FreeCalypso > hg > freecalypso-sw
annotate doc/Compal-unlock @ 425:f81a931f9172
doc/Compal-unlock write-up
author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
---|---|
date | Thu, 19 Jun 2014 20:17:28 +0000 |
parents | |
children | 1060bf70d95d |
rev | line source |
---|---|
425
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
1 Using FreeCalypso tools to unlock Motorola C1xx phones |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
2 ====================================================== |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
3 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
4 The ultimate goal of the FreeCalypso project is to produce our own complete GSM |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
5 dumbphone firmware which We the People fully own, control and compile from |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
6 source ourselves, running at first on some selected pre-existing hardware |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
7 targets, and then ultimately on our own Free Dumb Phone hardware. While that |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
8 goal is still far past the visible horizon, what can we do in the meantime to |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
9 make our current forced use of existing proprietary dumbphone firmwares a |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
10 little more tolerable? This article presents one such hack: using FreeCalypso |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
11 loadtools to dump the flash content of Compal phones for analysis, including |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
12 TIFFS, and to replace one existing proprietary fw version with another, e.g., |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
13 to remove carrier branding and the associated SIM restriction. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
14 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
15 Serial access |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
16 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
17 Mot C1xx (Compal) phones have a 2.5 mm headset jack that dual-functions as a |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
18 debug/programming serial port. In hardware terms, there is an electrically |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
19 controlled switch (MUX) inside that switches the external jack between the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
20 analog headset signals and the digital serial ones; this switch is controlled |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
21 by a GPIO signal from the Calypso. The hardware power-up state of this switch |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
22 is serial; Mot/Compal's standard fw switches it to headset upon boot, but the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
23 serial setting persists long enough to use it to break into the bootloader. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
24 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
25 Bootloader |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
26 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
27 The Calypso DBB (digital baseband) chip used in these phones has an on-chip |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
28 boot ROM, but it also has a hardware pin that enables or disables this boot |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
29 ROM, and unfortunately these phones have it disabled. If the boot ROM were |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
30 enabled in hardware, it would provide an unstoppable and unbrickable way to |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
31 take control of the device through the externally-accessible serial port like |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
32 we have on Openmoko and Pirelli phones, but unfortunately the hardware we have |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
33 available is not wired that way. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
34 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
35 However, Mot/Compal's standard firmware on these phones includes a bootloader, |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
36 a part that executes before any of the rest of the fw image is allowed to |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
37 execute or made use of in any way, and this Compal-specific bootloader has a |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
38 provision for interrupting the boot process and diverting it to an externally- |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
39 supplied piece of code loaded over the serial line. Older fw versions have |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
40 this feature enabled unconditionally, but some of the newer versions have a |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
41 malfeature whereby the serial boot interrupt and code download possibility may |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
42 be disabled. Some C1xx phones out in the wild, particularly all North American |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
43 C139s with TracFone branding, have such maliciously-locked firmware in them. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
44 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
45 Fortunately though, these maliciously-locked firmwares (or at least the most |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
46 common TFC139 one) have been found to have another hole through which we can |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
47 break in, as described here: |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
48 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
49 http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004451.html |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
50 http://lists.osmocom.org/pipermail/baseband-devel/2014-May/004455.html |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
51 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
52 We can exploit this hole in the TFC139 firmware to gain code execution access |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
53 to the Calypso, and then use the latter to reprogram the flash, replacing the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
54 ultra-malicious firmware with some other version that, although still |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
55 proprietary, is a little less evil. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
56 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
57 Making first contact |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
58 ==================== |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
59 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
60 If you have a C1xx phone which you are seeking to free, your first step should |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
61 be to try breaking in with fc-loadtool, using the Compal bootloader method. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
62 With the phone powered off, but containing a charged battery (SIM present or |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
63 absent, doesn't matter), proceed as follows: |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
64 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
65 1. Connect the serial or USB-serial cable between your PC or other host and the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
66 target phone's headset jack. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
67 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
68 2. On the host end, run fc-loadtool like this: |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
69 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
70 C11x/123: fc-loadtool -h compal /dev/ttyXXX |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
71 C139/140: fc-loadtool -h compal -c 1003 /dev/ttyXXX |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
72 C155/156: fc-loadtool -h c155 /dev/ttyXXX |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
73 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
74 3. Press the power button on the phone. A momentary press is sufficient and |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
75 recommended: the hardware powers up and causes the boot code to run exactly |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
76 the same whether the power button is pressed momentarily or held down. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
77 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
78 Normal phone power-up requires the button to be held down because the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
79 standard firmware does a check fairly late in the boot process to see if the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
80 power button is still held down, and commands the hardware (the ABB) to |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
81 power off if it is not - it is a standard feature to prevent phones from |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
82 turning themselves on inadvertently from accidental momentary presses of |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
83 that button. But if the goal is to cause the boot code to run, but not to |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
84 boot the regular fw all the way, a momentary press is ideal. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
85 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
86 If your phone has a bootloader without the malicious lock in it, the above |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
87 procedure should result in fc-loadtool gaining full access to the target and |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
88 landing you at a loadtool> prompt. You can dump the flash content and analyse |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
89 it, etc. If you would like to change to a different fw version (to remove the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
90 SIM lock / carrier branding or for any other reason), see the corresponding |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
91 later section of this article. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
92 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
93 Alternative method |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
94 ================== |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
95 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
96 If the above procedure fails to gain access to the Calypso because the boot |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
97 code in the phone never offers a serial download opportunity, the alternate |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
98 break-in method should be tried, going through the full running firmware |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
99 instead of just the bootloader part thereof. Proceed as follows: |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
100 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
101 1. Remove the SIM (if there was one to begin with) and put the charged battery |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
102 back in. Charge the battery if necessary, using the standard charging |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
103 function of the existing fw. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
104 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
105 2. Power the phone up for normal boot: hold the power button down like a |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
106 regular user would, without fc-loadtool or other serial break-in tools. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
107 The fw will boot up, notice the lack of a SIM, and the display will read |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
108 "SIM card absent" or something to that effect, depending on the fw version. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
109 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
110 3. Key in this magic sequence: **16379#. A hidden "Trace Switch" menu should |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
111 appear, with the choices being "Trace On" and "Earphone". Select "Trace On". |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
112 The electrically controlled hardware switch mentioned earlier in this article |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
113 should now be set back to the UART, bringing the latter out to the headset |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
114 jack. Because Mot/Compal's firmware is based on TI's reference architecture, |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
115 the interface presented by the running fw on this serial port is TI's RVTMUX, |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
116 albeit at 57600 baud instead of TI's default of 115200. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
117 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
118 4. Connect the headset jack serial cable if it wasn't already connected, and |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
119 run this FreeCalypso hack-utility: |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
120 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
121 tfc139 /dev/ttyXXX |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
122 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
123 Compal's firmware has some non-standard commands of their own invention added |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
124 to TI's RVT/ETM interface, and one of these commands is a raw memory write. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
125 Our tfc139 hack-utility will try to break into the phone (gain code execution |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
126 access) by using this Compal ETM command to write a little payload into a |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
127 particular RAM location (beginning of IRAM), and then doing more memory writes |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
128 by the same method, seeking to smash the stack and cause control to be |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
129 transferred to the sent payload by overwriting a function return address on the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
130 stack. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
131 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
132 If the stack smashing hack succeeds, the code injected by tfc139 will send a |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
133 message out the serial port indicating this success, and then re-enable the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
134 Calypso boot ROM and jump to it. Once the boot ROM code gains control, it will |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
135 wait forever for a serial code download following its standard protocol. If |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
136 tfc139 gets the success indication from the target, it will announce this |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
137 success and direct you to run: |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
138 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
139 fc-loadtool -h compal -c none /dev/ttyXXX |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
140 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
141 Do as it says. The -c none option tells fc-loadtool to skip compalstage and |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
142 proceed directly to feeding loadagent to the Calypso boot ROM. You should now |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
143 be in full control of the phone via fc-loadtool. |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
144 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
145 Dumping and reloading flash |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
146 =========================== |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
147 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
148 Once you break in with fc-loadtool (either through the bootloader or through |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
149 tfc139), the first step you should do is make a dump (backup) of the flash: |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
150 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
151 loadtool> flash dump2bin flashdump.bin |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
152 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
153 Before you do any flash write (erase or program) operations, please realise |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
154 that these phones are brickable. Because the Calypso boot ROM is disabled at |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
155 the board level (Calypso DBB's nIBOOT configuration input is tied high directly |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
156 underneath the BGA package!), when the phone powers up, the ARM7 core starts |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
157 executing instructions directly out of the flash, from address 0. Therefore, |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
158 flash sector 0 must contain good working boot code (one that allows serial code |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
159 download access for recovery) at all times. If you erase this sector or fill |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
160 it with some garbage (anything other than good working boot code) and then power |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
161 the phone off or otherwise lose control of it, the phone will be unrecoverably |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
162 bricked! |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
163 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
164 On most C1xx models there seems to be no way to access the Calypso's JTAG |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
165 signals, hence no possibility of using JTAG to unbrick a bricked phone. And |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
166 because the flash chip is a micro-BGA, it is quite unlikely that one could |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
167 successfully desolder it, program it in a standalone flash chip programmer, |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
168 and then put it back on the board. Thus if you brick your C1xx phone, then |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
169 most likely it is truly toast. You've been warned! |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
170 |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
171 That being said, if your phone came with a maliciously locked bootloader, such |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
172 that you had to use tfc139 to break in, then replacing that bootloader with a |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
173 non-malware version is pretty much a necessity, and taking the chance of |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
174 bricking the phone becomes a necessary risk. Even if the bootloader version in |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
175 your C1xx is free of the locking malfeature, if you need to reflash the main fw |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
176 to a different version, one still needs to erase and reprogram the dangerous |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
177 sector: on C11x/123 and C139/140 the main fw image starts at 0x2000, but the |
f81a931f9172
doc/Compal-unlock write-up
Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
parents:
diff
changeset
|
178 erase block boundary doesn't come until 0x10000. |

The good news, however, is that fc-loadtool has special support for rewriting
the boot sector on Compal phones with minimal risk of bricking. The command is:

flash erase-program-boot binfile [length]

The first argument is the name of the file (in straight binary format)
containing the new boot code; the second argument (always interpreted as hex)
is the number of bytes to program, always starting at 0. If only one argument
is given, the length of the file is used instead, which must not exceed the
length of flash sector 0: 64 KiB on C11x/123 and C139/140, or 8 KiB on C155/156.

This special command minimizes the bricking vulnerability window by loading the
entirety of the new boot code to be programmed into a scratchpad RAM buffer on
the target first (no problem because it's 64 KiB max), then commanding loadagent
(the code that actually runs on the Calypso when you use fc-loadtool) to perform
the "atomic" operation of erasing flash sector 0, then immediately reprogramming
it with the bits that are already in scratchpad RAM on the phone.

With this approach the phone will only be bricked if the battery dies or is
physically yanked out of the phone in the time window between the beginning of
the erase operation and the last critical bit of the new boot code being
programmed (on the order of a second or two), or if the flash operations fail
for some reason. However, the phone will *not* be bricked with this approach
if the serial connection between fc-loadtool and the target gets broken during
the window in question, or if the host machine running fc-loadtool crashes: no
flash operations start until loadtool gives the go-ahead command to loadagent,
and once loadagent receives the latter command, it will proceed till completion
without caring if loadtool is still there or not.

Of course the conventional flash erase and flash program-bin commands will be
happy to operate on flash sector 0 just like any other sector, but doing so is
NOT recommended, as the window of vulnerability for bricking would then be
considerably greater.
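As an added worked example (not FreeCalypso code, and not how fc-loadtool or
loadagent are implemented), the following Python models the argument rules of
flash erase-program-boot described above and the NOR flash semantics behind the
"erase, then immediately program" sequence: an erase leaves every byte of the
sector at 0xFF, programming can only clear bits, and the new bytes must already
be in hand before the erase starts. The sector-0 sizes are the ones given
above; the NorSector class is a host-side stand-in for the flash chip, and the
sample image bytes and the "old" sector contents are constructed data.

```python
"""Host-side model of `flash erase-program-boot binfile [length]` on sector 0.
Added worked example, not FreeCalypso code: it implements the argument rules
and the NOR erase/program semantics the write-up relies on, so a boot-sector
rewrite can be checked before any real flash operation is issued.
"""

# Size of flash sector 0 per Compal family, from the write-up.
SECTOR0_SIZE = {
    "C11x/123": 0x10000,   # 64 KiB, top-boot chip
    "C139/140": 0x10000,   # 64 KiB, top-boot chip
    "C155/156": 0x2000,    # 8 KiB, bottom-boot chip
}


class NorSector:
    """One erase block of NOR flash.  Erasing sets every bit to 1 (bytes read
    0xFF); programming can only clear bits, so writing over non-blank flash
    yields old & new rather than new.  That asymmetry is why an erase must
    precede every program operation."""

    def __init__(self, size, contents):
        if len(contents) != size:
            raise ValueError("initial contents must fill the sector")
        self.size, self.data = size, bytearray(contents)

    def erase(self):
        self.data[:] = b"\xff" * self.size

    def program(self, offset, payload):
        """Program `payload` at `offset`; True iff the readback matches."""
        if offset + len(payload) > self.size:
            raise ValueError("program range runs past the end of the sector")
        for i, b in enumerate(payload):
            self.data[offset + i] &= b          # NOR: bits can only go 1 -> 0
        return bytes(self.data[offset:offset + len(payload)]) == bytes(payload)


def parse_length_arg(arg, file_len):
    """The optional length is always hex; when omitted, the whole file is used."""
    length = file_len if arg is None else int(arg, 16)
    if length <= 0 or length > file_len:
        raise ValueError(f"length {length:#x} is not within the {file_len:#x}-byte file")
    return length


def erase_program_boot(family, image, length_arg=None, old_sector=None):
    """Pre-flight checks, then the atomic erase-then-program of sector 0.

    Nothing touches the (simulated) flash until every check has passed and
    the bytes to program are already in hand, mirroring how loadagent only
    starts once the new boot code sits in its RAM buffer.  Returns the new
    sector-0 contents.
    """
    size = SECTOR0_SIZE[family]
    length = parse_length_arg(length_arg, len(image))
    if length > size:
        raise ValueError(f"{length:#x} bytes exceed the {size // 1024} KiB sector 0 of {family}")
    boot_code = bytes(image[:length])
    # Constructed stand-in for the old, non-blank contents of sector 0.
    sector = old_sector if old_sector is not None else NorSector(size, bytes([0x5A]) * size)
    sector.erase()                               # the bricking window opens here ...
    if not sector.program(0, boot_code):         # ... and closes when this succeeds
        raise RuntimeError("program verify failed: sector 0 left without valid boot code")
    return bytes(sector.data)


if __name__ == "__main__":
    # Constructed stand-in for c139-unlocked-fw.bin: 64 KiB of patterned data.
    image = bytes(range(256)) * (0x10000 // 256)
    new = erase_program_boot("C139/140", image, "2000")   # as in the C139 procedure
    print("boot code programmed:", new[:0x2000] == image[:0x2000],
          "| remaining 56 KiB blank:", new[0x2000:] == b"\xff" * 0xE000)
    try:
        erase_program_boot("C155/156", image)   # no length given: whole 64 KiB file
    except ValueError as e:
        print("refused:", e)
```

Running it with the C139 arguments shows the two facts the bullets below rely
on: only the first 0x2000 bytes of the file land in flash, and the rest of the
64 KiB sector reads back as 0xFF. The same file without a length argument is
refused for a C155/156, whose sector 0 is only 8 KiB, and NorSector.program
returning False on non-blank flash is the reason the conventional program-bin
is of no use without a preceding erase.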

Unlocked firmware for C139
==========================

If your phone is a North American (1900+850 MHz) C139, and you are reading this
article because it came with Cingular or TracFone branding, whereas you would
like to use it with SIMs and networks of your own choosing instead, you've come
to the right place. We have an unlocked and non-carrier-branded (Mot branding
only) version of the fw that runs on these phones, and you can use FreeCalypso
loadtools to flash this version into your C139 whether it came with Cingular or
TracFone branding originally. Download this file:

ftp.ifctf.org:/pub/GSM/Compal/c139-unlocked-fw.zip

Unzip it, and you'll get c139-unlocked-fw.bin - that is the image you'll need
to flash into your phone. Get in with fc-loadtool (using tfc139 if necessary
for locked-down TracFones) and make a backup of the original flash content.
Then reflash the firmware as follows:

flash erase-program-boot c139-unlocked-fw.bin 2000
flash erase 10000 360000
flash program-bin 2000 c139-unlocked-fw.bin 2000

The three commands given above will reflash the phone as follows:

* The first 0x2000 bytes of the firmware image in c139-unlocked-fw.bin comprise
  the boot code. This fw version features the "good" boot code *without* the
  access locking malfeature. The erase-program-boot command will erase flash
  sector 0 (the entire 64 KiB sector, as the physics of the flash chip dictates)
  and then immediately reprogram its first 8 KiB with the "good" boot code from
  the unlocked fw image file. The remaining 56 KiB of this sector will be blank
  after this step.

* The second command is a "regular" flash erase of the next 54 sectors (also
  64 KiB each, 0x10000 through 0x36FFFF) in preparation for programming the
  main fw image in there.

* The last command programs the bulk of the fw image (everything from file
  offset 0x2000 onward, to the same offsets in flash) into blank flash that
  has been erased by the first two commands.

I also recommend erasing the old FFS that was maintained by the old fw version,
so that the new fw will automatically format a "virgin" FFS the first time it
boots:

flash erase 370000 50000

After this procedure the phone should retain its original IMEI and factory RF
calibration values, as these are stored in the 8 KiB sector at 0x3FC000, which
is not touched by the above procedure - they are not in the FFS.

The same procedure should be followed for flashing all firmwares for C11x/123
and C139/140 phones. In the case of C11x/123, adjust the length for the "main"
erase and program operations appropriately for the flash configuration in your
phone.

C155/156 differences
====================

C155/156 phones are nicer than the others in that they use a flash chip with a
"bottom boot" configuration. C11x/123 and C139/140 use "top boot" flash chips,
which is why the boot code and the first 56 KiB of the main fw image live in
the same erase block on those phones. The boot code and the control hand-off
interface between it and the main fw have also been revamped in C155/156 fw,
and the new structure is:

8 KiB sector at 0: contains the boot code
7 more 8 KiB sectors starting at 0x2000: blank and unused
64 KiB sector at 0x10000: also blank and unused
64 KiB sector at 0x20000: beginning of main fw image

With this new flash layout, it is now possible to erase and program the main fw
region starting at 0x20000 without ever erasing the boot code sector or doing
any writes to it, so there is no bricking vulnerability window at all. (The
phone can still be bricked though if one types the wrong command and erases the
boot sector inadvertently, so be careful.)
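The C139 reflash procedure of the previous section and the C155/156 layout just
described are two instances of the same reasoning about erase blocks. The
following Python, added here as a worked example rather than anything from the
FreeCalypso tree, encodes both layouts from the numbers in this write-up,
derives the fc-loadtool command sequence from them, and refuses a plan that
would erase the wrong sectors: for the top-boot C139/140 it reproduces the four
commands given above (including the FFS erase) and checks that the 8 KiB
IMEI/RF-calibration sector at 0x3FC000 stays untouched; for the bottom-boot
C155/156 it shows that a main fw reflash never erases sector 0 and catches the
inadvertent flash erase that would. Assumptions, marked in the code: a 4 MiB
chip for both families; 8 KiB sectors filling the top 64 KiB of the C139 chip
(the write-up only places the one at 0x3FC000); and, for the C155/156, a main
fw image file that maps straight to flash offset 0x20000 with no known FFS
location, so only the sectors the image occupies are erased there. The
two-argument program-bin form used for the C155/156 is inferred from the
three-argument C139 invocation above.

```python
"""Derive and sanity-check the fc-loadtool command sequence for reflashing a
Compal phone from a description of its flash layout.  Added worked example,
not FreeCalypso code; the command syntax is the one shown in this write-up.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SMALL, LARGE = 0x2000, 0x10000   # 8 KiB "boot" sectors, 64 KiB main sectors


@dataclass(frozen=True)
class Layout:
    name: str
    flash_size: int
    small_sectors: range          # part of the chip carved into 8 KiB sectors
    boot_len: int                 # bytes of boot code at flash offset 0
    image_base: int               # flash offset that file offset 0 maps to
    main_fw_base: int             # flash offset where the main fw image starts
    ffs_base: Optional[int]       # FFS start, or None if the write-up does not say
    ffs_len: int
    protected: Tuple[Tuple[int, int], ...]   # (offset, length) ranges never to erase

    def sector_of(self, offset):
        """(start, end) of the erase block containing `offset`."""
        if not 0 <= offset < self.flash_size:
            raise ValueError(f"{offset:#x} lies outside the {self.flash_size:#x}-byte flash")
        size = SMALL if offset in self.small_sectors else LARGE
        start = offset - offset % size
        return start, start + size

    def sector_count(self, offset, length):
        """Erase blocks covered by [offset, offset+length); must be block-aligned."""
        end = offset + length
        if self.sector_of(offset)[0] != offset or self.sector_of(end - 1)[1] != end:
            raise ValueError(f"{offset:#x}+{length:#x} is not erase-block aligned")
        count, pos = 0, offset
        while pos < end:
            pos, count = self.sector_of(pos)[1], count + 1
        return count


# C139/140: top-boot chip.  Addresses from the write-up; that the 8 KiB sectors
# fill the top 64 KiB of a 4 MiB chip is an assumption (the write-up only
# places one of them, at 0x3FC000, holding the IMEI and RF calibration).
C139 = Layout("C139/140", 0x400000, range(0x3F0000, 0x400000), boot_len=0x2000,
              image_base=0, main_fw_base=0x2000, ffs_base=0x370000, ffs_len=0x50000,
              protected=((0x3FC000, 0x2000),))

# C155/156: bottom-boot chip.  Sector map from the write-up; the 4 MiB size, the
# unknown FFS location and a main-fw image file that maps straight to flash
# offset 0x20000 are assumptions.  Sector 0 (the boot code) must survive.
C155 = Layout("C155/156", 0x400000, range(0, 0x10000), boot_len=0x2000,
              image_base=0x20000, main_fw_base=0x20000, ffs_base=None, ffs_len=0,
              protected=((0, 0x2000),))


def check_erase(layout, offset, length):
    """Reject an erase that is misaligned or hits a protected range, e.g. a
    mistyped `flash erase 0 10000` on a C155/156."""
    layout.sector_count(offset, length)
    hits = [p for p in layout.protected
            if offset < p[0] + p[1] and p[0] < offset + length]
    if hits:
        raise ValueError(f"erase {offset:#x}+{length:#x} on {layout.name} "
                         f"would wipe protected range(s) {hits}")
    return offset, offset + length


def plan(layout, image_file, image_len, wipe_ffs=False):
    """Return the fc-loadtool commands that flash `image_file` without touching
    anything the layout marks as protected."""
    cmds, image_end = [], layout.image_base + image_len
    s0_end = layout.sector_of(0)[1]
    if layout.main_fw_base < s0_end:
        # Top-boot: the main fw shares sector 0 with the boot code, so sector 0
        # is rewritten only through the atomic erase-program-boot command.
        check_erase(layout, 0, s0_end)
        cmds.append(f"flash erase-program-boot {image_file} {layout.boot_len:x}")
        main_start = s0_end
    else:
        main_start = layout.main_fw_base     # bottom-boot: sector 0 is left alone
    if layout.ffs_base is not None:
        region_end = layout.ffs_base         # wipe the whole fw region, as the write-up does
    else:
        region_end = layout.sector_of(image_end - 1)[1]   # only what the image occupies
    if image_end > region_end:
        raise ValueError(f"image ends at {image_end:#x}, past the fw region end {region_end:#x}")
    check_erase(layout, main_start, region_end - main_start)
    cmds.append(f"flash erase {main_start:x} {region_end - main_start:x}")
    file_off = layout.main_fw_base - layout.image_base
    cmds.append(f"flash program-bin {layout.main_fw_base:x} {image_file}"
                + (f" {file_off:x}" if file_off else ""))
    if wipe_ffs:
        if layout.ffs_base is None:
            raise ValueError(f"FFS location on {layout.name} is unknown; refusing to guess")
        check_erase(layout, layout.ffs_base, layout.ffs_len)
        cmds.append(f"flash erase {layout.ffs_base:x} {layout.ffs_len:x}")
    return cmds


if __name__ == "__main__":
    # Constructed image sizes; file names are placeholders.
    for line in plan(C139, "c139-unlocked-fw.bin", 0x300000, wipe_ffs=True):
        print(line)
    for line in plan(C155, "c156-main-fw.bin", 0x200000):
        print(line)
```

For the C139 the output is exactly the four command lines given in the previous
section, and C139.sector_count(0x10000, 0x360000) returns the 54 sectors the
second bullet mentions. For the C155/156 the plan starts at 0x20000 and
check_erase(C155, 0, 0x10000) raises, which is the "wrong command" the caveat
above warns about. An image that would run into the C139 FFS region is refused
before any command is emitted.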

So far the only phones in this family that I laid my hacking hands on have been
North American C156 units, all from the same seller and batch (hence identical),
so I don't know if there exist any maliciously-locked boot code versions in
this family - the boot code in my C156 is free of any malfeatures. But if "bad"
versions of C155/156 boot code do exist, and if you can break into the phone
somehow, you can use the flash erase-program-boot command to rewrite the boot
code with minimal risk of bricking just like on the other Compal families.