r2243 - trunk/src/host/qemu-neo1973/hw

andrew at sita.openmoko.org andrew at sita.openmoko.org
Wed Jun 13 19:13:53 CEST 2007


Author: andrew
Date: 2007-06-13 19:13:50 +0200 (Wed, 13 Jun 2007)
New Revision: 2243

Added:
   trunk/src/host/qemu-neo1973/hw/bt-hci.c
   trunk/src/host/qemu-neo1973/hw/bt.h
   trunk/src/host/qemu-neo1973/hw/usb-bt.c
Log:
Add the new files that were forgotten in the last commit.


Added: trunk/src/host/qemu-neo1973/hw/bt-hci.c
===================================================================
--- trunk/src/host/qemu-neo1973/hw/bt-hci.c	2007-06-13 17:12:06 UTC (rev 2242)
+++ trunk/src/host/qemu-neo1973/hw/bt-hci.c	2007-06-13 17:13:50 UTC (rev 2243)
@@ -0,0 +1,1323 @@
+/*
+ * QEMU Bluetooth HCI logic.
+ *
+ * Copyright (C) 2007 OpenMoko, Inc.
+ * Written by Andrzej Zaborowski <andrew at openedhand.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+ * MA  02110-1301  USA
+ */
+#include "vl.h"
+
+void bt_submit_lmp(struct bt_device_s *bt, int length, uint8_t *data)
+{
+    int resp, resplen, error, op, tr;
+    uint8_t respdata[17];
+    if (length < 1)
+        return;
+
+    tr = *data & 1;
+    op = *(data ++) >> 1;
+    resp = LMP_ACCEPTED;
+    resplen = 2;
+    respdata[1] = op;
+    error = 0;
+    length --;
+
+    if (op >= 0x7c) {	/* Extended opcode */
+        op |= *(data ++) << 8;
+        resp = LMP_ACCEPTED_EXT;
+        resplen = 4;
+        respdata[0] = op >> 8;
+        respdata[1] = op & 0xff;
+        length --;
+    }
+
+    switch (op) {
+    case LMP_ACCEPTED:
+        /* data[0]	Op code
+         */
+        if (length < 1) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        resp = 0;
+        break;
+
+    case LMP_ACCEPTED_EXT:
+        /* data[0]	Escape op code
+         * data[1]	Extended op code
+         */
+        if (length < 2) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        resp = 0;
+        break;
+
+    case LMP_NOT_ACCEPTED:
+        /* data[0]	Op code
+         * data[1]	Error code
+         */
+        if (length < 2) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        resp = 0;
+        break;
+
+    case LMP_NOT_ACCEPTED_EXT:
+        /* data[0]	Op code
+         * data[1]	Extended op code
+         * data[2]	Error code
+         */
+        if (length < 3) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        resp = 0;
+        break;
+
+    case LMP_HOST_CONNECTION_REQ:
+        break;
+
+    case LMP_SETUP_COMPLETE:
+        resp = LMP_SETUP_COMPLETE;
+        resplen = 1;
+        bt->setup = 1;
+        break;
+
+    case LMP_DETACH:
+        /* data[0]	Error code
+         */
+        if (length < 1) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        bt->setup = 0;
+        resp = 0;
+        break;
+
+    case LMP_SUPERVISION_TIMEOUT:
+        /* data[0,1]	Supervision timeout
+         */
+        if (length < 2) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        resp = 0;
+        break;
+
+    case LMP_QUALITY_OF_SERVICE:
+        resp = 0;
+        /* Fall through */
+    case LMP_QOS_REQ:
+        /* data[0,1]	Poll interval
+         * data[2]	N(BC)
+         */
+        if (length < 3) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        break;
+
+    case LMP_MAX_SLOT:
+        resp = 0;
+        /* Fall through */
+    case LMP_MAX_SLOT_REQ:
+        /* data[0]	Max slots
+         */
+        if (length < 1) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        break;
+
+    case LMP_AU_RAND:
+    case LMP_IN_RAND:
+    case LMP_COMB_KEY:
+        /* data[0-15]	Random number
+         */
+        if (length < 16) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        if (op == LMP_AU_RAND) {
+            if (bt->key_present) {
+                resp = LMP_SRES;
+                resplen = 5;
+                /* XXX: [Part H] Section 6.1 on page 801 */
+            } else {
+                error = HCI_PIN_OR_KEY_MISSING;
+                goto not_accepted;
+            }
+        } else if (op == LMP_IN_RAND) {
+            error = HCI_PAIRING_NOT_ALLOWED;
+            goto not_accepted;
+        } else {
+            /* XXX: [Part H] Section 3.2 on page 779 */
+            resp = LMP_UNIT_KEY;
+            resplen = 17;
+            memcpy(respdata + 1, bt->key, 16);
+
+            error = HCI_UNIT_LINK_KEY_USED;
+            goto not_accepted;
+        }
+        break;
+
+    case LMP_UNIT_KEY:
+        /* data[0-15]	Key
+         */
+        if (length < 16) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        memcpy(bt->key, data, 16);
+        bt->key_present = 1;
+        break;
+
+    case LMP_SRES:
+        /* data[0-3]	Authentication response
+         */
+        if (length < 4) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        break;
+
+    case LMP_CLKOFFSET_REQ:
+        resp = LMP_CLKOFFSET_RES;
+        resplen = 3;
+        respdata[1] = 0x33;
+        respdata[2] = 0x33;
+        break;
+
+    case LMP_CLKOFFSET_RES:
+        /* data[0,1]	Clock offset
+         * (Slave to master only)
+         */
+        if (length < 2) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        break;
+
+    case LMP_VERSION_REQ:
+    case LMP_VERSION_RES:
+        /* data[0]	VersNr
+         * data[1,2]	CompId
+         * data[3,4]	SubVersNr
+         */
+        if (length < 5) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        if (op == LMP_VERSION_REQ) {
+            resp = LMP_VERSION_RES;
+            resplen = 6;
+            respdata[1] = 0x20;
+            respdata[2] = 0xff;
+            respdata[3] = 0xff;
+            respdata[4] = 0xff;
+            respdata[5] = 0xff;
+        } else
+            resp = 0;
+        break;
+
+    case LMP_FEATURES_REQ:
+    case LMP_FEATURES_RES:
+        /* data[0-7]	Features
+         */
+        if (length < 8) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        if (op == LMP_FEATURES_REQ) {
+            resp = LMP_FEATURES_RES;
+            resplen = 9;
+            respdata[1] = (bt->lmp_caps >> 0) & 0xff;
+            respdata[2] = (bt->lmp_caps >> 8) & 0xff;
+            respdata[3] = (bt->lmp_caps >> 16) & 0xff;
+            respdata[4] = (bt->lmp_caps >> 24) & 0xff;
+            respdata[5] = (bt->lmp_caps >> 32) & 0xff;
+            respdata[6] = (bt->lmp_caps >> 40) & 0xff;
+            respdata[7] = (bt->lmp_caps >> 48) & 0xff;
+            respdata[8] = (bt->lmp_caps >> 56) & 0xff;
+        } else
+            resp = 0;
+        break;
+
+    case LMP_NAME_REQ:
+        /* data[0]	Name offset
+         */
+        if (length < 1) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        resp = LMP_NAME_RES;
+        resplen = 17;
+        respdata[1] = data[0];
+        respdata[2] = strlen(bt->lmp_name);
+        memset(respdata + 3, 0x00, 14);
+        if (respdata[2] > respdata[1])
+            memcpy(respdata + 3, bt->lmp_name + respdata[1],
+                            respdata[2] - respdata[1]);
+        break;
+
+    case LMP_NAME_RES:
+        /* data[0]	Name offset
+         * data[1]	Name length
+         * data[2-15]	Name fragment
+         */
+        if (length < 16) {
+            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
+            goto not_accepted;
+        }
+        resp = 0;
+        break;
+
+    default:
+        error = HCI_UNKNOWN_LMP_PDU;
+        /* Fall through */
+    not_accepted:
+        if (op >> 8) {
+            resp = LMP_NOT_ACCEPTED_EXT;
+            resplen = 5;
+            respdata[0] = op >> 8;
+            respdata[1] = op & 0xff;
+            respdata[2] = error;
+        } else {
+            resp = LMP_NOT_ACCEPTED;
+            resplen = 3;
+            respdata[0] = op & 0xff;
+            respdata[1] = error;
+        }
+    }
+
+    if (resp == 0)
+        return;
+
+    if (resp >> 8) {
+        respdata[0] = resp >> 8;
+        respdata[1] = resp & 0xff;
+    } else
+        respdata[0] = resp & 0xff;
+
+    respdata[0] <<= 1;
+    respdata[0] |= tr;
+}
+
+void bt_submit_raw_acl(struct bt_piconet_s *net, int length, uint8_t *data)
+{
+    struct bt_device_s *slave;
+    if (length < 1)
+        return;
+
+    slave = net->slave;
+
+    switch (data[0] & 3) {
+    case LLID_ACLC:
+        bt_submit_lmp(slave, length - 1, data + 1);
+        break;
+    case LLID_ACLU_START:
+#if 0
+        bt_sumbit_l2cap(slave, length - 1, data + 1, (data[0] >> 2) & 1);
+        breka;
+#endif
+    default:
+    case LLID_ACLU_CONT:
+        break;
+    }
+}
+
+/* XXX: handle endiannes */
+#define HNDL(raw)	(raw)
+
+static const uint8_t bt_event_reserved_mask[8] = {
+    0xff, 0x9f, 0xfb, 0xff, 0x07, 0x18, 0x00, 0x00,
+};
+
+static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci,
+                int evt, int len)
+{
+    uint8_t *packet, mask;
+    int mask_byte;
+    if (len > 255)
+        cpu_abort(cpu_single_env, "HCI event params too long (%ib)\n", len);
+
+    mask_byte = (evt - 1) >> 3;
+    mask = 1 << ((evt - 1) & 3);
+    if (mask & bt_event_reserved_mask[mask_byte] & ~hci->event_mask[mask_byte])
+        return 0;
+
+    packet = hci->evt_packet(hci->opaque);
+    packet[0] = evt;
+    packet[1] = len;
+    return &packet[2];
+}
+
+static inline void bt_hci_event(struct bt_hci_s *hci, int evt,
+                void *params, int len)
+{
+    uint8_t *packet = bt_hci_event_start(hci, evt, len);
+    if (!packet)
+        return;
+
+    if (len)
+        memcpy(packet, params, len);
+
+    hci->evt_submit(hci->opaque, len + 2);
+}
+
+static inline void bt_hci_event_status(struct bt_hci_s *hci, int status)
+{
+    evt_cmd_status params = {
+        .status	= status,
+        .ncmd	= 5,
+        .opcode	= hci->last_cmd,
+    };
+
+    bt_hci_event(hci, EVT_CMD_STATUS, &params, EVT_CMD_STATUS_SIZE);
+}
+
+static inline void bt_hci_event_complete(struct bt_hci_s *hci,
+                void *ret, int len)
+{
+    uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE,
+                    len + EVT_CMD_COMPLETE_SIZE);
+    evt_cmd_complete *params = (evt_cmd_complete *) packet;
+    if (!packet)
+        return;
+
+    params->ncmd	= 5;
+    params->opcode	= hci->last_cmd;
+    if (len)
+        memcpy(&packet[EVT_CMD_COMPLETE_SIZE], ret, len);
+
+    hci->evt_submit(hci->opaque, len + EVT_CMD_COMPLETE_SIZE + 2);
+}
+
+static void bt_hci_inquiry_done(void *opaque)
+{
+    struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
+    bt_hci_event(hci, EVT_INQUIRY_COMPLETE, 0, 0);
+}
+
+static void bt_hci_inquiry_result(struct bt_hci_s *hci,
+                struct bt_device_s *slave)
+{
+    inquiry_info params;
+
+    if (slave->acl_mode != acl_active)
+        return;
+
+    hci->lm.responses_left --;
+    hci->lm.responses ++;
+
+    params.num_responses	= 1;
+    bacpy(&params.bdaddr, &slave->bd_addr);
+    params.pscan_rep_mode	= 0x00;	/* R0 */
+    params.pscan_period_mode	= 0x00;	/* P0 - deprecated */
+    params.pscan_mode		= 0x00;	/* Standard scan - deprecated */
+    params.dev_class[0]		= slave->class[0];
+    params.dev_class[1]		= slave->class[1];
+    params.dev_class[2]		= slave->class[2];
+    params.clock_offset		= slave->clkoff;	/* XXX: Endianness */
+    bt_hci_event(hci, EVT_INQUIRY_RESULT, &params, INQUIRY_INFO_SIZE);
+
+    if (hci->lm.periodic) {
+        qemu_mod_timer(hci->lm.inquiry_next, qemu_get_clock(vm_clock) +
+                        muldiv64(hci->lm.inquiry_period << 7,
+                                ticks_per_sec, 1000));
+    }
+}
+
+static void bt_hci_inquiry_start(struct bt_hci_s *hci, int length)
+{
+    struct bt_device_s *slave;
+
+    hci->lm.inquiry_length = length;
+    if (hci->lm.responses_left == 0)
+        hci->lm.responses_left --;
+    for (slave = hci->net->slave; slave; slave = slave->next)
+        bt_hci_inquiry_result(hci, slave);
+
+    if (hci->lm.responses_left)
+        qemu_mod_timer(hci->lm.inquiry_done, qemu_get_clock(vm_clock) +
+                        muldiv64(hci->lm.inquiry_length << 7,
+                                ticks_per_sec, 1000));
+    else
+        bt_hci_inquiry_done(hci);
+}
+
+static void bt_hci_inquiry_next(void *opaque)
+{
+    struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
+
+    hci->lm.responses_left += hci->lm.responses;
+    hci->lm.responses = 0;
+    bt_hci_inquiry_start(hci,  hci->lm.inquiry_length);
+}
+
+static inline int bt_hci_handle_bad(struct bt_hci_s *hci, uint16_t handle)
+{
+    return handle < HCI_HANDLE_OFFSET || handle >= HCI_HANDLE_OFFSET + 16 ||
+            !hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
+}
+
+static int bt_hci_connect(struct bt_hci_s *hci, bdaddr_t *bdaddr)
+{
+    struct bt_device_s *slave;
+    uint16_t handle;
+    evt_conn_complete params;
+
+    for (slave = hci->net->slave; slave; slave = slave->next)
+        if (slave->acl_mode == acl_active && !bacmp(&slave->bd_addr, bdaddr))
+            break;
+    if (!slave)
+        return -ENODEV;
+
+    slave->setup = 1;
