GCC Code Coverage Report


Directory: ./
Coverage: low: ≥ 0% medium: ≥ 75.0% high: ≥ 90.0%
Coverage Exec / Excl / Total
Lines: 79.2% 453 / 0 / 572
Functions: 92.3% 36 / 0 / 39
Branches: 60.5% 130 / 0 / 215

libfprint/drivers/uru4000.c
Line Branch Exec Source
1 /*
2 * Digital Persona U.are.U 4000/4000B/4500 driver for libfprint
3 * Copyright (C) 2007-2008 Daniel Drake <dsd@gentoo.org>
4 * Copyright (C) 2012 Timo Teräs <timo.teras@iki.fi>
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
19 */
20
21 #define FP_COMPONENT "uru4000"
22
23 #include <openssl/evp.h>
24 #include <openssl/err.h>
25
26 #include "drivers_api.h"
27
28 #define EP_INTR (1 | FPI_USB_ENDPOINT_IN)
29 #define EP_DATA (2 | FPI_USB_ENDPOINT_IN)
30 #define USB_RQ 0x04
31 #define CTRL_IN (LIBUSB_REQUEST_TYPE_VENDOR | FPI_USB_ENDPOINT_IN)
32 #define CTRL_OUT (LIBUSB_REQUEST_TYPE_VENDOR | FPI_USB_ENDPOINT_OUT)
33 #define CTRL_TIMEOUT 5000
34 #define BULK_TIMEOUT 5000
35 #define IRQ_LENGTH 64
36 #define CR_LENGTH 16
37
38 #define IMAGE_HEIGHT 290
39 #define IMAGE_WIDTH 384
40
41 #define ENC_THRESHOLD 5000
42
43 enum {
44 IRQDATA_SCANPWR_ON = 0x56aa,
45 IRQDATA_FINGER_ON = 0x0101,
46 IRQDATA_FINGER_OFF = 0x0200,
47 IRQDATA_DEATH = 0x0800,
48 };
49
50 enum {
51 REG_HWSTAT = 0x07,
52 REG_SCRAMBLE_DATA_INDEX = 0x33,
53 REG_SCRAMBLE_DATA_KEY = 0x34,
54 REG_MODE = 0x4e,
55 REG_DEVICE_INFO = 0xf0,
56 /* firmware starts at 0x100 */
57 REG_RESPONSE = 0x2000,
58 REG_CHALLENGE = 0x2010,
59 };
60
61 enum {
62 MODE_INIT = 0x00,
63 MODE_AWAIT_FINGER_ON = 0x10,
64 MODE_AWAIT_FINGER_OFF = 0x12,
65 MODE_CAPTURE = 0x20,
66 MODE_CAPTURE_AUX = 0x30,
67 MODE_OFF = 0x70,
68 MODE_READY = 0x80,
69 };
70
71 enum {
72 MS_KBD,
73 MS_INTELLIMOUSE,
74 MS_STANDALONE,
75 MS_STANDALONE_V2,
76 DP_URU4000,
77 DP_URU4000B,
78 };
79
80 static const struct uru4k_dev_profile
81 {
82 const char *name;
83 gboolean auth_cr;
84 gboolean image_not_flipped;
85 } uru4k_dev_info[] = {
86 [MS_KBD] = {
87 .name = "Microsoft Keyboard with Fingerprint Reader",
88 .auth_cr = FALSE,
89 },
90 [MS_INTELLIMOUSE] = {
91 .name = "Microsoft Wireless IntelliMouse with Fingerprint Reader",
92 .auth_cr = FALSE,
93 },
94 [MS_STANDALONE] = {
95 .name = "Microsoft Fingerprint Reader",
96 .auth_cr = FALSE,
97 },
98 [MS_STANDALONE_V2] = {
99 .name = "Microsoft Fingerprint Reader v2",
100 .auth_cr = TRUE,
101 },
102 [DP_URU4000] = {
103 .name = "Digital Persona U.are.U 4000",
104 .auth_cr = FALSE,
105 },
106 [DP_URU4000B] = {
107 .name = "Digital Persona U.are.U 4000B",
108 .auth_cr = FALSE,
109 .image_not_flipped = TRUE, /* See comment in the code where it is used. */
110 },
111 };
112
113 typedef void (*irq_cb_fn)(FpImageDevice *dev,
114 GError *error,
115 uint16_t type,
116 void *user_data);
117 typedef void (*irqs_stopped_cb_fn)(FpImageDevice *dev);
118
119 struct _FpiDeviceUru4000
120 {
121 FpImageDevice parent;
122
123 const struct uru4k_dev_profile *profile;
124 uint8_t interface;
125 FpiImageDeviceState activate_state;
126 unsigned char last_reg_rd[16];
127 unsigned char last_hwstat;
128
129 GCancellable *irq_cancellable;
130 FpiUsbTransfer *img_transfer;
131 void *img_data;
132 int img_data_actual_length;
133 uint16_t img_lines_done, img_block;
134 GRand *rand;
135 uint32_t img_enc_seed;
136
137 irq_cb_fn irq_cb;
138 void *irq_cb_data;
139 irqs_stopped_cb_fn irqs_stopped_cb;
140
141 int rebootpwr_ctr;
142 int powerup_ctr;
143 unsigned char powerup_hwstat;
144
145 int scanpwr_irq_timeouts;
146 GSource *scanpwr_irq_timeout;
147
148 int fwfixer_offset;
149 unsigned char fwfixer_value;
150
151 EVP_CIPHER_CTX *cipher_ctx;
152 };
153 G_DECLARE_FINAL_TYPE (FpiDeviceUru4000, fpi_device_uru4000, FPI, DEVICE_URU4000,
154 FpImageDevice);
155
4/6
fpi_device_uru4000_class_intern_init:
✗ Branch 3 → 4 not taken.
✓ Branch 3 → 5 taken 125 times.
fpi_device_uru4000_get_type:
✓ Branch 2 → 3 taken 125 times.
✓ Branch 2 → 7 taken 24 times.
✓ Branch 4 → 5 taken 125 times.
✗ Branch 4 → 7 not taken.
399 G_DEFINE_TYPE (FpiDeviceUru4000, fpi_device_uru4000, FP_TYPE_IMAGE_DEVICE);
156
157 /* For 2nd generation MS devices */
158 static const unsigned char crkey[] = {
159 0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
160 0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b,
161 };
162
163 /***** REGISTER I/O *****/
164
165 static void
166 16 write_regs (FpImageDevice *dev, uint16_t first_reg,
167 uint16_t num_regs, unsigned char *values,
168 FpiUsbTransferCallback callback,
169 void *user_data)
170 {
171 16 FpiUsbTransfer *transfer = fpi_usb_transfer_new (FP_DEVICE (dev));
172
173 16 transfer->short_is_error = TRUE;
174 16 fpi_usb_transfer_fill_control (transfer,
175 G_USB_DEVICE_DIRECTION_HOST_TO_DEVICE,
176 G_USB_DEVICE_REQUEST_TYPE_VENDOR,
177 G_USB_DEVICE_RECIPIENT_DEVICE,
178 USB_RQ, first_reg, 0,
179 num_regs);
180 16 memcpy (transfer->buffer, values, num_regs);
181 16 fpi_usb_transfer_submit (transfer, CTRL_TIMEOUT, NULL, callback, user_data);
182 16 }
183
184 static void
185 8 write_reg (FpImageDevice *dev, uint16_t reg,
186 unsigned char value,
187 FpiUsbTransferCallback callback,
188 void *user_data)
189 {
190 8 write_regs (dev, reg, 1, &value, callback, user_data);
191 }
192
193 static void
194 10 read_regs (FpImageDevice *dev, uint16_t first_reg,
195 uint16_t num_regs,
196 FpiUsbTransferCallback callback,
197 void *user_data)
198 {
199 10 FpiUsbTransfer *transfer = fpi_usb_transfer_new (FP_DEVICE (dev));
200
201 10 fpi_usb_transfer_fill_control (transfer,
202 G_USB_DEVICE_DIRECTION_DEVICE_TO_HOST,
203 G_USB_DEVICE_REQUEST_TYPE_VENDOR,
204 G_USB_DEVICE_RECIPIENT_DEVICE,
205 USB_RQ, first_reg, 0, num_regs);
206 10 fpi_usb_transfer_submit (transfer, CTRL_TIMEOUT, NULL, callback, user_data);
207 10 }
208
209 /*
210 * HWSTAT
211 *
212 * This register has caused me a lot of headaches. It pretty much defines
213 * code flow, and if you don't get it right, the pretty lights don't come on.
