<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head><body dir="ltr">Also, my main interest here is to mention which chips might have a chance of osmocom-bb/nuttx-bb support.<br><br><div class="gmail_quote">On April 18, 2017 11:25:41 PM CDT, bruce lee <bbsoo7@live.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>there is a </p>
<a href="https://github.com/xobs/fernly" class="OWAAutoLink" id="LPlnk228811">https://github.com/xobs/fernly</a>
<div><br />
</div>
<div>seems they did what you are trying to do now. they also has a qemu to emulator that chip or so.</div>
<div><br />
</div>
<div>I made a little progress for patching mt6573 modem.img.</div>
<div><br />
</div>
<div>these output is from this commands.</div>
<div>radiff2 old.img new.img.</div>
<div><br />
</div>
<div>
<div>0x00110d08 f0b50fb43ef052fa01280fbc03d13ef05cfcf0bdf4e7 => 68616e67654e6f74696669636174696f6e000000f0b5 0x00110d08</div>
<div>0x0014f1b6 32683846f0252d02a8352d0293352d028c352d6808210902223109029831a94201d00020f0bd01200120f0bd8d466d462d1d2d1934 => 06460024407b95b02746012825460fd002281ed144f001fb024611a101a868f022fd01af384671f0d4fb85b2012410e00f48314600 0x0014f1b6</div>
<div>0x0014f1ec 2d19ad => 827d68 0x0014f1ec</div>
<div>0x0014f1f0 ad4605d0a0e1ffbd2d196400241d6519ad460000b0e329f7adfdffbd => 33f1a6fa0106090e01d0012904d1307b4df068f9040005d1307b2b46 0x0014f1f0</div>
<div>0x0014f218 be7dacf0 => 2b45414c 0x0014f218</div>
<div>0x0014f54e f0242402a834240293342402903405460e68206805e043fff0bdff0055e3fad100202946324600250446083025609cf0 => 06460025407bffb0c8b0012843d100272c2205233146c6a832f173fec0abc4b2187e002837d1022c03d0042c01d0052c 0x0014f54e</div>
<div>0x0014f57f e96660 => d12c22 0x0014f57f</div>
<div>0x0014f584 2360f0bdf0b5f02000460002a830 => 3146c6a832f162fec0abc7b2187e 0x0014f584</div>
<div>0x0014f593 02933000029030f0bd => 2826d1052c11d11748 0x0014f593</div>
<div>0x0014f5a0 f0b5fff7f1ff07680220396800468842fbd1391d081d00460046f0bd01b4fff7f9fd012801bc01d003d00fbcc1f7a6fbf0bdf0b515461e46fff7b8fffff7e0ff0446002d08d0002e06d00a68011d0446284615469cf0e2e800f002f8f0bd => 164b00683146827dc6a832f1e9fec0ab187e002816d101a943a832f1abf843a871f0e2f9c0032146020c0092307b3a4601ab4cf06bf80128054609d006480321006881800022307b29461346ccf0e4f97fb048b0f0bd0000c87dacf00a02
0x0014f5a0</div>
<div>0x0014f5ff 46f0 => 00f8 0x0014f5ff</div>
<div>0x0014f602 2046002801d0008829463246002a00d01160f0bdf0bdf080bde8 => 002506460c480468707b01280cd1a27d3146684633f193f8ff28 0x0014f602</div>
<div>0x001504fc 00bf00bf => 5bf0eaff 0x001504fc</div>
<div>0x001e8730 1a9866 => 0720fd 0x001e8730</div>
<div>0x001e8734 3ffd => c2eb 0x001e8734</div>
<div>0x001e87be 10a908600a2000021a9a1060 => 334a33a13ca0273203f0f6ee 0x001e87be</div>
</div>
<div><br />
</div>
<div>questions here is how can we change these hex strings to a ARM assembler code?</div>
<div><br />
</div>
<div><br />
</div>
<div>thanks</div>
<div> BL.</div>
<div><br />
<a href="https://github.com/xobs/fernly" class="OWAAutoLink"></a>
<div id="LPBorder_GT_14925757281910.5063689971380404" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925757281890.3740510199160707" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="ImageCell_14925757281890.3969962571624126" colspan="1" style="width: 250px; position: relative; display: table-cell; padding-right: 20px;">
<div id="LPImageContainer_14925757281890.8141633624948043" style="background-color: rgb(255, 255, 255); height: 250px; position: relative; margin: auto; display: table; width: 250px;">
<a id="LPImageAnchor_14925757281900.7309339228969642" href="https://github.com/xobs/fernly" target="_blank" style="display: table-cell; text-align: center;"><img aria-label="Preview image with link selected. Double-tap to open the link." id="LPThumbnailImageID_14925757281900.549890155941041" style="display: inline-block; max-width: 250px; max-height: 250px; height: 250px; width: 250px; border-width: 0px; vertical-align: bottom;" width="250" height="250" src="https://avatars1.githubusercontent.com/u/238325?v=3&s=400" /></a></div>
</td>
<td id="TextCell_14925757281900.33269793140477133" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925757281900.11605082684046053"></div>
