the omap-based phones are the easiest to experiment with;
the xda-1 and xda-2 are predecessors which are somewhat different, but use a similar code base.
both gsm stacks were created by condat/TI.
source code of an old version of the gsm stack can be found in the .iso file on this page
(or google for plabs+gsm)
from that source code i could find the locations of many interesting internal data structures in memory.
on the omap phones the gsm side uses a shared memory area to communicate with the windows ce side and to load code,
so you can modify gsm code and data while the device is running.
some tips for reverse engineering the gsm rom
the rom is based at offset 0; this causes some problems, because ida will treat small numeric constants as offsets into the rom
there is ram at 0x00800000 - 0x00880000
there is ram at 0x01000000 - 0x01100000
the gsmdata area is copied from diskonchip to 0x01010000
at 0x2000 there is initialization data for the ram with format:
there is a large block copied from about 0x290000 -> 0x821000
(the code doing the copy is usually the function called just before the one
that processes the data at 0x2000; it is called from within the first 1024 bytes
of code in the rom)
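the memory map above is enough to build a small helper for the two problems the notes mention: deciding whether a 32-bit word in the rom image is a pointer into ram or just a small constant that ida would mistake for an offset, and translating a runtime ram address inside the copied block back to the rom offset it was copied from. the script below is an added example written for these notes, not code from the original page or from the phone's firmware. the region boundaries are the ones stated above; the size of the copied block is not given on the page, so COPIED_BLOCK_SIZE is a placeholder assumption that should be replaced with the length read out of the copy routine, and the sample rom image is constructed inline.

```python
import struct

# region boundaries as stated in the notes
ROM_BASE = 0x00000000
RAM1 = (0x00800000, 0x00880000)
RAM2 = (0x01000000, 0x01100000)
GSMDATA_DST = 0x01010000      # gsmdata area copied here from diskonchip
COPY_SRC = 0x00290000         # "about" 0x290000 per the notes
COPY_DST = 0x00821000
# ASSUMPTION / placeholder: the page does not give the length of the
# copied block; read it from the copy routine and replace this value.
COPIED_BLOCK_SIZE = 0x10000


def classify(value, rom_size):
    """Say which region a 32-bit word points into.

    Values below rom_size are reported as 'rom?' because, with the rom
    based at 0, a small constant and a rom offset look identical; that is
    exactly the ambiguity ida trips over.
    """
    if RAM1[0] <= value < RAM1[1]:
        return "ram1"
    if RAM2[0] <= value < RAM2[1]:
        return "ram2"
    if ROM_BASE <= value < ROM_BASE + rom_size:
        return "rom?"
    return "constant"


def runtime_to_rom_offset(addr, rom_size):
    """Map a runtime address to the rom file offset holding its bytes.

    Addresses inside the block copied to 0x821000 are mapped back to the
    source region around 0x290000; rom addresses map to themselves; other
    ram addresses (e.g. gsmdata, which comes from diskonchip, not the rom)
    have no rom offset and yield None.
    """
    if COPY_DST <= addr < COPY_DST + COPIED_BLOCK_SIZE:
        return COPY_SRC + (addr - COPY_DST)
    if ROM_BASE <= addr < ROM_BASE + rom_size:
        return addr - ROM_BASE
    return None


def scan_ram_pointers(rom_image):
    """Scan 4-byte aligned little-endian words (OMAP is little-endian ARM)
    and return (offset, value, region) for every word that lands in ram.

    Such words are good starting points for finding the copy loop and the
    code that initialises the ram from the table at 0x2000.
    """
    hits = []
    for off in range(0, len(rom_image) - 3, 4):
        (value,) = struct.unpack_from("<I", rom_image, off)
        region = classify(value, len(rom_image))
        if region in ("ram1", "ram2"):
            hits.append((off, value, region))
    return hits


# constructed sample "rom image": a small constant, a pointer into the
# copied block, the gsmdata address, and an ARM nop (mov r0, r0)
SAMPLE_IMAGE = struct.pack("<IIII", 0x00000004, COPY_DST, GSMDATA_DST, 0xE1A00000)

if __name__ == "__main__":
    for off, value, region in scan_ram_pointers(SAMPLE_IMAGE):
        print(f"rom+0x{off:06x}: 0x{value:08x} -> {region}")
    print(hex(runtime_to_rom_offset(0x821010, 0x400000)))
```

run it against a real dump by replacing SAMPLE_IMAGE with the rom file contents; the 'rom?' class is deliberately kept separate so you can decide per site whether ida's offset guess was right.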