1 /* $NetBSD: umodeswitch.c,v 1.6 2023/08/04 13:25:17 manu Exp $ */
2
3 /*-
4 * Copyright (c) 2009, 2017 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * This code is derived from software contributed to The NetBSD Foundation.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
19 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
20 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
22 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31
32 #include <sys/cdefs.h>
33 __KERNEL_RCSID(0, "$NetBSD: umodeswitch.c,v 1.6 2023/08/04 13:25:17 manu Exp $");
34
35 #include <sys/param.h>
36 #include <sys/systm.h>
37 #include <sys/kernel.h>
38 #include <sys/kmem.h>
39 #include <sys/bus.h>
40 #include <sys/conf.h>
41 #include <sys/tty.h>
42
43 #include <dev/usb/usb.h>
44 #include <dev/usb/usbdi.h>
45 #include <dev/usb/usbdivar.h>
46 #include <dev/usb/usbdi_util.h>
47
48 #include "usbdevs.h"
49
50 /*
51 * This device driver handles devices that have two personalities.
52 * The first uses the 'usbdevif'
53 * interface attribute so that a match will claim the entire USB device
54 * for itself. This is used for when a device needs to be mode-switched
55 * and ensures any other interfaces present cannot be claimed by other
56 * drivers while the mode-switch is in progress.
57 */
58 static int umodeswitch_match(device_t, cfdata_t, void *);
59 static void umodeswitch_attach(device_t, device_t, void *);
60 static int umodeswitch_detach(device_t, int);
61
62 CFATTACH_DECL2_NEW(umodeswitch, 0, umodeswitch_match,
63 umodeswitch_attach, umodeswitch_detach, NULL, NULL, NULL);
64
65 static int
send_bulkmsg(struct usbd_device * dev,void * cmd,size_t cmdlen)66 send_bulkmsg(struct usbd_device *dev, void *cmd, size_t cmdlen)
67 {
68 struct usbd_interface *iface;
69 usb_interface_descriptor_t *id;
70 usb_endpoint_descriptor_t *ed;
71 struct usbd_pipe *pipe;
72 struct usbd_xfer *xfer;
73 int err, i;
74
75 /* Move the device into the configured state. */
76 err = usbd_set_config_index(dev, 0, 0);
77 if (err) {
78 aprint_error("%s: failed to set config index\n", __func__);
79 return UMATCH_NONE;
80 }
81
82 err = usbd_device2interface_handle(dev, 0, &iface);
83 if (err != 0) {
84 aprint_error("%s: failed to get interface\n", __func__);
85 return UMATCH_NONE;
86 }
87
88 id = usbd_get_interface_descriptor(iface);
89 ed = NULL;
90 for (i = 0 ; i < id->bNumEndpoints ; i++) {
91 ed = usbd_interface2endpoint_descriptor(iface, i);
92 if (ed == NULL)
93 continue;
94 if (UE_GET_DIR(ed->bEndpointAddress) != UE_DIR_OUT)
95 continue;
96 if ((ed->bmAttributes & UE_XFERTYPE) == UE_BULK)
97 break;
98 }
99
100 if (i == id->bNumEndpoints)
101 return UMATCH_NONE;
102
103 err = usbd_open_pipe(iface, ed->bEndpointAddress,
104 USBD_EXCLUSIVE_USE, &pipe);
105 if (err != 0) {
106 aprint_error("%s: failed to open bulk transfer pipe %d\n",
107 __func__, ed->bEndpointAddress);
108 return UMATCH_NONE;
109 }
110
111 int error = usbd_create_xfer(pipe, cmdlen, 0, 0, &xfer);
112 if (!error) {
113
114 usbd_setup_xfer(xfer, NULL, cmd, cmdlen,
115 USBD_SYNCHRONOUS, USBD_DEFAULT_TIMEOUT, NULL);
116
117 err = usbd_transfer(xfer);
118
119 #if 0 /* XXXpooka: at least my huawei "fails" this always, but still detaches */
