Topic: Read/write eeprom from USB Wifi dongle with the Realtek RTL8187 chip  (Read 3758 times)

tru3533 (topic starter)
Hello,
Needed to change the MAC address on my Wifi dongle equipped with the Realtek RTL8187 chip,
so I opened it up and desoldered the eeprom 93C46.
Was easy to read and change the MAC address @ 0Eh - 13h

I would like to change the MAC address many times so I was thinking it could be done via software.
Datasheet for the Realtek wifi chip RTL8187 says in chapter 9:
Software can read and write to the EEPROM using "bit-bang" accesses via 9346CR register.
Look at the included datasheet (RTL8187.pdf).

This is something I would really like to learn.
How would you approach such a problem?
What software/programming tools would you use?

Any tips to get me on the right path are highly welcome :-)

Regards, Tom
 

« Last Edit: December 16, 2019, 04:45:06 pm by tru3533 »
 

magic
« Reply #1 on: December 13, 2019, 12:09:31 pm »
Your datasheet doesn't say how to access EEPROM over USB.

However, there is a Linux driver for RTL8187 which contains definitions of all the necessary magic numbers. Beware that it seems to address the EEPROM in words rather than bytes, so 0x7 instead of 0xE. Once you know how to talk to the chip, write a utility using libusb.

And since you aren't going to bother with any of it, just buy a SOIC test clip to reprogram all your cards without soldering :-DD
 
The following users thanked this post: tru3533

tru3533 (topic starter)
« Reply #2 on: December 14, 2019, 01:31:48 pm »
Thank you Magic,

No no, I'm on a roll here   8) I will not lay down because of some software challenges.  ;D

I looked for libusb and also found OpenUSB, which takes a fork of the libusb 1.0 project.
Not sure which to go for.

Good tip to look into the Linux USB driver

Using Python the PyUSB 1.0 also looks interesting
Seems like a straightforward way to access the USB


Code:
import usb.core
import usb.util

# find our device
dev = usb.core.find(idVendor=0xfffe, idProduct=0x0001)

# was it found?
if dev is None:
    raise ValueError('Device not found')

# set the active configuration. With no arguments, the first
# configuration will be the active one
dev.set_configuration()

# get an endpoint instance
cfg = dev.get_active_configuration()
intf = cfg[(0,0)]

ep = usb.util.find_descriptor(
    intf,
    # match the first OUT endpoint
    custom_match = \
    lambda e: \
        usb.util.endpoint_direction(e.bEndpointAddress) == \
        usb.util.ENDPOINT_OUT)

assert ep is not None

# write the data
ep.write('test')

« Last Edit: December 14, 2019, 01:37:04 pm by tru3533 »
 

magic
« Reply #3 on: December 14, 2019, 02:05:27 pm »
Yes, that python library looks like the kind of thing I had in mind.
It will probably be the control endpoint this time, though. Again, see how the rtl818x driver does it.

By the way, you know that you can temporarily change the MAC address by software without messing with the card itself, right?
 
The following users thanked this post: tru3533

tru3533 (topic starter)
« Reply #4 on: December 14, 2019, 02:21:19 pm »
Yes, I have been down that road already, changing the registry and setting the driver Network MAC address in device manager.
MAC address is changed but my pesky license checker is not buying it.   ;D
 

tru3533 (topic starter)
« Reply #5 on: December 14, 2019, 03:07:21 pm »
Here I found a very good explanation about endpoints for those who follow this post.
https://microchipdeveloper.com/usb:endpoints
 

coromonadalix
« Reply #6 on: December 14, 2019, 03:21:06 pm »
Maybe an eeprom emulator, but those I've seen are in the 300$ aud range ???

Must be cheaper ones, or maybe something arduino based, pic or avr based ??

Since your eeprom talks over spi bus, surely something could be done ?


A thread with pickit 2 and 3 ??
https://www.microchip.com/forums/m905015.aspx
« Last Edit: December 14, 2019, 03:25:49 pm by coromonadalix »
 
The following users thanked this post: tru3533

tru3533 (topic starter)
« Reply #7 on: December 14, 2019, 03:59:01 pm »
coromonadalix,
Interesting approach using a piggyback mcu 
 

tru3533 (topic starter)
« Reply #8 on: December 15, 2019, 04:07:59 pm »
Found the device with code

Code:
import sys

import usb.core
import usb.util

VID = 0x0846
PID = 0x6a00

# find our device
dev = usb.core.find(idVendor=VID, idProduct=PID)

# was it found?
if dev is None:
    print('Device not found')
    sys.exit(1)
print('Found it')

# control transfer parameters: values still to be filled in
reqType = None
bReq = None
wVal = None
wIndex = None
data = None

# Send new MAC address
dev.ctrl_transfer(reqType, bReq, wVal, wIndex, data)


Now the problem is filling out the values according to the datasheet
Totally lost here.

dev.ctrl_transfer help file says:

def ctrl_transfer(bmRequestType, bRequest, wValue=0, wIndex=0, data_or_wLength=None, timeout=None)
Do a control transfer on the endpoint 0.

This method is used to issue a control transfer over the endpoint 0 (endpoint 0 is required to always be a control endpoint).

The parameters bmRequestType, bRequest, wValue and wIndex are the same of the USB Standard Control Request format.

Control requests may or may not have a data payload to write/read. In cases which it has, the direction bit of the bmRequestType field is used to infer the desired request direction. For host to device requests (OUT), data_or_wLength parameter is the data payload to send, and it must be a sequence type convertible to an array object. In this case, the return value is the number of bytes written in the data payload. For device to host requests (IN), data_or_wLength is either the wLength parameter of the control request specifying the number of bytes to read in data payload, and the return value is an array object with data read, or an array object which the data will be read to, and the return value is the number of bytes read.

Has somebody done this before?

« Last Edit: December 15, 2019, 04:47:59 pm by tru3533 »
 

magic
« Reply #9 on: December 15, 2019, 07:10:33 pm »
https://elixir.bootlin.com/linux/latest/source/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c#L1486

Here. Some sort of "eeprom" object is created and initialized with two methods that access some device register somewhere :-//
Then eeprom_93cx6_multiread is called to read address RTL8187_EEPROM_MAC_ADDR.

Your job is to find the exact values of all those #defines, trace what kind of control messages the two methods send to the chip, figure out how eeprom_93cx6_multiread uses those methods to get the data.

Or, actually, what kind of other eeprom93cx6_whatever_write function you can call and how that function works.

In related news, prices of SOIC test clips really went down on AliBay in the last few years ;)
 
The following users thanked this post: tru3533
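
Added illustration of two points from magic's replies, the word addressing (0x7 rather than 0xE) and a reader built from pin-level accesses; it is not code from the thread or from the Linux driver. It reads a MAC from a simulated 93C46 rather than real hardware: `Sim93C46`, `set_pins` (standing in for writes to the chip's EEPROM command register), the other function names, the dump byte order and the sample MAC are all assumptions made for the example.

```python
class Sim93C46:
    """Toy 93C46, 16-bit mode; models only READ (start 1, opcode 10, 6-bit address)."""
    def __init__(self, image):
        # Assumption: byte 2n of a 128-byte dump is the low byte of word n.
        self.words = [image[i] | image[i + 1] << 8 for i in range(0, 128, 2)]
        self.clk = self.do = self.cmd = self.nbits = 0
        self.out = None

    def set_pins(self, cs, clk, di):
        if not cs:                        # deselect resets the state machine
            self.cmd, self.nbits, self.out = 0, 0, None
        elif clk and not self.clk:        # the chip samples on the rising edge
            if self.out is not None:      # data phase: D15 comes out first
                self.do = self.out >> 15
                self.out = (self.out << 1) & 0xFFFF
            elif self.nbits or di:        # command phase begins at the start bit
                self.cmd = (self.cmd << 1) | di
                self.nbits += 1
                if self.nbits == 9:       # start + opcode + address received
                    if self.cmd >> 6 != 0b110:
                        raise ValueError("only READ is modelled")
                    self.out = self.words[self.cmd & 0x3F]
                    self.do = 0           # dummy 0 bit precedes the data
        self.clk = clk

def read_word(chip, addr):
    """Bit-bang one READ by toggling CS, CK and DI, then sampling DO."""
    def clock(di):
        chip.set_pins(1, 0, di)
        chip.set_pins(1, 1, di)
        return chip.do
    cmd = (0b110 << 6) | (addr & 0x3F)
    for i in range(8, -1, -1):            # 9 command bits, MSB first
        clock((cmd >> i) & 1)
    word = 0
    for _ in range(16):                   # 16 data bits, MSB first
        word = (word << 1) | clock(0)
    chip.set_pins(0, 0, 0)                # drop CS to end the cycle
    return word

MAC_WORD = 0x7  # word address from the thread; byte offset 2 * 0x7 = 0x0E

def read_mac(chip):
    words = [read_word(chip, MAC_WORD + i) for i in range(3)]
    return b"".join(w.to_bytes(2, "little") for w in words)

def sample_image():
    image = bytearray(b"\xff" * 128)                  # constructed blank dump
    image[0x0E:0x14] = bytes.fromhex("020000123456")  # constructed MAC, 0Eh-13h
    return bytes(image)
```
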

tru3533 (topic starter)
« Reply #10 on: December 16, 2019, 01:42:25 am »
But... look how easily our dear ladyada solves this task,
like she says "you just need to read the datasheet"  :-+

For sure someone on the forum knows.

https://youtu.be/xH_y05pIDTo
« Last Edit: December 16, 2019, 01:45:38 am by tru3533 »
 

magic
« Reply #11 on: December 16, 2019, 09:58:52 am »
Actually you are right that there is probably a datasheet for the EEPROM and you may even find python code to program it if it's some jellybean EEPROM. That's certainly worth looking for.

But you still need to provide means of sending commands to the EEPROM through RTL8187. This is not documented in the public datasheet so just copy it from the Linux rtl8187_eeprom_register_read/write functions.
 
The following users thanked this post: tru3533

tru3533 (topic starter)
« Reply #12 on: December 16, 2019, 10:17:33 am »
I will try that, if I can figure it out.

In the meantime I found this interesting article:
https://learn.adafruit.com/hacking-the-kinect/overview

and this for those who still read this post
https://www.beyondlogic.org/usbnutshell/usb6.shtml

 

tru3533 (topic starter)
« Reply #13 on: December 16, 2019, 03:13:37 pm »
Holy cow  :o

I found The Realtek RTL8187L Mass Production Kit EEPROM modifier program
used in the factory when it was produced.

Program can be used on several chips from Realtek.
You can change all settings in EEPROM  :D including transmit power if you like.
Warning Tx can be set to 1W and will for sure blow up your wifi device  ;D

Download link still works, winXP install
newer version of the program down in the post, so total 2 downloads.

https://xiaopan.co/forums/threads/the-realtek-rtl8187l-mass-production-kit-eeprom-modifier.5187/

 No more SOIC test clips for me  ;)
« Last Edit: December 16, 2019, 03:23:34 pm by tru3533 »
 

