Index: Librarier/bt_rom/format/headset.format
===================================================================
--- /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/Librarier/bt_rom/format/headset.format	(revision 4490)
+++ /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/Librarier/bt_rom/format/headset.format	(working copy)
@@ -265,7 +265,7 @@
 256 mem_zcode_buff_user
 
 	1 mem_queue_init_flag
-
+	64 mem_efuse_64_bytes
 0 mem_headset_end
 )
 (
Index: ModuleDemo/25_OTA/bt_demo/BT/patch/patch.prog
===================================================================
--- /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/BT/patch/patch.prog	(revision 4490)
+++ /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/BT/patch/patch.prog	(working copy)
@@ -16,12 +16,15 @@
 	beq patch00_2,p_main_loop
 	beq patch01_6,p_inquiry_receive_rtn
 	beq patch02_0,p_master_page_timeout
+	beq patch03_4,p_master_loop
 	beq patch03_6,p_master_disconnect
 	beq patch04_0,p_linkkey_ready
 	beq patch04_4,p_role_switch_master
 	beq patch06_2,p_send_eir
+	beq patch07_2,p_slave_loop
 	beq patch07_7,p_role_switch_slave
 	beq patch07_6,p_slave_disconnect
+	beq patch08_4,p_newconn_init	
 	beq patch0b_0,p_process_dmh_common
 	beq patch0b_4,p_process_dmh_data_end
 	beq patch0b_5,p_process_dmh_l2cap_packet
@@ -30,6 +33,8 @@
 	beq patch10_1,p_shutdown_radio
 	beq patch10_5,p_set_freq_tx
 	beq patch10_6,p_initialize_radio_cont
+
+	
 	beq patch13_6,p_initialize_radio_cont_by_init_param
 
 	beq patch14_0,p_lpm_hibernate
@@ -52,6 +57,7 @@
 	beq patch27_6,p_le_conn_dispatch
 	beq patch27_7,p_le_slave_match
 	beq patch28_1,p_le_slave_unsync
+	beq patch28_2,p_le_slave_disconn
 	beq patch29_3,p_le_receive_slave
 	beq patch29_7,p_le_send_adv_ind
 	beq patch2a_2,p_le_acknowledge
@@ -84,8 +90,20 @@
 	call sp_calc_sequence 
 	call sp_calc_sequence_256
 	call publickey_calc
-	call p_le_dispatch 
-	branch main_loop+5
+	call p_le_dispatch
+	call idle_dispatch
+	call app_process_idle
+	call inquiry_dispatch
+	call inquiry_scan_dispatch
+	call p_page_scan_dispatch
+	branch main_loop+11
+
+p_page_scan_dispatch:
+	fetch 1,mem_scan_mode
+	rtnbit0 page_scan_mode
+	fetch 1,mem_state
+	rtnbit1 state_inconn
+	branch page_scan_dispatch+2
 
 p_le_dispatch:
 	 call le_enable 
@@ -396,6 +414,7 @@
 	call wdt_init_reset_with_start
 endif //FUNCTION_WATCH_DOG
 	call headset_init
+	call p_read_efuse_64_bytes
 
 	setarg p_app_event_normal_process
 	store 2,mem_cb_bb_event_process
@@ -456,7 +475,11 @@
 	arg -1,temp // Here must be -1, the rom code is error
 	branch lpm_doze
 
-
+p_read_efuse_64_bytes:
+	setarg 0
+	arg mem_efuse_64_bytes,rega
+	arg 64,temp
+	branch efuse_read_data
 	
 /*********************************/
 /*********lmp send*************/
@@ -480,6 +503,7 @@
 	bbit1 7,z_send_lmp_escape
 	beq LMP_SETUP_COMPLETE, p_send_lmp_setup_complete
 	beq LMP_SRES,p_send_lmp_sres
+	beq LMP_DETACH,p_send_lmp_detach
 	branch send_lmp+10
 
