BP firmware

From MILEDROPEDIA

Introduction

Modern smartphones are made of two parts: the "smart" part (the application processor, AP) and the "phone" part (the baseband processor, BP). They are largely independent of each other; on the iPhone, for example, MacOSX can crash during a call and the user will still be able to continue the conversation. The two parts use separate boards and processors, run different operating systems started by different bootloaders and, of course, do not share RAM. More interesting is that they are only loosely coupled and communicate with each other over a UART serial line to pass commands, the same old way a 386 talked to a modem plugged into a COM port 14 years ago. The protocol (the Hayes command set) is 30 years old, human readable and extendable: even relatively new functions such as "unlocking" are done over AT commands.

Documentation

Article on how to create a middle layer between AP and BP: Part 1, Part 2

Injecting SMS Messages into Smartphones for Security Analysis (article)

Open source implementation of the GSM stack: osmocom

GSM protocol analysis A5

GSM Introduction

GSM Trace

TI GSM implementation

File:Nucleus manuals.tar.bz2 Nucleus Manuals

File:Nucleus src.tar.gz Nucleus PPC 1.12 source

Android and Nucleus

Interesting material about the C55x RTOS

File:Bp interface.tar.bz2 AT interface to BP

Reverse Engineering

The Wrigley 3G uses RTXC as its baseband RTOS (manual, SDK and headers); the Droid uses the Rex RTOS

Open source 3GPP 27.010 mux driver: mux0710

Code that interacts with the modem (still to be reverse engineered):

libmotdb.so
libmot_mead_jni.so
libmot_atcmd_mflex.so
libmod_atcmd.so
libril.so
libril-moto-umts-1.so
location
opprofdaemon
protocol_driver
tcmd
ril_tcmd
bplogd_daemon
nvm_daemon
panic_daemon
ssmgrd

Enabling logging of all modem protocol traffic

To enable logging of ALL data sent to and received from the modem, run the following as root:

echo "1" > /proc/netmuxlog

All traffic with the modem (including the data payload) will then be logged in the dmesg output.
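As an added example (not code from this wiki or from the Motorola binaries listed above), the following Python script takes a captured AP-to-BP AT conversation, such as the text recovered from the dmesg log described above, and splits it into command/response exchanges and unsolicited result codes, so that failed commands and BP-initiated events (incoming SMS, registration changes) can be picked out of a trace. The sample stream, the set of unsolicited prefixes and the assumption that the netmuxlog lines have already been reduced to raw AT text are all constructed for this example; the exact netmuxlog line format is not documented here.

```python
import re

# Final result codes that end an AT exchange (3GPP TS 27.007 / 27.005 result codes).
FINAL_EXACT = ("OK", "ERROR", "NO CARRIER", "BUSY", "NO ANSWER", "NO DIALTONE")
FINAL_PREFIXES = ("+CME ERROR:", "+CMS ERROR:", "CONNECT")
# Unsolicited result codes the BP can emit at any time (assumed list, not exhaustive).
URC_PREFIXES = ("+CMTI:", "+CMT:", "+CREG:", "+CLIP:", "RING")

# Constructed sample of a captured AP<->BP AT conversation (not real device output).
SAMPLE = (
    "AT+CGMI\r\n\r\nMotorola\r\n\r\nOK\r\n"
    "AT+CMGF=1\r\n\r\nOK\r\n"
    "\r\n+CMTI: \"SM\",3\r\n"  # new SMS indication arrives between two commands
    "AT+CMGR=3\r\n+CMGR: \"REC UNREAD\",\"+15550000000\",,\"11/03/01,10:20:30+00\"\r\n"
    "hello\r\n\r\nOK\r\n"
    "AT+CPIN?\r\n\r\n+CME ERROR: 10\r\n"
)

def parse_at_stream(stream):
    """Split a raw AT text stream into (exchanges, unsolicited)."""
    exchanges, unsolicited, current = [], [], None
    for raw in re.split(r"\r\n|\r|\n", stream):
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("AT"):
            if current and current["command"] == line and not current["responses"]:
                continue  # command echo (ATE1) repeated by the BP, not a new command
            if current:
                exchanges.append(current)  # previous command never got a final code
            current = {"command": line, "responses": [], "final": None}
        elif line.startswith(URC_PREFIXES):
            unsolicited.append(line)  # URCs may interleave with a pending command
        elif current is None:
            unsolicited.append(line)  # continuation of a URC, e.g. the PDU after +CMT:
        elif line in FINAL_EXACT or line.startswith(FINAL_PREFIXES):
            current["final"] = line
            exchanges.append(current)
            current = None
        else:
            current["responses"].append(line)
    if current:
        exchanges.append(current)
    return exchanges, unsolicited

def error_exchanges(exchanges):
    """Commands that got an error result code or no final result code at all."""
    return [e for e in exchanges if e["final"] is None or
            (e["final"] != "OK" and not e["final"].startswith("CONNECT"))]
```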