Prism Firmware Header

organization of the firmware header

Disclaimer

This document describes the organization of the data in the header of the prism54 firmware files. Please bear in mind that I have no idea what the data actually means! But this way, you'll be able to distinguish what is "data" in the header from what is merely "control", and to relate data from different headers in a meaningful way. This is meant to reduce the complexity of reverse-engineering, but is in no way a complete reverse-engineering of the file format.

Example from p54u_2.5.8.0.arm

You can open the file in emacs with M-x hexl-find-file, which yields the following:

00000000: 0000 a0e1 80f3 9fe5 0000 0000 0000 0000  ................
00000010: 0000 0000 0100 0080 0100 0000 4c4d 3836  ............LM86
00000020: 0200 0080 0600 0000 322e 352e 382e 3000  ........2.5.8.0.
00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000040: 0400 0080 0500 0000 0000 1a00 0003 0003  ................
00000050: 0003 0000 1b00 0100 0100 0100 0101 0080  ................
00000060: 0a00 0000 0300 0000 0002 0200 1477 0200  .............w..
00000070: 6404 01ff 0f08 fb00 0204 0b16 0c12 1824  d..............$
00000080: 3048 606c 0000 0000 0000 0000 ff00 00ff  0H`l............
00000090: 0500 0000 c198 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 5665 7273 696f 6e20  ........Version 
000000b0: 322e 352e 382e 3020 6275 696c 7420 6f6e  2.5.8.0 built on
000000c0: 2046 7269 204d 6179 2031 3420 3136 3a31   Fri May 14 16:1
000000d0: 393a 3530 2043 4553 5420 3230 3034 2062  9:50 CEST 2004 b
000000e0: 7920 696e 6c62 7569 6c64 4074 6978 0000  y inlbuild@tix..

Now let's have a look at the organization of all this. Real data starts at offset 0x14, where we have the 32-bit little-endian word 0x80000001. This is an "option" identifier. The length of the option is specified in the following 32-bit little-endian word, 0x00000001, as a multiple of 32 bits (i.e. in 4-byte units). In this case, the data is the single 32-bit word 4c4d3836.

Let's sum up, we've seen

1/ option 0x80000001

2/ of length 0x00000001 (this is 4 bytes)

3/ whose data is 0x4c4d3836, which we clearly see is the string "LM86"

The option 0x80000001 is a string. In all softmac firmwares you'll see that it is set to LM86.

Let's try to decode the next option. Its identifier here is 0x80000002 and its length is 0x00000006, which is 24 bytes.

Note :

There's no guarantee at all on the order of the options. That's why there's an option identifier in the first place. This is actually good, because it means that you have no difficulty relating some data from a firmware header to some other data in another firmware header: you should link them strongly if they are part of the same option.

This option is also a string, "2.5.8.0". Please note that this time around, the string does not fill the whole option length; the remainder is padded with zeroes up to the next option, which starts at offset 0x40 in the file.

We thus go from option to option up to the last option, whose identifier is always 0xff0000ff, whose length here is 0x5 (that's 20 bytes), and which is invariably followed by the full version string. After this starts the actual PACKPACKPACK data, and this is another story altogether :)

TODO: parse all available firmware and try to relate the header data to the firmware type, so that we can tell at bootup if we're using the right firmware or not.

TODO2: relate this data to the "lmac addresses" encoded into the driver. This is more difficult.

TODO3: make any sense of the data therein... For instance, it seems to me that the following option:

00000050: XXXX XXXX XXXX XXXX XXXX XXXX 0101 0080  ................
00000060: 0a00 0000 0300 0000 0002 0200 1477 0200  .............w..
00000070: 6404 01ff 0f08 fb00 0204 0b16 0c12 1824  d..............$
00000080: 3048 606c 0000 0000 0000 0000 XXXX XXXX  0H`l............

contains a rate set:

02 04 0b 16, the CCK rates of 802.11b ;

0c 12 18 24 30 48 60 6c, the OFDM rates of 802.11g.

(see for instance ieee80211.h in Jeff Garzik's ieee80211 kernel branch in netdev git repo)

Other ideas ?