+
+    /* Make a connection handle */
+    do {
+        while (hci->lm.handle[++ hci->lm.last_handle])
+            hci->lm.last_handle &= 15;
+        handle = hci->lm.last_handle | HCI_HANDLE_OFFSET;
+    } while (handle == hci->asb_handle || handle == hci->psb_handle);
+
+    hci->lm.handle[hci->lm.last_handle] = slave;
+
+    bt_hci_event_status(hci, HCI_SUCCESS);
+
+    /* XXX: Send CONNCOMPLETE to slave */
+
+    params.status	= HCI_SUCCESS;
+    params.handle	= HNDL(handle);
+    bacpy(&params.bdaddr, &slave->bd_addr);
+    params.link_type	= ACL_LINK;
+    params.encr_mode	= 0x00;		/* Encryption not required */
+    bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);
+    return 0;
+}
+
+static int bt_hci_disconnect(struct bt_hci_s *hci, uint16_t handle, int reason)
+{
+    struct bt_device_s *slave;
+    evt_disconn_complete params;
+
+    if (bt_hci_handle_bad(hci, handle))
+        return -ENODEV;
+
+    slave = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
+
+    bt_hci_event_status(hci, HCI_SUCCESS);
+
+    /* XXX: send Disconnection Complete to remote dev. */
+    slave->setup = 0;
+    hci->lm.handle[handle & ~HCI_HANDLE_OFFSET] = 0;
+
+    params.status	= HCI_SUCCESS;
+    params.handle	= HNDL(handle);
+    params.reason	= HCI_CONNECTION_TERMINATED;
+    bt_hci_event(hci, EVT_DISCONN_COMPLETE,
+                    &params, EVT_DISCONN_COMPLETE_SIZE);
+    return 0;
+}
+
+static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t *bdaddr)
+{
+    struct bt_device_s *slave;
+    evt_remote_name_req_complete params;
+
+    for (slave = hci->net->slave; slave; slave = slave->next)
+        if (slave->acl_mode == acl_active && !bacmp(&slave->bd_addr, bdaddr))
+            break;
+    if (!slave)
+        return -ENODEV;
+
+    bt_hci_event_status(hci, HCI_SUCCESS);
+
+    params.status       = HCI_SUCCESS;
+    bacpy(&params.bdaddr, &slave->bd_addr);
+    snprintf(params.name, sizeof(params.name), "%s", slave->lmp_name);
+    bt_hci_event(hci, EVT_REMOTE_NAME_REQ_COMPLETE,
+                    &params, EVT_REMOTE_NAME_REQ_COMPLETE_SIZE);
+    return 0;
+}
+
+static int bt_hci_features_req(struct bt_hci_s *hci, uint16_t handle)
+{
+    struct bt_device_s *slave;
+    evt_read_remote_features_complete params;
+
+    if (bt_hci_handle_bad(hci, handle))
+        return -ENODEV;
+
+    slave = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
+
+    bt_hci_event_status(hci, HCI_SUCCESS);
+
+    params.status	= HCI_SUCCESS;
+    params.status	= HNDL(handle);
+    params.features[0]	= (slave->lmp_caps >> 0) & 0xff;
+    params.features[1]	= (slave->lmp_caps >> 8) & 0xff;
+    params.features[2]	= (slave->lmp_caps >> 16) & 0xff;
+    params.features[3]	= (slave->lmp_caps >> 24) & 0xff;
+    params.features[4]	= (slave->lmp_caps >> 32) & 0xff;
+    params.features[5]	= (slave->lmp_caps >> 40) & 0xff;
+    params.features[6]	= (slave->lmp_caps >> 48) & 0xff;
+    params.features[7]	= (slave->lmp_caps >> 56) & 0xff;
+    bt_hci_event(hci, EVT_READ_REMOTE_FEATURES_COMPLETE,
+                    &params, EVT_READ_REMOTE_FEATURES_COMPLETE_SIZE);
+    return 0;
+}
+
+static int bt_hci_version_req(struct bt_hci_s *hci, uint16_t handle)
+{
+    struct bt_device_s *slave;
+    evt_read_remote_version_complete params;
+
+    if (bt_hci_handle_bad(hci, handle))
+        return -ENODEV;
+
+    slave = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
+
+    bt_hci_event_status(hci, HCI_SUCCESS);
+
+    params.status	= HCI_SUCCESS;
+    params.handle	= HNDL(handle);
+    params.lmp_ver	= 0x03;
+    params.manufacturer	= 0xa000;	/* XXX: Endianness */
+    params.lmp_subver	= 0xa607;	/* XXX: Endianness */
+    bt_hci_event(hci, EVT_READ_REMOTE_VERSION_COMPLETE,
+                    &params, EVT_READ_REMOTE_VERSION_COMPLETE_SIZE);
+    return 0;
+}
+
+static int bt_hci_clkoffset_req(struct bt_hci_s *hci, uint16_t handle)
+{
+    struct bt_device_s *slave;
+    evt_read_clock_offset_complete params;
+
+    if (bt_hci_handle_bad(hci, handle))
+        return -ENODEV;
+
+    slave = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
+
+    bt_hci_event_status(hci, HCI_SUCCESS);
+
+    params.status	= HCI_SUCCESS;
+    params.handle	= HNDL(handle);
+    params.clock_offset	= slave->clkoff;	/* XXX: Endianness */
+    bt_hci_event(hci, EVT_READ_CLOCK_OFFSET_COMPLETE,
+                    &params, EVT_READ_CLOCK_OFFSET_COMPLETE_SIZE);
+    return 0;
+}
+
+static void bt_hci_event_mode(struct bt_hci_s *hci, uint16_t handle,
+                int mode, int interval)
+{
+    evt_mode_change params = {
+        .status		= HCI_SUCCESS,
+        .handle		= HNDL(handle),
+        .mode		= mode,
+        .interval	= interval,	/* XXX: Endianness */
+    };
+    bt_hci_event(hci, EVT_MODE_CHANGE, &params, EVT_MODE_CHANGE_SIZE);
+}
+
+static int bt_hci_mode_change(struct bt_hci_s *hci, uint16_t handle,
+                int interval, int mode)
+{
+    struct bt_device_s *slave;
+
+    if (bt_hci_handle_bad(hci, handle))
+        return -ENODEV;
+    slave = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
+    if (slave->acl_mode != acl_active) {
+        bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED);
+        return 0;
+    }
+
+    bt_hci_event_status(hci, HCI_SUCCESS);
+
+    slave->acl_mode = mode;
+    qemu_mod_timer(slave->acl_mode_timer, qemu_get_clock(vm_clock) +
+                            muldiv64(interval * 625, ticks_per_sec, 1000000));
+    bt_hci_event_mode(hci, handle, mode, interval);
+    return 0;
+}
+
+static int bt_hci_mode_cancel(struct bt_hci_s *hci, uint16_t handle, int mode)
+{
+    struct bt_device_s *slave;
+
+    if (bt_hci_handle_bad(hci, handle))
+        return -ENODEV;
+    slave = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
+    if (slave->acl_mode != mode) {
+        bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED);
+        return 0;
+    }
+
+    bt_hci_event_status(hci, HCI_SUCCESS);
+
+    slave->acl_mode = acl_active;
+    qemu_del_timer(slave->acl_mode_timer);
+
+    bt_hci_event_mode(hci, handle, acl_active, 0);
+    return 0;
+}
+
+static void bt_hci_mode_tick(void *opaque)
+{
+    uint16_t handle;
+    struct bt_device_s **slave = (struct bt_device_s **) opaque;
+
+    handle = HCI_HANDLE_OFFSET | (
+                    (slave - (*slave)->acl_hci->lm.handle) /
+                    sizeof(struct bt_device_s *));
+
+    (*slave)->acl_mode = acl_active;
+    bt_hci_event_mode((*slave)->acl_hci, handle, acl_active, 0);
+}
+
+void bt_hci_reset(struct bt_hci_s *hci)
+{
+    hci->acl_len = 0;
+    hci->last_cmd = 0;
+
+    hci->event_mask[0] = 0xff;
+    hci->event_mask[1] = 0xff;
+    hci->event_mask[2] = 0xff;
+    hci->event_mask[3] = 0xff;
+    hci->event_mask[4] = 0xff;
+    hci->event_mask[5] = 0x1f;
+    hci->event_mask[6] = 0x00;
+    hci->event_mask[7] = 0x00;
+    hci->scan_enable = SCAN_DISABLED;
+    if (hci->local_name)
+        free((void *) hci->local_name);
+    hci->local_name = 0;
+    hci->local_class[0] = 0x00;
+    hci->local_class[1] = 0x00;
+    hci->local_class[2] = 0x00;
+    hci->voice_setting = 0x0000;
+
+    /* XXX: qemu_del_timer(sl->acl_mode_timer); for all slaves */
+    qemu_del_timer(hci->lm.inquiry_done);
+    qemu_del_timer(hci->lm.inquiry_next);
+
+    bt_hci_event_status(hci, HCI_SUCCESS);
+}
+
+static void bt_hci_read_local_version_rp(struct bt_hci_s *hci)
+{
+    read_local_version_rp lv = {
+        .status		= HCI_SUCCESS,
+        .hci_ver	= 0x03,
+        .hci_rev	= 0xa607,	/* XXX: Endianness */
+        .lmp_ver	= 0x03,
+        .manufacturer	= 0xa000,	/* XXX: Endianness */
+        .lmp_subver	= 0xa607,	/* XXX: Endianness */
+    };
+
+    bt_hci_event_complete(hci, &lv, READ_LOCAL_VERSION_RP_SIZE);
+}
+
+static void bt_hci_read_local_commands_rp(struct bt_hci_s *hci)
+{
+    read_local_commands_rp lc = {
+        .status		= HCI_SUCCESS,
+        .commands	= {
+            0xbf, 0x80, 0xf9, 0x03, 0xb2, 0xc0, 0x03, 0xc3,
+            0x00, 0x0f, 0x80, 0x00, 0x00, 0x00, 0xe8, 0x13,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        },
+    };
+
+    bt_hci_event_complete(hci, &lc, READ_LOCAL_COMMANDS_RP_SIZE);
+}
+
+static void bt_hci_read_local_features_rp(struct bt_hci_s *hci)
+{
+    read_local_features_rp lf = {
+        .status		= HCI_SUCCESS,
+        .features	= {
+            0x5f, 0x35, 0x85, 0x7e, 0x9b, 0x19, 0x00, 0x80,
+        },
+    };
+
+    bt_hci_event_complete(hci, &lf, READ_LOCAL_FEATURES_RP_SIZE);
+}
+
+static void bt_hci_read_local_ext_features_rp(struct bt_hci_s *hci, int page)
+{
+    read_local_ext_features_rp lef = {
+        .status		= HCI_SUCCESS,
+        .page_num	= page,
+        .max_page_num	= 0x00,
+        .features	= {
+            0x5f, 0x35, 0x85, 0x7e, 0x9b, 0x19, 0x00, 0x80,
+        },
+    };
+    if (page)
+        memset(lef.features, 0, sizeof(lef.features));
+
+    bt_hci_event_complete(hci, &lef, READ_LOCAL_EXT_FEATURES_RP_SIZE);
+}
+
+static void bt_hci_read_buffer_size_rp(struct bt_hci_s *hci)
+{
+    read_buffer_size_rp bs = {
+        .status		= HCI_SUCCESS,
+        .acl_mtu	= 0x0180,	/* XXX: Endianness */
+        .sco_mtu	= 0x40,
+        .acl_max_pkt	= 0x0008,	/* XXX: Endianness */
+        .sco_max_pkt	= 0x0008,	/* XXX: Endianness */
+    };
+
+    bt_hci_event_complete(hci, &bs, READ_BUFFER_SIZE_RP_SIZE);
+}
+
+static void bt_hci_read_country_code_rp(struct bt_hci_s *hci)
+{
+    /* This event seems to be undocumented, this code is a guess */
+    struct {
+        uint8_t status;
+        uint8_t code;
+    } cc = { 0x00, 0x00 };
+
+    bt_hci_event_complete(hci, &cc, 2);
+}
+
+static void bt_hci_read_bd_addr_rp(struct bt_hci_s *hci)
+{
+    read_bd_addr_rp ba = {
+        .status = HCI_SUCCESS,
+        .bdaddr = {{ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, }},
+    };
+
+    bt_hci_event_complete(hci, &ba, READ_BD_ADDR_RP_SIZE);
+}
+
+static int bt_hci_link_quality_rp(struct bt_hci_s *hci, uint16_t handle)
+{
+    read_link_quality_rp lq = {
+        .status		= HCI_SUCCESS,
+        .handle		= HNDL(handle),
+        .link_quality	= 0xff,
+    };
+
+    if (bt_hci_handle_bad(hci, handle))
+        lq.status = HCI_NO_CONNECTION;
+
+    bt_hci_event_complete(hci, &lq, READ_LINK_QUALITY_RP_SIZE);
+    return 0;
+}
+
+/* Generate a Command Complete event with only the Status parameter */
+static inline void bt_hci_event_complete_status(struct bt_hci_s *hci,
+                uint8_t status)
+{
+    bt_hci_event_complete(hci, &status, 1);
+}
+
+static inline void bt_hci_event_complete_conn_cancel(struct bt_hci_s *hci,
+                bdaddr_t *bd_addr)
+{
+    int i;
+    create_conn_cancel_rp params = {
+        .status = HCI_NO_CONNECTION,
+        .bdaddr = BAINIT(bd_addr),
+    };
+
+    for (i = 0; i < 16; i ++)
+        if (hci->lm.handle[i] && !bacmp(&hci->lm.handle[i]->bd_addr, bd_addr))
+            params.status = HCI_ACL_CONNECTION_EXISTS;
+
+    bt_hci_event_complete(hci, &params, CREATE_CONN_CANCEL_RP_SIZE);
+}
+
+static inline void bt_hci_event_auth_complete(struct bt_hci_s *hci,
+                uint16_t handle)
+{
+    evt_auth_complete params = {
+        .status = HCI_SUCCESS,
+        .handle = HNDL(handle),
+    };
+
+    bt_hci_event(hci, EVT_AUTH_COMPLETE, &params, EVT_AUTH_COMPLETE_SIZE);
+}
+
+static inline void bt_hci_event_encrypt_change(struct bt_hci_s *hci,
+                uint16_t handle, uint8_t mode)
+{
+    evt_encrypt_change params = {
+        .status		= HCI_SUCCESS,
+        .handle		= HNDL(handle),
+        .encrypt	= mode,
+    };
+
+    bt_hci_event(hci, EVT_ENCRYPT_CHANGE, &params, EVT_ENCRYPT_CHANGE_SIZE);
+}
+
+static inline void bt_hci_event_complete_name_cancel(struct bt_hci_s *hci,
+                bdaddr_t *bd_addr)
+{
+    remote_name_req_cancel_rp params = {
+        .status = HCI_INVALID_PARAMETERS,
+        .bdaddr = BAINIT(bd_addr),
+    };
+
+    bt_hci_event_complete(hci, &params, REMOTE_NAME_REQ_CANCEL_RP_SIZE);
+}
+
+static inline void bt_hci_event_read_remote_ext_features(struct bt_hci_s *hci,
+                uint16_t handle)
+{
+    evt_read_remote_ext_features_complete params = {
+        .status = HCI_UNSUPPORTED_FEATURE,
+        .handle = HNDL(handle),
+        /* Rest uninitialised */
+    };
+
+    bt_hci_event(hci, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE,
+                    &params, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE_SIZE);
+}
+
+static inline void bt_hci_event_complete_lmp_handle(struct bt_hci_s *hci,
+                uint16_t handle)
+{
+    read_lmp_handle_rp params = {
+        .status		= HCI_NO_CONNECTION,
+        .handle		= HNDL(handle),
+        .reserved	= 0,
+        /* Rest uninitialised */
+    };
+
+    bt_hci_event_complete(hci, &params, READ_LMP_HANDLE_RP_SIZE);
+}
+
+static inline void bt_hci_event_complete_role_discovery(struct bt_hci_s *hci,
+                int status, uint16_t handle)
+{
+    role_discovery_rp params = {