 
@@ -556,6 +580,66 @@
 	loop p_check_tx_length
 	rtn
 
+
+
+p_slave_loop:
+//	bpatch patch07_2,mem_patch07
+	call scheduler_process
+	call slave_conn_recv_packet	/* go listen for a packet */
+	nbranch slave_notmatch,match
+	call supervision_flush
+	call scheduler_tx_l2cap_pkt
+	call prepare_tx
+	call set_flow_flag
+	call slave_conn_send_packet
+	call parse_l2cap
+	call parse_lmp
+	call p_process_cmd
+	branch slave_loop+12
+
+p_master_loop:
+	call parse_lmp
+	call p_process_cmd
+	branch master_loop+3
+
+p_process_cmd:
+	fetch 1,mem_hci_cmd
+	rtn blank
+	fetch 1,mem_lmo_opcode2
+	nrtn blank
+	call cmd_check_plap
+	nbranch p_process_cmd_conn_handle,zero
+//	branch process_cmd+6
+	
+	fetch 1,mem_hci_cmd
+	beq hci_cmd_remote_name_req,cmd_namereq
+	beq hci_cmd_pair,cmd_pair
+	beq hci_cmd_nopair,cmd_nopair
+	beq hci_cmd_linkkey,cmd_has_key
+	beq hci_cmd_nokey,cmd_no_key
+	beq hci_cmd_reject_conn,cmd_disconn
+	beq hci_cmd_role_switch,cmd_role_switch
+	beq hci_cmd_accept_conn,cmd_accept_conn
+	beq hci_cmd_accept_with_switch,cmd_accept_with_switch
+	beq hci_cmd_detach,cmd_detach
+	beq hci_cmd_in_sniff,cmd_in_sniff
+	beq hci_cmd_exit_sniff,cmd_exit_sniff
+p_process_cmd_conn_handle:
+	call cmd_check_handle
+	nrtn blank
+	fetch 1,mem_hci_cmd
+	beq hci_cmd_auth,p_cmd_auth
+	branch process_cmd_conn_handle+4
+
+
+p_cmd_auth:
+	fetch 1,mem_op
+	set1 op_auth_req,pdata
+	store 1,mem_op
+	fetch 1,mem_state
+	bbit1 state_linkkey,cmd_auth_sendaurand
+	call p_hci_send_linkkey_req_event
+	branch cmd_exit
 	
 p_hci_send_disconnect_complete_classic:
 	//fetch 1,mem_conn_handle
@@ -611,6 +695,8 @@
 	//bpatch patch03_6,mem_patch03
 	call quit_connection
 	disable master
+	fetch 1,mem_conn_status
+	beq 1,p_master_page_timeout
 	fetch 1,mem_state_map
 	bbit1 smap_name_req,master_name_disconnect
 	fetch 1,mem_state
@@ -831,6 +917,17 @@
 	rtn blank
 	branch p_hci_send_disconnect_complete		
 
+p_newconn_init:
+	call init_lmp_reinit
+	call new_conn_handle
+	sub pdata,15,null
+	nbranch p_newconn_handle_init,positive
+	branch newconn_init+3
+p_newconn_handle_init:
+	jam 1,mem_handle_num
+	branch newconn_init+3
+
+	
 p_hci_send_role_change:
 	jam 8,mem_mesh_event_para_total_length
 	jam HCI_EVENT_ROLE_CHANGE,mem_mesh_event_head_event_code
@@ -936,9 +1033,13 @@
 p_parse_lmp_detach:
 	fetch 1,mem_rxbuf+1
 	store 1,mem_disconn_reason_send
-	branch parse_lmp_detach
+//	branch parse_lmp_detach
+	call p_prepare_disconnect
+	branch accept_lmp_msg
+
 	//branch z_hci_send_disconnect_complete
 
+
 p_parse_lmp_in_rand:
 	call lmp_copy_rand
 	jam pincode_state_wait_pincode,mem_pincode_state
@@ -1206,18 +1307,18 @@
 
 // input: rega	return pdata=0:true  pdata = 1:false
 p_check_addr_in_white_list:
-	fetch 1,mem_le_white_list_cnt
-	copy pdata,loopcnt
-	arg mem_le_white_list,regb
+//	fetch 1,mem_le_white_list_cnt
+//	copy pdata,loopcnt
+//	arg mem_le_white_list,regb
 p_check_addr_in_white_list_loop:
-	ifetch 7,regb
-	fetcht 7,mem_le_white_list_type_and_bd_addr
-	isub temp,null
-	setarg 0
-	rtn zero
-	increase 7,regb
-	loop p_check_addr_in_white_list_loop
-	setarg 1
+//	ifetch 7,regb
+//	fetcht 7,mem_le_white_list_type_and_bd_addr
+//	isub temp,null
+//	setarg 0
+//	rtn zero
+//	increase 7,regb
+//	loop p_check_addr_in_white_list_loop
+//	setarg 1
 	rtn
 
