1/*
2 * BCM47XX MTD partitioning
3 *
4 * Copyright © 2012 Rafał Miłecki <zajec5@gmail.com>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 *
10 */
11
12#include <linux/module.h>
13#include <linux/kernel.h>
14#include <linux/slab.h>
15#include <linux/mtd/mtd.h>
16#include <linux/mtd/partitions.h>
17
18#include <uapi/linux/magic.h>
19
20/*
21 * NAND flash on Netgear R6250 was verified to contain 15 partitions.
22 * This will result in allocating too big array for some old devices, but the
23 * memory will be freed soon anyway (see mtd_device_parse_register).
24 */
25#define BCM47XXPART_MAX_PARTS		20
26
27/*
28 * Amount of bytes we read when analyzing each block of flash memory.
29 * Set it big enough to allow detecting partition and reading important data.
30 */
31#define BCM47XXPART_BYTES_TO_READ	0x4e8
32
33/* Magics */
34#define BOARD_DATA_MAGIC		0x5246504D	/* MPFR */
35#define BOARD_DATA_MAGIC2		0xBD0D0BBD
36#define CFE_MAGIC			0x43464531	/* 1EFC */
37#define FACTORY_MAGIC			0x59544346	/* FCTY */
38#define NVRAM_HEADER			0x48534C46	/* FLSH */
39#define POT_MAGIC1			0x54544f50	/* POTT */
40#define POT_MAGIC2			0x504f		/* OP */
41#define ML_MAGIC1			0x39685a42
42#define ML_MAGIC2			0x26594131
43#define TRX_MAGIC			0x30524448
44#define SHSQ_MAGIC			0x71736873	/* shsq (weird ZTE H218N endianness) */
45#define UBI_EC_MAGIC			0x23494255	/* UBI# */
46
47struct trx_header {
48	uint32_t magic;
49	uint32_t length;
50	uint32_t crc32;
51	uint16_t flags;
52	uint16_t version;
53	uint32_t offset[3];
54} __packed;
55
56static void bcm47xxpart_add_part(struct mtd_partition *part, const char *name,
57				 u64 offset, uint32_t mask_flags)
58{
59	part->name = name;
60	part->offset = offset;
61	part->mask_flags = mask_flags;
62}
63
64static const char *bcm47xxpart_trx_data_part_name(struct mtd_info *master,
65						  size_t offset)
66{
67	uint32_t buf;
68	size_t bytes_read;
69
70	if (mtd_read(master, offset, sizeof(buf), &bytes_read,
71		     (uint8_t *)&buf) < 0) {
72		pr_err("mtd_read error while parsing (offset: 0x%X)!\n",
73			offset);
74		goto out_default;
75	}
76
77	if (buf == UBI_EC_MAGIC)
78		return "ubi";
79
80out_default:
81	return "rootfs";
82}
83
84static int bcm47xxpart_parse(struct mtd_info *master,
85			     struct mtd_partition **pparts,
86			     struct mtd_part_parser_data *data)
87{
88	struct mtd_partition *parts;
89	uint8_t i, curr_part = 0;
90	uint32_t *buf;
91	size_t bytes_read;
92	uint32_t offset;
93	uint32_t blocksize = master->erasesize;
94	struct trx_header *trx;
95	int trx_part = -1;
96	int last_trx_part = -1;
97	int possible_nvram_sizes[] = { 0x8000, 0xF000, 0x10000, };
98
99	/*
100	 * Some really old flashes (like AT45DB*) had smaller erasesize-s, but
101	 * partitions were aligned to at least 0x1000 anyway.
