comparison README @ 29:132b3e230631
README written for tcs211-c139
| author | Mychaela Falconia <falcon@ivan.Harhan.ORG> |
|---|---|
| date | Sun, 01 Nov 2015 19:39:44 +0000 |
| parents | 3e89489a43b3 |
| children | 52325cb524a8 |
comparison
| 28:fcaacf995636 | 29:132b3e230631 |
|---|---|
| 1 This is a special debug version of leo2moko intended for use by FreeCalypso | 1 This semi-source tree contains a hacked version of TI's TCS211 firmware that |
| 2 developers only; it does not provide any additional features for Freerunner | 2 has been made to run on the Motorola C139. The UI part of TI's reference fw |
| 3 users beyond standard leo2moko-r1 aka moko12; non-developer users are advised | 3 has not been ported over yet, hence the version presented here currently builds |
| 4 to stay with the just-mentioned stable release. | 4 and works only in the modem-like ACI configuration, i.e., control via AT |
| 5 commands only. | |
| 5 | 6 |
| 6 The primary intended use of this debug fw version is to enable FreeCalypso | 7 TI's original fw was/is designed to make use of two UARTs, one for the classic |
| 7 developers to troubleshoot misbehavior in our current gcc-built fw version | 8 AT command interface and the other for their RVTMUX debug/calibration/etc |
| 8 by comparing the operation of the fw against a known working reference; | 9 interface. Unfortunately though, our present target hw has only one UART |
| 9 the debug features added in this version are: | 10 practically accessible (Calypso's MODEM UART brought out on the headset jack), |
| 11 thus the classic AT command interface had to be sacrificed. Instead the AT | |
| 12 command interface (which is currently the only way to control the GSM | |
| 13 functionality in the absence of a UI ported to the present target) needs to be | |
| 14 accessed through the RVTMUX binary packet interface using FreeCalypso host | |
| 15 tools rvinterf and fc-shell. | |
| 10 | 16 |
| 11 * Same AT-over-RVTMUX mechanism as implemented in FreeCalypso mainline; | 17 The present fw has been built from a semi-src (half source, half binary objects) |
| 18 TI firmware release which was made for some manufacturer that made GSM/GPRS | |
| 19 modems, rather than voice handsets, hence the present configuration is | |
| 20 unfortunately highly suboptimal for our use case. The entire mass of code | |
| 21 supporting CSD, fax and GPRS data services is included and cannot be removed | |
| 22 because that part of the fw is in binary blobs, but all this code is pure dead | |
| 23 weight in the present configuration: the phone UI layer (when we get around to | |
| 24 porting it) won't make any use of data functionality (nowhere near enough | |
| 25 resources on this hw to implement a WAP browser or MMS), and because we had to | |
| 26 give up the standard AT command channel, the option of having the phone dual- | |
| 27 function as a laptop-tethered modem is not available either. | |
| 12 | 28 |
| 13 * ETM FFS access protocol changed from TMFFS1 (used by some TI Windows tools, | 29 Building the present firmware from semi-source requires using a Wine environment |
| 14 apparently) to TMFFS2 (the version adopted for FreeCalypso) to allow the | 30 to run TI's proprietary compiler toolchain and other build tools which exist |
| 15 flash file system to be manipulated with fc-fsio while this fw is running. | 31 only as M$ Windows binaries. The necessary environment can be downloaded here: |
| 16 | 32 |
| 17 * The pf_TaskEntry() function in the guts of GPF has been patched to not | 33 ftp://ftp.freecalypso.org/pub/GSM/TI_src/wine/ |
| 18 disable system traces. Verbose traces from various entities still need | 34 |
| 19 to be enabled explicitly, but the expected responses to sysprim commands | 35 You will also need the mokosrec2bin utility, which is needed for one of the |
| 20 are no longer suppressed. | 36 finishing steps in generating an image that can be usefully flashed into a C139: |
| 37 | |
| 38 ftp://ftp.freecalypso.org/pub/GSM/GTA02/gsm-fw/mokosrec2bin.c | |
| 39 | |
| 40 Once you have the necessary build tools installed, you should be able to | |
| 41 compile the present fw by running first winebuild.sh, then copyout.sh in the | |
| 42 g23m subdirectory. Then you can flash this firmware you just built into an | |
| 43 actual C139 phone with FreeCalypso host tool fc-loadtool. Flash sector 0 (the | |
| 44 brickable boot sector) needs to contain our patched bootloader version | |
| 45 compal-flash-boot-for-fc.bin (this brickable sector only needs to be rewritten | |
| 46 once when first installing some FreeCalypso fw on the phone; no need to touch | |
| 47 this dangerous sector on subsequent updates from one FC fw version to another), | |
| 48 and the main fw image needs to be flashed starting at 0x10000. The image to | |
| 49 flash is aci-build.progbin - it has TI's bootloader code stripped off, as we | |
| 50 are using compal-flash-boot-for-fc instead. | |
| 51 | |
| 52 The phones in question have a data structure in flash at 0x3FC000 (in an 8 KiB | |
| 53 short sector) that must contain factory programming, including each phone's | |
| 54 unique IMEI and RF calibration values. However, we don't understand how to | |
| 55 grok this data structure. Therefore, our firmware features the following | |
| 56 points of inconvenience: | |
| 57 | |
| 58 * You have to set your own IMEI. It's entirely up to you whether you set the | |
| 59 same IMEI as the phone had originally or a different one, but our fw has no | |
| 60 way of reading the original from Mot/Compal's factory flash programming. | |
| 61 You probably won't be able to connect to a live commercial GSM network until | |
| 62 you set some IMEISV which the network will accept as valid. | |
| 63 | |
| 64 * Because Mot/Compal stored their RF calibration values in some format | |
| 65 (different from TI's) which we can't grok, a phone running our aftermarket fw | |
| 66 will run UNCALIBRATED. It may have difficulty connecting to networks if it | |
| 67 can't acquire the frequency burst lacking VCXO calibration, and the Tx power | |
| 68 levels are almost certainly wrong (out of spec) - BEWARE! | |
| 69 | |
| 70 * Our fw does not even know whether your C139 is the 900+1800 MHz version or | |
| 71 850+1900 MHz. You will need to set the correct rfcap configuration at the | |
| 72 same time when you set your IMEISV. | |
| 73 | |
| 74 Flashing and usage instructions | |
| 75 =============================== | |
| 76 | |
| 77 If you are not scared off by all of the above and you still wish to try this | |
| 78 experimental fw on your C139, you can install it as follows: | |
| 79 | |
| 80 1. Connect to the phone with fc-loadtool, preceded by tfc139 if necessary - | |
| 81 see loadtools documentation. | |
| 82 | |
| 83 2. If the C139 in question does not already have some other FreeCalypso fw | |
| 84 version in its flash, replace the bootloader: | |
| 85 | |
| 86 loadtool> flash erase-program-boot compal-flash-boot-for-fc.bin | |
| 87 | |
| 88 3. Flash the main fw image: | |
| 89 | |
| 90 loadtool> flash erase 10000 220000 | |
| 91 loadtool> flash program-bin 10000 aci-build.progbin | |
| 92 | |
| 93 (If your serial cable setup supports the special GSM high baud rates, | |
| 94 you can speed the process up by issuing a baud 406250 or baud 812500 | |
| 95 command first.) | |
| 96 | |
| 97 4. Erase the sectors where our firmware's non-volatile flash file system | |
| 98 (aftermarket FFS configuration) will reside: | |
| 99 | |
| 100 loadtool> flash erase 3C0000 30000 | |
| 101 | |
| 102 5. Cleanly end your fc-loadtool session, which will power the phone off: | |
| 103 | |
| 104 loadtool> exit | |
| 105 | |
| 106 Now your phone has FreeCalypso firmware in its flash, but it no longer works | |
| 107 as a "normal" phone. Gotchas to be aware of: | |
| 108 | |
| 109 * Mot/Compal's original firmwares (like all other production phone fws) | |
| 110 implement on a guard on the power-on button: you have to hold it down for a | |
| 111 little while to confirm that you really mean to power the phone on; a | |
| 112 momentary press of the power-on button is interpreted as spurious by standard | |
| 113 fws, and they power the phone back off. However, the present hack-fw has no | |
| 114 such guard, hence even a momentary press of the power-on button will launch | |
| 115 the firmware into full boot. | |
| 116 | |
| 117 * Because our present fw has no UI, the LCD will remain dark and the buttons | |
| 118 won't do anything. A momentary press of the power button will turn the phone | |
| 119 on, but you won't know that it's on - it will just silently and invisibly eat | |
| 120 the battery. Furthermore, the only way to power it off (aside from yanking | |
| 121 the battery) is to connect a serial cable and send a poweroff command via | |
| 122 fc-shell - there is no way to command a power-off from the keypad. (Pressing | |
| 123 and holding the power button produces some kind of hang or crash - to be | |
| 124 investigated - instead of a proper power-off.) | |
| 125 | |
| 126 * The present fw includes TI's LCC (low-cost charger) code that came with | |
| 127 TCS211, but it is not clear whether or not this code drives the charging | |
| 128 circuitry correctly for Mot/Compal's hardware. Therefore, plan on having | |
| 129 the phone with FC firmware draining batteries only, and have another phone | |
| 130 running official fw (or a standalone charger) to charge them back up. | |
| 131 | |
| 132 What all of these gotchas practically mean is that the phone with FC fw in it | |
| 133 should not have a battery inserted on a regular basis; instead you should use | |
| 134 it as follows: | |
| 135 | |
| 136 1. Begin each FC hacking session by inserting the SIM you wish to use, then | |
| 137 inserting the battery - but don't touch the power button yet. | |
| 138 | |
| 139 2. Connect the serial cable and run rvinterf on your host. | |
| 140 | |
| 141 3. Press the power button, and see the firmware boot output in the rvinterf | |
| 142 window. | |
| 143 | |
| 144 4. Run fc-shell, fc-fsio, fc-tmsh etc as desired during your hacking session. | |
| 145 | |
| 146 5. End the session by yanking the battery, killing rvinterf and stowing away | |
| 147 your serial cable. | |
| 148 | |
| 149 First session | |
| 150 ============= | |
| 151 | |
| 152 Remember the notes above regarding this fw not being able to read the factory | |
| 153 IMEI record? That's right, you'll need to set your own IMEISV. Furthermore, | |
| 154 because we are using our own "aftermarket" FFS configuration for non-volatile | |
| 155 data storage (you erased the flash sectors to be used for this FFS when you | |
| 156 flashed the fw with fc-loadtool, or at least you should have), this FFS needs | |
| 157 to be initialized before the fw can function correctly. | |
| 158 | |
| 159 Initialize your FFS as follows: | |
| 160 | |
| 161 1. Connect the serial cable, run rvinterf and boot the fw as above. | |
| 162 | |
| 163 2. Before you try issuing any AT commands via fc-shell, run fc-fsio first. | |
| 164 | |
| 165 3. Initialize the FFS via fc-fsio as follows: | |
| 166 | |
| 167 fsio> format / | |
| 168 fsio> mk-std-dirs | |
| 169 fsio> set-imeisv fc XXXXXXXX-YYYYYY-ZZ (punctuation optional, place anywhere) | |
| 170 fsio> set-rfcap dual-eu (if you have 900+1800 MHz hardware) | |
| 171 or | |
| 172 fsio> set-rfcap dual-us (if you have 850+1900 MHz hardware) | |
| 173 | |
| 174 After the above steps, you can exit fc-fsio (or leave it running), run fc-shell | |
| 175 and exercise the GSM MS via AT commands - try connecting to a network! With my | |
| 176 US band C139 (former Tracfone, now a Crackfone) on Operator 310260's network, | |
| 177 both voice calls and SMS work like a charm. YMMV. |
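Review bot: The two download pointers at new lines 33 and 38 are plain ftp:// URLs with no checksum or signature beside them, so a reader has no way to confirm that the Wine toolchain bundle and mokosrec2bin.c they fetched are the intended files, and both go into producing the image that gets flashed. Suggest listing a SHA-256 for each file next to its URL, or committing mokosrec2bin.c into this tree since it is a single source file.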
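Review bot: The install steps at new lines 80-104 go straight to "flash erase-program-boot" and the two "flash erase" commands without first telling the reader to save a copy of the phone's original flash. New lines 52-55 say the factory record at 0x3FC000 holds each phone's unique IMEI and RF calibration values and cannot be parsed yet, so a dump taken before step 2 is the only way to keep that data for later use or to go back to the original firmware. It would also help to state next to step 4 that "flash erase 3C0000 30000" ends at 0x3EFFFF and must not be extended into the 0x3FC000 sector.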
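Review bot: Typo at new line 110: "implement on a guard on the power-on button" should read "implement a guard on the power-on button". In the same list, new lines 126-130 leave open whether the LCC code drives the charging circuitry correctly on this hardware; since that affects whether it is safe to leave a battery in a flashed phone on a charger, suggest also mentioning it in the list of inconveniences at new lines 58-72 so it is read before the flashing instructions rather than after them.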
