community Digest, Vol 254, Issue 2

Michael Sokolov msokolov at ivan.Harhan.ORG
Wed Sep 28 21:37:00 CEST 2011

openmoko at (Christoph Pulster) wrote:

> is there any geek out there who can extract from the secret GSM chipset  
> documents on the Chinese site, if there is any "hidden backdoor channel"  
> (for governmental purposes e.g.) ? or any other strange "secret" GSM  
> modem commands ?

If such a secret backdoor exists, it would be in the DBB firmware, not
hardware.  When it comes to the strictly-hardware pieces of the Calypso
GSM chipset (DBB hardware, the ABB chip and the RF chips), I have already
succeeded in locating (on the Chinese 52RD forum) what appears to be
100% of the HW documentation set that was given to phone makers such as
FIC/Om.  The only part that isn't documented are the inner workings of
the DSP block inside the DBB, but in my opinion that part is too
low-level to have been an effective place for TI to hide a backdoor.

As far as we know, TI had never shared the workings of their DSP with
their customers, instead they were expected to use TI's Layer1 code
which runs on the ARM7 in the DBB and talks to the DSP part.

If anyone would like to look at these Calypso HW docs for themselves, it
is no longer necessary to endure the pain of plowing through the 52RD
forum in Chinese: all of these docs I have found can now be downloaded
much more conveniently from my FTP site:


Download those documents (a good bit more than the two PDFs ti-calypso1.pdf
and ti-calypso2.pdf which have been widely circulated previously), look
at them and decide for yourself whether or not a backdoor could plausibly
hide in the hardware layers, below the firmware - I personally don't
think so.

The DBB firmware is an entirely different story though: it would
definitely be the place to put in backdoors and whatnot.  It is my
belief based on logical reasoning that TI must have provided at least a
partial source package to their major customers like Motorola, Nokia,
etc (just happens to include FIC/Om as well).  On simple feature phones
without an application processor the Calypso controls the UI, and the
makers of these feature phones had most certainly tweaked the UI to add
their own flavor.

The HW docs on my FTP site include full hardware schematics (5 sheets,
of which 2 are decorative, i.e., the "meat" of the circuit is fully
covered by just 3 schematic sheets) for a reference design called
Leonardo.  Two versions of it in fact: the original Leonardo which
supported 900 & 1800 MHz bands, and Leonardo+ which supports all 4 bands.
The only difference is in the passive RF front-end chip (aka the antenna
switch); the Rita chip TRF6151 appears to have always supported all 4
bands from the start!  (The implication is that the little passive RF
chip is all that keeps GTA02 from supporting all 4 bands as well!)

The Leonardo board for which we-the-People now possess the full HW
schematics is nothing less than a 100% functional basic phone: LCD with
a backlight, classic phone keypad (10 digits plus * and #, call and
hang-up buttons, 4 UI navigation buttons, power button overlaid on the
end call button like in many classic phones) with a backlight, speaker
and microphone, vibracall, battery, old-fashioned combined jack for
charger/headset/data: the whole enchilada.  Anyone making a basic phone
simply had to take that board, make some very slight modifications to it
(the Leonardo board has just one speaker, so I guess one needs to
separate the earpiece from the loudspeaker or use a piezo buzzer instead
of the latter to play the ringing alert: Calypso has a special output to
drive the latter kind), slap it into a plastic case, and voila, you've
built a cellphone!

It only stands to reason that all those customers who had received the
Leonardo board from TI along with the docs for all of the chips on that
board (which are also on my FTP site) must have also received a copy of
the firmware driving that board.  While the rumors are that most of the
low-level guts of that firmware came as binary blobs (which I reason to
have been ARM ELF .o files), at least the superficial layers must have
arrived in source form: the customers must have had the ability to
differentiate their UI (I reason that TI's starting code had some basic
UI in it already to exercise the LCD and keypad on the Leonardo board),
and one also needs to modify the source slightly to accommodate product
differences such as single, dual, triple or quad GSM band.

Hence one of the holy grails I'm searching for is a copy of the intended-
for-customization fw package that came with the Leonardo board, however
much of it may be in the form of ARM ELF .o modules.  I can only reason
that this package must have been Om's starting point, exactly the same
as Motorola, Nokia etc.

I'm still plowing through the 52RD forum, hoping to find the magic package
there.  But I haven't found it yet, so I'm starting to worry that it may
not be there, unless I've been looking in the wrong part of the forum.
I don't understand why though: whoever it was that leaked the HW docs
(Leonardo schematics and specs/datasheets for the Calypso/Iota/Rita
chips) naturally ought to have been in possession of the firmware as
well: the two ought to go together.  Same NDA, same copyright issues,
same everything.  So why leak one but not the other?  That's why I still
hold out hope that it may be in a different part of the forum.  But if
it isn't there, we are screwed big time: OsmocomBB seems to be a loooong
way away from practical usability.

Then there is the saga of the TSM30.  Unfortunately I'm a latecomer to
the entire free-your-phone arena: I only started looking into it in June
of this year, just a few months ago.  So I don't know a lot of the
history which many of you have probably lived through.  I have read in
the OsmocomBB project's wiki notes that there used to be a Spanish phone
called TSM30, Calypso-based, and someone had apparently leaked a copy of
the complete source for its firmware.  (From what I've heard it was real
source, not .o files, but I could be wrong.)  The lore says that for
quite some time (years maybe?) the booty was lying on SourceForge and
other readily accessible websites, free for anyone to download.  But it
isn't on SF any more as far as I could tell, and I wasn't able to find
it anywhere else either.

I am in a disadvantaged position because I have come to the party late.
Is there *anyone* here who has managed to download that TSM30 source
from SourceForge before it got pulled?  If there is that someone, how
can I convince you to share it with me?  You wouldn't be breaking any
NDAs, just forwarding a file downloaded from SourceForge.  If you want
something in return, just tell me what and I'll see if that's possible:
I'll give just about anything for a copy of that source.

(Please note though that this email account from which I'm posting is
hosted on a 30-year-old VAX.  It can't receive any mail larger than about
100 KiB or so.  But I can give you my gmail address, or there is
YouSendIt etc.)

> NDA is no matter of ethics or political ideology, but a legal one.

Legal according to whose laws?  Just create your own nation and make
your own laws:

> Feel free to break a NDA, but accept to get fucked from company lawyers.

Would you care to explain how?  Even if I were to ever get sued (which
is *very* unlikely to happen as it costs real money to sue someone, and
because I have nothing but my chains, there is absolutely nothing they
would ever be able to collect from me), here is how the process would go:

Step 1: I check my P.O. box once in a blue moon, and find some court
papers there.

Step 2: I take those court papers out of my P.O. box and stick them in
the paper recycle bin that has been conveniently placed right next to it.

Step 3: End of the story. :-)

But none of that is relevant to the present case anyway: I don't have an
NDA to break in this case; we can guess that someone must have broken an
NDA somewhere in order for the hardware docs to have appeared on,
but we don't know who it was and don't need to know that either.
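The message above reasons that the low-level guts of the Leonardo firmware package may have been delivered as ARM ELF .o modules rather than source.  The following is an added example, not code from the post or from the Calypso/OsmocomBB projects: a small Python scanner that walks an arbitrary byte buffer, finds embedded ELF32 headers, and reports which of them are ARM relocatable objects (e_type == ET_REL, e_machine == EM_ARM), i.e. the kind of binary blob the post speculates about.  The sample headers it is run on are constructed inline; the offsets, padding bytes and the assumption that the blobs are plain ELF32 (the Calypso DBB is a 32-bit ARM7) are mine.

```python
import struct

# ELF constants from the ELF32 specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2LSB = 1
ET_REL = 1    # relocatable object file (a .o module)
EM_ARM = 40   # ARM
ELF32_EHDR_SIZE = 52


def parse_elf32_header(blob, offset=0):
    """Parse an ELF32 header at `offset`; return a dict, or None if not ELF32."""
    hdr = blob[offset:offset + ELF32_EHDR_SIZE]
    if len(hdr) < ELF32_EHDR_SIZE or hdr[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = hdr[4], hdr[5]
    if ei_class != ELFCLASS32:
        return None  # ELF64 is not what a Calypso ARM7 build would contain
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    # e_type, e_machine, e_version follow the 16-byte e_ident block
    e_type, e_machine, e_version = struct.unpack(endian + "HHI", hdr[16:24])
    if e_version != 1:
        return None  # EV_CURRENT is the only valid version number
    return {"offset": offset, "endian": endian,
            "e_type": e_type, "e_machine": e_machine}


def is_arm_relocatable(header):
    """True if a parsed header describes an ARM .o (ET_REL, EM_ARM)."""
    return (header is not None
            and header["e_type"] == ET_REL
            and header["e_machine"] == EM_ARM)


def find_elf_objects(blob):
    """Return parsed headers for every ELF32 image found inside `blob`."""
    found = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        hdr = parse_elf32_header(blob, pos)
        if hdr is not None:
            found.append(hdr)
        pos = blob.find(ELF_MAGIC, pos + 1)
    return found


def make_elf32_header(e_type, e_machine, little_endian=True):
    """Constructed sample: a bare ELF32 header with no sections (test input)."""
    ident = (ELF_MAGIC + bytes([ELFCLASS32, 1 if little_endian else 2, 1])
             + b"\x00" * 9)
    endian = "<" if little_endian else ">"
    rest = struct.pack(endian + "HHIIIIIHHHHHH",
                       e_type, e_machine, 1,   # e_type, e_machine, e_version
                       0, 0, 0, 0,             # e_entry, e_phoff, e_shoff, e_flags
                       ELF32_EHDR_SIZE, 0, 0, 0, 0, 0)
    return ident + rest


def scan_sample():
    """Build a constructed 'firmware package' blob and classify what is in it."""
    blob = (b"\x00" * 7
            + make_elf32_header(ET_REL, EM_ARM)          # an ARM .o module
            + b"\xff" * 3
            + make_elf32_header(2, EM_ARM)               # ET_EXEC, a linked image
            + b"junk"
            + make_elf32_header(ET_REL, 3))              # ET_REL but EM_386
    return [(h["offset"], is_arm_relocatable(h)) for h in find_elf_objects(blob)]


if __name__ == "__main__":
    for offset, arm_obj in scan_sample():
        print("ELF at 0x%x: %s" % (offset, "ARM .o" if arm_obj else "other"))
```

Run against a real dump, `find_elf_objects` can be pointed at the bytes of an archive or a raw flash image; a hit on `is_arm_relocatable` is one piece of evidence that a package contains linkable ARM7 modules rather than a single prelinked image.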

