NB: this applies only to the firmware shipped with the Nokia N810.
Overview
The Conexant chips are driven via command queues that take both data and control commands. Both are actually written right into the chip's memory and processed by the firmware from there, so the host has to keep track of which memory locations in the chip are used for what. I think by convention, some areas right above the firmware (which is located at 0x20000) are reserved for control commands.
Command structure
Each command starts with a __le16 command control field indicating the frame type and some other control bits.
The bits are defined as follows:
Bit | meaning |
0x8000 | control command |
0x0001 | trap (only for control commands?) |
Data Commands (TX)
Data commands always have 0x4000 set, sometimes also: 0x4010, 0x4810.
Data commands contain a control header that might look like this:
__le16 length; __le32 cookie; /* frame cookie for host use, must be unique */ __le16 control_type; /* ? various values observed */ u8 retry1, retry2; /* retry counts (why two? always identical?) */ u8 rates[8]; /* TX (-retry) rates */ // much more
followed by the frame data (including CRC?)
Data Commands (RX)
Seem to come with command control field of 0x44d, 0x443, 0x45d, 0x453, 0x4453, followed by a control header like this:
__le16 length; /* mpdu length */ __le16 frequency; /* in MHz */ u8 antenna; /* ?? */ u8 rate; /* probably not */ u8 rssi, qual; /* probably not */ u8 unknown[2]; /* rssi here instead? */ __le64 timestamp; u8 mpdu[variable]; u8 pad[variable]; /* 0-3 bytes so the whole command * is a multiple of four */