MTK and Infineon-based phones
laforge at gnumonks.org
Sat Nov 26 07:23:49 UTC 2011
On Sat, Nov 26, 2011 at 02:03:50AM +0100, Martin Hinner wrote:
> This is my first experience with GSM phones reverse engineering, so
> sorry if I am wrong, but it seems to be quite difficult for me to
> obtain four Calypso-based phones (yes, I know I can order them from
> webshop for a few euros, but I will need more of them if my
> experiments are successfull).
> Currently, I do have some information (datasheet&code) for MTK
> platform, and I see there is implementation of "secondary bootloader"
> for these phones, but no layer1 yet.
the question really is how many of them you need.
> On the other hand, I have access to very cheap phones using Infineon
> PMB7880 (C166 + DSP) or MTK (ARM9) chipsets.
Economically, the question is:
* what is the price of the required qty of calypso based phones
* what is the amount of work needed for porting to MTK
Even under the most ideal circumstances, porting the L1 to any new
baseband chip architecture is going to be a lot of work.
As "ideal circumstances" I count
* detailed knowledge about not only the integrated peripherals of the
DBB but also register-level documentation of the ABB
* detailed knowledge about the shared memory API between DSP-ROM and
* no cryptographic verification in bootloader that needs to be broken
* a developer who has very strong background on GSM L1 and cellphone
* access to measurement devices for MS testing like Racal 6103
Even under such circumstances, I would guess an effort of somewhere
between 1 to 2 man-months full-time.
As the circumstances are never ideal, it will likely be more effort.
Some developers have already put quite a bit of effort into the MTK
chipset side, and even though we don't have the register-level data
sheets of all of the ABB chips and the DBB data sheets do not cover
anything on the details of the DSP/ARM API interface, I think it is the
most promising architecture.
> Is it feasible to create layer1 implementation for Infineon and/or
> MTK? Is there anyone willing to help with this?
I think the big issue is availability. The people invovled in OsmocomBB
are working on a variety of other projects and protocol stacks
(OsmocomGMR, OsmocomTETRA, osmo-bts, etc.)
So the big question is: How can you convince anyone from the existing
team to contribute to a port to MTK? I think the fact that the code
runs well on the Calypso based phones (which are still avialable even in
quantity) makes this a bit difficult, as there is no real gain.
People generally want to work on creating new functionality, rather than
re-creating something that already exists...
> I will add that I have spent many many nights disassembling car
> control units using Infineon/Siemens C166 core (since 2002?), so
> Infineon platform is very attractive for me (the flash is only 2MB for
> some phones, it's easy to read code, etc...).
On the other hand: C166 is a one-way road. No new baseband chipsets
(even infineon) use them anymore. You need to port all the arm-specific
assembly bits in OsmocomBB to the C166 code, etc.
MTK is a much more attractive target. More docs, more understanding,
more existing code and ARM based.
- Harald Welte <laforge at gnumonks.org> http://laforge.gnumonks.org/
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
More information about the baseband-devel