baseband-devel April 2017

baseband-devel@lists.osmocom.org

12 participants
15 discussions

Start a nNew thread

Engagetted !

by Sébastien Lorquet

http://www.engadget.com/2010/12/29/researchers-eavesdrop-on-encrypted-gsm-c… Congrats!

8 months, 1 week

Calypso BTS

by phreaker1983

I tried to install CalypsoBTS have libosmocore installed, osmo-bts osmobsc, libosmo-netif, libosmo-abis, ortp, trx, libosmo-dsp everything went without errors, following the instructions I created: touch ~/.osmocom/open-bsc.cfg , then when you run : osmo-nitb -c ~/.osmocom/open-bsc.cfg-l ~/.osmocom/hlr.sqlite3-P-C --debug=DRLL:CC:MM:RR:RSL:NM shows me:<0005> bsc_init.c:498 Failed to parse the config file: '/root/.osmocom/open-bsc.cfg' file tried to create as administrator but without success , pleas help me -- View this message in context: http://baseband-devel.722152.n3.nabble.com/Calypso-BTS-tp4026753.html Sent from the baseband-devel mailing list archive at Nabble.com.

5 years, 7 months

OpenBTS OsmocomBB Asterisk

by trixbox.t

Hello! I Need Help I install these three programs OpenBTS, OsmocomBB, Asterisk Then run them, Everything works well OpenBTS sent an SMS to my phones I answered and he checked me I registered into OpenBTS a second phone I tried to transfer SMS between phones - all good but when I try to call from one to another I did not get Asterisk writes ================================================================ *CLI> Retransmission timeout reached on transmission 755803415(a)127.0.0.1 for seqno 179 (Critical Response) -- See wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions Packet timed out after 32001ms with no response ================================================================ Why? What do I do? -- View this message in context: http://baseband-devel.722152.n3.nabble.com/OpenBTS-OsmocomBB-Asterisk-tp402… Sent from the baseband-devel mailing list archive at Nabble.com.

6 years, 11 months

Osmocombb as a Zombie

by Duarte

Hey guys, first of all I want to express my deep respect for this project, this is truly amazing project and very well developed. Second, I'm doing a few studies regarding GSM security (no, I'm not hacking.) and I need to develop a feature for osmocombb, which is: the ability to turn the L23 app as a zombie (C unix domain socket) waiting for instructions (e.g.: connect to the network with predefined parameters (IMSI), collect RAND, send sms,...). Is there any documentation or flow regarding the code? It's very hard for a non C coder to follow the flow... Or is there someone that can help me in the Architectural level? Thank you.

8 years

Re: osmocom-bb moved to gerrit

by Vadim Yanitskiy

Hi, > The osmocom-bb git repository has now moved to gerrit. Great news! > There are no tests in osmocom-bb yet, but I wonder if it would be possible to add > simple jenkins job which checks that arm cross-compilation for osmocom-bb > succeeds as a patch check? I can take this task and try to write a Jenkins script. Also, we need to have cross-compiler installed on the build machines. With best regards, Vadim Yanitskiy.

8 years, 2 months

osmocom-bb moved to gerrit

by Neels Hofmeyr

The osmocom-bb git repository has now moved to gerrit. For patch submission to osmocom-bb, see https://osmocom.org/projects/cellular-infrastructure/wiki/Gerrit ~N

8 years, 2 months

osmocombb on qualcom android phones

by thayyil09 yil

8 years, 2 months

Re: gerrit for osmocom-bb

by Vadim Yanitskiy

Hi, > I'm not sure if it's just me or if I'm using it wrong but > I'm always annoyed when I have to login to gerrit ... +1 here, Gerrit login is (for now) a bit unfriendly. Even so, there are also some advantages to have OsmocomBB in Gerrit: - Jenkins builder: maintainers / reviewers don't need to manually check whether a new commit fails build or not. - I don't need to copy-paste the source code to leave a contextual comment or ask a question. - Doing 'git push gerrit ...' is simpler and faster for me, than 'git format-patch ...', 'git send-email ...'. So, I would be definitely happy to see OsmocomBB in Gerrit. With best regards, Vadim Yanitskiy.

