Replicant

h1. WiFi Research

{{toc}}

h2. Issue

Currently, the internal WiFi chip cannot be used on any of the Replicant-supported devices without having to load non-free firmware. See [[ReplicantStatus|Replicant status]] and the [[Index#Supported-devices|device pages]] for more information. 

On desktops and laptops, several WiFi chips don't require non-free firmwares to be loaded.

Several cases exist:

* The WiFi chip doesn't need a firmware, and the driver talks directly to the hardware (ath5k and ath9k compatible chips)

* The WiFi chip has a free software firmware (ath9k_htc, carl1970, and some b43 compatible chips)

* The WiFi chip has a non-free firmware in a flash chip and don't need loadable firmware.

On phones, the only WiFi chip that doesn't require a non-free firmware that we know of is the OpenMoko FreeRunner WiFi chip. The firmware is in a flash chip.

The idea here is to find ways to still get WiFi on Replicant Supported devices, without needing to load any non-free firmware.

h2. WiFi Drivers and Firmwares types

Either the firmware implements the WiFi operations (scanning, association, and so on), either the driver implements it.

h3. Firmware implementing the WiFi operations

This is also known as Hard-MAC. 

An easy way to find out is to look into the WiFi driver Kconfig for "select CFG80211" or "depends CFG80211"

Example:

<pre>

config LIBERTAS

        tristate "Marvell 8xxx Libertas WLAN driver support"

        depends on CFG80211

[...]

</pre>

If it is implemented by the firmware, it often contains bugs which cannot be fixed by the community. That also severally limit the use case of such WiFi chip beyond its most common uses cases.

This can result in more help in getting a free software firmware to run on such chip. However the amount of work to re-implement such firmware may be bigger.

The best way to reimplement it would be to write a new driver taking care of such WiFi operations and to make the firmware do the smallest amount of work possible.

h3. Driver implementing the WiFi operations

This is also known as Soft-MAC. 

An easy way to find out is to look into the WiFi driver Kconfig for "select MAC80211" or "depends MAC80211"

Example:

<pre>

config WL1251

        tristate "TI wl1251 driver support"

        depends on MAC80211

[...]

</pre>

h2. Internal WiFi chips on devices currently targeted by Replicant

|_. Device |_. WiFi chip |_. driver(s) |_. Research |

| Galaxy S |/3. Broadcom BCM4329 |/3. BCMDHD (cfg80211) |

| LG Optimus Black |

| Nexus S |

| Galaxy Nexus |/5. Broadcom BCM4330 |/5. |/8. * See the "nexmon project":https://github.com/seemoo-lab/nexmon

* The BCM4330 has a rom. Can the driver use it? do functional free software firmware 'patches' exist for it ?

* "Some documentation exists at least for the BCM4334":http://www.cypress.com/file/298706/download

* Also see the "blog post about reverse engineering Broadcom wireless chipsets ":https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html

* A "talk that was given about debugging code running on the chip":https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-DIY-ARM-Debugger-for-Wi-Fi-Chips.pdf

* See also the "RECON-BRX-2018-DIY-ARM-Debugger-for-Wi-Fi-Chips.pdf slides":https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-DIY-ARM-Debugger-for-Wi-Fi-Chips.pdf

* "A political solution might be worth pursuing":https://redmine.replicant.us/issues/1937 |

| Galaxy Note |

| Galaxy S 2 |

| Galaxy Tab 2 7.0 |

| Galaxy Tab 2 10.1 |

| Galaxy S 3 |/3. Broadcom BCM4334 |/3. |

| Galaxy S 3 4G |

| Galaxy Note 2 |

|/2. GTA04 |/2. Marvell 8686 (W2CBW003) | libertas_sdio(mainline, cfg80211) |

| libertas_tf_sdio(patches, mac80211) |

See also the "All wireless communication stacks are equally broken talk at 36c3": https://media.ccc.de/v/36c3-10531-all_wireless_communication_stacks_are_equally_broken :

* There are some tools to emulate WiFi and Bluetooth chips hardware

* Around 34 minutes 30 seconds there is "So the first part is mapping all the hardware registers", so the software tools probably have some very rough documentation on the chips

h2. Available Internal WiFi chips for smartphones and tablets

|_. Driver / Chip |_. Busses |_. Firmware |_. Usable in smartphones or tablets? |_. Research |

| ath5k | PCI, PCIe, PCMCIA, AHB  | None(Driver<->Hardware) | Busses? chip size? power consumption? | |

| ath9k | PCI, PCIe, PCMCIA, AHB  | None(Driver<->Hardware) | Busses? chip size? power consumption? | |

| ath9k_htc | USB | Free firmware | Bus? chip size? power consumption? | |

| carl9170 | USB | Free firmware | Bus? chip size? power consumption? | |

| airo | PCI, PCMCIA | Non-free firmware on flash | ? | |

| at76c50x-usb | USB | Non-free firmware needed for some cards only | ? | |

| b43/b43-legacy | SSB, PCI, PCI-E, PCMCIA | OpenFWWF with 4306, 4311(rev1), 4318, 4320 | ? | |

| rt2400 | PCI | No non-free firmware needed | ? | |

| rt2500 | PCI | No non-free firmware needed | ? | |

| rt2500usb | PCI | No non-free firmware needed | ? | |

| rtl818x | PCI, USB | No non-free firmware needed | ? | |

| esp8266 (out of tree) |  UART, SPI, SDIO  | * Unsigned fimrware and free software SDK available for it

