3 /* (C) 2010 by Harald Welte <laforge@gnumonks.org>
4 * (C) 2010 by Holger Hans Peter Freyther <zecke@selfish.org>
5 * (C) 2010 by Steve Markgraf <steve@steve-m.de>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
33 #include <sys/ioctl.h>
34 #include <sys/types.h>
35 #include <sys/socket.h>
41 #include <osmocore/linuxlist.h>
42 #include <osmocore/select.h>
43 #include <osmocore/talloc.h>
44 #include <osmocore/timer.h>
46 #include <arpa/inet.h>
48 #define MODEM_BAUDRATE B115200
49 #define MAX_DNLOAD_SIZE 0xFFFF
50 #define MAX_HDR_SIZE 128
51 #define MAGIC_OFFSET 0x3be2
53 #define BEACON_INTERVAL 50000
54 #define ROMLOAD_INIT_BAUDRATE B19200
55 #define ROMLOAD_DL_BAUDRATE B115200
56 #define ROMLOAD_BLOCK_HDR_LEN 10
57 #define ROMLOAD_ADDRESS 0x820000
59 struct tool_server *tool_server_for_dlci[256];
62 * a connection from some other tool
64 struct tool_connection {
65 struct tool_server *server;
66 struct llist_head entry;
76 struct llist_head connections;
87 WAITING_IDENTIFICATION,
108 enum dnload_state state;
109 enum romload_state romload_state;
110 enum dnload_mode mode;
111 struct bsc_fd serial_fd;
116 /* data to be downloaded */
122 /* romload: block to be downloaded */
125 uint8_t block_number;
126 uint16_t block_payload_size;
127 int romload_dl_checksum;
129 uint8_t load_address[4];
131 struct tool_server layer2_server;
132 struct tool_server loader_server;
136 static struct dnload dnload;
137 static struct timer_list tick_timer;
139 /* Compal ramloader specific */
140 static const uint8_t phone_prompt1[] = { 0x1b, 0xf6, 0x02, 0x00, 0x41, 0x01, 0x40 };
141 static const uint8_t dnload_cmd[] = { 0x1b, 0xf6, 0x02, 0x00, 0x52, 0x01, 0x53 };
142 static const uint8_t phone_prompt2[] = { 0x1b, 0xf6, 0x02, 0x00, 0x41, 0x02, 0x43 };
143 static const uint8_t phone_ack[] = { 0x1b, 0xf6, 0x02, 0x00, 0x41, 0x03, 0x42 };
144 static const uint8_t phone_nack_magic[]= { 0x1b, 0xf6, 0x02, 0x00, 0x41, 0x03, 0x57 };
145 static const uint8_t phone_nack[] = { 0x1b, 0xf6, 0x02, 0x00, 0x45, 0x53, 0x16 };
146 static const uint8_t ftmtool[] = { 0x66, 0x74, 0x6d, 0x74, 0x6f, 0x6f, 0x6c };
147 static const uint8_t phone_magic[] = { 0x31, 0x30, 0x30, 0x33 }; /* "1003" */
149 /* The C123 has a hard-coded check inside the ramloader that requires the
150 * following bytes to be always the first four bytes of the image */
151 static const uint8_t data_hdr_c123[] = { 0xee, 0x4c, 0x9f, 0x63 };
153 /* The C155 doesn't have some strange restriction on what the first four bytes
154 * have to be, but it starts the ramloader in THUMB mode. We use the following
155 * four bytes to switch back to ARM mode:
157 800102: 46c0 nop ; (mov r8, r8)
159 static const uint8_t data_hdr_c155[] = { 0x78, 0x47, 0xc0, 0x46 };
161 /* romloader specific */
162 static const uint8_t romload_ident_cmd[] = { 0x3c, 0x69 }; /* <i */
163 static const uint8_t romload_abort_cmd[] = { 0x3c, 0x61 }; /* <a */
164 static const uint8_t romload_write_cmd[] = { 0x3c, 0x77 }; /* <w */
165 static const uint8_t romload_checksum_cmd[] = { 0x3c, 0x63 }; /* <c */
166 static const uint8_t romload_branch_cmd[] = { 0x3c, 0x62 }; /* <b */
167 static const uint8_t romload_ident_ack[] = { 0x3e, 0x69 }; /* >i */
168 static const uint8_t romload_param_ack[] = { 0x3e, 0x70 }; /* >p */
