2 * Copyright 2011 Drew Fisher <drew.m.fisher@gmail.com>. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ''AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL DREW FISHER OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * The views and conclusions contained in the software and documentation are
28 * those of the authors and should not be interpreted as representing official
29 * policies, either expressed or implied, of Drew Fisher.
41 #define KINECT_AUDIO_VID 0x045e
42 #define KINECT_AUDIO_PID 0x02ad
43 #define KINECT_AUDIO_CONFIGURATION 1
44 #define KINECT_AUDIO_INTERFACE 0
45 #define KINECT_AUDIO_IN_EP 0x81
46 #define KINECT_AUDIO_OUT_EP 0x01
48 static libusb_device_handle *dev;
49 static unsigned int seq;
66 #define LOG(...) printf(__VA_ARGS__)
68 #if __BYTE_ORDER == __BIG_ENDIAN
69 static inline uint32_t fn_le32(uint32_t d)
71 return (d<<24) | ((d<<8)&0xFF0000) | ((d>>8)&0xFF00) | (d>>24);
74 #define fn_le32(x) (x)
77 static void dump_bl_cmd(bootloader_command cmd) {
79 for (i = 0; i < 24; i++)
80 LOG("%02X ", ((unsigned char*)(&cmd))[i]);
84 static int get_first_reply(void) {
85 unsigned char buffer[512];
89 res = libusb_bulk_transfer(dev, KINECT_AUDIO_IN_EP, buffer, 512, &transferred, 0);
91 LOG("Error reading first reply: %d\ttransferred: %d (expected %d)\n", res, transferred, 0x60);
94 LOG("Reading first reply: ");
96 for (i = 0; i < transferred; ++i) {
97 LOG("%02X ", buffer[i]);
103 static int get_reply(void) {
106 /* The following is needed because libusb_bulk_transfer might
107 * fail when working on a buffer smaller than 512 bytes.
109 unsigned char dump[512];
114 res = libusb_bulk_transfer(dev, KINECT_AUDIO_IN_EP, reply.dump, 512, &transferred, 0);
115 if (res != 0 || transferred != sizeof(status_code)) {
116 LOG("Error reading reply: %d\ttransferred: %d (expected %zu)\n", res, transferred, sizeof(status_code));
119 if (fn_le32(reply.buffer.magic) != 0x0a6fe000) {
120 LOG("Error reading reply: invalid magic %08X\n", reply.buffer.magic);
123 if (fn_le32(reply.buffer.seq) != seq) {
124 LOG("Error reading reply: non-matching sequence number %08X (expected %08X)\n", reply.buffer.seq, seq);
127 if (fn_le32(reply.buffer.status) != 0) {
128 LOG("Notice reading reply: last uint32_t was nonzero: %d\n", reply.buffer.status);
131 LOG("Reading reply: ");
133 for (i = 0; i < transferred; ++i) {
134 LOG("%02X ", reply.dump[i]);
141 static int upload_firmware(FILE *fw) {
146 bootloader_command cmd;
147 cmd.magic = fn_le32(0x06022009);
148 cmd.seq = fn_le32(seq);
149 cmd.bytes = fn_le32(0x60);
150 cmd.cmd = fn_le32(0);
151 cmd.write_addr = fn_le32(0x15);
152 cmd.unk = fn_le32(0);
154 LOG("About to send: ");
159 res = libusb_bulk_transfer(dev, KINECT_AUDIO_OUT_EP, (unsigned char *)&cmd, sizeof(cmd), &transferred, 0);
160 if (res != 0 || transferred != sizeof(cmd)) {
161 LOG("Error: res: %d\ttransferred: %d (expected %zu)\n", res, transferred, sizeof(cmd));
165 // This first one doesn't have the usual magic bytes at the beginning,
166 // and is 96 bytes long - much longer than the usual 12-byte replies.
