I used binwalk to extract squashfs and simply used script on that
Thanks.
I extracted
binwalk -eM ...
and then I had to
unsquashfs
again, to look into the file system.
Under /etc/ there are some fwf files, e.g., ipq4000L-6.43.12.fwf.
But there is the kernel module? I can not find the wireless driver under /lib/modules/3.3.5/?
You could have simply used binwalk -e and it would have extracted the squashfs also.
FW files are under /bndl/wireless/lib/firmware
But you need to check bootlog/debug output in ROS to see which file is loaded for you
1 Like
Okay, interesting files:
wil6210.fwwil6210-lhg-span2.8.brdwil6210-lhg-span2.8.msgwil6210-wap60g-60deg.brdwil6210-wap60g-60deg.msgwil6210-wap60g-omni.brdwil6210-wap60g-sa-dir.brdwil6210-wap60g-sa-omni.brd
Which boardfile did u use?
Do I have access in normal ROS to bootlog/debug? (I will try in a couple of minutes myself...)
I will try install Ghidra and look for the seed. Is it easy to find it?
Actually, If I want serial access, can I just solder there a DB9 male connector? Or what is this SPI + UART?
There is UART on that SPI+UART pad header.
Pinout is known: Support for Mikrotik Hap AC2
LHGG uses wil6210-lhg-span2.8.brd but I have no idea which one is used by your wap60g model, you need to dig that out from support file(That's the easiest as a most likely part of bootlog with that will be captured)
Also, for UART you need to modify the hard_config options.
Its not really easy to spot the seed as there is only one function linking to the one that does the decryption and that contains the seed.
You can use the one provided with ROS 6.43.12
1 Like
1970.01.08-21:36:46.37@1: WilDev/wil0/wlan60-1: applyConfig 1 lhg60-dk RBwAPG-60ad wAP 60G
1970.01.08-21:36:46.37@1: WilDev/wil0/wlan60-1: fw: /pckg/wireless/lib/firmware/wil6210.fw
1970.01.08-21:36:46.82@1: WilDev/wil0/wlan60-1: bf: /pckg/wireless/lib/firmware/wil6210-production-SWL14R3-WAPG60-10330.brd
Thanks to https://github.com/farseeker/go-mikrotik-rif 
The call in ROS is different
1970.01.08-21:36:47.15@0: wil6210 0000:01:00.0: wil0: wmi_call(0x080e->0x180e) timeout 20 msec
Ah okay. File is existing in 6.41.2.
1970.01.08-22:49:57.69@3: WilDev/wil0/wlan60-1: applyConfig lhg60-dk RBwAPG-60ad wAP 60G
1970.01.08-22:49:57.69@3: WilDev/wil0/wlan60-1: fw: /pckg/wireless/lib/firmware/wil6210.fw
1970.01.08-22:49:57.98@3: WilDev/wil0/wlan60-1: bf: /pckg/wireless/lib/firmware/wil6210-wap60g-60deg.brd
Thanks a lot for your help! I will try this boardfile and see if the image will work! 
Acutally, If I decrypt wil6210-lhg-span2.8.brd and put it under /lib/firmware/ with the seed 0x967e9839, it fails with:
Fri Dec 20 15:39:08 2019 kern.err kernel: [ 928.103612] wil6210 0000:01:00.0 wlan0: wil_fw_verify: ERR[ FW ]checksum mismatch: calculated for 3588 bytes 0x6b37878a != 0xd414aa93
Can't I replace the boardfile like that?
Edit: Oh, you had the same problem. ^^
You can simply edit the checksum in the board file header and kernel driver would accept it.
Its normal as Mikrotik patches the file after being loaded and ignores the header.
Sry, if I use the state 0x58cfa159 and decrypt the brd-file, the error is
Fri Dec 20 16:09:19 2019 kern.err kernel: [ 2738.428602] wil6210 0000:01:00.0 wlan0: wil_fw_verify: ERR[ FW ]no file header
0x58cfa159 is the state u mentioned in the other thread, or? Which language do I have to use in Ghidra (Armv7?).
Could u maybe be a bit more precisely?
0x967e9839 in the script only applies to ROS 6.43.12, if you use that SEED for any other version you will not get a correct file.
Yeah, ARMv7 Little Endian, you need to look into the wireless binary.
Checksum is part of the board file header, you can find it after version info.
Simply search for the CRC that is calculated by driver(Its big endian so ordering is reverse from x86).
Thanks! Now your file works!
