annotate doc/Flash-write-protection @ 1011:6d9b10633f10

etmsync Pirelli IMEI retrieval: fix poor use of printf() Bug reported by Vadim Yanitskiy <fixeria@osmocom.org>: the construct where a static-allocated string was passed to printf() without any format arguments causes newer compilers to report a security problem. Given that formatted output is not needed here, just fixed string output, change printf() to fputs(), and direct the error message to stderr while at it.
author Mychaela Falconia <falcon@freecalypso.org>
date Thu, 23 May 2024 17:29:57 +0000
parents 30fad2b3afd2
children 11391cb6bdc0
Some Calypso-based GSM MS designs (phones, modems, development boards) use
AMD-style (Spansion or Samsung) flash chips, while others use Intel flash.
In the case of Calypso devices that use Spansion or Samsung flash chips, all of
those chips support a rarely used feature: an ability to write-protect selected
flash sectors, disallowing erase and program operations in those areas. With
earlier AMD-style flash chips (actual AMD-branded ones prior to the introduction
of the Spansion brand, as well as Samsung K5A32xx used in Openmoko devices) this
sector-level write protection can only be applied or lifted by way of external
programming equipment, executing special commands with a high voltage applied
to one of the pins - hence when the chip resides on a product board, no new
sector locks can be applied. (We are not aware of any Calypso GSM device
manufacturer who locked some flash sectors and then populated the chip onto the
board in that state.)

With newer Spansion and Samsung flash families, however, sector locks became
more easily accessible: they have Persistent Protection Bits (PPBs) which can
be programmed (locking a sector or a group of sectors) and erased (removing all
such locks) in-system under normal operating conditions, using only special
software commands. These flash chips also have "hard" locking modes: a Password
Sector Protection mode in which PPBs can only be modified after feeding a
matching 64-bit key to the chip, and an OTP "master lock" mode in which the
ability to erase PPBs is irreversibly disabled, locking all write-protected
sectors forever - but so far we (the FreeCalypso community) have not yet
encountered any devices in which any of these "hard" locks have been activated.
There is, however, at least one Calypso-based phone out there (Sony Ericsson
K2x0 family) in which the shipping state of the device includes some flash
sector locks - but these locks are of the "soft" kind, removable by performing
a PPB erase operation which is not further blocked.

fc-loadtool support for sector write-protection
===============================================

As of fc-host-tools-r21, fc-loadtool provides the following facilities in
relation to sector write-protection features on AMD-style flash chips:

* The flash lock-state command is available when operating on those flash chips
  for which we've implemented the necessary table, listing how sectors are
  grouped for the purpose of write protection, how they are grouped for the
  purpose of lock status retrieval via Autoselect read mode, and what
  additional lock status words should be checked. We have implemented the
  necessary knowledge tables for all chips on which we support PPB manipulation
  (see below), but also for some chips on which sector lock state can be
  modified only by high-voltage methods - on the latter chips we can examine
  the lock state, but not modify it.

* The flash ppb-* commands actively alter sector write protection state by
  programming and erasing PPBs on those Spansion and Samsung flash chips that
  allow these PPB alterations by software commands alone (without high-voltage
  circuits) and for which we have implemented the necessary knowledge tables.
  The set of flash chips for which we have implemented these active commands is
  a proper subset of those for which we have implemented flash lock-state
  retrieval.

These commands are primarily aimed at unlocking flash regions that have been
write-protected by previous parties. It is very helpful, however, to understand
some theory before using these commands, which the present document aims to
explain.

How PPBs work
=============

Spansion and Samsung flash chips that feature PPBs have one PPB per sector or
per sector group - some sectors are aggregated into groups (of 4 sectors max)
for the purpose of write protection control. All of these PPBs are contained
in one special-purpose non-volatile memory element inside the flash chip, and
this NV memory element behaves like a little flash sector of its own: it has a
program operation, affecting each PPB individually, and an erase operation that
affects all PPBs across the chip at once. (See the How-flash-really-works
article for an explanation of program and erase operations.) The programmed
state of a PPB corresponds to the associated flash sector or sector group being
locked (write-protected), and the erased state of a PPB corresponds to the
flash location being unlocked (free to erase and program at will).

The fc-loadtool commands for manipulating PPBs are flash ppb-program and flash
ppb-erase-all; they are named in this manner (as opposed to a naming scheme
based on "lock/unlock" or "protect/unprotect") to emphasize the physical nature
of what they actually do in the flash chip. The flash ppb-program command (or
flash2 ppb-program for the second bank of 16 MiB flash chips) addresses a
specific sector and programs that sector's PPB, causing the sector to become
write-protected; flash ppb-erase-all erases all PPBs across the flash chip,
causing the entire main flash array to become unlocked for write operations.

The internal implementation of these PPB manipulation commands is very different
between PL-J and PL-N flash types, as required by the respective flash chip
families presenting a very different type of command interface for PPB
operations. The command interface implemented on the Spansion PL-J family and
at least some Samsung flash chips (K5L29xx in particular) exposes the raw
physics of the flash (see the How-flash-really-works article) to the user for
PPB operations, requiring flashing software tool developers to understand all
of that theory and implement it in practice. OTOH, the command interface for
PPB program and erase operations implemented on the Spansion PL-N family (of
which only PL129N is usable with Calypso) brings these special operations into
harmony with ordinary flash programming and erasure procedures. We don't know
(and may never know) if Spansion aimed to simplify life for flash low-level
driver implementors or if internal advancements from PL-J to PL-N flash
necessitated some changes in physics-level program/erase algorithms and
Spansion didn't feel like exposing the internal details of their newer flash -
but the practical implication for us is that we had to implement two different
code paths to support both ways of performing these operations, as we need to
support all flash chip types that are found in Calypso GSM devices of different
ages.

It also needs to be noted that at least in Spansion PL-J and Samsung flash chips
the special non-volatile memory element that holds PPBs has a *very* limited
number of program-erase cycles: the datasheets we were able to find give a limit
of 100 (1e2) cycles for this special NV memory element, compared to 1e5 cycles
promised by the same datasheets for the main flash array. So please beware,
and avoid needlessly cycling these write protection bits.
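
The program-one / erase-all asymmetry from "How PPBs work" and the endurance limit above, as an added C model (not FreeCalypso or fc-loadtool code): removing a single lock means erasing every PPB and re-programming the ones that must stay, which spends one of the 100 cycles. The grouping table, the function names and the choice to count one cycle per erase are assumptions made for illustration; no chip command sequences are modeled.

```c
#include <stdio.h>
#include <string.h>
#define NUM_PPB       6
#define PPB_CYCLE_MAX 100   /* endurance limit quoted in the article */
/* Constructed grouping table (not a real chip): first sector and sector
   count covered by each PPB; a group holds at most 4 sectors. */
static const struct { int first, count; } ppb_group[NUM_PPB] =
    { {0, 1}, {1, 1}, {2, 1}, {3, 1}, {4, 4}, {8, 4} };

struct ppb_model {
    unsigned char ppb[NUM_PPB];  /* 1 = programmed = locked */
    unsigned erase_cycles;       /* PPB erase operations performed */
};

/* Map a sector number to the PPB that covers it, or -1 if out of range. */
static int ppb_index(int sector) {
    for (int i = 0; i < NUM_PPB; i++)
        if (sector >= ppb_group[i].first &&
            sector < ppb_group[i].first + ppb_group[i].count)
            return i;
    return -1;
}

int sector_locked(const struct ppb_model *m, int sector) {
    int i = ppb_index(sector);
    return i >= 0 && m->ppb[i];
}

/* Program: sets only the PPB covering the addressed sector. */
int ppb_program(struct ppb_model *m, int sector) {
    int i = ppb_index(sector);
    if (i < 0) return -1;
    m->ppb[i] = 1;
    return 0;
}

/* Erase: clears every PPB at once and spends one endurance cycle. */
int ppb_erase_all(struct ppb_model *m) {
    if (m->erase_cycles >= PPB_CYCLE_MAX) return -1;
    memset(m->ppb, 0, sizeof m->ppb);
    m->erase_cycles++;
    return 0;
}

/* Unlock one sector but keep the other locks: snapshot, erase all,
   re-program the rest. Returns PPBs re-programmed, or -1 on failure. */
int ppb_unlock_keep_others(struct ppb_model *m, int sector) {
    unsigned char saved[NUM_PPB];
    int target = ppb_index(sector), restored = 0;
    if (target < 0) return -1;
    if (!m->ppb[target]) return 0;   /* already unlocked: spend no cycle */
    memcpy(saved, m->ppb, sizeof saved);
    if (ppb_erase_all(m) < 0) return -1;
    for (int i = 0; i < NUM_PPB; i++)
        if (i != target && saved[i]) { ppb_program(m, ppb_group[i].first); restored++; }
    return restored;
}

int main(void) {
    struct ppb_model m = {0};
    ppb_program(&m, 0); ppb_program(&m, 5);
    int n = ppb_unlock_keep_others(&m, 6);  /* sector 6 shares a PPB with 5 */
    printf("kept=%d cycles=%u\n", n, m.erase_cycles);
}
```

Checking the lock state first, as the model does, is what keeps an unlock request for an already-unlocked sector from costing a cycle.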