diff --git a/README.md b/README.md
index f41aef9b5..02a55074d 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@ bcm43430a11 | 7_45_41_26 | Raspberry Pi 3 and Zero W
bcm43430a11 | 7_45_41_46 | Raspberry Pi 3 and Zero W | Raspbian Stretch | X | X | X | X | X | O
bcm43451b1 | 7_63_43_0 | iPhone 6 | iOS 10.1.1 (14B100) | | | | X | X |
bcm43455 | 7_45_77_0_hw | Huawei P9 | Android 7 Stock | X | X | X | X | X |
+bcm43455 | 7_45_88_10_C0 | LG G5 | Android 7 Stock | | | | X | X |
bcm43455 | 7_120_5_1_sta_C0 | Galaxy J7 2017 | ? | | | | X | X |
bcm43455 | 7_45_77_0_hw(8-2017) | Huawei P9 | Android 7 Stock | X | X | X | X | X |
bcm434555 | 7_46_77_11_hw | Huawei P9 | Android 8 China Stock | X | X | X | X | X |
diff --git a/firmwares/bcm43455/7_45_88_10_C0/Makefile b/firmwares/bcm43455/7_45_88_10_C0/Makefile
new file mode 100644
index 000000000..a600adad5
--- /dev/null
+++ b/firmwares/bcm43455/7_45_88_10_C0/Makefile
@@ -0,0 +1,29 @@
+include definitions.mk
+
+all: ucode.bin templateram.bin flashpatches.c
+
+ucode.bin: $(RAM_FILE) definitions.mk
+ @printf "\033[0;31m EXTRACTING UCODE\033[0m\n"
+ $(Q)dd if=$< of=$@ bs=1 skip=$$(($(UCODESTART)-$(RAMSTART))) count=$$(($(UCODESIZE))) 2>/dev/null
+
+templateram.bin: $(RAM_FILE) definitions.mk
+ @printf "\033[0;31m EXTRACTING TEMPLATERAM\033[0m\n"
+ $(Q)dd if=$< of=$@ bs=1 skip=$$(($(TEMPLATERAMSTART)-$(RAMSTART))) count=$$(($(TEMPLATERAMSIZE))) 2>/dev/null
+
+flashpatches.c: $(RAM_FILE) definitions.mk
+ @printf "\033[0;31m EXTRACTING FLASHPATCHES\033[0m\n"
+ $(Q)printf "#include \n\n" > flashpatches.c
+ $(Q)$(NEXMON_ROOT)/buildtools/flash_patch_extractor/fpext -r $< -s $(RAMSTART) -b $(FP_CONFIG_ORIGBASE) -e $(FP_CONFIG_ORIGEND) >> $@
+
+rom.bin: ../rom.bin
+ @printf "\033[0;31m APPLYING FLASHPATCHES TO CLEAN ROM\033[0m\n"
+ $(Q)$(NEXMON_ROOT)/buildtools/flash_patch_extractor/fpext -r $(RAM_FILE) -s $(RAMSTART) -b $(FP_CONFIG_ORIGBASE) -e $(FP_CONFIG_ORIGEND) -i $< -o $@ -t $(ROMSTART) > /dev/null
+
+complete.bin: $(RAM_FILE) rom.bin
+ @printf "\033[0;31m MERGING %s and rom.bin into %s\033[0m\n" $< $@
+ $(Q)dd if=rom.bin of=$@ bs=1 seek=$$(($(ROMSTART))) conv=notrunc 2>/dev/null
+ $(Q)dd if=$< of=$@ bs=1 seek=$$(($(RAMSTART))) conv=notrunc 2>/dev/null
+
+clean:
+ @printf "\033[0;31m CLEANING\033[0m\n"
+ $(Q)rm -f ucode.bin templateram.bin flashpatches.c rom.bin
diff --git a/firmwares/bcm43455/7_45_88_10_C0/definitions.mk b/firmwares/bcm43455/7_45_88_10_C0/definitions.mk
new file mode 100644
index 000000000..4dbb6c2ee
--- /dev/null
+++ b/firmwares/bcm43455/7_45_88_10_C0/definitions.mk
@@ -0,0 +1,38 @@
+NEXMON_CHIP=CHIP_VER_BCM43455
+NEXMON_CHIP_NUM=`$(NEXMON_ROOT)/buildtools/scripts/getdefine.sh $(NEXMON_CHIP)`
+NEXMON_FW_VERSION=FW_VER_7_45_88_10_C0
+NEXMON_FW_VERSION_NUM=`$(NEXMON_ROOT)/buildtools/scripts/getdefine.sh $(NEXMON_FW_VERSION)`
+
+NEXMON_ARCH=armv7-r
+
+RAM_FILE=fw_bcmdhd.bin
+RAMSTART=0x198000
+RAMSIZE=0xC8000
+
+ROM_FILE=rom.bin
+ROMSTART=0x0
+ROMSIZE=0xB0000
+
+HNDRTE_RECLAIM_0_END=0x23ABCC #0xA2BCC + ram_start
+
+PATCHSIZE=0x4000
+PATCHSTART=$$(($(HNDRTE_RECLAIM_0_END) - $(PATCHSIZE)))
+
+# original ucode start and size
+UCODESTART=0x22CD14 # 0x94d14 + ramstart
+UCODESIZE=0xD5D8 # 0xa22ec - 0x94d14
+
+# original template ram start and size
+TEMPLATERAMSTART=0x23A2EC #0xa22ec + ramstart (ucodeEnd= ucodestart+size)
+TEMPLATERAMSIZE=0x8E0 # 0xA2BCC - 0x22ec (HDRTE_RECLAIR_0_END - templateramstart)
+
+FP_DATA_END_PTR=0x209580 #0x71580 +ram_sart
+FP_CONFIG_BASE_PTR_1=0x20B8F8 #0x738f8 +ram_start #20b948 el parcheado debe apuntar a 236bcc
+FP_CONFIG_END_PTR_1=0x20B8F4 #0x738f4 + ram_start
+FP_CONFIG_BASE_PTR_2=0x20BB7C #0x73b7c + ram_strrat
+FP_CONFIG_END_PTR_2=0x20BB78 #0x73b78 + ram_strrat
+FP_CONFIG_SIZE=0xc00 #no lo se rick
+FP_CONFIG_BASE=$$(($(PATCHSTART) - $(FP_CONFIG_SIZE)))
+FP_DATA_BASE=0x198800 #0x800 + ram strat
+FP_CONFIG_ORIGBASE=0x199000 #0x1000 + ram strat
+FP_CONFIG_ORIGEND=0x199C00 #0x1c00 + ram_strart
diff --git a/firmwares/bcm43455/7_45_88_10_C0/fw_bcmdhd.bin b/firmwares/bcm43455/7_45_88_10_C0/fw_bcmdhd.bin
new file mode 100755
index 000000000..932539e4f
Binary files /dev/null and b/firmwares/bcm43455/7_45_88_10_C0/fw_bcmdhd.bin differ
diff --git a/firmwares/bcm43455/7_45_88_10_C0/structs.h b/firmwares/bcm43455/7_45_88_10_C0/structs.h
new file mode 100644
index 000000000..14cfcfd02
--- /dev/null
+++ b/firmwares/bcm43455/7_45_88_10_C0/structs.h
@@ -0,0 +1,52 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#ifndef STRUCTS_H
+#define STRUCTS_H
+
+/* band types */
+#define WLC_BAND_AUTO 0 /* auto-select */
+#define WLC_BAND_5G 1 /* 5 Ghz */
+#define WLC_BAND_2G 2 /* 2.4 Ghz */
+#define WLC_BAND_ALL 3 /* all bands */
+
+#ifndef PAD
+#define _PADLINE(line) pad ## line
+#define _XSTR(line) _PADLINE(line)
+#define PAD _XSTR(__LINE__)
+#endif
+
+#include "../structs.common.h"
+
+#endif /*STRUCTS_H */
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/Makefile b/patches/bcm43455/7_45_88_10_C0/nexmon/Makefile
new file mode 100644
index 000000000..fa0417f65
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/Makefile
@@ -0,0 +1,202 @@
+GIT_VERSION := $(shell git describe --abbrev=4 --dirty --always --tags)
+include ../version.mk
+include $(FW_PATH)/definitions.mk
+
+LOCAL_SRCS=$(wildcard src/*.c) src/ucode_compressed.c src/templateram.c
+COMMON_SRCS=$(wildcard $(NEXMON_ROOT)/patches/common/*.c)
+FW_SRCS=$(wildcard $(FW_PATH)/*.c)
+
+OBJS=$(addprefix obj/,$(notdir $(LOCAL_SRCS:.c=.o)) $(notdir $(COMMON_SRCS:.c=.o)) $(notdir $(FW_SRCS:.c=.o)))
+
+CFLAGS= \
+ -fplugin=$(CCPLUGIN) \
+ -fplugin-arg-nexmon-objfile=$@ \
+ -fplugin-arg-nexmon-prefile=gen/nexmon.pre \
+ -fplugin-arg-nexmon-chipver=$(NEXMON_CHIP_NUM) \
