Sony Ericsson K200i with SAMSUNG flash

Vadim Yanitskiy axilirator at gmail.com
Fri Dec 1 10:33:05 UTC 2023


Hi Mychaela,

On 01.12.2023 15:47, Mychaela Falconia wrote:
>> * The IMEI reported by the phone starts with the '35617701' prefix we
>> saw, but the label behind the battery has a completely different IMEI
>> with a different prefix '35871701'.
> A refurbished phone with mismatched plastic case and motherboard?

most likely.  Though the new phone is in a rather sad condition: 
multiple cracks, something is dangling inside when I shake it.

>> The only difference between R1AA003 and R1AA008 I could find so far is
>> AMR codec support: the former does not list it in the hidden "Service"
>> menu.  We can compare further by looking at the MS Classmark bits.
> Can you please remind me exactly which MS Classmark bits indicate AMR
> codec support?  I thought this info wasn't present in any Classmark, I
> thought you had to make a test call and look at the speech version list
> in the Bearer capability IE in the CC Setup message to get this info -
> please clarify.  In any case, I would find it rather shocking to see *any*
> fw from late-Calypso era that disables AMR.  Referring to my last
> OsmoDevCall presentation...

Of course the MS Classmark does not contain any bits related to the 
codec support.  I meant to say the Bearer Capability, but wrote this 
instead.  In any case, for the sake of completeness, I will compare both 
the Bearer Capability and the Classmark between those firmware versions 
and post my findings here soon.

> Intrigued by the presence of this write-protection (which we haven't
> encountered in any other Calypso GSM device until now), I took the
> time to thoroughly study various flash datasheets.  I got interesting
> news: on both Spansion and Samsung flash chips that are used in these
> SE K2x0 phones, the implemented sector write-protection scheme is much
> more sophisticated than I remembered, and it isn't fixed in hardware
> with high-voltage programming equipment - we can actually lock and
> unlock sectors via software commands!
> 
> On traditional AMD flashes, the kind I worked on for the first time
> right around 24 y ago, the only way to change sector lock/unlock state
> was to apply 12V to some pin and feed raw program/erase pulses to the
> chip - an operation which only an external device programmer can do,
> not something that can be done on a chip inside a system.  But the
> newer Spansion and Samsung flashes that matter for us here, they still
> have non-volatile bits that control sector lock/unlock state (write-
> protected or not), but there is no more high-voltage circuit
> requirement - everything is programmed under regular in-circuit
> conditions.  There are several different security schemes available:
> under some security schemes it is indeed impossible to unlock sectors
> (irreversible write-protection in hardware), but under other security
> schemes it *is* possible to unlock write-protected sectors via sw
> commands!

Very interesting!

> Please pull my latest code from freecalypso-tools Hg repository -
> fc-loadtool got a new 'flash lock-state' command which I just now
> implemented and haven't documented yet.  Please run these commands on
> your SE K2x0 phones (both Spansion and Samsung flash versions) and
> share the results:
> 
> flash lock-state
> flash2 lock-state
> 
> These commands read and report the current state of all sector locking
> and security policy bits in the flash chip; based on the results, we
> should be able to tell if we can unlock all of the flash in software.

Please find the results below:

=== SAMSUNG flash ===

loadtool> flash lock-state
Autodetecting flash chip type
Basic device ID: 00EC 257E
Samsung extended ID device, reading extended ID
Extended ID: 2508 2501
Appears to be Samsung K5L29xx_A or compatible, checking CFI
Confirmed Samsung K5L29xx_A or compatible
Global status word 3: 0000
Global status word 7: 0000
Sector at 0x0: locked
Sector at 0x2000: unlocked
Sector at 0x4000: unlocked
Sector at 0x6000: unlocked
Sector at 0x8000: unlocked
Sector at 0xA000: unlocked
Sector at 0xC000: unlocked
Sector at 0xE000: unlocked
Sector at 0x10000: locked
Sector at 0x20000: unlocked
Sector at 0x30000: unlocked
Sector group at 0x40000: unlocked
Sector group at 0x80000: unlocked
Sector group at 0xC0000: unlocked
Sector group at 0x100000: unlocked
Sector group at 0x140000: unlocked
Sector group at 0x180000: unlocked
Sector group at 0x1C0000: unlocked
Sector group at 0x200000: unlocked
Sector group at 0x240000: unlocked
Sector group at 0x280000: unlocked
Sector group at 0x2C0000: unlocked
Sector group at 0x300000: unlocked
Sector group at 0x340000: unlocked
Sector group at 0x380000: unlocked
Sector group at 0x3C0000: unlocked
Sector group at 0x400000: unlocked
Sector group at 0x440000: unlocked
Sector group at 0x480000: unlocked
Sector group at 0x4C0000: unlocked
Sector group at 0x500000: unlocked
Sector group at 0x540000: unlocked
Sector group at 0x580000: unlocked
Sector group at 0x5C0000: unlocked
Sector group at 0x600000: unlocked
Sector group at 0x640000: unlocked
Sector group at 0x680000: unlocked
Sector group at 0x6C0000: unlocked
Sector group at 0x700000: unlocked
Sector group at 0x740000: unlocked
Sector group at 0x780000: unlocked
Sector group at 0x7C0000: unlocked
Password Protection Mode lock: 0000
Persistent Protection Mode lock: 0000

loadtool> flash2 lock-state
Autodetecting flash chip type
Basic device ID: 00EC 257E
Samsung extended ID device, reading extended ID
Extended ID: 2508 2501
Appears to be Samsung K5L29xx_A or compatible, checking CFI
Confirmed Samsung K5L29xx_A or compatible
Global status word 3: 0000
Global status word 7: 0000
Sector group at 0x0: unlocked
Sector group at 0x40000: unlocked
Sector group at 0x80000: unlocked
Sector group at 0xC0000: unlocked
Sector group at 0x100000: unlocked
Sector group at 0x140000: unlocked
Sector group at 0x180000: unlocked
Sector group at 0x1C0000: unlocked
Sector group at 0x200000: unlocked
Sector group at 0x240000: unlocked
Sector group at 0x280000: unlocked
Sector group at 0x2C0000: unlocked
Sector group at 0x300000: unlocked
Sector group at 0x340000: unlocked
Sector group at 0x380000: unlocked
Sector group at 0x3C0000: unlocked
Sector group at 0x400000: unlocked
Sector group at 0x440000: unlocked
Sector group at 0x480000: unlocked
Sector group at 0x4C0000: unlocked
Sector group at 0x500000: unlocked
Sector group at 0x540000: unlocked
Sector group at 0x580000: unlocked
Sector group at 0x5C0000: unlocked
Sector group at 0x600000: unlocked
Sector group at 0x640000: unlocked
Sector group at 0x680000: unlocked
Sector group at 0x6C0000: unlocked
Sector group at 0x700000: unlocked
Sector group at 0x740000: unlocked
Sector group at 0x780000: unlocked
Sector at 0x7C0000: unlocked
Sector at 0x7D0000: unlocked
Sector at 0x7E0000: unlocked
Sector at 0x7F0000: unlocked
Sector at 0x7F2000: unlocked
Sector at 0x7F4000: unlocked
Sector at 0x7F6000: unlocked
Sector at 0x7F8000: unlocked
Sector at 0x7FA000: unlocked
Sector at 0x7FC000: unlocked
Sector at 0x7FE000: unlocked


=== Spansion flash ===

loadtool> flash lock-state
Autodetecting flash chip type
Basic device ID: 0001 227E
AMD-style extended ID device, reading extended ID
Extended ID: 2221 2200
Spansion PL129J or PL129N, looking at CFI
Found PL129N
Global status word 3: 0080
Sector at 0x0: locked
Sector at 0x10000: locked
Sector at 0x20000: unlocked
Sector at 0x30000: unlocked
Sector group at 0x40000: unlocked
Sector group at 0x80000: unlocked
Sector group at 0xC0000: unlocked
Sector group at 0x100000: unlocked
Sector group at 0x140000: unlocked
Sector group at 0x180000: unlocked
Sector group at 0x1C0000: unlocked
Sector group at 0x200000: unlocked
Sector group at 0x240000: unlocked
Sector group at 0x280000: unlocked
Sector group at 0x2C0000: unlocked
Sector group at 0x300000: unlocked
Sector group at 0x340000: unlocked
Sector group at 0x380000: unlocked
Sector group at 0x3C0000: unlocked
Sector group at 0x400000: unlocked
Sector group at 0x440000: unlocked
Sector group at 0x480000: unlocked
Sector group at 0x4C0000: unlocked
Sector group at 0x500000: unlocked
Sector group at 0x540000: unlocked
Sector group at 0x580000: unlocked
Sector group at 0x5C0000: unlocked
Sector group at 0x600000: unlocked
Sector group at 0x640000: unlocked
Sector group at 0x680000: unlocked
Sector group at 0x6C0000: unlocked
Sector group at 0x700000: unlocked
Sector group at 0x740000: unlocked
Sector group at 0x780000: unlocked
Sector group at 0x7C0000: unlocked
PL-N Lock Register: FFFF

loadtool> flash2 lock-state
Autodetecting flash chip type
Basic device ID: 0001 227E
AMD-style extended ID device, reading extended ID
Extended ID: 2221 2200
Spansion PL129J or PL129N, looking at CFI
Found PL129N
Global status word 3: 0080
Sector group at 0x0: unlocked
Sector group at 0x40000: unlocked
Sector group at 0x80000: unlocked
Sector group at 0xC0000: unlocked
Sector group at 0x100000: unlocked
Sector group at 0x140000: unlocked
Sector group at 0x180000: unlocked
Sector group at 0x1C0000: unlocked
Sector group at 0x200000: unlocked
Sector group at 0x240000: unlocked
Sector group at 0x280000: unlocked
Sector group at 0x2C0000: unlocked
Sector group at 0x300000: unlocked
Sector group at 0x340000: unlocked
Sector group at 0x380000: unlocked
Sector group at 0x3C0000: unlocked
Sector group at 0x400000: unlocked
Sector group at 0x440000: unlocked
Sector group at 0x480000: unlocked
Sector group at 0x4C0000: unlocked
Sector group at 0x500000: unlocked
Sector group at 0x540000: unlocked
Sector group at 0x580000: unlocked
Sector group at 0x5C0000: unlocked
Sector group at 0x600000: unlocked
Sector group at 0x640000: unlocked
Sector group at 0x680000: unlocked
Sector group at 0x6C0000: unlocked
Sector group at 0x700000: unlocked
Sector group at 0x740000: unlocked
Sector group at 0x780000: unlocked
Sector at 0x7C0000: unlocked
Sector at 0x7D0000: unlocked
Sector at 0x7E0000: unlocked
Sector at 0x7F0000: unlocked

-- 
Best regards,
Vadim.
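As an added example (not code from this thread or from freecalypso-tools), here is a small Python parser for the text format of the 'flash lock-state' output quoted above, so the Samsung and Spansion dumps can be checked programmatically for which regions are write-protected. It assumes only the line format shown in the message, treats the status words and lock registers as opaque hex values without interpreting them, and runs on a constructed abbreviated excerpt.

```python
import re
from dataclasses import dataclass

# Constructed sample: an abbreviated excerpt in the same line format as the
# fc-loadtool 'flash lock-state' output quoted in the message above.
SAMPLE = """\
loadtool> flash lock-state
Autodetecting flash chip type
Basic device ID: 00EC 257E
Confirmed Samsung K5L29xx_A or compatible
Global status word 3: 0000
Global status word 7: 0000
Sector at 0x0: locked
Sector at 0x2000: unlocked
Sector at 0x10000: locked
Sector at 0x20000: unlocked
Sector group at 0x40000: unlocked
Password Protection Mode lock: 0000
Persistent Protection Mode lock: 0000
"""

SECTOR_RE = re.compile(r"^(Sector(?: group)?) at (0x[0-9A-Fa-f]+): (locked|unlocked)$")
# Single 4-hex-digit words only (status words, PPM/password lock, PL-N register);
# two-word lines such as 'Basic device ID' deliberately do not match.
WORD_RE = re.compile(r"^([A-Za-z0-9 -]+): ([0-9A-Fa-f]{4})$")

@dataclass
class LockState:
    chip: str
    sectors: list   # (kind, start address, locked) in listing order
    words: dict     # raw status/lock register words, left uninterpreted

def parse_lock_state(text):
    chip, sectors, words = "unknown", [], {}
    for line in text.splitlines():
        m = SECTOR_RE.match(line)
        if m:
            sectors.append((m.group(1), int(m.group(2), 16), m.group(3) == "locked"))
            continue
        m = WORD_RE.match(line)
        if m:
            words[m.group(1)] = int(m.group(2), 16)
        elif line.startswith(("Confirmed ", "Found ")):
            chip = line.split(" ", 1)[1]
    return LockState(chip, sectors, words)

def locked_ranges(state):
    """Write-protected regions as (start, end); end is the start of the next
    listed unit, or None for the last unit (size is not in the listing)."""
    out = []
    for i, (_, start, locked) in enumerate(state.sectors):
        if locked:
            nxt = state.sectors[i + 1][1] if i + 1 < len(state.sectors) else None
            out.append((start, nxt))
    return out
```

Running both real dumps through `parse_lock_state` and diffing `locked_ranges` shows at a glance that only the lowest sectors of the first chip differ in lock state between the two phones.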

