diff compal-flash-boot-for-fc/README @ 933:8eb7cb176a70

compal-flash-boot-for-fc/README added
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Sat, 31 Oct 2015 03:26:15 +0000
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/compal-flash-boot-for-fc/README	Sat Oct 31 03:26:15 2015 +0000
@@ -0,0 +1,31 @@
+Compal phones have malicious wiring in their PCBs to disable Calypso's internal
+boot ROM (nIBOOT input tied high instead of low).  Therefore, flash sector 0
+must always contain working boot code that allows the possibility of new code
+download over the headset jack UART, and jumps to the main firmware in the rest
+of the flash if no such download is taking place.  In the absence of such good
+boot code in flash sector 0 the phone is bricked.
+
+Compal's own firmwares for these phones do feature a bootloader just as
+described, but it has one defect: they put the boundary between the boot code
+and the main firmware at address 0x2000, but the flash erase unit boundary
+does not come until 0x10000.  Therefore, every time the main fw needs to be
+reflashed, flash sector 0 has to be erased and reprogrammed, creating a
+bricking vulnerability.
+
+Because Compal's original flash layout does not allow us to reuse their
+bootloader totally untouched while replacing the main fw, and we'll have to
+reflash our own version of the boot code at least the first time we reflash a
+given phone from its official fw to FreeCalypso, we can take the liberty of
+using a slightly patched version of Compal's boot code - with Compal's official
+firmwares the bootloader part differs slightly from one fw version to the next
+anyway.
+
+The version of Compal's flash boot code built in this directory is intended to
+be used with FreeCalypso firmwares.  It is based on one of Compal's versions
+that has no malicious features (no check of flash word 0x2060 and no requirement
+of "1003" signature in the serially downloaded images at the most inconvenient
+location), and it has been patched to transfer control to the main fw at 0x10058
+instead of 0x20F8, i.e., main fw images are to be flashed at 0x10000 without
+touching flash sector 0.  Interrupt and exception version redirections have also
+been patched accordingly; the specific interface between the boot code and the
+main fw now mimics that of TI's TCS211 reference fw.