<div id="LPTitle_14925757281900.31543169578455343" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925757281900.1822574895558412" href="https://github.com/xobs/fernly" target="_blank" style="text-decoration: none;">GitHub - xobs/fernly: Fernvale research OS</a></div>
<div id="LPMetadata_14925757281900.07090810805369097" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
github.com</div>
<div id="LPDescription_14925757281910.24928159297078378" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
README.md Fernly - Fernvale Reversing OS. Fernly is a simple operating system designed for use in the reverse engineering of the Fernvale CPU.</div>
</td>
</tr>
</tbody>
</table>
</div>
<br />
<div><br />
</div>
<div><br />
</div>
<div><a href="https://github.com/xobs/fernly" class="OWAAutoLink"></a><br />
<div style="color: rgb(0, 0, 0);">
<div>
<hr tabindex="-1" style="display:inline-block; width:98%" />
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Craig Comstock <craig_comstock@yahoo.com><br />
<b>Sent:</b> Wednesday, April 19, 2017 2:57 AM<br />
<b>To:</b> baseband-devel@lists.osmocom.org<br />
<b>Cc:</b> bruce lee<br />
<b>Subject:</b> Re: Fun with the MTK 6573 Baseband (Patching / Replacing)</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">RootZero/bruce lee sent me this github with baseband sources very similar to what I already have for MT626x:<br />
<br />
<a href="https://github.com/zxp86021/MediaTek-HelioX10-Baseband" id="LPlnk486126" previewremoved="true">https://github.com/zxp86021/MediaTek-HelioX10-Baseband</a>
<div id="LPBorder_GT_14925756268600.7900752874853518" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925756268570.5781381794743236" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="ImageCell_14925756268580.8618206527077665" colspan="1" style="width: 250px; position: relative; display: table-cell; padding-right: 20px;">
<div id="LPImageContainer_14925756268580.7244358832002971" style="background-color: rgb(255, 255, 255); height: 250px; position: relative; margin: auto; display: table; width: 250px;">
<a id="LPImageAnchor_14925756268580.309477576842655" href="https://github.com/zxp86021/MediaTek-HelioX10-Baseband" target="_blank" style="display: table-cell; text-align: center;"><img aria-label="Preview image with link selected. Double-tap to open the link." id="LPThumbnailImageID_14925756268590.20051184298891023" style="display: inline-block; max-width: 250px; max-height: 250px; height: 250px; width: 250px; border-width: 0px; vertical-align: bottom;" width="250" height="250" src="https://avatars3.githubusercontent.com/u/3607700?v=3&s=400" /></a></div>
</td>
<td id="TextCell_14925756268590.7207147835702122" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925756268600.843283691110213"></div>
<div id="LPTitle_14925756268600.2716362510440984" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925756268600.6166994834605336" href="https://github.com/zxp86021/MediaTek-HelioX10-Baseband" target="_blank" style="text-decoration: none;">GitHub - zxp86021/MediaTek-HelioX10-Baseband: MediaTek ...</a></div>
<div id="LPMetadata_14925756268600.4569085504984939" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
github.com</div>
<div id="LPDescription_14925756268600.03591430615833435" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
MediaTek-HelioX10-Baseband - MediaTek MT6795 (Helio X10) baseband source code</div>
</td>
</tr>
</tbody>
</table>
</div>
<br />
<br />
<br />
Looking there it seems we have layer 1 GSM/2G support for many more RF chips. The trick is to figure out what AP/SOC they are used in. For example the MediaTek-HelioX10 is a MT6795 which seems to use<br />
the MT6169 transciever chip (based on some other files in the sources). My ZTE Obsidian seems to use this same TRX chip (based on a MT6735 datasheet)<br />
<br />
<a href="http://www.datasheet4u.com/pdf/MT6735-pdf/925384" id="LPlnk690001" previewremoved="true">http://www.datasheet4u.com/pdf/MT6735-pdf/925384</a>
<div id="LPBorder_GT_14925756275890.12654338708785073" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925756275880.7966760834658138" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="TextCell_14925756275880.13785211959187138" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925756275880.7023348836921771"></div>
