Add L2CAP logic and a virtual SDP server for use in emulated devices.
Mon, 29 Sep 2008 00:14:22 +0000 (00:14 +0000)
Mon, 29 Sep 2008 00:14:22 +0000 (00:14 +0000)
Note that the L2CAP flow-controlled mode is not fully supported.

 OBJS+=usb.o usb-hub.o usb-linux.o usb-hid.o usb-msd.o usb-wacom.o
 OBJS+=usb-serial.o usb-net.o
 OBJS+=sd.o ssi-sd.o
-OBJS+=bt.o bt-host.o bt-hci.o
+OBJS+=bt.o bt-host.o bt-l2cap.o bt-sdp.o bt-hci.o
 OBJS+= baum.o
+ * QEMU Bluetooth L2CAP logic.
+ *
+ * Copyright (C) 2008 Andrzej Zaborowski  <>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+ * MA  02110-1301  USA
+ */
+#include "qemu-common.h"
+#include "qemu-timer.h"
+#include "bt.h"
+#define L2CAP_CID_MAX  0x100   /* Between 0x40 and 0x10000 */
+struct l2cap_instance_s {
+    struct bt_link_s *link;
+    struct bt_l2cap_device_s *dev;
+    int role;
+    uint8_t frame_in[65535 + L2CAP_HDR_SIZE] __attribute__ ((aligned (4)));
+    int frame_in_len;
+    uint8_t frame_out[65535 + L2CAP_HDR_SIZE] __attribute__ ((aligned (4)));
+    int frame_out_len;
+    /* Signalling channel timers.  They exist per-request but we can make
+     * sure we have no more than one outstanding request at any time.  */
+    QEMUTimer *rtx;
+    QEMUTimer *ertx;
+    int last_id;
+    int next_id;
+    struct l2cap_chan_s {
+        struct bt_l2cap_conn_params_s params;
+        void (*frame_in)(struct l2cap_chan_s *chan, uint16_t cid,
+                        const l2cap_hdr *hdr, int len);
+        int mps;
+        int min_mtu;
+        struct l2cap_instance_s *l2cap;
+        /* Only allocated channels */
+        uint16_t remote_cid;
+#define L2CAP_CFG_INIT 2
+#define L2CAP_CFG_ACC  1
+        int config_req_id; /* TODO: handle outgoing requests generically */
+        int config;
+        /* Only connection-oriented channels.  Note: if we allow the tx and
+         * rx traffic to be in different modes at any time, we need two.  */
+        int mode;
+        /* Only flow-controlled, connection-oriented channels */
+        uint8_t sdu[65536]; /* TODO: dynamically allocate */
+        int len_cur, len_total;
+        int rexmit;
+        int monitor_timeout;
+        QEMUTimer *monitor_timer;
+        QEMUTimer *retransmission_timer;
+    } *cid[L2CAP_CID_MAX];
+    /* The channel state machine states map as following:
+     * CLOSED           -> !cid[N]
+     * WAIT_CONNECT     -> never occurs
+     * WAIT_CONNECT_RSP -> never occurs
+     * CONFIG           -> cid[N] && config < 3
+     *   WAIT_CONFIG         -> never occurs, cid[N] && config == 0 && !config_r
+     *   WAIT_SEND_CONFIG    -> never occurs, cid[N] && config == 1 && !config_r
+     *   WAIT_CONFIG_REQ_RSP -> cid[N] && config == 0 && config_req_id
+     *   WAIT_CONFIG_RSP     -> cid[N] && config == 1 && config_req_id
+     *   WAIT_CONFIG_REQ     -> cid[N] && config == 2
+     * OPEN             -> cid[N] && config == 3
+     * WAIT_DISCONNECT  -> never occurs
+     */
+    struct l2cap_chan_s signalling_ch;
+    struct l2cap_chan_s group_ch;
+struct slave_l2cap_instance_s {
+    struct bt_link_s link;     /* Underlying logical link (ACL) */
+    struct l2cap_instance_s l2cap;
+struct bt_l2cap_psm_s {
+    int psm;
+    int min_mtu;
+    int (*new_channel)(struct bt_l2cap_device_s *device,
+                    struct bt_l2cap_conn_params_s *params);
+    struct bt_l2cap_psm_s *next;
+static const uint16_t l2cap_fcs16_table[256] = {
+    0x0000, 0xc0c1, 0xc181, 0x0140, 0xc301, 0x03c0, 0x0280, 0xc241,
+    0xc601, 0x06c0, 0x0780, 0xc741, 0x0500, 0xc5c1, 0xc481, 0x0440,
+    0xcc01, 0x0cc0, 0x0d80, 0xcd41, 0x0f00, 0xcfc1, 0xce81, 0x0e40,
+    0x0a00, 0xcac1, 0xcb81, 0x0b40, 0xc901, 0x09c0, 0x0880, 0xc841,
+    0xd801, 0x18c0, 0x1980, 0xd941, 0x1b00, 0xdbc1, 0xda81, 0x1a40,
+    0x1e00, 0xdec1, 0xdf81, 0x1f40, 0xdd01, 0x1dc0, 0x1c80, 0xdc41,
+    0x1400, 0xd4c1, 0xd581, 0x1540, 0xd701, 0x17c0, 0x1680, 0xd641,
+    0xd201, 0x12c0, 0x1380, 0xd341, 0x1100, 0xd1c1, 0xd081, 0x1040,
+    0xf001, 0x30c0, 0x3180, 0xf141, 0x3300, 0xf3c1, 0xf281, 0x3240,
+    0x3600, 0xf6c1, 0xf781, 0x3740, 0xf501, 0x35c0, 0x3480, 0xf441,
+    0x3c00, 0xfcc1, 0xfd81, 0x3d40, 0xff01, 0x3fc0, 0x3e80, 0xfe41,
+    0xfa01, 0x3ac0, 0x3b80, 0xfb41, 0x3900, 0xf9c1, 0xf881, 0x3840,
+    0x2800, 0xe8c1, 0xe981, 0x2940, 0xeb01, 0x2bc0, 0x2a80, 0xea41,
+    0xee01, 0x2ec0, 0x2f80, 0xef41, 0x2d00, 0xedc1, 0xec81, 0x2c40,
+    0xe401, 0x24c0, 0x2580, 0xe541, 0x2700, 0xe7c1, 0xe681, 0x2640,
+    0x2200, 0xe2c1, 0xe381, 0x2340, 0xe101, 0x21c0, 0x2080, 0xe041,
+    0xa001, 0x60c0, 0x6180, 0xa141, 0x6300, 0xa3c1, 0xa281, 0x6240,
+    0x6600, 0xa6c1, 0xa781, 0x6740, 0xa501, 0x65c0, 0x6480, 0xa441,
+    0x6c00, 0xacc1, 0xad81, 0x6d40, 0xaf01, 0x6fc0, 0x6e80, 0xae41,
+    0xaa01, 0x6ac0, 0x6b80, 0xab41, 0x6900, 0xa9c1, 0xa881, 0x6840,
+    0x7800, 0xb8c1, 0xb981, 0x7940, 0xbb01, 0x7bc0, 0x7a80, 0xba41,
+    0xbe01, 0x7ec0, 0x7f80, 0xbf41, 0x7d00, 0xbdc1, 0xbc81, 0x7c40,
+    0xb401, 0x74c0, 0x7580, 0xb541, 0x7700, 0xb7c1, 0xb681, 0x7640,
+    0x7200, 0xb2c1, 0xb381, 0x7340, 0xb101, 0x71c0, 0x7080, 0xb041,
+    0x5000, 0x90c1, 0x9181, 0x5140, 0x9301, 0x53c0, 0x5280, 0x9241,
+    0x9601, 0x56c0, 0x5780, 0x9741, 0x5500, 0x95c1, 0x9481, 0x5440,
+    0x9c01, 0x5cc0, 0x5d80, 0x9d41, 0x5f00, 0x9fc1, 0x9e81, 0x5e40,
+    0x5a00, 0x9ac1, 0x9b81, 0x5b40, 0x9901, 0x59c0, 0x5880, 0x9841,
+    0x8801, 0x48c0, 0x4980, 0x8941, 0x4b00, 0x8bc1, 0x8a81, 0x4a40,
+    0x4e00, 0x8ec1, 0x8f81, 0x4f40, 0x8d01, 0x4dc0, 0x4c80, 0x8c41,
+    0x4400, 0x84c1, 0x8581, 0x4540, 0x8701, 0x47c0, 0x4680, 0x8641,
+    0x8201, 0x42c0, 0x4380, 0x8341, 0x4100, 0x81c1, 0x8081, 0x4040,
+static uint16_t l2cap_fcs16(const uint8_t *message, int len)
+    uint16_t fcs = 0x0000;
+    while (len --)
+#if 0
+    {
+        int i;
+        fcs ^= *message ++;
+        for (i = 8; i; -- i)
+            if (fcs & 1)
+                fcs = (fcs >> 1) ^ 0xa001;
+            else
+                fcs = (fcs >> 1);
+    }
+        fcs = (fcs >> 8) ^ l2cap_fcs16_table[(fcs ^ *message ++) & 0xff];
+    return fcs;
+/* L2CAP layer logic (protocol) */
+static void l2cap_retransmission_timer_update(struct l2cap_chan_s *ch)
+#if 0
+    if (ch->mode != L2CAP_MODE_BASIC && ch->rexmit)
+        qemu_mod_timer(ch->retransmission_timer);
+    else
+        qemu_del_timer(ch->retransmission_timer);
+static void l2cap_monitor_timer_update(struct l2cap_chan_s *ch)
+#if 0
+    if (ch->mode != L2CAP_MODE_BASIC && !ch->rexmit)
+        qemu_mod_timer(ch->monitor_timer);
+    else
+        qemu_del_timer(ch->monitor_timer);
+static void l2cap_command_reject(struct l2cap_instance_s *l2cap, int id,
+                uint16_t reason, const void *data, int plen)
+    uint8_t *pkt;
+    l2cap_cmd_hdr *hdr;
+    l2cap_cmd_rej *params;
+    uint16_t len;
+    reason = cpu_to_le16(reason);
+    len = cpu_to_le16(L2CAP_CMD_REJ_SIZE + plen);
+    pkt = l2cap->signalling_ch.params.sdu_out(&l2cap->signalling_ch.params,
+                    L2CAP_CMD_HDR_SIZE + L2CAP_CMD_REJ_SIZE + plen);
+    hdr = (void *) (pkt + 0);
+    params = (void *) (pkt + L2CAP_CMD_HDR_SIZE);
+    hdr->code = L2CAP_COMMAND_REJ;
+    hdr->ident = id;
+    memcpy(&hdr->len, &len, sizeof(hdr->len));
+    memcpy(&params->reason, &reason, sizeof(reason));
+    if (plen)
+       memcpy(pkt + L2CAP_CMD_HDR_SIZE + L2CAP_CMD_REJ_SIZE, data, plen);
+    l2cap->signalling_ch.params.sdu_submit(&l2cap->signalling_ch.params);
+static void l2cap_command_reject_cid(struct l2cap_instance_s *l2cap, int id,
+                uint16_t reason, uint16_t dcid, uint16_t scid)
+    l2cap_cmd_rej_cid params = {
+        .dcid = dcid,
+        .scid = scid,
+    };
+    l2cap_command_reject(l2cap, id, reason, &params, L2CAP_CMD_REJ_CID_SIZE);
+static void l2cap_connection_response(struct l2cap_instance_s *l2cap,
+                int dcid, int scid, int result, int status)
+    uint8_t *pkt;
+    l2cap_cmd_hdr *hdr;
+    l2cap_conn_rsp *params;
+    pkt = l2cap->signalling_ch.params.sdu_out(&l2cap->signalling_ch.params,
+                    L2CAP_CMD_HDR_SIZE + L2CAP_CONN_RSP_SIZE);
+    hdr = (void *) (pkt + 0);
+    params = (void *) (pkt + L2CAP_CMD_HDR_SIZE);
+    hdr->code = L2CAP_CONN_RSP;
+    hdr->ident = l2cap->last_id;
+    hdr->len = cpu_to_le16(L2CAP_CONN_RSP_SIZE);
+    params->dcid = cpu_to_le16(dcid);
+    params->scid = cpu_to_le16(scid);
+    params->result = cpu_to_le16(result);
+    params->status = cpu_to_le16(status);
+    l2cap->signalling_ch.params.sdu_submit(&l2cap->signalling_ch.params);
+static void l2cap_configuration_request(struct l2cap_instance_s *l2cap,
+                int dcid, int flag, const uint8_t *data, int len)
+    uint8_t *pkt;
+    l2cap_cmd_hdr *hdr;
+    l2cap_conf_req *params;
+    pkt = l2cap->signalling_ch.params.sdu_out(&l2cap->signalling_ch.params,
+                    L2CAP_CMD_HDR_SIZE + L2CAP_CONF_REQ_SIZE(len));
+    hdr = (void *) (pkt + 0);
+    params = (void *) (pkt + L2CAP_CMD_HDR_SIZE);
+    /* TODO: unify the id sequencing */
+    l2cap->last_id = l2cap->next_id;
+    l2cap->next_id = l2cap->next_id == 255 ? 1 : l2cap->next_id + 1;
+    hdr->code = L2CAP_CONF_REQ;
+    hdr->ident = l2cap->last_id;
+    hdr->len = cpu_to_le16(L2CAP_CONF_REQ_SIZE(len));
+    params->dcid = cpu_to_le16(dcid);
+    params->flags = cpu_to_le16(flag);
+    if (len)
+        memcpy(params->data, data, len);
+    l2cap->signalling_ch.params.sdu_submit(&l2cap->signalling_ch.params);
+static void l2cap_configuration_response(struct l2cap_instance_s *l2cap,
+                int scid, int flag, int result, const uint8_t *data, int len)
+    uint8_t *pkt;
+    l2cap_cmd_hdr *hdr;
+    l2cap_conf_rsp *params;
+    pkt = l2cap->signalling_ch.params.sdu_out(&l2cap->signalling_ch.params,
+                    L2CAP_CMD_HDR_SIZE + L2CAP_CONF_RSP_SIZE(len));
+    hdr = (void *) (pkt + 0);
+    params = (void *) (pkt + L2CAP_CMD_HDR_SIZE);
+    hdr->code = L2CAP_CONF_RSP;
+    hdr->ident = l2cap->last_id;
+    hdr->len = cpu_to_le16(L2CAP_CONF_RSP_SIZE(len));
+    params->scid = cpu_to_le16(scid);
+    params->flags = cpu_to_le16(flag);
+    params->result = cpu_to_le16(result);
+    if (len)
+        memcpy(params->data, data, len);
+    l2cap->signalling_ch.params.sdu_submit(&l2cap->signalling_ch.params);
+static void l2cap_disconnection_response(struct l2cap_instance_s *l2cap,
+                int dcid, int scid)
+    uint8_t *pkt;
+    l2cap_cmd_hdr *hdr;
+    l2cap_disconn_rsp *params;
+    pkt = l2cap->signalling_ch.params.sdu_out(&l2cap->signalling_ch.params,
+                    L2CAP_CMD_HDR_SIZE + L2CAP_DISCONN_RSP_SIZE);
+    hdr = (void *) (pkt + 0);
+    params = (void *) (pkt + L2CAP_CMD_HDR_SIZE);
+    hdr->code = L2CAP_DISCONN_RSP;
+    hdr->ident = l2cap->last_id;
+    hdr->len = cpu_to_le16(L2CAP_DISCONN_RSP_SIZE);
+    params->dcid = cpu_to_le16(dcid);
+    params->scid = cpu_to_le16(scid);
+    l2cap->signalling_ch.params.sdu_submit(&l2cap->signalling_ch.params);
+static void l2cap_echo_response(struct l2cap_instance_s *l2cap,
+                const uint8_t *data, int len)
+    uint8_t *pkt;
+    l2cap_cmd_hdr *hdr;
+    uint8_t *params;
+    pkt = l2cap->signalling_ch.params.sdu_out(&l2cap->signalling_ch.params,
+                    L2CAP_CMD_HDR_SIZE + len);
+    hdr = (void *) (pkt + 0);
+    params = (void *) (pkt + L2CAP_CMD_HDR_SIZE);
+    hdr->code = L2CAP_ECHO_RSP;
+    hdr->ident = l2cap->last_id;
+    hdr->len = cpu_to_le16(len);
+    memcpy(params, data, len);
+    l2cap->signalling_ch.params.sdu_submit(&l2cap->signalling_ch.params);
+static void l2cap_info_response(struct l2cap_instance_s *l2cap, int type,
+                int result, const uint8_t *data, int len)
+    uint8_t *pkt;
+    l2cap_cmd_hdr *hdr;
+    l2cap_info_rsp *params;
+    pkt = l2cap->signalling_ch.params.sdu_out(&l2cap->signalling_ch.params,
+                    L2CAP_CMD_HDR_SIZE + L2CAP_INFO_RSP_SIZE + len);
+    hdr = (void *) (pkt + 0);
+    params = (void *) (pkt + L2CAP_CMD_HDR_SIZE);
+    hdr->code = L2CAP_INFO_RSP;
+    hdr->ident = l2cap->last_id;
