Qualcomm documentation

[Andreas Galauner]

Hello everybody,
last year I stumbled upon a PDF which describes all registers inside the 
Qualcomm MSM7200 series chipset. I now got a new mobile phone and 
remembered about that document because wanted to play a bit with my old 
one (HTC Magic/Sapphire/G2/Ion).
I googled a few hours now and found several documents from Qualcomm, but 
I just found a whole svn repository full of Documentation [1].

Those Qualcomm chipsets are particularly interesting, because, due to 
Android, there already is a Linux kernel for the ARM11 core available. 
The missing part is a free implementation of the ARM9 baseband.

My next goal is, as soon as I managed to solder cables to the JTAG pins 
covered in epoxy, to get own code running on the ARM9. I don't know how 
hard this will get, because this chipset has several security features 
like signature checking of code, fusebits for security configuration 
etc., but I will give it a try.
JTAG definitely is still activated, because several people developed a 
method to unbrick their phones in case they have a bad ARM11 bootloader. 
And even if there is no chance to get own code running right away, I'm 
pretty certain that there somewhere is a buffer overflow which is 
exploitable. Either inside the baseband itself or in the serial console 
command parser of the early bootloaders provided by the OEM (OEMSBL).
Time will tell. I hope I've got something to show you at the 27C3.

My problem is that I don't have enough experience and knowledge about 
GSM yet to estimate if all this documentation is sufficient to implement 
a real baseband software on this chipset. If it's not, I think it's 
pointless to invest several days/nights of work to get own code running.
Maybe somebody of you can have a quick look over the repository and the 
documents?

Thanks,
Andy

[1]: http://code.google.com/p/ptwcdma/source/browse/