@eggman
Last active May 10, 2018 06:21

Hack Mediatek MT7610U Wi-Fi Chip.

Chip Spec

  • Wi-Fi 11g/n/ac
  • 2.4GHz / 5GHz
  • USB 2.0

Initialize

  • reset

USB

endpoint

  • endpoint 0 (Control)
  • IN
  • OUT

Tx / Rx frame format on USB

TX
-----------
TXINFO[31:0] 4bytes
-----------
TXWI 16bytes

------------
802.11


------------

RX
------------
RxDMALen[31:0] 4bytes
------------
RXWI 16bytes

------------
802.11

------------
RXINFO 4bytes
------------
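
A bounds-checked splitter for the RX layout above, as an added example (not code from the original gist or from any MediaTek driver). It assumes RxDMALen is little-endian and that its low 16 bits count the RXWI plus the 802.11 data, excluding the length word and the trailing RXINFO; `rx_split`, `struct rx_seg` and the sample buffer are illustrative names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

#define RX_DMA_LEN_SZ 4u   /* RxDMALen[31:0] */
#define RXWI_SZ       16u  /* RXWI */
#define RXINFO_SZ     4u   /* trailing RXINFO */

struct rx_seg {
    const uint8_t *rxwi;      /* 16-byte RXWI */
    const uint8_t *frame;     /* 802.11 data (may include pad bytes) */
    size_t         frame_len;
    const uint8_t *rxinfo;    /* 4-byte RXINFO trailer */
    size_t         seg_len;   /* bytes consumed from the USB buffer */
};

/* Constructed sample: RxDMALen=24, zeroed RXWI, 8-byte payload, RXINFO. */
static const uint8_t sample[32] = { 0x18, 0, 0, 0, [20] = 0xAA, [28] = 0x01 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if the segment is malformed or truncated.
 * ASSUMPTION: low 16 bits of RxDMALen = RXWI + 802.11 data length,
 * little-endian, multiple of 4 (not verified against hardware). */
int rx_split(const uint8_t *buf, size_t len, struct rx_seg *out)
{
    if (len < RX_DMA_LEN_SZ + RXWI_SZ + RXINFO_SZ)
        return -1;                 /* too short for the fixed fields */
    size_t dma_len = le32(buf) & 0xFFFFu;
    if (dma_len < RXWI_SZ || (dma_len & 3u))
        return -1;                 /* cannot hold RXWI, or unaligned */
    if (dma_len > len - RX_DMA_LEN_SZ - RXINFO_SZ)
        return -1;                 /* device claims more than was received */
    out->rxwi      = buf + RX_DMA_LEN_SZ;
    out->frame     = out->rxwi + RXWI_SZ;
    out->frame_len = dma_len - RXWI_SZ;
    out->rxinfo    = out->frame + out->frame_len;
    out->seg_len   = RX_DMA_LEN_SZ + dma_len + RXINFO_SZ;
    return 0;
}

int main(void)
{
    struct rx_seg s;
    return rx_split(sample, sizeof sample, &s);
}
```

The length word comes from the device, so every pointer is derived only after it has been checked against the number of bytes the USB transfer actually delivered.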




Host Command

endpoint 0

  • 01 MT_VEND_DEVICE_MODE : reset, load ivb (initial vector block)
  • 02 MT_VEND_SINGLE_WRITE : write 16bit MAC Register
  • 06 MT_VEND_MULTI_WRITE : write 32bit Register
  • 07 MT_VEND_MULTI_READ : read 32bit Register
  • 09 MT_VEND_READ_EEPROM : read EEPROM
  • 42 MT_VEND_WRITE_FCE : setup DMA

endpoint ?

  • 01 CMD_FUN_SET_OP : set function. Q_SELECT : select rx ring buffer (RX_RING0 / RX_RING1). BW_SETTING : select bandwidth (20MHz / 40MHz)
  • 08 CMD_BURST_WRITE :
  • 09 CMD_RANDOM_READ : multiple address pairs can be requested together.
  • 12 CMD_RANDOM_WRITE : multiple address pairs can be requested together.
  • 16 CMD_LED_MODE_OP : control LED
  • 31 CMD_CALIBRATION_OP : set calibration data

endpoint ?

offset = 0x0D730100

  • 01 CMDTHREAD_RESET_BULK_OUT :
  • 02 CMDTHREAD_RESET_BULK_IN :
  • 03 CMDTHREAD_CHECK_GPIO :
  • 04 CMDTHREAD_SET_ASIC_WCID : set info of a station entry in AP mode
  • 05 CMDTHREAD_DEL_ASIC_WCID : reset MAC of a station entry in AP mode
  • 06 CMDTHREAD_SET_CLIENT_MAC_ENTRY : in AP mode
  • 13 CMDTHREAD_SET_WCID_SEC_INFO :
  • 14 CMDTHREAD_SET_ASIC_WCID_IVEIV :
  • 15 CMDTHREAD_SET_ASIC_WCID_ATTR :
  • 16 CMDTHREAD_SET_ASIC_SHARED_KEY : in STA mode
  • 17 CMDTHREAD_SET_ASIC_PAIRWISE_KEY : in STA mode
  • 18 CMDTHREAD_REMOVE_PAIRWISE_KEY : in STA mode
  • 1B CMDTHREAD_UPDATE_PROTECT : update protection bit

Register

  • 0000 MT_ASIC_VERSION

  • 0070 LDO_CTRL1

  • 0104 AGC?

  • 0228 GPIO_CTRL_CFG

  • 0238 USB_DMA_CFG

  • 0250 TSO_CTRL

  • 0260 HEADER_TRANS_CTRL_REG

  • 02A4 USB_CYC_CFG

  • 0400 PBF_SYS_CTRL : turn on bit13 (set to zero)

  • 0404 PBF_CFG

  • 0518 RF_MISC

  • 0438 TXRXQ_PCNT

  • 0730 COM_REG0 : MCU ready

  • 07B0 SEMAPHORE_00

  • 0800 FCE_PSE_CTRL

  • 080C MT_FCE_L2_STUFF

  • 09A0 TX_CPU_PORT_FROM_FCE_BASE_PTR

  • 09A4 TX_CPU_PORT_FROM_FCE_MAX_COUNT

  • 09A8 TX_CPU_PORT_FROM_FCE_CPU_DESC_INDEX

  • 09C4 FCE_PDMA_GLOBAL_CONF

  • 0a44 ?? : disable Tx info report

  • 1030 AMPDU_MAX_LEN_20M1S

  • 1218 BB_PA_MODE_CFG1

  • 121C RF_PA_MODE_CFG1

  • 1314 TX_PWR_CFG_0

  • 132C TX_BAND_CFG : 2.4GHz | 5GHz | Upper / Lower

  • 1330 TX_SW_CFG0

  • 1334 TX_SW_CFG1

  • 1338 TX_SW_CFG2

  • 134C TX_RTY_CFG

  • 13A0 TX0_RF_GAIN_CORR

  • 13A8 TX0_RF_GAIN_ATTEN

  • 13B0 TX_ALC_CFG_0

  • 13C8 TX_ALC_VGA3

  • 150C ?? Enable Tx length > 4095 bytes

  • 1700 RX_STA_CNT0

  • 1704 RX_STA_CNT1

  • 1708 RX_STA_CNT2

  • 170C TX_STA_CNT0

  • 1710 TX_STA_CNT1

  • 1711 TX_STA_CNT2

  • 1718 TX_STA_FIFO

EEPROM

  • 02 : EEPROM_VERSION_OFFSET (expected to be 1 or greater)
  • 04 : MAC ADDRESS 0 1
  • 06 : MAC ADDRESS 2 3
  • 08 : MAC ADDRESS 4 5
  • 24 : TxAutoAgc | TRSW mode
  • 34 : EEPROM_NIC1_OFFSET BBP default value
  • 36 : EEPROM_NIC2_OFFSET BBP default value
  • 38 : EEPROM_COUNTRY_REGION (2.4GHz , 5GHz)
  • 3A : EEPROM_FREQ_OFFSET
  • 42 : EEPROM_NIC3_OFFSET BT Coexistence ??
  • 44 : EEPROM_LNA_OFFSET
  • 46 : EEPROM_RSSI_BG_OFFSET
  • 48 : EEPROM_TXMIXER_GAIN_2_4G or LNA GAIN 5GHz Band(CH100~CH128)
  • 4A : EEPROM_RSSI_A_OFFSET
  • 4C : EEPROM_TXMIXER_GAIN_5G
  • 52 : EEPROM_G_TX_PWR_OFFSET 1 2
  • 54 : 3 4
  • 56 : 5 6
  • 58 : 7 8
  • 5A : 9 10
  • 5C : 11 12
  • 60 : 13 14
  • 78 : EEPROM_A_TX_PWR_OFFSET 36 38
  • 7A : 40 44
  • 7C : 46 48
  • 80 : 52 54
  • 82 : 56 60
  • 84 : 62 64
  • 86 : 100 102
  • 88 : 104 108
  • 8A : 110 112
  • 8C : 116 118
  • 90 : 120 124
  • 92 : 126 128
  • 94 : 132 134
  • 96 : 136 140
  • 98 : 149 151
  • 9A : 153 157
  • 9C : 159 161
  • A0 : 165 167
  • A2 : 169 171
  • A4 : 173
  • D0 : EEPROM_MT76x0_2G_TARGET_POWER or EEPROM_MT76x0_TEMPERATURE_OFFSET
  • DC : EEPROM_MT76x0_A_BAND_MB
  • 10C : channel boundary index

Calibration

  • R_CALIBRATION

Device driver
