<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>there is a </p>
<a href="https://github.com/xobs/fernly" class="OWAAutoLink" id="LPlnk228811">https://github.com/xobs/fernly</a>
<div><br>
</div>
<div>seems they did what you are trying to do now. they also has a qemu to emulator that chip or so.</div>
<div><br>
</div>
<div>I made a little progress for patching mt6573 modem.img.</div>
<div><br>
</div>
<div>these output is from this commands.</div>
<div>radiff2 old.img new.img.</div>
<div><br>
</div>
<div>
<div>0x00110d08 f0b50fb43ef052fa01280fbc03d13ef05cfcf0bdf4e7 => 68616e67654e6f74696669636174696f6e000000f0b5 0x00110d08</div>
<div>0x0014f1b6 32683846f0252d02a8352d0293352d028c352d6808210902223109029831a94201d00020f0bd01200120f0bd8d466d462d1d2d1934 => 06460024407b95b02746012825460fd002281ed144f001fb024611a101a868f022fd01af384671f0d4fb85b2012410e00f48314600 0x0014f1b6</div>
<div>0x0014f1ec 2d19ad => 827d68 0x0014f1ec</div>
<div>0x0014f1f0 ad4605d0a0e1ffbd2d196400241d6519ad460000b0e329f7adfdffbd => 33f1a6fa0106090e01d0012904d1307b4df068f9040005d1307b2b46 0x0014f1f0</div>
<div>0x0014f218 be7dacf0 => 2b45414c 0x0014f218</div>
<div>0x0014f54e f0242402a834240293342402903405460e68206805e043fff0bdff0055e3fad100202946324600250446083025609cf0 => 06460025407bffb0c8b0012843d100272c2205233146c6a832f173fec0abc4b2187e002837d1022c03d0042c01d0052c 0x0014f54e</div>
<div>0x0014f57f e96660 => d12c22 0x0014f57f</div>
<div>0x0014f584 2360f0bdf0b5f02000460002a830 => 3146c6a832f162fec0abc7b2187e 0x0014f584</div>
<div>0x0014f593 02933000029030f0bd => 2826d1052c11d11748 0x0014f593</div>
<div>0x0014f5a0 f0b5fff7f1ff07680220396800468842fbd1391d081d00460046f0bd01b4fff7f9fd012801bc01d003d00fbcc1f7a6fbf0bdf0b515461e46fff7b8fffff7e0ff0446002d08d0002e06d00a68011d0446284615469cf0e2e800f002f8f0bd => 164b00683146827dc6a832f1e9fec0ab187e002816d101a943a832f1abf843a871f0e2f9c0032146020c0092307b3a4601ab4cf06bf80128054609d006480321006881800022307b29461346ccf0e4f97fb048b0f0bd0000c87dacf00a02
0x0014f5a0</div>
<div>0x0014f5ff 46f0 => 00f8 0x0014f5ff</div>
<div>0x0014f602 2046002801d0008829463246002a00d01160f0bdf0bdf080bde8 => 002506460c480468707b01280cd1a27d3146684633f193f8ff28 0x0014f602</div>
<div>0x001504fc 00bf00bf => 5bf0eaff 0x001504fc</div>
<div>0x001e8730 1a9866 => 0720fd 0x001e8730</div>
<div>0x001e8734 3ffd => c2eb 0x001e8734</div>
<div>0x001e87be 10a908600a2000021a9a1060 => 334a33a13ca0273203f0f6ee 0x001e87be</div>
</div>
<div><br>
</div>
<div>questions here is how can we change these hex strings to a ARM assembler code?</div>
<div><br>
</div>
<div><br>
</div>
<div>thanks</div>
<div> BL.</div>
<div><br>
<a href="https://github.com/xobs/fernly" class="OWAAutoLink"></a>
<div id="LPBorder_GT_14925757281910.5063689971380404" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925757281890.3740510199160707" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="ImageCell_14925757281890.3969962571624126" colspan="1" style="width: 250px; position: relative; display: table-cell; padding-right: 20px;">
<div id="LPImageContainer_14925757281890.8141633624948043" style="background-color: rgb(255, 255, 255); height: 250px; position: relative; margin: auto; display: table; width: 250px;">
<a id="LPImageAnchor_14925757281900.7309339228969642" href="https://github.com/xobs/fernly" target="_blank" style="display: table-cell; text-align: center;"><img aria-label="Preview image with link selected. Double-tap to open the link." id="LPThumbnailImageID_14925757281900.549890155941041" style="display: inline-block; max-width: 250px; max-height: 250px; height: 250px; width: 250px; border-width: 0px; vertical-align: bottom;" width="250" height="250" src="https://avatars1.githubusercontent.com/u/238325?v=3&s=400"></a></div>
</td>
<td id="TextCell_14925757281900.33269793140477133" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925757281900.11605082684046053"></div>
<div id="LPTitle_14925757281900.31543169578455343" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925757281900.1822574895558412" href="https://github.com/xobs/fernly" target="_blank" style="text-decoration: none;">GitHub - xobs/fernly: Fernvale research OS</a></div>
