Add mtw(4), a driver for MediaTek MT7601U wifi devices.

Ported from run(4) with legacy chipsets removed.
Not yet enabled in the build.

ok stsp@ jmatthew@

2 files changed, 3595 insertions, 0 deletions

diff --git a/sys/dev/usb/if_mtw.c b/sys/dev/usb/if_mtw.c
new file mode 100644
index 00000000000..f1693ae5dea
--- /dev/null
+++ b/sys/dev/usb/if_mtw.c
@@ -0,0 +1,3352 @@
+/*	$OpenBSD: if_mtw.c,v 1.1 2021/12/20 13:59:02 hastings Exp $	*/
+/*
+ * Copyright (c) 2008-2010 Damien Bergamini <damien.bergamini@free.fr>
+ * Copyright (c) 2013-2014 Kevin Lo
+ * Copyright (c) 2021 James Hastings
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * MediaTek MT7601U 802.11b/g/n WLAN.
+ */
+
+#include "bpfilter.h"
+
+#include <sys/param.h>
+#include <sys/sockio.h>
+#include <sys/mbuf.h>
+#include <sys/kernel.h>
+#include <sys/socket.h>
+#include <sys/systm.h>
+#include <sys/timeout.h>
+#include <sys/conf.h>
+#include <sys/device.h>
+#include <sys/endian.h>
+
+#include <machine/intr.h>
+
+#if NBPFILTER > 0
+#include <net/bpf.h>
+#endif
+#include <net/if.h>
+#include <net/if_dl.h>
+#include <net/if_media.h>
+
+#include <netinet/in.h>
+#include <netinet/if_ether.h>
+
+#include <net80211/ieee80211_var.h>
+#include <net80211/ieee80211_amrr.h>
+#include <net80211/ieee80211_ra.h>
+#include <net80211/ieee80211_radiotap.h>
+
+#include <dev/usb/usb.h>
+#include <dev/usb/usbdi.h>
+#include <dev/usb/usbdi_util.h>
+#include <dev/usb/usbdevs.h>
+
+#include <dev/ic/mtwreg.h>
+#include <dev/usb/if_mtwvar.h>
+
+#ifdef MTW_DEBUG
+#define DPRINTF(x)	do { if (mtw_debug) printf x; } while (0)
+#define DPRINTFN(n, x)	do { if (mtw_debug >= (n)) printf x; } while (0)
+int mtw_debug = 0;
+#else
+#define DPRINTF(x)
+#define DPRINTFN(n, x)
+#endif
+
+#define USB_ID(v, p)	{ USB_VENDOR_##v, USB_PRODUCT_##v##_##p }
+static const struct usb_devno mtw_devs[] = {
+	USB_ID(RALINK,		MT7601),
+};
+
+int		mtw_match(struct device *, void *, void *);
+void		mtw_attach(struct device *, struct device *, void *);
+int		mtw_detach(struct device *, int);
+void		mtw_attachhook(struct device *);
+int		mtw_alloc_rx_ring(struct mtw_softc *, int);
+void		mtw_free_rx_ring(struct mtw_softc *, int);
+int		mtw_alloc_tx_ring(struct mtw_softc *, int);
+void		mtw_free_tx_ring(struct mtw_softc *, int);
+int		mtw_alloc_mcu_ring(struct mtw_softc *);
+void		mtw_free_mcu_ring(struct mtw_softc *);
+int		mtw_ucode_write(struct mtw_softc *, const uint8_t *,
+		    uint32_t, uint32_t);
+void		mtw_ucode_setup(struct mtw_softc *);
+int		mtw_load_microcode(struct mtw_softc *);
+int		mtw_reset(struct mtw_softc *);
+int		mtw_read(struct mtw_softc *, uint16_t, uint32_t *);
+int		mtw_read_cfg(struct mtw_softc *, uint16_t, uint32_t *);
+int		mtw_read_region_1(struct mtw_softc *, uint16_t,
+		    uint8_t *, int);
+int		mtw_write_2(struct mtw_softc *, uint16_t, uint16_t);
+int		mtw_write(struct mtw_softc *, uint16_t, uint32_t);
+int		mtw_write_cfg(struct mtw_softc *, uint16_t, uint32_t);
+int		mtw_write_ivb(struct mtw_softc *, const uint8_t *, uint16_t);
+int		mtw_write_region_1(struct mtw_softc *, uint16_t,
+		    uint8_t *, int);
+int		mtw_set_region_4(struct mtw_softc *, uint16_t, uint32_t, int);
+int		mtw_efuse_read_2(struct mtw_softc *, uint16_t, uint16_t *);
+int		mtw_eeprom_read_2(struct mtw_softc *, uint16_t, uint16_t *);
+int		mtw_rf_read(struct mtw_softc *, uint8_t, uint8_t, uint8_t *);
+int		mtw_rf_write(struct mtw_softc *, uint8_t, uint8_t, uint8_t);
+int		mtw_bbp_read(struct mtw_softc *, uint8_t, uint8_t *);
+int		mtw_bbp_write(struct mtw_softc *, uint8_t, uint8_t);
+int		mtw_usb_dma_read(struct mtw_softc *, uint32_t *);
+int		mtw_usb_dma_write(struct mtw_softc *, uint32_t);
+int		mtw_mcu_calibrate(struct mtw_softc *, int, uint32_t);
+int		mtw_mcu_channel(struct mtw_softc *, uint32_t, uint32_t, uint32_t);
+int		mtw_mcu_radio(struct mtw_softc *, int, uint32_t);
+int		mtw_mcu_cmd(struct mtw_softc *, int, void *, int);
+const char *	mtw_get_rf(int);
+void		mtw_get_txpower(struct mtw_softc *);
+int		mtw_read_eeprom(struct mtw_softc *);
+struct		ieee80211_node *mtw_node_alloc(struct ieee80211com *);
+int		mtw_media_change(struct ifnet *);
+void		mtw_next_scan(void *);
+void		mtw_task(void *);
+void		mtw_do_async(struct mtw_softc *, void (*)(struct mtw_softc *,
+		    void *), void *, int);
+int		mtw_newstate(struct ieee80211com *, enum ieee80211_state, int);
+void		mtw_newstate_cb(struct mtw_softc *, void *);
+void		mtw_updateedca(struct ieee80211com *);
+void		mtw_updateedca_cb(struct mtw_softc *, void *);
+void		mtw_updateslot(struct ieee80211com *);
+void		mtw_updateslot_cb(struct mtw_softc *, void *);
+int		mtw_set_key(struct ieee80211com *, struct ieee80211_node *,
+		    struct ieee80211_key *);
+void		mtw_set_key_cb(struct mtw_softc *, void *);
+void		mtw_delete_key(struct ieee80211com *, struct ieee80211_node *,
+		    struct ieee80211_key *);
+void		mtw_delete_key_cb(struct mtw_softc *, void *);
+void		mtw_calibrate_to(void *);
+void		mtw_calibrate_cb(struct mtw_softc *, void *);
+void		mtw_newassoc(struct ieee80211com *, struct ieee80211_node *,
+		    int);
+void		mtw_rx_frame(struct mtw_softc *, uint8_t *, int,
+		    struct mbuf_list *);
+void		mtw_rxeof(struct usbd_xfer *, void *, usbd_status);
+void		mtw_txeof(struct usbd_xfer *, void *, usbd_status);
+int		mtw_tx(struct mtw_softc *, struct mbuf *,
+		    struct ieee80211_node *);
+void		mtw_start(struct ifnet *);
+void		mtw_watchdog(struct ifnet *);
+int		mtw_ioctl(struct ifnet *, u_long, caddr_t);
+void		mtw_select_chan_group(struct mtw_softc *, int);
+void		mt7601_set_agc(struct mtw_softc *, uint8_t);
+void		mt7601_set_chan(struct mtw_softc *, u_int);
+int		mtw_set_chan(struct mtw_softc *, struct ieee80211_channel *);
+void		mtw_enable_tsf_sync(struct mtw_softc *);
+void		mtw_abort_tsf_sync(struct mtw_softc *);
+void		mtw_enable_mrr(struct mtw_softc *);
+void		mtw_set_txrts(struct mtw_softc *);
+void		mtw_set_txpreamble(struct mtw_softc *);
+void		mtw_set_basicrates(struct mtw_softc *);
+void		mtw_set_leds(struct mtw_softc *, uint16_t);
+void		mtw_set_bssid(struct mtw_softc *, const uint8_t *);
+void		mtw_set_macaddr(struct mtw_softc *, const uint8_t *);
+#if NBPFILTER > 0
+int8_t		mtw_rssi2dbm(struct mtw_softc *, uint8_t, uint8_t);
+#endif
+int		mt7601_bbp_init(struct mtw_softc *);
+int		mt7601_rf_init(struct mtw_softc *);
+int		mt7601_rf_setup(struct mtw_softc *);
+int		mt7601_rf_temperature(struct mtw_softc *, int8_t *);
+int		mt7601_r49_read(struct mtw_softc *, uint8_t, int8_t *);
+int		mt7601_rxdc_cal(struct mtw_softc *);
+int		mtw_wlan_enable(struct mtw_softc *, int);
+int		mtw_txrx_enable(struct mtw_softc *);
+int		mtw_init(struct ifnet *);
+void		mtw_stop(struct ifnet *, int);
+
+struct cfdriver mtw_cd = {
+	NULL, "mtw", DV_IFNET
+};
+
+const struct cfattach mtw_ca = {
+	sizeof (struct mtw_softc), mtw_match, mtw_attach, mtw_detach
+};
+
+static const struct {
+	uint32_t	reg;
+	uint32_t	val;
+} mt7601_def_mac[] = {
+	MT7601_DEF_MAC
+};
+
+static const struct {
+	uint8_t		reg;
+	uint8_t		val;
+} mt7601_def_bbp[] = {
+	MT7601_DEF_BBP
+};
+
+static const struct {
+	u_int		chan;
+	uint8_t		r17, r18, r19, r20;
+} mt7601_rf_chan[] = {
+	MT7601_RF_CHAN
+};
+
+static const struct {
+	uint8_t		reg;
+	uint8_t		val;
+} mt7601_rf_bank0[] = {
+	MT7601_BANK0_RF
+},mt7601_rf_bank4[] = {
+	MT7601_BANK4_RF
+},mt7601_rf_bank5[] = {
+	MT7601_BANK5_RF
+};
+
+int
+mtw_match(struct device *parent, void *match, void *aux)
+{
+	struct usb_attach_arg *uaa = aux;
+
+	if (uaa->iface == NULL || uaa->configno != 1)
+		return UMATCH_NONE;
+
+	return (usb_lookup(mtw_devs, uaa->vendor, uaa->product) != NULL) ?
+	    UMATCH_VENDOR_PRODUCT_CONF_IFACE : UMATCH_NONE;
+}
+
+void
+mtw_attach(struct device *parent, struct device *self, void *aux)
+{
+	struct mtw_softc *sc = (struct mtw_softc *)self;
+	struct usb_attach_arg *uaa = aux;
+	usb_interface_descriptor_t *id;
+	usb_endpoint_descriptor_t *ed;
+	int i, error, nrx, ntx, ntries;
+	uint32_t ver;
+
+	sc->sc_udev = uaa->device;
+	sc->sc_iface = uaa->iface;
+
+	/*
+	 * Find all bulk endpoints.
+	 */
+	nrx = ntx = 0;
+	id = usbd_get_interface_descriptor(sc->sc_iface);
+	for (i = 0; i < id->bNumEndpoints; i++) {
+		ed = usbd_interface2endpoint_descriptor(sc->sc_iface, i);
+		if (ed == NULL || UE_GET_XFERTYPE(ed->bmAttributes) != UE_BULK)
+			continue;
+
+		if (UE_GET_DIR(ed->bEndpointAddress) == UE_DIR_IN) {
+			sc->rxq[nrx].pipe_no = ed->bEndpointAddress;
+			nrx++;
+		} else if (ntx < 6) {
+			if (ntx == 0)
+				sc->txq[MTW_TXQ_MCU].pipe_no =
+				    ed->bEndpointAddress;
+			else
+				sc->txq[ntx - 1].pipe_no =
+				    ed->bEndpointAddress;
+			ntx++;
+		}
+	}
+	/* make sure we've got them all */
+	if (nrx < 2 || ntx < 6) {
+		printf("%s: missing endpoint\n", sc->sc_dev.dv_xname);
+		return;
+	}
+
+	/* wait for the chip to settle */
+	for (ntries = 0; ntries < 100; ntries++) {
+		if ((error = mtw_read(sc, MTW_ASIC_VER, &ver)) != 0)
+			return;
+		if (ver != 0 && ver != 0xffffffff)
+			break;
+		DPRINTF(("%08x ", ver));
+		DELAY(10);
+	}
+	if (ntries == 100) {
+		printf("%s: timeout waiting for NIC to initialize\n",
+		    sc->sc_dev.dv_xname);
+		return;
+	}
+
+	sc->asic_ver = ver >> 16;
+	sc->asic_rev = ver & 0xffff;
+
+	usb_init_task(&sc->sc_task, mtw_task, sc, USB_TASK_TYPE_GENERIC);
+	timeout_set(&sc->scan_to, mtw_next_scan, sc);
+	timeout_set(&sc->calib_to, mtw_calibrate_to, sc);
+
+	sc->amrr.amrr_min_success_threshold =  1;
+	sc->amrr.amrr_max_success_threshold = 10;
+
+	config_mountroot(self, mtw_attachhook);
+}
+
+int
+mtw_detach(struct device *self, int flags)
+{
+	struct mtw_softc *sc = (struct mtw_softc *)self;
+	struct ifnet *ifp = &sc->sc_ic.ic_if;
+	int qid, s;
+
+	s = splusb();
+
+	if (timeout_initialized(&sc->scan_to))
+		timeout_del(&sc->scan_to);
+	if (timeout_initialized(&sc->calib_to))
+		timeout_del(&sc->calib_to);
+
+	/* wait for all queued asynchronous commands to complete */
+	usb_rem_wait_task(sc->sc_udev, &sc->sc_task);
+
+	usbd_ref_wait(sc->sc_udev);
+
+	if (ifp->if_softc != NULL) {
+		ifp->if_flags &= ~IFF_RUNNING;
+		ifq_clr_oactive(&ifp->if_snd);
+		ieee80211_ifdetach(ifp);
+		if_detach(ifp);
+	}
+
+	/* free rings and close pipes */
+	mtw_free_mcu_ring(sc);
+	for (qid = 0; qid < MTW_TXQ_COUNT; qid++)
+		mtw_free_tx_ring(sc, qid);
+	mtw_free_rx_ring(sc, 0);
+	mtw_free_rx_ring(sc, 1);
+
+	splx(s);
+	return 0;
+}
+
+void
+mtw_attachhook(struct device *self)
+{
+	struct mtw_softc *sc = (struct mtw_softc *)self;
+	struct ieee80211com *ic = &sc->sc_ic;
+	struct ifnet *ifp = &ic->ic_if;
+	uint32_t tmp;
+	int ntries, error, i;
+
+	if (usbd_is_dying(sc->sc_udev))
+		return;
+
+	/* enable WLAN core */
+	if ((error = mtw_wlan_enable(sc, 1)) != 0) {
+		printf("%s: could not enable WLAN core\n",
+		    sc->sc_dev.dv_xname);
+		return;
+	}
+
+	/* load firmware */
+	if ((error = mtw_load_microcode(sc)) != 0) {
+		printf("%s: could not load microcode\n",
+		    sc->sc_dev.dv_xname);
+		goto fail;
+	}
+
+	mtw_usb_dma_read(sc, &tmp);
+	mtw_usb_dma_write(sc, tmp | (MTW_USB_RX_EN | MTW_USB_TX_EN));
+
+	/* read MAC version */
+	for (ntries = 0; ntries < 100; ntries++) {
+		if ((error = mtw_read(sc, MTW_MAC_VER_ID, &tmp)) != 0)
+			goto fail;
+		if (tmp != 0 && tmp != 0xffffffff)
+			break;
+		DELAY(10);
+	}
+	if (ntries == 100) {
+		printf("%s: failed reading MAC\n", sc->sc_dev.dv_xname);
+		goto fail;
+	}
+
+	sc->mac_ver = tmp >> 16;
+	sc->mac_rev = tmp & 0xffff;
+	
+	/* retrieve RF rev. no and various other things from EEPROM */
+	mtw_read_eeprom(sc);
+
+	printf("%s: MAC/BBP MT%04X (rev 0x%04X), RF %s (MIMO %dT%dR), "
+	    "address %s\n", sc->sc_dev.dv_xname, sc->mac_ver,
+	    sc->mac_rev, mtw_get_rf(sc->rf_rev), sc->ntxchains,
+	    sc->nrxchains, ether_sprintf(ic->ic_myaddr));
+
+	ic->ic_phytype = IEEE80211_T_OFDM;	/* not only, but not used */
+	ic->ic_opmode = IEEE80211_M_STA;	/* default to BSS mode */
+	ic->ic_state = IEEE80211_S_INIT;
+
+	/* set device capabilities */
+	ic->ic_caps =
+	    IEEE80211_C_MONITOR |	/* monitor mode supported */
+	    IEEE80211_C_SHPREAMBLE |	/* short preamble supported */
+	    IEEE80211_C_SHSLOT |	/* short slot time supported */
+	    IEEE80211_C_WEP |		/* WEP */
+	    IEEE80211_C_RSN;		/* WPA/RSN */
+
+	/* set supported .11b and .11g rates */
+	ic->ic_sup_rates[IEEE80211_MODE_11B] = ieee80211_std_rateset_11b;
+	ic->ic_sup_rates[IEEE80211_MODE_11G] = ieee80211_std_rateset_11g;
+
+	/* set supported .11b and .11g channels (1 through 14) */
