2 * (C) Copyright 2008 - 2009
3 * Windriver, <www.windriver.com>
4 * Tom Rix <Tom.Rix@windriver.com>
6 * Copyright 2011 Sebastian Andrzej Siewior <bigeasy@linutronix.de>
8 * Copyright 2014 Linaro, Ltd.
9 * Rob Herring <robh@kernel.org>
11 * SPDX-License-Identifier: GPL-2.0+
18 #include <linux/usb/ch9.h>
19 #include <linux/usb/gadget.h>
20 #include <linux/usb/composite.h>
21 #include <linux/compiler.h>
24 #ifdef CONFIG_FASTBOOT_FLASH_MMC_DEV
27 #ifdef CONFIG_FASTBOOT_FLASH_NAND_DEV
31 #define FASTBOOT_VERSION "0.4"
33 #define FASTBOOT_INTERFACE_CLASS 0xff
34 #define FASTBOOT_INTERFACE_SUB_CLASS 0x42
35 #define FASTBOOT_INTERFACE_PROTOCOL 0x03
37 #define RX_ENDPOINT_MAXIMUM_PACKET_SIZE_2_0 (0x0200)
38 #define RX_ENDPOINT_MAXIMUM_PACKET_SIZE_1_1 (0x0040)
39 #define TX_ENDPOINT_MAXIMUM_PACKET_SIZE (0x0040)
41 #define EP_BUFFER_SIZE 4096
43 * EP_BUFFER_SIZE must always be an integral multiple of maxpacket size
44 * (64 or 512 or 1024), else we break on certain controllers like DWC3
45 * that expect bulk OUT requests to be divisible by maxpacket size.
49 struct usb_function usb_function
;
51 /* IN/OUT EP's and corresponding requests */
52 struct usb_ep
*in_ep
, *out_ep
;
53 struct usb_request
*in_req
, *out_req
;
56 static inline struct f_fastboot
*func_to_fastboot(struct usb_function
*f
)
58 return container_of(f
, struct f_fastboot
, usb_function
);
61 static struct f_fastboot
*fastboot_func
;
62 static unsigned int download_size
;
63 static unsigned int download_bytes
;
65 static struct usb_endpoint_descriptor fs_ep_in
= {
66 .bLength
= USB_DT_ENDPOINT_SIZE
,
67 .bDescriptorType
= USB_DT_ENDPOINT
,
68 .bEndpointAddress
= USB_DIR_IN
,
69 .bmAttributes
= USB_ENDPOINT_XFER_BULK
,
70 .wMaxPacketSize
= cpu_to_le16(64),
73 static struct usb_endpoint_descriptor fs_ep_out
= {
74 .bLength
= USB_DT_ENDPOINT_SIZE
,
75 .bDescriptorType
= USB_DT_ENDPOINT
,
76 .bEndpointAddress
= USB_DIR_OUT
,
77 .bmAttributes
= USB_ENDPOINT_XFER_BULK
,
78 .wMaxPacketSize
= cpu_to_le16(64),
81 static struct usb_endpoint_descriptor hs_ep_in
= {
82 .bLength
= USB_DT_ENDPOINT_SIZE
,
83 .bDescriptorType
= USB_DT_ENDPOINT
,
84 .bEndpointAddress
= USB_DIR_IN
,
85 .bmAttributes
= USB_ENDPOINT_XFER_BULK
,
86 .wMaxPacketSize
= cpu_to_le16(512),
89 static struct usb_endpoint_descriptor hs_ep_out
= {
90 .bLength
= USB_DT_ENDPOINT_SIZE
,
91 .bDescriptorType
= USB_DT_ENDPOINT
,
92 .bEndpointAddress
= USB_DIR_OUT
,
93 .bmAttributes
= USB_ENDPOINT_XFER_BULK
,
94 .wMaxPacketSize
= cpu_to_le16(512),
97 static struct usb_interface_descriptor interface_desc
= {
98 .bLength
= USB_DT_INTERFACE_SIZE
,
99 .bDescriptorType
= USB_DT_INTERFACE
,
100 .bInterfaceNumber
= 0x00,
101 .bAlternateSetting
= 0x00,
102 .bNumEndpoints
= 0x02,
103 .bInterfaceClass
= FASTBOOT_INTERFACE_CLASS
