Our Calypso device flash programming tool fc-loadtool can be used in severaldifferent paradigms; this article is an attempt to clarify the many availablemodes of usage. You should also read the companion article Binary-file-formatsfor further background.Flashing firmware release images================================In conventional forward engineering environments where you develop or maintainfirmware for hardware made by your own company (meaning no reverse eng, no"illicit" aftermarket tinkering on hw made by some other company aeons ago),you have a firmware build system that produces fw build images (some of whichmay subsequently be blessed as releases), and you have a tool that flashesthese fw build images into your hardware, operating as efficiently as possible,automated as much as possible, requiring minimal user action for the boringrepetitive task of flashing a new fw image every time you build one. And ifyou become lucky enough to produce your hardware in volume, the same objectivesof maximal efficiency and automation carry over into the production lineenvironment as well.In TI's environment the standardized format for firmware build images which arethen flashable into hardware targets was a variant of Motorola SREC written in*.m0 files, a variant which we have named moko-style m0 after its most famoususer. The special quirk of this particular SREC variant is its peculiar byteorder. TI's firmware build system produces a *.m0 S-record image as its finalbuild product, and TI's official Calypso flash programming tool (FLUID) takesthese *.m0 files as its input.Since the beginning of FreeCalypso we have had two ways of flashing TI-builtfirmware images into suitable targets (initially OM GTA02 modem, then manyothers including our own FCDEV3B):1) Our fc-loadtool has had a flash program-m0 command from the beginning, programming device flash with bits from an m0 file directly and natively. However, prior to fc-host-tools-r12 this command was poorly supported: it ran significantly slower than flash program-bin, had poorer progress indication and did not perform CRC-32 verification at the end, which is an important integrity check. Also this original flash program-m0 command (as opposed to flash e-program-m0 added in fc-host-tools-r13) does not include a built-in erase step, thus prior to fc-host-tools-r13 the user had to have outside knowledge of how many sectors to erase first with a separate flash erase command. The new flash e-program-m0 command added in fc-host-tools-r13 is m0 image flashing finally done right. It reads in the specified S-record image in moko-style m0 format, builds a map of potentially discontiguous flash regions into which the image deposits bits, erases the set of flash sectors which need to be erased before programming these regions, then programs the new image bits into flash, exactly like TI's own FLUID.2) The alternative way is to first convert the *.m0 S-record image produced by TI's hex470 post-linker tool into straight binary (*.bin) with a FreeCalypso tool called mokosrec2bin, then program the binary fw image into flash with fc-loadtool command flash program-bin. This method is the one we've been using since 2017, and our FC Magnetite firmware build system is now set up to produce not only fwimage.m0, but also fwimage.bin (it runs mokosrec2bin), and it also generates an fc-loadtool command script (a text file named flash-script) with two commands in it: a flash erase command with a calculated sector address range and a flash program-bin command to program the accompanying fwimage.bin image.As of fc-host-tools-r13 both methods work equally well: if you have an officialFreeCalypso firmware release (containing fwimage.m0, fwimage.bin andflash-script files) which you need to flash into a device such as our ownFCDEV3B or OM GTA02 (but *not* Mot C1xx!), you can execute either'exec flash-script' or 'flash e-program-m0 fwimage.m0' at the loadtool> prompt,and both ways will produce exactly the same result with equal performance andreliability. And if you need a more special operation such as erasing theentire flash (factory production lines) or erasing and reprogramming only acertain part of the normally affected sector range, that's what custom commandscripting ability is for.For the sake of symmetry, we also have a flash e-program-bin command that is abinary image format counterpart to flash e-program-m0: it first erases thesectors into which new bits will be programmed, then programs the new bits.Thus a third equally good way to flash a new FreeCalypso fw release into atarget such as FCDEV3B or GTA02 is to execute'flash e-program-bin 0 fwimage.bin' - but don't *ever* do it on a Mot C1xxphone!Discontiguous m0 fw images with large gaps==========================================One sometimes-advantage of S-record-based formats over straight binary is thatthey can have discontiguous filled regions with gaps in between them; all m0 fwimages produced by TI's TCS211 build system have some gaps in them. In ourcurrent FC Magnetite firmwares these gaps have been reduced to less than 16384bytes in total, reducing the wasted disk space and image transfer time tosufficiently insignificant if these m0 images are converted to straight binarywith mokosrec2bin and then flashed as binary as we've been doing. Forcomparison, in Openmoko's classic mokoN firmwares (almost TI's original versionof the memory map) the first flash sector of 65536 bytes had only 5072 bytes ofimage payload programmed into it, thus indirect programming via mokosrec2binfollowed by flash program-bin meant sending just over 60k filler 0xFF bytes tobe flashed - becomes noticeable at 115200 baud.But these gaps were even bigger in TI's classic firmwares (and many vendorfirmwares) built for 8 MiB or 16 MiB flash chips with TI's classic memory map.They have two code regions: one region is exactly 4 MiB in size but is placednot quite at the beginning, thus spilling past the chip midpoint, and the otherregion starts where the first 4 MiB region ends, going to the end of the flashchip or to the beginning of the area reserved for FFS. The way TI's linkerworks results in the first of these two program regions being not quite fullbefore bits start getting thrown into the second one, thus the resulting m0image can easily have a gap of a megabyte or more between the two regions.TI's own FLUID handles such discontiguous images with no sweat, but ourfc-loadtool has gained matching capability only as of fc-host-tools-r13 withour new