Hi Johannes,
I found the 802.11 section on your website this morning, I don't know
why I didn't find it before. That's very interesting and you did
impressive work!! I don't understand when you say that you're not
interested in r4 microcode or higher, because it seems that there are
two different microcode descriptions, and it seems that the boundary is
between (r3,r4) and (r5), is that correct? From these links I can find
http://bcm-v4.sipsolutions.net/802.11/Microcode -> core revision 5.
Is that r5?
and
http://bcm-v4.sipsolutions.net/802.11/OldMicrocode -> core revision
4 and lower. Is that r3 and r4? Are they the same?
Have you tried to write your own MAC to see if it works?
Thank you very much,
FG
On Dec 3, 2007, at 11:38, Johannes Berg wrote:

> On Sun, 2007-12-02 at 15:55 +0100, Francesco Gringoli wrote:
>> Hi Johannes,
>> I read the interesting note you wrote in September about r4 ucode
>> reverse engineering. Do you have any new results since then?
>
> http://bcm-v4.sipsolutions.net/802.11/Microcode has a link to the old
> format too. I'm not particularly interested in the r4 format.
>
>> Did you understand what kind of core the bcm4318 is based on? From the
>> Broadcom website it should be a MIPS32 core (check http://www.broadcom.com/
>> products/Wireless-LAN/802.11-Wireless-LAN-Solutions, where they say that
>> "The AirForce family of network processors features MIPS32
>> processor...(cut)"). It's interesting that you found a 6-bit
>> prefix, like in MIPS!
>
> Nope, I don't think it's MIPS. I think "AirForce network processor"
> refers to the whole integrated thing that can be used as a full-MAC
> chipset or a whole access point etc.
>
>> Before reading your post I came to these conclusions:
>> - all odd words begin with zero (or a couple of them, this depends
>> on the firmware version). This led me to think of 8-byte-wide
>> instructions. Unfortunately both MIPS32 and MIPS64 use 32-bit-wide
>> instructions. No MIPS?
>> - odd words are control codes to check the even words' correctness during
>> firmware upload: unfortunately there are a lot of even words repeated
>> throughout the code with different paired odd words. Did you try to
>> change some values randomly and see what happens?
>> - disassembling the code after having cut out the odd words leads to MIPS
>> assembly without ret instructions. There is no code to handle
>> IRQs either.
>
> You want to read the above link and what is linked from it.
>
>> I also tried to change endianness but didn't find anything more
>> interesting.
>> By the way, do you think that a complete reverse engineering could
>> give us a platform to test new MAC methodologies? E.g. do you think
>> it would be possible to change timings or medium control?
>
> Yes.
>
> johannes
%%%%%%%%%%%%%%%%%%%%%
Francesco Gringoli, PhD - Assistant Professor
Dept. of Electrical Engineering for Automation
University of Brescia
via Branze, 38
25123 Brescia
ITALY
Ph: ++39.030.3715843
FAX: ++39.030.380014
WWW: http://www.ing.unibs.it/~gringoli
%%%%%%%%%%%%%%%%%%%%%
_______________________________________________
Bcm43xx-dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
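The word-pattern survey Francesco describes in the quoted mail (checking whether every odd 32-bit word is zero, inferring an 8-byte instruction width from that, histogramming a 6-bit opcode prefix, and spotting even words that repeat with different odd partners) is the kind of thing one scripts before reaching for a disassembler. The script below is an added example and is not code from this thread or from the bcm43xx project; the firmware blob it analyses is constructed in the script to exhibit exactly that pattern and is not Broadcom microcode, and the choice of which half of each 8-byte slot is the "even" word is an assumption taken from the mail.

```python
"""Survey the word structure of a firmware blob to guess instruction
width and opcode-field size.  Added example; sample data is constructed."""
import struct
from collections import Counter


def make_sample_blob() -> bytes:
    """Constructed sample: six 8-byte slots whose first 32-bit word carries
    content and whose second 32-bit word is zero.  Not real microcode."""
    firsts = [0x1C0A0001, 0x1C0A0002, 0x2E030000,
              0x0C000011, 0x1C0A0001, 0x3F00FFFF]
    return b"".join(struct.pack(">II", w, 0) for w in firsts)


def survey(blob: bytes, word_bytes: int = 4, group: int = 2,
           byteorder: str = "big", prefix_bits: int = 6) -> dict:
    """Split `blob` into `word_bytes`-wide words, group them `group` at a
    time (pairs model the 8-byte instructions suspected in the thread) and
    report:
      * per position in the group, the fraction of words that are zero
        (a position that is always zero suggests a wider instruction),
      * a histogram of the top `prefix_bits` bits of the position-0
        ("even") words, a candidate opcode field,
      * even words that occur more than once, which is what makes the
        "odd word is a per-instruction check value" hypothesis unlikely
        when the same even word pairs with different odd words.
    Assumption: position 0 of each group is the content-carrying word."""
    slot = word_bytes * group
    if not blob or len(blob) % slot:
        raise ValueError("blob is empty or not a whole number of slots")
    words = [int.from_bytes(blob[i:i + word_bytes], byteorder)
             for i in range(0, len(blob), word_bytes)]
    groups = [tuple(words[i:i + group]) for i in range(0, len(words), group)]

    zero_fraction = [
        sum(1 for g in groups if g[pos] == 0) / len(groups)
        for pos in range(group)
    ]
    even = [g[0] for g in groups]
    shift = word_bytes * 8 - prefix_bits
    return {
        "groups": len(groups),
        "zero_fraction_by_position": zero_fraction,
        "prefix_histogram": dict(Counter(w >> shift for w in even)),
        "repeated_even_words": {w: n for w, n in Counter(even).items() if n > 1},
    }


if __name__ == "__main__":
    blob = make_sample_blob()
    for order in ("big", "little"):
        print(order, survey(blob, byteorder=order))
```

Running it with both byte orders shows why flipping endianness of the 32-bit words, as Francesco tried, does not change the picture: a zero word is zero in either order, so the all-zero odd position survives the flip and only the prefix histogram of the even words moves. On a real image you would feed the file contents to `survey` and watch how the zero fraction and the number of distinct prefixes change as you vary `word_bytes`, `group` and `prefix_bits`.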