Microcode reverse engineering
Hi Johannes,

I'm currently involved in a project that requires changing a few MAC timings and other stuff: this is the reason I'm very interested in decoding the Broadcom firmware, it could be a good development platform without having to buy code and sign NDAs.

I spent a couple of days trying to collect all documents about what Broadcom had acquired before 1999 and that could have been implemented into AirForce MAC processors. I didn't find anything that explicitly said "we are using this core". I now have a few conjectures about the library used to build the chip, let's say a few candidates:

- E14 Firepath
- TriMedia CPU64
- A kind of ARM core mixed with an FPGA lib

I discovered some patents talking about wifi networks and the CPUs above. Do you have any idea? I also discovered this URL http://www.arm.com/iqonline/news/partnernews/15399.html, check it out for future drivers.

And I would be very pleased to know how you worked out the meaning of the opcodes on the website.

Thank you very much for your time,
cheers,
FG

%
Francesco Gringoli, PhD - Assistant Professor
Dept. of Electrical Engineering for Automation
University of Brescia
via Branze, 38
25123 Brescia
ITALY
Ph: ++39.030.3715843
FAX: ++39.030.380014
%

___
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: Microcode reverse engineering
It could also be the case that the opcodes on the website aren't opcodes to a real CPU, but that they are executed by a VM. So they could have used a MIPS, now an ARM CPU, and as long as the VM is implemented in one of those languages, it would be able to execute the uCode.

That's just speculation, though.
Re: Microcode reverse engineering
Hi,

> I'm currently involved in a project that requires changing a few MAC timings and other stuff: this is the reason I'm very interested in decoding the Broadcom firmware, it could be a good development platform without having to buy code and sign NDAs.

It could, if we understood how it worked.

> I spent a couple of days trying to collect all documents about what Broadcom had acquired before 1999 and that could have been implemented into AirForce MAC processors. I didn't find anything that explicitly said "we are using this core". I now have a few conjectures about the library used to build the chip, let's say a few candidates:
>
> - E14 Firepath
> - TriMedia CPU64
> - A kind of ARM core mixed with an FPGA lib
>
> I discovered some patents talking about wifi networks and the CPUs above. Do you have any idea? I also discovered this URL http://www.arm.com/iqonline/news/partnernews/15399.html, check it out for future drivers.

Hmm. I sort of did similar research a while ago but never found anything I thought was related. I'm pretty sure though that for example tg3 ethernet uses MIPS cores.

> And I would be very pleased to know how you worked out the meaning of the opcodes on the website.

Well, we simply tried all those we found in existing firmware by running them on the device and seeing what changed, and then applied some common sense to fill the gaps.

johannes
Re: Microcode reverse engineering
> It could also be the case that the opcodes on the website aren't opcodes to a real CPU, but that they are executed by a VM. So they could have used a MIPS, now an ARM CPU, and as long as the VM is implemented in one of those languages, it would be able to execute the uCode.
>
> That's just speculation, though.

And a crazy one at that. These things are supposed to use little power. Also, look at the opcode/operand set for a minute and you'll realise that it's quite specific to the memories/registers the hardware has.

johannes
Re: Microcode reverse engineering
On Tuesday 04 December 2007 14:51:50 Holger Schurig wrote:
> It could also be the case that the opcodes on the website aren't opcodes to a real CPU,

Broadcom calls this a Programmable State Machine.

But what is this all about? Why do you care what type of CPU this is? Does this matter _at_ _all_? I mean, we know all opcodes of the device and we have a _complete_ disassembler and assembler.

http://git.bu3sch.de/git/b43-tools.git

What do you want more? The only thing we don't completely understand are the various device registers and device status codes (external jumps) used. But that has nothing to do with the type of the CPU used.

--
Greetings Michael.
Re: Microcode reverse engineering
On Tue, 4 Dec 2007 13:23:47 +0100 Francesco Gringoli [EMAIL PROTECTED] wrote:
> I spent a couple of days trying to collect all documents about what Broadcom had acquired before 1999 and that could have been implemented into AirForce MAC processors. I didn't find anything that explicitly said "we are using this core". I now have a few conjectures about the library used to build the chip, let's say a few candidates:
>
> - E14 Firepath
> - TriMedia CPU64
> - A kind of ARM core mixed with an FPGA lib
>
> I discovered some patents talking about wifi networks and the CPUs above. Do you have any idea?

Why are you interested in this? I mean, you have been provided with the complete instruction set and an almost complete list of registers. You have been provided with a driver which can give you ucode register values in real time. What else do you need? To me, it looks like you want other people to do your homework.

If you could put your efforts into writing specs for firmware operation (i.e. not the instruction set, but what exactly the firmware does) or writing an open firmware based upon the info I listed above (you can do that, there's an Italian 'fair use' law, so if you reverse engineer and code together for compatibility purposes only, it's perfectly legal), it would be just great. We are short on people here. I just can't do any reverse engineering because I would get tainted (I live in Italy too, but I'm working with other people who are based elsewhere), same for Michael, and we couldn't go on with driver development then. I'm willing to help with a firmware rewrite (that wouldn't taint me, as long as I'm given clean specs), and your work on reverse engineering would be greatly appreciated then.

--
Ciao
Stefano
Re: Microcode reverse engineering
Hi Michael,

>> It could also be the case that the opcodes on the website aren't opcodes to a real CPU,
>
> Broadcom calls this a Programmable State Machine.
>
> But what is this all about? Why do you care what type of CPU this is? Does this matter _at_ _all_? I mean, we know all opcodes of the device and we have a _complete_ disassembler and assembler.
>
> http://git.bu3sch.de/git/b43-tools.git

Can't you put this on the web site? Only a small link...

> What do you want more? The only thing we don't completely understand are the various device registers and device status codes (external jumps) used. But that has nothing to do with the type of the CPU used.

Yes, you are right. I will now use the tool to better understand the device. Thank you very much. You did a great job!

FG
Re: Microcode reverse engineering
On Tuesday 04 December 2007 18:13:01 Stefano Brivio wrote:
> If you could put your efforts into writing specs for firmware operation (i.e. not the instruction set, but what exactly the firmware does) or writing an open firmware based upon the info I listed above (you can do that, there's an Italian 'fair use' law, so if you reverse engineer and code together for compatibility purposes only, it's perfectly legal), it would be just great. We are short on people here. I just can't do any reverse engineering because I would get tainted (I live in Italy too, but I'm working with other people who are based elsewhere), same for Michael, and we couldn't go on with driver development then. I'm willing to help with a firmware rewrite (that wouldn't taint me, as long as I'm given clean specs), and your work on reverse engineering would be greatly appreciated then.

That interoperability (or compatibility) clause also exists in Germany, but we decided to _not_ make use of it, as it's basically undefined what interoperability is. And I don't want to trigger the precedent case at court for this.

--
Greetings Michael.