--- a/doc/C1xx-Howto	Sun Mar 17 01:42:20 2019 +0000
+++ b/doc/C1xx-Howto	Sun Mar 17 04:52:06 2019 +0000
@@ -16,14 +16,10 @@
 via a special cable.  There is no need to disassemble the phone in any way or
 to do any soldering or other hardware surgery, but you will need a host system
 to run the multitude of special software tools that are involved in the
-procedure.  You will need to begin by installing FreeCalypso host tools: the
-current version of our FC-to-C1xx xenotransplantation procedure for the lower
-C1xx subfamilies (the additions from the previous version are RF calibration
-data migration and battery charging configuration) requires fc-host-tools-r8 or
-later, or if you are working on a C155 or C156 phone, you will need our very
-latest fc-host-tools-r9a release:
+procedure.  You will need to begin by installing FreeCalypso host tools; the
+current version as of this writing is fc-host-tools-r10:
 
-ftp://ftp.freecalypso.org/pub/GSM/FreeCalypso/fc-host-tools-r9a.tar.bz2
+ftp://ftp.freecalypso.org/pub/GSM/FreeCalypso/fc-host-tools-r10.tar.bz2
 
 You will also need our battery charging configuration files:
 
@@ -175,6 +171,10 @@
 
 ftp://ftp.freecalypso.org/pub/GSM/FreeCalypso/compal-flash-boot-for-fc.bin
 
+(If you are working with a binary release package that has prebuilt firmware
+ images, the compal-flash-boot-for-fc.bin image is also included in the
+ package.)
+
 Mot C1xx phones are brickable - because the Calypso boot ROM is disabled by PCB
 wiring, the ability to reflash a phone with new firmware critically depends on
 there being a particular kind of boot code in flash sector 0 at all times - a
@@ -303,12 +303,13 @@
 as there is no LCD driver code in this firmware, but you will see trace output
 in the rvinterf window, telling you that the fw is running.
 
-Before you do anything else, you will need to run fc-fsio and initialize the
-aftermarket FFS for our firmware:
+Before you do anything else, you will need to run fc-fsio (run it without the
+-p option to have it connect to your already-running rvinterf process) and
+initialize the aftermarket FFS for our firmware:
 
 fsio> format /
 fsio> mk-std-dirs
-fsio> set-imeisv fc XXXXXXXX-YYYYYY-ZZ (punctuation optional, place anywhere)
+fsio> set-imeisv fc XXXXXXXX-YYYYYY-SV (see following section for the details)
 fsio> set-rfcap dual-eu (if you have 900+1800 MHz hardware)
 or
 fsio> set-rfcap dual-us (if you have 850+1900 MHz hardware)
@@ -336,6 +337,34 @@
 the firmware won't charge the battery even if there is a charging power source
 plugged in.
 
+Note regarding the IMEISV
+=========================
+
+The argument to the set-imeisv command in fc-fsio is a 16-digit IMEISV, not a
+15-digit IMEI.  The IMEI part of IMEISV (the first 14 digits) identifies the
+physical hardware and is supposed to be immutable, whereas the two SV digits
+are supposed to identify the software version, i.e., they are supposed to change
+when the software version changes in a significant way.  Motorola and Compal
+did in fact use the SV digits as called for by the specs: their official
+firmwares take the IMEI part of IMEISV from the factory-written per-unit vital
+data records, and each fw version appends its own SV digits, different from one
+version to the next.
+
+When a Mot C1xx phone runs FreeCalypso as opposed to one of Motorola's official
+fw versions, we need our own SV to identify our firmware as being distinct from
+any of Motorola's original versions.  The convention established by the Mother
+of FreeCalypso is that the SV for FreeCalypso on Mot C1xx should be set to 98.
+
+To transform the 15-digit IMEI of your Mot C1xx phone into the 16-digit IMEISV
+to be entered in fc-fsio set-imeisv, perform the following two steps:
+
+1) Drop the Luhn check digit - it is not included in the IMEISV form;
+2) Add -98 to the remaining 14 content digits of the IMEI from the previous
+   step.
+
+Exercising GSM functionality
+============================
+
 After you've initialized your FFS as above, you should exit fc-fsio, and your
 next steps will depend on which fw configuration you are playing with.  If it's
 the sans-UI pseudo-modem configuration, run fc-shell and try some AT commands:
@@ -344,6 +373,11 @@
 AT+CFUN=1	-- enable radio and SIM interfaces
 AT+COPS=0	-- register to the default GSM network
 