169 static const uint8_t romload_param_nack[] = { 0x3e, 0x50 }; /* >P */
170 static const uint8_t romload_block_ack[] = { 0x3e, 0x77 }; /* >w */
171 static const uint8_t romload_block_nack[] = { 0x3e, 0x57 }; /* >W */
172 static const uint8_t romload_checksum_ack[] = { 0x3e, 0x63 }; /* >c */
173 static const uint8_t romload_checksum_nack[] = { 0x3e, 0x43 }; /* >C */
174 static const uint8_t romload_branch_ack[] = { 0x3e, 0x62 }; /* >b */
175 static const uint8_t romload_branch_nack[] = { 0x3e, 0x42 }; /* >B */
177 /* romload_param: {"<p", uint8_t baudrate, uint8_t dpll, uint16_t memory_config,
178 * uint8_t strobe_af, uint32_t uart_timeout} */
180 static const uint8_t romload_param[] = { 0x3c, 0x70, 0x00, 0x00, 0x00, 0x04,
181 0x00, 0x00, 0x00, 0x00, 0x00 };
183 /* FIXME: this routine is more or less what openbsc/src/rs232:rs232_setup()
184 * does, we should move it to libosmocore at some point */
185 static int serial_init(const char *serial_port)
187 int rc, serial_fd, v24;
190 serial_fd = open(serial_port, O_RDWR | O_NOCTTY | O_NDELAY);
192 perror("cannot open serial port");
196 //fcntl(serial_fd, F_SETFL, 0);
198 /* Configure serial interface */
199 rc = tcgetattr(serial_fd, &tio);
201 perror("tcgetattr()");
204 cfsetispeed(&tio, MODEM_BAUDRATE);
205 cfsetospeed(&tio, MODEM_BAUDRATE);
206 tio.c_cflag &= ~(PARENB | CSTOPB | CSIZE | CRTSCTS);
207 tio.c_cflag |= (CREAD | CLOCAL | CS8);
208 tio.c_lflag &= ~(ICANON | ECHO | ECHOE | ISIG);
209 tio.c_iflag |= (INPCK | ISTRIP);
210 tio.c_iflag &= ~(ISTRIP | IXON | IXOFF | IGNBRK | INLCR | ICRNL | IGNCR);
211 tio.c_oflag &= ~(OPOST | ONLCR);
212 rc = tcsetattr(serial_fd, TCSANOW, &tio);
214 perror("tcsetattr()");
218 /* set ready to read/write */
219 v24 = TIOCM_DTR | TIOCM_RTS;
220 rc = ioctl(serial_fd, TIOCMBIS, &v24);
222 perror("ioctl(TIOCMBIS)");
229 static int serial_set_baudrate(speed_t baudrate)
234 rc = tcgetattr(dnload.serial_fd.fd, &tio);
236 perror("tcgetattr()");
239 cfsetispeed(&tio, baudrate);
240 cfsetospeed(&tio, baudrate);
242 rc = tcsetattr(dnload.serial_fd.fd, TCSANOW, &tio);
246 static void beacon_timer_cb(void *p)
250 if (dnload.romload_state == WAITING_IDENTIFICATION) {
251 printf("Sending beacon...\n");
252 rc = write(dnload.serial_fd.fd, romload_ident_cmd,
253 sizeof(romload_ident_cmd));
255 if (!(rc == sizeof(romload_ident_cmd)))
256 printf("Error sending identification beacon\n");
258 bsc_schedule_timer(p, 0, BEACON_INTERVAL);
262 /* Read the to-be-downloaded file, prepend header and length, append XOR sum */
263 int read_file(const char *filename)
267 const uint8_t *hdr = NULL;
273 uint8_t running_xor = 0x02;
275 fd = open(filename, O_RDONLY);
277 perror("opening file");
282 if (st.st_size > MAX_DNLOAD_SIZE) {
283 fprintf(stderr, "The maximum file size is 64kBytes (%u bytes)\n",
293 if (dnload.mode == MODE_C140 || dnload.mode == MODE_C140xor) {
294 if (st.st_size < (MAGIC_OFFSET + sizeof(phone_magic)))
295 payload_size = MAGIC_OFFSET + sizeof(phone_magic);
297 printf("\nThe filesize is larger than 15kb, code on "
298 "the magic address will be overwritten!\nUse "
299 "loader.bin and upload the application with "
300 "osmoload instead!\n\n");
301 payload_size = st.st_size;
304 payload_size = st.st_size;
306 dnload.data = malloc(MAX_HDR_SIZE + payload_size);
310 fprintf(stderr, "No memory\n");