<div id="LPTitle_14925756275880.8283899659412328" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925756275890.4854715418988488" href="http://www.datasheet4u.com/pdf/MT6735-pdf/925384" target="_blank" style="text-decoration: none;">LTE Smartphone Application Processor Technical Brief</a></div>
<div id="LPMetadata_14925756275890.4342381183749108" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
www.datasheet4u.com</div>
<div id="LPDescription_14925756275890.5348082099360443" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
MediaTek MT6735 datasheet, MT6735 PDF, MT6735 download, MT6735 datasheet pdf, LTE Smartphone Application Processor Technical Brief</div>
</td>
</tr>
</tbody>
</table>
</div>
<br />
<br />
<br />
Comparing L1D_RF_PowerOn functions it seems the MT6252 might be the closest to the MT626x which are completely missing from<br />
this newer set of sources that are maybe a year or so newer than the MT626x sources I have.<br />
<br />
m12196.c:/*BRIGHT2*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*BRIGHT4*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*BRIGHT5P*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*AERO*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*AERO1+*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*RFMD*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*SKY74117*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*SKY74400*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6119*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6119C*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6129A*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6129B*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6129C*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6129D*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6139B*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6139C*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6139E*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6140A*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6140B*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6140C*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6140D*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*CMOSEDGE*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MTKSOC1T*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MTKSOC1*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6252RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6256RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6255RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6251RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*SKY74045*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*AERO2*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*SKY74137*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*GRF6201*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*IRFS3001*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*AD6548*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*AD6546*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6162*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6163*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6280RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6169*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6169*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6166*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6165*/ void L1D_RF_PowerOn( void )<br />
<br />
one set of MT626x sources is called 11CW1418SP4 and supports the following baseband chips. Probably MT626x has an integrated baseband?<br />
<br />
m12196.c:/*MT6129D*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6139E*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6140D*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MTKSOC1*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6252RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6261RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6260RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6250RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6256RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6255RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6251RF*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*AD6548*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*AD6546*/ void L1D_RF_PowerOn( void )<br />