+    hdr->len = cpu_to_le16(L2CAP_INFO_RSP_SIZE + len);
+    params->type = cpu_to_le16(type);
+    params->result = cpu_to_le16(result);
+    if (len)
+       memcpy(params->data, data, len);
+    l2cap->signalling_ch.params.sdu_submit(&l2cap->signalling_ch.params);
+static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, int len);
+static void l2cap_bframe_submit(struct bt_l2cap_conn_params_s *parms);
+#if 0
+static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, int len);
+static void l2cap_iframe_submit(struct bt_l2cap_conn_params_s *parm);
+static void l2cap_bframe_in(struct l2cap_chan_s *ch, uint16_t cid,
+                const l2cap_hdr *hdr, int len);
+static void l2cap_iframe_in(struct l2cap_chan_s *ch, uint16_t cid,
+                const l2cap_hdr *hdr, int len);
+static int l2cap_cid_new(struct l2cap_instance_s *l2cap)
+    int i;
+    for (i = L2CAP_CID_ALLOC; i < L2CAP_CID_MAX; i ++)
+        if (!l2cap->cid[i])
+            return i;
+    return L2CAP_CID_INVALID;
+static inline struct bt_l2cap_psm_s *l2cap_psm(
+                struct bt_l2cap_device_s *device, int psm)
+    struct bt_l2cap_psm_s *ret = device->first_psm;
+    while (ret && ret->psm != psm)
+        ret = ret->next;
+    return ret;
+static struct l2cap_chan_s *l2cap_channel_open(struct l2cap_instance_s *l2cap,
+                int psm, int source_cid)
+    struct l2cap_chan_s *ch = 0;
+    struct bt_l2cap_psm_s *psm_info;
+    int result, status;
+    int cid = l2cap_cid_new(l2cap);
+    if (cid) {
+        /* See what the channel is to be used for.. */
+        psm_info = l2cap_psm(l2cap->dev, psm);
+        if (psm_info) {
+            /* Device supports this use-case.  */
+            ch = qemu_mallocz(sizeof(*ch));
+            ch->params.sdu_out = l2cap_bframe_out;
+            ch->params.sdu_submit = l2cap_bframe_submit;
+            ch->frame_in = l2cap_bframe_in;
+            ch->mps = 65536;
+            ch->min_mtu = MAX(48, psm_info->min_mtu);
+            ch->params.remote_mtu = MAX(672, ch->min_mtu);
+            ch->remote_cid = source_cid;
+            ch->mode = L2CAP_MODE_BASIC;
+            ch->l2cap = l2cap;
+            /* Does it feel like opening yet another channel though?  */
+            if (!psm_info->new_channel(l2cap->dev, &ch->params)) {
+                l2cap->cid[cid] = ch;
+                result = L2CAP_CR_SUCCESS;
+                status = L2CAP_CS_NO_INFO;
+            } else {
+                qemu_free(ch);
+                result = L2CAP_CR_NO_MEM;
+                status = L2CAP_CS_NO_INFO;
+            }
+        } else {
+            result = L2CAP_CR_BAD_PSM;
+            status = L2CAP_CS_NO_INFO;
+        }
+    } else {
+        result = L2CAP_CR_NO_MEM;
+        status = L2CAP_CS_NO_INFO;
+    }
+    l2cap_connection_response(l2cap, cid, source_cid, result, status);
+    return ch;
+static void l2cap_channel_close(struct l2cap_instance_s *l2cap,
+                int cid, int source_cid)
+    struct l2cap_chan_s *ch = 0;
+    /* According to Volume 3, section 6.1.1, pg 1048 of BT Core V2.0, a
+     * connection in CLOSED state still responds with a L2CAP_DisconnectRsp
+     * message on an L2CAP_DisconnectReq event.  */
+    if (unlikely(cid < L2CAP_CID_ALLOC)) {
+        l2cap_command_reject_cid(l2cap, l2cap->last_id, L2CAP_REJ_CID_INVAL,
+                        cid, source_cid);
+        return;
+    }
+    if (likely(cid >= L2CAP_CID_ALLOC && cid < L2CAP_CID_MAX))
+        ch = l2cap->cid[cid];
+    if (likely(ch)) {
+        if (ch->remote_cid != source_cid) {
+            fprintf(stderr, "%s: Ignoring a Disconnection Request with the "
+                            "invalid SCID %04x.\n", __FUNCTION__, source_cid);
+            return;
+        }
+        l2cap->cid[cid] = 0;
+        ch->params.close(ch->params.opaque);
+        qemu_free(ch);
+    }
+    l2cap_disconnection_response(l2cap, cid, source_cid);
+static void l2cap_channel_config_null(struct l2cap_instance_s *l2cap,
+                struct l2cap_chan_s *ch)
+    l2cap_configuration_request(l2cap, ch->remote_cid, 0, 0, 0);
+    ch->config_req_id = l2cap->last_id;
+    ch->config &= ~L2CAP_CFG_INIT;
+static void l2cap_channel_config_req_event(struct l2cap_instance_s *l2cap,
+                struct l2cap_chan_s *ch)
+    /* Use all default channel options and terminate negotiation.  */
+    l2cap_channel_config_null(l2cap, ch);
+static int l2cap_channel_config(struct l2cap_instance_s *l2cap,
+                struct l2cap_chan_s *ch, int flag,
+                const uint8_t *data, int len)
+    l2cap_conf_opt *opt;
+    l2cap_conf_opt_qos *qos;
+    uint32_t val;
+    uint8_t rsp[len];
+    int result = L2CAP_CONF_SUCCESS;
+    data = memcpy(rsp, data, len);
+    while (len) {
+        opt = (void *) data;
+        if (len < L2CAP_CONF_OPT_SIZE ||
+                        len < L2CAP_CONF_OPT_SIZE + opt->len) {
+            result = L2CAP_CONF_REJECT;
+            break;
+        }
+        data += L2CAP_CONF_OPT_SIZE + opt->len;
+        len -= L2CAP_CONF_OPT_SIZE + opt->len;
+        switch (opt->type & 0x7f) {
+        case L2CAP_CONF_MTU:
+            if (opt->len != 2) {
+                result = L2CAP_CONF_REJECT;
+                break;
+            }
+            /* MTU */
+            val = le16_to_cpup((void *) opt->val);
+            if (val < ch->min_mtu) {
+                cpu_to_le16w((void *) opt->val, ch->min_mtu);
+                result = L2CAP_CONF_UNACCEPT;
+                break;
+            }
+            ch->params.remote_mtu = val;
+            break;
+        case L2CAP_CONF_FLUSH_TO:
+            if (opt->len != 2) {
+                result = L2CAP_CONF_REJECT;
+                break;
+            }
+            /* Flush Timeout */
+            val = le16_to_cpup((void *) opt->val);
+            if (val < 0x0001) {
+                opt->val[0] = 0xff;
+                opt->val[1] = 0xff;
+                result = L2CAP_CONF_UNACCEPT;
+                break;
+            }
+            break;
+        case L2CAP_CONF_QOS:
+            if (opt->len != L2CAP_CONF_OPT_QOS_SIZE) {
+                result = L2CAP_CONF_REJECT;
+                break;
+            }
+            qos = (void *) opt->val;
+            /* Flags */
+            val = qos->flags;
+            if (val) {
+                qos->flags = 0;
+                result = L2CAP_CONF_UNACCEPT;
+            }
+            /* Service type */
+            val = qos->service_type;
+            if (val != L2CAP_CONF_QOS_BEST_EFFORT &&
+                            val != L2CAP_CONF_QOS_NO_TRAFFIC) {
+                qos->service_type = L2CAP_CONF_QOS_BEST_EFFORT;
+                result = L2CAP_CONF_UNACCEPT;
+            }
+            if (val != L2CAP_CONF_QOS_NO_TRAFFIC) {
+                /* XXX: These values should possibly be calculated
+                 * based on LM / baseband properties also.  */
+                /* Token rate */
+                val = le32_to_cpu(qos->token_rate);
+                if (val == L2CAP_CONF_QOS_WILDCARD)
+                    qos->token_rate = cpu_to_le32(0x100000);
+                /* Token bucket size */
+                val = le32_to_cpu(qos->token_bucket_size);
+                if (val == L2CAP_CONF_QOS_WILDCARD)
+                    qos->token_bucket_size = cpu_to_le32(65500);
+                /* Any Peak bandwidth value is correct to return as-is */
+                /* Any Access latency value is correct to return as-is */
+                /* Any Delay variation value is correct to return as-is */
+            }
+            break;
+        case L2CAP_CONF_RFC:
+            if (opt->len != 9) {
+                result = L2CAP_CONF_REJECT;
+                break;
+            }
+            /* Mode */
+            val = opt->val[0];
+            switch (val) {
+            case L2CAP_MODE_BASIC:
+                ch->mode = val;
+                ch->frame_in = l2cap_bframe_in;
+                /* All other parameters shall be ignored */
+                break;
+            case L2CAP_MODE_RETRANS:
+            case L2CAP_MODE_FLOWCTL:
+                ch->mode = val;
+                ch->frame_in = l2cap_iframe_in;
+                /* Note: most of these parameters refer to incoming traffic
+                 * so we don't need to save them as long as we can accept
+                 * incoming PDUs at any values of the parameters.  */
+                /* TxWindow size */
+                val = opt->val[1];
+                if (val < 1 || val > 32) {
+                    opt->val[1] = 32;
+                    result = L2CAP_CONF_UNACCEPT;
+                    break;
+                }
+                /* MaxTransmit */
+                val = opt->val[2];
+                if (val < 1) {
+                    opt->val[2] = 1;
+                    result = L2CAP_CONF_UNACCEPT;
+                    break;
+                }
+                /* Remote Retransmission time-out shouldn't affect local
+                 * operation (?) */
+                /* The Monitor time-out drives the local Monitor timer (?),
+                 * so save the value.  */
+                val = (opt->val[6] << 8) | opt->val[5];
+                if (val < 30) {
+                    opt->val[5] = 100 & 0xff;
+                    opt->val[6] = 100 >> 8;
+                    result = L2CAP_CONF_UNACCEPT;
+                    break;
+                }
+                ch->monitor_timeout = val;
+                l2cap_monitor_timer_update(ch);
+                /* MPS */
+                val = (opt->val[8] << 8) | opt->val[7];
+                if (val < ch->min_mtu) {
+                    opt->val[7] = ch->min_mtu & 0xff;
+                    opt->val[8] = ch->min_mtu >> 8;
+                    result = L2CAP_CONF_UNACCEPT;
+                    break;
+                }
+                ch->mps = val;
+                break;
+            default:
+                result = L2CAP_CONF_UNACCEPT;
+                break;
+            }
+            break;
+        default:
+            if (!(opt->type >> 7))
+                result = L2CAP_CONF_UNKNOWN;
+            break;
+        }
+        if (result != L2CAP_CONF_SUCCESS)
+            break;     /* XXX: should continue? */
+    }
+    l2cap_configuration_response(l2cap, ch->remote_cid,
+                    flag, result, rsp, len);
+    return result == L2CAP_CONF_SUCCESS && !flag;
+static void l2cap_channel_config_req_msg(struct l2cap_instance_s *l2cap,
+                int flag, int cid, const uint8_t *data, int len)
+    struct l2cap_chan_s *ch;
+    if (unlikely(cid >= L2CAP_CID_MAX || !l2cap->cid[cid])) {
+        l2cap_command_reject_cid(l2cap, l2cap->last_id, L2CAP_REJ_CID_INVAL,
+                        cid, 0x0000);
+        return;
+    }
+    ch = l2cap->cid[cid];
+    /* From OPEN go to WAIT_CONFIG_REQ and from WAIT_CONFIG_REQ_RSP to
+     * WAIT_CONFIG_REQ_RSP.  This is assuming the transition chart for OPEN
+     * on pg 1053, section 6.1.5, volume 3 of BT Core V2.0 has a mistake
+     * and on options-acceptable we go back to OPEN and otherwise to
+     * WAIT_CONFIG_REQ and not the other way.  */
+    ch->config &= ~L2CAP_CFG_ACC;
+    if (l2cap_channel_config(l2cap, ch, flag, data, len))
+        /* Go to OPEN or WAIT_CONFIG_RSP */
+        ch->config |= L2CAP_CFG_ACC;
+    /* TODO: if the incoming traffic flow control or retransmission mode
+     * changed then we probably need to also generate the
+     * ConfigureChannel_Req event and set the outgoing traffic to the same
+     * mode.  */
+    if (!(ch->config & L2CAP_CFG_INIT) && (ch->config & L2CAP_CFG_ACC) &&
+                    !ch->config_req_id)
+        l2cap_channel_config_req_event(l2cap, ch);
+static int l2cap_channel_config_rsp_msg(struct l2cap_instance_s *l2cap,
+                int result, int flag, int cid, const uint8_t *data, int len)
+    struct l2cap_chan_s *ch;
+    if (unlikely(cid >= L2CAP_CID_MAX || !l2cap->cid[cid])) {
+        l2cap_command_reject_cid(l2cap, l2cap->last_id, L2CAP_REJ_CID_INVAL,
+                        cid, 0x0000);
