Libertas/WLAN hacking as done in DA's MacSpoofer

[crazyc]

Damn, sony are so lazy :)

Cheap, if you ask me. They couldn't do the right thing and use SD. Instead they had to eat their own dogfood to save a few pennies, even though it tastes like crap. BTW, before anyone gets any ideas about a MSIO usb host controller, i've only found one device which actually uses MSIO, and it's a wlan adapter.

[cloudhunter]

Damn, sony are so lazy :)

Cheap, if you ask me. They couldn't do the right thing and use SD. Instead they had to eat their own dogfood to save a few pennies, even though it tastes like crap.

Nah... You know Sony :) Rather than go for the most supported memory, you have to use the chance to sell your own Memory Stick Duo's ;)

That Wifi stick seems interesting - so there is a chance that the memory stick could be used to connect an external device.

Cloudy

[adrahil]

Their choice is not to save money :) Why do you think there is a fatty mgr.prx around up from 1.0? :) Well, their scheme uses MagicGate (memory-stick binding) for various content.... It's more of a security question, as the SD controllers are trivial to use and do not posess any such scheme.

[KickinAezz]

Donot want to ask but,
Is the possibility of 54g being investigated?

Like others said, it would be homebrew's best and greatest hack! Not to mention massive speed improvement. :D

[adrahil]

Well, I'm now investigating how the data moves around, right now :) (I guess DMA, otherwise we're locked at 3Kb/s at the maximum) The problem is that we need to modify the marvell firmware which is included (magpie or voyager) in order to achieve G... And for this, it's needed to know more about how the chip works, etc.

[KickinAezz]

Any updates?

[KickinAezz]

From Marvel docs:



HwSpec->FwCapabilityInformation returns
0x1000e59f.

Does it(firmware) mean it supports 802.11g based on bit 9?

[adrahil]

It is possible ;) But the problem is that sony have remapped some of the bits at their willing... The documentation is for the official marvell firmware. Sony only use a custom subset of it, based on some sloppy implementation. (I am talking about magpie/voyager)

[KickinAezz]

It is possible ;) But the problem is that sony have remapped some of the bits at their willing... The documentation is for the official marvell firmware. Sony only use a custom subset of it, based on some sloppy implementation. (I am talking about magpie/voyager)

I would be ecstatically jubiliant if you confirm you are still working on this project of Utopian scale :D

[jimparis]

0x1000e59f & (1 << 9) is of course 0, so the answer is "no" unless they've moved bits around like adrahil says..

[KickinAezz]

0x1000e59f & (1 << 9) is of course 0, so the answer is "no" unless they've moved bits around like adrahil says..

Yeah.

[KickinAezz]

Any progress updates on 54g/ Magpie Voyager hacks?
**Eyes wide open w/excitement**

[crazyc]

Any progress updates on 54g/ Magpie Voyager hacks?
**Eyes wide open w/excitement**

I personally don't believe this will be possible. There's documentation showing the RF chip supports OFDM, but nothing for the MAC. Even if it does, it's probable the firmware was written specifically for the PSP and may lack support for 802.11g.

[crazyc]

Like the 88w8388 described at OLPC, the 88w8381 in the fat psp has a built in ROM mapped at 0xfff00000, but it's only 32KB rather then 128KB. If anyone is interested in dumping it, I can post the details.

[KickinAezz]

Like the 88w8388 described at OLPC, the 88w8381 in the fat psp has a built in ROM mapped at 0xfff00000, but it's only 32KB rather then 128KB. If anyone is interested in dumping it, I can post the details.

I am willing to.

What is 88w388 and OLPC?

[crazyc]

I am willing to.

You misunderstand, I know it works. I just want to know if anyone else is working on reverse engineering the wlan interface and chip wants to dump the builtin ROM.

[KickinAezz]

I am willing to.

You misunderstand, I know it works. I just want to know if anyone else is working on reverse engineering the wlan interface and chip wants to dump the builtin ROM.