+        .status		= status,
+        .handle		= HNDL(handle),
+        .role		= 0x00,	/* Master */
+    };
+
+    bt_hci_event_complete(hci, &params, ROLE_DISCOVERY_RP_SIZE);
+}
+
+static inline void bt_hci_event_complete_flush(struct bt_hci_s *hci,
+                int status, uint16_t handle)
+{
+    flush_rp params = {
+        .status		= status,
+        .handle		= HNDL(handle),
+    };
+
+    bt_hci_event_complete(hci, &params, FLUSH_RP_SIZE);
+}
+
+static inline void bt_hci_event_complete_read_local_name(struct bt_hci_s *hci)
+{
+    read_local_name_rp params;
+    params.status = HCI_SUCCESS;
+    memset(params.name, 0, sizeof(params.name));
+    if (hci->local_name)
+        strncpy(params.name, hci->local_name, sizeof(params.name));
+
+    bt_hci_event_complete(hci, &params, READ_LOCAL_NAME_RP_SIZE);
+}
+
+static inline void bt_hci_event_complete_read_scan_enable(struct bt_hci_s *hci)
+{
+    read_scan_enable_rp params = {
+        .status = HCI_SUCCESS,
+        .enable = hci->scan_enable,
+    };
+
+    bt_hci_event_complete(hci, &params, READ_SCAN_ENABLE_RP_SIZE);
+}
+
+static inline void bt_hci_event_complete_read_local_class(struct bt_hci_s *hci)
+{
+    read_class_of_dev_rp params;
+    params.status = HCI_SUCCESS;
+    memcpy(params.dev_class, hci->local_class, sizeof(params.dev_class));
+
+    bt_hci_event_complete(hci, &params, READ_CLASS_OF_DEV_RP_SIZE);
+}
+
+static inline void bt_hci_event_complete_voice_setting(struct bt_hci_s *hci)
+{
+    read_voice_setting_rp params = {
+        .status		= HCI_SUCCESS,
+        .voice_setting	= hci->voice_setting,	/* XXX: Endianness */
+    };
+
+    bt_hci_event_complete(hci, &params, READ_VOICE_SETTING_RP_SIZE);
+}
+
+void bt_submit_hci(struct bt_hci_s *hci, int length, uint8_t *data)
+{
+    uint16_t cmd;
+    int paramlen, i;
+
+    if (length < 3)
+        return;
+
+    hci->last_cmd = *(uint16_t *) data;
+
+    cmd = (data[1] << 8) | data[0];
+    paramlen = data[2];
+    if (cmd_opcode_ogf(cmd) == 0 || cmd_opcode_ocf(cmd) == 0)	/* NOP */
+        return;
+
+    data += 3;
+    length -= 3;
+
+    if (paramlen > length)
+        return;
+
+#define PARAM(cmd, param)	(((cmd *) data)->param)
+#define PARAMHANDLE(cmd)	HNDL(((cmd *) data)->handle)
+    switch (cmd) {
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY):
+        hci->lm.inquire = 1;
+        hci->lm.periodic = 0;
+        hci->lm.responses_left = PARAM(inquiry_cp, num_rsp);
+        hci->lm.responses = 0;
+        bt_hci_event_status(hci, HCI_SUCCESS);
+        bt_hci_inquiry_start(hci, PARAM(inquiry_cp, length));
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY_CANCEL):
+        hci->lm.inquire = 0;
+        qemu_del_timer(hci->lm.inquiry_done);
+        bt_hci_event_complete_status(hci, HCI_SUCCESS);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_PERIODIC_INQUIRY):
+        hci->lm.inquire = 1;
+        hci->lm.periodic = 1;
+        hci->lm.responses_left = PARAM(periodic_inquiry_cp, num_rsp);
+        hci->lm.responses = 0;
+        hci->lm.inquiry_period = PARAM(periodic_inquiry_cp, max_period);
+        bt_hci_event_complete_status(hci, HCI_SUCCESS);
+        bt_hci_inquiry_start(hci, PARAM(periodic_inquiry_cp, length));
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_EXIT_PERIODIC_INQUIRY):
+        hci->lm.inquire = 0;
+        qemu_del_timer(hci->lm.inquiry_done);
+        qemu_del_timer(hci->lm.inquiry_next);
+        bt_hci_event_complete_status(hci, HCI_SUCCESS);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN):
+        if (bt_hci_connect(hci, &PARAM(create_conn_cp, bdaddr)))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_DISCONNECT):
+        if (bt_hci_disconnect(hci, PARAMHANDLE(disconnect_cp),
+                                PARAM(disconnect_cp, reason)))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN_CANCEL):
+        bt_hci_event_complete_conn_cancel(hci,
+                        &PARAM(create_conn_cancel_cp, bdaddr));
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_AUTH_REQUESTED):
+        if (bt_hci_handle_bad(hci, PARAMHANDLE(auth_requested_cp)))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        else {
+            bt_hci_event_status(hci, HCI_SUCCESS);
+            bt_hci_event_auth_complete(hci, PARAMHANDLE(auth_requested_cp));
+        }
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_SET_CONN_ENCRYPT):
+        if (bt_hci_handle_bad(hci, PARAMHANDLE(set_conn_encrypt_cp)))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        else {
+            bt_hci_event_status(hci, HCI_SUCCESS);
+            bt_hci_event_encrypt_change(hci,
+                            PARAMHANDLE(set_conn_encrypt_cp),
+                            PARAM(set_conn_encrypt_cp, encrypt));
+        }
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ):
+        if (bt_hci_name_req(hci, &PARAM(remote_name_req_cp, bdaddr)))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ_CANCEL):
+        bt_hci_event_complete_name_cancel(hci,
+                        &PARAM(remote_name_req_cancel_cp, bdaddr));
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_FEATURES):
+        if (bt_hci_features_req(hci, PARAMHANDLE(read_remote_features_cp)))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_EXT_FEATURES):
+        if (bt_hci_handle_bad(hci, PARAMHANDLE(read_remote_ext_features_cp)))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        else {
+            bt_hci_event_status(hci, HCI_SUCCESS);
+            bt_hci_event_read_remote_ext_features(hci,
+                            PARAMHANDLE(read_remote_ext_features_cp));
+        }
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_VERSION):
+        if (bt_hci_version_req(hci, PARAMHANDLE(read_remote_version_cp)))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_CLOCK_OFFSET):
+        if (bt_hci_clkoffset_req(hci, PARAMHANDLE(read_clock_offset_cp)))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_LMP_HANDLE):
+        bt_hci_event_complete_lmp_handle(hci, PARAMHANDLE(read_lmp_handle_cp));
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_POLICY, OCF_HOLD_MODE):
+        if (bt_hci_mode_change(hci, PARAMHANDLE(hold_mode_cp),
+                                PARAM(hold_mode_cp, max_interval), acl_hold))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_POLICY, OCF_PARK_MODE):
+        if (bt_hci_mode_change(hci, PARAMHANDLE(park_mode_cp),
+                                PARAM(park_mode_cp, max_interval), acl_parked))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_POLICY, OCF_EXIT_PARK_MODE):
+        if (bt_hci_mode_cancel(hci, PARAMHANDLE(exit_park_mode_cp),
+                                acl_parked))
+            bt_hci_event_status(hci, HCI_NO_CONNECTION);
+        break;
+
+    case cmd_opcode_pack(OGF_LINK_POLICY, OCF_ROLE_DISCOVERY):
+        if (bt_hci_handle_bad(hci, PARAMHANDLE(role_discovery_cp)))
+            bt_hci_event_complete_role_discovery(hci,
+                            HCI_NO_CONNECTION, PARAMHANDLE(role_discovery_cp));
+        else
+            bt_hci_event_complete_role_discovery(hci,
+                            HCI_SUCCESS, PARAMHANDLE(role_discovery_cp));
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_MASK):
+        memcpy(hci->event_mask, PARAM(set_event_mask_cp, mask), 8);
+        bt_hci_event_complete_status(hci, HCI_SUCCESS);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_RESET):
+        bt_hci_reset(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_FLT):
+        /* Filters are not implemented */
+        bt_hci_event_complete_status(hci, HCI_SUCCESS);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_FLUSH):
+        if (bt_hci_handle_bad(hci, PARAMHANDLE(flush_cp)))
+            bt_hci_event_complete_flush(hci,
+                            HCI_NO_CONNECTION, PARAMHANDLE(flush_cp));
+        else {
+            bt_hci_event(hci, EVT_FLUSH_OCCURRED,
+                            &PARAM(flush_cp, handle),
+                            EVT_FLUSH_OCCURRED_SIZE);
+            bt_hci_event_complete_flush(hci,
+                            HCI_SUCCESS, PARAMHANDLE(flush_cp));
+        }
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_CHANGE_LOCAL_NAME):
+        if (hci->local_name)
+            free((void *) hci->local_name);
+        hci->local_name = strdup(PARAM(change_local_name_cp, name));
+        bt_hci_event_complete_status(hci, HCI_SUCCESS);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_LOCAL_NAME):
+        bt_hci_event_complete_read_local_name(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_SCAN_ENABLE):
+        bt_hci_event_complete_read_scan_enable(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_SCAN_ENABLE):
+        hci->scan_enable = PARAM(write_scan_enable_cp, scan_enable);
+        bt_hci_event_complete_status(hci, HCI_SUCCESS);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_CLASS_OF_DEV):
+        bt_hci_event_complete_read_local_class(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_CLASS_OF_DEV):
+        memcpy(hci->local_class, PARAM(write_class_of_dev_cp, dev_class), 3);
+        bt_hci_event_complete_status(hci, HCI_SUCCESS);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_VOICE_SETTING):
+        bt_hci_event_complete_voice_setting(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_VOICE_SETTING):
+        hci->voice_setting = PARAM(write_voice_setting_cp, voice_setting);
+        bt_hci_event_complete_status(hci, HCI_SUCCESS);
+        break;
+
+    case cmd_opcode_pack(OGF_HOST_CTL, OCF_HOST_NUMBER_OF_COMPLETED_PACKETS):
+        for (i = 0; i < data[0]; i ++)
+            if (bt_hci_handle_bad(hci,
+                                    data[i * 2 + 1] | (data[i * 2 + 2] << 16)))
+                bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
+        break;
+
+    case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_VERSION):
+        bt_hci_read_local_version_rp(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_COMMANDS):
+        bt_hci_read_local_commands_rp(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_FEATURES):
+        bt_hci_read_local_features_rp(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_EXT_FEATURES):
+        bt_hci_read_local_ext_features_rp(hci,
+                        PARAM(read_local_ext_features_cp, page_num));
+        break;
+
+    case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BUFFER_SIZE):
+        bt_hci_read_buffer_size_rp(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_COUNTRY_CODE):
+        bt_hci_read_country_code_rp(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BD_ADDR):
+        bt_hci_read_bd_addr_rp(hci);
+        break;
+
+    case cmd_opcode_pack(OGF_STATUS_PARAM, OCF_READ_LINK_QUALITY):
+        bt_hci_link_quality_rp(hci, PARAMHANDLE(read_link_quality_cp));
+        break;
+
+    default:
+        bt_hci_event_status(hci, HCI_UNKNOWN_COMMAND);
+    }
+}
+
+void bt_submit_acl(struct bt_hci_s *hci, int length, uint8_t *data)
+{
+    uint16_t handle;
+    int datalen, flags;
+
+    if (length < 4)
+        return;
+
+    handle = acl_handle((data[1] << 8) | data[0]);
+    flags = acl_flags((data[1] << 8) | data[0]);
+    datalen = (data[3] << 8) | data[2];
+    data += 4;
+    length -= 4;
+
+    if (datalen > length);
+        return;
+
+    switch (flags & 3) {
+    case ACL_CONT:
+        memcpy(hci->acl_buf + hci->acl_len, data + 4, datalen);
+        hci->acl_len += datalen;
+        break;
+    case ACL_START:
+        memcpy(hci->acl_buf, data + 4, datalen);
+        hci->acl_len = datalen;
+        break;
+    default:
+        return;
+    }
+
+    if (flags & ACL_ACTIVE_BCAST)
+        hci->asb_handle = handle;
+
+    if (flags & ACL_PICO_BCAST)
+        hci->psb_handle = handle;
+
+    /* TODO */
+}
+
+void bt_submit_sco(struct bt_hci_s *hci, int length, uint8_t *data)
+{
+    uint16_t handle;
+    int datalen;
+
+    if (length < 3)
+        return;
+
+    handle = acl_handle((data[1] << 8) | data[0]);
+    datalen = data[2];
+    data += 3;
+    length -= 3;
+
+    if (datalen > length);
+        return;
+
+    /* TODO */
+}
+
+void bt_hci_init(struct bt_hci_s *hci)
+{
+    hci->lm.inquiry_done = qemu_new_timer(vm_clock, bt_hci_inquiry_done, hci);
+    hci->lm.inquiry_next = qemu_new_timer(vm_clock, bt_hci_inquiry_next, hci);
+}
+
+void bt_hci_done(struct bt_hci_s *hci)
+{
+    if (hci->local_name)
+        free((void *) hci->local_name);
+
+    /* XXX: Send DISCONNECT to all slaves */
+    qemu_free_timer(hci->lm.inquiry_done);
+    qemu_free_timer(hci->lm.inquiry_next);
+}

Added: trunk/src/host/qemu-neo1973/hw/bt.h
===================================================================
--- trunk/src/host/qemu-neo1973/hw/bt.h	2007-06-13 17:12:06 UTC (rev 2242)
+++ trunk/src/host/qemu-neo1973/hw/bt.h	2007-06-13 17:13:50 UTC (rev 2243)
@@ -0,0 +1,1558 @@
+/*
+ * QEMU Bluetooth HCI helpers.
+ *
+ * Copyright (C) 2007 OpenMoko, Inc.