+        return 0;
+    }
+    ch = l2cap->cid[cid];
+    if (ch->config_req_id != l2cap->last_id)
+        return 1;
+    ch->config_req_id = 0;
+    if (result == L2CAP_CONF_SUCCESS) {
+        if (!flag)
+            ch->config |= L2CAP_CFG_INIT;
+        else
+            l2cap_channel_config_null(l2cap, ch);
+    } else
+        /* Retry until we succeed */
+        l2cap_channel_config_req_event(l2cap, ch);
+    return 0;
+static void l2cap_channel_open_req_msg(struct l2cap_instance_s *l2cap,
+                int psm, int source_cid)
+    struct l2cap_chan_s *ch = l2cap_channel_open(l2cap, psm, source_cid);
+    if (!ch)
+        return;
+    /* Optional */
+    if (!(ch->config & L2CAP_CFG_INIT) && !ch->config_req_id)
+        l2cap_channel_config_req_event(l2cap, ch);
+static void l2cap_info(struct l2cap_instance_s *l2cap, int type)
+    uint8_t data[4];
+    int len = 0;
+    int result = L2CAP_IR_SUCCESS;
+    switch (type) {
+    case L2CAP_IT_CL_MTU:
+        data[len ++] = l2cap->group_ch.mps & 0xff;
+        data[len ++] = l2cap->group_ch.mps >> 8;
+        break;
+    case L2CAP_IT_FEAT_MASK:
+        /* (Prematurely) report Flow control and Retransmission modes.  */
+        data[len ++] = 0x03;
+        data[len ++] = 0x00;
+        data[len ++] = 0x00;
+        data[len ++] = 0x00;
+        break;
+    default:
+        result = L2CAP_IR_NOTSUPP;
+    }
+    l2cap_info_response(l2cap, type, result, data, len);
+static void l2cap_command(struct l2cap_instance_s *l2cap, int code, int id,
+                const uint8_t *params, int len)
+    int err;
+#if 0
+    /* TODO: do the IDs really have to be in sequence?  */
+    if (!id || (id != l2cap->last_id && id != l2cap->next_id)) {
+        fprintf(stderr, "%s: out of sequence command packet ignored.\n",
+                        __FUNCTION__);
+        return;
+    }
+    l2cap->next_id = id;
+    if (id == l2cap->next_id) {
+        l2cap->last_id = l2cap->next_id;
+        l2cap->next_id = l2cap->next_id == 255 ? 1 : l2cap->next_id + 1;
+    } else {
+        /* TODO: Need to re-send the same response, without re-executing
+         * the corresponding command!  */
+    }
+    switch (code) {
+    case L2CAP_COMMAND_REJ:
+        if (unlikely(len != 2 && len != 4 && len != 6)) {
+            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
+            goto reject;
+        }
+        /* We never issue commands other than Command Reject currently.  */
+        fprintf(stderr, "%s: stray Command Reject (%02x, %04x) "
+                        "packet, ignoring.\n", __FUNCTION__, id,
+                        le16_to_cpu(((l2cap_cmd_rej *) params)->reason));
+        break;
+    case L2CAP_CONN_REQ:
+        if (unlikely(len != L2CAP_CONN_REQ_SIZE)) {
+            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
+            goto reject;
+        }
+        l2cap_channel_open_req_msg(l2cap,
+                        le16_to_cpu(((l2cap_conn_req *) params)->psm),
+                        le16_to_cpu(((l2cap_conn_req *) params)->scid));
+        break;
+    case L2CAP_CONN_RSP:
+        if (unlikely(len != L2CAP_CONN_RSP_SIZE)) {
+            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
+            goto reject;
+        }
+        /* We never issue Connection Requests currently. TODO  */
+        fprintf(stderr, "%s: unexpected Connection Response (%02x) "
+                        "packet, ignoring.\n", __FUNCTION__, id);
+        break;
+    case L2CAP_CONF_REQ:
+        if (unlikely(len < L2CAP_CONF_REQ_SIZE(0))) {
+            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
+            goto reject;
+        }
+        l2cap_channel_config_req_msg(l2cap,
+                        le16_to_cpu(((l2cap_conf_req *) params)->flags) & 1,
+                        le16_to_cpu(((l2cap_conf_req *) params)->dcid),
+                        ((l2cap_conf_req *) params)->data,
+                        len - L2CAP_CONF_REQ_SIZE(0));
+        break;
+    case L2CAP_CONF_RSP:
+        if (unlikely(len < L2CAP_CONF_RSP_SIZE(0))) {
+            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
+            goto reject;
+        }
+        if (l2cap_channel_config_rsp_msg(l2cap,
+                        le16_to_cpu(((l2cap_conf_rsp *) params)->result),
+                        le16_to_cpu(((l2cap_conf_rsp *) params)->flags) & 1,
+                        le16_to_cpu(((l2cap_conf_rsp *) params)->scid),
+                        ((l2cap_conf_rsp *) params)->data,
+                        len - L2CAP_CONF_RSP_SIZE(0)))
+            fprintf(stderr, "%s: unexpected Configure Response (%02x) "
+                            "packet, ignoring.\n", __FUNCTION__, id);
+        break;
+    case L2CAP_DISCONN_REQ:
+        if (unlikely(len != L2CAP_DISCONN_REQ_SIZE)) {
+            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
+            goto reject;
+        }
+        l2cap_channel_close(l2cap,
+                        le16_to_cpu(((l2cap_disconn_req *) params)->dcid),
+                        le16_to_cpu(((l2cap_disconn_req *) params)->scid));
+        break;
+    case L2CAP_DISCONN_RSP:
+        if (unlikely(len != L2CAP_DISCONN_RSP_SIZE)) {
+            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
+            goto reject;
+        }
+        /* We never issue Disconnection Requests currently. TODO  */
+        fprintf(stderr, "%s: unexpected Disconnection Response (%02x) "
+                        "packet, ignoring.\n", __FUNCTION__, id);
+        break;
+    case L2CAP_ECHO_REQ:
+        l2cap_echo_response(l2cap, params, len);
+        break;
+    case L2CAP_ECHO_RSP:
+        /* We never issue Echo Requests currently. TODO  */
+        fprintf(stderr, "%s: unexpected Echo Response (%02x) "
+                        "packet, ignoring.\n", __FUNCTION__, id);
+        break;
+    case L2CAP_INFO_REQ:
+        if (unlikely(len != L2CAP_INFO_REQ_SIZE)) {
+            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
+            goto reject;
+        }
+        l2cap_info(l2cap, le16_to_cpu(((l2cap_info_req *) params)->type));
+        break;
+    case L2CAP_INFO_RSP:
+        if (unlikely(len != L2CAP_INFO_RSP_SIZE)) {
+            err = L2CAP_REJ_CMD_NOT_UNDERSTOOD;
+            goto reject;
+        }
+        /* We never issue Information Requests currently. TODO  */
+        fprintf(stderr, "%s: unexpected Information Response (%02x) "
+                        "packet, ignoring.\n", __FUNCTION__, id);
+        break;
+    default:
+    reject:
+        l2cap_command_reject(l2cap, id, err, 0, 0);
+        break;
+    }
+static void l2cap_rexmit_enable(struct l2cap_chan_s *ch, int enable)
+    ch->rexmit = enable;
+    l2cap_retransmission_timer_update(ch);
+    l2cap_monitor_timer_update(ch);
+/* Command frame SDU */
+static void l2cap_cframe_in(void *opaque, const uint8_t *data, int len)
+    struct l2cap_instance_s *l2cap = opaque;
+    const l2cap_cmd_hdr *hdr;
+    int clen;
+    while (len) {
+        hdr = (void *) data;
+        if (len < L2CAP_CMD_HDR_SIZE)
+            /* TODO: signal an error */
+            return;
+        len -= L2CAP_CMD_HDR_SIZE;
+        data += L2CAP_CMD_HDR_SIZE;
+        clen = le16_to_cpu(hdr->len);
+        if (len < clen) {
+            l2cap_command_reject(l2cap, hdr->ident,
+                            L2CAP_REJ_CMD_NOT_UNDERSTOOD, 0, 0);
+            break;
+        }
+        l2cap_command(l2cap, hdr->code, hdr->ident, data, clen);
+        len -= clen;
+        data += clen;
+    }
+/* Group frame SDU */
+static void l2cap_gframe_in(void *opaque, const uint8_t *data, int len)
+/* Supervisory frame */
+static void l2cap_sframe_in(struct l2cap_chan_s *ch, uint16_t ctrl)
+/* Basic L2CAP mode Information frame */
+static void l2cap_bframe_in(struct l2cap_chan_s *ch, uint16_t cid,
+                const l2cap_hdr *hdr, int len)
+    /* We have a full SDU, no further processing */
+    ch->params.sdu_in(ch->params.opaque, hdr->data, len);
+/* Flow Control and Retransmission mode frame */
+static void l2cap_iframe_in(struct l2cap_chan_s *ch, uint16_t cid,
+                const l2cap_hdr *hdr, int len)
+    uint16_t fcs = le16_to_cpup((void *) (hdr->data + len - 2));
+    if (len < 4)
+        goto len_error;
+    if (l2cap_fcs16((const uint8_t *) hdr, L2CAP_HDR_SIZE + len - 2) != fcs)
+        goto fcs_error;
+    if ((hdr->data[0] >> 7) == ch->rexmit)
+        l2cap_rexmit_enable(ch, !(hdr->data[0] >> 7));
+    if (hdr->data[0] & 1) {
+        if (len != 4)
+            /* TODO: Signal an error? */;
+            return;
+        return l2cap_sframe_in(ch, le16_to_cpup((void *) hdr->data));
+    }
+    switch (hdr->data[1] >> 6) {       /* SAR */
+    case L2CAP_SAR_NO_SEG:
+        if (ch->len_total)
+            goto seg_error;
+        if (len - 4 > ch->mps)
+            goto len_error;
+        return ch->params.sdu_in(ch->params.opaque, hdr->data + 2, len - 4);
+    case L2CAP_SAR_START:
+        if (ch->len_total || len < 6)
+            goto seg_error;
+        if (len - 6 > ch->mps)
+            goto len_error;
+        ch->len_total = le16_to_cpup((void *) (hdr->data + 2));
+        if (len >= 6 + ch->len_total)
+            goto seg_error;
+        ch->len_cur = len - 6;
+        memcpy(ch->sdu, hdr->data + 4, ch->len_cur);
+        break;
+    case L2CAP_SAR_END:
+        if (!ch->len_total || ch->len_cur + len - 4 < ch->len_total)
+            goto seg_error;
+        if (len - 4 > ch->mps)
+            goto len_error;
+        memcpy(ch->sdu + ch->len_cur, hdr->data + 2, len - 4);
+        return ch->params.sdu_in(ch->params.opaque, ch->sdu, ch->len_total);
+    case L2CAP_SAR_CONT:
+        if (!ch->len_total || ch->len_cur + len - 4 >= ch->len_total)
+            goto seg_error;
+        if (len - 4 > ch->mps)
+            goto len_error;
+        memcpy(ch->sdu + ch->len_cur, hdr->data + 2, len - 4);
+        ch->len_cur += len - 4;
+        break;
+    seg_error:
+    len_error: /* TODO */
+    fcs_error: /* TODO */
+        ch->len_cur = 0;
+        ch->len_total = 0;
+        break;
+    }
+static void l2cap_frame_in(struct l2cap_instance_s *l2cap,
+                const l2cap_hdr *frame)
+    uint16_t cid = le16_to_cpu(frame->cid);
+    uint16_t len = le16_to_cpu(frame->len);
+    if (unlikely(cid >= L2CAP_CID_MAX || !l2cap->cid[cid])) {
+        fprintf(stderr, "%s: frame addressed to a non-existent L2CAP "
+                        "channel %04x received.\n", __FUNCTION__, cid);
+        return;
+    }
+    l2cap->cid[cid]->frame_in(l2cap->cid[cid], cid, frame, len);
+/* "Recombination" */
+static void l2cap_pdu_in(struct l2cap_instance_s *l2cap,
+                const uint8_t *data, int len)
+    const l2cap_hdr *hdr = (void *) l2cap->frame_in;
+    if (unlikely(len + l2cap->frame_in_len > sizeof(l2cap->frame_in))) {
+        if (l2cap->frame_in_len < sizeof(l2cap->frame_in)) {
+            memcpy(l2cap->frame_in + l2cap->frame_in_len, data,
+                            sizeof(l2cap->frame_in) - l2cap->frame_in_len);
+            l2cap->frame_in_len = sizeof(l2cap->frame_in);
+            /* TODO: truncate */
+            l2cap_frame_in(l2cap, hdr);
+        }
+        return;
+    }
+    memcpy(l2cap->frame_in + l2cap->frame_in_len, data, len);
+    l2cap->frame_in_len += len;
+    if (len >= L2CAP_HDR_SIZE)
+        if (len >= L2CAP_HDR_SIZE + le16_to_cpu(hdr->len))
+            l2cap_frame_in(l2cap, hdr);
+            /* There is never a start of a new PDU in the same ACL packet, so
+             * no need to memmove the remaining payload and loop.  */
+static inline uint8_t *l2cap_pdu_out(struct l2cap_instance_s *l2cap,
+                uint16_t cid, uint16_t len)
+    l2cap_hdr *hdr = (void *) l2cap->frame_out;
+    l2cap->frame_out_len = len + L2CAP_HDR_SIZE;
+    hdr->cid = cpu_to_le16(cid);
+    hdr->len = cpu_to_le16(len);
+    return l2cap->frame_out + L2CAP_HDR_SIZE;
+static inline void l2cap_pdu_submit(struct l2cap_instance_s *l2cap)
+    /* TODO: Fragmentation */
+    (l2cap->role ?
