Linux e hacking: Recuperare un'interfaccia Ralink a 5 Ghz con EEPROM danneggiata senza riprogrammare il chip

Molti mesi fa , mi si danneggiò la EEPROM della mia ALFA dual-band, la situazione inizialmente sembrava tragica, la periferica non veniva neanche più riconosciuta ( i descrittori usb contenuti nella eeprom erano danneggiati ).
La eeprom di questa periferica difatti , nonostante tramite USB sia possibile leggerne i primi 0x110 byte , in realtà è da 0x400 byte ed all'indirizzo 0x200 inizia la parte dei descrittori USB la quale è utilizzata dal chipset.
Una volta dissaldata la eeprom si può notare che l'interfaccia wireless funziona di nuovo, però le funzionalità dual-band non ci sono più, ed anche il mac address è danneggiato.
Dato che i tentativi che ho fatto di sostituire la eeprom , un po' per sfortuna , un po' per la mia poca esperienza a lavorare in SMD sono andati male , ho tentato di modificare il driver, in modo che nel caso il chip id della eeprom sia 0xffff ( ovvero quando il chip non è presente ) , vada a caricare un file in /lib/firmware in modo da riconoscere correttamente l'id del chip RF ed altri parametri ( tipo le antenne da utilizzare )

Ho modificato il file rt2800usb.c del driver rt2x00 , modificando la funzione rt2800usb_read_eeprom nel seguente modo

static int rt2800usb_read_eeprom(struct rt2x00_dev *rt2x00dev)
{
int retval;
mm_segment_t fs;
struct file *f;
if (rt2800_efuse_detect(rt2x00dev))
retval = rt2800_read_eeprom_efuse(rt2x00dev);
else
{

retval = rt2x00usb_eeprom_read(rt2x00dev, rt2x00dev->eeprom,
EEPROM_SIZE);
if ( rt2x00dev->eeprom[0] == 0xffff ) //No eeprom chip
{
printk("rt2800usb: connected device has broken/missing eeprom chip\n");
f = filp_open("/lib/firmware/rt2800usb_eeprom.bin", O_RDONLY, 0);
if ( IS_ERR(f) )
{
printk("rt2800usb: Cannot load eeprom from /lib/firmware/rt2800usb_eeprom.bin\n");
return -1;
}
fs = get_fs();
set_fs(get_ds());
f->f_op->read(f,(char*)rt2x00dev->eeprom,EEPROM_SIZE,&f->f_pos);
set_fs(fs);

filp_close(f,NULL);
printk("rt2800usb: Loaded eeprom override\n");
}
}

return retval;
}

In questo modo il driver al collegamento di una periferica rt2800usb andrà a cercare un file in /lib/firmware/rt2800usb_eeprom.bin contenente la EEPROM da utilizzare.
Purtroppo ci sono delle limitazioni, ad esempio non si possono usare più ralink 2800usb con eeprom danneggiata nello stesso sistema.

Allego di seguito la eeprom della mia ALFA , dovete assolutamente modificare il mac address con il vostro , oppure metterne uno casuale ( è consigliabile lasciare inalterati i primi 3 byte )

