xref: /openbsd-src/sys/dev/usb/if_uath.c (revision 4c1e55dc91edd6e69ccc60ce855900fbc12cf34f)
1 /*	$OpenBSD: if_uath.c,v 1.51 2011/07/03 15:47:17 matthew Exp $	*/
2 
3 /*-
4  * Copyright (c) 2006
5  *	Damien Bergamini <damien.bergamini@free.fr>
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 /*-
21  * Driver for Atheros AR5005UG/AR5005UX chipsets.
22  *
23  * IMPORTANT NOTICE:
24  * This driver was written without any documentation or support from Atheros
25  * Communications. It is based on a black-box analysis of the Windows binary
26  * driver. It handles both pre and post-firmware devices.
27  */
28 
29 #include "bpfilter.h"
30 
31 #include <sys/param.h>
32 #include <sys/sockio.h>
33 #include <sys/mbuf.h>
34 #include <sys/kernel.h>
35 #include <sys/socket.h>
36 #include <sys/systm.h>
37 #include <sys/timeout.h>
38 #include <sys/conf.h>
39 #include <sys/device.h>
40 
41 #include <machine/bus.h>
42 #include <machine/endian.h>
43 #include <machine/intr.h>
44 
45 #if NBPFILTER > 0
46 #include <net/bpf.h>
47 #endif
48 #include <net/if.h>
49 #include <net/if_arp.h>
50 #include <net/if_dl.h>
51 #include <net/if_media.h>
52 #include <net/if_types.h>
53 
54 #include <netinet/in.h>
55 #include <netinet/in_systm.h>
56 #include <netinet/in_var.h>
57 #include <netinet/if_ether.h>
58 #include <netinet/ip.h>
59 
60 #include <net80211/ieee80211_var.h>
61 #include <net80211/ieee80211_radiotap.h>
62 
63 #include <dev/rndvar.h>
64 #include <crypto/arc4.h>
65 
66 #include <dev/usb/usb.h>
67 #include <dev/usb/usbdi.h>
68 #include <dev/usb/usbdivar.h>	/* needs_reattach() */
69 #include <dev/usb/usbdi_util.h>
70 #include <dev/usb/usbdevs.h>
71 
72 #include <dev/usb/if_uathreg.h>
73 #include <dev/usb/if_uathvar.h>
74 
75 #ifdef USB_DEBUG
76 #define UATH_DEBUG
77 #endif
78 
79 #ifdef UATH_DEBUG
80 #define DPRINTF(x)	do { if (uath_debug) printf x; } while (0)
81 #define DPRINTFN(n, x)	do { if (uath_debug >= (n)) printf x; } while (0)
82 int uath_debug = 1;
83 #else
84 #define DPRINTF(x)
85 #define DPRINTFN(n, x)
86 #endif
87 
88 /*-
89  * Various supported device vendors/products.
90  * UB51: AR5005UG 802.11b/g, UB52: AR5005UX 802.11a/b/g
91  */
92 #define UATH_DEV(v, p, f)						\
93 	{ { USB_VENDOR_##v, USB_PRODUCT_##v##_##p }, (f) },		\
94 	{ { USB_VENDOR_##v, USB_PRODUCT_##v##_##p##_NF },		\
95 	    (f) | UATH_FLAG_PRE_FIRMWARE }
96 #define UATH_DEV_UG(v, p)	UATH_DEV(v, p, 0)
97 #define UATH_DEV_UX(v, p)	UATH_DEV(v, p, UATH_FLAG_ABG)
98 static const struct uath_type {
99 	struct usb_devno	dev;
100 	unsigned int		flags;
101 #define UATH_FLAG_PRE_FIRMWARE	(1 << 0)
102 #define UATH_FLAG_ABG		(1 << 1)
103 } uath_devs[] = {
104 	UATH_DEV_UG(ACCTON,		SMCWUSBTG2),
105 	UATH_DEV_UG(ATHEROS,		AR5523),
106 	UATH_DEV_UG(ATHEROS2,		AR5523_1),
107 	UATH_DEV_UG(ATHEROS2,		AR5523_2),
108 	UATH_DEV_UX(ATHEROS2,		AR5523_3),
109 	UATH_DEV_UG(CONCEPTRONIC,	AR5523_1),
110 	UATH_DEV_UX(CONCEPTRONIC,	AR5523_2),
111 	UATH_DEV_UX(DLINK,		DWLAG122),
112 	UATH_DEV_UX(DLINK,		DWLAG132),
113 	UATH_DEV_UG(DLINK,		DWLG132),
114 	UATH_DEV_UG(GIGASET,		AR5523),
115 	UATH_DEV_UG(GIGASET,		SMCWUSBTG),
116 	UATH_DEV_UG(GLOBALSUN,		AR5523_1),
117 	UATH_DEV_UX(GLOBALSUN,		AR5523_2),
118 	UATH_DEV_UG(IODATA,		USBWNG54US),
119 	UATH_DEV_UG(MELCO,		WLIU2KAMG54),
120 	UATH_DEV_UX(NETGEAR,		WG111U),
121 	UATH_DEV_UG(NETGEAR3,		WG111T),
122 	UATH_DEV_UG(NETGEAR3,		WPN111),
123 	UATH_DEV_UG(PHILIPS,		SNU6500),
124 	UATH_DEV_UX(UMEDIA,		AR5523_2),
125 	UATH_DEV_UG(UMEDIA,		TEW444UBEU),
126 	UATH_DEV_UG(WISTRONNEWEB,	AR5523_1),
127 	UATH_DEV_UX(WISTRONNEWEB,	AR5523_2),
128 	UATH_DEV_UG(ZCOM,		AR5523)
129 };
130 #define uath_lookup(v, p)	\
131 	((const struct uath_type *)usb_lookup(uath_devs, v, p))
132 
133 void	uath_attachhook(void *);
134 int	uath_open_pipes(struct uath_softc *);
135 void	uath_close_pipes(struct uath_softc *);
136 int	uath_alloc_tx_data_list(struct uath_softc *);
137 void	uath_free_tx_data_list(struct uath_softc *);
138 int	uath_alloc_rx_data_list(struct uath_softc *);
139 void	uath_free_rx_data_list(struct uath_softc *);
140 int	uath_alloc_tx_cmd_list(struct uath_softc *);
141 void	uath_free_tx_cmd_list(struct uath_softc *);
142 int	uath_alloc_rx_cmd_list(struct uath_softc *);
143 void	uath_free_rx_cmd_list(struct uath_softc *);
144 int	uath_media_change(struct ifnet *);
145 void	uath_stat(void *);
146 void	uath_next_scan(void *);
147 void	uath_task(void *);
148 int	uath_newstate(struct ieee80211com *, enum ieee80211_state, int);
149 #ifdef UATH_DEBUG
150 void	uath_dump_cmd(const uint8_t *, int, char);
151 #endif
152 int	uath_cmd(struct uath_softc *, uint32_t, const void *, int, void *,
153 	    int);
154 int	uath_cmd_write(struct uath_softc *, uint32_t, const void *, int, int);
155 int	uath_cmd_read(struct uath_softc *, uint32_t, const void *, int, void *,
156 	    int);
157 int	uath_write_reg(struct uath_softc *, uint32_t, uint32_t);
158 int	uath_write_multi(struct uath_softc *, uint32_t, const void *, int);
159 int	uath_read_reg(struct uath_softc *, uint32_t, uint32_t *);
160 int	uath_read_eeprom(struct uath_softc *, uint32_t, void *);
161 void	uath_cmd_rxeof(usbd_xfer_handle, usbd_private_handle, usbd_status);
162 void	uath_data_rxeof(usbd_xfer_handle, usbd_private_handle, usbd_status);
163 void	uath_data_txeof(usbd_xfer_handle, usbd_private_handle, usbd_status);
164 int	uath_tx_null(struct uath_softc *);
165 int	uath_tx_data(struct uath_softc *, struct mbuf *,
166 	    struct ieee80211_node *);
167 void	uath_start(struct ifnet *);
168 void	uath_watchdog(struct ifnet *);
169 int	uath_ioctl(struct ifnet *, u_long, caddr_t);
170 int	uath_query_eeprom(struct uath_softc *);
171 int	uath_reset(struct uath_softc *);
172 int	uath_reset_tx_queues(struct uath_softc *);
173 int	uath_wme_init(struct uath_softc *);
174 int	uath_set_chan(struct uath_softc *, struct ieee80211_channel *);
175 int	uath_set_key(struct uath_softc *, const struct ieee80211_key *, int);
176 int	uath_set_keys(struct uath_softc *);
177 int	uath_set_rates(struct uath_softc *, const struct ieee80211_rateset *);
178 int	uath_set_rxfilter(struct uath_softc *, uint32_t, uint32_t);
179 int	uath_set_led(struct uath_softc *, int, int);
180 int	uath_switch_channel(struct uath_softc *, struct ieee80211_channel *);
181 int	uath_init(struct ifnet *);
182 void	uath_stop(struct ifnet *, int);
183 int	uath_loadfirmware(struct uath_softc *, const u_char *, int);
184 int	uath_activate(struct device *, int);
185 
186 int uath_match(struct device *, void *, void *);
187 void uath_attach(struct device *, struct device *, void *);
188 int uath_detach(struct device *, int);
189 int uath_activate(struct device *, int);
190 
191 struct cfdriver uath_cd = {
192 	NULL, "uath", DV_IFNET
193 };
194 
195 const struct cfattach uath_ca = {
196 	sizeof(struct uath_softc),
197 	uath_match,
198 	uath_attach,
199 	uath_detach,
200 	uath_activate,
201 };
202 
203 int
204 uath_match(struct device *parent, void *match, void *aux)
205 {
206 	struct usb_attach_arg *uaa = aux;
207 
208 	if (uaa->iface != NULL)
209 		return UMATCH_NONE;
210 
211 	return (uath_lookup(uaa->vendor, uaa->product) != NULL) ?
212 	    UMATCH_VENDOR_PRODUCT : UMATCH_NONE;
213 }
214 
215 void
216 uath_attachhook(void *xsc)
217 {
218 	struct uath_softc *sc = xsc;
219 	u_char *fw;
220 	size_t size;
221 	int error;
222 
223 	if ((error = loadfirmware("uath-ar5523", &fw, &size)) != 0) {
224 		printf("%s: error %d, could not read firmware %s\n",
225 		    sc->sc_dev.dv_xname, error, "uath-ar5523");
226 		return;
227 	}
228 
229 	error = uath_loadfirmware(sc, fw, size);
230 	free(fw, M_DEVBUF);
231 
232 	if (error == 0) {
233 		usb_port_status_t status;
234 
235 		/*
236 		 * Hack alert: the device doesn't always gracefully detach
237 		 * from the bus after a firmware upload.  We need to force
238 		 * a port reset and a re-exploration on the parent hub.
