comparison doc/SE-K2xx-FFS @ 1012:11391cb6bdc0

patch from fixeria: doc change from SE K2x0 to K2xx Since their discovery in late 2022, Sony Ericsson K200 and K220 phones were collectively referred to as SE K2x0 in FreeCalypso documentation. However, now that SE K205 has been discovered as yet another member of the same family (same PCBA in different case), it makes more sense to refer to the whole family as SE K2xx.
author Mychaela Falconia <falcon@freecalypso.org>
date Mon, 23 Sep 2024 12:23:20 +0000
parents doc/SE-K2x0-FFS@3152e23399a2
children
comparison
equal deleted inserted replaced
1011:6d9b10633f10 1012:11391cb6bdc0
1 Flash file system in Sony Ericsson K2xx phones
2 ==================================================
3
4 SE K2xx phones are based on our familiar Calypso chipset, their firmware is
5 based on the standard chipset reference fw from TI, and they use TIFFS as their
6 flexible data storage mechanism. Their TIFFS instance is located in the first
7 3328 KiB of the 2nd flash bank; the geometry is 256x13 or 64x52 depending on
8 which flash chip was used in each given phone. (Some specimen have Spansion
9 S71PL129NB0 chips with 256 KiB flash sectors, others feature Samsung K5L2931CAM
10 chips with 64 KiB flash sectors.)
11
12 Calibration data and self-regenerating ability
13 ==============================================
14
15 SE's FFS life cycle design on these phones is interesting in that vital per-unit
16 calibration data (RF, AFC and MADC calibrations) are stored in two places:
17 (1) in the FFS in TI's standard format and locations, and (2) in a dedicated
18 flash sector outside of FFS that appears to be written once at the factory and
19 never touched afterward.
20
21 SE's firmware design allows the FFS to be fully erased without breaking the
22 phone: whenever the fw boots in a state where the FFS area of the flash is fully
23 erased (you can of course erase those FFS sectors with fc-loadtool, but it
24 appears that some official tools also provide the same operation) but the
25 separate factory calibration data sector is valid, the firmware formats and
26 initializes a new FFS, and furthermore copies all essential calibration records
27 from SE's proprietary sector structure into their standard TIFFS locations!
28
29 But it gets even more interesting - when we examine FFS images read out of
30 various SE K2xx specimen, we see two different occurrences:
31
32 1) In some specimen the FFS content is exactly the same as what we would get by
33 erasing the FFS with fc-loadtool and letting the firmware regenerate a fresh
34 one on its next boot. We can thus reasonably assume that the FFS in these
35 specimen is indeed the product of such intervention at some point in the
36 phone's history.
37
38 2) In other specimen we see some additional files beyond those that exist with
39 the life cycle of the previous paragraph. One readily noticeable addition
40 is the presence of /gsm/rf/tx/ramps.* files, which are absent in the self-
41 regenerated FFS where the phone's fw copied calibration records from SE's
42 dedicated calibration data sector. How are these Tx ramp tables different
43 from all other RF calibration records? Answer: in the present SE K2xx
44 design, and also in all other Calypso phone and modem designs known to this
45 Mother, Tx ramps are calibrated per design and not per unit. Because the
46 correct Tx ramp tables are compiled into the firmware, having them in FFS is
47 redundant.
48
49 Based on the above evidence, I (Mother Mychaela) hereby make the following
50 reconstruction of how these two kinds of FFS found in the wild likely came into
51 being:
52
53 * In the case of Compal (Mot C1xx and SE J100) and Pirelli DP-L10 we know by
54 simple deductive reasoning that those firmwares must have had their l1_cust.c
55 code modified to read calibration records from their respective proprietary
56 flash data structures instead of TI's original FFS files. However, in the
57 case of SE K2xx it is plausible that their l1_cust.c did NOT have to be
58 likewise modified - they could plausibly still have TI's original l1_cust.c
59 code that reads RF tables from FFS on initialization and writes them back
60 into FFS upon those special MISC_ENABLE commands that are issued at the end
61 of TI's original calibration procedures.
62
63 * If my hypothesis above is correct, then it follows that when SE or their ODM
64 did their factory production line calibration, the results were initially
65 written into FFS and not into SE's separate factory calibration data sector.
66 If they are using unmodified l1_cust.c code from TI, then the presence of
67 redundant /gsm/rf/tx/ramps.* files is explained - TI's standard calibration
68 procedure results in these files being written into FFS because the canonical
69 l1_cust.c code classifies them as "Tx calibration" rather than "Tx config" -
70 see our RF_tables article.
71
72 * In a separate step after all standard calibration procedures, they must have
73 copied all important calibration records into their non-standard flash sector
74 at 0x01FD0000, specifically to produce a more durable copy that can persist
75 through full erasure of FFS. Tx ramp tables were not included because they
76 are relatively large and redundant, not actually calibrated per unit.
77
78 * Those SE K2xx specimen whose FFS contains /gsm/rf/tx/ramps.* files and some
79 other files that aren't found in auto-regenerated FFS probably exhibit the
80 original FFS from the factory production line that was never subjected to
81 being blown away and regenerated!