314 /* copy in the header, if any */
315 switch (dnload.mode) {
318 hdr_len = sizeof(data_hdr_c155);
325 hdr_len = sizeof(data_hdr_c123);
334 memcpy(dnload.data, hdr, hdr_len);
336 /* 2 bytes for length + header */
337 file_data = dnload.data + 2 + hdr_len;
339 /* write the length, keep running XOR */
340 tot_len = hdr_len + payload_size;
341 nibble = tot_len >> 8;
342 dnload.data[0] = nibble;
343 running_xor ^= nibble;
344 nibble = tot_len & 0xff;
345 dnload.data[1] = nibble;
346 running_xor ^= nibble;
348 if (hdr_len && hdr) {
349 memcpy(dnload.data+2, hdr, hdr_len);
351 for (i = 0; i < hdr_len; i++)
352 running_xor ^= hdr[i];
355 rc = read(fd, file_data, st.st_size);
357 perror("error reading file\n");
363 if (rc < st.st_size) {
367 fprintf(stderr, "Short read of file (%d < %d)\n",
368 rc, (int)st.st_size);
374 dnload.data_len = (file_data+payload_size) - dnload.data;
376 /* fill memory between data end and magic, add magic */
377 if(dnload.mode == MODE_C140 || dnload.mode == MODE_C140xor) {
378 if (st.st_size < MAGIC_OFFSET)
379 memset(file_data + st.st_size, 0x00,
380 payload_size - st.st_size);
381 memcpy(dnload.data + MAGIC_OFFSET, phone_magic,
382 sizeof(phone_magic));
385 /* calculate XOR sum */
386 for (i = 0; i < payload_size; i++)
387 running_xor ^= file_data[i];
389 dnload.data[dnload.data_len++] = running_xor;
391 /* initialize write pointer to start of data */
392 dnload.write_ptr = dnload.data;
394 printf("read_file(%s): file_size=%u, hdr_len=%u, dnload_len=%u\n",
395 filename, (int)st.st_size, hdr_len, dnload.data_len);
400 static void hexdump(const uint8_t *data, unsigned int len)
402 const uint8_t *bufptr = data;
405 for (n=0; n < len; n++, bufptr++)
406 printf("%02x ", *bufptr);
410 static int romload_prepare_block(void)
414 int block_checksum = 5;
418 uint32_t block_address;
420 dnload.block_len = ROMLOAD_BLOCK_HDR_LEN + dnload.block_payload_size;
422 /* if first block, allocate memory */
423 if (!dnload.block_number) {
424 dnload.block = malloc(dnload.block_len);
426 fprintf(stderr, "No memory\n");
429 dnload.romload_dl_checksum = 0;
430 /* initialize write pointer to start of data */
431 dnload.write_ptr = dnload.data;
434 block_address = ROMLOAD_ADDRESS +
435 (dnload.block_number * dnload.block_payload_size);
437 /* prepare our block header (10 bytes) */
438 memcpy(dnload.block, romload_write_cmd, sizeof(romload_write_cmd));
439 dnload.block[2] = 0x01; /* block index */
440 /* should normally be the block number, but hangs when sending !0x01 */
441 dnload.block[3] = 0x01; /* dnload.block_number+1 */
442 dnload.block[4] = (dnload.block_payload_size >> 8) & 0xff;
443 dnload.block[5] = dnload.block_payload_size & 0xff;
444 dnload.block[6] = (block_address >> 24) & 0xff;
445 dnload.block[7] = (block_address >> 16) & 0xff;
446 dnload.block[8] = (block_address >> 8) & 0xff;
447 dnload.block[9] = block_address & 0xff;
449 block_data = dnload.block + ROMLOAD_BLOCK_HDR_LEN;
450 dnload.write_ptr = dnload.data + 2 +
451 (dnload.block_payload_size * dnload.block_number);
453 remaining_bytes = dnload.data_len - 3 -
454 (dnload.block_payload_size * dnload.block_number);
456 memcpy(block_data, dnload.write_ptr, dnload.block_payload_size);
458 if (remaining_bytes <= dnload.block_payload_size) {
459 fill_bytes = (dnload.block_payload_size - remaining_bytes);
