New phone discovery: Sony Ericsson J120

Mychaela Falconia falcon at freecalypso.org
Sat Dec 9 01:28:10 UTC 2023


Hello FC community,

As Vadim has been experimenting further with Sony Ericsson J120 and
K2x0 phones, uncovering more of their quirks, I couldn't shake the
feeling that SE J120 seemed familiar, that I had seen something very
similar before.  So I took a closer look at SE J120 flash dumps
(provided by Vadim - I don't have one of those phones here), and sure
enough, I see the damning evidence I was looking for: SE J120 was made
by the same ODM (Chi-Mei) as Motorola C168 and W220, with many of the
same design decisions in terms of technical architecture.

Let's rewind for a moment to 2019-May.  This time point was prior to
my discovery of iWOW TR-800; I had a desire to produce a proper
FreeCalypso modem module in a form factor like BenQ M32 or Huawei
GTM900 (this desire has now been satisfied by rebranding iWOW TR-800
into FC Tango), and I was considering the possibility of using Si4210
RF transceiver instead of TI Rita for quadband GSM.  (Remember the
timeframe - prior to discovery of iWOW, we had no source of confidence
for TI's legendary Leonardo+ design.)  I was looking for some existing
phone that used Si4210 (Aero II), and I knew about Motorola C168 and
W220 from this wiki page:

https://osmocom.org/projects/baseband/wiki/PotentialCalypsoTargets

Some time around 2019-May I obtained samples of both C168 and W220.
C168 was a disappointment: I had no success in gaining bootloader
entry, or any other signs of life on the headset jack.  W220 was more
successful: I got in with fc-loadtool and dumped the flash.  I also
found schematics for W220; here they are, together with some flash
dumps:

https://www.freecalypso.org/pub/GSM/Mot_W220/

But the phone (Mot W220) was a disappointment in a different way.  I
was hoping to find a Calypso+Si4210 phone whose firmware architecture
was pristine-unchanged from TI, except for integration of RF support
for the different Silabs transceiver - then I could do some disassembly
to see how Si4210 support was fitted into mostly-unchanged TI fw arch,
then try running FC fw on the same hw, reusing original factory RF
calibration, and test the whole thing on my CMU200...  But nope, no
such luck - the fw architecture of Chi-Mei (Mot W220 and others, as
will be seen shortly) is altered beyond recognition, even worse than
Compal.  There is no TIFFS, no other identifiable FFS format, and I
couldn't even tell from the flash dump where the boundaries lie between
fw image vs factory data (RF cal etc) vs user data.  My venture into
Si4210 idea was set aside then, and later lost all relevance when we
discovered iWOW TR-800, containing nothing less than a mass-produced
version of TI's own legendary Leonardo+ core.

Back to Sony Ericsson J120 - let's review some basic properties it
shares in common with Motorola W220:

* Silabs Aero II RF transceiver;
* Calypso and Iota chips are in 0.5 mm ZPH/ZQW packages, rather than
  more classic 0.8 mm GHH/GGM;
* Intel W18 MCP flash (28F640W18T on W220, 28F320W18T on J120);
* Same incomprehensible fw structure seen in the flash dump: no TIFFS,
  no clear picture of where different parts are.

At this point I knew I had to either prove or disprove my suspicion -
so I did a little disassembly, comparing fw code around the flash boot
entry point between Mot W220 and SE J120.  And here is what I see:

* The highly idiomatic nature of code around the flash boot entry
  point is exactly the same between these two non-TI firmwares: both
  use flash boot mode 0 (contrary to TI fw design), followed by code
  that disables the boot ROM mapping and executes a swi instruction,
  as if they are trying to be compatible with the old broken boot ROM
  version in Calypso C05 chips.  The swi handler then jumps to the real
  flash boot entry point, and there once again we see the same highly
  idiomatic (won't arise by chance) code structure between the two
  firmwares.

* The only significant diff in this boot entry code between the two
  firmwares is that SE J120 version includes a call to an extra
  function (Thumb code at 0x20E0, ARM call veneer at 0x348C) very early
  in the boot path.  A quick look at this function (I didn't dig deep)
  strongly suggests that it is Ericsson-style EROM bootloader - I
  reason that Chi-Mei implemented this function for SE as a contractual
  requirement, whereas no similar requirement existed for Motorola.

And now comes the smoking gun: both firmwares expect the external
off-chip RAM (which I call XRAM in FC) to be at 0x02XXXXXX rather than
the usual 0x01XXXXXX location - meaning that XRAM on SE J120 must be
wired to Calypso nCS3 (instead of TI-standard nCS1) just like it is
depicted on the schematics we found for Mot W220!  This same oddball
choice of XRAM chip select wiring cannot arise by chance, so we know
that Mot W220 and SE J120 *had* to have been made by the same ODM.
And we know that this ODM was Chi-Mei: Motorola's published (for
service/repair shops) schematics helpfully name their ODM. :)

So what about SE K200/K220?  We still don't know which ODM made this
phone, but it does NOT look like either Compal or Chi-Mei.  Given some
similarities to Pirelli DP-L10, it could have been Foxconn - but even
then, the only *real* similarity between Pirelli DP-L10 and SE K2x0 is
that both designs stick fairly close to TI's original, as opposed to
changing it beyond recognition - hence with the common pieces coming
from TI, it is entirely possible that the designers of SE K2x0 were
some other conservative (in terms of fw arch changes) team that had no
relation to the designers of Pirelli DP-L10 at Foxconn.  So who knows...
(There is a Russian expression for *exactly who* may know, but it
contains a word that should not be used in polite company...)

Hasta la Victoria, Siempre,
Mychaela aka The Mother
