Pirelli DP-L10 OTA firmware update procedure

Mychaela Falconia falcon at freecalypso.org
Tue Jan 9 22:26:20 UTC 2024


Hi Vadim,

> I was curious about the OTA firmware update procedure, which is 
> supported by the stock firmware of Pirelli DP-L10 (a.k.a. Arcor Twintel 
> DP-L10, a.k.a. Telekom TC-300, ...).  Mychaela documented some of her 
> assumptions about the OTA procedure here:
>
> ftp://ftp.freecalypso.org/pub/GSM/Pirelli/fwupdate-magic.zip
>
> but IIRC, she had no experience doing it herself.

Correct: I did some disassembly of Foxconn/Pirelli's extra flash-resident
bootloader stage (responsible for decompressing OTA fw updates and
making them live) and I found interesting bits in these "magic1" and
"magic2" flash areas in one of the phone specimen I got (published in
the linked ZIP file from 2014), but I never attempted any kind of
active experiment.

> Today I found an article, explaining the process:
> [...]
> Thanks to this article (and to archive.org), I was able to perform the 
> firmware upgrade over WiFi myself on one of my Pirelli phones.

Thank you for the entertaining discovery!

> Additionally, I documented some secret codes supported by the stock 
> firmware here:
>
> https://osmocom.org/projects/baseband/wiki/PirelliDPL10#MMI-codes

Thanks, I use some of these MMI codes on my "everyday" Pirelli phones,
so let me comment further on some of them:

*36446337464#: Pirelli's help screen lists it as "Not use now", but it
still works.  The code spells "*engineering#", and it is the original
engineering mode menu from TI's TCS211 reference fw.  You can see info
about your current serving cell (ARFCN, RSSI, TA etc), info about
neighbor cells and the operator-controlled interval between periodic
location updates (LUP).  The screen that shows neighbor cell info looks
poor on this phone because it was designed by TI for their larger
176x220 pixel LCD (on D-Sample), and Foxconn/Pirelli never changed it
for their smaller LCD, but it is better than nothing.  I use this
debug menu all the time when checking GSM coverage quality in places
I visit, like Mexico. :)

###520# version display: the MMI code once again comes from TI's TCS211
reference fw.

###800# engineering mode: this MMI code, introduced by Foxconn/Pirelli,
is their "official" way, replacing TI's *36446337464# code.  But it
works differently: it sets a state bit that enables additional entries
in menus, and one of the newly accessible menu entries is the "old"
(from TI) engineering mode menu.  Also when this "long-lasting"
engineering mode enable flag is set (it is set with ###800# and cleared
with ###801#), the volume-down button on the idle home screen acquires
a new function: it displays some additional debug screens, and one of
them (charging process state) does not seem to be accessible in any
other way.

M~


More information about the Community mailing list