+ * Written by Andrzej Zaborowski <andrew at openedhand.com>
+ *
+ * Useful definitions taken from BlueZ project's include/hci.h
+ *
+ * Copyright (C) 2000-2001  Qualcomm Incorporated
+ * Copyright (C) 2002-2003  Maxim Krasnyansky <maxk at qualcomm.com>
+ * Copyright (C) 2002-2006  Marcel Holtmann <marcel at holtmann.org>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+ * MA  02110-1301  USA
+ */
+
+/* BD Address */
+typedef struct {
+    uint8_t b[6];
+} __attribute__((packed)) bdaddr_t;
+
+#define BDADDR_ANY	(&(bdaddr_t) {{0, 0, 0, 0, 0, 0}})
+#define BDADDR_ALL	(&(bdaddr_t) {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}})
+#define BDADDR_LOCAL	(&(bdaddr_t) {{0, 0, 0, 0xff, 0xff, 0xff}})
+
+/* Copy, swap, convert BD Address */
+static inline int bacmp(const bdaddr_t *ba1, const bdaddr_t *ba2)
+{
+    return memcmp(ba1, ba2, sizeof(bdaddr_t));
+}
+static inline void bacpy(bdaddr_t *dst, const bdaddr_t *src)
+{
+    memcpy(dst, src, sizeof(bdaddr_t));
+}
+
+#define BAINIT(orig)	{ .b = {	\
+    orig->b[0], orig->b[1], orig->b[2], orig->b[3], orig->b[4], orig->b[5], \
+}, }
+
+struct bt_device_s;
+struct bt_piconet_s;
+struct bt_hci_s;
+
+struct bt_piconet_s {
+    struct bt_device_s *slave;
+};
+
+struct bt_device_s {
+    int lt_addr;
+    bdaddr_t bd_addr;
+    int mtu;
+    int setup;
+
+    uint64_t lmp_caps;
+    uint8_t key[16];
+    int key_present;
+    const char *lmp_name;
+    uint8_t class[3];
+
+    struct bt_device_s *next;
+
+    enum {
+        acl_active,
+        acl_hold,
+        acl_sniff,
+        acl_parked,
+    } acl_mode;
+    QEMUTimer *acl_mode_timer;
+    struct bt_hci_s *acl_hci;
+    uint16_t clkoff;
+};
+
+#define LLID_ACLU_CONT		0x1
+#define LLID_ACLU_START		0x2
+#define LLID_ACLC		0x3
+
+#define LMP_NAME_REQ		0x0001
+#define LMP_NAME_RES		0x0002
+#define LMP_ACCEPTED		0x0003
+#define LMP_NOT_ACCEPTED	0x0004
+#define LMP_CLKOFFSET_REQ	0x0005
+#define LMP_CLKOFFSET_RES	0x0006
+#define LMP_DETACH		0x0007
+#define LMP_IN_RAND		0x0008
+#define LMP_COMB_KEY		0x0009
+#define LMP_UNIT_KEY		0x000a
+#define LMP_AU_RAND		0x000b
+#define LMP_SRES		0x000c
+#define LMP_TEMP_RAND		0x000d
+#define LMP_TEMP_KEY		0x000e
+#define LMP_CRYPT_MODE_REQ	0x000f
+#define LMP_CRYPT_KEY_SIZE_REQ	0x0010
+#define LMP_START_ENCRYPT_REQ	0x0011
+#define LMP_STOP_ENCRYPT_REQ	0x0012
+#define LMP_SWITCH_REQ		0x0013
+#define LMP_HOLD		0x0014
+#define LMP_HOLD_REQ		0x0015
+#define LMP_SNIFF_REQ		0x0017
+#define LMP_UNSNIFF_REQ		0x0018
+#define LMP_LMP_PARK_REQ	0x0019
+#define LMP_SET_BCAST_SCAN_WND	0x001b
+#define LMP_MODIFY_BEACON	0x001c
+#define LMP_UNPARK_BD_ADDR_REQ	0x001d
+#define LMP_UNPARK_PM_ADDR_REQ	0x001e
+#define LMP_INCR_POWER_REQ	0x001f
+#define LMP_DECR_POWER_REQ	0x0020
+#define LMP_MAX_POWER		0x0021
+#define LMP_MIN_POWER		0x0022
+#define LMP_AUTO_RATE		0x0023
+#define LMP_PREFERRED_RATE	0x0024
+#define LMP_VERSION_REQ		0x0025
+#define LMP_VERSION_RES		0x0026
+#define LMP_FEATURES_REQ	0x0027
+#define LMP_FEATURES_RES	0x0028
+#define LMP_QUALITY_OF_SERVICE	0x0029
+#define LMP_QOS_REQ		0x002a
+#define LMP_RM_SCO_LINK_REQ	0x002b
+#define LMP_SCO_LINK_REQ	0x002c
+#define LMP_MAX_SLOT		0x002d
+#define LMP_MAX_SLOT_REQ	0x002e
+#define LMP_TIMING_ACCURACY_REQ	0x002f
+#define LMP_TIMING_ACCURACY_RES	0x0030
+#define LMP_SETUP_COMPLETE	0x0031
+#define LMP_USE_SEMIPERM_KEY	0x0032
+#define LMP_HOST_CONNECTION_REQ	0x0033
+#define LMP_SLOT_OFFSET		0x0034
+#define LMP_PAGE_MODE_REQ	0x0035
+#define LMP_PAGE_SCAN_MODE_REQ	0x0036
+#define LMP_SUPERVISION_TIMEOUT	0x0037
+#define LMP_TEST_ACTIVATE	0x0038
+#define LMP_TEST_CONTROL	0x0039
+#define LMP_CRYPT_KEY_MASK_REQ	0x003a
+#define LMP_CRYPT_KEY_MASK_RES	0x003b
+#define LMP_SET_AFH		0x003c
+#define LMP_ACCEPTED_EXT	0x7f01
+#define LMP_NOT_ACCEPTED_EXT	0x7f02
+#define LMP_FEATURES_REQ_EXT	0x7f03
+#define LMP_FEATURES_RES_EXT	0x7f04
+#define LMP_PACKET_TYPE_TBL_REQ	0x7f0b
+#define LMP_ESCO_LINK_REQ	0x7f0c
+#define LMP_RM_ESCO_LINK_REQ	0x7f0d
+#define LMP_CHANNEL_CLASS_REQ	0x7f10
+#define LMP_CHANNEL_CLASS	0x7f11
+
+struct bt_hci_s {
+    void *opaque;
+    struct bt_piconet_s *net;
+
+    uint8_t *(*evt_packet)(void *opaque);
+    void (*evt_submit)(void *opaque, int len);
+    void (*acl_submit)(void *opaque, uint8_t *data, int len);
+    void (*sco_submit)(void *opaque, uint8_t *data, int len);
+
+    uint8_t acl_buf[4096];
+    int acl_len;
+
+    uint16_t asb_handle;
+    uint16_t psb_handle;
+
+    int last_cmd;
+
+    struct {
+        int inquire;
+        int periodic;
+        int responses_left;
+        int responses;
+        QEMUTimer *inquiry_done;
+        QEMUTimer *inquiry_next;
+        int inquiry_length;
+        int inquiry_period;
+
+#define HCI_HANDLE_OFFSET	0x20
+        struct bt_device_s *handle[16];
+        int last_handle;
+    } lm;
+
+    uint8_t event_mask[8];
+    const char *local_name;
+    uint8_t scan_enable;
+    uint8_t local_class[3];
+    uint16_t voice_setting;
+};
+
+void bt_hci_reset(struct bt_hci_s *hci);
+void bt_hci_init(struct bt_hci_s *hci);
+void bt_hci_done(struct bt_hci_s *hci);
+void bt_submit_hci(struct bt_hci_s *hci, int length, uint8_t *data);
+void bt_submit_acl(struct bt_hci_s *hci, int length, uint8_t *data);
+void bt_submit_sco(struct bt_hci_s *hci, int length, uint8_t *data);
+
+/* HCI Packet types */
+#define HCI_COMMAND_PKT		0x01
+#define HCI_ACLDATA_PKT		0x02
+#define HCI_SCODATA_PKT		0x03
+#define HCI_EVENT_PKT		0x04
+#define HCI_VENDOR_PKT		0xff
+
+/* HCI Packet types */
+#define HCI_2DH1	0x0002
+#define HCI_3DH1	0x0004
+#define HCI_DM1		0x0008
+#define HCI_DH1		0x0010
+#define HCI_2DH3	0x0100
+#define HCI_3DH3	0x0200
+#define HCI_DM3		0x0400
+#define HCI_DH3		0x0800
+#define HCI_2DH5	0x1000
+#define HCI_3DH5	0x2000
+#define HCI_DM5		0x4000
+#define HCI_DH5		0x8000
+
+#define HCI_HV1		0x0020
+#define HCI_HV2		0x0040
+#define HCI_HV3		0x0080
+
+#define HCI_EV3		0x0008
+#define HCI_EV4		0x0010
+#define HCI_EV5		0x0020
+#define HCI_2EV3	0x0040
+#define HCI_3EV3	0x0080
+#define HCI_2EV5	0x0100
+#define HCI_3EV5	0x0200
+
+#define SCO_PTYPE_MASK	(HCI_HV1 | HCI_HV2 | HCI_HV3)
+#define ACL_PTYPE_MASK	(HCI_DM1 | HCI_DH1 | HCI_DM3 | HCI_DH3 | HCI_DM5 | HCI_DH5)
+
+/* HCI Error codes */
+#define HCI_SUCCESS				0x00
+#define HCI_UNKNOWN_COMMAND			0x01
+#define HCI_NO_CONNECTION			0x02
+#define HCI_HARDWARE_FAILURE			0x03
+#define HCI_PAGE_TIMEOUT			0x04
+#define HCI_AUTHENTICATION_FAILURE		0x05
+#define HCI_PIN_OR_KEY_MISSING			0x06
+#define HCI_MEMORY_FULL				0x07
+#define HCI_CONNECTION_TIMEOUT			0x08
+#define HCI_MAX_NUMBER_OF_CONNECTIONS		0x09
+#define HCI_MAX_NUMBER_OF_SCO_CONNECTIONS	0x0a
+#define HCI_ACL_CONNECTION_EXISTS		0x0b
+#define HCI_COMMAND_DISALLOWED			0x0c
+#define HCI_REJECTED_LIMITED_RESOURCES		0x0d
+#define HCI_REJECTED_SECURITY			0x0e
+#define HCI_REJECTED_PERSONAL			0x0f
+#define HCI_HOST_TIMEOUT			0x10
+#define HCI_UNSUPPORTED_FEATURE			0x11
+#define HCI_INVALID_PARAMETERS			0x12
+#define HCI_OE_USER_ENDED_CONNECTION		0x13
+#define HCI_OE_LOW_RESOURCES			0x14
+#define HCI_OE_POWER_OFF			0x15
+#define HCI_CONNECTION_TERMINATED		0x16
+#define HCI_REPEATED_ATTEMPTS			0x17
+#define HCI_PAIRING_NOT_ALLOWED			0x18
+#define HCI_UNKNOWN_LMP_PDU			0x19
+#define HCI_UNSUPPORTED_REMOTE_FEATURE		0x1a
+#define HCI_SCO_OFFSET_REJECTED			0x1b
+#define HCI_SCO_INTERVAL_REJECTED		0x1c
+#define HCI_AIR_MODE_REJECTED			0x1d
+#define HCI_INVALID_LMP_PARAMETERS		0x1e
+#define HCI_UNSPECIFIED_ERROR			0x1f
+#define HCI_UNSUPPORTED_LMP_PARAMETER_VALUE	0x20
+#define HCI_ROLE_CHANGE_NOT_ALLOWED		0x21
+#define HCI_LMP_RESPONSE_TIMEOUT		0x22
+#define HCI_LMP_ERROR_TRANSACTION_COLLISION	0x23
+#define HCI_LMP_PDU_NOT_ALLOWED			0x24
+#define HCI_ENCRYPTION_MODE_NOT_ACCEPTED	0x25
+#define HCI_UNIT_LINK_KEY_USED			0x26
+#define HCI_QOS_NOT_SUPPORTED			0x27
+#define HCI_INSTANT_PASSED			0x28
+#define HCI_PAIRING_NOT_SUPPORTED		0x29
+#define HCI_TRANSACTION_COLLISION		0x2a
+#define HCI_QOS_UNACCEPTABLE_PARAMETER		0x2c
+#define HCI_QOS_REJECTED			0x2d
+#define HCI_CLASSIFICATION_NOT_SUPPORTED	0x2e
+#define HCI_INSUFFICIENT_SECURITY		0x2f
+#define HCI_PARAMETER_OUT_OF_RANGE		0x30
+#define HCI_ROLE_SWITCH_PENDING			0x32
+#define HCI_SLOT_VIOLATION			0x34
+#define HCI_ROLE_SWITCH_FAILED			0x35
+
+/* ACL flags */
+#define ACL_CONT		0x01
+#define ACL_START		0x02
+#define ACL_ACTIVE_BCAST	0x04
+#define ACL_PICO_BCAST		0x08
+
+/* Baseband links */
+#define SCO_LINK	0x00
+#define ACL_LINK	0x01
+
+/* LMP features */
+#define LMP_3SLOT	0x01
+#define LMP_5SLOT	0x02
+#define LMP_ENCRYPT	0x04
+#define LMP_SOFFSET	0x08
+#define LMP_TACCURACY	0x10
+#define LMP_RSWITCH	0x20
+#define LMP_HOLD_MODE	0x40
+#define LMP_SNIFF_MODE	0x80
+
+#define LMP_PARK	0x01
+#define LMP_RSSI	0x02
+#define LMP_QUALITY	0x04
+#define LMP_SCO		0x08
+#define LMP_HV2		0x10
+#define LMP_HV3		0x20
+#define LMP_ULAW	0x40
+#define LMP_ALAW	0x80
+
+#define LMP_CVSD	0x01
+#define LMP_PSCHEME	0x02
+#define LMP_PCONTROL	0x04
+#define LMP_TRSP_SCO	0x08
+#define LMP_BCAST_ENC	0x80
+
+#define LMP_EDR_ACL_2M	0x02
+#define LMP_EDR_ACL_3M	0x04
+#define LMP_ENH_ISCAN	0x08
+#define LMP_ILACE_ISCAN	0x10
+#define LMP_ILACE_PSCAN	0x20
+#define LMP_RSSI_INQ	0x40
+#define LMP_ESCO	0x80
+
+#define LMP_EV4		0x01
+#define LMP_EV5		0x02
+#define LMP_AFH_CAP_SLV	0x08
+#define LMP_AFH_CLS_SLV	0x10
+#define LMP_EDR_3SLOT	0x80
+
+#define LMP_EDR_5SLOT	0x01
+#define LMP_SNIFF_SUBR	0x02
+#define LMP_AFH_CAP_MST	0x08
+#define LMP_AFH_CLS_MST	0x10
+#define LMP_EDR_ESCO_2M	0x20
+#define LMP_EDR_ESCO_3M	0x40
+#define LMP_EDR_3S_ESCO	0x80
+
+#define LMP_EXT_INQ	0x01
+
+#define LMP_EXT_FEAT	0x80
+
+/* Link policies */
+#define HCI_LP_RSWITCH	0x0001
+#define HCI_LP_HOLD	0x0002
+#define HCI_LP_SNIFF	0x0004
+#define HCI_LP_PARK	0x0008
+
+/* Link mode */
+#define HCI_LM_ACCEPT	0x8000
+#define HCI_LM_MASTER	0x0001
+#define HCI_LM_AUTH	0x0002
+#define HCI_LM_ENCRYPT	0x0004
+#define HCI_LM_TRUSTED	0x0008
+#define HCI_LM_RELIABLE	0x0010
+#define HCI_LM_SECURE	0x0020
+
+/* -----  HCI Commands ----- */
+
+/* Link Control */
+#define OGF_LINK_CTL		0x01
+
+#define OCF_INQUIRY			0x0001
+typedef struct {
+	uint8_t		lap[3];
+	uint8_t		length;		/* 1.28s units */
+	uint8_t		num_rsp;
+} __attribute__ ((packed)) inquiry_cp;
+#define INQUIRY_CP_SIZE 5
+
+typedef struct {
+	uint8_t		status;
+	bdaddr_t	bdaddr;
+} __attribute__ ((packed)) status_bdaddr_rp;
+#define STATUS_BDADDR_RP_SIZE 7
+
+#define OCF_INQUIRY_CANCEL		0x0002
+
+#define OCF_PERIODIC_INQUIRY		0x0003
+typedef struct {
