Hi Martin,
On Sat, Nov 26, 2011 at 02:03:50AM +0100, Martin Hinner wrote:
> This is my first experience with GSM phones reverse engineering, so
> sorry if I am wrong, but it seems to be quite difficult for me to
> obtain four Calypso-based phones (yes, I know I can order them from
> webshop for a few euros, but I will need more of them if my
> experiments are successful).
> Currently, I do have some information (datasheet&code) for MTK
> platform, and I see there is implementation of "secondary bootloader"
> for these phones, but no layer1 yet.
the question really is how many of them you need.
> On the other hand, I have access to very cheap phones using Infineon
> PMB7880 (C166 + DSP) or MTK (ARM9) chipsets.
Economically, the question is:
* what is the price of the required qty of calypso based phones
vs
* what is the amount of work needed for porting to MTK
Even under the most ideal circumstances, porting the L1 to any new
baseband chip architecture is going to be a lot of work.
As "ideal circumstances" I count
* detailed knowledge about not only the integrated peripherals of the
DBB but also register-level documentation of the ABB
* detailed knowledge about the shared memory API between DSP-ROM and
ARM CPU
* no cryptographic verification in bootloader that needs to be broken
* a developer who has very strong background on GSM L1 and cellphone
hardware
* access to measurement devices for MS testing like Racal 6103
Even under such circumstances, I would guess an effort of somewhere
between 1 to 2 man-months full-time.
As the circumstances are never ideal, it will likely be more effort.
Some developers have already put quite a bit of effort into the MTK
chipset side, and even though we don't have the register-level data
sheets of all of the ABB chips and the DBB data sheets do not cover
anything on the details of the DSP/ARM API interface, I think it is the
most promising architecture.
> Is it feasible to create layer1 implementation for Infineon and/or
> MTK? Is there anyone willing to help with this?
I think the big issue is availability. The people involved in OsmocomBB
are working on a variety of other projects and protocol stacks
(OsmocomGMR, OsmocomTETRA, osmo-bts, etc.)
So the big question is: How can you convince anyone from the existing
team to contribute to a port to MTK? I think the fact that the code
runs well on the Calypso based phones (which are still available even in
quantity) makes this a bit difficult, as there is no real gain.
People generally want to work on creating new functionality, rather than
re-creating something that already exists...
> I will add that I have spent many many nights disassembling car
> control units using Infineon/Siemens C166 core (since 2002?), so
> Infineon platform is very attractive for me (the flash is only 2MB for
> some phones, it's easy to read code, etc...).
On the other hand: C166 is a one-way road. No new baseband chipsets
(even infineon) use them anymore. You need to port all the arm-specific
assembly bits in OsmocomBB to the C166 code, etc.
MTK is a much more attractive target. More docs, more understanding,
more existing code and ARM based.
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org>
http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)