+	for (i = 1; i <= 14; i++) {
+		ic->ic_channels[i].ic_freq =
+		    ieee80211_ieee2mhz(i, IEEE80211_CHAN_2GHZ);
+		ic->ic_channels[i].ic_flags =
+		    IEEE80211_CHAN_CCK | IEEE80211_CHAN_OFDM |
+		    IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
+	}
+
+	ifp->if_softc = sc;
+	ifp->if_flags = IFF_BROADCAST | IFF_SIMPLEX | IFF_MULTICAST;
+	ifp->if_ioctl = mtw_ioctl;
+	ifp->if_start = mtw_start;
+	ifp->if_watchdog = mtw_watchdog;
+	memcpy(ifp->if_xname, sc->sc_dev.dv_xname, IFNAMSIZ);
+
+	if_attach(ifp);
+	ieee80211_ifattach(ifp);
+	ic->ic_node_alloc = mtw_node_alloc;
+	ic->ic_newassoc = mtw_newassoc;
+	ic->ic_updateslot = mtw_updateslot;
+	ic->ic_updateedca = mtw_updateedca;
+	ic->ic_set_key = mtw_set_key;
+	ic->ic_delete_key = mtw_delete_key;
+
+	/* override 802.11 state transition machine */
+	sc->sc_newstate = ic->ic_newstate;
+	ic->ic_newstate = mtw_newstate;
+	ieee80211_media_init(ifp, mtw_media_change, ieee80211_media_status);
+
+#if NBPFILTER > 0
+	bpfattach(&sc->sc_drvbpf, ifp, DLT_IEEE802_11_RADIO,
+	    sizeof (struct ieee80211_frame) + IEEE80211_RADIOTAP_HDRLEN);
+
+	sc->sc_rxtap_len = sizeof sc->sc_rxtapu;
+	sc->sc_rxtap.wr_ihdr.it_len = htole16(sc->sc_rxtap_len);
+	sc->sc_rxtap.wr_ihdr.it_present = htole32(MTW_RX_RADIOTAP_PRESENT);
+
+	sc->sc_txtap_len = sizeof sc->sc_txtapu;
+	sc->sc_txtap.wt_ihdr.it_len = htole16(sc->sc_txtap_len);
+	sc->sc_txtap.wt_ihdr.it_present = htole32(MTW_TX_RADIOTAP_PRESENT);
+#endif
+fail:
+	return;
+}
+
+int
+mtw_alloc_rx_ring(struct mtw_softc *sc, int qid)
+{
+	struct mtw_rx_ring *rxq = &sc->rxq[qid];
+	int i, error;
+
+	if ((error = usbd_open_pipe(sc->sc_iface, rxq->pipe_no, 0,
+	    &rxq->pipeh)) != 0)
+		goto fail;
+
+	for (i = 0; i < MTW_RX_RING_COUNT; i++) {
+		struct mtw_rx_data *data = &rxq->data[i];
+
+		data->sc = sc;	/* backpointer for callbacks */
+
+		data->xfer = usbd_alloc_xfer(sc->sc_udev);
+		if (data->xfer == NULL) {
+			error = ENOMEM;
+			goto fail;
+		}
+		data->buf = usbd_alloc_buffer(data->xfer, MTW_MAX_RXSZ);
+		if (data->buf == NULL) {
+			error = ENOMEM;
+			goto fail;
+		}
+	}
+	if (error != 0)
+fail:		mtw_free_rx_ring(sc, 0);
+	return error;
+}
+
+void
+mtw_free_rx_ring(struct mtw_softc *sc, int qid)
+{
+	struct mtw_rx_ring *rxq = &sc->rxq[qid];
+	int i;
+
+	if (rxq->pipeh != NULL) {
+		usbd_close_pipe(rxq->pipeh);
+		rxq->pipeh = NULL;
+	}
+	for (i = 0; i < MTW_RX_RING_COUNT; i++) {
+		if (rxq->data[i].xfer != NULL)
+			usbd_free_xfer(rxq->data[i].xfer);
+		rxq->data[i].xfer = NULL;
+	}
+}
+
+int
+mtw_alloc_tx_ring(struct mtw_softc *sc, int qid)
+{
+	struct mtw_tx_ring *txq = &sc->txq[qid];
+	int i, error;
+	uint16_t txwisize;
+
+	txwisize = sizeof(struct mtw_txwi);
+
+	txq->cur = txq->queued = 0;
+
+	if ((error = usbd_open_pipe(sc->sc_iface, txq->pipe_no, 0,
+	    &txq->pipeh)) != 0)
+		goto fail;
+
+	for (i = 0; i < MTW_TX_RING_COUNT; i++) {
+		struct mtw_tx_data *data = &txq->data[i];
+
+		data->sc = sc;	/* backpointer for callbacks */
+		data->qid = qid;
+
+		data->xfer = usbd_alloc_xfer(sc->sc_udev);
+		if (data->xfer == NULL) {
+			error = ENOMEM;
+			goto fail;
+		}
+
+		data->buf = usbd_alloc_buffer(data->xfer, MTW_MAX_TXSZ);
+		if (data->buf == NULL) {
+			error = ENOMEM;
+			goto fail;
+		}
+
+		/* zeroize the TXD + TXWI part */
+		memset(data->buf, 0, MTW_MAX_TXSZ);
+	}
+	if (error != 0)
+fail:		mtw_free_tx_ring(sc, qid);
+	return error;
+}
+
+void
+mtw_free_tx_ring(struct mtw_softc *sc, int qid)
+{
+	struct mtw_tx_ring *txq = &sc->txq[qid];
+	int i;
+
+	if (txq->pipeh != NULL) {
+		usbd_close_pipe(txq->pipeh);
+		txq->pipeh = NULL;
+	}
+	for (i = 0; i < MTW_TX_RING_COUNT; i++) {
+		if (txq->data[i].xfer != NULL)
+			usbd_free_xfer(txq->data[i].xfer);
+		txq->data[i].xfer = NULL;
+	}
+}
+
+int
+mtw_alloc_mcu_ring(struct mtw_softc *sc)
+{
+	struct mtw_tx_ring *ring = &sc->sc_mcu;
+	struct mtw_tx_data *data = &ring->data[0];
+	int error = 0;
+	
+	ring->cur = ring->queued = 0;
+
+	data->sc = sc;	/* backpointer for callbacks */
+	data->qid = 5;
+
+	data->xfer = usbd_alloc_xfer(sc->sc_udev);
+	if (data->xfer == NULL) {
+		error = ENOMEM;
+		goto fail;
+	}
+
+	data->buf = usbd_alloc_buffer(data->xfer, MTW_MAX_TXSZ);
+	if (data->buf == NULL) {
+		error = ENOMEM;
+		goto fail;
+	}
+	/* zeroize the TXD */
+	memset(data->buf, 0, 4);
+
+	if (error != 0)
+fail:		mtw_free_mcu_ring(sc);
+	return error;
+
+
+}
+void
+mtw_free_mcu_ring(struct mtw_softc *sc)
+{
+	struct mtw_tx_ring *txq = &sc->sc_mcu;
+
+	if (txq->data[0].xfer != NULL)
+		usbd_free_xfer(txq->data[0].xfer);
+	txq->data[0].xfer = NULL;
+}
+
+int
+mtw_ucode_write(struct mtw_softc *sc, const uint8_t *fw, uint32_t len,
+    uint32_t offset)
+{
+	struct mtw_tx_ring *ring = &sc->txq[MTW_TXQ_MCU];
+	struct usbd_xfer *xfer;
+	struct mtw_txd *txd;
+	uint8_t *buf;
+	uint32_t blksz, sent, tmp, xferlen;
+	int error;
+
+	blksz = 0x2000;
+	if (sc->asic_ver == 0x7612 && offset >= 0x90000)
+		blksz = 0x800; /* MT7612 ROM Patch */
+
+	xfer = usbd_alloc_xfer(sc->sc_udev);
+	if (xfer == NULL) {
+		error = ENOMEM;
+		goto fail;
+	}
+	buf = usbd_alloc_buffer(xfer, blksz + 12);
+	if (buf == NULL) {
+		error = ENOMEM;
+		goto fail;
+	}
+
+	sent = 0;
+	for (;;) {
+		xferlen = min(len - sent, blksz);
+		if (xferlen == 0)
+			break;
+
+		txd = (struct mtw_txd *)buf;
+		txd->len = htole16(xferlen);
+		txd->flags = htole16(MTW_TXD_DATA | MTW_TXD_MCU);
+
+		memcpy(buf + sizeof(struct mtw_txd), fw + sent, xferlen);
+		memset(buf + sizeof(struct mtw_txd) + xferlen, 0, MTW_DMA_PAD);
+		mtw_write_cfg(sc, MTW_MCU_DMA_ADDR, offset + sent);
+		mtw_write_cfg(sc, MTW_MCU_DMA_LEN, (xferlen << 16));
+
+		usbd_setup_xfer(xfer, ring->pipeh, NULL, buf,
+		    xferlen + sizeof(struct mtw_txd) + MTW_DMA_PAD,
+		    USBD_SHORT_XFER_OK | USBD_SYNCHRONOUS | USBD_NO_COPY,
+		    MTW_TX_TIMEOUT, NULL);
+		if ((error = usbd_transfer(xfer)) != 0)
+			break;
+
+		mtw_read_cfg(sc, MTW_MCU_DMA_LEN, &tmp);
+
+		mtw_read(sc, MTW_MCU_FW_IDX, &tmp);
+		mtw_write(sc, MTW_MCU_FW_IDX, tmp++);
+
+		sent += xferlen;
+	}
+fail:
+	if (xfer != NULL) {
+		usbd_free_xfer(xfer);
+		xfer = NULL;
+	}
+	return error;
+}
+
+void
+mtw_ucode_setup(struct mtw_softc *sc)
+{
+	mtw_usb_dma_write(sc, (MTW_USB_TX_EN | MTW_USB_RX_EN));
+	mtw_write(sc, MTW_FCE_PSE_CTRL, 1);
+	mtw_write(sc, MTW_TX_CPU_FCE_BASE, 0x400230);
+	mtw_write(sc, MTW_TX_CPU_FCE_MAX_COUNT, 1);
+	mtw_write(sc, MTW_MCU_FW_IDX, 1);
+	mtw_write(sc, MTW_FCE_PDMA, 0x44);
+	mtw_write(sc, MTW_FCE_SKIP_FS, 3);
+}
+
+int
+mtw_load_microcode(struct mtw_softc *sc)
+{
+	const struct mtw_ucode_hdr *hdr;
+	const struct mtw_ucode *fw;
+	const char *fwname;
+	u_char *ucode;
+	size_t size;
+	uint32_t tmp, iofs, dofs;
+	int ntries, error;
+	int dlen, ilen;
+
+	/* is firmware already running? */
+	mtw_read_cfg(sc, MTW_MCU_DMA_ADDR, &tmp);
+	if (tmp == MTW_MCU_READY)
+		return 0;
+
+	/* open MCU pipe */
+	if ((error = usbd_open_pipe(sc->sc_iface, sc->txq[MTW_TXQ_MCU].pipe_no,
+	    0, &sc->txq[MTW_TXQ_MCU].pipeh)) != 0)
+		return error;
+
+	if (sc->asic_ver == 0x7612) {
+		fwname = "mtw-mt7662u_rom_patch";
+
+		if ((error = loadfirmware(fwname, &ucode, &size)) != 0) {
+			printf("%s: failed loadfirmware of file %s (error %d)\n",
+			    sc->sc_dev.dv_xname, fwname, error);
+			return error;
+		}
+		fw = (const struct mtw_ucode *) ucode + 0x1e;
+		ilen = size - 0x1e;
+
+		mtw_ucode_setup(sc);
+
+		if ((error = mtw_ucode_write(sc, fw->data, ilen, 0x90000)) != 0)
+			goto fail;
+
+		mtw_read_cfg(sc, 0x0208, &tmp);
+		mtw_usb_dma_write(sc, 0x00e41814);
+		free(ucode, M_DEVBUF, size);
+	}
+
+	fwname = "mtw-mt7601u";
+	iofs = 0x40;
+	dofs = 0;
+	if (sc->asic_ver == 0x7612) {
+		fwname = "mtw-mt7662u";
+		iofs = 0x80040;
+		dofs = 0x110800;
+	} else if (sc->asic_ver == 0x7610) {
+		fwname = "mtw-mt7610u";
+		dofs = 0x80000;
+	}
+
+	if ((error = loadfirmware(fwname, &ucode, &size)) != 0) {
+		printf("%s: failed loadfirmware of file %s (error %d)\n",
+		    sc->sc_dev.dv_xname, fwname, error);
+		return error;
+	}
+
+	if (size < sizeof(struct mtw_ucode_hdr)) {
+		printf("%s: firmware header too short\n",
+		    sc->sc_dev.dv_xname);
+		goto fail;
+	}
+
+	fw = (const struct mtw_ucode *) ucode;
+	hdr = (const struct mtw_ucode_hdr *) &fw->hdr;
+
+	if (size < sizeof(struct mtw_ucode_hdr) + letoh32(hdr->ilm_len) +
+	    letoh32(hdr->dlm_len)) {
+		printf("%s: firmware payload too short\n",
+		    sc->sc_dev.dv_xname);
+		goto fail;
+	}
+
+	ilen = le32toh(hdr->ilm_len) - MTW_MCU_IVB_LEN;
+	dlen = le32toh(hdr->dlm_len);
+
+	if (ilen > size || dlen > size) {
+		printf("%s: firmware payload too large\n",
+		    sc->sc_dev.dv_xname);
+		goto fail;
+	}
+
+	mtw_write(sc, MTW_FCE_PDMA, 0);
+	mtw_write(sc, MTW_FCE_PSE_CTRL, 0);
+	mtw_ucode_setup(sc);
+
+	if ((error = mtw_ucode_write(sc, fw->data, ilen, iofs)) != 0)
+		goto fail;
+	if (dlen > 0 && dofs > 0) {
+		if ((error = mtw_ucode_write(sc, fw->data + ilen,
+		    dlen, dofs)) != 0)
+			goto fail;
+	}
+
+	/* write interrupt vectors */
+	if (sc->asic_ver == 0x7612) {
+		/* MT7612 */
+		if ((error = mtw_ucode_write(sc, fw->ivb,
+		    MTW_MCU_IVB_LEN, 0x80000)) != 0)
+			goto fail;
+		mtw_write_cfg(sc, MTW_MCU_DMA_ADDR, 0x00095000);
+		mtw_write_ivb(sc, NULL, 0);
+	} else {
+		/* MT7601/MT7610 */
+		if ((error = mtw_write_ivb(sc, fw->ivb,
+		    MTW_MCU_IVB_LEN)) != 0)
+			goto fail;
+	}
+
+	/* wait until microcontroller is ready */
+	usbd_delay_ms(sc->sc_udev, 10);
+
+	for (ntries = 0; ntries < 100; ntries++) {
+		if ((error = mtw_read_cfg(sc, MTW_MCU_DMA_ADDR, &tmp)) != 0)
+			return error;
+		if (tmp & MTW_MCU_READY)
+			break;
+		usbd_delay_ms(sc->sc_udev, 100);
+	}
+
+	if (ntries == 100) {
+		printf("%s: timeout waiting for MCU to initialize\n",
+		    sc->sc_dev.dv_xname);
+		error = ETIMEDOUT;
+	}
+
+	DPRINTF(("%s: loaded firmware ver %d.%d\n", sc->sc_dev.dv_xname,
+	    le16toh(hdr->build_ver), le16toh(hdr->fw_ver)));
+fail:
+	free(ucode, M_DEVBUF, size);
+	usbd_close_pipe(sc->txq[MTW_TXQ_MCU].pipeh);
+	sc->txq[MTW_TXQ_MCU].pipeh = NULL;
+	return error;
+}
+
+int
+mtw_reset(struct mtw_softc *sc)
+{
+	usb_device_request_t req;
+
+	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
+	req.bRequest = MTW_RESET;
+	USETW(req.wValue, 1);
+	USETW(req.wIndex, 0);
+	USETW(req.wLength, 0);
+	return usbd_do_request(sc->sc_udev, &req, NULL);
+}
+
+int
+mtw_read(struct mtw_softc *sc, uint16_t reg, uint32_t *val)
+{
+	uint32_t tmp;
+	int error;
+
+	error = mtw_read_region_1(sc, reg,
+	    (uint8_t *)&tmp, sizeof tmp);
+	if (error == 0)
+		*val = letoh32(tmp);
+	else
+		*val = 0xffffffff;
+	return error;
+}
+
+int
+mtw_read_cfg(struct mtw_softc *sc, uint16_t reg, uint32_t *val)
+{
+	usb_device_request_t req;
+	uint32_t tmp;
+	int error;
+
+	req.bmRequestType = UT_READ_VENDOR_DEVICE;
+	req.bRequest = MTW_READ_CFG;
+	USETW(req.wValue, 0);
+	USETW(req.wIndex, reg);
+	USETW(req.wLength, 4);
+	error = usbd_do_request(sc->sc_udev, &req, &tmp);
+
+	if (error == 0)
+		*val = letoh32(tmp);
+	else
+		*val = 0xffffffff;
+	return error;
+}
+
+int
+mtw_read_region_1(struct mtw_softc *sc, uint16_t reg,
+    uint8_t *buf, int len)
+{
+	usb_device_request_t req;
+
+	req.bmRequestType = UT_READ_VENDOR_DEVICE;
+	req.bRequest = MTW_READ_REGION_1;
+	USETW(req.wValue, 0);
+	USETW(req.wIndex, reg);
+	USETW(req.wLength, len);
+	return usbd_do_request(sc->sc_udev, &req, buf);
+}
+
+int
+mtw_write_2(struct mtw_softc *sc, uint16_t reg, uint16_t val)
+{
+	usb_device_request_t req;
+
+	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
+	req.bRequest = MTW_WRITE_2;
+	USETW(req.wValue, val);
+	USETW(req.wIndex, reg);
+	USETW(req.wLength, 0);
+	return usbd_do_request(sc->sc_udev, &req, NULL);
+}
+
+int
+mtw_write(struct mtw_softc *sc, uint16_t reg, uint32_t val)
+{
+	int error;
+
+	if ((error = mtw_write_2(sc, reg, val & 0xffff)) == 0)
+		error = mtw_write_2(sc, reg + 2, val >> 16);
+	return error;
+}
+
+int
+mtw_write_cfg(struct mtw_softc *sc, uint16_t reg, uint32_t val)
+{
+	usb_device_request_t req;
+	int error;
+
+	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
+	req.bRequest = MTW_WRITE_CFG;
+	USETW(req.wValue, 0);
+	USETW(req.wIndex, reg);
+	USETW(req.wLength, 4);
+	error = usbd_do_request(sc->sc_udev, &req, &val);
+	return error;
+}
+
+int
+mtw_write_ivb(struct mtw_softc *sc, const uint8_t *buf, uint16_t len)
+{
+	usb_device_request_t req;
+
+	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
+	req.bRequest = MTW_RESET;
+	USETW(req.wValue, 0x12);
+	USETW(req.wIndex, 0);
+	USETW(req.wLength, len);