214 * I think the situation is somewhat complicated by the fact that writing it
215 * doesn't affect the read results in the way you'd expect -- but then again
216 * it does have some obvious effects. Here's what we know
217 *
218 * BIT 7: LOW POWER MODE
219 * When this bit is set, the device is partially turned off or something. Some
220 * things, like firmware upload, need to be done in this state. But generally
221 * we want to clear this bit during late initialization, which can sometimes
222 * be tricky.
223 *
224 * BIT 2: SOMETHING WENT WRONG
225 * Not sure about this, but see the init function, as when we detect it,
226 * we reboot the device. Well, we mess with hwstat until this evil bit gets
227 * cleared.
228 *
229 * BIT 1: IRQ PENDING
230 * Just had a brainwave. This bit is set when the device is trying to deliver
231 * an interrupt to the host. Maybe?
232 */
233
234 static void
235 1 response_cb (FpiUsbTransfer *transfer, FpDevice *dev, void *user_data, GError *error)
236 {
237 /* NOTE: We could use the SSM function instead if we attached the ssm to the transfer! */
238 1 FpiSsm *ssm = user_data;
239
240
1/2
✓ Branch 2 → 3 taken 1 time.
✗ Branch 2 → 4 not taken.
1 if (!error)
241 1 fpi_ssm_next_state (ssm);
242 else
243 fpi_ssm_mark_failed (ssm, error);
244 1 }
245
246 static GError *
247 openssl_device_error (void)
248 {
249 char buf[256];
250 unsigned long e;
251
252 e = ERR_get_error ();
253 if (e == 0)
254 return fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
255 "unexpected OpenSSL error");
256
257 ERR_error_string_n (e, buf, G_N_ELEMENTS (buf));
258
259 return fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL, "OpenSSL error: %s",
260 buf);
261 }
262
263 static void
264 1 challenge_cb (FpiUsbTransfer *transfer, FpDevice *dev, void *user_data, GError *error)
265 {
266 1 FpiSsm *ssm = user_data;
267 1 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
268 1 unsigned char respdata[CR_LENGTH * 2];
269 1 int outlen;
270
271
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 1 time.
1 if (error)
272 {
273 fpi_ssm_mark_failed (ssm, error);
274 return;
275 }
276
277
1/2
✗ Branch 4 → 5 not taken.
✓ Branch 4 → 8 taken 1 time.
1 if (transfer->actual_length != CR_LENGTH)
278 {
279 error = fpi_device_error_new_msg (FP_DEVICE_ERROR_PROTO,
280 "Unexpected buffer length (%" G_GSIZE_FORMAT
281 "instead of %d)",
282 transfer->actual_length, CR_LENGTH);
283 fpi_ssm_mark_failed (ssm, g_steal_pointer (&error));
284 return;
285 }
286
287 /* submit response */
288 /* produce response from challenge */
289
1/2
✗ Branch 9 → 10 not taken.
✓ Branch 9 → 13 taken 1 time.
1 if (!EVP_EncryptUpdate (self->cipher_ctx, respdata, &outlen, transfer->buffer, CR_LENGTH))
290 {
291 fpi_ssm_mark_failed (ssm, openssl_device_error ());
292 return;
293 }
294
295
1/2
✗ Branch 13 → 14 not taken.
✓ Branch 13 → 17 taken 1 time.
1 if (outlen != CR_LENGTH)
296 {
297 error = fpi_device_error_new_msg (FP_DEVICE_ERROR_PROTO,
298 "Unexpected encrypted buffer length (%d"
299 "instead of %d)",
300 outlen, CR_LENGTH);
301 fpi_ssm_mark_failed (ssm, g_steal_pointer (&error));
302 return;
303 }
304
305
1/2
✗ Branch 18 → 19 not taken.
✓ Branch 18 → 22 taken 1 time.
1 if (!EVP_EncryptFinal_ex (self->cipher_ctx, respdata + outlen, &outlen))
306 {
307 fpi_ssm_mark_failed (ssm, openssl_device_error ());
308 return;
309 }
310
311 1 if (!error)
312 1 write_regs (FP_IMAGE_DEVICE (dev), REG_RESPONSE, CR_LENGTH, respdata, response_cb, ssm);
313 else
314 fpi_ssm_mark_failed (ssm, error);
315 }
316
317 /*
318 * 2nd generation MS devices added an AES-based challenge/response
319 * authentication scheme, where the device challenges the authenticity of the
320 * driver.
321 */
322 static void
323 1 sm_do_challenge_response (FpiSsm *ssm,
324 FpImageDevice *dev)
325 {
326 1 G_DEBUG_HERE ();
327 1 read_regs (dev, REG_CHALLENGE, CR_LENGTH, challenge_cb, ssm);
328 1 }
329
330 /***** INTERRUPT HANDLING *****/
331
332 #define IRQ_HANDLER_IS_RUNNING(urudev) ((urudev)->irq_cancellable)
333
334 static void start_irq_handler (FpImageDevice *dev);
335
336 static void
337 10 irq_handler (FpiUsbTransfer *transfer,
338 FpDevice *dev,
339 void *user_data,
340 GError *error)
341 {
342 10 FpImageDevice *imgdev = FP_IMAGE_DEVICE (dev);
343 10 FpiDeviceUru4000 *urudev = FPI_DEVICE_URU4000 (dev);
344 10 unsigned char *data = transfer->buffer;
345 10 uint16_t type;
346
347
1/2
✓ Branch 2 → 3 taken 10 times.
✗ Branch 2 → 4 not taken.
10 g_clear_object (&urudev->irq_cancellable);
348
349
2/2
✓ Branch 6 → 7 taken 2 times.
✓ Branch 6 → 12 taken 8 times.
10 if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
350 {
351 2 fp_dbg ("cancelled");
352
1/2
✓ Branch 8 → 9 taken 2 times.
✗ Branch 8 → 10 not taken.
2 if (urudev->irqs_stopped_cb)
353 2 urudev->irqs_stopped_cb (imgdev);
354 2 urudev->irqs_stopped_cb = NULL;
355 2 g_clear_error (&error);
356 2 return;
357 }
358
1/2
✗ Branch 12 → 13 not taken.
✓ Branch 12 → 17 taken 8 times.
8 else if (error)
359 {
360 if (urudev->irq_cb)
361 {
362 urudev->irq_cb (imgdev, error, 0, urudev->irq_cb_data);
363 }
364 else
365 {
366 fp_dbg ("ignoring interrupt error: %s", error->message);
367 g_clear_error (&error);
368 }
369 return;
370 }
371
372 8 start_irq_handler (imgdev);
373
374 8 type = GUINT16_FROM_BE (*((uint16_t *) data));
375 8 fp_dbg ("recv irq type %04x", type);
376
377 /* The 0800 interrupt seems to indicate imminent failure (0 bytes transfer)
378 * of the next scan. It still appears on occasion. */
379
1/2
✗ Branch 19 → 20 not taken.
✓ Branch 19 → 21 taken 8 times.
8 if (type == IRQDATA_DEATH)
380 fp_warn ("oh no! got the interrupt OF DEATH! expect things to go bad");
381
382
1/2
✓ Branch 21 → 22 taken 8 times.
✗ Branch 21 → 23 not taken.
8 if (urudev->irq_cb)
383 8 urudev->irq_cb (imgdev, NULL, type, urudev->irq_cb_data);
384 else
385 fp_dbg ("ignoring interrupt");
386 }
387
388 static void
389 10 start_irq_handler (FpImageDevice *dev)
390 {
391 10 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
392 10 FpiUsbTransfer *transfer;
393
394
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 10 times.
10 g_assert (self->irq_cancellable == NULL);
395 10 self->irq_cancellable = g_cancellable_new ();
396 10 transfer = fpi_usb_transfer_new (FP_DEVICE (dev));
397 10 transfer->ssm = NULL;
398 10 transfer->short_is_error = TRUE;
399 10 fpi_usb_transfer_fill_interrupt (transfer,
400 EP_INTR,
401 IRQ_LENGTH);
402 10 fpi_usb_transfer_submit (transfer, 0, self->irq_cancellable, irq_handler, NULL);
403 10 }
404
405 static void
406 2 stop_irq_handler (FpImageDevice *dev, irqs_stopped_cb_fn cb)
407 {
408 2 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
409
410
1/2
✓ Branch 2 → 3 taken 2 times.
✗ Branch 2 → 5 not taken.
