Hi Martin,
On Sat, Nov 26, 2011 at 02:03:50AM +0100, Martin Hinner wrote:
> This is my first experience with GSM phone reverse engineering, so sorry if I am wrong, but it seems to be quite difficult for me to obtain four Calypso-based phones (yes, I know I can order them from a webshop for a few euros, but I will need more of them if my experiments are successful).
> Currently, I do have some information (datasheet & code) for the MTK platform, and I see there is an implementation of a "secondary bootloader" for these phones, but no layer1 yet.
The question really is how many of them you need.
> On the other hand, I have access to very cheap phones using Infineon PMB7880 (C166 + DSP) or MTK (ARM9) chipsets.
Economically, the question is:
* what is the price of the required qty of Calypso based phones vs
* what is the amount of work needed for porting to MTK
Even under the most ideal circumstances, porting the L1 to any new baseband chip architecture is going to be a lot of work.
As "ideal circumstances" I count:
* detailed knowledge about not only the integrated peripherals of the DBB but also register-level documentation of the ABB
* detailed knowledge about the shared memory API between DSP-ROM and ARM CPU
* no cryptographic verification in the bootloader that needs to be broken
* a developer who has a very strong background in GSM L1 and cellphone hardware
* access to measurement devices for MS testing like the Racal 6103
Even under such circumstances, I would guess an effort of somewhere between 1 to 2 man-months full-time.
As the circumstances are never ideal, it will likely be more effort.
Some developers have already put quite a bit of effort into the MTK chipset side, and even though we don't have the register-level data sheets of all of the ABB chips and the DBB data sheets do not cover anything on the details of the DSP/ARM API interface, I think it is the most promising architecture.
> Is it feasible to create a layer1 implementation for Infineon and/or MTK? Is there anyone willing to help with this?
I think the big issue is availability. The people involved in OsmocomBB are working on a variety of other projects and protocol stacks (OsmocomGMR, OsmocomTETRA, osmo-bts, etc.)
So the big question is: How can you convince anyone from the existing team to contribute to a port to MTK? I think the fact that the code runs well on the Calypso based phones (which are still available, even in quantity) makes this a bit difficult, as there is no real gain.
People generally want to work on creating new functionality, rather than re-creating something that already exists...
> I will add that I have spent many, many nights disassembling car control units using the Infineon/Siemens C166 core (since 2002?), so the Infineon platform is very attractive for me (the flash is only 2MB for some phones, it's easy to read code, etc...).
On the other hand: C166 is a one-way road. No new baseband chipsets (even Infineon) use it anymore. You would need to port all the ARM-specific assembly bits in OsmocomBB to C166 code, etc.
MTK is a much more attractive target. More docs, more understanding, more existing code and ARM based.
Regards, Harald