+	uint16_t	max_period;	/* 1.28s units */
+	uint16_t	min_period;	/* 1.28s units */
+	uint8_t		lap[3];
+	uint8_t		length;		/* 1.28s units */
+	uint8_t		num_rsp;
+} __attribute__ ((packed)) periodic_inquiry_cp;
+#define PERIODIC_INQUIRY_CP_SIZE 9
+
+#define OCF_EXIT_PERIODIC_INQUIRY	0x0004
+
+#define OCF_CREATE_CONN			0x0005
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint16_t	pkt_type;
+	uint8_t		pscan_rep_mode;
+	uint8_t		pscan_mode;
+	uint16_t	clock_offset;
+	uint8_t		role_switch;
+} __attribute__ ((packed)) create_conn_cp;
+#define CREATE_CONN_CP_SIZE 13
+
+#define OCF_DISCONNECT			0x0006
+typedef struct {
+	uint16_t	handle;
+	uint8_t		reason;
+} __attribute__ ((packed)) disconnect_cp;
+#define DISCONNECT_CP_SIZE 3
+
+#define OCF_ADD_SCO			0x0007
+typedef struct {
+	uint16_t	handle;
+	uint16_t	pkt_type;
+} __attribute__ ((packed)) add_sco_cp;
+#define ADD_SCO_CP_SIZE 4
+
+#define OCF_CREATE_CONN_CANCEL		0x0008
+typedef struct {
+	uint8_t		status;
+	bdaddr_t	bdaddr;
+} __attribute__ ((packed)) create_conn_cancel_cp;
+#define CREATE_CONN_CANCEL_CP_SIZE 6
+
+typedef struct {
+	uint8_t		status;
+	bdaddr_t	bdaddr;
+} __attribute__ ((packed)) create_conn_cancel_rp;
+#define CREATE_CONN_CANCEL_RP_SIZE 7
+
+#define OCF_ACCEPT_CONN_REQ		0x0009
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		role;
+} __attribute__ ((packed)) accept_conn_req_cp;
+#define ACCEPT_CONN_REQ_CP_SIZE	7
+
+#define OCF_REJECT_CONN_REQ		0x000A
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		reason;
+} __attribute__ ((packed)) reject_conn_req_cp;
+#define REJECT_CONN_REQ_CP_SIZE	7
+
+#define OCF_LINK_KEY_REPLY		0x000B
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		link_key[16];
+} __attribute__ ((packed)) link_key_reply_cp;
+#define LINK_KEY_REPLY_CP_SIZE 22
+
+#define OCF_LINK_KEY_NEG_REPLY		0x000C
+
+#define OCF_PIN_CODE_REPLY		0x000D
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		pin_len;
+	uint8_t		pin_code[16];
+} __attribute__ ((packed)) pin_code_reply_cp;
+#define PIN_CODE_REPLY_CP_SIZE 23
+
+#define OCF_PIN_CODE_NEG_REPLY		0x000E
+
+#define OCF_SET_CONN_PTYPE		0x000F
+typedef struct {
+	uint16_t	 handle;
+	uint16_t	 pkt_type;
+} __attribute__ ((packed)) set_conn_ptype_cp;
+#define SET_CONN_PTYPE_CP_SIZE 4
+
+#define OCF_AUTH_REQUESTED		0x0011
+typedef struct {
+	uint16_t	 handle;
+} __attribute__ ((packed)) auth_requested_cp;
+#define AUTH_REQUESTED_CP_SIZE 2
+
+#define OCF_SET_CONN_ENCRYPT		0x0013
+typedef struct {
+	uint16_t	handle;
+	uint8_t		encrypt;
+} __attribute__ ((packed)) set_conn_encrypt_cp;
+#define SET_CONN_ENCRYPT_CP_SIZE 3
+
+#define OCF_CHANGE_CONN_LINK_KEY	0x0015
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) change_conn_link_key_cp;
+#define CHANGE_CONN_LINK_KEY_CP_SIZE 2
+
+#define OCF_MASTER_LINK_KEY		0x0017
+typedef struct {
+	uint8_t		key_flag;
+} __attribute__ ((packed)) master_link_key_cp;
+#define MASTER_LINK_KEY_CP_SIZE 1
+
+#define OCF_REMOTE_NAME_REQ		0x0019
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		pscan_rep_mode;
+	uint8_t		pscan_mode;
+	uint16_t	clock_offset;
+} __attribute__ ((packed)) remote_name_req_cp;
+#define REMOTE_NAME_REQ_CP_SIZE 10
+
+#define OCF_REMOTE_NAME_REQ_CANCEL	0x001A
+typedef struct {
+	bdaddr_t	bdaddr;
+} __attribute__ ((packed)) remote_name_req_cancel_cp;
+#define REMOTE_NAME_REQ_CANCEL_CP_SIZE 6
+
+typedef struct {
+	uint8_t		status;
+	bdaddr_t	bdaddr;
+} __attribute__ ((packed)) remote_name_req_cancel_rp;
+#define REMOTE_NAME_REQ_CANCEL_RP_SIZE 7
+
+#define OCF_READ_REMOTE_FEATURES	0x001B
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) read_remote_features_cp;
+#define READ_REMOTE_FEATURES_CP_SIZE 2
+
+#define OCF_READ_REMOTE_EXT_FEATURES	0x001C
+typedef struct {
+	uint16_t	handle;
+	uint8_t		page_num;
+} __attribute__ ((packed)) read_remote_ext_features_cp;
+#define READ_REMOTE_EXT_FEATURES_CP_SIZE 3
+
+#define OCF_READ_REMOTE_VERSION		0x001D
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) read_remote_version_cp;
+#define READ_REMOTE_VERSION_CP_SIZE 2
+
+#define OCF_READ_CLOCK_OFFSET		0x001F
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) read_clock_offset_cp;
+#define READ_CLOCK_OFFSET_CP_SIZE 2
+
+#define OCF_READ_LMP_HANDLE		0x0020
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) read_lmp_handle_cp;
+#define READ_LMP_HANDLE_CP_SIZE 2
+
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		lmp_handle;
+	uint32_t	reserved;
+} __attribute__ ((packed)) read_lmp_handle_rp;
+#define READ_LMP_HANDLE_RP_SIZE 8
+
+#define OCF_SETUP_SYNC_CONN		0x0028
+typedef struct {
+	uint16_t	handle;
+	uint32_t	tx_bandwith;
+	uint32_t	rx_bandwith;
+	uint16_t	max_latency;
+	uint16_t	voice_setting;
+	uint8_t		retrans_effort;
+	uint16_t	pkt_type;
+} __attribute__ ((packed)) setup_sync_conn_cp;
+#define SETUP_SYNC_CONN_CP_SIZE 17
+
+#define OCF_ACCEPT_SYNC_CONN_REQ	0x0029
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint32_t	tx_bandwith;
+	uint32_t	rx_bandwith;
+	uint16_t	max_latency;
+	uint16_t	voice_setting;
+	uint8_t		retrans_effort;
+	uint16_t	pkt_type;
+} __attribute__ ((packed)) accept_sync_conn_req_cp;
+#define ACCEPT_SYNC_CONN_REQ_CP_SIZE 21
+
+#define OCF_REJECT_SYNC_CONN_REQ	0x002A
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		reason;
+} __attribute__ ((packed)) reject_sync_conn_req_cp;
+#define REJECT_SYNC_CONN_REQ_CP_SIZE 7
+
+/* Link Policy */
+#define OGF_LINK_POLICY		0x02
+
+#define OCF_HOLD_MODE			0x0001
+typedef struct {
+	uint16_t	handle;
+	uint16_t	max_interval;
+	uint16_t	min_interval;
+} __attribute__ ((packed)) hold_mode_cp;
+#define HOLD_MODE_CP_SIZE 6
+
+#define OCF_SNIFF_MODE			0x0003
+typedef struct {
+	uint16_t	handle;
+	uint16_t	max_interval;
+	uint16_t	min_interval;
+	uint16_t	attempt;
+	uint16_t	timeout;
+} __attribute__ ((packed)) sniff_mode_cp;
+#define SNIFF_MODE_CP_SIZE 10
+
+#define OCF_EXIT_SNIFF_MODE		0x0004
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) exit_sniff_mode_cp;
+#define EXIT_SNIFF_MODE_CP_SIZE 2
+
+#define OCF_PARK_MODE			0x0005
+typedef struct {
+	uint16_t	handle;
+	uint16_t	max_interval;
+	uint16_t	min_interval;
+} __attribute__ ((packed)) park_mode_cp;
+#define PARK_MODE_CP_SIZE 6
+
+#define OCF_EXIT_PARK_MODE		0x0006
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) exit_park_mode_cp;
+#define EXIT_PARK_MODE_CP_SIZE 2
+
+#define OCF_QOS_SETUP			0x0007
+typedef struct {
+	uint8_t		service_type;		/* 1 = best effort */
+	uint32_t	token_rate;		/* Byte per seconds */
+	uint32_t	peak_bandwidth;		/* Byte per seconds */
+	uint32_t	latency;		/* Microseconds */
+	uint32_t	delay_variation;	/* Microseconds */
+} __attribute__ ((packed)) hci_qos;
+#define HCI_QOS_CP_SIZE 17
+typedef struct {
+	uint16_t 	handle;
+	uint8_t 	flags;			/* Reserved */
+	hci_qos 	qos;
+} __attribute__ ((packed)) qos_setup_cp;
+#define QOS_SETUP_CP_SIZE (3 + HCI_QOS_CP_SIZE)
+
+#define OCF_ROLE_DISCOVERY		0x0009
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) role_discovery_cp;
+#define ROLE_DISCOVERY_CP_SIZE 2
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		role;
+} __attribute__ ((packed)) role_discovery_rp;
+#define ROLE_DISCOVERY_RP_SIZE 4
+
+#define OCF_SWITCH_ROLE			0x000B
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		role;
+} __attribute__ ((packed)) switch_role_cp;
+#define SWITCH_ROLE_CP_SIZE 7
+
+#define OCF_READ_LINK_POLICY		0x000C
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) read_link_policy_cp;
+#define READ_LINK_POLICY_CP_SIZE 2
+typedef struct {
+	uint8_t 	status;
+	uint16_t	handle;
+	uint16_t	policy;
+} __attribute__ ((packed)) read_link_policy_rp;
+#define READ_LINK_POLICY_RP_SIZE 5
+
+#define OCF_WRITE_LINK_POLICY		0x000D
+typedef struct {
+	uint16_t	handle;
+	uint16_t	policy;
+} __attribute__ ((packed)) write_link_policy_cp;
+#define WRITE_LINK_POLICY_CP_SIZE 4
+typedef struct {
+	uint8_t 	status;
+	uint16_t	handle;
+} __attribute__ ((packed)) write_link_policy_rp;
+#define WRITE_LINK_POLICY_RP_SIZE 3
+
+#define OCF_READ_DEFAULT_LINK_POLICY	0x000E
+
+#define OCF_WRITE_DEFAULT_LINK_POLICY	0x000F
+
+#define OCF_FLOW_SPECIFICATION		0x0010
+
+#define OCF_SNIFF_SUBRATE		0x0011
+typedef struct {
+	uint16_t	handle;
+	uint16_t	max_remote_latency;
+	uint16_t	max_local_latency;
+	uint16_t	min_remote_timeout;
+	uint16_t	min_local_timeout;
+} __attribute__ ((packed)) sniff_subrate_cp;
+#define SNIFF_SUBRATE_CP_SIZE 10
+
+/* Host Controller and Baseband */
+#define OGF_HOST_CTL		0x03
+
+#define OCF_SET_EVENT_MASK		0x0001
+typedef struct {
+	uint8_t		mask[8];
+} __attribute__ ((packed)) set_event_mask_cp;
+#define SET_EVENT_MASK_CP_SIZE 8
+
+#define OCF_RESET			0x0003
+
+#define OCF_SET_EVENT_FLT		0x0005
+typedef struct {
+	uint8_t		flt_type;
+	uint8_t		cond_type;
+	uint8_t		condition[0];
+} __attribute__ ((packed)) set_event_flt_cp;
+#define SET_EVENT_FLT_CP_SIZE 2
+
+/* Filter types */
+#define FLT_CLEAR_ALL			0x00
+#define FLT_INQ_RESULT			0x01
+#define FLT_CONN_SETUP			0x02
+/* INQ_RESULT Condition types */
+#define INQ_RESULT_RETURN_ALL		0x00
+#define INQ_RESULT_RETURN_CLASS		0x01
+#define INQ_RESULT_RETURN_BDADDR	0x02
+/* CONN_SETUP Condition types */
+#define CONN_SETUP_ALLOW_ALL		0x00
+#define CONN_SETUP_ALLOW_CLASS		0x01
+#define CONN_SETUP_ALLOW_BDADDR		0x02
+/* CONN_SETUP Conditions */
+#define CONN_SETUP_AUTO_OFF		0x01
+#define CONN_SETUP_AUTO_ON		0x02
+
+#define OCF_FLUSH			0x0008
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) flush_cp;
+#define FLUSH_CP_SIZE 2
+
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+} __attribute__ ((packed)) flush_rp;
+#define FLUSH_RP_SIZE 3
+
+#define OCF_READ_PIN_TYPE		0x0009
+typedef struct {
+	uint8_t		status;
+	uint8_t		pin_type;
+} __attribute__ ((packed)) read_pin_type_rp;
+#define READ_PIN_TYPE_RP_SIZE 2
+
+#define OCF_WRITE_PIN_TYPE		0x000A
+typedef struct {
+	uint8_t		pin_type;
+} __attribute__ ((packed)) write_pin_type_cp;
+#define WRITE_PIN_TYPE_CP_SIZE 1
+
+#define OCF_CREATE_NEW_UNIT_KEY		0x000B
+
+#define OCF_READ_STORED_LINK_KEY	0x000D
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		read_all;
+} __attribute__ ((packed)) read_stored_link_key_cp;
+#define READ_STORED_LINK_KEY_CP_SIZE 7
+typedef struct {
+	uint8_t		status;
+	uint16_t	max_keys;
+	uint16_t	num_keys;
+} __attribute__ ((packed)) read_stored_link_key_rp;
+#define READ_STORED_LINK_KEY_RP_SIZE 5
+
+#define OCF_WRITE_STORED_LINK_KEY	0x0011
+typedef struct {
+	uint8_t		num_keys;
+	/* variable length part */
+} __attribute__ ((packed)) write_stored_link_key_cp;
