-
-
[原创]Bluetooth Internals:A Reverse Engineer’s Perspective - Bouffalo Lab
-
2023-4-7 16:42 11295
-
[原创]Bluetooth Internals:A Reverse Engineer’s Perspective - Bouffalo Lab
2023-4-7 16:42
11295
Bouffalo Lab
射频IP是自研的,采用CEVA蓝牙IP。BL618/BL606P官方文档说明支持经典蓝牙,相关的射频IP寄存器的描述和定义未知,只能不完全分析BL602/BL702的低功耗蓝牙BLE的相关寄存器。
L1
Low-IF Transceiver
射频IP自研,是低中频收发器, bl602用模拟锁相环进行频率合成,bl702 用数字锁相环进行频率合成, bl618/bl606p未知,只能收集bl602和bl702射频收发器寄存器定义,bl618/bl606p未知。
Modem
bl618/bl606p官方文档说明支持经典蓝牙,相关寄存器未知,只能收集到bl602低功耗蓝牙BLE物理层基带寄存器定义bz_phy,寄存器各字段含义未知。
L2
Version
官方静态库文件rwble.o的rwble_version函数汇编指令(riscv)如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | 00000000 <rwble_version>:0:47a5 li a5,0x092:00f501a3 sb a5,3(a0) 6:478d li a5,0x038:00f50123 sb a5,2(a0) c:02100793 li a5,0x2110:00f500a3 sb a5,1(a0) 14:00050023 sb zero,0(a0) 18:280007b7 lui a5,0x28000 1c:43d8 lw a4,4(a5) 1e:8361 srli a4,a4,0x18 20:00e581a3 sb a4,3(a1) 24:43d8 lw a4,4(a5) 26:8341 srli a4,a4,0x10 28:00e58123 sb a4,2(a1) 2c:43d8 lw a4,4(a5) 2e:8321 srli a4,a4,0x8 30:00e580a3 sb a4,1(a1) 34:43dc lw a5,4(a5)36:00f58023 sb a5,0(a1)3a:8082 ret |
可能的C源码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 | /** * @brief VERSION register definition * <pre> * Bits Field Name Reset Value * ----- ------------------ ----------- * 31:24 TYP 0x09 * 23:16 REL 0x03 * 15:08 UPG 0x21 * 07:00 BUILD 0x00 * </pre> */#define BLE_VERSION_ADDR 0x28000004#define BLE_VERSION_OFFSET 0x00000004#define BLE_VERSION_INDEX 0x00000001#define BLE_VERSION_RESET 0x09032100__INLINE uint32_t ble_version_get(void){ return REG_BLE_RD(BLE_VERSION_ADDR);}// field definitions#define BLE_TYP_MASK ((uint32_t)0xFF000000)#define BLE_TYP_LSB 24#define BLE_TYP_WIDTH ((uint32_t)0x00000008)#define BLE_REL_MASK ((uint32_t)0x00FF0000)#define BLE_REL_LSB 16#define BLE_REL_WIDTH ((uint32_t)0x00000008)#define BLE_UPG_MASK ((uint32_t)0x0000FF00)#define BLE_UPG_LSB 8#define BLE_UPG_WIDTH ((uint32_t)0x00000008)#define BLE_BUILD_MASK ((uint32_t)0x000000FF)#define BLE_BUILD_LSB 0#define BLE_BUILD_WIDTH ((uint32_t)0x00000008)#define BLE_TYP_RST 0x09#define BLE_REL_RST 0x03#define BLE_UPG_RST 0x21#define BLE_BUILD_RST 0x00__INLINE void ble_version_unpack(uint8_t* typ, uint8_t* rel, uint8_t* upg, uint8_t* build){ uint32_t localVal = REG_BLE_RD(BLE_VERSION_ADDR); *typ = (localVal & ((uint32_t)0xFF000000)) >> 24; *rel = (localVal & ((uint32_t)0x00FF0000)) >> 16; *upg = (localVal & ((uint32_t)0x0000FF00)) >> 8; *build = (localVal & ((uint32_t)0x000000FF)) >> 0;}__INLINE uint8_t ble_version_typ_getf(void){ uint32_t localVal = REG_BLE_RD(BLE_VERSION_ADDR); return ((localVal & ((uint32_t)0xFF000000)) >> 24);}__INLINE uint8_t ble_version_rel_getf(void){ uint32_t localVal = REG_BLE_RD(BLE_VERSION_ADDR); return ((localVal & ((uint32_t)0x00FF0000)) >> 16);}__INLINE uint8_t ble_version_upg_getf(void){ uint32_t localVal = REG_BLE_RD(BLE_VERSION_ADDR); return ((localVal & ((uint32_t)0x0000FF00)) >> 8);}__INLINE