+     l2cap->link->slave->lmp_acl_data : l2cap->link->host->lmp_acl_resp)
+            (l2cap->link, l2cap->frame_out, 1, l2cap->frame_out_len);
+static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, int len)
+    struct l2cap_chan_s *chan = (struct l2cap_chan_s *) parm;
+    if (len > chan->params.remote_mtu) {
+        fprintf(stderr, "%s: B-Frame for CID %04x longer than %i octets.\n",
+                        __FUNCTION__,
+                        chan->remote_cid, chan->params.remote_mtu);
+        exit(-1);
+    }
+    return l2cap_pdu_out(chan->l2cap, chan->remote_cid, len);
+static void l2cap_bframe_submit(struct bt_l2cap_conn_params_s *parms)
+    struct l2cap_chan_s *chan = (struct l2cap_chan_s *) parms;
+    return l2cap_pdu_submit(chan->l2cap);
+#if 0
+/* Stub: Only used if an emulated device requests outgoing flow control */
+static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, int len)
+    struct l2cap_chan_s *chan = (struct l2cap_chan_s *) parm;
+    if (len > chan->params.remote_mtu) {
+        /* TODO: slice into segments and queue each segment as a separate
+         * I-Frame in a FIFO of I-Frames, local to the CID.  */
+    } else {
+        /* TODO: add to the FIFO of I-Frames, local to the CID.  */
+        /* Possibly we need to return a pointer to a contiguous buffer
+         * for now and then memcpy from it into FIFOs in l2cap_iframe_submit
+         * while segmenting at the same time.  */
+    }
+    return 0;
+static void l2cap_iframe_submit(struct bt_l2cap_conn_params_s *parm)
+    /* TODO: If flow control indicates clear to send, start submitting the
+     * invidual I-Frames from the FIFO, but don't remove them from there.
+     * Kick the appropriate timer until we get an S-Frame, and only then
+     * remove from FIFO or resubmit and re-kick the timer if the timer
+     * expired.  */
+static void l2cap_init(struct l2cap_instance_s *l2cap,
+                struct bt_link_s *link, int role)
+    l2cap->link = link;
+    l2cap->role = role;
+    l2cap->dev = (struct bt_l2cap_device_s *)
+            (role ? link->host : link->slave);
+    l2cap->next_id = 1;
+    /* Establish the signalling channel */
+    l2cap->signalling_ch.params.sdu_in = l2cap_cframe_in;
+    l2cap->signalling_ch.params.sdu_out = l2cap_bframe_out;
+    l2cap->signalling_ch.params.sdu_submit = l2cap_bframe_submit;
+    l2cap->signalling_ch.params.opaque = l2cap;
+    l2cap->signalling_ch.params.remote_mtu = 48;
+    l2cap->signalling_ch.remote_cid = L2CAP_CID_SIGNALLING;
+    l2cap->signalling_ch.frame_in = l2cap_bframe_in;
+    l2cap->signalling_ch.mps = 65536;
+    l2cap->signalling_ch.min_mtu = 48;
+    l2cap->signalling_ch.mode = L2CAP_MODE_BASIC;
+    l2cap->signalling_ch.l2cap = l2cap;
+    l2cap->cid[L2CAP_CID_SIGNALLING] = &l2cap->signalling_ch;
+    /* Establish the connection-less data channel */
+    l2cap->group_ch.params.sdu_in = l2cap_gframe_in;
+    l2cap->group_ch.params.opaque = l2cap;
+    l2cap->group_ch.frame_in = l2cap_bframe_in;
+    l2cap->group_ch.mps = 65533;
+    l2cap->group_ch.l2cap = l2cap;
+    l2cap->group_ch.remote_cid = L2CAP_CID_INVALID;
+    l2cap->cid[L2CAP_CID_GROUP] = &l2cap->group_ch;
+static void l2cap_teardown(struct l2cap_instance_s *l2cap, int send_disconnect)
+    int cid;
+    /* Don't send DISCONNECT if we are currently handling a DISCONNECT
+     * sent from the other side.  */
+    if (send_disconnect) {
+        if (l2cap->role)
+            l2cap->dev->device.lmp_disconnect_slave(l2cap->link);
+            /* l2cap->link is invalid from now on.  */
+        else
+            l2cap->dev->device.lmp_disconnect_master(l2cap->link);
+    }
+    for (cid = L2CAP_CID_ALLOC; cid < L2CAP_CID_MAX; cid ++)
+        if (l2cap->cid[cid]) {
+            l2cap->cid[cid]->params.close(l2cap->cid[cid]->params.opaque);
+            free(l2cap->cid[cid]);
+        }
+    if (l2cap->role)
+        qemu_free(l2cap);
+    else
+        qemu_free(l2cap->link);
+/* L2CAP glue to lower layers in bluetooth stack (LMP) */
+static void l2cap_lmp_connection_request(struct bt_link_s *link)
+    struct bt_l2cap_device_s *dev = (struct bt_l2cap_device_s *) link->slave;
+    struct slave_l2cap_instance_s *l2cap;
+    /* Always accept - we only get called if (dev->device->page_scan).  */
+    l2cap = qemu_mallocz(sizeof(struct slave_l2cap_instance_s));
+    l2cap->link.slave = &dev->device;
+    l2cap-> = link->host;
+    l2cap_init(&l2cap->l2cap, &l2cap->link, 0);
+    /* Always at the end */
+    link->host->reject_reason = 0;
+    link->host->lmp_connection_complete(&l2cap->link);
+/* Stub */
+static void l2cap_lmp_connection_complete(struct bt_link_s *link)
+    struct bt_l2cap_device_s *dev = (struct bt_l2cap_device_s *) link->host;
+    struct l2cap_instance_s *l2cap;
+    if (dev->device.reject_reason) {
+        /* Signal to upper layer */
+        return;
+    }
+    l2cap = qemu_mallocz(sizeof(struct l2cap_instance_s));
+    l2cap_init(l2cap, link, 1);
+    link->acl_mode = acl_active;
+    /* Signal to upper layer */
+/* Stub */
+static void l2cap_lmp_disconnect_host(struct bt_link_s *link)
+    struct bt_l2cap_device_s *dev = (struct bt_l2cap_device_s *) link->host;
+    struct l2cap_instance_s *l2cap =
+            /* TODO: Retrieve from upper layer */ (void *) dev;
+    /* Signal to upper layer */
+    l2cap_teardown(l2cap, 0);
+static void l2cap_lmp_disconnect_slave(struct bt_link_s *link)
+    struct slave_l2cap_instance_s *l2cap =
+            (struct slave_l2cap_instance_s *) link;
+    l2cap_teardown(&l2cap->l2cap, 0);
+static void l2cap_lmp_acl_data_slave(struct bt_link_s *link,
+                const uint8_t *data, int start, int len)
+    struct slave_l2cap_instance_s *l2cap =
+            (struct slave_l2cap_instance_s *) link;
+    if (start)
+        l2cap->l2cap.frame_in_len = 0;
+    l2cap_pdu_in(&l2cap->l2cap, data, len);
+/* Stub */
+static void l2cap_lmp_acl_data_host(struct bt_link_s *link,
+                const uint8_t *data, int start, int len)
+    struct bt_l2cap_device_s *dev = (struct bt_l2cap_device_s *) link->host;
+    struct l2cap_instance_s *l2cap =
+            /* TODO: Retrieve from upper layer */ (void *) dev;
+    if (start)
+        l2cap->frame_in_len = 0;
+    l2cap_pdu_in(l2cap, data, len);
+static void l2cap_dummy_destroy(struct bt_device_s *dev)
+    struct bt_l2cap_device_s *l2cap_dev = (struct bt_l2cap_device_s *) dev;
+    bt_l2cap_device_done(l2cap_dev);
+void bt_l2cap_device_init(struct bt_l2cap_device_s *dev,
+                struct bt_scatternet_s *net)
+    bt_device_init(&dev->device, net);
+    dev->device.lmp_connection_request = l2cap_lmp_connection_request;
+    dev->device.lmp_connection_complete = l2cap_lmp_connection_complete;
+    dev->device.lmp_disconnect_master = l2cap_lmp_disconnect_host;
+    dev->device.lmp_disconnect_slave = l2cap_lmp_disconnect_slave;
+    dev->device.lmp_acl_data = l2cap_lmp_acl_data_slave;
+    dev->device.lmp_acl_resp = l2cap_lmp_acl_data_host;
+    dev->device.handle_destroy = l2cap_dummy_destroy;
+void bt_l2cap_device_done(struct bt_l2cap_device_s *dev)
+    bt_device_done(&dev->device);
+    /* Should keep a list of all instances and go through it and
+     * invoke l2cap_teardown() for each.  */
+void bt_l2cap_psm_register(struct bt_l2cap_device_s *dev, int psm, int min_mtu,
+                int (*new_channel)(struct bt_l2cap_device_s *dev,
+                        struct bt_l2cap_conn_params_s *params))
+    struct bt_l2cap_psm_s *new_psm = l2cap_psm(dev, psm);
+    if (new_psm) {
+        fprintf(stderr, "%s: PSM %04x already registered for device `%s'.\n",
+                        __FUNCTION__, psm, dev->device.lmp_name);
+        exit(-1);
+    }
+    new_psm = qemu_mallocz(sizeof(*new_psm));
+    new_psm->psm = psm;
+    new_psm->min_mtu = min_mtu;
+    new_psm->new_channel = new_channel;
+    new_psm->next = dev->first_psm;
+    dev->first_psm = new_psm;
+ * Service Discover Protocol server for QEMU L2CAP devices
+ *
+ * Copyright (C) 2008 Andrzej Zaborowski  <>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+#include "qemu-common.h"
+#include "bt.h"
+struct bt_l2cap_sdp_state_s {
+    struct bt_l2cap_conn_params_s *channel;
+    struct sdp_service_record_s {
+        int match;
+        int *uuid;
+        int uuids;
+        struct sdp_service_attribute_s {
+            int match;
+            int attribute_id;
+            int len;
+            void *pair;
+        } *attribute_list;
+        int attributes;
+    } *service_list;
+    int services;
+static ssize_t sdp_datalen(const uint8_t **element, ssize_t *left)
+    size_t len = *(*element) ++ & SDP_DSIZE_MASK;
+    if (!*left)
+        return -1;
+    (*left) --;
+    if (len < SDP_DSIZE_NEXT1)
+        return 1 << len;
+    else if (len == SDP_DSIZE_NEXT1) {
+        if (*left < 1)
+            return -1;
+        (*left) --;
+        return *(*element) ++;
+    } else if (len == SDP_DSIZE_NEXT2) {
+        if (*left < 2)
+            return -1;
+        (*left) -= 2;
+        len = (*(*element) ++) << 8;
+        return len | (*(*element) ++);
+    } else {
+        if (*left < 4)
+            return -1;
+        (*left) -= 4;
+        len = (*(*element) ++) << 24;
+        len |= (*(*element) ++) << 16;
+        len |= (*(*element) ++) << 8;
+        return len | (*(*element) ++);
+    }
+static const uint8_t bt_base_uuid[12] = {
+    0x00, 0x00, 0x10, 0x00, 0x80, 0x00, 0x00, 0x80, 0x5f, 0x9b, 0x34, 0xfb,
+static int sdp_uuid_match(struct sdp_service_record_s *record,
+                const uint8_t *uuid, ssize_t datalen)
+    int *lo, hi, val;
+    if (datalen == 16 || datalen == 4) {
+        if (datalen == 16 && memcmp(uuid + 4, bt_base_uuid, 12))
+            return 0;
+        if (uuid[0] | uuid[1])
+            return 0;
+        uuid += 2;
+    }
+    val = (uuid[0] << 8) | uuid[1];
+    lo = record->uuid;
+    hi = record->uuids;
+    while (hi >>= 1)
+        if (lo[hi] <= val)
+            lo += hi;
+    return *lo == val;
+#define CONTINUATION_PARAM_SIZE        (1 + sizeof(int))
+#define MAX_PDU_OUT_SIZE       96      /* Arbitrary */
+#define PDU_HEADER_SIZE                5
+static int sdp_svc_match(struct bt_l2cap_sdp_state_s *sdp,
