BRA

The firmware uploaded to the device contains a BRA (boot record area) which describes the firmware. This BRA is located at offset 20 in the file. Thus, the firmware file has the following structure:

    u8     code1[20];    /* contains initial ARM code jumping down to code2 */

    u8     bra[variable];

    u8     data[variable];

    u8     code2[variable];

The BRA area consists of TLV records with the following structure:

    __le32 bra_code;
    __le32 bra_len;
    u8     bra_data[4 * bra_len];

Possible BRA codes are:

BRA code	meaning
`0x80000001`	Component ID
`0x80000002`	Component Version
`0x80000003`	Interface dependencies
`0x80000004`	Exposed interfaces
`0x80000101`	Code description
`0xFF0000FF`	End of BRA area
`0xFFFFFFFF`	End of BRA area (legacy code)

The contents of each those fields can be:

Component ID

A four-letter string describing the firmware type, known values are:

LM20
LM86
LM87

The firmware for the N810 is an LM20 firmware.

TODO: check which ones we can accept

Component Version

A NUL-terminated string with the firmware version, seems to be 2.13.0.0.a.13.11 or 2.13.0.0.a.22.8 for the N810.

TODO: check which ones we can accept

Code description

Appears to always contain the following values:

    __le16 unknown1, unknown2;   /* unknown 2 might be a version number */
    __le32 frame_memory_start;   /* not entirely sure */
    __le32 frame_memory_end;     /* not entirely sure, p54 subtracts 0x3500 */

    u8     header_size;          /* +248 if unknown2 != 1, otherwise don't read and use 328 */
    /* three more unknown bytes */
    __le32 unk4;
    __le32 unk5;
    __le32 unk6;
    __le32 unk7;
    __le32 unk8;
    __le32 unk9;

    __le32 mtu;

Interface dependencies

Interfaces of other components this component depends on. Not sure this is useful in the firmware. Contains any number of copies of the following structure, padded at the end of all of them to a four-byte multiple.

    __le16 role;
    __le16 if_id;
    __le16 variant;

There are many possible interface IDs, see exposed interfaces.

Exposed Interfaces

Interfaces this component exposes. Contains any number of copies of the following structure, padded at the end of all of them to a four-byte multiple.

    __le16 role;          /* 0: server, 1: client */
    __le16 if_id;
    __le16 variant;
    __le16 bottom_compat;
    __le16 top_compat;

Valid interface IDs are:

ID	meaning
`0x0005`	SNWNMP app <-> firmware
`0x001a`	LMAC interface, must be present and compatible to 0x506
`0x001b`	unknown, exposed by N810 firmware with variant 1
Many more, see islsm