1 /*
2  * Copyright © 2001 Stephen Williams (steve@icarus.com)
3  * Copyright © 2001-2002 David Brownell (dbrownell@users.sourceforge.net)
4  * Copyright © 2008 Roger Williams (rawqux@users.sourceforge.net)
5  * Copyright © 2012 Pete Batard (pete@akeo.ie)
6  * Copyright © 2013 Federico Manzan (f.manzan@gmail.com)
7  *
8  *    This source code is free software; you can redistribute it
9  *    and/or modify it in source code form under the terms of the GNU
10  *    General Public License as published by the Free Software
11  *    Foundation; either version 2 of the License, or (at your option)
12  *    any later version.
13  *
14  *    This program is distributed in the hope that it will be useful,
15  *    but WITHOUT ANY WARRANTY; without even the implied warranty of
16  *    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  *    GNU General Public License for more details.
18  *
19  *    You should have received a copy of the GNU General Public License
20  *    along with this program; if not, write to the Free Software
21  *    Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
22  */
23 #include <stdio.h>
24 #include <errno.h>
25 #include <stdlib.h>
26 #include <string.h>
27 #include <stdint.h>
28 
29 #include "libusb.h"
30 #include "ezusb.h"
31 
32 extern void logerror(const char *format, ...)
33 	__attribute__ ((format(printf, 1, 2)));
34 
35 /*
36  * This file contains functions for uploading firmware into Cypress
37  * EZ-USB microcontrollers. These chips use control endpoint 0 and vendor
38  * specific commands to support writing into the on-chip SRAM. They also
39  * support writing into the CPUCS register, which is how we reset the
40  * processor after loading firmware (including the reset vector).
41  *
42  * These Cypress devices are 8-bit 8051 based microcontrollers with
43  * special support for USB I/O.  They come in several packages, and
44  * some can be set up with external memory when device costs allow.
45  * Note that the design was originally by AnchorChips, so you may find
46  * references to that vendor (which was later merged into Cypress).
47  * The Cypress FX parts are largely compatible with the Anchorhip ones.
48  */
49 
50 int verbose = 1;
51 
52 /*
53  * return true if [addr,addr+len] includes external RAM
54  * for Anchorchips EZ-USB or Cypress EZ-USB FX
55  */
fx_is_external(uint32_t addr,size_t len)56 static bool fx_is_external(uint32_t addr, size_t len)
57 {
58 	/* with 8KB RAM, 0x0000-0x1b3f can be written
59 	 * we can't tell if it's a 4KB device here
60 	 */
61 	if (addr <= 0x1b3f)
62 		return ((addr + len) > 0x1b40);
63 
64 	/* there may be more RAM; unclear if we can write it.
65 	 * some bulk buffers may be unused, 0x1b3f-0x1f3f
66 	 * firmware can set ISODISAB for 2KB at 0x2000-0x27ff
67 	 */
68 	return true;
69 }
70 
71 /*
72  * return true if [addr,addr+len] includes external RAM
73  * for Cypress EZ-USB FX2
74  */
fx2_is_external(uint32_t addr,size_t len)75 static bool fx2_is_external(uint32_t addr, size_t len)
76 {
77 	/* 1st 8KB for data/code, 0x0000-0x1fff */
78 	if (addr <= 0x1fff)
79 		return ((addr + len) > 0x2000);
80 
81 	/* and 512 for data, 0xe000-0xe1ff */
82 	else if (addr >= 0xe000 && addr <= 0xe1ff)
83 		return ((addr + len) > 0xe200);
84 
85 	/* otherwise, it's certainly external */
86 	else
87 		return true;
88 }
89 
90 /*
91  * return true if [addr,addr+len] includes external RAM
92  * for Cypress EZ-USB FX2LP
93  */
fx2lp_is_external(uint32_t addr,size_t len)94 static bool fx2lp_is_external(uint32_t addr, size_t len)
95 {
96 	/* 1st 16KB for data/code, 0x0000-0x3fff */
97 	if (addr <= 0x3fff)
98 		return ((addr + len) > 0x4000);
99 
100 	/* and 512 for data, 0xe000-0xe1ff */
101 	else if (addr >= 0xe000 && addr <= 0xe1ff)
102 		return ((addr + len) > 0xe200);
103 
104 	/* otherwise, it's certainly external */
105 	else
106 		return true;
107 }
108 
109 
110 /*****************************************************************************/
111 
112 /*
113  * These are the requests (bRequest) that the bootstrap loader is expected
114  * to recognize.  The codes are reserved by Cypress, and these values match
115  * what EZ-USB hardware, or "Vend_Ax" firmware (2nd stage loader) uses.
116  * Cypress' "a3load" is nice because it supports both FX and FX2, although
117  * it doesn't have the EEPROM support (subset of "Vend_Ax").
118  */
119 #define RW_INTERNAL     0xA0	/* hardware implements this one */
120 #define RW_MEMORY       0xA3
121 
122 /*
123  * Issues the specified vendor-specific write request.
124  */
ezusb_write(libusb_device_handle * device,const char * label,uint8_t opcode,uint32_t addr,const unsigned char * data,size_t len)125 static int ezusb_write(libusb_device_handle *device, const char *label,
126 	uint8_t opcode, uint32_t addr, const unsigned char *data, size_t len)
127 {
128 	int status;
129 
130 	if (verbose > 1)
131 		logerror("%s, addr 0x%08x len %4u (0x%04x)\n", label, addr, (unsigned)len, (unsigned)len);
132 	status = libusb_control_transfer(device,
133 		LIBUSB_ENDPOINT_OUT | LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE,
134 		opcode, addr & 0xFFFF, addr >> 16,
135 		(unsigned char*)data, (uint16_t)len, 1000);
136 	if (status != (signed)len) {
137 		if (status < 0)
138 			logerror("%s: %s\n", label, libusb_error_name(status));
139 		else
140 			logerror("%s ==> %d\n", label, status);
141 	}
142 	return (status < 0) ? -EIO : 0;
143 }
144 
145 /*
146  * Issues the specified vendor-specific read request.
147  */
ezusb_read(libusb_device_handle * device,const char * label,uint8_t opcode,uint32_t addr,const unsigned char * data,size_t len)148 static int ezusb_read(libusb_device_handle *device, const char *label,
149 	uint8_t opcode, uint32_t addr, const unsigned char *data, size_t len)
150 {
151 	int status;
152 
153 	if (verbose > 1)
154 		logerror("%s, addr 0x%08x len %4u (0x%04x)\n", label, addr, (unsigned)len, (unsigned)len);
155 	status = libusb_control_transfer(device,
156 		LIBUSB_ENDPOINT_IN | LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE,
157 		opcode, addr & 0xFFFF, addr >> 16,
158 		(unsigned char*)data, (uint16_t)len, 1000);
159 	if (status != (signed)len) {
160 		if (status < 0)
161 			logerror("%s: %s\n", label, libusb_error_name(status));
162 		else
163 			logerror("%s ==> %d\n", label, status);
164 	}
165 	return (status < 0) ? -EIO : 0;
166 }
167 
168 /*
169  * Modifies the CPUCS register to stop or reset the CPU.
170  * Returns false on error.
171  */
ezusb_cpucs(libusb_device_handle * device,uint32_t addr,bool doRun)172 static bool ezusb_cpucs(libusb_device_handle *device, uint32_t addr, bool doRun)
173 {
174 	int status;
175 	uint8_t data = doRun ? 0x00 : 0x01;
176 
177 	if (verbose)
178 		logerror("%s\n", data ? "stop CPU" : "reset CPU");
179 	status = libusb_control_transfer(device,
180 		LIBUSB_ENDPOINT_OUT | LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE,
181 		RW_INTERNAL, addr & 0xFFFF, addr >> 16,
182 		&data, 1, 1000);
183 	if ((status != 1) &&
184 		/* We may get an I/O error from libusb as the device disappears */
185 		((!doRun) || (status != LIBUSB_ERROR_IO)))
186 	{
187 		const char *mesg = "can't modify CPUCS";
188 		if (status < 0)
189 			logerror("%s: %s\n", mesg, libusb_error_name(status));
190 		else
191 			logerror("%s\n", mesg);
192 		return false;
193 	} else
194 		return true;
195 }
196 
197 /*
198  * Send an FX3 jumpt to address command
199  * Returns false on error.
