Hello everybody, last year I stumbled upon a PDF which describes all registers inside the Qualcomm MSM7200 series chipset. I now got a new mobile phone and remembered that document because I wanted to play a bit with my old one (HTC Magic/Sapphire/G2/Ion). I googled for a few hours now and found several documents from Qualcomm, but I just found a whole svn repository full of documentation [1].
Those Qualcomm chipsets are particularly interesting, because, due to Android, there already is a Linux kernel for the ARM11 core available. The missing part is a free implementation of the ARM9 baseband.
My next goal, as soon as I manage to solder cables to the JTAG pins covered in epoxy, is to get my own code running on the ARM9. I don't know how hard this will get, because this chipset has several security features like signature checking of code, fuse bits for security configuration etc., but I will give it a try. JTAG definitely is still activated, because several people developed a method to unbrick their phones in case they have a bad ARM11 bootloader. And even if there is no chance to get my own code running right away, I'm pretty certain that there is an exploitable buffer overflow somewhere, either inside the baseband itself or in the serial console command parser of the early bootloaders provided by the OEM (OEMSBL). Time will tell. I hope I've got something to show you at the 27C3.
My problem is that I don't have enough experience and knowledge about GSM yet to estimate whether all this documentation is sufficient to implement a real baseband software on this chipset. If it's not, I think it's pointless to invest several days/nights of work to get my own code running. Maybe somebody of you can have a quick look over the repository and the documents?
Thanks, Andy
My advice to you would be to nip this idea in the bud, so to speak. I have extensive knowledge of the Qualcomm platform. You will find that the low level radio stuff is handled at the DSP level, and there is some good layer 1, 2, 3 code that interfaces with the DSP. However, above this level code quality quickly goes south (making it very hard to work with).
On the Android devices, I suspect that Linux is running in user space under the L4 microkernel that now powers all Qualcomm devices. And the layer123 API will be inaccessible from Linux, which can only communicate to the legacy code through supplied APIs & L4 intraprocess communication.
Even if you could build from source, what you suggest would be a daunting task :-o
regards, Frank
Hi Frank,
On Mon, Dec 13, 2010 at 08:22:29AM +0100, Frank A. Stevenson wrote:
On the Android devices, I suspect that Linux is running in user space under the L4 microkernel that now powers all Qualcomm devices.
You are wrong. All Android smartphones (with the exception of some legacy ST-Ericsson devices) contain an independent ARM processor for the Baseband and Application side. The BP (in the QC case) runs L4 + AMSS (their stack), the AP runs Linux natively without any hypervisor.
On Mon, Dec 13, 2010 at 5:15 PM, Harald Welte laforge@gnumonks.org wrote:
You are wrong. All Android smartphones (with the exception of some legacy ST-Ericsson devices) contain an independent ARM processor for the Baseband and Application side. The BP (in the QC case) runs L4 + AMSS (their stack), the AP runs Linux natively without any hypervisor.
Why do they need L4 if they are running just one container with AMSS ? Is there something else running on BP in L4 apart from AMSS (some other OS or RT apps) ?
BR, Drasko
Hi Drasko,
On Mon, Dec 13, 2010 at 05:33:58PM +0100, Drasko DRASKOVIC wrote:
On Mon, Dec 13, 2010 at 5:15 PM, Harald Welte laforge@gnumonks.org wrote:
You are wrong. All Android smartphones (with the exception of some legacy ST-Ericsson devices) contain an independent ARM processor for the Baseband and Application side. The BP (in the QC case) runs L4 + AMSS (their stack), the AP runs Linux natively without any hypervisor.
Why do they need L4 if they are running just one container with AMSS ? Is there something else running on BP in L4 apart from AMSS (some other OS or RT apps) ?
Not in the smartphone (dual-core) designs like the MSM7200A or the Snapdragon.
Of course, there are feature phones which only have a single core, e.g. built around the MSM6275 or MSM6280, which then run BREW and various BREW applications on top of the same L4.
You can compare the baseband processor part in a smartphone more to the USB GSM/3G modem case: no UI and no application software on the BP.
Regards, Harald
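To make the "USB modem" analogy above concrete, here is an added example that is not part of the thread and not Qualcomm, HTC or Osmocom code: it models the application-processor side of the AP/BP split as a modem-style AT command channel. The assumptions are mine: that the AP reaches the baseband through a serial-like device (on HTC's MSM7200 Android phones the RIL talks AT over a shared-memory device, assumed here to be /dev/smd0), and the modem answers (`FAKE_MODEM_RESPONSES`) are constructed, not captured from a phone. The point it demonstrates is that from Linux you only ever see this command layer (+CREG, +CSQ, result codes), never Layer 1/2/3.

```python
"""Added example (not from the thread): the application-processor view of a
Qualcomm-style baseband as a modem-like AT command/response channel.
Assumption: a real Android/MSM7200 AP would open a character device such as
/dev/smd0; here a fake transport stands in so the code runs offline."""
import re

# Constructed sample transcript: what a baseband might answer to a few AT
# commands (3GPP TS 27.007 syntax). This is all the AP side gets to see.
FAKE_MODEM_RESPONSES = {
    "AT+CGMI": "\r\nQUALCOMM INCORPORATED\r\n\r\nOK\r\n",
    "AT+CREG?": "\r\n+CREG: 0,1\r\n\r\nOK\r\n",
    "AT+CSQ": "\r\n+CSQ: 17,99\r\n\r\nOK\r\n",
    "AT+CPIN?": "\r\n+CME ERROR: 10\r\n",   # CME 10 = SIM not inserted
}

FINAL_OK = "OK"
FINAL_ERR_RE = re.compile(r"^(ERROR|\+CM[ES] ERROR: .+)$")


class FakeSmdTransport:
    """Stands in for the serial device (assumed /dev/smd0) to the baseband."""

    def __init__(self, table):
        self.table = table
        self.log = []  # commands sent, kept for inspection

    def transact(self, cmd: str) -> str:
        self.log.append(cmd)
        # An unknown command gets a bare ERROR, as a real modem would answer.
        return self.table.get(cmd, "\r\nERROR\r\n")


def parse_at_response(raw: str):
    """Split a raw AT response into (info_lines, final_code, ok_flag).

    Information responses ('+XXX: ...' or plain text) precede exactly one
    final result code: OK, ERROR, +CME ERROR or +CMS ERROR."""
    lines = [l.strip() for l in raw.split("\r\n") if l.strip()]
    if not lines:
        raise ValueError("empty response")
    final = lines[-1]
    if final == FINAL_OK:
        return lines[:-1], final, True
    if FINAL_ERR_RE.match(final):
        return lines[:-1], final, False
    raise ValueError(f"no final result code in response: {raw!r}")


def query(transport, cmd: str):
    """Send one command and return a structured result."""
    info, final, ok = parse_at_response(transport.transact(cmd))
    return {"cmd": cmd, "info": info, "final": final, "ok": ok}


def registration_status(transport) -> int:
    """+CREG: <n>,<stat>; stat 1 = registered (home), 5 = roaming."""
    r = query(transport, "AT+CREG?")
    if not r["ok"]:
        raise RuntimeError(r["final"])
    m = re.match(r"\+CREG: (\d+),(\d+)", r["info"][0])
    return int(m.group(2))


def signal_quality(transport):
    """+CSQ: <rssi>,<ber>; rssi 0..31 maps to -113..-51 dBm, 99 = unknown."""
    r = query(transport, "AT+CSQ")
    if not r["ok"]:
        raise RuntimeError(r["final"])
    rssi, ber = map(int, re.match(r"\+CSQ: (\d+),(\d+)", r["info"][0]).groups())
    dbm = None if rssi == 99 else -113 + 2 * rssi
    return dbm, ber


if __name__ == "__main__":
    bp = FakeSmdTransport(FAKE_MODEM_RESPONSES)
    print(query(bp, "AT+CGMI"))
    print("registered:", registration_status(bp))
    print("signal (dBm, ber):", signal_quality(bp))
    print(query(bp, "AT+CPIN?"))   # error path: final code is +CME ERROR
```

Swapping `FakeSmdTransport` for a class that reads and writes a real serial device is the only change needed to talk to an actual modem; nothing about the baseband's internal L4/AMSS structure is reachable through this interface, which is exactly the limitation Frank and Harald describe.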
baseband-devel@lists.osmocom.org