FreeCalypso > hg > freecalypso-sw
annotate doc/Compal-unlock @ 992:a7b0b426f9ca
target-utils: boot ROM UART autodetection revamped
The new implementation should work with both the familiar Calypso C035
boot ROM version found in our regular targets as well as the older
Calypso F741979B version found on the vintage D-Sample board.
| author | Mychaela Falconia <falcon@ivan.Harhan.ORG> |
|---|---|
| date | Wed, 30 Dec 2015 21:28:41 +0000 |
| parents | 0654212e5c53 |
| children |
| rev | line source |
|---|---|
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
1 Using FreeCalypso tools to unlock Motorola C1xx phones |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
2 ====================================================== |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
3 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
4 The ultimate goal of the FreeCalypso project is to produce our own complete GSM |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
5 dumbphone firmware which We the People fully own, control and compile from |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
6 source ourselves, running at first on some selected pre-existing hardware |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
7 targets, and then ultimately on our own Free Dumb Phone hardware. While that |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
8 goal is still far past the visible horizon, what can we do in the meantime to |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
9 make our current forced use of existing proprietary dumbphone firmwares a |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
10 little more tolerable? This article presents one such hack: using FreeCalypso |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
11 loadtools to dump the flash content of Compal phones for analysis, including |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
12 TIFFS, and to replace one existing proprietary fw version with another, e.g., |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
13 to remove carrier branding and the associated SIM restriction. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
14 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
15 Serial access |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
16 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
17 Mot C1xx (Compal) phones have a 2.5 mm headset jack that dual-functions as a |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
18 debug/programming serial port. In hardware terms, there is an electrically |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
19 controlled switch (MUX) inside that switches the external jack between the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
20 analog headset signals and the digital serial ones; this switch is controlled |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
21 by a GPIO signal from the Calypso. The hardware power-up state of this switch |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
22 is serial; Mot/Compal's standard fw switches it to headset upon boot, but the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
23 serial setting persists long enough to use it to break into the bootloader. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
24 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
25 Bootloader |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
26 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
27 The Calypso DBB (digital baseband) chip used in these phones has an on-chip |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
28 boot ROM, but it also has a hardware pin that enables or disables this boot |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
29 ROM, and unfortunately these phones have it disabled. If the boot ROM were |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
30 enabled in hardware, it would provide an unstoppable and unbrickable way to |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
31 take control of the device through the externally-accessible serial port like |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
32 we have on Openmoko and Pirelli phones, but unfortunately the hardware we have |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
33 available is not wired that way. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
34 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
35 However, Mot/Compal's standard firmware on these phones includes a bootloader, |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
36 a part that executes before any of the rest of the fw image is allowed to |
|
426
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
425
diff
changeset
|
37 execute or is made use of in any way, and this Compal-specific bootloader has a |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
38 provision for interrupting the boot process and diverting it to an externally- |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
39 supplied piece of code loaded over the serial line. Older fw versions have |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
40 this feature enabled unconditionally, but some of the newer versions have a |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
41 malfeature whereby the serial boot interrupt and code download possibility may |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
42 be disabled. Some C1xx phones out in the wild, particularly all North American |
|
987
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
43 C139s with TracFone branding and some of the Cingular-branded ones as well, |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
44 have such maliciously-locked firmware in them. |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
45 |
|
987
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
46 Fortunately though, these maliciously-locked firmwares (or at least all versions |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
47 we've encountered so far) have been found to have another hole through which we |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
48 can break in, as described in the TFC139-breakin article. We can exploit this |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
49 hole in the firmware to gain code execution access to the Calypso, and then use |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
50 the latter to reprogram the flash, replacing the ultra-malicious firmware with |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
51 some other version that, although still proprietary, is a little less evil. |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
52 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
53 Making first contact |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
54 ==================== |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
55 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
56 If you have a C1xx phone which you are seeking to free, your first step should |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
57 be to try breaking in with fc-loadtool, using the Compal bootloader method. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
58 With the phone powered off, but containing a charged battery (SIM present or |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
59 absent, doesn't matter), proceed as follows: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
60 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