+ -fplugin-arg-nexmon-fwver=$(NEXMON_FW_VERSION_NUM) \
+ -fno-strict-aliasing \
+ -DNEXMON_CHIP=$(NEXMON_CHIP) \
+ -DNEXMON_FW_VERSION=$(NEXMON_FW_VERSION) \
+ -DPATCHSTART=$(PATCHSTART) \
+ -DUCODESIZE=$(UCODESIZE) \
+ -DGIT_VERSION=\"$(GIT_VERSION)\" \
+ -DBUILD_NUMBER=\"$$(cat BUILD_NUMBER)\" \
+ -Wall -Werror -O2 -nostdlib -nostartfiles -ffreestanding -mthumb -march=$(NEXMON_ARCH) \
+ -ffunction-sections -fdata-sections \
+ -I$(NEXMON_ROOT)/patches/include \
+ -Iinclude \
+ -I$(FW_PATH)
+
+all: fw_bcmdhd.bin
+
+init: FORCE
+ $(Q)if ! test -f BUILD_NUMBER; then echo 0 > BUILD_NUMBER; fi
+ $(Q)echo $$(($$(cat BUILD_NUMBER) + 1)) > BUILD_NUMBER
+ #$(Q)touch src/version.c
+ $(Q)make -s -f $(NEXMON_ROOT)/patches/common/header.mk
+ $(Q)mkdir -p obj gen log
+
+obj/%.o: src/%.c
+ @printf "\033[0;31m COMPILING\033[0m %s => %s (details: log/compiler.log)\n" $< $@
+ $(Q)cat gen/nexmon.pre 2>>log/error.log | gawk '{ if ($$3 != "$@") print; }' > tmp && mv tmp gen/nexmon.pre
+ $(Q)$(CC)gcc $(CFLAGS) -c $< -o $@ >>log/compiler.log
+
+obj/%.o: $(NEXMON_ROOT)/patches/common/%.c
+ @printf "\033[0;31m COMPILING\033[0m %s => %s (details: log/compiler.log)\n" $< $@
+ $(Q)cat gen/nexmon.pre 2>>log/error.log | gawk '{ if ($$3 != "$@") print; }' > tmp && mv tmp gen/nexmon.pre
+ $(Q)$(CC)gcc $(CFLAGS) -c $< -o $@ >>log/compiler.log
+
+obj/%.o: $(FW_PATH)/%.c
+ @printf "\033[0;31m COMPILING\033[0m %s => %s (details: log/compiler.log)\n" $< $@
+ $(Q)cat gen/nexmon.pre 2>>log/error.log | gawk '{ if ($$3 != "$@") print; }' > tmp && mv tmp gen/nexmon.pre
+ $(Q)$(CC)gcc $(CFLAGS) -c $< -o $@ >>log/compiler.log
+
+gen/nexmon2.pre: $(OBJS)
+ @printf "\033[0;31m PREPARING\033[0m %s => %s\n" "gen/nexmon.pre" $@
+ $(Q)cat gen/nexmon.pre | awk '{ if ($$3 != "obj/flashpatches.o" && $$3 != "obj/wrapper.o") { print $$0; } }' > tmp
+ $(Q)cat gen/nexmon.pre | awk '{ if ($$3 == "obj/flashpatches.o" || $$3 == "obj/wrapper.o") { print $$0; } }' >> tmp
+ $(Q)cat tmp | awk '{ if ($$1 ~ /^0x/) { if ($$3 != "obj/flashpatches.o" && $$3 != "obj/wrapper.o") { if (!x[$$1]++) { print $$0; } } else { if (!x[$$1]) { print $$0; } } } else { print $$0; } }' > gen/nexmon2.pre
+
+gen/nexmon.ld: gen/nexmon2.pre $(OBJS)
+ @printf "\033[0;31m GENERATING LINKER FILE\033[0m gen/nexmon.pre => %s\n" $@
+ $(Q)sort gen/nexmon2.pre | gawk -f $(NEXMON_ROOT)/buildtools/scripts/nexmon.ld.awk > $@
+
+gen/nexmon.mk: gen/nexmon2.pre $(OBJS) $(FW_PATH)/definitions.mk
+ @printf "\033[0;31m GENERATING MAKE FILE\033[0m gen/nexmon.pre => %s\n" $@
+ $(Q)printf "fw_bcmdhd.bin: gen/patch.elf FORCE\n" > $@
+ $(Q)sort gen/nexmon2.pre | \
+ gawk -v src_file=gen/patch.elf -f $(NEXMON_ROOT)/buildtools/scripts/nexmon.mk.1.awk | \
+ gawk -v ramstart=$(RAMSTART) -f $(NEXMON_ROOT)/buildtools/scripts/nexmon.mk.2.awk >> $@
+ $(Q)printf "\nFORCE:\n" >> $@
+ $(Q)gawk '!a[$$0]++' $@ > tmp && mv tmp $@
+
+gen/flashpatches.ld: gen/nexmon2.pre $(OBJS)
+ @printf "\033[0;31m GENERATING LINKER FILE\033[0m gen/nexmon.pre => %s\n" $@
+ $(Q)sort gen/nexmon2.pre | \
+ gawk -f $(NEXMON_ROOT)/buildtools/scripts/flashpatches.ld.awk > $@
+
+gen/flashpatches.mk: gen/nexmon2.pre $(OBJS) $(FW_PATH)/definitions.mk
+ @printf "\033[0;31m GENERATING MAKE FILE\033[0m gen/nexmon.pre => %s\n" $@
+ $(Q)cat gen/nexmon2.pre | gawk \
+ -v fp_data_base=$(FP_DATA_BASE) \
+ -v fp_config_base=$(FP_CONFIG_BASE) \
+ -v fp_data_end_ptr=$(FP_DATA_END_PTR) \
+ -v fp_config_base_ptr_1=$(FP_CONFIG_BASE_PTR_1) \
+ -v fp_config_end_ptr_1=$(FP_CONFIG_END_PTR_1) \
+ -v fp_config_base_ptr_2=$(FP_CONFIG_BASE_PTR_2) \
+ -v fp_config_end_ptr_2=$(FP_CONFIG_END_PTR_2) \
+ -v ramstart=$(RAMSTART) \
+ -v out_file=fw_bcmdhd.bin \
+ -v src_file=gen/patch.elf \
+ -f $(NEXMON_ROOT)/buildtools/scripts/flashpatches.mk.awk > $@
+
+gen/memory.ld: $(FW_PATH)/definitions.mk
+ @printf "\033[0;31m GENERATING LINKER FILE\033[0m %s\n" $@
+ $(Q)printf "rom : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(ROMSTART) $(ROMSIZE) > $@
+ $(Q)printf "ram : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(RAMSTART) $(RAMSIZE) >> $@
+ $(Q)printf "patch : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(PATCHSTART) $(PATCHSIZE) >> $@
+ $(Q)printf "ucode : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(UCODESTART) $$(($(FP_CONFIG_BASE) - $(UCODESTART))) >> $@
+ $(Q)printf "fpconfig : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(FP_CONFIG_BASE) $(FP_CONFIG_SIZE) >> $@
+
+gen/patch.elf: patch.ld gen/nexmon.ld gen/flashpatches.ld gen/memory.ld $(OBJS)
+ @printf "\033[0;31m LINKING OBJECTS\033[0m => %s (details: log/linker.log, log/linker.err)\n" $@
+ $(Q)$(CC)ld -T $< -o $@ --gc-sections --print-gc-sections -M >>log/linker.log 2>>log/linker.err
+
+fw_bcmdhd.bin: init gen/patch.elf $(FW_PATH)/$(RAM_FILE) gen/nexmon.mk gen/flashpatches.mk
+ $(Q)cp $(FW_PATH)/$(RAM_FILE) $@
+ @printf "\033[0;31m APPLYING FLASHPATCHES\033[0m gen/flashpatches.mk => %s (details: log/flashpatches.log)\n" $@
+ $(Q)make -f gen/flashpatches.mk >>log/flashpatches.log 2>>log/flashpatches.log
+ @printf "\033[0;31m APPLYING PATCHES\033[0m gen/nexmon.mk => %s (details: log/patches.log)\n" $@
+ $(Q)make -f gen/nexmon.mk >>log/patches.log 2>>log/flashpatches.log
+
+fw_bcmdhd.complete.clean.bin: $(FW_PATH)/$(RAM_FILE) $(FW_PATH)/$(ROM_FILE)
+ dd if=$(FW_PATH)/$(ROM_FILE) of=$@ bs=1 status=none conv=notrunc seek=$$(($(ROMSTART)))
+ dd if=$< of=$@ bs=1 status=none conv=notrunc seek=$$(($(RAMSTART)))
+
+fw_bcmdhd.complete.bin: fw_bcmdhd.bin $(FW_PATH)/$(ROM_FILE)
+ dd if=$(FW_PATH)/$(ROM_FILE) of=$@ bs=1 status=none conv=notrunc seek=$$(($(ROMSTART)))
+ dd if=$< of=$@ bs=1 status=none conv=notrunc seek=$$(($(RAMSTART)))
+
+###################################################################