200  */
ezusb_fx3_jump(libusb_device_handle * device,uint32_t addr)201 static bool ezusb_fx3_jump(libusb_device_handle *device, uint32_t addr)
202 {
203 	int status;
204 
205 	if (verbose)
206 		logerror("transfer execution to Program Entry at 0x%08x\n", addr);
207 	status = libusb_control_transfer(device,
208 		LIBUSB_ENDPOINT_OUT | LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE,
209 		RW_INTERNAL, addr & 0xFFFF, addr >> 16,
210 		NULL, 0, 1000);
211 	/* We may get an I/O error from libusb as the device disappears */
212 	if ((status != 0) && (status != LIBUSB_ERROR_IO))
213 	{
214 		const char *mesg = "failed to send jump command";
215 		if (status < 0)
216 			logerror("%s: %s\n", mesg, libusb_error_name(status));
217 		else
218 			logerror("%s\n", mesg);
219 		return false;
220 	} else
221 		return true;
222 }
223 
224 /*****************************************************************************/
225 
226 /*
227  * Parse an Intel HEX image file and invoke the poke() function on the
228  * various segments to implement policies such as writing to RAM (with
229  * a one or two stage loader setup, depending on the firmware) or to
230  * EEPROM (two stages required).
231  *
232  * image       - the hex image file
233  * context     - for use by poke()
234  * is_external - if non-null, used to check which segments go into
235  *               external memory (writable only by software loader)
236  * poke        - called with each memory segment; errors indicated
237  *               by returning negative values.
238  *
239  * Caller is responsible for halting CPU as needed, such as when
240  * overwriting a second stage loader.
241  */
parse_ihex(FILE * image,void * context,bool (* is_external)(uint32_t addr,size_t len),int (* poke)(void * context,uint32_t addr,bool external,const unsigned char * data,size_t len))242 static int parse_ihex(FILE *image, void *context,
243 	bool (*is_external)(uint32_t addr, size_t len),
244 	int (*poke) (void *context, uint32_t addr, bool external,
245 	const unsigned char *data, size_t len))
246 {
247 	unsigned char data[1023];
248 	uint32_t data_addr = 0;
249 	size_t data_len = 0;
250 	int rc;
251 	int first_line = 1;
252 	bool external = false;
253 
254 	/* Read the input file as an IHEX file, and report the memory segments
255 	 * as we go.  Each line holds a max of 16 bytes, but uploading is
256 	 * faster (and EEPROM space smaller) if we merge those lines into larger
257 	 * chunks.  Most hex files keep memory segments together, which makes
258 	 * such merging all but free.  (But it may still be worth sorting the
259 	 * hex files to make up for undesirable behavior from tools.)
260 	 *
261 	 * Note that EEPROM segments max out at 1023 bytes; the upload protocol
262 	 * allows segments of up to 64 KBytes (more than a loader could handle).
