From 29ddc66cc01cbf973d5eb2ec5fe1a7bd4d01847b Mon Sep 17 00:00:00 2001
From: zhiweijian
Date: Wed, 28 Dec 2022 14:59:38 +0800
Subject: [PATCH 1/6] Fixed vulnerability attacks that could cause heap overflow in fragmented Blufi packet processing
---
 .../bt/common/api/include/api/esp_blufi_api.h | 1 +
 .../common/btc/profile/esp/blufi/blufi_prf.c | 22 +++++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/components/bt/common/api/include/api/esp_blufi_api.h b/components/bt/common/api/include/api/esp_blufi_api.h
index ec95d49569..8606bc9e0d 100644
--- a/components/bt/common/api/include/api/esp_blufi_api.h
+++ b/components/bt/common/api/include/api/esp_blufi_api.h
@@ -86,6 +86,7 @@ typedef enum {
 ESP_BLUFI_DATA_FORMAT_ERROR,
 ESP_BLUFI_CALC_MD5_ERROR,
 ESP_BLUFI_WIFI_SCAN_FAIL,
+ ESP_BLUFI_MSG_STATE_ERROR,
 } esp_blufi_error_state_t;
 /**
diff --git a/components/bt/common/btc/profile/esp/blufi/blufi_prf.c b/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
index 164b0ae1ed..80959b8541 100644
--- a/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
@@ -144,6 +144,16 @@ void btc_blufi_recv_handler(uint8_t *data, int len)
 if (BLUFI_FC_IS_FRAG(hdr->fc)) {
 if (blufi_env.offset == 0) {
+ /* blufi_env.aggr_buf should be NULL if blufi_env.offset is 0. It is possible that the process of sending fragment packet has not been completed */
+ if (blufi_env.aggr_buf) {
+ BTC_TRACE_ERROR("%s msg error, blufi_env.aggr_buf is not freed\n", __func__);
+ btc_blufi_report_error(ESP_BLUFI_MSG_STATE_ERROR);
+ return;
+ }
 blufi_env.total_len = hdr->data[0] | (((uint16_t) hdr->data[1]) << 8);
 blufi_env.aggr_buf = osi_malloc(blufi_env.total_len);
 if (blufi_env.aggr_buf == NULL) {
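Review bot: `ESP_BLUFI_MSG_STATE_ERROR` is appended to a public enum with no description of when it is reported; the neighbouring values carry none either, but this one is new and its meaning is only visible in blufi_prf.c, where it is raised when a first fragment arrives while `aggr_buf` from an unfinished reassembly is still held. A trailing `/*!< a new fragmented message started before the previous one completed */` on the value keeps the API header self-explaining. Appending at the end of the enum keeps the existing values stable, which is the right choice for a public header.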
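Review bot: The two-byte total length is still read from `hdr->data[0]` and `hdr->data[1]` and handed to `osi_malloc` without checking that `hdr->data_len` covers those two bytes or that the result is non-zero, so a first fragment with a short or zero length field leads to reading past the payload or to a zero-sized `aggr_buf` that later fragments are appended to. Before the `total_len` assignment, `if (hdr->data_len < 2 || (hdr->data[0] | (hdr->data[1] << 8)) == 0) { btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR); return; }` rejects both cases. The bound added in the second hunk covers only the final non-fragment packet; if the fragment branch below this hunk also copies `hdr->data` into `aggr_buf` (that code is outside the hunk), it needs an equivalent `offset + payload <= total_len` check. btc_blufi_recv_handler starts and ends outside the hunk.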
@@ -163,6 +173,18 @@ void btc_blufi_recv_handler(uint8_t *data, int len)
 } else {
 if (blufi_env.offset > 0) { /* if previous pkt is frag */
+ /* blufi_env.aggr_buf should not be NULL */
+ if (blufi_env.aggr_buf == NULL) {
+ BTC_TRACE_ERROR("%s buffer is NULL\n", __func__);
+ btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR);
+ return;
+ }
+ /* payload length should be equal to total_len */
+ if ((blufi_env.offset + hdr->data_len) != blufi_env.total_len) {
+ BTC_TRACE_ERROR("%s payload is longer than packet length, len %d \n", __func__, blufi_env.total_len);
+ btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+ return;
+ }
 memcpy(blufi_env.aggr_buf + blufi_env.offset, hdr->data, hdr->data_len);
 btc_blufi_protocol_handler(hdr->type, blufi_env.aggr_buf, blufi_env.total_len);
From 449efd18718a81df5b012c1ceb0d5cdfc3ccd953 Mon Sep 17 00:00:00 2001
From: zhiweijian
Date: Thu, 9 Mar 2023 19:21:14 +0800
Subject: [PATCH 2/6] Fixed ATT Ignore wrong response error
---
 components/bt/host/bluedroid/stack/gatt/include/gatt_int.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/bt/host/bluedroid/stack/gatt/include/gatt_int.h b/components/bt/host/bluedroid/stack/gatt/include/gatt_int.h
index 31c2ce479a..05174ee638 100644
--- a/components/bt/host/bluedroid/stack/gatt/include/gatt_int.h
+++ b/components/bt/host/bluedroid/stack/gatt/include/gatt_int.h
@@ -78,7 +78,7 @@ typedef UINT8 tGATT_SEC_ACTION;
 /* wait for ATT cmd response timeout value */
 #define GATT_WAIT_FOR_RSP_TOUT 30
-#define GATT_WAIT_FOR_DISC_RSP_TOUT 5
+#define GATT_WAIT_FOR_DISC_RSP_TOUT 15
 #define GATT_REQ_RETRY_LIMIT 2
 #define GATT_WAIT_FOR_IND_ACK_TOUT 5
From fbdbb5af62ac740a9a77c2c6da54949762d349b4 Mon Sep 17 00:00:00 2001
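Review bot: Both new error paths return while `blufi_env.aggr_buf` and `blufi_env.offset` are left untouched, so after a length mismatch the handler stays in the mid-reassembly state and every following first fragment is rejected by the `aggr_buf` check in the previous hunk until something else clears it. On the mismatch path, release the buffer and reset the state before returning: `osi_free(blufi_env.aggr_buf); blufi_env.aggr_buf = NULL; blufi_env.offset = 0;`, and reset `offset` on the NULL-buffer path too. Two smaller points on the same lines: the comparison is `!=`, so the `"payload is longer than packet length"` message is wrong when the payload is shorter, and reporting a NULL `aggr_buf` as `ESP_BLUFI_DH_MALLOC_ERROR` mislabels a state error that the newly added `ESP_BLUFI_MSG_STATE_ERROR` describes exactly. btc_blufi_recv_handler starts and ends outside the hunk.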
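Review bot: `GATT_WAIT_FOR_DISC_RSP_TOUT` triples from 5 to 15 with nothing in the header recording why; the only rationale is the patch subject, which will not be visible to the next reader of gatt_int.h. A one-line comment on the new line, e.g. `/* 15 s: slow peer discovery responses were being treated as wrong responses */`, keeps the reason next to the value. Presumably a peer that never answers now keeps the discovery state pending three times longer before the timeout path runs, which is worth stating for code that depends on the old value.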
From: zhiweijian Date: Fri, 10 Mar 2023 14:18:36 +0800 Subject: [PATCH 3/6] set BT_CTRL_BLE_MAX_ACT default value to 6 --- components/bt/controller/esp32c3/Kconfig.in | 6 ++++-- .../bluedroid/ble_50/multi-adv/main/multi_adv_demo.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/components/bt/controller/esp32c3/Kconfig.in b/components/bt/controller/esp32c3/Kconfig.in index b0323c5717..415009fa52 100644 --- a/components/bt/controller/esp32c3/Kconfig.in +++ b/components/bt/controller/esp32c3/Kconfig.in @@ -4,11 +4,13 @@ config BT_CTRL_MODE_EFF config BT_CTRL_BLE_MAX_ACT int "BLE Max Instances" - default 10 + default 6 range 1 10 help BLE maximum activities of bluetooth controller,both of connections, - scan , sync and adv(periodic adv, multi-adv). + scan , sync and adv(periodic adv, multi-adv). Each instance needs to + consume 828 bytes, you can save RAM by modifying the instance value + according to actual needs. config BT_CTRL_BLE_MAX_ACT_EFF int diff --git a/examples/bluetooth/bluedroid/ble_50/multi-adv/main/multi_adv_demo.c b/examples/bluetooth/bluedroid/ble_50/multi-adv/main/multi_adv_demo.c index b3fb958afa..8c066272a9 100644 --- a/examples/bluetooth/bluedroid/ble_50/multi-adv/main/multi_adv_demo.c +++ b/examples/bluetooth/bluedroid/ble_50/multi-adv/main/multi_adv_demo.c 
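Review bot: The added help sentence `Each instance needs to consume 828 bytes, you can save RAM by modifying the instance value according to actual needs.` is awkward and leaves the unit and direction implicit; `Each instance consumes 828 bytes of RAM; lower this value to save RAM when fewer activities are needed.` says the same thing plainly. Lowering the default from 10 to 6 while keeping `range 1 10` is fine for new projects, but existing projects that relied on the old default will silently get 6 activities after this change, which presumably deserves a changelog or migration note.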
@@ -251,7 +251,7 @@ void app_main(void) FUNC_SEND_WAIT_SEM(esp_ble_gap_config_ext_adv_data_raw(2, sizeof(legacy_adv_data), &legacy_adv_data[0]), test_sem); FUNC_SEND_WAIT_SEM(esp_ble_gap_config_ext_scan_rsp_data_raw(2, sizeof(legacy_scan_rsp_data), &legacy_scan_rsp_data[0]), test_sem); - // coded phy extend adv, Connectable advertising + // coded phy extend adv, Scannable advertising FUNC_SEND_WAIT_SEM(esp_ble_gap_ext_adv_set_params(3, &ext_adv_params_coded), test_sem); FUNC_SEND_WAIT_SEM(esp_ble_gap_ext_adv_set_rand_addr(3, addr_coded), test_sem); FUNC_SEND_WAIT_SEM(esp_ble_gap_config_ext_scan_rsp_data_raw(3, sizeof(raw_scan_rsp_data_coded), &raw_scan_rsp_data_coded[0]), test_sem); From 5e39c2316dd61f193450d1310f846c0ea1a4eacd Mon Sep 17 00:00:00 2001 From: zwj Date: Thu, 30 Mar 2023 19:07:15 +0800 Subject: [PATCH 4/6] remove SOC_BLE_UPDATE_OWN_RPA --- components/soc/esp32c3/include/soc/soc_caps.h | 3 --- components/soc/esp32s3/include/soc/soc_caps.h | 3 --- 2 files changed, 6 deletions(-) diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index 031d8cc03e..5bad7354e4 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -271,6 +271,3 @@ #define SOC_PM_SUPPORT_WIFI_PD (1) #define SOC_PM_SUPPORT_BT_PD (1) - -/*------------------------------ BLE --------------------------------------------*/ -#define SOC_BLE_UPDATE_OWN_RPA (1) diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index c329a6d33d..eb6ee1ca38 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h 
@@ -184,6 +184,3 @@ #define SOC_SPI_MEM_SUPPORT_SW_SUSPEND (1) /*-------------------------- COEXISTENCE HARDWARE PTI CAPS -------------------------------*/ #define SOC_COEX_HW_PTI (1) - -/*------------------------------ BLE --------------------------------------------*/ -#define SOC_BLE_UPDATE_OWN_RPA (1) From 3ef7e529b4b2f58692d9ed87e486482fc885b76c Mon Sep 17 00:00:00 2001 From: zwj Date: Thu, 30 Mar 2023 19:28:38 +0800 Subject: [PATCH 5/6] If it is not esp32 chips, hide the configuration item: BT_BLE_RPA_SUPPORTED --- components/bt/host/bluedroid/Kconfig.in | 7 +++---- .../common/include/common/bluedroid_user_config.h | 5 +++++ components/soc/esp32/include/soc/soc_caps.h | 3 +++ components/soc/esp32c3/include/soc/soc_caps.h | 3 +++ components/soc/esp32s3/include/soc/soc_caps.h | 3 +++ 5 files changed, 17 insertions(+), 4 deletions(-) diff --git a/components/bt/host/bluedroid/Kconfig.in b/components/bt/host/bluedroid/Kconfig.in index 6f9137e72b..63e6167806 100644 --- a/components/bt/host/bluedroid/Kconfig.in +++ b/components/bt/host/bluedroid/Kconfig.in @@ -1057,9 +1057,8 @@ config BT_MAX_DEVICE_NAME_LEN config BT_BLE_RPA_SUPPORTED bool "Update RPA to Controller" - depends on BT_BLUEDROID_ENABLED - default y if (IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3) - default n if IDF_TARGET_ESP32 + depends on BT_BLUEDROID_ENABLED && IDF_TARGET_ESP32 + default n help This enables controller RPA list function. For ESP32, ESP32 only support network privacy mode. If this option is enabled, ESP32 will only accept 
@@ -1069,7 +1068,7 @@ config BT_BLE_RPA_SUPPORTED cannot be used. This option is disabled by default on ESP32, please enable or disable this option according to your own needs. - For ESP32C3 and esp32s3, devices support network privacy mode and device privacy mode, users can switch the + For BLE other chips, devices support network privacy mode and device privacy mode, users can switch the two modes according to their own needs. So this option is enabled by default. config BT_BLE_50_FEATURES_SUPPORTED diff --git a/components/bt/host/bluedroid/common/include/common/bluedroid_user_config.h b/components/bt/host/bluedroid/common/include/common/bluedroid_user_config.h index 42389a39c7..0c02f10c6c 100644 --- a/components/bt/host/bluedroid/common/include/common/bluedroid_user_config.h +++ b/components/bt/host/bluedroid/common/include/common/bluedroid_user_config.h @@ -18,6 +18,7 @@ /* All the configuration from SDK defined here */ #include "bt_common.h" #include "bt_user_config.h" +#include "soc/soc_caps.h" /********************************************************** * Thread/Task reference @@ -91,8 +92,12 @@ #ifdef CONFIG_BT_BLE_RPA_SUPPORTED #define UC_BT_BLE_RPA_SUPPORTED CONFIG_BT_BLE_RPA_SUPPORTED #else +#if SOC_BLE_DEVICE_PRIVACY_SUPPORTED +#define UC_BT_BLE_RPA_SUPPORTED TRUE +#else #define UC_BT_BLE_RPA_SUPPORTED FALSE #endif +#endif #ifdef CONFIG_BT_BLE_50_FEATURES_SUPPORTED #define UC_BT_BLE_50_FEATURES_SUPPORTED CONFIG_BT_BLE_50_FEATURES_SUPPORTED diff --git a/components/soc/esp32/include/soc/soc_caps.h b/components/soc/esp32/include/soc/soc_caps.h index ef80572c63..c6e0a0ff70 100644 --- a/components/soc/esp32/include/soc/soc_caps.h +++ b/components/soc/esp32/include/soc/soc_caps.h @@ -278,3 +278,6 @@ # define CAN_BRP_DIV_SUPPORTED SOC_TWAI_BRP_DIV_SUPPORTED # define CAN_BRP_DIV_THRESH SOC_TWAI_BRP_DIV_THRESH #endif + +/* ---------------------------- Bluetooth ------------------------------- */ +#define SOC_BLE_DEVICE_PRIVACY_SUPPORTED (0) 
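Review bot: The reworded help text still ends with `So this option is enabled by default` for the non-ESP32 chips, but the `depends on BT_BLUEDROID_ENABLED && IDF_TARGET_ESP32` added in the previous hunk hides the option on those chips entirely, so the sentence now describes an option the user cannot see; `For BLE other chips` is also ungrammatical. Suggest `On other BLE chips both network privacy mode and device privacy mode are supported, so RPA updates are always enabled there and this option is not shown.` In bluedroid_user_config.h the new `#if SOC_BLE_DEVICE_PRIVACY_SUPPORTED` silently evaluates to 0 on any target whose soc_caps.h does not define the macro; the patch adds it only for esp32, esp32c3 and esp32s3, so `#if defined(SOC_BLE_DEVICE_PRIVACY_SUPPORTED) && SOC_BLE_DEVICE_PRIVACY_SUPPORTED` or an `#error` for the undefined case would make a missing capability definition visible instead of defaulting to `FALSE`.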
diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index 5bad7354e4..dd7065889b 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -271,3 +271,6 @@ #define SOC_PM_SUPPORT_WIFI_PD (1) #define SOC_PM_SUPPORT_BT_PD (1) + +/* ---------------------------- Bluetooth ------------------------------- */ +#define SOC_BLE_DEVICE_PRIVACY_SUPPORTED (1) diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index eb6ee1ca38..17e38fa49c 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -184,3 +184,6 @@ #define SOC_SPI_MEM_SUPPORT_SW_SUSPEND (1) /*-------------------------- COEXISTENCE HARDWARE PTI CAPS -------------------------------*/ #define SOC_COEX_HW_PTI (1) + +/* ---------------------------- Bluetooth ------------------------------- */ +#define SOC_BLE_DEVICE_PRIVACY_SUPPORTED (1) From e1a1e707206cf8bbd3741861102a3165eba6ccbe Mon Sep 17 00:00:00 2001 From: zwj Date: Sat, 14 Jan 2023 16:53:18 +0800 Subject: [PATCH 6/6] - Support ESP32C3 and ESP32S3 new BLE lib - Disable controller 5.0 feature bits if host 5.0 feature is not enabled - Fixed extend ADV parameters check for ADV_DIRECT_HI - Fixed HW RAL_UNDERRUN assert --- components/bt/controller/esp32c3/bt.c | 8 +- components/bt/controller/lib_esp32c3_family | 2 +- .../bt/include/esp32c3/include/esp_bt.h | 15 +++- .../esp_rom/esp32c3/ld/esp32c3.rom.eco3.ld | 4 + components/esp_rom/esp32c3/ld/esp32c3.rom.ld | 83 +++++++++++++++++++ 5 files changed, 106 insertions(+), 6 deletions(-) diff --git a/components/bt/controller/esp32c3/bt.c b/components/bt/controller/esp32c3/bt.c index b368fb8c3a..f799340e05 100644 --- a/components/bt/controller/esp32c3/bt.c +++ b/components/bt/controller/esp32c3/bt.c 
@@ -217,8 +217,8 @@ extern void btdm_in_wakeup_requesting_set(bool in_wakeup_requesting); /* vendor dependent tasks to be posted and handled by controller task*/ extern int btdm_vnd_offload_task_register(btdm_vnd_ol_sig_t sig, btdm_vnd_ol_task_func_t func); extern int btdm_vnd_offload_task_deregister(btdm_vnd_ol_sig_t sig); -extern int btdm_vnd_offload_post_from_isr(btdm_vnd_ol_sig_t sig, void *param, bool need_yield); -extern int btdm_vnd_offload_post(btdm_vnd_ol_sig_t sig, void *param); +extern int r_btdm_vnd_offload_post_from_isr(btdm_vnd_ol_sig_t sig, void *param, bool need_yield); +extern int r_btdm_vnd_offload_post(btdm_vnd_ol_sig_t sig, void *param); /* Low Power Clock */ extern bool btdm_lpclk_select_src(uint32_t sel); @@ -771,7 +771,7 @@ static void IRAM_ATTR btdm_sleep_exit_phase0(void *param) static void IRAM_ATTR btdm_slp_tmr_callback(void *arg) { #ifdef CONFIG_PM_ENABLE - btdm_vnd_offload_post(BTDM_VND_OL_SIG_WAKEUP_TMR, (void *)BTDM_ASYNC_WAKEUP_SRC_TMR); + r_btdm_vnd_offload_post(BTDM_VND_OL_SIG_WAKEUP_TMR, (void *)BTDM_ASYNC_WAKEUP_SRC_TMR); #endif } @@ -788,7 +788,7 @@ static bool async_wakeup_request(int event) case BTDM_ASYNC_WAKEUP_SRC_DISA: btdm_in_wakeup_requesting_set(true); if (!btdm_power_state_active()) { - btdm_vnd_offload_post(BTDM_VND_OL_SIG_WAKEUP_TMR, (void *)event); + r_btdm_vnd_offload_post(BTDM_VND_OL_SIG_WAKEUP_TMR, (void *)event); do_wakeup_request = true; semphr_take_wrapper(s_wakeup_req_sem, OSI_FUNCS_TIME_BLOCKING); } diff --git a/components/bt/controller/lib_esp32c3_family b/components/bt/controller/lib_esp32c3_family index 793b526c7c..036564af71 160000 --- a/components/bt/controller/lib_esp32c3_family +++ b/components/bt/controller/lib_esp32c3_family @@ -1 +1 @@ -Subproject commit 793b526c7cbec6ff3575216e62d2d571d8c837ed +Subproject commit 036564af715f6c3f0b27238fd7d68fab27aa29c2 diff --git a/components/bt/include/esp32c3/include/esp_bt.h b/components/bt/include/esp32c3/include/esp_bt.h index d54b33a657..f726539419 100644 
--- a/components/bt/include/esp32c3/include/esp_bt.h
+++ b/components/bt/include/esp32c3/include/esp_bt.h
@@ -18,7 +18,7 @@ extern "C" {
 #endif
 #define ESP_BT_CTRL_CONFIG_MAGIC_VAL 0x5A5AA5A5
-#define ESP_BT_CTRL_CONFIG_VERSION 0x02212090
+#define ESP_BT_CTRL_CONFIG_VERSION 0x02302140
 #define ESP_BT_HCI_TL_MAGIC_VALUE 0xfadebead
 #define ESP_BT_HCI_TL_VERSION 0x00010000
@@ -147,6 +147,17 @@ typedef void (* esp_bt_hci_tl_callback_t) (void *arg, uint8_t status);
 #define BT_CTRL_CODED_AGC_RECORRECT 0
 #endif
+#if defined (CONFIG_BT_BLE_50_FEATURES_SUPPORTED) || defined (CONFIG_BT_NIMBLE_50_FEATURE_SUPPORT)
+#ifdef CONFIG_BT_BLE_50_FEATURES_SUPPORTED
+#define BT_CTRL_50_FEATURE_SUPPORT (CONFIG_BT_BLE_50_FEATURES_SUPPORTED)
+#endif
+#ifdef CONFIG_BT_NIMBLE_50_FEATURE_SUPPORT
+#define BT_CTRL_50_FEATURE_SUPPORT (CONFIG_BT_NIMBLE_50_FEATURE_SUPPORT)
+#endif
+#else
+#define BT_CTRL_50_FEATURE_SUPPORT (1)
+#endif
+
 #define AGC_RECORRECT_EN ((BT_CTRL_AGC_RECORRECT_EN << 0) | (BT_CTRL_CODED_AGC_RECORRECT <<1))
 #ifdef CONFIG_BT_CTRL_SCAN_BACKOFF_UPPERLIMITMAX
@@ -194,6 +205,7 @@ typedef void (* esp_bt_hci_tl_callback_t) (void *arg, uint8_t status);
 .cca_thresh = CONFIG_BT_CTRL_HW_CCA_VAL, \
 .scan_backoff_upperlimitmax = BT_CTRL_SCAN_BACKOFF_UPPERLIMITMAX, \
 .dup_list_refresh_period = DUPL_SCAN_CACHE_REFRESH_PERIOD, \
+ .ble_50_feat_supp = BT_CTRL_50_FEATURE_SUPPORT, \
 }
 #else
@@ -263,6 +275,7 @@ typedef struct {
 uint8_t cca_thresh; /*!< cca threshold*/
 uint16_t scan_backoff_upperlimitmax; /*!< scan backoff upperlimitmax value */
 uint16_t dup_list_refresh_period; /*!< duplicate scan list refresh time */
+ bool ble_50_feat_supp; /*!< BLE 5.0 feature support */
 } esp_bt_controller_config_t;
 /**
diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.eco3.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.eco3.ld
index 390cf6a06c..60fa15b7ea 100644
--- a/components/esp_rom/esp32c3/ld/esp32c3.rom.eco3.ld
+++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.eco3.ld
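Review bot: The fallback `#define BT_CTRL_50_FEATURE_SUPPORT (1)` turns the controller's 5.0 feature bits on precisely when neither host option is defined, which (if these are Kconfig bools that are undefined when off) is the "host 5.0 feature not enabled" case the patch subject says should disable them; if the intent is to keep full features for a controller-only build with an external host, say so in a comment on that line, otherwise the default should be `(0)`. When both `CONFIG_BT_BLE_50_FEATURES_SUPPORTED` and `CONFIG_BT_NIMBLE_50_FEATURE_SUPPORT` are defined the macro is defined twice, which is a redefinition warning or error depending on the values; an `#elif` chain avoids that. Bumping `ESP_BT_CTRL_CONFIG_VERSION` together with the new `ble_50_feat_supp` field is right, presumably because the binary controller library validates the struct version before reading it.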
@@ -57,14 +57,18 @@ r_lld_ext_adv_dynamic_pti_process = 0x40001b48; r_lld_adv_ext_pkt_prepare_set = 0x40001b4c; r_lld_adv_ext_chain_none_construct = 0x40001b50; r_lld_adv_ext_chain_connectable_construct = 0x40001b54; +/* r_lld_adv_ext_chain_scannable_construct = 0x40001b58; +*/ r_lld_adv_pkt_rx_connect_post = 0x40001b5c; r_lld_adv_start_init_evt_param = 0x40001b60; r_lld_adv_start_set_cs = 0x40001b64; r_lld_adv_start_update_filter_policy = 0x40001b68; r_lld_adv_start_schedule_asap = 0x40001b6c; r_lld_con_tx_prog_new_packet_coex = 0x40001b70; +/* r_lld_con_tx_prog_new_packet = 0x40001b74; +*/ r_lld_per_adv_dynamic_pti_get = 0x40001b78; r_lld_per_adv_evt_start_chm_upd = 0x40001b7c; r_lld_ext_scan_dynamic_pti_get = 0x40001b80; diff --git a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld index b33d284b05..adc7b4080b 100644 --- a/components/esp_rom/esp32c3/ld/esp32c3.rom.ld +++ b/components/esp_rom/esp32c3/ld/esp32c3.rom.ld @@ -703,10 +703,14 @@ r_ble_util_data_rx_buf_reset = 0x40000b8c; r_bt_bb_get_intr_mask = 0x40000b90; r_bt_bb_intr_clear = 0x40000b94; r_bt_bb_intr_mask_set = 0x40000b98; +/* r_bt_bb_isr = 0x40000b9c; +*/ r_bt_rf_coex_cfg_set = 0x40000ba0; r_bt_rf_coex_conn_dynamic_pti_en_get = 0x40000ba4; +/* r_bt_rf_coex_conn_phy_coded_data_time_limit_en_get = 0x40000ba8; +*/ r_bt_rf_coex_ext_adv_dynamic_pti_en_get = 0x40000bac; r_bt_rf_coex_ext_scan_dynamic_pti_en_get = 0x40000bb0; r_bt_rf_coex_legacy_adv_dynamic_pti_en_get = 0x40000bb4; 
@@ -728,14 +732,18 @@ r_bt_rtp_apply_rule_cs_fmt = 0x40000bf0; r_bt_rtp_apply_rule_cs_idx = 0x40000bf4; r_bt_rtp_deregister_rule_cs_fmt = 0x40000bf8; r_bt_rtp_deregister_rule_cs_idx = 0x40000bfc; +/* r_bt_rtp_get_txpwr_idx_by_act = 0x40000c00; +*/ r_bt_rtp_init = 0x40000c04; r_bt_rtp_register_rule_cs_fmt = 0x40000c08; r_bt_rtp_register_rule_cs_idx = 0x40000c0c; r_btdm_isr = 0x40000c10; +/* r_btdm_task_post = 0x40000c14; r_btdm_task_post_from_isr = 0x40000c18; r_btdm_task_recycle = 0x40000c1c; +*/ r_cali_phase_match_p = 0x40000c20; r_cmp_abs_time = 0x40000c24; r_cmp_dest_id = 0x40000c28; @@ -831,7 +839,9 @@ r_hci_look_for_evt_desc = 0x40000d8c; r_hci_look_for_le_evt_desc = 0x40000d90; r_hci_look_for_le_evt_desc_esp = 0x40000d94; r_hci_pack_bytes = 0x40000d98; +/* r_hci_register_vendor_desc_tab = 0x40000d9c; +*/ r_hci_send_2_controller = 0x40000da0; r_hci_send_2_host = 0x40000da4; r_hci_tl_c2h_data_flow_on = 0x40000da8; @@ -888,7 +898,9 @@ r_ke_task_handler_get = 0x40000e70; r_ke_task_init = 0x40000e74; r_ke_task_msg_flush = 0x40000e78; r_ke_task_saved_update = 0x40000e7c; +/* r_ke_task_schedule = 0x40000e80; +*/ r_ke_time = 0x40000e84; r_ke_time_cmp = 0x40000e88; r_ke_time_past = 0x40000e8c; @@ -916,7 +928,9 @@ r_llc_dl_chg_check = 0x40000ee0; r_llc_dle_proc_err_cb = 0x40000ee4; r_llc_feats_exch_proc_err_cb = 0x40000ee8; r_llc_hci_cmd_handler_tab_p_get = 0x40000eec; +/* r_llc_hci_command_handler = 0x40000ef0; +*/ r_llc_hci_con_param_req_evt_send = 0x40000ef4; r_llc_hci_con_upd_info_send = 0x40000ef8; r_llc_hci_disconnected_dis = 0x40000efc; @@ -944,7 +958,9 @@ r_llc_llcp_state_set = 0x40000f50; r_llc_llcp_trans_timer_set = 0x40000f54; r_llc_llcp_tx_check = 0x40000f58; r_llc_loc_ch_map_proc_continue = 0x40000f5c; +/* r_llc_loc_con_upd_proc_continue = 0x40000f60; +*/ r_llc_loc_con_upd_proc_err_cb = 0x40000f64; r_llc_loc_dl_upd_proc_continue = 0x40000f68; r_llc_loc_encrypt_proc_continue = 0x40000f6c; 
@@ -965,7 +981,9 @@ r_llc_proc_timer_pause_set = 0x40000fa4; r_llc_proc_timer_set = 0x40000fa8; r_llc_proc_unreg = 0x40000fac; r_llc_rem_ch_map_proc_continue = 0x40000fb0; +/* r_llc_rem_con_upd_proc_continue = 0x40000fb4; +*/ r_llc_rem_con_upd_proc_err_cb = 0x40000fb8; r_llc_rem_dl_upd_proc = 0x40000fbc; r_llc_rem_encrypt_proc_continue = 0x40000fc0; @@ -1054,10 +1072,14 @@ r_lld_con_rx_isr = 0x40001108; r_lld_con_rx_link_info_check = 0x4000110c; r_lld_con_rx_llcp_check = 0x40001110; r_lld_con_rx_sync_time_update = 0x40001114; +/* r_lld_con_sched = 0x40001118; +*/ r_lld_con_set_tx_power = 0x4000111c; r_lld_con_start = 0x40001120; +/* r_lld_con_stop = 0x40001124; +*/ r_lld_con_tx = 0x40001128; r_lld_con_tx_enc = 0x4000112c; r_lld_con_tx_isr = 0x40001130; @@ -1092,7 +1114,9 @@ r_lld_init_set_tx_power = 0x400011a0; r_lld_init_start = 0x400011a4; r_lld_init_stop = 0x400011a8; r_lld_instant_proc_end = 0x400011ac; +/* r_lld_llcp_rx_ind_handler = 0x400011b0; +*/ r_lld_per_adv_ch_map_update = 0x400011b4; r_lld_per_adv_chain_construct = 0x400011b8; r_lld_per_adv_cleanup = 0x400011bc; @@ -1110,7 +1134,9 @@ r_lld_per_adv_init = 0x400011e8; r_lld_per_adv_init_info_get = 0x400011ec; r_lld_per_adv_list_add = 0x400011f0; r_lld_per_adv_list_rem = 0x400011f4; +/* r_lld_per_adv_sched = 0x400011f8; +*/ r_lld_per_adv_set_tx_power = 0x400011fc; r_lld_per_adv_start = 0x40001200; r_lld_per_adv_stop = 0x40001204; @@ -1144,8 +1170,10 @@ r_lld_scan_frm_rx_isr = 0x40001270; r_lld_scan_frm_skip_isr = 0x40001274; r_lld_scan_init = 0x40001278; r_lld_scan_params_update = 0x4000127c; +/* r_lld_scan_process_pkt_rx = 0x40001280; r_lld_scan_process_pkt_rx_adv_rep = 0x40001284; +*/ r_lld_scan_process_pkt_rx_aux_adv_ind = 0x40001288; r_lld_scan_process_pkt_rx_aux_chain_ind = 0x4000128c; r_lld_scan_process_pkt_rx_aux_scan_rsp = 0x40001290; 
@@ -1220,7 +1248,9 @@ r_llm_is_dev_synced = 0x400013a0; r_llm_is_non_con_act_ongoing_check = 0x400013a4; r_llm_is_wl_accessible = 0x400013a8; r_llm_le_evt_mask_check = 0x400013ac; +/* r_llm_le_features_get = 0x400013b0; +*/ r_llm_link_disc = 0x400013b4; r_llm_master_ch_map_get = 0x400013b8; r_llm_msg_handler_tab_p_get = 0x400013bc; @@ -1240,7 +1270,9 @@ r_misc_msg_handler_tab_p_get = 0x400013f0; r_notEqual256 = 0x400013f4; r_phy_upd_proc_start = 0x400013f8; r_platform_reset = 0x400013fc; +/* r_register_esp_vendor_cmd_handler = 0x40001400; +*/ r_rf_em_init = 0x40001404; r_rf_force_agc_enable = 0x40001408; r_rf_reg_rd = 0x4000140c; @@ -1250,8 +1282,10 @@ r_rf_rssi_convert = 0x40001418; r_rf_rw_v9_le_disable = 0x4000141c; r_rf_rw_v9_le_enable = 0x40001420; r_rf_sleep = 0x40001424; +/* r_rf_txpwr_cs_get = 0x40001428; r_rf_txpwr_dbm_get = 0x4000142c; +*/ r_rf_util_cs_fmt_convert = 0x40001430; r_rw_crypto_aes_ccm = 0x40001434; r_rw_crypto_aes_encrypt = 0x40001438; @@ -1265,7 +1299,9 @@ r_rw_crypto_aes_result_handler = 0x40001454; r_rw_crypto_aes_s1 = 0x40001458; r_rw_cryto_aes_cmac = 0x4000145c; r_rw_v9_init_em_radio_table = 0x40001460; +/* r_rwble_isr = 0x40001464; +*/ r_rwble_sleep_enter = 0x40001468; r_rwble_sleep_wakeup_end = 0x4000146c; r_rwbtdm_isr_wrapper = 0x40001470; @@ -1302,7 +1338,9 @@ r_sch_alarm_set = 0x400014e8; r_sch_alarm_timer_isr = 0x400014ec; r_sch_arb_conflict_check = 0x400014f0; r_sch_arb_elt_cancel = 0x400014f4; +/* r_sch_arb_event_start_isr = 0x400014f8; +*/ r_sch_arb_init = 0x400014fc; r_sch_arb_insert = 0x40001500; r_sch_arb_prog_timer = 0x40001504; @@ -1317,8 +1355,10 @@ r_sch_plan_offset_req = 0x40001524; r_sch_plan_position_range_compute = 0x40001528; r_sch_plan_rem = 0x4000152c; r_sch_plan_req = 0x40001530; +/* r_sch_plan_set = 0x40001534; r_sch_prog_end_isr = 0x40001538; +*/ r_sch_prog_init = 0x4000153c; r_sch_prog_push = 0x40001540; r_sch_prog_rx_isr = 0x40001544; 
@@ -1491,6 +1531,49 @@ rwip_coex_cfg = 0x3ff1eeac; rwip_priority = 0x3ff1ee94; veryBigHexP256 = 0x3ff1ee48; +/* bluetooth hook funcs */ +r_llc_loc_encrypt_proc_continue_hook = 0x40001c60; +r_llc_loc_phy_upd_proc_continue_hook = 0x40001c64; +r_llc_rem_phy_upd_proc_continue_hook = 0x40001c68; +r_lld_scan_frm_eof_isr_hook = 0x40001c6c; +r_lld_scan_evt_start_cbk_hook = 0x40001c70; +/* +r_lld_scan_start_hook = 0x40001c74; +*/ +r_lld_scan_process_pkt_rx_ext_adv_hook = 0x40001c78; +r_lld_scan_sched_hook = 0x40001c7c; +/* +r_lld_adv_start_hook = 0x40001c80; +*/ +r_lld_adv_evt_start_cbk_hook = 0x40001c84; +r_lld_adv_aux_evt_start_cbk_hook = 0x40001c88; +r_lld_adv_frm_isr_hook = 0x40001c8c; +r_lld_adv_start_init_evt_param_hook = 0x40001c90; +r_lld_con_evt_canceled_cbk_hook = 0x40001c94; +r_lld_con_frm_isr_hook = 0x40001c98; +r_lld_con_tx_hook = 0x40001c9c; +r_lld_con_rx_hook = 0x40001ca0; +r_lld_con_evt_start_cbk_hook = 0x40001ca4; +/* +r_lld_con_start_hook = 0x40001ca8; +*/ +r_lld_con_tx_prog_new_packet_hook = 0x40001cac; +r_lld_init_frm_eof_isr_hook = 0x40001cb0; +r_lld_init_evt_start_cbk_hook = 0x40001cb4; +/* +r_lld_init_start_hook = 0x40001cb8; +*/ +r_lld_init_sched_hook = 0x40001cbc; +r_lld_init_process_pkt_tx_hook = 0x40001cc0; +r_lld_per_adv_evt_start_cbk_hook = 0x40001cc4; +r_lld_per_adv_frm_isr_hook = 0x40001cc8; +r_lld_per_adv_start_hook = 0x40001ccc; +r_lld_sync_frm_eof_isr_hook = 0x40001cd0; +r_lld_sync_evt_start_cbk_hook = 0x40001cd4; +r_lld_sync_start_hook = 0x40001cd8; +r_lld_sync_process_pkt_rx_pkt_check_hook = 0x40001cdc; +r_sch_arb_insert_hook = 0x40001ce0; +r_sch_plan_offset_req_hook = 0x40001ce4; /*************************************** Group rom_pp