uint8_t ble_version_build_getf(void){ uint32_t localVal = REG_BLE_RD(BLE_VERSION_ADDR); return ((localVal & ((uint32_t)0x000000FF)) >> 0);}#define BT40_VERSION (0x06)#define BT41_VERSION (0x07)#define BT42_VERSION (0x08)#define BT50_VERSION (0x09)#define BT51_VERSION (0x0A)#define BT52_VERSION (0x0B)#define BT53_VERSION (0x0C)//bl602 or bl702//ble_link_base:0x28000000#define RWBT_SW_VERSION_MAJOR BT50_VERSION//bl618 or bl606p ??? ////bt_link_base:0x28000400????////ble_link_base:0x28000800????//#define RWBT_SW_VERSION_MAJOR BT52_VERSION#define RWBT_SW_VERSION_MINOR (0x03)#define RWBT_SW_VERSION_BUILD (0x21)#define RWBT_SW_VERSION_SUB_BUILD (0x00)void rwble_version(uint8_t* fw_version, uint8_t* hw_version){ // FW version *(fw_version+3) = RWBT_SW_VERSION_MAJOR; *(fw_version+2) = RWBT_SW_VERSION_MINOR; *(fw_version+1) = RWBT_SW_VERSION_BUILD; *(fw_version) = RWBT_SW_VERSION_SUB_BUILD; // HW version *(hw_version+3) = ble_version_typ_getf(); *(hw_version+2) = ble_version_rel_getf(); *(hw_version+1) = ble_version_upg_getf(); *(hw_version) = ble_version_build_getf(); return;} |
bl602/bl702采用版本9的蓝牙IP,BLE链路寄存器基址为0x28000000,bl618/bl606p可能采用版本10或版本11或版本12的蓝牙IP,低功耗蓝牙BLE链路寄存器基址可以通过逆向rwble.o的rwble_isr函数获得,基址应该为0x28000800,同理可以获得经典蓝牙BT链路寄存器基址为0x28000400。
Register
bl602/bl702的链路寄存器粗略表示如下(不一定对):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 | typedef volatile struct{ union { uint32_t R; struct { reg32 RXWINSZDEF:4; reg32 reserved_04_07:4; reg32 RWBLE_EN:1; reg32 ADVERTFILT_EN:1; reg32 ANONYMOUS_ADV_FILT_EN:1; reg32 reserved_11_11:1; reg32 HOP_REMAP_DSB:1; reg32 CRC_DSB:1; reg32 WHIT_DSB:1; reg32 LRFEC_DSB:1; reg32 LRPMAP_DSB:1; reg32 CRYPT_DSB:1; reg32 NESN_DSB:1; reg32 SN_DSB:1; reg32 MD_DSB:1; reg32 reserved_21_23:3; reg32 SCAN_ABORT:1; reg32 ADVERT_ABORT:1; reg32 RFTEST_ABORT:1; reg32 SWINT_REQ:1; reg32 RADIOCNTL_SOFT_RST:1; reg32 REG_SOFT_RST:1; reg32 MASTER_TGSOFT_RST:1; reg32 MASTER_SOFT_RST:1; } B; } RWBLECNTL; union { uint32_t R; struct { reg32 BUILD:8; reg32 UPG:8; reg32 REL:8; reg32 TYP:8; } B; } VERSION; union { uint32_t R; struct { reg32 ADD_WIDTH:5; reg32 DATA_WIDTH:1; reg32 BUSTYPE:1; reg32 INTMODE:1; reg32 CLK_SEL:6; reg32 DECIPHER:1; reg32 USEDBG:1; reg32 RFIF:5; reg32 WLANCOEX:1; reg32 reserved_22_23:2; reg32 ISOPORTNB:2; reg32 USETXLR:1; reg32 USERXLR:1; reg32 CORRELATOR:1 reg32 reserved_29_30:2; reg32 DMMODE:1; } B; } RWBLECONF; union { uint32_t R; struct { reg32 CLKNINTMSK:1; reg32 TXINTMSK:1; reg32 RXINTMSK:1; reg32 SLPINTMSK:1; reg32 STARTEVTINTMSK:1; reg32 ENDEVTINTMSK:1; reg32 SKIPEVTINTMSK:1; reg32 CRYPTINTMSK:1; reg32 ERRORINTMSK:1; reg32 GROSSTGTIMINTMSK:1; reg32 FINETGTIMINTMSK:1; reg32 TIMESTAMPTGTINTMSK:1; reg32 SWINTMSK:1; reg32 AUDIOINT0MSK:1; reg32 AUDIOINT1MSK:1; reg32 AUDIOINT2MSK:1; reg32 reserved_16_23:8; reg32 CLKNINTSRVAL:4; reg32 CLKNINTSRMSK:3; reg32 reserved_31_31:1; } B; } INTCNTL; union { uint32_t R; struct { reg32 CLKNINTSTAT:1; reg32 