8 years, 2 months

gerrit for osmocom-bb

by Max

Hi. I've just noticed that OsmocomBB is not on the list of projects at https://gerrit.osmocom.org/#/admin/projects/ Is this because nobody bothered adding it there yet or it's because maintainers do not find it suitable? If it's the latter than I'd love to see it added to streamline contributions and patch review process. -- Max Suraev <msuraev(a)sysmocom.de> http://www.sysmocom.de/ ======================================================================= * sysmocom - systems for mobile communications GmbH * Alt-Moabit 93 * 10559 Berlin, Germany * Sitz / Registered office: Berlin, HRB 134158 B * Geschaeftsfuehrer / Managing Director: Harald Welte

8 years, 2 months

Re: Fun with the MTK 6573 Baseband (Patching / Replacing)

by Craig Comstock

RootZero/bruce lee sent me this github with baseband sources very similar to what I already have for MT626x: https://github.com/zxp86021/MediaTek-HelioX10-Baseband Looking there it seems we have layer 1 GSM/2G support for many more RF chips. The trick is to figure out what AP/SOC they are used in. For example the MediaTek-HelioX10 is a MT6795 which seems to use the MT6169 transciever chip (based on some other files in the sources). My ZTE Obsidian seems to use this same TRX chip (based on a MT6735 datasheet) http://www.datasheet4u.com/pdf/MT6735-pdf/925384 Comparing L1D_RF_PowerOn functions it seems the MT6252 might be the closest to the MT626x which are completely missing from this newer set of sources that are maybe a year or so newer than the MT626x sources I have. m12196.c:/*BRIGHT2*/ void L1D_RF_PowerOn( void ) m12196.c:/*BRIGHT4*/ void L1D_RF_PowerOn( void ) m12196.c:/*BRIGHT5P*/ void L1D_RF_PowerOn( void ) m12196.c:/*AERO*/ void L1D_RF_PowerOn( void ) m12196.c:/*AERO1+*/ void L1D_RF_PowerOn( void ) m12196.c:/*RFMD*/ void L1D_RF_PowerOn( void ) m12196.c:/*SKY74117*/ void L1D_RF_PowerOn( void ) m12196.c:/*SKY74400*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6119*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6119C*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6129A*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6129B*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6129C*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6129D*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6139B*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6139C*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6139E*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6140A*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6140B*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6140C*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6140D*/ void L1D_RF_PowerOn( void ) m12196.c:/*CMOSEDGE*/ void L1D_RF_PowerOn( void ) m12196.c:/*MTKSOC1T*/ void L1D_RF_PowerOn( void ) m12196.c:/*MTKSOC1*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6252RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6256RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6255RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6251RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*SKY74045*/ void L1D_RF_PowerOn( void ) m12196.c:/*AERO2*/ void L1D_RF_PowerOn( void ) m12196.c:/*SKY74137*/ void L1D_RF_PowerOn( void ) m12196.c:/*GRF6201*/ void L1D_RF_PowerOn( void ) m12196.c:/*IRFS3001*/ void L1D_RF_PowerOn( void ) m12196.c:/*AD6548*/ void L1D_RF_PowerOn( void ) m12196.c:/*AD6546*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6162*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6163*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6280RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6169*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6169*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6166*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6165*/ void L1D_RF_PowerOn( void ) one set of MT626x sources is called 11CW1418SP4 and supports the following baseband chips. Probably MT626x has an integrated