 
@@ -1466,8 +1567,13 @@
 p_hci_send_event_le_disconnection_complete:
 	fetch 8,mem_mesh_le_event_mask
 	rtnbit0 DISCONNECTION_COMPLETE_EVENT
+	fetch 1,mem_le_conn_handle
+	store 1,mem_hci_record_disc_conn_handle
+	branch z_hci_send_disconnect_complete
 p_hci_send_disconnect_complete:
 	//status(1), connection_handle(2), Reason(1)
+	fetch 1,mem_conn_handle
+	store 1,mem_hci_record_disc_conn_handle
 	branch z_hci_send_disconnect_complete
 	
 
@@ -2019,6 +2125,9 @@
 	jam 0,mem_le_txlen_temp
 	setarg 27
 	store 2,mem_remote_rx_max_octets
+	call new_conn_handle
+	pincrease 24
+	store 1,mem_le_conn_handle
 	rtn	
 
 
@@ -2041,7 +2150,7 @@
 p_le_master_dispatch:
 	enable master
 	call le_supervision_update
-	branch le_master_disconn,positive
+	branch p_le_master_disconn,positive
 	call le_setup
 	call p_le_prepare_tx
 	disable match
@@ -2108,7 +2217,7 @@
 	bbit1  lestate_got_first_packet,p_le_master_cont
 	fetch 1,mem_le_first_packet_count
 	sub pdata,6,null
-	nbranch le_master_disconn,positive
+	nbranch p_le_master_disconn,positive
 	increase 1,pdata
 	store 1,mem_le_first_packet_count
 	branch p_le_master_cont
@@ -2591,7 +2700,7 @@
 	beq FLAG_LE_ENC_PAUSE,le_clear_enc
 p_le_check_wak_end_ll:
 	fetch 1,mem_le_txpayload_temp
-	beq LL_TERMINATE_IND,le_master_disconn
+	beq LL_TERMINATE_IND,p_le_master_disconn
 	beq LL_START_ENC_REQ,le_set_enc
 	rtn
 
@@ -3204,3 +3313,33 @@
 	rtn
 endif
 
+p_send_lmp_detach:
+	force 2,pdata
+	call msg_send_lmp
+	fetch 1,mem_disconn_reason_send
+	istore 1,contw
+	call send_lmp_request
+p_prepare_disconnect:
+	fetch 1,mem_op
+	set1 op_disconn,pdata
+	store 1,mem_op
+	jam 1,mem_conn_timer
+	rtn	
+
+p_le_slave_disconn:
+	call le_att_destroy_notify_pool
+	//fall through
+p_le_disconnect:
+	call le_clear_connection_info+1
+	call app_disconn_reason_collect_ble
+ifdef SECURE_CONNECTION
+	call sp_initialize_256
+endif
+	jam BT_EVT_LE_DISCONNECTED,mem_fifo_temp
+	branch ui_ipc_send_event	
+
+p_le_master_disconn:
+	call p_le_disconnect
+	disable master
+	rtn	
+
Index: ModuleDemo/25_OTA/bt_demo/BT/patch/z.prog
===================================================================
--- /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/BT/patch/z.prog	(revision 4490)
+++ /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/BT/patch/z.prog	(working copy)
@@ -628,8 +628,7 @@
 	call p_ipc_rx_hci_data_two_byte
 	store 1,mem_hci_conn_handle
 	jam hci_cmd_auth,mem_hci_cmd
-	call p_hci_send_event_command_status
-	branch p_hci_send_linkkey_req_event
+	branch p_hci_send_event_command_status
 
 z_hci_parse_packet_cmd_ogf_link_control_set_connection_encryption:	//13
 	call p_ipc_rx_hci_data_two_byte
@@ -743,6 +742,7 @@
 	call p_hci_prepare_send_event_command_complete_with_status_success
 	fetch 1,mem_conn_handle
 	istore 2,contw
+	jam LMP_SUPERVISION_TIMEOUT,mem_lmo_opcode2
 	branch ipc_hci_tx_start
 
 z_hci_parse_packet_cmd_ogf_controller_and_baseband_write_eir:   //52
@@ -1117,10 +1117,15 @@
 	call p_ipc_rx_hci_data_two_byte// Opcode
 	fetcht 1,mem_conn_handle
 	isub temp,null
+	branch z_hci_parse_packet_cmd_ogf_vendorspecific_rtk_a3_event,zero
+	fetcht 1,mem_le_conn_handle
+	isub temp,null
 	nrtn zero
+z_hci_parse_packet_cmd_ogf_vendorspecific_rtk_a3_event:	
+	storet 1,mem_hci_conn_handle
 	arg 0x03,loopcnt
 	call p_hci_prepare_send_event_command_complete
-	fetch 1,mem_conn_handle
+	fetch 1,mem_hci_conn_handle
 	istore 2,contw
 	fetch 1,mem_rssi
 	call p_rssi_convert
@@ -1149,7 +1154,6 @@
 	istore 1,contw
 	//TODO: restore connection handle
 	fetch 1,mem_conn_handle
-	store 1,mem_hci_record_disc_conn_handle
 	branch ipc_hci_tx_start
 
