Fun with the MTK 6573 Baseband (Patching / Replacing)

bruce lee bbsoo7 at live.com
Wed Apr 19 04:25:41 UTC 2017


There is

https://github.com/xobs/fernly

It seems they did what you are trying to do now. They also have a QEMU to emulate that chip, or so.

I made a little progress on patching the mt6573 modem.img.

This output is from this command:
radiff2 old.img new.img

0x00110d08 f0b50fb43ef052fa01280fbc03d13ef05cfcf0bdf4e7 => 68616e67654e6f74696669636174696f6e000000f0b5 0x00110d08
0x0014f1b6 32683846f0252d02a8352d0293352d028c352d6808210902223109029831a94201d00020f0bd01200120f0bd8d466d462d1d2d1934 => 06460024407b95b02746012825460fd002281ed144f001fb024611a101a868f022fd01af384671f0d4fb85b2012410e00f48314600 0x0014f1b6
0x0014f1ec 2d19ad => 827d68 0x0014f1ec
0x0014f1f0 ad4605d0a0e1ffbd2d196400241d6519ad460000b0e329f7adfdffbd => 33f1a6fa0106090e01d0012904d1307b4df068f9040005d1307b2b46 0x0014f1f0
0x0014f218 be7dacf0 => 2b45414c 0x0014f218
0x0014f54e f0242402a834240293342402903405460e68206805e043fff0bdff0055e3fad100202946324600250446083025609cf0 => 06460025407bffb0c8b0012843d100272c2205233146c6a832f173fec0abc4b2187e002837d1022c03d0042c01d0052c 0x0014f54e
0x0014f57f e96660 => d12c22 0x0014f57f
0x0014f584 2360f0bdf0b5f02000460002a830 => 3146c6a832f162fec0abc7b2187e 0x0014f584
0x0014f593 02933000029030f0bd => 2826d1052c11d11748 0x0014f593
0x0014f5a0 f0b5fff7f1ff07680220396800468842fbd1391d081d00460046f0bd01b4fff7f9fd012801bc01d003d00fbcc1f7a6fbf0bdf0b515461e46fff7b8fffff7e0ff0446002d08d0002e06d00a68011d0446284615469cf0e2e800f002f8f0bd => 164b00683146827dc6a832f1e9fec0ab187e002816d101a943a832f1abf843a871f0e2f9c0032146020c0092307b3a4601ab4cf06bf80128054609d006480321006881800022307b29461346ccf0e4f97fb048b0f0bd0000c87dacf00a02 0x0014f5a0
0x0014f5ff 46f0 => 00f8 0x0014f5ff
0x0014f602 2046002801d0008829463246002a00d01160f0bdf0bdf080bde8 => 002506460c480468707b01280cd1a27d3146684633f193f8ff28 0x0014f602
0x001504fc 00bf00bf => 5bf0eaff 0x001504fc
0x001e8730 1a9866 => 0720fd 0x001e8730
0x001e8734 3ffd => c2eb 0x001e8734
0x001e87be 10a908600a2000021a9a1060 => 334a33a13ca0273203f0f6ee 0x001e87be

The question here is: how can we change these hex strings to ARM assembler code?


thanks
 BL.
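An added example, not from the thread and not from any of the projects it links: a small Python script that parses radiff2 lines of the form quoted above into (offset, old bytes, new bytes) and decodes a subset of Thumb (push/pop, mov, movs/cmp, ldr/str, b, b<cond>, bl/blx) so a hunk can be read as instructions instead of hex. The regex, the hunk layout and the assumption that the file offset equals the load address are mine; anything the decoder does not recognise is emitted as .short so it is never silently mis-read, and a full listing should come from a real disassembler such as rasm2 -a arm -b 16 -d <hex> from radare2. The sample input is three lines copied from the radiff2 output in the message. Two things the decode makes visible: the old bytes at 0x00110d08 form a complete Thumb function (push, bl, cmp, pop, bne, bl, pop, b back to the entry, with the first bl landing at 0x14f1b4, two bytes before the next hunk), while the new bytes at the same offset are the ASCII text "hangeNotification" plus padding, so it is worth checking whether the two images are byte-aligned at all before reading such a hunk as a patch; and the hunk at 0x001504fc replaces two nop halfwords with a single bl, which is the usual shape of a call that has been patched in.

```python
# Added example (not from the thread): parse radiff2 lines and decode a Thumb subset.
# Assumptions: diff layout "0xOFF oldhex => newhex 0xOFF", file offset == address, Thumb code.
import re
import struct

RADIFF_RE = re.compile(r"^0x([0-9a-f]+)\s+([0-9a-f]+)\s*=>\s*([0-9a-f]+)\s+0x([0-9a-f]+)$", re.I)

# Constructed sample: three lines copied from the radiff2 output quoted above.
SAMPLE = """
0x00110d08 f0b50fb43ef052fa01280fbc03d13ef05cfcf0bdf4e7 => 68616e67654e6f74696669636174696f6e000000f0b5 0x00110d08
0x001504fc 00bf00bf => 5bf0eaff 0x001504fc
0x001e8730 1a9866 => 0720fd 0x001e8730
"""
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc", "hi", "ls", "ge", "lt", "gt", "le"]

def parse_radiff(text):
    """Return [(offset, old_bytes, new_bytes)] for every line matching the radiff2 layout."""
    hunks = []
    for line in text.splitlines():
        m = RADIFF_RE.match(line.strip())
        if m:
            hunks.append((int(m[1], 16), bytes.fromhex(m[2]), bytes.fromhex(m[3])))
    return hunks

def sext(value, bits):  # sign-extend a `bits`-wide two's-complement field
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def reglist(mask, extra=None):
    regs = [f"r{i}" for i in range(8) if mask & (1 << i)] + ([extra] if extra else [])
    return "{" + ", ".join(regs) + "}"

def decode16(hw, addr):
    """Decode one 16-bit Thumb halfword located at `addr`; None if outside the subset."""
    if hw == 0xBF00:
        return "nop"
    if (hw & 0xFE00) == 0xB400:                     # push {reglist[, lr]}
        return "push " + reglist(hw & 0xFF, "lr" if hw & 0x100 else None)
    if (hw & 0xFE00) == 0xBC00:                     # pop {reglist[, pc]}
        return "pop " + reglist(hw & 0xFF, "pc" if hw & 0x100 else None)
    if (hw & 0xFF00) == 0x4600:                     # mov Rd, Rm (high-register form)
        return f"mov r{((hw >> 4) & 8) | (hw & 7)}, r{(hw >> 3) & 0xF}"
    if (hw & 0xF800) == 0x2000:                     # movs Rd, #imm8
        return f"movs r{(hw >> 8) & 7}, #{hw & 0xFF}"
    if (hw & 0xF800) == 0x2800:                     # cmp Rn, #imm8
        return f"cmp r{(hw >> 8) & 7}, #{hw & 0xFF}"
    if (hw & 0xF000) == 0x6000:                     # ldr/str Rt, [Rn, #imm5*4]
        op = "ldr" if hw & 0x0800 else "str"
        return f"{op} r{hw & 7}, [r{(hw >> 3) & 7}, #{((hw >> 6) & 0x1F) * 4}]"
    if (hw & 0xF000) == 0xD000 and ((hw >> 8) & 0xF) < 14:   # b<cond> label, PC = addr + 4
        return f"b{COND[(hw >> 8) & 0xF]} 0x{addr + 4 + sext(hw & 0xFF, 8) * 2:x}"
    if (hw & 0xF800) == 0xE000:                     # b label
        return f"b 0x{addr + 4 + sext(hw & 0x7FF, 11) * 2:x}"
    return None

def decode32(hw1, hw2, addr):
    """Decode the 32-bit BL / BLX encodings; None for any other 32-bit instruction."""
    if (hw1 & 0xF800) != 0xF000 or (hw2 & 0xC000) != 0xC000:
        return None
    s, j1, j2 = (hw1 >> 10) & 1, (hw2 >> 13) & 1, (hw2 >> 11) & 1
    i1, i2 = 1 - (j1 ^ s), 1 - (j2 ^ s)
    imm = (s << 24) | (i1 << 23) | (i2 << 22) | ((hw1 & 0x3FF) << 12) | ((hw2 & 0x7FF) << 1)
    if hw2 & 0x1000:                                # BL: Thumb target, PC-relative
        return f"bl 0x{addr + 4 + sext(imm, 25):x}"
    return f"blx 0x{((addr + 4) & ~3) + sext(imm, 25):x}"   # BLX: ARM target, word-aligned base

def disasm(data, base):
    """Decode `data` as Thumb at address `base`; undecoded words stay as .short, never guessed."""
    out, i = [], 0
    while i + 2 <= len(data):
        addr, hw = base + i, struct.unpack_from("<H", data, i)[0]
        if (hw >> 11) in (0x1D, 0x1E, 0x1F) and i + 4 <= len(data):   # 32-bit Thumb-2 encoding
            hw2 = struct.unpack_from("<H", data, i + 2)[0]
            out.append(f"{addr:08x}: " + (decode32(hw, hw2, addr) or f".short 0x{hw:04x}, 0x{hw2:04x}"))
            i += 4
        else:
            out.append(f"{addr:08x}: " + (decode16(hw, addr) or f".short 0x{hw:04x}"))
            i += 2
    if i < len(data):
        out.append(f"{base + i:08x}: .byte 0x{data[i]:02x}")   # odd trailing byte: not an instruction
    return out

def looks_like_text(data, min_run=8):  # a run of printable ASCII means data or a shifted layout
    run = best = 0
    for b in data:
        run = run + 1 if 0x20 <= b < 0x7F else 0
        best = max(best, run)
    return best >= min_run

def report(text):  # decode both sides of every hunk, flagging sides that are really text
    lines = []
    for off, old, new in parse_radiff(text):
        lines.append(f"--- 0x{off:08x}: {len(old)} old bytes -> {len(new)} new bytes")
        for label, blob in (("old", old), ("new", new)):
            if looks_like_text(blob):
                lines.append(f"  {label}: printable ASCII, probably data: {blob!r}")
            lines.extend(f"  {label} {l}" for l in disasm(blob, off))
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it on the full radiff2 listing (paste the lines into SAMPLE) to get a side-by-side decode; the printable-ASCII flag is the cheap check that tells a shifted layout apart from a real patch before any time is spent on the instructions.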

________________________________
From: Craig Comstock <craig_comstock at yahoo.com>
Sent: Wednesday, April 19, 2017 2:57 AM
To: baseband-devel at lists.osmocom.org
Cc: bruce lee
Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)

RootZero/bruce lee sent me this github with baseband sources very similar to what I already have for MT626x:

https://github.com/zxp86021/MediaTek-HelioX10-Baseband
Looking there it seems we have layer 1 GSM/2G support for many more RF chips. The trick is to figure out what AP/SOC they are used in. For example the MediaTek-HelioX10 is a MT6795 which seems to use the MT6169 transceiver chip (based on some other files in the sources). My ZTE Obsidian seems to use this same TRX chip (based on a MT6735 datasheet):

http://www.datasheet4u.com/pdf/MT6735-pdf/925384

Comparing L1D_RF_PowerOn functions it seems the MT6252 might be the closest to the MT626x which are completely missing from
this newer set of sources that are maybe a year or so newer than the MT626x sources I have.

m12196.c:/*BRIGHT2*/ void  L1D_RF_PowerOn( void )
m12196.c:/*BRIGHT4*/ void  L1D_RF_PowerOn( void )
m12196.c:/*BRIGHT5P*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AERO*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AERO1+*/ void  L1D_RF_PowerOn( void )
m12196.c:/*RFMD*/ void  L1D_RF_PowerOn( void )
m12196.c:/*SKY74117*/ void  L1D_RF_PowerOn( void )
m12196.c:/*SKY74400*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6119*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6119C*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6129A*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6129B*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6129C*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6129D*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6139B*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6139C*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6139E*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140A*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140B*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140C*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140D*/ void  L1D_RF_PowerOn( void )
m12196.c:/*CMOSEDGE*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MTKSOC1T*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MTKSOC1*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6252RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6256RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6255RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6251RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*SKY74045*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AERO2*/ void  L1D_RF_PowerOn( void )
m12196.c:/*SKY74137*/ void  L1D_RF_PowerOn( void )
m12196.c:/*GRF6201*/ void  L1D_RF_PowerOn( void )
m12196.c:/*IRFS3001*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AD6548*/  void  L1D_RF_PowerOn( void )
m12196.c:/*AD6546*/  void  L1D_RF_PowerOn( void )
m12196.c:/*MT6162*/  void  L1D_RF_PowerOn( void )
m12196.c:/*MT6163*/  void  L1D_RF_PowerOn( void )
m12196.c:/*MT6280RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6169*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6169*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6166*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6165*/ void  L1D_RF_PowerOn( void )

One set of MT626x sources is called 11CW1418SP4 and supports the following baseband chips. Probably MT626x has an integrated baseband?

m12196.c:/*MT6129D*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6139E*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6140D*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MTKSOC1*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6252RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6261RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6260RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6250RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6256RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6255RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*MT6251RF*/ void  L1D_RF_PowerOn( void )
m12196.c:/*AD6548*/  void  L1D_RF_PowerOn( void )
m12196.c:/*AD6546*/  void  L1D_RF_PowerOn( void )
m12196.c:/*MT6162*/  void  L1D_RF_PowerOn( void )


So I guess I need to look elsewhere in the sources to puzzle out my MT6735 ZTE Obsidian which would give me I think the cheapest/oldest chip that supports 4G/LTE:

GSM, UMTS, GPRS, HSPA+, HSUPA, TD-SCDMA, EVDO, LTE Cat 4 (from https://en.wikipedia.org/wiki/MediaTek)

-Craig

p.s. here are some sources I used to research both github and "from the internet":

http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git
https://github.com/akibsayyed/CELLTEL82_WET_KK_GPRS_HSPA_MOLY.WR8.W1315.MD.WG.MP.V35.git
https://github.com/akibsayyed/HSPA_MOLY.WR8.W1449.MD.WG.MP.V16.git
https://github.com/zxp86021/MT6795.kernel.git

mt626x stuff:
11CW1352MP_CENON61D_3232_11C_V2_GPRS_MMI
11CW1418SP4_CORETEK02A_WIFI_BT_V13_GPRS_MMI
MTK60D-11B1308-V2

--------------------------------------------
On Thu, 4/13/17, bruce lee <bbsoo7 at live.com> wrote:

 Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
 To: "Craig Comstock" <craig_comstock at yahoo.com>
 Date: Thursday, April 13, 2017, 11:40 AM

 check this out. It is modem firmware source code,

 and this guy's GitHub:

 https://github.com/luckasfb/Development_Documents

 Lots of good stuff, but it does not have what I am looking for.

 bruce.


 From: Craig Comstock <craig_comstock at yahoo.com>
 Sent: Thursday, April 13, 2017 2:10:15 PM
 To: bruce lee
 Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)

 Looking at some kernel sources I see a few things that look familiar to me from mt626x source. Grepping for RIL (radio interface layer):

 https://github.com/eagleeyetom/android_kernel_mtk_mt6572.git

 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define RIL_SIZE          0x1600000
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define RIL_SIZE          0x0A00000
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define RIL_SIZE          0x1600000
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define RIL_SIZE   0x100000 //for connsys memory
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define MEM_PRELOADER_START             (DRAM_PHY_ADDR) //placed mem in RIL 256KB
 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define RESERVE_MEM_SIZE                (RIL_SIZE)

 they mentioned infrasys and connsys near the RIL bits...

 craig at z500:~/android_kernel_mtk_mt6572/mediatek$ find | xargs grep -s infrasys
 ./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/* infrasys AO */
 ./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/* infrasys */
 ./platform/mt6572/kernel/core/core.c:    /* infrasys AO first half */
 ./platform/mt6572/kernel/core/core.c:    /* infrasys AO second half */
 ./platform/mt6572/kernel/core/core.c:    /* infrasys */
 ./platform/mt6572/lk/include/platform/mt_reg_base.h:/* infrasys AO */
 ./platform/mt6572/lk/include/platform/mt_reg_base.h:/* infrasys */
 craig at z500:~/android_kernel_mtk_mt6572/mediatek$ vi platform/mt6572/kernel/core/core.c

 So... mt_reg_base.h looks a little familiar to mt626x stuff.

 There is also this:

 https://android.googlesource.com/kernel/mediatek/

 and this:

 https://github.com/profglavcho/mt6735-kernel-3.10.61

 --------------------------------------------
 On Thu, 4/13/17, bruce lee <bbsoo7 at live.com> wrote:

  Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
  To: "baseband-devel at lists.osmocom.org" <baseband-devel at lists.osmocom.org>, "Craig Comstock" <craig_comstock at yahoo.com>
  Date: Thursday, April 13, 2017, 1:49 AM

  Maybe it is easiest to develop on some boards which have a UART port, to look at the boot-up messages.

  Some mt6572-based boards one can find on the China market. They even can share code with us if we buy it.

  It is Android based.

  So should/can we make an osmocom-bb based BP for this Android board? Or another smartphone?

  thanks
  RZ

  From: Craig Comstock <craig_comstock at yahoo.com>
  Sent: Thursday, April 13, 2017 3:21 AM
  To: baseband-devel at lists.osmocom.org; bruce lee
  Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)

  I don't have the files mentioned in that patch. They look very much like some part of an Android source code tree. So far I am working mostly not with Android at all... only osmocom-bb, nuttx, fernly and fernvale-nuttx.

  My work on the newer MT chip in the ZTE Obsidian is a ways down the road. One thing that was VERY encouraging is that I have tested the beginnings of interaction with its bootloader (as in the fernly project) and it seems at least the initial MSG and ACK from the bootloader works the same as for fernly types of MT chips (6260/6261). So that might be a good starting point in terms of experimenting/fuzzing/???

  Maybe you could find a custom ROM source tree and find those files that are being patched.

  In terms of participating in my project, I have a GitHub repo and am primarily using the fernvale board I purchased from sysmocom as well as some mt6260/6261 based watches and the Seeed Studio RePhone.

  So I'd say go get one or more of those things and start hacking on fernly, fernvale-nuttx, osmocom-bb and nuttx-bb (combo of osmocom-bb and nuttx).

  I don't work too hard on the project. This branch is my latest not-working work in progress:

  https://github.com/craigcomstock/osmocom-bb/tree/feb-22-2017-mt62xx-wip

  I have since changed my strategy and so this branch will likely rot. :( But it might give some indication of what I'm up to.

  -Craig

  --------------------------------------------
  On Wed, 4/12/17, bruce lee <bbsoo7 at live.com> wrote:

   Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)
   To: "Craig Comstock" <craig_comstock at yahoo.com>, "baseband-devel at lists.osmocom.org" <baseband-devel at lists.osmocom.org>
   Date: Wednesday, April 12, 2017, 9:39 PM

   Craig,

   do you have the files mentioned at

   https://github.com/shadowsim/shadowsim/blob/master/mdlogger.patch

   And your project seems very interesting; I would like to participate in it.

   thanks
   RZ

   From: Craig Comstock <craig_comstock at yahoo.com>
   Sent: Tuesday, April 11, 2017 11:35 AM
   To: baseband-devel at lists.osmocom.org; RootZero
   Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)

   My target was MT6735 in a ZTE Obsidian. I chose it for 4G LTE. I could root one and see if similar techniques work.

   My hope was to leverage leaked source for mt626x and hope to work my way up the chip models. I am currently working on porting osmocom-bb and nuttx-bb to fernvale/rephone/mt626x.

   On April 11, 2017 4:39:46 AM CDT, RootZero <bbsoo7 at live.com> wrote:

   Markus and all,

   I am very interested in this project/hack. Can you share more information with us?

   I searched lots of web pages and did not find the source of the mdlogger.cpp file.

   I do have the source code of "modem.img"; if you want it, please let me know.

   thanks
   RootZero

   --
   View this message in context: http://baseband-devel.722152.n3.nabble.com/Fun-with-the-MTK-6573-Baseband-Patching-Replacing-tp4026683p4026772.html
   Sent from the baseband-devel mailing list archive at Nabble.com.

   --
   Sent from my Android device with K-9 Mail. Please excuse my brevity.
