_1  (0x0040)
#define TX_ENDPOINT_MAXIMUM_PACKET_SIZE      (0x0040)

/*
 * Size in bytes of the buffer allocated for every endpoint request.
 *
 * EP_BUFFER_SIZE must always be an integral multiple of maxpacket size
 * (64 or 512 or 1024), else we break on certain controllers like DWC3
 * that expect bulk OUT requests to be divisible by maxpacket size.
 * The same property keeps a request length that was rounded up to a
 * maxpacket boundary from growing past the allocated buffer.
 */
#define EP_BUFFER_SIZE			4096
41
/*
 * Per-function state of the fastboot gadget: the composite-framework
 * function object plus the bulk endpoint pair and the single request
 * kept for each direction.
 */
struct f_fastboot {
	/* embedded so func_to_fastboot() can recover this struct */
	struct usb_function usb_function;

	/* bulk endpoints: IN = device to host, OUT = host to device */
	struct usb_ep *in_ep;
	struct usb_ep *out_ep;

	/* one request per endpoint; NULL while the function is disabled */
	struct usb_request *in_req;
	struct usb_request *out_req;
};
49
/*
 * OS descriptor data handed to the composite layer in fastboot_bind():
 * one extended property (a DeviceInterfaceGUID string) and a "WINUSB"
 * compatible ID.
 */
static char fb_ext_prop_name[] = "DeviceInterfaceGUID";
static char fb_ext_prop_data[] = "{4866319A-F4D6-4374-93B9-DC2DEB361BA9}";

static struct usb_os_desc_ext_prop fb_ext_prop = {
	/* 1 = NUL-terminated Unicode String (REG_SZ) */
	.type = 1,
	.name = fb_ext_prop_name,
	.data = fb_ext_prop_data,
};

/*
 * 16 bytes of "Compatible ID" and "Subcompatible ID"; the bytes after
 * "WINUSB" are zero-filled by the initializer.
 */
static char fb_cid[16] = "WINUSB";

static struct usb_os_desc fb_os_desc = {
	.ext_compat_id = fb_cid,
};

static struct usb_os_desc_table fb_os_desc_table = {
	.os_desc = &fb_os_desc,
};
68
/*
 * Map a generic usb_function pointer back to the f_fastboot that embeds
 * it. Only valid for pointers to the usb_function member of a
 * struct f_fastboot.
 */
static inline struct f_fastboot *func_to_fastboot(struct usb_function *f)
{
	struct f_fastboot *f_fb;

	f_fb = container_of(f, struct f_fastboot, usb_function);
	return f_fb;
}
73
/*
 * The single fastboot function instance. Allocated on first use in
 * fastboot_add() and dereferenced by the transmit path and the
 * completion handlers; NULL until then and after a failed add.
 */
static struct f_fastboot *fastboot_func;
75
/*
 * Bulk endpoint descriptors for full speed (64-byte packets) and high
 * speed (512-byte packets). bEndpointAddress carries only the direction
 * here; fastboot_bind() passes the full-speed pair to
 * usb_ep_autoconfig() and then copies the resulting addresses into the
 * high-speed pair.
 */

/* Full speed, device to host */
static struct usb_endpoint_descriptor fs_ep_in = {
	.bLength		= USB_DT_ENDPOINT_SIZE,
	.bDescriptorType	= USB_DT_ENDPOINT,
	.bEndpointAddress	= USB_DIR_IN,
	.bmAttributes		= USB_ENDPOINT_XFER_BULK,
	.wMaxPacketSize		= cpu_to_le16(64),
};

/* Full speed, host to device */
static struct usb_endpoint_descriptor fs_ep_out = {
	.bLength		= USB_DT_ENDPOINT_SIZE,
	.bDescriptorType	= USB_DT_ENDPOINT,
	.bEndpointAddress	= USB_DIR_OUT,
	.bmAttributes		= USB_ENDPOINT_XFER_BULK,
	.wMaxPacketSize		= cpu_to_le16(64),
};

/* High speed, device to host */
static struct usb_endpoint_descriptor hs_ep_in = {
	.bLength		= USB_DT_ENDPOINT_SIZE,
	.bDescriptorType	= USB_DT_ENDPOINT,
	.bEndpointAddress	= USB_DIR_IN,
	.bmAttributes		= USB_ENDPOINT_XFER_BULK,
	.wMaxPacketSize		= cpu_to_le16(512),
};

/* High speed, host to device */
static struct usb_endpoint_descriptor hs_ep_out = {
	.bLength		= USB_DT_ENDPOINT_SIZE,
	.bDescriptorType	= USB_DT_ENDPOINT,
	.bEndpointAddress	= USB_DIR_OUT,
	.bmAttributes		= USB_ENDPOINT_XFER_BULK,
	.wMaxPacketSize		= cpu_to_le16(512),
};
107
/*
 * The one fastboot interface: two bulk endpoints, vendor-specific
 * class. bInterfaceNumber and iInterface are overwritten with the
 * dynamically assigned ids in fastboot_bind().
 */
static struct usb_interface_descriptor interface_desc = {
	.bLength		= USB_DT_INTERFACE_SIZE,
	.bDescriptorType	= USB_DT_INTERFACE,
	.bInterfaceNumber	= 0x00,
	.bAlternateSetting	= 0x00,
	.bNumEndpoints		= 0x02,
	.bInterfaceClass	= FASTBOOT_INTERFACE_CLASS,
	.bInterfaceSubClass	= FASTBOOT_INTERFACE_SUB_CLASS,
	.bInterfaceProtocol	= FASTBOOT_INTERFACE_PROTOCOL,
};

/* NULL-terminated descriptor list used at full speed */
static struct usb_descriptor_header *fb_fs_function[] = {
	(struct usb_descriptor_header *)&interface_desc,
	(struct usb_descriptor_header *)&fs_ep_in,
	(struct usb_descriptor_header *)&fs_ep_out,
	NULL,
};

/* NULL-terminated descriptor list used at high speed */
static struct usb_descriptor_header *fb_hs_function[] = {
	(struct usb_descriptor_header *)&interface_desc,
	(struct usb_descriptor_header *)&hs_ep_in,
	(struct usb_descriptor_header *)&hs_ep_out,
	NULL,
};
132
/*
 * Super speed: 1024-byte bulk endpoints, each followed in the
 * descriptor list by the (shared) endpoint companion descriptor.
 */

/* Super speed, device to host */
static struct usb_endpoint_descriptor ss_ep_in = {
	.bLength		= USB_DT_ENDPOINT_SIZE,
	.bDescriptorType	= USB_DT_ENDPOINT,
	.bEndpointAddress	= USB_DIR_IN,
	.bmAttributes		= USB_ENDPOINT_XFER_BULK,
	.wMaxPacketSize		= cpu_to_le16(1024),
};

/* Super speed, host to device */
static struct usb_endpoint_descriptor ss_ep_out = {
	.bLength		= USB_DT_ENDPOINT_SIZE,
	.bDescriptorType	= USB_DT_ENDPOINT,
	.bEndpointAddress	= USB_DIR_OUT,
	.bmAttributes		= USB_ENDPOINT_XFER_BULK,
	.wMaxPacketSize		= cpu_to_le16(1024),
};

/* Companion descriptor; every field besides length and type is zero */
static struct usb_ss_ep_comp_descriptor fb_ss_bulk_comp_desc = {
	.bLength		= sizeof(fb_ss_bulk_comp_desc),
	.bDescriptorType	= USB_DT_SS_ENDPOINT_COMP,
};

/* NULL-terminated descriptor list used at super speed */
static struct usb_descriptor_header *fb_ss_function[] = {
	(struct usb_descriptor_header *)&interface_desc,
	(struct usb_descriptor_header *)&ss_ep_in,
	(struct usb_descriptor_header *)&fb_ss_bulk_comp_desc,
	(struct usb_descriptor_header *)&ss_ep_out,
	(struct usb_descriptor_header *)&fb_ss_bulk_comp_desc,
	NULL,
};
163
/*
 * Choose the endpoint descriptor matching the speed the gadget is
 * currently running at.
 *
 * @g:  gadget whose capabilities and current speed are examined
 * @fs: full-speed descriptor, also the fallback
 * @hs: high-speed descriptor
 * @ss: super-speed descriptor
 *
 * Returns @ss for a super-speed capable gadget running at super speed
 * or above, @hs for a dual-speed gadget running at high speed, and @fs
 * in every other case.
 */
static struct usb_endpoint_descriptor *
fb_ep_desc(struct usb_gadget *g, struct usb_endpoint_descriptor *fs,
	    struct usb_endpoint_descriptor *hs,
	    struct usb_endpoint_descriptor *ss)
{
	struct usb_endpoint_descriptor *chosen = fs;

	if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER)
		chosen = ss;
	else if (gadget_is_dualspeed(g) && g->speed == USB_SPEED_HIGH)
		chosen = hs;

	return chosen;
}
176
/*
 * Static strings, in UTF-8. The only string is the interface name; its
 * string id is assigned in fastboot_bind().
 */
static const char fastboot_name[] = "Android Fastboot";

static struct usb_string fastboot_string_defs[] = {
	[0] = { .s = fastboot_name },
	{  }			/* end of list */
};

static struct usb_gadget_strings stringtab_fastboot = {
	.language	= 0x0409,	/* en-us */
	.strings	= fastboot_string_defs,
};

/* NULL-terminated list of string tables, one per language */
static struct usb_gadget_strings *fastboot_strings[] = {
	&stringtab_fastboot,
	NULL,
};
196
/* Defined further down; needed by fastboot_set_alt() and the download path */
static void rx_handler_command(struct usb_ep *ep, struct usb_request *req);

/*
 * Default completion callback for the IN (device to host) request.
 * A successful transfer needs no follow-up; a failed one is reported on
 * the console with its status, endpoint name and transferred count.
 */
static void fastboot_complete(struct usb_ep *ep, struct usb_request *req)
{
	const int err = req->status;

	if (err != 0)
		printf("status: %d ep '%s' trans: %d\n",
		       err, ep->name, req->actual);
}
206
/*
 * Bind callback: allocate the interface and string ids, publish the OS
 * descriptor data, claim one bulk endpoint per direction and install
 * the descriptor lists for every speed the gadget supports.
 *
 * @c: configuration the function is being added to
 * @f: the usb_function embedded in a struct f_fastboot
 *
 * Returns 0 on success, the negative value from usb_interface_id() or
 * usb_string_id() if an id cannot be allocated, or -ENODEV when no
 * matching endpoint is available.
 */
static int fastboot_bind(struct usb_configuration *c, struct usb_function *f)
{
	struct usb_composite_dev *cdev = c->cdev;
	struct usb_gadget *gadget = cdev->gadget;
	struct f_fastboot *f_fb = func_to_fastboot(f);
	const char *serial;
	int id;

	/* DYNAMIC interface numbers assignments */
	id = usb_interface_id(c, f);
	if (id < 0)
		return id;
	interface_desc.bInterfaceNumber = id;

	/* Enable OS and Extended Properties Feature Descriptor */
	cdev->use_os_string = 1;
	f->os_desc_table = &fb_os_desc_table;
	f->os_desc_n = 1;
	fb_os_desc_table.if_id = id;
	INIT_LIST_HEAD(&fb_os_desc.ext_prop);

	/*
	 * Name and data are reported as NUL-terminated Unicode strings:
	 * two bytes per character plus a two-byte terminator.
	 */
	fb_ext_prop.name_len = 2 * strlen(fb_ext_prop.name) + 2;
	fb_ext_prop.data_len = 2 * strlen(fb_ext_prop.data) + 2;
	fb_os_desc.ext_prop_count = 1;
	/* 10 and 4: presumably the fixed header fields around name and data */
	fb_os_desc.ext_prop_len = 10 + fb_ext_prop.name_len +
				  fb_ext_prop.data_len + 4;
	list_add_tail(&fb_ext_prop.entry, &fb_os_desc.ext_prop);

	id = usb_string_id(cdev);
	if (id < 0)
		return id;
	fastboot_string_defs[0].id = id;
	interface_desc.iInterface = id;

	/* Endpoints are matched against the full-speed descriptors */
	f_fb->in_ep = usb_ep_autoconfig(gadget, &fs_ep_in);
	if (!f_fb->in_ep)
		return -ENODEV;
	f_fb->in_ep->driver_data = cdev;

	f_fb->out_ep = usb_ep_autoconfig(gadget, &fs_ep_out);
	if (!f_fb->out_ep)
		return -ENODEV;
	f_fb->out_ep->driver_data = cdev;

	f->descriptors = fb_fs_function;

	if (gadget_is_dualspeed(gadget)) {
		/* Assume endpoint addresses are the same for both speeds */
		hs_ep_in.bEndpointAddress = fs_ep_in.bEndpointAddress;
		hs_ep_out.bEndpointAddress = fs_ep_out.bEndpointAddress;
		f->hs_descriptors = fb_hs_function;
	}

	if (gadget_is_superspeed(gadget)) {
		ss_ep_in.bEndpointAddress = fs_ep_in.bEndpointAddress;
		ss_ep_out.bEndpointAddress = fs_ep_out.bEndpointAddress;
		f->ss_descriptors = fb_ss_function;
	}

	/*
	 * The "serial#" environment variable, when set, becomes the
	 * gadget serial number, i.e. it is handed to the USB layer for
	 * presentation to whatever host is attached.
	 */
	serial = env_get("serial#");
	if (serial)
		g_dnl_set_serialnumber((char *)serial);

	return 0;
}
271
/*
 * Unbind callback: detach the OS descriptor table from the function and
 * wipe the global fastboot state so a later bind starts from zeroed
 * endpoint and request pointers.
 *
 * @c: configuration the function belonged to (unused)
 * @f: the function being unbound
 */
static void fastboot_unbind(struct usb_configuration *c, struct usb_function *f)
{
	f->os_desc_table = NULL;

	/*
	 * NOTE(review): this unlinks the list head fb_os_desc.ext_prop
	 * rather than the fb_ext_prop.entry added in fastboot_bind();
	 * bind re-initialises the head, so confirm whether that is
	 * intended.
	 */
	list_del(&fb_os_desc.ext_prop);

	/* The allocation itself is kept and reused by fastboot_add() */
	memset(fastboot_func, 0, sizeof(*fastboot_func));
}
278
/*
 * Free the data buffer and the request stored in *slot, if any, and
 * clear the slot so later code cannot reuse the stale pointer.
 */
static void fb_release_request(struct usb_ep *ep, struct usb_request **slot)
{
	struct usb_request *req = *slot;

	if (!req)
		return;

	free(req->buf);
	usb_ep_free_request(ep, req);
	*slot = NULL;
}

/*
 * Disable callback: shut down both endpoints, then release the OUT and
 * IN requests together with their buffers. Also used as the error path
 * of fastboot_set_alt(), so either request may still be NULL.
 *
 * @f: the usb_function embedded in a struct f_fastboot
 */
static void fastboot_disable(struct usb_function *f)
{
	struct f_fastboot *f_fb = func_to_fastboot(f);

	usb_ep_disable(f_fb->out_ep);
	usb_ep_disable(f_fb->in_ep);

	fb_release_request(f_fb->out_ep, &f_fb->out_req);
	fb_release_request(f_fb->in_ep, &f_fb->in_req);
}
297
/*
 * Allocate a request for @ep together with a zeroed, cache-line aligned
 * data buffer of EP_BUFFER_SIZE bytes.
 *
 * @ep: endpoint the request is allocated for
 *
 * Returns the request, or NULL if either allocation fails (nothing is
 * leaked in that case). The caller owns the request and its buffer.
 */
static struct usb_request *fastboot_start_ep(struct usb_ep *ep)
{
	struct usb_request *req = usb_ep_alloc_request(ep, 0);

	if (!req)
		return NULL;

	req->length = EP_BUFFER_SIZE;
	req->buf = memalign(CONFIG_SYS_CACHELINE_SIZE, EP_BUFFER_SIZE);
	if (req->buf) {
		/* Start from a known state: no stale heap contents */
		memset(req->buf, 0, req->length);
		return req;
	}

	usb_ep_free_request(ep, req);
	return NULL;
}
316
/*
 * set_alt callback: enable both bulk endpoints with the descriptor for
 * the current speed, allocate their requests and queue the first OUT
 * request so the host can send a command.
 *
 * @f:         the usb_function embedded in a struct f_fastboot
 * @interface: interface number (only logged)
 * @alt:       alternate setting (only logged)
 *
 * Returns 0 on success. On failure the error from usb_ep_enable() or
 * usb_ep_queue(), or -EINVAL when a request cannot be allocated, is
 * returned; every failure after the OUT endpoint was enabled goes
 * through fastboot_disable() to undo the partial setup.
 */
static int fastboot_set_alt(struct usb_function *f,
			    unsigned interface, unsigned alt)
{
	struct f_fastboot *f_fb = func_to_fastboot(f);
	struct usb_composite_dev *cdev = f->config->cdev;
	struct usb_gadget *gadget = cdev->gadget;
	const struct usb_endpoint_descriptor *desc;
	int rc;

	debug("%s: func: %s intf: %d alt: %d\n",
	      __func__, f->name, interface, alt);

	/* OUT direction: commands and download data from the host */
	desc = fb_ep_desc(gadget, &fs_ep_out, &hs_ep_out, &ss_ep_out);
	rc = usb_ep_enable(f_fb->out_ep, desc);
	if (rc) {
		puts("failed to enable out ep\n");
		return rc;
	}

	f_fb->out_req = fastboot_start_ep(f_fb->out_ep);
	if (!f_fb->out_req) {
		puts("failed to alloc out req\n");
		rc = -EINVAL;
		goto err;
	}
	f_fb->out_req->complete = rx_handler_command;

	/* IN direction: responses to the host */
	desc = fb_ep_desc(gadget, &fs_ep_in, &hs_ep_in, &ss_ep_in);
	rc = usb_ep_enable(f_fb->in_ep, desc);
	if (rc) {
		puts("failed to enable in ep\n");
		goto err;
	}

	f_fb->in_req = fastboot_start_ep(f_fb->in_ep);
	if (!f_fb->in_req) {
		puts("failed alloc req in\n");
		rc = -EINVAL;
		goto err;
	}
	f_fb->in_req->complete = fastboot_complete;

	/* Arm reception of the first command */
	rc = usb_ep_queue(f_fb->out_ep, f_fb->out_req, 0);
	if (!rc)
		return 0;

err:
	fastboot_disable(f);
	return rc;
}
368
/*
 * Gadget bind callback for "usb_dnl_fastboot": create the fastboot
 * function state on first use (or reuse the existing one), fill in its
 * callbacks and register it with configuration @c.
 *
 * @c: configuration to add the function to
 *
 * Returns 0 on success, -ENOMEM if the state cannot be allocated, or
 * the error from usb_add_function(); in the latter case the state is
 * freed and the global pointer cleared.
 */
static int fastboot_add(struct usb_configuration *c)
{
	struct f_fastboot *f_fb = fastboot_func;
	struct usb_function *func;
	int status;

	debug("%s: cdev: 0x%p\n", __func__, c->cdev);

	if (!f_fb) {
		f_fb = memalign(CONFIG_SYS_CACHELINE_SIZE, sizeof(*f_fb));
		if (!f_fb)
			return -ENOMEM;

		fastboot_func = f_fb;
		memset(f_fb, 0, sizeof(*f_fb));
	}

	func = &f_fb->usb_function;
	func->name = "f_fastboot";
	func->bind = fastboot_bind;
	func->unbind = fastboot_unbind;
	func->set_alt = fastboot_set_alt;
	func->disable = fastboot_disable;
	func->strings = fastboot_strings;

	status = usb_add_function(c, func);
	if (status) {
		/* Clear the global so no dangling pointer survives the free */
		free(f_fb);
		fastboot_func = NULL;
	}

	return status;
}
DECLARE_GADGET_BIND_CALLBACK(usb_dnl_fastboot, fastboot_add);
401
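/*
 * Copy @buffer_size bytes from @buffer into the IN request buffer and
 * queue the request for transmission to the host.
 *
 * The IN buffer holds EP_BUFFER_SIZE bytes, so a larger payload is
 * rejected instead of being copied past the end of the allocation.
 * Any transfer still pending on the IN request is dequeued first.
 *
 * @buffer:      data to send
 * @buffer_size: number of bytes to send, at most EP_BUFFER_SIZE
 *
 * Returns 0 on success, -ENODEV if no IN request is allocated, -EINVAL
 * if the payload does not fit, or the error from usb_ep_queue().
 */
static int fastboot_tx_write(const char *buffer, unsigned int buffer_size)
{
	struct usb_request *in_req = fastboot_func->in_req;
	int ret;

	/* in_req is NULL whenever the function is disabled */
	if (!in_req || !in_req->buf)
		return -ENODEV;

	if (buffer_size > EP_BUFFER_SIZE) {
		printf("tx size %u exceeds ep buffer\n", buffer_size);
		return -EINVAL;
	}

	memcpy(in_req->buf, buffer, buffer_size);
	in_req->length = buffer_size;

	usb_ep_dequeue(fastboot_func->in_ep, in_req);

	ret = usb_ep_queue(fastboot_func->in_ep, in_req, 0);
	if (ret)
		printf("Error %d on queue\n", ret);
	return ret;
}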
417
/*
 * Send the NUL-terminated string @buffer to the host; the terminator
 * itself is not transmitted.
 *
 * Returns whatever fastboot_tx_write() returns.
 */
static int fastboot_tx_write_str(const char *buffer)
{
	const size_t len = strlen(buffer);

	return fastboot_tx_write(buffer, len);
}
422
/*
 * IN completion callback installed for the reboot commands: once the
 * response transfer has completed, unregister the download gadget and
 * reset the board. Both arguments are unused.
 *
 * NOTE(review): req->status is not examined here, so the reset also
 * runs when the callback fires for a failed or dequeued transfer.
 */
static void compl_do_reset(struct usb_ep *ep, struct usb_request *req)
{
	g_dnl_unregister();

	do_reset(NULL, 0, 0, NULL);
}
428
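/*
 * Compute the length to request for the next OUT transfer of a
 * download.
 *
 * @ep: OUT endpoint; its descriptor supplies the maxpacket size
 *
 * Returns 0 when no data is outstanding and EP_BUFFER_SIZE when more
 * than one buffer is outstanding. Otherwise the remaining byte count is
 * rounded up to a multiple of maxpacket. The result never exceeds
 * EP_BUFFER_SIZE, the size of the buffer the controller writes into.
 */
static unsigned int rx_bytes_expected(struct usb_ep *ep)
{
	int rx_remain = fastboot_data_remaining();
	unsigned int maxpacket = usb_endpoint_maxp(ep->desc);
	unsigned int want;
	unsigned int rem;

	if (rx_remain <= 0)
		return 0;
	if (rx_remain > EP_BUFFER_SIZE)
		return EP_BUFFER_SIZE;

	want = rx_remain;

	/* A zero maxpacket would make the modulo below divide by zero */
	if (!maxpacket)
		return want;

	/*
	 * Some controllers e.g. DWC3 don't like OUT transfers to be
	 * not ending in maxpacket boundary. So just make them happy by
	 * always requesting for integral multiple of maxpackets.
	 * This shouldn't bother controllers that don't care about it.
	 */
	rem = want % maxpacket;
	if (rem > 0)
		want += maxpacket - rem;

	/*
	 * Rounding up stays inside the buffer only while EP_BUFFER_SIZE
	 * is a multiple of maxpacket; enforce the bound here rather than
	 * rely on that, since the length tells the controller how much
	 * it may write.
	 */
	if (want > EP_BUFFER_SIZE)
		want = EP_BUFFER_SIZE;

	return want;
}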
452
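/*
 * OUT completion callback while a download is in progress.
 *
 * Hands the received bytes to fastboot_data_download(), never more than
 * the amount still outstanding, then either reports an error, finishes
 * the download and switches the request back to command handling, or
 * sizes the next transfer. The request is re-queued in every case
 * except a failed transfer, where the function returns early.
 *
 * @ep:  OUT endpoint the data arrived on
 * @req: completed OUT request; buf/actual describe the received data
 */
static void rx_handler_dl_image(struct usb_ep *ep, struct usb_request *req)
{
	char response[FASTBOOT_RESPONSE_LEN] = {0};
	unsigned int transfer_size = fastboot_data_remaining();
	const unsigned char *buffer = req->buf;
	unsigned int buffer_size = req->actual;
	int ret;

	if (req->status != 0) {
		printf("Bad status: %d\n", req->status);
		return;
	}

	/* Host-supplied length: consume no more than was actually received */
	if (buffer_size < transfer_size)
		transfer_size = buffer_size;

	fastboot_data_download(buffer, transfer_size, response);
	if (response[0]) {
		/*
		 * The download handler produced a response of its own.
		 * NOTE(review): req->complete stays rx_handler_dl_image
		 * on this path; confirm that is the intended state after
		 * a download error.
		 */
		fastboot_tx_write_str(response);
	} else if (!fastboot_data_remaining()) {
		fastboot_data_complete(response);

		/* Download finished: go back to receiving commands */
		req->complete = rx_handler_command;
		req->length = EP_BUFFER_SIZE;

		fastboot_tx_write_str(response);
	} else {
		req->length = rx_bytes_expected(ep);
	}

	req->actual = 0;

	/* A failed re-queue stops all further reception, so report it */
	ret = usb_ep_queue(ep, req, 0);
	if (ret)
		printf("Error %d on queue\n", ret);
}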
488
/*
 * IN completion callback installed for the "continue" command: ask the
 * download gadget to detach once the response has been sent. Both
 * arguments are unused.
 */
static void do_exit_on_complete(struct usb_ep *ep, struct usb_request *req)
{
	(void)ep;
	(void)req;

	g_dnl_trigger_detach();
}
493
/*
 * IN completion callback installed for the "boot" command: call
 * fastboot_boot() and, if that returns, fall back to detaching the
 * gadget.
 *
 * NOTE(review): req->status is not checked before booting; confirm the
 * callback cannot fire for a failed or dequeued response transfer.
 */
static void do_bootm_on_complete(struct usb_ep *ep, struct usb_request *req)
{
	fastboot_boot();

	/* Only reached when fastboot_boot() returns */
	do_exit_on_complete(ep, req);
}
499
/* Command whose multi-part response is being streamed, or -1 for none */
static int multiresponse_cmd = -1;

/*
 * IN completion callback used while a command produces several
 * responses: each time one response has gone out, fetch and send the
 * next one. A response starting with "OKAY" or "FAIL" is the last one
 * and restores the default completion callback.
 *
 * @ep:  IN endpoint (unused)
 * @req: completed IN request (unused)
 */
static void multiresponse_on_complete(struct usb_ep *ep, struct usb_request *req)
{
	char response[FASTBOOT_RESPONSE_LEN] = {0};
	int is_final;

	if (multiresponse_cmd == -1)
		return;

	/* Call handler to obtain next response */
	fastboot_multiresponse(multiresponse_cmd, response);
	fastboot_tx_write_str(response);

	/* A final OKAY/FAIL response disconnects this handler and unsets cmd */
	is_final = strncmp("OKAY", response, 4) == 0 ||
		   strncmp("FAIL", response, 4) == 0;
	if (!is_final)
		return;

	multiresponse_cmd = -1;
	fastboot_func->in_req->complete = fastboot_complete;
}
518
/*
 * IN completion callback installed for the ACMD command.
 *
 * This callback is also invoked when the request is dequeued, so the
 * status has to be checked before the command is run; otherwise the
 * host cannot get the last message.
 *
 * @ep:  IN endpoint (unused)
 * @req: completed IN request; only its status is read
 */
static void do_acmd_complete(struct usb_ep *ep, struct usb_request *req)
{
	if (req->status != 0)
		return;

	fastboot_acmd_complete();
}
528
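/*
 * OUT completion callback while waiting for a command.
 *
 * The received bytes come from the USB host and are NUL-terminated in
 * place before being passed to fastboot_handle_command(); a transfer
 * that fills the whole buffer leaves no room for the terminator and is
 * answered with a failure instead. Depending on the response, the
 * request is switched to download mode or a follow-up action is hooked
 * onto the completion of the IN (response) transfer. Finally the
 * response is sent and the OUT request is re-queued.
 *
 * This function applies no authentication or lock-state check of its
 * own; any such policy would have to live in fastboot_handle_command(),
 * which is not visible here.
 *
 * @ep:  OUT endpoint the command arrived on
 * @req: completed OUT request; buf/actual describe the received bytes
 */
static void rx_handler_command(struct usb_ep *ep, struct usb_request *req)
{
	char *cmdbuf = req->buf;
	char response[FASTBOOT_RESPONSE_LEN] = {0};
	int cmd = -1;
	int ret;

	/* Failed or zero-length request: nothing to parse, not re-queued */
	if (req->status != 0 || req->length == 0)
		return;

	if (req->actual < req->length) {
		/* Index is strictly below the request length, so in bounds */
		cmdbuf[req->actual] = '\0';
		cmd = fastboot_handle_command(cmdbuf, response);
	} else {
		pr_err("buffer overflow\n");
		fastboot_fail("buffer overflow", response);
	}

	if (!strncmp(FASTBOOT_MULTIRESPONSE_START, response, 4)) {
		multiresponse_cmd = cmd;
		fastboot_multiresponse(multiresponse_cmd, response);

		/* Only add complete callback if first is not a final OKAY/FAIL response */
		if (strncmp("OKAY", response, 4) && strncmp("FAIL", response, 4)) {
			fastboot_func->in_req->complete = multiresponse_on_complete;
		}
	}

	/* "DATA": the following OUT transfers carry the download payload */
	if (!strncmp("DATA", response, 4)) {
		req->complete = rx_handler_dl_image;
		req->length = rx_bytes_expected(ep);
	}

	/*
	 * Commands that act after replying hook the action onto the
	 * completion of the IN transfer, so the response is sent before
	 * the device boots, detaches or resets.
	 */
	if (!strncmp("OKAY", response, 4)) {
		switch (cmd) {
		case FASTBOOT_COMMAND_BOOT:
			fastboot_func->in_req->complete = do_bootm_on_complete;
			break;

		case FASTBOOT_COMMAND_CONTINUE:
			fastboot_func->in_req->complete = do_exit_on_complete;
			break;

		case FASTBOOT_COMMAND_REBOOT:
		case FASTBOOT_COMMAND_REBOOT_BOOTLOADER:
		case FASTBOOT_COMMAND_REBOOT_FASTBOOTD:
		case FASTBOOT_COMMAND_REBOOT_RECOVERY:
			fastboot_func->in_req->complete = compl_do_reset;
			break;
		case FASTBOOT_COMMAND_ACMD:
			if (CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT))
				fastboot_func->in_req->complete = do_acmd_complete;
			break;
		}
	}

	fastboot_tx_write_str(response);

	/* Drop the handled command so it cannot be parsed a second time */
	*cmdbuf = '\0';
	req->actual = 0;

	/* A failed re-queue stops all further reception, so report it */
	ret = usb_ep_queue(ep, req, 0);
	if (ret)
		printf("Error %d on queue\n", ret);
}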
590