[原创]Bluetooth Internals:A Reverse Engineer’s Perspective - CEVA
发表于: 2023-3-31 13:32 21606


目录

CEVA

DSP、Wi-Fi和Bluetooth等方面IP授权厂商,每年营收1亿多美元,超4成营收在中国市场。DSP IP在音频、基带、计算机视觉、人工智能等方面和Cadence的Tensilica IP竞争;Bluetooth IP主要和Mindtree竞争;Wi-Fi IP好像是唯一公开的授权厂商。Bluetooth IP和Wi-Fi IP市场占有率第一,这里关注Bluetooth IP,DSP IP和Wi-Fi IP可能会在其它文章说明。可以把Bluetooth协议根据OSI七层模型分成以下:

L1

对应OSI L1,通常表现成射频RF IP。该射频IP采用零中频Zero-IF收发器或低中频Low-IF收发器,用PLL锁相环进行频率合成,PLL锁相环又分为模拟锁相环、数字锁相环和全数字锁相环。难点在于蓝牙双模的经典蓝牙的解调,经典蓝牙有79个信道,信道分为若干个625μs时隙,跳频时如果锁相环只有单一子频段,频率合成锁定时通过二分法搜索进行在线频率校准标定则至少需要7次,则锁相环的频率锁定时间+通信时间至少需要625us/7,大概90us,单一子频段的数字锁相环不知道能不能满足。为了支持经典蓝牙的EDR 2和EDR 3解调,物理层基带解调需要支持相干解调、星座解映射和差分解码等。射频RF IP最好是低中频收发器,灵活性高。
CEVA本来自己是有蓝牙IP的,射频IP方面应该是采用Orca Systems的,不知道有没有官方实现,收购了RivieraWaves后,不仅带来了新的蓝牙Bluetooth IP,而且射频RF IP方面有官方实现,也有射频RF IP官方合作厂商:CSEM、Aura Semi和Sirius Wireless,当然也可以用其它第三方射频RF IP厂商,比如Catena的Bluetooth双模RF IP与Wi-Fi双频RF IP配套搭配使用。一些射频RF IP架构图如下:

  • CSEM ICYTRX:
    CSEM icytrx
  • Aura Semi AU50xx
    Aura Semi
  • NXP QN9090

Physical Layer Register

重点关注CSEM,射频RF IP有ICYTRX和ICYTRXDM两种:ICYTRX IP是用65nm/55nm的台积电或格芯半导体工艺制作,BLE单模,有多个版本;ICYTRXDM IP是用40nm/22nm的台积电或格芯半导体工艺制作,BT双模,可配置成BLE单模。

ICYTRX GCS1

CSEM射频RF IP寄存器描述粗略表示如下(详情请查看RSL10的SVD文件和用户手册):

// Based on the RSL10 svd2rust output (rsl10-pac).
//
// CSEM IcyTRx GCS1 RF register block: 64 consecutive 32-bit slots covering
// offsets 0x00..0xFC from the block base. The leading comment on each line is
// the slot's byte offset. Slots named regNN carry no public name in the source
// material; the five "resevered_*" slots (spelled as in the original) are
// unused. Whether REG32 is volatile is decided where REG32 is defined.
typedef struct icytrx_gcs1_type
{
    /* 0x00 */ REG32 reg00;
    /* 0x04 */ REG32 reg01;
    /* 0x08 */ REG32 reg02;
    /* 0x0C */ REG32 reg03;
    /* 0x10 */ REG32 reg04;
    /* 0x14 */ REG32 reg05;
    /* 0x18 */ REG32 center_freq;
    /* 0x1C */ REG32 reg07;
    /* 0x20 */ REG32 reg08;
    /* 0x24 */ REG32 reg09;
    /* 0x28 */ REG32 reg0A;
    /* 0x2C */ REG32 sync_pattern;
    /* 0x30 */ REG32 reg0C;
    /* 0x34 */ REG32 crc_polynomial;
    /* 0x38 */ REG32 crc_rst;
    /* 0x3C */ REG32 reg0F;
    /* 0x40 */ REG32 reg10;
    /* 0x44 */ REG32 tx_pulse0;
    /* 0x48 */ REG32 tx_pulse1;
    /* 0x4C */ REG32 tx_pulse2;
    /* 0x50 */ REG32 tx_pulse3;
    /* 0x54 */ REG32 rx_pulse;
    /* 0x58 */ REG32 reg16;
    /* 0x5C */ REG32 reg17;
    /* 0x60 */ REG32 reg18;
    /* 0x64 */ REG32 reg19;
    /* 0x68 */ REG32 reg1A;
    /* 0x6C */ REG32 reg1B;
    /* 0x70 */ REG32 agc_lut1;
    /* 0x74 */ REG32 agc_lut2;
    /* 0x78 */ REG32 agc_lut3;
    /* 0x7C */ REG32 agc_lut4;
    /* 0x80 */ REG32 reg20;
    /* 0x84 */ REG32 agc_att1;
    /* 0x88 */ REG32 reg22;
    /* 0x8C */ REG32 reg23;
    /* 0x90 */ REG32 reg24;
    /* 0x94 */ REG32 reg25;
    /* 0x98 */ REG32 reg26;
    /* 0x9C */ REG32 reg27;
    /* 0xA0 */ REG32 reg28;
    /* 0xA4 */ REG32 pll_ctrl;
    /* 0xA8 */ REG32 reg2A;
    /* 0xAC */ REG32 xtal_ctrl;
    /* 0xB0 */ REG32 reg2C;
    /* 0xB4 */ REG32 reg2D;
    /* 0xB8 */ REG32 reg2E;
    /* 0xBC */ REG32 reg2F;
    /* 0xC0 */ REG32 reg30;
    /* 0xC4 */ REG32 reg31;
    /* 0xC8 */ REG32 reg32;
    /* 0xCC */ REG32 txfifo;
    /* 0xD0 */ REG32 rxfifo;
    /* 0xD4 */ REG32 deser_status;
    /* 0xD8 */ REG32 irq_status;
    /* 0xDC */ REG32 reg37;
    /* 0xE0 */ REG32 reg38;
    /* 0xE4 */ REG32 reg39;
    /* 0xE8 */ REG32 resevered_000000E8;
    /* 0xEC */ REG32 resevered_000000EC;
    /* 0xF0 */ REG32 resevered_000000F0;
    /* 0xF4 */ REG32 resevered_000000F4;
    /* 0xF8 */ REG32 resevered_000000F8;
    /* 0xFC */ REG32 revision;
} ICYTRX_GCS1_TypeDef;

ICYTRX GCS2

CSEM射频RF IP寄存器描述粗略表示如下(详情请查看RSL15的SVD文件和用户手册):

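// Based on the RSL15 SVD (montana.svd).
//
// CSEM IcyTRx GCS2 RF register block. One 32-bit slot per line; the trailing
// comment is the byte offset from the block base. Slots named regNN carry no
// public name in the source material; "resevered_*" (spelled as in the
// original) are unused.
//
// Fix relative to the original listing: it went straight from 0x1CC to reg51
// at 0x1E0, leaving the struct 16 bytes shorter than its own offset comments
// and shifting every member from reg51 onward. Four padding slots restore the
// documented offsets.
typedef struct icytrx_gcs2_type
{
    REG32 reg00;       //0x00000000
    REG32 reg01;       //0x00000004
    REG32 reg02;       //0x00000008
    REG32 reg03;       //0x0000000C
    REG32 pads_03;       //0x00000010
    REG32 pads_47;       //0x00000014
    REG32 center_freq;       //0x00000018
    REG32 pads_89;       //0x0000001C
    REG32 reg08;       //0x00000020
    REG32 coding;       //0x00000024
    REG32 packet_handling;       //0x00000028
    REG32 sync_pattern;       //0x0000002C
    REG32 reg0C;       //0x00000030
    REG32 packet_extra;       //0x00000034
    REG32 crc_polynomial;       //0x00000038
    REG32 crc_rst;       //0x0000003C
    REG32 reg10;       //0x00000040
    REG32 reg11;       //0x00000044
    REG32 tx_pulse_shape_1;       //0x00000048
    REG32 tx_pulse_shape_2;       //0x0000004C
    REG32 tx_pulse_shape_3;       //0x00000050
    REG32 tx_pulse_shape_4;       //0x00000054
    REG32 frontend;       //0x00000058
    REG32 rx_pulse;       //0x0000005C
    REG32 reg18;       //0x00000060
    REG32 reg19;       //0x00000064
    REG32 reg1A;       //0x00000068
    REG32 reg1B;       //0x0000006C
    REG32 rssi_ctrl;       //0x00000070
    REG32 reg1D;       //0x00000074
    REG32 agc_lut1;       //0x00000078
    REG32 agc_lut2;       //0x0000007C
    REG32 agc_lut3;       //0x00000080
    REG32 agc_lut4;       //0x00000084
    REG32 agc_lut5;       //0x00000088
    REG32 agc_att1;       //0x0000008C
    REG32 agc_att2;       //0x00000090
    REG32 reg25;       //0x00000094
    REG32 bias_0_2;       //0x00000098
    REG32 bias_3_6;       //0x0000009C
    REG32 bias_7_9;       //0x000000A0
    REG32 bias_10_12;       //0x000000A4
    REG32 reg2A;       //0x000000A8
    REG32 pll_ctrl;       //0x000000AC
    REG32 dll_ctrl;       //0x000000B0
    REG32 reg2D;       //0x000000B4
    REG32 reg2E;       //0x000000B8
    REG32 xtal_ctrl;       //0x000000BC
    REG32 subband;       //0x000000C0
    REG32 reg31;       //0x000000C4
    REG32 demod_ctrl;       //0x000000C8
    REG32 reg33;       //0x000000CC
    REG32 reg34;       //0x000000D0
    REG32 ble_lr;       //0x000000D4
    REG32 reg36;       //0x000000D8
    REG32 prot_timer;       //0x000000DC
    REG32 cte_opts;       //0x000000E0
    REG32 pt_delta_0;       //0x000000E4
    REG32 pt_delta_1;       //0x000000E8
    REG32 cte_if;       //0x000000EC
    REG32 cte_ctrl;       //0x000000F0
    REG32 agc_advanced;       //0x000000F4
    REG32 data_streaming;       //0x000000F8
    REG32 revision;       //0x000000FC
    REG32 fsm_ctrl;       //0x00000100
    REG32 iofifo_status;       //0x00000104
    REG32 txfifo;       //0x00000108
    REG32 rxfifo;       //0x0000010C
    REG32 iofifo;       //0x00000110
    REG32 reg45;       //0x00000114
    REG32 deser_status;       //0x00000118
    // NOTE(review): link-layer AES-CCM control sits inside the RF block on this
    // generation; anything that can write this block can influence link
    // encryption. Check the SVD access attributes before assuming it is
    // protected.
    REG32 ble_aes_ccm;       //0x0000011C
    REG32 irq_status;       //0x00000120
    REG32 rssi_min_max;       //0x00000124
    REG32 reg4A;       //0x00000128
    REG32 fei;       //0x0000012C
    REG32 reg4C;       //0x00000130
    REG32 analog_info;       //0x00000134
    REG32 sample_rssi;       //0x00000138
    REG32 rssi_therm;       //0x0000013C
    REG32 resevered_16[16];       //0x00000140
    REG32 lut_antenna_array_1;       //0x00000180
    REG32 lut_antenna_array_2;       //0x00000184
    REG32 lut_antenna_array_3;       //0x00000188
    REG32 lut_antenna_array_4;       //0x0000018C
    REG32 resevered_12[12];       //0x00000190
    REG32 reg50;       //0x000001C0
    REG32 resevered_000001C4; //0x000001C4
    REG32 resevered_000001C8; //0x000001C8
    REG32 resevered_000001CC; //0x000001CC
    // Padding added so reg51 really lands at 0x1E0 as documented below.
    // NOTE(review): confirm against the SVD whether 0x1D0-0x1DC are unused.
    REG32 reserved_000001D0[4]; //0x000001D0 .. 0x000001DC
    REG32 reg51;       //0x000001E0
    REG32 resevered_000001E4; //0x000001E4
    REG32 reg52; //0x000001E8
    REG32 resevered_000001EC; //0x000001EC
    REG32 reg53;       //0x000001F0
    REG32 reg54; //0x000001F4
    REG32 reg55; //0x000001F8
    REG32 reg56; //0x000001FC
} ICYTRX_GCS2_TypeDef;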

BTDM RF

一些蓝牙芯片厂商采用CEVA蓝牙IP时如果支持蓝牙双模,则会用官方的蓝牙双模射频IP或自研射频IP,官方双模射频IP有Ripple和Thetis两种:Ripple不支持BLE 2M PHY,BLE Coded PHY由蓝牙IP提供BLE FEC支持;Thetis完美支持双模。另外还有Catena的蓝牙双模射频和CSEM的蓝牙双模射频ICYTRXDM,Ripple用的比较多,Thetis和ICYTRXDM现在应该很少使用,Catena的蓝牙双模射频IP会和Wi-Fi双频射频IP搭配一起使用,自研射频IP不大了解。当前只能收集到ICYTRXDM寄存器命名的文件,简单关注。

L2

对应OSI L2-L4,通常表现成蓝牙Bluetooth IP,类比Wi-Fi IP的LMAC,也类比无线通信IP的BP(Baseband Processor)。重点关注收购RivieraWaves而来的蓝牙Bluetooth IP,可以收集到7.X、8.X、9.X和10.X四个版本。由于有些厂商的射频RF IP并没有实现BLE FEC编解码模块,CEVA从9.X版本开始好像在蓝牙Bluetooth IP实现了此模块。
一些版本蓝牙Bluetooth IP架构图如下所示:

  • RSL10(v8.X)
    RSL10
  • RSL15(v10.X)
    RSL15
  • QN9090(v8.X)
    QN9090

蓝牙Bluetooth IP有可能用CEVA的DSP实现,比如Teaklite/CEVA-X1/CEVA-X2/CEVA-BX1/CEVA-BX2等,也有可能是Cortus APS3,并且ROM固化,逆向很难搞,只能退而求其次,关注蓝牙Bluetooth IP链路层寄存器定义和描述。

Link Layer Register

BLE v8.X

低功耗蓝牙BLE IP链路层寄存器描述粗略表示如下(详情请查看RSL10的SVD文件和用户手册):

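// Based on the RSL10 svd2rust output (rsl10-pac); a few register names were
// tidied up by the original author.
//
// CEVA/RivieraWaves BLE link-layer register block, v8.x, as exposed on RSL10.
// One 32-bit slot per line; the trailing comment is the byte offset from the
// block base (0x00..0x1B0).
//
// Fixes relative to the original listing: the struct tag and the typedef name
// contained a '.', and the member at 0x140 contained a space -- none of these
// are valid C identifiers, so the listing could not compile. The typedef now
// ends in "_TypeDef" like the 10.x blocks.
typedef struct ble_link_8_x_type
{
    REG32 rw_ble_cntl;       //0x00000000
    REG32 version;       //0x00000004
    REG32 rw_ble_conf;       //0x00000008
    REG32 int_cntl;       //0x0000000C
    REG32 int_stat;       //0x00000010
    REG32 int_raw_stat;       //0x00000014
    REG32 int_ack;       //0x00000018
    REG32 base_time_cnt;       //0x0000001C
    REG32 fine_time_cnt;       //0x00000020
    REG32 ble_device_addrl;       //0x00000024
    REG32 ble_device_addru;       //0x00000028
    REG32 et_current_rx_descriptr;       //0x0000002C
    REG32 deep_sleep_cntl;       //0x00000030
    REG32 deep_sleep_wakeup;       //0x00000034
    REG32 deep_sleep_status;       //0x00000038
    REG32 enbp_reset;       //0x0000003C
    REG32 fine_cnt_corr;       //0x00000040
    REG32 base_time_corr;       //0x00000044
    REG32 reserved_48;       //0x00000048
    REG32 reserved_4C;       //0x0000004C
    REG32 diag_cntl;       //0x00000050
    REG32 diag_status;       //0x00000054
    REG32 debug_add_max;       //0x00000058
    REG32 debug_add_min;       //0x0000005C
    REG32 error_type_status;       //0x00000060
    REG32 sw_profiling;       //0x00000064
    REG32 reserved_68;       //0x00000068
    REG32 reserved_6C;       //0x0000006C
    REG32 radio_cntl0;       //0x00000070
    REG32 radio_cntl1;       //0x00000074
    REG32 radio_cntl2;       //0x00000078
    REG32 reserved_7C;       //0x0000007C
    REG32 radio_pwr_up_down0;       //0x00000080
    REG32 radio_pwr_up_down1;       //0x00000084
    REG32 reserved_88;       //0x00000088
    REG32 reserved_8C;       //0x0000008C
    REG32 radio_tx_rx_tim0;       //0x00000090
    REG32 radio_tx_rx_tim1;       //0x00000094
    REG32 reserved_98;       //0x00000098
    REG32 reserved_9C;       //0x0000009C
    REG32 spi_ptr_cntl0;       //0x000000A0
    REG32 spi_ptr_cntl1;       //0x000000A4
    REG32 spi_ptr_cnt2;       //0x000000A8
    REG32 reserved_AC;       //0x000000AC
    REG32 advertising_channel_map;       //0x000000B0
    REG32 reserved_B4;       //0x000000B4
    REG32 reserved_B8;       //0x000000B8
    REG32 reserved_BC;       //0x000000BC
    REG32 advertising_time;       //0x000000C0
    REG32 active_scan_stat;       //0x000000C4
    REG32 reserved_C8;       //0x000000C8
    REG32 reserved_CC;       //0x000000CC
    REG32 white_list_pub_address_ptr;       //0x000000D0
    REG32 white_list_priv_address_ptr;       //0x000000D4
    REG32 white_list_current_ptr;       //0x000000D8
    REG32 reserved_DC;       //0x000000DC
    // Link-layer AES engine. NOTE(review): the 128-bit key is loaded through
    // four ordinary MMIO slots; unless the SVD marks them write-only, software
    // with bus access to this block can read the key back.
    REG32 aes_cntl;       //0x000000E0
    REG32 aes_key_31_0;       //0x000000E4
    REG32 aes_key_63_32;       //0x000000E8
    REG32 aes_key_95_64;       //0x000000EC
    REG32 aes_key_127_96;       //0x000000F0
    REG32 aes_ptr;       //0x000000F4
    REG32 tx_mic_value;       //0x000000F8
    REG32 rx_mic_value;       //0x000000FC
    REG32 rf_test_cntl;       //0x00000100
    REG32 rf_test_tx_stat;       //0x00000104
    REG32 rf_test_rx_stat;       //0x00000108
    REG32 reserved_10C;       //0x0000010C
    REG32 time_gen_cntl;       //0x00000110
    REG32 gross_time_target;       //0x00000114
    REG32 fine_time_target;       //0x00000118
    REG32 reserve_11C;       //0x0000011C
    REG32 coexistence_cntl0;       //0x00000120
    REG32 coexistence_cntl1;       //0x00000124
    REG32 coexistence_cntl2;       //0x00000128
    REG32 ble_priority0;       //0x0000012C
    REG32 ble_priority1;       //0x00000130
    REG32 reserved_134;       //0x00000134
    REG32 reserved_138;       //0x00000138
    REG32 reserved_13C;       //0x0000013C
    REG32 resolving_addr_list_cntl;       //0x00000140  (was "resolving_addr_list _cntl")
    REG32 resolving_addr_list_current_ptr;       //0x00000144
    REG32 resolving_addr_list_local_random;       //0x00000148
    REG32 resolving_addr_list_peer_random;       //0x0000014C

    // ISO channel 0: 0x150 .. 0x16C
    REG32 ble_iso_cntl0;
    REG32 ble_iso_mute_cntl0;
    REG32 ble_iso_current_tx_ptr0;
    REG32 ble_iso_current_rx_ptr0;
    REG32 ble_iso_tr_cntl0;
    REG32 ble_iso_event_cnt_offset_lower0;
    REG32 ble_iso_event_cnt_offset_upper0;
    REG32 reserver_16C;

    // ISO channel 1: 0x170 .. 0x18C
    REG32 ble_iso_cntl1;
    REG32 ble_iso_mute_cntl1;
    REG32 ble_iso_current_tx_ptr1;
    REG32 ble_iso_current_rx_ptr1;
    REG32 ble_iso_tr_cntl1;
    REG32 ble_iso_event_cnt_offset_lower1;
    REG32 ble_iso_event_cnt_offset_upper1;
    REG32 reserver_18C;

    // ISO channel 2: 0x190 .. 0x1AC
    REG32 ble_iso_cntl2;
    REG32 ble_iso_mute_cntl2;
    REG32 ble_iso_current_tx_ptr2;
    REG32 ble_iso_current_rx_ptr2;
    REG32 ble_iso_tr_cntl2;
    REG32 ble_iso_event_cnt_offset_lower2;
    REG32 ble_iso_event_cnt_offset_upper2;
    REG32 reserver_1AC;

    // 0x1B0
    REG32 ble_priority_schedule_arb;
} BLE_LINK_8_X_TypeDef;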

 

BLE v10.X

 
低功耗蓝牙BLE IP链路层寄存器描述粗略表示如下(详情请查看RSL15的SVD文件和用户手册):

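// Based on the RSL15 SVD (montana.svd).
//
// CEVA/RivieraWaves BLE link-layer register block, v10.x, as exposed on RSL15.
// Registers are listed in groups of four 32-bit slots; the comment opening
// each group is the byte offset of its first slot from the block base.
//
// Fixes relative to the original listing: the struct tag and the typedef name
// contained a '.', which is not valid in a C identifier, so the listing could
// not compile; and the deep-sleep group was labelled 0x40 although it follows
// the 0x20 group and therefore starts at 0x30.
typedef struct ble_link_10_x_type
{
    //0x00
    //General Purpose Registers
    REG32  rw_ble_cntl;
    REG32  version;
    REG32  rw_ble_conf;
    REG32  int_cntl0;

    //0x10
    REG32  int_stat0;
    REG32  int_ack0;
    REG32  int_cntl1;
    REG32  int_stat1;

    //0x20
    REG32  int_ack1;
    REG32  act_fifo_stat;
    REG32  current_rx_descrptr;
    REG32  eptr;

    //0x30 (the original listing said 0x40)
    //Deep Sleep Registers
    REG32  deep_sleep_cntl;
    REG32  deep_sleep_wakeup;
    REG32  deep_sleep_stat;
    REG32  enbp_reset;

    //0x40
    REG32  fine_cnt_corr;
    REG32  clk_cnt_corr;
    REG32  reserved_48;
    REG32  reserved_4C;

    //0x50
    //Validation Registers
    REG32  diag_cntl;
    REG32  diag_stat;
    REG32  debug_add_max;
    REG32  debug_add_min;

    //0x60
    REG32  error_type_stat;
    REG32  sw_profiling;
    REG32  reserved_68;
    REG32  reserved_6C;

    //0x70
    //Radio Registers
    REG32  radio_cntl0;
    REG32  radio_cntl1;
    REG32  radio_cntl2;
    REG32  radio_cntl3;

    //0x80
    REG32  radio_pwr_up_down0;
    REG32  radio_pwr_up_down1;
    REG32  radio_pwr_up_down2;
    REG32  radio_pwr_up_down3;

    //0x90
    REG32  radio_tx_rx_tim0;
    REG32  radio_tx_rx_tim1;
    REG32  radio_tx_rx_tim2;
    REG32  radio_tx_rx_tim3;

    //0xA0
    REG32  spi_ptr_cntl0;
    REG32  spi_ptr_cntl1;
    REG32  spi_ptr_cntl2;
    REG32  spi_ptr_cntl3;

    //0xB0
    //Encryption and Decryption Registers
    // NOTE(review): the 128-bit key is loaded through four ordinary MMIO
    // slots; unless the SVD marks them write-only, software with bus access
    // to this block can read the key back.
    REG32  aes_cntl;
    REG32  aes_key_31_0;
    REG32  aes_key_63_32;
    REG32  aes_key_95_64;

    //0xC0
    REG32  aes_key_127_96;
    REG32  aes_ptr;
    REG32  tx_mic_value;
    REG32  rx_mic_value;

    //0xD0
    //Regulatory Body and RF Testing Registers
    REG32  rf_test_cntl;
    REG32  rf_test_tx_stat;
    REG32  rf_test_rx_stat;
    REG32  reserved_DC;

    //0xE0
    //Timing Generator Registers
    REG32  time_gen_cntl;
    REG32  gross_time_target;
    REG32  fine_time_target;
    REG32  clk_current_target1;

    //0xF0
    REG32  half_micro_second_target1;
    REG32  clk_current_target2;
    REG32  half_micro_second_target2;
    REG32  slot_clock;

    //0x100
    //Event Scheduler Registers
    REG32  ble_scheduler_cntl;
    REG32  start_event_clkn_count;
    REG32  start_event_fine_count;
    REG32  end_event_clkn_count;

    //0x110
    REG32  end_event_fine_count;
    REG32  skip_event_clkn_count;
    REG32  skip_event_fine_count;
    REG32  reserved_11C;

    //0x120
    //Advertising Timer and Scanning Timer Registers
    REG32  advertising_time;
    REG32  scanning_time;
    REG32  reserved_128;
    REG32  reserved_12C;

    //0x130
    //Device Filtering Registers
    REG32  white_list_cntl;
    REG32  white_list_current_ptr;
    REG32  search_time_out;
    REG32  reserved_13C;

    //0x140
    //WLAN Coexistence and WiMax Coexistence Registers
    REG32  coexistence_cntl0;
    REG32  coexistence_cntl1;
    REG32  coexistence_cntl2;
    REG32  ble_priority0;

    //0x150
    REG32  ble_priority1;
    REG32  ble_priority2;
    REG32  reserved_158;
    REG32  reserved_15C;

    //0x160
    //Resolving Address List Registers
    REG32  resolving_addr_list_cntl;
    REG32  resolving_addr_list_current_ptr;
    REG32  resolving_addr_list_local_random;
    REG32  resolving_addr_list_peer_random;

    //0x170
    //AoA Controls and AoD Controls Registers
    REG32  dfc_cntl0_1us;
    REG32  dfc_cntl0_2us;
    REG32  dfc_cntl1_1us;
    REG32  dfc_cntl1_2us;

    //0x180
    REG32  dfc_current_ptr;
    REG32  df_antenna_cntl;
    REG32  df_interface_cntl;
    REG32  reserved_18C;

    //0x190
    //ISO Channel Registers: not captured in the source material (left open
    //by the original author), so the struct ends here.
} BLE_LINK_10_X_TypeDef;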

 

BT v10.X

 
经典蓝牙BT IP链路层寄存器描述粗略表示如下:

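// CEVA/RivieraWaves Classic Bluetooth (BR/EDR) link-layer register block,
// v10.x. Registers are listed in groups of four 32-bit slots; the comment
// opening each group is the byte offset of its first slot from the block base.
//
// Fixes relative to the original listing: the struct tag and the typedef name
// contained a '.', which is not valid in a C identifier, so the listing could
// not compile; the deep-sleep group was labelled 0x40 although it follows the
// 0x20 group and starts at 0x30; and the ranges the author chose not to detail
// (0x130..0x270) are now padded so that the struct keeps the documented
// offsets instead of silently ending at 0x130.
typedef struct bt_link_10_x_type
{
    //0x00
    //General Purpose Registers
    REG32  rw_bt_cntl;
    REG32  version;
    REG32  rw_bt_conf;
    REG32  int_cntl0;

    //0x10
    REG32  int_stat0;
    REG32  int_ack0;
    REG32  int_cntl1;
    REG32  int_stat1;

    //0x20
    REG32  int_ack1;
    REG32  act_fifo_stat;
    REG32  current_rx_descrptr;
    REG32  eptr;

    //0x30 (the original listing said 0x40)
    //Deep Sleep Registers
    REG32  deep_sleep_cntl;
    REG32  deep_sleep_wakeup;
    REG32  deep_sleep_stat;
    REG32  enbp_reset;

    //0x40
    REG32  fine_cnt_corr;
    REG32  clk_cnt_corr;
    REG32  reserved_48;
    REG32  reserved_4C;

    //0x50
    //Validation Registers
    REG32  diag_cntl;
    REG32  diag_stat;
    REG32  debug_add_max;
    REG32  debug_add_min;

    //0x60
    REG32  error_type_stat;
    REG32  sw_profiling;
    REG32  reserved_68;
    REG32  reserved_6C;

    //0x70
    //Radio Registers
    REG32  radio_cntl0;
    REG32  radio_cntl1;
    REG32  radio_cntl2;
    REG32  radio_cntl3;

    //0x80
    REG32  reserved_80;
    REG32  reserved_84;
    REG32  reserved_88;
    REG32  radio_pwr_up_down;

    //0x90
    REG32  radio_tx_rx_tim;
    REG32  reserved_94;
    REG32  reserved_98;
    REG32  reserved_9C;

    //0xA0
    REG32  spi_ptr_cntl0;
    REG32  spi_ptr_cntl1;
    REG32  spi_ptr_cntl2;
    REG32  spi_ptr_cntl3;

    //0xB0
    //Encryption and Decryption Registers
    // NOTE(review): the 128-bit key is loaded through four ordinary MMIO
    // slots; unless the SVD marks them write-only, software with bus access
    // to this block can read the key back.
    REG32  aes_cntl;
    REG32  aes_key_31_0;
    REG32  aes_key_63_32;
    REG32  aes_key_95_64;

    //0xC0
    REG32  aes_key_127_96;
    REG32  aes_ptr;
    REG32  tx_mic_value;
    REG32  rx_mic_value;

    //0xD0
    //Regulatory Body and RF Testing Registers
    REG32  rf_test_cntl;
    REG32  rf_test_freq;
    REG32  rf_test_tx_stat;
    REG32  rf_test_rx_stat;

    //0xE0
    //Timing Generator Registers
    REG32  time_gen_cntl;
    REG32  fine_time_target;
    REG32  clk_current_target1;
    REG32  half_micro_second_target1;

    //0xF0
    REG32  clk_current_target2;
    REG32  half_micro_second_target2;
    REG32  slot_clock;
    REG32  fine_time_cnt;

    //0x100
    //Event Scheduler Registers
    REG32  bt_scheduler_cntl;
    REG32  start_event_clkn_count;
    REG32  start_event_fine_count;
    REG32  end_event_clkn_count;

    //0x110
    REG32  end_event_fine_count;
    REG32  skip_event_clkn_count;
    REG32  skip_event_fine_count;
    REG32  reserved_11C;

    //0x120
    //Inquiry/Page and EDR Control Registers
    REG32  abtrain_cntl;
    REG32  edr_cntl;
    REG32  reserved_128;
    REG32  reserved_12C;

    // The ranges below were not detailed by the original author. They are
    // padded from the range comments so later offsets stay correct.
    // NOTE(review): array sizes are derived from those comments only;
    // confirm them against the SVD before relying on the total size.

    //0x130-0x140
    //MWS PCA Coexistence Registers (not detailed)
    REG32  reserved_130[4];

    //0x140-0x1F0
    //WLAN/MWS Coexistence Registers (not detailed)
    REG32  reserved_140[44];

    //0x1F0-0x200
    //SAM (Local Map) Registers (not detailed)
    REG32  reserved_1F0[4];

    //0x200-0x260
    //Audio Channel Registers (not detailed)
    REG32  reserved_200[24];

    //0x260-0x270
    //Audio Codec Registers (not detailed)
    REG32  reserved_260[4];

    //0x270 onward: not detailed, extent unknown, so the struct ends here.
} BT_LINK_10_X_TypeDef;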

L3

对应OSI L5,通常表现成蓝牙Bluetooth Controller,类比Wi-Fi IP的UMAC,也类比无线通信IP的NP(Network Processor)。该实现可能ROM固化,也可能是Flash闪存实现,实现此功能的MCU指令集通常是ARM和RISC-V,最好是Flash闪存方式的实现,这样逆向蓝牙厂商官方以静态库的方式实现比较容易。

BLE Coded PHY

CSEM ICYTRX GCS1 + CEVA BLE Link v8如何实现BLE Coded PHY,Controller用Exchange Memory与CEVA蓝牙BP通信,8.X版本的BP并不支持BLE FEC,如何ROM Patch未知,只能在射频BLE 1M PHY配置的基础上再配置相关寄存器。

RF Selection

链路寄存器粗略配置如下:

    /* BB_RADIOCNTL1: link-layer radio control register 1, reachable either as
     * the whole 32-bit word (R) or field by field (B). Bit positions below
     * assume the compiler allocates bit fields from bit 0 upward; that order is
     * implementation-defined in C, so R is the portable view. */
    union
    {
        uint32_t R;
        struct
        {
            reg32 SUBVERSION:4;        /* bits 0-3: CSEM RF sub-version.
                                        *   0 = IcyTRx 65nm (v0x12, v0x20, v0x22)
                                        *   1 = IcyTRx 55nm CS1 (v0x30)
                                        *   2 = IcyTRx 55nm CS2 (v0x31)
                                        *   3 = IcyTRx 55nm GCS1 (v0x40)
                                        *   4 = IcyTRx 55nm CS553 (v0x62), marked
                                        *       as uncertain by the author */
            reg32 XRFSEL:5;            /* bits 4-8: extended radio selection.
                                        *   0 = no radio selected
                                        *   1 = Ripple radio (BT 4.0)
                                        *   2 = external radio controller
                                        *   3 = ICYTRX radio (BLE) */
            reg32 reserved_09_11:3;    /* bits 9-11 */
            reg32 JEF_SELECT:1;        /* bit 12 */
            reg32 DPCORR_EN:1;         /* bit 13 */
            reg32 reserved_14_14:1;    /* bit 14 */
            reg32 SYNC_PULSE_MODE:1;   /* bit 15 */
            reg32 FORCEAGC_LENGTH:12;  /* bits 16-27 */
            reg32 reserved_28_29:2;    /* bits 28-29 */
            reg32 FORCEBLEIQ:1;        /* bit 30 */
            reg32 FORCEAGC_EN:1;       /* bit 31 */
        } B;
    } BB_RADIOCNTL1;
    /* Values used for the GCS1 + v8.x pairing discussed above: */
    //BB_RADIOCNTL1.SUBVERSION=3;
    //BB_RADIOCNTL1.XRFSEL=3;
 
  /* BB_RWBLEBCONF: link-layer build/configuration register, reachable as the
   * whole 32-bit word (R) or field by field (B). Bit positions assume the
   * compiler packs bit fields from bit 0 upward, which is implementation-
   * defined in C; R is the portable view. */
  union
  {
    uint32_t R;
    struct
    {
      reg32 ADD_WIDTH:5;        /* bits 0-4 */
      reg32 DATA_WIDTH:1;       /* bit 5 */
      reg32 BUSTYPE:1;          /* bit 6 */
      reg32 INTMODE:1;          /* bit 7 */
      reg32 CLK_SEL:6;          /* bits 8-13 */
      reg32 USECRYPT:1;         /* bit 14 */
      reg32 USEDBG:1;           /* bit 15 */
      reg32 RFIF:5;             /* bits 16-20: RF front-end supported.
                                 *   0 = Ripple RF
                                 *   1 = external radio controller support
                                 *   2 = Atlas radio
                                 *   3 = IcyTRx radio */
      reg32 COEX:1;             /* bit 21 */
      reg32 reserved_22_22:1;   /* bit 22 */
      reg32 DECIPHER:1;         /* bit 23 */
      reg32 ISOPORTNB:2;        /* bits 24-25 */
      reg32 reserved_26_30:5;   /* bits 26-30 */
      reg32 DMMODE:1;           /* bit 31 */
    } B;
  } BB_RWBLEBCONF;
  /* Value used for the IcyTRx pairing discussed above: */
  //BB_RWBLEBCONF.RFIF=3;

RF Config

射频寄存器粗略配置如下:

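/* RF_REG0C: IcyTRx packet-extra / convolutional-code configuration register,
 * reachable as the whole 32-bit word (R) or field by field (B). Bit positions
 * assume the compiler packs bit fields from bit 0 upward (implementation-
 * defined in C); R is the portable view.
 *
 * Fixes relative to the original listing: the bit fields summed to 31 bits,
 * so the B view was one bit short of R -- bit 31 is now an explicit reserved
 * field; and CC_POLY_1 was annotated bit[20:25] although it starts at bit 21
 * (CC_POLY_0 occupies bits 16-20). */
union
{
    uint32_t R;
    struct
    {
        reg32 PACKET_EXTRA_PATTERN_WORD_LEN:2;      /* bits 0-1 */
        reg32 PACKET_EXTRA_PATTERN_MAX_ERR:2;       /* bits 2-3 */
        reg32 PACKET_EXTRA_PKT_INFO_PRE_NPOST:1;    /* bit 4 */
        reg32 PACKET_EXTRA_EN_STOP_WORD:1;          /* bit 5 */
        reg32 PACKET_EXTRA_STOP_WORD_LEN:2;         /* bits 6-7 */
        reg32 CONV_CODES_CONF_EN_CONV_CODE:1;       /* bit 8 */
        reg32 CONV_CODES_CONF_CC_EN_TX_STOP:1;      /* bit 9 */
        reg32 CONV_CODES_CONF_CC_VITERBI_LEN:2;     /* bits 10-11 */
        reg32 reserved_12_15:4;                     /* bits 12-15 */
        reg32 CONV_CODES_POLY_CC_POLY_0:5;    /* bits 16-20: polynomial of the first convolutional code */
        reg32 CONV_CODES_POLY_CC_POLY_1:5;    /* bits 21-25: polynomial of the second convolutional code */
        reg32 CONV_CODES_POLY_CC_POLY_2:5;    /* bits 26-30 */
        reg32 reserved_31_31:1;               /* bit 31: added so the field view covers all 32 bits */
    } B;
} RF_REG0C;
/* Generator polynomials the author uses for BLE Coded PHY (both S=2 and S=8
 * share the same encoder; only the pattern mapper differs): */
//RF_REG0C.CONV_CODES_POLY_CC_POLY_0=0b1111(x^3 + x^2 + x^1 + x^0)
//RF_REG0C.CONV_CODES_POLY_CC_POLY_1=0b1101(x^3 +x^2  + x^0)
//S=2
//S=8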
 
/* RF_REG0F: IcyTRx convolutional-code puncturing and fractional-rate
 * configuration register, reachable as the whole 32-bit word (R) or field by
 * field (B). Bit positions assume bit fields packed from bit 0 upward
 * (implementation-defined in C); R is the portable view. */
union
{
    uint32_t R;
    struct
    {
        reg32 CONV_CODES_PUNCT_CC_PUNCT_0:5;    /* bits 0-4: puncture of the first convolutional code */
        reg32 CONV_CODES_PUNCT_CC_PUNCT_1:5;    /* bits 5-9: puncture of the second convolutional code */
        reg32 CONV_CODES_PUNCT_CC_PUNCT_2:5;    /* bits 10-14 */
        reg32 reserved_15_15:1;                 /* bit 15 */
        reg32 FRAC_CONF_RX_EN_FRAC:1;           /* bit 16 */
        reg32 FRAC_CONF_TX_EN_FRAC:1;           /* bit 17 */
        reg32 FRAC_CONF_RX_FRAC_GAIN:1;         /* bit 18 */
        reg32 FRAC_CONF_TX_FRAC_GAIN:1;         /* bit 19 */
        reg32 reserved_20_23:4;                 /* bits 20-23 */
        reg32 RX_FRAC_CONF_RX_FRAC_NUM:4;       /* bits 24-27 */
        reg32 RX_FRAC_CONF_RX_FRAC_DEN:4;       /* bits 28-31 */
    } B;
} RF_REG0F;
/* Puncture values the author proposes; the trailing "???" marks them as
 * unverified in the original text. */
//RF_REG0F.CONV_CODES_PUNCT_CC_PUNCT_0=0b111;???
//RF_REG0F.CONV_CODES_PUNCT_CC_PUNCT_1=0b001;???
 
/* RF_REG18: IcyTRx demodulator decision / RSSI bank / IF-correction register,
 * reachable as the whole 32-bit word (R) or field by field (B). Bit positions
 * assume bit fields packed from bit 0 upward (implementation-defined in C);
 * R is the portable view. */
union
{
    uint32_t R;
    struct
    {
        reg32 DECISION_EN_VITERBI_GFSK:1;          /* bit 0: 0 = disable, 1 = enable */
        reg32 DECISION_VITERBI_POW_NLIN:1;         /* bit 1 */
        reg32 DECISION_VITERBI_LEN:2;              /* bits 2-3 */
        reg32 DECISION_USE_VIT_SOFT:1;             /* bit 4 */
        reg32 reserved_05_07:3;                    /* bits 5-7 */
        reg32 RSSI_BANK_TAU_RSSI_FILTERING:4;      /* bits 8-11 */
        reg32 RSSI_BANK_EN_FAST_PRE_SYNC:1;        /* bit 12 */
        reg32 RSSI_BANK_FAST_RSSI:1;               /* bit 13 */
        reg32 RSSI_BANK_RSSI_TRI_CK_DIV:2;         /* bits 14-15 */
        reg32 CORRECT_CFREQ_IF_CORRECT_CFREQ_IF:16; /* bits 16-31 */
    } B;
} RF_REG18;
/* Setting the author uses for Coded PHY reception (S=2 and S=8 alike): */
//RF_REG18.DECISION_EN_VITERBI_GFSK=1;
//S=2
//S=8

L4

对应OSI L6,通常表现成蓝牙Bluetooth HCI,类比无线通信IP的RIL(Radio Interface Layer),未关注。

L5

对应OSI L7,通常表现成蓝牙Bluetooth Host,类比无线通信IP的AP(Application Processor)。如果某蓝牙芯片能够直接通过总线访问射频RF IP寄存器和蓝牙Bluetooth IP链路层寄存器,该寄存器部分有详细的定义和描述,并且此部分在用户手册中有上千页文档,那用这芯片结合蓝牙官方标准文档来实现蓝牙渗透工具就非常完美,可惜不大可能,其次是在该芯片的Bluetooth Controller实现蓝牙渗透功能。
推荐相对比较好实现蓝牙渗透工具的蓝牙芯片:

BLE

ON Semiconductor

RSL10/RSL15的蓝牙功能不知道是不是基于CEVA 蓝牙IP的参考设计改进实现,RSL15可能是为了支持3个BLE ISO Channel,使用3个射频IP,刚好对应了BLE的3个广播信道,挺不错。相关文档比较详细。

NXP

MKW39/K32W1使用收购来的Freescale射频IP,使用Mindtree蓝牙IP,该芯片文档应该是最详细的;QN9090/K32W0不知道是不是使用Catena的射频收发器IP,物理层基带基于收购而来的Quintic物理层基带改进,使用CEVA蓝牙IP,相关文档不太详细。

BTDM

Bouffalo Lab

BL618/BL606P的射频IP应该是自研的,官方文档说明支持经典蓝牙的EDR 2和EDR 3,相关的RF IP寄存器的描述和定义未知,采用CEVA蓝牙IP,蓝牙 Controller实现用闪存存储。

Beken Corporation

BK3288和BK7256的射频IP应该是自研的,官方文档说明支持经典蓝牙的EDR 2和EDR 3,相关的RF IP寄存器的描述和定义未知,采用CEVA蓝牙IP,蓝牙 Controller实现用闪存存储。



BLE链路层寄存器可以收集到新版本了,不知道是属于v10还是v11