FreeCalypso > hg > freecalypso-reveng
comparison pirelli/rfcal @ 181:bf4286245c74
Pirelli's RF calibration cracked
| author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
|---|---|
| date | Sun, 13 Jul 2014 01:11:22 +0000 |
| parents | |
| children | 827b8977d3c2 |
comparison
equal
deleted
inserted
replaced
| 180:25b54c5ad6c2 | 181:bf4286245c74 |
|---|---|
| 1 The 64 KiB flash sector at 0x027F0000 (the last sector of the 2nd flash bank) | |
| 2 contains per-unit factory data, including the IMEI and RF calibration values. | |
| 3 The location of the IMEI record (at offset 0x504) was found back in 2013-07 and | |
| 4 its encryption was figured out in 2013-11, but it took a bit longer to find the | |
| 5 RF calibration data. But I finally found the latter as well. Here they are: | |
| 6 | |
| 7 Hex offset Corresponding FFS file in TI's canonical version | |
| 8 ---------------------------------------------------------------- | |
| 9 072B /gsm/rf/tx/ramps.900 | |
| 10 092B checksum byte | |
| 11 092C /gsm/rf/tx/levels.900 | |
| 12 09AC checksum byte | |
| 13 09AD /gsm/rf/tx/calchan.900 | |
| 14 0A2D checksum byte | |
| 15 0A2E /gsm/rf/tx/ramps.1800 | |
| 16 0C2E checksum byte | |
| 17 0C2F /gsm/rf/tx/levels.1800 | |
| 18 0CAF checksum byte | |
| 19 0CB0 /gsm/rf/tx/calchan.1800 | |
| 20 0D30 checksum byte | |
| 21 0D31 /gsm/rf/tx/ramps.1900 | |
| 22 0F31 checksum byte | |
| 23 0F32 /gsm/rf/tx/levels.1900 | |
| 24 0FB2 checksum byte | |
| 25 0FB3 /gsm/rf/tx/calchan.1900 | |
| 26 1033 checksum byte | |
| 27 | |
| 28 10AF /gsm/rf/rx/agcparams.900 | |
| 29 10D7 checksum byte | |
| 30 10D8 /gsm/rf/rx/calchan.900 | |
| 31 10E0 checksum byte | |
| 32 10E1 /gsm/rf/rx/agcparams.1800 | |
| 33 1109 checksum byte | |
| 34 110A /gsm/rf/rx/calchan.1800 | |
| 35 1112 checksum byte | |
| 36 1113 /gsm/rf/rx/agcparams.1900 | |
| 37 113B checksum byte | |
| 38 113C /gsm/rf/rx/calchan.1900 | |
| 39 1144 checksum byte | |
| 40 | |
| 41 Each calibration record is followed by a checksum byte. It is a simple ripple- | |
| 42 carry sum of all bytes in the preceding record. Note that this checksum byte | |
| 43 is always 0 for the ramps records, as each correctly-formed ramp adds up to 128 | |
| 44 (0x80), and the array has an even number of ramps in total. | |
| 45 | |
| 46 The following still remain to be located: | |
| 47 | |
| 48 /gsm/rf/afcdac | |
| 49 /gsm/rf/afcparams | |
| 50 | |
| 51 I don't expect major difficulty in finding them; I just haven't got around to | |
| 52 studying this part of the calibration system yet. |