fc-am-toolkit: comparison doc/C1xx-boot-utils @ 28:58824cef4601
doc/C1xx-boot-utils: new article
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Mon, 12 Jun 2023 06:00:57 +0000 |
| parents | |
| children | |
| 27:9e7ca43275eb | 28:58824cef4601 |
|---|---|
| 1 The present fc-am-toolkit package is mostly shell scripts, automating the | |
| 2 convoluted workflows for running FreeCalypso firmware on alien targets in | |
| 3 aftermarket configurations, but it also contains some C programs for working | |
| 4 with flash images read out of C1xx phones, particularly the bootloader part | |
| 5 which is absolutely critical on these brickable phones. The following 3 | |
| 6 utilities are provided - all 3 are used by c1xx-analyze-image script, but they | |
| 7 may also be useful on their own. | |
| 8 | |
| 9 c139-analyze-boot | |
| 10 ================= | |
| 11 | |
| 12 This program takes a binary file containing either the complete flash dump from | |
| 13 a lower-submodel C1xx phone (C139/140 or C11x/12x) or the beginning of one (must | |
| 14 be at least 0x2064 bytes) and checks it for presence of lower-submodel-C1xx | |
| 15 bootloader code that must be present in the boot sector on these phones. The | |
| 16 program prints a single keyword on stdout, indicating its findings, and exits | |
| 17 successfully. The following 4 classifications are emitted by this program: | |
| 18 | |
| 19 fc | |
| 20 | |
| 21 compal-flash-boot-for-fc.bin bootloader has been identified, the patched | |
| 22 bootloader version we put in sector 0 on these Compal phones when we run | |
| 23 FC firmware on these phones. | |
| 24 | |
| 25 unlocked | |
| 26 | |
| 27 Found one of the lock-free bootloader versions (either C11x or C139), | |
| 28 or found a lockable bootloader version, but the lock word at 0x2060 is | |
| 29 set to 0xDDDDDDDD, meaning unlocked. | |
| 30 | |
| 31 locked | |
| 32 | |
| 33 Found one of the lockable, but otherwise good bootloader versions | |
| 34 (either C11x or C139), and the lock word at 0x2060 contains 0 or some | |
| 35 other value than the needed magic. This status indicates that the flash | |
| 36 image in its given state is boot-locked (bad), but it can be transformed | |
| 37 into a boot-unlocked image with c139-patch-dmagic - see below. | |
| 38 | |
| 39 unknown | |
| 40 | |
| 41 None of the known-good bootloader versions have been identified. The | |
| 42 bootloader you got may be one of the later versions that have been | |
| 43 locked down more heavily, and these flash images are EXTREMELY UNSAFE. | |
| 44 You should NEVER flash any such images back into a phone: our defenses | |
| 45 against bricking don't work with such maliciously modified bootloader | |
| 46 versions, and if you try to flash one (even if you are only seeking to | |
| 47 restore what you originally read out of the flash) and the process gets | |
| 48 interrupted in any way (meaning the full, long process), your phone may | |
| 49 be bricked beyond all recovery! | |
| 50 | |
| 51 If you are able to somehow break into a phone with one of these ultra- | |
| 52 malicious bootloader versions (and you must have been able to break in | |
| 53 somehow, if you got a flash image you are analyzing), the generally | |
| 54 recommended course of action is to make a one-way transition to a | |
| 55 better, non-malicious official Motorola firmware version. | |
| 56 | |
| 57 c139-patch-dmagic | |
| 58 ================= | |
| 59 | |
| 60 This program needs to be run if c139-analyze-boot returned "locked" on your | |
| 61 flash image. This program opens the given binary file in writable mode and | |
| 62 patches the unlocking magic word 0xDDDDDDDD at offset 0x2060, thereby turning | |
| 63 the locked flash image into an unlocked one. If the image you've read out of | |
| 64 flash is a locked one, as determined by c139-analyze-boot, and you wish to | |
| 65 reflash that same fw version back into your phone (or into a different phone), | |
| 66 you MUST unlock the image with c139-patch-dmagic before flashing it with | |
| 67 fc-loadtool - if you proceed with flashing a locked image, you will have a very | |
| 68 high chance of bricking your phone (beyond all recovery!), as our regular | |
| 69 defenses against bricking don't work with locked bootloaders. | |
| 70 | |
| 71 c155-analyze-boot | |
| 72 ================= | |
| 73 | |
| 74 This program is a very simplified logical equivalent of c139-analyze-image for | |
| 75 C155/156 subfamily. Perhaps it is because these phones are less common, but I | |
| 76 (Mother Mychaela) have not yet encountered any locked or otherwise modified | |
| 77 versions of C155/156 bootloader beyond the one known classic version. | |
| 78 c155-analyze-boot currently checks for this one known bootloader version, and | |
| 79 prints "ok" if the image matches or "unknown" otherwise. |
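Review bot: the program name on doc line 74 is inconsistent with the rest of the article: the C155/156 tool is described as the logical equivalent of "c139-analyze-image", but the tool documented above is c139-analyze-boot (c1xx-analyze-image on line 6 is the wrapper script that calls all three utilities), so this reference should read "c139-analyze-boot". A second documentation point concerns the c139-patch-dmagic section (lines 60-69): the text says the program is to be run only after c139-analyze-boot returned "locked", but it does not say whether the tool itself re-checks the bootloader identification before writing the magic word at 0x2060. Since an "unknown" image is declared unsafe to flash at all (lines 41-49), the article should state whether c139-patch-dmagic refuses to patch an image that is not one of the known lockable bootloader versions or, if it writes the word unconditionally, say so explicitly so that a patched "unknown" image is not mistaken for an "unlocked" one.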
