MTK and Infineon-based phones

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

Martin Hinner martin at
Sat Nov 26 01:03:50 UTC 2011


  I spent a few hours today looking at CCC presentations and osmocom
code. Good and interesting work! I have a couple of questions...

  This is my first experience with GSM phones reverse engineering, so
sorry if I am wrong, but it seems to be quite difficult for me to
obtain four Calypso-based phones (yes, I know I can order them from
webshop for a few euros, but I will need more of them if my
experiments are successful). On the other hand, I have access to very
cheap phones using Infineon PMB7880 (C166 + DSP) or MTK (ARM9).

Currently, I do have some information (datasheet & code) for the MTK
platform, and I see there is an implementation of a "secondary bootloader"
for these phones, but no layer1 yet.

I also have very basic documentation of Infineon SoC, plus I have
knowledge of the C166 code and I can very easily play with it (reverse
engineer firmware & assemble my own code).

Is it feasible to create a layer1 implementation for Infineon and/or
MTK? Is there anyone willing to help with this?

Here are my additional questions related to the above question:

- Is there any documentation of mask-rom bootloader for Infineon C166 core?

- At this moment I do not understand how the DSP on the PMB7880
works, or whether the RF part is accessible from both the DSP and the
C166 or just the DSP.

- How is it with the Infineon DSP code, is it present in flash memory, or
is it a ROM-only thing? Does anyone have the code dump?

- Is anyone (who has experience with Calypso layer1) willing to help
with implementing the same on Infineon or MTK platform?

- If anyone has any resources for these two platforms, I would be
grateful if you can send them to me.

I will add that I have spent many many nights disassembling car
control units using Infineon/Siemens C166 core (since 2002?), so
Infineon platform is very attractive for me (the flash is only 2MB for
some phones, it's easy to read code, etc...).
