This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/baseband-devel@lists.osmocom.org/.
Craig Comstock craig_comstock at yahoo.com

Yes. I am using the work in fernly and fernvale-nuttx to try and make a nuttx-bb (nuttx unix os + layer1 app + mobile app) for mediatek chips... especially mt6260 and 6261. In the process I hope to possibly bring the same setup to the calypso phones. The goal being a usable 2g phone based on something like the Seeed Studio RePhone or a cheap watch phone which have mt6260 or more often MT6261.

Craig

On April 18, 2017 11:25:41 PM CDT, bruce lee <bbsoo7 at live.com> wrote:
>there is a
>
>https://github.com/xobs/fernly
>
>seems they did what you are trying to do now. they also have a qemu to
>emulate that chip or so.
>
>I made a little progress for patching mt6573 modem.img.
>
>this output is from this command.
>radiff2 old.img new.img.
>
>questions here is how can we change these hex strings to ARM
>assembler code?
>
>thanks
> BL.
>
>________________________________
>From: Craig Comstock <craig_comstock at yahoo.com>
>Sent: Wednesday, April 19, 2017 2:57 AM
>To: baseband-devel at lists.osmocom.org
>Cc: bruce lee
>Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
>
>RootZero/bruce lee sent me this github with baseband sources very
>similar to what I already have for MT626x:
>
>https://github.com/zxp86021/MediaTek-HelioX10-Baseband
>
>Looking there it seems we have layer 1 GSM/2G support for many more RF
>chips. The trick is to figure out what AP/SOC they are used in.
>For example the MediaTek-HelioX10 is a MT6795 which seems to use
>the MT6169 transceiver chip (based on some other files in the sources).
>My ZTE Obsidian seems to use this same TRX chip (based on a MT6735
>datasheet)
>
>http://www.datasheet4u.com/pdf/MT6735-pdf/925384
>
>Comparing L1D_RF_PowerOn functions it seems the MT6252 might be the
>closest to the MT626x which are completely missing from
>this newer set of sources that are maybe a year or so newer than the
>MT626x sources I have.
>
>m12196.c:/*BRIGHT2*/ void L1D_RF_PowerOn( void )
>m12196.c:/*BRIGHT4*/ void L1D_RF_PowerOn( void )
>m12196.c:/*BRIGHT5P*/ void L1D_RF_PowerOn( void )
>m12196.c:/*AERO*/ void L1D_RF_PowerOn( void )
>m12196.c:/*AERO1+*/ void L1D_RF_PowerOn( void )
>m12196.c:/*RFMD*/ void L1D_RF_PowerOn( void )
>m12196.c:/*SKY74117*/ void L1D_RF_PowerOn( void )
>m12196.c:/*SKY74400*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6119*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6119C*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6129A*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6129B*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6129C*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6129D*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6139B*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6139C*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6139E*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6140A*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6140B*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6140C*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6140D*/ void L1D_RF_PowerOn( void )
>m12196.c:/*CMOSEDGE*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MTKSOC1T*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MTKSOC1*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6252RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6256RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6255RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6251RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*SKY74045*/ void L1D_RF_PowerOn( void )
>m12196.c:/*AERO2*/ void L1D_RF_PowerOn( void )
>m12196.c:/*SKY74137*/ void L1D_RF_PowerOn( void )
>m12196.c:/*GRF6201*/ void L1D_RF_PowerOn( void )
>m12196.c:/*IRFS3001*/ void L1D_RF_PowerOn( void )
>m12196.c:/*AD6548*/ void L1D_RF_PowerOn( void )
>m12196.c:/*AD6546*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6162*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6163*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6280RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6169*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6169*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6166*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6165*/ void L1D_RF_PowerOn( void )
>
>one set of MT626x sources is called 11CW1418SP4 and supports the
>following baseband chips. Probably MT626x has an integrated baseband?
>
>m12196.c:/*MT6129D*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6139E*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6140D*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MTKSOC1*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6252RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6261RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6260RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6250RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6256RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6255RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6251RF*/ void L1D_RF_PowerOn( void )
>m12196.c:/*AD6548*/ void L1D_RF_PowerOn( void )
>m12196.c:/*AD6546*/ void L1D_RF_PowerOn( void )
>m12196.c:/*MT6162*/ void L1D_RF_PowerOn( void )
>
>So I guess I need to look elsewhere in the sources to puzzle out my
>MT6735 ZTE Obsidian which would give me I think the cheapest/oldest
>chip that supports 4G/LTE:
>
>GSM, UMTS, GPRS, HSPA+, HSUPA, TD-SCDMA, EVDO, LTE Cat 4 (from
>https://en.wikipedia.org/wiki/MediaTek)
>
>-Craig
>
>p.s. here are some sources I used to research both github and "from the
>internet":
>
>http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git
>https://github.com/akibsayyed/CELLTEL82_WET_KK_GPRS_HSPA_MOLY.WR8.W1315.MD.WG.MP.V35.git
>https://github.com/akibsayyed/HSPA_MOLY.WR8.W1449.MD.WG.MP.V16.git
>https://github.com/zxp86021/MT6795.kernel.git
>
>mt626x stuff:
>11CW1352MP_CENON61D_3232_11C_V2_GPRS_MMI
>11CW1418SP4_CORETEK02A_WIFI_BT_V13_GPRS_MMI
>MTK60D-11B1308-V2
>
>--------------------------------------------
>On Thu, 4/13/17, bruce lee <bbsoo7 at live.com> wrote:
>
> Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
> To: "Craig Comstock" <craig_comstock at yahoo.com>
> Date: Thursday, April 13, 2017, 11:40 AM
>
> check this out. it is modem firmware source code
>
> and this guy's github
>
> https://github.com/luckasfb/Development_Documents
>
> lots of good stuff, but do not have what I am looking for.
>
> bruce.
>
> > From: Craig Comstock <craig_comstock at yahoo.com>
> > Sent: Thursday, April 13, 2017 2:10:15 PM
> > To: bruce lee
> > Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
> >
> > Looking at some kernel sources I see a few things that look familiar to me from mt626x source.
> > Grepping for RIL (radio interface layer)
> >
> > https://github.com/eagleeyetom/android_kernel_mtk_mt6572.git
> >
> > ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h: #define RIL_SIZE 0x1600000
> > ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h: #define RIL_SIZE 0x0A00000
> > ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h: #define RIL_SIZE 0x1600000
> > ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define RIL_SIZE 0x100000 //for connsys memory
> > ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define MEM_PRELOADER_START (DRAM_PHY_ADDR) //placed mem in RIL 256KB
> > ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define RESERVE_MEM_SIZE (RIL_SIZE)
> >
> > they mentioned infrasys and connsys near the RIL bits...
> >
> > craig at z500:~/android_kernel_mtk_mt6572/mediatek$ find | xargs grep -s infrasys
> > ./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/* infrasys AO */
> > ./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/* infrasys */
> > ./platform/mt6572/kernel/core/core.c: /* infrasys AO first half */
> > ./platform/mt6572/kernel/core/core.c: /* infrasys AO second half */
> > ./platform/mt6572/kernel/core/core.c: /* infrasys */
> > ./platform/mt6572/lk/include/platform/mt_reg_base.h:/* infrasys AO */
> > ./platform/mt6572/lk/include/platform/mt_reg_base.h:/* infrasys */
> > craig at z500:~/android_kernel_mtk_mt6572/mediatek$ vi platform/mt6572/kernel/core/core.c
> >
> > So... mt_reg_base.h looks a little familiar to mt626x stuff.
> >
> > There is also this:
> >
> > https://android.googlesource.com/kernel/mediatek/
> >
> > and this:
> >
> > https://github.com/profglavcho/mt6735-kernel-3.10.61
> >
> > --------------------------------------------
> > On Thu, 4/13/17, bruce lee <bbsoo7 at live.com> wrote:
> >
> > Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
> > To: "baseband-devel at lists.osmocom.org" <baseband-devel at lists.osmocom.org>, "Craig Comstock" <craig_comstock at yahoo.com>
> > Date: Thursday, April 13, 2017, 1:49 AM
> >
> > maybe it is easiest for developing on some boards which has UART port to look it boot up message.
> >
> > some mt6572 based boards one can find on China market. they even can share code with us if we buy it.
> >
> > it is android based.
> >
> > so should/can we make a osmocom-bb based BP for this android board? or other smartphone?
> >
> > thanks
> > RZ
> >
> > From: Craig Comstock <craig_comstock at yahoo.com>
> > Sent: Thursday, April 13, 2017 3:21 AM
> > To: baseband-devel at lists.osmocom.org; bruce lee
> > Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
> >
> > I don't have the files mentioned in that patch. They look very much like some part of an Android source code tree. So far I am working mostly not with Android at all... only osmocom-bb, nuttx, fernly and fernvale-nuttx.
> >
> > My work on the newer MT chip in the ZTE Obsidian is a ways down the road. One thing that was VERY encouraging is that I have tested the beginnings of interaction with its bootloader (as in the fernly project) and it seems at least the initial MSG and ACK from the bootloader works the same as for fernly types of MT chips (6260/6261).
> > So that might be a good starting point in terms of experimenting/fuzzing/???
> >
> > Maybe you could find a custom rom source tree and find those files that are being patched.
> >
> > In terms of participating in my project, I have a github repo and am primarily using the fernvale board I purchased from sysmocom as well as some mt6260/6261 based watches and the Seeed Studio RePhone.
> >
> > So I'd say go get one or more of those things and start hacking on fernly, fernvale-nuttx, osmocom-bb and nuttx-bb (combo of osmocom-bb and nuttx).
> >
> > I don't work too hard on the project. This branch is my latest not-working work in progress:
> >
> > https://github.com/craigcomstock/osmocom-bb/tree/feb-22-2017-mt62xx-wip
> >
> > I have since changed my strategy and so this branch will likely rot. :( But it might give some indication of what I'm up to.
> >
> > -Craig
> >
> > > > --------------------------------------------
> > > > On Wed, 4/12/17, bruce lee <bbsoo7 at live.com> wrote:
> > > >
> > > > Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
> > > > To: "Craig Comstock" <craig_comstock at yahoo.com>, "baseband-devel at lists.osmocom.org" <baseband-devel at lists.osmocom.org>
> > > > Date: Wednesday, April 12, 2017, 9:39 PM
> > > >
> > > > Craig,
> > > >
> > > > do you have the files mentioned at
> > > >
> > > > https://github.com/shadowsim/shadowsim/blob/master/mdlogger.patch
> > > >
> > > > and for your project, seem very interesting, and I would like to participate in.
> > > >
> > > > thanks
> > > > RZ
> > > >
> > > > From: Craig Comstock <craig_comstock at yahoo.com>
> > > > Sent: Tuesday, April 11, 2017 11:35 AM
> > > > To: baseband-devel at lists.osmocom.org; RootZero
> > > > Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
> > > >
> > > > My target was Mt6735 in a Zte Obsidian. I chose it for 4g lte. I could root one and see if similar techniques work. My hope was to leverage leaked source for mt626x and hope to work my way up the chip models. I am currently working on porting osmocom-bb and nuttx-bb to fernvale/rephone/mt626x.
> > > >
> > > > On April 11, 2017 4:39:46 AM CDT, RootZero <bbsoo7 at live.com> wrote:
> > > >
> > > > Markus and all,
> > > >
> > > > I am very interested in this project/hack.
> > > >
> > > > can you share more information with US?
> > > >
> > > > I searched lots web pages and do not find the source of mdlogger.cpp file.
> > > >
> > > > I do have the source code of "modem.img" if you want please let me know.
> > > >
> > > > thanks
> > > > RootZero
> > > >
> > > > --
> > > > View this message in context: http://baseband-devel.722152.n3.nabble.com/Fun-with-the-MTK-6573-Baseband-Patching-Replacing-tp4026683p4026772.html
> > > > Sent from the baseband-devel mailing list archive at Nabble.com.
> > > >
> > > > --
> > > > Sent from my Android device with K-9 Mail. Please excuse my brevity.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
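
The quoted question above asks how to turn radiff2's hex runs into ARM assembler. As an added example (not code from the thread or from any project it mentions), the Python below parses radiff2's default `offset old => new offset` records even when mail quoting has wrapped them, sets aside runs that hold printable text, and decodes three 16-bit Thumb encodings (PUSH/POP, BX, BL) in the rest. It assumes little-endian Thumb code; the sample records, their offsets and the `modem_ok` string are constructed, and all function names are hypothetical.

```python
import re
import struct

# radiff2 default output, one record per run: 0xOFFSET <old hex> => <new hex> 0xOFFSET
HUNK = re.compile(r"(0x[0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2})+)\s+=>\s+"
                  r"((?:[0-9a-fA-F]{2})+)\s+0x[0-9a-fA-F]+")
REG = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]

# Constructed sample (not from the thread), mail-quoted and wrapped like the post.
SAMPLE = """\
>0x00001000 00207047c046c046 => f0b500f010f8f0bd 0x00001000
>0x00002000 ffffffffffffffff =>
>6d6f64656d5f6f6b 0x00002000
"""

def parse_radiff2(text):
    """Return [(offset, old_bytes, new_bytes)], tolerating '>' quote marks."""
    flat = re.sub(r"(?<!=)>", " ", text)      # drop quote marks, keep '=>'
    return [(int(off, 16), bytes.fromhex(old), bytes.fromhex(new))
            for off, old, new in HUNK.findall(flat)]

def thumb16(offset, data):
    """Decode PUSH/POP, BX and BL; other halfwords are emitted as .short.

    BL targets are file offsets: add the image load address (assumed unknown
    here) to get a virtual address.
    """
    hws = struct.unpack(f"<{len(data) // 2}H", data[:len(data) & ~1])
    out, i = [], 0
    while i < len(hws):
        hw, pc = hws[i], offset + 2 * i
        if hw & 0xF600 == 0xB400:             # PUSH, or POP when bit 11 is set
            pop = bool(hw & 0x0800)
            regs = [REG[r] for r in range(8) if hw >> r & 1]
            if hw & 0x0100:                   # R bit: LR on push, PC on pop
                regs.append("pc" if pop else "lr")
            out.append(f"{'pop' if pop else 'push'} {{{', '.join(regs)}}}")
        elif hw & 0xFF87 == 0x4700:           # BX Rm
            out.append(f"bx {REG[hw >> 3 & 0xF]}")
        elif hw >> 11 == 0x1E and i + 1 < len(hws) and hws[i + 1] >> 11 == 0x1F:
            hi = (hw & 0x7FF) - ((hw & 0x400) << 1)   # sign-extend upper 11 bits
            out.append(f"bl {pc + 4 + (hi << 12) + ((hws[i + 1] & 0x7FF) << 1):#x}")
            i += 1                            # BL occupies two halfwords
        else:
            out.append(f".short {hw:#06x}")
        i += 1
    return out

def triage(text):
    """Per record: (offset, 'text', string) or (offset, 'code', listing)."""
    report = []
    for off, _old, new in parse_radiff2(text):
        m = re.search(rb"[\x20-\x7e]{8,}", new)   # heuristic: long printable run
        report.append((off, "text", m.group().decode("ascii")) if m
                      else (off, "code", thumb16(off, new)))
    return report
```

For a complete listing rather than these three instruction classes, pass each run to a disassembler in Thumb mode, for example `rasm2 -a arm -b 16 -d <hex>`.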