From 5a1926bb416fa4e5a38fa10b9ac3da04ce9f3f72 Mon Sep 17 00:00:00 2001 From: Jorge Suarez de Lis Date: Tue, 17 Aug 2010 19:36:56 +0100 Subject: [PATCH] Add (disabled) UPEK EikonII (TCRD4C) driver The device driver is always disabled as it uses the same Device ID as another working reader: https://bugzilla.redhat.com/show_bug.cgi?id=504399#c38 --- configure.ac | 8 +- libfprint/Makefile.am | 5 + libfprint/core.c | 3 + libfprint/drivers/upeke2.c | 1462 ++++++++++++++++++++++++++++++++++++ libfprint/fp_internal.h | 3 + 5 files changed, 1480 insertions(+), 1 deletion(-) create mode 100644 libfprint/drivers/upeke2.c diff --git a/configure.ac b/configure.ac index a892a967..d48e95d6 100644 --- a/configure.ac +++ b/configure.ac @@ -19,10 +19,11 @@ AC_SUBST(lt_major) AC_SUBST(lt_revision) AC_SUBST(lt_age) -all_drivers="upekts upektc upeksonly vcom5s uru4000 fdu2000 aes1610 aes2501 aes4000" +all_drivers="upeke2 upekts upektc upeksonly vcom5s uru4000 fdu2000 aes1610 aes2501 aes4000" require_imaging='no' require_aeslib='no' +enable_upeke2='no' enable_upekts='no' enable_upektc='no' enable_upeksonly='no' @@ -44,6 +45,10 @@ for driver in `echo ${drivers} | sed -e 's/,/ /g' -e 's/,$//g'`; do AC_DEFINE([ENABLE_UPEKTS], [], [Build UPEK TouchStrip driver]) enable_upekts="yes" ;; + upeke2) + AC_DEFINE([ENABLE_UPEKE2], [], [Build UPEK Eikon 2]) + enable_upeke2="yes" + ;; upektc) AC_DEFINE([ENABLE_UPEKTC], [], [Build UPEK TouchChip driver]) enable_upektc="yes" @@ -84,6 +89,7 @@ for driver in `echo ${drivers} | sed -e 's/,/ /g' -e 's/,$//g'`; do done AM_CONDITIONAL([ENABLE_UPEKTS], [test "$enable_upekts" != "no"]) +AM_CONDITIONAL([ENABLE_UPEKE2], [test "$enable_upeke2" != "no"]) #AM_CONDITIONAL([ENABLE_UPEKTC], [test "$enable_upektc" != "no"]) AM_CONDITIONAL([ENABLE_UPEKSONLY], [test "$enable_upeksonly" != "no"]) AM_CONDITIONAL([ENABLE_VCOM5S], [test "$enable_vcom5s" != "no"]) diff --git a/libfprint/Makefile.am b/libfprint/Makefile.am index 83167968..431f66cb 100644 --- a/libfprint/Makefile.am +++ b/libfprint/Makefile.am @@ -2,6 +2,7 @@ lib_LTLIBRARIES = libfprint.la noinst_PROGRAMS = fprint-list-hal-info fprint-list-udev-rules MOSTLYCLEANFILES = $(hal_fdi_DATA) $(udev_rules_DATA) +UPEKE2_SRC = drivers/upeke2.c UPEKTS_SRC = drivers/upekts.c UPEKTC_SRC = drivers/upektc.c UPEKSONLY_SRC = drivers/upeksonly.c @@ -76,6 +77,10 @@ udev_rulesdir = $(sysconfdir)/udev/rules.d/ $(udev_rules_DATA): fprint-list-udev-rules $(builddir)/fprint-list-udev-rules > $@ +if ENABLE_UPEKE2 +DRIVER_SRC += $(UPEKE2_SRC) +endif + if ENABLE_UPEKTS DRIVER_SRC += $(UPEKTS_SRC) endif diff --git a/libfprint/core.c b/libfprint/core.c index 724d5e59..af97bdf5 100644 --- a/libfprint/core.c +++ b/libfprint/core.c @@ -343,6 +343,9 @@ static struct fp_driver * const primitive_drivers[] = { #ifdef ENABLE_UPEKTS &upekts_driver, #endif +#ifdef ENABLE_UPEKE2 + &upeke2_driver, +#endif }; static struct fp_img_driver * const img_drivers[] = { diff --git a/libfprint/drivers/upeke2.c b/libfprint/drivers/upeke2.c new file mode 100644 index 00000000..4139fc5d --- /dev/null +++ b/libfprint/drivers/upeke2.c @@ -0,0 +1,1462 @@ +/* + * Copyright (C) 2010 Jorge Suarez de Lis + * + * Heavily based on UPEK TouchStrip driver for libfprint + * Copyright (C) 2007-2008 Daniel Drake + * + * Based in part on libthinkfinger: + * Copyright (C) 2006-2007 Timo Hoenig + * Copyright (C) 2006 Pavel Machek + * + * LGPL CRC code copied from GStreamer-0.10.10: + * Copyright (C) <1999> Erik Walthinsen + * Copyright (C) 2004,2006 Thomas Vander Stichele + + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; version + * 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#define FP_COMPONENT "upeke2" + +#include +#include + +#include +#include + +#include + +#define EP_IN (1 | LIBUSB_ENDPOINT_IN) +#define EP_OUT (2 | LIBUSB_ENDPOINT_OUT) +#define TIMEOUT 5000 + +#define MSG_READ_BUF_SIZE 0x40 +#define MAX_DATA_IN_READ_BUF (MSG_READ_BUF_SIZE - 9) + +struct upeke2_dev { + gboolean enroll_passed; + gboolean first_verify_iteration; + gboolean stop_verify; + uint8_t seq; /* FIXME: improve/automate seq handling */ +}; + +static const uint16_t crc_table[256] = { + 0x0000, 0x1021, 0x2042, 0x3063, 0x4084, 0x50a5, 0x60c6, 0x70e7, + 0x8108, 0x9129, 0xa14a, 0xb16b, 0xc18c, 0xd1ad, 0xe1ce, 0xf1ef, + 0x1231, 0x0210, 0x3273, 0x2252, 0x52b5, 0x4294, 0x72f7, 0x62d6, + 0x9339, 0x8318, 0xb37b, 0xa35a, 0xd3bd, 0xc39c, 0xf3ff, 0xe3de, + 0x2462, 0x3443, 0x0420, 0x1401, 0x64e6, 0x74c7, 0x44a4, 0x5485, + 0xa56a, 0xb54b, 0x8528, 0x9509, 0xe5ee, 0xf5cf, 0xc5ac, 0xd58d, + 0x3653, 0x2672, 0x1611, 0x0630, 0x76d7, 0x66f6, 0x5695, 0x46b4, + 0xb75b, 0xa77a, 0x9719, 0x8738, 0xf7df, 0xe7fe, 0xd79d, 0xc7bc, + 0x48c4, 0x58e5, 0x6886, 0x78a7, 0x0840, 0x1861, 0x2802, 0x3823, + 0xc9cc, 0xd9ed, 0xe98e, 0xf9af, 0x8948, 0x9969, 0xa90a, 0xb92b, + 0x5af5, 0x4ad4, 0x7ab7, 0x6a96, 0x1a71, 0x0a50, 0x3a33, 0x2a12, + 0xdbfd, 0xcbdc, 0xfbbf, 0xeb9e, 0x9b79, 0x8b58, 0xbb3b, 0xab1a, + 0x6ca6, 0x7c87, 0x4ce4, 0x5cc5, 0x2c22, 0x3c03, 0x0c60, 0x1c41, + 0xedae, 0xfd8f, 0xcdec, 0xddcd, 0xad2a, 0xbd0b, 0x8d68, 0x9d49, + 0x7e97, 0x6eb6, 0x5ed5, 0x4ef4, 0x3e13, 0x2e32, 0x1e51, 0x0e70, + 0xff9f, 0xefbe, 0xdfdd, 0xcffc, 0xbf1b, 0xaf3a, 0x9f59, 0x8f78, + 0x9188, 0x81a9, 0xb1ca, 0xa1eb, 0xd10c, 0xc12d, 0xf14e, 0xe16f, + 0x1080, 0x00a1, 0x30c2, 0x20e3, 0x5004, 0x4025, 0x7046, 0x6067, + 0x83b9, 0x9398, 0xa3fb, 0xb3da, 0xc33d, 0xd31c, 0xe37f, 0xf35e, + 0x02b1, 0x1290, 0x22f3, 0x32d2, 0x4235, 0x5214, 0x6277, 0x7256, + 0xb5ea, 0xa5cb, 0x95a8, 0x8589, 0xf56e, 0xe54f, 0xd52c, 0xc50d, + 0x34e2, 0x24c3, 0x14a0, 