239 		 */
240 		usbd_reset_port(sc->sc_uhub, sc->sc_port, &status);
241 		usb_needs_reattach(sc->sc_udev);
242 	} else {
243 		printf("%s: could not load firmware (error=%s)\n",
244 		    sc->sc_dev.dv_xname, usbd_errstr(error));
245 	}
246 }
247 
248 void
249 uath_attach(struct device *parent, struct device *self, void *aux)
250 {
251 	struct uath_softc *sc = (struct uath_softc *)self;
252 	struct usb_attach_arg *uaa = aux;
253 	struct ieee80211com *ic = &sc->sc_ic;
254 	struct ifnet *ifp = &ic->ic_if;
255 	usbd_status error;
256 	int i;
257 
258 	sc->sc_udev = uaa->device;
259 	sc->sc_uhub = uaa->device->myhub;
260 	sc->sc_port = uaa->port;
261 
262 	sc->sc_flags = uath_lookup(uaa->vendor, uaa->product)->flags;
263 
264 	if (usbd_set_config_no(sc->sc_udev, UATH_CONFIG_NO, 0) != 0) {
265 		printf("%s: could not set configuration no\n",
266 		    sc->sc_dev.dv_xname);
267 		return;
268 	}
269 
270 	/* get the first interface handle */
271 	error = usbd_device2interface_handle(sc->sc_udev, UATH_IFACE_INDEX,
272 	    &sc->sc_iface);
273 	if (error != 0) {
274 		printf("%s: could not get interface handle\n",
275 		    sc->sc_dev.dv_xname);
276 		return;
277 	}
278 
279 	/*
280 	 * We must open the pipes early because they're used to upload the
281 	 * firmware (pre-firmware devices) or to send firmware commands.
282 	 */
283 	if (uath_open_pipes(sc) != 0) {
284 		printf("%s: could not open pipes\n", sc->sc_dev.dv_xname);
285 		return;
286 	}
287 
288 	if (sc->sc_flags & UATH_FLAG_PRE_FIRMWARE) {
289 		if (rootvp == NULL)
290 			mountroothook_establish(uath_attachhook, sc);
291 		else
292 			uath_attachhook(sc);
293 		return;
294 	}
295 
296 	/*
297 	 * Only post-firmware devices here.
298 	 */
299 	usb_init_task(&sc->sc_task, uath_task, sc, USB_TASK_TYPE_GENERIC);
300 	timeout_set(&sc->scan_to, uath_next_scan, sc);
301 	timeout_set(&sc->stat_to, uath_stat, sc);
302 
303 	/*
304 	 * Allocate xfers for firmware commands.
305 	 */
306 	if (uath_alloc_tx_cmd_list(sc) != 0) {
307 		printf("%s: could not allocate Tx command list\n",
308 		    sc->sc_dev.dv_xname);
309 		goto fail1;
310 	}
311 	if (uath_alloc_rx_cmd_list(sc) != 0) {
312 		printf("%s: could not allocate Rx command list\n",
313 		    sc->sc_dev.dv_xname);
314 		goto fail2;
315 	}
316 
317 	/*
318 	 * Queue Rx command xfers.
319 	 */
320 	for (i = 0; i < UATH_RX_CMD_LIST_COUNT; i++) {
321 		struct uath_rx_cmd *cmd = &sc->rx_cmd[i];
322 
323 		usbd_setup_xfer(cmd->xfer, sc->cmd_rx_pipe, cmd, cmd->buf,
324 		    UATH_MAX_RXCMDSZ, USBD_SHORT_XFER_OK | USBD_NO_COPY,
325 		    USBD_NO_TIMEOUT, uath_cmd_rxeof);
326 		error = usbd_transfer(cmd->xfer);
327 		if (error != USBD_IN_PROGRESS && error != 0) {
328 			printf("%s: could not queue Rx command xfer\n",
329 			    sc->sc_dev.dv_xname);
330 			goto fail3;
331 		}
332 	}
333 
334 	/*
335 	 * We're now ready to send/receive firmware commands.
336 	 */
337 	if (uath_reset(sc) != 0) {
338 		printf("%s: could not initialize adapter\n",
339 		    sc->sc_dev.dv_xname);
340 		goto fail3;
341 	}
342 	if (uath_query_eeprom(sc) != 0) {
343 		printf("%s: could not read EEPROM\n", sc->sc_dev.dv_xname);
344 		goto fail3;
345 	}
346 
347 	printf("%s: MAC/BBP AR5523, RF AR%c112, address %s\n",
348 	    sc->sc_dev.dv_xname, (sc->sc_flags & UATH_FLAG_ABG) ? '5': '2',
349 	    ether_sprintf(ic->ic_myaddr));
350 
351 	/*
352 	 * Allocate xfers for Tx/Rx data pipes.
353 	 */
354 	if (uath_alloc_tx_data_list(sc) != 0) {
355 		printf("%s: could not allocate Tx data list\n",
356 		    sc->sc_dev.dv_xname);
357 		goto fail3;
358 	}
359 	if (uath_alloc_rx_data_list(sc) != 0) {
360 		printf("%s: could not allocate Rx data list\n",
361 		    sc->sc_dev.dv_xname);
362 		goto fail4;
363 	}
364 
365 	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
366 	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
367 	ic->ic_state = IEEE80211_S_INIT;
368 
369 	/* set device capabilities */
370 	ic->ic_caps =
371 	    IEEE80211_C_MONITOR |	/* monitor mode supported */
372 	    IEEE80211_C_TXPMGT |	/* tx power management */
373 	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
374 	    IEEE80211_C_SHSLOT |	/* short slot time supported */
375 	    IEEE80211_C_WEP;		/* h/w WEP */
376 
377 	/* set supported .11b and .11g rates */
378 	ic->ic_sup_rates[IEEE80211_MODE_11B] = ieee80211_std_rateset_11b;
379 	ic->ic_sup_rates[IEEE80211_MODE_11G] = ieee80211_std_rateset_11g;
380 
381 	/* set supported .11b and .11g channels (1 through 14) */
382 	for (i = 1; i <= 14; i++) {
383 		ic->ic_channels[i].ic_freq =
384 		    ieee80211_ieee2mhz(i, IEEE80211_CHAN_2GHZ);
385 		ic->ic_channels[i].ic_flags =
386 		    IEEE80211_CHAN_CCK | IEEE80211_CHAN_OFDM |
387 		    IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
388 	}
389 
390 	ifp->if_softc = sc;
391 	ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
392 	ifp->if_ioctl = uath_ioctl;
393 	ifp->if_start = uath_start;
394 	ifp->if_watchdog = uath_watchdog;
395 	IFQ_SET_READY(&ifp->if_snd);
396 	memcpy(ifp->if_xname, sc->sc_dev.dv_xname, IFNAMSIZ);
397 
398 	if_attach(ifp);
399 	ieee80211_ifattach(ifp);
400 
401 	/* override state transition machine */
402 	sc->sc_newstate = ic->ic_newstate;
403 	ic->ic_newstate = uath_newstate;
404 	ieee80211_media_init(ifp, uath_media_change, ieee80211_media_status);
405 
406 #if NBPFILTER > 0
407 	bpfattach(&sc->sc_drvbpf, ifp, DLT_IEEE802_11_RADIO,
408 	    sizeof (struct ieee80211_frame) + IEEE80211_RADIOTAP_HDRLEN);
409 
410 	sc->sc_rxtap_len = sizeof sc->sc_rxtapu;
411 	sc->sc_rxtap.wr_ihdr.it_len = htole16(sc->sc_rxtap_len);
412 	sc->sc_rxtap.wr_ihdr.it_present = htole32(UATH_RX_RADIOTAP_PRESENT);
413 
414 	sc->sc_txtap_len = sizeof sc->sc_txtapu;
415 	sc->sc_txtap.wt_ihdr.it_len = htole16(sc->sc_txtap_len);
416 	sc->sc_txtap.wt_ihdr.it_present = htole32(UATH_TX_RADIOTAP_PRESENT);
417 #endif
418 
419 	return;
420 
421 fail4:	uath_free_tx_data_list(sc);
422 fail3:	uath_free_rx_cmd_list(sc);
423 fail2:	uath_free_tx_cmd_list(sc);
424 fail1:	uath_close_pipes(sc);
425 	usbd_deactivate(sc->sc_udev);
426 }
427 
428 int
429 uath_detach(struct device *self, int flags)
430 {
431 	struct uath_softc *sc = (struct uath_softc *)self;
432 	struct ifnet *ifp = &sc->sc_ic.ic_if;
433 	int s;
434 
435 	s = splnet();
436 
437 	if (sc->sc_flags & UATH_FLAG_PRE_FIRMWARE) {
438 		uath_close_pipes(sc);
439 		splx(s);
440 		return 0;
441 	}
442 
443 	/* post-firmware device */
444 
445 	usb_rem_task(sc->sc_udev, &sc->sc_task);
446 	if (timeout_initialized(&sc->scan_to))
447 		timeout_del(&sc->scan_to);
448 	if (timeout_initialized(&sc->stat_to))
449 		timeout_del(&sc->stat_to);
450 
451 	/* abort and free xfers */
452 	uath_free_tx_data_list(sc);
453 	uath_free_rx_data_list(sc);
454 	uath_free_tx_cmd_list(sc);
455 	uath_free_rx_cmd_list(sc);
456 
457 	/* close Tx/Rx pipes */
458 	uath_close_pipes(sc);
459 
460 	if (ifp->if_softc != NULL) {
461 		ieee80211_ifdetach(ifp);	/* free all nodes */
462 		if_detach(ifp);
463 	}
464 
465 	splx(s);
466 
467 	return 0;
468 }
469 
470 int
471 uath_open_pipes(struct uath_softc *sc)
472 {
473 	int error;
474 
475 	/*
476 	 * XXX pipes numbers are hardcoded because we don't have any way
477 	 * to distinguish the data pipes from the firmware command pipes
478 	 * (both are bulk pipes) using the endpoints descriptors.