61 1. Connect the serial or USB-serial cable between your PC or other host and the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
62 target phone's headset jack. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
63 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
64 2. On the host end, run fc-loadtool like this: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
65 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
66 C11x/123: fc-loadtool -h compal /dev/ttyXXX |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
67 C139/140: fc-loadtool -h compal -c 1003 /dev/ttyXXX |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
68 C155/156: fc-loadtool -h c155 /dev/ttyXXX |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
69 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
70 3. Press the power button on the phone. A momentary press is sufficient and |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
71 recommended: the hardware powers up and causes the boot code to run exactly |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
72 the same whether the power button is pressed momentarily or held down. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
73 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
74 Normal phone power-up requires the button to be held down because the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
75 standard firmware does a check fairly late in the boot process to see if the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
76 power button is still held down, and commands the hardware (the ABB) to |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
77 power off if it is not - it is a standard feature to prevent phones from |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
78 turning themselves on inadvertently from accidental momentary presses of |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
79 that button. But if the goal is to cause the boot code to run, but not to |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
80 boot the regular fw all the way, a momentary press is ideal. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
81 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
82 If your phone has a bootloader without the malicious lock in it, the above |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
83 procedure should result in fc-loadtool gaining full access to the target and |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
84 landing you at a loadtool> prompt. You can dump the flash content and analyse |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
85 it, etc. If you would like to change to a different fw version (to remove the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
86 SIM lock / carrier branding or for any other reason), see the corresponding |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
87 later section of this article. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
88 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
89 Alternative method |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
90 ================== |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
91 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
92 If the above procedure fails to gain access to the Calypso because the boot |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
93 code in the phone never offers a serial download opportunity, the alternate |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
94 break-in method should be tried, going through the full running firmware |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
95 instead of just the bootloader part thereof. Proceed as follows: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
96 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
97 1. Remove the SIM (if there was one to begin with) and put the charged battery |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
98 back in. Charge the battery if necessary, using the standard charging |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
99 function of the existing fw. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
100 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
101 2. Power the phone up for normal boot: hold the power button down like a |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
102 regular user would, without fc-loadtool or other serial break-in tools. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
103 The fw will boot up, notice the lack of a SIM, and the display will read |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
104 "SIM card absent" or something to that effect, depending on the fw version. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
105 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
106 3. Key in this magic sequence: **16379#. A hidden "Trace Switch" menu should |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
107 appear, with the choices being "Trace On" and "Earphone". Select "Trace On". |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
108 The electrically controlled hardware switch mentioned earlier in this article |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
109 should now be set back to the UART, bringing the latter out to the headset |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
110 jack. Because Mot/Compal's firmware is based on TI's reference architecture, |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
111 the interface presented by the running fw on this serial port is TI's RVTMUX, |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
112 albeit at 57600 baud instead of TI's default of 115200. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
113 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
114 4. Connect the headset jack serial cable if it wasn't already connected, and |
|
987
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
115 run this FreeCalypso utility: |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
116 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
117 tfc139 /dev/ttyXXX |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
118 |
|
987
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
119 (The name tfc139 is historical; the current version is expected to work with |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
120 all Mot C1xx firmwares.) |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
121 |
|
974
3f67d5bf96ef
doc: TFC139-breakin written, Compal-unlock updated
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
433
diff
changeset
|
122 Compal's TI-based firmware implements some of TI's Test Mode commands, and one |
|
987
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
123 of these commands is a raw memory write. It also implements some of TI's GPF |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
124 "system primitive" commands, including the MEMCHECK command that causes the |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
125 firmware to report some info on all running GPF tasks, including the location |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
126 of each task's stack. Our tfc139 utility will try to break into the phone |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
127 (gain code execution access) by querying the target fw for the location of the |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
128 L1A task's stack, and then using Test Mode memory write commands to write a |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
