tech-net archive


Re: IWN driver (5000 & 5100 series)



On Tue, Mar 17, 2009 at 09:53:34PM +0100, Nicolas wrote:
> Manuel: can you post your patch ?

Here it is. It's against netbsd-5.

Remember it's not functional. The kernel builds and boots; at
'ifconfig up' the firmware dies.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--
Index: if_iwn.c
===================================================================
RCS file: /cvsroot/src/sys/dev/pci/if_iwn.c,v
retrieving revision 1.22.4.3
diff -u -p -u -r1.22.4.3 if_iwn.c
--- if_iwn.c    15 Nov 2008 03:13:51 -0000      1.22.4.3
+++ if_iwn.c    19 Mar 2009 19:54:00 -0000
@@ -1,7 +1,8 @@
-/*     $NetBSD: if_iwn.c,v 1.22.4.3 2008/11/15 03:13:51 snj Exp $      */
+/*     $NetBSD: if_iwn.c,v 1.46 2009/01/26 19:18:52 damien Exp $       */
+/*     OpenBSD: if_iwn.c,v 1.46 2009/01/26 19:18:52 damien Exp         */
 
 /*-
- * Copyright (c) 2007
+ * Copyright (c) 2007, 2008
  *     Damien Bergamini <damien.bergamini%free.fr@localhost>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -17,14 +18,15 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_iwn.c,v 1.22.4.3 2008/11/15 03:13:51 snj Exp 
$");
-
-
 /*
- * Driver for Intel Wireless WiFi Link 4965AGN 802.11 network adapters.
+ * Driver for Intel Wireless WiFi Link 4965 and Intel WiFi Link 5000 Series
+ * 802.11 network adapters.
  */
 
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: if_iwn.c,v 1.1 2008/02/09 12:25:43 ober Exp $");
+
 #include "bpfilter.h"
 
 #include <sys/param.h>
@@ -75,7 +77,15 @@ __KERNEL_RCSID(0, "$NetBSD: if_iwn.c,v 1
 #if 0
 static const struct pci_matchid iwn_devices[] = {
        { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_4965AGN_1 },
-       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_4965AGN_2 }
+       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_4965AGN_2 },
+       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_5100AGN_1 },
+       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_5100AGN_2 },
+       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_5150AGN_1 },
+       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_5150AGN_2 },
+       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_5300AGN_1 },
+       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_5300AGN_2 },
+       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_5350AGN_1 },
+       { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_PRO_WL_5350AGN_2 }
 };
 #endif
 
@@ -86,143 +96,247 @@ static const struct ieee80211_rateset iw
        { 8, { 12, 18, 24, 36, 48, 72, 96, 108 } };
 
 static const struct ieee80211_rateset iwn_rateset_11b =
-       { 4, { 2, 4, 11, 22 } };
+       { 4, { 2, 4, 11, 22 } };        
 
 static const struct ieee80211_rateset iwn_rateset_11g =
-       { 12, { 2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108 } };
+       { 12, { 2, 4, 11, 22, 12, 18, 24, 36, 48, 72, 96, 108 } };      
 
 
-#define EDCA_NUM_AC    4
-static int             iwn_match(device_t , struct cfdata *, void *);
-static void            iwn_attach(device_t , device_t, void *);
-static int             iwn_detach(device_t, int);
-
-static void            iwn_radiotap_attach(struct iwn_softc *);
-static int             iwn_dma_contig_alloc(bus_dma_tag_t, struct iwn_dma_info 
*,
-    void **, bus_size_t, bus_size_t, int);
-static void            iwn_dma_contig_free(struct iwn_dma_info *);
-static int             iwn_alloc_shared(struct iwn_softc *);
-static void            iwn_free_shared(struct iwn_softc *);
-static int             iwn_alloc_kw(struct iwn_softc *);
-static void            iwn_free_kw(struct iwn_softc *);
-static int             iwn_alloc_fwmem(struct iwn_softc *);
-static void            iwn_free_fwmem(struct iwn_softc *);
-static struct          iwn_rbuf *iwn_alloc_rbuf(struct iwn_softc *);
-static void            iwn_free_rbuf(struct mbuf *, void *, size_t, void *);
-static int             iwn_alloc_rpool(struct iwn_softc *);
-static void            iwn_free_rpool(struct iwn_softc *);
-static int             iwn_alloc_rx_ring(struct iwn_softc *, struct 
iwn_rx_ring *);
-static void            iwn_reset_rx_ring(struct iwn_softc *, struct 
iwn_rx_ring *);
-static void            iwn_free_rx_ring(struct iwn_softc *, struct iwn_rx_ring 
*);
-static int             iwn_alloc_tx_ring(struct iwn_softc *, struct 
iwn_tx_ring *,
-    int, int);
-static void            iwn_reset_tx_ring(struct iwn_softc *, struct 
iwn_tx_ring *);
-static void            iwn_free_tx_ring(struct iwn_softc *, struct iwn_tx_ring 
*);
-static struct          ieee80211_node *iwn_node_alloc(struct 
ieee80211_node_table *);
-static void            iwn_newassoc(struct ieee80211_node *, int);
-static int             iwn_media_change(struct ifnet *);
-static int             iwn_newstate(struct ieee80211com *, enum 
ieee80211_state, int);
-static void            iwn_mem_lock(struct iwn_softc *);
-static void            iwn_mem_unlock(struct iwn_softc *);
-static uint32_t iwn_mem_read(struct iwn_softc *, uint32_t);
-static void            iwn_mem_write(struct iwn_softc *, uint32_t, uint32_t);
-static void            iwn_mem_write_region_4(struct iwn_softc *, uint32_t,
-    const uint32_t *, int);
-static int             iwn_eeprom_lock(struct iwn_softc *);
-static void            iwn_eeprom_unlock(struct iwn_softc *);
-static int             iwn_read_prom_data(struct iwn_softc *, uint32_t, void 
*, int);
-static int             iwn_load_microcode(struct iwn_softc *, const uint8_t *, 
int);
-static int             iwn_load_firmware(struct iwn_softc *);
-static void            iwn_calib_timeout(void *);
-static void            iwn_iter_func(void *, struct ieee80211_node *);
-static void            iwn_ampdu_rx_start(struct iwn_softc *, struct 
iwn_rx_desc *);
-static void            iwn_rx_intr(struct iwn_softc *, struct iwn_rx_desc *,
-    struct iwn_rx_data *);
-static void            iwn_rx_statistics(struct iwn_softc *, struct 
iwn_rx_desc *);
-static void            iwn_tx_intr(struct iwn_softc *, struct iwn_rx_desc *);
-static void            iwn_cmd_intr(struct iwn_softc *, struct iwn_rx_desc *);
-static void            iwn_notif_intr(struct iwn_softc *);
-static int             iwn_intr(void *);
-static void            iwn_read_eeprom(struct iwn_softc *);
-static void            iwn_read_eeprom_channels(struct iwn_softc *, int);
-static uint8_t         iwn_plcp_signal(int);
-static int             iwn_tx_data(struct iwn_softc *, struct mbuf *,
-    struct ieee80211_node *, int);
-static void            iwn_start(struct ifnet *);
-static void            iwn_watchdog(struct ifnet *);
-static int             iwn_ioctl(struct ifnet *, u_long, void *);
-static int             iwn_cmd(struct iwn_softc *, int, const void *, int, 
int);
-static int             iwn_wme_update(struct ieee80211com *);
-static int             iwn_setup_node_mrr(struct iwn_softc *, uint8_t, int);
-static void            iwn_set_led(struct iwn_softc *, uint8_t, uint8_t, 
uint8_t);
-static int             iwn_set_critical_temp(struct iwn_softc *);
-static void            iwn_enable_tsf(struct iwn_softc *, struct 
ieee80211_node *);
-static void            iwn_power_calibration(struct iwn_softc *, int);
-static int             iwn_set_txpower(struct iwn_softc *,
-    struct ieee80211_channel *, int);
-static int             iwn_get_rssi(const struct iwn_rx_stat *);
-static int             iwn_get_noise(const struct iwn_rx_general_stats *);
-static int             iwn_get_temperature(struct iwn_softc *);
-static int             iwn_init_sensitivity(struct iwn_softc *);
-static void            iwn_compute_differential_gain(struct iwn_softc *,
-    const struct iwn_rx_general_stats *);
-static void            iwn_tune_sensitivity(struct iwn_softc *,
-    const struct iwn_rx_stats *);
-static int             iwn_send_sensitivity(struct iwn_softc *);
-static int             iwn_setup_beacon(struct iwn_softc *, struct 
ieee80211_node *);
-static int             iwn_auth(struct iwn_softc *);
-static int             iwn_run(struct iwn_softc *);
-static int             iwn_scan(struct iwn_softc *, uint16_t);
-static int             iwn_config(struct iwn_softc *);
-static void            iwn_post_alive(struct iwn_softc *);
-static void            iwn_stop_master(struct iwn_softc *);
-static int             iwn_reset(struct iwn_softc *);
-static void            iwn_hw_config(struct iwn_softc *);
-static int             iwn_init(struct ifnet *);
-static void            iwn_stop(struct ifnet *, int);
-static void            iwn_fix_channel(struct ieee80211com *, struct mbuf *);
-static bool            iwn_resume(device_t PMF_FN_PROTO);
-static int             iwn_add_node(struct iwn_softc *sc,
-                                    struct ieee80211_node *ni, bool broadcast, 
bool async, uint32_t htflags);
-
+static int     iwn_match(device_t , struct cfdata *, void *);  
+static void    iwn_attach(device_t , device_t, void *);
+static int     iwn_detach(device_t, int);
+
+const struct   iwn_hal *iwn_hal_attach(struct iwn_softc *);
+static int     iwn_nic_lock(struct iwn_softc *);
+static int     iwn_eeprom_lock(struct iwn_softc *);
+static int     iwn_read_prom_data(struct iwn_softc *, uint32_t, void *, int);
+static void    iwn_radiotap_attach(struct iwn_softc *);
+static int     iwn_dma_contig_alloc(bus_dma_tag_t, struct iwn_dma_info *,
+                   void **, bus_size_t, bus_size_t, int);
+static void    iwn_dma_contig_free(struct iwn_dma_info *);
+static int     iwn_alloc_sched(struct iwn_softc *);
+static void    iwn_free_sched(struct iwn_softc *);
+static int     iwn_alloc_kw(struct iwn_softc *);
+static void    iwn_free_kw(struct iwn_softc *);
+static int     iwn_alloc_fwmem(struct iwn_softc *);
+static void    iwn_free_fwmem(struct iwn_softc *);
+static struct  iwn_rbuf *iwn_alloc_rbuf(struct iwn_softc *);
+static void    iwn_free_rbuf(struct mbuf *, void *, size_t, void *);
+static int     iwn_alloc_rpool(struct iwn_softc *);
+static void    iwn_free_rpool(struct iwn_softc *);
+static int     iwn_alloc_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
+static void    iwn_reset_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
+static void    iwn_free_rx_ring(struct iwn_softc *, struct iwn_rx_ring *);
+static int     iwn_alloc_tx_ring(struct iwn_softc *, struct iwn_tx_ring *,
+                   int, int);
+static void    iwn_reset_tx_ring(struct iwn_softc *, struct iwn_tx_ring *);
+static void    iwn_free_tx_ring(struct iwn_softc *, struct iwn_tx_ring *);
+static int     iwn_read_eeprom(struct iwn_softc *);
+static void    iwn4965_read_eeprom(struct iwn_softc *);
+static void    iwn5000_read_eeprom(struct iwn_softc *);
+static void    iwn_read_eeprom_channels(struct iwn_softc *, int, uint32_t);
+static struct  ieee80211_node *iwn_node_alloc(struct ieee80211_node_table *);
+static void    iwn_newassoc(struct ieee80211_node *, int);
+static int     iwn_media_change(struct ifnet *);
+static int     iwn_newstate(struct ieee80211com *, enum ieee80211_state, int);
+static void    iwn_iter_func(void *, struct ieee80211_node *);
+static void    iwn_calib_timeout(void *);
+#if 0
+static int     iwn_ccmp_decap(struct iwn_softc *, struct mbuf *,
+                   struct ieee80211_key *);
+#endif
+static void    iwn_rx_phy(struct iwn_softc *, struct iwn_rx_desc *);
+static void    iwn_rx_done(struct iwn_softc *, struct iwn_rx_desc *,
+                   struct iwn_rx_data *);
+static void    iwn5000_rx_calib_results(struct iwn_softc *,
+                   struct iwn_rx_desc *);
+static void    iwn_rx_statistics(struct iwn_softc *, struct iwn_rx_desc *);
+static void    iwn4965_tx_done(struct iwn_softc *, struct iwn_rx_desc *);
+static void    iwn5000_tx_done(struct iwn_softc *, struct iwn_rx_desc *);
+static void    iwn_tx_done(struct iwn_softc *, struct iwn_rx_desc *, int,
+                   uint8_t);
+static void    iwn_cmd_done(struct iwn_softc *, struct iwn_rx_desc *);
+static void    iwn_notif_intr(struct iwn_softc *);
+static void    iwn_wakeup_intr(struct iwn_softc *);
+static void    iwn_fatal_intr(struct iwn_softc *);
+static int     iwn_intr(void *);
+static void    iwn4965_update_sched(struct iwn_softc *, int, int, uint8_t,
+                   uint16_t);
+static void    iwn5000_update_sched(struct iwn_softc *, int, int, uint8_t,
+                   uint16_t);
+static void    iwn5000_reset_sched(struct iwn_softc *, int, int);
+static int     iwn_tx(struct iwn_softc *, struct mbuf *,
+                   struct ieee80211_node *, int);
+static void    iwn_start(struct ifnet *);
+static void    iwn_watchdog(struct ifnet *);
+static int     iwn_ioctl(struct ifnet *, u_long, void *);
+static int     iwn_cmd(struct iwn_softc *, int, const void *, int, int);
+static int     iwn_wme_update(struct ieee80211com *);
+static int     iwn4965_add_node(struct iwn_softc *, struct iwn_node_info *,
+                   int);
+static int     iwn5000_add_node(struct iwn_softc *, struct iwn_node_info *,
+                   int);
+static int     iwn_set_link_quality(struct iwn_softc *,
+                   struct ieee80211_node *);
+static int     iwn_add_broadcast_node(struct iwn_softc *, int);
+static void    iwn_set_led(struct iwn_softc *, uint8_t, uint8_t, uint8_t);
+static int     iwn_set_critical_temp(struct iwn_softc *);
+static int     iwn_set_timing(struct iwn_softc *, struct ieee80211_node *);
+//static void  iwn4965_power_calibration(struct iwn_softc *, int);
+static int     iwn4965_set_txpower(struct iwn_softc *, int);
+static int     iwn5000_set_txpower(struct iwn_softc *, int);
+static int     iwn4965_get_rssi(const struct iwn_rx_stat *);
+static int     iwn5000_get_rssi(const struct iwn_rx_stat *);
+static int     iwn_get_noise(const struct iwn_rx_general_stats *);
+static int     iwn4965_get_temperature(struct iwn_softc *);
+static int     iwn5000_get_temperature(struct iwn_softc *);
+static int     iwn_init_sensitivity(struct iwn_softc *);
+static void    iwn_collect_noise(struct iwn_softc *,
+                   const struct iwn_rx_general_stats *);
+static int     iwn4965_init_gains(struct iwn_softc *);
+static int     iwn5000_init_gains(struct iwn_softc *);
+static int     iwn4965_set_gains(struct iwn_softc *);
+static int     iwn5000_set_gains(struct iwn_softc *);
+static void    iwn_tune_sensitivity(struct iwn_softc *,
+                   const struct iwn_rx_stats *);
+static int     iwn_send_sensitivity(struct iwn_softc *);
+// XXX  static int     iwn_set_pslevel(struct iwn_softc *, int, int, int);
+static int     iwn_config(struct iwn_softc *);
+static int     iwn_scan(struct iwn_softc *, uint16_t);
+static int     iwn_auth(struct iwn_softc *);
+static int     iwn_run(struct iwn_softc *);
+#if 0
+static void    iwn_delete_key(struct ieee80211com *, struct ieee80211_node *,
+                   struct ieee80211_key *);
+static int     iwn_ampdu_rx_start(struct ieee80211com *,
+                   struct ieee80211_node *, uint8_t, uint16_t);
+static void    iwn_ampdu_rx_stop(struct ieee80211com *,
+                   struct ieee80211_node *, uint8_t, uint16_t);
+static int     iwn_ampdu_tx_start(struct ieee80211com *,
+                   struct ieee80211_node *, uint8_t, uint16_t);
+static void    iwn_ampdu_tx_stop(struct ieee80211com *,
+                   struct ieee80211_node *, uint8_t, uint16_t);
+static void    iwn4965_ampdu_tx_start(struct iwn_softc *,
+                   struct ieee80211_node *, uint8_t, uint16_t);
+static void    iwn4965_ampdu_tx_stop(struct iwn_softc *,
+                   uint8_t, uint16_t);
+static void    iwn5000_ampdu_tx_start(struct iwn_softc *,
+                   struct ieee80211_node *, uint8_t, uint16_t);
+static void    iwn5000_ampdu_tx_stop(struct iwn_softc *,
+                   uint8_t, uint16_t);
+#endif
+static int     iwn5000_query_calibration(struct iwn_softc *);
+static int     iwn5000_send_calibration(struct iwn_softc *);
+static int     iwn4965_post_alive(struct iwn_softc *);
+static int     iwn5000_post_alive(struct iwn_softc *);
+static int     iwn4965_load_bootcode(struct iwn_softc *, const uint8_t *,
+                   int);
+static int     iwn4965_load_firmware(struct iwn_softc *);
+static int     iwn5000_load_firmware_section(struct iwn_softc *, uint32_t,
+                   const uint8_t *, int);
+static int     iwn5000_load_firmware(struct iwn_softc *);
+static int     iwn_read_firmware(struct iwn_softc *);
+static int     iwn_clock_wait(struct iwn_softc *);
+static int     iwn4965_apm_init(struct iwn_softc *);
+static int     iwn5000_apm_init(struct iwn_softc *);
+static void    iwn_apm_stop_master(struct iwn_softc *);
+static void    iwn_apm_stop(struct iwn_softc *);
+static int     iwn4965_nic_config(struct iwn_softc *);
+static int     iwn5000_nic_config(struct iwn_softc *);
+static int     iwn_hw_init(struct iwn_softc *);
+static void    iwn_hw_stop(struct iwn_softc *);
+static int     iwn_init(struct ifnet *);
+static void    iwn_stop(struct ifnet *, int);
+static void    iwn_fix_channel(struct ieee80211com *, struct mbuf *);
+static bool    iwn_resume(device_t PMF_FN_PROTO);
 
 
 #define IWN_DEBUG
-
 #ifdef IWN_DEBUG
 #define DPRINTF(x)     do { if (iwn_debug > 0) printf x; } while (0)
 #define DPRINTFN(n, x) do { if (iwn_debug >= (n)) printf x; } while (0)
-int iwn_debug = 0;
+int iwn_debug = 10;
 #else
 #define DPRINTF(x)
 #define DPRINTFN(n, x)
 #endif
-
 #ifdef IWN_DEBUG
-static void            iwn_print_power_group(struct iwn_softc *, int);
+static void    iwn4965_print_power_group(struct iwn_softc *, int);
+#endif
+
+static const struct iwn_hal iwn4965_hal = {
+       iwn4965_load_firmware,
+       iwn4965_read_eeprom,
+       iwn4965_post_alive,
+       iwn4965_apm_init,
+       iwn4965_nic_config,
+       iwn4965_update_sched,
+       iwn4965_get_temperature,
+       iwn4965_get_rssi,
+       iwn4965_set_txpower,
+       iwn4965_init_gains,
+       iwn4965_set_gains,
+       iwn4965_add_node,
+       iwn4965_tx_done,
+#if 0
+       iwn4965_ampdu_tx_start,
+       iwn4965_ampdu_tx_stop,
 #endif
+       &iwn4965_sensitivity_limits,
+       IWN4965_NTXQUEUES,
+       IWN4965_ID_BROADCAST,
+       IWN4965_RXONSZ,
+       IWN4965_SCHEDSZ,
+       IWN4965_FW_TEXT_MAXSZ,
+       IWN4965_FW_DATA_MAXSZ,
+       IWN4965_FWSZ,
+       IWN4965_SCHED_TXFACT
+};
+
+static const struct iwn_hal iwn5000_hal = {
+       iwn5000_load_firmware,
+       iwn5000_read_eeprom,
+       iwn5000_post_alive,
+       iwn5000_apm_init,
+       iwn5000_nic_config,
+       iwn5000_update_sched,
+       iwn5000_get_temperature,
+       iwn5000_get_rssi,
+       iwn5000_set_txpower,
+       iwn5000_init_gains,
+       iwn5000_set_gains,
+       iwn5000_add_node,
+       iwn5000_tx_done,
+#if 0
+       iwn5000_ampdu_tx_start,
+       iwn5000_ampdu_tx_stop,
+#endif
+       &iwn5000_sensitivity_limits,
+       IWN5000_NTXQUEUES,
+       IWN5000_ID_BROADCAST,
+       IWN5000_RXONSZ,
+       IWN5000_SCHEDSZ,
+       IWN5000_FW_TEXT_MAXSZ,
+       IWN5000_FW_DATA_MAXSZ,
+       IWN5000_FWSZ,
+       IWN5000_SCHED_TXFACT
+};
 
 CFATTACH_DECL_NEW(iwn, sizeof(struct iwn_softc), iwn_match, iwn_attach,
-    iwn_detach, NULL);
+               iwn_detach, NULL);
+
 
 static int
 iwn_match(device_t parent, struct cfdata *match __unused, void *aux)
 {
        struct pci_attach_args *pa = aux;
-
        if (PCI_VENDOR(pa->pa_id) != PCI_VENDOR_INTEL)
                return 0;
-
-       if (PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_INTEL_PRO_WL_4965AGN_1 ||
-           PCI_PRODUCT(pa->pa_id) == PCI_PRODUCT_INTEL_PRO_WL_4965AGN_2)
+       if (PCI_PRODUCT(pa->pa_id) == 0x4235)
                return 1;
-
        return 0;
 }
 
-/* Base Address Register */
-#define IWN_PCI_BAR0   0x10
-
 static void
 iwn_attach(device_t parent __unused, device_t self, void *aux)
 {
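Review bot: `iwn_match` now accepts only the raw product ID `0x4235` and no longer matches the two 4965AGN products, even though this same hunk adds `iwn4965_hal` and the `#if 0` table earlier in the patch lists 4965, 5100, 5150, 5300 and 5350 IDs. If this is a bring-up shortcut it deserves a comment saying so, and the test is better written against the `PCI_PRODUCT_INTEL_PRO_WL_*` constants already named in `iwn_devices[]` so the match list and the switch in `iwn_hal_attach` cannot drift apart. The hunk also changes the default to `int iwn_debug = 10;`, which makes every `DPRINTFN` fire on any kernel built from this tree; `int iwn_debug = 0;` should come back before this leaves a test machine. `iwn_attach` starts in this hunk and continues outside it.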
@@ -230,10 +344,11 @@ iwn_attach(device_t parent __unused, dev
        struct ieee80211com *ic = &sc->sc_ic;
        struct ifnet *ifp = &sc->sc_ec.ec_if;
        struct pci_attach_args *pa = aux;
+       const struct iwn_hal *hal;
        const char *intrstr;
        char devinfo[256];
        pci_intr_handle_t ih;
-       pcireg_t memtype, data;
+       pcireg_t memtype, reg;
        int i, error, revision;
 
        sc->sc_dev = self;
@@ -247,20 +362,26 @@ iwn_attach(device_t parent __unused, dev
        revision = PCI_REVISION(pa->pa_class);
        aprint_normal(": %s (rev. 0x%2x)\n", devinfo, revision);
 
+       /*
+        * Get the offset of the PCI Express Capability Structure in PCI
+        * Configuration Space (the vendor driver hard-codes it as E0h.)
+        */
+       error = pci_get_capability(sc->sc_pct, sc->sc_pcitag,
+           PCI_CAP_PCIEXPRESS, &sc->sc_cap_off, NULL);
+       if (error == 0) {
+               printf(": PCIe capability structure not found!\n");
+               return;
+       }
 
-       /* clear device specific PCI configuration register 0x41 */
-       data = pci_conf_read(sc->sc_pct, sc->sc_pcitag, 0x40);
-       data &= ~0x0000ff00;
-       pci_conf_write(sc->sc_pct, sc->sc_pcitag, 0x40, data);
-
-       data = pci_conf_read(sc->sc_pct, sc->sc_pcitag, PCI_COMMAND_STATUS_REG);
-       data |= PCI_COMMAND_MASTER_ENABLE;
-       pci_conf_write(sc->sc_pct, sc->sc_pcitag, PCI_COMMAND_STATUS_REG, data);
+       /* Clear device-specific "PCI retry timeout" register (41h). */
+       reg = pci_conf_read(sc->sc_pct, sc->sc_pcitag, 0x40);
+       reg &= ~0xff00;
+       pci_conf_write(sc->sc_pct, sc->sc_pcitag, 0x40, reg);
 
        /* enable bus-mastering */
-       data = pci_conf_read(sc->sc_pct, sc->sc_pcitag, PCI_COMMAND_STATUS_REG);
-       data |= PCI_COMMAND_MASTER_ENABLE;
-       pci_conf_write(sc->sc_pct, sc->sc_pcitag, PCI_COMMAND_STATUS_REG, data);
+       reg = pci_conf_read(sc->sc_pct, sc->sc_pcitag, PCI_COMMAND_STATUS_REG);
+       reg |= PCI_COMMAND_MASTER_ENABLE;
+       pci_conf_write(sc->sc_pct, sc->sc_pcitag, PCI_COMMAND_STATUS_REG, reg);
 
        /* map the register window */
        memtype = pci_mapreg_type(pa->pa_pc, pa->pa_tag, IWN_PCI_BAR0);
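Review bot: The new failure path reports with `printf(": PCIe capability structure not found!\n")`, but the `aprint_normal(": %s (rev. 0x%2x)\n", ...)` just above has already ended the attach line, so the message lands on a line of its own with no device name; `aprint_error_dev(self, "PCIe capability structure not found\n");` matches the rest of the function. The same applies to `printf(": could not map interrupt\n")` in the interrupt-map hunk, to the `printf(", MIMO %dT%dR, ...")` banner, and to the `default:` case of `iwn_hal_attach`. Storing the result of `pci_get_capability()` in `error` and then treating 0 as the failure also reads backwards, so a one-line comment such as `/* pci_get_capability() returns non-zero when the capability is found */` would keep a later cleanup from inverting the test. `iwn_attach` begins and ends outside this hunk.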
@@ -270,7 +391,6 @@ iwn_attach(device_t parent __unused, dev
                aprint_error_dev(self, "could not map memory space\n");
                return;
        }
-
 #if 0
        sc->sc_dmat = pa->pa_dmat;
 #endif
@@ -283,11 +403,11 @@ iwn_attach(device_t parent __unused, dev
                sc->sc_dmat = pa->pa_dmat;
        }
 
+       /* Install interrupt handler. */
        if (pci_intr_map(pa, &ih) != 0) {
-               aprint_error_dev(self, "could not map interrupt\n");
+               printf(": could not map interrupt\n");
                return;
        }
-
        intrstr = pci_intr_string(sc->sc_pct, ih);
        sc->sc_ih = pci_intr_establish(sc->sc_pct, ih, IPL_NET, iwn_intr, sc);
 
@@ -300,82 +420,102 @@ iwn_attach(device_t parent __unused, dev
        }
        aprint_normal_dev(self, "interrupting at %s\n", intrstr);
 
-       if (iwn_reset(sc) != 0) {
-               aprint_error_dev(self, "could not reset adapter\n");
+       /* Attach Hardware Abstraction Layer. */
+       if ((hal = iwn_hal_attach(sc)) == NULL)
+               return;
+
+       /* Power ON adapter. */
+       if ((error = hal->apm_init(sc)) != 0) {
+               aprint_error_dev(self, "could not power ON adapter\n");
                return;
        }
 
-       /*
-        * Allocate DMA memory for firmware transfers.
-        */
+       /* Read MAC address, channels, etc from EEPROM. */
+       if ((error = iwn_read_eeprom(sc)) != 0) {
+               aprint_error_dev(self, "could not read EEPROM\n");
+               return;
+       }
+
+       /* Allocate DMA memory for firmware transfers. */
        if ((error = iwn_alloc_fwmem(sc)) != 0) {
-               aprint_error_dev(self, "could not allocate firmware memory\n");
+               aprint_error_dev(self,
+                   "could not allocate memory for firmware\n");
                return;
        }
 
-       /*
-        * Allocate a "keep warm" page.
-        */
+       /* Allocate "Keep Warm" page. */
        if ((error = iwn_alloc_kw(sc)) != 0) {
                aprint_error_dev(self, "could not allocate keep warm page\n");
                goto fail1;
        }
 
-       /*
-        * Allocate shared area (communication area).
-        */
-       if ((error = iwn_alloc_shared(sc)) != 0) {
-               aprint_error_dev(self, "could not allocate shared area\n");
+       /* Allocate TX scheduler "rings". */
+       if ((error = iwn_alloc_sched(sc)) != 0) {
+               aprint_error_dev(self,
+                   "could not allocate TX scheduler rings\n");
                goto fail2;
        }
 
-       /*
-        * Allocate Rx buffers and Tx/Rx rings.
-        */
+       /* Allocate RX buffers. */
        if ((error = iwn_alloc_rpool(sc)) != 0) {
-               aprint_error_dev(self, "could not allocate Rx buffers\n");
+               aprint_error_dev(self, "could not allocate RX buffers\n");
                goto fail3;
        }
 
-       for (i = 0; i < IWN_NTXQUEUES; i++) {
+       /* Allocate TX rings (16 on 4965AGN, 20 on 5000.) */
+       for (i = 0; i < hal->ntxqs; i++) {
                struct iwn_tx_ring *txq = &sc->txq[i];
                error = iwn_alloc_tx_ring(sc, txq, IWN_TX_RING_COUNT, i);
                if (error != 0) {
-                       aprint_error_dev(self, "could not allocate Tx ring 
%d\n", i);
+                       aprint_error_dev(self,
+                           "could not allocate TX ring %d\n", i);
                        goto fail4;
                }
        }
 
-       if (iwn_alloc_rx_ring(sc, &sc->rxq) != 0)  {
-               aprint_error_dev(self, "could not allocate Rx ring\n");
+       /* Allocate RX ring. */
+       if (iwn_alloc_rx_ring(sc, &sc->rxq) != 0) {
+               aprint_error_dev(self, "could not allocate RX ring\n");
                goto fail4;
        }
 
+       /* Power OFF adapter. */
+       iwn_apm_stop(sc);
+       /* Clear pending interrupts. */
+       IWN_WRITE(sc, IWN_INT, 0xffffffff);
+
+       printf(", MIMO %dT%dR, %.4s, address %s\n", sc->ntxchains,
+           sc->nrxchains, sc->eeprom_domain, ether_sprintf(ic->ic_myaddr));
+
+       /* Initialization firmware has not been loaded yet. */
+       sc->sc_flags |= IWN_FLAG_FIRST_BOOT;
+
+       /* Set the state of the RF kill switch */
+       sc->sc_radio = (IWN_READ(sc, IWN_GP_CNTRL) & IWN_GP_CNTRL_RFKILL);
 
        ic->ic_ifp = ifp;
        ic->ic_phytype = IEEE80211_T_OFDM;      /* not only, but not used */
        ic->ic_opmode = IEEE80211_M_STA;        /* default to BSS mode */
        ic->ic_state = IEEE80211_S_INIT;
 
-       /* set device capabilities */
+       /* Set device capabilities. */
        ic->ic_caps =
            IEEE80211_C_IBSS |          /* IBSS mode support */
-           IEEE80211_C_WPA  |          /* 802.11i */
+           IEEE80211_C_WPA |           /* 802.11i */
            IEEE80211_C_MONITOR |       /* monitor mode supported */
            IEEE80211_C_TXPMGT |        /* tx power management */
            IEEE80211_C_SHSLOT |        /* short slot time supported */
-           IEEE80211_C_SHPREAMBLE|     /* short preamble supported */
+           IEEE80211_C_SHPREAMBLE |    /* short preamble supported */
            IEEE80211_C_WME;            /* 802.11e */
 
-       /* read supported channels and MAC address from EEPROM */
-       iwn_read_eeprom(sc);
-
-       /* set supported .11a, .11b and .11g rates */
-       ic->ic_sup_rates[IEEE80211_MODE_11A] = iwn_rateset_11a;
+       /* Set supported rates. */
        ic->ic_sup_rates[IEEE80211_MODE_11B] = iwn_rateset_11b;
        ic->ic_sup_rates[IEEE80211_MODE_11G] = iwn_rateset_11g;
+       if (sc->sc_flags & IWN_FLAG_HAS_5GHZ) {
+               ic->ic_sup_rates[IEEE80211_MODE_11A] = iwn_rateset_11a;
+       }
 
-       /* IBSS channel undefined for now */
+       /* IBSS channel undefined for now. */
        ic->ic_ibss_chan = &ic->ic_channels[0];
 
        memset(ic->ic_des_essid, 0, IEEE80211_NWID_LEN);
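Review bot: The three early `return`s added here (after `iwn_hal_attach` returns NULL, after `hal->apm_init` fails, after `iwn_read_eeprom` fails) leave `sc->sc_ih` established and the register window mapped on a softc that is otherwise unusable. The handler is installed in the previous hunk with `pci_intr_establish(..., iwn_intr, sc)`, so on a shared interrupt line `iwn_intr` could still be entered for a softc whose `sc_hal` was never set. Each of these paths should first undo the handler, e.g. `pci_intr_disestablish(sc->sc_pct, sc->sc_ih); sc->sc_ih = NULL;`, or jump to a new cleanup label placed after `fail1`. Separately, the TX ring loop now runs to `hal->ntxqs` (the comment says 20 on 5000) while indexing `sc->txq[i]`; the array declaration is not visible here, so it is worth confirming it was sized for the larger count. `iwn_attach` begins and ends outside this hunk.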
@@ -383,8 +523,8 @@ iwn_attach(device_t parent __unused, dev
 
        ifp->if_softc = sc;
        ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
-       ifp->if_init = iwn_init;
        ifp->if_stop = iwn_stop;
+       ifp->if_init = iwn_init;
        ifp->if_ioctl = iwn_ioctl;
        ifp->if_start = iwn_start;
        ifp->if_watchdog = iwn_watchdog;
@@ -396,8 +536,9 @@ iwn_attach(device_t parent __unused, dev
        ic->ic_node_alloc = iwn_node_alloc;
        ic->ic_newassoc = iwn_newassoc;
        ic->ic_wme.wme_update = iwn_wme_update;
+       // XXX ic->ic_delete_key = iwn_delete_key;
 
-       /* override state transition machine */
+       /* Override 802.11 state transition machine. */
        sc->sc_newstate = ic->ic_newstate;
        ic->ic_newstate = iwn_newstate;
        ieee80211_media_init(ic, iwn_media_change, ieee80211_media_status);
@@ -409,18 +550,17 @@ iwn_attach(device_t parent __unused, dev
                aprint_error_dev(self, "couldn't establish power handler\n");
        else
                pmf_class_network_register(self, ifp);
-
        iwn_radiotap_attach(sc);
 
        ieee80211_announce(ic);
 
        return;
 
-       /* free allocated memory if something failed during attachment */
+       /* Free allocated memory if something failed during attachment. */
 fail4: while (--i >= 0)
                iwn_free_tx_ring(sc, &sc->txq[i]);
        iwn_free_rpool(sc);
-fail3: iwn_free_shared(sc);
+fail3: iwn_free_sched(sc);
 fail2: iwn_free_kw(sc);
 fail1: iwn_free_fwmem(sc);
 }
@@ -433,7 +573,6 @@ iwn_detach(struct device* self, int flag
        int ac;
 
        iwn_stop(ifp, 1);
-
 #if NBPFILTER > 0
        if (ifp != NULL)
                bpfdetach(ifp);
@@ -442,11 +581,11 @@ iwn_detach(struct device* self, int flag
        if (ifp != NULL)
                if_detach(ifp);
 
-       for (ac = 0; ac < IWN_NTXQUEUES; ac++)
+       for (ac = 0; ac < sc->sc_hal->ntxqs; ac++)
                iwn_free_tx_ring(sc, &sc->txq[ac]);
        iwn_free_rx_ring(sc, &sc->rxq);
        iwn_free_rpool(sc);
-       iwn_free_shared(sc);
+       iwn_free_sched(sc);
 
        if (sc->sc_ih != NULL) {
                pci_intr_disestablish(sc->sc_pct, sc->sc_ih);
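Review bot: `sc->sc_hal->ntxqs` is dereferenced unconditionally, but `sc_hal` is only assigned inside `iwn_hal_attach`, and `iwn_attach` has several `return`s before that call (the `default:` case of `iwn_hal_attach` also returns NULL without setting it). If detach can run on a device whose attach bailed out early, this loop dereferences a NULL pointer in kernel context; guarding the ring teardown with `if (sc->sc_hal != NULL)` would cover it. The hunk sits inside `iwn_detach`, whose beginning and end are outside it.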
@@ -458,6 +597,72 @@ iwn_detach(struct device* self, int flag
        return 0;
 }
 
+const struct iwn_hal *
+iwn_hal_attach(struct iwn_softc *sc)
+{
+       sc->hw_type = (IWN_READ(sc, IWN_HW_REV) >> 4) & 0xf;
+
+       switch (sc->hw_type) {
+       case IWN_HW_REV_TYPE_4965:
+               sc->sc_hal = &iwn4965_hal;
+               sc->fwname = "iwn-4965";
+               sc->critical_temp = IWN_CTOK(110);
+               sc->txantmsk = IWN_ANT_A | IWN_ANT_B;
+               sc->rxantmsk = IWN_ANT_ABC;
+               sc->ntxchains = 2;
+               sc->nrxchains = 3;
+               break;
+       case IWN_HW_REV_TYPE_5100:
+               sc->sc_hal = &iwn5000_hal;
+               sc->fwname = "iwn-5000";
+               sc->critical_temp = 110;
+               sc->txantmsk = IWN_ANT_B;
+               sc->rxantmsk = IWN_ANT_A | IWN_ANT_B;
+               sc->ntxchains = 1;
+               sc->nrxchains = 2;
+               break;
+       case IWN_HW_REV_TYPE_5150:
+               sc->sc_hal = &iwn5000_hal;
+               sc->fwname = "iwn-5150";
+               /* NB: critical temperature will be read from EEPROM. */
+               sc->txantmsk = IWN_ANT_A;
+               sc->rxantmsk = IWN_ANT_A | IWN_ANT_B;
+               sc->ntxchains = 1;
+               sc->nrxchains = 2;
+               break;
+       case IWN_HW_REV_TYPE_5300:
+       case IWN_HW_REV_TYPE_5350:
+               sc->sc_hal = &iwn5000_hal;
+               sc->fwname = "iwn-5000";
+               sc->critical_temp = 110;
+               sc->txantmsk = sc->rxantmsk = IWN_ANT_ABC;
+               sc->ntxchains = sc->nrxchains = 3;
+               break;
+       default:
+               printf(": adapter type %d not supported\n", sc->hw_type);
+               return NULL;
+       }
+       return sc->sc_hal;
+}
+
+#if 0
+/*
+ * Attach the adapter's on-board thermal sensor to the sensors framework.
+ */
+void
+iwn_sensor_attach(struct iwn_softc *sc)
+{
+       strlcpy(sc->sensordev.xname, sc->sc_dev.dv_xname,
+           sizeof sc->sensordev.xname);
+       sc->sensor.type = SENSOR_TEMP;
+       /* Temperature is not valid unless interface is up. */
+       sc->sensor.value = 0;
+       sc->sensor.flags = SENSOR_FINVALID;
+       sensor_attach(&sc->sensordev, &sc->sensor);
+       sensordev_install(&sc->sensordev);
+}
+#endif /* 0 */
+
 /*
  * Attach the interface to 802.11 radiotap.
  */
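Review bot: `sc->critical_temp` is filled in three different ways in `iwn_hal_attach`: `IWN_CTOK(110)` for the 4965, a plain `110` for 5100/5300/5350, and not at all for the 5150 case. Only the 5150 case carries a comment, and nothing says which unit the consumers expect, so a comment above the switch such as `/* critical_temp: converted with IWN_CTOK on 4965, raw value on 5000 series, read from EEPROM on 5150 (TODO confirm units against iwn_set_critical_temp) */` would help. The consumers are not in this hunk, so the unit difference may well be intentional. `iwn_hal_attach` is also the only entry in the prototype block declared without `static`, although the visible code calls it only from `iwn_attach`.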
@@ -465,11 +670,10 @@ static void
 iwn_radiotap_attach(struct iwn_softc *sc)
 {
        struct ifnet *ifp = sc->sc_ic.ic_ifp;
-
 #if NBPFILTER > 0
        bpfattach2(ifp, DLT_IEEE802_11_RADIO,
-           sizeof (struct ieee80211_frame) + IEEE80211_RADIOTAP_HDRLEN,
-           &sc->sc_drvbpf);
+                  sizeof (struct ieee80211_frame) + IEEE80211_RADIOTAP_HDRLEN,
+                  &sc->sc_drvbpf);
 
        sc->sc_rxtap_len = sizeof sc->sc_rxtapu;
        sc->sc_rxtap.wr_ihdr.it_len = htole16(sc->sc_rxtap_len);
@@ -481,7 +685,7 @@ iwn_radiotap_attach(struct iwn_softc *sc
 #endif
 }
 
-
+#if 0 /* XXX */
 /*
  * Build a beacon frame that the firmware will broadcast periodically in
  * IBSS or HostAP modes.
@@ -502,13 +706,12 @@ iwn_setup_beacon(struct iwn_softc *sc, s
 
        desc = &ring->desc[ring->cur];
        data = &ring->data[ring->cur];
-
        m0 = ieee80211_beacon_alloc(ic, ni, &bo);
        if (m0 == NULL) {
-               aprint_error_dev(sc->sc_dev, "could not allocate beacon 
frame\n");
+               aprint_error_dev(sc->sc_dev, "could not allocate beacon frame\n"
+);
                return ENOMEM;
        }
-
        cmd = &ring->cmd[ring->cur];
        cmd->code = IWN_CMD_SET_BEACON;
        cmd->flags = 0;
@@ -517,15 +720,17 @@ iwn_setup_beacon(struct iwn_softc *sc, s
 
        bcn = (struct iwn_cmd_beacon *)cmd->data;
        memset(bcn, 0, sizeof (struct iwn_cmd_beacon));
-       bcn->id = IWN_ID_BROADCAST;
+       bcn->id = sc->sc_hal->broadcast_id;
        bcn->lifetime = htole32(IWN_LIFETIME_INFINITE);
        bcn->len = htole16(m0->m_pkthdr.len);
+#if 0
+       XXX
        bcn->rate = (ic->ic_curmode == IEEE80211_MODE_11A) ?
-           iwn_plcp_signal(12) : iwn_plcp_signal(2);
+               iwn_plcp_signal(12) : iwn_plcp_signal(2);
+#endif
        bcn->flags2 = 0x2; /* RATE_MCS_CCK_MSK */
-
-       bcn->flags = htole32(IWN_TX_AUTO_SEQ | IWN_TX_INSERT_TSTAMP
-                            | IWN_TX_USE_NODE_RATE);
+       bcn->flags = htole32(IWN_TX_AUTO_SEQ | IWN_TX_INSERT_TSTAMP;
+               // XXX | IWN_TX_USE_NODE_RATE);
 
        /* save and trim IEEE802.11 header */
        m_copydata(m0, 0, sizeof (struct ieee80211_frame), (void *)&bcn->wh);
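Review bot: The rewritten `bcn->flags` assignment no longer parses: `htole32(IWN_TX_AUTO_SEQ | IWN_TX_INSERT_TSTAMP;` ends before its closing parenthesis, because the rest of the expression was moved into a `//` comment on the next line. The function is currently hidden behind the `#if 0 /* XXX */` added above it, so the build does not notice, but it will fail as soon as the beacon path is re-enabled. `bcn->flags = htole32(IWN_TX_AUTO_SEQ | IWN_TX_INSERT_TSTAMP); /* XXX | IWN_TX_USE_NODE_RATE */` keeps the intent and stays valid C. iwn_setup_beacon starts and ends outside this hunk.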
@@ -533,7 +738,7 @@ iwn_setup_beacon(struct iwn_softc *sc, s
 
        /* assume beacon frame is contiguous */
        error = bus_dmamap_load_mbuf(sc->sc_dmat, data->map, m0,
-           BUS_DMA_READ | BUS_DMA_NOWAIT);
+               BUS_DMA_READ | BUS_DMA_NOWAIT);
        if (error) {
                aprint_error_dev(sc->sc_dev, "could not map beacon\n");
                m_freem(m0);
@@ -548,7 +753,7 @@ iwn_setup_beacon(struct iwn_softc *sc, s
        IWN_SET_DESC_NSEGS(desc, 2);
        IWN_SET_DESC_SEG(desc, 0, paddr , 4 + sizeof(struct iwn_cmd_beacon));
        IWN_SET_DESC_SEG(desc, 1,  data->map->dm_segs[0].ds_addr,
-           data->map->dm_segs[1].ds_len);
+                                          data->map->dm_segs[1].ds_len);
 
        bus_dmamap_sync(sc->sc_dmat, data->map, 0,
            data->map->dm_mapsize /* calc? */, BUS_DMASYNC_PREWRITE);
@@ -556,7 +761,164 @@ iwn_setup_beacon(struct iwn_softc *sc, s
        /* kick cmd ring */
        ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
        IWN_WRITE(sc, IWN_TX_WIDX, ring->qid << 8 | ring->cur);
+       return 0;
+}
+#endif
+
+static int
+iwn_nic_lock(struct iwn_softc *sc)
+{
+       int ntries;
+
+       /* Request exclusive access to NIC. */
+       IWN_SETBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_MAC_ACCESS_REQ);
+
+       /* Spin until we actually get the lock. */
+       for (ntries = 0; ntries < 1000; ntries++) {
+               if ((IWN_READ(sc, IWN_GP_CNTRL) &
+                    (IWN_GP_CNTRL_MAC_ACCESS_ENA | IWN_GP_CNTRL_SLEEP)) ==
+                   IWN_GP_CNTRL_MAC_ACCESS_ENA)
+                       return 0;
+               DELAY(10);
+       }
+       return ETIMEDOUT;
+}
+
+static __inline void
+iwn_nic_unlock(struct iwn_softc *sc)
+{
+       IWN_CLRBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_MAC_ACCESS_REQ);
+}
+
+static __inline uint32_t
+iwn_prph_read(struct iwn_softc *sc, uint32_t addr)
+{
+       IWN_WRITE(sc, IWN_PRPH_RADDR, IWN_PRPH_DWORD | addr);
+       return IWN_READ(sc, IWN_PRPH_RDATA);
+}
+
+static __inline void
+iwn_prph_write(struct iwn_softc *sc, uint32_t addr, uint32_t data)
+{
+       IWN_WRITE(sc, IWN_PRPH_WADDR, IWN_PRPH_DWORD | addr);
+       IWN_WRITE(sc, IWN_PRPH_WDATA, data);
+}
+
+static __inline void
+iwn_prph_setbits(struct iwn_softc *sc, uint32_t addr, uint32_t mask)
+{
+       iwn_prph_write(sc, addr, iwn_prph_read(sc, addr) | mask);
+}
+
+static __inline void
+iwn_prph_clrbits(struct iwn_softc *sc, uint32_t addr, uint32_t mask)
+{
+       iwn_prph_write(sc, addr, iwn_prph_read(sc, addr) & ~mask);
+}
+
+static __inline void
+iwn_prph_write_region_4(struct iwn_softc *sc, uint32_t addr,
+    const uint32_t *data, int count)
+{
+       for (; count > 0; count--, data++, addr += 4)
+               iwn_prph_write(sc, addr, *data);
+}
+
+static __inline uint32_t
+iwn_mem_read(struct iwn_softc *sc, uint32_t addr)
+{
+       IWN_WRITE(sc, IWN_MEM_RADDR, addr);
+       return IWN_READ(sc, IWN_MEM_RDATA);
+}
+
+static __inline void
+iwn_mem_write(struct iwn_softc *sc, uint32_t addr, uint32_t data)
+{
+       IWN_WRITE(sc, IWN_MEM_WADDR, addr);
+       IWN_WRITE(sc, IWN_MEM_WDATA, data);
+}
+
+static __inline void
+iwn_mem_write_2(struct iwn_softc *sc, uint32_t addr, uint16_t data)
+{
+       uint32_t tmp;
+
+       tmp = iwn_mem_read(sc, addr & ~3);
+       if (addr & 3)
+               tmp = (tmp & 0x0000ffff) | data << 16;
+       else
+               tmp = (tmp & 0xffff0000) | data;
+       iwn_mem_write(sc, addr & ~3, tmp);
+}
+
+static __inline void
+iwn_mem_read_region_4(struct iwn_softc *sc, uint32_t addr, uint32_t *data,
+    int count)
+{
+       for (; count > 0; count--, addr += 4)
+               *data++ = iwn_mem_read(sc, addr);
+}
+
+static __inline void
+iwn_mem_set_region_4(struct iwn_softc *sc, uint32_t addr, uint32_t val,
+    int count)
+{
+       for (; count > 0; count--, addr += 4)
+               iwn_mem_write(sc, addr, val);
+}
+
+static int
+iwn_eeprom_lock(struct iwn_softc *sc)
+{
+       int i, ntries;
+
+       for (i = 0; i < 100; i++) {
+               /* Request exclusive access to EEPROM. */
+               IWN_SETBITS(sc, IWN_HW_IF_CONFIG,
+                   IWN_HW_IF_CONFIG_EEPROM_LOCKED);
+
+               /* Spin until we actually get the lock. */
+               for (ntries = 0; ntries < 100; ntries++) {
+                       if (IWN_READ(sc, IWN_HW_IF_CONFIG) &
+                           IWN_HW_IF_CONFIG_EEPROM_LOCKED)
+                               return 0;
+                       DELAY(10);
+               }
+       }
+       return ETIMEDOUT;
+}
+
+static __inline void
+iwn_eeprom_unlock(struct iwn_softc *sc)
+{
+       IWN_CLRBITS(sc, IWN_HW_IF_CONFIG, IWN_HW_IF_CONFIG_EEPROM_LOCKED);
+}
+
+static int
+iwn_read_prom_data(struct iwn_softc *sc, uint32_t addr, void *data, int count)
+{
+       uint8_t *out = data;
+       uint32_t val;
+       int ntries;
+
+       for (; count > 0; count -= 2, addr++) {
+               IWN_WRITE(sc, IWN_EEPROM, addr << 2);
+               IWN_CLRBITS(sc, IWN_EEPROM, IWN_EEPROM_CMD);
 
+               for (ntries = 0; ntries < 10; ntries++) {
+                       val = IWN_READ(sc, IWN_EEPROM);
+                       if (val & IWN_EEPROM_READ_VALID)
+                               break;
+                       DELAY(5);
+               }
+               if (ntries == 10) {
+                       aprint_error_dev(sc->sc_dev, "could not read EEPROM\n");
+                       return ETIMEDOUT;
+               }
+               *out++ = val >> 16;
+               if (count > 1)
+                       *out++ = val >> 24;
+       }
        return 0;
 }
 
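Review bot: In `iwn_mem_write_2`, `data << 16` promotes the `uint16_t` to `int` before shifting, so any value with bit 15 set is shifted into the sign bit, which is undefined behaviour. `tmp = (tmp & 0x0000ffff) | (uint32_t)data << 16;` avoids it. The same function treats every non-zero `addr & 3` as "upper half-word", so an odd address would silently overwrite the wrong 16 bits. A comment stating that `addr` must be 2-byte aligned, or a `KASSERT((addr & 1) == 0)`, would make that expectation explicit.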
@@ -587,6 +949,7 @@ iwn_dma_contig_alloc(bus_dma_tag_t tag, 
                goto fail;
 
        memset(dma->vaddr, 0, size);
+       bus_dmamap_sync(tag, dma->map, 0, size, BUS_DMASYNC_PREWRITE);
 
        dma->paddr = dma->map->dm_segs[0].ds_addr;
        if (kvap != NULL)
@@ -603,6 +966,8 @@ iwn_dma_contig_free(struct iwn_dma_info 
 {
        if (dma->map != NULL) {
                if (dma->vaddr != NULL) {
+                       bus_dmamap_sync(dma->tag, dma->map, 0, dma->size,
+                           BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
                        bus_dmamap_unload(dma->tag, dma->map);
                        bus_dmamem_unmap(dma->tag, dma->vaddr, dma->size);
                        bus_dmamem_free(dma->tag, &dma->seg, 1);
@@ -614,34 +979,30 @@ iwn_dma_contig_free(struct iwn_dma_info 
 }
 
 static int
-iwn_alloc_shared(struct iwn_softc *sc)
+iwn_alloc_sched(struct iwn_softc *sc)
 {
        int error;
-       void *p;
-       /* must be aligned on a 1KB boundary */
-       error = iwn_dma_contig_alloc(sc->sc_dmat, &sc->shared_dma,
-           &p, sizeof (struct iwn_shared), 1024,BUS_DMA_NOWAIT);
-       sc->shared = p;
+       /* TX scheduler rings must be aligned on a 1KB boundary. */
+       error = iwn_dma_contig_alloc(sc->sc_dmat, &sc->sched_dma,
+           (void **)&sc->sched, sc->sc_hal->schedsz, 1024, BUS_DMA_NOWAIT);
        if (error != 0)
                aprint_error_dev(sc->sc_dev,
                    "could not allocate shared area DMA memory\n");
-
        return error;
-
 }
 
 static void
-iwn_free_shared(struct iwn_softc *sc)
+iwn_free_sched(struct iwn_softc *sc)
 {
-       iwn_dma_contig_free(&sc->shared_dma);
+       iwn_dma_contig_free(&sc->sched_dma);
 }
 
 static int
 iwn_alloc_kw(struct iwn_softc *sc)
 {
-       /* must be aligned on a 16-byte boundary */
-       return iwn_dma_contig_alloc(sc->sc_dmat, &sc->kw_dma, NULL,
-           PAGE_SIZE, PAGE_SIZE, BUS_DMA_NOWAIT);
+       /* "Keep Warm" page must be aligned on a 16-byte boundary. */
+       return iwn_dma_contig_alloc(sc->sc_dmat, &sc->kw_dma, NULL, 4096,
+           4096, BUS_DMA_NOWAIT);
 }
 
 static void
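Review bot: The error message in `iwn_alloc_sched` still reads "could not allocate shared area DMA memory" although the function now allocates the TX scheduler rings, which will mislead anyone reading the console after a failed attach. `"could not allocate TX scheduler DMA memory\n"` would match the new purpose. In `iwn_alloc_kw` the new comment says the page must be aligned on a 16-byte boundary while the call passes an alignment of 4096, and the literal replaces `PAGE_SIZE` without explanation. If the fixed size is intentional, a comment such as `/* "Keep Warm" page: 4KB, 4KB-aligned, independent of PAGE_SIZE. */` would describe what the code does.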
@@ -654,15 +1015,12 @@ static int
 iwn_alloc_fwmem(struct iwn_softc *sc)
 {
        int error;
-       /* allocate enough contiguous space to store text and data */
+       /* Must be aligned on a 16-byte boundary. */
        error = iwn_dma_contig_alloc(sc->sc_dmat, &sc->fw_dma, NULL,
-           IWN_FW_MAIN_TEXT_MAXSZ + IWN_FW_MAIN_DATA_MAXSZ, 16,
-           BUS_DMA_NOWAIT);
-
-       if (error != 0){
+           sc->sc_hal->fwsz, 16, BUS_DMA_NOWAIT);
+       if (error != 0) {
                aprint_error_dev(sc->sc_dev,
-                   "could not allocate firmware transfer area DMA memory\n" );
-
+                   "could not allocate firmware transfer area DMA memory\n");
        }
        return error;
 }
@@ -677,21 +1035,20 @@ static struct iwn_rbuf *
 iwn_alloc_rbuf(struct iwn_softc *sc)
 {
        struct iwn_rbuf *rbuf;
-
        mutex_enter(&sc->rxq.freelist_mtx);
+
        rbuf = SLIST_FIRST(&sc->rxq.freelist);
        if (rbuf != NULL) {
                SLIST_REMOVE_HEAD(&sc->rxq.freelist, next);
                sc->rxq.nb_free_entries --;
        }
        mutex_exit(&sc->rxq.freelist_mtx);
-
        return rbuf;
 }
 
 /*
  * This is called automatically by the network stack when the mbuf to which
- * our Rx buffer is attached is freed.
+ * our RX buffer is attached is freed.
  */
 static void
 iwn_free_rbuf(struct mbuf* m, void *buf,  size_t size, void *arg)
@@ -699,17 +1056,16 @@ iwn_free_rbuf(struct mbuf* m, void *buf,
        struct iwn_rbuf *rbuf = arg;
        struct iwn_softc *sc = rbuf->sc;
 
-       /* put the buffer back in the free list */
+       /* Put the RX buffer back in the free list. */
        mutex_enter(&sc->rxq.freelist_mtx);
        SLIST_INSERT_HEAD(&sc->rxq.freelist, rbuf, next);
        mutex_exit(&sc->rxq.freelist_mtx);
-       sc->rxq.nb_free_entries ++;
 
+       sc->rxq.nb_free_entries ++;
        if (__predict_true(m != NULL))
                pool_cache_put(mb_cache, m);
 }
 
-
 static int
 iwn_alloc_rpool(struct iwn_softc *sc)
 {
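Review bot: `sc->rxq.nb_free_entries ++` in `iwn_free_rbuf` still runs after `mutex_exit(&sc->rxq.freelist_mtx)`, while `iwn_alloc_rbuf` decrements the same counter with the mutex held, so the two updates can race and the counter can drift from the real free-list length. This hunk only moves the blank line around the increment. Placing `sc->rxq.nb_free_entries++;` directly after `SLIST_INSERT_HEAD(&sc->rxq.freelist, rbuf, next);`, before the `mutex_exit`, puts both updates under the same lock.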
@@ -719,21 +1075,20 @@ iwn_alloc_rpool(struct iwn_softc *sc)
 
        mutex_init(&ring->freelist_mtx, MUTEX_DEFAULT, IPL_NET);
 
-       /* allocate a big chunk of DMA'able memory.. */
+       /* Allocate a big chunk of DMA'able memory... */
        error = iwn_dma_contig_alloc(sc->sc_dmat, &ring->buf_dma, NULL,
-           IWN_RBUF_COUNT * IWN_RBUF_SIZE, IWN_BUF_ALIGN, BUS_DMA_NOWAIT);
+           IWN_RBUF_COUNT * IWN_RBUF_SIZE, PAGE_SIZE, BUS_DMA_NOWAIT);
        if (error != 0) {
                aprint_error_dev(sc->sc_dev,
-                   "could not allocate Rx buffers DMA memory\n");
+                   "could not allocate RX buffers DMA memory\n");
                return error;
        }
-
-       /* ..and split it into chunks of "rbufsz" bytes */
+       /* ...and split it into chunks of IWN_RBUF_SIZE bytes. */
        SLIST_INIT(&ring->freelist);
        for (i = 0; i < IWN_RBUF_COUNT; i++) {
                rbuf = &ring->rbuf[i];
 
-               rbuf->sc = sc;  /* backpointer for callbacks */
+               rbuf->sc = sc;  /* Backpointer for callbacks. */
                rbuf->vaddr = (char *)ring->buf_dma.vaddr + i * IWN_RBUF_SIZE;
                rbuf->paddr = ring->buf_dma.paddr + i * IWN_RBUF_SIZE;
 
@@ -753,50 +1108,65 @@ static int
 iwn_alloc_rx_ring(struct iwn_softc *sc, struct iwn_rx_ring *ring)
 {
        struct iwn_rx_data *data;
+       bus_size_t size;
        struct iwn_rbuf *rbuf;
        int i, error;
-       void *p;
 
        ring->cur = 0;
 
+       /* Allocate RX descriptors (256-byte aligned.) */
+       size = IWN_RX_RING_COUNT * sizeof (struct iwn_rx_desc);
        error = iwn_dma_contig_alloc(sc->sc_dmat, &ring->desc_dma,
-           &p, IWN_RX_RING_COUNT * sizeof (struct iwn_rx_desc),
-           IWN_RING_DMA_ALIGN, BUS_DMA_NOWAIT);
+           (void **)&ring->desc, size, 256, BUS_DMA_NOWAIT);
+       if (error != 0) {
+               aprint_error_dev(sc->sc_dev,
+                   "could not allocate RX ring DMA memory\n");
+               goto fail;
+       }
+
+       /* Allocate RX status area (16-byte aligned.) */
+       error = iwn_dma_contig_alloc(sc->sc_dmat, &ring->stat_dma,
+           (void **)&ring->stat, sizeof (struct iwn_rx_status), 16,
+           BUS_DMA_NOWAIT);
        if (error != 0) {
                aprint_error_dev(sc->sc_dev,
-                   "could not allocate rx ring DMA memory\n");
+                   "could not allocate RX status DMA memory\n");
                goto fail;
        }
-       ring->desc = p;
 
        /*
-        * Setup Rx buffers.
+        * Allocate RX buffers.
         */
        for (i = 0; i < IWN_RX_RING_COUNT; i++) {
                data = &ring->data[i];
 
                MGETHDR(data->m, M_DONTWAIT, MT_DATA);
                if (data->m == NULL) {
-                       aprint_error_dev(sc->sc_dev, "could not allocate rx 
mbuf\n");
+                       aprint_error_dev(sc->sc_dev,
+                           "could not allocate RX mbuf\n");
                        error = ENOMEM;
                        goto fail;
                }
                if ((rbuf = iwn_alloc_rbuf(sc)) == NULL) {
                        m_freem(data->m);
                        data->m = NULL;
-                       aprint_error_dev(sc->sc_dev, "could not allocate rx 
buffer\n");
+                       aprint_error_dev(sc->sc_dev,
+                          "could not allocate RX buffer\n");
                        error = ENOMEM;
                        goto fail;
                }
-               /* attach Rx buffer to mbuf */
+               /* Attach RX buffer to mbuf header. */
                MEXTADD(data->m, rbuf->vaddr, IWN_RBUF_SIZE, 0, iwn_free_rbuf,
                    rbuf);
-
                data->m->m_flags |= M_EXT_RW;
-               /* Rx buffers are aligned on a 256-byte boundary */
+
+               /* Set physical address of RX buffer (256-byte aligned.) */
                ring->desc[i] = htole32(rbuf->paddr >> 8);
        }
 
+       bus_dmamap_sync(sc->sc_dmat, ring->desc_dma.map,
+           0, ring->desc_dma.size, BUS_DMASYNC_PREWRITE);
+
        return 0;
 
 fail:  iwn_free_rx_ring(sc, ring);
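Review bot: `(void **)&ring->desc` and `(void **)&ring->stat` let `iwn_dma_contig_alloc` store through a `void *` lvalue into objects that are presumably declared with other pointer types, which the removed `void *p` temporary avoided. That is an aliasing violation in ISO C and only works as long as the build disables strict-aliasing optimisation. The same cast is introduced in `iwn_alloc_sched` and `iwn_alloc_tx_ring`. Keeping the temporary (`void *p;` passed as `&p`, then `ring->desc = p;`) costs two lines per call site. iwn_alloc_rx_ring continues past the `fail:` label where this hunk ends.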
@@ -808,21 +1178,18 @@ iwn_reset_rx_ring(struct iwn_softc *sc, 
 {
        int ntries;
 
-       iwn_mem_lock(sc);
-
-       IWN_WRITE(sc, IWN_RX_CONFIG, 0);
-       for (ntries = 0; ntries < 100; ntries++) {
-               if (IWN_READ(sc, IWN_RX_STATUS) & IWN_RX_IDLE)
-                       break;
-               DELAY(10);
+       if (iwn_nic_lock(sc) == 0) {
+               IWN_WRITE(sc, IWN_FH_RX_CONFIG, 0);
+               for (ntries = 0; ntries < 1000; ntries++) {
+                       if (IWN_READ(sc, IWN_FH_RX_STATUS) &
+                           IWN_FH_RX_STATUS_IDLE)
+                               break;
+                       DELAY(10);
+               }
+               iwn_nic_unlock(sc);
        }
-#ifdef IWN_DEBUG
-       if (ntries == 100 && iwn_debug > 0)
-               aprint_error_dev(sc->sc_dev, "timeout resetting Rx ring\n");
-#endif
-       iwn_mem_unlock(sc);
-
        ring->cur = 0;
+       sc->last_rx_valid = 0;
 }
 
 static void
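Review bot: When `iwn_nic_lock(sc)` fails in `iwn_reset_rx_ring`, the RX DMA channel is never told to stop, yet the function still resets `ring->cur` and returns without any diagnostic; the `IWN_DEBUG` message for an idle-poll timeout was removed as well. `iwn_reset_tx_ring` in a later hunk has the same shape and then unloads the DMA maps and frees the mbufs, so a device that was not quiesced could, as far as these hunks show, still be transferring from buffers that have been released. Both functions return void, so at least log the failure, e.g. `else aprint_error_dev(sc->sc_dev, "could not lock NIC; RX DMA not stopped\n");`. In the TX case, consider skipping the unload/free when the channel never reported idle.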
@@ -831,6 +1198,7 @@ iwn_free_rx_ring(struct iwn_softc *sc, s
        int i;
 
        iwn_dma_contig_free(&ring->desc_dma);
+       iwn_dma_contig_free(&ring->stat_dma);
 
        for (i = 0; i < IWN_RX_RING_COUNT; i++) {
                if (ring->data[i].m != NULL)
@@ -842,53 +1210,59 @@ static int
 iwn_alloc_tx_ring(struct iwn_softc *sc, struct iwn_tx_ring *ring, int count,
     int qid)
 {
+       bus_addr_t paddr;
        struct iwn_tx_data *data;
-       int i, error;
-       void *p;
+       int i, error, size;
 
        ring->qid = qid;
        ring->count = count;
        ring->queued = 0;
        ring->cur = 0;
 
+       /* Allocate TX descriptors (256-byte aligned.) */
+       size = count * sizeof (struct iwn_tx_desc);
        error = iwn_dma_contig_alloc(sc->sc_dmat, &ring->desc_dma,
-           &p, count * sizeof (struct iwn_tx_desc),
-           IWN_RING_DMA_ALIGN, BUS_DMA_NOWAIT);
+           (void **)&ring->desc, size, 256, BUS_DMA_NOWAIT);
        if (error != 0) {
-               aprint_error_dev(sc->sc_dev, "could not allocate tx ring DMA 
memory\n");
+               aprint_error_dev(sc->sc_dev,
+                   "could not allocate TX ring DMA memory\n");
                goto fail;
        }
-       ring->desc = p;
+       /*
+        * We only use rings 0 through 4 (4 EDCA + cmd) so there is no need
+        * to allocate commands space for other rings.
+        * XXX Do we really need to allocate descriptors for other rings?
+        */
+       if (qid > 4)
+               return 0;
 
+       size = count * sizeof (struct iwn_tx_cmd);
        error = iwn_dma_contig_alloc(sc->sc_dmat, &ring->cmd_dma,
-           &p, count * sizeof (struct iwn_tx_cmd), 4, BUS_DMA_NOWAIT);
+           (void **)&ring->cmd, size, 4, BUS_DMA_NOWAIT);
        if (error != 0) {
-               aprint_error_dev(sc->sc_dev, "could not allocate tx cmd DMA 
memory\n");
-               goto fail;
-       }
-       ring->cmd = p;
-
-       ring->data = malloc(count * sizeof (struct iwn_tx_data), M_DEVBUF, 
M_NOWAIT);
-
-       if (ring->data == NULL) {
-               aprint_error_dev(sc->sc_dev,"could not allocate tx data 
slots\n");
+               aprint_error_dev(sc->sc_dev,
+                   "could not allocate TX cmd DMA memory\n");
                goto fail;
        }
 
-       memset(ring->data, 0, count * sizeof (struct iwn_tx_data));
+       paddr = ring->cmd_dma.paddr;
 
        for (i = 0; i < count; i++) {
                data = &ring->data[i];
 
+               data->cmd_paddr = paddr;
+               data->scratch_paddr = paddr + 12;
+               paddr += sizeof (struct iwn_tx_cmd);
+
                error = bus_dmamap_create(sc->sc_dmat, MCLBYTES,
                    IWN_MAX_SCATTER - 1, MCLBYTES, 0, BUS_DMA_NOWAIT,
                    &data->map);
                if (error != 0) {
-                       aprint_error_dev(sc->sc_dev, "could not create tx buf 
DMA map\n");
+                       aprint_error_dev(sc->sc_dev,
+                           "could not create TX buf DMA map\n");
                        goto fail;
                }
        }
-
        return 0;
 
 fail:  iwn_free_tx_ring(sc, ring);
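Review bot: The `malloc` of `ring->data` is removed from `iwn_alloc_tx_ring`, yet the loop below still indexes `ring->data[i]` and the context lines of the later `iwn_free_tx_ring` hunk still call `free(ring->data, M_DEVBUF)`. If `data` has become an array embedded in the ring structure (its declaration is not visible here), that `free` is handed memory the allocator never returned and should be dropped. If it is still a pointer, nothing allocates it any more and the loop writes through it uninitialised. The early `return 0` for `qid > 4` also leaves `data->map` uncreated for those rings, so the `data->map != NULL` test in the free path depends on the ring having been zeroed beforehand.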
@@ -902,32 +1276,33 @@ iwn_reset_tx_ring(struct iwn_softc *sc, 
        uint32_t tmp;
        int i, ntries;
 
-       iwn_mem_lock(sc);
-
-       IWN_WRITE(sc, IWN_TX_CONFIG(ring->qid), 0);
-       for (ntries = 0; ntries < 100; ntries++) {
-               tmp = IWN_READ(sc, IWN_TX_STATUS);
-               if ((tmp & IWN_TX_IDLE(ring->qid)) == IWN_TX_IDLE(ring->qid))
-                       break;
-               DELAY(10);
-       }
-#ifdef IWN_DEBUG
-       if (ntries == 100 && iwn_debug > 1) {
-               aprint_error_dev(sc->sc_dev, "timeout resetting Tx ring %d\n", 
ring->qid);
+       if (iwn_nic_lock(sc) == 0) {
+               IWN_WRITE(sc, IWN_FH_TX_CONFIG(ring->qid), 0);
+               for (ntries = 0; ntries < 200; ntries++) {
+                       tmp = IWN_READ(sc, IWN_FH_TX_STATUS);
+                       if ((tmp & IWN_FH_TX_STATUS_IDLE(ring->qid)) ==
+                           IWN_FH_TX_STATUS_IDLE(ring->qid))
+                               break;
+                       DELAY(10);
+               }
+               iwn_nic_unlock(sc);
        }
-#endif
-       iwn_mem_unlock(sc);
-
        for (i = 0; i < ring->count; i++) {
                data = &ring->data[i];
 
                if (data->m != NULL) {
+                       bus_dmamap_sync(sc->sc_dmat, data->map, 0,
+                           data->map->dm_mapsize, BUS_DMASYNC_POSTWRITE);
                        bus_dmamap_unload(sc->sc_dmat, data->map);
                        m_freem(data->m);
                        data->m = NULL;
                }
        }
-
+       /* Clear TX descriptors. */
+       memset(ring->desc, 0, ring->desc_dma.size);
+       bus_dmamap_sync(sc->sc_dmat, ring->desc_dma.map, 0,
+           ring->desc_dma.size, BUS_DMASYNC_PREWRITE);
+       sc->qfullmsk &= ~(1 << ring->qid);
        ring->queued = 0;
        ring->cur = 0;
 }
@@ -946,53 +1321,287 @@ iwn_free_tx_ring(struct iwn_softc *sc, s
                        data = &ring->data[i];
 
                        if (data->m != NULL) {
+                               bus_dmamap_sync(sc->sc_dmat, data->map, 0,
+                                   data->map->dm_mapsize, 
BUS_DMASYNC_POSTWRITE);
                                bus_dmamap_unload(sc->sc_dmat, data->map);
                                m_freem(data->m);
                        }
+                       if (data->map != NULL)
+                               bus_dmamap_destroy(sc->sc_dmat, data->map);
                }
                free(ring->data, M_DEVBUF);
        }
 }
 
-/*ARGUSED*/
-struct ieee80211_node *
-iwn_node_alloc(struct ieee80211_node_table *nt __unused)
+static int
+iwn_read_eeprom(struct iwn_softc *sc)
 {
-       struct iwn_node *wn;
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct ieee80211com *ic = &sc->sc_ic;
+       uint16_t val;
+       int error;
 
-       wn = malloc(sizeof (struct iwn_node), M_80211_NODE, M_NOWAIT | M_ZERO);
+       if ((IWN_READ(sc, IWN_EEPROM_GP) & 0x6) == 0) {
+               aprint_error_dev(sc->sc_dev, "bad EEPROM signature\n");
+               return EIO;
+       }
+       if ((error = iwn_eeprom_lock(sc)) != 0) {
+               aprint_error_dev(sc->sc_dev,
+                   "could not lock EEPROM (error=%d)\n", error);
+               return error;
+       }
 
-       return (struct ieee80211_node *)wn;
-}
+       iwn_read_prom_data(sc, IWN_EEPROM_RFCFG, &val, 2);
+       sc->rfcfg = le16toh(val);
+       DPRINTF(("radio config=0x%04x\n", sc->rfcfg));
 
-static void
-iwn_newassoc(struct ieee80211_node *ni, int isnew)
-{
-       struct iwn_softc *sc = ni->ni_ic->ic_ifp->if_softc;
-       int i;
+       /* Read MAC address. */
+       iwn_read_prom_data(sc, IWN_EEPROM_MAC, ic->ic_myaddr, 6);
 
-       ieee80211_amrr_node_init(&sc->amrr, &((struct iwn_node *)ni)->amn);
+       /* Read adapter-specific information from EEPROM. */
+       hal->read_eeprom(sc);
 
-       /* set rate to some reasonable initial value */
-       for (i = ni->ni_rates.rs_nrates - 1;
-            i > 0 && (ni->ni_rates.rs_rates[i] & IEEE80211_RATE_VAL) > 72;
-            i--);
-       ni->ni_txrate = i;
+       iwn_eeprom_unlock(sc);
+       return 0;
 }
 
-static int
-iwn_media_change(struct ifnet *ifp)
+static void
+iwn4965_read_eeprom(struct iwn_softc *sc)
 {
-       int error;
+       uint32_t addr;
+       uint16_t val;
+       int i;
 
-       error = ieee80211_media_change(ifp);
-       if (error != ENETRESET)
-               return error;
+       /* Read regulatory domain (4 ASCII characters.) */
+       iwn_read_prom_data(sc, IWN4965_EEPROM_DOMAIN, sc->eeprom_domain, 4);
 
-       if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) == (IFF_UP | IFF_RUNNING))
-               iwn_init(ifp);
+       /* Read the list of authorized channels (20MHz ones only.) */
+       for (i = 0; i < 5; i++) {
+               addr = iwn4965_regulatory_bands[i];
+               iwn_read_eeprom_channels(sc, i, addr);
+       }
 
-       return 0;
+       /* Read maximum allowed TX power for 2GHz and 5GHz bands. */
+       iwn_read_prom_data(sc, IWN4965_EEPROM_MAXPOW, &val, 2);
+       sc->maxpwr2GHz = val & 0xff;
+       sc->maxpwr5GHz = val >> 8;
+       /* Check that EEPROM values are within valid range. */
+       if (sc->maxpwr5GHz < 20 || sc->maxpwr5GHz > 50)
+               sc->maxpwr5GHz = 38;
+       if (sc->maxpwr2GHz < 20 || sc->maxpwr2GHz > 50)
+               sc->maxpwr2GHz = 38;
+       DPRINTF(("maxpwr 2GHz=%d 5GHz=%d\n", sc->maxpwr2GHz, sc->maxpwr5GHz));
+
+       /* Read samples for each TX power group. */
+       iwn_read_prom_data(sc, IWN4965_EEPROM_BANDS, sc->bands,
+           sizeof sc->bands);
+
+       /* Read voltage at which samples were taken. */
+       iwn_read_prom_data(sc, IWN4965_EEPROM_VOLTAGE, &val, 2);
+       sc->eeprom_voltage = (int16_t)le16toh(val);
+       DPRINTF(("voltage=%d (in 0.3V)\n", sc->eeprom_voltage));
+
+#ifdef IWN_DEBUG
+       /* Print samples. */
+       if (iwn_debug > 0) {
+               for (i = 0; i < IWN_NBANDS; i++)
+                       iwn4965_print_power_group(sc, i);
+       }
+#endif
+}
+
+#ifdef IWN_DEBUG
+static void
+iwn4965_print_power_group(struct iwn_softc *sc, int i)
+{
+       struct iwn4965_eeprom_band *band = &sc->bands[i];
+       struct iwn4965_eeprom_chan_samples *chans = band->chans;
+       int j, c;
+
+       printf("===band %d===\n", i);
+       printf("chan lo=%d, chan hi=%d\n", band->lo, band->hi);
+       printf("chan1 num=%d\n", chans[0].num);
+       for (c = 0; c < 2; c++) {
+               for (j = 0; j < IWN_NSAMPLES; j++) {
+                       printf("chain %d, sample %d: temp=%d gain=%d "
+                           "power=%d pa_det=%d\n", c, j,
+                           chans[0].samples[c][j].temp,
+                           chans[0].samples[c][j].gain,
+                           chans[0].samples[c][j].power,
+                           chans[0].samples[c][j].pa_det);
+               }
+       }
+       printf("chan2 num=%d\n", chans[1].num);
+       for (c = 0; c < 2; c++) {
+               for (j = 0; j < IWN_NSAMPLES; j++) {
+                       printf("chain %d, sample %d: temp=%d gain=%d "
+                           "power=%d pa_det=%d\n", c, j,
+                           chans[1].samples[c][j].temp,
+                           chans[1].samples[c][j].gain,
+                           chans[1].samples[c][j].power,
+                           chans[1].samples[c][j].pa_det);
+               }
+       }
+}
+#endif
+
+static void
+iwn5000_read_eeprom(struct iwn_softc *sc)
+{
+       int32_t temp, volt, delta;
+       uint32_t base, addr;
+       uint16_t val;
+       int i;
+
+       /* Read regulatory domain (4 ASCII characters.) */
+       iwn_read_prom_data(sc, IWN5000_EEPROM_REG, &val, 2);
+       base = le16toh(val);
+       iwn_read_prom_data(sc, base + IWN5000_EEPROM_DOMAIN,
+           sc->eeprom_domain, 4);
+
+       /* Read the list of authorized channels (20MHz ones only.) */
+       for (i = 0; i < 5; i++) {
+               addr = base + iwn5000_regulatory_bands[i];
+               iwn_read_eeprom_channels(sc, i, addr);
+       }
+
+       iwn_read_prom_data(sc, IWN5000_EEPROM_CAL, &val, 2);
+       base = le16toh(val);
+       if (sc->hw_type == IWN_HW_REV_TYPE_5150) {
+               /* Compute critical temperature (in Kelvin.) */
+               iwn_read_prom_data(sc, base + IWN5000_EEPROM_TEMP, &val, 2);
+               temp = le16toh(val);
+               iwn_read_prom_data(sc, base + IWN5000_EEPROM_VOLT, &val, 2);
+               volt = le16toh(val);
+               delta = temp - (volt / -5);
+               sc->critical_temp = (IWN_CTOK(110) - delta) * -5;
+               DPRINTF(("temp=%d volt=%d delta=%dK\n",
+                   temp, volt, delta));
+       } else {
+               /* Read crystal calibration. */
+               iwn_read_prom_data(sc, base + IWN5000_EEPROM_CRYSTAL,
+                   &sc->eeprom_crystal, sizeof (uint32_t));
+               DPRINTF(("crystal calibration 0x%08x\n",
+                   le32toh(sc->eeprom_crystal)));
+       }
+}
+
+static void
+iwn_read_eeprom_channels(struct iwn_softc *sc, int n, uint32_t addr)
+{
+       struct ieee80211com *ic = &sc->sc_ic;
+       const struct iwn_chan_band *band = &iwn_bands[n];
+       struct iwn_eeprom_chan channels[IWN_MAX_CHAN_PER_BAND];
+       uint8_t chan;
+       int i;
+
+       iwn_read_prom_data(sc, addr, channels,
+           band->nchan * sizeof (struct iwn_eeprom_chan));
+
+       for (i = 0; i < band->nchan; i++) {
+               if (!(channels[i].flags & IWN_EEPROM_CHAN_VALID))
+                       continue;
+
+               chan = band->chan[i];
+
+               if (n == 0) {   /* 2GHz band */
+                       ic->ic_channels[chan].ic_freq =
+                           ieee80211_ieee2mhz(chan, IEEE80211_CHAN_2GHZ);
+                       ic->ic_channels[chan].ic_flags =
+                           IEEE80211_CHAN_CCK | IEEE80211_CHAN_OFDM |
+                           IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
+
+               } else {        /* 5GHz band */
+                       /*
+                        * Some adapters support channels 7, 8, 11 and 12
+                        * both in the 2GHz and 4.9GHz bands.
+                        * Because of limitations in our net80211 layer,
+                        * we don't support them in the 4.9GHz band.
+                        */
+                       if (chan <= 14)
+                               continue;
+
+                       ic->ic_channels[chan].ic_freq =
+                           ieee80211_ieee2mhz(chan, IEEE80211_CHAN_5GHZ);
+                       ic->ic_channels[chan].ic_flags = IEEE80211_CHAN_A;
+                       /* We have at least one valid 5GHz channel. */
+                       sc->sc_flags |= IWN_FLAG_HAS_5GHZ;
+               }
+
+               /* Is active scan allowed on this channel? */
+               if (!(channels[i].flags & IWN_EEPROM_CHAN_ACTIVE)) {
+                       ic->ic_channels[chan].ic_flags |=
+                           IEEE80211_CHAN_PASSIVE;
+               }
+
+               /* Save maximum allowed TX power for this channel. */
+               sc->maxpwr[chan] = channels[i].maxpwr;
+
+               DPRINTF(("adding chan %d flags=0x%x maxpwr=%d\n",
+                   chan, channels[i].flags, sc->maxpwr[chan]));
+       }
+}
+
+/*ARGUSED*/
+static struct ieee80211_node *
+iwn_node_alloc(struct ieee80211_node_table *nt __unused)
+{
+       struct iwn_node *wn;
+
+       wn = malloc(sizeof (struct iwn_node), M_80211_NODE, M_NOWAIT | M_ZERO);
+       return (struct ieee80211_node *)wn;
+}
+
+static void
+iwn_newassoc(struct ieee80211_node *ni, int isnew)
+{
+       struct iwn_softc *sc = ni->ni_ic->ic_ifp->if_softc;
+       struct iwn_node *wn = (void *)ni;
+       uint8_t rate;
+       int ridx, i;
+
+       ieee80211_amrr_node_init(&sc->amrr, &wn->amn);
+
+       for (i = 0; i < ni->ni_rates.rs_nrates; i++) {
+               rate = ni->ni_rates.rs_rates[i] & IEEE80211_RATE_VAL;
+               /* Map 802.11 rate to HW rate index. */
+               for (ridx = 0; ridx <= IWN_RIDX_MAX; ridx++)
+                       if (iwn_rates[ridx].rate == rate)
+                               break;
+               wn->ridx[i] = ridx;
+               /* Initial TX rate <= 24Mbps. */
+               if (rate <= 48)
+                       ni->ni_txrate = i;
+       }
+}
+
+static int
+iwn_media_change(struct ifnet *ifp)
+{
+       struct iwn_softc *sc = ifp->if_softc;
+       struct ieee80211com *ic = &sc->sc_ic;
+       uint8_t rate, ridx;
+       int error;
+
+       error = ieee80211_media_change(ifp);
+       if (error != ENETRESET)
+               return error;
+
+       if (ic->ic_fixed_rate != -1) {
+               rate = ic->ic_sup_rates[ic->ic_curmode].
+                   rs_rates[ic->ic_fixed_rate] & IEEE80211_RATE_VAL;
+               /* Map 802.11 rate to HW rate index. */
+               for (ridx = 0; ridx <= IWN_RIDX_MAX; ridx++)
+                       if (iwn_rates[ridx].rate == rate)
+                               break;
+               sc->fixed_ridx = ridx;
+       }
+
+       if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) ==
+           (IFF_UP | IFF_RUNNING)) {
+               error = iwn_init(ifp);
+       }
+       return error;
 }
 
 static int
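Review bot: Every call to `iwn_read_prom_data` added in `iwn_read_eeprom`, `iwn4965_read_eeprom` and `iwn5000_read_eeprom` discards the return value, although that function returns `ETIMEDOUT` before storing anything; after a failed read `val` is uninitialised and flows into `sc->rfcfg`, the `base` offsets and the TX power limits. `iwn_read_eeprom` should propagate the error and still release the lock, e.g. `if ((error = iwn_read_prom_data(sc, IWN_EEPROM_RFCFG, &val, 2)) != 0) goto fail;` with `fail:` calling `iwn_eeprom_unlock(sc)`. Separately, in `iwn_newassoc` and `iwn_media_change` the rate lookup ends with `ridx == IWN_RIDX_MAX + 1` when no entry of `iwn_rates` matches, and that value is stored in `wn->ridx[i]` or `sc->fixed_ridx`. The rates in `ni->ni_rates` presumably originate from the peer, so an unmatched rate should be skipped or mapped to a valid index before it is stored. `iwn4965_read_eeprom` also splits `val` into the two power limits without the `le16toh` applied to the other 16-bit reads.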
@@ -1004,26 +1613,21 @@ iwn_newstate(struct ieee80211com *ic, en
 
        callout_stop(&sc->calib_to);
 
-       DPRINTF(("iwn_newstate: nstate = %d, ic->ic_state = %d\n", nstate,
-               ic->ic_state));
-
        switch (nstate) {
-
        case IEEE80211_S_SCAN:
-
                if (sc->is_scanning)
                        break;
-
+               
                sc->is_scanning = true;
                ieee80211_node_table_reset(&ic->ic_scan);
                ic->ic_flags |= IEEE80211_F_SCAN | IEEE80211_F_ASCAN;
 
-               /* make the link LED blink while we're scanning */
-               iwn_set_led(sc, IWN_LED_LINK, 20, 2);
+               /* Make the link LED blink while we're scanning. */
+               iwn_set_led(sc, IWN_LED_LINK, 10, 10);
 
-               if ((error = iwn_scan(sc, IEEE80211_CHAN_G)) != 0) {
-                       aprint_error_dev(sc->sc_dev, "could not initiate 
scan\n");
-                       ic->ic_flags &= ~(IEEE80211_F_SCAN | IEEE80211_F_ASCAN);
+               if ((error = iwn_scan(sc, IEEE80211_CHAN_2GHZ)) != 0) {
+                       aprint_error_dev(sc->sc_dev,
+                           "could not initiate scan\n");
                        return error;
                }
                ic->ic_state = nstate;
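Review bot: The failure path of `iwn_scan()` in the `IEEE80211_S_SCAN` case no longer undoes the scan state: the removed `ic->ic_flags &= ~(IEEE80211_F_SCAN | IEEE80211_F_ASCAN);` has no replacement, and `sc->is_scanning` is still true when `return error;` is taken. If nothing else resets them, a later transition to SCAN takes the `if (sc->is_scanning) break;` path and no new scan is started. I would keep the flag clearing and add `sc->is_scanning = false;` before `return error;`. The body of iwn_newstate starts and continues outside this hunk, so a reset elsewhere cannot be ruled out from here.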
@@ -1035,11 +1639,11 @@ iwn_newstate(struct ieee80211com *ic, en
                /* FALLTHROUGH */
        case IEEE80211_S_AUTH:
                /* cancel any active scan - it apparently breaks auth */
-               /*(void)iwn_cmd(sc, IWN_CMD_SCAN_ABORT, NULL, 0, 1);*/
+               /* (void)iwn_cmd(sc, IWN_CMD_SCAN_ABORT, NULL, 0, 1); */
 
                if ((error = iwn_auth(sc)) != 0) {
                        aprint_error_dev(sc->sc_dev,
-                                        "could not move to auth state\n");
+                           "could not move to auth state\n");
                        return error;
                }
                break;
@@ -1047,7 +1651,7 @@ iwn_newstate(struct ieee80211com *ic, en
        case IEEE80211_S_RUN:
                if ((error = iwn_run(sc)) != 0) {
                        aprint_error_dev(sc->sc_dev,
-                                        "could not move to run state\n");
+                           "could not move to run state\n");
                        return error;
                }
                break;
@@ -1060,450 +1664,257 @@ iwn_newstate(struct ieee80211com *ic, en
        return sc->sc_newstate(ic, nstate, arg);
 }
 
-/*
- * Grab exclusive access to NIC memory.
- */
 static void
-iwn_mem_lock(struct iwn_softc *sc)
+iwn_iter_func(void *arg, struct ieee80211_node *ni)
 {
-       uint32_t tmp;
-       int ntries;
-
-       tmp = IWN_READ(sc, IWN_GPIO_CTL);
-       IWN_WRITE(sc, IWN_GPIO_CTL, tmp | IWN_GPIO_MAC);
+       struct iwn_softc *sc = arg;
+       struct iwn_node *wn = (struct iwn_node *)ni;
 
-       /* spin until we actually get the lock */
-       for (ntries = 0; ntries < 1000; ntries++) {
-               if ((IWN_READ(sc, IWN_GPIO_CTL) &
-                       (IWN_GPIO_CLOCK | IWN_GPIO_SLEEP)) == IWN_GPIO_CLOCK)
-                       break;
-               DELAY(10);
-       }
-       if (ntries == 1000)
-               aprint_error_dev(sc->sc_dev, "could not lock memory\n");
+       ieee80211_amrr_choose(&sc->amrr, ni, &wn->amn);
 }
 
-/*
- * Release lock on NIC memory.
- */
 static void
-iwn_mem_unlock(struct iwn_softc *sc)
-{
-       uint32_t tmp = IWN_READ(sc, IWN_GPIO_CTL);
-       IWN_WRITE(sc, IWN_GPIO_CTL, tmp & ~IWN_GPIO_MAC);
-}
-
-static uint32_t
-iwn_mem_read(struct iwn_softc *sc, uint32_t addr)
+iwn_calib_timeout(void *arg)
 {
-       IWN_WRITE(sc, IWN_READ_MEM_ADDR, IWN_MEM_4 | addr);
-       return IWN_READ(sc, IWN_READ_MEM_DATA);
-}
+       struct iwn_softc *sc = arg;
+       struct ieee80211com *ic = &sc->sc_ic;
+       int s;
 
-static void
-iwn_mem_write(struct iwn_softc *sc, uint32_t addr, uint32_t data)
-{
-       IWN_WRITE(sc, IWN_WRITE_MEM_ADDR, IWN_MEM_4 | addr);
-       IWN_WRITE(sc, IWN_WRITE_MEM_DATA, data);
-}
+       if (ic->ic_fixed_rate == -1) {
+               s = splnet();
+               if (ic->ic_opmode == IEEE80211_M_STA)
+                       iwn_iter_func(sc, ic->ic_bss);
+               else
+                       ieee80211_iterate_nodes(&ic->ic_sta, iwn_iter_func, sc);
+               splx(s);
+       }
+       /* Force automatic TX power calibration every 60 secs. */
+       if (++sc->calib_cnt >= 120) {
+               uint32_t flags = 0;
 
-static void
-iwn_mem_write_region_4(struct iwn_softc *sc, uint32_t addr,
-    const uint32_t *data, int wlen)
-{
-       for (; wlen > 0; wlen--, data++, addr += 4)
-               iwn_mem_write(sc, addr, *data);
+               DPRINTF(("sending request for statistics\n"));
+               (void)iwn_cmd(sc, IWN_CMD_GET_STATISTICS, &flags,
+                   sizeof flags, 1);
+               sc->calib_cnt = 0;
+       }
+       /* Automatic rate control triggered every 500ms. */
+       callout_schedule(&sc->calib_to, hz/2);
 }
 
+#if 0
 static int
-iwn_eeprom_lock(struct iwn_softc *sc)
+iwn_ccmp_decap(struct iwn_softc *sc, struct mbuf *m, struct ieee80211_key *k)
 {
-       uint32_t tmp;
-       int ntries;
+       struct ieee80211_frame *wh;
+       uint64_t pn, *prsc;
+       uint8_t *ivp;
+       uint8_t tid;
+       int hdrlen;
 
-       tmp = IWN_READ(sc, IWN_HWCONFIG);
-       IWN_WRITE(sc, IWN_HWCONFIG, tmp | IWN_HW_EEPROM_LOCKED);
+       wh = mtod(m, struct ieee80211_frame *);
+       hdrlen = ieee80211_get_hdrlen(wh);
+       ivp = (uint8_t *)wh + hdrlen;
 
-       /* spin until we actually get the lock */
-       for (ntries = 0; ntries < 100; ntries++) {
-               if (IWN_READ(sc, IWN_HWCONFIG) & IWN_HW_EEPROM_LOCKED)
-                       return 0;
-               DELAY(10);
+       /* Check that ExtIV bit is be set. */
+       if (!(ivp[3] & IEEE80211_WEP_EXTIV)) {
+               DPRINTF(("CCMP decap ExtIV not set\n"));
+               return 1;
        }
-       return ETIMEDOUT;
-}
+       tid = ieee80211_has_qos(wh) ?
+           ieee80211_get_qos(wh) & IEEE80211_QOS_TID : 0;
+       prsc = &k->k_rsc[tid];
+
+       /* Extract the 48-bit PN from the CCMP header. */
+       pn = (uint64_t)ivp[0]       |
+            (uint64_t)ivp[1] <<  8 |
+            (uint64_t)ivp[4] << 16 |
+            (uint64_t)ivp[5] << 24 |
+            (uint64_t)ivp[6] << 32 |
+            (uint64_t)ivp[7] << 40;
+       if (pn <= *prsc) {
+               /*
+                * Not necessarily a replayed frame since we did not check
+                * the sequence number of the 802.11 header yet.
+                */
+               DPRINTF(("CCMP replayed\n"));
+               return 1;
+       }
+       /* Update last seen packet number. */
+       *prsc = pn;
 
-static void
-iwn_eeprom_unlock(struct iwn_softc *sc)
-{
-       uint32_t tmp = IWN_READ(sc, IWN_HWCONFIG);
-       IWN_WRITE(sc, IWN_HWCONFIG, tmp & ~IWN_HW_EEPROM_LOCKED);
+       /* Clear Protected bit and strip IV. */
+       wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
+       ovbcopy(wh, mtod(m, char *) + IEEE80211_CCMP_HDRLEN, hdrlen);
+       m_adj(m, IEEE80211_CCMP_HDRLEN);
+       /* Strip MIC. */
+       m_adj(m, -IEEE80211_CCMP_MICLEN);
+       return 0;
 }
+#endif
 
 /*
- * Read `len' bytes from the EEPROM. We access the EEPROM through the MAC
- * instead of using the traditional bit-bang method.
+ * Process an RX_PHY firmware notification.  This is usually immediately
+ * followed by an MPDU_RX_DONE notification.
  */
-static int
-iwn_read_prom_data(struct iwn_softc *sc, uint32_t addr, void *data, int len)
+void
+iwn_rx_phy(struct iwn_softc *sc, struct iwn_rx_desc *desc)
 {
-       uint8_t *out = data;
-       uint32_t val;
-       int ntries;
+       struct iwn_rx_stat *stat = (struct iwn_rx_stat *)(desc + 1);
 
-       iwn_mem_lock(sc);
-       for (; len > 0; len -= 2, addr++) {
-               IWN_WRITE(sc, IWN_EEPROM_CTL, addr << 2);
-               IWN_WRITE(sc, IWN_EEPROM_CTL,
-                   IWN_READ(sc, IWN_EEPROM_CTL) & ~IWN_EEPROM_CMD);
-
-               for (ntries = 0; ntries < 10; ntries++) {
-                       if ((val = IWN_READ(sc, IWN_EEPROM_CTL)) &
-                           IWN_EEPROM_READY)
-                               break;
-                       DELAY(5);
-               }
-               if (ntries == 10) {
-                       aprint_error_dev(sc->sc_dev, "could not read EEPROM\n");
-                       return ETIMEDOUT;
-               }
-               *out++ = val >> 16;
-               if (len > 1)
-                       *out++ = val >> 24;
-       }
-       iwn_mem_unlock(sc);
+       DPRINTFN(2, ("received PHY stats\n"));
+       bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+           (vaddr_t)stat - (vaddr_t)sc->rxq.buf_dma.vaddr, sizeof (*stat),
+           BUS_DMASYNC_POSTREAD);
 
-       return 0;
+       /* Save RX statistics, they will be used on MPDU_RX_DONE. */
+       memcpy(&sc->last_rx_stat, stat, sizeof (*stat));
+       sc->last_rx_valid = 1;
 }
 
 /*
- * The firmware boot code is small and is intended to be copied directly into
- * the NIC internal memory.
+ * Process an RX_DONE (4965AGN only) or MPDU_RX_DONE firmware notification.
+ * Each MPDU_RX_DONE notification must be preceded by an RX_PHY one.
  */
-static int
-iwn_load_microcode(struct iwn_softc *sc, const uint8_t *ucode, int size)
+void
+iwn_rx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc,
+    struct iwn_rx_data *data)
 {
-       int ntries;
-
-       size /= sizeof (uint32_t);
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct ieee80211com *ic = &sc->sc_ic;
+       struct ifnet *ifp = ic->ic_ifp;
+       struct iwn_rx_ring *ring = &sc->rxq;
+       struct iwn_rbuf *rbuf;
+       struct ieee80211_frame *wh;
+       struct ieee80211_node *ni;
+       struct mbuf *m, *m1;
+       struct iwn_rx_stat *stat;
+       char * head;
+       uint32_t flags;
+       int len, rssi;
 
-       iwn_mem_lock(sc);
+       if (desc->type == IWN_MPDU_RX_DONE) {
+               /* Check for prior RX_PHY notification. */
+               if (!sc->last_rx_valid) {
+                       DPRINTF(("missing RX_PHY\n"));
+                       ifp->if_ierrors++;
+                       return;
+               }
+               sc->last_rx_valid = 0;
+               stat = &sc->last_rx_stat;
+       } else
+               stat = (struct iwn_rx_stat *)(desc + 1);
 
-       /* copy microcode image into NIC memory */
-       iwn_mem_write_region_4(sc, IWN_MEM_UCODE_BASE,
-           (const uint32_t *)ucode, size);
+       bus_dmamap_sync(sc->sc_dmat, ring->buf_dma.map,
+           (vaddr_t)(desc + 1) - (vaddr_t)ring->buf_dma.vaddr, IWN_RBUF_SIZE,
+           BUS_DMASYNC_POSTREAD);
 
-       iwn_mem_write(sc, IWN_MEM_UCODE_SRC, 0);
-       iwn_mem_write(sc, IWN_MEM_UCODE_DST, IWN_FW_TEXT);
-       iwn_mem_write(sc, IWN_MEM_UCODE_SIZE, size);
+       if (stat->cfg_phy_len > IWN_STAT_MAXLEN) {
+               aprint_error_dev(sc->sc_dev, "invalid RX statistic header\n");
+               ifp->if_ierrors++;
+               return;
+       }
+       if (desc->type == IWN_MPDU_RX_DONE) {
+               struct iwn_rx_mpdu *mpdu =
+                   (struct iwn_rx_mpdu *)(desc + 1);
+               head = (char *)(mpdu + 1);
+               len = le16toh(mpdu->len);
+       } else {
+               head = (char *)(stat + 1) + stat->cfg_phy_len;
+               len = le16toh(stat->len);
+       }
 
-       /* run microcode */
-       iwn_mem_write(sc, IWN_MEM_UCODE_CTL, IWN_UC_RUN);
+       flags = le32toh(*(uint32_t *)(head + len));
 
-       /* wait for transfer to complete */
-       for (ntries = 0; ntries < 1000; ntries++) {
-               if (!(iwn_mem_read(sc, IWN_MEM_UCODE_CTL) & IWN_UC_RUN))
-                       break;
-               DELAY(10);
+       /* Discard frames with a bad FCS early. */
+       if ((flags & IWN_RX_NOERROR) != IWN_RX_NOERROR) {
+               DPRINTFN(2, ("RX flags error %x\n", flags));
+               ifp->if_ierrors++;
+               return;
        }
-       if (ntries == 1000) {
-               iwn_mem_unlock(sc);
-               aprint_error_dev(sc->sc_dev, "could not load boot firmware\n");
-               return ETIMEDOUT;
+       /* Discard frames that are too short. */
+       if (len < sizeof (struct ieee80211_frame)) {
+               DPRINTF(("frame too short: %d\n", len));
+               ic->ic_stats.is_rx_tooshort++;
+               ifp->if_ierrors++;
+               return;
        }
-       iwn_mem_write(sc, IWN_MEM_UCODE_CTL, IWN_UC_ENABLE);
 
-       iwn_mem_unlock(sc);
+       m = data->m;
 
-       return 0;
-}
-
-static int
-iwn_load_firmware(struct iwn_softc *sc)
-{
-       struct iwn_dma_info *dma = &sc->fw_dma;
-       struct iwn_firmware_hdr hdr;
-       const uint8_t *init_text, *init_data, *main_text, *main_data;
-       const uint8_t *boot_text;
-       uint32_t init_textsz, init_datasz, main_textsz, main_datasz;
-       uint32_t boot_textsz;
-       firmware_handle_t fw;
-       u_char *dfw;
-       size_t size;
-       int error;
-
-       /* load firmware image from disk */
-       if ((error = firmware_open("if_iwn","iwlwifi-4965-1.ucode", &fw)) != 0) 
{
-               aprint_error_dev(sc->sc_dev, "could not read firmware file\n");
-               goto fail1;
-       }
-
-       size = firmware_get_size(fw);
-
-       /* extract firmware header information */
-       if (size < sizeof (struct iwn_firmware_hdr)) {
-               aprint_error_dev(sc->sc_dev, "truncated firmware header: %zu 
bytes\n", size);
-
-               error = EINVAL;
-               goto fail2;
-       }
-
-
-       if ((error = firmware_read(fw, 0, &hdr,
-                   sizeof (struct iwn_firmware_hdr))) != 0) {
-               aprint_error_dev(sc->sc_dev, "can't get firmware header\n");
-               goto fail2;
-       }
-
-       main_textsz = le32toh(hdr.main_textsz);
-       main_datasz = le32toh(hdr.main_datasz);
-       init_textsz = le32toh(hdr.init_textsz);
-       init_datasz = le32toh(hdr.init_datasz);
-       boot_textsz = le32toh(hdr.boot_textsz);
-
-       /* sanity-check firmware segments sizes */
-       if (main_textsz > IWN_FW_MAIN_TEXT_MAXSZ ||
-           main_datasz > IWN_FW_MAIN_DATA_MAXSZ ||
-           init_textsz > IWN_FW_INIT_TEXT_MAXSZ ||
-           init_datasz > IWN_FW_INIT_DATA_MAXSZ ||
-           boot_textsz > IWN_FW_BOOT_TEXT_MAXSZ ||
-           (boot_textsz & 3) != 0) {
-               aprint_error_dev(sc->sc_dev, "invalid firmware header\n");
-               error = EINVAL;
-               goto fail2;
-       }
-
-       /* check that all firmware segments are present */
-       if (size < sizeof (struct iwn_firmware_hdr) + main_textsz +
-           main_datasz + init_textsz + init_datasz + boot_textsz) {
-               aprint_error_dev(sc->sc_dev, "firmware file too short: %zu 
bytes\n", size);
-               error = EINVAL;
-               goto fail2;
-       }
-
-       dfw = firmware_malloc(size);
-       if (dfw == NULL) {
-               aprint_error_dev(sc->sc_dev, "not enough memory to stock 
firmware\n");
-               error = ENOMEM;
-               goto fail2;
-       }
-
-       if ((error = firmware_read(fw, 0, dfw, size)) != 0) {
-               aprint_error_dev(sc->sc_dev, "can't get firmware\n");
-               goto fail2;
-       }
-
-       /* get pointers to firmware segments */
-       main_text = dfw + sizeof (struct iwn_firmware_hdr);
-       main_data = main_text + main_textsz;
-       init_text = main_data + main_datasz;
-       init_data = init_text + init_textsz;
-       boot_text = init_data + init_datasz;
-
-       /* copy initialization images into pre-allocated DMA-safe memory */
-       memcpy(dma->vaddr, init_data, init_datasz);
-       memcpy((char *)dma->vaddr + IWN_FW_INIT_DATA_MAXSZ, init_text, 
init_textsz);
-
-       /* tell adapter where to find initialization images */
-       iwn_mem_lock(sc);
-       iwn_mem_write(sc, IWN_MEM_DATA_BASE, dma->paddr >> 4);
-       iwn_mem_write(sc, IWN_MEM_DATA_SIZE, init_datasz);
-       iwn_mem_write(sc, IWN_MEM_TEXT_BASE,
-           (dma->paddr + IWN_FW_INIT_DATA_MAXSZ) >> 4);
-       iwn_mem_write(sc, IWN_MEM_TEXT_SIZE, init_textsz);
-       iwn_mem_unlock(sc);
-
-       /* load firmware boot code */
-       if ((error = iwn_load_microcode(sc, boot_text, boot_textsz)) != 0) {
-               aprint_error_dev(sc->sc_dev, "could not load boot firmware\n");
-               goto fail3;
-       }
-
-       /* now press "execute" ;-) */
-       IWN_WRITE(sc, IWN_RESET, 0);
-
-       /* ..and wait at most one second for adapter to initialize */
-       if ((error = tsleep(sc, PCATCH, "iwninit", hz)) != 0) {
-               /* this isn't what was supposed to happen.. */
-               aprint_error_dev(sc->sc_dev, "timeout waiting for adapter to 
initialize\n");
-       }
-
-       /* copy runtime images into pre-allocated DMA-safe memory */
-       memcpy((char *)dma->vaddr, main_data, main_datasz);
-       memcpy((char *)dma->vaddr + IWN_FW_MAIN_DATA_MAXSZ, main_text, 
main_textsz);
-
-       /* tell adapter where to find runtime images */
-       iwn_mem_lock(sc);
-       iwn_mem_write(sc, IWN_MEM_DATA_BASE, dma->paddr >> 4);
-       iwn_mem_write(sc, IWN_MEM_DATA_SIZE, main_datasz);
-       iwn_mem_write(sc, IWN_MEM_TEXT_BASE,
-           (dma->paddr + IWN_FW_MAIN_DATA_MAXSZ) >> 4);
-       iwn_mem_write(sc, IWN_MEM_TEXT_SIZE, IWN_FW_UPDATED | main_textsz);
-       iwn_mem_unlock(sc);
-
-       /* wait at most one second for second alive notification */
-       if ((error = tsleep(sc, PCATCH, "iwninit", hz)) != 0) {
-               /* this isn't what was supposed to happen.. */
-               aprint_error_dev(sc->sc_dev, "timeout waiting for adapter to 
initialize\n");
-       }
-
-fail3: firmware_free(dfw,size);
-fail2: firmware_close(fw);
-fail1: return error;
-}
-
-static void
-iwn_calib_timeout(void *arg)
-{
-       struct iwn_softc *sc = arg;
-       struct ieee80211com *ic = &sc->sc_ic;
-       int s;
-
-       /* automatic rate control triggered every 500ms */
-       if (ic->ic_fixed_rate == -1) {
-               s = splnet();
-               if (ic->ic_opmode == IEEE80211_M_STA)
-                       iwn_iter_func(sc, ic->ic_bss);
-               else
-                       ieee80211_iterate_nodes(&ic->ic_sta, iwn_iter_func, sc);
-               splx(s);
-       }
-
-       /* automatic calibration every 60s */
-       if (++sc->calib_cnt >= 120) {
-               DPRINTF(("sending request for statistics\n"));
-               (void)iwn_cmd(sc, IWN_CMD_GET_STATISTICS, NULL, 0, 1);
-               sc->calib_cnt = 0;
-       }
-
-       callout_schedule(&sc->calib_to, hz/2);
-
-}
-
-static void
-iwn_iter_func(void *arg, struct ieee80211_node *ni)
-{
-       struct iwn_softc *sc = arg;
-       struct iwn_node *wn = (struct iwn_node *)ni;
-
-       ieee80211_amrr_choose(&sc->amrr, ni, &wn->amn);
-}
-
-static void
-iwn_ampdu_rx_start(struct iwn_softc *sc, struct iwn_rx_desc *desc)
-{
-       struct iwn_rx_stat *stat;
-
-       DPRINTFN(2, ("received AMPDU stats\n"));
-       /* save Rx statistics, they will be used on IWN_AMPDU_RX_DONE */
-       stat = (struct iwn_rx_stat *)(desc + 1);
-       memcpy(&sc->last_rx_stat, stat, sizeof (*stat));
-       sc->last_rx_valid = 1;
-}
+       /* Finalize mbuf. */
+       m->m_pkthdr.rcvif = ifp;
+       m->m_data = head;
+       m->m_pkthdr.len = m->m_len = len;
 
-void
-iwn_rx_intr(struct iwn_softc *sc, struct iwn_rx_desc *desc,
-    struct iwn_rx_data *data)
-{
-       struct ieee80211com *ic = &sc->sc_ic;
-       struct ifnet *ifp = ic->ic_ifp;
-       struct iwn_rx_ring *ring = &sc->rxq;
-       struct iwn_rbuf *rbuf;
-       struct ieee80211_frame *wh;
-       struct ieee80211_node *ni;
-       struct mbuf *m, *mnew;
-       struct iwn_rx_stat *stat;
-       char *head;
-       uint32_t *tail;
-       int len, rssi;
+       /* Grab a reference to the source node. */
+       wh = mtod(m, struct ieee80211_frame *);
+       ni = ieee80211_find_rxnode(ic,(struct ieee80211_frame_min *)wh);
 
-       if (desc->type == IWN_AMPDU_RX_DONE) {
-               /* check for prior AMPDU_RX_START */
-               if (!sc->last_rx_valid) {
-                       DPRINTF(("missing AMPDU_RX_START\n"));
+#if 0
+       if ((wh->i_fc[1] & IEEE80211_FC1_PROTECTED) &&
+           !IEEE80211_IS_MULTICAST(wh->i_addr1) &&
+           (ni->ni_flags & IEEE80211_NODE_RXPROT) &&
+           ni->ni_pairwise_key.k_cipher == IEEE80211_CIPHER_CCMP) {
+               if ((flags & IWN_RX_CIPHER_MASK) != IWN_RX_CIPHER_CCMP) {
+                       ic->ic_stats.is_ccmp_dec_errs++;
                        ifp->if_ierrors++;
                        return;
                }
-               sc->last_rx_valid = 0;
-               stat = &sc->last_rx_stat;
-       } else
-               stat = (struct iwn_rx_stat *)(desc + 1);
-
-       if (stat->cfg_phy_len > IWN_STAT_MAXLEN) {
-               aprint_error_dev(sc->sc_dev, "invalid rx statistic header\n");
-               ifp->if_ierrors++;
-               return;
-       }
-
-       if (desc->type == IWN_AMPDU_RX_DONE) {
-               struct iwn_rx_ampdu *ampdu =
-                   (struct iwn_rx_ampdu *)(desc + 1);
-               head = (char *)(ampdu + 1);
-               len = le16toh(ampdu->len);
-       } else {
-               head = (char *)(stat + 1) + stat->cfg_phy_len;
-               len = le16toh(stat->len);
-       }
-
-       DPRINTF(("rx packet len %d\n", len));
-       /* discard Rx frames with bad CRC early */
-       tail = (uint32_t *)(head + len);
-       if ((le32toh(*tail) & IWN_RX_NOERROR) != IWN_RX_NOERROR) {
-               DPRINTFN(2, ("rx flags error %x\n", le32toh(*tail)));
-               ifp->if_ierrors++;
-               return;
-       }
-       /* XXX for ieee80211_find_rxnode() */
-       if (len < sizeof (struct ieee80211_frame)) {
-               DPRINTF(("frame too short: %d\n", len));
-               ic->ic_stats.is_rx_tooshort++;
-               ifp->if_ierrors++;
-               return;
+               /* Check whether decryption was successful or not. */
+               if ((desc->type == IWN_MPDU_RX_DONE &&
+                    (flags & (IWN_RX_MPDU_DEC | IWN_RX_MPDU_MIC_OK)) !=
+                     (IWN_RX_MPDU_DEC | IWN_RX_MPDU_MIC_OK)) ||
+                   (desc->type != IWN_MPDU_RX_DONE &&
+                    (flags & IWN_RX_DECRYPT_MASK) != IWN_RX_DECRYPT_OK)) {
+                       DPRINTF(("CCMP decryption failed 0x%x\n", flags));
+                       ic->ic_stats.is_ccmp_dec_errs++;
+                       ifp->if_ierrors++;
+                       return;
+               }
+               if (iwn_ccmp_decap(sc, m, &ni->ni_pairwise_key) != 0) {
+                       ifp->if_ierrors++;
+                       return;
+               }
+               rxi.rxi_flags |= IEEE80211_RXI_HWDEC;
        }
-
-       m = data->m;
-
-       /* finalize mbuf */
-       m->m_pkthdr.rcvif = ifp;
-       m->m_data = head;
-       m->m_pkthdr.len = m->m_len = len;
+#endif
 
        /*
         * See comment in if_wpi.c:wpi_rx_intr() about locking
         * nb_free_entries here.  In short:  it's not required.
         */
        if (sc->rxq.nb_free_entries > 0) {
-               MGETHDR(mnew, M_DONTWAIT, MT_DATA);
-               if (mnew == NULL) {
+               MGETHDR(m1, M_DONTWAIT, MT_DATA);
+               if (m1 == NULL) {
                        ic->ic_stats.is_rx_nobuf++;
                        ifp->if_ierrors++;
                        return;
                }
-
                rbuf = iwn_alloc_rbuf(sc);
-
-               /* attach Rx buffer to mbuf */
-               MEXTADD(mnew, rbuf->vaddr, IWN_RBUF_SIZE, 0, iwn_free_rbuf,
+               /* Attach RX buffer to mbuf header. */
+               MEXTADD(m1, rbuf->vaddr, IWN_RBUF_SIZE, 0, iwn_free_rbuf,
                    rbuf);
-               mnew->m_flags |= M_EXT_RW;
+               m1->m_flags |= M_EXT_RW;
 
-               data->m = mnew;
+               data->m = m1;
 
-               /* update Rx descriptor */
+               /* Update RX descriptor. */
                ring->desc[ring->cur] = htole32(rbuf->paddr >> 8);
+               bus_dmamap_sync(sc->sc_dmat, ring->desc_dma.map,
+                   ring->cur * sizeof (uint32_t), sizeof (uint32_t),
+                   BUS_DMASYNC_PREWRITE);
        } else {
-               /* no free rbufs, copy frame */
+               /* No free rbufs, copy frame into an mbuf. */
                m = m_dup(m, 0, M_COPYALL, M_DONTWAIT);
                if (m == NULL) {
-                       /* no free mbufs either, drop frame */
+                       /* No free mbufs either, drop frame. */
                        ic->ic_stats.is_rx_nobuf++;
                        ifp->if_ierrors++;
                        return;
                }
        }
 
-       rssi = iwn_get_rssi(stat);
-
+       rssi = hal->get_rssi(stat);
        if (ic->ic_state == IEEE80211_S_SCAN)
                iwn_fix_channel(ic, m);
 
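Review bot: In iwn_rx_done, `flags = le32toh(*(uint32_t *)(head + len));` dereferences an offset built from `len`, which is read from the device-written buffer (`mpdu->len` or `stat->len`) and has no upper bound; the only length check is the later lower bound against `sizeof (struct ieee80211_frame)`. A faulty or untrusted device or firmware can therefore make the driver read outside the receive buffer and pass an oversized `m_len` to the 802.11 layer. Add an upper bound before the read, e.g. `if (len > IWN_RBUF_SIZE - (int)(head - (char *)desc) - (int)sizeof (uint32_t)) { ifp->if_ierrors++; return; }` (this assumes `desc` sits at the start of the rbuf; adjust to the real buffer base). Separately, `ieee80211_find_rxnode()` is now called before the mbuf replacement, so the `return` paths taken when `MGETHDR` or `m_dup` fails leave without `ieee80211_free_node(ni)`. iwn_rx_done continues past the end of this hunk.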
@@ -1512,6 +1923,8 @@ iwn_rx_intr(struct iwn_softc *sc, struct
                struct iwn_rx_radiotap_header *tap = &sc->sc_rxtap;
 
                tap->wr_flags = 0;
+               if (stat->flags & htole16(IWN_STAT_FLAG_SHPREAMBLE))
+                       tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
                tap->wr_chan_freq =
                    htole16(ic->ic_channels[stat->chan].ic_freq);
                tap->wr_chan_flags =
@@ -1520,12 +1933,12 @@ iwn_rx_intr(struct iwn_softc *sc, struct
                tap->wr_dbm_antnoise = (int8_t)sc->noise;
                tap->wr_tsft = stat->tstamp;
                switch (stat->rate) {
-                       /* CCK rates */
+               /* CCK rates. */
                case  10: tap->wr_rate =   2; break;
                case  20: tap->wr_rate =   4; break;
                case  55: tap->wr_rate =  11; break;
                case 110: tap->wr_rate =  22; break;
-                       /* OFDM rates */
+               /* OFDM rates. */
                case 0xd: tap->wr_rate =  12; break;
                case 0xf: tap->wr_rate =  18; break;
                case 0x5: tap->wr_rate =  24; break;
@@ -1534,7 +1947,7 @@ iwn_rx_intr(struct iwn_softc *sc, struct
                case 0xb: tap->wr_rate =  72; break;
                case 0x1: tap->wr_rate =  96; break;
                case 0x3: tap->wr_rate = 108; break;
-                       /* unknown rate: should not happen */
+               /* Unknown rate: should not happen. */
                default:  tap->wr_rate =   0;
                }
 
@@ -1542,17 +1955,69 @@ iwn_rx_intr(struct iwn_softc *sc, struct
        }
 #endif
 
-       /* grab a reference to the source node */
-       wh = mtod(m, struct ieee80211_frame *);
-       ni = ieee80211_find_rxnode(ic,(struct ieee80211_frame_min *)wh);
-
-       /* send the frame to the 802.11 layer */
+       /* Send the frame to the 802.11 layer. */
        ieee80211_input(ic, m, ni, rssi, 0);
 
-       /* node is no longer needed */
+       /* Node is no longer needed. */
        ieee80211_free_node(ni);
 }
 
+/*
+ * Process a CALIBRATION_RESULT notification sent by the initialization
+ * firmware on response to a CMD_CALIB_CONFIG command (5000 only.)
+ */
+void
+iwn5000_rx_calib_results(struct iwn_softc *sc, struct iwn_rx_desc *desc)
+{
+       struct iwn_phy_calib *calib = (struct iwn_phy_calib *)(desc + 1);
+       int len, idx = -1;
+
+       /* Runtime firmware should not send such a notification. */
+       if (!(sc->sc_flags & IWN_FLAG_FIRST_BOOT))
+               return;
+
+       len = (le32toh(desc->len) & 0x3fff) - 4;
+       bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+           (vaddr_t)calib - (vaddr_t)sc->rxq.buf_dma.vaddr, len,
+           BUS_DMASYNC_POSTREAD);
+
+       switch (calib->code) {
+       case IWN5000_PHY_CALIB_DC:
+               if (sc->hw_type == IWN_HW_REV_TYPE_5150)
+                       idx = 0;
+               break;
+       case IWN5000_PHY_CALIB_LO:
+               idx = 1;
+               break;
+       case IWN5000_PHY_CALIB_TX_IQ:
+               idx = 2;
+               break;
+       case IWN5000_PHY_CALIB_TX_IQ_PERD:
+               if (sc->hw_type != IWN_HW_REV_TYPE_5150)
+                       idx = 3;
+               break;
+       case IWN5000_PHY_CALIB_BASE_BAND:
+               idx = 4;
+               break;
+       }
+       if (idx == -1)  /* Ignore other results. */
+               return;
+
+       /* Save calibration result. */
+       if (sc->calibcmd[idx].buf != NULL)
+               free(sc->calibcmd[idx].buf, M_DEVBUF);
+       sc->calibcmd[idx].buf = malloc(len, M_DEVBUF, M_NOWAIT);
+       if (sc->calibcmd[idx].buf == NULL) {
+               DPRINTF(("not enough memory for calibration result %d\n",
+                   calib->code));
+               return;
+       }
+       DPRINTF(("saving calibration result code=%d len=%d\n",
+           calib->code, len));
+       sc->calibcmd[idx].len = len;
+       memcpy(sc->calibcmd[idx].buf, calib, len);
+}
+
 
 /*
  * XXX: Hack to set the current channel to the value advertised in beacons or
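Review bot: In iwn5000_rx_calib_results, `len = (le32toh(desc->len) & 0x3fff) - 4;` comes from the device-written descriptor and is used unchecked as the size for `bus_dmamap_sync`, `malloc` and `memcpy`. A descriptor length below 4 makes `len` negative, which converts to a huge size in those calls, and a large value copies past the receive buffer; `calib->code` is also read without confirming the payload holds a full `struct iwn_phy_calib`. I would reject out-of-range values before the sync, e.g. `if (len < (int)sizeof (*calib) || len > IWN_RBUF_SIZE - (int)sizeof (*desc)) return;` (the upper bound assumes the notification occupies one rbuf starting at `desc`). When `malloc` fails, `sc->calibcmd[idx].buf` becomes NULL while `.len` keeps its previous value, so also set `sc->calibcmd[idx].len = 0;` on that path.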
@@ -1580,18 +2045,23 @@ iwn_fix_channel(struct ieee80211com *ic,
        frm = (uint8_t *)(wh + 1);
        efrm = mtod(m, uint8_t *) + m->m_len;
 
-       frm += 12;      /* skip tstamp, bintval and capinfo fields */
+       frm += 12;      /* skip tstamp, bintval and capinfo fields */
        while (frm < efrm) {
                if (*frm == IEEE80211_ELEMID_DSPARMS)
 #if IEEE80211_CHAN_MAX < 255
-                       if (frm[2] <= IEEE80211_CHAN_MAX)
+               if (frm[2] <= IEEE80211_CHAN_MAX)
 #endif
-                               ic->ic_curchan = &ic->ic_channels[frm[2]];
+                       ic->ic_curchan = &ic->ic_channels[frm[2]];
 
                frm += frm[1] + 2;
        }
 }
 
+
+/*
+ * Process an RX_STATISTICS or BEACON_STATISTICS firmware notification.
+ * The latter is sent by the firmware after each received beacon.
+ */
 static void
 iwn_rx_statistics(struct iwn_softc *sc, struct iwn_rx_desc *desc)
 {
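Review bot: The re-indented lines in iwn_fix_channel still read `frm[1]` and `frm[2]` from a received frame with only `frm < efrm` as a guard, so a truncated information element at the end of a beacon or probe response is read past `efrm`. A check at the top of the loop such as `if (efrm - frm < 2 || efrm - frm < 2 + frm[1]) break;`, plus requiring `frm[1] >= 1` before using `frm[2]`, would keep the walk inside the mbuf data. On style, the new indentation puts the inner `if (frm[2] <= IEEE80211_CHAN_MAX)` at the same level as the outer `if`, which hides the nesting; braces around the `IEEE80211_ELEMID_DSPARMS` body would make it explicit. The function starts outside this hunk, so any length checks made earlier in it are not visible here.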
@@ -1599,139 +2069,249 @@ iwn_rx_statistics(struct iwn_softc *sc, 
        struct iwn_calib_state *calib = &sc->calib;
        struct iwn_stats *stats = (struct iwn_stats *)(desc + 1);
 
-       /* ignore beacon statistics received during a scan */
+       /* Ignore statistics received during a scan. */
        if (ic->ic_state != IEEE80211_S_RUN)
                return;
 
+       bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+           (vaddr_t)stats - (vaddr_t)sc->rxq.buf_dma.vaddr, sizeof (*stats),
+           BUS_DMASYNC_POSTREAD);
+
        DPRINTFN(3, ("received statistics (cmd=%d)\n", desc->type));
-       sc->calib_cnt = 0;      /* reset timeout */
+       sc->calib_cnt = 0;      /* Reset TX power calibration timeout. */
 
-       /* test if temperature has changed */
+#if 0
+       /* Test if temperature has changed. */
        if (stats->general.temp != sc->rawtemp) {
-               int temp;
-
+               /* Convert "raw" temperature to degC. */
                sc->rawtemp = stats->general.temp;
-               temp = iwn_get_temperature(sc);
-               DPRINTFN(2, ("temperature=%d\n", temp));
+               temp = hal->get_temperature(sc);
+               DPRINTFN(2, ("temperature=%dC\n", temp));
 
-               /* update Tx power if need be */
-               iwn_power_calibration(sc, temp);
+               /* Update temperature sensor. */
+               sc->sensor.value = IWN_CTOMUK(temp);
+               sc->sensor.flags &= ~SENSOR_FINVALID;
+
+               /* Update TX power if need be (4965AGN only.) */
+               if (sc->hw_type == IWN_HW_REV_TYPE_4965)
+                       iwn4965_power_calibration(sc, temp);
        }
+#endif
 
        if (desc->type != IWN_BEACON_STATISTICS)
-               return; /* reply to a statistics request */
+               return; /* Reply to a statistics request. */
 
        sc->noise = iwn_get_noise(&stats->rx.general);
-       DPRINTFN(3, ("noise=%d\n", sc->noise));
 
-       /* test that RSSI and noise are present in stats report */
+       /* Test that RSSI and noise are present in stats report. */
        if (le32toh(stats->rx.general.flags) != 1) {
                DPRINTF(("received statistics without RSSI\n"));
                return;
        }
 
        if (calib->state == IWN_CALIB_STATE_ASSOC)
-               iwn_compute_differential_gain(sc, &stats->rx.general);
+               iwn_collect_noise(sc, &stats->rx.general);
        else if (calib->state == IWN_CALIB_STATE_RUN)
                iwn_tune_sensitivity(sc, &stats->rx);
 }
 
+/*
+ * Process a TX_DONE firmware notification.  Unfortunately, the 4965AGN
+ * and 5000 adapters have different incompatible TX status formats.
+ */
+static void
+iwn4965_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc)
+{
+       struct iwn4965_tx_stat *stat = (struct iwn4965_tx_stat *)(desc + 1);
+
+       bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+           (vaddr_t)stat - (vaddr_t)sc->rxq.buf_dma.vaddr, sizeof (*stat),
+           BUS_DMASYNC_POSTREAD);
+       iwn_tx_done(sc, desc, stat->retrycnt, le32toh(stat->status) & 0xff);
+}
+
+static void
+iwn5000_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc)
+{
+       struct iwn5000_tx_stat *stat = (struct iwn5000_tx_stat *)(desc + 1);
+
+       /* Reset TX scheduler slot. */
+       iwn5000_reset_sched(sc, desc->qid & 0xf, desc->idx);
+
+       bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+           (vaddr_t)stat - (vaddr_t)sc->rxq.buf_dma.vaddr, sizeof (*stat),
+           BUS_DMASYNC_POSTREAD);
+       iwn_tx_done(sc, desc, stat->retrycnt, le16toh(stat->status) & 0xff);
+}
+
+/*
+ * Adapter-independent backend for TX_DONE firmware notifications.
+ */
 static void
-iwn_tx_intr(struct iwn_softc *sc, struct iwn_rx_desc *desc)
+iwn_tx_done(struct iwn_softc *sc, struct iwn_rx_desc *desc, int retrycnt,
+    uint8_t status)
 {
        struct ifnet *ifp = sc->sc_ic.ic_ifp;
        struct iwn_tx_ring *ring = &sc->txq[desc->qid & 0xf];
-       struct iwn_tx_data *txdata = &ring->data[desc->idx];
-       struct iwn_tx_stat *stat = (struct iwn_tx_stat *)(desc + 1);
-       struct iwn_node *wn = (struct iwn_node *)txdata->ni;
-       uint32_t status;
-
-       DPRINTFN(4, ("tx done: qid=%d idx=%d retries=%d nkill=%d rate=%x "
-               "duration=%d status=%x\n", desc->qid, desc->idx, stat->ntries,
-               stat->nkill, stat->rate, le16toh(stat->duration),
-               le32toh(stat->status)));
+       struct iwn_tx_data *data = &ring->data[desc->idx];
+       struct iwn_node *wn = (struct iwn_node *)data->ni;
 
-       /*
-        * Update rate control statistics for the node.
-        */
+       /* Update rate control statistics. */
        wn->amn.amn_txcnt++;
-       if (stat->ntries > 0) {
-               DPRINTFN(3, ("tx intr ntries %d\n", stat->ntries));
+       if (retrycnt > 0)
                wn->amn.amn_retrycnt++;
-       }
 
-       status = le32toh(stat->status) & 0xff;
        if (status != 1 && status != 2)
                ifp->if_oerrors++;
        else
                ifp->if_opackets++;
 
-       bus_dmamap_unload(sc->sc_dmat, txdata->map);
-       m_freem(txdata->m);
-       txdata->m = NULL;
-       ieee80211_free_node(txdata->ni);
-       txdata->ni = NULL;
-
-       ring->queued--;
+       /* Unmap and free mbuf. */
+       bus_dmamap_sync(sc->sc_dmat, data->map, 0, data->map->dm_mapsize,
+           BUS_DMASYNC_POSTWRITE);
+       bus_dmamap_unload(sc->sc_dmat, data->map);
+       m_freem(data->m);
+       data->m = NULL;
+       ieee80211_free_node(data->ni);
+       data->ni = NULL;
 
        sc->sc_tx_timer = 0;
-       ifp->if_flags &= ~IFF_OACTIVE;
-       iwn_start(ifp);
+       if (--ring->queued < IWN_TX_RING_LOMARK) {
+               sc->qfullmsk &= ~(1 << ring->qid);
+               if (sc->qfullmsk == 0 && (ifp->if_flags & IFF_OACTIVE)) {
+                       ifp->if_flags &= ~IFF_OACTIVE;
+                       iwn_start(ifp);
+               }
+       }
 }
 
+/*
+ * Process a "command done" firmware notification.  This is where we wakeup
+ * processes waiting for a synchronous command completion.
+ */
 static void
-iwn_cmd_intr(struct iwn_softc *sc, struct iwn_rx_desc *desc)
+iwn_cmd_done(struct iwn_softc *sc, struct iwn_rx_desc *desc)
 {
        struct iwn_tx_ring *ring = &sc->txq[4];
        struct iwn_tx_data *data;
 
        if ((desc->qid & 0xf) != 4)
-               return; /* not a command ack */
+               return; /* Not a command ack. */
 
        data = &ring->data[desc->idx];
 
-       /* if the command was mapped in a mbuf, free it */
+       /* If the command was mapped in an mbuf, free it. */
        if (data->m != NULL) {
+               bus_dmamap_sync(sc->sc_dmat, data->map, 0,
+                   data->map->dm_mapsize, BUS_DMASYNC_POSTWRITE);
                bus_dmamap_unload(sc->sc_dmat, data->map);
                m_freem(data->m);
                data->m = NULL;
        }
+       wakeup(&ring->desc[desc->idx]);
+}
+
+static void
+iwn_microcode_ready(struct iwn_softc *sc, struct iwn_ucode_info *uc)
+{
 
-       wakeup(&ring->cmd[desc->idx]);
+       /* the microcontroller is ready */
+       DPRINTF(("microcode alive notification version=%d.%d "
+                "subtype=%x alive=%x\n", uc->major, uc->minor,
+                uc->subtype, le32toh(uc->valid)));
+
+       if (le32toh(uc->valid) != 1) {
+               aprint_error_dev(sc->sc_dev, "microcontroller initialization "
+                                "failed\n");
+               return;
+       }
+       if (uc->subtype == IWN_UCODE_INIT) {
+               /* save microcontroller's report */
+               memcpy(&sc->ucode_info, uc, sizeof (*uc));
+       }
+       /* Save the address of the error log in SRAM. */
+       sc->errptr = le32toh(uc->errptr);
 }
 
+/*
+ * Process an INT_FH_RX or INT_SW_RX interrupt.
+ */
 static void
 iwn_notif_intr(struct iwn_softc *sc)
 {
        struct ieee80211com *ic = &sc->sc_ic;
        struct ifnet *ifp = ic->ic_ifp;
+       struct iwn_rx_data *data;
+       struct iwn_rx_desc *desc;
        uint16_t hw;
 
-       hw = le16toh(sc->shared->closed_count);
+       bus_dmamap_sync(sc->sc_dmat, sc->rxq.stat_dma.map,
+           0, sc->rxq.stat_dma.size, BUS_DMASYNC_POSTREAD);
+
+       hw = le16toh(sc->rxq.stat->closed_count) & 0xfff;
+
+       /*
+        * If the radio is disabled then down the interface and stop
+        * processing - scan the queue for a microcode load command
+        * result.  It is the only thing that we can do with the radio
+        * off.
+        */
+       if (!sc->sc_radio) {
+               while (sc->rxq.cur != hw) {
+                       data = &sc->rxq.data[sc->rxq.cur];
+                       desc = (void *)data->m->m_ext.ext_buf;
+                       if (desc->type == IWN_UC_READY) {
+                               iwn_microcode_ready(sc,
+                                   (struct iwn_ucode_info *)(desc + 1));
+                       } else if (desc->type == IWN_STATE_CHANGED) {
+                               uint32_t *status = (uint32_t *)(desc + 1);
+
+                               /* enabled/disabled notification */
+                               DPRINTF(("state changed to %x\n",
+                                        le32toh(*status)));
+
+                               sc->sc_radio = !(le32toh(*status) & 1);
+                       }
+
+                       sc->rxq.cur = (sc->rxq.cur + 1) % IWN_RX_RING_COUNT;
+               }
+
+               if (!sc->sc_radio) {
+                       ifp->if_flags &= ~IFF_UP;
+                       iwn_stop(ifp, 1);
+               }
+
+               return;
+       }
+
        while (sc->rxq.cur != hw) {
-               struct iwn_rx_data *data = &sc->rxq.data[sc->rxq.cur];
-               struct iwn_rx_desc *desc = (void *)data->m->m_ext.ext_buf;
+               data = &sc->rxq.data[sc->rxq.cur];
+               desc = (void *)data->m->m_ext.ext_buf;
+
+               bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+                   (vaddr_t)desc - (vaddr_t)sc->rxq.buf_dma.vaddr, sizeof 
(*desc),
+                   BUS_DMASYNC_POSTREAD);
 
-               DPRINTFN(4,("rx notification qid=%x idx=%d flags=%x type=%d "
-                       "len=%d\n", desc->qid, desc->idx, desc->flags, 
desc->type,
-                       le32toh(desc->len)));
+               DPRINTFN(4, ("notification qid=%d idx=%d flags=%x type=%d\n",
+                   desc->qid & 0xf, desc->idx, desc->flags, desc->type));
 
-               if (!(desc->qid & 0x80))        /* reply to a command */
-                       iwn_cmd_intr(sc, desc);
+               if (!(desc->qid & 0x80))        /* Reply to a command. */
+                       iwn_cmd_done(sc, desc);
 
                switch (desc->type) {
-               case IWN_RX_DONE:
-               case IWN_AMPDU_RX_DONE:
-                       iwn_rx_intr(sc, desc, data);
+               case IWN_RX_PHY:
+                       iwn_rx_phy(sc, desc);
                        break;
 
-               case IWN_AMPDU_RX_START:
-                       iwn_ampdu_rx_start(sc, desc);
+               case IWN_RX_DONE:               /* 4965AGN only. */
+               case IWN_MPDU_RX_DONE:
+                       /* An 802.11 frame has been received. */
+                       iwn_rx_done(sc, desc, data);
                        break;
 
                case IWN_TX_DONE:
-                       /* a 802.11 frame has been transmitted */
-                       iwn_tx_intr(sc, desc);
+                       /* An 802.11 frame has been transmitted. */
+                       sc->sc_hal->tx_done(sc, desc);
                        break;
 
                case IWN_RX_STATISTICS:
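Review bot: The radio-off loop added to iwn_notif_intr reads `desc->type` and the `uint32_t` status word from the RX buffer without the `bus_dmamap_sync(..., BUS_DMASYNC_POSTREAD)` that the main loop below performs on each descriptor, and iwn_microcode_ready reads `uc` (the payload after the descriptor) without a sync in either path. The other notification handlers in this hunk sync their payload before touching it, so on a platform where the sync is not a no-op these two paths can act on stale data, including the `errptr` value saved for later use. Suggest syncing `sizeof (*desc)` at the top of the radio-off loop as the main loop does, and making `bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map, (vaddr_t)uc - (vaddr_t)sc->rxq.buf_dma.vaddr, sizeof (*uc), BUS_DMASYNC_POSTREAD);` the first statement of iwn_microcode_ready. The same applies to the IWN_UC_READY case in the following hunk; iwn_notif_intr continues past the end of this one.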
@@ -1743,53 +2323,47 @@ iwn_notif_intr(struct iwn_softc *sc)
                {
                        struct iwn_beacon_missed *miss =
                            (struct iwn_beacon_missed *)(desc + 1);
+
+                       bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+                           (vaddr_t)miss - (vaddr_t)sc->rxq.buf_dma.vaddr,
+                           sizeof (*miss), BUS_DMASYNC_POSTREAD);
                        /*
                         * If more than 5 consecutive beacons are missed,
                         * reinitialize the sensitivity state machine.
                         */
-                       DPRINTFN(2, ("beacons missed %d/%d\n",
-                               le32toh(miss->consecutive), 
le32toh(miss->total)));
+                       DPRINTF(("beacons missed %d/%d\n",
+                           le32toh(miss->consecutive), le32toh(miss->total)));
                        if (ic->ic_state == IEEE80211_S_RUN &&
                            le32toh(miss->consecutive) > 5)
                                (void)iwn_init_sensitivity(sc);
                        break;
                }
-
                case IWN_UC_READY:
                {
-                       struct iwn_ucode_info *uc =
-                           (struct iwn_ucode_info *)(desc + 1);
-
-                       /* the microcontroller is ready */
-                       DPRINTF(("microcode alive notification version=%d.%d "
-                               "subtype=%x alive=%x\n", uc->major, uc->minor,
-                               uc->subtype, le32toh(uc->valid)));
-
-                       if (le32toh(uc->valid) != 1) {
-                               aprint_error_dev(sc->sc_dev, "microcontroller 
initialization "
-                                   "failed\n");
-                               break;
-                       }
-                       if (uc->subtype == IWN_UCODE_INIT) {
-                               /* save microcontroller's report */
-                               memcpy(&sc->ucode_info, uc, sizeof (*uc));
-                       }
+                       iwn_microcode_ready(sc,
+                           (struct iwn_ucode_info *)(desc + 1));
                        break;
                }
                case IWN_STATE_CHANGED:
                {
                        uint32_t *status = (uint32_t *)(desc + 1);
 
-                       /* enabled/disabled notification */
+                       /* Enabled/disabled notification. */
+                       bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+                           (vaddr_t)status - (vaddr_t)sc->rxq.buf_dma.vaddr,
+                           sizeof (*status), BUS_DMASYNC_POSTREAD);
                        DPRINTF(("state changed to %x\n", le32toh(*status)));
 
+                       sc->sc_radio = !(le32toh(*status) & 1);
+
                        if (le32toh(*status) & 1) {
-                               /* the radio button has to be pushed */
-                               aprint_error_dev(sc->sc_dev, "Radio transmitter 
is off\n");
-                               /* turn the interface down */
+                               /* The radio button has to be pushed. */
+                               aprint_error_dev(sc->sc_dev,
+                                   "Radio transmitter is off\n");
+                               /* Turn the interface down. */
                                ifp->if_flags &= ~IFF_UP;
                                iwn_stop(ifp, 1);
-                               return; /* no further processing */
+                               return; /* No further processing. */
                        }
                        break;
                }
@@ -1798,10 +2372,13 @@ iwn_notif_intr(struct iwn_softc *sc)
                        struct iwn_start_scan *scan =
                            (struct iwn_start_scan *)(desc + 1);
 
+                       bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+                           (vaddr_t)scan - (vaddr_t)sc->rxq.buf_dma.vaddr,
+                           sizeof (*scan), BUS_DMASYNC_POSTREAD);
                        DPRINTFN(2, ("scanning channel %d status %x\n",
-                               scan->chan, le32toh(scan->status)));
+                           scan->chan, le32toh(scan->status)));
 
-                       /* fix current channel */
+                       /* Fix current channel. */
                        ic->ic_bss->ni_chan = &ic->ic_channels[scan->chan];
                        break;
                }
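Review bot: `ic->ic_channels[scan->chan]` is indexed with a channel number taken from the firmware notification with no range check, while iwn_fix_channel earlier in this patch guards the same array with `frm[2] <= IEEE80211_CHAN_MAX`. The type of `scan->chan` is not visible here, so whether it can exceed the table depends on IEEE80211_CHAN_MAX. Mirroring the existing guard, `if (scan->chan <= IEEE80211_CHAN_MAX)` under the same `#if IEEE80211_CHAN_MAX < 255`, keeps `ni_chan` from pointing outside the table if the firmware reports an unexpected value. The enclosing case block and iwn_notif_intr start and end outside this hunk.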
@@ -1810,173 +2387,305 @@ iwn_notif_intr(struct iwn_softc *sc)
                        struct iwn_stop_scan *scan =
                            (struct iwn_stop_scan *)(desc + 1);
 
+                       bus_dmamap_sync(sc->sc_dmat, sc->rxq.buf_dma.map,
+                           (vaddr_t)scan - (vaddr_t)sc->rxq.buf_dma.vaddr,
+                           sizeof (*scan), BUS_DMASYNC_POSTREAD);
                        DPRINTF(("scan finished nchan=%d status=%d chan=%d\n",
-                               scan->nchan, scan->status, scan->chan));
+                           scan->nchan, scan->status, scan->chan));
 
-                       if (scan->status == 1 && scan->chan <= 14) {
+                       if (scan->status == 1 && scan->chan <= 14 &&
+                           (sc->sc_flags & IWN_FLAG_HAS_5GHZ)) {
                                /*
-                                * We just finished scanning 802.11g channels,
-                                * start scanning 802.11a ones.
+                                * We just finished scanning 2GHz channels,
+                                * start scanning 5GHz ones.
                                 */
-                               if (iwn_scan(sc, IEEE80211_CHAN_A) == 0)
+                               if (iwn_scan(sc, IEEE80211_CHAN_5GHZ) == 0)
                                        break;
                        }
                        sc->is_scanning = false;
                        ieee80211_end_scan(ic);
                        break;
                }
+               case IWN5000_CALIBRATION_RESULT:
+                       iwn5000_rx_calib_results(sc, desc);
+                       break;
+
+               case IWN5000_CALIBRATION_DONE:
+                       wakeup(sc);
+                       break;
                }
 
                sc->rxq.cur = (sc->rxq.cur + 1) % IWN_RX_RING_COUNT;
        }
 
-       /* tell the firmware what we have processed */
+       /* Tell the firmware what we have processed. */
        hw = (hw == 0) ? IWN_RX_RING_COUNT - 1 : hw - 1;
-       IWN_WRITE(sc, IWN_RX_WIDX, hw & ~7);
+       IWN_WRITE(sc, IWN_FH_RX_WPTR, hw & ~7);
 }
 
-static int
-iwn_intr(void *arg)
+/*
+ * Process an INT_WAKEUP interrupt raised when the microcontroller wakes up
+ * from power-down sleep mode.
+ */
+static void
+iwn_wakeup_intr(struct iwn_softc *sc)
 {
-       struct iwn_softc *sc = arg;
-       struct ifnet *ifp = sc->sc_ic.ic_ifp;
-       uint32_t r1, r2;
+       int qid;
+
+       DPRINTF(("ucode wakeup from power-down sleep\n"));
+
+       /* Wakeup RX and TX rings. */
+       IWN_WRITE(sc, IWN_FH_RX_WPTR, sc->rxq.cur & ~7);
+       for (qid = 0; qid < 6; qid++) {
+               struct iwn_tx_ring *ring = &sc->txq[qid];
+               IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, qid << 8 | ring->cur);
+       }
+}
+
+/*
+ * Dump the error log of the firmware when a firmware panic occurs.  Although
+ * we can't debug the firmware because it is neither open source nor free, it
+ * can help us to identify certain classes of problems.
+ */
+void
+iwn_fatal_intr(struct iwn_softc *sc)
+{
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct iwn_fw_dump dump;
+       int i;
+
+       /* Check that the error log address is valid. */
+       if (sc->errptr < IWN_FW_DATA_BASE ||
+           sc->errptr + sizeof (dump) >
+           IWN_FW_DATA_BASE + hal->fw_data_maxsz) {
+               aprint_error_dev(sc->sc_dev,
+                   "bad firmware error log address 0x%08x\n", sc->errptr);
+               return;
+       }
+       if (iwn_nic_lock(sc) != 0) {
+               aprint_error_dev(sc->sc_dev,
+                   "could not read firmware error log\n");
+               return;
+       }
+       /* Read firmware error log from SRAM. */
+       iwn_mem_read_region_4(sc, sc->errptr, (uint32_t *)&dump,
+           sizeof (dump) / sizeof (uint32_t));
+       iwn_nic_unlock(sc);
+
+       if (dump.valid == 0) {
+               aprint_error_dev(sc->sc_dev, "firmware error log is empty\n");
+               return;
+       }
+       printf("firmware error log:\n");
+#if 0
+       printf("  error type      = \"%s\" (0x%08X)\n",
+           (dump.id < nitems(iwn_fw_errmsg)) ?
+               iwn_fw_errmsg[dump.id] : "UNKNOWN",
+           dump.id);
+#endif
+       printf("  program counter = 0x%08X\n", dump.pc);
+       printf("  source line     = 0x%08X\n", dump.src_line);
+       printf("  error data      = 0x%08X%08X\n",
+           dump.error_data[0], dump.error_data[1]);
+       printf("  branch link     = 0x%08X%08X\n",
+           dump.branch_link[0], dump.branch_link[1]);
+       printf("  interrupt link  = 0x%08X%08X\n",
+           dump.interrupt_link[0], dump.interrupt_link[1]);
+       printf("  time      = %u\n", dump.time[0]);
+
+       /* Dump driver status (TX and RX rings) while we're here. */
+       printf("driver status:\n");
+       for (i = 0; i < hal->ntxqs; i++) {
+               struct iwn_tx_ring *ring = &sc->txq[i];
+               printf("  tx ring %2d: qid=%-2d cur=%-3d queued=%-3d\n",
+                   i, ring->qid, ring->cur, ring->queued);
+       }
+       printf("  rx ring: cur=%d\n", sc->rxq.cur);
+       printf("  802.11 state %d\n", sc->sc_ic.ic_state);
+}
+
+static int
+iwn_intr(void *arg)
+{
+       struct iwn_softc *sc = arg;
+       struct ifnet *ifp = sc->sc_ic.ic_ifp;
+       uint32_t r1, r2;
 
-       /* disable interrupts */
+       /* Disable interrupts. */
        IWN_WRITE(sc, IWN_MASK, 0);
 
-       r1 = IWN_READ(sc, IWN_INTR);
-       r2 = IWN_READ(sc, IWN_INTR_STATUS);
+       r1 = IWN_READ(sc, IWN_INT);
+       r2 = IWN_READ(sc, IWN_FH_INT);
 
        if (r1 == 0 && r2 == 0) {
                if (ifp->if_flags & IFF_UP)
-                       IWN_WRITE(sc, IWN_MASK, IWN_INTR_MASK);
-               return 0;       /* not for us */
+                       IWN_WRITE(sc, IWN_MASK, IWN_INT_MASK);
+               return 0;       /* Interrupt not for us. */
        }
+       if (r1 == 0xffffffff || (r1 & 0xfffffff0) == 0xa5a5a5a0)
+               return 0;       /* Hardware gone! */
 
-       if (r1 == 0xffffffff)
-               return 0;       /* hardware gone */
+       /* Acknowledge interrupts. */
+       IWN_WRITE(sc, IWN_INT, r1);
+       IWN_WRITE(sc, IWN_FH_INT, r2);
 
-       /* ack interrupts */
-       IWN_WRITE(sc, IWN_INTR, r1);
-       IWN_WRITE(sc, IWN_INTR_STATUS, r2);
-
-       DPRINTFN(5, ("interrupt reg1=%x reg2=%x\n", r1, r2));
-
-       if (r1 & IWN_RF_TOGGLED) {
-               uint32_t tmp = IWN_READ(sc, IWN_GPIO_CTL);
+       if (r1 & IWN_INT_RF_TOGGLED) {
+               uint32_t tmp = IWN_READ(sc, IWN_GP_CNTRL);
                aprint_error_dev(sc->sc_dev, "RF switch: radio %s\n",
-                   (tmp & IWN_GPIO_RF_ENABLED) ? "enabled" : "disabled");
+                   (tmp & IWN_GP_CNTRL_RFKILL) ? "enabled" : "disabled");
+               sc->sc_radio = (tmp & IWN_GP_CNTRL_RFKILL);
        }
-       if (r1 & IWN_CT_REACHED) {
+       if (r1 & IWN_INT_CT_REACHED) {
                aprint_error_dev(sc->sc_dev, "critical temperature reached!\n");
+               /* XXX Reduce TX power? */
        }
-       if (r1 & (IWN_SW_ERROR | IWN_HW_ERROR)) {
+       if (r1 & (IWN_INT_SW_ERR | IWN_INT_HW_ERR)) {
                aprint_error_dev(sc->sc_dev, "fatal firmware error\n");
+               /* Dump firmware error log and stop. */
+               iwn_fatal_intr(sc);
                sc->sc_ic.ic_ifp->if_flags &= ~IFF_UP;
                iwn_stop(sc->sc_ic.ic_ifp, 1);
                return 1;
        }
-
-       if ((r1 & (IWN_RX_INTR | IWN_SW_RX_INTR)) ||
-           (r2 & IWN_RX_STATUS_INTR))
+       if ((r1 & (IWN_INT_FH_RX | IWN_INT_SW_RX)) ||
+           (r2 & IWN_FH_INT_RX))
                iwn_notif_intr(sc);
 
-       if (r1 & IWN_ALIVE_INTR)
-               wakeup(sc);
+       if ((r1 & IWN_INT_FH_TX) || (r2 & IWN_FH_INT_TX))
+               wakeup(sc);     /* FH DMA transfer completed. */
+
+       if (r1 & IWN_INT_ALIVE)
+               wakeup(sc);     /* Firmware is alive. */
 
-       /* re-enable interrupts */
+       if (r1 & IWN_INT_WAKEUP)
+               iwn_wakeup_intr(sc);
+
+       /* Re-enable interrupts. */
        if (ifp->if_flags & IFF_UP)
-               IWN_WRITE(sc, IWN_MASK, IWN_INTR_MASK);
+               IWN_WRITE(sc, IWN_MASK, IWN_INT_MASK);
 
        return 1;
 }
 
-static uint8_t
-iwn_plcp_signal(int rate)
+/*
+ * Update TX scheduler ring when transmitting an 802.11 frame (4965AGN and
+ * 5000 adapters use a slightly different format.)
+ */
+static void
+iwn4965_update_sched(struct iwn_softc *sc, int qid, int idx, uint8_t id,
+    uint16_t len)
+{
+       uint16_t *w = &sc->sched[qid * IWN4965_SCHED_COUNT + idx];
+
+       *w = htole16(len + 8);
+       bus_dmamap_sync(sc->sc_dmat, sc->sched_dma.map,
+           (vaddr_t)w - (vaddr_t)sc->sched_dma.vaddr, sizeof (uint16_t),
+           BUS_DMASYNC_PREWRITE);
+       if (idx < IWN_SCHED_WINSZ) {
+               *(w + IWN_TX_RING_COUNT) = *w;
+               bus_dmamap_sync(sc->sc_dmat, sc->sched_dma.map,
+                   (vaddr_t)(w + IWN_TX_RING_COUNT) - 
(vaddr_t)sc->sched_dma.vaddr,
+                   sizeof (uint16_t), BUS_DMASYNC_PREWRITE);
+       }
+}
+
+static void
+iwn5000_update_sched(struct iwn_softc *sc, int qid, int idx, uint8_t id,
+    uint16_t len)
 {
-       switch (rate) {
-               /* CCK rates (returned values are device-dependent) */
-       case 2:         return 10;
-       case 4:         return 20;
-       case 11:        return 55;
-       case 22:        return 110;
-
-               /* OFDM rates (cf IEEE Std 802.11a-1999, pp. 14 Table 80) */
-               /* R1-R4, (u)ral is R4-R1 */
-       case 12:        return 0xd;
-       case 18:        return 0xf;
-       case 24:        return 0x5;
-       case 36:        return 0x7;
-       case 48:        return 0x9;
-       case 72:        return 0xb;
-       case 96:        return 0x1;
-       case 108:       return 0x3;
-       case 120:       return 0x3;
-       }
-       /* unknown rate (should not get there) */
-       return 0;
+       uint16_t *w = &sc->sched[qid * IWN5000_SCHED_COUNT + idx];
+
+       *w = htole16(id << 12 | (len + 8));
+       bus_dmamap_sync(sc->sc_dmat, sc->sched_dma.map,
+           (vaddr_t)w - (vaddr_t)sc->sched_dma.vaddr, sizeof (uint16_t),
+           BUS_DMASYNC_PREWRITE);
+       if (idx < IWN_SCHED_WINSZ) {
+               *(w + IWN_TX_RING_COUNT) = *w;
+               bus_dmamap_sync(sc->sc_dmat, sc->sched_dma.map,
+                   (vaddr_t)(w + IWN_TX_RING_COUNT) - 
(vaddr_t)sc->sched_dma.vaddr,
+                   sizeof (uint16_t), BUS_DMASYNC_PREWRITE);
+       }
 }
 
-/* determine if a given rate is CCK or OFDM */
-#define IWN_RATE_IS_OFDM(rate) ((rate) >= 12 && (rate) != 22)
+static void
+iwn5000_reset_sched(struct iwn_softc *sc, int qid, int idx)
+{
+       uint16_t *w = &sc->sched[qid * IWN5000_SCHED_COUNT + idx];
+
+       *w = (*w & htole16(0xf000)) | htole16(1);
+       bus_dmamap_sync(sc->sc_dmat, sc->sched_dma.map,
+           (vaddr_t)w - (vaddr_t)sc->sched_dma.vaddr, sizeof (uint16_t),
+           BUS_DMASYNC_PREWRITE);
+       if (idx < IWN_SCHED_WINSZ) {
+               *(w + IWN_TX_RING_COUNT) = *w;
+               bus_dmamap_sync(sc->sc_dmat, sc->sched_dma.map,
+                   (vaddr_t)(w + IWN_TX_RING_COUNT) - 
(vaddr_t)sc->sched_dma.vaddr,
+                   sizeof (uint16_t), BUS_DMASYNC_PREWRITE);
+       }
+}
 
 static int
-iwn_tx_data(struct iwn_softc *sc, struct mbuf *m0, struct ieee80211_node *ni,
-    int ac)
+iwn_tx(struct iwn_softc *sc, struct mbuf *m, struct ieee80211_node *ni, int ac)
 {
+       const struct iwn_hal *hal = sc->sc_hal;
        struct ieee80211com *ic = &sc->sc_ic;
-       struct iwn_tx_ring *ring = &sc->txq[ac];
+       struct iwn_node *wn = (void *)ni;
+       struct iwn_tx_ring *ring;
        struct iwn_tx_desc *desc;
        struct iwn_tx_data *data;
        struct iwn_tx_cmd *cmd;
        struct iwn_cmd_data *tx;
+       const struct iwn_rate *rinfo;
        struct ieee80211_frame *wh;
-       struct ieee80211_key *k;
+       struct ieee80211_key *k = NULL;
        const struct chanAccParams *cap;
-       struct mbuf *mnew;
-       bus_addr_t paddr;
+       struct mbuf *m1;
        uint32_t flags;
-       uint8_t type;
-       int i, error, pad, rate, hdrlen, noack = 0;
-
-       DPRINTFN(5, ("iwn_tx_data entry\n"));
+       u_int hdrlen;
+       bus_dma_segment_t *seg;
+       uint8_t ridx, txant, type;
+       int i, totlen, error, pad, noack;
 
-       desc = &ring->desc[ring->cur];
-       data = &ring->data[ring->cur];
-
-       wh = mtod(m0, struct ieee80211_frame *);
+       wh = mtod(m, struct ieee80211_frame *);
        type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 
+       /* JAF XXX two lines above were not in wpi. check we don't duplicate 
this */
+
        if (IEEE80211_QOS_HAS_SEQ(wh)) {
                hdrlen = sizeof (struct ieee80211_qosframe);
                cap = &ic->ic_wme.wme_chanParams;
                noack = cap->cap_wmeParams[ac].wmep_noackPolicy;
-       } else
+       } else {
                hdrlen = sizeof (struct ieee80211_frame);
-
+               noack = 0;
+       }
+       
        if (wh->i_fc[1] & IEEE80211_FC1_WEP) {
-               k = ieee80211_crypto_encap(ic, ni, m0);
+               k = ieee80211_crypto_encap(ic, ni, m);
                if (k == NULL) {
-                       m_freem(m0);
+                       m_freem(m);
                        return ENOBUFS;
                }
                /* packet header may have moved, reset our local pointer */
-               wh = mtod(m0, struct ieee80211_frame *);
+               wh = mtod(m, struct ieee80211_frame *);
        }
 
-       /* pickup a rate */
+       ring = &sc->txq[ac];
+       desc = &ring->desc[ring->cur];
+       data = &ring->data[ring->cur];
+
+       /* Choose a TX rate index. */
        if (type == IEEE80211_FC0_TYPE_MGT) {
                /* mgmt frames are sent at the lowest available bit-rate */
-               rate = ni->ni_rates.rs_rates[0];
+               ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
+                   IWN_RIDX_OFDM6 : IWN_RIDX_CCK1;
        } else {
                if (ic->ic_fixed_rate != -1) {
-                       rate = ic->ic_sup_rates[ic->ic_curmode].
-                           rs_rates[ic->ic_fixed_rate];
+                       ridx = sc->fixed_ridx;
                } else
-                       rate = ni->ni_rates.rs_rates[ni->ni_txrate];
+                       ridx = wn->ridx[ni->ni_txrate];
        }
-       rate &= IEEE80211_RATE_VAL;
+       rinfo = &iwn_rates[ridx];
 
 #if NBPFILTER > 0
        if (sc->sc_drvbpf != NULL) {
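Review bot: In iwn_fatal_intr the upper-bound test `sc->errptr + sizeof (dump) > IWN_FW_DATA_BASE + hal->fw_data_maxsz` can wrap where `size_t` is 32 bits, so an `errptr` near 0xffffffff (stored as reported by the firmware in iwn_microcode_ready) would pass the check. Since the lower bound is tested first, writing it as `sc->errptr - IWN_FW_DATA_BASE > hal->fw_data_maxsz - sizeof (dump)` avoids the addition, assuming `fw_data_maxsz` is never smaller than the dump structure. Separately, in iwn_intr `sc->sc_radio = (tmp & IWN_GP_CNTRL_RFKILL);` stores a masked register value. If `sc_radio` is a narrow integer (its declaration is not in this hunk) the bit may be truncated away, and `(tmp & IWN_GP_CNTRL_RFKILL) != 0` is safe for any type. iwn_tx at the end of the hunk continues beyond it.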
@@ -1985,15 +2694,36 @@ iwn_tx_data(struct iwn_softc *sc, struct
                tap->wt_flags = 0;
                tap->wt_chan_freq = htole16(ni->ni_chan->ic_freq);
                tap->wt_chan_flags = htole16(ni->ni_chan->ic_flags);
-               tap->wt_rate = rate;
+               tap->wt_rate = rinfo->rate;
                tap->wt_hwqueue = ac;
                if (wh->i_fc[1] & IEEE80211_FC1_WEP)
                        tap->wt_flags |= IEEE80211_RADIOTAP_F_WEP;
 
-               bpf_mtap2(sc->sc_drvbpf, tap, sc->sc_txtap_len, m0);
+               bpf_mtap2(sc->sc_drvbpf, tap, sc->sc_txtap_len, m);
+       }
+#endif
+
+       totlen = m->m_pkthdr.len;
+
+#if 0
+       /* Encrypt the frame if need be. */
+       if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
+               /* Retrieve key for TX. */
+               k = ieee80211_get_txkey(ic, wh, ni);
+               if (k->k_cipher != IEEE80211_CIPHER_CCMP) {
+                       /* Do software encryption. */
+                       if ((m = ieee80211_encrypt(ic, m, k)) == NULL)
+                               return ENOBUFS;
+                       /* 802.11 header may have moved. */
+                       wh = mtod(m, struct ieee80211_frame *);
+                       totlen = m->m_pkthdr.len;
+
+               } else  /* HW appends CCMP MIC. */
+                       totlen += IEEE80211_CCMP_HDRLEN;
        }
 #endif
 
+       /* Prepare TX firmware command. */
        cmd = &ring->cmd[ring->cur];
        cmd->code = IWN_CMD_TX_DATA;
        cmd->flags = 0;
@@ -2001,31 +2731,38 @@ iwn_tx_data(struct iwn_softc *sc, struct
        cmd->idx = ring->cur;
 
        tx = (struct iwn_cmd_data *)cmd->data;
+       /* NB: No need to clear tx, all fields are reinitialized here. */
+       tx->scratch = 0;        /* clear "scratch" area */
 
-       flags = IWN_TX_AUTO_SEQ;
-       if (!noack && !IEEE80211_IS_MULTICAST(wh->i_addr1)){
+       flags = 0;
+       if (!noack && !IEEE80211_IS_MULTICAST(wh->i_addr1)) {
                flags |= IWN_TX_NEED_ACK;
-       }else if (m0->m_pkthdr.len + IEEE80211_CRC_LEN > ic->ic_rtsthreshold)
-               flags |= (IWN_TX_NEED_RTS | IWN_TX_FULL_TXOP);
+       } else if (m->m_pkthdr.len + IEEE80211_CRC_LEN > ic->ic_rtsthreshold)
+               flags |= IWN_TX_NEED_RTS | IWN_TX_FULL_TXOP;
 
-       if (IEEE80211_IS_MULTICAST(wh->i_addr1)
-           || (type != IEEE80211_FC0_TYPE_DATA))
-               tx->id = IWN_ID_BROADCAST;
-       else
-               tx->id = IWN_ID_BSS;
+#if 0
+       if ((wh->i_fc[0] &
+           (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_MASK)) ==
+           (IEEE80211_FC0_TYPE_CTL | IEEE80211_FC0_SUBTYPE_BAR))
+               flags |= IWN_TX_IMM_BA;         /* Cannot happen yet. */
 
-       DPRINTFN(5, ("addr1: %x:%x:%x:%x:%x:%x, id = 0x%x\n",
-                    wh->i_addr1[0], wh->i_addr1[1], wh->i_addr1[2],
-                    wh->i_addr1[3], wh->i_addr1[4], wh->i_addr1[5], tx->id));
+       if (wh->i_fc[1] & IEEE80211_FC1_MORE_FRAG)
+               flags |= IWN_TX_MORE_FRAG;      /* Cannot happen yet. */
+#endif
+
+       if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
+           type != IEEE80211_FC0_TYPE_DATA)
+               tx->id = hal->broadcast_id;
+       else
+               tx->id = wn->id;
 
        if (type == IEEE80211_FC0_TYPE_MGT) {
                uint8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 
-               /* tell h/w to set timestamp in probe responses */
+               /* Tell HW to set timestamp in probe responses. */
                if ((subtype == IEEE80211_FC0_SUBTYPE_PROBE_RESP) ||
                    (subtype == IEEE80211_FC0_SUBTYPE_PROBE_REQ))
                        flags |= IWN_TX_INSERT_TSTAMP;
-
                if (subtype == IEEE80211_FC0_SUBTYPE_ASSOC_REQ ||
                    subtype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ ||
                    subtype == IEEE80211_FC0_SUBTYPE_AUTH ||
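Review bot: The `else if` on the RTS test hangs off the ACK branch, so `IWN_TX_NEED_RTS | IWN_TX_FULL_TXOP` can only be set for frames that do not need an ACK (group-addressed or noack). Unicast frames longer than `ic->ic_rtsthreshold` never get it, which looks inverted. The test also uses `m->m_pkthdr.len` although the previous hunk introduces `totlen` for the frame length. I would nest the test inside the ACK branch as `if (totlen + IEEE80211_CRC_LEN > ic->ic_rtsthreshold)` followed by `flags |= IWN_TX_NEED_RTS | IWN_TX_FULL_TXOP;`. The condition is carried over from the removed lines, and iwn_tx_data begins and ends outside this hunk.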
@@ -2039,12 +2776,13 @@ iwn_tx_data(struct iwn_softc *sc, struct
                tx->timeout = htole16(0);
 
        if (hdrlen & 3) {
-               /* first segment's length must be a multiple of 4 */
+               /* First segment's length must be a multiple of 4. */
                flags |= IWN_TX_NEED_PADDING;
                pad = 4 - (hdrlen & 3);
        } else
                pad = 0;
 
+#if 0
        if (type == IEEE80211_FC0_TYPE_CTL) {
                uint8_t subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
 
@@ -2053,103 +2791,116 @@ iwn_tx_data(struct iwn_softc *sc, struct
                        /* linux says (1 << 6) is IMM_BA_RSP_MASK */
                        flags |= (IWN_TX_NEED_ACK | (1 << 6));
        }
+#endif
 
-
-       tx->flags = htole32(flags);
-       tx->len = htole16(m0->m_pkthdr.len);
-       tx->rate = iwn_plcp_signal(rate);
+       tx->len = htole16(totlen);
+       tx->tid = 0 /* tid */;
        tx->rts_ntries = 60;
        tx->data_ntries = 15;
        tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
-
-       /* XXX alternate between Ant A and Ant B ? */
-       tx->rflags = IWN_RFLAG_ANT_B;
-       if (tx->id == IWN_ID_BROADCAST) {
-               tx->ridx = IWN_MAX_TX_RETRIES - 1;
-               if (!IWN_RATE_IS_OFDM(rate))
-                       tx->rflags |= IWN_RFLAG_CCK;
+       tx->plcp = rinfo->plcp;
+       tx->rflags = rinfo->flags;
+       if (tx->id == hal->broadcast_id) {
+               /* Group or management frame. */
+               tx->linkq = 0;
+               /* XXX Alternate between antenna A and B? */
+               txant = IWN_LSB(sc->txantmsk);
+               tx->rflags |= IWN_RFLAG_ANT(txant);
        } else {
-               tx->ridx = 0;
-               /* tell adapter to ignore rflags */
-               tx->flags |= htole32(IWN_TX_USE_NODE_RATE);
+               tx->linkq = ni->ni_rates.rs_nrates - ni->ni_txrate - 1;
+               flags |= IWN_TX_LINKQ;  /* enable MRR */
        }
+       /* Set physical address of "scratch area". */
+       tx->loaddr = htole32(IWN_LOADDR(data->scratch_paddr));
+       tx->hiaddr = IWN_HIADDR(data->scratch_paddr);
 
-       /* copy and trim IEEE802.11 header */
+       /* Copy 802.11 header in TX command. */
        memcpy(((uint8_t *)tx) + sizeof(*tx), wh, hdrlen);
-       m_adj(m0, hdrlen);
 
-       error = bus_dmamap_load_mbuf(sc->sc_dmat, data->map, m0,
+       /* Trim 802.11 header. */
+       m_adj(m, hdrlen);    
+       tx->security = 0;    
+
+       tx->flags = htole32(flags);
+
+       error = bus_dmamap_load_mbuf(sc->sc_dmat, data->map, m,
            BUS_DMA_WRITE | BUS_DMA_NOWAIT);
        if (error != 0 && error != EFBIG) {
-               aprint_error_dev(sc->sc_dev, "could not map mbuf (error %d)\n", 
error);
-               m_freem(m0);
+               aprint_error_dev(sc->sc_dev, "could not map mbuf (error %d)\n",
+                   error);
+               m_freem(m);
                return error;
        }
        if (error != 0) {
-               /* too many fragments, linearize */
-
-               MGETHDR(mnew, M_DONTWAIT, MT_DATA);
-               if (mnew == NULL) {
-                       m_freem(m0);
-                       return ENOMEM;
+               /* Too many DMA segments, linearize mbuf. */
+               MGETHDR(m1, M_DONTWAIT, MT_DATA);
+               if (m1 == NULL) {
+                       m_freem(m);
+                       return ENOBUFS;
                }
-               M_COPY_PKTHDR(mnew, m0);
-               if (m0->m_pkthdr.len > MHLEN) {
-                       MCLGET(mnew, M_DONTWAIT);
-                       if (!(mnew->m_flags & M_EXT)) {
-                               m_freem(m0);
-                               m_freem(mnew);
-                               return ENOMEM;
+               if (m->m_pkthdr.len > MHLEN) {
+                       MCLGET(m1, M_DONTWAIT);
+                       if (!(m1->m_flags & M_EXT)) {
+                               m_freem(m);
+                               m_freem(m1);
+                               return ENOBUFS;
                        }
                }
+               m_copydata(m, 0, m->m_pkthdr.len, mtod(m1, void *));
+               m1->m_pkthdr.len = m1->m_len = m->m_pkthdr.len;
+               m_freem(m);
+               m = m1;
 
-               m_copydata(m0, 0, m0->m_pkthdr.len, mtod(mnew, void *));
-               m_freem(m0);
-               mnew->m_len = mnew->m_pkthdr.len;
-               m0 = mnew;
-
-               error = bus_dmamap_load_mbuf(sc->sc_dmat, data->map, m0,
+               error = bus_dmamap_load_mbuf(sc->sc_dmat, data->map, m,
                    BUS_DMA_WRITE | BUS_DMA_NOWAIT);
                if (error != 0) {
-                       aprint_error_dev(sc->sc_dev, "could not map mbuf (error 
%d)\n", error);
-                       m_freem(m0);
+                       aprint_error_dev(sc->sc_dev,
+                           "could not map mbuf (error %d)\n", error);
+                       m_freem(m);
                        return error;
                }
        }
 
-       data->m = m0;
+       data->m = m;
        data->ni = ni;
 
        DPRINTFN(4, ("sending data: qid=%d idx=%d len=%d nsegs=%d\n",
-               ring->qid, ring->cur, m0->m_pkthdr.len, data->map->dm_nsegs));
+           ring->qid, ring->cur, m->m_pkthdr.len, data->map->dm_nsegs));
 
-       paddr = ring->cmd_dma.paddr + ring->cur * sizeof (struct iwn_tx_cmd);
-       tx->loaddr = htole32(paddr + 4 +
-           offsetof(struct iwn_cmd_data, ntries));
-       tx->hiaddr = 0; /* limit to 32-bit physical addresses */
-
-       /* first scatter/gather segment is used by the tx data command */
-       IWN_SET_DESC_NSEGS(desc, 1 + data->map->dm_nsegs);
-       IWN_SET_DESC_SEG(desc, 0, paddr, 4 + sizeof (*tx) + hdrlen + pad);
+       /* Fill TX descriptor. */
+       desc->nsegs = 1 + data->map->dm_nsegs;
+       /* First DMA segment is used by the TX command. */
+       desc->segs[0].addr = htole32(IWN_LOADDR(data->cmd_paddr));
+       desc->segs[0].len  = htole16(IWN_HIADDR(data->cmd_paddr) |
+           (4 + sizeof (*tx) + hdrlen + pad) << 4);
+       /* Other DMA segments are for data payload. */
+       seg = data->map->dm_segs;
        for (i = 1; i <= data->map->dm_nsegs; i++) {
-               IWN_SET_DESC_SEG(desc, i, data->map->dm_segs[i - 1].ds_addr,
-                   data->map->dm_segs[i - 1].ds_len);
-       }
-       sc->shared->len[ring->qid][ring->cur] =
-           htole16(hdrlen + m0->m_pkthdr.len + 8);
-       if (ring->cur < IWN_TX_WINDOW) {
-               sc->shared->len[ring->qid][ring->cur + IWN_TX_RING_COUNT] =
-                   htole16(hdrlen + m0->m_pkthdr.len + 8);
-       }
+               desc->segs[i].addr = htole32(IWN_LOADDR(seg->ds_addr));
+               desc->segs[i].len  = htole16(IWN_HIADDR(seg->ds_addr) |
+                   seg->ds_len << 4);
+               seg++;
+       }
+
+       bus_dmamap_sync(sc->sc_dmat, data->map, 0, data->map->dm_mapsize,
+           BUS_DMASYNC_PREWRITE);
+       bus_dmamap_sync(sc->sc_dmat, ring->cmd_dma.map,
+           (vaddr_t)cmd - (vaddr_t)ring->cmd_dma.vaddr, sizeof (*cmd),
+           BUS_DMASYNC_PREWRITE);
+       bus_dmamap_sync(sc->sc_dmat, ring->desc_dma.map,
+           (vaddr_t)desc - (vaddr_t)ring->desc_dma.vaddr, sizeof (*desc),
+           BUS_DMASYNC_PREWRITE);
 
-       ring->queued++;
-
-       bus_dmamap_sync(sc->sc_dmat, data->map, 0,
-           data->map->dm_mapsize /* calc? */, BUS_DMASYNC_PREWRITE);
+       /* Update TX scheduler. */
+       hal->update_sched(sc, ring->qid, ring->cur, tx->id, totlen);
 
-       /* kick ring */
+       /* Kick TX ring. */
        ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
-       IWN_WRITE(sc, IWN_TX_WIDX, ring->qid << 8 | ring->cur);
+       IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
+
+       /* Mark TX ring as full if we reach a certain threshold. */
+       if (++ring->queued > IWN_TX_RING_HIMARK)
+               sc->qfullmsk |= 1 << ring->qid;
 
        return 0;
 }
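Review bot: The linearize path copies `m->m_pkthdr.len` bytes into `m1` with `m_copydata()` after testing only `> MHLEN`, so a packet longer than one cluster would be written past the end of `m1`'s storage. The new `iwn_cmd()` in this same patch rejects `totlen > MCLBYTES` before taking a cluster, and the same guard belongs here ahead of `MGETHDR`: `if (m->m_pkthdr.len > MCLBYTES) { m_freem(m); return EFBIG; }`. The length is normally bounded by the interface MTU, but this is kernel memory filled from a packet chain, so the bound should be local and explicit. The function starts in an earlier hunk.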
@@ -2161,98 +2912,73 @@ iwn_start(struct ifnet *ifp)
        struct ieee80211com *ic = &sc->sc_ic;
        struct ieee80211_node *ni;
        struct ether_header *eh;
-       struct mbuf *m0;
+       struct mbuf *m;
        int ac;
 
-       DPRINTFN(5, ("iwn_start enter\n"));
-
-       /*
-        * net80211 may still try to send management frames even if the
-        * IFF_RUNNING flag is not set...
-        */
-       if ((ifp->if_flags & (IFF_RUNNING | IFF_OACTIVE)) != IFF_RUNNING)
+       if (((ifp->if_flags & (IFF_RUNNING | IFF_OACTIVE)) != IFF_RUNNING) ||
+           !sc->sc_radio)
                return;
 
        for (;;) {
-               IF_DEQUEUE(&ic->ic_mgtq, m0);
-               if (m0 != NULL) {
-                       /* management frames go into ring 0 */
-
-
-                       ni = (struct ieee80211_node *)m0->m_pkthdr.rcvif;
-                       m0->m_pkthdr.rcvif = NULL;
-
-                       /* management goes into ring 0 */
-                       if (sc->txq[0].queued > sc->txq[0].count - 8) {
-                               ifp->if_oerrors++;
-                               continue;
-                       }
-
-#if NBPFILTER > 0
-                       if (ic->ic_rawbpf != NULL)
-                               bpf_mtap(ic->ic_rawbpf, m0);
-#endif
-                       if (iwn_tx_data(sc, m0, ni, 0) != 0) {
-                               ifp->if_oerrors++;
-                               break;
-                       }
-               } else {
-                       if (ic->ic_state != IEEE80211_S_RUN)
-                               break;
-                       IFQ_POLL(&ifp->if_snd, m0);
-                       if (m0 == NULL)
-                               break;
-
-                       if (m0->m_len < sizeof (*eh) &&
-                           (m0 = m_pullup(m0, sizeof (*eh))) == NULL) {
-                               ifp->if_oerrors++;
-                               continue;
-                       }
-                       eh = mtod(m0, struct ether_header *);
-                       ni = ieee80211_find_txnode(ic, eh->ether_dhost);
-                       if (ni == NULL) {
-                               m_freem(m0);
-                               ifp->if_oerrors++;
-                               continue;
-                       }
-                       /* classify mbuf so we can find which tx ring to use */
-                       if (ieee80211_classify(ic, m0, ni) != 0) {
-                               m_freem(m0);
-                               ieee80211_free_node(ni);
-                               ifp->if_oerrors++;
-                               continue;
-                       }
-
-                       /* no QoS encapsulation for EAPOL frames */
-                       ac = (eh->ether_type != htons(ETHERTYPE_PAE)) ?
-                           M_WME_GETAC(m0) : WME_AC_BE;
+               if (sc->qfullmsk != 0) {
+                       ifp->if_flags |= IFF_OACTIVE;
+                       break;
+               }
+               /* Send pending management frames first. */
+               IF_DEQUEUE(&ic->ic_mgtq, m);
+               if (m != NULL) {
+                       ni = (void *)m->m_pkthdr.rcvif;
+                       ac = 0;
+                       goto sendit;
+               }
+               if (ic->ic_state != IEEE80211_S_RUN)
+                       break;
 
-                       if (sc->txq[ac].queued > sc->txq[ac].count - 8) {
+               /* Encapsulate and send data frames. */
+               IFQ_DEQUEUE(&ifp->if_snd, m);
+               if (m == NULL)
+                       break;
+               if (m->m_len < sizeof (*eh) &&
+                   (m = m_pullup(m, sizeof (*eh))) == NULL) {
+                       ifp->if_oerrors++;
+                       continue;
+               }
+               eh = mtod(m, struct ether_header *);
+               ni = ieee80211_find_txnode(ic, eh->ether_dhost);
+               if (ni == NULL) {
+                       m_freem(m);
+                       ifp->if_oerrors++;
+                       continue;
+               }
+               /* classify mbuf so we can find which tx ring to use */
+               if (ieee80211_classify(ic, m, ni) != 0) {
+                       m_freem(m);
+                       ieee80211_free_node(ni);
+                       ifp->if_oerrors++;
+                       continue;
+               }
 
-                               /* there is no place left in this ring */
-                               ifp->if_flags |= IFF_OACTIVE;
-                               break;
-                       }
-                       IFQ_DEQUEUE(&ifp->if_snd, m0);
+               /* no QoS encapsulation for EAPOL frames */
+               ac = (eh->ether_type != htons(ETHERTYPE_PAE)) ?
+                   M_WME_GETAC(m) : WME_AC_BE;
 #if NBPFILTER > 0
-                       if (ifp->if_bpf != NULL)
-                               bpf_mtap(ifp->if_bpf, m0);
+               if (ifp->if_bpf != NULL)
+                       bpf_mtap(ifp->if_bpf, m);
 #endif
-                       m0 = ieee80211_encap(ic, m0, ni);
-                       if (m0 == NULL) {
-                               ieee80211_free_node(ni);
-                               ifp->if_oerrors++;
-                               continue;
-                       }
+               if ((m = ieee80211_encap(ic, m, ni)) == NULL) {
+                       ieee80211_free_node(ni);
+                       ifp->if_oerrors++;
+                       continue;
+               }
+sendit:
 #if NBPFILTER > 0
-                       if (ic->ic_rawbpf != NULL)
-                               bpf_mtap(ic->ic_rawbpf, m0);
+               if (ic->ic_rawbpf != NULL)
+                       bpf_mtap(ic->ic_rawbpf, m);
 #endif
-                       if (iwn_tx_data(sc, m0, ni, ac) != 0) {
-                               ieee80211_free_node(ni);
-                               ifp->if_oerrors++;
-                               break;
-                       }
+               if (iwn_tx(sc, m, ni, ac) != 0) {
+                       ieee80211_free_node(ni);
+                       ifp->if_oerrors++;
+                       continue;
                }
 
                sc->sc_tx_timer = 5;
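Review bot: The management-frame branch reads the node pointer out of `m->m_pkthdr.rcvif` but no longer clears the field, which the removed code did with `m0->m_pkthdr.rcvif = NULL;`. The mbuf then reaches `bpf_mtap()` and `iwn_tx()` at `sendit:` with a `struct ieee80211_node *` stored in a field typed as an interface pointer. Any consumer that dereferences `rcvif` would read the node as a `struct ifnet`. I would restore `m->m_pkthdr.rcvif = NULL;` right after `ni = (void *)m->m_pkthdr.rcvif;`. iwn_start continues past the end of this hunk.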
@@ -2282,10 +3008,9 @@ iwn_watchdog(struct ifnet *ifp)
 }
 
 static int
-iwn_ioctl(struct ifnet *ifp, u_long cmd, void * data)
+iwn_ioctl(struct ifnet *ifp, u_long cmd, void* data)
 {
-
-#define IS_RUNNING(ifp)                                                        
\
+#define IS_RUNNING(ifp) \
        ((ifp->if_flags & IFF_UP) && (ifp->if_flags & IFF_RUNNING))
 
        struct iwn_softc *sc = ifp->if_softc;
@@ -2295,10 +3020,27 @@ iwn_ioctl(struct ifnet *ifp, u_long cmd,
        s = splnet();
 
        switch (cmd) {
+       case SIOCSIFADDR:
+               /* FALLTHROUGH */
        case SIOCSIFFLAGS:
+               if ((error = ifioctl_common(ifp, cmd, data)) != 0)
+                       break;
                if (ifp->if_flags & IFF_UP) {
-                       if (!(ifp->if_flags & IFF_RUNNING))
-                               iwn_init(ifp);
+                       /*
+                        * resync the radio state just in case we missed
+                        * and event.
+                        */
+                       sc->sc_radio =
+                           (IWN_READ(sc, IWN_GP_CNTRL) & IWN_GP_CNTRL_RFKILL);
+
+                       if (!sc->sc_radio) {
+                               ifp->if_flags &= ~IFF_UP;
+                               error = EBUSY; /* XXX not really but same as els
+ewhere in driver */
+                               if (ifp->if_flags & IFF_RUNNING)
+                                       iwn_stop(ifp, 1);
+                       } else if (!(ifp->if_flags & IFF_RUNNING))
+                               error = iwn_init(ifp);
                } else {
                        if (ifp->if_flags & IFF_RUNNING)
                                iwn_stop(ifp, 1);
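Review bot: `sc->sc_radio` is assigned the raw result of `IWN_READ(sc, IWN_GP_CNTRL) & IWN_GP_CNTRL_RFKILL`, and its declaration is not in this hunk. If the field is narrower than the mask bit and is not `bool`, the value truncates to 0 and every `ifconfig up` ends in the `EBUSY` branch with the interface stopped. Normalising removes the dependency on the field type: `sc->sc_radio = (IWN_READ(sc, IWN_GP_CNTRL) & IWN_GP_CNTRL_RFKILL) != 0;`. The comment above it should read `an event`, and the `XXX` comment on the `EBUSY` line is split mid-word across two lines in this posting, so that line will probably not apply as sent. iwn_ioctl's body continues in the next hunk.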
@@ -2309,411 +3051,394 @@ iwn_ioctl(struct ifnet *ifp, u_long cmd,
        case SIOCDELMULTI:
                /* XXX no h/w multicast filter? --dyoung */
                if ((error = ether_ioctl(ifp, cmd, data)) == ENETRESET) {
-                       /* setup multicast filter, etc */
+                        /* setup multicast filter, etc */
+                       error = 0;
+               }
+               break;
+
+#if 0
+       case SIOCS80211POWER:
+               error = ieee80211_ioctl(ifp, cmd, data);
+               if (error != ENETRESET)
+                       break;
+               if (ic->ic_state == IEEE80211_S_RUN &&
+                   sc->calib.state == IWN_CALIB_STATE_RUN) {
+                       if (ic->ic_flags & IEEE80211_F_PMGTON)
+                               error = iwn_set_pslevel(sc, 0, 3, 0);
+                       else    /* back to CAM */
+                               error = iwn_set_pslevel(sc, 0, 0, 0);
+               } else {
+                       /* Defer until transition to IWN_CALIB_STATE_RUN. */
                        error = 0;
                }
                break;
+#endif
 
        default:
                error = ieee80211_ioctl(ic, cmd, data);
        }
 
        if (error == ENETRESET) {
-               if (IS_RUNNING(ifp) &&
-                   (ic->ic_roaming != IEEE80211_ROAMING_MANUAL))
-                       iwn_init(ifp);
                error = 0;
+               if (IS_RUNNING(ifp) &&
+                   (ic->ic_roaming != IEEE80211_ROAMING_MANUAL)) {
+                       error = iwn_init(ifp);
+               }
        }
-
        splx(s);
        return error;
-
 #undef IS_RUNNING
 }
 
-static void
-iwn_read_eeprom(struct iwn_softc *sc)
+/*
+ * Send a command to the firmware.
+ */
+static int
+iwn_cmd(struct iwn_softc *sc, int code, const void *buf, int size, int async)
 {
-       struct ieee80211com *ic = &sc->sc_ic;
-       char domain[4];
-       uint16_t val;
-       int i, error;
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct iwn_tx_ring *ring = &sc->txq[4];
+       struct iwn_tx_desc *desc;
+       struct iwn_tx_data *data;
+       struct iwn_tx_cmd *cmd;
+       struct mbuf *m;
+       bus_addr_t paddr;
+       int totlen, error;
 
-       if ((error = iwn_eeprom_lock(sc)) != 0) {
-               aprint_error_dev(sc->sc_dev, "could not lock EEPROM 
(error=%d)\n", error);
-               return;
+       desc = &ring->desc[ring->cur];
+       data = &ring->data[ring->cur];
+       totlen = 4 + size;
+
+       if (size > sizeof cmd->data) {
+               /* Command is too large to fit in a descriptor. */
+               if (totlen > MCLBYTES)
+                       return EINVAL;
+               MGETHDR(m, M_DONTWAIT, MT_DATA);
+               if (m == NULL)
+                       return ENOMEM;
+               if (totlen > MHLEN) {
+                       MCLGET(m, M_DONTWAIT);
+                       if (!(m->m_flags & M_EXT)) {
+                               m_freem(m);
+                               return ENOMEM;
+                       }
+               }
+               cmd = mtod(m, struct iwn_tx_cmd *);
+               error = bus_dmamap_load(sc->sc_dmat, data->map, cmd, totlen,
+                   NULL, BUS_DMA_NOWAIT);
+               if (error != 0) {
+                       m_freem(m);
+                       return error;
+               }
+               data->m = m;
+               paddr = data->map->dm_segs[0].ds_addr;
+       } else {
+               cmd = &ring->cmd[ring->cur];
+               paddr = data->cmd_paddr;
        }
-       /* read and print regulatory domain */
-       iwn_read_prom_data(sc, IWN_EEPROM_DOMAIN, domain, 4);
-       aprint_error_dev(sc->sc_dev, "%.4s", domain);
 
-       /* read and print MAC address */
-       iwn_read_prom_data(sc, IWN_EEPROM_MAC, ic->ic_myaddr, 6);
-       aprint_error(", address %s\n", ether_sprintf(ic->ic_myaddr));
+       cmd->code = code;
+       cmd->flags = 0;
+       cmd->qid = ring->qid;
+       cmd->idx = ring->cur;
+       memcpy(cmd->data, buf, size);
 
-       /* read the list of authorized channels */
-       for (i = 0; i < IWN_CHAN_BANDS_COUNT; i++)
-               iwn_read_eeprom_channels(sc, i);
+       desc->nsegs = 1;
+       desc->segs[0].addr = htole32(IWN_LOADDR(paddr));
+       desc->segs[0].len  = htole16(IWN_HIADDR(paddr) | totlen << 4);
+
+       if (size > sizeof cmd->data) {
+               bus_dmamap_sync(sc->sc_dmat, data->map, 0, totlen,
+                   BUS_DMASYNC_PREWRITE);
+       } else {
+               bus_dmamap_sync(sc->sc_dmat, ring->cmd_dma.map,
+                   (vaddr_t)cmd - (vaddr_t)ring->cmd_dma.vaddr, totlen,
+                   BUS_DMASYNC_PREWRITE);
+       }
+       bus_dmamap_sync(sc->sc_dmat, ring->desc_dma.map,
+           (vaddr_t)desc - (vaddr_t)ring->desc_dma.vaddr, sizeof (*desc),
+           BUS_DMASYNC_PREWRITE);
 
-       /* read maximum allowed Tx power for 2GHz and 5GHz bands */
-       iwn_read_prom_data(sc, IWN_EEPROM_MAXPOW, &val, 2);
-       sc->maxpwr2GHz = val & 0xff;
-       sc->maxpwr5GHz = val >> 8;
-       /* check that EEPROM values are correct */
-       if (sc->maxpwr5GHz < 20 || sc->maxpwr5GHz > 50)
-               sc->maxpwr5GHz = 38;
-       if (sc->maxpwr2GHz < 20 || sc->maxpwr2GHz > 50)
-               sc->maxpwr2GHz = 38;
-       DPRINTF(("maxpwr 2GHz=%d 5GHz=%d\n", sc->maxpwr2GHz, sc->maxpwr5GHz));
+       /* Update TX scheduler. */
+       hal->update_sched(sc, ring->qid, ring->cur, 0, 0);
 
-       /* read voltage at which samples were taken */
-       iwn_read_prom_data(sc, IWN_EEPROM_VOLTAGE, &val, 2);
-       sc->eeprom_voltage = (int16_t)le16toh(val);
-       DPRINTF(("voltage=%d (in 0.3V)\n", sc->eeprom_voltage));
+       /* Kick command ring. */
+       ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
+       IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ring->qid << 8 | ring->cur);
 
-       /* read power groups */
-       iwn_read_prom_data(sc, IWN_EEPROM_BANDS, sc->bands, sizeof sc->bands);
-#ifdef IWN_DEBUG
-       if (iwn_debug > 0) {
-               for (i = 0; i < IWN_NBANDS; i++)
-                       iwn_print_power_group(sc, i);
-       }
-#endif
-       iwn_eeprom_unlock(sc);
+       return async ? 0 : tsleep(desc, PCATCH, "iwncmd", hz);
 }
 
-static void
-iwn_read_eeprom_channels(struct iwn_softc *sc, int n)
+static int
+iwn_add_node(struct iwn_softc *sc, struct ieee80211_node *ni, bool broadcast,
+    bool async, uint32_t htflags)
 {
-       struct ieee80211com *ic = &sc->sc_ic;
-       const struct iwn_chan_band *band = &iwn_bands[n];
-       struct iwn_eeprom_chan channels[IWN_MAX_CHAN_PER_BAND];
-       int chan, i;
-
-       iwn_read_prom_data(sc, band->addr, channels,
-           band->nchan * sizeof (struct iwn_eeprom_chan));
-
-       for (i = 0; i < band->nchan; i++) {
-               if (!(channels[i].flags & IWN_EEPROM_CHAN_VALID))
-                       continue;
-
-               chan = band->chan[i];
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct iwn_node_info node;
+       int error;
 
-               if (n == 0) {   /* 2GHz band */
-                       ic->ic_channels[chan].ic_freq =
-                           ieee80211_ieee2mhz(chan, IEEE80211_CHAN_2GHZ);
-                       ic->ic_channels[chan].ic_flags =
-                           IEEE80211_CHAN_CCK | IEEE80211_CHAN_OFDM |
-                           IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
+       error = 0;
 
-               } else {        /* 5GHz band */
-                       /*
-                        * Some adapters support channels 7, 8, 11 and 12
-                        * both in the 2GHz *and* 5GHz bands.
-                        * Because of limitations in our net80211(9) stack,
-                        * we can't support these channels in 5GHz band.
-                        */
-                       if (chan <= 14)
-                               continue;
-
-                       ic->ic_channels[chan].ic_freq =
-                           ieee80211_ieee2mhz(chan, IEEE80211_CHAN_5GHZ);
-                       ic->ic_channels[chan].ic_flags = IEEE80211_CHAN_A;
-               }
-
-               /* is active scan allowed on this channel? */
-               if (!(channels[i].flags & IWN_EEPROM_CHAN_ACTIVE)) {
-                       ic->ic_channels[chan].ic_flags |=
-                           IEEE80211_CHAN_PASSIVE;
-               }
-
-               /* save maximum allowed power for this channel */
-               sc->maxpwr[chan] = channels[i].maxpwr;
-
-               DPRINTF(("adding chan %d flags=0x%x maxpwr=%d\n",
-                       chan, channels[i].flags, sc->maxpwr[chan]));
+       memset(&node, 0, sizeof node);
+       if (broadcast == true) {
+               IEEE80211_ADDR_COPY(node.macaddr, etherbroadcastaddr);
+               node.id = hal->broadcast_id;
+               DPRINTF(("adding broadcast node\n"));
+       } else {
+               IEEE80211_ADDR_COPY(node.macaddr, ni->ni_macaddr);
+               node.id = IWN_ID_BSS;
+               node.htflags = htole32(htflags);
+               DPRINTF(("adding BSS node\n"));
        }
-}
-
-#ifdef IWN_DEBUG
-static void
-iwn_print_power_group(struct iwn_softc *sc, int i)
-{
-       struct iwn_eeprom_band *band = &sc->bands[i];
-       struct iwn_eeprom_chan_samples *chans = band->chans;
-       int j, c;
-
-       DPRINTF(("===band %d===\n", i));
-       DPRINTF(("chan lo=%d, chan hi=%d\n", band->lo, band->hi));
-       DPRINTF(("chan1 num=%d\n", chans[0].num));
-       for (c = 0; c < IWN_NTXCHAINS; c++) {
-               for (j = 0; j < IWN_NSAMPLES; j++) {
-                       DPRINTF(("chain %d, sample %d: temp=%d gain=%d "
-                               "power=%d pa_det=%d\n", c, j,
-                               chans[0].samples[c][j].temp,
-                               chans[0].samples[c][j].gain,
-                               chans[0].samples[c][j].power,
-                               chans[0].samples[c][j].pa_det));
-               }
+       if ((error = hal->add_node(sc, &node, async)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not add %s node\n",
+                   (broadcast == 1)? "broadcast" : "BSS");
+               return error;
        }
-       DPRINTF(("chan2 num=%d\n", chans[1].num));
-       for (c = 0; c < IWN_NTXCHAINS; c++) {
-               for (j = 0; j < IWN_NSAMPLES; j++) {
-                       DPRINTF(("chain %d, sample %d: temp=%d gain=%d "
-                               "power=%d pa_det=%d\n", c, j,
-                               chans[1].samples[c][j].temp,
-                               chans[1].samples[c][j].gain,
-                               chans[1].samples[c][j].power,
-                               chans[1].samples[c][j].pa_det));
-               }
+       DPRINTF(("setting link quality for node %d\n", node.id));
+       if ((error = iwn_set_link_quality(sc, ni)) != 0) {
+               aprint_error_dev(sc->sc_dev,
+                                "could not setup MRR for %s node\n",
+                                (broadcast == 1)? "broadcast" : "BSS");
+               return error;
+       }
+       if ((error = iwn_init_sensitivity(sc)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not set sensitivity\n");
+               return error;
        }
+
+       return error;
 }
-#endif
 
-/*
- * Send a command to the firmware.
- */
+
 static int
-iwn_cmd(struct iwn_softc *sc, int code, const void *buf, int size, int async)
+iwn4965_add_node(struct iwn_softc *sc, struct iwn_node_info *node, int async)
 {
-       struct iwn_tx_ring *ring = &sc->txq[4];
-       struct iwn_tx_desc *desc;
-       struct iwn_tx_cmd *cmd;
-       bus_addr_t paddr;
-
-       KASSERT(size <= sizeof cmd->data);
-
-       desc = &ring->desc[ring->cur];
-       cmd = &ring->cmd[ring->cur];
-
-       cmd->code = code;
-       cmd->flags = 0;
-       cmd->qid = ring->qid;
-       cmd->idx = ring->cur;
-       memcpy(cmd->data, buf, size);
-
-       paddr = ring->cmd_dma.paddr + ring->cur * sizeof (struct iwn_tx_cmd);
-
-       IWN_SET_DESC_NSEGS(desc, 1);
-       IWN_SET_DESC_SEG(desc, 0, paddr, 4 + size);
-       sc->shared->len[ring->qid][ring->cur] = htole16(8);
-       if (ring->cur < IWN_TX_WINDOW) {
-               sc->shared->len[ring->qid][ring->cur + IWN_TX_RING_COUNT] =
-                   htole16(8);
-       }
+       struct iwn4965_node_info hnode;
+       char *src, *dst;
 
-       bus_dmamap_sync(sc->sc_dmat, ring->cmd_dma.map, 0,
-           4 + size, BUS_DMASYNC_PREWRITE);
-
-       /* kick cmd ring */
-       ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
-       IWN_WRITE(sc, IWN_TX_WIDX, ring->qid << 8 | ring->cur);
+       /*
+        * We use the node structure for 5000 Series internally (it is
+        * a superset of the one for 4965AGN). We thus copy the common
+        * fields before sending the command.
+        */
+       src = (char *)node;
+       dst = (char *)&hnode;
+       memcpy(dst, src, 48);
+       /* Skip TSC, RX MIC and TX MIC fields from ``src''. */
+       memcpy(dst + 48, src + 72, 20);
+       return iwn_cmd(sc, IWN_CMD_ADD_NODE, &hnode, sizeof hnode, async);
+}
 
-       return async ? 0 : tsleep(cmd, PCATCH, "iwncmd", hz);
+static int
+iwn5000_add_node(struct iwn_softc *sc, struct iwn_node_info *node, int async)
+{
+       /* Direct mapping. */
+       return iwn_cmd(sc, IWN_CMD_ADD_NODE, node, sizeof (*node), async);
 }
 
-/*
- * Configure hardware multi-rate retries for one node.
- */
 static int
-iwn_setup_node_mrr(struct iwn_softc *sc, uint8_t id, int async)
+iwn_set_link_quality(struct iwn_softc *sc, struct ieee80211_node *ni)
 {
-       struct ieee80211com *ic = &sc->sc_ic;
-       struct iwn_cmd_mrr mrr;
-       int i, ridx;
+       struct iwn_node *wn = (void *)ni;
+       struct ieee80211_rateset *rs = &ni->ni_rates;
+       struct iwn_cmd_link_quality linkq;
+       const struct iwn_rate *rinfo;
+       uint8_t txant;
+       int i, txrate;
+
+       /* Use the first valid TX antenna. */
+       txant = IWN_LSB(sc->txantmsk);
+
+       memset(&linkq, 0, sizeof linkq);
+       linkq.id = wn->id;
+       linkq.antmsk_1stream = txant;
+       linkq.antmsk_2stream = IWN_ANT_A | IWN_ANT_B;
+       linkq.ampdu_max = 64;
+       linkq.ampdu_threshold = 3;
+       linkq.ampdu_limit = htole16(4000);      /* 4ms */
 
-       memset(&mrr, 0, sizeof mrr);
-       mrr.id = id;
-       mrr.ssmask = 2;
-       mrr.dsmask = 3;
-       mrr.ampdu_disable = 3;
-       mrr.ampdu_limit = htole16(4000);
-
-       if (id == IWN_ID_BSS)
-               ridx = IWN_OFDM54;
-       else if (ic->ic_curmode == IEEE80211_MODE_11A)
-               ridx = IWN_OFDM6;
-       else
-               ridx = IWN_CCK1;
+       /* Start at highest available bit-rate. */
+       txrate = rs->rs_nrates - 1;
        for (i = 0; i < IWN_MAX_TX_RETRIES; i++) {
-               mrr.table[i].rate = iwn_ridx_to_plcp[ridx];
-               mrr.table[i].rflags = IWN_RFLAG_ANT_B;
-               if (ridx <= IWN_CCK11)
-                       mrr.table[i].rflags |= IWN_RFLAG_CCK;
-               ridx = iwn_prev_ridx[ridx];
+               rinfo = &iwn_rates[wn->ridx[txrate]];
+               linkq.retry[i].plcp = rinfo->plcp;
+               linkq.retry[i].rflags = rinfo->flags;
+               linkq.retry[i].rflags |= IWN_RFLAG_ANT(txant);
+               /* Next retry at immediate lower bit-rate. */
+               if (txrate > 0)
+                       txrate--;
        }
-       return iwn_cmd(sc, IWN_CMD_NODE_MRR_SETUP, &mrr, sizeof mrr, async);
+       return iwn_cmd(sc, IWN_CMD_LINK_QUALITY, &linkq, sizeof linkq, 1);
 }
 
+/*
+ * Broadcast node is used to send group-addressed and management frames.
+ */
 static int
-iwn_wme_update(struct ieee80211com *ic)
+iwn_add_broadcast_node(struct iwn_softc *sc, int async)
 {
-#define IWN_EXP2(v)    htole16((1 << (v)) - 1)
-#define IWN_USEC(v)    htole16(IEEE80211_TXOP_TO_US(v))
-       struct iwn_softc *sc = ic->ic_ifp->if_softc;
-       const struct wmeParams *wmep;
-       struct iwn_wme_setup wme;
-       int ac;
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct iwn_node_info node;
+       struct iwn_cmd_link_quality linkq;
+       const struct iwn_rate *rinfo;
+       uint8_t txant;
+       int i, error;
 
-       /* don't override default WME values if WME is not actually enabled */
-       if (!(ic->ic_flags & IEEE80211_F_WME))
-               return 0;
+       memset(&node, 0, sizeof node);
+       IEEE80211_ADDR_COPY(node.macaddr, etherbroadcastaddr);
+       node.id = hal->broadcast_id;
+       DPRINTF(("adding broadcast node\n"));
+       if ((error = hal->add_node(sc, &node, async)) != 0)
+               return error;
 
-       wme.flags = 0;
-       for (ac = 0; ac < WME_NUM_AC; ac++) {
-               wmep = &ic->ic_wme.wme_chanParams.cap_wmeParams[ac];
-               wme.ac[ac].aifsn = wmep->wmep_aifsn;
-               wme.ac[ac].cwmin = IWN_EXP2(wmep->wmep_logcwmin);
-               wme.ac[ac].cwmax = IWN_EXP2(wmep->wmep_logcwmax);
-               wme.ac[ac].txop  = IWN_USEC(wmep->wmep_txopLimit);
+       /* Use the first valid TX antenna. */
+       txant = IWN_LSB(sc->txantmsk);
 
-               DPRINTF(("setting WME for queue %d aifsn=%d cwmin=%d cwmax=%d "
-                       "txop=%d\n", ac, wme.ac[ac].aifsn, wme.ac[ac].cwmin,
-                       wme.ac[ac].cwmax, wme.ac[ac].txop));
+       memset(&linkq, 0, sizeof linkq);
+       linkq.id = hal->broadcast_id;
+       linkq.antmsk_1stream = txant;
+       linkq.antmsk_2stream = IWN_ANT_A | IWN_ANT_B;
+       linkq.ampdu_max = 64;
+       linkq.ampdu_threshold = 3;
+       linkq.ampdu_limit = htole16(4000);      /* 4ms */
+
+       /* Use lowest mandatory bit-rate. */
+       rinfo = (sc->sc_ic.ic_curmode != IEEE80211_MODE_11A) ?
+           &iwn_rates[IWN_RIDX_CCK1] : &iwn_rates[IWN_RIDX_OFDM6];
+       linkq.retry[0].plcp = rinfo->plcp;
+       linkq.retry[0].rflags = rinfo->flags;
+       linkq.retry[0].rflags |= IWN_RFLAG_ANT(txant);
+       /* Use same bit-rate for all TX retries. */
+       for (i = 1; i < IWN_MAX_TX_RETRIES; i++) {
+               linkq.retry[i].plcp = linkq.retry[0].plcp;
+               linkq.retry[i].rflags = linkq.retry[0].rflags;
        }
-
-       return iwn_cmd(sc, IWN_CMD_SET_WME, &wme, sizeof wme, 1);
-#undef IWN_USEC
-#undef IWN_EXP2
+       return iwn_cmd(sc, IWN_CMD_LINK_QUALITY, &linkq, sizeof linkq, async);
 }
 
-
-
 static void
 iwn_set_led(struct iwn_softc *sc, uint8_t which, uint8_t off, uint8_t on)
 {
        struct iwn_cmd_led led;
 
+       /* Clear microcode LED ownership. */
+       IWN_CLRBITS(sc, IWN_LED, IWN_LED_BSM_CTRL);
+
        led.which = which;
-       led.unit = htole32(100000);     /* on/off in unit of 100ms */
+       led.unit = htole32(10000);      /* on/off in unit of 100ms */
        led.off = off;
        led.on = on;
-
        (void)iwn_cmd(sc, IWN_CMD_SET_LED, &led, sizeof led, 1);
 }
 
 /*
- * Set the critical temperature at which the firmware will automatically stop
- * the radio transmitter.
+ * Set the critical temperature at which the firmware will notify us.
  */
 static int
 iwn_set_critical_temp(struct iwn_softc *sc)
 {
-       struct iwn_ucode_info *uc = &sc->ucode_info;
        struct iwn_critical_temp crit;
-       uint32_t r1, r2, r3, temp;
-
-       IWN_WRITE(sc, IWN_UCODE_CLR, IWN_CTEMP_STOP_RF);
-
-       r1 = le32toh(uc->temp[0].chan20MHz);
-       r2 = le32toh(uc->temp[1].chan20MHz);
-       r3 = le32toh(uc->temp[2].chan20MHz);
-       /* inverse function of iwn_get_temperature() */
 
-       temp = r2 + ((IWN_CTOK(110) * (r3 - r1)) / 259);
+       IWN_WRITE(sc, IWN_UCODE_GP1_CLR, IWN_UCODE_GP1_CTEMP_STOP_RF);
 
        memset(&crit, 0, sizeof crit);
-       crit.tempR = htole32(temp);
-       DPRINTF(("setting critical temperature to %u\n", temp));
+       crit.tempR = htole32(sc->critical_temp);
+       DPRINTF(("setting critical temperature to %u\n", sc->critical_temp));
        return iwn_cmd(sc, IWN_CMD_SET_CRITICAL_TEMP, &crit, sizeof crit, 0);
 }
 
-static void
-iwn_enable_tsf(struct iwn_softc *sc, struct ieee80211_node *ni)
+static int
+iwn_set_timing(struct iwn_softc *sc, struct ieee80211_node *ni)
 {
-       struct iwn_cmd_tsf tsf;
+       struct iwn_cmd_timing cmd;
        uint64_t val, mod;
 
-       memset(&tsf, 0, sizeof tsf);
-       memcpy(&tsf.tstamp, ni->ni_tstamp.data, 8);
-       tsf.bintval = htole16(ni->ni_intval);
-       tsf.lintval = htole16(10);
+       memset(&cmd, 0, sizeof cmd);
+       memcpy(&cmd.tstamp, ni->ni_tstamp.data, sizeof (uint64_t));
+       cmd.bintval = htole16(ni->ni_intval);
+       cmd.lintval = htole16(10);
 
-       /* compute remaining time until next beacon */
+       /* Compute remaining time until next beacon. */
        val = (uint64_t)ni->ni_intval * 1024;   /* msecs -> usecs */
-       mod = le64toh(tsf.tstamp) % val;
-       tsf.binitval = htole32((uint32_t)(val - mod));
+       mod = le64toh(cmd.tstamp) % val;
+       cmd.binitval = htole32((uint32_t)(val - mod));
 
-       DPRINTF(("TSF bintval=%u tstamp=%" PRIu64 ", init=%" PRIu64 "\n",
-           ni->ni_intval, le64toh(tsf.tstamp), val - mod));
+       DPRINTF(("timing bintval=%u, tstamp=%llu, init=%u\n",
+           ni->ni_intval, le64toh(cmd.tstamp), (uint32_t)(val - mod)));
 
-       if (iwn_cmd(sc, IWN_CMD_TSF, &tsf, sizeof tsf, 1) != 0)
-               aprint_error_dev(sc->sc_dev, "could not enable TSF\n");
+       return iwn_cmd(sc, IWN_CMD_TIMING, &cmd, sizeof cmd, 1);
 }
 
+#if 0
 static void
-iwn_power_calibration(struct iwn_softc *sc, int temp)
+iwn4965_power_calibration(struct iwn_softc *sc, int temp)
 {
-       struct ieee80211com *ic = &sc->sc_ic;
-
+       /* Adjust TX power if need be (delta >= 3 degC.) */
        DPRINTF(("temperature %d->%d\n", sc->temp, temp));
-
-       /* adjust Tx power if need be (delta >= 3�C) */
-       if (abs(temp - sc->temp) < 3)
-               return;
-
-       sc->temp = temp;
-
-       DPRINTF(("setting Tx power for channel %d\n",
-               ieee80211_chan2ieee(ic, ic->ic_bss->ni_chan)));
-       if (iwn_set_txpower(sc, ic->ic_bss->ni_chan, 1) != 0) {
-               /* just warn, too bad for the automatic calibration... */
-               aprint_error_dev(sc->sc_dev, "could not adjust Tx power\n");
+       if (abs(temp - sc->temp) >= 3) {
+               /* Record temperature of last calibration. */
+               sc->temp = temp;
+               (void)iwn4965_set_txpower(sc, 1);
        }
 }
+#endif
 
 /*
- * Set Tx power for a given channel (each rate has its own power settings).
+ * Set TX power for current channel (each rate has its own power settings).
  * This function takes into account the regulatory information from EEPROM,
  * the current temperature and the current voltage.
  */
 static int
-iwn_set_txpower(struct iwn_softc *sc, struct ieee80211_channel *ch, int async)
+iwn4965_set_txpower(struct iwn_softc *sc, int async)
 {
-/* fixed-point arithmetic division using a n-bit fractional part */
-#define fdivround(a, b, n)                                             \
+/* Fixed-point arithmetic division using a n-bit fractional part. */
+#define fdivround(a, b, n)     \
        ((((1 << n) * (a)) / (b) + (1 << n) / 2) / (1 << n))
-/* linear interpolation */
-#define interpolate(x, x1, y1, x2, y2, n)                              \
+/* Linear interpolation. */
+#define interpolate(x, x1, y1, x2, y2, n)      \
        ((y1) + fdivround(((int)(x) - (x1)) * ((y2) - (y1)), (x2) - (x1), n))
 
        static const int tdiv[IWN_NATTEN_GROUPS] = { 9, 8, 8, 8, 6 };
        struct ieee80211com *ic = &sc->sc_ic;
        struct iwn_ucode_info *uc = &sc->ucode_info;
-       struct iwn_cmd_txpower cmd;
-       struct iwn_eeprom_chan_samples *chans;
+       struct ieee80211_channel *ch;
+       struct iwn4965_cmd_txpower cmd;
+       struct iwn4965_eeprom_chan_samples *chans;
        const uint8_t *rf_gain, *dsp_gain;
        int32_t vdiff, tdiff;
        int i, c, grp, maxpwr;
-       u_int chan;
+       uint8_t chan;
 
-       /* get channel number */
-       chan = ieee80211_chan2ieee(ic, ch);
+       /* Retrieve current channel from last RXON. */
+       chan = sc->rxon.chan;
+       DPRINTF(("setting TX power for channel %d\n", chan));
+       ch = &ic->ic_channels[chan];
 
        memset(&cmd, 0, sizeof cmd);
        cmd.band = IEEE80211_IS_CHAN_5GHZ(ch) ? 0 : 1;
        cmd.chan = chan;
 
        if (IEEE80211_IS_CHAN_5GHZ(ch)) {
-               maxpwr   = sc->maxpwr5GHz;
-               rf_gain  = iwn_rf_gain_5ghz;
-               dsp_gain = iwn_dsp_gain_5ghz;
+               maxpwr   = sc->maxpwr5GHz;
+               rf_gain  = iwn4965_rf_gain_5ghz;
+               dsp_gain = iwn4965_dsp_gain_5ghz;
        } else {
-               maxpwr   = sc->maxpwr2GHz;
-               rf_gain  = iwn_rf_gain_2ghz;
-               dsp_gain = iwn_dsp_gain_2ghz;
+               maxpwr   = sc->maxpwr2GHz;
+               rf_gain  = iwn4965_rf_gain_2ghz;
+               dsp_gain = iwn4965_dsp_gain_2ghz;
        }
 
-       /* compute voltage compensation */
+       /* Compute voltage compensation. */
        vdiff = ((int32_t)le32toh(uc->volt) - sc->eeprom_voltage) / 7;
        if (vdiff > 0)
                vdiff *= 2;
        if (abs(vdiff) > 2)
                vdiff = 0;
        DPRINTF(("voltage compensation=%d (UCODE=%d, EEPROM=%d)\n",
-               vdiff, le32toh(uc->volt), sc->eeprom_voltage));
+           vdiff, le32toh(uc->volt), sc->eeprom_voltage));
 
-       /* get channel's attenuation group */
+       /* Get channel's attenuation group. */
        if (chan <= 20)         /* 1-20 */
                grp = 4;
        else if (chan <= 43)    /* 34-43 */
@@ -2726,7 +3451,7 @@ iwn_set_txpower(struct iwn_softc *sc, st
                grp = 3;
        DPRINTF(("chan %d, attenuation group=%d\n", chan, grp));
 
-       /* get channel's sub-band */
+       /* Get channel's sub-band. */
        for (i = 0; i < IWN_NBANDS; i++)
                if (sc->bands[i].lo != 0 &&
                    sc->bands[i].lo <= chan && chan <= sc->bands[i].hi)
@@ -2734,7 +3459,7 @@ iwn_set_txpower(struct iwn_softc *sc, st
        chans = sc->bands[i].chans;
        DPRINTF(("chan %d sub-band=%d\n", chan, i));
 
-       for (c = 0; c < IWN_NTXCHAINS; c++) {
+       for (c = 0; c < 2; c++) {
                uint8_t power, gain, temp;
                int maxchpwr, pwr, ridx, idx;
 
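Review bot: `chans = sc->bands[i].chans` is reached with `i == IWN_NBANDS` when no sub-band's `lo`/`hi` range contains `chan`, so the lookup after the loop reads one element past `sc->bands`. The loop's exit statement sits on the line between the two hunks and is not visible here, so this assumes it is a plain `break`. Since `chan` now comes from `sc->rxon.chan` and the band limits appear to come from EEPROM contents, I would add `if (i == IWN_NBANDS) return EINVAL;` before the assignment. The replacement of `IWN_NTXCHAINS` with a bare `2` in the chain loop also deserves a comment such as `/* 4965AGN has two TX chains */`, if that is the reason. iwn4965_set_txpower starts before and ends after this hunk.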
@@ -2747,31 +3472,32 @@ iwn_set_txpower(struct iwn_softc *sc, st
                temp  = interpolate(chan,
                    chans[0].num, chans[0].samples[c][1].temp,
                    chans[1].num, chans[1].samples[c][1].temp, 1);
-               DPRINTF(("Tx chain %d: power=%d gain=%d temp=%d\n",
-                       c, power, gain, temp));
+               DPRINTF(("TX chain %d: power=%d gain=%d temp=%d\n",
+                   c, power, gain, temp));
 
-               /* compute temperature compensation */
+               /* Compute temperature compensation. */
                tdiff = ((sc->temp - temp) * 2) / tdiv[grp];
                DPRINTF(("temperature compensation=%d (current=%d, "
-                       "EEPROM=%d)\n", tdiff, sc->temp, temp));
+                   "EEPROM=%d)\n", tdiff, sc->temp, temp));
 
                for (ridx = 0; ridx <= IWN_RIDX_MAX; ridx++) {
                        maxchpwr = sc->maxpwr[chan] * 2;
-                       if ((ridx / 8) & 1) {
-                               /* MIMO: decrease Tx power (-3dB) */
-                               maxchpwr -= 6;
-                       }
+                       if ((ridx / 8) & 1)
+                               maxchpwr -= 6;  /* MIMO 2T: -3dB */
 
-                       pwr = maxpwr - 10;
+                       pwr = maxpwr;
 
-                       /* decrease power for highest OFDM rates */
-                       if ((ridx % 8) == 5)            /* 48Mbit/s */
-                               pwr -= 5;
-                       else if ((ridx % 8) == 6)       /* 54Mbit/s */
-                               pwr -= 7;
-                       else if ((ridx % 8) == 7)       /* 60Mbit/s */
-                               pwr -= 10;
+                       /* Adjust TX power based on rate. */
+                       if ((ridx % 8) == 5)
+                               pwr -= 15;      /* OFDM48: -7.5dB */
+                       else if ((ridx % 8) == 6)
+                               pwr -= 17;      /* OFDM54: -8.5dB */
+                       else if ((ridx % 8) == 7)
+                               pwr -= 20;      /* OFDM60: -10dB */
+                       else
+                               pwr -= 10;      /* Others: -5dB */
 
+                       /* Do not exceed channel's max TX power. */
                        if (pwr > maxchpwr)
                                pwr = maxchpwr;
 
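Review bot: The `interpolate()` call kept at the top of this hunk divides by `chans[1].num - chans[0].num` through `fdivround`, and nothing visible rejects a sub-band whose two sample channels carry the same number, which would be a division by zero in kernel context. The samples appear to come from EEPROM, so a check before the per-chain loop such as `if (chans[0].num == chans[1].num) return EINVAL;` would turn a corrupt or unexpected EEPROM into a reported error instead of a trap. Separately, the new rate back-offs (`15`, `17`, `20`, `10`) are in half-dB steps like `maxchpwr`; a one-line comment stating the unit above `pwr = maxpwr;` would save readers from inferring it from the per-line dB comments. The function begins and ends outside this hunk.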
@@ -2784,51 +3510,85 @@ iwn_set_txpower(struct iwn_softc *sc, st
                        if (ridx == IWN_RIDX_MAX)
                                idx += 5;       /* CCK */
 
-                       /* make sure idx stays in a valid range */
+                       /* Make sure idx stays in a valid range. */
                        if (idx < 0)
                                idx = 0;
-                       else if (idx > IWN_MAX_PWR_INDEX)
-                               idx = IWN_MAX_PWR_INDEX;
+                       else if (idx > IWN4965_MAX_PWR_INDEX)
+                               idx = IWN4965_MAX_PWR_INDEX;
 
-                       DPRINTF(("Tx chain %d, rate idx %d: power=%d\n",
-                               c, ridx, idx));
+                       DPRINTF(("TX chain %d, rate idx %d: power=%d\n",
+                           c, ridx, idx));
                        cmd.power[ridx].rf_gain[c] = rf_gain[idx];
                        cmd.power[ridx].dsp_gain[c] = dsp_gain[idx];
                }
        }
 
-       DPRINTF(("setting tx power for chan %d\n", chan));
+       DPRINTF(("setting TX power for chan %d\n", chan));
        return iwn_cmd(sc, IWN_CMD_TXPOWER, &cmd, sizeof cmd, async);
 
 #undef interpolate
 #undef fdivround
 }
 
+static int
+iwn5000_set_txpower(struct iwn_softc *sc, int async)
+{
+       struct iwn5000_cmd_txpower cmd;
+
+       /*
+        * TX power calibration is handled automatically by the firmware
+        * for 5000 Series.
+        */
+       memset(&cmd, 0, sizeof cmd);
+       cmd.global_limit = 2 * IWN5000_TXPOWER_MAX_DBM; /* 16 dBm */
+       cmd.flags = IWN5000_TXPOWER_NO_CLOSED;
+       cmd.srv_limit = IWN5000_TXPOWER_AUTO;
+       DPRINTF(("setting TX power\n"));
+       return iwn_cmd(sc, IWN_CMD_TXPOWER_DBM, &cmd, sizeof cmd, async);
+}
+
 /*
- * Get the best (maximum) RSSI among Rx antennas (in dBm).
+ * Retrieve the maximum RSSI (in dBm) among receivers.
  */
 static int
-iwn_get_rssi(const struct iwn_rx_stat *stat)
+iwn4965_get_rssi(const struct iwn_rx_stat *stat)
 {
+       const struct iwn4965_rx_phystat *phy = (const void *)stat->phybuf;
        uint8_t mask, agc;
        int rssi;
 
-       mask = (le16toh(stat->antenna) >> 4) & 0x7;
-       agc  = (le16toh(stat->agc) >> 7) & 0x7f;
+       mask = (le16toh(phy->antenna) >> 4) & 0x7;
+       agc  = (le16toh(phy->agc) >> 7) & 0x7f;
 
        rssi = 0;
-       if (mask & (1 << 0))    /* Ant A */
-               rssi = max(rssi, stat->rssi[0]);
-       if (mask & (1 << 1))    /* Ant B */
-               rssi = max(rssi, stat->rssi[2]);
-       if (mask & (1 << 2))    /* Ant C */
-               rssi = max(rssi, stat->rssi[4]);
+       if (mask & IWN_ANT_A)
+               rssi = MAX(rssi, phy->rssi[0]);
+       if (mask & IWN_ANT_B)
+               rssi = MAX(rssi, phy->rssi[2]);
+       if (mask & IWN_ANT_C)
+               rssi = MAX(rssi, phy->rssi[4]);
+
+       return rssi - agc - IWN_RSSI_TO_DBM;
+}
+
+static int
+iwn5000_get_rssi(const struct iwn_rx_stat *stat)
+{
+       const struct iwn5000_rx_phystat *phy = (const void *)stat->phybuf;
+       uint8_t agc;
+       int rssi;
+
+       agc = (le32toh(phy->agc) >> 9) & 0x7f;
+
+       rssi = MAX(le16toh(phy->rssi[0]) & 0xff,
+                  le16toh(phy->rssi[1]) & 0xff);
+       rssi = MAX(le16toh(phy->rssi[2]) & 0xff, rssi);
 
        return rssi - agc - IWN_RSSI_TO_DBM;
 }
 
 /*
- * Get the average noise among Rx antennas (in dBm).
+ * Retrieve the average noise (in dBm) among receivers.
  */
 static int
 iwn_get_noise(const struct iwn_rx_general_stats *stats)
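Review bot: `iwn4965_get_rssi` and `iwn5000_get_rssi` both reinterpret `stat->phybuf` as a chip-specific structure via `(const void *)` without any size check, so fields such as `phy->rssi[4]` and `phy->agc` are read on trust. The definition of `struct iwn_rx_stat` is not visible here; if `phybuf` is a fixed-size array, an assertion like `KASSERT(sizeof(*phy) <= sizeof(stat->phybuf));` in each function would catch a layout mismatch, and if the firmware reports a PHY length, comparing it against `sizeof(*phy)` before the reads would be the runtime equivalent. `iwn5000_get_rssi` also takes the maximum over three `rssi[]` entries without consulting an antenna mask as the 4965 variant does; a comment saying whether that is intended would help. Neither `iwn5000_set_txpower` nor `iwn5000_get_rssi` has a header comment like the one on `iwn4965_get_rssi`.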
@@ -2842,15 +3602,15 @@ iwn_get_noise(const struct iwn_rx_genera
                total += noise;
                nbant++;
        }
-       /* there should be at least one antenna but check anyway */
+       /* There should be at least one antenna but check anyway. */
        return (nbant == 0) ? -127 : (total / nbant) - 107;
 }
 
 /*
- * Read temperature (in degC) from the on-board thermal sensor.
+ * Compute temperature (in degC) from last received statistics.
  */
 static int
-iwn_get_temperature(struct iwn_softc *sc)
+iwn4965_get_temperature(struct iwn_softc *sc)
 {
        struct iwn_ucode_info *uc = &sc->ucode_info;
        int32_t r1, r2, r3, r4, temp;
@@ -2860,12 +3620,12 @@ iwn_get_temperature(struct iwn_softc *sc
        r3 = le32toh(uc->temp[2].chan20MHz);
        r4 = le32toh(sc->rawtemp);
 
-       if (r1 == r3)   /* prevents division by 0 (should not happen) */
+       if (r1 == r3)   /* Prevents division by 0 (should not happen.) */
                return 0;
 
-       /* sign-extend 23-bit R4 value to 32-bit */
+       /* Sign-extend 23-bit R4 value to 32-bit. */
        r4 = (r4 << 8) >> 8;
-       /* compute temperature */
+       /* Compute temperature in Kelvin. */
        temp = (259 * (r4 - r2)) / (r3 - r1);
        temp = (temp * 97) / 100 + 8;
 
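Review bot: The sign extension `r4 = (r4 << 8) >> 8;` left-shifts a signed `int32_t`, which is undefined when the result does not fit, and relies on an arithmetic right shift that is implementation-defined; the hunk only re-capitalises the comment above it. The shift count keeps 24 bits while the comment says 23-bit, so one of the two is off. A form without signed shifts is `r4 = ((r4 & 0xffffff) ^ 0x800000) - 0x800000;`, with the comment adjusted to the width actually intended. The function starts before this hunk and its tail is in the next one.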
@@ -2873,375 +3633,733 @@ iwn_get_temperature(struct iwn_softc *sc
        return IWN_KTOC(temp);
 }
 
+static int
+iwn5000_get_temperature(struct iwn_softc *sc)
+{
+       /*
+        * Temperature is not used by the driver for 5000 Series because
+        * TX power calibration is handled by firmware.  We export it to
+        * users through the sensor framework though.
+        */
+       return le32toh(sc->rawtemp);
+}
+
 /*
  * Initialize sensitivity calibration state machine.
  */
 static int
 iwn_init_sensitivity(struct iwn_softc *sc)
 {
+       const struct iwn_hal *hal = sc->sc_hal;
        struct iwn_calib_state *calib = &sc->calib;
-       struct iwn_phy_calib_cmd cmd;
+       uint32_t flags;
        int error;
 
-       /* reset calibration state */
+       /* Reset calibration state machine. */
        memset(calib, 0, sizeof (*calib));
        calib->state = IWN_CALIB_STATE_INIT;
        calib->cck_state = IWN_CCK_STATE_HIFA;
-       /* initial values taken from the reference driver */
-       calib->corr_ofdm_x1     = 105;
-       calib->corr_ofdm_mrc_x1 = 220;
-       calib->corr_ofdm_x4     =  90;
-       calib->corr_ofdm_mrc_x4 = 170;
-       calib->corr_cck_x4      = 125;
-       calib->corr_cck_mrc_x4  = 200;
-       calib->energy_cck       = 100;
+       /* Set initial correlation values. */
+       calib->ofdm_x1     = hal->limits->min_ofdm_x1;
+       calib->ofdm_mrc_x1 = hal->limits->min_ofdm_mrc_x1;
+       calib->ofdm_x4     = 90;
+       calib->ofdm_mrc_x4 = hal->limits->min_ofdm_mrc_x4;
+       calib->cck_x4      = 125;
+       calib->cck_mrc_x4  = hal->limits->min_cck_mrc_x4;
+       calib->energy_cck  = hal->limits->energy_cck;
 
-       /* write initial sensitivity values */
+       /* Write initial sensitivity. */
        if ((error = iwn_send_sensitivity(sc)) != 0)
                return error;
 
-       memset(&cmd, 0, sizeof cmd);
-       cmd.code = IWN_SET_DIFF_GAIN;
-       /* differential gains initially set to 0 for all 3 antennas */
-       DPRINTF(("setting differential gains\n"));
-       return iwn_cmd(sc, IWN_PHY_CALIB, &cmd, sizeof cmd, 1);
+       /* Write initial gains. */
+       if ((error = hal->init_gains(sc)) != 0)
+               return error;
+
+       /* Request statistics at each beacon interval. */
+       flags = 0;
+       DPRINTF(("sending request for statistics\n"));
+       return iwn_cmd(sc, IWN_CMD_GET_STATISTICS, &flags, sizeof flags, 1);
 }
 
 /*
  * Collect noise and RSSI statistics for the first 20 beacons received
  * after association and use them to determine connected antennas and
- * set differential gains.
+ * to set differential gains.
  */
 static void
-iwn_compute_differential_gain(struct iwn_softc *sc,
+iwn_collect_noise(struct iwn_softc *sc,
     const struct iwn_rx_general_stats *stats)
 {
+       const struct iwn_hal *hal = sc->sc_hal;
        struct iwn_calib_state *calib = &sc->calib;
-       struct iwn_phy_calib_cmd cmd;
-       int i, val;
+       uint32_t val;
+       int i;
 
-       /* accumulate RSSI and noise for all 3 antennas */
+       /* Accumulate RSSI and noise for all 3 antennas. */
        for (i = 0; i < 3; i++) {
                calib->rssi[i] += le32toh(stats->rssi[i]) & 0xff;
                calib->noise[i] += le32toh(stats->noise[i]) & 0xff;
        }
-
-       /* we update differential gain only once after 20 beacons */
+       /* NB: We update differential gains only once after 20 beacons. */
        if (++calib->nbeacons < 20)
                return;
 
-       /* determine antenna with highest average RSSI */
-       val = max(calib->rssi[0], calib->rssi[1]);
-       val = max(calib->rssi[2], val);
+       /* Determine highest average RSSI. */
+       val = MAX(calib->rssi[0], calib->rssi[1]);
+       val = MAX(calib->rssi[2], val);
 
-       /* determine which antennas are connected */
+       /* Determine which antennas are connected. */
        sc->antmsk = 0;
        for (i = 0; i < 3; i++)
                if (val - calib->rssi[i] <= 15 * 20)
                        sc->antmsk |= 1 << i;
-       /* if neither Ant A and Ant B are connected.. */
-       if ((sc->antmsk & (1 << 0 | 1 << 1)) == 0)
-               sc->antmsk |= 1 << 1;   /* ..mark Ant B as connected! */
+       /* If none of the TX antennas are connected, keep at least one. */
+       if ((sc->antmsk & sc->txantmsk) == 0)
+               sc->antmsk |= IWN_LSB(sc->txantmsk);
+
+       (void)hal->set_gains(sc);
+       calib->state = IWN_CALIB_STATE_RUN;
+
+#ifdef notyet
+       /* XXX Disable RX chains with no antennas connected. */
+       sc->rxon.rxchain = htole16(IWN_RXCHAIN_SEL(sc->antmsk));
+       (void)iwn_cmd(sc, IWN_CMD_CONFIGURE, &sc->rxon, hal->rxonsz, 1);
+
+       /* Enable power-saving mode if requested by user. */
+       if (sc->sc_ic.ic_flags & IEEE80211_F_PMGTON)
+               (void)iwn_set_pslevel(sc, 0, 3, 1);
+#endif
+}
+
+static int
+iwn4965_init_gains(struct iwn_softc *sc)
+{
+       struct iwn_phy_calib_gain cmd;
+
+       memset(&cmd, 0, sizeof cmd);
+       cmd.code = IWN4965_PHY_CALIB_DIFF_GAIN;
+       /* Differential gains initially set to 0 for all 3 antennas. */
+       DPRINTF(("setting initial differential gains\n"));
+       return iwn_cmd(sc, IWN_CMD_PHY_CALIB, &cmd, sizeof cmd, 1);
+}
+
+static int
+iwn5000_init_gains(struct iwn_softc *sc)
+{
+       struct iwn_phy_calib cmd;
+
+       memset(&cmd, 0, sizeof cmd);
+       cmd.code = IWN5000_PHY_CALIB_RESET_NOISE_GAIN;
+       cmd.ngroups = 1;
+       cmd.isvalid = 1;
+       DPRINTF(("setting initial differential gains\n"));
+       return iwn_cmd(sc, IWN_CMD_PHY_CALIB, &cmd, sizeof cmd, 1);
+}
+
+static int
+iwn4965_set_gains(struct iwn_softc *sc)
+{
+       struct iwn_calib_state *calib = &sc->calib;
+       struct iwn_phy_calib_gain cmd;
+       int i, delta, noise;
 
-       /* get minimal noise among connected antennas */
-       val = INT_MAX;  /* ok, there's at least one */
+       /* Get minimal noise among connected antennas. */
+       noise = INT_MAX;        /* NB: There's at least one antenna. */
        for (i = 0; i < 3; i++)
                if (sc->antmsk & (1 << i))
-                       val = min(calib->noise[i], val);
+                       noise = MIN(calib->noise[i], noise);
 
        memset(&cmd, 0, sizeof cmd);
-       cmd.code = IWN_SET_DIFF_GAIN;
-       /* set differential gains for connected antennas */
+       cmd.code = IWN4965_PHY_CALIB_DIFF_GAIN;
+       /* Set differential gains for connected antennas. */
        for (i = 0; i < 3; i++) {
                if (sc->antmsk & (1 << i)) {
-                       cmd.gain[i] = (calib->noise[i] - val) / 30;
-                       /* limit differential gain to 3 */
-                       cmd.gain[i] = min(cmd.gain[i], 3);
-                       cmd.gain[i] |= IWN_GAIN_SET;
+                       /* Compute attenuation (in unit of 1.5dB). */
+                       delta = (noise - (int32_t)calib->noise[i]) / 30;
+                       /* NB: delta <= 0 */
+                       /* Limit to [-4.5dB,0]. */
+                       cmd.gain[i] = MIN(abs(delta), 3);
+                       if (delta < 0)
+                               cmd.gain[i] |= 1 << 2;  /* sign bit */
                }
        }
        DPRINTF(("setting differential gains Ant A/B/C: %x/%x/%x (%x)\n",
-               cmd.gain[0], cmd.gain[1], cmd.gain[2], sc->antmsk));
-       if (iwn_cmd(sc, IWN_PHY_CALIB, &cmd, sizeof cmd, 1) == 0)
-               calib->state = IWN_CALIB_STATE_RUN;
+           cmd.gain[0], cmd.gain[1], cmd.gain[2], sc->antmsk));
+       return iwn_cmd(sc, IWN_CMD_PHY_CALIB, &cmd, sizeof cmd, 1);
+}
+
+static int
+iwn5000_set_gains(struct iwn_softc *sc)
+{
+       struct iwn_calib_state *calib = &sc->calib;
+       struct iwn_phy_calib_gain cmd;
+       int i, delta;
+
+       memset(&cmd, 0, sizeof cmd);
+       cmd.code = IWN5000_PHY_CALIB_NOISE_GAIN;
+       cmd.ngroups = 1;
+       cmd.isvalid = 1;
+       /* Set differential gains for antennas B and C. */
+       for (i = 1; i < 3; i++) {
+               if (sc->antmsk & (1 << i)) {
+                       /* The delta is relative to antenna A. */
+                       delta = ((int32_t)calib->noise[0] -
+                           (int32_t)calib->noise[i]) / 30;
+                       /* Limit to [-4.5dB,+4.5dB]. */
+                       cmd.gain[i - 1] = MIN(abs(delta), 3);
+                       if (delta < 0)
+                               cmd.gain[i - 1] |= 1 << 2;      /* sign bit */
+               }
+       }
+       DPRINTF(("setting differential gains Ant B/C: %x/%x (%x)\n",
+           cmd.gain[0], cmd.gain[1], sc->antmsk));
+       return iwn_cmd(sc, IWN_CMD_PHY_CALIB, &cmd, sizeof cmd, 1);
 }
 
 /*
- * Tune RF Rx sensitivity based on the number of false alarms detected
+ * Tune RF RX sensitivity based on the number of false alarms detected
  * during the last beacon period.
  */
 static void
 iwn_tune_sensitivity(struct iwn_softc *sc, const struct iwn_rx_stats *stats)
 {
-#define inc_clip(val, inc, max)                                                
\
-       if ((val) < (max)) {                                            \
-               if ((val) < (max) - (inc))                              \
-                       (val) += (inc);                                 \
-               else                                                    \
-                       (val) = (max);                                  \
-               needs_update = 1;                                       \
-       }
-#define dec_clip(val, dec, min)                                                
\
-       if ((val) > (min)) {                                            \
-               if ((val) > (min) + (dec))                              \
-                       (val) -= (dec);                                 \
-               else                                                    \
-                       (val) = (min);                                  \
-               needs_update = 1;                                       \
+#define inc(val, inc, max)                     \
+       if ((val) < (max)) {                    \
+               if ((val) < (max) - (inc))      \
+                       (val) += (inc);         \
+               else                            \
+                       (val) = (max);          \
+               needs_update = 1;               \
+       }
+#define dec(val, dec, min)                     \
+       if ((val) > (min)) {                    \
+               if ((val) > (min) + (dec))      \
+                       (val) -= (dec);         \
+               else                            \
+                       (val) = (min);          \
+               needs_update = 1;               \
        }
 
+       const struct iwn_hal *hal = sc->sc_hal;
+       const struct iwn_sensitivity_limits *limits = hal->limits;
        struct iwn_calib_state *calib = &sc->calib;
        uint32_t val, rxena, fa;
        uint32_t energy[3], energy_min;
        uint8_t noise[3], noise_ref;
        int i, needs_update = 0;
 
-       /* check that we've been enabled long enough */
+       /* Check that we've been enabled long enough. */
        if ((rxena = le32toh(stats->general.load)) == 0)
                return;
 
-       /* compute number of false alarms since last call for OFDM */
+       /* Compute number of false alarms since last call for OFDM. */
        fa  = le32toh(stats->ofdm.bad_plcp) - calib->bad_plcp_ofdm;
        fa += le32toh(stats->ofdm.fa) - calib->fa_ofdm;
        fa *= 200 * 1024;       /* 200TU */
 
-       /* save counters values for next call */
+       /* Save counters values for next call. */
        calib->bad_plcp_ofdm = le32toh(stats->ofdm.bad_plcp);
        calib->fa_ofdm = le32toh(stats->ofdm.fa);
 
        if (fa > 50 * rxena) {
-               /* high false alarm count, decrease sensitivity */
+               /* High false alarm count, decrease sensitivity. */
                DPRINTFN(2, ("OFDM high false alarm count: %u\n", fa));
-               inc_clip(calib->corr_ofdm_x1,     1, 140);
-               inc_clip(calib->corr_ofdm_mrc_x1, 1, 270);
-               inc_clip(calib->corr_ofdm_x4,     1, 120);
-               inc_clip(calib->corr_ofdm_mrc_x4, 1, 210);
+               inc(calib->ofdm_x1,     1, limits->max_ofdm_x1);
+               inc(calib->ofdm_mrc_x1, 1, limits->max_ofdm_mrc_x1);
+               inc(calib->ofdm_x4,     1, limits->max_ofdm_x4);
+               inc(calib->ofdm_mrc_x4, 1, limits->max_ofdm_mrc_x4);
 
        } else if (fa < 5 * rxena) {
-               /* low false alarm count, increase sensitivity */
+               /* Low false alarm count, increase sensitivity. */
                DPRINTFN(2, ("OFDM low false alarm count: %u\n", fa));
-               dec_clip(calib->corr_ofdm_x1,     1, 105);
-               dec_clip(calib->corr_ofdm_mrc_x1, 1, 220);
-               dec_clip(calib->corr_ofdm_x4,     1,  85);
-               dec_clip(calib->corr_ofdm_mrc_x4, 1, 170);
+               dec(calib->ofdm_x1,     1, limits->min_ofdm_x1);
+               dec(calib->ofdm_mrc_x1, 1, limits->min_ofdm_mrc_x1);
+               dec(calib->ofdm_x4,     1, limits->min_ofdm_x4);
+               dec(calib->ofdm_mrc_x4, 1, limits->min_ofdm_mrc_x4);
        }
 
-       /* compute maximum noise among 3 antennas */
+       /* Compute maximum noise among 3 receivers. */
        for (i = 0; i < 3; i++)
                noise[i] = (le32toh(stats->general.noise[i]) >> 8) & 0xff;
-       val = max(noise[0], noise[1]);
-       val = max(noise[2], val);
-       /* insert it into our samples table */
+       val = MAX(noise[0], noise[1]);
+       val = MAX(noise[2], val);
+       /* Insert it into our samples table. */
        calib->noise_samples[calib->cur_noise_sample] = val;
        calib->cur_noise_sample = (calib->cur_noise_sample + 1) % 20;
 
-       /* compute maximum noise among last 20 samples */
+       /* Compute maximum noise among last 20 samples. */
        noise_ref = calib->noise_samples[0];
        for (i = 1; i < 20; i++)
-               noise_ref = max(noise_ref, calib->noise_samples[i]);
+               noise_ref = MAX(noise_ref, calib->noise_samples[i]);
 
-       /* compute maximum energy among 3 antennas */
+       /* Compute maximum energy among 3 receivers. */
        for (i = 0; i < 3; i++)
                energy[i] = le32toh(stats->general.energy[i]);
-       val = min(energy[0], energy[1]);
-       val = min(energy[2], val);
-       /* insert it into our samples table */
+       val = MIN(energy[0], energy[1]);
+       val = MIN(energy[2], val);
+       /* Insert it into our samples table. */
        calib->energy_samples[calib->cur_energy_sample] = val;
        calib->cur_energy_sample = (calib->cur_energy_sample + 1) % 10;
 
-       /* compute minimum energy among last 10 samples */
+       /* Compute minimum energy among last 10 samples. */
        energy_min = calib->energy_samples[0];
        for (i = 1; i < 10; i++)
-               energy_min = max(energy_min, calib->energy_samples[i]);
+               energy_min = MAX(energy_min, calib->energy_samples[i]);
        energy_min += 6;
 
-       /* compute number of false alarms since last call for CCK */
+       /* Compute number of false alarms since last call for CCK. */
        fa  = le32toh(stats->cck.bad_plcp) - calib->bad_plcp_cck;
        fa += le32toh(stats->cck.fa) - calib->fa_cck;
        fa *= 200 * 1024;       /* 200TU */
 
-       /* save counters values for next call */
+       /* Save counters values for next call. */
        calib->bad_plcp_cck = le32toh(stats->cck.bad_plcp);
        calib->fa_cck = le32toh(stats->cck.fa);
 
        if (fa > 50 * rxena) {
-               /* high false alarm count, decrease sensitivity */
+               /* High false alarm count, decrease sensitivity. */
                DPRINTFN(2, ("CCK high false alarm count: %u\n", fa));
                calib->cck_state = IWN_CCK_STATE_HIFA;
                calib->low_fa = 0;
 
-               if (calib->corr_cck_x4 > 160) {
+               if (calib->cck_x4 > 160) {
                        calib->noise_ref = noise_ref;
                        if (calib->energy_cck > 2)
-                               dec_clip(calib->energy_cck, 2, energy_min);
+                               dec(calib->energy_cck, 2, energy_min);
                }
-               if (calib->corr_cck_x4 < 160) {
-                       calib->corr_cck_x4 = 161;
+               if (calib->cck_x4 < 160) {
+                       calib->cck_x4 = 161;
                        needs_update = 1;
                } else
-                       inc_clip(calib->corr_cck_x4, 3, 200);
+                       inc(calib->cck_x4, 3, limits->max_cck_x4);
 
-               inc_clip(calib->corr_cck_mrc_x4, 3, 400);
+               inc(calib->cck_mrc_x4, 3, limits->max_cck_mrc_x4);
 
        } else if (fa < 5 * rxena) {
-               /* low false alarm count, increase sensitivity */
+               /* Low false alarm count, increase sensitivity. */
                DPRINTFN(2, ("CCK low false alarm count: %u\n", fa));
                calib->cck_state = IWN_CCK_STATE_LOFA;
                calib->low_fa++;
 
-               if (calib->cck_state != 0 &&
-                   ((calib->noise_ref - noise_ref) > 2 ||
-                       calib->low_fa > 100)) {
-                       inc_clip(calib->energy_cck,      2,  97);
-                       dec_clip(calib->corr_cck_x4,     3, 125);
-                       dec_clip(calib->corr_cck_mrc_x4, 3, 200);
+               if (calib->cck_state != IWN_CCK_STATE_INIT &&
+                   (((int32_t)calib->noise_ref - (int32_t)noise_ref) > 2 ||
+                    calib->low_fa > 100)) {
+                       inc(calib->energy_cck, 2, limits->min_energy_cck);
+                       dec(calib->cck_x4,     3, limits->min_cck_x4);
+                       dec(calib->cck_mrc_x4, 3, limits->min_cck_mrc_x4);
                }
        } else {
-               /* not worth to increase or decrease sensitivity */
+               /* Not worth to increase or decrease sensitivity. */
                DPRINTFN(2, ("CCK normal false alarm count: %u\n", fa));
                calib->low_fa = 0;
                calib->noise_ref = noise_ref;
 
                if (calib->cck_state == IWN_CCK_STATE_HIFA) {
-                       /* previous interval had many false alarms */
-                       dec_clip(calib->energy_cck, 8, energy_min);
+                       /* Previous interval had many false alarms. */
+                       dec(calib->energy_cck, 8, energy_min);
                }
                calib->cck_state = IWN_CCK_STATE_INIT;
        }
 
        if (needs_update)
                (void)iwn_send_sensitivity(sc);
-#undef dec_clip
-#undef inc_clip
+#undef dec
+#undef inc
 }
 
 static int
 iwn_send_sensitivity(struct iwn_softc *sc)
 {
+       const struct iwn_hal *hal = sc->sc_hal;
        struct iwn_calib_state *calib = &sc->calib;
        struct iwn_sensitivity_cmd cmd;
 
        memset(&cmd, 0, sizeof cmd);
        cmd.which = IWN_SENSITIVITY_WORKTBL;
-       /* OFDM modulation */
-       cmd.corr_ofdm_x1     = le16toh(calib->corr_ofdm_x1);
-       cmd.corr_ofdm_mrc_x1 = le16toh(calib->corr_ofdm_mrc_x1);
-       cmd.corr_ofdm_x4     = le16toh(calib->corr_ofdm_x4);
-       cmd.corr_ofdm_mrc_x4 = le16toh(calib->corr_ofdm_mrc_x4);
-       cmd.energy_ofdm      = le16toh(100);
-       cmd.energy_ofdm_th   = le16toh(62);
-       /* CCK modulation */
-       cmd.corr_cck_x4      = le16toh(calib->corr_cck_x4);
-       cmd.corr_cck_mrc_x4  = le16toh(calib->corr_cck_mrc_x4);
-       cmd.energy_cck       = le16toh(calib->energy_cck);
-       /* Barker modulation: use default values */
-       cmd.corr_barker      = le16toh(190);
-       cmd.corr_barker_mrc  = le16toh(390);
-
-       DPRINTFN(2, ("setting sensitivity\n"));
-       return iwn_cmd(sc, IWN_SENSITIVITY, &cmd, sizeof cmd, 1);
+       /* OFDM modulation. */
+       cmd.corr_ofdm_x1     = htole16(calib->ofdm_x1);
+       cmd.corr_ofdm_mrc_x1 = htole16(calib->ofdm_mrc_x1);
+       cmd.corr_ofdm_x4     = htole16(calib->ofdm_x4);
+       cmd.corr_ofdm_mrc_x4 = htole16(calib->ofdm_mrc_x4);
+       cmd.energy_ofdm      = htole16(hal->limits->energy_ofdm);
+       cmd.energy_ofdm_th   = htole16(62);
+       /* CCK modulation. */
+       cmd.corr_cck_x4      = htole16(calib->cck_x4);
+       cmd.corr_cck_mrc_x4  = htole16(calib->cck_mrc_x4);
+       cmd.energy_cck       = htole16(calib->energy_cck);
+       /* Barker modulation: use default values. */
+       cmd.corr_barker      = htole16(190);
+       cmd.corr_barker_mrc  = htole16(390);
+
+       DPRINTFN(2, ("setting sensitivity %d/%d/%d/%d/%d/%d/%d\n",
+           calib->ofdm_x1, calib->ofdm_mrc_x1, calib->ofdm_x4,
+           calib->ofdm_mrc_x4, calib->cck_x4, calib->cck_mrc_x4,
+           calib->energy_cck));
+       return iwn_cmd(sc, IWN_CMD_SET_SENSITIVITY, &cmd, sizeof cmd, 1);
 }
 
+#if 0
+/*
+ * Set STA mode power saving level (between 0 and 5).
+ * Level 0 is CAM (Continuously Aware Mode), 5 is for maximum power saving.
+ */
 static int
-iwn_add_node(struct iwn_softc *sc, struct ieee80211_node *ni, bool broadcast,
-            bool async, uint32_t htflags)
+iwn_set_pslevel(struct iwn_softc *sc, int dtim, int level, int async)
 {
-       struct iwn_node_info node;
-       int error;
-
-       error = 0;
+       struct iwn_pmgt_cmd cmd;
+       const struct iwn_pmgt *pmgt;
+       uint32_t umax, skip_dtim;
+       pcireg_t reg;
+       int i;
 
-       memset(&node, 0, sizeof node);
-       if (broadcast == true) {
-               IEEE80211_ADDR_COPY(node.macaddr, etherbroadcastaddr);
-               node.id = IWN_ID_BROADCAST;
-               DPRINTF(("adding broadcast node\n"));
-       } else {
-               IEEE80211_ADDR_COPY(node.macaddr, ni->ni_macaddr);
-               node.id = IWN_ID_BSS;
-               node.htflags = htole32(htflags);
-               DPRINTF(("adding BSS node\n"));
-       }
+       /* Select which PS parameters to use. */
+       if (dtim <= 2)
+               pmgt = &iwn_pmgt[0][level];
+       else if (dtim <= 10)
+               pmgt = &iwn_pmgt[1][level];
+       else
+               pmgt = &iwn_pmgt[2][level];
 
-       error = iwn_cmd(sc, IWN_CMD_ADD_NODE, &node, sizeof node, async);
-       if (error != 0) {
-               aprint_error_dev(sc->sc_dev, "could not add %s node\n",
-                                (broadcast == 1)? "broadcast" : "BSS");
-               return error;
-       }
-       DPRINTF(("setting MRR for node %d\n", node.id));
-       if ((error = iwn_setup_node_mrr(sc, node.id, async)) != 0) {
-               aprint_error_dev(sc->sc_dev,
-                                "could not setup MRR for %s node\n",
-                                (broadcast == 1)? "broadcast" : "BSS");
-               return error;
-       }
+       memset(&cmd, 0, sizeof cmd);
+       if (level != 0) /* not CAM */
+               cmd.flags |= htole16(IWN_PS_ALLOW_SLEEP);
+       if (level == 5)
+               cmd.flags |= htole16(IWN_PS_FAST_PD);
+       /* Retrieve PCIe Active State Power Management (ASPM). */
+       reg = pci_conf_read(sc->sc_pct, sc->sc_pcitag,
+           sc->sc_cap_off + PCI_PCIE_LCSR);
+       if (!(reg & PCI_PCIE_LCSR_ASPM_L0S))    /* L0s Entry disabled. */
+               cmd.flags |= htole16(IWN_PS_PCI_PMGT);
+       cmd.rxtimeout = htole32(pmgt->rxtimeout * 1024);
+       cmd.txtimeout = htole32(pmgt->txtimeout * 1024);
+
+       if (dtim == 0) {
+               dtim = 1;
+               skip_dtim = 0;
+       } else
+               skip_dtim = pmgt->skip_dtim;
+       if (skip_dtim != 0) {
+               cmd.flags |= htole16(IWN_PS_SLEEP_OVER_DTIM);
+               umax = pmgt->intval[4];
+               if (umax == (uint32_t)-1)
+                       umax = dtim * (skip_dtim + 1);
+               else if (umax > dtim)
+                       umax = (umax / dtim) * dtim;
+       } else
+               umax = dtim;
+       for (i = 0; i < 5; i++)
+               cmd.intval[i] = htole32(MIN(umax, pmgt->intval[i]));
 
-       return error;
+       DPRINTF(("setting power saving level to %d\n", level));
+       return iwn_cmd(sc, IWN_CMD_SET_POWER_MODE, &cmd, sizeof cmd, async);
 }
+#endif
 
 static int
-iwn_auth(struct iwn_softc *sc)
+iwn_config(struct iwn_softc *sc)
 {
+       const struct iwn_hal *hal = sc->sc_hal;
        struct ieee80211com *ic = &sc->sc_ic;
-       struct ieee80211_node *ni = ic->ic_bss;
+       struct ifnet *ifp = ic->ic_ifp;
+       struct iwn_bluetooth bluetooth;
+       uint16_t rxchain;
        int error;
+       struct iwn_pmgt_cmd power;
 
-       sc->calib.state = IWN_CALIB_STATE_INIT;
 
-       /* update adapter's configuration */
-       sc->config.associd = 0;
-       IEEE80211_ADDR_COPY(sc->config.bssid, ni->ni_bssid);
-       sc->config.chan = ieee80211_chan2ieee(ic, ni->ni_chan);
-       sc->config.flags = htole32(IWN_CONFIG_TSF);
-       if (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan)) {
-               sc->config.flags |= htole32(IWN_CONFIG_AUTO |
-                   IWN_CONFIG_24GHZ);
-       }
-       switch (ic->ic_curmode) {
-       case IEEE80211_MODE_11A:
-               sc->config.cck_mask  = 0;
-               sc->config.ofdm_mask = 0x15;
-               break;
-       case IEEE80211_MODE_11B:
-               sc->config.cck_mask  = 0x03;
-               sc->config.ofdm_mask = 0;
-               break;
-       default:        /* assume 802.11b/g */
-               sc->config.cck_mask  = 0xf;
-               sc->config.ofdm_mask = 0x15;
+#if 0
+       /* Set power saving level to CAM during initialization. */
+       if ((error = iwn_set_pslevel(sc, 0, 0, 0)) != 0) {
+               aprint_error_dev(sc->sc_dev,
+                   "could not set power saving level\n");
+               return error;
        }
-
-/*     iwn_enable_tsf(sc, ni);*/
-       if (ic->ic_flags & IEEE80211_F_SHSLOT)
-               sc->config.flags |= htole32(IWN_CONFIG_SHSLOT);
-       if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
-               sc->config.flags |= htole32(IWN_CONFIG_SHPREAMBLE);
-       sc->config.filter &= ~htole32(IWN_FILTER_BSS);
-
-       DPRINTF(("config chan %d flags %x cck %x ofdm %x\n", sc->config.chan,
-               sc->config.flags, sc->config.cck_mask, sc->config.ofdm_mask));
-       error = iwn_cmd(sc, IWN_CMD_CONFIGURE, &sc->config,
-           sizeof (struct iwn_config), 1);
+#else
+       /* set power mode */
+       memset(&power, 0, sizeof power);
+       power.flags = htole16(/*IWN_POWER_CAM*/0 | 0x8);
+       DPRINTF(("setting power mode\n"));
+       error = iwn_cmd(sc, IWN_CMD_SET_POWER_MODE, &power, sizeof power, 0);
        if (error != 0) {
-               aprint_error_dev(sc->sc_dev, "could not configure\n");
+               aprint_error_dev(sc->sc_dev, "could not set power mode\n");
                return error;
        }
+#endif
 
-       /* configuration has changed, set Tx power accordingly */
-       if ((error = iwn_set_txpower(sc, ni->ni_chan, 1)) != 0) {
-               aprint_error_dev(sc->sc_dev, "could not set Tx power\n");
+       /* Configure bluetooth coexistence. */
+       memset(&bluetooth, 0, sizeof bluetooth);
+       bluetooth.flags = 3;
+       bluetooth.lead = 0xaa;
+       bluetooth.kill = 1;
+       DPRINTF(("configuring bluetooth coexistence\n"));
+       error = iwn_cmd(sc, IWN_CMD_BT_COEX, &bluetooth, sizeof bluetooth, 0);
+       if (error != 0) {
+               aprint_error_dev(sc->sc_dev,
+                   "could not configure bluetooth coexistence\n");
                return error;
        }
 
-       /*
-        * Reconfiguring clears the adapter's nodes table so we must
-        * add the broadcast node again.
-        */
-       if ((error = iwn_add_node(sc, ni, true, true, 0)) != 0)
-               return error;
-
+       /* Configure adapter. */
+       memset(&sc->rxon, 0, sizeof (struct iwn_rxon));
+       IEEE80211_ADDR_COPY(ic->ic_myaddr, CLLADDR(ifp->if_sadl));
+       IEEE80211_ADDR_COPY(sc->rxon.myaddr, ic->ic_myaddr);
+       IEEE80211_ADDR_COPY(sc->rxon.wlap, ic->ic_myaddr);
+       /* Set default channel. */
+       sc->rxon.chan = htole16(ieee80211_chan2ieee(ic, ic->ic_ibss_chan));
+       sc->rxon.flags = htole32(IWN_RXON_TSF | IWN_RXON_CTS_TO_SELF);
+       if (IEEE80211_IS_CHAN_2GHZ(ic->ic_ibss_chan))
+               sc->rxon.flags |= htole32(IWN_RXON_AUTO | IWN_RXON_24GHZ);
+       switch (ic->ic_opmode) {
+       case IEEE80211_M_STA:
+               sc->rxon.mode = IWN_MODE_STA;
+               sc->rxon.filter = htole32(IWN_FILTER_MULTICAST);
+               break;
+       case IEEE80211_M_MONITOR:
+               sc->rxon.mode = IWN_MODE_MONITOR;
+               sc->rxon.filter = htole32(IWN_FILTER_MULTICAST |
+                   IWN_FILTER_CTL | IWN_FILTER_PROMISC);
+               break;
+       default:
+               /* Should not get there. */
+               break;
+       }
+       sc->rxon.cck_mask  = 0x0f;      /* not yet negotiated */
+       sc->rxon.ofdm_mask = 0xff;      /* not yet negotiated */
+       sc->rxon.ht_single_mask = 0xff;
+       sc->rxon.ht_dual_mask = 0xff;
+       rxchain = IWN_RXCHAIN_VALID(IWN_ANT_ABC) | IWN_RXCHAIN_IDLE_COUNT(2) |
+           IWN_RXCHAIN_MIMO_COUNT(2);
+       sc->rxon.rxchain = htole16(rxchain);
+       DPRINTF(("setting configuration\n"));
+       error = iwn_cmd(sc, IWN_CMD_CONFIGURE, &sc->rxon, hal->rxonsz, 0);
+       if (error != 0) {
+               aprint_error_dev(sc->sc_dev, "configure command failed\n");
+               return error;
+       }
+
+       /* Configuration has changed, set TX power accordingly. */
+       if ((error = hal->set_txpower(sc, 0)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not set TX power\n");
+               return error;
+       }
+
+       if ((error = iwn_add_broadcast_node(sc, 0)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not add broadcast node\n");
+               return error;
+       }
+
+       if ((error = iwn_set_critical_temp(sc)) != 0) {
+               aprint_error_dev(sc->sc_dev,
+                   "could not set critical temperature\n");
+               return error;
+       }
+       return 0;
+}
+
+static int
+iwn_scan(struct iwn_softc *sc, uint16_t flags)
+{
+       struct ieee80211com *ic = &sc->sc_ic;
+       struct iwn_scan_hdr *hdr;
+       struct iwn_cmd_data *tx;
+       struct iwn_scan_chan *chan;
+       struct ieee80211_frame *wh;
+       struct ieee80211_rateset *rs;
+       struct ieee80211_channel *c;
+       enum ieee80211_phymode mode;
+       uint8_t *buf, *frm;
+       uint16_t rxchain;
+       uint8_t txant;
+       int buflen, error, nrates;
+
+       buf = malloc(IWN_SCAN_MAXSZ, M_DEVBUF, M_NOWAIT | M_ZERO);
+       if (buf == NULL) {
+               aprint_error_dev(sc->sc_dev,
+                   "could not allocate buffer for scan command\n");
+               return ENOMEM;
+       }
+       hdr = (struct iwn_scan_hdr *)buf;
+       /*
+        * Move to the next channel if no frames are received within 10ms
+        * after sending the probe request.
+        */
+       hdr->quiet_time = htole16(10);          /* timeout in milliseconds */
+       hdr->quiet_threshold = htole16(1);      /* min # of packets */
+
+       /* Select antennas for scanning. */
+       rxchain = IWN_RXCHAIN_FORCE | IWN_RXCHAIN_VALID(IWN_ANT_ABC) |
+           IWN_RXCHAIN_MIMO(IWN_ANT_ABC);
+       if ((flags & IEEE80211_CHAN_5GHZ) &&
+           sc->hw_type == IWN_HW_REV_TYPE_4965) {
+               /* Ant A must be avoided in 5GHz because of an HW bug. */
+               rxchain |= IWN_RXCHAIN_SEL(IWN_ANT_B | IWN_ANT_C);
+       } else  /* Use all available RX antennas. */
+               rxchain |= IWN_RXCHAIN_SEL(IWN_ANT_ABC);
+       hdr->rxchain = htole16(rxchain);
+       hdr->filter = htole32(IWN_FILTER_MULTICAST | IWN_FILTER_BEACON);
+
+       tx = &(hdr->tx_cmd);
+       tx->flags = htole32(IWN_TX_AUTO_SEQ);
+       tx->id = sc->sc_hal->broadcast_id;
+       tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
+
+       if (flags & IEEE80211_CHAN_5GHZ) {
+               hdr->crc_threshold = htole16(1);
+               /* Send probe requests at 6Mbps. */
+               tx->plcp = iwn_rates[IWN_RIDX_OFDM6].plcp;
+               rs = &ic->ic_sup_rates[IEEE80211_MODE_11A];
+       } else {
+               hdr->flags = htole32(IWN_RXON_24GHZ | IWN_RXON_AUTO);
+               /* Send probe requests at 1Mbps. */
+               tx->plcp = iwn_rates[IWN_RIDX_CCK1].plcp;
+               tx->rflags = IWN_RFLAG_CCK;
+               rs = &ic->ic_sup_rates[IEEE80211_MODE_11G];
+       }
+       /* Use the first valid TX antenna. */
+       txant = IWN_LSB(sc->txantmsk);
+       tx->rflags |= IWN_RFLAG_ANT(txant);
+
+       if (ic->ic_des_esslen != 0) {
+               hdr->scan_essid[0].id = IEEE80211_ELEMID_SSID;
+               hdr->scan_essid[0].len = ic->ic_des_esslen;
+               memcpy(hdr->scan_essid[0].data, ic->ic_des_essid, ic->ic_des_esslen);
+       }
+       /*
+        * Build a probe request frame.  Most of the following code is a
+        * copy & paste of what is done in net80211.
+        */
+       wh = &(hdr->wh);
+       wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
+           IEEE80211_FC0_SUBTYPE_PROBE_REQ;
+       wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
+       IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr);
+       IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
+       IEEE80211_ADDR_COPY(wh->i_addr3, etherbroadcastaddr);
+       *(uint16_t *)&wh->i_dur[0] = 0; /* filled by HW */
+       *(uint16_t *)&wh->i_seq[0] = 0; /* filled by HW */
+
+       frm = &(hdr->data[0]);
+       /* add empty SSID IE */
+       *frm++ = IEEE80211_ELEMID_SSID;
+       *frm++ = 0;
+
+       mode = ieee80211_chan2mode(ic, ic->ic_ibss_chan);
+       rs = &ic->ic_sup_rates[mode];
+
+       /* add supported rates IE */
+       *frm++ = IEEE80211_ELEMID_RATES;
+       nrates = rs->rs_nrates;
+       if (nrates > IEEE80211_RATE_SIZE)
+               nrates = IEEE80211_RATE_SIZE;
+       *frm++ = nrates;
+       memcpy(frm, rs->rs_rates, nrates);
+       frm += nrates;
+
+       if (rs->rs_nrates > IEEE80211_RATE_SIZE) {
+               nrates = rs->rs_nrates - IEEE80211_RATE_SIZE;
+               *frm++ = IEEE80211_ELEMID_XRATES;
+               *frm++ = nrates;
+               memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates);
+               frm += nrates;
+       }
+
+       /* Set length of probe request. */
+       tx->len = htole16(frm - (uint8_t *)wh);
+
+       chan = (struct iwn_scan_chan *)frm;
+       for (c  = &ic->ic_channels[1];
+            c <= &ic->ic_channels[IEEE80211_CHAN_MAX]; c++) {
+               if ((c->ic_flags & flags) != flags)
+                       continue;
+
+               chan->chan = htole16(ieee80211_chan2ieee(ic, c));
+               DPRINTFN(2, ("adding channel %d\n", chan->chan));
+               chan->flags = 0;
+               if (!(c->ic_flags & IEEE80211_CHAN_PASSIVE))
+                       chan->flags |= htole32(IWN_CHAN_ACTIVE);
+               if (ic->ic_des_esslen != 0)
+                       chan->flags |= htole32(IWN_CHAN_NPBREQS(1));
+               chan->dsp_gain = 0x6e;
+               if (IEEE80211_IS_CHAN_5GHZ(c)) {
+                       chan->rf_gain = 0x3b;
+                       chan->active  = htole16(24);
+                       chan->passive = htole16(110);
+               } else {
+                       chan->rf_gain = 0x28;
+                       chan->active  = htole16(36);
+                       chan->passive = htole16(120);
+               }
+               hdr->nchan++;
+               chan++;
+       }
+
+       buflen = (uint8_t *)chan - buf;
+       hdr->len = htole16(buflen);
+
+       DPRINTF(("sending scan command nchan=%d\n", hdr->nchan));
+       error = iwn_cmd(sc, IWN_CMD_SCAN, buf, buflen, 1);
+       free(buf, M_DEVBUF);
+       return error;
+}
+
+static int
+iwn_auth(struct iwn_softc *sc)
+{
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct ieee80211com *ic = &sc->sc_ic;
+       struct ieee80211_node *ni = ic->ic_bss;
+       int error;
+
+       sc->calib.state = IWN_CALIB_STATE_INIT;
+
+       /* Update adapter's configuration. */
+       sc->rxon.associd = 0;
+       IEEE80211_ADDR_COPY(sc->rxon.bssid, ni->ni_bssid);
+       sc->rxon.chan = htole16(ieee80211_chan2ieee(ic, ni->ni_chan));
+       sc->rxon.flags = htole32(IWN_RXON_TSF | IWN_RXON_CTS_TO_SELF);
+       if (IEEE80211_IS_CHAN_2GHZ(ni->ni_chan))
+               sc->rxon.flags |= htole32(IWN_RXON_AUTO | IWN_RXON_24GHZ);
+       if (IEEE80211_IS_CHAN_A(ni->ni_chan)) {
+               sc->rxon.cck_mask  = 0;
+               sc->rxon.ofdm_mask = 0x15;
+       } else if (IEEE80211_IS_CHAN_B(ni->ni_chan)) {
+               sc->rxon.cck_mask  = 0x03;
+               sc->rxon.ofdm_mask = 0;
+       } else {        /* Assume 802.11b/g. */
+               sc->rxon.cck_mask  = 0x0f;
+               sc->rxon.ofdm_mask = 0x15;
+       }
+/*     iwn_enable_tsf(sc, ni);*/
+       if (ic->ic_flags & IEEE80211_F_SHSLOT)
+               sc->rxon.flags |= htole32(IWN_RXON_SHSLOT);
+       if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
+               sc->rxon.flags |= htole32(IWN_RXON_SHPREAMBLE);
+       sc->rxon.filter &= ~htole32(IWN_FILTER_BSS);
+
+       DPRINTF(("rxon chan %d flags %x cck %x ofdm %x\n", sc->rxon.chan,
+           sc->rxon.flags, sc->rxon.cck_mask, sc->rxon.ofdm_mask));
+       error = iwn_cmd(sc, IWN_CMD_CONFIGURE, &sc->rxon, hal->rxonsz, 1);
+       if (error != 0) {
+               aprint_error_dev(sc->sc_dev, "could not configure\n");
+               return error;
+       }
+
+       /* Configuration has changed, set TX power accordingly. */
+       if ((error = hal->set_txpower(sc, 1)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not set TX power\n");
+               return error;
+       }
+       /*
+        * Reconfiguring RXON clears the firmware's nodes table so we must
+        * add the broadcast node again.
+        */
+       if ((error = iwn_add_broadcast_node(sc, 1)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not add broadcast node\n");
+               return error;
+       }
        /* add BSS node */
+       DPRINTF(("adding BSS node from auth\n"));
        if ((error = iwn_add_node(sc, ni, false, true, 0)) != 0)
                return error;
 
@@ -3249,660 +4367,1197 @@ iwn_auth(struct iwn_softc *sc)
                /* fake a join to init the tx rate */
                iwn_newassoc(ni, 1);
        }
-
+       
        if ((error = iwn_init_sensitivity(sc)) != 0) {
                aprint_error_dev(sc->sc_dev, "could not set sensitivity\n");
                return error;
        }
-
-
        return 0;
 }
 
-/*
- * Configure the adapter for associated state.
- */
 static int
 iwn_run(struct iwn_softc *sc)
 {
+       const struct iwn_hal *hal = sc->sc_hal;
        struct ieee80211com *ic = &sc->sc_ic;
        struct ieee80211_node *ni = ic->ic_bss;
        int error;
 
        if (ic->ic_opmode == IEEE80211_M_MONITOR) {
-               /* link LED blinks while monitoring */
+               /* Link LED blinks while monitoring. */
                iwn_set_led(sc, IWN_LED_LINK, 5, 5);
                return 0;
        }
+       if ((error = iwn_set_timing(sc, ni)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not set timing\n");
+               return error;
+       }
 
-       iwn_enable_tsf(sc, ni);
-
-       /* update adapter's configuration */
-       sc->config.associd = htole16(ni->ni_associd & ~0xc000);
-       /* short preamble/slot time are negotiated when associating */
-       sc->config.flags &= ~htole32(IWN_CONFIG_SHPREAMBLE |
-           IWN_CONFIG_SHSLOT);
+       /* Update adapter's configuration. */
+       sc->rxon.associd = htole16(IEEE80211_AID(ni->ni_associd));
+       /* Short preamble and slot time are negotiated when associating. */
+       sc->rxon.flags &= ~htole32(IWN_RXON_SHPREAMBLE | IWN_RXON_SHSLOT);
        if (ic->ic_flags & IEEE80211_F_SHSLOT)
-               sc->config.flags |= htole32(IWN_CONFIG_SHSLOT);
+               sc->rxon.flags |= htole32(IWN_RXON_SHSLOT);
        if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
-               sc->config.flags |= htole32(IWN_CONFIG_SHPREAMBLE);
-       sc->config.filter |= htole32(IWN_FILTER_BSS);
-
-       DPRINTF(("config chan %d flags %x\n", sc->config.chan,
-               sc->config.flags));
-       error = iwn_cmd(sc, IWN_CMD_CONFIGURE, &sc->config,
-           sizeof (struct iwn_config), 1);
+               sc->rxon.flags |= htole32(IWN_RXON_SHPREAMBLE);
+       sc->rxon.filter |= htole32(IWN_FILTER_BSS);
+       DPRINTF(("rxon chan %d flags %x\n", sc->rxon.chan, sc->rxon.flags));
+       error = iwn_cmd(sc, IWN_CMD_CONFIGURE, &sc->rxon, hal->rxonsz, 1);
        if (error != 0) {
                aprint_error_dev(sc->sc_dev,
-                       "could not update configuration\n");
+                   "could not update configuration\n");
                return error;
        }
 
-       /* configuration has changed, set Tx power accordingly */
-       if ((error = iwn_set_txpower(sc, ni->ni_chan, 1)) != 0) {
-               aprint_error_dev(sc->sc_dev, "could not set Tx power\n");
+       /* Configuration has changed, set TX power accordingly. */
+       if ((error = hal->set_txpower(sc, 1)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not set TX power\n");
                return error;
        }
 
-       /* add BSS node */
-       iwn_add_node(sc, ni, false, true,
-                    (3 << IWN_AMDPU_SIZE_FACTOR_SHIFT |
-                     5 << IWN_AMDPU_DENSITY_SHIFT));
+       /* Fake a join to initialize the TX rate. */
+       ((struct iwn_node *)ni)->id = IWN_ID_BSS;
+       iwn_newassoc(ni, 1);
+
+       /* Add BSS node. */
+       iwn_add_node(sc, ni, false, true, 0);
+       /* Start periodic calibration timer. */
+       sc->calib.state = IWN_CALIB_STATE_ASSOC;
+       sc->calib_cnt = 0;
+       callout_schedule(&sc->calib_to, hz / 2);
 
-       if (ic->ic_opmode == IEEE80211_M_STA) {
-               /* fake a join to init the tx rate */
-               iwn_newassoc(ni, 1);
+       /* Link LED always on while associated. */
+       iwn_set_led(sc, IWN_LED_LINK, 0, 1);
+       return 0;
+}
+
+static int
+iwn_wme_update(struct ieee80211com *ic)
+{
+#define IWN_EXP2(v)    htole16((1 << (v)) - 1)
+#define IWN_USEC(v)    htole16(IEEE80211_TXOP_TO_US(v))
+       struct iwn_softc *sc = ic->ic_ifp->if_softc;
+       const struct wmeParams *wmep;
+       struct iwn_edca_params cmd;
+       int ac;
+
+       /* don't override default WME values if WME is not actually enabled */
+       if (!(ic->ic_flags & IEEE80211_F_WME))
+               return 0;
+       cmd.flags = 0;
+       for (ac = 0; ac < WME_NUM_AC; ac++) {
+               wmep = &ic->ic_wme.wme_chanParams.cap_wmeParams[ac];
+               cmd.ac[ac].aifsn = wmep->wmep_aifsn;
+               cmd.ac[ac].cwmin = IWN_EXP2(wmep->wmep_logcwmin);
+               cmd.ac[ac].cwmax = IWN_EXP2(wmep->wmep_logcwmax);
+               cmd.ac[ac].txoplimit  = IWN_USEC(wmep->wmep_txopLimit);
+
+               DPRINTF(("setting WME for queue %d aifsn=%d cwmin=%d cwmax=%d "
+                                       "txop=%d\n", ac, cmd.ac[ac].aifsn,
+                                       cmd.ac[ac].cwmin,
+                                       cmd.ac[ac].cwmax, cmd.ac[ac].txoplimit));
        }
+       return iwn_cmd(sc, IWN_CMD_EDCA_PARAMS, &cmd, sizeof cmd, 1);
+#undef IWN_USEC
+#undef IWN_EXP2
+}
 
-       if ((error = iwn_init_sensitivity(sc)) != 0) {
-               aprint_error_dev(sc->sc_dev, "could not set sensitivity\n");
-               return error;
+#if 0
+/*
+ * We support CCMP hardware encryption/decryption of unicast frames only.
+ * HW support for TKIP really sucks.  We should let TKIP die anyway.
+ */
+static int
+iwn_set_key(struct ieee80211com *ic, struct ieee80211_node *ni,
+    struct ieee80211_key *k)
+{
+       struct iwn_softc *sc = ic->ic_softc;
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct iwn_node *wn = (void *)ni;
+       struct iwn_node_info node;
+       uint16_t kflags;
+
+       if ((k->k_flags & IEEE80211_KEY_GROUP) ||
+           k->k_cipher != IEEE80211_CIPHER_CCMP)
+               return ieee80211_set_key(ic, ni, k);
+
+       kflags = IWN_KFLAG_CCMP | IWN_KFLAG_MAP | IWN_KFLAG_KID(k->k_id);
+       if (k->k_flags & IEEE80211_KEY_GROUP)
+               kflags |= IWN_KFLAG_GROUP;
+
+       memset(&node, 0, sizeof node);
+       node.id = (k->k_flags & IEEE80211_KEY_GROUP) ?
+           hal->broadcast_id : wn->id;
+       node.control = IWN_NODE_UPDATE;
+       node.flags = IWN_FLAG_SET_KEY;
+       node.kflags = htole16(kflags);
+       node.kid = k->k_id;
+       memcpy(node.key, k->k_key, k->k_len);
+       DPRINTF(("set key id=%d for node %d\n", k->k_id, node.id));
+       return hal->add_node(sc, &node, 1);
+}
+
+static void
+iwn_delete_key(struct ieee80211com *ic, struct ieee80211_node *ni,
+    struct ieee80211_key *k)
+{
+       struct iwn_softc *sc = ic->ic_softc;
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct iwn_node *wn = (void *)ni;
+       struct iwn_node_info node;
+
+       if ((k->k_flags & IEEE80211_KEY_GROUP) ||
+           k->k_cipher != IEEE80211_CIPHER_CCMP) {
+               /* See comment about other ciphers above. */
+               ieee80211_delete_key(ic, ni, k);
+               return;
        }
+       if (ic->ic_state != IEEE80211_S_RUN)
+               return; /* Nothing to do. */
+       memset(&node, 0, sizeof node);
+       node.id = (k->k_flags & IEEE80211_KEY_GROUP) ?
+           hal->broadcast_id : wn->id;
+       node.control = IWN_NODE_UPDATE;
+       node.flags = IWN_FLAG_SET_KEY;
+       node.kflags = htole16(IWN_KFLAG_INVALID);
+       node.kid = 0xff;
+       DPRINTF(("delete keys for node %d\n", node.id));
+       (void)hal->add_node(sc, &node, 1);
+}
 
-       /* start periodic calibration timer */
-       sc->calib.state = IWN_CALIB_STATE_ASSOC;
-       sc->calib_cnt = 0;
-       callout_schedule(&sc->calib_to, hz / 2);
+/*
+ * This function is called by upper layer when a ADDBA request is received
+ * from another STA and before the ADDBA response is sent.
+ */
+static int
+iwn_ampdu_rx_start(struct ieee80211com *ic, struct ieee80211_node *ni,
+    uint8_t tid, uint16_t ssn)
+{
+       struct iwn_softc *sc = ic->ic_softc;
+       struct iwn_node *wn = (void *)ni;
+       struct iwn_node_info node;
+
+       memset(&node, 0, sizeof node);
+       node.id = wn->id;
+       node.control = IWN_NODE_UPDATE;
+       node.flags = IWN_FLAG_SET_ADDBA;
+       node.addba_tid = tid;
+       node.addba_ssn = htole16(ssn);
+       DPRINTFN(2, ("ADDBA RA=%d TID=%d SSN=%d\n", wn->id, tid, ssn));
+       return sc->sc_hal->add_node(sc, &node, 1);
+}
+
+/*
+ * This function is called by upper layer on teardown of an HT-immediate
+ * Block Ack (eg. uppon receipt of a DELBA frame.)
+ */
+static void
+iwn_ampdu_rx_stop(struct ieee80211com *ic, struct ieee80211_node *ni,
+    uint8_t tid, uint16_t ssn)
+{
+       struct iwn_softc *sc = ic->ic_softc;
+       struct iwn_node *wn = (void *)ni;
+       struct iwn_node_info node;
+
+       memset(&node, 0, sizeof node);
+       node.id = wn->id;
+       node.control = IWN_NODE_UPDATE;
+       node.flags = IWN_FLAG_SET_DELBA;
+       node.delba_tid = tid;
+       DPRINTFN(2, ("DELBA RA=%d TID=%d\n", wn->id, tid));
+       (void)sc->sc_hal->add_node(sc, &node, 1);
+}
+
+/*
+ * This function is called by upper layer when a ADDBA response is received
+ * from another STA.
+ */
+static int
+iwn_ampdu_tx_start(struct ieee80211com *ic, struct ieee80211_node *ni,
+    uint8_t tid, uint16_t ssn)
+{
+       struct iwn_softc *sc = ic->ic_softc;
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct iwn_node *wn = (void *)ni;
+       struct iwn_node_info node;
+       int error;
+
+       /* Enable TX for the specified RA/TID. */
+       wn->disable_tid &= ~(1 << tid);
+       memset(&node, 0, sizeof node);
+       node.id = wn->id;
+       node.control = IWN_NODE_UPDATE;
+       node.flags = IWN_FLAG_SET_DISABLE_TID;
+       node.disable_tid = htole16(wn->disable_tid);
+       error = hal->add_node(sc, &node, 1);
+       if (error != 0)
+               return error;
+
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
+       hal->ampdu_tx_start(sc, ni, tid, ssn);
+       iwn_nic_unlock(sc);
+       return 0;
+}
+
+static void
+iwn_ampdu_tx_stop(struct ieee80211com *ic, struct ieee80211_node *ni,
+    uint8_t tid, uint16_t ssn)
+{
+       struct iwn_softc *sc = ic->ic_softc;
+
+       if (iwn_nic_lock(sc) != 0)
+               return;
+       sc->sc_hal->ampdu_tx_stop(sc, tid, ssn);
+       iwn_nic_unlock(sc);
+}
+
+static void
+iwn4965_ampdu_tx_start(struct iwn_softc *sc, struct ieee80211_node *ni,
+    uint8_t tid, uint16_t ssn)
+{
+       struct iwn_node *wn = (void *)ni;
+       int qid = 7 + tid;
+
+       /* Stop TX scheduler while we're changing its configuration. */
+       iwn_prph_write(sc, IWN4965_SCHED_QUEUE_STATUS(qid),
+           IWN4965_TXQ_STATUS_CHGACT);
+
+       /* Assign RA/TID translation to the queue. */
+       iwn_mem_write_2(sc, sc->sched_base + IWN4965_SCHED_TRANS_TBL(qid),
+           wn->id << 4 | tid);
+
+       /* Enable chain mode for the queue. */
+       iwn_prph_setbits(sc, IWN4965_SCHED_QCHAIN_SEL, 1 << qid);
+
+       /* Set starting sequence number from the ADDBA request. */
+       IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ssn);
+       iwn_prph_write(sc, IWN4965_SCHED_QUEUE_RDPTR(qid), ssn);
+
+       /* Set scheduler window size. */
+       iwn_mem_write(sc, sc->sched_base + IWN4965_SCHED_QUEUE_OFFSET(qid),
+           IWN_SCHED_WINSZ);
+       /* Set scheduler frame limit. */
+       iwn_mem_write(sc, sc->sched_base + IWN4965_SCHED_QUEUE_OFFSET(qid) + 4,
+           IWN_SCHED_LIMIT << 16);
+
+       /* Enable interrupts for the queue. */
+       iwn_prph_setbits(sc, IWN4965_SCHED_INTR_MASK, 1 << qid);
+
+       /* Mark the queue as active. */
+       iwn_prph_write(sc, IWN4965_SCHED_QUEUE_STATUS(qid),
+           IWN4965_TXQ_STATUS_ACTIVE | IWN4965_TXQ_STATUS_AGGR_ENA |
+           iwn_tid2fifo[tid] << 1);
+}
+
+static void
+iwn4965_ampdu_tx_stop(struct iwn_softc *sc, uint8_t tid, uint16_t ssn)
+{
+       int qid = 7 + tid;
+
+       /* Stop TX scheduler while we're changing its configuration. */
+       iwn_prph_write(sc, IWN4965_SCHED_QUEUE_STATUS(qid),
+           IWN4965_TXQ_STATUS_CHGACT);
+
+       /* Set starting sequence number from the ADDBA request. */
+       IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ssn);
+       iwn_prph_write(sc, IWN4965_SCHED_QUEUE_RDPTR(qid), ssn);
+
+       /* Disable interrupts for the queue. */
+       iwn_prph_clrbits(sc, IWN4965_SCHED_INTR_MASK, 1 << qid);
+
+       /* Mark the queue as inactive. */
+       iwn_prph_write(sc, IWN4965_SCHED_QUEUE_STATUS(qid),
+           IWN4965_TXQ_STATUS_INACTIVE | iwn_tid2fifo[tid] << 1);
+}
+
+static void
+iwn5000_ampdu_tx_start(struct iwn_softc *sc, struct ieee80211_node *ni,
+    uint8_t tid, uint16_t ssn)
+{
+       struct iwn_node *wn = (void *)ni;
+       int qid = 10 + tid;
+
+       /* Stop TX scheduler while we're changing its configuration. */
+       iwn_prph_write(sc, IWN5000_SCHED_QUEUE_STATUS(qid),
+           IWN5000_TXQ_STATUS_CHGACT);
+
+       /* Assign RA/TID translation to the queue. */
+       iwn_mem_write_2(sc, sc->sched_base + IWN5000_SCHED_TRANS_TBL(qid),
+           wn->id << 4 | tid);
+
+       /* Enable chain mode for the queue. */
+       iwn_prph_setbits(sc, IWN5000_SCHED_QCHAIN_SEL, 1 << qid);
+
+       /* Enable aggregation for the queue. */
+       iwn_prph_setbits(sc, IWN5000_SCHED_AGGR_SEL, 1 << qid);
 
-       if (0 == 1) { /* XXX don't do the beacon - we get a firmware error
-                        XXX when we try. Something is wrong with the
-                        XXX setup of the frame. Just don't ever call
-                        XXX the function but reference it to keep gcc happy
-                     */
-               /* now we are associated set up the beacon frame */
-               if ((error = iwn_setup_beacon(sc, ni))) {
+       /* Set starting sequence number from the ADDBA request. */
+       IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ssn);
+       iwn_prph_write(sc, IWN5000_SCHED_QUEUE_RDPTR(qid), ssn);
+
+       /* Set scheduler window size and frame limit. */
+       iwn_mem_write(sc, sc->sched_base + IWN5000_SCHED_QUEUE_OFFSET(qid) + 4,
+           IWN_SCHED_LIMIT << 16 | IWN_SCHED_WINSZ);
+
+       /* Enable interrupts for the queue. */
+       iwn_prph_setbits(sc, IWN5000_SCHED_INTR_MASK, 1 << qid);
+
+       /* Mark the queue as active. */
+       iwn_prph_write(sc, IWN5000_SCHED_QUEUE_STATUS(qid),
+           IWN5000_TXQ_STATUS_ACTIVE | iwn_tid2fifo[tid]);
+}
+
+static void
+iwn5000_ampdu_tx_stop(struct iwn_softc *sc, uint8_t tid, uint16_t ssn)
+{
+       int qid = 10 + tid;
+
+       /* Stop TX scheduler while we're changing its configuration. */
+       iwn_prph_write(sc, IWN5000_SCHED_QUEUE_STATUS(qid),
+           IWN5000_TXQ_STATUS_CHGACT);
+
+       /* Disable aggregation for the queue. */
+       iwn_prph_clrbits(sc, IWN5000_SCHED_AGGR_SEL, 1 << qid);
+
+       /* Set starting sequence number from the ADDBA request. */
+       IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, ssn);
+       iwn_prph_write(sc, IWN5000_SCHED_QUEUE_RDPTR(qid), ssn);
+
+       /* Disable interrupts for the queue. */
+       iwn_prph_clrbits(sc, IWN5000_SCHED_INTR_MASK, 1 << qid);
+
+       /* Mark the queue as inactive. */
+       iwn_prph_write(sc, IWN5000_SCHED_QUEUE_STATUS(qid),
+           IWN5000_TXQ_STATUS_INACTIVE | iwn_tid2fifo[tid]);
+}
+#endif /* 0 */
+
+/*
+ * Query calibration tables from the initialization firmware.  We do this
+ * only once at first boot.  Called from a process context.
+ */
+static int
+iwn5000_query_calibration(struct iwn_softc *sc)
+{
+       struct iwn5000_calib_config cmd;
+       int error;
+
+       memset(&cmd, 0, sizeof cmd);
+       cmd.ucode.once.enable = 0xffffffff;
+       cmd.ucode.once.start  = 0xffffffff;
+       cmd.ucode.once.send   = 0xffffffff;
+       cmd.ucode.flags       = 0xffffffff;
+       DPRINTF(("sending calibration query\n"));
+       error = iwn_cmd(sc, IWN5000_CMD_CALIB_CONFIG, &cmd, sizeof cmd, 0);
+       if (error != 0)
+               return error;
+
+       /* Wait at most two seconds for calibration to complete. */
+       return tsleep(sc, PCATCH, "iwncal", 2 * hz);
+}
+
+/*
+ * Send calibration results to the runtime firmware.  These results were
+ * obtained on first boot from the initialization firmware.
+ */
+static int
+iwn5000_send_calibration(struct iwn_softc *sc)
+{
+       int idx, error;
+
+       for (idx = 0; idx < 5; idx++) {
+               if (sc->calibcmd[idx].buf == NULL)
+                       continue;       /* No results available. */
+               DPRINTF(("send calibration result idx=%d len=%d\n",
+                   idx, sc->calibcmd[idx].len));
+               error = iwn_cmd(sc, IWN_CMD_PHY_CALIB, sc->calibcmd[idx].buf,
+                   sc->calibcmd[idx].len, 0);
+               if (error != 0) {
                        aprint_error_dev(sc->sc_dev,
-                                        "could not setup beacon frame\n");
+                           "could not send calibration result\n");
                        return error;
                }
        }
+       return 0;
+}
 
+/*
+ * This function is called after the runtime firmware notifies us of its
+ * readiness (called in a process context.)
+ */
+static int
+iwn4965_post_alive(struct iwn_softc *sc)
+{
+       int error, qid;
 
-       /* link LED always on while associated */
-       iwn_set_led(sc, IWN_LED_LINK, 0, 1);
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
+
+       /* Clear TX scheduler's state in SRAM. */
+       sc->sched_base = iwn_prph_read(sc, IWN_SCHED_SRAM_ADDR);
+       iwn_mem_set_region_4(sc, sc->sched_base + IWN4965_SCHED_CTX_OFF, 0,
+           IWN4965_SCHED_CTX_LEN);
+
+       /* Set physical address of TX scheduler rings (1KB aligned.) */
+       iwn_prph_write(sc, IWN4965_SCHED_DRAM_ADDR, sc->sched_dma.paddr >> 10);
+
+       IWN_SETBITS(sc, IWN_FH_TX_CHICKEN, IWN_FH_TX_CHICKEN_SCHED_RETRY);
+
+       /* Disable chain mode for all our 16 queues. */
+       iwn_prph_write(sc, IWN4965_SCHED_QCHAIN_SEL, 0);
+
+       for (qid = 0; qid < IWN4965_NTXQUEUES; qid++) {
+               iwn_prph_write(sc, IWN4965_SCHED_QUEUE_RDPTR(qid), 0);
+               IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, qid << 8 | 0);
+
+               /* Set scheduler window size. */
+               iwn_mem_write(sc, sc->sched_base +
+                   IWN4965_SCHED_QUEUE_OFFSET(qid), IWN_SCHED_WINSZ);
+               /* Set scheduler frame limit. */
+               iwn_mem_write(sc, sc->sched_base +
+                   IWN4965_SCHED_QUEUE_OFFSET(qid) + 4,
+                   IWN_SCHED_LIMIT << 16);
+       }
+
+       /* Enable interrupts for all our 16 queues. */
+       iwn_prph_write(sc, IWN4965_SCHED_INTR_MASK, 0xffff);
+       /* Identify TX FIFO rings (0-7). */
+       iwn_prph_write(sc, IWN4965_SCHED_TXFACT, 0xff);
 
+       /* Mark TX rings (4 EDCA + cmd + 2 HCCA) as active. */
+       for (qid = 0; qid < 7; qid++) {
+               static uint8_t qid2fifo[] = { 3, 2, 1, 0, 4, 5, 6 };
+               iwn_prph_write(sc, IWN4965_SCHED_QUEUE_STATUS(qid),
+                   IWN4965_TXQ_STATUS_ACTIVE | qid2fifo[qid] << 1);
+       }
+       iwn_nic_unlock(sc);
        return 0;
 }
 
 /*
- * Send a scan request to the firmware. Since this command is huge, we map it
- * into a mbuf instead of using the pre-allocated set of commands. this function
- * implemented as iwl4965_bg_request_scan in the linux driver.
+ * This function is called after the initialization or runtime firmware
+ * notifies us of its readiness (called in a process context.)
  */
 static int
-iwn_scan(struct iwn_softc *sc, uint16_t flags)
+iwn5000_post_alive(struct iwn_softc *sc)
 {
-       struct ieee80211com *ic = &sc->sc_ic;
-       struct iwn_tx_ring *ring = &sc->txq[4];
-       struct iwn_tx_desc *desc;
-       struct iwn_tx_data *data;
-       struct iwn_tx_cmd *cmd;
-       struct iwn_cmd_data *tx;
-       struct iwn_scan_hdr *hdr;
-       struct iwn_scan_essid *essid;
-       struct iwn_scan_chan *chan;
-       struct ieee80211_frame *wh;
-       struct ieee80211_rateset *rs;
-       struct ieee80211_channel *c;
-       enum ieee80211_phymode mode;
-       uint8_t *frm;
-       int pktlen, error, nrates;
+       struct iwn5000_wimax_coex wimax;
+       int error, qid;
 
-       desc = &ring->desc[ring->cur];
-       data = &ring->data[ring->cur];
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
 
-       /*
-        * allocate an mbuf and initialize it so that it contains a packet
-        * header. M_DONTWAIT can fail and MT_DATA means it is dynamically
-        * allocated.
-        */
-       MGETHDR(data->m, M_DONTWAIT, MT_DATA);
-       if (data->m == NULL) {
-               aprint_error_dev(sc->sc_dev, "could not allocate mbuf for scan command\n");
-               return ENOMEM;
-       }
+       /* Clear TX scheduler's state in SRAM. */
+       sc->sched_base = iwn_prph_read(sc, IWN_SCHED_SRAM_ADDR);
+       iwn_mem_set_region_4(sc, sc->sched_base + IWN5000_SCHED_CTX_OFF, 0,
+           IWN5000_SCHED_CTX_LEN);
+
+       /* Set physical address of TX scheduler rings (1KB aligned.) */
+       iwn_prph_write(sc, IWN5000_SCHED_DRAM_ADDR, sc->sched_dma.paddr >> 10);
+
+       IWN_SETBITS(sc, IWN_FH_TX_CHICKEN, IWN_FH_TX_CHICKEN_SCHED_RETRY);
+
+       /* Enable chain mode for all our 20 queues. */
+       iwn_prph_write(sc, IWN5000_SCHED_QCHAIN_SEL, 0xfffff);
+       iwn_prph_write(sc, IWN5000_SCHED_AGGR_SEL, 0);
+
+       for (qid = 0; qid < IWN5000_NTXQUEUES; qid++) {
+               iwn_prph_write(sc, IWN5000_SCHED_QUEUE_RDPTR(qid), 0);
+               IWN_WRITE(sc, IWN_HBUS_TARG_WRPTR, qid << 8 | 0);
+
+               iwn_mem_write(sc, sc->sched_base +
+                   IWN5000_SCHED_QUEUE_OFFSET(qid), 0);
+               /* Set scheduler window size and frame limit. */
+               iwn_mem_write(sc, sc->sched_base +
+                   IWN5000_SCHED_QUEUE_OFFSET(qid) + 4,
+                   IWN_SCHED_LIMIT << 16 | IWN_SCHED_WINSZ);
+       }
+
+       /* Enable interrupts for all our 20 queues. */
+       iwn_prph_write(sc, IWN5000_SCHED_INTR_MASK, 0xfffff);
+       /* Identify TX FIFO rings (0-7). */
+       iwn_prph_write(sc, IWN5000_SCHED_TXFACT, 0xff);
 
-       /*
-        * allocates and adds an mbuf cluster to a normal mbuf m. the how
-        * is M_DONTWAIT and the flag M_EXT is set upon success.
-        */
-       MCLGET(data->m, M_DONTWAIT);
-       if (!(data->m->m_flags & M_EXT)) {
-               m_freem(data->m);
-               data->m = NULL;
-               aprint_error_dev(sc->sc_dev, "could not allocate mbuf for scan command\n");
-               return ENOMEM;
+       /* Mark TX rings (4 EDCA + cmd + 2 HCCA) as active. */
+       for (qid = 0; qid < 7; qid++) {
+               static uint8_t qid2fifo[] = { 3, 2, 1, 0, 7, 5, 6 };
+               iwn_prph_write(sc, IWN5000_SCHED_QUEUE_STATUS(qid),
+                   IWN5000_TXQ_STATUS_ACTIVE | qid2fifo[qid]);
+       }
+       iwn_nic_unlock(sc);
+
+       /* Configure WiMAX (IEEE 802.16e) coexistence. */
+       memset(&wimax, 0, sizeof wimax);
+       DPRINTF(("Configuring WiMAX coexistence\n"));
+       error = iwn_cmd(sc, IWN5000_CMD_WIMAX_COEX, &wimax, sizeof wimax, 0);
+       if (error != 0) {
+               aprint_error_dev(sc->sc_dev,
+                   "could not configure WiMAX coexistence\n");
+               return error;
        }
 
-       /*
-        * returns a pointer to the data contained in the specified mbuf.
-        * in this case it is our iwn_tx_cmd. we initialize the basic
-        * members of the command here with exception to data[136].
-        */
-       cmd = mtod(data->m, struct iwn_tx_cmd *);
-       cmd->code = IWN_CMD_SCAN;
-       cmd->flags = 0;
-       cmd->qid = ring->qid;
-       cmd->idx = ring->cur;
+       if (sc->hw_type != IWN_HW_REV_TYPE_5150) {
+               struct iwn5000_phy_calib_crystal cmd;
 
-       hdr = (struct iwn_scan_hdr *)cmd->data;
-       memset(hdr, 0, sizeof (struct iwn_scan_hdr));
-       /*
-        * Move to the next channel if no packets are received within 5 msecs
-        * after sending the probe request (this helps to reduce the duration
-        * of active scans).
-        */
-       hdr->quiet = htole16(5);        /* timeout in milliseconds */
-       hdr->plcp_threshold = htole16(1);       /* min # of packets */
+               /* Perform crystal calibration. */
+               memset(&cmd, 0, sizeof cmd);
+               cmd.code = IWN5000_PHY_CALIB_CRYSTAL;
+               cmd.ngroups = 1;
+               cmd.isvalid = 1;
+               cmd.cap_pin[0] = le32toh(sc->eeprom_crystal) & 0xff;
+               cmd.cap_pin[1] = (le32toh(sc->eeprom_crystal) >> 16) & 0xff;
+               DPRINTF(("sending crystal calibration %d, %d\n",
+                   cmd.cap_pin[0], cmd.cap_pin[1]));
+               error = iwn_cmd(sc, IWN_CMD_PHY_CALIB, &cmd, sizeof cmd, 0);
+               if (error != 0) {
+                       aprint_error_dev(sc->sc_dev,
+                           "crystal calibration failed\n");
+                       return error;
+               }
+       }
+       if (sc->sc_flags & IWN_FLAG_FIRST_BOOT) {
+               /* Query calibration from the initialization firmware. */
+               if ((error = iwn5000_query_calibration(sc)) != 0) {
+                       aprint_error_dev(sc->sc_dev,
+                           "could not query calibration\n");
+                       return error;
+               }
+               /*
+                * We have the calibration results now so we can skip
+                * loading the initialization firmware next time.
+                */
+               sc->sc_flags &= ~IWN_FLAG_FIRST_BOOT;
+
+               /* Reboot (call ourselves recursively!) */
+               iwn_hw_stop(sc);
+               error = iwn_hw_init(sc);
+       } else {
+               /* Send calibration results to runtime firmware. */
+               error = iwn5000_send_calibration(sc);
+       }
+       return error;
+}
 
-       /* select Ant B and Ant C for scanning */
-       hdr->rxchain = htole16(0x3e1 | 7 << IWN_RXCHAIN_ANTMSK_SHIFT);
+/*
+ * The firmware boot code is small and is intended to be copied directly into
+ * the NIC internal memory (no DMA transfer.)
+ */
+static int
+iwn4965_load_bootcode(struct iwn_softc *sc, const uint8_t *ucode, int size)
+{
+       int error, ntries;
 
-       tx = (struct iwn_cmd_data *)(hdr + 1);
-       memset(tx, 0, sizeof (struct iwn_cmd_data));
-       /*
-        * linux
-        * flags = IWN_TX_AUTO_SEQ
-        *         0x200 is rate selection?
-        * id = ???
-        * lifetime = IWN_LIFETIME_INFINITE
-        *
-        */
-       tx->flags = htole32(IWN_TX_AUTO_SEQ | 0x200); // XXX
-       tx->id = IWN_ID_BROADCAST;
-       tx->lifetime = htole32(IWN_LIFETIME_INFINITE);
-       tx->rflags = IWN_RFLAG_ANT_B;
+       size /= sizeof (uint32_t);
 
-       if (flags & IEEE80211_CHAN_A) {
-               hdr->crc_threshold = htole16(1);
-               /* send probe requests at 6Mbps */
-               tx->rate = iwn_ridx_to_plcp[IWN_OFDM6];
-       } else {
-               hdr->flags = htole32(IWN_CONFIG_24GHZ | IWN_CONFIG_AUTO);
-               /* send probe requests at 1Mbps */
-               tx->rate = iwn_ridx_to_plcp[IWN_CCK1];
-               tx->rflags |= IWN_RFLAG_CCK;
-       }
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
 
-       essid = (struct iwn_scan_essid *)(tx + 1);
-       memset(essid, 0, 4 * sizeof (struct iwn_scan_essid));
-       essid[0].id  = IEEE80211_ELEMID_SSID;
-       essid[0].len = ic->ic_des_esslen;
-       memcpy(essid[0].data, ic->ic_des_essid, ic->ic_des_esslen);
+       /* Copy microcode image into NIC memory. */
+       iwn_prph_write_region_4(sc, IWN_BSM_SRAM_BASE,
+           (const uint32_t *)ucode, size);
 
-       /*
-        * Build a probe request frame.  Most of the following code is a
-        * copy & paste of what is done in net80211.
-        */
-       wh = (struct ieee80211_frame *)&essid[4];
-       wh->i_fc[0] = IEEE80211_FC0_VERSION_0 | IEEE80211_FC0_TYPE_MGT |
-           IEEE80211_FC0_SUBTYPE_PROBE_REQ;
-       wh->i_fc[1] = IEEE80211_FC1_DIR_NODS;
-       IEEE80211_ADDR_COPY(wh->i_addr1, etherbroadcastaddr);
-       IEEE80211_ADDR_COPY(wh->i_addr2, ic->ic_myaddr);
-       IEEE80211_ADDR_COPY(wh->i_addr3, etherbroadcastaddr);
-       *(u_int16_t *)&wh->i_dur[0] = 0;        /* filled by h/w */
-       *(u_int16_t *)&wh->i_seq[0] = 0;        /* filled by h/w */
+       iwn_prph_write(sc, IWN_BSM_WR_MEM_SRC, 0);
+       iwn_prph_write(sc, IWN_BSM_WR_MEM_DST, IWN_FW_TEXT_BASE);
+       iwn_prph_write(sc, IWN_BSM_WR_DWCOUNT, size);
 
-       frm = (uint8_t *)(wh + 1);
+       /* Start boot load now. */
+       iwn_prph_write(sc, IWN_BSM_WR_CTRL, IWN_BSM_WR_CTRL_START);
 
-       /* add empty SSID IE (firmware generates it for directed scans) */
-       *frm++ = IEEE80211_ELEMID_SSID;
-       *frm++ = 0;
+       /* Wait for transfer to complete. */
+       for (ntries = 0; ntries < 1000; ntries++) {
+               if (!(iwn_prph_read(sc, IWN_BSM_WR_CTRL) &
+                   IWN_BSM_WR_CTRL_START))
+                       break;
+               DELAY(10);
+       }
+       if (ntries == 1000) {
+               aprint_error_dev(sc->sc_dev, "could not load boot firmware\n");
+               iwn_nic_unlock(sc);
+               return ETIMEDOUT;
+       }
 
-       mode = ieee80211_chan2mode(ic, ic->ic_ibss_chan);
-       rs = &ic->ic_sup_rates[mode];
+       /* Enable boot after power up. */
+       iwn_prph_write(sc, IWN_BSM_WR_CTRL, IWN_BSM_WR_CTRL_START_EN);
 
-       /* add supported rates IE */
+       iwn_nic_unlock(sc);
+       return 0;
+}
 
-       *frm++ = IEEE80211_ELEMID_RATES;
-       nrates = rs->rs_nrates;
-       if (nrates > IEEE80211_RATE_SIZE)
-               nrates = IEEE80211_RATE_SIZE;
-       *frm++ = nrates;
-       memcpy(frm, rs->rs_rates, nrates);
-       frm += nrates;
+static int
+iwn4965_load_firmware(struct iwn_softc *sc)
+{
+       struct iwn_fw_info *fw = &sc->fw;
+       struct iwn_dma_info *dma = &sc->fw_dma;
+       int error;
 
-       /* add supported xrates IE */
+       /* Copy initialization sections into pre-allocated DMA-safe memory. */
+       memcpy(dma->vaddr, fw->init.data, fw->init.datasz);
+       bus_dmamap_sync(sc->sc_dmat, dma->map, 0, fw->init.datasz,
+           BUS_DMASYNC_PREWRITE);
+       memcpy((char *)dma->vaddr + IWN4965_FW_DATA_MAXSZ,
+           fw->init.text, fw->init.textsz);
+       bus_dmamap_sync(sc->sc_dmat, dma->map, IWN4965_FW_DATA_MAXSZ,
+           fw->init.textsz, BUS_DMASYNC_PREWRITE);
 
-       if (rs->rs_nrates > IEEE80211_RATE_SIZE) {
-               nrates = rs->rs_nrates - IEEE80211_RATE_SIZE;
-               *frm++ = IEEE80211_ELEMID_XRATES;
-               *frm++ = nrates;
-               memcpy(frm, rs->rs_rates + IEEE80211_RATE_SIZE, nrates);
-               frm += nrates;
+       /* Tell adapter where to find initialization sections. */
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
+       iwn_prph_write(sc, IWN_BSM_DRAM_DATA_ADDR, dma->paddr >> 4);
+       iwn_prph_write(sc, IWN_BSM_DRAM_DATA_SIZE, fw->init.datasz);
+       iwn_prph_write(sc, IWN_BSM_DRAM_TEXT_ADDR,
+           (dma->paddr + IWN4965_FW_DATA_MAXSZ) >> 4);
+       iwn_prph_write(sc, IWN_BSM_DRAM_TEXT_SIZE, fw->init.textsz);
+       iwn_nic_unlock(sc);
+
+       /* Load firmware boot code. */
+       error = iwn4965_load_bootcode(sc, fw->boot.text, fw->boot.textsz);
+       if (error != 0) {
+               aprint_error_dev(sc->sc_dev, "could not load boot firmware\n");
+               return error;
        }
+       /* Now press "execute". */
+       IWN_WRITE(sc, IWN_RESET, 0);
 
-       /* setup length of probe request */
-       tx->len = htole16(frm - (uint8_t *)wh);
+       /* Wait at most one second for first alive notification. */
+       if ((error = tsleep(sc, PCATCH, "iwninit", hz)) != 0) {
+               aprint_error_dev(sc->sc_dev,
+                   "timeout waiting for adapter to initialize\n");
+               return error;
+       }
 
-       chan = (struct iwn_scan_chan *)frm;
-       for (c  = &ic->ic_channels[1];
-            c <= &ic->ic_channels[IEEE80211_CHAN_MAX]; c++) {
-               if ((c->ic_flags & flags) != flags)
-                       continue;
+       /* Retrieve current temperature for initial TX power calibration. */
+       sc->rawtemp = sc->ucode_info.temp[3].chan20MHz;
+       sc->temp = iwn4965_get_temperature(sc);
 
-               chan->chan = ieee80211_chan2ieee(ic, c);
-               chan->flags = 0;
-               if (!(c->ic_flags & IEEE80211_CHAN_PASSIVE)) {
-                       chan->flags |= IWN_CHAN_ACTIVE;
-                       if (ic->ic_des_esslen != 0)
-                               chan->flags |= IWN_CHAN_DIRECT;
-               }
-               chan->dsp_gain = 0x6e;
-               if (IEEE80211_IS_CHAN_5GHZ(c)) {
-                       chan->rf_gain = 0x3b;
-                       chan->active  = htole16(10);
-                       chan->passive = htole16(110);
-               } else {
-                       chan->rf_gain = 0x28;
-                       chan->active  = htole16(20);
-                       chan->passive = htole16(120);
-               }
-               hdr->nchan++;
-               chan++;
+       /* Copy runtime sections into pre-allocated DMA-safe memory. */
+       memcpy(dma->vaddr, fw->main.data, fw->main.datasz);
+       bus_dmamap_sync(sc->sc_dmat, dma->map, 0, fw->main.datasz,
+           BUS_DMASYNC_PREWRITE);
+       memcpy((char *)dma->vaddr + IWN4965_FW_DATA_MAXSZ,
+           fw->main.text, fw->main.textsz);
+       bus_dmamap_sync(sc->sc_dmat, dma->map, IWN4965_FW_DATA_MAXSZ,
+           fw->main.textsz, BUS_DMASYNC_PREWRITE);
 
-               frm += sizeof (struct iwn_scan_chan);
-       }
+       /* Tell adapter where to find runtime sections. */
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
+       iwn_prph_write(sc, IWN_BSM_DRAM_DATA_ADDR, dma->paddr >> 4);
+       iwn_prph_write(sc, IWN_BSM_DRAM_DATA_SIZE, fw->main.datasz);
+       iwn_prph_write(sc, IWN_BSM_DRAM_TEXT_ADDR,
+           (dma->paddr + IWN4965_FW_DATA_MAXSZ) >> 4);
+       iwn_prph_write(sc, IWN_BSM_DRAM_TEXT_SIZE,
+           IWN_FW_UPDATED | fw->main.textsz);
+       iwn_nic_unlock(sc);
 
-       hdr->len = htole16(frm - (uint8_t *)hdr);
-       pktlen = frm - (uint8_t *)cmd;
+       return 0;
+}
 
-       error = bus_dmamap_load(sc->sc_dmat, data->map, cmd, pktlen, NULL,
-           BUS_DMA_NOWAIT);
-       if (error) {
-               aprint_error_dev(sc->sc_dev, "could not map scan command\n");
-               m_freem(data->m);
-               data->m = NULL;
+static int
+iwn5000_load_firmware_section(struct iwn_softc *sc, uint32_t dst,
+    const uint8_t *section, int size)
+{
+       struct iwn_dma_info *dma = &sc->fw_dma;
+       int error;
+
+       /* Copy firmware section into pre-allocated DMA-safe memory. */
+       memcpy(dma->vaddr, section, size);
+       bus_dmamap_sync(sc->sc_dmat, dma->map, 0, size, BUS_DMASYNC_PREWRITE);
+
+       if ((error = iwn_nic_lock(sc)) != 0)
                return error;
-       }
 
-       IWN_SET_DESC_NSEGS(desc, 1);
-       IWN_SET_DESC_SEG(desc, 0, data->map->dm_segs[0].ds_addr,
-           data->map->dm_segs[0].ds_len);
-       sc->shared->len[ring->qid][ring->cur] = htole16(8);
-       if (ring->cur < IWN_TX_WINDOW) {
-               sc->shared->len[ring->qid][ring->cur + IWN_TX_RING_COUNT] =
-                   htole16(8);
-       }
+       IWN_WRITE(sc, IWN_FH_TX_CONFIG(IWN_SRVC_CHNL),
+           IWN_FH_TX_CONFIG_DMA_PAUSE);
 
-       bus_dmamap_sync(sc->sc_dmat, data->map, 0,
-           data->map->dm_segs[0].ds_len, BUS_DMASYNC_PREWRITE);
+       IWN_WRITE(sc, IWN_FH_SRAM_ADDR(IWN_SRVC_CHNL), dst);
+       IWN_WRITE(sc, IWN_FH_TFBD_CTRL0(IWN_SRVC_CHNL),
+           IWN_LOADDR(dma->paddr));
+       IWN_WRITE(sc, IWN_FH_TFBD_CTRL1(IWN_SRVC_CHNL),
+           IWN_HIADDR(dma->paddr) << 28 | size);
+       IWN_WRITE(sc, IWN_FH_TXBUF_STATUS(IWN_SRVC_CHNL),
+           IWN_FH_TXBUF_STATUS_TBNUM(1) |
+           IWN_FH_TXBUF_STATUS_TBIDX(1) |
+           IWN_FH_TXBUF_STATUS_TFBD_VALID);
+
+       /* Kick Flow Handler to start DMA transfer. */
+       IWN_WRITE(sc, IWN_FH_TX_CONFIG(IWN_SRVC_CHNL),
+           IWN_FH_TX_CONFIG_DMA_ENA | IWN_FH_TX_CONFIG_CIRQ_HOST_ENDTFD);
 
-       /* kick cmd ring */
-       ring->cur = (ring->cur + 1) % IWN_TX_RING_COUNT;
-       IWN_WRITE(sc, IWN_TX_WIDX, ring->qid << 8 | ring->cur);
+       iwn_nic_unlock(sc);
 
-       return 0;       /* will be notified async. of failure/success */
+       /* Wait at most five seconds for FH DMA transfer to complete. */
+       return tsleep(sc, PCATCH, "iwninit", 5 * hz);
 }
 
 static int
-iwn_config(struct iwn_softc *sc)
+iwn5000_load_firmware(struct iwn_softc *sc)
 {
-       struct ieee80211com *ic = &sc->sc_ic;
-       struct ifnet *ifp = ic->ic_ifp;
-       struct iwn_power power;
-       struct iwn_bluetooth bluetooth;
+       struct iwn_fw_part *fw;
        int error;
 
-       /* set power mode */
-       memset(&power, 0, sizeof power);
-       power.flags = htole16(IWN_POWER_CAM | 0x8);
-       DPRINTF(("setting power mode\n"));
-       error = iwn_cmd(sc, IWN_CMD_SET_POWER_MODE, &power, sizeof power, 0);
+       /* Load the initialization firmware on first boot only. */
+       fw = (sc->sc_flags & IWN_FLAG_FIRST_BOOT) ?
+           &sc->fw.init : &sc->fw.main;
+
+       error = iwn5000_load_firmware_section(sc, IWN_FW_TEXT_BASE,
+           fw->text, fw->textsz);
        if (error != 0) {
-               aprint_error_dev(sc->sc_dev, "could not set power mode\n");
+               aprint_error_dev(sc->sc_dev,
+                   "could not load firmware %s section\n",
+                   ".text");
                return error;
        }
-
-       /* configure bluetooth coexistence */
-       memset(&bluetooth, 0, sizeof bluetooth);
-       bluetooth.flags = 3;
-       bluetooth.lead = 0xaa;
-       bluetooth.kill = 1;
-       DPRINTF(("configuring bluetooth coexistence\n"));
-       error = iwn_cmd(sc, IWN_CMD_BLUETOOTH, &bluetooth, sizeof bluetooth,
-           0);
+       error = iwn5000_load_firmware_section(sc, IWN_FW_DATA_BASE,
+           fw->data, fw->datasz);
        if (error != 0) {
-               aprint_error_dev(sc->sc_dev, "could not configure bluetooth 
coexistence\n");
+               aprint_error_dev(sc->sc_dev,
+                   "could not load firmware %s section\n",
+                   ".data");
                return error;
        }
 
-       /* configure adapter */
-       memset(&sc->config, 0, sizeof (struct iwn_config));
-       IEEE80211_ADDR_COPY(ic->ic_myaddr, CLLADDR(ifp->if_sadl));
-       IEEE80211_ADDR_COPY(sc->config.myaddr, ic->ic_myaddr);
-       IEEE80211_ADDR_COPY(sc->config.wlap, ic->ic_myaddr);
-       /* set default channel */
-       sc->config.chan = ieee80211_chan2ieee(ic, ic->ic_ibss_chan);
-       sc->config.flags = htole32(IWN_CONFIG_TSF);
-       if (IEEE80211_IS_CHAN_2GHZ(ic->ic_ibss_chan)) {
-               sc->config.flags |= htole32(IWN_CONFIG_AUTO |
-                   IWN_CONFIG_24GHZ);
+       /* Now press "execute". */
+       IWN_WRITE(sc, IWN_RESET, 0);
+       return 0;
+}
+
+static int
+iwn_read_firmware(struct iwn_softc *sc)
+{
+       const struct iwn_hal *hal = sc->sc_hal;
+       struct iwn_fw_info *fw = &sc->fw;
+       struct iwn_firmware_hdr hdr;
+       firmware_handle_t fwh;
+       size_t size;
+       int error;
+
+       /* Read firmware image from filesystem. */
+       if ((error = firmware_open("if_iwn", sc->fwname, &fwh)) != 0) {
+               aprint_error_dev(sc->sc_dev,
+                   "could not read firmware file %s\n", sc->fwname);
+               return error;
        }
-       sc->config.filter = 0;
-       switch (ic->ic_opmode) {
-       case IEEE80211_M_STA:
-               sc->config.mode = IWN_MODE_STA;
-               sc->config.filter |= htole32(IWN_FILTER_MULTICAST);
-               break;
-       case IEEE80211_M_IBSS:
-       case IEEE80211_M_AHDEMO:
-               sc->config.mode = IWN_MODE_IBSS;
-               break;
-       case IEEE80211_M_HOSTAP:
-               sc->config.mode = IWN_MODE_HOSTAP;
-               break;
-       case IEEE80211_M_MONITOR:
-               sc->config.mode = IWN_MODE_MONITOR;
-               sc->config.filter |= htole32(IWN_FILTER_MULTICAST |
-                   IWN_FILTER_CTL | IWN_FILTER_PROMISC);
-               break;
+       size = firmware_get_size(fwh);
+       if (size < sizeof (hdr)) {
+               aprint_error_dev(sc->sc_dev,
+                   "truncated firmware header: %zu bytes\n", size);
+               error = EINVAL;
+               goto fail2;
        }
-       sc->config.cck_mask  = 0x0f;    /* not yet negotiated */
-       sc->config.ofdm_mask = 0xff;    /* not yet negotiated */
-       sc->config.ht_single_mask = 0xff;
-       sc->config.ht_dual_mask = 0xff;
-       sc->config.rxchain = htole16(0x2800 | 7 << IWN_RXCHAIN_ANTMSK_SHIFT);
-       DPRINTF(("setting configuration\n"));
-       error = iwn_cmd(sc, IWN_CMD_CONFIGURE, &sc->config,
-           sizeof (struct iwn_config), 0);
-       if (error != 0) {
-               aprint_error_dev(sc->sc_dev, "configure command failed\n");
-               return error;
+       /* Extract firmware header information. */
+       if ((error = firmware_read(fwh, 0, &hdr,
+           sizeof (struct iwn_firmware_hdr))) != 0) {
+               aprint_error_dev(sc->sc_dev, "can't get firmware header\n");
+               goto fail2;
        }
-
-       /* configuration has changed, set Tx power accordingly */
-       if ((error = iwn_set_txpower(sc, ic->ic_ibss_chan, 0)) != 0) {
-               aprint_error_dev(sc->sc_dev, "could not set Tx power\n");
-               return error;
+       fw->main.textsz = le32toh(hdr.main_textsz);
+       fw->main.datasz = le32toh(hdr.main_datasz);
+       fw->init.textsz = le32toh(hdr.init_textsz);
+       fw->init.datasz = le32toh(hdr.init_datasz);
+       fw->boot.textsz = le32toh(hdr.boot_textsz);
+       fw->boot.datasz = 0;
+
+       /* Sanity-check firmware header. */
+       if (fw->main.textsz > hal->fw_text_maxsz ||
+           fw->main.datasz > hal->fw_data_maxsz ||
+           fw->init.textsz > hal->fw_text_maxsz ||
+           fw->init.datasz > hal->fw_data_maxsz ||
+           fw->boot.textsz > IWN_FW_BOOT_TEXT_MAXSZ ||
+           (fw->boot.textsz & 3) != 0) {
+               aprint_error_dev(sc->sc_dev, "invalid firmware header\n");
+               error = EINVAL;
+               goto fail2;
        }
 
-       /* add broadcast node */
-       if ((error = iwn_add_node(sc, NULL, true, false, 0)) != 0)
-               return error;
-
-       if ((error = iwn_set_critical_temp(sc)) != 0) {
-               aprint_error_dev(sc->sc_dev, "could not set critical 
temperature\n");
-               return error;
+       /* Check that all firmware sections fit. */
+       if (size < sizeof (hdr) + fw->main.textsz + fw->main.datasz +
+           fw->init.textsz + fw->init.datasz + fw->boot.textsz) {
+               aprint_error_dev(sc->sc_dev,
+                   "firmware file too short: %d bytes\n", size);
+               error = EINVAL;
+               goto fail2;
        }
+       fw->data = firmware_malloc(size);
+       if (fw->data == NULL) {
+               aprint_error_dev(sc->sc_dev,
+                   "not enough memory to stock firmware\n");
+               error = ENOMEM;
+               goto fail2;
+       }
+       if ((error = firmware_read(fwh, 0, fw->data, size)) != 0) {
+               aprint_error_dev(sc->sc_dev, "can't get firmware\n");
+               goto fail3;
+       }
+
+       /* Get pointers to firmware sections. */
+       fw->main.text = fw->data + sizeof (struct iwn_firmware_hdr);
+       fw->main.data = fw->main.text + fw->main.textsz;
+       fw->init.text = fw->main.data + fw->main.datasz;
+       fw->init.data = fw->init.text + fw->init.textsz;
+       fw->boot.text = fw->init.data + fw->init.datasz;
 
        return 0;
+fail3: firmware_free(fw->data, size);
+fail2: firmware_close(fwh);
+       return error;
 }
 
-/*
- * Do post-alive initialization of the NIC (after firmware upload).
- */
-static void
-iwn_post_alive(struct iwn_softc *sc)
+static int
+iwn_clock_wait(struct iwn_softc *sc)
 {
-       uint32_t base;
-       uint16_t offset;
-       int qid;
+       int ntries;
 
-       iwn_mem_lock(sc);
+       /* Set "initialization complete" bit. */
+       IWN_SETBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_INIT_DONE);
 
-       /* clear SRAM */
-       base = iwn_mem_read(sc, IWN_SRAM_BASE);
-       for (offset = 0x380; offset < 0x520; offset += 4) {
-               IWN_WRITE(sc, IWN_MEM_WADDR, base + offset);
-               IWN_WRITE(sc, IWN_MEM_WDATA, 0);
+       /* Wait for clock stabilization. */
+       for (ntries = 0; ntries < 25000; ntries++) {
+               if (IWN_READ(sc, IWN_GP_CNTRL) & IWN_GP_CNTRL_MAC_CLOCK_READY)
+                       return 0;
+               DELAY(100);
        }
+       aprint_error_dev(sc->sc_dev,
+           "timeout waiting for clock stabilization\n");
+       return ETIMEDOUT;
+}
+
+static int
+iwn4965_apm_init(struct iwn_softc *sc)
+{
+       int error;
 
-       /* shared area is aligned on a 1K boundary */
-       iwn_mem_write(sc, IWN_SRAM_BASE, sc->shared_dma.paddr >> 10);
-       iwn_mem_write(sc, IWN_SELECT_QCHAIN, 0);
+       /* Disable L0s. */
+       IWN_SETBITS(sc, IWN_GIO_CHICKEN, IWN_GIO_CHICKEN_DIS_L0S_TIMER);
+       IWN_SETBITS(sc, IWN_GIO_CHICKEN, IWN_GIO_CHICKEN_L1A_NO_L0S_RX);
 
-       for (qid = 0; qid < IWN_NTXQUEUES; qid++) {
-               iwn_mem_write(sc, IWN_QUEUE_RIDX(qid), 0);
-               IWN_WRITE(sc, IWN_TX_WIDX, qid << 8 | 0);
+       if ((error = iwn_clock_wait(sc)) != 0)
+               return error;
 
-               /* set sched. window size */
-               IWN_WRITE(sc, IWN_MEM_WADDR, base + IWN_QUEUE_OFFSET(qid));
-               IWN_WRITE(sc, IWN_MEM_WDATA, 64);
-               /* set sched. frame limit */
-               IWN_WRITE(sc, IWN_MEM_WADDR, base + IWN_QUEUE_OFFSET(qid) + 4);
-               IWN_WRITE(sc, IWN_MEM_WDATA, 64 << 16);
-       }
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
+       /* Enable DMA. */
+       iwn_prph_write(sc, IWN_APMG_CLK_CTRL,
+           IWN_APMG_CLK_CTRL_DMA_CLK_RQT | IWN_APMG_CLK_CTRL_BSM_CLK_RQT);
+       DELAY(20);
+       /* Disable L1. */
+       iwn_prph_setbits(sc, IWN_APMG_PCI_STT, IWN_APMG_PCI_STT_L1A_DIS);
+       iwn_nic_unlock(sc);
 
-       /* enable interrupts for all 16 queues */
-       iwn_mem_write(sc, IWN_QUEUE_INTR_MASK, 0xffff);
+       return 0;
+}
 
-       /* identify active Tx rings (0-7) */
-       iwn_mem_write(sc, IWN_TX_ACTIVE, 0xff);
+static int
+iwn5000_apm_init(struct iwn_softc *sc)
+{
+       int error;
 
-       /* mark Tx rings (4 EDCA + cmd + 2 HCCA) as active */
-       for (qid = 0; qid < 7; qid++) {
-               iwn_mem_write(sc, IWN_TXQ_STATUS(qid),
-                   IWN_TXQ_STATUS_ACTIVE | qid << 1);
-       }
+       /* Disable L0s. */
+       IWN_SETBITS(sc, IWN_GIO_CHICKEN, IWN_GIO_CHICKEN_DIS_L0S_TIMER);
+       IWN_SETBITS(sc, IWN_GIO_CHICKEN, IWN_GIO_CHICKEN_L1A_NO_L0S_RX);
+
+       /* Set Flow Handler wait threshold to the maximum. */
+       IWN_SETBITS(sc, IWN_DBG_HPET_MEM, 0xffff0000);
+
+       /* Enable HAP to move adapter from L1a to L0s. */
+       IWN_SETBITS(sc, IWN_HW_IF_CONFIG, IWN_HW_IF_CONFIG_HAP_WAKE_L1A);
+       IWN_SETBITS(sc, IWN_ANA_PLL, IWN_ANA_PLL_INIT);
+
+       if ((error = iwn_clock_wait(sc)) != 0)
+               return error;
+
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
+       /* Enable DMA. */
+       iwn_prph_write(sc, IWN_APMG_CLK_CTRL, IWN_APMG_CLK_CTRL_DMA_CLK_RQT);
+       DELAY(20);
+       /* Disable L1. */
+       iwn_prph_setbits(sc, IWN_APMG_PCI_STT, IWN_APMG_PCI_STT_L1A_DIS);
+       iwn_nic_unlock(sc);
 
-       iwn_mem_unlock(sc);
+       return 0;
 }
 
 static void
-iwn_stop_master(struct iwn_softc *sc)
+iwn_apm_stop_master(struct iwn_softc *sc)
 {
-       uint32_t tmp;
        int ntries;
 
-       tmp = IWN_READ(sc, IWN_RESET);
-       IWN_WRITE(sc, IWN_RESET, tmp | IWN_STOP_MASTER);
-
-       tmp = IWN_READ(sc, IWN_GPIO_CTL);
-       if ((tmp & IWN_GPIO_PWR_STATUS) == IWN_GPIO_PWR_SLEEP)
-               return; /* already asleep */
-
+       IWN_SETBITS(sc, IWN_RESET, IWN_RESET_STOP_MASTER);
        for (ntries = 0; ntries < 100; ntries++) {
-               if (IWN_READ(sc, IWN_RESET) & IWN_MASTER_DISABLED)
-                       break;
+               if (IWN_READ(sc, IWN_RESET) & IWN_RESET_MASTER_DISABLED)
+                       return;
                DELAY(10);
        }
-       if (ntries == 100) {
-               aprint_error_dev(sc->sc_dev, "timeout waiting for master\n");
-       }
+       aprint_error_dev(sc->sc_dev, "timeout waiting for master\n");
 }
 
-static int
-iwn_reset(struct iwn_softc *sc)
+static void
+iwn_apm_stop(struct iwn_softc *sc)
 {
-       uint32_t tmp;
-       int ntries;
-
-       /* clear any pending interrupts */
-       IWN_WRITE(sc, IWN_INTR, 0xffffffff);
+       iwn_apm_stop_master(sc);
 
-       tmp = IWN_READ(sc, IWN_CHICKEN);
-       IWN_WRITE(sc, IWN_CHICKEN, tmp | IWN_CHICKEN_DISLOS);
+       IWN_SETBITS(sc, IWN_RESET, IWN_RESET_SW);
+       DELAY(10);
+       /* Clear "initialization complete" bit. */
+       IWN_CLRBITS(sc, IWN_GP_CNTRL, IWN_GP_CNTRL_INIT_DONE);
+}
 
-       tmp = IWN_READ(sc, IWN_GPIO_CTL);
-       IWN_WRITE(sc, IWN_GPIO_CTL, tmp | IWN_GPIO_INIT);
+static int
+iwn4965_nic_config(struct iwn_softc *sc)
+{
+       pcireg_t reg;
+       uint8_t rev;
 
-       /* wait for clock stabilization */
-       for (ntries = 0; ntries < 1000; ntries++) {
-               if (IWN_READ(sc, IWN_GPIO_CTL) & IWN_GPIO_CLOCK)
-                       break;
-               DELAY(10);
+       reg = pci_conf_read(sc->sc_pct, sc->sc_pcitag, PCI_CLASS_REG);
+       rev = PCI_REVISION(reg);
+#if 0
+       if ((rev & 0x80) && (rev & 0x7f) < 8) {
+               reg = pci_conf_read(sc->sc_pct, sc->sc_pcitag,
+                   sc->sc_cap_off + PCI_PCIE_DCSR);
+               /* Clear PCIe "Enable No Snoop" bit. */
+               reg &= ~PCI_PCIE_DCSR_ENA_NO_SNOOP;
+               pci_conf_write(sc->sc_pct, sc->sc_pcitag,
+                   sc->sc_cap_off + PCI_PCIE_DCSR, reg);
        }
-       if (ntries == 1000) {
-               aprint_error_dev(sc->sc_dev, "timeout waiting for clock 
stabilization\n");
-               return ETIMEDOUT;
+
+       /* Retrieve PCIe Active State Power Management (ASPM). */
+       reg = pci_conf_read(sc->sc_pct, sc->sc_pcitag,
+           sc->sc_cap_off + PCI_PCIE_LCSR);
+       if (reg & PCI_PCIE_LCSR_ASPM_L1)        /* L1 Entry enabled. */
+               IWN_SETBITS(sc, IWN_GIO, IWN_GIO_L0S_ENA);
+       else
+               IWN_CLRBITS(sc, IWN_GIO, IWN_GIO_L0S_ENA);
+#endif
+
+       if (IWN_RFCFG_TYPE(sc->rfcfg) == 1) {
+               /*
+                * I don't believe this to be correct but this is what the
+                * vendor driver is doing. Probably the bits should not be
+                * shifted in IWN_RFCFG_*.
+                */
+               IWN_SETBITS(sc, IWN_HW_IF_CONFIG,
+                   IWN_RFCFG_TYPE(sc->rfcfg) |
+                   IWN_RFCFG_STEP(sc->rfcfg) |
+                   IWN_RFCFG_DASH(sc->rfcfg));
        }
+       IWN_SETBITS(sc, IWN_HW_IF_CONFIG,
+           IWN_HW_IF_CONFIG_RADIO_SI | IWN_HW_IF_CONFIG_MAC_SI);
        return 0;
 }
 
-static void
-iwn_hw_config(struct iwn_softc *sc)
+static int
+iwn5000_nic_config(struct iwn_softc *sc)
 {
-       uint32_t tmp, hw;
+       int error;
+
+#if 0
+       /* Retrieve PCIe Active State Power Management (ASPM). */
+       reg = pci_conf_read(sc->sc_pct, sc->sc_pcitag,
+           sc->sc_cap_off + PCI_PCIE_LCSR);
+       if (reg & PCI_PCIE_LCSR_ASPM_L1)        /* L1 Entry enabled. */
+               IWN_SETBITS(sc, IWN_GIO, IWN_GIO_L0S_ENA);
+       else
+               IWN_CLRBITS(sc, IWN_GIO, IWN_GIO_L0S_ENA);
+#endif
 
-       /* enable interrupts mitigation */
-       IWN_WRITE(sc, IWN_INTR_MIT, 512 / 32);
+       if (IWN_RFCFG_TYPE(sc->rfcfg) < 3) {
+               IWN_SETBITS(sc, IWN_HW_IF_CONFIG,
+                   IWN_RFCFG_TYPE(sc->rfcfg) |
+                   IWN_RFCFG_STEP(sc->rfcfg) |
+                   IWN_RFCFG_DASH(sc->rfcfg));
+       }
+       IWN_SETBITS(sc, IWN_HW_IF_CONFIG,
+           IWN_HW_IF_CONFIG_RADIO_SI | IWN_HW_IF_CONFIG_MAC_SI);
 
-       /* voodoo from the reference driver */
-       tmp = pci_conf_read(sc->sc_pct, sc->sc_pcitag, PCI_CLASS_REG);
-       tmp = PCI_REVISION(tmp);
-       if ((tmp & 0x80) && (tmp & 0x7f) < 8) {
-               /* enable "no snoop" field */
-               tmp = pci_conf_read(sc->sc_pct, sc->sc_pcitag, 0xe8);
-               tmp &= ~IWN_DIS_NOSNOOP;
-               pci_conf_write(sc->sc_pct, sc->sc_pcitag, 0xe8, tmp);
-       }
-
-       /* disable L1 entry to work around a hardware bug */
-       tmp = pci_conf_read(sc->sc_pct, sc->sc_pcitag, 0xf0);
-       tmp &= ~IWN_ENA_L1;
-       pci_conf_write(sc->sc_pct, sc->sc_pcitag, 0xf0, tmp);
-
-       hw = IWN_READ(sc, IWN_HWCONFIG);
-       IWN_WRITE(sc, IWN_HWCONFIG, hw | 0x310);
-
-       iwn_mem_lock(sc);
-       tmp = iwn_mem_read(sc, IWN_MEM_POWER);
-       iwn_mem_write(sc, IWN_MEM_POWER, tmp | IWN_POWER_RESET);
-       DELAY(5);
-       tmp = iwn_mem_read(sc, IWN_MEM_POWER);
-       iwn_mem_write(sc, IWN_MEM_POWER, tmp & ~IWN_POWER_RESET);
-       iwn_mem_unlock(sc);
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
+       iwn_prph_setbits(sc, IWN_APMG_PS, IWN_APMG_PS_EARLY_PWROFF_DIS);
+       iwn_nic_unlock(sc);
+       return 0;
 }
 
 static int
-iwn_init(struct ifnet *ifp)
+iwn_hw_init(struct iwn_softc *sc)
 {
-       struct iwn_softc *sc = ifp->if_softc;
-       struct ieee80211com *ic = &sc->sc_ic;
-       uint32_t tmp;
+       const struct iwn_hal *hal = sc->sc_hal;
        int error, qid;
 
-       iwn_stop(ifp, 1);
-       if ((error = iwn_reset(sc)) != 0) {
-               aprint_error_dev(sc->sc_dev, "could not reset adapter\n");
-               goto fail1;
+       /* Clear pending interrupts. */
+       IWN_WRITE(sc, IWN_INT, 0xffffffff);
+
+       if ((error = hal->apm_init(sc)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not power ON adapter\n");
+               return error;
        }
 
-       iwn_mem_lock(sc);
-       iwn_mem_read(sc, IWN_CLOCK_CTL);
-       iwn_mem_write(sc, IWN_CLOCK_CTL, 0xa00);
-       iwn_mem_read(sc, IWN_CLOCK_CTL);
-       iwn_mem_unlock(sc);
+       /* Select VMAIN power source. */
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
+       iwn_prph_clrbits(sc, IWN_APMG_PS, IWN_APMG_PS_PWR_SRC_MASK);
+       iwn_nic_unlock(sc);
 
-       DELAY(20);
+       /* Perform adapter-specific initialization. */
+       if ((error = hal->nic_config(sc)) != 0)
+               return error;
+
+       /* Initialize RX ring. */
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
+       IWN_WRITE(sc, IWN_FH_RX_CONFIG, 0);
+       IWN_WRITE(sc, IWN_FH_RX_WPTR, 0);
+       /* Set physical address of RX ring (256-byte aligned.) */
+       IWN_WRITE(sc, IWN_FH_RX_BASE, sc->rxq.desc_dma.paddr >> 8);
+       /* Set physical address of RX status (16-byte aligned.) */
+       IWN_WRITE(sc, IWN_FH_STATUS_WPTR, sc->rxq.stat_dma.paddr >> 4);
+       /* Enable RX. */
+       IWN_WRITE(sc, IWN_FH_RX_CONFIG,
+           IWN_FH_RX_CONFIG_ENA           |
+           IWN_FH_RX_CONFIG_IGN_RXF_EMPTY |    /* HW bug workaround */
+           IWN_FH_RX_CONFIG_IRQ_DST_HOST  |
+           IWN_FH_RX_CONFIG_SINGLE_FRAME  |
+           IWN_FH_RX_CONFIG_RB_TIMEOUT(0) |
+           IWN_FH_RX_CONFIG_NRBD(IWN_RX_RING_COUNT_LOG));
+       iwn_nic_unlock(sc);
+       IWN_WRITE(sc, IWN_FH_RX_WPTR, (IWN_RX_RING_COUNT - 1) & ~7);
 
-       iwn_mem_lock(sc);
-       tmp = iwn_mem_read(sc, IWN_MEM_PCIDEV);
-       iwn_mem_write(sc, IWN_MEM_PCIDEV, tmp | 0x800);
-       iwn_mem_unlock(sc);
-
-       iwn_mem_lock(sc);
-       tmp = iwn_mem_read(sc, IWN_MEM_POWER);
-       iwn_mem_write(sc, IWN_MEM_POWER, tmp & ~0x03000000);
-       iwn_mem_unlock(sc);
-
-       iwn_hw_config(sc);
-
-       /* init Rx ring */
-       iwn_mem_lock(sc);
-       IWN_WRITE(sc, IWN_RX_CONFIG, 0);
-       IWN_WRITE(sc, IWN_RX_WIDX, 0);
-       /* Rx ring is aligned on a 256-byte boundary */
-       IWN_WRITE(sc, IWN_RX_BASE, sc->rxq.desc_dma.paddr >> 8);
-       /* shared area is aligned on a 16-byte boundary */
-       IWN_WRITE(sc, IWN_RW_WIDX_PTR, (sc->shared_dma.paddr +
-               offsetof(struct iwn_shared, closed_count)) >> 4);
-       IWN_WRITE(sc, IWN_RX_CONFIG, 0x80601000);
-       iwn_mem_unlock(sc);
-
-       IWN_WRITE(sc, IWN_RX_WIDX, (IWN_RX_RING_COUNT - 1) & ~7);
+       if ((error = iwn_nic_lock(sc)) != 0)
+               return error;
 
-       iwn_mem_lock(sc);
-       iwn_mem_write(sc, IWN_TX_ACTIVE, 0);
+       /* Initialize TX scheduler. */
+       iwn_prph_write(sc, hal->sched_txfact_addr, 0);
 
-       /* set physical address of "keep warm" page */
-       IWN_WRITE(sc, IWN_KW_BASE, sc->kw_dma.paddr >> 4);
+       /* Set physical address of "keep warm" page (16-byte aligned.) */
+       IWN_WRITE(sc, IWN_FH_KW_ADDR, sc->kw_dma.paddr >> 4);
 
-       /* init Tx rings */
-       for (qid = 0; qid < IWN_NTXQUEUES; qid++) {
+       /* Initialize TX rings. */
+       for (qid = 0; qid < hal->ntxqs; qid++) {
                struct iwn_tx_ring *txq = &sc->txq[qid];
-               IWN_WRITE(sc, IWN_TX_BASE(qid), txq->desc_dma.paddr >> 8);
-               IWN_WRITE(sc, IWN_TX_CONFIG(qid), 0x80000008);
+
+               /* Set physical address of TX ring (256-byte aligned.) */
+               IWN_WRITE(sc, IWN_FH_CBBC_QUEUE(qid),
+                   txq->desc_dma.paddr >> 8);
+               /* Enable TX for this ring. */
+               IWN_WRITE(sc, IWN_FH_TX_CONFIG(qid),
+                   IWN_FH_TX_CONFIG_DMA_ENA |
+                   IWN_FH_TX_CONFIG_DMA_CREDIT_ENA);
+       }
+       iwn_nic_unlock(sc);
+
+       /* Clear "radio off" and "commands blocked" bits. */
+       IWN_WRITE(sc, IWN_UCODE_GP1_CLR, IWN_UCODE_GP1_RFKILL);
+       IWN_WRITE(sc, IWN_UCODE_GP1_CLR, IWN_UCODE_GP1_CMD_BLOCKED);
+
+       /* Clear pending interrupts. */
+       IWN_WRITE(sc, IWN_INT, 0xffffffff);
+       /* Enable interrupt coalescing. */
+       IWN_WRITE(sc, IWN_INT_COALESCING, 512 / 8);
+       /* Enable interrupts. */
+       IWN_WRITE(sc, IWN_MASK, IWN_INT_MASK);
+
+       /* _Really_ make sure "radio off" bit is cleared! */
+       IWN_WRITE(sc, IWN_UCODE_GP1_CLR, IWN_UCODE_GP1_RFKILL);
+       IWN_WRITE(sc, IWN_UCODE_GP1_CLR, IWN_UCODE_GP1_RFKILL);
+
+       if ((error = hal->load_firmware(sc)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not load firmware\n");
+               return error;
+       }
+       /* Wait at most one second for firmware alive notification. */
+       if ((error = tsleep(sc, PCATCH, "iwninit", hz)) != 0) {
+               aprint_error_dev(sc->sc_dev, "timeout waiting for adapter to 
initialize\n");
+               return error;
        }
-       iwn_mem_unlock(sc);
+       /* Do post-firmware initialization. */
+       return hal->post_alive(sc);
+}
 
-       /* clear "radio off" and "disable command" bits (reversed logic) */
-       IWN_WRITE(sc, IWN_UCODE_CLR, IWN_RADIO_OFF);
-       IWN_WRITE(sc, IWN_UCODE_CLR, IWN_DISABLE_CMD);
-
-       /* clear any pending interrupts */
-       IWN_WRITE(sc, IWN_INTR, 0xffffffff);
-       /* enable interrupts */
-       IWN_WRITE(sc, IWN_MASK, IWN_INTR_MASK);
-
-       /* not sure why/if this is necessary... */
-       IWN_WRITE(sc, IWN_UCODE_CLR, IWN_RADIO_OFF);
-       IWN_WRITE(sc, IWN_UCODE_CLR, IWN_RADIO_OFF);
-
-       /* check that the radio is not disabled by RF switch */
-       if (!(IWN_READ(sc, IWN_GPIO_CTL) & IWN_GPIO_RF_ENABLED)) {
-               aprint_error_dev(sc->sc_dev, "radio is disabled by hardware 
switch\n");
-               error = EBUSY;  /* XXX ;-) */
-               goto fail1;
+static void
+iwn_hw_stop(struct iwn_softc *sc)
+{
+       const struct iwn_hal *hal = sc->sc_hal;
+       int qid;
+
+       IWN_WRITE(sc, IWN_RESET, IWN_RESET_NEVO);
+
+       /* Disable interrupts. */
+       IWN_WRITE(sc, IWN_MASK, 0);
+       IWN_WRITE(sc, IWN_INT, 0xffffffff);
+       IWN_WRITE(sc, IWN_FH_INT, 0xffffffff);
+
+       /* Make sure we no longer hold the NIC lock. */
+       iwn_nic_unlock(sc);
+
+       /* Stop TX scheduler. */
+       iwn_prph_write(sc, hal->sched_txfact_addr, 0);
+
+       /* Stop all TX rings. */
+       for (qid = 0; qid < hal->ntxqs; qid++)
+               iwn_reset_tx_ring(sc, &sc->txq[qid]);
+
+       /* Stop RX ring. */
+       iwn_reset_rx_ring(sc, &sc->rxq);
+
+       if (iwn_nic_lock(sc) == 0) {
+               iwn_prph_write(sc, IWN_APMG_CLK_DIS, IWN_APMG_CLK_DMA_RQT);
+               iwn_nic_unlock(sc);
        }
+       DELAY(5);
+       /* Power OFF adapter. */
+       iwn_apm_stop(sc);
+}
 
-       if ((error = iwn_load_firmware(sc)) != 0) {
-               aprint_error_dev(sc->sc_dev, "could not load firmware\n");
-               goto fail1;
+static int
+iwn_init(struct ifnet *ifp)
+{
+       struct iwn_softc *sc = ifp->if_softc;
+       struct ieee80211com *ic = &sc->sc_ic;
+       int error;
+
+       iwn_stop(ifp, 1);
+       /* Check that the radio is not disabled by hardware switch. */
+       if (!(IWN_READ(sc, IWN_GP_CNTRL) & IWN_GP_CNTRL_RFKILL)) {
+               aprint_error_dev(sc->sc_dev,
+                   "radio is disabled by hardware switch\n");
+               sc->sc_radio = false;
+               error = EPERM;  /* :-) */
+               goto fail;
        }
+       sc->sc_radio = true;
 
-       /* firmware has notified us that it is alive.. */
-       iwn_post_alive(sc);     /* ..do post alive initialization */
+       /* Read firmware images from the filesystem. */
+       if ((error = iwn_read_firmware(sc)) != 0) {
+               aprint_error_dev(sc->sc_dev, "could not read firmware\n");
+               goto fail;
+       }
 
-       sc->rawtemp = sc->ucode_info.temp[3].chan20MHz;
-       sc->temp = iwn_get_temperature(sc);
-       DPRINTF(("temperature=%d\n", sc->temp));
+       /* Initialize hardware and upload firmware. */
+       error = iwn_hw_init(sc);
+       free(sc->fw.data, M_DEVBUF);
+       if (error != 0) {
+               aprint_error_dev(sc->sc_dev, "could not initialize hardware\n");
+               goto fail;
+       }
 
+       /* Configure adapter now that it is ready. */
        if ((error = iwn_config(sc)) != 0) {
                aprint_error_dev(sc->sc_dev, "could not configure device\n");
-               goto fail1;
+               goto fail;
        }
 
-       DPRINTF(("iwn_config end\n"));
-
        ifp->if_flags &= ~IFF_OACTIVE;
        ifp->if_flags |= IFF_RUNNING;
 
        if (ic->ic_opmode != IEEE80211_M_MONITOR) {
-               if (ic->ic_roaming != IEEE80211_ROAMING_MANUAL)
+               if (ic->ic_opmode != IEEE80211_ROAMING_MANUAL)
                        ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
-       }
-       else
+       } else
                ieee80211_new_state(ic, IEEE80211_S_RUN, -1);
 
-       DPRINTF(("iwn_init ok\n"));
        return 0;
 
-fail1:
-       DPRINTF(("iwn_init error\n"));
-       iwn_stop(ifp, 1);
+fail:  iwn_stop(ifp, 1);
        return error;
 }
 
@@ -3911,48 +5566,30 @@ iwn_stop(struct ifnet *ifp, int disable)
 {
        struct iwn_softc *sc = ifp->if_softc;
        struct ieee80211com *ic = &sc->sc_ic;
-       uint32_t tmp;
-       int i;
 
        ifp->if_timer = sc->sc_tx_timer = 0;
        ifp->if_flags &= ~(IFF_RUNNING | IFF_OACTIVE);
 
        ieee80211_new_state(ic, IEEE80211_S_INIT, -1);
 
-       IWN_WRITE(sc, IWN_RESET, IWN_NEVO_RESET);
-
-       /* disable interrupts */
-       IWN_WRITE(sc, IWN_MASK, 0);
-       IWN_WRITE(sc, IWN_INTR, 0xffffffff);
-       IWN_WRITE(sc, IWN_INTR_STATUS, 0xffffffff);
-
-       /* make sure we no longer hold the memory lock */
-       iwn_mem_unlock(sc);
-
-       /* reset all Tx rings */
-       for (i = 0; i < IWN_NTXQUEUES; i++)
-               iwn_reset_tx_ring(sc, &sc->txq[i]);
-
-       /* reset Rx ring */
-       iwn_reset_rx_ring(sc, &sc->rxq);
-
-       iwn_mem_lock(sc);
-       iwn_mem_write(sc, IWN_MEM_CLOCK2, 0x200);
-       iwn_mem_unlock(sc);
-
-       DELAY(5);
+       /* Power OFF hardware. */
+       iwn_hw_stop(sc);
 
-       iwn_stop_master(sc);
-       tmp = IWN_READ(sc, IWN_RESET);
-       IWN_WRITE(sc, IWN_RESET, tmp | IWN_SW_RESET);
+#if 0
+       /* Temperature sensor is no longer valid. */
+       sc->sensor.value = 0;
+       sc->sensor.flags |= SENSOR_FINVALID;
+#endif
 }
 
 static bool
 iwn_resume(device_t dv PMF_FN_ARGS)
 {
+#if 0
        struct iwn_softc *sc = device_private(dv);
 
        (void)iwn_reset(sc);
+#endif
 
        return true;
 }
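Review bot: iwn_resume now returns true with its only work compiled out by `#if 0`, so the power-management framework is told the resume succeeded although the adapter is never reset or re-initialised. If iwn_reset() no longer fits the rewritten driver, the handler should either bring the hardware back up through the new init path or say what is missing, for example `/* XXX resume not implemented: hardware is not re-initialised after suspend */`. In iwn_stop the temperature-sensor invalidation is likewise left under `#if 0` with no explanation, and the ring resets that used to happen here now depend on iwn_hw_stop(), which is not visible in this hunk.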
Index: if_iwnreg.h
===================================================================
RCS file: /cvsroot/src/sys/dev/pci/if_iwnreg.h,v
retrieving revision 1.4
diff -u -p -u -r1.4 if_iwnreg.h
--- if_iwnreg.h 13 Oct 2008 12:39:26 -0000      1.4
+++ if_iwnreg.h 19 Mar 2009 19:54:00 -0000
@@ -1,8 +1,7 @@
-/*     $NetBSD: if_iwnreg.h,v 1.4 2008/10/13 12:39:26 blymn Exp $      */
-/*     OpenBSD: if_iwnreg.h,v 1.9 2007/11/27 20:59:40 damien Exp       */
+/*     $OpenBSD: if_iwnreg.h,v 1.20 2008/12/12 17:15:40 damien Exp $   */
 
 /*-
- * Copyright (c) 2007
+ * Copyright (c) 2007, 2008
  *     Damien Bergamini <damien.bergamini%free.fr@localhost>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -18,174 +17,304 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#define IWN_TKIP_MICLEN 8
+
 #define IWN_TX_RING_COUNT      256
-#define IWN_RX_RING_COUNT      64
+#define IWN_TX_RING_LOMARK     192
+#define IWN_TX_RING_HIMARK     224
+#define IWN_RX_RING_COUNT_LOG  8
+#define IWN_RX_RING_COUNT      (1 << IWN_RX_RING_COUNT_LOG)
+
+#define IWN4965_NTXQUEUES      16
+#define IWN5000_NTXQUEUES      20
+#define IWN_SRVC_CHNL          9
 
-#define IWN_NTXQUEUES          16
-#define IWN_NTXCHAINS          2
+/* Maximum number of DMA segments for TX. */
+#define IWN_MAX_SCATTER        20
 
-#define        IWN_BUF_ALIGN           4096
+/* RX buffers must be large enough to hold a full 4K A-MPDU. */
+#define IWN_RBUF_SIZE  (4 * 1024)
 
-/*
- * Rings must be aligned on a 256-byte boundary.
- */
-#define IWN_RING_DMA_ALIGN     256
+#if defined(__LP64__)
+/* HW supports 36-bit DMA addresses. */
+#define IWN_LOADDR(paddr)      ((uint32_t)(paddr))
+#define IWN_HIADDR(paddr)      (((paddr) >> 32) & 0xf)
+#else
+#define IWN_LOADDR(paddr)      (paddr)
+#define IWN_HIADDR(paddr)      (0)
+#endif
 
-/* maximum scatter/gather */
-#define IWN_MAX_SCATTER        20
-
-/* Rx buffers must be large enough to hold a full 4K A-MPDU */
-#define IWN_RBUF_SIZE  (8 * 1024)
+/* Base Address Register. */
+#define IWN_PCI_BAR0   PCI_MAPREG_START
 
 /*
  * Control and status registers.
  */
-#define IWN_HWCONFIG           0x000
-#define IWN_INTR_MIT           0x004
-#define IWN_INTR               0x008
+#define IWN_HW_IF_CONFIG       0x000
+#define IWN_INT_COALESCING     0x004
+#define IWN_INT                        0x008
 #define IWN_MASK               0x00c
-#define IWN_INTR_STATUS                0x010
+#define IWN_FH_INT             0x010
 #define IWN_RESET              0x020
-#define IWN_GPIO_CTL           0x024
-#define IWN_EEPROM_CTL         0x02c
-#define IWN_UCODE_CLR          0x05c
-#define IWN_CHICKEN            0x100
-#define IWN_QUEUE_OFFSET(qid)  (0x380 + (qid) * 8)
+#define IWN_GP_CNTRL           0x024
+#define IWN_HW_REV             0x028
+#define IWN_EEPROM             0x02c
+#define IWN_EEPROM_GP          0x030
+#define IWN_GIO                        0x03c
+#define IWN_UCODE_GP1_CLR      0x05c
+#define IWN_LED                        0x094
+#define IWN_GIO_CHICKEN                0x100
+#define IWN_ANA_PLL            0x20c
+#define IWN_DBG_HPET_MEM       0x240
+#define IWN_MEM_RADDR          0x40c
 #define IWN_MEM_WADDR          0x410
 #define IWN_MEM_WDATA          0x418
-#define IWN_WRITE_MEM_ADDR     0x444
-#define IWN_READ_MEM_ADDR      0x448
-#define IWN_WRITE_MEM_DATA     0x44c
-#define IWN_READ_MEM_DATA      0x450
-#define IWN_TX_WIDX            0x460
-
-#define IWN_KW_BASE            0x197c
-#define IWN_TX_BASE(qid)       (0x19d0 + (qid) * 4)
-#define IWN_RW_WIDX_PTR                0x1bc0
-#define IWN_RX_BASE            0x1bc4
-#define IWN_RX_WIDX            0x1bc8
-#define IWN_RX_CONFIG          0x1c00
-#define IWN_RX_STATUS          0x1c44
-#define IWN_TX_CONFIG(qid)     (0x1d00 + (qid) * 32)
-#define IWN_TX_STATUS          0x1eb0
-
-#define IWN_SRAM_BASE          0xa02c00
-#define IWN_TX_ACTIVE          (IWN_SRAM_BASE + 0x01c)
-#define IWN_QUEUE_RIDX(qid)    (IWN_SRAM_BASE + 0x064 + (qid) * 4)
-#define IWN_SELECT_QCHAIN      (IWN_SRAM_BASE + 0x0d0)
-#define IWN_QUEUE_INTR_MASK    (IWN_SRAM_BASE + 0x0e4)
-#define IWN_TXQ_STATUS(qid)    (IWN_SRAM_BASE + 0x104 + (qid) * 4)
+#define IWN_MEM_RDATA          0x41c
+#define IWN_PRPH_WADDR         0x444
+#define IWN_PRPH_RADDR         0x448
+#define IWN_PRPH_WDATA         0x44c
+#define IWN_PRPH_RDATA         0x450
+#define IWN_HBUS_TARG_WRPTR    0x460
+
+/*
+ * Flow-Handler registers.
+ */
+#define IWN_FH_TFBD_CTRL0(qid)         (0x1900 + (qid) * 8)
+#define IWN_FH_TFBD_CTRL1(qid)         (0x1904 + (qid) * 8)
+#define IWN_FH_KW_ADDR                 0x197c
+#define IWN_FH_SRAM_ADDR(qid)          (0x19a4 + (qid) * 4)
+#define IWN_FH_CBBC_QUEUE(qid)         (0x19d0 + (qid) * 4)
+#define IWN_FH_STATUS_WPTR             0x1bc0
+#define IWN_FH_RX_BASE                 0x1bc4
+#define IWN_FH_RX_WPTR                 0x1bc8
+#define IWN_FH_RX_CONFIG               0x1c00
+#define IWN_FH_RX_STATUS               0x1c44
+#define IWN_FH_TX_CONFIG(qid)          (0x1d00 + (qid) * 32)
+#define IWN_FH_TXBUF_STATUS(qid)       (0x1d08 + (qid) * 32)
+#define IWN_FH_TX_CHICKEN              0x1e98
+#define IWN_FH_TX_STATUS               0x1eb0
+
+/*
+ * TX scheduler registers.
+ */
+#define IWN_SCHED_BASE                 0xa02c00
+#define IWN_SCHED_SRAM_ADDR            (IWN_SCHED_BASE + 0x000)
+#define IWN5000_SCHED_DRAM_ADDR                (IWN_SCHED_BASE + 0x008)
+#define IWN4965_SCHED_DRAM_ADDR                (IWN_SCHED_BASE + 0x010)
+#define IWN5000_SCHED_TXFACT           (IWN_SCHED_BASE + 0x010)
+#define IWN4965_SCHED_TXFACT           (IWN_SCHED_BASE + 0x01c)
+#define IWN4965_SCHED_QUEUE_RDPTR(qid) (IWN_SCHED_BASE + 0x064 + (qid) * 4)
+#define IWN5000_SCHED_QUEUE_RDPTR(qid) (IWN_SCHED_BASE + 0x068 + (qid) * 4)
+#define IWN4965_SCHED_QCHAIN_SEL       (IWN_SCHED_BASE + 0x0d0)
+#define IWN4965_SCHED_INTR_MASK                (IWN_SCHED_BASE + 0x0e4)
+#define IWN5000_SCHED_QCHAIN_SEL       (IWN_SCHED_BASE + 0x0e8)
+#define IWN4965_SCHED_QUEUE_STATUS(qid)        (IWN_SCHED_BASE + 0x104 + (qid) 
* 4)
+#define IWN5000_SCHED_INTR_MASK                (IWN_SCHED_BASE + 0x108)
+#define IWN5000_SCHED_QUEUE_STATUS(qid)        (IWN_SCHED_BASE + 0x10c + (qid) 
* 4)
+#define IWN5000_SCHED_AGGR_SEL         (IWN_SCHED_BASE + 0x248)
+
+/*
+ * Offsets in TX scheduler's SRAM.
+ */
+#define IWN4965_SCHED_CTX_OFF          0x380
+#define IWN4965_SCHED_CTX_LEN          416
+#define IWN4965_SCHED_QUEUE_OFFSET(qid)        (0x380 + (qid) * 8)
+#define IWN4965_SCHED_TRANS_TBL(qid)   (0x500 + (qid) * 2)
+#define IWN5000_SCHED_CTX_OFF          0x600
+#define IWN5000_SCHED_CTX_LEN          520
+#define IWN5000_SCHED_QUEUE_OFFSET(qid)        (0x600 + (qid) * 8)
+#define IWN5000_SCHED_TRANS_TBL(qid)   (0x7e0 + (qid) * 2)
 
 /*
  * NIC internal memory offsets.
  */
 #define IWN_CLOCK_CTL          0x3000
-#define IWN_MEM_CLOCK2         0x3008
-#define IWN_MEM_POWER          0x300c
-#define IWN_MEM_PCIDEV         0x3010
-#define IWN_MEM_UCODE_CTL      0x3400
-#define IWN_MEM_UCODE_SRC      0x3404
-#define IWN_MEM_UCODE_DST      0x3408
-#define IWN_MEM_UCODE_SIZE     0x340c
-#define IWN_MEM_TEXT_BASE      0x3490
-#define IWN_MEM_TEXT_SIZE      0x3494
-#define IWN_MEM_DATA_BASE      0x3498
-#define IWN_MEM_DATA_SIZE      0x349c
-#define IWN_MEM_UCODE_BASE     0x3800
-
-
-/* possible flags for register IWN_HWCONFIG */
-#define IWN_HW_EEPROM_LOCKED   (1 << 21)
-
-/* possible flags for registers IWN_READ_MEM_ADDR/IWN_WRITE_MEM_ADDR */
-#define IWN_MEM_4      ((sizeof (uint32_t) - 1) << 24)
-
-/* possible values for IWN_MEM_UCODE_DST */
-#define IWN_FW_TEXT    0x00000000
-
-/* possible flags for register IWN_RESET */
-#define IWN_NEVO_RESET         (1 << 0)
-#define IWN_SW_RESET           (1 << 7)
-#define IWN_MASTER_DISABLED    (1 << 8)
-#define IWN_STOP_MASTER                (1 << 9)
-
-/* possible flags for register IWN_GPIO_CTL */
-#define IWN_GPIO_CLOCK         (1 << 0)
-#define IWN_GPIO_INIT          (1 << 2)
-#define IWN_GPIO_MAC           (1 << 3)
-#define IWN_GPIO_SLEEP         (1 << 4)
-#define IWN_GPIO_PWR_STATUS    0x07000000
-#define IWN_GPIO_PWR_SLEEP     (4 << 24)
-#define IWN_GPIO_RF_ENABLED    (1 << 27)
-
-/* possible flags for register IWN_CHICKEN */
-#define IWN_CHICKEN_DISLOS     (1 << 29)
-
-/* possible flags for register IWN_UCODE_CLR */
-#define IWN_RADIO_OFF          (1 << 1)
-#define IWN_DISABLE_CMD                (1 << 2)
-#define IWN_CTEMP_STOP_RF      (1 << 3)
-
-/* possible flags for IWN_RX_STATUS */
-#define        IWN_RX_IDLE     (1 << 24)
-
-/* possible flags for register IWN_UC_CTL */
-#define IWN_UC_ENABLE  (1 << 30)
-#define IWN_UC_RUN     (1 << 31)
-
-/* possible flags for register IWN_INTR */
-#define IWN_ALIVE_INTR (1 <<  0)
-#define IWN_WAKEUP_INTR        (1 <<  1)
-#define IWN_SW_RX_INTR (1 <<  3)
-#define IWN_CT_REACHED (1 <<  6)
-#define IWN_RF_TOGGLED (1 <<  7)
-#define IWN_SW_ERROR   (1 << 25)
-#define IWN_TX_INTR    (1 << 27)
-#define IWN_HW_ERROR   (1 << 29)
-#define IWN_RX_INTR    (1 << 31)
-
-#define IWN_INTR_MASK                                                  \
-       (IWN_SW_ERROR | IWN_HW_ERROR | IWN_TX_INTR | IWN_RX_INTR |      \
-           IWN_ALIVE_INTR | IWN_WAKEUP_INTR | IWN_SW_RX_INTR |         \
-           IWN_CT_REACHED | IWN_RF_TOGGLED)
-
-/* possible flags for register IWN_INTR_STATUS */
-#define IWN_STATUS_TXQ(x)      (1 << (x))
-#define IWN_STATUS_RXQ(x)      (1 << ((x) + 16))
-#define IWN_STATUS_PRI         (1 << 30)
-/* shortcuts for the above */
-#define IWN_TX_STATUS_INTR                                             \
-       (IWN_STATUS_TXQ(0) | IWN_STATUS_TXQ(1) | IWN_STATUS_TXQ(6))
-#define IWN_RX_STATUS_INTR                                             \
-       (IWN_STATUS_RXQ(0) | IWN_STATUS_RXQ(1) | IWN_STATUS_RXQ(2) |    \
-           IWN_STATUS_PRI)
-
-/* possible flags for register IWN_TX_STATUS */
-#define IWN_TX_IDLE(qid)       (1 << ((qid) + 24) | 1 << ((qid) + 16))
+#define IWN_APMG_CLK_CTRL      0x3004
+#define IWN_APMG_CLK_DIS       0x3008
+#define IWN_APMG_PS            0x300c
+#define IWN_APMG_PCI_STT       0x3010
+#define IWN_BSM_WR_CTRL                0x3400
+#define IWN_BSM_WR_MEM_SRC     0x3404
+#define IWN_BSM_WR_MEM_DST     0x3408
+#define IWN_BSM_WR_DWCOUNT     0x340c
+#define IWN_BSM_DRAM_TEXT_ADDR 0x3490
+#define IWN_BSM_DRAM_TEXT_SIZE 0x3494
+#define IWN_BSM_DRAM_DATA_ADDR 0x3498
+#define IWN_BSM_DRAM_DATA_SIZE 0x349c
+#define IWN_BSM_SRAM_BASE      0x3800
+
+/* Possible values for IWN_APMG_CLK_DIS. */
+#define IWN_APMG_CLK_DMA_RQT   (1 << 9)
+
+/* Possible flags for register IWN_HW_IF_CONFIG. */
+#define IWN_HW_IF_CONFIG_4965_R                (1 <<  4)
+#define IWN_HW_IF_CONFIG_MAC_SI                (1 <<  8)
+#define IWN_HW_IF_CONFIG_RADIO_SI      (1 <<  9)
+#define IWN_HW_IF_CONFIG_EEPROM_LOCKED (1 << 21)
+#define IWN_HW_IF_CONFIG_HAP_WAKE_L1A  (1 << 23)
+
+/* Possible flags for registers IWN_PRPH_RADDR/IWN_PRPH_WADDR. */
+#define IWN_PRPH_DWORD ((sizeof (uint32_t) - 1) << 24)
+
+/* Possible values for IWN_BSM_WR_MEM_DST. */
+#define IWN_FW_TEXT_BASE       0x00000000
+#define IWN_FW_DATA_BASE       0x00800000
+
+/* Possible flags for register IWN_RESET. */
+#define IWN_RESET_NEVO                 (1 << 0)
+#define IWN_RESET_SW                   (1 << 7)
+#define IWN_RESET_MASTER_DISABLED      (1 << 8)
+#define IWN_RESET_STOP_MASTER          (1 << 9)
+
+/* Possible flags for register IWN_GP_CNTRL. */
+#define IWN_GP_CNTRL_MAC_ACCESS_ENA    (1 << 0)
+#define IWN_GP_CNTRL_MAC_CLOCK_READY   (1 << 0)
+#define IWN_GP_CNTRL_INIT_DONE         (1 << 2)
+#define IWN_GP_CNTRL_MAC_ACCESS_REQ    (1 << 3)
+#define IWN_GP_CNTRL_SLEEP             (1 << 4)
+#define IWN_GP_CNTRL_RFKILL            (1 << 27)
+
+/* Possible flags for register IWN_HW_REV. */
+#define IWN_HW_REV_TYPE_SHIFT  4
+#define IWN_HW_REV_TYPE_MASK   0x000000f0
+#define IWN_HW_REV_TYPE_4965   0
+#define IWN_HW_REV_TYPE_5300   2
+#define IWN_HW_REV_TYPE_5350   3
+#define IWN_HW_REV_TYPE_5150   4
+#define IWN_HW_REV_TYPE_5100   5
+
+/* Possible flags for register IWN_GIO_CHICKEN. */
+#define IWN_GIO_CHICKEN_L1A_NO_L0S_RX  (1 << 23)
+#define IWN_GIO_CHICKEN_DIS_L0S_TIMER  (1 << 29)
+
+/* Possible flags for register IWN_GIO. */
+#define IWN_GIO_L0S_ENA                (1 << 1)
+
+/* Possible flags for register IWN_UCODE_GP1_CLR. */
+#define IWN_UCODE_GP1_RFKILL           (1 << 1)
+#define IWN_UCODE_GP1_CMD_BLOCKED      (1 << 2)
+#define IWN_UCODE_GP1_CTEMP_STOP_RF    (1 << 3)
+
+/* Possible flags/values for register IWN_LED. */
+#define IWN_LED_BSM_CTRL       (1 << 5)
+#define IWN_LED_OFF            0x00000038
+#define IWN_LED_ON             0x00000078
+
+/* Possible values for register IWN_ANA_PLL. */
+#define IWN_ANA_PLL_INIT       0x00880300
+
+/* Possible flags for register IWN_FH_RX_STATUS. */
+#define        IWN_FH_RX_STATUS_IDLE   (1 << 24)
+
+/* Possible flags for register IWN_BSM_WR_CTRL. */
+#define IWN_BSM_WR_CTRL_START_EN       (1 << 30)
+#define IWN_BSM_WR_CTRL_START          (1 << 31)
+
+/* Possible flags for register IWN_INT. */
+#define IWN_INT_ALIVE          (1 <<  0)
+#define IWN_INT_WAKEUP         (1 <<  1)
+#define IWN_INT_SW_RX          (1 <<  3)
+#define IWN_INT_CT_REACHED     (1 <<  6)
+#define IWN_INT_RF_TOGGLED     (1 <<  7)
+#define IWN_INT_SW_ERR         (1 << 25)
+#define IWN_INT_FH_TX          (1 << 27)
+#define IWN_INT_HW_ERR         (1 << 29)
+#define IWN_INT_FH_RX          (1 << 31)
+
+/* Shortcut. */
+#define IWN_INT_MASK                                                   \
+       (IWN_INT_SW_ERR | IWN_INT_HW_ERR | IWN_INT_FH_TX |              \
+        IWN_INT_FH_RX | IWN_INT_ALIVE | IWN_INT_WAKEUP |               \
+        IWN_INT_SW_RX | IWN_INT_CT_REACHED | IWN_INT_RF_TOGGLED)
+
+/* Possible flags for register IWN_FH_INT. */
+#define IWN_FH_INT_TX_CHNL(x)  (1 << (x))
+#define IWN_FH_INT_RX_CHNL(x)  (1 << ((x) + 16))
+#define IWN_FH_INT_HI_PRIOR    (1 << 30)
+/* Shortcuts for the above. */
+#define IWN_FH_INT_TX                                                  \
+       (IWN_FH_INT_TX_CHNL(0) | IWN_FH_INT_TX_CHNL(1))
+#define IWN_FH_INT_RX                                                  \
+       (IWN_FH_INT_RX_CHNL(0) | IWN_FH_INT_RX_CHNL(1) | IWN_FH_INT_HI_PRIOR)
+
+/* Possible flags/values for register IWN_FH_TX_CONFIG. */
+#define IWN_FH_TX_CONFIG_DMA_PAUSE             0
+#define IWN_FH_TX_CONFIG_DMA_ENA               (1 << 31)
+#define IWN_FH_TX_CONFIG_CIRQ_HOST_ENDTFD      (1 << 20)
+
+/* Possible flags/values for register IWN_FH_TXBUF_STATUS. */
+#define IWN_FH_TXBUF_STATUS_TBNUM(x)   ((x) << 20)
+#define IWN_FH_TXBUF_STATUS_TBIDX(x)   ((x) << 12)
+#define IWN_FH_TXBUF_STATUS_TFBD_VALID 3
+
+/* Possible flags for register IWN_FH_TX_CHICKEN. */
+#define IWN_FH_TX_CHICKEN_SCHED_RETRY  (1 << 1)
+
+/* Possible flags for register IWN_FH_TX_STATUS. */
+#define IWN_FH_TX_STATUS_IDLE(chnl)                                    \
+       (1 << ((chnl) + 24) | 1 << ((chnl) + 16))
+
+/* Possible flags for register IWN_FH_RX_CONFIG. */
+#define IWN_FH_RX_CONFIG_ENA           (1 << 31)
+#define IWN_FH_RX_CONFIG_NRBD(x)       ((x) << 20)
+#define IWN_FH_RX_CONFIG_RB_SIZE_8K    (1 << 16)
+#define IWN_FH_RX_CONFIG_SINGLE_FRAME  (1 << 15)
+#define IWN_FH_RX_CONFIG_IRQ_DST_HOST  (1 << 12)
+#define IWN_FH_RX_CONFIG_RB_TIMEOUT(x) ((x) << 4)
+#define IWN_FH_RX_CONFIG_IGN_RXF_EMPTY (1 <<  2)
+
+/* Possible flags for register IWN_FH_TX_CONFIG. */
+#define IWN_FH_TX_CONFIG_DMA_ENA       (1 << 31)
+#define IWN_FH_TX_CONFIG_DMA_CREDIT_ENA        (1 <<  3)
 
-/* possible flags for register IWN_EEPROM_CTL */
-#define IWN_EEPROM_READY       (1 << 0)
+/* Possible flags for register IWN_EEPROM. */
+#define IWN_EEPROM_READ_VALID  (1 << 0)
 #define IWN_EEPROM_CMD         (1 << 1)
 
-/* possible flags for register IWN_TXQ_STATUS */
-#define IWN_TXQ_STATUS_ACTIVE  0x0007fc01
+/* Possible flags for register IWN_SCHED_QUEUE_STATUS. */
+#define IWN4965_TXQ_STATUS_ACTIVE      0x0007fc01
+#define IWN4965_TXQ_STATUS_INACTIVE    0x0007fc00
+#define IWN4965_TXQ_STATUS_AGGR_ENA    (1 << 5 | 1 << 8)
+#define IWN4965_TXQ_STATUS_CHGACT      (1 << 10)
+#define IWN5000_TXQ_STATUS_ACTIVE      0x00ff0018
+#define IWN5000_TXQ_STATUS_INACTIVE    0x00ff0010
+#define IWN5000_TXQ_STATUS_CHGACT      (1 << 19)
+
+/* Possible flags for register IWN_APMG_CLK_CTRL. */
+#define IWN_APMG_CLK_CTRL_DMA_CLK_RQT  (1 <<  9)
+#define IWN_APMG_CLK_CTRL_BSM_CLK_RQT  (1 << 11)
+
+/* Possible flags for register IWN_APMG_PS. */
+#define IWN_APMG_PS_EARLY_PWROFF_DIS   (1 << 22)
+#define IWN_APMG_PS_PWR_SRC_MASK       (3 << 24)
+#define IWN_APMG_PS_PWR_SRC(x)         ((x) << 24)
+#define IWN_APMG_PS_PWR_SRC_VMAIN      0
 
-/* possible flags for register IWN_MEM_POWER */
-#define IWN_POWER_RESET        (1 << 26)
+/* Possible flags for IWN_APMG_PCI_STT. */
+#define IWN_APMG_PCI_STT_L1A_DIS       (1 << 11)
 
-/* possible flags for register IWN_MEM_TEXT_SIZE */
+/* Possible flags for register IWN_BSM_DRAM_TEXT_SIZE. */
 #define IWN_FW_UPDATED (1 << 31)
 
-/* possible flags for device-specific PCI register 0xe8 */
-#define IWN_DIS_NOSNOOP        (1 << 11)
-
-/* possible flags for device-specific PCI register 0xf0 */
-#define IWN_ENA_L1     (1 << 1)
+#define IWN_SCHED_WINSZ                64
+#define IWN_SCHED_LIMIT                64
+#define IWN4965_SCHED_COUNT    512
+#define IWN5000_SCHED_COUNT    (IWN_TX_RING_COUNT + IWN_SCHED_WINSZ)
+#define IWN4965_SCHEDSZ                (IWN4965_NTXQUEUES * 
IWN4965_SCHED_COUNT * 2)
+#define IWN5000_SCHEDSZ                (IWN5000_NTXQUEUES * 
IWN5000_SCHED_COUNT * 2)
 
+struct iwn_tx_desc {
+       uint8_t         reserved1[3];
+       uint8_t         nsegs;
+       struct {
+               uint32_t        addr;
+               uint16_t        len;
+       } __packed      segs[IWN_MAX_SCATTER];
+       /* Pad to 128 bytes. */
+       uint32_t        reserved2;
+} __packed;
 
-#define IWN_TX_WINDOW  64
-struct iwn_shared {
-       uint16_t        len[IWN_NTXQUEUES][512];        /* 16KB total */
+struct iwn_rx_status {
        uint16_t        closed_count;
        uint16_t        closed_rx_count;
        uint16_t        finished_count;
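Review bot: The bit-31 flags added here (`IWN_BSM_WR_CTRL_START`, `IWN_INT_FH_RX`, `IWN_FH_TX_CONFIG_DMA_ENA`, `IWN_FH_RX_CONFIG_ENA`, and `IWN_FH_TX_STATUS_IDLE(chnl)` for chnl 7) are written as `(1 << 31)`, which shifts into the sign bit of an int and is undefined behaviour in C; `(1U << 31)` avoids that and keeps the value unsigned when it is combined with a uint32_t register read. `IWN_FH_TX_CONFIG_DMA_ENA` is also defined twice in this hunk, under two separate "register IWN_FH_TX_CONFIG" comments, and the two groups should be merged. Separately, `IWN_RBUF_SIZE` drops from 8K to 4K while `IWN_FH_RX_CONFIG_RB_SIZE_8K` is introduced. The RX ring setup is outside this hunk, so it is worth confirming that flag is never programmed with 4K buffers, since the device would then be told it may DMA past the end of each receive buffer. struct iwn_rx_status continues in the next hunk.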
@@ -193,80 +322,63 @@ struct iwn_shared {
        uint32_t        reserved[2];
 } __packed;
 
-struct iwn_tx_desc {
-       uint32_t        flags;
-       struct {
-               uint32_t        w1;
-               uint32_t        w2;
-               uint32_t        w3;
-       } __packed      segs[IWN_MAX_SCATTER / 2];
-       /* pad to 128 bytes */
-       uint32_t        reserved;
-} __packed;
-
-#define IWN_SET_DESC_NSEGS(d, x)                                       \
-       (d)->flags = htole32(((x) & 0x1f) << 24)
-
-/* set a segment physical address and length in a Tx descriptor */
-#define IWN_SET_DESC_SEG(d, n, addr, size) do {                                
\
-               if ((n) & 1) {                                          \
-                       (d)->segs[(n) / 2].w2 |=                        \
-                           htole32(((addr) & 0xffff) << 16);           \
-                       (d)->segs[(n) / 2].w3 =                         \
-                           htole32((((addr) >> 16) & 0xffff) | (size) << 20); \
-               } else {                                                \
-                       (d)->segs[(n) / 2].w1 = htole32(addr);          \
-                       (d)->segs[(n) / 2].w2 = htole32((size) << 4);   \
-               }                                                       \
-       } while (0)
-
 struct iwn_rx_desc {
        uint32_t        len;
        uint8_t         type;
-#define IWN_UC_READY             1
-#define IWN_ADD_NODE_DONE       24
-#define IWN_TX_DONE             28
-#define IWN_START_SCAN         130
-#define IWN_STOP_SCAN          132
-#define IWN_RX_STATISTICS      156
-#define IWN_BEACON_STATISTICS  157
-#define IWN_STATE_CHANGED      161
-#define IWN_BEACON_MISSED      162
-#define IWN_AMPDU_RX_START     192
-#define IWN_AMPDU_RX_DONE      193
-#define IWN_RX_DONE            195
+#define IWN_UC_READY                     1
+#define IWN_ADD_NODE_DONE               24
+#define IWN_TX_DONE                     28
+#define IWN5000_CALIBRATION_RESULT     102
+#define IWN5000_CALIBRATION_DONE       103
+#define IWN_START_SCAN                 130
+#define IWN_STOP_SCAN                  132
+#define IWN_RX_STATISTICS              156
+#define IWN_BEACON_STATISTICS          157
+#define IWN_STATE_CHANGED              161
+#define IWN_BEACON_MISSED              162
+#define IWN_RX_PHY                     192
+#define IWN_MPDU_RX_DONE               193
+#define IWN_RX_DONE                    195
 
        uint8_t         flags;
        uint8_t         idx;
        uint8_t         qid;
 } __packed;
 
-/* possible Rx status flags */
-#define IWN_RX_NO_CRC_ERR      (1 << 0)
-#define IWN_RX_NO_OVFL_ERR     (1 << 1)
-/* shortcut for the above */
+/* Possible RX status flags. */
+#define IWN_RX_NO_CRC_ERR      (1 <<  0)
+#define IWN_RX_NO_OVFL_ERR     (1 <<  1)
+/* Shortcut for the above. */
 #define IWN_RX_NOERROR (IWN_RX_NO_CRC_ERR | IWN_RX_NO_OVFL_ERR)
+#define IWN_RX_MPDU_MIC_OK     (1 <<  6)
+#define IWN_RX_CIPHER_MASK     (7 <<  8)
+#define IWN_RX_CIPHER_CCMP     (2 <<  8)
+#define IWN_RX_MPDU_DEC                (1 << 11)
+#define IWN_RX_DECRYPT_MASK    (3 << 11)
+#define IWN_RX_DECRYPT_OK      (3 << 11)
 
 struct iwn_tx_cmd {
        uint8_t code;
 #define IWN_CMD_CONFIGURE               16
 #define IWN_CMD_ASSOCIATE               17
-#define IWN_CMD_SET_WME          19
-#define IWN_CMD_TSF                     20
+#define IWN_CMD_EDCA_PARAMS             19
+#define IWN_CMD_TIMING                  20
 #define IWN_CMD_ADD_NODE                24
 #define IWN_CMD_TX_DATA                         28
-#define IWN_CMD_NODE_MRR_SETUP          78
+#define IWN_CMD_LINK_QUALITY            78
 #define IWN_CMD_SET_LED                         72
+#define IWN5000_CMD_WIMAX_COEX          90
+#define IWN5000_CMD_CALIB_CONFIG       101
 #define IWN_CMD_SET_POWER_MODE         119
 #define IWN_CMD_SCAN                   128
-#define IWN_CMD_SCAN_ABORT             129
 #define IWN_CMD_SET_BEACON             145
 #define IWN_CMD_TXPOWER                        151
-#define IWN_CMD_BLUETOOTH              155
+#define IWN_CMD_TXPOWER_DBM            152
+#define IWN_CMD_BT_COEX                        155
 #define IWN_CMD_GET_STATISTICS         156
 #define IWN_CMD_SET_CRITICAL_TEMP      164
-#define IWN_SENSITIVITY                        168
-#define IWN_PHY_CALIB                  176
+#define IWN_CMD_SET_SENSITIVITY                168
+#define IWN_CMD_PHY_CALIB              176
 
        uint8_t flags;
        uint8_t idx;
@@ -274,8 +386,15 @@ struct iwn_tx_cmd {
        uint8_t data[136];
 } __packed;
 
-/* structure for command IWN_CMD_CONFIGURE */
-struct iwn_config {
+/* Antenna flags, used in various commands. */
+#define IWN_ANT_A      (1 << 0)
+#define IWN_ANT_B      (1 << 1)
+#define IWN_ANT_C      (1 << 2)
+/* Shortcut. */
+#define IWN_ANT_ABC    (IWN_ANT_A | IWN_ANT_B | IWN_ANT_C)
+
+/* Structure for command IWN_CMD_CONFIGURE. */
+struct iwn_rxon {
        uint8_t         myaddr[IEEE80211_ADDR_LEN];
        uint16_t        reserved1;
        uint8_t         bssid[IEEE80211_ADDR_LEN];
@@ -288,24 +407,30 @@ struct iwn_config {
 #define IWN_MODE_IBSS          4
 #define IWN_MODE_MONITOR       6
 
-       uint8_t         reserved4;
+       uint8_t         air;
        uint16_t        rxchain;
-#define IWN_RXCHAIN_ANTMSK_SHIFT       1
-#define IWN_RXCHAIN_FORCE_MIMO         (1 << 14)
+#define IWN_RXCHAIN_FORCE              (1 << 0)
+#define IWN_RXCHAIN_VALID(x)           ((x) <<  1)
+#define IWN_RXCHAIN_SEL(x)             ((x) <<  4)
+#define IWN_RXCHAIN_MIMO(x)            ((x) <<  7)
+#define IWN_RXCHAIN_IDLE_COUNT(x)      ((x) << 10)
+#define IWN_RXCHAIN_MIMO_COUNT(x)      ((x) << 12)
+#define IWN_RXCHAIN_MIMO_FORCE         (1 << 14)
 
        uint8_t         ofdm_mask;
        uint8_t         cck_mask;
        uint16_t        associd;
        uint32_t        flags;
-#define IWN_CONFIG_24GHZ       (1 <<  0)
-#define IWN_CONFIG_CCK         (1 <<  1)
-#define IWN_CONFIG_AUTO                (1 <<  2)
-#define IWN_CONFIG_SHSLOT      (1 <<  4)
-#define IWN_CONFIG_SHPREAMBLE  (1 <<  5)
-#define IWN_CONFIG_NODIVERSITY (1 <<  7)
-#define IWN_CONFIG_ANTENNA_A   (1 <<  8)
-#define IWN_CONFIG_ANTENNA_B   (1 <<  9)
-#define IWN_CONFIG_TSF         (1 << 15)
+#define IWN_RXON_24GHZ (1 <<  0)
+#define IWN_RXON_CCK           (1 <<  1)
+#define IWN_RXON_AUTO          (1 <<  2)
+#define IWN_RXON_SHSLOT                (1 <<  4)
+#define IWN_RXON_SHPREAMBLE    (1 <<  5)
+#define IWN_RXON_NODIVERSITY   (1 <<  7)
+#define IWN_RXON_ANTENNA_A     (1 <<  8)
+#define IWN_RXON_ANTENNA_B     (1 <<  9)
+#define IWN_RXON_TSF           (1 << 15)
+#define IWN_RXON_CTS_TO_SELF   (1 << 30)
 
        uint32_t        filter;
 #define IWN_FILTER_PROMISC     (1 << 0)
@@ -313,14 +438,23 @@ struct iwn_config {
 #define IWN_FILTER_MULTICAST   (1 << 2)
 #define IWN_FILTER_NODECRYPT   (1 << 3)
 #define IWN_FILTER_BSS         (1 << 5)
+#define IWN_FILTER_BEACON      (1 << 6)
 
        uint8_t         chan;
-       uint8_t         reserved5;
+       uint8_t         reserved4;
        uint8_t         ht_single_mask;
        uint8_t         ht_dual_mask;
+       /* The following fields are for 5000 Series only. */
+       uint8_t         ht_triple_mask;
+       uint8_t         reserved5;
+       uint16_t        acquisition;
+       uint16_t        reserved6;
 } __packed;
 
-/* structure for command IWN_CMD_ASSOCIATE */
+#define IWN4965_RXONSZ (sizeof (struct iwn_rxon) - 6)
+#define IWN5000_RXONSZ (sizeof (struct iwn_rxon))
+
+/* Structure for command IWN_CMD_ASSOCIATE. */
 struct iwn_assoc {
        uint32_t        flags;
        uint32_t        filter;
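Review bot: `IWN4965_RXONSZ` is computed as `sizeof (struct iwn_rxon) - 6`, where the 6 is the byte count of the four 5000-only trailing fields (`ht_triple_mask`, `reserved5`, `acquisition`, `reserved6`) and nothing ties the literal to them. If one of those fields is added to or resized, the 4965 command length changes silently and the firmware is handed either a truncated command or bytes it was not meant to receive. Deriving the length from the layout keeps the two in step: `#define IWN4965_RXONSZ offsetof(struct iwn_rxon, ht_triple_mask)`. struct iwn_rxon begins in an earlier hunk.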
@@ -329,8 +463,8 @@ struct iwn_assoc {
        uint16_t        reserved;
 } __packed;
 
-/* structure for command IWN_CMD_SET_WME */
-struct iwn_wme_setup {
+/* Structure for command IWN_CMD_EDCA_PARAMS. */
+struct iwn_edca_params {
        uint32_t        flags;
 #define IWN_EDCA_UPDATE        (1 << 0)
 #define IWN_EDCA_TXOP  (1 << 4)
@@ -340,12 +474,12 @@ struct iwn_wme_setup {
                uint16_t        cwmax;
                uint8_t         aifsn;
                uint8_t         reserved;
-               uint16_t        txop;
+               uint16_t        txoplimit;
        } __packed      ac[WME_NUM_AC];
 } __packed;
 
-/* structure for command IWN_CMD_TSF */
-struct iwn_cmd_tsf {
+/* Structure for command IWN_CMD_TIMING. */
+struct iwn_cmd_timing {
        uint64_t        tstamp;
        uint16_t        bintval;
        uint16_t        atim;
@@ -354,67 +488,110 @@ struct iwn_cmd_tsf {
        uint16_t        reserved;
 } __packed;
 
-/* structure for command IWN_CMD_ADD_NODE */
+/* Structure for command IWN_CMD_ADD_NODE. */
 struct iwn_node_info {
        uint8_t         control;
 #define IWN_NODE_UPDATE                (1 << 0)
 
        uint8_t         reserved1[3];
+
        uint8_t         macaddr[IEEE80211_ADDR_LEN];
        uint16_t        reserved2;
        uint8_t         id;
 #define IWN_ID_BSS              0
-#define IWN_ID_BROADCAST       31
+#define IWN5000_ID_BROADCAST   15
+#define IWN4965_ID_BROADCAST   31
 
        uint8_t         flags;
-#define IWN_FLAG_SET_KEY       (1 << 0)
+#define IWN_FLAG_SET_KEY               (1 << 0)
+#define IWN_FLAG_SET_DISABLE_TID       (1 << 1)
+#define IWN_FLAG_SET_TXRATE            (1 << 2)
+#define IWN_FLAG_SET_ADDBA             (1 << 3)
+#define IWN_FLAG_SET_DELBA             (1 << 4)
 
        uint16_t        reserved3;
-       uint16_t        security;
+       uint16_t        kflags;
+#define IWN_KFLAG_CCMP         (1 <<  1)
+#define IWN_KFLAG_MAP          (1 <<  3)
+#define IWN_KFLAG_KID(kid)     ((kid) << 8)
+#define IWN_KFLAG_INVALID      (1 << 11)
+#define IWN_KFLAG_GROUP                (1 << 14)
+
        uint8_t         tsc2;   /* TKIP TSC2 */
        uint8_t         reserved4;
        uint16_t        ttak[5];
-       uint16_t        reserved5;
-       uint8_t         key[IEEE80211_KEYBUF_SIZE];
+       uint8_t         kid;
+       uint8_t         reserved5;
+       uint8_t         key[16];
+       /* The following 3 fields are for 5000 Series only. */
+       uint64_t        tsc;
+       uint8_t         rxmic[IWN_TKIP_MICLEN];
+       uint8_t         txmic[IWN_TKIP_MICLEN];
+
        uint32_t        htflags;
-#define IWN_AMDPU_SIZE_FACTOR_SHIFT    19
-#define IWN_AMDPU_DENSITY_SHIFT                23
+#define IWN_AMDPU_SIZE_FACTOR(x)       ((x) << 19)
+#define IWN_AMDPU_DENSITY(x)           ((x) << 23)
 
        uint32_t        mask;
-       uint16_t        tid;
-       uint8_t         rate;
-       uint8_t         rflags;
-#define IWN_RFLAG_CCK  (1 << 1)
-#define IWN_RFLAG_ANT_A        (1 << 6)
-#define IWN_RFLAG_ANT_B        (1 << 7)
+       uint16_t        disable_tid;
+       uint16_t        reserved6;
+       uint8_t         addba_tid;
+       uint8_t         delba_tid;
+       uint16_t        addba_ssn;
+       uint32_t        reserved7;
+} __packed;
 
-       uint8_t         add_imm;
-       uint8_t         del_imm;
-       uint16_t        add_imm_start;
-       uint32_t        reserved6;
+struct iwn4965_node_info {
+       uint8_t         control;
+       uint8_t         reserved1[3];
+       uint8_t         macaddr[IEEE80211_ADDR_LEN];
+       uint16_t        reserved2;
+       uint8_t         id;
+       uint8_t         flags;
+       uint16_t        reserved3;
+       uint16_t        kflags;
+       uint8_t         tsc2;   /* TKIP TSC2 */
+       uint8_t         reserved4;
+       uint16_t        ttak[5];
+       uint8_t         kid;
+       uint8_t         reserved5;
+       uint8_t         key[16];
+       uint32_t        htflags;
+       uint32_t        mask;
+       uint16_t        disable_tid;
+       uint16_t        reserved6;
+       uint8_t         addba_tid;
+       uint8_t         delba_tid;
+       uint16_t        addba_ssn;
+       uint32_t        reserved7;
 } __packed;
 
-/* structure for command IWN_CMD_TX_DATA */
+#define IWN_RFLAG_CCK          (1 << 1)
+#define IWN_RFLAG_ANT(x)       ((x) << 6)
+
+/* Structure for command IWN_CMD_TX_DATA. */
 struct iwn_cmd_data {
        uint16_t        len;
        uint16_t        lnext;
        uint32_t        flags;
+#define IWN_TX_NEED_PROTECTION (1 <<  0)       /* 5000 only */
 #define IWN_TX_NEED_RTS                (1 <<  1)
 #define IWN_TX_NEED_CTS                (1 <<  2)
 #define IWN_TX_NEED_ACK                (1 <<  3)
-#define IWN_TX_USE_NODE_RATE   (1 <<  4)
+#define IWN_TX_LINKQ           (1 <<  4)
+#define IWN_TX_IMM_BA          (1 <<  6)
 #define IWN_TX_FULL_TXOP       (1 <<  7)
 #define IWN_TX_BT_DISABLE      (1 << 12)       /* bluetooth coexistence */
 #define IWN_TX_AUTO_SEQ                (1 << 13)
+#define IWN_TX_MORE_FRAG       (1 << 14)
 #define IWN_TX_INSERT_TSTAMP   (1 << 16)
 #define IWN_TX_NEED_PADDING    (1 << 20)
 
-       uint8_t         ntries;
-       uint8_t         bluetooth;
-       uint16_t        reserved1;
-       uint8_t         rate;
+       uint32_t        scratch;
+       uint8_t         plcp;
        uint8_t         rflags;
        uint16_t        xrflags;
+
        uint8_t         id;
        uint8_t         security;
 #define IWN_CIPHER_WEP40       1
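Review bot: The `key` buffers in `struct iwn_node_info` and `struct iwn4965_node_info` are now sized with a bare `16` instead of `IEEE80211_KEYBUF_SIZE` (the next hunk makes the same change in `struct iwn_cmd_data`), so the field size no longer follows the net80211 key buffer size. The code that copies key material into these fields is outside this hunk; it should bound the copy by `sizeof` of the destination field rather than by the key's own length. If the size is fixed by the firmware command format, which seems likely but is not shown here, a named constant would say so, e.g. `#define IWN_KEY_LEN 16 /* hardware key slot size */` (the name is only a suggestion). The two node-info structs also repeat every common field by hand, so a comment on `iwn4965_node_info` stating that it must match `iwn_node_info` minus the three 5000-only fields would help keep them in sync.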
@@ -422,9 +599,9 @@ struct iwn_cmd_data {
 #define IWN_CIPHER_TKIP                3
 #define IWN_CIPHER_WEP104      9
 
-       uint8_t         ridx;
+       uint8_t         linkq;
        uint8_t         reserved2;
-       uint8_t         key[IEEE80211_KEYBUF_SIZE];
+       uint8_t         key[16];
        uint16_t        fnext;
        uint16_t        reserved3;
        uint32_t        lifetime;
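Review bot: `uint8_t key[16];` replaces the net80211 constant `IEEE80211_KEYBUF_SIZE` with a bare literal, so the size of this firmware key slot is no longer tied to the size of the key the stack hands to the driver. The same literal appears in the node command structure in the previous hunk. The code that copies key material into these fields is outside the hunk; it should bound the copy by `sizeof` of the destination field rather than by the key's own length. A comment such as `/* 128-bit key slot; bound copies by sizeof(key) */` on both fields would record that. `struct iwn_cmd_data` starts and ends outside this hunk.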
@@ -439,60 +616,30 @@ struct iwn_cmd_data {
        uint16_t        txop;
 } __packed;
 
-/* structure for command IWN_CMD_SET_BEACON */
-struct iwn_cmd_beacon {
-       uint16_t        len;
-       uint16_t        reserved1;
-       uint32_t        flags;  /* same as iwn_cmd_data */
-       uint8_t         try_cnt;
-       uint8_t         kill_cnt;
-       uint16_t        reserved2;
-       uint8_t         rate;
-       uint8_t         flags2;
-       uint16_t        ext_flags;
-       uint8_t         id;
-       uint8_t         reserved3[23];
-       uint32_t        lifetime;
-       uint32_t        reserved4;
-       uint8_t         reserved5;
-       uint8_t         reserved6;
-       uint8_t         reserved7;
-       uint16_t        reserved8[9];
-       uint16_t        tim;
-       uint8_t         timsz;
-       uint8_t         reserved9;
-       struct          ieee80211_frame wh;
-} __packed;
-
-/* structure for command IWN_CMD_MRR_NODE_SETUP */
+/* Structure for command IWN_CMD_LINK_QUALITY. */
 #define IWN_MAX_TX_RETRIES     16
-struct iwn_cmd_mrr {
+struct iwn_cmd_link_quality {
        uint8_t         id;
        uint8_t         reserved1;
        uint16_t        ctl;
        uint8_t         flags;
        uint8_t         mimo;
-       uint8_t         ssmask;
-       uint8_t         dsmask;
+       uint8_t         antmsk_1stream;
+       uint8_t         antmsk_2stream;
        uint8_t         ridx[WME_NUM_AC];
        uint16_t        ampdu_limit;
-       uint8_t         ampdu_disable;
+       uint8_t         ampdu_threshold;
        uint8_t         ampdu_max;
        uint32_t        reserved2;
        struct {
-               uint8_t         rate;
-#define IWN_CCK1        0
-#define IWN_CCK11       3
-#define IWN_OFDM6       4
-#define IWN_OFDM54     11
-
+               uint8_t         plcp;
                uint8_t         rflags;
                uint16_t        xrflags;
-       }               table[IWN_MAX_TX_RETRIES];
+       } __packed      retry[IWN_MAX_TX_RETRIES];
        uint32_t        reserved3;
 } __packed;
 
-/* structure for command IWN_CMD_SET_LED */
+/* Structure for command IWN_CMD_SET_LED. */
 struct iwn_cmd_led {
        uint32_t        unit;   /* multiplier (in usecs) */
        uint8_t         which;
@@ -504,71 +651,150 @@ struct iwn_cmd_led {
        uint8_t         reserved;
 } __packed;
 
-/* structure for command IWN_CMD_SET_POWER_MODE */
-struct iwn_power {
+/* Structure for command IWN5000_CMD_WIMAX_COEX. */
+struct iwn5000_wimax_coex {
+       uint32_t        flags;
+       struct {
+               uint8_t request;
+               uint8_t window;
+               uint8_t reserved;
+               uint8_t flags;
+       } __packed      events[16];
+} __packed;
+
+/* Structures for command IWN5000_CMD_CALIB_CONFIG. */
+struct iwn5000_calib_elem {
+       uint32_t        enable;
+       uint32_t        start;
+       uint32_t        send;
+       uint32_t        apply;
+       uint32_t        reserved;
+} __packed;
+
+struct iwn5000_calib_status {
+       struct iwn5000_calib_elem       once;
+       struct iwn5000_calib_elem       perd;
+       uint32_t                        flags;
+} __packed;
+
+struct iwn5000_calib_config {
+       struct iwn5000_calib_status     ucode;
+       struct iwn5000_calib_status     driver;
+       uint32_t                        reserved;
+} __packed;
+
+/* Structure for command IWN_CMD_SET_POWER_MODE. */
+struct iwn_pmgt_cmd {
        uint16_t        flags;
-#define IWN_POWER_CAM  0       /* constantly awake mode */
+#define IWN_PS_ALLOW_SLEEP     (1 << 0)
+#define IWN_PS_NOTIFY          (1 << 1)
+#define IWN_PS_SLEEP_OVER_DTIM (1 << 2)
+#define IWN_PS_PCI_PMGT                (1 << 3)
+#define IWN_PS_FAST_PD         (1 << 4)
 
-       uint8_t         alive;
+       uint8_t         keepalive;
        uint8_t         debug;
-       uint32_t        rx_timeout;
-       uint32_t        tx_timeout;
-       uint32_t        sleep[5];
+       uint32_t        rxtimeout;
+       uint32_t        txtimeout;
+       uint32_t        intval[5];
        uint32_t        beacons;
 } __packed;
 
-/* structures for command IWN_CMD_SCAN */
+/* Structures for command IWN_CMD_SCAN. */
 struct iwn_scan_essid {
        uint8_t id;
        uint8_t len;
        uint8_t data[IEEE80211_NWID_LEN];
 } __packed;
 
+#define IWN_MAX_PROBES  20
+
 struct iwn_scan_hdr {
        uint16_t        len;
        uint8_t         reserved1;
        uint8_t         nchan;
-       uint16_t        quiet;
-       uint16_t        plcp_threshold;
+       uint16_t        quiet_time;
+       uint16_t        quiet_threshold;
        uint16_t        crc_threshold;
        uint16_t        rxchain;
        uint32_t        max_svc;        /* background scans */
        uint32_t        pause_svc;      /* background scans */
        uint32_t        flags;
        uint32_t        filter;
-
-       /* followed by a struct iwn_cmd_data */
-       /* followed by an array of 4x struct iwn_scan_essid */
-       /* followed by probe request body */
-       /* followed by nchan x struct iwn_scan_chan */
+       struct iwn_cmd_data tx_cmd;
+       struct iwn_scan_essid scan_essid[IWN_MAX_PROBES];
+       struct ieee80211_frame  wh;
+       uint8_t         data[0];    /* nchan x struct iwn_scan_chan */
 } __packed;
 
 struct iwn_scan_chan {
-       uint8_t         flags;
-#define IWN_CHAN_ACTIVE        (1 << 0)
-#define IWN_CHAN_DIRECT        (1 << 1)
+       uint32_t        flags;
+#define IWN_CHAN_ACTIVE                (1 << 0)
+#define IWN_CHAN_NPBREQS(x)    (((1 << (x)) - 1) << 1)
 
-       uint8_t         chan;
+       uint16_t        chan;
        uint8_t         rf_gain;
        uint8_t         dsp_gain;
        uint16_t        active;         /* msecs */
        uint16_t        passive;        /* msecs */
 } __packed;
 
-/* structure for command IWN_CMD_TXPOWER */
+/* Maximum size of a scan command. */
+#define IWN_SCAN_MAXSZ (MCLBYTES - 4)
+
+/* structure for command IWN_CMD_SET_BEACON */
+struct iwn_cmd_beacon {
+        uint16_t        len;            
+       uint16_t        reserved1;      
+       uint32_t        flags;  /* same as iwn_cmd_data */
+       uint8_t         try_cnt;
+       uint8_t         kill_cnt;       
+       uint16_t        reserved2;      
+       uint8_t         rate;
+       uint8_t         flags2;
+       uint16_t        ext_flags;
+       uint8_t         id;
+       uint8_t         reserved3[23];
+       uint32_t        lifetime;     
+       uint32_t        reserved4;    
+       uint8_t         reserved5;    
+       uint8_t         reserved6;    
+       uint8_t         reserved7;    
+       uint16_t        reserved8[9]; 
+       uint16_t        tim;
+       uint8_t         timsz;
+       uint8_t         reserved9;    
+       struct          ieee80211_frame wh;
+} __packed;
+
+
+/* Structure for command IWN_CMD_TXPOWER (4965AGN only.) */
 #define IWN_RIDX_MAX   32
-struct iwn_cmd_txpower {
-       uint8_t band;
-       uint8_t reserved1;
-       uint8_t chan;
-       uint8_t reserved2;
+struct iwn4965_cmd_txpower {
+       uint8_t         band;
+       uint8_t         reserved1;
+       uint8_t         chan;
+       uint8_t         reserved2;
        struct {
-               uint8_t rf_gain[IWN_NTXCHAINS];
-               uint8_t dsp_gain[IWN_NTXCHAINS];
-       }       power[IWN_RIDX_MAX + 1];
+               uint8_t rf_gain[2];
+               uint8_t dsp_gain[2];
+       } __packed      power[IWN_RIDX_MAX + 1];
+} __packed;
+
+/* Structure for command IWN_CMD_TXPOWER_DBM (5000 Series only.) */
+struct iwn5000_cmd_txpower {
+       int8_t  global_limit;   /* in half-dBm */
+#define IWN5000_TXPOWER_AUTO           0x7f
+#define IWN5000_TXPOWER_MAX_DBM                16
+
+       uint8_t flags;
+#define IWN5000_TXPOWER_NO_CLOSED      (1 << 6)
+
+       int8_t  srv_limit;      /* in half-dBm */
+       uint8_t reserved;
 } __packed;
 
-/* structure for command IWN_CMD_BLUETOOTH */
+/* Structure for command IWN_CMD_BLUETOOTH. */
 struct iwn_bluetooth {
        uint8_t         flags;
        uint8_t         lead;
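Review bot: `struct iwn_scan_hdr` now has a large fixed part (`tx_cmd`, `scan_essid[IWN_MAX_PROBES]`, `wh`) ahead of the variable tail, but nothing in this hunk ties that size plus `nchan` entries of `struct iwn_scan_chan` to `IWN_SCAN_MAXSZ`. The code that builds the scan command is outside the hunk and may already check this; if not, it should stop appending channels (and any probe-request body after `wh`) once the next element would pass `IWN_SCAN_MAXSZ`. The comment on `data` names only the channel array, whereas the removed comments also listed a probe request body before it, so the layout comment should say where that body now goes. `uint8_t data[0];` is a GNU zero-length array; the C99 form is `uint8_t data[];`. `flags` and `chan` in `struct iwn_scan_chan` were widened from `uint8_t`, so the code that fills them now needs explicit little-endian conversion if the firmware expects it, as it presumably does for the other multi-byte fields.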
@@ -578,18 +804,18 @@ struct iwn_bluetooth {
        uint32_t        cts;
 } __packed;
 
-/* structure for command IWN_CMD_SET_CRITICAL_TEMP */
+/* Structure for command IWN_CMD_SET_CRITICAL_TEMP. */
 struct iwn_critical_temp {
        uint32_t        reserved;
        uint32_t        tempM;
        uint32_t        tempR;
-/* degK <-> degC conversion macros */
+/* degK <-> degC conversion macros. */
 #define IWN_CTOK(c)    ((c) + 273)
 #define IWN_KTOC(k)    ((k) - 273)
 #define IWN_CTOMUK(c)  (((c) * 1000000) + 273150000)
 } __packed;
 
-/* structure for command IWN_SENSITIVITY */
+/* Structure for command IWN_CMD_SET_SENSITIVITY. */
 struct iwn_sensitivity_cmd {
        uint16_t        which;
 #define IWN_SENSITIVITY_DEFAULTTBL     0
@@ -608,21 +834,74 @@ struct iwn_sensitivity_cmd {
        uint16_t        energy_ofdm_th;
 } __packed;
 
-/* structure for command IWN_PHY_CALIB */
-struct iwn_phy_calib_cmd {
-       uint8_t         code;
-#define IWN_SET_DIFF_GAIN      7
+/* Structures for command IWN_CMD_PHY_CALIB. */
+struct iwn_phy_calib {
+       uint8_t code;
+#define IWN4965_PHY_CALIB_DIFF_GAIN             7
+#define IWN5000_PHY_CALIB_DC                    8
+#define IWN5000_PHY_CALIB_LO                    9
+#define IWN5000_PHY_CALIB_TX_IQ                        11
+#define IWN5000_PHY_CALIB_CRYSTAL              15
+#define IWN5000_PHY_CALIB_BASE_BAND            16
+#define IWN5000_PHY_CALIB_TX_IQ_PERD           17
+#define IWN5000_PHY_CALIB_RESET_NOISE_GAIN     18
+#define IWN5000_PHY_CALIB_NOISE_GAIN           19
+
+       uint8_t group;
+       uint8_t ngroups;
+       uint8_t isvalid;
+} __packed;
 
-       uint8_t         flags;
-       uint16_t        reserved1;
-       int8_t          gain[3];
-#define IWN_GAIN_SET   (1 << 2)
+struct iwn5000_phy_calib_crystal {
+       uint8_t code;
+       uint8_t group;
+       uint8_t ngroups;
+       uint8_t isvalid;
 
-       uint8_t         reserved2;
+       uint8_t cap_pin[2];
+       uint8_t reserved[2];
 } __packed;
 
+struct iwn_phy_calib_gain {
+       uint8_t code;
+       uint8_t group;
+       uint8_t ngroups;
+       uint8_t isvalid;
+
+       int8_t  gain[3];
+       uint8_t reserved;
+} __packed;
+
+/* Structure for command IWN_CMD_SPECTRUM_MEASUREMENT. */
+struct iwn_spectrum_cmd {
+       uint16_t        len;
+       uint8_t         token;
+       uint8_t         id;
+       uint8_t         origin;
+       uint8_t         periodic;
+       uint16_t        timeout;
+       uint32_t        start;
+       uint32_t        reserved1;
+       uint32_t        flags;
+       uint32_t        filter;
+       uint16_t        nchan;
+       uint16_t        reserved2;
+       struct {
+               uint32_t        duration;
+               uint8_t         chan;
+               uint8_t         type;
+#define IWN_MEASUREMENT_BASIC          (1 << 0)
+#define IWN_MEASUREMENT_CCA            (1 << 1)
+#define IWN_MEASUREMENT_RPI_HISTOGRAM  (1 << 2)
+#define IWN_MEASUREMENT_NOISE_HISTOGRAM        (1 << 3)
+#define IWN_MEASUREMENT_FRAME          (1 << 4)
+#define IWN_MEASUREMENT_IDLE           (1 << 7)
 
-/* structure for IWN_UC_READY notification */
+               uint16_t        reserved;
+       } __packed      chan[10];
+} __packed;
+
+/* Structure for IWN_UC_READY notification. */
 #define IWN_NATTEN_GROUPS      5
 struct iwn_ucode_info {
        uint8_t         minor;
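Review bot: `chan[10]` in `struct iwn_spectrum_cmd` is a bare literal sitting next to a separate `nchan` count, and nothing links the two. A named constant for the array size, used both in the declaration and wherever `nchan` is set, would keep the count from exceeding the array; the code that fills this command is not in the hunk. `struct iwn5000_phy_calib_crystal` and `struct iwn_phy_calib_gain` also repeat the four leading fields of `struct iwn_phy_calib` by hand, so a comment such as `/* first four fields must match struct iwn_phy_calib */` on each would help keep them in step.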
@@ -636,25 +915,25 @@ struct iwn_ucode_info {
 
        uint16_t        reserved2;
        uint32_t        logptr;
-       uint32_t        errorptr;
+       uint32_t        errptr;
        uint32_t        tstamp;
        uint32_t        valid;
 
-       /* the following fields are for UCODE_INIT only */
+       /* The following fields are for UCODE_INIT only. */
        int32_t         volt;
        struct {
                int32_t chan20MHz;
                int32_t chan40MHz;
        } __packed      temp[4];
-       int32_t         atten[IWN_NATTEN_GROUPS][IWN_NTXCHAINS];
+       int32_t         atten[IWN_NATTEN_GROUPS][2];
 } __packed;
 
-/* structure for IWN_TX_DONE notification */
-struct iwn_tx_stat {
+/* Structures for IWN_TX_DONE notification. */
+struct iwn4965_tx_stat {
        uint8_t         nframes;
-       uint8_t         nkill;
-       uint8_t         nrts;
-       uint8_t         ntries;
+       uint8_t         killcnt;
+       uint8_t         rtscnt;
+       uint8_t         retrycnt;
        uint8_t         rate;
        uint8_t         rflags;
        uint16_t        xrflags;
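Review bot: `atten[IWN_NATTEN_GROUPS][2]` replaces `IWN_NTXCHAINS` with a literal, and the same substitution is made for `rf_gain[2]`/`dsp_gain[2]` in `struct iwn4965_cmd_txpower` and `samples[2][IWN_NSAMPLES]` in `struct iwn4965_eeprom_chan_samples` in other hunks. If any loop outside these hunks still indexes those arrays by a chain count that can exceed two, it will run past the array. A 4965-specific named constant would document the fixed layout and give those loops a bound to use. `struct iwn_ucode_info` starts outside this hunk.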
@@ -662,17 +941,28 @@ struct iwn_tx_stat {
        uint16_t        reserved;
        uint32_t        power[2];
        uint32_t        status;
-       /* from FreeBSD driver... XXX */
-#define IWN_TX_SUCCESS                  0x00
-#define IWN_TX_FAIL                     0x80    /* all failures have 0x80 set 
*/
-#define IWN_TX_FAIL_SHORT_LIMIT         0x82    /* too many RTS retries */
-#define IWN_TX_FAIL_LONG_LIMIT          0x83    /* too many retries */
-#define IWN_TX_FAIL_FIFO_UNDERRRUN      0x84    /* tx fifo not kept running */
-#define IWN_TX_FAIL_DEST_IN_PS          0x88    /* sta found in power save */
-#define IWN_TX_FAIL_TX_LOCKED           0x90    /* waiting to see traffic */
 } __packed;
 
-/* structure for IWN_BEACON_MISSED notification */
+struct iwn5000_tx_stat {
+       uint8_t         nframes;
+       uint8_t         killcnt;
+       uint8_t         rtscnt;
+       uint8_t         retrycnt;
+       uint8_t         rate;
+       uint8_t         rflags;
+       uint16_t        xrflags;
+       uint16_t        duration;
+       uint16_t        reserved;
+       uint32_t        power[2];
+       uint32_t        info;
+       uint16_t        seq;
+       uint16_t        len;
+       uint32_t        tlc;
+       uint16_t        status;
+       uint16_t        sequence;
+} __packed;
+
+/* Structure for IWN_BEACON_MISSED notification. */
 struct iwn_beacon_missed {
        uint32_t        consecutive;
        uint32_t        total;
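Review bot: `status` is `uint32_t` in `struct iwn4965_tx_stat` but `uint16_t` in `struct iwn5000_tx_stat`, and this hunk also removes the `IWN_TX_FAIL_*` values that were the only description of what the field holds. The TX-done handlers are outside the hunk; each needs the byte-order conversion that matches its own field width. I would add a comment on both fields, e.g. `/* TX completion status; 16 bits on 5000, 32 bits on 4965 */`, and keep or relocate the status values rather than drop them. The 5000 structure also carries both `seq` and `sequence` with no comment telling them apart.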
@@ -680,13 +970,25 @@ struct iwn_beacon_missed {
        uint32_t        received;
 } __packed;
 
-/* structure for IWN_AMPDU_RX_DONE notification */
-struct iwn_rx_ampdu {
+/* Structure for IWN_MPDU_RX_DONE notification. */
+struct iwn_rx_mpdu {
        uint16_t        len;
        uint16_t        reserved;
 } __packed;
 
-/* structure for IWN_RX_DONE and IWN_AMPDU_RX_START notifications */
+/* Structures for IWN_RX_DONE and IWN_MPDU_RX_DONE notifications. */
+struct iwn4965_rx_phystat {
+       uint16_t        antenna;
+       uint16_t        agc;
+       uint8_t         rssi[6];
+} __packed;
+
+struct iwn5000_rx_phystat {
+       uint32_t        reserved1;
+       uint32_t        agc;
+       uint16_t        rssi[3];
+} __packed;
+
 struct iwn_rx_stat {
        uint8_t         phy_len;
        uint8_t         cfg_phy_len;
@@ -697,13 +999,10 @@ struct iwn_rx_stat {
        uint64_t        tstamp;
        uint32_t        beacon;
        uint16_t        flags;
-       uint16_t        chan;
-       uint16_t        antenna;
-       uint16_t        agc;
-       uint8_t         rssi[6];
-#define IWN_RSSI_TO_DBM        44
+#define IWN_STAT_FLAG_SHPREAMBLE       (1 << 2)
 
-       uint8_t         reserved2[22];
+       uint16_t        chan;
+       uint8_t         phybuf[32];
        uint8_t         rate;
        uint8_t         rflags;
        uint16_t        xrflags;
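Review bot: `uint8_t phybuf[32];` now stands in for the per-chip PHY fields, so the RX path presumably overlays `struct iwn4965_rx_phystat` or `struct iwn5000_rx_phystat` (added in the previous hunk) on it, yet nothing ties their sizes to the 32-byte buffer. A build-time assertion that each phystat structure is no larger than `sizeof(((struct iwn_rx_stat *)0)->phybuf)` would catch a later layout change before it becomes an out-of-bounds read. A comment on the field would also help: `/* chip-specific: struct iwn4965_rx_phystat or struct iwn5000_rx_phystat */`. `struct iwn_rx_stat` starts and ends outside this hunk.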
@@ -711,7 +1010,9 @@ struct iwn_rx_stat {
        uint16_t        reserve3;
 } __packed;
 
-/* structure for IWN_START_SCAN notification */
+#define IWN_RSSI_TO_DBM        44
+
+/* Structure for IWN_START_SCAN notification. */
 struct iwn_start_scan {
        uint64_t        tstamp;
        uint32_t        tbeacon;
@@ -721,7 +1022,7 @@ struct iwn_start_scan {
        uint32_t        status;
 } __packed;
 
-/* structure for IWN_STOP_SCAN notification */
+/* Structure for IWN_STOP_SCAN notification. */
 struct iwn_stop_scan {
        uint8_t         nchan;
        uint8_t         status;
@@ -730,7 +1031,39 @@ struct iwn_stop_scan {
        uint64_t        tsf;
 } __packed;
 
-/* structure for IWN_{RX,BEACON}_STATISTICS notification */
+/* Structure for IWN_SPECTRUM_MEASUREMENT notification. */
+struct iwn_spectrum_notif {
+       uint8_t         id;
+       uint8_t         token;
+       uint8_t         idx;
+       uint8_t         state;
+#define IWN_MEASUREMENT_START  0
+#define IWN_MEASUREMENT_STOP   1
+
+       uint32_t        start;
+       uint8_t         band;
+       uint8_t         chan;
+       uint8_t         type;
+       uint8_t         reserved1;
+       uint32_t        cca_ofdm;
+       uint32_t        cca_cck;
+       uint32_t        cca_time;
+       uint8_t         basic;
+       uint8_t         reserved2[3];
+       uint32_t        ofdm[8];
+       uint32_t        cck[8];
+       uint32_t        stop;
+       uint32_t        status;
+#define IWN_MEASUREMENT_OK             0
+#define IWN_MEASUREMENT_CONCURRENT     1
+#define IWN_MEASUREMENT_CSA_CONFLICT   2
+#define IWN_MEASUREMENT_TGH_CONFLICT   3
+#define IWN_MEASUREMENT_STOPPED                6
+#define IWN_MEASUREMENT_TIMEOUT                7
+#define IWN_MEASUREMENT_FAILED         8
+} __packed;
+
+/* Structure for IWN_{RX,BEACON}_STATISTICS notification. */
 struct iwn_rx_phy_stats {
        uint32_t        ina;
        uint32_t        fina;
@@ -847,7 +1180,20 @@ struct iwn_stats {
 } __packed;
 
 
-/* firmware image header */
+/* Firmware error dump. */
+struct iwn_fw_dump {
+       uint32_t        valid;
+       uint32_t        id;
+       uint32_t        pc;
+       uint32_t        branch_link[2];
+       uint32_t        interrupt_link[2];
+       uint32_t        error_data[2];
+       uint32_t        src_line;
+       uint32_t        tsf;
+       uint32_t        time[2];
+} __packed;
+
+/* Firmware image file header. */
 struct iwn_firmware_hdr {
        uint32_t        version;
        uint32_t        main_textsz;
@@ -857,28 +1203,51 @@ struct iwn_firmware_hdr {
        uint32_t        boot_textsz;
 } __packed;
 
-#define IWN_FW_MAIN_TEXT_MAXSZ (96 * 1024)
-#define IWN_FW_MAIN_DATA_MAXSZ (40 * 1024)
-#define IWN_FW_INIT_TEXT_MAXSZ (96 * 1024)
-#define IWN_FW_INIT_DATA_MAXSZ (40 * 1024)
+#define IWN4965_FW_TEXT_MAXSZ  ( 96 * 1024)
+#define IWN4965_FW_DATA_MAXSZ  ( 40 * 1024)
+#define IWN5000_FW_TEXT_MAXSZ  (128 * 1024)
+#define IWN5000_FW_DATA_MAXSZ  ( 48 * 1024)
 #define IWN_FW_BOOT_TEXT_MAXSZ 1024
-
+#define IWN4965_FWSZ           (IWN4965_FW_TEXT_MAXSZ + IWN4965_FW_DATA_MAXSZ)
+#define IWN5000_FWSZ           IWN5000_FW_TEXT_MAXSZ
 
 /*
  * Offsets into EEPROM.
  */
 #define IWN_EEPROM_MAC         0x015
-#define IWN_EEPROM_DOMAIN      0x060
-#define IWN_EEPROM_BAND1       0x063
-#define IWN_EEPROM_BAND2       0x072
-#define IWN_EEPROM_BAND3       0x080
-#define IWN_EEPROM_BAND4       0x08d
-#define IWN_EEPROM_BAND5       0x099
-#define IWN_EEPROM_BAND6       0x0a0
-#define IWN_EEPROM_BAND7       0x0a8
-#define IWN_EEPROM_MAXPOW      0x0e8
-#define IWN_EEPROM_VOLTAGE     0x0e9
-#define IWN_EEPROM_BANDS       0x0ea
+#define IWN_EEPROM_RFCFG       0x048
+#define IWN4965_EEPROM_DOMAIN  0x060
+#define IWN4965_EEPROM_BAND1   0x063
+#define IWN5000_EEPROM_REG     0x066
+#define IWN5000_EEPROM_CAL     0x067
+#define IWN4965_EEPROM_BAND2   0x072
+#define IWN4965_EEPROM_BAND3   0x080
+#define IWN4965_EEPROM_BAND4   0x08d
+#define IWN4965_EEPROM_BAND5   0x099
+#define IWN4965_EEPROM_BAND6   0x0a0
+#define IWN4965_EEPROM_BAND7   0x0a8
+#define IWN4965_EEPROM_MAXPOW  0x0e8
+#define IWN4965_EEPROM_VOLTAGE 0x0e9
+#define IWN4965_EEPROM_BANDS   0x0ea
+/* Indirect offsets. */
+#define IWN5000_EEPROM_DOMAIN  0x001
+#define IWN5000_EEPROM_BAND1   0x004
+#define IWN5000_EEPROM_BAND2   0x013
+#define IWN5000_EEPROM_BAND3   0x021
+#define IWN5000_EEPROM_BAND4   0x02e
+#define IWN5000_EEPROM_BAND5   0x03a
+#define IWN5000_EEPROM_BAND6   0x041
+#define IWN5000_EEPROM_BAND7   0x049
+#define IWN5000_EEPROM_CRYSTAL 0x128
+#define IWN5000_EEPROM_TEMP    0x12a
+#define IWN5000_EEPROM_VOLT    0x12b
+
+/* Possible flags for IWN_EEPROM_RFCFG. */
+#define IWN_RFCFG_TYPE(x)      (((x) >>  0) & 0x3)
+#define IWN_RFCFG_STEP(x)      (((x) >>  2) & 0x3)
+#define IWN_RFCFG_DASH(x)      (((x) >>  4) & 0x3)
+#define IWN_RFCFG_TXANTMSK(x)  (((x) >>  8) & 0xf)
+#define IWN_RFCFG_RXANTMSK(x)  (((x) >> 12) & 0xf)
 
 struct iwn_eeprom_chan {
        uint8_t flags;
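Review bot: `IWN5000_FWSZ` is defined as `IWN5000_FW_TEXT_MAXSZ` alone while `IWN4965_FWSZ` is text plus data, and no comment explains the difference. If the 5000 path stages one section at a time in a buffer of this size, that is fine, but it should be stated, e.g. `/* 5000: sections are loaded one at a time; text is the largest */`, once confirmed against the loader, which is outside this hunk. The `*sz` fields of `struct iwn_firmware_hdr` come from the firmware file. The loader should therefore compare each of them with the per-chip `*_MAXSZ` value, and their sum with the file length, before copying anything into the DMA buffer. The `/* Indirect offsets. */` comment would also be clearer if it named the base they are relative to.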
@@ -891,125 +1260,285 @@ struct iwn_eeprom_chan {
 } __packed;
 
 #define IWN_NSAMPLES   3
-struct iwn_eeprom_chan_samples {
+struct iwn4965_eeprom_chan_samples {
        uint8_t num;
        struct {
                uint8_t temp;
                uint8_t gain;
                uint8_t power;
                int8_t  pa_det;
-       }       samples[IWN_NTXCHAINS][IWN_NSAMPLES];
+       }       samples[2][IWN_NSAMPLES];
 } __packed;
 
 #define IWN_NBANDS     8
-struct iwn_eeprom_band {
+struct iwn4965_eeprom_band {
        uint8_t lo;     /* low channel number */
        uint8_t hi;     /* high channel number */
-       struct  iwn_eeprom_chan_samples chans[2];
+       struct  iwn4965_eeprom_chan_samples chans[2];
 } __packed;
 
+/*
+ * Offsets of channels descriptions in EEPROM.
+ */
+static const uint32_t iwn4965_regulatory_bands[IWN_NBANDS] = {
+       IWN4965_EEPROM_BAND1,
+       IWN4965_EEPROM_BAND2,
+       IWN4965_EEPROM_BAND3,
+       IWN4965_EEPROM_BAND4,
+       IWN4965_EEPROM_BAND5,
+       IWN4965_EEPROM_BAND6,
+       IWN4965_EEPROM_BAND7
+};
+
+static const uint32_t iwn5000_regulatory_bands[IWN_NBANDS] = {
+       IWN5000_EEPROM_BAND1,
+       IWN5000_EEPROM_BAND2,
+       IWN5000_EEPROM_BAND3,
+       IWN5000_EEPROM_BAND4,
+       IWN5000_EEPROM_BAND5,
+       IWN5000_EEPROM_BAND6,
+       IWN5000_EEPROM_BAND7
+};
+
 #define IWN_CHAN_BANDS_COUNT    7
 #define IWN_MAX_CHAN_PER_BAND  14
 static const struct iwn_chan_band {
-       uint32_t        addr;   /* offset in EEPROM */
-       uint8_t         nchan;
-       uint8_t         chan[IWN_MAX_CHAN_PER_BAND];
+       uint8_t nchan;
+       uint8_t chan[IWN_MAX_CHAN_PER_BAND];
 } iwn_bands[] = {
-       { IWN_EEPROM_BAND1, 14,
-         { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 } },
-       { IWN_EEPROM_BAND2, 13,
-         { 183, 184, 185, 187, 188, 189, 192, 196, 7, 8, 11, 12, 16 } },
-       { IWN_EEPROM_BAND3, 12,
-         { 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64 } },
-       { IWN_EEPROM_BAND4, 11,
-         { 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140 } },
-       { IWN_EEPROM_BAND5, 6,
-         { 145, 149, 153, 157, 161, 165 } },
-       { IWN_EEPROM_BAND6, 7,
-         { 1, 2, 3, 4, 5, 6, 7 } },
-       { IWN_EEPROM_BAND7, 11,
-         { 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157 } }
-};
-
-static const uint8_t iwn_ridx_to_plcp[] = {
-       10, 20, 55, 110, /* CCK */
-               0xd, 0xf, 0x5, 0x7, 0x9, 0xb, 0x1, 0x3, 0x3 /* OFDM R1-R4 */
-};
-
-/* allow fallback from CCK11 to OFDM9 and from OFDM6 to CCK5 */
-static const uint8_t iwn_prev_ridx[] = {
-       0, 0, 1, 5, /* CCK */
-               2, 4, 3, 6, 7, 8, 9, 10, 10 /* OFDM */
+       /* 20MHz channels, 2GHz band. */
+       { 14, { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 } },
+       /* 20MHz channels, 5GHz band. */
+       { 13, { 183, 184, 185, 187, 188, 189, 192, 196, 7, 8, 11, 12, 16 } },
+       { 12, { 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 60, 64 } },
+       { 11, { 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140 } },
+       {  6, { 145, 149, 153, 157, 161, 165 } },
+       /* 40MHz channels (primary channels), 2GHz band. */
+       {  7, { 1, 2, 3, 4, 5, 6, 7 } },
+       /* 40MHz channels (primary channels), 5GHz band. */
+       { 11, { 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157 } }
+};
+
+/* HW rate indices. */
+#define IWN_RIDX_CCK1  0
+#define IWN_RIDX_OFDM6 4
+
+static const struct iwn_rate {
+       uint8_t rate;
+       uint8_t plcp;
+       uint8_t flags;
+} iwn_rates[IWN_RIDX_MAX + 1] = {
+       {   2,  10, IWN_RFLAG_CCK },
+       {   4,  20, IWN_RFLAG_CCK },
+       {  11,  55, IWN_RFLAG_CCK },
+       {  22, 110, IWN_RFLAG_CCK },
+       {  12, 0xd, 0 },
+       {  18, 0xf, 0 },
+       {  24, 0x5, 0 },
+       {  36, 0x7, 0 },
+       {  48, 0x9, 0 },
+       {  72, 0xb, 0 },
+       {  96, 0x1, 0 },
+       { 108, 0x3, 0 },
+       { 120, 0x3, 0 }
 };
 
-#define IWN_MAX_PWR_INDEX      107
+#define IWN4965_MAX_PWR_INDEX  107
 
 /*
  * RF Tx gain values from highest to lowest power (values obtained from
  * the reference driver.)
  */
-static const uint8_t iwn_rf_gain_2ghz[IWN_MAX_PWR_INDEX + 1] = {
+static const uint8_t iwn4965_rf_gain_2ghz[IWN4965_MAX_PWR_INDEX + 1] = {
        0x3f, 0x3f, 0x3f, 0x3e, 0x3e, 0x3e, 0x3d, 0x3d, 0x3d, 0x3c, 0x3c,
-               0x3c, 0x3b, 0x3b, 0x3b, 0x3a, 0x3a, 0x3a, 0x39, 0x39, 0x39, 
0x38,
-               0x38, 0x38, 0x37, 0x37, 0x37, 0x36, 0x36, 0x36, 0x35, 0x35, 
0x35,
-               0x34, 0x34, 0x34, 0x33, 0x33, 0x33, 0x32, 0x32, 0x32, 0x31, 
0x31,
-               0x31, 0x30, 0x30, 0x30, 0x06, 0x06, 0x06, 0x05, 0x05, 0x05, 
0x04,
-               0x04, 0x04, 0x03, 0x03, 0x03, 0x02, 0x02, 0x02, 0x01, 0x01, 
0x01,
-               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00,
-               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00,
-               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00,
-               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+       0x3c, 0x3b, 0x3b, 0x3b, 0x3a, 0x3a, 0x3a, 0x39, 0x39, 0x39, 0x38,
+       0x38, 0x38, 0x37, 0x37, 0x37, 0x36, 0x36, 0x36, 0x35, 0x35, 0x35,
+       0x34, 0x34, 0x34, 0x33, 0x33, 0x33, 0x32, 0x32, 0x32, 0x31, 0x31,
+       0x31, 0x30, 0x30, 0x30, 0x06, 0x06, 0x06, 0x05, 0x05, 0x05, 0x04,
+       0x04, 0x04, 0x03, 0x03, 0x03, 0x02, 0x02, 0x02, 0x01, 0x01, 0x01,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
-static const uint8_t iwn_rf_gain_5ghz[IWN_MAX_PWR_INDEX + 1] = {
+static const uint8_t iwn4965_rf_gain_5ghz[IWN4965_MAX_PWR_INDEX + 1] = {
        0x3f, 0x3f, 0x3f, 0x3f, 0x3f, 0x3e, 0x3e, 0x3e, 0x3d, 0x3d, 0x3d,
-               0x3c, 0x3c, 0x3c, 0x3b, 0x3b, 0x3b, 0x3a, 0x3a, 0x3a, 0x39, 
0x39,
-               0x39, 0x38, 0x38, 0x38, 0x37, 0x37, 0x37, 0x36, 0x36, 0x36, 
0x35,
-               0x35, 0x35, 0x34, 0x34, 0x34, 0x33, 0x33, 0x33, 0x32, 0x32, 
0x32,
-               0x31, 0x31, 0x31, 0x30, 0x30, 0x30, 0x25, 0x25, 0x25, 0x24, 
0x24,
-               0x24, 0x23, 0x23, 0x23, 0x22, 0x18, 0x18, 0x17, 0x17, 0x17, 
0x16,
-               0x16, 0x16, 0x15, 0x15, 0x15, 0x14, 0x14, 0x14, 0x13, 0x13, 
0x13,
-               0x12, 0x08, 0x08, 0x07, 0x07, 0x07, 0x06, 0x06, 0x06, 0x05, 
0x05,
-               0x05, 0x04, 0x04, 0x04, 0x03, 0x03, 0x03, 0x02, 0x02, 0x02, 
0x01,
-               0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+       0x3c, 0x3c, 0x3c, 0x3b, 0x3b, 0x3b, 0x3a, 0x3a, 0x3a, 0x39, 0x39,
+       0x39, 0x38, 0x38, 0x38, 0x37, 0x37, 0x37, 0x36, 0x36, 0x36, 0x35,
+       0x35, 0x35, 0x34, 0x34, 0x34, 0x33, 0x33, 0x33, 0x32, 0x32, 0x32,
+       0x31, 0x31, 0x31, 0x30, 0x30, 0x30, 0x25, 0x25, 0x25, 0x24, 0x24,
+       0x24, 0x23, 0x23, 0x23, 0x22, 0x18, 0x18, 0x17, 0x17, 0x17, 0x16,
+       0x16, 0x16, 0x15, 0x15, 0x15, 0x14, 0x14, 0x14, 0x13, 0x13, 0x13,
+       0x12, 0x08, 0x08, 0x07, 0x07, 0x07, 0x06, 0x06, 0x06, 0x05, 0x05,
+       0x05, 0x04, 0x04, 0x04, 0x03, 0x03, 0x03, 0x02, 0x02, 0x02, 0x01,
+       0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
 /*
  * DSP pre-DAC gain values from highest to lowest power (values obtained
  * from the reference driver.)
  */
-static const uint8_t iwn_dsp_gain_2ghz[IWN_MAX_PWR_INDEX + 1] = {
+static const uint8_t iwn4965_dsp_gain_2ghz[IWN4965_MAX_PWR_INDEX + 1] = {
+       0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68,
+       0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e,
+       0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62,
        0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68,
-               0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 
0x6e,
-               0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 
0x62,
-               0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 
0x68,
-               0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 
0x6e,
-               0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 
0x62,
-               0x6e, 0x68, 0x62, 0x61, 0x60, 0x5f, 0x5e, 0x5d, 0x5c, 0x5b, 
0x5a,
-               0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 
0x4f,
-               0x4e, 0x4d, 0x4c, 0x4b, 0x4a, 0x49, 0x48, 0x47, 0x46, 0x45, 
0x44,
-               0x43, 0x42, 0x41, 0x40, 0x3f, 0x3e, 0x3d, 0x3c, 0x3b
+       0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e,
+       0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62,
+       0x6e, 0x68, 0x62, 0x61, 0x60, 0x5f, 0x5e, 0x5d, 0x5c, 0x5b, 0x5a,
+       0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4f,
+       0x4e, 0x4d, 0x4c, 0x4b, 0x4a, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44,
+       0x43, 0x42, 0x41, 0x40, 0x3f, 0x3e, 0x3d, 0x3c, 0x3b
 };
 
-static const uint8_t iwn_dsp_gain_5ghz[IWN_MAX_PWR_INDEX + 1] = {
+static const uint8_t iwn4965_dsp_gain_5ghz[IWN4965_MAX_PWR_INDEX + 1] = {
        0x7b, 0x75, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62,
-               0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 
0x68,
-               0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 
0x6e,
-               0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 
0x62,
-               0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 
0x68,
-               0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 
0x6e,
-               0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 
0x62,
-               0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 
0x68,
-               0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 
0x6e,
-               0x68, 0x62, 0x6e, 0x68, 0x62, 0x5d, 0x58, 0x53, 0x4e
+       0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68,
+       0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e,
+       0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62,
+       0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68,
+       0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e,
+       0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62,
+       0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68,
+       0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e, 0x68, 0x62, 0x6e,
+       0x68, 0x62, 0x6e, 0x68, 0x62, 0x5d, 0x58, 0x53, 0x4e
+};
+
+/*
+ * Power saving settings (values obtained from the reference driver.)
+ */
+#define IWN_NDTIMRANGES                3
+#define IWN_NPOWERLEVELS       6
+static const struct iwn_pmgt {
+       uint32_t        rxtimeout;
+       uint32_t        txtimeout;
+       uint32_t        intval[5];
+       int             skip_dtim;
+} iwn_pmgt[IWN_NDTIMRANGES][IWN_NPOWERLEVELS] = {
+       /* DTIM <= 2 */
+       {
+       {   0,   0, {  0,  0,  0,  0,  0 }, 0 },        /* CAM */
+       { 200, 500, {  1,  2,  2,  2, -1 }, 0 },        /* PS level 1 */
+       { 200, 300, {  1,  2,  2,  2, -1 }, 0 },        /* PS level 2 */
+       {  50, 100, {  2,  2,  2,  2, -1 }, 0 },        /* PS level 3 */
+       {  50,  25, {  2,  2,  4,  4, -1 }, 1 },        /* PS level 4 */
+       {  25,  25, {  2,  2,  4,  6, -1 }, 2 }         /* PS level 5 */
+       },
+       /* 3 <= DTIM <= 10 */
+       {
+       {   0,   0, {  0,  0,  0,  0,  0 }, 0 },        /* CAM */
+       { 200, 500, {  1,  2,  3,  4,  4 }, 0 },        /* PS level 1 */
+       { 200, 300, {  1,  2,  3,  4,  7 }, 0 },        /* PS level 2 */
+       {  50, 100, {  2,  4,  6,  7,  9 }, 0 },        /* PS level 3 */
+       {  50,  25, {  2,  4,  6,  9, 10 }, 1 },        /* PS level 4 */
+       {  25,  25, {  2,  4,  7, 10, 10 }, 2 }         /* PS level 5 */
+       },
+       /* DTIM >= 11 */
+       {
+       {   0,   0, {  0,  0,  0,  0,  0 }, 0 },        /* CAM */
+       { 200, 500, {  1,  2,  3,  4, -1 }, 0 },        /* PS level 1 */
+       { 200, 300, {  2,  4,  6,  7, -1 }, 0 },        /* PS level 2 */
+       {  50, 100, {  2,  7,  9,  9, -1 }, 0 },        /* PS level 3 */
+       {  50,  25, {  2,  7,  9,  9, -1 }, 0 },        /* PS level 4 */
+       {  25,  25, {  4,  7, 10, 10, -1 }, 0 }         /* PS level 5 */
+       }
+};
+
+struct iwn_sensitivity_limits {
+       uint32_t        min_ofdm_x1;
+       uint32_t        max_ofdm_x1;
+       uint32_t        min_ofdm_mrc_x1;
+       uint32_t        max_ofdm_mrc_x1;
+       uint32_t        min_ofdm_x4;
+       uint32_t        max_ofdm_x4;
+       uint32_t        min_ofdm_mrc_x4;
+       uint32_t        max_ofdm_mrc_x4;
+       uint32_t        min_cck_x4;
+       uint32_t        max_cck_x4;
+       uint32_t        min_cck_mrc_x4;
+       uint32_t        max_cck_mrc_x4;
+       uint32_t        min_energy_cck;
+       uint32_t        energy_cck;
+       uint32_t        energy_ofdm;
 };
 
+/*
+ * RX sensitivity limits (values obtained from the reference driver.)
+ */
+static const struct iwn_sensitivity_limits iwn4965_sensitivity_limits = {
+       105, 140,
+       170, 210,
+        85, 120,
+       170, 210,
+       125, 200,
+       200, 400,
+        97,
+       100,
+       100
+};
+
+static const struct iwn_sensitivity_limits iwn5000_sensitivity_limits = {
+       120, 155,
+       240, 290,
+        90, 120,
+       170, 210,
+       125, 200,
+       170, 400,
+        95,
+        95,
+        95
+};
+
+/* Map TID to TX scheduler's FIFO. */
+static const uint8_t iwn_tid2fifo[] = {
+       1, 0, 0, 1, 2, 2, 3, 3, 7, 7, 7, 7, 7, 7, 7, 7, 3
+};
+
+/* Firmware errors. */
+static const char * const iwn_fw_errmsg[] = {
+       "OK",
+       "FAIL",
+       "BAD_PARAM",
+       "BAD_CHECKSUM",
+       "NMI_INTERRUPT_WDG",
+       "SYSASSERT",
+       "FATAL_ERROR",
+       "BAD_COMMAND",
+       "HW_ERROR_TUNE_LOCK",
+       "HW_ERROR_TEMPERATURE",
+       "ILLEGAL_CHAN_FREQ",
+       "VCC_NOT_STABLE",
+       "FH_ERROR",
+       "NMI_INTERRUPT_HOST",
+       "NMI_INTERRUPT_ACTION_PT",
+       "NMI_INTERRUPT_UNKNOWN",
+       "UCODE_VERSION_MISMATCH",
+       "HW_ERROR_ABS_LOCK",
+       "HW_ERROR_CAL_LOCK_FAIL",
+       "NMI_INTERRUPT_INST_ACTION_PT",
+       "NMI_INTERRUPT_DATA_ACTION_PT",
+       "NMI_TRM_HW_ER",
+       "NMI_INTERRUPT_TRM",
+       "NMI_INTERRUPT_BREAKPOINT"
+       "DEBUG_0",
+       "DEBUG_1",
+       "DEBUG_2",
+       "DEBUG_3",
+       "UNKNOWN"
+};
+
+/* Find least significant bit that is set. */
+#define IWN_LSB(x)     ((((x) - 1) & (x)) ^ (x))
+
 #define IWN_READ(sc, reg)                                              \
        bus_space_read_4((sc)->sc_st, (sc)->sc_sh, (reg))
 
 #define IWN_WRITE(sc, reg, val)                                                \
        bus_space_write_4((sc)->sc_st, (sc)->sc_sh, (reg), (val))
 
-#define IWN_WRITE_REGION_4(sc, offset, datap, count)                   \
-       bus_space_write_region_4((sc)->sc_st, (sc)->sc_sh, (offset),    \
-           (datap), (count))
+#define IWN_SETBITS(sc, reg, mask)                                     \
+       IWN_WRITE(sc, reg, IWN_READ(sc, reg) | (mask))
+
+#define IWN_CLRBITS(sc, reg, mask)                                     \
+       IWN_WRITE(sc, reg, IWN_READ(sc, reg) & ~(mask))
Index: if_iwnvar.h
===================================================================
RCS file: /cvsroot/src/sys/dev/pci/if_iwnvar.h,v
retrieving revision 1.4
diff -u -p -u -r1.4 if_iwnvar.h
--- if_iwnvar.h 18 Aug 2008 21:19:22 -0000      1.4
+++ if_iwnvar.h 19 Mar 2009 19:54:00 -0000
@@ -1,8 +1,7 @@
-/*     $NetBSD: if_iwnvar.h,v 1.4 2008/08/18 21:19:22 cube Exp $       */
-/*     OpenBSD: if_iwnvar.h,v 1.2 2007/11/19 19:34:25 damien Exp       */
+/*     $OpenBSD: if_iwnvar.h,v 1.8 2008/12/03 17:17:08 damien Exp $    */
 
 /*-
- * Copyright (c) 2007
+ * Copyright (c) 2007, 2008
  *     Damien Bergamini <damien.bergamini%free.fr@localhost>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -31,11 +30,11 @@ struct iwn_rx_radiotap_header {
 
 #define IWN_RX_RADIOTAP_PRESENT                                                \
        ((1 << IEEE80211_RADIOTAP_TSFT) |                               \
-           (1 << IEEE80211_RADIOTAP_FLAGS) |                           \
-           (1 << IEEE80211_RADIOTAP_RATE) |                            \
-           (1 << IEEE80211_RADIOTAP_CHANNEL) |                         \
-           (1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL) |                   \
-           (1 << IEEE80211_RADIOTAP_DBM_ANTNOISE))
+        (1 << IEEE80211_RADIOTAP_FLAGS) |                              \
+        (1 << IEEE80211_RADIOTAP_RATE) |                               \
+        (1 << IEEE80211_RADIOTAP_CHANNEL) |                            \
+        (1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL) |                      \
+        (1 << IEEE80211_RADIOTAP_DBM_ANTNOISE))
 
 struct iwn_tx_radiotap_header {
        struct ieee80211_radiotap_header wt_ihdr;
@@ -46,10 +45,10 @@ struct iwn_tx_radiotap_header {
        uint8_t         wt_hwqueue;
 } __packed;
 
-#define IWN_TX_RADIOTAP_PRESENT                                                \
-       ((1 << IEEE80211_RADIOTAP_FLAGS) |                              \
-           (1 << IEEE80211_RADIOTAP_RATE) |                            \
-           (1 << IEEE80211_RADIOTAP_CHANNEL))
+#define IWN_TX_RADIOTAP_PRESENT                                      \
+        ((1 << IEEE80211_RADIOTAP_FLAGS) |                           \
+        (1 << IEEE80211_RADIOTAP_RATE) |                            \
+        (1 << IEEE80211_RADIOTAP_CHANNEL))
 
 struct iwn_dma_info {
        bus_dma_tag_t           tag;
@@ -62,6 +61,8 @@ struct iwn_dma_info {
 
 struct iwn_tx_data {
        bus_dmamap_t            map;
+       bus_addr_t              cmd_paddr;
+       bus_addr_t              scratch_paddr;
        struct mbuf             *m;
        struct ieee80211_node   *ni;
 };
@@ -71,7 +72,7 @@ struct iwn_tx_ring {
        struct iwn_dma_info     cmd_dma;
        struct iwn_tx_desc      *desc;
        struct iwn_tx_cmd       *cmd;
-       struct iwn_tx_data      *data;
+       struct iwn_tx_data      data[IWN_TX_RING_COUNT];
        int                     qid;
        int                     queued;
        int                     count;
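Review bot: With `data` now a fixed `data[IWN_TX_RING_COUNT]` array while the ring keeps its runtime `count` field, nothing in the declaration ties the two together, so any loop or index bounded by `ring->count` relies on an unstated invariant. I would add `/* fixed-size; count must never exceed IWN_TX_RING_COUNT */` on the `data[]` line and, wherever `count` is assigned, a `KASSERT(ring->count <= IWN_TX_RING_COUNT);`. Code that previously allocated or freed `ring->data` also has to be dropped, which this hunk does not show. struct iwn_tx_ring starts and ends outside the hunk.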
@@ -95,12 +96,14 @@ struct iwn_rx_data {
 
 struct iwn_rx_ring {
        struct iwn_dma_info     desc_dma;
+       struct iwn_dma_info     stat_dma;
        struct iwn_dma_info     buf_dma;
        uint32_t                *desc;
+       struct iwn_rx_status    *stat;
        struct iwn_rx_data      data[IWN_RX_RING_COUNT];
        struct iwn_rbuf         rbuf[IWN_RBUF_COUNT];
+       kmutex_t                freelist_mtx;
        SLIST_HEAD(, iwn_rbuf)  freelist;
-       kmutex_t                freelist_mtx;
        int                     nb_free_entries;
        int                     cur;
 };
@@ -108,6 +111,9 @@ struct iwn_rx_ring {
 struct iwn_node {
        struct  ieee80211_node          ni;     /* must be the first */
        struct  ieee80211_amrr_node     amn;
+       uint16_t                        disable_tid;
+       uint8_t                         id;
+       uint8_t                         ridx[IEEE80211_RATE_MAXSIZE];
 };
 
 struct iwn_calib_state {
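Review bot: The three fields added to struct iwn_node carry no comments, and `ridx[IEEE80211_RATE_MAXSIZE]` is only safe if whatever indexes it stays below that bound. The hunk does not show the users, so the meanings here are presumed: a comment such as `/* node index in the firmware's station table */` on `id` and `/* per-rate index into the driver rate table; index < IEEE80211_RATE_MAXSIZE */` on `ridx` should be adjusted to what if_iwn.c actually stores. `disable_tid` likewise needs a line saying whether it is a bitmask of TIDs.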
@@ -119,12 +125,12 @@ struct iwn_calib_state {
        u_int           nbeacons;
        uint32_t        noise[3];
        uint32_t        rssi[3];
-       uint32_t        corr_ofdm_x1;
-       uint32_t        corr_ofdm_mrc_x1;
-       uint32_t        corr_ofdm_x4;
-       uint32_t        corr_ofdm_mrc_x4;
-       uint32_t        corr_cck_x4;
-       uint32_t        corr_cck_mrc_x4;
+       uint32_t        ofdm_x1;
+       uint32_t        ofdm_mrc_x1;
+       uint32_t        ofdm_x4;
+       uint32_t        ofdm_mrc_x4;
+       uint32_t        cck_x4;
+       uint32_t        cck_mrc_x4;
        uint32_t        bad_plcp_ofdm;
        uint32_t        fa_ofdm;
        uint32_t        bad_plcp_cck;
@@ -143,29 +149,92 @@ struct iwn_calib_state {
        uint32_t        energy_cck;
 };
 
+struct iwn_calib_info {
+       uint8_t         *buf;
+       u_int           len;
+};
+
+struct iwn_fw_part {
+       const uint8_t   *text;
+       uint32_t        textsz;
+       const uint8_t   *data;
+       uint32_t        datasz;
+};
+
+struct iwn_fw_info {
+       u_char                  *data;
+       struct iwn_fw_part      init;
+       struct iwn_fw_part      main;
+       struct iwn_fw_part      boot;
+};
+
+struct iwn_hal {
+       int             (*load_firmware)(struct iwn_softc *);
+       void            (*read_eeprom)(struct iwn_softc *);
+       int             (*post_alive)(struct iwn_softc *);
+       int             (*apm_init)(struct iwn_softc *);
+       int             (*nic_config)(struct iwn_softc *);
+       void            (*update_sched)(struct iwn_softc *, int, int, uint8_t,
+                           uint16_t);
+       int             (*get_temperature)(struct iwn_softc *);
+       int             (*get_rssi)(const struct iwn_rx_stat *);
+       int             (*set_txpower)(struct iwn_softc *, int);
+       int             (*init_gains)(struct iwn_softc *);
+       int             (*set_gains)(struct iwn_softc *);
+       int             (*add_node)(struct iwn_softc *, struct iwn_node_info *,
+                           int);
+       void            (*tx_done)(struct iwn_softc *, struct iwn_rx_desc *);
+#if 0
+       void            (*ampdu_tx_start)(struct iwn_softc *,
+                           struct ieee80211_node *, uint8_t, uint16_t);
+       void            (*ampdu_tx_stop)(struct iwn_softc *, uint8_t,
+                           uint16_t);
+#endif
+       const struct    iwn_sensitivity_limits *limits;
+       int             ntxqs;
+       uint8_t         broadcast_id;
+       int             rxonsz;
+       int             schedsz;
+       uint32_t        fw_text_maxsz;
+       uint32_t        fw_data_maxsz;
+       uint32_t        fwsz;
+       bus_size_t      sched_txfact_addr;
+};
+
 struct iwn_softc {
-       device_t                        sc_dev;
-       struct ethercom         sc_ec;
+       device_t                sc_dev;
+
+       struct ethercom         sc_ec;
        struct ieee80211com     sc_ic;
        int                     (*sc_newstate)(struct ieee80211com *,
-           enum ieee80211_state, int);
+                                   enum ieee80211_state, int);
 
        struct ieee80211_amrr   amrr;
+       uint8_t                 fixed_ridx;
 
        bus_dma_tag_t           sc_dmat;
 
-       /* shared area */
-       struct iwn_dma_info     shared_dma;
-       struct iwn_shared       *shared;
+       u_int                   sc_flags;
+#define IWN_FLAG_HAS_5GHZ      (1 << 0)
+#define IWN_FLAG_FIRST_BOOT    (1 << 1)
+
+       uint8_t                 hw_type;
+       const struct iwn_hal    *sc_hal;
+       const char              *fwname;
+
+       /* TX scheduler rings. */
+       struct iwn_dma_info     sched_dma;
+       uint16_t                *sched;
+       uint32_t                sched_base;
 
-       /* "keep warm" page */
+       /* "Keep Warm" page. */
        struct iwn_dma_info     kw_dma;
 
-       /* firmware DMA transfer */
+       /* Firmware DMA transfer. */
        struct iwn_dma_info     fw_dma;
 
-       /* rings */
-       struct iwn_tx_ring      txq[IWN_NTXQUEUES];
+       /* TX/RX rings. */
+       struct iwn_tx_ring      txq[IWN5000_NTXQUEUES];
        struct iwn_rx_ring      rxq;
 
        bus_space_tag_t         sc_st;
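Review bot: `struct iwn_fw_part` stores raw pointer/size pairs (`text`/`textsz`, `data`/`datasz`) and `struct iwn_hal` carries `fw_text_maxsz`, `fw_data_maxsz` and `fwsz`, but nothing in these declarations states that the sizes are checked before the sections are copied for the `fw_dma` transfer. The sizes presumably come from the firmware file itself, so the header should record the contract, for example `/* sizes must be validated against hal->fw_text_maxsz / fw_data_maxsz and the image length before use */` above iwn_fw_part. Separately, `txq[]` is dimensioned by `IWN5000_NTXQUEUES` while the queue count in use is `sc_hal->ntxqs`; that is only safe if no HAL sets `ntxqs` above `IWN5000_NTXQUEUES`, which deserves a comment or an assertion at attach time. struct iwn_softc continues past the end of this hunk.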
@@ -174,27 +243,48 @@ struct iwn_softc {
        pci_chipset_tag_t       sc_pct;
        pcitag_t                sc_pcitag;
        bus_size_t              sc_sz;
+       int                     sc_cap_off;     /* PCIe Capabilities. */
 
-       struct callout calib_to;
+#if 0
+       struct ksensordev       sensordev;
+       struct ksensor          sensor;
+#endif
+       callout_t               calib_to;
        int                     calib_cnt;
        struct iwn_calib_state  calib;
 
+       struct iwn_fw_info      fw;
+       struct iwn_calib_info   calibcmd[5];
+       uint32_t                errptr;
+
        struct iwn_rx_stat      last_rx_stat;
        int                     last_rx_valid;
        struct iwn_ucode_info   ucode_info;
-       struct iwn_config       config;
+       struct iwn_rxon         rxon;
        uint32_t                rawtemp;
        int                     temp;
        int                     noise;
-       uint8_t                 antmsk;
+       uint32_t                qfullmsk;
 
-       struct iwn_eeprom_band  bands[IWN_NBANDS];
+       struct iwn4965_eeprom_band
+                               bands[IWN_NBANDS];
+       uint16_t                rfcfg;
+       char                    eeprom_domain[4];
+       uint32_t                eeprom_crystal;
        int16_t                 eeprom_voltage;
        int8_t                  maxpwr2GHz;
        int8_t                  maxpwr5GHz;
        int8_t                  maxpwr[IEEE80211_CHAN_MAX];
 
+       uint32_t                critical_temp;
+       uint8_t                 ntxchains;
+       uint8_t                 nrxchains;
+       uint8_t                 txantmsk;
+       uint8_t                 rxantmsk;
+       uint8_t                 antmsk;
+
        int                     sc_tx_timer;
+       void                    *powerhook;
 
 #if NBPFILTER > 0
        void *                  sc_drvbpf;
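Review bot: `calibcmd[5]` uses a bare 5 for what is presumably the number of saved calibration results, so the code that fills the array has no named bound to check an index against. A constant beside `struct iwn_calib_info`, e.g. `#define IWN_NCALIBCMDS 5` (name is only a suggestion) with `struct iwn_calib_info calibcmd[IWN_NCALIBCMDS];`, would let the storing code reject an out-of-range index. Each entry also holds a `buf` pointer with a `len`, and the header does not say who allocates or frees it; a one-line ownership comment would help. `eeprom_domain[4]` should likewise say whether it is NUL-terminated before anything prints it with `%s`. struct iwn_softc starts before and ends after this hunk.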
@@ -213,6 +303,6 @@ struct iwn_softc {
 #define sc_txtap       sc_txtapu.th
        int                     sc_txtap_len;
 #endif
-
        bool            is_scanning;
+       bool            sc_radio;
 };