479 	 */
480 	error = usbd_open_pipe(sc->sc_iface, 0x01, USBD_EXCLUSIVE_USE,
481 	    &sc->cmd_tx_pipe);
482 	if (error != 0) {
483 		printf("%s: could not open Tx command pipe: %s\n",
484 		    sc->sc_dev.dv_xname, usbd_errstr(error));
485 		goto fail;
486 	}
487 
488 	error = usbd_open_pipe(sc->sc_iface, 0x02, USBD_EXCLUSIVE_USE,
489 	    &sc->data_tx_pipe);
490 	if (error != 0) {
491 		printf("%s: could not open Tx data pipe: %s\n",
492 		    sc->sc_dev.dv_xname, usbd_errstr(error));
493 		goto fail;
494 	}
495 
496 	error = usbd_open_pipe(sc->sc_iface, 0x81, USBD_EXCLUSIVE_USE,
497 	    &sc->cmd_rx_pipe);
498 	if (error != 0) {
499 		printf("%s: could not open Rx command pipe: %s\n",
500 		    sc->sc_dev.dv_xname, usbd_errstr(error));
501 		goto fail;
502 	}
503 
504 	error = usbd_open_pipe(sc->sc_iface, 0x82, USBD_EXCLUSIVE_USE,
505 	    &sc->data_rx_pipe);
506 	if (error != 0) {
507 		printf("%s: could not open Rx data pipe: %s\n",
508 		    sc->sc_dev.dv_xname, usbd_errstr(error));
509 		goto fail;
510 	}
511 
512 	return 0;
513 
514 fail:	uath_close_pipes(sc);
515 	return error;
516 }
517 
518 void
519 uath_close_pipes(struct uath_softc *sc)
520 {
521 	/* assumes no transfers are pending on the pipes */
522 
523 	if (sc->data_tx_pipe != NULL)
524 		usbd_close_pipe(sc->data_tx_pipe);
525 
526 	if (sc->data_rx_pipe != NULL)
527 		usbd_close_pipe(sc->data_rx_pipe);
528 
529 	if (sc->cmd_tx_pipe != NULL)
530 		usbd_close_pipe(sc->cmd_tx_pipe);
531 
532 	if (sc->cmd_rx_pipe != NULL)
533 		usbd_close_pipe(sc->cmd_rx_pipe);
534 }
535 
536 int
537 uath_alloc_tx_data_list(struct uath_softc *sc)
538 {
539 	int i, error;
540 
541 	for (i = 0; i < UATH_TX_DATA_LIST_COUNT; i++) {
542 		struct uath_tx_data *data = &sc->tx_data[i];
543 
544 		data->sc = sc;	/* backpointer for callbacks */
545 
546 		data->xfer = usbd_alloc_xfer(sc->sc_udev);
547 		if (data->xfer == NULL) {
548 			printf("%s: could not allocate xfer\n",
549 			    sc->sc_dev.dv_xname);
550 			error = ENOMEM;
551 			goto fail;
552 		}
553 		data->buf = usbd_alloc_buffer(data->xfer, UATH_MAX_TXBUFSZ);
554 		if (data->buf == NULL) {
555 			printf("%s: could not allocate xfer buffer\n",
556 			    sc->sc_dev.dv_xname);
557 			error = ENOMEM;
558 			goto fail;
559 		}
560 	}
561 	return 0;
562 
563 fail:	uath_free_tx_data_list(sc);
564 	return error;
565 }
566 
567 void
568 uath_free_tx_data_list(struct uath_softc *sc)
569 {
570 	int i;
571 
572 	/* make sure no transfers are pending */
573 	usbd_abort_pipe(sc->data_tx_pipe);
574 
575 	for (i = 0; i < UATH_TX_DATA_LIST_COUNT; i++)
576 		if (sc->tx_data[i].xfer != NULL)
577 			usbd_free_xfer(sc->tx_data[i].xfer);
578 }
579 
580 int
581 uath_alloc_rx_data_list(struct uath_softc *sc)
582 {
583 	int i, error;
584 
585 	for (i = 0; i < UATH_RX_DATA_LIST_COUNT; i++) {
586 		struct uath_rx_data *data = &sc->rx_data[i];
587 
588 		data->sc = sc;	/* backpointer for callbacks */
589 
590 		data->xfer = usbd_alloc_xfer(sc->sc_udev);
591 		if (data->xfer == NULL) {
592 			printf("%s: could not allocate xfer\n",
593 			    sc->sc_dev.dv_xname);
594 			error = ENOMEM;
595 			goto fail;
596 		}
597 		if (usbd_alloc_buffer(data->xfer, sc->rxbufsz) == NULL) {
598 			printf("%s: could not allocate xfer buffer\n",
599 			    sc->sc_dev.dv_xname);
600 			error = ENOMEM;
601 			goto fail;
602 		}
603 
604 		MGETHDR(data->m, M_DONTWAIT, MT_DATA);
605 		if (data->m == NULL) {
606 			printf("%s: could not allocate rx mbuf\n",
607 			    sc->sc_dev.dv_xname);
608 			error = ENOMEM;
609 			goto fail;
610 		}
611 		MCLGET(data->m, M_DONTWAIT);
612 		if (!(data->m->m_flags & M_EXT)) {
613 			printf("%s: could not allocate rx mbuf cluster\n",
614 			    sc->sc_dev.dv_xname);
615 			error = ENOMEM;
616 			goto fail;
617 		}
618 
619 		data->buf = mtod(data->m, uint8_t *);
620 	}
621 	return 0;
622 
623 fail:	uath_free_rx_data_list(sc);
624 	return error;
625 }
626 
627 void
628 uath_free_rx_data_list(struct uath_softc *sc)
629 {
630 	int i;
631 
632 	/* make sure no transfers are pending */
633 	usbd_abort_pipe(sc->data_rx_pipe);
634 
635 	for (i = 0; i < UATH_RX_DATA_LIST_COUNT; i++) {
636 		struct uath_rx_data *data = &sc->rx_data[i];
637 
638 		if (data->xfer != NULL)
639 			usbd_free_xfer(data->xfer);
640 
641 		if (data->m != NULL)
642 			m_freem(data->m);
643 	}
644 }
645 
646 int
647 uath_alloc_tx_cmd_list(struct uath_softc *sc)
648 {
649 	int i, error;
650 
651 	for (i = 0; i < UATH_TX_CMD_LIST_COUNT; i++) {
652 		struct uath_tx_cmd *cmd = &sc->tx_cmd[i];
653 
654 		cmd->sc = sc;	/* backpointer for callbacks */
655 
656 		cmd->xfer = usbd_alloc_xfer(sc->sc_udev);
657 		if (cmd->xfer == NULL) {
658 			printf("%s: could not allocate xfer\n",
659 			    sc->sc_dev.dv_xname);
660 			error = ENOMEM;
661 			goto fail;
662 		}
663 		cmd->buf = usbd_alloc_buffer(cmd->xfer, UATH_MAX_TXCMDSZ);
664 		if (cmd->buf == NULL) {
665 			printf("%s: could not allocate xfer buffer\n",
666 			    sc->sc_dev.dv_xname);
667 			error = ENOMEM;
668 			goto fail;
669 		}
670 	}
671 	return 0;
672 
673 fail:	uath_free_tx_cmd_list(sc);
674 	return error;
675 }
676 
677 void
678 uath_free_tx_cmd_list(struct uath_softc *sc)
679 {
680 	int i;
681 
682 	/* make sure no transfers are pending */
683 	usbd_abort_pipe(sc->cmd_tx_pipe);
684 
685 	for (i = 0; i < UATH_TX_CMD_LIST_COUNT; i++)
686 		if (sc->tx_cmd[i].xfer != NULL)
687 			usbd_free_xfer(sc->tx_cmd[i].xfer);
688 }
689 
690 int
691 uath_alloc_rx_cmd_list(struct uath_softc *sc)
692 {
693 	int i, error;
694 
695 	for (i = 0; i < UATH_RX_CMD_LIST_COUNT; i++) {
696 		struct uath_rx_cmd *cmd = &sc->rx_cmd[i];
697 
698 		cmd->sc = sc;	/* backpointer for callbacks */
699 
700 		cmd->xfer = usbd_alloc_xfer(sc->sc_udev);
701 		if (cmd->xfer == NULL) {
702 			printf("%s: could not allocate xfer\n",
703 			    sc->sc_dev.dv_xname);
704 			error = ENOMEM;
705 			goto fail;
706 		}
707 		cmd->buf = usbd_alloc_buffer(cmd->xfer, UATH_MAX_RXCMDSZ);
708 		if (cmd->buf == NULL) {
709 			printf("%s: could not allocate xfer buffer\n",
710 			    sc->sc_dev.dv_xname);
711 			error = ENOMEM;
712 			goto fail;
713 		}
714 	}
715 	return 0;
716 
717 fail:	uath_free_rx_cmd_list(sc);
718 	return error;
719 }
720 
721 void
722 uath_free_rx_cmd_list(struct uath_softc *sc)
723 {
724 	int i;
725 
726 	/* make sure no transfers are pending */
727 	usbd_abort_pipe(sc->cmd_rx_pipe);
728 
729 	for (i = 0; i < UATH_RX_CMD_LIST_COUNT; i++)
730 		if (sc->rx_cmd[i].xfer != NULL)
731 			usbd_free_xfer(sc->rx_cmd[i].xfer);
732 }
733 
734 int
735 uath_media_change(struct ifnet *ifp)
736 {
737 	int error;
738 
739 	error = ieee80211_media_change(ifp);
740 	if (error != ENETRESET)
741 		return error;
742 
743 	if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) == (IFF_UP | IFF_RUNNING))
744 		uath_init(ifp);
745 
746 	return 0;
747 }
748 
749 /*
750  * This function is called periodically (every second) when associated to
751  * query device statistics.
752  */
753 void
754 uath_stat(void *arg)
755 {
756 	struct uath_softc *sc = arg;
757 	int error;
758 
759 	/*
760 	 * Send request for statistics asynchronously. The timer will be
761 	 * restarted when we'll get the stats notification.
762 	 */
763 	error = uath_cmd_write(sc, UATH_CMD_STATS, NULL, 0,
764 	    UATH_CMD_FLAG_ASYNC);
765 	if (error != 0) {
766 		printf("%s: could not query statistics (error=%d)\n",
767 		    sc->sc_dev.dv_xname, error);
768 	}
769 }
770 
771 /*
772  * This function is called periodically (every 250ms) during scanning to
773  * switch from one channel to another.
774  */
775 void
776 uath_next_scan(void *arg)
777 {
778 	struct uath_softc *sc = arg;
779 	struct ieee80211com *ic = &sc->sc_ic;
780 	struct ifnet *ifp = &ic->ic_if;
781 
782 	if (ic->ic_state == IEEE80211_S_SCAN)
783 		ieee80211_next_scan(ifp);
784 }
785 
786 void
787 uath_task(void *arg)
788 {
789 	struct uath_softc *sc = arg;
790 	struct ieee80211com *ic = &sc->sc_ic;
791 	enum ieee80211_state ostate;
792 
793 	ostate = ic->ic_state;
794 
795 	switch (sc->sc_state) {
796 	case IEEE80211_S_INIT:
797 		if (ostate == IEEE80211_S_RUN) {
798 			/* turn link and activity LEDs off */
799 			(void)uath_set_led(sc, UATH_LED_LINK, 0);
800 			(void)uath_set_led(sc, UATH_LED_ACTIVITY, 0);
801 		}
802 		break;
803 
804 	case IEEE80211_S_SCAN:
805 		if (uath_switch_channel(sc, ic->ic_bss->ni_chan) != 0) {
806 			printf("%s: could not switch channel\n",
807 			    sc->sc_dev.dv_xname);
808 			break;
809 		}
810 		timeout_add_msec(&sc->scan_to, 250);
811 		break;
812 
813 	case IEEE80211_S_AUTH:
814 	{
815 		struct ieee80211_node *ni = ic->ic_bss;
816 		struct uath_cmd_bssid bssid;
817 		struct uath_cmd_0b cmd0b;
818 		struct uath_cmd_0c cmd0c;
819 
820 		if (uath_switch_channel(sc, ni->ni_chan) != 0) {
821 			printf("%s: could not switch channel\n",
822 			    sc->sc_dev.dv_xname);
823 			break;
824 		}
825 
826 		(void)uath_cmd_write(sc, UATH_CMD_24, NULL, 0, 0);
827 
828 		bzero(&bssid, sizeof bssid);
829 		bssid.len = htobe32(IEEE80211_ADDR_LEN);
830 		IEEE80211_ADDR_COPY(bssid.bssid, ni->ni_bssid);
831 		(void)uath_cmd_write(sc, UATH_CMD_SET_BSSID, &bssid,
832 		    sizeof bssid, 0);
833 
834 		bzero(&cmd0b, sizeof cmd0b);
835 		cmd0b.code = htobe32(2);
836 		cmd0b.size = htobe32(sizeof (cmd0b.data));
837 		(void)uath_cmd_write(sc, UATH_CMD_0B, &cmd0b, sizeof cmd0b, 0);
838 
839 		bzero(&cmd0c, sizeof cmd0c);
840 		cmd0c.magic1 = htobe32(2);
841 		cmd0c.magic2 = htobe32(7);
842 		cmd0c.magic3 = htobe32(1);
843 		(void)uath_cmd_write(sc, UATH_CMD_0C, &cmd0c, sizeof cmd0c, 0);
844 
845 		if (uath_set_rates(sc, &ni->ni_rates) != 0) {
846 			printf("%s: could not set negotiated rate set\n",
847 			    sc->sc_dev.dv_xname);
848 			break;
849 		}
850 		break;
851 	}
852 
853 	case IEEE80211_S_ASSOC:
854 		break;
855 
856 	case IEEE80211_S_RUN:
857 	{
858 		struct ieee80211_node *ni = ic->ic_bss;
859 		struct uath_cmd_bssid bssid;
860 		struct uath_cmd_xled xled;
861 		uint32_t val;
862 
863 		if (ic->ic_opmode == IEEE80211_M_MONITOR) {
864 			/* make both LEDs blink while monitoring */
865 			bzero(&xled, sizeof xled);
866 			xled.which = htobe32(0);
867 			xled.rate = htobe32(1);
868 			xled.mode = htobe32(2);
869 			(void)uath_cmd_write(sc, UATH_CMD_SET_XLED, &xled,
870 			    sizeof xled, 0);
871 			break;
872 		}
873 
874 		/*
875 		 * Tx rate is controlled by firmware, report the maximum
876 		 * negotiated rate in ifconfig output.