e-program-m0 command. And yes, it is smart enough to avoid needlesslyerasing sectors in the big gap, just like FLUID.Flash backup and restore========================A completely different paradigm takes place on alien targets such as MotorolaC1xx and Pirelli DP-L10, made by alien manufacturers, meaning not FreeCalypso,not Openmoko and not TI. The most important flash operation on these alientargets is making a flash dump; these dumps can then be used for forensics,reverse engineering, or simply as a backup. When we subsequently write toflash on these alien targets (after having saved a backup first), we are notflashing an m0 fw image or a binary image made from one with mokosrec2bin,instead the most common operations are:* Flashing a backup image back into the same device it was originally made from (flash restore);* Changing a device from one firmware version to a different one by programming its flash with firmware bits that were originally read out from some fw-donor unit;* Surgical manipulations such as erasing FFS sectors or rewriting one specific part of the flash based on reverse-engineered understanding of its structure.This different paradigm leads to a different mode of usage for fc-loadtool:instead of needing a maximally-automated operation that flashes a firmwarerelease image with as little user thought involvement as possible, our flashmanipulations need to be of a more manual peek-n-poke manner. We provide aflash dump2bin command for making and saving flash dumps first and foremost,allowing any part of the flash to be dumped and saved selectively if desired,including the second flash bank on the Pirelli DP-L10 and likewise on our ownFCDEV3B. When it comes to flash write operations, we provide a manual flasherase command that allows (and requires) the operator to specify exactly whichsector range should be erased and a manual flash program-bin command thatallows any range of 16-bit words to be programmed at any flash address, withthe bits to be programmed coming from a binary file, either the whole file orany specified subrange.These manual flash erase and flash program-bin commands give full control tothe operator, allowing every possible flash manipulation which the hardwareitself allows, at the expense of requiring the operator to think about whichflash addresses, offsets and lengths need to be operated on, and either enterlong commands manually or write a command script.Given our historical origins (long before we got to the point of producing ourown hardware, we started out by exploring the forbidden GSM realm of devicesmade by alien manufacturers who were hostile to our cause), our original flashmanipulation support in fc-loadtool had been centered around the manualpeek-n-poke paradigm, with elementary flash erase and flash program-bin commandsas our main staple, and no thought had been given originally to producingfunctionality that would work like FLUID or like our current flash e-program-m0and e-program-bin commands. But all actively maintained software evolves, andas our FreeCalypso family of projects has matured over the years, we now offerricher functionality covering a wider range of use cases.Binary vs. S-records====================(Please read the companion article Binary-file-formats for background, then come back here.)If you are exploring and manipulating the flash content of a GSM device in anaftermarket fashion, as opposed to flashing your own fw builds into your own hwdesign produced by your own company like Openmoko did in the late 2000s andlike we do currently at FreeCalypso HQ, then binary is the generally preferredformat: you make dumps with flash dump2bin, and when you selectively programthese images back into devices, you use flash program-bin with the right offsetsand length, along with appropriate flash erase commands.We also have flash dump2srec and flash program-srec commands in fc-loadtool,they were implemented back in the founding stage of FreeCalypso in 2013 for thesake of completeness and symmetry (it seemed right to support both binary andS-record formats), but they never got any practical use: if you are making aflash dump, you would normally want to examine it afterward, and any suchexamination almost always needs a straight binary image, not S-records.Furthermore, our flash program-bin command allows you to selectively programjust a particular portion of a binary image file into flash, at any arbitraryflash address, but we don't have the same flexibility with flash program-srec -the latter command is really just a sibling of program-m0 with the oppositebyte order.Thus the short summary is as follows:* If you are flashing an official firmware release image into your device, you need to use flash e-program-bin or flash e-program-m0 depending on whether the image is provided in *.bin or *.m0 format, or alternatively our older flash program-bin or flash program-m0 commands preceded by a separate flash erase command with the right sector range, possibly packaged in a supplied fc-loadtool command script.* If you are restoring a flash dump made with flash dump2bin or performing aftermarket flash manipulations on Mot C1xx or Pirelli DP-L10 phones or other such alien devices, you need to use binary-format-based flash manipulation commands; the specific commands will depend on exactly what you are seeking to do.* flash program-srec and e-program-srec commands do not currently have a valid use case.Special considerations for Compal phones========================================Motorola C1xx and Sony Ericsson J100 phones made by Compal have brickable flash:the right kind of flash-resident bootloader must always be present at thebeginning of the flash, or else the phone is unrecoverably bricked. We havespecial support in fc-loadtool for minimizing the bricking vulnerability windowwhen operating on these phones, but this special support requires usercooperation, meaning that you must limit your flash manipulations on thesephones to a narrower subset:* flash program-m0, program-srec, e-program-m0 and e-program-srec commands are not appropriate for these brickable phones - do not use any of these commands on these targets.* Flash sector 0 must be manipulated only with the special flash erase-program-boot command, not any of the regular erase or program commands.* Regular flash erase, flash program-bin and flash e-program-bin commands can and should be used for the rest of the flash starting at offset 0x10000 - but you still need to understand what you are doing.