+                const uint8_t **req, ssize_t *len)
+    size_t datalen;
+    int i;
+    if ((**req & ~SDP_DSIZE_MASK) != SDP_DTYPE_UUID)
+        return 1;
+    datalen = sdp_datalen(req, len);
+    if (datalen != 2 && datalen != 4 && datalen != 16)
+        return 1;
+    for (i = 0; i < sdp->services; i ++)
+        if (sdp_uuid_match(&sdp->service_list[i], *req, datalen))
+            sdp->service_list[i].match = 1;
+    (*req) += datalen;
+    (*len) -= datalen;
+    return 0;
+static ssize_t sdp_svc_search(struct bt_l2cap_sdp_state_s *sdp,
+                uint8_t *rsp, const uint8_t *req, ssize_t len)
+    ssize_t seqlen;
+    int i, count, start, end, max;
+    int32_t handle;
+    /* Perform the search */
+    for (i = 0; i < sdp->services; i ++)
+        sdp->service_list[i].match = 0;
+    if (len < 1)
+        return -SDP_INVALID_SYNTAX;
+    if ((*req & ~SDP_DSIZE_MASK) == SDP_DTYPE_SEQ) {
+        seqlen = sdp_datalen(&req, &len);
+        if (seqlen < 3 || len < seqlen)
+            return -SDP_INVALID_SYNTAX;
+        len -= seqlen;
+        while (seqlen)
+            if (sdp_svc_match(sdp, &req, &seqlen))
+                return -SDP_INVALID_SYNTAX;
+    } else if (sdp_svc_match(sdp, &req, &seqlen))
+        return -SDP_INVALID_SYNTAX;
+    if (len < 3)
+        return -SDP_INVALID_SYNTAX;
+    end = (req[0] << 8) | req[1];
+    req += 2;
+    len -= 2;
+    if (*req) {
+        if (len <= sizeof(int))
+            return -SDP_INVALID_SYNTAX;
+        len -= sizeof(int);
+        memcpy(&start, req + 1, sizeof(int));
+    } else
+        start = 0;
+    if (len > 1);
+        return -SDP_INVALID_SYNTAX;
+    /* Output the results */
+    len = 4;
+    count = 0;
+    end = start;
+    for (i = 0; i < sdp->services; i ++)
+        if (sdp->service_list[i].match) {
+            if (count >= start && count < max && len + 4 < MAX_RSP_PARAM_SIZE) {
+                handle = i;
+                memcpy(rsp + len, &handle, 4);
+                len += 4;
+                end = count + 1;
+            }
+            count ++;
+        }
+    rsp[0] = count >> 8;
+    rsp[1] = count & 0xff;
+    rsp[2] = (end - start) >> 8;
+    rsp[3] = (end - start) & 0xff;
+    if (end < count) {
+        rsp[len ++] = sizeof(int);
+        memcpy(rsp + len, &end, sizeof(int));
+        len += 4;
+    } else
+        rsp[len ++] = 0;
+    return len;
+static int sdp_attr_match(struct sdp_service_record_s *record,
+                const uint8_t **req, ssize_t *len)
+    int i, start, end;
+    if (**req == (SDP_DTYPE_UINT | SDP_DSIZE_2)) {
+        (*req) ++;
+        if (*len < 3)
+            return 1;
+        start = (*(*req) ++) << 8;
+        start |= *(*req) ++;
+        end = start;
+        *len -= 3;
+    } else if (**req == (SDP_DTYPE_UINT | SDP_DSIZE_4)) {
+        (*req) ++;
+        if (*len < 5)
+            return 1;
+        start = (*(*req) ++) << 8;
+        start |= *(*req) ++;
+        end = (*(*req) ++) << 8;
+        end |= *(*req) ++;
+        *len -= 5;
+    } else
+        return 1;
+    for (i = 0; i < record->attributes; i ++)
+        if (record->attribute_list[i].attribute_id >= start &&
+                        record->attribute_list[i].attribute_id <= end)
+            record->attribute_list[i].match = 1;
+    return 0;
+static ssize_t sdp_attr_get(struct bt_l2cap_sdp_state_s *sdp,
+                uint8_t *rsp, const uint8_t *req, ssize_t len)
+    ssize_t seqlen;
+    int i, start, end, max;
+    int32_t handle;
+    struct sdp_service_record_s *record;
+    uint8_t *lst;
+    /* Perform the search */
+    if (len < 7)
+        return -SDP_INVALID_SYNTAX;
+    memcpy(&handle, req, 6);
+    req += 4;
+    len -= 4;
+    if (handle < 0 || handle > sdp->services)
+    record = &sdp->service_list[handle];
+    for (i = 0; i < record->attributes; i ++)
+        record->attribute_list[i].match = 0;
+    max = (req[0] << 8) | req[1];
+    req += 2;
+    len -= 2;
+    if (max < 0x0007)
+        return -SDP_INVALID_SYNTAX;
+    if ((*req & ~SDP_DSIZE_MASK) == SDP_DTYPE_SEQ) {
+        seqlen = sdp_datalen(&req, &len);
+        if (seqlen < 3 || len < seqlen)
+            return -SDP_INVALID_SYNTAX;
+        len -= seqlen;
+        while (seqlen)
+            if (sdp_attr_match(record, &req, &seqlen))
+                return -SDP_INVALID_SYNTAX;
+    } else if (sdp_attr_match(record, &req, &seqlen))
+        return -SDP_INVALID_SYNTAX;
+    if (len < 1)
+        return -SDP_INVALID_SYNTAX;
+    if (*req) {
+        if (len <= sizeof(int))
+            return -SDP_INVALID_SYNTAX;
+        len -= sizeof(int);
+        memcpy(&start, req + 1, sizeof(int));
+    } else
+        start = 0;
+    if (len > 1)
+        return -SDP_INVALID_SYNTAX;
+    /* Output the results */
+    lst = rsp + 2;
+    max = MIN(max, MAX_RSP_PARAM_SIZE);
+    len = 3 - start;
+    end = 0;
+    for (i = 0; i < record->attributes; i ++)
+        if (record->attribute_list[i].match) {
+            if (len >= 0 && len + record->attribute_list[i].len < max) {
+                memcpy(lst + len, record->attribute_list[i].pair,
+                                record->attribute_list[i].len);
+                end = len + record->attribute_list[i].len;
+            }
+            len += record->attribute_list[i].len;
+        }
+    if (0 >= start) {
+       lst[0] = SDP_DTYPE_SEQ | SDP_DSIZE_NEXT2;
+       lst[1] = (len + start - 3) >> 8;
+       lst[2] = (len + start - 3) & 0xff;
+    }
+    rsp[0] = end >> 8;
+    rsp[1] = end & 0xff;
+    if (end < len) {
+        len = end + start;
+        lst[end ++] = sizeof(int);
+        memcpy(lst + end, &len, sizeof(int));
+        end += sizeof(int);
+    } else
+        lst[end ++] = 0;
+    return end + 2;
+static int sdp_svc_attr_match(struct bt_l2cap_sdp_state_s *sdp,
+                const uint8_t **req, ssize_t *len)
+    int i, j, start, end;
+    struct sdp_service_record_s *record;
+    if (**req == (SDP_DTYPE_UINT | SDP_DSIZE_2)) {
+        (*req) ++;
+        if (*len < 3)
+            return 1;
+        start = (*(*req) ++) << 8;
+        start |= *(*req) ++;
+        end = start;
+        *len -= 3;
+    } else if (**req == (SDP_DTYPE_UINT | SDP_DSIZE_4)) {
+        (*req) ++;
+        if (*len < 5)
+            return 1;
+        start = (*(*req) ++) << 8;
+        start |= *(*req) ++;
+        end = (*(*req) ++) << 8;
+        end |= *(*req) ++;
+        *len -= 5;
+    } else
+        return 1;
+    for (i = 0; i < sdp->services; i ++)
+        if ((record = &sdp->service_list[i])->match)
+            for (j = 0; j < record->attributes; j ++)
+                if (record->attribute_list[j].attribute_id >= start &&
+                                record->attribute_list[j].attribute_id <= end)
+                    record->attribute_list[j].match = 1;
+    return 0;
+static ssize_t sdp_svc_search_attr_get(struct bt_l2cap_sdp_state_s *sdp,
+                uint8_t *rsp, const uint8_t *req, ssize_t len)
+    ssize_t seqlen;
+    int i, j, start, end, max;
+    struct sdp_service_record_s *record;
+    uint8_t *lst;
+    /* Perform the search */
+    for (i = 0; i < sdp->services; i ++) {
+        sdp->service_list[i].match = 0;
+            for (j = 0; j < sdp->service_list[i].attributes; j ++)
+                sdp->service_list[i].attribute_list[j].match = 0;
+    }
+    if (len < 1)
+        return -SDP_INVALID_SYNTAX;
+    if ((*req & ~SDP_DSIZE_MASK) == SDP_DTYPE_SEQ) {
+        seqlen = sdp_datalen(&req, &len);
+        if (seqlen < 3 || len < seqlen)
+            return -SDP_INVALID_SYNTAX;
+        len -= seqlen;
+        while (seqlen)
+            if (sdp_svc_match(sdp, &req, &seqlen))
+                return -SDP_INVALID_SYNTAX;
+    } else if (sdp_svc_match(sdp, &req, &seqlen))
+        return -SDP_INVALID_SYNTAX;
+    if (len < 3)
+        return -SDP_INVALID_SYNTAX;
+    max = (req[0] << 8) | req[1];
+    req += 2;
+    len -= 2;
+    if (max < 0x0007)
+        return -SDP_INVALID_SYNTAX;
+    if ((*req & ~SDP_DSIZE_MASK) == SDP_DTYPE_SEQ) {
+        seqlen = sdp_datalen(&req, &len);
+        if (seqlen < 3 || len < seqlen)
+            return -SDP_INVALID_SYNTAX;
+        len -= seqlen;
+        while (seqlen)
+            if (sdp_svc_attr_match(sdp, &req, &seqlen))
+                return -SDP_INVALID_SYNTAX;
+    } else if (sdp_svc_attr_match(sdp, &req, &seqlen))
+        return -SDP_INVALID_SYNTAX;
+    if (len < 1)
+        return -SDP_INVALID_SYNTAX;
+    if (*req) {
+        if (len <= sizeof(int))
+            return -SDP_INVALID_SYNTAX;
+        len -= sizeof(int);
+        memcpy(&start, req + 1, sizeof(int));
+    } else
+        start = 0;
+    if (len > 1)
+        return -SDP_INVALID_SYNTAX;
+    /* Output the results */
+    /* This assumes empty attribute lists are never to be returned even
+     * for matching Service Records.  In practice this shouldn't happen
+     * as the requestor will usually include the always present
+     * ServiceRecordHandle AttributeID in AttributeIDList.  */
+    lst = rsp + 2;
+    max = MIN(max, MAX_RSP_PARAM_SIZE);
+    len = 3 - start;
+    end = 0;
+    for (i = 0; i < sdp->services; i ++)
+        if ((record = &sdp->service_list[i])->match) {
+            len += 3;
+            seqlen = len;
+            for (j = 0; j < record->attributes; j ++)
+                if (record->attribute_list[j].match) {
+                    if (len >= 0)
+                        if (len + record->attribute_list[j].len < max) {
+                            memcpy(lst + len, record->attribute_list[j].pair,
+                                            record->attribute_list[j].len);
+                            end = len + record->attribute_list[j].len;
+                        }
+                    len += record->attribute_list[j].len;
+                }
+            if (seqlen == len)
+                len -= 3;
+            else if (seqlen >= 3 && seqlen < max) {
+                lst[seqlen - 3] = SDP_DTYPE_SEQ | SDP_DSIZE_NEXT2;
+                lst[seqlen - 2] = (len - seqlen) >> 8;
+                lst[seqlen - 1] = (len - seqlen) & 0xff;
+            }
+        }
+    if (len == 3 - start)
+        len -= 3;