877 		 */
878 		ni->ni_txrate = ni->ni_rates.rs_nrates - 1;
879 
880 		val = htobe32(1);
881 		(void)uath_cmd_write(sc, UATH_CMD_2E, &val, sizeof val, 0);
882 
883 		bzero(&bssid, sizeof bssid);
884 		bssid.flags1 = htobe32(0xc004);
885 		bssid.flags2 = htobe32(0x003b);
886 		bssid.len = htobe32(IEEE80211_ADDR_LEN);
887 		IEEE80211_ADDR_COPY(bssid.bssid, ni->ni_bssid);
888 		(void)uath_cmd_write(sc, UATH_CMD_SET_BSSID, &bssid,
889 		    sizeof bssid, 0);
890 
891 		/* turn link LED on */
892 		(void)uath_set_led(sc, UATH_LED_LINK, 1);
893 
894 		/* make activity LED blink */
895 		bzero(&xled, sizeof xled);
896 		xled.which = htobe32(1);
897 		xled.rate = htobe32(1);
898 		xled.mode = htobe32(2);
899 		(void)uath_cmd_write(sc, UATH_CMD_SET_XLED, &xled, sizeof xled,
900 		    0);
901 
902 		/* set state to associated */
903 		val = htobe32(1);
904 		(void)uath_cmd_write(sc, UATH_CMD_SET_STATE, &val, sizeof val,
905 		    0);
906 
907 		/* start statistics timer */
908 		timeout_add_sec(&sc->stat_to, 1);
909 		break;
910 	}
911 	}
912 	sc->sc_newstate(ic, sc->sc_state, sc->sc_arg);
913 }
914 
915 int
916 uath_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, int arg)
917 {
918 	struct uath_softc *sc = ic->ic_softc;
919 
920 	usb_rem_task(sc->sc_udev, &sc->sc_task);
921 	timeout_del(&sc->scan_to);
922 	timeout_del(&sc->stat_to);
923 
924 	/* do it in a process context */
925 	sc->sc_state = nstate;
926 	sc->sc_arg = arg;
927 	usb_add_task(sc->sc_udev, &sc->sc_task);
928 	return 0;
929 }
930 
931 #ifdef UATH_DEBUG
932 void
933 uath_dump_cmd(const uint8_t *buf, int len, char prefix)
934 {
935 	int i;
936 
937 	for (i = 0; i < len; i++) {
938 		if ((i % 16) == 0)
939 			printf("\n%c ", prefix);
940 		else if ((i % 4) == 0)
941 			printf(" ");
942 		printf("%02x", buf[i]);
943 	}
944 	printf("\n");
945 }
946 #endif
947 
948 /*
949  * Low-level function to send read or write commands to the firmware.
950  */
951 int
952 uath_cmd(struct uath_softc *sc, uint32_t code, const void *idata, int ilen,
953     void *odata, int flags)
954 {
955 	struct uath_cmd_hdr *hdr;
956 	struct uath_tx_cmd *cmd;
957 	uint16_t xferflags;
958 	int s, xferlen, error;
959 
960 	/* grab a xfer */
961 	cmd = &sc->tx_cmd[sc->cmd_idx];
962 
963 	/* always bulk-out a multiple of 4 bytes */
964 	xferlen = (sizeof (struct uath_cmd_hdr) + ilen + 3) & ~3;
965 
966 	hdr = (struct uath_cmd_hdr *)cmd->buf;
967 	bzero(hdr, sizeof (struct uath_cmd_hdr));
968 	hdr->len   = htobe32(xferlen);
969 	hdr->code  = htobe32(code);
970 	hdr->priv  = sc->cmd_idx;	/* don't care about endianness */
971 	hdr->magic = htobe32((flags & UATH_CMD_FLAG_MAGIC) ? 1 << 24 : 0);
972 	bcopy(idata, (uint8_t *)(hdr + 1), ilen);
973 
974 #ifdef UATH_DEBUG
975 	if (uath_debug >= 5) {
976 		printf("sending command code=0x%02x flags=0x%x index=%u",
977 		    code, flags, sc->cmd_idx);
978 		uath_dump_cmd(cmd->buf, xferlen, '+');
979 	}
980 #endif
981 	xferflags = USBD_FORCE_SHORT_XFER | USBD_NO_COPY;
982 	if (!(flags & UATH_CMD_FLAG_READ)) {
983 		if (!(flags & UATH_CMD_FLAG_ASYNC))
984 			xferflags |= USBD_SYNCHRONOUS;
985 	} else
986 		s = splusb();
987 
988 	cmd->odata = odata;
989 
990 	usbd_setup_xfer(cmd->xfer, sc->cmd_tx_pipe, cmd, cmd->buf, xferlen,
991 	    xferflags, UATH_CMD_TIMEOUT, NULL);
992 	error = usbd_transfer(cmd->xfer);
993 	if (error != USBD_IN_PROGRESS && error != 0) {
994 		if (flags & UATH_CMD_FLAG_READ)
995 			splx(s);
996 		printf("%s: could not send command 0x%x (error=%s)\n",
997 		    sc->sc_dev.dv_xname, code, usbd_errstr(error));
998 		return error;
999 	}
1000 	sc->cmd_idx = (sc->cmd_idx + 1) % UATH_TX_CMD_LIST_COUNT;
1001 
1002 	if (!(flags & UATH_CMD_FLAG_READ))
1003 		return 0;	/* write: don't wait for reply */
1004 
1005 	/* wait at most two seconds for command reply */
1006 	error = tsleep(cmd, PCATCH, "uathcmd", 2 * hz);
1007 	cmd->odata = NULL;	/* in case answer is received too late */
1008 	splx(s);
1009 	if (error != 0) {
1010 		printf("%s: timeout waiting for command reply\n",
1011 		    sc->sc_dev.dv_xname);
1012 	}
1013 	return error;
1014 }
1015 
1016 int
1017 uath_cmd_write(struct uath_softc *sc, uint32_t code, const void *data, int len,
1018     int flags)
1019 {
1020 	flags &= ~UATH_CMD_FLAG_READ;
1021 	return uath_cmd(sc, code, data, len, NULL, flags);
1022 }
1023 
1024 int
1025 uath_cmd_read(struct uath_softc *sc, uint32_t code, const void *idata,
1026     int ilen, void *odata, int flags)
1027 {
1028 	flags |= UATH_CMD_FLAG_READ;
1029 	return uath_cmd(sc, code, idata, ilen, odata, flags);
1030 }
1031 
1032 int
1033 uath_write_reg(struct uath_softc *sc, uint32_t reg, uint32_t val)
1034 {
1035 	struct uath_write_mac write;
1036 	int error;
1037 
1038 	write.reg = htobe32(reg);
1039 	write.len = htobe32(0);	/* 0 = single write */
1040 	*(uint32_t *)write.data = htobe32(val);
1041 
1042 	error = uath_cmd_write(sc, UATH_CMD_WRITE_MAC, &write,
1043 	    3 * sizeof (uint32_t), 0);
1044 	if (error != 0) {
1045 		printf("%s: could not write register 0x%02x\n",
1046 		    sc->sc_dev.dv_xname, reg);
1047 	}
1048 	return error;
1049 }
1050 
1051 int
1052 uath_write_multi(struct uath_softc *sc, uint32_t reg, const void *data,
1053     int len)
1054 {
1055 	struct uath_write_mac write;
1056 	int error;
1057 
1058 	write.reg = htobe32(reg);
1059 	write.len = htobe32(len);
1060 	bcopy(data, write.data, len);
1061 
1062 	/* properly handle the case where len is zero (reset) */
1063 	error = uath_cmd_write(sc, UATH_CMD_WRITE_MAC, &write,
1064 	    (len == 0) ? sizeof (uint32_t) : 2 * sizeof (uint32_t) + len, 0);
1065 	if (error != 0) {
1066 		printf("%s: could not write %d bytes to register 0x%02x\n",
1067 		    sc->sc_dev.dv_xname, len, reg);
1068 	}
1069 	return error;
1070 }
1071 
1072 int
1073 uath_read_reg(struct uath_softc *sc, uint32_t reg, uint32_t *val)
1074 {
1075 	struct uath_read_mac read;
1076 	int error;
1077 
1078 	reg = htobe32(reg);
1079 	error = uath_cmd_read(sc, UATH_CMD_READ_MAC, &reg, sizeof reg, &read,
1080 	    0);
1081 	if (error != 0) {
1082 		printf("%s: could not read register 0x%02x\n",
1083 		    sc->sc_dev.dv_xname, betoh32(reg));
1084 		return error;
1085 	}
1086 	*val = betoh32(*(uint32_t *)read.data);
1087 	return error;
1088 }
1089 
1090 int
1091 uath_read_eeprom(struct uath_softc *sc, uint32_t reg, void *odata)
1092 {
1093 	struct uath_read_mac read;
1094 	int len, error;
1095 
1096 	reg = htobe32(reg);
1097 	error = uath_cmd_read(sc, UATH_CMD_READ_EEPROM, &reg, sizeof reg,
1098 	    &read, 0);
1099 	if (error != 0) {
1100 		printf("%s: could not read EEPROM offset 0x%02x\n",
1101 		    sc->sc_dev.dv_xname, betoh32(reg));
1102 		return error;
1103 	}
1104 	len = betoh32(read.len);
1105 	bcopy(read.data, odata, (len == 0) ? sizeof (uint32_t) : len);
1106 	return error;
1107 }
1108 
1109 void
1110 uath_cmd_rxeof(usbd_xfer_handle xfer, usbd_private_handle priv,
1111     usbd_status status)
1112 {
1113 	struct uath_rx_cmd *cmd = priv;
1114 	struct uath_softc *sc = cmd->sc;
1115 	struct uath_cmd_hdr *hdr;
1116 
1117 	if (status != USBD_NORMAL_COMPLETION) {
1118 		if (status == USBD_STALLED)
1119 			usbd_clear_endpoint_stall_async(sc->cmd_rx_pipe);
1120 		return;
