Instead of counting both RSSI and ToA measurements separately,
let's have a single counter in trx_lchan_state.meas struct.
Change-Id: I45454a3ac92b8cc85dd74092e4ab6eb350f20c9a
All known TI GSM firmwares implement some kind of flash file system, or FFS.
We call it TIFFS (Texas Instruments FFS) because it is TI's invention.
TIFFS is a file system with a hierarchical directory tree structure, and
with Unixy forward-slash-separated, case-sensitive pathnames; the semantics
of "what is a file" and "what is a directory" are exactly the same as in
UNIX; and TIFFS even supports symlinks, although that support is a little
under-developed, and apparently no FFS symlinks were ever used in any
production GSM device. Thus the FFS implemented in TI-based GSM devices
(modems and "dumbphone" handsets) is really no different from, for example,
JFFS2 in embedded Linux systems.
The FFS in a GSM device typically stores two kinds of content:
- Factory data: IMEI, RF calibration values, device make/model/revision
ID strings etc. These files are expected to be programmed on the
factory production line and not changed afterward.
- Dynamic data written into the FFS in normal device operation: contacts,
settings / preferences, call history, received SMS, etc.
It should be noted that both Compal (Mot C1xx) and Foxconn (Pirelli DP-L10)
vendors moved their vital per-unit factory data out of the FFS into their
own ad hoc flash data structures, leaving their FFS only for less
critical data. However, we do enable TIFFS access for them anyway.
The location of TIFFS within the flash memory of a given GSM device is
defined by the firmware design of that device, but is always some integral
number of contiguous flash sectors.
- On Motorola/Compal C139/140 phones, the FFS used by the original
proprietary firmware occupies 5 sectors of 64 KiB each (320 KiB
in total), starting at 0x370000. C11x/123 use smaller FFS
configurations, whereas C155/156 seem to have switched to some
other FFS format, different from our familiar TIFFS.
- On the Pirelli DP-L10, the FFS used by the original proprietary
firmware occupies 18 sectors of 256 KiB each (for 4.5 MiB in total),
starting at the beginning of the 2nd flash chip select (0x02000000
in the ARM7 address space).
- On FCDEV3B (FreeCalypso hardware), the FFS is located in the first
8 sectors (of 256 KiB each) in the 2nd flash chip select bank,
which appears at 0x01800000 in the ARM7 address space.
- On the GTA01/02 GSM modem, FFS occupies 7 sectors of 64 KiB each,
starting at flash offset 0x380000.
For more information, please refer to the FreeCalypso project
documentation, from where this great contribution comes from.
Please note that existing MediaTek targets most likely use different
storage format as they have nothing from TI Calypso. Also, we don't
(yet) know the location of TIFFS on SE J100i and Compal E99 targets.
The TIFFS support is needed for the follow-up change, that
implements reading of the factory RF calibration values.
Tweaked (coding style changes) by Vadim Yanitskiy <axilirator@gmail.com>
Change-Id: If6e212baeb10953129fb0d5253d263567f5e12d6
Related: OS#3582
FCDEV3B (stands for "FreeCalypso development board, triband") is a
GSM mobile station development board by FreeCalypso project. The
board features the same legendary TI Calypso GSM MS chipset that
was used in commercial GSM/GPRS modems such as Openmoko's, and
functions as a standalone (or "bare") GSM modem.
For more information, please see the project's web side:
https://www.freecalypso.org/fcdev3b.html.
Change-Id: I09bd35a18d3ea094000050169a62fd82ba6eccfe
Related: OS#3581
The ability to read the second half of flash on E99 is needed
for the follow-up change, that implements reading of the
factory RF calibration values.
Change-Id: Ia677ebdc1ada9fd41daf211fd9da06cd118365fa
Related: OS#3582
Each given Mot C1xx phone is made either for 900+1800 MHz, in which
case only the DCS Rx port is connected, or for 850+1900 MHz, in which
case only the PCS Rx port is connected. Let's tell the TRF6151 driver
that both DCS and PCS ports are connected, so that the same binary
build can be used on both EU-band and US-band C1xx phones.
If one needs to tune the TRF6151 receiver out of spec, or at least
outside of the DCS/PCS Rx SAW filter's legitimate passband (or if
the SAW filter was changed or removed), then the rffe_get_rx_ports()
function might be changed to indicate which Rx port is physically
connected: PORT_DCS1800 only or PORT_PCS1900 only.
Change-Id: I620084c33ad165faffbbfc45923faedad77aafb2
Most Calypso peripheral interface signals are unconnected on
Openmoko GTA0x. Let's configure them to be GPIOs in IO_CONF_REG,
then configure them to be outputs in IO_CNTL_REG, then set
the outputs to 0 in ARMIO_LATCH_OUT.
