## Introduction
MediaTek is a fabless semiconductor company that makes, among other
things, smartphone SoCs with built-in LTE modems. These SoCs interest me
for the following reasons:
- They're cheap.
- They're extremely popular.
- They're used in many inexpensive LTE smartphones.
- They primarily use off-the-shelf IP cores, which for the ARM cores means
documentation is publicly available.
- Their Linux kernel sources are generally available, though not always
buildable.
- While the BSPs for these SoCs usually support code signing/image
verification/etc., most phones based on them either don't enable it or
implement it incorrectly, enabling us to run our own code and build our
own firmware.
- You can usually find their datasheets, TRMs, register manuals,
functional specifications, and reference designs leaked online.
- Everyone else is interested in Qualcomm SoCs, so MediaTek SoCs are
currently low-hanging fruit. :)

The LTE modem in these SoCs consists of two main components:
- A Cortex-R4 to handle the LTE protocol.
- A Coresonic DSP to handle the data-to-RF conversion.

The initial goals of this project are to reverse engineer the Coresonic
DSP, its "SIMT" instruction set, the interface between the Cortex-R4 and
the Coresonic DSP, and the interface between the Cortex-R4 and the SoC's
applications processor. Doing this will empower users to build custom
modems using inexpensive, off-the-shelf Android smartphones. Some examples
of what would be possible:
- Over-engineered walkie-talkie.
- Cognitive radio in TV whitespace.
- Dongle-free smartphone digital TV receiver.
- Dongle-free smartphone SDR/spectrum analyzer.
- Free Software LTE modem.

This repository will track the notes I write and the tools I build to
do all of this.

## Current Progress
See the "General-Notes.md" file in this directory for general information
about MediaTek's LTE modems and SoCs. Information specific to individual
subsystems can be found in the "Notes.md" files in their respective
subdirectories.

The DSP firmware can be decoded. See the "DSP" directory for some scripts
that do this and for the notes on my findings.

The "Documents.md" file contains a list of research papers, presentations,
and patents that are or might be relevant to this project.