1121 	}
1122 
1123 	hdr = (struct uath_cmd_hdr *)cmd->buf;
1124 
1125 #ifdef UATH_DEBUG
1126 	if (uath_debug >= 5) {
1127 		printf("received command code=0x%x index=%u len=%u",
1128 		    betoh32(hdr->code), hdr->priv, betoh32(hdr->len));
1129 		uath_dump_cmd(cmd->buf, betoh32(hdr->len), '-');
1130 	}
1131 #endif
1132 
1133 	switch (betoh32(hdr->code) & 0xff) {
1134 	/* reply to a read command */
1135 	default:
1136 	{
1137 		struct uath_tx_cmd *txcmd = &sc->tx_cmd[hdr->priv];
1138 
1139 		if (txcmd->odata != NULL) {
1140 			/* copy answer into caller's supplied buffer */
1141 			bcopy((uint8_t *)(hdr + 1), txcmd->odata,
1142 			    betoh32(hdr->len) - sizeof (struct uath_cmd_hdr));
1143 		}
1144 		wakeup(txcmd);	/* wake up caller */
1145 		break;
1146 	}
1147 	/* spontaneous firmware notifications */
1148 	case UATH_NOTIF_READY:
1149 		DPRINTF(("received device ready notification\n"));
1150 		wakeup(UATH_COND_INIT(sc));
1151 		break;
1152 
1153 	case UATH_NOTIF_TX:
1154 		/* this notification is sent when UATH_TX_NOTIFY is set */
1155 		DPRINTF(("received Tx notification\n"));
1156 		break;
1157 
1158 	case UATH_NOTIF_STATS:
1159 		DPRINTFN(2, ("received device statistics\n"));
1160 		timeout_add_sec(&sc->stat_to, 1);
1161 		break;
1162 	}
1163 
1164 	/* setup a new transfer */
1165 	usbd_setup_xfer(xfer, sc->cmd_rx_pipe, cmd, cmd->buf, UATH_MAX_RXCMDSZ,
1166 	    USBD_SHORT_XFER_OK | USBD_NO_COPY, USBD_NO_TIMEOUT,
1167 	    uath_cmd_rxeof);
1168 	(void)usbd_transfer(xfer);
1169 }
1170 
1171 void
1172 uath_data_rxeof(usbd_xfer_handle xfer, usbd_private_handle priv,
1173     usbd_status status)
1174 {
1175 	struct uath_rx_data *data = priv;
1176 	struct uath_softc *sc = data->sc;
1177 	struct ieee80211com *ic = &sc->sc_ic;
1178 	struct ifnet *ifp = &ic->ic_if;
1179 	struct ieee80211_frame *wh;
1180 	struct ieee80211_rxinfo rxi;
1181 	struct ieee80211_node *ni;
1182 	struct uath_rx_desc *desc;
1183 	struct mbuf *mnew, *m;
1184 	uint32_t hdr;
1185 	int s, len;
1186 
1187 	if (status != USBD_NORMAL_COMPLETION) {
1188 		if (status == USBD_NOT_STARTED || status == USBD_CANCELLED)
1189 			return;
1190 
1191 		if (status == USBD_STALLED)
1192 			usbd_clear_endpoint_stall_async(sc->data_rx_pipe);
1193 
1194 		ifp->if_ierrors++;
1195 		return;
1196 	}
1197 	usbd_get_xfer_status(xfer, NULL, NULL, &len, NULL);
1198 
1199 	if (len < UATH_MIN_RXBUFSZ) {
1200 		DPRINTF(("wrong xfer size (len=%d)\n", len));
1201 		ifp->if_ierrors++;
1202 		goto skip;
1203 	}
1204 
1205 	hdr = betoh32(*(uint32_t *)data->buf);
1206 
1207 	/* Rx descriptor is located at the end, 32-bit aligned */
1208 	desc = (struct uath_rx_desc *)
1209 	    (data->buf + len - sizeof (struct uath_rx_desc));
1210 
1211 	if (betoh32(desc->len) > sc->rxbufsz) {
1212 		DPRINTF(("bad descriptor (len=%d)\n", betoh32(desc->len)));
1213 		ifp->if_ierrors++;
1214 		goto skip;
1215 	}
1216 
1217 	/* there's probably a "bad CRC" flag somewhere in the descriptor.. */
1218 
1219 	MGETHDR(mnew, M_DONTWAIT, MT_DATA);
1220 	if (mnew == NULL) {
1221 		printf("%s: could not allocate rx mbuf\n",
1222 		    sc->sc_dev.dv_xname);
1223 		ifp->if_ierrors++;
1224 		goto skip;
1225 	}
1226 	MCLGET(mnew, M_DONTWAIT);
1227 	if (!(mnew->m_flags & M_EXT)) {
1228 		printf("%s: could not allocate rx mbuf cluster\n",
1229 		    sc->sc_dev.dv_xname);
1230 		m_freem(mnew);
1231 		ifp->if_ierrors++;
1232 		goto skip;
1233 	}
1234 
1235 	m = data->m;
1236 	data->m = mnew;
1237 
1238 	/* finalize mbuf */
1239 	m->m_pkthdr.rcvif = ifp;
1240 	m->m_data = data->buf + sizeof (uint32_t);
1241 	m->m_pkthdr.len = m->m_len = betoh32(desc->len) -
1242 	    sizeof (struct uath_rx_desc) - IEEE80211_CRC_LEN;
1243 
1244 	data->buf = mtod(data->m, uint8_t *);
1245 
1246 	wh = mtod(m, struct ieee80211_frame *);
1247 	rxi.rxi_flags = 0;
1248 	if ((wh->i_fc[1] & IEEE80211_FC1_WEP) &&
1249 	    ic->ic_opmode != IEEE80211_M_MONITOR) {
1250 		/*
1251 		 * Hardware decrypts the frame itself but leaves the WEP bit
1252 		 * set in the 802.11 header and doesn't remove the IV and CRC
1253 		 * fields.
1254 		 */
1255 		wh->i_fc[1] &= ~IEEE80211_FC1_WEP;
1256 		ovbcopy(wh, (caddr_t)wh + IEEE80211_WEP_IVLEN +
1257 		    IEEE80211_WEP_KIDLEN, sizeof (struct ieee80211_frame));
1258 		m_adj(m, IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN);
1259 		m_adj(m, -IEEE80211_WEP_CRCLEN);
1260 		wh = mtod(m, struct ieee80211_frame *);
1261 
1262 		rxi.rxi_flags |= IEEE80211_RXI_HWDEC;
1263 	}
1264 
1265 #if NBPFILTER > 0
1266 	/* there are a lot more fields in the Rx descriptor */
1267 	if (sc->sc_drvbpf != NULL) {
1268 		struct mbuf mb;
1269 		struct uath_rx_radiotap_header *tap = &sc->sc_rxtap;
1270 
1271 		tap->wr_flags = 0;
1272 		tap->wr_chan_freq = htole16(betoh32(desc->freq));
1273 		tap->wr_chan_flags = htole16(ic->ic_bss->ni_chan->ic_flags);
1274 		tap->wr_dbm_antsignal = (int8_t)betoh32(desc->rssi);
1275 
1276 		mb.m_data = (caddr_t)tap;
1277 		mb.m_len = sc->sc_rxtap_len;
1278 		mb.m_next = m;
1279 		mb.m_nextpkt = NULL;
1280 		mb.m_type = 0;
1281 		mb.m_flags = 0;
1282 		bpf_mtap(sc->sc_drvbpf, &mb, BPF_DIRECTION_IN);
1283 	}
1284 #endif
1285 
1286 	s = splnet();
1287 	ni = ieee80211_find_rxnode(ic, wh);
1288 	rxi.rxi_rssi = (int)betoh32(desc->rssi);
1289 	rxi.rxi_tstamp = 0;	/* unused */
1290 	ieee80211_input(ifp, m, ni, &rxi);
1291 
1292 	/* node is no longer needed */
1293 	ieee80211_release_node(ic, ni);
1294 	splx(s);
1295 
1296 skip:	/* setup a new transfer */
1297 	usbd_setup_xfer(xfer, sc->data_rx_pipe, data, data->buf, sc->rxbufsz,
1298 	    USBD_SHORT_XFER_OK, USBD_NO_TIMEOUT, uath_data_rxeof);
1299 	(void)usbd_transfer(data->xfer);
1300 }
1301 
1302 int
1303 uath_tx_null(struct uath_softc *sc)
1304 {
1305 	struct uath_tx_data *data;
1306 	struct uath_tx_desc *desc;
1307 
1308 	data = &sc->tx_data[sc->data_idx];
1309 
1310 	data->ni = NULL;
1311 
1312 	*(uint32_t *)data->buf = UATH_MAKECTL(1, sizeof (struct uath_tx_desc));
1313 	desc = (struct uath_tx_desc *)(data->buf + sizeof (uint32_t));
1314 
1315 	bzero(desc, sizeof (struct uath_tx_desc));
1316 	desc->len  = htobe32(sizeof (struct uath_tx_desc));
1317 	desc->type = htobe32(UATH_TX_NULL);
1318 
1319 	usbd_setup_xfer(data->xfer, sc->data_tx_pipe, data, data->buf,
1320 	    sizeof (uint32_t) + sizeof (struct uath_tx_desc), USBD_NO_COPY |
1321 	    USBD_FORCE_SHORT_XFER, UATH_DATA_TIMEOUT, NULL);
1322 	if (usbd_sync_transfer(data->xfer) != 0)
1323 		return EIO;
1324 
1325 	sc->data_idx = (sc->data_idx + 1) % UATH_TX_DATA_LIST_COUNT;
1326 
1327 	return uath_cmd_write(sc, UATH_CMD_0F, NULL, 0, UATH_CMD_FLAG_ASYNC);
1328 }
1329 
1330 void
1331 uath_data_txeof(usbd_xfer_handle xfer, usbd_private_handle priv,
1332     usbd_status status)
1333 {
1334 	struct uath_tx_data *data = priv;
1335 	struct uath_softc *sc = data->sc;
1336 	struct ieee80211com *ic = &sc->sc_ic;
1337 	struct ifnet *ifp = &ic->ic_if;
1338 	int s;
1339 
1340 	if (status != USBD_NORMAL_COMPLETION) {
1341 		if (status == USBD_NOT_STARTED || status == USBD_CANCELLED)
1342 			return;
1343 
1344 		printf("%s: could not transmit buffer: %s\n",
1345 		    sc->sc_dev.dv_xname, usbd_errstr(status));
1346 
1347 		if (status == USBD_STALLED)