 	/* temp is connection type 0=sco,1=acl */
@@ -1195,14 +1199,6 @@
 
 org z
 z_hci_send_mode_change:
-ifdef RF_DEBUG
-	jam 0x3f,0x8086
-	call rf_debug_active_sync_line
-endif
-ifdef RF_DEBUG
-	jam 0x3e,0x8086
-	call rf_debug_inactive_sync_line
-endif
 	jam 6,mem_mesh_event_para_total_length
 	jam HCI_EVENT_MODE_CHANGE,mem_mesh_event_head_event_code
 	call p_hci_prepare_send_event
@@ -1405,7 +1401,6 @@
 	fetch 1,mem_le_peer_sca
 	istore 1,contw	//master clock accuracy
 	fetch 1,mem_le_conn_handle
-	store 1,mem_hci_record_disc_conn_handle
 	branch ipc_hci_tx_start
 
 org z
Index: ModuleDemo/25_OTA/bt_demo/BT/sched/patch.dat
===================================================================
--- /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/BT/sched/patch.dat	(revision 4490)
+++ /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/BT/sched/patch.dat	(working copy)
@@ -3,12 +3,12 @@
 04   #mem_patch00
 40   #mem_patch01
 01   #mem_patch02
-40   #mem_patch03
+50   #mem_patch03
 11   #mem_patch04
 00   #mem_patch05
 04   #mem_patch06
-c0   #mem_patch07
-00   #mem_patch08
+c4   #mem_patch07
+10   #mem_patch08
 00   #mem_patch09
 00   #mem_patch0A
 31   #mem_patch0B
@@ -40,7 +40,7 @@
 07   #mem_patch25
 00   #mem_patch26
 c8   #mem_patch27
-02   #mem_patch28
+06   #mem_patch28
 88   #mem_patch29
 14   #mem_patch2A
 29   #mem_patch2B
Index: ModuleDemo/25_OTA/bt_demo/CM0/User/Drv_bt.c
===================================================================
--- /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/CM0/User/Drv_bt.c	(revision 4490)
+++ /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/CM0/User/Drv_bt.c	(working copy)
@@ -127,13 +127,22 @@
     uint16_t handle = 0;
     uint16_t totalLength = 0;
     uint8_t evtCode = 0;
+    //Avoid host use respin buffer
+    uint8_t evtBuffer[500];
     switch(type)
     {
         case H4_EVT:
             evtCode = *(dataPtr + 1);
             len = *(dataPtr + 2);
             totalLength = len+3;// 04 + evtCode(1) + length(1)
+            
+            //Avoid host use respin buffer
+            xmemcpy(evtBuffer,dataPtr,totalLength);
+            dataPtr = evtBuffer;
+
             Bt_HciParseEvt(evtCode, len, dataPtr + 3);
+
+            
             break;
         case H4_ACL:
             handle = (*(dataPtr + 1) << 0) |(*(dataPtr + 2) << 8);
Index: ModuleDemo/25_OTA/bt_demo/CM0/User/btreg.h
===================================================================
--- /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/CM0/User/btreg.h	(revision 4490)
+++ /YC1121E/SoftCode/1121EB/branch/HciDongle_MinZhan/ModuleDemo/25_OTA/bt_demo/CM0/User/btreg.h	(working copy)
@@ -1673,7 +1673,8 @@
 #define	mem_le_scan_window_temp                 	0x4e38
 #define	mem_zcode_buff_user                     	0x4e3a
 #define	mem_queue_init_flag                     	0x4f3a
-#define	mem_headset_end                         	0x4f3b
+#define	mem_efuse_64_bytes                      	0x4f3b
+#define	mem_headset_end                         	0x4f7b
 #define	mem_usb_mouse_data                      	0x4ace
 #define	mem_usb_kb_data                         	0x4ade
 #define	mem_usb_kb_multikey                     	0x4aee