263 	 */
264 	for (;;) {
265 		char buf[512], *cp;
266 		char tmp, type;
267 		size_t len;
268 		unsigned idx, off;
269 
270 		cp = fgets(buf, sizeof(buf), image);
271 		if (cp == NULL) {
272 			logerror("EOF without EOF record!\n");
273 			break;
274 		}
275 
276 		/* EXTENSION: "# comment-till-end-of-line", for copyrights etc */
277 		if (buf[0] == '#')
278 			continue;
279 
280 		if (buf[0] != ':') {
281 			logerror("not an ihex record: %s", buf);
282 			return -2;
283 		}
284 
285 		/* ignore any newline */
286 		cp = strchr(buf, '\n');
287 		if (cp)
288 			*cp = 0;
289 
290 		if (verbose >= 3)
291 			logerror("** LINE: %s\n", buf);
292 
293 		/* Read the length field (up to 16 bytes) */
294 		tmp = buf[3];
295 		buf[3] = 0;
296 		len = strtoul(buf+1, NULL, 16);
297 		buf[3] = tmp;
298 
299 		/* Read the target offset (address up to 64KB) */
300 		tmp = buf[7];
301 		buf[7] = 0;
302 		off = (int)strtoul(buf+3, NULL, 16);
303 		buf[7] = tmp;
304 
305 		/* Initialize data_addr */
306 		if (first_line) {
307 			data_addr = off;
308 			first_line = 0;
309 		}
310 
311 		/* Read the record type */
312 		tmp = buf[9];
313 		buf[9] = 0;
314 		type = (char)strtoul(buf+7, NULL, 16);
315 		buf[9] = tmp;
316 
317 		/* If this is an EOF record, then make it so. */
318 		if (type == 1) {
319 			if (verbose >= 2)
320 				logerror("EOF on hexfile\n");
321 			break;
322 		}
323 
324 		if (type != 0) {
325 			logerror("unsupported record type: %u\n", type);
326 			return -3;
327 		}
328 
329 		if ((len * 2) + 11 > strlen(buf)) {
330 			logerror("record too short?\n");
331 			return -4;
332 		}
333 
334 		/* FIXME check for _physically_ contiguous not just virtually
335 		 * e.g. on FX2 0x1f00-0x2100 includes both on-chip and external
336 		 * memory so it's not really contiguous */
337 
338 		/* flush the saved data if it's not contiguous,
339 		* or when we've buffered as much as we can.
340 		*/
341 		if (data_len != 0
342 			&& (off != (data_addr + data_len)
343 			/* || !merge */
344 			|| (data_len + len) > sizeof(data))) {
345 				if (is_external)
346 					external = is_external(data_addr, data_len);
347 				rc = poke(context, data_addr, external, data, data_len);
348 				if (rc < 0)
349 					return -1;
350 				data_addr = off;
351 				data_len = 0;
352 		}
353 
354 		/* append to saved data, flush later */
355 		for (idx = 0, cp = buf+9 ;  idx < len ;  idx += 1, cp += 2) {
356 			tmp = cp[2];
357 			cp[2] = 0;
358 			data[data_len + idx] = (uint8_t)strtoul(cp, NULL, 16);
359 			cp[2] = tmp;
360 		}
361 		data_len += len;
362 	}
363 
364 
365 	/* flush any data remaining */
366 	if (data_len != 0) {
367 		if (is_external)
368 			external = is_external(data_addr, data_len);
369 		rc = poke(context, data_addr, external, data, data_len);
370 		if (rc < 0)
371 			return -1;
372 	}
373 	return 0;
374 }
375 
376 /*
377  * Parse a binary image file and write it as is to the target.
378  * Applies to Cypress BIX images for RAM or Cypress IIC images
379  * for EEPROM.
380  *
381  * image       - the BIX image file
382  * context     - for use by poke()
383  * is_external - if non-null, used to check which segments go into
384  *               external memory (writable only by software loader)
385  * poke        - called with each memory segment; errors indicated
386  *               by returning negative values.
387  *
388  * Caller is responsible for halting CPU as needed, such as when
389  * overwriting a second stage loader.
390  */
parse_bin(FILE * image,void * context,bool (* is_external)(uint32_t addr,size_t len),int (* poke)(void * context,uint32_t addr,bool external,const unsigned char * data,size_t len))391 static int parse_bin(FILE *image, void *context,
392 	bool (*is_external)(uint32_t addr, size_t len), int (*poke)(void *context,
393 	uint32_t addr, bool external, const unsigned char *data, size_t len))
394 {
395 	unsigned char data[4096];
396 	uint32_t data_addr = 0;
397 	size_t data_len = 0;
398 	int rc;
399 	bool external = false;
400 
401 	for (;;) {
402 		data_len = fread(data, 1, 4096, image);
403 		if (data_len == 0)
404 			break;
405 		if (is_external)
406 			external = is_external(data_addr, data_len);
407 		rc = poke(context, data_addr, external, data, data_len);
408 		if (rc < 0)
409 			return -1;
410 		data_addr += (uint32_t)data_len;
411 	}
412 	return feof(image)?0:-1;
413 }
414 
415 /*
416  * Parse a Cypress IIC image file and invoke the poke() function on the
417  * various segments for writing to RAM
418  *
419  * image       - the IIC image file
420  * context     - for use by poke()
421  * is_external - if non-null, used to check which segments go into
422  *               external memory (writable only by software loader)
423  * poke        - called with each memory segment; errors indicated
424  *               by returning negative values.
