diff pirelli/rfcal @ 181:bf4286245c74

Pirelli's RF calibration cracked
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Sun, 13 Jul 2014 01:11:22 +0000
parents
children 827b8977d3c2
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/pirelli/rfcal	Sun Jul 13 01:11:22 2014 +0000
@@ -0,0 +1,52 @@
+The 64 KiB flash sector at 0x027F0000 (the last sector of the 2nd flash bank)
+contains per-unit factory data, including the IMEI and RF calibration values.
+The location of the IMEI record (at offset 0x504) was found back in 2013-07 and
+its encryption was figured out in 2013-11, but it took a bit longer to find the
+RF calibration data.  But I finally found the latter as well.  Here they are:
+
+Hex offset	Corresponding FFS file in TI's canonical version
+----------------------------------------------------------------
+072B		/gsm/rf/tx/ramps.900
+092B		    checksum byte
+092C		/gsm/rf/tx/levels.900
+09AC		    checksum byte
+09AD		/gsm/rf/tx/calchan.900
+0A2D		    checksum byte
+0A2E		/gsm/rf/tx/ramps.1800
+0C2E		    checksum byte
+0C2F		/gsm/rf/tx/levels.1800
+0CAF		    checksum byte
+0CB0		/gsm/rf/tx/calchan.1800
+0D30		    checksum byte
+0D31		/gsm/rf/tx/ramps.1900
+0F31		    checksum byte
+0F32		/gsm/rf/tx/levels.1900
+0FB2		    checksum byte
+0FB3		/gsm/rf/tx/calchan.1900
+1033		    checksum byte
+
+10AF		/gsm/rf/rx/agcparams.900
+10D7		    checksum byte
+10D8		/gsm/rf/rx/calchan.900
+10E0		    checksum byte
+10E1		/gsm/rf/rx/agcparams.1800
+1109		    checksum byte
+110A		/gsm/rf/rx/calchan.1800
+1112		    checksum byte
+1113		/gsm/rf/rx/agcparams.1900
+113B		    checksum byte
+113C		/gsm/rf/rx/calchan.1900
+1144		    checksum byte
+
+Each calibration record is followed by a checksum byte.  It is a simple ripple-
+carry sum of all bytes in the preceding record.  Note that this checksum byte
+is always 0 for the ramps records, as each correctly-formed ramp adds up to 128
+(0x80), and the array has an even number of ramps in total.
+
+The following still remain to be located:
+
+/gsm/rf/afcdac
+/gsm/rf/afcparams
+
+I don't expect major difficulty in finding them; I just haven't got around to
+studying this part of the calibration system yet.
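Review bot: "simple ripple-carry sum" (line "+Each calibration record is followed by a checksum byte.") is ambiguous between a plain 8-bit sum modulo 256 and a sum with end-around carry; the argument that the ramps checksum is always 0 (each ramp summing to 0x80, with an even number of ramps) only holds for the plain mod-256 sum, so state the arithmetic exactly, e.g. "the sum of all bytes in the record, truncated to 8 bits". Two smaller documentation points in the table: the "Hex offset" header should say the offsets are relative to the start of the 0x027F0000 sector (as the IMEI offset 0x504 evidently is), and the record lengths implied by the offsets (0x200 bytes for ramps, 0x80 for levels and tx calchan, 0x28 for agcparams, 8 for rx calchan) are worth stating explicitly, together with a note that the bytes between 0x1034 and 0x10AE are not accounted for.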