Fun with the MTK 6573 Baseband (Patching / Replacing)

Craig Comstock craig_comstock at yahoo.com
Wed Apr 19 02:57:16 UTC 2017


RootZero/bruce lee sent me this github with baseband sources very similar to what I already have for MT626x:

https://github.com/zxp86021/MediaTek-HelioX10-Baseband

Looking there it seems we have layer 1 GSM/2G support for many more RF chips. The trick is to figure out what AP/SOC they are used in. For example the MediaTek-HelioX10 is a MT6795 which seems to use
the MT6169 transciever chip (based on some other files in the sources). My ZTE Obsidian seems to use this same TRX chip (based on a MT6735 datasheet)

http://www.datasheet4u.com/pdf/MT6735-pdf/925384

Comparing L1D_RF_PowerOn functions it seems the MT6252 might be the closest to the MT626x which are completely missing from
this newer set of sources that are maybe a year or so newer than the MT626x sources I have.

m12196.c:/*BRIGHT2*/ void  L1D_RF_PowerOn( void )
m12196.c:/*BRIGHT4*/ void  L1D_RF_PowerOn( void )
m12196.c:/*BRIGHT5P*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AERO*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AERO1+*/ void  L1D_RF_PowerOn( void )
m12196.c:/*RFMD*/ void  L1D_RF_PowerOn( void )
m12196.c:/*SKY74117*/ void  L1D_RF_PowerOn( void )
m12196.c:/*SKY74400*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6119*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6119C*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6129A*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6129B*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6129C*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6129D*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6139B*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6139C*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6139E*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140A*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140B*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140C*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140D*/ void  L1D_RF_PowerOn( void )
m12196.c:/*CMOSEDGE*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MTKSOC1T*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MTKSOC1*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6252RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6256RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6255RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6251RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*SKY74045*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AERO2*/ void  L1D_RF_PowerOn( void )
m12196.c:/*SKY74137*/ void  L1D_RF_PowerOn( void )
m12196.c:/*GRF6201*/ void  L1D_RF_PowerOn( void )
m12196.c:/*IRFS3001*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AD6548*/  void  L1D_RF_PowerOn( void )
m12196.c:/*AD6546*/  void  L1D_RF_PowerOn( void )
m12196.c:/*MT6162*/  void  L1D_RF_PowerOn( void )
m12196.c:/*MT6163*/  void  L1D_RF_PowerOn( void )
m12196.c:/*MT6280RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6169*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6169*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6166*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6165*/ void  L1D_RF_PowerOn( void )

one set of MT626x sources is called 11CW1418SP4 and supports the following baseband chips. Probably MT626x has an integrated baseband?

m12196.c:/*MT6129D*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6139E*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140D*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MTKSOC1*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6252RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6261RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6260RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6250RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6256RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6255RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6251RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AD6548*/  void  L1D_RF_PowerOn( void )
m12196.c:/*AD6546*/  void  L1D_RF_PowerOn( void )
m12196.c:/*MT6162*/  void  L1D_RF_PowerOn( void )


So I guess I need to look elsewhere in the sources to puzzle out my MT6735 ZTE Obsidian which would give me I think the cheapest/oldest chip that supports 4G/LTE:

GSM, UMTS, GPRS, HSPA+, HSUPA, TD-SCDMA, EVDO, LTE Cat 4 (from https://en.wikipedia.org/wiki/MediaTek)

-Craig

p.s. here are some sources I used to research both github and "from the internet":

http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git
https://github.com/akibsayyed/CELLTEL82_WET_KK_GPRS_HSPA_MOLY.WR8.W1315.MD.WG.MP.V35.git
https://github.com/akibsayyed/HSPA_MOLY.WR8.W1449.MD.WG.MP.V16.git
https://github.com/zxp86021/MT6795.kernel.git

mt626x stuff:
11CW1352MP_CENON61D_3232_11C_V2_GPRS_MMI
11CW1418SP4_CORETEK02A_WIFI_BT_V13_GPRS_MMI
MTK60D-11B1308-V2

--------------------------------------------
On Thu, 4/13/17, bruce lee <bbsoo7 at live.com> wrote:

 Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
 To: "Craig Comstock" <craig_comstock at yahoo.com>
 Date: Thursday, April 13, 2017, 11:40 AM
 
 
 
 
 
 
 check this out. it is modem firmwear source code
 
 
 
 and this guy's github
 
 
 
 https://github.com/luckasfb/Development_Documents
 
 
 
 alots of good stuff.but do not have what am looking for.
 
 
 
 bruce.
 