425  *
426  * Caller is responsible for halting CPU as needed, such as when
427  * overwriting a second stage loader.
428  */
parse_iic(FILE * image,void * context,bool (* is_external)(uint32_t addr,size_t len),int (* poke)(void * context,uint32_t addr,bool external,const unsigned char * data,size_t len))429 static int parse_iic(FILE *image, void *context,
430 	bool (*is_external)(uint32_t addr, size_t len),
431 	int (*poke)(void *context, uint32_t addr, bool external, const unsigned char *data, size_t len))
432 {
433 	unsigned char data[4096];
434 	uint32_t data_addr = 0;
435 	size_t data_len = 0, read_len;
436 	uint8_t block_header[4];
437 	int rc;
438 	bool external = false;
439 	long file_size, initial_pos;
440 
441 	initial_pos = ftell(image);
442 	if (initial_pos < 0)
443 		return -1;
444 
445 	if (fseek(image, 0L, SEEK_END) != 0)
446 		return -1;
447 	file_size = ftell(image);
448 	if (fseek(image, initial_pos, SEEK_SET) != 0)
449 		return -1;
450 	for (;;) {
451 		/* Ignore the trailing reset IIC data (5 bytes) */
452 		if (ftell(image) >= (file_size - 5))
453 			break;
454 		if (fread(&block_header, 1, sizeof(block_header), image) != 4) {
455 			logerror("unable to read IIC block header\n");
456 			return -1;
457 		}
458 		data_len = (block_header[0] << 8) + block_header[1];
459 		data_addr = (block_header[2] << 8) + block_header[3];
460 		if (data_len > sizeof(data)) {
461 			/* If this is ever reported as an error, switch to using malloc/realloc */
462 			logerror("IIC data block too small - please report this error to libusb.info\n");
463 			return -1;
464 		}
465 		read_len = fread(data, 1, data_len, image);
466 		if (read_len != data_len) {
467 			logerror("read error\n");
468 			return -1;
469 		}
470 		if (is_external)
471 			external = is_external(data_addr, data_len);
472 		rc = poke(context, data_addr, external, data, data_len);
473 		if (rc < 0)
474 			return -1;
475 	}
476 	return 0;
477 }
478 
479 /* the parse call will be selected according to the image type */
480 static int (*parse[IMG_TYPE_MAX])(FILE *image, void *context, bool (*is_external)(uint32_t addr, size_t len),
481            int (*poke)(void *context, uint32_t addr, bool external, const unsigned char *data, size_t len))
482            = { parse_ihex, parse_iic, parse_bin };
483 
484 /*****************************************************************************/
485 
486 /*
487  * For writing to RAM using a first (hardware) or second (software)
488  * stage loader and 0xA0 or 0xA3 vendor requests
489  */
490 typedef enum {
491 	_undef = 0,
492 	internal_only,		/* hardware first-stage loader */
493 	skip_internal,		/* first phase, second-stage loader */
494 	skip_external		/* second phase, second-stage loader */
495 } ram_mode;
496 
497 struct ram_poke_context {
498 	libusb_device_handle *device;
499 	ram_mode mode;
500 	size_t total, count;
501 };
502 
503 #define RETRY_LIMIT 5
504 
ram_poke(void * context,uint32_t addr,bool external,const unsigned char * data,size_t len)505 static int ram_poke(void *context, uint32_t addr, bool external,
506 	const unsigned char *data, size_t len)
507 {