0x0481, 0x7466, 0x6447, 0x5424, 0x4405, + 0xa7db, 0xb7fa, 0x8799, 0x97b8, 0xe75f, 0xf77e, 0xc71d, 0xd73c, + 0x26d3, 0x36f2, 0x0691, 0x16b0, 0x6657, 0x7676, 0x4615, 0x5634, + 0xd94c, 0xc96d, 0xf90e, 0xe92f, 0x99c8, 0x89e9, 0xb98a, 0xa9ab, + 0x5844, 0x4865, 0x7806, 0x6827, 0x18c0, 0x08e1, 0x3882, 0x28a3, + 0xcb7d, 0xdb5c, 0xeb3f, 0xfb1e, 0x8bf9, 0x9bd8, 0xabbb, 0xbb9a, + 0x4a75, 0x5a54, 0x6a37, 0x7a16, 0x0af1, 0x1ad0, 0x2ab3, 0x3a92, + 0xfd2e, 0xed0f, 0xdd6c, 0xcd4d, 0xbdaa, 0xad8b, 0x9de8, 0x8dc9, + 0x7c26, 0x6c07, 0x5c64, 0x4c45, 0x3ca2, 0x2c83, 0x1ce0, 0x0cc1, + 0xef1f, 0xff3e, 0xcf5d, 0xdf7c, 0xaf9b, 0xbfba, 0x8fd9, 0x9ff8, + 0x6e17, 0x7e36, 0x4e55, 0x5e74, 0x2e93, 0x3eb2, 0x0ed1, 0x1ef0 +}; + +static uint16_t udf_crc(unsigned char *buffer, size_t size) +{ + uint16_t crc = 0; + while (size--) + crc = (uint16_t) ((crc << 8) ^ + crc_table[((crc >> 8) & 0x00ff) ^ *buffer++]); + return crc; +} + +/* + * MESSAGE FORMAT + * + * Messages to and from the device have the same format. + * + * Byte-wise: + * 'C' 'i' 'a' 'o' A B L C1 C2 + * + * Ciao prefixes all messages. The rightmost 4 bits of B become the uppermost + * 4 bits of L, and when combined with the lower 8 bits listed as 'L', L is + * the length of the data, is L bytes long. C1 and C2 are the + * UDF-CRC16 for the whole message minus the Ciao prefix. + * + * When the device wants to command the driver to do something, it sends + * a message where B=0 and A!=0. The A value indicates the type of command. + * If the system is expected to respond to the command, it sends a message back + * with B=0 and A incremented. + * + * When the driver sends a command to the device, A=0 and B is used as a + * sequence counter. It starts at 0, increments by 0x10 on each command, and + * wraps around. + * After each command is sent, the device responds with another message + * indicating completion of the command including any data that was requested. + * This message has the same A and B values. + * + * When the driver is sending commands as above, and when the device is + * responding, the seems to follow this structure: + * + * 28 L1 L2 0 0 S + * + * Where the length of is L-3, and S is some kind of subcommand + * code. L1 is the least significant bits of L, L2 is the most significant. In + * the device's response to a command, the subcommand code will be unchanged. + * + * After deducing and documenting the above, I found a few places where the + * above doesn't hold true. Those are marked with FIXME's below. + */ + +#define CMD_SEQ_INCREMENT 0x10 + +static struct libusb_transfer *alloc_send_cmd_transfer(struct fp_dev *dev, + unsigned char seq_a, unsigned char seq_b, const unsigned char *data, + uint16_t len, libusb_transfer_cb_fn callback, void *user_data) +{ + struct libusb_transfer *transfer = libusb_alloc_transfer(0); + uint16_t crc; + + /* 9 bytes extra for: 4 byte 'Ciao', 1 byte A, 1 byte B | lenHI, + * 1 byte lenLO, 2 byte CRC */ + size_t urblen = len + 9; + unsigned char *buf; + + if (!transfer) + return NULL; + + if (!data && len > 0) { + fp_err("len>0 but no data?"); + return NULL; + } + + buf = g_malloc(urblen); + + /* Write header */ + strncpy(buf, "Ciao", 4); + len = GUINT16_TO_LE(len); + buf[4] = seq_a; + buf[5] = seq_b | ((len & 0xf00) >> 8); + buf[6] = len & 0x00ff; + + /* Copy data */ + if (data) + memcpy(buf + 7, data, len); + + /* Append CRC */ + crc = GUINT16_TO_BE(udf_crc(buf + 4, urblen - 6)); + buf[urblen - 2] = crc >> 8; + buf[urblen - 1] = crc & 0xff; + + libusb_fill_bulk_transfer(transfer, dev->udev, EP_OUT, buf, urblen, + callback, user_data, TIMEOUT); + return transfer; +} + +static struct libusb_transfer *alloc_send_cmd28_transfer(struct fp_dev *dev, + unsigned char subcmd, const unsigned char *data, uint16_t innerlen, + libusb_transfer_cb_fn callback, void *user_data) +{ + uint16_t _innerlen = innerlen; + size_t len = innerlen + 6; + unsigned char *buf = g_malloc0(len); + struct upeke2_dev *upekdev = dev->priv; + uint8_t seq = upekdev->seq + CMD_SEQ_INCREMENT; + struct libusb_transfer *ret; + + fp_dbg("seq=%02x subcmd=%02x with %d bytes of data", seq, subcmd, innerlen); + + _innerlen = GUINT16_TO_LE(innerlen + 3); + buf[0] = 0x28; + buf[1] = _innerlen & 0x00ff; + buf[2] = (_innerlen & 0xff00) >> 8; + buf[5] = subcmd; + memcpy(buf + 6, data, innerlen); + + ret = alloc_send_cmd_transfer(dev, 0, seq, buf, len, callback, user_data); + upekdev->seq = seq; + + g_free(buf); + return ret; +} + +static struct libusb_transfer *alloc_send_cmdresponse_transfer( + struct fp_dev *dev, unsigned char seq, const unsigned char *data, + uint8_t len, libusb_transfer_cb_fn callback, void *user_data) +{ + fp_dbg("seq=%02x len=%d", seq, len); + return alloc_send_cmd_transfer(dev, seq, 0, data, len, callback, user_data); +} + +enum read_msg_status { + READ_MSG_ERROR, + READ_MSG_CMD, + READ_MSG_RESPONSE, +}; + +typedef void (*read_msg_cb_fn)(struct fp_dev *dev, enum read_msg_status status, + uint8_t seq, unsigned char subcmd, unsigned char *data, size_t data_len, + void *user_data); + +struct read_msg_data { + struct fp_dev *dev; + read_msg_cb_fn callback; + void *user_data; +}; + +static int __read_msg_async(struct read_msg_data *udata); + +#define READ_MSG_DATA_CB_ERR(udata) (udata)->callback((udata)->dev, \ + READ_MSG_ERROR, 0, 0, NULL, 0, (udata)->user_data) + +static void busy_ack_sent_cb(struct libusb_transfer *transfer) +{ + struct read_msg_data *udata = transfer->user_data; + + if (transfer->status != LIBUSB_TRANSFER_COMPLETED || + transfer->length != transfer->actual_length) { + READ_MSG_DATA_CB_ERR(udata); + g_free(udata); + } else { + int r = __read_msg_async(udata); + if (r < 0) { + READ_MSG_DATA_CB_ERR(udata); + g_free(udata); + } + } + libusb_free_transfer(transfer); +} + +static int busy_ack_retry_read(struct read_msg_data *udata) +{ + struct libusb_transfer *transfer; + int r; + + transfer = alloc_send_cmdresponse_transfer(udata->dev, 0x09, NULL, 0, + busy_ack_sent_cb, udata); + if (!transfer) + return -ENOMEM; + + r = libusb_submit_transfer(transfer); + if (r < 0) { + g_free(transfer->buffer); + libusb_free_transfer(transfer); + } + return r; +} + +/* Returns 0 if message was handled, 1 if it was a device-busy message, and + * negative on error. */ +static int __handle_incoming_msg(struct read_msg_data *udata, + unsigned char *buf) +{ + uint16_t len = GUINT16_FROM_LE(((buf[5] & 0xf) << 8) | buf[6]); + uint16_t computed_crc = udf_crc(buf + 4, len + 3); + uint16_t msg_crc = GUINT16_FROM_LE((buf[len + 8] << 8) | buf[len + 7]); + unsigned char *retdata = NULL; + unsigned char code_a, code_b; + + if (computed_crc != msg_crc) { + fp_err("CRC failed, got %04x expected %04x", msg_crc, computed_crc); + return -1; + } + + code_a = buf[4]; + code_b = buf[5] & 0xf0; + len = GUINT16_FROM_LE(((buf[5] & 0xf) << 8) | buf[6]); + fp_dbg("A=%02x B=%02x len=%d", code_a, code_b, len); + + if (code_a && !code_b) { + /* device sends command to driver */ + fp_dbg("cmd %x from device to driver", code_a); + + if (code_a == 0x08) { + int r; + fp_dbg("device busy, send busy-ack"); + r = busy_ack_retry_read(udata); + return (r < 0) ? r : 1; + } + + if (len > 0) { + retdata = g_malloc(len); + memcpy(retdata, buf + 7, len); + } + udata->callback(udata->dev, READ_MSG_CMD, code_a, 0, retdata, len, + udata->user_data); + g_free(retdata); + } else if (!code_a) { + /* device sends response to a previously executed command */ + unsigned char *innerbuf = buf + 7; + unsigned char _subcmd; + uint16_t innerlen; + + if (len < 6) { + fp_err("cmd response too short (%d)", len); + return -1; + } + if (innerbuf[0] != 0x28) { + fp_err("cmd response without 28 byte?"); + return -1; + } + + /* not really sure what these 2 bytes are. on most people's hardware, + * these bytes are always 0. However, Alon Bar-Lev's hardware gives + * 0xfb 0xff during the READ28_OB initsm stage. so don't error out + * if they are different... */ + if (innerbuf[3] || innerbuf[4]) + fp_dbg("non-zero bytes in cmd response"); + + innerlen = innerbuf[1] | (innerbuf[2] << 8); + innerlen = GUINT16_FROM_LE(innerlen) - 3; + _subcmd = innerbuf[5]; + fp_dbg("device responds to subcmd %x with %d bytes", _subcmd, innerlen); + if (innerlen > 0) { + retdata = g_malloc(innerlen); + memcpy(retdata, innerbuf + 6, innerlen); + } + udata->callback(udata->dev, READ_MSG_RESPONSE, code_b, _subcmd, + retdata, innerlen, udata->user_data); + g_free(retdata); + } else { + fp_err("don't know how to handle this message"); + return -1; + } + return 0; +} + +static void read_msg_extend_cb(struct libusb_transfer *transfer) +{ + struct read_msg_data *udata = transfer->user_data; + unsigned char *buf = transfer->buffer - MSG_READ_BUF_SIZE; + int handle_result = 0; + + if (transfer->status != LIBUSB_TRANSFER_COMPLETED) { + fp_err("extended msg read failed, code %d", transfer->status); + goto err; + } + if (transfer->actual_length < transfer->length) { + fp_err("extended msg short read (%d/%d)", transfer->actual_length, + transfer->length); + goto err; + } + + handle_result = __handle_incoming_msg(udata, buf); + if (handle_result < 0) + goto err; + goto out; + +err: + READ_MSG_DATA_CB_ERR(udata); +out: + if (handle_result != 1) + g_free(udata); + g_free(buf); + libusb_free_transfer(transfer); +} + +static void read_msg_cb(struct libusb_transfer *transfer) +{ + struct read_msg_data *udata = transfer->user_data; + unsigned char *data = transfer->buffer; + uint16_t len; + int handle_result = 0; + + if (transfer->status != LIBUSB_TRANSFER_COMPLETED) { + fp_err("async msg read failed, code %d", transfer->status); + goto err; + } + if (transfer->actual_length < 9) { + fp_err("async msg read too short (%d)", transfer->actual_length); + goto err; + } + + if (strncmp(data, "Ciao", 4) != 0) { + fp_err("no Ciao for you!!"); + goto err; + } + + len = GUINT16_FROM_LE(((data[5] & 0xf) << 8) | data[6]); + if (transfer->actual_length != MSG_READ_BUF_SIZE + && (len + 9) > transfer->actual_length) { + /* Check that the length claimed inside the message is in line with + * the amount of data that was transferred over USB. */ + fp_err("msg didn't include enough data, expected=%d recv=%d", + len + 9, transfer->actual_length); + goto err; + } + + /* We use a 64 byte buffer for reading messages. However, sometimes + * messages are longer, in which case we have to do another USB bulk read + * to read the remainder. This is handled below. */ + if (len > MAX_DATA_IN_READ_BUF) { + int needed = len - MAX_DATA_IN_READ_BUF; + struct libusb_transfer *etransfer = libusb_alloc_transfer(0); + int r; + + if (!transfer) + goto err; + + fp_dbg("didn't fit in buffer, need to extend by %d bytes", needed); + data = g_realloc((gpointer) data, MSG_READ_BUF_SIZE + needed); + + libusb_fill_bulk_transfer(etransfer, udata->dev->udev, EP_IN, + data + MSG_READ_BUF_SIZE, needed, read_msg_extend_cb, udata, + TIMEOUT); + + r = libusb_submit_transfer(etransfer); + if (r < 0) { + fp_err("extended read submission failed"); + /* FIXME memory leak here? */ + goto err; + } + libusb_free_transfer(transfer); + return; + } + + handle_result = __handle_incoming_msg(udata, data); + if (handle_result < 0) + goto err; + goto out; + +err: + READ_MSG_DATA_CB_ERR(udata); +out: + libusb_free_transfer(transfer); + if (handle_result != 1) + g_free(udata); + g_free(data); +} + +static int __read_msg_async(struct read_msg_data *udata) +{ + unsigned char *buf = g_malloc(MSG_READ_BUF_SIZE); + struct libusb_transfer *transfer = libusb_alloc_transfer(0); + int r; + + if (!transfer) { + g_free(buf); + return -ENOMEM; + } + + libusb_fill_bulk_transfer(transfer, udata->dev->udev, EP_IN, buf, + MSG_READ_BUF_SIZE, read_msg_cb, udata, TIMEOUT); + r = libusb_submit_transfer(transfer); + if (r < 0) { + g_free(buf); + libusb_free_transfer(transfer); + } + + return r; +} + +static int read_msg_async(struct fp_dev *dev, read_msg_cb_fn callback, + void *user_data) +{ + struct read_msg_data *udata = g_malloc(sizeof(*udata)); + int r; + + udata->dev = dev; + udata->callback = callback; + udata->user_data = user_data; + r = __read_msg_async(udata); + if (r) + g_free(udata); + return r; +} + +static const unsigned char init_resp03[] = { + 0x01, 0x00, 0xbc, 0x02, 0x00, 0x00, 0x00, 0x00 +}; + +static const unsigned char init28_08[] = { + 0x03, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x38, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, + 0x00, 0x00, 0x05, 0x1f, 0x88, 0x59, 0x2a, 0x09, 0x7e, 0x35, 0x2f, 0x68, 0xc8, 0x10, 0x4f, 0x19, + 0xd6, 0xea, 0xc8, 0xd9, 0x41, 0x73, 0x14, 0x99, 0xa8, 0x77, 0x94, 0xa0, 0x9c, 0xe3, 0x8b, 0x77, + 0xf8, 0x83, 0xdc, 0x14, 0xef, 0x2b, 0x5f, 0xaa, 0xb7, 0x18, 0x3b, 0x7d, 0x11, 0x71, 0xf5, 0x95, + 0x18, 0x6f, 0x40, 0xcd, 0x5d, 0xbd, 0x13, 0x58, 0x15, 0x10, 0x03, 0xdb, 0x96, 0x86, 0xc6, 0x25, + 0xdd, 0x61, 0x7f, 0x54 +}; + +/* device initialisation state machine */ + +enum initsm_states { + WRITE_CTRL400 = 0, + READ_MSG03, + SEND_RESP03, + READ_MSG05, + SEND28_06, + READ28_06, + SEND28_51, + READ28_51, + SEND28_07, + READ28_07, + SEND28_08, + READ28_08, + INITSM_NUM_STATES +}; + +static void initsm_read_msg_response_cb(struct fpi_ssm *ssm, + enum read_msg_status status, uint8_t seq, + unsigned char expect_subcmd, unsigned char subcmd) +{ + struct fp_dev *dev = ssm->dev; + struct upeke2_dev *upekdev = dev->priv; + + if (status != READ_MSG_RESPONSE) { + fp_err("expected response, got %d seq=%x in state %d", status, seq, + ssm->cur_state); + fpi_ssm_mark_aborted(ssm, -1); + } else if (subcmd != expect_subcmd) { + fp_warn("expected response to subcmd 0x%02x, got response to %02x in " + "state %d", expect_subcmd, subcmd, ssm->cur_state); + fpi_ssm_mark_aborted(ssm, -1); + } else if (seq != upekdev->seq) { + fp_err("expected response to cmd seq=%02x, got response to %02x " + "in state %d", upekdev->seq, seq, ssm->cur_state); + fpi_ssm_mark_aborted(ssm, -1); + } else { + fp_dbg("state %d completed", ssm->cur_state); + fpi_ssm_next_state(ssm); + } +} +static void read28_08_cb(struct fp_dev *dev, enum read_msg_status status, + uint8_t seq, unsigned char subcmd, unsigned char *data, size_t data_len, + void *user_data) +{ + initsm_read_msg_response_cb((struct fpi_ssm *) user_data, status, seq, + 0x08, subcmd); +} + +static void read28_07_cb(struct fp_dev *dev, enum read_msg_status status, + uint8_t seq, unsigned char subcmd, unsigned char *data, size_t data_len, + void *user_data) +{ + initsm_read_msg_response_cb((struct fpi_ssm *) user_data, status, seq, + 0x07, subcmd); +} + +static void read28_51_cb(struct fp_dev *dev, enum read_msg_status status, + uint8_t seq, unsigned char subcmd, unsigned char *data, size_t data_len, + void *user_data) +{ + initsm_read_msg_response_cb((struct fpi_ssm *) user_data, status, seq, + 0x51, subcmd); +} + +static void read28_06_cb(struct fp_dev *dev, enum read_msg_status status, + uint8_t seq, unsigned char subcmd, unsigned char *data, size_t data_len, + void *user_data) +{ + initsm_read_msg_response_cb((struct fpi_ssm *) user_data, status, seq, + 0x06, subcmd); +} + +static void initsm_read_msg_cmd_cb(struct fpi_ssm *ssm, + enum read_msg_status status, uint8_t expect_seq, uint8_t seq) +{ + struct fp_dev *dev = ssm->dev; + struct upeke2_dev *upekdev = dev->priv; + + if (status == READ_MSG_ERROR) { + fpi_ssm_mark_aborted(ssm, -1); + return; + } else if (status != READ_MSG_CMD) { + fp_err("expected command, got %d seq=%x in state %d", status, seq, + ssm->cur_state); + fpi_ssm_mark_aborted(ssm, -1); + return; + } + upekdev->seq = seq; + if (seq != expect_seq) { + fp_err("expected seq=%x, got %x in state %d", expect_seq, seq, + ssm->cur_state); + fpi_ssm_mark_aborted(ssm, -1); + return; + } + + fpi_ssm_next_state(ssm); +} + +static void read_msg05_cb(struct fp_dev *dev, enum read_msg_status status, + uint8_t seq, unsigned char subcmd, unsigned char *data, size_t data_len, + void *user_data) +{ + initsm_read_msg_cmd_cb((struct fpi_ssm *) user_data, status, 5, seq); +} + +static void read_msg03_cb(struct fp_dev *dev, enum read_msg_status status, + uint8_t seq, unsigned char subcmd, unsigned char *data, size_t data_len, + void *user_data) +{ + initsm_read_msg_cmd_cb((struct fpi_ssm *) user_data, status, 3, seq); +} + +static void ctrl400_cb(struct libusb_transfer *transfer) +{ + struct fpi_ssm *ssm = transfer->user_data; + /* FIXME check length? */ + if (transfer->status == LIBUSB_TRANSFER_COMPLETED) + fpi_ssm_next_state(ssm); + else + fpi_ssm_mark_aborted(ssm, -1); + g_free(transfer->buffer); + libusb_free_transfer(transfer); +} + +static void initsm_read_msg_handler(struct fpi_ssm *ssm, + read_msg_cb_fn callback) +{ + int r = read_msg_async(ssm->dev, callback, ssm); + if (r < 0) { + fp_err("async