102	 */
103	if (blocksize < 0x1000)
104		blocksize = 0x1000;
105
106	/* Alloc */
107	parts = kzalloc(sizeof(struct mtd_partition) * BCM47XXPART_MAX_PARTS,
108			GFP_KERNEL);
109	if (!parts)
110		return -ENOMEM;
111
112	buf = kzalloc(BCM47XXPART_BYTES_TO_READ, GFP_KERNEL);
113	if (!buf) {
114		kfree(parts);
115		return -ENOMEM;
116	}
117
118	/* Parse block by block looking for magics */
119	for (offset = 0; offset <= master->size - blocksize;
120	     offset += blocksize) {
121		/* Nothing more in higher memory */
122		if (offset >= 0x2000000)
123			break;
124
125		if (curr_part >= BCM47XXPART_MAX_PARTS) {
126			pr_warn("Reached maximum number of partitions, scanning stopped!\n");
127			break;
128		}
129
130		/* Read beginning of the block */
131		if (mtd_read(master, offset, BCM47XXPART_BYTES_TO_READ,
132			     &bytes_read, (uint8_t *)buf) < 0) {
133			pr_err("mtd_read error while parsing (offset: 0x%X)!\n",
134			       offset);
135			continue;
136		}
137
138		/* Magic or small NVRAM at 0x400 */
139		if ((buf[0x4e0 / 4] == CFE_MAGIC && buf[0x4e4 / 4] == CFE_MAGIC) ||
140		    (buf[0x400 / 4] == NVRAM_HEADER)) {
141			bcm47xxpart_add_part(&parts[curr_part++], "boot",
142					     offset, MTD_WRITEABLE);
143			continue;
144		}
145
146		/*
147		 * board_data starts with board_id which differs across boards,
148		 * but we can use 'MPFR' (hopefully) magic at 0x100
149		 */
150		if (buf[0x100 / 4] == BOARD_DATA_MAGIC) {
151			bcm47xxpart_add_part(&parts[curr_part++], "board_data",
152					     offset, MTD_WRITEABLE);
153			continue;
154		}
155
156		/* Found on Huawei E970 */
157		if (buf[0x000 / 4] == FACTORY_MAGIC) {
158			bcm47xxpart_add_part(&parts[curr_part++], "factory",
159					     offset, MTD_WRITEABLE);
160			continue;
161		}
162
163		/* POT(TOP) */
164		if (buf[0x000 / 4] == POT_MAGIC1 &&
165		    (buf[0x004 / 4] & 0xFFFF) == POT_MAGIC2) {
166			bcm47xxpart_add_part(&parts[curr_part++], "POT", offset,
167					     MTD_WRITEABLE);
168			continue;
169		}
170
171		/* ML */
172		if (buf[0x010 / 4] == ML_MAGIC1 &&
173		    buf[0x014 / 4] == ML_MAGIC2) {
174			bcm47xxpart_add_part(&parts[curr_part++], "ML", offset,
175					     MTD_WRITEABLE);
176			continue;
177		}
178
179		/* TRX */
180		if (buf[0x000 / 4] == TRX_MAGIC) {
181			if (BCM47XXPART_MAX_PARTS - curr_part < 4) {
182				pr_warn("Not enough partitions left to register trx, scanning stopped!\n");
183				break;
184			}
185
186			trx = (struct trx_header *)buf;
187
188			trx_part = curr_part;
189			bcm47xxpart_add_part(&parts[curr_part++], "firmware",
190					     offset, 0);
191
192			i = 0;
193			/* We have LZMA loader if offset[2] points to sth */
194			if (trx->offset[2]) {
195				bcm47xxpart_add_part(&parts[curr_part++],
196						     "loader",
197						     offset + trx->offset[i],
198						     0);
199				i++;
200			}
201
202			if (trx->offset[i]) {
203				bcm47xxpart_add_part(&parts[curr_part++],
204						     "linux",
205						     offset + trx->offset[i],
206						     0);
207				i++;
208			}
209
210			/*
211			 * Pure rootfs size is known and can be calculated as:
212			 * trx->length - trx->offset[i]. We don't fill it as
213			 * we want to have jffs2 (overlay) in the same mtd.
