At least a bit, anyway. Thanks to a combination of ndiswrapper, qemu, pciproxy and sigirq, I now have a log of the conversation between the driver and the device. I have come to the conclusion that the driver is crazy. There are double reads and writes everywhere.

I think in a couple of days I'll be able to get the MAC address off the device in a few reads. Right now I'm doing many more than I need to, because I'm doing what the Windows driver does.

I tried putting debug statements on the WRITE_REGISTER_ULONG() and friends functions in ndiswrapper, but as it turns out, the amd64 driver only uses MMIO, so those functions are never called. The problem is that ndiswrapper can't properly configure the device from inside qemu, so I can't do a proper reverse-engineer that way. I'll have to think of some other way.