-
Notifications
You must be signed in to change notification settings - Fork 207
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added Broadcom patchram and Bluetooth HCI
- Loading branch information
Showing
8 changed files
with
3,261 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| meta: | ||
| id: broadcom_patchram | ||
| title: Broadcom patchram blob | ||
| license: MIT | ||
| endian: le | ||
| doc: | | ||
| Patches for Broadcom chips firmware in ROM. | ||
| This spec describes the format of the blobs that are sent to the chip, that encode. | ||
| The blobs are uploded into chip RAM using WRITE_RAM to a special offsets in chip RAM in DOWNLOAD_MINIDRIVER mode, then when the chip is launched using LAUNCH_RAM. | ||
| The hcd files contain raw HCI commands to be sent to chips, the offsets are already there. They should be parsed with another spec, hardware/bluetooth/bluetooth_hcd, the commands should be emulated and this spec should be applied to the result. | ||
| doc-ref: | ||
| - https://raw.githubusercontent.com/seemoo-lab/internalblue/master/doc/internalblue_thesis_dennis_mantz.pdf | ||
| - https://github.com/MarkMendelsohn/brcm_patchram/blob/master/brcm_patchram_plus.c#L634 | ||
| seq: | ||
| - id: patches | ||
| type: patch | ||
| repeat: until | ||
| repeat-until: "_.command == command::end_fe or _.command == command::end_ef" | ||
| types: | ||
| patch: | ||
| seq: | ||
| - id: command | ||
| type: u1 | ||
| enum: command | ||
| - id: size | ||
| type: u2 | ||
| - id: value | ||
| size: size | ||
| type: | ||
| switch-on: command | ||
| cases: | ||
| 'command::patch_memory': patch_memory | ||
| 'command::patch_dword': patch_dword | ||
| 'command::reboot': reboot | ||
| types: | ||
| reboot: | ||
| seq: | ||
| - id: next_tlv_record_addr | ||
| type: u4 | ||
| doc: "When the TLV parser in the Download_Minidriver state processes the type 0x02 it initiates a reboot. However, in an early state of the boot process parsing the TLV list is continued at the address specified in the value of the TLV. In case of the bcm4335c5.hcd this is actually just the address of the next TLV object in the list." | ||
| - id: unkn0 | ||
| size: 6 | ||
| doc: Zero bytes? | ||
| patch_memory: | ||
| seq: | ||
| - id: target | ||
| type: u4 | ||
| - id: data | ||
| size-eos: true | ||
| patch_dword: | ||
| doc: | | ||
| Patching procedure (page 28 of the PDF, have I got it right?): | ||
| auto value_table = (uint32_t *)0xD0000; // ram | ||
| auto addr_table = (uint32_t *)0x310000; // hw register | ||
| value_table[rec.slot()] = rec.new_value(); | ||
| addr_table[rec.slot()] = rec.target(); | ||
| seq: | ||
| - id: slot | ||
| type: u1 | ||
| - id: target | ||
| -orig-id: target_address | ||
| type: u4 | ||
| - id: new_value | ||
| type: u4 | ||
| - id: unkn0 | ||
| type: u2 | ||
| doc: 0x0000 | ||
| - id: unkn1 | ||
| type: u4 | ||
| enums: | ||
| command: | ||
| 0x02: | ||
| id: reboot | ||
| doc: | | ||
| Issue a reboot and continues processing the list after the reset. | ||
| In the analyzed firmware patch (bcm4335c5.hcd) this typeis used exactly once and relatively early in the list before any of the type 0x08 objects. | ||
| 0x08: | ||
| id: patch_dword | ||
| doc: | | ||
| Patch 32-bit word in ROM. | ||
| 0x0a: | ||
| id: patch_memory | ||
| doc: Patch arbitray length of bytes in RAM. | ||
|
|
||
| 0x40: | ||
| id: set_mac_addr | ||
| doc: Set default Bluetooth Device Address. | ||
|
|
||
| 0x41: | ||
| id: set_local_device_name | ||
| doc: An ASCII string which is set to bethe new local device name. | ||
|
|
||
| 0xfe: | ||
| id: end_fe | ||
|
|
||
| 0xef: | ||
| id: end_ef | ||
|
|
||
| # todo: 0x03,0x0b,0x1a,0x40,0x68,0x69,0x6f,0x70,0x82,0x86,0x90,0xb1,0xb2,0xb3,0xc0,0xc1,0xd8,0xfd |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| /company-identifiers.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| meta: | ||
| id: bluetooth_hcd | ||
| title: Bluetooth Host Controller Interface Control Protocol | ||
| license: Unlicense | ||
| file-extension: hcd | ||
| endian: le | ||
| imports: | ||
| - control/bluetooth_control_command | ||
| - bluetooth_vendors_ids | ||
| xref: | ||
| wikidata: Q39531 | ||
| ieee: 802.15.1 | ||
| doc: | | ||
| Bluetooth Host Controller Interface protocol. | ||
| doc-ref: | ||
| - https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=478726 | ||
| - https://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_sdk/1.60.00.29_new/exports/docs/ble5stack/vendor_specific_guide/BLE_Vendor_Specific_HCI_Guide/hci_interface.html | ||
| - https://www.ti.com/lit/ug/swru442b/swru442b.pdf?ts=1594902336269 | ||
| - https://community.nxp.com/docs/DOC-341764 | ||
| params: | ||
| - id: vendor | ||
| type: u2 | ||
| enum: bluetooth_vendors_ids::vendor | ||
| seq: | ||
| - id: commands | ||
| type: bluetooth_control_command(vendor) | ||
| repeat: eos |
Oops, something went wrong.