Project

General

Profile

WiFiResearch » History » Version 139

Kurtis Hanna, 07/30/2019 07:22 PM

1 75 Wolfgang Wiedmeyer
h1. WiFi Research
2 1 Denis 'GNUtoo' Carikli
3 128 Denis 'GNUtoo' Carikli
{{toc}}
4
5 1 Denis 'GNUtoo' Carikli
h2. Issue
6 75 Wolfgang Wiedmeyer
7 77 Wolfgang Wiedmeyer
Currently, the internal WiFi chip cannot be used on any of the Replicant-supported devices without having to load non-free firmware. See [[ReplicantStatus|Replicant status]] and the [[Index#Supported-devices|device pages]] for more information. 
8 28 Denis 'GNUtoo' Carikli
9
On desktops and laptops, several WiFi chips don't require non-free firmwares to be loaded.
10 27 Denis 'GNUtoo' Carikli
11
Several cases exist:
12
* The WiFi chip doesn't need a firmware, and the driver talks directly to the hardware (ath5k and ath9k compatible chips)
13
* The WiFi chip has a free software firmware (ath9k_htc, carl1970, and some b43 compatible chips)
14
* The WiFi chip has a non-free firmware in a flash chip and don't need loadable firmware.
15
16 80 Joonas Kylmälä
On phones, the only WiFi chip that doesn't require a non-free firmware that we know of is the OpenMoko FreeRunner WiFi chip. The firmware is in a flash chip.
17 29 Denis 'GNUtoo' Carikli
18 31 Denis 'GNUtoo' Carikli
The idea here is to find ways to still get WiFi on Replicant Supported devices, without needing to load any non-free firmware.
19
20
h2. WiFi Drivers and Firmwares types
21
22
Either the firmware implements the WiFi operations (scanning, association, and so on), either the driver implements it.
23
24
h3. Firmware implementing the WiFi operations
25
26 32 Denis 'GNUtoo' Carikli
This is also known as Hard-MAC. 
27
An easy way to find out is to look into the WiFi driver Kconfig for "select CFG80211" or "depends CFG80211"
28
29
Example:
30 33 Denis 'GNUtoo' Carikli
<pre>
31
config LIBERTAS
32
        tristate "Marvell 8xxx Libertas WLAN driver support"
33
        depends on CFG80211
34
[...]
35
</pre>
36 31 Denis 'GNUtoo' Carikli
37
If it is implemented by the firmware, it often contains bugs which cannot be fixed by the community. That also severally limit the use case of such WiFi chip beyond its most common uses cases.
38
39
This can result in more help in getting a free software firmware to run on such chip. However the amount of work to re-implement such firmware may be bigger.
40
41 81 Kurtis Hanna
The best way to reimplement it would be to write a new driver taking care of such WiFi operations and to make the firmware do the smallest amount of work possible.
42 31 Denis 'GNUtoo' Carikli
43
h3. Driver implementing the WiFi operations
44
45 34 Denis 'GNUtoo' Carikli
This is also known as Soft-MAC. 
46
An easy way to find out is to look into the WiFi driver Kconfig for "select MAC80211" or "depends MAC80211"
47 31 Denis 'GNUtoo' Carikli
48 34 Denis 'GNUtoo' Carikli
Example:
49
<pre>
50 35 Denis 'GNUtoo' Carikli
config WL1251
51
        tristate "TI wl1251 driver support"
52
        depends on MAC80211
53 34 Denis 'GNUtoo' Carikli
[...]
54
</pre>
55 31 Denis 'GNUtoo' Carikli
56 1 Denis 'GNUtoo' Carikli
h2. Internal WiFi chips on devices currently targeted by Replicant
57 2 Denis 'GNUtoo' Carikli
58 91 Denis 'GNUtoo' Carikli
|_. Device |_. WiFi chip |_. driver(s) |_. Research |
59 56 Denis 'GNUtoo' Carikli
| Galaxy S |/3. Broadcom BCM4329 |/3. BCMDHD (cfg80211) |
60 54 Denis 'GNUtoo' Carikli
| LG Optimus Black |
61 1 Denis 'GNUtoo' Carikli
| Nexus S |
62 105 dl lud
| Galaxy Nexus |/5. Broadcom BCM4330 |/5. |/8. * See the "nexmon project":https://github.com/seemoo-lab/nexmon
63 94 Denis 'GNUtoo' Carikli
* The BCM4330 has a rom. Can the driver use it? do functional free software firmware 'patches' exist for it ?
64 135 Denis 'GNUtoo' Carikli
* "Some documentation exists at least for the BCM4334":http://www.cypress.com/file/298706/download
65 136 Paul Kocialkowski
* Also see the "blog post about reverse engineering Broadcom wireless chipsets ":https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html
66 138 Denis 'GNUtoo' Carikli
* A "talk that was given about debugging code running on the chip":https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-DIY-ARM-Debugger-for-Wi-Fi-Chips.pdf
