Liberated Calypso docs found

Michael Sokolov msokolov at ivan.Harhan.ORG
Mon Sep 26 13:34:48 CEST 2011

Hello Openmoko community,

I have come across a Chinese mobile phone forum containing a decent
quantity of leaked/liberated Calypso GSM chipset documents:

It's all in Chinese and seems to use some kind of credit system to
restrict how much one can download, but by plowing through it with
Google Chrome's built-in translator I have succeeded in downloading some
juicy files, a good bit more than the two files ti-calypso1.pdf and
ti-calypso2.pdf which have been in the Om community's hands for a long
time now.  The two well-known PDFs just mentioned only cover the Calypso
DBB chip itself, not Iota or Rita; the files I've managed to pull from
the Chinese forum include Iota (TWL3014) and Rita (TRF6151) documents,
as well as schematics for TI's Leonardo board.  The latter is a complete
implementation of a very classic Plain Phone based on the Calypso/Iota/
Rita chipset.

To make these files more accessible to the general community, I have
just put them up on my FTP server, courtesy of the Anarchist Software


Good old FTP, no need for registration, credits or understanding Chinese. :-)

However, the original Chinese forum site seems to have a lot more
goodies, but I haven't figured out how to work their credit system in order
to download them: the language/cultural barrier is too high for me. :-(

Has anyone else in the Om community come across that Chinese site?  Has
anyone else had any better luck with it?

I don't know about others, but from my viewpoint the GSM modem *is* the
phone.  When I first heard about the idea of a free / open source phone,
I thought it referred to the GSM cell interface part first and foremost.
Learning that only the "application processor" front-end has been made
free / open source while the actual phone (the GSM block) is still as
closed and proprietary as ever was quite disappointing.

What follows are my musings on the relative merits of a multi-chip
solution like Calypso/Iota/Rita originally designed for feature phones,
versus the kind of fully-monolithic GSM/UMTS modules which seem to be
favored by the "newer-than-GTA02" community.

When I came across the apparently-abandoned gta02-core project (it
*seems* to have been abandoned... anyone know more?), which was an
attempt to recreate the GTA02 schematics, BOM and PCB layout with only
minor modifications as a truly open community project, my first reaction
was "what are they going to do about the NDA-encumbered Calypso part?"
Then I looked at the gta02-core project's schematics and saw that the
entire GSM block has been replaced with the GE865 module from Telit.
I can only assume that Golden Delicious have done something similar with
their GTA04, except for choosing a different module that also supports

So let's look at the pros and cons of the two approaches.  On the one
hand, the Calypso/Iota/Rita approach chosen by the original Openmoko has
two major problems associated with it, one moral and one practical, and
neither of these problems appears when using something like the GE865.
So what are these two problems?

The moral problem:  Usually the entity that withholds technical
documentation and firmware source code from the Free World is some big
evil corporation.  We are used to that, it's nothing new.  The big evil
corporation withholding the docs and source code from us is NOT one of
us, that's the key point.  But with Openmoko/Calypso the situation is
different: the Openmoko company and its employees are supposed to be the
"good guys" here, people working hard to build and market a free phone.
Yet these "good guys" are effectively playing the role of the "bad guys"
when they voluntarily cooperate with TI in withholding the Calypso docs
and firmware source code from us, the community.

Yes, their cooperation with TI is voluntary in my eyes.  The NDA is no
excuse.  The possessors of those NDA-controlled materials were/are
perfectly within their power to leak the warez and use the NDA as toilet
paper.  If I had been in that position, that's what I would have done in
a heartbeat.  Wanna sue me from breaking your NDA?  Sure thing, look up
my domain name registration, see the P.O. Box address listed on there,
and sue that P.O. Box.  Good luck.

OK, enough on the moral problem, on to the practical one.  The general
FOSS community strategy in such matters is that if we can't free something
and we are forced to live with a proprietary black box, we sequester
that black box behind a well-defined interface to limit the damage.  At
first glance, that is exactly what the serial AT command interface to
the GSM block does.  However, there is an important but subtle difference
here between an off-the-shelf black box like the GE865 versus the "good
guys company" (Om) effectively making their own closed black box.

If you are using an off-the-shelf black box like GE865, you are using
the exact same black box that is presumably used by many many others.
Because the black box in question was presumably intended to be sold to
a large number of different users who are not under NDAs (because they
aren't digging in the insides of the box), there is a greater chance
that the maker of the black box has produced and released good
documentation for its external interface.  That indeed appears to be the
case with GE865, see:

(Note the picture of the chip with an IMEI printed on it: that's the
fundamental difference between these fully-self-contained chips versus
building-block chips like Calypso.  With Calypso/Iota/Rita, you are
effectively the one building the phone, you get to assign IMEI numbers,
and you have to be under a tight NDA to be allowed to play with such
toys.  With a chip like GE865, that chip basically *is* the phone, fully
made and self-contained, IMEI number and all, hence buying such a chip
is only a slight notch above buying a consumer phone.)

