Re: microcode reverse engineering
Please (1) post in plain text (2) don't top-post (3) don't full-quote

> I found the 802.11 section on your website this morning, I don't know
> why I didn't find it before. That's very interesting and you did
> impressive work!! I don't understand when you say that you're not
> interested in r4 microcode or higher

I'm not interested in r4 or *lower*. Maybe I made a mistake before.

> because it seems that there are two different microcode descriptions
> and it seems that the boundary is between (r3,r4) and (r5), is that
> correct? From these links I can find
>
> http://bcm-v4.sipsolutions.net/802.11/Microcode -> core revision 5.
> Is that r5?

r5 and up.

> http://bcm-v4.sipsolutions.net/802.11/OldMicrocode -> core revision
> 4 and lower. Is that r3 and r4? Are they the same?

r4 and down.

> Have you tried to write your own mac to see if it works?

No. Far too many unknowns still.

johannes

___
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: microcode reverse engineering
Hi Johannes,

I found the 802.11 section on your website this morning, I don't know why I didn't find it before. That's very interesting and you did impressive work!! I don't understand when you say that you're not interested in r4 microcode or higher, because it seems that there are two different microcode descriptions and it seems that the boundary is between (r3,r4) and (r5), is that correct? From these links I can find

http://bcm-v4.sipsolutions.net/802.11/Microcode -> core revision 5. Is that r5?

and

http://bcm-v4.sipsolutions.net/802.11/OldMicrocode -> core revision 4 and lower. Is that r3 and r4? Are they the same?

Have you tried to write your own mac to see if it works?

Thank you very much,
FG

On Dec 3, 2007, at 11:38, Johannes Berg wrote:

> On Sun, 2007-12-02 at 15:55 +0100, Francesco Gringoli wrote:
>> Hi Johannes,
>>
>> I read the interesting note you wrote in September about r4 ucode reverse engineering. Have you new results since then?
>
> http://bcm-v4.sipsolutions.net/802.11/Microcode has a link to the old format too. I'm not particularly interested in the r4 format.
>
>> Did you understand what kind of core bcm4318 is based on? From the broadcom website it should be a MIPS32 core (check http://www.broadcom.com/products/Wireless-LAN/802.11-Wireless-LAN-Solutions; they say that "The AirForce family of network processors features MIPS32 processor...(cut)"). It's interesting that you found out a 6 bit prefix, like in MIPS!
>
> Nope, I don't think it's MIPS. I think "AirForce network processor" refers to the whole integrated thing that can be used as a full-mac chipset or a whole access point etc.
>
>> Before reading your post I came to these conclusions
>>
>> - all odd words begin with zero (or a couple of them, this depends on the firmware version). This led me to think of 8 byte wide instructions. Unfortunately both mips32 and mips64 use 32bit wide instructions. No mips?
>> - odd words are control codes to check even words' correctness during firmware upload: unfortunately there are a lot of even words repeated throughout the code with different paired odd words. Did you try to change randomly some values and see what happens?
>> - disassembling the code after having cut out odd words leads to MIPS assembly without ret instructions. There is no code to handle IRQ either.
>
> You want to read the above link and what is linked from it.
>
>> I also tried to change endianness but didn't find anything more interesting.
>>
>> By the way, do you think that a complete reverse engineering could give us a platform to test new MAC methodologies? E.g. do you think it would be possible to change timings or medium control?
>
> Yes.
>
> johannes

%
Francesco Gringoli, PhD - Assistant Professor
Dept. of Electrical Engineering for Automation
University of Brescia
via Branze, 38
25123 Brescia
ITALY

Ph: ++39.030.3715843
FAX: ++39.030.380014
WWW: http://www.ing.unibs.it/~gringoli
%
Re: microcode reverse engineering
On Sun, 2007-12-02 at 15:55 +0100, Francesco Gringoli wrote:
> Hi Johannes,
>
> I read the interesting note you wrote in September about r4 ucode
> reverse engineering. Have you new results since then?

http://bcm-v4.sipsolutions.net/802.11/Microcode has a link to the old format too. I'm not particularly interested in the r4 format.

> Did you
> understand what kind of core bcm4318 is based on? From the broadcom
> website it should be a MIPS32 core (check
> http://www.broadcom.com/products/Wireless-LAN/802.11-Wireless-LAN-Solutions;
> they say that "The AirForce family of network processors features MIPS32
> processor...(cut)"). It's interesting that you found out a 6 bit
> prefix, like in MIPS!

Nope, I don't think it's MIPS. I think "AirForce network processor" refers to the whole integrated thing that can be used as a full-mac chipset or a whole access point etc.

> Before reading your post I came to these conclusions
>
> - all odd words begin with zero (or a couple of them, this depends
> on the firmware version). This led me to think of 8 byte wide
> instructions. Unfortunately both mips32 and mips64 use 32bit wide
> instructions. No mips?
> - odd words are control codes to check even words' correctness during
> firmware upload: unfortunately there are a lot of even words repeated
> throughout the code with different paired odd words. Did you try to
> change randomly some values and see what happens?
> - disassembling the code after having cut out odd words leads to MIPS
> assembly without ret instructions. There is no code to handle IRQ either.

You want to read the above link and what is linked from it.

> I also tried to change endianness but didn't find anything more
> interesting.
>
> By the way, do you think that a complete reverse engineering could
> give us a platform to test new MAC methodologies? E.g. do you think
> it would be possible to change timings or medium control?

Yes.

johannes
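The word-level observations Francesco reports above (odd 32-bit words starting with zero, a 6-bit prefix on the even words, trying both endiannesses) are the kind of statistics one collects before committing to an instruction-width hypothesis. The script below is an added example, not code from this thread, from the bcm43xx project or from the bcm-v4 documentation: it splits a blob into 32-bit words, measures how often the odd and even words have a zero top byte, and histograms the top 6 bits of each half. The firmware blob it runs on is constructed inline for illustration and is not real Broadcom ucode, so the numbers it produces say nothing about the actual chip; the 6-bit prefix width and the "8-byte pairs" threshold are assumptions taken from the discussion, not a known property of the format.

```python
"""Word-pattern statistics for an instruction-width hypothesis.

Added example (not from the bcm43xx-dev thread or project). Given a raw
firmware blob, report how often odd/even 32-bit words have a zero top
byte and what the top PREFIX_BITS of each half look like, as one would
do before deciding whether the image is made of 8-byte instruction pairs.
"""
import struct
from collections import Counter

PREFIX_BITS = 6  # candidate opcode-field width discussed in the thread (assumption)


def split_words(blob: bytes, endian: str = "<"):
    """Split the blob into 32-bit words; a trailing partial word is dropped."""
    n = len(blob) // 4
    return list(struct.unpack(f"{endian}{n}I", blob[: n * 4]))


def zero_top_byte_ratio(words, parity: int) -> float:
    """Fraction of words at index parity (0 = even, 1 = odd) whose top byte is 0."""
    sel = words[parity::2]
    if not sel:
        return 0.0
    return sum(1 for w in sel if (w >> 24) == 0) / len(sel)


def prefix_histogram(words, bits: int = PREFIX_BITS) -> Counter:
    """Histogram of the top `bits` bits of each word (candidate opcode field)."""
    shift = 32 - bits
    return Counter(w >> shift for w in words)


def analyse(blob: bytes, endian: str = "<", bits: int = PREFIX_BITS) -> dict:
    """Collect the per-parity statistics for one endianness assumption."""
    words = split_words(blob, endian)
    odd_zero = zero_top_byte_ratio(words, 1)
    even_zero = zero_top_byte_ratio(words, 0)
    return {
        "endian": endian,
        "even_zero_top": even_zero,
        "odd_zero_top": odd_zero,
        "even_prefixes": prefix_histogram(words[0::2], bits),
        "odd_prefixes": prefix_histogram(words[1::2], bits),
        # Heuristic only: odd words almost always zero-topped while even
        # words are not is consistent with 8-byte (word-pair) instructions.
        "pairs_look_64bit": odd_zero > 0.9 and even_zero < 0.5,
    }


# Constructed sample: six (even, odd) word pairs whose odd words have a
# zero top byte. This is made-up data, not real microcode.
SAMPLE_PAIRS = [
    (0x8C010004, 0x00000010),
    (0x9401000C, 0x00002200),
    (0x8C010004, 0x00000018),
    (0xAC050000, 0x0000A0F0),
    (0x10400003, 0x00000000),
    (0x8C010008, 0x000000FF),
]
SAMPLE_BLOB = b"".join(struct.pack("<II", e, o) for e, o in SAMPLE_PAIRS)


def report(blob: bytes) -> str:
    """Human-readable comparison of both endianness assumptions."""
    lines = []
    for endian in ("<", ">"):
        r = analyse(blob, endian)
        lines.append(
            f"endian {endian}: even zero-top {r['even_zero_top']:.2f}, "
            f"odd zero-top {r['odd_zero_top']:.2f}, "
            f"even prefixes {dict(r['even_prefixes'])}, "
            f"pairs_look_64bit={r['pairs_look_64bit']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_BLOB))
```

Run it on a real image by reading the file into `analyse()`; comparing the `<` and `>` rows is the endianness check Francesco mentions, and a prefix histogram that collapses to a handful of values on one half but not the other is the signal worth following up, not proof of any particular ISA.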