214			 */
215			if (trx->offset[i]) {
216				const char *name;
217
218				name = bcm47xxpart_trx_data_part_name(master, offset + trx->offset[i]);
219				bcm47xxpart_add_part(&parts[curr_part++],
220						     name,
221						     offset + trx->offset[i],
222						     0);
223				i++;
224			}
225
226			last_trx_part = curr_part - 1;
227
228			/*
229			 * We have whole TRX scanned, skip to the next part. Use
230			 * roundown (not roundup), as the loop will increase
231			 * offset in next step.
232			 */
233			offset = rounddown(offset + trx->length, blocksize);
234			continue;
235		}
236
237		/* Squashfs on devices not using TRX */
238		if (le32_to_cpu(buf[0x000 / 4]) == SQUASHFS_MAGIC ||
239		    buf[0x000 / 4] == SHSQ_MAGIC) {
240			bcm47xxpart_add_part(&parts[curr_part++], "rootfs",
241					     offset, 0);
242			continue;
243		}
244
245		/*
246		 * New (ARM?) devices may have NVRAM in some middle block. Last
247		 * block will be checked later, so skip it.
248		 */
249		if (offset != master->size - blocksize &&
250		    buf[0x000 / 4] == NVRAM_HEADER) {
251			bcm47xxpart_add_part(&parts[curr_part++], "nvram",
252					     offset, 0);
253			continue;
254		}
255
256		/* Read middle of the block */
257		if (mtd_read(master, offset + 0x8000, 0x4,
258			     &bytes_read, (uint8_t *)buf) < 0) {
259			pr_err("mtd_read error while parsing (offset: 0x%X)!\n",
260			       offset);
261			continue;
262		}
263
264		/* Some devices (ex. WNDR3700v3) don't have a standard 'MPFR' */
265		if (buf[0x000 / 4] == BOARD_DATA_MAGIC2) {
266			bcm47xxpart_add_part(&parts[curr_part++], "board_data",
267					     offset, MTD_WRITEABLE);
268			continue;
269		}
270	}
271
272	/* Look for NVRAM at the end of the last block. */
273	for (i = 0; i < ARRAY_SIZE(possible_nvram_sizes); i++) {
274		if (curr_part >= BCM47XXPART_MAX_PARTS) {
275			pr_warn("Reached maximum number of partitions, scanning stopped!\n");
276			break;
277		}
278
279		offset = master->size - possible_nvram_sizes[i];
280		if (mtd_read(master, offset, 0x4, &bytes_read,
281			     (uint8_t *)buf) < 0) {
282			pr_err("mtd_read error while reading at offset 0x%X!\n",
283			       offset);
284			continue;
285		}
286
287		/* Standard NVRAM */
288		if (buf[0] == NVRAM_HEADER) {
289			bcm47xxpart_add_part(&parts[curr_part++], "nvram",
290					     master->size - blocksize, 0);
291			break;
292		}
293	}
294
295	kfree(buf);
296
297	/*
298	 * Assume that partitions end at the beginning of the one they are
299	 * followed by.
300	 */
301	for (i = 0; i < curr_part; i++) {
302		u64 next_part_offset = (i < curr_part - 1) ?
303				       parts[i + 1].offset : master->size;
304
305		parts[i].size = next_part_offset - parts[i].offset;
306		if (i == last_trx_part && trx_part >= 0)
307			parts[trx_part].size = next_part_offset -
308					       parts[trx_part].offset;
309	}
310
311	*pparts = parts;
312	return curr_part;
313};
314
315static struct mtd_part_parser bcm47xxpart_mtd_parser = {
316	.owner = THIS_MODULE,
317	.parse_fn = bcm47xxpart_parse,
318	.name = "bcm47xxpart",
319};
320
321static int __init bcm47xxpart_init(void)
322{
323	register_mtd_parser(&bcm47xxpart_mtd_parser);
324	return 0;
325}
326
327static void __exit bcm47xxpart_exit(void)
328{
329	deregister_mtd_parser(&bcm47xxpart_mtd_parser);
330}
331
332module_init(bcm47xxpart_init);
333module_exit(bcm47xxpart_exit);
334
335MODULE_LICENSE("GPL");
336MODULE_DESCRIPTION("MTD partitioning for BCM47XX flash memories");
337