67 139 Kurtis Hanna
* See also the "RECON-BRX-2018-DIY-ARM-Debugger-for-Wi-Fi-Chips.pdf slides":https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-DIY-ARM-Debugger-for-Wi-Fi-Chips.pdf
68
* "A political solution might be worth pursuing":https://redmine.replicant.us/issues/1937 |
69 1 Denis 'GNUtoo' Carikli
| Galaxy Note |
70 78 Wolfgang Wiedmeyer
| Galaxy S 2 |
71
| Galaxy Tab 2 7.0 |
72
| Galaxy Tab 2 10.1 |
73
| Galaxy S 3 |/3. Broadcom BCM4334 |/3. |
74
| Galaxy S 3 4G |
75
| Galaxy Note 2 |
76 54 Denis 'GNUtoo' Carikli
|/2. GTA04 |/2. Marvell 8686 (W2CBW003) | libertas_sdio(mainline, cfg80211) |
77
| libertas_tf_sdio(patches, mac80211) |
78 40 Denis 'GNUtoo' Carikli
79 1 Denis 'GNUtoo' Carikli
h2. Available Internal WiFi chips for smartphones and tablets
80
81 103 Denis 'GNUtoo' Carikli
|_. Driver / Chip |_. Busses |_. Firmware |_. Usable in smartphones or tablets? |_. Research |
82 96 Denis 'GNUtoo' Carikli
| ath5k | PCI, PCIe, PCMCIA, AHB  | None(Driver<->Hardware) | Busses? chip size? power consumption? | |
83
| ath9k | PCI, PCIe, PCMCIA, AHB  | None(Driver<->Hardware) | Busses? chip size? power consumption? | |
84
| ath9k_htc | USB | Free firmware | Bus? chip size? power consumption? | |
85
| carl9170 | USB | Free firmware | Bus? chip size? power consumption? | |
86
| airo | PCI, PCMCIA | Non-free firmware on flash | ? | |
87
| at76c50x-usb | USB | Non-free firmware needed for some cards only | ? | |
88
| b43/b43-legacy | SSB, PCI, PCI-E, PCMCIA | OpenFWWF with 4306, 4311(rev1), 4318, 4320 | ? | |
89
| rt2400 | PCI | No non-free firmware needed | ? | |
90
| rt2500 | PCI | No non-free firmware needed | ? | |
91
| rt2500usb | PCI | No non-free firmware needed | ? | |
92
| rtl818x | PCI, USB | No non-free firmware needed | ? | |
93 104 Denis 'GNUtoo' Carikli
| esp8266 (out of tree) |  UART, SPI, SDIO  | * Unsigned fimrware and free software SDK available for it
94
* "nonfree binaries required to make WiFi work":https://github.com/espressif/ESP8266_NONOS_SDK/tree/master/lib
95
* "Out of tree Linux driver available":https://github.com/george-hopkins/esp8089-spi which depend on nonfree firmware | Used in a tablet? | |
96
| esp32 (out of tree) | |  * Unsigned fimrware and free software SDK available for it
97
* "nonfree binaries required to make WiFi work":https://github.com/espressif/esp32-wifi-lib | Used in a tablet? |
98 1 Denis 'GNUtoo' Carikli
| rsi91x | SDIO, USB, other? | * nonfree firmware required
99 103 Denis 'GNUtoo' Carikli
* "may be possible to add it on a dedicated flash chip":https://puri.sm/posts/librem5-2018-09-hardware-report/ | Might be used in a smartphone in the future | |
100 104 Denis 'GNUtoo' Carikli
| brcmfmac | SDIO, USB, pcie | * ARM CPU with ROM and ARM
101
* Unsigned code
102
* nonfree firmware are used with the Linux driver | Used in smartphones and tablets | * TODO: Look if it works once firmware loading has been patched out of the upstream Linux driver
103 84 Denis 'GNUtoo' Carikli
* TODO: Look at the nextmon project if there are usable free firmwares
104 96 Denis 'GNUtoo' Carikli
* According to the "BCM4334 documentation":http://www.cypress.com/file/298706/download it's possible to have the firmware on dedicated flash chip. |
105 101 Denis 'GNUtoo' Carikli
| rtlwifi (staging) | SDIO, USB, PCIe | nonfree firmware | Used at least in e-readers | * The nonfree firmware allow reverse engineering (GPL)
106 96 Denis 'GNUtoo' Carikli
* "Reverse engineering the nonfree firmware looks easy":https://libreplanet.org/wiki/Group:Hardware/Freest/e-readers/Aura_H2O_Edition_2#WiFi_firmware |
107 59 Denis 'GNUtoo' Carikli
108 72 Denis 'GNUtoo' Carikli
Notes:
109
* PCI, PCIe and PCMCIA are available on very few SOCs (Like I.MX)
110 80 Joonas Kylmälä
* We are not aware of phone designs using USB WiFi chips.
111
* AHB and SSB are usually used as internal memory bus for SOCS. Maybe it can be used to connect a WiFi chip to the SOC memory, like with the I.MX WEIM bus?
112
* Chip size is important to fit inside a phone. Might be less an issue for tablets.
113 72 Denis 'GNUtoo' Carikli
114 69 Denis 'GNUtoo' Carikli
References:
115