+# ucode compression related
+###################################################################
+
+ifneq ($(wildcard src/ucode.asm), )
+gen/ucode.bin: src/ucode.asm
+ @printf "\033[0;31m ASSEMBLING UCODE\033[0m %s => %s\n" $< $@
+
+ifneq ($(wildcard $(NEXMON_ROOT)/buildtools/b43/assembler/b43-asm.bin), )
+ $(Q)PATH=$(PATH):$(NEXMON_ROOT)/buildtools/b43/assembler $(NEXMON_ROOT)/buildtools/b43/assembler/b43-asm $< $@ --format raw-le32
+else
+ $(error Warning: please compile b43-asm.bin first)
+endif
+
+else
+gen/ucode.bin: $(FW_PATH)/ucode.bin
+ @printf "\033[0;31m COPYING UCODE\033[0m %s => %s\n" $< $@
+ $(Q)cp $< $@
+endif
+
+gen/ucode_compressed.bin: gen/ucode.bin
+ @printf "\033[0;31m COMPRESSING UCODE\033[0m %s => %s\n" $< $@
+ $(Q)cat $< | $(ZLIBFLATE) > $@
+
+src/ucode_compressed.c: gen/ucode_compressed.bin
+ @printf "\033[0;31m GENERATING C FILE\033[0m %s => %s\n" $< $@
+ $(Q)printf "#pragma NEXMON targetregion \"ucode\"\n\n" > $@
+ $(Q)cd $(dir $<) && xxd -i $(notdir $<) >> $(shell pwd)/$@
+
+src/templateram.c: $(FW_PATH)/templateram.bin
+ @printf "\033[0;31m GENERATING C FILE\033[0m %s => %s\n" $< $@
+ $(Q)printf "#pragma NEXMON targetregion \"ucode\"\n\n" > $@
+ $(Q)cd $(dir $<) && xxd -i $(notdir $<) >> $(shell pwd)/$@
+
+###################################################################
+
+check-nexmon-setup-env:
+ifndef NEXMON_SETUP_ENV
+ $(error run 'source setup_env.sh' first in the repository\'s root directory)
+endif
+
+copy-firmware:
+ @printf "\033[0;31m COPYING TO PHONE\033[0m %s => /sdcard/%s\n" $< $<
+ $(Q)adb push fw_bcmdhd.bin /sdcard/
+
+install-firmware:
+ @printf "\033[0;31m REMOUNTING /vendor\033[0m\n"
+ $(Q)adb shell 'su -c "mount -o rw,remount /vendor"'
+ @printf "\033[0;31m COPYING TO PHONE\033[0m %s => /sdcard/%s\n" $< $<
+ $(Q)adb push fw_bcmdhd.bin /sdcard/
+ @printf "\033[0;31m COPYING\033[0m /sdcard/fw_bcmdhd.bin => /vendor/firmware/fw_bcmdhd.bin\n"
+ $(Q)adb shell 'su -c "cp /sdcard/fw_bcmdhd.bin /system/etc/firmware/fw_bcmdhd.bin"'
+ @printf "\033[0;31m RELOADING FIRMWARE\033[0m\n"
+ $(Q)adb shell 'su -c "ifconfig wlan0 down && ifconfig wlan0 up"'
+
+install-original: $(FW_PATH)/$(RAM_FILE)
+ @printf "\033[0;31m REMOUNTING /vendor\033[0m\n"
+ $(Q)adb shell 'su -c "mount -o rw,remount /vendor"'
+ @printf "\033[0;31m COPYING TO PHONE\033[0m %s => /sdcard/%s\n" $< $<
+ $(Q)adb push $< /sdcard/ >> log/adb.log 2>> log/adb.log
+ @printf "\033[0;31m COPYING\033[0m /sdcard/fw_bcmdhd.bin => /vendor/firmware/fw_bcmdhd.bin\n"
+ $(Q)adb shell 'su -c "cp /sdcard/fw_bcmdhd.bin /vendor/firmware/fw_bcmdhd.bin"'
+ @printf "\033[0;31m RELOADING FIRMWARE\033[0m\n"
+ $(Q)adb shell 'su -c "ifconfig wlan0 down && ifconfig wlan0 up"'
+
+backup-firmware: FORCE
+ adb shell 'su -c "cp /vendor/firmware/fw_bcmdhd.bin /sdcard/fw_bcmdhd.orig.bin"'
+ adb pull /sdcard/fw_bcmdhd.orig.bin
+
+install-backup: fw_bcmdhd.orig.bin
+ adb shell 'su -c "mount -o rw,remount /system"' && \
+ adb push $< /sdcard/ && \
+ adb shell 'su -c "cp /sdcard/fw_bcmdhd.bin /vendor/firmware/fw_bcmdhd.bin"'
+ adb shell 'su -c "ifconfig wlan0 down && ifconfig wlan0 up"'
+
+clean-firmware: FORCE
+ @printf "\033[0;31m CLEANING\033[0m\n"
+ $(Q)rm -fr fw_bcmdhd.bin obj gen log src/ucode_compressed.c src/templateram.c
+
+clean: clean-firmware
+ $(Q)rm -f BUILD_NUMBER
+
+FORCE:
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/include/vendor_radiotap.h b/patches/bcm43455/7_45_88_10_C0/nexmon/include/vendor_radiotap.h
new file mode 100644
index 000000000..0588d0350
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/include/vendor_radiotap.h
@@ -0,0 +1,67 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#ifndef VENDOR_RADIOTAP_H
+#define VENDOR_RADIOTAP_H
+
+extern const struct ieee80211_radiotap_vendor_namespaces rtap_vendor_namespaces;
+
+/* Name Data type Units
+ * ---- --------- -----
+ *
+ * RADIOTAP_NEX_TXDELAY s32 milliseconds
+ *
+ * Value in milliseconds to wait before transmitting this frame
+ * for the first time
+ *
+ * RADIOTAP_NEX_TXREPETITIONS 2 x s32 unitless, milliseconds
+ *
+ * Amount of how often this frame should be transmitted and the
+ * periodicity in milliseconds of the retransmissions. Setting
+ * the number of retransmissions to -1 leads to infinite
+ * retransmissions
+ *
+ * RADIOTAP_NEX_RATESPEC u32 unitless
+ *
+ * Define the ratespec according to the definitions in rates.h
+ * This value overrides the rate settings in the regular
+ * radiotap header
+ */
+enum radiotap_nex_vendor_subns_0_type {
+ RADIOTAP_NEX_TXDELAY = 0,
+ RADIOTAP_NEX_TXREPETITIONS = 1,
+ RADIOTAP_NEX_RATESPEC = 2
+};
+
+#endif /* VENDOR_RADIOTAP_H */
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/patch.ld b/patches/bcm43455/7_45_88_10_C0/nexmon/patch.ld
new file mode 100644
index 000000000..0fbd55979
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/patch.ld
@@ -0,0 +1,10 @@
+MEMORY
+{
+ INCLUDE gen/memory.ld
+}
+
+SECTIONS
+{
+ INCLUDE gen/flashpatches.ld
+ INCLUDE gen/nexmon.ld
+}
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/src/injection.c b/patches/bcm43455/7_45_88_10_C0/nexmon/src/injection.c
new file mode 100644
index 000000000..de5bd8082
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/src/injection.c
@@ -0,0 +1,133 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#pragma NEXMON targetregion "patch"
+
+#include // definition of firmware version macros
+#include // contains macros to access the debug hardware
+#include // wrapper definitions for functions that already exist in the firmware
+#include // structures that are used by the code in the firmware
+#include // useful helper functions
+#include // macros used to craete patches such as BLPatch, BPatch, ...
