First small steps toward free GSM firmware

Michael Spacefalcon msokolov at ivan.Harhan.ORG
Wed Oct 16 21:29:46 CEST 2013

Norayr Chilingarian <norayr at> wrote:

> > then flash into your GTA0x GSM modem
> Wait, it works both on gta-02 and gta-04?

By GTA0x I meant GTA01 and GTA02.  GolDeliCo's so-called "GTA04" is
rather badly misnamed: GTA originally stood for "GSM-TI-AGPS"; thus a
device that does not use a GSM chipset from TI cannot be properly
called GTA0x.

It is also quite misleading that Nikolaus markets his product as an
"upgrade" to the good old Openmoko phones, as it is actually a
downgrade: it replaces a free-able GSM modem (i.e., one on which the
ability to run 100% free fw is within reach) with a non-freeable one,
i.e., one on which such freeing is totally out of reach.

And for the record, regarding the recent prolonged debate on this
mailing list about the freeness of GolDeliCo's product or lack thereof,
I agree totally with Bob Ham.  However, I differ from Bob in that in
my view, the closed proprietary nature of Nikolaus' product is not
worth shedding any tears over because it is a useless product in the
first place.  The good old GTA02 from Openmoko is a MUCH better phone
than any "GTA04".

> Also, did you test if data connection works?

Only CSD, not GPRS.  I.e., I have tested CSD and saw it working; as to
GPRS, I haven't tested it because I have not yet learned it well
enough, but I suspect that it works - please test it yourself and let
the list know what you find.

> I don't use phone calls,
> only encrypted ssl over tcp over 3g/wifi.

There is no 3G on the real GTA0x, i.e., on GTA01/02.

> I am very interested if this can be flashed to gta-02 device,

I have it flashed into mine. :)

> (unfortunately I don't own gta-04).

Don't say "unfortunately", you are very fortunate to have a much
better device, which are sadly no longer made, and even more sadly,
the leftover stock of Om-made ones is rapidly being destroyed by
people like Nikolaus who cannibalize these great phones for plastic
parts to make their inferior "GTA04"...

> Also, is there a possibility to
> change IMEI during flashing?

Yes, you can change the IMEI quite easily to whatever you like, and in
fact the ability to do so is completely independent of which fw you
use: my current leo2moko port, the future full FreeCalypso fw, or even
the original factory fw from Om.

The modem has a total of 4 MiB of its own NOR flash, divided (hw-wise
inside the chip) into two banks: a 3 MiB bank at the lower addresses
and a 1 MiB bank at the higher addresses.  The lower-addressed 3 MiB
bank holds the fw image - that is what you erase and overwrite when
you reflash from moko10 to moko11 for example, or when you flash my
FreeCalypso firmware.  The higher-addressed 1 MiB bank (or more
precisely, 7 sectors of 64 KiB each within that bank) holds the modem's
FFS (flash file system) in a TI-invented format - one which I had
successfully reverse-engineered even before I found the source, I
should add.

Whatever you do, DO NOT DESTROY YOUR ORIGINAL MODEM FFS!  The original
GSM modem FFS from Om's factory contains RF calibration data, and if
you lose these calibration values, your precious GTA0x will become a
brick (at least GSM-wise) unless you can get that RF calibration
redone.  For an idea of what kind of special RF test equipment would
be needed to redo the RF calibration, see this document from TI:


Needless to say, redoing the RF calibration would be *very* expensive.

My fc-loadtool utility (which you will need to compile from source
from my freecalypso-sw Mercurial tree) allows one to read out the
content of a flash memory region and to save it into a file.  If you
are going to do any hacking at all on your GTA0x GSM modem, I recommend
that you make a dump of your FFS sectors (containing these precious RF
calibration values) and save that dump very securely, before you do
anything else.

The IMEI is stored in the same FFS as the RF calibration values, just
in a different part of the directory hierarchy: the IMEI lives in an
8-byte file named /pcm/IMEI; the RF calibration data live in a bunch
of files under /gsm/rf.  I have not yet written a utility to edit that
/pcm/IMEI file inside the FFS image in a user-friendly manner, so for
now you would need to use a hex editor - the IMEI is stored in a very
simple unobfuscated form in that /pcm/IMEI file.

> Sorry if my questions are a little bit off topic. Anyway I am very
> interested in free fw for my devices - OM gta-02 and n900.

See above regarding Om GTA02.  As to the N900 from Nokia, I doubt that
much freeing can be done with its BB5 modem: I don't know of any
leaked hw docs (let alone fw sources) for that modem, and I've heard
something about it having a crypto-signature-checking bootloader - we
are VERY fortunate to NOT have one of the latter in the Calypso!

(Calypso's on-die ROM bootloader is actually awesome - not only is it
 completely non-"secure", but it is also completely unbrickable: no
 matter what state you get your flash into, one can *always* break
 into the bootloader by sending the right characters into one of the
 UARTs when the modem powers up, and then load the flash writing agent
 into RAM and then reload your flash.  So the hard-to-recover RF
 calibration values are the only part you have to watch out for.  And
 even with those, if you lose/corrupt the FFS in flash, you can
 reprogram if you got a backup copy saved.)

But since you mentioned N900, are you also aware of the upcoming
Neo900 project?  See  I have already volunteered to
make a FreeCalypso modem option for the Neo900:

... and I will make it happen *iff* the Neo900 baseboard provides the
necessary signal connections.  (There are some inherent interface
signal differences between Option's black box module and a Calypso-based
modem; I can probably fit the FC modem design into a physical form
factor mimicking that GTM801 LTE modem, and even match some of the
interface signals like the digital voice channel, but the control/data
interface will need to be serial, not USB.)

But before I can build any FreeCalypso hardware (either a plain phone
or a modem for Neo900 etc), I need to find a copy of the Leonardo+ PCB
layout.  See:

If that PCB layout cannot be found/obtained (I heard that even Om
didn't have it, because FIC gave them a hobbled tri-band design
instead), we are going to have to recreate it ourselves starting with
just the schematics (which we already have, see links in the above).
But because I am not qualified to do my own RF design/layout at GHz
frequencies, we are going to have to hire some RF professional to do
that part, and it will be *expensive*.

Timo Juhani Lindfors <timo.lindfors at> wrote:

> Afaik the firmware in question won't meet the FSF free software
> definition

The FSF free sw definition does not require that the sw be legal in
any particular jurisdiction.  My FreeCalypso firmware is perfectly
legal in those countries which have accepted my Eminent Domain
declaration of TI's abandonware copyrights as null and void,
effectively placing the code in the public domain.  See:

In particular, see note regarding how the principle of eminent domain
can be applied to "intellectual property" as well.

For an example of a truly free country, see:

There is nothing to stop you from making your own copycat of Sealand in
any international waters body of your choice.

> or OSI open source definition since you don't have a license
> that lets you share and change it legally.

Again, legally according to WHOSE laws?  What is stopping you from
declaring yourself as your own sovereign micronation and making
whatever laws you like for yourself?

> If you want free software
> firmware that runs on gta02 you can take a look at osmocombb.

That software is practically unusable: because of their lack of any
power management and a fundamentally flawed architectural design that
runs GSM stack layers 2&3 on the wrong processor, it will drain a full
battery in less than an hour, doing nothing but sitting idle.

They also don't know how to read the factory RF calibration values out
of FFS and to make use of them, so their RF performance is very poor,
at least in the PCS1900 band I work in - that makes their mobile
station very unreliable, i.e., it is a coin toss whether a dialed call
will go through or not, running on a phone (Pirelli DP-L10) whose
original proprietary fw works rock solid.  Not to mention the lack of
CSD capabilities, let alone GPRS.

(I haven't tried OsmocomBB on my GTA02, only on the Pirelli, because
 running it on GTA0x is a royal pita.)

To be fair, my current proof-of-concept leo2moko port is not truly
free YET - it still contains the same object blobs for most of the
GSM/GPRS protocol stack components as were present in the original
Leonardo firmware which TI gave to all of their customers.  But I am
already working on a better version that will be free of any blobs
(full compilation from source) and will build with gcc instead of TI's
proprietary compiler running under Wine.  The sources for the GSM
stack components which the Leonardo version has in object form will
come from this other TI source leak:

(Already archived on as well of course, in case that
 ScottN, whoever he is, takes his copy down.)
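
The post recommends dumping the FFS sectors and keeping that dump safe before doing anything else to the modem. The following is an added example, not part of the original post and not code from the freecalypso-sw tree: a sanity check to run on two independent read-outs of that region before relying on them as the backup. The 7 x 64 KiB geometry comes from the post; the function names, the constructed sample image and the rule that an all-0xFF dump counts as a failed read are assumptions of this example.

```python
import hashlib
import sys

SECTOR = 64 * 1024        # sector size stated in the post
FFS_SIZE = 7 * SECTOR     # the FFS occupies 7 such sectors

def sectors(img):
    return [img[i:i + SECTOR] for i in range(0, len(img), SECTOR)]

def check_ffs_dumps(first, second):
    """Compare two independent read-outs of the FFS region before trusting them."""
    problems = []
    for name, img in (("first", first), ("second", second)):
        if len(img) != FFS_SIZE:
            problems.append(f"{name} dump is {len(img)} bytes, expected {FFS_SIZE}")
    differing = [n for n, (a, b) in enumerate(zip(sectors(first), sectors(second)))
                 if a != b]
    if differing:
        problems.append(f"read-outs differ in sector(s) {differing}")
    # Erased NOR flash reads back as 0xFF. Some blank sectors are only reported;
    # a dump that is blank everywhere is treated as a failed read (assumption).
    blank = [n for n, s in enumerate(sectors(first)) if s.count(0xFF) == len(s)]
    if first and len(blank) == len(sectors(first)):
        problems.append("dump is entirely 0xFF (erased flash or wrong region)")
    return {"ok": not problems, "sha256": hashlib.sha256(first).hexdigest(),
            "blank_sectors": blank, "differing_sectors": differing,
            "problems": problems}

def constructed_image():
    """Constructed stand-in for a dump: 5 sectors of data, 2 erased. Not real FFS content."""
    used = bytes((i * 7 + 3) % 251 for i in range(SECTOR))
    return used * 5 + b"\xff" * (2 * SECTOR)

if __name__ == "__main__":
    if len(sys.argv) == 3:          # two dump files read out separately
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            report = check_ffs_dumps(f1.read(), f2.read())
    else:                           # offline demo on the constructed image
        good = constructed_image()
        report = check_ffs_dumps(good, good)
    print(report)
    sys.exit(0 if report["ok"] else 1)
```

Record the reported SHA-256 alongside each stored copy of the dump so that a later restore can confirm the file has not changed.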