m12196.c:/*MT6162*/ void L1D_RF_PowerOn( void )<br />
<br />
<br />
So I guess I need to look elsewhere in the sources to puzzle out my MT6735 ZTE Obsidian which would give me I think the cheapest/oldest chip that supports 4G/LTE:<br />
<br />
GSM, UMTS, GPRS, HSPA+, HSUPA, TD-SCDMA, EVDO, LTE Cat 4 (from <a href="https://en.wikipedia.org/wiki/MediaTek" id="LPlnk256930" previewremoved="true">
https://en.wikipedia.org/wiki/MediaTek</a>)
<div id="LPBorder_GT_14925756849170.837033758986963" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925756849140.8367047041405947" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="ImageCell_14925756849150.8728491682542023" colspan="1" style="width: 250px; position: relative; display: table-cell; padding-right: 20px;">
<div id="LPImageContainer_14925756849150.3071602937285278" style="background-color: rgb(255, 255, 255); height: 55px; position: relative; margin: auto; display: table; width: 220px;">
<a id="LPImageAnchor_14925756849150.9748814587448508" href="https://en.wikipedia.org/wiki/MediaTek" target="_blank" style="display: table-cell; text-align: center;"><img aria-label="Preview image with link selected. Double-tap to open the link." id="LPThumbnailImageID_14925756849150.8373168641496133" style="display: inline-block; max-width: 250px; max-height: 250px; height: 55px; width: 220px; border-width: 0px; vertical-align: bottom;" width="220" height="55" src="https://upload.wikimedia.org/wikipedia/en/thumb/2/2d/MediaTek_logo_as_shown_on_company_website.svg/220px-MediaTek_logo_as_shown_on_company_website.svg.png" /></a></div>
</td>
<td id="TextCell_14925756849150.4583482896726926" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925756849150.8971619092319201"></div>
<div id="LPTitle_14925756849150.5615047228697504" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925756849160.9666930818237504" href="https://en.wikipedia.org/wiki/MediaTek" target="_blank" style="text-decoration: none;">MediaTek - Wikipedia</a></div>
<div id="LPMetadata_14925756849160.3882291352388543" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
en.wikipedia.org</div>
<div id="LPDescription_14925756849160.2564558144396757" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
MediaTek Inc. (Chinese: 聯發科技股份有限公司; pinyin: Liánfā Kējì Gǔfèn Yǒuxiàn Gōngsī) is a Taiwanese fabless semiconductor company that provides ...</div>
</td>
</tr>
</tbody>
</table>
</div>
<br />
<br />
<br />
-Craig<br />
<br />
p.s. here are some sources I used to research both github and "from the internet":<br />
<br />
<a href="http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git" id="LPlnk601595" previewremoved="true">http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git</a>
<div id="LPBorder_GT_14925756857970.888090132402774" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925756857950.6285797899677068" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="TextCell_14925756857960.949523359852579" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925756857960.5257256736610809"></div>
<div id="LPTitle_14925756857960.9001049325468427" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925756857960.2741983181576533" href="http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git" target="_blank" style="text-decoration: none;">Tom Su / AP7350_MDK-kernel | GitLab</a></div>
<div id="LPMetadata_14925756857960.6630737053383758" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
git.huayusoft.com</div>
<div id="LPDescription_14925756857960.8838800375549837" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
GitLab Community Edition ... AP7350_MDK-kernel. AP7350_MDK Android手机开发模块/开发板 kernel 以及 bootloader 代码。</div>
</td>
</tr>
</tbody>
</table>
</div>
<br />
<br />
<a href="https://github.com/akibsayyed/CELLTEL82_WET_KK_GPRS_HSPA_MOLY.WR8.W1315.MD.WG.MP.V35.git" id="LPlnk875362" previewremoved="true">https://github.com/akibsayyed/CELLTEL82_WET_KK_GPRS_HSPA_MOLY.WR8.W1315.MD.WG.MP.V35.git</a><br />