<div id="LPMetadata_14925757281900.07090810805369097" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
github.com</div>
<div id="LPDescription_14925757281910.24928159297078378" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
README.md Fernly - Fernvale Reversing OS. Fernly is a simple operating system designed for use in the reverse engineering of the Fernvale CPU.</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<div><br>
</div>
<div><br>
</div>
<div><a href="https://github.com/xobs/fernly" class="OWAAutoLink"></a><br>
<div style="color: rgb(0, 0, 0);">
<div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Craig Comstock <craig_comstock@yahoo.com><br>
<b>Sent:</b> Wednesday, April 19, 2017 2:57 AM<br>
<b>To:</b> baseband-devel@lists.osmocom.org<br>
<b>Cc:</b> bruce lee<br>
<b>Subject:</b> Re: Fun with the MTK 6573 Baseband (Patching / Replacing)</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">RootZero/bruce lee sent me this github with baseband sources very similar to what I already have for MT626x:<br>
<br>
<a href="https://github.com/zxp86021/MediaTek-HelioX10-Baseband" id="LPlnk486126" previewremoved="true">https://github.com/zxp86021/MediaTek-HelioX10-Baseband</a>
<div id="LPBorder_GT_14925756268600.7900752874853518" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925756268570.5781381794743236" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="ImageCell_14925756268580.8618206527077665" colspan="1" style="width: 250px; position: relative; display: table-cell; padding-right: 20px;">
<div id="LPImageContainer_14925756268580.7244358832002971" style="background-color: rgb(255, 255, 255); height: 250px; position: relative; margin: auto; display: table; width: 250px;">
<a id="LPImageAnchor_14925756268580.309477576842655" href="https://github.com/zxp86021/MediaTek-HelioX10-Baseband" target="_blank" style="display: table-cell; text-align: center;"><img aria-label="Preview image with link selected. Double-tap to open the link." id="LPThumbnailImageID_14925756268590.20051184298891023" style="display: inline-block; max-width: 250px; max-height: 250px; height: 250px; width: 250px; border-width: 0px; vertical-align: bottom;" width="250" height="250" src="https://avatars3.githubusercontent.com/u/3607700?v=3&s=400"></a></div>
</td>
<td id="TextCell_14925756268590.7207147835702122" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925756268600.843283691110213"></div>
<div id="LPTitle_14925756268600.2716362510440984" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925756268600.6166994834605336" href="https://github.com/zxp86021/MediaTek-HelioX10-Baseband" target="_blank" style="text-decoration: none;">GitHub - zxp86021/MediaTek-HelioX10-Baseband: MediaTek ...</a></div>
<div id="LPMetadata_14925756268600.4569085504984939" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
github.com</div>
<div id="LPDescription_14925756268600.03591430615833435" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
MediaTek-HelioX10-Baseband - MediaTek MT6795 (Helio X10) baseband source code</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
<br>
Looking there it seems we have layer 1 GSM/2G support for many more RF chips. The trick is to figure out what AP/SOC they are used in. For example the MediaTek-HelioX10 is a MT6795 which seems to use<br>
the MT6169 transciever chip (based on some other files in the sources). My ZTE Obsidian seems to use this same TRX chip (based on a MT6735 datasheet)<br>
<br>
<a href="http://www.datasheet4u.com/pdf/MT6735-pdf/925384" id="LPlnk690001" previewremoved="true">http://www.datasheet4u.com/pdf/MT6735-pdf/925384</a>
<div id="LPBorder_GT_14925756275890.12654338708785073" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925756275880.7966760834658138" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="TextCell_14925756275880.13785211959187138" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925756275880.7023348836921771"></div>
<div id="LPTitle_14925756275880.8283899659412328" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925756275890.4854715418988488" href="http://www.datasheet4u.com/pdf/MT6735-pdf/925384" target="_blank" style="text-decoration: none;">LTE Smartphone Application Processor Technical Brief</a></div>
