Fernvale is an open-source development platform for the Mediatek MT6260.
It was also specifically designed to make reverse engineering easier.
It is available on the sysmocom web-shop.
- There is a simple bootloader/interactive shell called fernly which can also be used for reverse engineering.
- There is a downstream port to NuttX which is bootable but provides limited features.
- There is a downstream OsmocomBB port which has a bootable layer1 image that doesn't support any of the GSM hardware yet.
|External memory||Fernly, NuttX|
|GSM, GPRS||None yet|
|LCD||Fernly, NuttX|
Load Layer1 via Fernly
For now, only loading into RAM via the fernly loader is supported. Use this script to load a layer1 firmware built from osmocom-bb onto the Fernvale via fernly: https://gitlab.com/unrznbl/fernly/blob/mtk-layer1/load-layer1.sh
Boot ROM cycles due to no Firmware flashed
If you simply connect the Fernvale to your host via a micro USB cable, you will likely see failures like this:
[10045.367504] usb 1-4: new full-speed USB device number 14 using xhci_hcd
[10045.516385] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10045.516397] usb 1-4: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10046.102791] cdc_acm 1-4:1.1: ttyACM0: USB ACM device
[10046.103011] usbcore: registered new interface driver cdc_acm
[10046.103012] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[10046.109599] usbcore: registered new interface driver usbserial_generic
[10046.109623] usbserial: USB Serial support registered for generic
[10046.116192] usbcore: registered new interface driver option
[10046.116229] usbserial: USB Serial support registered for GSM modem (1-port)
[10051.794634] usb 1-4: USB disconnect, device number 14
[10052.491445] usb 1-4: new full-speed USB device number 15 using xhci_hcd
[10052.640174] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10052.640184] usb 1-4: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10052.643070] option 1-4:1.0: GSM modem (1-port) converter detected
[10052.652198] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB0
[10052.652881] cdc_acm: probe of 1-4:1.1 failed with error -16
[10058.956408] usb 1-4: USB disconnect, device number 15
[10058.956910] option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
[10058.956972] option 1-4:1.0: device disconnected
[10059.651427] usb 1-4: new full-speed USB device number 16 using xhci_hcd
[10059.800240] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10059.800247] usb 1-4: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[10059.803041] option 1-4:1.0: GSM modem (1-port) converter detected
[10059.803284] usb 1-4: GSM modem (1-port) converter now attached to ttyUSB0
[10059.803885] cdc_acm: probe of 1-4:1.1 failed with error -16
This is likely because no firmware has been flashed onto the Fernvale, so only the boot ROM (BROM) firmware is available. Since the BROM has nothing to transfer control to, it cycles.
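To confirm from a saved kernel log that the device is stuck in this re-enumeration loop, the following added example (not part of the original page or of fernly) pairs each attach of the 0e8d:0003 device with its disconnect and reports how long each enumeration lasted. The function names are hypothetical and the sample input is a subset of the log lines shown above.

```python
import re

# Constructed sample: a subset of the kernel log lines shown above.
SAMPLE_DMESG = """\
[10045.367504] usb 1-4: new full-speed USB device number 14 using xhci_hcd
[10045.516385] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10051.794634] usb 1-4: USB disconnect, device number 14
[10052.491445] usb 1-4: new full-speed USB device number 15 using xhci_hcd
[10052.640174] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
[10058.956408] usb 1-4: USB disconnect, device number 15
[10059.651427] usb 1-4: new full-speed USB device number 16 using xhci_hcd
[10059.800240] usb 1-4: New USB device found, idVendor=0e8d, idProduct=0003, bcdDevice= 1.00
"""

BROM_ID = ("0e8d", "0003")  # idVendor/idProduct reported in the log above
LINE = re.compile(r"^\[\s*(\d+\.\d+)\] usb (\S+): (.*)$")
NEW = re.compile(r"new \S+ USB device number (\d+)")
FOUND = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
GONE = re.compile(r"USB disconnect, device number \d+")

def brom_sessions(text, usb_id=BROM_ID):
    """Return [(devnum, t_attach, t_detach or None)] for devices matching usb_id."""
    pending, live, out = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines from other subsystems (cdc_acm, option, usbcore)
        ts, port, msg = float(m.group(1)), m.group(2), m.group(3)
        if (n := NEW.search(msg)):
            pending[port] = (int(n.group(1)), ts)  # ID not known yet
        elif (f := FOUND.search(msg)) and port in pending:
            dev = pending.pop(port)
            if f.groups() == usb_id:
                live[port] = dev
        elif GONE.search(msg) and port in live:
            num, t0 = live.pop(port)
            out.append((num, t0, ts))
    # Devices still attached at the end of the log have no detach time.
    out.extend((num, t0, None) for num, t0 in live.values())
    return out

def is_cycling(sessions, min_cycles=2):
    """True when the device completed at least min_cycles attach/detach rounds."""
    return sum(1 for _, _, end in sessions if end is not None) >= min_cycles

def uptimes(sessions):
    """Seconds each completed enumeration lasted, rounded to milliseconds."""
    return [round(end - start, 3) for _, start, end in sessions if end is not None]
```

On the sample, each enumeration lasts roughly 6.4 seconds before the device drops off the bus and reappears under a new device number.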
Apr 22 2018 - layer1 firmware has stubbed out implementations for mediatek/fernvale. layer1/main blinks the big LED on fernvale and fernly usb serial is ported so that debug messages are possible. See mtk-layer1 branch on gitlab.
Feb 13 2018 - fixed up Makefile.mtk so that both SciphoneDreamG2 and Fernvale firmwares build. An LED blink firmware is working on Fernvale but the loader_mtk firmware no longer seems to work on the SciphoneDreamG2.
Is it possible that openocd_mt6235.cfg for SciphoneDreamG2 could work with small modifications for fernvale/mt6260? Here is the output of running a slightly modified version with an olimex arm-usb-ocd-h adapter. Any help would be appreciated to adjust this cfg to get working JTAG since fernvale should support this fairly easily (kit includes parts to make a JTAG adapter interface).
openocd -f interface/ftdi/olimex-arm-usb-ocd-h.cfg -f fernvale.cfg
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 1000 kHz
Warn : There are no enabled taps. AUTO PROBING MIGHT NOT WORK!!
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Warn : Bypassing JTAG setup events due to errors
Warn : gdb services need one or more targets defined
- port Layer1bin - unrznbl is working on this currently
- create library from osmocom-bb to be used in NuttX layer1 app (hopefully very little copying of code into nuttx tree)
- port Mobile to NuttX
Very few people are working on it [1], and because of that progress has been very slow.
[1] See this blog post for more background on the issue.
References and documentation
- https://postmarketos.org/blog/2018/04/14/lowlevel/ : Article on porting OsmocomBB to the Fernvale
- https://kosagi.com/w/index.php?title=Fernvale_Main_Page : Fernvale hardware documentation
- https://kosagi.com/forums/ : Kosagi forums: they have a section on the Fernvale
- https://www.bunniestudios.com/blog/?p=4297 : Blog post on the initial hardware and software reverse engineering
- https://xobs.io/fernvale-the-path-not-taken/ : Blog post on the initial software reverse engineering
- There was a talk at the 31c3 about the Fernvale (video, slides).
- NuttX's mt6260_tdma.h seems to contain some information on the GSM part