2 if (self->irq_cancellable)
411 {
412 2 g_cancellable_cancel (self->irq_cancellable);
413 2 self->irqs_stopped_cb = cb;
414 }
415 else
416 {
417 cb (dev);
418 }
419 2 }
420
421 /***** STATE CHANGING *****/
422
423 static void execute_state_change (FpImageDevice *dev);
424
425 static void
426 6 finger_presence_irq_cb (FpImageDevice *dev,
427 GError *error,
428 uint16_t type,
429 void *user_data)
430 {
431
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 6 times.
6 if (error)
432 fpi_image_device_session_error (dev, error);
433
2/2
✓ Branch 4 → 5 taken 2 times.
✓ Branch 4 → 6 taken 4 times.
6 else if (type == IRQDATA_FINGER_ON)
434 2 fpi_image_device_report_finger_status (dev, TRUE);
435
2/2
✓ Branch 6 → 7 taken 2 times.
✓ Branch 6 → 8 taken 2 times.
4 else if (type == IRQDATA_FINGER_OFF)
436 2 fpi_image_device_report_finger_status (dev, FALSE);
437
1/2
✗ Branch 8 → 9 not taken.
✓ Branch 8 → 10 taken 2 times.
2 else if (type != IRQDATA_SCANPWR_ON)
438 fp_warn ("ignoring unexpected interrupt %04x", type);
439 6 }
440
441 static void
442 6 change_state_write_reg_cb (FpiUsbTransfer *transfer,
443 FpDevice *dev,
444 void *user_data,
445 GError *error)
446 {
447
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 6 times.
6 if (error)
448 fpi_image_device_session_error (FP_IMAGE_DEVICE (dev), error);
449 6 }
450
451 static void
452 16 dev_change_state (FpImageDevice *dev, FpiImageDeviceState state)
453 {
454 16 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
455
456 16 self->activate_state = state;
457
2/2
✓ Branch 2 → 3 taken 14 times.
✓ Branch 2 → 4 taken 2 times.
16 if (self->img_transfer != NULL)
458 return;
459
460 14 execute_state_change (dev);
461 }
462
463 /***** GENERIC STATE MACHINE HELPER FUNCTIONS *****/
464
465 static void
466 7 sm_write_reg_cb (FpiUsbTransfer *transfer,
467 FpDevice *dev,
468 void *user_data,
469 GError *error)
470 {
471 7 FpiSsm *ssm = user_data;
472
473
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 7 times.
7 if (error)
474 fpi_ssm_mark_failed (ssm, error);
475 else
476 7 fpi_ssm_next_state (ssm);
477 7 }
478
479 static void
480 7 sm_write_regs (FpiSsm *ssm,
481 FpImageDevice *dev,
482 uint16_t first_reg,
483 uint16_t num_regs,
484 void *data)
485 {
486 7 write_regs (dev, first_reg, num_regs, data, sm_write_reg_cb, ssm);
487 }
488
489 static void
490 5 sm_write_reg (FpiSsm *ssm,
491 FpImageDevice *dev,
492 uint16_t reg,
493 unsigned char value)
494 {
495 10 sm_write_regs (ssm, dev, reg, 1, &value);
496 }
497
498 static void
499 9 sm_read_reg_cb (FpiUsbTransfer *transfer,
500 FpDevice *dev,
501 void *user_data,
502 GError *error)
503 {
504 9 FpiSsm *ssm = user_data;
505 9 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
506
507
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 9 times.
9 if (error)
508 {
509 fpi_ssm_mark_failed (ssm, error);
510 }
511 else
512 {
513 9 memcpy (self->last_reg_rd, transfer->buffer, transfer->actual_length);
514 9 fp_dbg ("reg value %x", self->last_reg_rd[0]);
515 9 fpi_ssm_next_state (ssm);
516 }
517 9 }
518
519 #define member_size(type, member) sizeof (((type *) 0)->member)
520
521 static void
522 9 sm_read_regs (FpiSsm *ssm,
523 FpImageDevice *dev,
524 uint16_t reg,
525 uint16_t num_regs)
526 {
527
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 9 times.
9 g_assert (num_regs <= member_size (FpiDeviceUru4000, last_reg_rd));
528
529 9 fp_dbg ("read %d regs at %x", num_regs, reg);
530 9 read_regs (dev, reg, num_regs, sm_read_reg_cb, ssm);
531 9 }
532
533 static void
534 5 sm_read_reg (FpiSsm *ssm,
535 FpImageDevice *dev,
536 uint16_t reg)
537 {
538 5 sm_read_regs (ssm, dev, reg, 1);
539 }
540
541 static void
542 5 sm_set_hwstat (FpiSsm *ssm,
543 FpImageDevice *dev,
544 unsigned char value)
545 {
546 5 fp_dbg ("set %02x", value);
547 5 sm_write_reg (ssm, dev, REG_HWSTAT, value);
548 5 }
549
550 /***** IMAGING LOOP *****/
551
552 enum imaging_states {
553 IMAGING_CAPTURE,
554 IMAGING_SEND_INDEX,
555 IMAGING_READ_KEY,
556 IMAGING_DECODE,
557 IMAGING_REPORT_IMAGE,
558 IMAGING_NUM_STATES
559 };
560
561 struct uru4k_image
562 {
563 uint8_t unknown_00[4];
564 uint16_t num_lines;
565 uint8_t key_number;
566 uint8_t unknown_07[9];
567 struct
568 {
569 uint8_t flags;
570 uint8_t num_lines;
571 } block_info[15];
572 uint8_t unknown_2E[18];
573 uint8_t data[IMAGE_HEIGHT][IMAGE_WIDTH];
574 };
575
576 static void
577 2 image_transfer_cb (FpiUsbTransfer *transfer, FpDevice *dev,
578 gpointer user_data, GError *error)
579 {
580 2 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
581 2 FpiSsm *ssm = transfer->ssm;
582
583
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 5 taken 2 times.
2 if (error)
584 {
585 fp_dbg ("error");
586 fpi_ssm_mark_failed (ssm, error);
587 }
588 else
589 {
590 2 struct uru4k_image *img = g_memdup2 (transfer->buffer, sizeof (struct uru4k_image));
591
592 2 img->num_lines = GUINT16_FROM_LE (img->num_lines);
593 2 self->img_data = g_steal_pointer (&img);
594 2 self->img_data_actual_length = transfer->actual_length;
595 2 fpi_ssm_next_state (ssm);
596 }
597 2 }
598
599 enum {
600 BLOCKF_CHANGE_KEY = 0x80,
601 BLOCKF_NO_KEY_UPDATE = 0x04,
602 BLOCKF_ENCRYPTED = 0x02,
603 BLOCKF_NOT_PRESENT = 0x01,
604 };
605
606 static uint32_t
607 222720 update_key (uint32_t key)
608 {
609 /* linear feedback shift register
610 * taps at bit positions 1 3 4 7 11 13 20 23 26 29 32 */
611 222720 uint32_t bit = key & 0x9248144d;
612
613 222720 bit ^= bit << 16;
614 222720 bit ^= bit << 8;
615 222720 bit ^= bit << 4;
616 222720 bit ^= bit << 2;
617 222720 bit ^= bit << 1;
618 222720 return (bit & 0x80000000) | (key >> 1);
619 }
620
621 static uint32_t
622 8 do_decode (uint8_t *data, int num_bytes, uint32_t key)
623 {
624 8 uint8_t xorbyte;
625 8 int i;
626
627
2/2
✓ Branch 4 → 3 taken 219640 times.
✓ Branch 4 → 5 taken 8 times.
219648 for (i = 0; i < num_bytes - 1; i++)
628 {
629 /* calculate xor byte and update key */
630 219640 xorbyte = ((key >> 4) & 1) << 0;
631 219640 xorbyte |= ((key >> 8) & 1) << 1;
632 219640 xorbyte |= ((key >> 11) & 1) << 2;
633 219640 xorbyte |= ((key >> 14) & 1) << 3;
634 219640 xorbyte |= ((key >> 18) & 1) << 4;
635 219640 xorbyte |= ((key >> 21) & 1) << 5;
636 219640 xorbyte |= ((key >> 24) & 1) << 6;
637 219640 xorbyte |= ((key >> 29) & 1) << 7;
638 219640 key = update_key (key);
639
640 /* decrypt data */
641 219640 data[i] = data[i + 1] ^ xorbyte;
642 }
643
644 /* the final byte is implicitly zero */
645 8 data[i] = 0;
646 8 return update_key (key);
647 }
648
649 static int
650 2 calc_dev2 (struct uru4k_image *img)
651 {
652 2 uint8_t *b[2] = { NULL, NULL };
653 2 int res = 0, mean = 0, i, r, j, idx;
654
655
2/2
✓ Branch 9 → 3 taken 2 times.
