"wifi_main" lives in the mysterious #BL602 #WiFi Library "libwifi" ... Let's study the decompiled C code (thanks to BraveHeartFLOSSDev and Ghidra)
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L32959-L33006
#BL602 "wifi_main" calls "ke_evt_schedule" to do #WiFi Tasks ... GitHub Search shows that "ke_evt_schedule" is also defined in ... AliOS! 😲
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L28721-L28737
But does "ke_evt_schedule" really come from AliOS? Not quite ... "ke_evt_schedule" actually comes from ... CEVA RivieraWaves! 😲
Now the #BL602 #WiFi Stack gets clearer ... We're actually reading the WiFi Driver Code by CEVA RivieraWaves! 💡
https://www.ceva-dsp.com/product/rivierawaves-wi-fi-platforms/
Lesson Learnt: GitHub Search is our very good friend for Reverse Engineering! 👍
https://github.com/search?l=C&o=asc&q=ke_evt_schedule&s=indexed&type=Code
The AliOS / RivieraWaves code we saw earlier was for Beken BK7231U WiFi + BLE SoC ... Is it related to #BL602? 🤔
AliOS for Beken BK7231U WiFi SoC contains LMAC Firmware Code ... Is this the same LMAC Firmware that runs on #BL602's #WiFi Radio? 🤔 Super Exciting!
https://github.com/lupyuen/AliOS-Things/tree/master/platform/mcu/bk7231u/beken/ip/lmac/src
From Now On: We shall read and understand the AliOS / RivieraWaves Source Code ... While comparing it with the Decompiled Code for #BL602 libwifi ... Just to be sure that they are the same 🤝
https://github.com/lupyuen/AliOS-Things/tree/master/platform/mcu/bk7231u/beken/ip/ke
txl_payload_handle handles #BL602 #WiFi Payloads by doing ... nothing! But txl_payload_handle_backup seems to be the right function that handles WiFi Payloads 🤔
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L20203-L20398
#BL602 #WiFi Payload Handler calls rxu, txl and txu functions ... Fortunately these are defined in the AliOS / RivieraWaves Source Code we saw earlier
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L20220-L20398
Here's the Decompiled #BL602 #WiFi Supplicant that handles WiFi Authentication ... Decompiled code looks readable
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L29805-L29860
Thankfully #BL602 #WiFi Library libwifi was compiled with Assertions Enabled ... Makes Reverse Engineering simpler 👍
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.c#L38512-L38609
Let's do Quantitative Analysis of the Decompiled #BL602 #WiFi Demo Firmware ... How many lines of code do we actually need to Reverse Engineer ... Now that we've found some matching source files?
https://github.com/lupyuen/bl602nutcracker1/blob/main/bl602_demo_wifi.txt
Load the Decompiled #BL602 #WiFi Functions into a spreadsheet ... For easier crunching
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit?usp=sharing
Matching the Decompiled #BL602 #WiFi Functions with AliOS / RivieraWave Source Code ... And identifying the differences
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit?usp=sharing
Work In Progress: What's inside the #BL602 #WiFi Demo Firmware ... And how many lines of code need to be Reverse Engineered
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit#gid=1323188614
2,500 lines of Decompiled Code in #BL602 #WiFi Supplicant seem to match Rockchip RK3399 ... Leaving 700 lines to be deciphered
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit#gid=1323188614
#BL602 #WiFi Firmware: 87,000 lines of Decompiled Code have been classified ... 24,000 more lines to go!