+    else if (0 >= start) {
+       lst[0] = SDP_DTYPE_SEQ | SDP_DSIZE_NEXT2;
+       lst[1] = (len + start - 3) >> 8;
+       lst[2] = (len + start - 3) & 0xff;
+    }
+    rsp[0] = end >> 8;
+    rsp[1] = end & 0xff;
+    if (end < len) {
+        len = end + start;
+        lst[end ++] = sizeof(int);
+        memcpy(lst + end, &len, sizeof(int));
+        end += sizeof(int);
+    } else
+        lst[end ++] = 0;
+    return end + 2;
+static void bt_l2cap_sdp_sdu_in(void *opaque, const uint8_t *data, int len)
+    struct bt_l2cap_sdp_state_s *sdp = opaque;
+    enum bt_sdp_cmd pdu_id;
+    uint8_t rsp[MAX_PDU_OUT_SIZE - PDU_HEADER_SIZE], *sdu_out;
+    int transaction_id, plen;
+    int err = 0;
+    int rsp_len = 0;
+    if (len < 5) {
+        fprintf(stderr, "%s: short SDP PDU (%iB).\n", __FUNCTION__, len);
+        return;
+    }
+    pdu_id = *data ++;
+    transaction_id = (data[0] << 8) | data[1];
+    plen = (data[2] << 8) | data[3];
+    data += 4;
+    len -= 5;
+    if (len != plen) {
+        fprintf(stderr, "%s: wrong SDP PDU length (%iB != %iB).\n",
+                        __FUNCTION__, plen, len);
+        err = SDP_INVALID_PDU_SIZE;
+        goto respond;
+    }
+    switch (pdu_id) {
+        rsp_len = sdp_svc_search(sdp, rsp, data, len);
+        pdu_id = SDP_SVC_SEARCH_RSP;
+        break;
+    case SDP_SVC_ATTR_REQ:
+        rsp_len = sdp_attr_get(sdp, rsp, data, len);
+        pdu_id = SDP_SVC_ATTR_RSP;
+        break;
+        rsp_len = sdp_svc_search_attr_get(sdp, rsp, data, len);
+        pdu_id = SDP_SVC_SEARCH_ATTR_RSP;
+        break;
+    case SDP_ERROR_RSP:
+    case SDP_SVC_ATTR_RSP:
+    default:
+        fprintf(stderr, "%s: unexpected SDP PDU ID %02x.\n",
+                        __FUNCTION__, pdu_id);
+        err = SDP_INVALID_SYNTAX;
+        break;
+    }
+    if (rsp_len < 0) {
+        err = -rsp_len;
+        rsp_len = 0;
+    }
+    if (err) {
+        pdu_id = SDP_ERROR_RSP;
+        rsp[rsp_len ++] = err >> 8;
+        rsp[rsp_len ++] = err & 0xff;
+    }
+    sdu_out = sdp->channel->sdu_out(sdp->channel, rsp_len + PDU_HEADER_SIZE);
+    sdu_out[0] = pdu_id;
+    sdu_out[1] = transaction_id >> 8;
+    sdu_out[2] = transaction_id & 0xff;
+    sdu_out[3] = rsp_len >> 8;
+    sdu_out[4] = rsp_len & 0xff;
+    memcpy(sdu_out + PDU_HEADER_SIZE, rsp, rsp_len);
+    sdp->channel->sdu_submit(sdp->channel);
+static void bt_l2cap_sdp_close_ch(void *opaque)
+    struct bt_l2cap_sdp_state_s *sdp = opaque;
+    int i;
+    for (i = 0; i < sdp->services; i ++) {
+        qemu_free(sdp->service_list[i].attribute_list->pair);
+        qemu_free(sdp->service_list[i].attribute_list);
+        qemu_free(sdp->service_list[i].uuid);
+    }
+    qemu_free(sdp->service_list);
+    qemu_free(sdp);
+struct sdp_def_service_s {
+    uint16_t class_uuid;
+    struct sdp_def_attribute_s {
+        uint16_t id;
+        struct sdp_def_data_element_s {
+            uint8_t type;
+            union {
+                uint32_t uint;
+                const char *str;
+                struct sdp_def_data_element_s *list;
+            } value;
+        } data;
+    } attributes[];
+/* Calculate a safe byte count to allocate that will store the given
+ * element, at the same time count elements of a UUID type.  */
+static int sdp_attr_max_size(struct sdp_def_data_element_s *element,
+                int *uuids)
+    int type = element->type & ~SDP_DSIZE_MASK;
+    int len;
+    if (type == SDP_DTYPE_UINT || type == SDP_DTYPE_UUID ||
+                    type == SDP_DTYPE_BOOL) {
+        if (type == SDP_DTYPE_UUID)
+            (*uuids) ++;
+        return 1 + (1 << (element->type & SDP_DSIZE_MASK));
+    }
+    if (type == SDP_DTYPE_STRING || type == SDP_DTYPE_URL) {
+        if (element->type & SDP_DSIZE_MASK) {
+            for (len = 0; element->value.str[len] |
+                            element->value.str[len + 1]; len ++);
+            return len;
+        } else
+            return 2 + strlen(element->value.str);
+    }
+    if (type != SDP_DTYPE_SEQ)
+        exit(-1);
+    len = 2;
+    element = element->value.list;
+    while (element->type)
+        len += sdp_attr_max_size(element ++, uuids);
+    if (len > 255)
+        exit (-1);
+    return len;
+static int sdp_attr_write(uint8_t *data,
+                struct sdp_def_data_element_s *element, int **uuid)
+    int type = element->type & ~SDP_DSIZE_MASK;
+    int len = 0;
+    if (type == SDP_DTYPE_UINT || type == SDP_DTYPE_BOOL) {
+        data[len ++] = element->type;
+        if ((element->type & SDP_DSIZE_MASK) == SDP_DSIZE_1)
+            data[len ++] = (element->value.uint >>  0) & 0xff;
+        else if ((element->type & SDP_DSIZE_MASK) == SDP_DSIZE_2) {
+            data[len ++] = (element->value.uint >>  8) & 0xff;
+            data[len ++] = (element->value.uint >>  0) & 0xff;
+        } else if ((element->type & SDP_DSIZE_MASK) == SDP_DSIZE_4) {
+            data[len ++] = (element->value.uint >>  24) & 0xff;
+            data[len ++] = (element->value.uint >>  16) & 0xff;
+            data[len ++] = (element->value.uint >>  8) & 0xff;
+            data[len ++] = (element->value.uint >>  0) & 0xff;
+        }
+        return len;
+    }
+    if (type == SDP_DTYPE_UUID) {
+        *(*uuid) ++ = element->value.uint;
+        data[len ++] = element->type;
+        data[len ++] = (element->value.uint >>  24) & 0xff;
+        data[len ++] = (element->value.uint >>  16) & 0xff;
+        data[len ++] = (element->value.uint >>  8) & 0xff;
+        data[len ++] = (element->value.uint >>  0) & 0xff;
+        memcpy(data + len, bt_base_uuid, 12);
+        return len + 12;
+    }
+    data[0] = type | SDP_DSIZE_NEXT1;
+    if (type == SDP_DTYPE_STRING || type == SDP_DTYPE_URL) {
+        if (element->type & SDP_DSIZE_MASK)
+            for (len = 0; element->value.str[len] |
+                            element->value.str[len + 1]; len ++);
+        else
+            len = strlen(element->value.str);
+        memcpy(data + 2, element->value.str, data[1] = len);
+        return len + 2;
+    }
+    len = 2;
+    element = element->value.list;
+    while (element->type)
+        len += sdp_attr_write(data + len, element ++, uuid);
+    data[1] = len - 2;
+    return len;
+static int sdp_attributeid_compare(const struct sdp_service_attribute_s *a,
+                const struct sdp_service_attribute_s *b)
+    return (int) b->attribute_id - a->attribute_id;
+static int sdp_uuid_compare(const int *a, const int *b)
+    return *a - *b;
+static void sdp_service_record_build(struct sdp_service_record_s *record,
+                struct sdp_def_service_s *def, int handle)
+    int len = 0;
+    uint8_t *data;
+    int *uuid;
+    record->uuids = 0;
+    while (def->attributes[record->attributes].data.type) {
+        len += 3;
+        len += sdp_attr_max_size(&def->attributes[record->attributes ++].data,
+                        &record->uuids);
+    }
+    record->uuids = 1 << ffs(record->uuids - 1);
+    record->attribute_list =
+            qemu_mallocz(record->attributes * sizeof(*record->attribute_list));
+    record->uuid =
+            qemu_mallocz(record->uuids * sizeof(*record->uuid));
+    data = qemu_malloc(len);
+    record->attributes = 0;
+    uuid = record->uuid;
+    while (def->attributes[record->attributes].data.type) {
+        record->attribute_list[record->attributes].pair = data;
+        len = 0;
+        data[len ++] = SDP_DTYPE_UINT | SDP_DSIZE_2;
+        data[len ++] = def->attributes[record->attributes].id >> 8;
+        data[len ++] = def->attributes[record->attributes].id & 0xff;
+        len += sdp_attr_write(data + len,
+                        &def->attributes[record->attributes].data, &uuid);
+        /* Special case: assign a ServiceRecordHandle in sequence */
+        if (def->attributes[record->attributes].id == SDP_ATTR_RECORD_HANDLE)
+            def->attributes[record->attributes].data.value.uint = handle;
+        /* Note: we could also assign a ServiceDescription based on
+         * sdp->device.device->lmp_name.  */
+        record->attribute_list[record->attributes ++].len = len;
+        data += len;
+    }
+    /* Sort the attribute list by the AttributeID */
+    qsort(record->attribute_list, record->attributes,
+                    sizeof(*record->attribute_list),
+                    (void *) sdp_attributeid_compare);
+    /* Sort the searchable UUIDs list for bisection */
+    qsort(record->uuid, record->uuids,
+                    sizeof(*record->uuid),
+                    (void *) sdp_uuid_compare);
+static void sdp_service_db_build(struct bt_l2cap_sdp_state_s *sdp,
+                struct sdp_def_service_s **service)
+    sdp->services = 0;
+    while (service[sdp->services])
+        sdp->services ++;
+    sdp->service_list =
+            qemu_mallocz(sdp->services * sizeof(*sdp->service_list));
+    sdp->services = 0;
+    while (*service) {
+        sdp_service_record_build(&sdp->service_list[sdp->services],
+                        *service, sdp->services);
+        service ++;
+        sdp->services ++;
+    }
+#define LAST { .type = 0 }
+#define SERVICE(name, attrs)                           \
+    static struct sdp_def_service_s glue(glue(sdp_service_, name), _s) = { \
+        .attributes = { attrs { .data = LAST } },      \
+    };
+#define ATTRIBUTE(attrid, val) { .id = glue(SDP_ATTR_, attrid), .data = val },
+#define UINT8(val)     {                               \
+        .type       = SDP_DTYPE_UINT | SDP_DSIZE_1,    \
+        .value.uint = val,                             \
+    },
+#define UINT16(val)    {                               \
+        .type       = SDP_DTYPE_UINT | SDP_DSIZE_2,    \
+        .value.uint = val,                             \
+    },
+#define UINT32(val)    {                               \
+        .type       = SDP_DTYPE_UINT | SDP_DSIZE_4,    \
+        .value.uint = val,                             \
+    },
+#define UUID128(val)   {                               \
+        .type       = SDP_DTYPE_UUID | SDP_DSIZE_16,   \
+        .value.uint = val,                             \
+    },
+#define TRUE   {                               \
+        .type       = SDP_DTYPE_BOOL | SDP_DSIZE_1,    \