baseband? m12196.c:/*MT6129D*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6139E*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6140D*/ void L1D_RF_PowerOn( void ) m12196.c:/*MTKSOC1*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6252RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6261RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6260RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6250RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6256RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6255RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6251RF*/ void L1D_RF_PowerOn( void ) m12196.c:/*AD6548*/ void L1D_RF_PowerOn( void ) m12196.c:/*AD6546*/ void L1D_RF_PowerOn( void ) m12196.c:/*MT6162*/ void L1D_RF_PowerOn( void ) So I guess I need to look elsewhere in the sources to puzzle out my MT6735 ZTE Obsidian which would give me I think the cheapest/oldest chip that supports 4G/LTE: GSM, UMTS, GPRS, HSPA+, HSUPA, TD-SCDMA, EVDO, LTE Cat 4 (from https://en.wikipedia.org/wiki/MediaTek) -Craig p.s. here are some sources I used to research both github and "from the internet": http://git.huayusoft.com/tomsu/AP7350_MDK-kernel.git https://github.com/akibsayyed/CELLTEL82_WET_KK_GPRS_HSPA_MOLY.WR8.W1315.MD.… https://github.com/akibsayyed/HSPA_MOLY.WR8.W1449.MD.WG.MP.V16.git https://github.com/zxp86021/MT6795.kernel.git mt626x stuff: 11CW1352MP_CENON61D_3232_11C_V2_GPRS_MMI 11CW1418SP4_CORETEK02A_WIFI_BT_V13_GPRS_MMI MTK60D-11B1308-V2 -------------------------------------------- On Thu, 4/13/17, bruce lee <bbsoo7(a)live.com> wrote: Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing) To: "Craig Comstock" <craig_comstock(a)yahoo.com> Date: Thursday, April 13, 2017, 11:40 AM check this out. it is modem firmwear source code and this guy's github https://github.com/luckasfb/Development_Documents alots of good stuff.but do not have what am looking for. bruce. From: Craig Comstock <craig_comstock(a)yahoo.com> Sent: Thursday, April 13, 2017 2:10:15 PM To: bruce lee Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing) Looking at some kernel sources I see a few things that look familiar to me from mt626x source. Grepping for RIL (radio interface layer) https://github.com/eagleeyetom/android_kernel_mtk_mt6572.git ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h: #define RIL_SIZE 0x1600000 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h: #define RIL_SIZE 0x0A00000 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h: #define RIL_SIZE 0x1600000 ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define RIL_SIZE 0x100000 //for connsys memory ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define MEM_PRELOADER_START (DRAM_PHY_ADDR) //placed mem in RIL 256KB ./mediatek/platform/mt6572/lk/include/platform/mt_reg_base.h:#define RESERVE_MEM_SIZE (RIL_SIZE) they mentioned infrasys and connsys near the RIL bits... craig@z500:~/android_kernel_mtk_mt6572/mediatek$ find | xargs grep -s infrasys ./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/* infrasys AO */ ./platform/mt6572/kernel/core/include/mach/mt_reg_base.h:/* infrasys */ ./platform/mt6572/kernel/core/core.c: /* infrasys AO first half */ ./platform/mt6572/kernel/core/core.c: /* infrasys AO second half */ ./platform/mt6572/kernel/core/core.c: /* infrasys */ ./platform/mt6572/lk/include/platform/mt_reg_base.h:/* infrasys AO */ ./platform/mt6572/lk/include/platform/mt_reg_base.h:/* infrasys */ craig@z500:~/android_kernel_mtk_mt6572/mediatek$ vi platform/mt6572/kernel/core/core.c So... mt_reg_base.h looks a little familiar to mt626x stuff. There is also this: https://android.googlesource.com/kernel/mediatek/ and this: https://github.com/profglavcho/mt6735-kernel-3.10.61 -------------------------------------------- On Thu, 4/13/17, bruce lee <bbsoo7(a)live.com> wrote: Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing) To: "baseband-devel(a)lists.osmocom.org" <baseband-devel(a)lists.osmocom.org>, "Craig Comstock" <craig_comstock(a)yahoo.com> Date: Thursday, April 13, 2017, 1:49 AM maybe it is easiest for developing on some boards which has UART port to look it boot up