view doc/Compal-calibration @ 921:74d284add54d
fc-fsio: guard against bogus readdir results from the target
If the FFS being operated on contains SE K2x0 extended filenames,
readdir will return strings that are bad for printing. We need to
guard against this possibility, and also against possible other
bogosity that could be sent by other alien firmwares.
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Sat, 31 Dec 2022 22:55:23 +0000 |
parents | 6dcca662a02f |
children |
Reading factory RF calibration values out of Mot C1xx and SE J100 phones
========================================================================

Motorola C1xx and Sony Ericsson J100 phones are based on the
Calypso+Iota+Rita chipset from TI and their firmware is also loosely based on
TI's reference, but Compal (the ODM who produced these phones for Motorola and
SE) made lots and lots of changes moving away from TI's canonical way of doing
things.  When it comes to RF calibration, Mot/SE/Compal have performed it on
each individual unit on their factory production line just like all other GSM
phone and modem manufacturers, but instead of storing the results of this
calibration in TI's flash file system, Compal put these calibration values
into a completely different flash data structure of their own invention.

We don't know the proper name for Mot/SE/Compal's flash data structure that
has no counterpart in TI's canonical solution, but we know its location in the
flash:

* On C1xx phones with 2 MiB flash (most C11x/12x variants), it is the 8 KiB
  flash sector at 0x1FC000;

* On C139/140 phones and the rare C11x/12x variants with 4 MiB flash, and also
  on the SE J100, it is the 8 KiB flash sector at 0x3FC000;

* On C155/156 phones with 8 MiB flash, the data structure in question is
  contained in the first 8 KiB of the 64 KiB physical flash sector at
  0x7E0000.

The flash sector in question contains record-structured data; we don't know
the meaning of most of these records, but we have been able to find the RF
calibration records among them and locate the actual calibration values of
interest inside those records.

In order to extract the RF calibration values from your C1xx or SE J100 phone
for use with FreeCalypso, you will need a dump of your phone's flash, or at
least a dump of the specific 8 KiB sector at the model-dependent offset given
above.
As a specific example, if your phone is a C139/140 or a C11x/12x variant with
4 MiB flash (or SE J100) and you have a complete dump of that flash, execute a
command like the following:

    c1xx-calextr -b rfbin flashdump.bin 0x3FC000

The c1xx-calextr utility locates the RF calibration records in the flash dump
binary, extracts those calibration values contained therein which we are able
to grok, and converts them to TI's canonical format for use with FreeCalypso
firmware.  The numeric argument after the flash image filename is the offset
within that image file where the magic sector should be sought, and the -b
option directs the tool to save the converted RF calibration tables in binary
format (the alternative is -a for ASCII format) in the directory named after
the option, named rfbin in this example.

If you use the binary output option as recommended here, the resulting output
directory will have two subdirectories in it, named rx and tx.  The rx
subdirectory will contain agcparams and calchan tables for each band, and the
tx subdirectory will contain a levels table for each band.  This directory
structure and these names for the binary files correspond directly to the
/gsm/rf directory subtree in the flash file system (FFS) of TI's canonical
solution, hence once the C1xx phone in question is converted to FreeCalypso
(i.e., runs FreeCalypso fw with an aftermarket FFS created for it), you can
upload the extracted and converted RF calibration values into it like this:

    fc-fsio upload-subtree rfbin /gsm/rf

Rx channel correction values
============================

A GSM phone or modem needs to know how to derive the actual input signal level
in dBm from the power measurements reported by the DSP; the difference between
the two is called the "magic gain" (GMagic), and the firmware needs to know
what it is.  The primary GMagic value for each band is calibrated at the
center frequency of that band, and then there are channel-dependent
corrections applied.
In TI's canonical solution the complete ARFCN range of each band is divided
into up to 10 subbands, and each of these subbands gets its own channel
correction value.  The ARFCN boundaries between the subbands are defined by
the external calibration system and not by the firmware code, by virtue of
being given inside the Rx calchan table itself along with the correction
values.

But Compal (all C1xx variants and SE J100) have made two changes:

* They increased the number of subbands from 10 (TI's canon) to 21 for the
  GSM850 band, 30 for the EGSM band, 63 for DCS and 50 for PCS, so that each
  subband is only 6 channels (1.2 MHz).

* The ARFCN boundaries for the subbands are not stored in the calibration
  records in the flash, but are fixed in the firmware instead.

Changing our FreeCalypso firmware to allow up to 63 Rx AGC subbands to match
Compal's fw architecture would be too disruptive, hence our current
c1xx-calextr implementation translates Compal's Rx channel correction values
to TI/FC format by combining groups of Compal's subbands into larger subbands,
and making a mean value out of the smaller subband correction values in
Compal's factory calibration record.

The AGC subbands defined by Compal's fw are listed below, with each numeric
line giving the ARFCN range of each subband; blank lines separate the
groupings made by c1xx-calextr.

850 MHz band:

128-134
135-140
141-146
147-152
153-158
159-164
165-170
171-176
177-182
183-188
189-194
195-200
201-206
207-212
213-218
219-224
225-230
231-236
237-242
243-248
249-251

900 MHz band:

0-6
7-12
13-18
19-24
25-30
31-36
37-42
43-48
49-54
55-60
61-66
67-72
73-78
79-84
85-90
91-96
97-102
103-108
109-114
115-120
121-124
975-975
976-981
982-987
988-993
994-999
1000-1005
1006-1011
1012-1017
1018-1023

1800 MHz band:

512-518
519-524
525-530
531-536
537-542
543-548
549-554
555-560
561-566
567-572
573-578
579-584
585-590
591-596
597-602
603-608
609-614
615-620
621-626
627-632
633-638
639-644
645-650
651-656
657-662
663-668
669-674
675-680
681-686
687-692
693-698
699-704
705-710
711-716
717-722
723-728
729-734
735-740
741-746
747-752
753-758
759-764
765-770
771-776
777-782
783-788
789-794
795-800
801-806
807-812
813-818
819-824
825-830
831-836
837-842
843-848
849-854
855-860
861-866
867-872
873-878
879-884
885-885

1900 MHz band:

512-518
519-524
525-530
531-536
537-542
543-548
549-554
555-560
561-566
567-572
573-578
579-584
585-590
591-596
597-602
603-608
609-614
615-620
621-626
627-632
633-638
639-644
645-650
651-656
657-662
663-668
669-674
675-680
681-686
687-692
693-698
699-704
705-710
711-716
717-722
723-728
729-734
735-740
741-746
749-752
753-758
759-764
765-770
771-776
777-782
783-788
789-794
795-800
801-806
807-810

Tx channel correction values
============================

A similar situation holds here: in TI's canon each band is divided into 8
subbands for the purpose of Tx channel-dependent corrections, but Mot/Compal
seem to be using smaller subbands: 13 for the GSM850 band, 18 for EGSM, 38 for
DCS and 30 for PCS.
We can see where these correction values are stored in the calibration records
in the flash (immediately after the Tx levels array), but the ARFCN boundaries
of Mot/Compal's Tx channel calibration subbands are not known, and the
semantics of the correction values themselves are not clear: Mot/Compal's Tx
channel correction values are centered around 0, whereas in TI's canonical
version they are centered around 128.

Because we are not able to grok Mot/Compal's Tx channel correction, we
currently ignore this part of their factory calibration, i.e., FreeCalypso fw
will run with all channel correction values set to 128, meaning no channel
correction.  But since we do use the Tx levels table of APC DAC values from
Mot/Compal's factory records, and given that the tolerances for Tx power
levels given in the GSM 05.05 spec are quite generous, we expect to still be
within these tolerances despite the lack of channel correction.

In vivo approach: tried and failed
==================================

Before I figured out the format of Mot/Compal's factory calibration records in
their flash and wrote the c1xx-calextr "in vitro" extraction and conversion
tool, I tried an "in vivo" approach: reading the calibration values out from
the running firmware via TI's L1/RF Test Mode commands which are still present
in Mot/Compal's fw.
This approach successfully yielded the tables of Tx ramp templates which are
calibrated per design rather than per unit and thus compiled into the fw and
not present in the per-unit factory calibration records (these extracted Tx
ramps tables are now used by FC Magnetite fw when built for the C139 target),
but does not help with much of anything else:

* One can read the calibrated Tx levels table (rftr 16) for the low frequency
  band (850 or 900 MHz), but not for the high (1800 or 1900 MHz) band: in
  order to access the tables for the high band, one needs to issue an rfpw 7
  command, but in Mot/Compal's version the latter command only loads the
  compiled-in tables and does not apply their non-TI calibration records.

* The Rx agcparams table returned in response to rftr 31 always has the GMagic
  field set to the fw's compiled-in value and not the calibrated one.

* The Rx calchan table (which Mot/Compal enlarged from 10 to 63 entries as
  explained earlier in this article) cannot be read out at all: the rftr 25
  command crashes the firmware, probably via a buffer overflow from the
  enlarged table.

* The Tx calchan table can be read out with rftr 17, but it does not make any
  sense: it still has 4 copies of a table of 8 subbands like in TI's canon,
  even though when we look at their factory calibration records, we can
  clearly see that the table of Tx channel correction values is also enlarged.
  But the correction values themselves are centered around 0 in this strange
  table returned in response to rftr 17, and not around 128 like in TI's
  canon.

The fc-readcal utility was written before c1xx-calextr, and it was my original
idea of how to extract Mot/Compal's factory RF calibration values.
It features a -c command line option for "Compal mode" which disables the
reading of Rx calchan and Tx calchan tables via rftr 25 and rftr 17,
respectively (the former crashes the fw, the latter has the wrong semantics),
but because it issues rfpw 7 commands for each band preceded by tms 1, it will
only yield the firmware's compiled-in values, and not any of the
factory-calibrated ones.  Therefore, the fc-readcal method should not be used,
and the c1xx-calextr method described in the main body of this article should
be used instead.
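
The subband merging described under "Rx channel correction values" above, worked through for the GSM850 band as an added example (not code from freecalypso-tools). The even group sizes, the rounding rule, the struct and function names and the correction values are assumptions of this example; c1xx-calextr's actual groupings are not reproduced here.

```c
#include <stdio.h>

/* TI-style Rx calchan entry: upper ARFCN bound of the subband plus its
   correction value (struct and field names are this example's own). */
struct calchan_ent { int upper_bound; int corr; };

/* Upper ARFCN bounds of Compal's 21 fixed GSM850 subbands, from the list. */
static const int gsm850_upper[21] = {
    134, 140, 146, 152, 158, 164, 170, 176, 182, 188, 194,
    200, 206, 212, 218, 224, 230, 236, 242, 248, 251 };

/* Constructed per-subband correction values, not from any real phone. */
static const int sample_corr[21] = {
    -6, -4, -3, -3, -2, 0, 1, 1, 2, 2, 3, 3, 2, 1, 0, -1, -2, -3, -5, -6, -8 };

/* Integer mean rounded to nearest, halves away from zero (assumed rule). */
static int round_div(int sum, int n)
{
    return (sum >= 0 ? sum + n / 2 : sum - n / 2) / n;
}

/* Merge nsrc fine subbands into at most nmax coarse ones.  Group sizes are
   spread evenly: an assumption, not c1xx-calextr's actual groupings. */
int merge_subbands(const int *upper, const int *corr, int nsrc,
                   struct calchan_ent *out, int nmax)
{
    int ngroups = nsrc < nmax ? nsrc : nmax, i = 0, g;

    for (g = 0; g < ngroups; g++) {
        int end = (g + 1) * nsrc / ngroups;  /* one past the group's last */
        int sum = 0, n = end - i;
        for (; i < end; i++)
            sum += corr[i];
        out[g].upper_bound = upper[end - 1]; /* group inherits last bound */
        out[g].corr = round_div(sum, n);
    }
    return ngroups;
}

struct calchan_ent demo_out[10];   /* 10 = TI's subband limit per band */
int run_demo(void)
{
    return merge_subbands(gsm850_upper, sample_corr, 21, demo_out, 10);
}

int main(void)
{
    int n = run_demo(), g;
    for (g = 0; g < n; g++)
        printf("up to ARFCN %d: %d\n", demo_out[g].upper_bound, demo_out[g].corr);
    return 0;
}
```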