 From: Craig Comstock
 <craig_comstock at yahoo.com>
 
 Sent: Thursday, April 13, 2017 2:10:15 PM
 
 To: bruce lee
 
 Subject: Re: Fun with the MTK 6573 Baseband (Patching
 / Replacing)
  
 
 
 
 Looking at some kernel
 sources I see a few things that look familiar to me from
 mt626x source. Grepping for RIL (radio interface layer)
 
 
 
 https://github.com/eagleeyetom/android_kernel_mtk_mt6572.git
 
 
 
 
 
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:
 #define RIL_SIZE          0x1600000
 
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:
 #define RIL_SIZE          0x0A00000
 
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:
 #define RIL_SIZE          0x1600000
 
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define
 RIL_SIZE   0x100000 //for connsys memory
 
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define
 MEM_PRELOADER_START             (DRAM_PHY_ADDR)
 //placed mem in RIL 256KB
 
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define
 RESERVE_MEM_SIZE                (RIL_SIZE)
 
 
 
 they mentioned infrasys and connsys near the RIL bits...
 
 
 
 craig at z500:~/android_kernel_mtk_mt6572/mediatek$ find |
 xargs grep -s infrasys
 
 ./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/*
 infrasys AO */
 
 ./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/*
 infrasys */
 
 ./platform/mt6572/kernel/core/core.c:    /* infrasys AO
 first half */
 
 ./platform/mt6572/kernel/core/core.c:    /* infrasys AO
 second half */
 
 ./platform/mt6572/kernel/core/core.c:    /* infrasys
 */
 
 ./platform/mt6572/lk/include/platform/mt_reg_base.h:/*
 infrasys AO */
 
 ./platform/mt6572/lk/include/platform/mt_reg_base.h:/*
 infrasys */
 
 craig at z500:~/android_kernel_mtk_mt6572/mediatek$ vi
 platform/mt6572/kernel/core/core.c
 
 
 
 
 So... mt_reg_base.h looks a little familiar to mt626x
 stuff.
 
 
 
 There is also this:
 
 
 
 https://android.googlesource.com/kernel/mediatek/
 
 
 
 and this:
 
 
 
 https://github.com/profglavcho/mt6735-kernel-3.10.61
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 --------------------------------------------
 
 On Thu, 4/13/17, bruce lee <bbsoo7 at live.com> wrote:
 
 
 
  Subject: Re: Fun with the MTK 6573 Baseband (Patching /
 Replacing)
 
  To: "baseband-devel at lists.osmocom.org"
 <baseband-devel at lists.osmocom.org>, "Craig
 Comstock" <craig_comstock at yahoo.com>
 
  Date: Thursday, April 13, 2017, 1:49 AM
 
  
 
  
 
  
 
  maybe  it is easiest  for developing on some boards
 
  which has UART port to look it boot up message.
 
  
 
  
 
  
 
  some mt6572 based boards one can find on China market.
 
  they event can share code with us if we buy it.
 
  
 
  
 
  
 
  it is android based. 
 
  
 
  
 
  
 
  
 
  
 
  
 
  so should/can we make a osmocom-bb based BP for this
 
  android board? or other smartphone?
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  thanks
 
  RZ
 
  
 
  
 
  
 
  
 
  
 
  
 
  From: Craig Comstock
 
  <craig_comstock at yahoo.com>
 
  
 
  Sent: Thursday, April 13, 2017 3:21 AM
 
  
 
  To: baseband-devel at lists.osmocom.org; bruce lee
 
  
 
  Subject: Re: Fun with the MTK 6573 Baseband (Patching
 
  / Replacing)
 
   
 
  
 
  
 
  
 
  I
 
  don't have the files mentioned in that patch. They
 look
 
  very much like some part of an Android source code tree.
 So
 
  far I am working mostly not with Android at all... only
 
  osmocom-bb, nuttx, fernly and fernvale-nuttx.
 
  
 
  
 
  
 
  My work on the newer MT chip in the ZTE Obsidian is a
 ways
 
  down the road. One thing that was VERY encouraging is that
 I
 
  have tested the beginnings of interaction with it's
 
  bootloader (as in the fernly project)
 
  
 
  and it seems at least the initial MSG and ACK from the
 
  bootloader works the same as for fernly types of MT
 chips
 
  (6260/6261). So that might be a good starting point in
 terms
 
  of experimenting/fuzzing/???
 
  
 
  
 
  
 
  Maybe you could find a custom rom source tree and find
 those
 
  files that are being patched.
 
  
 
  
 
  
 
  In terms of participating in my project, I have a
 github
 
  repo and am primarily using the fernvale board I
 purchased
 
  from sysmocom as well as some mt6260/6261 based watches
 and
 
  the Seeed Studio RePhone.
 
