Many thanks to this hilarious (but truthful) comment on #BL602 😂
LMAC is the Lower MAC Firmware that runs on the #BL602 Radio Hardware
https://www.ceva-dsp.com/product/rivierawaves-wi-fi-platforms/
#BL602 #WiFi Manager talks to LMAC Firmware via Message Queue ... Let's find out how it works
https://www.ceva-dsp.com/product/rivierawaves-wi-fi-platforms/
But 0x4400 0000 is NOT documented in #BL602 Reference Manual! 😲 Now we know a secret ... BL602 talks to LMAC Firmware at Address 0x4400 0000 🤫
https://github.com/bouffalolab/bl_docs/blob/main/BL602_RM/en/BL602_BL604_RM_1.2_en.pdf
"wifi_main" lives in the mysterious #BL602 #WiFi Library "libwifi" ... Let's study the decompiled C code (thanks to BraveHeartFLOSSDev and Ghidra)
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L32959-L33006
#BL602 "wifi_main" calls "ke_evt_schedule" to do #WiFi Tasks ... GitHub Search shows that "ke_evt_schedule" is also defined in ... AliOS! 😲
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L28721-L28737
But does "ke_evt_schedule" really come from AliOS? Not quite ... "ke_evt_schedule" actually comes from ... CEVA RivieraWaves! 😲
Now the #BL602 #WiFi Stack gets clearer ... We're actually reading the WiFi Driver Code by CEVA RivieraWaves! 💡
https://www.ceva-dsp.com/product/rivierawaves-wi-fi-platforms/
Lesson Learnt: GitHub Search is our very good friend for Reverse Engineering! 👍
https://github.com/search?l=C&o=asc&q=ke_evt_schedule&s=indexed&type=Code
The AliOS / RivieraWaves code we saw earlier was for Beken BK7231U WiFi + BLE SoC ... Is it related to #BL602? 🤔
AliOS for Beken BK7231U WiFi SoC contains LMAC Firmware Code ... Is this the same LMAC Firmware that runs on #BL602's #WiFi Radio? 🤔 Super Exciting!
https://github.com/lupyuen/AliOS-Things/tree/master/platform/mcu/bk7231u/beken/ip/lmac/src
From Now On: We shall read and understand the AliOS / RivieraWaves Source Code ... While comparing it with the Decompiled Code for #BL602 libwifi ... Just to be sure that they are the same 🤝
https://github.com/lupyuen/AliOS-Things/tree/master/platform/mcu/bk7231u/beken/ip/ke
txl_payload_handle handles #BL602 #WiFi Payloads by doing ... nothing! But txl_payload_handle_backup seems to be the right function that handles WiFi Payloads 🤔
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L20203-L20398
#BL602 #WiFi Payload Handler calls rxu, txl and txu functions ... Fortunately these are defined in the AliOS / RivieraWaves Source Code we saw earlier
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L20220-L20398
Here's the Decompiled #BL602 #WiFi Supplicant that handles WiFi Authentication ... Decompiled code looks readable
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L29805-L29860
Thankfully #BL602 #WiFi Library libwifi was compiled with Assertions Enabled ... Makes Reverse Engineering simpler 👍
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L38512-L38609
Let's do Quantitative Analysis of the Decompiled #BL602 #WiFi Demo Firmware ... How many lines of code do we actually need to Reverse Engineer ... Now that we've found some matching source files?
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.txt
Load the Decompiled #BL602 #WiFi Functions into a spreadsheet ... For easier crunching
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit?usp=sharing
Matching the Decompiled #BL602 #WiFi Functions with AliOS / RivieraWave Source Code ... And identifying the differences
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit?usp=sharing
Work In Progress: What's inside the #BL602 #WiFi Demo Firmware ... And how many lines of code need to be Reverse Engineered
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit#gid=1323188614
#BL602 #WiFi Firmware: 87,000 lines of Decompiled Code have been classified ... 24,000 more lines to go!
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit#gid=1323188614
Quantitative Analysis of Decompiled #BL602 #WiFi Firmware is nearly complete! Actual lines of WiFi code to be reverse engineered: 10,500
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit#gid=1323188614
Here's how we start the #WiFi Driver in our #BL602 Firmware
https://lupyuen.github.io/articles/wifi?2#bl602-wifi-demo-firmware
How we connect to a #WiFi Access Point in our #BL602 Firmware
https://lupyuen.github.io/articles/wifi?3#connect-to-wifi-network
What happens when #BL602 connects to a #WiFi Network
https://lupyuen.github.io/articles/wifi?5#connect-to-wifi-access-point
What goes on inside the State Machine of the #BL602 #WiFi Manager
https://lupyuen.github.io/articles/wifi?6#wifi-manager-state-machine
How #BL602 talks to its #WiFi Radio Hardware to transmit packets
https://lupyuen.github.io/articles/wifi?7#send-request-to-lmac
How #BL602 triggers a Lower MAC Interrupt in the #WiFi Radio Hardware
https://lupyuen.github.io/articles/wifi?8#trigger-lmac-interrupt
Let's dive into the #BL602 #WiFi Driver ... Decompiled into C by BraveHeartFLOSSDev!
https://lupyuen.github.io/articles/wifi?9#decompiled-wifi-demo-firmware
#BL602 runs a #WiFi Firmware Task ... To transmit and receive WiFi packets in the background
https://lupyuen.github.io/articles/wifi?10#wifi-firmware-task
What happens inside the #BL602 #WiFi Firmware Task? 🤔 The decompiled code reveals all secrets! 🤫
https://lupyuen.github.io/articles/wifi?11#start-firmware-task
#BL602 #WiFi Driver deciphered thanks to GitHub Search!
https://lupyuen.github.io/articles/wifi?12#schedule-kernel-events
#BL602 #WiFi Kernel calls these Event Handlers to transmit and receive WiFi packets
https://lupyuen.github.io/articles/wifi?15#schedule-kernel-events
#BL602 #WiFi packet transmission looks undecipherable... Bit there's hope!
https://lupyuen.github.io/articles/wifi?16#handle-transmit-payload
How does #BL602 transmit a #WiFi Packet? Let's walk thru the decompiled code
https://lupyuen.github.io/articles/wifi?17#another-transmit-payload
@lupyuen Huh, neat how much "closed source" code is out there if you only look for it.
@lupyuen You've uncovered a lot of information about the BL602's code.
Good work Mr. Lee.
@AmpBenzScientist Thanks to you too! 🙂
@lupyuen I wouldn't have taken it seriously without your advice. It just so happens that I am good with Reverse Engineering. If you want to see anything decompiled, just let me know and I will see what I can (legally) do.
2,500 lines of Decompiled Code in #BL602 #WiFi Supplicant seem to match Rockchip RK3399 ... Leaving 700 lines to be deciphered
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit#gid=1323188614