====== Disassembling the ROM ======

To access the USB endpoints, disassembling the ROM may be preferred, since it is only 4k (well, if it is like the 3886). To obtain a dump, the SoftMAC firmware was started and attempts were made to send LMAC frames in the 0xe0000000 memory area. This obviously crashed the device, but it sometimes sent portions of the ROM.

So far, the first 1089 bytes of the ROM are available: {{re:3887_rom_start.bin.gz}}

Disassembly yields consistent code: {{re:3887_rom_start.asm.gz}} (with some comments, but there is not much of interest for now; in particular the hardware addresses are not available, because they are mainly in the data zone of the Thumb code, which is missing since it sits at the end of the ROM).

====== Disassembling the uncompressed firmware ======

{{re:2_13_87_uncompressed.asm.gz}}

{{re:2_13_87_uncompressed_thumb.asm.gz}}

The unpacker does not access the endpoints; its code is exactly the same as in the PCI firmware.

The 2.13.1 uncompressed firmware was disassembled, and the 0x40 event handler code was followed, since that event was triggered on PCI IRQs with the 3886. It ends up executing at address 0x526e, in Thumb mode. It was a good bet: the code accesses an unknown memory area starting at 0xc1000000. This area seems divided into three parts:

  * 0xc1000000
  * 0xc1000200
  * 0xc1000400
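Since the hardware addresses live in the literal pools (the data zone the Thumb code loads with PC-relative LDRs), a quick way to locate every piece of code that touches the 0xc1000000 area is to scan the raw dump for word-aligned 32-bit constants falling into each of the three sub-ranges. The script below is an added example, not code from the original page; the sample blob is constructed, the load base of 0 is an assumption (pass the real one if the image is mapped elsewhere), and the upper bound of the third part (0xc1000600) is a guess, since the page only gives the start of each part.

```python
import struct

# Constructed sample standing in for a fragment of a firmware literal pool
# (little-endian 32-bit words). Not taken from a real 3887 dump.
SAMPLE_BLOB = struct.pack(
    "<6I",
    0xE0000000,  # LMAC frame area from the page, outside the region of interest
    0xC1000010,  # falls in the first part
    0x0000526E,  # a code address, not a hardware register
    0xC1000200,  # start of the second part
    0xC1000404,  # inside the third part
    0x12345678,  # unrelated constant
)

# The three parts named on the page; the end of the last one is an assumption.
REGIONS = [
    ("0xc1000000", 0xC1000000, 0xC1000200),
    ("0xc1000200", 0xC1000200, 0xC1000400),
    ("0xc1000400", 0xC1000400, 0xC1000600),  # assumed 0x200-wide like the others
]


def find_pointers(blob, lo, hi, base=0, step=4):
    """Return (address, word) for every aligned little-endian word in [lo, hi).

    Literal pools are word-aligned in both ARM and Thumb code, so step=4 is
    correct when `base` is word-aligned; use step=2 for an unaligned dump
    fragment such as a partial ROM capture.
    """
    hits = []
    for off in range(0, len(blob) - 3, step):
        (word,) = struct.unpack_from("<I", blob, off)
        if lo <= word < hi:
            hits.append((base + off, word))
    return hits


def classify(blob, regions=REGIONS, base=0):
    """Group literal-pool hits by the sub-range of the 0xc1000000 area they point into."""
    return {name: find_pointers(blob, lo, hi, base=base) for name, lo, hi in regions}


def report(blob, base=0):
    """Human-readable listing: one line per hit, offset of the literal and the target."""
    lines = []
    for name, hits in classify(blob, base=base).items():
        for addr, word in hits:
            lines.append(f"{name}: literal at 0x{addr:08x} -> 0x{word:08x}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_BLOB):
        print(line)
```

Run it against the uncompressed image (`open(path, "rb").read()`) with the correct `base`; each reported literal offset can then be looked up in the disassembly to find the LDR that uses it, which gives the code paths that program each of the three parts.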