I will try checking the dump myself. Could you post those details?

I think PSP is hacked sufficiently enough. Only thing left is this.

I have previous experiencing playing with NVRAM variables in routers :D

[crazyc]

I will try checking the dump myself. Could you post those details?

I think PSP is hacked sufficiently enough. Only thing left is this.

I have previous experiencing playing with NVRAM variables in routers :D

Actually, the AVC hasn't been figured out yet ether, but that is even harder. Anyway, if you want to know.

1) in psplink (1.5 kernel only) with the wlan switch off do

Code: Select all

pokew 0x88196474 0x46c06841
pokew 0x8818df48 0x46c046c0

(hopefully these address will be the same)

2) switch on the wlan and do

Code: Select all

thsusp @SceWlanMac
thsusp @SceWlanHal

3) run this program

Code: Select all

#include <pspkernel.h>
#include <pspdebug.h>

PSP_MODULE_INFO&#40;"wlan_test", 0x1000, 1, 1&#41;;
PSP_MAIN_THREAD_ATTR&#40;0&#41;;

/* IO_MEM_STICK_CMD = EX_SET_CMD | 0x7
 * buf&#91;0&#93; = 0xb4 read, 0xb3 write
 * buf&#91;1&#93; = size >> 8
 * buf&#91;2&#93; = size
 * buf&#91;3&#93; = address >> 24
 * buf&#91;4&#93; = address >> 16
 * buf&#91;5&#93; = address >> 8
 * buf&#91;6&#93; = address
 * buf&#91;7&#93; = 0
 * address is offset + 0xc0000000 in arm address space, read only
 * except 0x100 which is a special case
 */

// HW registers
#define IO_MEM_STICK_CMD *&#40;&#40;volatile int*&#41;&#40;0xBD300030&#41;&#41;
#define IO_MEM_STICK_DATA *&#40;&#40;volatile int*&#41;&#40;0xBD300034&#41;&#41;
#define IO_MEM_STICK_STATUS *&#40;&#40;volatile int*&#41;&#40;0xBD300038&#41;&#41;
#define IO_MEM_STICK_SYS *&#40;&#40;volatile int*&#41;&#40;0xBD30003C&#41;&#41;

// STATUS bit 
#define MS_FIFO_RW     0x4000
#define MS_RDY         0x1000
#define MS_TIME_OUT    0x0100
#define MS_CRC_ERROR   0x0200

// MS command code
#define READ_PAGE_DATA  0x2000
#define READ_REG        0x4000
#define READ_IO_DATA	0x5000
#define GET_INT         0x7000
#define SET_RW_REG_ADRS 0x8000
#define EX_SET_CMD      0x9000
#define WRITE_IO_DATA	0xA000
#define WRITE_REG       0xB000
#define WRITE_PAGE_DATA 0xD000
#define SET_CMD         0xE000

// MS status bit
#define INT_REG_CED   0x80
#define INT_REG_ERR   0x40
#define INT_REG_BREQ  0x20
#define INT_REG_CMDNK 0x01

#define swap_binh&#40;out, in&#41;	__asm__&#40; "wsbh %0, %1\n"	\
					 "rotr %0, %0, 16\n"	\
					&#58;"=r"&#40;out&#41;&#58;"r"&#40;in&#41;&#41;;

typedef struct  &#123;
	uint16_t CmdCode;
	uint16_t Size;
	uint16_t SeqNum;
	uint16_t Result;
	uint16_t Action;
	uint16_t Offset;
	uint32_t Value;
&#125; libertas_mac_reg;

static int ms_get_reg_int&#40;void&#41;
&#123;
  int ret, dummy, status;

