The SoC/LTE Modem system consists of three main parts:
This is actually a simplification, because there’s a second, non-Coresonic DSP to handle 2G/3G signal processing (a Faraday Technology FD216), but I’m not interested in that. Also, it seems the BP won’t be a Cortex-R4 in future devices, as MediaTek has signed an agreement with Imagination Technologies to license some MIPS CPU core for the LTE BP in the upcoming Helio X30 (MT6799) and later SoCs, but that doesn’t matter now because the cheaper SoCs aren’t using them yet.
From what I’ve been able to glean from kernel sources and disassembled binaries, the AP and the BP share some memory for loading the BP firmware, DMA, and IPC (through virtual serial ports). They also appear to share access to certain peripherals, like the UART and UICC interfaces. The BP has either some or all of the DSP’s memory space mapped, and I think the AP may be able to access that directly (for, e.g., DSP memory dumps), but I’m not entirely sure.
- Cellular RF Frontends (RFICs)
  - MT6169
- Connectivity RF Frontends (RFICs)
  - MT6625
  - MT6631
- Antenna Switches
  - Any Skyworks SKY77xxx-xx IC
- Power Management ICs (PMICs)
  - MT6328
  - MT6351
The cellular RF frontends have two main functions:
- Convert between the low-IF/zero-IF signals the SoC transmits/receives and the much higher-frequency cellular RF signals.
- Filter and amplify the transmitted and received cellular signals.
It’s important to know that the cellular RF frontends only perform these tuning, filtering, and amplification functions, plus a few smaller functions—they don’t do any ADC/DAC, so the signals shared between the SoC and them are entirely analog.
The connectivity RF frontends are similar to the cellular RF frontends, but handle WiFi, Bluetooth, and GNSS instead. Like with the cellular RFICs, the amplified, filtered, and shifted RF signals for these functions are sent into the SoC for further processing. In addition to that, the connectivity RFICs also include a full FM radio receiver which contains a demodulator DSP.
The antenna switches take the large number of TX/RX signals from the cellular RF frontend and multiplex them over a smaller number of antennas. This way a phone only needs 1-3 cellular antennas instead of 10+ antennas.
The power management ICs are sort of "kitchen sink" ICs—in addition to performing typical power management functions like DC-DC conversion, battery charging, and battery monitoring and management ("fuel gauge"), they perform a number of additional functions:
- Vibration motor driver.
- LED drivers.
- Audio CODEC (ADC/DAC).
- AUXADC for accessory detection/temperature sensing.
- Real-time clock.
- Extra GPIO.
To summarize, the PMIC handles most of the higher-power analog functionality that isn’t already handled by the RFICs or the SoC itself.
MediaTek uses a lot of acronyms in their code and documentation but rarely expands them, so this glossary is my attempt at fixing that. Please note that some of these entries are complete guesses.
- AICE: Andes ICE. This is a JTAG adapter/"In-Circuit Emulator" made by Andes Technology.
- AP: Applications Processor. The CPU cores that Android/Linux run on.
- BP: Baseband Processor. The cellular modem.
- BROM: Boot ROM. The mask ROM baked into the silicon of the SoC that holds the first code executed by the CPU. As it is a ROM, it is completely immutable.
- C2CRF: "Coresonic to Cortex-R(4)F"? "Core to Core RF"? Related to access between the CR4 and the Coresonic core, meant for debugging.
- CCCI: Cross Core Communication Interface. This is the memory/DMA interface through which the AP and the BP communicate.
- CCIF: Cross Core Interface.
- CCPU: Control CPU. This refers to the custom control CPU in the GCPU. It has a 22-bit instruction set, 32 general purpose 32-bit registers, instruction ROM, instruction RAM, and data RAM.
- CLDMA: Control Layer DMA.
- CONN: "Connectivity", usually refers to the connectivity subsystem. The connectivity subsystem includes the WiFi CPU core and possibly the Bluetooth CPU as well.
- CQDMA: Command-Queue DMA. This is what MediaTek calls their DMA controller.
- DA: Download Agent. In the official MediaTek USB-based eMMC flashing flow, the DA is code loaded over USB by the preloader (which itself may be loaded over USB in BROM USB Download Mode) that interacts with the host software to read from/write to eMMC.
- DAA: "Download Agent Authentication"? When this is enabled, the BROM will authenticate the DA before executing it.
- DBF: DSP Binary Filter. As the name implies, this is binary filter data that is loaded into and parsed by the firmware running on the Coresonic DSP.
- DCM: Dynamic Clock Management.
- DEM: Debug Exchange Module/Data Exchange Module. This is a hardware block with registers that control reset, clocking, and I/O selection for the debug subsystem. For example, the JTAG enable/disable registers are part of this module.
- DEVAPC: Device Access Permission Control.
- DPM: DRAM Power Manager.
- DSP: Digital Signal Processor.
- GCE: Global Command Engine. A SoC peripheral that can be used to program registers with strict timing requirements.
- GCPU: General Copy Protection Unit. A SoC peripheral used for decrypting encrypted media. It has a microcontroller core (CCPU) with some ROM, SRAM, and hardware accelerators for AES, SHA, MD5, RC4, DES, CRC32, DMA, etc.
- GCU: GPRS Cipher Unit. An accelerator for cryptographic ciphers used in some GSM protocols.
- HACC: Something to do with Anti-Clone or secure boot? Can do AES encryption/decryption. I think these regs are a subset of SEJ, or maybe "HACC" is another term for "SEJ".
- HIF: Host Interface. This is the interface between the SoC and the Connectivity (WLAN/BT/GPS) core. The HIF is an abstraction layer over the physical interface (AHB/eHPI/PCIe/SDIO/USB).
- INFRACFG: "Infrastructure system configuration". Refers to the block of registers that control reset, clocking, and some miscellaneous control signals.
- M4U: Multimedia Memory Management Unit. This is what MediaTek calls their IOMMU.
- MCU: Used to refer to different processor subsystems. e.g., "APMCU" refers to the main AP core cluster, while "MDMCU" refers to the BP CPU. "MCUSYS" seems to refer to the AP MCU system.
- MCUPM: MCUSYS Power Management.
- MFG: MFlexGraphics. Refers to the 3D GPU subsystem.
- MSDC: Used to refer to their EMMC/SD card controller core. Possibly "MediaTek SD Controller".
- PCM: Programmable Command Master. This refers to the custom power management CPU in the SPM. It has a 32-bit variable-length instruction set, 17 registers (r0-r15 + zero register r31), and instruction RAM.
- RXDFE: "RX Digital Front End"?
- SBC: "Secure Boot Code"? Refers to secure boot functionality. When this is enabled, the BROM will only load and run properly signed boot code.
- SEJ: Security Engine with JTAG control. Has some regs to control JTAG enable/disable. Also has some encryption/decryption functionality (maybe encrypted JTAG?). See also: HACC.
- SIB: System Interface Box. A custom SWD/JTAG adapter used by MediaTek? Or a hardware component inside the SoC’s debug subsystem?
- SLA: Serial Link Authentication. Some challenge-response auth to authenticate the program loading the DA? Challenge-response auth to authenticate the program communicating with the BROM? When this is enabled, it disables Download Agent (DA) functionality in the BROM.
- SPM: System Power Manager. A SoC peripheral used for power management. Contains a custom microcontroller core (PCM) that can manage the power states of the main CPUs, DRAM, and other peripherals in order to support system suspend, deep sleep/idle, etc.
- SST: System Stability Tracker. This is the name of the system trace functionality included in the BP firmware.
- SWLA: Software LA (Logic Analyzer?). It seems to be some kind of debug functionality in the BP firmware.
- TRNG: True Random Number Generator. A SoC peripheral that generates (hopefully) cryptographically-secure random numbers.
- WMT: Wireless Management Task. Refers to the WiFi/Bluetooth drivers/API.
- 2007: MediaTek acquires Analog Devices' cellular chip operations.
- 2012: MediaTek acquires Coresonic, a DSP IP core company.
- 2014: MediaTek releases their first LTE modem, the MT6290.
- Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices
  - More of an analysis of the kernel and userspace side of things and not so much about the modem firmware, but still very good and helpful.
- "Reverse engineering MT8173 PCM firmwares and ISA for a fully free bootchain"
- Black box reverse engineering for unknown/custom instruction sets
  - "Reversing the ADF7242"
    - Good talk on how to reverse engineer ISAs in general.
  - Reverse engineering of binary programs for custom virtual machines
    - Another good ISA reverse engineering talk.
  - reverse-engineering a custom, unknown CPU from a single program
    - Explains how, for a CTF competition, a custom ISA was reverse-engineered with only access to the executed binary and a running, remote instance of the code.
    - By interacting with the code, they could observe how the code behaved and map its functionality, which enabled them to search for those patterns of functionality in the binary.
  - Security Vulnerabilities of Digital Video Broadcast Chipsets
    - This talk is primarily about DVB chip security, but it does include some discussion of ISA reverse engineering techniques.
    - "JMP and LOAD/STORE instructions sufficient to discover the meaning of all other instructions":
      - "JMP from firmware to user’s code path"
      - "STORE the contents of registers (firmware context)"
      - "LOAD user’s environment (contents of registers)"
      - "EXECUTE unknown SLIM Core instruction opcode"
      - "STORE user’s environment (contents of registers)"
      - "LOAD the contents of registers (firmware context)"
      - "JMP back to firmware code path"
- Reversing a Japanese Wireless SD Card - From Zero to Code Execution
- Explains how "Monitor debug-mode" works on ARM.
  - Monitor debug-mode can be used to debug code on targets without accessible/enabled JTAG/SWD pins.
  - This should be useful for debugging code running on the BP’s Cortex-R4 core.
- Marvell Avastar WiFi firmware reverse engineering.
  - Blog post based on an earlier talk
  - Includes tips on fuzzing the firmware.
  - Uses afl-unicorn for fuzzing functions in the Unicorn CPU emulator.
- MediaTek-specific modem information is in section 3.3.
- Fun with the MTK 6573 Baseband (Patching / Replacing)
- Fun with the MTK 6573 Baseband (Patching / Replacing), continued
  - Not much new information here, but still somewhat interesting.
- Mali and Mali-T GPU ISA reverse engineering talks.
  - The design of the Coresonic core seems a lot like a GPU, so some of the techniques discussed here may apply.
  - FOSDEM 2014: lima driver: Opening up the Mali instruction set
  - XDC 2018: Lyude Paul & Alyssa Rosenzweig - Introducing Panfrost
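
The LOAD / EXECUTE / STORE loop quoted above from the DVB chipset talk, sketched as an added example (not code from the talk or from these notes). The `execute` function is a constructed stand-in for the real core, and the `opcode, rd, ra, rb` instruction format, the opcode values, and the candidate operation list are all assumptions made for illustration.

```python
import random

MASK = 0xFFFFFFFF
NREGS = 4

# Constructed stand-in for the unknown core. The harness below never reads this
# table; it only calls execute() and compares register state before and after.
_HIDDEN = {
    0x11: lambda a, b: (a + b) & MASK,
    0x2A: lambda a, b: a ^ b,
    0x3C: lambda a, b: (a - b) & MASK,
    0x07: lambda a, b: a & b,
}

def execute(opcode, rd, ra, rb, regs):
    """EXECUTE step: run one instruction; unassigned opcodes leave state unchanged."""
    out = list(regs)
    op = _HIDDEN.get(opcode)
    if op is not None:
        out[rd] = op(regs[ra], regs[rb])
    return out

# Hypotheses the analyst tests against the observed register diffs.
CANDIDATES = {
    "ADD": lambda a, b: (a + b) & MASK,
    "SUB": lambda a, b: (a - b) & MASK,
    "XOR": lambda a, b: a ^ b,
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "MOV": lambda a, b: a,
}

def infer(opcode, trials=32, seed=1):
    """Return the candidate names consistent with every observed trial."""
    rng = random.Random(seed)
    rd, ra, rb = 0, 1, 2
    alive = set(CANDIDATES)
    for _ in range(trials):
        before = [rng.getrandbits(32) for _ in range(NREGS)]  # LOAD user environment
        after = execute(opcode, rd, ra, rb, before)           # EXECUTE unknown opcode
        # STORE user environment: any register other than rd changing means the
        # simple "rd = f(ra, rb)" model is wrong, so no candidate survives.
        if any(before[i] != after[i] for i in range(NREGS) if i != rd):
            return []
        alive = {n for n in alive if CANDIDATES[n](before[ra], before[rb]) == after[rd]}
    return sorted(alive)

if __name__ == "__main__":
    for opcode in (0x11, 0x2A, 0x3C, 0x07, 0x55):
        print(hex(opcode), infer(opcode))
```

An empty result means none of the listed hypotheses explains the opcode, which is the cue to widen the candidate set or to look for side effects such as flags or memory writes.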