+        .value.uint = 1,                               \
+    },
+#define FALSE  {                               \
+        .type       = SDP_DTYPE_BOOL | SDP_DSIZE_1,    \
+        .value.uint = 0,                               \
+    },
+#define STRING(val)    {                               \
+        .type       = SDP_DTYPE_STRING,                        \
+        .value.str  = val,                             \
+    },
+#define ARRAY(...)     {                               \
+        .type       = SDP_DTYPE_STRING | SDP_DSIZE_2,  \
+        .value.str  = (char []) { __VA_ARGS__, 0, 0 }, \
+    },
+#define URL(val)       {                               \
+        .type       = SDP_DTYPE_URL,                   \
+        .value.str  = val,                             \
+    },
+#if 1
+#define LIST(val)      {                               \
+        .type       = SDP_DTYPE_SEQ,                   \
+        .value.list = (struct sdp_def_data_element_s []) { val LAST }, \
+    },
+/* Try to keep each single attribute below MAX_PDU_OUT_SIZE bytes
+ * in resulting SDP data representation size.  */
+    ATTRIBUTE(RECORD_HANDLE,   UINT32(0))      /* Filled in later */
+        LIST(UUID128(HIDP_UUID))
+    ))
+        UINT16(0x656e) UINT16(0x006a) UINT16(0x0100)
+    ))
+        LIST(UUID128(HID_PROFILE_ID) UINT16(0x0100))
+    ))
+    ATTRIBUTE(DOC_URL,         URL(""))
+    /* Profile specific */
+    ATTRIBUTE(DEVICE_RELEASE_NUMBER,   UINT16(0x0091)) /* Deprecated, remove */
+    ATTRIBUTE(PARSER_VERSION,          UINT16(0x0111))
+    /* TODO: extract from l2cap_device->device.class[0] */
+    ATTRIBUTE(COUNTRY_CODE,            UINT8(0x15))
+    /* TODO: extract from hid->usbdev->report_desc */
+        LIST(UINT8(0x22) ARRAY(
+            0x05, 0x01,        /* Usage Page (Generic Desktop) */
+            0x09, 0x06,        /* Usage (Keyboard) */
+            0xa1, 0x01,        /* Collection (Application) */
+            0x75, 0x01,        /*   Report Size (1) */
+            0x95, 0x08,        /*   Report Count (8) */
+            0x05, 0x07,        /*   Usage Page (Key Codes) */
+            0x19, 0xe0,        /*   Usage Minimum (224) */
+            0x29, 0xe7,        /*   Usage Maximum (231) */
+            0x15, 0x00,        /*   Logical Minimum (0) */
+            0x25, 0x01,        /*   Logical Maximum (1) */
+            0x81, 0x02,        /*   Input (Data, Variable, Absolute) */
+            0x95, 0x01,        /*   Report Count (1) */
+            0x75, 0x08,        /*   Report Size (8) */
+            0x81, 0x01,        /*   Input (Constant) */
+            0x95, 0x05,        /*   Report Count (5) */
+            0x75, 0x01,        /*   Report Size (1) */
+            0x05, 0x08,        /*   Usage Page (LEDs) */
+            0x19, 0x01,        /*   Usage Minimum (1) */
+            0x29, 0x05,        /*   Usage Maximum (5) */
+            0x91, 0x02,        /*   Output (Data, Variable, Absolute) */
+            0x95, 0x01,        /*   Report Count (1) */
+            0x75, 0x03,        /*   Report Size (3) */
+            0x91, 0x01,        /*   Output (Constant) */
+            0x95, 0x06,        /*   Report Count (6) */
+            0x75, 0x08,        /*   Report Size (8) */
+            0x15, 0x00,        /*   Logical Minimum (0) */
+            0x25, 0xff,        /*   Logical Maximum (255) */
+            0x05, 0x07,        /*   Usage Page (Key Codes) */
+            0x19, 0x00,        /*   Usage Minimum (0) */
+            0x29, 0xff,        /*   Usage Maximum (255) */
+            0x81, 0x00,        /*   Input (Data, Array) */
+            0xc0       /* End Collection */
+    ))))
+        LIST(UINT16(0x0409) UINT16(0x0100))
+    ))
+    ATTRIBUTE(BOOT_DEVICE,             TRUE)   /* XXX: untested */
+    ATTRIBUTE(PROFILE_VERSION,         UINT16(0x0100))
+    ATTRIBUTE(RECORD_HANDLE,   UINT32(0))      /* Filled in later */
+        LIST(UUID128(SDP_UUID))
+    ))
+        UINT16(0x656e) UINT16(0x006a) UINT16(0x0100)
+    ))
+        LIST(UUID128(SDP_SERVER_PROFILE_ID) UINT16(0x0100))
+    ))
+    ATTRIBUTE(DOC_URL,         URL(""))
+    /* Profile specific */
+    ATTRIBUTE(RECORD_HANDLE,   UINT32(0))      /* Filled in later */
+        LIST(UUID128(SDP_UUID))
+    ))
+        UINT16(0x656e) UINT16(0x006a) UINT16(0x0100)
+    ))
+        LIST(UUID128(PNP_INFO_PROFILE_ID) UINT16(0x0100))
+    ))
+    ATTRIBUTE(DOC_URL,         URL(""))
+    /* Profile specific */
+    ATTRIBUTE(VERSION,         UINT16(0x0100))
+static int bt_l2cap_sdp_new_ch(struct bt_l2cap_device_s *dev,
+                struct bt_l2cap_conn_params_s *params)
+    struct bt_l2cap_sdp_state_s *sdp = qemu_mallocz(sizeof(*sdp));
+    struct sdp_def_service_s *services[] = {
+        &sdp_service_sdp_s,
+        &sdp_service_hid_s,
+        &sdp_service_pnp_s,
+        0,
+    };
+    sdp->channel = params;
+    sdp->channel->opaque = sdp;
+    sdp->channel->close = bt_l2cap_sdp_close_ch;
+    sdp->channel->sdu_in = bt_l2cap_sdp_sdu_in;
+    sdp_service_db_build(sdp, services);
+    return 0;
+void bt_l2cap_sdp_init(struct bt_l2cap_device_s *dev)
+    bt_l2cap_psm_register(dev, BT_PSM_SDP,
+                    MAX_PDU_OUT_SIZE, bt_l2cap_sdp_new_ch);
 qemu_irq *csrhci_pins_get(CharDriverState *chr);
 CharDriverState *uart_hci_init(qemu_irq wakeup);
+/* bt-l2cap.c */
+struct bt_l2cap_device_s;
+struct bt_l2cap_conn_params_s;
+struct bt_l2cap_psm_s;
+void bt_l2cap_device_init(struct bt_l2cap_device_s *dev,
+                struct bt_scatternet_s *net);
+void bt_l2cap_device_done(struct bt_l2cap_device_s *dev);
+void bt_l2cap_psm_register(struct bt_l2cap_device_s *dev, int psm,
+                int min_mtu, int (*new_channel)(struct bt_l2cap_device_s *dev,
+                        struct bt_l2cap_conn_params_s *params));
+struct bt_l2cap_device_s {
+    struct bt_device_s device;
+    struct bt_l2cap_psm_s *first_psm;
+struct bt_l2cap_conn_params_s {
+    /* Input */
+    uint8_t *(*sdu_out)(struct bt_l2cap_conn_params_s *chan, int len);
+    void (*sdu_submit)(struct bt_l2cap_conn_params_s *chan);
+    int remote_mtu;
+    /* Output */
+    void *opaque;
+    void (*sdu_in)(void *opaque, const uint8_t *data, int len);
+    void (*close)(void *opaque);
+enum bt_l2cap_psm_predef {
+    BT_PSM_SDP         = 0x0001,
+    BT_PSM_RFCOMM      = 0x0003,
+    BT_PSM_TELEPHONY   = 0x0005,
+    BT_PSM_TCS         = 0x0007,
+    BT_PSM_BNEP                = 0x000f,
+    BT_PSM_HID_CTRL    = 0x0011,
+    BT_PSM_HID_INTR    = 0x0013,
+    BT_PSM_UPNP                = 0x0015,
+    BT_PSM_AVCTP       = 0x0017,
+    BT_PSM_AVDTP       = 0x0019,
+/* bt-sdp.c */
+void bt_l2cap_sdp_init(struct bt_l2cap_device_s *dev);
 /* Link Management Protocol layer defines */
 #define LLID_ACLU_CONT         0x1
@@ -1626,3 +1669,512 @@ struct hci_sco_hdr {
     uint16_t   handle;
     uint8_t    dlen;
 } __attribute__ ((packed));
+/* L2CAP layer defines */
+enum bt_l2cap_lm_bits {
+    L2CAP_LM_MASTER    = 1 << 0,
+    L2CAP_LM_AUTH      = 1 << 1,
+    L2CAP_LM_ENCRYPT   = 1 << 2,
+    L2CAP_LM_TRUSTED   = 1 << 3,
+    L2CAP_LM_RELIABLE  = 1 << 4,
+    L2CAP_LM_SECURE    = 1 << 5,
+enum bt_l2cap_cid_predef {
+    L2CAP_CID_INVALID  = 0x0000,
+    L2CAP_CID_SIGNALLING= 0x0001,
+    L2CAP_CID_GROUP    = 0x0002,
+    L2CAP_CID_ALLOC    = 0x0040,
+/* L2CAP command codes */
+enum bt_l2cap_cmd {
+    L2CAP_COMMAND_REJ  = 1,
+enum bt_l2cap_sar_bits {
+    L2CAP_SAR_NO_SEG   = 0,
+/* L2CAP structures */
+typedef struct {
+    uint16_t   len;
+    uint16_t   cid;
+    uint8_t    data[0];
+} __attribute__ ((packed)) l2cap_hdr;
+#define L2CAP_HDR_SIZE 4
+typedef struct {
+    uint8_t    code;
+    uint8_t    ident;
+    uint16_t   len;
+} __attribute__ ((packed)) l2cap_cmd_hdr;
+#define L2CAP_CMD_HDR_SIZE 4
+typedef struct {
+    uint16_t   reason;
+} __attribute__ ((packed)) l2cap_cmd_rej;
+#define L2CAP_CMD_REJ_SIZE 2
+typedef struct {
+    uint16_t   dcid;
+    uint16_t   scid;
+} __attribute__ ((packed)) l2cap_cmd_rej_cid;
+/* reject reason */
+enum bt_l2cap_rej_reason {
+typedef struct {
+    uint16_t   psm;
+    uint16_t   scid;
+} __attribute__ ((packed)) l2cap_conn_req;
+#define L2CAP_CONN_REQ_SIZE 4
+typedef struct {
+    uint16_t   dcid;
+    uint16_t   scid;
+    uint16_t   result;
+    uint16_t   status;
+} __attribute__ ((packed)) l2cap_conn_rsp;
+#define L2CAP_CONN_RSP_SIZE 8
+/* connect result */
+enum bt_l2cap_conn_res {
+    L2CAP_CR_SUCCESS   = 0,
+/* connect status */
+enum bt_l2cap_conn_stat {
+    L2CAP_CS_NO_INFO   = 0,
+typedef struct {
+    uint16_t   dcid;
+    uint16_t   flags;
+    uint8_t    data[0];
+} __attribute__ ((packed)) l2cap_conf_req;
+#define L2CAP_CONF_REQ_SIZE(datalen) (4 + (datalen))
+typedef struct {
+    uint16_t   scid;
+    uint16_t   flags;
+    uint16_t   result;
+    uint8_t    data[0];
+} __attribute__ ((packed)) l2cap_conf_rsp;
+#define L2CAP_CONF_RSP_SIZE(datalen) (6 + datalen)
+enum bt_l2cap_conf_res {
+typedef struct {
+    uint8_t    type;
+    uint8_t    len;
+    uint8_t    val[0];
+} __attribute__ ((packed)) l2cap_conf_opt;
+#define L2CAP_CONF_OPT_SIZE 2
+enum bt_l2cap_conf_val {
+    L2CAP_CONF_MTU     = 1,
+typedef struct {
+    uint8_t    flags;
+    uint8_t    service_type;
+    uint32_t   token_rate;
+    uint32_t   token_bucket_size;
+    uint32_t   peak_bandwidth;
+    uint32_t   latency;
+    uint32_t   delay_variation;
+} __attribute__ ((packed)) l2cap_conf_opt_qos;
+enum bt_l2cap_conf_opt_qos_st {
+#define L2CAP_CONF_QOS_WILDCARD        0xffffffff
+enum bt_l2cap_mode {
+    L2CAP_MODE_BASIC   = 0,
+typedef struct {
+    uint16_t   dcid;
+    uint16_t   scid;
+} __attribute__ ((packed)) l2cap_disconn_req;
+typedef struct {
+    uint16_t   dcid;
+    uint16_t   scid;
+} __attribute__ ((packed)) l2cap_disconn_rsp;
+typedef struct {
+    uint16_t   type;
+} __attribute__ ((packed)) l2cap_info_req;
+#define L2CAP_INFO_REQ_SIZE 2
+typedef struct {
+    uint16_t   type;
+    uint16_t   result;
+    uint8_t    data[0];
+} __attribute__ ((packed)) l2cap_info_rsp;
+#define L2CAP_INFO_RSP_SIZE 4
+/* info type */
+enum bt_l2cap_info_type {
+    L2CAP_IT_CL_MTU    = 1,
+/* info result */
+enum bt_l2cap_info_result {
