Update communication_protocol.md #4
Force-pushed 15c93cd to 2850c68
An absolutely colossal work, hats off @professor-jonny! What I'd really love is to have a bit more structure in this document. I believe it makes sense to first list the general info about the different packets in the "Packet Types" section, and, for example, list that the payload of the "NETWORKS_LIST_RESPONSE" has an array of the network slots. The structure of the network slot can be described in a subsequent section and be cross-referenced. Also, having a bit more granular TOC would also be quite helpful; I believe there's a VSCode plugin that does that automatically. Please let me know if I can help you with anything! Cheers!
You are right, it needs a refactor. For the time being, while I'm still trying to decipher more stuff, I'll leave it as is and do a formal final when I think I'm in a better place to do so. I'm trying to make my C code stateful with structs so responses can be dynamic, as I plan to port this to OpenWrt or ESP32, but the Xbox handshake throws a spanner in the works: as you connect to a network the response alters and bam, the Xbox bumps you. I have made my C program a four in one with:

- Adaptor emulator
- Bridge mode, where Xbox and adaptor are plugged into separate network ports
- Hex upload to Xbox or adaptor

My code needs a refactor too, as it has been altered, chopped and changed lots of times, every time I find out something new.
Force-pushed 299afe7 to e8da288
If you could look over my work it would be great!!! I think I have finished now, but some of it needs a second pair of eyes over it. If I can figure out how to flash the device I'll try and enable the webpage and figure out the serial port connections, as debug output will likely be handy going off the string table. I have also sent you a PM on Discord and sent some Ghidra stuff to ponder over; I'm slowly continuing to unlock a bit more.
Force-pushed fa72dfc to 67d54d2

Force-pushed 2555ac7 to bae04c5

Force-pushed 43ea7c3 to e70e2a6
I'm finished with adding protocol information now. The info is complete to the point that I have a working emulator in Windows that is able to use your PC as an Xbox wireless adaptor and control the radio, perform site surveys, and attach to networks, passing the info on to the Xbox for signal strengths etc. The documentation needs someone else to look over and review it, and it for sure needs a tidy up. There are referenced logs of all the captures, Ghidra XMLs for the adaptor firmware, and I have updated the xonlinedash XMLs quite a bit so I could see the tag enum and values and confirm stuff not able to be confirmed from the adaptor disassembly alone, such as values direct from radio vtables, dash RSSI scaling etc. Madwifi source is not available for this SOC, so I have cross-referenced and worked out as much of the radio structs etc. to give me reliable and accurate data to build the manual and build an emulator. I went far overkill with the adaptor disassembly, way more than needed: every function is named, and all the important stuff and stuff that is used a lot has had structs and datatypes created to make it easily readable.
Force-pushed e70e2a6 to e85d0a2

Force-pushed 04093be to 0fe6fd8

Force-pushed 4178b09 to 5669c4d
Update communication protocol document with findings from reverse engineering, log capture and fuzzing.

Add full capture logs for verification of sources from the manual; this serves as a great source for verification across hundreds of packets.

Add TFTP update log to show discover and update protocol.

Add Ghidra XML for the following used in the disassembly:

- SG2.bin (WGA54g firmware binary)
- MSBN update tool (firmware update tool)
- NML.bin (MN740 adaptor firmware)
- MSBNUpdate.exe (TFTP firmware update tool)

Note: SG2 firmware is a multi-ISA codebase based on ThreadX RTOS. It has mips32be / mips16e and ARM code for the radio binaries. Ghidra has problems with delay slots and ISA switching, and it would be better to use an alternative tool than Ghidra that suits mips32 / mips16 switching correctly.

Plate comments have been placed in the code for the key functions in the MN740 firmware with all the points that need patching to enable WPA, HTTP and fix TFTP RRQ and WRQ functions.

Signed off by Jonathan Brophy <Professor_jonny@hotmail.com>

Update communication_protocol.md
Force-pushed 5669c4d to 896db30


Major update from RE of the firmware and fuzzing the interface.
The firmware is very telling, as the C structs are there in plain view.