+#define WRITE_STORED_LINK_KEY_CP_SIZE 1
+typedef struct {
+	uint8_t		status;
+	uint8_t		num_keys;
+} __attribute__ ((packed)) write_stored_link_key_rp;
+#define READ_WRITE_LINK_KEY_RP_SIZE 2
+
+#define OCF_DELETE_STORED_LINK_KEY	0x0012
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		delete_all;
+} __attribute__ ((packed)) delete_stored_link_key_cp;
+#define DELETE_STORED_LINK_KEY_CP_SIZE 7
+typedef struct {
+	uint8_t		status;
+	uint16_t	num_keys;
+} __attribute__ ((packed)) delete_stored_link_key_rp;
+#define DELETE_STORED_LINK_KEY_RP_SIZE 3
+
+#define OCF_CHANGE_LOCAL_NAME		0x0013
+typedef struct {
+	uint8_t		name[248];
+} __attribute__ ((packed)) change_local_name_cp;
+#define CHANGE_LOCAL_NAME_CP_SIZE 248 
+
+#define OCF_READ_LOCAL_NAME		0x0014
+typedef struct {
+	uint8_t		status;
+	uint8_t		name[248];
+} __attribute__ ((packed)) read_local_name_rp;
+#define READ_LOCAL_NAME_RP_SIZE 249 
+
+#define OCF_READ_CONN_ACCEPT_TIMEOUT	0x0015
+typedef struct {
+	uint8_t		status;
+	uint16_t	timeout;
+} __attribute__ ((packed)) read_conn_accept_timeout_rp;
+#define READ_CONN_ACCEPT_TIMEOUT_RP_SIZE 3
+
+#define OCF_WRITE_CONN_ACCEPT_TIMEOUT	0x0016
+typedef struct {
+	uint16_t	timeout;
+} __attribute__ ((packed)) write_conn_accept_timeout_cp;
+#define WRITE_CONN_ACCEPT_TIMEOUT_CP_SIZE 2
+
+#define OCF_READ_PAGE_TIMEOUT		0x0017
+typedef struct {
+	uint8_t		status;
+	uint16_t	timeout;
+} __attribute__ ((packed)) read_page_timeout_rp;
+#define READ_PAGE_TIMEOUT_RP_SIZE 3
+
+#define OCF_WRITE_PAGE_TIMEOUT		0x0018
+typedef struct {
+	uint16_t	timeout;
+} __attribute__ ((packed)) write_page_timeout_cp;
+#define WRITE_PAGE_TIMEOUT_CP_SIZE 2
+
+#define OCF_READ_SCAN_ENABLE		0x0019
+typedef struct {
+	uint8_t		status;
+	uint8_t		enable;
+} __attribute__ ((packed)) read_scan_enable_rp;
+#define READ_SCAN_ENABLE_RP_SIZE 2
+
+#define OCF_WRITE_SCAN_ENABLE		0x001A
+typedef struct {
+	uint8_t		scan_enable;
+} __attribute__ ((packed)) write_scan_enable_cp;
+#define WRITE_SCAN_ENABLE_CP_SIZE 1
+	#define SCAN_DISABLED		0x00
+	#define SCAN_INQUIRY		0x01
+	#define SCAN_PAGE		0x02
+
+#define OCF_READ_PAGE_ACTIVITY		0x001B
+typedef struct {
+	uint8_t		status;
+	uint16_t	interval;
+	uint16_t	window;
+} __attribute__ ((packed)) read_page_activity_rp;
+#define READ_PAGE_ACTIVITY_RP_SIZE 5
+
+#define OCF_WRITE_PAGE_ACTIVITY		0x001C
+typedef struct {
+	uint16_t	interval;
+	uint16_t	window;
+} __attribute__ ((packed)) write_page_activity_cp;
+#define WRITE_PAGE_ACTIVITY_CP_SIZE 4
+
+#define OCF_READ_INQ_ACTIVITY		0x001D
+typedef struct {
+	uint8_t		status;
+	uint16_t	interval;
+	uint16_t	window;
+} __attribute__ ((packed)) read_inq_activity_rp;
+#define READ_INQ_ACTIVITY_RP_SIZE 5
+
+#define OCF_WRITE_INQ_ACTIVITY		0x001E
+typedef struct {
+	uint16_t	interval;
+	uint16_t	window;
+} __attribute__ ((packed)) write_inq_activity_cp;
+#define WRITE_INQ_ACTIVITY_CP_SIZE 4
+
+#define OCF_READ_AUTH_ENABLE		0x001F
+
+#define OCF_WRITE_AUTH_ENABLE		0x0020
+	#define AUTH_DISABLED		0x00
+	#define AUTH_ENABLED		0x01
+
+#define OCF_READ_ENCRYPT_MODE		0x0021
+
+#define OCF_WRITE_ENCRYPT_MODE		0x0022
+	#define ENCRYPT_DISABLED	0x00
+	#define ENCRYPT_P2P		0x01
+	#define ENCRYPT_BOTH		0x02
+
+#define OCF_READ_CLASS_OF_DEV		0x0023
+typedef struct {
+	uint8_t		status;
+	uint8_t		dev_class[3];
+} __attribute__ ((packed)) read_class_of_dev_rp;
+#define READ_CLASS_OF_DEV_RP_SIZE 4 
+
+#define OCF_WRITE_CLASS_OF_DEV		0x0024
+typedef struct {
+	uint8_t		dev_class[3];
+} __attribute__ ((packed)) write_class_of_dev_cp;
+#define WRITE_CLASS_OF_DEV_CP_SIZE 3
+
+#define OCF_READ_VOICE_SETTING		0x0025
+typedef struct {
+	uint8_t		status;
+	uint16_t	voice_setting;
+} __attribute__ ((packed)) read_voice_setting_rp;
+#define READ_VOICE_SETTING_RP_SIZE 3
+
+#define OCF_WRITE_VOICE_SETTING		0x0026
+typedef struct {
+	uint16_t	voice_setting;
+} __attribute__ ((packed)) write_voice_setting_cp;
+#define WRITE_VOICE_SETTING_CP_SIZE 2
+
+#define OCF_READ_AUTOMATIC_FLUSH_TIMEOUT	0x0027
+
+#define OCF_WRITE_AUTOMATIC_FLUSH_TIMEOUT	0x0028
+
+#define OCF_READ_NUM_BROADCAST_RETRANS	0x0029
+
+#define OCF_WRITE_NUM_BROADCAST_RETRANS	0x002A
+
+#define OCF_READ_HOLD_MODE_ACTIVITY	0x002B
+
+#define OCF_WRITE_HOLD_MODE_ACTIVITY	0x002C
+
+#define OCF_READ_TRANSMIT_POWER_LEVEL	0x002D
+typedef struct {
+	uint16_t	handle;
+	uint8_t		type;
+} __attribute__ ((packed)) read_transmit_power_level_cp;
+#define READ_TRANSMIT_POWER_LEVEL_CP_SIZE 3
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	int8_t		level;
+} __attribute__ ((packed)) read_transmit_power_level_rp;
+#define READ_TRANSMIT_POWER_LEVEL_RP_SIZE 4
+
+#define OCF_HOST_BUFFER_SIZE		0x0033
+typedef struct {
+	uint16_t	acl_mtu;
+	uint8_t		sco_mtu;
+	uint16_t	acl_max_pkt;
+	uint16_t	sco_max_pkt;
+} __attribute__ ((packed)) host_buffer_size_cp;
+#define HOST_BUFFER_SIZE_CP_SIZE 7
+
+#define OCF_HOST_NUMBER_OF_COMPLETED_PACKETS	0x0035
+
+#define OCF_READ_LINK_SUPERVISION_TIMEOUT	0x0036
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint16_t	link_sup_to;
+} __attribute__ ((packed)) read_link_supervision_timeout_rp;
+#define READ_LINK_SUPERVISION_TIMEOUT_RP_SIZE 5
+
+#define OCF_WRITE_LINK_SUPERVISION_TIMEOUT	0x0037
+typedef struct {
+	uint16_t	handle;
+	uint16_t	link_sup_to;
+} __attribute__ ((packed)) write_link_supervision_timeout_cp;
+#define WRITE_LINK_SUPERVISION_TIMEOUT_CP_SIZE 4
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+} __attribute__ ((packed)) write_link_supervision_timeout_rp;
+#define WRITE_LINK_SUPERVISION_TIMEOUT_RP_SIZE 3
+
+#define OCF_READ_NUM_SUPPORTED_IAC	0x0038
+
+#define MAX_IAC_LAP 0x40
+#define OCF_READ_CURRENT_IAC_LAP	0x0039
+typedef struct {
+	uint8_t		status;
+	uint8_t		num_current_iac;
+	uint8_t		lap[MAX_IAC_LAP][3];
+} __attribute__ ((packed)) read_current_iac_lap_rp;
+#define READ_CURRENT_IAC_LAP_RP_SIZE 2+3*MAX_IAC_LAP
+
+#define OCF_WRITE_CURRENT_IAC_LAP	0x003A
+typedef struct {
+	uint8_t		num_current_iac;
+	uint8_t		lap[MAX_IAC_LAP][3];
+} __attribute__ ((packed)) write_current_iac_lap_cp;
+#define WRITE_CURRENT_IAC_LAP_CP_SIZE 1+3*MAX_IAC_LAP
+
+#define OCF_READ_PAGE_SCAN_PERIOD_MODE	0x003B
+
+#define OCF_WRITE_PAGE_SCAN_PERIOD_MODE	0x003C
+
+#define OCF_READ_PAGE_SCAN_MODE		0x003D
+
+#define OCF_WRITE_PAGE_SCAN_MODE	0x003E
+
+#define OCF_SET_AFH_CLASSIFICATION	0x003F
+typedef struct {
+	uint8_t		map[10];
+} __attribute__ ((packed)) set_afh_classification_cp;
+#define SET_AFH_CLASSIFICATION_CP_SIZE 10
+typedef struct {
+	uint8_t		status;
+} __attribute__ ((packed)) set_afh_classification_rp;
+#define SET_AFH_CLASSIFICATION_RP_SIZE 1
+
+#define OCF_READ_INQUIRY_SCAN_TYPE	0x0042
+typedef struct {
+	uint8_t		status;
+	uint8_t		type;
+} __attribute__ ((packed)) read_inquiry_scan_type_rp;
+#define READ_INQUIRY_SCAN_TYPE_RP_SIZE 2
+
+#define OCF_WRITE_INQUIRY_SCAN_TYPE	0x0043
+typedef struct {
+	uint8_t		type;
+} __attribute__ ((packed)) write_inquiry_scan_type_cp;
+#define WRITE_INQUIRY_SCAN_TYPE_CP_SIZE 1
+typedef struct {
+	uint8_t		status;
+} __attribute__ ((packed)) write_inquiry_scan_type_rp;
+#define WRITE_INQUIRY_SCAN_TYPE_RP_SIZE 1
+
+#define OCF_READ_INQUIRY_MODE		0x0044
+typedef struct {
+	uint8_t		status;
+	uint8_t		mode;
+} __attribute__ ((packed)) read_inquiry_mode_rp;
+#define READ_INQUIRY_MODE_RP_SIZE 2
+
+#define OCF_WRITE_INQUIRY_MODE		0x0045
+typedef struct {
+	uint8_t		mode;
+} __attribute__ ((packed)) write_inquiry_mode_cp;
+#define WRITE_INQUIRY_MODE_CP_SIZE 1
+typedef struct {
+	uint8_t		status;
+} __attribute__ ((packed)) write_inquiry_mode_rp;
+#define WRITE_INQUIRY_MODE_RP_SIZE 1
+
+#define OCF_READ_PAGE_SCAN_TYPE		0x0046
+
+#define OCF_WRITE_PAGE_SCAN_TYPE	0x0047
+
+#define OCF_READ_AFH_MODE		0x0048
+typedef struct {
+	uint8_t		status;
+	uint8_t		mode;
+} __attribute__ ((packed)) read_afh_mode_rp;
+#define READ_AFH_MODE_RP_SIZE 2
+
+#define OCF_WRITE_AFH_MODE		0x0049
+typedef struct {
+	uint8_t		mode;
+} __attribute__ ((packed)) write_afh_mode_cp;
+#define WRITE_AFH_MODE_CP_SIZE 1
+typedef struct {
+	uint8_t		status;
+} __attribute__ ((packed)) write_afh_mode_rp;
+#define WRITE_AFH_MODE_RP_SIZE 1
+
+#define OCF_READ_EXT_INQUIRY_RESPONSE	0x0051
+typedef struct {
+	uint8_t		status;
+	uint8_t		fec;
+	uint8_t		data[240];
+} __attribute__ ((packed)) read_ext_inquiry_response_rp;
+#define READ_EXT_INQUIRY_RESPONSE_RP_SIZE 242
+
+#define OCF_WRITE_EXT_INQUIRY_RESPONSE	0x0052
+typedef struct {
+	uint8_t		fec;
+	uint8_t		data[240];
+} __attribute__ ((packed)) write_ext_inquiry_response_cp;
+#define WRITE_EXT_INQUIRY_RESPONSE_CP_SIZE 241
+typedef struct {
+	uint8_t		status;
+} __attribute__ ((packed)) write_ext_inquiry_response_rp;
+#define WRITE_EXT_INQUIRY_RESPONSE_RP_SIZE 1
+
+/* Informational Parameters */
+#define OGF_INFO_PARAM		0x04
+
+#define OCF_READ_LOCAL_VERSION		0x0001
+typedef struct {
+	uint8_t		status;
+	uint8_t		hci_ver;
+	uint16_t	hci_rev;
+	uint8_t		lmp_ver;
+	uint16_t	manufacturer;
+	uint16_t	lmp_subver;
+} __attribute__ ((packed)) read_local_version_rp;
+#define READ_LOCAL_VERSION_RP_SIZE 9
+
+#define OCF_READ_LOCAL_COMMANDS		0x0002
+typedef struct {
+	uint8_t		status;
+	uint8_t		commands[64];
+} __attribute__ ((packed)) read_local_commands_rp;
+#define READ_LOCAL_COMMANDS_RP_SIZE 65
+
+#define OCF_READ_LOCAL_FEATURES		0x0003
+typedef struct {
+	uint8_t		status;
+	uint8_t		features[8];
+} __attribute__ ((packed)) read_local_features_rp;
+#define READ_LOCAL_FEATURES_RP_SIZE 9
+
+#define OCF_READ_LOCAL_EXT_FEATURES	0x0004
+typedef struct {
+	uint8_t		page_num;
+} __attribute__ ((packed)) read_local_ext_features_cp;
+#define READ_LOCAL_EXT_FEATURES_CP_SIZE 1
+typedef struct {
+	uint8_t		status;
+	uint8_t		page_num;
+	uint8_t		max_page_num;
+	uint8_t		features[8];
+} __attribute__ ((packed)) read_local_ext_features_rp;
+#define READ_LOCAL_EXT_FEATURES_RP_SIZE 11
+
+#define OCF_READ_BUFFER_SIZE		0x0005
+typedef struct {
+	uint8_t		status;
+	uint16_t	acl_mtu;
+	uint8_t		sco_mtu;
+	uint16_t	acl_max_pkt;
+	uint16_t	sco_max_pkt;
+} __attribute__ ((packed)) read_buffer_size_rp;
+#define READ_BUFFER_SIZE_RP_SIZE 8
+
+#define OCF_READ_COUNTRY_CODE		0x0007
+
+#define OCF_READ_BD_ADDR		0x0009
+typedef struct {
+	uint8_t		status;
+	bdaddr_t	bdaddr;
+} __attribute__ ((packed)) read_bd_addr_rp;
+#define READ_BD_ADDR_RP_SIZE 7
+
+/* Status params */
+#define OGF_STATUS_PARAM	0x05
+
+#define OCF_READ_FAILED_CONTACT_COUNTER		0x0001
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		counter;
+} __attribute__ ((packed)) read_failed_contact_counter_rp;