<a href="https://github.com/akibsayyed/HSPA_MOLY.WR8.W1449.MD.WG.MP.V16.git">https://github.com/akibsayyed/HSPA_MOLY.WR8.W1449.MD.WG.MP.V16.git</a><br />
<a href="https://github.com/zxp86021/MT6795.kernel.git">https://github.com/zxp86021/MT6795.kernel.git</a><br />
<br />
mt626x stuff:<br />
11CW1352MP_CENON61D_3232_11C_V2_GPRS_MMI<br />
11CW1418SP4_CORETEK02A_WIFI_BT_V13_GPRS_MMI<br />
MTK60D-11B1308-V2<br />
<br />
--------------------------------------------<br />
On Thu, 4/13/17, bruce lee <bbsoo7@live.com> wrote:<br />
<br />
Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)<br />
To: "Craig Comstock" <craig_comstock@yahoo.com><br />
Date: Thursday, April 13, 2017, 11:40 AM<br />
<br />
<br />
<br />
<br />
<br />
<br />
check this out. it is modem firmwear source code<br />
<br />
<br />
<br />
and this guy's github<br />
<br />
<br />
<br />
<a href="https://github.com/luckasfb/Development_Documents">https://github.com/luckasfb/Development_Documents</a><br />
<br />
<br />
<br />
alots of good stuff.but do not have what am looking for.<br />
<br />
<br />
<br />
bruce.<br />
<br />
From: Craig Comstock<br />
<craig_comstock@yahoo.com><br />
<br />
Sent: Thursday, April 13, 2017 2:10:15 PM<br />
<br />
To: bruce lee<br />
<br />
Subject: Re: Fun with the MTK 6573 Baseband (Patching<br />
/ Replacing)<br />
<br />
<br />
<br />
<br />
Looking at some kernel<br />
sources I see a few things that look familiar to me from<br />
mt626x source. Grepping for RIL (radio interface layer)<br />
<br />
<br />
<br />
<a href="https://github.com/eagleeyetom/android_kernel_mtk_mt6572.git">https://github.com/eagleeyetom/android_kernel_mtk_mt6572.git</a><br />
<br />
<br />
<br />
<br />
<br />
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:<br />
#define RIL_SIZE 0x1600000<br />
<br />
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:<br />
#define RIL_SIZE 0x0A00000<br />
<br />
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:<br />
#define RIL_SIZE 0x1600000<br />
<br />
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define<br />
RIL_SIZE 0x100000 //for connsys memory<br />
<br />
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define<br />
MEM_PRELOADER_START (DRAM_PHY_ADDR)<br />
//placed mem in RIL 256KB<br />
<br />
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define<br />
RESERVE_MEM_SIZE (RIL_SIZE)<br />
<br />
<br />
<br />
they mentioned infrasys and connsys near the RIL bits...<br />
<br />
<br />
<br />
craig@z500:~/android_kernel_mtk_mt6572/mediatek$ find |<br />
xargs grep -s infrasys<br />
<br />
./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/*<br />
infrasys AO */<br />
<br />
./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/*<br />
infrasys */<br />
<br />
./platform/mt6572/kernel/core/core.c: /* infrasys AO<br />
first half */<br />
<br />
./platform/mt6572/kernel/core/core.c: /* infrasys AO<br />
second half */<br />
<br />
./platform/mt6572/kernel/core/core.c: /* infrasys<br />
*/<br />
<br />
./platform/mt6572/lk/include/platform/mt_reg_base.h:/*<br />
infrasys AO */<br />
<br />
./platform/mt6572/lk/include/platform/mt_reg_base.h:/*<br />
infrasys */<br />
<br />
craig@z500:~/android_kernel_mtk_mt6572/mediatek$ vi<br />
platform/mt6572/kernel/core/core.c<br />
<br />
<br />
<br />
<br />
So... mt_reg_base.h looks a little familiar to mt626x<br />
stuff.<br />
<br />
<br />
<br />
There is also this:<br />
<br />
<br />
<br />
<a href="https://android.googlesource.com/kernel/mediatek/">https://android.googlesource.com/kernel/mediatek/</a><br />
<br />
<br />
<br />
and this:<br />
<br />
<br />
<br />
<a href="https://github.com/profglavcho/mt6735-kernel-3.10.61">https://github.com/profglavcho/mt6735-kernel-3.10.61</a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
--------------------------------------------<br />
<br />
On Thu, 4/13/17, bruce lee <bbsoo7@live.com> wrote:<br />
<br />
<br />
<br />
Subject: Re: Fun with the MTK 6573 Baseband (Patching /<br />
Replacing)<br />
<br />
To: "baseband-devel@lists.osmocom.org"<br />
<baseband-devel@lists.osmocom.org>, "Craig<br />
Comstock" <craig_comstock@yahoo.com><br />
<br />
Date: Thursday, April 13, 2017, 1:49 AM<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
maybe it is easiest for developing on some boards<br />
<br />
which has UART port to look it boot up message.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
some mt6572 based boards one can find on China market.<br />
<br />
they event can share code with us if we buy it.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
it is android based. <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
so should/can we make a osmocom-bb based BP for this<br />
<br />
android board? or other smartphone?<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
thanks<br />
<br />
RZ<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
From: Craig Comstock<br />
<br />
<craig_comstock@yahoo.com><br />
<br />
<br />
<br />
Sent: Thursday, April 13, 2017 3:21 AM<br />
<br />
<br />
<br />
To: baseband-devel@lists.osmocom.org; bruce lee<br />
<br />
<br />
<br />
Subject: Re: Fun with the MTK 6573 Baseband (Patching<br />
<br />
/ Replacing)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I<br />
<br />
don't have the files mentioned in that patch. They<br />
look<br />
<br />
very much like some part of an Android source code tree.<br />
So<br />
<br />
far I am working mostly not with Android at all... only<br />
<br />
osmocom-bb, nuttx, fernly and fernvale-nuttx.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
My work on the newer MT chip in the ZTE Obsidian is a<br />
ways<br />
<br />
down the road. One thing that was VERY encouraging is that<br />
I<br />
<br />
have tested the beginnings of interaction with it's<br />
<br />
bootloader (as in the fernly project)<br />
<br />
<br />
<br />
and it seems at least the initial MSG and ACK from the<br />
<br />
bootloader works the same as for fernly types of MT<br />
chips<br />
<br />
(6260/6261). So that might be a good starting point in<br />
terms<br />
<br />
of experimenting/fuzzing/???<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Maybe you could find a custom rom source tree and find<br />
those<br />
<br />
files that are being patched.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
In terms of participating in my project, I have a<br />
github<br />
<br />
repo and am primarily using the fernvale board I<br />
purchased<br />
<br />
from sysmocom as well as some mt6260/6261 based watches<br />
and<br />
<br />
the Seeed Studio RePhone.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
So I'd say go get one or more of those things and<br />
start<br />
<br />
hacking on fernly, fernvale-nuttx, osmocom-bb and<br />
nuttx-bb<br />
<br />
(combo of osmocom-bb and nuttx).<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I don't work too hard on the project. This branch is<br />
my<br />
<br />
latest not-working work in progress:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<a href="https://github.com/craigcomstock/osmocom-bb/tree/feb-22-2017-mt62xx-wip">https://github.com/craigcomstock/osmocom-bb/tree/feb-22-2017-mt62xx-wip</a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
craigcomstock/osmocom-bb<br />
<br />
<br />
<br />
github.com<br />
<br />
<br />
<br />
Contribute to osmocom-bb development by creating an<br />
account<br />
<br />
on GitHub.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I have since changed my strategy and so this branch<br />
will<br />
<br />
likely rot. :( But it might give some indication of<br />
what<br />
<br />
I'm up to.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
-Craig<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
--------------------------------------------<br />
<br />
<br />
<br />
On Wed, 4/12/17, bruce lee <bbsoo7@live.com><br />
wrote:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Subject: Re: Fun with the MTK 6573 Baseband (Patching<br />
/<br />
<br />
Replacing)<br />
<br />
<br />
<br />
To: "Craig Comstock"<br />
<br />
<craig_comstock@yahoo.com>,<br />
<br />
"baseband-devel@lists.osmocom.org"<br />
<br />
<baseband-devel@lists.osmocom.org><br />
<br />
<br />
<br />
Date: Wednesday, April 12, 2017, 9:39 PM<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Craig,<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
