The thing that gave me hope is that using one of the reverse-engineered drivers, at least a 2.4GHz interface is accessible, so I would think the other interface is possible to get up, the 5GHz is a mini-pcie too?
Save yourself time, and swap it out ...
1 Like
I mean. Yes that would be most easiest. But I want to explore the world of binary/driver reverse engineering. I mean I could get the stock firmware and get the files for the driver and try and reverse it.
sure, if that's the goal, knock yourself out 
Speaking of adding support. I should make a TOH for this device. Um how would I go about it? I'm still a noob at this.
You apply for an account to edit the wiki.
Thank you for the information. I will post more information as I get more into this porting of this router!
Do keep in mind, for your efforts to be useful, they need to be based on master. Security wise, 14.07 is Swiss cheese. Between the kernel your OEM used with that OpenWrt based SDK and 5.15 or 6.0 is quite a delta.
Also keep in mind you will not see anything involving binary blobs merged, unless they are freely distributable with Broadcom's permission.
1 Like
Definitely. I will be on the master branch. And be pulling as frequently as I can to get the freshest code base.
Also I retrieved an old GPL archive for this router. I hope it might aid me. I'll extract it when I have the time.
The mainline kernel has been burned with tiacx in the past, so they do insist on clean-room development, with clearly separated teams for reverse engineering to write documentation and the driver developers writing new code.
So. Here's my plan. There's a leaked source of WL, I asked my friend who's fluent in C++ to read it. Um. I told him to write a specification for me to code in. What does that exactly mean? I know that we at least need 2 people to keep the code-base clean. What info must he give me in order to code a brand new driver?
Hey all! I found something interesting. So it has a Web interface for flashing. When I flash an OEM firmware from DLink. It does a sort of signature checking with TRX file. Will post output of serial console later. For the custom Openwrt image I built (very basic) it also does some signature check. But it fails and says program anyway.
CFE version 6.30.39.2001 (r334376) based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Mon Jul 16 13:56:31 CST 2012 (michael_lee@Porsche)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
Boot partition size = 327680(0x50000)
Found an ST compatible serial flash with 256 64KB blocks; total size 16MB
bcm_robo_enable_switch: EEE is disabled
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.30.39.2001 (r334376)
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes
CFE mem: 0x80700000 - 0x807A57C0 (677824)
Data: 0x8073AA10 - 0x8073DDC0 (13232)
BSS: 0x8073DDC0 - 0x8073F7C0 (6656)
Heap: 0x8073F7C0 - 0x807A37C0 (409600)
Stack: 0x807A37C0 - 0x807A57C0 (8192)
Text: 0x80700000 - 0x8073AA08 (240136)
Board Name: WRGAC01
SVN revision: 668
We disable the arp for self.
We disable the arp for self.
Device eth0: hwaddr [Redacted], ipaddr 192.168.0.1, mask 255.255.255.0
gateway not set, nameserver not set
Loader Go ...........
CFE> runtime code
trx_validate_seama size 63102e
verify_seama: data=0x8073a4a0, size=-2139465792
TRX file size = 6492160
boot from bcm trx
HEADER error ,just write the image
Programming...done. 6492160 bytes written
This output from the serial console is from when flashing the OpenWRT image
CFE version 6.30.39.2001 (r334376) based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Mon Jul 16 13:56:31 CST 2012 (michael_lee@Porsche)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
Boot partition size = 327680(0x50000)
Found an ST compatible serial flash with 256 64KB blocks; total size 16MB
bcm_robo_enable_switch: EEE is disabled
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.30.39.2001 (r334376)
CPU type 0x19749: 600MHz
Tot mem: 131072 KBytes
CFE mem: 0x80700000 - 0x807A57C0 (677824)
Data: 0x8073AA10 - 0x8073DDC0 (13232)
BSS: 0x8073DDC0 - 0x8073F7C0 (6656)
Heap: 0x8073F7C0 - 0x807A37C0 (409600)
Stack: 0x807A37C0 - 0x807A57C0 (8192)
Text: 0x80700000 - 0x8073AA08 (240136)
Board Name: WRGAC01
SVN revision: 668
We disable the arp for self.
We disable the arp for self.
Device eth0: hwaddr 00-90-4C-0D-B0-18, ipaddr 192.168.0.1, mask 255.255.255.0
gateway not set, nameserver not set
Loader Go ...........
CFE> runtime code
trx_validate_seama size 9e30be
verify_seama: data=0x8073a4a0, size=-2139465792
SEAMA ==========================================
magic : 5ea3a417
meta size : 36 bytes
meta data : signature=wrgac01_dlob.hans_dir865
meta data :
image size : 0 bytes
verify_seama: signature=[wrgac01_dlob.hans_dir865], type=[(null)]
================================================
SEAMA ==========================================
magic : 5ea3a417
meta size : 36 bytes
meta data : dev=/dev/mtdblock/1
meta data : type=firmware
meta data :
meta data :
image size : 10367008 bytes
verify_seama: signature=[wrgac01_dlob.hans_dir865], type=[firmware]
checksum : E2FD8DE98AF176C1808572DD778C5CBE
digest : E2FD8DE98AF176C1808572DD778C5CBE
Selected !!!
================================================
boot form seama
Copy SEAMA with header (from 0x807a57f0).
Programming...done. 10367072 bytes written
This is with the uploading of OEM firmware.
Hmm what is SEAMA
Okay. So the absolute latest 1.09 firmware dumps you to a login prompt. The 1.07SHC firmware gives you a root shell. Wow. They improved?
With B43 I am able to get the BCM 4331 interface up. Even though its only a b/g device even though its n capable. Let's see what's going on here. I'll post my config up here tmr.