annotate doc/Compal-unlock @ 570:962f0d3a4e7e

gsm-fw/nucleus/tct.S: preparations for hooking in GSM small sleep just like how TI did it
author Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date Sun, 10 Aug 2014 19:24:56 +0000
parents 2d8ab1b0df8d
children 3f67d5bf96ef
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
425
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
1 Using FreeCalypso tools to unlock Motorola C1xx phones
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
2 ======================================================
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
3
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
4 The ultimate goal of the FreeCalypso project is to produce our own complete GSM
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
5 dumbphone firmware which We the People fully own, control and compile from
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
6 source ourselves, running at first on some selected pre-existing hardware
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
7 targets, and then ultimately on our own Free Dumb Phone hardware. While that
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
8 goal is still far past the visible horizon, what can we do in the meantime to
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
9 make our current forced use of existing proprietary dumbphone firmwares a
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
10 little more tolerable? This article presents one such hack: using FreeCalypso
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
11 loadtools to dump the flash content of Compal phones for analysis, including
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
12 TIFFS, and to replace one existing proprietary fw version with another, e.g.,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
13 to remove carrier branding and the associated SIM restriction.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
14
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
15 Serial access
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
16
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
17 Mot C1xx (Compal) phones have a 2.5 mm headset jack that dual-functions as a
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
18 debug/programming serial port. In hardware terms, there is an electrically
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
19 controlled switch (MUX) inside that switches the external jack between the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
20 analog headset signals and the digital serial ones; this switch is controlled
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
21 by a GPIO signal from the Calypso. The hardware power-up state of this switch
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
22 is serial; Mot/Compal's standard fw switches it to headset upon boot, but the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
23 serial setting persists long enough to use it to break into the bootloader.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
24
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
25 Bootloader
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
26
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
27 The Calypso DBB (digital baseband) chip used in these phones has an on-chip
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
28 boot ROM, but it also has a hardware pin that enables or disables this boot
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
29 ROM, and unfortunately these phones have it disabled. If the boot ROM were
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
30 enabled in hardware, it would provide an unstoppable and unbrickable way to
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
31 take control of the device through the externally-accessible serial port like
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
32 we have on Openmoko and Pirelli phones, but unfortunately the hardware we have
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
33 available is not wired that way.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
34
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
35 However, Mot/Compal's standard firmware on these phones includes a bootloader,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
36 a part that executes before any of the rest of the fw image is allowed to
426
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
37 execute or is made use of in any way, and this Compal-specific bootloader has a
425
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
38 provision for interrupting the boot process and diverting it to an externally-
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
39 supplied piece of code loaded over the serial line. Older fw versions have
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
40 this feature enabled unconditionally, but some of the newer versions have a
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
41 malfeature whereby the serial boot interrupt and code download possibility may
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
42 be disabled. Some C1xx phones out in the wild, particularly all North American
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
43 C139s with TracFone branding, have such maliciously-locked firmware in them.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
44
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
45 Fortunately though, these maliciously-locked firmwares (or at least the most
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
46 common TFC139 one) have been found to have another hole through which we can
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
47 break in, as described here:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
48
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
49 http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004451.html
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
50 http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004455.html
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
51
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
52 We can exploit this hole in the TFC139 firmware to gain code execution access
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
53 to the Calypso, and then use the latter to reprogram the flash, replacing the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
54 ultra-malicious firmware with some other version that, although still
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
55 proprietary, is a little less evil.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
56
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
57 Making first contact
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
58 ====================
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
59
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
60 If you have a C1xx phone which you are seeking to free, your first step should
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
61 be to try breaking in with fc-loadtool, using the Compal bootloader method.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
62 With the phone powered off, but containing a charged battery (SIM present or
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
63 absent, doesn't matter), proceed as follows:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
64
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
65 1. Connect the serial or USB-serial cable between your PC or other host and the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
66 target phone's headset jack.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
67
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
68 2. On the host end, run fc-loadtool like this:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
69
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
70 C11x/123: fc-loadtool -h compal /dev/ttyXXX
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
71 C139/140: fc-loadtool -h compal -c 1003 /dev/ttyXXX
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
72 C155/156: fc-loadtool -h c155 /dev/ttyXXX
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
73
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
74 3. Press the power button on the phone. A momentary press is sufficient and
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
75 recommended: the hardware powers up and causes the boot code to run exactly
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
76 the same whether the power button is pressed momentarily or held down.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
77
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
78 Normal phone power-up requires the button to be held down because the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
79 standard firmware does a check fairly late in the boot process to see if the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
80 power button is still held down, and commands the hardware (the ABB) to
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
81 power off if it is not - it is a standard feature to prevent phones from
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
82 turning themselves on inadvertently from accidental momentary presses of
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
83 that button. But if the goal is to cause the boot code to run, but not to
