Difference between revisions of "BP firmware"
Revision comparison. Older revision summary: (Added modem logging). Newer revision: m (→Documentation).

Line 18 (Documentation section):
[http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf TI GSM implementation] (unchanged)
− [ replaced by + [[File:nucleus_manuals.tar.bz2]] Nucleus Manuals
− [ replaced by + [[File:nucleus_src.tar.gz]] Nucleus PPC 1.12 source
[http://www.mentor.com/products/embedded_software/android-linux-multicore/ Android and Nucleus] (unchanged)

Line 26:
[http://rtosdsp.blogspot.com/ Interesting about C55x RTOS] (unchanged)
− [ replaced by + [[File:bp_interface.tar.bz2]] AT interface to BP
== Reverse Engineering == (unchanged)
Latest revision as of 21:00, 23 December 2011
Introduction
Modern smartphones are made of two parts: the "smart" part and the "phone" part. They are largely independent of each other; on the iPhone, for example, MacOSX can crash during a call but the user will still be able to continue the conversation. The two parts use separate boards and processors, run different operating systems started by different bootloaders and, of course, do not share RAM. More interesting is that they are "poorly" coupled and communicate with each other over a UART serial line to pass commands, the same old way a 386 communicated with a modem plugged into a COM port 14 years ago. The protocol (Hayes command set) is 30 years old, human readable and extensible: even relatively new functions such as "unlocking" are done over AT commands.
Documentation
Article about how to create a middle layer between AP and BP: Part 1, Part 2
Injecting SMS Messages into Smartphones for Security Analysis (article)
Open source implementation of the GSM stack: osmocom
GSM protocol analysis: A5
File:Nucleus manuals.tar.bz2 Nucleus Manuals
File:Nucleus src.tar.gz Nucleus PPC 1.12 source
File:Bp interface.tar.bz2 AT interface to BP
Reverse Engineering
Wrigley 3G uses RTXC as its baseband RTOS (Manual, SDK and headers); the Droid uses the Rex RTOS.
Open source MUX driver for 3GPP 27.010: mux0710
Code interacting with the modem (still needs to be reverse engineered):
libmotdb.so
libmot_mead_jni.so
libmot_atcmd_mflex.so
libmod_atcmd.so
libril.so
libril-moto-umts-1.so
location
opprofdaemon
protocol_driver
tcmd
ril_tcmd
bplogd_daemon
nvm_daemon
panic_daemon
ssmgrd
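The 3GPP 27.010 MUX mentioned above carries the AT traffic between AP and BP in framed channels (DLCIs). The following is an added example, not code from this wiki or from mux0710: it builds and parses basic-mode 27.010 frames, including the spec's reflected CRC-8 FCS, so that frames captured from the serial line or from a log can be checked and decoded offline. The sample frames are constructed here.

```python
# 3GPP 27.010 (GSM 07.10) basic-mode framing: build and parse frames.
# Constructed example; the SABM frame F9 03 3F 01 1C F9 is the well-known
# "open control channel DLCI 0" frame used to verify the FCS routine.
FLAG = 0xF9
SABM, UA, DISC, UIH = 0x2F, 0x63, 0x43, 0xEF   # control field values
PF = 0x10                                       # poll/final bit

def fcs(data: bytes) -> int:
    """CRC-8, polynomial x^8+x^2+x+1 bit-reflected (0xE0), init 0xFF (27.010 Annex B)."""
    crc = 0xFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xE0 if crc & 1 else crc >> 1
    return crc

def build_frame(dlci: int, control: int, payload: bytes = b"", initiator: bool = True) -> bytes:
    """Address octet = DLCI<<2 | C/R | EA; one- or two-octet length with EA bit."""
    address = (dlci << 2) | (0x02 if initiator else 0x00) | 0x01
    n = len(payload)
    length = bytes([(n << 1) | 1]) if n < 128 else bytes([(n & 0x7F) << 1, n >> 7])
    header = bytes([address, control]) + length
    # For UIH (and the control frames) the FCS covers only the header octets
    return bytes([FLAG]) + header + payload + bytes([0xFF - fcs(header), FLAG])

def parse_frame(frame: bytes) -> dict:
    """Decode one frame; raise ValueError on framing, length or FCS errors."""
    if len(frame) < 5 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag octet")
    address, control = frame[1], frame[2]
    if frame[3] & 1:                       # EA=1: single length octet
        n, hdr_len = frame[3] >> 1, 3
    else:                                  # EA=0: 15-bit length over two octets
        n, hdr_len = (frame[3] >> 1) | (frame[4] << 7), 4
    if len(frame) != hdr_len + n + 3:
        raise ValueError("length field does not match frame size")
    header = frame[1:1 + hdr_len]
    payload = frame[1 + hdr_len:1 + hdr_len + n]
    received_fcs = frame[1 + hdr_len + n:2 + hdr_len + n]
    # Running the CRC over header plus received FCS must leave the constant 0xCF
    if fcs(header + received_fcs) != 0xCF:
        raise ValueError("bad FCS")
    return {"dlci": address >> 2, "cr": bool(address & 0x02),
            "control": control & ~PF & 0xFF, "poll": bool(control & PF),
            "payload": payload}
```

Because the FCS of a UIH frame does not cover the payload, a corrupted AT command inside such a frame passes this check; only the header is protected.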
Enabling logging of all modem protocol traffic
To enable logging of ALL data sent to and received from the modem, run as root:
echo "1" > /proc/netmuxlog
All traffic with the modem (including the full data) will then be logged in the dmesg output.