+	return usbd_do_request(sc->sc_udev, &req, (void *)buf);
+}
+
+int
+mtw_write_region_1(struct mtw_softc *sc, uint16_t reg,
+    uint8_t *buf, int len)
+{
+	usb_device_request_t req;
+
+	req.bmRequestType = UT_WRITE_VENDOR_DEVICE;
+	req.bRequest = MTW_WRITE_REGION_1;
+	USETW(req.wValue, 0);
+	USETW(req.wIndex, reg);
+	USETW(req.wLength, len);
+	return usbd_do_request(sc->sc_udev, &req, buf);
+}
+
+int
+mtw_set_region_4(struct mtw_softc *sc, uint16_t reg, uint32_t val, int count)
+{
+	int error = 0;
+
+	for (; count > 0 && error == 0; count--, reg += 4)
+		error = mtw_write(sc, reg, val);
+	return error;
+}
+
+/* Read 16-bit from eFUSE ROM. */
+int
+mtw_efuse_read_2(struct mtw_softc *sc, uint16_t addr, uint16_t *val)
+{
+	uint32_t tmp;
+	uint16_t reg;
+	int error, ntries;
+
+	if ((error = mtw_read(sc, MTW_EFUSE_CTRL, &tmp)) != 0)
+		return error;
+
+	addr *= 2;
+	/*
+	 * Read one 16-byte block into registers EFUSE_DATA[0-3]:
+	 * DATA0: 3 2 1 0
+	 * DATA1: 7 6 5 4
+	 * DATA2: B A 9 8
+	 * DATA3: F E D C
+	 */
+	tmp &= ~(MTW_EFSROM_MODE_MASK | MTW_EFSROM_AIN_MASK);
+	tmp |= (addr & ~0xf) << MTW_EFSROM_AIN_SHIFT | MTW_EFSROM_KICK;
+	mtw_write(sc, MTW_EFUSE_CTRL, tmp);
+	for (ntries = 0; ntries < 100; ntries++) {
+		if ((error = mtw_read(sc, MTW_EFUSE_CTRL, &tmp)) != 0)
+			return error;
+		if (!(tmp & MTW_EFSROM_KICK))
+			break;
+		DELAY(2);
+	}
+	if (ntries == 100)
+		return ETIMEDOUT;
+
+	if ((tmp & MTW_EFUSE_AOUT_MASK) == MTW_EFUSE_AOUT_MASK) {
+		*val = 0xffff;	/* address not found */
+		return 0;
+	}
+	/* determine to which 32-bit register our 16-bit word belongs */
+	reg = MTW_EFUSE_DATA0 + (addr & 0xc);
+	if ((error = mtw_read(sc, reg, &tmp)) != 0)
+		return error;
+
+	*val = (addr & 2) ? tmp >> 16 : tmp & 0xffff;
+	return 0;
+}
+
+int
+mtw_eeprom_read_2(struct mtw_softc *sc, uint16_t addr, uint16_t *val)
+{
+	usb_device_request_t req;
+	uint16_t tmp;
+	int error;
+
+	addr *= 2;
+	req.bmRequestType = UT_READ_VENDOR_DEVICE;
+	req.bRequest = MTW_EEPROM_READ;
+	USETW(req.wValue, 0);
+	USETW(req.wIndex, addr);
+	USETW(req.wLength, sizeof tmp);
+	error = usbd_do_request(sc->sc_udev, &req, &tmp);
+	if (error == 0)
+		*val = letoh16(tmp);
+	else
+		*val = 0xffff;
+	return error;
+}
+
+static __inline int
+mtw_srom_read(struct mtw_softc *sc, uint16_t addr, uint16_t *val)
+{
+	/* either eFUSE ROM or EEPROM */
+	return sc->sc_srom_read(sc, addr, val);
+}
+
+int
+mtw_rf_read(struct mtw_softc *sc, uint8_t bank, uint8_t reg, uint8_t *val)
+{
+	uint32_t tmp;
+	int error, ntries, shift;
+
+	for (ntries = 0; ntries < 100; ntries++) {
+		if ((error = mtw_read(sc, MTW_RF_CSR, &tmp)) != 0)
+			return error;
+		if (!(tmp & MTW_RF_CSR_KICK))
+			break;
+	}
+	if (ntries == 100)
+		return ETIMEDOUT;
+
+	if (sc->mac_ver == 0x7601)
+		shift = MT7601_BANK_SHIFT;
+	else
+		shift = MT7610_BANK_SHIFT;
+
+	tmp = MTW_RF_CSR_KICK | (bank & 0xf) << shift | reg << 8;
+	if ((error = mtw_write(sc, MTW_RF_CSR, tmp)) != 0)
+		return error;
+
+	for (ntries = 0; ntries < 100; ntries++) {
+		if ((error = mtw_read(sc, MTW_RF_CSR, &tmp)) != 0)
+			return error;
+		if (!(tmp & MTW_RF_CSR_KICK))
+			break;
+	}
+	if (ntries == 100)
+		return ETIMEDOUT;
+
+	*val = tmp & 0xff;
+	return 0;
+}
+
+int
+mtw_rf_write(struct mtw_softc *sc, uint8_t bank, uint8_t reg, uint8_t val)
+{
+	uint32_t tmp;
+	int error, ntries, shift;
+
+	for (ntries = 0; ntries < 10; ntries++) {
+		if ((error = mtw_read(sc, MTW_RF_CSR, &tmp)) != 0)
+			return error;
+		if (!(tmp & MTW_RF_CSR_KICK))
+			break;
+	}
+	if (ntries == 10)
+		return ETIMEDOUT;
+
+	if (sc->mac_ver == 0x7601)
+		shift = MT7601_BANK_SHIFT;
+	else
+		shift = MT7610_BANK_SHIFT;
+
+	tmp = MTW_RF_CSR_WRITE | MTW_RF_CSR_KICK | (bank & 0xf) << shift |
+	    reg << 8 | val;
+	return mtw_write(sc, MTW_RF_CSR, tmp);
+}
+
+int
+mtw_bbp_read(struct mtw_softc *sc, uint8_t reg, uint8_t *val)
+{
+	uint32_t tmp;
+	int ntries, error;
+
+	for (ntries = 0; ntries < 10; ntries++) {
+		if ((error = mtw_read(sc, MTW_BBP_CSR, &tmp)) != 0)
+			return error;
+		if (!(tmp & MTW_BBP_CSR_KICK))
+			break;
+	}
+	if (ntries == 10)
+		return ETIMEDOUT;
+
+	tmp = MTW_BBP_CSR_READ | MTW_BBP_CSR_KICK | reg << MTW_BBP_ADDR_SHIFT;
+	if ((error = mtw_write(sc, MTW_BBP_CSR, tmp)) != 0)
+		return error;
+
+	for (ntries = 0; ntries < 10; ntries++) {
+		if ((error = mtw_read(sc, MTW_BBP_CSR, &tmp)) != 0)
+			return error;
+		if (!(tmp & MTW_BBP_CSR_KICK))
+			break;
+	}
+	if (ntries == 10)
+		return ETIMEDOUT;
+
+	*val = tmp & 0xff;
+	return 0;
+}
+
+int
+mtw_bbp_write(struct mtw_softc *sc, uint8_t reg, uint8_t val)
+{
+	uint32_t tmp;
+	int ntries, error;
+
+	for (ntries = 0; ntries < 10; ntries++) {
+		if ((error = mtw_read(sc, MTW_BBP_CSR, &tmp)) != 0)
+			return error;
+		if (!(tmp & MTW_BBP_CSR_KICK))
+			break;
+	}
+	if (ntries == 10)
+		return ETIMEDOUT;
+
+	tmp = MTW_BBP_CSR_KICK | reg << MTW_BBP_ADDR_SHIFT | val;
+	return mtw_write(sc, MTW_BBP_CSR, tmp);
+}
+
+int
+mtw_usb_dma_read(struct mtw_softc *sc, uint32_t *val)
+{
+	if (sc->asic_ver == 0x7612)
+		return mtw_read_cfg(sc, MTW_USB_U3DMA_CFG, val);
+	else
+		return mtw_read(sc, MTW_USB_DMA_CFG, val);
+}
+
+int
+mtw_usb_dma_write(struct mtw_softc *sc, uint32_t val)
+{
+	if (sc->asic_ver == 0x7612)
+		return mtw_write_cfg(sc, MTW_USB_U3DMA_CFG, val);
+	else
+		return mtw_write(sc, MTW_USB_DMA_CFG, val);
+}
+
+int
+mtw_mcu_calibrate(struct mtw_softc *sc, int func, uint32_t val)
+{
+	struct mtw_mcu_cmd_8 cmd;
+	
+	cmd.func = htole32(func);
+	cmd.val = htole32(val);
+	return mtw_mcu_cmd(sc, 31, &cmd, sizeof(struct mtw_mcu_cmd_8));
+}
+
+int
+mtw_mcu_channel(struct mtw_softc *sc, uint32_t r1, uint32_t r2, uint32_t r4)
+{
+	struct mtw_mcu_cmd_16 cmd;
+
+	cmd.r1 = htole32(r1);
+	cmd.r2 = htole32(r2);
+	cmd.r3 = 0;
+	cmd.r4 = htole32(r4);
+	return mtw_mcu_cmd(sc, 30, &cmd, sizeof(struct mtw_mcu_cmd_16));
+}
+
+int
+mtw_mcu_radio(struct mtw_softc *sc, int func, uint32_t val)
+{
+	struct mtw_mcu_cmd_16 cmd;
+
+	cmd.r1 = htole32(func);
+	cmd.r2 = htole32(val);
+	cmd.r3 = 0;
+	cmd.r4 = 0;
+	return mtw_mcu_cmd(sc, 20, &cmd, sizeof(struct mtw_mcu_cmd_16));
+}
+
+int
+mtw_mcu_cmd(struct mtw_softc *sc, int cmd, void *buf, int len)
+{
+	struct mtw_tx_ring *ring = &sc->sc_mcu;
+	struct mtw_tx_data *data = &ring->data[0];
+	struct mtw_txd *txd;
+	int xferlen;
+
+	txd = (struct mtw_txd *)(data->buf);
+	txd->len = htole16(len);
+	txd->flags = htole16(MTW_TXD_CMD | MTW_TXD_MCU |
+	    (cmd & 0x1f) << MTW_TXD_CMD_SHIFT | (sc->cmd_seq & 0xf));
+
+	memcpy(&txd[1], buf, len);
+	memset(&txd[1] + len, 0, MTW_DMA_PAD);
+	xferlen = len + sizeof(struct mtw_txd) + MTW_DMA_PAD;
+
+	usbd_setup_xfer(data->xfer, sc->txq[MTW_TXQ_MCU].pipeh,
+	    NULL, data->buf, xferlen,
+	    USBD_SHORT_XFER_OK | USBD_FORCE_SHORT_XFER | USBD_SYNCHRONOUS,
+	    MTW_TX_TIMEOUT, NULL);
+	return usbd_transfer(data->xfer);
+}
+
+/*
+ * Add `delta' (signed) to each 4-bit sub-word of a 32-bit word.
+ * Used to adjust per-rate Tx power registers.
+ */
+static __inline uint32_t
+b4inc(uint32_t b32, int8_t delta)
+{
+	int8_t i, b4;
+
+	for (i = 0; i < 8; i++) {
+		b4 = b32 & 0xf;
+		b4 += delta;
+		if (b4 < 0)
+			b4 = 0;
+		else if (b4 > 0xf)
+			b4 = 0xf;
+		b32 = b32 >> 4 | b4 << 28;
+	}
+	return b32;
+}
+
+const char *
+mtw_get_rf(int rev)
+{
+	switch (rev) {
+	case MT7601_RF_7601:	return "MT7601";
+	case MT7610_RF_7610:	return "MT7610";
+	case MT7612_RF_7612:	return "MT7612";
+	}
+	return "unknown";
+}
+
+void
+mtw_get_txpower(struct mtw_softc *sc)
+{
+	uint16_t val;
+	int i;
+
+	/* Read power settings for 2GHz channels. */
+	for (i = 0; i < 14; i += 2) {
+		mtw_srom_read(sc, MTW_EEPROM_PWR2GHZ_BASE1 + i / 2, &val);
+		sc->txpow1[i + 0] = (int8_t)(val & 0xff);
+		sc->txpow1[i + 1] = (int8_t)(val >> 8);
+		mtw_srom_read(sc, MTW_EEPROM_PWR2GHZ_BASE2 + i / 2, &val);
+		sc->txpow2[i + 0] = (int8_t)(val & 0xff);
+		sc->txpow2[i + 1] = (int8_t)(val >> 8);
+	}
+	/* Fix broken Tx power entries. */
+	for (i = 0; i < 14; i++) {
+		if (sc->txpow1[i] < 0 || sc->txpow1[i] > 27)
+			sc->txpow1[i] = 5;
+		if (sc->txpow2[i] < 0 || sc->txpow2[i] > 27)
+			sc->txpow2[i] = 5;
+		DPRINTF(("chan %d: power1=%d, power2=%d\n",
+		    mt7601_rf_chan[i].chan, sc->txpow1[i], sc->txpow2[i]));
+	}
+#if 0
+	/* Read power settings for 5GHz channels. */
+	for (i = 0; i < 40; i += 2) {
+		mtw_srom_read(sc, MTW_EEPROM_PWR5GHZ_BASE1 + i / 2, &val);
+		sc->txpow1[i + 14] = (int8_t)(val & 0xff);
+		sc->txpow1[i + 15] = (int8_t)(val >> 8);
+
+		mtw_srom_read(sc, MTW_EEPROM_PWR5GHZ_BASE2 + i / 2, &val);
+		sc->txpow2[i + 14] = (int8_t)(val & 0xff);
+		sc->txpow2[i + 15] = (int8_t)(val >> 8);
+	}
+	/* Fix broken Tx power entries. */
+	for (i = 0; i < 40; i++ ) {
+		if (sc->mac_ver != 0x5592) {
+			if (sc->txpow1[14 + i] < -7 || sc->txpow1[14 + i] > 15)
+				sc->txpow1[14 + i] = 5;
+			if (sc->txpow2[14 + i] < -7 || sc->txpow2[14 + i] > 15)
+				sc->txpow2[14 + i] = 5;
+		}
+		DPRINTF(("chan %d: power1=%d, power2=%d\n",
+		    mt7601_rf_chan[14 + i].chan, sc->txpow1[14 + i],
+		    sc->txpow2[14 + i]));
+	}
+#endif
+}
+
+int
+mtw_read_eeprom(struct mtw_softc *sc)
+{
+	struct ieee80211com *ic = &sc->sc_ic;
+	int8_t delta_2ghz, delta_5ghz;
+	uint16_t val;
+	int ridx, ant;
+
+	sc->sc_srom_read = mtw_efuse_read_2;
+
+	/* read RF information */
+	mtw_srom_read(sc, MTW_EEPROM_CHIPID, &val);
+	sc->rf_rev = val;
+	mtw_srom_read(sc, MTW_EEPROM_ANTENNA, &val);
+	sc->ntxchains = (val >> 4) & 0xf;
+	sc->nrxchains = val & 0xf;
+	DPRINTF(("EEPROM RF rev=0x%02x chains=%dT%dR\n",
+	    sc->rf_rev, sc->ntxchains, sc->nrxchains));
+
+	/* read ROM version */
+	mtw_srom_read(sc, MTW_EEPROM_VERSION, &val);
+	DPRINTF(("EEPROM rev=%d, FAE=%d\n", val & 0xff, val >> 8));
+
+	/* read MAC address */
+	mtw_srom_read(sc, MTW_EEPROM_MAC01, &val);
+	ic->ic_myaddr[0] = val & 0xff;
+	ic->ic_myaddr[1] = val >> 8;
+	mtw_srom_read(sc, MTW_EEPROM_MAC23, &val);
+	ic->ic_myaddr[2] = val & 0xff;
+	ic->ic_myaddr[3] = val >> 8;
+	mtw_srom_read(sc, MTW_EEPROM_MAC45, &val);
+	ic->ic_myaddr[4] = val & 0xff;
+	ic->ic_myaddr[5] = val >> 8;
+#if 0
+	printf("eFUSE ROM\n00: ");
+	for (int i = 0; i < 256; i++) {
+		if (((i % 8) == 0) && i > 0)
+			printf("\n%02x: ", i);
+		mtw_srom_read(sc, i, &val);
+		printf(" %04x", val);
+	}
+	printf("\n");
+#endif
+	/* check if RF supports automatic Tx access gain control */
+	mtw_srom_read(sc, MTW_EEPROM_CONFIG, &val);
+	DPRINTF(("EEPROM CFG 0x%04x\n", val));
+	if ((val & 0xff) != 0xff) {
+		sc->ext_5ghz_lna = (val >> 3) & 1;
+		sc->ext_2ghz_lna = (val >> 2) & 1;
+		/* check if RF supports automatic Tx access gain control */
+		sc->calib_2ghz = sc->calib_5ghz = (val >> 1) & 1;
+		/* check if we have a hardware radio switch */
+		sc->rfswitch = val & 1;
+	}
+
+	/* read RF frequency offset from EEPROM */
+	mtw_srom_read(sc, MTW_EEPROM_FREQ_OFFSET, &val);
+	if ((val & 0xff) != 0xff)
+		sc->rf_freq_offset = val;
+	else
+		sc->rf_freq_offset = 0;
+	DPRINTF(("frequency offset 0x%x\n", sc->rf_freq_offset));
+
+	/* Read Tx power settings. */
+	mtw_get_txpower(sc);
+
+	/* read Tx power compensation for each Tx rate */
+	mtw_srom_read(sc, MTW_EEPROM_DELTAPWR, &val);
+	delta_2ghz = delta_5ghz = 0;
+	if ((val & 0xff) != 0xff && (val & 0x80)) {
+		delta_2ghz = val & 0xf;
+		if (!(val & 0x40))	/* negative number */
+			delta_2ghz = -delta_2ghz;
+	}
+	val >>= 8;
+	if ((val & 0xff) != 0xff && (val & 0x80)) {
+		delta_5ghz = val & 0xf;
+		if (!(val & 0x40))	/* negative number */
+			delta_5ghz = -delta_5ghz;
+	}
+	DPRINTF(("power compensation=%d (2GHz), %d (5GHz)\n",
+	    delta_2ghz, delta_5ghz));
+
+	for (ridx = 0; ridx < 5; ridx++) {
+		uint32_t reg;
+
+		mtw_srom_read(sc, MTW_EEPROM_RPWR + ridx * 2, &val);
+		reg = val;
+		mtw_srom_read(sc, MTW_EEPROM_RPWR + ridx * 2 + 1, &val);
+		reg |= (uint32_t)val << 16;
+
+		sc->txpow20mhz[ridx] = reg;
+		sc->txpow40mhz_2ghz[ridx] = b4inc(reg, delta_2ghz);
+		sc->txpow40mhz_5ghz[ridx] = b4inc(reg, delta_5ghz);
+
+		DPRINTF(("ridx %d: power 20MHz=0x%08x, 40MHz/2GHz=0x%08x, "
+		    "40MHz/5GHz=0x%08x\n", ridx, sc->txpow20mhz[ridx],
+		    sc->txpow40mhz_2ghz[ridx], sc->txpow40mhz_5ghz[ridx]));
+	}
+
+	/* read RSSI offsets and LNA gains from EEPROM */
+	val = 0;
+	mtw_srom_read(sc, MTW_EEPROM_RSSI1_2GHZ, &val);
+	sc->rssi_2ghz[0] = val & 0xff;	/* Ant A */
+	sc->rssi_2ghz[1] = val >> 8;	/* Ant B */
+	mtw_srom_read(sc, MTW_EEPROM_RSSI2_2GHZ, &val);
+	/*
+	 * On RT3070 chips (limited to 2 Rx chains), this ROM
+	 * field contains the Tx mixer gain for the 2GHz band.
