# HG changeset patch
# User Michael Spacefalcon
# Date 1405213882 0
# Node ID bf4286245c744c40f75895afbd8224b7f0a7930e
# Parent 25b54c5ad6c23535dffa9deada95a1b8af8ccb8d
Pirelli's RF calibration cracked
diff -r 25b54c5ad6c2 -r bf4286245c74 .hgignore
--- a/.hgignore Sat Jul 12 00:05:22 2014 +0000
+++ b/.hgignore Sun Jul 13 01:11:22 2014 +0000
@@ -22,6 +22,7 @@
 ^miscprog/factdiff$
 ^miscprog/imeibrute$
 ^miscprog/mokosrec2bin$
+^miscprog/pircksum$
 ^miscprog/pirimei$
 ^miscprog/rfcap-grep$
diff -r 25b54c5ad6c2 -r bf4286245c74 miscprog/Makefile
--- a/miscprog/Makefile Sat Jul 12 00:05:22 2014 +0000
+++ b/miscprog/Makefile Sun Jul 13 01:11:22 2014 +0000
@@ -1,6 +1,6 @@
 CC= gcc
 CFLAGS= -O2
-STD= atsc calextract factdiff mokosrec2bin rfcap-grep
+STD= atsc calextract factdiff mokosrec2bin pircksum rfcap-grep
 CRYPTO= imeibrute pirimei
 PROGS= ${STD} ${CRYPTO}
@@ -17,6 +17,7 @@
 factdiff: factdiff.c
 imeibrute: imeibrute.c
 mokosrec2bin: mokosrec2bin.c
+pircksum: pircksum.c
 pirimei: pirimei.c
 rfcap-grep: rfcap-grep.c
diff -r 25b54c5ad6c2 -r bf4286245c74 miscprog/pircksum.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/miscprog/pircksum.c Sun Jul 13 01:11:22 2014 +0000
@@ -0,0 +1,36 @@
+/*
+ * This program has been used to verify and refine my understanding of the
+ * checksum scheme used for Pirelli's RF calibration data.
+ */
+
+#include
+#include
+#include
+
+main(argc, argv)
+ char **argv;
+{
+ FILE *f;
+ u_long offset, len;
+ u_char inb, accum;
+
+ if (argc != 4) {
+ fprintf(stderr, "usage: %s fact.bin offset len\n", argv[0]);
+ exit(1);
+ }
+ f = fopen(argv[1], "r");
+ if (!f) {
+ perror(argv[1]);
+ exit(1);
+ }
+ offset = strtoul(argv[2], 0, 16);
+ len = strtoul(argv[3], 0, 16);
+ fseek(f, offset, SEEK_SET);
+ for (accum = 0; len; len--) {
+ inb = getc(f);
+ accum += inb;
+ }
+ inb = getc(f);
+ printf("Computed cksum %02X, following byte %02X\n", accum, inb);
+ exit(0);
+}
diff -r 25b54c5ad6c2 -r bf4286245c74 pirelli/rfcal
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
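Review bot: `inb = getc(f)` in the summing loop of pircksum.c, and the single read after it, store an `int` that may be `EOF` into a `u_char`, so an offset or length that runs past the end of fact.bin is silently folded in as 0xFF bytes and the tool prints a plausible-looking checksum instead of failing; the preceding `fseek(f, offset, SEEK_SET)` is unchecked in the same way. Because the program exists to confirm the checksum layout, a quiet wrong answer is worse than an error, so the byte should be read into an `int`, the loop should stop on `EOF`, and the seek result should be tested. The mode string should also be `"rb"` so the byte stream is not subject to text-mode translation on non-POSIX hosts. Replacing `u_char inb, accum;` with `u_char accum; int c;` lets the loop below stand in for the current one; the rest of main is unchanged and lies entirely within the hunk.
```c
	u_char accum;
	int c;			/* getc() result: int, so EOF is distinguishable from 0xFF */
	/* … unchanged: argument check, strtoul parsing … */
	f = fopen(argv[1], "rb");
	/* … unchanged: fopen failure handling … */
	if (fseek(f, offset, SEEK_SET) != 0) {
		perror(argv[1]);
		exit(1);
	}
	for (accum = 0; len; len--) {
		c = getc(f);
		if (c == EOF) {
			fprintf(stderr, "%s: record runs past end of file\n", argv[1]);
			exit(1);
		}
		accum += (u_char)c;
	}
	c = getc(f);
	if (c == EOF) {
		fprintf(stderr, "%s: no checksum byte after record\n", argv[1]);
		exit(1);
	}
	printf("Computed cksum %02X, following byte %02X\n", accum, (u_char)c);
```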
+++ b/pirelli/rfcal Sun Jul 13 01:11:22 2014 +0000
@@ -0,0 +1,52 @@
+The 64 KiB flash sector at 0x027F0000 (the last sector of the 2nd flash bank)
+contains per-unit factory data, including the IMEI and RF calibration values.
+The location of the IMEI record (at offset 0x504) was found back in 2013-07 and
+its encryption was figured out in 2013-11, but it took a bit longer to find the
+RF calibration data. But I finally found the latter as well. Here they are:
+
+Hex offset Corresponding FFS file in TI's canonical version
+----------------------------------------------------------------
+072B /gsm/rf/tx/ramps.900
+092B checksum byte
+092C /gsm/rf/tx/levels.900
+09AC checksum byte
+09AD /gsm/rf/tx/calchan.900
+0A2D checksum byte
+0A2E /gsm/rf/tx/ramps.1800
+0C2E checksum byte
+0C2F /gsm/rf/tx/levels.1800
+0CAF checksum byte
+0CB0 /gsm/rf/tx/calchan.1800
+0D30 checksum byte
+0D31 /gsm/rf/tx/ramps.1900
+0F31 checksum byte
+0F32 /gsm/rf/tx/levels.1900
+0FB2 checksum byte
+0FB3 /gsm/rf/tx/calchan.1900
+1033 checksum byte
+
+10AF /gsm/rf/rx/agcparams.900
+10D7 checksum byte
+10D8 /gsm/rf/rx/calchan.900
+10E0 checksum byte
+10E1 /gsm/rf/rx/agcparams.1800
+1109 checksum byte
+110A /gsm/rf/rx/calchan.1800
+1112 checksum byte
+1113 /gsm/rf/rx/agcparams.1900
+113B checksum byte
+113C /gsm/rf/rx/calchan.1900
+1144 checksum byte
+
+Each calibration record is followed by a checksum byte. It is a simple ripple-
+carry sum of all bytes in the preceding record. Note that this checksum byte
+is always 0 for the ramps records, as each correctly-formed ramp adds up to 128
+(0x80), and the array has an even number of ramps in total.
+
+The following still remain to be located:
+
+/gsm/rf/afcdac
+/gsm/rf/afcparams
+
+I don't expect major difficulty in finding them; I just haven't got around to
+studying this part of the calibration system yet.