[Prism54-devel] Re: Prism54 development update

Sebastien sebastien.bourdeauducq at gmail.com
Sun Sep 11 13:44:13 UTC 2005


Hello all,

> I may not have my say in freemac (Sebastien wrote all of it, even though
> i contributed some reverse-engineering), but i think we should follow
> the same path.
>
> First, separate loading seems a good thing to me (after all, the
> firmware code is dead once loaded, so it makes sense to use the firmware
> loading capabilities).

Yes. And I wrote a (basic) FreeBSD equivalent to Linux's firmware_class, so 
firmware licensing problems related to linking are over.

> Second, Conexant has been far from collaborative. I don't want the
> remote possibility of them taking advantage of the weeks i spend reading
> their asm

I entirely agree.
Moreover, I had a look at USB logs from their latest 2.13.1 firmware. Each 
frame contains a 32-bit signature based on the contents of the URB. And it's 
not a CRC32 - I wrote a program which computes CRC32 for every possible 
extracted string from the URB, and none matched.
If you don't send the right signature, the frame's purely ignored by the 
device.
The signature algorithm looks quite simple, if you take the LED control 
packets for instance:

00000000: 00 02 02 00|d2 9a c0 44|01 80 08 00 00 00 00 00
00000010: 0d 00 00 00 03 00 02 00 02 00 00 00

00000000: 00 02 02 00|9a 9a 80 44|01 80 08 00 00 00 00 00
00000010: 0d 00 00 00 03 00 03 00 03 00 00 00

The signature's what's between the two "|"s.
If you align to ARM words:

01 80 08 00 
00 00 00 00
0d 00 00 00
03 00 02 00 
02 00 00 00
----
d2 9a c0 44

01 80 08 00 
00 00 00 00
0d 00 00 00
03 00 03 00 
03 00 00 00
----
9a 9a 80 44

As you can see, each byte of the signature seems computed from the rows above 
it. This is not true for longer packets, but this may be simply some kind of 
overflow/carrier.

What would be the point of such a signature? USB Bulk endpoints already have 
error detection; and this algorithm seems quite poor for this purpose. And 
why didn't they use CRC32? It's already implemented in ROM for firmware 
download.
This really looks like a lame attempt at making reverse engineering harder.

Regards,
Sebastien
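The byte-column view in the message, as an added example that is not part of Sebastien's post or of the freemac code: a Python script that takes the two quoted LED-control frames, repeats the "CRC32 over every substring" check, folds the word-aligned payload per byte column (plain sum and XOR, two candidate families the column observation suggests, not the real algorithm), and diffs the two frames to see which payload columns and which signature bytes move together. The frame split (4-byte header, 4-byte signature, payload) follows the "|" markers in the dump; the candidate folds and the endianness tried for the CRC are assumptions.

```python
"""Differential look at the 32-bit per-frame signature in the two LED-control
URBs quoted in the message.  The frame layout (4-byte header, 4-byte
signature, then the payload) follows the "|" markers; everything else here is
an assumption made for the example, not Conexant's algorithm."""
import binascii
import struct

# The two LED-control frames exactly as quoted in the message (constructed
# from the hex dump; no other captures are assumed).
PKT_A = bytes.fromhex(
    "00020200 d29ac044 01800800 00000000 0d000000 03000200 02000000"
)
PKT_B = bytes.fromhex(
    "00020200 9a9a8044 01800800 00000000 0d000000 03000300 03000000"
)

HDR_LEN = 4
SIG_LEN = 4
WORD = 4  # ARM word width used to align the payload, as in the message


def split_frame(pkt):
    """Return (header, signature, payload) for one frame."""
    return (pkt[:HDR_LEN],
            pkt[HDR_LEN:HDR_LEN + SIG_LEN],
            pkt[HDR_LEN + SIG_LEN:])


def crc32_substring_hits(pkt):
    """Brute-force check described in the message: CRC32 of every contiguous
    byte range of the frame, compared with the signature read as either a
    little- or big-endian u32.  Returns the (start, end) ranges that match."""
    _, sig, _ = split_frame(pkt)
    targets = {struct.unpack("<I", sig)[0], struct.unpack(">I", sig)[0]}
    hits = []
    for start in range(len(pkt)):
        for end in range(start + 1, len(pkt) + 1):
            if binascii.crc32(pkt[start:end]) & 0xFFFFFFFF in targets:
                hits.append((start, end))
    return hits


def column_sensitivity(pkt_a, pkt_b, width=WORD):
    """Which payload byte columns (offset mod word width) differ between the
    two frames, and which signature bytes differ.  If a payload column only
    ever moves its own signature byte, the "each byte from the column above
    it" hypothesis survives the pair."""
    _, sig_a, pay_a = split_frame(pkt_a)
    _, sig_b, pay_b = split_frame(pkt_b)
    pay_cols = sorted({i % width
                       for i, (x, y) in enumerate(zip(pay_a, pay_b)) if x != y})
    sig_diff = {i: (x, y)
                for i, (x, y) in enumerate(zip(sig_a, sig_b)) if x != y}
    return pay_cols, sig_diff


def fold_columns(payload, op, width=WORD):
    """Fold each byte column of the word-aligned payload with op (mod 256)."""
    cols = [0] * width
    for i, b in enumerate(payload):
        cols[i % width] = op(cols[i % width], b) & 0xFF
    return bytes(cols)


def ADD(acc, b):
    return acc + b


def XOR(acc, b):
    return acc ^ b


def fold_matches(pkt, op, width=WORD):
    """True if a plain per-column fold of the payload reproduces the signature."""
    _, sig, payload = split_frame(pkt)
    return fold_columns(payload, op, width) == sig


if __name__ == "__main__":
    for name, pkt in (("A", PKT_A), ("B", PKT_B)):
        _, sig, payload = split_frame(pkt)
        print(name, "sig", sig.hex(),
              "crc32 hits", crc32_substring_hits(pkt),
              "colsum", fold_columns(payload, ADD).hex(),
              "colxor", fold_columns(payload, XOR).hex())
    print("sensitivity", column_sensitivity(PKT_A, PKT_B))
```

On these two frames the only payload bytes that change sit in columns 0 and 2, and exactly signature bytes 0 and 2 change (d2 to 9a and c0 to 80), which is consistent with the per-column observation; neither a column sum nor a column XOR reproduces the signature, so if it is column-based it is not a trivial fold. More frame pairs that differ in one byte each would narrow it down further.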