  
 
  
 
  
 
  So I'd say go get one or more of those things and
 start
 
  hacking on fernly, fernvale-nuttx, osmocom-bb and
 nuttx-bb
 
  (combo of osmocom-bb and nuttx).
 
  
 
  
 
  
 
  I don't work too hard on the project. This branch is
 my
 
  latest not-working work in progress:
 
  
 
  
 
  
 
  https://github.com/craigcomstock/osmocom-bb/tree/feb-22-2017-mt62xx-wip
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  craigcomstock/osmocom-bb
 
  
 
  github.com
 
  
 
  Contribute to osmocom-bb development by creating an
 account
 
  on GitHub.
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  I have since changed my strategy and so this branch
 will
 
  likely rot. :( But it might give some indication of
 what
 
  I'm up to.
 
  
 
  
 
  
 
  -Craig
 
  
 
  
 
  
 
  
 
  
 
  
 
  
 
  --------------------------------------------
 
  
 
  On Wed, 4/12/17, bruce lee <bbsoo7 at live.com>
 wrote:
 
  
 
  
 
  
 
   Subject: Re: Fun with the MTK 6573 Baseband (Patching
 /
 
  Replacing)
 
  
 
   To: "Craig Comstock"
 
  <craig_comstock at yahoo.com>,
 
  "baseband-devel at lists.osmocom.org"
 
  <baseband-devel at lists.osmocom.org>
 
  
 
   Date: Wednesday, April 12, 2017, 9:39 PM
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   Craig,
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   do you have the files mentioned at
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   https://github.com/shadowsim/shadowsim/blob/master/mdlogger.patch
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   and for your project, seem very interesting, and I
 
  would
 
  
 
   like to participate in.
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   thanks
 
  
 
   RZ
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   From: Craig Comstock
 
  
 
   <craig_comstock at yahoo.com>
 
  
 
   
 
  
 
   Sent: Tuesday, April 11, 2017 11:35 AM
 
  
 
   
 
  
 
   To: baseband-devel at lists.osmocom.org; RootZero
 
  
 
   
 
  
 
   Subject: Re: Fun with the MTK 6573 Baseband (Patching
 
  
 
   / Replacing)
 
  
 
    
 
  
 
   
 
  
 
   My target was Mt6735 in a Zte Obsidian. I chose it
 for
 
  
 
   4g lte. I could root one and see if similar
 techniques
 
  work.
 
  
 
   My hope was to leverage leaked source for mt626x and
 hope
 
  to
 
  
 
   work my way up the chip models. I am currently
 working
 
  on
 
  
 
   porting osmocom-bb
 
  
 
    and nuttx-bb to fernvale/rephone/mt626x.
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   On April 11, 2017
 
  
 
   4:39:46 AM CDT, RootZero <bbsoo7 at live.com>
 wrote:
 
  
 
   
 
  
 
   Markus and all,
 
  
 
   
 
  
 
   I am very interesting in this
 
  
 
   project/hack.
 
  
 
   
 
  
 
   can you share
 
  
 
   more information with US?
 
  
 
   
 
  
 
   I
 
  
 
   searched lots web pages and do not find the source of
 
  
 
   mdlogger.cpp file.
 
  
 
   
 
  
 
   I do
 
  
 
   have the source code of "modem.img" if you
 
  want
 
  
 
   please let me know. 
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   thanks
 
  
 
   RootZero
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   --
 
  
 
   View this message in
 
  
 
   context: 
 
  http://baseband-devel.722152.n3.nabble.com/Fun-with-the-MTK-6573-Baseband-Patching-Replacing-tp4026683p4026772.htmlbaseband-devel
 
  
 
    - Fun with the MTK 6573 Baseband (Patching /
 
  
 
   Replacing)baseband-devel.722152.n3.nabble.comFun
 
  
 
    with the MTK 6573 Baseband (Patching / Replacing).
 
  
 
   -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
 
  I'm
 
  
 
   Markus, a security researcher from Germany. I
 recently
 
  did
 
  
 
   some work on MTK
 
  
 
   6573...
 
  
 
   
 
  
 
   Sent from the baseband-devel
 
  
 
   mailing list archive at Nabble.com.Nabble
 
  
 
    • Free Forum • Embeddable Web
 Appsnabble.comEmbed
 
  
 
    into any Website. All Nabble apps are naturally
 
  embeddable,
 
  
 
   which means that they can be easily displayed inside
 any
 
  web
 
  
 
   page.
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
   -- 
 
  
 
   
 
  
 
   Sent from my Android device with K-9 Mail. Please
 excuse
 
  my
 
  
 
   brevity.
 
  
 
   
 
  
 
   
 
  
 
   
 
  
 
  
 
  
 
  
 
  
 
  
 
 
 
 


More information about the baseband-devel mailing list