Adhoc wifi notes

From DeSmuME
(Difference between revisions)
Jump to: navigation, search
(Some disassembling)
 
(4 intermediate revisions by one user not shown)
Line 9: Line 9:
 
- Luigi receives the beacons and asks "Mario found - want to play?", let's assume the player says Yes<br>
 
- Luigi receives the beacons and asks "Mario found - want to play?", let's assume the player says Yes<br>
 
- Luigi associates with Mario, they exchange a few 802.11 standard authentication/association packets<br>
 
- Luigi associates with Mario, they exchange a few 802.11 standard authentication/association packets<br>
- Mario sends a data frame every 1660µs. 478µs are given Luigi to reply.<br>
+
- Mario sends a data frame every 1660µs. Luigi is given 478µs to reply.<br>
 
- Luigi never replies for some reason. Connection fails.<br>
 
- Luigi never replies for some reason. Connection fails.<br>
  
Line 21: Line 21:
 
(located at 0x037F9504)<br>
 
(located at 0x037F9504)<br>
  
start:<br>
 
 
u16 flags;<br>
 
u16 flags;<br>
while (flags = IF & IE)<br>
+
do<br>
 
{<br>
 
{<br>
 +
flags = IF & IE;<br>
 
if (flags & 0x0080 /* TXSTART */) call 0x037FA528;<br>
 
if (flags & 0x0080 /* TXSTART */) call 0x037FA528;<br>
 
if (flags & 0x0040 /* RXSTART */) call 0x037FA5E4;<br>
 
if (flags & 0x0040 /* RXSTART */) call 0x037FA5E4;<br>
Line 38: Line 38:
 
if (flags & 0x1000 /* IRQ12 */) call 0x037FA418;<br>
 
if (flags & 0x1000 /* IRQ12 */) call 0x037FA418;<br>
 
}<br>
 
}<br>
done:<br>
+
while (flags);<br>
 
/* clear wifi IRQ flag in main IF */<br>
 
/* clear wifi IRQ flag in main IF */<br>
 
return;<br>
 
return;<br>
  
(edit: fucking mediawiki and its terrible way to handle linebreaks)
+
 
 +
IRQ12 (0x037FA418):<br>
 +
/* clear IRQ flags, blah blah */<br>
 +
/* R2 = txbusy; */<br>
 +
/* R0 = rfstatus; */<br>
 +
if (rfstatus != 3)<br>
 +
{<br>
 +
if (rfstatus != 5) goto 4f8;<br>
 +
}<br>
 +
if (txbusy != 0) goto 4f8;<br>
 +
call 0x027E9550;<br>
 +
goto 504;<br>
 +
4f8:<br>
 +
call 0x037F85F8;<br>
 +
504:<br>
 +
return;
 +
 
 +
 
 +
 
 +
TXSTART (0x037FA528):<br>
 +
/* clear TXSTART irq flag */<br>
 +
R3 = rxtxaddr;<br>
 +
status = rfstatus & 0xFF;<br>
 +
if (status < 3) return;<br>
 +
if (status > 5) return;<br>
 +
/* rxtxaddr range checks */<br>
 +
unk244 |= 0x0080;<br>
 +
unk244 &= ~0x0080;<br>
 +
return;<br>
 +
 
 +
 
 +
TXEND (0x037F9D18):<br>
 +
/* clear TXEND irq flag */<br>
 +
/* todo some shit */<br>
 +
R2 = txstat;<br>
 +
whosent = txstat & 0x0F00;<br>
 +
if (whosent == 0x0300) goto d80;<br>
 +
if (whosent == 0x0800) goto db4;<br>
 +
if (whosent == 0x0B00) goto df4;<br>
 +
goto ebc;<br>
 +
d80:<br>
 +
todo<br>
 +
 
 +
 
 +
 
 +
RXSTART (0x037FA5E4):<br>
 +
/* clear RXSTART irq flag */<br>
 +
if ((rfpins & 0x0003) != 0x0003) goto bad;<br>
 +
if (rxtxaddr < rxbufbegin>>1) goto bad;<br>
 +
addr = wrcsr<<1 + 12; /* with wraparound */<br>
 +
framectl = wifiram[addr] & 0xE7FF;<br>
 +
if (framectl != 0x0228) goto bad;<br>
 +
addr += 2;<br>
 +
duration = wifiram[addr];<br>
 +
lastcount = us_count_0;<br>
 +
6ac:<br>
 +
numreceived = rxtxaddr - wrcsr;<br>
 +
if (numreceived <= 14) { if ((us_count_0 - lastcount)<=64) goto 6ac; else goto bad };<br>
 +
addr += 8; /* advance to mac2 */<br>
 +
/* compare mac2 against something in memory*/<br>
 +
addr += 6;<br>
 +
addr += 10; /* advance to body+2, aka slave bits */<br>
 +
R3 = &us_count_0;<br>
 +
73c:
 +
numreceived = rxtxaddr - wrcsr/*R6*/;<br>
 +
if (numreceived <= 20) { if ((us_count_0 - lastcount)<=112) goto 73c; else goto bad };<br>
 +
slavebits = wifiram[addr];<br>
 +
if (slavebits & (1 << aid_low)) goto bad;<br>
 +
memory[somewhere] = txbuf_reply2;<br>
 +
txbuf_reset = 0x0040; /* disable reply2 */<br>
 +
memory[somewhereelse]++;<br>
 +
while ((rfpins & 0x0003) == 0x0003);<br>
 +
unk244 |= 0x0040;<br>
 +
unk244 &= ~0x0040;<br>
 +
unk228 = 0x0008;<br>
 +
unk228 = 0x0000;<br>
 +
/* store something into txbuf_reply1, latch into txbuf_reply2 */ <br>
 +
bad:<br>
 +
return;<br>
 +
 
 +
So yeah. Not only it analyzes the packet before it is fully received, but it also ''replies'' before the packet is fully received! Nintendo coding sure rhymes with madness :P
 +
 
 +
 
 +
RXEND:<br>
 +
todo
 +
 
 +
=== Update ===
 +
With the latest work on wifi, Luigi tries to reply to the packet sent by Mario. He uses txbuf_reply1/2, however those registers are always set to zero for whatever reason.