read msg failed in state %d", ssm->cur_state); + fpi_ssm_mark_aborted(ssm, r); + } +} + +static void initsm_send_msg_cb(struct libusb_transfer *transfer) +{ + struct fpi_ssm *ssm = transfer->user_data; + if (transfer->status == LIBUSB_TRANSFER_COMPLETED + && transfer->length == transfer->actual_length) { + fp_dbg("state %d completed", ssm->cur_state); + fpi_ssm_next_state(ssm); + } else { + fp_err("failed, state=%d rqlength=%d actual_length=%d", ssm->cur_state, + transfer->length, transfer->actual_length); + fpi_ssm_mark_aborted(ssm, -1); + } + libusb_free_transfer(transfer); +} + +static void initsm_send_msg28_handler(struct fpi_ssm *ssm, + unsigned char subcmd, const unsigned char *data, uint16_t innerlen) +{ + struct fp_dev *dev = ssm->dev; + struct libusb_transfer *transfer; + int r; + + transfer = alloc_send_cmd28_transfer(dev, subcmd, data, innerlen, + initsm_send_msg_cb, ssm); + if (!transfer) { + fpi_ssm_mark_aborted(ssm, -ENOMEM); + return; + } + + r = libusb_submit_transfer(transfer); + if (r < 0) { + fp_err("urb submission failed error %d in state %d", r, ssm->cur_state); + g_free(transfer->buffer); + libusb_free_transfer(transfer); + fpi_ssm_mark_aborted(ssm, -EIO); + } +} + +static void initsm_run_state(struct fpi_ssm *ssm) +{ + struct fp_dev *dev = ssm->dev; + struct upeke2_dev *upekdev = dev->priv; + struct libusb_transfer *transfer; + int r; + + switch (ssm->cur_state) { + case WRITE_CTRL400: ; + unsigned char *data; + + transfer = libusb_alloc_transfer(0); + if (!transfer) { + fpi_ssm_mark_aborted(ssm, -ENOMEM); + break; + } + + data = g_malloc(LIBUSB_CONTROL_SETUP_SIZE + 1); + libusb_fill_control_setup(data, + LIBUSB_REQUEST_TYPE_VENDOR | LIBUSB_RECIPIENT_DEVICE, 0x0c, 0x100, 0x0400, 1); + libusb_fill_control_transfer(transfer, ssm->dev->udev, data, + ctrl400_cb, ssm, TIMEOUT); + + r = libusb_submit_transfer(transfer); + if (r < 0) { + g_free(data); + libusb_free_transfer(transfer); + fpi_ssm_mark_aborted(ssm, r); + } + break; + case READ_MSG03: + initsm_read_msg_handler(ssm, read_msg03_cb); + break; + case SEND_RESP03: ; + transfer = alloc_send_cmdresponse_transfer(dev, ++upekdev->seq, + init_resp03, sizeof(init_resp03), initsm_send_msg_cb, ssm); + if (!transfer) { + fpi_ssm_mark_aborted(ssm, -ENOMEM); + break; + } + + r = libusb_submit_transfer(transfer); + if (r < 0) { + g_free(transfer->buffer); + libusb_free_transfer(transfer); + fpi_ssm_mark_aborted(ssm, r); + } + break; + case READ_MSG05: + initsm_read_msg_handler(ssm, read_msg05_cb); + break; + case SEND28_06: ; + unsigned char dummy28_06 = 0x04; + upekdev->seq = 0xf0; + initsm_send_msg28_handler(ssm, 0x06, &dummy28_06, 1); + break; + case READ28_06: + initsm_read_msg_handler(ssm, read28_06_cb); + break; + case SEND28_51: ; + unsigned char dummy28_51[] = { 0x04, 0x0a, 0x00, 0x00, 0x00 }; + initsm_send_msg28_handler(ssm, 0x51, &dummy28_51, 5); + break; + case READ28_51: + initsm_read_msg_handler(ssm, read28_51_cb); + break; + case SEND28_07: ; + unsigned char dummy28_07[] = { 0x04, 0x20, 0x00, 0x00, 0x00 }; + initsm_send_msg28_handler(ssm, 0x07, &dummy28_07, 5); + break; + case READ28_07: + initsm_read_msg_handler(ssm, read28_07_cb); + break; + case SEND28_08: + initsm_send_msg28_handler(ssm, 0x08, init28_08, sizeof(init28_08)); + break; + case READ28_08: + initsm_read_msg_handler(ssm, read28_08_cb); + break; + } +} + +static struct fpi_ssm *initsm_new(struct fp_dev *dev) +{ + return fpi_ssm_new(dev, initsm_run_state, INITSM_NUM_STATES); +} + +enum deinitsm_states { + SEND_RESP07 = 0, + READ_MSG01, + DEINITSM_NUM_STATES, +}; + +static void send_resp07_cb(struct libusb_transfer *transfer) +{ + struct fpi_ssm *ssm = transfer->user_data; + if (transfer->status != LIBUSB_TRANSFER_COMPLETED) + fpi_ssm_mark_aborted(ssm, -EIO); + else if (transfer->length != transfer->actual_length) + fpi_ssm_mark_aborted(ssm, -EPROTO); + else + fpi_ssm_next_state(ssm); + libusb_free_transfer(transfer); +} + +static void read_msg01_cb(struct fp_dev *dev, enum read_msg_status status, + uint8_t seq, unsigned char subcmd, unsigned char *data, size_t data_len, + void *user_data) +{ + struct fpi_ssm *ssm = user_data; + struct upeke2_dev *upekdev = dev->priv; + + if (status == READ_MSG_ERROR) { + fpi_ssm_mark_aborted(ssm, -1); + return; + } else if (status != READ_MSG_CMD) { + fp_err("expected command, got %d seq=%x", status, seq); + fpi_ssm_mark_aborted(ssm, -1); + return; + } + upekdev->seq = seq; + if (seq != 1) { + fp_err("expected seq=1, got %x", seq); + fpi_ssm_mark_aborted(ssm, -1); + return; + } + + fpi_ssm_next_state(ssm); +} + +static void deinitsm_state_handler(struct fpi_ssm *ssm) +{ + struct fp_dev *dev = ssm->dev; + int r; + + switch (ssm->cur_state) { + case SEND_RESP07: ; + struct libusb_transfer *transfer; + unsigned char dummy = 0; + + transfer = alloc_send_cmdresponse_transfer(dev, 0x07, &dummy, 1, + send_resp07_cb, ssm); + if (!transfer) { + fpi_ssm_mark_aborted(ssm, -ENOMEM); + break; + } + + r = libusb_submit_transfer(transfer); + if (r < 0) { + g_free(transfer->buffer); + libusb_free_transfer(transfer); + fpi_ssm_mark_aborted(ssm, r); + } + break; + case READ_MSG01: ; + r = read_msg_async(dev, read_msg01_cb, ssm); + if (r < 0) + fpi_ssm_mark_aborted(ssm, r); + break; + } +} + +static struct fpi_ssm *deinitsm_new(struct fp_dev *dev) +{ + return fpi_ssm_new(dev, deinitsm_state_handler, DEINITSM_NUM_STATES); +} + +static int dev_init(struct fp_dev *dev, unsigned long driver_data) +{ + struct upeke2_dev *upekdev = NULL; + int r; + + r = libusb_claim_interface(dev->udev, 0); + if (r < 0) + return r; + + upekdev = g_malloc(sizeof(*upekdev)); + upekdev->seq = 0xf0; /* incremented to 0x00 before first cmd */ + dev->priv = upekdev; + dev->nr_enroll_stages = 5; + + fpi_drvcb_open_complete(dev, 0); + return 0; +} + +static void dev_exit(struct fp_dev *dev) +{ + libusb_release_interface(dev->udev, 0); + g_free(dev->priv); + fpi_drvcb_close_complete(dev); +} + +static const unsigned char enroll_init[] = { + 0x02, 0xc0, 0xd4, 0x01, 0x00, 0x04, 0x00, 0x08 +}; +static const unsigned char scan_comp[] = { + 0x12, 0xff, 0xff, 0xff, 0xff /* scan completion, prefixes print data */ +}; + +/* used for enrollment and verification */ +static const unsigned char poll_data[] = { 0x30, 0x01 }; + +enum enroll_start_sm_states { + RUN_INITSM = 0, + ENROLL_INIT, + READ_ENROLL_MSG28, + ENROLL_START_NUM_STATES, +}; + +/* Called when the device initialization state machine completes */ +static void enroll_start_sm_cb_initsm(struct fpi_ssm *initsm) +{ + struct fpi_ssm *enroll_start_ssm = initsm->priv; + int error = initsm->error; + + fpi_ssm_free(initsm); + if (error) + fpi_ssm_mark_aborted(enroll_start_ssm, error); + else + fpi_ssm_next_state(enroll_start_ssm); +} + +/* called when enroll init URB has completed */ +static void enroll_start_sm_cb_init(struct libusb_transfer *transfer) +{ + struct fpi_ssm *ssm = transfer->user_data; + if (transfer->status != LIBUSB_TRANSFER_COMPLETED) + fpi_ssm_mark_aborted(ssm, -EIO); + else if (transfer->length != transfer->actual_length) + fpi_ssm_mark_aborted(ssm, -EPROTO); + else + fpi_ssm_next_state(ssm); + libusb_free_transfer(transfer); +} + +static void enroll_start_sm_cb_msg28(struct fp_dev *dev, + enum read_msg_status status, uint8_t seq, unsigned char subcmd, + unsigned char *data, size_t data_len, void *user_data) +{ + struct upeke2_dev *upekdev = dev->priv; + struct fpi_ssm *ssm = user_data; + + if (status != READ_MSG_RESPONSE) { + fp_err("expected response, got %d seq=%x", status, seq); + fpi_ssm_mark_aborted(ssm, -1); + } else if (subcmd != 0) { + fp_warn("expected response to subcmd 0, got response to %02x", + subcmd); + fpi_ssm_mark_aborted(ssm, -1); + } else if (seq != upekdev->seq) { + fp_err("expected response to cmd seq=%02x, got response to %02x", + upekdev->seq, seq); + fpi_ssm_mark_aborted(ssm, -1); + } else { + fpi_ssm_next_state(ssm); + } +} + +static void enroll_start_sm_run_state(struct fpi_ssm *ssm) +{ + struct fp_dev *dev = ssm->dev; + int r; + + switch (ssm->cur_state) { + case RUN_INITSM: ; + struct fpi_ssm *initsm = initsm_new(dev); + initsm->priv = ssm; + fpi_ssm_start(initsm, enroll_start_sm_cb_initsm); + break; + case ENROLL_INIT: ; + struct libusb_transfer *transfer; + transfer = alloc_send_cmd28_transfer(dev, 0x02, enroll_init, + sizeof(enroll_init), enroll_start_sm_cb_init, ssm); + if (!transfer) { + fpi_ssm_mark_aborted(ssm, -ENOMEM); + break; + } + + r = libusb_submit_transfer(transfer); + if (r < 0) { + g_free(transfer->buffer); + libusb_free_transfer(transfer); + fpi_ssm_mark_aborted(ssm, r); + } + break; + case READ_ENROLL_MSG28: ; + /* FIXME: protocol misunderstanding here. device receives response + * to subcmd 0 after submitting subcmd 2? */ + /* actually this is probably a poll response? does the above cmd + * include a 30 01 poll somewhere? */ + r = read_msg_async(dev, enroll_start_sm_cb_msg28, ssm); + //if (r < 0) + //fpi_ssm_mark_aborted(ssm, r); + break; + } +} + +static void enroll_iterate(struct fp_dev *dev); + +static void e_handle_resp00(struct fp_dev *dev, unsigned char *data, + size_t data_len) +{ + + + struct upeke2_dev *upekdev = dev->priv; + unsigned char status; + int result = 0; + + if (data_len != 14) { + fp_err("received 3001 poll response of %d bytes?", data_len); + fpi_drvcb_enroll_stage_completed(dev, -EPROTO, NULL, NULL); + return; + } + + status = data[5]; + fp_dbg("poll result = %02x", status); + + switch (status) { + case 0x0c: + case 0x0d: + case 0x0e: + case 0x26: + case 0x27: + /* if we previously completed a non-last enrollment stage, we'll + * get this code to indicate successful stage completion */ + if (upekdev->enroll_passed) { + result = FP_ENROLL_PASS; + upekdev->enroll_passed = FALSE; + } + /* otherwise it just means "no news" so we poll again */ + break; + case 0x1c: /* FIXME what does this one mean? */ + case 0x0b: /* FIXME what does this one mean? */ + case 0x23: /* FIXME what does this one mean? */ + result = FP_ENROLL_RETRY; + break; + case 0x0f: /* scan taking too long, remove finger and try again */ + result = FP_ENROLL_RETRY_REMOVE_FINGER; + break; + case 0x1e: /* swipe too short */ + result = FP_ENROLL_RETRY_TOO_SHORT; + break; + case 0x24: /* finger not centered */ + result = FP_ENROLL_RETRY_CENTER_FINGER; + break; + case 0x20: + /* finger scanned successfully */ + /* need to look at the next poll result to determine if enrollment is + * complete or not */ + upekdev->enroll_passed = 1; + break; + case 0x00: /* enrollment complete */ + /* we can now expect the enrollment data on the next poll, so we + * have nothing to do here */ + break; + default: + fp_err("unrecognised scan status code %02x", status); + result = -EPROTO; + break; + } + + if (result) { + fpi_drvcb_enroll_stage_completed(dev, result, NULL, NULL); + if (result > 0){ + enroll_iterate(dev); + } + } else { + enroll_iterate(dev); + } + + /* FIXME: need to extend protocol research to handle the case when + * enrolment fails, e.g. you scan a different finger on each stage */ + /* FIXME: should do proper tracking of when we expect cmd0 results and + * cmd2 results