porting osmocom-bb to mediatek chips (62xx)

• drop out of distraction technology
• know "what's inside" the device in my pocket

• sciphone dream g2 (mt6235)
• fernvale (mt6260)
• sim800 (mt626x)
• watch phones (mt6261)
• zte obsidian (mt6735) 4G/LTE
• orange pi 4g iot (mt6737) 4g/LTE

• poked around several MTK devices with BROM protocol (626x, 6735, 6737)
  • https://github.com/unrznbl/mtk-open-tools/blob/multi-device-support/simple-serial.py
• ported usb serial support from fernly to osmocom-bb (fernvale)
  • linker script, after fernly code runs, osmocom-bb firmware can be loaded and run at 0x0
  • USB serial code is roughly integrated into osmocom-bb
  • simple blinky light and serial output just to ensure firmware is "alive"
  • https://gitlab.com/unrznbl/fernly/tree/mtk-layer1
  • https://gitlab.com/unrznbl/osmocom-bb/tree/mtk-layer1
• ported txburst from uboot back to osmocom-bb demo in loader_mtk firmware (sciphone dream g2)
  • brought back lots of register and value information from uboot-mt623x to osmocom-bb
  • txburst works on sciphone dream g2 via loader_mtk txburst <arfcn> command from host
  • foundation for rx/FCCH/SCCH/etc
  • https://gitlab.com/unrznbl/osmocom-bb/tree/sciphone-txburst
• static analysis of "facts" from leaked 6260/6261 source/binaries related to baseband
  • made Makefile and small bundle of .c|.h files from leaked source to focus on baseband
  • started using ghidra to RE elf binaries in search of details about FCCH/FB state machine
• researched and correlated facts from MT6235 data sheet with leaked source
• begun carefully analyzing and cross-checking facts in txburst code with source/binaries/datasheet

• 2G chips
  • MTK60D-11B1308-V2 (6260)
  • 11BW1308MP_PYCINDA60A_6464_11B_BB_V15 (6260)
  • 11CW1352MP_CENON61D_3232_11C_V2_GPRS_MMI (6261)
  • 11CW1352MP_VITA61A_BT_11C_V5_GPRS_MMI (6261)
• all include l1_dm directory with same basic layer1 2G code (not complete)
• elf binary with symbols (nice for RE)
  • MTK60D-11B1308-V2/build/public/PUBLIC_BOOTLOADER_V005_MT6260_MAUI_11B_W13_08_MP_V1_ext.elf
• includes code for part of layer1 supporting:
  • FPGA target (some development stage?)
  • many many 62xx chips
  • >=MT6229 looks to be related to MT6235/MT6140 in sciphone dream g2
• some info about RF chips
  • MTK60D-11B1308-V2/custom/l1_rf
  • 6129, 6139, 6140, 6251, 6260, AD6546, AD6548, SKY74137
  • quarter bit timings for various parts of layer1
  • BPI pin connections
• 4G/LTE chip
  • MOLY.LR9.W1444.MD.LWTG.MP.V88 (6737)
  • (FDD)MT6795.MOLY.LR9.W1423.MD.LWTG.MP.V24 / (TDD)MT6795.MOLY.LR9.W1423.MD.LWTG.CMCC2.MP.V5
  • has some interesting >2g code
    • MediaTek-HelioX10-Baseband-1/(TDD)MT6795.MOLY.LR9.W1423.MD.LWTG.CMCC2.MP.V5/interface/modem
    • MediaTek-HelioX10-Baseband-1/(TDD)MT6795.MOLY.LR9.W1423.MD.LWTG.CMCC2.MP.V5/modem
  • some code related to MT6169 LTE transciever

• Baseband Serial Interface (BSI)
  • has immediate mode and scheduled mode
  • write values to several registers (0,1,2,9,11) for things like
  • https://gitlab.com/unrznbl/osmocom-bb/blob/sciphone-txburst/src/target/firmware/include/mtk/mt6140.h#L15
  • MTK60D-11B1308-V2/l1_dm/l1d_ext/m12196.c
    • Frequency Band
    • Gain Table
    • TX/RX
• Baseband Parallel Interface (BPI)
  • parallel access to enable/disable pins connected to transcieve chip
  • https://gitlab.com/unrznbl/osmocom-bb/blob/sciphone-txburst/src/target/firmware/include/mtk/mt6140.h#L66
  • MTK60D-11B1308-V2/custom/l1_rf/MT6140_CUSTOM/l1d_custom_rf.h

TODO: see osmocom wiki later in 2019

TODO: see osmocom wiki later in 2019

• get FCCH and SCCH sync working
• refactor osmocom-bb to work with both calypso and mt6235
• rssi firmware with BTS sync
• layer1 firmware
• port to fernvale/sim800
• port layer1+mobile to nuttx or linux
• make my rockphone, custom PCB/case