GSM firmware hacking

Werner Almesberger werner at
Mon Aug 11 17:45:37 CEST 2008

Freerunner_User wrote:
>  - First we need the TI tool for accessing the Calypso GSM flash memory. 
>    This tool is called FLUID. The Openmoko people seem to have ported FLUID
>    to Linux/ARM,

This is correct. I did part of that (rather simple) port.

> however I have not found the source code or a Linux 
>    binary version of FLUID yet (anyone else ?).

It's for internal use - testing or firmware upgrades by our support
people - only, and I don't think it has escaped "into the wild" yet.

As far as I know, in negotiations with TI about allowing us to
distribute FLUID and firmware updates, TI seemed sympathetic to the
idea, but since Openmoko then adopted the "treat firmware like
hardware" policy, this discussion was never concluded. So, as far as
I know, we couldn't legally distribute FLUID in any form.

>    "device K5A3240CT 0xEC 0x22A0 amd map_8x8_63x64     /* GTA02 ???? */"

Hmm, this map is a "bottom" (K5AxxxxxB) configuration, not a "top"
(K5AxxxxxT) configuration.

> Feel free to use FLUID with other options, but you are warned, erasing/
> writing the GSM Flash memory this way has not been tested yet and might
> damage your phone!

In particular, you can also wipe out the boot loader. Not sure if
this is a recoverable situation.

>   - With this approach it should be possible to read the GSM firmware of
>     phones equipped with a newer version, create a GSM firmware image file
>     and flash it on phones with an older GSM firmware version.

There's at least one problem with this approach: there's a Flash section
that contains configuration and calibration data. If you end up erasing
it, or if you end up copying it from a different device, your GSM modem
may not work at all or it may perform poorly.

Similarly, if the firmware you install expects some configuration files
which are not in your (older or newer) Flash, it may malfunction.

FLUID doesn't know about the structure of that file section. As far as I
know, the only tools we have to "properly" access that configuration
and calibration section are Windows-based, and I'm not even sure we
have the sources. Performing the calibration from scratch also
requires special radio test equipment.

>   - GSM Firmware hacking: The source code of the GSM stack for a phone
>     which also has a TI Calypso chipset inside can be found on the web
>     (it's the TSM30). It *might* be possible to get this stack to run inside
>     the GTA02/GTA01. But this is pure speculation at the moment and it
>     most certainly requires a *lot* of effort.

Uh, good luck ;-)

Disclaimer: my knowledge about GSM firmware internals is from discussion
with engineers who worked on it, I didn't touch it myself.

- Werner
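As an added illustration of the risk Werner describes above (not code from the thread, from Openmoko, or from FLUID): a pre-flash guard that refuses to write a candidate GSM Flash image if it would alter the boot loader or this device's own configuration/calibration section, and a helper that splices those regions from the device's own dump back into the candidate. The flash size and region offsets are placeholders, not real Calypso/GTA02 values.

```python
# Pre-flash guard for transplanting a GSM firmware image between phones.
# Added example, not part of the original thread or of FLUID.
# FLASH_SIZE and the region offsets below are PLACEHOLDERS chosen for the
# demonstration; the real GTA02 Calypso Flash layout is not given here.
from dataclasses import dataclass

FLASH_SIZE = 4 * 1024 * 1024  # assumed 4 MiB image (placeholder)


@dataclass(frozen=True)
class Region:
    name: str
    start: int  # inclusive byte offset
    end: int    # exclusive byte offset


# Regions that must come from THIS device, never from another phone:
# the boot loader (wiping it may be unrecoverable) and the per-device
# configuration/calibration section. Offsets are placeholders.
PROTECTED = (
    Region("bootloader", 0x000000, 0x010000),
    Region("calibration", 0x3F0000, 0x400000),
)


def check_candidate(own_dump, candidate, size=FLASH_SIZE, protected=PROTECTED):
    """Return a list of problems; an empty list means the candidate keeps
    every protected region byte-identical to this device's own dump."""
    problems = []
    if len(own_dump) != size:
        problems.append(f"own dump is {len(own_dump)} bytes, expected {size}")
    if len(candidate) != size:
        problems.append(f"candidate is {len(candidate)} bytes, expected {size}")
    if problems:
        return problems  # sizes wrong: region compares would be meaningless
    for r in protected:
        if candidate[r.start:r.end] != own_dump[r.start:r.end]:
            problems.append(f"{r.name} region (0x{r.start:06X}-0x{r.end:06X}) "
                            "differs from this device's own dump")
    return problems


def splice_protected(own_dump, candidate, protected=PROTECTED):
    """Build an image that takes the firmware from `candidate` but keeps
    this device's own boot loader and calibration bytes."""
    if len(own_dump) != len(candidate):
        raise ValueError("images must be the same size")
    out = bytearray(candidate)
    for r in protected:
        out[r.start:r.end] = own_dump[r.start:r.end]
    return bytes(out)
```

Only write an image for which `check_candidate` returns an empty list; the splice step is what makes a dump taken from another phone pass that check.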
