freecalypso-reveng: annotate se_k200i/flash-notes @ 393:6c31d8c54ae4
se_k200i: preliminary analysis
author: Mychaela Falconia <falcon@freecalypso.org>
date: Sun, 06 Nov 2022 01:13:43 +0000
parents: (none)
children: 00f5287db832
SE K200 family phones have 16 MiB of flash total, physically presented to the
Calypso chip as two banks of 8 MiB each. Their official fw architecture uses
the following flash organization:

Flash bank 1, first 64 KiB sector:

This part of the flash naturally contains the boot entry point. The word at
0x2000 equals 1, telling the Calypso boot ROM to move itself out of the way and
perform a watchdog reset, after which the reset entry point is at 0. The code
implemented by SE or their ODM in this flash sector is a boot stage of their
own invention, eventually passing control to the main fw entry point at
0x200000.

Flash bank 1, 64 KiB sector at 0x10000:

This sector holds two items of factory-programmed data, apparently intended to
remain immutable for the lifetime of each hw unit:

7 bytes at 0x10000: the phone's IMEI, format obvious, no obfuscation
1 byte at 0x10007: 0xFF filler
64 bytes at 0x10008: appear to be cryptographically random filler

Flash bank 1 starting at 0x20000:

The main firmware image resides here, entry point right at 0x200000.

Flash bank 2, first 13 sectors of 256 KiB each:

The firmware on this phone model uses classic TIFFS. Their TIFFS organization
is 256x13 (a little smaller than Pirelli's 256x18), sitting at the beginning of
flash bank 2, mapped into Calypso address space at 0x01800000. The FFS design
appears to be self-regenerating: if the fw is booted with all FFS sectors
erased, it will not only format a new FFS like Pirelli's fw does, but also fill
it with all necessary data. In contrast with Pirelli's fw architecture, the FFS
in these SE K200 phones appears to NOT contain any static asset files that must
be loaded externally.

Flash bank 2, area starting at 0x01B40000, right after TIFFS:

This area appears to be an extension of the firmware. Without a lot more
reverse eng work, it is not obvious whether this area contains any executable
code, or only data bits such as UI pixel images, MIDI ringtones, language
strings etc.

Flash bank 2, 64 KiB sector at 0x01FD0000:

This sector holds factory calibration data, including RF, AFC (VCXO) and MADC
calibrations. When the firmware reinitializes a freshly formatted FFS, it must
be copying calibration bits from this sector.

Flash bank 2, 64 KiB sector at 0x01FF0000 (end of flash):

First 0x2C8 bytes: purpose unknown, but they are fed into the hash function
that determines whether or not the firmware is allowed to boot.

8 bytes at 0x01FF02C8: output of some kind of cryptographic hash function

There is a hash function implemented in the custom bootloader in sector 0 (not
studied in detail) whose inputs are the IMEI record at 0x10000, the block of
0x2C8 bytes at 0x01FF0000 and the block of 64 bytes at 0x10008, in this order.
The output must match the 8 bytes at 0x01FF02C8, or the code refuses to boot
and goes into a dead hang instead.
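As an added example (not part of these notes and not a FreeCalypso tool), the layout above expressed as a carving and sanity-check script for a raw 16 MiB dump: it maps bank 2 addresses to file offsets, pulls out each region, flags a dump that is erased or lacks the boot flag before anyone trusts it for a reflash, and assembles the boot-check hash input in the stated order so the check can be verified once the hash function is identified. The bank1-followed-by-bank2 file layout and the 32-bit little-endian reading of the word at 0x2000 are assumptions.

```python
# Added example (not FreeCalypso code): carve the regions the notes describe
# out of a raw 16 MiB K200 flash dump and sanity-check them before trusting
# the dump.  Assumed: the file is bank 1 followed by bank 2, bank 2 is mapped
# at 0x01800000, and the flag at 0x2000 is a 32-bit little-endian word.
import struct

BANK_SIZE = 8 * 1024 * 1024
BANK2_BASE = 0x01800000
REGIONS = {  # name -> (Calypso address, length), numbers as given in the notes
    "boot_flag":   (0x2000, 4),
    "imei":        (0x10000, 7),
    "imei_filler": (0x10007, 1),
    "random64":    (0x10008, 64),
    "tiffs":       (BANK2_BASE, 13 * 256 * 1024),
    "calib":       (0x01FD0000, 64 * 1024),
    "hash_hdr":    (0x01FF0000, 0x2C8),
    "hash_out":    (0x01FF02C8, 8),
}

def addr_to_offset(addr):
    """Map a Calypso flash address to an offset in the bank1||bank2 dump."""
    if 0 <= addr < BANK_SIZE:
        return addr
    if BANK2_BASE <= addr < BANK2_BASE + BANK_SIZE:
        return addr - BANK2_BASE + BANK_SIZE
    raise ValueError(f"address {addr:#x} is not in either flash bank")

def carve(image):
    """Return each named region as bytes; requires a full 16 MiB dump."""
    if len(image) != 2 * BANK_SIZE:
        raise ValueError("expected a 16 MiB dump (two 8 MiB banks)")
    return {name: bytes(image[addr_to_offset(a):addr_to_offset(a) + n])
            for name, (a, n) in REGIONS.items()}

def hash_input(regions):
    """Boot-check hash inputs in the order the notes give: IMEI record, the
    0x2C8-byte block, the 64 random bytes.  The hash itself is unidentified."""
    return regions["imei"] + regions["hash_hdr"] + regions["random64"]

def sanity_check(regions):
    """Findings about the dump; an empty list means it matches the layout."""
    findings = []
    if struct.unpack("<I", regions["boot_flag"])[0] != 1:
        findings.append("word at 0x2000 is not 1: boot ROM would not hand off")
    if regions["imei_filler"] != b"\xff":
        findings.append("byte at 0x10007 is not the 0xFF filler")
    if regions["imei"] == b"\xff" * 7 or regions["hash_out"] == b"\xff" * 8:
        findings.append("IMEI record or hash output is blank (erased flash?)")
    return findings
```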