GSM firmware hacking

Werner Almesberger werner at
Mon Aug 11 22:11:06 CEST 2008

Freerunner_User wrote:
> You are right, the correct line in devices.txt should be:
>   device K5A3240CT 0xEC 0x22A0 amd map_63x64_8x8     /* GTA02 */

This looks better, yes.

> It seems that there is 8 KByte of ROM in the Calypso, however it looks
> as if nIBOOT is not connected so the ROM part could not be activated.

It seems to be routed to the lone resistor "south" of the Calypso,
100k to GND.

> This could surely cause troubles. What about documenting the GSM
> firmware version history, at least if the configuration is 
> compatible ;-) ?

I had a look at our list of changes, and I found the following changes
that appear to have affected that configuration data:

- moko5: added lots of config files (e.g., for the firmware version
- moko6: removed most of them, since we're better off hard-coding
  that information

This is as unauthoritative as it gets, so please don't complain too
much if things break anyway :) E.g., I'm not sure if that list of
changes is complete or if it would mention file format or file name

> OK, forget about getting a complete GSM stack to run. Let's start simple,
> why not start with just receiving the beacon channel?

Dunno. A few things to consider:

- I don't know how many design variants there are for calypso-based
  RF subsystems that differ in how they are controlled. I also don't
  know if our circuit is anything like a "standard" configuration or
  something more exotic.

- I also don't know how much different firmware "strains" tend to
  vary. At least some companies apparently fork the firmware for
  each customer and implement changes on a request basis. Thus,
  firmware for device X may end up being very different from device
  Y, even though they use the same chip.

  This sort of difference may also occur in low-level functionality.
  For example, when we went for PTCRB certification in HXD8, we had
  to ask TI for support to beat our firmware into shape.

- I know for sure that things like AT@POFF and our wakeup interrupt,
  simple as they are, are Openmoko-specific.

So I would assume that there's a fairly high risk that you'll end up
configuring the modem such that it emits something unpleasant, even
if you don't intend to. Unless you have suitable test equipment,
you'll only find out what atrocities you've committed after somebody
who does knocks at your door ...

Given that such a project would almost certainly violate various laws
and regulations in your area, it may also be difficult to find support
from labs or companies that are equipped to perform at least some of
the measurements.

Of course, given the trouble not broadcasting what you're doing
might save you, a communication tester like the one Andy mentioned
may actually be a bargain ;-)

> Anyway, the main goal is to find a way to upgrade the GSM firmware,
> at least if there is no official way to do it. Of course this requires
> to know if the configuration can be exchanged between the firmware
> versions.

My general advice would be not to take chances and to contact support
if you think you need a more recent firmware. But since you seem to
be determined to try it anyway and since you've already figured out
enough to get you in trouble, a few warnings:

- Given that moko5 requires a number of configuration files neither
  earlier nor later versions have, I would avoid any change that
  makes you end up with moko5 unless your phone already came with

- I'm not sure if it's safe to upgrade from pre-moko5 to post-moko5
  (because > moko5 may need configuration files that didn't exist
  in < moko5)

- Do not install firmware from a different device if that firmware
  is < moko5 or if it is for a different region (850/900 MHz).

  And no, installing firmware for a different region will not make
  your phone work with that band, since hardware and calibration
  are different.

Any advice on what may happen in future firmware revisions exceeds
my predictive skills ;-)

- Werner

More information about the hardware mailing list