This post is intended for those who are interested in the inner workings of TI-based firmwares and their history; those with a "user" perspective may feel free to skip it. :)
If you've been playing with FreeCalypso rvinterf tools and studying their source, which is currently the only documentation for most of them, then you undoubtedly know about ETM. ETM stands for Enhanced Test Mode, and it's a component in our reference TCS211 fw (reproduced in our not-quite-there gcc-built gsm-fw) that receives and dispatches some "Test Mode" commands that can be sent to the running fw from an external host. As I have long suspected, prior to ETM TI had an earlier, non-enhanced "plain" Test Mode component: just TM. This non-enhanced TM component lives inside L1, so it can also be called L1TM or TML1. It still exists in the newer firmwares that have ETM, as it is needed for RF test modes (think RF calibration), and it coexists with ETM in those firmwares which have the latter. But it was only in the past few days that I took the time to get a better understanding of this older non-enhanced TM stuff which still lives on in TCS211.

Studying L1TM as it exists in TCS211 is a bit difficult because, by virtue of being a part of L1, it's in a binary lib (unlike ETM, which is in the source part), and as with most of L1, the version in the LoCosto source is heavily mutilated relative to TCS211. However, I was able to determine the following:

* The RVTMUX channel which I have previously been calling "ETM" was originally for just TM, and in firmwares like our TCS211 reference which have both ETM and L1TM it accepts the old TM3 command packets as well as the new ETM ones. Thus the RVTMUX channel itself should more properly be called "TM" rather than ETM.

* ETM_CORE provides commands for reading and writing memory and ABB registers. Prior to ETM, similar functionality was provided by the old TM, although in a slightly more primitive form (no commands for reading and writing 16-bit or 32-bit words in particular).
This factoid is significant as follows:

* When I first figured out how to break into locked-down C139 phones with TracFone branding (IIRC it was late spring of 2014), I was describing it in terms like "standard ETM memory read and write commands have been disabled, but they have a memory write command of their own invention which still works". This description is incorrect. Instead, the memory write command which I thought was of Compal's invention (the one used by the tfc139 hack) turns out to be TI's standard memory write command from pre-ETM days, and Compal's fw just happens to use the old TM without ETM - that's why fc-tmsh ETM commands didn't work against Compal's fw, not because they were somehow artificially disabled.

In light of these discoveries, I just pushed the following changes to freecalypso-sw:

* The doc/RVTMUX write-up has been updated to explain the new understanding of TM and ETM, as well as their relation to TMFFS1 and TMFFS2 - read that doc if you are interested in such things.

* I added a new doc/TFC139-breakin article explaining how the malicious bootloader lock works and how our break-in method works. I had previously explained it in postings on the OsmocomBB mailing list (that was May of 2014, hence long before our own list), but (a) my explanation at the time was based on my incorrect understanding at the time and (b) Osmocom folks screwed up at some point and lost their mailing list archives, so the links to those old write-ups are now dead. The new write-up replaces the old ones.

* I made a minor code change to the 3 utilities under rvinterf/lowlevel, i.e., rvtdump, rvinterf and tfc139. The change is purely cosmetic and does not change the functionality at all: packets coming from RVTMUX channel 0x14 (now correctly called "TM", but previously thought of as "ETM") are now displayed as "TM: blah" instead of "ETM: blah". The function that does the deed has also been renamed from print_etm_output_raw() to print_tm_output_raw().
The change is especially appropriate for tfc139: the firmware to which this hack-utility talks has old TM but not ETM, hence saying "ETM" in tfc139 is plain wrong.

That's all I have for now. I have not yet spent any significant time looking into the juicy part of L1TM that implements RF test modes - we'll need to delve into that stuff later in order to do our own RF calibration, but not tonight.

Happy hacking,
Mychaela

_______________________________________________
Community mailing list
[email protected]
https://www.freecalypso.org/mailman/listinfo/community
