comparison doc/Compal-unlock @ 988:0654212e5c53
doc/Compal-unlock: documented safe flashing of newer fw versions and
cisversion unlocking
| author | Mychaela Falconia <falcon@ivan.Harhan.ORG> |
|---|---|
| date | Sat, 12 Dec 2015 18:40:56 +0000 |
| parents | 7a55a3eb985a |
| children | |
987:7a55a3eb985a | 988:0654212e5c53 |
---|---|
286 The same procedure should be followed for flashing all firmwares for C11x/123 | 286 The same procedure should be followed for flashing all firmwares for C11x/123 |
287 and C139/140 phones. In the case of C11x/123, adjust the length for the "main" | 287 and C139/140 phones. In the case of C11x/123, adjust the length for the "main" |
288 erase and program operations appropriately for the flash configuration in your | 288 erase and program operations appropriately for the flash configuration in your |
289 phone. | 289 phone. |
290 | 290 |
291 One last word of caution: if you are going to flash some fw version other than | 291 Flashing newer firmware versions |
292 the unlocked North American C139 one discussed above, please check to see what | 292 ================================ |
293 boot code version it includes, and whether or not that version has the | 293 |
294 malfeature of checking the flash word at 0x2060 for the serial access control | 294 The flashing procedure given above, where the first 0x2000 bytes of the new fw |
295 flag. If the fw version you are seeking to play with has boot code with that | 295 image (the bootloader part) are written with the flash erase-program-boot |
296 malfeature present, the bricking vulnerability window extends until you not | 296 command and the regular flash program-bin command writes everything from 0x2000 |
297 only program the new boot code into flash, but also program 0xDDDDDDDD into | 297 onward, is only correct for older firmware versions whose bootloader portion is |
298 that 0x2060 word. You've been warned. | 298 completely free from the access locking malfeature: not only unlocked, but with |
299 no provision for locking at all. In these older fw versions the boot code is | |
300 fully contained in the first 0x2000 bytes and nothing from 0x2000 onward affects | |
301 the ability to perform a new serial boot, hence the bricking vulnerability | |
302 window ends at 0x2000. However, this flashing procedure should NOT be used for | |
303 newer fw versions that have the provision for locking the bootloader - it's the | |
304 provision that matters in this case, even if the lock hasn't been activated - | |
305 if you flash one of these newer fw versions as above, you will risk bricking | |
306 your phone! | |
307 | |
308 If you need to flash one of the newer fw versions that includes the bootloader | |
309 lock provision, you need to take some additional precautionary steps: | |
310 | |
311 1. Examine the fw image you wish to flash with a hex dump viewer. Look starting | |
312 at offset 0x2000. You should see 3 identifying ASCII strings: one right at | |
313 0x2000, another at 0x2020 and one more at 0x2040. Then look at 4 bytes at | |
314 offset 0x2060. If they contain 0xFFFFFFFF (blank flash) like the surrounding | |
315 unused bytes, then you have an older fw version without the bootloader lock | |
316 provision - you can safely flash it as in the previous section. If it's a | |
317 newer fw version with the bootloader lock provision, the word at 0x2060 will | |
318 contain either 0x00000000 or 0xDDDDDDDD, corresponding to the activated | |
319 (access disabled) and non-activated (access enabled) states of the lock, | |
320 respectively. | |
321 | |
322 2. If the fw image you wish to flash has 0x00000000 at 0x2060, you must patch | |
323 it to 0xDDDDDDDD with a hex editor before flashing. Just because our tfc139 | |
324 utility can recover phones with maliciously locked bootloaders does NOT mean | |
325 that you should *ever* deliberately flash such a bootloader-locked fw image | |
326 into your phone! Recovery of locked phones via tfc139 depends on the | |
327 complete fw image being present and working, not just the bootloader part, | |
328 hence if you were to flash an image that has a lockable bootloader with the | |
329 lock activated, the bricking vulnerability window will extend until the | |
330 *entire* fw image has been programmed - far too dangerous. | |
331 | |
332 3. When flashing the image with fc-loadtool, use a slightly different command | |
333 sequence compared to the previous section: | |
334 | |
335 flash erase-program-boot new-fw-image.bin 10000 | |
336 flash erase 10000 360000 | |
337 flash program-bin 10000 new-fw-image.bin 10000 360000 | |
338 | |
339 The difference is that the boundary between the part handled with flash | |
340 erase-program-boot and the part handled with flash program-bin has been moved | |
341 from 0x2000 to 0x10000. Because the word at 0x2060 is part of the bricking | |
342 vulnerability window with these newer fw versions, one should rewrite the | |
343 entire boot sector of the flash (including the beginning of the main fw image) | |
344 with flash erase-program-boot for safety. | |
345 | |
346 Unlocking while keeping the same fw version | |
347 =========================================== | |
348 | |
349 Suppose you have a phone with a locked bootloader such that you had to break in | |
350 with tfc139, you would like to unlock it so you can use RAM-based (non-flash) | |
351 tools such as c139explore or OsmocomBB with it, but you have no particular need | |
352 to change the main fw from the original version to a different one. If you | |
353 need to perform such a cisversion unlock, you can do it as follows: | |
354 | |
355 1. Break in with tfc139; | |
356 2. Use fc-loadtool's flash dump2bin command to save the first 64 KiB sector | |
357 of the flash to a file; | |
358 3. Using a hex editor, patch the word at 0x2060 from 0x00000000 to 0xDDDDDDDD; | |
359 4. Use fc-loadtool's flash erase-program-boot command to flash the patched | |
360 (unlocked) boot sector back into the phone. | |
299 | 361 |
300 C155/156 differences | 362 C155/156 differences |
301 ==================== | 363 ==================== |
302 | 364 |
303 C155/156 phones are nicer than the others in that they use a flash chip with a | 365 C155/156 phones are nicer than the others in that they use a flash chip with a |
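Review bot: the new "Unlocking while keeping the same fw version" section names the fc-loadtool commands but omits their arguments, whereas the preceding section spells out full command lines; step 2 should give the actual `flash dump2bin` invocation (which offset and length produce the "first 64 KiB sector"), and step 4 should state that the length argument to `flash erase-program-boot` is the same 10000 used in `flash erase-program-boot new-fw-image.bin 10000` above, because the reader now has two different boundaries (0x2000 and 0x10000) to choose between and the text does not say which one applies here. Two smaller points on the same hunk: the three-command sequence under step 3 of "Flashing newer firmware versions" hard-codes the 10000/360000 lengths, so it should repeat the caveat from the "C11x/123" paragraph just above that owners of those phones must adjust the erase and program-bin lengths for their flash configuration; and step 1 enumerates only 0xFFFFFFFF, 0x00000000 and 0xDDDDDDDD as possible contents of the word at 0x2060, with no instruction for any other value, so it should say that an unrecognised value means the image should not be flashed with either procedure until it is understood.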