
added new bcm4366 definitions and scripts.

matthiasseemoo committed Sep 7, 2018
1 parent d5fd586 commit 982c71b0d622e51b890a13b3024de6c69d07dc5d
@@ -19,3 +19,5 @@ Galaxy S7 (SM-G930T) | 9.75.155.45_sta_C0 | 0x14e4 | 0x4415 | 0x1903e
MacbookPro12,1 | 7.21.171.130.1a1 | 0x14e4 | 0x43ba | 0x72069 | 0xaa52 | 0x1 | 0x0 | 0x31 | 0x133 | 0x106b | P318 | 0x715ab82 | 0x3a9cd71 | 0x1 | 0xb | 0x12 | 0x0 | 0
MacBookPro13,2 | 7.21.171.130.1a1 | 0x14e4 | 0x43ba | 0xd2069 | 0xaa52 | 0x2 | 0x1 | 0x31 | 0x157 | 0x106b | P108 | 0x715ab82 | 0x3a9cd71 | 0x1 | 0xb | 0x12 | 0x0 | 0
ASUS RT-AC86U | | 0x14e4 | 0x43c4 | 0x2103eb | 0xaa92 | 0x4 | 0x0 | 0x41 | 0x797 | 0x14e4 | P102 | 0xa0a7a14 | 0x0 | 0x0 | 0xb | 0x21 | 0x0 | 0
ASUS RT-AC86U | | 0x14e4 | 0x43c5 | 0x2103eb | 0xaa90 | 0x4 | 0x0 | 0x41 | 0x798 | 0x14e4 | P102 | 0xa0a7a14 | 0x0 | 0x0 | 0xb | 0x21 | 0x0 | 0
unknown | 10.10.69.6908 | 0x14e4 | 0x43c3 | 0x2103eb | 0x4366 | 0x4 | 0x4 │ 0x41 | 0x86fb | 0x1043 | P143 | 0xa0a451a | 0x4310243 | 0x0 | 0xb | 0x21 | 0x0 | 0x0
@@ -29,6 +29,7 @@ int fp_config_end = 0;
int ram_start = 0x180000;
int rom_start = 0x0;
char bcm43596 = 0;
char bcm4366 = 0;
const char *argp_program_version = "fpext";
const char *argp_program_bug_address = "<mschulz@seemoo.tu-darmstadt.de>";
@@ -44,6 +45,7 @@ static struct argp_option options[] = {
{"romfileout", 'o', "FILE", 0, "Save the patched ROM file as FILE"},
{"romstart", 't', "ADDR", 0, "ROM start address"},
{"bcm43596", 'x', 0, 0, "Select whether target chip has a flash patching unit similar to the bcm43596"},
{"bcm4366", 'y', 0, 0, "Select whether target chip has a flash patching unit similar to the bcm4366"},
{ 0 }
};
@@ -83,6 +85,10 @@ parse_opt(int key, char *arg, struct argp_state *state)
case 'x':
bcm43596 = 1;
break;
case 'y':
bcm4366 = 1;
break;
default:
return ARGP_ERR_UNKNOWN;
@@ -200,6 +206,34 @@ analyse_ram_bcm43596()
}
}
void
analyse_ram_bcm4366()
{
darm_t d;
darm_t *dd = &d;
unsigned short low, high;
struct fp_config_bcm43596 *fpc = (struct fp_config_bcm43596 *) (ram_array + fp_config_base - ram_start);
darm_init(&d);
for (int i = 0; i < (fp_config_end - fp_config_base) / sizeof(struct fp_config_bcm43596); i++) {
get_words(fpc[i].data_ptr, &low, &high);
darm_disasm(dd, low, high, 1);
printf("__attribute__((at(0x%08x, \"flashpatch\")))\n", fpc[i].target_addr);
printf("unsigned int flash_patch_%d[4] = {0x%08x, 0x%08x, 0x%08x, 0x%08x};\n\n", i,
*((unsigned int *) (ram_array + fpc[i].data_ptr - ram_start)),
*((unsigned int *) (ram_array + fpc[i].data_ptr + 4 - ram_start)),
*((unsigned int *) (ram_array + fpc[i].data_ptr + 8 - ram_start)),
*((unsigned int *) (ram_array + fpc[i].data_ptr + 12 - ram_start)));
if (rom_array != NULL && (fpc[i].target_addr - rom_start) < rom_len) {
memcpy(&rom_array[fpc[i].target_addr - rom_start], &ram_array[fpc[i].data_ptr - ram_start], 16);
}
}
}
int
main(int argc, char **argv)
{
@@ -219,6 +253,8 @@ main(int argc, char **argv)
if (bcm43596 == 1)
analyse_ram_bcm43596();
if (bcm4366 == 1)
analyse_ram_bcm4366();
else
analyse_ram();
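Review bot: The new `if (bcm4366 == 1)` at the end of main() takes over the `else` that previously belonged to the bcm43596 branch, so running with `-x` now calls analyse_ram_bcm43596() and then analyse_ram() as well; the line should read `else if (bcm4366 == 1)`. main's body continues outside the hunk. In analyse_ram_bcm4366() the ROM-write guard `(fpc[i].target_addr - rom_start) < rom_len` only covers the first byte while the memcpy copies 16, so a target in the last 15 bytes of rom_array writes past its end; `(fpc[i].target_addr - rom_start) + 16 <= rom_len` closes that (rom_len's type is not visible here, so also make sure the subtraction cannot go negative and wrap). The reads through `fpc[i].data_ptr - ram_start` and the `fpc` base itself have no range check against the RAM image at all, so a malformed dump is an out-of-bounds read, and comparing `int i` against the `size_t` loop bound turns a negative `fp_config_end - fp_config_base` into a huge iteration count.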
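--- /dev/null
+++ b/<awk script path not on page>
@@ -0,0 +1,40 @@
+function htonl(a) {
+return rshift(and(a, 0xff000000), 24) + rshift(and(a, 0xff0000), 8) + lshift(and(a, 0xff00), 8) + lshift(and(a, 0xff), 24);
+}
+BEGIN {
+fp_data_base = strtonum(fp_data_base);
+fp_config_base = strtonum(fp_config_base);
+fp_data_end_ptr = strtonum(fp_data_end_ptr);
+fp_config_base_ptr_1 = strtonum(fp_config_base_ptr_1);
+fp_config_end_ptr_1 = strtonum(fp_config_end_ptr_1);
+fp_config_base_ptr_2 = strtonum(fp_config_base_ptr_2);
+fp_config_end_ptr_2 = strtonum(fp_config_end_ptr_2);
+ramstart = strtonum(ramstart);
+fp_data_end = fp_data_base;
+fp_config_end = fp_config_base;
+printf "%s: %s FORCE\n", out_file, src_file;
+}
+{
+if ($2 == "FLASHPATCH") {
+printf "\t$(Q)$(CC)objcopy -O binary -j .text." $4 " $< gen/section.bin && dd if=gen/section.bin of=$@ bs=1 conv=notrunc seek=$$((0x%08x - 0x%08x))\n", fp_data_end, ramstart;
+printf "\t$(Q)printf %08x%08x | xxd -r -p | dd of=$@ bs=1 conv=notrunc seek=$$((0x%08x - 0x%08x))\n", htonl(strtonum($1)), htonl(fp_data_end), fp_config_end, ramstart;
+printf "\t$(Q)printf \" FLASHPATCH %s @ %s\\n\"\n", $4, $1;
+fp_data_end = fp_data_end + 16;
+fp_config_end = fp_config_end + 8;
+}
+}
+END {
+printf "\t$(Q)printf %08x | xxd -r -p | dd of=$@ bs=1 conv=notrunc seek=$$((0x%08x - 0x%08x))\n", htonl(fp_data_end), fp_data_end_ptr, ramstart;
+printf "\t$(Q)printf \" PATCH fp_data_end @ 0x%08x\\n\"\n", fp_data_end_ptr;
+printf "\t$(Q)printf %08x | xxd -r -p | dd of=$@ bs=1 conv=notrunc seek=$$((0x%08x - 0x%08x))\n", htonl(fp_config_base), fp_config_base_ptr_1, ramstart;
+printf "\t$(Q)printf \" PATCH fp_config_base @ 0x%08x\\n\"\n", fp_config_base_ptr_1;
+printf "\t$(Q)printf %08x | xxd -r -p | dd of=$@ bs=1 conv=notrunc seek=$$((0x%08x - 0x%08x))\n", htonl(fp_config_end), fp_config_end_ptr_1, ramstart;
+printf "\t$(Q)printf \" PATCH fp_config_end @ 0x%08x\\n\"\n", fp_config_end_ptr_1;
+printf "\t$(Q)printf %08x | xxd -r -p | dd of=$@ bs=1 conv=notrunc seek=$$((0x%08x - 0x%08x))\n", htonl(fp_config_base), fp_config_base_ptr_2, ramstart;
+printf "\t$(Q)printf \" PATCH fp_config_base @ 0x%08x\\n\"\n", fp_config_base_ptr_2;
+printf "\t$(Q)printf %08x | xxd -r -p | dd of=$@ bs=1 conv=notrunc seek=$$((0x%08x - 0x%08x))\n", htonl(fp_config_end), fp_config_end_ptr_2, ramstart;
+printf "\t$(Q)printf \" PATCH fp_config_end @ 0x%08x\\n\"\n", fp_config_end_ptr_2;
+printf "\n\nFORCE:\n"
+}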
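Review bot: The script has no header stating its contract: it expects the `-v` variables fp_data_base, fp_config_base, fp_data_end_ptr, fp_config_base_ptr_1/2, fp_config_end_ptr_1/2, ramstart, out_file and src_file, and consumes input lines whose `$2` is `FLASHPATCH` with the target address in `$1` and the section suffix in `$4`, none of which is written down. It also relies on gawk extensions (strtonum, and, rshift, lshift), so a first line `#!/usr/bin/gawk -f` or a comment `# requires gawk: strtonum() and the bit functions` would spare the next user an opaque portability failure. `htonl` is a misnomer: it unconditionally reverses byte order so the hex string piped through `xxd -r -p` lands little-endian in the image whatever the host is, which a comment such as `# emit a 32-bit value byte-reversed, i.e. little-endian for the target` (or a name like to_le32) would convey. Note too that `$4` is spliced unquoted into the objcopy recipe and that strtonum silently yields 0 for a non-numeric `$1`, so a malformed input line encodes target address 0 into the config entry instead of failing the build.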
@@ -46,6 +46,10 @@
#include <patcher.h> // macros used to craete patches such as BLPatch, BPatch, ...
#include <objmem.h> // Functions to access object memory
#define OBJADDR_UCM_SEL 0x00000000
#define OBJADDR_UCMX_SEL 0x00080000
extern unsigned char ucode_compressed_bin[];
extern unsigned int ucode_compressed_bin_len;
@@ -56,7 +60,7 @@ extern unsigned int ucode_compressed_bin_len;
void
tinflate_write_objmem(void *out_base, unsigned long idx, unsigned char value)
{
wlc_bmac_write_objmem_byte((struct wlc_hw_info *) out_base, idx, value, 0);
wlc_bmac_write_objmem_byte((struct wlc_hw_info *) out_base, idx, value, OBJADDR_UCM_SEL);
}
/**
@@ -66,9 +70,28 @@ tinflate_write_objmem(void *out_base, unsigned long idx, unsigned char value)
unsigned char
tinflate_read_objmem(void *out_base, unsigned long idx)
{
return wlc_bmac_read_objmem_byte((struct wlc_hw_info *) out_base, idx, 0);
return wlc_bmac_read_objmem_byte((struct wlc_hw_info *) out_base, idx, OBJADDR_UCM_SEL);
}
/**
* Function used by tinflate_partial to write a byte to an address in the output buffer
* here it is implemented to directly write to the object memory of the d11 core
*/
void
tinflate_write_objmemx(void *out_base, unsigned long idx, unsigned char value)
{
wlc_bmac_write_objmem_byte((struct wlc_hw_info *) out_base, idx, value, OBJADDR_UCMX_SEL);
}
/**
* Function used by tinflate_partial to read a byte from an address in the output buffer
* here it is implemented to directly read from the object memory of the d11 core
*/
unsigned char
tinflate_read_objmemx(void *out_base, unsigned long idx)
{
return wlc_bmac_read_objmem_byte((struct wlc_hw_info *) out_base, idx, OBJADDR_UCMX_SEL);
}
/*
* tinflate.c -- tiny inflate library
@@ -962,3 +985,41 @@ wlc_ucode_write_compressed(struct wlc_hw_info *wlc_hw, const int ucode[], const
tinflate_partial(ucode_compressed_bin, ucode_compressed_bin_len,
wlc_hw, 100000, 0, &state, sizeof(state), tinflate_write_objmem, tinflate_read_objmem);
}
void
wlc_ucode_write_compressed_args(struct wlc_hw_info *wlc_hw, const int ucode[], const unsigned int nbytes)
{
/* state: Decompression state buffer to pass to tinflate_block(). */
DecompressionState state;
/**** Clear decompression state buffer. ****/
state.state = INITIAL;
state.out_ofs = 0;
state.bit_accum = 0;
state.num_bits = 0;
state.final = 0;
/* No other fields need to be cleared. */
/**** Call tinflate_partial() to do the actual decompression. ****/
tinflate_partial(ucode, nbytes,
wlc_hw, 100000, 0, &state, sizeof(state), tinflate_write_objmem, tinflate_read_objmem);
}
void
wlc_ucodex_write_compressed_args(struct wlc_hw_info *wlc_hw, const int ucodex[], const unsigned int nbytes)
{
/* state: Decompression state buffer to pass to tinflate_block(). */
DecompressionState state;
/**** Clear decompression state buffer. ****/
state.state = INITIAL;
state.out_ofs = 0;
state.bit_accum = 0;
state.num_bits = 0;
state.final = 0;
/* No other fields need to be cleared. */
/**** Call tinflate_partial() to do the actual decompression. ****/
tinflate_partial(ucodex, nbytes,
wlc_hw, 100000, 0, &state, sizeof(state), tinflate_write_objmemx, tinflate_read_objmemx);
}
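Review bot: wlc_ucode_write_compressed_args() and wlc_ucodex_write_compressed_args() are copies that differ only in the accessor pair handed to tinflate_partial(); a static helper taking the write/read callbacks removes the duplication (sketched below, assuming tinflate_partial's callback parameters match the signatures of tinflate_write_objmem/tinflate_read_objmem in the hunk above). The copied comment `/* state: Decompression state buffer to pass to tinflate_block(). */` names tinflate_block although the call is tinflate_partial, so correct it in the helper. The doc comments added for tinflate_write_objmemx/tinflate_read_objmemx repeat the objmem text verbatim and never say what UCMX is; one line such as `// as tinflate_write_objmem, but selects the UCMX object memory (OBJADDR_UCMX_SEL)` would distinguish them. The `100000` and `0` arguments to tinflate_partial are unexplained magic values at all three call sites.
```c
/* Shared body of the *_write_compressed_args variants: the only difference
 * between them is the object-memory accessor pair tinflate_partial() uses. */
static void
wlc_ucode_inflate_to_objmem(struct wlc_hw_info *wlc_hw, const int ucode[], const unsigned int nbytes,
    void (*write_byte)(void *, unsigned long, unsigned char),
    unsigned char (*read_byte)(void *, unsigned long))
{
    /* state: Decompression state buffer to pass to tinflate_partial(). */
    DecompressionState state;
    state.state = INITIAL;
    state.out_ofs = 0;
    state.bit_accum = 0;
    state.num_bits = 0;
    state.final = 0;
    /* No other fields need to be cleared. */
    tinflate_partial(ucode, nbytes, wlc_hw, 100000, 0, &state, sizeof(state), write_byte, read_byte);
}

void
wlc_ucode_write_compressed_args(struct wlc_hw_info *wlc_hw, const int ucode[], const unsigned int nbytes)
{
    wlc_ucode_inflate_to_objmem(wlc_hw, ucode, nbytes, tinflate_write_objmem, tinflate_read_objmem);
}

void
wlc_ucodex_write_compressed_args(struct wlc_hw_info *wlc_hw, const int ucodex[], const unsigned int nbytes)
{
    wlc_ucode_inflate_to_objmem(wlc_hw, ucodex, nbytes, tinflate_write_objmemx, tinflate_read_objmemx);
}
```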
@@ -48,6 +48,7 @@
#define CHIP_VER_BCM43455 9
#define CHIP_VER_BCM43455c0 101
#define CHIP_VER_BCM43909b0 102
#define CHIP_VER_BCM4366c 103
#define FW_VER_ALL 0
@@ -95,4 +96,8 @@
// for CHIP_VER_BCM43909b0
#define FW_VER_7_15_168_108 210
// for CHIP_VER_BCM4366c
#define FW_VER_10_10_69_252 310
#define FW_VER_10_10_122_20 311
#endif /*FIRMWARE_VERSION_H*/
@@ -57,7 +57,7 @@
b_ ## name(void) { asm("b hook_" #name "\n"); }
#define GenericPatch4(name, val) \
const unsigned int gp4_ ## name = (unsigned int) (val);
unsigned int gp4_ ## name = (unsigned int) (val);
#define GenericPatch2(name, val) \
unsigned short gp2_ ## name = (unsigned short) (val);
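Review bot: Dropping `const` from the object GenericPatch4 defines changes where the linker places every gp4_ value (a const object normally ends up in a read-only section, a non-const one in writable data), and neither the macro nor the commit message records why. Since GenericPatch2 directly below was already non-const this looks like an alignment of the two, but the motivation is not visible here, so a one-line comment above the macro such as `/* not const: gp4_ values must land in the writable data section, as GenericPatch2's do */` (adjusted to the actual reason) should be added. The preceding macro whose last line opens the hunk is otherwise outside this view.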