+#include // rates used to build the ratespec for frame injection
+#include // radiotap header related
+#include // vendor specific radiotap extensions
+
+char
+sendframe(struct wlc_info *wlc, struct sk_buff *p, unsigned int fifo, unsigned int rate);
+
+inline uint32_t
+get_unaligned_le32(void *p) {
+ return ((uint8 *) p)[0] | ((uint8 *) p)[1] << 8 | ((uint8 *) p)[2] << 16 | ((uint8 *) p)[3] << 24;
+}
+
+void *
+inject_frame(struct wlc_info *wlc, struct sk_buff *p)
+{
+ int rtap_len = 0;
+ int data_rate = 0;
+ unsigned char use_ratespec = 0;
+ //int txdelay = 0;
+ //int txrepetitions = 0;
+ //int txperiodicity = 0;
+
+ // Radiotap parsing:
+ struct ieee80211_radiotap_iterator iterator;
+ struct ieee80211_radiotap_header *rtap_header;
+
+ // parse radiotap header
+ rtap_len = *((char *)(p->data + 2));
+ rtap_header = (struct ieee80211_radiotap_header *) p->data;
+
+ int ret = ieee80211_radiotap_iterator_init(&iterator, rtap_header, rtap_len, &rtap_vendor_namespaces);
+
+ if(ret) {
+ pkt_buf_free_skb(wlc->osh, p, 0);
+ printf("rtap_init error\n");
+ return 0;
+ }
+
+ while(!ret) {
+ ret = ieee80211_radiotap_iterator_next(&iterator);
+
+ if(ret) {
+ continue;
+ }
+
+ if (iterator.current_namespace == &rtap_vendor_namespaces.ns[0]) {
+ switch(iterator.this_arg_index) {
+ case RADIOTAP_NEX_TXDELAY:
+ //txdelay = get_unaligned_le32(iterator.this_arg);
+ break;
+
+ case RADIOTAP_NEX_TXREPETITIONS:
+ //txrepetitions = get_unaligned_le32(iterator.this_arg);
+ //txperiodicity = get_unaligned_le32(iterator.this_arg + 4);
+ break;
+
+ case RADIOTAP_NEX_RATESPEC:
+ data_rate = get_unaligned_le32(iterator.this_arg);
+ use_ratespec = 1; // this will override the rate of the regular radiotap header
+ break;
+
+ default:
+ printf("unknows vendor field %d\n", iterator.this_arg_index);
+ }
+
+ } else if (iterator.current_namespace == &radiotap_ns) {
+ switch(iterator.this_arg_index) {
+ case IEEE80211_RADIOTAP_RATE:
+ if (!use_ratespec) {
+ data_rate = (*iterator.this_arg);
+ }
+ break;
+
+ case IEEE80211_RADIOTAP_CHANNEL:
+ //printf("Channel (freq): %d\n", iterator.this_arg[0] | (iterator.this_arg[1] << 8) );
+ break;
+
+ default:
+ //printf("default: %d\n", iterator.this_arg_index);
+ break;
+ }
+ }
+ }
+
+ // remove radiotap header
+ skb_pull(p, rtap_len);
+
+ sendframe(wlc, p, 1, data_rate);
+
+ return 0;
+}
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/src/ioctl.c b/patches/bcm43455/7_45_88_10_C0/nexmon/src/ioctl.c
new file mode 100644
index 000000000..428ffd97d
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/src/ioctl.c
@@ -0,0 +1,138 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#pragma NEXMON targetregion "patch"
+
+#include // definition of firmware version macros
+#include // contains macros to access the debug hardware
+#include // wrapper definitions for functions that already exist in the firmware
+#include // structures that are used by the code in the firmware
+#include // useful helper functions
+#include // macros used to craete patches such as BLPatch, BPatch, ...
+#include // rates used to build the ratespec for frame injection
+#include // ioctls added in the nexmon patch
+#include // capabilities included in a nexmon patch
+#include // sendframe functionality
+#include // version information
+#include // Radiotap header relateds
+
+extern void *inject_frame(struct wlc_info *wlc, struct sk_buff *p);
+
+struct inject_frame {
+ unsigned short len;
+ unsigned char pad;
+ unsigned char type;
+ char data[];
+};
+
+int
+wlc_ioctl_hook(struct wlc_info *wlc, int cmd, char *arg, int len, void *wlc_if)
+{
+ int ret = IOCTL_ERROR;
+
+ switch (cmd) {
+ case NEX_GET_CAPABILITIES:
+ if (len == 4) {
+ memcpy(arg, &capabilities, 4);
+ ret = IOCTL_SUCCESS;
+ }
+ break;
+
+ case NEX_WRITE_TO_CONSOLE:
+ if (len > 0) {
+ arg[len-1] = 0;
+ printf("ioctl: %s\n", arg);
+ ret = IOCTL_SUCCESS;
+ }
+ break;
+
+ case NEX_GET_VERSION_STRING:
+ {
+ int strlen = 0;
+ for ( strlen = 0; version[strlen]; ++strlen );
+ if (len >= strlen) {
+ memcpy(arg, version, strlen);
+ ret = IOCTL_SUCCESS;
+ }
+ }
+ break;
+
+ case NEX_INJECT_FRAME:
+ {
+ sk_buff *p;
+ int bytes_used = 0;
+ struct inject_frame *frm = (struct inject_frame *) arg;
+
+ while ((frm->len > 0) && (bytes_used + frm->len <= len)) {
+ // add a dummy radiotap header if frame does not contain one
+ if (frm->type == 0) {
+ p = pkt_buf_get_skb(wlc->osh, frm->len + 202 + 8 - 4);
+ skb_pull(p, 202);
+ struct ieee80211_radiotap_header *radiotap =
+ (struct ieee80211_radiotap_header *) p->data;
+
+ memset(radiotap, 0, sizeof(struct ieee80211_radiotap_header));
+
+ radiotap->it_len = 8;
+
+ skb_pull(p, 8);
+ memcpy(p->data, frm->data, frm->len - 4);
+ skb_push(p, 8);
+ } else {
+ p = pkt_buf_get_skb(wlc->osh, frm->len + 202 - 4);
+ skb_pull(p, 202);
+
+ memcpy(p->data, frm->data, frm->len - 4);
+ }
+
+ inject_frame(wlc, p);
+
+ bytes_used += frm->len;
+
+ frm = (struct inject_frame *) (arg + bytes_used);
+ }
+
+ ret = IOCTL_SUCCESS;
+ }
+ break;
+
+ default:
+ ret = wlc_ioctl(wlc, cmd, arg, len, wlc_if);
+ }
+
+ return ret;
+}
+
+__attribute__((at(0x2150DC, "", CHIP_VER_BCM43455, FW_VER_7_45_88_10_C0)))
+GenericPatch4(wlc_ioctl_hook, wlc_ioctl_hook + 1);
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/src/monitormode.c b/patches/bcm43455/7_45_88_10_C0/nexmon/src/monitormode.c
new file mode 100644
index 000000000..8e9f3a69d
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/src/monitormode.c
@@ -0,0 +1,211 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#pragma NEXMON targetregion "patch"
+
+#include // definition of firmware version macros
+#include // contains macros to access the debug hardware
+#include // wrapper definitions for functions that already exist in the firmware
+#include // structures that are used by the code in the firmware
+#include // useful helper functions
+#include // macros used to craete patches such as BLPatch, BPatch, ...
+#include // rates used to build the ratespec for frame injection
+#include
+#include // defitionons such as MONITOR_...