✓ Branch 9 → 10 taken 2 times.
4 for (i = r = idx = 0; i < G_N_ELEMENTS (img->block_info) && idx < 2; i++)
656 {
657
1/2
✗ Branch 3 → 4 not taken.
✓ Branch 3 → 6 taken 2 times.
2 if (img->block_info[i].flags & BLOCKF_NOT_PRESENT)
658 continue;
659
3/4
✓ Branch 6 → 7 taken 6 times.
✗ Branch 6 → 8 not taken.
✓ Branch 7 → 5 taken 4 times.
✓ Branch 7 → 8 taken 2 times.
6 for (j = 0; j < img->block_info[i].num_lines && idx < 2; j++)
660 4 b[idx++] = img->data[r++];
661 }
662
2/4
✓ Branch 10 → 11 taken 2 times.
✗ Branch 10 → 12 not taken.
✗ Branch 11 → 12 not taken.
✓ Branch 11 → 15 taken 2 times.
2 if (!b[0] || !b[1])
663 {
664 fp_dbg ("NULL! %p %p", b[0], b[1]);
665 return 0;
666 }
667
2/2
✓ Branch 15 → 14 taken 768 times.
✓ Branch 15 → 16 taken 2 times.
770 for (i = 0; i < IMAGE_WIDTH; i++)
668 768 mean += (int) b[0][i] + (int) b[1][i];
669
670 2 mean /= IMAGE_WIDTH;
671
672
2/2
✓ Branch 18 → 17 taken 768 times.
✓ Branch 18 → 19 taken 2 times.
770 for (i = 0; i < IMAGE_WIDTH; i++)
673 {
674 768 int dev = (int) b[0][i] + (int) b[1][i] - mean;
675 768 res += dev * dev;
676 }
677
678 2 return res / IMAGE_WIDTH;
679 }
680
681 static void
682 10 imaging_run_state (FpiSsm *ssm, FpDevice *_dev)
683 {
684 10 g_autoptr(FpImage) fpimg = NULL;
685 10 FpImageDevice *dev = FP_IMAGE_DEVICE (_dev);
686 10 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (_dev);
687 10 struct uru4k_image *img = self->img_data;
688 10 uint32_t key;
689 10 uint8_t flags, num_lines;
690 10 int i, r, to, dev2;
691 10 unsigned char buf[5];
692
693
5/6
✓ Branch 3 → 4 taken 2 times.
✓ Branch 3 → 7 taken 2 times.
✓ Branch 3 → 19 taken 2 times.
✓ Branch 3 → 21 taken 2 times.
✓ Branch 3 → 49 taken 2 times.
✗ Branch 3 → 69 not taken.
10 switch (fpi_ssm_get_cur_state (ssm))
694 {
695 2 case IMAGING_CAPTURE:
696 2 self->img_lines_done = 0;
697 2 self->img_block = 0;
698 2 fpi_usb_transfer_submit (fpi_usb_transfer_ref (self->img_transfer),
699 0,
700 NULL,
701 image_transfer_cb,
702 NULL);
703
704 2 break;
705
706 2 case IMAGING_SEND_INDEX:
707 2 fp_dbg ("hw header lines %d", img->num_lines);
708
709
1/2
✓ Branch 8 → 9 taken 2 times.
✗ Branch 8 → 10 not taken.
2 if (img->num_lines >= IMAGE_HEIGHT ||
710
1/2
✗ Branch 9 → 10 not taken.
✓ Branch 9 → 12 taken 2 times.
2 self->img_data_actual_length < img->num_lines * IMAGE_WIDTH + 64)
711 {
712 fp_err ("bad captured image (%d lines) or size mismatch %d < %d",
713 img->num_lines,
714 self->img_data_actual_length,
715 img->num_lines * IMAGE_WIDTH + 64);
716 fpi_ssm_jump_to_state (ssm, IMAGING_CAPTURE);
717 return;
718 }
719
720 /* Detect whether image is encrypted (by checking how noisy it is) */
721 2 dev2 = calc_dev2 (img);
722 2 fp_dbg ("dev2: %d", dev2);
723
1/2
✗ Branch 14 → 15 not taken.
✓ Branch 14 → 16 taken 2 times.
2 if (dev2 < ENC_THRESHOLD)
724 {
725 fpi_ssm_jump_to_state (ssm, IMAGING_REPORT_IMAGE);
726 return;
727 }
728 2 fp_info ("image seems to be encrypted");
729
730 2 buf[0] = img->key_number;
731 2 buf[1] = self->img_enc_seed;
732 2 buf[2] = self->img_enc_seed >> 8;
733 2 buf[3] = self->img_enc_seed >> 16;
734 2 buf[4] = self->img_enc_seed >> 24;
735 2 sm_write_regs (ssm, dev, REG_SCRAMBLE_DATA_INDEX, 5, buf);
736 2 break;
737
738 2 case IMAGING_READ_KEY:
739 2 sm_read_regs (ssm, dev, REG_SCRAMBLE_DATA_KEY, 4);
740 2 break;
741
742 2 case IMAGING_DECODE:
743 2 key = self->last_reg_rd[0];
744 2 key |= (uint32_t) self->last_reg_rd[1] << 8;
745 2 key |= (uint32_t) self->last_reg_rd[2] << 16;
746 2 key |= (uint32_t) self->last_reg_rd[3] << 24;
747 2 key ^= self->img_enc_seed;
748
749 2 fp_dbg ("encryption id %02x -> key %08x", img->key_number, key);
750
1/2
✓ Branch 45 → 46 taken 18 times.
✗ Branch 45 → 47 not taken.
18 while (self->img_block < G_N_ELEMENTS (img->block_info) &&
751
2/2
✓ Branch 46 → 23 taken 16 times.
✓ Branch 46 → 47 taken 2 times.
18 self->img_lines_done < img->num_lines)
752 {
753 16 flags = img->block_info[self->img_block].flags;
754 16 num_lines = img->block_info[self->img_block].num_lines;
755
1/2
✓ Branch 23 → 24 taken 16 times.
✗ Branch 23 → 47 not taken.
16 if (num_lines == 0)
756 break;
757
758 /* num_lines is device-supplied; make sure decoding this block stays
759 * within the captured image buffer (IMAGE_HEIGHT rows). */
760
1/2
✗ Branch 24 → 25 not taken.
✓ Branch 24 → 28 taken 16 times.
16 if ((size_t) self->img_lines_done + num_lines > IMAGE_HEIGHT)
761 {
762 fp_err ("bad captured image: block %d (%d lines) overflows buffer",
763 self->img_block, num_lines);
764 fpi_ssm_mark_failed (ssm,
765 fpi_device_error_new (FP_DEVICE_ERROR_PROTO));
766 return;
767 }
768
769 16 fp_dbg ("%d %02x %d", self->img_block, flags,
770 num_lines);
771
1/2
✗ Branch 29 → 30 not taken.
✓ Branch 29 → 34 taken 16 times.
16 if (flags & BLOCKF_CHANGE_KEY)
772 {
773 fp_dbg ("changing encryption keys.");
774 img->block_info[self->img_block].flags &= ~BLOCKF_CHANGE_KEY;
775 img->key_number++;
776 self->img_enc_seed = g_rand_int_range (self->rand, 0, RAND_MAX);
777 fp_dbg ("New image encryption seed: %d", self->img_enc_seed);
778 fpi_ssm_jump_to_state (ssm, IMAGING_SEND_INDEX);
779 return;
780 }
781
2/3
✓ Branch 34 → 35 taken 8 times.
✓ Branch 34 → 38 taken 8 times.
✗ Branch 34 → 42 not taken.
16 switch (flags & (BLOCKF_NO_KEY_UPDATE | BLOCKF_ENCRYPTED))
782 {
783 8 case BLOCKF_ENCRYPTED:
784 8 fp_dbg ("decoding %d lines", num_lines);
785 8 key = do_decode (&img->data[self->img_lines_done][0],
786 IMAGE_WIDTH * num_lines, key);
787 8 break;
788
789 8 case 0:
790 8 fp_dbg ("skipping %d lines", num_lines);
791
2/2
✓ Branch 41 → 40 taken 3072 times.
