Inside the Silicon Labs EZRadioPRO

Reverse engineering the SiLabs EZRadioPRO family of RF ICs with the goal of writing custom firmware patches.

To avoid copyright violations, this repository does not contain firmware images or documents auto-generated from SiLabs binaries. Use the provided Python scripts to extract firmware images or generate documentation.

Pull requests are welcome, especially reverse engineering notes that augment documentation.

Progress

  • Dump all memory address spaces, including CODE and NVM
    • Si4362-B1B, Si4362-C2A, Si4460-C2A, Si4463-B1B, Si4467-A2A, Si4438-C2A
  • Run custom code on radio IC
  • Reverse engineered patch mechanism and created tooling for custom firmware patches
  • Analyze and annotate large parts of the firmware using radare2
    • Si4362-C2A: bootloader, main application image (FUNC1)
  • Found internal documentation for API and registers hidden in WDS
  • Created tooling for firmware analysis with Ghidra

Documentation

Tools

  • tools/ezradiopro.py: Python library and command line tool to talk to radio, dump memory and upload custom code.
  • docs/generate-docs.py: Python script generating HTML documentation from information hidden in SiLabs WDS executable.
  • tools/wds-xml-extract.py: Python script to extract XML files with internal documentation hidden in SiLabs WDS.
  • tools/patchcrypto.py: Python script to decrypt and encrypt firmware patches.
  • tools/ihex2patch.py: Python script to create patch file from Intel hex file.
  • ghidra: Tooling to analyze dumped firmware with Ghidra, including custom processor definition for 8051 core and plugin to import EZRadioPRO registers
  • radare2: Tooling to analyze dumped firmware with radare2, including firmware annotations.
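The ihex2patch step above starts from an Intel HEX file produced by an 8051 assembler. As an added example (not the project's tools/ihex2patch.py, which is not reproduced here), the following parser does the front half of that job: it decodes records, verifies each record checksum, and merges data into contiguous address segments. The choice to accept only record types 00, 01 and 04 is an assumption made here because 8051 CODE space is 16-bit, and the sample records are constructed for the example.

```python
"""Added example, not the project's own tool: Intel HEX -> checksum-verified
contiguous memory segments, the input a patch builder would consume.
Assumption: only data (00), EOF (01) and extended linear address (04)
records are needed for a 16-bit 8051 CODE image; anything else is rejected."""

DATA, EOF, EXT_LINEAR = 0x00, 0x01, 0x04


def parse_record(line):
    """Decode one ':LLAAAATT<data>CC' record into (type, address, data).
    Raises ValueError on malformed records or a bad checksum."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5:
        raise ValueError("record too short")
    length, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
    if len(raw) != 5 + length:
        raise ValueError(f"length field {length} does not match record size")
    data, checksum = raw[4:4 + length], raw[-1]
    # Checksum is the two's complement of the byte sum of everything before it,
    # so adding it back must give zero modulo 256.
    if (sum(raw[:-1]) + checksum) & 0xFF != 0:
        raise ValueError(f"checksum mismatch in record at {addr:#06x}")
    return rtype, addr, data


def parse_ihex(text):
    """Return a sorted list of (start_address, bytes) segments, merging
    records that abut each other and rejecting overlapping data."""
    base = 0
    pieces = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rtype, addr, data = parse_record(line)
        if rtype == EOF:
            break
        if rtype == EXT_LINEAR:
            base = int.from_bytes(data, "big") << 16
            continue
        if rtype != DATA:
            raise ValueError(f"unsupported record type {rtype:#04x} on line {lineno}")
        pieces.append((base + addr, data))
    else:
        raise ValueError("missing EOF record")

    pieces.sort(key=lambda p: p[0])
    segments = []
    for start, data in pieces:
        if segments:
            prev_start, prev_data = segments[-1]
            prev_end = prev_start + len(prev_data)
            if prev_end == start:
                prev_data += data
                continue
            if prev_end > start:
                raise ValueError(f"overlapping data at {start:#06x}")
        segments.append((start, bytearray(data)))
    return [(s, bytes(d)) for s, d in segments]


# Constructed sample: an extended-linear-address record, three data records
# given out of order (two of them contiguous at 0x0800) and the EOF record.
SAMPLE_HEX = """\
:020000040000FA
:03080000020803E8
:01090000AA4C
:0208030080FE75
:00000001FF
"""

if __name__ == "__main__":
    for start, data in parse_ihex(SAMPLE_HEX):
        print(f"{start:#06x}: {data.hex()}")
```

Running the block prints one line per segment; a patch builder would then turn each (address, bytes) pair into whatever write records the patch format expects, which this example deliberately does not guess at.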

Findings

The digital portion of the radio is run by an 8051 core, which implements:

  • Boot and power up process
  • Most of the SPI API (exceptions: CTS, FIFO read/write, FRR access)
  • Device state machine and interrupts, watchdog timer, IRCAL, channel hopping
  • Majority of packet handler functionality

The remaining functionality is implemented in hardware:

  • SPI communication is handled by a dedicated peripheral using DMA to interact with 8051 address space.
  • GPIO seems to be controlled by multiplexers, with only indirect ways for the 8051 MCU to interact with pins.
  • According to patents, the RF modem is implemented with a DSP. No access to DSP RAM or firmware has been found (yet).

Members of the EZRadio and EZRadioPRO product families share the same silicon die, and are differentiated at the factory through one-time programming (OTP) of non-volatile memory (NVM). See also this patent. Evidence for this conclusion includes:

  • Register maps and firmware ROM are identical across parts of the same revision (B1B, C2A/A2A), but differ significantly between older B1B and newer C2A/A2A parts.
  • Code in RAM is identical among the C2A parts investigated, with small differences compared to A2A parts.
  • Code in RAM, hardware presets and calibration data is copied from NVM during boot and power up.
  • Content of NVM is significantly different between C2A and A2A parts.
  • NVM organization and locking is similar to what's described in application note AN518 Si4010 Memory Overlay Technique.
  • The firmware of EZRadioPRO parts includes code for EZConfig commands, which are only documented for the EZRadio product family (Si4355, Si4455).
  • The string si4440 found towards the end of the firmware ROM matches die marking found on Si4362-C2A. It also was found in the Si4355 by TechInsights.
  • High resolution die shot courtesy of Travis Goodspeed, unfortunately with most of the digital section hidden under a metal layer.