460 printf("Preparing the last block, filling %i bytes,",
462 memset(block_data + remaining_bytes, 0x00, fill_bytes);
463 dnload.romload_state = SENDING_LAST_BLOCK;
465 dnload.romload_state = SENDING_BLOCKS;
466 printf("Preparing block %i,", dnload.block_number+1);
469 /* block checksum is lsb of ~(5 + block_size_lsb + all bytes of
470 * block_address + all data bytes) */
471 for (i = 5; i < ROMLOAD_BLOCK_HDR_LEN + dnload.block_payload_size; i++)
472 block_checksum += dnload.block[i];
474 /* checksum is lsb of ~(sum of LSBs of all block checksums) */
475 printf(" block checksum is 0x%02x \n", ~(block_checksum) & 0xff);
476 dnload.romload_dl_checksum += ~(block_checksum) & 0xff;
478 /* initialize block pointer to start of block */
479 dnload.block_ptr = dnload.block;
481 dnload.block_number++;
482 dnload.serial_fd.when = BSC_FD_READ | BSC_FD_WRITE;
486 static int handle_write_block(void)
488 int bytes_left, write_len, rc;
490 printf("handle_write_block(): ");
492 if (dnload.block_ptr >= dnload.block + dnload.block_len) {
493 printf("Block %i finished\n", dnload.block_number);
494 dnload.write_ptr = dnload.data;
495 dnload.serial_fd.when &= ~BSC_FD_WRITE;
496 if (dnload.romload_state == SENDING_LAST_BLOCK) {
497 dnload.romload_state = LAST_BLOCK_SENT;
498 printf("Finished, sent %i blocks in total\n",
499 dnload.block_number);
501 dnload.romload_state = WAITING_BLOCK_ACK;
507 /* try to write a maximum of block_len bytes */
508 bytes_left = (dnload.block + dnload.block_len) - dnload.block_ptr;
509 write_len = dnload.block_len;
510 if (bytes_left < dnload.block_len)
511 write_len = bytes_left;
513 rc = write(dnload.serial_fd.fd, dnload.block_ptr, write_len);
515 perror("Error during write");
519 dnload.block_ptr += rc;
521 printf("%u bytes (%tu/%u)\n", rc, dnload.block_ptr - dnload.block,
527 #define WRITE_BLOCK 4096
529 static int handle_write_dnload(void)
531 int bytes_left, write_len, rc;
532 uint8_t xor_init = 0x02;
534 printf("handle_write(): ");
535 if (dnload.write_ptr == dnload.data) {
536 /* no bytes have been transferred yet */
537 switch (dnload.mode) {
541 rc = write(dnload.serial_fd.fd, &xor_init, 1);
546 } else if (dnload.write_ptr >= dnload.data + dnload.data_len) {
547 printf("finished\n");
548 dnload.write_ptr = dnload.data;
549 dnload.serial_fd.when &= ~BSC_FD_WRITE;
553 /* try to write a maximum of WRITE_BLOCK bytes */
554 bytes_left = (dnload.data + dnload.data_len) - dnload.write_ptr;
555 write_len = WRITE_BLOCK;
556 if (bytes_left < WRITE_BLOCK)
557 write_len = bytes_left;
559 rc = write(dnload.serial_fd.fd, dnload.write_ptr, write_len);
561 perror("Error during write");
565 dnload.write_ptr += rc;
567 printf("%u bytes (%tu/%u)\n", rc, dnload.write_ptr - dnload.data,
573 static int handle_sercomm_write(void)
577 if (sercomm_drv_pull(&c) != 0) {
578 if (write(dnload.serial_fd.fd, &c, 1) != 1)
579 perror("short write");
581 dnload.serial_fd.when &= ~BSC_FD_WRITE;
586 static int handle_write(void)
588 if (dnload.mode == MODE_ROMLOAD) {
589 switch (dnload.romload_state) {
591 case SENDING_LAST_BLOCK:
592 return handle_write_block();
594 return handle_sercomm_write();
597 switch (dnload.state) {
599 return handle_write_dnload();
601 return handle_sercomm_write();
608 static uint8_t buffer[sizeof(phone_prompt1)];
