annotate pirelli/rfcal @ 206:11761eaf712c

old Calypso F741979B boot ROM analyzed
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Wed, 30 Dec 2015 08:27:46 +0000
parents 30ba25056ecd
children 2cc7a17c3859
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
1 The 64 KiB flash sector at 0x027F0000 (the last sector of the 2nd flash bank)
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
2 contains per-unit factory data, including the IMEI and RF calibration values.
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
3 The location of the IMEI record (at offset 0x504) was found back in 2013-07 and
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
4 its encryption was figured out in 2013-11, but it took a bit longer to find the
183
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
5 RF calibration data. But I finally found most of the latter as well. Here
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
6 they are:
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
7
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
8 Hex offset Corresponding FFS file in TI's canonical version
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
9 ----------------------------------------------------------------
183
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
10 06E5 /sys/adccal
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
11 0709 checksum byte
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
12
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
13 072B /gsm/rf/tx/ramps.900
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
14 092B checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
15 092C /gsm/rf/tx/levels.900
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
16 09AC checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
17 09AD /gsm/rf/tx/calchan.900
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
18 0A2D checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
19 0A2E /gsm/rf/tx/ramps.1800
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
20 0C2E checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
21 0C2F /gsm/rf/tx/levels.1800
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
22 0CAF checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
23 0CB0 /gsm/rf/tx/calchan.1800
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
24 0D30 checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
25 0D31 /gsm/rf/tx/ramps.1900
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
26 0F31 checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
27 0F32 /gsm/rf/tx/levels.1900
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
28 0FB2 checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
29 0FB3 /gsm/rf/tx/calchan.1900
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
30 1033 checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
31
198
30ba25056ecd pirelli/rfcal: Rx agcparams and calchan were swapped
Space Falcon <falcon@ivan.Harhan.ORG>
parents: 183
diff changeset
32 10AF /gsm/rf/rx/calchan.900
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
33 10D7 checksum byte
198
30ba25056ecd pirelli/rfcal: Rx agcparams and calchan were swapped
Space Falcon <falcon@ivan.Harhan.ORG>
parents: 183
diff changeset
34 10D8 /gsm/rf/rx/agcparams.900
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
35 10E0 checksum byte
198
30ba25056ecd pirelli/rfcal: Rx agcparams and calchan were swapped
Space Falcon <falcon@ivan.Harhan.ORG>
parents: 183
diff changeset
36 10E1 /gsm/rf/rx/calchan.1800
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
37 1109 checksum byte
198
30ba25056ecd pirelli/rfcal: Rx agcparams and calchan were swapped
Space Falcon <falcon@ivan.Harhan.ORG>
parents: 183
diff changeset
38 110A /gsm/rf/rx/agcparams.1800
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
39 1112 checksum byte
198
30ba25056ecd pirelli/rfcal: Rx agcparams and calchan were swapped
Space Falcon <falcon@ivan.Harhan.ORG>
parents: 183
diff changeset
40 1113 /gsm/rf/rx/calchan.1900
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
41 113B checksum byte
198
30ba25056ecd pirelli/rfcal: Rx agcparams and calchan were swapped
Space Falcon <falcon@ivan.Harhan.ORG>
parents: 183
diff changeset
42 113C /gsm/rf/rx/agcparams.1900
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
43 1144 checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
44
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
45 Each calibration record is followed by a checksum byte. It is a simple ripple-
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
46 carry sum of all bytes in the preceding record. Note that this checksum byte
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
47 is always 0 for the ramps records, as each correctly-formed ramp adds up to 128
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
48 (0x80), and the array has an even number of ramps in total.
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
49
183
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
50 Unfortunately though, I have not been able to locate these two records:
181
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
51
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
52 /gsm/rf/afcdac
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
53 /gsm/rf/afcparams
bf4286245c74 Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
54
183
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
55 These two files appear in Openmoko's FFS on GTA02 modems, and the byte content
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
56 differs for each physical unit, so I assume that these values really do need to
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
57 be calibrated per unit, but I haven't been able to locate them in Pirelli's
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
58 factory data block. /gsm/rf/afcdac is only 2 bytes long, thus very hard to
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
59 spot visually in a hex dump of an unknown larger data structure;
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
60 /gsm/rf/afcparams is 24 bytes long and has some structure to it, so I was
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
61 hoping to recognize the latter, but no luck.
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
62
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
63 We will have to try running uncalibrated, or perhaps we'll find the code in
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
64 Pirelli's fw that fills the parts of the T_RF structure that are normally read
827b8977d3c2 pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 181
diff changeset
65 from these files.