Outdated Cypress/Infineon brcmfmac firmware for Raspberry Pi 4 in OpenWrt 21.02.1

drone424 · January 16, 2022, 3:40am

tl;dr: Are there plans to update the aging brcmfmac43455-sdio (version 7.45.206 dated Mar 23, 2020) in OpenWrt, and is it safe to use given Kr00k, FragAttacks and other vulnerabilities announced since the Mar 2020 firmware date? If not, will the latest version from Cypress/Infineon (7.45.234) or RPi-Distro (7.45.241) work if updated in OpenWrt manually (on the Raspberry Pi 4B)?

I've recently started using OpenWrt with a Raspberry Pi 4B (BCM2711 64-bit) configured in dumb AP mode. So far it's working fine.

However, the firmware loaded for the BCM43455 (CYW43455) wireless chip (brcmfmac43455-sdio) is version 7.45.206 dated Mar 23, 2020. Now it's nearly 2 years old and may have restrictions, bugs, and possibly security vulnerabilities that have been fixed in more recent versions released by Cypress/Infineon. As far as I can tell, the latest firmware release is from May 2021:
https://github.com/Infineon/ifx-linux-firmware/blob/master/firmware/versions

Chip: 43455
File: firmware/cyfmac43455-sdio.bin
Version: 7.45.234
2021_0520 Release

And Raspberry Pi OS (Bullseye) seems to incorporate the following, likely with platform-specific customizations:
https://github.com/RPi-Distro/firmware-nonfree/blob/bullseye/debian/config/brcm80211/defines

[cypress/cyfmac43455-sdio.bin_base]
desc: Cypress CYW43455-SDIO firmware
version: 7.45.241

But the Master branch of OpenWrt still lists the older version, pulled from the forums, which makes me wonder when OpenWrt will change the version (and perhaps the PKG_SOURCE_URL to Infineon's Github?):
https://github.com/openwrt/openwrt/blob/master/package/firmware/cypress-firmware/Makefile

PKG_NAME:=cypress-firmware
PKG_VERSION:=v5.4.18-2020_0402
PKG_RELEASE:=3
PKG_SOURCE_UNZIP:=cypress-firmware-$(PKG_VERSION).tar.gz
PKG_SOURCE:=cypress-fmac-$(PKG_VERSION).zip
PKG_SOURCE_URL:=https://community.cypress.com/gfawx74859/attachments/gfawx74859/resourcelibrary/1016/1/

It seems like updating the firmware manually is possible just by replacing the firmware files in /lib/firmware/brcm, but SHOULD I DO IT? Are there technical compatibility issues with OpenWrt and the later versions of the firmware, assuming they've been tested? Would it be best to use the Infineon firmware or the Raspberry Pi specific version from RPi-Distro?

I've also heard there may be licensing reasons preventing use of the latest firmware in OpenWrt. Not sure if that's true for the 43455 chip.

I'm new to Linux development, and I'm trying to piece all this together from info on webpages and forums.

I may be missing something obvious, but I just wanted confirmation that it's safe to continue using my AP.

BTW, I'd like to stick with OpenWrt stable, release builds only, or build my own if absolutely necessary to package firmware that's not vulnerable. I'd prefer not to switch to DD-WRT just to get better Cypress/Infineon firmware support as suggested here, though, that may be ending anyway.

Thanks in advance for your time/help.

Pepe · March 26, 2022, 8:39pm

Yes. See my comment within this issue:

github.com/openwrt/openwrt

cypress-firmware-43455 files need updated for Raspberry Pi 4B

opened 12:36AM - 24 Feb 22 UTC

closed 04:53AM - 27 Oct 23 UTC

owenh000

With OpenWrt 21.02.1 on the Raspberry Pi 4B, I was unable to scan for and connec…t to certain 5 GHz channels. For example, I was able to scan for and connect to an 802.11ac wireless network on channel 44; but when I switched that network to channel 153, OpenWrt was not able to detect it in a scan or connect to it. Also, the logs were flooded with `daemon.warn wpa_supplicant[681]: wlan0: Failed to initiate sched scan`. The problem was fixed after I updated the firmware files in `/lib/firmware/brcm/` using the firmware from the linux-firmware repository: - <https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/cypress/cyfmac43455-sdio.bin> (renamed to `brcmfmac43455-sdio.bin`) - <https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/cypress/cyfmac43455-sdio.clm_blob> (renamed to `brcmfmac43455-sdio.clm_blob`) - <https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/brcm/brcmfmac43455-sdio.raspberrypi,4-model-b.txt> I think the file that needs updated is [package/firmware/cypress-firmware/Makefile](https://github.com/openwrt/openwrt/blob/master/package/firmware/cypress-firmware/Makefile). --- Old, not working: ```console # opkg status cypress-firmware-43455-sdio | grep Version Version: v5.4.18-2020_0402-3 # opkg status cypress-nvram-43455-sdio-rpi-4b | grep Version Version: 2019-09-03-e7b78df2-2 # sha256sum <files> 3eb7d29497280dcd79462c0b45aaebfcc46645a1f9dc5eb64f0531f56bb2eb9a brcmfmac43455-sdio.bin c4195e23573d1d4ef3a95a54147ce6dfe57c73885d47db71d461db02b560a8a1 brcmfmac43455-sdio.clm_blob d90ac57cf01e9334ef1bce30f2cb00460ce910d8417ff7ba6cfa460212bd7573 brcmfmac43455-sdio.raspberrypi,4-model-b.txt # dmesg | grep 'Firmware: BCM4345/6' [ 7.656938] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6 wl0: Mar 23 2020 02:20:01 version 7.45.206 (r725000 CY) FWID 01-febaba43 ``` New, working: ``` # sha256sum <files> d408faa9d0d5b1a2f9912dcea53ab0be48217288e398406d117f0edafe7c3edd brcmfmac43455-sdio.bin 15f50a27020b263d1bea215c8f68d0550d912932d1d9ef19ffd59f18d82dd460 brcmfmac43455-sdio.clm_blob edb6f4e4fb19e18940004124feb4ffe160d72fc607243a07a4480338a28b2748 brcmfmac43455-sdio.raspberrypi,4-model-b.txt # dmesg | grep 'Firmware: BCM4345/6' [162004.725511] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6 wl0: Apr 15 2021 03:03:20 version 7.45.234 (4ca95bb CY) FWID 01-996384e2 ``` See also: <https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi#updating_the_wifi_firmware> Thank you for your work on OpenWrt.