Pirelli's flash usage scheme allocates 3 "magic" areas in the flash2 bank:

offset 0x480000 thru 0x7DFFFF: staging area for high-level fw updates
offset 0x7E0000 thru 0x7EFFFF: fw update control/state structure
offset 0x7F0000 thru 0x7FFFFF: factory record with IMEI and RF calibration

The image or record stored in each of these "magic" areas ends with the
following 12-byte signature and checksum structure:

Offset[1]	Type[2]		Contains
xxFFF4		32-bit word	0x12345678
xxFFF8		32-bit word	Length of the fw update image or factory or
				fw update state record
xxFFFC		16-bit word	Checksum 1
xxFFFE		16-bit word	Checksum 2

[1] The offset is from the beginning of the flash partition in question, the
    xx digits will be 35 in the case of the 0x360000 byte fw update staging
    area partition or 00 in the case of the two 64 KiB sectors.

[2] All 16-bit and 32-bit values are in little-endian byte order.

Checksum computation
====================

The checksum is computed in two stages.  First all 16-bit words in the main
body of the image (using the image length from the xxFFF8 word) are added
together as a ripple-carry sum, and this 16-bit sum is written into the 0xFFFC
word.  Then the 5 16-bit words from xxFFF4 through xxFFFC (inclusive) are added
together (again as a ripple-carry sum), and this sum is written into the xxFFFE
word.  Remember the little-endian byte order throughout!

The ../miscprog/pircksum2.c program verifies this checksum computation scheme.