<div id="LPMetadata_14925756275890.4342381183749108" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
www.datasheet4u.com</div>
<div id="LPDescription_14925756275890.5348082099360443" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
MediaTek MT6735 datasheet, MT6735 PDF, MT6735 download, MT6735 datasheet pdf, LTE Smartphone Application Processor Technical Brief</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
<br>
Comparing L1D_RF_PowerOn functions it seems the MT6252 might be the closest to the MT626x which are completely missing from<br>
this newer set of sources that are maybe a year or so newer than the MT626x sources I have.<br>
<br>
m12196.c:/*BRIGHT2*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*BRIGHT4*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*BRIGHT5P*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*AERO*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*AERO1+*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*RFMD*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*SKY74117*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*SKY74400*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6119*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6119C*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6129A*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6129B*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6129C*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6129D*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6139B*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6139C*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6139E*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6140A*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6140B*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6140C*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6140D*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*CMOSEDGE*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MTKSOC1T*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MTKSOC1*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6252RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6256RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6255RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6251RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*SKY74045*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*AERO2*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*SKY74137*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*GRF6201*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*IRFS3001*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*AD6548*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*AD6546*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6162*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6163*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6280RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6169*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6169*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6166*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6165*/ void L1D_RF_PowerOn( void )<br>
<br>
one set of MT626x sources is called 11CW1418SP4 and supports the following baseband chips. Probably MT626x has an integrated baseband?<br>
<br>
m12196.c:/*MT6129D*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6139E*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6140D*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MTKSOC1*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6252RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6261RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6260RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6250RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6256RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6255RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6251RF*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*AD6548*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*AD6546*/ void L1D_RF_PowerOn( void )<br>
