BenQ M32 modem modules

Mychaela Falconia mychaela.falconia at gmail.com
Mon Sep 4 18:02:58 UTC 2017


Hi DS!

> On this subject I received my BenQ M32 module from China. It comes with
> a PCB with holes for 2.54mm headers which is nice. I supplied VBAT and
> VBATRF with 3.5V, set PWRON to ground and the module was able to come
> to life. I used fc-loadtool in the dsample configuration with a CP2102
> connected to TX2/RX2 and dumped the flash memory.

Ah, you beat me to it!  I was planning on doing just that myself. :-)

> The result for the
> curious, is at ftp://ftp.freecalypso.org/pub/GSM/BenQ/flash-ds.img

Observations from examining this image:

* There is no FFS in TI's format, instead they replaced it with some
hacks of their own.  The 15 flash sectors starting at 0x300000 contain
data structures that must be BenQ's idea of FFS, and there are some
bits in the first sector at 0x300000 that look like RF calibration
tables.

* The strings visible in the image indicate that BenQ's fw was derived
from TI's mainline: Nucleus, RiViera, GPF, ETM and a bunch of other
classic TI fw components are visible.  But just because the code is
there does not mean that it is used: all of TI's FFS code is there too
in terms of its tell-tale strings, yet we see that they aren't using
TIFFS.

> (Mychaela, feel free to move or rename the file if appropriate).

The location is exactly where I would have put it, and your choice of
filename is fine too.

> I'm not planning to do more work on this module since the RF frontend
> uses unknown components, but still it's nice to see it works ootb.

If you power it up without fc-loadtool, does it emit any debug traces
on that 2nd UART in TI's format?  Anything that rvtdump can decode?

> For reference this is where I bought it: www.ebay.com/itm/-/230864246747

Yup, the same place where I got mine.  This seller appears to have the
last remaining stock of these modules.  The ebay listing says "More
than 56% sold", so my guess is that they have more than 10 but fewer
than 40 of these modules left, and once they are out, there is no more
of this obscure historical product anywhere.  I bought 15 of them.

The unavailability of these BenQ modems beyond a handful of pieces for
hard-core hackers like us is not something that we need to shed any
tears over though, I feel: with no corresponding source for their
firmware and no ability to put our own fw on their hw because of the
weird RF chips, it is just another proprietary modem module running
proprietary fw that cannot be studied or modified, and unlike the
Pirelli DP-L10 (which is otherwise a similar situation) we don't even
get to play with their FFS.  If their fw emits debug traces in TI's
format which our rvtdump can grok, that would be one advantage of this
modem module over non-TI-based ones, but that's about it.

As I see it, the only real value in these BenQ modem modules is that
we can use their PCB design as a "cheat sheet" reference for how to
build our own Calypso-based modem in the form factor of an SMT module.

M~


More information about the Community mailing list