Hi all!
In case you're interested, there seems to be a public project on code.google.com that contains the build environment and baseband firmware sdk from mediatek:
svn checkout http://mobile-phone-mtk-project.googlecode.com/svn mtk-project
Please note that I don't know about the legality of this. However, it is distributed on a public server/service without any kind of authentication...
Regards, Harald
On Mon, Apr 12, 2010 at 02:52:47PM +0200, Harald Welte wrote:
In case you're interested, there seems to be a public project on code.google.com that contains the build environment and baseband firmware sdk from mediatek:
... which gets me to the next question: Does anyone know a phone based on the MT6223 chipset? We'd be looking for a phone that has this chipset, and for which we can find both the phone (ebay, ...) and schematics somewhere...
thanks in advance!
Hi, it seems that the nokia express music 5610 (in the forum they say "nokia exper muzic 5610") uses this kind of chipset (mt6226) and from the source the mt6227 is the same(?) and when I search for that I get many results.
bjoern
-----Ursprüngliche Nachricht----- Von: baseband-devel-bounces@lists.osmocom.org [mailto:baseband-devel-bounces@lists.osmocom.org] Im Auftrag von Harald Welte Gesendet: Montag, 12. April 2010 16:01 An: baseband-devel@lists.osmocom.org Betreff: Re: public project with MTK baseband firmware project
On Mon, Apr 12, 2010 at 02:52:47PM +0200, Harald Welte wrote:
In case you're interested, there seems to be a public project on code.google.com that contains the build environment and baseband firmware sdk from mediatek:
... which gets me to the next question: Does anyone know a phone based on the MT6223 chipset? We'd be looking for a phone that has this chipset, and for which we can find both the phone (ebay, ...) and schematics somewhere...
thanks in advance!
Hi,
Riemer, Bjoern wrote:
it seems that the nokia express music 5610
The MTK chipset is used in clones of this phone, the genuine Nokia xpress music 5610 seems to use some custom DBB:
http://www.phonescoop.com/phones/fcc_query.php?gc=QTK&pc=RM-279
Regards, Steve
Ok. I only did a quick search on google.. But this phone uses the mt6223 chipset: "lenovo 688" It is quite ugly with hello kitty design but has a big screen and is available on ebay.
Bjoern
-----Ursprüngliche Nachricht----- Von: Steve Markgraf [mailto:steve@steve-m.de] Gesendet: Montag, 12. April 2010 18:12 An: Riemer, Bjoern Cc: Harald Welte; baseband-devel@lists.osmocom.org Betreff: Re: public project with MTK baseband firmware project
Hi,
Riemer, Bjoern wrote:
it seems that the nokia express music 5610
The MTK chipset is used in clones of this phone, the genuine Nokia xpress music 5610 seems to use some custom DBB:
http://www.phonescoop.com/phones/fcc_query.php?gc=QTK&pc=RM-279
Regards, Steve
Would be funny to get in the news with "hacking a hello kitty phone"
2010/4/12 Riemer, Bjoern bjoern.riemer@fokus.fraunhofer.de:
Ok. I only did a quick search on google.. But this phone uses the mt6223 chipset: "lenovo 688" It is quite ugly with hello kitty design but has a big screen and is available on ebay.
Bjoern
-----Ursprüngliche Nachricht----- Von: Steve Markgraf [mailto:steve@steve-m.de] Gesendet: Montag, 12. April 2010 18:12 An: Riemer, Bjoern Cc: Harald Welte; baseband-devel@lists.osmocom.org Betreff: Re: public project with MTK baseband firmware project
Hi,
Riemer, Bjoern wrote:
> it seems that the nokia express music 5610
The MTK chipset is used in clones of this phone, the genuine Nokia xpress music 5610 seems to use some custom DBB:
http://www.phonescoop.com/phones/fcc_query.php?gc=QTK&pc=RM-279
Regards, Steve
Hi,all Most phones made in china are using MTK platform.MTK platform is very cheap and highly integrated! You can download more data or tools here: * ftp://study-bbs.com:study-bbs0304@220.113.15.15* Directory names and file names are in chinese,but most datasheets are in english. I'll give you some hints for understanding these chinese words. At the home directory of this ftp account,it may looks like this:
/ PADS2007视频教程光盘及试用版 //A video tutorial of a PCB design software max //unknown(maybe related to WinCE) 创易电子资料 //unknown 华禹-下载说明.txt //the same as "readme.txt" 实用单片机系统 //something about SCM 旋风001手机模块 //plese entering this directory!MTK related! A MTK develop board 飓风2440 //A PDA develop board(No GSM support,only wifi)
/旋风001手机模块 directory may looks like: 0.产品特色文档 //product introduction(in chinese) 1.工具类 //develop tools 2.源码类 //source code 3.C语言开发及芯片文档 //development documentation in c,datasheet (MTK platform),Maybe usefull 4.硬件资源文档 //hardware information(about an develop board,not the MTK platform) 5.复合类资料 //other document 6.用户发布资料 //user contributed documents 7.其他 //others(maybe have nothing to do with this project) huayu0001_手机PDA交流群资料导航及下载说明.txt //readme(in chinese) huayu0002_最新更新说明.txt //changelog(in chinese) huayu0003客户常见问题.pdf //faqs(in chinese) huayu506_C语言开发相关问题解答(不断更新中).txt //faqs for c program(in chinese) huayu507_java开发相关问题解答(不断更新中).txt //faqs for java program(in chinese) readme.txt //readme(like an advertisement)
Harald, I will try to support the MTK fact and phone finding effort a bit. Since I am currently in Shenzhen I walked down to the street and bought 3 books with MTK schematics. The stuff is probably online already somewhere but I will try to find phones that have matching model numbers to the ones we have schematics for. Those 3 books will be scanned and I will put them up on a server as PDF files. Maybe I go buy another set of books tomorrow and mail them to you in Berlin, just in case (they sell for the price of paper here, ca. 2.50 USD per copy. The data in them is essentially in the public domain in China, many 'publishing houses' (=copy shops) publishing them).
