Support for Mikrotik wAP 60G

Actually, if I decrypt wil6210-lhg-span2.8.brd and put it under /lib/firmware/ with the seed 0x967e9839, it fails with:

Fri Dec 20 15:39:08 2019 kern.err kernel: [  928.103612] wil6210 0000:01:00.0 wlan0: wil_fw_verify: ERR[ FW ]checksum mismatch: calculated for 3588 bytes 0x6b37878a != 0xd414aa93

Can't I replace the boardfile like that?


Edit: Oh, you had the same problem. ^^

You can simply edit the checksum in the board file header and the kernel driver would accept it.
It's normal, as Mikrotik patches the file after it is loaded and ignores the header.

Sry, if I use the state 0x58cfa159 and decrypt the brd-file, the error is

Fri Dec 20 16:09:19 2019 kern.err kernel: [ 2738.428602] wil6210 0000:01:00.0 wlan0: wil_fw_verify: ERR[ FW ]no file header

0x58cfa159 is the state u mentioned in the other thread, or? Which language do I have to use in Ghidra (Armv7?).

Could u maybe be a bit more precise?

0x967e9839 in the script only applies to ROS 6.43.12, if you use that SEED for any other version you will not get a correct file.

Yeah, ARMv7 Little Endian, you need to look into the wireless binary.

Checksum is part of the board file header, you can find it after version info.
Simply search for the CRC that is calculated by the driver (it's big endian, so the ordering is reversed from x86).

Thanks! Now your file works!

#!/usr/bin/env python3
import struct
import sys

"""
struct wil_fw_record_file_header {
	__le32 signature ; /* Wilocity signature */
	__le32 reserved;
	__le32 crc; /* crc32 of the following data  */
	__le32 version; /* format version */
	__le32 data_len; /* total data in file, including this record */
	u8 comment[32]; /* short description */
} __packed;
"""

# In the file this header follows an 8-byte record head (type, flags, size),
# so the crc field is the fifth 32-bit word, at byte offset 16.
with open(sys.argv[1], 'rb') as f:
    brd = f.read()
unpacked = struct.unpack('<IIIII', brd[0:20])
print("Record type/flags: %x, Record size: %x, Signature: %x, Reserved: %x, CRC: %x" % unpacked)
unpackedlist = list(unpacked)
# TODO: set this to the "calculated" CRC from the kernel's checksum-mismatch line
unpackedlist[4] = 0x6b37878a
packed = struct.pack('<IIIII', *unpackedlist)
with open(sys.argv[2], 'wb') as f:
    f.write(packed + brd[20:])

I don't get it, why it is so weirdly packed and the crc not at the position that is given in the struct? I will try another boardfile now... :wink:

Nope. :cry: Using the original brd file that ROS in version 6.43.12 uses does not work. Same error as before. And using the firmware also does not work.

Fri Dec 20 18:27:26 2019 kern.err kernel: [11025.448338] wil6210 0000:01:00.0 wlan0: wil_fw_verify: ERR[ FW ]no file header

Should I just copy the fw header of the original?

You can quickly know if the extracted file is okay or not, simply open it with a hex editor and search for 0x36323130 magic and the version number in ASCII.

You can't copy the header, as most likely the file you extracted is incorrect; the only thing that should be wrong is the CRC, everything else needs to be correct.

But in little endian or? So 3130 3632? xD
Then the number is correct in the extracted file.

No, it's 30 31 32 36.

If that's correct, then you did not correct the CRC correctly, but rather messed something else in the header.
Simply do it manually as kernel will tell you the CRC value it expects.
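
Added example, not part of any post in this thread and not the driver's own code: a check modelled on what wil_fw_verify tests, plus a CRC repair that touches only the checksum field, so a wrongly decrypted file ("no file header") can be told apart from a good file with a stale CRC. It assumes the mainline wil6210 layout (an 8-byte record head with type 6 before the file header shown above); the function names and the sample file are constructed for illustration.

```python
#!/usr/bin/env python3
"""Model of the header checks in wil6210's wil_fw_verify(), plus a CRC-only repair."""
import struct
import zlib

REC_HEAD = struct.Struct("<HHI")        # assumed record head: type, flags, size
FILE_HDR = struct.Struct("<IIIII32s")   # signature, reserved, crc, version, data_len, comment
TYPE_FILE_HEADER = 6                    # assumed value of wil_fw_type_file_header
SIGNATURE = 0x36323130                  # bytes 30 31 32 36 on disk
CRC_OFFSET = REC_HEAD.size + 8          # = 16, the fifth 32-bit word of the file


def driver_crc(blob: bytes, data_len: int) -> int:
    """CRC-32 over data_len bytes with the crc field treated as zero."""
    zeroed = blob[:CRC_OFFSET] + b"\0\0\0\0" + blob[CRC_OFFSET + 4:data_len]
    return zlib.crc32(zeroed) & 0xFFFFFFFF


def check(blob: bytes) -> str:
    """Return 'ok' or the reason the file would be rejected."""
    if len(blob) % 4 or len(blob) < REC_HEAD.size + FILE_HDR.size:
        return "bad size"
    rec_type, _flags, _size = REC_HEAD.unpack_from(blob, 0)
    if rec_type != TYPE_FILE_HEADER:
        return "no file header"          # what the thread sees with a wrong seed
    sig, _rsvd, crc, _ver, data_len, _cmt = FILE_HDR.unpack_from(blob, REC_HEAD.size)
    if data_len % 4 or not REC_HEAD.size + FILE_HDR.size <= data_len <= len(blob):
        return "bad data_len"
    if sig != SIGNATURE:
        return "bad signature"
    calc = driver_crc(blob, data_len)
    if calc != crc:
        return "checksum mismatch: calculated 0x%08x != 0x%08x" % (calc, crc)
    return "ok"


def fix_crc(blob: bytes) -> bytes:
    """Rewrite only the crc field; every other byte stays untouched."""
    data_len = struct.unpack_from("<I", blob, REC_HEAD.size + 16)[0]
    out = bytearray(blob)
    struct.pack_into("<I", out, CRC_OFFSET, driver_crc(blob, data_len))
    return bytes(out)


def sample() -> bytes:
    """Constructed 64-byte file with a deliberately stale crc (not a real board file)."""
    hdr = FILE_HDR.pack(SIGNATURE, 0, 0xD414AA93, 1, 64, b"constructed sample")
    return REC_HEAD.pack(TYPE_FILE_HEADER, 0, FILE_HDR.size) + hdr + bytes(4)
```

Run `check()` on the decrypted file before calling `fix_crc()`: any result other than a checksum mismatch means the decryption itself is wrong and patching the CRC will not help.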

Ah okay. hexdump -C ...Yeah the number is correct...

My code seems to work? :wink:

If it matches I would guess that it does

Could u give me a dmesg output of what a successful start of hostapd with wil6210 looks like?

Initializing the wifi

wil6210 0000:01:00.0: wil6210 device found [1ae9:0310] (rev 2) bar size 0x200000
wil6210 0000:01:00.0: enabling device (0140 -> 0142)
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_pcie_probe: CSR at [mem 0x40400000-0x405fffff 64bit] -> 0x(ptrval)
urngd: v1.0.1 started.
wil6210 0000:01:00.0: Direct firmware load for wil6210_sparrow_plus.fw failed with error -2
wil6210 0000:01:00.0: Falling back to syfs fallback for: wil6210_sparrow_plus.fw
random: crng init done
firmware wil6210_sparrow_plus.fw: firmware_loading_store: map pages failed
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_set_capabilities: Board hardware is Sparrow D0, flash exist
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_set_capabilities: platform_capa 0x0
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_refresh_fw_capabilities: keep_radio_on_during_sleep (0)
wil6210 0000:01:00.0: using dma mask 48
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_get_bl_info: Boot Loader struct v2: MAC = c4:ad:34:26:32:87 RF = 0x0000 (status 0x0000) bband = 0x00000000
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_get_bl_info: Boot Loader build 255.255.0.7253
wil6210 0000:01:00.0 (unnamed net_device) (uninitialized): wil_set_oob_mode: oob_mode to 0

Looks strange to me, that firmware_loading_store: map pages failed...

Routeros:

ipq4019: fw initialized, wait_limit 298, ind 0x80000002
probe_er_radio_data id 8001
probe_er_radio_data id 1
read_radio_data got 0 from 131072
ipq4019_ahb_probe: radio_data_read failed -2
ipq4019_ahb_reset
ipq4019: probe of a000000.wifi failed with error -2

or

add@/devices/soc.0/a000000.wifi
  OF_NAME=wifi
  OF_TYPE=<NULL>
  OF_COMPATIBLE_0=qca,wifi-ipq40xx
  OF_COMPATIBLE_N=1
  MODALIAS=of:NwifiT<NULL>Cqca,wifi-ipq40xx
add@/devices/soc.0/a800000.wifi
  OF_NAME=wifi
  OF_TYPE=<NULL>
  OF_COMPATIBLE_0=qca,wifi-ipq40xx
  OF_COMPATIBLE_N=1
  MODALIAS=of:NwifiT<NULL>Cqca,wifi-ipq40xx

Since lspci shows that the driver is okay, the memory mapping is okay, or? Since a000000 and pci@40000000 are different values. But I'm noob at device tree stuff... Device Tree

OpenWrt lspci:

01:00.0 Network controller: Wilocity Ltd. Wil6200 802.11ad Wireless Network Adapter (rev 02)
        Subsystem: Wilocity Ltd. Device 0000
        Device tree node: /sys/firmware/devicetree/base/soc/pci@40000000/bridge@0,0/wifi@1,0
        Flags: bus master, fast devsel, latency 0, IRQ 64
        Memory at 40400000 (64-bit, non-prefetchable) [size=2M]
        Capabilities: [40] Power Management version 3
        Capabilities: [b0] MSI: Enable+ Count=4/4 Maskable- 64bit+
        Capabilities: [70] Express Endpoint, MSI 00
        Capabilities: [100] Advanced Error Reporting
        Capabilities: [148] Latency Tolerance Reporting
        Capabilities: [150] L1 PM Substates
        Kernel driver in use: wil6210

That should be ok, so basically it will try to load wil6210_sparrow_plus.fw if it exists and if not simply fall back to the old wil6210.fw.

What do you get if you try to bring the interface up?
Only then it will actually load the FW.

a000000 and a800000 are the addresses for the WLANs that are built into IPQ40xx; those are simply disabled on 60GHz Mikrotik devices.

wil6210 0000:01:00.0 wlan0: _wil6210_disconnect: disconnect bssid=  (null), reason=3
wil6210 0000:01:00.0 wlan0: _wil6210_disconnect_complete: disconnect_complete: bssid=  (null), reason=3
wil6210 0000:01:00.0 wlan0: wil_get_bl_info: Boot Loader struct v2: MAC = c4:ad:34:26:33:31 RF = 0x0000 (status 0x0000) bband = 0x00000000
wil6210 0000:01:00.0 wlan0: wil_get_bl_info: Boot Loader build 255.255.0.7253
wil6210 0000:01:00.0 wlan0: wil_set_oob_mode: oob_mode to 0
wil6210 0000:01:00.0 wlan0: wil_reset: Use firmware <wil6210.fw> + board <wil6210.brd>
wil6210 0000:01:00.0 wlan0: wmi_evt_ready: FW ver. 5.2.0.18(SW 18); MAC c4:ad:34:26:33:31; 0 MID's
wil6210 0000:01:00.0 wlan0: wil_wait_for_fw_ready: FW ready after 0 ms. HW version 0x00000002
wil6210 0000:01:00.0 wlan0: wil_configure_interrupt_moderation: set ITR_TX_CNT_TRSH = 500 usec
wil6210 0000:01:00.0 wlan0: wil_configure_interrupt_moderation: set ITR_TX_IDL_CNT_TRSH = 13 usec
wil6210 0000:01:00.0 wlan0: wil_configure_interrupt_moderation: set ITR_RX_CNT_TRSH = 500 usec
wil6210 0000:01:00.0 wlan0: wil_configure_interrupt_moderation: set ITR_RX_IDL_CNT_TRSH = 13 usec
wil6210 0000:01:00.0 wlan0: wil_refresh_fw_capabilities: keep_radio_on_during_sleep (0)
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready

I'm not the only one who struggles with the wap60g.

The person says the cause could be missing MSI or legacy pci interrupts. I will look into this.

Hm, wil6210 defaults to MSI interrupts.
There have been some bugfixes related to MSI in wil6210 but current wireless backports are based on 5.4 and should include those.

Hi PolynomialDivision,

I am actually struggling to get the extracted .brd file working with the openwrt image, could you share how you managed to do this? And/or could you share the working .brd file?

Thank you very much!

I extracted the board file from wireless-6.44.6-arm.npk, but if I try to use that one as is, I get the error:

[ 1363.901483] wil6210 0000:01:00.0 wlan0: _wil6210_disconnect: bssid=  (null), reason=3, ev-
[ 1363.948742] wil6210 0000:01:00.0 wlan0: wil_get_bl_info: Boot Loader struct v2: MAC = 04:d6:aa:ab:45:40 RF = 0x0000 (status 0x0000) bband = 0x00000000
[ 1363.949162] wil6210 0000:01:00.0 wlan0: wil_get_bl_info: Boot Loader build 255.255.0.6836
[ 1363.961862] wil6210 0000:01:00.0 wlan0: wil_set_oob_mode: oob_mode to 0
[ 1363.969531] wil6210 0000:01:00.0 wlan0: wil_reset: Use firmware <wil6210.fw> + board <wil6210.brd>
[ 1364.010628] wil6210 0000:01:00.0 wlan0: wil_fw_verify: ERR[ FW ]no file header

The one that comes with the openwrt image works fine, but it is not tailored for the Mikrotik device.

You have to decrypt the boardfile, or you have to use an unencrypted version.
Extract it from version 6.43.12 because there I know the seed.

Or use version 6.41.2. In this version no encryption was happening.