10 #include <sys/types.h>
11 #include <sys/socket.h>
17 #include <osmocore/linuxlist.h>
18 #include <osmocore/select.h>
19 #include <osmocore/talloc.h>
21 #include <arpa/inet.h>
23 //#include "version.h"
25 #define MODEM_BAUDRATE B115200
26 #define MAX_DNLOAD_SIZE 0xFFFF
27 #define MAX_HDR_SIZE 128
42 enum dnload_state state;
43 enum dnload_mode mode;
44 struct bsc_fd serial_fd;
49 /* data to be downloaded */
60 * a connection of the layer2
62 struct layer2_connection {
63 struct llist_head entry;
67 static LLIST_HEAD(connections);
68 static struct dnload dnload;
70 static const uint8_t phone_prompt1[] = { 0x1b, 0xf6, 0x02, 0x00, 0x41, 0x01, 0x40 };
71 static const uint8_t dnload_cmd[] = { 0x1b, 0xf6, 0x02, 0x00, 0x52, 0x01, 0x53 };
72 static const uint8_t phone_prompt2[] = { 0x1b, 0xf6, 0x02, 0x00, 0x41, 0x02, 0x43 };
73 static const uint8_t phone_ack[] = { 0x1b, 0xf6, 0x02, 0x00, 0x41, 0x03, 0x42 };
74 static const uint8_t phone_nack_magic[]= { 0x1b, 0xf6, 0x02, 0x00, 0x41, 0x03, 0x57 };
75 static const uint8_t phone_nack[] = { 0x1b, 0xf6, 0x02, 0x00, 0x45, 0x53, 0x16 };
76 static const uint8_t ftmtool[] = { "ftmtool" };
78 /* The C123 has a hard-coded check inside the ramloder that requires the following
79 * bytes to be always the first four bytes of the image */
80 static const uint8_t data_hdr_c123[] = { 0xee, 0x4c, 0x9f, 0x63 };
82 /* The C155 doesn't have some strange restriction on what the first four bytes have
83 * to be, but it starts the ramloader in THUMB mode. We use the following four bytes
84 * to switch back to ARM mode:
86 800102: 46c0 nop ; (mov r8, r8)
88 static const uint8_t data_hdr_c155[] = { 0x78, 0x47, 0xc0, 0x46 };
90 static const uint8_t dummy_data[] = { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde };
92 static int serial_init(const char *serial_dev)
94 struct termios options;
97 fd = open(serial_dev, O_RDWR | O_NOCTTY | O_NDELAY);
101 fcntl(fd, F_SETFL, 0);
103 /* Configure serial interface */
104 tcgetattr(fd, &options);
106 cfsetispeed(&options, MODEM_BAUDRATE);
107 cfsetospeed(&options, MODEM_BAUDRATE);
110 options.c_cflag &= ~PARENB;
111 options.c_cflag &= ~CSTOPB;
112 options.c_cflag &= ~CSIZE;
113 options.c_cflag |= CS8;
115 /* hardware flow control off */
116 options.c_cflag &= ~CRTSCTS;
118 /* software flow control off */
119 options.c_iflag &= ~(IXON | IXOFF | IXANY);
121 /* we want raw i/o */
122 options.c_lflag &= ~(ICANON | ECHO | ECHOE | ISIG);
123 options.c_iflag &= ~(INLCR | ICRNL | IGNCR);
124 options.c_oflag &= ~(ONLCR);
126 options.c_cc[VMIN] = 1;
127 options.c_cc[VTIME] = 0;
128 options.c_cc[VINTR] = 0;
129 options.c_cc[VQUIT] = 0;
130 options.c_cc[VSTART] = 0;
131 options.c_cc[VSTOP] = 0;
132 options.c_cc[VSUSP] = 0;
134 tcsetattr(fd, TCSANOW, &options);
136 /* set ready to read/write */
137 v24 = TIOCM_DTR | TIOCM_RTS;
138 ioctl(fd, TIOCMBIS, &v24);
143 /* Read the to-be-downloaded file, prepend header and length, append XOR sum */
144 int read_file(const char *filename)
148 const uint8_t *hdr = NULL;
153 uint8_t running_xor = 0x02;
155 fd = open(filename, O_RDONLY);
157 perror("opening file");
162 if (st.st_size > MAX_DNLOAD_SIZE) {
163 fprintf(stderr, "The maximum file size is 64kBytes (%u bytes)\n",
173 dnload.data = malloc(MAX_HDR_SIZE + st.st_size);
176 fprintf(stderr, "No memory\n");
180 /* copy in the header, if any */
