injection without using the queue works

seemoo-lab · Oct 11, 2016 · f0a22a3 · f0a22a3
1 parent b699710
commit f0a22a3
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 23 deletions.
diff --git a/firmware_patching/include/structs.h b/firmware_patching/include/structs.h
@@ -27,6 +27,10 @@ struct wl_rxsts {
     uint8 rssi;
 } __attribute__((packed));
 
+struct wlc_txh_info {
+    uint8 PAD[80];
+} __attribute__((packed));
+
 struct osl_info {
 	unsigned int pktalloced;
 	int PAD[1];
@@ -40,9 +44,15 @@ typedef struct sk_buff {
     struct sk_buff *head;        /* 0x04 */
 	void *data;                 /* 0x08 */
 	short len;                  /* 0x0c */
-    int PAD;                    /* 0x0e */
-    int PAD;                    /* 0x12 */
+    short PAD;                  /* 0x0e */
+    int PAD;                    /* 0x10 */
+    short PAD;                  /* 0x14 */
     struct sk_buff *prev;       /* 0x16 */
+    short PAD;                  /* 0x1a */
+    int PAD;                    /* 0x1c */
+    int PAD;                    /* 0x20 */
+    int PAD;                    /* 0x24 */
+    void *scb;                  /* 0x28 */
 } __attribute__((packed)) sk_buff;
 
 struct tunables {

diff --git a/firmware_patching/include/wrapper.c b/firmware_patching/include/wrapper.c
@@ -68,6 +68,12 @@
     #define AT(CHIPVER, FWVER, ADDR)
 #endif
 
+
+AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x9F38)
+int
+wlc_d11hdrs(void *wlc, void *p, void *scb, int short_preamble, int frag, unsigned int nfrag, unsigned int queue, int next_frag_len, int key, int rate_override)
+RETURN_DUMMY
+
 AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x4E44)
 void *
 dma_rx(void *di)
@@ -103,16 +109,41 @@ int
 osl_pktfree(void *a1, void *a2, int a3)
 RETURN_DUMMY
 
+AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x62A4)
+int
+osl_pktfree_plus4(void *a1, void *a2, int a3)
+RETURN_DUMMY
+
 AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x625C)
 void *
 pkt_buf_get_skb(void *osh, unsigned int len)
 RETURN_DUMMY
 
+AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x6260)
+void *
+pkt_buf_get_skb_plus4(void *osh, unsigned int len)
+RETURN_DUMMY
+
+AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x804B64)
+void *
+pktq_mdeq(int a1, int a2, int *a3)
+RETURN_DUMMY
+
 AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x803B60)
 int
 printf(const char *format, ...)
 RETURN_DUMMY
 
+AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x8081F0)
+unsigned int
+udelay(int a1)
+RETURN_DUMMY
+
+AT(CHIP_VER_BCM43438, FW_VER_ALL, 0xF4A8)
+int
+wlc_txfifo(void *wlc, int fifo, void *p, void *txh, unsigned int commit, int txpktpend)
+RETURN_DUMMY
+
 AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x80506C)
 int
 wf_chspec_malformed(unsigned short chanpsec)
@@ -154,6 +185,12 @@ int
 wlc_sendctl(void *wlc, void *p, void *qi, void *scb, unsigned int fifo, unsigned int rate_override, char enq_only)
 RETURN_DUMMY
 
+
+AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x9DEA)
+void *
+wlc_get_txh_info(void *wlc, void *p, void *txh)
+RETURN_DUMMY
+
 AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x82ABEC)
 int
 wlc_iovar_op(void *wlc, char *varname, void *params, int p_len, void *arg, int len, char set, void *wlcif)
@@ -174,6 +211,11 @@ void *
 wlc_scb_lookup(void *wlc, void *bsscfg, char *ea, int bandunit)
 RETURN_DUMMY
 
+AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x81F80C)
+int
+wlc_pdu_txhdr(void *wlc, void *p, void *scb)
+RETURN_DUMMY
+
 AT(CHIP_VER_BCM43438, FW_VER_ALL, 0x44EC0)
 void *
 wlc_ucode_download(void *wlc_hw)

diff --git a/firmware_patching/monitor_mode/Makefile b/firmware_patching/monitor_mode/Makefile
@@ -1,6 +1,7 @@
 #SRCS=$(wildcard *.c) ucode_compressed.c
 SRCS=$(wildcard *.c)
 OBJS=$(SRCS:.c=.o)
+Q=@
 
 NEXMON_CHIP=CHIP_VER_BCM43438
 NEXMON_FW_VERSION=FW_VER_7_45_41_26_r640327
@@ -57,8 +58,8 @@ patch.elf: patch.ld patch.o wrapper.o $(OBJS)
 brcmfmac43430-sdio.bin: patch.elf $(ORIG_FW)
 	cp $(ORIG_FW) $@
 	$(CC)objcopy -O binary -j .text.patch $< section.generated.bin && dd if=section.generated.bin of=$@ bs=1 conv=notrunc seek=$$((0x12110))
-	make -f patch.generated.mk
-	make -f flashpatch.generated.mk
+	make -f patch.generated.mk Q=$(Q)
+	make -f flashpatch.generated.mk Q=$(Q)
 
