Sony Ericsson K200i with SAMSUNG flash

Mychaela Falconia falcon at freecalypso.org
Fri Dec 1 08:47:32 UTC 2023


Hi Vadim and community,

> I acquired another SE K200i and picked it up from the local post 
> department today.  It's the third K200i in my collection, and this new 
> phone is a bit different from the two that I already have.
> [...]
> * SAMSUNG K5L29xx_A flash (according to fc-loadtool), not SPANSION 
> S71PL129, which we already saw.

Of the two K2x0 phones I got (one K200i and one K220i), both have
Samsung K5L2931CAM flash+RAM MCP - thus I never got one with Spansion
S71PL129NB0.

> * The IMEI reported by the phone starts with the '35617701' prefix we 
> saw, but the label behind the battery has a completely different IMEI 
> with a different prefix '35871701'.

A refurbished phone with mismatched plastic case and motherboard?

> The only difference between R1AA003 and R1AA008 I could find so far is 
> AMR codec support: the former does not list it in the hidden "Service" 
> menu.  We can compare further by looking at the MS Classmark bits.

Can you please remind me exactly which MS Classmark bits indicate AMR
codec support?  I thought this info wasn't present in any Classmark; I
thought you had to make a test call and look at the speech version list
in the Bearer capability IE in the CC Setup message to get this info -
please clarify.  In any case, I would find it rather shocking to see
*any* fw from the late-Calypso era that disables AMR.  Referring to my
last OsmoDevCall presentation...

> Similarly to the ones with SPANSION flash, erasing the first flash bank 
> fails (the bootloader/IMEI protection?):
>
> loadtool> flash erase 0x00 0x800000
> Erasing 135 sector(s)
> erase timeout, aborting

Intrigued by the presence of this write-protection (which we haven't
encountered in any other Calypso GSM device until now), I took the
time to thoroughly study various flash datasheets.  I got interesting
news: on both Spansion and Samsung flash chips that are used in these
SE K2x0 phones, the implemented sector write-protection scheme is much
more sophisticated than I remembered, and it isn't fixed in hardware
with high-voltage programming equipment - we can actually lock and
unlock sectors via software commands!

On traditional AMD flashes, the kind I worked on for the first time
right around 24 years ago, the only way to change sector lock/unlock
state was to apply 12V to some pin and feed raw program/erase pulses to
the chip - an operation which only an external device programmer can do,
not something that can be done on a chip inside a system.  But the
newer Spansion and Samsung flashes that matter for us here still have
non-volatile bits that control sector lock/unlock state (write-protected
or not), but there is no longer a high-voltage circuit requirement -
everything is programmed under regular in-circuit conditions.  There are
several different security schemes available: under some security
schemes it is indeed impossible to unlock sectors (irreversible
write-protection in hardware), but under other security schemes it *is*
possible to unlock write-protected sectors via sw commands!

Please pull my latest code from freecalypso-tools Hg repository -
fc-loadtool got a new 'flash lock-state' command which I just now
implemented and haven't documented yet.  Please run these commands on
your SE K2x0 phones (both Spansion and Samsung flash versions) and
share the results:

flash lock-state
flash2 lock-state

These commands read and report the current state of all sector locking
and security policy bits in the flash chip; based on the results, we
should be able to tell if we can unlock all of the flash in software.

M~
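Added example, not part of the message above and not fc-loadtool's own
code: a small C model of the 8 MiB flash bank that shows where the
"Erasing 135 sector(s)" figure in the quoted loadtool output comes from,
and how an erase request is checked against sector boundaries before
the sector lock state even comes into play.  The bank layout (eight 8
KiB boot sectors at the bottom followed by 127 uniform 64 KiB sectors)
is an assumption chosen because it is the bottom-boot split that adds
up to exactly 8 MiB and 135 sectors; it is not taken from any datasheet
cited on this page, and the function and macro names are made up for
the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed bank layout (not from the page or any datasheet on it): one
 * 8 MiB bank made of eight 8 KiB boot sectors at the bottom followed by
 * 127 uniform 64 KiB sectors.  8*8K + 127*64K = 8 MiB, which is the
 * bottom-boot split that yields the 135 sectors fc-loadtool reported
 * for an erase of 0x0..0x800000. */
#define BOOT_SECTORS      8
#define BOOT_SECTOR_SIZE  0x2000u
#define MAIN_SECTORS      127
#define MAIN_SECTOR_SIZE  0x10000u
#define BANK_SIZE         0x800000u

/* Size of the sector that starts at 'addr', or 0 if 'addr' is not a
 * sector boundary inside the bank. */
static uint32_t sector_size_at(uint32_t addr)
{
    if (addr >= BANK_SIZE)
        return 0;
    if (addr < BOOT_SECTORS * BOOT_SECTOR_SIZE)
        return (addr % BOOT_SECTOR_SIZE) ? 0 : BOOT_SECTOR_SIZE;
    return (addr % MAIN_SECTOR_SIZE) ? 0 : MAIN_SECTOR_SIZE;
}

/* Count the sectors covered by the erase range [start, start+len).
 * Returns -1 when the range does not start and end on sector
 * boundaries or runs past the bank, mirroring a loader that refuses a
 * misaligned erase instead of silently widening it. */
int erase_sector_count(uint32_t start, uint32_t len)
{
    uint32_t addr = start, end;
    int n = 0;

    if (len == 0 || start > BANK_SIZE - len)
        return -1;
    end = start + len;
    while (addr < end) {
        uint32_t sz = sector_size_at(addr);
        if (sz == 0 || addr + sz > end)
            return -1;      /* start or end not on a sector boundary */
        addr += sz;
        n++;
    }
    return n;
}

int main(void)
{
    /* Same request as in the quoted loadtool session. */
    printf("0x%06x..0x%06x: %d sector(s)\n", 0u, BANK_SIZE,
           erase_sector_count(0, BANK_SIZE));
    /* Only the boot sector block. */
    printf("0x%06x..0x%06x: %d sector(s)\n", 0u,
           BOOT_SECTORS * BOOT_SECTOR_SIZE,
           erase_sector_count(0, BOOT_SECTORS * BOOT_SECTOR_SIZE));
    /* Misaligned: cuts a 64 KiB sector in half, rejected with -1. */
    printf("0x%06x..0x%06x: %d\n", 0x10000u, 0x18000u,
           erase_sector_count(0x10000, 0x8000));
    return 0;
}
```

The sector walk is the part worth keeping around: once the lock-state
command tells you which sectors are protected, the same loop can be
used to report exactly which sector an erase would stall on instead of
waiting for the whole-range erase to time out.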

