Carl-Daniel Hailfinger | d38fac8 | 2010-01-19 11:15:48 +0000 | [diff] [blame] | 1 | /* |
| 2 | * This file is part of the flashrom project. |
| 3 | * |
| 4 | * Copyright (C) 2010 Carl-Daniel Hailfinger |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or modify |
| 7 | * it under the terms of the GNU General Public License as published by |
| 8 | * the Free Software Foundation; version 2 of the License. |
| 9 | * |
| 10 | * This program is distributed in the hope that it will be useful, |
| 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 13 | * GNU General Public License for more details. |
| 14 | * |
| 15 | * You should have received a copy of the GNU General Public License |
| 16 | * along with this program; if not, write to the Free Software |
| 17 | * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA |
| 18 | */ |
| 19 | |
| 20 | #include <string.h> |
| 21 | #include <stdlib.h> |
| 22 | #include <ctype.h> |
| 23 | #include <sys/types.h> |
| 24 | #include <usb.h> |
| 25 | #include "flash.h" |
| 26 | #include "spi.h" |
| 27 | |
| 28 | #define DEFAULT_TIMEOUT 3000 |
| 29 | usb_dev_handle *dediprog_handle; |
| 30 | |
| 31 | int dediprog_do_stuff(void); |
| 32 | |
| 33 | void print_hex(void *buf, size_t len) |
| 34 | { |
| 35 | size_t i; |
| 36 | |
| 37 | for (i = 0; i < len; i++) |
| 38 | msg_pdbg(" %02x", ((uint8_t *)buf)[i]); |
| 39 | } |
| 40 | |
| 41 | struct usb_device *get_device_by_vid_pid(uint16_t vid, uint16_t pid) |
| 42 | { |
| 43 | struct usb_bus *bus; |
| 44 | struct usb_device *dev; |
| 45 | |
| 46 | for (bus = usb_get_busses(); bus; bus = bus->next) |
| 47 | for (dev = bus->devices; dev; dev = dev->next) |
| 48 | if ((dev->descriptor.idVendor == vid) && |
| 49 | (dev->descriptor.idProduct == pid)) |
| 50 | return dev; |
| 51 | |
| 52 | return NULL; |
| 53 | } |
| 54 | |
| 55 | //int usb_control_msg(usb_dev_handle *dev, int requesttype, int request, int value, int index, char *bytes, int size, int timeout); |
| 56 | |
| 57 | int dediprog_set_spi_voltage(uint16_t voltage) |
| 58 | { |
| 59 | int ret; |
| 60 | unsigned int mv; |
| 61 | |
| 62 | switch (voltage) { |
| 63 | case 0x0: |
| 64 | /* Admittedly this one is an assumption. */ |
| 65 | mv = 0; |
| 66 | break; |
| 67 | case 0x12: |
| 68 | mv = 1800; |
| 69 | break; |
| 70 | case 0x11: |
| 71 | mv = 2500; |
| 72 | break; |
| 73 | case 0x10: |
| 74 | mv = 3500; |
| 75 | break; |
| 76 | default: |
| 77 | msg_perr("Unknown voltage selector 0x%x! Aborting.\n", voltage); |
| 78 | return 1; |
| 79 | } |
| 80 | msg_pdbg("Setting SPI voltage to %u.%03u V\n", mv / 1000, mv % 1000); |
| 81 | |
| 82 | ret = usb_control_msg(dediprog_handle, 0x42, 0x9, voltage, 0xff, NULL, 0x0, DEFAULT_TIMEOUT); |
| 83 | if (ret != 0x0) { |
| 84 | msg_perr("Command Set SPI Voltage 0x%x failed!\n", voltage); |
| 85 | return 1; |
| 86 | } |
| 87 | return 0; |
| 88 | } |
| 89 | |
| 90 | /* After dediprog_set_spi_speed, the original app always calls |
| 91 | * dediprog_set_spi_voltage(0) and then |