,
104 .bInterfaceSubClass
= FASTBOOT_INTERFACE_SUB_CLASS
,
105 .bInterfaceProtocol
= FASTBOOT_INTERFACE_PROTOCOL
,
108 static struct usb_descriptor_header
*fb_fs_function
[] = {
109 (struct usb_descriptor_header
*)&interface_desc
,
110 (struct usb_descriptor_header
*)&fs_ep_in
,
111 (struct usb_descriptor_header
*)&fs_ep_out
,
114 static struct usb_descriptor_header
*fb_hs_function
[] = {
115 (struct usb_descriptor_header
*)&interface_desc
,
116 (struct usb_descriptor_header
*)&hs_ep_in
,
117 (struct usb_descriptor_header
*)&hs_ep_out
,
121 static struct usb_endpoint_descriptor
*
122 fb_ep_desc(struct usb_gadget
*g
, struct usb_endpoint_descriptor
*fs
,
123 struct usb_endpoint_descriptor
*hs
)
125 if (gadget_is_dualspeed(g
) && g
->speed
== USB_SPEED_HIGH
)
131 * static strings, in UTF-8
133 static const char fastboot_name
[] = "Android Fastboot";
135 static struct usb_string fastboot_string_defs
[] = {
136 [0].s
= fastboot_name
,
137 { } /* end of list */
140 static struct usb_gadget_strings stringtab_fastboot
= {
141 .language
= 0x0409, /* en-us */
142 .strings
= fastboot_string_defs
,
145 static struct usb_gadget_strings
*fastboot_strings
[] = {
150 static void rx_handler_command(struct usb_ep
*ep
, struct usb_request
*req
);
151 static int strcmp_l1(const char *s1
, const char *s2
);
154 static char *fb_response_str
;
156 void fastboot_fail(const char *reason
)
158 strncpy(fb_response_str
, "FAIL\0", 5);
159 strncat(fb_response_str
, reason
, FASTBOOT_RESPONSE_LEN
- 4 - 1);
162 void fastboot_okay(const char *reason
)
164 strncpy(fb_response_str
, "OKAY\0", 5);
165 strncat(fb_response_str
, reason
, FASTBOOT_RESPONSE_LEN
- 4 - 1);
168 static void fastboot_complete(struct usb_ep
*ep
, struct usb_request
*req
)
170 int status
= req
->status
;
173 printf("status: %d ep '%s' trans: %d\n", status
, ep
->name
, req
->actual
);
176 static int fastboot_bind(struct usb_configuration
*c
, struct usb_function
*f
)
179 struct usb_gadget
*gadget
= c
->cdev
->gadget
;
180 struct f_fastboot
*f_fb
= func_to_fastboot(f
);
183 /* DYNAMIC interface numbers assignments */
184 id
= usb_interface_id(c
, f
);
187 interface_desc
.bInterfaceNumber
= id
;
189 id
= usb_string_id(c
->cdev
);
192 fastboot_string_defs
[0].id
= id
;
193 interface_desc
.iInterface
= id
;
195 f_fb
->in_ep
= usb_ep_autoconfig(gadget
, &fs_ep_in
);
198 f_fb
->in_ep
->driver_data
= c
->cdev
;
200 f_fb
->out_ep
= usb_ep_autoconfig(gadget
, &fs_ep_out
);
203 f_fb
->out_ep
->driver_data
= c
->cdev
;
205 f
->descriptors
= fb_fs_function
;
207 if (gadget_is_dualspeed(gadget
)) {
208 /* Assume endpoint addresses are the same for both speeds */
209 hs_ep_in
.bEndpointAddress
= fs_ep_in
.bEndpointAddress
;
210 hs_ep_out
.bEndpointAddress
= fs_ep_out
