Running FreeCalypso firmware on Motorola C1xx phones
====================================================

Before we begin, it needs to be noted that running FreeCalypso fw on a C1xx
phone is very much akin to xenotransplantation: Mot C1xx hardware is an alien
to our FreeCalypso family (our native hw targets are those made by TI, Openmoko
and us, not Motorola or Compal), and our non-Compal-based, non-Mot-based
FreeCalypso fw is equally alien to the C1xx phones. The xenotransplantation
procedure of converting a C1xx phone to FreeCalypso is highly unnatural, and
involves a large number of cumbersome manual steps - you've been warned.

Preparing the host system
=========================

Firmware flashing on Mot C1xx phones is accomplished through the headset jack
via a special cable. There is no need to disassemble the phone in any way or
to do any soldering or other hardware surgery, but you will need a host system
to run the multitude of special software tools that are involved in the
procedure. You will need to begin by installing FreeCalypso host tools: the
current version of our FC-to-C1xx xenotransplantation procedure for the lower
C1xx subfamilies (the additions from the previous version are RF calibration
data migration and battery charging configuration) requires fc-host-tools-r8 or
later, or if you are working on a C155 or C156 phone, you will need our very
latest fc-host-tools-r9a release:

ftp://ftp.freecalypso.org/pub/GSM/FreeCalypso/fc-host-tools-r9a.tar.bz2

You will also need our battery charging configuration files:

https://bitbucket.org/falconian/fc-battery-conf

Run 'make install' in the fc-battery-conf tree to add the battery charging
configuration files to your FC host tools installation under /opt/freecalypso.

Flash backup and data gathering
===============================

Before you begin the actual conversion of your C1xx phone to FreeCalypso, you
will need to gather the following pieces of information:

* The phone's IMEI - we don't know how to extract it out of Mot/Compal's
  non-TI flash data structures, so you will have to reset it manually after the
  firmware change. Of course you can set your "new" FreeCalypso IMEI to
  whatever you feel like, but if you wish to keep the original factory-assigned
  one, you will need to note it down manually, either from the sticker inside
  the battery compartment (*very* hard to read!) or by booting the phone up
  with its original fw prior to the conversion, entering *#06# and reading it
  from the display.

* Your specific phone's factory RF calibration values: you will need to make a
  dump of your phone's flash memory (also serves as a backup, always a good
  thing to have) with fc-loadtool and extract the numbers of interest with our
  c1xx-calextr utility, which is part of the new FC host tools.

* You need to know whether your phone has 900+1800 MHz or 850+1900 MHz bands -
  you will need to communicate this information to the new fw after the
  conversion. To the best of our knowledge, all C11x/12x and C140 phones have
  900+1800 MHz bands, but C139 phones have been made in both versions. On the
  phones that have passed through our hands so far, the first two digits of the
  IMEI have been 35 on 900+1800 MHz phones and 01 on 850+1900 MHz ones.

* For the lower C1xx subfamilies only: you need to know whether your phone has
  2 MiB or 4 MiB flash. To the best of our knowledge, all C139/140 phones have
  4 MiB flash, but C11x have been seen with both 2 MiB and 4 MiB flashes. The
  flash memory size will be autodetected by fc-loadtool as part of making the
  flash dump.
  C155 and C156 phones have 8 MiB flash.

The Mother's method for keeping track of these per-phone bits of information is
to create a separate directory for each phone with the IMEI as the directory
name; the flash dump and the RF calibration bits extracted from it will then
reside in that directory, while the IMEI is in the name of the directory itself.

Once you have created your per-phone directory and cd'ed into it, you are ready
to run fc-loadtool to capture the flash dump. The phone needs to be off, but
the battery needs to be present and have some charge in it; with the phone off,
connect the serial cable between your host computer and the phone's headset
jack, and run fc-loadtool as follows:

C11x/12x: fc-loadtool -h compal /dev/ttyXXX
C139/140: fc-loadtool -h compal -c 1004 /dev/ttyXXX
C155/156: fc-loadtool -h c155 /dev/ttyXXX

Change /dev/ttyXXX to the serial or USB-serial device corresponding to your
serial cable. With the serial cable connected, the phone in the powered-off
state and the fc-loadtool process running and waiting for the phone, press the
red power button on the phone - a momentary press is sufficient and recommended.

Once the phone boots the loadagent code fed to it serially by fc-loadtool and
you land at the loadtool> prompt, issue the following command:

flash dump2bin flashdump.bin

Given this command, fc-loadtool will autodetect whether your phone has 2 MiB or
4 MiB flash (for the lower C1xx subfamilies), then make a dump of the complete
content of this flash memory and save it in a file named flashdump.bin in the
current directory. When this operation completes, exit the loadtool session
with the exit command - it will also cleanly power the phone off.

The next step is to extract the RF calibration values.
Run a command of the following form:

c1xx-calextr -b rfbin flashdump.bin <offset>

For the lower C1xx subfamilies, change <offset> to 0x1FC000 if your phone has
2 MiB flash (the size of flashdump.bin is 2097152 bytes) or 0x3FC000 if it has
4 MiB flash (the size of flashdump.bin is 4194304 bytes). For C155/156 the
correct offset is 0x7E0000. The stdout scribbles from c1xx-calextr will
indicate which per-band calibration records it finds (from which you can tell
if the phone has 900+1800 MHz or 850+1900 MHz bands if you didn't have this
knowledge already), and a directory named rfbin will be created, containing the
correct subtree of directories and files which will need to be uploaded into
the new FreeCalypso flash file system (FFS) under /gsm/rf after the firmware
change.

Selecting and building the desired firmware config
==================================================

There is only one FC Magnetite firmware configuration for C11x/12x phones, but
for the better C139/140 phones (or for C155/156) there are several to choose
from. The following two configs are the currently recommended ones:

hybrid-vpm
    This config is available for all 3 C1xx subfamilies, although the actual
    fw images are different for each. In this configuration the converted
    phone acts not as an end user phone, but as a voice pseudo-modem that
    needs to be controlled by a host computer via a serial cable to do
    anything interesting. See the Voice-pseudo-modem article for more
    information.

hybrid-ui-vo
    This config is available only for the C139/140 target, not for the other
    two. This configuration includes the UI layers, thus when a C139/140
    phone runs this firmware, it is able to function as an untethered phone
    without a host computer connection.
    However, please be warned that this proof-of-concept UI is nowhere close
    to being practically usable - see the Handset-goal article for more info.

Both of the above are hybrid configurations in that they use the new TCS3
versions of the G23M protocol stack and ACI (Application Control Interface)
firmware components grafted on top of the TCS211 chipsetsw foundation, resulting
in a fully built-from-source configuration without major blob components. The
UI layers BMI and MFW in the UI-enabled hybrid-ui-vo config also come from the
new TCS3 source, not the old version of unknown origin. They are "voice only"
configs in that CSD, fax and GPRS functions are disabled - these functions
cannot be made use of on Mot C1xx phones, and disabling them significantly
reduces the weight of the firmware.

For the C139 and C155 targets (but not for C11x/12x), it is also possible to
build some of the older configs that use the old binary blob version of the
G23M PS component and the corresponding old versions of ACI, MFW and BMI on top
of it - however, those configurations are now officially deprecated except for
only two remaining use cases which do not apply to Mot C1xx targets, hence they
are no longer supported officially.

Thus we have a total of 4 possible build configurations, one for the C11x/12x
target, 2 for C139/140 and 1 for C155/156:

./configure.sh c11x hybrid-vpm
./configure.sh c139 hybrid-vpm
./configure.sh c139 hybrid-ui-vo
./configure.sh c155 hybrid-vpm

See the Compiling article for more information on how to compile your own
firmware image in one of the above configurations.

Bootloader change on the lower C1xx subfamilies
===============================================

This section applies ONLY to C11x/12x and C139/140 subfamilies; it does NOT
apply to the C155/156 subfamily.

If this is your first time converting a given lower-C1xx phone from its original
firmware to FreeCalypso (as opposed to updating from an earlier FC firmware
version), you will also need the compal-flash-boot-for-fc.bin
bootloader image in addition to the main fw image you just built:

ftp://ftp.freecalypso.org/pub/GSM/FreeCalypso/compal-flash-boot-for-fc.bin

Mot C1xx phones are brickable - because the Calypso boot ROM is disabled by PCB
wiring, the ability to reflash a phone with new firmware critically depends on
there being a particular kind of boot code in flash sector 0 at all times - a
particular kind of boot code that allows the boot process to be interrupted and
diverted to external code loaded via the headset jack serial port.

The FreeCalypso family of projects has adopted one specific version of the
flash sector 0 boot code (produced by applying a binary patch to one of
Compal/Motorola's original versions) for use with all of our firmwares for
these phones. We use the same FC-C1xx bootloader on both C11x/12x and C139/140
phones: the official bootloader versions are different between the two (and
moreover, each particular official fw version comes with its own bootloader
version), but the simpler bootloader version which we took from one particular
C11x fw version works perfectly well on the C139 as well, hence we've adopted
it for all combinations.

Once you have our compal-flash-boot-for-fc.bin image flashed in sector 0, you
can then flash whichever FC firmware image you like at offset 0x10000 without
having to touch the dangerous boot sector.

On C155/156 phones the situation is a little different: they are also brickable
with the Calypso boot ROM disabled, but Motorola's original bootloader on these
phones is significantly different from the one on the lower C1xx subfamilies,
and they use a different flash layout: the bootloader in the first 8 KiB sector,
unused flash space between 0x2000 and 0x20000, and the main fw image starting
at 0x20000.
Our FC firmwares for the C155/156 target are built to be flashed
at 0x20000 just like Mot's official ones, and they are designed to receive
control from Mot's original bootloader on this target.

Converting the phone to FreeCalypso fw
======================================

If you are starting with an unhacked C1xx phone running one of the official
firmware versions, the procedure for flashing and bringing up FreeCalypso for
the first time is as follows - *after* you have done all of the preparatory
steps described in the preceding sections:

* Have your phone's battery fully charged - although you will regain the
  ability to charge it with FreeCalypso fw when the conversion is fully
  complete (not just the flashing part, but also the subsequent FFS
  initialization), your phone will not have this charging ability while you
  are in the middle of the xenotransplantation procedure.

* Get in with fc-loadtool just like you did when you made the dump of your
  phone's flash memory for backup and RF calibration data extraction.

* If you are operating on a C11x/12x or C139/140 phone, reflash the boot sector
  with our FreeCalypso version:

  loadtool> flash erase-program-boot compal-flash-boot-for-fc.bin

  DO NOT flash compal-flash-boot-for-fc.bin into C155/156 phones, it is ONLY
  for the lower C1xx subfamilies!

* To flash whichever FreeCalypso firmware image you would like to play with,
  execute the flashing script which the fw build system produced along with
  the actual image:

  loadtool> exec flash-script

* Erase the flash sectors to be used for the FFS (flash file system) by
  FreeCalypso firmwares; the specific command depends on whether your phone
  has 2 MiB, 4 MiB or 8 MiB flash.
  On 2 MiB flash phones:

  loadtool> flash erase 0x1C0000 0x30000

  Or on 4 MiB flash phones:

  loadtool> flash erase 0x3C0000 0x30000

  Or on 8 MiB flash C155/156 phones:

  loadtool> flash erase 0x700000 0xD0000

* Exiting fc-loadtool cleanly will cause it to power off the phone:

  loadtool> exit

Reflashing between different FreeCalypso firmwares
==================================================

By the conventions established in the FreeCalypso family of projects, all of
our firmwares for C11x and C139 targets have the following in common:

* They all stay out of the boot sector and expect to receive control from the
  boot code in the same manner (boot entry point at 0x10058, exception vectors
  at 0x10000), thus there is no need to reflash the dangerous boot sector when
  going from one FC firmware to another.

* They all use the same aftermarket FFS configuration of 3 sectors of 64 KiB
  each (64x3) at 0x3C0000 on 4 MiB flash phones, or at 0x1C0000 on 2 MiB flash
  phones. This FFS location is deliberately different from the one used by
  Mot/Compal's firmwares, eliminating the possibility of one fw trying to use
  the FFS created by the other, and by putting our FFS toward the end of the
  flash we maximize the amount of flash space available for our firmware code
  images.
  But even though we don't share our FFS with Mot/Compal's official
  firmwares, we do share the same FFS between all of FreeCalypso firmware
  projects - thus once you have initialized your FFS (see below) with one FC
  firmware version, it will work with the others as well.

If you need to reflash your C1xx phone from one FC firmware version to another,
simply get in with fc-loadtool -h compal (no more need for the inefficient
-c 1003 or -c 1004 options or for tfc139) and reflash just the fw image part:

loadtool> exec flash-script

First boot of the firmware
==========================

Connect the serial cable, but instead of running fc-loadtool, run rvinterf.
Press the red power button on the phone briefly just like you would for
fc-loadtool entry. Because there is no fc-loadtool running on the host end of
the serial cable, the boot path will *not* be diverted in the bootloader, and
the main fw image will run - and this time it will be the FreeCalypso firmware
you have compiled and flashed.

If the fw you have flashed is the UI demo configuration, the phone must have
*NO* SIM in it the first time you boot it. UI-enabled fw configurations
automatically bring up the GSM radio and try to connect to the default network
on boot if there is a SIM present, and you don't want your firmware trying to
connect to a real live GSM network when you haven't initialized your FFS yet.
If the fw you have flashed is one of the AT-command-controlled pseudo-modem
configurations, then you don't need to worry if the SIM is there or not on your
first boot - just don't command it to connect to a network until you have
initialized the FFS.

If you have flashed a non-UI firmware version, the phone's LCD will remain dark
as there is no LCD driver code in this firmware, but you will see trace output
in the rvinterf window, telling you that the fw is running.

Before you do anything else, you will need to run fc-fsio and initialize the
aftermarket FFS for our firmware:

fsio> format /
fsio> mk-std-dirs
fsio> set-imeisv fc XXXXXXXX-YYYYYY-ZZ (punctuation optional, place anywhere)
fsio> set-rfcap dual-eu (if you have 900+1800 MHz hardware)
or
fsio> set-rfcap dual-us (if you have 850+1900 MHz hardware)

then additionally:

fsio> upload-subtree rfbin /gsm/rf
fsio> write-charging-config /opt/freecalypso/charging/c1xx/standard

The last two commands are new with the 2018-01 revision of the FC-to-C1xx
xenotransplantation procedure. The upload-subtree command uploads the RF
calibration values which you had extracted earlier with c1xx-calextr (the
instructions assume that you are running from the same directory where the
rfbin directory subtree had been created earlier), and this step is necessary
in order for your phone to continue to transmit at the correct power levels
after the conversion.
The write-charging-config command uploads the configuration settings for the
FCHG battery charging driver, without which it cannot charge the battery; you
must have the charging config files from the fc-battery-conf tree installed
under /opt/freecalypso in order for this command to work as given.

It needs to be noted that the battery charging config settings uploaded with
fc-fsio write-charging-config take effect only on the next boot cycle of the
firmware, i.e., until the next reboot after the write-charging-config operation,
the firmware won't charge the battery even if there is a charging power source
plugged in.

After you've initialized your FFS as above, you should exit fc-fsio, and your
next steps will depend on which fw configuration you are playing with. If it's
the sans-UI pseudo-modem configuration, run fc-shell and try some AT commands:

AT+CMEE=2 -- enable verbose error responses
AT+CFUN=1 -- enable radio and SIM interfaces
AT+COPS=0 -- register to the default GSM network

When you are done, you can power the phone off by sending a 'poweroff' command
through fc-shell, or you can kill rvinterf or unplug the serial cable and wait
for the firmware to power off by the keepalive timeout after some 15 to 20 s.

If you are playing with the UI demo firmware, after you have initialized your
FFS, you can power the phone off with the power button, insert a SIM, power it
back on and play with the primitive UI.

Updating from previous versions
===============================

If you had previously initialized your aftermarket FFS using an earlier version
of these instructions, before we added the RF calibration and charging config
upload steps, you need to add these bits to your FFS.
Update to the latest FC host tools, extract the factory RF calibration values
from a dump of your phone's flash with c1xx-calextr, add the battery charging
config files to your /opt/freecalypso installation, boot the phone with
rvinterf, get in with fc-fsio and run the last two upload-subtree and
write-charging-config commands as above.

Recalibration
=============

In the interest of completeness, it needs to be noted that extracting Motorola's
original factory RF calibration values and reusing them for FreeCalypso is not
the only way: the other alternative is to perform a fresh calibration using a
Rohde&Schwarz CMU200 RF test machine and FreeCalypso RF calibration software
(fc-rfcal-tools). This approach will yield superior results, but the
requirement of having a CMU200 instrument which is itself properly calibrated
and a cabling setup with the right adapters whose insertion loss at particular
GSM frequencies is precisely known makes this approach feasible only for
professional FreeCalypso service shops, not for ordinary individual users.
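
The offsets and loadtool commands given in the "Flash backup and data
gathering" and "Converting the phone to FreeCalypso fw" sections depend on the
phone subfamily and flash size, and the boot sector step must never be applied
to a C155/156. The shell helper below is an added example, not part of the
FreeCalypso host tools or of the original document: it checks the size of the
flash backup against the model and prints the first-conversion command
sequence for that phone. The function names c1xx_layout and c1xx_plan and the
script name are made up for this example; the offsets and commands are the
ones stated above.

```shell
#!/bin/sh
# Added example: per-phone offsets and first-conversion command sequence,
# derived from the model (c11x, c139 or c155, as in ./configure.sh) and
# the size of the flash backup made with "flash dump2bin".

# c1xx_layout MODEL SIZE_BYTES
# Prints "CAL_OFFSET FFS_START FFS_LEN"; fails on any combination this
# document does not describe (e.g. a truncated dump or the wrong model).
c1xx_layout() {
    case "$1:$2" in
        c11x:2097152|c139:2097152) echo "0x1FC000 0x1C0000 0x30000" ;;
        c11x:4194304|c139:4194304) echo "0x3FC000 0x3C0000 0x30000" ;;
        c155:8388608)              echo "0x7E0000 0x700000 0xD0000" ;;
        *) echo "no known layout for model '$1' with a $2-byte dump" >&2
           return 1 ;;
    esac
}

# c1xx_plan MODEL DUMPFILE
# Prints the calibration extraction command and the loadtool commands for
# converting this phone from its original firmware.
c1xx_plan() {
    model=$1 dump=$2
    [ -r "$dump" ] || { echo "cannot read $dump" >&2; return 1; }
    size=$(wc -c < "$dump" | tr -d ' ')
    layout=$(c1xx_layout "$model" "$size") || return 1
    set -- $layout      # $1 = cal offset, $2 = FFS start, $3 = FFS length
    echo "c1xx-calextr -b rfbin $dump $1"
    # The boot sector is rewritten on the lower subfamilies only; the
    # C155/156 keeps Motorola's original bootloader.
    if [ "$model" != c155 ]; then
        echo "loadtool> flash erase-program-boot compal-flash-boot-for-fc.bin"
    fi
    echo "loadtool> exec flash-script"
    echo "loadtool> flash erase $2 $3"
    echo "loadtool> exit"
}

# Stand-alone use: sh c1xx-plan.sh c139 flashdump.bin
if [ "$#" -eq 2 ]; then
    c1xx_plan "$1" "$2"
fi
```

Run it from the per-phone directory after making the flash dump; it only
prints commands and does not talk to the phone.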