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
84 boot the regular fw all the way, a momentary press is ideal.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
85
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
86 If your phone has a bootloader without the malicious lock in it, the above
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
87 procedure should result in fc-loadtool gaining full access to the target and
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
88 landing you at a loadtool> prompt. You can dump the flash content and analyse
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
89 it, etc. If you would like to change to a different fw version (to remove the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
90 SIM lock / carrier branding or for any other reason), see the corresponding
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
91 later section of this article.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
92
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
93 Alternative method
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
94 ==================
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
95
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
96 If the above procedure fails to gain access to the Calypso because the boot
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
97 code in the phone never offers a serial download opportunity, the alternate
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
98 break-in method should be tried, going through the full running firmware
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
99 instead of just the bootloader part thereof. Proceed as follows:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
100
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
101 1. Remove the SIM (if there was one to begin with) and put the charged battery
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
102 back in. Charge the battery if necessary, using the standard charging
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
103 function of the existing fw.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
104
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
105 2. Power the phone up for normal boot: hold the power button down like a
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
106 regular user would, without fc-loadtool or other serial break-in tools.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
107 The fw will boot up, notice the lack of a SIM, and the display will read
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
108 "SIM card absent" or something to that effect, depending on the fw version.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
109
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
110 3. Key in this magic sequence: **16379#. A hidden "Trace Switch" menu should
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
111 appear, with the choices being "Trace On" and "Earphone". Select "Trace On".
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
112 The electrically controlled hardware switch mentioned earlier in this article
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
113 should now be set back to the UART, bringing the latter out to the headset
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
114 jack. Because Mot/Compal's firmware is based on TI's reference architecture,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
115 the interface presented by the running fw on this serial port is TI's RVTMUX,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
116 albeit at 57600 baud instead of TI's default of 115200.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
117
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
118 4. Connect the headset jack serial cable if it wasn't already connected, and
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
119 run this FreeCalypso hack-utility:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
120
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
121 tfc139 /dev/ttyXXX
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
122
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
123 Compal's firmware has some non-standard commands of their own invention added
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
124 to TI's RVT/ETM interface, and one of these commands is a raw memory write.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
125 Our tfc139 hack-utility will try to break into the phone (gain code execution
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
126 access) by using this Compal ETM command to write a little payload into a
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
127 particular RAM location (beginning of IRAM), and then doing more memory writes
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
128 by the same method, seeking to smash the stack and cause control to be
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
129 transferred to the sent payload by overwriting a function return address on the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
130 stack.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
131
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
132 If the stack smashing hack succeeds, the code injected by tfc139 will send a
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
133 message out the serial port indicating this success, and then re-enable the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
134 Calypso boot ROM and jump to it. Once the boot ROM code gains control, it will
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
135 wait forever for a serial code download following its standard protocol. If
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
136 tfc139 gets the success indication from the target, it will announce this
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
137 success and direct you to run:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
138
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
139 fc-loadtool -h compal -c none /dev/ttyXXX
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
140
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
141 Do as it says. The -c none option tells fc-loadtool to skip compalstage and
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
142 proceed directly to feeding loadagent to the Calypso boot ROM. You should now
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
143 be in full control of the phone via fc-loadtool.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
144
433
2d8ab1b0df8d rvinterf/doc/tfc139.usage: written
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 427
diff changeset
145 There is one additional quirk worth mentioning. It appears that Mot/Compal's
427
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
146 main fw (at least TF's version 8.8.17, which is the version we break into with
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
147 tfc139; other versions are anyone's guess) keeps resetting the RTC alarm
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
148 registers in the Calypso DBB as it runs, always keeping the alarm time in the
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
149 near future relative to the current time. When one breaks into this firmware
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
150 with tfc139 and takes over the control of the device with fc-loadtool, this
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
151 alarm time will almost certainly be reached, and the RTC alarm will go off.
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
152 This alarm has no effect on loadtool operation (i.e., it cannot reset the CPU
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
153 or otherwise wrestle control away from loadtool, so it doesn't add any bricking
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
154 risk), but it has one quite surprising effect upon exit, i.e., when you are
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
155 done with your loadtool session and give it the exit command.
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
156
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
157 Loadtool's configured default exit action for this target is to send a power-off
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
158 command to the Iota ABB, leaving the device cleanly powered off. However, if
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
159 the RTC alarm has gone off previously during the session, the ABB will instantly
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
160 power the phone back on, and put it through a new boot cycle. The firmware
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
161 (again, the only version this stuff can be tested on is the one that works with
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
162 tfc139) handles this special form of boot rather oddly: it proceeds to the same
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
163 end state it would have reached via a normal power button hold-down boot
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
164 (powered on with the "Insert SIM" message on the LCD), but it reaches this state
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
165 almost instantly, without going through the power-on LCD logo and buzz phase.
