view compal/audio/reg-read-guide @ 397:421273705a75

se_k200i/reg-read: new data capture
author Mychaela Falconia <falcon@freecalypso.org>
date Sun, 01 Jan 2023 02:48:46 +0000
parents 34490934ff02

Here is an idea: what if we break into a running C139 phone fw with tfc139,
then run fc-loadtool as usual, but instead of operating on the flash, use the
r16 and abbr commands inside fc-loadtool to read out various audio config
settings established by the official fw?  Specifically, use r16 to read out
some DSP API words (AEC and FIR blocks), and use abbr to read Iota ABB
registers dealing with audio.  Why do we need this convoluted route of a
tfc139 break-in followed by fc-loadtool, rather than some easier way?
Answer: C139 and other C1xx firmwares don't have ETM (thus no r16 and
certainly no high-level aur operations).  They do implement the old TM3
protocol, which we use to break in, but their implementation of oabbr is
broken and returns garbage.

DSP NDB start address is 0xFFD001A8, contains AEC control words

d_aec_ctrl should be at 0xFFD001A8 + 0x90 = 0xFFD00238

the 8 words starting with d_cont_filter should be at
0xFFD001A8 + 0x6A2 = 0xFFD0084A

DSP PARAM start address is 0xFFD00862, contains FIR coefficients

UL FIR coefficients: 31 words starting at 0xFFD00862 + 0xA6 = 0xFFD00908
DL FIR coefficients: 31 words starting at 0xFFD00862 + 0xE4 = 0xFFD00946

Iota ABB registers of interest:

VBCTRL1: abbr 1 8
VBCTRL2: abbr 1 11
VBPOP:   abbr 1 10
VBUCTRL: abbr 1 7
VBDCTRL: abbr 0 6
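
Added example (not part of the original guide or of FreeCalypso's tools): a
small script that expands the DSP API address map above into one r16 command
per 16-bit word and checks that the blocks are aligned and do not overlap.
Assumptions: r16 takes a single hex address without a 0x prefix, and
d_aec_ctrl is read as one word.

```python
# Added example: expand the guide's DSP API address map into r16 reads.
# Assumption: r16 reads one 16-bit word at a hex address given without 0x.

NDB_BASE = 0xFFD001A8    # DSP NDB start address (from the guide)
PARAM_BASE = 0xFFD00862  # DSP PARAM start address (from the guide)

# (label, base, byte offset, word count); offsets and counts are the guide's,
# except d_aec_ctrl, which is read here as a single word (assumption).
BLOCKS = [
    ("d_aec_ctrl", NDB_BASE, 0x90, 1),
    ("d_cont_filter block", NDB_BASE, 0x6A2, 8),
    ("UL FIR", PARAM_BASE, 0xA6, 31),
    ("DL FIR", PARAM_BASE, 0xE4, 31),
]


def block_range(base, offset, nwords):
    """Return (start, end) byte addresses of a block of 16-bit words."""
    start = base + offset
    if start % 2:
        raise ValueError(f"0x{start:08X} is not 16-bit aligned")
    return start, start + 2 * nwords


def read_plan(blocks=BLOCKS):
    """Return [(label, command)] with one r16 command per word."""
    ranges = sorted(block_range(b, o, n) for _, b, o, n in blocks)
    for (_, end), (nxt, _) in zip(ranges, ranges[1:]):
        if end > nxt:
            raise ValueError(f"blocks overlap at 0x{nxt:08X}")
    plan = []
    for label, base, offset, nwords in blocks:
        start, end = block_range(base, offset, nwords)
        for i, addr in enumerate(range(start, end, 2)):
            plan.append((f"{label}[{i}]", f"r16 {addr:X}"))
    return plan


if __name__ == "__main__":
    for label, cmd in read_plan():
        print(f"{label}: {cmd}")
```

The last UL FIR word lands at 0xFFD00944, so the 31-word UL block ends
exactly where the DL block begins at 0xFFD00946.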