Project

General

Profile

Actions

Issue #1937

open

Liberate the bcm4334 wifi/bluetooth firmware

Added by Kurtis Hanna over 5 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Wi-Fi
Target version:
Start date:
06/13/2019
Due date:
% Done:

0%

Estimated time:
Resolution:
Device:
Grant:
Type of work:
Communication (mails, contacting people, etc)

Description

The driver for this chip seems to already be free software and is in the mainline linux kernel: https://redmine.replicant.us/issues/1836

Cypress now owns the rights to the bcm4334 chips' firmware. To my knowledge, Cypress is more likely to say yes to a request that they release the source code to this firmware with a free software license than Broadcom would have been. I don't believe anyone has formally asked Cypress to do this. Since this chip is in a lot of Replicant's supported devices, it would make sense for our project to formally ask this of them.

The non-free firmware binary seems to be available here:
https://github.com/OpenELEC/wlan-firmware/blob/master/firmware/brcm/brcmfmac4334-sdio.bin

There were some efforts to hack this chip's firmware in the past, but it seems to not have gone anywhere...

https://forum.xda-developers.com/showpost.php?p=52499037&postcount=5
https://github.com/cociorbaandrei/bcmon
https://recon.cx/2013/video/Recon2013-Ruby%20feinstein%20Omri%20Ildis%20Yuval%20Ofir.mp4
https://recon.cx/2013/slides/Recon2013-Omri%20Ildis%2c%20Yuval%20Ofir%20and%20Ruby%20Feinstein-Wardriving%20from%20your%20pocket.pptx
https://bcmon.blogspot.com/
Some of this work seems to have been done by this developer, who we could maybe contact for help if we also want to hack the chip's firmware: https://github.com/shoote

Actions #1

Updated by Kurtis Hanna about 5 years ago

Some more information about this has been added to our wiki: https://redmine.replicant.us/projects/replicant/wiki/WiFi#section-6

Also, here's a link to a bcm4334 devkit of sorts: https://store.embeddedworks.net/wlan670/#tab-label-additional

Actions #2

Updated by Anonymous about 5 years ago

I'm not a hardware guy, but in my opinion, a more direct way to create a dev kit is to buy a few of these:
https://www.aliexpress.com/item/32871146311.html

Then, buy an appropriate BGA to DIP adapter (the bcm4334 is strange (10x11), I'm not sure if getting a bigger one (11x11) would do the trick), and solder the bcm4334 to it (this step requires BGA soldering skills, which as I understand, aren't very common), wire it up properly and start hacking:
https://www.proto-advantage.com/store/index.php?cPath=4000

By the way, the pinout of the bcm4334 is labeled on page 90 of the datasheet:
https://www.cypress.com/file/298706/download

Actions #3

Updated by Jack K over 4 years ago

In light of this...

https://arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/

...does anyone think pursuing the firmware source code request with Cypress is worthwhile - asking that since they won't patch this vulnerable, old code, please release it to the community?

Has anyone got any experience with these sorts of requests?

Actions #4

Updated by Kurtis Hanna over 4 years ago

Hello Jack,

I'm not familiar with those sorts of requests. Please feel free to approach them and ask if you have the willingness to do so!

Cordially,
Kurtis

Actions #5

Updated by Kurtis Hanna over 4 years ago

I wonder if the fact that bluetooth works even when the proprietary firmware isn't on the phone is a clue of some sort: https://redmine.replicant.us/issues/1928

Actions #6

Updated by _I3^ RELATIVISM over 3 years ago

  • Type of work Communication (mails, contacting people, etc) added
Actions

Also available in: Atom PDF