Updated understanding of TI's Test Mode components

Mychaela Falconia falcon at ivan.Harhan.ORG
Sun Nov 15 07:48:52 CET 2015


This post is intended for those who are interested in the inner
workings of TI-based firmwares and their history; those with a "user"
perspective may feel free to skip it. :)

If you've been playing with FreeCalypso rvinterf tools and studying
their source, which is currently the only documentation for most of
them, then you undoubtedly know about ETM.  ETM stands for Enhanced
Test Mode, and it's a component in our reference TCS211 fw (reproduced
in our not-quite-there gcc-built gsm-fw) that receives and dispatches
some "Test Mode" commands that can be sent to the running fw from an
external host.

As I have long suspected, prior to ETM, TI had an earlier, non-enhanced
"plain" Test Mode component: just TM.  This non-enhanced TM component
lives inside L1, so it can also be called L1TM or TML1.  It still
exists in the newer firmwares that have ETM, as it is needed for RF
test modes (think RF calibration), and it coexists with ETM in those
firmwares which have the latter.

But it was only in the past few days that I took the time to get a
better understanding of this older non-enhanced TM stuff which still
lives on in TCS211.  Studying L1TM as it exists in TCS211 is a bit
difficult because by virtue of being a part of L1 it's in a binary lib
(unlike ETM which is in the source part), and as with most of L1, the
version in the LoCosto source is heavily mutilated relative to TCS211.
However, I was able to determine the following:

* The RVTMUX channel which I have previously been calling "ETM" was
  originally for just TM, and in firmwares like our TCS211 reference
  which have both ETM and L1TM it accepts the old TM3 command packets
  as well as the new ETM ones.  Thus the RVTMUX channel itself should
  more properly be called "TM" rather than ETM.

* ETM_CORE provides commands for reading and writing memory and ABB
  registers.  Prior to ETM similar functionality was provided by the
  old TM, although in a slightly more primitive form (no commands for
  reading and writing 16-bit or 32-bit words in particular).  This
  factoid is significant as follows:

* When I first figured out how to break into locked-down C139 phones
  with TracFone branding (IIRC it was late spring of 2014), I was
  describing it in terms like "standard ETM memory read and write
  commands have been disabled, but they have a memory write command of
  their own invention which still works".  This description is
  incorrect.  Instead the memory write command which I thought was of
  Compal's invention (the one used by the tfc139 hack) turns out to be
  TI's standard memory write command from pre-ETM days, and Compal's
  fw just happens to use the old TM without ETM - that's why fc-tmsh
  ETM commands didn't work against Compal's fw, not because they were
  somehow artificially disabled.

In light of these discoveries, I just pushed the following changes to
freecalypso-sw:

* The doc/RVTMUX write-up has been updated to explain the new
  understanding of TM and ETM, as well as their relation to TMFFS1 and
  TMFFS2 - read that doc if you are interested in such things.

* I added a new doc/TFC139-breakin article explaining how the malicious
  bootloader lock works and how our break-in method works.  I had previously
  explained it in postings on the OsmocomBB mailing list (that was May of 2014,
  hence long before our own list), but (a) my explanation at the time was based
  on my incorrect understanding at the time and (b) Osmocom folks screwed up
  at some point and lost their mailing list archives, so the links to those
  old write-ups are now dead.  The new write-up replaces the old ones.

* I made a minor code change to the 3 utilities under rvinterf/lowlevel, i.e.,
  rvtdump, rvinterf and tfc139.  The change is purely cosmetic and does not
  change the functionality at all: packets coming from RVTMUX channel 0x14
  (now correctly called "TM", but previously thought of as "ETM") are now
  displayed as "TM: blah" instead of "ETM: blah".  The function that does the
  deed has also been renamed from print_etm_output_raw() to
  print_tm_output_raw().  The change is especially appropriate for tfc139: the
  firmware to which this hack-utility talks has old TM but not ETM, hence
  saying "ETM" in tfc139 is plain wrong.

That's all I have for now.  I have not yet spent any significant time
looking into the juicy part of L1TM that implements RF test modes -
we'll need to delve into that stuff later in order to do our own RF
calibration, but not tonight.

Happy hacking,
Mychaela