| 92 | * dediprog_check_devicestring() four times in a row. |
| 93 | * After that, dediprog_command_a() is called. |
| 94 | * This looks suspiciously like the microprocessor in the SF100 has to be |
| 95 | * restarted/reinitialized in case the speed changes. |
| 96 | */ |
| 97 | int dediprog_set_spi_speed(uint16_t speed) |
| 98 | { |
| 99 | int ret; |
| 100 | unsigned int khz; |
| 101 | |
| 102 | /* Case 1 and 2 are in weird order. Probably an organically "grown" |
| 103 | * interface. |
| 104 | * Base frequency is 24000 kHz, divisors are (in order) |
| 105 | * 1, 3, 2, 8, 11, 16, 32, 64. |
| 106 | */ |
| 107 | switch (speed) { |
| 108 | case 0x0: |
| 109 | khz = 24000; |
| 110 | break; |
| 111 | case 0x1: |
| 112 | khz = 8000; |
| 113 | break; |
| 114 | case 0x2: |
| 115 | khz = 12000; |
| 116 | break; |
| 117 | case 0x3: |
| 118 | khz = 3000; |
| 119 | break; |
| 120 | case 0x4: |
| 121 | khz = 2180; |
| 122 | break; |
| 123 | case 0x5: |
| 124 | khz = 1500; |
| 125 | break; |
| 126 | case 0x6: |
| 127 | khz = 750; |
| 128 | break; |
| 129 | case 0x7: |
| 130 | khz = 375; |
| 131 | break; |
| 132 | default: |
| 133 | msg_perr("Unknown frequency selector 0x%x! Aborting.\n", speed); |
| 134 | return 1; |
| 135 | } |
| 136 | msg_pdbg("Setting SPI speed to %u kHz\n", khz); |
| 137 | |
| 138 | ret = usb_control_msg(dediprog_handle, 0x42, 0x61, speed, 0xff, NULL, 0x0, DEFAULT_TIMEOUT); |
| 139 | if (ret != 0x0) { |
| 140 | msg_perr("Command Set SPI Speed 0x%x failed!\n", speed); |
| 141 | return 1; |
| 142 | } |
| 143 | return 0; |
| 144 | } |
| 145 | |
| 146 | int dediprog_spi_read(struct flashchip *flash, uint8_t *buf, int start, int len) |
| 147 | { |
Carl-Daniel Hailfinger | eac6579 | 2010-01-22 02:53:30 +0000 | [diff] [blame] | 148 | msg_pspew("%s, start=0x%x, len=0x%x\n", __func__, start, len); |
| 149 | /* Chosen read length is 16 bytes for now. */ |
| 150 | return spi_read_chunked(flash, buf, start, len, 16); |
Carl-Daniel Hailfinger | d38fac8 | 2010-01-19 11:15:48 +0000 | [diff] [blame] | 151 | } |
| 152 | |
| 153 | int dediprog_spi_send_command(unsigned int writecnt, unsigned int readcnt, |
| 154 | const unsigned char *writearr, unsigned char *readarr) |
| 155 | { |
| 156 | int ret; |
| 157 | |
Carl-Daniel Hailfinger | eac6579 | 2010-01-22 02:53:30 +0000 | [diff] [blame] | 158 | msg_pspew("%s, writecnt=%i, readcnt=%i\n", __func__, writecnt, readcnt); |
Carl-Daniel Hailfinger | d38fac8 | 2010-01-19 11:15:48 +0000 | [diff] [blame] | 159 | /* Paranoid, but I don't want to be blamed if anything explodes. */ |
Carl-Daniel Hailfinger | eac6579 | 2010-01-22 02:53:30 +0000 | [diff] [blame] | 160 | if (writecnt > 5) { |
Carl-Daniel Hailfinger | d38fac8 | 2010-01-19 11:15:48 +0000 | [diff] [blame] | 161 | msg_perr("Untested writecnt=%i, aborting.\n", writecnt); |
Carl-Daniel Hailfinger | eac6579 | 2010-01-22 02:53:30 +0000 | [diff] [blame] | 162 | return 1; |
| 163 | } |
| 164 | /* 16 byte reads should work. */ |