✓ Branch 41 → 42 taken 8 times.
3088 for (r = 0; r < IMAGE_WIDTH * num_lines; r++)
792 3072 key = update_key (key);
793 break;
794 }
795
2/2
✓ Branch 42 → 43 taken 14 times.
✓ Branch 42 → 44 taken 2 times.
16 if ((flags & BLOCKF_NOT_PRESENT) == 0)
796 14 self->img_lines_done += num_lines;
797 16 self->img_block++;
798 }
799 2 fpi_ssm_next_state (ssm);
800 2 break;
801
802 2 case IMAGING_REPORT_IMAGE:
803 2 fpimg = fp_image_new (IMAGE_WIDTH, IMAGE_HEIGHT);
804
805 2 to = r = 0;
806
3/4
✓ Branch 61 → 62 taken 18 times.
✗ Branch 61 → 63 not taken.
✓ Branch 62 → 51 taken 16 times.
✓ Branch 62 → 63 taken 2 times.
20 for (i = 0; i < G_N_ELEMENTS (img->block_info) && r < img->num_lines; i++)
807 {
808 16 flags = img->block_info[i].flags;
809 16 num_lines = img->block_info[i].num_lines;
810
1/2
✓ Branch 51 → 52 taken 16 times.
✗ Branch 51 → 63 not taken.
16 if (num_lines == 0)
811 break;
812
813
1/2
✓ Branch 52 → 53 taken 16 times.
✗ Branch 52 → 54 not taken.
16 if ((size_t) r + num_lines > IMAGE_HEIGHT ||
814
1/2
✗ Branch 53 → 54 not taken.
✓ Branch 53 → 58 taken 16 times.
16 (size_t) to + (size_t) num_lines * IMAGE_WIDTH > fpimg->width * fpimg->height)
815 {
816 fp_err ("bad captured image: block %d (%d lines) overflows buffer",
817 i, num_lines);
818 fpi_ssm_mark_failed (ssm,
819 fpi_device_error_new (FP_DEVICE_ERROR_PROTO));
820 return;
821 }
822
823 16 memcpy (&fpimg->data[to], &img->data[r][0],
824 16 num_lines * IMAGE_WIDTH);
825
2/2
✓ Branch 58 → 59 taken 14 times.
✓ Branch 58 → 60 taken 2 times.
16 if (!(flags & BLOCKF_NOT_PRESENT))
826 14 r += num_lines;
827 16 to += num_lines * IMAGE_WIDTH;
828 }
829
830 2 fpimg->flags = FPI_IMAGE_COLORS_INVERTED;
831 /* NOTE: For some reason all but U4000B (or rather U4500?) flipped the
832 * image, we retain this behaviour here, but it is not clear whether it
833 * is correct.
834 * It may be that there are different models with the same USB ID that
835 * behave differently.
836 */
837
2/2
✓ Branch 63 → 64 taken 1 time.
✓ Branch 63 → 65 taken 1 time.
2 if (self->profile->image_not_flipped)
838 1 fpimg->flags |= FPI_IMAGE_V_FLIPPED | FPI_IMAGE_H_FLIPPED;
839
840 2 fpi_image_device_image_captured (dev, g_steal_pointer (&fpimg));
841
842
1/2
✗ Branch 66 → 67 not taken.
✓ Branch 66 → 68 taken 2 times.
2 if (self->activate_state == FPI_IMAGE_DEVICE_STATE_CAPTURE)
843 fpi_ssm_jump_to_state (ssm, IMAGING_CAPTURE);
844 else
845 2 fpi_ssm_mark_completed (ssm);
846 break;
847 }
848 }
849
850 static void
851 2 imaging_complete (FpiSsm *ssm, FpDevice *dev, GError *error)
852 {
853 2 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
854
855
856 /* Report error before exiting imaging loop - the error handler
857 * can request state change, which needs to be postponed to end of
858 * this function. */
859
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 2 times.
2 if (error)
860 fpi_image_device_session_error (FP_IMAGE_DEVICE (dev), error);
861
862
1/2
✓ Branch 4 → 5 taken 2 times.
✗ Branch 4 → 6 not taken.
2 g_clear_pointer (&self->img_transfer, fpi_usb_transfer_unref);
863
864 2 g_free (self->img_data);
865 2 self->img_data = NULL;
866 2 self->img_data_actual_length = 0;
867
868 2 execute_state_change (FP_IMAGE_DEVICE (dev));
869 2 }
870
871 /***** INITIALIZATION *****/
872
873 /* After closing an app and setting hwstat to 0x80, my ms keyboard gets in a
874 * confused state and returns hwstat 0x85. On next app run, we don't get the
875 * 56aa interrupt. This is the best way I've found to fix it: mess around
876 * with hwstat until it starts returning more recognisable values. This
877 * doesn't happen on my other devices: uru4000, uru4000b, ms fp rdr v2
878 *
879 * The windows driver copes with this OK, but then again it uploads firmware
880 * right after reading the 0x85 hwstat, allowing some time to pass before it
881 * attempts to tweak hwstat again...
882 *
883 * This is implemented with a reboot power state machine. the ssm runs during
884 * initialization if bits 2 and 7 are set in hwstat. it masks off the 4 high
885 * hwstat bits then checks that bit 1 is set. if not, it pauses before reading
886 * hwstat again. machine completes when reading hwstat shows bit 1 is set,
887 * and fails after 100 tries. */
888
889 enum rebootpwr_states {
890 REBOOTPWR_SET_HWSTAT = 0,
891 REBOOTPWR_GET_HWSTAT,
892 REBOOTPWR_CHECK_HWSTAT,
893 REBOOTPWR_PAUSE,
894 REBOOTPWR_NUM_STATES,
895 };
896
897 static void
898 rebootpwr_run_state (FpiSsm *ssm, FpDevice *_dev)
899 {
900 FpImageDevice *dev = FP_IMAGE_DEVICE (_dev);
901 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (_dev);
902
903 switch (fpi_ssm_get_cur_state (ssm))
904 {
905 case REBOOTPWR_SET_HWSTAT:
906 self->rebootpwr_ctr = 100;
907 sm_set_hwstat (ssm, dev, self->last_hwstat & 0xf);
908 break;
909
910 case REBOOTPWR_GET_HWSTAT:
911 sm_read_reg (ssm, dev, REG_HWSTAT);
912 break;
913
914 case REBOOTPWR_CHECK_HWSTAT:
915 self->last_hwstat = self->last_reg_rd[0];
916 if (self->last_hwstat & 0x1)
917 fpi_ssm_mark_completed (ssm);
918 else
919 fpi_ssm_next_state (ssm);
920 break;
921
922 case REBOOTPWR_PAUSE:
923 if (!--self->rebootpwr_ctr)
924 {
925 fp_err ("could not reboot device power");
926 fpi_ssm_mark_failed (ssm,
927 fpi_device_error_new_msg (FP_DEVICE_ERROR,
928 "Could not reboot device"));
929 }
930 else
931 {
932 fpi_ssm_jump_to_state_delayed (ssm, 10, REBOOTPWR_GET_HWSTAT);
933 }
934 break;
935 }
936 }
937
938 /* After messing with the device firmware in its low-power state, we have to
939 * power it back up and wait for interrupt notification. It's not quite as easy
940 * as that: the combination of both modifying firmware *and* doing C-R auth on
941 * my ms fp v2 device causes us not to get the 56aa interrupt and
942 * for the hwstat write not to take effect. We have to loop a few times,
943 * authenticating each time, until the device wakes up.
944 *
945 * This is implemented as the powerup state machine below. Pseudo-code:
946
947 status = get_hwstat();
948 for (i = 0; i < 100; i++) {
949 set_hwstat(status & 0xf);
950 if ((get_hwstat() & 0x80) == 0)
951 break;
952
953 usleep(10000);
954 if (need_auth_cr)
955 auth_cr();
956 }
957
958 if (tmp & 0x80)
959 error("could not power up device");
960
961 */
962
963 enum powerup_states {
964 POWERUP_INIT = 0,
965 POWERUP_SET_HWSTAT,
966 POWERUP_GET_HWSTAT,
967 POWERUP_CHECK_HWSTAT,
968 POWERUP_PAUSE,
969 POWERUP_CHALLENGE_RESPONSE,
970 POWERUP_CHALLENGE_RESPONSE_SUCCESS,
971 POWERUP_NUM_STATES,
972 };
973
974 static void
975 14 powerup_run_state (FpiSsm *ssm, FpDevice *_dev)
976 {
977 14 FpImageDevice *dev = FP_IMAGE_DEVICE (_dev);
978 14 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (_dev);
979
980
7/8
✓ Branch 3 → 4 taken 2 times.