* "nonfree binaries required to make WiFi work":https://github.com/espressif/ESP8266_NONOS_SDK/tree/master/lib

* "Out of tree Linux driver available":https://github.com/george-hopkins/esp8089-spi which depend on nonfree firmware | Used in a tablet? | |

| esp32 (out of tree) | |  * Unsigned fimrware and free software SDK available for it

* "nonfree binaries required to make WiFi work":https://github.com/espressif/esp32-wifi-lib | Used in a tablet? |

| rsi91x | SDIO, USB, other? | * nonfree firmware required

* "may be possible to add it on a dedicated flash chip":https://puri.sm/posts/librem5-2018-09-hardware-report/ | Might be used in a smartphone in the future | |

| brcmfmac | SDIO, USB, pcie | * ARM CPU with ROM and ARM

* Unsigned code

* nonfree firmware are used with the Linux driver | Used in smartphones and tablets | * TODO: Look if it works once firmware loading has been patched out of the upstream Linux driver

* TODO: Look at the nextmon project if there are usable free firmwares

* According to the "BCM4334 documentation":http://www.cypress.com/file/298706/download it's possible to have the firmware on dedicated flash chip. |

| rtlwifi (staging) | SDIO, USB, PCIe | nonfree firmware | Used at least in e-readers | * The nonfree firmware allow reverse engineering (GPL)

* "Reverse engineering the nonfree firmware looks easy":https://libreplanet.org/wiki/Group:Hardware/Freest/e-readers/Aura_H2O_Edition_2#WiFi_firmware |

Notes:

* PCI, PCIe and PCMCIA are available on very few SOCs (Like I.MX)

* We are not aware of phone designs using USB WiFi chips.

* AHB and SSB are usually used as internal memory bus for SOCS. Maybe it can be used to connect a WiFi chip to the SOC memory, like with the I.MX WEIM bus?

* Chip size is important to fit inside a phone. Might be less an issue for tablets.

References:

* https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers#Status

* https://wireless.wiki.kernel.org/en/users/drivers

* http://netweb.ing.unibs.it/~openfwwf/index.php

* https://nurdspace.nl/ESP8266

h2. WiFi chip evaluation kit and hardware debug tools

* "BCM4334 Evaluation kit":https://store.embeddedworks.net/wlan670/#tab-label-additional

It would also be nice to find evaluation kit for the following hardware:

* ath9k_htc compatible chips: This probably would make it easier to modify the firmware to debug and improve power management

* Realtek 8188F compatible chips, because "freeing the firmware should be doable":https://libreplanet.org/wiki/Group:Hardware/Freest/e-readers/Aura_H2O_Edition_2#WiFi_firmware

h3. TODO

* Coordinate the work with the "Libreplanet wiki":https://libreplanet.org/wiki/Group:Hardware/ReverseEngineering#WiFi.2FBluetooth_chips_for_Smartphones_and_Tablets

* Look into Broadcom chipset reverse engineering tools like "nexmon":https://github.com/seemoo-lab/nexmon . Since Broadcom chipsets have Bluetooth support on the same chip it is also worth to look into tools such as "InternalBlue":https://github.com/seemoo-lab/internalblue.

h2. Internal WiFi chips on devices currently targeted by Replicant

h2. External Wifi solution

Most/All Replicant supported devices support USB OTG. With the proper (standard) cable, the USB port of the device can do USB host.

However devices differ a lot in the number of Milli-ampers they can deliver through that USB port. Some phones also have USB host enabled by default in their kernel configuration, and some other require patching the kernel.

On Replicant kernels, USB WiFi drivers are probably not compiled in by default. So you will also need to recompile.

Information about currently supported WiFi adapters for Replicant 6.0 can be found here: https://redmine.replicant.us/projects/replicant/wiki/WiFiAdapter

|_. Device |_. Chips involved |_. Replicant 6 Kernel |_. Max mA |

| Galaxy Nexus | TWL6040 | 3.0.101 | 500mA ("tuna_set_vbus_drive in board-tuna-connector.c":https://git.replicant.us/replicant/kernel_samsung_tuna/tree/arch/arm/mach-omap2/board-tuna-connector.c#n260 ) |

| Galaxy S III (I9300) |/3. "MAX77693":https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4412-midas.dtsi#n131 with the "ESAFEOUT1 regulator":https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4412-midas.dtsi?h=v5.1#n401 |/5. 3.0.101 |/3. * Datasheet not found

* The upstream driver doesn't have the information

* Downstream drivers might have some information about how much mA ESAFEOUT1 can deliver |

| Galaxy S III 4G (I9305) |

| Galaxy Note 2 |

| Galaxy Note |

| Galaxy S 2 | MAX8997 with the SAFEOUT1 regulator "[1]":https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/mach-u1.c#n3486 "[2]":https://git.replicant.us/replicant/kernel_samsung_smdk4412/tree/arch/arm/mach-exynos/sec-switch_max8997.c#n61 | * Datasheet not found

* The upstream driver doesn't have the information

* Downstream drivers might have some information about how much mA SAFEOUT1 can deliver |

| Galaxy Tab 2 7.0 | | | ? |

| Galaxy Tab 2 10.1 | | | ? |

| GTA04 | | |

| Galaxy S | | |

| Nexus S | | |

| Optimus Black | |

See #1926 for pointers on how to find the missing information for the Maxim Power Management ICs (PMICs).