+
+#define RADIOTAP_MCS
+#define RADIOTAP_VENDOR
+#include
+
+// plcp length in bytes
+#define PLCP_LEN 6
+
+extern void prepend_ethernet_ipv4_udp_header(struct sk_buff *p);
+
+static int
+channel2freq(struct wl_info *wl, unsigned int channel)
+{
+ int freq = 0;
+ void *ci = 0;
+
+ wlc_phy_chan2freq_acphy(wl->wlc->band->pi, channel, &freq, &ci);
+
+ return freq;
+}
+
+static void
+wl_monitor_radiotap(struct wl_info *wl, struct wl_rxsts *sts, struct sk_buff *p)
+{
+ struct osl_info *osh = wl->wlc->osh;
+ unsigned int p_len_new;
+ struct sk_buff *p_new;
+
+
+ p_len_new = p->len + sizeof(struct nexmon_radiotap_header);
+
+ // We figured out that frames larger than 2032 will not arrive in user space
+ if (p_len_new > 2032) {
+ printf("ERR: frame too large\n");
+ return;
+ } else {
+ p_new = pkt_buf_get_skb(osh, p_len_new);
+ }
+
+ if (!p_new) {
+ printf("ERR: no free sk_buff\n");
+ return;
+ }
+
+ struct nexmon_radiotap_header *frame = (struct nexmon_radiotap_header *) p_new->data;
+
+ memset(p_new->data, 0, sizeof(struct nexmon_radiotap_header));
+
+ frame->header.it_version = 0;
+ frame->header.it_pad = 0;
+ frame->header.it_len = sizeof(struct nexmon_radiotap_header) + PLCP_LEN;
+ frame->header.it_present =
+ (1<tsf.tsf_l = sts->mactime;
+ frame->tsf.tsf_h = 0;
+ frame->flags = IEEE80211_RADIOTAP_F_FCS;
+ frame->chan_freq = channel2freq(wl, CHSPEC_CHANNEL(sts->chanspec));
+
+ if (frame->chan_freq > 3000)
+ frame->chan_flags |= IEEE80211_CHAN_5GHZ;
+ else
+ frame->chan_flags |= IEEE80211_CHAN_2GHZ;
+
+ if (sts->encoding == WL_RXS_ENCODING_OFDM)
+ frame->chan_flags |= IEEE80211_CHAN_OFDM;
+ if (sts->encoding == WL_RXS_ENCODING_DSSS_CCK)
+ frame->chan_flags |= IEEE80211_CHAN_CCK;
+
+ frame->data_rate = sts->datarate;
+
+ frame->dbm_antsignal = sts->signal;
+ frame->dbm_antnoise = sts->noise;
+
+ if (sts->encoding == WL_RXS_ENCODING_HT) {
+ frame->mcs[0] =
+ IEEE80211_RADIOTAP_MCS_HAVE_BW
+ | IEEE80211_RADIOTAP_MCS_HAVE_MCS
+ | IEEE80211_RADIOTAP_MCS_HAVE_GI
+ | IEEE80211_RADIOTAP_MCS_HAVE_FMT
+ | IEEE80211_RADIOTAP_MCS_HAVE_FEC
+ | IEEE80211_RADIOTAP_MCS_HAVE_STBC;
+ switch(sts->htflags) {
+ case WL_RXS_HTF_40:
+ frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_BW_40;
+ break;
+ case WL_RXS_HTF_20L:
+ frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_BW_20L;
+ break;
+ case WL_RXS_HTF_20U:
+ frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_BW_20U;
+ break;
+ case WL_RXS_HTF_SGI:
+ frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_SGI;
+ break;
+ case WL_RXS_HTF_STBC_MASK:
+ frame->mcs[1] |= ((sts->htflags & WL_RXS_HTF_STBC_MASK) >> WL_RXS_HTF_STBC_SHIFT) << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
+ break;
+ case WL_RXS_HTF_LDPC:
+ frame->mcs[1] |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
+ break;
+ }
+ frame->mcs[2] = sts->mcs;
+ }
+
+ frame->vendor_oui[0] = 'N';
+ frame->vendor_oui[1] = 'E';
+ frame->vendor_oui[2] = 'X';
+ frame->vendor_sub_namespace = 0;
+ frame->vendor_skip_length = PLCP_LEN;
+
+ memcpy(p_new->data + sizeof(struct nexmon_radiotap_header), p->data, p->len);
+
+ //wl_sendup(wl, 0, p_new);
+ wl->dev->chained->funcs->xmit(wl->dev, wl->dev->chained, p_new);
+}
+
+void
+wl_monitor_hook(struct wl_info *wl, struct wl_rxsts *sts, struct sk_buff *p) {
+ unsigned char monitor = wl->wlc->monitor & 0xFF;
+
+ if (monitor & MONITOR_RADIOTAP) {
+ wl_monitor_radiotap(wl, sts, p);
+ }
+
+ if (monitor & MONITOR_IEEE80211) {
+ wl_monitor(wl, sts, p);
+ }
+
+ if (monitor & MONITOR_LOG_ONLY) {
+ printf("frame received\n");
+ }
+
+ if (monitor & MONITOR_DROP_FRM) {
+ ;
+ }
+
+ if (monitor & MONITOR_IPV4_UDP) {
+ printf("MONITOR over udp is not supported!\n");
+ }
+}
+
+// Hook the call to wl_monitor in wlc_monitor
+__attribute__((at(0x1B3A36, "", CHIP_VER_BCM43455, FW_VER_7_45_88_10_C0)))
+BLPatch(wl_monitor_hook, wl_monitor_hook);
+
+/* // no flashpatches left
+// activate badfcs, if MONITOR_ACTIVATE_BADFCS is set
+void
+wlc_mctrl_hook(struct wlc_info *wlc, uint32 mask, uint32 val)
+{
+ if (wlc->monitor & MONITOR_ACTIVATE_BADFCS)
+ wlc_mctrl(wlc, MCTL_PROMISC | MCTL_KEEPBADFCS | MCTL_KEEPCONTROL, MCTL_PROMISC | MCTL_KEEPBADFCS | MCTL_KEEPCONTROL);
+ else
+ wlc_mctrl(wlc, mask, val);
+}
+
+__attribute__((at(0x2FB9A, "flashpatch", CHIP_VER_BCM43455, FW_VER_ALL)))
+BLPatch(wlc_mctrl_hook, wlc_mctrl_hook);
+*/
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/src/patch.c b/patches/bcm43455/7_45_88_10_C0/nexmon/src/patch.c
new file mode 100644
index 000000000..8642f3468
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/src/patch.c
@@ -0,0 +1,60 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#pragma NEXMON targetregion "patch"
+
+#include // definition of firmware version macros
+#include // contains macros to access the debug hardware
+#include // wrapper definitions for functions that already exist in the firmware
+#include // structures that are used by the code in the firmware
+#include // useful helper functions
+#include // macros used to craete patches such as BLPatch, BPatch, ...
+#include // rates used to build the ratespec for frame injection
+#include // capabilities included in a nexmon patch
+
+int capabilities = NEX_CAP_MONITOR_MODE | NEX_CAP_MONITOR_MODE_RADIOTAP;
+
+// Hook the call to wlc_ucode_write in wlc_ucode_download
+__attribute__((at(0x218678, "", CHIP_VER_BCM43455, FW_VER_7_45_88_10_C0)))
+BLPatch(wlc_ucode_write_compressed, wlc_ucode_write_compressed);
+
+// reduce the amount of ucode memory freed to become part of the heap
+__attribute__((at(0x19A4BC, "", CHIP_VER_BCM43455, FW_VER_7_45_88_10_C0)))
+GenericPatch4(hndrte_reclaim_0_end, PATCHSTART);
+
+extern unsigned char templateram_bin[];
+
+// Moving template ram to another place in the ucode region
+__attribute__((at(0x22CB6C, "", CHIP_VER_BCM43455, FW_VER_7_45_88_10_C0)))
+GenericPatch4(templateram_bin, templateram_bin);
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/src/sendframe.c b/patches/bcm43455/7_45_88_10_C0/nexmon/src/sendframe.c
new file mode 100644
index 000000000..57bd11bb3
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/src/sendframe.c
@@ -0,0 +1,64 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#pragma NEXMON targetregion "patch"
+
+#include // definition of firmware version macros
+#include // contains macros to access the debug hardware
+#include // wrapper definitions for functions that already exist in the firmware
+#include // structures that are used by the code in the firmware
+#include // useful helper functions
+#include // macros used to craete patches such as BLPatch, BPatch, ...