message. some mt6572 based boards one can find on China market. they event can share code with us if we buy it. it is android based. so should/can we make a osmocom-bb based BP for this android board? or other smartphone? thanks RZ From: Craig Comstock <craig_comstock(a)yahoo.com> Sent: Thursday, April 13, 2017 3:21 AM To: baseband-devel(a)lists.osmocom.org; bruce lee Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing) I don't have the files mentioned in that patch. They look very much like some part of an Android source code tree. So far I am working mostly not with Android at all... only osmocom-bb, nuttx, fernly and fernvale-nuttx. My work on the newer MT chip in the ZTE Obsidian is a ways down the road. One thing that was VERY encouraging is that I have tested the beginnings of interaction with it's bootloader (as in the fernly project) and it seems at least the initial MSG and ACK from the bootloader works the same as for fernly types of MT chips (6260/6261). So that might be a good starting point in terms of experimenting/fuzzing/??? Maybe you could find a custom rom source tree and find those files that are being patched. In terms of participating in my project, I have a github repo and am primarily using the fernvale board I purchased from sysmocom as well as some mt6260/6261 based watches and the Seeed Studio RePhone. So I'd say go get one or more of those things and start hacking on fernly, fernvale-nuttx, osmocom-bb and nuttx-bb (combo of osmocom-bb and nuttx). I don't work too hard on the project. This branch is my latest not-working work in progress: https://github.com/craigcomstock/osmocom-bb/tree/feb-22-2017-mt62xx-wip craigcomstock/osmocom-bb github.com Contribute to osmocom-bb development by creating an account on GitHub. I have since changed my strategy and so this branch will likely rot. :( But it might give some indication of what I'm up to. -Craig -------------------------------------------- On Wed, 4/12/17, bruce lee <bbsoo7(a)live.com> wrote: Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing) To: "Craig Comstock" <craig_comstock(a)yahoo.com>, "baseband-devel(a)lists.osmocom.org" <baseband-devel(a)lists.osmocom.org> Date: Wednesday, April 12, 2017, 9:39 PM Craig, do you have the files mentioned at https://github.com/shadowsim/shadowsim/blob/master/mdlogger.patch and for your project, seem very interesting, and I would like to participate in. thanks RZ From: Craig Comstock <craig_comstock(a)yahoo.com> Sent: Tuesday, April 11, 2017 11:35 AM To: baseband-devel(a)lists.osmocom.org; RootZero Subject: Re: Fun with the MTK 6573 Baseband (Patching / Replacing) My target was Mt6735 in a Zte Obsidian. I chose it for 4g lte. I could root one and see if similar techniques work. My hope was to leverage leaked source for mt626x and hope to work my way up the chip models. I am currently working on porting osmocom-bb and nuttx-bb to fernvale/rephone/mt626x. On April 11, 2017 4:39:46 AM CDT, RootZero <bbsoo7(a)live.com> wrote: Markus and all, I am very interesting in this project/hack. can you share more information with US? I searched lots web pages and do not find the source of mdlogger.cpp file. I do have the source code of "modem.img" if you want please let me know. thanks RootZero -- View this message in context: http://baseband-devel.722152.n3.nabble.com/Fun-with-the-MTK-6573-Baseband-P… - Fun with the MTK 6573 Baseband (Patching / Replacing)baseband-devel.722152.n3.nabble.comFun with the MTK 6573 Baseband (Patching / Replacing). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm Markus, a security researcher from Germany. I recently did some work on MTK 6573... Sent from the baseband-devel mailing list archive at Nabble.com.Nabble • Free Forum • Embeddable Web Appsnabble.comEmbed into any Website. All Nabble apps are naturally embeddable, which means that they can be easily displayed inside any web page. -- Sent from my Android device with K-9 Mail. Please excuse my brevity.

8 years, 2 months

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

baseband-devel April 2017