| 165 | if (readcnt > 16) { |
Carl-Daniel Hailfinger | d38fac8 | 2010-01-19 11:15:48 +0000 | [diff] [blame] | 166 | msg_perr("Untested readcnt=%i, aborting.\n", readcnt); |
Carl-Daniel Hailfinger | eac6579 | 2010-01-22 02:53:30 +0000 | [diff] [blame] | 167 | return 1; |
| 168 | } |
Carl-Daniel Hailfinger | d38fac8 | 2010-01-19 11:15:48 +0000 | [diff] [blame] | 169 | |
| 170 | ret = usb_control_msg(dediprog_handle, 0x42, 0x1, 0xff, readcnt ? 0x1 : 0x0, (char *)writearr, writecnt, DEFAULT_TIMEOUT); |
| 171 | if (ret != writecnt) { |
Carl-Daniel Hailfinger | eac6579 | 2010-01-22 02:53:30 +0000 | [diff] [blame] | 172 | msg_perr("Send SPI failed, expected %i, got %i %s!\n", |
| 173 | writecnt, ret, usb_strerror()); |
Carl-Daniel Hailfinger | d38fac8 | 2010-01-19 11:15:48 +0000 | [diff] [blame] | 174 | return 1; |
| 175 | } |
| 176 | if (!readcnt) |
| 177 | return 0; |
| 178 | memset(readarr, 0, readcnt); |
| 179 | ret = usb_control_msg(dediprog_handle, 0xc2, 0x01, 0xbb8, 0x0000, (char *)readarr, readcnt, DEFAULT_TIMEOUT); |
| 180 | if (ret != readcnt) { |
Carl-Daniel Hailfinger | eac6579 | 2010-01-22 02:53:30 +0000 | [diff] [blame] | 181 | msg_perr("Receive SPI failed, expected %i, got %i %s!\n", |
| 182 | readcnt, ret, usb_strerror()); |
Carl-Daniel Hailfinger | d38fac8 | 2010-01-19 11:15:48 +0000 | [diff] [blame] | 183 | return 1; |
| 184 | } |
| 185 | return 0; |
| 186 | } |
| 187 | |
| 188 | int dediprog_check_devicestring(void) |
| 189 | { |
| 190 | int ret; |
| 191 | char buf[0x11]; |
| 192 | |
| 193 | /* Command Prepare Receive Device String. */ |
| 194 | memset(buf, 0, sizeof(buf)); |
| 195 | ret = usb_control_msg(dediprog_handle, 0xc3, 0x7, 0x0, 0xef03, buf, 0x1, DEFAULT_TIMEOUT); |
| 196 | /* The char casting is needed to stop gcc complaining about an always true comparison. */ |
| 197 | if ((ret != 0x1) || (buf[0] != (char)0xff)) { |
| 198 | msg_perr("Unexpected response to Command Prepare Receive Device" |
| 199 | " String!\n"); |
| 200 | return 1; |
| 201 | } |
| 202 | /* Command Receive Device String. */ |
| 203 | memset(buf, 0, sizeof(buf)); |
| 204 | ret = usb_control_msg(dediprog_handle, 0xc2, 0x8, 0xff, 0xff, buf, 0x10, DEFAULT_TIMEOUT); |
| 205 | if (ret != 0x10) { |
| 206 | msg_perr("Incomplete/failed Command Receive Device String!\n"); |
| 207 | return 1; |
| 208 | } |
| 209 | buf[0x10] = '\0'; |
| 210 | msg_pdbg("Found a %s\n", buf); |
| 211 | if (memcmp(buf, "SF100", 0x5)) { |
| 212 | msg_perr("Device not a SF100!\n"); |
| 213 | return 1; |
| 214 | } |
| 215 | /* Only these versions were tested. */ |
| 216 | if (memcmp(buf, "SF100 V:2.1.1 ", 0x10) && |
| 217 | memcmp(buf, "SF100 V:3.1.8 ", 0x10)) { |
| 218 | msg_perr("Unexpected firmware version!\n"); |
| 219 | return 1; |
| 220 | } |
| 221 | return 0; |
| 222 | } |
| 223 | |
| 224 | /* Command A seems to be some sort of device init. It is either followed by |
| 225 | * dediprog_check_devicestring (often) or Command A (often) or |
| 226 | * Command F (once). |
