Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bcm43430a1 karma #164

Open
wants to merge 16 commits into
base: master
Choose a base branch
from
+2,276 −34
Open

Bcm43430a1 karma #164

Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
159d632
Started working on FW hooks for KARMA implementation
mame82 Dec 4, 2017
e30fc68
KARMA Probing/Auth is bassically working for OPEN SYSTEMS AUTH. ToDo:…
mame82 Dec 5, 2017
236fac7
KARMA: Association to spoofed WiFi working (Open System)
mame82 Dec 5, 2017
5480d23
Untested switch to dis-/enable KARMA via IOCTL (uses possible PAD in …
mame82 Dec 6, 2017
b358fa9
Added IOCTL to enable/disable KARMA. ToDo: Disable DEBUG console out
mame82 Dec 8, 2017
42c5e1f
Reduced KARMA DEBUG out (branch based, no preprocessor compile exclued)
mame82 Dec 12, 2017
8fea0dc
Further DEBUG out reduction
mame82 Dec 12, 2017
647517a
Implemenation of firmware based list with unique SSIDs seen in probes…
mame82 Dec 12, 2017
a5b9e5d
Addded/extended some structs + needed function offsets from original …
mame82 Dec 17, 2017
d1bc75e
First implementation of multi beaconing (seen on probe requests + use…
mame82 Dec 17, 2017
ecab689
Removed unneded code/comments
mame82 Dec 17, 2017
1d6e8cd
Changed on-demand configuration via IOCTL, added SSID beaconing (karm…
mame82 Dec 18, 2017
8bbecc9
Added ioctl to dump KARMA config, updated python tool (dump_mem is cr…
mame82 Dec 20, 2017
19769c2
Fw: Fixed GET_MEM; mame82_util: fixed dump_mem, dump_conf prints curr…
mame82 Dec 21, 2017
d840feb
Capability check for KARMA support, CLI seetings tool for KARMA (work…
mame82 Dec 21, 2017
d97fc10
Updated KARMA firmware config tool
mame82 Dec 22, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Addded/extended some structs + needed function offsets from original … 
…firmware
@mame82
mame82 committed Dec 17, 2017
commit a5b9e5daeacb65ff1553bdb4534eaac89cbce607
118 changes: 104 additions & 14 deletions firmwares/bcm43430a1/structs.common.h
View file
Original file line number Diff line number Diff line change
@@ -405,7 +405,59 @@ struct wlc_if {
} u;
struct wlc_if_stats _cnt;
};

#define ETHER_ADDR_LEN 6 /* d11 management header length */
struct ether_addr {
uint8 octet[ETHER_ADDR_LEN];
};

typedef struct wlc_if wlc_if_t;
typedef struct wlc_bsscfg wlc_bsscfg_t;
typedef struct wlc_info wlc_info_t;
typedef struct wl_info wl_info_t;
typedef struct hnd_dev hnd_dev_t;

#define HND_DEV_NAME_MAX 16

/* Device instance */
struct hnd_dev {
char name[HND_DEV_NAME_MAX];
uint32 devid;
uint32 flags;
//hnd_dev_ops_t *ops;
void *ops;
void *softc;
hnd_dev_t *next;
hnd_dev_t *chained;
//hnd_dev_stats_t *stats;
void *stats;
void *commondata;
void *pdev;
};


typedef struct hnd_timer hnd_timer_t;
typedef struct hnd_timer hnd_task_t;
typedef hnd_timer_t wl_timer;
typedef struct wlc_ap_info wlc_ap_info_t;

struct wlc_ap_info {
int PAD;
};

struct hnd_timer
{
int PAD;
};

typedef struct wlc_assoc {
/* MaMe82: struct not verified */

struct wl_timer *timer; //0x00
char gap[0x44];
bool rt; //0x48

} wlc_assoc_t;

struct wlc_info {
struct wlc_pub *pub; /* 0x000 */
@@ -565,8 +617,18 @@ struct wlc_info {
int PAD; /* 0x25C */
int PAD; /* 0x260 */
int PAD; /* 0x264 */
int PAD; /* 0x268 */
int PAD; /* 0x26C */
/*
* MaMe82:
*
* The code @0x1d23a shows how the bsscfg array of wlc_info struct is iterated and reveals:
* offset 0x268: wlc_bsscfg_t **bsscfg //array of pointers to bsscfg structs in use, max length is 0x20
* offset 0x26C: wlc_bsscfg_t *cfg //pointer to primary bsscfg
*
* The observations have been verified on FW version 7.45.41.46
*/

wlc_bsscfg_t **bsscfg; /* 0x268 */ //MaMe82: checked, see comments above
wlc_bsscfg_t *cfg; /* 0x26C */ //MaMe82: checked, see comments above
int PAD; /* 0x270 */
int PAD; /* 0x274 */
int PAD; /* 0x278 */
@@ -733,7 +795,8 @@ struct wlc_info {
int PAD; /* 0X4FC */
int PAD; /* 0X500 */
int PAD; /* 0X504 */
int PAD; /* 0X508 */
//MaMe82: see code @ 0x0083f0cc
int ap; /* 0X508 */
int PAD; /* 0X50C */
short some_chanspec; /* 0X510 */
short PAD; /* 0X512 */
@@ -798,11 +861,6 @@ struct wlc_info {
int PAD; /* 0X5FC */
};

