Author Topic: EFR32 RAIL Reverse engineering/Open source alternative  (Read 1603 times)


Offline jsilva

  • Contributor
  • Posts: 7
  • Country: pt
EFR32 RAIL Reverse engineering/Open source alternative
« on: December 20, 2018, 11:28:27 pm »
I have recently discovered Silicon Labs' Wireless Gecko SoCs, the EFR32 series.

Upon reading the datasheet and reference manual for the chip, I noticed that the radio interface chapter is short and just tells people to use RAIL, their closed source radio interface library.

As I am not a big fan of closed source libraries, and I am getting really interested in those chips, I started to search for an open source alternative, but got no success, most likely because they are not widespread yet.

I thought about trying to reverse engineer the library, but I soon realised that would not be easy. I gave it a shot anyway and opened it with IDA to look at some pseudocode that crushed my dreams... Just reads and writes to memory in the radio peripheral address range and even in undocumented memory regions.

I would really like to fully use those chips, including the radio. What are your thoughts?
 

Offline rstofer

  • Super Contributor
  • ***
  • Posts: 8126
  • Country: us
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #1 on: December 21, 2018, 12:46:58 am »
My thoughts?  Use what the factory provides and be happy! 

At least they give you more than just a 1200 page manual.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 7302
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #2 on: December 21, 2018, 01:09:33 am »
I gave it a shot anyway and opened it with IDA to look at some pseudocode that crushed my dreams... Just reads and writes to memory in the radio peripheral address range and even in undocumented memory regions.
What did you expect? That's typical of hardware-interacting code. You will need to make the documentation yourself, based on what the library functions do.
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 7595
  • Country: us
    • SiliconValleyGarage
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #3 on: December 21, 2018, 01:51:26 am »
Most likely this is a kind of SDR. without knowing the actual hardware inside the chip there is no way you will figure out what this library does. Just use it.
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline chicken

  • Regular Contributor
  • *
  • Posts: 238
  • Country: us
  • Rusty Coder
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #4 on: December 21, 2018, 02:01:30 am »
What is your intended application?

For the sub-GHz side: When I looked at them in the past (EZR32), the interface for the sub-GHz radio was identical with the EZRadioPRO family. So you might have some luck digging through the datasheets of their standalone radios or older chips. Though, from a quick glance at the block diagram in the linked datasheet for the EFR32BG12, this is probably a different radio.

If you target the 2.4 GHz side and want to replace their BT stack, I wish you good luck :-)

PS: I did some reverse engineering of the insides of the EZRadioPRO radios. Turns out they use the same silicon across the whole EZRadio and EZRadioPRO family, only differentiated by a few factory programmed settings. I wouldn't be surprised if that also applies to the EFR32 series of chips.


 

Offline jsilva

  • Contributor
  • Posts: 7
  • Country: pt
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #5 on: December 21, 2018, 04:46:54 pm »
Thanks for your replies. Honestly I would prefer a 1200-page manual describing the PHY...

I am going to take a look at the EZR series.
 

Offline chicken

  • Regular Contributor
  • *
  • Posts: 238
  • Country: us
  • Rusty Coder
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #6 on: December 21, 2018, 08:31:34 pm »
Thanks for your replies. Honestly I would prefer a 1200-page manual describing the PHY...

I am going to take a look at the EZR series.

But what level of abstraction do you want to declare as the PHY? Behind the (mostly) documented SPI interface of the EZRadioPRO is an 8051 running proprietary firmware, and below that there's a DSP of some sort, which talks to the hardware (I think)... It's turtles all the way down!
https://github.com/astuder/Inside-EZRadioPRO

Sorry for the tangent.

For actually getting things done, ignorance is often bliss  ;D
« Last Edit: December 21, 2018, 09:06:33 pm by chicken »
 

Offline harbinger

  • Newbie
  • Posts: 3
  • Country: ua
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #7 on: April 09, 2021, 05:56:15 pm »
Sorry for necroposting. 8)
Now it's no longer difficult to do. Using Ghidra I decompiled earlier versions (1.xx) of this library. Fortunately, Flex SDK version 3.xx contains RF register descriptions: for EFR32 Series 2 as header files, for Series 1 as Python scripts. So work is in progress now!
Preliminarily: the radio part of EFR32 Series 1 looks like EZRadio, but the interface to the main CPU is different, using shared memory spaces unlike SPI in EZRadio/EZR32. The mentioned undocumented area of memory (4 KB starting at 0x21000000) contains so-called "sequencer code" (interrupt vectors and jump tables for the 8051-like RF MCU) and (close to the end) some registers for address filtering parameters etc...
(c) 1990 Gibel Computers Co.
 

Offline chicken

  • Regular Contributor
  • *
  • Posts: 238
  • Country: us
  • Rusty Coder
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #8 on: April 17, 2021, 11:42:26 pm »
I did find the register map in the Python code hidden in the SDK. Even wrote a little script for importing the symbols from the EFR32 series 1 SDK into Ghidra.

But I never realized/considered that the radio would still be an EZRadioPRO. Now you're sending me down another rabbit hole!  :scared:

I just pushed the Ghidra script to my EZRadioPRO Github repository if anyone is interested - though it may be outdated as I didn't touch it in months.
https://github.com/astuder/Inside-EZRadioPRO/blob/master/ghidra/EFR32registers.py
 

Offline harbinger

  • Newbie
  • Posts: 3
  • Country: ua
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #9 on: April 29, 2021, 01:46:13 pm »
But I never realized/considered that the radio would still be an EZRadioPRO. Now you're sending me down another rabbit hole!  :scared:
The radio subsystem looks similar to EZRadioPRO in EFR32 Series 1 only. Series 2 looks very different, e.g. the sequencer MCU core is a Cortex-M0 unlike the 8051, and much more... :(
Thank you very much for the script; unfortunately I'm not familiar with Python, but here is some stimulus to learn it. :)
(c) 1990 Gibel Computers Co.
 

Offline chicken

  • Regular Contributor
  • *
  • Posts: 238
  • Country: us
  • Rusty Coder
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #10 on: May 03, 2021, 03:20:52 am »
Thank you very much for the script; unfortunately I'm not familiar with Python, but here is some stimulus to learn it. :)

No need to speak Python. Just copy the script into the Ghidra script folder ($USER_HOME/ghidra_scripts). Then in Ghidra open the firmware binary in the CodeBrowser, then launch Script Manager (Windows > Script Manager). You can find the script by filtering for EFR32. Click on script EFR32registers.py to see instructions. Follow the steps to extract the JAR file, then run the script.
 

Offline harbinger

  • Newbie
  • Posts: 3
  • Country: ua
Re: EFR32 RAIL Reverse engineering/Open source alternative
« Reply #11 on: May 07, 2021, 05:08:01 am »
Thanks, it works.  :-+
But I had already done it by manually editing the .svd file and importing it into Ghidra with SVD-Loader. Unfortunately not all RF-related peripherals are fully described in the scripts; the bit-fields of the PROTIMER and BUFC registers are missing, but it's not a significant problem.
« Last Edit: Yesterday at 10:57:16 am by harbinger »
(c) 1990 Gibel Computers Co.
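The SVD route mentioned above (and the register-symbol import into Ghidra discussed earlier in the thread) comes down to turning peripheral descriptions into absolute addresses and spotting registers the description leaves at bit level undocumented. The script below is an added example, not code from the SDK or from the Inside-EZRadioPRO repository; the SVD fragment, base addresses, register names and offsets in it are constructed placeholders, not real EFR32 values, and the "NAME 0xADDRESS" output format is an assumed shape for a symbol-import script.

```python
"""Parse a CMSIS-SVD fragment, compute absolute register addresses for
labelling in Ghidra, and flag registers whose bit-fields are missing.
Added example; the SVD text and all addresses below are constructed."""
import xml.etree.ElementTree as ET

# Constructed SVD fragment: peripheral names follow the thread (PROTIMER, BUFC),
# everything else (addresses, register and field names) is a placeholder.
SAMPLE_SVD = """<?xml version="1.0" encoding="utf-8"?>
<device><name>PLACEHOLDER_MCU</name><peripherals>
  <peripheral><name>PROTIMER</name><baseAddress>0x40000000</baseAddress>
    <registers>
      <register><name>CTRL</name><addressOffset>0x0</addressOffset>
        <fields>
          <field><name>ENABLE</name><bitOffset>0</bitOffset><bitWidth>1</bitWidth></field>
          <field><name>PRESC</name><bitOffset>8</bitOffset><bitWidth>4</bitWidth></field>
        </fields></register>
      <register><name>CNT</name><addressOffset>0x4</addressOffset></register>
    </registers></peripheral>
  <peripheral><name>BUFC</name><baseAddress>0x40001000</baseAddress>
    <registers>
      <register><name>STATUS</name><addressOffset>0x10</addressOffset></register>
    </registers></peripheral>
</peripherals></device>"""

def parse_svd(text):
    """Return {'PERIPH_REG': (absolute_address, {field: (bit_offset, bit_width)})}."""
    root = ET.fromstring(text)
    regs = {}
    for periph in root.iter("peripheral"):
        pname = periph.findtext("name")
        base = int(periph.findtext("baseAddress"), 0)  # base 0 accepts 0x... and decimal
        for reg in periph.iter("register"):
            addr = base + int(reg.findtext("addressOffset"), 0)
            fields = {f.findtext("name"): (int(f.findtext("bitOffset")), int(f.findtext("bitWidth")))
                      for f in reg.iter("field")}
            regs[f"{pname}_{reg.findtext('name')}"] = (addr, fields)
    return regs

def ghidra_labels(regs):
    """One 'NAME 0xADDRESS' line per register, sorted by address (assumed import shape)."""
    return [f"{name} 0x{addr:08X}" for name, (addr, _) in sorted(regs.items(), key=lambda kv: kv[1][0])]

def registers_without_fields(regs):
    """Registers the SVD describes only as an address, i.e. the bit-field gap noted above."""
    return sorted(name for name, (_, fields) in regs.items() if not fields)

def field_mask(regs, reg_name, field_name):
    """Bit mask of one field, useful when matching decompiled register writes to names."""
    off, width = regs[reg_name][1][field_name]
    return ((1 << width) - 1) << off
```

Pointing `parse_svd` at a real SVD file and writing `ghidra_labels` to a text file gives the register map in a form that can be imported as symbols, while `registers_without_fields` lists what still has to be documented by hand.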
 

