GSM firmware hacking

Freerunner_User dspaaron at yahoo.com
Sun Aug 10 16:28:50 CEST 2008 

Hello,

I am not sure if this topic can be discussed here on the list. If
not, please let me know.

I want to share some information about the GSM firmware and how
it could be accessed and *maybe* also modified at some time in 
the future.

The following information is based on public information and nothing
which is covered by an NDA. However some of required tools and information
most certainly should never have become public (e.g. the two leaked
Calypso documents).

Lets start: 

 - First we need the TI tool for accessing the Calypso GSM flash memory. 
   This tool is called FLUID. The Openmoko people seem to have ported FLUID
   to Linux/ARM, however I have not found the source code or a Linux 
   binary version of FLUID yet (anyone else ?). If you search the web,
   you can find several Windows versions of FLUID. The one I use is
   "FLUID Revision 2.28, (22 Nov 2004)". Please don't ask me for this
   tool, you have to find it yourself (If I managed to find it, you can
   surely find it too).


 - FLUID accesses the Calypso chip over the serial interface. On the
   GTA02 (most certainly the same for the GTA01) we have two serial 
   interfaces for the Calypso chip: One is connected to the ARM CPU 
   (this is the standard one which accepts the GSM AT commands) and 
   the other is accessible over the earphone jack. If we had the Linux/ARM
   version of FLUID, we could easily access the GSM Flash directly from
   the phone using the standard serial interface (the process was described
   on the openmoko-devel list). For the Windows version we have to go
   a different way and use the second serial interface (It might be
   possible to pass the standard serial interface through the USB
   connection from u-boot, however I have not tried it yet).


 - To access the second serial interface of the Calypso chip, we need
   some hardware first: A 4-conductor 2.5 mm jack (a 3-conductor jack 
   most certainly works too, but this is at your own risk) and a level
   converter to convert the 3.2 Volt level of the serial interface of
   the Calypso chipset to the standard RS232 voltage level. Most 
   certainly you can also use a cheap USB GSM data cable. I won't go into
   the details (please have a look at the GTA01/GTA02 schematics) but
   you have to connect HS_MIC/RX_IRDA (data from PC to the chip),
EP_R/TX_IRDA
   (data from the chip to the PC) and GND. I intentionally don't talk about
   the details because I want to avoid that anyone blames me for damaging
   the phone or PC. I did it as described and it worked without problems 
   but it has not yet confirmed if this will not cause any damage if done
   too frequently. So you are warned. 

   Switching the second serial line of the Calypso chip to the earphone jack 
   is done by the DL_GSM line, when using u-boot to turn the GSM modem on,
   DL_GSM is set to the correct level.
   

 - Now you can test you connection: 

    * go into u-boot on the phone and access the bootloader prompt

    * connect the serial interface hardware to the phone (earphone
      jack) and the serial port of a PC.

    * start a terminal on the PC (Parameters: 115200 baud, 8N1)

    * From the bootloader prompt power the GSM modem on:
 
      "neo1973 gsm on"

    * After a few seconds you should see lots of debug messages on 
      the terminal (at least this is what happens with my "moko8"
      GSM firmware).

    * From the bootloader prompt turn the GSM modem off again:  

      "neo1973 gsm off"


 - A minor modification to the Flash description file of fluid might
   be necessary to work with the GTA02/GTA01: In the file "devices.txt"
   search for the line

   "device K5A3340YB 0xEC 0x223D amd map_8x8_63x64     /* 14.0 + 18.0 !? */"

   and append the following line after it:
   
   "device K5A3240CT 0xEC 0x22A0 amd map_8x8_63x64     /* GTA02 ???? */"

   Warning: I have not yet confirmed if this line is correct, it does not
   care for just reading the flash memory, however for erasing and writing
   the flash memory its essential that the line contains the correct data.


 - Using FLUID to read the GSM Flash memory: Close the terminal first
   and then run FLUID on a Windows PC from the command line:

     "fluid.exe -o o -p 1 -r 0x00000000..0x00400000 -o b -f Flash.bin"

   This will read the whole GSM Flash memory (4 MByte) into a file
   "Flash.bin" assuming that COM1 is used ("-p 1"). For other options
   just start FLUID without any parameters.

Feel free to use FLUID with other options, but you are warned, erasing/
writing the GSM Flash memory this way has not been tested yet and might
damage your phone!.
    
Some ideas for the future:

  - With this approach it should be possible to read the GSM firmware of
    phones equipped with a newer version, create a GSM firmware image file
    and flash it on phones with an older GSM firmware version.

  - With some effort it should be possible to reverse-engineer the
    Windows version of FLUID and create a native Linux/ARM application
    which directly runs on the phone.

  - GSM Firmware hacking: The source code of the GSM stack for a phone
    which also has a TI Calypso chipset inside can be found on the web
    (its the TSM30). It *might* be possible to get this stack run inside
    the GTA02/GTA01. But this is pure speculation in the moment and it
    most certainly requires a *lot* of effort.


Please let me know what you think.

Best regards,
  An Freerunner user
-- 
View this message in context: http://n2.nabble.com/GSM-firmware-hacking-tp684093p684093.html
Sent from the Openmoko Hardware mailing list archive at Nabble.com.

More information about the hardware mailing list