+	 */
+	if ((val & 0xff) != 0xff)
+		sc->txmixgain_2ghz = val & 0x7;
+	DPRINTF(("tx mixer gain=%u (2GHz)\n", sc->txmixgain_2ghz));
+	sc->lna[2] = val >> 8;		/* channel group 2 */
+	mtw_srom_read(sc, MTW_EEPROM_RSSI1_5GHZ, &val);
+	sc->rssi_5ghz[0] = val & 0xff;	/* Ant A */
+	sc->rssi_5ghz[1] = val >> 8;	/* Ant B */
+	mtw_srom_read(sc, MTW_EEPROM_RSSI2_5GHZ, &val);
+	sc->rssi_5ghz[2] = val & 0xff;	/* Ant C */
+
+	sc->lna[3] = val >> 8;		/* channel group 3 */
+
+	mtw_srom_read(sc, MTW_EEPROM_LNA, &val);
+	sc->lna[0] = val & 0xff;	/* channel group 0 */
+	sc->lna[1] = val >> 8;		/* channel group 1 */
+	DPRINTF(("LNA0 0x%x\n", sc->lna[0]));
+
+	/* fix broken 5GHz LNA entries */
+	if (sc->lna[2] == 0 || sc->lna[2] == 0xff) {
+		DPRINTF(("invalid LNA for channel group %d\n", 2));
+		sc->lna[2] = sc->lna[1];
+	}
+	if (sc->lna[3] == 0 || sc->lna[3] == 0xff) {
+		DPRINTF(("invalid LNA for channel group %d\n", 3));
+		sc->lna[3] = sc->lna[1];
+	}
+
+	/* fix broken RSSI offset entries */
+	for (ant = 0; ant < 3; ant++) {
+		if (sc->rssi_2ghz[ant] < -10 || sc->rssi_2ghz[ant] > 10) {
+			DPRINTF(("invalid RSSI%d offset: %d (2GHz)\n",
+			    ant + 1, sc->rssi_2ghz[ant]));
+			sc->rssi_2ghz[ant] = 0;
+		}
+		if (sc->rssi_5ghz[ant] < -10 || sc->rssi_5ghz[ant] > 10) {
+			DPRINTF(("invalid RSSI%d offset: %d (5GHz)\n",
+			    ant + 1, sc->rssi_5ghz[ant]));
+			sc->rssi_5ghz[ant] = 0;
+		}
+	}
+	return 0;
+}
+
+struct ieee80211_node *
+mtw_node_alloc(struct ieee80211com *ic)
+{
+	struct mtw_node *mn;
+
+	mn = malloc(sizeof (struct mtw_node), M_USBDEV, M_NOWAIT | M_ZERO);
+	return (struct ieee80211_node *)mn;
+}
+
+int
+mtw_media_change(struct ifnet *ifp)
+{
+	struct mtw_softc *sc = ifp->if_softc;
+	struct ieee80211com *ic = &sc->sc_ic;
+	uint8_t rate, ridx;
+	int error;
+
+	error = ieee80211_media_change(ifp);
+	if (error != ENETRESET)
+		return error;
+
+	if (ic->ic_fixed_rate != -1) {
+		rate = ic->ic_sup_rates[ic->ic_curmode].
+		    rs_rates[ic->ic_fixed_rate] & IEEE80211_RATE_VAL;
+		for (ridx = 0; ridx <= MTW_RIDX_MAX; ridx++)
+			if (rt2860_rates[ridx].rate == rate)
+				break;
+		sc->fixed_ridx = ridx;
+	}
+
+	if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) ==
+	    (IFF_UP | IFF_RUNNING)) {
+		mtw_stop(ifp, 0);
+		error = mtw_init(ifp);
+	}
+	return error;
+}
+
+void
+mtw_next_scan(void *arg)
+{
+	struct mtw_softc *sc = arg;
+	int s;
+
+	if (usbd_is_dying(sc->sc_udev))
+		return;
+
+	usbd_ref_incr(sc->sc_udev);
+
+	s = splnet();
+	if (sc->sc_ic.ic_state == IEEE80211_S_SCAN)
+		ieee80211_next_scan(&sc->sc_ic.ic_if);
+	splx(s);
+
+	usbd_ref_decr(sc->sc_udev);
+}
+
+void
+mtw_task(void *arg)
+{
+	struct mtw_softc *sc = arg;
+	struct mtw_host_cmd_ring *ring = &sc->cmdq;
+	struct mtw_host_cmd *cmd;
+	int s;
+
+	if (usbd_is_dying(sc->sc_udev))
+		return;
+
+	/* process host commands */
+	s = splusb();
+	while (ring->next != ring->cur) {
+		cmd = &ring->cmd[ring->next];
+		splx(s);
+		/* callback */
+		cmd->cb(sc, cmd->data);
+		s = splusb();
+		ring->queued--;
+		ring->next = (ring->next + 1) % MTW_HOST_CMD_RING_COUNT;
+	}
+	splx(s);
+}
+
+void
+mtw_do_async(struct mtw_softc *sc, void (*cb)(struct mtw_softc *, void *),
+    void *arg, int len)
+{
+	struct mtw_host_cmd_ring *ring = &sc->cmdq;
+	struct mtw_host_cmd *cmd;
+	int s;
+
+	if (usbd_is_dying(sc->sc_udev))
+		return;
+
+	s = splusb();
+	cmd = &ring->cmd[ring->cur];
+	cmd->cb = cb;
+	KASSERT(len <= sizeof (cmd->data));
+	memcpy(cmd->data, arg, len);
+	ring->cur = (ring->cur + 1) % MTW_HOST_CMD_RING_COUNT;
+
+	/* if there is no pending command already, schedule a task */
+	if (++ring->queued == 1)
+		usb_add_task(sc->sc_udev, &sc->sc_task);
+	splx(s);
+}
+
+int
+mtw_newstate(struct ieee80211com *ic, enum ieee80211_state nstate, int arg)
+{
+	struct mtw_softc *sc = ic->ic_softc;
+	struct mtw_cmd_newstate cmd;
+
+	/* do it in a process context */
+	cmd.state = nstate;
+	cmd.arg = arg;
+	mtw_do_async(sc, mtw_newstate_cb, &cmd, sizeof cmd);
+	return 0;
+}
+
+void	
+mtw_newstate_cb(struct mtw_softc *sc, void *arg)
+{
+	struct mtw_cmd_newstate *cmd = arg;
+	struct ieee80211com *ic = &sc->sc_ic;
+	enum ieee80211_state ostate;
+	struct ieee80211_node *ni;
+	uint32_t sta[3];
+	uint8_t wcid;
+	int s;
+
+	s = splnet();
+	ostate = ic->ic_state;
+
+	if (ostate == IEEE80211_S_RUN) {
+		/* turn link LED on */
+		mtw_set_leds(sc, MTW_LED_MODE_ON);
+	}
+
+	switch (cmd->state) {
+	case IEEE80211_S_INIT:
+		if (ostate == IEEE80211_S_RUN) {
+			/* abort TSF synchronization */
+			mtw_abort_tsf_sync(sc);
+		}
+		break;
+
+	case IEEE80211_S_SCAN:
+		mtw_set_chan(sc, ic->ic_bss->ni_chan);
+		if (!usbd_is_dying(sc->sc_udev))
+			timeout_add_msec(&sc->scan_to, 200);
+		break;
+
+	case IEEE80211_S_AUTH:
+	case IEEE80211_S_ASSOC:
+		mtw_set_chan(sc, ic->ic_bss->ni_chan);
+		break;
+
+	case IEEE80211_S_RUN:
+		mtw_set_chan(sc, ic->ic_bss->ni_chan);
+
+		ni = ic->ic_bss;
+
+		if (ic->ic_opmode != IEEE80211_M_MONITOR) {
+			mtw_updateslot(ic);
+			mtw_enable_mrr(sc);
+			mtw_set_txpreamble(sc);
+			mtw_set_basicrates(sc);
+			mtw_set_bssid(sc, ni->ni_bssid);
+		}
+		if (ic->ic_opmode == IEEE80211_M_STA) {
+			/* add BSS entry to the WCID table */
+			wcid = MTW_AID2WCID(ni->ni_associd);
+			mtw_write_region_1(sc, MTW_WCID_ENTRY(wcid),
+			    ni->ni_macaddr, IEEE80211_ADDR_LEN);
+
+			/* fake a join to init the tx rate */
+			mtw_newassoc(ic, ni, 1);
+		}
+		if (ic->ic_opmode != IEEE80211_M_MONITOR) {
+			mtw_enable_tsf_sync(sc);
+
+			/* clear statistic registers used by AMRR */
+			mtw_read_region_1(sc, MTW_TX_STA_CNT0,
+			    (uint8_t *)sta, sizeof sta);
+			/* start calibration timer */
+			if (!usbd_is_dying(sc->sc_udev))
+				timeout_add_sec(&sc->calib_to, 1);
+		}
+
+		/* turn link LED on */
+		mtw_set_leds(sc, MTW_LED_MODE_BLINK_TX);
+		break;
+	}
+	(void)sc->sc_newstate(ic, cmd->state, cmd->arg);
+	splx(s);
+}
+
+void
+mtw_updateedca(struct ieee80211com *ic)
+{
+	/* do it in a process context */
+	mtw_do_async(ic->ic_softc, mtw_updateedca_cb, NULL, 0);
+}
+
+/* ARGSUSED */
+void
+mtw_updateedca_cb(struct mtw_softc *sc, void *arg)
+{
+	struct ieee80211com *ic = &sc->sc_ic;
+	int s, aci;
+
+	s = splnet();
+	/* update MAC TX configuration registers */
+	for (aci = 0; aci < EDCA_NUM_AC; aci++) {
+		mtw_write(sc, MTW_EDCA_AC_CFG(aci),
+		    ic->ic_edca_ac[aci].ac_ecwmax << 16 |
+		    ic->ic_edca_ac[aci].ac_ecwmin << 12 |
+		    ic->ic_edca_ac[aci].ac_aifsn  <<  8 |
+		    ic->ic_edca_ac[aci].ac_txoplimit);
+	}
+
+	/* update SCH/DMA registers too */
+	mtw_write(sc, MTW_WMM_AIFSN_CFG,
+	    ic->ic_edca_ac[EDCA_AC_VO].ac_aifsn  << 12 |
+	    ic->ic_edca_ac[EDCA_AC_VI].ac_aifsn  <<  8 |
+	    ic->ic_edca_ac[EDCA_AC_BK].ac_aifsn  <<  4 |
+	    ic->ic_edca_ac[EDCA_AC_BE].ac_aifsn);
+	mtw_write(sc, MTW_WMM_CWMIN_CFG,
+	    ic->ic_edca_ac[EDCA_AC_VO].ac_ecwmin << 12 |
+	    ic->ic_edca_ac[EDCA_AC_VI].ac_ecwmin <<  8 |
+	    ic->ic_edca_ac[EDCA_AC_BK].ac_ecwmin <<  4 |
+	    ic->ic_edca_ac[EDCA_AC_BE].ac_ecwmin);
+	mtw_write(sc, MTW_WMM_CWMAX_CFG,
+	    ic->ic_edca_ac[EDCA_AC_VO].ac_ecwmax << 12 |
+	    ic->ic_edca_ac[EDCA_AC_VI].ac_ecwmax <<  8 |
+	    ic->ic_edca_ac[EDCA_AC_BK].ac_ecwmax <<  4 |
+	    ic->ic_edca_ac[EDCA_AC_BE].ac_ecwmax);
+	mtw_write(sc, MTW_WMM_TXOP0_CFG,
+	    ic->ic_edca_ac[EDCA_AC_BK].ac_txoplimit << 16 |
+	    ic->ic_edca_ac[EDCA_AC_BE].ac_txoplimit);
+	mtw_write(sc, MTW_WMM_TXOP1_CFG,
+	    ic->ic_edca_ac[EDCA_AC_VO].ac_txoplimit << 16 |
+	    ic->ic_edca_ac[EDCA_AC_VI].ac_txoplimit);
+	splx(s);
+}
+
+void
+mtw_updateslot(struct ieee80211com *ic)
+{
+	/* do it in a process context */
+	mtw_do_async(ic->ic_softc, mtw_updateslot_cb, NULL, 0);
+}
+
+/* ARGSUSED */
+void
+mtw_updateslot_cb(struct mtw_softc *sc, void *arg)
+{
+	uint32_t tmp;
+
+	mtw_read(sc, MTW_BKOFF_SLOT_CFG, &tmp);
+	tmp &= ~0xff;
+	tmp |= (sc->sc_ic.ic_flags & IEEE80211_F_SHSLOT) ?