167 res = get_first_reply();
169 LOG("get_first_reply() failed");
173 // I'm not sure why we do this twice here, but maybe it'll make sense
177 LOG("First get_reply() failed");
182 // Split addr declaration and assignment in order to compile as C++,
183 // otherwise this would give "jump to label '...' crosses initialization"
187 unsigned char page[0x4000];
190 read = (int)fread(page, 1, 0x4000, fw);
195 cmd.seq = fn_le32(seq);
196 cmd.bytes = fn_le32((unsigned int)read);
197 cmd.cmd = fn_le32(0x03);
198 cmd.write_addr = fn_le32(addr);
199 LOG("About to send: ");
203 res = libusb_bulk_transfer(dev, KINECT_AUDIO_OUT_EP, (unsigned char *)&cmd, sizeof(cmd), &transferred, 0);
204 if (res != 0 || transferred != sizeof(cmd)) {
205 LOG("Error: res: %d\ttransferred: %d (expected %zu)\n", res, transferred, sizeof(cmd));
209 while (bytes_sent < read) {
210 int to_send = (read - bytes_sent > 512 ? 512 : read - bytes_sent);
212 res = libusb_bulk_transfer(dev, KINECT_AUDIO_OUT_EP, &page[bytes_sent], to_send, &transferred, 0);
213 if (res != 0 || transferred != to_send) {
214 LOG("Error: res: %d\ttransferred: %d (expected %d)\n", res, transferred, to_send);
217 bytes_sent += to_send;
221 LOG("get_reply failed");
225 addr += (uint32_t)read;
229 cmd.seq = fn_le32(seq);
230 cmd.bytes = fn_le32(0);
231 cmd.cmd = fn_le32(0x04);
232 cmd.write_addr = fn_le32(0x00080030);
235 res = libusb_bulk_transfer(dev, KINECT_AUDIO_OUT_EP, (unsigned char *)&cmd, sizeof(cmd), &transferred, 0);
236 if (res != 0 || transferred != sizeof(cmd)) {
237 LOG("Error: res: %d\ttransferred: %d (expected %zu)\n", res, transferred, sizeof(cmd));
247 int main(int argc, char *argv[]) {
248 char default_filename[] = "firmware.bin";
249 char *filename = default_filename;
256 FILE *fw = fopen(filename, "rb");
258 fprintf(stderr, "Failed to open %s: %s\n", filename, strerror(errno));
262 ret = libusb_init(NULL);
264 fprintf(stderr, "libusb_init failed: %s\n",
265 libusb_error_name(ret));
269 libusb_set_debug(NULL, 3);
271 dev = libusb_open_device_with_vid_pid(NULL, KINECT_AUDIO_VID, KINECT_AUDIO_PID);
273 fprintf(stderr, "libusb_open failed: %s\n", strerror(errno));
275 goto out_libusb_exit;
278 int current_configuration = -1;
279 ret = libusb_get_configuration(dev, ¤t_configuration);
281 fprintf(stderr, "libusb_get_configuration failed: %s\n",
282 libusb_error_name(ret));
283 goto out_libusb_close;
286 if (current_configuration != KINECT_AUDIO_CONFIGURATION) {
287 ret = libusb_set_configuration(dev, KINECT_AUDIO_CONFIGURATION);
289 fprintf(stderr, "libusb_set_configuration failed: %s\n",
290 libusb_error_name(ret));
291 fprintf(stderr, "Cannot set configuration %d\n",
292 KINECT_AUDIO_CONFIGURATION);
293 goto out_libusb_close;
297 ret = libusb_claim_interface(dev, KINECT_AUDIO_INTERFACE);
299 fprintf(stderr, "libusb_claim_interface failed: %s\n",
300 libusb_error_name(ret));
301 fprintf(stderr, "Cannot claim interface %d\n",
302 KINECT_AUDIO_INTERFACE);
303 goto out_libusb_close;
307 * Checking that the configuration has not changed, as suggested in
308 * http://libusb.sourceforge.net/api-1.0/caveats.html
310 current_configuration = -1;
311 ret = libusb_get_configuration(dev, ¤t_configuration);
313 fprintf(stderr, "libusb_get_configuration after claim failed: %s\n",
314 libusb_error_name(ret));
315 goto out_libusb_release_interface;
318 if (current_configuration != KINECT_AUDIO_CONFIGURATION) {
319 fprintf(stderr, "libusb configuration changed (expected: %d, current: %d)\n",
320 KINECT_AUDIO_CONFIGURATION, current_configuration);
322 goto out_libusb_release_interface;
325 ret = upload_firmware(fw);
326 // Now the device reenumerates.
328 out_libusb_release_interface:
329 libusb_release_interface(dev, KINECT_AUDIO_INTERFACE);