1348 			usbd_clear_endpoint_stall_async(sc->data_tx_pipe);
1349 
1350 		ifp->if_oerrors++;
1351 		return;
1352 	}
1353 
1354 	s = splnet();
1355 
1356 	ieee80211_release_node(ic, data->ni);
1357 	data->ni = NULL;
1358 
1359 	sc->tx_queued--;
1360 	ifp->if_opackets++;
1361 
1362 	sc->sc_tx_timer = 0;
1363 	ifp->if_flags &= ~IFF_OACTIVE;
1364 	uath_start(ifp);
1365 
1366 	splx(s);
1367 }
1368 
1369 int
1370 uath_tx_data(struct uath_softc *sc, struct mbuf *m0, struct ieee80211_node *ni)
1371 {
1372 	struct ieee80211com *ic = &sc->sc_ic;
1373 	struct uath_tx_data *data;
1374 	struct uath_tx_desc *desc;
1375 	const struct ieee80211_frame *wh;
1376 	int paylen, totlen, xferlen, error;
1377 
1378 	data = &sc->tx_data[sc->data_idx];
1379 	desc = (struct uath_tx_desc *)(data->buf + sizeof (uint32_t));
1380 
1381 	data->ni = ni;
1382 
1383 #if NBPFILTER > 0
1384 	if (sc->sc_drvbpf != NULL) {
1385 		struct mbuf mb;
1386 		struct uath_tx_radiotap_header *tap = &sc->sc_txtap;
1387 
1388 		tap->wt_flags = 0;
1389 		tap->wt_chan_freq = htole16(ic->ic_bss->ni_chan->ic_freq);
1390 		tap->wt_chan_flags = htole16(ic->ic_bss->ni_chan->ic_flags);
1391 
1392 		mb.m_data = (caddr_t)tap;
1393 		mb.m_len = sc->sc_txtap_len;
1394 		mb.m_next = m0;
1395 		mb.m_nextpkt = NULL;
1396 		mb.m_type = 0;
1397 		mb.m_flags = 0;
1398 		bpf_mtap(sc->sc_drvbpf, &mb, BPF_DIRECTION_OUT);
1399 	}
1400 #endif
1401 
1402 	paylen = m0->m_pkthdr.len;
1403 	xferlen = sizeof (uint32_t) + sizeof (struct uath_tx_desc) + paylen;
1404 
1405 	wh = mtod(m0, struct ieee80211_frame *);
1406 	if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
1407 		uint8_t *frm = (uint8_t *)(desc + 1);
1408 		uint32_t iv;
1409 
1410 		/* h/w WEP: it's up to the host to fill the IV field */
1411 		bcopy(wh, frm, sizeof (struct ieee80211_frame));
1412 		frm += sizeof (struct ieee80211_frame);
1413 
1414 		/* insert IV: code copied from net80211 */
1415 		iv = (ic->ic_iv != 0) ? ic->ic_iv : arc4random();
1416 		if (iv >= 0x03ff00 && (iv & 0xf8ff00) == 0x00ff00)
1417 			iv += 0x000100;
1418 		ic->ic_iv = iv + 1;
1419 
1420 		*frm++ = iv & 0xff;
1421 		*frm++ = (iv >>  8) & 0xff;
1422 		*frm++ = (iv >> 16) & 0xff;
1423 		*frm++ = ic->ic_wep_txkey << 6;
1424 
1425 		m_copydata(m0, sizeof (struct ieee80211_frame),
1426 		    m0->m_pkthdr.len - sizeof (struct ieee80211_frame), frm);
1427 
1428 		paylen  += IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN;
1429 		xferlen += IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN;
1430 		totlen = xferlen + IEEE80211_WEP_CRCLEN;
1431 	} else {
1432 		m_copydata(m0, 0, m0->m_pkthdr.len, (uint8_t *)(desc + 1));
1433 		totlen = xferlen;
1434 	}
1435 
1436 	/* fill Tx descriptor */
1437 	*(uint32_t *)data->buf = UATH_MAKECTL(1, xferlen - sizeof (uint32_t));
1438 
1439 	desc->len    = htobe32(totlen);
1440 	desc->priv   = sc->data_idx;	/* don't care about endianness */
1441 	desc->paylen = htobe32(paylen);
1442 	desc->type   = htobe32(UATH_TX_DATA);
1443 	desc->flags  = htobe32(0);
1444 	if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
1445 		desc->dest  = htobe32(UATH_ID_BROADCAST);
1446 		desc->magic = htobe32(3);
1447 	} else {
1448 		desc->dest  = htobe32(UATH_ID_BSS);
1449 		desc->magic = htobe32(1);
1450 	}
1451 
1452 	m_freem(m0);	/* mbuf is no longer needed */
1453 
1454 #ifdef UATH_DEBUG
1455 	if (uath_debug >= 6) {
1456 		printf("sending frame index=%u len=%d xferlen=%d",
1457 		    sc->data_idx, paylen, xferlen);
1458 		uath_dump_cmd(data->buf, xferlen, '+');
1459 	}
1460 #endif
1461 	usbd_setup_xfer(data->xfer, sc->data_tx_pipe, data, data->buf, xferlen,
1462 	    USBD_FORCE_SHORT_XFER | USBD_NO_COPY, UATH_DATA_TIMEOUT,
1463 	    uath_data_txeof);
1464 	error = usbd_transfer(data->xfer);
1465 	if (error != USBD_IN_PROGRESS && error != 0) {
1466 		ic->ic_if.if_oerrors++;
1467 		return error;
1468 	}
1469 	sc->data_idx = (sc->data_idx + 1) % UATH_TX_DATA_LIST_COUNT;
1470 	sc->tx_queued++;
1471 
1472 	return 0;
1473 }
1474 
1475 void
1476 uath_start(struct ifnet *ifp)
1477 {
1478 	struct uath_softc *sc = ifp->if_softc;
1479 	struct ieee80211com *ic = &sc->sc_ic;
1480 	struct ieee80211_node *ni;
1481 	struct mbuf *m0;
1482 
1483 	/*
1484 	 * net80211 may still try to send management frames even if the
1485 	 * IFF_RUNNING flag is not set...
1486 	 */
1487 	if ((ifp->if_flags & (IFF_RUNNING | IFF_OACTIVE)) != IFF_RUNNING)
1488 		return;
1489 
1490 	for (;;) {
1491 		IF_POLL(&ic->ic_mgtq, m0);
1492 		if (m0 != NULL) {
1493 			if (sc->tx_queued >= UATH_TX_DATA_LIST_COUNT) {
1494 				ifp->if_flags |= IFF_OACTIVE;
1495 				break;
1496 			}
1497 			IF_DEQUEUE(&ic->ic_mgtq, m0);
1498 
1499 			ni = (struct ieee80211_node *)m0->m_pkthdr.rcvif;
1500 			m0->m_pkthdr.rcvif = NULL;
1501 #if NBPFILTER > 0
1502 			if (ic->ic_rawbpf != NULL)
1503 				bpf_mtap(ic->ic_rawbpf, m0, BPF_DIRECTION_OUT);
1504 #endif
1505 			if (uath_tx_data(sc, m0, ni) != 0)
1506 				break;
1507 		} else {
1508 			if (ic->ic_state != IEEE80211_S_RUN)
1509 				break;
1510 			IFQ_POLL(&ifp->if_snd, m0);
1511 			if (m0 == NULL)
1512 				break;
1513 			if (sc->tx_queued >= UATH_TX_DATA_LIST_COUNT) {
1514 				ifp->if_flags |= IFF_OACTIVE;
1515 				break;
1516 			}
1517 			IFQ_DEQUEUE(&ifp->if_snd, m0);
1518 #if NBPFILTER > 0
1519 			if (ifp->if_bpf != NULL)
1520 				bpf_mtap(ifp->if_bpf, m0, BPF_DIRECTION_OUT);
1521 #endif
1522 			m0 = ieee80211_encap(ifp, m0, &ni);
1523 			if (m0 == NULL)
1524 				continue;
1525 #if NBPFILTER > 0
1526 			if (ic->ic_rawbpf != NULL)
1527 				bpf_mtap(ic->ic_rawbpf, m0, BPF_DIRECTION_OUT);
1528 #endif
1529 			if (uath_tx_data(sc, m0, ni) != 0) {
1530 				if (ni != NULL)
1531 					ieee80211_release_node(ic, ni);
1532 				ifp->if_oerrors++;
1533 				break;
1534 			}
1535 		}
1536 
1537 		sc->sc_tx_timer = 5;
1538 		ifp->if_timer = 1;
1539 	}
1540 }
1541 
1542 void
1543 uath_watchdog(struct ifnet *ifp)
1544 {
1545 	struct uath_softc *sc = ifp->if_softc;
1546 
1547 	ifp->if_timer = 0;
1548 
1549 	if (sc->sc_tx_timer > 0) {
1550 		if (--sc->sc_tx_timer == 0) {
1551 			printf("%s: device timeout\n", sc->sc_dev.dv_xname);
1552 			/*uath_init(ifp); XXX needs a process context! */
1553 			ifp->if_oerrors++;
1554 			return;
1555 		}
1556 		ifp->if_timer = 1;
1557 	}
1558 
1559 	ieee80211_watchdog(ifp);
1560 }
1561 
1562 int
1563 uath_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
1564 {
1565 	struct uath_softc *sc = ifp->if_softc;
1566 	struct ieee80211com *ic = &sc->sc_ic;
1567 	struct ifaddr *ifa;
1568 	struct ifreq *ifr;
1569 	int s, error = 0;
1570 
1571 	s = splnet();
1572 
1573 	switch (cmd) {
1574 	case SIOCSIFADDR:
1575 		ifa = (struct ifaddr *)data;
1576 		ifp->if_flags |= IFF_UP;
1577 #ifdef INET
1578 		if (ifa->ifa_addr->sa_family == AF_INET)
1579 			arp_ifinit(&ic->ic_ac, ifa);
1580 #endif
1581 		/* FALLTHROUGH */
1582 	case SIOCSIFFLAGS:
1583 		if (ifp->if_flags & IFF_UP) {
1584 			if (!(ifp->if_flags & IFF_RUNNING))
1585 				uath_init(ifp);
1586 		} else {
1587 			if (ifp->if_flags & IFF_RUNNING)
1588 				uath_stop(ifp, 1);
1589 		}
1590 		break;
1591 
1592 	case SIOCADDMULTI:
1593 	case SIOCDELMULTI:
1594 		ifr = (struct ifreq *)data;
1595 		error = (cmd == SIOCADDMULTI) ?