m12196.c:/*MT6162*/ void L1D_RF_PowerOn( void )<br>
<br>
<br>
So I guess I need to look elsewhere in the sources to puzzle out my MT6735 ZTE Obsidian which would give me I think the cheapest/oldest chip that supports 4G/LTE:<br>
<br>
GSM, UMTS, GPRS, HSPA+, HSUPA, TD-SCDMA, EVDO, LTE Cat 4 (from <a href="https://en.wikipedia.org/wiki/MediaTek" id="LPlnk256930" previewremoved="true">
https://en.wikipedia.org/wiki/MediaTek</a>)
<div id="LPBorder_GT_14925756849170.837033758986963" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925756849140.8367047041405947" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="ImageCell_14925756849150.8728491682542023" colspan="1" style="width: 250px; position: relative; display: table-cell; padding-right: 20px;">
<div id="LPImageContainer_14925756849150.3071602937285278" style="background-color: rgb(255, 255, 255); height: 55px; position: relative; margin: auto; display: table; width: 220px;">
<a id="LPImageAnchor_14925756849150.9748814587448508" href="https://en.wikipedia.org/wiki/MediaTek" target="_blank" style="display: table-cell; text-align: center;"><img aria-label="Preview image with link selected. Double-tap to open the link." id="LPThumbnailImageID_14925756849150.8373168641496133" style="display: inline-block; max-width: 250px; max-height: 250px; height: 55px; width: 220px; border-width: 0px; vertical-align: bottom;" width="220" height="55" src="https://upload.wikimedia.org/wikipedia/en/thumb/2/2d/MediaTek_logo_as_shown_on_company_website.svg/220px-MediaTek_logo_as_shown_on_company_website.svg.png"></a></div>
</td>
<td id="TextCell_14925756849150.4583482896726926" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925756849150.8971619092319201"></div>
<div id="LPTitle_14925756849150.5615047228697504" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925756849160.9666930818237504" href="https://en.wikipedia.org/wiki/MediaTek" target="_blank" style="text-decoration: none;">MediaTek - Wikipedia</a></div>
<div id="LPMetadata_14925756849160.3882291352388543" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
en.wikipedia.org</div>
<div id="LPDescription_14925756849160.2564558144396757" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
MediaTek Inc. (Chinese: 聯發科技股份有限公司; pinyin: Liánfā Kējì Gǔfèn Yǒuxiàn Gōngsī) is a Taiwanese fabless semiconductor company that provides ...</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
<br>
-Craig<br>
<br>
p.s. here are some sources I used to research both github and "from the internet":<br>
<br>
<a href="http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git" id="LPlnk601595" previewremoved="true">http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git</a>
<div id="LPBorder_GT_14925756857970.888090132402774" style="margin-bottom: 20px; overflow: auto; width: 100%; text-indent: 0px;">
<table id="LPContainer_14925756857950.6285797899677068" role="presentation" cellspacing="0" style="width: 90%; background-color: rgb(255, 255, 255); position: relative; overflow: auto; padding-top: 20px; padding-bottom: 20px; margin-top: 20px; border-top-width: 1px; border-top-style: dotted; border-top-color: rgb(200, 200, 200); border-bottom-width: 1px; border-bottom-style: dotted; border-bottom-color: rgb(200, 200, 200);">
<tbody>
<tr valign="top" style="border-spacing: 0px;">
<td id="TextCell_14925756857960.949523359852579" colspan="2" style="vertical-align: top; position: relative; padding: 0px; display: table-cell;">
<div id="LPRemovePreviewContainer_14925756857960.5257256736610809"></div>
<div id="LPTitle_14925756857960.9001049325468427" style="top: 0px; color: rgb(0, 120, 215); font-weight: normal; font-size: 21px; font-family: wf_segoe-ui_light, 'Segoe UI Light', 'Segoe WP Light', 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; line-height: 21px;">
<a id="LPUrlAnchor_14925756857960.2741983181576533" href="http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git" target="_blank" style="text-decoration: none;">Tom Su / AP7350_MDK-kernel | GitLab</a></div>
<div id="LPMetadata_14925756857960.6630737053383758" style="margin: 10px 0px 16px; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 14px;">
git.huayusoft.com</div>