+Once you are connected to a network, you can dial and answer voice calls with
+ATD and ATA commands, and you can use GSM 07.05 AT commands to send and receive
+SMS.  You can also use the quite capable SMS tools included in the FC host tools
+package.
+
 When you are done, you can power the phone off by sending a 'poweroff' command
 through fc-shell, or you can kill rvinterf or unplug the serial cable and wait
 for the firmware to power off by the keepalive timeout after some 15 to 20 s.
@@ -375,3 +409,71 @@
 and a cabling setup with the right adapters whose insertion loss at particular
 GSM frequencies is precisely known makes this approach feasible only for
 professional FreeCalypso service shops, not for ordinary individual users.
+
+Restoring Motorola's original firmware
+======================================
+
+If you have many phones of the same type, it is best to dedicate a particular
+phone to FreeCalypso, as reflashing a phone back and forth is a royal pita.
+However, if you have only one phone, then you don't have much choice except to
+reflash it back and forth between Motorola's official fw and FreeCalypso, thus
+instructions need to be provided.
+
+Restoring original fw on the lower C1xx subfamilies
+---------------------------------------------------
+
+Whether you are restoring the original fw version your phone came with or
+flashing a different official fw version, you need to ensure that whichever fw
+version you are flashing does not have its bootloader locked out.  Examine your
+fw image with a hex dump tool and look at the 4 bytes at location 0x2060.  If
+these 4 bytes are all FF, then you have an older fw version with no bootloader
+locking capability - good.  If these 4 bytes are 'DD DD DD DD' (0xDDDDDDDD
+32=bit word), then your fw version does have bootloader locking capability, but
+the lock is not activated.  In this case you can still flash it, but you must
+make sure that this 32-bit word at 0x2060 always remains equal to 0xDDDDDDDD,
+otherwise your phone will be bricked.  And finally if the 4 bytes at 0x2060 are
+all zeros, then the bootloader lock is activated - DO NOT flash an image in
+this state (you will brick your phone if you do), instead you need to patch
+these 4 bytes to 0xDDDDDDDD with a hex editor and then flash the resulting
+unlocked version.
+
+Once you have verified that your to-be-flashed fw image is safe, you can flash
+it as follows:
+
+1) Get in with fc-loadtool:
+
+fc-loadtool -h compal -c 1004 /dev/ttyXXX
+
+The -c 1004 option is generally unnecessary if your phone runs FreeCalypso fw,
+but it doesn't hurt to always include it - it only makes the fc-loadtool entry
+process slower by about a second.
+
+2) Once you are at the loadtool> prompt, issue the following commands:
+
+if your phone is C139/140 or C11x/12x with 4 MiB flash:
+
+loadtool> flash erase-program-boot mot-fw-image.bin 0x10000
+loadtool> flash erase 0x10000 0x360000
+loadtool> flash program-bin 0x10000 mot-fw-image.bin 0x10000 0x360000
+
+or if your phone is C11x/12x with 2 MiB flash:
+
+loadtool> flash erase-program-boot mot-fw-image.bin 0x10000
+loadtool> flash erase 0x10000 0x1E0000
+loadtool> flash program-bin 0x10000 mot-fw-image.bin 0x10000 0x1E0000
+
+Restoring original fw on Mot C155/156
+-------------------------------------
+
+On these phones the bootloader is separate from the main body of the firmware,
+thus there is no need to reflash the dangerous boot sector (erase-program-boot)
+when changing firmwares, whether changing between Motorola's official fw and
+FreeCalypso or between different Mot fw versions.  Simply get in with
+fc-loadtool like this:
+
+fc-loadtool -h c155 /dev/ttyXXX
+
+and reflash the firmware like this:
+
+loadtool> flash erase 0x20000 0x7C0000
+loadtool> flash program-bin 0x20000 flash-backup.bin 0x20000 0x7C0000