  IO_MEM_STICK_CMD = GET_INT | 0x1;

  do&#123;
    status = IO_MEM_STICK_STATUS;
    if&#40;status & MS_TIME_OUT&#41;
    &#123;
#if SHOW_ERR_MSG
Kprintf&#40;"err&#58;get_reg_int timeout\n"&#41;;
#endif
	 return -1;
	&#125;
  &#125;while&#40;!&#40;status & MS_FIFO_RW&#41;&#41;;

  ret = IO_MEM_STICK_DATA;
  dummy = IO_MEM_STICK_DATA;

  do&#123;
    status = IO_MEM_STICK_STATUS;
    if&#40;status & MS_TIME_OUT&#41;
    &#123;
#if SHOW_ERR_MSG
Kprintf&#40;"err&#58;get_reg_int timeout\n"&#41;;
#endif
	 return -1;
	&#125;
  &#125;while&#40;!&#40;status & MS_RDY&#41;&#41;;

  return ret & 0xff;
&#125;

int buf&#91;4&#93;;
int bigbuf&#91;&#40;32*1024&#41;/4&#93;;

void busy_wait&#40;int mask&#41;
&#123;
	int i;
	while&#40;!&#40;IO_MEM_STICK_STATUS & mask&#41;&#41;  sceKernelDelayThread&#40;1000&#41;;
&#125;

int main&#40;&#41;
&#123;
	int count, i;

	libertas_mac_reg *reg = &#40;libertas_mac_reg *&#41;&buf;
	
	reg->CmdCode = 0x19;
	reg->Size = sizeof&#40;libertas_mac_reg&#41;;
	reg->SeqNum = 0;
	reg->Result = 0;
	reg->Action = 0;
	reg->Offset = 0;
	reg->Value  = 0xfff00000;

	for&#40;count = 0; count < &#40;&#40;32*1024&#41;/4&#41;; count++&#41;
	&#123;
		printf&#40;"%d\n", count&#41;;
		busy_wait&#40;0x1000&#41;;
		IO_MEM_STICK_CMD = EX_SET_CMD | 7;
		busy_wait&#40;0x4000&#41;;
		IO_MEM_STICK_DATA = 0xb4 | &#40;&#40;sizeof&#40;libertas_mac_reg&#41; >> 8&#41; << 8&#41; | &#40;&#40;sizeof&#40;libertas_mac_reg&#41; & 0xff&#41; << 16&#41;;	//0x001000b4
		busy_wait&#40;0x4000&#41;;
		IO_MEM_STICK_DATA = 0x100;
		busy_wait&#40;0x2000&#41;;
		//while&#40;!&#40;ms_get_reg_int&#40;&#41; & 0x20&#41;&#41;;
		IO_MEM_STICK_CMD = WRITE_IO_DATA | sizeof&#40;libertas_mac_reg&#41;;
		busy_wait&#40;0x4000&#41;;
		swap_binh&#40;IO_MEM_STICK_DATA, buf&#91;0&#93;&#41;;	//0x19001000
		busy_wait&#40;0x4000&#41;;	
		swap_binh&#40;IO_MEM_STICK_DATA, buf&#91;1&#93;&#41;;	//0
		busy_wait&#40;0x4000&#41;;
		IO_MEM_STICK_DATA = __builtin_allegrex_wsbw&#40;buf&#91;2&#93;&#41;;	//0
		busy_wait&#40;0x4000&#41;;
		IO_MEM_STICK_DATA = __builtin_allegrex_wsbw&#40;buf&#91;3&#93;&#41;;	//0
		busy_wait&#40;0x2000&#41;;
		while&#40;!&#40;ms_get_reg_int&#40;&#41; & INT_REG_CED&#41;&#41; sceKernelDelayThread&#40;1000&#41;;
		IO_MEM_STICK_CMD = EX_SET_CMD | 7;
		busy_wait&#40;0x4000&#41;;
		IO_MEM_STICK_DATA = 0xb3 | &#40;&#40;sizeof&#40;libertas_mac_reg&#41; >> 8&#41; << 8&#41; | &#40;&#40;sizeof&#40;libertas_mac_reg&#41; & 0xff&#41; << 16&#41;;	//0x001000b3
		busy_wait&#40;0x4000&#41;;
		IO_MEM_STICK_DATA = 0x100;
		busy_wait&#40;0x2000&#41;;
		//while&#40;!&#40;ms_get_reg_int&#40;&#41; & 0x20&#41;&#41;;
		IO_MEM_STICK_CMD = READ_IO_DATA | sizeof&#40;libertas_mac_reg&#41;;
		busy_wait&#40;0x4000&#41;;
		i = IO_MEM_STICK_DATA;
		busy_wait&#40;0x4000&#41;;
		i = IO_MEM_STICK_DATA;
		busy_wait&#40;0x4000&#41;;
		i = IO_MEM_STICK_DATA;
		busy_wait&#40;0x4000&#41;;
		bigbuf&#91;count&#93; = __builtin_allegrex_wsbw&#40;IO_MEM_STICK_DATA&#41;;
		reg->Value+=4;
	&#125;
	