+#include // rates used to build the ratespec for frame injection
+#include // ioctls added in the nexmon patch
+#include // capabilities included in a nexmon patch
+
+char
+sendframe(struct wlc_info *wlc, struct sk_buff *p, unsigned int fifo, unsigned int rate)
+{
+ char ret;
+
+ if (wlc->band->bandtype == WLC_BAND_5G && rate < RATES_RATE_6M) {
+ rate = RATES_RATE_6M;
+ }
+
+ if (wlc->hw->up) {
+ ret = wlc_sendctl(wlc, p, wlc->active_queue, wlc->band->hwrs_scb, fifo, rate, 0);
+ } else {
+ ret = wlc_sendctl(wlc, p, wlc->active_queue, wlc->band->hwrs_scb, fifo, rate, 1);
+ printf("ERR: wlc down\n");
+ }
+
+ return ret;
+}
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/src/vendor_radiotap.c b/patches/bcm43455/7_45_88_10_C0/nexmon/src/vendor_radiotap.c
new file mode 100644
index 000000000..9815d252f
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/src/vendor_radiotap.c
@@ -0,0 +1,59 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#pragma NEXMON targetregion "patch"
+
+#include
+#include
+
+static const struct radiotap_align_size radiotap_nex_vendor_subns_0_sizes[] = {
+ [RADIOTAP_NEX_TXDELAY] = { .align = 4, .size = 4, },
+ [RADIOTAP_NEX_TXREPETITIONS] = { .align = 8, .size = 8, },
+ [RADIOTAP_NEX_RATESPEC] = { .align = 4, .size = 4, },
+};
+
+static const struct ieee80211_radiotap_namespace radiotap_nex_vendor_ns[] = {
+ [0] = {
+ .n_bits = ARRAY_SIZE(radiotap_nex_vendor_subns_0_sizes),
+ .align_size = radiotap_nex_vendor_subns_0_sizes,
+ .oui = 0x004e4558, // NEX
+ .subns = 0
+ }
+};
+
+const struct ieee80211_radiotap_vendor_namespaces rtap_vendor_namespaces = {
+ .ns = radiotap_nex_vendor_ns,
+ .n_ns = ARRAY_SIZE(radiotap_nex_vendor_ns),
+};
+
\ No newline at end of file
diff --git a/patches/bcm43455/7_45_88_10_C0/nexmon/src/version.c b/patches/bcm43455/7_45_88_10_C0/nexmon/src/version.c
new file mode 100644
index 000000000..5ab2cbc27
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/nexmon/src/version.c
@@ -0,0 +1,43 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#pragma NEXMON targetregion "patch"
+
+#include // definition of firmware version macros
+#include // macros used to craete patches such as BLPatch, BPatch, ...
+
+char version[] = "nexmon_ver: " GIT_VERSION "-" BUILD_NUMBER "\n";
+
+//__attribute__((at(0x205510, "", CHIP_VER_BCM43455, FW_VER_7_45_77_0_23_8_2017)))
+//GenericPatch4(version_patch, version);
diff --git a/patches/bcm43455/7_45_88_10_C0/rom_extraction/Makefile b/patches/bcm43455/7_45_88_10_C0/rom_extraction/Makefile
new file mode 100644
index 000000000..a27fa82f8
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/rom_extraction/Makefile
@@ -0,0 +1,194 @@
+GIT_VERSION := $(shell git describe --abbrev=4 --dirty --always --tags)
+include ../version.mk
+include $(FW_PATH)/definitions.mk
+
+LOCAL_SRCS=$(wildcard src/*.c) src/ucode_compressed.c src/templateram.c
+COMMON_SRCS=$(wildcard $(NEXMON_ROOT)/patches/common/*.c)
+FW_SRCS=$(wildcard $(FW_PATH)/*.c)
+
+OBJS=$(addprefix obj/,$(notdir $(LOCAL_SRCS:.c=.o)) $(notdir $(COMMON_SRCS:.c=.o)) $(notdir $(FW_SRCS:.c=.o)))
+
+CFLAGS= \
+ -fplugin=$(CCPLUGIN) \
+ -fplugin-arg-nexmon-objfile=$@ \
+ -fplugin-arg-nexmon-prefile=gen/nexmon.pre \
+ -fplugin-arg-nexmon-chipver=$(NEXMON_CHIP_NUM) \
+ -fplugin-arg-nexmon-fwver=$(NEXMON_FW_VERSION_NUM) \
+ -fno-strict-aliasing \
+ -DNEXMON_CHIP=$(NEXMON_CHIP) \
+ -DNEXMON_FW_VERSION=$(NEXMON_FW_VERSION) \
+ -DPATCHSTART=$(PATCHSTART) \
+ -DUCODESIZE=$(UCODESIZE) \
+ -DGIT_VERSION=\"$(GIT_VERSION)\" \
+ -DBUILD_NUMBER=\"$$(cat BUILD_NUMBER)\" \
+ -Wall -Werror -O2 -nostdlib -nostartfiles -ffreestanding -mthumb -march=$(NEXMON_ARCH) \
+ -ffunction-sections -fdata-sections \
+ -I$(NEXMON_ROOT)/patches/include \
+ -Iinclude \
+ -I$(FW_PATH)
+
+all: fw_bcmdhd.bin
+
+init: FORCE
+ $(Q)if ! test -f BUILD_NUMBER; then echo 0 > BUILD_NUMBER; fi
+ $(Q)echo $$(($$(cat BUILD_NUMBER) + 1)) > BUILD_NUMBER
+ $(Q)touch src/version.c
+ $(Q)make -s -f $(NEXMON_ROOT)/patches/common/header.mk
+ $(Q)mkdir -p obj gen log
+
+obj/%.o: src/%.c
+ @printf "\033[0;31m COMPILING\033[0m %s => %s (details: log/compiler.log)\n" $< $@
+ $(Q)cat gen/nexmon.pre 2>>log/error.log | gawk '{ if ($$3 != "$@") print; }' > tmp && mv tmp gen/nexmon.pre
+ $(Q)$(CC)gcc $(CFLAGS) -c $< -o $@ >>log/compiler.log
+
+obj/%.o: $(NEXMON_ROOT)/patches/common/%.c
+ @printf "\033[0;31m COMPILING\033[0m %s => %s (details: log/compiler.log)\n" $< $@
+ $(Q)cat gen/nexmon.pre 2>>log/error.log | gawk '{ if ($$3 != "$@") print; }' > tmp && mv tmp gen/nexmon.pre
+ $(Q)$(CC)gcc $(CFLAGS) -c $< -o $@ >>log/compiler.log
+
+obj/%.o: $(FW_PATH)/%.c
+ @printf "\033[0;31m COMPILING\033[0m %s => %s (details: log/compiler.log)\n" $< $@
+ $(Q)cat gen/nexmon.pre 2>>log/error.log | gawk '{ if ($$3 != "$@") print; }' > tmp && mv tmp gen/nexmon.pre
+ $(Q)$(CC)gcc $(CFLAGS) -c $< -o $@ >>log/compiler.log
+
+gen/nexmon2.pre: $(OBJS)
+ @printf "\033[0;31m PREPARING\033[0m %s => %s\n" "gen/nexmon.pre" $@
+ $(Q)cat gen/nexmon.pre | awk '{ if ($$3 != "obj/flashpatches.o" && $$3 != "obj/wrapper.o") { print $$0; } }' > tmp
+ $(Q)cat gen/nexmon.pre | awk '{ if ($$3 == "obj/flashpatches.o" || $$3 == "obj/wrapper.o") { print $$0; } }' >> tmp
+ $(Q)cat tmp | awk '{ if ($$1 ~ /^0x/) { if ($$3 != "obj/flashpatches.o" && $$3 != "obj/wrapper.o") { if (!x[$$1]++) { print $$0; } } else { if (!x[$$1]) { print $$0; } } } else { print $$0; } }' > gen/nexmon2.pre
+
+gen/nexmon.ld: gen/nexmon2.pre $(OBJS)
+ @printf "\033[0;31m GENERATING LINKER FILE\033[0m gen/nexmon.pre => %s\n" $@
+ $(Q)sort gen/nexmon2.pre | gawk -f $(NEXMON_ROOT)/buildtools/scripts/nexmon.ld.awk > $@
+
+gen/nexmon.mk: gen/nexmon2.pre $(OBJS) $(FW_PATH)/definitions.mk
+ @printf "\033[0;31m GENERATING MAKE FILE\033[0m gen/nexmon.pre => %s\n" $@
+ $(Q)printf "fw_bcmdhd.bin: gen/patch.elf FORCE\n" > $@
+ $(Q)sort gen/nexmon2.pre | \
+ gawk -v src_file=gen/patch.elf -f $(NEXMON_ROOT)/buildtools/scripts/nexmon.mk.1.awk | \
+ gawk -v ramstart=$(RAMSTART) -f $(NEXMON_ROOT)/buildtools/scripts/nexmon.mk.2.awk >> $@
+ $(Q)printf "\nFORCE:\n" >> $@
+ $(Q)gawk '!a[$$0]++' $@ > tmp && mv tmp $@