120 if (err)
121 aprint_error("%s: transfer failed\n", __func__);
122 #else
123 err = 0;
124 #endif
125 usbd_destroy_xfer(xfer);
126 } else {
127 aprint_error("%s: failed to allocate xfer\n", __func__);
128 err = USBD_NOMEM;
129 }
130
131 usbd_abort_pipe(pipe);
132 usbd_close_pipe(pipe);
133
134 return err == USBD_NORMAL_COMPLETION ? UMATCH_HIGHEST : UMATCH_NONE;
135 }
136
137 /* Byte 0..3: Command Block Wrapper (CBW) signature */
138 static void
set_cbw(unsigned char * cmd)139 set_cbw(unsigned char *cmd)
140 {
141 cmd[0] = 0x55;
142 cmd[1] = 0x53;
143 cmd[2] = 0x42;
144 cmd[3] = 0x43;
145 }
146
147 static int
u3g_bulk_scsi_eject(struct usbd_device * dev)148 u3g_bulk_scsi_eject(struct usbd_device *dev)
149 {
150 unsigned char cmd[31];
151
152 memset(cmd, 0, sizeof(cmd));
153 /* Byte 0..3: Command Block Wrapper (CBW) signature */
154 set_cbw(cmd);
155 /* 4..7: CBW Tag, has to unique, but only a single transfer used. */
156 cmd[4] = 0x01;
157 /* 8..11: CBW Transfer Length, no data here */
158 /* 12: CBW Flag: output, so 0 */
159 /* 13: CBW Lun: 0 */
160 /* 14: CBW Length */
161 cmd[14] = 0x06;
162
163 /* Rest is the SCSI payload */
164
165 /* 0: SCSI START/STOP opcode */
166 cmd[15] = 0x1b;
167 /* 1..3 unused */
168 /* 4 Load/Eject command */
169 cmd[19] = 0x02;
170 /* 5: unused */
171
172 return send_bulkmsg(dev, cmd, sizeof(cmd));
173 }
174
175 static int
u3g_bulk_ata_eject(struct usbd_device * dev)176 u3g_bulk_ata_eject(struct usbd_device *dev)
177 {
178 unsigned char cmd[31];
179
180 memset(cmd, 0, sizeof(cmd));
181 /* Byte 0..3: Command Block Wrapper (CBW) signature */
182 set_cbw(cmd);
183 /* 4..7: CBW Tag, has to unique, but only a single transfer used. */
184 cmd[4] = 0x01;
185 /* 8..11: CBW Transfer Length, no data here */
186 /* 12: CBW Flag: output, so 0 */
187 /* 13: CBW Lun: 0 */
188 /* 14: CBW Length */
189 cmd[14] = 0x06;
190
191 /* Rest is the SCSI payload */
192
193 /* 0: ATA pass-through */
194 cmd[15] = 0x85;
195 /* 1..3 unused */
196 /* 4 XXX What is this command? */
197 cmd[19] = 0x24;
198 /* 5: unused */
199
200 return send_bulkmsg(dev, cmd, sizeof(cmd));
201 }
202
203 static int
u3g_huawei_reinit(struct usbd_device * dev)204 u3g_huawei_reinit(struct usbd_device *dev)
205 {
206 /*
207 * The Huawei device presents itself as a umass device with Windows
208 * drivers on it. After installation of the driver, it reinits into a
209 * 3G serial device.
210 */
211 usb_device_request_t req;
212 usb_config_descriptor_t *cdesc;
213
214 /* Get the config descriptor */
215 cdesc = usbd_get_config_descriptor(dev);
216 if (cdesc == NULL) {
217 usb_device_descriptor_t dd;
218
219 if (usbd_get_device_desc(dev, &dd) != 0)
220 return UMATCH_NONE;
221
222 if (dd.bNumConfigurations != 1)
223 return UMATCH_NONE;
224
225 if (usbd_set_config_index(dev, 0, 1) != 0)
226 return UMATCH_NONE;
227
228 cdesc = usbd_get_config_descriptor(dev);
229
230 if (cdesc == NULL)
231 return UMATCH_NONE;
232 }
233
234 /*
235 * One iface means umass mode, more than 1 (4 usually) means 3G mode.
236 *
237 * XXX: We should check the first interface's device class just to be
238 * sure. If it's a mass storage device, then we can be fairly certain
239 * it needs a mode-switch.
