# HG changeset patch # User Michael Spacefalcon # Date 1403337674 0 # Node ID 7e305184b0b499fea61a34acb9b9e51d937881ad # Parent 1060bf70d95d2788e65ea6e16080522c76240af5 doc/Compal-unlock: TFC139 RTC alarm oddity explained diff -r 1060bf70d95d -r 7e305184b0b4 doc/Compal-unlock --- a/doc/Compal-unlock Sat Jun 21 06:55:27 2014 +0000 +++ b/doc/Compal-unlock Sat Jun 21 08:01:14 2014 +0000 
@@ -142,6 +142,30 @@ proceed directly to feeding loadagent to the Calypso boot ROM. You should now be in full control of the phone via fc-loadtool. +There is one additional quick worth mentioning. It appears that Mot/Compal's +main fw (at least TF's version 8.8.17, which is the version we break into with +tfc139; other versions are anyone's guess) keeps resetting the RTC alarm +registers in the Calypso DBB as it runs, always keeping the alarm time in the +near future relative to the current time. When one breaks into this firmware +with tfc139 and takes over the control of the device with fc-loadtool, this +alarm time will almost certainly be reached, and the RTC alarm will go off. +This alarm has no effect on loadtool operation (i.e., it cannot reset the CPU +or otherwise wrestle control away from loadtool, so it doesn't add any bricking +risk), but it has one quite surprising effect upon exit, i.e., when you are +done with your loadtool session and give it the exit command. + +Loadtool's configured default exit action for this target is to send a power-off +command to the Iota ABB, leaving the device cleanly powered off. However, if +the RTC alarm has gone off previously during the session, the ABB will instantly +power the phone back on, and put it through a new boot cycle. The firmware +(again, the only version this stuff can be tested on is the one that works with +tfc139) handles this special form of boot rather oddly: it proceeds to the same +end state it would have reached via a normal power button hold-down boot +(powered on with the "Insert SIM" message on the LCD), but it reaches this state +almost instantly, without going through the power-on LCD logo and buzz phase. +Odd, but harmless. This explanation has been included to save other hackers +the hours of bewildered head-scratching I spent chasing this quick down. + Dumping and reloading flash ===========================
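Review bot: the word "quick" in the first added line ("There is one additional quick worth mentioning") and again in the last added paragraph ("chasing this quick down") should be "quirk". Two smaller wording fixes in the same hunk: "takes over the control of the device" reads better as "takes control of the device", and "upon exit, i.e., when you are done" can drop the "i.e." since the sentence already says what exit means. Since the paragraph ends by telling the reader the behaviour is harmless, it would be more actionable to also state whether anything can be done about it: for example, whether loadtool's exit action can be changed for this target, or whether the pending alarm can be cleared before the power-off command is sent, so a reader does not have to discover the workaround on their own. If neither is known, a one-line "no workaround is currently known" would still save the next reader the same head-scratching the text describes.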