annotate se_k200i/flash-notes @ 393:6c31d8c54ae4

se_k200i: preliminary analysis
author Mychaela Falconia <falcon@freecalypso.org>
date Sun, 06 Nov 2022 01:13:43 +0000
parents
children 00f5287db832
SE K200 family phones have 16 MiB of flash total, physically presented to the
Calypso chip as two banks of 8 MiB each. Their official fw architecture uses
the following flash organization:

Flash bank 1, first 64 KiB sector:

This part of the flash naturally contains the boot entry point. The word at
0x2000 equals 1, telling Calypso boot ROM to move itself out of the way and
perform a watchdog reset, and then the reset entry point is at 0. The code
implemented by SE or their ODM in this flash sector is a boot stage of their
own invention, eventually passing control to the main fw entry point at
0x200000.

Flash bank 1, 64 KiB sector at 0x10000:

This sector holds two items of factory-programmed data, apparently intended to
remain immutable for the lifetime of each hw unit:

7 bytes at 0x10000: the phone's IMEI, format obvious, no obfuscation
1 byte at 0x10007: 0xFF filler
64 bytes at 0x10008: appear to be cryptographically random filler

Flash bank 1 starting at 0x20000:

The main firmware image resides here, entry point right at 0x200000.

Flash bank 2, first 13 sectors of 256 KiB each:

The firmware on this phone model uses classic TIFFS. Their TIFFS organization
is 256x13 (a little smaller than Pirelli's 256x18), sitting at the beginning of
flash bank 2, mapped into Calypso address space at 0x01800000. The FFS design
appears to be self-regenerating: if the fw is booted with all FFS sectors
erased, it will not only format a new FFS like Pirelli's fw does, but also fill
it with all necessary data. In contrast with Pirelli's fw architecture, the FFS
in these SE K200 phones appears to NOT contain any static asset files that must
be loaded externally.

Flash bank 2, area starting at 0x01B40000, right after TIFFS:

This area appears to be an extension of the firmware. Without a lot more
reverse engineering work, it is not obvious whether this area contains any
executable code, or whether it is only data bits like UI pixel images, MIDI
ringtones, language strings etc.

Flash bank 2, 64 KiB sector at 0x01FD0000:

This sector holds factory calibration data, including RF, AFC (VCXO) and MADC
calibrations. When the firmware reinitializes a freshly formatted FFS, it must
be copying calibration bits from this sector.

Flash bank 2, 64 KiB sector at 0x01FF0000 (end of flash):

First 0x2C8 bytes: purpose unknown, but they are fed into the hash function
that determines whether or not the firmware is allowed to boot.

8 bytes at 0x01FF02C8: output of some kind of cryptographic hash function

There is a hash function implemented in the custom bootloader in sector 0 (not
studied in detail) whose inputs are the IMEI record at 0x10000, the block of
0x2C8 bytes at 0x01FF0000 and the block of 64 bytes at 0x10008 in this order.
The output must match the 8 bytes at 0x01FF02C8, or the code refuses to boot
and goes into a dead hang instead.
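The practical consequence of the check above is that the IMEI record and the
64-byte per-unit block in the 0x10000 sector are bound to the 0x2C8-byte block
at the end of flash: changing any of the three inputs without recomputing the
8-byte value leaves the unit hanging in the sector-0 bootloader. Whether the
function involves any secret beyond what is readable in flash is not
established here. The script below is an added walker for the layout described
in these notes (the 0x10000 sector and the 0x01FF0000 sector in particular);
it is constructed for this page and is not code from the freecalypso se_k200i
work. It takes the two banks as separate 8 MiB images, with bank 2 offsets
taken relative to 0x01800000. Everything marked ASSUMED goes beyond the notes:
the IMEI being packed BCD, low nibble first, 14 body digits with the Luhn check
digit omitted; the word at 0x2000 being a 32-bit little-endian ARM word; the
"IMEI record" meaning the 7 IMEI bytes without the 0xFF filler; and the digest
function, which is a truncated SHA-256 stand-in because the real one has not
been identified. The sample IMEI, per-unit bytes and 0x2C8-byte block are
constructed test data.

```python
"""Walk the SE K200 flash layout described in these notes and model the
boot-time binding check.  Constructed example for this page, not code from
the freecalypso se_k200i work; items marked ASSUMED are not established there."""
import hashlib
import hmac
from typing import Callable

BANK_SIZE = 8 * 1024 * 1024             # two 8 MiB banks (notes)
BANK2_BASE = 0x01800000                 # bank 2 in Calypso address space (notes)

# Bank 1, offsets from start of bank (notes)
BOOT_MAGIC_OFF = 0x2000                 # word == 1 -> boot ROM maps itself out
IMEI_OFF, IMEI_LEN = 0x10000, 7
RANDOM_OFF, RANDOM_LEN = 0x10008, 64

# Bank 2, offsets from BANK2_BASE (notes)
TIFFS_LEN = 13 * 256 * 1024             # classic TIFFS, 256x13
CALIB_SECTOR_OFF = 0x01FD0000 - BANK2_BASE
LAST_SECTOR_OFF = 0x01FF0000 - BANK2_BASE
HASHED_BLOCK_LEN = 0x2C8
HASH_OFF, HASH_LEN = LAST_SECTOR_OFF + HASHED_BLOCK_LEN, 8

HashFn = Callable[[bytes], bytes]       # bytes -> 8-byte digest


def luhn_check_digit(digits14: str) -> str:
    """Luhn check digit over the 14 IMEI body digits (ASSUMED: the 7 packed
    bytes hold exactly 14 nibbles, so the check digit is not stored)."""
    total = 0
    for i, ch in enumerate(reversed(digits14)):
        d = int(ch)
        if i % 2 == 0:                  # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def decode_imei(raw: bytes) -> str:
    """ASSUMED packed BCD, low nibble first (GSM 04.08 style), no obfuscation."""
    if len(raw) != IMEI_LEN:
        raise ValueError("IMEI record must be 7 bytes")
    nibbles = [n for b in raw for n in (b & 0xF, b >> 4)]
    if any(n > 9 for n in nibbles):
        raise ValueError("non-BCD nibble in IMEI record")
    body = "".join(map(str, nibbles))
    return body + luhn_check_digit(body)


def encode_imei(digits14: str) -> bytes:
    """Inverse of decode_imei for building test images (same ASSUMED layout)."""
    assert len(digits14) == 14 and digits14.isdigit()
    pairs = zip(digits14[0::2], digits14[1::2])
    return bytes(int(lo) | (int(hi) << 4) for lo, hi in pairs)


def boot_magic_ok(bank1: bytes) -> bool:
    """ASSUMED the 'word' at 0x2000 is a 32-bit little-endian ARM word."""
    return int.from_bytes(bank1[BOOT_MAGIC_OFF:BOOT_MAGIC_OFF + 4], "little") == 1


def hash_input(bank1: bytes, bank2: bytes) -> bytes:
    """The three inputs in the order the notes give: IMEI record, 0x2C8-byte
    block at 0x01FF0000, 64-byte block at 0x10008.  ASSUMED the IMEI record
    means the 7 IMEI bytes without the 0xFF filler byte at 0x10007."""
    return (bytes(bank1[IMEI_OFF:IMEI_OFF + IMEI_LEN])
            + bytes(bank2[LAST_SECTOR_OFF:LAST_SECTOR_OFF + HASHED_BLOCK_LEN])
            + bytes(bank1[RANDOM_OFF:RANDOM_OFF + RANDOM_LEN]))


def stored_hash(bank2: bytes) -> bytes:
    return bytes(bank2[HASH_OFF:HASH_OFF + HASH_LEN])


def boot_binding_ok(bank1: bytes, bank2: bytes, hash_fn: HashFn) -> bool:
    """Model of the sector-0 bootloader check: recompute over the three inputs
    and compare with the 8 bytes at 0x01FF02C8.  hash_fn is pluggable because
    the phone's real function has not been identified."""
    return hmac.compare_digest(hash_fn(hash_input(bank1, bank2)), stored_hash(bank2))


def placeholder_hash(data: bytes) -> bytes:
    """STAND-IN only: truncated SHA-256.  Not the phone's function."""
    return hashlib.sha256(data).digest()[:8]


def build_sample_banks(imei14: str, random_fill: bytes, block: bytes,
                       hash_fn: HashFn) -> tuple[bytearray, bytearray]:
    """Constructed pair of bank images laid out as the notes describe; erased
    flash reads as 0xFF, so everything not listed stays 0xFF."""
    bank1 = bytearray(b"\xff") * BANK_SIZE
    bank2 = bytearray(b"\xff") * BANK_SIZE
    bank1[BOOT_MAGIC_OFF:BOOT_MAGIC_OFF + 4] = (1).to_bytes(4, "little")
    bank1[IMEI_OFF:IMEI_OFF + IMEI_LEN] = encode_imei(imei14)
    bank1[RANDOM_OFF:RANDOM_OFF + RANDOM_LEN] = random_fill
    bank2[LAST_SECTOR_OFF:LAST_SECTOR_OFF + HASHED_BLOCK_LEN] = block
    bank2[HASH_OFF:HASH_OFF + HASH_LEN] = hash_fn(hash_input(bank1, bank2))
    return bank1, bank2


# Constructed sample unit: a well-known example IMEI body plus deterministic
# stand-ins for the per-unit random bytes and the 0x2C8-byte block.
SAMPLE_IMEI14 = "49015420323751"
SAMPLE_RANDOM = hashlib.sha256(b"constructed per-unit filler").digest() * 2
SAMPLE_BLOCK = bytes((i * 7) & 0xFF for i in range(HASHED_BLOCK_LEN))


def binding_ok_after_imei_rewrite(new_imei14: str) -> bool:
    """Rewrite only the IMEI record of the sample unit, leave the 8-byte value
    alone, and report whether the modelled bootloader would still boot."""
    bank1, bank2 = build_sample_banks(SAMPLE_IMEI14, SAMPLE_RANDOM, SAMPLE_BLOCK,
                                      placeholder_hash)
    bank1[IMEI_OFF:IMEI_OFF + IMEI_LEN] = encode_imei(new_imei14)
    return boot_binding_ok(bank1, bank2, placeholder_hash)


if __name__ == "__main__":
    b1, b2 = build_sample_banks(SAMPLE_IMEI14, SAMPLE_RANDOM, SAMPLE_BLOCK, placeholder_hash)
    print("IMEI:", decode_imei(b1[IMEI_OFF:IMEI_OFF + IMEI_LEN]))
    print("boot magic ok:", boot_magic_ok(b1))
    print("binding ok:", boot_binding_ok(b1, b2, placeholder_hash))
    print("binding ok after IMEI rewrite:", binding_ok_after_imei_rewrite("35209900176148"))
```

To use it against a real unit, read the two bank dumps into bytes objects and
replace placeholder_hash with whatever the sector-0 bootloader actually
computes once that has been reverse engineered; the input assembly order and
the comparison stay as modelled.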