+	    IEEE80211_DUR_DS_SHSLOT : IEEE80211_DUR_DS_SLOT;
+	mtw_write(sc, MTW_BKOFF_SLOT_CFG, tmp);
+}
+
+int
+mtw_set_key(struct ieee80211com *ic, struct ieee80211_node *ni,
+    struct ieee80211_key *k)
+{
+	struct mtw_softc *sc = ic->ic_softc;
+	struct mtw_cmd_key cmd;
+
+	/* defer setting of WEP keys until interface is brought up */
+	if ((ic->ic_if.if_flags & (IFF_UP | IFF_RUNNING)) !=
+	    (IFF_UP | IFF_RUNNING))
+		return 0;
+
+	/* do it in a process context */
+	cmd.key = *k;
+	cmd.ni = ni;
+	mtw_do_async(sc, mtw_set_key_cb, &cmd, sizeof cmd);
+	sc->sc_key_tasks++;
+	return EBUSY;
+}
+
+void
+mtw_set_key_cb(struct mtw_softc *sc, void *arg)
+{
+	struct ieee80211com *ic = &sc->sc_ic;
+	struct mtw_cmd_key *cmd = arg;
+	struct ieee80211_key *k = &cmd->key;
+	uint32_t attr;
+	uint16_t base;
+	uint8_t mode, wcid, iv[8];
+
+	sc->sc_key_tasks--;
+
+	/* map net80211 cipher to RT2860 security mode */
+	switch (k->k_cipher) {
+	case IEEE80211_CIPHER_WEP40:
+		mode = MTW_MODE_WEP40;
+		break;
+	case IEEE80211_CIPHER_WEP104:
+		mode = MTW_MODE_WEP104;
+		break;
+	case IEEE80211_CIPHER_TKIP:
+		mode = MTW_MODE_TKIP;
+		break;
+	case IEEE80211_CIPHER_CCMP:
+		mode = MTW_MODE_AES_CCMP;
+		break;
+	default:
+		if (cmd->ni != NULL) {
+			IEEE80211_SEND_MGMT(ic, cmd->ni,
+			    IEEE80211_FC0_SUBTYPE_DEAUTH,
+			    IEEE80211_REASON_AUTH_LEAVE);
+		}
+		ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
+		return;
+	}
+
+	if (k->k_flags & IEEE80211_KEY_GROUP) {
+		wcid = 0;	/* NB: update WCID0 for group keys */
+		base = MTW_SKEY(0, k->k_id);
+	} else {
+		wcid = (cmd->ni != NULL) ? MTW_AID2WCID(cmd->ni->ni_associd) : 0;
+		base = MTW_PKEY(wcid);
+	}
+
+	if (k->k_cipher == IEEE80211_CIPHER_TKIP) {
+		mtw_write_region_1(sc, base, k->k_key, 16);
+		mtw_write_region_1(sc, base + 16, &k->k_key[24], 8);
+		mtw_write_region_1(sc, base + 24, &k->k_key[16], 8);
+	} else {
+		/* roundup len to 16-bit: XXX fix write_region_1() instead */
+		mtw_write_region_1(sc, base, k->k_key, (k->k_len + 1) & ~1);
+	}
+
+	if (!(k->k_flags & IEEE80211_KEY_GROUP) ||
+	    (k->k_flags & IEEE80211_KEY_TX)) {
+		/* set initial packet number in IV+EIV */
+		if (k->k_cipher == IEEE80211_CIPHER_WEP40 ||
+		    k->k_cipher == IEEE80211_CIPHER_WEP104) {
+			memset(iv, 0, sizeof iv);
+			iv[3] = sc->sc_ic.ic_def_txkey << 6;
+		} else {
+			if (k->k_cipher == IEEE80211_CIPHER_TKIP) {
+				iv[0] = k->k_tsc >> 8;
+				iv[1] = (iv[0] | 0x20) & 0x7f;
+				iv[2] = k->k_tsc;
+			} else /* CCMP */ {
+				iv[0] = k->k_tsc;
+				iv[1] = k->k_tsc >> 8;
+				iv[2] = 0;
+			}
+			iv[3] = k->k_id << 6 | IEEE80211_WEP_EXTIV;
+			iv[4] = k->k_tsc >> 16;
+			iv[5] = k->k_tsc >> 24;
+			iv[6] = k->k_tsc >> 32;
+			iv[7] = k->k_tsc >> 40;
+		}
+		mtw_write_region_1(sc, MTW_IVEIV(wcid), iv, 8);
+	}
+
+	if (k->k_flags & IEEE80211_KEY_GROUP) {
+		/* install group key */
+		mtw_read(sc, MTW_SKEY_MODE_0_7, &attr);
+		attr &= ~(0xf << (k->k_id * 4));
+		attr |= mode << (k->k_id * 4);
+		mtw_write(sc, MTW_SKEY_MODE_0_7, attr);
+
+		if (k->k_cipher & (IEEE80211_CIPHER_WEP104 |
+		    IEEE80211_CIPHER_WEP40)) {
+			mtw_read(sc, MTW_WCID_ATTR(wcid + 1), &attr);
+			attr = (attr & ~0xf) | (mode << 1);
+			mtw_write(sc, MTW_WCID_ATTR(wcid + 1), attr);
+
+			mtw_set_region_4(sc, MTW_IVEIV(0), 0, 4);
+
+			mtw_read(sc, MTW_WCID_ATTR(wcid), &attr);
+			attr = (attr & ~0xf) | (mode << 1);
+			mtw_write(sc, MTW_WCID_ATTR(wcid), attr);
+		}
+	} else {
+		/* install pairwise key */
+		mtw_read(sc, MTW_WCID_ATTR(wcid), &attr);
+		attr = (attr & ~0xf) | (mode << 1) | MTW_RX_PKEY_EN;
+		mtw_write(sc, MTW_WCID_ATTR(wcid), attr);
+	}
+
+	if (sc->sc_key_tasks == 0) {
+		if (cmd->ni != NULL)
+			cmd->ni->ni_port_valid = 1;
+		ieee80211_set_link_state(ic, LINK_STATE_UP);
+	}
+}
+
+void
+mtw_delete_key(struct ieee80211com *ic, struct ieee80211_node *ni,
+    struct ieee80211_key *k)
+{
+	struct mtw_softc *sc = ic->ic_softc;
+	struct mtw_cmd_key cmd;
+
+	if (!(ic->ic_if.if_flags & IFF_RUNNING) ||
+	    ic->ic_state != IEEE80211_S_RUN)
+		return;	/* nothing to do */
+
+	/* do it in a process context */
+	cmd.key = *k;
+	cmd.ni = ni;
+	mtw_do_async(sc, mtw_delete_key_cb, &cmd, sizeof cmd);
+}
+
+void
+mtw_delete_key_cb(struct mtw_softc *sc, void *arg)
+{
+	struct mtw_cmd_key *cmd = arg;
+	struct ieee80211_key *k = &cmd->key;
+	uint32_t attr;
+	uint8_t wcid;
+
+	if (k->k_flags & IEEE80211_KEY_GROUP) {
+		/* remove group key */
+		mtw_read(sc, MTW_SKEY_MODE_0_7, &attr);
+		attr &= ~(0xf << (k->k_id * 4));
+		mtw_write(sc, MTW_SKEY_MODE_0_7, attr);
+
+	} else {
+		/* remove pairwise key */
+		wcid = (cmd->ni != NULL) ? MTW_AID2WCID(cmd->ni->ni_associd) : 0;
+		mtw_read(sc, MTW_WCID_ATTR(wcid), &attr);
+		attr &= ~0xf;
+		mtw_write(sc, MTW_WCID_ATTR(wcid), attr);
+	}
+}
+
+void
+mtw_calibrate_to(void *arg)
+{
+	/* do it in a process context */
+	mtw_do_async(arg, mtw_calibrate_cb, NULL, 0);
+	/* next timeout will be rescheduled in the calibration task */
+}
+
+/* ARGSUSED */
+void
+mtw_calibrate_cb(struct mtw_softc *sc, void *arg)
+{
+	struct ifnet *ifp = &sc->sc_ic.ic_if;
+	uint32_t sta[3];
+	int s, error;
+
+	/* read statistic counters (clear on read) and update AMRR state */
+	error = mtw_read_region_1(sc, MTW_TX_STA_CNT0, (uint8_t *)sta,
+	    sizeof sta);
+	if (error != 0)
+		goto skip;
+
+	DPRINTF(("retrycnt=%d txcnt=%d failcnt=%d\n",
+	    letoh32(sta[1]) >> 16, letoh32(sta[1]) & 0xffff,
+	    letoh32(sta[0]) & 0xffff));
+
+	s = splnet();
+	/* count failed TX as errors */
+	ifp->if_oerrors += letoh32(sta[0]) & 0xffff;
+
+	sc->amn.amn_retrycnt =
+	    (letoh32(sta[0]) & 0xffff) +	/* failed TX count */
+	    (letoh32(sta[1]) >> 16);		/* TX retransmission count */
+
+	sc->amn.amn_txcnt =
+	    sc->amn.amn_retrycnt +
+	    (letoh32(sta[1]) & 0xffff);		/* successful TX count */
+
+	ieee80211_amrr_choose(&sc->amrr, sc->sc_ic.ic_bss, &sc->amn);
+
+	splx(s);
+skip:
+	if (!usbd_is_dying(sc->sc_udev))
+		timeout_add_sec(&sc->calib_to, 1);
+}
+
+void
+mtw_newassoc(struct ieee80211com *ic, struct ieee80211_node *ni, int isnew)
+{
+	struct mtw_softc *sc = ic->ic_softc;
+	struct mtw_node *mn = (void *)ni;
+	struct ieee80211_rateset *rs = &ni->ni_rates;
+	uint8_t rate;
+	int ridx, i, j;
+
+	DPRINTF(("new assoc isnew=%d addr=%s\n",
+	    isnew, ether_sprintf(ni->ni_macaddr)));
+
+	ieee80211_amrr_node_init(&sc->amrr, &sc->amn);
+	
+	/* start at lowest available bit-rate, AMRR will raise */
+	ni->ni_txrate = 0;
+
+	for (i = 0; i < rs->rs_nrates; i++) {
+		rate = rs->rs_rates[i] & IEEE80211_RATE_VAL;
+		/* convert 802.11 rate to hardware rate index */
+		for (ridx = 0; ridx < MTW_RIDX_MAX; ridx++)
+			if (rt2860_rates[ridx].rate == rate)
+				break;
+		mn->ridx[i] = ridx;
+		/* determine rate of control response frames */
+		for (j = i; j >= 0; j--) {
+			if ((rs->rs_rates[j] & IEEE80211_RATE_BASIC) &&
+			    rt2860_rates[mn->ridx[i]].phy ==
+			    rt2860_rates[mn->ridx[j]].phy)
+				break;
+		}
+		if (j >= 0) {
+			mn->ctl_ridx[i] = mn->ridx[j];
+		} else {
+			/* no basic rate found, use mandatory one */
+			mn->ctl_ridx[i] = rt2860_rates[ridx].ctl_ridx;
+		}
+		DPRINTF(("rate=0x%02x ridx=%d ctl_ridx=%d\n",
+		    rs->rs_rates[i], mn->ridx[i], mn->ctl_ridx[i]));
+	}
+}
+
+/*
+ * Return the Rx chain with the highest RSSI for a given frame.
+ */
+static __inline uint8_t
+mtw_maxrssi_chain(struct mtw_softc *sc, const struct mtw_rxwi *rxwi)
+{
+	uint8_t rxchain = 0;
+
+	if (sc->nrxchains > 1) {
+		if (rxwi->rssi[1] > rxwi->rssi[rxchain])
+			rxchain = 1;
+	}
+	return rxchain;
+}
+
+void
+mtw_rx_frame(struct mtw_softc *sc, uint8_t *buf, int dmalen,
+    struct mbuf_list *ml)
+{
+	struct ieee80211com *ic = &sc->sc_ic;
+	struct ifnet *ifp = &ic->ic_if;
+	struct ieee80211_frame *wh;
+	struct ieee80211_rxinfo rxi;
+	struct ieee80211_node *ni;
+	struct mtw_rxwi *rxwi;
+	struct mbuf *m;
+	uint32_t flags;
+	uint16_t len;
+#if NBPFILTER > 0
+	uint16_t phy;
+#endif
+	uint16_t rxwisize;
+	uint8_t ant, rssi;
+	int s;
+
+	/* Rx Wireless Information */
+	rxwi = (struct mtw_rxwi *)(buf);
+	rxwisize = sizeof(struct mtw_rxwi);
+	len = letoh16(rxwi->len) & 0xfff;
+
+	if (__predict_false(len > dmalen)) {
+		DPRINTF(("bad RXWI length %u > %u\n", len, dmalen));
+		return;
+	}
+	if (len > MCLBYTES) {
+		DPRINTF(("frame too large (length=%d)\n", len));
+		ifp->if_ierrors++;
+		return;
+	}
+
+	flags = letoh32(rxwi->flags);
+	if (__predict_false(flags & (MTW_RX_CRCERR | MTW_RX_ICVERR))) {
+		ifp->if_ierrors++;
+		return;
+	}
+	if (__predict_false((flags & MTW_RX_MICERR))) {
+		/* report MIC failures to net80211 for TKIP */
+		ic->ic_stats.is_rx_locmicfail++;
+		ieee80211_michael_mic_failure(ic, 0/* XXX */);
+		ifp->if_ierrors++;
+		return;
+	}
+
+	wh = (struct ieee80211_frame *)(buf + rxwisize);
+	rxi.rxi_flags = 0;
+	if (wh->i_fc[1] & IEEE80211_FC1_PROTECTED) {
+		wh->i_fc[1] &= ~IEEE80211_FC1_PROTECTED;
+		rxi.rxi_flags |= IEEE80211_RXI_HWDEC;
+	}
+
+	if (flags & MTW_RX_L2PAD) {
+		u_int hdrlen = ieee80211_get_hdrlen(wh);
+		memmove((caddr_t)wh + 2, wh, hdrlen);
+		wh = (struct ieee80211_frame *)((caddr_t)wh + 2);
+	}
+
+	/* could use m_devget but net80211 wants contig mgmt frames */
+	MGETHDR(m, M_DONTWAIT, MT_DATA);
+	if (__predict_false(m == NULL)) {
+		ifp->if_ierrors++;
+		return;
+	}
+	if (len > MHLEN) {
+		MCLGET(m, M_DONTWAIT);
+		if (__predict_false(!(m->m_flags & M_EXT))) {
+			ifp->if_ierrors++;
+			m_freem(m);
+			return;
+		}
+	}
+	/* finalize mbuf */
+	memcpy(mtod(m, caddr_t), wh, len);
+	m->m_pkthdr.len = m->m_len = len;
+
+	ant = mtw_maxrssi_chain(sc, rxwi);
+	rssi = rxwi->rssi[ant];
+
+#if NBPFILTER > 0
+	if (__predict_false(sc->sc_drvbpf != NULL)) {
+		struct mtw_rx_radiotap_header *tap = &sc->sc_rxtap;
+		struct mbuf mb;
+
+		tap->wr_flags = 0;
+		tap->wr_chan_freq = htole16(ic->ic_ibss_chan->ic_freq);
+		tap->wr_chan_flags = htole16(ic->ic_ibss_chan->ic_flags);
+		tap->wr_antsignal = rssi;
+		tap->wr_antenna = ant;
+		tap->wr_dbm_antsignal = mtw_rssi2dbm(sc, rssi, ant);
+		tap->wr_rate = 2;	/* in case it can't be found below */
+		phy = letoh16(rxwi->phy);
+		switch (phy & MTW_PHY_MODE) {
+		case MTW_PHY_CCK:
+			switch ((phy & MTW_PHY_MCS) & ~MTW_PHY_SHPRE) {
+			case 0:	tap->wr_rate =   2; break;
+			case 1:	tap->wr_rate =   4; break;
+			case 2:	tap->wr_rate =  11; break;
+			case 3:	tap->wr_rate =  22; break;
+			}
+			if (phy & MTW_PHY_SHPRE)
+				tap->wr_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
+			break;
+		case MTW_PHY_OFDM:
+			switch (phy & MTW_PHY_MCS) {
+			case 0:	tap->wr_rate =  12; break;
+			case 1:	tap->wr_rate =  18; break;
+			case 2:	tap->wr_rate =  24; break;
+			case 3:	tap->wr_rate =  36; break;
+			case 4:	tap->wr_rate =  48; break;
+			case 5:	tap->wr_rate =  72; break;
+			case 6:	tap->wr_rate =  96; break;
+			case 7:	tap->wr_rate = 108; break;
+			}
+			break;
+		}
+		mb.m_data = (caddr_t)tap;
+		mb.m_len = sc->sc_rxtap_len;
+		mb.m_next = m;
+		mb.m_nextpkt = NULL;
+		mb.m_type = 0;
+		mb.m_flags = 0;
+		bpf_mtap(sc->sc_drvbpf, &mb, BPF_DIRECTION_IN);
+	}
+#endif
+
+	s = splnet();
+	ni = ieee80211_find_rxnode(ic, wh);
+	rxi.rxi_rssi = rssi;
+	rxi.rxi_tstamp = 0;	/* unused */
+	ieee80211_inputm(ifp, m, ni, &rxi, ml);
+
+	/* node is no longer needed */
+	ieee80211_release_node(ic, ni);
+	splx(s);
+}
+
+void
+mtw_rxeof(struct usbd_xfer *xfer, void *priv, usbd_status status)
+{
+	struct mbuf_list ml = MBUF_LIST_INITIALIZER();
+	struct mtw_rx_data *data = priv;
+	struct mtw_softc *sc = data->sc;
+	uint8_t *buf;
+	uint32_t dmalen;
+	int xferlen;
+
+	if (__predict_false(status != USBD_NORMAL_COMPLETION)) {
+		DPRINTF(("RX status=%d\n", status));
+		if (status == USBD_STALLED)
+			usbd_clear_endpoint_stall_async(sc->rxq[0].pipeh);
+		if (status != USBD_CANCELLED)
+			goto skip;
+		return;
+	}
+
+	usbd_get_xfer_status(xfer, NULL, NULL, &xferlen, NULL);
+
+	if (__predict_false(xferlen < sizeof(uint32_t) +
+	    sizeof (struct mtw_rxwi) + sizeof(struct mtw_rxd))) {
+		DPRINTF(("RX xfer too short %d\n", xferlen));
+		goto skip;
+	}
+
+	/* HW can aggregate multiple 802.11 frames in a single USB xfer */
+	buf = data->buf;
+	while (xferlen > 8) {
+		dmalen = letoh32(*(uint32_t *)buf) & MTW_RXD_LEN;
+		if (__predict_false(dmalen == 0 || (dmalen & 3) != 0)) {
+			DPRINTF(("bad DMA length %u\n", dmalen));
+			break;
+		}
+		if (__predict_false(dmalen + 8 > xferlen)) {
+			DPRINTF(("bad DMA length %u > %d\n",
+			    dmalen + 8, xferlen));
+			break;
+		}
+		mtw_rx_frame(sc, buf + sizeof(struct mtw_rxd), dmalen, &ml);
+		buf += dmalen + 8;
+		xferlen -= dmalen + 8;
+	}
+	if_input(&sc->sc_ic.ic_if, &ml);
+
+skip:	/* setup a new transfer */
+	usbd_setup_xfer(xfer, sc->rxq[0].pipeh, data, data->buf, MTW_MAX_RXSZ,
+	    USBD_SHORT_XFER_OK | USBD_NO_COPY, USBD_NO_TIMEOUT, mtw_rxeof);
+	(void)usbd_transfer(data->xfer);
+}
+
+void
+mtw_txeof(struct usbd_xfer *xfer, void *priv, usbd_status status)
+{
+	struct mtw_tx_data *data = priv;
+	struct mtw_softc *sc = data->sc;
+	struct mtw_tx_ring *txq = &sc->txq[data->qid];
+	struct ifnet *ifp = &sc->sc_ic.ic_if;
+	int s;
+
+	if (usbd_is_dying(sc->sc_udev))
+		return;
+
+	s = splnet();
+	txq->queued--;
+	sc->qfullmsk &= ~(1 << data->qid);
+
+	if (__predict_false(status != USBD_NORMAL_COMPLETION)) {
+		DPRINTF(("TX status=%d\n", status));
+		if (status == USBD_STALLED)
+			usbd_clear_endpoint_stall_async(txq->pipeh);
+		ifp->if_oerrors++;
+		splx(s);
+		return;
+	}
+
+	sc->sc_tx_timer = 0;
+
+	if (ifq_is_oactive(&ifp->if_snd)) {
+		ifq_clr_oactive(&ifp->if_snd);
+		mtw_start(ifp);
+	}
+
+	splx(s);
+}
+
+int
+mtw_tx(struct mtw_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
+{
+	struct ieee80211com *ic = &sc->sc_ic;
+	struct mtw_node *mn = (void *)ni;
+	struct ieee80211_frame *wh;
+	struct mtw_tx_ring *ring;
+	struct mtw_tx_data *data;
+	struct mtw_txd *txd;
+	struct mtw_txwi *txwi;
+	uint16_t qos, dur;
+	uint16_t txwisize;
+	uint8_t type, mcs, tid, qid;
+	int error, hasqos, ridx, ctl_ridx, xferlen;
+
+	wh = mtod(m, struct ieee80211_frame *);
+	type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
+
+	/* select queue */
+	if ((hasqos = ieee80211_has_qos(wh))) {
+		qos = ieee80211_get_qos(wh);
+		tid = qos & IEEE80211_QOS_TID;
+		qid = ieee80211_up_to_ac(ic, tid);
+	} else {
+		qos = 0;
+		tid = 0;
+		qid = EDCA_AC_BE;
+	}
+
+	/* management frames go to MCU queue */
+	if (type == IEEE80211_FC0_TYPE_MGT)
+		qid = MTW_TXQ_MCU;
+
+	ring = &sc->txq[qid];
+	data = &ring->data[ring->cur];
+
+	/* pickup a rate index */
+	if (IEEE80211_IS_MULTICAST(wh->i_addr1) ||
+	    type != IEEE80211_FC0_TYPE_DATA) {
+		ridx = (ic->ic_curmode == IEEE80211_MODE_11A) ?