	sceKernelSleepThread&#40;&#41;;

	return 0;
&#125;

4) in psplink do

Code: Select all

savemem 0x890DF4C 0x8000 wlan_builtin_rom

[KickinAezz]

Will try ASAP.

[KickinAezz]

The builtin rom seems to be a Plain module? No NVRAM vars or anything.

Any people could probably do/find something incredible out of this:
Prxtool disassembly Output

THERE IS NO COPYRIGHT LINE in the module, Can I post the binary here?

[crazyc]

THERE IS NO COPYRIGHT LINE in the module, Can I post the binary here?

Huh? What about "Copyright (c) 1996-2001 Express Logic Inc. * ThreadX THUMB/ARM9 Version G4.0.4.0 *". It's not a Marvell copyright but nonetheless...

Prxtool disassembly Output

prxtool is only for psp prx's. Not only is the WLAN ROM not a prx, it's not even MIPS.

BTW, the mac hardware registers strongly suggest no 802.11g support.

[KickinAezz]

THERE IS NO COPYRIGHT LINE in the module, Can I post the binary here?

Huh? What about "Copyright (c) 1996-2001 Express Logic Inc. * ThreadX THUMB/ARM9 Version G4.0.4.0 *". It's not a Marvell copyright but nonetheless...

Prxtool disassembly Output

prxtool is only for psp prx's. Not only is the WLAN ROM not a prx, it's not even MIPS.

Oops I tried it from PBP which might have overwritten everything from 0x8900000.

Result: It dumped itself xD

[KickinAezz]

crazyc,
Could you post the makefile?

I tried 2 ways to run it.
1: as a prx. I get a blank 32k.
2: As a pbp. What I get is NOT even close to your's and I donot see any Copyright line.

I highly hope to have a chance to look at my own psp's wlan rom.

EDIT: I do it from CFW 3.90 under 1.50 kernel, could it be a problem?

[KickinAezz]

crazyc,
Could you post the makefile?

I tried 2 ways to run it.
1: as a prx. I get a blank 32k.
2: As a pbp. What I get is NOT even close to your's and I donot see any Copyright line.

I highly hope to have a chance to look at my own psp's wlan rom.

EDIT: I do it from CFW 3.90 under 1.50 kernel, could it be a problem?

Post unnoticed?

[crazyc]

crazyc,
Could you post the makefile?

I tried 2 ways to run it.
1: as a prx. I get a blank 32k.
2: As a pbp. What I get is NOT even close to your's and I donot see any Copyright line.

I highly hope to have a chance to look at my own psp's wlan rom.

EDIT: I do it from CFW 3.90 under 1.50 kernel, could it be a problem?

Post unnoticed?

Missed this. The instructions assumed that the bigbuf variable would be in the same place when anyone else complied it. That isn't true of course. Do

Code: Select all

psp-objdump -t wlan_test |grep bigbuf

to the unstripped binary to get the savemem address.