181 switch (dnload.mode) {
184 hdr_len = sizeof(data_hdr_c155);
189 hdr_len = sizeof(data_hdr_c123);
196 memcpy(dnload.data, hdr, hdr_len);
198 /* 2 bytes for length + header */
199 file_data = dnload.data + 2 + hdr_len;
201 /* write the length, keep running XOR */
202 tot_len = hdr_len + st.st_size;
203 nibble = tot_len >> 8;
204 dnload.data[0] = nibble;
205 running_xor ^= nibble;
206 nibble = tot_len & 0xff;
207 dnload.data[1] = nibble;
208 running_xor ^= nibble;
210 if (hdr_len && hdr) {
211 memcpy(dnload.data+2, hdr, hdr_len);
213 for (i = 0; i < hdr_len; i++)
214 running_xor ^= hdr[i];
217 rc = read(fd, file_data, st.st_size);
219 perror("error reading file\n");
225 if (rc < st.st_size) {
229 fprintf(stderr, "Short read of file (%d < %d)\n",
230 rc, (int)st.st_size);
236 dnload.data_len = (file_data+st.st_size) - dnload.data;
238 /* calculate XOR sum */
239 for (i = 0; i < st.st_size; i++)
240 running_xor ^= file_data[i];
242 dnload.data[dnload.data_len++] = running_xor;
244 /* initialize write pointer to start of data */
245 dnload.write_ptr = dnload.data;
247 printf("read_file(%s): file_size=%u, hdr_len=%u, dnload_len=%u\n",
248 filename, (int)st.st_size, hdr_len, dnload.data_len);
253 static void hexdump(const uint8_t *data, unsigned int len)
255 const uint8_t *bufptr = data;
258 for (n=0; bufptr, n < len; n++, bufptr++)
259 printf("%02x ", *bufptr);
263 #define WRITE_BLOCK 4096
265 static int handle_write_dnload(void)
267 int bytes_left, write_len, rc;
269 printf("handle_write(): ");
270 if (dnload.write_ptr == dnload.data) {
271 /* no bytes have been transferred yet */
272 if (dnload.mode == MODE_C155 ||
273 dnload.mode == MODE_C123xor) {
274 uint8_t xor_init = 0x02;
275 write(dnload.serial_fd.fd, &xor_init, 1);
278 } else if (dnload.write_ptr >= dnload.data + dnload.data_len) {
279 printf("finished\n");
280 dnload.write_ptr = dnload.data;
281 dnload.serial_fd.when &= ~BSC_FD_WRITE;
285 /* try to write a maximum of WRITE_BLOCK bytes */
286 bytes_left = (dnload.data + dnload.data_len) - dnload.write_ptr;
287 write_len = WRITE_BLOCK;
288 if (bytes_left < WRITE_BLOCK)
289 write_len = bytes_left;
291 rc = write(dnload.serial_fd.fd, dnload.write_ptr, write_len);
293 perror("Error during write");
297 dnload.write_ptr += rc;
299 printf("%u bytes (%tu/%u)\n", rc, dnload.write_ptr - dnload.data, dnload.data_len);
304 static int handle_write(void)
308 switch (dnload.state) {
310 return handle_write_dnload();
312 if (sercomm_drv_pull(&c) != 0) {
313 if (write(dnload.serial_fd.fd, &c, 1) != 1)
314 perror("short write");
316 dnload.serial_fd.when &= ~BSC_FD_WRITE;
322 static uint8_t buffer[sizeof(phone_prompt1)];
323 static uint8_t *bufptr = buffer;
325 static void hdlc_send_to_phone(uint8_t dlci, uint8_t *data, int len)
330 printf("hdlc_send_to_phone(dlci=%u): ", dlci);
334 fprintf(stderr, "Too much data to send. %u\n", len);
338 /* push the message into the stack */
339 msg = sercomm_alloc_msgb(512);
341 fprintf(stderr, "Failed to create data for the frame.\n");
346 dest = msgb_put(msg, len);
347 memcpy(dest, data, len);
349 sercomm_sendmsg(dlci, msg);
351 dnload.serial_fd.when |= BSC_FD_WRITE;
354 static void hdlc_console_cb(uint8_t dlci, struct msgb *msg)
356 write(1, msg->data, msg->len);
360 static void hdlc_l1a_cb(uint8_t dlci, struct msgb *msg)
362 struct layer2_connection *con;