<div id="LPDescription_14925756857960.8838800375549837" style="display: block; color: rgb(102, 102, 102); font-weight: normal; font-family: wf_segoe-ui_normal, 'Segoe UI', 'Segoe WP', Tahoma, Arial, sans-serif; font-size: 14px; line-height: 20px; max-height: 100px; overflow: hidden;">
GitLab Community Edition ... AP7350_MDK-kernel. AP7350_MDK Android手机开发模块/开发板 kernel 以及 bootloader 代码。</div>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
<a href="https://github.com/akibsayyed/CELLTEL82_WET_KK_GPRS_HSPA_MOLY.WR8.W1315.MD.WG.MP.V35.git" id="LPlnk875362" previewremoved="true">https://github.com/akibsayyed/CELLTEL82_WET_KK_GPRS_HSPA_MOLY.WR8.W1315.MD.WG.MP.V35.git</a><br>
<a href="https://github.com/akibsayyed/HSPA_MOLY.WR8.W1449.MD.WG.MP.V16.git">https://github.com/akibsayyed/HSPA_MOLY.WR8.W1449.MD.WG.MP.V16.git</a><br>
<a href="https://github.com/zxp86021/MT6795.kernel.git">https://github.com/zxp86021/MT6795.kernel.git</a><br>
<br>
mt626x stuff:<br>
11CW1352MP_CENON61D_3232_11C_V2_GPRS_MMI<br>
11CW1418SP4_CORETEK02A_WIFI_BT_V13_GPRS_MMI<br>
MTK60D-11B1308-V2<br>
<br>
--------------------------------------------<br>
On Thu, 4/13/17, bruce lee <bbsoo7@live.com> wrote:<br>
<br>
Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing)<br>
To: "Craig Comstock" <craig_comstock@yahoo.com><br>
Date: Thursday, April 13, 2017, 11:40 AM<br>
<br>
<br>
<br>
<br>
<br>
<br>
check this out. it is modem firmwear source code<br>
<br>
<br>
<br>
and this guy's github<br>
<br>
<br>
<br>
<a href="https://github.com/luckasfb/Development_Documents">https://github.com/luckasfb/Development_Documents</a><br>
<br>
<br>
<br>
alots of good stuff.but do not have what am looking for.<br>
<br>
<br>
<br>
bruce.<br>
<br>
From: Craig Comstock<br>
<craig_comstock@yahoo.com><br>
<br>
Sent: Thursday, April 13, 2017 2:10:15 PM<br>
<br>
To: bruce lee<br>
<br>
Subject: Re: Fun with the MTK 6573 Baseband (Patching<br>
/ Replacing)<br>
<br>
<br>
<br>
<br>
Looking at some kernel<br>
sources I see a few things that look familiar to me from<br>
mt626x source. Grepping for RIL (radio interface layer)<br>
<br>
<br>
<br>
<a href="https://github.com/eagleeyetom/android_kernel_mtk_mt6572.git">https://github.com/eagleeyetom/android_kernel_mtk_mt6572.git</a><br>
<br>
<br>
<br>
<br>
<br>
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:<br>
#define RIL_SIZE 0x1600000<br>
<br>
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:<br>
#define RIL_SIZE 0x0A00000<br>
<br>
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:<br>
#define RIL_SIZE 0x1600000<br>
<br>
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define<br>
RIL_SIZE 0x100000 //for connsys memory<br>
<br>
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define<br>
MEM_PRELOADER_START (DRAM_PHY_ADDR)<br>
//placed mem in RIL 256KB<br>
<br>
./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define<br>
RESERVE_MEM_SIZE (RIL_SIZE)<br>
<br>
<br>
<br>
they mentioned infrasys and connsys near the RIL bits...<br>
<br>
<br>
<br>
craig@z500:~/android_kernel_mtk_mt6572/mediatek$ find |<br>
xargs grep -s infrasys<br>
<br>
./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/*<br>
infrasys AO */<br>
<br>
./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/*<br>
infrasys */<br>
<br>
./platform/mt6572/kernel/core/core.c: /* infrasys AO<br>
first half */<br>
<br>
./platform/mt6572/kernel/core/core.c: /* infrasys AO<br>
second half */<br>
<br>
./platform/mt6572/kernel/core/core.c: /* infrasys<br>
*/<br>
<br>
./platform/mt6572/lk/include/platform/mt_reg_base.h:/*<br>
infrasys AO */<br>
<br>
./platform/mt6572/lk/include/platform/mt_reg_base.h:/*<br>
infrasys */<br>
<br>
craig@z500:~/android_kernel_mtk_mt6572/mediatek$ vi<br>
platform/mt6572/kernel/core/core.c<br>
<br>
<br>
<br>
<br>
So... mt_reg_base.h looks a little familiar to mt626x<br>
stuff.<br>
<br>
<br>
<br>
There is also this:<br>
<br>
<br>
<br>
<a href="https://android.googlesource.com/kernel/mediatek/">https://android.googlesource.com/kernel/mediatek/</a><br>
<br>
<br>
<br>
and this:<br>
<br>
<br>
<br>
<a href="https://github.com/profglavcho/mt6735-kernel-3.10.61">https://github.com/profglavcho/mt6735-kernel-3.10.61</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
