MediaTek WiFi RE

Notes and utilities for reverse engineering the firmware used in MediaTek's WiFi cores. This includes the cores used in PCIe/USB/SDIO-attached chips, standalone WiFi microcontrollers, and SoCs with built-in WiFi.

Quick start

Software dependencies

Procedure

  1. Install dependencies.
  2. Run make to generate the parser code used by extract_fw.py.
  3. Obtain the WIFI_RAM_CODE* binaries you're interested in. You can find these on many MediaTek-based Android phones in the /system/etc/firmware directory; if that doesn't work for you, you can also find these firmware files on the Internet, typically in the "vendor.zip" files posted by Android ROM developers. You can also find them, for example, using this GitHub search query, but you'll need to be logged in to GitHub in order for that to work.
  4. Extract the code and data sections from each binary with ./extract_fw.py ..., where ... is the name of the WIFI_RAM_CODE* firmware binary.

Reverse engineering notes

See Notes.md.

License

Except where otherwise stated:

  • All software in this repository (e.g., tools for unpacking firmware, etc.) is made available under the GNU General Public License, version 3 or later.
  • All copyrightable content that is not software (e.g., reverse engineering notes, this README file, etc.) is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.