All closed-source black-box products contain quirks, misdesigns and
misfeatures virtually by definition.  But if that black box is a standard
off-the-shelf item that's used by a lot of people, there will quickly
develop a community of hackers who will discover these bugs, discuss
them amongst each other, find workarounds, etc.  Ditto for any projects
to reverse-engineer the box.

Now contrast with the Openmoko/Calypso situation.  If you were to buy a
chip/module like GE865 as a small-volume customer, nobody would bother
to write custom firmware for you, so your GSM black box would come with
the same firmware that's used by everyone else.  Hence the logic of the
previous paragraph applies, and there will be new FW images coming for a
long time etc.  But the situation is totally different with Om Calypso
firmware.  Om did not and in fact could not use unmodified firmware
images from TI: they had to modify the firmware code to operate as a
modem, a slave device to an external processor, rather than driving the
UI directly as in the standard "feature" phones the Calypso was designed

So now we have a problem: we are stuck using a firmware image that is
specific and unique to the highly boutique GTA0[12] phones, and the
little company that exclusively maintained the ability to modify this
code has gone bye-bye.  With the Om company gone / out of the phone
business, who can make new FW images with bugfixes?  No one.  An FW
update image for some more widespread Calypso-based phone would not
work.  (But that approach would have worked with a module like GE865:
even if you can't get updated FW yourself, look for others using the
same module and steal their FW updates.)  And what about documentation?
Where is the full detailed spec between for the interface between the
free and non-free parts of the GTA02?  Nowhere.  (A pointer to the
generic GSM docs like 07.05 and 07.07 doesn't count.)  See above for
the kind of external interface docs one can get for modules like GE865.

Does the above analysis mean that Om has painted us into a corner with
the Calypso?  Would using something like GE865 be better on all counts?
Should we pursue a project like gta02-core that would replace the whole
Calypso-based GSM block with a single GE865 chip?

Well, not so fast.  While the Calypso-based design is keeping us in the
"screwed" position in the immediate right-now, there is at least some
hope with it.  People *have* leaked a decent quantity of Calypso HW docs,
like those from the Chinese forum site which are now on my public FTP
site.  If someone could leak Om's customized version of the firmware
source (OK, mix of partial source + object/binary modules from TI is
what it probably was/is), that would be awesome, but unfortunately we
don't even know for sure if there is anyone at all left on Earth who
still possesses a copy of that, legal or not: did any of the Om employees
take a copy home when they were let go?  Even if someone has, s/he
probably won't admit to it. :-(

But perhaps someone has leaked a copy of the generic, non-Om-customized
Calypso firmware partial-source-package, the one that Om must have
received from TI as their starting point, same as all the other phone
makers.  If someone has leaked that and we (people like me who don't
care about legalities) can lay our hands on it, it shouldn't be too
difficult to replicate Om's modifications: remove the UI, keep the AT
command interface mostly as-is, add the power-off command, add the
interrupt generation, what else?

And then there is the OsmocomBB project:

It is basically a project to write a from-scratch reimplementation of
the Calypso firmware.  While I would much prefer to shortcut the process
by using a leaked TI source copy (even if it's only partial source like
they gave to most of their customers), if that can't be obtained, the
OsmocomBB reimplementation seems like a feasible fallback approach.  It
would be a massive project, for sure, and would take a long time.  But
at least it's feasible.

None of this would be possible with a fully-monolithic GSM module like
GE865 or whatever GPS/UMTS module is probably used in the GTA04, though.
These modules are total black boxes, especially if implemented in a
single chip like the Telit ones.  While the external interface to the
black box is documented quite well, there is nothing like the hardware
docs that have been leaked for the Calypso/Iota/Rita chipset.

Hence while we are "screwed" with the Calypso on the GTA02 in the
immediate right-now, there is a greater possibility of turning it into a
truly free phone (whether it happens via leaked TI firmware or via the
OsmocomBB project) than there would be with any of the newer monolithic
GSM/UMTS modules.

And then there is the practical side of things: the GTA02 hardware, like
it or not, already exists and is readily available.  The gta02-core
project which sought to replace the Calypso with GE865 appears to have
been abandoned well before completion.  Methinks that using the GTA02
as-is and living with its GSM chipset as-is, like it or not, is a heck
of a lot easier than trying to revive gta02-core, making a new PCB and
then running around trying to find all the parts to populate it.  As for
the GTA04, that hasn't reached general availability yet either.

But don't be surprised if some day GTA02 suddenly becomes a lot more
valuable than GTA04: it would be certainly be for me if hackable Calypso
firmware ever becomes a reality!  I would *so* love to disable E-OTD


More information about the community mailing list