--------------------------------------------<br>
<br>
On Thu, 4/13/17, bruce lee <bbsoo7@live.com> wrote:<br>
<br>
<br>
<br>
Subject: Re: Fun with the MTK 6573 Baseband (Patching /<br>
Replacing)<br>
<br>
To: "baseband-devel@lists.osmocom.org"<br>
<baseband-devel@lists.osmocom.org>, "Craig<br>
Comstock" <craig_comstock@yahoo.com><br>
<br>
Date: Thursday, April 13, 2017, 1:49 AM<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
maybe it is easiest for developing on some boards<br>
<br>
which has UART port to look it boot up message.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
some mt6572 based boards one can find on China market.<br>
<br>
they event can share code with us if we buy it.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
it is android based. <br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
so should/can we make a osmocom-bb based BP for this<br>
<br>
android board? or other smartphone?<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
thanks<br>
<br>
RZ<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
From: Craig Comstock<br>
<br>
<craig_comstock@yahoo.com><br>
<br>
<br>
<br>
Sent: Thursday, April 13, 2017 3:21 AM<br>
<br>
<br>
<br>
To: baseband-devel@lists.osmocom.org; bruce lee<br>
<br>
<br>
<br>
Subject: Re: Fun with the MTK 6573 Baseband (Patching<br>
<br>
/ Replacing)<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
I<br>
<br>
don't have the files mentioned in that patch. They<br>
look<br>
<br>
very much like some part of an Android source code tree.<br>
So<br>
<br>
far I am working mostly not with Android at all... only<br>
<br>
osmocom-bb, nuttx, fernly and fernvale-nuttx.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
My work on the newer MT chip in the ZTE Obsidian is a<br>
ways<br>
<br>
down the road. One thing that was VERY encouraging is that<br>
I<br>
<br>
have tested the beginnings of interaction with it's<br>
<br>
bootloader (as in the fernly project)<br>
<br>
<br>
<br>
and it seems at least the initial MSG and ACK from the<br>
<br>
bootloader works the same as for fernly types of MT<br>
chips<br>
<br>
(6260/6261). So that might be a good starting point in<br>
terms<br>
<br>
of experimenting/fuzzing/???<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Maybe you could find a custom rom source tree and find<br>
those<br>
<br>
files that are being patched.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
In terms of participating in my project, I have a<br>
github<br>
<br>
repo and am primarily using the fernvale board I<br>
purchased<br>
<br>
from sysmocom as well as some mt6260/6261 based watches<br>
and<br>
<br>
the Seeed Studio RePhone.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
So I'd say go get one or more of those things and<br>
start<br>
<br>
hacking on fernly, fernvale-nuttx, osmocom-bb and<br>
nuttx-bb<br>
<br>
(combo of osmocom-bb and nuttx).<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
I don't work too hard on the project. This branch is<br>
my<br>
<br>
latest not-working work in progress:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<a href="https://github.com/craigcomstock/osmocom-bb/tree/feb-22-2017-mt62xx-wip">https://github.com/craigcomstock/osmocom-bb/tree/feb-22-2017-mt62xx-wip</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
craigcomstock/osmocom-bb<br>
<br>
<br>
<br>
github.com<br>
<br>
<br>
<br>
Contribute to osmocom-bb development by creating an<br>
account<br>
<br>
on GitHub.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
I have since changed my strategy and so this branch<br>
will<br>
<br>
likely rot. :( But it might give some indication of<br>
what<br>
<br>
I'm up to.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
-Craig<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
--------------------------------------------<br>
<br>
<br>
<br>
On Wed, 4/12/17, bruce lee <bbsoo7@live.com><br>
wrote:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Subject: Re: Fun with the MTK 6573 Baseband (Patching<br>
/<br>
<br>
Replacing)<br>
<br>
<br>
<br>
To: "Craig Comstock"<br>
<br>
