[Prism54-devel] Retrieve firmware from .sys file (was: New revision of SMC 2802W card, Firmware 2.4.3.0)

Rutger Nijlunsing (thuis) prism54-devel@tux.tmfweb.nl
Sun, 15 Feb 2004 22:00:31 +0100 

Summary: A mini-howto to retrieve the firmware for a V2 SMC 2802W
card. The cards gets one step closer to working, but still does not
work.

> Hi all,
> 
> I just got a new SMC 2802W PCI 802.11G card and tried to get it running
> with prism54.
> 
> Unfortunately the PCI id differs from the one of the "old" 2802W .
> SMC seems to call this one "2802Wv2" (the name of the installer EXE
> implies that name).
> 
> This is what lspci -v -v -v -n says:
> 
> 00:0f.0 Class 0280: 1260:3890 (rev 01)
> Subsystem: 1113:ee03

I've got the same card.

> Loaded prism54 driver, version 1.0.2.2
> PCI: Found IRQ 5 for device 00:0f.0
> PCI: Sharing IRQ 5 with 00:02.2
> eth2: islpci_open()
> eth2: resetting device...
> eth2: uploading firmware...
> eth2: firmware uploaded done, now triggering reset...
> eth2: device soft reset timed out

Same problem here with CVS version.

> After that partial success I xxd'ed the Win2k/XP Driver
> that was shipped with the card and found some
> interesting parts in 
> 2802W.SYS (and 2802W51.SYS):
> 
> [...]
> 0000870: 3200 5700 0000 0000 5000 5200 4900 5300 2.W.....P.R.I.S.
> 0000880: 4d00 2d00 5300 5400 4100 5400 4900 4f00 M.-.S.T.A.T.I.O.
> 0000890: 4e00 0000 5000 5200 4900 5300 4d00 2d00 N...P.R.I.S.M.-.
> 00008a0: 5300 5300 4900 4400 0000 0000 0100 0200 S.S.I.D.........
> 00008b0: 0400 0800 1000 0001 0203 0001 0203 0405 ................
> 00008c0: 0607 dd00 0000 a0e1 dcf3 9fe5 0000 0000 ................
> 00008d0: 0000 0000 0000 0000 0100 0080 0100 0000 ................
> 00008e0: 4c4d 3836 0200 0080 0600 0000 322e 342e LM86........2.4.
> 00008f0: 332e 3200 0000 0000 0000 0000 0000 0000 3.2.............
> 0000900: 0000 0000 0400 0080 0300 0000 0000 1a00 ................
> [...]

Here 'od -t x1z 2.4.3.2/2802W.sys':
0004300 06 07 dd 00 00 00 a0 e1 dc f3 9f e5 00 00 00 00  >................<
0004320 00 00 00 00 00 00 00 00 01 00 00 80 01 00 00 00  >................<
0004340 4c 4d 38 36 02 00 00 80 06 00 00 00 32 2e 34 2e  >LM86........2.4.<
0004360 33 2e 32 00 00 00 00 00 00 00 00 00 00 00 00 00  >3.2.............<
0004400 00 00 00 00 04 00 00 80 03 00 00 00 00 00 1a 00  >................<

> 00009d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00009e0: 5665 7273 696f 6e20 322e 342e 332e 3220 Version 2.4.3.2
> 00009f0: 6275 696c 7420 6f6e 2057 6564 204e 6f76  built on Wed Nov
> 0000a00: 2035 2031 333a 3033 3a33 3620 4345 5420   5 13:03:36 CET
> 0000a10: 3230 3033 2062 7920 696e 6c62 7569 6c64  2003 by inlbuild
> 0000a20: 4074 6978 5041 434b 5041 434b 5041 434b @tixPACKPACKPACK
> 0000a30: 7802 9fe5 0000 80e5 d3f0 21e3 0020 a0e3 x.........!.. ..

I've got files on the CD with the same names, but with versions 2.4.3.2:
-rw-rw-r--    1 rutger   rutger     379240 Feb 14 23:46 2802W.sys
-rw-rw-r--    1 rutger   rutger     377696 Feb 14 23:46 2802W51.sys

> 
> Has anyone ever tried to fetch binary firmware from a windows driver
> or does anyone have knowledge of the internal structure of the .sys
> files? 

The internal structure of the .sys files do not seem to help:
hte 2802W.sys -> F6 -> pe/headers gives alist which 
do not seem very helpful.

Now doing:
F6 -> hex -> F5 0x8e0 (we're now looking at the hexdump)
F9 -> pe/image
Scroll a little up, and see something like
   ..... ! offset_108c4:                   ;xref o1ca95 o1cb8b         
Which means this offset is referenced. So this is the start of
the firmware.

Select first xref (01ca95 in this case). Press ENTER. A little
down, ecx is loaded with the size of the firmware:
   1caa2 !   mov     ecx, [data_17708]
Goto this reference:
   17708   data_17708:                     ;xref r1caa2 r1cb98
   .....     dd      00006e44h                                                x
...and here is the length: 0x6e44.

'printf "%i" 0x8c4' gives 2244, this is the offset since the .sys is
mapped onto 0x10000 I think, so 0x108c4 - 0x10000 = 0x8c4.

'printf "%i" 0x6e44' gives 28228, this is the length.
(mental note: this seems too short indeed; something more is needed?
Maybe the firmware must be loaded in parts or so?)

so retrieve the firmware with:
dd if=2802W.sys of=/usr/lib/hotplug/firmware/isl3890 bs=1 skip=2244 count=28228

Bringing the interface up gives:

# ifconfig eth1 up
Feb 15 17:21:45 wingding kernel: eth1: islpci_open()
Feb 15 17:21:45 wingding kernel: eth1: resetting device...
Feb 15 17:21:45 wingding kernel: eth1: uploading firmware...
Feb 15 17:21:46 wingding kernel: eth1: firmware uploaded done, now triggering reset...
Feb 15 17:21:46 wingding kernel: eth1: timeout waiting for mgmt response 1000, trigging device
Feb 15 17:21:46 wingding kernel: eth1: timeout waiting for mgmt response 806, trigging device
Feb 15 17:21:47 wingding kernel: eth1: timeout waiting for mgmt response 1000, trigging device
Feb 15 17:21:49 wingding last message repeated 2 times
Feb 15 17:21:50 wingding kernel: eth1: mgt_commit has failed. Restart the                 device 

This is different from what happens with a V1 firmware:
Feb 14 20:32:55 wingding kernel: prism54: Your card/socket may be faulty, or IRQ line too busy :(

...so there is progress, albeit little.

Any hints for me what to check?


> I am quite sure that the card will initialize correctly when
> it receives the correct firmware.

I'm not so sure any more ;)

-- 
Rutger Nijlunsing ---------------------------- rutger ed tux tmfweb nl
never attribute to a conspiracy which can be explained by incompetence
----------------------------------------------------------------------