508 	struct ram_poke_context *ctx = (struct ram_poke_context*)context;
509 	int rc;
510 	unsigned retry = 0;
511 
512 	switch (ctx->mode) {
513 	case internal_only:		/* CPU should be stopped */
514 		if (external) {
515 			logerror("can't write %u bytes external memory at 0x%08x\n",
516 				(unsigned)len, addr);
517 			return -EINVAL;
518 		}
519 		break;
520 	case skip_internal:		/* CPU must be running */
521 		if (!external) {
522 			if (verbose >= 2) {
523 				logerror("SKIP on-chip RAM, %u bytes at 0x%08x\n",
524 					(unsigned)len, addr);
525 			}
526 			return 0;
527 		}
528 		break;
529 	case skip_external:		/* CPU should be stopped */
530 		if (external) {
531 			if (verbose >= 2) {
532 				logerror("SKIP external RAM, %u bytes at 0x%08x\n",
533 					(unsigned)len, addr);
534 			}
535 			return 0;
536 		}
537 		break;
538 	case _undef:
539 	default:
540 		logerror("bug\n");
541 		return -EDOM;
542 	}
543 
544 	ctx->total += len;
545 	ctx->count++;
546 
547 	/* Retry this till we get a real error. Control messages are not
548 	 * NAKed (just dropped) so time out means is a real problem.
549 	 */
550 	while ((rc = ezusb_write(ctx->device,
551 		external ? "write external" : "write on-chip",
552 		external ? RW_MEMORY : RW_INTERNAL,
553 		addr, data, len)) < 0
554 		&& retry < RETRY_LIMIT) {
555 		if (rc != LIBUSB_ERROR_TIMEOUT)
556 			break;
557 		retry += 1;
558 	}
559 	return rc;
560 }
561 
562 /*
563  * Load a Cypress Image file into target RAM.
564  * See http://www.cypress.com/?docID=41351 (AN76405 PDF) for more info.
565  */
fx3_load_ram(libusb_device_handle * device,const char * path)566 static int fx3_load_ram(libusb_device_handle *device, const char *path)
567 {
568 	uint32_t dCheckSum, dExpectedCheckSum, dAddress, i, dLen, dLength;
569 	uint32_t* dImageBuf;
570 	unsigned char *bBuf, hBuf[4], blBuf[4], rBuf[4096];
571 	FILE *image;
572 	int ret = 0;
573 
574 	image = fopen(path, "rb");
575 	if (image == NULL) {
576 		logerror("unable to open '%s' for input\n", path);
577 		return -2;
578 	} else if (verbose)
579 		logerror("open firmware image %s for RAM upload\n", path);
580 
581 	// Read header
582 	if (fread(hBuf, sizeof(char), sizeof(hBuf), image) != sizeof(hBuf)) {
583 		logerror("could not read image header");
584 		ret = -3;
585 		goto exit;
586 	}
587 
588 	// check "CY" signature byte and format
589 	if ((hBuf[0] != 'C') || (hBuf[1] != 'Y')) {
590 		logerror("image doesn't have a CYpress signature\n");
591 		ret = -3;
592 		goto exit;
593 	}
594 
595 	// Check bImageType
596 	switch(hBuf[3]) {
597 	case 0xB0:
598 		if (verbose)
599 			logerror("normal FW binary %s image with checksum\n", (hBuf[2]&0x01)?"data":"executable");
600 		break;
601 	case 0xB1:
602 		logerror("security binary image is not currently supported\n");
603 		ret = -3;
604 		goto exit;
605 	case 0xB2:
606 		logerror("VID:PID image is not currently supported\n");
607 		ret = -3;
608 		goto exit;
609 	default:
610 		logerror("invalid image type 0x%02X\n", hBuf[3]);
611 		ret = -3;
612 		goto exit;
613 	}
614 
615 	// Read the bootloader version
616 	if (verbose) {
617 		if ((ezusb_read(device, "read bootloader version", RW_INTERNAL, 0xFFFF0020, blBuf, 4) < 0)) {