.bEndpointAddress
;
211 /* copy HS descriptors */
212 f
->hs_descriptors
= fb_hs_function
;
215 s
= env_get("serial#");
217 g_dnl_set_serialnumber((char *)s
);
222 static void fastboot_unbind(struct usb_configuration
*c
, struct usb_function
*f
)
224 memset(fastboot_func
, 0, sizeof(*fastboot_func
));
227 static void fastboot_disable(struct usb_function
*f
)
229 struct f_fastboot
*f_fb
= func_to_fastboot(f
);
231 usb_ep_disable(f_fb
->out_ep
);
232 usb_ep_disable(f_fb
->in_ep
);
235 free(f_fb
->out_req
->buf
);
236 usb_ep_free_request(f_fb
->out_ep
, f_fb
->out_req
);
237 f_fb
->out_req
= NULL
;
240 free(f_fb
->in_req
->buf
);
241 usb_ep_free_request(f_fb
->in_ep
, f_fb
->in_req
);
246 static struct usb_request
*fastboot_start_ep(struct usb_ep
*ep
)
248 struct usb_request
*req
;
250 req
= usb_ep_alloc_request(ep
, 0);
254 req
->length
= EP_BUFFER_SIZE
;
255 req
->buf
= memalign(CONFIG_SYS_CACHELINE_SIZE
, EP_BUFFER_SIZE
);
257 usb_ep_free_request(ep
, req
);
261 memset(req
->buf
, 0, req
->length
);
265 static int fastboot_set_alt(struct usb_function
*f
,
266 unsigned interface
, unsigned alt
)
269 struct usb_composite_dev
*cdev
= f
->config
->cdev
;
270 struct usb_gadget
*gadget
= cdev
->gadget
;
271 struct f_fastboot
*f_fb
= func_to_fastboot(f
);
272 const struct usb_endpoint_descriptor
*d
;
274 debug("%s: func: %s intf: %d alt: %d\n",
275 __func__
, f
->name
, interface
, alt
);
277 d
= fb_ep_desc(gadget
, &fs_ep_out
, &hs_ep_out
);
278 ret
= usb_ep_enable(f_fb
->out_ep
, d
);
280 puts("failed to enable out ep\n");
284 f_fb
->out_req
= fastboot_start_ep(f_fb
->out_ep
);
285 if (!f_fb
->out_req
) {
286 puts("failed to alloc out req\n");
290 f_fb
->out_req
->complete
= rx_handler_command
;
292 d
= fb_ep_desc(gadget
, &fs_ep_in
, &hs_ep_in
);
293 ret
= usb_ep_enable(f_fb
->in_ep
, d
);
295 puts("failed to enable in ep\n");
299 f_fb
->in_req
= fastboot_start_ep(f_fb
->in_ep
);
301 puts("failed alloc req in\n");
305 f_fb
->in_req
->complete
= fastboot_complete
;
307 ret
= usb_ep_queue(f_fb
->out_ep
, f_fb
->out_req
, 0);
317 static int fastboot_add(struct usb_configuration
*c
)
319 struct f_fastboot
*f_fb
= fastboot_func
;
322 debug("%s: cdev: 0x%p\n", __func__
, c
->cdev
);
325 f_fb
= memalign(CONFIG_SYS_CACHELINE_SIZE
, sizeof(*f_fb
));
329 fastboot_func
= f_fb
;
330 memset(f_fb
, 0, sizeof(*f_fb
));
333 f_fb
->usb_function
.name
= "f_fastboot";
334 f_fb
->usb_function
.bind
= fastboot_bind
;
335 f_fb
->usb_function
.unbind
= fastboot_unbind
;
336 f_fb
->usb_function
.set_alt
= fastboot_set_alt
;
337 f_fb
->usb_function
.disable
= fastboot_disable
;
338 f_fb
->usb_function
.strings
= fastboot_strings
;
340 status
= usb_add_function(c
, &f_fb
->usb_function
);
343 fastboot_func
= f_fb
;
348 DECLARE_GADGET_BIND_CALLBACK(usb_dnl_fastboot
