view compal-flash-boot-for-fc/README @ 933:8eb7cb176a70

compal-flash-boot-for-fc/README added
author Mychaela Falconia <falcon@ivan.Harhan.ORG>
date Sat, 31 Oct 2015 03:26:15 +0000
parents
children
line wrap: on
line source

Compal phones have malicious wiring in their PCBs to disable Calypso's internal
boot ROM (nIBOOT input tied high instead of low).  Therefore, flash sector 0
must always contain working boot code that allows the possibility of new code
download over the headset jack UART, and jumps to the main firmware in the rest
of the flash if no such download is taking place.  In the absence of such good
boot code in flash sector 0 the phone is bricked.

Compal's own firmwares for these phones do feature a bootloader just as
described, but it has one defect: they put the boundary between the boot code
and the main firmware at address 0x2000, but the flash erase unit boundary
does not come until 0x10000.  Therefore, every time the main fw needs to be
reflashed, flash sector 0 has to be erased and reprogrammed, creating a
bricking vulnerability.

Because Compal's original flash layout does not allow us to reuse their
bootloader totally untouched while replacing the main fw, and we'll have to
reflash our own version of the boot code at least the first time we reflash a
given phone from its official fw to FreeCalypso, we can take the liberty of
using a slightly patched version of Compal's boot code - with Compal's official
firmwares the bootloader part differs slightly from one fw version to the next
anyway.

The version of Compal's flash boot code built in this directory is intended to
be used with FreeCalypso firmwares.  It is based on one of Compal's versions
that has no malicious features (no check of flash word 0x2060 and no requirement
of "1003" signature in the serially downloaded images at the most inconvenient
location), and it has been patched to transfer control to the main fw at 0x10058
instead of 0x20F8, i.e., main fw images are to be flashed at 0x10000 without
touching flash sector 0.  Interrupt and exception version redirections have also
been patched accordingly; the specific interface between the boot code and the
main fw now mimics that of TI's TCS211 reference fw.