618 			logerror("Could not read bootloader version\n");
619 			ret = -8;
620 			goto exit;
621 		}
622 		logerror("FX3 bootloader version: 0x%02X%02X%02X%02X\n", blBuf[3], blBuf[2], blBuf[1], blBuf[0]);
623 	}
624 
625 	dCheckSum = 0;
626 	if (verbose)
627 		logerror("writing image...\n");
628 	while (1) {
629 		if ((fread(&dLength, sizeof(uint32_t), 1, image) != 1) ||  // read dLength
630 			(fread(&dAddress, sizeof(uint32_t), 1, image) != 1)) { // read dAddress
631 			logerror("could not read image");
632 			ret = -3;
633 			goto exit;
634 		}
635 		if (dLength == 0)
636 			break; // done
637 
638 		// coverity[tainted_data]
639 		dImageBuf = (uint32_t*)calloc(dLength, sizeof(uint32_t));
640 		if (dImageBuf == NULL) {
641 			logerror("could not allocate buffer for image chunk\n");
642 			ret = -4;
643 			goto exit;
644 		}
645 
646 		// read sections
647 		if (fread(dImageBuf, sizeof(uint32_t), dLength, image) != dLength) {
648 			logerror("could not read image");
649 			free(dImageBuf);
650 			ret = -3;
651 			goto exit;
652 		}
653 		for (i = 0; i < dLength; i++)
654 			dCheckSum += dImageBuf[i];
655 		dLength <<= 2; // convert to Byte length
656 		bBuf = (unsigned char*) dImageBuf;
657 
658 		while (dLength > 0) {
659 			dLen = 4096; // 4K max
660 			if (dLen > dLength)
661 				dLen = dLength;
662 			if ((ezusb_write(device, "write firmware", RW_INTERNAL, dAddress, bBuf, dLen) < 0) ||
663 				(ezusb_read(device, "read firmware", RW_INTERNAL, dAddress, rBuf, dLen) < 0)) {
664 				logerror("R/W error\n");
665 				free(dImageBuf);
666 				ret = -5;
667 				goto exit;
668 			}
669 			// Verify data: rBuf with bBuf
670 			for (i = 0; i < dLen; i++) {
671 				if (rBuf[i] != bBuf[i]) {
672 					logerror("verify error");
673 					free(dImageBuf);
674 					ret = -6;
675 					goto exit;
676 				}
677 			}
678 
679 			dLength -= dLen;
680 			bBuf += dLen;
681 			dAddress += dLen;
682 		}
683 		free(dImageBuf);
684 	}
685 
686 	// read pre-computed checksum data
687 	if ((fread(&dExpectedCheckSum, sizeof(uint32_t), 1, image) != 1) ||
688 		(dCheckSum != dExpectedCheckSum)) {
689 		logerror("checksum error\n");
690 		ret = -7;
691 		goto exit;
692 	}
693 
694 	// transfer execution to Program Entry
695 	if (!ezusb_fx3_jump(device, dAddress)) {
696 		ret = -6;
697 	}
698 
699 exit:
700 	fclose(image);
701 	return ret;
702 }
703 
704 /*
705  * Load a firmware file into target RAM. device is the open libusb
706  * device, and the path is the name of the source file. Open the file,
707  * parse the bytes, and write them in one or two phases.
708  *
709  * If stage == 0, this uses the first stage loader, built into EZ-USB
710  * hardware but limited to writing on-chip memory or CPUCS.  Everything
711  * is written during one stage, unless there's an error such as the image
712  * holding data that needs to be written to external memory.
713  *
714  * Otherwise, things are written in two stages.  First the external
715  * memory is written, expecting a second stage loader to have already
716  * been loaded.  Then file is re-parsed and on-chip memory is written.