+		    MTW_RIDX_OFDM6 : MTW_RIDX_CCK1;
+		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
+	} else if (ic->ic_fixed_rate != -1) {
+		ridx = sc->fixed_ridx;
+		ctl_ridx = rt2860_rates[ridx].ctl_ridx;
+	} else {
+		ridx = mn->ridx[ni->ni_txrate];
+		ctl_ridx = mn->ctl_ridx[ni->ni_txrate];
+	}
+
+	txwisize = sizeof(struct mtw_txwi);
+	xferlen = txwisize + m->m_pkthdr.len;
+
+	/* roundup to 32-bit alignment */
+	xferlen = (xferlen + 3) & ~3;
+
+	/* setup TX descriptor */
+	txd = (struct mtw_txd *)data->buf;
+	txd->flags = htole16(MTW_TXD_DATA | MTW_TXD_80211 |
+	    MTW_TXD_WLAN | MTW_TXD_QSEL_EDCA);
+
+	if (type != IEEE80211_FC0_TYPE_DATA)
+		txd->flags |= htole16(MTW_TXD_WIV);
+	txd->len = htole16(xferlen);
+	xferlen += sizeof(struct mtw_txd);
+
+	/* get MCS code from rate index */
+	mcs = rt2860_rates[ridx].mcs;
+
+	/* setup TX Wireless Information */
+	txwi = (struct mtw_txwi *)(txd + 1);
+	txwi->flags = 0;
+	txwi->xflags = hasqos ? 0 : MTW_TX_NSEQ;
+	txwi->wcid = (type == IEEE80211_FC0_TYPE_DATA) ?
+	    MTW_AID2WCID(ni->ni_associd) : 0xff;
+	txwi->len = htole16(m->m_pkthdr.len);
+	txwi->txop = MTW_TX_TXOP_BACKOFF;
+
+	if (rt2860_rates[ridx].phy == IEEE80211_T_DS) {
+		txwi->phy = htole16(MTW_PHY_CCK);
+		if (ridx != MTW_RIDX_CCK1 &&
+		    (ic->ic_flags & IEEE80211_F_SHPREAMBLE))
+			mcs |= MTW_PHY_SHPRE;
+	} else if (rt2860_rates[ridx].phy == IEEE80211_T_OFDM)
+		txwi->phy = htole16(MTW_PHY_OFDM);
+	txwi->phy |= htole16(mcs);
+
+	if (!IEEE80211_IS_MULTICAST(wh->i_addr1) &&
+	    (!hasqos || (qos & IEEE80211_QOS_ACK_POLICY_MASK) !=
+	     IEEE80211_QOS_ACK_POLICY_NOACK)) {
+		txwi->xflags |= MTW_TX_ACK;
+		if (ic->ic_flags & IEEE80211_F_SHPREAMBLE)
+			dur = rt2860_rates[ctl_ridx].sp_ack_dur;
+		else
+			dur = rt2860_rates[ctl_ridx].lp_ack_dur;
+		*(uint16_t *)wh->i_dur = htole16(dur);
+	}
+
+#if NBPFILTER > 0
+	if (__predict_false(sc->sc_drvbpf != NULL)) {
+		struct mtw_tx_radiotap_header *tap = &sc->sc_txtap;
+		struct mbuf mb;
+
+		tap->wt_flags = 0;
+		tap->wt_rate = rt2860_rates[ridx].rate;
+		tap->wt_chan_freq = htole16(ic->ic_bss->ni_chan->ic_freq);
+		tap->wt_chan_flags = htole16(ic->ic_bss->ni_chan->ic_flags);
+		if (mcs & MTW_PHY_SHPRE)
+			tap->wt_flags |= IEEE80211_RADIOTAP_F_SHORTPRE;
+
+		mb.m_data = (caddr_t)tap;
+		mb.m_len = sc->sc_txtap_len;
+		mb.m_next = m;
+		mb.m_nextpkt = NULL;
+		mb.m_type = 0;
+		mb.m_flags = 0;
+		bpf_mtap(sc->sc_drvbpf, &mb, BPF_DIRECTION_OUT);
+	}
+#endif
+	/* copy payload */
+	m_copydata(m, 0, m->m_pkthdr.len, (caddr_t)txwi + txwisize);
+	m_freem(m);
+
+	/* 4-byte pad */
+	memset(data->buf + xferlen, 0, MTW_DMA_PAD);
+	xferlen += MTW_DMA_PAD;
+
+	usbd_setup_xfer(data->xfer, ring->pipeh, data, data->buf,
+	    xferlen, USBD_FORCE_SHORT_XFER | USBD_NO_COPY,
+	    MTW_TX_TIMEOUT, mtw_txeof);
+	error = usbd_transfer(data->xfer);
+	if (__predict_false(error != USBD_IN_PROGRESS && error != 0))
+		return error;
+
+	ieee80211_release_node(ic, ni);
+
+	ring->cur = (ring->cur + 1) % MTW_TX_RING_COUNT;
+	if (++ring->queued >= MTW_TX_RING_COUNT)
+		sc->qfullmsk |= 1 << qid;
+	return 0;
+}
+
+void
+mtw_start(struct ifnet *ifp)
+{
+	struct mtw_softc *sc = ifp->if_softc;
+	struct ieee80211com *ic = &sc->sc_ic;
+	struct ieee80211_node *ni;
+	struct mbuf *m;
+
+	if (!(ifp->if_flags & IFF_RUNNING) || ifq_is_oactive(&ifp->if_snd))
+		return;
+
+	for (;;) {
+		if (sc->qfullmsk != 0) {
+			ifq_set_oactive(&ifp->if_snd);
+			break;
+		}
+
+		/* send pending management frames first */
+		m = mq_dequeue(&ic->ic_mgtq);
+		if (m != NULL) {
+			ni = m->m_pkthdr.ph_cookie;
+			goto sendit;
+		}
+		if (ic->ic_state != IEEE80211_S_RUN)
+			break;
+
+		/* encapsulate and send data frames */
+		m = ifq_dequeue(&ifp->if_snd);
+		if (m == NULL)
+			break;
+#if NBPFILTER > 0
+		if (ifp->if_bpf != NULL)
+			bpf_mtap(ifp->if_bpf, m, BPF_DIRECTION_OUT);
+#endif
+		if ((m = ieee80211_encap(ifp, m, &ni)) == NULL)
+			continue;
+sendit:
+#if NBPFILTER > 0
+		if (ic->ic_rawbpf != NULL)
+			bpf_mtap(ic->ic_rawbpf, m, BPF_DIRECTION_OUT);
+#endif
+		if (mtw_tx(sc, m, ni) != 0) {
+			ieee80211_release_node(ic, ni);
+			ifp->if_oerrors++;
+			continue;
+		}
+
+		sc->sc_tx_timer = 5;
+		ifp->if_timer = 1;
+	}
+}
+
+void
+mtw_watchdog(struct ifnet *ifp)
+{
+	struct mtw_softc *sc = ifp->if_softc;
+
+	ifp->if_timer = 0;
+
+	if (sc->sc_tx_timer > 0) {
+		if (--sc->sc_tx_timer == 0) {
+			printf("%s: device timeout\n", sc->sc_dev.dv_xname);
+			/* mtw_init(ifp); XXX needs a process context! */
+			ifp->if_oerrors++;
+			return;
+		}
+		ifp->if_timer = 1;
+	}
+
+	ieee80211_watchdog(ifp);
+}
+
+int
+mtw_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
+{
+	struct mtw_softc *sc = ifp->if_softc;
+	struct ieee80211com *ic = &sc->sc_ic;
+	int s, error = 0;
+
+	if (usbd_is_dying(sc->sc_udev))
+		return ENXIO;
+
+	usbd_ref_incr(sc->sc_udev);
+
+	s = splnet();
+
+	switch (cmd) {
+	case SIOCSIFADDR:
+		ifp->if_flags |= IFF_UP;
+		/* FALLTHROUGH */
+	case SIOCSIFFLAGS:
+		if (ifp->if_flags & IFF_UP) {
+			if (!(ifp->if_flags & IFF_RUNNING))
+				mtw_init(ifp);
+		} else {
+			if (ifp->if_flags & IFF_RUNNING)
+				mtw_stop(ifp, 1);
+		}
+		break;
+
+	case SIOCS80211CHANNEL:
+		/*
+		 * This allows for fast channel switching in monitor mode
+		 * (used by kismet).
+		 */
+		error = ieee80211_ioctl(ifp, cmd, data);
+		if (error == ENETRESET &&
+		    ic->ic_opmode == IEEE80211_M_MONITOR) {
+			if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) ==
+			    (IFF_UP | IFF_RUNNING))
+				mtw_set_chan(sc, ic->ic_ibss_chan);
+			error = 0;
+		}
+		break;
+
+	default:
+		error = ieee80211_ioctl(ifp, cmd, data);
+	}
+
+	if (error == ENETRESET) {
+		if ((ifp->if_flags & (IFF_UP | IFF_RUNNING)) ==
+		    (IFF_UP | IFF_RUNNING)) {
+			mtw_stop(ifp, 0);
+			error = mtw_init(ifp);
+		} else
+			error = 0;
+	}
+	splx(s);
+
+	usbd_ref_decr(sc->sc_udev);
+
+	return error;
+}
+
+void
+mtw_select_chan_group(struct mtw_softc *sc, int group)
+{
+	uint32_t tmp;
+	uint8_t bbp;
+
+	/* Tx band 20MHz 2G */
+	mtw_read(sc, MTW_TX_BAND_CFG, &tmp);
+	tmp &= ~(MTW_TX_BAND_SEL_2G | MTW_TX_BAND_SEL_5G |
+	    MTW_TX_BAND_UPPER_40M);
+	tmp |= (group == 0) ? MTW_TX_BAND_SEL_2G : MTW_TX_BAND_SEL_5G;
+	mtw_write(sc, MTW_TX_BAND_CFG, tmp);
+
+	/* select 20 MHz bandwidth */
+	mtw_bbp_read(sc, 4, &bbp);
+	bbp &= ~0x18;
+	bbp |= 0x40;
+	mtw_bbp_write(sc, 4, bbp);
+
+	/* calibrate BBP */
+	mtw_bbp_write(sc, 69, 0x12);
+	mtw_bbp_write(sc, 91, 0x07);
+	mtw_bbp_write(sc, 195, 0x23);
+	mtw_bbp_write(sc, 196, 0x17);
+	mtw_bbp_write(sc, 195, 0x24);
+	mtw_bbp_write(sc, 196, 0x06);
+	mtw_bbp_write(sc, 195, 0x81);
+	mtw_bbp_write(sc, 196, 0x12);
+	mtw_bbp_write(sc, 195, 0x83);
+	mtw_bbp_write(sc, 196, 0x17);
+	mtw_rf_write(sc, 5, 8, 0x00);
+	mtw_mcu_calibrate(sc, 0x6, 0x10001);
+
+	/* set initial AGC value */
+	mt7601_set_agc(sc, 0x14);
+}
+
+void
+mt7601_set_agc(struct mtw_softc *sc, uint8_t agc)
+{
+	uint8_t bbp;
+
+	mtw_bbp_write(sc, 66, agc);
+	mtw_bbp_write(sc, 195, 0x87);
+	bbp = (agc & 0xf0) | 0x08;
+	mtw_bbp_write(sc, 196, bbp);
+}
+
+void
+mt7601_set_chan(struct mtw_softc *sc, u_int chan)
+{
+	uint32_t tmp;
+	uint8_t bbp, rf, txpow1;
+	int i;
+
+	/* find the settings for this channel */
+	for (i = 0; mt7601_rf_chan[i].chan != chan; i++)
+
+	mtw_rf_write(sc, 0, 17, mt7601_rf_chan[i].r17);
+	mtw_rf_write(sc, 0, 18, mt7601_rf_chan[i].r18);
+	mtw_rf_write(sc, 0, 19, mt7601_rf_chan[i].r19);
+	mtw_rf_write(sc, 0, 20, mt7601_rf_chan[i].r20);
+
+	/* use Tx power values from EEPROM */
+	txpow1 = sc->txpow1[i];
+
+	/* Tx automatic level control */
+	mtw_read(sc, MTW_TX_ALC_CFG0, &tmp);
+	tmp &= ~0x3f3f;
+	tmp |= (txpow1 & 0x3f);
+	mtw_write(sc, MTW_TX_ALC_CFG0, tmp);
+
+	/* LNA */
+	mtw_bbp_write(sc, 62, 0x37 - sc->lna[0]);
+	mtw_bbp_write(sc, 63, 0x37 - sc->lna[0]);
+	mtw_bbp_write(sc, 64, 0x37 - sc->lna[0]);
+
+	/* VCO calibration */
+	mtw_rf_write(sc, 0, 4, 0x0a);
+	mtw_rf_write(sc, 0, 5, 0x20);
+	mtw_rf_read(sc, 0, 4, &rf);
+	mtw_rf_write(sc, 0, 4, rf | 0x80);
+
+	/* select 20 MHz bandwidth */
+	mtw_bbp_read(sc, 4, &bbp);
+	bbp &= ~0x18;
+	bbp |= 0x40;
+	mtw_bbp_write(sc, 4, bbp);
+	mtw_bbp_write(sc, 178, 0xff);
+}
+
+int
+mtw_set_chan(struct mtw_softc *sc, struct ieee80211_channel *c)
+{
+	struct ieee80211com *ic = &sc->sc_ic;
+	u_int chan, group;
+
+	chan = ieee80211_chan2ieee(ic, c);
+	if (chan == 0 || chan == IEEE80211_CHAN_ANY)
+		return EINVAL;
+
+	/* determine channel group */
+	if (chan <= 14)
+		group = 0;
+	else if (chan <= 64)
+		group = 1;
+	else if (chan <= 128)
+		group = 2;
+	else
+		group = 3;
+
+	if (group != sc->sc_chan_group || !sc->sc_bw_calibrated)
+		mtw_select_chan_group(sc, group);
+
+	sc->sc_chan_group = group;
+
+	/* chipset specific */
+	if (sc->mac_ver == 0x7601)
+		mt7601_set_chan(sc, chan);
+
+	DELAY(1000);
+	return 0;
+}
+
+void
+mtw_enable_tsf_sync(struct mtw_softc *sc)
+{
+	struct ieee80211com *ic = &sc->sc_ic;
+	uint32_t tmp;
+
+	mtw_read(sc, MTW_BCN_TIME_CFG, &tmp);
+	tmp &= ~0x1fffff;
+	tmp |= ic->ic_bss->ni_intval * 16;
+	tmp |= MTW_TSF_TIMER_EN | MTW_TBTT_TIMER_EN;
+
+	/* local TSF is always updated with remote TSF on beacon reception */
+	tmp |= 1 << MTW_TSF_SYNC_MODE_SHIFT;
+	mtw_write(sc, MTW_BCN_TIME_CFG, tmp);
+}
+
+void
+mtw_abort_tsf_sync(struct mtw_softc *sc)
+{
+	uint32_t tmp;
+
+	mtw_read(sc, MTW_BCN_TIME_CFG, &tmp);
+	tmp &= ~(MTW_BCN_TX_EN | MTW_TSF_TIMER_EN | MTW_TBTT_TIMER_EN);
+	mtw_write(sc, MTW_BCN_TIME_CFG, tmp);
+}
+
+void
+mtw_enable_mrr(struct mtw_softc *sc)
+{
+#define CCK(mcs)	(mcs)
+#define OFDM(mcs)	(1 << 3 | (mcs))
+	mtw_write(sc, MTW_LG_FBK_CFG0,
+	    OFDM(6) << 28 |	/* 54->48 */
+	    OFDM(5) << 24 |	/* 48->36 */
+	    OFDM(4) << 20 |	/* 36->24 */
+	    OFDM(3) << 16 |	/* 24->18 */
+	    OFDM(2) << 12 |	/* 18->12 */
+	    OFDM(1) <<  8 |	/* 12-> 9 */
+	    OFDM(0) <<  4 |	/*  9-> 6 */
+	    OFDM(0));		/*  6-> 6 */
+
+	mtw_write(sc, MTW_LG_FBK_CFG1,
+	    CCK(2) << 12 |	/* 11->5.5 */
+	    CCK(1) <<  8 |	/* 5.5-> 2 */
+	    CCK(0) <<  4 |	/*   2-> 1 */
+	    CCK(0));		/*   1-> 1 */
+#undef OFDM
+#undef CCK
+}
+
+void
+mtw_set_txrts(struct mtw_softc *sc)
+{
+	uint32_t tmp;
+
+	/* set RTS threshold */
+	mtw_read(sc, MTW_TX_RTS_CFG, &tmp);
+	tmp &= ~0xffff00;
+	tmp |= 0x1000 << MTW_RTS_THRES_SHIFT;
+	mtw_write(sc, MTW_TX_RTS_CFG, tmp);
+}
+
+void
+mtw_set_txpreamble(struct mtw_softc *sc)
+{
+	uint32_t tmp;
+
+	mtw_read(sc, MTW_AUTO_RSP_CFG, &tmp);
+	if (sc->sc_ic.ic_flags & IEEE80211_F_SHPREAMBLE)
+		tmp |= MTW_CCK_SHORT_EN;
+	else
+		tmp &= ~MTW_CCK_SHORT_EN;
+	mtw_write(sc, MTW_AUTO_RSP_CFG, tmp);
+}
+
+void
+mtw_set_basicrates(struct mtw_softc *sc)
+{
+	struct ieee80211com *ic = &sc->sc_ic;
+
+	/* set basic rates mask */
+	if (ic->ic_curmode == IEEE80211_MODE_11B)