0000:0000 | 70 27 04 01 00 C0 CA 32 | p'...ÀÊ2
0000:0008 | B7 FE FF FF FF FF FF FF | ·Dÿÿÿÿÿÿ
0000:0010 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0018 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0020 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0028 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0030 | FF FF FF FF 12 04 20 00 | ÿÿÿÿ.. .
0000:0038 | FF FF 15 01 FF FF FF FF | ÿÿ..ÿÿÿÿ
0000:0040 | FF FF FF FF 09 04 00 00 | ÿÿÿÿ....
0000:0048 | 00 04 00 00 00 03 FF FF | ......ÿÿ
0000:0050 | FF FF 02 02 02 02 02 03 | ÿÿ......
0000:0058 | 03 03 03 03 03 03 03 03 | ........
0000:0060 | 00 00 00 00 00 00 00 00 | ........
0000:0068 | 00 00 00 00 00 00 FF FF | ......ÿÿ
0000:0070 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0078 | 06 06 06 06 06 06 06 06 | ........
0000:0080 | 06 06 06 06 05 05 05 05 | ........
0000:0088 | 05 05 05 05 05 05 06 06 | ........
0000:0090 | 06 06 06 06 06 06 06 06 | ........
0000:0098 | 06 06 07 FF FF FF FF FF | ...ÿÿÿÿÿ
0000:00A0 | FF FF FF FF FF FF 00 00 | ÿÿÿÿÿÿ..
0000:00A8 | 00 00 00 00 00 00 00 00 | ........
0000:00B0 | 00 00 00 00 00 00 00 00 | ........
0000:00B8 | 00 00 00 00 00 00 00 00 | ........
0000:00C0 | 00 00 00 00 00 00 00 00 | ........
0000:00C8 | 00 FF FF FF FF FF FF FF | .ÿÿÿÿÿÿÿ
0000:00D0 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:00D8 | FF FF FF FF FF FF 88 88 | ÿÿÿÿÿÿ..
0000:00E0 | 99 AA 88 66 AA AA 88 66 | .ª.fªª.f
0000:00E8 | AA AA 88 66 AA AA 88 66 | ªª.fªª.f
0000:00F0 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:00F8 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0100 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0108 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0110 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0118 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0120 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0128 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0130 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0138 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0140 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0148 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0150 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0158 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0160 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0168 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0170 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0178 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0180 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0188 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0190 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0198 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01A0 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01A8 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01B0 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01B8 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01C0 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01C8 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01D0 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01D8 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01E0 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01E8 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01F0 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:01F8 | FF FF FF FF FF FF FF FF | ÿÿÿÿÿÿÿÿ
0000:0200 | 12 01 00 02 00 00 00 40 | .......@
0000:0208 | 8F 14 70 27 01 01 01 02 | ..p'....
0000:0210 | 03 01 0A 06 00 02 00 00 | ........
0000:0218 | 00 40 01 00 09 02 35 00 | .@....5.
0000:0220 | 01 01 00 80 E1 09 04 00 | ....á...
0000:0228 | 00 07 FF FF FF 05 07 05 | ..ÿÿÿ...
0000:0230 | 81 02 00 02 00 07 05 01 | ........
0000:0238 | 02 00 02 00 07 05 02 02 | ........
0000:0240 | 00 02 00 07 05 03 02 00 | ........
0000:0248 | 02 00 07 05 04 02 00 02 | ........
0000:0250 | 00 07 05 05 02 00 02 00 | ........
0000:0258 | 07 05 06 02 00 02 00 B8 | .......¸
0000:0260 | 11 7D 08 0D 00 00 00 00 | .}......
0000:0268 | 54 69 7A 69 61 6E 6F 42 | TizianoB
0000:0270 | 61 63 6F 63 63 6F 48 41 | acoccoHA
0000:0278 | 43 4B 20 20 00 00 00 00 | CK ....
0000:0280 | 12 01 00 02 00 00 00 40 | .......@
0000:0288 | 8F 14 70 28 01 00 06 07 | ..p(....
0000:0290 | 08 01 0A 06 00 02 00 00 | ........
0000:0298 | 00 40 01 00 09 02 20 00 | .@.... .
0000:02A0 | 01 01 00 80 E1 09 04 00 | ....á...
0000:02A8 | 00 02 08 06 50 0A 07 05 | ....P...
0000:02B0 | 81 02 00 02 00 07 05 01 | ........
0000:02B8 | 02 00 02 00 00 00 00 00 | ........
0000:02C0 | 00 00 00 00 00 00 00 00 | ........
0000:02C8 | 00 00 00 00 00 00 00 00 | ........
0000:02D0 | 00 00 00 00 00 00 00 00 | ........
0000:02D8 | 00 00 00 00 00 00 00 00 | ........
0000:02E0 | 00 00 3F 00 00 00 00 00 | ..?.....
0000:02E8 | 00 00 00 00 00 00 00 00 | ........
0000:02F0 | 00 60 70 A2 FF A2 60 70 | .`p¢ÿ¢`p
0000:02F8 | A2 FF A2 FF FF FF FF FF | ¢ÿ¢ÿÿÿÿÿ
0000:0300 | 04 03 09 04 00 00 00 00 | ........
0000:0308 | 00 00 00 00 00 00 00 00 | ........
0000:0310 | 00 00 00 00 00 00 00 00 | ........
0000:0318 | 00 00 00 00 00 00 00 00 | ........
0000:0320 | 00 00 00 00 00 00 00 00 | ........
0000:0328 | 00 00 00 00 00 00 00 00 | ........
0000:0330 | 00 00 00 00 00 00 00 00 | ........
0000:0338 | 00 00 00 00 00 00 00 00 | ........
0000:0340 | 00 00 00 00 00 00 00 00 | ........
0000:0348 | 00 00 00 00 00 00 00 00 | ........
0000:0350 | 00 00 00 00 00 00 00 00 | ........
0000:0358 | 00 00 00 00 00 00 00 00 | ........
0000:0360 | 0E 03 52 00 61 00 6C 00 | ..R.a.l.
0000:0368 | 69 00 6E 00 6B 00 00 00 | i.n.k...
0000:0370 | 1E 03 38 00 30 00 32 00 | ..8.0.2.
0000:0378 | 2E 00 31 00 31 00 20 00 | ..1.1. .
0000:0380 | 6E 00 20 00 57 00 4C 00 | n. .W.L.
0000:0388 | 41 00 4E 00 00 00 00 00 | A.N.....
0000:0390 | 04 03 09 04 00 00 00 00 | ........
0000:0398 | 00 00 00 00 00 00 00 00 | ........
0000:03A0 | 00 00 08 03 31 00 2E 00 | ....1...
0000:03A8 | 30 00 00 00 00 00 00 00 | 0.......
0000:03B0 | 00 00 00 00 00 00 00 00 | ........
0000:03B8 | 00 00 00 00 00 00 00 00 | ........
0000:03C0 | 00 00 00 00 00 00 00 00 | ........
0000:03C8 | 00 00 00 00 00 00 00 00 | ........
0000:03D0 | 00 00 00 00 00 00 00 00 | ........
0000:03D8 | 00 00 00 00 00 00 00 00 | ........
0000:03E0 | 00 00 00 00 00 00 00 00 | ........
0000:03E8 | 00 00 00 00 00 00 00 00 | ........
0000:03F0 | 00 00 00 00 00 00 00 00 | ........

0000:03F8 | 00 00 00 00 00 00 00 00 | ........

https://docs.google.com/file/d/0B5uKF4o3fPSWSGdUa2FOdDk2T2s/edit?usp=sharing

Linux e hacking

giovedì 19 settembre 2013

Recuperare un'interfaccia Ralink a 5 Ghz con EEPROM danneggiata senza riprogrammare il chip

Nessun commento:

Posta un commento