+
+gen/flashpatches.ld: gen/nexmon2.pre $(OBJS)
+ @printf "\033[0;31m GENERATING LINKER FILE\033[0m gen/nexmon.pre => %s\n" $@
+ $(Q)sort gen/nexmon2.pre | \
+ gawk -f $(NEXMON_ROOT)/buildtools/scripts/flashpatches.ld.awk > $@
+
+gen/flashpatches.mk: gen/nexmon2.pre $(OBJS) $(FW_PATH)/definitions.mk
+ @printf "\033[0;31m GENERATING MAKE FILE\033[0m gen/nexmon.pre => %s\n" $@
+ $(Q)cat gen/nexmon2.pre | gawk \
+ -v fp_data_base=$(FP_DATA_BASE) \
+ -v fp_config_base=$(FP_CONFIG_BASE) \
+ -v fp_data_end_ptr=$(FP_DATA_END_PTR) \
+ -v fp_config_base_ptr_1=$(FP_CONFIG_BASE_PTR_1) \
+ -v fp_config_end_ptr_1=$(FP_CONFIG_END_PTR_1) \
+ -v fp_config_base_ptr_2=$(FP_CONFIG_BASE_PTR_2) \
+ -v fp_config_end_ptr_2=$(FP_CONFIG_END_PTR_2) \
+ -v ramstart=$(RAMSTART) \
+ -v out_file=fw_bcmdhd.bin \
+ -v src_file=gen/patch.elf \
+ -f $(NEXMON_ROOT)/buildtools/scripts/flashpatches.mk.awk > $@
+
+gen/memory.ld: $(FW_PATH)/definitions.mk
+ @printf "\033[0;31m GENERATING LINKER FILE\033[0m %s\n" $@
+ $(Q)printf "rom : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(ROMSTART) $(ROMSIZE) > $@
+ $(Q)printf "ram : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(RAMSTART) $(RAMSIZE) >> $@
+ $(Q)printf "patch : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(PATCHSTART) $(PATCHSIZE) >> $@
+ $(Q)printf "ucode : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(UCODESTART) $$(($(FP_CONFIG_BASE) - $(UCODESTART))) >> $@
+ $(Q)printf "fpconfig : ORIGIN = 0x%08x, LENGTH = 0x%08x\n" $(FP_CONFIG_BASE) $(FP_CONFIG_SIZE) >> $@
+
+gen/patch.elf: patch.ld gen/nexmon.ld gen/flashpatches.ld gen/memory.ld $(OBJS)
+ @printf "\033[0;31m LINKING OBJECTS\033[0m => %s (details: log/linker.log, log/linker.err)\n" $@
+ $(Q)$(CC)ld -T $< -o $@ --gc-sections --print-gc-sections -M >>log/linker.log 2>>log/linker.err
+
+fw_bcmdhd.bin: init gen/patch.elf $(FW_PATH)/$(RAM_FILE) gen/nexmon.mk gen/flashpatches.mk
+ $(Q)cp $(FW_PATH)/$(RAM_FILE) $@
+ @printf "\033[0;31m APPLYING FLASHPATCHES\033[0m gen/flashpatches.mk => %s (details: log/flashpatches.log)\n" $@
+ $(Q)make -f gen/flashpatches.mk >>log/flashpatches.log 2>>log/flashpatches.log
+ @printf "\033[0;31m APPLYING PATCHES\033[0m gen/nexmon.mk => %s (details: log/patches.log)\n" $@
+ $(Q)make -f gen/nexmon.mk >>log/patches.log 2>>log/flashpatches.log
+
+###################################################################
+# ucode compression related
+###################################################################
+
+ifneq ($(wildcard src/ucode.asm), )
+gen/ucode.bin: src/ucode.asm
+ @printf "\033[0;31m ASSEMBLING UCODE\033[0m %s => %s\n" $< $@
+
+ifneq ($(wildcard $(NEXMON_ROOT)/buildtools/b43/assembler/b43-asm.bin), )
+ $(Q)PATH=$(PATH):$(NEXMON_ROOT)/buildtools/b43/assembler $(NEXMON_ROOT)/buildtools/b43/assembler/b43-asm $< $@ --format raw-le32
+else
+ $(error Warning: please compile b43-asm.bin first)
+endif
+
+else
+gen/ucode.bin: $(FW_PATH)/ucode.bin
+ @printf "\033[0;31m COPYING UCODE\033[0m %s => %s\n" $< $@
+ $(Q)cp $< $@
+endif
+
+gen/ucode_compressed.bin: gen/ucode.bin
+ @printf "\033[0;31m COMPRESSING UCODE\033[0m %s => %s\n" $< $@
+ $(Q)cat $< | $(ZLIBFLATE) > $@
+
+src/ucode_compressed.c: gen/ucode_compressed.bin
+ @printf "\033[0;31m GENERATING C FILE\033[0m %s => %s\n" $< $@
+ $(Q)printf "#pragma NEXMON targetregion \"ucode\"\n\n" > $@
+ $(Q)cd $(dir $<) && xxd -i $(notdir $<) >> $(shell pwd)/$@
+
+src/templateram.c: $(FW_PATH)/templateram.bin
+ @printf "\033[0;31m GENERATING C FILE\033[0m %s => %s\n" $< $@
+ $(Q)printf "#pragma NEXMON targetregion \"ucode\"\n\n" > $@
+ $(Q)cd $(dir $<) && xxd -i $(notdir $<) >> $(shell pwd)/$@
+
+###################################################################
+
+check-nexmon-setup-env:
+ifndef NEXMON_SETUP_ENV
+ $(error run 'source setup_env.sh' first in the repository\'s root directory)
+endif
+
+dump-rom: fw_bcmdhd.bin
+ @printf "\033[0;31m COPYING TO PHONE\033[0m %s => /sdcard/%s\n" $< $<
+ $(Q)adb push $< /sdcard/ >> log/adb.log 2>> log/adb.log
+ @printf "\033[0;31m Stopping wifi service and killing wpa_supplicant\033[0m\n"
+## $(Q)adb shell 'su -c "mount -o rw,remount /vendor"'
+ $(Q)adb shell 'su -c "mount -o rw,remount -t ext4 /system"'
+ $(Q)adb shell 'su -c "/system/bin/svc wifi disable"'
+ @printf "\033[0;31m Killing wpa_supplicant and backup it\033[0m\n"
+ $(Q)adb shell 'su -c "killall wpa_supplicant"'
+ $(Q)adb shell 'su -c "mv /system/bin/wpa_supplicant /system/bin/wpa_supplicant.backup"'
+ $(Q)adb shell 'su -c "killall wpa_supplicant"'
+ @printf "\033[0;31m LOADING FIRMWARE\033[0m /sdcard/fw_bcmdhd.bin\n"
+ $(Q)adb shell 'su -c "dhdutil download /sdcard/fw_bcmdhd.bin"'
+ @printf "\033[0;31m DUMPING ROM\033[0m ROM => /sdcard/rom.bin\n"
+ $(Q)adb shell 'su -c "dhdutil membytes -r 0x199000 $(ROMSIZE) > /sdcard/rom.bin"'
+ @printf "\033[0;31m PULLING\033[0m /sdcard/rom.bin => rom.bin\n"
+ $(Q)adb pull /sdcard/rom.bin rom_mia.bin
+ @printf "\033[0;31m Restoring wpa_supplicant\033[0m\n"
+ $(Q)adb shell 'su -c "mv /system/bin/wpa_supplicant.backup /system/bin/wpa_supplicant"'
+ @printf "\033[0;31m RELOADING PREVIOUS FIRMWARE\033[0m\n"
+ $(Q)adb shell 'su -c "ifconfig wlan0 down && ifconfig wlan0 up"'
+ @printf "\033[0;31m COPYING ROM\033[0m rom.bin => $(NEXMON_ROOT)/firmwares/bcm43455/rom.bin\n"
+ $(Q)cp rom_mia.bin $(NEXMON_ROOT)/firmwares/bcm43455/rom_mia.bin
+
+backup-firmware: FORCE
+ adb shell 'su -c "cp /vendor/firmware/fw_bcmdhd.bin /sdcard/fw_bcmdhd.orig.bin"'
+ adb pull /sdcard/fw_bcmdhd.orig.bin
+
+install-backup: fw_bcmdhd.orig.bin
+ adb shell 'su -c "mount -o rw,remount /system"' && \
+ adb push $< /sdcard/ && \
+ adb shell 'su -c "cp /sdcard/fw_bcmdhd.bin /vendor/firmware/fw_bcmdhd.bin"'
+ adb shell 'su -c "ifconfig wlan0 down && ifconfig wlan0 up"'
+
+clean-firmware: FORCE
+ @printf "\033[0;31m CLEANING\033[0m\n"
+ $(Q)rm -fr fw_bcmdhd.bin obj gen log src/ucode_compressed.c src/templateram.c
+
+clean: clean-firmware
+ $(Q)rm -f BUILD_NUMBER rom.bin
+
+FORCE:
diff --git a/patches/bcm43455/7_45_88_10_C0/rom_extraction/patch.ld b/patches/bcm43455/7_45_88_10_C0/rom_extraction/patch.ld
