Hardware & Making

Beyond BLE: Cracking Open the Black-Box of RF Microcontrollers

Despite the recent popularity and wide range of low-cost RF microcontrollers, there is a shared absence of documentation for the internal workings of their RF hardware. Vendors might provide an API for their supported protocols, such as BLE, but their documentation only gives as much detail as is necessary to use those libraries. For practically every BLE MCU available to hobbyists, the on-chip radio can only be reached through undocumented ROM code or binary blobs. In this talk, we will finally peel back the curtain on one of these RF MCUs, making it possible to understand the hardware fully and to operate it in modes the vendor never exposed.
The TI SimpleLink family of BLE and Sub-GHz RF MCUs presents a general-purpose Cortex-M4F platform with extensive documentation for developing custom embedded/IoT devices. In a reference manual filled with countless diagrams and register maps for every other peripheral, the Radio section is surprisingly sparse: it only describes a high-level API for exchanging commands with an RF coprocessor core. This secondary, undocumented CPU handles the actual RF communication and runs from an inaccessible ROM. Beyond the coprocessor, the manual mentions nothing but generic "DSP Modem" and "RF Engine" modules. This talk serves as the unofficial "Radio Reference Manual" for the SimpleLink MCUs, opening the black box of the RF subsystem and painting the full picture of how the radio operates, from the stack to the antenna. As part of this effort to fully understand these chips, we reverse engineered TI's proprietary RF patch format, which the SDK uses to add support for newer protocols to existing chips. We show how these patches allow you to modify the behavior of almost every part of the RF subsystem, control it in ways the vendor never intended, or even replace the ROM firmware entirely. Additionally, we investigate the hidden DSP Modem cores and decode their proprietary ISA, letting us disassemble their firmware and craft new patches for them as well, potentially opening the door to a cheap single-chip SDR.

Additional information

Live Stream: https://streaming.media.ccc.de/38c3/glitch
Type: Talk
Language: English

More sessions

12/27/24
Hardware & Making
DorotaC
Saal GLITCH
I'm not big-brained enough to use cameras on Linux, so I decided to write my own camera stack (based on a real story).
12/27/24
Hardware & Making
Saal 1
Reverse engineering the Wi-Fi peripheral of the ESP32 to build an open source Wi-Fi stack.
12/27/24
Hardware & Making
Sean "xobs" Cross
Saal GLITCH
Many developers know that the answer to "How do I debug this microcontroller?" is either "JTAG" or "SWD". But what does that mean, exactly? How do you get from "wiggling wires" to "programming a chip" and "halting on breakpoints"? This talk will cover how common debug protocols work, starting from signals on physical wires, covering common mechanisms for managing embedded processors, and ending up at talking to various common microcontrollers.
12/27/24
Hardware & Making
Saal 1
The Iridium satellite (phone) network is evolving and so is our understanding of it. Hardware and software tools have improved massively since our last update at 32C3. New services have been discovered and analyzed. Let's dive into the technical details of having a lot of fun with listening to satellites.
12/27/24
Hardware & Making
Saal GLITCH
The 530 tons and 63 meter tall Ariane 6 rocket finally launched on July 9th 2024 carrying our open-source developed payloads – the SIDLOC experiment and the satellite Curium One – into space. SIDLOC tested a new, open, low-power standard for identifying and precisely locating spacecraft whilst our satellite Curium One established an open-source baseline for larger CubeSat systems and allowed us to test a bunch of new technologies. From sourcing a launch opportunity to the final integration ...
12/27/24
Hardware & Making
Thorsten Hellert
Saal ZIGZAG
Recent breakthroughs in machine learning have dramatically heightened the demand for cutting-edge computing chips, driving advancements in semiconductor technologies. At the forefront of this progress is Extreme Ultraviolet (EUV) lithography—a transformative method in microchip fabrication that enables the creation of ultra-small, high-performance devices. However, the path from raw materials to these state-of-the-art chips navigates a complex global supply chain riddled with technical ...
12/27/24
Hardware & Making
giulioz
Saal GLITCH
Custom silicon chips are black boxes that hold many secrets, like internal ROMs, security features and audio DSP algorithms. How does one start reverse engineer them? Let's look at the basics of silicon reverse engineering, what gate array chips are, and how some tooling can generate Verilog code automatically from a die shot.