Sony Ericsson K200i with SAMSUNG flash

Vadim Yanitskiy axilirator at gmail.com
Thu Nov 30 17:50:05 UTC 2023 

Hi Mychaela and community,

I acquired another SE K200i and picked it up from the local post 
department today.  It's the third K200i in my collection, and this new 
phone is a bit different from the two that I already have.  Sharing the 
details here, just in case somebody else than me and Mychaela would find 
this interesting.

Below is what makes this K200i special:

* R1AA003 firmware, an older version than R1AA008, which we saw on these 
two K200 specimens I have. [*]
* SAMSUNG K5L29xx_A flash (according to fc-loadtool), not SPANSION 
S71PL129, which we already saw.
* The IMEI reported by the phone starts with the '35617701' prefix we 
saw, but the label behind the battery has a completely different IMEI 
with a different prefix '35871701'.

[*] I also found R1AD001 on the internet, which appears to be even more 
recent version, but it's encrypted (binwalk shows entropy close to 0.9 
across the whole file).  SETool (paid version) should be able to decrypt 
and flash it, but I don't have a license for it.

The only difference between R1AA003 and R1AA008 I could find so far is 
AMR codec support: the former does not list it in the hidden "Service" 
menu.  We can compare further by looking at the MS Classmark bits.

Here is some related output of fc-loadtool (-h fcfam):

loadtool> flash info
Configured for two flash banks of up to 8 MiB each
Bank 0 base address: 03000000
Bank 1 base address: 01800000

loadtool> flash id
Autodetecting flash chip type
Basic device ID: 00EC 257E
Samsung extended ID device, reading extended ID
Extended ID: 2508 2501
Appears to be Samsung K5L29xx_A or compatible, checking CFI
Confirmed Samsung K5L29xx_A or compatible

loadtool> flash geom
Detected flash device: Samsung K5L29xx_A
Device has two banks, looking at bank 0
Bank 0 total size: 0x800000
Sectors in bank 0: 135 (2 regions)
Region 0: 8 sectors of 0x2000 bytes
Region 1: 127 sectors of 0x10000 bytes
Command set style: AMD

loadtool> flash2 geom
Detected flash device: Samsung K5L29xx_A
Device has two banks, looking at bank 1
Bank 1 total size: 0x800000
Sectors in bank 1: 135 (2 regions)
Region 0: 127 sectors of 0x10000 bytes
Region 1: 8 sectors of 0x2000 bytes
Command set style: AMD

Similarly to the ones with SPANSION flash, erasing the first flash bank 
fails (the bootloader/IMEI protection?):

loadtool> flash erase 0x00 0x800000
Erasing 135 sector(s)
erase timeout, aborting

The flash dumps can be downloaded from here:

https://people.osmocom.org/fixeria/dump/se_k200i/fw/K200i-R1AA003-CXC1250829-356177013769720-flash1.bin
https://people.osmocom.org/fixeria/dump/se_k200i/fw/K200i-R1AA003-CXC1250829-356177013769720-flash2-clean.bin

-- 
Best regards,
Vadim.

More information about the Community mailing list