nexmon
Can't find docs about how to patch
I'm looking to patch TicWatch Pro's bcm43436b0 chipset fw version 9.88.0.0. As far as I see, it could be easily supported.
Is there any guide on how to edit the patches? So far I've got the fw_bcmdhd.bin but unsure of how to figure out patches just by looking at the other's patches.
@matthiasseemoo
Support for bcm43436b0 (brcmfmac) has been added recently. If you're familiar with the tools I'd try to disassemble and bindiff brcmfmac/bcmdhd firmwares
How awesome is that! I'll surely do at some point. Any particular things to look for in the diffs?
How awesome is that! I'll surely do in the next few days. Any particular things to look for in the diffs?
Hello, what's the latest progress? I've been studying the TicWatch Pro 3 LTE recently. The chip seems to be bcm43436b0, and the Linux kernel version is 4.9. Are you interested in working together?
Definitely! I also have the 3. I didn't have time to bindiff the first but both should be relatively easy. I have only little time so I postponed but I have some time here and there 😃 Both chipsets are supported and both arm. Imagine the Hijacker app on your watch 🤯 hit me up on Telegram 👊
OK, it's a great honor
Busy with work, I have less free time. Come on! 😃
This is the bindiff output info:
Could not find basic block: 00000004
.....
.....
Could not find basic block: 00058B76
Setup: 0.16s
primary: fw_bcmdhd: 1666 functions, 4891 calls
secondary: brcmfmac43436-sdio: 1595 functions, 4828 calls
Matching: 0.15s
matched: 1537 of 1666/1595 (primary/secondary, 1665/1594 non-library)
call graph MD index: primary 74.448 secondary 70.1589
Similarity: 88.8388% (Confidence: 99.0592%)
What is next step to do and How to make this firmware patch?
Load them into your favorite disassembler and try to figure out how the offsets in definitions.mk need to be changed.
@lasyka I'll hop on to the Ticwatch Pro 3 fw then. Please let me know how you progress
Hmm the TWP3 has two firmwares, and the first one is actually the exact same version as the TWP, 9.88.0.0. Wondering which one is being used
fw_bcm43436b0.bin - 9.88.0.0
fw_bcm43438a1.bin - 7.45.96.79
Sorry, I'm a newbie, don't know how to do the next step to patch the TicWatch wifi firmware. :( The bindiff shows the original TicWatch firmware is close to nexmon's firmware. There are about 200 function differences.
So far I understand what to do next, I just don't have time. Just got a job to complete, then I'm jumping back in 👍
@yesimxev
I did an adb shell dumpsys wifi on my TicWatch Pro 3 Ultra GPS (Rubyfish) and here is the relevant info about which is being used:
Chipset information :-----------------------------------------------
FW Version is: Firmware: wl0: Jan 14 2021 10:53:53 version 7.45.96.79 (ce0e3d8@SYNA) (r745790) FWID 01-667de1ce es7
CLM: 7.11.15 (2014-05-26 10:53:55)
Chip: a9a6 Rev 1
Driver Version is: Dongle Host Driver, version 100.10.545.2 (r826445-20190806-3)
Supported Feature set: -1
Since it loaded version 7.45.96.79, I think it is safe to assume that fw_bcm43438a1.bin is being used.
Hmm it's a third version. Can't wait to continue
@yesimxev the nexmon README says:
bcm43430a1 was wrongly labeled bcm43438 in the past.
Is it possible that this is actually a bcm43430a1 chip using firmware version 7.45.96.79?
I'll check when there's time. Both needs patches anyway 👌
I am trying to do that, but I'm new to patching, seems like my assumption is correct
Load them into your favorite disassembler and try to figure out how the offsets in definitions.mk need to be changed. @DrSchottky
I'm going to disassemble tonight. Is it a simple "find and replace" of the addresses, according to the definitions.mk from the same chipset? I may be missing something in there. Could you give me just one example, say the first thing you'd change, just so I know what you exactly mean. Doesn't have to be the solution, just in theory. Also, is the ROM bin needed too, or is the RAM bin enough? I also have an LG V20 waiting in the nexmon queue, again it's a supported chipset 👌😄
For example: I see
# original ucode start and size
UCODESTART=0x4E9C0
in firmwares/bcm43438/7_45_41_26/definitions.mk. I'm looking at the disassembled brcmfmac43430-sdio.bin in Ghidra. Looks like I found the ucode start in fw_bcm43438a1.bin too. 🙌
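As an added example (not nexmon's code, and not from anyone in this thread), one way to mechanise the "find the same bytes in the new image" step when porting a definitions.mk value such as UCODESTART: take a byte signature at the known offset in the reference firmware, search the target firmware for it, and widen the signature until exactly one hit remains. The two images, the 0x800 reference offset and the 0x120-byte insertion are constructed stand-ins; a real port still needs the disassembler check, because the code at the offset may itself have changed between versions.

```python
import random

def _blob(seed, n):
    # Deterministic filler standing in for firmware bytes (constructed, not real firmware).
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def find_all(haystack, needle):
    """All offsets at which needle occurs in haystack."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits

def port_offset(ref_fw, target_fw, ref_offset, min_sig=8, max_sig=64):
    """Locate where the bytes at ref_offset in ref_fw landed in target_fw.
    Starts with a short signature and doubles it until the hit is unique;
    raises if there is no hit or it stays ambiguous (then disassemble by hand)."""
    sig_len = min_sig
    while sig_len <= max_sig:
        sig = ref_fw[ref_offset:ref_offset + sig_len]
        if len(sig) < sig_len:
            raise ValueError("reference offset too close to end of image")
        hits = find_all(target_fw, sig)
        if not hits:
            raise LookupError(f"no match for {sig_len}-byte signature at 0x{ref_offset:X}")
        if len(hits) == 1:
            return hits[0], sig_len
        sig_len *= 2
    raise LookupError(f"still {len(hits)} candidates at {max_sig} bytes")

def build_sample():
    """Constructed pair of images: the target is the reference with 0x120 extra bytes
    inserted up front and a decoy copy of the first 8 signature bytes placed 0x100 later,
    so an 8-byte signature is ambiguous and the search must widen to 16 bytes."""
    ref = bytearray(_blob(1, 0x1000))
    ref[0x800:0x810] = b"UCODE-SIG-\x00\x01\x02\x03\x04\x05"  # marker at the "ucode start"
    target = _blob(2, 0x120) + bytes(ref[:0x900]) + bytes(ref[0x800:0x808]) + bytes(ref[0x900:])
    return bytes(ref), target, 0x800

if __name__ == "__main__":
    ref, target, old = build_sample()
    new, used = port_offset(ref, target, old)
    print(f"UCODESTART=0x{new:X}   # was 0x{old:X}, matched on a {used}-byte signature")
```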
Almost done boardconfig.mk. What's the next step?
Make a very simple patch that is doing nothing else than extracting the compressed ucode. If that is working and the chip starts your patched firmware, you know that you found the correct locations of the ucode and the minimum set of functions required for the ucode decompression operation. Then you can continue to add additional patches one by one, such as monitor mode, frame injection, ...
On 11. Nov 2022, at 11:09, yesimxev @.***> wrote:
Almost done boardconfig.mk. What's the next step?
@matthiasseemoo I'm ready with the ucode.bin. What shall I do after it's extracted?
Set up the folders/files structure for a new fw with only the patch for ucode extraction (see patch.c) and try to build and run it
I'm not too sure and sorry if I ask too much. I feel like I won't progress if I don't do so. Does only this patch line need to be in patch.c?
Then flashpatches or patches still need to be applied in Makefile?
@yesimxev I noticed that the Raspberry Pi Pico Wireless uses an Infineon CYW43439 which has the same architecture on the WLAN side. Using the RPi Pico W might be a less expensive way of troubleshooting the patching process.
Thank you for your advice. I also have a big support from @jlinktu, I just have some other stuff to clear first. We're not far from the result 🎉
Any progress? I am starting to port the work too for the same TicWatch model, let me know if I must work on it or if you have already modded nexmon for that purpose.
It's very close to finished. Just figuring out dumping the ROM and it doesn't want to spit out what we want. Does this work on your watch in adb shell? dhdutil -i wlan0 membytes -r 0x181000 0x915ac > /sdcard/rom.bin
(invalid arg on mine)
Already tried to do that some time ago, same result, even with TWRP and root, it fails.