Latest revision as of 14:36, 15 August 2011

Contents

The Ultimate Goal

- Getting adhoc wifi working. AKA NSMB multiplayer, pictochat, and many others.

The Issue

NSMB goes through the following sequence to connect two players together:
- Mario configures the wifi hardware as to send beacons every ~200ms. The beacons are 802.11 standard with extra data (tag DDh as GBATek puts it)
- Luigi receives the beacons and asks "Mario found - want to play?", let's assume the player says Yes
- Luigi associates with Mario, they exchange a few 802.11 standard authentication/association packets
- Mario sends a data frame every 1660µs. Luigi is given 478µs to reply.
- Luigi never replies for some reason. Connection fails.


Luigi does processing on the received data frame before it is fully received (aka between IRQ6 and IRQ0). Once it is fully received it's too late.
That's what we can call tight timing. :P

Some disassembling

NSMB's wifi IRQ handler (pseudocode)
(located at 0x037F9504)

u16 flags;
do
{
flags = IF & IE;
if (flags & 0x0080 /* TXSTART */) call 0x037FA528;
if (flags & 0x0040 /* RXSTART */) call 0x037FA5E4;
if (flags & 0x8000 /* PREBEACON */) call 0x037F95E8;
if (flags & 0x4000 /* BEACON */) call 0x037F9674;
if (flags & 0x2000 /* POSTBEACON */) call 0x037F9970;
if (flags & 0x0800 /* RFWAKEUP */) call 0x027EBC08;
if (flags & 0x0008 /* TXERR INC */) call 0x037F9A28;
if (flags & 0x0004 /* RXEVT INC */) call 0x037F9B54;
if (flags & 0x0001 /* RXEND */) call 0x037F9F88;
if (flags & 0x0030 /* TXERR/RXEVT HOVF */) call 0x037F99EC;
if (flags & 0x0002 /* TXEND */) call 0x037F9D18;
if (flags & 0x1000 /* IRQ12 */) call 0x037FA418;
}
while (flags);
/* clear wifi IRQ flag in main IF */
return;


IRQ12 (0x037FA418):
/* clear IRQ flags, blah blah */
/* R2 = txbusy; */
/* R0 = rfstatus; */
if (rfstatus != 3)
{
if (rfstatus != 5) goto 4f8;
}
if (txbusy != 0) goto 4f8;
call 0x027E9550;
goto 504;
4f8:
call 0x037F85F8;
504:
return;


TXSTART (0x037FA528):
/* clear TXSTART irq flag */
R3 = rxtxaddr;
status = rfstatus & 0xFF;
if (status < 3) return;
if (status > 5) return;
/* rxtxaddr range checks */
unk244 |= 0x0080;
unk244 &= ~0x0080;
return;


TXEND (0x037F9D18):
/* clear TXEND irq flag */
/* todo some shit */
R2 = txstat;
whosent = txstat & 0x0F00;
if (whosent == 0x0300) goto d80;
if (whosent == 0x0800) goto db4;
if (whosent == 0x0B00) goto df4;
goto ebc;
d80:
todo


RXSTART (0x037FA5E4):
/* clear RXSTART irq flag */
if ((rfpins & 0x0003) != 0x0003) goto bad;
if (rxtxaddr < rxbufbegin>>1) goto bad;
addr = wrcsr<<1 + 12; /* with wraparound */
framectl = wifiram[addr] & 0xE7FF;
if (framectl != 0x0228) goto bad;
addr += 2;
duration = wifiram[addr];
lastcount = us_count_0;
6ac:
numreceived = rxtxaddr - wrcsr;
if (numreceived <= 14) { if ((us_count_0 - lastcount)<=64) goto 6ac; else goto bad };
addr += 8; /* advance to mac2 */
/* compare mac2 against something in memory*/
addr += 6;
addr += 10; /* advance to body+2, aka slave bits */
R3 = &us_count_0;
73c: numreceived = rxtxaddr - wrcsr/*R6*/;
if (numreceived <= 20) { if ((us_count_0 - lastcount)<=112) goto 73c; else goto bad };
slavebits = wifiram[addr];
if (slavebits & (1 << aid_low)) goto bad;
memory[somewhere] = txbuf_reply2;
txbuf_reset = 0x0040; /* disable reply2 */
memory[somewhereelse]++;
while ((rfpins & 0x0003) == 0x0003);
unk244 |= 0x0040;
unk244 &= ~0x0040;
unk228 = 0x0008;
unk228 = 0x0000;
/* store something into txbuf_reply1, latch into txbuf_reply2 */
bad:
return;

So yeah. Not only it analyzes the packet before it is fully received, but it also replies before the packet is fully received! Nintendo coding sure rhymes with madness :P


RXEND:
todo

Update

With the latest work on wifi, Luigi tries to reply to the packet sent by Mario. He uses txbuf_reply1/2, however those registers are always set to zero for whatever reason.

Personal tools