Sony Ericsson K200i flash protection
Mychaela Falconia
falcon at freecalypso.org
Sat Dec 2 09:15:26 UTC 2023
Vadim wrote:
> I will keep an eye on the fc-loadtool repository and look forward to
> hearing any news from you.
>
> It's not like I need to be able to unlock and overwrite those locked
> sectors, I am just curious to learn how this kind of protection works.
> But well, I would also love to see it being defeated in practice ;)
I got flash sector lock/unlock manipulation implemented for PL-J style
of flash, which includes Spansion S71PL-J and Samsung K5L29xx which is
an equivalent of PL129J. If you execute 'flash ppb-erase-all' on a
K2x0 phone with Samsung flash, the result should be all sectors
unlocked. It works on the phone I tested here, and the same
functionality also works on S71PL064J flash on FC Tango modules.
I don't have any Spansion PL129J to test on.
This mechanism won't work on SE K2x0 with Spansion flash yet - that
Spansion flash is PL129N (not J), it does PPB program and erase
operations differently, and I still need to implement this version.
Please note that this 'flash ppb-erase-all' command does not erase any
flash content - instead it erases the special non-volatile memory unit
that holds all PPBs (persistent protection bits) for the whole flash
chip. There is only one such non-volatile memory unit for all PPBs,
and it can only be erased in its entirety - hence there is no
separation between flash banks for this one special operation. And
furthermore, on PL-J style of flash this operation requires diving
into the internal details of how NOR flash works, with quirks like
having to program all bits before commanding erasure, and pulse-counting
retries. I will need to write some documentation articles
explaining all of this stuff.
M~
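To make the PPB mechanism described in the reply above concrete, here is a small software model of a NOR flash chip with per-sector persistent protection bits. This is an added teaching example, not fc-loadtool code and not the real PL-J or PL-N command sequence; the class, method names, sector sizes and the retry limit are all constructed assumptions. It shows the three properties the post relies on: a locked sector refuses program and erase operations, the PPB unit is one chip-wide object that can only be erased as a whole, and erasing it follows the "program every bit first, then pulse-count the erase" pattern without touching any sector data.

```python
# Toy model of PPB (persistent protection bit) sector locking on a NOR flash.
# Constructed illustration only: names and simulated behaviour are assumptions
# for teaching, not the real flash command sequence or fc-loadtool's code.

ERASED_BYTE = 0xFF  # NOR flash erases to all-ones; programming can only clear bits
SECTOR_SIZE = 16    # tiny sectors keep the model readable
NUM_SECTORS = 8
MAX_PULSES = 5      # assumed retry limit for the pulse-counted PPB erase


class LockedSectorError(Exception):
    """Raised when a program or erase targets a PPB-protected sector."""


class ToyNorFlash:
    def __init__(self, num_sectors=NUM_SECTORS, sector_size=SECTOR_SIZE):
        self.sector_size = sector_size
        self.data = [bytearray([ERASED_BYTE]) * sector_size for _ in range(num_sectors)]
        # One PPB per sector, all held in a single non-volatile unit for the chip.
        # Erased PPB (1) = sector unlocked; programmed PPB (0) = sector locked.
        self.ppb = [1] * num_sectors

    def is_locked(self, sector):
        return self.ppb[sector] == 0

    def ppb_program(self, sector):
        """Lock one sector by programming its PPB (this one is per sector)."""
        self.ppb[sector] = 0

    def program(self, sector, offset, payload):
        """Programming clears bits and is refused on a locked sector."""
        if self.is_locked(sector):
            raise LockedSectorError(f"sector {sector} is PPB-locked")
        for i, b in enumerate(payload):
            self.data[sector][offset + i] &= b

    def erase_sector(self, sector):
        """Sector erase returns the sector to all-ones; refused when locked."""
        if self.is_locked(sector):
            raise LockedSectorError(f"sector {sector} is PPB-locked")
        self.data[sector][:] = bytes([ERASED_BYTE]) * self.sector_size

    def ppb_erase_all(self, pulses_needed=1):
        """Erase the whole PPB unit. There is no per-bank or per-sector form.

        Mirrors the two quirks named in the post: every PPB is programmed (0)
        before erasure is commanded, and the erase pulse is retried up to a
        limit. Sector contents are never touched. Returns the pulse count.
        """
        # Quirk 1: program all PPBs first (every sector is momentarily locked).
        for s in range(len(self.ppb)):
            self.ppb_program(s)
        # Quirk 2: pulse-counting retries; pulses_needed simulates a slow cell.
        for pulse in range(1, MAX_PULSES + 1):
            if pulse >= pulses_needed:
                self.ppb = [1] * len(self.ppb)  # whole unit erased: all unlocked
                return pulse
        raise RuntimeError(f"PPB erase failed after {MAX_PULSES} pulses")


def demo():
    """Lock a sector, show a write is refused, then erase the PPB unit."""
    chip = ToyNorFlash()
    chip.program(0, 0, b"boot")   # constructed sample content
    chip.ppb_program(0)           # lock the sector holding those bytes
    try:
        chip.program(0, 0, b"\x00")
        overwritten = True
    except LockedSectorError:
        overwritten = False
    pulses = chip.ppb_erase_all(pulses_needed=3)
    return {
        "overwrite_refused": not overwritten,
        "pulses_used": pulses,
        "all_unlocked": not any(chip.is_locked(s) for s in range(NUM_SECTORS)),
        "data_intact": bytes(chip.data[0][:4]) == b"boot",
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately separates the PPB unit from sector data so the reader can see that `ppb_erase_all` changes only protection state: after it runs, every sector is unlocked yet the bytes written before locking are still there, which is exactly the distinction the post draws between this command and a content erase.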