609 static uint8_t *bufptr = buffer;
611 static void hdlc_send_to_phone(uint8_t dlci, uint8_t *data, int len)
616 printf("hdlc_send_to_phone(dlci=%u): ", dlci);
620 fprintf(stderr, "Too much data to send. %u\n", len);
624 /* push the message into the stack */
625 msg = sercomm_alloc_msgb(512);
627 fprintf(stderr, "Failed to create data for the frame.\n");
632 dest = msgb_put(msg, len);
633 memcpy(dest, data, len);
635 sercomm_sendmsg(dlci, msg);
637 dnload.serial_fd.when |= BSC_FD_WRITE;
640 static void hdlc_console_cb(uint8_t dlci, struct msgb *msg)
644 rc = write(1, msg->data, msg->len);
648 static void hdlc_tool_cb(uint8_t dlci, struct msgb *msg)
650 struct tool_server *srv = tool_server_for_dlci[dlci];
653 struct tool_connection *con;
656 len = (u_int16_t *) msgb_push(msg, 2);
657 *len = htons(msg->len - sizeof(*len));
659 llist_for_each_entry(con, &srv->connections, entry) {
660 if (write(con->fd.fd, msg->data, msg->len) != msg->len) {
662 "Failed to write msg to the socket..\n");
671 static void print_hdlc(uint8_t *buffer, int length)
675 for (i = 0; i < length; ++i)
676 if (sercomm_drv_rx_char(buffer[i]) == 0)
677 printf("Dropping sample '%c'\n", buffer[i]);
680 static int handle_buffer(int buf_used_len)
682 int nbytes, buf_left;
684 buf_left = buf_used_len - (bufptr - buffer);
686 memmove(buffer, buffer+1, buf_used_len-1);
691 nbytes = read(dnload.serial_fd.fd, bufptr, buf_left);
695 if (!dnload.print_hdlc) {
696 printf("got %i bytes from modem, ", nbytes);
697 printf("data looks like: ");
698 hexdump(bufptr, nbytes);
700 print_hdlc(bufptr, nbytes);
706 /* Compal ramloader */
707 static int handle_read(void)
711 nbytes = handle_buffer(sizeof(buffer));
715 if (!memcmp(buffer, phone_prompt1, sizeof(phone_prompt1))) {
716 printf("Received PROMPT1 from phone, responding with CMD\n");
717 dnload.print_hdlc = 0;
718 dnload.state = WAITING_PROMPT2;
719 rc = write(dnload.serial_fd.fd, dnload_cmd, sizeof(dnload_cmd));
722 rc = read_file(dnload.filename);
724 fprintf(stderr, "read_file(%s) failed with %d\n",
725 dnload.filename, rc);
728 } else if (!memcmp(buffer, phone_prompt2, sizeof(phone_prompt2))) {
729 printf("Received PROMPT2 from phone, starting download\n");
730 dnload.serial_fd.when = BSC_FD_READ | BSC_FD_WRITE;
731 dnload.state = DOWNLOADING;
732 } else if (!memcmp(buffer, phone_ack, sizeof(phone_ack))) {
733 printf("Received DOWNLOAD ACK from phone, your code is"
735 dnload.serial_fd.when = BSC_FD_READ;
736 dnload.state = WAITING_PROMPT1;
737 dnload.write_ptr = dnload.data;
738 dnload.print_hdlc = 1;
739 } else if (!memcmp(buffer, phone_nack, sizeof(phone_nack))) {
740 printf("Received DOWNLOAD NACK from phone, something went"
742 dnload.serial_fd.when = BSC_FD_READ;
743 dnload.state = WAITING_PROMPT1;
744 dnload.write_ptr = dnload.data;
745 } else if (!memcmp(buffer, phone_nack_magic, sizeof(phone_nack_magic))) {
746 printf("Received MAGIC NACK from phone, you need to"
747 " have \"1003\" at 0x803ce0\n");
748 dnload.serial_fd.when = BSC_FD_READ;
749 dnload.state = WAITING_PROMPT1;
750 dnload.write_ptr = dnload.data;
751 } else if (!memcmp(buffer, ftmtool, sizeof(ftmtool))) {
752 printf("Received FTMTOOL from phone, ramloader has aborted\n");
753 dnload.serial_fd.when = BSC_FD_READ;
754 dnload.state = WAITING_PROMPT1;