✓ Branch 3 → 6 taken 3 times.
✓ Branch 3 → 8 taken 3 times.
✓ Branch 3 → 10 taken 3 times.
✓ Branch 3 → 13 taken 1 time.
✓ Branch 3 → 20 taken 1 time.
✓ Branch 3 → 22 taken 1 time.
✗ Branch 3 → 24 not taken.
14 switch (fpi_ssm_get_cur_state (ssm))
981 {
982 2 case POWERUP_INIT:
983 2 self->powerup_ctr = 100;
984 2 self->powerup_hwstat = self->last_hwstat & 0xf;
985 2 fpi_ssm_next_state (ssm);
986 2 break;
987
988 3 case POWERUP_SET_HWSTAT:
989 3 sm_set_hwstat (ssm, dev, self->powerup_hwstat);
990 3 break;
991
992 case POWERUP_GET_HWSTAT:
993 3 sm_read_reg (ssm, dev, REG_HWSTAT);
994 3 break;
995
996 3 case POWERUP_CHECK_HWSTAT:
997 3 self->last_hwstat = self->last_reg_rd[0];
998
2/2
✓ Branch 10 → 11 taken 2 times.
✓ Branch 10 → 12 taken 1 time.
3 if ((self->last_reg_rd[0] & 0x80) == 0)
999 2 fpi_ssm_mark_completed (ssm);
1000 else
1001 1 fpi_ssm_next_state (ssm);
1002 break;
1003
1004 1 case POWERUP_PAUSE:
1005
1/2
✗ Branch 13 → 14 not taken.
✓ Branch 13 → 17 taken 1 time.
1 if (!--self->powerup_ctr)
1006 {
1007 fp_err ("could not power device up");
1008 fpi_ssm_mark_failed (ssm,
1009 fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
1010 "could not power device up"));
1011 }
1012
1/2
✗ Branch 17 → 18 not taken.
✓ Branch 17 → 19 taken 1 time.
1 else if (!self->profile->auth_cr)
1013 {
1014 fpi_ssm_jump_to_state_delayed (ssm, POWERUP_SET_HWSTAT, 10);
1015 }
1016 else
1017 {
1018 1 fpi_ssm_next_state_delayed (ssm, 10);
1019 }
1020 break;
1021
1022 1 case POWERUP_CHALLENGE_RESPONSE:
1023 1 sm_do_challenge_response (ssm, dev);
1024 1 break;
1025
1026 1 case POWERUP_CHALLENGE_RESPONSE_SUCCESS:
1027 1 fpi_ssm_jump_to_state (ssm, POWERUP_SET_HWSTAT);
1028 1 break;
1029 }
1030 14 }
1031
1032 /*
1033 * This is the main initialization state machine. As pseudo-code:
1034
1035 status = get_hwstat();
1036
1037 // correct device power state
1038 if ((status & 0x84) == 0x84)
1039 run_reboot_sm();
1040
1041 // power device down
1042 if ((status & 0x80) == 0)
1043 set_hwstat(status | 0x80);
1044
1045 // power device up
1046 run_powerup_sm();
1047 await_irq(IRQDATA_SCANPWR_ON);
1048 */
1049
1050 enum init_states {
1051 INIT_GET_HWSTAT = 0,
1052 INIT_CHECK_HWSTAT_REBOOT,
1053 INIT_REBOOT_POWER,
1054 INIT_CHECK_HWSTAT_POWERDOWN,
1055 INIT_POWERUP,
1056 INIT_AWAIT_SCAN_POWER,
1057 INIT_DONE,
1058 INIT_GET_VERSION,
1059 INIT_REPORT_VERSION,
1060 INIT_NUM_STATES,
1061 };
1062
1063 static void
1064 2 init_scanpwr_irq_cb (FpImageDevice *dev, GError *error,
1065 uint16_t type, void *user_data)
1066 {
1067 2 FpiSsm *ssm = user_data;
1068 2 FpiDeviceUru4000 *urudev = FPI_DEVICE_URU4000 (dev);
1069
1070
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 2 times.
2 if (error)
1071 {
1072 fpi_ssm_mark_failed (ssm, error);
1073 }
1074
1/2
✗ Branch 4 → 5 not taken.
✓ Branch 4 → 6 taken 2 times.
2 else if (type != IRQDATA_SCANPWR_ON)
1075 {
1076 fp_dbg ("ignoring interrupt");
1077 }
1078
2/2
✓ Branch 7 → 8 taken 1 time.
✓ Branch 7 → 10 taken 1 time.
2 else if (fpi_ssm_get_cur_state (ssm) != INIT_AWAIT_SCAN_POWER)
1079 {
1080 1 fp_dbg ("early scanpwr interrupt");
1081 1 urudev->scanpwr_irq_timeouts = -1;
1082 }
1083 else
1084 {
1085 1 fp_dbg ("late scanpwr interrupt");
1086 1 fpi_ssm_next_state (ssm);
1087 }
1088 2 }
1089
1090 static void
1091 init_scanpwr_timeout (FpDevice *dev,
1092 void *user_data)
1093 {
1094 FpiSsm *ssm = user_data;
1095 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
1096
1097 fp_warn ("powerup timed out");
1098 self->irq_cb = NULL;
1099 self->scanpwr_irq_timeout = NULL;
1100
1101 if (++self->scanpwr_irq_timeouts >= 3)
1102 {
1103 fp_err ("powerup timed out 3 times, giving up");
1104 fpi_ssm_mark_failed (ssm,
1105 g_error_new_literal (G_USB_DEVICE_ERROR,
1106 G_USB_DEVICE_ERROR_TIMED_OUT,
1107 "Powerup timed out 3 times, giving up"));
1108 }
1109 else
1110 {
1111 fpi_ssm_jump_to_state (ssm, INIT_GET_HWSTAT);
1112 }
1113 }
1114
1115 static void
1116 16 init_run_state (FpiSsm *ssm, FpDevice *_dev)
1117 {
1118 16 FpImageDevice *dev = FP_IMAGE_DEVICE (_dev);
1119 16 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (_dev);
1120
1121
8/10
✓ Branch 3 → 4 taken 2 times.
✓ Branch 3 → 6 taken 2 times.
✗ Branch 3 → 9 not taken.
✓ Branch 3 → 12 taken 2 times.
✓ Branch 3 → 15 taken 2 times.
✓ Branch 3 → 22 taken 2 times.
✓ Branch 3 → 27 taken 2 times.
✓ Branch 3 → 32 taken 2 times.
✓ Branch 3 → 34 taken 2 times.
✗ Branch 3 → 37 not taken.
16 switch (fpi_ssm_get_cur_state (ssm))
1122 {
1123 case INIT_GET_HWSTAT:
1124 2 sm_read_reg (ssm, dev, REG_HWSTAT);
1125 2 break;
1126
1127 2 case INIT_CHECK_HWSTAT_REBOOT:
1128 2 self->last_hwstat = self->last_reg_rd[0];
1129
1/2
✗ Branch 6 → 7 not taken.
✓ Branch 6 → 8 taken 2 times.
2 if ((self->last_hwstat & 0x84) == 0x84)
1130 fpi_ssm_next_state (ssm);
1131 else
1132 2 fpi_ssm_jump_to_state (ssm, INIT_CHECK_HWSTAT_POWERDOWN);
1133 break;
1134
1135 case INIT_REBOOT_POWER:;
1136 FpiSsm *rebootsm = fpi_ssm_new (FP_DEVICE (dev),
1137 rebootpwr_run_state,
1138 REBOOTPWR_NUM_STATES);
1139 fpi_ssm_start_subsm (ssm, rebootsm);
1140 break;
1141
1142 2 case INIT_CHECK_HWSTAT_POWERDOWN:
1143
1/2
✓ Branch 12 → 13 taken 2 times.
✗ Branch 12 → 14 not taken.
2 if ((self->last_hwstat & 0x80) == 0)
1144 2 sm_set_hwstat (ssm, dev, self->last_hwstat | 0x80);
1145 else
1146 fpi_ssm_next_state (ssm);
1147 break;
1148
1149 2 case INIT_POWERUP:
1150
1/2
✗ Branch 15 → 16 not taken.
✓ Branch 15 → 19 taken 2 times.