129 piece of shellcode into an unused RAM location and to make this code execute by |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
130 overwriting a function return address on the stack of the L1A task that |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
131 processes these Test Mode commands. |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
132 |
|
987
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
133 If the stack smashing hack succeeds, the shellcode injected by tfc139 will send |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
134 a message out the serial port indicating this success, and then re-enable the |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
135 Calypso boot ROM and jump to it. Once the boot ROM code gains control, it will |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
136 wait forever for a serial code download following its standard protocol. If |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
137 tfc139 gets the success indication from the target, it will announce this |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
138 success and direct you to run: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
139 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
140 fc-loadtool -h compal -c none /dev/ttyXXX |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
141 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
142 Do as it says. The -c none option tells fc-loadtool to skip compalstage and |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
143 proceed directly to feeding loadagent to the Calypso boot ROM. You should now |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
144 be in full control of the phone via fc-loadtool. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
145 |
|
433
2d8ab1b0df8d
rvinterf/doc/tfc139.usage: written
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
427
diff
changeset
|
146 There is one additional quirk worth mentioning. It appears that Mot/Compal's |
|
987
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
147 main fw keeps resetting the RTC alarm registers in the Calypso DBB as it runs, |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
148 always keeping the alarm time in the near future relative to the current time. |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
149 When one breaks into this firmware with tfc139 and takes over the control of |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
150 the device with fc-loadtool, this alarm time will almost certainly be reached, |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
151 and the RTC alarm will go off. This alarm has no effect on loadtool operation |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
152 (i.e., it cannot reset the CPU or otherwise wrestle control away from loadtool, |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
153 so it doesn't add any bricking risk), but it has one quite surprising effect |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
154 upon exit, i.e., when you are done with your loadtool session and give it the |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
155 exit command. |
|
427
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
426
diff
changeset
|
156 |
|
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
426
diff
changeset
|
157 Loadtool's configured default exit action for this target is to send a power-off |
|
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
426
diff
changeset
|
158 command to the Iota ABB, leaving the device cleanly powered off. However, if |
|
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
426
diff
changeset
|
159 the RTC alarm has gone off previously during the session, the ABB will instantly |
|
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
426
diff
changeset
|
160 power the phone back on, and put it through a new boot cycle. The firmware |
|
987
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
161 handles this special form of boot rather oddly: it proceeds to the same end |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
162 state it would have reached via a normal power button hold-down boot (powered |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
163 on with the "Insert SIM" message on the LCD), but it reaches this state almost |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
164 instantly, without going through the power-on LCD logo and buzz phase. Odd, |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
165 but harmless. This explanation has been included to save other hackers the |
|
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
166 hours of bewildered head-scratching I spent chasing this quirk down. |
|
427
7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
426
diff
changeset
|
167 |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
168 Dumping and reloading flash |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
169 =========================== |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
170 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
171 Once you break in with fc-loadtool (either through the bootloader or through |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
172 tfc139), the first step you should do is make a dump (backup) of the flash: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
173 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
174 loadtool> flash dump2bin flashdump.bin |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
175 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
176 Before you do any flash write (erase or program) operations, please realise |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
177 that these phones are brickable. Because the Calypso boot ROM is disabled at |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
178 the board level (Calypso DBB's nIBOOT configuration input is tied high directly |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
179 underneath the BGA package!), when the phone powers up, the ARM7 core starts |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
180 executing instructions directly out of the flash, from address 0. Therefore, |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
181 flash sector 0 must contain good working boot code (one that allows serial code |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
182 download access for recovery) at all times. If you erase this sector or fill |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
183 it with some garbage (anything other than good working boot code) and then power |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
184 the phone off or otherwise lose control of it, the phone will be unrecoverably |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
185 bricked! |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
186 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
187 On most C1xx models there seems to be no way to access the Calypso's JTAG |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
188 signals, hence no possibility of using JTAG to unbrick a bricked phone. And |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
189 because the flash chip is a micro-BGA, it is quite unlikely that one could |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
190 successfully desolder it, program it in a standalone flash chip programmer, |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
191 and then put it back on the board. Thus if you brick your C1xx phone, then |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