[KickinAezz]

Missed this. The instructions assumed that the bigbuf variable would be in the same place when anyone else complied it. That isn't true of course. Do

Code: Select all

psp-objdump -t wlan_test |grep bigbuf

to the unstripped binary to get the savemem address.

Still no Success.

Steps:
1) With WLAN off, I do %prepinit which does:

Code: Select all

pokew 0x88196474 0x46c06841
pokew 0x8818df48 0x46c046c0

2) I wait a few seconds. Turn on WLAN switch and do %preppost which does:

Code: Select all

thsusp @SceWlanMac
thsusp @SceWlanHal

3) Then wait a few seconds. Then type ./wlanromdump/wlanromdump.elf

4) Then I double checke the address given by printf("%p",&bigbuf); and
psp-objdump -t wlanromdump.elf |grep bigbuf
Both give me 0x891590c.

5)When I do

Code: Select all

savemem 0x891590c 0x8000 wlanrom

I get a text file with all 00's; an empty 32 kb.

I tried:
1) Disabling optimization "-o0" flag
2) Trying again and again.

Any ideas?

--

Could you try the elf in the below package and see it still works for you? If it does, I have done something wrong.

http://www.sendspace.com/file/w7iqi3

-

Is your PM box full?

[crazyc]

Any ideas?

Do

Code: Select all

modinfo @sceWlan_Driver

in psplink and post what it prints.

[KickinAezz]

Any ideas?

Do

Code: Select all

modinfo @sceWlan_Driver

in psplink and post what it prints.

Code: Select all

UID: 0x029B5539 Attr: 1006 - Name: sceWlan_Driver
Entry: 0x881875C8 - GP: 0x881B9CE0 - TextAddr: 0x88187500
TextSize: 0x00013C9C - DataSize: 0x00016B40 BssSize: 0x00000093
Segment 0: Addr 0x88187500 - Size 0x00013CA8
Segment 1: Addr 0x8819B1B0 - Size 0x00016B40

[crazyc]

Steps:
1) With WLAN off, I do %prepinit which does:

Code: Select all

pokew 0x88196474 0x46c06841
pokew 0x8818df48 0x46c046c0 

Change these to

Code: Select all

pokew 0x8819B1B0+0x89C4 0x46c06841
pokew 0x8819B1B0+0x498 0x46c046c0

I hoped that the kernel would load the same with all versions of 1.5 compatibility mode, but i guess not.

[KickinAezz]

Steps:
1) With WLAN off, I do %prepinit which does:

Code: Select all

pokew 0x88196474 0x46c06841
pokew 0x8818df48 0x46c046c0 

Change these to

Code: Select all

pokew 0x8819B1B0+0x89C4 0x46c06841
pokew 0x8819B1B0+0x498 0x46c046c0

I hoped that the kernel would load the same with all versions of 1.5 compatibility mode, but i guess not.

I do see the Express Logic line, but it isn't at the end of the file; it's @ offsett 0x530a [in the middle of the file], Is it normal, or did I get get the partial rom

You said MAC registers strongly suggest no 54g compatibility, But I donot see any plain text?
OK, I see it "Marvell 88W8300 802.11b PC Card Version 1.1" My unlucky PSP :(

--

However, there's hope for others with Marvell 88w8010 :D

The 88W8010 is an upgraded (802.11g) version of 88W8000 (which only supports 802.11b). So this chip is fine. The one in question is 88W8380. If it is based on 88W8300, then it only supports 802.11b. But if it is based on 88W8310, then it is 802.11g capable (54Mbps, about five times faster than 11Mbps of 802.11b). The 88W8310 chip also support 802.11i and 802.11e, which is AES (WPA) and QoS (quality of service). Maybe someone has more info on the 88W8380 chip. If it is based on 88W8310 (not 88W8300), then the PSP actually supports 802.11g, but not activated.