2 if (!IRQ_HANDLER_IS_RUNNING (self))
1151 {
1152 fpi_ssm_mark_failed (ssm, fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
1153 "IRQ handler should be running but is not"));
1154 return;
1155 }
1156 2 self->irq_cb_data = ssm;
1157 2 self->irq_cb = init_scanpwr_irq_cb;
1158
1159 2 FpiSsm *powerupsm = fpi_ssm_new (FP_DEVICE (dev),
1160 powerup_run_state,
1161 POWERUP_NUM_STATES);
1162 2 fpi_ssm_start_subsm (ssm, powerupsm);
1163 2 break;
1164
1165 2 case INIT_AWAIT_SCAN_POWER:
1166
2/2
✓ Branch 22 → 23 taken 1 time.
✓ Branch 22 → 25 taken 1 time.
2 if (self->scanpwr_irq_timeouts < 0)
1167 {
1168 1 fpi_ssm_next_state (ssm);
1169 1 break;
1170 }
1171
1172 /* sometimes the 56aa interrupt that we are waiting for never arrives,
1173 * so we include this timeout loop to retry the whole process 3 times
1174 * if we don't get an irq any time soon. */
1175 1 self->scanpwr_irq_timeout = fpi_device_add_timeout (_dev,
1176 300,
1177 init_scanpwr_timeout,
1178 ssm, NULL);
1179 1 break;
1180
1181 2 case INIT_DONE:
1182
2/2
✓ Branch 27 → 28 taken 1 time.
✓ Branch 27 → 30 taken 1 time.
2 if (self->scanpwr_irq_timeout)
1183 {
1184 1 g_source_destroy (self->scanpwr_irq_timeout);
1185 1 self->scanpwr_irq_timeout = NULL;
1186 }
1187 2 self->irq_cb_data = NULL;
1188 2 self->irq_cb = NULL;
1189 2 fpi_ssm_next_state (ssm);
1190 2 break;
1191
1192 2 case INIT_GET_VERSION:
1193 2 sm_read_regs (ssm, dev, REG_DEVICE_INFO, 16);
1194 2 break;
1195
1196 2 case INIT_REPORT_VERSION:
1197 /* Likely hardware revision, and firmware version.
1198 * Not sure which is which. */
1199 2 fp_info ("Versions %02x%02x and %02x%02x",
1200 self->last_reg_rd[10], self->last_reg_rd[11],
1201 self->last_reg_rd[4], self->last_reg_rd[5]);
1202 2 fpi_ssm_mark_completed (ssm);
1203 2 break;
1204 }
1205 }
1206
1207 static void
1208 2 activate_initsm_complete (FpiSsm *ssm, FpDevice *dev, GError *error)
1209 {
1210 2 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
1211
1212
1/2
✗ Branch 2 → 3 not taken.
✓ Branch 2 → 4 taken 2 times.
2 g_clear_pointer (&self->scanpwr_irq_timeout, g_source_destroy);
1213 2 self->irq_cb_data = NULL;
1214 2 self->irq_cb = NULL;
1215
1216 2 fpi_image_device_activate_complete (FP_IMAGE_DEVICE (dev), error);
1217 2 }
1218
1219 static void
1220 2 dev_activate (FpImageDevice *dev)
1221 {
1222 2 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
1223 2 FpiSsm *ssm;
1224
1225 2 start_irq_handler (dev);
1226
1227 2 self->scanpwr_irq_timeouts = 0;
1228 2 ssm = fpi_ssm_new (FP_DEVICE (dev), init_run_state, INIT_NUM_STATES);
1229 2 fpi_ssm_start (ssm, activate_initsm_complete);
1230 2 }
1231
1232 /***** DEINITIALIZATION *****/
1233
1234 static void
1235 2 deactivate_irqs_stopped (FpImageDevice *dev)
1236 {
1237 2 fpi_image_device_deactivate_complete (dev, NULL);
1238 2 }
1239
1240 static void
1241 2 deactivate_write_reg_cb (FpiUsbTransfer *transfer, FpDevice *dev,
1242 gpointer user_data, GError *error)
1243 {
1244 2 stop_irq_handler (FP_IMAGE_DEVICE (dev), deactivate_irqs_stopped);
1245 2 }
1246
1247 static void
1248 2 dev_deactivate (FpImageDevice *dev)
1249 {
1250 /* This is started/handled by execute_state_change in order to delay the
1251 * action until after the image transfer has completed.
1252 * We just need to override the function so that the complete handler is
1253 * not called automatically. */
1254 2 }
1255
1256 static void
1257 16 execute_state_change (FpImageDevice *dev)
1258 {
1259 16 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
1260 16 FpiSsm *ssm;
1261
1262
5/5
✓ Branch 2 → 3 taken 2 times.
✓ Branch 2 → 6 taken 2 times.
✓ Branch 2 → 13 taken 2 times.
✓ Branch 2 → 22 taken 2 times.
✓ Branch 2 → 29 taken 8 times.
16 switch (self->activate_state)
1263 {
1264 2 case FPI_IMAGE_DEVICE_STATE_DEACTIVATING:
1265 2 fp_dbg ("deactivating");
1266 2 self->irq_cb = NULL;
1267 2 self->irq_cb_data = NULL;
1268 2 write_reg (dev, REG_MODE, MODE_OFF,
1269 deactivate_write_reg_cb, NULL);
1270 2 break;
1271
1272 2 case FPI_IMAGE_DEVICE_STATE_AWAIT_FINGER_ON:
1273 2 fp_dbg ("wait finger on");
1274
1/2
✗ Branch 7 → 8 not taken.
✓ Branch 7 → 11 taken 2 times.
2 if (!IRQ_HANDLER_IS_RUNNING (self))
1275 {
1276 fpi_image_device_session_error (dev,
1277 fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
1278 "IRQ handler should be running but is not"));
1279 return;
1280 }
1281 2 self->irq_cb = finger_presence_irq_cb;
1282 2 write_reg (dev, REG_MODE, MODE_AWAIT_FINGER_ON,
1283 change_state_write_reg_cb, NULL);
1284 2 break;
1285
1286 2 case FPI_IMAGE_DEVICE_STATE_CAPTURE:
1287 2 fp_dbg ("starting capture");
1288 2 self->irq_cb = NULL;
1289
1290 2 ssm = fpi_ssm_new (FP_DEVICE (dev), imaging_run_state,
1291 IMAGING_NUM_STATES);
1292 2 self->img_enc_seed = g_rand_int_range (self->rand, 0, RAND_MAX);
1293 2 fp_dbg ("Image encryption seed: %d", self->img_enc_seed);
1294 2 self->img_transfer = fpi_usb_transfer_new (FP_DEVICE (dev));
1295 2 self->img_transfer->ssm = ssm;
1296 2 self->img_transfer->short_is_error = FALSE;
1297 2 fpi_usb_transfer_fill_bulk (self->img_transfer,
1298 EP_DATA,
1299 sizeof (struct uru4k_image));
1300
1301 2 fpi_ssm_start (ssm, imaging_complete);
1302
1303 2 write_reg (dev, REG_MODE, MODE_CAPTURE,
1304 change_state_write_reg_cb, NULL);
1305 2 break;
1306
1307 2 case FPI_IMAGE_DEVICE_STATE_AWAIT_FINGER_OFF:
1308 2 fp_dbg ("await finger off");
1309
1/2
✗ Branch 23 → 24 not taken.
✓ Branch 23 → 27 taken 2 times.
2 if (!IRQ_HANDLER_IS_RUNNING (self))
1310 {
1311 fpi_image_device_session_error (dev,
1312 fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
1313 "IRQ handler should be running but is not"));
1314 return;
1315 }
1316 2 self->irq_cb = finger_presence_irq_cb;
1317 2 write_reg (dev, REG_MODE, MODE_AWAIT_FINGER_OFF,
1318 change_state_write_reg_cb, NULL);
1319 2 break;
1320
1321 /* Ignored states */
1322 case FPI_IMAGE_DEVICE_STATE_IDLE:
1323 case FPI_IMAGE_DEVICE_STATE_ACTIVATING:
1324 case FPI_IMAGE_DEVICE_STATE_INACTIVE:
1325 break;
1326 }
1327 }
1328
1329 /***** LIBRARY STUFF *****/
1330
1331 static void
1332 2 dev_init (FpImageDevice *dev)
1333 {
1334 2 GError *error = NULL;
1335 2 FpiDeviceUru4000 *self;
1336
1337 2 g_autoptr(GPtrArray) interfaces = NULL;
1338 2 GUsbInterface *iface = NULL;
1339 2 guint64 driver_data;
1340 2 int i;
1341
1342 2 interfaces = g_usb_device_get_interfaces (fpi_device_get_usb_device (FP_DEVICE (dev)), &error);
1343
1/2
✗ Branch 4 → 5 not taken.
