Some days ago I tried to disassemble the IPN2128 driver:
WLAN11b.dll, MD5 hash 3b8de73e7ed8cd7d8e930e9dea3ac10b
(the SDW-820 Windows Mobile 6 version from Spectec's website)
It took me a bit of time to understand how the interface to the SD host works.
There is only one import from sdbus.dll named SDGetClientFunctions.
This is an undocumented function called by SDRegisterClient.
It will fill a structure at 0x10023960 with function pointers:
0x10023960+4 completes SDRegisterClient call
See msdn.microsoft.com for documentation.
SDIODisconnectInterrupt is called by the functions at 0x100031bc and 0x100034a8
SDIOConnectInterrupt by 0x10003608 (=MiniportInitialize)
SDGetTuple by 0x1001be80
SDCardInfoQuery by 0x1001bfac
SDSetCardFeature by 0x1001bfac and 0x1001c1cc
SDSynchronousBusRequest is always called with Command=53 and Flags=0.
This implies use of BUILD_IO_RW_EXTENDED_ARG.
IncrementAddress is always 1.
Bulk reads and writes are done by 0x1001c590.
Bulk reads are always from address 0x6000 and
Bulk writes are always to address 0x3000, so these should be the frame buffers.
Single registers are 4 bytes long. They are read by 0x1001c40c and written by 0x1001c4d4.
These are adresses of registers that are read:
0, 8, 0x40, 0x48, 0x84, 0x104, 0x118, 0x194, 0x200, 0x204, 0x208, 0x20c, 0x210, 0x214, 0x218, 0x224, 0x228, 0x240, 0x248, 0x294, 0x2a4, 0x304, 0x360, 0x364, 0x368, 0x36c, 0x374, 0x410, 0x41c, 0x440, 0x444, 0x478, 0x480, 0x484, 0x488, 0x48c, 0x490, 0x494, 0x498, 0x49c
These are adresses of registers that are written:
0, 8, 0xc, 0x14, 0x40, 0x44, 0x48, 0x80, 0x8c, 0x100, 0x108, 0x110, 0x114, 0x118, 0x12c, 0x188, 0x18c, 0x194, 0x200, 0x204, 0x208, 0x20c, 0x210, 0x214, 0x218, 0x224, 0x228, 0x248, 0x294, 0x2a4, 0x2a8, 0x300, 0x304, 0x308, 0x30c, 0x314, 0x360, 0x3a0, 0x3a4, 0x3a8, 0x3ac, 0x410, 0x41c, 0x420, 0x448, 0x44c, 0x450, 0x478, 0x480, 0x484, 0x488, 0x48c
These lists are probably incomplete.
(Does this look like Prism? If divided by four?)
There is a fourth function at 0x1001c658 doing transfers. It can read and write up to 511 bytes in byte mode.
It is called to
- read 140 bytes from 0x104
- read 16 bytes from 0x4000
- read 52 bytes from 0x5000
- read from 0x6000
- write to 0x3000
- write to and read from 0xa000
Many functions appear to be methods of a C++ class.
The NDIS adapter context appears to have an element of another class at offset 0x114AC.
Code: Select all
NDIS_HANDLE MiniportAdapterHandle; // at 0x15c
short NdisVersion; // at 0x160
}; // 71296 bytes
Registered miniport callbacks are:
The SDIO interrupt callback is at 0x1001bd30.