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
166 Odd, but harmless. This explanation has been included to save other hackers
433
2d8ab1b0df8d rvinterf/doc/tfc139.usage: written
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 427
diff changeset
167 the hours of bewildered head-scratching I spent chasing this quirk down.
427
7e305184b0b4 doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 426
diff changeset
168
425
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
169 Dumping and reloading flash
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
170 ===========================
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
171
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
172 Once you break in with fc-loadtool (either through the bootloader or through
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
173 tfc139), the first step you should do is make a dump (backup) of the flash:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
174
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
175 loadtool> flash dump2bin flashdump.bin
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
176
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
177 Before you do any flash write (erase or program) operations, please realise
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
178 that these phones are brickable. Because the Calypso boot ROM is disabled at
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
179 the board level (Calypso DBB's nIBOOT configuration input is tied high directly
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
180 underneath the BGA package!), when the phone powers up, the ARM7 core starts
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
181 executing instructions directly out of the flash, from address 0. Therefore,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
182 flash sector 0 must contain good working boot code (one that allows serial code
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
183 download access for recovery) at all times. If you erase this sector or fill
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
184 it with some garbage (anything other than good working boot code) and then power
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
185 the phone off or otherwise lose control of it, the phone will be unrecoverably
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
186 bricked!
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
187
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
188 On most C1xx models there seems to be no way to access the Calypso's JTAG
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
189 signals, hence no possibility of using JTAG to unbrick a bricked phone. And
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
190 because the flash chip is a micro-BGA, it is quite unlikely that one could
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
191 successfully desolder it, program it in a standalone flash chip programmer,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
192 and then put it back on the board. Thus if you brick your C1xx phone, then
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
193 most likely it is truly toast. You've been warned!
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
194
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
195 That being said, if your phone came with a maliciously locked bootloader, such
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
196 that you had to use tfc139 to break in, then replacing that bootloader with a
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
197 non-malware version is pretty much a necessity, and taking the chance of
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
198 bricking the phone becomes a necessary risk. Even if the bootloader version in
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
199 your C1xx is free of the locking malfeature, if you need to reflash the main fw
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
200 to a different version, one still needs to erase and reprogram the dangerous
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
201 sector: on C11x/123 and C139/140 the main fw image starts at 0x2000, but the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
202 erase block boundary doesn't come until 0x10000.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
203
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
204 The good news, however, is that fc-loadtool has special support for rewriting
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
205 the boot sector on Compal phones with minimal risk of bricking. The command is:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
206
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
207 flash erase-program-boot binfile [length]
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
208
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
209 The first argument is the name of the file (in straight binary format)
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
210 containing the new boot code; the second argument (always interpreted as hex)
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
211 is the number of bytes to program, always starting at 0. If only one argument
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
212 is given, the length of the file is used instead, which must not exceed the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
213 length of flash sector 0: 64 KiB on C11x/123 and C139/140, or 8 KiB on C155/156.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
214
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
215 This special command minimizes the bricking vulnerability window by loading the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
216 entirety of the new boot code to be programmed into a scratchpad RAM buffer on
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
217 the target first (no problem because it's 64 KiB max), then commanding loadagent
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
218 (the code that actually runs on the Calypso when you use fc-loadtool) to perform
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
219 the "atomic" operation of erasing flash sector 0, then immediately reprogramming
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
220 it with the bits that are already in scratchpad RAM on the phone.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
221
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
222 With this approach the phone will only be bricked if the battery dies or is
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
223 physically yanked out of the phone in the time window between the beginning of
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
224 the erase operation and the last critical bit of the new boot code being
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
225 programmed - on the order of a second or two, or if the flash operations fail
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
226 for some reason. However, the phone will *not* be bricked with this approach
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
227 if the serial connection between fc-loadtool or the target gets broken during
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
228 the window in question, or if the host machine running fc-loadtool crashes: no
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
229 flash operations start until loadtool gives the go-ahead command to loadagent,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
230 and once loadagent receives the latter command, it will proceed till completion
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
231 without caring if loadtool is still there or not.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
232
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
233 Of course the conventional flash erase and flash program-bin commands will be
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
234 happy to operate on flash sector 0 just like any other sector, but doing so is
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
235 NOT recommended, as the window of vulnerability for bricking would then be
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
236 considerably greater.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
237
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
238 Unlocked firmware for C139
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
239 ==========================
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
240
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
241 If your phone is a North American (1900+850 MHz) C139, and you are reading this
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
242 article because it came with Cingular or TracFone branding, whereas you would
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
243 like to use it with SIMs and networks of your own choosing instead, you've come
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
244 to the right place. We have an unlocked and non-carrier-branded (Mot branding
