Random Noise

cat /dev/random >> /dev/dsp

Posts Tagged ‘firmware’

Extracting firmware brcmfmac4366c-pcie.bin


1. Extract dhd.ko from the trx firmware
2. Find the array object in the dhd.ko that holds the firmware.

For example, we know the wireless chip is a 4366c0, so list all symbols in the .ko with readelf and filter on that name:

~$ readelf -s dhd.ko | grep 4366c0
 218: 00198b6c 4 OBJECT GLOBAL DEFAULT 35 active_cons_4366c0
 227: 00198b40 18 OBJECT GLOBAL DEFAULT 35 dlimagever_4366c0
 247: 00198a94 169 OBJECT GLOBAL DEFAULT 35 dlimagename_4366c0
 347: 00198b68 1 OBJECT GLOBAL DEFAULT 35 dlimagetag_4366c0
 478: 00198b54 20 OBJECT GLOBAL DEFAULT 35 dlimagedate_4366c0
 518: 00198b70 0xe3f38 OBJECT GLOBAL DEFAULT 35 dlarray_4366c0
 624: 000022e4 4 OBJECT GLOBAL DEFAULT 46 debug_params_4366c0

Note down the size of the array object (dlarray_4366c0). Here it is 0xe3f38 in hex, or 933688 bytes in decimal.

Now we need to find the beginning offset of the array object in the .ko file. For that we inspect an already available firmware for the 4366b. You can see that the firmware starts with 00 F2 3E B8 04 F2

screenshot-from-2017-02-12-15-39-13

and ends with the firmware ID plus 4 bytes.

screenshot-from-2017-02-12-15-41-39

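Taking a clue from the above, we first search dhd.ko for 00 F2 3E B8 04 F2 and, starting at that offset, extract the 933688 bytes we found with readelf. In this dhd.ko the pattern is at byte offset 1906224, which is the skip value used below. A six-byte pattern can match in more than one place, so cross-check the offset: dhd.ko is a relocatable object, so the symbol value 0x198b70 is an offset into section 35, and the file offset should equal that section's offset (from readelf -S) plus 0x198b70.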

~$ dd if=dhd.ko skip=1906224 ibs=1 count=933688 of=brcmfmac4366c-pcie.bin

Examining the extracted file, we can confirm that the beginning and end bytes are
00 F2 3E B8 04 F2 and (firmware ID plus 4 bytes) respectively.


Written by Vivek Unune

February 12, 2017 at 8:47 pm

Posted in linux, openwrt


Building Lede Firmware


Simple DTS:

Basic DTS for the Linksys EA9500, which has three BCM4366 wireless chipsets.

---
 arch/arm/boot/dts/Makefile                   |   1 +
 arch/arm/boot/dts/bcm47094-linksys-ea9500.dts | 78 +++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 arch/arm/boot/dts/bcm47094-linksys-ea9500.dts

--- a/arch/arm/boot/dts/Makefile
+++ b/arch/arm/boot/dts/Makefile
@@ -78,6 +78,7 @@ dtb-$(CONFIG_ARCH_BCM_5301X) += \
 	bcm4709-linksys-r8000.dtb \
 	bcm47094-dlink-dir-885l.dtb \
 	bcm47094-netgear-r8500.dtb \
+	bcm47094-linksys-ea9500.dtb \
 	bcm94708.dtb \
 	bcm94709.dtb \
 	bcm953012er.dtb \
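Review bot: The new `bcm47094-linksys-ea9500.dtb \` entry is placed after `bcm47094-netgear-r8500.dtb`, which breaks the alphabetical order that the visible context lines follow; it belongs between `bcm47094-dlink-dir-885l.dtb \` and `bcm47094-netgear-r8500.dtb \`. The `dtb-$(CONFIG_ARCH_BCM_5301X)` list starts and ends outside this hunk, so the ordering convention is inferred only from the seven lines shown.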
--- /dev/null
+++ b/arch/arm/boot/dts/bcm47094-linksys-ea9500.dts
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2016 Rafał Miłecki <rafal@milecki.pl>
+ *
+ * Licensed under the ISC license.
+ */
+
+/dts-v1/;
+
+#include "bcm4709.dtsi"
+#include "bcm5301x-nand-cs0-bch1.dtsi"
+
+/ {
+	compatible = "linksys,ea9500", "brcm,bcm47094", "brcm,bcm4708";
+	model = "Linksys EA9500";
+
+	chosen {
+		bootargs = "console=ttyS0,115200";
+	};
+
+	memory {
+		reg = <0x00000000 0x08000000>;
+	};
+
+	leds {
+		compatible = "gpio-leds";
+
+		usb0 {
+			label = "bcm53xx:white:usb0";
+			gpios = <&chipcommon 0 GPIO_ACTIVE_LOW>;
+			linux,default-trigger = "default-off";
+		};
+
+		usb1 {
+			label = "bcm53xx:white:usb1";
+			gpios = <&chipcommon 1 GPIO_ACTIVE_LOW>;
+			linux,default-trigger = "default-off";
+		};
+
+		power0 {
+			label = "bcm53xx:white:power";
+			gpios = <&chipcommon 4 GPIO_ACTIVE_HIGH>;
+			linux,default-trigger = "default-on";
+		};
+
+
+
+		wireless {
+			label = "bcm53xx:white:5ghz-1";
+			gpios = <&chipcommon 22 GPIO_ACTIVE_LOW>;
+			linux,default-trigger = "default-off";
+		};
+
+	};
+
+	gpio-keys {
+		compatible = "gpio-keys";
+		#address-cells = <1>;
+		#size-cells = <0>;
+
+		rfkill {
+			label = "WiFi";
+			linux,code = <KEY_RFKILL>;
+			gpios = <&chipcommon 16 GPIO_ACTIVE_LOW>;
+		};
+
+		wps {
+			label = "WPS";
+			linux,code = <KEY_WPS_BUTTON>;
+			gpios = <&chipcommon 3 GPIO_ACTIVE_LOW>;
+		};
+
+		restart {
+			label = "Reset";
+			linux,code = <KEY_RESTART>;
+			gpios = <&chipcommon 10 GPIO_ACTIVE_LOW>;
+		};
+	};
+};
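Review bot: In the `gpio-keys` node, `#address-cells = <1>;` and `#size-cells = <0>;` are declared although none of the `rfkill`, `wps` or `restart` children has a `reg` property, so both lines can be dropped (newer dtc versions warn about unnecessary address/size cells). The `leds` node also carries two stray blank lines after `power0` and one before its closing brace. The `memory` node describes a single 128 MiB bank at address 0 (`reg = <0x00000000 0x08000000>;`); if the board has more RAM than that, a second range is needed, and a short comment stating the intended size would settle it either way. `GPIO_ACTIVE_LOW` and the `KEY_*` codes are not defined by anything this file includes directly, so they presumably arrive through `bcm4709.dtsi`; a one-line comment such as `/* GPIO and input constants come in via bcm4709.dtsi */` would make that dependency explicit.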

Adding EA9500 to target/linux/bcm53xx/image/Makefile

# Image recipe for the Linksys EA9500 in target/linux/bcm53xx/image/Makefile.
#
# DEVICE_PACKAGES installs whatever $(BRCMFMAC_4366B1) and $(USB3_PACKAGES)
# expand to; both variables are defined outside this snippet.
# NOTE(review): the firmware-extraction notes on this page concern a 4366c0
# chip, while this recipe selects the 4366B1 package set. Confirm which
# revision the board's radios are, so the image ships the matching firmware.
#
# IMAGES / IMAGE/trx: a single image named "trx", built by feeding the
# append-rootfs step into trx-serial (both steps are defined elsewhere in the
# image Makefile).
define Device/linksys-ea9500
  DEVICE_TITLE := Linksys EA9500
  DEVICE_PACKAGES := $(BRCMFMAC_4366B1) $(USB3_PACKAGES)
  IMAGES := trx
  IMAGE/trx := append-rootfs | trx-serial
endef
# Appends the device name to TARGET_DEVICES, presumably the list of devices
# the image build iterates over. TODO confirm against the build system.
TARGET_DEVICES += linksys-ea9500

 

Written by Vivek Unune

February 10, 2017 at 9:58 pm

Posted in lede, linux, openwrt
