
Beyond BLE: Cracking Open the Black-Box of RF Microcontrollers – media.ccc.de

Adam Batori and Robert Pafford

Saal GLITCH
Hardware & Manufacture


Despite the recent popularity and breadth of low-cost RF microcontrollers on offer, they share a lack of documentation for the internal workings of their RF hardware. Vendors may provide APIs for their supported protocols, such as BLE, but their documentation provides only as much detail as is necessary to use these libraries. For almost every BLE MCU available to hobbyists, interfacing with the on-chip radio is limited to secret ROMs or binary blobs. In this talk, we finally pull back the curtain on one of these RF MCUs, making it possible to understand the hardware and unlock its full potential by operating it in new modes.

The TI SimpleLink family of BLE and Sub-GHz RF MCUs presents a general-purpose Cortex-M4F platform with extensive documentation for developing custom embedded/IoT devices. While the reference manual is full of diagrams and register maps for all its peripherals, the Radio section is surprisingly small, dealing only with a high-level API for exchanging commands with an RF coprocessor core. This secondary, undocumented CPU handles the actual RF communication, running from inaccessible ROM. There is no mention of what peripherals lie beyond the coprocessor other than the generic “DSP Modem” and “RF Engine” modules.

This talk serves as the unofficial “Radio Reference Manual” of SimpleLink MCUs, opening the black box of the RF subsystem and painting the full picture of how the radio works – from the stack to the antenna. As part of this effort to fully understand these chips, we are reverse engineering TI’s proprietary RF patch format, which enables SDK updates to introduce support for newer protocols in existing chips. We show how these patches allow you to change the behavior of almost every part of the RF subsystem, control the RF subsystem in ways that were not intended, or even replace the ROM firmware completely. Additionally, we investigated the hidden DSP Modem cores and decoded their proprietary ISA in order to disassemble their firmware and create new firmware patches for them as well, potentially opening the door to an affordable single-chip SDR.

Publicly licensed under http://creativecommons.org/licenses/by/4.0


2024-12-30 13:44:00