* https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers#Status
116
* https://wireless.wiki.kernel.org/en/users/drivers
117
* http://netweb.ing.unibs.it/~openfwwf/index.php
118 70 Denis 'GNUtoo' Carikli
* https://nurdspace.nl/ESP8266
119 69 Denis 'GNUtoo' Carikli
120 130 Denis 'GNUtoo' Carikli
h2. WiFi chip evaluation kit and hardware debug tools
121 129 Denis 'GNUtoo' Carikli
122
* "BCM4334 Evaluation kit":https://store.embeddedworks.net/wlan670/#tab-label-additional
123
124 133 Denis 'GNUtoo' Carikli
It would also be nice to find evaluation kit for the following hardware:
125 131 Denis 'GNUtoo' Carikli
* ath9k_htc compatible chips: This probably would make it easier to modify the firmware to debug and improve power management
126 132 Denis 'GNUtoo' Carikli
* Realtek 8188F compatible chips, because "freeing the firmware should be doable":https://libreplanet.org/wiki/Group:Hardware/Freest/e-readers/Aura_H2O_Edition_2#WiFi_firmware
127 131 Denis 'GNUtoo' Carikli
128 85 Denis 'GNUtoo' Carikli
h3. TODO
129 1 Denis 'GNUtoo' Carikli
130 85 Denis 'GNUtoo' Carikli
* Coordinate the work with the "Libreplanet wiki":https://libreplanet.org/wiki/Group:Hardware/ReverseEngineering#WiFi.2FBluetooth_chips_for_Smartphones_and_Tablets
131 107 Denis 'GNUtoo' Carikli
* Look into Broadcom chipset reverse engineering tools like "nexmon":https://github.com/seemoo-lab/nexmon . Since Broadcom chipsets have Bluetooth support on the same chip it is also worth to look into tools such as "InternalBlue":https://github.com/seemoo-lab/internalblue.
132 1 Denis 'GNUtoo' Carikli
133 85 Denis 'GNUtoo' Carikli
h2. Internal WiFi chips on devices currently targeted by Replicant
134 57 Denis 'GNUtoo' Carikli
135 27 Denis 'GNUtoo' Carikli
h2. External Wifi solution
136 36 Denis 'GNUtoo' Carikli
137
Most/All Replicant supported devices support USB OTG. With the proper (standard) cable, the USB port of the device can do USB host.
138
139 80 Joonas Kylmälä
However devices differ a lot in the number of Milli-ampers they can deliver through that USB port. Some phones also have USB host enabled by default in their kernel configuration, and some other require patching the kernel.
140 37 Denis 'GNUtoo' Carikli
141
On Replicant kernels, USB WiFi drivers are probably not compiled in by default. So you will also need to recompile.
142
143 115 Denis 'GNUtoo' Carikli
|_. Device |_. Chips involved |_. Replicant 6 Kernel |_. Max mA |
144 113 Denis 'GNUtoo' Carikli
| Galaxy Nexus | TWL6040 | 3.0.101 | 500mA ("tuna_set_vbus_drive in board-tuna-connector.c":https://git.replicant.us/replicant/kernel_samsung_tuna/tree/arch/arm/mach-omap2/board-tuna-connector.c#n260 ) |
145 122 Denis 'GNUtoo' Carikli
| Galaxy S III (I9300) |/3. "MAX77693":https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4412-midas.dtsi#n131 with the "ESAFEOUT1 regulator":https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4412-midas.dtsi?h=v5.1#n401 |/5. 3.0.101 |/3. * Datasheet not found
146
* The upstream driver doesn't have the information
147
* Downstream drivers might have some information about how much mA ESAFEOUT1 can deliver |
148 120 Denis 'GNUtoo' Carikli
| Galaxy S III 4G (I9305) |
149 1 Denis 'GNUtoo' Carikli
| Galaxy Note 2 |
150
| Galaxy Note |
151 124 Denis 'GNUtoo' Carikli
| Galaxy S 2 | MAX8997 with the SAFEOUT1 regulator "[1]":https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/mach-u1.c#n3486 "[2]":https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/sec-switch_max8997.c#n61 | * Datasheet not found
152 122 Denis 'GNUtoo' Carikli
* The upstream driver doesn't have the information
153 123 Denis 'GNUtoo' Carikli
* Downstream drivers might have some information about how much mA SAFEOUT1 can deliver |
154 118 Denis 'GNUtoo' Carikli
| Galaxy Tab 2 7.0 | | | ? |
155
| Galaxy Tab 2 10.1 | | | ? |
156 55 Denis 'GNUtoo' Carikli
| GTA04 | | |
157 118 Denis 'GNUtoo' Carikli
| Galaxy S | | |
158 37 Denis 'GNUtoo' Carikli
| Nexus S | | |
159 55 Denis 'GNUtoo' Carikli
| Optimus Black | |
160 125 Denis 'GNUtoo' Carikli
161 127 Denis 'GNUtoo' Carikli
See #1926 for pointers on how to find the missing information for the Maxim Power Management ICs (PMICs).