Issue #1937

Liberate the bcm4334 wifi/bluetooth firmware

Added by Kurtis Hanna 12 months ago. Updated 27 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Wi-Fi
Target version:
Start date: 06/13/2019
Due date:
% Done: 0%
Estimated time:
Resolution:
Device:

Description

The driver for this chip seems to already be free software and is in the mainline linux kernel: https://redmine.replicant.us/issues/1836

Cypress now owns the rights to the bcm4334 chips' firmware. To my knowledge, Cypress is more likely to say yes to a request that they release the source code to this firmware with a free software license than Broadcom would have been. I don't believe anyone has formally asked Cypress to do this. Since this chip is in a lot of Replicant's supported devices, it would make sense for our project to formally ask this of them.

The non-free firmware binary seems to be available here:
https://github.com/OpenELEC/wlan-firmware/blob/master/firmware/brcm/brcmfmac4334-sdio.bin

There were some efforts to hack this chip's firmware in the past, but it seems to not have gone anywhere...

https://forum.xda-developers.com/showpost.php?p=52499037&postcount=5
https://github.com/cociorbaandrei/bcmon
https://recon.cx/2013/video/Recon2013-Ruby%20feinstein%20Omri%20Ildis%20Yuval%20Ofir.mp4
https://recon.cx/2013/slides/Recon2013-Omri%20Ildis%2c%20Yuval%20Ofir%20and%20Ruby%20Feinstein-Wardriving%20from%20your%20pocket.pptx
https://bcmon.blogspot.com/
Some of this work seems to have been done by this developer, whom we could maybe contact for help if we also want to hack the chip's firmware: https://github.com/shoote

History

#1

Updated by Kurtis Hanna 10 months ago

Some more information about this has been added to our wiki: https://redmine.replicant.us/projects/replicant/wiki/WiFi#section-6

Also, here's a link to a bcm4334 devkit of sorts: https://store.embeddedworks.net/wlan670/#tab-label-additional

#2

Updated by Anonymous 10 months ago

I'm not a hardware guy, but in my opinion, a more direct way to create a dev kit is to buy a few of these:
https://www.aliexpress.com/item/32871146311.html

Then, buy an appropriate BGA to DIP adapter (the bcm4334 has an unusual 10x11 grid; I'm not sure whether a bigger 11x11 one would do the trick), solder the bcm4334 to it (this step requires BGA soldering skills, which, as I understand, aren't very common), wire it up properly and start hacking:
https://www.proto-advantage.com/store/index.php?cPath=4000

By the way, the pinout of the bcm4334 is labeled on page 90 of the datasheet:
https://www.cypress.com/file/298706/download

#3

Updated by Jack K 3 months ago

In light of this...

https://arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/

...does anyone think pursuing the firmware source code request with Cypress is worthwhile, i.e. asking that, since they won't patch this vulnerable old code, they please release it to the community?

Has anyone got any experience with these sorts of requests?

#4

Updated by Kurtis Hanna 27 days ago

Hello Jack,

I'm not familiar with those sorts of requests. Please feel free to approach them and ask if you have the willingness to do so!

Cordially,
Kurtis

#5

Updated by Kurtis Hanna 27 days ago

I wonder if the fact that bluetooth works even when the proprietary firmware isn't on the phone is a clue of some sort: https://redmine.replicant.us/issues/1928