1596 		    ether_addmulti(ifr, &ic->ic_ac) :
1597 		    ether_delmulti(ifr, &ic->ic_ac);
1598 		if (error == ENETRESET)
1599 			error = 0;
1600 		break;
1601 
1602 	default:
1603 		error = ieee80211_ioctl(ifp, cmd, data);
1604 	}
1605 
1606 	if (error == ENETRESET) {
1607 		if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) ==
1608 		    (IFF_UP | IFF_RUNNING))
1609 			uath_init(ifp);
1610 		error = 0;
1611 	}
1612 
1613 	splx(s);
1614 
1615 	return error;
1616 }
1617 
1618 int
1619 uath_query_eeprom(struct uath_softc *sc)
1620 {
1621 	uint32_t tmp;
1622 	int error;
1623 
1624 	/* retrieve MAC address */
1625 	error = uath_read_eeprom(sc, UATH_EEPROM_MACADDR, sc->sc_ic.ic_myaddr);
1626 	if (error != 0) {
1627 		printf("%s: could not read MAC address\n",
1628 		    sc->sc_dev.dv_xname);
1629 		return error;
1630 	}
1631 
1632 	/* retrieve the maximum frame size that the hardware can receive */
1633 	error = uath_read_eeprom(sc, UATH_EEPROM_RXBUFSZ, &tmp);
1634 	if (error != 0) {
1635 		printf("%s: could not read maximum Rx buffer size\n",
1636 		    sc->sc_dev.dv_xname);
1637 		return error;
1638 	}
1639 	sc->rxbufsz = betoh32(tmp) & 0xfff;
1640 	DPRINTF(("maximum Rx buffer size %d\n", sc->rxbufsz));
1641 	return 0;
1642 }
1643 
1644 int
1645 uath_reset(struct uath_softc *sc)
1646 {
1647 	struct uath_cmd_setup setup;
1648 	uint32_t reg, val;
1649 	int s, error;
1650 
1651 	/* init device with some voodoo incantations.. */
1652 	setup.magic1 = htobe32(1);
1653 	setup.magic2 = htobe32(5);
1654 	setup.magic3 = htobe32(200);
1655 	setup.magic4 = htobe32(27);
1656 	s = splusb();
1657 	error = uath_cmd_write(sc, UATH_CMD_SETUP, &setup, sizeof setup,
1658 	    UATH_CMD_FLAG_ASYNC);
1659 	/* ..and wait until firmware notifies us that it is ready */
1660 	if (error == 0)
1661 		error = tsleep(UATH_COND_INIT(sc), PCATCH, "uathinit", 5 * hz);
1662 	splx(s);
1663 	if (error != 0)
1664 		return error;
1665 
1666 	/* read PHY registers */
1667 	for (reg = 0x09; reg <= 0x24; reg++) {
1668 		if (reg == 0x0b || reg == 0x0c)
1669 			continue;
1670 		DELAY(100);
1671 		if ((error = uath_read_reg(sc, reg, &val)) != 0)
1672 			return error;
1673 		DPRINTFN(2, ("reg 0x%02x=0x%08x\n", reg, val));
1674 	}
1675 	return error;
1676 }
1677 
1678 int
1679 uath_reset_tx_queues(struct uath_softc *sc)
1680 {
1681 	int ac, error;
1682 
1683 	for (ac = 0; ac < 4; ac++) {
1684 		const uint32_t qid = htobe32(UATH_AC_TO_QID(ac));
1685 
1686 		DPRINTF(("resetting Tx queue %d\n", UATH_AC_TO_QID(ac)));
1687 		error = uath_cmd_write(sc, UATH_CMD_RESET_QUEUE, &qid,
1688 		    sizeof qid, 0);
1689 		if (error != 0)
1690 			break;
1691 	}
1692 	return error;
1693 }
1694 
1695 int
1696 uath_wme_init(struct uath_softc *sc)
1697 {
1698 	struct uath_qinfo qinfo;
1699 	int ac, error;
1700 	static const struct uath_wme_settings uath_wme_11g[4] = {
1701 		{ 7, 4, 10,  0, 0 },	/* Background */
1702 		{ 3, 4, 10,  0, 0 },	/* Best-Effort */
1703 		{ 3, 3,  4, 26, 0 },	/* Video */
1704 		{ 2, 2,  3, 47, 0 }	/* Voice */
1705 	};
1706 
1707 	bzero(&qinfo, sizeof qinfo);
1708 	qinfo.size   = htobe32(32);
1709 	qinfo.magic1 = htobe32(1);	/* XXX ack policy? */
1710 	qinfo.magic2 = htobe32(1);
1711 	for (ac = 0; ac < 4; ac++) {
1712 		qinfo.qid      = htobe32(UATH_AC_TO_QID(ac));
1713 		qinfo.ac       = htobe32(ac);
1714 		qinfo.aifsn    = htobe32(uath_wme_11g[ac].aifsn);
1715 		qinfo.logcwmin = htobe32(uath_wme_11g[ac].logcwmin);
1716 		qinfo.logcwmax = htobe32(uath_wme_11g[ac].logcwmax);
1717 		qinfo.txop     = htobe32(UATH_TXOP_TO_US(
1718 				     uath_wme_11g[ac].txop));
1719 		qinfo.acm      = htobe32(uath_wme_11g[ac].acm);
1720 
1721 		DPRINTF(("setting up Tx queue %d\n", UATH_AC_TO_QID(ac)));
1722 		error = uath_cmd_write(sc, UATH_CMD_SET_QUEUE, &qinfo,
1723 		    sizeof qinfo, 0);
1724 		if (error != 0)
1725 			break;
1726 	}
1727 	return error;
1728 }
1729 
1730 int
1731 uath_set_chan(struct uath_softc *sc, struct ieee80211_channel *c)
1732 {
1733 	struct uath_set_chan chan;
1734 
1735 	bzero(&chan, sizeof chan);
1736 	chan.flags  = htobe32(0x1400);
1737 	chan.freq   = htobe32(c->ic_freq);
1738 	chan.magic1 = htobe32(20);
1739 	chan.magic2 = htobe32(50);
1740 	chan.magic3 = htobe32(1);
1741 
1742 	DPRINTF(("switching to channel %d\n",
1743 	    ieee80211_chan2ieee(&sc->sc_ic, c)));
1744 	return uath_cmd_write(sc, UATH_CMD_SET_CHAN, &chan, sizeof chan, 0);
1745 }
1746 
1747 int
1748 uath_set_key(struct uath_softc *sc, const struct ieee80211_key *k, int index)
1749 {
1750 	struct uath_cmd_crypto crypto;
1751 	int i;
1752 
1753 	bzero(&crypto, sizeof crypto);
1754 	crypto.keyidx = htobe32(index);
1755 	crypto.magic1 = htobe32(1);
1756 	crypto.size   = htobe32(368);
1757 	crypto.mask   = htobe32(0xffff);
1758 	crypto.flags  = htobe32(0x80000068);
1759 	if (index != UATH_DEFAULT_KEY)
1760 		crypto.flags |= htobe32(index << 16);
1761 	memset(crypto.magic2, 0xff, sizeof crypto.magic2);
1762 
1763 	/*
1764 	 * Each byte of the key must be XOR'ed with 10101010 before being
1765 	 * transmitted to the firmware.
1766 	 */
1767 	for (i = 0; i < k->k_len; i++)
1768 		crypto.key[i] = k->k_key[i] ^ 0xaa;
1769 
1770 	DPRINTF(("setting crypto key index=%d len=%d\n", index, k->k_len));
1771 	return uath_cmd_write(sc, UATH_CMD_CRYPTO, &crypto, sizeof crypto, 0);
1772 }
1773 
1774 int
1775 uath_set_keys(struct uath_softc *sc)
1776 {
1777 	const struct ieee80211com *ic = &sc->sc_ic;
1778 	int i, error;
1779 
1780 	for (i = 0; i < IEEE80211_WEP_NKID; i++) {
1781 		const struct ieee80211_key *k = &ic->ic_nw_keys[i];
1782 
1783 		if (k->k_len > 0 && (error = uath_set_key(sc, k, i)) != 0)
1784 			return error;
1785 	}
1786 	return uath_set_key(sc, &ic->ic_nw_keys[ic->ic_wep_txkey],
1787 	    UATH_DEFAULT_KEY);
1788 }
1789 
1790 int
1791 uath_set_rates(struct uath_softc *sc, const struct ieee80211_rateset *rs)
1792 {
1793 	struct uath_cmd_rates rates;
1794 
1795 	bzero(&rates, sizeof rates);
1796 	rates.magic1 = htobe32(0x02);
1797 	rates.size   = htobe32(1 + sizeof rates.rates);
1798 	rates.nrates = rs->rs_nrates;
1799 	bcopy(rs->rs_rates, rates.rates, rs->rs_nrates);
1800 
1801 	DPRINTF(("setting supported rates nrates=%d\n", rs->rs_nrates));
1802 	return uath_cmd_write(sc, UATH_CMD_SET_RATES, &rates, sizeof rates, 0);
1803 }
1804 
1805 int
1806 uath_set_rxfilter(struct uath_softc *sc, uint32_t filter, uint32_t flags)
1807 {
1808 	struct uath_cmd_filter rxfilter;
1809 
1810 	rxfilter.filter = htobe32(filter);
1811 	rxfilter.flags  = htobe32(flags);
1812 
1813 	DPRINTF(("setting Rx filter=0x%x flags=0x%x\n", filter, flags));
1814 	return uath_cmd_write(sc, UATH_CMD_SET_FILTER, &rxfilter,
1815 	    sizeof rxfilter, 0);
1816 }
1817 
1818 int
1819 uath_set_led(struct uath_softc *sc, int which, int on)
1820 {
1821 	struct uath_cmd_led led;
1822 
1823 	led.which = htobe32(which);
1824 	led.state = htobe32(on ? UATH_LED_ON : UATH_LED_OFF);
1825 
1826 	DPRINTFN(2, ("switching %s led %s\n",
1827 	    (which == UATH_LED_LINK) ? "link" : "activity",
1828 	    on ? "on" : "off"));
1829 	return uath_cmd_write(sc, UATH_CMD_SET_LED, &led, sizeof led, 0);
1830 }
1831 
1832 int
1833 uath_switch_channel(struct uath_softc *sc, struct ieee80211_channel *c)
1834 {
1835 	uint32_t val;
1836 	int error;
1837 
1838 	/* set radio frequency */
1839 	if ((error = uath_set_chan(sc, c)) != 0) {
1840 		printf("%s: could not set channel\n", sc->sc_dev.dv_xname);
1841 		return error;
1842 	}
1843 
1844 	/* reset Tx rings */
1845 	if ((error = uath_reset_tx_queues(sc)) != 0) {
1846 		printf("%s: could not reset Tx queues\n",
1847 		    sc->sc_dev.dv_xname);
1848 		return error;
1849 	}
1850 
1851 	/* set Tx rings WME properties */
1852 	if ((error = uath_wme_init(sc)) != 0) {
1853 		printf("%s: could not init Tx queues\n",
1854 		    sc->sc_dev.dv_xname);
1855 		return error;
1856 	}
1857 
1858 	val = htobe32(0);
1859 	error = uath_cmd_write(sc, UATH_CMD_SET_STATE, &val, sizeof val, 0);
1860 	if (error != 0) {
1861 		printf("%s: could not set state\n", sc->sc_dev.dv_xname);
1862 		return error;
1863 	}
1864 
1865 	return uath_tx_null(sc);
1866 }
1867 
1868 int
1869 uath_init(struct ifnet *ifp)
1870 {
1871 	struct uath_softc *sc = ifp->if_softc;
1872 	struct ieee80211com *ic = &sc->sc_ic;
1873 	struct uath_cmd_31 cmd31;
1874 	uint32_t val;
1875 	int i, error;
1876 
1877 	/* reset data and command rings */
1878 	sc->tx_queued = sc->data_idx = sc->cmd_idx = 0;
1879 
1880 	val = htobe32(0);
1881 	(void)uath_cmd_write(sc, UATH_CMD_02, &val, sizeof val, 0);
1882 
1883 	/* set MAC address */
1884 	IEEE80211_ADDR_COPY(ic->ic_myaddr, LLADDR(ifp->if_sadl));
1885 	(void)uath_write_multi(sc, 0x13, ic->ic_myaddr, IEEE80211_ADDR_LEN);
1886 
1887 	(void)uath_write_reg(sc, 0x02, 0x00000001);
1888 	(void)uath_write_reg(sc, 0x0e, 0x0000003f);
1889 	(void)uath_write_reg(sc, 0x10, 0x00000001);
1890 	(void)uath_write_reg(sc, 0x06, 0x0000001e);
1891 
1892 	/*
1893 	 * Queue Rx data xfers.