, fastboot_add
);
350 static int fastboot_tx_write(const char *buffer
, unsigned int buffer_size
)
352 struct usb_request
*in_req
= fastboot_func
->in_req
;
355 memcpy(in_req
->buf
, buffer
, buffer_size
);
356 in_req
->length
= buffer_size
;
358 usb_ep_dequeue(fastboot_func
->in_ep
, in_req
);
360 ret
= usb_ep_queue(fastboot_func
->in_ep
, in_req
, 0);
362 printf("Error %d on queue\n", ret
);
366 static int fastboot_tx_write_str(const char *buffer
)
368 return fastboot_tx_write(buffer
, strlen(buffer
));
371 static void compl_do_reset(struct usb_ep
*ep
, struct usb_request
*req
)
373 do_reset(NULL
, 0, 0, NULL
);
376 int __weak
fb_set_reboot_flag(void)
381 static void cb_reboot(struct usb_ep
*ep
, struct usb_request
*req
)
383 char *cmd
= req
->buf
;
384 if (!strcmp_l1("reboot-bootloader", cmd
)) {
385 if (fb_set_reboot_flag()) {
386 fastboot_tx_write_str("FAILCannot set reboot flag");
390 fastboot_func
->in_req
->complete
= compl_do_reset
;
391 fastboot_tx_write_str("OKAY");
394 static int strcmp_l1(const char *s1
, const char *s2
)
398 return strncmp(s1
, s2
, strlen(s1
));
401 static void cb_getvar(struct usb_ep
*ep
, struct usb_request
*req
)
403 char *cmd
= req
->buf
;
404 char response
[FASTBOOT_RESPONSE_LEN
];
408 strcpy(response
, "OKAY");
409 chars_left
= sizeof(response
) - strlen(response
) - 1;
413 pr_err("missing variable");
414 fastboot_tx_write_str("FAILmissing var");
418 if (!strcmp_l1("version", cmd
)) {
419 strncat(response
, FASTBOOT_VERSION
, chars_left
);
420 } else if (!strcmp_l1("bootloader-version", cmd
)) {
421 strncat(response
, U_BOOT_VERSION
, chars_left
);
422 } else if (!strcmp_l1("downloadsize", cmd
) ||
423 !strcmp_l1("max-download-size", cmd
)) {
426 sprintf(str_num
, "0x%08x", CONFIG_FASTBOOT_BUF_SIZE
);
427 strncat(response
, str_num
, chars_left
);
428 } else if (!strcmp_l1("serialno", cmd
)) {
429 s
= env_get("serial#");
431 strncat(response
, s
, chars_left
);
433 strcpy(response
, "FAILValue not set");
437 envstr
= malloc(strlen("fastboot.") + strlen(cmd
) + 1);
439 fastboot_tx_write_str("FAILmalloc error");
443 sprintf(envstr
, "fastboot.%s", cmd
);
446 strncat(response
, s
, chars_left
);
448 printf("WARNING: unknown variable: %s\n", cmd
);
449 strcpy(response
, "FAILVariable not implemented");
454 fastboot_tx_write_str(response
);
457 static unsigned int rx_bytes_expected(struct usb_ep
*ep
)
459 int rx_remain
= download_size
- download_bytes
;
461 unsigned int maxpacket
= ep
->maxpacket
;
465 else if (rx_remain
> EP_BUFFER_SIZE
)
466 return EP_BUFFER_SIZE
;
469 * Some controllers e.g. DWC3 don't like OUT transfers to be
470 * not ending in maxpacket boundary. So just make them happy by
471 * always requesting for integral multiple of maxpackets.
