Fun with the MTK 6573 Baseband (Patching / Replacing)

Craig Comstock craig_comstock at yahoo.com
Thu Apr 13 12:48:17 UTC 2017


I don't know much about the architecture of these MT based Android phones yet. We would need some source for the actual baseband part of the code in order to port osmocom-bb. I was able to quickly search for mt6572 kernel sources but that's not what we need. I also found custom ROMs like CyanogenMod. That might get us a bit further. Also there are "scatter" files that newer MT based devices use as a sort of map for fastboot flashing images onto a device (I think, not much experience here). So that might give a clue as well. This one has U-Boot! That might be helpful.

https://github.com/GoldRenard/AllegroROM_4.2.2_mt6572/blob/master/HWPackage/A516_S118/scatter/MT6572_Android_scatter.txt

So if you can purchase a 6572 based board and get enough source, that might be what is needed to make progress. If you find a link to something, share it I suppose.

I'm mostly focused on porting osmocom-bb to 626x at this point and figuring out how to get layer1+modem built as nuttx-bb... but... as I mentioned I work slowly, so if others push forward with a newer chip that would be cool. If we could end up with something like an AOSP + osmocom-bb image for RILD I suppose that might be fun. I am more interested in NOT using Android, for what it's worth.

-Craig



--------------------------------------------
On Thu, 4/13/17, bruce lee <bbsoo7 at live.com> wrote:

 Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
 To: "baseband-devel at lists.osmocom.org" <baseband-devel at lists.osmocom.org>, "Craig Comstock" <craig_comstock at yahoo.com>
 Date: Thursday, April 13, 2017, 1:49 AM

 Maybe it is easiest to develop on some boards which have a UART port, to look at the boot-up messages.

 Some mt6572 based boards one can find on the China market. They even can share code with us if we buy it.

 It is Android based.

 So should/can we make an osmocom-bb based BP for this Android board? Or other smartphone?

 thanks
 RZ

 From: Craig Comstock <craig_comstock at yahoo.com>
 Sent: Thursday, April 13, 2017 3:21 AM
 To: baseband-devel at lists.osmocom.org; bruce lee
 Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)

 I don't have the files mentioned in that patch. They look very much like some part of an Android source code tree. So far I am working mostly not with Android at all... only osmocom-bb, nuttx, fernly and fernvale-nuttx.

 My work on the newer MT chip in the ZTE Obsidian is a ways down the road. One thing that was VERY encouraging is that I have tested the beginnings of interaction with its bootloader (as in the fernly project) and it seems at least the initial MSG and ACK from the bootloader works the same as for fernly types of MT chips (6260/6261). So that might be a good starting point in terms of experimenting/fuzzing/???

 Maybe you could find a custom ROM source tree and find those files that are being patched.

 In terms of participating in my project, I have a github repo and am primarily using the fernvale board I purchased from sysmocom as well as some mt6260/6261 based watches and the Seeed Studio RePhone.

 So I'd say go get one or more of those things and start hacking on fernly, fernvale-nuttx, osmocom-bb and nuttx-bb (combo of osmocom-bb and nuttx).

 I don't work too hard on the project. This branch is my latest not-working work in progress:

 https://github.com/craigcomstock/osmocom-bb/tree/feb-22-2017-mt62xx-wip

 I have since changed my strategy and so this branch will likely rot. :( But it might give some indication of what I'm up to.

 -Craig

 
 --------------------------------------------

 On Wed, 4/12/17, bruce lee <bbsoo7 at live.com> wrote:

  Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
  To: "Craig Comstock" <craig_comstock at yahoo.com>, "baseband-devel at lists.osmocom.org" <baseband-devel at lists.osmocom.org>
  Date: Wednesday, April 12, 2017, 9:39 PM

  Craig,

  do you have the files mentioned at

  https://github.com/shadowsim/shadowsim/blob/master/mdlogger.patch

  and for your project, it seems very interesting, and I would like to participate in it.

  thanks
  RZ

  From: Craig Comstock <craig_comstock at yahoo.com>
  Sent: Tuesday, April 11, 2017 11:35 AM
  To: baseband-devel at lists.osmocom.org; RootZero
  Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)

  My target was MT6735 in a ZTE Obsidian. I chose it for 4G LTE. I could root one and see if similar techniques work. My hope was to leverage leaked source for mt626x and hope to work my way up the chip models. I am currently working on porting osmocom-bb and nuttx-bb to fernvale/rephone/mt626x.

  On April 11, 2017 4:39:46 AM CDT, RootZero <bbsoo7 at live.com> wrote:

  Markus and all,

  I am very interested in this project/hack.

  Can you share more information with us?

  I searched lots of web pages and did not find the source of the mdlogger.cpp file.

  I do have the source code of "modem.img"; if you want it, please let me know.

  thanks
  RootZero

  --
  Sent from my Android device with K-9 Mail. Please excuse my brevity.