82
83 SE's non-standard extension to TIFFS
84 ====================================
85
86 There is one aspect of SE K2xx FFS that creates a pain point for our tools:
87 they made their own non-standard extension to TIFFS in terms of extended UCS-2
88 filenames, and given our natural desire to be able to use our tiffs tool (TIFFS
89 IVA) to examine FFS images from these SE phones, we had to extend our tool so
90 that it parses SE's extension instead of throwing up errors like it did before.
91
92 As explained in our TIFFS-Overview article, classic TIFFS requires every
93 elementary filename to consist of printable ASCII characters from the sensibly
94 narrow set of [A-Za-z0-9_.,+%$#-], further limited to a maximum of 20
95 characters. However, SE K2xx FFS images often contain some files that violate
96 this constraint; deeper examination reveals that SE (or their ODM) devised a
97 feature to allow filenames composed of UCS-2 characters, implemented as follows:
98
99 * The first "character" of the filename written into TIFFS is \x02, i.e., NOT a
100 printable ASCII character;
101
102 * The next "character" in the TIFFS object name is another binary byte encoding
103 the length of the UCS-2 string: for example, if the "high-level" name consists
104 of 6 UCS-2 characters, this second TIFFS object name "character" is \x06;
105
106 * These two non-printable-ASCII chars are followed by a long string of [0-9A-F]
107 ASCII characters, encoding the "high-level" UCS-2 name in hex;
108
109 * The whole arrangement ends with a terminating NUL, allowing the rest of TIFFS
110 to work unchanged.
111
112 Seen from TIFFS perspective, these extended filenames created by SE K2xx fw
113 violate traditional canon in two ways:
114
115 1) The overall length of the mostly-hex-encoded filename string usually exceeds
116 the traditional 20 character limit;
117
118 2) The set of allowed characters is grossly violated: not an innocuous extension
119 of allowing some additional "sane" characters, but non-printable-ASCII binary
120 chars that are barely compatible with C string functions by virtue of not
121 containing zero bytes.
122
123 Please see the new section titled "Support for SE K2xx extended filenames" in
124 our TIFFS-IVA-usage article for the explanation of how we handle these extended
125 filenames in our TIFFS IVA tool.
126
127 fc-fsio considerations
128 ======================
129
130 In addition to "in vitro" analysis with our tiffs tool, SE K2xx FFS can also be
131 accessed "in vivo" with fc-fsio in the following two scenarios:
132
133 1) SE K2xx firmware does not have RVTMUX enabled by default, but they have
134 non-volatile flags in their FFS (which can be set via a hidden menu entered
135 via secret MMI code #*87223564#) that enable RVTMUX on the MODEM UART that
136 is brought out, and their RVTMUX includes ETM and TMFFS2 protocols.
137
138 2) We can run TI's original FFS code against SE K2xx FFS bodies by adding the
139 necessary configuration to our fc-xram based FFS editor tool described in
140 our TIFFS-Overview article.
141
142 The expected behaviour in scenario 2 can be predicted statically by studying
143 the code, whereas scenario 1 calls for experimentation. Experiments with
144 RVTMUX-enabled SE K2xx original fw reveal that it does behave (at least as far
145 as visible behaviour over TMFFS2) exactly like TI's original FFS code in terms
146 of readdir output when listing directories with extended filenames in them: as
147 long as they fit into TMFFS2 string buffer, these extended filenames are
148 returned just as one would naively expect.
149
150 In light of these observations, fc-fsio has also been patched up to behave
151 gracefully when faced with such previously unexpected readdir results from the
152 target. Specifically:
153
154 * The short form of 'ls' command will print whatever the target firmware
155 returns, including extended filenames; any non-printable-ASCII characters are
156 escaped in \x hex form.
157
158 * 'ls -l' or 'll' will throw up an error if one attempts to list a directory
159 that contains one or more extended filenames, caught either at the level of
160 the readdir result not fitting into the buffer sized for standard TIFFS
161 filenames or (for SE K2xx extended filenames of 4 or fewer UCS-2 characters)
162 at the level of this readdir result containing non-printable-ASCII chars.
163
164 Finally, the following limitations need to be kept in mind:
165
166 * There is no way to address an FFS object with an extended filename by entering
167 a pathname in fc-fsio commands;
168
169 * File systems or subtrees containing extended filenames cannot be read out with
170 fc-fsio cpout command: it will fail just like ls -l;
171
172 * rm-subtree and cleandir commands will likewise fail and stop whenever they
173 encounter a filename longer than 20 characters (invalid for the purpose of
174 pathname generation based on fixed-length buffers) anywhere in the subtree to
175 be deleted.
176
177 The last limitation (inability to delete "bad" files) may seem like a serious
178 flaw in the design of fc-fsio at first, but please realize that the primary
179 mission of FreeCalypso is to work with our own hardware and firmware, not alien
180 - and the original FFS code from TI, which is what we use in FreeCalypso, will
181 never allow file system objects with such bad filenames to be created in the
182 first place. Therefore, the limitation of fc-fsio being unable to manipulate
183 certain files to the extent of not even being able to delete them is specific
184 to the peculiar scenario of operating on *alien* FFS from Sony Ericsson.