472 * This shouldn't bother controllers that don't care about it.
474 rem
= rx_remain
% maxpacket
;
476 rx_remain
= rx_remain
+ (maxpacket
- rem
);
481 #define BYTES_PER_DOT 0x20000
482 static void rx_handler_dl_image(struct usb_ep
*ep
, struct usb_request
*req
)
484 char response
[FASTBOOT_RESPONSE_LEN
];
485 unsigned int transfer_size
= download_size
- download_bytes
;
486 const unsigned char *buffer
= req
->buf
;
487 unsigned int buffer_size
= req
->actual
;
488 unsigned int pre_dot_num
, now_dot_num
;
490 if (req
->status
!= 0) {
491 printf("Bad status: %d\n", req
->status
);
495 if (buffer_size
< transfer_size
)
496 transfer_size
= buffer_size
;
498 memcpy((void *)CONFIG_FASTBOOT_BUF_ADDR
+ download_bytes
,
499 buffer
, transfer_size
);
501 pre_dot_num
= download_bytes
/ BYTES_PER_DOT
;
502 download_bytes
+= transfer_size
;
503 now_dot_num
= download_bytes
/ BYTES_PER_DOT
;
505 if (pre_dot_num
!= now_dot_num
) {
507 if (!(now_dot_num
% 74))
511 /* Check if transfer is done */
512 if (download_bytes
>= download_size
) {
514 * Reset global transfer variable, keep download_bytes because
515 * it will be used in the next possible flashing command
518 req
->complete
= rx_handler_command
;
519 req
->length
= EP_BUFFER_SIZE
;
521 strcpy(response
, "OKAY");
522 fastboot_tx_write_str(response
);
524 printf("\ndownloading of %d bytes finished\n", download_bytes
);
526 req
->length
= rx_bytes_expected(ep
);
530 usb_ep_queue(ep
, req
, 0);
533 static void cb_download(struct usb_ep
*ep
, struct usb_request
*req
)
535 char *cmd
= req
->buf
;
536 char response
[FASTBOOT_RESPONSE_LEN
];
539 download_size
= simple_strtoul(cmd
, NULL
, 16);
542 printf("Starting download of %d bytes\n", download_size
);
544 if (0 == download_size
) {
545 strcpy(response
, "FAILdata invalid size");
546 } else if (download_size
> CONFIG_FASTBOOT_BUF_SIZE
) {
548 strcpy(response
, "FAILdata too large");
550 sprintf(response
, "DATA%08x", download_size
);
551 req
->complete
= rx_handler_dl_image
;
552 req
->length
= rx_bytes_expected(ep
);
554 fastboot_tx_write_str(response
);
557 static void do_bootm_on_complete(struct usb_ep
*ep
, struct usb_request
*req
)
559 char boot_addr_start
[12];
560 char *bootm_args
[] = { "bootm", boot_addr_start
, NULL
};
562 puts("Booting kernel..\n");
564 sprintf(boot_addr_start
, "0x%lx", (long)CONFIG_FASTBOOT_BUF_ADDR
);
565 do_bootm(NULL
, 0, 2, bootm_args
);
567 /* This only happens if image is somehow faulty so we start over */
568 do_reset(NULL
, 0, 0, NULL
);
571 static void cb_boot(struct usb_ep
*ep
, struct usb_request
*req
)
573 fastboot_func
->in_req
->complete
= do_bootm_on_complete
;
574 fastboot_tx_write_str("OKAY");
577 static void do_exit_on_complete(struct usb_ep
*ep
, struct usb_request
*req
)
579 g_dnl_trigger_detach();
