The problem

TP-Link compiles support for its 'proprietary' CMT2300A driver into the Linux kernel blob shipped on the device, but has refused to publish the source of this CMT2300A driver. This violates the GPL license.

TP-Link's partial GPL code release for the Tapo H200 Smart Hub is available at the following URL:

https://www.tp-link.com/us/support/download/tapo-h200/#GPL-Code

Instead of further arguing about (GPL) licensing with TP-Link, we chose to simply write a Linux kernel driver for the HOPERF CMT2300A RF transceiver ourselves!

Our HOPERF CMT2300A Linux kernel driver is available at the following URL:

https://github.com/kholia/linux/tree/Sub-1G-CMOSTEK-v3

Random brain-dump of the commands used in this journey:

List TP-Link firmwares:

aws s3 ls s3://download.tplinkcloud.com/firmware --recursive --no-sign-request > firmware_files.txt

Grab firmware for the device:

wget http://download.tplinkcloud.com/firmware/H200-up-ver1-2-8-P120221202-rel70835-signed_1672196982386.bin

Decrypt the firmware using the tp-link-decrypt program from https://github.com/robbins/tp-link-decrypt.

Analyze the decrypted firmware file using binwalk:

$ binwalk H200-up-ver1-2-8-P120221202-rel70835-signed_1672196982386.bin.dec
...
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL                            HEXADECIMAL                        DESCRIPTION
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
169525                             0x29635                            uImage firmware image, header size: 64 bytes, data size: 1479775 bytes, compression: lzma, CPU: MIPS32, OS: Linux, image type: OS Kernel Image, load address: 
                                                                      0x80000000, entry point: 0x8000C190, creation time: 2022-12-02 11:47:24, image name: "Linux Kernel Image"
1676853                            0x199635                           SquashFS file system, little endian, version: 4.0, ...
...

Extract the kernel image:

$ dd if=H200-up-ver1-2-8-P120221202-rel70835-signed_1672196982386.bin.dec of=uImage bs=1 skip=169525
$ file uImage
uImage: u-boot legacy uImage, Linux Kernel Image, Linux/MIPS, OS Kernel Image (lzma), 1479775 bytes, Fri Dec  2 11:47:24 2022, Load Address: 0X80000000, Entry Point: 0X8000C190...
$ dumpimage -l uImage 
Image Name:   Linux Kernel Image
Created:      Fri Dec  2 17:17:24 2022
Image Type:   MIPS Linux Kernel Image (lzma compressed)
Data Size:    1479775 Bytes = 1445.09 KiB = 1.41 MiB
Load Address: 80000000
Entry Point:  8000c190

Next, we added support for analyzing LZMA compressed uImage files to IDA Pro's uimage.py loader.
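The same 64-byte legacy uImage header that binwalk and dumpimage decode above can be checked by hand. The Python below is an added example written for this write-up, not code from the kholia/linux tree or from IDA's uimage.py loader: it scans a decrypted blob for the header magic, verifies the header and data CRC32s the way U-Boot does, and returns the load address, entry point and payload. The sample blob is constructed inline, with a 40-byte stand-in for the real LZMA payload.

```python
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"
HEADER_FMT = ">IIIIIIIBBBB32s"  # big-endian legacy uImage header (64 bytes)
HEADER_LEN = struct.calcsize(HEADER_FMT)
OS_NAMES, ARCH_NAMES, TYPE_NAMES = {5: "Linux"}, {5: "MIPS"}, {2: "OS Kernel Image"}  # U-Boot image.h subset
COMP_NAMES = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}

def parse_uimage(blob, offset):
    """Parse the legacy uImage header at `offset`; verify header and data CRCs."""
    hdr = blob[offset:offset + HEADER_LEN]
    if len(hdr) != HEADER_LEN or hdr[:4] != UIMAGE_MAGIC:
        raise ValueError("no uImage header here")
    (_, hcrc, ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, hdr)
    # ih_hcrc is computed over the header with the ih_hcrc field itself zeroed
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    if len(data) != size or zlib.crc32(data) != dcrc:
        raise ValueError("payload truncated or data CRC mismatch")
    return {"load": load, "entry": ep, "size": size, "time": ts, "data": data,
            "os": OS_NAMES.get(os_, os_), "arch": ARCH_NAMES.get(arch, arch),
            "type": TYPE_NAMES.get(typ, typ), "comp": COMP_NAMES.get(comp, comp),
            "name": name.rstrip(b"\0").decode("ascii", "replace")}

def find_uimages(blob):
    """Scan a decrypted firmware blob; return (offset, image) for each valid uImage."""
    found, pos = [], blob.find(UIMAGE_MAGIC)
    while pos != -1:
        try:
            found.append((pos, parse_uimage(blob, pos)))
        except ValueError:
            pass  # magic look-alike or corrupt image: keep scanning
        pos = blob.find(UIMAGE_MAGIC, pos + 1)
    return found

def build_uimage(data, load, ep, name=b"Linux Kernel Image"):
    """Constructed test input: wrap `data` in a MIPS/Linux/LZMA-tagged header."""
    body = struct.pack(HEADER_FMT, 0x27051956, 0, 0, len(data), load, ep,
                       zlib.crc32(data), 5, 5, 2, 3, name)  # os, arch, type, comp
    return body[:4] + struct.pack(">I", zlib.crc32(body)) + body[8:] + data

# Constructed sample blob: padding, a uImage at offset 100, trailing bytes
SAMPLE = b"\xff" * 100 + build_uimage(b"\x5d" * 40, 0x80000000, 0x8000C190) + b"\0" * 16

if __name__ == "__main__":
    for off, img in find_uimages(SAMPLE):
        print(f"uImage at {off:#x}: {img['arch']} {img['os']} {img['comp']}, load {img['load']:#x}, entry {img['entry']:#x}")
```

On a real decrypted image the returned offset is what the dd skip= argument above needs, and a CRC failure tells you the decryption or carve is wrong before you spend time in IDA.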

To be continued…

Hacking on the Raspberry Pi system

Building the CMT2300A driver on a 64-bit Raspberry Pi Zero 2W Linux system:

sudo apt install linux-headers-rpi-v8 git build-essential
git clone -b Sub-1G-CMOSTEK-v3 --depth 1 git@github.com:kholia/linux.git

To be completed…

References: