Hi Johannes,

I read the interesting note you wrote in September about r4 ucode reverse engineering. Do you have any new results since then? Did you work out what kind of core the bcm4318 is based on? According to the Broadcom website it should be a MIPS32 core (see http://www.broadcom.com/products/Wireless-LAN/802.11-Wireless-LAN-Solutions, where they say that "The AirForce family of network processors features MIPS32 processor...(cut)"). It's interesting that you found a 6-bit prefix, like in MIPS!
Before reading your post I had come to these conclusions:

- All odd words begin with zero (or a couple of them do, depending on the firmware version). This led me to think of 8-byte-wide instructions. Unfortunately both MIPS32 and MIPS64 use 32-bit-wide instructions. No MIPS?
- Odd words are control codes to check the correctness of the even words during firmware upload: unfortunately there are a lot of even words repeated throughout the code with different paired odd words. Did you try changing some values at random and seeing what happens?
- Disassembling the code after cutting out the odd words leads to MIPS assembly without ret instructions. There is also no code to handle IRQs.

I also tried changing the endianness but didn't find anything more interesting.

By the way, do you think that a complete reverse engineering could give us a platform to test new MAC methodologies? E.g. do you think it would be possible to change timings or medium control?

Cheers,
FG

_______________________________________________
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
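The hypotheses raised in the message above (odd words starting with zero, a 6-bit opcode prefix, even words recurring with different odd partners, endianness) are the kind of thing one checks statistically before committing to a disassembler. The script below is an added example, not code from the thread or from the bcm43xx project: it splits a blob into 32-bit words, pairs them into candidate 64-bit slots, and reports how often the odd word is zero or has a zero top byte, a histogram of the top 6 bits of the even words, and how many even words appear with more than one odd partner (which rules out the odd word being a pure function of the even word, such as a checksum). The blob it runs on is constructed for the example and is not real microcode; the functions and field widths are assumptions for illustration.

```python
"""Added example: statistical probes for an unknown microcode blob.
Not from the bcm43xx-dev thread; the sample blob below is constructed."""
import struct
from collections import Counter, defaultdict


def split_words(blob, endian="<"):
    """Interpret blob as 32-bit words; endian is '<' (little) or '>' (big).
    Trailing bytes that do not form a full word are ignored."""
    n = len(blob) // 4
    return list(struct.unpack("%s%dI" % (endian, n), blob[:n * 4]))


def pair_words(words):
    """Group consecutive words into (even, odd) pairs: candidate 64-bit slots."""
    return list(zip(words[0::2], words[1::2]))


def odd_word_stats(pairs):
    """Fraction of odd words that are entirely zero, and fraction whose top
    byte is zero (the 'odd words begin with zero' observation)."""
    total = len(pairs)
    if total == 0:
        return {"all_zero": 0.0, "top_byte_zero": 0.0}
    all_zero = sum(1 for _, odd in pairs if odd == 0)
    top_zero = sum(1 for _, odd in pairs if (odd >> 24) == 0)
    return {"all_zero": all_zero / total, "top_byte_zero": top_zero / total}


def opcode_histogram(pairs, bits=6):
    """Histogram of the top `bits` bits of each even word (assumed MIPS-style
    opcode field). A real ISA concentrates mass on a few values; random data
    spreads it roughly evenly over all 2**bits buckets."""
    shift = 32 - bits
    return Counter(even >> shift for even, _ in pairs)


def inconsistent_even_words(pairs):
    """Even words that occur more than once with different odd partners.
    If the odd word were a checksum or other pure function of the even word,
    this dict would be empty."""
    partners = defaultdict(set)
    for even, odd in pairs:
        partners[even].add(odd)
    return {even: odds for even, odds in partners.items() if len(odds) > 1}


def analyze(blob):
    """Run every check under both endiannesses; returns a dict keyed by '<' and '>'."""
    out = {}
    for endian in ("<", ">"):
        pairs = pair_words(split_words(blob, endian))
        out[endian] = {
            "pairs": len(pairs),
            "odd": odd_word_stats(pairs),
            "prefixes": opcode_histogram(pairs),
            "inconsistent": len(inconsistent_even_words(pairs)),
        }
    return out


# Constructed sample (NOT real bcm43xx microcode): eight little-endian pairs whose
# even words use only three 6-bit prefixes (0x08, 0x23, 0x2B), whose odd words all
# have a zero top byte, and in which even word 0x23000042 recurs with two
# different odd partners.
SAMPLE_PAIRS = [
    (0x20010005, 0x00000001),
    (0x23000042, 0x00001234),
    (0x8C820000, 0x00000000),
    (0xAC820004, 0x0000ABCD),
    (0x23000042, 0x00000010),
    (0x20020000, 0x00000000),
    (0x8C830008, 0x00000007),
    (0x23000042, 0x00000010),
]
SAMPLE_BLOB = b"".join(struct.pack("<II", e, o) for e, o in SAMPLE_PAIRS)


if __name__ == "__main__":
    for endian, result in analyze(SAMPLE_BLOB).items():
        print("endian %s: %d pairs, odd-word stats %s" % (endian, result["pairs"], result["odd"]))
        print("  prefix histogram:", dict(result["prefixes"]))
        print("  even words with >1 odd partner:", result["inconsistent"])
```

Reading the output for a real blob: the endianness under which the odd words' top bytes are consistently zero is the one worth pursuing (the wrong byte order scatters those zeros elsewhere in the word), a prefix histogram with a handful of dominant buckets supports a fixed opcode field of that width, and a non-empty `inconsistent_even_words` result means the odd word carries information of its own rather than just validating the even word.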