FreeCalypso > hg > freecalypso-sw
comparison doc/Compal-unlock @ 427:7e305184b0b4
doc/Compal-unlock: TFC139 RTC alarm oddity explained
| author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> |
|---|---|
| date | Sat, 21 Jun 2014 08:01:14 +0000 |
| parents | 1060bf70d95d |
| children | 2d8ab1b0df8d |
| 426:1060bf70d95d | 427:7e305184b0b4 |
|---|---|
| 140 | 140 |
| 141 Do as it says. The -c none option tells fc-loadtool to skip compalstage and | 141 Do as it says. The -c none option tells fc-loadtool to skip compalstage and |
| 142 proceed directly to feeding loadagent to the Calypso boot ROM. You should now | 142 proceed directly to feeding loadagent to the Calypso boot ROM. You should now |
| 143 be in full control of the phone via fc-loadtool. | 143 be in full control of the phone via fc-loadtool. |
| 144 | 144 |
| 145 There is one additional quick worth mentioning. It appears that Mot/Compal's | |
| 146 main fw (at least TF's version 8.8.17, which is the version we break into with | |
| 147 tfc139; other versions are anyone's guess) keeps resetting the RTC alarm | |
| 148 registers in the Calypso DBB as it runs, always keeping the alarm time in the | |
| 149 near future relative to the current time. When one breaks into this firmware | |
| 150 with tfc139 and takes over the control of the device with fc-loadtool, this | |
| 151 alarm time will almost certainly be reached, and the RTC alarm will go off. | |
| 152 This alarm has no effect on loadtool operation (i.e., it cannot reset the CPU | |
| 153 or otherwise wrestle control away from loadtool, so it doesn't add any bricking | |
| 154 risk), but it has one quite surprising effect upon exit, i.e., when you are | |
| 155 done with your loadtool session and give it the exit command. | |
| 156 | |
| 157 Loadtool's configured default exit action for this target is to send a power-off | |
| 158 command to the Iota ABB, leaving the device cleanly powered off. However, if | |
| 159 the RTC alarm has gone off previously during the session, the ABB will instantly | |
| 160 power the phone back on, and put it through a new boot cycle. The firmware | |
| 161 (again, the only version this stuff can be tested on is the one that works with | |
| 162 tfc139) handles this special form of boot rather oddly: it proceeds to the same | |
| 163 end state it would have reached via a normal power button hold-down boot | |
| 164 (powered on with the "Insert SIM" message on the LCD), but it reaches this state | |
| 165 almost instantly, without going through the power-on LCD logo and buzz phase. | |
| 166 Odd, but harmless. This explanation has been included to save other hackers | |
| 167 the hours of bewildered head-scratching I spent chasing this quick down. | |
| 168 | |
| 145 Dumping and reloading flash | 169 Dumping and reloading flash |
| 146 =========================== | 170 =========================== |
| 147 | 171 |
| 148 Once you break in with fc-loadtool (either through the bootloader or through | 172 Once you break in with fc-loadtool (either through the bootloader or through |
| 149 tfc139), the first step you should do is make a dump (backup) of the flash: | 173 tfc139), the first step you should do is make a dump (backup) of the flash: |
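Review bot: "quick" in the new lines 145 ("There is one additional quick worth mentioning") and 167 ("chasing this quick down") should read "quirk"; since the word names the subject of the whole added passage, fix it before this lands. Minor wording on new line 150: "takes over the control of the device" reads more naturally as "takes over control of the device".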