717  */
ezusb_load_ram(libusb_device_handle * device,const char * path,int fx_type,int img_type,int stage)718 int ezusb_load_ram(libusb_device_handle *device, const char *path, int fx_type, int img_type, int stage)
719 {
720 	FILE *image;
721 	uint32_t cpucs_addr;
722 	bool (*is_external)(uint32_t off, size_t len);
723 	struct ram_poke_context ctx;
724 	int status;
725 	uint8_t iic_header[8] = { 0 };
726 	int ret = 0;
727 
728 	if (fx_type == FX_TYPE_FX3)
729 		return fx3_load_ram(device, path);
730 
731 	image = fopen(path, "rb");
732 	if (image == NULL) {
733 		logerror("%s: unable to open for input.\n", path);
734 		return -2;
735 	} else if (verbose > 1)
736 		logerror("open firmware image %s for RAM upload\n", path);
737 
738 	if (img_type == IMG_TYPE_IIC) {
739 		if ( (fread(iic_header, 1, sizeof(iic_header), image) != sizeof(iic_header))
740 		  || (((fx_type == FX_TYPE_FX2LP) || (fx_type == FX_TYPE_FX2)) && (iic_header[0] != 0xC2))
741 		  || ((fx_type == FX_TYPE_AN21) && (iic_header[0] != 0xB2))
742 		  || ((fx_type == FX_TYPE_FX1) && (iic_header[0] != 0xB6)) ) {
743 			logerror("IIC image does not contain executable code - cannot load to RAM.\n");
744 			ret = -1;
745 			goto exit;
746 		}
747 	}
748 
749 	/* EZ-USB original/FX and FX2 devices differ, apart from the 8051 core */
750 	switch(fx_type) {
751 	case FX_TYPE_FX2LP:
752 		cpucs_addr = 0xe600;
753 		is_external = fx2lp_is_external;
754 		break;
755 	case FX_TYPE_FX2:
756 		cpucs_addr = 0xe600;
757 		is_external = fx2_is_external;
758 		break;
759 	default:
760 		cpucs_addr = 0x7f92;
761 		is_external = fx_is_external;
762 		break;
763 	}
764 
765 	/* use only first stage loader? */
766 	if (stage == 0) {
767 		ctx.mode = internal_only;
768 
769 		/* if required, halt the CPU while we overwrite its code/data */
770 		if (cpucs_addr && !ezusb_cpucs(device, cpucs_addr, false))
771 		{
772 			ret = -1;
773 			goto exit;
774 		}
775 
776 		/* 2nd stage, first part? loader was already uploaded */
777 	} else {
778 		ctx.mode = skip_internal;
779 
780 		/* let CPU run; overwrite the 2nd stage loader later */
781 		if (verbose)
782 			logerror("2nd stage: write external memory\n");
783 	}
784 
785 	/* scan the image, first (maybe only) time */
786 	ctx.device = device;
787 	ctx.total = ctx.count = 0;
788 	status = parse[img_type](image, &ctx, is_external, ram_poke);
789 	if (status < 0) {
790 		logerror("unable to upload %s\n", path);
791 		ret = status;
792 		goto exit;
793 	}
794 
795 	/* second part of 2nd stage: rescan */
796 	// TODO: what should we do for non HEX images there?
797 	if (stage) {
798 		ctx.mode = skip_external;
799 
800 		/* if needed, halt the CPU while we overwrite the 1st stage loader */
801 		if (cpucs_addr && !ezusb_cpucs(device, cpucs_addr, false))
802 		{
803 			ret = -1;
804 			goto exit;
805 		}
806 
807 		/* at least write the interrupt vectors (at 0x0000) for reset! */
808 		rewind(image);
809 		if (verbose)
810 			logerror("2nd stage: write on-chip memory\n");
811 		status = parse_ihex(image, &ctx, is_external, ram_poke);
812 		if (status < 0) {
813 			logerror("unable to completely upload %s\n", path);
814 			ret = status;
815 			goto exit;
816 		}
817 	}
818 
819 	if (verbose && (ctx.count != 0)) {
820 		logerror("... WROTE: %d bytes, %d segments, avg %d\n",
821 			(int)ctx.total, (int)ctx.count, (int)(ctx.total/ctx.count));
822 	}
823 
824 	/* if required, reset the CPU so it runs what we just uploaded */
825 	if (cpucs_addr && !ezusb_cpucs(device, cpucs_addr, true))
826 		ret = -1;
827 
828 exit:
829 	fclose(image);
830 	return ret;
831 }
832