At the 38C3 conference, a report was presented on reverse engineering the firmware and command set of TI SimpleLink chips (CC13XX and CC26XX) with BLE (Bluetooth Low Energy). This work made it possible to implement an FM receiver on the chips, even though they are purely digital in nature.
The chips use a DSP and are controlled by an ARM Cortex core, specifically the ARM Cortex-M0, which manages the radio subsystem (RF Core) through a limited, message-based interface. By patching the memory of the radio subsystem, the researchers were able to alter its behavior. The manufacturer itself ships modules that add support for various wireless protocols in the form of dynamic libraries and memory patches, similar to those used in Broadcom chips (now owned by Cypress). The radio subsystem controls the DSP, which has its own specific architecture.
In their report, the researchers described how they reconstructed the proprietary RF patch format and showed how to create custom patches that add support for new wireless protocols (such as the FM receiver), manage a wireless subsystem, and update the firmware. They also released tools for generating and loading patches, as well as an assembler for the command system used by the DSP, under the MIT license. However, the repository currently lacks the source code for the firmware that enables an analog receiver.