365 len = (u_int16_t *) msgb_push(msg, 2);
366 *len = htons(msg->len - sizeof(*len));
368 llist_for_each_entry(con, &connections, entry) {
369 if (write(con->fd.fd, msg->data, msg->len) != msg->len) {
370 fprintf(stderr, "Failed to write msg to the socket..\n");
378 static void print_hdlc(uint8_t *buffer, int length)
382 for (i = 0; i < length; ++i)
383 if (sercomm_drv_rx_char(buffer[i]) == 0)
384 printf("Dropping sample '%c'\n", buffer[i]);
387 static int handle_read(void)
389 int rc, nbytes, buf_left;
391 buf_left = sizeof(buffer) - (bufptr - buffer);
393 memmove(buffer, buffer+1, sizeof(buffer)-1);
398 nbytes = read(dnload.serial_fd.fd, bufptr, buf_left);
402 if (!dnload.print_hdlc) {
403 printf("got %i bytes from modem, ", nbytes);
404 printf("data looks like: ");
405 hexdump(bufptr, nbytes);
407 print_hdlc(bufptr, nbytes);
410 if (!memcmp(buffer, phone_prompt1, sizeof(phone_prompt1))) {
411 printf("Received PROMPT1 from phone, responding with CMD\n");
412 dnload.print_hdlc = 0;
413 dnload.state = WAITING_PROMPT2;
414 rc = write(dnload.serial_fd.fd, dnload_cmd, sizeof(dnload_cmd));
417 rc = read_file(dnload.filename);
419 fprintf(stderr, "read_file(%s) failed with %d\n", dnload.filename, rc);
422 } else if (!memcmp(buffer, phone_prompt2, sizeof(phone_prompt2))) {
423 printf("Received PROMPT2 from phone, starting download\n");
424 dnload.serial_fd.when = BSC_FD_READ | BSC_FD_WRITE;
425 dnload.state = DOWNLOADING;
426 } else if (!memcmp(buffer, phone_ack, sizeof(phone_ack))) {
427 printf("Received DOWNLOAD ACK from phone, your code is running now!\n");
428 dnload.serial_fd.when = BSC_FD_READ;
429 dnload.state = WAITING_PROMPT1;
430 dnload.write_ptr = dnload.data;
431 dnload.print_hdlc = 1;
432 } else if (!memcmp(buffer, phone_nack, sizeof(phone_nack))) {
433 printf("Received DOWNLOAD NACK from phone, something went wrong :(\n");
434 dnload.serial_fd.when = BSC_FD_READ;
435 dnload.state = WAITING_PROMPT1;
436 dnload.write_ptr = dnload.data;
437 } else if (!memcmp(buffer, phone_nack_magic, sizeof(phone_nack_magic))) {
438 printf("Received MAGIC NACK from phone, you need to have \"1003\" at 0x803ce0\n");
439 dnload.serial_fd.when = BSC_FD_READ;
440 dnload.state = WAITING_PROMPT1;
441 dnload.write_ptr = dnload.data;
442 } else if (!memcmp(buffer, ftmtool, sizeof(ftmtool))) {
443 printf("Received FTMTOOL from phone, ramolader has aborted\n");
444 dnload.serial_fd.when = BSC_FD_READ;
445 dnload.state = WAITING_PROMPT1;
446 dnload.write_ptr = dnload.data;
453 static int serial_read(struct bsc_fd *fd, unsigned int flags)
457 if (flags & BSC_FD_READ) {
463 if (flags & BSC_FD_WRITE) {
466 dnload.state = WAITING_PROMPT1;
471 static int parse_mode(const char *arg)
473 if (!strcasecmp(arg, "c123") ||
474 !strcasecmp(arg, "c140"))
476 else if (!strcasecmp(arg, "c123xor"))
478 else if (!strcasecmp(arg, "c155"))
485 static int usage(const char *name)
487 printf("\nUsage: %s [ -v | -h ] [ -p /dev/ttyXXXX ] [ -s /tmp/osmocom_l2 ] ][ -m {c123,c123xor,c155} ] file.bin\n", name);
488 printf("\t* Open serial port /dev/ttyXXXX (connected to your phone)\n"
489 "\t* Perform handshaking with the ramloader in the phone\n"
490 "\t* Download file.bin to the attached phone (base address 0x00800100)\n");
494 static int version(const char *name)
496 //printf("\n%s version %s\n", name, VERSION);
500 static int un_layer2_read(struct bsc_fd *fd, unsigned int flags)