192 most likely it is truly toast. You've been warned! |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
193 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
194 That being said, if your phone came with a maliciously locked bootloader, such |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
195 that you had to use tfc139 to break in, then replacing that bootloader with a |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
196 non-malware version is pretty much a necessity, and taking the chance of |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
197 bricking the phone becomes a necessary risk. Even if the bootloader version in |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
198 your C1xx is free of the locking malfeature, if you need to reflash the main fw |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
199 to a different version, one still needs to erase and reprogram the dangerous |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
200 sector: on C11x/123 and C139/140 the main fw image starts at 0x2000, but the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
201 erase block boundary doesn't come until 0x10000. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
202 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
203 The good news, however, is that fc-loadtool has special support for rewriting |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
204 the boot sector on Compal phones with minimal risk of bricking. The command is: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
205 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
206 flash erase-program-boot binfile [length] |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
207 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
208 The first argument is the name of the file (in straight binary format) |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
209 containing the new boot code; the second argument (always interpreted as hex) |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
210 is the number of bytes to program, always starting at 0. If only one argument |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
211 is given, the length of the file is used instead, which must not exceed the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
212 length of flash sector 0: 64 KiB on C11x/123 and C139/140, or 8 KiB on C155/156. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
213 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
214 This special command minimizes the bricking vulnerability window by loading the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
215 entirety of the new boot code to be programmed into a scratchpad RAM buffer on |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
216 the target first (no problem because it's 64 KiB max), then commanding loadagent |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
217 (the code that actually runs on the Calypso when you use fc-loadtool) to perform |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
218 the "atomic" operation of erasing flash sector 0, then immediately reprogramming |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
219 it with the bits that are already in scratchpad RAM on the phone. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
220 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
221 With this approach the phone will only be bricked if the battery dies or is |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
222 physically yanked out of the phone in the time window between the beginning of |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
223 the erase operation and the last critical bit of the new boot code being |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
224 programmed - on the order of a second or two, or if the flash operations fail |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
225 for some reason. However, the phone will *not* be bricked with this approach |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
226 if the serial connection between fc-loadtool or the target gets broken during |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
227 the window in question, or if the host machine running fc-loadtool crashes: no |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
228 flash operations start until loadtool gives the go-ahead command to loadagent, |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
229 and once loadagent receives the latter command, it will proceed till completion |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
230 without caring if loadtool is still there or not. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
231 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
232 Of course the conventional flash erase and flash program-bin commands will be |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
233 happy to operate on flash sector 0 just like any other sector, but doing so is |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
234 NOT recommended, as the window of vulnerability for bricking would then be |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
235 considerably greater. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
236 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
237 Unlocked firmware for C139 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
238 ========================== |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
239 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
240 If your phone is a North American (1900+850 MHz) C139, and you are reading this |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
241 article because it came with Cingular or TracFone branding, whereas you would |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
242 like to use it with SIMs and networks of your own choosing instead, you've come |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
243 to the right place. We have an unlocked and non-carrier-branded (Mot branding |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
244 only) version of the fw that runs on these phones, and you can use FreeCalypso |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
245 loadtools to flash this version into your C139 whether it came with Cingular or |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
246 TF branding originally. Download this file: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
247 |
|
974
3f67d5bf96ef
doc: TFC139-breakin written, Compal-unlock updated
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
433
diff
changeset
|
248 ftp.freecalypso.org:/pub/GSM/Compal/c139-unlocked-fw.zip |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
249 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
250 Unzip it, and you'll get c139-unlocked-fw.bin - that is the image you'll need |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
251 to flash into your phone. Get in with fc-loadtool (using tfc139 if necessary |
|
987
7a55a3eb985a
doc: Compal-unlock and TFC139-breakin articles updated for the new tfc139 tool
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
974
diff
changeset
|
252 for bootloader-locked phones) and make a backup of the original flash content. |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
253 Then reflash the firmware as follows: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
254 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
255 flash erase-program-boot c139-unlocked-fw.bin 2000 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