+		mtw_write(sc, MTW_LEGACY_BASIC_RATE, 0x003);
+	else if (ic->ic_curmode == IEEE80211_MODE_11A)
+		mtw_write(sc, MTW_LEGACY_BASIC_RATE, 0x150);
+	else	/* 11g */
+		mtw_write(sc, MTW_LEGACY_BASIC_RATE, 0x17f);
+}
+
+void
+mtw_set_leds(struct mtw_softc *sc, uint16_t which)
+{
+	struct mtw_mcu_cmd_8 cmd;
+
+	cmd.func = htole32(0x1);
+	cmd.val = htole32(which);
+	mtw_mcu_cmd(sc, 16, &cmd, sizeof(struct mtw_mcu_cmd_8));
+}
+
+void
+mtw_set_bssid(struct mtw_softc *sc, const uint8_t *bssid)
+{
+	mtw_write(sc, MTW_MAC_BSSID_DW0,
+	    bssid[0] | bssid[1] << 8 | bssid[2] << 16 | bssid[3] << 24);
+	mtw_write(sc, MTW_MAC_BSSID_DW1,
+	    bssid[4] | bssid[5] << 8);
+}
+
+void
+mtw_set_macaddr(struct mtw_softc *sc, const uint8_t *addr)
+{
+	mtw_write(sc, MTW_MAC_ADDR_DW0,
+	    addr[0] | addr[1] << 8 | addr[2] << 16 | addr[3] << 24);
+	mtw_write(sc, MTW_MAC_ADDR_DW1,
+	    addr[4] | addr[5] << 8 | 0xff << 16);
+}
+
+#if NBPFILTER > 0
+int8_t
+mtw_rssi2dbm(struct mtw_softc *sc, uint8_t rssi, uint8_t rxchain)
+{
+	struct ieee80211com *ic = &sc->sc_ic;
+	struct ieee80211_channel *c = ic->ic_ibss_chan;
+	int delta;
+
+	if (IEEE80211_IS_CHAN_5GHZ(c)) {
+		u_int chan = ieee80211_chan2ieee(ic, c);
+		delta = sc->rssi_5ghz[rxchain];
+
+		/* determine channel group */
+		if (chan <= 64)
+			delta -= sc->lna[1];
+		else if (chan <= 128)
+			delta -= sc->lna[2];
+		else
+			delta -= sc->lna[3];
+	} else
+		delta = sc->rssi_2ghz[rxchain] - sc->lna[0];
+
+	return -12 - delta - rssi;
+}
+#endif
+
+int
+mt7601_bbp_init(struct mtw_softc *sc)
+{
+	uint8_t bbp;
+	int i, error, ntries;
+
+	/* wait for BBP to wake up */
+	for (ntries = 0; ntries < 20; ntries++) {
+		if ((error = mtw_bbp_read(sc, 0, &bbp)) != 0)
+			return error;
+		if (bbp != 0 && bbp != 0xff)
+			break;
+	}
+
+	if (ntries == 20)
+		return ETIMEDOUT;
+
+	mtw_bbp_read(sc, 3, &bbp);
+	mtw_bbp_write(sc, 3, 0);
+	mtw_bbp_read(sc, 105, &bbp);
+	mtw_bbp_write(sc, 105, 0);
+
+	/* initialize BBP registers to default values */
+	for (i = 0; i < nitems(mt7601_def_bbp); i++) {
+		if ((error = mtw_bbp_write(sc, mt7601_def_bbp[i].reg,
+		    mt7601_def_bbp[i].val)) != 0)
+			return error;
+	}
+
+	sc->sc_bw_calibrated = 0;
+
+	return 0;
+}
+
+int
+mt7601_rf_init(struct mtw_softc *sc)
+{
+	int i, error;
+
+	/* RF bank 0 */
+	for (i = 0; i < nitems(mt7601_rf_bank0); i++) {
+		error = mtw_rf_write(sc, 0, mt7601_rf_bank0[i].reg,
+		    mt7601_rf_bank0[i].val);
+		if (error != 0)
+			return error;
+	}
+	/* RF bank 4 */
+	for (i = 0; i < nitems(mt7601_rf_bank4); i++) {
+		error = mtw_rf_write(sc, 4, mt7601_rf_bank4[i].reg,
+		    mt7601_rf_bank4[i].val);
+		if (error != 0)
+			return error;
+	}
+	/* RF bank 5 */
+	for (i = 0; i < nitems(mt7601_rf_bank5); i++) {
+		error = mtw_rf_write(sc, 5, mt7601_rf_bank5[i].reg,
+		    mt7601_rf_bank5[i].val);
+		if (error != 0)
+			return error;
+	}
+	return 0;
+}
+
+int
+mt7601_rf_setup(struct mtw_softc *sc)
+{
+	uint32_t tmp;
+	uint8_t rf;
+	int error;
+
+	if (sc->sc_rf_calibrated)
+		return 0;
+
+	/* init RF registers */
+	if ((error = mt7601_rf_init(sc)) != 0)
+		return error;
+
+	/* init frequency offset */
+	mtw_rf_write(sc, 0, 12, sc->rf_freq_offset);
+	mtw_rf_read(sc, 0, 12, &rf);
+
+	/* read temperature */
+	mt7601_rf_temperature(sc, &rf);
+	sc->bbp_temp = rf;
+	DPRINTF(("BBP temp 0x%x ", rf));
+
+	mtw_rf_read(sc, 0, 7, &rf);
+	if ((error = mtw_mcu_calibrate(sc, 0x1, 0)) != 0)
+		return error;
+	usbd_delay_ms(sc->sc_udev, 100);
+	mtw_rf_read(sc, 0, 7, &rf);
+
+	/* Calibrate VCO RF 0/4 */
+	mtw_rf_write(sc, 0, 4, 0x0a);
+	mtw_rf_write(sc, 0, 4, 0x20);
+	mtw_rf_read(sc, 0, 4, &rf);
+	mtw_rf_write(sc, 0, 4, rf | 0x80);
+
+	if ((error = mtw_mcu_calibrate(sc, 0x9, 0)) != 0)
+		return error;
+	if ((error = mt7601_rxdc_cal(sc)) != 0)
+		return error;
+	if ((error = mtw_mcu_calibrate(sc, 0x6, 1)) != 0)
+		return error;
+	if ((error = mtw_mcu_calibrate(sc, 0x6, 0)) != 0)
+		return error;
+	if ((error = mtw_mcu_calibrate(sc, 0x4, 0)) != 0)
+		return error;
+	if ((error = mtw_mcu_calibrate(sc, 0x5, 0)) != 0)
+		return error;
+
+	mtw_read(sc, MTW_LDO_CFG0, &tmp);
+	tmp &= ~(1 << 4);
+	tmp |= (1 << 2);
+	mtw_write(sc, MTW_LDO_CFG0, tmp);
+
+	if ((error = mtw_mcu_calibrate(sc, 0x8, 0)) != 0)
+		return error;
+	if ((error = mt7601_rxdc_cal(sc)) != 0)
+		return error;
+
+	sc->sc_rf_calibrated = 1;
+	return 0;
+}
+
+int
+mt7601_rf_temperature(struct mtw_softc *sc, int8_t *val)
+{
+	uint32_t rfb, rfs;
+	uint8_t bbp;
+	int ntries;
+
+	mtw_read(sc, MTW_RF_BYPASS0, &rfb);
+	mtw_read(sc, MTW_RF_SETTING0, &rfs);
+	mtw_write(sc, MTW_RF_BYPASS0, 0);
+	mtw_write(sc, MTW_RF_SETTING0, 0x10);
+	mtw_write(sc, MTW_RF_BYPASS0, 0x10);
+
+	mtw_bbp_read(sc, 47, &bbp);
+	bbp &= ~0x7f;
+	bbp |= 0x10;
+	mtw_bbp_write(sc, 47, bbp);
+
+	mtw_bbp_write(sc, 22, 0x40);
+
+	for (ntries = 0; ntries < 10; ntries++) {
+		mtw_bbp_read(sc, 47, &bbp);
+		if ((bbp & 0x10) == 0)
+			break;
+	}
+	if (ntries == 10)
+		return ETIMEDOUT;
+
+	mt7601_r49_read(sc, MT7601_R47_TEMP, val);
+
+	mtw_bbp_write(sc, 22, 0);
+
+	mtw_bbp_read(sc, 21, &bbp);
+	bbp |= 0x02;
+	mtw_bbp_write(sc, 21, bbp);
+	bbp &= ~0x02;
+	mtw_bbp_write(sc, 21, bbp);
+
+	mtw_write(sc, MTW_RF_BYPASS0, 0);
+	mtw_write(sc, MTW_RF_SETTING0, rfs);
+	mtw_write(sc, MTW_RF_BYPASS0, rfb);
+	return 0;
+}
+
+int
+mt7601_r49_read(struct mtw_softc *sc, uint8_t flag, int8_t *val)
+{
+	uint8_t bbp;
+
+	mtw_bbp_read(sc, 47, &bbp);
+	bbp = 0x90;
+	mtw_bbp_write(sc, 47, bbp);
+	bbp &= ~0x0f;
+	bbp |= flag;
+	mtw_bbp_write(sc, 47, bbp);
+	return mtw_bbp_read(sc, 49, val);
+}
+
+int
+mt7601_rxdc_cal(struct mtw_softc *sc)
+{
+	uint32_t tmp;
+	uint8_t bbp;
+	int ntries;
+
+	mtw_read(sc, MTW_MAC_SYS_CTRL, &tmp);
+	mtw_write(sc, MTW_MAC_SYS_CTRL, MTW_MAC_RX_EN);
+	mtw_bbp_write(sc, 158, 0x8d);
+	mtw_bbp_write(sc, 159, 0xfc);
+	mtw_bbp_write(sc, 158, 0x8c);
+	mtw_bbp_write(sc, 159, 0x4c);
+
+	for (ntries = 0; ntries < 20; ntries++) {
+		DELAY(300);
+		mtw_bbp_write(sc, 158, 0x8c);
+		mtw_bbp_read(sc, 159, &bbp);
+		if (bbp == 0x0c)
+			break;
+	}
+
+	if (ntries == 20)
+		return ETIMEDOUT;
+
+	mtw_write(sc, MTW_MAC_SYS_CTRL, 0);
+	mtw_bbp_write(sc, 158, 0x8d);
+	mtw_bbp_write(sc, 159, 0xe0);
+	mtw_write(sc, MTW_MAC_SYS_CTRL, tmp);
+	return 0;
+}
+
+int
+mtw_wlan_enable(struct mtw_softc *sc, int enable)
+{
+	uint32_t tmp;
+	int error = 0;
+
+	if (enable) {
+		mtw_read(sc, MTW_WLAN_CTRL, &tmp);
+		if (sc->asic_ver == 0x7612)
+			tmp &= ~0xfffff000;
+			
+		tmp &= ~MTW_WLAN_CLK_EN;
+		tmp |= MTW_WLAN_EN;
+		mtw_write(sc, MTW_WLAN_CTRL, tmp);
+		usbd_delay_ms(sc->sc_udev, 2);
+		
+		tmp |= MTW_WLAN_CLK_EN;
+		if (sc->asic_ver == 0x7612) {
+			tmp |= (MTW_WLAN_RESET | MTW_WLAN_RESET_RF);
+		}
+		mtw_write(sc, MTW_WLAN_CTRL, tmp);
+		usbd_delay_ms(sc->sc_udev, 2);
+
+		mtw_read(sc, MTW_OSC_CTRL, &tmp);
+		tmp |= MTW_OSC_EN;
+		mtw_write(sc, MTW_OSC_CTRL, tmp);
+		tmp |= MTW_OSC_CAL_REQ;
+		mtw_write(sc, MTW_OSC_CTRL, tmp);
+	} else {
+		mtw_read(sc, MTW_WLAN_CTRL, &tmp);
+		tmp &= ~(MTW_WLAN_CLK_EN | MTW_WLAN_EN);
+		mtw_write(sc, MTW_WLAN_CTRL, tmp);
+
+		mtw_read(sc, MTW_OSC_CTRL, &tmp);
+		tmp &= ~MTW_OSC_EN;
+		mtw_write(sc, MTW_OSC_CTRL, tmp);
+	}
+	return error;
+}
+
+int
+mtw_txrx_enable(struct mtw_softc *sc)
+{
+	uint32_t tmp;
+	int error, ntries;
+
+	mtw_write(sc, MTW_MAC_SYS_CTRL, MTW_MAC_TX_EN);
+	for (ntries = 0; ntries < 200; ntries++) {
+		if ((error = mtw_read(sc, MTW_WPDMA_GLO_CFG, &tmp)) != 0)
+			return error;
+		if ((tmp & (MTW_TX_DMA_BUSY | MTW_RX_DMA_BUSY)) == 0)
+			break;
+		DELAY(1000);
+	}
+	if (ntries == 200)
+		return ETIMEDOUT;
+
+	DELAY(50);
+
+	tmp |= MTW_RX_DMA_EN | MTW_TX_DMA_EN | MTW_TX_WB_DDONE;
+	mtw_write(sc, MTW_WPDMA_GLO_CFG, tmp);
+
+	/* enable Rx bulk aggregation (set timeout and limit) */
+	tmp = MTW_USB_TX_EN | MTW_USB_RX_EN | MTW_USB_RX_AGG_EN |
+	   MTW_USB_RX_AGG_TO(128) | MTW_USB_RX_AGG_LMT(2);
+	mtw_write(sc, MTW_USB_DMA_CFG, tmp);
+
+	/* set Rx filter */
+	tmp = MTW_DROP_CRC_ERR | MTW_DROP_PHY_ERR;
+	if (sc->sc_ic.ic_opmode != IEEE80211_M_MONITOR) {
+		tmp |= MTW_DROP_UC_NOME | MTW_DROP_DUPL |
+		    MTW_DROP_CTS | MTW_DROP_BA | MTW_DROP_ACK |
+		    MTW_DROP_VER_ERR | MTW_DROP_CTRL_RSV |
+		    MTW_DROP_CFACK | MTW_DROP_CFEND;
+		if (sc->sc_ic.ic_opmode == IEEE80211_M_STA)
+			tmp |= MTW_DROP_RTS | MTW_DROP_PSPOLL;
+	}
+	mtw_write(sc, MTW_RX_FILTR_CFG, tmp);
+
+	mtw_write(sc, MTW_MAC_SYS_CTRL,
+	    MTW_MAC_RX_EN | MTW_MAC_TX_EN);
+	return 0;
+}
+
+int
+mtw_init(struct ifnet *ifp)
+{
+	struct mtw_softc *sc = ifp->if_softc;
+	struct ieee80211com *ic = &sc->sc_ic;
+	uint32_t tmp;
+	int i, error, ridx, ntries, qid;
+
+	if (usbd_is_dying(sc->sc_udev))
+		return ENXIO;
+
+	/* init Tx rings (4 EDCAs, 1 HCCA, 1 MGMT) */
+	for (qid = 0; qid < MTW_TXQ_COUNT; qid++) {
+		if ((error = mtw_alloc_tx_ring(sc, qid)) != 0)
+			goto fail;
+	}
+
+	/* init Rx ring */
+	if ((error = mtw_alloc_rx_ring(sc, 0)) != 0)
+		goto fail;
+
+	/* init MCU Tx ring */
+	if ((error = mtw_alloc_mcu_ring(sc)) != 0)
+		goto fail;
+
+	/* init host command ring */
+	sc->cmdq.cur = sc->cmdq.next = sc->cmdq.queued = 0;
+
+	for (ntries = 0; ntries < 100; ntries++) {
+		if ((error = mtw_read(sc, MTW_WPDMA_GLO_CFG, &tmp)) != 0)
+			goto fail;
+		if ((tmp & (MTW_TX_DMA_BUSY | MTW_RX_DMA_BUSY)) == 0)
+			break;
+		DELAY(1000);
+	}
+	if (ntries == 100) {
+		printf("%s: timeout waiting for DMA engine\n",
+		    sc->sc_dev.dv_xname);
+		error = ETIMEDOUT;
+		goto fail;
+	}
+	tmp &= 0xff0;
+	tmp |= MTW_TX_WB_DDONE;
+	mtw_write(sc, MTW_WPDMA_GLO_CFG, tmp);
+
+	/* reset MAC and baseband */
+	mtw_write(sc, MTW_MAC_SYS_CTRL, MTW_BBP_HRST | MTW_MAC_SRST);
+	mtw_write(sc, MTW_USB_DMA_CFG, 0);
+	mtw_write(sc, MTW_MAC_SYS_CTRL, 0);
+
+	/* init MAC values */
+	if (sc->mac_ver == 0x7601) {
+		for (i = 0; i < nitems(mt7601_def_mac); i++)
+			mtw_write(sc, mt7601_def_mac[i].reg,
+			    mt7601_def_mac[i].val);
+	}
+
+	/* wait while MAC is busy */
+	for (ntries = 0; ntries < 100; ntries++) {
+		if ((error = mtw_read(sc, MTW_MAC_STATUS_REG, &tmp)) != 0)
+			goto fail;
+		if (!(tmp & (MTW_RX_STATUS_BUSY | MTW_TX_STATUS_BUSY)))
+			break;
+		DELAY(1000);
+	}
+	if (ntries == 100) {
+		error = ETIMEDOUT;
+		goto fail;
+	}
+
+	/* set MAC address */
+	IEEE80211_ADDR_COPY(ic->ic_myaddr, LLADDR(ifp->if_sadl));
+	mtw_set_macaddr(sc, ic->ic_myaddr);
+
+	/* clear WCID attribute table */
+	mtw_set_region_4(sc, MTW_WCID_ATTR(0), 1, 8 * 32);
+
+	mtw_write(sc, 0x1648, 0x00830083);
+	mtw_read(sc, MTW_FCE_L2_STUFF, &tmp);
+	tmp &= ~MTW_L2S_WR_MPDU_LEN_EN;
+	mtw_write(sc, MTW_FCE_L2_STUFF, tmp);
+
+	/* RTS config */
+	mtw_set_txrts(sc);
+
+	/* clear Host to MCU mailbox */
+	mtw_write(sc, MTW_BBP_CSR, 0);
+	mtw_write(sc, MTW_H2M_MAILBOX, 0);
+