503 u_int16_t length = 0xffff;
505 struct layer2_connection *con;
508 rc = read(fd->fd, &length, sizeof(length));
509 if (rc <= 0 || ntohs(length) > 512) {
510 fprintf(stderr, "Unexpected result from socket. rc: %d len: %d\n",
515 rc = read(fd->fd, buf, ntohs(length));
516 if (rc != ntohs(length)) {
517 fprintf(stderr, "Could not read data.\n");
521 hdlc_send_to_phone(SC_DLCI_L1A_L23, buf, ntohs(length));
525 con = (struct layer2_connection *) fd->data;
528 bsc_unregister_fd(fd);
529 llist_del(&con->entry);
534 /* accept a new connection */
535 static int un_layer2_accept(struct bsc_fd *fd, unsigned int flags)
537 struct layer2_connection *con;
538 struct sockaddr_un un_addr;
542 len = sizeof(un_addr);
543 rc = accept(fd->fd, (struct sockaddr *) &un_addr, &len);
545 fprintf(stderr, "Failed to accept a new connection.\n");
549 con = talloc_zero(NULL, struct layer2_connection);
551 fprintf(stderr, "Failed to create layer2 connection.\n");
556 con->fd.when = BSC_FD_READ;
557 con->fd.cb = un_layer2_read;
559 if (bsc_register_fd(&con->fd) != 0) {
560 fprintf(stderr, "Failed to register the fd.\n");
564 llist_add(&con->entry, &connections);
569 * Create a server socket for the layer2 stack
571 static int register_af_unix(const char *un_path)
573 struct sockaddr_un local;
576 dnload.socket.fd = socket(AF_UNIX, SOCK_STREAM, 0);
578 if (dnload.socket.fd < 0) {
579 fprintf(stderr, "Failed to create Unix Domain Socket.\n");
583 local.sun_family = AF_UNIX;
584 strncpy(local.sun_path, un_path, sizeof(local.sun_path));
585 local.sun_path[sizeof(local.sun_path) - 1] = '\0';
586 unlink(local.sun_path);
587 rc = bind(dnload.socket.fd, (struct sockaddr *) &local,
588 sizeof(local.sun_family) + strlen(local.sun_path));
590 fprintf(stderr, "Failed to bind the unix domain socket. '%s'\n",
595 if (listen(dnload.socket.fd, 0) != 0) {
596 fprintf(stderr, "Failed to listen.\n");
600 dnload.socket.when = BSC_FD_READ;
601 dnload.socket.cb = un_layer2_accept;
603 if (bsc_register_fd(&dnload.socket) != 0) {
604 fprintf(stderr, "Failed to register the bfd.\n");
611 extern void hdlc_tpudbg_cb(uint8_t dlci, struct msgb *msg);
613 int main(int argc, char **argv)
616 char *serial_dev = "/dev/ttyUSB1";
617 char *un_path = "/tmp/osmocom_l2";
619 dnload.mode = MODE_C123;
621 while ((opt = getopt(argc, argv, "hp:m:s:v")) != -1) {
627 dnload.mode = parse_mode(optarg);
644 if (argc <= optind) {
645 fprintf(stderr, "You have to specify the filename\n");
649 dnload.filename = argv[optind];
651 dnload.serial_fd.fd = serial_init(serial_dev);
652 if (dnload.serial_fd.fd < 0) {
653 fprintf(stderr, "Cannot open serial device %s\n", serial_dev);
657 if (bsc_register_fd(&dnload.serial_fd) != 0) {
658 fprintf(stderr, "Failed to register the serial.\n");
662 /* Set serial socket to non-blocking mode of operation */
663 flags = fcntl(dnload.serial_fd.fd, F_GETFL);
665 fcntl(dnload.serial_fd.fd, F_SETFL, flags);
667 dnload.serial_fd.when = BSC_FD_READ;
668 dnload.serial_fd.cb = serial_read;
670 /* unix domain socket handling */
671 if (register_af_unix(un_path) != 0)
675 /* initialize the HDLC layer */
677 sercomm_register_rx_cb(SC_DLCI_CONSOLE, hdlc_console_cb);
678 sercomm_register_rx_cb(SC_DLCI_DEBUG, hdlc_tpudbg_cb);
679 sercomm_register_rx_cb(SC_DLCI_L1A_L23, hdlc_l1a_cb);
683 close(dnload.serial_fd.fd);