256 flash erase 10000 360000 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
257 flash program-bin 2000 c139-unlocked-fw.bin 2000 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
258 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
259 The 3 commands given above will reflash the phone as follows: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
260 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
261 * The first 0x2000 bytes of the firmware image in c139-unlocked-fw.bin comprise |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
262 the boot code. This fw version features the "good" boot code *without* the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
263 access locking malfeature. The erase-program-boot command will erase flash |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
264 sector 0 (the entire 64 KiB sector, as the physics of the flash chip dictates) |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
265 and then immediately reprogram its first 8 KiB with the "good" boot code from |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
266 the unlocked fw image file. The remaining 56 KiB of this sector will be blank |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
267 after this step. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
268 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
269 * The following "regular" flash erase command is to erase the following 54 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
270 sectors (also of 64 KiB each) in preparation for programming the main fw |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
271 image in there. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
272 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
273 * The last command programs the bulk of the fw image into blank flash that has |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
274 been erased by the first two commands. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
275 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
276 I also recommend erasing the old FFS that was maintained by the old fw version, |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
277 so that the new fw will automatically format a "virgin" FFS the first time it |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
278 boots: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
279 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
280 flash erase 370000 50000 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
281 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
282 After this procedure the phone should retain its original IMEI and factory RF |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
283 calibration values, as these are stored in the 8 KiB sector at 0x3FC000 which |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
284 is not touched per the above procedure - not in the FFS. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
285 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
286 The same procedure should be followed for flashing all firmwares for C11x/123 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
287 and C139/140 phones. In the case of C11x/123, adjust the length for the "main" |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
288 erase and program operations appropriately for the flash configuration in your |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
289 phone. |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
290 |
|
988
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
291 Flashing newer firmware versions |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
292 ================================ |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
293 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
294 The flashing procedure given above, where the first 0x2000 bytes of the new fw |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
295 image (the bootloader part) are written with the flash erase-program-boot |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
296 command and the regular flash program-bin command writes everything from 0x2000 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
297 onward, is only correct for older firmware versions whose bootloader portion is |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
298 completely free from the access locking malfeature: not only unlocked, but with |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
299 no provision for locking at all. In these older fw versions the boot code is |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
300 fully contained in the first 0x2000 bytes and nothing from 0x2000 onward affects |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
301 the ability to perform a new serial boot, hence the bricking vulnerability |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
302 window ends at 0x2000. However, this flashing procedure should NOT be used for |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
303 newer fw versions that have the provision for locking the bootloader - it's the |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
304 provision that matters in this case, even if the lock hasn't been activated - |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
305 if you flash one of these newer fw versions as above, you will risk bricking |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
306 your phone! |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
307 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
308 If you need to flash one of the newer fw versions that includes the bootloader |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
309 lock provision, you need to take some additional precautionary steps: |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
310 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
311 1. Examine the fw image you wish to flash with a hex dump viewer. Look starting |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
312 at offset 0x2000. You should see 3 identifying ASCII strings: one right at |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
313 0x2000, another at 0x2020 and one more at 0x2040. Then look at 4 bytes at |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
314 offset 0x2060. If they contain 0xFFFFFFFF (blank flash) like the surrounding |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
315 unused bytes, then you have an older fw version without the bootloader lock |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
316 provision - you can safely flash it as in the previous section. If it's a |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
317 newer fw version with the bootloader lock provision, the word at 0x2060 will |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
318 contain either 0x00000000 or 0xDDDDDDDD, corresponding to the activated |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
319 (access disabled) and non-activated (access enabled) states of the lock, |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
320 respectively. |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
321 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
322 2. If the fw image you wish to flash has 0x00000000 at 0x2060, you must patch |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
323 it to 0xDDDDDDDD with a hex editor before flashing. Just because our tfc139 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
