## Introduction
MediaTek is a fabless semiconductor company that makes, among other
things, smartphone SoCs with built-in LTE modems. These SoCs interest me
for the following reasons:
- They're cheap.
- They're extremely popular.
- They're used in many inexpensive LTE smartphones.
- They primarily use off-the-shelf IP cores, which for the ARM cores means
documentation is publicly available.
- Their Linux kernel sources are generally available, though not always
buildable.
- While the BSPs for these SoCs usually support code signing/image
verification/etc., most phones based on them either don't enable it or
implement it incorrectly, enabling us to run our own code and build our
own firmware.
- You can usually find their datasheets, TRMs, register manuals,
functional specifications, and reference designs leaked online.
- Everyone else is interested in Qualcomm SoCs, so MediaTek SoCs are
currently low-hanging fruit. :)
The LTE modem in these SoCs consists of two main components:
- A Cortex-R4 to handle the LTE protocol.
- A Coresonic DSP to handle the data-to-RF conversion.
The initial goals of this project are to reverse engineer the Coresonic
DSP, its "SIMT" instruction set, the interface between the Cortex-R4 and
the Coresonic DSP, and the interface between the Cortex-R4 and the SoC's
applications processor. Doing this will empower users to build custom
modems using inexpensive, off-the-shelf Android smartphones. Some examples
of what would be possible:
- Over-engineered walkie-talkie.
- Cognitive radio in TV whitespace.
- Dongle-free smartphone digital TV receiver.
- Dongle-free smartphone SDR/spectrum analyzer.
- Free Software LTE modem.
This repository will track the notes I write and the tools I build to
do all of this.
## Current Progress
The DSP firmware can be decoded. See the "DSP" directory for scripts that
do this and for the notes on my findings.