<craig_comstock@yahoo.com>,<br>
<br>
"baseband-devel@lists.osmocom.org"<br>
<br>
<baseband-devel@lists.osmocom.org><br>
<br>
<br>
<br>
Date: Wednesday, April 12, 2017, 9:39 PM<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Craig,<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
do you have the files mentioned at<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<a href="https://github.com/shadowsim/shadowsim/blob/master/mdlogger.patch">https://github.com/shadowsim/shadowsim/blob/master/mdlogger.patch</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
and for your project, seem very interesting, and I<br>
<br>
would<br>
<br>
<br>
<br>
like to participate in.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
thanks<br>
<br>
<br>
<br>
RZ<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
From: Craig Comstock<br>
<br>
<br>
<br>
<craig_comstock@yahoo.com><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Sent: Tuesday, April 11, 2017 11:35 AM<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
To: baseband-devel@lists.osmocom.org; RootZero<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Subject: Re: Fun with the MTK 6573 Baseband (Patching<br>
<br>
<br>
<br>
/ Replacing)<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
My target was Mt6735 in a Zte Obsidian. I chose it<br>
for<br>
<br>
<br>
<br>
4g lte. I could root one and see if similar<br>
techniques<br>
<br>
work.<br>
<br>
<br>
<br>
My hope was to leverage leaked source for mt626x and<br>
hope<br>
<br>
to<br>
<br>
<br>
<br>
work my way up the chip models. I am currently<br>
working<br>
<br>
on<br>
<br>
<br>
<br>
porting osmocom-bb<br>
<br>
<br>
<br>
and nuttx-bb to fernvale/rephone/mt626x.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
On April 11, 2017<br>
<br>
<br>
<br>
4:39:46 AM CDT, RootZero <bbsoo7@live.com><br>
wrote:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Markus and all,<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
I am very interesting in this<br>
<br>
<br>
<br>
project/hack.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
can you share<br>
<br>
<br>
<br>
more information with US?<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
I<br>
<br>
<br>
<br>
searched lots web pages and do not find the source of<br>
<br>
<br>
<br>
mdlogger.cpp file.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
I do<br>
<br>
<br>
<br>
have the source code of "modem.img" if you<br>
<br>
want<br>
<br>
<br>
<br>
please let me know. <br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
thanks<br>
<br>
<br>
<br>
RootZero<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
--<br>
<br>
<br>
<br>
View this message in<br>
<br>
<br>
<br>
context: <br>
<br>
<a href="http://baseband-devel.722152.n3.nabble.com/Fun-with-the-MTK-6573-Baseband-Patching-Replacing-tp4026683p4026772.htmlbaseband-devel">http://baseband-devel.722152.n3.nabble.com/Fun-with-the-MTK-6573-Baseband-Patching-Replacing-tp4026683p4026772.htmlbaseband-devel</a><br>
<br>
<br>
<br>
- Fun with the MTK 6573 Baseband (Patching /<br>
<br>
<br>
<br>
Replacing)baseband-devel.722152.n3.nabble.comFun<br>
<br>
<br>
<br>
with the MTK 6573 Baseband (Patching / Replacing).<br>
<br>
<br>
<br>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,<br>
<br>
I'm<br>
<br>
<br>
<br>
Markus, a security researcher from Germany. I<br>
recently<br>
<br>
did<br>
<br>
<br>
<br>
some work on MTK<br>
<br>
<br>
<br>
6573...<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Sent from the baseband-devel<br>
<br>
<br>
<br>
mailing list archive at Nabble.com.Nabble<br>
<br>
<br>
<br>
• Free Forum • Embeddable Web<br>
Appsnabble.comEmbed<br>
<br>
<br>
<br>
into any Website. All Nabble apps are naturally<br>
<br>
embeddable,<br>
<br>
<br>
<br>
which means that they can be easily displayed inside<br>
any<br>
<br>
web<br>
<br>
<br>
<br>
page.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
-- <br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Sent from my Android device with K-9 Mail. Please<br>
excuse<br>
<br>
my<br>
<br>
<br>
<br>
brevity.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</div>
</span></font></div>
</div>
</div>
</div>
</body>
</html>