Lup Yuen Lee 李立源 @lupyuen@qoto.org

Let's do Quantitative Analysis of the Decompiled #BL602 #WiFi Demo Firmware ... How many lines of code do we actually need to Reverse Engineer ... Now that we've found some matching source files?

https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.txt

Thankfully #BL602 #WiFi Library libwifi was compiled with Assertions Enabled ... Makes Reverse Engineering simpler 👍

https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L38512-L38609

Here's the Decompiled #BL602 #WiFi Supplicant that handles WiFi Authentication ... Decompiled code looks readable

https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L29805-L29860

Creamy and super garlicky 🤤

Cheesy Garlic Toast

#BL602 #WiFi Payload Handler calls rxu, txl and txu functions ... Fortunately these are defined in the AliOS / RivieraWaves Source Code we saw earlier

https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L20220-L20398

txl_payload_handle handles #BL602 #WiFi Payloads by doing ... nothing! But txl_payload_handle_backup seems to be the right function that handles WiFi Payloads 🤔

https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L20203-L20398

Here are the #WiFi Event Handlers for #BL602 WiFi Kernel ... txl_payload_handle looks interesting ... Let's hunt for it

https://github.com/lupyuen/AliOS-Things/blob/master/platform/mcu/bk7231u/beken/ip/ke/ke_event.c#L78-L138

Back to ke_evt_schedule, the function in #BL602 #WiFi Driver Kernel that handles every WiFi Event ... Let's hunt for ke_evt_hdlr and discover the WiFi Events

https://github.com/lupyuen/AliOS-Things/blob/master/platform/mcu/bk7231u/beken/ip/ke/ke_event.c#L203-L231

Chicken Soup with carrots, potatoes, onions, garlic, ginger and barley 🤤

Culinary Experiment 😂

From Now On: We shall read and understand the AliOS / RivieraWaves Source Code ... While comparing it with the Decompiled Code for #BL602 libwifi ... Just to be sure that they are the same 🤝

https://github.com/lupyuen/AliOS-Things/tree/master/platform/mcu/bk7231u/beken/ip/ke

AliOS for Beken BK7231U WiFi SoC contains LMAC Firmware Code ... Is this the same LMAC Firmware that runs on #BL602's #WiFi Radio? 🤔 Super Exciting!

https://github.com/lupyuen/AliOS-Things/tree/master/platform/mcu/bk7231u/beken/ip/lmac/src

The AliOS / RivieraWaves code we saw earlier was for Beken BK7231U WiFi + BLE SoC ... Is it related to #BL602? 🤔

http://www.bekencorp.com/en/goods/detail/cid/13.html

Lesson Learnt: GitHub Search is our very good friend for Reverse Engineering! 👍

https://github.com/search?l=C&o=asc&q=ke_evt_schedule&s=indexed&type=Code

Now the #BL602 #WiFi Stack gets clearer ... We're actually reading the WiFi Driver Code by CEVA RivieraWaves! 💡

https://www.ceva-dsp.com/product/rivierawaves-wi-fi-platforms/

But does "ke_evt_schedule" really come from AliOS? Not quite ... "ke_evt_schedule" actually comes from ... CEVA RivieraWaves! 😲

https://github.com/mclown/AliOS-Things/blob/master/platform/mcu/bk7231u/beken/ip/ke/ke_event.c#L203-L231

#BL602 "wifi_main" calls "ke_evt_schedule" to do #WiFi Tasks ... GitHub Search shows that "ke_evt_schedule" is also defined in ... AliOS! 😲

https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L28721-L28737

"wifi_main" lives in the mysterious #BL602 #WiFi Library "libwifi" ... Let's study the decompiled C code (thanks to BraveHeartFLOSSDev and Ghidra)

https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L32959-L33006

#BL602 Firmware starts the #WiFi Stack ... By creating a Background Task that runs wifi_main ... Let's hunt for wifi_main

https://github.com/lupyuen/bl_iot_sdk/blob/master/customer_app/bl602_demo_wifi/bl602_demo_wifi/main.c#L729-L747