TXINTSTAT:1; reg32 RXINTSTAT:1; reg32 SLPINTSTAT:1; reg32 STARTEVTINTSTAT:1; reg32 ENDEVTINTSTAT:1; reg32 SKIPEVTINTSTAT:1; reg32 CRYPTINTSTAT:1; reg32 ERRORINTSTAT:1; reg32 GROSSTGTIMINTSTAT:1; reg32 FINETGTIMINTSTAT:1; reg32 TIMESTAMPTGTINTSTAT:1; reg32 SWINTSTAT:1; reg32 AUDIOINT0STAT:1; reg32 AUDIOINT1STAT:1; reg32 AUDIOINT2STAT:1; reg32 reserved_16_31:16; } B; } INTSTAT; union { uint32_t R; struct { reg32 CLKNINTRAWSTAT:1; reg32 TXINTRAWSTAT:1; reg32 RXINTRAWSTAT:1; reg32 SLPINTRAWSTAT:1; reg32 STARTEVTINTRAWSTAT:1; reg32 ENDEVTINTRAWSTAT:1; reg32 SKIPEVTINTRAWSTAT:1; reg32 CRYPTINTRAWSTAT:1; reg32 ERRORINTRAWSTAT:1; reg32 GROSSTGTIMINTRAWSTAT:1; reg32 FINETGTIMINTRAWSTAT:1; reg32 TIMESTAMPTGTINTRAWSTAT:1; reg32 SWINTRAWSTAT:1; reg32 AUDIOINT0RAWSTAT:1; reg32 AUDIOINT1RAWSTAT:1; reg32 AUDIOINT2RAWSTAT:1; reg32 reserved_16_31:16; } B; } INTRAWSTAT; union { uint32_t R; struct { reg32 CLKNINTACK:1; reg32 TXINTACK:1; reg32 RXINTACK:1; reg32 SLPINTACK:1; reg32 STARTEVTINTACK:1; reg32 ENDEVTINTACK:1; reg32 SKIPEVTINTACK:1; reg32 CRYPTINTACK:1; reg32 ERRORINTACK:1; reg32 GROSSTGTIMINTACK:1; reg32 FINETGTIMINTACK:1; reg32 TIMESTAMPTGTINTACK:1; reg32 SWINTACK:1; reg32 AUDIOINT0ACK:1; reg32 AUDIOINT1ACK:1; reg32 AUDIOINT2ACK:1; reg32 reserved_16_31:16; } B; } INTACK; union { uint32_t R; struct { reg32 SCLK:28; reg32 reserved_28_29:2; reg32 CLKN_UPD:1; reg32 SAMP:1; } B; } SLOTCLK; union { uint32_t R; struct { reg32 FINECNT:10; reg32 reserved_10_31:22; } B; } FINETIMECNT; union { uint32_t R; struct { reg32 CURRENTRXDESCPTR:15; reg32 reserved_15_15:1; reg32 ETPTR:16; } B; } ET_CURRENTRXDESCPTR; union { uint32_t R; struct { reg32 OSC_SLEEP_EN:1; reg32 RADIO_SLEEP_EN:1; reg32 DEEP_SLEEP_ON:1; reg32 DEEP_SLEEP_CORR_EN:1; reg32 SOFT_WAKEUP_REQ:1; reg32 reserved_05_14:10; reg32 DEEP_SLEEP_STAT:1; reg32 reserved_16_30:15; reg32 EXTWKUPDSB:1; } B; } DEEPSLCNTL; union { uint32_t R; struct { reg32 DEEPSLTIME:32; } B; } DEEPSLWKUP; union { uint32_t R; struct { reg32 DEEPSLDUR:32; } B; } DEEPSLSTAT; union { uint32_t R; struct { reg32 TWRM:10; reg32 TWOSC:11; reg32 TWEXT:11; } B; } ENBPRESET; union { uint32_t R; struct { reg32 FINECNTCORR:10; reg32 reserved_10_31:22; } B; } FINECNTCORR; union { uint32_t R; struct { reg32 CLKNCNTCORR:27; reg32 reserved_28_30:3; reg32 ABS_DELTA:1; } B; } CLKNCNTCORR; uint32_t reserved_48[2]; union { uint32_t R; struct { reg32 DIAG0:7; reg32 DIAG0_EN:1; reg32 DIAG1:7; reg32 DIAG1_EN:1; reg32 DIAG2:7; reg32 DIAG2_EN:1; reg32 DIAG3:7; reg32 DIAG3_EN:1; } B; } DIAGCNTL; union { uint32_t R; struct { reg32 DIAG0STAT:8; reg32 DIAG1STAT:8; reg32 DIAG2STAT:8; reg32 DIAG3STAT:8; } B; } DIAGSTAT; union { uint32_t R; struct { reg32 EM_ADDMAX:16; reg32 REG_ADDMAX:16; } B; } DEBUGADDMAX; union { uint32_t R; struct { reg32 EM_ADDMIN:16; reg32 REG_ADDMIN:16; } B; } DEBUGADDMIN; union { uint32_t R; struct { reg32 TXCRYPT_ERROR:1; reg32 RXCRYPT_ERROR:1; reg32 PKTCNTL_EMACC_ERROR:1; reg32 