Disassembling is allowed in the EU in specific cases, these might be enough to write a free driver. I don't know how it's done in other jurisdictions. People who reverse engineer firmware for other devices do disassemble it. All firmware with free replacements has nonfree licenses, it's not sourceless GPLed code: it's possible to do it and have it included in distros without getting sued.
I haven't found more information on firmware format except for it being 8051 code loaded at addresses specified in the driver sources, probably some initial bytes are a header and the code follows. If you can load custom firmware and get some output from it, you might be able to find other useful details from the bootrom or experiments with your firmware.
pgpH44o4HAF5R.pgp
Description: PGP signature