+	/* clear RX WCID search table */
+	mtw_set_region_4(sc, MTW_WCID_ENTRY(0), 0xffffffff, 512);
+	
+	/* abort TSF synchronization */
+	mtw_abort_tsf_sync(sc);
+
+	mtw_read(sc, MTW_US_CYC_CNT, &tmp);
+	tmp = (tmp & ~0xff);
+	if (sc->mac_ver == 0x7601)
+		tmp |= 0x1e;
+	mtw_write(sc, MTW_US_CYC_CNT, tmp);
+
+	/* clear shared key table */
+	mtw_set_region_4(sc, MTW_SKEY(0, 0), 0, 8 * 32);
+
+	/* clear IV/EIV table */
+	mtw_set_region_4(sc, MTW_IVEIV(0), 0, 8 * 32);
+
+	/* clear shared key mode */
+	mtw_write(sc, MTW_SKEY_MODE_0_7, 0);
+	mtw_write(sc, MTW_SKEY_MODE_8_15, 0);
+
+	/* txop truncation */
+	mtw_write(sc, MTW_TXOP_CTRL_CFG, 0x0000583f);
+
+	/* init Tx power for all Tx rates */
+	for (ridx = 0; ridx < 5; ridx++) {
+		if (sc->txpow20mhz[ridx] == 0xffffffff)
+			continue;
+		mtw_write(sc, MTW_TX_PWR_CFG(ridx), sc->txpow20mhz[ridx]);
+	}
+	mtw_write(sc, MTW_TX_PWR_CFG7, 0);
+	mtw_write(sc, MTW_TX_PWR_CFG9, 0);
+
+	mtw_read(sc, MTW_CMB_CTRL, &tmp);
+	tmp &= ~(1 << 18 | 1 << 14);
+	mtw_write(sc, MTW_CMB_CTRL, tmp);
+
+	/* clear USB DMA */
+	mtw_write(sc, MTW_USB_DMA_CFG, MTW_USB_TX_EN | MTW_USB_RX_EN |
+	    MTW_USB_RX_AGG_EN | MTW_USB_TX_CLEAR | MTW_USB_TXOP_HALT |
+	    MTW_USB_RX_WL_DROP);
+	usbd_delay_ms(sc->sc_udev, 50);
+	mtw_read(sc, MTW_USB_DMA_CFG, &tmp);
+	tmp &= ~(MTW_USB_TX_CLEAR | MTW_USB_TXOP_HALT |
+	    MTW_USB_RX_WL_DROP);
+	mtw_write(sc, MTW_USB_DMA_CFG, tmp);
+
+	/* enable radio */
+	mtw_mcu_radio(sc, 0x31, 0);
+
+	/* init RF registers */
+	if (sc->mac_ver == 0x7601)
+		mt7601_rf_init(sc);
+
+	/* init baseband registers */
+	if (sc->mac_ver == 0x7601)
+		error = mt7601_bbp_init(sc);
+
+	if (error != 0) {
+		printf("%s: could not initialize BBP\n", sc->sc_dev.dv_xname);
+		goto fail;
+	}
+
+	/* setup and calibrate RF */
+	if (sc->mac_ver == 0x7601)
+		error = mt7601_rf_setup(sc);
+
+	if (error != 0) {
+		printf("%s: could not initialize RF\n", sc->sc_dev.dv_xname);
+		goto fail;
+	}
+
+	/* select default channel */
+	ic->ic_bss->ni_chan = ic->ic_ibss_chan;
+	mtw_set_chan(sc, ic->ic_ibss_chan);
+
+	for (i = 0; i < MTW_RX_RING_COUNT; i++) {
+		struct mtw_rx_data *data = &sc->rxq[MTW_RXQ_WLAN].data[i];
+
+		usbd_setup_xfer(data->xfer, sc->rxq[MTW_RXQ_WLAN].pipeh,
+		    data, data->buf,
+		    MTW_MAX_RXSZ, USBD_SHORT_XFER_OK | USBD_NO_COPY,
+		    USBD_NO_TIMEOUT, mtw_rxeof);
+		error = usbd_transfer(data->xfer);
+		if (error != 0 && error != USBD_IN_PROGRESS)
+			goto fail;
+	}
+
+	if ((error = mtw_txrx_enable(sc)) != 0)
+		goto fail;
+
+	/* init LEDs */
+	mtw_set_leds(sc, MTW_LED_MODE_ON);
+
+	ifp->if_flags |= IFF_RUNNING;
+	ifq_clr_oactive(&ifp->if_snd);
+
+	if (ic->ic_flags & IEEE80211_F_WEPON) {
+		/* install WEP keys */
+		for (i = 0; i < IEEE80211_WEP_NKID; i++) {
+			if (ic->ic_nw_keys[i].k_cipher != IEEE80211_CIPHER_NONE)
+				(void)mtw_set_key(ic, NULL, &ic->ic_nw_keys[i]);
+		}
+	}
+
+	if (ic->ic_opmode == IEEE80211_M_MONITOR)
+		ieee80211_new_state(ic, IEEE80211_S_RUN, -1);
+	else
+		ieee80211_new_state(ic, IEEE80211_S_SCAN, -1);
+
+	if (error != 0)
+fail:	    mtw_stop(ifp, 1);
+	return error;
+}
+
+void
+mtw_stop(struct ifnet *ifp, int disable)
+{
+	struct mtw_softc *sc = ifp->if_softc;
+	struct ieee80211com *ic = &sc->sc_ic;
+	uint32_t tmp;
+	int s, ntries, error, qid;
+
+	if (ifp->if_flags & IFF_RUNNING)
+		mtw_set_leds(sc, MTW_LED_MODE_ON);
+
+	sc->sc_tx_timer = 0;
+	ifp->if_timer = 0;
+	ifp->if_flags &= ~IFF_RUNNING;
+	ifq_clr_oactive(&ifp->if_snd);
+
+	timeout_del(&sc->scan_to);
+	timeout_del(&sc->calib_to);
+
+	s = splusb();	
+	ieee80211_new_state(ic, IEEE80211_S_INIT, -1);
+	/* wait for all queued asynchronous commands to complete */
+	usb_wait_task(sc->sc_udev, &sc->sc_task);
+	splx(s);
+
+	/* Disable Tx/Rx DMA. */
+	mtw_read(sc, MTW_WPDMA_GLO_CFG, &tmp);
+	tmp &= ~(MTW_RX_DMA_EN | MTW_TX_DMA_EN);
+	mtw_write(sc, MTW_WPDMA_GLO_CFG, tmp);
+	mtw_usb_dma_write(sc, 0);
+
+	for (ntries = 0; ntries < 100; ntries++) {
+		if (mtw_read(sc, MTW_WPDMA_GLO_CFG, &tmp) != 0)
+			break;
+		if ((tmp & (MTW_TX_DMA_BUSY | MTW_RX_DMA_BUSY)) == 0)
+			break;
+		DELAY(10);
+	}
+	if (ntries == 100) {
+		printf("%s: timeout waiting for DMA engine\n",
+		    sc->sc_dev.dv_xname);
+	}
+
+	/* stop MAC Tx/Rx */
+	mtw_read(sc, MTW_MAC_SYS_CTRL, &tmp);
+	tmp &= ~(MTW_MAC_RX_EN | MTW_MAC_TX_EN);
+	mtw_write(sc, MTW_MAC_SYS_CTRL, tmp);
+
+	/* disable RTS retry */
+	mtw_read(sc, MTW_TX_RTS_CFG, &tmp);
+	tmp &= ~0xff;
+	mtw_write(sc, MTW_TX_RTS_CFG, tmp);
+
+	/* US_CYC_CFG */
+	mtw_read(sc, MTW_US_CYC_CNT, &tmp);
+	tmp = (tmp & ~0xff);
+	mtw_write(sc, MTW_US_CYC_CNT, tmp);
+
+	/* stop PBF */
+	mtw_read(sc, MTW_PBF_CFG, &tmp);
+	tmp &= ~0x3;
+	mtw_write(sc, MTW_PBF_CFG, tmp);
+
+	/* wait for pending Tx to complete */
+	for (ntries = 0; ntries < 100; ntries++) {
+		if ((error = mtw_read(sc, MTW_TXRXQ_PCNT, &tmp)) != 0)
+			break;
+		if ((tmp & MTW_TX2Q_PCNT_MASK) == 0)
+			break;
+	}
+	DELAY(1000);
+
+	/* delete keys */
+	for (qid = 0; qid < 4; qid++) {
+		mtw_read(sc, MTW_SKEY_MODE_0_7, &tmp);
+		tmp &= ~(0xf << qid * 4);
+		mtw_write(sc, MTW_SKEY_MODE_0_7, tmp);
+	}
+
+	if (disable) {
+		/* disable radio */
+		error = mtw_mcu_radio(sc, 0x30, 0x1);
+		usbd_delay_ms(sc->sc_udev, 10);
+	}
+
+	/* free Tx and Rx rings */
+	sc->qfullmsk = 0;
+	mtw_free_mcu_ring(sc);
+	for (qid = 0; qid < MTW_TXQ_COUNT; qid++)
+		mtw_free_tx_ring(sc, qid);
+	mtw_free_rx_ring(sc, 0);
+}
diff --git a/sys/dev/usb/if_mtwvar.h b/sys/dev/usb/if_mtwvar.h
new file mode 100644
index 00000000000..013b6e58e36
--- /dev/null
+++ b/sys/dev/usb/if_mtwvar.h
@@ -0,0 +1,243 @@
+/*	$OpenBSD: if_mtwvar.h,v 1.1 2021/12/20 13:59:02 hastings Exp $	*/
+/*
+ * Copyright (c) 2008,2009 Damien Bergamini <damien.bergamini@free.fr>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define MTW_MAX_RXSZ			\
+	4096
+#if 0
+	(sizeof (uint32_t) +		\
+	 sizeof (struct mtw_rxwi) +	\
+	 sizeof (uint16_t) +		\
+	 MCLBYTES +			\
+	 sizeof (struct mtw_rxd))
+#endif
+/* NB: "11" is the maximum number of padding bytes needed for Tx */
+#define MTW_MAX_TXSZ			\
+	(sizeof (struct mtw_txd) +	\
+	 sizeof (struct mtw_txwi) +	\
+	 MCLBYTES + 11)
+
+#define MTW_TX_TIMEOUT	5000	/* ms */
+
+#define MTW_RX_RING_COUNT	1
+#define MTW_TX_RING_COUNT	8
+
+#define MTW_RXQ_COUNT		2
+#define MTW_TXQ_COUNT		6
+
+#define MTW_WCID_MAX		8	
+#define MTW_AID2WCID(aid)	(1 + ((aid) & 0x7))
+
+struct mtw_rx_radiotap_header {
+	struct ieee80211_radiotap_header wr_ihdr;
+	uint8_t		wr_flags;
+	uint8_t		wr_rate;
+	uint16_t	wr_chan_freq;
+	uint16_t	wr_chan_flags;
+	uint8_t		wr_dbm_antsignal;
+	uint8_t		wr_antenna;
+	uint8_t		wr_antsignal;
+} __packed;
+
+#define MTW_RX_RADIOTAP_PRESENT				\
+	(1 << IEEE80211_RADIOTAP_FLAGS |		\
+	 1 << IEEE80211_RADIOTAP_RATE |			\
+	 1 << IEEE80211_RADIOTAP_CHANNEL |		\
+	 1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL |	\
+	 1 << IEEE80211_RADIOTAP_ANTENNA |		\
+	 1 << IEEE80211_RADIOTAP_DB_ANTSIGNAL)
+
+struct mtw_tx_radiotap_header {
+	struct ieee80211_radiotap_header wt_ihdr;
+	uint8_t		wt_flags;
+	uint8_t		wt_rate;
+	uint16_t	wt_chan_freq;
+	uint16_t	wt_chan_flags;
+} __packed;
+
+#define MTW_TX_RADIOTAP_PRESENT				\
+	(1 << IEEE80211_RADIOTAP_FLAGS |		\
+	 1 << IEEE80211_RADIOTAP_RATE |			\
+	 1 << IEEE80211_RADIOTAP_CHANNEL)
+
+struct mtw_softc;
+
+struct mtw_tx_data {
+	struct mtw_softc	*sc;
+	struct usbd_xfer	*xfer;
+	uint8_t			*buf;
+	uint8_t			qid;
+};
+
+struct mtw_rx_data {
+	struct mtw_softc	*sc;
+	struct usbd_xfer	*xfer;
+	uint8_t			*buf;
+};
+
+struct mtw_tx_ring {
+	struct mtw_tx_data	data[MTW_TX_RING_COUNT];
+	struct usbd_pipe	*pipeh;
+	int			cur;
+	int			queued;
+	uint8_t			pipe_no;
+};
+
+struct mtw_rx_ring {
+	struct mtw_rx_data	data[MTW_RX_RING_COUNT];
+	struct usbd_pipe	*pipeh;
+	uint8_t			pipe_no;
+};
+
+struct mtw_host_cmd {
+	void	(*cb)(struct mtw_softc *, void *);
+	uint8_t	data[256];
+};
+
+struct mtw_cmd_newstate {
+	enum ieee80211_state	state;
+	int			arg;
+};
+
+struct mtw_cmd_key {
+	struct ieee80211_key	key;
+	struct ieee80211_node	*ni;
+};
+
+#define MTW_HOST_CMD_RING_COUNT	32
+struct mtw_host_cmd_ring {
+	struct mtw_host_cmd	cmd[MTW_HOST_CMD_RING_COUNT];
+	int			cur;
+	int			next;
+	int			queued;
+};
+
+struct mtw_node {
+	struct ieee80211_node		ni;
+	struct ieee80211_ra_node	rn;
+	uint8_t				ridx[IEEE80211_RATE_MAXSIZE];
+	uint8_t				ctl_ridx[IEEE80211_RATE_MAXSIZE];
+};
+
+struct mtw_mcu_tx {
+	struct mtw_softc	*sc;
+	struct usbd_xfer	*xfer;
+	struct usbd_pipe	*pipeh;
+	uint8_t			 pipe_no;
+	uint8_t			*buf;
+	uint8_t			 seq;
+};
+
+#define MTW_MCU_IVB_LEN		0x40
+struct mtw_ucode_hdr {
+	uint32_t		ilm_len;
+	uint32_t		dlm_len;
+	uint16_t		build_ver;
+	uint16_t		fw_ver;
+	uint8_t			pad[4];
+	char			build_time[16];
+} __packed;
+
+struct mtw_ucode {
+	struct mtw_ucode_hdr	hdr;
+	uint8_t			ivb[MTW_MCU_IVB_LEN];
+	uint8_t			data[];
+} __packed;
+
+struct mtw_softc {
+	struct device			sc_dev;
+	struct ieee80211com		sc_ic;
+	int				(*sc_newstate)(struct ieee80211com *,
+					    enum ieee80211_state, int);
+	int				(*sc_srom_read)(struct mtw_softc *,
+					    uint16_t, uint16_t *);
+
+	struct usbd_device		*sc_udev;
+	struct usbd_interface		*sc_iface;
+
+	uint16_t			asic_ver;
+	uint16_t			asic_rev;
+	uint16_t			mac_ver;
+	uint16_t			mac_rev;
+	uint16_t			rf_rev;
+	uint8_t				freq;
+	uint8_t				ntxchains;
+	uint8_t				nrxchains;
+	int				fixed_ridx;
+
+	uint8_t				rfswitch;
+	uint8_t				ext_2ghz_lna;
+	uint8_t				ext_5ghz_lna;
+	uint8_t				calib_2ghz;
+	uint8_t				calib_5ghz;
+	uint8_t				txmixgain_2ghz;
+	uint8_t				txmixgain_5ghz;
+	int8_t				txpow1[54];
+	int8_t				txpow2[54];
+	int8_t				txpow3[54];
+	int8_t				rssi_2ghz[3];
+	int8_t				rssi_5ghz[3];
+	uint8_t				lna[4];
+
+	uint8_t				leds;
+	uint16_t			led[3];
+	uint32_t			txpow20mhz[5];
+	uint32_t			txpow40mhz_2ghz[5];
+	uint32_t			txpow40mhz_5ghz[5];
+
+	int8_t				bbp_temp;
+	uint8_t				rf_freq_offset;
+	uint32_t			rf_pa_mode[2];
+	int				sc_rf_calibrated;
+	int				sc_bw_calibrated;
+	int				sc_chan_group;
+
+	struct usb_task			sc_task;
+
+	struct ieee80211_amrr		amrr;
+	struct ieee80211_amrr_node	amn;
+
+	struct timeout			scan_to;
+	struct timeout			calib_to;
+
+	uint8_t				cmd_seq;
+
+	struct mtw_tx_ring		sc_mcu;
+	struct mtw_rx_ring		rxq[MTW_RXQ_COUNT];
+	struct mtw_tx_ring		txq[MTW_TXQ_COUNT];
+	struct mtw_host_cmd_ring	cmdq;
+	uint8_t				qfullmsk;
+	int				sc_tx_timer;
+
+#if NBPFILTER > 0
+	caddr_t				sc_drvbpf;
+
+	union {
+		struct mtw_rx_radiotap_header th;
+		uint8_t	pad[64];
+	}				sc_rxtapu;
+#define sc_rxtap	sc_rxtapu.th
+	int				sc_rxtap_len;
+
+	union {
+		struct mtw_tx_radiotap_header th;
+		uint8_t	pad[64];
+	}				sc_txtapu;
+#define sc_txtap	sc_txtapu.th
+	int				sc_txtap_len;
+#endif
+	int				sc_key_tasks;
+};