Change-Id: I306ffacb623d2b06a188f84026ccadab408d1676
This change fixes the following compiler warning:
sim.c: In function ‘gsm_sim_reply’:
sim.c:149:11: warning: variable ‘payload’ set but not used
[-Wunused-but-set-variable]
uint8_t *payload;
Change-Id: I3767b23bb1b28d3f4bb515d399bce160ba2eee09
As we do iterate over all entities in the BA list, it makes more
sense to print each one separately instead of printing the last
one. Moreover, as soon as the iteration is finished, *ba points
to some zero-initialized part of memory:
gsm322.c:5170 Write stored BA list (mcc=000 mnc=000 Marshall Islands, 000)
After this patch:
gsm322.c:5162 Write stored BA list (mcc=250 mnc=99 Russian Federation, Beeline)
gsm322.c:5162 Write stored BA list (mcc=250 mnc=01 Russian Federation, MegaFon)
gsm322.c:5162 Write stored BA list (mcc=250 mnc=02 Russian Federation, MTS)
gsm322.c:5162 Write stored BA list (mcc=544 mnc=31 Serbia, Telenor)
Change-Id: I5160492e6125401c6a1765f54d129b1f1cd503fc
In If1e851ac605c8d2fde3da565b0bd674ea6350c2e, msgb_wrap_with_TL()
was renamed to msgb_push_tl(). Let's use the new symbol name.
Change-Id: Ief37424e0ca3cd696054518a0ffb07b7ef17a462
Both l1ctl_link_init() and trx_if_open() do accept 'tall_ctx' now,
so there is no need to expose the root context anymore. For
logging initialization, we can just pass a pointer.
Change-Id: I7a2231eb880a995d3296b94481a7799e6ff07489
The main changes are:
- return pointer to the allocated l1ctl_link or NULL,
- accept the talloc context as 'tall_ctx' argument.
Change-Id: I7fe1bc306494ac692c182dcfd2a2d9412929194b
The main changes are:
- return pointer to the allocated trx_instance or NULL,
- extend debug message with TRX address and base port,
- accept the talloc context as 'tall_ctx' argument,
- rename goto label 'error' to 'udp_error',
- rename argument 'port' to 'base_port'.
Change-Id: I39b24afee2f09d6a6c500cfc26ac45f206589c5c
Since Ibff31fb3a958a714c828d0dea7e87d47f778fd80, fake_trx.py does
support multiple transceivers. Let's update its description.
Change-Id: I6e4351693da3a1f7e3eadd8e11971c34044dde20
Since fake_trx.py can handle multiple transceivers, it may be useful
to name transceivers. If transceiver has some name, it will appear
in logging messages, for example:
[INFO] transceiver.py:104 Init transceiver 'BTS@127.0.0.1:5700'
[INFO] transceiver.py:104 Init transceiver 'MS@127.0.0.1:6700'
[INFO] transceiver.py:104 Init transceiver '127.0.0.1:5700/1'
This change additionally assigns names to the both default
transceivers, and extends the '--trx' option with ability
to specify some name, for example:
--trx foo@127.0.0.1:5700 or --trx bar@127.0.0.1:5700/1
--trx ipv6@[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:6700
Change-Id: I2f58f02e7819bb008b8aab1a8bf9e0adeb2e44ec
One can confuse TRX control interface with libosmoctrl's one.
TRX toolkit is not using libosmoctrl, and will never do. But,
in order to avoid this confusion, and potential confusion of
DATA interface, let's call them 'TRXC' and 'TRXD' in logging.
Change-Id: I67b1e850094cf8e279777c45c7544886be42a009
Since fake_trx.py can handle multiple transceivers, it makes sense
to print some info in logging messages about transceivers they
belong to. This acvieved by defining __str__() for Transceiver.
Some examples:
[DEBUG] ctrl_if_trx.py:83 (127.0.0.1:5700) Recv POWEROFF cmd
[INFO] ctrl_if_trx.py:85 (127.0.0.1:5700) Stopping transceiver...
[DEBUG] ctrl_if_trx.py:95 (127.0.0.1:5700/1) Recv RXTUNE cmd
[DEBUG] ctrl_if_trx.py:102 (127.0.0.1:5700/1) Recv TXTUNE cmd
[DEBUG] ctrl_if_trx.py:155 (127.0.0.1:5700/1) Ignore CMD SETTSC
[DEBUG] ctrl_if_trx.py:155 (127.0.0.1:5700/1) Ignore CMD SETPOWER
Change-Id: I1f706790a2da226f1418f89d2cfbb55baa6ea624
There should be no code in run() that does initialization,
__init__() is the best place for this. This change allows
to import the Application class from fake_trx.py, and
run it from script (e.g. for testing).
Change-Id: I84969630348a189d237cc98354e568421839a37b
The (BT)SAP (Bluetooth SIM Access Profile) is a part of Bluetooth
specifications, that defines the protocol and procedures that
shall be used to access a smart card (usually GSM SIM) via
a Bluetooth link.
The profile defines two roles:
- Server - the side that has direct access to a smart card.
It acts as a SIM card reader, which assists the Client
in accessing and controlling the smart card.
