FreeCalypso progress update

Michael Spacefalcon msokolov at ivan.Harhan.ORG
Thu May 8 21:32:20 CEST 2014


Hello project followers,

Just a quick update on where the FreeCalypso project stands.  I am
still reconstructing the full-source form of TI's Calypso reference
firmware, the one which we currently have only in semi-src form,
running on TI's Leonardo board and on the GTA02 modem.  How can one
reconstruct a full source from a semi-src (half src, half objects) in
which half of the original source is missing?  By finding matching
source pieces in other TI source leaks (the "Peek" LoCosto one mostly)
and reintegrating them one by one onto the reconstructed FreeCalypso
firmware skeleton.

There are a few binary objects in the Leonardo semi-src for which no
matching source could be found in any of the available leaks.  I am
currently working on one of these hard pieces: the OS Adaptation Layer
part of the GPF, the thin layer that sits between the Nucleus RTOS
microkernel and the higher sublayers of GPF.  GPF stands for Generic
Protocol stack Framework, and it is the foundation on which Condat's
GSM/GPRS radio protocol stack is built.  Back in the days when TI
actively maintained their firmware for Calypso, LoCosto and other
offerings in this family, the GPF code was already so stable and
independent of the rest of the firmware that it was distributed and
used mostly as binary libraries even inside TI, it seems.  Take the
LoCosto source for example: all of L1, L2 and L3 code is compiled from
source, but GPF comes from *.lib files that are pulled into the build
as blobs.

But fortunately we've been able to find the real C source for most of
GPF.  The Leonardo semi-src includes a few pieces of GPF C source
despite not actually using them in the build (which uses *.lib blobs
instead); the LoCosto find includes the source for some *other* parts
of GPF - once again, not actually used in the build which uses *.lib
blobs.  By putting together the GPF source bits from the Leonardo and
LoCosto finds, we now have the original C source for *most* of GPF -
and this source has already been integrated into the gcc-built
FreeCalypso GSM firmware tree.

The thin OS Adaptation Layer between Nucleus and the rest of GPF, and
the equally thin OSX layer between GPF and L1, are the only two parts
of GPF for which the original C source could not be found.  The first
out of these two (OSL) is needed in order build a test fw image with
GPF included, hence it is the part I'm working on now; the other (OSX)
should not be needed until it is time to integrate L1, so I plan on
tackling it at that time.

I am reconstructing the missing/lost source for the OSL part of GPF
from the binary object form, by a process of disassembly followed by
decompilation.  The disassembly step is automated with a special tool
I wrote for this purpose.  See the leo-obj subtree in this Hg tree:

https://bitbucket.org/falconian/freecalypso-reveng

Anyone who wonders just how much info can be extracted from these COFF
binary objects is invited to see for herself:

hg clone https://bitbucket.org/falconian/freecalypso-reveng
cd freecalypso-reveng/leo-obj
make

Look at the *.disasm and *.ctypes files that will be produced, and
revel at all of the juicy C-level symbolic info contained therein.
All that stuff has been extracted out of the object blobs; the only
inputs to the tiobjd tool are the *.obj artifacts and some really
minimal hints in the *.hints files (see for yourselves how minimal
they are).  Who was it who said (some 2.5 y ago on this list) that the
ware in question is nothing more than useless blobs?

The next step is decompilation, and it's being done in the gsm-fw/gpf
subtree of the other Hg tree:

https://bitbucket.org/falconian/freecalypso-sw

The gsm-fw/gpf/osl directory contains the C modules which I am
reconstructing from the above *.disasm through manual decompilation;
the other subdirectories of gsm-fw/gpf contain the rest of GPF, the
source for which has been found in the Leonardo and/or LoCosto semi-src.
The inc subdirectory contains all of the original GPF header files,
used by both the original sources and the ones I am reconstructing.

Peruse the two source repositories above to see where the project
stands; look at the commit history to judge the pace at which it is
going.

Viva la Revolucion,
SF



More information about the community mailing list