755 dnload.write_ptr = dnload.data;
762 /* "Calypso non-secure romloader" */
763 static int handle_read_romload(void)
765 int rc, nbytes, buf_used_len;
767 /* virtually limit buffer length for romloader, since responses
768 * are shorter and vary in length */
770 switch (dnload.romload_state) {
771 case WAITING_PARAM_ACK:
772 buf_used_len = 4; /* ">p" + uint16_t len */
774 case WAITING_CHECKSUM_ACK:
775 buf_used_len = 3; /* ">c" + uint8_t checksum */
778 buf_used_len = sizeof(buffer);
781 buf_used_len = 2; /* ">*" */
784 nbytes = handle_buffer(buf_used_len);
788 switch (dnload.romload_state) {
789 case WAITING_IDENTIFICATION:
790 if (memcmp(buffer, romload_ident_ack,
791 sizeof(romload_ident_ack)))
794 printf("Received ident ack from phone, sending "
795 "parameter sequence\n");
796 dnload.print_hdlc = 1;
797 dnload.romload_state = WAITING_PARAM_ACK;
798 rc = write(dnload.serial_fd.fd, romload_param,
799 sizeof(romload_param));
801 rc = read_file(dnload.filename);
803 fprintf(stderr, "read_file(%s) failed with %d\n",
804 dnload.filename, rc);
808 case WAITING_PARAM_ACK:
809 if (memcmp(buffer, romload_param_ack,
810 sizeof(romload_param_ack)))
813 printf("Received parameter ack from phone, "
814 "starting download\n");
815 serial_set_baudrate(ROMLOAD_DL_BAUDRATE);
817 /* using the max blocksize the phone tells us */
818 dnload.block_payload_size = ((buffer[3] << 8) + buffer[2]);
819 printf("Used blocksize for download is %i bytes\n",
820 dnload.block_payload_size);
821 dnload.block_payload_size -= ROMLOAD_BLOCK_HDR_LEN;
822 dnload.romload_state = SENDING_BLOCKS;
823 dnload.block_number = 0;
824 romload_prepare_block();
827 case WAITING_BLOCK_ACK:
828 case LAST_BLOCK_SENT:
829 if (!memcmp(buffer, romload_block_ack,
830 sizeof(romload_block_ack))) {
831 printf("Received block ack from phone\n");
832 if (dnload.romload_state == LAST_BLOCK_SENT) {
833 /* send the checksum */
834 uint8_t final_checksum =
835 (~(dnload.romload_dl_checksum) & 0xff);
836 printf("Sending checksum: 0x%02x \n",
838 rc = write(dnload.serial_fd.fd,
839 romload_checksum_cmd,
840 sizeof(romload_checksum_cmd));
841 rc = write(dnload.serial_fd.fd,
843 dnload.romload_state = WAITING_CHECKSUM_ACK;
845 romload_prepare_block();
846 } else if (!memcmp(buffer, romload_block_nack,
847 sizeof(romload_block_nack))) {
848 printf("Received block nack from phone, "
849 "something went wrong, aborting\n");
850 serial_set_baudrate(ROMLOAD_INIT_BAUDRATE);
851 dnload.romload_state = WAITING_IDENTIFICATION;
852 bsc_schedule_timer(&tick_timer, 0, BEACON_INTERVAL);
855 case WAITING_CHECKSUM_ACK:
856 if (!memcmp(buffer, romload_checksum_ack,
857 sizeof(romload_checksum_ack))) {
858 printf("Checksum on phone side matches, "
859 "let's branch to your code\n");
860 printf("Branching to 0x%08x\n", ROMLOAD_ADDRESS);
862 rc = write(dnload.serial_fd.fd, romload_branch_cmd,
863 sizeof(romload_branch_cmd));
864 rc = write(dnload.serial_fd.fd, &dnload.load_address,
865 sizeof(dnload.load_address));
866 dnload.romload_state = WAITING_BRANCH_ACK;
868 } else if (!memcmp(buffer, romload_checksum_nack,
869 sizeof(romload_checksum_nack))) {
870 printf("Checksum on phone side (0x%02x) doesn't "
871 "match ours, aborting\n", ~buffer[2]);
872 serial_set_baudrate(ROMLOAD_INIT_BAUDRATE);
873 dnload.romload_state = WAITING_IDENTIFICATION;