#define ETHER_ADDR_LEN 6 /* d11 management header length */
struct ether_addr {
uint8 octet[ETHER_ADDR_LEN];
};


/* partly CHECKED */
struct wlc_pub {
@@ -820,8 +878,18 @@ struct wlc_pub {
char field_26; /* 0x026 */
char field_27; /* 0x027 */
int PAD; /* 0x028 */
int PAD; /* 0x02C */
int field_30; /* 0x030 */
//MaMe82 see code @ 0x0083f0be
// int PAD; /* 0x02C */
bool PAD; //0x02c
bool PAD; //0x02d
bool PAD; //0x02e
bool _ap; //0x02f is AP
// int field_30; /* 0x030 */
bool _apsta; //0x030 is APSTA
bool PAD; //0x031
bool PAD; //0x032
bool PAD; //0x033

int PAD; /* 0x034 */
int PAD; /* 0x038 */
int PAD; /* 0x03C */
@@ -844,6 +912,28 @@ struct wlc_pub {
//0xec --> bcn_tmpl_len ??
} __attribute__((packed));


#define WLC_NUMRATES 16
#define MCSSET_LEN 16

typedef uint32 ratespec_t;

typedef struct wlc_rateset {
uint32 count; //likely to be uint16
uint8 rates[WLC_NUMRATES];
//uint8 htphy_membership;
//uint8 mcs[MCSSET_LEN];
//uint16 vht_mcsmap;
//uint16 vht_mcsmap_prop;
} wlc_rateset_t;

typedef struct wlc_bss_info {
struct ether_addr BSSID; //0x00
uint8 GAP[0x32]; //0x06
wlc_rateset_t rateset; //0x38 MaMe82 : see code @ 0x008377fa
uint8 TAIL[1];
} wlc_bss_info_t;

struct wlc_bsscfg {
struct wlc_info *wlc; /* 0x000 */
bool up; /* 0x004 */ //up
@@ -911,8 +1001,10 @@ struct wlc_bsscfg {
int PAD; /* 0x0E8 */
int PAD; /* 0x0EC */
int PAD; /* 0x0F0 */
int PAD; /* 0x0F4 */
int PAD; /* 0x0F8 */
//int PAD; /* 0x0F4 */
wlc_bss_info_t *current_bss; /* 0x0F4 */ //MaMe82: see code @ 0x008377f4
//int PAD; /* 0x0F8 */
wlc_assoc_t *assoc; /* 0x0F8 */ //MaMe82: see code @ 0x00847840
int PAD; /* 0x0FC */
int PAD; /* 0x100 */
int PAD; /* 0x104 */
@@ -1831,8 +1923,6 @@ struct tdls_iovar {
uint8 PAD;
} __attribute__((packed));

typedef struct wlc_bsscfg wlc_bsscfg_t;
typedef struct wlc_info wlc_info_t;

/*
struct bdc_ethernet_ip_udp_header {
34 changes: 34 additions & 0 deletions patches/common/wrapper.c
View file
Original file line number Diff line number Diff line change
@@ -1692,6 +1692,40 @@ AT(CHIP_VER_BCM43430a1, FW_VER_7_45_41_46, 0x18994)
void wlc_ap_process_assocreq(void *ap, wlc_bsscfg_t *bsscfg, void *hdr, uint8 *body, uint body_len, struct scb *scb, bool short_preamble)
VOID_DUMMY

//no hook call so far, as called by driver
AT(CHIP_VER_BCM43430a1, FW_VER_7_45_41_46, 0x819aec)
int wl_open(hnd_dev_t *dev)
RETURN_DUMMY

AT(CHIP_VER_BCM43430a1, FW_VER_7_45_41_46, 0x848154)
int wlc_bsscfg_up(wlc_info_t *wlc, wlc_bsscfg_t *cfg)
RETURN_DUMMY

AT(CHIP_VER_BCM43430a1, FW_VER_7_45_41_46, 0x839CC4)
void wlc_bss_up(wlc_ap_info_t *ap, wlc_bsscfg_t *bsscfg)
VOID_DUMMY


//0x0082b1d4 wlc_lowest_basic_rspec
AT(CHIP_VER_BCM43430a1, FW_VER_7_45_41_46, 0x82b1d4)
ratespec_t wlc_lowest_basic_rspec(wlc_info_t *wlc, wlc_rateset_t *rs)
RETURN_DUMMY

//0x00824820 wlc_bcn_prb_template
AT(CHIP_VER_BCM43430a1, FW_VER_7_45_41_46, 0x824820)
void wlc_bcn_prb_template(wlc_info_t *wlc, uint type, ratespec_t bcn_rate, wlc_bsscfg_t *cfg, uint16 *buf, int *len)
VOID_DUMMY
//--> example usage @0x008377f4 (wlc_ap_doiovar)

//0x00803acc memmove (untested)
AT(CHIP_VER_BCM43430a1, FW_VER_7_45_41_46, 0x803acc)
void *memmove(void *dst, void *src, int len)
RETURN_DUMMY

//0x00880e60 PKTFREE
AT(CHIP_VER_BCM43430a1, FW_VER_7_45_41_46, 0x803acc)
void PKTFREE(void *osh, void* p, int send)
VOID_DUMMY

#undef VOID_DUMMY
#undef RETURN_DUMMY