Martin Hinner martin at
Sat Nov 26 01:03:50 UTC 2011


  I spent a few hours today looking at CCC presentations and osmocom
code. Good and interesting work! I have a couple of questions...

  This is my first experience with GSM phone reverse engineering, so
sorry if I am wrong, but it seems to be quite difficult for me to
obtain four Calypso-based phones (yes, I know I can order them from a
webshop for a few euros, but I will need more of them if my
experiments are successful). On the other hand, I have access to very
cheap phones using Infineon PMB7880 (C166 + DSP) or MTK (ARM9).

Currently, I do have some information (datasheet & code) for the MTK
platform, and I see there is an implementation of a "secondary bootloader"
for these phones, but no layer1 yet.

I also have very basic documentation of the Infineon SoC, plus I have
knowledge of the C166 code and I can very easily play with it (reverse
engineer the firmware & assemble my own code).

Is it feasible to create a layer1 implementation for Infineon and/or
MTK? Is there anyone willing to help with this?

Here are my additional questions related to the above question:

- Is there any documentation of the mask-ROM bootloader for the Infineon C166 core?

- At this moment I do not understand how the DSP on the PMB7880
works, or whether the RF part is accessible from both the DSP and the C166 or just the DSP.

- How is it with the Infineon DSP code: is it present in flash memory, or
is it a ROM-only thing? Does anyone have the code dump?

- Is anyone (who has experience with Calypso layer1) willing to help
with implementing the same on the Infineon or MTK platform?

- If anyone has any resources for these two platforms, I would be
grateful if you could send them to me.

I will add that I have spent many, many nights disassembling car
control units using the Infineon/Siemens C166 core (since 2002?), so
the Infineon platform is very attractive for me (the flash is only 2MB for
some phones, it's easy to read code, etc...).