new file mode 100644
index 000000000..0fbd55979
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/rom_extraction/patch.ld
@@ -0,0 +1,10 @@
+MEMORY
+{
+ INCLUDE gen/memory.ld
+}
+
+SECTIONS
+{
+ INCLUDE gen/flashpatches.ld
+ INCLUDE gen/nexmon.ld
+}
diff --git a/patches/bcm43455/7_45_88_10_C0/rom_extraction/src/patch.c b/patches/bcm43455/7_45_88_10_C0/rom_extraction/src/patch.c
new file mode 100644
index 000000000..3c23a21d2
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/rom_extraction/src/patch.c
@@ -0,0 +1,52 @@
+/***************************************************************************
+ * *
+ * ########### ########### ########## ########## *
+ * ############ ############ ############ ############ *
+ * ## ## ## ## ## ## ## *
+ * ## ## ## ## ## ## ## *
+ * ########### #### ###### ## ## ## ## ###### *
+ * ########### #### # ## ## ## ## # # *
+ * ## ## ###### ## ## ## ## # # *
+ * ## ## # ## ## ## ## # # *
+ * ############ ##### ###### ## ## ## ##### ###### *
+ * ########### ########### ## ## ## ########## *
+ * *
+ * S E C U R E M O B I L E N E T W O R K I N G *
+ * *
+ * This file is part of NexMon. *
+ * *
+ * Copyright (c) 2016 NexMon Team *
+ * *
+ * NexMon is free software: you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation, either version 3 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * NexMon is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with NexMon. If not, see . *
+ * *
+ **************************************************************************/
+
+#pragma NEXMON targetregion "patch"
+
+#include // definition of firmware version macros
+
+__attribute__((at(0x198080, "", CHIP_VER_BCM43455, FW_VER_ALL)))
+__attribute__((optimize("O0")))
+__attribute__((naked))
+void
+copy_hook(void) {
+ int *ram_dest = (int *) 0x199000;
+ int *rom_src = (int *) 0;
+
+ while(rom_src <= (int *) (704*1024)) {
+ *ram_dest++ = *rom_src++;
+ }
+
+ while(1);
+}
diff --git a/patches/bcm43455/7_45_88_10_C0/rom_extraction/src/version.c b/patches/bcm43455/7_45_88_10_C0/rom_extraction/src/version.c
new file mode 100644
index 000000000..e69de29bb
diff --git a/patches/bcm43455/7_45_88_10_C0/version.mk b/patches/bcm43455/7_45_88_10_C0/version.mk
new file mode 100644
index 000000000..26ac4d08b
--- /dev/null
+++ b/patches/bcm43455/7_45_88_10_C0/version.mk
@@ -0,0 +1 @@
+FW_PATH=$(NEXMON_ROOT)/firmwares/bcm43455/7_45_88_10_C0
diff --git a/patches/common/wrapper.c b/patches/common/wrapper.c
index c945d787e..163c310ae 100644
--- a/patches/common/wrapper.c
+++ b/patches/common/wrapper.c
@@ -235,6 +235,7 @@ AT(CHIP_VER_BCM43451b1, FW_VER_ALL, 0x1be7fe)
AT(CHIP_VER_BCM43455, FW_VER_7_45_77_0, 0x19ED78)
AT(CHIP_VER_BCM4358, FW_VER_7_112_300_14, 0x182238)
AT(CHIP_VER_BCM43455, FW_VER_7_45_77_0_23_8_2017, 0x19ED88)
+AT(CHIP_VER_BCM43455, FW_VER_7_45_88_10_C0, 0x1A4874)
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_154, 0x19A17C)
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_189, 0x19A0FC)
AT(CHIP_VER_BCM43455, FW_VER_7_46_77_11, 0x19F660)
@@ -261,6 +262,7 @@ AT(CHIP_VER_BCM43451b1, FW_VER_ALL, 0x64c38)
AT(CHIP_VER_BCM43455, FW_VER_7_45_77_0, 0x19A0E8)
AT(CHIP_VER_BCM43455, FW_VER_7_120_5_1_sta_C0, 0x19A0F8)
AT(CHIP_VER_BCM43455, FW_VER_7_45_77_0_23_8_2017, 0x19A0F8)
+AT(CHIP_VER_BCM43455, FW_VER_7_45_88_10_C0, 0x19A1C4)
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_154, 0x19a098)
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_189, 0x19A018)
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_206, 0x19A0F8)
@@ -387,10 +389,15 @@ AT(CHIP_VER_BCM43596a0, FW_VER_9_75_155_45_sta_c0, 0x162858)
AT(CHIP_VER_BCM43596a0, FW_VER_9_96_4_sta_c0, 0x162BB8)
AT(CHIP_VER_BCM43451b1, FW_VER_ALL, 0x2504)
AT(CHIP_VER_BCM43455, FW_VER_ALL, 0x3834)
+
+AT(CHIP_VER_BCM43455c0, FW_VER_ALL, 0x3834)
+
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_154, 0x3834)
+
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_189, 0x3834)
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_206, 0x3834)
AT(CHIP_VER_BCM4366c0, FW_VER_10_10_122_20, 0x46C0)
+
int
printf(const char *format, ...)
RETURN_DUMMY
@@ -520,6 +527,7 @@ RETURN_DUMMY
AT(CHIP_VER_BCM4339, FW_VER_ALL, 0x34D68)
AT(CHIP_VER_BCM4335b0, FW_VER_ALL, 0x3F468)
AT(CHIP_VER_BCM43455, FW_VER_ALL, 0x2FC50)
+AT(CHIP_VER_BCM43455c0, FW_VER_ALL, 0x2FC50)
void
wlc_mctrl(void *wlc, uint32 mask, uint32 val)
VOID_DUMMY
@@ -969,8 +977,10 @@ AT(CHIP_VER_BCM4335b0, FW_VER_ALL, 0x12CEC)
AT(CHIP_VER_BCM43455, FW_VER_7_45_77_0, 0x19A0C2)
AT(CHIP_VER_BCM4358, FW_VER_ALL, 0x35d0)
AT(CHIP_VER_BCM43455, FW_VER_7_45_77_0_23_8_2017, 0x19A0D2)
+AT(CHIP_VER_BCM43455, FW_VER_7_45_88_10_C0, 0x19A19E)
AT(CHIP_VER_BCM43455, FW_VER_7_46_77_11, 0x19A512)
AT(CHIP_VER_BCM43455, FW_VER_7_45_59_16, 0x19A0A2)
+
int
memcmp(void *s1, void *s2, int n)
RETURN_DUMMY
@@ -1164,6 +1174,7 @@ AT(CHIP_VER_BCM4356, FW_VER_ALL, 0x14008)
AT(CHIP_VER_BCM4335b0, FW_VER_ALL, 0x2B2DC)
AT(CHIP_VER_BCM43451b1, FW_VER_ALL, 0xf7cc)
AT(CHIP_VER_BCM43455, FW_VER_ALL, 0x203B8)
+AT(CHIP_VER_BCM43455c0, FW_VER_ALL, 0x203B8)
AT(CHIP_VER_BCM43596a0, FW_VER_ALL, 0x38E3C)
AT(CHIP_VER_BCM43455c0, FW_VER_ALL, 0x203B8)
AT(CHIP_VER_BCM43909b0, FW_VER_ALL, 0xe4c4)
@@ -1359,6 +1370,7 @@ AT(CHIP_VER_BCM4356, FW_VER_7_35_101_5_sta, 0x1C469A)
AT(CHIP_VER_BCM43455, FW_VER_7_45_77_0, 0x1D0DFC)
AT(CHIP_VER_BCM43455, FW_VER_7_120_5_1_sta_C0, 0x1CF9A0)
AT(CHIP_VER_BCM43455, FW_VER_7_45_77_0_23_8_2017, 0x1D13C8)
+AT(CHIP_VER_BCM43455, FW_VER_7_45_88_10_C0, 0x1D8D6C)
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_154, 0x1C9FA4)
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_189, 0x1CF494)
AT(CHIP_VER_BCM43455c0, FW_VER_7_45_206, 0x1CCF20)
diff --git a/patches/include/firmware_version.h b/patches/include/firmware_version.h
index 8f769326d..b3eb55fc6 100644
--- a/patches/include/firmware_version.h
+++ b/patches/include/firmware_version.h
@@ -92,6 +92,7 @@
#define FW_VER_7_120_5_1_sta_C0 91
#define FW_VER_7_120_7_1_sta_C0 92
#define FW_VER_7_45_77_0_23_8_2017 93
+#define FW_VER_7_45_88_10_C0 94
#define FW_VER_7_46_77_11 94
#define FW_VER_7_45_59_16 95