582 static void cb_continue(struct usb_ep
*ep
, struct usb_request
*req
)
584 fastboot_func
->in_req
->complete
= do_exit_on_complete
;
585 fastboot_tx_write_str("OKAY");
588 #ifdef CONFIG_FASTBOOT_FLASH
589 static void cb_flash(struct usb_ep
*ep
, struct usb_request
*req
)
591 char *cmd
= req
->buf
;
592 char response
[FASTBOOT_RESPONSE_LEN
];
596 pr_err("missing partition name");
597 fastboot_tx_write_str("FAILmissing partition name");
601 /* initialize the response buffer */
602 fb_response_str
= response
;
604 fastboot_fail("no flash device defined");
605 #ifdef CONFIG_FASTBOOT_FLASH_MMC_DEV
606 fb_mmc_flash_write(cmd
, (void *)CONFIG_FASTBOOT_BUF_ADDR
,
609 #ifdef CONFIG_FASTBOOT_FLASH_NAND_DEV
610 fb_nand_flash_write(cmd
,
611 (void *)CONFIG_FASTBOOT_BUF_ADDR
,
614 fastboot_tx_write_str(response
);
618 static void cb_oem(struct usb_ep
*ep
, struct usb_request
*req
)
620 char *cmd
= req
->buf
;
621 #ifdef CONFIG_FASTBOOT_FLASH_MMC_DEV
622 if (strncmp("format", cmd
+ 4, 6) == 0) {
624 sprintf(cmdbuf
, "gpt write mmc %x $partitions",
625 CONFIG_FASTBOOT_FLASH_MMC_DEV
);
626 if (run_command(cmdbuf
, 0))
627 fastboot_tx_write_str("FAIL");
629 fastboot_tx_write_str("OKAY");
632 if (strncmp("unlock", cmd
+ 4, 8) == 0) {
633 fastboot_tx_write_str("FAILnot implemented");
636 fastboot_tx_write_str("FAILunknown oem command");
640 #ifdef CONFIG_FASTBOOT_FLASH
641 static void cb_erase(struct usb_ep
*ep
, struct usb_request
*req
)
643 char *cmd
= req
->buf
;
644 char response
[FASTBOOT_RESPONSE_LEN
];
648 pr_err("missing partition name");
649 fastboot_tx_write_str("FAILmissing partition name");
653 /* initialize the response buffer */
654 fb_response_str
= response
;
656 fastboot_fail("no flash device defined");
657 #ifdef CONFIG_FASTBOOT_FLASH_MMC_DEV
660 #ifdef CONFIG_FASTBOOT_FLASH_NAND_DEV
663 fastboot_tx_write_str(response
);
667 struct cmd_dispatch_info
{
669 void (*cb
)(struct usb_ep
*ep
, struct usb_request
*req
);
672 static const struct cmd_dispatch_info cmd_dispatch_info
[] = {
689 #ifdef CONFIG_FASTBOOT_FLASH
704 static void rx_handler_command(struct usb_ep
*ep
, struct usb_request
*req
)
706 char *cmdbuf
= req
->buf
;
707 void (*func_cb
)(struct usb_ep
*ep
, struct usb_request
*req
) = NULL
;
710 if (req
->status
!= 0 || req
->length
== 0)
713 for (i
= 0; i
< ARRAY_SIZE(cmd_dispatch_info
); i
++) {
714 if (!strcmp_l1(cmd_dispatch_info
[i
].cmd
, cmdbuf
)) {
715 func_cb
= cmd_dispatch_info
[i
].cb
;
721 pr_err("unknown command: %.*s", req
->actual
, cmdbuf
);
722 fastboot_tx_write_str("FAILunknown command");
724 if (req
->actual
< req
->length
) {
725 u8
*buf
= (u8
*)req
->buf
;
726 buf
[req
->actual
] = 0;
729 pr_err("buffer overflow");
730 fastboot_tx_write_str("FAILbuffer overflow");
736 usb_ep_queue(ep
, req
, 0);