+#define READ_FAILED_CONTACT_COUNTER_RP_SIZE 4
+
+#define OCF_RESET_FAILED_CONTACT_COUNTER	0x0002
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+} __attribute__ ((packed)) reset_failed_contact_counter_rp;
+#define RESET_FAILED_CONTACT_COUNTER_RP_SIZE 4
+
+#define OCF_READ_LINK_QUALITY		0x0003
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) read_link_quality_cp;
+#define READ_LINK_QUALITY_CP_SIZE 4
+
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		link_quality;
+} __attribute__ ((packed)) read_link_quality_rp;
+#define READ_LINK_QUALITY_RP_SIZE 4
+
+#define OCF_READ_RSSI			0x0005
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	int8_t		rssi;
+} __attribute__ ((packed)) read_rssi_rp;
+#define READ_RSSI_RP_SIZE 4
+
+#define OCF_READ_AFH_MAP		0x0006
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		mode;
+	uint8_t		map[10];
+} __attribute__ ((packed)) read_afh_map_rp;
+#define READ_AFH_MAP_RP_SIZE 14
+
+#define OCF_READ_CLOCK			0x0007
+typedef struct {
+	uint16_t	handle;
+	uint8_t		which_clock;
+} __attribute__ ((packed)) read_clock_cp;
+#define READ_CLOCK_CP_SIZE 3
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint32_t	clock;
+	uint16_t	accuracy;
+} __attribute__ ((packed)) read_clock_rp;
+#define READ_CLOCK_RP_SIZE 9
+
+/* Testing commands */
+#define OGF_TESTING_CMD		0x3e
+
+/* Vendor specific commands */
+#define OGF_VENDOR_CMD		0x3f
+
+/* ---- HCI Events ---- */
+
+#define EVT_INQUIRY_COMPLETE		0x01
+
+#define EVT_INQUIRY_RESULT		0x02
+typedef struct {
+	uint8_t		num_responses;
+	bdaddr_t	bdaddr;
+	uint8_t		pscan_rep_mode;
+	uint8_t		pscan_period_mode;
+	uint8_t		pscan_mode;
+	uint8_t		dev_class[3];
+	uint16_t	clock_offset;
+} __attribute__ ((packed)) inquiry_info;
+#define INQUIRY_INFO_SIZE 14
+
+#define EVT_CONN_COMPLETE		0x03
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	bdaddr_t	bdaddr;
+	uint8_t		link_type;
+	uint8_t		encr_mode;
+} __attribute__ ((packed)) evt_conn_complete;
+#define EVT_CONN_COMPLETE_SIZE 13
+
+#define EVT_CONN_REQUEST		0x04
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		dev_class[3];
+	uint8_t		link_type;
+} __attribute__ ((packed)) evt_conn_request;
+#define EVT_CONN_REQUEST_SIZE 10
+
+#define EVT_DISCONN_COMPLETE		0x05
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		reason;
+} __attribute__ ((packed)) evt_disconn_complete;
+#define EVT_DISCONN_COMPLETE_SIZE 4
+
+#define EVT_AUTH_COMPLETE		0x06
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+} __attribute__ ((packed)) evt_auth_complete;
+#define EVT_AUTH_COMPLETE_SIZE 3
+
+#define EVT_REMOTE_NAME_REQ_COMPLETE	0x07
+typedef struct {
+	uint8_t		status;
+	bdaddr_t	bdaddr;
+	uint8_t		name[248];
+} __attribute__ ((packed)) evt_remote_name_req_complete;
+#define EVT_REMOTE_NAME_REQ_COMPLETE_SIZE 255
+
+#define EVT_ENCRYPT_CHANGE		0x08
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		encrypt;
+} __attribute__ ((packed)) evt_encrypt_change;
+#define EVT_ENCRYPT_CHANGE_SIZE 5
+
+#define EVT_CHANGE_CONN_LINK_KEY_COMPLETE	0x09
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+}  __attribute__ ((packed)) evt_change_conn_link_key_complete;
+#define EVT_CHANGE_CONN_LINK_KEY_COMPLETE_SIZE 3
+
+#define EVT_MASTER_LINK_KEY_COMPLETE		0x0A
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		key_flag;
+} __attribute__ ((packed)) evt_master_link_key_complete;
+#define EVT_MASTER_LINK_KEY_COMPLETE_SIZE 4
+
+#define EVT_READ_REMOTE_FEATURES_COMPLETE	0x0B
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		features[8];
+} __attribute__ ((packed)) evt_read_remote_features_complete;
+#define EVT_READ_REMOTE_FEATURES_COMPLETE_SIZE 11
+
+#define EVT_READ_REMOTE_VERSION_COMPLETE	0x0C
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		lmp_ver;
+	uint16_t	manufacturer;
+	uint16_t	lmp_subver;
+} __attribute__ ((packed)) evt_read_remote_version_complete;
+#define EVT_READ_REMOTE_VERSION_COMPLETE_SIZE 8
+
+#define EVT_QOS_SETUP_COMPLETE		0x0D
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		flags;			/* Reserved */
+	hci_qos		qos;
+} __attribute__ ((packed)) evt_qos_setup_complete;
+#define EVT_QOS_SETUP_COMPLETE_SIZE (4 + HCI_QOS_CP_SIZE)
+
+#define EVT_CMD_COMPLETE 		0x0E
+typedef struct {
+	uint8_t		ncmd;
+	uint16_t	opcode;
+} __attribute__ ((packed)) evt_cmd_complete;
+#define EVT_CMD_COMPLETE_SIZE 3
+
+#define EVT_CMD_STATUS 			0x0F
+typedef struct {
+	uint8_t		status;
+	uint8_t		ncmd;
+	uint16_t	opcode;
+} __attribute__ ((packed)) evt_cmd_status;
+#define EVT_CMD_STATUS_SIZE 4
+
+#define EVT_HARDWARE_ERROR		0x10
+typedef struct {
+	uint8_t		code;
+} __attribute__ ((packed)) evt_hardware_error;
+#define EVT_HARDWARE_ERROR_SIZE 1
+
+#define EVT_FLUSH_OCCURRED		0x11
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) evt_flush_occured;
+#define EVT_FLUSH_OCCURRED_SIZE 2
+
+#define EVT_ROLE_CHANGE			0x12
+typedef struct {
+	uint8_t		status;
+	bdaddr_t	bdaddr;
+	uint8_t		role;
+} __attribute__ ((packed)) evt_role_change;
+#define EVT_ROLE_CHANGE_SIZE 8
+
+#define EVT_NUM_COMP_PKTS		0x13
+typedef struct {
+	uint8_t		num_hndl;
+	/* variable length part */
+} __attribute__ ((packed)) evt_num_comp_pkts;
+#define EVT_NUM_COMP_PKTS_SIZE 1
+
+#define EVT_MODE_CHANGE			0x14
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		mode;
+	uint16_t	interval;
+} __attribute__ ((packed)) evt_mode_change;
+#define EVT_MODE_CHANGE_SIZE 6
+
+#define EVT_RETURN_LINK_KEYS		0x15
+typedef struct {
+	uint8_t		num_keys;
+	/* variable length part */
+} __attribute__ ((packed)) evt_return_link_keys;
+#define EVT_RETURN_LINK_KEYS_SIZE 1
+
+#define EVT_PIN_CODE_REQ		0x16
+typedef struct {
+	bdaddr_t	bdaddr;
+} __attribute__ ((packed)) evt_pin_code_req;
+#define EVT_PIN_CODE_REQ_SIZE 6
+
+#define EVT_LINK_KEY_REQ		0x17
+typedef struct {
+	bdaddr_t	bdaddr;
+} __attribute__ ((packed)) evt_link_key_req;
+#define EVT_LINK_KEY_REQ_SIZE 6
+
+#define EVT_LINK_KEY_NOTIFY		0x18
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		link_key[16];
+	uint8_t		key_type;
+} __attribute__ ((packed)) evt_link_key_notify;
+#define EVT_LINK_KEY_NOTIFY_SIZE 23
+
+#define EVT_LOOPBACK_COMMAND		0x19
+
+#define EVT_DATA_BUFFER_OVERFLOW	0x1A
+typedef struct {
+	uint8_t		link_type;
+} __attribute__ ((packed)) evt_data_buffer_overflow;
+#define EVT_DATA_BUFFER_OVERFLOW_SIZE 1
+
+#define EVT_MAX_SLOTS_CHANGE		0x1B
+typedef struct {
+	uint16_t	handle;
+	uint8_t		max_slots;
+} __attribute__ ((packed)) evt_max_slots_change;
+#define EVT_MAX_SLOTS_CHANGE_SIZE 3
+
+#define EVT_READ_CLOCK_OFFSET_COMPLETE	0x1C
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint16_t	clock_offset;
+} __attribute__ ((packed)) evt_read_clock_offset_complete;
+#define EVT_READ_CLOCK_OFFSET_COMPLETE_SIZE 5
+
+#define EVT_CONN_PTYPE_CHANGED		0x1D
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint16_t	ptype;
+} __attribute__ ((packed)) evt_conn_ptype_changed;
+#define EVT_CONN_PTYPE_CHANGED_SIZE 5
+
+#define EVT_QOS_VIOLATION		0x1E
+typedef struct {
+	uint16_t	handle;
+} __attribute__ ((packed)) evt_qos_violation;
+#define EVT_QOS_VIOLATION_SIZE 2
+
+#define EVT_PSCAN_REP_MODE_CHANGE	0x20
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		pscan_rep_mode;
+} __attribute__ ((packed)) evt_pscan_rep_mode_change;
+#define EVT_PSCAN_REP_MODE_CHANGE_SIZE 7
+
+#define EVT_FLOW_SPEC_COMPLETE		0x21
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		flags;
+	uint8_t		direction;
+	hci_qos		qos;
+} __attribute__ ((packed)) evt_flow_spec_complete;
+#define EVT_FLOW_SPEC_COMPLETE_SIZE (5 + HCI_QOS_CP_SIZE)
+
+#define EVT_INQUIRY_RESULT_WITH_RSSI	0x22
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		pscan_rep_mode;
+	uint8_t		pscan_period_mode;
+	uint8_t		dev_class[3];
+	uint16_t	clock_offset;
+	int8_t		rssi;
+} __attribute__ ((packed)) inquiry_info_with_rssi;
+#define INQUIRY_INFO_WITH_RSSI_SIZE 14
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		pscan_rep_mode;
+	uint8_t		pscan_period_mode;
+	uint8_t		pscan_mode;
+	uint8_t		dev_class[3];
+	uint16_t	clock_offset;
+	int8_t		rssi;
+} __attribute__ ((packed)) inquiry_info_with_rssi_and_pscan_mode;
+#define INQUIRY_INFO_WITH_RSSI_AND_PSCAN_MODE_SIZE 15
+
+#define EVT_READ_REMOTE_EXT_FEATURES_COMPLETE	0x23
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		page_num;
+	uint8_t		max_page_num;
+	uint8_t		features[8];
+} __attribute__ ((packed)) evt_read_remote_ext_features_complete;
+#define EVT_READ_REMOTE_EXT_FEATURES_COMPLETE_SIZE 13
+
+#define EVT_SYNC_CONN_COMPLETE		0x2C
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	bdaddr_t	bdaddr;
+	uint8_t		link_type;
+	uint8_t		trans_interval;
+	uint8_t		retrans_window;
+	uint16_t	rx_pkt_len;
+	uint16_t	tx_pkt_len;
+	uint8_t		air_mode;
+} __attribute__ ((packed)) evt_sync_conn_complete;
+#define EVT_SYNC_CONN_COMPLETE_SIZE 17
+
+#define EVT_SYNC_CONN_CHANGED		0x2D
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint8_t		trans_interval;
+	uint8_t		retrans_window;
+	uint16_t	rx_pkt_len;
+	uint16_t	tx_pkt_len;
+} __attribute__ ((packed)) evt_sync_conn_changed;
+#define EVT_SYNC_CONN_CHANGED_SIZE 9
+
+#define EVT_SNIFF_SUBRATE		0x2E
+typedef struct {
+	uint8_t		status;
+	uint16_t	handle;
+	uint16_t	max_remote_latency;
+	uint16_t	max_local_latency;
+	uint16_t	min_remote_timeout;
+	uint16_t	min_local_timeout;
+} __attribute__ ((packed)) evt_sniff_subrate;
+#define EVT_SNIFF_SUBRATE_SIZE 11
+
+#define EVT_EXTENDED_INQUIRY_RESULT	0x2F
+typedef struct {
+	bdaddr_t	bdaddr;
+	uint8_t		pscan_rep_mode;
+	uint8_t		pscan_period_mode;
+	uint8_t		dev_class[3];
+	uint16_t	clock_offset;
+	int8_t		rssi;
+	uint8_t		data[240];
+} __attribute__ ((packed)) extended_inquiry_info;
+#define EXTENDED_INQUIRY_INFO_SIZE 254
+
+#define EVT_TESTING			0xFE
+
+#define EVT_VENDOR			0xFF
+
+/* Command opcode pack/unpack */
+#define cmd_opcode_pack(ogf, ocf)	(uint16_t)((ocf & 0x03ff)|(ogf << 10))
+#define cmd_opcode_ogf(op)		(op >> 10)
+#define cmd_opcode_ocf(op)		(op & 0x03ff)
+
+/* ACL handle and flags pack/unpack */
+#define acl_handle_pack(h, f)	(uint16_t)(((h) & 0x0fff)|((f) << 12))
+#define acl_handle(h)		((h) & 0x0fff)
+#define acl_flags(h)		((h) >> 12)

Added: trunk/src/host/qemu-neo1973/hw/usb-bt.c
===================================================================
--- trunk/src/host/qemu-neo1973/hw/usb-bt.c	2007-06-13 17:12:06 UTC (rev 2242)
+++ trunk/src/host/qemu-neo1973/hw/usb-bt.c	2007-06-13 17:13:50 UTC (rev 2243)
@@ -0,0 +1,530 @@
+/*
+ * QEMU Bluetooth HCI USB Transport Layer
+ *
+ * Copyright (C) 2007 OpenMoko, Inc.