 #fw_bcmdhd.complete.bin : fw_bcmdhd.bin ../../bootimg_src/firmware/rom.bin
 #	dd if=../../bootimg_src/firmware/rom.bin of=$@ bs=1

diff --git a/firmware_patching/monitor_mode/patch.c b/firmware_patching/monitor_mode/patch.c
@@ -52,7 +52,7 @@
 #include <wrapper.h>	// wrapper definitions for functions that already exist in the firmware
 #include <structs.h>	// structures that are used by the code in the firmware
 #include <patcher.h>
-//#include "../include/helper.h"
+//#include <helper.h>
 #include "ieee80211_radiotap.h"
 #include "radiotap.h"
 #include "d11.h"
@@ -381,21 +381,19 @@ wl_monitor_hook(struct wl_info *wl, struct wl_rxsts *sts, struct sk_buff *p) {
 void *
 inject_frame(sk_buff *p) {
     int rtap_len = 0;
-    int data_rate = 0;
 
     //needed for sending:
     struct wlc_info *wlc = WLC_INFO_ADDR;
-    void *bsscfg = 0;
-
+    int short_preamble = 0;
+    struct wlc_txh_info txh = {0};
+    int data_rate = 0;
     //Radiotap parsing:
     struct ieee80211_radiotap_iterator iterator;
     struct ieee80211_radiotap_header *rtap_header;
 
-    // remove bdc header
-    skb_pull(p, 4);
-
     //parse radiotap header
     rtap_len = *((char *)(p->data + 2));
+
     rtap_header = (struct ieee80211_radiotap_header *) p->data;
 
     int ret = ieee80211_radiotap_iterator_init(&iterator, rtap_header, rtap_len);
@@ -417,26 +415,34 @@ inject_frame(sk_buff *p) {
                 break;
         }
     }
-
+    
     //remove radiotap header
     skb_pull(p, rtap_len);
 
-    bsscfg = wlc_bsscfg_find_by_wlcif(wlc, 0);
+    //inject frame without using the queue
+    if(wlc->band->hwrs_scb) {
+        wlc_d11hdrs(wlc, p, wlc->band->hwrs_scb, short_preamble, 0, 1, 1, 0, 0, data_rate);
+
+        p->scb = wlc->band->hwrs_scb;
 
-    //TODO last parameter is the rate, currently fix on 1MBit
-    wlc_sendctl(wlc, p, *(int **)((*((int *)(bsscfg + 0xC))) + 0xC), wlc->band->hwrs_scb, 1, data_rate, 0);
-    //printf("wlc_sendctl() ret: %d\n", ret2);
+        wlc_get_txh_info(wlc, p, &txh);
+
+        wlc_txfifo(wlc, 1, p, &txh, 1, 1);
+    } else {
+        printf("no scb found, discarding packet!\n");
+        osl_pktfree(wlc->osh, p, 0);
+    }
 
     return 0;
 }
 
 void *
-handle_sdio_xmit_request_hook(void *sdio_hw, struct sk_buff *p) {
-    //printf("sdio xmit req hook!\n");
-    return inject_frame(p);
+wlc_sdio_hook(int a1, int a2, struct sk_buff *p)
+{
+    inject_frame(p);
+    return 0;
 }
 
-
 int
 wlc_recvdata_hook(void *wlc, void *osh, void *rxh, void *p) {
     return osl_pktfree(osh, p, 0);
@@ -445,5 +451,5 @@ wlc_recvdata_hook(void *wlc, void *osh, void *rxh, void *p) {
 __attribute__((at(0x1210C, "", CHIP_VER_BCM43438, FW_VER_ALL)))
 BPatch(wlc_recvdata_hook, wlc_recvdata_hook);
 
-__attribute__((at(0x3A66, "", CHIP_VER_BCM43438, FW_VER_ALL)))
-BLPatch(handle_sdio_xmit_request_hook, handle_sdio_xmit_request_hook);
+__attribute__((at(0x7EF8, "", CHIP_VER_BCM43438, FW_VER_ALL)))
+BPatch(wlc_sdio_hook, wlc_sdio_hook);
diff --git a/firmware_patching/monitor_mode/patch.ld b/firmware_patching/monitor_mode/patch.ld
@@ -2,7 +2,7 @@ MEMORY
 {
     ram : ORIGIN = 0x0, LENGTH = 512K
     rom : ORIGIN = 0x800000, LENGTH = 640K
-    /* override wlc_recvdata */
+    /* override wlc_recvdata + 4 */
     patch : ORIGIN = 0x12110, LENGTH = 2296
 }