Can't find docs about how to patch #517 (Open)

yesimxev opened this issue Mar 5, 2022 · 37 comments

@yesimxev

yesimxev commented Mar 5, 2022

I'm looking to patch TicWatch Pro's bcm43436b0 chipset fw version 9.88.0.0. As far as I see, it could be easily supported.

Is there any guide on how to edit the patches? So far I've got the fw_bcmdhd.bin but unsure of how to figure out patches just by looking at the other's patches.

@kimocoder

@matthiasseemoo

@DrSchottky (Contributor)

Support for bcm43436b0 (brcmfmac) has been added recently.
If you're familiar with the tools I'd try to disassemble and bindiff brcmfmac/bcmdhd firmwares

@yesimxev (Author)

yesimxev commented Mar 8, 2022

How awesome is that! I'll surely do at some point. Any particular things to look for in the diffs?

@shandongtlb

> How awesome is that! I'll surely do in the next few days. Any particular things to look for in the diffs?

Hello, what's the latest progress? I've been studying the TicWatch Pro 3 LTE recently. The chip seems to be bcm43436b0, and the Linux kernel version is 4.9. Are you interested in working together?

@yesimxev (Author)

yesimxev commented Apr 17, 2022

Definitely! I also have the 3. I didn't have time to bindiff the first but both should be relatively easy. I have only little time so I postponed but I have some time here and there 😃 Both chipsets are supported and both arm. Imagine the Hijacker app on your watch 🤯 hit me up on Telegram 👊

@shandongtlb

> Definitely! I also have the 3. I didn't have time to bindiff the first but both should be relatively easy. I have only little time so I postponed but I have some time here and there 😃 Both chipsets are supported and both arm. Imagine the Hijacker app on your watch 🤯 hit me up on Telegram 👊

OK, it's a great honor

@shandongtlb

> Definitely! I also have the 3. I didn't have time to bindiff the first but both should be relatively easy. I have only little time so I postponed but I have some time here and there 😃 Both chipsets are supported and both arm. Imagine the Hijacker app on your watch 🤯 hit me up on Telegram 👊

Busy with work, I have less free time. Come on! 😃

@lasyka

lasyka commented Apr 27, 2022

> Support for bcm43436b0 (brcmfmac) has been added recently. If you're familiar with the tools I'd try to disassemble and bindiff brcmfmac/bcmdhd firmwares

@DrSchottky

This is the bindiff output info:

```
Could not find basic block: 00000004
.....
.....
Could not find basic block: 00058B76
Setup: 0.16s
primary: fw_bcmdhd: 1666 functions, 4891 calls
secondary: brcmfmac43436-sdio: 1595 functions, 4828 calls
Matching: 0.15s
matched: 1537 of 1666/1595 (primary/secondary, 1665/1594 non-library)
call graph MD index: primary 74.448
secondary 70.1589
Similarity: 88.8388% (Confidence: 99.0592%)
```

What is the next step, and how do I make this firmware patch?

[screenshot]

@DrSchottky (Contributor)

> What is the next step, and how do I make this firmware patch?

Load them into your favorite disassembler and try to figure out how the offsets in definitions.mk need to be changed.

@yesimxev (Author)

@lasyka I'll hop on to the Ticwatch Pro 3 fw then. Please let me know how you progress

@yesimxev (Author)

yesimxev commented Apr 28, 2022

Hmm the TWP3 has two firmwares, and the first one is actually the exact same version as the TWP, 9.88.0.0. Wondering which one is being used

fw_bcm43436b0.bin - 9.88.0.0
fw_bcm43438a1.bin - 7.45.96.79

@lasyka

lasyka commented May 5, 2022

> Hmm the TWP3 has two firmwares, and the first one is actually the exact same version as the TWP, 9.88.0.0. Wondering which one is being used
>
> fw_bcm43436b0.bin - 9.88.0.0
> fw_bcm43438a1.bin - 7.45.96.79

Sorry, I'm a newbie, I don't know how to do the next step to patch the TicWatch Wi-Fi firmware. :(
The bindiff shows the original TicWatch firmware is close to nexmon's firmware.
There are about 200 function differences.

@yesimxev (Author)

yesimxev commented May 5, 2022

So far I understand what to do next, I just don't have time. Just got a job to complete, then I'm jumping back in 👍

@Ma5onic

Ma5onic commented Jul 14, 2022

> Hmm the TWP3 has two firmwares, and the first one is actually the exact same version as the TWP, 9.88.0.0. Wondering which one is being used
>
> fw_bcm43436b0.bin - 9.88.0.0
> fw_bcm43438a1.bin - 7.45.96.79

@yesimxev
I did an adb shell dumpsys wifi on my TicWatch Pro 3 Ultra GPS (Rubyfish) and here is the relevant info about which is being used:

```
Chipset information :-----------------------------------------------
FW Version is: Firmware: wl0: Jan 14 2021 10:53:53 version 7.45.96.79 (ce0e3d8@SYNA) (r745790) FWID 01-667de1ce es7
  CLM: 7.11.15 (2014-05-26 10:53:55)
  Chip: a9a6 Rev 1
Driver Version is: Dongle Host Driver, version 100.10.545.2 (r826445-20190806-3)
Supported Feature set: -1
```

Since it loaded version 7.45.96.79 I think it is safe to assume that fw_bcm43438a1.bin is being used.

@yesimxev (Author)

Hmm it's a third version. Can't wait to continue

@Ma5onic

Ma5onic commented Jul 16, 2022

@yesimxev the nexmon README says:

> bcm43430a1 was wrongly labeled bcm43438 in the past.

Is it possible that this is actually a bcm43430a1 chip using firmware version 7.45.96.79?

@yesimxev (Author)

I'll check when there's time. Both need patches anyway 👌

@Ma5onic

Ma5onic commented Jul 16, 2022

I am trying to do that, but I'm new to patching; it seems like my assumption is correct.
[screenshot]

@yesimxev (Author)

yesimxev commented Nov 10, 2022

> What is the next step, and how do I make this firmware patch?

> Load them into your favorite disassembler and try to figure out how the offsets in definitions.mk need to be changed.

@DrSchottky

I'm going to disassemble tonight. Is it a simple "find and replace" of the addresses, according to the definitions.mk from the same chipset? I may be missing something in there. Could you give me just one example, say the first thing you'd change, just so I know what exactly you mean? Doesn't have to be the solution, just in theory. Also, is the ROM bin needed too, or is the RAM bin enough? I also have an LG V20 waiting in the nexmon queue, again it's a supported chipset 👌😄

@yesimxev (Author)

yesimxev commented Nov 10, 2022

For example: I see

```makefile
# original ucode start and size
UCODESTART=0x4E9C0
```

in firmwares/bcm43438/7_45_41_26/definitions.mk
I'm looking at the disassembled brcmfmac43430-sdio.bin in Ghidra. Looks like I found the ucode start in fw_bcm43438a1.bin too. 🙌

[screenshot]
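The "find the same place in the other image" step discussed above can be automated for a first pass. The script below is an added example, not nexmon project code: it takes the bytes that sit at a known definitions.mk offset (UCODESTART is used as the demo variable) in a reference firmware, searches for that byte window in the target firmware, and accepts the hit only when it is unique, widening the window when it is ambiguous. The two firmware images and the offsets 0x120 / 0x180 are constructed for the demo; nothing here is a real TicWatch or nexmon offset, and every candidate still has to be confirmed in the disassembler.

```python
"""Port a definitions.mk offset from a reference firmware to a new one.

Added example, not nexmon code. Idea: take the bytes at the known offset
in the reference image (e.g. UCODESTART from an existing definitions.mk),
search for that byte window in the target image, and accept the hit only
if it is unique. Zero hits or several hits mean the window must be widened
or the candidate verified by hand in the disassembler.
Both firmware images below are constructed; no real offsets are used.
"""
import random
from dataclasses import dataclass, field


@dataclass
class PortResult:
    name: str             # definitions.mk variable, e.g. "UCODESTART"
    ref_offset: int       # offset in the reference firmware
    window: int           # number of bytes compared
    candidates: list = field(default_factory=list)  # matching offsets in target

    @property
    def unique(self) -> bool:
        return len(self.candidates) == 1

    def render(self) -> str:
        """definitions.mk style line, or a comment when the port is not unique."""
        if self.unique:
            return f"{self.name}=0x{self.candidates[0]:X}"
        return (f"# {self.name}: {len(self.candidates)} candidates for "
                f"window={self.window}, check manually")


def port_offset(ref: bytes, target: bytes, ref_offset: int, name: str,
                window: int = 16) -> PortResult:
    """Find every position in `target` holding the `window` bytes at `ref_offset` in `ref`."""
    if ref_offset < 0 or ref_offset + window > len(ref):
        raise ValueError("window does not fit inside the reference image")
    needle = ref[ref_offset:ref_offset + window]
    result = PortResult(name, ref_offset, window)
    pos = target.find(needle)
    while pos != -1:
        result.candidates.append(pos)
        pos = target.find(needle, pos + 1)
    return result


def port_unique(ref: bytes, target: bytes, ref_offset: int, name: str,
                max_window: int = 256) -> PortResult:
    """Double the window until exactly one candidate remains.

    If widening drops the hit count to zero (the bytes after the offset differ
    between the images), the last ambiguous result is returned so the caller
    still sees the candidates instead of an empty answer.
    """
    window, last = 16, None
    result = None
    while window <= max_window and ref_offset + window <= len(ref):
        result = port_offset(ref, target, ref_offset, name, window)
        if result.unique:
            return result
        if not result.candidates:
            break
        last, window = result, window * 2
    return last if last is not None else result


def build_demo_images():
    """Constructed reference/target pair: same 'ucode' blob, shifted by 0x80 bytes in the target."""
    rng = random.Random(1)
    ucode = bytes(rng.randrange(256) for _ in range(64))    # stands in for the ucode region
    filler = bytes(rng.randrange(256) for _ in range(0x200))
    ref = filler[:0x120] + ucode + filler[0x120:]                   # UCODESTART=0x120 here
    target = filler[:0x100] + bytes(0x80) + ucode + filler[0x100:]  # moved to 0x180
    return ref, target


if __name__ == "__main__":
    ref, target = build_demo_images()
    print(port_unique(ref, target, 0x120, "UCODESTART").render())  # UCODESTART=0x180
```

For a real port, read both .bin files with `open(path, "rb").read()` and call `port_unique` once per offset in definitions.mk; anything rendered as a `# ... check manually` comment is where the two firmwares genuinely diverge and bindiff plus the disassembler have to take over.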

@yesimxev (Author)

Almost done boardconfig.mk. What's the next step?

@matthiasseemoo (Member)

matthiasseemoo commented Nov 11, 2022 via email

@yesimxev (Author)

yesimxev commented Nov 17, 2022

@matthiasseemoo I'm ready with the ucode.bin. What shall I do after it's extracted?

@DrSchottky (Contributor)

Set up the folders/files structure for a new fw with only the patch for ucode extraction (see patch.c) and try to build and run it

@yesimxev (Author)

yesimxev commented Dec 19, 2022

I'm not too sure, and sorry if I ask too much. I feel like I won't progress if I don't do so. Does only this patch line need to be in patch.c?
[screenshot]

Then flashpatches or patches still need to be applied in Makefile?

@Ma5onic

Ma5onic commented Apr 13, 2023

@yesimxev I noticed that the Raspberry Pi Pico W uses an Infineon CYW43439 which has the same architecture on the WLAN side. Using the RPi Pico W might thus be a less expensive way of troubleshooting the patching process.
[screenshot]
[screenshot]

@yesimxev (Author)

Thank you for your advice. I also have a big support from @jlinktu, I just have some other stuff to clear first. We're not far from the result 🎉

@decaduto

> Thank you for your advice. I also have a big support from @jlinktu, I just have some other stuff to clear first. We're not far from the result 🎉

Any progress? I am starting to port the work too for the same TicWatch model; let me know if I should work on it or if you have already modded nexmon for that purpose.

@yesimxev (Author)

It's very close to finished. Just figuring out dumping the ROM, and it doesn't want to spit out what we want. Does this work on your watch in adb shell? `dhdutil -i wlan0 membytes -r 0x181000 0x915ac > /sdcard/rom.bin` (invalid arg on mine)

@decaduto

> `dhdutil -i wlan0 membytes -r 0x181000 0x915ac > /sdcard/rom.bin`

Already tried to do that some time ago, same result; even with TWRP and root, it fails.

@decaduto

> It's very close to finished. Just figuring out dumping the ROM, and it doesn't want to spit out what we want. Does this work on your watch in adb shell? `dhdutil -i wlan0 membytes -r 0x181000 0x915ac > /sdcard/rom.bin` (invalid arg on mine)

Perhaps, have you found the offset of some "important" function? (monitor mode, send frame, rx handler etc.)

@yesimxev (Author)

I want to first copy the ROM somewhere into a RAM location and then dump it. But I'm not sure how to access it

@yesimxev (Author)

> `dhdutil -i wlan0 membytes -r 0x181000 0x915ac > /sdcard/rom.bin`
>
> Already tried to do that some time ago, same result; even with TWRP and root, it fails.

I tried the other method which I see on this repo for other devices with my address. But it returns nex_driver_io error. There must be a step in between that lets me access that memory address

[screenshot]

@jlinktu (Member)

jlinktu commented Feb 16, 2024

From the screenshot I can see that you are passing decimal "800000" as value. The ROM of your chip starts at hex 0x800000 though. Try passing that as argument instead.

@yesimxev (Author)

Thanks for your reply, I tried that too, but I had only this screenshot at hand. I'm still about to do the summary where are we at 😃

@yesimxev (Author)

yesimxev commented Feb 16, 2024

I came across this readme in one of the rom-extraction folders, saying

> The **ROM extraction patch adds additional ioctls** to the Wi-Fi firmware to dump arbitrary memory locations. To dump the first 1024 bytes of the ROM, one may execute: `nexutil -g0x602 -l1024 -i -v0x0 -r > /var/root/romdump.bin`. As the buffer length for each ioctl is limited, we need to call the ioctl multiple times with different start addresses passed through `-v<address>`. The resulting ROM ...

So I'm trying to understand. Do I need to copy the patched fw back to the device? As far as I know, my patches which were done only did the extracted ucode part. Is there a step missing before I could run dump-rom?

UPDATE: after a good sleep, I got it. Flashpatched fw allows reading rom
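The chunked dump that the quoted README describes, and the decimal-versus-hex address mistake pointed out earlier in the thread, are easy to get wrong by hand. Below is an added example, not nexmon project code, that drives the loop: the nexutil argument vector mirrors the README's command line (`-g0x602`, `-l<len>`, `-i`, `-v<address>`, `-r`) and the ROM base 0x800000 is the one named in the thread; the ROM size, the chunk length and the in-memory "ROM" served by the demo reader are constructed so that the script runs offline. On a real device the flashpatched firmware must already be loaded, exactly as the UPDATE above says.

```python
"""Chunked ROM dump through the nexmon rom-extraction ioctl.

Added example, not nexmon code. The README quoted above explains that the
extra ioctl (-g0x602) returns a bounded buffer per call, so a ROM is read as
a series of calls with increasing -v<address> values and the pieces are
concatenated. `read_chunk` is pluggable: the nexutil-backed reader mirrors
the README's command line and only works on a device running the
flashpatched firmware; the demo reader serves a constructed in-memory ROM.
ROM base 0x800000 comes from the thread; size and chunk length are assumptions.
"""
import subprocess
from typing import Callable, List, Tuple

ReadChunk = Callable[[int, int], bytes]


def nexutil_args(addr: int, length: int) -> List[str]:
    """Argument vector for one ioctl call; the address goes out as hex (-v0x800000), never decimal."""
    return ["nexutil", "-g0x602", f"-l{length}", "-i", f"-v0x{addr:x}", "-r"]


def nexutil_read_chunk(addr: int, length: int) -> bytes:
    """Reader that shells out to nexutil on the device (assumed to be in PATH)."""
    return subprocess.run(nexutil_args(addr, length), check=True,
                          capture_output=True).stdout


def dump_rom(read_chunk: ReadChunk, base: int, size: int, chunk_len: int = 1024) -> bytes:
    """Read `size` bytes starting at `base`, at most `chunk_len` bytes per ioctl call.

    A short or empty chunk is a hard error: silently padding or skipping would
    yield a ROM image whose contents no longer line up with their addresses.
    """
    if chunk_len <= 0 or size < 0:
        raise ValueError("size must be >= 0 and chunk_len > 0")
    out = bytearray()
    addr, end = base, base + size
    while addr < end:
        want = min(chunk_len, end - addr)
        data = read_chunk(addr, want)
        if len(data) != want:
            raise IOError(f"short read at 0x{addr:x}: got {len(data)} of {want} bytes")
        out += data
        addr += want
    return bytes(out)


def make_fake_rom(base: int, size: int) -> Tuple[bytes, ReadChunk, List[Tuple[int, int]]]:
    """Constructed ROM plus a reader over it; also records every (addr, length) request."""
    rom = bytes((i * 7 + (i >> 8)) & 0xFF for i in range(size))
    calls: List[Tuple[int, int]] = []

    def read_chunk(addr: int, length: int) -> bytes:
        calls.append((addr, length))
        off = addr - base
        if off < 0 or off + length > size:
            return b""          # out-of-range read: behave like a failed ioctl
        return rom[off:off + length]

    return rom, read_chunk, calls


if __name__ == "__main__":
    ROM_BASE = 0x800000                      # from the thread; the demo size is made up
    rom, reader, calls = make_fake_rom(ROM_BASE, 5000)
    image = dump_rom(reader, ROM_BASE, 5000)
    assert image == rom
    print(f"dumped {len(image)} bytes in {len(calls)} ioctl calls")
    print("first call would run:", " ".join(nexutil_args(*calls[0])))
```

To use it on the watch, swap `reader` for `nexutil_read_chunk` and write the returned bytes to a file; the size argument has to be the chip's real ROM length, which this thread never settles, so treat it as something to establish from the disassembly rather than copy from here.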