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
245 only) version of the fw that runs on these phones, and you can use FreeCalypso
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
246 loadtools to flash this version into your C139 whether it came with Cingular or
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
247 TF branding originally. Download this file:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
248
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
249 ftp.ifctf.org:/pub/GSM/Compal/c139-unlocked-fw.zip
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
250
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
251 Unzip it, and you'll get c139-unlocked-fw.bin - that is the image you'll need
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
252 to flash into your phone. Get in with fc-loadtool (using tfc139 if necessary
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
253 for locked-down Tracfones) and make a backup of the original flash content.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
254 Then reflash the firmware as follows:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
255
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
256 flash erase-program-boot c139-unlocked-fw.bin 2000
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
257 flash erase 10000 360000
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
258 flash program-bin 2000 c139-unlocked-fw.bin 2000
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
259
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
260 The 3 commands given above will reflash the phone as follows:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
261
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
262 * The first 0x2000 bytes of the firmware image in c139-unlocked-fw.bin comprise
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
263 the boot code. This fw version features the "good" boot code *without* the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
264 access locking malfeature. The erase-program-boot command will erase flash
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
265 sector 0 (the entire 64 KiB sector, as the physics of the flash chip dictates)
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
266 and then immediately reprogram its first 8 KiB with the "good" boot code from
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
267 the unlocked fw image file. The remaining 56 KiB of this sector will be blank
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
268 after this step.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
269
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
270 * The following "regular" flash erase command is to erase the following 54
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
271 sectors (also of 64 KiB each) in preparation for programming the main fw
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
272 image in there.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
273
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
274 * The last command programs the bulk of the fw image into blank flash that has
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
275 been erased by the first two commands.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
276
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
277 I also recommend erasing the old FFS that was maintained by the old fw version,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
278 so that the new fw will automatically format a "virgin" FFS the first time it
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
279 boots:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
280
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
281 flash erase 370000 50000
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
282
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
283 After this procedure the phone should retain its original IMEI and factory RF
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
284 calibration values, as these are stored in the 8 KiB sector at 0x3FC000 which
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
285 is not touched per the above procedure - not in the FFS.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
286
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
287 The same procedure should be followed for flashing all firmwares for C11x/123
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
288 and C139/140 phones. In the case of C11x/123, adjust the length for the "main"
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
289 erase and program operations appropriately for the flash configuration in your
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
290 phone.
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
291
426
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
292 One last word of caution: if you are going to flash some fw version other than
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
293 the unlocked North American C139 one discussed above, please check to see what
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
294 boot code version it includes, and whether or not that version has the
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
295 malfeature of checking the flash word at 0x2060 for the serial access control
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
296 flag. If the fw version you are seeking to play with has boot code with that
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
297 malfeature present, the bricking vulnerability window extends until you not
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
298 only program the new boot code into flash, but also program 0xDDDDDDDD into
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
299 that 0x2060 word. You've been warned.
1060bf70d95d doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents: 425
diff changeset
300
425
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
301 C155/156 differences
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
302 ====================
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
303
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
304 C155/156 phones are nicer than the others in that they use a flash chip with a
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
305 "bottom boot" configuration. C11x/123 and C139/140 use "top boot" flash chips,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
306 which is why the boot code and the first 56 KiB of the main fw image live in
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
307 the same erase block on those phones. The boot code and the control hand-off
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
308 interface between it and the main fw have also been revamped in C155/156 fw,
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
309 and the new structure is:
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
310
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
311 8 KiB sector at 0: contains the boot code
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
312 7 more 8 KiB sectors starting at 0x2000: blank and unused
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
313 64 KiB sector at 0x10000: also blank and unused
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
314 64 KiB sector at 0x20000: beginning of main fw image
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
315
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
316 With this new flash layout, it is now possible to erase and program the main fw
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
317 region starting at 0x20000 without ever erasing the boot code sector or doing
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
318 any writes to it, so there is no bricking vulnerability window at all. (The
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
319 phone can still be bricked though if one types the wrong command and erases the
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
320 boot sector inadvertently, so be careful.)
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
321
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
322 So far the only phones in this family that I laid my hacking hands on have been
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
323 North American C156 units, all from the same seller and batch (hence identical),
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
324 so I don't know if there exist any maliciously-locked boot code versions in
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
325 this family - the boot code in my C156 is free of any malfeatures. But if "bad"
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
326 versions of C155/156 boot code do exist, and if you can break into the phone
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
327 somehow, you can use the flash erase-program-boot command to rewrite the boot
f81a931f9172 doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff changeset
328 code with minimal risk of bricking just like on the other Compal families.