GSM firmware hacking
dspaaron at yahoo.com
Sun Aug 10 16:28:50 CEST 2008
I am not sure if this topic can be discussed here on the list. If
not, please let me know.
I want to share some information about the GSM firmware and how
it could be accessed and *maybe* also modified at some time in
The following information is based on public information and nothing
which is covered by an NDA. However, some of the required tools and information
most certainly should never have become public (e.g. the two leaked
- First we need the TI tool for accessing the Calypso GSM flash memory.
This tool is called FLUID. The Openmoko people seem to have ported FLUID
to Linux/ARM, however I have not found the source code or a Linux
binary version of FLUID yet (anyone else ?). If you search the web,
you can find several Windows versions of FLUID. The one I use is
"FLUID Revision 2.28, (22 Nov 2004)". Please don't ask me for this
tool, you have to find it yourself (If I managed to find it, you can
surely find it too).
- FLUID accesses the Calypso chip over the serial interface. On the
GTA02 (most certainly the same for the GTA01) we have two serial
interfaces for the Calypso chip: One is connected to the ARM CPU
(this is the standard one which accepts the GSM AT commands) and
the other is accessible over the earphone jack. If we had the Linux/ARM
version of FLUID, we could easily access the GSM Flash directly from
the phone using the standard serial interface (the process was described
on the openmoko-devel list). For the Windows version we have to go
a different way and use the second serial interface (It might be
possible to pass the standard serial interface through the USB
connection from u-boot, however I have not tried it yet).
- To access the second serial interface of the Calypso chip, we need
some hardware first: A 4-conductor 2.5 mm jack (a 3-conductor jack
most certainly works too, but this is at your own risk) and a level
converter to convert the 3.2 Volt level of the serial interface of
the Calypso chipset to the standard RS232 voltage level. Most
certainly you can also use a cheap USB GSM data cable. I won't go into
the details (please have a look at the GTA01/GTA02 schematics) but
you have to connect HS_MIC/RX_IRDA (data from PC to the chip),
(data from the chip to the PC) and GND. I intentionally don't talk about
the details because I want to avoid that anyone blames me for damaging
the phone or PC. I did it as described and it worked without problems
but it has not yet been confirmed if this will not cause any damage if done
too frequently. So you are warned.
Switching the second serial line of the Calypso chip to the earphone jack
is done by the DL_GSM line, when using u-boot to turn the GSM modem on,
DL_GSM is set to the correct level.
- Now you can test your connection:
* go into u-boot on the phone and access the bootloader prompt
* connect the serial interface hardware to the phone (earphone
jack) and the serial port of a PC.
* start a terminal on the PC (Parameters: 115200 baud, 8N1)
* From the bootloader prompt power the GSM modem on:
"neo1973 gsm on"
* After a few seconds you should see lots of debug messages on
the terminal (at least this is what happens with my "moko8"
* From the bootloader prompt turn the GSM modem off again:
"neo1973 gsm off"
- A minor modification to the Flash description file of FLUID might
be necessary to work with the GTA02/GTA01: In the file "devices.txt"
search for the line
"device K5A3340YB 0xEC 0x223D amd map_8x8_63x64 /* 14.0 + 18.0 !? */"
and append the following line after it:
"device K5A3240CT 0xEC 0x22A0 amd map_8x8_63x64 /* GTA02 ???? */"
Warning: I have not yet confirmed if this line is correct. It does not
matter for just reading the flash memory; however, for erasing and writing
the flash memory it is essential that the line contains the correct data.
- Using FLUID to read the GSM Flash memory: Close the terminal first
and then run FLUID on a Windows PC from the command line:
"fluid.exe -o o -p 1 -r 0x00000000..0x00400000 -o b -f Flash.bin"
This will read the whole GSM Flash memory (4 MByte) into a file
"Flash.bin" assuming that COM1 is used ("-p 1"). For other options
just start FLUID without any parameters.
Feel free to use FLUID with other options, but you are warned: erasing/
writing the GSM Flash memory this way has not been tested yet and might
damage your phone!
Some ideas for the future:
- With this approach it should be possible to read the GSM firmware of
phones equipped with a newer version, create a GSM firmware image file
and flash it on phones with an older GSM firmware version.
- With some effort it should be possible to reverse-engineer the
Windows version of FLUID and create a native Linux/ARM application
which directly runs on the phone.
- GSM Firmware hacking: The source code of the GSM stack for a phone
which also has a TI Calypso chipset inside can be found on the web
(it's the TSM30). It *might* be possible to get this stack to run inside
the GTA02/GTA01. But this is pure speculation at the moment and it
most certainly requires a *lot* of effort.
Please let me know what you think.
A Freerunner user
View this message in context: http://n2.nabble.com/GSM-firmware-hacking-tp684093p684093.html
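The post reads the whole 4 MByte flash with "-r 0x00000000..0x00400000" and proposes a devices.txt entry with the sector map "map_8x8_63x64". The script below is an added example (mine, not code from the original post, from TI's FLUID or from Openmoko) that parses such a devices.txt line and sanity-checks a dump file against it before anyone trusts the image or considers writing it back to another phone. It assumes that a FLUID map name "map_<n>x<kb>_<m>x<kb>" means n sectors of <kb> KiB followed by m sectors of <kb> KiB (that reading is my assumption; it makes the GTA02 line add up to exactly the 4 MiB the -r range covers) and that an erased NOR sector reads back as all 0xFF. The built-in sample image is constructed, not a real dump.

```python
"""Sanity-check a FLUID flash dump ("Flash.bin") against a devices.txt entry.

Added example, not part of the original post and not TI/FLUID or Openmoko code.
Assumptions (mine): map_<n>x<kb>_<m>x<kb> = n sectors of <kb> KiB followed by
m sectors of <kb> KiB; an erased NOR sector reads back as all 0xFF.
"""
import hashlib
import math
import re
import sys
from collections import Counter

DEVICE_LINE = re.compile(
    r"device\s+(?P<name>\S+)\s+(?P<mfr>0x[0-9A-Fa-f]+)\s+(?P<dev>0x[0-9A-Fa-f]+)"
    r"\s+(?P<algo>\S+)\s+map_(?P<bn>\d+)x(?P<bk>\d+)_(?P<mn>\d+)x(?P<mk>\d+)"
)

# The devices.txt line proposed in the post, used here as sample input.
GTA02_LINE = "device K5A3240CT 0xEC 0x22A0 amd map_8x8_63x64 /* GTA02 ???? */"


def parse_device_line(line):
    """Turn one devices.txt 'device' entry into IDs and an explicit sector layout."""
    m = DEVICE_LINE.search(line)
    if not m:
        raise ValueError("not a devices.txt 'device' line: %r" % line)
    sectors = [int(m["bk"]) * 1024] * int(m["bn"]) + [int(m["mk"]) * 1024] * int(m["mn"])
    return {
        "name": m["name"],
        "mfr_id": int(m["mfr"], 16),  # 0xEC is the JEDEC manufacturer code for Samsung
        "dev_id": int(m["dev"], 16),
        "algo": m["algo"],
        "sector_sizes": sectors,
        "size": sum(sectors),
    }


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a uniform fill, 8.0 for random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_sector(sector):
    """'erased' (all 0xFF), 'zeroed' (all 0x00) or 'data'."""
    if sector.count(0xFF) == len(sector):
        return "erased"
    if sector.count(0x00) == len(sector):
        return "zeroed"
    return "data"


def sector_map(dump, sector_sizes):
    """List (offset, size, state, entropy) for every sector of the layout."""
    out, off = [], 0
    for size in sector_sizes:
        chunk = dump[off:off + size]
        out.append((off, size, classify_sector(chunk), round(entropy(chunk), 2)))
        off += size
    return out


def check_dump(dump, dev):
    """Report on a dump; 'ok' is False if it cannot be a complete read of this chip."""
    smap = sector_map(dump, dev["sector_sizes"])
    states = Counter(s[2] for s in smap)
    return {
        "ok": len(dump) == dev["size"],
        "expected_size": dev["size"],
        "actual_size": len(dump),
        "sha256": hashlib.sha256(dump).hexdigest(),  # compare dumps of two phones
        "sectors": smap,
        "erased_sectors": states["erased"],
        "data_sectors": states["data"],
        "first_erased_offset": next((s[0] for s in smap if s[2] == "erased"), None),
    }


def constructed_dump():
    """Constructed 4 MiB image: 96 KiB of byte-cycling 'firmware', the rest erased."""
    used = bytes(range(256)) * (96 * 1024 // 256)
    return used + b"\xFF" * (4 * 1024 * 1024 - len(used))


if __name__ == "__main__":
    dev = parse_device_line(GTA02_LINE)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_dump()
    rep = check_dump(image, dev)
    print("%s: %s, %d bytes (expected %d), sha256=%s" % (
        dev["name"], "OK" if rep["ok"] else "SIZE MISMATCH",
        rep["actual_size"], rep["expected_size"], rep["sha256"]))
    print("%d sectors with data, %d erased" % (rep["data_sectors"], rep["erased_sectors"]))
    if rep["first_erased_offset"] is not None:
        print("first erased sector at 0x%08X" % rep["first_erased_offset"])
```

Run it as "python fluidcheck.py Flash.bin" on a real dump; with no argument it checks the constructed image. A dump shorter than the sector map, or one where every sector is erased or zeroed, means the read did not go through (wrong COM port, modem not powered, DL_GSM not set) rather than an empty chip, so do not use it as a source image for another phone.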