RADIO_EMACC_ERROR:1; reg32 EVT_SCHDL_ENTRY_ERROR:1; reg32 EVT_SCHDL_APFM_ERROR:1; reg32 EVT_CNTL_APFM_ERROR:1; reg32 WHITELIST_ERROR:1; reg32 IFS_UNDERRUN:1; reg32 ADV_UNDERRUN:1; reg32 LLCHMAP_ERROR:1; reg32 CSFORMAT_ERROR:1; reg32 TXDESC_EMPTY_ERROR:1; reg32 RXDESC_EMPTY_ERROR:1; reg32 TXDATA_PTR_ERROR:1; reg32 RXDATA_PTR_ERROR:1; reg32 RAL_ERROR:1; reg32 RAL_UNDERRUN:1; reg32 TMAFS_UNDERRUN:1; reg32 TXAEHEADER_PTR_ERROR:1; reg32 PHY_ERROR:1; reg32 reserved_21_31:11; } B; } ERRORTYPESTAT; union { uint32_t R; struct { reg32 SWPROF:32; } B; } SWPROFILING; uint32_t reserved_68[2]; union { uint32_t R; struct { reg32 SPIGO:1; reg32 SPICOMP:1; reg32 reserved_02_03:2; reg32 SPIFREQ:2; reg32 reserved_06_06:1; reg32 SPICFG:1; reg32 reserved_08_15:8; reg32 SPIPTR:16; } B; } RADIOCNTL0; union { uint32_t R; struct { reg32 SUBVERSION:4; reg32 XRFSEL:6; reg32 reserved_10_11:2; reg32 JEF_SELECT:1; reg32 DPCORR_EN:1; reg32 SYNC_PULSE_SRC:1; reg32 SYNC_PULSE_MODE:1; reg32 FORCEAGC_LENGTH:12; reg32 TXDNSL:1; reg32 RXDNSL:1; reg32 FORCEBLEIQ:1; reg32 FORCEAGC_EN:1;SYNCERR } B; } RADIOCNTL1; union { uint32_t R; struct { reg32 FREQTABLE_PTR:16; reg32 SYNCERR:3; reg32 reserved_19_19:1; reg32 LRSYNCERR:2; reg32 PHYMSK:2; reg32 LRVTBFLUSH:5; reg32 RXCITERMBYPASS:1; reg32 LRSYNCCOMPMODE:2; } B; } RADIOCNTL2;union { uint32_t R; struct { reg32 TXVALID_BEH:2; reg32 reserved_02_07:6; reg32 TXRATE0CFG:2; reg32 TXRATE1CFG:2; reg32 TXRATE2CFG:2; reg32 TXRATE3CFG:2; reg32 RXVALID_BEH:2; reg32 RXSYNC_ROUTING:1; reg32 reserved_19_23:5; reg32 RXRATE0CFG:2; reg32 RXRATE1CFG:2; reg32 RXRATE2CFG:2; reg32 RXRATE3CFG:2; } B; } RADIOCNTL3; union { uint32_t R; struct { reg32 TXPWRUP0:8; reg32 TXPWRDN0:7; reg32 reserved_15_15:1; reg32 RXPWRUP0:8; reg32 SYNC_POSITION0:8; } B; } RADIOPWRUPDN0;union { uint32_t R; struct { reg32 TXPWRUP1:8; reg32 TXPWRDN1:7; reg32 reserved_15_15:1; reg32 RXPWRUP1:8; reg32 SYNC_POSITION1:8; } B; } RADIOPWRUPDN1; union { uint32_t R; struct { reg32 TXPWRUP2:8; reg32 TXPWRDN2:7; reg32 reserved_15_15:1; reg32 RXPWRUP2:8; reg32 SYNC_POSITION2:8; } B; } RADIOPWRUPDN2; union { uint32_t R; struct { reg32 TXPWRUP3:8; reg32 TXPWRDN3:7; reg32 reserved_15_31:17; } B; } RADIOPWRUPDN3; union { uint32_t R; struct { reg32 TXPATHDLY0:7; reg32 reserved_07_07:1; reg32 RXPATHDLY0:7; reg32 reserved_15_15:1; reg32 RFRXTMDA0:7; reg32 reserved_23_23:1; reg32 reserved_24_31:8; } B; } RADIOTXRXTIM0; union { uint32_t R; struct { reg32 TXPATHDLY1:7; reg32 reserved_07_07:1; reg32 RXPATHDLY1:7; reg32 reserved_15_15:1; reg32 RFRXTMDA1:7; reg32 reserved_23_23:1; reg32 reserved_24_31:8; } B; } RADIOTXRXTIM1; uint32_t reserved_98_9C[2]; union { uint32_t R; struct { reg32 TXONPTR:16; reg32 TXOFFPTR:16; } B; } SPIPTRCNTL0; union { uint32_t R; struct { reg32 RXONPTR:16; reg32 RXOFFPTR:16; } B; } SPIPTRCNTL1; union { uint32_t R; struct { reg32 RSSIPTR:16; reg32 RXLENGTHPTR:16; } B; } SPIPTRCNTL2; union { uint32_t R; struct { reg32 RXPKTTYPPTR:16; reg32 reserved_16_31:16; } B; } SPIPTRCNTL3; union { uint32_t R; struct { reg32 AES_START:1; reg32 AES_MODE:1; reg32 reserved_02_31:30; } B; } AESCNTL; union { uint32_t R; struct { reg32 AESKEY31_0:32; } B; } AESKEY31_0; union { uint32_t R; struct { reg32 AESKEY63_32:32; } B; } AESKEY63_32; union { uint32_t R; struct { reg32 AESKEY95_64:32; } B; } AESKEY95_64; union { uint32_t R; struct { reg32 AESKEY127_96:32; } B; } AESKEY127_96; union { uint32_t R; struct { reg32 AESPTR:16; reg32 reserved_16_31:16; } B; } AESPTR; union { uint32_t R; struct { reg32 TXMICVAL:32; } B; } TXMICVAL; union { uint32_t R; struct { reg32 RXMICVAL:32; } B; } RXMICVAL; union { uint32_t R; struct { reg32 TXLENGTH:9; reg32 reserved_09_10:2; reg32 TXPKTCNTEN:1; reg32 TXPLDSRC:1; reg32 PRBSTYPE:1; reg32 TXLENGTHSRC:1; reg32 INFINITETX:1; reg32 reserved_16_23:8; reg32 PERCOUNT_MODE:2; reg32 reserved_26_26:1; reg32 RXPKTCNTEN:1; reg32 reserved_28_30:3; reg32 INFINITERX:1; } B; } RFTESTCNTL; union { uint32_t R; struct { reg32 TXPKTCNT:32; } B; } RFTESTTXSTAT; union { uint32_t R; struct { reg32 RXPKTCNT:32; } B; } RFTESTRXSTAT; uint32_t reserved_DC[1]; union { uint32_t R; struct { reg32 PREFETCH_TIME:9; reg32 reserved_09_15:7; reg32 PREFETCHABORT_TIME:10; reg32 reserved_26_30:5; reg32 APFM_EN:1; } B; } TIMGENCNTL; union { uint32_t R; struct { reg32 GROSSTARGET:23; reg32 reserved_23_31:9; } B; } GROSSTIMTGT; union { uint32_t R; struct { reg32 FINETARGET:28; reg32 reserved_28_31:5; } B; } FINETIMTGT; union { uint32_t R; struct { reg32 CLKNTGT:28; reg32 reserved_28_31:4; } B; } CLKNTGT; union { uint32_t R; struct { reg32 HMICROSECTGT:10; reg32 reserved_10_31:22; } B; } HMICROSECTGT; uint32_t reserved_F4[3]; union { uint32_t R; struct { reg32 ENTRY_IDX:4; reg32 reserved_04_30:27; reg32 START_EVT:1; } B; } LESCHCNTL; union { uint32_t R; struct { reg32 STARTEVTCLKNTS:28; reg32 reserved_28_31:4; } B; } STARTEVTCLKNTS; union { uint32_t R; struct { reg32 STARTEVTFINECNTTS:10; reg32 reserved_10_31:22; } B; } STARTEVTFINECNTTS; union { uint32_t R; struct { reg32 ENDEVTCLKNTS:28; reg32 reserved_28_31:4; } B; } ENDEVTCLKNTS; union { uint32_t R; struct { reg32 ENDEVTFINECNTTS:10; reg32 reserved_10_31:22; } B; } ENDEVTFINECNTTS; union { uint32_t R; struct { reg32 SKIPEVTCLKNTS:28; reg32 reserved_28_31:4; } B; } SKIPEVTCLKNTS; union { uint32_t R; struct { reg32 SKIPEVTFINECNTTS:10; reg32 reserved_10_31:22; } B; } SKIPEVTFINECNTTS; uint32_t reserve_11C[1]; union { uint32_t R; struct { reg32 ADVINT:14; reg32 reserved_14_15:2; reg32 RX_AUXPTR_THR:8; reg32 TX_AUXPTR_THR:8; } B; } ADVTIM; union { uint32_t R; struct { reg32 UPPERLIMIT:9; reg32 reserved_09_15:7; reg32 BACKOFF:9; reg32 reserved_25_31:7; } B; } ACTSCANCNTL; uint32_t reserved_128[2]; union { uint32_t R; struct { reg32 WLBASEPTR:16; reg32 WLNBDEV:8; reg32 reserved_24_31:8; } B; } WLCNTL; union { uint32_t R; struct { reg32 WLCURRENTPTR:16; reg32 