1894 	 */
1895 	for (i = 0; i < UATH_RX_DATA_LIST_COUNT; i++) {
1896 		struct uath_rx_data *data = &sc->rx_data[i];
1897 
1898 		usbd_setup_xfer(data->xfer, sc->data_rx_pipe, data, data->buf,
1899 		    sc->rxbufsz, USBD_SHORT_XFER_OK, USBD_NO_TIMEOUT,
1900 		    uath_data_rxeof);
1901 		error = usbd_transfer(data->xfer);
1902 		if (error != USBD_IN_PROGRESS && error != 0) {
1903 			printf("%s: could not queue Rx transfer\n",
1904 			    sc->sc_dev.dv_xname);
1905 			goto fail;
1906 		}
1907 	}
1908 
1909 	error = uath_cmd_read(sc, UATH_CMD_07, NULL, 0, &val,
1910 	    UATH_CMD_FLAG_MAGIC);
1911 	if (error != 0) {
1912 		printf("%s: could not send read command 07h\n",
1913 		    sc->sc_dev.dv_xname);
1914 		goto fail;
1915 	}
1916 	DPRINTF(("command 07h return code: %x\n", betoh32(val)));
1917 
1918 	/* set default channel */
1919 	ic->ic_bss->ni_chan = ic->ic_ibss_chan;
1920 	if ((error = uath_set_chan(sc, ic->ic_bss->ni_chan)) != 0) {
1921 		printf("%s: could not set channel\n", sc->sc_dev.dv_xname);
1922 		goto fail;
1923 	}
1924 
1925 	if ((error = uath_wme_init(sc)) != 0) {
1926 		printf("%s: could not setup WME parameters\n",
1927 		    sc->sc_dev.dv_xname);
1928 		goto fail;
1929 	}
1930 
1931 	/* init MAC registers */
1932 	(void)uath_write_reg(sc, 0x19, 0x00000000);
1933 	(void)uath_write_reg(sc, 0x1a, 0x0000003c);
1934 	(void)uath_write_reg(sc, 0x1b, 0x0000003c);
1935 	(void)uath_write_reg(sc, 0x1c, 0x00000000);
1936 	(void)uath_write_reg(sc, 0x1e, 0x00000000);
1937 	(void)uath_write_reg(sc, 0x1f, 0x00000003);
1938 	(void)uath_write_reg(sc, 0x0c, 0x00000000);
1939 	(void)uath_write_reg(sc, 0x0f, 0x00000002);
1940 	(void)uath_write_reg(sc, 0x0a, 0x00000007);	/* XXX retry? */
1941 	(void)uath_write_reg(sc, 0x09, ic->ic_rtsthreshold);
1942 
1943 	val = htobe32(4);
1944 	(void)uath_cmd_write(sc, UATH_CMD_27, &val, sizeof val, 0);
1945 	(void)uath_cmd_write(sc, UATH_CMD_27, &val, sizeof val, 0);
1946 	(void)uath_cmd_write(sc, UATH_CMD_1B, NULL, 0, 0);
1947 
1948 	if ((error = uath_set_keys(sc)) != 0) {
1949 		printf("%s: could not set crypto keys\n",
1950 		    sc->sc_dev.dv_xname);
1951 		goto fail;
1952 	}
1953 
1954 	/* enable Rx */
1955 	(void)uath_set_rxfilter(sc, 0x0000, 4);
1956 	(void)uath_set_rxfilter(sc, 0x0817, 1);
1957 
1958 	cmd31.magic1 = htobe32(0xffffffff);
1959 	cmd31.magic2 = htobe32(0xffffffff);
1960 	(void)uath_cmd_write(sc, UATH_CMD_31, &cmd31, sizeof cmd31, 0);
1961 
1962 	ifp->if_flags &= ~IFF_OACTIVE;
1963 	ifp->if_flags |= IFF_RUNNING;
1964 
1965 	if (ic->ic_opmode == IEEE80211_M_MONITOR)
1966 		ieee80211_new_state(ic, IEEE80211_S_RUN, -1);
1967 	else
1968 		ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
1969 
1970 	return 0;
1971 
1972 fail:	uath_stop(ifp, 1);
1973 	return error;
1974 }
1975 
1976 void
1977 uath_stop(struct ifnet *ifp, int disable)
1978 {
1979 	struct uath_softc *sc = ifp->if_softc;
1980 	struct ieee80211com *ic = &sc->sc_ic;
1981 	uint32_t val;
1982 	int s;
1983 
1984 	s = splusb();
1985 
1986 	sc->sc_tx_timer = 0;
1987 	ifp->if_timer = 0;
1988 	ifp->if_flags &= ~(IFF_RUNNING | IFF_OACTIVE);
1989 
1990 	ieee80211_new_state(ic, IEEE80211_S_INIT, -1);	/* free all nodes */
1991 
1992 	val = htobe32(0);
1993 	(void)uath_cmd_write(sc, UATH_CMD_SET_STATE, &val, sizeof val, 0);
1994 	(void)uath_cmd_write(sc, UATH_CMD_RESET, NULL, 0, 0);
1995 
1996 	val = htobe32(0);
1997 	(void)uath_cmd_write(sc, UATH_CMD_15, &val, sizeof val, 0);
1998 
1999 #if 0
2000 	(void)uath_cmd_read(sc, UATH_CMD_SHUTDOWN, NULL, 0, NULL,
2001 	    UATH_CMD_FLAG_MAGIC);
2002 #endif
2003 
2004 	/* abort any pending transfers */
2005 	usbd_abort_pipe(sc->data_tx_pipe);
2006 	usbd_abort_pipe(sc->data_rx_pipe);
2007 	usbd_abort_pipe(sc->cmd_tx_pipe);
2008 
2009 	splx(s);
2010 }
2011 
2012 /*
2013  * Load the MIPS R4000 microcode into the device.  Once the image is loaded,
2014  * the device will detach itself from the bus and reattach later with a new
2015  * product Id (a la ezusb).  XXX this could also be implemented in userland
2016  * through /dev/ugen.
2017  */
2018 int
2019 uath_loadfirmware(struct uath_softc *sc, const u_char *fw, int len)
2020 {
2021 	usbd_xfer_handle ctlxfer, txxfer, rxxfer;
2022 	struct uath_fwblock *txblock, *rxblock;
2023 	uint8_t *txdata;
2024 	int error = 0;
2025 
2026 	if ((ctlxfer = usbd_alloc_xfer(sc->sc_udev)) == NULL) {
2027 		printf("%s: could not allocate Tx control xfer\n",
2028 		    sc->sc_dev.dv_xname);
2029 		error = USBD_NOMEM;
2030 		goto fail1;
2031 	}
2032 	txblock = usbd_alloc_buffer(ctlxfer, sizeof (struct uath_fwblock));
2033 	if (txblock == NULL) {
2034 		printf("%s: could not allocate Tx control block\n",
2035 		    sc->sc_dev.dv_xname);
2036 		error = USBD_NOMEM;
2037 		goto fail2;
2038 	}
2039 
2040 	if ((txxfer = usbd_alloc_xfer(sc->sc_udev)) == NULL) {
2041 		printf("%s: could not allocate Tx xfer\n",
2042 		    sc->sc_dev.dv_xname);
2043 		error = USBD_NOMEM;
2044 		goto fail2;
2045 	}
2046 	txdata = usbd_alloc_buffer(txxfer, UATH_MAX_FWBLOCK_SIZE);
2047 	if (txdata == NULL) {
2048 		printf("%s: could not allocate Tx buffer\n",
2049 		    sc->sc_dev.dv_xname);
2050 		error = USBD_NOMEM;
2051 		goto fail3;
2052 	}
2053 
2054 	if ((rxxfer = usbd_alloc_xfer(sc->sc_udev)) == NULL) {
2055 		printf("%s: could not allocate Rx control xfer\n",
2056 		    sc->sc_dev.dv_xname);
2057 		error = USBD_NOMEM;
2058 		goto fail3;
2059 	}
2060 	rxblock = usbd_alloc_buffer(rxxfer, sizeof (struct uath_fwblock));
2061 	if (rxblock == NULL) {
2062 		printf("%s: could not allocate Rx control block\n",
2063 		    sc->sc_dev.dv_xname);
2064 		error = USBD_NOMEM;
2065 		goto fail4;
2066 	}
2067 
2068 	bzero(txblock, sizeof (struct uath_fwblock));
2069 	txblock->flags = htobe32(UATH_WRITE_BLOCK);
2070 	txblock->total = htobe32(len);
2071 
2072 	while (len > 0) {
2073 		int mlen = min(len, UATH_MAX_FWBLOCK_SIZE);
2074 
2075 		txblock->remain = htobe32(len - mlen);
2076 		txblock->len = htobe32(mlen);
2077 
2078 		DPRINTF(("sending firmware block: %d bytes remaining\n",
2079 		    len - mlen));
2080 
2081 		/* send firmware block meta-data */
2082 		usbd_setup_xfer(ctlxfer, sc->cmd_tx_pipe, sc, txblock,
2083 		    sizeof (struct uath_fwblock), USBD_NO_COPY,
2084 		    UATH_CMD_TIMEOUT, NULL);
2085 		if ((error = usbd_sync_transfer(ctlxfer)) != 0) {
2086 			printf("%s: could not send firmware block info\n",
2087 			    sc->sc_dev.dv_xname);
2088 			break;
2089 		}
2090 
2091 		/* send firmware block data */
2092 		bcopy(fw, txdata, mlen);
2093 		usbd_setup_xfer(txxfer, sc->data_tx_pipe, sc, txdata, mlen,
2094 		    USBD_NO_COPY, UATH_DATA_TIMEOUT, NULL);
2095 		if ((error = usbd_sync_transfer(txxfer)) != 0) {
2096 			printf("%s: could not send firmware block data\n",
2097 			    sc->sc_dev.dv_xname);
2098 			break;
2099 		}
2100 
2101 		/* wait for ack from firmware */
2102 		usbd_setup_xfer(rxxfer, sc->cmd_rx_pipe, sc, rxblock,
2103 		    sizeof (struct uath_fwblock), USBD_SHORT_XFER_OK |
2104 		    USBD_NO_COPY, UATH_CMD_TIMEOUT, NULL);
2105 		if ((error = usbd_sync_transfer(rxxfer)) != 0) {
2106 			printf("%s: could not read firmware answer\n",
2107 			    sc->sc_dev.dv_xname);
2108 			break;
2109 		}
2110 
2111 		DPRINTFN(2, ("rxblock flags=0x%x total=%d\n",
2112 		    betoh32(rxblock->flags), betoh32(rxblock->rxtotal)));
2113 		fw += mlen;
2114 		len -= mlen;
2115 	}
2116 
2117 fail4:	usbd_free_xfer(rxxfer);
2118 fail3:	usbd_free_xfer(txxfer);
2119 fail2:	usbd_free_xfer(ctlxfer);
2120 fail1:	return error;
2121 }
2122 
2123 int
2124 uath_activate(struct device *self, int act)
2125 {
2126 	struct uath_softc *sc = (struct uath_softc *)self;
2127 
2128 	switch (act) {
2129 	case DVACT_DEACTIVATE:
2130 		usbd_deactivate(sc->sc_udev);
2131 		break;
2132 	}
2133 	return 0;
2134 }
2135