Bug #5269

open

Sim card not powering up on sylvain/burst_ind

Added by abcd123 about 2 months ago. Updated 19 days ago.

Status: New
Priority: Normal
Assignee: -
Category: OsmocomBB Firmware
Target version: -
Start date: 10/15/2021
Due date:
% Done: 0%
Resolution:
Spec Reference:

Description

After compiling libosmocore (master branch) and sylvain/burst_ind (osmocombb) on Kali 2.0, I used compalram.bin to load Layer1 (as chainloading is broken in sylvain/burst_ind). It initializes the LCD screen of the Motorola C139 and 'Layer1.bin' gets printed, but it does not power up the SIM card. Due to this, the ccch_scan app and all the other apps in the misc folder won't run.

Output (Layer1 running) -:

root@gsm:~/osmocom/osmocombb_1/src/host/osmocon# ./osmocon -p /dev/ttyUSB0 -m c140xor ../../target/firmware/board/compal_e86/layer1.compalram.bin
got 2 bytes from modem, data looks like: 2e 83 ..
got 5 bytes from modem, data looks like: 1b f6 02 00 41 ....A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD

The filesize is larger than 15kb, code on the magic address will be overwritten!
Use loader.bin and upload the application with osmoload instead!

read_file(../../target/firmware/board/compal_e86/layer1.compalram.bin): file_size=49968, hdr_len=4, dnload_len=49975
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 43 C
Received PROMPT2 from phone, starting download
handle_write(): 4096 bytes (4096/49975)
handle_write(): 4096 bytes (8192/49975)
handle_write(): 4096 bytes (12288/49975)
handle_write(): 4096 bytes (16384/49975)
handle_write(): 4096 bytes (20480/49975)
handle_write(): 4096 bytes (24576/49975)
handle_write(): 4096 bytes (28672/49975)
handle_write(): 4096 bytes (32768/49975)
handle_write(): 4096 bytes (36864/49975)
handle_write(): 4096 bytes (40960/49975)
handle_write(): 4096 bytes (45056/49975)
handle_write(): 4096 bytes (49152/49975)
handle_write(): 823 bytes (49975/49975)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 03 .
got 1 bytes from modem, data looks like: 42 B
Received DOWNLOAD ACK from phone, your code is running now!

Output (running ccch_scan) -:

root@gsm:~/osmocom/osmocombb_1/src/host/layer23/src/misc# ./ccch_scan -i 127.0.0.1 -a 110
Copyright (C) 2010 Harald Welte <>
Contributions by Holger Hans Peter Freyther

License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Failed to connect to '/tmp/osmocom_sap'.
Failed during sap_open(), no SIM reader

===================================== MY TWEAKS ============================================================================================================

So, after unsuccessful tries with the sylvain/burst_ind branch, I copied the code (app_ccch_scan.c) from the fixeria/burst_ind branch to the master branch of osmocombb. It works, but the Motorola C139 gets switched off automatically.

Output (running Layer1 after applying my tweak) -:

root@gsm:~/osmocom/osmocombb_2/src/host/osmocon# ./osmocon -p /dev/ttyUSB1 -m c140xor -c ../../target/firmware/board/compal_e86/layer1.highram.bin
got 2 bytes from modem, data looks like: 2e 83 ..
got 5 bytes from modem, data looks like: 1b f6 02 00 41 ....A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD
read_file(chainloader): file_size=32, hdr_len=4, dnload_len=15341
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 43 C
Received PROMPT2 from phone, starting download
handle_write(): 4096 bytes (4096/15341)
handle_write(): 4096 bytes (8192/15341)
handle_write(): 4096 bytes (12288/15341)
handle_write(): 3053 bytes (15341/15341)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 03 .
got 1 bytes from modem, data looks like: 42 B
Received DOWNLOAD ACK from phone, your code is running now!
Enabled Compal ramloader -> Calypso romloader chainloading mode
Received ident ack from phone, sending parameter sequence
read_file(../../target/firmware/board/compal_e86/layer1.highram.bin): file_size=62980, hdr_len=0, dnload_len=62983
Received parameter ack from phone, starting download
Finished, sent 63 blocks in total
Received branch ack, your code is running now!
fb_td014_init: initializing LCD.
Looking for TIFFS (TI Flash File System) header at 0x370000, 5 sectors of 0x10000 bytes
Found TIFFS active index block at 0x3a0000
Found TIFFS root inode at #d1

OsmocomBB Layer 1 (revision osmocon_v0.0.0-2615-g9821955-modified)
======================================================================
Device ID code: 0xb4fb
Device Version code: 0x0000
ARM ID code: 0xfff3
cDSP ID code: 0x0128
Die ID code: f1562414ab039771
======================================================================
REG_DPLL=0x2413
CNTL_ARM_CLK=0xf0a1
CNTL_CLK=0xff91
CNTL_RST=0xfff3
CNTL_ARM_DIV=0xfff9
======================================================================
Power up simcard:
Analyzing factory records sector at 0x3fc000
Found 900 MHz band calibration record at 0x3fc100, applying
Found 1800 MHz band calibration record at 0x3fc19c, applying
Assert DSP into Reset
Releasing DSP from Reset
Setting some dsp_api.ndb values
Setting API NDB parameters
DSP Download Status: 0x0001
DSP API Version: 0x0000 0x0000
Finishing download phase
DSP Download Status: 0x0002
DSP API Version: 0x3606 0x0000
LOST 827!
L1CTL_RESET_REQ: FULL!L1CTL_FBSB_REQ (arfcn=110, flags=0x7)
Starting FCCH RecognitionFB0 (2723:8): TOA= 9648, Power= -63dBm, Angle= 4343Hz
FB1 (2733:8): TOA= 9631, Power= -63dBm, Angle= 255Hz
fn_offset=2732 (fn=2733 + attempt=8 + ntdma = 7)
delay=9 (fn_offset=2732 + 11 - fn=2733 - 1
scheduling next FB/SB detection task with delay 9
=>FB FNR 2732 fn_offset=2732 qbits=3340
Synchronize_TDMA
LOST 3156!
SB1 (5470:1): TOA= 27, Power= -64dBm, Angle= 299Hz
=> SB 0x004e221b: BSIC=6 fn=2128067(1604/19/41) qbits=16
Synchronize_TDMA
=>FB
FNR 5469 fn_offset=2128067 qbits=4924
LOST 1909!
L1CTL_DM_EST_REQ (arfcn=110, chan_nr=0x69, tsc=6)
LOST 2109!

Output (running ccch_scan after applying my tweak) -:

root@gsm:~/osmocom/osmocombb_2/src/host/layer23/src/misc# ./ccch_scan -i 127.0.0.1 -a 110
Copyright (C) 2010 Harald Welte <>
Contributions by Holger Hans Peter Freyther

License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

<0001> app_ccch_scan.c:286 BCCH message (type=0x1c): SYSTEM INFORMATION TYPE 4
<0001> app_ccch_scan.c:286 BCCH message (type=0x19): SYSTEM INFORMATION TYPE 1
<0001> app_ccch_scan.c:303 SI1 received.
<0001> app_ccch_scan.c:286 BCCH message (type=0x1a): SYSTEM INFORMATION TYPE 2
<0001> app_ccch_scan.c:286 BCCH message (type=0x1b): SYSTEM INFORMATION TYPE 3
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x2b): 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:286 BCCH message (type=0x1c): SYSTEM INFORMATION TYPE 4
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x2b): 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x2b): 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:475 Paging1: Normal paging chan any to tmsi M(1764699315)
<0001> app_ccch_scan.c:286 BCCH message (type=0x00): SYSTEM INFORMATION TYPE 13
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x2b): 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x2b): 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:475 Paging1: Normal paging chan any to tmsi M(3225114556)
<0001> app_ccch_scan.c:286 BCCH message (type=0x07): SYSTEM INFORMATION TYPE 2quater
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x2b): 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x2b): 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:475 Paging1: Normal paging chan any to tmsi M(1546693755)
<0001> app_ccch_scan.c:286 BCCH message (type=0x1b): SYSTEM INFORMATION TYPE 3
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x2b): 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x2b): 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:347 GSM48 IMM ASS (ra=0x04, chan_nr=0x69, ARFCN=110, TS=1, SS=5, TSC=6)
^Z
[1]+ Stopped ./ccch_scan -i 127.0.0.1 -a 110

The Motorola C139 switches off automatically when the code reaches 'GSM IMM ASS function' on ARFCN 110. The output is different for ARFCN 61, but it still switches off when it reaches 'GSM IMM ASS'.

Output (with arfcn 61) -:

root@gsm:~/osmocom/osmocombb_2/src/host/layer23/src/misc# ./ccch_scan -i 127.0.0.1 -a 61
Copyright (C) 2010 Harald Welte <>
Contributions by Holger Hans Peter Freyther

License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

<0001> app_ccch_scan.c:286 BCCH message (type=0x1c): SYSTEM INFORMATION TYPE 4
<0001> app_ccch_scan.c:286 BCCH message (type=0x19): SYSTEM INFORMATION TYPE 1
<0001> app_ccch_scan.c:303 SI1 received.
<0001> app_ccch_scan.c:286 BCCH message (type=0x1a): SYSTEM INFORMATION TYPE 2
<0001> app_ccch_scan.c:286 BCCH message (type=0x1b): SYSTEM INFORMATION TYPE 3
<0001> app_ccch_scan.c:615 PCH pdisc (NCSS) != RR
<0001> app_ccch_scan.c:558 Paging1: Normal paging chan any to TMSI M(0xc6b97e1)
<0001> app_ccch_scan.c:561 Paging2: Normal paging chan any to TMSI M(0x7f197d6)
<0001> app_ccch_scan.c:564 Paging3: Normal paging chan n/a to TMSI M(0xa5e797f8)
<0001> app_ccch_scan.c:567 Paging4: Normal paging chan n/a to TMSI M(0xe23d97f0)
<0001> app_ccch_scan.c:515 Paging1: Normal paging chan tch/f to TMSI M(0x7cf084af)
<0001> app_ccch_scan.c:518 Paging2: Normal paging chan any to TMSI M(0x234797db)
<0001> app_ccch_scan.c:541 Paging3: Normal paging chan n/a to imsi M(404277262105766)
<0001> app_ccch_scan.c:515 Paging1: Normal paging chan any to TMSI M(0x71aa97c8)
<0001> app_ccch_scan.c:518 Paging2: Normal paging chan tch/f to TMSI M(0x24b77291)
<0001> app_ccch_scan.c:541 Paging3: Normal paging chan n/a to tmsi M(3348620163)
<0001> app_ccch_scan.c:286 BCCH message (type=0x1c): SYSTEM INFORMATION TYPE 4
<0001> app_ccch_scan.c:515 Paging1: Normal paging chan any to TMSI M(0x807f97f9)
<0001> app_ccch_scan.c:518 Paging2: Normal paging chan any to TMSI M(0xd07c97f1)
<0001> app_ccch_scan.c:541 Paging3: Normal paging chan n/a to tmsi M(1232794977)
<0001> app_ccch_scan.c:475 Paging1: Normal paging chan tch/f to imsi M(404277284063409)
<0001> app_ccch_scan.c:558 Paging1: Normal paging chan any to TMSI M(0x582597e3)
<0001> app_ccch_scan.c:561 Paging2: Normal paging chan any to TMSI M(0xf64b97fd)
<0001> app_ccch_scan.c:564 Paging3: Normal paging chan n/a to TMSI M(0x8d8d84bf)
<0001> app_ccch_scan.c:567 Paging4: Normal paging chan n/a to TMSI M(0xc72d97f9)
<0001> app_ccch_scan.c:558 Paging1: Normal paging chan any to TMSI M(0x30c197e2)
<0001> app_ccch_scan.c:561 Paging2: Normal paging chan tch/f to TMSI M(0xa1f67d6d)
<0001> app_ccch_scan.c:564 Paging3: Normal paging chan n/a to TMSI M(0x4ebd96cf)
<0001> app_ccch_scan.c:567 Paging4: Normal paging chan n/a to TMSI M(0xa37d96cb)
<0001> app_ccch_scan.c:515 Paging1: Normal paging chan tch/f to TMSI M(0xa279858d)
<0001> app_ccch_scan.c:518 Paging2: Normal paging chan any to TMSI M(0xe3cc97fe)
<0001> app_ccch_scan.c:541 Paging3: Normal paging chan n/a to tmsi M(3717674898)
<0001> app_ccch_scan.c:558 Paging1: Normal paging chan any to TMSI M(0x6fb897eb)
<0001> app_ccch_scan.c:561 Paging2: Normal paging chan any to TMSI M(0x43ad97c6)
<0001> app_ccch_scan.c:564 Paging3: Normal paging chan n/a to TMSI M(0xd3a697c1)
<0001> app_ccch_scan.c:567 Paging4: Normal paging chan n/a to TMSI M(0xbee3869b)
<0001> app_ccch_scan.c:558 Paging1: Normal paging chan tch/f to TMSI M(0x96b48708)
<0001> app_ccch_scan.c:561 Paging2: Normal paging chan any to TMSI M(0x342697df)
<0001> app_ccch_scan.c:564 Paging3: Normal paging chan n/a to TMSI M(0x929f1ac6)
<0001> app_ccch_scan.c:567 Paging4: Normal paging chan n/a to TMSI M(0x75cb97f5)
<0001> app_ccch_scan.c:558 Paging1: Normal paging chan tch/f to TMSI M(0xf3257e1a)
<0001> app_ccch_scan.c:561 Paging2: Normal paging chan any to TMSI M(0x426197ca)
<0001> app_ccch_scan.c:564 Paging3: Normal paging chan n/a to TMSI M(0xaf157f7d)
<0001> app_ccch_scan.c:567 Paging4: Normal paging chan n/a to TMSI M(0x8ea097ca)
<0001> app_ccch_scan.c:286 BCCH message (type=0x19): SYSTEM INFORMATION TYPE 1
<0001> app_ccch_scan.c:303 SI1 received.
<0001> app_ccch_scan.c:639 Unknown PCH/AGCH message (type 0x00): 01 06 00 f0 00 58 47 eb 4a 93 e5 1a 19 8a 16 ab 2b 2b 2b 2b 2b 2b 2b
<0001> app_ccch_scan.c:475 Paging1: Normal paging chan any to tmsi M(3633753218)
<0001> app_ccch_scan.c:558 Paging1: Normal paging chan any to TMSI M(0x4eac97cb)
<0001> app_ccch_scan.c:561 Paging2: Normal paging chan any to TMSI M(0x188597ee)
<0001> app_ccch_scan.c:564 Paging3: Normal paging chan n/a to TMSI M(0x2a2997c2)
<0001> app_ccch_scan.c:567 Paging4: Normal paging chan n/a to TMSI M(0xa8867680)
<0001> app_ccch_scan.c:515 Paging1: Normal paging chan any to TMSI M(0xd35797c5)
<0001> app_ccch_scan.c:518 Paging2: Normal paging chan any to TMSI M(0xc59797fc)
<0001> app_ccch_scan.c:541 Paging3: Normal paging chan n/a to tmsi M(3986124795)
<0001> app_ccch_scan.c:558 Paging1: Normal paging chan tch/f to TMSI M(0x2072833a)
<0001> app_ccch_scan.c:561 Paging2: Normal paging chan tch/f to TMSI M(0xa6918619)
<0001> app_ccch_scan.c:564 Paging3: Normal paging chan n/a to TMSI M(0x2be97f7)
<0001> app_ccch_scan.c:567 Paging4: Normal paging chan n/a to TMSI M(0x8137f28)
<0001> app_ccch_scan.c:347 GSM48 IMM ASS (ra=0x05, chan_nr=0x71, ARFCN=61, TS=1, SS=6, TSC=6)
<0001> app_ccch_scan.c:515 Paging1: Normal paging chan any to TMSI M(0x291297d4)
<0001> app_ccch_scan.c:518 Paging2: Normal paging chan any to TMSI M(0x6cf996ee)
<0001> app_ccch_scan.c:541 Paging3: Normal paging chan n/a to imsi M(404221571515261)
^Z
[2]+ Stopped ./ccch_scan -i 127.0.0.1 -a 61

It switches off automatically...

I know I should never mix up codes as this can damage my Motorola C139. But I did as I was curious...

Please help!!
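
The IMM ASS lines in the report above carry a chan_nr octet next to the TS and SS fields, and the same octet (0x69) appears in the last L1CTL_DM_EST_REQ that Layer1 logged. The following is an added example, not part of the original report and not OsmocomBB code: it decodes that octet using the RSL channel number layout from 3GPP TS 48.058 section 9.3.1 and checks a logged line for consistency. The names decode_chan_nr and check_imm_ass_line are hypothetical; libosmocore has its own rsl_dec_chan_nr().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum chan_type { CH_INVALID, CH_TCH_F, CH_TCH_H, CH_SDCCH4, CH_SDCCH8,
                 CH_BCCH, CH_RACH, CH_PCH_AGCH };

struct chan_desc {
    enum chan_type type;
    uint8_t subch;  /* sub-channel within the timeslot */
    uint8_t ts;     /* timeslot number, 0..7 */
};

/* Channel number octet: bits 8..4 are the C-bits (channel type plus
 * sub-channel), bits 3..1 are the timeslot number. */
static struct chan_desc decode_chan_nr(uint8_t chan_nr)
{
    struct chan_desc d = { CH_INVALID, 0, (uint8_t)(chan_nr & 0x07) };
    uint8_t cbits = chan_nr >> 3;

    if (cbits == 0x01) {                    /* 00001: Bm + ACCH */
        d.type = CH_TCH_F;
    } else if ((cbits & 0x1e) == 0x02) {    /* 0001T: Lm + ACCH */
        d.type = CH_TCH_H;
        d.subch = cbits & 0x01;
    } else if ((cbits & 0x1c) == 0x04) {    /* 001TT: SDCCH/4 + ACCH */
        d.type = CH_SDCCH4;
        d.subch = cbits & 0x03;
    } else if ((cbits & 0x18) == 0x08) {    /* 01TTT: SDCCH/8 + ACCH */
        d.type = CH_SDCCH8;
        d.subch = cbits & 0x07;
    } else if (cbits == 0x10) {             /* 10000: BCCH */
        d.type = CH_BCCH;
    } else if (cbits == 0x11) {             /* 10001: uplink CCCH (RACH) */
        d.type = CH_RACH;
    } else if (cbits == 0x12) {             /* 10010: downlink CCCH */
        d.type = CH_PCH_AGCH;
    }
    return d;
}

static const char *chan_type_name(enum chan_type t)
{
    switch (t) {
    case CH_TCH_F:    return "TCH/F";
    case CH_TCH_H:    return "TCH/H";
    case CH_SDCCH4:   return "SDCCH/4";
    case CH_SDCCH8:   return "SDCCH/8";
    case CH_BCCH:     return "BCCH";
    case CH_RACH:     return "RACH";
    case CH_PCH_AGCH: return "PCH/AGCH";
    default:          return "invalid";
    }
}

/* Parse one ccch_scan "GSM48 IMM ASS (...)" line and check that the logged
 * TS/SS fields agree with what chan_nr encodes.
 * Returns 1 = consistent, 0 = mismatch, -1 = not an IMM ASS line. */
static int check_imm_ass_line(const char *line, struct chan_desc *out)
{
    unsigned ra, chan_nr, arfcn, ts, ss, tsc;
    const char *p = strstr(line, "GSM48 IMM ASS (");

    if (!p)
        return -1;
    if (sscanf(p, "GSM48 IMM ASS (ra=0x%x, chan_nr=0x%x, ARFCN=%u, "
                  "TS=%u, SS=%u, TSC=%u)",
               &ra, &chan_nr, &arfcn, &ts, &ss, &tsc) != 6)
        return -1;
    if (chan_nr > 0xff)
        return -1;

    *out = decode_chan_nr((uint8_t)chan_nr);
    return out->type != CH_INVALID && out->ts == ts && out->subch == ss;
}

int main(void)
{
    /* Lines copied from the ccch_scan output in the report above. */
    static const char *lines[] = {
        "<0001> app_ccch_scan.c:347 GSM48 IMM ASS (ra=0x04, chan_nr=0x69, ARFCN=110, TS=1, SS=5, TSC=6)",
        "<0001> app_ccch_scan.c:347 GSM48 IMM ASS (ra=0x05, chan_nr=0x71, ARFCN=61, TS=1, SS=6, TSC=6)",
        "<0001> app_ccch_scan.c:303 SI1 received.",
    };

    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        struct chan_desc d;
        int rc = check_imm_ass_line(lines[i], &d);

        if (rc < 0)
            continue;   /* not an IMM ASS line */
        printf("%s sub-channel %u on TS %u: %s\n", chan_type_name(d.type),
               d.subch, d.ts, rc ? "matches logged TS/SS" : "MISMATCH");
    }
    return 0;
}
```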

Actions #1

Updated by abcd123 about 2 months ago

I built gnu-arm-toolchain from here ---> https://osmocom.org/projects/baseband/wiki/GnuArmToolchain

Actions #2

Updated by abcd123 about 2 months ago

I built gnu-arm-toolchain from here ---> https://osmocom.org/projects/baseband/wiki/GnuArmToolchain

Actions #4

Updated by abcd123 about 2 months ago

fixeria wrote:

> You can find pre-compiled firmware images for 'sylvain/burst_ind' here:
>
> https://download.opensuse.org/repositories/home:/mnhauke:/osmocom:/nightly/openSUSE_Tumbleweed/x86_64/osmocom-bb-sylvain-burst-ind-firmware-0.0.0.git1391535122.07ce6faf-4.40.x86_64.rpm
>
> Just unpack and give them a try.

I am not able to unpack the rpm files... I tried every command (mock, file-roller, tar, rpm2cpio) but was unsuccessful...

Actions #5

Updated by fixeria about 2 months ago

7z works for me:

7z x osmocom-bb-sylvain-burst-ind-firmware-0.0.0.git1391535122.07ce6faf-4.40.x86_64.rpm
7z x osmocom-bb-sylvain-burst-ind-firmware-0.0.0.git1391535122.07ce6faf-4.40.x86_64.cpio

Actions #6

Updated by abcd123 about 2 months ago

fixeria wrote:

> 7z works for me:
>
> [...]

My output is --> osmocom-bb-sylvain-burst-ind-firmware-0.0.0.git1391535122.07ce6faf-4.40.x86_64.cpio.lzma

I used unlzma but it says 'decoder error'. Can you please upload the cpio file here?

Actions #7

Updated by abcd123 about 1 month ago

abcd123 wrote:

> fixeria wrote:
>
> > 7z works for me:
> >
> > [...]
>
> My output is --> osmocom-bb-sylvain-burst-ind-firmware-0.0.0.git1391535122.07ce6faf-4.40.x86_64.cpio.lzma
>
> I used unlzma but it says 'decoder error'. Can you please upload the cpio file here?

Oh! I did manage to extract the rpm file by using 'alien'. But even after copying the nightly built binaries I am not getting the ccch_scan app to work!! (I am using Motorola C139)

Output (Layer 1 as usual doesn't power up simcard) -:

root@gsm:~/osmocom/t-osmocombb/src/host/osmocon# ./osmocon -p /dev/ttyUSB1 -m c140xor ../../target/firmware/board/compal_e86/layer1.compalram.bin
got 2 bytes from modem, data looks like: 2e 83 ..
got 5 bytes from modem, data looks like: 1b f6 02 00 41 ....A
got 1 bytes from modem, data looks like: 01 .
got 1 bytes from modem, data looks like: 40 @
Received PROMPT1 from phone, responding with CMD

The filesize is larger than 15kb, code on the magic address will be overwritten!
Use loader.bin and upload the application with osmoload instead!

read_file(../../target/firmware/board/compal_e86/layer1.compalram.bin): file_size=49796, hdr_len=4, dnload_len=49803
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 43 C
Received PROMPT2 from phone, starting download
handle_write(): 4096 bytes (4096/49803)
handle_write(): 4096 bytes (8192/49803)
handle_write(): 4096 bytes (12288/49803)
handle_write(): 4096 bytes (16384/49803)
handle_write(): 4096 bytes (20480/49803)
handle_write(): 4096 bytes (24576/49803)
handle_write(): 4096 bytes (28672/49803)
handle_write(): 4096 bytes (32768/49803)
handle_write(): 4096 bytes (36864/49803)
handle_write(): 4096 bytes (40960/49803)
handle_write(): 4096 bytes (45056/49803)
handle_write(): 4096 bytes (49152/49803)
handle_write(): 651 bytes (49803/49803)
handle_write(): finished
got 1 bytes from modem, data looks like: 1b .
got 1 bytes from modem, data looks like: f6 .
got 1 bytes from modem, data looks like: 02 .
got 1 bytes from modem, data looks like: 00 .
got 1 bytes from modem, data looks like: 41 A
got 1 bytes from modem, data looks like: 03 .
got 1 bytes from modem, data looks like: 42 B
Received DOWNLOAD ACK from phone, your code is running now!
^Z

Output (running ccch_scan) -:

root@gsm:~/osmocom/t-osmocombb/src/host/layer23/src/misc# ./ccch_scan -i 127.0.0.1 -a 110
Copyright (C) 2010 Harald Welte <>
Contributions by Holger Hans Peter Freyther

License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Failed to connect to '/tmp/osmocom_sap'.
Failed during sap_open(), no SIM reader
^Z
[2]+ Stopped ./ccch_scan -i 127.0.0.1 -a 110

Actions #8

Updated by abcd123 19 days ago

Hi,
I checked with C118 and I am still not able to capture bursts. Please can anyone help me... which version of Ubuntu, libosmocore etc. to use so that it will work?

Actions #9

Updated by abcd123 19 days ago

Hi,
I used C118 to check whether it works or not, but I am not able to make it
work...

Any more suggestions?

Regards
Abracadabra

On Fri, Oct 15, 2021, 4:32 PM fixeria [REDMINE] <>
wrote:

Issue #5269 has been updated by fixeria.

7z works for me:

> 7z x osmocom-bb-sylvain-burst-ind-firmware-0.0.0.git1391535122.07ce6faf-4.40.x86_64.rpm
> 7z x osmocom-bb-sylvain-burst-ind-firmware-0.0.0.git1391535122.07ce6faf-4.40.x86_64.cpio