reserved_16_31:16; } B; } WLCURRENTPTR; union { uint32_t R; struct { reg32 PERADVLBASEPTR:16; reg32 PERADVLNBDEV:8; reg32 reserved_24_31:8; } B; } PERADVLCNTL; union { uint32_t R; struct { reg32 PERADVLCURRENTPTR:16; reg32 reserved_16_31:16; } B; } PERADVLCURRENTPTR; union { uint32_t R; struct { reg32 ADILBASEPTR:16; reg32 NBADI:8; reg32 reserved_24_31:8; } B; } ADILCNTL; union { uint32_t R; struct { reg32 ADILCURRENTPTR:16; reg32 reserved_16_31:16; } B; } ADILCURRENTPTR; union { uint32_t R; struct { reg32 SEARCH_TIMEOUT:6; reg32 reserved_6_31:26; } B; } SEARCH_TIMEOUT; uint32_t reserved_14C[1]; union { uint32_t R; struct { reg32 COEX_EN:1; reg32 SYNCGEN_EN:1; reg32 MWSCOEX_EN:1; reg32 MWSWCI_EN:1; reg32 RXMSK:2; reg32 TXMSK:2; reg32 MWSRXMSK:2; reg32 MWSTXMSK:2; reg32 MWSRXFREQMSK:2; reg32 MWSTXFREQMSK:2; reg32 WLCTXPRIOMODE:2; reg32 WLCRXPRIOMODE:2; reg32 MWSSCANFREQMSK:2; reg32 reserved_22_23:2; reg32 reserved_24_31:8; } B; } COEXIFCNTL0; union { uint32_t R; struct { reg32 WLCPDELAY:7; reg32 reserved_07_07:1; reg32 WLCPDURATION:7; reg32 reserved_15_15:1; reg32 WLCPTXTHR:5; reg32 reserved_21_23:3; reg32 WLCPRXTHR:5; reg32 reserved_29_31:3; } B; } COEXIFCNTL1; union { uint32_t R; struct { reg32 TX_ANT_DELAY:4; reg32 reserved_04_07:4; reg32 RX_ANT_DELAY:4; reg32 reserved_12_15:4; reg32 reserved_16_31:16; } B; } COEXIFCNTL2; union { uint32_t R; struct { reg32 BLEM0:4; reg32 BLEM1:4; reg32 BLEM2:4; reg32 BLEM3:4; reg32 BLEM4:4; reg32 BLEM5:4; reg32 BLEM6:4; reg32 BLEM7:4; } B; } BLEMPRIO0; union { uint32_t R; struct { reg32 BLEM8:4; reg32 BLEM9:4; reg32 reserved_08_27:20; reg32 BLEMDEFAULT:4; } B; } BLEMPRIO1; uint32_t reserved_164[3]; union { uint32_t R; struct { reg32 RALBASEPTR:16; reg32 RALNBDEV:8; reg32 reserved_24_31:8; } B; } RALCNTL; union { uint32_t R; struct { reg32 RALCURRENTPTR:16; reg32 reserved_16_31:16; } B; } RALCURRENTPTR; union { uint32_t R; struct { reg32 LRND_VAL:22; reg32 reserved_22_30:9; reg32 LRND_INIT:1; } B; } RAL_LOCAL_RND; union { uint32_t R; struct { reg32 PRND_VAL:22; reg32 reserved_22_30:9; reg32 PRND_INIT:1; } B; } RAL_PEER_RND; //0x180 //ignore //ISO Channel Registers} BLE_LINK_V9_T;#define LINK_BASE 0x28000000#define BLE_LINK ((BLE_LINK_V9_T* )(LINK_BASE)) |
L3
Controller用Exchange Memory与L2蓝牙BP通信,链路寄存器ET_CURRENTRXDESCPTR配置相关,低功耗版本Exchange Memory相关寄存器定义和描述可以收集到,由于低功耗版本的Controller某些版本源码有流出,重点关注经典蓝牙版本的Controller的逆向,以静态库文件ld_page.o的ld_page_em_init为例,ghidra反编译后的源码可能如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 | #define REG_EM_BASE_ADDR (0x28010000)#define EM_BT_CS_OFFSET (0x4ca8)#define REG_EM_BT_CS_SIZE (0x60)#define EM_BT_FRCNTL_INDEX (0x00000000)#define EM_BT_FRCNTL_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_FRCNTL_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_CLKOFF0_INDEX (0x00000001)#define EM_BT_CLKOFF0_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_CLKOFF0_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_CLKOFF1_INDEX (0x00000002)#define EM_BT_CLKOFF1_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_CLKOFF0_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_LINKCNTL_INDEX (0x00000003)#define EM_BT_LINKCNTL_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_LINKCNTL_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_BDADDR_INDEX (0x00000004)#define EM_BT_BDADDR (REG_EM_BT_BASE_ADDR +EM_BT_BDADDR_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_BCH0_INDEX (0x00000007)#define EM_BT_BCH0_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_BCH0_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_BCH1_INDEX (0x00000008)#define EM_BT_BCH1_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_BCH1_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_RXMAXBUF_BCH2_INDEX (0x00000009)#define EM_BT_RXMAXBUF_BCH2_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_RXMAXBUF_BCH2_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_PWRCNTL_INDEX (0x0000000A)#define EM_BT_PWRCNTL_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_PWRCNTL_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_TXRXCNTL_INDEX (0x0000000B)#define EM_BT_TXRXCNTL_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_TXRXCNTL_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_WINCNTL_INDEX (0x0000000C)#define EM_BT_WINCNTL_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_WINCNTL_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_TXDESCPTR_INDEX (0x0000000D)#define EM_BT_TXDESCPTR_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_TXDESCPTR_INDEX*2+EM_BT_CS_OFFSET)#define EM_BT_TXDESC_OFFSET (0x4f88)#define REG_EM_BT_TXDESC_SIZE (2*12)#define EM_BT_TXPTR_INDEX (0x00000000)#define EM_BT_TXPTR_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_TXPTR_INDEX*2+EM_BT_TXDESC_OFFSET)#define EM_BT_TXHEADER_INDEX (0x00000001)#define EM_BT_TXHEADER_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_TXHEADER_INDEX*2+EM_BT_TXDESC_OFFSET)#define EM_BT_TXPHEADER_INDEX (0x00000002)#define EM_BT_TXPHEADER_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_TXPHEADER_INDEX*2+EM_BT_TXDESC_OFFSET)#define EM_BT_TXACLBUFPTR_INDEX (0x00000003)#define EM_BT_TXACLBUFPTR_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_TXACLBUFPTR_INDEX*2+EM_BT_TXDESC_OFFSET)#define EM_BT_TXLMBUFPTR_INDEX (0x00000004)#define EM_BT_TXLMBUFPTR_ADDR (REG_EM_BT_BASE_ADDR +EM_BT_TXLMBUFPTR_INDEX*2+EM_BT_TXDESC_OFFSET)//v8 sizeof(ld_page_env_tag)=0x58//v10 sizeof(ld_page_env_tag)=0x5Cunion ld_page_env_tag_v10{ unit8_t reserved_00[0x5C]; struct { uint8_t value[0x5C]; } R;}//ld_page_env_tag_v10 ld_page_env;/** * Frame Format * - 0000x: Do not use. * - 00010: Master connect. * - 00011: Slave connect. * - 00100: Page. * - 00101: Page scan. * - 00110: Master page response. * - 00111: Slave page response. * - 01000: Inquiry. * - 01001: Inquiry response. * - 01010: Do not use. * - 01011: Do not use. * - 011xx: Do not use. * - 10xxx: Do not use. * - 11000: Master Broadcast. * - 11001: Broadcast Scan. * - 11010: Master Access window. * - 11011: Slave Access window 1. * - 11100: Slave Access window 2. * - 11101: Do not use. * - 1111x: Do not use */#define EM_BT_CS_FMT_MST_CONNECT 0x02#define EM_BT_CS_FMT_SLV_CONNECT 0x03#define EM_BT_CS_FMT_PAGE 0x04#define EM_BT_CS_FMT_PAGE_SCAN 0x05#define EM_BT_CS_FMT_MST_PAGE_RSP 0x06#define EM_BT_CS_FMT_SLV_PAGE_RSP 0x07#define EM_BT_CS_FMT_INQUIRY 0x08#define EM_BT_CS_FMT_INQ_RSP 0x09#define EM_BT_CS_FMT_MST_BCST 0x18#define EM_BT_CS_FMT_BCST_SCAN 0x19#define EM_BT_CS_FMT_MST_ACC_WIN 0x1A#define EM_BT_CS_FMT_SLV_ACC_WIN1 0x1B#define EM_BT_CS_FMT_SLV_ACC_WIN2 0x1C#define ld_page_env 0void ld_page_em_init(void){ //cs_index=ld_page_env.cs_index; uint8_t cs_index=*(uint8_t *)(ld_page_env + 0x45); uint32_t t1=(uint32_t)cs_index*REG_EM_BT_CS_SIZE; //0x8 7 4 4=0b 1000 0111 0100 0100 //.FPOLL=1 .FWMSPATT=0 .TXBSY_EN=1 .RXBSY_EN=1 //.DNABORT=1 .SAM_EN=1 .LSAM_DSB=0 //.FORMAT=4 //em_bt_frcntl_pack(cs_index,1,0,1,1,1,1,0,EM_BT_CS_FMT_PAGE) *(uint16_t *)(t1+EM_BT_FRCNTL_ADDR)=0x8744; //em_bt_bdaddr_setf(cs_index,0,ld_env.bdaddr[0]) *(uint16_t *)(t1+EM_BT_BDADDR+0*2)=*(uint16_t *)(ld_page_env+ 0x2C); //em_bt_bdaddr_setf(cs_index,1,ld_env.bdaddr[1]) *(uint16_t *)(t1+EM_BT_BDADDR+1*2)=*(uint16_t *)(ld_page_env+ 0x2E); ////em_bt_bdaddr_setf(cs_index,2,ld_env.bdaddr[2]) *(uint16_t *)(t1+EM_BT_BDADDR+2*2)=*(uint16_t *)(ld_page_env+ 0x30); *(uint16_t *)(t1+EM_BT_BCH0_ADDR)=*(uint16_t *)(ld_page_env+ 0x48); *(uint16_t *)(t1+EM_BT_BCH1_ADDR)=*(uint16_t *)(ld_page_env+ 0x4A); *(uint16_t *)(t1+EM_BT_RXMAXBUF_BCH2_ADDR)=*(uint16_t *)(ld_page_env+ 0x4C)& 3; *(uint16_t *)(t1+EM_BT_PWRCNTL_ADDR)=0x8097; *(uint16_t *)(t1+EM_BT_TXRXCNTL_ADDR)=0; *(uint16_t *)(t1+0x28014d04)=0; *(uint16_t *)(t1+0x28014cc0)=0x1a; *(uint16_t *)(t1+0x28014caa)=*(uint16_t *)(ld_page_env+ 0x40); *(uint16_t *)(t1+0x28014cac)=0; *(uint16_t *)(t1+0x28014cae)=(uint16_t)cs_index; uint8_t status = *(uin8_t *)(ld_page_env+ 0x58); if (status==0){ uint8_t txdesc_index=(cs_index & 0x7f); uint32_t t2=txdesc_index * REG_EM_BT_TXDESC_SIZE; //em_bt_txheader_pack(txdesc_index,…) *(uint16_t *)(t2+EM_BT_TXHEADER_ADDR)=0x390; //em_bt_txpheader_pack *(uint16_t *)(t2+EM_BT_TXPHEADER_ADDR)=0x92; *(uint16_t *)(t2+EM_BT_TXLMBUFPTR_ADDR)=0; *(uint16_t *)(t2+EM_BT_TXLMBUFPTR_ADDR)=0x50f4; *(uint16_t *)(t2+EM_BT_TXPTR_ADDR)=0; *(uint16_t *)(t2+EM_BT_TXDESCPTR_ADDR)=(uint16_t)(t2+0x4f88 >> 2 ); }else { *(uint16_t *)(t2+EM_BT_TXDESCPTR_ADDR)=0; } *(uint16_t *)(t1+0x28014cc4)=0; *(uint16_t *)(t1+0x28014cc6)=0; *(uint16_t *)(t1+0x28014cc8)=0; *(uint16_t *)(t1+0x28014cca)=0; *(uint16_t *)(t1+0x28014ccc)=0; *(uint16_t *)(t1+0x28014cce)=0; *(uint16_t *)(t1+0x28014cd0)=0; *(uint16_t *)(t1+0x28014d06)=0; return;} |
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
最后于 2023-4-18 13:16
被vasthao编辑
,原因:
赞赏
|
|
|---|---|
|
|
他的文章