+    L2CAP_IR_SUCCESS   = 0,
+/* Service Discovery Protocol defines */
+/* Note that all multibyte values in lower layer protocols (above in this file)
+ * are little-endian while SDP is big-endian.  */
+/* Protocol UUIDs */
+enum sdp_proto_uuid {
+    SDP_UUID           = 0x0001,
+    UDP_UUID           = 0x0002,
+    RFCOMM_UUID                = 0x0003,
+    TCP_UUID           = 0x0004,
+    TCS_BIN_UUID       = 0x0005,
+    TCS_AT_UUID                = 0x0006,
+    OBEX_UUID          = 0x0008,
+    IP_UUID            = 0x0009,
+    FTP_UUID           = 0x000a,
+    HTTP_UUID          = 0x000c,
+    WSP_UUID           = 0x000e,
+    BNEP_UUID          = 0x000f,
+    UPNP_UUID          = 0x0010,
+    HIDP_UUID          = 0x0011,
+    HCRP_CTRL_UUID     = 0x0012,
+    HCRP_DATA_UUID     = 0x0014,
+    HCRP_NOTE_UUID     = 0x0016,
+    AVCTP_UUID         = 0x0017,
+    AVDTP_UUID         = 0x0019,
+    CMTP_UUID          = 0x001b,
+    UDI_UUID           = 0x001d,
+    MCAP_CTRL_UUID     = 0x001e,
+    MCAP_DATA_UUID     = 0x001f,
+    L2CAP_UUID         = 0x0100,
+ * Service class identifiers of standard services and service groups
+ */
+enum service_class_id {
+    SDP_SERVER_SVCLASS_ID              = 0x1000,
+    BROWSE_GRP_DESC_SVCLASS_ID         = 0x1001,
+    PUBLIC_BROWSE_GROUP                        = 0x1002,
+    SERIAL_PORT_SVCLASS_ID             = 0x1101,
+    LAN_ACCESS_SVCLASS_ID              = 0x1102,
+    DIALUP_NET_SVCLASS_ID              = 0x1103,
+    IRMC_SYNC_SVCLASS_ID               = 0x1104,
+    OBEX_OBJPUSH_SVCLASS_ID            = 0x1105,
+    OBEX_FILETRANS_SVCLASS_ID          = 0x1106,
+    IRMC_SYNC_CMD_SVCLASS_ID           = 0x1107,
+    HEADSET_SVCLASS_ID                 = 0x1108,
+    AUDIO_SOURCE_SVCLASS_ID            = 0x110a,
+    AUDIO_SINK_SVCLASS_ID              = 0x110b,
+    AV_REMOTE_TARGET_SVCLASS_ID                = 0x110c,
+    ADVANCED_AUDIO_SVCLASS_ID          = 0x110d,
+    AV_REMOTE_SVCLASS_ID               = 0x110e,
+    VIDEO_CONF_SVCLASS_ID              = 0x110f,
+    INTERCOM_SVCLASS_ID                        = 0x1110,
+    FAX_SVCLASS_ID                     = 0x1111,
+    HEADSET_AGW_SVCLASS_ID             = 0x1112,
+    WAP_SVCLASS_ID                     = 0x1113,
+    WAP_CLIENT_SVCLASS_ID              = 0x1114,
+    PANU_SVCLASS_ID                    = 0x1115,
+    NAP_SVCLASS_ID                     = 0x1116,
+    GN_SVCLASS_ID                      = 0x1117,
+    DIRECT_PRINTING_SVCLASS_ID         = 0x1118,
+    IMAGING_SVCLASS_ID                 = 0x111a,
+    IMAGING_ARCHIVE_SVCLASS_ID         = 0x111c,
+    IMAGING_REFOBJS_SVCLASS_ID         = 0x111d,
+    HANDSFREE_SVCLASS_ID               = 0x111e,
+    HANDSFREE_AGW_SVCLASS_ID           = 0x111f,
+    REFLECTED_UI_SVCLASS_ID            = 0x1121,
+    BASIC_PRINTING_SVCLASS_ID          = 0x1122,
+    PRINTING_STATUS_SVCLASS_ID         = 0x1123,
+    HID_SVCLASS_ID                     = 0x1124,
+    HCR_SVCLASS_ID                     = 0x1125,
+    HCR_PRINT_SVCLASS_ID               = 0x1126,
+    HCR_SCAN_SVCLASS_ID                        = 0x1127,
+    CIP_SVCLASS_ID                     = 0x1128,
+    VIDEO_CONF_GW_SVCLASS_ID           = 0x1129,
+    UDI_MT_SVCLASS_ID                  = 0x112a,
+    UDI_TA_SVCLASS_ID                  = 0x112b,
+    AV_SVCLASS_ID                      = 0x112c,
+    SAP_SVCLASS_ID                     = 0x112d,
+    PBAP_PCE_SVCLASS_ID                        = 0x112e,
+    PBAP_PSE_SVCLASS_ID                        = 0x112f,
+    PBAP_SVCLASS_ID                    = 0x1130,
+    PNP_INFO_SVCLASS_ID                        = 0x1200,
+    GENERIC_AUDIO_SVCLASS_ID           = 0x1203,
+    UPNP_SVCLASS_ID                    = 0x1205,
+    UPNP_IP_SVCLASS_ID                 = 0x1206,
+    UPNP_PAN_SVCLASS_ID                        = 0x1300,
+    UPNP_LAP_SVCLASS_ID                        = 0x1301,
+    UPNP_L2CAP_SVCLASS_ID              = 0x1302,
+    VIDEO_SOURCE_SVCLASS_ID            = 0x1303,
+    VIDEO_SINK_SVCLASS_ID              = 0x1304,
+    MDP_SVCLASS_ID                     = 0x1400,
+    MDP_SOURCE_SVCLASS_ID              = 0x1401,
+    MDP_SINK_SVCLASS_ID                        = 0x1402,
+    APPLE_AGENT_SVCLASS_ID             = 0x2112,
+ * Standard profile descriptor identifiers; note these
+ * may be identical to some of the service classes defined above
+ */
+#define FAX_PROFILE_ID                 FAX_SVCLASS_ID
+#define WAP_PROFILE_ID                 WAP_SVCLASS_ID
+#define PANU_PROFILE_ID                        PANU_SVCLASS_ID
+#define NAP_PROFILE_ID                 NAP_SVCLASS_ID
+#define GN_PROFILE_ID                  GN_SVCLASS_ID
+#define HID_PROFILE_ID                 HID_SVCLASS_ID
+#define HCR_PROFILE_ID                 HCR_SCAN_SVCLASS_ID
+#define CIP_PROFILE_ID                 CIP_SVCLASS_ID
+#define UDI_MT_PROFILE_ID              UDI_MT_SVCLASS_ID
+#define UDI_TA_PROFILE_ID              UDI_TA_SVCLASS_ID
+#define AV_PROFILE_ID                  AV_SVCLASS_ID
+#define SAP_PROFILE_ID                 SAP_SVCLASS_ID
+#define PBAP_PROFILE_ID                        PBAP_SVCLASS_ID
+#define UPNP_PROFILE_ID                        UPNP_SVCLASS_ID
+#define MDP_PROFILE_ID                 MDP_SVCLASS_ID
+/* Data Representation */
+enum bt_sdp_data_type {
+    SDP_DTYPE_NIL      = 0 << 3,
+    SDP_DTYPE_UINT     = 1 << 3,
+    SDP_DTYPE_SINT     = 2 << 3,
+    SDP_DTYPE_UUID     = 3 << 3,
+    SDP_DTYPE_STRING   = 4 << 3,
+    SDP_DTYPE_BOOL     = 5 << 3,
+    SDP_DTYPE_SEQ      = 6 << 3,
+    SDP_DTYPE_ALT      = 7 << 3,
+    SDP_DTYPE_URL      = 8 << 3,
+enum bt_sdp_data_size {
+    SDP_DSIZE_1                = 0,
+    SDP_DSIZE_2,
+    SDP_DSIZE_4,
+    SDP_DSIZE_8,
+    SDP_DSIZE_16,
+enum bt_sdp_cmd {
+    SDP_ERROR_RSP              = 0x01,
+    SDP_SVC_SEARCH_REQ         = 0x02,
+    SDP_SVC_SEARCH_RSP         = 0x03,
+    SDP_SVC_ATTR_REQ           = 0x04,
+    SDP_SVC_ATTR_RSP           = 0x05,
+    SDP_SVC_SEARCH_ATTR_REQ    = 0x06,
+    SDP_SVC_SEARCH_ATTR_RSP    = 0x07,
+enum bt_sdp_errorcode {
+    SDP_INVALID_VERSION                = 0x0001,
+    SDP_INVALID_SYNTAX         = 0x0003,
+    SDP_INVALID_PDU_SIZE       = 0x0004,
+    SDP_INVALID_CSTATE         = 0x0005,
+ * String identifiers are based on the SDP spec stating that
+ * "base attribute id of the primary (universal) language must be 0x0100"
+ *
+ * Other languages should have their own offset; e.g.:
+ * #define XXXLangBase yyyy
+ * #define AttrServiceName_XXX 0x0000+XXXLangBase
+ */
+#define SDP_PRIMARY_LANG_BASE          0x0100
+enum bt_sdp_attribute_id {
+    SDP_ATTR_RECORD_HANDLE                     = 0x0000,
+    SDP_ATTR_SVCLASS_ID_LIST                   = 0x0001,
+    SDP_ATTR_RECORD_STATE                      = 0x0002,
+    SDP_ATTR_SERVICE_ID                                = 0x0003,
+    SDP_ATTR_PROTO_DESC_LIST                   = 0x0004,
+    SDP_ATTR_BROWSE_GRP_LIST                   = 0x0005,
+    SDP_ATTR_LANG_BASE_ATTR_ID_LIST            = 0x0006,
+    SDP_ATTR_SVCINFO_TTL                       = 0x0007,
+    SDP_ATTR_SERVICE_AVAILABILITY              = 0x0008,
+    SDP_ATTR_PFILE_DESC_LIST                   = 0x0009,
+    SDP_ATTR_DOC_URL                           = 0x000a,
+    SDP_ATTR_CLNT_EXEC_URL                     = 0x000b,
+    SDP_ATTR_ICON_URL                          = 0x000c,
+    SDP_ATTR_ADD_PROTO_DESC_LIST               = 0x000d,
+    SDP_ATTR_GROUP_ID                          = 0x0200,
+    SDP_ATTR_IP_SUBNET                         = 0x0200,
+    /* SDP */
+    SDP_ATTR_VERSION_NUM_LIST                  = 0x0200,
+    SDP_ATTR_SVCDB_STATE                       = 0x0201,
+    SDP_ATTR_SERVICE_VERSION                   = 0x0300,
+    SDP_ATTR_EXTERNAL_NETWORK                  = 0x0301,
+    SDP_ATTR_SUPPORTED_DATA_STORES_LIST                = 0x0301,
+    SDP_ATTR_FAX_CLASS1_SUPPORT                        = 0x0302,
+    SDP_ATTR_FAX_CLASS20_SUPPORT               = 0x0303,
+    SDP_ATTR_SUPPORTED_FORMATS_LIST            = 0x0303,
+    SDP_ATTR_FAX_CLASS2_SUPPORT                        = 0x0304,
+    SDP_ATTR_AUDIO_FEEDBACK_SUPPORT            = 0x0305,
+    SDP_ATTR_NETWORK_ADDRESS                   = 0x0306,
+    SDP_ATTR_WAP_GATEWAY                       = 0x0307,
+    SDP_ATTR_HOMEPAGE_URL                      = 0x0308,
+    SDP_ATTR_WAP_STACK_TYPE                    = 0x0309,
+    SDP_ATTR_SECURITY_DESC                     = 0x030a,
+    SDP_ATTR_NET_ACCESS_TYPE                   = 0x030b,
+    SDP_ATTR_MAX_NET_ACCESSRATE                        = 0x030c,
+    SDP_ATTR_IP4_SUBNET                                = 0x030d,
+    SDP_ATTR_IP6_SUBNET                                = 0x030e,
+    SDP_ATTR_SUPPORTED_CAPABILITIES            = 0x0310,
+    SDP_ATTR_SUPPORTED_FEATURES                        = 0x0311,
+    SDP_ATTR_SUPPORTED_FUNCTIONS               = 0x0312,
+    SDP_ATTR_SUPPORTED_REPOSITORIES            = 0x0314,
+    /* PnP Information */
+    SDP_ATTR_SPECIFICATION_ID                  = 0x0200,
+    SDP_ATTR_VENDOR_ID                         = 0x0201,
+    SDP_ATTR_PRODUCT_ID                                = 0x0202,
+    SDP_ATTR_VERSION                           = 0x0203,
+    SDP_ATTR_PRIMARY_RECORD                    = 0x0204,
+    SDP_ATTR_VENDOR_ID_SOURCE                  = 0x0205,
+    /* BT HID */
+    SDP_ATTR_DEVICE_RELEASE_NUMBER             = 0x0200,
+    SDP_ATTR_PARSER_VERSION                    = 0x0201,
+    SDP_ATTR_DEVICE_SUBCLASS                   = 0x0202,
+    SDP_ATTR_COUNTRY_CODE                      = 0x0203,
+    SDP_ATTR_VIRTUAL_CABLE                     = 0x0204,
+    SDP_ATTR_RECONNECT_INITIATE                        = 0x0205,
+    SDP_ATTR_DESCRIPTOR_LIST                   = 0x0206,
+    SDP_ATTR_LANG_ID_BASE_LIST                 = 0x0207,
+    SDP_ATTR_SDP_DISABLE                       = 0x0208,
+    SDP_ATTR_BATTERY_POWER                     = 0x0209,
+    SDP_ATTR_REMOTE_WAKEUP                     = 0x020a,
+    SDP_ATTR_PROFILE_VERSION                   = 0x020b,
+    SDP_ATTR_SUPERVISION_TIMEOUT               = 0x020c,
+    SDP_ATTR_NORMALLY_CONNECTABLE              = 0x020d,
+    SDP_ATTR_BOOT_DEVICE                       = 0x020e,