do you have the files mentioned at<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<a href="https://github.com/shadowsim/shadowsim/blob/master/mdlogger.patch">https://github.com/shadowsim/shadowsim/blob/master/mdlogger.patch</a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
and for your project, seem very interesting, and I<br />
<br />
would<br />
<br />
<br />
<br />
like to participate in.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
thanks<br />
<br />
<br />
<br />
RZ<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
From: Craig Comstock<br />
<br />
<br />
<br />
<craig_comstock@yahoo.com><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Sent: Tuesday, April 11, 2017 11:35 AM<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
To: baseband-devel@lists.osmocom.org; RootZero<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Subject: Re: Fun with the MTK 6573 Baseband (Patching<br />
<br />
<br />
<br />
/ Replacing)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
My target was Mt6735 in a Zte Obsidian. I chose it<br />
for<br />
<br />
<br />
<br />
4g lte. I could root one and see if similar<br />
techniques<br />
<br />
work.<br />
<br />
<br />
<br />
My hope was to leverage leaked source for mt626x and<br />
hope<br />
<br />
to<br />
<br />
<br />
<br />
work my way up the chip models. I am currently<br />
working<br />
<br />
on<br />
<br />
<br />
<br />
porting osmocom-bb<br />
<br />
<br />
<br />
and nuttx-bb to fernvale/rephone/mt626x.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
On April 11, 2017<br />
<br />
<br />
<br />
4:39:46 AM CDT, RootZero <bbsoo7@live.com><br />
wrote:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Markus and all,<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I am very interesting in this<br />
<br />
<br />
<br />
project/hack.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
can you share<br />
<br />
<br />
<br />
more information with US?<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I<br />
<br />
<br />
<br />
searched lots web pages and do not find the source of<br />
<br />
<br />
<br />
mdlogger.cpp file.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I do<br />
<br />
<br />
<br />
have the source code of "modem.img" if you<br />
<br />
want<br />
<br />
<br />
<br />
please let me know. <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
thanks<br />
<br />
<br />
<br />
RootZero<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
--<br />
<br />
<br />
<br />
View this message in<br />
<br />
<br />
<br />
context: <br />
<br />
<a href="http://baseband-devel.722152.n3.nabble.com/Fun-with-the-MTK-6573-Baseband-Patching-Replacing-tp4026683p4026772.htmlbaseband-devel">http://baseband-devel.722152.n3.nabble.com/Fun-with-the-MTK-6573-Baseband-Patching-Replacing-tp4026683p4026772.htmlbaseband-devel</a><br />
<br />
<br />
<br />
- Fun with the MTK 6573 Baseband (Patching /<br />
<br />
<br />
<br />
Replacing)baseband-devel.722152.n3.nabble.comFun<br />
<br />
<br />
<br />
with the MTK 6573 Baseband (Patching / Replacing).<br />
<br />
<br />
<br />
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,<br />
<br />
I'm<br />
<br />
<br />
<br />
Markus, a security researcher from Germany. I<br />
recently<br />
<br />
did<br />
<br />
<br />
<br />
some work on MTK<br />
<br />
<br />
<br />
6573...<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Sent from the baseband-devel<br />
<br />
<br />
<br />
mailing list archive at Nabble.com.Nabble<br />
<br />
<br />
<br />
• Free Forum • Embeddable Web<br />
Appsnabble.comEmbed<br />
<br />
<br />
<br />
into any Website. All Nabble apps are naturally<br />
<br />
embeddable,<br />
<br />
<br />
<br />
which means that they can be easily displayed inside<br />
any<br />
<br />
web<br />
<br />
<br />
<br />
page.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
-- <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Sent from my Android device with K-9 Mail. Please<br />
excuse<br />
<br />
my<br />
<br />
<br />
<br />
brevity.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
</div>
</span></font></div>
</div>
</div>
</div>
</blockquote></div><br>
-- <br>
Sent from my Android device with K-9 Mail. Please excuse my brevity.</body></html>