324 utility can recover phones with maliciously locked bootloaders does NOT mean |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
325 that you should *ever* deliberately flash such a bootloader-locked fw image |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
326 into your phone! Recovery of locked phones via tfc139 depends on the |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
327 complete fw image being present and working, not just the bootloader part, |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
328 hence if you were to flash an image that has a lockable bootloader with the |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
329 lock activated, the bricking vulnerability window will extend until the |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
330 *entire* fw image has been programmed - far too dangerous. |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
331 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
332 3. When flashing the image with fc-loadtool, use a slightly different command |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
333 sequence compared to the previous section: |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
334 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
335 flash erase-program-boot new-fw-image.bin 10000 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
336 flash erase 10000 360000 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
337 flash program-bin 10000 new-fw-image.bin 10000 360000 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
338 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
339 The difference is that the boundary between the part handled with flash |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
340 erase-program-boot and the part handled with flash program-bin has been moved |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
341 from 0x2000 to 0x10000. Because the word at 0x2060 is part of the bricking |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
342 vulnerability window with these newer fw versions, one should rewrite the |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
343 entire boot sector of the flash (including the beginning of the main fw image) |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
344 with flash erase-program-boot for safety. |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
345 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
346 Unlocking while keeping the same fw version |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
347 =========================================== |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
348 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
349 Suppose you have a phone with a locked bootloader such that you had to break in |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
350 with tfc139, you would like to unlock it so you can use RAM-based (non-flash) |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
351 tools such as c139explore or OsmocomBB with it, but you have no particular need |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
352 to change the main fw from the original version to a different one. If you |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
353 need to perform such a cisversion unlock, you can do it as follows: |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
354 |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
355 1. Break in with tfc139; |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
356 2. Use fc-loadtool's flash dump2bin command to save the first 64 KiB sector |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
357 of the flash to a file; |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
358 3. Using a hex editor, patch the word at 0x2060 from 0x00000000 to 0xDDDDDDDD; |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
359 4. Use fc-loadtool's flash erase-program-boot command to flash the patched |
|
0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
Mychaela Falconia <falcon@ivan.Harhan.ORG>
parents:
987
diff
changeset
|
360 (unlocked) boot sector back into the phone. |
|
426
1060bf70d95d
doc/Compal-unlock: added cautionary note about flashing firmwares containing
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
425
diff
changeset
|
361 |
|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
362 C155/156 differences |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
363 ==================== |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
364 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
365 C155/156 phones are nicer than the others in that they use a flash chip with a |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
366 "bottom boot" configuration. C11x/123 and C139/140 use "top boot" flash chips, |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
367 which is why the boot code and the first 56 KiB of the main fw image live in |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
368 the same erase block on those phones. The boot code and the control hand-off |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
369 interface between it and the main fw have also been revamped in C155/156 fw, |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
370 and the new structure is: |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
371 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
372 8 KiB sector at 0: contains the boot code |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
373 7 more 8 KiB sectors starting at 0x2000: blank and unused |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
374 64 KiB sector at 0x10000: also blank and unused |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
375 64 KiB sector at 0x20000: beginning of main fw image |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
376 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
377 With this new flash layout, it is now possible to erase and program the main fw |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
378 region starting at 0x20000 without ever erasing the boot code sector or doing |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
379 any writes to it, so there is no bricking vulnerability window at all. (The |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
380 phone can still be bricked though if one types the wrong command and erases the |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
381 boot sector inadvertently, so be careful.) |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
382 |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
383 So far the only phones in this family that I laid my hacking hands on have been |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
384 North American C156 units, all from the same seller and batch (hence identical), |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
385 so I don't know if there exist any maliciously-locked boot code versions in |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
386 this family - the boot code in my C156 is free of any malfeatures. But if "bad" |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
387 versions of C155/156 boot code do exist, and if you can break into the phone |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
388 somehow, you can use the flash erase-program-boot command to rewrite the boot |
|
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
389 code with minimal risk of bricking just like on the other Compal families. |