| 227 | */ |
| 228 | int dediprog_command_a(void) |
| 229 | { |
| 230 | int ret; |
| 231 | char buf[0x1]; |
| 232 | |
| 233 | memset(buf, 0, sizeof(buf)); |
| 234 | ret = usb_control_msg(dediprog_handle, 0xc3, 0xb, 0x0, 0x0, buf, 0x1, DEFAULT_TIMEOUT); |
| 235 | if ((ret != 0x1) || (buf[0] != 0x6f)) { |
| 236 | msg_perr("Unexpected response to Command A!\n"); |
| 237 | return 1; |
| 238 | } |
| 239 | return 0; |
| 240 | } |
| 241 | |
| 242 | /* Command C is only sent after dediprog_check_devicestring, but not after every |
| 243 | * invocation of dediprog_check_devicestring. It is only sent after the first |
| 244 | * dediprog_command_a(); dediprog_check_devicestring() sequence in each session. |
| 245 | * I'm tempted to call this one start_SPI_engine or finish_init. |
| 246 | */ |
| 247 | int dediprog_command_c(void) |
| 248 | { |
| 249 | int ret; |
| 250 | |
| 251 | ret = usb_control_msg(dediprog_handle, 0x42, 0x4, 0x0, 0x0, NULL, 0x0, DEFAULT_TIMEOUT); |
| 252 | if (ret != 0x0) { |
| 253 | msg_perr("Unexpected response to Command C!\n"); |
| 254 | return 1; |
| 255 | } |
| 256 | return 0; |
| 257 | } |
| 258 | |
| 259 | /* Very strange. Seems to be a programmer keepalive or somesuch. |
| 260 | * Wait unsuccessfully for timeout ms to read one byte. |
| 261 | * Is usually called after setting voltage to 0. |
| 262 | */ |
| 263 | int dediprog_command_f(int timeout) |
| 264 | { |
| 265 | int ret; |
| 266 | char buf[0x1]; |
| 267 | |
| 268 | memset(buf, 0, sizeof(buf)); |
| 269 | ret = usb_control_msg(dediprog_handle, 0xc2, 0x11, 0xff, 0xff, buf, 0x1, timeout); |
| 270 | if (ret != 0x0) { |
| 271 | msg_perr("Unexpected response to Command F!\n"); |
| 272 | return 1; |
| 273 | } |
| 274 | return 0; |
| 275 | } |
| 276 | |
| 277 | /* URB numbers refer to the first log ever captured. */ |
| 278 | int dediprog_init(void) |
| 279 | { |
| 280 | struct usb_device *dev; |
| 281 | |
| 282 | msg_pspew("%s\n", __func__); |
| 283 | |
| 284 | /* Here comes the USB stuff. */ |
| 285 | usb_init(); |
| 286 | usb_find_busses(); |
| 287 | usb_find_devices(); |
| 288 | dev = get_device_by_vid_pid(0x0483, 0xdada); |
| 289 | if (!dev) { |
| 290 | msg_perr("Could not find a Dediprog SF100 on USB!\n"); |
| 291 | return 1; |
| 292 | } |
| 293 | msg_pdbg("Found USB device (%04x:%04x).\n", |
| 294 | dev->descriptor.idVendor, |
| 295 | dev->descriptor.idProduct); |
| 296 | dediprog_handle = usb_open(dev); |
| 297 | /* URB 6. Command A. */ |
| 298 | if (dediprog_command_a()) |
| 299 | return 1; |
| 300 | /* URB 7. Command A. */ |
| 301 | if (dediprog_command_a()) |
| 302 | return 1; |
| 303 | /* URB 8. Command Prepare Receive Device String. */ |
| 304 | /* URB 9. Command Receive Device String. */ |
| 305 | if (dediprog_check_devicestring()) |
| 306 | return 1; |
| 307 | /* URB 10. Command C. */ |
| 308 | if (dediprog_command_c()) |
| 309 | return 1; |
| 310 | /* URB 11. Command Set SPI Voltage. */ |
| 311 | if (dediprog_set_spi_voltage(0x10)) |
| 312 | return 1; |
