From c61a62fa79327880f1742a3b12c92845e7fdb532 Mon Sep 17 00:00:00 2001
From: Matthias Schulz
Date: Fri, 29 Sep 2017 05:38:41 -0700
Subject: [PATCH] bcm43451b1: Extended rom_extraction patch. Now it is also possible to read the console buffer using an ioctl.
---
 .../7_63_43_0/rom_extraction/Makefile | 10 ++---
 .../rom_extraction/include/local_wrapper.h | 40 +++++++++++++++++++
 .../src/before_flash_patching.c | 2 +-
 .../7_63_43_0/rom_extraction/src/ioctl.c | 26 ++++++++++++
 .../rom_extraction/src/local_wrapper.c | 33 +++++++++++----
 5 files changed, 98 insertions(+), 13 deletions(-)
 create mode 100644 patches/bcm43451b1/7_63_43_0/rom_extraction/include/local_wrapper.h

diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/Makefile b/patches/bcm43451b1/7_63_43_0/rom_extraction/Makefile
index d754c163b..60dd8e909 100644
--- a/patches/bcm43451b1/7_63_43_0/rom_extraction/Makefile
+++ b/patches/bcm43451b1/7_63_43_0/rom_extraction/Makefile
@@ -160,15 +160,15 @@ endif
 dump-rom: FORCE
 @printf "\033[0;31m DUMPING ROM TO\033[0m /var/root/romdump.bin\n"
- $(Q)ssh -p 2222 root@localhost 'nexutil -g0x602 -l1024 -i -v0x0 -r > /var/root/romdump.bin && for n in {1..447}; do nexutil -g0x602 -l1024 -i -v$$(($$n*1024)) -r >> /var/root/romdump.bin; done'
- @printf "\033[0;31m DOWNLOADING ROM DUMP\033[0m /var/root/rumdump.bin => romdump.bin\n"
- $(Q)scp -P 2222 root@localhost:/var/root/romdump.bin rom.bin
+ $(Q)ssh local 'nexutil -g0x602 -l1024 -i -v0x0 -r > /var/root/romdump.bin && for n in {1..447}; do nexutil -g0x602 -l1024 -i -v$$(($$n*1024)) -r >> /var/root/romdump.bin; done'
+ @printf "\033[0;31m DOWNLOADING ROM DUMP\033[0m /var/root/romdump.bin => rom.bin\n"
+ $(Q)scp local:/var/root/romdump.bin rom.bin
 install-firmware: tempranillo.trx
 @printf "\033[0;31m COPYING TO PHONE\033[0m %s => /sdcard/%s\n" $< $<
- $(Q)scp -P 2222 tempranillo.trx root@localhost:/usr/share/firmware/wifi/C-4345__s-B1/
+ $(Q)scp tempranillo.trx local:/usr/share/firmware/wifi/C-4345__s-B1/
 @printf "\033[0;31m RELOADING FIRMWARE\033[0m\n"
- $(Q)ssh -p 2222 root@localhost '/usr/libexec/wifiFirmwareLoader -F /usr/share/firmware/wifi/C-4345__s-B1/tempranillo.trx'
+ $(Q)ssh local '/usr/libexec/wifiFirmwareLoader -F /usr/share/firmware/wifi/C-4345__s-B1/tempranillo.trx'
 install-original: $(FW_PATH)/$(RAM_FILE)
 @printf "\033[0;31m REMOUNTING /vendor\033[0m\n"
diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/include/local_wrapper.h b/patches/bcm43451b1/7_63_43_0/rom_extraction/include/local_wrapper.h
new file mode 100644
index 000000000..f903f57e1
--- /dev/null
+++ b/patches/bcm43451b1/7_63_43_0/rom_extraction/include/local_wrapper.h
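Review bot: The dump-rom and install-firmware recipes now depend on an ssh_config Host entry named `local` in place of the explicit `-p 2222 root@localhost`, but nothing in the Makefile states that prerequisite, so on a checkout without that alias the targets would presumably fail with an unknown host. A one-line comment above dump-rom such as `# ssh/scp targets use the "local" Host alias from ~/.ssh/config (previously -p 2222 root@localhost)` would make the requirement explicit. The install-original target continues outside the hunk.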
@@ -0,0 +1,40 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#ifndef LOCAL_WRAPPER_H
+#define LOCAL_WRAPPER_H
+
+#include "../src/local_wrapper.c" // wrapper definitions for functions that already exist in the firmware
+
+#endif /*LOCAL_WRAPPER_H*/
diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/src/before_flash_patching.c b/patches/bcm43451b1/7_63_43_0/rom_extraction/src/before_flash_patching.c
index d47df4ba2..56f1483e7 100644
--- a/patches/bcm43451b1/7_63_43_0/rom_extraction/src/before_flash_patching.c
+++ b/patches/bcm43451b1/7_63_43_0/rom_extraction/src/before_flash_patching.c
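Review bot: The header's only content is `#include "../src/local_wrapper.c"`, and what that expands to depends on whether WRAPPER_H is already defined at the point of inclusion (prototypes if it is, weak at()-placed dummy definitions if not, as the comments in local_wrapper.c describe), but the header itself does not say so, so include order silently changes what a translation unit gets. A comment next to the include such as `// include after wrapper.h to get prototypes only; included on its own this emits the weak at() dummies` would spare readers a trip into the .c file. The relative `../src/` path also pins the header to this directory layout, which is worth noting in the same comment.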
@@ -41,8 +41,8 @@
 #include // useful helper functions
 #include // macros used to craete patches such as BLPatch, BPatch, ...
 #include // rates used to build the ratespec for frame injection
+#include
-int fp_apply_patches(void);
 unsigned int fp_orig_data[183][2] = { 0 };
 unsigned int fp_orig_data_len = 183;
diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/src/ioctl.c b/patches/bcm43451b1/7_63_43_0/rom_extraction/src/ioctl.c
index af9532ce6..ee3200fcb 100644
--- a/patches/bcm43451b1/7_63_43_0/rom_extraction/src/ioctl.c
+++ b/patches/bcm43451b1/7_63_43_0/rom_extraction/src/ioctl.c
@@ -86,6 +86,32 @@ wlc_ioctl_hook(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if)
 break;
 }
+ case 0x603: // read from memory
+ {
+ memcpy(arg, *(char **) arg, len);
+ ret = IOCTL_SUCCESS;
+ break;
+ }
+
+ case 0x604: // write to console
+ {
+ arg[len-1] = 0;
+ printf("%s\n", arg);
+ ret = IOCTL_SUCCESS;
+ break;
+ }
+
+ case 0x605: // dump console
+ {
+ unsigned int *config = *(unsigned int **) 0x208e38;
+ if (len >= config[3]) {
+ memcpy(arg, (char *) (config[2] + config[4]), config[3] - config[4]);
+ memcpy(arg + config[3] - config[4], (char *) config[2], config[4]);
+ ret = IOCTL_SUCCESS;
+ }
+ break;
+ }
+
 default:
 ret = wlc_ioctl(wlc, cmd, arg, len, wlc_if);
 }
diff --git a/patches/bcm43451b1/7_63_43_0/rom_extraction/src/local_wrapper.c b/patches/bcm43451b1/7_63_43_0/rom_extraction/src/local_wrapper.c
index 25410ab92..b1ad41667 100644
--- a/patches/bcm43451b1/7_63_43_0/rom_extraction/src/local_wrapper.c
+++ b/patches/bcm43451b1/7_63_43_0/rom_extraction/src/local_wrapper.c
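Review bot: The 0x604 handler executes `arg[len-1] = 0;` before checking that len is at least 1, so a zero-length request stores a byte in front of the buffer, and the 0x603 handler reads a pointer out of `arg` with no check that len covers `sizeof(char *)` or that arg is non-NULL; each case should open with a length guard, `if (len < 1) break;` for 0x604 and `if (len < sizeof(char *)) break;` for 0x603, leaving ret untouched the way the 0x605 case already does when len is too small. The 0x605 case also assumes config[4] <= config[3], otherwise `config[3] - config[4]` wraps and the first memcpy runs far past the buffer; whether the descriptor at 0x208e38 guarantees that ordering is not visible here, so adding `config[4] <= config[3] &&` to its if would be cheap insurance. What ret holds when a case leaves it unset is decided outside this hunk, as is the rest of wlc_ioctl_hook, whose body starts and ends beyond it. Since 0x603 makes the ioctl an unrestricted read of whatever address the caller supplies, a comment on that case stating it is a ROM-extraction debug aid that must not ship in non-research builds would help the next maintainer.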
@@ -32,14 +32,33 @@
 * *
 **************************************************************************/
-#pragma NEXMON targetregion "patch"
+#ifndef LOCAL_WRAPPER_C
+#define LOCAL_WRAPPER_C
-#include // definition of firmware version macros
-#include // macros used to craete patches such as BLPatch, BPatch, ...
+#include
+#include
+#include
-__attribute__((weak, at(0x20a584, "dummy", CHIP_VER_BCM43451b1, FW_VER_7_63_43_0)))
+#ifndef WRAPPER_H
+ // if this file is not included in the wrapper.h file, create dummy functions
+ #define VOID_DUMMY { ; }
+ #define RETURN_DUMMY { ; return 0; }
+
+ #define AT(CHIPVER, FWVER, ADDR) __attribute__((weak, at(ADDR, "dummy", CHIPVER, FWVER)))
+#else
+ // if this file is included in the wrapper.h file, create prototypes
+ #define VOID_DUMMY ;
+ #define RETURN_DUMMY ;
+ #define AT(CHIPVER, FWVER, ADDR)
+#endif
+
+AT(CHIP_VER_BCM43451b1, FW_VER_7_63_43_0, 0x20a584)
 int fp_apply_patches(void)
-{
- return 0;
-}
+RETURN_DUMMY
+
+#undef VOID_DUMMY
+#undef RETURN_DUMMY
+#undef AT
+
+#endif /*LOCAL_WRAPPER_C*/
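Review bot: The `#pragma NEXMON targetregion "patch"` line is dropped with no replacement and the commit message does not say why; if the weak `fp_apply_patches` dummy is now meant to be placed solely by the at() attribute, a comment above the `#ifndef WRAPPER_H` block stating that this file relies on at() placement and must not carry a targetregion pragma would remove the doubt, since I cannot tell from the hunk whether the pragma was still needed. VOID_DUMMY is defined in both branches and then undefined without any wrapper in this file using it; a short `// reserved for void-returning wrappers` next to its definition would stop it reading as dead code. The `RETURN_DUMMY` expansion `{ ; return 0; }` is fine for an int wrapper but would silently mis-type a wrapper returning a pointer or struct, which is worth a one-line note for whoever adds the next entry.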