240 */
241 if (cdesc->bNumInterface > 1)
242 return UMATCH_NONE;
243
244 req.bmRequestType = UT_WRITE_DEVICE;
245 req.bRequest = UR_SET_FEATURE;
246 USETW(req.wValue, UF_DEVICE_REMOTE_WAKEUP);
247 USETW(req.wIndex, UHF_PORT_SUSPEND);
248 USETW(req.wLength, 0);
249
250 (void) usbd_do_request(dev, &req, 0);
251
252 return UMATCH_HIGHEST; /* Prevent umass from attaching */
253 }
254
255 static int
u3g_huawei_k3765_reinit(struct usbd_device * dev)256 u3g_huawei_k3765_reinit(struct usbd_device *dev)
257 {
258 unsigned char cmd[31];
259
260 /* magic string adapted from some webpage */
261 memset(cmd, 0, sizeof(cmd));
262 /* Byte 0..3: Command Block Wrapper (CBW) signature */
263 set_cbw(cmd);
264
265 cmd[15]= 0x11;
266 cmd[16]= 0x06;
267
268 return send_bulkmsg(dev, cmd, sizeof(cmd));
269 }
270 static int
u3g_huawei_e171_reinit(struct usbd_device * dev)271 u3g_huawei_e171_reinit(struct usbd_device *dev)
272 {
273 unsigned char cmd[31];
274
275 /* magic string adapted from some webpage */
276 memset(cmd, 0, sizeof(cmd));
277 /* Byte 0..3: Command Block Wrapper (CBW) signature */
278 set_cbw(cmd);
279
280 cmd[15]= 0x11;
281 cmd[16]= 0x06;
282 cmd[17]= 0x20;
283 cmd[20]= 0x01;
284
285 return send_bulkmsg(dev, cmd, sizeof(cmd));
286 }
287
288 static int
u3g_huawei_e353_reinit(struct usbd_device * dev)289 u3g_huawei_e353_reinit(struct usbd_device *dev)
290 {
291 unsigned char cmd[31];
292
293 /* magic string adapted from some webpage */
294 memset(cmd, 0, sizeof(cmd));
295 /* Byte 0..3: Command Block Wrapper (CBW) signature */
296 set_cbw(cmd);
297
298 cmd[4] = 0x7f;
299 cmd[9] = 0x02;
300 cmd[12] = 0x80;
301 cmd[14] = 0x0a;
302 cmd[15] = 0x11;
303 cmd[16] = 0x06;
304 cmd[17] = 0x20;
305 cmd[23] = 0x01;
306
307 return send_bulkmsg(dev, cmd, sizeof(cmd));
308 }
309
310 static int
u3g_sierra_reinit(struct usbd_device * dev)311 u3g_sierra_reinit(struct usbd_device *dev)
312 {
313 /* Some Sierra devices presents themselves as a umass device with
314 * Windows drivers on it. After installation of the driver, it
315 * reinits into a * 3G serial device.
316 */
317 usb_device_request_t req;
318
319 req.bmRequestType = UT_VENDOR;
320 req.bRequest = UR_SET_INTERFACE;
321 USETW(req.wValue, UF_DEVICE_REMOTE_WAKEUP);
322 USETW(req.wIndex, UHF_PORT_CONNECTION);
323 USETW(req.wLength, 0);
324
325 (void) usbd_do_request(dev, &req, 0);
326
327 return UMATCH_HIGHEST; /* Match to prevent umass from attaching */
328 }
329
330 static int
u3g_4gsystems_reinit(struct usbd_device * dev)331 u3g_4gsystems_reinit(struct usbd_device *dev)
332 {
333 /* magic string adapted from usb_modeswitch database */
334 unsigned char cmd[31];
335
336 memset(cmd, 0, sizeof(cmd));
337 /* Byte 0..3: Command Block Wrapper (CBW) signature */
338 set_cbw(cmd);
339
340 cmd[4] = 0x12;
341 cmd[5] = 0x34;
342 cmd[6] = 0x56;
343 cmd[7] = 0x78;
344 cmd[8] = 0x80;
345 cmd[12] = 0x80;
346 cmd[14] = 0x06;
347 cmd[15] = 0x06;
348 cmd[16] = 0xf5;
349 cmd[17] = 0x04;
350 cmd[18] = 0x02;
351 cmd[19] = 0x52;
352 cmd[20] = 0x70;
353
354 return send_bulkmsg(dev, cmd, sizeof(cmd));
355 }
356
357 /*
358 * First personality:
359 *
360 * Claim the entire device if a mode-switch is required.
361 */
362
363 static int
umodeswitch_match(device_t parent,cfdata_t match,void * aux)364 umodeswitch_match(device_t parent, cfdata_t match, void *aux)
365 {
366 struct usb_attach_arg *uaa = aux;
367
368 /*
369 * Huawei changes product when it is configured as a modem.