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit#gid=1323188614
Quantitative Analysis of Decompiled #BL602 #WiFi Firmware is nearly complete! Actual lines of WiFi code to be reverse engineered: 10,500
Google Sheets: https://docs.google.com/spreadsheets/d/1C_XmkH-ZSXz9-V2HsYBv7K1KRx3RF3-zsoJRLh1GwxI/edit#gid=1323188614
Here's how we start the #WiFi Driver in our #BL602 Firmware
https://lupyuen.github.io/articles/wifi?2#bl602-wifi-demo-firmware
How we connect to a #WiFi Access Point in our #BL602 Firmware
https://lupyuen.github.io/articles/wifi?3#connect-to-wifi-network
What happens when #BL602 connects to a #WiFi Network
https://lupyuen.github.io/articles/wifi?5#connect-to-wifi-access-point
What goes on inside the State Machine of the #BL602 #WiFi Manager
https://lupyuen.github.io/articles/wifi?6#wifi-manager-state-machine
How #BL602 talks to its #WiFi Radio Hardware to transmit packets
https://lupyuen.github.io/articles/wifi?7#send-request-to-lmac
How #BL602 triggers a Lower MAC Interrupt in the #WiFi Radio Hardware
https://lupyuen.github.io/articles/wifi?8#trigger-lmac-interrupt
Let's dive into the #BL602 #WiFi Driver ... Decompiled into C by BraveHeartFLOSSDev!
https://lupyuen.github.io/articles/wifi?9#decompiled-wifi-demo-firmware
#BL602 runs a #WiFi Firmware Task ... To transmit and receive WiFi packets in the background
https://lupyuen.github.io/articles/wifi?10#wifi-firmware-task
What happens inside the #BL602 #WiFi Firmware Task? 🤔 The decompiled code reveals all secrets! 🤫
https://lupyuen.github.io/articles/wifi?11#start-firmware-task
#BL602 #WiFi Driver deciphered thanks to GitHub Search!
https://lupyuen.github.io/articles/wifi?12#schedule-kernel-events
#BL602 #WiFi Kernel calls these Event Handlers to transmit and receive WiFi packets
https://lupyuen.github.io/articles/wifi?15#schedule-kernel-events
#BL602 #WiFi packet transmission looks undecipherable... Bit there's hope!
https://lupyuen.github.io/articles/wifi?16#handle-transmit-payload
How does #BL602 transmit a #WiFi Packet? Let's walk thru the decompiled code
https://lupyuen.github.io/articles/wifi?17#another-transmit-payload
What is RivieraWaves? How is it used for #BL602 #WiFi?
https://lupyuen.github.io/articles/wifi?19#ceva-rivierawaves
#BL602 #WiFi Driver includes these modules from RivieraWaves Upper MAC
https://lupyuen.github.io/articles/wifi?20#upper-medium-access-control
Here are the Lower MAC Interfaces exposed by #BL602 #WiFi Radio Hardware
https://lupyuen.github.io/articles/wifi?21#lower-medium-access-control
#BL602 #WiFi Physical Layer looks a little murky 🤿
https://lupyuen.github.io/articles/wifi?23#wifi-physical-layer
How we do Quantitative Analysis of the Decompiled #BL602 #WiFi Firmware
https://lupyuen.github.io/articles/wifi?24#quantitative-analysis
How we classified 97,000 Lines of Code in our Decompiled #BL602 #WiFi Firmware
https://lupyuen.github.io/articles/wifi?25#load-functions-into-spreadsheet
Matching the Decompiled #BL602 #WiFi Firmware ... With the source code we've discovered on GitHub Search
https://lupyuen.github.io/articles/wifi?26#match-the-decompiled-functions
#BL602 #WiFi Quantitative Analysis says: A huge chunk of the WiFi Source Code is already out there!
https://lupyuen.github.io/articles/wifi?27#count-the-lines-of-code
@lupyuen This is very good news.
@AmpBenzScientist Yep hope to finish the article soon 🙂
@lupyuen A friend asked me to mention Rule 377 to you. It's a mass surveillance rule. The backlash can already be felt in the West.
This friend also wanted to complement you on the quality of your analysis.
I'm glad to hear that the 1st Edition is almost finished.
@AmpBenzScientist Yep thanks 🙂
@AmpBenzScientist You may wanna pass a word to Prof, I find his revving work very very impressive. Wish I could contribute on lmac and other parts with no sourcecode to relate to, if I manage.
@lupyuen
Very interesting analysis and nice method of relating a known source code base with decced binary.
Great job, Prof Lup.
#BL602 #WiFi Driver is based on CEVA RivieraWaves
https://lupyuen.github.io/articles/wifi?18#ceva-rivierawaves