FreeCalypso > hg > freecalypso-reveng
annotate pirelli/rfcal @ 191:0c631396b8ce
started grokdsn utility, parses header successfully
| author | Michael Spacefalcon <falcon@ivan.Harhan.ORG> |
|---|---|
| date | Wed, 07 Jan 2015 06:55:33 +0000 |
| parents | 827b8977d3c2 |
| children | 30ba25056ecd |
| rev | line source |
|---|---|
|
181
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
1 The 64 KiB flash sector at 0x027F0000 (the last sector of the 2nd flash bank) |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
2 contains per-unit factory data, including the IMEI and RF calibration values. |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
3 The location of the IMEI record (at offset 0x504) was found back in 2013-07 and |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
4 its encryption was figured out in 2013-11, but it took a bit longer to find the |
|
183
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
5 RF calibration data. But I finally found most of the latter as well. Here |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
6 they are: |
|
181
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
7 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
8 Hex offset Corresponding FFS file in TI's canonical version |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
9 ---------------------------------------------------------------- |
|
183
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
10 06E5 /sys/adccal |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
11 0709 checksum byte |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
12 |
|
181
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
13 072B /gsm/rf/tx/ramps.900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
14 092B checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
15 092C /gsm/rf/tx/levels.900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
16 09AC checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
17 09AD /gsm/rf/tx/calchan.900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
18 0A2D checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
19 0A2E /gsm/rf/tx/ramps.1800 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
20 0C2E checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
21 0C2F /gsm/rf/tx/levels.1800 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
22 0CAF checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
23 0CB0 /gsm/rf/tx/calchan.1800 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
24 0D30 checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
25 0D31 /gsm/rf/tx/ramps.1900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
26 0F31 checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
27 0F32 /gsm/rf/tx/levels.1900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
28 0FB2 checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
29 0FB3 /gsm/rf/tx/calchan.1900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
30 1033 checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
31 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
32 10AF /gsm/rf/rx/agcparams.900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
33 10D7 checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
34 10D8 /gsm/rf/rx/calchan.900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
35 10E0 checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
36 10E1 /gsm/rf/rx/agcparams.1800 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
37 1109 checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
38 110A /gsm/rf/rx/calchan.1800 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
39 1112 checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
40 1113 /gsm/rf/rx/agcparams.1900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
41 113B checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
42 113C /gsm/rf/rx/calchan.1900 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
43 1144 checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
44 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
45 Each calibration record is followed by a checksum byte. It is a simple ripple- |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
46 carry sum of all bytes in the preceding record. Note that this checksum byte |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
47 is always 0 for the ramps records, as each correctly-formed ramp adds up to 128 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
48 (0x80), and the array has an even number of ramps in total. |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
49 |
|
183
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
50 Unfortunately though, I have not been able to locate these two records: |
|
181
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
51 |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
52 /gsm/rf/afcdac |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
53 /gsm/rf/afcparams |
|
bf4286245c74
Pirelli's RF calibration cracked
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
54 |
|
183
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
55 These two files appear in Openmoko's FFS on GTA02 modems, and the byte content |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
56 differs for each physical unit, so I assume that these values really do need to |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
57 be calibrated per unit, but I haven't been able to locate them in Pirelli's |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
58 factory data block. /gsm/rf/afcdac is only 2 bytes long, thus very hard to |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
59 spot visually in a hex dump of an unknown larger data structure; |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
60 /gsm/rf/afcparams is 24 bytes long and has some structure to it, so I was |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
61 hoping to recognize the latter, but no luck. |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
62 |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
63 We will have to try running uncalibrated, or perhaps we'll find the code in |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
64 Pirelli's fw that fills the parts of the T_RF structure that are normally read |
|
827b8977d3c2
pirelli/rfcal: found /sys/adccal, no luch with /gsm/rf/afc*
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
181
diff
changeset
|
65 from these files. |