370 */
371 switch (uaa->uaa_vendor) {
372 case USB_VENDOR_HUAWEI:
373 if (uaa->uaa_product == USB_PRODUCT_HUAWEI_K3765)
374 return UMATCH_NONE;
375
376 switch (uaa->uaa_product) {
377 case USB_PRODUCT_HUAWEI_E1750INIT:
378 case USB_PRODUCT_HUAWEI_K3765INIT:
379 return u3g_huawei_k3765_reinit(uaa->uaa_device);
380 break;
381 case USB_PRODUCT_HUAWEI_E171INIT:
382 return u3g_huawei_e171_reinit(uaa->uaa_device);
383 break;
384 case USB_PRODUCT_HUAWEI_E353INIT:
385 return u3g_huawei_e353_reinit(uaa->uaa_device);
386 break;
387 default:
388 return u3g_huawei_reinit(uaa->uaa_device);
389 break;
390 }
391 break;
392
393 case USB_VENDOR_NOVATEL2:
394 switch (uaa->uaa_product){
395 case USB_PRODUCT_NOVATEL2_MC950D_DRIVER:
396 case USB_PRODUCT_NOVATEL2_U760_DRIVER:
397 return u3g_bulk_scsi_eject(uaa->uaa_device);
398 break;
399 default:
400 break;
401 }
402 break;
403
404 case USB_VENDOR_LG:
405 if (uaa->uaa_product == USB_PRODUCT_LG_NTT_DOCOMO_L02C_STORAGE)
406 return u3g_bulk_scsi_eject(uaa->uaa_device);
407 break;
408
409 case USB_VENDOR_RALINK:
410 switch (uaa->uaa_product){
411 case USB_PRODUCT_RALINK_RT73:
412 return u3g_bulk_scsi_eject(uaa->uaa_device);
413 break;
414 }
415 break;
416
417 case USB_VENDOR_SIERRA:
418 if (uaa->uaa_product == USB_PRODUCT_SIERRA_INSTALLER)
419 return u3g_sierra_reinit(uaa->uaa_device);
420 break;
421
422 case USB_VENDOR_ZTE:
423 switch (uaa->uaa_product){
424 case USB_PRODUCT_ZTE_INSTALLER:
425 case USB_PRODUCT_ZTE_MF820D_INSTALLER:
426 (void)u3g_bulk_ata_eject(uaa->uaa_device);
427 (void)u3g_bulk_scsi_eject(uaa->uaa_device);
428 return UMATCH_HIGHEST;
429 default:
430 break;
431 }
432 break;
433
434 case USB_VENDOR_LONGCHEER:
435 if (uaa->uaa_product == USB_PRODUCT_LONGCHEER_XSSTICK_P14_INSTALLER)
436 return u3g_4gsystems_reinit(uaa->uaa_device);
437 break;
438
439 case USB_VENDOR_DLINK:
440 switch (uaa->uaa_product) {
441 case USB_PRODUCT_DLINK_DWM157E_CD:
442 case USB_PRODUCT_DLINK_DWM157_CD:
443 case USB_PRODUCT_DLINK_DWM222_CD:
444 (void)u3g_bulk_ata_eject(uaa->uaa_device);
445 (void)u3g_bulk_scsi_eject(uaa->uaa_device);
446 return UMATCH_HIGHEST;
447 default:
448 break;
449 }
450
451 default:
452 break;
453 }
454
455 return UMATCH_NONE;
456 }
457
458 static void
umodeswitch_attach(device_t parent,device_t self,void * aux)459 umodeswitch_attach(device_t parent, device_t self, void *aux)
460 {
461 struct usb_attach_arg *uaa = aux;
462
463 aprint_naive("\n");
464 aprint_normal(": Switching off umass mode\n");
465
466 if (uaa->uaa_vendor == USB_VENDOR_NOVATEL2) {
467 switch (uaa->uaa_product) {
468 case USB_PRODUCT_NOVATEL2_MC950D_DRIVER:
469 case USB_PRODUCT_NOVATEL2_U760_DRIVER:
470 /* About to disappear... */
471 return;
472 break;
473 default:
474 break;
475 }
476 }
477
478 /* Move the device into the configured state. */
479 (void) usbd_set_config_index(uaa->uaa_device, 0, 1);
480 }
481
482 static int
umodeswitch_detach(device_t self,int flags)483 umodeswitch_detach(device_t self, int flags)
484 {
485
486 return 0;
487 }
488