| 313 | |
| 314 | buses_supported = CHIP_BUSTYPE_SPI; |
| 315 | spi_controller = SPI_CONTROLLER_DEDIPROG; |
| 316 | |
| 317 | /* RE leftover, leave in until the driver is complete. */ |
| 318 | #if 0 |
| 319 | /* Execute RDID by hand if you want to test it. */ |
| 320 | dediprog_do_stuff(); |
| 321 | #endif |
| 322 | |
| 323 | return 0; |
| 324 | } |
| 325 | |
| 326 | /* Leftovers from reverse engineering. Keep for documentation purposes until |
| 327 | * completely understood. |
| 328 | */ |
| 329 | int dediprog_do_stuff(void) |
| 330 | { |
| 331 | char buf[0x4]; |
| 332 | /* SPI command processing starts here. */ |
| 333 | |
| 334 | /* URB 12. Command Send SPI. */ |
| 335 | /* URB 13. Command Receive SPI. */ |
| 336 | memset(buf, 0, sizeof(buf)); |
| 337 | /* JEDEC RDID */ |
| 338 | msg_pdbg("Sending RDID\n"); |
| 339 | buf[0] = JEDEC_RDID; |
| 340 | if (dediprog_spi_send_command(JEDEC_RDID_OUTSIZE, JEDEC_RDID_INSIZE, (unsigned char *)buf, (unsigned char *)buf)) |
| 341 | return 1; |
| 342 | msg_pdbg("Receiving response: "); |
| 343 | print_hex(buf, JEDEC_RDID_INSIZE); |
| 344 | #if 0 |
| 345 | /* URB 14-27 are more SPI commands. */ |
| 346 | /* URB 28. Command Set SPI Voltage. */ |
| 347 | if (dediprog_set_spi_voltage(0x0)) |
| 348 | return 1; |
| 349 | /* URB 29-38. Command F, unsuccessful wait. */ |
| 350 | if (dediprog_command_f(544)) |
| 351 | return 1; |
| 352 | /* URB 39. Command Set SPI Voltage. */ |
| 353 | if (dediprog_set_spi_voltage(0x10)) |
| 354 | return 1; |
| 355 | /* URB 40. Command Set SPI Speed. */ |
| 356 | if (dediprog_set_spi_speed(0x2)) |
| 357 | return 1; |
| 358 | /* URB 41 is just URB 28. */ |
| 359 | /* URB 42,44,46,48,51,53 is just URB 8. */ |
| 360 | /* URB 43,45,47,49,52,54 is just URB 9. */ |
| 361 | /* URB 50 is just URB 6/7. */ |
| 362 | /* URB 55-131 is just URB 29-38. (wait unsuccessfully for 4695 (maybe 4751) ms)*/ |
| 363 | /* URB 132,134 is just URB 6/7. */ |
| 364 | /* URB 133 is just URB 29-38. */ |
| 365 | /* URB 135 is just URB 8. */ |
| 366 | /* URB 136 is just URB 9. */ |
| 367 | /* URB 137 is just URB 11. */ |
| 368 | |
| 369 | /* Command I is probably Start Bulk Read. Data is u16 blockcount, u16 blocksize. */ |
| 370 | /* Command J is probably Start Bulk Write. Data is u16 blockcount, u16 blocksize. */ |
| 371 | /* Bulk transfer sizes for Command I/J are always 512 bytes, rest is filled with 0xff. */ |
| 372 | #endif |
| 373 | |
| 374 | msg_pinfo("All probes will fail because this driver is not hooked up " |
| 375 | "to the SPI infrastructure yet."); |
| 376 | return 0; |
| 377 | } |
| 378 | |
| 379 | int dediprog_shutdown(void) |
| 380 | { |
| 381 | msg_pspew("%s\n", __func__); |
| 382 | |
| 383 | /* URB 28. Command Set SPI Voltage to 0. */ |
| 384 | if (dediprog_set_spi_voltage(0x0)) |
| 385 | return 1; |
| 386 | |
| 387 | if (usb_close(dediprog_handle)) { |
| 388 | msg_perr("Couldn't close USB device!\n"); |
| 389 | return 1; |
| 390 | } |
| 391 | return 0; |
| 392 | } |