874 bsc_schedule_timer(&tick_timer, 0, BEACON_INTERVAL);
878 case WAITING_BRANCH_ACK:
879 if (!memcmp(buffer, romload_branch_ack,
880 sizeof(romload_branch_ack))) {
881 printf("Received branch ack, your code is running now!\n");
882 dnload.serial_fd.when = BSC_FD_READ;
883 dnload.romload_state = FINISHED;
884 dnload.write_ptr = dnload.data;
885 dnload.print_hdlc = 1;
886 } else if (!memcmp(buffer, romload_branch_nack,
887 sizeof(romload_branch_nack))) {
888 printf("Received branch nack, aborting\n");
889 serial_set_baudrate(ROMLOAD_INIT_BAUDRATE);
890 dnload.romload_state = WAITING_IDENTIFICATION;
891 bsc_schedule_timer(&tick_timer, 0, BEACON_INTERVAL);
902 static int serial_read(struct bsc_fd *fd, unsigned int flags)
905 if (flags & BSC_FD_READ) {
906 if (dnload.mode == MODE_ROMLOAD)
907 rc = handle_read_romload();
915 if (flags & BSC_FD_WRITE) {
918 dnload.state = WAITING_PROMPT1;
923 static int parse_mode(const char *arg)
925 if (!strcasecmp(arg, "c123"))
927 else if (!strcasecmp(arg, "c123xor"))
929 else if (!strcasecmp(arg, "c140"))
931 else if (!strcasecmp(arg, "c140xor"))
933 else if (!strcasecmp(arg, "c155"))
935 else if (!strcasecmp(arg, "romload"))
942 "[ -v | -h ] [ -p /dev/ttyXXXX ] [ -s /tmp/osmocom_l2 ]\n" \
943 "\t\t[ -l /tmp/osmocom_loader ]\n" \
944 "\t\t[ -m {c123,c123xor,c140,c140xor,c155,romload} ]\n" \
945 "\t\t file.bin\n\n" \
946 "* Open serial port /dev/ttyXXXX (connected to your phone)\n" \
947 "* Perform handshaking with the ramloader in the phone\n" \
948 "* Download file.bin to the attached phone (base address 0x00800100)\n"
950 static int usage(const char *name)
952 printf("Usage: %s ", name);
957 static int version(const char *name)
959 printf("%s version %s\n", name, PACKAGE_VERSION);
963 static int un_tool_read(struct bsc_fd *fd, unsigned int flags)
966 u_int16_t length = 0xffff;
968 struct tool_connection *con = (struct tool_connection *)fd->data;
972 rc = read(fd->fd, &buf + c, 2 - c);
978 if(errno == EAGAIN) {
981 fprintf(stderr, "Err from socket: %s\n", strerror(errno));
987 length = ntohs(*(u_int16_t*)buf);
991 rc = read(fd->fd, &buf + c, length - c);
997 if(errno == EAGAIN) {
1000 fprintf(stderr, "Err from socket: %s\n", strerror(errno));
1006 hdlc_send_to_phone(con->server->dlci, buf, length);
1012 bsc_unregister_fd(fd);
1013 llist_del(&con->entry);
1018 /* accept a new connection */
1019 static int tool_accept(struct bsc_fd *fd, unsigned int flags)
1021 struct tool_server *srv = (struct tool_server *)fd->data;
1022 struct tool_connection *con;
1023 struct sockaddr_un un_addr;
1027 len = sizeof(un_addr);
1028 rc = accept(fd->fd, (struct sockaddr *) &un_addr, &len);
1030 fprintf(stderr, "Failed to accept a new connection.\n");
1034 con = talloc_zero(NULL, struct tool_connection);
1036 fprintf(stderr, "Failed to create tool connection.\n");
1043 con->fd.when = BSC_FD_READ;
1044 con->fd.cb = un_tool_read;
1046 if (bsc_register_fd(&con->fd) != 0) {
1047 fprintf(stderr, "Failed to register the fd.\n");
1051 llist_add(&con->entry, &srv->connections);
1056 * Register and start a tool server
1058 static int register_tool_server(struct tool_server *ts,
1062 struct bsc_fd *bfd = &ts->bfd;
1063 struct sockaddr_un local;
1064 unsigned int namelen;
1067 bfd->fd = socket(AF_UNIX, SOCK_STREAM, 0);
