GSM firmware hacking

Freerunner_User dspaaron at yahoo.com
Mon Aug 11 19:40:38 CEST 2008 

Hello Werner,

Werner Almesberger wrote: 

> Hmm, this map is a "bottom" (K5AxxxxxB) configuration, not a "top" 
> (K5AxxxxxT)  configuration. 

You are right, the correct line in devices.txt should be:

  device K5A3240CT 0xEC 0x22A0 amd map_63x64_8x8     /* GTA02 */

> In particular, you can also wipe out the boot loader. Not sure if 
> this is a recoverable situation. 

It seems that there is 8 KByte of ROM in the Calypso, however it looks
as if nIBOOT is not connected so the ROM part could not be activated.
In this is true it will be really difficult to restore a broken
bootloader in the flash memory, if possible at all.

> There's at least one problem with this approach: there's a Flash section 
> that contains configuration and calibration data. If you end up erasing 
> it, or if you end up copying it from a different device, your GSM modem 
> may not work at all or it may perform poorly. 

OK, for me it looks like this right now (offsets into the 4 MByte flash):

  0x000000: Boot Loader
  0x010000: Start of GSM firmware
  0x22576B: "moko8" firmware ends here (lots of free flash starts here)
  0x380000: flash file system for phone configuration (does not seem to
                 be a common Linux flash file system)

So it should be possible to extract the firmware only.

> Similarly, if the firmware you install expects some configuration files 
> which are not in your (older or newer) Flash, it may malfunction. 

This could surely cause troubles. What about documenting the GSM
firmware version history, at least if the configuration is 
compatible ;-) ?

> FLUID doesn't know about the structure of that file secion. As far as I 
> know, the only tools we have to "properly" access that configuration 
> and calibration section are Windows-based, and I'm not even sure we 
> have the sources. Performing the calibration from scratch also 
> quires special radio test equipment. 

At least it should be possible to make a backup of the wohle GSM flash
and restore it if something goes wrong (assuming the bootloader has not 
been damaged).

> Uh, good luck ;-) 

OK, forget about getting a complete GSM stack to run. Lets start simple,
why not start with just receiving the beacon channel ? This also
would not influence the GSM Net at all (no sending). I consider
such projects as a good chance to learn the technology in-deep. Sure,
an USRP and GnuRadio could be used, but this is different.

Anyway, the main goal is to find a way to upgrade the GSM firmware,
at least if there is no official way to do it. Of course this requires
to know if the configuration can be exchanged between the firmware
versions.

Best regards,
 A Freerunner user.
-- 
View this message in context: http://n2.nabble.com/GSM-firmware-hacking-tp684093p686435.html
Sent from the Openmoko Hardware mailing list archive at Nabble.com.

More information about the hardware mailing list