andreas at galauner.de
Mon Dec 13 05:56:13 UTC 2010
Last year I stumbled upon a PDF which describes all the registers inside the
Qualcomm MSM7200 series chipset. I now have a new mobile phone and
remembered that document because I wanted to play a bit with my old
one (HTC Magic/Sapphire/G2/Ion).
I have been googling for a few hours now and found several documents from Qualcomm, but
I just found a whole SVN repository full of documentation.
Those Qualcomm chipsets are particularly interesting because, thanks to
Android, there already is a Linux kernel for the ARM11 core available.
The missing part is a free implementation of the ARM9 baseband.
My next goal, as soon as I have managed to solder cables to the JTAG pins
covered in epoxy, is to get my own code running on the ARM9. I don't know how
hard this will get, because this chipset has several security features
like signature checking of code, fuse bits for security configuration
etc., but I will give it a try.
JTAG is definitely still activated, because several people have developed a
method to unbrick their phones in case they have a bad ARM11 bootloader.
And even if there is no chance to get my own code running right away, I'm
pretty certain that there is an exploitable buffer overflow somewhere,
either inside the baseband itself or in the serial console
command parser of the early bootloaders provided by the OEM (OEMSBL).
Time will tell. I hope I'll have something to show you at the 27C3.
My problem is that I don't have enough experience and knowledge about
GSM yet to estimate whether all this documentation is sufficient to implement
a real baseband software on this chipset. If it's not, I think it's
pointless to invest several days/nights of work to get my own code running.
Maybe some of you can have a quick look over the repository and the