• dev
• rtwn(4)
• FirmwareInfo

Realtek WiFi NIC Firmware

The Realtek USB and PCIe WiFi devices have an embedded CPU for driving some functionality. For some chipsets its optional, but it is required for more advanced 802.11n and 802.11ac support.

There has been some work in reverse engineering the firmware - please see https://8051enthusiast.github.io/2021/07/05/002-wifi_fun.html for an example.

Overview

It looks like the USB and PCIe devices use an 8051 MCU, clocked at a high frequency (> 80MHz on later parts.)

Functionality

(TBD)

Communication

There's two variants - USB and PCIe. Both look mostly the same; the difference is how the packets are queued/DMA'ed in and out of the hardware.

In terms of queues, there's typically:

• One receive queue;
• One or more transmit queues;
• A command queue.

The receive queue is used for received data and firmware notifications (such as rate control reports.) The transmit queues are used for transmitting data. The command queue is used to implement the H2C (host to controller) for control messages, such as loading firmware, resetting the chip, adding/removing stations, direct register IO and such.

For PCIe, the command queue is in PCIe config space. For USB it is just control transfers.

Firmware Functions

H2C (host to chip) commands

These commands are for the RTL8188CU, RTL8188RU, 8192CU and 8723AU.

• 0x01 - H2C_SET_POWER_MODE
• 0x02 - H2C_JOIN_BSS_REPORT
• 0x05 - H2C_SET_RSSI
• 0x86 - H2C_SET_RATE_MASK (0x6 + H2C_EXT, which indicates a larger message)

H2C_SET_POWER_MODE

(TBD)

H2C_JOIN_BSS_REPORT

This command indicates whether a BSS has been connected to or disconnected from. For these chipsets, it doesn't take a role or MAC ID.

Format:

H2C_SET_RSSI

(TBD)

This requires some reverse engineering from rtl8xxxu : rtl8xxxu_ra_iter() to see how it stores, fetches and uploads the RSSI.

H2C_SET_RATE_MASK

(TBD)

C2H (chip to host) notifications

Reverse Engineering

(TBD)