This writeup describes the replacement of the C139's stock firmware with a preview release from the freecalypso project. It's important to note that the freecalypso port to the C139 is currently (November 2015) very much a work in progress. This release is not ready for the end user; it's known that battery charging does not work, the screen does not switch off and the GUI is prone to crash. Nevertheless, even in the current state, it is possible to place and receive calls and exchange SMS messages. To try this firmware on something other than your main phone, you will need a PC running GNU/Linux or some other Unix-like system and a T191 unlock cable to connect your C139's audio jack to the PC's USB port.
There are various suggested sources for the T191 unlock cable at the osmocomBB site, but as of January 2016 official FreeCalypso branded cables are available from George at UberWaves. Please consider supporting this supplier by ordering from uberwaves@gmail.com.
This firmware can be considered a cousin to the stable leo2moko release for the OpenMoko neofreerunner. There are considerable additional developmental challenges for the C139 in that (for instance) the calypso firmware for this model is responsible for driving the GUI. The chosen solution is to piece together code from two separate dumpster truck recovered versions of TI's official firmware. The project's goal to dispense with TI's compiler and switch to GCC has not been realized in this release, but a compiled binary is available if, like me, you want to avoid the necessity of a wine install on the PC.
If you want to compile the replacement firmware from source code, you'll need a wine setup on the PC to run TI's compiler. If, like me, you want to duck this step, there is a binary release. See here if you do want to compile from source code.
The latest version of fc-host-tools is here.
You will need a build environment on your PC to compile the fc-host-tools suite of utilities. In case you used earlier releases of freecalypso tools to flash the neofreerunner, it's important to know that the fc-loadtool utility is now included in the fc-host-tools release. This version of fc-loadtool supersedes earlier releases; it is a requirement for working with the C139 and retains functionality needed for the neofreerunner.
Only a couple of the utilities are needed for flashing the firmware by end users and neither of these has external dependencies. To avoid compilation problems due to missing libraries, edit the third line of rvinterf/etmsync/Makefile:-
PROGS= fc-dspapidump fc-fsio fc-getpirimei fc-pirhackinit
to be
PROGS= fc-dspapidump fc-fsio
The usual make and make install commands will put the compiled fc-host-tools in the /usr/local directory tree.
Decompress the binary release and open a terminal window in the directory where you put this.
The warning being that the C139 is eminently and permanently brickable if the commands at the loadtool> prompt are not issued correctly.
In the near future there will be three possible separate scenarios for this flash operation:-
This describes the first scenario in full, but notes situations in which certain steps should be omitted.
In the terminal window opened in the directory that contains the firmware run the command (assuming the PC allocates /dev/ttyUSB0 to the phone)
fc-loadtool -h compal -c 1003 /dev/ttyUSB0
you will see this output:-
root@mapoko # fc-loadtool -h compal -c 1003 /dev/ttyUSB0
Using Compal stage image /usr/local/share/freecalypso/compalstage-1003.bin
Waiting for PROMPT1 from target (/dev/ttyUSB0) at 115200 baud
At this point press the red power button and terminal output will continue; in full you should see:-
root@mapoko # fc-loadtool -h compal -c 1003 /dev/ttyUSB0
Using Compal stage image /usr/local/share/freecalypso/compalstage-1003.bin
Waiting for PROMPT1 from target (/dev/ttyUSB0) at 115200 baud
Received PROMPT1, sending download command
Received PROMPT2, sending download image
Received ACK; downloaded image should now be running!
Sending beacons to /dev/ttyUSB0
Got beacon response, attempting download
<p command successful, switching to 115200 baud
Sending image payload
...................................................................
................Sending checksum
<c command successful, sending <b
<b command successful: downloaded image should now be running!
FreeCalypso loadagent running
Loaded via UART 0 (MODEM) at baud rate #0
TCXO clock input autodetected to be 26 MHz
Executing init script compal.init
Script command: w16 fffffb00 00A3
Script command: w16 fffffb02 00A3
Script command: w16 fffffb10 0300
loadtool>
The -c 1003 switch can be omitted if this is an upgrade and the freecalypso bootloader has already been installed. Although doing this improves the efficiency of fc-loadtool a little, it is harmless to retain it whatever the C139's firmware status.
This is a sane precaution even if you think you will never want to revert to original firmware. At the loadtool> prompt:-
flash dump2bin my_c139.bin
This command will take 10 to 15 minutes to complete; the output in the terminal should appear thus:-
loadtool> flash dump2bin my_c139.bin
Performing CFI query
CFI query successful: total size 400000, 71 sectors, command set style 0003
Requesting initial CRC-32 of the area from target... got B2CC218D
Requesting memory dump...
Rx 4194304 out of 4194304 bytes (100%)
Requesting another CRC-32 of the area from target... match, dump successful
loadtool>
At this point you could issue an exit command at the loadtool> prompt, thus powering off the phone with original firmware still in place. Although this howto continues to be split into sections, from here on consider this to be a single job to be completed uninterrupted at least up to the point where all work at the loadtool prompt has been done.
Continue at the loadtool> prompt with
flash erase-program-boot compal-flash-boot-for-fc.bin
loadtool> flash erase-program-boot compal-flash-boot-for-fc.bin
Performing CFI query
CFI query successful: total size 400000, 71 sectors, command set style 0003
Loading new boot code into target RAM at 820000
.................................
Verifying CRC-32 in target RAM
match (05ED5A80)
Commanding flash erase+program operation on the target
Operation complete, final SR: 80
This stage should be omitted in a freecalypso to freecalypso upgrade (the second scenario), but is essential in the other two scenarios.
This step will be necessary in all of our three scenarios; again at the loadtool> prompt:-
flash erase 10000 290000
followed by
flash program-bin 10000 mfw-build.progbin
loadtool> flash erase 10000 290000
Erasing 41 sector(s)
.........................................
loadtool> flash program-bin 10000 mfw-build.progbin
Setting flash base address: INFB 0
Clearing Intel flash SR
Programming flash: 2662648 (0x28a0f8) bytes
0x28a0f8 bytes programmed (100%)
Verifying CRC-32 of programmed flash area
match (7B19FF5E)
As with the original firmware image backup step, this will take a number of minutes to complete.
Once more at the loadtool> prompt:-
flash erase 3C0000 30000
loadtool> flash erase 3C0000 30000
Erasing 3 sector(s)
...
This step should never be necessary more than once; even if you reverted to the original stock firmware after an earlier freecalypso install, the freecalypso flash file system will remain in place.
Now close the loadtool session with an exit command which also powers off the phone. Note that to this point, throughout the loadtool session, there is no output on the phone's LCD screen. It is here that it is safe to take a break if desired.
Once again, it should never be necessary to repeat this step, it only being required in our first scenario. However, if the previous flash erase command was inadvertently run a second time, that error is recoverable by also repeating the initializations in this section.
The phone can be disconnected from the unlock cable, but the SIM should remain removed. Power on the phone; the LCD screen should light up and stop at an Insert SIM message. Rather than do that, reconnect the unlock cable if it was disconnected and run the fc-fsio utility:-
fc-fsio -p /dev/ttyUSB0
We now format the flash file system and create directories in it with these commands at the fsio> prompt, which should complete without output:-
format /
and
mk-std-dirs
The IMEISV is a 16 digit number that supposedly uniquely identifies your handset; this is not the place to discuss the merits or otherwise of deviating from the factory set one you should have noted earlier. It may be only 14 or 15 digits long, in which case pad with 0s at the end as necessary. Until this step the handset has no IMEISV as far as the freecalypso firmware is concerned and that must be fixed before powering up with the SIM inserted. At the fsio> prompt:-
set-imeisv fc XXXXXXXX-YYYYYY-ZZ
The punctuating hyphens are optional and can be placed anywhere - note that below I've edited the actual command and its output for privacy reasons :-)
fsio> set-imeisv fc XXXXXXXX-YYYYYY-ZZ
Writing "XX XX XX XX YY YY YY ZZ" into /etc/IMEISV
In addition to lacking knowledge of the factory set IMEISV, the freecalypso firmware does not know if you have an EU or US model. The appropriate commands are:-
fsio> set-rfcap dual-eu
Writing "00 0B 41 00 00 00 00 00 50 00 00 A5 05 00 C0 00" into /gsm/com/
Issue an exit command at the fsio> prompt and power off the phone by holding down the red button. Insert the SIM and power the phone up, at which point it should connect to the network as normal.
You must of course have taken a backup prior to installing freecalypso. Despite doing that myself I have no intention to revert to the original firmware (currently I'm testing freecalypso on a spare C139), so for the sake of completion I'll finish with the lead developer's notes on how this should be done at a loadtool> prompt.
flash erase-program-boot my_c139.bin 10000
flash erase 10000 360000
flash program-bin 10000 my_c139.bin 10000 360000
The net effect of these 3 commands is that the first 0x370000 bytes of
the flash (the region which Mot/Compal allocated for the firmware
image - as opposed to FFS or other data - on this hw model) will be
reprogrammed with the bits from the backup file.
I recommend this particular command sequence (reflashing the initial 0x10000 bytes first with flash erase-program-boot, then the rest of the fw image with regular flash erase and flash program-bin commands) because restoring an original fw after FreeCalypso requires reflashing the dangerous boot sector, hence flash erase-program-boot is called for safety.
Doing the entire sector (0x10000 bytes) with flash erase-program-boot rather than just 0x2000 (the length of the boot code) is recommended for less technical users who may not know the detailed characteristics of the specific proprietary fw version they are restoring. If that specific fw version happens to have a "bad" bootloader that checks the word at 0x2060 for the 0xDDDDDDDD magic, then the window of bricking vulnerability extends past 0x2000 up to that 0x2060 word.
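A pre-flight consistency check for the loadtool command sequences used in this writeup (the install steps and the quoted restore notes), added here as an example; it is not part of the original writeup or of fc-host-tools. The sector geometry (63 sectors of 0x10000 followed by 8 of 0x2000, which matches the 71 sectors the CFI query reports) and the size of the boot image are assumptions; every other number is taken from the output shown above.

```python
# Added example: numbers come from the loadtool output quoted on this page.
FLASH_SIZE = 0x400000   # "total size 400000" from the CFI query
BOOT_END = 0x10000      # first sector, the one the quoted notes call dangerous
# Assumed geometry: 63 sectors of 0x10000, then 8 of 0x2000 at the top (71 total).
SECTORS = [i * 0x10000 for i in range(63)] + [0x3F0000 + i * 0x2000 for i in range(8)]

def sectors_erased(start, length):
    """Count sectors whose start address lies in [start, start + length)."""
    return sum(1 for s in SECTORS if start <= s < start + length)

def check_plan(commands, file_sizes):
    """Return a list of problems in a sequence of loadtool flash commands."""
    bounds = set(SECTORS) | {FLASH_SIZE}
    erased, problems = [], []
    for line in commands:
        w = line.split()
        nums = [int(x, 16) for x in w[2:] if x not in file_sizes]  # args are hex
        if w[1] == "erase":
            start, end = nums[0], nums[0] + nums[1]
            if start not in bounds or end not in bounds:
                problems.append(f"{line}: not aligned to sector boundaries")
            if start < BOOT_END:
                problems.append(f"{line}: plain erase touches the boot sector")
            erased.append((start, end))
        elif w[1] == "erase-program-boot":
            length = nums[0] if nums else file_sizes[w[2]]
            if length > BOOT_END:
                problems.append(f"{line}: writes past the boot sector")
        elif w[1] == "program-bin":
            start, name = nums[0], w[3]
            offset = nums[1] if len(nums) > 1 else 0
            length = nums[2] if len(nums) > 2 else file_sizes[name] - offset
            if offset + length > file_sizes[name]:
                problems.append(f"{line}: reads past the end of {name}")
            if not any(s <= start and start + length <= e for s, e in erased):
                problems.append(f"{line}: target range was not erased first")
    return problems

SIZES = {"compal-flash-boot-for-fc.bin": 0x2000,  # assumed; size not given on the page
         "mfw-build.progbin": 2662648,            # from the program-bin output
         "my_c139.bin": 4194304}                  # from the dump2bin output
INSTALL = ["flash erase-program-boot compal-flash-boot-for-fc.bin",
           "flash erase 10000 290000", "flash program-bin 10000 mfw-build.progbin",
           "flash erase 3C0000 30000"]
RESTORE = ["flash erase-program-boot my_c139.bin 10000", "flash erase 10000 360000",
           "flash program-bin 10000 my_c139.bin 10000 360000"]

if __name__ == "__main__":
    print({n: check_plan(p, SIZES) for n, p in (("install", INSTALL), ("restore", RESTORE))})
```

An empty list for a plan means every erase is sector aligned, the boot sector is only touched by erase-program-boot, and each programmed range was erased first.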