Lup Yuen Lee 李立源
Jun 24, 2021, 34 tweets
Come join me (the "monster" 😂) as we dive deep into the #WiFi Code inside #RISCV #BL602 (the "wifi chip" 😂)

lupyuen.github.io/articles/pinec…
Many thanks to this hilarious (but truthful) comment on #BL602 😂

Here's the #BL602 #WiFi Firmware ... Let's find out how it connects to a WiFi Access Point

github.com/lupyuen/bl_iot…
#BL602 connects to #WiFi Access Point ... By notifying the WiFi Manager

github.com/lupyuen/bl_iot…
#BL602 #WiFi Manager runs as a Background Task ... Here's how we send requests to WiFi Manager

github.com/lupyuen/bl_iot…
#BL602 #WiFi Manager runs a State Machine ... That connects to the WiFi Access Point in the Background Task

github.com/lupyuen/bl_iot…
To connect to a #WiFi Access Point, #BL602 WiFi Manager sends a request to the Lower MAC Firmware

github.com/lupyuen/bl_iot…
LMAC is the Lower MAC Firmware that runs on the #BL602 Radio Hardware

ceva-dsp.com/product/rivier…
CEVA has an interesting list of customers

csimarket.com/stocks/markets…
#BL602 #WiFi Manager sends Connect Request to LMAC Firmware thru another Message Queue

github.com/lupyuen/bl_iot…
#BL602 #WiFi Manager talks to LMAC Firmware via Message Queue ... Let's find out how it works

ceva-dsp.com/product/rivier…
#BL602 #WiFi Driver talks to LMAC Firmware ... By writing to a Message Buffer and triggering an Interrupt

github.com/lupyuen/bl_iot…
#BL602 WiFi Driver triggers LMAC Interrupt ... By writing to Address 0x4400 0000 ... Let's see what's at 0x4400 0000

github.com/lupyuen/bl_iot…
But 0x4400 0000 is NOT documented in #BL602 Reference Manual! 😲 Now we know a secret ... BL602 talks to LMAC Firmware at Address 0x4400 0000 🤫

github.com/bouffalolab/bl…
Moving away from LMAC Firmware (since we got no code) ... Let's study the mysterious #BL602 #WiFi Library "libwifi" ... Which has been decompiled into C by BraveHeartFLOSSDev

github.com/BraveHeartFLOS…
#BL602 Firmware starts the #WiFi Stack ... By creating a Background Task that runs wifi_main ... Let's hunt for wifi_main

github.com/lupyuen/bl_iot…
"wifi_main" lives in the mysterious #BL602 #WiFi Library "libwifi" ... Let's study the decompiled C code (thanks to BraveHeartFLOSSDev and Ghidra)

github.com/lupyuen/bl602n…
#BL602 "wifi_main" calls "ke_evt_schedule" to do #WiFi Tasks ... GitHub Search shows that "ke_evt_schedule" is also defined in ... AliOS! 😲

github.com/lupyuen/bl602n…
But does "ke_evt_schedule" really come from AliOS? Not quite ... "ke_evt_schedule" actually comes from ... CEVA RivieraWaves! 😲

github.com/mclown/AliOS-T…
Now the #BL602 #WiFi Stack gets clearer ... We're actually reading the WiFi Driver Code by CEVA RivieraWaves! 💡

ceva-dsp.com/product/rivier…
Lesson Learnt: GitHub Search is our very good friend for Reverse Engineering! 👍

github.com/search?l=C&o=a…
The AliOS / RivieraWaves code we saw earlier was for Beken BK7231U WiFi + BLE SoC ... Is it related to #BL602? 🤔

bekencorp.com/en/goods/detai…
AliOS for Beken BK7231U WiFi SoC contains LMAC Firmware Code ... Is this the same LMAC Firmware that runs on #BL602's #WiFi Radio? 🤔 Super Exciting!

github.com/lupyuen/AliOS-…
From Now On: We shall read and understand the AliOS / RivieraWaves Source Code ... While comparing it with the Decompiled Code for #BL602 libwifi ... Just to be sure that they are the same 🤝

github.com/lupyuen/AliOS-…
Back to ke_evt_schedule, the function in #BL602 #WiFi Driver Kernel that handles every WiFi Event ... Let's hunt for ke_evt_hdlr and discover the WiFi Events

github.com/lupyuen/AliOS-…
Here are the #WiFi Event Handlers for #BL602 WiFi Kernel ... txl_payload_handle looks interesting ... Let's hunt for it

github.com/lupyuen/AliOS-…
txl_payload_handle handles #BL602 #WiFi Payloads by doing ... nothing! But txl_payload_handle_backup seems to be the right function that handles WiFi Payloads 🤔

github.com/lupyuen/bl602n…
#BL602 #WiFi Payload Handler calls rxu, txl and txu functions ... Fortunately these are defined in the AliOS / RivieraWaves Source Code we saw earlier

github.com/lupyuen/bl602n…
Here's the Decompiled #BL602 #WiFi Supplicant that handles WiFi Authentication ... Decompiled code looks readable

github.com/lupyuen/bl602n…
Thankfully #BL602 #WiFi Library libwifi was compiled with Assertions Enabled ... Makes Reverse Engineering simpler 👍

github.com/lupyuen/bl602n…
Let's do Quantitative Analysis of the Decompiled #BL602 #WiFi Demo Firmware ... How many lines of code do we actually need to Reverse Engineer ... Now that we've found some matching source files?

github.com/lupyuen/bl602n…
Load the Decompiled #BL602 #WiFi Functions into a spreadsheet ... For easier crunching

Google Sheets: docs.google.com/spreadsheets/d…
Matching the Decompiled #BL602 #WiFi Functions with AliOS / RivieraWaves Source Code ... And identifying the differences

Google Sheets: docs.google.com/spreadsheets/d…
Work In Progress: What's inside the #BL602 #WiFi Demo Firmware ... And how many lines of code need to be Reverse Engineered

Google Sheets: docs.google.com/spreadsheets/d…
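The quantitative analysis in the last few tweets (and the earlier "GitHub Search is our very good friend" lesson) can be scripted instead of crunched in a spreadsheet. The block below is an added example; it is not the thread author's code and not part of the BL602 SDK, libwifi or the AliOS tree. It parses a constructed Ghidra-style decompiler dump (function names borrowed from the thread, bodies made up), looks each function up in a constructed table that stands in for the GitHub Search results, groups the matches by the source file that defines them, and reports how many decompiled lines already have matching source versus how many still need reverse engineering. It also flags near-empty stubs, the txl_payload_handle situation the thread ran into, so they are not mistaken for the real handler.

```python
"""Tally decompiled functions against known source (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed stand-in for a Ghidra decompiler export of libwifi. The names come
# from the thread; the bodies are invented for this example.
DECOMPILED_C = """\
void wifi_main(void *param)
{
  ke_init();
  while (1) {
    ke_evt_schedule();
  }
}

void ke_evt_schedule(void)
{
  uint32_t evt = ke_evt_get();
  while (evt != 0) {
    int idx = 31 - __builtin_clz(evt);
    ke_evt_hdlr[idx]();
    evt = ke_evt_get();
  }
}

void txl_payload_handle(void)
{
  return;
}

void txl_payload_handle_backup(void)
{
  struct txdesc *txdesc = txl_get_desc();
  if (txdesc == NULL) {
    return;
  }
  txu_cntrl_frame_build(txdesc);
  txl_frame_push(txdesc);
}

int bl_wifi_connect(char *ssid, char *key)
{
  wifi_mgmr_sta_connect(ssid, key);
  return 0;
}
"""

# Constructed stand-in for the GitHub Search step: symbols we found defined in the
# AliOS / RivieraWaves tree, keyed by the (hypothetical) file that defines them.
KNOWN_SOURCE = {
    "ke_evt_schedule": "ke_event.c",
    "txl_payload_handle": "txl_cntrl.c",
    "txl_payload_handle_backup": "txl_cntrl.c",
    "txu_cntrl_frame_build": "txu_cntrl.c",
}

# A top-level signature: return type, name, parameter list, nothing else on the line.
FUNC_DEF = re.compile(r"^[A-Za-z_][\w\s\*]*?\b(\w+)\s*\([^;{]*\)\s*$")

# A body with at most this many statement lines is treated as a do-nothing stub.
STUB_BODY_LINES = 1


def parse_functions(text):
    """Return {name: line_count} for each top-level function in a decompiler dump.
    Decompiler output puts the opening brace on its own line and the closing
    brace in column 0, which is what this relies on."""
    funcs = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = FUNC_DEF.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].strip() == "{":
            name, start = m.group(1), i
            i += 2
            while i < len(lines) and lines[i] != "}":
                i += 1
            funcs[name] = i - start + 1  # signature + both braces + body
        i += 1
    return funcs


def classify(funcs, known):
    """Split functions into matched (source found, grouped by file) and unmatched
    (must be reverse engineered); list stubs whose body is effectively empty."""
    report = {"matched": defaultdict(dict), "unmatched": {}, "stubs": []}
    for name, nlines in funcs.items():
        if nlines - 3 <= STUB_BODY_LINES:  # subtract signature and brace lines
            report["stubs"].append(name)
        if name in known:
            report["matched"][known[name]][name] = nlines
        else:
            report["unmatched"][name] = nlines
    report["matched"] = dict(report["matched"])
    return report


def summarize(report):
    """Line totals plus the share of code that still has no matching source."""
    matched = sum(n for f in report["matched"].values() for n in f.values())
    unmatched = sum(report["unmatched"].values())
    total = matched + unmatched
    pct = round(100.0 * unmatched / total, 1) if total else 0.0
    return {"total": total, "matched": matched, "unmatched": unmatched,
            "to_reverse_engineer_pct": pct}


if __name__ == "__main__":
    rep = classify(parse_functions(DECOMPILED_C), KNOWN_SOURCE)
    for src, fns in sorted(rep["matched"].items()):
        print(f"{src}: {', '.join(f'{n} ({l} lines)' for n, l in fns.items())}")
    print("unmatched:", rep["unmatched"])
    print("stubs:", rep["stubs"])
    print(summarize(rep))
```

Feeding a real decompiler export and a real symbol index (for example, the output of grep over the AliOS tree) into the same two functions gives the per-file breakdown the spreadsheet was built for; the stub list is worth reading first, because a matched name with an empty body tells you nothing about which function actually does the work.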
