Adam Batori and Robert Pafford
Despite the recent popularity and breadth of offerings of low-cost RF microcontrollers, there is a shared absence of documentation for the internal workings of their RF hardware. Vendors might provide an API for their supported protocols, such as BLE, but their documentation will only provide as much detail as necessary to use these libraries. For practically every BLE MCU available to hobbyists, interfacing with the on-chip radio is limited to secret ROMs or binary blobs. In this talk, we will finally peel back the curtain on one of these RF MCUs, giving the ability to understand and unlock the full potential of the hardware to operate in new modes.
The TI SimpleLink family of BLE and Sub-GHz RF MCUs present a general-purpose Cortex-M4F platform with extensive documentation for developing custom embedded/IoT devices. With a reference manual filled with countless diagrams and register maps for all its peripherals, the Radio section is surprisingly sparse, only mentioning a high-level API for exchanging commands between an RF coprocessor core. This secondary undocumented CPU is what handles the actual RF communication, running from an inaccessible ROM. There’s no mention of what peripherals lay beyond the coprocessor aside from generic “DSP Modem” and “RF Engine” modules.
This talk serves to be the unofficial “Radio Reference Manual” of the SimpleLink MCUs, opening the black box of the RF subsystem and painting the full picture on how the radio operates - from the stack to the antenna. As part of this effort to fully understand these chips, we reverse engineered TI’s proprietary RF patch format, which enables SDK updates to introduce support for newer protocols on existing chips. We show how these patches allow you to modify the behavior of almost every part of the RF subsystem, control the RF subsystem in ways not intended, or even replace the ROM firmware entirely. Additionally, we investigate the hidden DSP Modem cores, and decode their proprietary ISA to disassemble and craft new firmware patches for them as well, potentially opening up the door for a cheap single-chip SDR.
Licensed to the public under http://creativecommons.org/licenses/by/4.0