and enforce it */ +} + +static void e_handle_resp02(struct fp_dev *dev, unsigned char *data, + size_t data_len) +{ + struct fp_print_data *fdata = NULL; + int result = -EPROTO; + + if (data_len < sizeof(scan_comp)) { + fp_err("fingerprint data too short (%d bytes)", data_len); + } else if (memcmp(data, scan_comp, sizeof(scan_comp)) != 0) { + fp_err("unrecognised data prefix %x %x %x %x %x", + data[0], data[1], data[2], data[3], data[4]); + } else { + fdata = fpi_print_data_new(dev, data_len - sizeof(scan_comp)); + memcpy(fdata->data, data + sizeof(scan_comp), + data_len - sizeof(scan_comp)); + + result = FP_ENROLL_COMPLETE; + } + + fpi_drvcb_enroll_stage_completed(dev, result, fdata, NULL); +} + +static void enroll_iterate_msg_cb(struct fp_dev *dev, + enum read_msg_status msgstat, uint8_t seq, unsigned char subcmd, + unsigned char *data, size_t data_len, void *user_data) +{ + if (msgstat != READ_MSG_RESPONSE) { + fp_err("expected response, got %d seq=%x", msgstat, seq); + fpi_drvcb_enroll_stage_completed(dev, -EPROTO, NULL, NULL); + return; + } + if (subcmd == 0) { + e_handle_resp00(dev, data, data_len); + } else if (subcmd == 2) { + e_handle_resp02(dev, data, data_len); + } else { + fp_err("unexpected subcmd %d", subcmd); + fpi_drvcb_enroll_stage_completed(dev, -EPROTO, NULL, NULL); + } + +} + +static void enroll_iterate_cmd_cb(struct libusb_transfer *transfer) +{ + struct fp_dev *dev = transfer->user_data; + + if (transfer->status != LIBUSB_TRANSFER_COMPLETED) { + fpi_drvcb_enroll_stage_completed(dev, -EIO, NULL, NULL); + } else if (transfer->length != transfer->actual_length) { + fpi_drvcb_enroll_stage_completed(dev, -EPROTO, NULL, NULL); + } else { + int r = read_msg_async(dev, enroll_iterate_msg_cb, NULL); + if (r < 0) + fpi_drvcb_enroll_stage_completed(dev, r, NULL, NULL); + } + libusb_free_transfer(transfer); +} + +static void enroll_iterate(struct fp_dev *dev) +{ + int r; + struct libusb_transfer *transfer = alloc_send_cmd28_transfer(dev, 0x00, + poll_data, sizeof(poll_data), enroll_iterate_cmd_cb, dev); + + if (!transfer) { + fpi_drvcb_enroll_stage_completed(dev, -ENOMEM, NULL, NULL); + return; + } + + r = libusb_submit_transfer(transfer); + if (r < 0) { + g_free(transfer->buffer); + libusb_free_transfer(transfer); + fpi_drvcb_enroll_stage_completed(dev, -EIO, NULL, NULL); + } +} + +static void enroll_started(struct fpi_ssm *ssm) +{ + struct fp_dev *dev = ssm->dev; + fpi_drvcb_enroll_started(dev, ssm->error); + + if (!ssm->error) + enroll_iterate(dev); + + fpi_ssm_free(ssm); +} + +static int enroll_start(struct fp_dev *dev) +{ + struct upeke2_dev *upekdev = dev->priv; + + /* do_init state machine first */ + struct fpi_ssm *ssm = fpi_ssm_new(dev, enroll_start_sm_run_state, + ENROLL_START_NUM_STATES); + + upekdev->enroll_passed = FALSE; + fpi_ssm_start(ssm, enroll_started); + return 0; +} + +static void enroll_stop_deinit_cb(struct fpi_ssm *ssm) +{ + /* don't really care about errors */ + fpi_drvcb_enroll_stopped(ssm->dev); + fpi_ssm_free(ssm); +} + +static int enroll_stop(struct fp_dev *dev) +{ + struct fpi_ssm *ssm = deinitsm_new(dev); + fpi_ssm_start(ssm, enroll_stop_deinit_cb); + return 0; +} + +static void verify_stop_deinit_cb(struct fpi_ssm *ssm) +{ + /* don't really care about errors */ + fpi_drvcb_verify_stopped(ssm->dev); + fpi_ssm_free(ssm); +} + +static void do_verify_stop(struct fp_dev *dev) +{ + struct fpi_ssm *ssm = deinitsm_new(dev); + fpi_ssm_start(ssm, verify_stop_deinit_cb); +} + +static const unsigned char verify_hdr[] = { + 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0xc0, 0xd4, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, + 0x00 +}; + +enum { + VERIFY_RUN_INITSM = 0, + VERIFY_INIT, + VERIFY_NUM_STATES, +}; + +/* Called when the device initialization state machine completes */ +static void verify_start_sm_cb_initsm(struct fpi_ssm *initsm) +{ + struct fpi_ssm *verify_start_ssm = initsm->priv; + if (initsm->error) + fpi_ssm_mark_aborted(verify_start_ssm, initsm->error); + else + fpi_ssm_next_state(verify_start_ssm); + fpi_ssm_free(initsm); +} + +static void verify_init_2803_cb(struct libusb_transfer *transfer) +{ + struct fpi_ssm *ssm = transfer->user_data; + if (transfer->status != LIBUSB_TRANSFER_COMPLETED) + fpi_ssm_mark_aborted(ssm, -EIO); + else if (transfer->length != transfer->actual_length) + fpi_ssm_mark_aborted(ssm, -EPROTO); + else + fpi_ssm_next_state(ssm); + libusb_free_transfer(transfer); +} + +static void verify_start_sm_run_state(struct fpi_ssm *ssm) +{ + struct fp_dev *dev = ssm->dev; + int r; + + switch (ssm->cur_state) { + case VERIFY_RUN_INITSM: ; + struct fpi_ssm *initsm = initsm_new(dev); + initsm->priv = ssm; + fpi_ssm_start(initsm, verify_start_sm_cb_initsm); + break; + case VERIFY_INIT: ; + struct fp_print_data *print = dev->verify_data; + size_t data_len = sizeof(verify_hdr) + print->length; + unsigned char *data = g_malloc(data_len); + struct libusb_transfer *transfer; + + memcpy(data, verify_hdr, sizeof(verify_hdr)); + memcpy(data + sizeof(verify_hdr), print->data, print->length); + transfer = alloc_send_cmd28_transfer(dev, 0x03, data, data_len, + verify_init_2803_cb, ssm); + g_free(data); + if (!transfer) { + fpi_ssm_mark_aborted(ssm, -ENOMEM); + break; + } + + r = libusb_submit_transfer(transfer); + if (r < 0) { + g_free(transfer->buffer); + libusb_free_transfer(transfer); + fpi_ssm_mark_aborted(ssm, -EIO); + } + break; + } +} + +static void verify_iterate(struct fp_dev *dev); + +static void v_handle_resp00(struct fp_dev *dev, unsigned char *data, + size_t data_len) +{ + unsigned char status; + int r = 0; + + if (data_len != 14) { + fp_err("received 3001 poll response of %d bytes?", data_len); + r = -EPROTO; + goto out; + } + + status = data[5]; + fp_dbg("poll result = %02x", status); + + /* These codes indicate that we're waiting for a finger scan, so poll + * again */ + switch (status) { + case 0x0c: /* no news, poll again */ + break; + case 0x20: + fp_dbg("processing scan for verification"); + break; + case 0x00: + fp_dbg("good image"); + break; + case 0x1c: /* FIXME what does this one mean? */ + case 0x0b: /* FIXME what does this one mean? */ + case 0x23: /* FIXME what does this one mean? */ + r = FP_VERIFY_RETRY; + break; + case 0x0f: /* scan taking too long, remove finger and try again */ + r = FP_VERIFY_RETRY_REMOVE_FINGER; + break; + case 0x1e: /* swipe too short */ + r = FP_VERIFY_RETRY_TOO_SHORT; + break; + case 0x24: /* finger not centered */ + r = FP_VERIFY_RETRY_CENTER_FINGER; + break; + default: + fp_err("unrecognised verify status code %02x", status); + r = -EPROTO; + } + +out: + if (r) + fpi_drvcb_report_verify_result(dev, r, NULL); + if (r >= 0) + verify_iterate(dev); +} + +static void v_handle_resp03(struct fp_dev *dev, unsigned char *data, + size_t data_len) +{ + int r; + + if (data_len < 2) { + fp_err("verify result abnormally short!"); + r = -EPROTO; + } else if (data[0] != 0x12) { + fp_err("unexpected verify header byte %02x", data[0]); + r = -EPROTO; + } else if (data[1] == 0x00) { + r = FP_VERIFY_NO_MATCH; + } else if (data[1] == 0x01) { + r = FP_VERIFY_MATCH; + } else { + fp_err("unrecognised verify result %02x", data[1]); + r = -EPROTO; + } + fpi_drvcb_report_verify_result(dev, r, NULL); +} + +static void verify_rd2800_cb(struct fp_dev *dev, enum read_msg_status msgstat, + uint8_t seq, unsigned char subcmd, unsigned char *data, size_t data_len, + void *user_data) +{ + struct upeke2_dev *upekdev = dev->priv; + + if (msgstat != READ_MSG_RESPONSE) { + fp_err("expected response, got %d seq=%x", msgstat, seq); + fpi_drvcb_report_verify_result(dev, -EPROTO, NULL); + return; + } else if (seq != upekdev->seq) { + fp_err("expected response to cmd seq=%02x, got response to %02x", + upekdev->seq, seq); + fpi_drvcb_report_verify_result(dev, -EPROTO, NULL); + return; + } + + if (subcmd == 0) + v_handle_resp00(dev, data, data_len); + else if (subcmd == 3) + v_handle_resp03(dev, data, data_len); + else + fpi_drvcb_report_verify_result(dev, -EPROTO, NULL); +} + +static void verify_wr2800_cb(struct libusb_transfer *transfer) +{ + struct fp_dev *dev = transfer->user_data; + + if (transfer->status != LIBUSB_TRANSFER_COMPLETED) { + fpi_drvcb_report_verify_result(dev, -EIO, NULL); + } else if (transfer->length != transfer->actual_length) { + fpi_drvcb_report_verify_result(dev, -EIO, NULL); + } else { + int r = read_msg_async(dev, verify_rd2800_cb, NULL); + if (r < 0) + fpi_drvcb_report_verify_result(dev, r, NULL); + } + libusb_free_transfer(transfer); +} + +static void verify_iterate(struct fp_dev *dev) +{ + struct upeke2_dev *upekdev = dev->priv; + + if (upekdev->stop_verify) { + do_verify_stop(dev); + return; + } + + /* FIXME: this doesn't flow well, should the first cmd be moved from + * verify init to here? */ + if (upekdev->first_verify_iteration) { + int r = read_msg_async(dev, verify_rd2800_cb, NULL); + upekdev->first_verify_iteration = FALSE; + if (r < 0) + fpi_drvcb_report_verify_result(dev, r, NULL); + } else { + int r; + struct libusb_transfer *transfer = alloc_send_cmd28_transfer(dev, + 0x00, poll_data, sizeof(poll_data), verify_wr2800_cb, dev); + + if (!transfer) { + fpi_drvcb_report_verify_result(dev, -ENOMEM, NULL); + return; + } + + r = libusb_submit_transfer(transfer); + if (r < 0) { + g_free(transfer->buffer); + libusb_free_transfer(transfer); + fpi_drvcb_report_verify_result(dev, -EIO, NULL); + } + } +} + +static void verify_started(struct fpi_ssm *ssm) +{ + struct fp_dev *dev = ssm->dev; + struct upeke2_dev *upekdev = dev->priv; + + fpi_drvcb_verify_started(dev, ssm->error); + if (!ssm->error) { + upekdev->first_verify_iteration = TRUE; + verify_iterate(dev); + } + + fpi_ssm_free(ssm); +} + +static int verify_start(struct fp_dev *dev) +{ + struct upeke2_dev *upekdev = dev->priv; + struct fpi_ssm *ssm = fpi_ssm_new(dev, verify_start_sm_run_state, + VERIFY_NUM_STATES); + upekdev->stop_verify = FALSE; + fpi_ssm_start(ssm, verify_started); + return 0; +} + +static int verify_stop(struct fp_dev *dev, gboolean iterating) +{ + struct upeke2_dev *upekdev = dev->priv; + + if (!iterating) + do_verify_stop(dev); + else + upekdev->stop_verify = TRUE; + return 0; +} + +static const struct usb_id id_table[] = { +/* FIXME: Disabled for now, as this clashes with the upeksonly driver */ +/* { .vendor = 0x147e, .product = 0x2016 }, */ + { 0, 0, 0, }, /* terminating entry */ +}; + +struct fp_driver upeke2_driver = { + .id = 1, + .name = FP_COMPONENT, + .full_name = "UPEK Eikon 2", + .id_table = id_table, + .scan_type = FP_SCAN_TYPE_SWIPE, + .open = dev_init, + .close = dev_exit, + .enroll_start = enroll_start, + .enroll_stop = enroll_stop, + .verify_start = verify_start, + .verify_stop = verify_stop, +}; + diff --git a/libfprint/fp_internal.h b/libfprint/fp_internal.h index bebf3241..5196ca20 100644 --- a/libfprint/fp_internal.h +++ b/libfprint/fp_internal.h @@ -238,6 +238,9 @@ struct fp_img_driver { #ifdef ENABLE_UPEKTS extern struct fp_driver upekts_driver; #endif +#ifdef ENABLE_UPEKE2 +extern struct fp_driver upeke2_driver; +#endif #ifdef ENABLE_UPEKTC extern struct fp_img_driver upektc_driver; #endif