openm...@pulster.de (Christoph Pulster) wrote:
is there any geek out there who can extract from the secret GSM chipset
documents on the Chinese site, if there is any hidden backdoor channel
(for governmental purposes e.g.) ? or any other strange secret GSM
modem commands ?
If such a secret backdoor exists, it would be in the DBB firmware, not
hardware. When it comes to the strictly-hardware pieces of the Calypso
GSM chipset (DBB hardware, the ABB chip and the RF chips), I have already
succeeded in locating (on the Chinese 52RD forum) what appears to be
100% of the HW documentation set that was given to phone makers such as
FIC/Om. The only part that isn't documented are the inner workings of
the DSP block inside the DBB, but in my opinion that part is too
low-level to have been an effective place for TI to hide a backdoor.
As far as we know, TI had never shared the workings of their DSP with
their customers, instead they were expected to use TI's Layer1 code
which runs on the ARM7 in the DBB and talks to the DSP part.
If anyone would like to look at these Calypso HW docs for themselves, it
is no longer necessary to endure the pain of plowing through the 52RD
forum in Chinese: all of these docs I have found can now be downloaded
much more conveniently from my FTP site:
ftp://ifctfvax.Harhan.ORG/pub/GSM/Calypso/
Download those documents (a good bit more than the two PDFs ti-calypso1.pdf
and ti-calypso2.pdf which have been widely circulated previously), look
at them and decide for yourself whether or not a backdoor could plausibly
hide in the hardware layers, below the firmware - I personally don't
think so.
The DBB firmware is an entirely different story though: it would
definitely be the place to put in backdoors and whatnot. It is my
belief based on logical reasoning that TI must have provided at least a
partial source package to their major customers like Motorola, Nokia,
etc (just happens to include FIC/Om as well). On simple features phones
without an application processor the Calypso controls the UI, and the
makers of these feature phones had most certainly tweaked the UI to add
their own flavor.
The HW docs on my FTP site include full hardware schematics (5 sheets,
of which 2 are decorative, i.e., the meat of the circuit is fully
covered by just 3 schematic sheets) for a reference design called
Leonardo. Two versions of it in fact: the original Leonardo which
supported 900 1800 MHz bands, and Leonardo+ which supports all 4 bands.
The only difference is in the passive RF front-end chip (aka the antenna
switch), the Rita chip TRF6151 appears to have always supported all 4
bands from the start! (The implication is that the little passive RF
chip is all that keeps GTA02 from supporting all 4 bands as well!)
The Leonardo board for which we-the-People now possess the full HW
schematics is nothing less than a 100% functional basic phone: LCD with
a backlight, classic phone keypad (10 digits plus * and #, call and
hang-up buttons, 4 UI navigation buttons, power button overlayed on the
end call button like in many classic phones) with a backlight, speaker
and microphone, vibracall, battery, old-fashioned combined jack for
charger/headset/data: the whole enchilada. Anyone making a basic phone
simply had to take that board, make some very slight modifications to it
(the Leonardo board has just one speaker, so I guess one needs to
separate the earpiece from the loudspeaker or use a piezo buzzer instead
of the latter to play the ringing alert: Calypso has a special output to
drive the latter kind), slap it into a plastic case, and voila, you've
built a cellphone!
It only stands to reason that all those customers who had received the
Leonardo board from TI along with the docs for all of the chips on that
board (which are also on my FTP site) must have also received a copy of
the firmware driving that board. While the rumors are that most of the
low-level guts of that firmware came as binary blobs (which I reason to
have been ARM ELF .o files), at least the superficial layers must have
arrived in source form: the customers must have had the ability to
differentiate their UI (I reason that TI's starting code had some basic
UI in it already to exercise the LCD and keypad on the Leonardo board),
and one also needs to modify the source slightly to accommodate product
differences such as single, dual, triple or quad GSM band.
Hence one of the holy grails I'm searching for is a copy of the intended-
for-customization fw package that came with the Leonardo board, however
much of it may be in the form of ARM ELF .o modules. I can only reason
that this package must have been Om's starting point, exactly the same
as Motorola, Nokia etc.
I'm still plowing through the 52RD forum, hoping to find the magic package
there. But I haven't found it yet, so I'm starting to worry that it may
not be there, unless I've been looking in the wrong part of the forum.
I don't understand why though: whoever it
