MTK and Infineon-based phones

Harald Welte laforge at gnumonks.org
Sat Nov 26 08:23:49 CET 2011 

Hi Martin,

On Sat, Nov 26, 2011 at 02:03:50AM +0100, Martin Hinner wrote:
>   This is my first experience with GSM phones reverse engineering, so
> sorry if I am wrong, but it seems to be quite difficult for me to
> obtain four Calypso-based phones (yes, I know I can order them from
> webshop for a few euros, but I will need more of them if my
> experiments are successfull). 
>
> Currently, I do have some information (datasheet&code) for MTK
> platform, and I see there is implementation of "secondary bootloader"
> for these phones, but no layer1 yet.

the question really is how many of them you need.

> On the other hand, I have access to very cheap phones using Infineon
> PMB7880 (C166 + DSP) or MTK (ARM9) chipsets.

Economically, the question is:
* what is the price of the required qty of calypso based phones
	vs
* what is the amount of work needed for porting to MTK

Even under the most ideal circumstances, porting the L1 to any new
baseband chip architecture is going to be a lot of work.  

As "ideal circumstances" I count
 * detailed knowledge about not only the integrated peripherals of the
   DBB but also register-level documentation of the ABB
 * detailed knowledge about the shared memory API between DSP-ROM and
   ARM CPU
 * no cryptographic verification in bootloader that needs to be broken
 * a developer who has very strong background on GSM L1 and cellphone
   hardware
 * access to measurement devices for MS testing like Racal 6103

Even under such circumstances, I would guess an effort of somewhere
between 1 to 2 man-months full-time.

As the circumstances are never ideal, it will likely be more effort.

Some developers have already put quite a bit of effort into the MTK
chipset side, and even though we don't have the register-level data
sheets of all of the ABB chips and the DBB data sheets do not cover
anything on the details of the DSP/ARM API interface, I think it is the
most promising architecture.

> Is it feasible to create layer1 implementation for Infineon and/or
> MTK? Is there anyone willing to help with this?

I think the big issue is availability.  The people invovled in OsmocomBB
are working on a variety of other projects and protocol stacks
(OsmocomGMR, OsmocomTETRA, osmo-bts, etc.)

So the big question is: How can you convince anyone from the existing
team to contribute to a port to MTK?  I think the fact that the code
runs well on the Calypso based phones (which are still avialable even in
quantity) makes this a bit difficult, as there is no real gain.

People generally want to work on creating new functionality, rather than
re-creating something that already exists...

> I will add that I have spent many many nights disassembling car
> control units using Infineon/Siemens C166 core (since 2002?), so
> Infineon platform is very attractive for me (the flash is only 2MB for
> some phones, it's easy to read code, etc...).

On the other hand: C166 is a one-way road.  No new baseband chipsets
(even infineon) use them anymore.  You need to port all the arm-specific
assembly bits in OsmocomBB  to the C166 code, etc.

MTK is a much more attractive target. More docs, more understanding,
more existing code and ARM based.

Regards,
	Harald
-- 
- Harald Welte <laforge at gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

More information about the baseband-devel mailing list