#!/usr/bin/env python3
import struct
import sys
import codecs
"""
struct wil_fw_record_file_header {
__le32 signature ; /* Wilocity signature */
__le32 reserved;
__le32 crc; /* crc32 of the following data */
__le32 version; /* format version */
__le32 data_len; /* total data in file, including this record */
u8 comment[32]; /* short description */
} __packed;
"""
brd = open(sys.argv[1], 'rb').read()
unpacked = struct.unpack('<IIIII',brd[0:20])
print("Signature: %x, Reserved: %x, Length: %x Version: %x, CRC: %x" % unpacked)
unpackedlist = list(unpacked)
unpackedlist[4] = 0x6b37878a # TODO change the value to CRC one
packed = struct.pack('<IIIII',unpackedlist[0],unpackedlist[1],unpackedlist[2],unpackedlist[3],unpackedlist[4])
open(sys.argv[2], 'wb').write(packed + brd[20:])
I don't get it, why it is so weird packed and the crc not at the position that is given in the sruct? I will try another boardfile now... 
Nope. 
Using the original brd file that ROS in version 6.43.12 uses does not work. Same error as before. And using the firmware, also does not work
Fri Dec 20 18:27:26 2019 kern.err kernel: [11025.448338] wil6210 0000:01:00.0 wlan0: wil_fw_verify: ERR[ FW ]no file header
Should I just copy the fw header of the original?
You can quickly know if the extracted file is okay or not, simply open it with a hex editor and search for 0x36323130 magic and the version number in ASCII.
You cant copy the header as the most likely file you extracted is incorrect, the only thing that should be wrong is CRC, everything else needs to be correct.
But in little endian or? So 3130 3632? xD
Then the number is correct in the extracted file.
No, its 30 31 32 36.
If thats correct, then you did not correct the CRC correctly, but rather messed something else in the header.
Simply do it manually as kernel will tell you the CRC value it expects.
Ah okay. hexdump -C ...Yeah the number is correct...
My code seems to work?
If it matches I would guess that it does
Could u give me a dmesg output how a sucessfull start of hostapd with wil6210 looks like?
Initializing the wifi
wil6210 0000:01:00.0: wil6210 device found [1ae9:0310] (rev 2) bar size 0x200000
wil6210 0000:01:00.0: enabling device (0140 -> 0142)
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_pcie_probe: CSR at [mem 0x40400000-0x405fffff 64bit] -> 0x(ptrval)
urngd: v1.0.1 started.
wil6210 0000:01:00.0: Direct firmware load for wil6210_sparrow_plus.fw failed with error -2
wil6210 0000:01:00.0: Falling back to syfs fallback for: wil6210_sparrow_plus.fw
random: crng init done
firmware wil6210_sparrow_plus.fw: firmware_loading_store: map pages failed
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_set_capabilities: Board hardware is Sparrow D0, flash exist
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_set_capabilities: platform_capa 0x0
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_refresh_fw_capabilities: keep_radio_on_during_sleep (0)
wil6210 0000:01:00.0: using dma mask 48
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_get_bl_info: Boot Loader struct v2: MAC = c4:ad:34:26:32:87 RF = 0x0000 (status 0x0000) bband = 0x00000000
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_get_bl_info: Boot Loader build 255.255.0.7253
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_set_oob_mode: oob_mode to 0
Looks strange to me, that firmware_loading_store: map pages failed...
Routeros:
ipq4019: fw initialized, wait_limit 298, ind 0x80000002
probe_er_radio_data id 8001
probe_er_radio_data id 1
read_radio_data got 0 from 131072
ipq4019_ahb_probe: radio_data_read failed -2
ipq4019_ahb_reset
ipq4019: probe of a000000.wifi failed with error -2
or
add@/devices/soc.0/a000000.wifi
OF_NAME=wifi
OF_TYPE=<NULL>
OF_COMPATIBLE_0=qca,wifi-ipq40xx
OF_COMPATIBLE_N=1
MODALIAS=of:NwifiT<NULL>Cqca,wifi-ipq40xx
add@/devices/soc.0/a800000.wifi
OF_NAME=wifi
OF_TYPE=<NULL>
OF_COMPATIBLE_0=qca,wifi-ipq40xx
OF_COMPATIBLE_N=1
MODALIAS=of:NwifiT<NULL>Cqca,wifi-ipq40xx
Since lspci shows that the driver is okay, the memory mapping is okay, or? Since a000000 and pci@40000000 are different values. But I'm noob at device tree stuff... Device Tree
OpenWrt lspci:
01:00.0 Network controller: Wilocity Ltd. Wil6200 802.11ad Wireless Network Adapter (rev 02)
Subsystem: Wilocity Ltd. Device 0000
Device tree node: /sys/firmware/devicetree/base/soc/pci@40000000/bridge@0,0/wifi@1,0
Flags: bus master, fast devsel, latency 0, IRQ 64
Memory at 40400000 (64-bit, non-prefetchable) [size=2M]
Capabilities: [40] Power Management version 3
Capabilities: [b0] MSI: Enable+ Count=4/4 Maskable- 64bit+
Capabilities: [70] Express Endpoint, MSI 00
Capabilities: [100] Advanced Error Reporting
Capabilities: [148] Latency Tolerance Reporting
Capabilities: [150] L1 PM Substates
Kernel driver in use: wil6210