- Client - the side that accesses and controls the smart card
inside the Server through the connection with Server.
Typical examples of a Server are a simple SIM card holder or
a portable phone in the car environment. A typical example of
a Client is a car phone, which uses a subscription module in
the Server for a connection to the cellular network.
OsmocomBB implements the Client role providing abstract SAP
interface API to the higher layers. Instead of Bluetooth,
a UNIX socket is used to communicate with a Server.
The previous implementation of (BT)SAP interface was incomplete
and hard to maintain. This change (re)implements it almost from
scratch on top of the Osmocom FSM framework.
Besides that, the most significant changes are:
- The implementation is separated into three parts:
- sap_interface.{c|h} - public SAP interface API,
- sap_proto.{c|h} - SAP protocol definition,
- sap_fsm.{c|h} - SAP FSM implementation.
- Both 'sap_message' and 'sap_param' structures follow the
SAP message format definition according to 5.1 and 5.2.
- The message parsing is done more carefully in order to
prevent buffer overflow and NULL-pointer dereference.
- Introduced public API for getting / adding message
parameters, and checking the ResultCode.
- Introduced public API for opening / closing a connection
with the server, powering on / off and resetting the SIM
card, sending ATR and APDU.
- Introduced a call-back for handling the response message.
- Card reader state is also a part of the public API.
The new implementation was tested against softsim [1]. The
only limitation is Server-initiated Release, that allows the
Server to 'ask' a Client to release connection as soon as
communication with the smart card is finished. This is not
implemented (yet), and leads to immediate release.
[1] https://git.osmocom.org/softsim/
Change-Id: I77bb108615bb2c94c441568f195b04e0a5421643
It seems in Ice44e2b22566b3652ef6d43896055963b13ab185 I forgot
to do this, so all measurements triggered by MEASURE command
were incorrect (always noise). Let's fix this!
Change-Id: I155f118b2d3e3b23eb148fe7e2630790f8fcd18c
Since Ice44e2b22566b3652ef6d43896055963b13ab185 is merged, the class
hierarchy has become much more flexible, so it's possible to create
multiple Transceiver / FakeTRX instances and distribute bursts using
a single instance of BurstForwarder.
This change introduces a new command line option, that can be used
to specify additional transceivers. Please note that fake_trx.py
still initializes a pair of BTS and BB transceivers by default.
The new option has the following format:
--trx REMOTE_ADDR:BASE_PORT[/TRX_NUM]
Some examples for IPv4 and IPv6:
--trx 127.0.0.1:5703
--trx [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:6703
If optional TRX_NUM > 0 is specified, e.g.:
--trx 127.0.0.1:5700/1
then this transceiver is considered as a child of another one.
See I7e97b7f32dde7ab74779133e9d7504f1d0fce60c for details.
Change-Id: Ibff31fb3a958a714c828d0dea7e87d47f778fd80
A BTS can (optionally) have more than one transceiver. In this case
additional (let's say child) transceivers basically share the same
clock source of the first transceiver, and being powered on / off
as soon as the first transceiver is powered on / off.
Change-Id: I7e97b7f32dde7ab74779133e9d7504f1d0fce60c
It was discovered that using an empty list as default argument
value does result into the cross-reference, i.e. all instances
of BurstForwarder would reference the same trx_list object.
This is not an expected behaviour, let's fix this.
Change-Id: Id71185de05b0ebc5adb105b10fad2cbde5f800b1
Passing NULL to sap_msg_free() is not only meaningless, but also
would result in NULL pointer dereference. We should call it in
successful case only, so let's fix this.
Change-Id: Icf868c4299e292a17c4b7aad1f9e728ea3653494
Due to a mistake, average RSSI value of received bursts was not
converted to GSM RX level (range 0..63), so trxcon has been
sending incorrect values to the higher layers.
Let's fix this, and also prevent possible division by zero.
Change-Id: Id4659de899411ec1ba1718fdcb40aec562dbfd65
There are several SIM card interfaces, two of which:
- GSM_SIM_TYPE_L1PHY (using built-in SIM reader of the L1 PHY),
- GSM_SIM_TYPE_SAP (using remote reader via (BT)SAP protocol),
can actually deal with a physical SIM card. But, for some reason,
only GSM_SIM_TYPE_L1PHY was considered as such. Let's also get
along with GSM_SIM_TYPE_SAP for the following procedures:
- PIN management and verification,
- FPLMN / LOCI updating,
- A3 authentication.
Change-Id: I4b3080fa7a5332467a449a314ba3cc3a07a9b7df
Since we have two ways to interact with a physical SIM:
- using built-in SIM reader of the L1 PHY (via L1CTL),
- using remote reader via (BT)SAP protocol,
name 'GSM_SIM_TYPE_READER' looks quite confusing. Let's rename it
in order to explicitly indicate the role of L1 PHY.
Change-Id: I0f83f365ed50cfd658fdd3a9d6866ed76c8c4009