Many thanks to this hilarious (but truthful) comment on #BL602 😂
LMAC is the Lower MAC Firmware that runs on the #BL602 Radio Hardware
https://www.ceva-dsp.com/product/rivierawaves-wi-fi-platforms/
CEVA has an interesting list of customers
#BL602 #WiFi Manager talks to LMAC Firmware via Message Queue ... Let's find out how it works
https://www.ceva-dsp.com/product/rivierawaves-wi-fi-platforms/
"wifi_main" lives in the mysterious #BL602 #WiFi Library "libwifi" ... Let's study the decompiled C code (thanks to BraveHeartFLOSSDev and Ghidra)
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L32959-L33006
#BL602 "wifi_main" calls "ke_evt_schedule" to do #WiFi Tasks ... GitHub Search shows that "ke_evt_schedule" is also defined in ... AliOS! 😲
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L28721-L28737
But does "ke_evt_schedule" really come from AliOS? Not quite ... "ke_evt_schedule" actually comes from ... CEVA RivieraWaves! 😲
Now the #BL602 #WiFi Stack gets clearer ... We're actually reading the WiFi Driver Code by CEVA RivieraWaves! 💡
https://www.ceva-dsp.com/product/rivierawaves-wi-fi-platforms/
Lesson Learnt: GitHub Search is our very good friend for Reverse Engineering! 👍
https://github.com/search?l=C&o=asc&q=ke_evt_schedule&s=indexed&type=Code
The AliOS / RivieraWaves code we saw earlier was for Beken BK7231U WiFi + BLE SoC ... Is it related to #BL602? 🤔
AliOS for Beken BK7231U WiFi SoC contains LMAC Firmware Code ... Is this the same LMAC Firmware that runs on #BL602's #WiFi Radio? 🤔 Super Exciting!
https://github.com/lupyuen/AliOS-Things/tree/master/platform/mcu/bk7231u/beken/ip/lmac/src
From Now On: We shall read and understand the AliOS / RivieraWaves Source Code ... While comparing it with the Decompiled Code for #BL602 libwifi ... Just to be sure that they are the same 🤝
https://github.com/lupyuen/AliOS-Things/tree/master/platform/mcu/bk7231u/beken/ip/ke
txl_payload_handle handles #BL602 #WiFi Payloads by doing ... nothing! But txl_payload_handle_backup seems to be the right function that handles WiFi Payloads 🤔
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L20203-L20398
#BL602 #WiFi Payload Handler calls rxu, txl and txu functions ... Fortunately these are defined in the AliOS / RivieraWaves Source Code we saw earlier
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L20220-L20398
Here's the Decompiled #BL602 #WiFi Supplicant that handles WiFi Authentication ... Decompiled code looks readable
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L29805-L29860
Thankfully #BL602 #WiFi Library libwifi was compiled with Assertions Enabled ... Makes Reverse Engineering simpler 👍
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L38512-L38609
Let's do Quantitative Analysis of the Decompiled #BL602 #WiFi Demo Firmware ... How many lines of code do we actually need to Reverse Engineer ... Now that we've found some matching source files?
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.txt
Load the Decompiled #BL602 #WiFi Functions into a spreadsheet ... For easier crunching
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit?usp=sharing
Matching the Decompiled #BL602 #WiFi Functions with AliOS / RivieraWaves Source Code ... And identifying the differences
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit?usp=sharing
Work In Progress: What's inside the #BL602 #WiFi Demo Firmware ... And how many lines of code need to be Reverse Engineered
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit#gid=1323188614
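The spreadsheet step above can be scripted. The following is an added example, not code from the thread, the bl602nutcracker1 repo or the Google Sheet: it splits Ghidra-style decompiler output into functions, counts the lines of each, marks the ones whose names already appear in a reference source tree (here a hand-written stand-in for the AliOS / RivieraWaves `ke/` and `lmac/` symbols), flags Ghidra's auto-named `FUN_xxxxxxxx` functions, and flags stubs whose body is a bare `return;` (the `txl_payload_handle` situation). The decompiled sample and the known-symbol set are constructed for the example; the only assumption about the real input is Ghidra's layout, with the signature on one line and the body braces at column 0.

```python
"""Triage Ghidra decompiler output: how many lines still need reverse engineering
once some functions have been matched to known source? (Added example.)"""
import re
from dataclasses import dataclass

# Matches a column-0 function signature such as "void ke_evt_schedule(void)" or
# "undefined4 FUN_23001234(int param_1)"; body lines are indented or end in ';'
# and therefore never match.
SIG_RE = re.compile(r'^[A-Za-z_][\w\s\*]*?\b([A-Za-z_]\w*)\s*\([^;{}]*\)\s*$')

# Constructed sample in Ghidra's output style; NOT the real libwifi decompilation.
SAMPLE_DECOMPILED = """\
/* WARNING: constructed sample, function bodies are placeholders */

void ke_evt_schedule(void)
{
  uint uVar1;

  uVar1 = ke_evt_get();
  while (uVar1 != 0) {
    ke_evt_clear(uVar1);
    uVar1 = ke_evt_get();
  }
  return;
}

void txl_payload_handle(void)
{
  return;
}

void txl_payload_handle_backup(int param_1)
{
  int iVar1;

  iVar1 = txl_frame_get(param_1);
  if (iVar1 != 0) {
    txu_cntrl_frame_build(iVar1);
  }
  return;
}

undefined4 FUN_23001234(int param_1)
{
  undefined4 uVar1;

  uVar1 = FUN_23005678(param_1 + 8);
  return uVar1;
}
"""

# Constructed stand-in for the function names grep'd out of the reference source tree.
KNOWN_SOURCE_SYMBOLS = {
    'ke_evt_schedule', 'ke_evt_get', 'ke_evt_clear',
    'txl_payload_handle', 'txu_cntrl_frame_build',
}


@dataclass
class Function:
    name: str
    lines: int      # signature through closing brace, inclusive
    is_stub: bool   # body is empty or only "return;"


def parse_decompiled(text):
    """Split decompiler output into Function records (Ghidra brace layout assumed)."""
    lines = text.splitlines()
    funcs, i = [], 0
    while i < len(lines):
        m = SIG_RE.match(lines[i])
        if not (m and i + 1 < len(lines) and lines[i + 1].strip() == '{'):
            i += 1
            continue
        depth, stmts, j = 0, [], i + 1
        while j < len(lines):
            depth += lines[j].count('{') - lines[j].count('}')
            s = lines[j].strip()
            if s and s not in ('{', '}'):
                stmts.append(s)
            if depth == 0:          # matching close brace of the function body
                break
            j += 1
        j = min(j, len(lines) - 1)  # tolerate a truncated final function
        funcs.append(Function(m.group(1), j - i + 1, all(s == 'return;' for s in stmts)))
        i = j + 1
    return funcs


def analyze(text, known_symbols):
    """Return the line budget still to be reverse engineered, plus the interesting lists."""
    funcs = parse_decompiled(text)
    matched = [f for f in funcs if f.name in known_symbols]
    unnamed = [f for f in funcs if f.name.startswith('FUN_')]
    named = {f.name for f in matched} | {f.name for f in unnamed}
    total = sum(f.lines for f in funcs)
    matched_lines = sum(f.lines for f in matched)
    return {
        'functions': len(funcs),
        'lines': total,
        'matched_lines': matched_lines,
        'remaining_lines': total - matched_lines,
        'matched': sorted(f.name for f in matched),
        'unnamed': sorted(f.name for f in unnamed),
        'unmatched': sorted(f.name for f in funcs if f.name not in named),
        'stubs': sorted(f.name for f in funcs if f.is_stub),
    }


if __name__ == '__main__':
    for k, v in analyze(SAMPLE_DECOMPILED, KNOWN_SOURCE_SYMBOLS).items():
        print(f'{k}: {v}')
```

On the real `bl602_demo_wifi.c` you would feed the whole file to `analyze` and build `known_symbols` from the function names in the AliOS `ke/` and `lmac/` trees; `remaining_lines` is then the figure the spreadsheet is after, `stubs` points at functions like `txl_payload_handle` whose binary differs from the source, and `unmatched` is the list worth checking against the source tree one by one.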
@lupyuen That's so much cleaner than the first version uploaded. It was also using a custom ported Processor that is also in the repository but not yet available in Ghidra. I'm just glad that you are finding it useful. Libwifi should contain 112 object files but 6 were excluded because of errors, I'll get them up when I can get them decompiled.
@AmpBenzScientist Cool thanks! 👍
Ghidra fails to load them? I'd like to check if LLVM's disassembler will be able to parse and decompile them.
@PawelK @lupyuen Ghidra loads them but won't disassemble. It's an error regarding memory and my custom processor has reduced the number of errors. This is a memory issue that I need to address soon. Ghidra is a beast and 9.2.2 had the same quality code as IDA Pro on Arm. Gamiee and I had a little competition comparing the output of the two. He had to admit that it was powerful but it doesn't produce pretty code. Verbose Chainsaw is the actual test that was done. The capabilities are greatly improved in 10.0.0.
@AmpBenzScientist
Out-of-memory error, or an out-of-bounds write or read memory error?
I could be willing to get your and Gamiee's disassembler test harness to contribute to LLVM if it would be OK with you two.
@AmpBenzScientist
Aaah. Arch specific buggy buggy. Ok.
@AmpBenzScientist
Btw Benzinski, some guys around LLVM and Clang want to invest some effort into making their disassembler perfect. One of its targets is RISC-V.
If you wanted to play with LLVM's disassemblers, I could link you to guys from the project, etc. They've got perfect code quality and architecture for the C++ it's written in.
@PawelK @lupyuen After reading deep into SLED and SLEIGH so I could port a processor, I see why Ghidra is so effective. Given the troublesome nature of RISC-V disassembly, I would recommend SLEIGH because of the flexibility of it. Even with Ghidra, I spent 3 months working on this. It took about a week to get the first results and I've been doing work on Ghidra since then.
I might have to pass as I want to get involved more with Ghidra and Rizin development.
@AmpBenzScientist
Mkay. I wish Ghidra and LLVM got more synchronized. LLVM's speed and low mem reqs kick ass. But we could try to use the arch specs (isn't that what SLEIGH is used for?) from SLEIGH and friends in LLVM.
@PawelK @lupyuen I've had to defend Ghidra in the past and my work with it. It was developed by NSA Research for use by NSA Agents. It's not simple to use and I've not explored all of it fully. It's amazing and I want to port more processors to it. I actually have a theory that I want to try to test but it's hard to explain.
My theory is an LLVM backend could be switched into Ghidra and you wouldn't need to feel the difference other than faster speed, lower load and disassembly times and lower mem use. I liked using it though. The mere tiny screech was a different flow when jumping through code than in IDA, due to the switch IMHO.
@AmpBenzScientist
Yea, feels quite robust. Btw, reminds me there was source code of a binary that runs on three architectures. Contains smart ways to jump over the other archs' code and runs with the same result on all three or so.
@AmpBenzScientist
Oh my, I just learned SLEIGH was introduced partly or contributed to by the one and only Cristina Cifuentes.
Oh my. I still have her dissertation somewhere. I was intoxicating myself in early childhood with reading it.
@granmogul Yep Pine64 PineCone runs on BL602: https://lupyuen.github.io/articles/pinecone
@lupyuen
It seems to set some HW reg though, I suppose, albeit not the main workhorse.
#BL602 Firmware starts the #WiFi Stack ... By creating a Background Task that runs wifi_main ... Let's hunt for wifi_main
https://github.com/lupyuen/bl_iot_sdk/blob/master/customer_app/bl602_demo_wifi/bl602_demo_wifi/main.c#L729-L747