I understand that much, but we have the firmware - we don't have to extract it or rebuild it in a white-room? Or is some of that information baked into the firmware that we cannot flash? I've reversed some camera sensor binary blobs recently and I didn't have too many issues, it only took a really long time (5 days) of running in a loop until the source matched the original (semantically). I parsed the blobs into an intermediate language, exported to LLVM and optimized it to recover the functional structure. I also used this semantic structure to rebuild the source in Rust (kinda, it's a variant of Rust with snowflake features because I hate the language). I think I got lucky because the sensors used the same MIPS opcodes (sv class) rather than some proprietary state machine.
> I understand that much, but we have the firmware - we don't have to extract it or rebuild it in a white-room?
You need a testing lab with easily 500k worth of gear and construction cost, if not way more than that, to probe the data buses and obtain the parameters; we're talking about 1.6 GHz (RAM) or, and here it gets dark, up to 16 GHz (PCIe) frequencies here. A scope alone that's capable of digesting such signals runs north of 250k from what I hear, you need calibrations, test probes, and the room needs to be extensively shielded in order to not get disrupted by RF emissions of, say, the microwave two floors away.
And the people needed to do that are in short supply. As said, RF is dark arts, and I'm a mere radio amateur - I know people who do own that class of hardware though. They make bank. And I stay as far away as possible from anything higher frequency than LoRa. Don't got the brains for that.
The firmware is loaded into these modules from the central compute unit; we already have that information and we don't need to probe or read it? Yes, of course harvesting it from data lines is a non-starter, but we control the CPU and everything that runs on it which communicates with the RF chips. This isn't some black-box Nintendo Switch where we don't have root access.
Is there something I am fundamentally misunderstanding?
> Is there something I am fundamentally misunderstanding?
Yes. The binary blob handling the link training procedure needs not just the firmware portion implementing the link training (i.e. generating test signals, observing link quality) but also the pre-obtained measurement data.
So, to re-implement it you need to have a deep understanding of the entire hardware stack, knowledge that isn't even made available under NDA.