1070 fprintf(stderr, "Failed to create Unix Domain Socket.\n");
1074 local.sun_family = AF_UNIX;
1075 strncpy(local.sun_path, path, sizeof(local.sun_path));
1076 local.sun_path[sizeof(local.sun_path) - 1] = '\0';
1077 unlink(local.sun_path);
1079 /* we use the same magic that X11 uses in Xtranssock.c for
1080 * calculating the proper length of the sockaddr */
1081 #if defined(BSD44SOCKETS) || defined(__UNIXWARE__)
1082 local.sun_len = strlen(local.sun_path);
1084 #if defined(BSD44SOCKETS) || defined(SUN_LEN)
1085 namelen = SUN_LEN(&local);
1087 namelen = strlen(local.sun_path) +
1088 offsetof(struct sockaddr_un, sun_path);
1091 rc = bind(bfd->fd, (struct sockaddr *) &local, namelen);
1093 fprintf(stderr, "Failed to bind the unix domain socket. '%s'\n",
1098 if (listen(bfd->fd, 0) != 0) {
1099 fprintf(stderr, "Failed to listen.\n");
1103 bfd->when = BSC_FD_READ;
1104 bfd->cb = tool_accept;
1108 INIT_LLIST_HEAD(&ts->connections);
1110 tool_server_for_dlci[dlci] = ts;
1112 sercomm_register_rx_cb(dlci, hdlc_tool_cb);
1114 if (bsc_register_fd(bfd) != 0) {
1115 fprintf(stderr, "Failed to register the bfd.\n");
1122 extern void hdlc_tpudbg_cb(uint8_t dlci, struct msgb *msg);
1124 int main(int argc, char **argv)
1127 uint32_t tmp_load_address = 0;
1128 const char *serial_dev = "/dev/ttyUSB1";
1129 const char *layer2_un_path = "/tmp/osmocom_l2";
1130 const char *loader_un_path = "/tmp/osmocom_loader";
1132 dnload.mode = MODE_C123;
1134 while ((opt = getopt(argc, argv, "hl:p:m:s:v")) != -1) {
1137 serial_dev = optarg;
1140 dnload.mode = parse_mode(optarg);
1141 if (dnload.mode < 0)
1145 layer2_un_path = optarg;
1148 loader_un_path = optarg;
1160 if (argc <= optind) {
1161 fprintf(stderr, "You have to specify the filename\n");
1165 dnload.filename = argv[optind];
1167 dnload.serial_fd.fd = serial_init(serial_dev);
1168 if (dnload.serial_fd.fd < 0) {
1169 fprintf(stderr, "Cannot open serial device %s\n", serial_dev);
1173 if (bsc_register_fd(&dnload.serial_fd) != 0) {
1174 fprintf(stderr, "Failed to register the serial.\n");
1178 /* Set serial socket to non-blocking mode of operation */
1179 flags = fcntl(dnload.serial_fd.fd, F_GETFL);
1180 flags |= O_NONBLOCK;
1181 fcntl(dnload.serial_fd.fd, F_SETFL, flags);
1183 dnload.serial_fd.when = BSC_FD_READ;
1184 dnload.serial_fd.cb = serial_read;
1186 /* initialize the HDLC layer */
1188 sercomm_register_rx_cb(SC_DLCI_CONSOLE, hdlc_console_cb);
1189 sercomm_register_rx_cb(SC_DLCI_DEBUG, hdlc_tpudbg_cb);
1191 /* unix domain socket handling */
1192 if (register_tool_server(&dnload.layer2_server, layer2_un_path,
1193 SC_DLCI_L1A_L23) != 0)
1196 if (register_tool_server(&dnload.loader_server, loader_un_path,
1197 SC_DLCI_LOADER) != 0)
1200 /* if in romload mode, start our beacon timer */
1201 if (dnload.mode == MODE_ROMLOAD) {
1202 tmp_load_address = ROMLOAD_ADDRESS;
1203 serial_set_baudrate(ROMLOAD_INIT_BAUDRATE);
1204 tick_timer.cb = &beacon_timer_cb;
1205 tick_timer.data = &tick_timer;
1206 bsc_schedule_timer(&tick_timer, 0, BEACON_INTERVAL);
1209 dnload.load_address[0] = (tmp_load_address >> 24) & 0xff;
1210 dnload.load_address[1] = (tmp_load_address >> 16) & 0xff;
1211 dnload.load_address[2] = (tmp_load_address >> 8) & 0xff;
1212 dnload.load_address[3] = tmp_load_address & 0xff;
1217 close(dnload.serial_fd.fd);