✓ Branch 4 → 13 taken 2 times.
2 if (error)
1344 {
1345 fpi_image_device_open_complete (dev, error);
1346 return;
1347 }
1348
1349 /* Find fingerprint interface; TODO: Move this into probe() */
1350
1/2
✓ Branch 13 → 6 taken 2 times.
✗ Branch 13 → 14 not taken.
2 for (i = 0; i < interfaces->len; i++)
1351 {
1352 2 GUsbInterface *cur_iface = g_ptr_array_index (interfaces, i);
1353
1354
2/4
✓ Branch 7 → 8 taken 2 times.
✗ Branch 7 → 12 not taken.
✓ Branch 9 → 10 taken 2 times.
✗ Branch 9 → 12 not taken.
4 if (g_usb_interface_get_class (cur_iface) == 255 &&
1355
1/2
✗ Branch 11 → 12 not taken.
✓ Branch 11 → 14 taken 2 times.
4 g_usb_interface_get_subclass (cur_iface) == 255 &&
1356 2 g_usb_interface_get_protocol (cur_iface) == 255)
1357 {
1358 iface = cur_iface;
1359 break;
1360 }
1361 }
1362
1363
1/2
✗ Branch 14 → 15 not taken.
✓ Branch 14 → 19 taken 2 times.
2 if (iface == NULL)
1364 {
1365 fp_err ("could not find interface");
1366 fpi_image_device_open_complete (dev,
1367 fpi_device_error_new_msg (FP_DEVICE_ERROR_GENERAL,
1368 "Could not find interface"));
1369 return;
1370 }
1371
1372 /* TODO: Find/check endpoints; does not seem easily possible with GUsb unfortunately! */
1373 #if 0
1374 if (iface_desc->bNumEndpoints != 2)
1375 {
1376 fp_err ("found %d endpoints!?", iface_desc->bNumEndpoints);
1377 r = -ENODEV;
1378 goto out;
1379 }
1380
1381 ep = &iface_desc->endpoint[0];
1382 if (ep->bEndpointAddress != EP_INTR ||
1383 (ep->bmAttributes & LIBUSB_TRANSFER_TYPE_MASK) !=
1384 LIBUSB_TRANSFER_TYPE_INTERRUPT)
1385 {
1386 fp_err ("unrecognised interrupt endpoint");
1387 r = -ENODEV;
1388 goto out;
1389 }
1390
1391 ep = &iface_desc->endpoint[1];
1392 if (ep->bEndpointAddress != EP_DATA ||
1393 (ep->bmAttributes & LIBUSB_TRANSFER_TYPE_MASK) !=
1394 LIBUSB_TRANSFER_TYPE_BULK)
1395 {
1396 fp_err ("unrecognised bulk endpoint");
1397 r = -ENODEV;
1398 goto out;
1399 }
1400 #endif
1401
1402 /* Device looks like a supported reader */
1403
1404
1/2
✗ Branch 22 → 23 not taken.
✓ Branch 22 → 25 taken 2 times.
2 if (!g_usb_device_claim_interface (fpi_device_get_usb_device (FP_DEVICE (dev)),
1405 2 g_usb_interface_get_number (iface), 0, &error))
1406 {
1407 fpi_image_device_open_complete (dev, error);
1408 return;
1409 }
1410
1411 2 self = FPI_DEVICE_URU4000 (dev);
1412
1413
1/2
✗ Branch 25 → 26 not taken.
✓ Branch 25 → 27 taken 2 times.
2 g_clear_pointer (&self->rand, g_rand_free);
1414 2 self->rand = g_rand_new ();
1415
1/2
✓ Branch 29 → 30 taken 2 times.
✗ Branch 29 → 31 not taken.
2 if (fpi_device_emulation_mode_enabled (FP_DEVICE (dev)))
1416 2 g_rand_set_seed (self->rand, 0xFACADE);
1417
1418 2 driver_data = fpi_device_get_driver_data (FP_DEVICE (dev));
1419 2 self->profile = &uru4k_dev_info[driver_data];
1420 2 self->interface = g_usb_interface_get_number (iface);
1421
1422 /* Set up encryption */
1423
1/2
✗ Branch 34 → 35 not taken.
✓ Branch 34 → 38 taken 2 times.
2 if (!(self->cipher_ctx = EVP_CIPHER_CTX_new ()))
1424 {
1425 fpi_image_device_open_complete (dev, openssl_device_error ());
1426 return;
1427 }
1428
1429
1/2
✗ Branch 40 → 41 not taken.
✓ Branch 40 → 44 taken 2 times.
2 if (!EVP_EncryptInit_ex (self->cipher_ctx, EVP_aes_128_ecb (), NULL, crkey, NULL))
1430 {
1431 fpi_image_device_open_complete (dev, openssl_device_error ());
1432 return;
1433 }
1434
1435 2 fpi_image_device_open_complete (dev, NULL);
1436 }
1437
1438 static void
1439 2 dev_deinit (FpImageDevice *dev)
1440 {
1441 2 GError *error = NULL;
1442 2 FpiDeviceUru4000 *self = FPI_DEVICE_URU4000 (dev);
1443
1444
1/2
✓ Branch 2 → 3 taken 2 times.
✗ Branch 2 → 4 not taken.
2 g_clear_pointer (&self->cipher_ctx, EVP_CIPHER_CTX_free);
1445
1446 2 g_usb_device_release_interface (fpi_device_get_usb_device (FP_DEVICE (dev)),
1447 2 self->interface, 0, &error);
1448
1/2
✓ Branch 6 → 7 taken 2 times.
✗ Branch 6 → 8 not taken.
2 g_clear_pointer (&self->rand, g_rand_free);
1449 2 fpi_image_device_close_complete (dev, error);
1450 2 }
1451
1452 static const FpIdEntry id_table[] = {
1453 /* ms kbd with fp rdr */
1454 { .vid = 0x045e, .pid = 0x00bb, .driver_data = MS_KBD },
1455
1456 /* ms intellimouse with fp rdr */
1457 { .vid = 0x045e, .pid = 0x00bc, .driver_data = MS_INTELLIMOUSE },
1458
1459 /* ms fp rdr (standalone) */
1460 { .vid = 0x045e, .pid = 0x00bd, .driver_data = MS_STANDALONE },
1461
1462 /* ms fp rdr (standalone) v2 */
1463 { .vid = 0x045e, .pid = 0x00ca, .driver_data = MS_STANDALONE_V2 },
1464
1465 /* dp uru4000 (standalone) */
1466 { .vid = 0x05ba, .pid = 0x0007, .driver_data = DP_URU4000 },
1467
1468 /* dp uru4000 (keyboard) */
1469 { .vid = 0x05ba, .pid = 0x0008, .driver_data = DP_URU4000 },
1470
1471 /* dp uru4000b (standalone) */
1472 { .vid = 0x05ba, .pid = 0x000a, .driver_data = DP_URU4000B },
1473
1474 /* terminating entry */
1475 { .vid = 0, .pid = 0, .driver_data = 0 },
1476 };
1477
1478 static void
1479 2 fpi_device_uru4000_init (FpiDeviceUru4000 *self)
1480 {
1481 2 }
1482
1483 static void
1484 125 fpi_device_uru4000_class_init (FpiDeviceUru4000Class *klass)
1485 {
1486 125 FpDeviceClass *dev_class = FP_DEVICE_CLASS (klass);
1487 125 FpImageDeviceClass *img_class = FP_IMAGE_DEVICE_CLASS (klass);
1488
1489 125 dev_class->id = "uru4000";
1490 125 dev_class->full_name = "Digital Persona U.are.U 4000/4000B/4500";
1491 125 dev_class->type = FP_DEVICE_TYPE_USB;
1492 125 dev_class->id_table = id_table;
1493 125 dev_class->scan_type = FP_SCAN_TYPE_PRESS;
1494
1495 125 img_class->img_open = dev_init;
1496 125 img_class->img_close = dev_deinit;
1497 125 img_class->activate = dev_activate;
1498 125 img_class->deactivate = dev_deactivate;
1499 125 img_class->change_state = dev_change_state;
1500
1501 125 img_class->img_width = IMAGE_WIDTH;
1502 125 img_class->img_height = IMAGE_HEIGHT;
1503 }
1504