Access to GSM memory on HTC PDAs - Windows Mobile Development and Hacking General

Is it that hard to get read-only access to GSM processor memory? I know that in smartphones memory is shared, but in PDAs it is not (I'm specifically interested in the Magician). Is there some kind of mechanism by which the main CPU can access GSM memory? I know itsme was trying to re-create rsupgrade, which is able to flash the radio stack: http://www.xs4all.nl/~itsme/projects/xda/xda-rsupgrade.html, but it seems that no solution was found. There is also an incomplete description of the corresponding protocol at http://www.xs4all.nl/~itsme/projects/xda/serial-protocols.html, but it is not clear whether we can access normal GSM RAM this way or only flash...
Can people share with me some ideas on how this issue can be solved? Maybe there is a simple way of doing that, but I cannot see it...
P.S. If someone is interested - I want to get access to information about nearby cell towers like these people do: http://celltrack.spv-developers.com/?act=demo

Related

direct GSM access?

I am particularly interested in the wizard, however on a fundamental level WM will most likely operate the same across most models in respect to this issue (or at least that is the theory).
I realize that most GSM boards have processors on them which do things like channel syncing (which is fairly time sensitive since it's TDMA & FDMA), A5, GSM framing, and all that. You more or less connect a SIM, speaker and mic, and treat the GSM RF board as a black box.
I am hoping that somewhere someone has unearthed something that allows more direct control over the GSM board on these phones. I am aware of engineering mode, however that is not quite what I wanted.
I would like to be able to at the very least set the call parameters before a call goes out. For example, let's say that I want to disable A5: since there are 3 standard levels, one being no encryption, and the tower and the phone negotiate and agree upon the highest common one, something in the phone somewhere has to say that it supports encryption.
I am just uncertain if all that is buried away in a 'black box' somewhere and it's not a software problem from within WM.
If anyone has any ideas I would greatly appreciate it, even if they are pointers to research material that may help me out a bit.
On WinMobile the GSM part is isolated from the Windows part, just as in a normal PC the modem hardware is isolated from the mainboard. The GSM part has its own CPU, RAM, ROM and operating system, and communicates with Windows via a COM port (or a USB port in the Universal). For example, the Universal has a Qualcomm MSM6250 chip with some proprietary OS. The HTC Himalaya had a different chip (I don't remember it now), and its OS was based on the Nucleus RTOS. The Anextek SP200 communicator had a Siemens MC45 modem inside.
The GSM hardware is a black box for the WinMobile OS. MS specifies only some recommendations for OEMs, and controlling encryption is not among them. You can control it if the GSM vendor supports some AT command, or some other proprietary method (maybe via a dev_specific RIL command).
In the case of the Universal, its GSM can be controlled from a PC with the usual Qualcomm diagnostic software (QXDM, QPST, etc.) when you set up the device as a pass-through bridge between the PC and the GSM module. But I don't know of any method of doing the same from inside WinMobile.
mamaich said:
The GSM hardware is a black box for the WinMobile OS.
...
You can control it if the GSM vendor supports some AT command, or some other proprietary method (maybe via a dev_specific RIL command).
In the case of the Universal, its GSM can be controlled from a PC with the usual Qualcomm diagnostic software (QXDM, QPST, etc.) when you set up the device as a pass-through bridge between the PC and the GSM module. But I don't know of any method of doing the same from inside WinMobile.
That is what I was afraid of. Most GSM radio boards (or individual chips) are set up to act that way, and since it's faster and cheaper I really don't know of anyone that hasn't done that in any phone made in the last few years.
At any rate, is there any documentation that discusses how to locate which COM port or other method is used to access the GSM device within a Wizard (or any other HTC model; odds are many of them are similar, if not identical, with this subcomponent)?
Are there any known AT commands? My first project is to write something similar to the GSM engineer mode program, obtaining BTS information. I am unsure if this is obtained only via AT commands or if it's something more involved, but welcome any information on this.
Found what appears to be half the answer at http://wiki.xda-developers.com/index.php?pagename=RIL . While that gives me access to the radio for some stuff (a location data app that can work with gsmloc.org, for example), it does not appear to enable me to set any parameters for a new call.
So if anyone knows of any tricks that would help, say for example to disable A5 crypto (on a per-call basis ideally) or something similar at the setup of a call, I would still appreciate hearing about that.
I know that the Typhoon (SPV C500 / i-mate SP3 / Dopod 565) has a memory block with GSM info data. I am trying to find it in the Magician, but no results. I don't know how the Typhoon places this info in memory.
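The AT-command route mamaich and the RIL wiki point at is the one a cell-info app like the linked celltrack demo or the gsmloc.org client can actually use. As an added example (not from this thread or any tool it names), here is a parser for the standard 3GPP TS 27.007 +CREG network-registration reports, which carry the serving LAC and cell ID once AT+CREG=2 has been sent. It assumes the radio's modem port speaks that standard AT interface; the modem log it runs over is constructed, not captured from a device.

```python
"""Decode +CREG network-registration reports from a modem's AT responses.

Added example, not code from this thread or from any of the tools it names.
It assumes the phone's radio exposes a standard 3GPP TS 27.007 AT interface
on the modem COM port, with AT+CREG=2 enabling location reporting; the
modem log below is constructed, not captured from a device.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed log: a query answer (+CREG: <n>,<stat>,...) followed by
# unsolicited reports (+CREG: <stat>,...) as the serving cell changes.
SAMPLE_LOG = """\
AT+CREG=2
OK
AT+CREG?
+CREG: 2,1,"1A2B","3C4D"
OK
+CREG: 1,"1A2B","3C4E"
+CREG: 5,"1A2C","0001",2
+CREG: 0
"""

STAT_NAMES = {
    0: "not registered, not searching",
    1: "registered, home network",
    2: "not registered, searching",
    3: "registration denied",
    4: "unknown",
    5: "registered, roaming",
}

# <lac> and <ci> are quoted hex strings; <AcT> (access technology) is optional.
CREG_RE = re.compile(
    r'^\+CREG:\s*(?P<a>\d)(?:,(?P<b>\d))?'
    r'(?:,"(?P<lac>[0-9A-Fa-f]{1,4})","(?P<ci>[0-9A-Fa-f]{1,8})"(?:,(?P<act>\d))?)?\s*$'
)


@dataclass
class CellReport:
    stat: int
    lac: Optional[int] = None   # location area code
    ci: Optional[int] = None    # cell identity
    act: Optional[int] = None   # access technology (0 = GSM, 2 = UTRAN, ...)

    @property
    def registered(self) -> bool:
        return self.stat in (1, 5)

    def describe(self) -> str:
        text = STAT_NAMES.get(self.stat, "stat=%d" % self.stat)
        if self.lac is not None:
            text += " LAC=0x%04X CI=0x%X" % (self.lac, self.ci)
        return text


def parse_creg_log(text: str) -> List[CellReport]:
    """Return one CellReport per +CREG line; other lines (echo, OK) are skipped."""
    reports = []
    for line in text.splitlines():
        m = CREG_RE.match(line.strip())
        if not m:
            continue
        # Solicited form carries <n> first, then <stat>; unsolicited has <stat> only.
        stat = int(m.group("b")) if m.group("b") is not None else int(m.group("a"))
        lac = int(m.group("lac"), 16) if m.group("lac") else None
        ci = int(m.group("ci"), 16) if m.group("ci") else None
        act = int(m.group("act")) if m.group("act") else None
        reports.append(CellReport(stat, lac, ci, act))
    return reports


def cell_changes(reports: List[CellReport]) -> List[Tuple[int, int]]:
    """Sequence of distinct (LAC, CI) pairs seen while registered."""
    seen: List[Tuple[int, int]] = []
    for r in reports:
        if r.registered and r.lac is not None:
            cell = (r.lac, r.ci)
            if not seen or seen[-1] != cell:
                seen.append(cell)
    return seen


if __name__ == "__main__":
    reports = parse_creg_log(SAMPLE_LOG)
    for r in reports:
        print(r.describe())
    print("cells visited:", ["%04X/%X" % c for c in cell_changes(reports)])
```

On a real device the constructed string would be replaced by lines read from the modem or RIL port. The parser accepts both the solicited answer to AT+CREG? and the unsolicited reports that follow, and tolerates radios that omit the access-technology field.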

Email Attachments

I searched in this forum for my specific answer and I'll be darned if I can find it. So here goes...
I am curious how well email attachments work with the different network settings for PDAs, specifically the Touch Pro (I'm hoping there won't be a difference between this and the upcoming TP2 I plan on getting).
What's the difference sending and downloading with:
GPRS
EDGE
3G (I know there are different ones, so I suppose if anyone knows that would be helpful to know each)
EVDO (Here I'm a bit confused..I know it's used for CDMA phones, but not sure of the evolution of 2G to 3G).
The reason I ask is I was planning on using a PDA to send files via email to clients I have. I work outside, so having a computer-like device in my pocket is ideal. With a micro SD card I know the device will hold all the files I need, but how well do they actually send (and I'd like to receive files too) with the different networks? I'm thinking the typical file sizes are going to be anywhere from 150kb up to maybe 2mb.
Much of the time I would be able to get close enough to hook up to wifi, but there will be times that I would really like to use one of the above.
-Are there going to be known issues?
-Does anyone use their pda a lot for this and have an opinion on the network(s) they've used?
-Is there a best network for this type of use?
I really appreciate any advice.
Thank you in advance.

Looking for a (soft?) SIM Card Sniffer

Hello,
I would like to request your help in locating a SIM card sniffer in order to better learn/observe the SIM-GSM card.
Apart from hardware devices, I had an idea which I hope to confirm in this forum:
Do you think there is a way to hook/manipulate the phone's firmware/software (e.g. a WM phone) in order to watch the transactions between the smart card and its peer (possibly a driver)? Eventually I'd like to get a sniff of APDU transactions, which will assist me in understanding the protocol, and having a soft sniffer seems much more cost-effective and less resource-intensive.
Many thanks
A WM driver will most probably communicate with the radio firmware using a higher-level protocol. The radio firmware will actually issue the SIM APDUs, so this is where such a sniffer is likely required to reside. There's usually no public/known API to plug into the radio firmware at this level and therefore no such sniffer either, AFAIK.
stepw said:
A WM driver will most probably communicate with the radio firmware using a higher-level protocol. The radio firmware will actually issue the SIM APDUs, so this is where such a sniffer is likely required to reside. There's usually no public/known API to plug into the radio firmware at this level and therefore no such sniffer either, AFAIK.
ask viperbjk ... he can help /
QMAT allows sending APDUs via AT commands.
Functions for all mobiles with AT modes:
1. Send APDUs to SIM card
2. Read out all SMS with all headers
3. Send any AT command
Sniffing is a different story.
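The APDU-over-AT route QMAT takes is the one place on a WM phone where the SIM traffic is visible without hooking the radio firmware, so a transcript of those AT commands is the closest thing to the soft sniffer asked for. As an added example (not from this thread or from QMAT), here is a decoder for such a transcript: it validates the length field of each AT+CSIM frame, splits every command into CLA/INS/P1/P2 and body per ISO 7816-4, and translates the GSM 11.11 status words. AT+CSIM is the 3GPP TS 27.007 generic SIM access command; that a given radio firmware exposes it is an assumption, and the trace is constructed.

```python
"""Decode SIM APDU exchanges carried over the 3GPP TS 27.007 AT+CSIM command.
Added example, not code from this thread or from QMAT. It assumes the radio accepts
AT+CSIM=<length>,"<hex>" and answers +CSIM: <length>,"<hex>"; the trace is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed trace: select MF, read before any EF is selected (an error), select EF_ICCID, read it.
SAMPLE_TRACE = """\
AT+CSIM=14,"A0A40000023F00"
+CSIM: 4,"9F1A"
OK
AT+CSIM=10,"A0B000000A"
+CSIM: 4,"9400"
OK
AT+CSIM=14,"A0A40000022FE2"
+CSIM: 4,"9F0F"
OK
AT+CSIM=10,"A0B000000A"
+CSIM: 24,"984400000000000000009000"
OK
"""
# GSM 11.11 instruction bytes for class A0 (subset).
GSM_INS = {0xA4: "SELECT", 0xF2: "STATUS", 0xB0: "READ BINARY", 0xB2: "READ RECORD",
           0x20: "VERIFY CHV", 0x88: "RUN GSM ALGORITHM", 0xC0: "GET RESPONSE"}
# GSM 11.11 status words (subset); 9Fxx is handled by prefix in describe_sw().
STATUS_WORDS = {
    (0x90, 0x00): "normal ending",
    (0x94, 0x00): "no EF selected",
    (0x94, 0x02): "out of range (invalid address)",
    (0x94, 0x04): "file ID / pattern not found",
    (0x98, 0x04): "access condition not fulfilled or CHV verification failed, attempts left",
    (0x67, 0x00): "incorrect parameter P3",
}
CSIM_CMD_RE = re.compile(r'^AT\+CSIM=(\d+),"([0-9A-Fa-f]*)"$', re.IGNORECASE)
CSIM_RSP_RE = re.compile(r'^\+CSIM:\s*(\d+),"([0-9A-Fa-f]*)"$')


@dataclass
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""          # command data (Lc bytes), if any
    le: Optional[int] = None   # expected response length, if any

    @property
    def name(self) -> str:
        return GSM_INS.get(self.ins, "INS 0x%02X" % self.ins)


@dataclass
class Exchange:
    command: Apdu
    response_data: bytes
    sw1: int
    sw2: int
    status: str


def decode_apdu(raw: bytes) -> Apdu:
    """Split a command APDU into header and body (ISO 7816-4 short cases 1-4);
    a SIM's single P3 byte is Lc when data follows the header, else Le."""
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    if not body:                                   # case 1: header only
        return Apdu(cla, ins, p1, p2)
    if len(body) == 1:                             # case 2: Le only
        return Apdu(cla, ins, p1, p2, le=body[0] or 256)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:           # truncated data or trailing bytes
        raise ValueError("Lc=%d does not fit a body of %d bytes" % (lc, len(body)))
    return Apdu(cla, ins, p1, p2, data, (rest[0] or 256) if rest else None)


def describe_sw(sw1: int, sw2: int) -> str:
    if sw1 == 0x9F:
        return "%d response bytes available via GET RESPONSE" % sw2
    return STATUS_WORDS.get((sw1, sw2), "unrecognised status %02X%02X" % (sw1, sw2))


def _unframe(m, min_bytes: int) -> bytes:
    # Reject a frame whose <length> field disagrees with its hex payload, or that is too short.
    length, hexstr = int(m.group(1)), m.group(2)
    if length != len(hexstr) or len(hexstr) % 2 or len(hexstr) < 2 * min_bytes:
        raise ValueError("bad CSIM frame: length=%d payload=%r" % (length, hexstr))
    return bytes.fromhex(hexstr)


def decode_trace(text: str) -> List[Exchange]:
    """Pair each AT+CSIM command with the +CSIM response that follows it."""
    exchanges: List[Exchange] = []
    pending: Optional[Apdu] = None
    for line in text.splitlines():
        cmd, rsp = CSIM_CMD_RE.match(line.strip()), CSIM_RSP_RE.match(line.strip())
        if cmd:
            pending = decode_apdu(_unframe(cmd, 4))      # a command is at least CLA INS P1 P2
        elif rsp:
            if pending is None:
                raise ValueError("+CSIM response without a preceding command")
            raw = _unframe(rsp, 2)                       # a response is at least SW1 SW2
            exchanges.append(Exchange(pending, raw[:-2], raw[-2], raw[-1], describe_sw(raw[-2], raw[-1])))
            pending = None
    return exchanges
```

The <length> field of AT+CSIM counts hex characters rather than bytes, which is the usual source of confusion when hand-building these frames; the decoder refuses any frame where the two disagree instead of guessing. The second exchange in the trace shows the kind of failure worth recognising in a capture: READ BINARY issued straight after selecting the MF, with no EF selected, comes back as 94 00.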

[Q]Touch HD Memory Map

Hello,
I'm actually trying to find some network information (current cell tower + neighbours) in memory. I've found some interesting info, however it isn't complete. I would like to know if anyone can share a memory map of the phone?
My phone is using WM6.
Thanks!

Physically removing internal storage from Samsung Galaxy S6?

So I've managed to soft-brick my device (see here - http://forum.xda-developers.com/sprint-galaxy-s6/help/soft-bricked-samsung-galaxy-s6-help-t3465144), and all I really care about is the data that's on it. Would it be possible to physically remove the internal storage and use it elsewhere to recover the data? What about physically replacing the OS (if this isn't a thing I apologize, I don't know all of the components of a phone and how they work)? Obviously taking the phone apart is not a problem for me, I just want to be able to access what's on it in some way, shape, or form. Even recommending a service that could remove it for me would be much appreciated. I'm also on a STEM university campus with access to lots of technology and technologically savvy people, I just don't know what I would need to request and from whom to be able to make my internal storage usable again. Thanks in advance!
nand
You will have to desolder the NAND chip and use a device to read the contents.
Here's a link to get you started: hardcoreforensics.com/blog/2012/01/02/arduino-mega-direct-reading-of-a-nand-flash-memory-chip/
bringrainfire said:
You will have to desolder the NAND chip and use a device to read the contents.
Here's a link to get you started: hardcoreforensics.com/blog/2012/01/02/arduino-mega-direct-reading-of-a-nand-flash-memory-chip/
You can also read it while it is still in place. Find the ISP headers and pick up a JTAG. You will have to do a lot of research.