+ * Written by Andrzej Zaborowski <andrew at openedhand.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+#include "vl.h"
+
+struct USBBtState {
+    int altsetting;
+    USBDevice dev;
+    struct bt_hci_s hci;
+
+    int config;
+
+#define EVT_FIFO_LEN_MASK	15
+    struct {
+        int start, len;
+        uint8_t pkt[262];
+    } evt_fifo[EVT_FIFO_LEN_MASK + 1];
+    int evt_start, evt_len;
+};
+
+#define USB_EVT_EP	1
+#define USB_ACL_EP	2
+#define USB_SCO_EP	3
+
+static const uint8_t qemu_bt_dev_descriptor[] = {
+    0x12,	/*  u8 bLength; */
+    0x01,	/*  u8 bDescriptorType; Device */
+    0x00, 0x02,	/*  u16 bcdUSB; v1.0 */
+
+    0xe0,	/*  u8  bDeviceClass; Wireless */
+    0x01,	/*  u8  bDeviceSubClass; Radio Frequency */
+    0x01,	/*  u8  bDeviceProtocol; Bluetooth */
+    0x40,	/*  u8  bMaxPacketSize0; 64 Bytes */
+
+    0x12, 0x0a,	/*  u16 idVendor; */
+    0x01, 0x00,	/*  u16 idProduct; Bluetooth Dongle (HCI mode) */
+    0x58, 0x19,	/*  u16 bcdDevice */
+
+    0x00,	/*  u8  iManufacturer; */
+    0x00,	/*  u8  iProduct; */
+    0x00,	/*  u8  iSerialNumber; */
+    0x01,	/*  u8  bNumConfigurations; */
+};
+
+static const uint8_t qemu_bt_config_descriptor[] = {
+    /* one configuration */
+    0x09,	/*  u8  bLength; */
+    0x02,	/*  u8  bDescriptorType; Configuration */
+    0xb1, 0x00,	/*  u16 wTotalLength; */
+    0x02,	/*  u8  bNumInterfaces; (2) */
+    0x01,	/*  u8  bConfigurationValue; */
+    0x00,	/*  u8  iConfiguration; */
+    0x80,	/*  u8  bmAttributes; 
+			     Bit 7: must be set,
+				 6: Self-powered,
+				 5: Remote wakeup,
+				 4..0: resvd */
+    0x00,	/*  u8  MaxPower; */
+  
+    /* USB 1.1:
+     * USB 2.0, single TT organization (mandatory):
+     *	one interface, protocol 0
+     *
+     * USB 2.0, multiple TT organization (optional):
+     *	two interfaces, protocols 1 (like single TT)
+     *	and 2 (multiple TT mode) ... config is
+     *	sometimes settable
+     *	NOT IMPLEMENTED
+     */
+
+    /* interface one */
+    0x09,	/*  u8  if_bLength; */
+    0x04,	/*  u8  if_bDescriptorType; Interface */
+    0x00,	/*  u8  if_bInterfaceNumber; */
+    0x00,	/*  u8  if_bAlternateSetting; */
+    0x03,	/*  u8  if_bNumEndpoints; */
+    0xe0,	/*  u8  if_bInterfaceClass; Wireless */
+    0x01,	/*  u8  if_bInterfaceSubClass; Radio Frequency */
+    0x01,	/*  u8  if_bInterfaceProtocol; Bluetooth */
+    0x00,	/*  u8  if_iInterface; */
+ 
+    /* endpoint one */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_IN | USB_EVT_EP,	/*  u8  ep_bEndpointAddress; */
+    0x03,	/*  u8  ep_bmAttributes; Interrupt */
+    0x10, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+ 
+    /* endpoint two */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_OUT | USB_ACL_EP,	/*  u8  ep_bEndpointAddress; */
+    0x02,	/*  u8  ep_bmAttributes; Bulk */
+    0x40, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x0a,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+ 
+    /* endpoint three */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_IN | USB_ACL_EP,	/*  u8  ep_bEndpointAddress; */
+    0x02,	/*  u8  ep_bmAttributes; Bulk */
+    0x40, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x0a,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+
+    /* interface two setting one */
+    0x09,	/*  u8  if_bLength; */
+    0x04,	/*  u8  if_bDescriptorType; Interface */
+    0x01,	/*  u8  if_bInterfaceNumber; */
+    0x00,	/*  u8  if_bAlternateSetting; */
+    0x02,	/*  u8  if_bNumEndpoints; */
+    0xe0,	/*  u8  if_bInterfaceClass; Wireless */
+    0x01,	/*  u8  if_bInterfaceSubClass; Radio Frequency */
+    0x01,	/*  u8  if_bInterfaceProtocol; Bluetooth */
+    0x00,	/*  u8  if_iInterface; */
+ 
+    /* endpoint one */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x00, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+ 
+    /* endpoint two */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x00, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+
+    /* interface two setting two */
+    0x09,	/*  u8  if_bLength; */
+    0x04,	/*  u8  if_bDescriptorType; Interface */
+    0x01,	/*  u8  if_bInterfaceNumber; */
+    0x01,	/*  u8  if_bAlternateSetting; */
+    0x02,	/*  u8  if_bNumEndpoints; */
+    0xe0,	/*  u8  if_bInterfaceClass; Wireless */
+    0x01,	/*  u8  if_bInterfaceSubClass; Radio Frequency */
+    0x01,	/*  u8  if_bInterfaceProtocol; Bluetooth */
+    0x00,	/*  u8  if_iInterface; */
+ 
+    /* endpoint one */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x09, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+ 
+    /* endpoint two */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x09, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+
+    /* interface two setting three */
+    0x09,	/*  u8  if_bLength; */
+    0x04,	/*  u8  if_bDescriptorType; Interface */
+    0x01,	/*  u8  if_bInterfaceNumber; */
+    0x02,	/*  u8  if_bAlternateSetting; */
+    0x02,	/*  u8  if_bNumEndpoints; */
+    0xe0,	/*  u8  if_bInterfaceClass; Wireless */
+    0x01,	/*  u8  if_bInterfaceSubClass; Radio Frequency */
+    0x01,	/*  u8  if_bInterfaceProtocol; Bluetooth */
+    0x00,	/*  u8  if_iInterface; */
+ 
+    /* endpoint one */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x11, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+ 
+    /* endpoint two */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x11, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+
+    /* interface two setting four */
+    0x09,	/*  u8  if_bLength; */
+    0x04,	/*  u8  if_bDescriptorType; Interface */
+    0x01,	/*  u8  if_bInterfaceNumber; */
+    0x03,	/*  u8  if_bAlternateSetting; */
+    0x02,	/*  u8  if_bNumEndpoints; */
+    0xe0,	/*  u8  if_bInterfaceClass; Wireless */
+    0x01,	/*  u8  if_bInterfaceSubClass; Radio Frequency */
+    0x01,	/*  u8  if_bInterfaceProtocol; Bluetooth */
+    0x00,	/*  u8  if_iInterface; */
+ 
+    /* endpoint one */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x19, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+ 
+    /* endpoint two */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x19, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+
+    /* interface two setting five */
+    0x09,	/*  u8  if_bLength; */
+    0x04,	/*  u8  if_bDescriptorType; Interface */
+    0x01,	/*  u8  if_bInterfaceNumber; */
+    0x04,	/*  u8  if_bAlternateSetting; */
+    0x02,	/*  u8  if_bNumEndpoints; */
+    0xe0,	/*  u8  if_bInterfaceClass; Wireless */
+    0x01,	/*  u8  if_bInterfaceSubClass; Radio Frequency */
+    0x01,	/*  u8  if_bInterfaceProtocol; Bluetooth */
+    0x00,	/*  u8  if_iInterface; */
+ 
+    /* endpoint one */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x21, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+ 
+    /* endpoint two */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x21, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+
+    /* interface two setting six */
+    0x09,	/*  u8  if_bLength; */
+    0x04,	/*  u8  if_bDescriptorType; Interface */
+    0x01,	/*  u8  if_bInterfaceNumber; */
+    0x05,	/*  u8  if_bAlternateSetting; */
+    0x02,	/*  u8  if_bNumEndpoints; */
+    0xe0,	/*  u8  if_bInterfaceClass; Wireless */
+    0x01,	/*  u8  if_bInterfaceSubClass; Radio Frequency */
+    0x01,	/*  u8  if_bInterfaceProtocol; Bluetooth */
+    0x00,	/*  u8  if_iInterface; */
+ 
+    /* endpoint one */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_OUT | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x31, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+
+    /* endpoint two */
+    0x07,	/*  u8  ep_bLength; */
+    0x05,	/*  u8  ep_bDescriptorType; Endpoint */
+    USB_DIR_IN | USB_SCO_EP,	/*  u8  ep_bEndpointAddress; */
+    0x01,	/*  u8  ep_bmAttributes; Isochronous */
+    0x31, 0x00,	/*  u16 ep_wMaxPacketSize; */
+    0x01,	/*  u8  ep_bInterval; (255ms -- usb 2.0 spec) */
+};
+
+static void usb_bt_handle_reset(USBDevice *dev)
+{
+    struct USBBtState *s = (struct USBBtState *) dev->opaque;
+    s->altsetting = 0;
+}
+
+static int usb_bt_handle_control(USBDevice *dev, int request, int value,
+                int index, int length, uint8_t *data)
+{
+    struct USBBtState *s = (struct USBBtState *) dev->opaque;
+    int ret = 0;
+        printf("setup token req %x val %x idx %x len %x\n", request, value, index, length);////
+
+    switch (request) {
+    case DeviceRequest | USB_REQ_GET_STATUS:
+    case InterfaceRequest | USB_REQ_GET_STATUS:
+    case EndpointRequest | USB_REQ_GET_STATUS:
+        data[0] = (1 << USB_DEVICE_SELF_POWERED) |
+            (dev->remote_wakeup << USB_DEVICE_REMOTE_WAKEUP);
+        data[1] = 0x00;
+        ret = 2;
+        break;
+    case DeviceOutRequest | USB_REQ_CLEAR_FEATURE:
+    case InterfaceOutRequest | USB_REQ_CLEAR_FEATURE:
+    case EndpointOutRequest | USB_REQ_CLEAR_FEATURE:
+        if (value == USB_DEVICE_REMOTE_WAKEUP) {
+            dev->remote_wakeup = 0;
+        } else {
+            goto fail;
+        }
+        ret = 0;
+        break;
+    case DeviceOutRequest | USB_REQ_SET_FEATURE:
+    case InterfaceOutRequest | USB_REQ_SET_FEATURE:
+    case EndpointOutRequest | USB_REQ_SET_FEATURE:
+        if (value == USB_DEVICE_REMOTE_WAKEUP) {
+            dev->remote_wakeup = 1;
+        } else {
+            goto fail;
+        }
+        ret = 0;
+        break;
+    case DeviceOutRequest | USB_REQ_SET_ADDRESS:
+        dev->addr = value;
+        ret = 0;
+        break;
+    case DeviceRequest | USB_REQ_GET_DESCRIPTOR:
+        switch (value >> 8) {
+        case USB_DT_DEVICE:
+            ret = sizeof(qemu_bt_dev_descriptor);
+            memcpy(data, qemu_bt_dev_descriptor, ret);
+            break;
+        case USB_DT_CONFIG:
+            ret = sizeof(qemu_bt_config_descriptor);
+            memcpy(data, qemu_bt_config_descriptor, ret);
+            break;
+        case USB_DT_STRING:
+            switch(value & 0xff) {
+            case 0:
+                /* language ids */
+                data[0] = 4;
+                data[1] = 3;
+                data[2] = 0x09;
+                data[3] = 0x04;
+                ret = 4;
+                break;
+            default:
+                goto fail;
+            }
+            break;
+        default:
+            goto fail;
+        }
+        break;
+    case DeviceRequest | USB_REQ_GET_CONFIGURATION:
+        data[0] = qemu_bt_config_descriptor[0x5];
+        ret = 1;
+        s->config = 0;
+        break;
+    case DeviceOutRequest | USB_REQ_SET_CONFIGURATION:
+        ret = 0;
+        if (value != qemu_bt_config_descriptor[0x5] && value != 0) {
+            printf("%s: Wrong SET_CONFIGURATION request (%i)\n",
+                            __FUNCTION__, value);
+            goto fail;
+        }
+        s->config = 1;
+        s->evt_len = 0;
+        bt_hci_reset(&s->hci);
+        break;
+    case InterfaceRequest | USB_REQ_GET_INTERFACE:
+        if (value != 0 || (index & ~1) || length != 1)
+            goto fail;
+        if (index == 1)
+            data[0] = s->altsetting;
+        else
+            data[0] = 0;
+        ret = 1;
+        break;
+    case InterfaceOutRequest | USB_REQ_SET_INTERFACE:
+        if ((index & ~1) || length != 0 ||
+                        (index == 1 && (value < 0 || value > 4)) ||
+                        (index == 0 && value != 0)) {
+            printf("%s: Wrong SET_INTERFACE request (%i, %i)\n",
+                            __FUNCTION__, index, value);
+            goto fail;
+        }
+        s->altsetting = value;
+        ret = 0;
+        break;
+    case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_DEVICE) << 8):
+        if (s->config)
+            bt_submit_hci(&s->hci, length, data);
+        break;
+    default:
+    fail:
+        ret = USB_RET_STALL;
+        break;
+    }
+    return ret;
+}
+
+static int usb_bt_event_dequeue(struct USBBtState *s, USBPacket *p)
+{
+    int pkt, ret;
+    if (!s->evt_len)
+        return 0;
+
+    pkt = s->evt_start;
+    ret = MIN(p->len, s->evt_fifo[pkt].len);
+
+    if (!ret) {
+        s->evt_len --;
+        s->evt_start ++;
+        s->evt_start &= EVT_FIFO_LEN_MASK;
+    }
+
+    memcpy(p->data, s->evt_fifo[pkt].pkt + s->evt_fifo[pkt].start, ret);
+    s->evt_fifo[pkt].start += ret;
+    s->evt_fifo[pkt].len -= ret;
+
+    return ret;
+}
+
+static int usb_bt_handle_data(USBDevice *dev, USBPacket *p)
+{
+    struct USBBtState *s = (struct USBBtState *) dev->opaque;
+    int ret = 0;
+
+    if (!s->config)
+        goto fail;
+
+    switch (p->pid) {
+    case USB_TOKEN_IN:
+        switch (p->devep & 0xf) {
+        case USB_EVT_EP:
+            ret = usb_bt_event_dequeue(s, p);
+            break;
+
+        default:
+            goto fail;
+        }
+        break;
+
+    case USB_TOKEN_OUT:
+        switch (p->devep & 0xf) {
+        case USB_ACL_EP:
+            bt_submit_acl(&s->hci, p->len, p->data);
+            break;
+        case USB_SCO_EP:
+            bt_submit_sco(&s->hci, p->len, p->data);
+            break;
+
+        default:
+            goto fail;
+        }
+        break;
+
+    default:
+    fail:
+        ret = USB_RET_STALL;
+        break;
+    }
+    return ret;
+}
+
+static void usb_bt_handle_destroy(USBDevice *dev)
+{
+    struct USBBtState *s = (struct USBBtState *) dev->opaque;
+
+    bt_hci_done(&s->hci);
+    qemu_free(s);
+}
+
+static uint8_t *usb_bt_evt_packet(void *opaque)
+{
+    struct USBBtState *s = (struct USBBtState *) opaque;
+    return s->evt_fifo[(s->evt_start + s->evt_len) & EVT_FIFO_LEN_MASK].pkt;
+}
+
+static void usb_bt_evt_submit(void *opaque, int len)
+{
+    struct USBBtState *s = (struct USBBtState *) opaque;
+    s->evt_fifo[(s->evt_start + s->evt_len) & EVT_FIFO_LEN_MASK].start = 0;
+    s->evt_fifo[(s->evt_start + s->evt_len ++) & EVT_FIFO_LEN_MASK].len = len;
+}
+
+static void usb_bt_acl_submit(void *opaque, uint8_t *data, int len)
+{
+    struct USBBtState *s = (struct USBBtState *) opaque;
+}
+
+static void usb_bt_sco_submit(void *opaque, uint8_t *data, int len)
+{
+    struct USBBtState *s = (struct USBBtState *) opaque;
+}
+
+USBDevice *usb_bt_init(struct bt_piconet_s *net)
+{
+    struct USBBtState *s;
+
+    s = qemu_mallocz(sizeof(struct USBBtState));
+    if (!s)
+        return NULL;
+    s->dev.opaque = s;
+    s->dev.speed = USB_SPEED_HIGH;
+    s->dev.handle_packet = usb_generic_handle_packet;
+    pstrcpy(s->dev.devname, sizeof(s->dev.devname), "QEMU BT dongle");
+
+    s->dev.handle_reset = usb_bt_handle_reset;
+    s->dev.handle_control = usb_bt_handle_control;
+    s->dev.handle_data = usb_bt_handle_data;
+    s->dev.handle_destroy = usb_bt_handle_destroy;
+
+    bt_hci_init(&s->hci);
+    s->hci.evt_packet = usb_bt_evt_packet;
+    s->hci.evt_submit = usb_bt_evt_submit;
+    s->hci.acl_submit = usb_bt_acl_submit;
+    s->hci.sco_submit = usb_bt_sco_submit;
+    s->hci.opaque = s;
+    s->hci.net = net;
+
+    return &s->dev;
+}