At first glance, in the schematics books I bought today I saw the following 6223/6225 phones:
--- MT6225: CECT Y200 CECT C3000 (I found a CECT C3100 for only 20 USD, not sure how it differs from C3000) HanTai HT5858 ZhenHua Z898 ZhenHua K888+ (note: many other brands make phones named "K888") (newer ZhenHua seem to be using 6226, would that also work?) BoDao H580
--- MT6223: SanKe K38
Hi Wolfgang,
On Tue, Apr 13, 2010 at 12:40:39PM +0000, Wolfgang Spraul wrote:
I will try to support the MTK fact and phone finding effort a bit.
thanks a lot for your feedback and input.
Since I am currently in Shenzhen I walked down to the street and bought 3 books with MTK schematics. The stuff is probably online already somewhere but I will try to find phones that have matching model numbers to the ones we have schematics for.
You can find the MTK reference schematics easily online - but not the various actual products that Chinese manufacturers build based on them. So those books are probably a really good idea.
Next steps for me: Scan the schematics stuff and put it online. Find some 6223/6225 based phones that are cheap & suitable for hacking, i.e. ideally with some nice test points or JTAG.
yes, JTAG would be incredibly cool. I really don't understand why the study-bbs.com P1302 and P1300 are sold as development platform and then don't provide JTAG access. The same company even sells ARM JTAG adapters :/
Other common MTK chips are 6205, 6217, 6218, 6219, 6226, 6228.
Yes, I'm aware of them, they all seem to be more or less the same.. but since we have seen leaked versions of the 6223 and 6225 SDK, we should start with them to have a 'known good' setup.
One word of caution - the above lists, and documentation we start digging up, may give a false impression of predictability. In reality the brand names and model numbers are a total mess in China. Typos everywhere. All sorts of things are printed on cases & boxes, chips are changed without anybody noticing or caring. There are endless smaller Chinese brands making phones with 6223 or 6225 chips, but I think it will be very hard to use them as a stable source, to get phones with the same chips over time. So I think it's better to focus on the somewhat bigger Chinese brands as listed above.
I completely agree.
Thanks again, Harald
hi,harald as you mentioned above,these develop boards have no jtag.because of they are just use for user application develop,not for baseband.i'm sorry for that!maybe we can find something usefull from the datasheet. this mail is send from my phone,and my input method doesn't support uppercases :)
2010/4/13, Harald Welte laforge@gnumonks.org:
Hi Wolfgang,
On Tue, Apr 13, 2010 at 12:40:39PM +0000, Wolfgang Spraul wrote:
I will try to support the MTK fact and phone finding effort a bit.
thanks a lot for your feedback and input.
Since I am currently in Shenzhen I walked down to the street and bought 3 books with MTK schematics. The stuff is probably online already somewhere but I will try to find phones that have matching model numbers to the ones we have schematics for.
You can find the MTK reference schematics easily online - but not the various actual products that Chinese manufacturers build based on them. So those books are probably a really good idea.
Next steps for me: Scan the schematics stuff and put it online. Find some 6223/6225 based phones that are cheap & suitable for hacking, i.e. ideally with some nice test points or JTAG.
yes, JTAG would be incredibly cool. I really don't understand why the study-bbs.com P1302 and P1300 are sold as development platform and then don't provide JTAG access. The same company even sells ARM JTAG adapters :/
Other common MTK chips are 6205, 6217, 6218, 6219, 6226, 6228.
Yes, I'm aware of them, they all seem to be more or less the same.. but since we have seen leaked versions of the 6223 and 6225 SDK, we should start with them to have a 'known good' setup.
One word of caution - the above lists, and documentation we start digging up, may give a false impression of predictability. In reality the brand names and model numbers are a total mess in China. Typos everywhere. All sorts of things are printed on cases & boxes, chips are changed without anybody noticing or caring. There are endless smaller Chinese brands making phones with 6223 or 6225 chips, but I think it will be very hard to use them as a stable source, to get phones with the same chips over time. So I think it's better to focus on the somewhat bigger Chinese brands as listed above.
I completely agree.
Thanks again, Harald --
- Harald Welte laforge@gnumonks.org http://laforge.gnumonks.org/
============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)
Hi Wenhui Liu,
On Wed, Apr 14, 2010 at 11:54:21AM +0800, Wenhui Liu wrote:
as you mentioned above,these develop boards have no jtag.because of they are just use for user application develop,not for baseband.i'm sorry for that!
Well, the P1300 and P1302 are based on MT6225, a single-processor baseband design. The vendor provides a version of the MTK SDK exactly for the purpose of adding custom code to the baseband processor of those units.
And JTAG is very useful for any kind of development. Even if you do not touch the GSM stack and only do application development, it is still useful for those developers to be able to trace through their code...
Regards, Harald
Harald,
On Tue, Apr 13, 2010 at 05:26:20PM +0200, Harald Welte wrote:
You can find the MTK reference schematics easily online - but not the various actual products that Chinese manufacturers build based on them. So those books are probably a really good idea.
oh well, your suspicion was correct. The schematics I could find were all MTK reference schematics, not referring to specific phone models. The reason seems to be that there is only a small market for MTK phone repairs, most repair shops focus on phones that cost 150 USD and more. The typical MTK phone costs 20-80 USD so even in China not much efforts are made to repair them. The scans I have are 300 dpi, some details are not visible. I will do this in better quality once I find more valuable data.
http://downloads.qi-hardware.com/hardware/hacking/phones/mtk-schematics-1.pd... http://downloads.qi-hardware.com/hardware/hacking/phones/mtk-schematics-2.pd... http://downloads.qi-hardware.com/hardware/hacking/phones/mtk-schematics-3.pd... (I doubt any of this is new compared to what we already have on the other servers pointed out, but I didn't check what is there yet...)
I went ahead and bought 5 different MTK phones:
1) QQ phone (looks like a penguin), ca. 60 USD, MT6225A, MT6188C, MT6318A, MT6601T 2) DaXian X968, ca. 35 USD, MT6223DA, SuperPix SP5369, can't identify (0943 11B, S, LRS18C8G) 3) JinPeng S3566, ca. 35 USD, MT6225A, MT6139BN, MT6318A, MT6601T 4) JinPeng S6811, ca 35 USD, MT6223DA, MT6139BN, SKY77518-21 5) CECT C3100, ca 20 USD, MT6223CA, MT6139BN, RDA6212+
The standard set of 5 test points I seem to find on all MTK phones are PWRKEY, RX, TX, GND and VBAT. Beyond that test points are rare. The CECT C3100 had a few small ones right next to the CPU (but under a soldered shielding case). Might be something interesting but not sure yet. I will continue to investigate the C3100, Wolfgang
Hi all,
On Mon, Apr 19, 2010 at 07:21:40AM +0000, Wolfgang Spraul wrote:
- CECT C3100, ca 20 USD, MT6223CA, MT6139BN, RDA6212+
The standard set of 5 test points I seem to find on all MTK phones are PWRKEY, RX, TX, GND and VBAT. Beyond that test points are rare. The CECT C3100 had a few small ones right next to the CPU (but under a soldered shielding case). Might be something interesting but not sure yet.
I've used the PCB layers to trace the JTAG wires. They should be assigned as indicated in the picture at http://en.qi-hardware.com/wiki/File:C3100_testpads_jtag.png
The "RTCK" is a bit strange, it is the 'return jtag clock', i.e. you get back the clock that you send to TCK.
I haven't tested any of those yet, but maybe at some point during the next weeks...
Happy hacking, Harald
Harald Welte wrote:
The "RTCK" is a bit strange, it is the 'return jtag clock', i.e. you get back the clock that you send to TCK.
It's not so strange -- RTCK can be used to let the target generate the JTAG clock. This way you can debug targets which reduce their clock in power saving states more easily.
baseband-devel@lists.osmocom.org
-
Harald Welte -
Lubomir Schmidt -
Riemer, Bjoern -
Steve Markgraf -
Thomas Kindler -
Wenhui Liu -
Wolfgang Spraul