From axilirator at gmail.com Tue Jan 9 20:46:45 2024 From: axilirator at gmail.com (Vadim Yanitskiy) Date: Wed, 10 Jan 2024 03:46:45 +0700 Subject: Pirelli DP-L10 OTA firmware update procedure Message-ID: <6c09e8e7-8422-4d78-a8b5-d9ec88d85f4e@gmail.com> Hi Mychaela and FreeCalypso community, I was curious about the OTA firmware update procedure, which is supported by the stock firmware of Pirelli DP-L10 (a.k.a. Arcor Twintel DP-L10, a.k.a. Telekom TC-300, ...). Mychaela documented some of her assumptions about the OTA procedure here: ftp://ftp.freecalypso.org/pub/GSM/Pirelli/fwupdate-magic.zip but IIRC, she had no experience doing it herself. Today I found an article, explaining the process: https://web.archive.org/web/20150918171544/http://blog.manty.net/2011/10/how-to-solve-90-of-problems-with-your.html Thanks to this article (and to archive.org), I was able to perform the firmware upgrade over WiFi myself on one of my Pirelli phones. For those who are interested, I documented what I did here: https://osmocom.org/projects/baseband/wiki/PirelliDPL10#OTA-Firmware-Update Additionally, I documented some secret codes supported by the stock firmware here: https://osmocom.org/projects/baseband/wiki/PirelliDPL10#MMI-codes -- Best regards, Vadim. From falcon at freecalypso.org Tue Jan 9 22:26:20 2024 From: falcon at freecalypso.org (Mychaela Falconia) Date: Tue, 09 Jan 2024 14:26:20 -0800 Subject: Pirelli DP-L10 OTA firmware update procedure In-Reply-To: <6c09e8e7-8422-4d78-a8b5-d9ec88d85f4e@gmail.com> References: <6c09e8e7-8422-4d78-a8b5-d9ec88d85f4e@gmail.com> Message-ID: <20240109222635.E9B8237401DE@freecalypso.org> Hi Vadim, > I was curious about the OTA firmware update procedure, which is > supported by the stock firmware of Pirelli DP-L10 (a.k.a. Arcor Twintel > DP-L10, a.k.a. Telekom TC-300, ...). Mychaela documented some of her > assumptions about the OTA procedure here: > > ftp://ftp.freecalypso.org/pub/GSM/Pirelli/fwupdate-magic.zip > > but IIRC, she had no experience doing it herself. Correct: I did some disassembly of Foxconn/Pirelli's extra flash-resident bootloader stage (responsible for decompressing OTA fw updates and making them live) and I found interesting bits in these "magic1" and "magic2" flash areas in one of the phone specimen I got (published in the linked ZIP file from 2014), but I never attempted any kind of active experiment. > Today I found an article, explaining the process: > [...] > Thanks to this article (and to archive.org), I was able to perform the > firmware upgrade over WiFi myself on one of my Pirelli phones. Thank you for the entertaining discovery! > Additionally, I documented some secret codes supported by the stock > firmware here: > > https://osmocom.org/projects/baseband/wiki/PirelliDPL10#MMI-codes Thanks, I use some of these MMI codes on my "everyday" Pirelli phones, so let me comment further on some of them: *36446337464#: Pirelli's help screen lists it as "Not use now", but it still works. The code spells "*engineering#", and it is the original engineering mode menu from TI's TCS211 reference fw. You can see info about your current serving cell (ARFCN, RSSI, TA etc), info about neighbor cells and the operator-controlled interval between periodic location updates (LUP). The screen that shows neighbor cell info looks poor on this phone because it was designed by TI for their larger 176x220 pixel LCD (on D-Sample), and Foxconn/Pirelli never changed it for their smaller LCD, but it is better than nothing. I use this debug menu all the time when checking GSM coverage quality in places I visit, like Mexico. :) ###520# version display: the MMI code once again comes from TI's TCS211 reference fw. ###800# engineering mode: this MMI code, introduced by Foxconn/Pirelli, is their "official" way, replacing TI's *36446337464# code. But it works differently: it sets a state bit that enables additional entries in menus, and one of the newly accessible menu entries is the "old" (from TI) engineering mode menu. Also when this "long-lasting" engineering mode enable flag is set (it is set with ###800# and cleared with ###801#), the volume-down button on the idle home screen acquires a new function: it displays some additional debug screens, and one of them (charging process state) does not seem to be accessible in any other way. M~