Best compatibility WiFi module for new device

[zhovner]

We are developing a portable device for security researchers in a Tamagotchi-style formfactor called Flipper Zero. We decided to drop Raspberry Pi and build our board from scratch and now we are looking for a WiFi module that supports all features for wifi hacking.

If Seemoo guys don't mind I will post my research of Broadcom modules here. Any comments are welcome.

Our requirements

• SDIO 2.0/3.0 interface
• Dual-band (2.4 and 5 GHz) 802.11ac on a single antenna
• System in Package (SiP) module — this modules already have all RF components like LNA, filters, etc packaged in one tiny PCB covered with metal shield.
• Monitor mode
• Packet injection

Possible candidates

I will post all my findings here and update this post while testing. Will open every module to see what chipset is inside. If you know some candidates, please suggest it in the same style.

Ampak AP6255

Chipset: BCM43454HKUBG
802.11ac, bluetooth 4.2
Installed on Orange Pi Lite 2. I can't figure out what's the difference between bcm43455 and bcm43455C0 and why it marked as different chipsets on nexmon table since all firmwares files have c0 at the beginning in full version string.

For example 7_46_77_11_hw file where chipset marked as bcm43455, but can see 43455 at the beginning:

43455c0-roml/43455_sdio-43455_ftrs-pno-aoe-pktfilter-sr-pktctx-lpc-pwropt-wapi-mfp-clm_4335_ss-txpwr-rcc-wepso-noccxaka-sarctrl-proxd-gscan-linkstat-pwrstats-idsup-ndoe-pwrofs-hs20sta-mchan-wfds-anqpo-disuart-hwmdns-hw_rndmac-hwpktfilter-wbtext-hwwnm Version: 7.46.77.11 (50bbc2c@shgit) (r) CRC: b6de9be3 Date: Mon 2018-07-16 14:41:08 CST Ucode Ver: 1043.20642 FWID: 01-543704cb

And 7_45_154 where chipset marked as bcm43455c0:

43455c0-roml/43455_sdio-pno-aoe-pktfilter-pktctx-lpc-pwropt-43455_ftrs-wfds-mfp-dfsradar-wowlpf-idsup-idauth-noclminc-clm_min-obss-obssdump-swdiv Version: 7.45.154 (r684107 CY) CRC: b1f79383 Date: Tue 2018-02-27 03:18:17 PST Ucode Ver: 1043.2105 FWID 01-4fbe0b04� DVID 01-3f88aa1a

So It looks like bcm43455 and bcm43455c0 is not a different hardware but only differs in firmware. Am I right?

Raspberry Pi B3+/B4 has a chipset marked CYW43455XKUBG and AP6255 have BCM43454HKUBG that is looked as preliminary version of BCM/CYW 43455 chip because not presented in datasheets.
Both chips use the same firmware. On Orange Pi Lite 2 with Armbian it uses the same firmware as on Raspbian — 7.45.154.

$ dmesg | grep brc

bluetooth hci1: Direct firmware load for brcm/BCM4345C0.hcd failed with error -2
Bluetooth: hci1: BCM: Patch brcm/BCM4345C0.hcd not found
brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43455-sdio for chip BCM4345/6
brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.xunlong,orangepi-lite2.txt failed with error -2
brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43455-sdio for chip BCM4345/6
brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6 wl0: Feb 27 2018 03:15:32 version 7.45.154 (r684107 CY) FWID 01-4fbe0b04

$ grep "" /sys/class/mmc_host/mmc1/mmc1\:0001/mmc1\:0001\:*/{class,device,vendor}
/sys/class/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/class:0x00
/sys/class/mmc_host/mmc1/mmc1:0001/mmc1:0001:2/class:0x00
/sys/class/mmc_host/mmc1/mmc1:0001/mmc1:0001:3/class:0x02
/sys/class/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/device:0xa9bf
/sys/class/mmc_host/mmc1/mmc1:0001/mmc1:0001:2/device:0xa9bf
/sys/class/mmc_host/mmc1/mmc1:0001/mmc1:0001:3/device:0xa9bf
/sys/class/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/vendor:0x02d0
/sys/class/mmc_host/mmc1/mmc1:0001/mmc1:0001:2/vendor:0x02d0
/sys/class/mmc_host/mmc1/mmc1:0001/mmc1:0001:3/vendor:0x02d0

$ cat /sys/kernel/debug/brcmfmac/mmc1\:0001\:1/revinfo
vendorid: 0x14e4
deviceid: 0x43ab
radiorev: 0.88.3.11
chipnum: 17221 (4345)
chiprev: 6
chippkg: 2
corerev: 54
boardid: 0x06e4
boardvendor: 0x14e4
boardrev: P304
driverrev: 7.45.18
ucoderev: 0
bus: 0
phytype: 11
phyrev: 20
anarev: 0
nvramrev: 00079ac5

Ampak AP6256

Chipset: BCM43456XKUBG
802.11ac, bluetooth 5
Installed on Orange Pi 3. Not listed in nexmon supported hardware. Could be suitable.
It can use firmware from bcm4356 version 7.45.96.2 brcmfmac4356-sdio.bin and 7.45.96.53 founded in Google Coral project repo.

Latest 7.45.96.53 firmware full name, chip marked as 43455c5:

43455c5-roml/43455_sdio-pno-aoe-pktfilter-bcm_ftrs-ak-bcol-clm_4335_ss-sr-mchan-pktctx-lpc-pwropt-txbf-wl11u-wapi-txpwr-wepso-gscan-linkstat-pwrstats-proxd-ndoe-mfp-tdls-dhcpd-idauth-idsup-neeze-akiss-dfsctl-apcs-tka-wpf-gtr-noplmt-ak_disassoc-b5gctl-sdiorxenhance Version: 7.45.96.53 (5a84613@shgit) (r745790) CRC: 3ae8a8e5 Date: Fri 2019-09-27 15:21:52 CST Ucode Ver: 1043.20721 FWID: 01-54faa385

# dmesg | grep brcm
brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43456-sdio for chip BCM4345/9
brcmfmac mmc0:0001:1: Direct firmware load for brcm/brcmfmac43456-sdio.xunlong,orangepi-3.txt failed with error -2
brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43456-sdio for chip BCM4345/9
brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/9 wl0: Jun 16 2017 12:38:26 version 7.45.96.2 (66c4e21@sh-git) (r) FWID 01-1813af84


 /sys/bus/sdio/devices/mmc0:0001:1/vendor:0x02d0
 /sys/bus/sdio/devices/mmc0:0001:1/device:0xa9bf

[Icenowy]

I assume 45455c0 start to be called c0 when c5 is available.

[jorikdima]

In Broadcom the last letter means chip tapeout revision and the last digit - ECO (ROM update e.g.). In this case part number without these Character&Digit means it's just omitted. Most likely it has B? in the end. Switching from B tapeout revision to C means that some minor HW was probably added or fixed, but in general it's still the same chip. Requirements to use only C* firmware means this FW uses this new HW.